软件下载: http://www.exeone.com/
版本号: Ver 2.0.1.004
代码分析部分:
计算4组注册码用到的数据:
008EE535 |. B1 3F MOV CL,0x3F
008EE537 |. B2 18 MOV DL,0x18
008EE539 |. B0 A6 MOV AL,0xA6
008EE57F |. B1 87 MOV CL,0x87
008EE581 |. B2 35 MOV DL,0x35
008EE583 |. B0 F0 MOV AL,0xF0
008EE5C9 |. B1 1A MOV CL,0x1A
008EE5CB |. B2 8E MOV DL,0x8E
008EE5CD |. B0 17 MOV AL,0x17
008EE60F |. B1 0F MOV CL,0xF
008EE611 |. B2 22 MOV DL,0x22
008EE613 |. B0 8B MOV AL,0x8B
下面的例程根据 CL 值选择执行路径:对 EDX:EAX 组成的 64 位值逻辑右移 CL 位。
; Shift helper: logical right shift of the 64-bit value held in EDX:EAX by the
; count in CL; the result is returned in EDX:EAX.
00406DA4 /$ 80F9 20 CMP CL,0x20
00406DA7 |. 7C 11 JL SHORT Archiver.00406DBA ; CL < 0x20 (signed compare): double-register shift path
00406DA9 |. 80F9 40 CMP CL,0x40
00406DAC |. 7C 05 JL SHORT Archiver.00406DB3 ; 0x20 <= CL < 0x40: only the high dword contributes
00406DAE |. 31D2 XOR EDX,EDX ; CL >= 0x40: every bit is shifted out, result is 0
00406DB0 |. 31C0 XOR EAX,EAX
00406DB2 |. C3 RETN
00406DB3 |> 89D0 MOV EAX,EDX ; high dword becomes the low dword
00406DB5 |. 31D2 XOR EDX,EDX
00406DB7 |. D3E8 SHR EAX,CL ; x86 uses only the low 5 bits of CL for a 32-bit shift, i.e. CL - 0x20 here
00406DB9 |. C3 RETN
00406DBA |> 0FADD0 SHRD EAX,EDX,CL ; low dword receives the bits shifted out of EDX
00406DBD |. D3EA SHR EDX,CL
00406DBF \. C3 RETN
00406DC0 . C3 RETN
校验值计算:
008EE368 |> /0FB67C30 FF /MOVZX EDI,BYTE PTR [EAX+ESI-0x1] ; ASCII "123456784BEE3CEE"
008EE36D |. |66:03D7 |ADD DX,DI ; 00AF + DI
008EE370 |. |66:81FA FF00 |CMP DX,0xFF
008EE375 |. |76 05 |JBE SHORT Archiver.008EE37C
008EE377 |. |66:81EA FF00 |SUB DX,0xFF
008EE37C |> |66:03CA |ADD CX,DX ; 0x56 + DX
008EE37F |. |66:81F9 FF00 |CMP CX,0xFF
008EE384 |. |76 05 |JBE SHORT Archiver.008EE38B
008EE386 |. |66:81E9 FF00 |SUB CX,0xFF
008EE38B |> |46 |INC ESI
008EE38C |. |4B |DEC EBX
008EE38D |.^\75 D9 \JNZ SHORT Archiver.008EE368
008EE38F |> 8BD9 MOV EBX,ECX ; 0018008F
008EE391 |. C1E3 08 SHL EBX,0x8
008EE394 |. 66:03DA ADD BX,DX ; 18008F00
008EE397 |. 8B0C24 MOV ECX,DWORD PTR [ESP]
008EE39A |. 0FB7C3 MOVZX EAX,BX ; 18008F57
008EE39D |. BA 04000000 MOV EDX,0x4
008EE3A2 |. E8 5DDEB1FF CALL Archiver.0040C204
008EE3A7 |. 5A POP EDX
008EE3A8 |. 5F POP EDI
008EE3A9 |. 5E POP ESI
008EE3AA |. 5B POP EBX
008EE3AB \. C3 RETN
注册码部分计算:
; Derives one value of the registration code (returned in EAX, low byte in AL).
