一直在努力,可是一直无解............
这几天在研究手头上的一个软件,软件没加密(新手,当然是用容易的练手)!用OD载入后查找ASCII字符,找到注册失败的提示处下断,然后F8走几步就找到了注册码。虽然有了注册码就可以用了,但是我的最终目标是做出注册机。算法CALL也找到了,但是一直看不懂算法究竟是怎样的。软件会自动生成机器码,不用填写用户名,我的机器码是:FBPSOgcFZTTWCCKDEFkijhzbaaazzbzGJHOOOxpv
注册码是:nSBDbKoGpSKHgFLPOIgGEHGPIEeJELhGlKIPBDHQLQpJMQbSGHqRgJQPHPeSKMgSHPfRmGnRMEiGLMbJ
下面是算法CALL.麻烦高人帮忙看一下,能解释最好,感激不尽!!!
; ---------------------------------------------------------------------
; OllyDbg listing of one 32-bit x86 routine (0041F180..0041F53F), Intel syntax.
;
; Interface as visible in the listing:
;   ecx          object pointer, kept in esi and passed on to 00420370
;   [esp+4]      on entry: address where the result CString is constructed
;   eax          on return: that same address
;   retn 4       the callee removes the single stack argument
;
; Purpose: assembles a text string in a CString accumulator from
;   (a) the first 12 characters of a 128-byte buffer filled by 00420370, and
;   (b) hexadecimal renderings (_itoa, radix 16) of values computed from the
;       volume serial number of c:\ , with fixed literals appended,
; passing the characters through byte-wise arithmetic before appending them.
;
; Locals (offsets as seen when no call arguments are pending on the stack;
; after N pushes the same local shows up 4*N higher):
;   [esp+10]  CString  work string that the two backward loops read
;   [esp+14]  CString  result accumulator, copied to the caller at the end
;   [esp+18]  CString  copy of the 12-character prefix
;   [esp+1C]  dword    volume serial number, later overwritten with derived values
;   [esp+20]  CString  12-character prefix
;   [esp+24]  CString  scratch string filled by the first forward loop
;   [esp+28]  CString  temporary returned by CString::Left
;   [esp+2C]  dword    0 at entry, 1 once the result has been constructed
;   [esp+30]  128-byte buffer (zeroed with rep stos, 0x20 dwords)
;   [esp+B0], [esp+1B0], [esp+2B0]  _itoa output buffers
;   [esp+3B8] byte updated around each constructor/destructor; it is the slot
;             written by the initial `push -1` (presumably the compiler's
;             exception-handling state index - confirm)
;
; Idioms used repeatedly below:
;   cdq / sub eax,edx / sar eax,1            signed divide by two
;   mov ecx,[p-8] where p is CString data    presumably the string length field
;                                            of MFC 4.2 CStringData - confirm
;
; NOTE(review): as far as this listing shows, every input is read from the
; local machine or is a constant stored in the binary (the output of 00420370
; is not visible here), so the derivation holds no secret once the routine is
; read. A licence check that verifies a vendor-signed token, or that is
; performed server-side, does not ship the derivation with the product.
; ---------------------------------------------------------------------
;
; Prologue: link a structured-exception-handler record into fs:[0], reserve
; 0x3A0 bytes of locals, save ebx/ebp/esi/edi, keep the object pointer in esi.
0041F180 /$ 6A FF push -1
0041F182 |. 68 5C674200 push 0042675C ; SE handler installation
0041F187 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041F18D |. 50 push eax
0041F18E |. 64:8925 00000>mov dword ptr fs:[0], esp
0041F195 |. 81EC A0030000 sub esp, 3A0
0041F19B |. 53 push ebx
0041F19C |. 55 push ebp
0041F19D |. 56 push esi
0041F19E |. 8BF1 mov esi, ecx
0041F1A0 |. 57 push edi
; Construct the work string [esp+10] and the accumulator [esp+14] from the
; literal at 00435B78 (presumably an empty string - confirm), and clear the
; "result constructed" flag at [esp+2C].
