Internet Download Manager6.25注册算法分析及成品注册机【Hosts自己搞定]】
本帖最后由 aikuimail 于 2016-1-7 19:26 编辑目标程序:Internet Download Manager 6.25
官方网站:http://www.internetdownloadmanager.com/
工 具:吾爱OD MASM32
平 台:Windows7 32-bit
在没开始之前,我得先声明,我在这里只解析一下这个软件的注册算法以及一个简易的算号器,至于Hosts屏蔽之类或者直接修改软件,大家自己动手吧,我在这里只说一下实现本地注册的流程。网上有很多这样的配置文章,或者论坛上面有很多修改版本,都很好用,我在这里只是学习一下该软件的算法,在这里我上两篇这方面的文章:
教你玩转IDM>>>一些让你无法忍受的细节 http://www.52pojie.cn/thread-232058-1-1.html
Internet Download Manager.v6.25.Build.10.Patch.By.Soundhttp://www.52pojie.cn/thread-452369-1-1.html
好了,我们开始吧!这个软件真正分析起来,其实应该先构造一个假码,在试过错知道,序列号应该满足以下几个基本要求:
1、长度为23位
2、序列号每个子串要用连字符'-'隔开
3、如SN1-SN2-SN3-SN4形式,每个子串都五位长度
代码:
005022C0/.55 push ebp
005022C1|.8BEC mov ebp,esp
005022C3|.6A FF push -0x1
005022C5|.68 25DF6000 push IDMan.0060DF25 ;父党; SE 处理程序安装
005022CA|.64:A1 0000000>mov eax,dword ptr fs:
005022D0|.50 push eax ;ntdll.77C4D63E
005022D1|.64:8925 00000>mov dword ptr fs:,esp
005022D8|.81EC 88030000 sub esp,0x388
005022DE|.53 push ebx
005022DF|.56 push esi
005022E0|.57 push edi
005022E1|.8D85 C0FEFFFF lea eax,dword ptr ss:
005022E7|.8965 F0 mov dword ptr ss:,esp
005022EA|.6A 32 push 0x32
005022EC|.8BD9 mov ebx,ecx
005022EE|.50 push eax ;ntdll.77C4D63E
005022EF|.68 B0040000 push 0x4B0
005022F4|.895D C8 mov dword ptr ss:,ebx
005022F7|.C605 E0786D00>mov byte ptr ds:,0x32
005022FE|.C605 E1786D00>mov byte ptr ds:,0x59
00502305|.C605 E2786D00>mov byte ptr ds:,0x4F
0050230C|.C605 E3786D00>mov byte ptr ds:,0x50
00502313|.C605 E4786D00>mov byte ptr ds:,0x42
0050231A|.C605 E5786D00>mov byte ptr ds:,0x33
00502321|.C605 E6786D00>mov byte ptr ds:,0x41
00502328|.C605 E7786D00>mov byte ptr ds:,0x51
0050232F|.C605 E8786D00>mov byte ptr ds:,0x43
00502336|.C605 E9786D00>mov byte ptr ds:,0x56
0050233D|.C605 EA786D00>mov byte ptr ds:,0x55
00502344|.C605 EB786D00>mov byte ptr ds:,0x58
0050234B|.C605 EC786D00>mov byte ptr ds:,0x4D
00502352|.C605 ED786D00>mov byte ptr ds:,0x4E
00502359|.C605 EE786D00>mov byte ptr ds:,0x52
00502360|.C605 EF786D00>mov byte ptr ds:,0x53
00502367|.C605 F0786D00>mov byte ptr ds:,0x39
0050236E|.C605 F1786D00>mov byte ptr ds:,0x37
00502375|.C605 F2786D00>mov byte ptr ds:,0x57
0050237C|.C605 F3786D00>mov byte ptr ds:,0x45
00502383|.C605 F4786D00>mov byte ptr ds:,0x30
0050238A|.C605 F5786D00>mov byte ptr ds:,0x49
00502391|.C605 F6786D00>mov byte ptr ds:,0x5A
00502398|.C605 F7786D00>mov byte ptr ds:,0x44
0050239F|.C605 F8786D00>mov byte ptr ds:,0x34
005023A6|.C605 F9786D00>mov byte ptr ds:,0x4B
005023AD|.C605 FA786D00>mov byte ptr ds:,0x4C
005023B4|.C605 FB786D00>mov byte ptr ds:,0x46
005023BB|.C605 FC786D00>mov byte ptr ds:,0x47
005023C2|.C605 FD786D00>mov byte ptr ds:,0x48
005023C9|.C605 FE786D00>mov byte ptr ds:,0x4A
005023D0|.C605 FF786D00>mov byte ptr ds:,0x38
005023D7|.C605 00796D00>mov byte ptr ds:,0x31
005023DE|.C605 01796D00>mov byte ptr ds:,0x36
005023E5|.C605 02796D00>mov byte ptr ds:,0x35
005023EC|.C605 03796D00>mov byte ptr ds:,0x54
005023F3|.C745 FC 00000>mov dword ptr ss:,0x0
005023FA|.E8 976A0E00 call IDMan.005E8E96 ;//取First Name长度
005023FF|.85C0 test eax,eax ;ntdll.77C4D63E
00502401|.75 25 jnz short IDMan.00502428 ;//First Name不为空则跳转
00502403|.8B0D 9C826D00 mov ecx,dword ptr ds:
00502409|.50 push eax ;ntdll.77C4D63E
0050240A|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
0050240F|>51 push ecx
00502410|>8BCB mov ecx,ebx
00502412|>E8 20560E00 call IDMan.005E7A37 ;//弹出出错提示
00502417|.8B4D F4 mov ecx,dword ptr ss:
0050241A|.64:890D 00000>mov dword ptr fs:,ecx
00502421|.5F pop edi
00502422|.5E pop esi
00502423|.5B pop ebx
00502424|.8BE5 mov esp,ebp
00502426|.5D pop ebp
00502427|.C3 retn
00502428|>8D95 28FFFFFF lea edx,dword ptr ss:
0050242E|.6A 32 push 0x32
00502430|.52 push edx
00502431|.68 13040000 push 0x413
00502436|.8BCB mov ecx,ebx
00502438|.E8 596A0E00 call IDMan.005E8E96 ;//Last Name长度
0050243D|.85C0 test eax,eax ;ntdll.77C4D63E
0050243F|.75 0E jnz short IDMan.0050244F ;//Last Name长度不为空
00502441|.50 push eax ;ntdll.77C4D63E
00502442|.A1 98826D00 mov eax,dword ptr ds:
00502447|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
0050244C|.50 push eax ;ntdll.77C4D63E
0050244D|.^ EB C1 jmp short IDMan.00502410
0050244F|>8D8D F4FEFFFF lea ecx,dword ptr ss:
