- UID
- 32678
注册时间2007-8-2
阅读权限40
最后登录1970-1-1
独步武林
 
该用户从未签到
|
【文章作者】: 网络断魂
【软件名称】: 小颖安装程序制作专家 5.5 Final
【下载地址】: 自己搜索
【加壳方式】: 无
【保护方式】: 序列号
【编写语言】: Borland C++ 1999
【使用工具】: PEID,OD,
【操作平台】: XP SP3,
【软件介绍】: 新一代的软件发布打包工具,内置BDE、MDAC、MS Sql server 2000 client数据库支持包,支持数据压缩,生成的安装程序解压速度很快,内置超强的智能化管理 引擎,你可以很轻松的管理你要发布的软件。支持广告图显示,支持EXE/DLL/OCX自动注册,支持注册表操作,支持反安装,支持多个地区语言(简、繁、英),支持加入软件序列号,生成的安装程序界面美观,共享版本没有任何时间限制, 但不允许使用于商业应用目的。
【作者声明】: 前几天在PYG上看到有兄弟发布这软件的内存注册机,本人也一直在用这个软件,就想分析一下它的算法,虽然这软件有万能注册码。菜鸟学习算法,失误之处敬请
诸位大侠赐教!
1、通过注册表读取或对话框断点找到关键处
0042157C /. 55 push ebp
0042157D |. 8BEC mov ebp, esp
0042157F |. 83C4 C4 add esp, -3C
00421582 |. 53 push ebx
00421583 |. 56 push esi
00421584 |. 57 push edi
00421585 |. 8D7D C4 lea edi, dword ptr [ebp-3C]
00421588 |. B8 50325300 mov eax, 00533250
0042158D |. E8 BEA00D00 call 004FB650
00421592 |. 8B15 8CFE5400 mov edx, dword ptr [54FE8C] ; CreateIn.005551A4
00421598 |. 8B02 mov eax, dword ptr [edx]
0042159A |. 8B0D 60FB5400 mov ecx, dword ptr [54FB60] ; CreateIn._BuildingFileProcessWnd
004215A0 |. 8B15 80665200 mov edx, dword ptr [526680] ; CreateIn.005266CC
004215A6 |. E8 E1470900 call 004B5D8C
004215AB |. 6A 00 push 0
004215AD |. E8 02120100 call 004327B4
004215B2 |. 59 pop ecx
004215B3 |. 6A 01 push 1
004215B5 |. E8 36120100 call 004327F0
004215BA |. 59 pop ecx
004215BB |. B2 01 mov dl, 1
004215BD |. A1 149D4500 mov eax, dword ptr [459D14]
004215C2 |. E8 4D880300 call 00459E14
004215C7 |. 8BD8 mov ebx, eax
004215C9 |. BA 02000080 mov edx, 80000002
004215CE |. 8BC3 mov eax, ebx
004215D0 |. E8 0F6D0E00 call 005082E4
004215D5 |. 66:C747 10 0C>mov word ptr [edi+10], 0C
004215DB |. BA 37035300 mov edx, 00530337 ; \software\yingsoft\yinginstall
004215E0 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004215E3 |. E8 046D0E00 call 005082EC ; //读注册表
004215E8 |. FF47 1C inc dword ptr [edi+1C]
004215EB |. 8B10 mov edx, dword ptr [eax]
004215ED |. B1 01 mov cl, 1
004215EF |. 8BC3 mov eax, ebx
004215F1 |. E8 22890300 call 00459F18
004215F6 |. FF4F 1C dec dword ptr [edi+1C]
004215F9 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004215FC |. BA 02000000 mov edx, 2
00421601 |. E8 F26D0E00 call 005083F8
00421606 |. 66:C747 10 24>mov word ptr [edi+10], 24
0042160C |. BA 56035300 mov edx, 00530356
00421611 |. 8D45 FC lea eax, dword ptr [ebp-4]
00421614 |. E8 D36C0E00 call 005082EC
00421619 |. FF47 1C inc dword ptr [edi+1C]
0042161C |. 66:C747 10 18>mov word ptr [edi+10], 18
00421622 |. 66:C747 10 30>mov word ptr [edi+10], 30
00421628 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0042162B |. E8 400BFEFF call 00402170
00421630 |. 50 push eax
00421631 |. FF47 1C inc dword ptr [edi+1C]
