Windows系统切换工具 算法分析+注册机
生活随笔
收集整理的這篇文章主要介紹了
Windows系统切换工具 算法分析+注册机
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
Windows系統切換工具 算法分析+注冊機
:0040715B?50??????????????????????push?eax*?Possible?StringData?Ref?from?Data?Obj?->"%s"| :0040715C?68A4A24100??????????????push?0041A2A4 :00407161?51??????????????????????push?ecx*?Reference?To:?MFC42.Ordinal:0B02,?Ord:0B02h| :00407162?E8B5970000??????????????Call?0041091C????;這個CALL是GetWindowText(MFC寫的東東用IDA很容易明白) :00407167?8B542420????????????????mov?edx,?dword?ptr?[esp+20] :0040716B?83C40C??????????????????add?esp,?0000000C :0040716E?8B42F8??????????????????mov?eax,?dword?ptr?[edx-08] :00407171?85C0????????????????????test?eax,?eax????;用戶名長度不能為0 :00407173?750E????????????????????jne?00407183..........:004071AA?50??????????????????????push?eax*?Possible?StringData?Ref?from?Data?Obj?->"%s"| :004071AB?68A4A24100??????????????push?0041A2A4 :004071B0?51??????????????????????push?ecx*?Reference?To:?MFC42.Ordinal:0B02,?Ord:0B02h| :004071B1?E866970000??????????????Call?0041091C????;GetWindowText,得到注冊名 :004071B6?8B4C241C????????????????mov?ecx,?dword?ptr?[esp+1C] :004071BA?BB03000000??????????????mov?ebx,?00000003??;EBX=3 :004071BF?83C40C??????????????????add?esp,?0000000C :004071C2?8B41F8??????????????????mov?eax,?dword?ptr?[ecx-08] :004071C5?3BC3????????????????????cmp?eax,?ebx :004071C7?7D0E????????????????????jge?004071D7????;注冊名長度必須大于等于3 :004071C9?6AFF????????????????????push?FFFFFFFF :004071CB?6A00????????????????????push?00000000 :004071CD?6833F00000??????????????push?0000F033 :004071D2?E997020000??????????????jmp?0040746E????;不然就有你好看*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004071C7(C) |*?Reference?To:?MSVCRT._mbsicmp,?Ord:015Fh| :004071D7?8B3580444100????????????mov?esi,?dword?ptr?[00414480]*?Possible?StringData?Ref?from?Data?Obj?->"白山破解網"????;黑名單| :004071DD?6898A64100??????????????push?0041A698 :004071E2?51??????????????????????push?ecx :004071E3?FFD6????????????????????call?esi :004071E5?83C408??????????????????add?esp,?00000008 :004071E8?85C0????????????????????test?eax,?eax :004071EA?0F8475020000????????????je?00407465 :004071F0?8B542410????????????????mov?edx,?dword?ptr?[esp+10]*?Possible?StringData?Ref?from?Data?Obj?->"Zhenlong[BCG]"??;BCG的一位老兄進黑名單了:D| :004071F4?6888A64100??????????????push?0041A688 :004071F9?52??????????????????????push?edx :004071FA?FFD6????????????????????call?esi :004071FC?83C408??????????????????add?esp,?00000008 :004071FF?85C0????????????????????test?eax,?eax :00407201?0F845E020000????????????je?00407465???? :00407207?6A01????????????????????push?00000001 :00407209?6A00????????????????????push?00000000 :0040720B?6874040000??????????????push?00000474 :00407210?8BCD????????????????????mov?ecx,?ebp*?Reference?To:?MFC42.Ordinal:0C17,?Ord:0C17h| :00407212?E811970000??????????????Call?00410928 :00407217?8BF0????????????????????mov?esi,?eax :00407219?8D442410????????????????lea?eax,?dword?ptr?[esp+10] :0040721D?56??????????????????????push?esi :0040721E?51??????????????????????push?ecx :0040721F?8BCC????????????????????mov?ecx,?esp :00407221?89642420????????????????mov?dword?ptr?