00502455|.6A 32 push 0x32
00502457|.51 push ecx
00502458|.68 A5040000 push 0x4A5
0050245D|.8BCB mov ecx,ebx
0050245F|.E8 326A0E00 call IDMan.005E8E96 ;//取邮箱长度
00502464|.85C0 test eax,eax ;ntdll.77C4D63E
00502466|.75 0F jnz short IDMan.00502477 ;//邮箱不为空
00502468|.8B15 94826D00 mov edx,dword ptr ds:
0050246E|.50 push eax ;ntdll.77C4D63E
0050246F|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
00502474|.52 push edx
00502475|.^ EB 99 jmp short IDMan.00502410
00502477|>8D85 7CFFFFFF lea eax,dword ptr ss:
0050247D|.6A 32 push 0x32
0050247F|.50 push eax ;ntdll.77C4D63E
00502480|.68 AA040000 push 0x4AA
00502485|.8BCB mov ecx,ebx
00502487|.E8 0A6A0E00 call IDMan.005E8E96 ;//取序列号长度
0050248C|.85C0 test eax,eax ;ntdll.77C4D63E
0050248E|.75 11 jnz short IDMan.005024A1 ;//序列号不为空
00502490|.8B0D 90826D00 mov ecx,dword ptr ds:
00502496|.50 push eax ;ntdll.77C4D63E
00502497|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
0050249C|.^ E9 6EFFFFFF jmp IDMan.0050240F
005024A1|>B2 20 mov dl,0x20
005024A3|>3895 7CFFFFFF /cmp byte ptr ss:,dl ;--------------------------------
005024A9|.75 5C |jnz short IDMan.00502507
005024AB|.8DBD 7DFFFFFF |lea edi,dword ptr ss:
005024B1|.83C9 FF |or ecx,-0x1
005024B4|.33C0 |xor eax,eax ;ntdll.77C4D63E
005024B6|.8DB5 0CFEFFFF |lea esi,dword ptr ss:
005024BC|.F2:AE |repne scas byte ptr es:
005024BE|.F7D1 |not ecx
005024C0|.2BF9 |sub edi,ecx
005024C2|.8975 D4 |mov dword ptr ss:,esi
005024C5|.8BC1 |mov eax,ecx
005024C7|.8BF7 |mov esi,edi
005024C9|.8B7D D4 |mov edi,dword ptr ss:
005024CC|.C1E9 02 |shr ecx,0x2
005024CF|.F3:A5 |rep movs dword ptr es:,dword ptr d>
005024D1|.8BC8 |mov ecx,eax ;ntdll.77C4D63E
005024D3|.33C0 |xor eax,eax ;ntdll.77C4D63E
005024D5|.83E1 03 |and ecx,0x3
005024D8|.F3:A4 |rep movs byte ptr es:,byte ptr ds:>
005024DA|.8DBD 0CFEFFFF |lea edi,dword ptr ss:
005024E0|.83C9 FF |or ecx,-0x1
005024E3|.F2:AE |repne scas byte ptr es:
005024E5|.F7D1 |not ecx
005024E7|.8DB5 7CFFFFFF |lea esi,dword ptr ss:
005024ED|.2BF9 |sub edi,ecx
005024EF|.8BC1 |mov eax,ecx
005024F1|.8975 D4 |mov dword ptr ss:,esi
005024F4|.8BF7 |mov esi,edi
005024F6|.8B7D D4 |mov edi,dword ptr ss:
005024F9|.C1E9 02 |shr ecx,0x2
005024FC|.F3:A5 |rep movs dword ptr es:,dword ptr d>
005024FE|.8BC8 |mov ecx,eax ;ntdll.77C4D63E
00502500|.83E1 03 |and ecx,0x3
00502503|.F3:A4 |rep movs byte ptr es:,byte ptr ds:>
00502505|.^ EB 9C \jmp short IDMan.005024A3 ;--------------------------------
00502507|>8DBD 7CFFFFFF lea edi,dword ptr ss: ;ASCII "12345-789ab-defgh-78900"
0050250D|.83C9 FF or ecx,-0x1
00502510|.33C0 xor eax,eax ;ntdll.77C4D63E
00502512|.F2:AE repne scas byte ptr es:
00502514|.F7D1 not ecx
00502516|.49 dec ecx ;//求序列号长度
00502517|.75 12 jnz short IDMan.0050252B ;//序列号不为空
00502519|>8B0D 8C826D00 mov ecx,dword ptr ds:
0050251F|.6A 00 push 0x0
00502521|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
00502526|.^ E9 E4FEFFFF jmp IDMan.0050240F
0050252B|>8DBD 7CFFFFFF /lea edi,dword ptr ss: ;ASCII "12345-789ab-defgh-78900"
00502531|.83C9 FF |or ecx,-0x1
00502534|.33C0 |xor eax,eax ;ntdll.77C4D63E
00502536|.F2:AE |repne scas byte ptr es:
00502538|.F7D1 |not ecx
0050253A|.49 |dec ecx ;//求序列号长度
0050253B|.38940D 7BFFFF>|cmp byte ptr ss:,dl
00502542|.75 19 |jnz short IDMan.0050255D ;//不为空
00502544|.8DBD 7CFFFFFF |lea edi,dword ptr ss:
0050254A|.83C9 FF |or ecx,-0x1
0050254D|.33C0 |xor eax,eax ;ntdll.77C4D63E
0050254F|.F2:AE |repne scas byte ptr es:
00502551|.F7D1 |not ecx
00502553|.49 |dec ecx
00502554|.88840D 7BFFFF>|mov byte ptr ss:,al
0050255B|.^ EB CE \jmp short IDMan.0050252B
0050255D|>8D95 7CFFFFFF lea edx,dword ptr ss:
00502563|.52 push edx
00502564|.E8 42E10C00 call IDMan.005D06AB ;//将序列号大写
00502569|.8DBD 7CFFFFFF lea edi,dword ptr ss: ;ASCII "12345-789AB-DEFGH-78900"
0050256F|.83C9 FF or ecx,-0x1
00502572|.33C0 xor eax,eax ;ntdll.77C4D63E
00502574|.83C4 04 add esp,0x4
00502577|.F2:AE repne scas byte ptr es:
00502579|.F7D1 not ecx
0050257B|.49 dec ecx ;ASCII "12345-789AB-DEFGH-78900"长度
0050257C|.83F9 17 cmp ecx,0x17 ;//真正序列号的长度要23位
0050257F|.^ 75 98 jnz short IDMan.00502519 ;//跳则出错
00502581|.8A4D 81 mov cl,byte ptr ss: ;//取序列号第六位
00502584|.8845 EF mov byte ptr ss:,al ;//给标志位赋值,此时AL为0