00421634 |. BA 57035300 mov edx, 00530357 ; regcode
00421639 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0042163C |. E8 AB6C0E00 call 005082EC
00421641 |. FF47 1C inc dword ptr [edi+1C]
00421644 |. 8B10 mov edx, dword ptr [eax]
00421646 |. 8BC3 mov eax, ebx
00421648 |. 59 pop ecx
00421649 |. E8 968C0300 call 0045A2E4 ; //取假码
0042164E |. 8D55 F0 lea edx, dword ptr [ebp-10] ; //假码存储的堆栈地址送给EDX,FAD8堆栈
00421651 |. 8D45 FC lea eax, dword ptr [ebp-4] ; //FAE4堆栈地址送给EAX
00421654 |. E8 CF6D0E00 call 00508428
00421659 |. FF4F 1C dec dword ptr [edi+1C]
0042165C |. 8D45 F0 lea eax, dword ptr [ebp-10] ; //假码地址送给EAX
0042165F |. BA 02000000 mov edx, 2 ; //EDX置2
00421664 |. E8 8F6D0E00 call 005083F8
00421669 |. FF4F 1C dec dword ptr [edi+1C]
0042166C |. 8D45 F4 lea eax, dword ptr [ebp-C]
0042166F |. BA 02000000 mov edx, 2
00421674 |. E8 7F6D0E00 call 005083F8
00421679 |. 8BC3 mov eax, ebx
0042167B |. E8 04880300 call 00459E84
00421680 |. 8BF3 mov esi, ebx
00421682 |. 8975 E8 mov dword ptr [ebp-18], esi
00421685 |. 85F6 test esi, esi
00421687 |. 74 1E je short 004216A7
00421689 |. 8B06 mov eax, dword ptr [esi]
0042168B |. 8945 EC mov dword ptr [ebp-14], eax
0042168E |. 66:C747 10 48>mov word ptr [edi+10], 48
00421694 |. BA 03000000 mov edx, 3
00421699 |. 8B45 E8 mov eax, dword ptr [ebp-18]
0042169C |. 8B08 mov ecx, dword ptr [eax]
0042169E |. FF51 FC call dword ptr [ecx-4]
004216A1 |. 66:C747 10 3C>mov word ptr [edi+10], 3C
004216A7 |> 8B55 FC mov edx, dword ptr [ebp-4] ; //假码送给EDX
004216AA |. 52 push edx ; //入栈
004216AB |. E8 D0D20000 call 0042E980 ; //关键CALL
004216B0 |. 59 pop ecx
004216B1 |. 84C0 test al, al
004216B3 |. 75 27 jnz short 004216DC ; //关键跳?
004216B5 |. A1 8CFE5400 mov eax, dword ptr [54FE8C]
004216BA |. 8B00 mov eax, dword ptr [eax]
004216BC |. 8B0D 98FB5400 mov ecx, dword ptr [54FB98] ; CreateIn._RegSoft
004216C2 |. 8B15 20F15300 mov edx, dword ptr [53F120] ; CreateIn.0053F16C
004216C8 |. E8 BF460900 call 004B5D8C
004216CD |. A1 98FB5400 mov eax, dword ptr [54FB98]
004216D2 |. 8B00 mov eax, dword ptr [eax]
004216D4 |. 8B10 mov edx, dword ptr [eax]
004216D6 |. FF92 FC000000 call dword ptr [edx+FC] ; //弹注册框
004216DC |> FF4F 1C dec dword ptr [edi+1C]
004216DF |. 8D45 FC lea eax, dword ptr [ebp-4]
004216E2 |. BA 02000000 mov edx, 2
004216E7 |. E8 0C6D0E00 call 005083F8
004216EC |. 8B0F mov ecx, dword ptr [edi]
004216EE |. 64:890D 00000>mov dword ptr fs:[0], ecx
004216F5 |. 5F pop edi
004216F6 |. 5E pop esi
004216F7 |. 5B pop ebx
004216F8 |. 8BE5 mov esp, ebp
004216FA |. 5D pop ebp
004216FB \. C3 retn
2、由004216AB call 0042E980 ; //关键CALL 进入:
(在这个CALL中我们可以找出这软件的万能注册码CHINAPOWER-YINGSOFT,这个注册号对本软件所有版本都通用)
0042E980 /$ 55 push ebp
0042E981 |. 8BEC mov ebp, esp
