【文章标题】: 3D Art Screen Saver 5.0算法分析和C注册机源码
【文章作者】: qifeon
【软件名称】: 3D Art Screen Saver 5.0
【下载地址】: http://www.onlinedown.net/soft/33724.htm
【保护方式】: 注册码
【编写语言】: 英文
【使用工具】: OD
【软件介绍】: 3D Art Screen Saver 是一个精美的3D艺术屏幕保护程序
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
一、破解过程
这是一个屏保程序,安装后看不到主程序。运行文件夹里的Launch Setup后启动主程序,然后利用OD的附加功能,附加进程里的 3D Art.SCR
未命名的窗口
进程 名称 窗口 路径
00001244 3D Art 3D Art Screen Saver C:\WINDOWS\system32\3D Art.SCR 附加程序
000013CC Launch Se C:\Program Files\3D Art\Launch Setup.exe
然后就可以正常调试了。about项里找到注册项,输入“qifeon,123456”,出现错误提示“this user name does not match the registration code entered”,
利用插件查找此字符串
Ultra String Reference, 条目 20
Address=0040172F
Disassembly=push 0045E258
Text String=this user name does not match the registration code entered.
双击后来到
*******************************************************************************************************************************************************
00401705 |. 68 F8E14500 push 0045E1F8 ; registration successful!
0040170A |. 68 14E24500 push 0045E214 ; thank you for registering the program.
0040170F |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
00401715 |. E8 B13E0400 call 004455CB
0040171A |. C645 FC 02 mov byte ptr [ebp-4], 2
0040171E |. 8D4D 80 lea ecx, dword ptr [ebp-80]
00401721 |. E8 2B5A0400 call 00447151
00401726 |. EB 17 jmp short 0040173F
00401728 |> 6A 10 push 10
0040172A |. 68 3CE24500 push 0045E23C ; registration unsuccessful
0040172F |. 68 58E24500 push 0045E258 ; this user name does not match the registration code entered.
返回处
*********************************************************************************************************************************************************
向上可以找到段首
************************************************************************************************************************************************************
004013BD /. 55 push ebp 段首
004013BE |. 8BEC mov ebp, esp
004013C0 |. 6A FF push -1
004013C2 |. 68 09DD4400 push 0044DD09 ; SE 处理程序安装
004013C7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004013CD |. 50 push eax
004013CE |. 64:8925 00000>mov dword ptr fs:[0], esp
004013D5 |. 81EC C4000000 sub esp, 0C4
004013DB |. 898D 64FFFFFF mov dword ptr [ebp-9C], ecx
004013E1 |. 8D4D E8 lea ecx, dword ptr [ebp-18]
004013E4 |. E8 C7070000 call 00401BB0
004013E9 |. C745 FC 00000>mov dword ptr [ebp-4], 0
004013F0 |. 8D4D EC lea ecx, dword ptr [ebp-14]
004013F3 |. E8 B8070000 call 00401BB0
004013F8 |. C645 FC 01 mov byte ptr [ebp-4], 1
004013FC |. 8B85 64FFFFFF mov eax, dword ptr [ebp-9C]
00401402 |. 50 push eax
00401403 |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
00401406 |. E8 652F0100 call 00414370
0040140B |. C645 FC 02 mov byte ptr [ebp-4], 2
0040140F |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
00401412 |. E8 7D220400 call 00443694 ; 出现程序注册对话框
00401417 |. 8945 F0 mov dword ptr [ebp-10], eax
0040141A |. 837D F0 01 cmp dword ptr [ebp-10], 1 ; 判断注册或取消按钮,点注册则返回eax=1
0040141E |. 0F85 1B030000 jnz 0040173F ; 点注册按钮则不跳
00401424 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
00401427 |. 51 push ecx
00401428 |. 8D4D E8 lea ecx, dword ptr [ebp-18]
0040142B |. E8 0E5E0400 call 0044723E
00401430 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00401433 |. 52 push edx
00401434 |. 8D4D EC lea ecx, dword ptr [ebp-14]
00401437 |. E8 025E0400 call 0044723E
0040143C |. 8D4D E8 lea ecx, dword ptr [ebp-18]
0040143F |. E8 8C070000 call 00401BD0 ; 检查用户名是否为空
00401444 |. 85C0 test eax, eax ; 不为空eax=0
00401446 |. 74 43 je short 0040148B
00401448 |. 6A 10 push 10
0040144A |. 68 60E14500 push 0045E160 ; registration unsuccessful
0040144F |. 68 7CE14500 push 0045E17C ; please enter a username
00401454 |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
0040145A |. E8 6C410400 call 004455CB
0040145F |. C645 FC 01 mov byte ptr [ebp-4], 1
00401463 |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
00401466 |. E8 95060000 call 00401B00
0040146B |. C645 FC 00 mov byte ptr [ebp-4], 0
0040146F |. 8D4D EC lea ecx, dword ptr [ebp-14]
00401472 |. E8 DA5C0400 call 00447151
00401477 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0040147E |. 8D4D E8 lea ecx, dword ptr [ebp-18]
00401481 |. E8 CB5C0400 call 00447151
00401486 |. E9 DB020000 jmp 00401766
0040148B |> 8D4D EC lea ecx, dword ptr [ebp-14]
0040148E |. E8 3D070000 call 00401BD0 ; 试炼码是否为空?
00401493 |. 85C0 test eax, eax ; 不为空则返回eax=0
00401495 |. 74 43 je short 004014DA
00401497 |. 6A 10 push 10
00401499 |. 68 94E14500 push 0045E194 ; registration unsuccessful
0040149E |. 68 B0E14500 push 0045E1B0 ; please enter a registration code
004014A3 |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
004014A9 |. E8 1D410400 call 004455CB
004014AE |. C645 FC 01 mov byte ptr [ebp-4], 1
004014B2 |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
004014B5 |. E8 46060000 call 00401B00
004014BA |. C645 FC 00 mov byte ptr [ebp-4], 0
004014BE |. 8D4D EC lea ecx, dword ptr [ebp-14]
004014C1 |. E8 8B5C0400 call 00447151
004014C6 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004014CD |. 8D4D E8 lea ecx, dword ptr [ebp-18]
004014D0 |. E8 7C5C0400 call 00447151
004014D5 |. E9 8C020000 jmp 00401766
004014DA |> 51 push ecx
004014DB |. 8BCC mov ecx, esp
004014DD |. 89A5 7CFFFFFF mov dword ptr [ebp-84], esp
004014E3 |. 8D45 EC lea eax, dword ptr [ebp-14]
004014E6 |. 50 push eax
004014E7 |. E8 DA590400 call 00446EC6
004014EC |. 8985 60FFFFFF mov dword ptr [ebp-A0], eax
004014F2 |. 8B8D 60FFFFFF mov ecx, dword ptr [ebp-A0]
004014F8 |. 898D 5CFFFFFF mov dword ptr [ebp-A4], ecx
004014FE |. C645 FC 03 mov byte ptr [ebp-4], 3
00401502 |. 51 push ecx
00401503 |. 8BCC mov ecx, esp
00401505 |. 89A5 78FFFFFF mov dword ptr [ebp-88], esp
0040150B |. 8D55 E8 lea edx, dword ptr [ebp-18]
0040150E |. 52 push edx
0040150F |. E8 B2590400 call 00446EC6
00401514 |. 8985 58FFFFFF mov dword ptr [ebp-A8], eax
0040151A |. 8B85 58FFFFFF mov eax, dword ptr [ebp-A8]
00401520 |. 8985 54FFFFFF mov dword ptr [ebp-AC], eax
00401526 |. C645 FC 04 mov byte ptr [ebp-4], 4
0040152A |. E8 F1060000 call 00401C20
0040152F |. 8BC8 mov ecx, eax
00401531 |. C645 FC 02 mov byte ptr [ebp-4], 2
00401535 |. E8 F25F0100 call 0041752C ; 算法CALL
0040153A |. 8985 50FFFFFF mov dword ptr [ebp-B0], eax
00401540 |. 83BD 50FFFFFF>cmp dword ptr [ebp-B0], 0
00401547 |. 0F84 DB010000 je 00401728 ; 关键跳转
0040154D |. 51 push ecx
0040154E |. 8BCC mov ecx, esp
00401550 |. 89A5 74FFFFFF mov dword ptr [ebp-8C], esp
00401556 |. 8D55 EC lea edx, dword ptr [ebp-14]
00401559 |. 52 push edx
0040155A |. E8 67590400 call 00446EC6
0040155F |. 8985 4CFFFFFF mov dword ptr [ebp-B4], eax
00401565 |. 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
0040156B |. 8985 48FFFFFF mov dword ptr [ebp-B8], eax
00401571 |. C645 FC 05 mov byte ptr [ebp-4], 5
00401575 |. 51 push ecx
00401576 |. 8BCC mov ecx, esp
00401578 |. 89A5 70FFFFFF mov dword ptr [ebp-90], esp
0040157E |. 8D55 E8 lea edx, dword ptr [ebp-18]
00401581 |. 52 push edx
00401582 |. E8 3F590400 call 00446EC6
00401587 |. 8985 44FFFFFF mov dword ptr [ebp-BC], eax
0040158D |. 8B85 44FFFFFF mov eax, dword ptr [ebp-BC]
00401593 |. 8985 40FFFFFF mov dword ptr [ebp-C0], eax
00401599 |. C645 FC 06 mov byte ptr [ebp-4], 6
0040159D |. E8 7E060000 call 00401C20
004015A2 |. 8BC8 mov ecx, eax
004015A4 |. C645 FC 02 mov byte ptr [ebp-4], 2
004015A8 |. E8 D1620100 call 0041787E
004015AD |. 8D4D 80 lea ecx, dword ptr [ebp-80]
004015B0 |. E8 FB050000 call 00401BB0
004015B5 |. C645 FC 07 mov byte ptr [ebp-4], 7
004015B9 |. 68 D4E14500 push 0045E1D4 ; .
004015BE |. E8 5D060000 call 00401C20
004015C3 |. 05 04020000 add eax, 204
004015C8 |. 50 push eax
004015C9 |. 68 D8E14500 push 0045E1D8 ; this program is registered to
004015CE |. 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
004015D4 |. 51 push ecx
----------------------------————————————————————————————————-
略去若干代码
————————————————————————————————————————————————
00401703 |. 6A 40 push 40
00401705 |. 68 F8E14500 push 0045E1F8 ; registration successful!
0040170A |. 68 14E24500 push 0045E214 ; thank you for registering the program.
0040170F |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
00401715 |. E8 B13E0400 call 004455CB
0040171A |. C645 FC 02 mov byte ptr [ebp-4], 2
0040171E |. 8D4D 80 lea ecx, dword ptr [ebp-80]
00401721 |. E8 2B5A0400 call 00447151
00401726 |. EB 17 jmp short 0040173F
00401728 |> 6A 10 push 10
0040172A |. 68 3CE24500 push 0045E23C ; registration unsuccessful
0040172F |. 68 58E24500 push 0045E258 ; this user name does not match the registration code entered.
00401734 |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
0040173A |. E8 8C3E0400 call 004455CB
****************************************************************************************************************************************
在段首下断点,重新载入。点 About,再点 Register now,程序断下后单步跟踪,中间输入试炼码,进入算法CALL call 0041752C
***************************************************************************************************************************************
; sub_0041752C -- registration check called from the dialog handler (call at 00401535).
; Stack arguments as used below: [ebp+8] is the user name object and [ebp+C] the entered
; code object (the fixed-code compares and the final compare both read [ebp+C]).
; Returns eax = 0 when the code is rejected and a nonzero value when it is accepted;
; the caller branches to its failure message on 0. Cleans 8 bytes of arguments (retn 8).
; Three acceptance paths are visible: two constant codes that ignore the user name, and
; one code derived from the user name by sub_004176FD and compared by the call at 00417663.
; NOTE(review): the helper semantics named below (copy, destroy, get/release buffer) are
; inferred from call shape only; their bodies are not part of this listing.
0041752C /$ 55 push ebp
0041752D |. 8BEC mov ebp, esp
0041752F |. 6A FF push -1
00417531 |. 68 51F24400 push 0044F251 ; SEH handler installation
00417536 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041753C |. 50 push eax
0041753D |. 64:8925 00000>mov dword ptr fs:[0], esp
00417544 |. 83EC 44 sub esp, 44
00417547 |. 894D CC mov dword ptr [ebp-34], ecx ; keep incoming ecx (presumably the object pointer) for the later calls
0041754A |. C745 FC 01000>mov dword ptr [ebp-4], 1 ; [ebp-4] is rewritten around each object's lifetime; presumably the compiler's EH state
00417551 |. 68 000F4600 push 00460F00 ; string "141040"
00417556 |. 8D45 0C lea eax, dword ptr [ebp+C]
00417559 |. 50 push eax
0041755A |. E8 91BDFEFF call 004032F0 ; compare the entered code with the fixed code "141040"
0041755F |. 25 FF000000 and eax, 0FF ; only the low byte of the result is used
00417564 |. 85C0 test eax, eax
00417566 |. 75 17 jnz short 0041757F ; nonzero (match) -> accept path; zero -> fall through to the second fixed code
00417568 |. 68 080F4600 push 00460F08 ; string "117445"
0041756D |. 8D4D 0C lea ecx, dword ptr [ebp+C]
00417570 |. 51 push ecx
00417571 |. E8 7ABDFEFF call 004032F0 ; compare the entered code with the fixed code "117445"
00417576 |. 25 FF000000 and eax, 0FF
0041757B |. 85C0 test eax, eax
0041757D |. 74 64 je short 004175E3 ; zero (no match) -> name-derived check at 004175E3
0041757F |> 51 push ecx ; accept path for a fixed code: reserve a stack slot for a by-value argument
00417580 |. 8BCC mov ecx, esp
00417582 |. 8965 E8 mov dword ptr [ebp-18], esp
00417585 |. 8D55 0C lea edx, dword ptr [ebp+C]
00417588 |. 52 push edx
00417589 |. E8 38F90200 call 00446EC6 ; presumably copy-constructs the entered code into the reserved slot
0041758E |. 8945 C8 mov dword ptr [ebp-38], eax
00417591 |. 8B45 C8 mov eax, dword ptr [ebp-38]
00417594 |. 8945 C4 mov dword ptr [ebp-3C], eax
00417597 |. C645 FC 02 mov byte ptr [ebp-4], 2
0041759B |. 51 push ecx
0041759C |. 8BCC mov ecx, esp
0041759E |. 8965 E4 mov dword ptr [ebp-1C], esp
004175A1 |. 8D55 08 lea edx, dword ptr [ebp+8]
004175A4 |. 52 push edx
004175A5 |. E8 1CF90200 call 00446EC6 ; presumably copy-constructs the user name into the second slot
004175AA |. 8945 C0 mov dword ptr [ebp-40], eax
004175AD |. 8B4D CC mov ecx, dword ptr [ebp-34]
004175B0 |. C645 FC 01 mov byte ptr [ebp-4], 1
004175B4 |. E8 C5020000 call 0041787E ; body not shown; the dialog handler calls the same routine after a successful check
004175B9 |. C745 E0 FFFFF>mov dword ptr [ebp-20], -1 ; result for this path = -1 (nonzero, so accepted)
004175C0 |. C645 FC 00 mov byte ptr [ebp-4], 0
004175C4 |. 8D4D 08 lea ecx, dword ptr [ebp+8]
004175C7 |. E8 85FB0200 call 00447151 ; presumably destroys the user name argument
004175CC |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004175D3 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004175D6 |. E8 76FB0200 call 00447151 ; presumably destroys the entered code argument
004175DB |. 8B45 E0 mov eax, dword ptr [ebp-20]
004175DE |. E9 0A010000 jmp 004176ED ; to the common epilogue
004175E3 |> 8D4D EC lea ecx, dword ptr [ebp-14] ; reached when neither fixed code matched
004175E6 |. E8 C5A5FEFF call 00401BB0 ; presumably constructs an empty string at [ebp-14]
004175EB |. C645 FC 03 mov byte ptr [ebp-4], 3
004175EF |. 6A 0A push 0A ; third cdecl argument 0A (radix 10, going by the author's note on 00421499)
004175F1 |. 68 00010000 push 100
004175F6 |. 8D4D EC lea ecx, dword ptr [ebp-14]
004175F9 |. E8 F6FE0200 call 004474F4 ; called with size 100h; eax is then used as a character buffer
004175FE |. 50 push eax
004175FF |. 68 2C010000 push 12C ; the constant 12Ch = 300
00417604 |. E8 909E0000 call 00421499 ; number -> decimal string per the author, so [ebp-14] becomes "300"
00417609 |. 83C4 0C add esp, 0C ; caller cleans the three cdecl arguments
0041760C |. 6A FF push -1
0041760E |. 8D4D EC lea ecx, dword ptr [ebp-14]
00417611 |. E8 2DFF0200 call 00447543 ; presumably releases the buffer and fixes up the string length
00417616 |. 51 push ecx
00417617 |. 8BCC mov ecx, esp
00417619 |. 8965 DC mov dword ptr [ebp-24], esp
0041761C |. 8D45 EC lea eax, dword ptr [ebp-14]
0041761F |. 50 push eax
00417620 |. E8 A1F80200 call 00446EC6 ; by-value copy of the "300" string (becomes [ebp+10] in sub_004176FD)
00417625 |. 8945 BC mov dword ptr [ebp-44], eax
00417628 |. 8B4D BC mov ecx, dword ptr [ebp-44]
0041762B |. 894D B8 mov dword ptr [ebp-48], ecx
0041762E |. C645 FC 04 mov byte ptr [ebp-4], 4
00417632 |. 51 push ecx
00417633 |. 8BCC mov ecx, esp
00417635 |. 8965 D8 mov dword ptr [ebp-28], esp
00417638 |. 8D55 08 lea edx, dword ptr [ebp+8]
0041763B |. 52 push edx
0041763C |. E8 85F80200 call 00446EC6 ; by-value copy of the user name (becomes [ebp+C] in sub_004176FD)
00417641 |. 8945 B4 mov dword ptr [ebp-4C], eax
00417644 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00417647 |. 50 push eax ; address of the result object at [ebp-10]
00417648 |. 8B4D CC mov ecx, dword ptr [ebp-34]
0041764B |. C645 FC 03 mov byte ptr [ebp-4], 3
0041764F |. E8 A9000000 call 004176FD ; derives the expected code from the user name and "300"
00417654 |. 8945 B0 mov dword ptr [ebp-50], eax
00417657 |. C645 FC 05 mov byte ptr [ebp-4], 5
0041765B |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041765E |. 51 push ecx
0041765F |. 8D55 F0 lea edx, dword ptr [ebp-10]
00417662 |. 52 push edx
00417663 |. E8 7805FFFF call 00407BE0 ; compare the derived code with the entered code (both plain strings)
00417668 |. 25 FF000000 and eax, 0FF
0041766D |. 85C0 test eax, eax
0041766F |. 74 3F je short 004176B0 ; zero (mismatch) -> reject path
00417671 |. C745 D4 01000>mov dword ptr [ebp-2C], 1 ; accepted: result = 1
00417678 |. C645 FC 03 mov byte ptr [ebp-4], 3
0041767C |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0041767F |. E8 CDFA0200 call 00447151 ; presumably destroys the derived-code string
00417684 |. C645 FC 01 mov byte ptr [ebp-4], 1
00417688 |. 8D4D EC lea ecx, dword ptr [ebp-14]
0041768B |. E8 C1FA0200 call 00447151
00417690 |. C645 FC 00 mov byte ptr [ebp-4], 0
00417694 |. 8D4D 08 lea ecx, dword ptr [ebp+8]
00417697 |. E8 B5FA0200 call 00447151
0041769C |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004176A3 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004176A6 |. E8 A6FA0200 call 00447151
004176AB |. 8B45 D4 mov eax, dword ptr [ebp-2C]
004176AE |. EB 3D jmp short 004176ED
004176B0 |> C745 D0 00000>mov dword ptr [ebp-30], 0 ; rejected: result = 0
004176B7 |. C645 FC 03 mov byte ptr [ebp-4], 3
004176BB |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004176BE |. E8 8EFA0200 call 00447151 ; same cleanup sequence as the accepted path
004176C3 |. C645 FC 01 mov byte ptr [ebp-4], 1
004176C7 |. 8D4D EC lea ecx, dword ptr [ebp-14]
004176CA |. E8 82FA0200 call 00447151
004176CF |. C645 FC 00 mov byte ptr [ebp-4], 0
004176D3 |. 8D4D 08 lea ecx, dword ptr [ebp+8]
004176D6 |. E8 76FA0200 call 00447151
004176DB |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004176E2 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004176E5 |. E8 67FA0200 call 00447151
004176EA |. 8B45 D0 mov eax, dword ptr [ebp-30]
004176ED |> 8B4D F4 mov ecx, dword ptr [ebp-C] ; common epilogue: restore the previous SEH frame
004176F0 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004176F7 |. 8BE5 mov esp, ebp
004176F9 |. 5D pop ebp
004176FA \. C2 0800 retn 8 ; callee removes the two stack arguments
***********************************************************************************************************************
进入第3组注册码算法CALL 004176FD
*************************************************************************************************************************
; sub_004176FD -- derives the expected registration code for a user name.
; Stack arguments as used below: [ebp+8] = address of the caller's result string,
; [ebp+C] = user name (by value), [ebp+10] = the string "300" (by value, built by the caller).
; Computation visible in this listing:
;   s    = name + "300"              (per the article's summary)
;   len  = length of s               ([ebp-14])
;   k    = numeric value of "300"    ([ebp-24], 12Ch)
;   sum  = sum of the sign-extended bytes of s[0..len-1]   ([ebp-18])
;   code = decimal string of (sum - k) * (k - len)
; Returns eax = [ebp+8]; cleans 0Ch bytes of arguments (retn 0C).
; The result depends only on the name and a constant, and the caller compares it with the
; entered code as a plain string.
; NOTE(review): helper semantics (concatenate, assign, get/release buffer, destroy) are
; inferred from call shape and the author's notes; their bodies are not in this listing.
004176FD /$ 55 push ebp
004176FE |. 8BEC mov ebp, esp
00417700 |. 6A FF push -1
00417702 |. 68 9FF24400 push 0044F29F ; SEH handler installation
00417707 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041770D |. 50 push eax
0041770E |. 64:8925 00000>mov dword ptr fs:[0], esp
00417715 |. 83EC 30 sub esp, 30
00417718 |. 894D CC mov dword ptr [ebp-34], ecx
0041771B |. C745 D0 00000>mov dword ptr [ebp-30], 0 ; flag word, bit 0 is set once the result has been stored
00417722 |. C745 FC 02000>mov dword ptr [ebp-4], 2
00417729 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041772C |. E8 7FA4FEFF call 00401BB0 ; presumably constructs an empty string at [ebp-1C] (later holds the code)
00417731 |. C645 FC 03 mov byte ptr [ebp-4], 3
00417735 |. 8D4D D8 lea ecx, dword ptr [ebp-28]
00417738 |. E8 73A4FEFF call 00401BB0
0041773D |. C645 FC 04 mov byte ptr [ebp-4], 4
00417741 |. C745 E8 00000>mov dword ptr [ebp-18], 0 ; sum = 0
00417748 |. 8D45 10 lea eax, dword ptr [ebp+10]
0041774B |. 50 push eax
0041774C |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041774F |. 51 push ecx
00417750 |. 8D55 D4 lea edx, dword ptr [ebp-2C]
00417753 |. 52 push edx
00417754 |. E8 9AFB0200 call 004472F3 ; presumably temp [ebp-2C] = [ebp+C] + [ebp+10], i.e. name + "300"
00417759 |. 8945 C8 mov dword ptr [ebp-38], eax
0041775C |. 8B45 C8 mov eax, dword ptr [ebp-38]
0041775F |. 8945 C4 mov dword ptr [ebp-3C], eax
00417762 |. C645 FC 05 mov byte ptr [ebp-4], 5
00417766 |. 8B4D C4 mov ecx, dword ptr [ebp-3C]
00417769 |. 51 push ecx
0041776A |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041776D |. E8 CCFA0200 call 0044723E ; presumably assigns the temp back to [ebp+C], so [ebp+C] = name + "300"
00417772 |. C645 FC 04 mov byte ptr [ebp-4], 4
00417776 |. 8D4D D4 lea ecx, dword ptr [ebp-2C]
00417779 |. E8 D3F90200 call 00447151 ; presumably destroys the temp
0041777E |. 8D4D 0C lea ecx, dword ptr [ebp+C]
00417781 |. E8 4ABBFEFF call 004032D0 ; result is used as the string length below
00417786 |. 8945 EC mov dword ptr [ebp-14], eax ; len
00417789 |. 68 00010000 push 100
0041778E |. 8D4D 10 lea ecx, dword ptr [ebp+10]
00417791 |. E8 5EFD0200 call 004474F4 ; eax = character buffer of the "300" string
00417796 |. 50 push eax
00417797 |. E8 E1A60000 call 00421E7D ; presumably string -> integer; the author reports the value 12Ch
0041779C |. 83C4 04 add esp, 4
0041779F |. 8945 DC mov dword ptr [ebp-24], eax ; k = 12Ch (300)
004177A2 |. 6A FF push -1
004177A4 |. 8D4D 10 lea ecx, dword ptr [ebp+10]
004177A7 |. E8 97FD0200 call 00447543
004177AC |. 68 00010000 push 100
004177B1 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004177B4 |. E8 3BFD0200 call 004474F4 ; eax = character buffer of [ebp+C], the name joined with "300"
004177B9 |. 8945 F0 mov dword ptr [ebp-10], eax ; s = pointer to that buffer
004177BC |. C745 E0 00000>mov dword ptr [ebp-20], 0 ; i = 0
004177C3 |. EB 09 jmp short 004177CE
004177C5 |> 8B55 E0 /mov edx, dword ptr [ebp-20] ; reload i
004177C8 |. 83C2 01 |add edx, 1 ; i + 1
004177CB |. 8955 E0 |mov dword ptr [ebp-20], edx ; store i back for the next pass
004177CE |> 8B45 E0 mov eax, dword ptr [ebp-20] ; eax = i
004177D1 |. 3B45 EC |cmp eax, dword ptr [ebp-14] ; compare i with len ([ebp-14])
004177D4 |. 7D 13 |jge short 004177E9 ; i >= len (signed compare) -> leave the loop
004177D6 |. 8B4D F0 |mov ecx, dword ptr [ebp-10] ; ecx = s
004177D9 |. 034D E0 |add ecx, dword ptr [ebp-20] ; ecx = s + i
004177DC |. 0FBE11 |movsx edx, byte ptr [ecx] ; edx = s[i], sign-extended (bytes >= 80h count as negative)
004177DF |. 8B45 E8 |mov eax, dword ptr [ebp-18] ; eax = sum
004177E2 |. 03C2 |add eax, edx ; sum + s[i]
004177E4 |. 8945 E8 |mov dword ptr [ebp-18], eax ; store the running sum
004177E7 |.^ EB DC \jmp short 004177C5
004177E9 |> 8B4D E8 mov ecx, dword ptr [ebp-18] ; ecx = sum of all bytes of name + "300"
004177EC |. 2B4D DC sub ecx, dword ptr [ebp-24] ; sum - k (k = 12Ch = 300)
004177EF |. 894D E8 mov dword ptr [ebp-18], ecx ; [ebp-18] = sum - 12Ch
004177F2 |. 8B55 DC mov edx, dword ptr [ebp-24] ; edx = 12Ch
004177F5 |. 2B55 EC sub edx, dword ptr [ebp-14] ; edx = 12Ch - len
004177F8 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; eax = sum - 12Ch
004177FB |. 0FAFC2 imul eax, edx ; eax = (sum - 12Ch) * (12Ch - len), 32-bit signed
004177FE |. 8945 E8 mov dword ptr [ebp-18], eax ; keep the product in [ebp-18]
00417801 |. 6A 0A push 0A ; radix argument 0A (decimal)
00417803 |. 68 00010000 push 100
00417808 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041780B |. E8 E4FC0200 call 004474F4 ; eax = character buffer of the string at [ebp-1C]
00417810 |. 50 push eax
00417811 |. 8B4D E8 mov ecx, dword ptr [ebp-18] ; ecx = product
00417814 |. 51 push ecx
00417815 |. E8 7F9C0000 call 00421499 ; product -> decimal string; this string is the expected code
0041781A |. 83C4 0C add esp, 0C
0041781D |. 6A FF push -1
0041781F |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
00417822 |. E8 1CFD0200 call 00447543 ; per the author, takes the length of the converted string
00417827 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0041782A |. 52 push edx
0041782B |. 8B4D 08 mov ecx, dword ptr [ebp+8]
0041782E |. E8 93F60200 call 00446EC6 ; presumably copy-constructs the code string into the caller's result object
00417833 |. 8B45 D0 mov eax, dword ptr [ebp-30]
00417836 |. 0C 01 or al, 1 ; set bit 0 of the flag word
00417838 |. 8945 D0 mov dword ptr [ebp-30], eax
0041783B |. C645 FC 03 mov byte ptr [ebp-4], 3
0041783F |. 8D4D D8 lea ecx, dword ptr [ebp-28]
00417842 |. E8 0AF90200 call 00447151 ; presumably destroys the locals and by-value arguments, one call each
00417847 |. C645 FC 02 mov byte ptr [ebp-4], 2
0041784B |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041784E |. E8 FEF80200 call 00447151
00417853 |. C645 FC 01 mov byte ptr [ebp-4], 1
00417857 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041785A |. E8 F2F80200 call 00447151
0041785F |. C645 FC 00 mov byte ptr [ebp-4], 0
00417863 |. 8D4D 10 lea ecx, dword ptr [ebp+10]
00417866 |. E8 E6F80200 call 00447151
0041786B |. 8B45 08 mov eax, dword ptr [ebp+8] ; return the address of the result object
0041786E |. 8B4D F4 mov ecx, dword ptr [ebp-C] ; restore the previous SEH frame
00417871 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00417878 |. 8BE5 mov esp, ebp
0041787A |. 5D pop ebp
0041787B \. C2 0C00 retn 0C ; callee removes the three stack arguments
*********************************************************************************************************
限于篇幅,有些CALL在调试时都跟进过,本文中就略去了。感兴趣的读者可以自己跟进去看看,比如
0040143F |. E8 8C070000 call 00401BD0 ; 检查用户名是否为空
还有
0041755A |. E8 91BDFEFF call 004032F0 ; 判断是否是固定注册码码“141040”
***************************************************************************************************************
二、算法总结
1、注册码有3组,前2组为固定字符串,与用户名无关。第一组可用注册码“141040”
第二组可用注册码“117445”
2、第3组注册码由用户名与固定字符串“300”计算而来:
用户名与固定字符串“300”连接后字符串ASCII值之和设为sum,长度设为len,300的16进制为12Ch
(sum-300)乘以(300-len)十进制的值转化为字符串即为对应用户名的注册码
************************************************************************************************************************
三、C算法注册机源代码
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
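/*
 * Reads one whitespace-delimited name from stdin, appends "300", and prints
 * (sum - 300) * (300 - len) in decimal, where sum is the total of the char
 * values of the combined string and len is its length. This mirrors the
 * arithmetic of the routine at 004176FD in the listing above.
 *
 * Returns 0 on success, 1 when no name could be read.
 */
int main(void)
{
    /* 16 name characters + "300" + terminating NUL fill name[] exactly. */
    char name[20];
    int i, cheng, sum = 0, len;

    /* Width-limited read: an unbounded "%s" followed by strcat() would write
       past the end of name[] for any input of 17 characters or more. */
    if (scanf("%16s", name) != 1)
        return 1;

    strcat(name, "300");
    len = (int)strlen(name);

    /* Plain char is summed as-is; whether bytes >= 0x80 count as negative
       depends on the compiler's char signedness. */
    for (i = 0; i < len; i++)
        sum += name[i];

    cheng = (sum - 300) * (300 - len);
    printf("%d", cheng);
    system("PAUSE");   /* needs stdlib.h; keeps the console window open on Windows */
    return 0;
}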
--------------------------------------------------------------------------------