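Membership application ID: wslvic
Application title: Membership application ID: wslvic
1. Application ID: wslvic
2. Personal e-mail: wslvic@163.com
3. Original technical article:
I am a member of the Kanxue (看雪) technical forum and have several early featured posts there, as shown in the image:
Featured post:
Icon Craft v4.4 registration algorithm (a joke) and KeyGen
Original post URL: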
https://bbs.pediy.com/thread-138583.htm
Full text of the featured post:
Icon Craft v4.4 registration algorithm
【Software name】:
Icon Craft
【Download URL】:
Http://www.iconempire.com/
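【About the software】:
Icon Craft is a rather good tool for editing, creating and managing Windows icons, cursors and icon libraries.
【Software limitation】:
30-day trial period
【Crack statement】:
For exploring and studying software registration algorithms and their protection methods only.
【Tools】:
PEID v0.94, OllyDBG v1.10
【Author】:
WSLVIC, e-mail: Crk4u@163.com
【Date】:
8 August 2011
【Process】: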
———————————————————————————————————————————
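This program is not packed; it is written in Borland Delphi 4.0 - 5.0 and the file is not large, so OD finished analysing it soon after loading. Registering is very "convenient", because it prompts you to register every time you start or exit! Dizzying! That being so, let's just type something in and see: I entered "WSLVIC" in the Name field and "u r crazy" as the registration code, and up popped "Please reenter key.Key is required." You know what that means. Looking closely at the registration window, I found the string "(You can enter any name or empty string)" after the Name field. "empty string"! So it seems leaving the name blank works too; in other words, the registration code has nothing to do with the registered name! Heh, useful information, and for lazy people nothing could be better.
Back in OD, "Search for" → "All referenced text strings", wait a moment, then → "Search for text" → enter the keyword "reenter", and "Please reenter key." is found quickly. But I could not find the "Key is required." that follows it. I scrolled up and down and still found nothing, but I did see the following: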
ASCII "Please reenter key.
ASCII "- KEY BEGIN KEY -"
ASCII "- KEY END KEY -"
ASCII "Not found row: - KEY BEGIN KEY -"
ASCII "Not found row: - KEY END KEY -"
ASCII "Software\IconEmpire\"
ASCII "Key"
ASCII "Key"
ASCII "Time"
ASCII "FullProductName"
ASCII "<BR>"
ASCII " - "
ASCII "licenses -"
ASCII "UserName"
ASCII "You should restart application now"
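A little analysis shows that the registration code must begin with "- KEY BEGIN KEY -" and end with "- KEY END KEY -", with the real registration code in between, so its form must be: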
- KEY BEGIN KEY -
registration code
- KEY END KEY -
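Further down there is "Software\IconEmpire\", which anyone with a sharp eye will recognise as a registry key; it probably reads or writes some information, and that information is quite possibly "Key", "Time", "FullProductName"... Of course this is only a guess for now; only dynamic debugging in OD will tell. Right, time to change the test registration code; I will use this one: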
- KEY BEGIN KEY -
u r crazy
- KEY END KEY -
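Getting this far is very important: it saves a great deal of debugging time and makes debugging more efficient, because the analysis here has already yielded some key information about the format of the registration code. In my personal experience, with more complex registration algorithms, the time spent understanding the format of the registration code is often several times the time spent on computing the code itself, because you do not know which characters are legal and which are illegal, how long it is, whether it contains particular characters, and a whole series of similar questions.
Right, back to the point: double-clicking "Please reenter key." in the string reference window brings us here: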
┌──────────────────────────────────────────────┐
│00642920/$PUSH EBP
│00642921|.MOV EBP,ESP
│00642923|.PUSH 0
│00642925|.PUSH EBX
│00642926|.MOV EBX,EAX
│00642928|.XOR EAX,EAX
│0064292A|.PUSH EBP
│0064292B|.PUSH ICONCRAF.0064296F
│00642930|.PUSH DWORD PTR FS:
│00642933|.MOV DWORD PTR FS:,ESP
│00642936|.LEA EAX,DWORD PTR SS:
│00642939|.MOV ECX,EBX
───────────────────────────────────────────────
│0064293B|.MOV EDX,ICONCRAF.00642984 ; ASCII "Please reenter key."
───────────────────────────────────────────────
│00642940|.CALL ICONCRAF.004041D8
│00642945|.MOV ECX,DWORD PTR SS:
│00642948|.MOV DL,1
│0064294A|.MOV EAX,DWORD PTR DS:
│0064294F|.CALL ICONCRAF.0040D134
│00642954|.CALL ICONCRAF.0040392C
│00642959|.XOR EAX,EAX
│0064295B|.POP EDX
│0064295C|.POP ECX
│0064295D|.POP ECX
│0064295E|.MOV DWORD PTR FS:,EDX
│00642961|.PUSH ICONCRAF.00642976
│00642966|>LEA EAX,DWORD PTR SS:
│00642969|.CALL ICONCRAF.00403EFC
│0064296E\.RETN
└──────────────────────────────────────────────┘
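No luck: no key jump in sight. It seems the registration-failure message is produced through a function call, so I had to set a breakpoint at the function entry 642920. I then reloaded Icon Craft, entered the registration code, and finally broke at 642920. Opening OD's call stack window shows that the call comes from 642C16. I scrolled up and down and found the jump flags were not very obvious, so I simply set a breakpoint at 64299C, the entry of the section containing 642C16, reloaded Icon Craft, and broke at 64299C.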
┌──────────────────────────────────────────────┐
│0064299C/$PUSH EBP
│0064299D|.MOV EBP,ESP
│0064299F|.MOV ECX,0F
│006429A4|>/PUSH 0
│006429A6|.|PUSH 0
│006429A8|.|DEC ECX
│006429A9|.\JNZ SHORT ICONCRAF.006429A4
│006429AB|.PUSH EBX
│006429AC|.PUSH ESI
│006429AD|.PUSH EDI
│006429AE|.MOV DWORD PTR SS:,EAX
│006429B1|.XOR EAX,EAX
│006429B3|.PUSH EBP
│006429B4|.PUSH ICONCRAF.00643000
│006429B9|.PUSH DWORD PTR FS:
│006429BC|.MOV DWORD PTR FS:,ESP
│006429BF|.MOV DWORD PTR SS:,-1
│006429C6|.MOV DWORD PTR SS:,-1
│006429CD|.MOV EAX,DWORD PTR SS:
│006429D0|.MOV EAX,DWORD PTR DS:
│006429D6|.MOV EAX,DWORD PTR DS:
│006429DC|.MOV EDX,DWORD PTR DS:
│006429DE|.CALL DWORD PTR DS:
│006429E1|.MOV ESI,EAX
│006429E3|.DEC ESI
│006429E4|.TEST ESI,ESI
│006429E6|.JL SHORT ICONCRAF.00642A4E
│006429E8|.INC ESI
│006429E9|.XOR EBX,EBX
│006429EB|>/LEA ECX,DWORD PTR SS:
│006429EE|.|MOV EAX,DWORD PTR SS:
│006429F1|.|MOV EAX,DWORD PTR DS:
│006429F7|.|MOV EAX,DWORD PTR DS:
│006429FD|.|MOV EDX,EBX
│006429FF|.|MOV EDI,DWORD PTR DS:
│00642A01|.|CALL DWORD PTR DS:
│00642A04|.|MOV EAX,DWORD PTR SS:
│00642A07|.|LEA EDX,DWORD PTR SS:
│00642A0A|.|CALL ICONCRAF.00409678
│00642A0F|.|MOV EAX,DWORD PTR SS:
│00642A12|.|LEA EDX,DWORD PTR SS:
│00642A15|.|CALL ICONCRAF.004098EC
│00642A1A|.|MOV EDX,DWORD PTR SS:
│00642A1D|.|MOV EAX,ICONCRAF.0064301C ;ASCII "- KEY BEGIN KEY -"
│00642A22|.|CALL ICONCRAF.00404478
│00642A27|.|TEST EAX,EAX
│00642A29|.|JLE SHORT ICONCRAF.00642A33
│00642A2B|.|LEA EAX,DWORD PTR DS:
│00642A2E|.|MOV DWORD PTR SS:,EAX
│00642A31|.|JMP SHORT ICONCRAF.00642A4A
│00642A33|>|MOV EDX,DWORD PTR SS:
│00642A36|.|MOV EAX,ICONCRAF.00643038 ;ASCII "- KEY END KEY -"
│00642A3B|.|CALL ICONCRAF.00404478
│00642A40|.|TEST EAX,EAX
│00642A42|.|JLE SHORT ICONCRAF.00642A4A
│00642A44|.|MOV EAX,EBX
│00642A46|.|DEC EAX
│00642A47|.|MOV DWORD PTR SS:,EAX
│00642A4A|>|INC EBX
│00642A4B|.|DEC ESI
│00642A4C|.\JNZ SHORT ICONCRAF.006429EB
│00642A4E|>LEA EAX,DWORD PTR SS:
│00642A51|.CALL ICONCRAF.00403EFC
│00642A56|.CMP DWORD PTR SS:,-1
│00642A5A|.JNZ SHORT ICONCRAF.00642A71
│00642A5C|.CMP DWORD PTR SS:,0
│00642A60|.JLE SHORT ICONCRAF.00642A71
│00642A62|.LEA EAX,DWORD PTR SS:
│00642A65|.MOV EDX,ICONCRAF.00643050 ;ASCII "Not found row: - KEY BEGIN KEY -"
│00642A6A|.CALL ICONCRAF.00403F94
│00642A6F|.JMP SHORT ICONCRAF.00642A8A
│00642A71|>CMP DWORD PTR SS:,-1
│00642A75|.JNZ SHORT ICONCRAF.00642A8A
│00642A77|.CMP DWORD PTR SS:,0
│00642A7B|.JLE SHORT ICONCRAF.00642A8A
│00642A7D|.LEA EAX,DWORD PTR SS:
│00642A80|.MOV EDX,ICONCRAF.0064307C ;ASCII "Not found row: - KEY END KEY -"
│00642A85|.CALL ICONCRAF.00403F94
│00642A8A|>CMP DWORD PTR SS:,0
│00642A8E|.JE SHORT ICONCRAF.00642A98
│00642A90|.MOV EAX,DWORD PTR SS:
│00642A93|.CALL ICONCRAF.00642920
│00642A98|>LEA EAX,DWORD PTR SS:
│00642A9B|.CALL ICONCRAF.00403EFC
│00642AA0|.CMP DWORD PTR SS:,0
│00642AA4|.JLE SHORT ICONCRAF.00642AAC
│00642AA6|.CMP DWORD PTR SS:,0
│00642AAA|.JG SHORT ICONCRAF.00642AC9
│00642AAC|>XOR EAX,EAX
│00642AAE|.MOV DWORD PTR SS:,EAX
│00642AB1|.MOV EAX,DWORD PTR SS:
│00642AB4|.MOV EAX,DWORD PTR DS:
│00642ABA|.MOV EAX,DWORD PTR DS:
│00642AC0|.MOV EDX,DWORD PTR DS:
│00642AC2|.CALL DWORD PTR DS:
│00642AC5|.DEC EAX
│00642AC6|.MOV DWORD PTR SS:,EAX
│00642AC9|>MOV EAX,DWORD PTR SS:
│00642ACC|.MOV EAX,DWORD PTR DS:
│00642AD2|.MOV EDX,DWORD PTR DS:
│00642AD4|.CALL DWORD PTR DS:
│00642AD7|.XOR EAX,EAX
│00642AD9|.MOV DWORD PTR SS:,EAX
│00642ADC|.MOV EBX,DWORD PTR SS:
│00642ADF|.MOV ESI,DWORD PTR SS:
│00642AE2|.SUB ESI,EBX
│00642AE4|.JL ICONCRAF.00642B78
│00642AEA|.INC ESI
│00642AEB|>/LEA ECX,DWORD PTR SS:
│00642AEE|.|MOV EAX,DWORD PTR SS:
│00642AF1|.|MOV EAX,DWORD PTR DS:
│00642AF7|.|MOV EAX,DWORD PTR DS:
│00642AFD|.|MOV EDX,EBX
│00642AFF|.|MOV EDI,DWORD PTR DS:
│00642B01|.|CALL DWORD PTR DS:
│00642B04|.|MOV EAX,DWORD PTR SS:
│00642B07|.|LEA EDX,DWORD PTR SS:
│00642B0A|.|CALL ICONCRAF.004098EC
│00642B0F|.|LEA EAX,DWORD PTR SS:
│00642B12|.|PUSH EAX
│00642B13|.|XOR ECX,ECX
│00642B15|.|MOV EDX,ICONCRAF.006430A4
│00642B1A|.|MOV EAX,DWORD PTR SS:
│00642B1D|.|CALL ICONCRAF.00466218
│00642B22|.|MOV EDX,DWORD PTR SS:
│00642B25|.|LEA EAX,DWORD PTR SS:
│00642B28|.|CALL ICONCRAF.00403F94
│00642B2D|.|LEA EAX,DWORD PTR SS:
│00642B30|.|MOV EDX,DWORD PTR SS:
│00642B33|.|CALL ICONCRAF.00404194
│00642B38|.|MOV EAX,DWORD PTR SS:
│00642B3B|.|CALL ICONCRAF.0040418C
│00642B40|.|CMP EAX,0A
│00642B43|.|JLE SHORT ICONCRAF.00642B5C
│00642B45|.|CMP DWORD PTR SS:,0
│00642B49|.|JNZ SHORT ICONCRAF.00642B5C
│00642B4B|.|MOV EAX,DWORD PTR SS:
│00642B4E|.|MOV EAX,DWORD PTR DS:
│00642B54|.|MOV EDX,DWORD PTR SS:
│00642B57|.|MOV ECX,DWORD PTR DS:
│00642B59|.|CALL DWORD PTR DS:
│00642B5C|>|MOV EDX,DWORD PTR SS:
│00642B5F|.|MOV EAX,ICONCRAF.006430B0
│00642B64|.|CALL ICONCRAF.00404478
│00642B69|.|TEST EAX,EAX
│00642B6B|.|JLE SHORT ICONCRAF.00642B70
│00642B6D|.|INC DWORD PTR SS:
│00642B70|>|INC EBX
│00642B71|.|DEC ESI
│00642B72|.\JNZ ICONCRAF.00642AEB
│00642B78|>CMP DWORD PTR SS:,0
│00642B7C|.JNZ SHORT ICONCRAF.00642B8A
│00642B7E|.MOV EAX,DWORD PTR DS:
│00642B83|.MOV EAX,DWORD PTR DS:
│00642B85|.CALL ICONCRAF.00642920
│00642B8A|>MOV EAX,DWORD PTR SS:
│00642B8D|.CALL ICONCRAF.0040418C
│00642B92|.MOV EDX,DWORD PTR SS:
│00642B95|.CMP BYTE PTR DS:,22
│00642B9A|.JNZ SHORT ICONCRAF.00642BB3
│00642B9C|.MOV EAX,DWORD PTR SS:
│00642B9F|.CALL ICONCRAF.0040418C
│00642BA4|.MOV EDX,EAX
│00642BA6|.LEA EAX,DWORD PTR SS:
│00642BA9|.MOV ECX,1
│00642BAE|.CALL ICONCRAF.004043D4
│00642BB3|>MOV EAX,DWORD PTR SS:
│00642BB6|.CALL ICONCRAF.0040418C
│00642BBB|.MOV EBX,EAX
│00642BBD|.CMP EBX,1
│00642BC0|.JL SHORT ICONCRAF.00642BEC
│00642BC2|>/MOV EAX,DWORD PTR SS:
│00642BC5|.|CMP BYTE PTR DS:,22
│00642BCA|.|JNZ SHORT ICONCRAF.00642BE7
│00642BCC|.|MOV EAX,DWORD PTR SS:
│00642BCF|.|CALL ICONCRAF.0040418C
│00642BD4|.|CMP EBX,EAX
│00642BD6|.|JG SHORT ICONCRAF.00642BE7
│00642BD8|.|LEA EAX,DWORD PTR SS:
│00642BDB|.|MOV ECX,EBX
│00642BDD|.|MOV EDX,1
│00642BE2|.|CALL ICONCRAF.004043D4
│00642BE7|>|DEC EBX
│00642BE8|.|TEST EBX,EBX
│00642BEA|.\JNZ SHORT ICONCRAF.00642BC2
│00642BEC|>LEA EDX,DWORD PTR SS:
│00642BEF|.MOV EAX,DWORD PTR SS:
│00642BF2|.CALL ICONCRAF.004098EC
│00642BF7|.MOV EDX,DWORD PTR SS: ;EDX = registration code
│00642BFA|.LEA EAX,DWORD PTR SS:
│00642BFD|.CALL ICONCRAF.00403F94
│00642C02|.MOV EAX,DWORD PTR SS: ;EAX = registration code
│00642C05|.CALL ICONCRAF.0040418C ;compute the registration code length
│00642C0A|.CMP EAX,64 ;compare the registration code length with 0x64 (100)
───────────────────────────────────────────────
│00642C0D|.JGE SHORT ICONCRAF.00642C1B ;fails if this jump is not taken
───────────────────────────────────────────────
│00642C0F|.MOV EAX,DWORD PTR DS:
│00642C14|.MOV EAX,DWORD PTR DS:
│00642C16|.CALL ICONCRAF.00642920
│00642C1B|>MOV EDX,DWORD PTR SS: ;EDX = registration code
│00642C1E|.MOV EAX,ICONCRAF.006430B0
│00642C23|.CALL ICONCRAF.00404478 ;compute the start position of '='
│00642C28|.MOV DWORD PTR SS:,EAX
│00642C2B|.MOV DWORD PTR SS:,1
│00642C32|.MOV EAX,DWORD PTR SS: ;EAX = registration code
│00642C35|.CALL ICONCRAF.0040418C ;compute the registration code length
│00642C3A|.CMP EAX,DWORD PTR SS: ;'=' is the last character
│00642C3D|.JE SHORT ICONCRAF.00642C84 ;jumps when the last character is '='
│00642C3F|.CMP DWORD PTR SS:,0 ;the registration code contains no '='
│00642C43|.JE SHORT ICONCRAF.00642C84
│00642C45|.XOR EAX,EAX
│00642C47|.MOV DWORD PTR SS:,EAX
│00642C4A|.MOV EAX,DWORD PTR SS: ;EAX = registration code
│00642C4D|.CALL ICONCRAF.0040418C ;compute the registration code length
│00642C52|.MOV ESI,EAX
│00642C54|.TEST ESI,ESI
│00642C56|.JLE SHORT ICONCRAF.00642C6E
│00642C58|.MOV EBX,1
│00642C5D|>/MOV EAX,DWORD PTR SS: ;/
│00642C60|.|CMP BYTE PTR DS:,3D;|compare with '='
│00642C65|.|JNZ SHORT ICONCRAF.00642C6A
│00642C67|.|INC DWORD PTR SS: ;|
│00642C6A|>|INC EBX
│00642C6B|.|DEC ESI ;|this loop counts the '=' characters; the result is kept on the stack
│00642C6C|.\JNZ SHORT ICONCRAF.00642C5D ;\
│00642C6E|>MOV EAX,DWORD PTR SS: ;EAX = registration code
│00642C71|.CALL ICONCRAF.0040418C ;compute the registration code length
│00642C76|.MOV ECX,EAX
│00642C78|.MOV EDX,DWORD PTR SS: ;EDX = position of the first '=' in the registration code
│00642C7B|.INC EDX
│00642C7C|.LEA EAX,DWORD PTR SS: ;EAX points to the stack address of the registration code
│00642C7F|.CALL ICONCRAF.004043D4 ;take the part before the '=' (including the '=')
│00642C84|>MOV EAX,DWORD PTR SS:
│00642C87|.MOV EAX,DWORD PTR DS:
│00642C8D|.MOV EDX,DWORD PTR DS:
│00642C8F|.CALL DWORD PTR DS: ;F2D3FC
│00642C92|.CMP EAX,3
│00642C95|.JL ICONCRAF.00642E29 ;
│00642C9B|.LEA ECX,DWORD PTR SS:
│00642C9E|.MOV EAX,DWORD PTR SS:
│00642CA1|.MOV EAX,DWORD PTR DS:
│00642CA7|.XOR EDX,EDX
│00642CA9|.MOV EBX,DWORD PTR DS:
│00642CAB|.CALL DWORD PTR DS:
│00642CAE|.CMP DWORD PTR SS:,0
│00642CB2|.JE ICONCRAF.00642E29
│00642CB8|.LEA ECX,DWORD PTR SS:
│00642CBB|.MOV EAX,DWORD PTR SS:
│00642CBE|.MOV EAX,DWORD PTR DS:
│00642CC4|.MOV EDX,1
│00642CC9|.MOV EBX,DWORD PTR DS:
│00642CCB|.CALL DWORD PTR DS:
│00642CCE|.CMP DWORD PTR SS:,0
│00642CD2|.JE ICONCRAF.00642E29
│00642CD8|.LEA ECX,DWORD PTR SS:
│00642CDB|.MOV EAX,DWORD PTR SS:
│00642CDE|.MOV EAX,DWORD PTR DS:
│00642CE4|.MOV EDX,2
│00642CE9|.MOV EBX,DWORD PTR DS:
│00642CEB|.CALL DWORD PTR DS:
│00642CEE|.CMP DWORD PTR SS:,0
│00642CF2|.JE ICONCRAF.00642E29
│00642CF8|.MOV EAX,DWORD PTR SS:
│00642CFB|.MOV EBX,DWORD PTR DS:
│00642D01|.MOV EAX,EBX
│00642D03|.MOV EDX,DWORD PTR DS:
│00642D05|.CALL DWORD PTR DS:
│00642D08|.MOV EDX,EAX
│00642D0A|.DEC EDX
│00642D0B|.LEA ECX,DWORD PTR SS:
│00642D0E|.MOV EAX,EBX
│00642D10|.MOV EBX,DWORD PTR DS:
│00642D12|.CALL DWORD PTR DS:
│00642D15|.MOV EAX,DWORD PTR SS:
│00642D18|.CALL ICONCRAF.0040418C
│00642D1D|.MOV EDX,DWORD PTR SS:
│00642D20|.CMP BYTE PTR DS:,3D
│00642D25|.JNZ ICONCRAF.00642E29
│00642D2B|.XOR EAX,EAX
│00642D2D|.MOV DWORD PTR SS:,EAX
│00642D30|.MOV EAX,DWORD PTR SS:
│00642D33|.CALL ICONCRAF.0040418C
│00642D38|.MOV ESI,EAX
│00642D3A|.TEST ESI,ESI
│00642D3C|.JLE SHORT ICONCRAF.00642D9E
│00642D3E|.MOV EBX,1
│00642D43|>/MOV EAX,DWORD PTR SS:
│00642D46|.|MOV EAX,DWORD PTR DS:
│00642D4C|.|MOV EDX,DWORD PTR DS:
│00642D4E|.|CALL DWORD PTR DS:
│00642D51|.|SUB EAX,2
│00642D54|.|TEST EAX,EAX
│00642D56|.|JL SHORT ICONCRAF.00642D94
│00642D58|.|INC EAX
│00642D59|.|MOV DWORD PTR SS:,EAX
│00642D5C|.|MOV DWORD PTR SS:,0
│00642D63|>|/LEA ECX,DWORD PTR SS:
│00642D66|.||MOV EAX,DWORD PTR SS:
│00642D69|.||MOV EAX,DWORD PTR DS:
│00642D6F|.||MOV EDX,DWORD PTR SS:
│00642D72|.||MOV EDI,DWORD PTR DS:
│00642D74|.||CALL DWORD PTR DS:
│00642D77|.||MOV EAX,DWORD PTR SS:
│00642D7A|.||MOV AL,BYTE PTR DS:
│00642D7E|.||MOV EDX,DWORD PTR SS:
│00642D81|.||CMP AL,BYTE PTR DS:
│00642D85|.||JE SHORT ICONCRAF.00642D8C
│00642D87|.||MOV DWORD PTR SS:,EBX
│00642D8A|.||JMP SHORT ICONCRAF.00642D94
│00642D8C|>||INC DWORD PTR SS:
│00642D8F|.||DEC DWORD PTR SS:
│00642D92|.|\JNZ SHORT ICONCRAF.00642D63
│00642D94|>|CMP DWORD PTR SS:,0
│00642D98|.|JNZ SHORT ICONCRAF.00642D9E
│00642D9A|.|INC EBX
│00642D9B|.|DEC ESI
│00642D9C|.\JNZ SHORT ICONCRAF.00642D43
│00642D9E|>CMP DWORD PTR SS:,1
│00642DA2|.JLE ICONCRAF.00642E29
│00642DA8|.LEA ECX,DWORD PTR SS:
│00642DAB|.MOV EAX,DWORD PTR SS:
│00642DAE|.MOV EAX,DWORD PTR DS:
│00642DB4|.XOR EDX,EDX
│00642DB6|.MOV EBX,DWORD PTR DS:
│00642DB8|.CALL DWORD PTR DS:
│00642DBB|.MOV EAX,DWORD PTR SS:
│00642DBE|.MOV EAX,DWORD PTR DS:
│00642DC4|.MOV EDX,DWORD PTR DS:
│00642DC6|.CALL DWORD PTR DS:
│00642DC9|.MOV ESI,EAX
│00642DCB|.DEC ESI
│00642DCC|.TEST ESI,ESI
│00642DCE|.JLE SHORT ICONCRAF.00642E29
│00642DD0|.MOV DWORD PTR SS:,1
│00642DD7|>/LEA EAX,DWORD PTR SS:
│00642DDA|.|PUSH EAX
│00642DDB|.|LEA ECX,DWORD PTR SS:
│00642DDE|.|MOV EAX,DWORD PTR SS:
│00642DE1|.|MOV EAX,DWORD PTR DS:
│00642DE7|.|MOV EDX,DWORD PTR SS:
│00642DEA|.|MOV EBX,DWORD PTR DS:
│00642DEC|.|CALL DWORD PTR DS:
│00642DEF|.|MOV EAX,DWORD PTR SS:
│00642DF2|.|CALL ICONCRAF.0040418C
│00642DF7|.|PUSH EAX
│00642DF8|.|LEA ECX,DWORD PTR SS:
│00642DFB|.|MOV EAX,DWORD PTR SS:
│00642DFE|.|MOV EAX,DWORD PTR DS:
│00642E04|.|MOV EDX,DWORD PTR SS:
│00642E07|.|MOV EBX,DWORD PTR DS:
│00642E09|.|CALL DWORD PTR DS:
│00642E0C|.|MOV EAX,DWORD PTR SS:
│00642E0F|.|MOV EDX,DWORD PTR SS:
│00642E12|.|POP ECX
│00642E13|.|CALL ICONCRAF.00404394
│00642E18|.|LEA EAX,DWORD PTR SS:
│00642E1B|.|MOV EDX,DWORD PTR SS:
│00642E1E|.|CALL ICONCRAF.00404194
│00642E23|.|INC DWORD PTR SS:
│00642E26|.|DEC ESI
│00642E27|.\JNZ SHORT ICONCRAF.00642DD7
│00642E29|>MOV EAX,DWORD PTR SS: ;EAX = registration code
───────────────────────────────────────────────
│00642E2C|.CALL ICONCRAF.00700D10 ;key call: checks the registration code
───────────────────────────────────────────────
│00642E31|.MOV DL,1
│00642E33|.MOV EAX,DWORD PTR DS:
│00642E38|.CALL ICONCRAF.004839D0
│00642E3D|.MOV DWORD PTR SS:,EAX
│00642E40|.XOR EAX,EAX
│00642E42|.PUSH EBP
│00642E43|.PUSH ICONCRAF.00642F78
│00642E48|.PUSH DWORD PTR FS:
│00642E4B|.MOV DWORD PTR FS:,ESP
│00642E4E|.MOV EDX,80000001
│00642E53|.MOV EAX,DWORD PTR SS:
│00642E56|.CALL ICONCRAF.00483AAC
│00642E5B|.PUSH ICONCRAF.006430BC ;ASCII "Software\IconEmpire\"
│00642E60|.MOV EAX,DWORD PTR DS:
│00642E65|.PUSH DWORD PTR DS:
│00642E67|.PUSH ICONCRAF.006430DC
│00642E6C|.LEA EAX,DWORD PTR SS:
│00642E6F|.CALL ICONCRAF.00700A90
│00642E74|.PUSH DWORD PTR SS:
│00642E77|.LEA EAX,DWORD PTR SS:
│00642E7A|.MOV EDX,4
│00642E7F|.CALL ICONCRAF.0040424C
│00642E84|.MOV EDX,DWORD PTR SS:
│00642E87|.MOV CL,1
│00642E89|.MOV EAX,DWORD PTR SS:
│00642E8C|.CALL ICONCRAF.00483B14
│00642E91|.MOV BYTE PTR SS:,AL
│00642E94|.CMP BYTE PTR SS:,0
───────────────────────────────────────────────
│00642E98|.JE ICONCRAF.00642F62 ;fails if this jump is taken
───────────────────────────────────────────────
│00642E9E|.MOV ECX,DWORD PTR SS:
│00642EA1|.MOV EDX,ICONCRAF.006430E8 ;ASCII "Key"
│00642EA6|.MOV EAX,DWORD PTR SS:
│00642EA9|.CALL ICONCRAF.00484060
│00642EAE|.MOV EDX,ICONCRAF.006430E8 ;ASCII "Key"
│00642EB3|.LEA ECX,DWORD PTR SS:
│00642EB6|.MOV EAX,DWORD PTR SS:
│00642EB9|.CALL ICONCRAF.0048408C
│00642EBE|.MOV EDX,DWORD PTR SS:
│00642EC1|.MOV EAX,DWORD PTR SS:
│00642EC4|.CALL ICONCRAF.0040429C
│00642EC9|.SETE BYTE PTR SS:
│00642ECD|.CALL ICONCRAF.0040B358
│00642ED2|.ADD ESP,-8 ;
│00642ED5|.FSTP QWORD PTR SS: ;Arg1 (8 bytes)
│00642ED8|.WAIT ;
│00642ED9|.MOV EDX,ICONCRAF.006430F4 ;ASCII "Time"
│00642EDE|.MOV EAX,DWORD PTR SS: ;
│00642EE1|.CALL ICONCRAF.00484104 ;iconcraf.00484104
│00642EE6|.LEA EAX,DWORD PTR SS:
│00642EE9|.CALL ICONCRAF.006FFB18
│00642EEE|.MOV ECX,DWORD PTR SS:
│00642EF1|.MOV EDX,ICONCRAF.00643104 ;ASCII "FullProductName"
│00642EF6|.MOV EAX,DWORD PTR SS:
│00642EF9|.CALL ICONCRAF.00484060
│00642EFE|.LEA EDX,DWORD PTR SS:
│00642F01|.MOV EAX,DWORD PTR SS:
│00642F04|.MOV EAX,DWORD PTR DS:
│00642F0A|.CALL ICONCRAF.00437B28
│00642F0F|.MOV EAX,DWORD PTR SS:
│00642F12|.LEA EDX,DWORD PTR SS:
│00642F15|.CALL ICONCRAF.004098EC
│00642F1A|.CMP DWORD PTR SS:,1
│00642F1E|.JE SHORT ICONCRAF.00642F52
│00642F20|.PUSH DWORD PTR SS:
│00642F23|.PUSH ICONCRAF.0064311C ;ASCII "<BR>"
│00642F28|.PUSH ICONCRAF.0064312C ;ASCII " - "
│00642F2D|.LEA EDX,DWORD PTR SS:
│00642F30|.MOV EAX,DWORD PTR SS:
│00642F33|.CALL ICONCRAF.00409AA0
│00642F38|.PUSH DWORD PTR SS:
│00642F3B|.PUSH ICONCRAF.006430A4
│00642F40|.PUSH ICONCRAF.00643138 ;ASCII "licenses -"
│00642F45|.LEA EAX,DWORD PTR SS:
│00642F48|.MOV EDX,6
│00642F4D|.CALL ICONCRAF.0040424C
│00642F52|>MOV ECX,DWORD PTR SS:
│00642F55|.MOV EDX,ICONCRAF.0064314C ;ASCII "UserName"
│00642F5A|.MOV EAX,DWORD PTR SS:
│00642F5D|.CALL ICONCRAF.00484060
│00642F62|>XOR EAX,EAX
│00642F64|.POP EDX
│00642F65|.POP ECX
│00642F66|.POP ECX
│00642F67|.MOV DWORD PTR FS:,EDX
│00642F6A|.PUSH ICONCRAF.00642F7F
│00642F6F|>MOV EAX,DWORD PTR SS:
│00642F72|.CALL ICONCRAF.00403194
│00642F77\.RETN
└──────────────────────────────────────────────┘
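Heh, at a glance the large section at the front is all checking for the "- KEY BEGIN KEY -" and "- KEY END KEY -" strings, so I will not say more about it. The key point is at 642E2C, whose content is: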
┌──────────────────────────────────────────────┐
│00700D10/$PUSH EBX
│00700D11|.MOV EBX,EAX
───────────────────────────────────────────────
│00700D13|.CMP BYTE PTR DS:,30 ;compare the first character of the registration code with 0
───────────────────────────────────────────────
│00700D16|.JNZ SHORT ICONCRAF.00700D2F ;fails if this jump is taken
│00700D18|.MOV EAX,EBX
│00700D1A|.CALL ICONCRAF.0040418C ;compute the registration code length
───────────────────────────────────────────────
│00700D1F|.CMP EAX,0AD ;compare the registration code length with 0xAD (173)
───────────────────────────────────────────────
│00700D24|.JNZ SHORT ICONCRAF.00700D2F ;fails if this jump is taken
───────────────────────────────────────────────
│00700D26|.CMP BYTE PTR DS:,3D ;compare the last character of the registration code with '='
───────────────────────────────────────────────
│00700D2D|.JE SHORT ICONCRAF.00700D45 ;fails if this jump is not taken
│00700D2F|>MOV ECX,ICONCRAF.00700D50 ;ASCII "Invalid key"
│00700D34|.MOV DL,1
│00700D36|.MOV EAX,DWORD PTR DS:
│00700D3B|.CALL ICONCRAF.0040D134
│00700D40|.CALL ICONCRAF.0040392C
│00700D45|>POP EBX
│00700D46\.RETN
└──────────────────────────────────────────────┘
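The registration algorithm is this simple!
Its flow is:
1. First check whether the registration code contains the "- KEY BEGIN KEY -" and "- KEY END KEY -" strings; if so, take the characters between them as the registration code. Spaces are removed automatically. Chinese characters are allowed.
2. After obtaining the registration code, count the '=' characters in it. If the number of '=' is 0, the registration-failure dialog is called.
3. When there is only one '=', take the part to the left of the '=' (including the '=') as the new registration code and verify that its first character is '0', its last character is '=' and its length is 0xAD (173d); if so, it registers as a single-user license.
4. When there is more than one '=', split the registration code successively into segments of the form '......=' and verify for each segment that its first character is '0', its last character is '=' and its length is 0xAD (173d); as long as one segment meets the requirements, the license is registered as a multi-user license, and the number of licenses is the number of '='.
5. Write the registry entries.
【Summary】:
———————————————————————————————————————————
This is the simplest registration algorithm I have ever seen, but for Cracker newcomers it has some value, so I wrote it up. Finally, here is a silly registration code for everyone's amusement: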
- KEY BEGIN KEY -
0鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.=
- KEY END KEY -
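Then, to add a keygen: this keygen is not a keygen in the full sense, because it cannot list every possible registration code. Of course, if one insisted on writing that, it would not be impossible; I just do not think it is necessary. Writing a complicated keygen for this simple registration-code algorithm is not worth it.
Experts need not bother.
Note: this registration algorithm can also register IconoMaker 3.20 and Perfect Icon 2.30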
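Added example (not part of the original post and not the vendor's code): the shape-only check from steps 1-3 of the flow above, next to a check that binds the code to the user name with a MAC. `issue_license`, `authenticated_check` and the secret are hypothetical; the HMAC key is assumed to stay on the vendor's activation server, since an offline client would need a public-key signature instead.

```python
import base64
import hashlib
import hmac

BEGIN, END = "- KEY BEGIN KEY -", "- KEY END KEY -"


def extract_body(text):
    """Return the text between the two marker rows with whitespace removed, or None."""
    start, end = text.find(BEGIN), text.find(END)
    if start < 0 or end < 0 or end < start:
        return None
    return "".join(text[start + len(BEGIN):end].split())


def structural_check(segment):
    """The check as the post describes it: first '0', last '=', length 0xAD.

    Nothing here depends on the user name or on any secret, so the predicate
    describes a shape, not a licence. (Length is counted in characters here;
    the original counts the bytes of an ANSI string.)
    """
    return len(segment) == 0xAD and segment[0] == "0" and segment[-1] == "="


def issue_license(name, secret):
    """Vendor side (hypothetical): token = base64(HMAC-SHA256(secret, name))."""
    tag = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii")


def authenticated_check(name, token, secret):
    """Accept a token only if it is the MAC of this exact name (constant-time compare)."""
    expected = issue_license(name, secret)
    return hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8"))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, held server-side only
    block = f"{BEGIN}\n{issue_license('alice', secret)}\n{END}"  # constructed input
    token = extract_body(block)
    print(authenticated_check("alice", token, secret))  # token issued for this name
    print(authenticated_check("bob", token, secret))    # same token, other name
    print(structural_check(token))                      # the shape test is unrelated
```
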
Please send a private message to hmilywen on the Kanxue forum to confirm that the application is from you, then reply to me here.