1) PEiD check: Borland Delphi 6.0 - 7.0, no packer.
2) Test-run the program: entering arbitrary registration info produces no message at all.
3) Load the program in OD (OllyDbg) and search its strings with the Ultra String Reference plugin; the registration-success message shows up:
Ultra String Reference+, item 221
Address=00459A59
Disassembly=MOV EAX,CrackMeN.00459AB0
Text string=恭喜你!完全正确。 ("Congratulations! Completely correct.")
Double-click it to land in the disassembly, scroll up to where the serial calculation starts, and set a breakpoint there.
4) Reload the program in OD, enter any registration info, and the program breaks:
0045994B |. 55 PUSH EBP
0045994C |. 68 8E9A4500 PUSH CrackMeN.00459A8E
00459951 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00459954 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00459957 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0045995A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045995D |. 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
00459963 |. E8 FCEFFDFF CALL CrackMeN.00438964 ; fetch the registration name
00459968 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0045996B |. E8 FCABFAFF CALL CrackMeN.0040456C ; length of the registration name
00459970 |. 8BF0 MOV ESI,EAX
00459972 |. 33DB XOR EBX,EBX
00459974 |. 8BC6 MOV EAX,ESI
00459976 |. 85C0 TEST EAX,EAX
00459978 |. 7E 21 JLE SHORT CrackMeN.0045999B
0045997A |. BA 01000000 MOV EDX,1
0045997F |> 69CE 8E91C621 /IMUL ECX,ESI,21C6918E ; ECX=ESI*21C6918E, ESI=name length
00459985 |. 03D9 |ADD EBX,ECX ; EBX=EBX+ECX
00459987 |. 8B4D EC |MOV ECX,DWORD PTR SS:[EBP-14]
0045998A |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; ASCII value of the current name character
0045998F |. 69C9 CE020000 |IMUL ECX,ECX,2CE ; ECX=ECX*2CE
00459995 |. 03D9 |ADD EBX,ECX ; EBX=EBX+ECX
00459997 |. 42 |INC EDX ; character index, +1 per iteration
00459998 |. 48 |DEC EAX ; remaining count, -1 per iteration
00459999 |.^ 75 E4 \JNZ SHORT CrackMeN.0045997F
0045999B |> 8BC3 MOV EAX,EBX ; EBX itself is not modified: it carries into the next loop
0045999D |. 99 CDQ ; CDQ / XOR / SUB = absolute value of the signed 32-bit result
0045999E |. 33C2 XOR EAX,EDX
004599A0 |. 2BC2 SUB EAX,EDX
004599A2 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004599A5 |. E8 9AEBFAFF CALL CrackMeN.00408544 ; convert the result to a decimal string (part 1)
004599AA |. 8BC6 MOV EAX,ESI
004599AC |. 85C0 TEST EAX,EAX
004599AE |. 7E 21 JLE SHORT CrackMeN.004599D1
004599B0 |. BA 01000000 MOV EDX,1
004599B5 |> 8B4D EC /MOV ECX,DWORD PTR SS:[EBP-14]
004599B8 >|. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1]
004599BD |. 69C9 8E91C621 |IMUL ECX,ECX,21C6918E ; ECX=ECX*21C6918E
004599C3 |. 69C9 BC070000 |IMUL ECX,ECX,7BC ; ECX=ECX*21C6918E*7BC
004599C9 |. 03D9 |ADD EBX,ECX ; EBX=EBX+ECX
004599CB |. 2BDE |SUB EBX,ESI ; EBX=EBX-ESI, ESI=name length
004599CD |. 42 |INC EDX ; character index, +1 per iteration
004599CE |. 48 |DEC EAX ; remaining count, -1 per iteration
004599CF |.^ 75 E4 \JNZ SHORT CrackMeN.004599B5
004599D1 |> 8BC3 MOV EAX,EBX
004599D3 |. 99 CDQ ; absolute value, as above
004599D4 |. 33C2 XOR EAX,EDX
004599D6 |. 2BC2 SUB EAX,EDX
004599D8 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004599DB |. E8 64EBFAFF CALL CrackMeN.00408544 ; convert the result to a decimal string (part 2)
004599E0 |. 8BC6 MOV EAX,ESI
004599E2 |. 85C0 TEST EAX,EAX
004599E4 |. 7E 1E JLE SHORT CrackMeN.00459A04
004599E6 |. BA 01000000 MOV EDX,1
004599EB |> 8B4D EC /MOV ECX,DWORD PTR SS:[EBP-14] ; registration name
004599EE |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; ASCII value of the current name character
004599F3 |. 0FAFCE |IMUL ECX,ESI ; ECX=ECX*ESI
004599F6 |. 69C9 C6040000 |IMUL ECX,ECX,4C6 ; ECX=ECX*ESI*4C6
004599FC |. 03D9 |ADD EBX,ECX ; EBX=EBX+ECX
004599FE |. 03DE |ADD EBX,ESI ; EBX=EBX+ESI, ESI=name length
00459A00 |. 42 |INC EDX ; character index, +1 per iteration
00459A01 |. 48 |DEC EAX ; remaining count, -1 per iteration
00459A02 |.^ 75 E7 \JNZ SHORT CrackMeN.004599EB
00459A04 |> 81C3 8E91C621 ADD EBX,21C6918E ; one final constant added after the loop
00459A0A |. 8BC3 MOV EAX,EBX
00459A0C |. 99 CDQ ; absolute value, as above
00459A0D |. 33C2 XOR EAX,EDX
00459A0F |. 2BC2 SUB EAX,EDX
00459A11 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00459A14 |. E8 2BEBFAFF CALL CrackMeN.00408544 ; convert the result to a decimal string (part 3)
00459A19 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00459A1C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00459A1F |. 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
00459A25 |. E8 3AEFFDFF CALL CrackMeN.00438964 ; fetch the serial the user typed in
00459A2A |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00459A2D |. 50 PUSH EAX
00459A2E |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00459A31 |. 68 A49A4500 PUSH CrackMeN.00459AA4 ; -
00459A36 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
00459A39 |. 68 A49A4500 PUSH CrackMeN.00459AA4 ; -
00459A3E |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00459A41 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00459A44 |. BA 05000000 MOV EDX,5
00459A49 |. E8 DEABFAFF CALL CrackMeN.0040462C ; concatenate the 5 pieces: part1 "-" part2 "-" part3
00459A4E |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
00459A51 |. 58 POP EAX
00459A52 |. E8 59ACFAFF CALL CrackMeN.004046B0 ; compare the real serial with the typed one
00459A57 |. 75 0A JNZ SHORT CrackMeN.00459A63 ; not equal: jump to the failure branch
00459A59 |. B8 B09A4500 MOV EAX,CrackMeN.00459AB0 ; 恭喜你!完全正确 ("Congratulations! Completely correct")
------------------------------------------------------------------------BY 逍遥风
Algorithm summary:
1) The registration name must be longer than four characters (that check is not within the listing above; the JLE instructions there only skip the loops for an empty name). The length of the registration name is the iteration count of every loop.
2) Multiply the name length by the constant 21C6918E and call the product A. For each character of the name, multiply its ASCII value by the constant 2CE, then add both A and that product to the accumulator. The accumulator after this loop is part 1.
3) Continuing with the same accumulator, for each character multiply its ASCII value by the constant 21C6918E and then by the constant 7BC, add the product to the accumulator, and subtract the name length. The accumulator after this loop is part 2.
4) Continuing again, for each character multiply its ASCII value by the name length and then by the constant 4C6, add the product to the accumulator, and add the name length. After the loop, add the constant 21C6918E once more. The accumulator is part 3.
5) Each of the three parts is run through CDQ / XOR EAX,EDX / SUB EAX,EDX (absolute value of the signed 32-bit result) and converted to a decimal string; the three strings joined as part1-part2-part3 are the serial.
Two details matter when reproducing this: all arithmetic is 32-bit and wraps, and EBX is never reset or replaced by its absolute value between loops, so parts 2 and 3 build on the raw (possibly negative) accumulator, not on the converted value.
Example: registration name tcxb
1) Result 1C6DD74E, decimal 476960590
2) Result 437A3706, decimal 1132082950
3) Result 6561143C, decimal 1700860988
So:
Registration name: tcxb
Serial: 476960590-1132082950-1700860988
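A keygen that reproduces the three loops above, added here as an example; it is neither the crackme's code nor the original author's. It assumes the name is a single-byte Delphi AnsiString (one byte per character, as the MOVZX BYTE PTR reads suggest) and that the conversion at 00408544 is IntToStr on a signed 32-bit integer:

```python
"""Keygen reconstructed from the disassembly of CrackMeN (added example).

Re-implements the accumulator loops at 0045997F, 004599B5 and 004599EB
with 32-bit wraparound, the branch-free abs idiom (CDQ / XOR EAX,EDX /
SUB EAX,EDX) applied to each part before IntToStr, and the final "-"
joined concatenation. Everything below is an assumption drawn from the
listing, not recovered source.
"""

MASK32 = 0xFFFFFFFF
K1 = 0x21C6918E      # constant used in all three loops and the final ADD
K_LOOP1 = 0x2CE
K_LOOP2 = 0x7BC
K_LOOP3 = 0x4C6


def to_signed32(x: int) -> int:
    """Interpret the low 32 bits of x as a two's-complement signed value."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def cdq_abs(x: int) -> int:
    """MOV EAX,EBX / CDQ / XOR EAX,EDX / SUB EAX,EDX on a signed 32-bit value.

    CDQ sign-extends EAX into EDX (0 or -1); XOR then SUB with that mask
    negates negative values. Edge case kept on purpose: -2**31 has no
    positive counterpart and comes back unchanged, exactly as the CPU does.
    """
    s = to_signed32(x)
    edx = -1 if s < 0 else 0
    return to_signed32((s ^ edx) - edx)


def keygen(name: str) -> str:
    data = name.encode("latin-1")   # assumed AnsiString: one byte per character
    n = len(data)                   # ESI = length of the registration name
    ebx = 0                         # XOR EBX,EBX; carried across all loops unconverted

    # Loop 1 (0045997F): EBX += n*K1 + c*0x2CE for every character c
    for c in data:
        ebx = (ebx + n * K1 + c * K_LOOP1) & MASK32
    part1 = cdq_abs(ebx)

    # Loop 2 (004599B5): EBX += c*K1*0x7BC - n
    for c in data:
        ebx = (ebx + c * K1 * K_LOOP2 - n) & MASK32
    part2 = cdq_abs(ebx)

    # Loop 3 (004599EB): EBX += c*n*0x4C6 + n, then ADD EBX,K1 once (00459A04)
    for c in data:
        ebx = (ebx + c * n * K_LOOP3 + n) & MASK32
    ebx = (ebx + K1) & MASK32
    part3 = cdq_abs(ebx)

    # LStrCatN with 5 pieces at 00459A49: part1 "-" part2 "-" part3
    return f"{part1}-{part2}-{part3}"


def check(name: str, serial: str) -> bool:
    """The comparison at 00459A52: a plain string equality, nothing more."""
    return keygen(name) == serial


if __name__ == "__main__":
    print(keygen("tcxb"))   # 476960590-1132082950-1700860988
```

Run it with the page's own example to confirm the reconstruction: `keygen("tcxb")` must give 476960590-1132082950-1700860988. Keeping the wraparound and the un-converted carry of EBX between loops is what makes the keygen agree with the binary for names whose intermediate sums exceed 2^31.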
----------------------------------------------------------------------
Please point out any errors or omissions.