考无忧专业技术人员考试软件离线注册分析+注册源码
考无忧专业技术人员考试软件离线注册分析+注册源码www.k51.com.cn
有算法了,版本不重要了,目前都还能注册。
; Machine-code derivation as traced in the debugger (excerpt from the middle of a routine).
; Visible flow: three strings are joined, hashed by the call the author labels MD5, and the
; first 20 hex characters of the digest are regrouped as XXXXX-XXXXX-XXXXX-XXXXX.
0054E153 .FF35 B4765B00 push dword ptr ;ds:=01877DC8, (ASCII "WD-WCAV29821726") -- presumably a drive serial number (not stated by the author)
0054E159 .FF35 B8765B00 push dword ptr ;ds:=01877DE4, (ASCII "B329-664D-6575-7320") // author's note: origin of this value not analysed yet
0054E15F .FF35 C0765B00 push dword ptr ;ds:=01885DAC, (ASCII "excel2003") -- read from 005B76C0
0054E165 .8D85 88FEFFFF lea eax, dword ptr
0054E16B .BA 03000000 mov edx, 0x3
0054E170 .E8 8B6EEBFF call 00405000 ;edx=3: joins the three pushed strings (result shown in the next annotation)
0054E175 .8B95 88FEFFFF mov edx, dword ptr ;stack ss:=01885E1C, (ASCII "WD-WCAV29821726B329-664D-6575-7320excel2003")
0054E17B .8D8D E8FEFFFF lea ecx, dword ptr
0054E181 .8BC6 mov eax, esi
0054E183 .E8 3815FFFF call 0053F6C0
0054E188 .8D85 84FEFFFF lea eax, dword ptr
0054E18E .50 push eax
0054E18F .8D8D 80FEFFFF lea ecx, dword ptr
0054E195 .8D95 E8FEFFFF lea edx, dword ptr
0054E19B .8B06 mov eax, dword ptr
0054E19D .E8 8E15FFFF call 0053F730 ;MD5
0054E1A2 .8B85 80FEFFFF mov eax, dword ptr ;stack ss:=01885E54, (ASCII "0A2D629215B24A7B9A29AAF00644E11D")
0054E1A8 .B9 05000000 mov ecx, 0x5
0054E1AD .33D2 xor edx, edx
0054E1AF .E8 F06FEBFF call 004051A4 ;appears to be a substring helper: edx=start (0 here), ecx=length (5)
0054E1B4 .FFB5 84FEFFFF push dword ptr ;stack ss:=01866224, (ASCII "0A2D6")
0054E1BA .68 C0E45400 push 0054E4C0 ;-
0054E1BF .8D85 7CFEFFFF lea eax, dword ptr
0054E1C5 .50 push eax
0054E1C6 .8D8D 78FEFFFF lea ecx, dword ptr
0054E1CC .8D95 E8FEFFFF lea edx, dword ptr
0054E1D2 .8B06 mov eax, dword ptr
0054E1D4 .E8 5715FFFF call 0053F730 ;same routine as the call labelled MD5 above; the digest is produced again before each slice
0054E1D9 .8B85 78FEFFFF mov eax, dword ptr
0054E1DF .B9 05000000 mov ecx, 0x5
0054E1E4 .BA 06000000 mov edx, 0x6
0054E1E9 .E8 B66FEBFF call 004051A4 ;start 6, length 5
0054E1EE .FFB5 7CFEFFFF push dword ptr ;stack ss:=01885EB4, (ASCII "29215")
0054E1F4 .68 C0E45400 push 0054E4C0 ;-
0054E1F9 .8D85 74FEFFFF lea eax, dword ptr
0054E1FF .50 push eax
0054E200 .8D8D 70FEFFFF lea ecx, dword ptr
0054E206 .8D95 E8FEFFFF lea edx, dword ptr
0054E20C .8B06 mov eax, dword ptr
0054E20E .E8 1D15FFFF call 0053F730
0054E213 .8B85 70FEFFFF mov eax, dword ptr
0054E219 .B9 05000000 mov ecx, 0x5
0054E21E .BA 0B000000 mov edx, 0xB
0054E223 .E8 7C6FEBFF call 004051A4 ;start 0xB, length 5
0054E228 .FFB5 74FEFFFF push dword ptr ;stack ss:=01885EF8, (ASCII "B24A7")
0054E22E .68 C0E45400 push 0054E4C0 ;-
0054E233 .8D85 6CFEFFFF lea eax, dword ptr
0054E239 .50 push eax
0054E23A .8D8D 68FEFFFF lea ecx, dword ptr
0054E240 .8D95 E8FEFFFF lea edx, dword ptr
0054E246 .8B06 mov eax, dword ptr
0054E248 .E8 E314FFFF call 0053F730
0054E24D .8B85 68FEFFFF mov eax, dword ptr
0054E253 .B9 05000000 mov ecx, 0x5
0054E258 .BA 10000000 mov edx, 0x10
0054E25D .E8 426FEBFF call 004051A4 ;start 0x10, length 5
0054E262 .FFB5 6CFEFFFF push dword ptr ;stack ss:=01885F3C, (ASCII "B9A29")
0054E268 .B8 BC765B00 mov eax, 005B76BC
0054E26D .BA 07000000 mov edx, 0x7
0054E272 .E8 896DEBFF call 00405000 ;edx=7: joins the four slices and three "-" separators into the string at 005B76BC
0054E277 .8B83 68030000 mov eax, dword ptr
0054E27D .8B15 BC765B00 mov edx, dword ptr ;ds:=01885F50, (ASCII "0A2D6-29215-B24A7-B9A29") machine code
===========================================================================================================================
; Registration check as traced in the debugger (excerpt; the routine continues past the last line shown).
