搜索引擎工厂专业版算法分析+算法注册机
发表于: 2005-1-12 19:29 4871
【破解作者】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]
【作者邮箱】 stasi@163.com
【作者主页】 stasi.7169.com
【使用工具】 ollydbg vc++6.0
【破解平台】 Win9x/NT/2000/XP
【软件名称】 搜索引擎工厂专业版v1.68
【下载地址】 http://www.aleadsoft.com/
【软件简介】 Search Engine Builder is specifically designed to help with
that problem. It indexes your entire website quickly and
generates an efficient search engine. It makes it easier
for your visitors to find things on your website and gives
it a more professional appearance.
【软件大小】 1.24m
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
前几天,上海下了十年来最大的一场雪,好福气啊:)正是朋友聚聚的好时候,忙了好几天:(
今天才有空在论坛上看看,一来就看到fcg征召新年文章,我水平不济,所以先写,要不等师傅
的文章出来,就浪费大家看的时间了:)手上没什么东西,在dfcg论坛上看到一篇搜索引擎工厂
专业版的文章,作者在算法上难住了,我看了一下,占用午睡的时候,涂了一篇,贻笑大方。
RegOpenKeyA断下:
* Possible StringData Ref from Data Obj ->"RegInfo"
|
:0042DE9D 6804614A00 push 004A6104
:0042DEA2 52 push edx
:0042DEA3 8BCE mov ecx, esi
:0042DEA5 E8227C0400 call 00475ACC
:0042DEAA 50 push eax
:0042DEAB 8D4C2420 lea ecx, dword ptr [esp+20]
:0042DEAF C68424540200000B mov byte ptr [esp+00000254], 0B
:0042DEB7 E8F21A0300 call 0045F9AE
:0042DEBC 8D4C2410 lea ecx, dword ptr [esp+10]
:0042DEC0 889C2450020000 mov byte ptr [esp+00000250], bl
:0042DEC7 E8A9190300 call 0045F875
:0042DECC 51 push ecx
:0042DECD 8D442420 lea eax, dword ptr [esp+20]
:0042DED1 8BCC mov ecx, esp
:0042DED3 89642424 mov dword ptr [esp+24], esp
:0042DED7 50 push eax
:0042DED8 E80D170300 call 0045F5EA
:0042DEDD 51 push ecx
:0042DEDE 8D542420 lea edx, dword ptr [esp+20]
:0042DEE2 8BCC mov ecx, esp
:0042DEE4 8964241C mov dword ptr [esp+1C], esp
:0042DEE8 52 push edx
:0042DEE9 C684245C0200000C mov byte ptr [esp+0000025C], 0C
:0042DEF1 E8F4160300 call 0045F5EA
:0042DEF6 8BCE mov ecx, esi
:0042DEF8 889C2458020000 mov byte ptr [esp+00000258], bl
:0042DEFF E8AC440000 call 004323B0 //算法
:0042DF04 33ED xor ebp, ebp
:0042DF06 3BC5 cmp eax, ebp
:0042DF08 740C je 0042DF16
:0042DF0A C786E800000001000000 mov dword ptr [esi+000000E8], 00000001
:0042DF14 EB59 jmp 0042DF6F
:004323B0 6AFF push FFFFFFFF
:004323B2 68D03A4800 push 00483AD0
:004323B7 64A100000000 mov eax, dword ptr fs:[00000000]
:004323BD 50 push eax
:004323BE 64892500000000 mov dword ptr fs:[00000000], esp
:004323C5 81ECD4000000 sub esp, 000000D4
:004323CB 53 push ebx
:004323CC 56 push esi
:004323CD 8BF1 mov esi, ecx
:004323CF B801000000 mov eax, 00000001
:004323D4 6870DB4A00 push 004ADB70
:004323D9 898424E8000000 mov dword ptr [esp+000000E8], eax
:004323E0 8986EC000000 mov dword ptr [esi+000000EC], eax
:004323E6 8B8424F0000000 mov eax, dword ptr [esp+000000F0]
:004323ED 50 push eax
:004323EE E82B5B0100 call 00447F1E
:004323F3 83C408 add esp, 00000008
:004323F6 85C0 test eax, eax
:004323F8 0F8477010000 je 00432575
:004323FE 8B8C24F0000000 mov ecx, dword ptr [esp+000000F0]
:00432405 6870DB4A00 push 004ADB70
:0043240A 51 push ecx
:0043240B E80E5B0100 call 00447F1E
:00432410 83C408 add esp, 00000008
:00432413 85C0 test eax, eax
:00432415 0F845A010000 je 00432575
* Possible StringData Ref from Data Obj ->"ttdown" //黑名单
|
:0043241B 68F0964A00 push 004A96F0
:00432420 8D8C24F0000000 lea ecx, dword ptr [esp+000000F0]
:00432427 E8FB580200 call 00457D27
:0043242C 33DB xor ebx, ebx
:0043242E 83F8FF cmp eax, FFFFFFFF
:00432431 7542 jne 00432475
* Possible StringData Ref from Data Obj ->"crsky"
|
:00432433 68E8964A00 push 004A96E8
:00432438 8D8C24F0000000 lea ecx, dword ptr [esp+000000F0]
:0043243F E8E3580200 call 00457D27
:00432444 83F8FF cmp eax, FFFFFFFF
:00432447 752C jne 00432475
* Possible StringData Ref from Data Obj ->".com"
|
:00432449 68D8964A00 push 004A96D8
:0043244E 8D8C24F0000000 lea ecx, dword ptr [esp+000000F0]
:00432455 E8CD580200 call 00457D27
:0043245A 83F8FF cmp eax, FFFFFFFF
:0043245D 7516 jne 00432475
* Possible StringData Ref from Data Obj ->"jetdown"
|
:0043245F 68D0964A00 push 004A96D0
:00432464 8D8C24F0000000 lea ecx, dword ptr [esp+000000F0]
:0043246B E8B7580200 call 00457D27
:00432470 83F8FF cmp eax, FFFFFFFF
:00432473 7406 je 0043247B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00432431(C), :00432447(C), :0043245D(C)
|
:00432475 899EEC000000 mov dword ptr [esi+000000EC], ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432473(C)
|
:0043247B 55 push ebp
:0043247C 8BAC24F0000000 mov ebp, dword ptr [esp+000000F0]
:00432483 33C9 xor ecx, ecx
:00432485 C644240C73 mov [esp+0C], 73 //'s'
:0043248A 8B75F8 mov esi, dword ptr [ebp-08]
:0043248D C644240D65 mov [esp+0D], 65 //'e'
:00432492 3BF3 cmp esi, ebx
:00432494 C644240E61 mov [esp+0E], 61 //'a'
:00432499 C644240F72 mov [esp+0F], 72 //'r'
:0043249E C644241062 mov [esp+10], 62 //'b'
:004324A3 C644241175 mov [esp+11], 75 //'u'
:004324A8 C644241269 mov [esp+12], 69 //'i'
:004324AD C64424136C mov [esp+13], 6C //'l'
:004324B2 885C2414 mov byte ptr [esp+14], bl
:004324B6 7E3D jle 004324F5
:004324B8 57 push edi
:004324B9 8D7C341B lea edi, dword ptr [esp+esi+1B]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004324F0(C)
|
:004324BD 8A0429 mov al, byte ptr [ecx+ebp]
:004324C0 8BD1 mov edx, ecx
:004324C2 81E207000080 and edx, 80000007
:004324C8 7905 jns 004324CF
:004324CA 4A dec edx
:004324CB 83CAF8 or edx, FFFFFFF8
:004324CE 42 inc edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004324C8(C)
|
:004324CF 0FBE541410 movsx edx, byte ptr [esp+edx+10]
:004324D4 0FBEC0 movsx eax, al
:004324D7 8BD9 mov ebx, ecx
:004324D9 03DA add ebx, edx
:004324DB 03C3 add eax, ebx
:004324DD BB09000000 mov ebx, 00000009
:004324E2 03C6 add eax, esi //注册名字符+对应字符+对应位数+注册名长度
:004324E4 99 cdq
:004324E5 F7FB idiv ebx //除ebx=9,得余数
:004324E7 80C230 add dl, 30
:004324EA 41 inc ecx
:004324EB 8817 mov byte ptr [edi], dl
:004324ED 4F dec edi
:004324EE 3BCE cmp ecx, esi
:004324F0 7CCB jl 004324BD //全部比完,连接成注册码前面的部分
:004324F2 33DB xor ebx, ebx
:004324F4 5F pop edi
:004324F5 8D4668 lea eax, dword ptr [esi+68] //注册名长度+0x68
:004324F8 B909000000 mov ecx, 00000009 //除9
:004324FD 99 cdq
:004324FE F7F9 idiv ecx
:00432500 8B8424F4000000 mov eax, dword ptr [esp+000000F4] //注册码的最后一位
:00432507 5D pop ebp
:00432508 80C230 add dl, 30
:0043250B 88543414 mov byte ptr [esp+esi+14], dl
:0043250F 885C3415 mov byte ptr [esp+esi+15], bl
:00432513 8D742414 lea esi, dword ptr [esp+14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432535(C)
|
:00432517 8A10 mov dl, byte ptr [eax]
:00432519 8ACA mov cl, dl
:0043251B 3A16 cmp dl, byte ptr [esi]
:0043251D 751C jne 0043253B
:0043251F 3ACB cmp cl, bl
:00432521 7414 je 00432537
:00432523 8A5001 mov dl, byte ptr [eax+01]
:00432526 8ACA mov cl, dl
:00432528 3A5601 cmp dl, byte ptr [esi+01]
:0043252B 750E jne 0043253B
:0043252D 83C002 add eax, 00000002
:00432530 83C602 add esi, 00000002
:00432533 3ACB cmp cl, bl
:00432535 75E0 jne 00432517
--------------------------------------------------------------------------------
【破解总结】
1)注册名不能超过50个字符。
2)“searbuil”是参考字符,参与算法运算。
3)注册名取一位,参考字符里也取一位,注册名长度超过8个字符时,循环取参考字符。
4)每次运算相当于:(注册名字符+参考对应字符+对应位数+注册名长度)mod 9 的计算,
依次连接结果,保存为注册码的首部分。
5)(注册名长度+0x68) mod 9 的结果是注册码的最后一位。
--------------------------------------------------------------------------------
【算法注册机】
ps:vb 那张盘被借去了,只能用c++的代码将就了:(
ps:论坛上说的中文注册名的问题也解决了,注册名中可以使用汉字字符:)
#include"iostream.h"
#include"stdio.h"
#include"string.h"
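/*
 * Console entry point (VC++ 6.0 style, hence `void main` and the pre-standard
 * "iostream.h" header used by the file).
 *
 * Prints a banner, prompts for a name of at most 50 bytes, then prints one
 * decimal value per name byte followed by one trailing value:
 *   - the name is walked from its last byte to its first;
 *   - for the byte at index k the value is (k + byte + len + ref) % 9, where
 *     ref is the ASCII code of "searbuil"[k % 8] (selected by the switch);
 *   - the trailing value is (len + 104) % 9.
 *
 * Change from the original listing: input was read with gets(), which cannot
 * bound its write and overruns the 80-byte stack buffer on any line of 80 or
 * more bytes. The read now goes through fgets() limited to the buffer size,
 * and end-of-input is handled instead of running strlen() on an
 * uninitialised buffer.
 */
void main()
{
    char n[80];
    int len(0), i, m(0), s(0), t(0);

    puts("code for 搜索引擎工厂专业版v1.68");
    puts("////////////////////////////////////////////////////////////////////////////");
    puts(" Cracker : stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]" );
    puts(" Email : [email]stasi@163.com[/email]");
    puts(" Homepage: http://stasi.7169.com");
    puts(" OS : Win2kADV sp4 & vc++ 6.0");
    puts(" Date : 2004-1-1 ");
    puts(" Note : If you have one or more question, email me please,thank you! ");
    puts("////////////////////////////////////////////////////////////////////////////");

    while (1)
    {
        puts("\nPlease enter your name:");

        // Bounded read: at most sizeof n - 1 bytes are stored, always NUL-terminated.
        if (fgets(n, sizeof n, stdin) == NULL)
            return;                     // EOF or read error: n holds nothing usable

        len = (int)strlen(n);
        if (len > 0 && n[len - 1] == '\n')
        {
            // gets() discarded the newline; do the same so the length is unchanged.
            n[--len] = '\0';
        }
        else
        {
            // The line did not fit: discard the rest so the next prompt does not
            // silently consume the leftover bytes as a new name.
            int c;
            while ((c = getchar()) != '\n' && c != EOF)
                ;
        }

        if (len <= 50) break;
        else cout<<"sorry! The length of the regname can not be more than 50!";
    }

    puts("\nregcode is :");
    for (i = 0; i < len; i++)
    {
        // Walk the name backwards: index len-i-1 on iteration i.
        s = (int)n[len - i - 1];

        // (len-i) % 8 equals ((index + 1) % 8); the cases map it back to the
        // ASCII code of "searbuil"[index % 8].
        m = (len - i) % 8;
        switch (m)
        {
            case 0: m = 108; break;     // 'l'
            case 1: m = 115; break;     // 's'
            case 2: m = 101; break;     // 'e'
            case 3: m = 97;  break;     // 'a'
            case 4: m = 114; break;     // 'r'
            case 5: m = 98;  break;     // 'b'
            case 6: m = 117; break;     // 'u'
            case 7: m = 105; break;     // 'i'
            // len-i is always >= 1 here, so the remainder is 0..7 and this
            // branch is not expected to run.
            default: puts("maybe have had a mistake:("); break;
        }

        t = (len - i - 1) + s + len + m;
        t %= 9;
        cout<<(t);
    }

    cout<<(len+104)%9;
    cout<<"\nThank you for using & enjoy yourself in the new year!";
}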
--------------------------------------------------------------------------------
【内存注册机】
中断地址:42DEFF
中断次数:1
第一字节:E8
指令长度:5
中断地址:43251B
中断次数:1
第一字节:3A
指令长度:2
--------------------------------------------------------------------------------
【用户名、密码】
regname:stasi
regcode:533711
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
2005-1-1