0042E983 |. 83C4 B4 add esp, -4C
0042E986 |. 53 push ebx
0042E987 |. 56 push esi
0042E988 |. 8D5D B4 lea ebx, dword ptr [ebp-4C]
0042E98B |. 8D75 D4 lea esi, dword ptr [ebp-2C]
0042E98E |. B8 28A25300 mov eax, 0053A228
0042E993 |. E8 B8CC0C00 call 004FB650
0042E998 |. C746 1C 01000>mov dword ptr [esi+1C], 1
0042E99F |. 8D55 08 lea edx, dword ptr [ebp+8] ; //假码堆栈地址送给EDX
0042E9A2 |. 8D45 08 lea eax, dword ptr [ebp+8]
0042E9A5 |. E8 7A990D00 call 00508324
0042E9AA |. FF46 1C inc dword ptr [esi+1C]
0042E9AD |. 66:C746 10 0C>mov word ptr [esi+10], 0C ; //这一段送万能注册码:CHINAPOWER-YINGSOFT
0042E9B3 |. C643 05 50 mov byte ptr [ebx+5], 50
0042E9B7 |. C643 06 4F mov byte ptr [ebx+6], 4F
0042E9BB |. C643 07 57 mov byte ptr [ebx+7], 57
0042E9BF |. C603 43 mov byte ptr [ebx], 43
0042E9C2 |. C643 01 48 mov byte ptr [ebx+1], 48
0042E9C6 |. C643 08 45 mov byte ptr [ebx+8], 45
0042E9CA |. C643 09 52 mov byte ptr [ebx+9], 52
0042E9CE |. C643 0D 4E mov byte ptr [ebx+D], 4E
0042E9D2 |. C643 0E 47 mov byte ptr [ebx+E], 47
0042E9D6 |. C643 0A 2D mov byte ptr [ebx+A], 2D
0042E9DA |. C643 0B 59 mov byte ptr [ebx+B], 59
0042E9DE |. C643 0C 49 mov byte ptr [ebx+C], 49
0042E9E2 |. C643 11 46 mov byte ptr [ebx+11], 46
0042E9E6 |. C643 12 54 mov byte ptr [ebx+12], 54
0042E9EA |. C643 0F 53 mov byte ptr [ebx+F], 53
0042E9EE |. C643 10 4F mov byte ptr [ebx+10], 4F
0042E9F2 |. C643 13 00 mov byte ptr [ebx+13], 0
0042E9F6 |. C643 02 49 mov byte ptr [ebx+2], 49
0042E9FA |. C643 03 4E mov byte ptr [ebx+3], 4E
0042E9FE |. C643 04 41 mov byte ptr [ebx+4], 41
0042EA02 |. 66:C746 10 18>mov word ptr [esi+10], 18
0042EA08 |. 8D45 FC lea eax, dword ptr [ebp-4]
0042EA0B |. E8 6037FDFF call 00402170
0042EA10 |. 8BD0 mov edx, eax
0042EA12 |. FF46 1C inc dword ptr [esi+1C]
0042EA15 |. 8BC3 mov eax, ebx
0042EA17 |. E8 CCF40200 call 0045DEE8
0042EA1C |. 8D55 FC lea edx, dword ptr [ebp-4]
0042EA1F |. 8D45 08 lea eax, dword ptr [ebp+8]
0042EA22 |. E8 B59A0D00 call 005084DC
0042EA27 |. 50 push eax
0042EA28 |. FF4E 1C dec dword ptr [esi+1C]
0042EA2B |. 8D45 FC lea eax, dword ptr [ebp-4]
0042EA2E |. BA 02000000 mov edx, 2
0042EA33 |. E8 C0990D00 call 005083F8
0042EA38 |. 59 pop ecx
0042EA39 |. 84C9 test cl, cl
0042EA3B |. 74 1F je short 0042EA5C
0042EA3D |. B0 01 mov al, 1
0042EA3F |. BA 02000000 mov edx, 2
0042EA44 |. 50 push eax
0042EA45 |. 8D45 08 lea eax, dword ptr [ebp+8]
0042EA48 |. FF4E 1C dec dword ptr [esi+1C]
0042EA4B |. E8 A8990D00 call 005083F8
0042EA50 |. 58 pop eax
0042EA51 |. 8B16 mov edx, dword ptr [esi]
0042EA53 |. 64:8915 00000>mov dword ptr fs:[0], edx
0042EA5A |. EB 75 jmp short 0042EAD1
0042EA5C |> 66:C746 10 24>mov word ptr [esi+10], 24