00502587|.B0 2D mov al,0x2D
00502589|.3AC8 cmp cl,al ;//比较序列号第六位是否为连字符
0050258B|.75 0A jnz short IDMan.00502597 ;//序列号第六位不为连字符则跳
0050258D|.3845 87 cmp byte ptr ss:,al
00502590|.75 05 jnz short IDMan.00502597
00502592|.3845 8D cmp byte ptr ss:,al
00502595|.74 04 je short IDMan.0050259B ;//跳过给标志位赋值*
00502597|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
0050259B|>8D85 7CFFFFFF lea eax,dword ptr ss: ;ASCII "12345-789AB-DEFGH-78900"
005025A1|.6A 05 push 0x5
005025A3|.8D4D D4 lea ecx,dword ptr ss:
005025A6|.50 push eax ;ntdll.77C4D63E
005025A7|.51 push ecx
005025A8|.E8 53B30C00 call IDMan.005CD900 ;//取语前1-5位
005025AD|.8D55 82 lea edx,dword ptr ss: ;ASCII "789AB-DEFGH-78900"
005025B0|.6A 05 push 0x5
005025B2|.8D45 CC lea eax,dword ptr ss:
005025B5|.52 push edx
005025B6|.50 push eax ;ntdll.77C4D63E
005025B7|.E8 44B30C00 call IDMan.005CD900 ;//取序列号7-11位
005025BC|.8D4D 88 lea ecx,dword ptr ss: ;ASCII "DEFGH-78900"
005025BF|.6A 05 push 0x5
005025C1|.8D55 E0 lea edx,dword ptr ss:
005025C4|.51 push ecx
005025C5|.52 push edx
005025C6|.E8 35B30C00 call IDMan.005CD900 ;//取序列号13-17位
005025CB|.8D45 8E lea eax,dword ptr ss: ;ASCII "78900"
005025CE|.6A 05 push 0x5
005025D0|.8D4D B0 lea ecx,dword ptr ss:
005025D3|.50 push eax ;ntdll.77C4D63E
005025D4|.51 push ecx
005025D5|.E8 26B30C00 call IDMan.005CD900 ;//取序列号19-23位
005025DA|.33FF xor edi,edi
005025DC|.83C4 30 add esp,0x30
005025DF|.C645 D9 00 mov byte ptr ss:,0x0
005025E3|.C645 D1 00 mov byte ptr ss:,0x0
005025E7|.C645 E5 00 mov byte ptr ss:,0x0
005025EB|.C645 B5 00 mov byte ptr ss:,0x0 ;//为SN加上字符串结束符
005025EF|.897D E8 mov dword ptr ss:,edi
005025F2|.33F6 xor esi,esi
005025F4|>83FE 05 cmp esi,0x5 ;//用序列号前5位参与运算
005025F7|.7D 32 jge short IDMan.0050262B ;//用序列号前5位在表中的索引累计算出一个KEY
005025F9|.8A5435 D4 mov dl,byte ptr ss: ;//序列号第一位
005025FD|.83C9 FF or ecx,-0x1
00502600|.33C0 xor eax,eax ;ntdll.77C4D63E
00502602|>83F8 24 /cmp eax,0x24 ;--------------------
00502605|.7D 0A |jge short IDMan.00502611
00502607|.3890 E0786D00 |cmp byte ptr ds:,dl ;//序列号的第一位与初始化的第一个值进行比较
0050260D|.75 15 |jnz short IDMan.00502624 ;//不相等则跳转
0050260F|.8BC8 |mov ecx,eax ;//EAX为要寻找的字符在表里面的索引,索引以0开始
00502611|>83F9 FF |cmp ecx,-0x1 ;ECX=EAX
00502614|.74 11 |je short IDMan.00502627 ;//表里没找到则跳转
00502616|.8D14FF |lea edx,dword ptr ds: ;EDX=EDI+EDI*8
00502619|.03CF |add ecx,edi ;ECX=ECX+EDI
0050261B|.46 |inc esi
0050261C|.8D3C91 |lea edi,dword ptr ds: ;EDI=ECX+EDX*4 EDI=EAX+EDI+(EDI+EDI*8)*4
0050261F|.897D E8 |mov dword ptr ss:,edi ;//计算结果
00502622|.^ EB D0 |jmp short IDMan.005025F4
00502624|>40 |inc eax ;ntdll.77C4D63E
00502625|.^ EB DB \jmp short IDMan.00502602 ;--------------------
00502627|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
0050262B|>33FF xor edi,edi ;//清零EDI
0050262D|.33F6 xor esi,esi ;//清零ESI
0050262F|.897D DC mov dword ptr ss:,edi
00502632|>83FE 05 cmp esi,0x5 ;用SN2每一位在表的索引参与运算
00502635|.7D 32 jge short IDMan.00502669
00502637|.8A5435 CC mov dl,byte ptr ss: ;SN2
0050263B|.83C9 FF or ecx,-0x1
0050263E|.33C0 xor eax,eax ;ntdll.77C4D63E
00502640|>83F8 24 /cmp eax,0x24
00502643|.7D 0A |jge short IDMan.0050264F
00502645|.3890 E0786D00 |cmp byte ptr ds:,dl
0050264B|.75 15 |jnz short IDMan.00502662
0050264D|.8BC8 |mov ecx,eax ;ECX=EAX
0050264F|>83F9 FF |cmp ecx,-0x1
00502652|.74 11 |je short IDMan.00502665
00502654|.8D04FF |lea eax,dword ptr ds: ;EAX=EDI+EDI*8
00502657|.03CF |add ecx,edi ;ECX=ECX+EDI
00502659|.46 |inc esi
0050265A|.8D3C81 |lea edi,dword ptr ds: ;EDI=ECX+EAX*4 EDI=EAX+EDI+(EDI+EDI*8)*4
0050265D|.897D DC |mov dword ptr ss:,edi
00502660|.^ EB D0 |jmp short IDMan.00502632
00502662|>40 |inc eax ;ntdll.77C4D63E
00502663|.^ EB DB \jmp short IDMan.00502640
00502665|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
00502669|>33DB xor ebx,ebx
0050266B|.33F6 xor esi,esi
0050266D|>83FE 05 cmp esi,0x5 ;用SN3每一位在表的索引参与运算
00502670|.7D 2F jge short IDMan.005026A1
00502672|.8A5435 E0 mov dl,byte ptr ss:
00502676|.83C9 FF or ecx,-0x1
00502679|.33C0 xor eax,eax ;ntdll.77C4D63E
0050267B|>83F8 24 /cmp eax,0x24
0050267E|.7D 0A |jge short IDMan.0050268A
00502680|.3890 E0786D00 |cmp byte ptr ds:,dl
00502686|.75 12 |jnz short IDMan.0050269A
00502688|.8BC8 |mov ecx,eax ;ntdll.77C4D63E