; Visible flow: the stored "Acode" and "Rcode" values are read and (apparently) Base64-decoded, the string
; "<machine code without dashes>&<Acode>&<subject name>" is built and hashed, the first 20 hex characters
; of that digest are hashed again, the result is regrouped as XXXXX-XXXXX-XXXXX-XXXXX and compared with
; the decoded Rcode.
; NOTE(review): every input to this check is available on the client and the hash is unkeyed, so the
; expected value can be recomputed outside the program. A check that verifies a vendor signature with an
; embedded public key would not have this property.
0059536F .8B30 mov esi, dword ptr
00595371 .FF56 10 call dword ptr
00595374 .8B45 B0 mov eax, dword ptr
00595377 .8D4D B4 lea ecx, dword ptr
0059537A .BA 70565900 mov edx, 00595670 ;Acode
0059537F .8B30 mov esi, dword ptr
00595381 .FF56 0C call dword ptr
00595384 .8D55 B4 lea edx, dword ptr
00595387 .8D45 C4 lea eax, dword ptr
0059538A .E8 E102E8FF call 00415670
0059538F .8B45 C4 mov eax, dword ptr ;Base64 of the registration code that was read (ASCII "MEEyRDYyOTIxNUIyNEE3QjlBMjlBQUYwMA==")
00595392 .8D55 F8 lea edx, dword ptr
00595395 .E8 C65CF1FF call 004AB060 ;presumably Base64 decode -- the buffer it fills is pushed later holding the decoded text
0059539A .8D95 78FFFFFF lea edx, dword ptr
005953A0 .A1 4C5A5B00 mov eax, dword ptr
005953A5 .8B00 mov eax, dword ptr
005953A7 .8B80 00030000 mov eax, dword ptr
005953AD .E8 4E13F0FF call 00496700
005953B2 .8B85 78FFFFFF mov eax, dword ptr
005953B8 .8D95 7CFFFFFF lea edx, dword ptr
005953BE .8B08 mov ecx, dword ptr
005953C0 .FF51 14 call dword ptr
005953C3 .8B85 7CFFFFFF mov eax, dword ptr
005953C9 .50 push eax
005953CA .8D85 68FFFFFF lea eax, dword ptr
005953D0 .33D2 xor edx, edx
005953D2 .B1 01 mov cl, 0x1
005953D4 .E8 6B11E8FF call 00416544
005953D9 .8D95 68FFFFFF lea edx, dword ptr
005953DF .8D4D 80 lea ecx, dword ptr
005953E2 .58 pop eax
005953E3 .8B30 mov esi, dword ptr
005953E5 .FF56 10 call dword ptr
005953E8 .8B45 80 mov eax, dword ptr
005953EB .8D4D 84 lea ecx, dword ptr
005953EE .BA 80565900 mov edx, 00595680 ;Rcode
005953F3 .8B30 mov esi, dword ptr
005953F5 .FF56 0C call dword ptr
005953F8 .8D55 84 lea edx, dword ptr
005953FB .8D45 94 lea eax, dword ptr
005953FE .E8 6D02E8FF call 00415670
00595403 .8B45 94 mov eax, dword ptr ;stack ss:=018CA3E8, (ASCII "d2lueHA=") Base64 of "winxp"
00595406 .8D55 F4 lea edx, dword ptr
00595409 .E8 525CF1FF call 004AB060 ;same routine as applied to the Acode value above
0059540E .A0 8C565900 mov al, byte ptr
00595413 .50 push eax
00595414 .8D85 64FFFFFF lea eax, dword ptr
0059541A .50 push eax
0059541B .A0 8C565900 mov al, byte ptr
00595420 .50 push eax
00595421 .8D85 60FFFFFF lea eax, dword ptr
00595427 .50 push eax
00595428 .A1 60565B00 mov eax, dword ptr
0059542D .FF30 push dword ptr ;result of the MD5 over the hardware info? (ASCII "0A2D6-29215-B24A7-B9A29")
0059542F .68 98565900 push 00595698 ;&
00595434 .FF75 F8 push dword ptr ;the decoded registration code as entered, any value (ASCII "0A2D629215B24A7B9A29AAF00")
00595437 .68 98565900 push 00595698 ;&
