Legal Document & Contract Template Library (法律文书、合同样本库) 5.10 Cracking Notes -- Algorithm Analysis
Author: newlaos[CCG][DFCG]
Software: Legal Document & Contract Template Library 5.10 (industry software)
Compiled: 2003.4.23
Latest version: 5.10
File size: 3780KB
License: shareware
Platform: Win9x/Me/NT/2000/XP
Publisher: "http://www.votolink.com/"
Description: Wantong United (万通联合) has long specialised in legal and business consulting. Over many years of serving clients we have accumulated a large number of legal document templates, standard contract templates and related legal information. We have packaged this information into professional information software, offered to users as shareware. Its contents mainly include: a legal-format document library, a library of common company documents, an industry contract template library, a copyright section, and a lawyer's casework handbook.
Protection: ASPack 2.1 + registration code
Restrictions: feature-limited
Tools: TRW2000 1.23 registered edition, W32Dasm 8.93 gold edition, FI 2.5, OllyDbg 1.09B Chinese edition, PE-scan 3.31
Date cracked: 2003-04-27
Statement by the author, newlaos: this is for study only. Do not use it commercially or freely distribute keygens built with the method in this article; I accept no responsibility for any consequences.
Note: in my view, building software with eBook Edit Pro is genuinely unsafe! Even its strongest option, a 10-digit machine code plus a secret key, falls as soon as the key is known (and the key actually appears in plaintext while the program runs): feed the machine code and the key to the KeyMaker.exe bundled with eBook Edit Pro and it produces the real registration code. The algorithm analysis in this article is therefore equivalent to an analysis of how KeyMaker.exe computes the code.
1. Check the packer with FI 2.5: it reports ASPack 2.1. Unpack manually with TRW2000 (PE-scan 3.31 can also do it), producing UNPACK.exe.
2. Static disassembly of the unpacked file with the W32Dasm gold edition turns up no useful strings at all, so the only option left is TRW2000's universal breakpoint.
3. Dynamic tracing. Bring out the trusty TRW2000 and set the breakpoint BPX hmemcpy. Enter the fake code 78787878 and click OK; the breakpoint fires, and F12 then F10 lead to the following code segment:
.......
.......
:004786C0 50 push eax
:004786C1 8D55F8 lea edx, dword ptr [ebp-08]
:004786C4 8BC3 mov eax, ebx
:004786C6 8B08 mov ecx, dword ptr [eax]
:004786C8 FF91E4000000 call dword ptr [ecx+000000E4]
:004786CE 8B45F8 mov eax, dword ptr [ebp-08] <===EAX=3754256370 (machine code)
:004786D1 8B8BF8020000 mov ecx, dword ptr [ebx+000002F8] <===ECX=lawtxt163424 (the key is displayed here in plaintext; from a cracking standpoint that makes it far too easy :-)
:004786D7 5A pop edx <===EDX=78787878 (fake code)
:004786D8 E81FF7FFFF call 00477DFC <===Obviously the key CALL; F8 into it (at this point the KeyMaker.exe bundled with eBook Edit Pro could already be used to obtain the real registration code: enter the machine code, then the key, click Generate, and out comes the real code) ---- conclusion: programs built with eBook Edit Pro are not safe! In OllyDbg the key can even be found on the stack in memory!
:004786DD 8BD8 mov ebx, eax
:004786DF 33C0 xor eax, eax
:004786E1 5A pop edx
:004786E2 59 pop ecx
:004786E3 59 pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00478675(C)
|
:004786E4 648910 mov dword ptr fs:[eax], edx
:004786E7 6801874700 push 00478701
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004786FF(U)
|
:004786EC 8D45F8 lea eax, dword ptr [ebp-08]
:004786EF BA02000000 mov edx, 00000002
:004786F4 E8CFB4F8FF call 00403BC8
:004786F9 C3 ret
---------004786D8 call 00477DFC key CALL, F8 into it-------------
:00477DFC 55 push ebp
:00477DFD 8BEC mov ebp, esp
:00477DFF 81C4FCFEFFFF add esp, FFFFFEFC
:00477E05 53 push ebx
:00477E06 56 push esi
:00477E07 57 push edi
:00477E08 33DB xor ebx, ebx
:00477E0A 895DFC mov dword ptr [ebp-04], ebx
:00477E0D 8BF9 mov edi, ecx
:00477E0F 8BF2 mov esi, edx
:00477E11 8BD8 mov ebx, eax
:00477E13 33C0 xor eax, eax
:00477E15 55 push ebp
:00477E16 68637E4700 push 00477E63
:00477E1B 64FF30 push dword ptr fs:[eax]
:00477E1E 648920 mov dword ptr fs:[eax], esp
:00477E21 8D8DFCFEFFFF lea ecx, dword ptr [ebp+FFFFFEFC]
:00477E27 8BD7 mov edx, edi <===EDX=lawtxt163424 (key chosen by the author)
:00477E29 8BC3 mov eax, ebx <===EAX=3754256370 (machine code)
:00477E2B E864FEFFFF call 00477C94 <===key algorithm CALL, F8 into it
:00477E30 8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC]
:00477E36 8D45FC lea eax, dword ptr [ebp-04]
:00477E39 E88ABFF8FF call 00403DC8
:00477E3E 8B45FC mov eax, dword ptr [ebp-04] <===real registration code Sey0kJw6CBL6
:00477E41 8BD6 mov edx, esi <===fake code 78787878
:00477E43 E8ECC0F8FF call 00403F34
:00477E48 0F94C0 sete al
:00477E4B 8BD8 mov ebx, eax
:00477E4D 33C0 xor eax, eax
:00477E4F 5A pop edx
:00477E50 59 pop ecx
:00477E51 59 pop ecx
:00477E52 648910 mov dword ptr fs:[eax], edx
:00477E55 686A7E4700 push 00477E6A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477E68(U)
|
:00477E5A 8D45FC lea eax, dword ptr [ebp-04]
:00477E5D E842BDF8FF call 00403BA4
:00477E62 C3 ret
--------00477E2B call 00477C94 algorithm CALL, F8 into it--------------
:00477C94 55 push ebp
:00477C95 8BEC mov ebp, esp
:00477C97 83C4E0 add esp, FFFFFFE0
:00477C9A 53 push ebx
:00477C9B 56 push esi
:00477C9C 57 push edi
:00477C9D 33DB xor ebx, ebx
:00477C9F 895DE0 mov dword ptr [ebp-20], ebx
:00477CA2 895DE4 mov dword ptr [ebp-1C], ebx
:00477CA5 895DE8 mov dword ptr [ebp-18], ebx
:00477CA8 8BF9 mov edi, ecx
:00477CAA 8955F8 mov dword ptr [ebp-08], edx
:00477CAD 8945FC mov dword ptr [ebp-04], eax
:00477CB0 8B45FC mov eax, dword ptr [ebp-04] <===EAX=3754256370 (machine code)
:00477CB3 E820C3F8FF call 00403FD8
:00477CB8 8B45F8 mov eax, dword ptr [ebp-08] <===EAX=lawtxt163424 (key chosen by the author)
:00477CBB E818C3F8FF call 00403FD8
:00477CC0 33C0 xor eax, eax
:00477CC2 55 push ebp
:00477CC3 68ED7D4700 push 00477DED
:00477CC8 64FF30 push dword ptr fs:[eax]
:00477CCB 648920 mov dword ptr fs:[eax], esp
:00477CCE 837DFC00 cmp dword ptr [ebp-04], 00000000 <===[ebp-04] is the machine code, so no jump
:00477CD2 746F je 00477D43
:00477CD4 BB01000000 mov ebx, 00000001 <===counter EBX initialised to 1
:00477CD9 8D75EF lea esi, dword ptr [ebp-11]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D09(C)
|
:00477CDC 8B45FC mov eax, dword ptr [ebp-04] <===EAX=3754256370 (machine code)
:00477CDF E840C1F8FF call 00403E24 <===computes the length of the machine code (EAX=A)
:00477CE4 50 push eax <===push A
:00477CE5 8BC3 mov eax, ebx <===EBX is the counter (1,2,3,4,5,6,7,8,9 in turn)
:00477CE7 48 dec eax <===EAX is 0,1,2,3,4,5,6,7,8 in turn
:00477CE8 5A pop edx <===EDX=A (constant)
:00477CE9 8BCA mov ecx, edx
:00477CEB 99 cdq
:00477CEC F7F9 idiv ecx <===EAX is always 0 here, while EDX is 0,1,2,3,4,5,6,7,8 in turn
:00477CEE 8B45FC mov eax, dword ptr [ebp-04] <===EAX=3754256370 (machine code)
:00477CF1 8A0410 mov al, byte ptr [eax+edx] <===loads the ASCII value of each machine-code character into AL in turn
:00477CF4 50 push eax
:00477CF5 8B45FC mov eax, dword ptr [ebp-04] <===EAX=3754256370 (machine code)
:00477CF8 E827C1F8FF call 00403E24 <===computes the length of the machine code (EAX=A)
:00477CFD 5A pop edx <===pops each character's ASCII value
:00477CFE 32D0 xor dl, al
:00477D00 32D3 xor dl, bl
DL= A XOR 33=39 XOR 1=38
DL= A XOR 37=3D XOR 2=3F
DL= A XOR 35=3F XOR 3=3C
DL= A XOR 34=3E XOR 4=3A
DL= A XOR 32=38 XOR 5=3D
DL= A XOR 35=3F XOR 6=39
DL= A XOR 36=3C XOR 7=3B
DL= A XOR 33=39 XOR 8=31
DL= A XOR 37=3D XOR 9=34
:00477D02 8816 mov byte ptr [esi], dl <===the first-pass values are stored at ESI in turn
:00477D04 43 inc ebx <===EBX=EBX+1
:00477D05 46 inc esi
:00477D06 83FB0A cmp ebx, 0000000A <===so this loop runs 9 times, covering exactly the first 9 digits of the machine code
:00477D09 75D1 jne 00477CDC <===jumps back to form the loop: first transformation pass over the machine code
:00477D0B 8B45FC mov eax, dword ptr [ebp-04] <===EAX=3754256370 (machine code)
:00477D0E E811C1F8FF call 00403E24 <===computes the length of the machine code (EAX=A)
:00477D13 8BF0 mov esi, eax <===ESI=A
:00477D15 85F6 test esi, esi
:00477D17 7E2A jle 00477D43 <===of course no jump
:00477D19 BB01000000 mov ebx, 00000001 <===counter EBX initialised to 1 again
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D41(C)
|
:00477D1E 8B45FC mov eax, dword ptr [ebp-04] <===EAX=3754256370 (machine code)
:00477D21 E8FEC0F8FF call 00403E24 <===computes the length of the machine code (EAX=A)
:00477D26 2BC3 sub eax, ebx <===EAX=EAX-EBX (9,8,7,6,5,4,3,2,1,0 in turn)
:00477D28 8B55FC mov edx, dword ptr [ebp-04] <===EDX=3754256370 (machine code)
:00477D2B 8A0C02 mov cl, byte ptr [edx+eax] <===takes the ASCII values of the machine code in reverse order
:00477D2E 8BC3 mov eax, ebx <===EAX is 1,2,3,4,5,6,7,8,9,A in turn
:00477D30 48 dec eax <===EAX is 0,1,2,3,4,5,6,7,8,9 in turn
:00477D31 51 push ecx <===push the ASCII value
:00477D32 B909000000 mov ecx, 00000009 <===ECX=9
:00477D37 99 cdq
:00477D38 F7F9 idiv ecx <===EAX is 0 for the first 9 iterations and 1 on the last; EDX is 0,1,2,3,4,5,6,7,8,0 in turn
:00477D3A 59 pop ecx <===ECX is the ASCII value just popped
:00477D3B 304C15EF xor byte ptr [ebp+edx-11], cl <===XORs each one with the value produced by the previous loop
38 xor 30=08 XOR 33 =3B <===since there are 10 iterations, the index wraps around and the first slot is XORed a second time
3F xor 37=08
3C xor 33=0F
3A xor 36=0C
3D xor 35=08
39 xor 32=0B
3B xor 34=0F
31 xor 35=04
34 xor 37=03
:00477D3F 43 inc ebx
:00477D40 4E dec esi <===this loop is governed by ESI, so it runs 10 times, i.e. once per character of the machine code
:00477D41 75DB jne 00477D1E <===jumps back to form the loop: second transformation pass over the machine code, in reverse order
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00477CD2(C), :00477D17(C)
|
:00477D43 837DF800 cmp dword ptr [ebp-08], 00000000 <===[ebp-08]=lawtxt163424 (key chosen by the author)
:00477D47 7439 je 00477D82 <===of course no jump
:00477D49 BB01000000 mov ebx, 00000001 <===counter initialised to 1
:00477D4E 8D75EF lea esi, dword ptr [ebp-11]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D80(C)
|
:00477D51 8B45F8 mov eax, dword ptr [ebp-08] <===EAX=lawtxt163424
:00477D54 E8CBC0F8FF call 00403E24 <===computes the length of the key, EAX=C
:00477D59 50 push eax <===push the length C
:00477D5A 8BC3 mov eax, ebx <===EAX is 1,2,3,4,5,6,7,8,9 in turn
:00477D5C 48 dec eax <===EAX is 0,1,2,3,4,5,6,7,8 in turn
:00477D5D 5A pop edx <===EDX=C
:00477D5E 8BCA mov ecx, edx <===ECX=C
:00477D60 99 cdq
:00477D61 F7F9 idiv ecx <===EAX is always 0, EDX is 0,1,2,3,4,5,6,7,8 in turn
:00477D63 8B45F8 mov eax, dword ptr [ebp-08] <===EAX=lawtxt163424
:00477D66 8A0410 mov al, byte ptr [eax+edx] <===takes the ASCII values of the first 9 key characters in turn
:00477D69 3206 xor al, byte ptr [esi]
AL=3B XOR 6C=57
AL=08 XOR 61=69
AL=0F XOR 77=78
AL=0C XOR 74=78
AL=08 XOR 78=70
AL=0B XOR 74=7F
AL=0F XOR 31=3E
AL=04 XOR 36=32
AL=03 XOR 33=30
:00477D6B 50 push eax
:00477D6C 8B45F8 mov eax, dword ptr [ebp-08] <===EAX=lawtxt163424
:00477D6F E8B0C0F8FF call 00403E24 <===computes the length of the key, EAX=C
:00477D74 5A pop edx <===EDX is the value computed above
:00477D75 32D0 xor dl, al
:00477D77 32D3 xor dl, bl
DL= C XOR 57=39 XOR 1=5A (ASC="Z")
DL= C XOR 69=3D XOR 2=67 (ASC="g")
DL= C XOR 78=3F XOR 3=77 (ASC="w")
DL= C XOR 78=3E XOR 4=70 (ASC="p")
DL= C XOR 70=38 XOR 5=79 (ASC="y")
DL= C XOR 7F=3F XOR 6=75 (ASC="u")
DL= C XOR 3E=3C XOR 7=35 (ASC="5")
DL= C XOR 32=39 XOR 8=36 (ASC="6")
DL= C XOR 30=3D XOR 9=35 (ASC="5")
:00477D79 8816 mov byte ptr [esi], dl
:00477D7B 43 inc ebx
:00477D7C 46 inc esi
:00477D7D 83FB0A cmp ebx, 0000000A <===ha, again only 9 iterations
:00477D80 75CF jne 00477D51 <===jumps back to form the loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D47(C)
|
:00477D82 8D45E8 lea eax, dword ptr [ebp-18]
:00477D85 E81ABEF8FF call 00403BA4
:00477D8A BB09000000 mov ebx, 00000009
:00477D8F 8D75EF lea esi, dword ptr [ebp-11]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477DA9(C)
|
:00477D92 8D45E4 lea eax, dword ptr [ebp-1C]
:00477D95 8A16 mov dl, byte ptr [esi] <===takes the ASCII values of Zgwpyu565 in turn
:00477D97 E8B0BFF8FF call 00403D4C
:00477D9C 8B55E4 mov edx, dword ptr [ebp-1C]
:00477D9F 8D45E8 lea eax, dword ptr [ebp-18]
:00477DA2 E885C0F8FF call 00403E2C
:00477DA7 46 inc esi
:00477DA8 4B dec ebx
:00477DA9 75E7 jne 00477D92 <===jumps back to form the loop
:00477DAB 8D55E0 lea edx, dword ptr [ebp-20]
:00477DAE 8B45E8 mov eax, dword ptr [ebp-18] <===EAX=Zgwpyu565
:00477DB1 E89AFDFFFF call 00477B50 <===the final key CALL, F8 into it
:00477DB6 8B55E0 mov edx, dword ptr [ebp-20] <===EDX=Sey0kJw6CBL6
:00477DB9 8BC7 mov eax, edi
:00477DBB B9FF000000 mov ecx, 000000FF
:00477DC0 E83BC0F8FF call 00403E00
:00477DC5 33C0 xor eax, eax
:00477DC7 5A pop edx
:00477DC8 59 pop ecx
:00477DC9 59 pop ecx
:00477DCA 648910 mov dword ptr fs:[eax], edx
:00477DCD 68F47D4700 push 00477DF4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477DF2(U)
|
:00477DD2 8D45E0 lea eax, dword ptr [ebp-20]
:00477DD5 BA03000000 mov edx, 00000003
:00477DDA E8E9BDF8FF call 00403BC8
:00477DDF 8D45F8 lea eax, dword ptr [ebp-08]
:00477DE2 BA02000000 mov edx, 00000002
:00477DE7 E8DCBDF8FF call 00403BC8
:00477DEC C3 ret
:00477DED E92EB8F8FF jmp 00403620
:00477DF2 EBDE jmp 00477DD2
:00477DF4 5F pop edi
:00477DF5 5E pop esi
:00477DF6 5B pop ebx
:00477DF7 8BE5 mov esp, ebp
:00477DF9 5D pop ebp
:00477DFA C3 ret
------:00477DB1 call 00477B50 the final key CALL, F8 into it----------------
:00477B50 55 push ebp
:00477B51 8BEC mov ebp, esp
:00477B53 83C4F0 add esp, FFFFFFF0
:00477B56 53 push ebx
:00477B57 56 push esi
:00477B58 57 push edi
:00477B59 33C9 xor ecx, ecx
:00477B5B 894DF0 mov dword ptr [ebp-10], ecx
:00477B5E 8BFA mov edi, edx
:00477B60 8945FC mov dword ptr [ebp-04], eax
:00477B63 8B45FC mov eax, dword ptr [ebp-04]
:00477B66 E86DC4F8FF call 00403FD8
:00477B6B 33C0 xor eax, eax
:00477B6D 55 push ebp
:00477B6E 68847C4700 push 00477C84
:00477B73 64FF30 push dword ptr fs:[eax]
:00477B76 648920 mov dword ptr fs:[eax], esp
:00477B79 8BC7 mov eax, edi
:00477B7B E824C0F8FF call 00403BA4
:00477B80 E9D7000000 jmp 00477C5C <===jump taken
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C60(C)
| *********************jumped here from below; the loop begins**********************
:00477B85 8B45FC mov eax, dword ptr [ebp-04] <===EAX is Zgwpyu565, pyu565, 565 in turn (three characters consumed per pass)
:00477B88 E897C2F8FF call 00403E24 <===gets the length: 9, 6, 3
:00477B8D 8BC8 mov ecx, eax <===ECX=9,6,3
:00477B8F 8BC1 mov eax, ecx
:00477B91 BB03000000 mov ebx, 00000003
:00477B96 99 cdq
:00477B97 F7FB idiv ebx <===EAX=3,2,1 EDX=0
:00477B99 85C0 test eax, eax
:00477B9B 7E07 jle 00477BA4 <===jumps away if the quotient is 0
:00477B9D BB03000000 mov ebx, 00000003
:00477BA2 EB02 jmp 00477BA6 <===jump taken
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B9B(C)
|
:00477BA4 8BD9 mov ebx, ecx <===if the quotient is 0, EBX becomes the remaining length
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BA2(U)
|
:00477BA6 8D45F9 lea eax, dword ptr [ebp-07] <===lands here
:00477BA9 33C9 xor ecx, ecx <===ECX=0
:00477BAB BA03000000 mov edx, 00000003 <===EDX=3
:00477BB0 E8B3AFF8FF call 00402B68 <===fills 3 bytes of 0 at [ebp-07]
:00477BB5 8D45F5 lea eax, dword ptr [ebp-0B]
:00477BB8 B940000000 mov ecx, 00000040
:00477BBD BA04000000 mov edx, 00000004
:00477BC2 E8A1AFF8FF call 00402B68 <===fills 4 bytes of 40 at [ebp-0B]
:00477BC7 8D45FC lea eax, dword ptr [ebp-04]
:00477BCA E825C4F8FF call 00403FF4 <===EAX=Zgwpyu565
:00477BCF 8D55F9 lea edx, dword ptr [ebp-07]
:00477BD2 8BCB mov ecx, ebx <===ECX=3
:00477BD4 E8B7ACF8FF call 00402890 <===copies Zgw, pyu, 565 in turn into [ebp-07]
:00477BD9 83FB03 cmp ebx, 00000003
:00477BDC 7C08 jl 00477BE6
:00477BDE 8A45FB mov al, byte ptr [ebp-05] <===takes the last character of the 3-character string (e.g. "w","u","5")
:00477BE1 243F and al, 3F
Outer loop 1 (w): AL=77 AND 3F =37
Outer loop 2 (u): AL=75 AND 3F =35
Outer loop 3 (5): AL=35 AND 3F =35
:00477BE3 8845F8 mov byte ptr [ebp-08], al <===result slot 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BDC(C)
|
:00477BE6 83FB02 cmp ebx, 00000002
:00477BE9 7C15 jl 00477C00
:00477BEB 8A45FA mov al, byte ptr [ebp-06] <===takes the second-to-last character of the string (e.g. "g","y","6")
:00477BEE C1E002 shl eax, 02
:00477BF1 33D2 xor edx, edx
Outer loop 1 (g): AL=67 shl 02 =9C
Outer loop 2 (y): AL=79 shl 02 =E4
Outer loop 3 (6): AL=36 shl 02 =D8
:00477BF3 8A55FB mov dl, byte ptr [ebp-05] <===takes the last character of the string (e.g. "w","u","5")
:00477BF6 C1EA06 shr edx, 06
Outer loop 1 (w): DL=77 shr 06 =01
Outer loop 2 (u): DL=75 shr 06 =01
Outer loop 3 (5): DL=35 shr 06 =00
:00477BF9 0AC2 or al, dl
:00477BFB 243F and al, 3F
Outer loop 1: AL=9C OR 01 =9D AND 3F =1D
Outer loop 2: AL=E4 OR 01 =E5 AND 3F =25
Outer loop 3: AL=D8 OR 00 =D8 AND 3F =18
:00477BFD 8845F7 mov byte ptr [ebp-09], al <===result slot 2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BE9(C)
|
:00477C00 8A45F9 mov al, byte ptr [ebp-07] <===takes the first character of the string (e.g. "Z","p","5")
:00477C03 8BD0 mov edx, eax
:00477C05 C1E204 shl edx, 04
Outer loop 1 (Z): DL=5A shl 04 =A0
Outer loop 2 (p): DL=70 shl 04 =00
Outer loop 3 (5): DL=35 shl 04 =50
:00477C08 33C9 xor ecx, ecx
:00477C0A 8A4DFA mov cl, byte ptr [ebp-06] <===将字符串的倒数第二个字符取出(例:"g","y","6")
:00477C0D C1E904 shr ecx, 04
Outer loop 1 (g): CL=67 shr 04 =6
Outer loop 2 (y): CL=79 shr 04 =7
Outer loop 3 (6): CL=36 shr 04 =3
:00477C10 0AD1 or dl, cl
:00477C12 80E23F and dl, 3F
Outer loop 1: DL=A0 OR 6 =A6 AND 3F=26
Outer loop 2: DL=00 OR 7 =07 AND 3F=07
Outer loop 3: DL=50 OR 3 =53 AND 3F=13
:00477C15 8855F6 mov byte ptr [ebp-0A], dl <===result slot 3
:00477C18 25FF000000 and eax, 000000FF
:00477C1D C1E802 shr eax, 02
:00477C20 243F and al, 3F
Outer loop 1 (Z): AL=5A shr 02 =16 AND 3F=16
Outer loop 2 (p): AL=70 shr 02 =1C AND 3F=1C
Outer loop 3 (5): AL=35 shr 02 =0D AND 3F=0D
:00477C22 8845F5 mov byte ptr [ebp-0B], al <===result slot 4
:00477C25 8D45FC lea eax, dword ptr [ebp-04]
:00477C28 8BCB mov ecx, ebx <===ECX=3
:00477C2A BA01000000 mov edx, 00000001 <===EDX=1
:00477C2F E838C4F8FF call 0040406C <===EAX becomes pyu565, then 565
:00477C34 BE04000000 mov esi, 00000004 <===ESI=4, counter initialised to 4 (one per result slot)
:00477C39 8D5DF5 lea ebx, dword ptr [ebp-0B]
Outer loop 1, values in the four result slots: 16 26 1D 37
Outer loop 2, values in the four result slots: 1C 07 25 35
Outer loop 3, values in the four result slots: 0D 13 18 35
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C5A(C)
|
:00477C3C 8D45F0 lea eax, dword ptr [ebp-10]
:00477C3F 33D2 xor edx, edx
:00477C41 8A13 mov dl, byte ptr [ebx]
Outer loop 1, inner-loop DL values in turn: 16 26 1D 37
Outer loop 2, inner-loop DL values in turn: 1C 07 25 35
Outer loop 3, inner-loop DL values in turn: 0D 13 18 35
:00477C43 8A929DE44700 mov dl, byte ptr [edx+0047E49D] <===looks up the table, indexed by EDX
*****************The table (65 values in all)*********************
0047E49D 49 59 41 47 50 58 44 4A IYAGPXDJ
0047E4A5 51 57 4D 48 56 43 4E 46 QWMHVCNF
0047E4AD 55 5A 52 42 4B 45 53 4F UZRBKESO
0047E4B5 4C 54 74 66 6B 79 73 62 LTtfkysb
0047E4BD 6F 68 6C 75 6A 77 65 63 ohlujwec
0047E4C5 70 6D 69 61 71 6E 64 78 pmiaqndx
0047E4CD 7A 76 67 72 34 36 2B 30 zvgr46+0
0047E4D5 32 35 37 33 2F 38 31 3D 2573/81=
0047E4DD 39 9
********************************************************
Outer loop 1, the inner-loop DL values pick out: S e y 0
Outer loop 2, the inner-loop DL values pick out: k J w 6
Outer loop 3, the inner-loop DL values pick out: C B L 6
:00477C49 E8FEC0F8FF call 00403D4C
:00477C4E 8B55F0 mov edx, dword ptr [ebp-10]
:00477C51 8BC7 mov eax, edi
:00477C53 E8D4C1F8FF call 00403E2C
:00477C58 43 inc ebx
:00477C59 4E dec esi
:00477C5A 75E0 jne 00477C3C <===jumps back to form an inner loop; each iteration produces one character of the registration code. It runs 4 times per outer pass, and the registration code "Sey0kJw6CBL6" emerges.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B80(U)
|
:00477C5C 837DFC00 cmp dword ptr [ebp-04], 00000000 <===the first big jump lands here
:00477C60 0F851FFFFFFF jne 00477B85 <===since [ebp-04]=Zgwpyu565, this jumps back up to start the outer loop; each pass produces four characters of the registration code, three passes in total
:00477C66 33C0 xor eax, eax
:00477C68 5A pop edx
:00477C69 59 pop ecx
:00477C6A 59 pop ecx
:00477C6B 648910 mov dword ptr fs:[eax], edx
:00477C6E 688B7C4700 push 00477C8B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C89(U)
|
:00477C73 8D45F0 lea eax, dword ptr [ebp-10]
:00477C76 E829BFF8FF call 00403BA4
:00477C7B 8D45FC lea eax, dword ptr [ebp-04]
:00477C7E E821BFF8FF call 00403BA4
:00477C83 C3 ret
:00477C84 E997B9F8FF jmp 00403620
:00477C89 EBE8 jmp 00477C73
:00477C8B 5F pop edi
:00477C8C 5E pop esi
:00477C8D 5B pop ebx
:00477C8E 8BE5 mov esp, ebp
:00477C90 5D pop ebp
:00477C91 C3 ret
-----------------------------------------------------------------------------------
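The last CALL above is nothing more than base64 with a permuted alphabet: the 65-byte table at 0047E49D holds exactly the symbols of the standard base64 alphabet, with "=" moved to index 63 and "9" sitting at index 0x40, the value the routine pre-fills into the four result slots, so "9" acts as the pad symbol. The Python below is an added example and is not code from the page, from the author, or from eBook Edit Pro. It implements base64 over an arbitrary 65-symbol table following the shift/mask sequence in the disassembly, confirms the page's own Zgwpyu565 -> Sey0kJw6CBL6 result against the standard library's base64 followed by a character substitution, and scans a byte buffer for embedded tables of this kind. The table contents are copied from the dump above; SAMPLE_IMAGE is a constructed byte string standing in for an unpacked image, not the real executable.

```python
# Added example: base64 with a permuted alphabet, as used by the final CALL above.
# Not the page's or eBook Edit Pro's code; SAMPLE_IMAGE below is constructed.
import base64
import string

# Standard alphabet in index order 0..63, followed by the pad symbol.
STD64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
STD_WITH_PAD = STD64 + "="

# The 65-byte table dumped from 0047E49D on the page: table[0..63] are the data
# symbols ("=" is a data symbol at index 63) and table[64] = "9" is the pad symbol.
EBOOK_TABLE = "IYAGPXDJQWMHVCNFUZRBKESOLTtfkysbohlujwecpmiaqndxzvgr46+02573/81=9"


def is_base64_permutation(table):
    """True when table is 65 distinct characters that are exactly the standard
    base64 symbols plus '='; such a table is a substitution, not a new encoding."""
    return len(table) == 65 and set(table) == set(STD_WITH_PAD)


def encode_custom(data, table):
    """Base64 bit layout (3 bytes -> four 6-bit values) drawn through `table`.
    Mirrors the disassembly: the 3-byte input slot is zero-filled and the four
    result slots are pre-set to 0x40, which selects the pad symbol."""
    if not is_base64_permutation(table):
        raise ValueError("expected 64 data symbols followed by one pad symbol")
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        b = chunk + b"\x00" * (3 - n)            # zero-filled [ebp-07] buffer
        vals = [0x40, 0x40, 0x40, 0x40]           # four slots pre-filled with 0x40
        vals[0] = b[0] >> 2                       # first char >> 2, AND 3F
        vals[1] = ((b[0] << 4) | (b[1] >> 4)) & 0x3F
        if n >= 2:                                # cmp ebx,2 / jl skips this slot
            vals[2] = ((b[1] << 2) | (b[2] >> 6)) & 0x3F
        if n >= 3:                                # cmp ebx,3 / jl skips this slot
            vals[3] = b[2] & 0x3F
        out.extend(table[v] for v in vals)        # 0x40 -> table[64], the pad
    return "".join(out)


def encode_via_stdlib(data, table):
    """Same output using the standard library: ordinary base64, then a one-to-one
    symbol substitution. Equality with encode_custom shows the scheme is plain base64."""
    trans = str.maketrans(STD_WITH_PAD, table)
    return base64.b64encode(data).decode("ascii").translate(trans)


def find_base64_tables(blob):
    """Offsets of every 65-byte window of `blob` that is a permuted base64 alphabet;
    a quick way to locate such tables in an unpacked image or a memory dump."""
    hits = []
    for off in range(len(blob) - 64):
        window = blob[off:off + 65]
        if window.isascii() and is_base64_permutation(window.decode("ascii")):
            hits.append(off)
    return hits


# Constructed stand-in for an unpacked image: filler, a fake header, the table, filler.
SAMPLE_IMAGE = b"\x00" * 37 + b"MZ\x90\x00" + EBOOK_TABLE.encode("ascii") + b"\x00\xcc" * 20

if __name__ == "__main__":
    print(encode_custom(b"Zgwpyu565", EBOOK_TABLE))      # Sey0kJw6CBL6, as on the page
    print(encode_via_stdlib(b"Zgwpyu565", EBOOK_TABLE))  # the same string
    print(find_base64_tables(SAMPLE_IMAGE))              # [41]
```

Anyone auditing a licensing scheme can run find_base64_tables over an unpacked image to spot a "proprietary" alphabet like this one; because the table is recoverable from the binary, the encoding step contributes no secrecy, and the whole scheme rests on the key, which this program hands over in plaintext.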
4. Keygen source (equivalent to part of the KeyMaker.exe bundled with eBook Edit Pro):
----Compiled with VB6.0 under Win98----
Private Sub Command1_Click()
softbiao = "IYAGPXDJQWMHVCNFUZRBKESOLTtfkysbohlujwecpmiaqndxzvgr46+02573/81=9" 'eBook Edit Pro's built-in table
setkey = "lawtxt163424" 'the key chosen by this software's author
keylen = Len(setkey)
A = Array(0, 0, 0, 0, 0, 0, 0, 0, 0) 'the 9-slot buffer for the first-stage transformation
strin = Text1.Text
nlen = Len(strin)
z = 1 'flag: machine code input is valid
If nlen <> 10 Then
z = 2
Else
For j = 0 To 8 'check that the machine code is all digits and do the first transformation pass at the same time
ztmp = Asc(Mid(strin, j + 1, 1))
A(j) = ztmp Xor nlen Xor (j + 1)
If ztmp < 48 Or ztmp > 57 Then
z = 2
End If
Next j
j = 0
For i = 1 To nlen 'second transformation pass over the machine code
A(j) = A(j) Xor Asc(Mid(strin, nlen + 1 - i, 1))
j = j + 1
If j = 9 Then 'the index wraps around here
j = 0
End If
Next i
For k = 0 To 8 'combine the machine code with the key (only the first 9 key characters are used)
A(k) = (A(k) Xor Asc(Mid(setkey, k + 1, 1))) Xor keylen Xor (k + 1)
Next k
'the first-stage transformation is complete at this point
For i = 0 To 8
k = (i Mod 3) + 1
Select Case k
Case 1
AL1 = Int(A(i) / 4) And &H3F 'logical right shift by 2, then AND with 3F
str1 = Mid(softbiao, AL1 + 1, 1)
Case 2
DL1 = CInt("&H" + Right(Hex(A(i - 1)) + "0", 2)) 'logical left shift by 4
DL2 = CInt("&H" + Left(Hex(A(i)), 1)) 'logical right shift by 4
AL2 = (DL1 Or DL2) And &H3F
str2 = Mid(softbiao, AL2 + 1, 1)
DL3 = CInt("&H" + Right(Hex(A(i) * 4), 2)) 'logical left shift by 2
lentmp = Len(Oct(A(i + 1)))
If lentmp <= 2 Then
dl4 = 0
Else
dl4 = CInt("&O" + Mid(Oct(A(i + 1)), 1, lentmp - 2)) 'logical right shift by 6
End If
AL3 = (DL3 Or dl4) And &H3F
str3 = Mid(softbiao, AL3 + 1, 1)
Case 3
AL4 = A(i) And &H3F
str4 = Mid(softbiao, AL4 + 1, 1)
laststr = laststr + str1 + str2 + str3 + str4
End Select
Next i
Text2.Text = laststr
End If
If z = 2 Then
h = MsgBox("你的输入有误,请检查后重新输入", 0, "你输入的是10位的机器吗?")
End If
End Sub
5. The registration information is stored in the registry (every program protected with eBook Edit Pro keeps its registration information at this location):
[HKEY_CURRENT_USER\Software\eBook Edit Pro\Login\18BD1A10]
"SD"=dword:00009368
"SO"=dword:00000009
"LoginUser"="3754256370"
"LoginPassword"="Sey0kJw6CBL6"
BTW: plenty of crackers have received lawyer's letters explaining how they have infringed on software authors' interests. Now, of all people, the Beijing Yige law firm (北京市一格律师事务所) has itself illegally used tool software to build "Legal Document & Contract Template Library 5.10". In a fit of anger I made this keygen specifically to speak up for all crackers.