0050268A|>83F9 FF |cmp ecx,-0x1
0050268D|.74 0E |je short IDMan.0050269D ;//如果在表中没有找到,就会到下面给标志位赋1
0050268F|.8D14DB |lea edx,dword ptr ds:
00502692|.03CB |add ecx,ebx
00502694|.46 |inc esi
00502695|.8D1C91 |lea ebx,dword ptr ds:
00502698|.^ EB D3 |jmp short IDMan.0050266D
0050269A|>40 |inc eax ;ntdll.77C4D63E
0050269B|.^ EB DE \jmp short IDMan.0050267B
0050269D|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
005026A1|>33FF xor edi,edi
005026A3|.33F6 xor esi,esi
005026A5|>83FE 05 cmp esi,0x5 ;用SN4每一位在表的索引参与运算
005026A8|.7D 2B jge short IDMan.005026D5
005026AA|.8A5435 B0 mov dl,byte ptr ss:
005026AE|.83C9 FF or ecx,-0x1
005026B1|.33C0 xor eax,eax ;ntdll.77C4D63E
005026B3|>83F8 24 /cmp eax,0x24
005026B6|.7D 0A |jge short IDMan.005026C2
005026B8|.3890 E0786D00 |cmp byte ptr ds:,dl
005026BE|.75 12 |jnz short IDMan.005026D2
005026C0|.8BC8 |mov ecx,eax ;ntdll.77C4D63E
005026C2|>83F9 FF |cmp ecx,-0x1
005026C5|.74 15 |je short IDMan.005026DC
005026C7|.8D04FF |lea eax,dword ptr ds:
005026CA|.03CF |add ecx,edi
005026CC|.46 |inc esi
005026CD|.8D3C81 |lea edi,dword ptr ds:
005026D0|.^ EB D3 |jmp short IDMan.005026A5
005026D2|>40 |inc eax ;ntdll.77C4D63E
005026D3|.^ EB DE \jmp short IDMan.005026B3
005026D5|>8A45 EF mov al,byte ptr ss: ;//保存标志位的值
005026D8|.84C0 test al,al ;//检查标志位的值
005026DA|.74 16 je short IDMan.005026F2 ;//标志位为0则跳转
005026DC|>8B0D 8C826D00 mov ecx,dword ptr ds: ;//序列号输入错误提示
005026E2|.6A 00 push 0x0
005026E4|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
005026E9|.51 push ecx
005026EA|.8B4D C8 mov ecx,dword ptr ss:
005026ED|.^ E9 20FDFFFF jmp IDMan.00502412
005026F2|>8B4D E8 mov ecx,dword ptr ss:
005026F5|.BE 2B000000 mov esi,0x2B
005026FA|.8BC1 mov eax,ecx
005026FC|.99 cdq
005026FD|.F7FE idiv esi
005026FF|.85D2 test edx,edx
00502701|.75 04 jnz short IDMan.00502707 ;//跳转则将标志位赋一
00502703|.85C9 test ecx,ecx
00502705|.75 04 jnz short IDMan.0050270B ;//防止SN1为"22222"
00502707|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
0050270B|>8B4D DC mov ecx,dword ptr ss:
0050270E|.BE 17000000 mov esi,0x17
00502713|.8BC1 mov eax,ecx
00502715|.99 cdq
00502716|.F7FE idiv esi
00502718|.85D2 test edx,edx
0050271A|.75 04 jnz short IDMan.00502720 ;//跳转则将标志位赋一
0050271C|.85C9 test ecx,ecx
0050271E|.75 04 jnz short IDMan.00502724
00502720|>C645 EF 01 mov byte ptr ss:,0x1 ;//将标志位赋一
00502724|>8BC3 mov eax,ebx
00502726|.B9 11000000 mov ecx,0x11
0050272B|.99 cdq
0050272C|.F7F9 idiv ecx
0050272E|.85D2 test edx,edx
00502730|.75 04 jnz short IDMan.00502736 ;//跳转则将标志位赋一
00502732|.85DB test ebx,ebx
00502734|.75 04 jnz short IDMan.0050273A
00502736|>C645 EF 01 mov byte ptr ss:,0x1 ;//将标志位赋一
0050273A|>8BC7 mov eax,edi
0050273C|.B9 35000000 mov ecx,0x35
00502741|.99 cdq
00502742|.F7F9 idiv ecx
00502744|.85D2 test edx,edx
00502746|.75 0B jnz short IDMan.00502753
00502748|.85FF test edi,edi
0050274A|.74 07 je short IDMan.00502753
0050274C|.8A45 EF mov al,byte ptr ss: ;//将标志位赋一
0050274F|.84C0 test al,al
00502751|.74 16 je short IDMan.00502769 ;//跳转则注册成功
00502753|>8B15 8C826D00 mov edx,dword ptr ds: ;//注册失败
00502759|.8B4D C8 mov ecx,dword ptr ss:
0050275C|.6A 00 push 0x0
0050275E|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
00502763|.52 push edx
00502764|.^ E9 A9FCFFFF jmp IDMan.00502412
00502769|>8D45 C4 lea eax,dword ptr ss:
0050276C|.6A 00 push 0x0 ; /pDisposition = NULL
0050276E|.50 push eax ; |pHandle = ntdll.77C4D63E
0050276F|.6A 00 push 0x0 ; |pSecurity = NULL
00502771|.68 3F000F00 push 0xF003F ; |Access = KEY_ALL_ACCESS
00502776|.6A 00 push 0x0 ; |Options = REG_OPTION_NON_VOLATILE
00502778|.6A 00 push 0x0 ; |Class = NULL
0050277A|.6A 00 push 0x0 ; |Reserved = 0x0
0050277C|.68 007F6A00 push IDMan.006A7F00 ; |SOFTWARE\Internet Download Manager
00502781|.68 02000080 push 0x80000002 ; |hKey = HKEY_LOCAL_MACHINE
程序一开始就是初始化一个全局数组,我们“数据窗口跟随”可以得到一段固定的字符串:
2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
005022F4|.895D C8 mov dword ptr ss:,ebx
005022F7|.C605 E0786D00>mov byte ptr ds:,0x32
005022FE|.C605 E1786D00>mov byte ptr ds:,0x59
00502305|.C605 E2786D00>mov byte ptr ds:,0x4F
0050230C|.C605 E3786D00>mov byte ptr ds:,0x50
00502313|.C605 E4786D00>mov byte ptr ds:,0x42
0050231A|.C605 E5786D00>mov byte ptr ds:,0x33
