[原创]BigJig算法 BY jzyjd
发表于: 2015-5-15 00:45 7523
1.OD加载填入用户名和假码
输入用户名JZYJD、假码123456789,点注册后提示注册码错误。用F12暂停法找到关键代码:
004C8D76 |. E8 353AFCFF call bigjig.0048C7B0 ; 关键CALL
004C8D7B |. 3C 01 cmp al,0x1 ; al要等于0
004C8D7D |. 75 32 jnz Xbigjig.004C8DB1 ; 必须跳才能注册成功
进入关键CALL
0048C7EA 8D55 F4 lea edx,dword ptr ss:[ebp-0xC]
0048C7ED 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; 注册名
0048C7F0 E8 2FBFF7FF call bigjig.00408724
0048C7F5 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
0048C7F8 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] ; 注册码
0048C7FB E8 24BFF7FF call bigjig.00408724
0048C800 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
0048C803 E8 6476F7FF call bigjig.00403E6C ; 取注册名长度
0048C808 83F8 06 cmp eax,0x6
0048C80B 74 07 je Xbigjig.0048C814 ; 注册名必须是6位
0048C80D B3 01 mov bl,0x1
0048C80F E9 03020000 jmp bigjig.0048CA17
0048C814 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
0048C817 8B55 F4 mov edx,dword ptr ss:[ebp-0xC]
0048C81A E8 11C9F7FF call bigjig.00409130
0048C81F 33C0 xor eax,eax
0048C821 8903 mov dword ptr ds:[ebx],eax
0048C823 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
0048C826 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
0048C829 8A08 mov cl,byte ptr ds:[eax]
0048C82B 880A mov byte ptr ds:[edx],cl
0048C82D FF03 inc dword ptr ds:[ebx]
0048C82F 42 inc edx
0048C830 40 inc eax
0048C831 833B 07 cmp dword ptr ds:[ebx],0x7
0048C834 ^ 75 F3 jnz Xbigjig.0048C829 ; 以上循环取注册名的ASC
0048C836 33C0 xor eax,eax
0048C838 8903 mov dword ptr ds:[ebx],eax
0048C83A 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
0048C83D 8A10 mov dl,byte ptr ds:[eax]
0048C83F 80FA 41 cmp dl,0x41
0048C842 72 05 jb Xbigjig.0048C849
0048C844 80FA 5A cmp dl,0x5A
0048C847 76 07 jbe Xbigjig.0048C850
0048C849 B3 01 mov bl,0x1
0048C84B E9 C7010000 jmp bigjig.0048CA17
0048C850 FF03 inc dword ptr ds:[ebx]
0048C852 40 inc eax
0048C853 833B 06 cmp dword ptr ds:[ebx],0x6
0048C856 ^ 75 E5 jnz Xbigjig.0048C83D ; 以上循环注册名必须是大写字母A-Z
0048C858 33C0 xor eax,eax
0048C85A 8A45 D8 mov al,byte ptr ss:[ebp-0x28] ; 取注册名第一位J 4A
0048C85D 33D2 xor edx,edx
0048C85F 8A55 D9 mov dl,byte ptr ss:[ebp-0x27] ; 取注册名第二位Z 5A
0048C862 03C2 add eax,edx ; 5A+4A=A4
0048C864 33D2 xor edx,edx
0048C866 8A55 DA mov dl,byte ptr ss:[ebp-0x26] ; 取注册名第三位Y 59
0048C869 03C2 add eax,edx ; A4+59=FD
0048C86B 33D2 xor edx,edx
0048C86D 8A55 DB mov dl,byte ptr ss:[ebp-0x25] ; 取注册名第四位J 4A
0048C870 03C2 add eax,edx ; 4A+FD=147
0048C872 33D2 xor edx,edx
0048C874 8A55 DC mov dl,byte ptr ss:[ebp-0x24] ; 取注册名第五位D 44
0048C877 03C2 add eax,edx ; 147+44=18B
0048C879 B9 05000000 mov ecx,0x5 ; ecx赋值5
0048C87E 33D2 xor edx,edx
0048C880 F7F1 div ecx ; 18B/5=4F
0048C882 33D2 xor edx,edx
0048C884 8A55 DD mov dl,byte ptr ss:[ebp-0x23] ; 取注册名第六位H 48
