Registration Code Algorithm Analysis of a QQ Mass-Messaging Tool V1.0
Date: August 22, 2005  Cracked by: wxb
-------------------------------------------------------------------------------------------------------------------------
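『Software name』: a QQ mass-messaging tool V1.0
『Software size』: 1111 KB
『Download URL』: The software is used to send spam, so the download URL is omitted.
『Protection』: registration code + ad sending
『Cracking statement』: I'm new to cracking and just curious. Today I received an ad message on QQ sent by an unregistered copy, so I analyzed it out of boredom. Corrections from the experts are welcome!
『Tools』: OllyDbg V1.10 (聆风听雨 Chinese localization, 2nd edition), PeID 0.93
『Cracking process』:
I. Checking for a packer
PeID 0.93 reports the packer as NsPack V1.4 -> LiuXingPing [Overlay] *. Let's try to unpack it. Load it in OD: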
0042AF61 阿> 9C pushfd
0042AF62 60 pushad
0042AF63 E8 00000000 call qf.0042AF68 // F8 to here, ESP=0012FFA0
0042AF68 5D pop ebp
0042AF69 B8 B1854000 mov eax,qf.004085B1
0042AF6E 2D AA854000 sub eax,qf.004085AA
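By the ESP law, set a hardware breakpoint from the command line: hr esp, then press F9 to run:
0042B185 9D popfd // breaks here; remove the hardware breakpoint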
0042B186 - E9 A686FDFF jmp qf.00403831 //JMP OEP
0042B18B 8BB5 A3FEFFFF mov esi,dword ptr ss:[ebp-15D]
0042B191 0BF6 or esi,esi
After the break, remove the breakpoint and single-step with F7 twice to arrive at:
00403831 /. 55 push ebp
00403832 |. 8BEC mov ebp,esp
00403834 |. 6A FF push -1
00403836 |. 68 F0624000 push qf.004062F0
0040383B |. 68 A44C4000 push qf.00404CA4 ; SE handler installation
00403840 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00403846 |. 50 push eax
00403847 |. 64:8925 00000000 mov dword ptr fs:[0],esp
0040384E |. 83EC 58 sub esp,58
00403851 |. 53 push ebx
00403852 |. 56 push esi
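After dumping and fixing, the file would not run, and it turned out to be even smaller than before unpacking. The overlay data was not restored. Being clueless about packers, I decided to just debug it packed. F9 to run...
II. Registration check analysis
Switch to the registration dialog, enter the trial code 1234567890 and click "Register". It reports: wrong registration code. A message is helpful: bp MessageBoxA, confirm, and OD breaks at: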
77D5050B U> 8BFF mov edi,edi
77D5050D 55 push ebp
77D5050E 8BEC mov ebp,esp
77D50510 833D 1C04D777 00 cmp dword ptr ds:[77D7041C],0
Return to the main module; the break is at 00427844. Scrolling up, we reach:
00427767 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; trial code
0042776A |. 85C0 test eax,eax
0042776C |. 75 05 jnz short qf.00427773
0042776E |. B8 C7924000 mov eax,qf.004092C7
00427773 |> 50 push eax
00427774 |. 68 01000000 push 1
00427779 |. BB 30010000 mov ebx,130
0042777E |. E8 48040000 call qf.00427BCB
00427783 |. 83C4 10 add esp,10
00427786 |. 8945 F4 mov dword ptr ss:[ebp-C],eax ; trial code length
00427789 |. 837D F4 0B cmp dword ptr ss:[ebp-C],0B
0042778D |. 0F85 71000000 jnz qf.00427804 ; trial code length must be 11
00427793 |. 68 01030080 push 80000301
00427798 |. 6A 00 push 0
0042779A |. 68 03000000 push 3
0042779F |. 68 04000080 push 80000004
004277A4 |. 6A 00 push 0
004277A6 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; trial code
004277A9 |. 85C0 test eax,eax
004277AB |. 75 05 jnz short qf.004277B2 ; trial code is not empty
004277AD |. B8 C7924000 mov eax,qf.004092C7
004277B2 |> 50 push eax ; trial code
004277B3 |. 68 02000000 push 2 ; 2
004277B8 |. BB 34010000 mov ebx,134
004277BD |. E8 09040000 call qf.00427BCB ; take the first 3 characters of the trial code
004277C2 |. 83C4 1C add esp,1C
004277C5 |. 8945 EC mov dword ptr ss:[ebp-14],eax ; first 3 characters of the trial code
004277C8 |. 68 F4FC4000 push qf.0040FCF4 ; ASCII "BIN"
004277CD |. FF75 EC push dword ptr ss:[ebp-14]
004277D0 |. E8 26A8FFFF call qf.00421FFB
004277D5 |. 83C4 08 add esp,8
004277D8 |. 83F8 00 cmp eax,0
004277DB |. B8 00000000 mov eax,0
004277E0 |. 0F95C0 setne al ; first 3 characters must be the BIN marker
004277E3 |. 8945 E8 mov dword ptr ss:[ebp-18],eax
004277E6 |. 8B5D EC mov ebx,dword ptr ss:[ebp-14] ; first 3 characters of the trial code
004277E9 |. 85DB test ebx,ebx
004277EB |. 74 09 je short qf.004277F6 ; must not be empty
004277ED |. 53 push ebx
004277EE |. E8 D2030000 call qf.00427BC5
004277F3 |. 83C4 04 add esp,4
004277F6 |> 837D E8 00 cmp dword ptr ss:[ebp-18],0
004277FA |. 0F85 04000000 jnz qf.00427804
00427800 |. 33C0 xor eax,eax
00427802 |. EB 05 jmp short qf.00427809
00427804 |> B8 01000000 mov eax,1
00427809 |> 85C0 test eax,eax
0042780B |. 0F84 3B000000 je qf.0042784C ; must jump: the first 3 characters have to be BIN
00427811 |. 68 04000080 push 80000004
00427816 |. 6A 00 push 0
00427818 |. 68 61FF4000 push qf.0040FF61
0042781D |. 68 01030080 push 80000301
00427822 |. 6A 00 push 0
00427824 |. 68 10000000 push 10
00427829 |. 68 04000080 push 80000004
0042782E |. 6A 00 push 0
00427830 |. 68 66FF4000 push qf.0040FF66
00427835 |. 68 03000000 push 3
0042783A |. BB 00030000 mov ebx,300
0042783F |. E8 87030000 call qf.00427BCB ; MessageBoxA
00427844 |. 83C4 28 add esp,28 ; breaks here
00427847 |. E9 B5010000 jmp qf.00427A01
0042784C |> 6A FF push -1
0042784E |. 6A 08 push 8
00427850 |. 68 68010116 push 16010168
00427855 |. 68 01000152 push 52010001
0042785A |. E8 78030000 call qf.00427BD7
0042785F |. 83C4 10 add esp,10
00427862 |. 8945 F8 mov dword ptr ss:[ebp-8],eax ; EAX points to the trial code
00427865 |. A1 180DE700 mov eax,dword ptr ds:[E70D18] ; the already-computed registration code??
0042786A |. 50 push eax ; registration code
0042786B |. FF75 F8 push dword ptr ss:[ebp-8] ; trial code
0042786E |. E8 88A7FFFF call qf.00421FFB ; compare
00427873 |. 83C4 08 add esp,8
00427876 |. 83F8 00 cmp eax,0
00427879 |. B8 00000000 mov eax,0
0042787E |. 0F95C0 setne al ; comparison flag
00427881 |. 8945 F4 mov dword ptr ss:[ebp-C],eax
00427884 |. 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
00427887 |. 85DB test ebx,ebx
00427889 |. 74 09 je short qf.00427894
0042788B |. 53 push ebx
0042788C |. E8 34030000 call qf.00427BC5
00427891 |. 83C4 04 add esp,4
00427894 |> 837D F4 00 cmp dword ptr ss:[ebp-C],0 ; test the comparison flag
00427898 |. 0F84 3B000000 je qf.004278D9 ; patch point
0042789E |. 68 04000080 push 80000004
004278A3 |. 6A 00 push 0
004278A5 |. 68 61FF4000 push qf.0040FF61
004278AA |. 68 01030080 push 80000301
004278AF |. 6A 00 push 0
004278B1 |. 68 10000000 push 10
004278B6 |. 68 04000080 push 80000004
004278BB |. 6A 00 push 0
004278BD |. 68 66FF4000 push qf.0040FF66
004278C2 |. 68 03000000 push 3
004278C7 |. BB 00030000 mov ebx,300
004278CC |. E8 FA020000 call qf.00427BCB
004278D1 |. 83C4 28 add esp,28
004278D4 |. E9 28010000 jmp qf.00427A01
004278D9 |> 68 04000080 push 80000004 ; registration succeeded, save the registration info
004278DE |. 6A 00 push 0
004278E0 |. A1 180DE700 mov eax,dword ptr ds:[E70D18]
004278E5 |. 85C0 test eax,eax
004278E7 |. 75 05 jnz short qf.004278EE
004278E9 |. B8 C7924000 mov eax,qf.004092C7
004278EE |> 50 push eax
004278EF |. 68 04000080 push 80000004
004278F4 |. 6A 00 push 0
004278F6 |. 68 F8FC4000 push qf.0040FCF8 ; ASCII "softwore\binqqmsg\reg\"
004278FB |. 68 01030080 push 80000301
00427900 |. 6A 00 push 0
00427902 |. 68 02000000 push 2
00427907 |. 68 03000000 push 3
0042790C |. BB A4060000 mov ebx,6A4
00427911 |. E8 B5020000 call qf.00427BCB
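Analysis of the code shows that the button event handler starts by checking the validity of the registration code (see the comments for details) and contains no code that computes it. However, at 00427865, ds:[E70D18] holds the registration code in plaintext, and at 0042786E a plaintext comparison is performed. So the registration code has already been computed before the check, and the Register button only does the comparison. The key now is to find where the data at ds:[E70D18] comes from. Right-click, Search for, All constants: 00E70D18:
References in qf:v0 to constant E70D18
Address Disassembly Comment
00425D3B mov ebx,dword ptr ds:[E70D18] (Initial CPU selection)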
00425D51 mov dword ptr ds:[E70D18],eax
00425D69 mov eax,dword ptr ds:[E70D18] [00E70D18]=001D1820
00425DEE mov ebx,dword ptr ds:[E70D18] ds:[00E70D18]=001D1820, (ASCII "BIN97E69658")
00425E04 mov dword ptr ds:[E70D18],eax save the registration code; sneaky, it computes the registration code in advance ^_^
00425E70 mov eax,dword ptr ds:[E70D18] [00E70D18]=001D1820
00427865 mov eax,dword ptr ds:[E70D18] the already-computed registration code??
004278E0 mov eax,dword ptr ds:[E70D18] [00E70D18]=001D1820
00427B58 mov ebx,dword ptr ds:[E70D18] ds:[00E70D18]=001D1820, (ASCII "BIN97E69658")
The assignment mov dword ptr ds:[E70D18],eax is at 00425E04. Double-click to follow it in the disassembler and scroll up to:
00425B42 |. E8 84200000 call qf.00427BCB ; get the machine fingerprint
00425B47 |. 83C4 04 add esp,4
00425B4A |. 8945 E4 mov dword ptr ss:[ebp-1C],eax
00425B4D |. DB45 E4 fild dword ptr ss:[ebp-1C]
00425B50 |. DD5D E4 fstp qword ptr ss:[ebp-1C]
00425B53 |. DD45 E4 fld qword ptr ss:[ebp-1C]
00425B56 |. DC05 E7FC4000 fadd qword ptr ds:[40FCE7]
00425B5C |. DD5D DC fstp qword ptr ss:[ebp-24]
00425B5F |. 68 01060080 push 80000601
00425B64 |. FF75 E0 push dword ptr ss:[ebp-20]
00425B67 |. FF75 DC push dword ptr ss:[ebp-24]
00425B6A |. 68 01000000 push 1
00425B6F |. BB 68010000 mov ebx,168
00425B74 |. E8 52200000 call qf.00427BCB
00425B79 |. 83C4 10 add esp,10
00425B7C |. 8945 D8 mov dword ptr ss:[ebp-28],eax
00425B7F |. 8B1D 140DE700 mov ebx,dword ptr ds:[E70D14]
00425B85 |. 85DB test ebx,ebx
00425B87 |. 74 09 je short qf.00425B92
00425B89 |. 53 push ebx
00425B8A |. E8 36200000 call qf.00427BC5
00425B8F |. 83C4 04 add esp,4
00425B92 |> 8B45 D8 mov eax,dword ptr ss:[ebp-28]
00425B95 |. A3 140DE700 mov dword ptr ds:[E70D14],eax
00425B9A |. 68 04000080 push 80000004
00425B9F |. 6A 00 push 0
00425BA1 |. A1 140DE700 mov eax,dword ptr ds:[E70D14]
00425BA6 |. 85C0 test eax,eax
00425BA8 |. 75 05 jnz short qf.00425BAF
00425BAA |. B8 C7924000 mov eax,qf.004092C7
00425BAF |> 50 push eax
00425BB0 |. 68 01000000 push 1
00425BB5 |. BB 98010000 mov ebx,198
00425BBA |. E8 0C200000 call qf.00427BCB
00425BBF |. 83C4 10 add esp,10
00425BC2 |. 8945 EC mov dword ptr ss:[ebp-14],eax
00425BC5 |. 68 05000080 push 80000005
00425BCA |. 6A 00 push 0
00425BCC |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00425BCF |. 85C0 test eax,eax
00425BD1 |. 75 05 jnz short qf.00425BD8
00425BD3 |. B8 6CF94000 mov eax,qf.0040F96C
00425BD8 |> 50 push eax
00425BD9 |. 68 01000000 push 1
00425BDE |. BB 08000000 mov ebx,8
00425BE3 |. B8 05000000 mov eax,5
00425BE8 |. E8 F01F0000 call qf.00427BDD
00425BED |. 83C4 10 add esp,10
00425BF0 |. 8945 E8 mov dword ptr ss:[ebp-18],eax
00425BF3 |. 8B5D EC mov ebx,dword ptr ss:[ebp-14]
00425BF6 |. 85DB test ebx,ebx
00425BF8 |. 74 09 je short qf.00425C03
00425BFA |. 53 push ebx
00425BFB |. E8 C51F0000 call qf.00427BC5
00425C00 |. 83C4 04 add esp,4
00425C03 |> 8B1D 140DE700 mov ebx,dword ptr ds:[E70D14]
00425C09 |. 85DB test ebx,ebx
00425C0B |. 74 09 je short qf.00425C16
00425C0D |. 53 push ebx
00425C0E |. E8 B21F0000 call qf.00427BC5 ; MD5: compute the MD5 of the machine fingerprint
00425C13 |. 83C4 04 add esp,4
00425C16 |> 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00425C19 |. A3 140DE700 mov dword ptr ds:[E70D14],eax
00425C1E |. 68 01030080 push 80000301
00425C23 |. 6A 00 push 0
00425C25 |. 68 08000000 push 8
00425C2A |. 68 04000080 push 80000004
00425C2F |. 6A 00 push 0
00425C31 |. A1 140DE700 mov eax,dword ptr ds:[E70D14]
00425C36 |. 85C0 test eax,eax
00425C38 |. 75 05 jnz short qf.00425C3F
00425C3A |. B8 C7924000 mov eax,qf.004092C7
00425C3F |> 50 push eax
00425C40 |. 68 02000000 push 2
00425C45 |. BB 34010000 mov ebx,134
00425C4A |. E8 7C1F0000 call qf.00427BCB ; take the first 8 characters as the machine code
00425C4F |. 83C4 1C add esp,1C
00425C52 |. 8945 EC mov dword ptr ss:[ebp-14],eax
00425C55 |. 68 04000080 push 80000004
00425C5A |. 6A 00 push 0
00425C5C |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00425C5F |. 85C0 test eax,eax
00425C61 |. 75 05 jnz short qf.00425C68
00425C63 |. B8 C7924000 mov eax,qf.004092C7
00425C68 |> 50 push eax
00425C69 |. 68 01000000 push 1
00425C6E |. BB 50010000 mov ebx,150
00425C73 |. E8 531F0000 call qf.00427BCB
00425C78 |. 83C4 10 add esp,10
00425C7B |. 8945 E8 mov dword ptr ss:[ebp-18],eax ; machine code, also derived from the MD5 of the machine fingerprint
00425C7E |. 8B5D EC mov ebx,dword ptr ss:[ebp-14]
00425C81 |. 85DB test ebx,ebx
00425C83 |. 74 09 je short qf.00425C8E
00425C85 |. 53 push ebx
00425C86 |. E8 3A1F0000 call qf.00427BC5
00425C8B |. 83C4 04 add esp,4
00425C8E |> 8B1D 140DE700 mov ebx,dword ptr ds:[E70D14]
00425C94 |. 85DB test ebx,ebx
00425C96 |. 74 09 je short qf.00425CA1
00425C98 |. 53 push ebx
00425C99 |. E8 271F0000 call qf.00427BC5
00425C9E |. 83C4 04 add esp,4
00425CA1 |> 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00425CA4 |. A3 140DE700 mov dword ptr ds:[E70D14],eax
00425CA9 |. 68 EFFC4000 push qf.0040FCEF ; /Arg2 = 0040FCEF ASCII "e622"
00425CAE |. FF35 140DE700 push dword ptr ds:[E70D14] ; |Arg1 = 001CE150 ASCII "F6D40AB6"
00425CB4 |. B9 02000000 mov ecx,2 ; |
00425CB9 |. E8 13BCFFFF call qf.004218D1 ; \qf.004218D1
00425CBE |. 83C4 08 add esp,8
00425CC1 |. 8945 EC mov dword ptr ss:[ebp-14],eax
00425CC4 |. 68 04000080 push 80000004
00425CC9 |. 6A 00 push 0
00425CCB |. 8B45 EC mov eax,dword ptr ss:[ebp-14] ; machine code + e622
00425CCE |. 85C0 test eax,eax
00425CD0 |. 75 05 jnz short qf.00425CD7
00425CD2 |. B8 C7924000 mov eax,qf.004092C7
00425CD7 |> 50 push eax
00425CD8 |. 68 01000000 push 1
00425CDD |. BB 98010000 mov ebx,198
00425CE2 |. E8 E41E0000 call qf.00427BCB
00425CE7 |. 83C4 10 add esp,10
00425CEA |. 8945 E8 mov dword ptr ss:[ebp-18],eax
00425CED |. 8B5D EC mov ebx,dword ptr ss:[ebp-14]
00425CF0 |. 85DB test ebx,ebx
00425CF2 |. 74 09 je short qf.00425CFD
00425CF4 |. 53 push ebx
00425CF5 |. E8 CB1E0000 call qf.00427BC5
00425CFA |. 83C4 04 add esp,4
00425CFD |> 68 05000080 push 80000005
00425D02 |. 6A 00 push 0
00425D04 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00425D07 |. 85C0 test eax,eax
00425D09 |. 75 05 jnz short qf.00425D10
00425D0B |. B8 6CF94000 mov eax,qf.0040F96C
00425D10 |> 50 push eax
00425D11 |. 68 01000000 push 1
00425D16 |. BB 08000000 mov ebx,8
00425D1B |. B8 05000000 mov eax,5
00425D20 |. E8 B81E0000 call qf.00427BDD ; MD5
00425D25 |. 83C4 10 add esp,10
00425D28 |. 8945 E4 mov dword ptr ss:[ebp-1C],eax ; EAX=MD5(machine code + e622)
00425D2B |. 8B5D E8 mov ebx,dword ptr ss:[ebp-18] ; EAX=001D6CF0, (ASCII "97e69658d95de2831573bf8651504e06")
00425D2E |. 85DB test ebx,ebx
00425D30 |. 74 09 je short qf.00425D3B
00425D32 |. 53 push ebx
00425D33 |. E8 8D1E0000 call qf.00427BC5
00425D38 |. 83C4 04 add esp,4
00425D3B |> 8B1D 180DE700 mov ebx,dword ptr ds:[E70D18]
00425D41 |. 85DB test ebx,ebx
00425D43 |. 74 09 je short qf.00425D4E
00425D45 |. 53 push ebx
00425D46 |. E8 7A1E0000 call qf.00427BC5
00425D4B |. 83C4 04 add esp,4
00425D4E |> 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; MD5 value
00425D51 |. A3 180DE700 mov dword ptr ds:[E70D18],eax
00425D56 |. 68 01030080 push 80000301
00425D5B |. 6A 00 push 0 ; 0
00425D5D |. 68 08000000 push 8 ; 8
00425D62 |. 68 04000080 push 80000004
00425D67 |. 6A 00 push 0
00425D69 |. A1 180DE700 mov eax,dword ptr ds:[E70D18]
00425D6E |. 85C0 test eax,eax
00425D70 |. 75 05 jnz short qf.00425D77
00425D72 |. B8 C7924000 mov eax,qf.004092C7
00425D77 |> 50 push eax
00425D78 |. 68 02000000 push 2
00425D7D |. BB 34010000 mov ebx,134
00425D82 |. E8 441E0000 call qf.00427BCB ; take the first 8 characters of the MD5 value
00425D87 |. 83C4 1C add esp,1C
00425D8A |. 8945 EC mov dword ptr ss:[ebp-14],eax
00425D8D |. 68 04000080 push 80000004
00425D92 |. 6A 00 push 0
00425D94 |. 8B45 EC mov eax,dword ptr ss:[ebp-14] ; first 8 characters
00425D97 |. 85C0 test eax,eax
00425D99 |. 75 05 jnz short qf.00425DA0
00425D9B |. B8 C7924000 mov eax,qf.004092C7
00425DA0 |> 50 push eax
00425DA1 |. 68 01000000 push 1
00425DA6 |. BB 50010000 mov ebx,150
00425DAB |. E8 1B1E0000 call qf.00427BCB ; convert to uppercase
00425DB0 |. 83C4 10 add esp,10
00425DB3 |. 8945 E8 mov dword ptr ss:[ebp-18],eax
00425DB6 |. 8B5D EC mov ebx,dword ptr ss:[ebp-14]
00425DB9 |. 85DB test ebx,ebx
00425DBB |. 74 09 je short qf.00425DC6
00425DBD |. 53 push ebx
00425DBE |. E8 021E0000 call qf.00427BC5
00425DC3 |. 83C4 04 add esp,4
00425DC6 |> FF75 E8 push dword ptr ss:[ebp-18] ; /Arg2
00425DC9 |. 68 F4FC4000 push qf.0040FCF4 ; |Arg1 = 0040FCF4 ASCII "BIN"
00425DCE |. B9 02000000 mov ecx,2 ; |
00425DD3 |. E8 F9BAFFFF call qf.004218D1 ; \concatenate BIN + first 8 characters
00425DD8 |. 83C4 08 add esp,8
00425DDB |. 8945 E4 mov dword ptr ss:[ebp-1C],eax ; registration code
00425DDE |. 8B5D E8 mov ebx,dword ptr ss:[ebp-18]
00425DE1 |. 85DB test ebx,ebx
00425DE3 |. 74 09 je short qf.00425DEE
00425DE5 |. 53 push ebx
00425DE6 |. E8 DA1D0000 call qf.00427BC5
00425DEB |. 83C4 04 add esp,4
00425DEE |> 8B1D 180DE700 mov ebx,dword ptr ds:[E70D18]
00425DF4 |. 85DB test ebx,ebx
00425DF6 |. 74 09 je short qf.00425E01
00425DF8 |. 53 push ebx
00425DF9 |. E8 C71D0000 call qf.00427BC5
00425DFE |. 83C4 04 add esp,4
00425E01 |> 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00425E04 |. A3 180DE700 mov dword ptr ds:[E70D18],eax ; arrive here: save the registration code; sneaky, it computes the registration code in advance ^_^
00425E09 |. 6A 00 push 0
00425E0B |. 6A 00 push 0
00425E0D |. 6A 00 push 0
00425E0F |. 68 04000080 push 80000004
00425E14 |. 6A 00 push 0
00425E16 |. 68 F8FC4000 push qf.0040FCF8 ; ASCII "softwore\binqqmsg\reg\"
00425E1B |. 68 01030080 push 80000301
00425E20 |. 6A 00 push 0
00425E22 |. 68 02000000 push 2
00425E27 |. 68 03000000 push 3
00425E2C |. BB 98060000 mov ebx,698
00425E31 |. E8 951D0000 call qf.00427BCB
00425E36 |. 83C4 28 add esp,28
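Notes:
Set a breakpoint at 00425B42 and press Ctrl+F2 to reload the program. OD first warns that the program is packed, then that the breakpoint is invalid, because I am debugging it packed. Follow the steps in "I. Checking for a packer" to reach the OEP, press Alt+B to switch to the breakpoints window, re-enable the breakpoint at 00425B42, and press F9 to run. The program breaks at 00425B42; for the rest of the analysis, see the comments.
『Algorithm summary』:
1. Machine code + the fixed string 'e622' (the machine code is itself the first 8 characters of the MD5 of the machine fingerprint; analysis omitted);
2. Compute the MD5 of the result of step 1;
3. 'BIN' + the first 8 characters of the MD5 value is the registration code, in the format BIN12345678, 11 characters in total;
『Keygen source code』:
Omitted; any MD5 calculator will do.
My registration info:
Machine code: F6D40AB6
Registration code: BIN97E69658
Friendly reminder: after registering, don't go around sending spam, or I'll look down on you ^_^
-- End --
Some of the software information has been edited in case someone uses it to send spam.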
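The check analyzed above is weak by design: the client derives the valid code itself from the machine code and a constant stored in the binary, then compares it in plaintext. As an added example (not part of the original post or of the software), one mitigation is for the vendor to sign the machine code so that the client holds only a verification key. The RSA parameters, the function names and the toy key size are assumptions of this example.

```python
import hashlib

# Toy RSA parameters, constructed for this example only: two Mersenne primes
# give a ~150-bit modulus, far too small for real use. A real product would
# use Ed25519 or RSA-2048+ with proper padding from a vetted library.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key: the only key shipped in the client
_D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays on the vendor's server


def _digest(machine_code: str) -> int:
    """Hash the machine code into the RSA group (hash-then-sign, no padding)."""
    h = hashlib.sha256(machine_code.upper().encode("ascii")).digest()
    return int.from_bytes(h, "big") % N


def vendor_issue_license(machine_code: str) -> str:
    """Vendor side: sign the customer's machine code with the private key."""
    return format(pow(_digest(machine_code), _D, N), "x")


def client_verify_license(machine_code: str, license_hex: str) -> bool:
    """Client side: needs only (N, E); it can check a code but cannot make one."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False                 # not hexadecimal at all
    if not 0 < sig < N:
        return False                 # outside the valid signature range
    return pow(sig, E, N) == _digest(machine_code)


if __name__ == "__main__":
    mc = "F6D40AB6"                  # machine code quoted in the post, used as sample input
    lic = vendor_issue_license(mc)
    print(lic, client_verify_license(mc, lic))
```

A signature check removes the ability to derive valid codes from the binary alone; it does not stop someone from patching the conditional jump that the post marks as the patch point.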