0041F1A1 |. 68 785B4300 push 00435B78
0041F1A6 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0041F1AA |. C74424 30 000>mov dword ptr [esp+30], 0
0041F1B2 |. E8 4B200000 call <jmp.&MFC42.#537_CString::CString>
0041F1B7 |. 68 785B4300 push 00435B78
0041F1BC |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0041F1C0 |. C78424 BC0300>mov dword ptr [esp+3BC], 1
0041F1CB |. E8 32200000 call <jmp.&MFC42.#537_CString::CString>
; Zero the 128-byte buffer at [esp+30] and hand its address to the member
; routine 00420370 (this = esi).
; NOTE(review): only the pointer is passed, no size; whether 00420370 bounds
; its write to 128 bytes cannot be seen from this listing.
0041F1D0 |. B9 20000000 mov ecx, 20
0041F1D5 |. 33C0 xor eax, eax
0041F1D7 |. 8D7C24 30 lea edi, dword ptr [esp+30]
0041F1DB |. C68424 B80300>mov byte ptr [esp+3B8], 2
0041F1E3 |. F3:AB rep stos dword ptr es:[edi]
0041F1E5 |. 8D4424 30 lea eax, dword ptr [esp+30]
0041F1E9 |. 8BCE mov ecx, esi
0041F1EB |. 50 push eax
0041F1EC |. E8 7F110000 call 00420370
; Wrap the buffer in a CString at [esp+20], then replace it with its own
; leftmost 0x0C characters; the temporary from Left() lives at [esp+28] and
; is destroyed right after the assignment.
0041F1F1 |. 8D4C24 30 lea ecx, dword ptr [esp+30]
0041F1F5 |. 51 push ecx
0041F1F6 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0041F1FA |. E8 03200000 call <jmp.&MFC42.#537_CString::CString>
0041F1FF |. 8D5424 28 lea edx, dword ptr [esp+28]
0041F203 |. 6A 0C push 0C
0041F205 |. 52 push edx
0041F206 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0041F20A |. C68424 C00300>mov byte ptr [esp+3C0], 3
0041F212 |. E8 1F220000 call <jmp.&MFC42.#4129_CString::Left>
0041F217 |. 50 push eax
0041F218 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0041F21C |. C68424 BC0300>mov byte ptr [esp+3BC], 4
0041F224 |. E8 D31F0000 call <jmp.&MFC42.#858_CString::operator=>
0041F229 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0041F22D |. C68424 B80300>mov byte ptr [esp+3B8], 3
0041F235 |. E8 BC1F0000 call <jmp.&MFC42.#800_CString::~CString>
; Query the volume serial number of c:\ into the dword at [esp+1C]; all other
; output pointers are NULL. The return value of GetVolumeInformationA is not
; checked, so on failure the dword keeps whatever the stack slot held.
0041F23A |. 6A 0A push 0A ; /pFileSystemNameSize = 0000000A
0041F23C |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
0041F23E |. 6A 00 push 0 ; |pFileSystemFlags = NULL
0041F240 |. 8D4424 28 lea eax, dword ptr [esp+28] ; |
0041F244 |. 6A 00 push 0 ; |pMaxFilenameLength = NULL
0041F246 |. 50 push eax ; |pVolumeSerialNumber
0041F247 |. 6A 0C push 0C ; |MaxVolumeNameSize = C (12.)
0041F249 |. 6A 00 push 0 ; |VolumeNameBuffer = NULL
0041F24B |. 68 785A4300 push 00435A78 ; |c:\
0041F250 |. FF15 30704200 call dword ptr [<&KERNEL32.GetVolumeInforma>; \GetVolumeInformationA
; Render the serial number as hexadecimal text into [esp+1B0]. ebx keeps the
; _itoa import for the later calls; _itoa is cdecl, hence the add esp,0C.
0041F256 |. 8B5424 1C mov edx, dword ptr [esp+1C]
0041F25A |. 8B1D 40744200 mov ebx, dword ptr [<&MSVCRT._itoa>] ; msvcrt._itoa
0041F260 |. 8D8C24 B00100>lea ecx, dword ptr [esp+1B0]
0041F267 |. 6A 10 push 10 ; /radix = 10 (16.)
0041F269 |. 51 push ecx ; |string
0041F26A |. 52 push edx ; |value
0041F26B |. FFD3 call ebx ; \_itoa
0041F26D |. 83C4 0C add esp, 0C
; Copy-construct [esp+18] from the 12-character prefix at [esp+20].