[esp+20],?esp :00407225?50??????????????????????push?eax*?Reference?To:?MFC42.Ordinal:0217,?Ord:0217h| :00407226?E847980000??????????????Call?00410A72 :0040722B?8BCD????????????????????mov?ecx,?ebp :0040722D?E80E030000??????????????call?00407540????;這個CALL有鬼 :00407232?85C0????????????????????test?eax,?eax :00407234?0F842B020000????????????je?00407465????;關鍵跳轉,跳下去就OVER跟進上面CALL:*?Referenced?by?a?CALL?at?Address: |:0040722D??? | :00407540?6AFF????????????????????push?FFFFFFFF :00407542?68581D4100??????????????push?00411D58 :00407547?64A100000000????????????mov?eax,?dword?ptr?fs:[00000000] :0040754D?50??????????????????????push?eax :0040754E?64892500000000??????????mov?dword?ptr?fs:[00000000],?esp :00407555?83EC10??????????????????sub?esp,?00000010 :00407558?53??????????????????????push?ebx :00407559?55??????????????????????push?ebp :0040755A?56??????????????????????push?esi :0040755B?57??????????????????????push?edi :0040755C?8BF9????????????????????mov?edi,?ecx :0040755E?51??????????????????????push?ecx :0040755F?8D442434????????????????lea?eax,?dword?ptr?[esp+34] :00407563?8BCC????????????????????mov?ecx,?esp :00407565?8964241C????????????????mov?dword?ptr?[esp+1C],?esp :00407569?50??????????????????????push?eax :0040756A?C744243000000000????????mov?[esp+30],?00000000*?Reference?To:?MFC42.Ordinal:0217,?Ord:0217h| :00407572?E8FB940000??????????????Call?00410A72 :00407577?8BCF????????????????????mov?ecx,?edi??;此處D?*EAX可以看到輸入的注冊名,作CALL的參數 :00407579?E822010000??????????????call?004076A0??;這個CALL很重要,下面多次出現(分析見下) :0040757E?8BF0????????????????????mov?esi,?eax??;EAX是返回的值,放進ESI :00407580?85F6????????????????????test?esi,?esi :00407582?0F84F0000000????????????je?00407678???? :00407588?51??????????????????????push?ecx :00407589?8BCC????????????????????mov?ecx,?esp :0040758B?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"EasunLee"?| :0040758F?68F4A64100??????????????push?0041A6F4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :00407594?E8BF930000??????????????Call?00410958 :00407599?8BCF????????????????????mov?ecx,?edi :0040759B?E800010000??????????????call?004076A0??;把字串"EasunLee"作同樣計算 :004075A0?51??????????????????????push?ecx :004075A1?8BD8????????????????????mov?ebx,?eax??;結果1放在EBX :004075A3?8BCC????????????????????mov?ecx,?esp :004075A5?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"EasunLee"| :004075A9?68F4A64100??????????????push?0041A6F4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :004075AE?E8A5930000??????????????Call?00410958 :004075B3?8BCF????????????????????mov?ecx,?edi :004075B5?E8E6000000??????????????call?004076A0 :004075BA?51??????????????????????push?ecx :004075BB?8BE8????????????????????mov?ebp,?eax??;結果1放在EBP :004075BD?8BCC????????????????????mov?ecx,?esp :004075BF?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"easunlee98meiosys"| :004075C3?68E0A64100??????????????push?0041A6E0*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :004075C8?E88B930000??????????????Call?00410958 :004075CD?8BCF????????????????????mov?ecx,?edi :004075CF?E8CC000000??????????????call?004076A0??;字串"easunlee98meiosys"同樣的計算 :004075D4?51??????????????????????push?ecx :004075D5?89442418????????????????mov?dword?ptr?[esp+18],?eax??;結果2在[ESP+18] :004075D9?8BCC????????????????????mov?ecx,?esp :004075DB?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"Luyanghs&&Tsai&&bluebird"| :004075DF?68C4A64100??????????????push?0041A6C4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :004075E4?E86F930000??????????????Call?00410958 :004075E9?8BCF????????????????????mov?ecx,?edi :004075EB?E8B0000000??????????????call?004076A0??;字串"Luyanghs&&Tsai&&bluebird" :004075F0?51??????????????????????push?ecx :004075F1?89442414????????????????mov?dword?ptr?