0048C887 3BC2 cmp eax,edx ; 总结前5位注册名ASC码之和除以5,结果要与第六位相同即为第六位注册名
0048C889 /74 07 je Xbigjig.0048C892
0048C88B |B3 01 mov bl,0x1
0048C88D |E9 85010000 jmp bigjig.0048CA17
0048C892 \B2 01 mov dl,0x1
0048C894 33C0 xor eax,eax
0048C896 8903 mov dword ptr ds:[ebx],eax
0048C898 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
0048C89B 8B0D B8F34C00 mov ecx,dword ptr ds:[0x4CF3B8] ; bigjig.0048C798
0048C8A1 8B33 mov esi,dword ptr ds:[ebx]
0048C8A3 0FB60C31 movzx ecx,byte ptr ds:[ecx+esi] ; 字串DIKYUN,第一个字母D 44
0048C8A7 49 dec ecx
0048C8A8 0FB630 movzx esi,byte ptr ds:[eax]
0048C8AB 3BCE cmp ecx,esi
0048C8AD 74 04 je Xbigjig.0048C8B3
0048C8AF 33D2 xor edx,edx
0048C8B1 EB 08 jmp Xbigjig.0048C8BB
0048C8B3 FF03 inc dword ptr ds:[ebx]
0048C8B5 40 inc eax
0048C8B6 833B 06 cmp dword ptr ds:[ebx],0x6
0048C8B9 ^ 75 E0 jnz Xbigjig.0048C89B
0048C8BB 84D2 test dl,dl
0048C8BD 74 07 je Xbigjig.0048C8C6
0048C8BF B3 01 mov bl,0x1
0048C8C1 E9 51010000 jmp bigjig.0048CA17
0048C8C6 B2 01 mov dl,0x1
0048C8C8 33C0 xor eax,eax
0048C8CA 8903 mov dword ptr ds:[ebx],eax
0048C8CC 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
0048C8CF 8B0D BCF34C00 mov ecx,dword ptr ds:[0x4CF3BC] ; EZMJFL
0048C8D5 8B33 mov esi,dword ptr ds:[ebx]
0048C8D7 0FB60C31 movzx ecx,byte ptr ds:[ecx+esi]
0048C8DB 49 dec ecx
0048C8DC 0FB630 movzx esi,byte ptr ds:[eax]
0048C8DF 3BCE cmp ecx,esi ; 用户名和字串EZMJFL比较
0048C8E1 74 04 je Xbigjig.0048C8E7
0048C8E3 33D2 xor edx,edx
0048C8E5 EB 08 jmp Xbigjig.0048C8EF
0048C8E7 FF03 inc dword ptr ds:[ebx]
0048C8E9 40 inc eax
0048C8EA 833B 06 cmp dword ptr ds:[ebx],0x6
0048C8ED ^ 75 E0 jnz Xbigjig.0048C8CF
0048C8EF 84D2 test dl,dl
0048C8F1 74 07 je Xbigjig.0048C8FA
0048C8F3 B3 01 mov bl,0x1
0048C8F5 E9 1D010000 jmp bigjig.0048CA17
0048C8FA B2 01 mov dl,0x1
0048C8FC 33C0 xor eax,eax
0048C8FE 8903 mov dword ptr ds:[ebx],eax
0048C900 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
0048C903 8B0D C0F34C00 mov ecx,dword ptr ds:[0x4CF3C0] ; bigjig.0048C7A8
0048C909 8B33 mov esi,dword ptr ds:[ebx]
0048C90B 0FB60C31 movzx ecx,byte ptr ds:[ecx+esi]
0048C90F 49 dec ecx
0048C910 0FB630 movzx esi,byte ptr ds:[eax]
0048C913 3BCE cmp ecx,esi ; 用户名和字串GMNWCL比较
0048C915 74 04 je Xbigjig.0048C91B
0048C917 33D2 xor edx,edx
0048C919 EB 08 jmp Xbigjig.0048C923
0048C91B FF03 inc dword ptr ds:[ebx]
0048C91D 40 inc eax
0048C91E 833B 06 cmp dword ptr ds:[ebx],0x6
0048C921 ^ 75 E0 jnz Xbigjig.0048C903
0048C923 84D2 test dl,dl ; 以上三个字串DIKYUN、EZMJFL、GMNWCL应该是黑名单,如果是这几个注册名则失败。
以上是对注册名的要求,总结一下:注册名必须是6位大写字母;前5位注册名ASC码之和除以5,结果必须与第六位相同(即由此确定第六位注册名);注册名不能是DIKYUN、EZMJFL、GMNWCL。所以我们把注册名改为JZYJDO,然后点注册继续分析。
0048C92E 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; 取假码
0048C931 E8 3675F7FF call bigjig.00403E6C
0048C936 83F8 0B cmp eax,0xB ; 注册码长度必须11位