00502321|.C605 E6786D00>mov byte ptr ds:,0x41
00502328|.C605 E7786D00>mov byte ptr ds:,0x51
0050232F|.C605 E8786D00>mov byte ptr ds:,0x43
00502336|.C605 E9786D00>mov byte ptr ds:,0x56
0050233D|.C605 EA786D00>mov byte ptr ds:,0x55
00502344|.C605 EB786D00>mov byte ptr ds:,0x58
0050234B|.C605 EC786D00>mov byte ptr ds:,0x4D
00502352|.C605 ED786D00>mov byte ptr ds:,0x4E
00502359|.C605 EE786D00>mov byte ptr ds:,0x52
00502360|.C605 EF786D00>mov byte ptr ds:,0x53
00502367|.C605 F0786D00>mov byte ptr ds:,0x39
0050236E|.C605 F1786D00>mov byte ptr ds:,0x37
00502375|.C605 F2786D00>mov byte ptr ds:,0x57
0050237C|.C605 F3786D00>mov byte ptr ds:,0x45
00502383|.C605 F4786D00>mov byte ptr ds:,0x30
0050238A|.C605 F5786D00>mov byte ptr ds:,0x49
00502391|.C605 F6786D00>mov byte ptr ds:,0x5A
00502398|.C605 F7786D00>mov byte ptr ds:,0x44
0050239F|.C605 F8786D00>mov byte ptr ds:,0x34
005023A6|.C605 F9786D00>mov byte ptr ds:,0x4B
005023AD|.C605 FA786D00>mov byte ptr ds:,0x4C
005023B4|.C605 FB786D00>mov byte ptr ds:,0x46
005023BB|.C605 FC786D00>mov byte ptr ds:,0x47
005023C2|.C605 FD786D00>mov byte ptr ds:,0x48
005023C9|.C605 FE786D00>mov byte ptr ds:,0x4A
005023D0|.C605 FF786D00>mov byte ptr ds:,0x38
005023D7|.C605 00796D00>mov byte ptr ds:,0x31
005023DE|.C605 01796D00>mov byte ptr ds:,0x36
005023E5|.C605 02796D00>mov byte ptr ds:,0x35
005023EC|.C605 03796D00>mov byte ptr ds:,0x54
005023F3|.C745 FC 00000>mov dword ptr ss:,0x0
接下来就是简单的判断一下姓、名以及邮箱、序列号是否为空,完成这些基本条件后,再将整个假码大写:
00502563|.52 push edx
00502564|.E8 42E10C00 call IDMan.005D06AB ;//将序列号大写
00502569|.8DBD 7CFFFFFF lea edi,dword ptr ss: ;ASCII "12345-789AB-DEFGH-78900"
0050256F|.83C9 FF or ecx,-0x1
00502572|.33C0 xor eax,eax ;ntdll.77C4D63E
00502574|.83C4 04 add esp,0x4
再进一步确定序列号的长度为23,是否被连字符分割,然后初始化一个非常重要的标志位。
0050257B|.49 dec ecx ;ASCII "12345-789AB-DEFGH-78900"长度
0050257C|.83F9 17 cmp ecx,0x17 ;//真正序列号的长度要23位
0050257F|.^ 75 98 jnz short IDMan.00502519 ;//跳则出错
00502581|.8A4D 81 mov cl,byte ptr ss: ;//取序列号第六位
00502584|.8845 EF mov byte ptr ss:,al ;//给标志位赋值,此时AL为0
00502587|.B0 2D mov al,0x2D
00502589|.3AC8 cmp cl,al ;//比较序列号第六位是否为连字符
0050258B|.75 0A jnz short IDMan.00502597 ;//序列号第六位不为连字符则跳
通过下面的好几处地方可以看到byte ptr ss:这个标志位只要被置一,整个注册任务就会失败,所以我们要想方法跳过。接下来就是通过连字符,将序列号分割成四个子串:
0050258D|.3845 87 cmp byte ptr ss:,al
00502590|.75 05 jnz short IDMan.00502597
00502592|.3845 8D cmp byte ptr ss:,al
00502595|.74 04 je short IDMan.0050259B ;//跳过给标志位赋值*
00502597|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
0050259B|>8D85 7CFFFFFF lea eax,dword ptr ss: ;ASCII "12345-789AB-DEFGH-78900"
005025A1|.6A 05 push 0x5
005025A3|.8D4D D4 lea ecx,dword ptr ss:
005025A6|.50 push eax ;ntdll.77C4D63E
005025A7|.51 push ecx
005025A8|.E8 53B30C00 call IDMan.005CD900 ;//取语前1-5位
005025AD|.8D55 82 lea edx,dword ptr ss: ;ASCII "789AB-DEFGH-78900"
005025B0|.6A 05 push 0x5
005025B2|.8D45 CC lea eax,dword ptr ss:
005025B5|.52 push edx
005025B6|.50 push eax ;ntdll.77C4D63E
005025B7|.E8 44B30C00 call IDMan.005CD900 ;//取序列号7-11位
005025BC|.8D4D 88 lea ecx,dword ptr ss: ;ASCII "DEFGH-78900"
005025BF|.6A 05 push 0x5
005025C1|.8D55 E0 lea edx,dword ptr ss:
005025C4|.51 push ecx
005025C5|.52 push edx
005025C6|.E8 35B30C00 call IDMan.005CD900 ;//取序列号13-17位
005025CB|.8D45 8E lea eax,dword ptr ss: ;ASCII "78900"
005025CE|.6A 05 push 0x5
005025D0|.8D4D B0 lea ecx,dword ptr ss:
005025D3|.50 push eax ;ntdll.77C4D63E
005025D4|.51 push ecx
005025D5|.E8 26B30C00 call IDMan.005CD900 ;//取序列号19-23位
005025DA|.33FF xor edi,edi
005025DC|.83C4 30 add esp,0x30
每个子串末尾添加字符串结束符:
005025DF|.C645 D9 00 mov byte ptr ss:,0x0
005025E3|.C645 D1 00 mov byte ptr ss:,0x0
005025E7|.C645 E5 00 mov byte ptr ss:,0x0
005025EB|.C645 B5 00 mov byte ptr ss:,0x0 ;//为SN加上字符串结束符
005025EF|.897D E8 mov dword ptr ss:,edi
再下面就是一个比较大的循环,在全局数组里面逐个寻找假码所在的位置,然后得出假码在全局数组的下标,这个下标将参与下面的运算。简单描述一下,一个关于索引的表达式:
EDI=EAX+EDI+(EDI+EDI*8)*4(EDI初始为0)
= EAX+37*EDI
下面三个循环将分别计算SN2,SN3,SN4,代码虽然有点不同,但是本质上还是我上面给出我那个公式,大家在最后看我的注册机源码就会知道了,简单粘贴一下:
SN2
0050262B|> \33FF xor edi,edi ;//清零EDI
0050262D|.33F6 xor esi,esi ;//清零ESI
0050262F|.897D DC mov dword ptr ss:,edi
00502632|>83FE 05 cmp esi,0x5 ;用SN2每一位在表的索引参与运算
00502635|.7D 32 jge short IDMan.00502669
00502637|.8A5435 CC mov dl,byte ptr ss: ;SN2