[esp+14],?eax??;結果3在[ESP+14] :004075F5?8BCC????????????????????mov?ecx,?esp :004075F7?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"heshengwssu1091119"| :004075FB?68B0A64100??????????????push?0041A6B0*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :00407600?E853930000??????????????Call?00410958 :00407605?8BCF????????????????????mov?ecx,?edi :00407607?E894000000??????????????call?004076A0??;字串"heshengwssu1091119" :0040760C?51??????????????????????push?ecx :0040760D?8944241C????????????????mov?dword?ptr?[esp+1C],?eax??;結果4在[ESP+1C] :00407611?8BCC????????????????????mov?ecx,?esp :00407613?89642420????????????????mov?dword?ptr?[esp+20],?esp*?Possible?StringData?Ref?from?Data?Obj?->"200970878"| :00407617?68A4A64100??????????????push?0041A6A4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :0040761C?E837930000??????????????Call?00410958 :00407621?8BCF????????????????????mov?ecx,?edi :00407623?E878000000??????????????call?004076A0????;字串"200970878"同樣的計算,結果5在EAX :00407628?81F678EE0220????????????xor?esi,?2002EE78??;ESI是注冊名經運算的結果,與2002EE78異或 :0040762E?8B7C2414????????????????mov?edi,?dword?ptr?[esp+14]??;把結果2放入EDI?? :00407632?81EE21050E20????????????sub?esi,?200E0521??;再減200E0521 :00407638?8B542418????????????????mov?edx,?dword?ptr?[esp+18]??;把結果4放在EDX :0040763C?81F678563472????????????xor?esi,?72345678??;再與72345678異或 :00407642?81EE88F76877????????????sub?esi,?7768F788??;再減7768F788 :00407648?33F3????????????????????xor?esi,?ebx????;再與結果1異或 :0040764A?8B5C2410????????????????mov?ebx,?dword?ptr?[esp+10]??;把結果3放入EBX :0040764E?03F5????????????????????add?esi,?ebp????;再加結果1 :00407650?33F3????????????????????xor?esi,?ebx????;與結果3異或 :00407652?33F7????????????????????xor?esi,?edi????;與結果2異或 :00407654?2BF2????????????????????sub?esi,?edx????;減去結果4 :00407656?03F0????????????????????add?esi,?eax????;加上結果5 :00407658?8B442434????????????????mov?eax,?dword?ptr?[esp+34]??;EAX是我們輸入的注冊碼數值 :0040765C?3BF0????????????????????cmp?esi,?eax????;上面一堆運算的結果必須與輸入的注冊碼相等 :0040765E?7518????????????????????jne?00407678????;不等就跳 :00407660?8D4C2430????????????????lea?ecx,?dword?ptr?[esp+30] :00407664?C7442428FFFFFFFF????????mov?[esp+28],?FFFFFFFF*?Reference?To:?MFC42.Ordinal:0320,?Ord:0320h| :0040766C?E899920000??????????????Call?0041090A :00407671?B801000000??????????????mov?eax,?00000001??;如果相等來到這里EAX=1,成功 :00407676?EB13????????????????????jmp?0040768B*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Addresses: |:00407582(C),?:0040765E(C) | :00407678?8D4C2430????????????????lea?ecx,?dword?ptr?[esp+30] :0040767C?C7442428FFFFFFFF????????mov?[esp+28],?FFFFFFFF*?Reference?To:?MFC42.Ordinal:0320,?Ord:0320h| :00407684?E881920000??????????????Call?0041090A :00407689?33C0????????????????????xor?eax,?eax????;如果不等EAX在這里被干掉了*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:00407676(U) | :0040768B?8B4C2420????????????????mov?ecx,?dword?ptr?