0041F270 |. 8D4424 20 lea eax, dword ptr [esp+20]
0041F274 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0041F278 |. 50 push eax
0041F279 |. E8 06220000 call <jmp.&MFC42.#535_CString::CString>
; Add the fixed constant 131CDF9 to the serial number, store the sum back to
; [esp+1C] and render it as hexadecimal text into [esp+B0].
0041F27E |. 8B4424 1C mov eax, dword ptr [esp+1C]
0041F282 |. 8D8C24 B00000>lea ecx, dword ptr [esp+B0]
0041F289 |. 05 F9CD3101 add eax, 131CDF9
0041F28E |. 6A 10 push 10
0041F290 |. 51 push ecx
0041F291 |. 50 push eax
0041F292 |. C68424 C40300>mov byte ptr [esp+3C4], 5
0041F29A |. 894424 28 mov dword ptr [esp+28], eax
0041F29E |. FFD3 call ebx
0041F2A0 |. 83C4 0C add esp, 0C
; Work string [esp+10] = first hex text, then append the second hex text and
; the literal at 00435A6C.
0041F2A3 |. 8D9424 B00100>lea edx, dword ptr [esp+1B0]
0041F2AA |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0041F2AE |. 52 push edx
0041F2AF |. E8 CE200000 call <jmp.&MFC42.#860_CString::operator=>
0041F2B4 |. 8D8424 B00000>lea eax, dword ptr [esp+B0]
0041F2BB |. 50 push eax
0041F2BC |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0041F2C0 |. E8 8B220000 call <jmp.&MFC42.#941_CString::operator+=>
0041F2C5 |. 68 6C5A4300 push 00435A6C ; quanzidong
0041F2CA |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0041F2CE |. E8 7D220000 call <jmp.&MFC42.#941_CString::operator+=>
; Backward loop over the work string. edi counts iterations from 1 and ebp is
; the distance from the end (2, 4, ...); the loop is skipped when length/2 <= 1
; and runs while edi < length/2. Each byte read at [data + length - ebp] is
; sign-extended, scaled and offset with lea, reduced by idiv 1A, and rebased
; onto 41 or 61 depending on the comparison with 5B; the resulting character
; is appended to the accumulator at [esp+14].
; NOTE(review): movsx sign-extends, so a byte >= 80h would enter the
; arithmetic as a negative value and idiv would yield a negative remainder.
0041F2D3 |. 8B7424 10 mov esi, dword ptr [esp+10]
0041F2D7 |. BF 01000000 mov edi, 1
0041F2DC |. 8B4E F8 mov ecx, dword ptr [esi-8]
0041F2DF |. 8BC1 mov eax, ecx
0041F2E1 |. 99 cdq
0041F2E2 |. 2BC2 sub eax, edx
0041F2E4 |. D1F8 sar eax, 1
0041F2E6 |. 3BC7 cmp eax, edi
0041F2E8 |. 7E 50 jle short 0041F33A
0041F2EA |. BD 02000000 mov ebp, 2
0041F2EF |> 2BCD /sub ecx, ebp
0041F2F1 |. 0FBE0431 |movsx eax, byte ptr [ecx+esi]
0041F2F5 |. 83F8 5B |cmp eax, 5B
0041F2F8 |. 7D 11 |jge short 0041F30B
0041F2FA |. 8D4440 05 |lea eax, dword ptr [eax+eax*2+5]
0041F2FE |. B9 1A000000 |mov ecx, 1A
0041F303 |. 99 |cdq
0041F304 |. F7F9 |idiv ecx
0041F306 |. 83C2 41 |add edx, 41
0041F309 |. EB 0F |jmp short 0041F31A
0041F30B |> 8D4400 0A |lea eax, dword ptr [eax+eax+A]
0041F30F |. B9 1A000000 |mov ecx, 1A
0041F314 |. 99 |cdq
0041F315 |. F7F9 |idiv ecx
0041F317 |. 83C2 61 |add edx, 61
0041F31A |> 52 |push edx
0041F31B |. 8D4C24 18 |lea ecx, dword ptr [esp+18]
0041F31F |. E8 6C210000 |call <jmp.&MFC42.#940_CString::operator+=>
; The data pointer and length are reloaded on every pass because the work
; string is re-read from its CString object after each call.