0050263B|.83C9 FF or ecx,-0x1
0050263E|.33C0 xor eax,eax ;ntdll.77C4D63E
00502640|>83F8 24 /cmp eax,0x24
00502643|.7D 0A |jge short IDMan.0050264F
00502645|.3890 E0786D00 |cmp byte ptr ds:,dl
0050264B|.75 15 |jnz short IDMan.00502662
0050264D|.8BC8 |mov ecx,eax ;ECX=EAX
0050264F|>83F9 FF |cmp ecx,-0x1
00502652|.74 11 |je short IDMan.00502665
00502654|.8D04FF |lea eax,dword ptr ds: ;EAX=EDI+EDI*8
00502657|.03CF |add ecx,edi ;ECX=ECX+EDI
00502659|.46 |inc esi
0050265A|.8D3C81 |lea edi,dword ptr ds: ;EDI=ECX+EAX*4 EDI=EAX+EDI+(EDI+EDI*8)*4
0050265D|.897D DC |mov dword ptr ss:,edi
00502660|.^ EB D0 |jmp short IDMan.00502632
00502662|>40 |inc eax ;ntdll.77C4D63E
00502663|.^ EB DB \jmp short IDMan.00502640
00502665|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
SN3:
00502669|> \33DB xor ebx,ebx
0050266B|.33F6 xor esi,esi
0050266D|>83FE 05 cmp esi,0x5 ;用SN3每一位在表的索引参与运算
00502670|.7D 2F jge short IDMan.005026A1
00502672|.8A5435 E0 mov dl,byte ptr ss:
00502676|.83C9 FF or ecx,-0x1
00502679|.33C0 xor eax,eax ;ntdll.77C4D63E
0050267B|>83F8 24 /cmp eax,0x24
0050267E|.7D 0A |jge short IDMan.0050268A
00502680|.3890 E0786D00 |cmp byte ptr ds:,dl
00502686|.75 12 |jnz short IDMan.0050269A
00502688|.8BC8 |mov ecx,eax ;ntdll.77C4D63E
0050268A|>83F9 FF |cmp ecx,-0x1
0050268D|.74 0E |je short IDMan.0050269D ;//如果在表中没有找到,就会到下面给标志位赋1
0050268F|.8D14DB |lea edx,dword ptr ds:
00502692|.03CB |add ecx,ebx
00502694|.46 |inc esi
00502695|.8D1C91 |lea ebx,dword ptr ds:
00502698|.^ EB D3 |jmp short IDMan.0050266D
0050269A|>40 |inc eax ;ntdll.77C4D63E
0050269B|.^ EB DE \jmp short IDMan.0050267B
0050269D|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
SN4:
005026A1|> \33FF xor edi,edi
005026A3|.33F6 xor esi,esi
005026A5|>83FE 05 cmp esi,0x5 ;用SN4每一位在表的索引参与运算
005026A8|.7D 2B jge short IDMan.005026D5
005026AA|.8A5435 B0 mov dl,byte ptr ss:
005026AE|.83C9 FF or ecx,-0x1
005026B1|.33C0 xor eax,eax ;ntdll.77C4D63E
005026B3|>83F8 24 /cmp eax,0x24
005026B6|.7D 0A |jge short IDMan.005026C2
005026B8|.3890 E0786D00 |cmp byte ptr ds:,dl
005026BE|.75 12 |jnz short IDMan.005026D2
005026C0|.8BC8 |mov ecx,eax ;ntdll.77C4D63E
005026C2|>83F9 FF |cmp ecx,-0x1
005026C5|.74 15 |je short IDMan.005026DC
005026C7|.8D04FF |lea eax,dword ptr ds:
005026CA|.03CF |add ecx,edi
005026CC|.46 |inc esi
005026CD|.8D3C81 |lea edi,dword ptr ds:
005026D0|.^ EB D3 |jmp short IDMan.005026A5
005026D2|>40 |inc eax ;ntdll.77C4D63E
005026D3|.^ EB DE \jmp short IDMan.005026B3
再到下面就是一系列的判断了,我将给出我的破解笔记:
005026D5|> \8A45 EF mov al,byte ptr ss: ;//保存标志位的值
005026D8|.84C0 test al,al ;//检查标志位的值
005026DA|.74 16 je short IDMan.005026F2 ;//标志位为0则跳转
005026DC|>8B0D 8C826D00 mov ecx,dword ptr ds: ;//序列号输入错误提示
005026E2|.6A 00 push 0x0
005026E4|.68 847F6A00 push IDMan.006A7F84 ;Internet Download Manager
005026E9|.51 push ecx
005026EA|.8B4D C8 mov ecx,dword ptr ss:
005026ED|.^ E9 20FDFFFF jmp IDMan.00502412
005026F2|>8B4D E8 mov ecx,dword ptr ss:
005026F5|.BE 2B000000 mov esi,0x2B
005026FA|.8BC1 mov eax,ecx
005026FC|.99 cdq
005026FD|.F7FE idiv esi
005026FF|.85D2 test edx,edx
00502701|.75 04 jnz short IDMan.00502707 ;//跳转则将标志位赋一
00502703|.85C9 test ecx,ecx
00502705|.75 04 jnz short IDMan.0050270B ;//防止SN1为"22222"
00502707|>C645 EF 01 mov byte ptr ss:,0x1 ;//给标志位赋值
0050270B|>8B4D DC mov ecx,dword ptr ss:
0050270E|.BE 17000000 mov esi,0x17
00502713|.8BC1 mov eax,ecx
00502715|.99 cdq
00502716|.F7FE idiv esi
00502718|.85D2 test edx,edx
0050271A|.75 04 jnz short IDMan.00502720 ;//跳转则将标志位赋一
0050271C|.85C9 test ecx,ecx
0050271E|.75 04 jnz short IDMan.00502724
00502720|>C645 EF 01 mov byte ptr ss:,0x1 ;//将标志位赋一
00502724|>8BC3 mov eax,ebx
00502726|.B9 11000000 mov ecx,0x11
0050272B|.99 cdq
0050272C|.F7F9 idiv ecx
0050272E|.85D2 test edx,edx
00502730|.75 04 jnz short IDMan.00502736 ;//跳转则将标志位赋一
00502732|.85DB test ebx,ebx
00502734|.75 04 jnz short IDMan.0050273A
00502736|>C645 EF 01 mov byte ptr ss:,0x1 ;//将标志位赋一
0050273A|>8BC7 mov eax,edi
0050273C|.B9 35000000 mov ecx,0x35
00502741|.99 cdq
00502742|.F7F9 idiv ecx
00502744|.85D2 test edx,edx
00502746|.75 0B jnz short IDMan.00502753
00502748|.85FF test edi,edi
0050274A|.74 07 je short IDMan.00502753
0050274C|.8A45 EF mov al,byte ptr ss: ;//将标志位赋一