[esp+20] :0040768F?5F??????????????????????pop?edi :00407690?5E??????????????????????pop?esi :00407691?5D??????????????????????pop?ebp :00407692?64890D00000000??????????mov?dword?ptr?fs:[00000000],?ecx :00407699?5B??????????????????????pop?ebx :0040769A?83C41C??????????????????add?esp,?0000001C :0040769D?C20800??????????????????ret?0008那個多次涉及的CALL:*?Referenced?by?a?CALL?at?Addresses: |:00407579???,?:0040759B???,?:004075B5???,?:004075CF???,?:004075EB??? |:00407607???,?:00407623??? | :004076A0?64A100000000????????????mov?eax,?dword?ptr?fs:[00000000] :004076A6?6AFF????????????????????push?FFFFFFFF :004076A8?68781D4100??????????????push?00411D78 :004076AD?50??????????????????????push?eax :004076AE?64892500000000??????????mov?dword?ptr?fs:[00000000],?esp :004076B5?56??????????????????????push?esi :004076B6?57??????????????????????push?edi :004076B7?8B7C2418????????????????mov?edi,?dword?ptr?[esp+18] :004076BB?8B57F8??????????????????mov?edx,?dword?ptr?[edi-08] :004076BE?83FA03??????????????????cmp?edx,?00000003 :004076C1?7D26????????????????????jge?004076E9????;字串長度必須大于等于3 :004076C3?8D4C2418????????????????lea?ecx,?dword?ptr?[esp+18] :004076C7?C7442410FFFFFFFF????????mov?[esp+10],?FFFFFFFF............*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004076C1(C) | :004076E9?33F6????????????????????xor?esi,?esi :004076EB?33C9????????????????????xor?ecx,?ecx :004076ED?85D2????????????????????test?edx,?edx :004076EF?7E0D????????????????????jle?004076FE*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004076FC(C) | :004076F1?0FBE0439????????????????movsx?eax,?byte?ptr?[ecx+edi]??;循環,依次取出每一個字符 :004076F5?D3E0????????????????????shl?eax,?cl??;ECX為循環變量i,取出的字符左移i位 :004076F7?03F0????????????????????add?esi,?eax??;累加起來 :004076F9?41??????????????????????inc?ecx :004076FA?3BCA????????????????????cmp?ecx,?edx??;ECX是否大于字串長度 :004076FC?7CF3????????????????????jl?004076F1???;循環取數*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004076EF(C) | :004076FE?8D4C2418????????????????lea?ecx,?dword?ptr?[esp+18] :00407702?C7442410FFFFFFFF????????mov?[esp+10],?FFFFFFFF*?Reference?To:?MFC42.Ordinal:0320,?Ord:0320h| :0040770A?E8FB910000??????????????Call?0041090A :0040770F?8B4C2408????????????????mov?ecx,?dword?ptr?[esp+08] :00407713?8BC6????????????????????mov?eax,?esi??;把累加結果給EAX,作為返回值 :00407715?5F??????????????????????pop?edi :00407716?64890D00000000??????????mov?dword?ptr?fs:[00000000],?ecx :0040771D?5E??????????????????????pop?esi :0040771E?83C40C??????????????????add?esp,?0000000C :00407721?C20400??????????????????ret?0004
整理一下思路:設F()為上面計算的CALL
則?注冊碼=(((F(用戶名)?XOR?2002EE78?-?200E0521)XOR?72345678?-?7768F788)?XOR?F("EasunLee")?+?F("EasunLee"))?XOR?F("Luyanghs&&Tsai&&bluebird")?XOR?F("easunlee98meiosys")?-?F("heshengwssu1091119")?+?F("200970878")
注冊機:
代碼:
#include?<iostream.h> #include?<string.h>int?F(char?st[]) {int?len=strlen(st);int?s=0;for?(int?i=0;i<len;i++)s=s+(st[i]<<i);return?s; }void?main() {char?name[20];int?code;cout<<"Please?input?your?name?:?";cin>>name;code=F(name);code=(code^0x2002EE78)-0x200E0521;code=(code^0x72345678)-0x7768F788;code=(code^F("EasunLee"))+F("EasunLee");code=code^F("Luyanghs&&Tsai&&bluebird")^F("easunlee98meiosys");code=code-F("heshengwssu1091119")+F("200970878");cout<<"Your?seiral?number?is?"<<code<<endl; }
下載地址:?http://www4.skycn.com/soft/8306.html
Windows系統切換工具?V1.09.1208?
軟件大小:??1312?KB
軟件語言:??簡體中文
軟件類別:??國產軟件?/?共享版?/?系統其它
應用平臺:??Win9x/NT/2000/XP
界面預覽:??
加入時間:??2002-12-10?10:07:34
下載次數:??11796
推薦等級:??
在線注冊:??點擊這里成為正版用戶==>
聯?系?人:??easunlee@21cn.com??
開?發?商:??http://easunlee.diy.163.com/
軟件介紹:???