0048C939 74 07 je Xbigjig.0048C942
0048C93B B3 01 mov bl,0x1
0048C93D E9 D5000000 jmp bigjig.0048CA17
0048C942 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0048C945 50 push eax
0048C946 B9 04000000 mov ecx,0x4
0048C94B BA 01000000 mov edx,0x1
0048C950 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; 取假码
0048C953 E8 1877F7FF call bigjig.00404070
0048C958 BA 4CCA4800 mov edx,bigjig.0048CA4C ; BJ4-
0048C95D 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0048C960 E8 23BCF7FF call bigjig.00408588 ; 假码前四位(1234)和BJ4-比较
0048C965 85C0 test eax,eax
0048C967 74 07 je Xbigjig.0048C970 ; 不相等则注册不成功
0048C969 B3 01 mov bl,0x1
0048C96B E9 A7000000 jmp bigjig.0048CA17
0048C970 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0048C973 50 push eax
0048C974 B9 01000000 mov ecx,0x1
0048C979 BA 08000000 mov edx,0x8
0048C97E 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; 假码
0048C981 E8 EA76F7FF call bigjig.00404070
0048C986 BA 5CCA4800 mov edx,bigjig.0048CA5C ; -
0048C98B 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0048C98E E8 F5BBF7FF call bigjig.00408588 ; 假码第八位(8)与-比较,不相等则注册不成功
0048C993 85C0 test eax,eax
0048C995 74 04 je Xbigjig.0048C99B
小结:注册码长度必须为11位,前四位为BJ4-,第八位为-。我们按此要求修改注册码,点注册继续分析。
0048C9BB 8BF0 mov esi,eax ; 假码第5-7位567的十六进制237
0048C9BD 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0048C9C0 50 push eax
0048C9C1 B9 03000000 mov ecx,0x3
0048C9C6 BA 09000000 mov edx,0x9
0048C9CB 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; 假码BJ4-567-901
0048C9CE E8 9D76F7FF call bigjig.00404070
0048C9D3 8BD3 mov edx,ebx
0048C9D5 8B45 EC mov eax,dword ptr ss:[ebp-0x14] ; 最后三位假码901
0048C9D8 E8 F762F7FF call bigjig.00402CD4
0048C9DD 8BD6 mov edx,esi ; 567的十六进制237放EDX
0048C9DF D1FA sar edx,1 ; 237右移一位得到11B
0048C9E1 79 03 jns Xbigjig.0048C9E6
0048C9E3 83D2 00 adc edx,0x0
0048C9E6 52 push edx ; 11B
0048C9E7 BA 84030000 mov edx,0x384 ; EDX=384
0048C9EC 59 pop ecx
0048C9ED 2BD1 sub edx,ecx ; 384 (900)-11B =269
0048C9EF 33C9 xor ecx,ecx
0048C9F1 8A4D D8 mov cl,byte ptr ss:[ebp-0x28] ; 注册名第一位J 4A
0048C9F4 03D1 add edx,ecx ; 269+4A=2B3
0048C9F6 33C9 xor ecx,ecx
0048C9F8 8A4D DD mov cl,byte ptr ss:[ebp-0x23] ; 注册名最后一位O 4F
0048C9FB 8D0C49 lea ecx,dword ptr ds:[ecx+ecx*2] ; ED(237转换成16进制)
0048C9FE 2BD1 sub edx,ecx ; 2B3-ED=1C4
0048CA00 83FE 64 cmp esi,0x64
0048CA03 7C 0C jl Xbigjig.0048CA11
0048CA05 81FE E7030000 cmp esi,0x3E7
0048CA0B 7F 04 jg Xbigjig.0048CA11
0048CA0D 3BC2 cmp eax,edx ; 假码9-11位(901)和454比较,不相等则注册不成功。
0048CA0F 74 04 je Xbigjig.0048CA15 ; OK,算法到此结束.
算法总结:
1.注册名要求6位大写字母,前5位的ASC十六进制码之和除以5即为第6位注册名,但注册名不能是DIKYUN、EZMJFL、GMNWCL这三个。
2.注册码长度必须11位,前4位固定为BJ4-,第8位固定为-。
3.注册码5-7位ASC的十六进制右移一位得到A,固定值384-A得到B,B加第一位注册名的十六进制得到C,C减去最后一位注册名ASC码十六进制乘以3的值得到D,D转换为十进制数即为9-11位注册码。
可用的两组注册码:
JZYJDO
BJ4-567-454
IOVCRM
BJ4-567-459