0059543C .8D85 54FFFFFF lea eax, dword ptr
00595442 .BA 04000000 mov edx, 0x4
00595447 .E8 B4FBE6FF call 00405000 ;edx=4: joins the four pushed pieces (result shown in the next annotation)
0059544C .8B85 54FFFFFF mov eax, dword ptr ;stack ss:=018CA400, (ASCII "0A2D6-29215-B24A7-B9A29&0A2D629215B24A7B9A29AAF00&")
00595452 .8D95 58FFFFFF lea edx, dword ptr
00595458 .E8 23FDFFFF call 00595180
0059545D .8B85 58FFFFFF mov eax, dword ptr
00595463 .8D95 5CFFFFFF lea edx, dword ptr
00595469 .E8 9246E7FF call 00409B00
0059546E .8B85 5CFFFFFF mov eax, dword ptr
00595474 .33C9 xor ecx, ecx
00595476 .BA A4565900 mov edx, 005956A4 ;-
0059547B .E8 F0A6E7FF call 0040FB70 ;presumably removes "-": the next annotated string has no dashes in the machine-code part
00595480 .8B85 60FFFFFF mov eax, dword ptr ;stack ss:=018CA600, (ASCII "0A2D629215B24A7B9A29&0A2D629215B24A7B9A29AAF00&")
00595486 .33C9 xor ecx, ecx
00595488 .BA B0565900 mov edx, 005956B0
0059548D .E8 DEA6E7FF call 0040FB70
00595492 .8B95 64FFFFFF mov edx, dword ptr
00595498 .8B0D 24585B00 mov ecx, dword ptr ;easykao.005B76C0
0059549E .8B09 mov ecx, dword ptr
005954A0 .8D45 F0 lea eax, dword ptr
005954A3 .E8 E4FAE6FF call 00404F8C
005954A8 .8D4D D8 lea ecx, dword ptr
005954AB .8B55 F0 mov edx, dword ptr ;stack ss:=018CA63C, (ASCII "0A2D629215B24A7B9A29&0A2D629215B24A7B9A29AAF00&excel2003")
005954AE .8BC3 mov eax, ebx
005954B0 .E8 0BA2FAFF call 0053F6C0
005954B5 .8D4D EC lea ecx, dword ptr
005954B8 .8D55 D8 lea edx, dword ptr
005954BB .8B03 mov eax, dword ptr
005954BD .E8 6EA2FAFF call 0053F730 ;MD5 of the assembled string
005954C2 .8D85 50FFFFFF lea eax, dword ptr ;eax=018CA684, (ASCII "94BA7A365C749DA8BFCB6540D032CFCB")
005954C8 .50 push eax
005954C9 .B9 14000000 mov ecx, 0x14
005954CE .33D2 xor edx, edx
005954D0 .8B45 EC mov eax, dword ptr ;stack ss:=018CA684, (ASCII "94BA7A365C749DA8BFCB6540D032CFCB")
005954D3 .E8 CCFCE6FF call 004051A4
005954D8 .8B95 50FFFFFF mov edx, dword ptr ;take 20 characters (ASCII "94BA7A365C749DA8BFCB")
005954DE .8D4D C8 lea ecx, dword ptr
005954E1 .8BC3 mov eax, ebx
005954E3 .E8 D8A1FAFF call 0053F6C0
005954E8 .8D4D E8 lea ecx, dword ptr
005954EB .8D55 C8 lea edx, dword ptr
005954EE .8B03 mov eax, dword ptr
005954F0 .E8 3BA2FAFF call 0053F730 ;MD5 again
005954F5 .8D85 4CFFFFFF lea eax, dword ptr ;eax=018CA6B4, (ASCII "5F71C4E08417C67EE3EF6335466B9E8A")
005954FB .50 push eax
005954FC .B9 05000000 mov ecx, 0x5
00595501 .33D2 xor edx, edx
00595503 .8B45 E8 mov eax, dword ptr ;stack ss:=018CA6B4, (ASCII "5F71C4E08417C67EE3EF6335466B9E8A")
00595506 .E8 99FCE6FF call 004051A4 ;slice: start 0, length 5
0059550B .FFB5 4CFFFFFF push dword ptr
00595511 .68 A4565900 push 005956A4 ;-
00595516 .8D85 48FFFFFF lea eax, dword ptr
0059551C .50 push eax
0059551D .B9 05000000 mov ecx, 0x5
00595522 .BA 06000000 mov edx, 0x6
00595527 .8B45 E8 mov eax, dword ptr
0059552A .E8 75FCE6FF call 004051A4 ;slice: start 6, length 5
0059552F .FFB5 48FFFFFF push dword ptr
00595535 .68 A4565900 push 005956A4 ;-
0059553A .8D85 44FFFFFF lea eax, dword ptr
00595540 .50 push eax
00595541 .B9 05000000 mov ecx, 0x5
00595546 .BA 0B000000 mov edx, 0xB