0042EA62 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0042EA65 |. E8 0637FDFF call 00402170
0042EA6A |. 50 push eax
0042EA6B |. FF46 1C inc dword ptr [esi+1C]
0042EA6E |. E8 41010000 call 0042EBB4 ; //关键CALL,生成真码
0042EA73 |. 59 pop ecx
0042EA74 |. 8D55 F8 lea edx, dword ptr [ebp-8]
0042EA77 |. 8D45 08 lea eax, dword ptr [ebp+8]
0042EA7A |. E8 5D9A0D00 call 005084DC
0042EA7F |. 50 push eax ; //内存注册机地址
0042EA80 |. FF4E 1C dec dword ptr [esi+1C]
0042EA83 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0042EA86 |. BA 02000000 mov edx, 2
0042EA8B |. E8 68990D00 call 005083F8
0042EA90 |. 59 pop ecx
0042EA91 |. 84C9 test cl, cl
0042EA93 |. 74 1F je short 0042EAB4
0042EA95 |. B0 01 mov al, 1
0042EA97 |. BA 02000000 mov edx, 2
0042EA9C |. 50 push eax
0042EA9D |. 8D45 08 lea eax, dword ptr [ebp+8]
0042EAA0 |. FF4E 1C dec dword ptr [esi+1C]
0042EAA3 |. E8 50990D00 call 005083F8
0042EAA8 |. 58 pop eax
0042EAA9 |. 8B16 mov edx, dword ptr [esi]
0042EAAB |. 64:8915 00000>mov dword ptr fs:[0], edx
0042EAB2 |. EB 1D jmp short 0042EAD1
0042EAB4 |> 33C0 xor eax, eax
0042EAB6 |. BA 02000000 mov edx, 2
0042EABB |. 50 push eax
0042EABC |. 8D45 08 lea eax, dword ptr [ebp+8]
0042EABF |. FF4E 1C dec dword ptr [esi+1C]
0042EAC2 |. E8 31990D00 call 005083F8 ; //取假码
0042EAC7 |. 58 pop eax
0042EAC8 |. 8B16 mov edx, dword ptr [esi]
0042EACA |. 64:8915 00000>mov dword ptr fs:[0], edx
0042EAD1 |> 5E pop esi
0042EAD2 |. 5B pop ebx
0042EAD3 |. 8BE5 mov esp, ebp
0042EAD5 |. 5D pop ebp
0042EAD6 \. C3 retn
3、由0042EA6E call 0042EBB4 ; //关键CALL, 来到:
0042EBB4 /$ 55 push ebp ; //关键函数,生成真码
0042EBB5 |. 8BEC mov ebp, esp
0042EBB7 |. 81C4 84FEFFFF add esp, -17C
0042EBBD |. 53 push ebx
0042EBBE |. 56 push esi
0042EBBF |. 57 push edi
0042EBC0 |. 8D75 CC lea esi, dword ptr [ebp-34]
0042EBC3 |. B8 4CA35300 mov eax, 0053A34C
0042EBC8 |. E8 83CA0C00 call 004FB650
0042EBCD |. 33D2 xor edx, edx
0042EBCF |. 8955 C8 mov dword ptr [ebp-38], edx
0042EBD2 |. 66:C746 10 0C>mov word ptr [esi+10], 0C
0042EBD8 |. 8D45 FC lea eax, dword ptr [ebp-4]
0042EBDB |. E8 9035FDFF call 00402170
0042EBE0 |. FF46 1C inc dword ptr [esi+1C]
0042EBE3 |. 8D55 C0 lea edx, dword ptr [ebp-40]
0042EBE6 |. 66:C746 10 18>mov word ptr [esi+10], 18
0042EBEC |. 6A 00 push 0 ; /pFileSystemNameSize = NULL
0042EBEE |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
0042EBF0 |. 52 push edx ; |pFileSystemFlags
0042EBF1 |. 8D4D C4 lea ecx, dword ptr [ebp-3C] ; |
0042EBF4 |. 51 push ecx ; |pMaxFilenameLength
0042EBF5 |. 8D45 C8 lea eax, dword ptr [ebp-38] ; |
0042EBF8 |. 50 push eax ; |pVolumeSerialNumber
0042EBF9 |. 8D95 94FEFFFF lea edx, dword ptr [ebp-16C] ; |
0042EBFF |. 68 04010000 push 104 ; |MaxVolumeNameSize = 104 (260.)