; Inputs: three byte constants in CL, DL and AL, plus a 64-bit value on the
; stack ([EBP+0x8] = low dword, [EBP+0xC] = high dword; released by RETN 0x8).
; The stack value is shifted twice through the helper at 00406DA4, once by
; AL % 0x19 and once by DL % 3; the parity of AL % 0x19 selects whether the
; CL constant is OR-ed or AND-ed into the second result before the final XOR.
; Defensive note: every input to this check is a constant embedded in the
; binary and no secret key or signature is involved, so the check can be
; reproduced by anyone who reads the code.
008EE2A8 /$ 55 PUSH EBP ; sample results: 124B 24EE
008EE2A9 |. 8BEC MOV EBP,ESP
008EE2AB |. 51 PUSH ECX
008EE2AC |. 53 PUSH EBX
008EE2AD |. 884D FE MOV BYTE PTR [EBP-0x2],CL ; CL: 3F 87 1A
008EE2B0 |. 8855 FF MOV BYTE PTR [EBP-0x1],DL ; DL: 18 35 8E
008EE2B3 |. 8BD8 MOV EBX,EAX ; AL: A6 F0 17
008EE2B5 |. 0FB6C3 MOVZX EAX,BL
008EE2B8 |. B9 19000000 MOV ECX,0x19
008EE2BD |. 33D2 XOR EDX,EDX
008EE2BF |. F7F1 DIV ECX
008EE2C1 |. 8BDA MOV EBX,EDX ; EBX = AL % 0x19 (sample values: 0x10, 0xF)
008EE2C3 |. 0FB645 FF MOVZX EAX,BYTE PTR [EBP-0x1] ; DL
008EE2C7 |. B9 03000000 MOV ECX,0x3
008EE2CC |. 33D2 XOR EDX,EDX
008EE2CE |. F7F1 DIV ECX ; DL / 3
008EE2D0 |. 8855 FF MOV BYTE PTR [EBP-0x1],DL ; low byte of the remainder DL % 3 (sample values: 0, 2)
008EE2D3 |. 0FB6C3 MOVZX EAX,BL
008EE2D6 |. 83E0 01 AND EAX,0x1 ; (AL % 0x19) & 1
008EE2D9 |. 85C0 TEST EAX,EAX
008EE2DB |. 75 29 JNZ SHORT Archiver.008EE306 ; odd remainder: take the AND branch below
008EE2DD |. 8B45 08 MOV EAX,DWORD PTR [EBP+0x8] ; stack SS:[0018F020]=12345678
008EE2E0 |. 8B55 0C MOV EDX,DWORD PTR [EBP+0xC] ; 0
008EE2E3 |. 8BCB MOV ECX,EBX ; AL % 0x19 = 0x10
008EE2E5 |. E8 BA8AB1FF CALL Archiver.00406DA4 ; shift helper; the path taken depends on CL
008EE2EA |. 24 FF AND AL,0xFF ; EAX: 1234
008EE2EC |. 50 PUSH EAX
008EE2ED |. 8B45 08 MOV EAX,DWORD PTR [EBP+0x8] ; stack SS:[0018F020]=12345678
008EE2F0 |. 8B55 0C MOV EDX,DWORD PTR [EBP+0xC] ; 0
008EE2F3 |. 0FB64D FF MOVZX ECX,BYTE PTR [EBP-0x1] ; low byte of the remainder DL % 3 = 0
008EE2F7 |. E8 A88AB1FF CALL Archiver.00406DA4
008EE2FC |. 0A45 FE OR AL,BYTE PTR [EBP-0x2] ; OR with CL: 78|3F=7F
008EE2FF |. 8BD0 MOV EDX,EAX ; 1234567F
008EE301 |. 58 POP EAX ; 1234
008EE302 |. 32C2 XOR AL,DL ; 34^7F=4B
008EE304 |. EB 27 JMP SHORT Archiver.008EE32D
008EE306 |> 8B45 08 MOV EAX,DWORD PTR [EBP+0x8] ; stack SS:[0018F020]=12345678
008EE309 |. 8B55 0C MOV EDX,DWORD PTR [EBP+0xC] ; 0
008EE30C |. 8BCB MOV ECX,EBX ; AL % 0x19 (sample values: 0x10, 0xF)
008EE30E |. E8 918AB1FF CALL Archiver.00406DA4
008EE313 |. 24 FF AND AL,0xFF ; EAX: 2468
