XXX计算器1.8注册分析和注册机代码
该计算器软件查壳结果为Aspack v2.12加壳,可用脱壳机脱壳或手动脱壳。用OD载入脱壳后的程序,F9运行后出现注册框,输入一个注册号,如"-9282155802"。下硬盘断点bp GetDiskFreeSpaceA,点击注册,断下后按Alt+F9返回到这里:
004A9FB7|.8B45 98 |mov eax,
004A9FBA|.F76D A4 |imul
004A9FBD|.F76D A0 |imul
004A9FC0|.C1E8 0A |shr eax,0xA
004A9FC3|.C1E8 0A |shr eax,0xA
004A9FC6|.8945 9C |mov ,eax
004A9FC9|.8B45 9C |mov eax,
004A9FCC|.33D2 |xor edx,edx
004A9FCE|.52 |push edx
004A9FCF|.50 |push eax
004A9FD0|.8D85 64FFFFFF |lea eax,
004A9FD6|.E8 99EAF5FF |call _UnPacke.00408A74
004A9FDB|.8B95 64FFFFFF |mov edx,
004A9FE1|.8D45 B0 |lea eax,
004A9FE4|.E8 ABA7F5FF |call _UnPacke.00404794
004A9FE9|.8D95 60FFFFFF |lea edx,
004A9FEF|.8B45 FC |mov eax,
004A9FF2|.8B80 88040000 |mov eax,dword ptr ds:
004A9FF8|.E8 CB2EF9FF |call _UnPacke.0043CEC8
004A9FFD|.8B85 60FFFFFF |mov eax, -----获取到的注册号,如"-9282155802" 16进制为FFFFFFFDD6BD8AE6
004AA003|.E8 DC00F6FF |call _UnPacke.0040A0E4
004AA008|.DB7D E8 |fstp tbyte ptr ss:
004AA00B|.9B |wait
004AA00C|.DB6D E8 |fld tbyte ptr ss:
004AA00F|.E8 408BF5FF |call _UnPacke.00402B54
004AA014|.8945 D8 |mov ,eax -----先取注册号的16进制后8位送入 如D6BD8AE6
004AA017|.8955 DC |mov ,edx -----剩余部分送入 如FFFFFFFD
004AA01A|.A1 FCED4A00 |mov eax,dword ptr ds:
004AA01F|.35 C0400818 |xor eax,0x180840C0
004AA024|.0D 24080300 |or eax,0x30824
004AA029|.0D A32F1A02 |or eax,0x21A2FA3
004AA02E|.35 64082100 |xor eax,0x210864
004AA033|.0D 60A00900 |or eax,0x9A060
004AA038|.33D2 |xor edx,edx
004AA03A|.8945 E0 |mov ,eax
004AA03D|.8955 E4 |mov ,edx
004AA040|.8B45 D8 |mov eax,
004AA043|.8B55 DC |mov edx,
004AA046|.81F0 640AB302 |xor eax,0x2B30A64
004AA04C|.81F2 00000000 |xor edx,0x0
004AA052|.81F0 26924700 |xor eax,0x479226
004AA058|.81F2 00000000 |xor edx,0x0
004AA05E|.0D A1240000 |or eax,0x24A1
004AA063|.81F0 83720000 |xor eax,0x7283
004AA069|.81F2 00000000 |xor edx,0x0
004AA06F|.3B55 E4 |cmp edx,
004AA072|.75 47 |jnz short _UnPacke.004AA0BB
004AA074|.3B45 E0 |cmp eax,
004AA077|.75 42 |jnz short _UnPacke.004AA0BB
004AA079|.8B45 E0 |mov eax,
004AA07C|.8B55 E4 |mov edx,
004AA07F|.81E0 A32F1A02 |and eax,0x21A2FA3
004AA085|.33D2 |xor edx,edx
004AA087|.0D 6CF21100 |or eax,0x11F26C
004AA08C|.81F0 13C92300 |xor eax,0x23C913
004AA092|.81F2 00000000 |xor edx,0x0
004AA098|.0D 640AB302 |or eax,0x2B30A64
004AA09D|.81F0 13C92300 |xor eax,0x23C913
004AA0A3|.81F2 00000000 |xor edx,0x0
004AA0A9|.81F0 11980A00 |xor eax,0xA9811
004AA0AF|.81F2 00000000 |xor edx,0x0
004AA0B5|.8945 E0 |mov ,eax
004AA0B8|.8955 E4 |mov ,edx
004AA0BB|>8D95 5CFFFFFF |lea edx,
004AA0C1|.8B45 FC |mov eax,
004AA0C4|.8B80 24040000 |mov eax,dword ptr ds:
004AA0CA|.E8 F92DF9FF |call _UnPacke.0043CEC8
004AA0CF|.8B95 5CFFFFFF |mov edx,
004AA0D5|.B8 C4ED4A00 |mov eax,_UnPacke.004AEDC4
004AA0DA|.E8 49A4F5FF |call _UnPacke.00404528
004AA0DF|.A1 C4ED4A00 |mov eax,dword ptr ds:
004AA0E4|.E8 A3A6F5FF |call _UnPacke.0040478C
004AA0E9|.8BD8 |mov ebx,eax
004AA0EB|.85DB |test ebx,ebx
004AA0ED|.7E 3D |jle short _UnPacke.004AA12C
004AA0EF|.BE 01000000 |mov esi,0x1
004AA0F4|>8D85 58FFFFFF |/lea eax, ------从这到地址004AA12A为循环,根据序列号位数如3395943118循环10次
004AA0FA|.8B15 C4ED4A00 ||mov edx,dword ptr ds:---edx=序列号3395943118
004AA100|.8A5432 FF ||mov dl,byte ptr ds: ---取序列号第一位如3
004AA104|.E8 ABA5F5FF ||call _UnPacke.004046B4
004AA109|.8B85 58FFFFFF ||mov eax,
004AA10F|.E8 D4E9F5FF ||call _UnPacke.00408AE8 ----eax=3
004AA114|.8B0485 20CA4A>||mov eax,dword ptr ds:----取从0x4ACA20开始偏移eax*4的值送入eax
004AA11B|.99 ||cdq ------注意这里判断eax 如<&H80000000 则 edx=0;如>=&H80000000 则edx=&HFFFFFFFF
004AA11C|.3345 D8 ||xor eax,-----eax=eax xor
004AA11F|.3355 DC ||xor edx, -----edx=edx xor
004AA122|.8945 D8 ||mov ,eax-----=eax
004AA125|.8955 DC ||mov ,edx -----=edx
004AA128|.46 ||inc esi
004AA129|.4B ||dec ebx
004AA12A|.^ 75 C8 |\jnz short _UnPacke.004AA0F4
004AA12C|>33F6 |xor esi,esi
004AA12E|.B9 20CA4A00 |mov ecx,_UnPacke.004ACA20
004AA133|>8B01 |/mov eax,dword ptr ds:------从这到地址004AA15F循环&H80次 eax=
004AA135|.99 ||cdq -----同上
004AA136|.3345 D8 ||xor eax, -----eax=eax xor
004AA139|.3355 DC ||xor edx,-----edx=edx xor
004AA13C|.8945 D8 ||mov ,eax -----=eax
004AA13F|.8955 DC ||mov ,edx-----=edx
004AA142|.8B81 00020000 ||mov eax,dword ptr ds: ---eax=
004AA148|.99 ||cdq -----同上
004AA149|.3345 D8 ||xor eax, -----同上
004AA14C|.3355 DC ||xor edx, -----同上
004AA14F|.8945 D8 ||mov ,eax -----同上
004AA152|.8955 DC ||mov ,edx -----同上
004AA155|.46 ||inc esi
004AA156|.83C1 04 ||add ecx,0x4
004AA159|.81FE 80000000 ||cmp esi,0x80
004AA15F|.^ 75 D2 |\jnz short _UnPacke.004AA133
004AA161|.DF6D D8 |fild qword ptr ss:
004AA164|.83C4 F4 |add esp,-0xC
004AA167|.DB3C24 |fstp tbyte ptr ss:
004AA16A|.9B |wait
004AA16B|.8D85 54FFFFFF |lea eax,
004AA171|.E8 E6FEF5FF |call _UnPacke.0040A05C
004AA176|.8B95 54FFFFFF |mov edx, -----------经以上循环得到的值 如"9594311833"
004AA17C|.B8 C4ED4A00 |mov eax,_UnPacke.004AEDC4
004AA181|.E8 A2A3F5FF |call _UnPacke.00404528
004AA186|.BB 08000000 |mov ebx,0x8
004AA18B|>8D45 CC |/lea eax, ------从这到地址004AA1FB 循环把发上的值最后2位数移到前面,如"3395943118"此值由注册号生成
004AA18E|.50 ||push eax
004AA18F|.B9 01000000 ||mov ecx,0x1
004AA194|.8BD3 ||mov edx,ebx
004AA196|.A1 C4ED4A00 ||mov eax,dword ptr ds:
004AA19B|.E8 44A8F5FF ||call _UnPacke.004049E4
004AA1A0|.8D45 A8 ||lea eax,
004AA1A3|.50 ||push eax
004AA1A4|.8D7B 02 ||lea edi,dword ptr ds:
004AA1A7|.8BD7 ||mov edx,edi
004AA1A9|.B9 01000000 ||mov ecx,0x1
004AA1AE|.A1 C4ED4A00 ||mov eax,dword ptr ds:
004AA1B3|.E8 2CA8F5FF ||call _UnPacke.004049E4
004AA1B8|.B8 C4ED4A00 ||mov eax,_UnPacke.004AEDC4
004AA1BD|.B9 01000000 ||mov ecx,0x1
004AA1C2|.8BD3 ||mov edx,ebx
004AA1C4|.E8 5BA8F5FF ||call _UnPacke.00404A24
004AA1C9|.BA C4ED4A00 ||mov edx,_UnPacke.004AEDC4
004AA1CE|.8BCB ||mov ecx,ebx
004AA1D0|.8B45 A8 ||mov eax,
004AA1D3|.E8 94A8F5FF ||call _UnPacke.00404A6C
004AA1D8|.8BD7 ||mov edx,edi
004AA1DA|.B8 C4ED4A00 ||mov eax,_UnPacke.004AEDC4
004AA1DF|.B9 01000000 ||mov ecx,0x1
004AA1E4|.E8 3BA8F5FF ||call _UnPacke.00404A24
004AA1E9|.8BCF ||mov ecx,edi
004AA1EB|.BA C4ED4A00 ||mov edx,_UnPacke.004AEDC4
004AA1F0|.8B45 CC ||mov eax,
004AA1F3|.E8 74A8F5FF ||call _UnPacke.00404A6C
004AA1F8|.4B ||dec ebx
004AA1F9|.85DB ||test ebx,ebx
004AA1FB|.^ 75 8E |\jnz short _UnPacke.004AA18B
004AA1FD|.8D45 B0 |lea eax,
004AA200|.8B15 C4ED4A00 |mov edx,dword ptr ds:
004AA206|.E8 61A3F5FF |call _UnPacke.0040456C
生成的值与序列号比较,相同则注册成功,否则提示错误。根据“异或”的性质:若 a xor b=c,则 c xor a=b、c xor b=a,即异或是可逆运算。也正因如此,仅靠与固定数值表做异或的注册校验并不具备安全性:校验算法本身就足以反推出对应的注册号。
注册流程是:注册号 xor 固定数值=C,再把C的值后2位移到前面即为生成的值,与序列号比较,相同则注册成功。
注册成功后会在注册表 \Software\Microsoft\Active Setup\Installed Components 位置写入字符串值:Device_AutoCopyTo=0,Version=注册号
注册机编写:把输入的序列号前2位移到后面 xor 固定数值即为注册号
注:CalcVoice1_8.cpx文件是从内存0x4ACA20开始、大小为0x870的数据转储
根据注册流程即可编写注册机了,以下用vb.net编写,代码如下
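''' <summary>
''' Opens the file at <paramref name="path"/> read-only and returns its entire
''' content as a byte array.
''' </summary>
''' <param name="path">Path of the file to read.</param>
''' <returns>All bytes of the file, in file order.</returns>
''' <remarks>
''' Exceptions from opening or reading the file (missing file, access denied,
''' a length that does not fit in an Integer) propagate to the caller.
''' </remarks>
Public Function 打开文件读取字节到数组中(ByVal path As String) As Byte()
    ' Using blocks release the file handle even when the read throws; the
    ' original Close/Dispose calls were skipped on any exception, leaking the handle.
    Using fs As New FileStream(path, FileMode.Open, FileAccess.Read)
        Using br As New BinaryReader(fs)
            ' ReadBytes takes an Integer count; make the narrowing from Long explicit.
            Return br.ReadBytes(CInt(fs.Length))
        End Using
    End Using
End Function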
''' <summary>
''' Reads <paramref name="n"/> bytes starting at index <paramref name="m"/> of
''' <paramref name="array"/> as a little-endian number and returns it as a Long.
''' </summary>
''' <param name="array">Source bytes.</param>
''' <param name="m">Index of the first (least significant) byte.</param>
''' <param name="n">Number of bytes to combine.</param>
''' <returns>The value parsed from the "&amp;H"-prefixed hex text of those bytes.</returns>
Function 在数组指定位置读取N字节返回十进制(ByVal array() As Byte, ByVal m As Integer, ByVal n As Integer) As Long
    Dim hexText As String = ""
    ' Walk upward from the lowest address and prepend each byte, so the byte at
    ' the highest index ends up as the leading (most significant) hex pair.
    For offset As Integer = m To m + n - 1
        hexText = array(offset).ToString("X2") & hexText
    Next
    ' The value is produced by VB's string-to-Long conversion of "&H...".
    Return CLng("&H" & hexText)
End Function
' Click handler for Button1.
' Takes the text in TextBox1, moves its first two characters to the end, splits the
' hexadecimal form of that value into a low 32-bit half (local_10) and a high half
' (local_9), XORs both halves with 32-bit words read from the file CalcVoice1_8.cpx,
' and writes the combined result to TextBox2.
' NOTE(review): the routine relies on VB implicit conversions (String -> Double -> Long);
' it presumably only compiles with Option Strict Off - confirm.
' NOTE(review): TextBox1.Text is not validated; an input shorter than two characters
' makes the Mid length argument negative.
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
' EAX/ECX/EDX are plain locals named after the registers in the disassembly listing.
Dim EAX, ECX, EDX As Long
Dim m, n As Integer
Dim ss As Double
Dim xlh, dl As String
' local_10 holds the low 32 bits, local_9 the remaining high part of the running value.
Dim local_10, local_9 As Double
Dim r, r0, s10, s11, s12 As String
r0 = Mid(TextBox1.Text, 3, Len(TextBox1.Text) - 2) & Mid(TextBox1.Text, 1, 2) ' move the first two characters of the serial to the end
' Hex() receives a String here; presumably it is parsed as a decimal number first - confirm.
r = Hex(r0)
' Split the hex text: the last 8 digits become local_10, anything before them local_9.
If Len(r) <= 8 Then
local_10 = "&H" & r
local_9 = 0
Else
local_10 = "&H" & Mid(r, Len(r) - 7, 8)
local_9 = "&H" & Mid(r, 1, Len(r) - 8)
End If
xlh = TextBox1.Text ' the serial as entered
' NOTE(review): `array` is not declared in this handler; it has to be declared elsewhere
' (e.g. Dim array As Byte()) for this to compile.
array = 打开文件读取字节到数组中(Application.StartupPath & "\CalcVoice1_8.cpx")
' First pass: a fixed 10 iterations, one per character position of the serial.
' Each digit selects a 4-byte word at offset digit*4 in the table file.
For m = 1 To 10
dl = Mid(xlh, m, 1)
EAX = Val(dl)
' file offset 0 corresponds to address 0x4ACA20 in the analysed program
EAX = 在数组指定位置读取N字节返回十进制(array, EAX * 4, 4)
' Sign-extension of the 32-bit word into EDX, mirroring the cdq instruction in the listing.
' NOTE(review): the literal &HFFFFFFFF is an Integer in VB, so EDX presumably becomes -1
' as a Long; only the low 8 hex digits are kept at the end - confirm.
If EAX < 2147483648 Then
EDX = &H0
ElseIf EAX >= 2147483648 Then
EDX = &HFFFFFFFF
End If
' Fold the word into the running 64-bit value, half by half.
EAX = EAX Xor local_10
EDX = EDX Xor local_9
local_10 = EAX
local_9 = EDX
Next
'-------------------------------------------------------------------
' Second pass: &H80 iterations; each one folds in the word at offset ECX and the
' word at offset ECX + &H200, then advances ECX by 4.
ECX = 0
For n = 1 To &H80
EAX = 在数组指定位置读取N字节返回十进制(array, ECX, 4)
If EAX < 2147483648 Then
EDX = &H0
ElseIf EAX >= 2147483648 Then
EDX = &HFFFFFFFF
End If
EAX = EAX Xor local_10
EDX = EDX Xor local_9
local_10 = EAX
local_9 = EDX
EAX = 在数组指定位置读取N字节返回十进制(array, ECX + &H200, 4)
If EAX < 2147483648 Then
EDX = &H0
ElseIf EAX >= 2147483648 Then
EDX = &HFFFFFFFF
End If
EAX = EAX Xor local_10
EDX = EDX Xor local_9
local_10 = EAX
local_9 = EDX
ECX = ECX + &H4
Next
' Re-join the halves: up to 8 trailing hex digits of the high part, then of the low part.
s10 = Hex(local_10)
s11 = Hex(local_9)
s12 = Microsoft.VisualBasic.Right(s11, 8) & Microsoft.VisualBasic.Right(s10, 8)
' The hex text is converted to a Double before display.
' NOTE(review): a Double cannot represent every 64-bit integer exactly, so large
' values may lose precision here - confirm.
ss = "&H" & s12
TextBox2.Text = ss
End Sub
不好意思,忘了在项目文件Form1.vb加入命名空间
Imports System
Imports System.Collections
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Drawing
Imports System.IO
Imports System.Runtime.CompilerServices
Imports System.Runtime.InteropServices
Imports System.Windows.Forms
Imports Microsoft.VisualBasic
Imports Microsoft.VisualBasic.CompilerServices
CalcVoice1_8.cpx文件放在附件下和Debug目录下
Array 数组变量未声明 加入Dim array As Byte()即可编译成功
附件: 测试出现如下提示
(1:0) Statement is not valid in a namespace.
(13:0) Statement is not valid in a namespace.
(24:0) Statement is not valid in a namespace.
请教楼主如何解决,谢谢 附件里的cpx文件是什么?没有注册机成品 运行出错。..... 学习了,谢谢分享 下来看看 什么计算器呢? 一串数字然后报错,无法运行 无法运行 直接报错