????Easun?Studio?Windows?系統切換工具是是安裝多Windows系統的用戶的福音。不知道您是否有這種體會,為了工作需要,安裝了多個Windows(比如中文Win98、英文Win98及Win2000),可是切換起來卻太是困難,Windows?2000?還提供了啟動菜單,而多Win95/98/Me根本上就沒有這種菜單供您選擇,就只有自己在DOS下用批處理進行切換。網上進行多系統切換的工具也可謂多也,但是幾乎都是用自己的模塊替換BOOT區來完成的,而且都是在DOS(字符界面)下進行切換選擇,既麻煩有不安全,而且界面操作復雜,那能不能有一種界面友好,安全,方便在Windows界面下進行操作的系統切換工具呢?路楊就是本著這個原因開發這個軟件的,該軟件界面大方美觀,操作上手,不用自身模塊覆蓋BOOT區,安全可靠,工作在Windows95/98/Me/2000/Xp?環境下,讓您徹底拋開DOS界面和字符界面!另外,本軟件還有設置系統和恢復IE設定的功能,當然,這就是附加功能了。
=========================================================================================
前兩天我的機子上boot.ini被我搞得一團糟,下了這個東東來整理一下,順便把它破了,挺簡單的,現在這樣的很難找了。
先檢查,AsPack的殼,脫了,是我最喜歡的VC?:D?,很容易找到下面:
:0040715B?50??????????????????????push?eax*?Possible?StringData?Ref?from?Data?Obj?->"%s"| :0040715C?68A4A24100??????????????push?0041A2A4 :00407161?51??????????????????????push?ecx*?Reference?To:?MFC42.Ordinal:0B02,?Ord:0B02h| :00407162?E8B5970000??????????????Call?0041091C????;這個CALL是GetWindowText(MFC寫的東東用IDA很容易明白) :00407167?8B542420????????????????mov?edx,?dword?ptr?[esp+20] :0040716B?83C40C??????????????????add?esp,?0000000C :0040716E?8B42F8??????????????????mov?eax,?dword?ptr?[edx-08] :00407171?85C0????????????????????test?eax,?eax????;用戶名長度不能為0 :00407173?750E????????????????????jne?00407183..........:004071AA?50??????????????????????push?eax*?Possible?StringData?Ref?from?Data?Obj?->"%s"| :004071AB?68A4A24100??????????????push?0041A2A4 :004071B0?51??????????????????????push?ecx*?Reference?To:?MFC42.Ordinal:0B02,?Ord:0B02h| :004071B1?E866970000??????????????Call?0041091C????;GetWindowText,得到注冊名 :004071B6?8B4C241C????????????????mov?ecx,?dword?ptr?[esp+1C] :004071BA?BB03000000??????????????mov?ebx,?00000003??;EBX=3 :004071BF?83C40C??????????????????add?esp,?0000000C :004071C2?8B41F8??????????????????mov?eax,?dword?ptr?[ecx-08] :004071C5?3BC3????????????????????cmp?eax,?ebx :004071C7?7D0E????????????????????jge?004071D7????;注冊名長度必須大于等于3 :004071C9?6AFF????????????????????push?FFFFFFFF :004071CB?6A00????????????????????push?00000000 :004071CD?6833F00000??????????????push?0000F033 :004071D2?E997020000??????????????jmp?0040746E????;不然就有你好看*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004071C7(C) |*?Reference?To:?MSVCRT._mbsicmp,?Ord:015Fh| :004071D7?8B3580444100????????????mov?esi,?dword?ptr?[00414480]*?Possible?StringData?Ref?from?Data?Obj?->"白山破解網"????;黑名單| :004071DD?6898A64100??????????????push?0041A698 :004071E2?51??????????????????????push?ecx :004071E3?FFD6????????????????????call?esi :004071E5?83C408??????????????????add?esp,?00000008 :004071E8?85C0????????????????????test?eax,?eax :004071EA?0F8475020000????????????je?00407465 :004071F0?8B542410????????????????mov?edx,?dword?ptr?[esp+10]*?Possible?StringData?Ref?from?Data?Obj?->"Zhenlong[BCG]"??;BCG的一位老兄進黑名單了:D| :004071F4?6888A64100??????????????push?0041A688 :004071F9?52??????????????????????push?edx :004071FA?FFD6????????????????????call?esi :004071FC?83C408??????????????????add?esp,?00000008 :004071FF?85C0????????????????????test?eax,?eax :00407201?0F845E020000????????????je?00407465???? :00407207?6A01????????????????????push?00000001 :00407209?6A00????????????????????push?00000000 :0040720B?6874040000??????????????push?00000474 :00407210?8BCD????????????????????mov?ecx,?ebp*?Reference?To:?MFC42.Ordinal:0C17,?Ord:0C17h| :00407212?E811970000??????????????Call?00410928 :00407217?8BF0????????????????????mov?esi,?eax :00407219?8D442410????????????????lea?eax,?dword?ptr?