0050274F|.84C0 test al,al
00502751|.74 16 je short IDMan.00502769 ;//跳转则注册成功
00502753|>8B15 8C826D00 mov edx,dword ptr ds: ;//注册失败
00502759|.8B4D C8 mov ecx,dword ptr ss:
上面这串代码实际上就是要每个子串循环得到的一个数值要被不同的整数整除,所以在做注册机的时候,我们只要写好一个函数,别外三个就小小改动一下就好了,关于上面这段代码,我粘贴一下我的推导过程,比较简单。
Ashe
Green
aikuimail@gmail.com
123456789abcdefgh678900
12345-789ab-defgh-78900SN1-SN2-SN3-SN4
第一步:初始化
2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
SN1
索引值=0x2B*n (n e Z+)
2B =
EDI=EAX+EDI+(EDI+EDI*8)*4(EDI初始为0)
= EAX+37*EDI
32 32 32
0 1184
5 43813
24 1621105
34 59980919MOD 2B = 4
最大值的测试:
EDI=EAX+37*EDI
35 35
35 1330
35 49245
35 1822100
35 67417735
计算SN2
2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
789ab
要被0x17整除
EDI=EAX+EDI+(EDI+EDI*8)*4
=EAX+37*EDI
1717
31660
1624436
6 904138
4 33453110
计算SN3
2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
defgh
要被0x11整除
计算SN4
2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
defgh
要被0x35整除
比较乱,但是应该很容易明白。好了,我贴一下我的源码和简易的注册机,关于序列号的构造,源码里面写得很清楚,比较简单。但是屏蔽网络就自己去参考一下别的吧,比较简单,主要是弄清楚算法,这样以后自己也知道怎么打补丁,不是吗?附带我的UDD:
include string.inc
includelib string.lib
include masm32.inc
includelib masm32.lib
include debug.inc
includelib debug.lib
.data?
szName db 64 dup (?)
szSerial db 64 dup (?)
szSn1 db 6 dup (?)
szSn2 db 6 dup (?)
szSn3 db 6 dup (?)
szSn4 db 6 dup (?)
.const
;定义全局数组
szTable db "2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T", 0
szSeparate db '-', 0
.code
comment#
函数名:KeyGenSn1
无参数
无返回值
#
KeyGenSn1 proc
local @index1:DWORD
local @index2:DWORD
local @index3:DWORD
local @index4:DWORD
local @index5:DWORD
local @sum:DWORD
local @sn1:BYTE
invoke RtlZeroMemory, addr @sn1, sizeof @sn1
@@:
xor eax, eax
xor ebx, ebx
xor edx, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index1, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index2, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index3, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index4, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index5, edx
mov @sum, 0
mov eax, 37
mul @sum
add eax, @index1
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index2
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index3
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index4
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index5
mov @sum, eax
mov ebx, 2Bh
cdq
idiv ebx
.if edx
jmp @B
.endif
;得到了合适的数据
lea ebx, szTable
xor edx, edx
xor edi, edi
mov edi, @index1
mov edx,
mov @sn1, dl
xor edx, edx
xor edi, edi
mov edi, @index2
mov edx,
mov @sn1, dl
xor edx, edx
xor edi, edi
mov edi, @index3
mov edx,
mov @sn1, dl
xor edx, edx
xor edi, edi
mov edi, @index4
mov edx,
mov @sn1, dl
xor edx, edx
xor edi, edi
mov edi, @index5
mov edx,
mov @sn1, dl
xor edx, edx
mov @sn1, dl
invoke szCopy, addr @sn1, addr szSn1
mov eax, @sum
ret
KeyGenSn1 endp
comment#
函数名:KeyGenSn2
无参数
无返回值
#
KeyGenSn2 proc
local @index1:DWORD
local @index2:DWORD
local @index3:DWORD
local @index4:DWORD
local @index5:DWORD
local @sum:DWORD
local @sn2:BYTE
invoke RtlZeroMemory, addr @sn2, sizeof @sn2
@@:
xor eax, eax
xor ebx, ebx
xor edx, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index1, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index2, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index3, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index4, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index5, edx
mov @sum, 0
mov eax, 37
mul @sum
add eax, @index1
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index2
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index3
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index4
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index5
mov @sum, eax
mov ebx, 17h
cdq
idiv ebx
.if edx
jmp @B
.endif
;得到了合适的数据
lea ebx, szTable
xor edx, edx
xor edi, edi
mov edi, @index1
mov edx,
mov @sn2, dl
xor edx, edx
xor edi, edi
mov edi, @index2
mov edx,
mov @sn2, dl
xor edx, edx
xor edi, edi
mov edi, @index3
mov edx,
mov @sn2, dl
xor edx, edx
xor edi, edi
mov edi, @index4
mov edx,
mov @sn2, dl
xor edx, edx
xor edi, edi
mov edi, @index5
mov edx,
mov @sn2, dl
xor edx, edx
mov @sn2, dl
invoke szCopy, addr @sn2, addr szSn2
mov eax, @sum
ret
KeyGenSn2 endp