0041F324 |. 8B7424 10 |mov esi, dword ptr [esp+10]
0041F328 |. 47 |inc edi
0041F329 |. 83C5 02 |add ebp, 2
0041F32C |. 8B4E F8 |mov ecx, dword ptr [esi-8]
0041F32F |. 8BC1 |mov eax, ecx
0041F331 |. 99 |cdq
0041F332 |. 2BC2 |sub eax, edx
0041F334 |. D1F8 |sar eax, 1
0041F336 |. 3BF8 |cmp edi, eax
0041F338 |.^ 7C B5 \jl short 0041F2EF
; Construct the scratch string at [esp+24] from the literal at 00435B78.
0041F33A |> 68 785B4300 push 00435B78
0041F33F |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0041F343 |. E8 BA1E0000 call <jmp.&MFC42.#537_CString::CString>
; Forward loop over the prefix copy at [esp+18], reading the odd-indexed bytes
; [data + 2*edi + 1] for edi = 0 .. length/2 - 1. A byte below 3A has 13 added;
; any other byte is replaced by 0BB minus the byte. The result is appended both
; to the accumulator [esp+14] and to the scratch string [esp+24].
0041F348 |. 8B4C24 18 mov ecx, dword ptr [esp+18]
0041F34C |. 33FF xor edi, edi
0041F34E |. C68424 B80300>mov byte ptr [esp+3B8], 6
0041F356 |. 8B41 F8 mov eax, dword ptr [ecx-8]
0041F359 |. 99 cdq
0041F35A |. 2BC2 sub eax, edx
0041F35C |. D1F8 sar eax, 1
0041F35E |. 85C0 test eax, eax
0041F360 |. 7E 3D jle short 0041F39F
0041F362 |> 0FBE7479 01 /movsx esi, byte ptr [ecx+edi*2+1]
0041F367 |. 83FE 3A |cmp esi, 3A
0041F36A |. 7D 05 |jge short 0041F371
0041F36C |. 83C6 13 |add esi, 13
0041F36F |. EB 09 |jmp short 0041F37A
0041F371 |> BA BB000000 |mov edx, 0BB
0041F376 |. 2BD6 |sub edx, esi
0041F378 |. 8BF2 |mov esi, edx
0041F37A |> 56 |push esi
0041F37B |. 8D4C24 18 |lea ecx, dword ptr [esp+18]
0041F37F |. E8 0C210000 |call <jmp.&MFC42.#940_CString::operator+=>
0041F384 |. 56 |push esi
0041F385 |. 8D4C24 28 |lea ecx, dword ptr [esp+28]
0041F389 |. E8 02210000 |call <jmp.&MFC42.#940_CString::operator+=>
0041F38E |. 8B4C24 18 |mov ecx, dword ptr [esp+18]
0041F392 |. 47 |inc edi
0041F393 |. 8B41 F8 |mov eax, dword ptr [ecx-8]
0041F396 |. 99 |cdq
0041F397 |. 2BC2 |sub eax, edx
0041F399 |. D1F8 |sar eax, 1
0041F39B |. 3BF8 |cmp edi, eax
0041F39D |.^ 7C C3 \jl short 0041F362
; Append the scratch string [esp+24] to the prefix copy [esp+18]; the last
; loop of the routine reads this lengthened string.
0041F39F |> 8D4424 24 lea eax, dword ptr [esp+24]
0041F3A3 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0041F3A7 |. 50 push eax
0041F3A8 |. E8 E9200000 call <jmp.&MFC42.#939_CString::operator+=>
; Multiply the stored value at [esp+1C] (serial number plus the earlier
; constant) by 8A2554B0, keeping the low 32 bits, store it back and render it
; as hexadecimal text into [esp+2B0].
0041F3AD |. 8B4424 1C mov eax, dword ptr [esp+1C]
0041F3B1 |. 8D8C24 B00200>lea ecx, dword ptr [esp+2B0]
0041F3B8 |. 69C0 B054258A imul eax, eax, 8A2554B0
0041F3BE |. 6A 10 push 10
0041F3C0 |. 51 push ecx
0041F3C1 |. 50 push eax
0041F3C2 |. 894424 28 mov dword ptr [esp+28], eax
0041F3C6 |. FFD3 call ebx
0041F3C8 |. 83C4 0C add esp, 0C
; Work string [esp+10] = 12-character prefix, then append the new hex text
; and the literal at 00435A60.