[esp+10] :0040721D?56??????????????????????push?esi :0040721E?51??????????????????????push?ecx :0040721F?8BCC????????????????????mov?ecx,?esp :00407221?89642420????????????????mov?dword?ptr?[esp+20],?esp :00407225?50??????????????????????push?eax*?Reference?To:?MFC42.Ordinal:0217,?Ord:0217h| :00407226?E847980000??????????????Call?00410A72 :0040722B?8BCD????????????????????mov?ecx,?ebp :0040722D?E80E030000??????????????call?00407540????;這個CALL有鬼 :00407232?85C0????????????????????test?eax,?eax :00407234?0F842B020000????????????je?00407465????;關鍵跳轉,跳下去就OVER跟進上面CALL:*?Referenced?by?a?CALL?at?Address: |:0040722D??? | :00407540?6AFF????????????????????push?FFFFFFFF :00407542?68581D4100??????????????push?00411D58 :00407547?64A100000000????????????mov?eax,?dword?ptr?fs:[00000000] :0040754D?50??????????????????????push?eax :0040754E?64892500000000??????????mov?dword?ptr?fs:[00000000],?esp :00407555?83EC10??????????????????sub?esp,?00000010 :00407558?53??????????????????????push?ebx :00407559?55??????????????????????push?ebp :0040755A?56??????????????????????push?esi :0040755B?57??????????????????????push?edi :0040755C?8BF9????????????????????mov?edi,?ecx :0040755E?51??????????????????????push?ecx :0040755F?8D442434????????????????lea?eax,?dword?ptr?[esp+34] :00407563?8BCC????????????????????mov?ecx,?esp :00407565?8964241C????????????????mov?dword?ptr?[esp+1C],?esp :00407569?50??????????????????????push?eax :0040756A?C744243000000000????????mov?[esp+30],?00000000*?Reference?To:?MFC42.Ordinal:0217,?Ord:0217h| :00407572?E8FB940000??????????????Call?00410A72 :00407577?8BCF????????????????????mov?ecx,?edi??;此處D?*EAX可以看到輸入的注冊名,作CALL的參數 :00407579?E822010000??????????????call?004076A0??;這個CALL很重要,下面多次出現(分析見下) :0040757E?8BF0????????????????????mov?esi,?eax??;EAX是返回的值,放進ESI :00407580?85F6????????????????????test?esi,?esi :00407582?0F84F0000000????????????je?00407678???? :00407588?51??????????????????????push?ecx :00407589?8BCC????????????????????mov?ecx,?esp :0040758B?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"EasunLee"?| :0040758F?68F4A64100??????????????push?0041A6F4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :00407594?E8BF930000??????????????Call?00410958 :00407599?8BCF????????????????????mov?ecx,?edi :0040759B?E800010000??????????????call?004076A0??;把字串"EasunLee"作同樣計算 :004075A0?51??????????????????????push?ecx :004075A1?8BD8????????????????????mov?ebx,?eax??;結果1放在EBX :004075A3?8BCC????????????????????mov?ecx,?esp :004075A5?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"EasunLee"| :004075A9?68F4A64100??????????????push?0041A6F4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :004075AE?E8A5930000??????????????Call?00410958 :004075B3?8BCF????????????????????mov?ecx,?edi :004075B5?E8E6000000??????????????call?004076A0 :004075BA?51??????????????????????push?ecx :004075BB?8BE8????????????????????mov?ebp,?eax??;結果1放在EBP :004075BD?8BCC????????????????????mov?ecx,?esp :004075BF?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"easunlee98meiosys"| :004075C3?68E0A64100??????????????push?0041A6E0*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :004075C8?E88B930000??????????????Call?00410958 :004075CD?8BCF????????????????????mov?ecx,?edi :004075CF?E8CC000000??????????????call?004076A0??;字串"easunlee98meiosys"同樣的計算 :004075D4?51??????????????????????push?ecx :004075D5?89442418????????????????mov?dword?ptr?