考真考职称软件离线注册码分析+易语言注册机源码
目标:http://www.cqzkt.com/
工具:OllyDbg
想直接爆破的可以看我以前的这个帖子:https://www.52hb.com/thread-3740-1-1.html
本文中的例子:
序列号:123456789111111
机器码:68621-58750
科目:PhotoShopCS
注册码:1160954577
直接看注册码
00D05130/$55 push ebp
00D05131|.8BEC mov ebp, esp
00D05133|.6A FF push -0x1
00D05135|.68 CF0FE300 push PhotoSho.00E30FCF
00D0513A|.64:A1 0000000>mov eax, dword ptr fs:
00D05140|.50 push eax
00D05141|.83EC 34 sub esp, 0x34
00D05144|.A1 2006EB00 mov eax, dword ptr
00D05149|.33C5 xor eax, ebp
00D0514B|.50 push eax
00D0514C|.8D45 F4 lea eax, dword ptr
00D0514F|.64:A3 0000000>mov dword ptr fs:, eax
00D05155|.894D D8 mov dword ptr , ecx
00D05158|.C745 F0 01000>mov dword ptr , 0x1
00D0515F|.8B45 10 mov eax, dword ptr
00D05162|.50 push eax ;机器码
00D05163|.68 207BE500 push PhotoSho.00E57B20 ;full
00D05168|.8B4D 0C mov ecx, dword ptr ;序列号最后5位
00D0516B|.51 push ecx
00D0516C|.8B55 08 mov edx, dword ptr ;序列号前10位
00D0516F|.52 push edx
00D05170|.8D45 EC lea eax, dword ptr ;机器码
00D05173|.50 push eax
00D05174|.8B4D D8 mov ecx, dword ptr
00D05177|.E8 C4FDFFFF call PhotoSho.00D04F40
00D0517C|.C745 FC 00000>mov dword ptr , 0x0 ;EDX中出现 注册码1160954577
00D05183|.8D4D EC lea ecx, dword ptr
我们进入call 00D04F40这个里面去看他的注册码算法
00D04F40/$55 push ebp
00D04F41|.8BEC mov ebp, esp
00D04F43|.6A FF push -0x1
00D04F45|.68 830FE300 push PhotoSho.00E30F83
00D04F4A|.64:A1 0000000>mov eax, dword ptr fs:
00D04F50|.50 push eax
00D04F51|.81EC 38050000 sub esp, 0x538
00D04F57|.A1 2006EB00 mov eax, dword ptr
00D04F5C|.33C5 xor eax, ebp
00D04F5E|.8945 F0 mov dword ptr , eax
00D04F61|.50 push eax
00D04F62|.8D45 F4 lea eax, dword ptr
00D04F65|.64:A3 0000000>mov dword ptr fs:, eax
00D04F6B|.898D C4FAFFFF mov dword ptr , ecx
00D04F71|.C785 C8FAFFFF>mov dword ptr , 0x0
00D04F7B|.8B45 14 mov eax, dword ptr
00D04F7E|.50 push eax
00D04F7F|.8B4D 18 mov ecx, dword ptr
00D04F82|.51 push ecx ;机器码
00D04F83|.8B55 10 mov edx, dword ptr
00D04F86|.52 push edx ;序列号后5位
00D04F87|.8B45 0C mov eax, dword ptr
00D04F8A|.50 push eax ;序列号前10位
00D04F8B|.E8 9029FBFF call PhotoSho.00CB7920 ;得到软件名称PhotoShopCS
00D04F90|.50 push eax
00D04F91|.68 0C7BE500 push PhotoSho.00E57B0C ;%s-%s-%s-%s-%s
00D04F96|.68 FF030000 push 0x3FF
00D04F9B|.8D8D 6CFBFFFF lea ecx, dword ptr
00D04FA1|.51 push ecx
00D04FA2|.FF15 F0F2E300 call dword ptr [<&MSVCR90.sprintf_s>] ;msvcr90.sprintf_s
00D04FA8|.83C4 20 add esp, 0x20
00D04FAB|.8D8D FCFAFFFF lea ecx, dword ptr
00D04FB1|.E8 9A88FCFF call PhotoSho.00CCD850 ;链接字符串"PhotoShopCS-1234567891-11111-6862158750-full"
00D04FB6|.8D95 6CFBFFFF lea edx, dword ptr
00D04FBC|.52 push edx ; /s
00D04FBD|.E8 E4401200 call <jmp.&MSVCR90.strlen> ; \strlen
00D04FC2|.83C4 04 add esp, 0x4 ;eax得到strlen
00D04FC5|.50 push eax
00D04FC6|.8D85 6CFBFFFF lea eax, dword ptr
00D04FCC|.50 push eax
00D04FCD|.8D8D FCFAFFFF lea ecx, dword ptr
00D04FD3|.E8 A889FCFF call PhotoSho.00CCD980
00D04FD8|.6A 40 push 0x40 ; /n = 40 (64.)
00D04FDA|.6A 00 push 0x0 ; |c = 00
00D04FDC|.8D8D 6CFFFFFF lea ecx, dword ptr ; |
00D04FE2|.51 push ecx ; |s
00D04FE3|.E8 B8401200 call <jmp.&MSVCR90.memset> ; \memset
00D04FE8|.83C4 0C add esp, 0xC
00D04FEB|.8D95 CCFAFFFF lea edx, dword ptr
00D04FF1|.52 push edx
00D04FF2|.8D8D FCFAFFFF lea ecx, dword ptr
00D04FF8|.E8 039DFCFF call PhotoSho.00CCED00
00D04FFD|.8985 C0FAFFFF mov dword ptr , eax
00D05003|.8B85 C0FAFFFF mov eax, dword ptr
00D05009|.8985 BCFAFFFF mov dword ptr , eax
00D0500F|.C745 FC 00000>mov dword ptr , 0x0 ;下面的eax得到
00D05016|.8B8D BCFAFFFF mov ecx, dword ptr ;42e1455639cebfa78dfbaecf6e7a21ad
00D0501C|.FF15 E8F1E300 call dword ptr [<&MSVCP90.std::basic_string>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
00D05022|.50 push eax ; /src
00D05023|.8D4D AC lea ecx, dword ptr ; |
00D05026|.51 push ecx ; |dest
00D05027|.E8 C6401200 call <jmp.&MSVCR90.strcpy> ; \strcpy
00D0502C|.83C4 08 add esp, 0x8
00D0502F|.C745 FC FFFFF>mov dword ptr , -0x1
00D05036|.8D8D CCFAFFFF lea ecx, dword ptr
00D0503C|.FF15 D4F1E300 call dword ptr [<&MSVCP90.std::basic_string>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >
00D05042|.C785 F8FAFFFF>mov dword ptr , 0x0 ;初始化 i = 0
00D0504C|.EB 0F jmp short PhotoSho.00D0505D
00D0504E|>8B95 F8FAFFFF /mov edx, dword ptr ;edx=i
00D05054|.83C2 01 |add edx, 0x1 ;edx=edx+1
00D05057|.8995 F8FAFFFF |mov dword ptr , edx ;i=edx
00D0505D|>83BD F8FAFFFF> cmp dword ptr , 0xA ;i<10
00D05064|.0F8D 89000000 |jge PhotoSho.00D050F3
00D0506A|.8B85 F8FAFFFF |mov eax, dword ptr ;eax=i
00D05070|.8A4C05 AC |mov cl, byte ptr ;cl=a
00D05074|.888D F5FAFFFF |mov byte ptr , cl ;x=a
00D0507A|.8B95 F8FAFFFF |mov edx, dword ptr ;edx=i
00D05080|.8A4415 B6 |mov al, byte ptr ;al=a
00D05084|.8885 F6FAFFFF |mov byte ptr , al ;y=a
00D0508A|.B9 20000000 |mov ecx, 0x20 ;ecx=32
00D0508F|.2B8D F8FAFFFF |sub ecx, dword ptr ;ecx=ecx-i
00D05095|.8A540D AC |mov dl, byte ptr ;dl=a
00D05099|.8895 F7FAFFFF |mov byte ptr , dl ;z=dl
00D0509F|.0FBE85 F5FAFF>|movsx eax, byte ptr ;eax=x
00D050A6|.0FBE8D F6FAFF>|movsx ecx, byte ptr ;ecx=y
00D050AD|.03C1 |add eax, ecx ;eax=x+y
00D050AF|.0FBE95 F7FAFF>|movsx edx, byte ptr ;edx=z
00D050B6|.03C2 |add eax, edx ;eax=eax+edx
00D050B8|.99 |cdq
00D050B9|.B9 0A000000 |mov ecx, 0xA ;ecx=10
00D050BE|.F7F9 |idiv ecx ;eax=eax/ecx商在eax 余数在edx中
00D050C0|.52 |push edx ;压入余数
00D050C1|.68 1C7BE500 |push PhotoSho.00E57B1C ;%d
00D050C6|.6A 09 |push 0x9
00D050C8|.8D95 E8FAFFFF |lea edx, dword ptr
00D050CE|.52 |push edx
00D050CF|.FF15 F0F2E300 |call dword ptr [<&MSVCR90.sprintf_s>] ;msvcr90.sprintf_s
00D050D5|.83C4 10 |add esp, 0x10
00D050D8|.8D85 E8FAFFFF |lea eax, dword ptr
00D050DE|.50 |push eax ; /src
00D050DF|.8D8D 6CFFFFFF |lea ecx, dword ptr ; |
00D050E5|.51 |push ecx ; |dest
00D050E6|.E8 8F411200 |call <jmp.&MSVCR90.strcat> ; \strcat
00D050EB|.83C4 08 |add esp, 0x8 ;上面的是链接字符串 存入eax
00D050EE|.^ E9 5BFFFFFF \jmp PhotoSho.00D0504E
00D050F3|>8D95 6CFFFFFF lea edx, dword ptr
00D050F9|.52 push edx
00D050FA|.8B4D 08 mov ecx, dword ptr
00D050FD|.FF15 40F8E300 call dword ptr [<&mfc90.#310>] ;mfc90.#310
00D05103|.8B85 C8FAFFFF mov eax, dword ptr
00D05109|.83C8 01 or eax, 0x1
00D0510C|.8985 C8FAFFFF mov dword ptr , eax
00D05112|.8B45 08 mov eax, dword ptr
00D05115|.8B4D F4 mov ecx, dword ptr
00D05118|.64:890D 00000>mov dword ptr fs:, ecx
00D0511F|.59 pop ecx
00D05120|.8B4D F0 mov ecx, dword ptr
00D05123|.33CD xor ecx, ebp
00D05125|.E8 FA3D1200 call PhotoSho.00E28F24
00D0512A|.8BE5 mov esp, ebp
00D0512C|.5D pop ebp
00D0512D\.C2 1400 retn 0x14
在上面的这个call里得到软件科目的名称;
00D04F8B|.E8 9029FBFF call PhotoSho.00CB7920 ;得到软件名称PhotoShopCS
我们进入这个call内部去看看
00CB7920/$55 push ebp
00CB7921|.8BEC mov ebp, esp
00CB7923|.51 push ecx
00CB7924|.A1 20CBEA00 mov eax, dword ptr ;\r
00CB7929|.8945 FC mov dword ptr , eax
00CB792C|.8B4D FC mov ecx, dword ptr
00CB792F|.83E9 01 sub ecx, 0x1
00CB7932|.894D FC mov dword ptr , ecx
00CB7935|.837D FC 27 cmp dword ptr , 0x27
00CB7939|.0F87 5F030000 ja PhotoSho.00CB7C9E
00CB793F|.8B55 FC mov edx, dword ptr
00CB7942|.FF2495 A87CCB>jmp dword ptr
00CB7949|>68 5892E400 push PhotoSho.00E49258 ;WindowsXP
00CB794E|.68 00010000 push 0x100
00CB7953|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7958|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB795E|.83C4 0C add esp, 0xC
00CB7961|.E9 38030000 jmp PhotoSho.00CB7C9E
00CB7966|>68 6492E400 push PhotoSho.00E49264 ;Windows7
00CB796B|.68 00010000 push 0x100
00CB7970|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7975|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB797B|.83C4 0C add esp, 0xC
00CB797E|.E9 1B030000 jmp PhotoSho.00CB7C9E
00CB7983|>68 7092E400 push PhotoSho.00E49270 ;RedFlag
00CB7988|.68 00010000 push 0x100
00CB798D|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7992|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7998|.83C4 0C add esp, 0xC
00CB799B|.E9 FE020000 jmp PhotoSho.00CB7C9E
00CB79A0|>68 7892E400 push PhotoSho.00E49278 ;Word2003
00CB79A5|.68 00010000 push 0x100
00CB79AA|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB79AF|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB79B5|.83C4 0C add esp, 0xC
00CB79B8|.E9 E1020000 jmp PhotoSho.00CB7C9E
00CB79BD|>68 8492E400 push PhotoSho.00E49284 ;Word2007
00CB79C2|.68 00010000 push 0x100
00CB79C7|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB79CC|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB79D2|.83C4 0C add esp, 0xC
00CB79D5|.E9 C4020000 jmp PhotoSho.00CB7C9E
00CB79DA|>68 9092E400 push PhotoSho.00E49290 ;PPT2007
00CB79DF|.68 00010000 push 0x100
00CB79E4|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB79E9|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB79EF|.83C4 0C add esp, 0xC
00CB79F2|.E9 A7020000 jmp PhotoSho.00CB7C9E
00CB79F7|>68 9892E400 push PhotoSho.00E49298 ;PPT2003
00CB79FC|.68 00010000 push 0x100
00CB7A01|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7A06|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7A0C|.83C4 0C add esp, 0xC
00CB7A0F|.E9 8A020000 jmp PhotoSho.00CB7C9E
00CB7A14|>68 A092E400 push PhotoSho.00E492A0 ;Excel2003
00CB7A19|.68 00010000 push 0x100
00CB7A1E|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7A23|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7A29|.83C4 0C add esp, 0xC
00CB7A2C|.E9 6D020000 jmp PhotoSho.00CB7C9E
00CB7A31|>68 AC92E400 push PhotoSho.00E492AC ;Excel2007
00CB7A36|.68 00010000 push 0x100
00CB7A3B|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7A40|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7A46|.83C4 0C add esp, 0xC
00CB7A49|.E9 50020000 jmp PhotoSho.00CB7C9E
00CB7A4E|>68 B892E400 push PhotoSho.00E492B8 ;Internet
00CB7A53|.68 00010000 push 0x100
00CB7A58|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7A5D|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7A63|.83C4 0C add esp, 0xC
00CB7A66|.E9 33020000 jmp PhotoSho.00CB7C9E
00CB7A6B|>68 C492E400 push PhotoSho.00E492C4 ;InterWin7
00CB7A70|.68 00010000 push 0x100
00CB7A75|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7A7A|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7A80|.83C4 0C add esp, 0xC
00CB7A83|.E9 16020000 jmp PhotoSho.00CB7C9E
00CB7A88|>68 D092E400 push PhotoSho.00E492D0 ;FrontPage
00CB7A8D|.68 00010000 push 0x100
00CB7A92|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7A97|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7A9D|.83C4 0C add esp, 0xC
00CB7AA0|.E9 F9010000 jmp PhotoSho.00CB7C9E
00CB7AA5|>68 DC92E400 push PhotoSho.00E492DC ;FrontPage2003
00CB7AAA|.68 00010000 push 0x100
00CB7AAF|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7AB4|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7ABA|.83C4 0C add esp, 0xC
00CB7ABD|.E9 DC010000 jmp PhotoSho.00CB7C9E
00CB7AC2|>68 EC92E400 push PhotoSho.00E492EC ;WPSOffice
00CB7AC7|.68 00010000 push 0x100
00CB7ACC|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7AD1|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7AD7|.83C4 0C add esp, 0xC
00CB7ADA|.E9 BF010000 jmp PhotoSho.00CB7C9E
00CB7ADF|>68 F892E400 push PhotoSho.00E492F8 ;JSWZ
00CB7AE4|.68 00010000 push 0x100
00CB7AE9|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7AEE|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7AF4|.83C4 0C add esp, 0xC
00CB7AF7|.E9 A2010000 jmp PhotoSho.00CB7C9E
00CB7AFC|>68 0093E400 push PhotoSho.00E49300 ;JSYS
00CB7B01|.68 00010000 push 0x100
00CB7B06|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7B0B|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7B11|.83C4 0C add esp, 0xC
00CB7B14|.E9 85010000 jmp PhotoSho.00CB7C9E
00CB7B19|>68 0893E400 push PhotoSho.00E49308 ;JSBG
00CB7B1E|.68 00010000 push 0x100
00CB7B23|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7B28|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7B2E|.83C4 0C add esp, 0xC
00CB7B31|.E9 68010000 jmp PhotoSho.00CB7C9E
00CB7B36|>68 1093E400 push PhotoSho.00E49310 ;AutoCAD2004
00CB7B3B|.68 00010000 push 0x100
00CB7B40|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7B45|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7B4B|.83C4 0C add esp, 0xC
00CB7B4E|.E9 4B010000 jmp PhotoSho.00CB7C9E
00CB7B53|>68 1C93E400 push PhotoSho.00E4931C ;AutoCADR14
00CB7B58|.68 00010000 push 0x100
00CB7B5D|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7B62|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7B68|.83C4 0C add esp, 0xC
00CB7B6B|.E9 2E010000 jmp PhotoSho.00CB7C9E
00CB7B70|>68 2893E400 push PhotoSho.00E49328 ;PhotoShopCS
00CB7B75|.68 00010000 push 0x100
00CB7B7A|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7B7F|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7B85|.83C4 0C add esp, 0xC
00CB7B88|.E9 11010000 jmp PhotoSho.00CB7C9E
00CB7B8D|>68 3493E400 push PhotoSho.00E49334 ;PhotoShop6
00CB7B92|.68 00010000 push 0x100
00CB7B97|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7B9C|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7BA2|.83C4 0C add esp, 0xC
00CB7BA5|.E9 F4000000 jmp PhotoSho.00CB7C9E
00CB7BAA|>68 4093E400 push PhotoSho.00E49340 ;FlashMX
00CB7BAF|.68 00010000 push 0x100
00CB7BB4|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7BB9|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7BBF|.83C4 0C add esp, 0xC
00CB7BC2|.E9 D7000000 jmp PhotoSho.00CB7C9E
00CB7BC7|>68 4893E400 push PhotoSho.00E49348 ;Authorware
00CB7BCC|.68 00010000 push 0x100
00CB7BD1|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7BD6|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7BDC|.83C4 0C add esp, 0xC
00CB7BDF|.E9 BA000000 jmp PhotoSho.00CB7C9E
00CB7BE4|>68 5493E400 push PhotoSho.00E49354 ;DreamWeaver
00CB7BE9|.68 00010000 push 0x100
00CB7BEE|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7BF3|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7BF9|.83C4 0C add esp, 0xC
00CB7BFC|.E9 9D000000 jmp PhotoSho.00CB7C9E
00CB7C01|>68 6093E400 push PhotoSho.00E49360 ;Access
00CB7C06|.68 00010000 push 0x100
00CB7C0B|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7C10|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7C16|.83C4 0C add esp, 0xC
00CB7C19|.E9 80000000 jmp PhotoSho.00CB7C9E
00CB7C1E|>68 6893E400 push PhotoSho.00E49368 ;Foxpro
00CB7C23|.68 00010000 push 0x100
00CB7C28|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7C2D|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7C33|.83C4 0C add esp, 0xC
00CB7C36|.EB 66 jmp short PhotoSho.00CB7C9E
00CB7C38|>68 7093E400 push PhotoSho.00E49370 ;YYT3
00CB7C3D|.68 00010000 push 0x100
00CB7C42|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7C47|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7C4D|.83C4 0C add esp, 0xC
00CB7C50|.EB 4C jmp short PhotoSho.00CB7C9E
00CB7C52|>68 7893E400 push PhotoSho.00E49378 ;YYU8
00CB7C57|.68 00010000 push 0x100
00CB7C5C|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7C61|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7C67|.83C4 0C add esp, 0xC
00CB7C6A|.EB 32 jmp short PhotoSho.00CB7C9E
00CB7C6C|>68 8093E400 push PhotoSho.00E49380 ;Project2000
00CB7C71|.68 00010000 push 0x100
00CB7C76|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7C7B|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7C81|.83C4 0C add esp, 0xC
00CB7C84|.EB 18 jmp short PhotoSho.00CB7C9E
00CB7C86|>68 8C93E400 push PhotoSho.00E4938C ;CProgram
00CB7C8B|.68 00010000 push 0x100
00CB7C90|.68 E807EB00 push PhotoSho.00EB07E8 ;PhotoShopCS
00CB7C95|.FF15 94F2E300 call dword ptr [<&MSVCR90.strcpy_s>] ;msvcr90.strcpy_s
00CB7C9B|.83C4 0C add esp, 0xC
00CB7C9E|>B8 E807EB00 mov eax, PhotoSho.00EB07E8 ;PhotoShopCS
00CB7CA3|.8BE5 mov esp, ebp
00CB7CA5|.5D pop ebp
00CB7CA6\.C3 retn
发现里面有很多软件的名称,我现在这个软件的科目是PhotoShopCS,我们把这些名字都记住,做注册机有用
再往下面看
在这个call里生成了一串字符串
00D04FB1|.E8 9A88FCFF call PhotoSho.00CCD850 ;字符串"PhotoShopCS-1234567891-11111-6862158750-full"、
“PhotoShopCS-1234567891-11111-6862158750-full”
格式大概是这样的:软件名称+序列号前10位+序列号后5位+机器码+版本类型
在这个call内,
00D0501C|.FF15 E8F1E300 call dword ptr [<&MSVCP90.std::basic_string>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
进行的是MD5运算(严格来说MD5是哈希/摘要算法而不是加密,data() 这一步只是取出已经算好的摘要字符串),这一点可以通过调试跟踪发现,不过需要一定经验才能判断用的是哪种算法
PhotoShopCS-1234567891-11111-6862158750-full 计算MD5后得到的是32个十六进制字符的摘要 42e1455639cebfa78dfbaecf6e7a21ad
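接下去就是一个算法了:对MD5得到的摘要字符串做一系列运算,具体看我下面的注释,这个算法很简单,没什么好讲的。从防护角度看,参与运算的科目名、序列号、机器码、版本字符串都在客户端,整个流程没有任何只有厂商掌握的密钥,所以校验逻辑一旦被跟踪出来就能被完整复现;更稳妥的做法是由厂商用私钥对授权信息签名,客户端只保留公钥做验签。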
00D05042|.C785 F8FAFFFF>mov dword ptr , 0x0 ;初始化 i = 0
00D0504C|.EB 0F jmp short PhotoSho.00D0505D
00D0504E|>8B95 F8FAFFFF /mov edx, dword ptr ;edx=i
00D05054|.83C2 01 |add edx, 0x1 ;edx=edx+1
00D05057|.8995 F8FAFFFF |mov dword ptr , edx ;i=edx
00D0505D|>83BD F8FAFFFF> cmp dword ptr , 0xA ;i<10
00D05064|.0F8D 89000000 |jge PhotoSho.00D050F3
00D0506A|.8B85 F8FAFFFF |mov eax, dword ptr ;eax=i
00D05070|.8A4C05 AC |mov cl, byte ptr ;cl=a
00D05074|.888D F5FAFFFF |mov byte ptr , cl ;x=a
00D0507A|.8B95 F8FAFFFF |mov edx, dword ptr ;edx=i
00D05080|.8A4415 B6 |mov al, byte ptr ;al=a
00D05084|.8885 F6FAFFFF |mov byte ptr , al ;y=a
00D0508A|.B9 20000000 |mov ecx, 0x20 ;ecx=32
00D0508F|.2B8D F8FAFFFF |sub ecx, dword ptr ;ecx=ecx-i
00D05095|.8A540D AC |mov dl, byte ptr ;dl=a
00D05099|.8895 F7FAFFFF |mov byte ptr , dl ;z=dl
00D0509F|.0FBE85 F5FAFF>|movsx eax, byte ptr ;eax=x
00D050A6|.0FBE8D F6FAFF>|movsx ecx, byte ptr ;ecx=y
00D050AD|.03C1 |add eax, ecx ;eax=x+y
00D050AF|.0FBE95 F7FAFF>|movsx edx, byte ptr ;edx=z
00D050B6|.03C2 |add eax, edx ;eax=eax+edx
00D050B8|.99 |cdq
00D050B9|.B9 0A000000 |mov ecx, 0xA ;ecx=10
00D050BE|.F7F9 |idiv ecx ;eax=eax/ecx商在eax 余数在edx中
00D050C0|.52 |push edx ;压入余数
00D050C1|.68 1C7BE500 |push PhotoSho.00E57B1C ;%d
00D050C6|.6A 09 |push 0x9
00D050C8|.8D95 E8FAFFFF |lea edx, dword ptr
00D050CE|.52 |push edx
00D050CF|.FF15 F0F2E300 |call dword ptr [<&MSVCR90.sprintf_s>] ;msvcr90.sprintf_s
00D050D5|.83C4 10 |add esp, 0x10
00D050D8|.8D85 E8FAFFFF |lea eax, dword ptr
00D050DE|.50 |push eax ; /src
00D050DF|.8D8D 6CFFFFFF |lea ecx, dword ptr ; |
00D050E5|.51 |push ecx ; |dest
00D050E6|.E8 8F411200 |call <jmp.&MSVCR90.strcat> ; \strcat
00D050EB|.83C4 08 |add esp, 0x8 ;上面的是链接字符串 存入eax
00D050EE|.^ E9 5BFFFFFF \jmp PhotoSho.00D0504E
我们可以发现,我上面的这个是在算full版本的注册码,下面还有 part mini seni,代码如下
00D051AD|.52 push edx
00D051AE|.68 287BE500 push PhotoSho.00E57B28 ;part
00D051B3|.8B45 0C mov eax, dword ptr
00D051B6|.50 push eax
00D051B7|.8B4D 08 mov ecx, dword ptr
00D051BA|.51 push ecx
00D051BB|.8D55 E8 lea edx, dword ptr
00D051BE|.52 push edx
00D051BF|.8B4D D8 mov ecx, dword ptr
00D051C2|.E8 79FDFFFF call PhotoSho.00D04F40
00D051C7|.8945 D4 mov dword ptr , eax
00D051CA|.8B45 D4 mov eax, dword ptr
00D051CD|.8945 D0 mov dword ptr , eax
00D051D0|.C645 FC 01 mov byte ptr , 0x1
00D051D4|.8B4D D0 mov ecx, dword ptr
00D051D7|.51 push ecx
00D051D8|.8D4D EC lea ecx, dword ptr
00D051DB|.FF15 64F8E300 call dword ptr [<&mfc90.#817>] ;mfc90.#817
00D051E1|.C645 FC 00 mov byte ptr , 0x0
00D051E5|.8D4D E8 lea ecx, dword ptr
00D051E8|.FF15 5CF9E300 call dword ptr [<&mfc90.#601>] ;mfc90.#601
00D051EE|.8D4D EC lea ecx, dword ptr
00D051F1|.FF15 C8F9E300 call dword ptr [<&mfc90.#910>] ;mfc90.#3726
00D051F7|.50 push eax ; /s2
00D051F8|.8B55 14 mov edx, dword ptr ; |
00D051FB|.52 push edx ; |s1
00D051FC|.FF15 8CF2E300 call dword ptr [<&MSVCR90.strstr>] ; \strstr
00D05202|.83C4 08 add esp, 0x8
00D05205|.85C0 test eax, eax
00D05207|.74 0C je short PhotoSho.00D05215
00D05209|.C745 F0 03000>mov dword ptr , 0x3
00D05210|.E9 CE000000 jmp PhotoSho.00D052E3
00D05215|>8B45 10 mov eax, dword ptr
00D05218|.50 push eax
00D05219|.68 307BE500 push PhotoSho.00E57B30 ;mini
00D0521E|.8B4D 0C mov ecx, dword ptr
00D05221|.51 push ecx
00D05222|.8B55 08 mov edx, dword ptr
00D05225|.52 push edx
00D05226|.8D45 E4 lea eax, dword ptr
00D05229|.50 push eax
00D0522A|.8B4D D8 mov ecx, dword ptr
00D0522D|.E8 0EFDFFFF call PhotoSho.00D04F40
00D05232|.8945 CC mov dword ptr , eax
00D05235|.8B4D CC mov ecx, dword ptr
00D05238|.894D C8 mov dword ptr , ecx
00D0523B|.C645 FC 02 mov byte ptr , 0x2
00D0523F|.8B55 C8 mov edx, dword ptr
00D05242|.52 push edx
00D05243|.8D4D EC lea ecx, dword ptr
00D05246|.FF15 64F8E300 call dword ptr [<&mfc90.#817>] ;mfc90.#817
00D0524C|.C645 FC 00 mov byte ptr , 0x0
00D05250|.8D4D E4 lea ecx, dword ptr
00D05253|.FF15 5CF9E300 call dword ptr [<&mfc90.#601>] ;mfc90.#601
00D05259|.8D4D EC lea ecx, dword ptr
00D0525C|.FF15 C8F9E300 call dword ptr [<&mfc90.#910>] ;mfc90.#3726
00D05262|.50 push eax ; /s2
00D05263|.8B45 14 mov eax, dword ptr ; |
00D05266|.50 push eax ; |s1
00D05267|.FF15 8CF2E300 call dword ptr [<&MSVCR90.strstr>] ; \strstr
00D0526D|.83C4 08 add esp, 0x8
00D05270|.85C0 test eax, eax
00D05272|.74 09 je short PhotoSho.00D0527D
00D05274|.C745 F0 02000>mov dword ptr , 0x2
00D0527B|.EB 66 jmp short PhotoSho.00D052E3
00D0527D|>8B4D 10 mov ecx, dword ptr
00D05280|.51 push ecx
00D05281|.68 387BE500 push PhotoSho.00E57B38 ;seni
00D05286|.8B55 0C mov edx, dword ptr
00D05289|.52 push edx
00D0528A|.8B45 08 mov eax, dword ptr
00D0528D|.50 push eax
00D0528E|.8D4D E0 lea ecx, dword ptr
00D05291|.51 push ecx
00D05292|.8B4D D8 mov ecx, dword ptr
00D05295|.E8 A6FCFFFF call PhotoSho.00D04F40
00D0529A|.8945 C4 mov dword ptr , eax
00D0529D|.8B55 C4 mov edx, dword ptr
00D052A0|.8955 C0 mov dword ptr , edx
00D052A3|.C645 FC 03 mov byte ptr , 0x3
可以发现,4个版本调用的call都是一个算法call,区别就在于
full版本是 PhotoShopCS-1234567891-11111-6862158750-full
part版本是PhotoShopCS-1234567891-11111-6862158750-part
依次类推
经过调试分析,对应的英文和中文是如下这样的
full 完整版
part 题库版
mini 冲刺版
seni 高级版
下面是C++核心代码和易语言版注册机源码
C++核心代码:我把MD5类删掉了,要用的自己去搞吧,因为MD5太多代码了
#include <iostream>
using namespace std;
// Number of output digits; also used below as the modulus, so every
// output character is a decimal digit '0'..'9'.
const int RegCodeLen=10;
// Length of an MD5 hex digest in characters. Declared but not referenced
// anywhere in this listing.
const int MD5len=32;
// Demonstration of the digit-folding step the article traces in the
// disassembly: three characters of an MD5 hex digest are summed and
// reduced modulo 10 to give one decimal digit per iteration.
//
// NOTE(review): the array declarators and subscripts on `a` and `r` appear
// to have been stripped when the page was extracted; as shown, `char a`
// cannot be initialised from a string literal and the listing does not
// compile. The author also states the MD5 class was removed, so the digest
// is hard-coded rather than computed.
//
// NOTE(review): nothing in this derivation is secret. The only inputs are
// the digest of a string assembled from values present on the client, so
// the check can be reproduced by anyone who reads the validation routine.
// A signature verified with an embedded public key would not have this
// property.
int main()
{
// Hex digest the article reports for its sample input string.
char a="42e1455639cebfa78dfbaecf6e7a21ad";
char r;
int x,y,z,eax;
// One output digit per iteration, RegCodeLen digits in total.
for (int i=0;i<RegCodeLen;++i)
{
x=a;
y=a;
z=a;
// Sum of the three character codes, reduced to a single decimal digit.
eax=x+y+z;
eax%=RegCodeLen;
// Convert the digit value 0..9 to its ASCII character.
r=eax+'0';
}
// Terminator for the result buffer (subscript missing, see note above).
r='\0';
cout<<r;
return 0;
}
易语言版注册机源码,售价10HB,这个好歹也是我的劳动成果,不贵吧。。
新手表示很难,。,,,默默飘过了。。。。
谢谢,来学习,非常不错。
终于等到师傅的算法教程了
膜拜会写注册机的大神
谢谢楼主了,教程很详细
解密专家真不是吹的,厉害!
谢谢分享!!
这个必须赞!