comment#
函数名:KeyGenSn3
无参数
无返回值
#
KeyGenSn3 proc
local @index1:DWORD
local @index2:DWORD
local @index3:DWORD
local @index4:DWORD
local @index5:DWORD
local @sum:DWORD
local @sn3:BYTE
invoke RtlZeroMemory, addr @sn3, sizeof @sn3
@@:
xor eax, eax
xor ebx, ebx
xor edx, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index1, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index2, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index3, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index4, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index5, edx
mov @sum, 0
mov eax, 37
mul @sum
add eax, @index1
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index2
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index3
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index4
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index5
mov @sum, eax
mov ebx, 11h
cdq
idiv ebx
.if edx
jmp @B
.endif
;得到了合适的数据
lea ebx, szTable
xor edx, edx
xor edi, edi
mov edi, @index1
mov edx,
mov @sn3, dl
xor edx, edx
xor edi, edi
mov edi, @index2
mov edx,
mov @sn3, dl
xor edx, edx
xor edi, edi
mov edi, @index3
mov edx,
mov @sn3, dl
xor edx, edx
xor edi, edi
mov edi, @index4
mov edx,
mov @sn3, dl
xor edx, edx
xor edi, edi
mov edi, @index5
mov edx,
mov @sn3, dl
xor edx, edx
mov @sn3, dl
invoke szCopy, addr @sn3, addr szSn3
mov eax, @sum
ret
KeyGenSn3 endp
comment#
函数名:KeyGenSn4
无参数
无返回值
#
KeyGenSn4 proc
local @index1:DWORD
local @index2:DWORD
local @index3:DWORD
local @index4:DWORD
local @index5:DWORD
local @sum:DWORD
local @sn4:BYTE
invoke RtlZeroMemory, addr @sn4, sizeof @sn4
@@:
xor eax, eax
xor ebx, ebx
xor edx, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index1, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index2, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivebx
mov @index3, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index4, edx
invoke GetTickCount
invoke nrandom, eax
mov ebx, 23h
cdq
idivbx
mov @index5, edx
mov @sum, 0
mov eax, 37
mul @sum
add eax, @index1
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index2
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index3
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index4
mov @sum, eax
mov eax, 37
mul @sum
add eax, @index5
mov @sum, eax
mov ebx, 35h
cdq
idiv ebx
.if edx
jmp @B
.endif
;得到了合适的数据
lea ebx, szTable
xor edx, edx
xor edi, edi
mov edi, @index1
mov edx,
mov @sn4, dl
xor edx, edx
xor edi, edi
mov edi, @index2
mov edx,
mov @sn4, dl
xor edx, edx
xor edi, edi
mov edi, @index3
mov edx,
mov @sn4, dl
xor edx, edx
xor edi, edi
mov edi, @index4
mov edx,
mov @sn4, dl
xor edx, edx
xor edi, edi
mov edi, @index5
mov edx,
mov @sn4, dl
xor edx, edx
mov @sn4, dl
invoke szCopy, addr @sn4, addr szSn4
mov eax, @sum
ret
KeyGenSn4 endp
;PrintHex edx
;DbgDump offset szName,16
GetRegCode proc hDlg
pushad
invokestrempty,addr szSerial,sizeof szSerial
invoke GetDlgItemText,hDlg,IDC_NAME,addr szName,sizeof szName
.if eax
invoke RtlZeroMemory, addr szSn1, sizeof szSn1
invoke SetDlgItemText,hDlg,IDC_REG,addr szSerial
;<<<<<<<<<<<<<<<<<构造序列号<<<<<<<<<<<<<<<<<
call KeyGenSn1
call KeyGenSn2
call KeyGenSn3
call KeyGenSn4
invoke szCatStr, addr szSerial, addr szSn1
invoke szCatStr, addr szSerial, addr szSeparate
invoke szCatStr, addr szSerial, addr szSn2
invoke szCatStr, addr szSerial, addr szSeparate
invoke szCatStr, addr szSerial, addr szSn3
invoke szCatStr, addr szSerial, addr szSeparate
invoke szCatStr, addr szSerial, addr szSn4
;<<<<<<<<<<<<<<<<<构造序列号<<<<<<<<<<<<<<<<<
invoke SetDlgItemText, hDlg, IDC_REG, addr szSerial
.else
invoke SetDlgItemText,hDlg,IDC_REG,CTXT("请输入用户名!")
.endif
popad
ret
GetRegCode endp
对了,这个软件是注册表重启验证的,大家可以直接去注册表里面修改以重复验证。
成品注册机:
UDD:
正在为激活该软件而烦,谢谢楼主分享! 很棒,吃完饭回来再慢慢看,
看完这篇文章后 会自己算注册码啦 ,有兴趣的可以去下载我的Patch 应用后 对比下原版,也不多 几十处地址,
几年前写过几个通杀 , 每个差不多都用个1年 就失效啦,目前来说6.2xx的版本一字节也可以使用,不过感觉不太完美。
我一般Patch的话
1: 假注册码检索
2: 联网校验注册码
3: 程序的更新参数
4: 注册表的获取键值
使用自己算的一个key, 让他只获取注册表 满足注册码条件的键值来显示用户名, 当然注册表键值这里也可以搞掉, 其次让他一直获取本机的系统名,或者指定的名字。
这个软件花样太多。。。。。。
厉害 非常喜欢这样的分析过程。 腻害啊,大牛带我一起飞吧 楼主你好,可以分析一下超级捕快吗? 学霸 发表于 2016-1-7 19:31
楼主你好,可以分析一下超级捕快吗?
昨天拿到了一个正式版本的,但是我电脑太老了,一启动就死机,在虚拟机里面也是这样,以后再分析吧,不好意思。 这些文章太给力,多出点,谢谢。 楼主已刁破天际,请收下我的膝盖 又出新软件了
太厉害了····