[esp+18],?eax??;結果2在[ESP+18] :004075D9?8BCC????????????????????mov?ecx,?esp :004075DB?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"Luyanghs&&Tsai&&bluebird"| :004075DF?68C4A64100??????????????push?0041A6C4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :004075E4?E86F930000??????????????Call?00410958 :004075E9?8BCF????????????????????mov?ecx,?edi :004075EB?E8B0000000??????????????call?004076A0??;字串"Luyanghs&&Tsai&&bluebird" :004075F0?51??????????????????????push?ecx :004075F1?89442414????????????????mov?dword?ptr?[esp+14],?eax??;結果3在[ESP+14] :004075F5?8BCC????????????????????mov?ecx,?esp :004075F7?8964241C????????????????mov?dword?ptr?[esp+1C],?esp*?Possible?StringData?Ref?from?Data?Obj?->"heshengwssu1091119"| :004075FB?68B0A64100??????????????push?0041A6B0*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :00407600?E853930000??????????????Call?00410958 :00407605?8BCF????????????????????mov?ecx,?edi :00407607?E894000000??????????????call?004076A0??;字串"heshengwssu1091119" :0040760C?51??????????????????????push?ecx :0040760D?8944241C????????????????mov?dword?ptr?[esp+1C],?eax??;結果4在[ESP+1C] :00407611?8BCC????????????????????mov?ecx,?esp :00407613?89642420????????????????mov?dword?ptr?[esp+20],?esp*?Possible?StringData?Ref?from?Data?Obj?->"200970878"| :00407617?68A4A64100??????????????push?0041A6A4*?Reference?To:?MFC42.Ordinal:0219,?Ord:0219h| :0040761C?E837930000??????????????Call?00410958 :00407621?8BCF????????????????????mov?ecx,?edi :00407623?E878000000??????????????call?004076A0????;字串"200970878"同樣的計算,結果5在EAX :00407628?81F678EE0220????????????xor?esi,?2002EE78??;ESI是注冊名經運算的結果,與2002EE78異或 :0040762E?8B7C2414????????????????mov?edi,?dword?ptr?[esp+14]??;把結果2放入EDI?? :00407632?81EE21050E20????????????sub?esi,?200E0521??;再減200E0521 :00407638?8B542418????????????????mov?edx,?dword?ptr?[esp+18]??;把結果4放在EDX :0040763C?81F678563472????????????xor?esi,?72345678??;再與72345678異或 :00407642?81EE88F76877????????????sub?esi,?7768F788??;再減7768F788 :00407648?33F3????????????????????xor?esi,?ebx????;再與結果1異或 :0040764A?8B5C2410????????????????mov?ebx,?dword?ptr?[esp+10]??;把結果3放入EBX :0040764E?03F5????????????????????add?esi,?ebp????;再加結果1 :00407650?33F3????????????????????xor?esi,?ebx????;與結果3異或 :00407652?33F7????????????????????xor?esi,?edi????;與結果2異或 :00407654?2BF2????????????????????sub?esi,?edx????;減去結果4 :00407656?03F0????????????????????add?esi,?eax????;加上結果5 :00407658?8B442434????????????????mov?eax,?dword?ptr?[esp+34]??;EAX是我們輸入的注冊碼數值 :0040765C?3BF0????????????????????cmp?esi,?eax????;上面一堆運算的結果必須與輸入的注冊碼相等 :0040765E?7518????????????????????jne?00407678????;不等就跳 :00407660?8D4C2430????????????????lea?ecx,?dword?ptr?[esp+30] :00407664?C7442428FFFFFFFF????????mov?[esp+28],?FFFFFFFF*?Reference?To:?MFC42.Ordinal:0320,?Ord:0320h| :0040766C?E899920000??????????????Call?0041090A :00407671?B801000000??????????????mov?eax,?00000001??;如果相等來到這里EAX=1,成功 :00407676?EB13????????????????????jmp?0040768B*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Addresses: |:00407582(C),?:0040765E(C) | :00407678?8D4C2430????????????????lea?ecx,?dword?ptr?[esp+30] :0040767C?C7442428FFFFFFFF????????mov?[esp+28],?FFFFFFFF*?Reference?To:?MFC42.Ordinal:0320,?Ord:0320h| :00407684?E881920000??????????????Call?0041090A :00407689?33C0????????????????????xor?eax,?eax????;如果不等EAX在這里被干掉了*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:00407676(U) | :0040768B?8B4C2420????????????????mov?ecx,?dword?ptr?