008EE315 |. 50 PUSH EAX
008EE316 |. 8B45 08 MOV EAX,DWORD PTR [EBP+0x8] ; stack SS:[0018F020]=12345678
008EE319 |. 8B55 0C MOV EDX,DWORD PTR [EBP+0xC] ; 0
008EE31C |. 0FB64D FF MOVZX ECX,BYTE PTR [EBP-0x1] ; low byte of the remainder DL % 3 (sample values: 0, 2)
008EE320 |. E8 7F8AB1FF CALL Archiver.00406DA4
008EE325 |. 2245 FE AND AL,BYTE PTR [EBP-0x2] ; 048D159E & CL = 048D1586
008EE328 |. 8BD0 MOV EDX,EAX
008EE32A |. 58 POP EAX ; 2468
008EE32B |. 32C2 XOR AL,DL ; 2468 ^ 86 = 24EE
008EE32D |> 5B POP EBX
008EE32E |. 59 POP ECX
008EE32F |. 5D POP EBP
008EE330 \. C2 0800 RETN 0x8
写注册表位置:
Software\Microsoft\Windows\CurrentVersion\Settings\InstallA3
两组测试用注册码:
0000 0000 3F00 000F B3E1
1234 5678 4BEE 3CEE 8F57
注册机源码部分:
// Re-implementation (C++ with MSVC inline assembly) of the registration check
// shown in the disassembly above. The produced string has the layout of the
// test codes listed earlier: 8 hex digits of seed, 8 hex digits derived from
// the seed with the per-group constants, and a trailing hex checksum.
//
// Defensive takeaway: the constants, the shift helper and the checksum seeds
// all live in the client binary and the check involves no secret key, so it
// can be reproduced offline. A licence check that has to resist this needs a
// vendor-held private key (signed licence data) or server-side validation.
//
// NOTE(review): the listing appears to have lost text in the forum rendering
// (several array names are used without a subscript); it is reproduced here
// unchanged.

// Per-group byte constants, as loaded into CL / DL / AL in the disassembly.
unsigned char mCL[4] = {0x3F,0x87,0x1A,0xF};
unsigned char mDL[4] = {0x18,0x35,0x8E,0x22};
unsigned char mAL[4] = {0xA6,0xF0,0x17,0x8B};
unsigned char mP16[0x10] = {0};
unsigned char mReg[4] = {0}; // holds the 4 computed registration-code values
unsigned int mLReg = 0; // holds the hash value that forms the last 4 digits of the registration code
unsigned long mP8 = 0; // first 8 digits of the registration code, randomly generated
string strP16 ;
unsigned long mEax = 0;
unsigned long mEdx = 0;
unsigned long mEax1 = 0;
unsigned long mEdx1 = 0;
unsigned char Mod_AL = 0;
unsigned char Mod_DL = 0;
unsigned int i = 0;
// The generator is seeded from the clock. rand() returns at most RAND_MAX,
// so the modulus below does not change the value.
srand((unsigned)time(NULL)*10);
mP8 = rand() % 0xFFFFFFFF;
//mP8 = 0x12345678;
// One pass per code group.
for (i=0;i<4;i++)
{
mEax = mP8;
mEdx = 0;
Mod_AL = mAL % 0x19;
Mod_DL = mDL % 0x3;
// First copy of the shift helper at 00406DA4: shifts EDX:EAX right by Mod_AL
// and stores the result in mEax1 / mEdx1.