0041F3CB |. 8D5424 20 lea edx, dword ptr [esp+20]
0041F3CF |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0041F3D3 |. 52 push edx
0041F3D4 |. E8 231E0000 call <jmp.&MFC42.#858_CString::operator=>
0041F3D9 |. 8D8424 B00200>lea eax, dword ptr [esp+2B0]
0041F3E0 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0041F3E4 |. 50 push eax
0041F3E5 |. E8 66210000 call <jmp.&MFC42.#941_CString::operator+=>
0041F3EA |. 68 605A4300 push 00435A60 ; zhengliqi
0041F3EF |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0041F3F3 |. E8 58210000 call <jmp.&MFC42.#941_CString::operator+=>
; Second backward loop over the rebuilt work string, same traversal as the
; first one (ebp counts iterations from 1, edi is the distance from the end).
; Here a byte below 5B is divided by three, offset, reduced by idiv 1A and
; rebased onto 61; any other byte is halved, offset, reduced by idiv 1A and
; rebased onto 41. The character is appended to the accumulator [esp+14].
; `mov eax,55555556 / imul ecx / edx plus its own sign bit` is the compiler's
; multiply-by-reciprocal form of a signed divide by three.
0041F3F8 |. 8B7424 10 mov esi, dword ptr [esp+10]
0041F3FC |. BD 01000000 mov ebp, 1
0041F401 |. 8B4E F8 mov ecx, dword ptr [esi-8]
0041F404 |. 8BC1 mov eax, ecx
0041F406 |. 99 cdq
0041F407 |. 2BC2 sub eax, edx
0041F409 |. D1F8 sar eax, 1
0041F40B |. 3BC5 cmp eax, ebp
0041F40D |. 7E 62 jle short 0041F471
0041F40F |. BF 02000000 mov edi, 2
0041F414 |> 2BCF /sub ecx, edi
0041F416 |. 0FBE0C31 |movsx ecx, byte ptr [ecx+esi]
0041F41A |. 83F9 5B |cmp ecx, 5B
0041F41D |. 7D 1D |jge short 0041F43C
0041F41F |. B8 56555555 |mov eax, 55555556
0041F424 |. F7E9 |imul ecx
0041F426 |. 8BCA |mov ecx, edx
0041F428 |. C1E9 1F |shr ecx, 1F
0041F42B |. 8D440A 09 |lea eax, dword ptr [edx+ecx+9]
0041F42F |. B9 1A000000 |mov ecx, 1A
0041F434 |. 99 |cdq
0041F435 |. F7F9 |idiv ecx
0041F437 |. 83C2 61 |add edx, 61
0041F43A |. EB 15 |jmp short 0041F451
0041F43C |> 8BC1 |mov eax, ecx
0041F43E |. B9 1A000000 |mov ecx, 1A
0041F443 |. 99 |cdq
0041F444 |. 2BC2 |sub eax, edx
0041F446 |. D1F8 |sar eax, 1
0041F448 |. 83C0 13 |add eax, 13
0041F44B |. 99 |cdq
0041F44C |. F7F9 |idiv ecx
0041F44E |. 83C2 41 |add edx, 41
0041F451 |> 52 |push edx
0041F452 |. 8D4C24 18 |lea ecx, dword ptr [esp+18]
0041F456 |. E8 35200000 |call <jmp.&MFC42.#940_CString::operator+=>
0041F45B |. 8B7424 10 |mov esi, dword ptr [esp+10]
0041F45F |. 45 |inc ebp
0041F460 |. 83C7 02 |add edi, 2
0041F463 |. 8B4E F8 |mov ecx, dword ptr [esi-8]
0041F466 |. 8BC1 |mov eax, ecx
0041F468 |. 99 |cdq
0041F469 |. 2BC2 |sub eax, edx
0041F46B |. D1F8 |sar eax, 1
0041F46D |. 3BE8 |cmp ebp, eax
0041F46F |.^ 7C A3 \jl short 0041F414
; Second forward loop, over the lengthened string at [esp+18], reading the
; even-indexed bytes [data + 2*esi] for esi = 0 .. length/2 - 1. A byte below
; 3A has 17 added; any other byte is replaced by 0BB minus the byte. The
; result is appended to the accumulator [esp+14] only.
