A brief analysis of the registration algorithms of the cartoon software Cartoon_Maker v3.15 and the sketch software Photo to ColorSketch v3.11
Homepage:
Cartoon_Maker v3.15
http://www.liangzhuchina.com/cartoon/index.htm
Photo to ColorSketch v3.11
http://www.liangzhuchina.com/colorsketch/index.htm
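Cartoon_Maker v3.15 is a program that turns your own photos or other pictures into cartoon images. I analyzed it and am writing the result up briefly.
Via the string references:
Ultra String Reference, item 310
Address=004800FA
Disassembly=mov edx, Cartoon_.004802E4
Text string=Congratulation! Registration is successful!
and
Ultra String Reference, item 318
Address=0048020A
Disassembly=mov edx, Cartoon_.00480374
Text string=Sorry!Your UserCode or SerialNumber is wrong!
This identifies the registration check as the subroutine starting at address 004B56E2, so set a breakpoint with F2 at address 004B56E2, run the program, open the registration window, enter the registration name aCaFeeL and the serial 12345678, and click the OK button. Execution breaks here: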
>>>>>>
0047FEA8 . 55 push ebp ; start of analysis
0047FEA9 . 8BEC mov ebp, esp
0047FEAB . B9 10000000 mov ecx, 10
0047FEB0 > 6A 00 push 0
0047FEB2 . 6A 00 push 0
0047FEB4 . 49 dec ecx
0047FEB5 .^ 75 F9 jnz short Cartoon_.0047FEB0
0047FEB7 . 53 push ebx
0047FEB8 . 56 push esi
0047FEB9 . 57 push edi
0047FEBA . 8BD8 mov ebx, eax
0047FEBC . 33C0 xor eax, eax
0047FEBE . 55 push ebp
0047FEBF . 68 8E024800 push Cartoon_.0048028E
0047FEC4 . 64:FF30 push dword ptr fs:[eax]
0047FEC7 . 64:8920 mov dword ptr fs:[eax], esp
0047FECA . 8D55 E0 lea edx, dword ptr [ebp-20]
0047FECD . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FED3 . E8 E0AAFBFF call Cartoon_.0043A9B8
0047FED8 . 837D E0 00 cmp dword ptr [ebp-20], 0 ; is the name empty?
0047FEDC . 75 15 jnz short Cartoon_.0047FEF3 ; not empty, OK
0047FEDE . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FEE4 . BA A4024800 mov edx, Cartoon_.004802A4 ; Fill in your UserCode
0047FEE9 . E8 FAAAFBFF call Cartoon_.0043A9E8
0047FEEE . E9 41030000 jmp Cartoon_.00480234
0047FEF3 > 8D55 DC lea edx, dword ptr [ebp-24]
0047FEF6 . 8B83 04030000 mov eax, dword ptr [ebx+304]
0047FEFC . E8 B7AAFBFF call Cartoon_.0043A9B8
0047FF01 . 837D DC 00 cmp dword ptr [ebp-24], 0 ; is the serial empty?
0047FF05 . 75 15 jnz short Cartoon_.0047FF1C ; not empty, OK
0047FF07 . 8B83 04030000 mov eax, dword ptr [ebx+304]
0047FF0D . BA C4024800 mov edx, Cartoon_.004802C4 ; Fill in Serial Number
0047FF12 . E8 D1AAFBFF call Cartoon_.0043A9E8
0047FF17 . E9 18030000 jmp Cartoon_.00480234
0047FF1C > 8D55 D8 lea edx, dword ptr [ebp-28]
0047FF1F . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FF25 . E8 8EAAFBFF call Cartoon_.0043A9B8
0047FF2A . 8B45 D8 mov eax, dword ptr [ebp-28]
0047FF2D . 8A00 mov al, byte ptr [eax] ; name char 1
0047FF2F . 8845 FF mov byte ptr [ebp-1], al
0047FF32 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0047FF35 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FF3B . E8 78AAFBFF call Cartoon_.0043A9B8
0047FF40 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047FF43 . 8A40 01 mov al, byte ptr [eax+1] ; name char 2
0047FF46 . 8845 FE mov byte ptr [ebp-2], al
0047FF49 . 8D55 D0 lea edx, dword ptr [ebp-30]
0047FF4C . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FF52 . E8 61AAFBFF call Cartoon_.0043A9B8
0047FF57 . 8B45 D0 mov eax, dword ptr [ebp-30]
0047FF5A . 8A40 02 mov al, byte ptr [eax+2] ; name char 3
0047FF5D . 8845 FD mov byte ptr [ebp-3], al
0047FF60 . 8D55 CC lea edx, dword ptr [ebp-34]
0047FF63 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FF69 . E8 4AAAFBFF call Cartoon_.0043A9B8
0047FF6E . 8B45 CC mov eax, dword ptr [ebp-34]
0047FF71 . 8A40 03 mov al, byte ptr [eax+3] ; name char 4
0047FF74 . 8845 FC mov byte ptr [ebp-4], al
0047FF77 . 8D55 C8 lea edx, dword ptr [ebp-38]
0047FF7A . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FF80 . E8 33AAFBFF call Cartoon_.0043A9B8
0047FF85 . 8B45 C8 mov eax, dword ptr [ebp-38]
0047FF88 . 8A40 04 mov al, byte ptr [eax+4] ; name char 5
0047FF8B . 8845 FB mov byte ptr [ebp-5], al
0047FF8E . 8D55 C4 lea edx, dword ptr [ebp-3C]
0047FF91 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0047FF97 . E8 1CAAFBFF call Cartoon_.0043A9B8
0047FF9C . 8B45 C4 mov eax, dword ptr [ebp-3C] ; // the algorithm starts below:
0047FF9F . 8A40 05 mov al, byte ptr [eax+5] ; eax := '$00EDE9' + 'code of name char 6';
0047FFA2 . 33D2 xor edx, edx ; clear edx
0047FFA4 . 8A55 FF mov dl, byte ptr [ebp-1] ; name char 1 -> edx (low byte)
0047FFA7 . 83C2 02 add edx, 2 ; edx := edx + $2;
0047FFAA . 0FB675 FE movzx esi, byte ptr [ebp-2] ; name char 2 -> esi
0047FFAE . 83C6 09 add esi, 9 ; esi := esi + $9;
0047FFB1 . 33C9 xor ecx, ecx ; clear ecx
0047FFB3 . 8A4D FD mov cl, byte ptr [ebp-3] ; name char 3 -> ecx (low byte)
0047FFB6 . 41 inc ecx ; ecx := ecx + $1;
0047FFB7 . 894D F4 mov dword ptr [ebp-C], ecx ; // [ebp-c] := ecx;
0047FFBA . 0FB67D FC movzx edi, byte ptr [ebp-4] ; name char 4 -> edi
0047FFBE . 83EF 04 sub edi, 4 ; edi := edi - $4;
0047FFC1 . 33C9 xor ecx, ecx ; clear ecx
0047FFC3 . 8A4D FB mov cl, byte ptr [ebp-5] ; name char 5 -> ecx (low byte)
0047FFC6 . 49 dec ecx ; ecx := ecx - $1;
0047FFC7 . 894D F0 mov dword ptr [ebp-10], ecx ; // [ebp-10] := ecx;
0047FFCA . 25 FF000000 and eax, 0FF ; eax := eax and $0FF; i.e. eax := 'code of name char 6';
0047FFCF . 83C0 05 add eax, 5 ; eax := eax + $5;
0047FFD2 . 8855 EF mov byte ptr [ebp-11], dl ; // [ebp-11] := edx (low byte);
0047FFD5 . 8BD6 mov edx, esi ; edx := esi;
0047FFD7 . 8855 EE mov byte ptr [ebp-12], dl ; // [ebp-12] := edx (low byte);
0047FFDA . 8A55 F4 mov dl, byte ptr [ebp-C] ; edx := [ebp-c];
0047FFDD . 8855 ED mov byte ptr [ebp-13], dl ; // [ebp-13] := edx (low byte);
0047FFE0 . 8BD7 mov edx, edi ; edx := edi;
0047FFE2 . 8855 EC mov byte ptr [ebp-14], dl ; // [ebp-14] := edx (low byte);
0047FFE5 . 8A55 F0 mov dl, byte ptr [ebp-10] ; edx := [ebp-10];
0047FFE8 . 8855 EB mov byte ptr [ebp-15], dl ; // [ebp-15] := edx (low byte);
0047FFEB . 8845 EA mov byte ptr [ebp-16], al ; // [ebp-16] := eax (low byte);
0047FFEE . 8D45 B8 lea eax, dword ptr [ebp-48] ; $0012F614 -> eax
0047FFF1 . 8A55 ED mov dl, byte ptr [ebp-13] ; new string, char 4
0047FFF4 . 8850 01 mov byte ptr [eax+1], dl ; $char 4 -> $0012F615
0047FFF7 . C600 01 mov byte ptr [eax], 1 ; $01 -> $0012F614
0047FFFA . 8D55 B8 lea edx, dword ptr [ebp-48]
0047FFFD . 8D45 B4 lea eax, dword ptr [ebp-4C]
00480000 . E8 2B2DF8FF call Cartoon_.00402D30
00480005 . 8D45 B0 lea eax, dword ptr [ebp-50] ; $0012F60C -> eax
00480008 . 8A55 EA mov dl, byte ptr [ebp-16] ; new string, char 1
0048000B . 8850 01 mov byte ptr [eax+1], dl ; $char 1 -> $0012F60D
0048000E . C600 01 mov byte ptr [eax], 1 ; $01 -> $0012F60C
00480011 . 8D55 B0 lea edx, dword ptr [ebp-50]
00480014 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00480017 . B1 02 mov cl, 2
00480019 . E8 E22CF8FF call Cartoon_.00402D00 ; // char 4 + char 1
0048001E . 8D55 B4 lea edx, dword ptr [ebp-4C] ; -> edx
00480021 . 8D45 BC lea eax, dword ptr [ebp-44]
00480024 . E8 2F45F8FF call Cartoon_.00404558
00480029 . FF75 BC push dword ptr [ebp-44]
0048002C . 8D55 AC lea edx, dword ptr [ebp-54]
0048002F . 8BC6 mov eax, esi
00480031 . E8 A287F8FF call Cartoon_.004087D8 ; convert char 5 from hexadecimal to decimal
00480036 . FF75 AC push dword ptr [ebp-54]
00480039 . 8D45 A8 lea eax, dword ptr [ebp-58] ; $0012F604 -> eax
0048003C . 8A55 EB mov dl, byte ptr [ebp-15] ; new string, char 2
0048003F . E8 9844F8FF call Cartoon_.004044DC
00480044 . FF75 A8 push dword ptr [ebp-58]
00480047 . 8D45 A4 lea eax, dword ptr [ebp-5C]
0048004A . 8A55 EE mov dl, byte ptr [ebp-12] ; new string, char 5
0048004D . E8 8A44F8FF call Cartoon_.004044DC
00480052 . FF75 A4 push dword ptr [ebp-5C]
00480055 . 8D55 A0 lea edx, dword ptr [ebp-60]
00480058 . 8BC7 mov eax, edi
0048005A . E8 7987F8FF call Cartoon_.004087D8 ; convert char 3 from hexadecimal to decimal
0048005F . FF75 A0 push dword ptr [ebp-60]
00480062 . 8D45 9C lea eax, dword ptr [ebp-64] ; $0012F5F8 -> eax
00480065 . 8A55 EF mov dl, byte ptr [ebp-11] ; new string, char 6
00480068 . E8 6F44F8FF call Cartoon_.004044DC
0048006D . FF75 9C push dword ptr [ebp-64]
00480070 . 8D45 98 lea eax, dword ptr [ebp-68] ; $0012F5F4 -> eax
00480073 . 8A55 EC mov dl, byte ptr [ebp-14] ; new string, char 3
00480076 . E8 6144F8FF call Cartoon_.004044DC
0048007B . FF75 98 push dword ptr [ebp-68]
0048007E . 8D45 C0 lea eax, dword ptr [ebp-40]
00480081 . BA 07000000 mov edx, 7
00480086 . E8 E945F8FF call Cartoon_.00404674 ; reorder into: new string's char(4)+char(1)+ ord(5) +char(2)+char(5)+ ord(3) +char(6)+char(3) ;
0048008B . 8B55 C0 mov edx, dword ptr [ebp-40] ; the result goes to edx, i.e. the real serial!
0048008E . 8B83 08030000 mov eax, dword ptr [ebx+308]
00480094 . E8 4FA9FBFF call Cartoon_.0043A9E8
00480099 . 8D45 94 lea eax, dword ptr [ebp-6C]
0048009C . 50 push eax
0048009D . 8D55 90 lea edx, dword ptr [ebp-70]
004800A0 . 8B83 04030000 mov eax, dword ptr [ebx+304]
004800A6 . E8 0DA9FBFF call Cartoon_.0043A9B8
004800AB . 8B45 90 mov eax, dword ptr [ebp-70] ; |
004800AE . B9 08000000 mov ecx, 8 ; |
004800B3 . BA 01000000 mov edx, 1 ; |
004800B8 . E8 4746FBFF call Cartoon_.00434704 ; \Cartoon_.00434704
004800BD . 8B45 94 mov eax, dword ptr [ebp-6C]
004800C0 . 50 push eax
004800C1 . 8D45 8C lea eax, dword ptr [ebp-74]
004800C4 . 50 push eax
004800C5 . 8D55 88 lea edx, dword ptr [ebp-78]
004800C8 . 8B83 08030000 mov eax, dword ptr [ebx+308]
004800CE . E8 E5A8FBFF call Cartoon_.0043A9B8
004800D3 . 8B45 88 mov eax, dword ptr [ebp-78] ; |
004800D6 . B9 08000000 mov ecx, 8 ; |
004800DB . BA 01000000 mov edx, 1 ; |
004800E0 . E8 1F46FBFF call Cartoon_.00434704 ; \Cartoon_.00434704
004800E5 . 8B55 8C mov edx, dword ptr [ebp-74]
004800E8 . 58 pop eax
004800E9 . E8 0A46F8FF call Cartoon_.004046F8 ; check whether the real and the fake serial are the same
004800EE . 0F85 10010000 jnz Cartoon_.00480204 ; if they are the same there is no jump, and it is OK!
004800F4 . 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
004800FA . BA E4024800 mov edx, Cartoon_.004802E4 ; Congratulation! Registration is successful!
004800FF . E8 E4A8FBFF call Cartoon_.0043A9E8
00480104 . A1 B81B4900 mov eax, dword ptr [491BB8]
00480109 . 8B00 mov eax, dword ptr [eax]
0048010B . 8B80 10030000 mov eax, dword ptr [eax+310]
00480111 . BA 18034800 mov edx, Cartoon_.00480318 ; Registered
00480116 . E8 F1C1FCFF call Cartoon_.0044C30C
0048011B . 8B83 0C030000 mov eax, dword ptr [ebx+30C]
(... middle omitted ...)
00480204 > \8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; on registration failure, execution arrives here!
0048020A . BA 74034800 mov edx, Cartoon_.00480374 ; Sorry!Your UserCode or SerialNumber is wrong!
0048020F . E8 D4A7FBFF call Cartoon_.0043A9E8
00480214 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048021A . BA AC034800 mov edx, Cartoon_.004803AC ; Try again
0048021F . E8 C4A7FBFF call Cartoon_.0043A9E8
00480224 . 8B83 04030000 mov eax, dword ptr [ebx+304]
0048022A . BA AC034800 mov edx, Cartoon_.004803AC ; Try again
0048022F . E8 B4A7FBFF call Cartoon_.0043A9E8
00480234 > 33C0 xor eax, eax
00480236 . 5A pop edx
00480237 . 59 pop ecx
00480238 . 59 pop ecx
00480239 . 64:8910 mov dword ptr fs:[eax], edx
0048023C . 68 95024800 push Cartoon_.00480295
00480241 > 8D45 80 lea eax, dword ptr [ebp-80]
00480244 . BA 02000000 mov edx, 2
00480249 . E8 D240F8FF call Cartoon_.00404320
0048024E . 8D45 88 lea eax, dword ptr [ebp-78]
00480251 . E8 A640F8FF call Cartoon_.004042FC
00480256 . 8D45 8C lea eax, dword ptr [ebp-74]
00480259 . E8 9E40F8FF call Cartoon_.004042FC
0048025E . 8D45 90 lea eax, dword ptr [ebp-70]
00480261 . E8 9640F8FF call Cartoon_.004042FC
00480266 . 8D45 94 lea eax, dword ptr [ebp-6C]
00480269 . BA 07000000 mov edx, 7
0048026E . E8 AD40F8FF call Cartoon_.00404320
00480273 . 8D45 BC lea eax, dword ptr [ebp-44]
00480276 . BA 02000000 mov edx, 2
0048027B . E8 A040F8FF call Cartoon_.00404320
00480280 . 8D45 C4 lea eax, dword ptr [ebp-3C]
00480283 . BA 08000000 mov edx, 8
00480288 . E8 9340F8FF call Cartoon_.00404320
0048028D . C3 retn
>>>>>>
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
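The sketch software Photo to ColorSketch v3.11 turns your own photos or other pictures into color or black-and-white sketches. I analyzed it, and the algorithm turns out to be exactly the same as that of Cartoon_Maker v3.15. Here is the main code: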
>>>>>>
0048D46C . 837D E0 00 cmp dword ptr [ebp-20], 0 ; name is not empty
0048D470 . 75 15 jnz short colorske.0048D487
0048D472 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048D478 . BA 64D84800 mov edx, colorske.0048D864 ; Please fill in your UserCode
0048D47D . E8 6E27FBFF call colorske.0043FBF0
0048D482 . E9 6B030000 jmp colorske.0048D7F2
0048D487 > 8D55 DC lea edx, dword ptr [ebp-24]
0048D48A . 8B83 04030000 mov eax, dword ptr [ebx+304]
0048D490 . E8 2B27FBFF call colorske.0043FBC0
0048D495 . 837D DC 00 cmp dword ptr [ebp-24], 0
0048D499 . 75 15 jnz short colorske.0048D4B0 ; serial is not empty
0048D49B . 8B83 04030000 mov eax, dword ptr [ebx+304]
0048D4A1 . BA 8CD84800 mov edx, colorske.0048D88C ; Please fill in your Serial Number
0048D4A6 . E8 4527FBFF call colorske.0043FBF0
0048D4AB . E9 42030000 jmp colorske.0048D7F2
0048D4B0 > 8D55 D8 lea edx, dword ptr [ebp-28]
0048D4B3 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048D4B9 . E8 0227FBFF call colorske.0043FBC0
0048D4BE . 8B45 D8 mov eax, dword ptr [ebp-28]
0048D4C1 . 8A00 mov al, byte ptr [eax] ; name char 1
0048D4C3 . 8845 FF mov byte ptr [ebp-1], al
0048D4C6 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0048D4C9 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048D4CF . E8 EC26FBFF call colorske.0043FBC0
0048D4D4 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0048D4D7 . 8A40 01 mov al, byte ptr [eax+1] ; name char 2
0048D4DA . 8845 FE mov byte ptr [ebp-2], al
0048D4DD . 8D55 D0 lea edx, dword ptr [ebp-30]
0048D4E0 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048D4E6 . E8 D526FBFF call colorske.0043FBC0
0048D4EB . 8B45 D0 mov eax, dword ptr [ebp-30]
0048D4EE . 8A40 02 mov al, byte ptr [eax+2]
0048D4F1 . 8845 FD mov byte ptr [ebp-3], al ; name char 3
0048D4F4 . 8D55 CC lea edx, dword ptr [ebp-34]
0048D4F7 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048D4FD . E8 BE26FBFF call colorske.0043FBC0
0048D502 . 8B45 CC mov eax, dword ptr [ebp-34]
0048D505 . 8A40 03 mov al, byte ptr [eax+3]
0048D508 . 8845 FC mov byte ptr [ebp-4], al ; name char 4
0048D50B . 8D55 C8 lea edx, dword ptr [ebp-38]
0048D50E . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048D514 . E8 A726FBFF call colorske.0043FBC0
0048D519 . 8B45 C8 mov eax, dword ptr [ebp-38]
0048D51C . 8A40 04 mov al, byte ptr [eax+4] ; name char 5
0048D51F . 8845 FB mov byte ptr [ebp-5], al
0048D522 . 8D55 C4 lea edx, dword ptr [ebp-3C]
0048D525 . 8B83 00030000 mov eax, dword ptr [ebx+300]
0048D52B . E8 9026FBFF call colorske.0043FBC0
0048D530 . 8B45 C4 mov eax, dword ptr [ebp-3C]
0048D533 . 8A40 05 mov al, byte ptr [eax+5] ; name char 6
0048D536 . 33D2 xor edx, edx
0048D538 . 8A55 FF mov dl, byte ptr [ebp-1] ; name char 1
0048D53B . 83C2 02 add edx, 2 ; edx := edx + $2;
0048D53E . 0FB675 FE movzx esi, byte ptr [ebp-2] ; name char 2
0048D542 . 83C6 09 add esi, 9 ; esi := esi + $9;
0048D545 . 33C9 xor ecx, ecx
0048D547 . 8A4D FD mov cl, byte ptr [ebp-3] ; name char 3
0048D54A . 41 inc ecx ; ecx := ecx + $1;
0048D54B . 894D F4 mov dword ptr [ebp-C], ecx
0048D54E . 0FB67D FC movzx edi, byte ptr [ebp-4] ; name char 4
0048D552 . 83EF 04 sub edi, 4 ; edi := edi - $4;
0048D555 . 33C9 xor ecx, ecx
0048D557 . 8A4D FB mov cl, byte ptr [ebp-5] ; name char 5
0048D55A . 49 dec ecx ; ecx := ecx - $1;
0048D55B . 894D F0 mov dword ptr [ebp-10], ecx
0048D55E . 25 FF000000 and eax, 0FF ; name char 6
0048D563 . 83C0 05 add eax, 5 ; eax := eax + $5;
0048D566 . 8855 EF mov byte ptr [ebp-11], dl
0048D569 . 8BD6 mov edx, esi
0048D56B . 8855 EE mov byte ptr [ebp-12], dl
0048D56E . 8A55 F4 mov dl, byte ptr [ebp-C]
0048D571 . 8855 ED mov byte ptr [ebp-13], dl
0048D574 . 8BD7 mov edx, edi
0048D576 . 8855 EC mov byte ptr [ebp-14], dl
0048D579 . 8A55 F0 mov dl, byte ptr [ebp-10]
0048D57C . 8855 EB mov byte ptr [ebp-15], dl
0048D57F . 8845 EA mov byte ptr [ebp-16], al
0048D582 . 8D45 B8 lea eax, dword ptr [ebp-48]
0048D585 . 8A55 ED mov dl, byte ptr [ebp-13]
0048D588 . 8850 01 mov byte ptr [eax+1], dl
0048D58B . C600 01 mov byte ptr [eax], 1
0048D58E . 8D55 B8 lea edx, dword ptr [ebp-48]
0048D591 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0048D594 . E8 C358F7FF call colorske.00402E5C
0048D599 . 8D45 B0 lea eax, dword ptr [ebp-50]
0048D59C . 8A55 EA mov dl, byte ptr [ebp-16]
0048D59F . 8850 01 mov byte ptr [eax+1], dl
0048D5A2 . C600 01 mov byte ptr [eax], 1
0048D5A5 . 8D55 B0 lea edx, dword ptr [ebp-50]
0048D5A8 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0048D5AB . B1 02 mov cl, 2
0048D5AD . E8 7A58F7FF call colorske.00402E2C
0048D5B2 . 8D55 B4 lea edx, dword ptr [ebp-4C]
0048D5B5 . 8D45 BC lea eax, dword ptr [ebp-44]
0048D5B8 . E8 8B70F7FF call colorske.00404648
0048D5BD . FF75 BC push dword ptr [ebp-44]
0048D5C0 . 8D55 AC lea edx, dword ptr [ebp-54]
0048D5C3 . 8BC6 mov eax, esi
0048D5C5 . E8 4AB3F7FF call colorske.00408914
0048D5CA . FF75 AC push dword ptr [ebp-54]
0048D5CD . 8D45 A8 lea eax, dword ptr [ebp-58]
0048D5D0 . 8A55 EB mov dl, byte ptr [ebp-15]
0048D5D3 . E8 F46FF7FF call colorske.004045CC
0048D5D8 . FF75 A8 push dword ptr [ebp-58]
0048D5DB . 8D45 A4 lea eax, dword ptr [ebp-5C]
0048D5DE . 8A55 EE mov dl, byte ptr [ebp-12]
0048D5E1 . E8 E66FF7FF call colorske.004045CC
0048D5E6 . FF75 A4 push dword ptr [ebp-5C]
0048D5E9 . 8D55 A0 lea edx, dword ptr [ebp-60]
0048D5EC . 8BC7 mov eax, edi
0048D5EE . E8 21B3F7FF call colorske.00408914
0048D5F3 . FF75 A0 push dword ptr [ebp-60]
0048D5F6 . 8D45 9C lea eax, dword ptr [ebp-64]
0048D5F9 . 8A55 EF mov dl, byte ptr [ebp-11]
0048D5FC . E8 CB6FF7FF call colorske.004045CC
0048D601 . FF75 9C push dword ptr [ebp-64]
0048D604 . 8D45 98 lea eax, dword ptr [ebp-68]
0048D607 . 8A55 EC mov dl, byte ptr [ebp-14]
0048D60A . E8 BD6FF7FF call colorske.004045CC
0048D60F . FF75 98 push dword ptr [ebp-68]
0048D612 . 8D45 C0 lea eax, dword ptr [ebp-40]
0048D615 . BA 07000000 mov edx, 7
0048D61A . E8 4571F7FF call colorske.00404764 ; reorder into: new string's char(4)+char(1)+ ord(5) +char(2)+char(5)+ ord(3) +char(6)+char(3) ;
0048D61F . 8B55 C0 mov edx, dword ptr [ebp-40] ; the result goes to edx, i.e. the real serial!
>>>>>>
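From the analysis above we know that both programs use the same registration algorithm. Although the algorithm itself does not require the registration name to be longer than 5 characters, in practice the name must be longer than 5, that is, at least 6 characters. Otherwise the serial would have to contain non-printable characters in order to match.
The algorithm in detail: read the character code of the 1st character of the name and add $2; read the 2nd and add $9; read the 3rd and add $1; read the 4th and subtract $4; read the 5th and subtract $1; read the 6th and add $5. Then arrange the resulting new character codes in the order 6, 5, 4, 3, 2, 1 to form a new string. The serial is built from this new string as: 4th character + 1st character + decimal value of the 5th character + 2nd character + 5th character + decimal value of the 3rd character + 6th character + 3rd character. This result is compared with the string typed into the serial input box; if the two are equal, registration succeeds.
Expressed in Delphi + KOL it looks like this (already written as a string function so that it is easy for you to call and modify, heh :)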
function CartoonMaker315_PhotoToColorSketch311_sn(RegName: string): string; // declared as a string function
var
  eax, edx, edi, esi, T0C, T10 : cardinal;
  NewStr : string;
begin
  Result := ''; // defined return value for the early exit below
  if length(RegName) < 6 then
  begin
    // message text: the registration name must be at least 6 characters long
    showmessage('输入的注册名长度至少要为6位');
    exit;
  end;
  // adjust the character codes of name characters 1..6
  edx := ord(RegName[1]) + $2;
  esi := ord(RegName[2]) + $9;
  T0C := ord(RegName[3]) + $1;
  edi := ord(RegName[4]) - $4;
  T10 := ord(RegName[5]) - $1;
  eax := ord(RegName[6]) + $5;
  // new string: the adjusted characters in the order 6, 5, 4, 3, 2, 1
  NewStr := char(eax) + char(T10) + char(edi) + char(T0C) + char(esi) + char(edx);
  // final result: new string's char(4)+char(1)+ ord(5) +char(2)+char(5)+ ord(3) +char(6)+char(3)
  Result := NewStr[4] + NewStr[1] + int2str(ord(NewStr[5])) + NewStr[2] + NewStr[5] +
            int2str(Ord(NewStr[3])) + NewStr[6] + NewStr[3];
end;
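OK, that's all for now! What a clean and concise algorithm this is! Compared with some junk software, this is software with potential! Of course, however concise it is, I can't guarantee that my analysis is entirely correct; if anything is wrong, I hope you will point it out to me!
Here is a working key (valid for both Cartoon_Maker v3.15 and Photo to ColorSketch v3.11):
Registration name: aCaFeeL
Serial: bj76dL66cB
The keygen's algorithm should not have any problems; the attachment contains the keygen source code as I packaged it.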