蚊香
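Posted on 2008-6-29 21:41
【Title】: 1st Security Agent pro 7.62: a first look at the registration algorithm
【Author】: 蚊香
【Author e-mail】: xpi386com@163.com
【Author homepage】: http://www.xpi386.com
【Software name】: 1st Security Agent pro 7.62
【Software size】: 1884KB
【Download URL】: http://www.newhua.com/soft/26590.htm
【Tools used】: OD
【Author's statement】: Just out of interest, no other purpose. If I have made mistakes, corrections from the experts are welcome!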
--------------------------------------------------------------------------------
【Detailed process】
A trial registration produces an error message; tracing back through the call stack locates the key code.
004BFE2C /$ 55 PUSH EBP
004BFE2D |. 8BEC MOV EBP,ESP
004BFE2F |. B9 07000000 MOV ECX,7
004BFE34 |> 6A 00 /PUSH 0
004BFE36 |. 6A 00 |PUSH 0
004BFE38 |. 49 |DEC ECX
004BFE39 |.^ 75 F9 \JNZ SHORT newadmin.004BFE34
004BFE3B |. 51 PUSH ECX
004BFE3C |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004BFE3F |. 33C0 XOR EAX,EAX
004BFE41 |. 55 PUSH EBP
004BFE42 |. 68 AFFF4B00 PUSH newadmin.004BFFAF
004BFE47 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004BFE4A |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BFE4D |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004BFE50 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BFE53 |. 8B80 B0030000 MOV EAX,DWORD PTR DS:[EAX+3B0]
004BFE59 |. E8 C6B3F9FF CALL newadmin.0045B224 ; 1
004BFE5E |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004BFE61 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004BFE64 |. E8 8BF0FBFF CALL newadmin.0047EEF4
004BFE69 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004BFE6C |. B8 542E5100 MOV EAX,newadmin.00512E54
004BFE71 |. E8 4A54F4FF CALL newadmin.004052C0
004BFE76 |. E8 09FDFFFF CALL newadmin.004BFB84 ; key CALL, the algorithm is inside; F7 to step in
004BFE7B |. 8845 FB MOV BYTE PTR SS:[EBP-5],AL
004BFE7E |. 807D FB 00 CMP BYTE PTR SS:[EBP-5],0
004BFE82 |. 0F84 D8000000 JE newadmin.004BFF60 ; key jump; if taken, registration fails
004BFE88 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BFE8B |. C680 D8030000>MOV BYTE PTR DS:[EAX+3D8],1
004BFE92 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004BFE95 |. 50 PUSH EAX
004BFE96 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004BFE99 |. B8 C8FF4B00 MOV EAX,newadmin.004BFFC8 ; ASCII "BF8A83B980"
004BFE9E |. E8 D908FCFF CALL newadmin.0048077C
004BFEA3 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004BFEA6 |. 50 PUSH EAX
004BFEA7 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004BFEAA |. B8 DCFF4B00 MOV EAX,newadmin.004BFFDC ; ASCII "BE828B999A8C9F88B1C8BDBFA2AAA3ACA0A8C8"
004BFEAF |. E8 14FEFFFF CALL newadmin.004BFCC8
004BFEB4 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004BFEB7 |. A1 5C2E5100 MOV EAX,DWORD PTR DS:[512E5C]
004BFEBC |. 59 POP ECX
004BFEBD |. E8 A245FCFF CALL newadmin.00484464
004BFEC2 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004BFEC5 |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFECA |. E8 F507FCFF CALL newadmin.004806C4 ; ?????????????
004BFECF |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004BFED2 |. 50 PUSH EAX
004BFED3 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004BFED6 |. B8 0C004C00 MOV EAX,newadmin.004C000C ; ASCII "BF9D9FAE999E"
004BFEDB |. E8 9C08FCFF CALL newadmin.0048077C
004BFEE0 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004BFEE3 |. 50 PUSH EAX
004BFEE4 |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004BFEE7 |. B8 DCFF4B00 MOV EAX,newadmin.004BFFDC ; ASCII "BE828B999A8C9F88B1C8BDBFA2AAA3ACA0A8C8"
004BFEEC |. E8 D7FDFFFF CALL newadmin.004BFCC8
004BFEF1 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
004BFEF4 |. A1 5C2E5100 MOV EAX,DWORD PTR DS:[512E5C]
004BFEF9 |. 59 POP ECX
004BFEFA |. E8 E146FCFF CALL newadmin.004845E0
004BFEFF |. 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
004BFF03 |. 75 44 JNZ SHORT newadmin.004BFF49
004BFF05 |. E8 1ABCF4FF CALL newadmin.0040BB24
004BFF0A |. 83C4 F8 ADD ESP,-8
004BFF0D |. DD1C24 FSTP QWORD PTR SS:[ESP]
004BFF10 |. 9B WAIT
004BFF11 |. 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
004BFF14 |. E8 D70AFCFF CALL newadmin.004809F0
004BFF19 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004BFF1C |. 50 PUSH EAX
004BFF1D |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004BFF20 |. B8 C8FF4B00 MOV EAX,newadmin.004BFFC8 ; ASCII "BF8A83B980"
004BFF25 |. E8 5208FCFF CALL newadmin.0048077C
004BFF2A |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
004BFF2D |. 50 PUSH EAX
004BFF2E |. 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004BFF31 |. B8 DCFF4B00 MOV EAX,newadmin.004BFFDC ; ASCII "BE828B999A8C9F88B1C8BDBFA2AAA3ACA0A8C8"
004BFF36 |. E8 8DFDFFFF CALL newadmin.004BFCC8
004BFF3B |. 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
004BFF3E |. A1 5C2E5100 MOV EAX,DWORD PTR DS:[512E5C]
004BFF43 |. 59 POP ECX
004BFF44 |. E8 9746FCFF CALL newadmin.004845E0
004BFF49 |> 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004BFF4C |. B8 24004C00 MOV EAX,newadmin.004C0024 ; ASCII "M_THANKS"
004BFF51 |. E8 CEECFEFF CALL newadmin.004AEC24
004BFF56 |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
004BFF59 |. E8 0AFDFEFF CALL newadmin.004AFC68 ; success here
004BFF5E |. EB 1F JMP SHORT newadmin.004BFF7F
004BFF60 |> B8 542E5100 MOV EAX,newadmin.00512E54
004BFF65 |. E8 0253F4FF CALL newadmin.0040526C
004BFF6A |. 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
004BFF6D |. B8 38004C00 MOV EAX,newadmin.004C0038 ; ASCII "M_BADCODE"
004BFF72 |. E8 ADECFEFF CALL newadmin.004AEC24
004BFF77 |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
004BFF7A |. E8 5DFCFEFF CALL newadmin.004AFBDC ; failure here
004BFF7F |> 33C0 XOR EAX,EAX
004BFF81 |. 5A POP EDX
004BFF82 |. 59 POP ECX
004BFF83 |. 59 POP ECX
004BFF84 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004BFF87 |. 68 B6FF4B00 PUSH newadmin.004BFFB6
004BFF8C |> 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004BFF8F |. BA 0A000000 MOV EDX,0A
004BFF94 |. E8 F752F4FF CALL newadmin.00405290
004BFF99 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004BFF9C |. E8 CB52F4FF CALL newadmin.0040526C
004BFFA1 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004BFFA4 |. BA 02000000 MOV EDX,2
004BFFA9 |. E8 E252F4FF CALL newadmin.00405290
004BFFAE \. C3 RETN
004BFFAF .^ E9 204CF4FF JMP newadmin.00404BD4
004BFFB4 .^ EB D6 JMP SHORT newadmin.004BFF8C
004BFFB6 . 8A45 FB MOV AL,BYTE PTR SS:[EBP-5]
004BFFB9 . 8BE5 MOV ESP,EBP
004BFFBB . 5D POP EBP
004BFFBC . C3 RETN
Step into the key CALL at 004BFE76:
004BFB84 /$ 55 PUSH EBP
004BFB85 |. 8BEC MOV EBP,ESP
004BFB87 |. 83C4 F0 ADD ESP,-10
004BFB8A |. 33C0 XOR EAX,EAX
004BFB8C |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004BFB8F |. C645 FF 00 MOV BYTE PTR SS:[EBP-1],0
004BFB93 |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFB98 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004BFB9B |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004BFB9E |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004BFBA1 |. 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
004BFBA5 |. 74 0B JE SHORT newadmin.004BFBB2
004BFBA7 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004BFBAA |. 83E8 04 SUB EAX,4
004BFBAD |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BFBAF |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004BFBB2 |> 837D F0 0E CMP DWORD PTR SS:[EBP-10],0E ; check whether the registration code is 14 characters long
004BFBB6 |. 0F85 85000000 JNZ newadmin.004BFC41
004BFBBC |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFBC1 |. 8038 31 CMP BYTE PTR DS:[EAX],31 ; compare 1st character with 1
004BFBC4 |. 0F94C0 SETE AL
004BFBC7 |. 83E0 7F AND EAX,7F
004BFBCA |. 0145 F8 ADD DWORD PTR SS:[EBP-8],EAX
004BFBCD |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFBD2 |. 8078 02 32 CMP BYTE PTR DS:[EAX+2],32 ; compare 3rd character with 2
004BFBD6 |. 0F94C0 SETE AL
004BFBD9 |. 83E0 7F AND EAX,7F
004BFBDC |. 0145 F8 ADD DWORD PTR SS:[EBP-8],EAX
004BFBDF |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFBE4 |. 8078 03 31 CMP BYTE PTR DS:[EAX+3],31 ; compare 4th character with 1
004BFBE8 |. 0F94C0 SETE AL
004BFBEB |. 83E0 7F AND EAX,7F
004BFBEE |. 0145 F8 ADD DWORD PTR SS:[EBP-8],EAX
004BFBF1 |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFBF6 |. 8078 04 39 CMP BYTE PTR DS:[EAX+4],39 ; compare 5th character with 9
004BFBFA |. 0F94C0 SETE AL
004BFBFD |. 83E0 7F AND EAX,7F
004BFC00 |. 0145 F8 ADD DWORD PTR SS:[EBP-8],EAX
004BFC03 |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFC08 |. 8078 07 30 CMP BYTE PTR DS:[EAX+7],30 ; compare 8th character with 0
004BFC0C |. 0F94C0 SETE AL
004BFC0F |. 83E0 7F AND EAX,7F
004BFC12 |. 0145 F8 ADD DWORD PTR SS:[EBP-8],EAX
004BFC15 |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFC1A |. 8078 08 35 CMP BYTE PTR DS:[EAX+8],35 ; compare 9th character with 5
004BFC1E |. 0F94C0 SETE AL
004BFC21 |. 83E0 7F AND EAX,7F
004BFC24 |. 0145 F8 ADD DWORD PTR SS:[EBP-8],EAX
004BFC27 |. A1 542E5100 MOV EAX,DWORD PTR DS:[512E54]
004BFC2C |. 8078 0A 33 CMP BYTE PTR DS:[EAX+A],33 ; compare 11th character with 3
004BFC30 |. 0F94C0 SETE AL
004BFC33 |. 83E0 7F AND EAX,7F
004BFC36 |. 0145 F8 ADD DWORD PTR SS:[EBP-8],EAX
004BFC39 |. 837D F8 07 CMP DWORD PTR SS:[EBP-8],7
004BFC3D |. 0F9445 FF SETE BYTE PTR SS:[EBP-1]
004BFC41 |> 8A45 FF MOV AL,BYTE PTR SS:[EBP-1]
004BFC44 |. 8BE5 MOV ESP,EBP
004BFC46 |. 5D POP EBP
004BFC47 \. C3 RETN
--------------------------------------------------------------------------------
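【Summary】
The algorithm is very simple, practically a plaintext code. The registration code is 14 characters long; the 1st, 3rd, 4th, 5th, 8th, 9th and 11th characters are fixed at 1, 2, 1, 9, 0, 5 and 3 respectively. The other positions are arbitrary.
VB keygen source: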
Dim a(1 To 14) As Integer
Randomize
a(1) = 1
a(2) = Int(Rnd * 9)
a(3) = 2
a(4) = 1
a(5) = 9
a(6) = Int(Rnd * 9)
a(7) = Int(Rnd * 9)
a(8) = 0
a(9) = 5
a(10) = Int(Rnd * 9)
a(11) = 3
a(12) = Int(Rnd * 9)
a(13) = Int(Rnd * 9)
a(14) = Int(Rnd * 9)
Text1.Text = a(1) & a(2) & a(3) & a(4) & a(5) & a(6) & a(7) & a(8) & a(9) & a(10) & a(11) & a(12) & a(13) & a(14)
--------------------------------------------------------------------------------
【Copyright notice】: This article is an original work by 蚊香. When reposting, please credit the author and keep the article intact. Thanks!
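The check performed by the routine at 004BFB84, rewritten in C as an added example (a reconstruction from the listing in this post, not code from the original post or from the vendor). The function and table names are hypothetical, and strlen is an assumption standing in for the length the binary reads from the 4 bytes before the string data. It makes the design weakness visible: seven fixed bytes, seven positions that are never read, and nothing in this routine that ties the code to a user name or a machine.

```c
#include <stddef.h>
#include <string.h>

/* Offsets and expected bytes, copied from the CMP BYTE PTR DS:[EAX+n],imm
   instructions at 004BFBC1..004BFC2C. */
struct fixed_byte { size_t offset; char expected; };
static const struct fixed_byte CHECKS[] = {
    {0x0, '1'}, {0x2, '2'}, {0x3, '1'}, {0x4, '9'},
    {0x7, '0'}, {0x8, '5'}, {0xA, '3'},
};
#define NUM_CHECKS (sizeof CHECKS / sizeof CHECKS[0])
#define SERIAL_LEN 14u              /* CMP DWORD PTR [EBP-10],0E */

/* Diagnostic form of the check (hypothetical name): returns -1 if the serial
   would be accepted, -2 on a length mismatch, otherwise the 0-based offset
   of the first fixed byte that does not match. */
int first_rejecting_offset(const char *serial)
{
    /* The binary takes the length from [ptr-4] and treats a nil pointer as
       length 0; strlen is an assumption standing in for that header read. */
    size_t len = serial ? strlen(serial) : 0;
    if (len != SERIAL_LEN)
        return -2;
    for (size_t i = 0; i < NUM_CHECKS; i++)
        if (serial[CHECKS[i].offset] != CHECKS[i].expected)
            return (int)CHECKS[i].offset;
    return -1;
}

/* Same result as the routine at 004BFB84: it adds one per matching byte
   (SETE AL / ADD [EBP-8],EAX) and accepts only when the sum is 7. */
int check_serial(const char *serial)
{
    size_t matches = 0;             /* [EBP-8] */
    if (!serial || strlen(serial) != SERIAL_LEN)
        return 0;                   /* JNZ 004BFC41 leaves [EBP-1] = 0 */
    for (size_t i = 0; i < NUM_CHECKS; i++)
        matches += (serial[CHECKS[i].offset] == CHECKS[i].expected);
    return matches == NUM_CHECKS;
}

/* Positions the routine never reads, i.e. bytes that carry no verification. */
size_t unconstrained_positions(void)
{
    return SERIAL_LEN - NUM_CHECKS;
}
```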