__asm
{
MOV eax,mEax
MOV edx,mEdx
MOV CL,Mod_AL
CMP CL,0x20
JL _00406DBA1
CMP CL,0x40
JL _00406DB31
XOR EDX,EDX
XOR EAX,EAX
JMP _end1
_00406DB31:
MOV EAX,EDX
XOR EDX,EDX
SHR EAX,CL
JMP _end1
_00406DBA1:
SHRD EAX,EDX,CL
SHR EDX,CL
_end1:
MOV mEax1,eax
MOV mEdx1,edx
}
// Second copy of the same helper: shifts the original value right by Mod_DL
// and writes the result back into mEax / mEdx.
__asm
{
MOV eax,mEax
MOV edx,mEdx
MOV CL,Mod_DL
CMP CL,0x20
JL _00406DBA
CMP CL,0x40
JL _00406DB3
XOR EDX,EDX
XOR EAX,EAX
JMP _end
_00406DB3:
MOV EAX,EDX
XOR EDX,EDX
SHR EAX,CL
JMP _end
_00406DBA:
SHRD EAX,EDX,CL
SHR EDX,CL
_end:
MOV mEax,eax
MOV mEdx,edx
}
// Same branch as the JNZ at 008EE2DB: an even remainder ORs the CL constant
// into the second shift result, an odd one ANDs it; both then XOR with the
// first shift result and keep the low byte.
if ((Mod_AL & 1) == 0)
{
mReg= (unsigned char)((mEax | mCL) ^ mEax1) ;
}
else
{
mReg = (unsigned char)((mEax & mCL) ^ mEax1);
}
}
// fill in the first 16 digits
unsigned j=0;
for (i=0;i<0x10;i++)
{
if (i<8)
{
// Nibbles of the seed, most significant first.
mP16[7-i] = ( mP8 >> (i*4)) & 0xF;
}
else
{
// One mReg byte per pass: low nibble, then high nibble; the extra i++ makes
// each byte account for two positions.
mP16[i+1] = mReg[j] & 0xF;
mP16 = (mReg[j] >> 4) & 0xF;
i++;
j++;
}
}
// NOTE(review): std::string::empty() only reports whether the string is
// empty; it does not clear it, and the result is discarded here.
strP16.empty();
char temStr[8] = {0};
// Render the 16 nibbles as upper-case hex text.
for (i=0;i<0x10;i++)
{
sprintf_s(temStr,sizeof(temStr),"%X",mP16);
strP16 += temStr;
}
// compute the checksum
// Two running sums seeded with 0xAF and 0x56, as in the loop at 008EE368;
// each is reduced by 0xFF once it exceeds 0xFF. The structure resembles a
// Fletcher-style two-accumulator checksum.
unsigned int mDX = 0xAF;
unsigned int mCX = 0x56;
unsigned long mEBX = 0;
for (i=0;i<0x10;i++)
{
mDX += strP16;
if (mDX > 0xFF)
{
mDX -= 0xFF;
}
mCX += mDX;
if (mCX > 0xFF)
{
mCX -= 0xFF;
}
}
// Combine the sums as (mCX << 8) + mDX and append the value as hex text.
mEBX = mCX;
mEBX = (mEBX << 8);
mEBX += mDX;
mLReg = (unsigned int)mEBX;
sprintf_s(temStr,sizeof(temStr),"%X",mLReg);
strP16 += temStr;
// Build the display string of 0x14 characters; the condition inserts '-' after
// positions 3, 7, 11 and 15.
string strREG;
for (i=0;i<0x14;i++)
{
strREG += strP16;
if (i>1 && (i+1) % 4 ==0 && i<0x10)
{
strREG += '-';
}
}
// Writes the result into the dialog control IDC_RegCode.
// NOTE(review): the cast is only type-correct when LPCTSTR is a narrow
// character pointer (non-Unicode build) — confirm against the project settings.
SetDlgItemText(IDC_RegCode,(LPCTSTR)strREG.c_str());