0041F471 |> 8B4C24 18 mov ecx, dword ptr [esp+18]
0041F475 |. 33F6 xor esi, esi
0041F477 |. 8B41 F8 mov eax, dword ptr [ecx-8]
0041F47A |. 99 cdq
0041F47B |. 2BC2 sub eax, edx
0041F47D |. D1F8 sar eax, 1
0041F47F |. 85C0 test eax, eax
0041F481 |. 7E 32 jle short 0041F4B5
0041F483 |> 0FBE0471 /movsx eax, byte ptr [ecx+esi*2]
0041F487 |. 83F8 3A |cmp eax, 3A
0041F48A |. 7D 05 |jge short 0041F491
0041F48C |. 83C0 17 |add eax, 17
0041F48F |. EB 09 |jmp short 0041F49A
0041F491 |> BA BB000000 |mov edx, 0BB
0041F496 |. 2BD0 |sub edx, eax
0041F498 |. 8BC2 |mov eax, edx
0041F49A |> 50 |push eax
0041F49B |. 8D4C24 18 |lea ecx, dword ptr [esp+18]
0041F49F |. E8 EC1F0000 |call <jmp.&MFC42.#940_CString::operator+=>
0041F4A4 |. 8B4C24 18 |mov ecx, dword ptr [esp+18]
0041F4A8 |. 46 |inc esi
0041F4A9 |. 8B41 F8 |mov eax, dword ptr [ecx-8]
0041F4AC |. 99 |cdq
0041F4AD |. 2BC2 |sub eax, edx
0041F4AF |. D1F8 |sar eax, 1
0041F4B1 |. 3BF0 |cmp esi, eax
0041F4B3 |.^ 7C CE \jl short 0041F483
; Copy-construct the caller's result object (address taken from the stack
; argument at [esp+3C0]) from the accumulator [esp+14], and set the
; "result constructed" flag at [esp+2C].
0041F4B5 |> 8BB424 C00300>mov esi, dword ptr [esp+3C0]
0041F4BC |. 8D4424 14 lea eax, dword ptr [esp+14]
0041F4C0 |. 50 push eax
0041F4C1 |. 8BCE mov ecx, esi
0041F4C3 |. E8 BC1F0000 call <jmp.&MFC42.#535_CString::CString>
0041F4C8 |. C74424 2C 010>mov dword ptr [esp+2C], 1
; Destroy the five local CStrings ([esp+24], [esp+18], [esp+20], [esp+14],
; [esp+10]), updating the state byte at [esp+3B8] before each destructor.
0041F4D0 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0041F4D4 |. C68424 B80300>mov byte ptr [esp+3B8], 5
0041F4DC |. E8 151D0000 call <jmp.&MFC42.#800_CString::~CString>
0041F4E1 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0041F4E5 |. C68424 B80300>mov byte ptr [esp+3B8], 3
0041F4ED |. E8 041D0000 call <jmp.&MFC42.#800_CString::~CString>
0041F4F2 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0041F4F6 |. C68424 B80300>mov byte ptr [esp+3B8], 2
0041F4FE |. E8 F31C0000 call <jmp.&MFC42.#800_CString::~CString>
0041F503 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0041F507 |. C68424 B80300>mov byte ptr [esp+3B8], 1
0041F50F |. E8 E21C0000 call <jmp.&MFC42.#800_CString::~CString>
0041F514 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0041F518 |. C68424 B80300>mov byte ptr [esp+3B8], 0
0041F520 |. E8 D11C0000 call <jmp.&MFC42.#800_CString::~CString>
; Epilogue: return the result address in eax, restore the saved registers,
; unlink the exception-handler record by writing the saved previous head back
; to fs:[0], release the frame and pop the one stack argument.
0041F525 |. 8B8C24 B00300>mov ecx, dword ptr [esp+3B0]
0041F52C |. 8BC6 mov eax, esi
0041F52E |. 5F pop edi
0041F52F |. 5E pop esi
0041F530 |. 5D pop ebp
0041F531 |. 5B pop ebx
0041F532 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0041F539 |. 81C4 AC030000 add esp, 3AC
0041F53F \. C2 0400 retn 4