0042EC04 |. 52 push edx ; |VolumeNameBuffer
0042EC05 |. 68 3F845300 push 0053843F ; |c:\
0042EC0A |. E8 DB5C0F00 call <jmp.&KERNEL32.GetVolumeInformat>; \GetVolumeInformationA
0042EC0F |. C165 C8 02 shl dword ptr [ebp-38], 2 ; //682B62E6 左移2位,难道682B62E6是硬件号?(F9FC堆栈中)
0042EC13 |. 66:C746 10 24>mov word ptr [esi+10], 24 ; //24送给FA10堆栈中
0042EC19 |. 8B4D C8 mov ecx, dword ptr [ebp-38] ; //左移后的低32位送给ECX
0042EC1C |. 33C0 xor eax, eax ; //EAX清零
0042EC1E |. 898D 8CFEFFFF mov dword ptr [ebp-174], ecx ; //低32位送入F8C0堆栈中
0042EC24 |. 8985 90FEFFFF mov dword ptr [ebp-170], eax ; //0送入F8C4堆栈中
0042EC2A |. DFAD 8CFEFFFF fild qword ptr [ebp-174] ; //fild是将整数转化为长双精度压栈
0042EC30 |. 83C4 F4 add esp, -0C
0042EC33 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0042EC36 |. DB3C24 fstp tbyte ptr [esp] ; //将左移后的低32位转换为又精度数弹出,变成2695728024
0042EC39 |. E8 3235FDFF call 00402170
0042EC3E |. FF46 1C inc dword ptr [esi+1C]
0042EC41 |. E8 DAFE0200 call 0045EB20
0042EC46 |. 8D55 F8 lea edx, dword ptr [ebp-8] ; //转换后的数字字符串堆栈地址送给EDX
0042EC49 |. 8D45 FC lea eax, dword ptr [ebp-4] ; //FA30堆栈送给EAX
0042EC4C |. E8 D7970D00 call 00508428 ; //字符串转存到FA30堆栈中
0042EC51 |. FF4E 1C dec dword ptr [esi+1C] ; //FA1C中的内容-1(原值为2)
0042EC54 |. 8D45 F8 lea eax, dword ptr [ebp-8] ; //FA2C堆栈地址给EAX(存的是数字字符串)
0042EC57 |. BA 02000000 mov edx, 2 ; //EDX置2
0042EC5C |. E8 97970D00 call 005083F8 ; //干嘛?