[esp+20] :0040768F?5F??????????????????????pop?edi :00407690?5E??????????????????????pop?esi :00407691?5D??????????????????????pop?ebp :00407692?64890D00000000??????????mov?dword?ptr?fs:[00000000],?ecx :00407699?5B??????????????????????pop?ebx :0040769A?83C41C??????????????????add?esp,?0000001C :0040769D?C20800??????????????????ret?0008那個多次涉及的CALL:*?Referenced?by?a?CALL?at?Addresses: |:00407579???,?:0040759B???,?:004075B5???,?:004075CF???,?:004075EB??? |:00407607???,?:00407623??? | :004076A0?64A100000000????????????mov?eax,?dword?ptr?fs:[00000000] :004076A6?6AFF????????????????????push?FFFFFFFF :004076A8?68781D4100??????????????push?00411D78 :004076AD?50??????????????????????push?eax :004076AE?64892500000000??????????mov?dword?ptr?fs:[00000000],?esp :004076B5?56??????????????????????push?esi :004076B6?57??????????????????????push?edi :004076B7?8B7C2418????????????????mov?edi,?dword?ptr?[esp+18] :004076BB?8B57F8??????????????????mov?edx,?dword?ptr?[edi-08] :004076BE?83FA03??????????????????cmp?edx,?00000003 :004076C1?7D26????????????????????jge?004076E9????;字串長度必須大于等于3 :004076C3?8D4C2418????????????????lea?ecx,?dword?ptr?[esp+18] :004076C7?C7442410FFFFFFFF????????mov?[esp+10],?FFFFFFFF............*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004076C1(C) | :004076E9?33F6????????????????????xor?esi,?esi :004076EB?33C9????????????????????xor?ecx,?ecx :004076ED?85D2????????????????????test?edx,?edx :004076EF?7E0D????????????????????jle?004076FE*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004076FC(C) | :004076F1?0FBE0439????????????????movsx?eax,?byte?ptr?[ecx+edi]??;循環,依次取出每一個字符 :004076F5?D3E0????????????????????shl?eax,?cl??;ECX為循環變量i,取出的字符左移i位 :004076F7?03F0????????????????????add?esi,?eax??;累加起來 :004076F9?41??????????????????????inc?ecx :004076FA?3BCA????????????????????cmp?ecx,?edx??;ECX是否大于字串長度 :004076FC?7CF3????????????????????jl?004076F1???;循環取數*?Referenced?by?a?(U)nconditional?or?(C)onditional?Jump?at?Address: |:004076EF(C) | :004076FE?8D4C2418????????????????lea?ecx,?dword?ptr?[esp+18] :00407702?C7442410FFFFFFFF????????mov?[esp+10],?FFFFFFFF*?Reference?To:?MFC42.Ordinal:0320,?Ord:0320h| :0040770A?E8FB910000??????????????Call?0041090A :0040770F?8B4C2408????????????????mov?ecx,?dword?ptr?[esp+08] :00407713?8BC6????????????????????mov?eax,?esi??;把累加結果給EAX,作為返回值 :00407715?5F??????????????????????pop?edi :00407716?64890D00000000??????????mov?dword?ptr?fs:[00000000],?ecx :0040771D?5E??????????????????????pop?esi :0040771E?83C40C??????????????????add?esp,?0000000C :00407721?C20400??????????????????ret?0004
整理一下思路:設F()為上面計算的CALL
則?注冊碼=(((F(用戶名)?XOR?2002EE78?-?200E0521)XOR?72345678?-?7768F788)?XOR?F("EasunLee")?+?F("EasunLee"))?XOR?F("Luyanghs&&Tsai&&bluebird")?XOR?F("easunlee98meiosys")?-?F("heshengwssu1091119")?+?F("200970878")
注冊機:
代碼:
#include?<iostream.h> #include?<string.h>int?F(char?st[]) {int?len=strlen(st);int?s=0;for?(int?i=0;i<len;i++)s=s+(st[i]<<i);return?s; }void?main() {char?name[20];int?code;cout<<"Please?input?your?name?:?";cin>>name;code=F(name);code=(code^0x2002EE78)-0x200E0521;code=(code^0x72345678)-0x7768F788;code=(code^F("EasunLee"))+F("EasunLee");code=code^F("Luyanghs&&Tsai&&bluebird")^F("easunlee98meiosys");code=code-F("heshengwssu1091119")+F("200970878");cout<<"Your?seiral?number?is?"<<code<<endl; }
總結
以上是生活随笔為你收集整理的Windows系统切换工具 算法分析+注册机的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: autobahn-python的使用——
- 下一篇: Photoshop 2018及其他 所有