0059554B .8B45 E8 mov eax, dword ptr
0059554E .E8 51FCE6FF call 004051A4 ;slice: start 0xB, length 5
00595553 .FFB5 44FFFFFF push dword ptr
00595559 .68 A4565900 push 005956A4 ;-
0059555E .8D85 40FFFFFF lea eax, dword ptr
00595564 .50 push eax
00595565 .B9 05000000 mov ecx, 0x5
0059556A .BA 10000000 mov edx, 0x10
0059556F .8B45 E8 mov eax, dword ptr
00595572 .E8 2DFCE6FF call 004051A4 ;slice: start 0x10, length 5
00595577 .FFB5 40FFFFFF push dword ptr
0059557D .B8 F8855B00 mov eax, 005B85F8
00595582 .BA 07000000 mov edx, 0x7
00595587 .E8 74FAE6FF call 00405000 ;edx=7: joins the four slices and three "-" separators into the string at 005B85F8
0059558C .A1 F8855B00 mov eax, dword ptr ;EAX 018CA6F8 ASCII "5F71C-4E084-17C67-EE3EF" the Base64 of this is the correct content that follows RECODE
00595591 .8B55 F4 mov edx, dword ptr ;stack ss:=018B5998, (ASCII "winxp") the default registration content is the Base64 of this
00595594 .E8 F3FAE6FF call 0040508C ;comparison: the value derived from ATCODE must equal RECODE
00595599 .75 0C jnz short 005955A7 ;on mismatch the flag write below is skipped
0059559B .C705 F0855B00>mov dword ptr , 0x1 ;flag: whether this is the registered version
DELPHI注册机核心代码
// Click handler: reads the machine code (jiqima) and the subject name (kmmc) from the form,
// applies the same two-round hash-and-slice steps traced in the disassembly above, and writes
// the result to jihuoma.
// NOTE(review): nothing used here is secret -- both inputs are plain text fields and the hash is
// unkeyed -- which is the design weakness this listing demonstrates. A licence check that verifies
// an asymmetric signature cannot be reproduced from client-side values alone.
procedure TForm1.btn1Click(Sender: TObject);
var
m : MD5;
// jhm is declared but never used in this handler.
jqm,s,jhm:string;
begin
// Nothing to do when either input field is empty.
if (Length(jiqima.Text)=0)or (Length(kmmc.Text)=0)then Exit;
jqm:=jiqima.Text;
// Drop the three '-' separators: keep characters 1-5, 7-11, 13-17 and 19-23.
jqm:=Copy(jqm,1,5)+Copy(jqm,7,5)+Copy(jqm,13,5)+Copy(jqm,19,5);
// NOTE(review): m is never freed in this handler; if MD5 is an ordinary class this leaks one
// object per click -- confirm against the MD5 unit.
m:=MD5.Create;
// First round input: "<machine code>&<fixed run of zeros>&<subject name>". The zeros occupy the
// position where the disassembly shows the decoded Acode value.
m.bmsj(jqm+'&0000000000000000000000000&'+kmmc.text);
// Keep the first 20 characters of the digest text (MD5bm is sliced as a string here).
s:=copy(m.MD5bm,1,20);
// Second round over those 20 characters. Presumably bmsj replaces the previous input rather than
// appending to it -- confirm against the MD5 unit.
m.bmsj(s);
s:=m.MD5bm;
// Regroup the first 20 characters of the second digest as XXXXX-XXXXX-XXXXX-XXXXX.
jihuoma.Text:=Copy(s,1,5)+'-'+Copy(s,6,5)+'-'+Copy(s,11,5)+'-'+Copy(s,16,5);
end;
源码用到了MD5模块,需要编译的自己去找个编译就行了,或者换别的语言别的模块。
感谢楼主出的教程,原来楼主也是用的DELPHI啊。
感谢楼主出的教程
膜拜搞无忧的、、膜拜算法帝
感谢楼主又出新教程!
教程考无忧计算机辅导软件追码分析{:5_119:} 感谢楼主分享新技能!谢谢! [快捷回复]-学破解防逆向,知进攻懂防守! 真是太棒了