0042EC61 |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; //FA30中的内容是否为空(数字字符串)
0042EC65 |. 74 05 je short 0042EC6C ; //为空则跳
0042EC67 |. 8B5D FC mov ebx, dword ptr [ebp-4] ; //FA30中的内容送给EBX
0042EC6A |. EB 05 jmp short 0042EC71
0042EC6C |> BB 43845300 mov ebx, 00538443
0042EC71 |> 33C0 xor eax, eax ; //EAX清零
0042EC73 |. 56 push esi
0042EC74 |. 8BFB mov edi, ebx ; //数字字符串送给EDI
0042EC76 |. 83C9 FF or ecx, FFFFFFFF ; //ECX=FFFFFFFF
0042EC79 |. F2:AE repne scas byte ptr es:[edi] ; //重复查找ASCII值为0的字符,这里可以计算出长度
0042EC7B |. F7D1 not ecx ; //取反,(可以得出字符串长度+1的值)
0042EC7D |. 2BF9 sub edi, ecx ; //减去长度加一后的值,回到字符串首地址
0042EC7F |. 8DB5 94FEFFFF lea esi, dword ptr [ebp-16C]
0042EC85 |. 87F7 xchg edi, esi ; //交换操作数
0042EC87 |. 8BD1 mov edx, ecx
0042EC89 |. 8BC7 mov eax, edi
0042EC8B |. C1E9 02 shr ecx, 2 ; //右移2位(即除以4),用来取前面4的倍数位字符
0042EC8E |. F3:A5 rep movs dword ptr es:[edi], dword p>; //字符串传送(传送前8位)
0042EC90 |. 8BCA mov ecx, edx ; //长度+1的值再送给ECX,
0042EC92 |. 83E1 03 and ecx, 3 ; //跟3作与运算,用来传送剩余的字符,
0042EC95 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; //字传送,用来传送刚才剩余的字符
0042EC97 |. 8A85 94FEFFFF mov al, byte ptr [ebp-16C] ; //第一位字符送给AL
0042EC9D |. 5E pop esi ; //字符串最后一位地址弹给ESI(堆栈FA00)
0042EC9E |. 8A95 98FEFFFF mov dl, byte ptr [ebp-168] ; //字符串第五位字符送给DL
0042ECA4 |. 8895 94FEFFFF mov byte ptr [ebp-16C], dl ; //DL(第五位)送给字符串第一位
0042ECAA |. 8885 98FEFFFF mov byte ptr [ebp-168], al ; //AL(第一位)送给第五位, 这两句是第1位与第5位交换
0042ECB0 |. 8A85 97FEFFFF mov al, byte ptr [ebp-169] ; //字符串第4位送给AL
0042ECB6 |. 8A95 96FEFFFF mov dl, byte ptr [ebp-16A] ; //字符串第3位送给DL
0042ECBC |. 8895 97FEFFFF mov byte ptr [ebp-169], dl ; //DL(第3位)送给第4位
0042ECC2 |. 8885 96FEFFFF mov byte ptr [ebp-16A], al ; //AL(第4位)送给第3位,这里是第3和第4位交换
0042ECC8 |. 66:C746 10 30>mov word ptr [esi+10], 30 ; //30(0)送入堆栈FA10中
0042ECCE |. 8D45 F4 lea eax, dword ptr [ebp-C]
0042ECD1 |. 8D95 94FEFFFF lea edx, dword ptr [ebp-16C] ; //交换好的字符串送给EDX
0042ECD7 |. E8 10960D00 call 005082EC
0042ECDC |. FF46 1C inc dword ptr [esi+1C]
0042ECDF |. 8B00 mov eax, dword ptr [eax]
0042ECE1 |. E8 D2FE0200 call 0045EBB8
0042ECE6 |. E8 1D270D00 call 00501408 ; //将字符串转换为十六进制,EAX中放低8位,EDX中放高8位
0042ECEB |. 8945 C8 mov dword ptr [ebp-38], eax ; //EAX(低8位)送入F9FC堆栈中
0042ECEE |. FF4E 1C dec dword ptr [esi+1C]
0042ECF1 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; //FA28堆栈地址(存的是交换后的字符串)送给EAX
0042ECF4 |. BA 02000000 mov edx, 2 ; //EDX=2
0042ECF9 |. E8 FA960D00 call 005083F8
0042ECFE |. 8175 C8 8DF00>xor dword ptr [ebp-38], 404F08D ; //低8位 XOR 404F08D
0042ED05 |. 66:C746 10 3C>mov word ptr [esi+10], 3C ; //3C送入堆栈FA10中
0042ED0B |. 8B4D C8 mov ecx, dword ptr [ebp-38] ; //异或后的结果送给ECX
0042ED0E |. 33C0 xor eax, eax ; //EAX清零
0042ED10 |. 898D 84FEFFFF mov dword ptr [ebp-17C], ecx ; //异或结果送入堆栈F8B8中,
0042ED16 |. 8985 88FEFFFF mov dword ptr [ebp-178], eax ; //EAX值送入堆栈FB8C,(置零)
0042ED1C |. DFAD 84FEFFFF fild qword ptr [ebp-17C] ; //压入栈(双精度)
0042ED22 |. 83C4 F4 add esp, -0C
0042ED25 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0042ED28 |. DB3C24 fstp tbyte ptr [esp] ; //双精度弹出,就是真码
0042ED2B |. E8 4034FDFF call 00402170
0042ED30 |. FF46 1C inc dword ptr [esi+1C]
0042ED33 |. E8 E8FD0200 call 0045EB20
0042ED38 |. 8D55 F0 lea edx, dword ptr [ebp-10]
0042ED3B |. 8B45 08 mov eax, dword ptr [ebp+8]
0042ED3E |. E8 E5960D00 call 00508428
0042ED43 |. 8B45 08 mov eax, dword ptr [ebp+8]
0042ED46 |. BA 02000000 mov edx, 2
0042ED4B |. 66:C746 10 48>mov word ptr [esi+10], 48
0042ED51 |. 50 push eax
0042ED52 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0042ED55 |. FF4E 1C dec dword ptr [esi+1C]
0042ED58 |. E8 9B960D00 call 005083F8 ; //取出真码
0042ED5D |. FF4E 1C dec dword ptr [esi+1C]
0042ED60 |. 8D45 FC lea eax, dword ptr [ebp-4]
0042ED63 |. BA 02000000 mov edx, 2
0042ED68 |. E8 8B960D00 call 005083F8
0042ED6D |. 58 pop eax
0042ED6E |. 66:C746 10 3C>mov word ptr [esi+10], 3C
0042ED74 |. FF46 1C inc dword ptr [esi+1C]
0042ED77 |. 8B16 mov edx, dword ptr [esi]
0042ED79 |. 64:8915 00000>mov dword ptr fs:[0], edx
0042ED80 |. 5F pop edi
0042ED81 |. 5E pop esi
0042ED82 |. 5B pop ebx
0042ED83 |. 8BE5 mov esp, ebp
0042ED85 |. 5D pop ebp
0042ED86 \. C3 retn
4、由注册码的生成过程我们知道,要生成注册码必须依靠硬件号,如果要作算法注册机的话我们必须知道硬件号,那就得根据软件产生的机器码反推出硬件号,
根据上面分析我们知道 0042EC0A |. E8 DB5C0F00 call <jmp.&KERNEL32.GetVolumeInformat> 这里读取硬件号,F7进去,
005248EA $- FF25 CCC35500 jmp dword ptr [<&KERNEL32.GetVolumeI>; kernel32.GetVolumeInformationA
在这个地方我们可以看到:
ds:[0055C3CC]=7C821B8D (kernel32.GetVolumeInformationA)
本地调用来自 0042EB28, 0042EC0A
0042EAD8 /$ 55 push ebp ; //取硬盘号,生成机器码的地方
0042EAD9 |. 8BEC mov ebp, esp
0042EADB |. 81C4 94FEFFFF add esp, -16C
0042EAE1 |. B8 A4A25300 mov eax, 0053A2A4
0042EAE6 |. E8 65CB0C00 call 004FB650
0042EAEB |. 33D2 xor edx, edx
0042EAED |. 8955 D0 mov dword ptr [ebp-30], edx
0042EAF0 |. 66:C745 E4 0C>mov word ptr [ebp-1C], 0C
0042EAF6 |. 8D45 FC lea eax, dword ptr [ebp-4]
0042EAF9 |. E8 7236FDFF call 00402170
0042EAFE |. FF45 F0 inc dword ptr [ebp-10]
0042EB01 |. 8D55 C8 lea edx, dword ptr [ebp-38]
0042EB04 |. 66:C745 E4 18>mov word ptr [ebp-1C], 18
0042EB0A |. 6A 00 push 0 ; /pFileSystemNameSize = NULL
0042EB0C |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
0042EB0E |. 52 push edx ; |pFileSystemFlags
0042EB0F |. 8D4D CC lea ecx, dword ptr [ebp-34] ; |
0042EB12 |. 51 push ecx ; |pMaxFilenameLength
0042EB13 |. 8D45 D0 lea eax, dword ptr [ebp-30] ; |
0042EB16 |. 50 push eax ; |pVolumeSerialNumber
0042EB17 |. 8D95 9CFEFFFF lea edx, dword ptr [ebp-164] ; |
0042EB1D |. 68 04010000 push 104 ; |MaxVolumeNameSize = 104 (260.)
0042EB22 |. 52 push edx ; |VolumeNameBuffer
0042EB23 |. 68 3B845300 push 0053843B ; |c:\
0042EB28 |. E8 BD5D0F00 call <jmp.&KERNEL32.GetVolumeInformat>; \GetVolumeInformationA
0042EB2D |. 66:C745 E4 24>mov word ptr [ebp-1C], 24 ; //取到的硬件码放在F78C堆栈中,| 24送入F7A0堆栈中
0042EB33 |. 8B4D D0 mov ecx, dword ptr [ebp-30] ; //硬件号送给ECX
0042EB36 |. 33C0 xor eax, eax ; //EAX清零
0042EB38 |. 81F1 39FE0D03 xor ecx, 30DFE39 ; //硬件号与30DFE39进行异或运算
0042EB3E |. 83C4 F4 add esp, -0C
0042EB41 |. 898D 94FEFFFF mov dword ptr [ebp-16C], ecx ; //异或结果送到F650堆栈中
0042EB47 |. 8985 98FEFFFF mov dword ptr [ebp-168], eax ; //0送入F654堆栈中,
0042EB4D |. DFAD 94FEFFFF fild qword ptr [ebp-16C] ; //异或值转换为双精度压入栈
0042EB53 |. 8D45 F8 lea eax, dword ptr [ebp-8] ; //F7B4堆栈送给EAX
0042EB56 |. DB3C24 fstp tbyte ptr [esp] ; // fstp是将弹栈指令,弹出的值取整就是机器码
0042EB59 |. E8 1236FDFF call 00402170
0042EB5E |. FF45 F0 inc dword ptr [ebp-10]
0042EB61 |. E8 BAFF0200 call 0045EB20
0042EB66 |. 8D55 F8 lea edx, dword ptr [ebp-8]
0042EB69 |. 8B45 08 mov eax, dword ptr [ebp+8]
0042EB6C |. E8 B7980D00 call 00508428
0042EB71 |. 8B45 08 mov eax, dword ptr [ebp+8]
0042EB74 |. BA 02000000 mov edx, 2
0042EB79 |. 66:C745 E4 30>mov word ptr [ebp-1C], 30
0042EB7F |. 50 push eax
0042EB80 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0042EB83 |. FF4D F0 dec dword ptr [ebp-10]
0042EB86 |. E8 6D980D00 call 005083F8 ; //生成机器码
0042EB8B |. FF4D F0 dec dword ptr [ebp-10]
0042EB8E |. 8D45 FC lea eax, dword ptr [ebp-4]
0042EB91 |. BA 02000000 mov edx, 2
0042EB96 |. E8 5D980D00 call 005083F8
0042EB9B |. 58 pop eax
0042EB9C |. 66:C745 E4 24>mov word ptr [ebp-1C], 24
0042EBA2 |. FF45 F0 inc dword ptr [ebp-10]
0042EBA5 |. 8B55 D4 mov edx, dword ptr [ebp-2C]
0042EBA8 |. 64:8915 00000>mov dword ptr fs:[0], edx
0042EBAF |. 8BE5 mov esp, ebp
0042EBB1 |. 5D pop ebp
0042EBB2 \. C3 retn
5、算法总结:
1)、逆推硬件号:
因为:硬件号 XOR 30DFE39 = 机器码(十六进制) 所以: 硬件号 = 机器码(十六进制)XOR 30DFE39;
2)、生成注册码:
硬件号 SHL 2,取低位,转换为10进制字符串,记作STR1;
第一位与第五位交换,第四位与第三位交换,交换后的字符串记作STR2;
STR2转为十六进制,取低位,记作STR3;
STR3 XOR 404F08D,得出的值转换为10进制,就是真码!!!!
[ 本帖最后由 网络断魂 于 2008-3-9 02:10 编辑 ] |
|
IP卡
发表于 2008-3-8 14:05:05
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2008-3-8 14:07:47
发表于 2008-3-8 18:03:53
发表于 2008-4-4 11:12:17
发表于 2008-4-4 23:55:39
