水滴电脑闹钟注册码分析
本帖最后由 gmh5225 于 2014-12-31 13:44 编辑
这是彩神发的视频:https://www.52hb.com/thread-4208-1-1.html
我只是分析下注册码,这次注册码很简单,适合新手学习
找到注册call
; Registration check routine of PearlClo at 004135A0 (32-bit x86, OllyDbg dump; the listing stops before the routine ends).
; What the visible part does: takes the machine-code string pointed to by ecx, rejects it if shorter than 5 bytes,
; hashes it with MD5, copies 12 characters of the hex digest starting at offset 2, and overwrites offset 3 of that
; copy with 0x31. The author identifies the result as the expected registration code.
; Design note: every input to this derivation is available on the client and no secret key is involved, so the
; expected code is a pure function of the machine code; a vendor-signed licence verified with a public key would
; not be reproducible from the check alone.
; NOTE: the forum stripped every bracketed memory operand ("mov ,eax") and garbled the entry marker on the first
; line ("[ DISCUZ_CODE_2 ]nbsp;", presumably OllyDbg's "/$"). Operands given in the comments below are decoded
; from the opcode bytes shown in the dump; where OllyDbg truncated the bytes (">") they are hedged.
004135A0/[ DISCUZ_CODE_2 ]nbsp; 55 push ebp
004135A1|.8BEC mov ebp,esp ; standard frame
004135A3|.6A FF push -0x1
004135A5|.68 B0A35400 push PearlClo.0054A3B0 ; presumably the SEH handler for this frame
004135AA|.64:A1 0000000>mov eax,dword ptr fs: ; operand lost; presumably fs:[0] (current SEH record)
004135B0|.50 push eax
004135B1|.81EC C8000000 sub esp,0xC8 ; 0xC8 bytes of locals
004135B7|.A1 00315A00 mov eax,dword ptr ds: ; ds:[0x005A3100] per opcode bytes
004135BC|.33C5 xor eax,ebp ; looks like a stack-cookie setup (value xor ebp) — confirm
004135BE|.8945 F0 mov ,eax ; [ebp-0x10] = eax
004135C1|.53 push ebx
004135C2|.56 push esi
004135C3|.57 push edi
004135C4|.50 push eax
004135C5|.8D45 F4 lea eax, ; eax = &[ebp-0xC]
004135C8|.64:A3 0000000>mov dword ptr fs:,eax ; operand lost; presumably installs the new SEH record at fs:[0]
004135CE|.8B45 08 mov eax, ; eax = [ebp+8], first stack argument
004135D1|.8985 2CFFFFFF mov ,eax ; saved to [ebp-0xD4]
004135D7|.33DB xor ebx,ebx ; ebx = 0 for the rest of the listing (bl doubles as the NUL byte)
004135D9|.8BC1 mov eax,ecx ; ecx = pointer to the input string (the machine code, per the author)
004135DB|.C745 CC 0F000>mov ,0xF ; [ebp-0x34] = 0xF
004135E2|.895D C8 mov ,ebx ; [ebp-0x38] = 0
004135E5|.885D B8 mov byte ptr ss:,bl ; byte [ebp-0x48] = 0; the three stores look like an empty small-string object (buffer/size/capacity) — confirm
004135E8|.8D70 01 lea esi,dword ptr ds: ; esi = eax+1, start+1 for the length computation
004135EB|.EB 03 jmp short PearlClo.004135F0
004135ED| 8D49 00 lea ecx,dword ptr ds: ; lea ecx,[ecx+0]: alignment padding, no effect
; inline strlen: advance eax until the byte read equals bl (0)
004135F0|>8A10 /mov dl,byte ptr ds: ; dl = [eax]
004135F2|.40 |inc eax
004135F3|.3AD3 |cmp dl,bl
004135F5|.^ 75 F9 \jnz short PearlClo.004135F0
004135F7|.2BC6 sub eax,esi ; eax = length of the input string
004135F9|.50 push eax ; arg: length
004135FA|.51 push ecx ; arg: pointer to the input string
004135FB|.8D4D B8 lea ecx, ; ecx = &[ebp-0x48], the object initialised above
004135FE|.E8 9DEBFEFF call PearlClo.004021A0 ; presumably assign(ptr, len) into that object — confirm
00413603|.895D FC mov ,ebx ; [ebp-4] = 0
00413606|.8B45 C8 mov eax, ; eax = [ebp-0x38], the length field
00413609|.83F8 05 cmp eax,0x5
0041360C|.73 1A jnb short PearlClo.00413628 ; length >= 5 (unsigned): continue with the hash
; short-input path: release the buffer if it is not the inline one, then leave with eax = -1
0041360E|.837D CC 10 cmp ,0x10 ; [ebp-0x34] vs 0x10
00413612|.72 0C jb short PearlClo.00413620
00413614|.8B4D B8 mov ecx, ; ecx = [ebp-0x48]
00413617|.51 push ecx
00413618|.E8 81DB0100 call PearlClo.0043119E ; presumably frees the out-of-line buffer — confirm
0041361D|.83C4 04 add esp,0x4 ; caller cleans the single argument
00413620|>83C8 FF or eax,0xFFFFFFFF ; eax = -1
00413623|.E9 24010000 jmp PearlClo.0041374C ; target lies outside this listing
00413628|>837D CC 10 cmp ,0x10 ; [ebp-0x34] vs 0x10; these flags are consumed by the jnb at 00413666 (the mov stores in between do not touch flags)
0041362C|.8B4D B8 mov ecx, ; ecx = [ebp-0x48]
0041362F|.885D 98 mov byte ptr ss:,bl ; byte [ebp-0x68] = 0
00413632|.899D 44FFFFFF mov ,ebx ; [ebp-0xBC] = 0
00413638|.899D 40FFFFFF mov ,ebx ; [ebp-0xC0] = 0
0041363E|.C785 30FFFFFF>mov ,0x67452301 ; [ebp-0xD0]; author: signature of the MD5 algorithm (first initial state word)
00413648|.C785 34FFFFFF>mov ,0xEFCDAB89 ; [ebp-0xCC]
00413652|.C785 38FFFFFF>mov ,0x98BADCFE ; [ebp-0xC8]
0041365C|.C785 3CFFFFFF>mov ,0x10325476 ; [ebp-0xC4]
00413666|.73 03 jnb short PearlClo.0041366B ; >= 0x10: keep ecx as loaded from [ebp-0x48]
00413668|.8D4D B8 lea ecx, ; otherwise ecx = &[ebp-0x48] (data stored inline)
0041366B|>51 push ecx ; arg: pointer to the machine-code bytes
0041366C|.8DB5 30FFFFFF lea esi, ; esi = &[ebp-0xD0], the hash state initialised above
00413672|.E8 89C4FFFF call PearlClo.0040FB00 ; presumably feeds the string into the MD5 state — confirm
00413677|.8D7D 9C lea edi, ; edi = &[ebp-0x64]
0041367A|.8BC6 mov eax,esi
0041367C|.E8 1FCEFFFF call PearlClo.004104A0 ; presumably finalises and writes the hex digest to [ebp-0x64] — confirm
00413681|.C645 FC 01 mov byte ptr ss:,0x1 ; byte [ebp-4] = 1
00413685|.6A 0C push 0xC ; arg: length 12
00413687|.68 3CB15700 push PearlClo.0057B13C ; arg: constant string "000000000000"
0041368C|.8D4D D4 lea ecx, ; ecx = &[ebp-0x2C], second string object
0041368F|.C745 E8 0F000>mov ,0xF ; [ebp-0x18] = 0xF
00413696|.895D E4 mov ,ebx ; [ebp-0x1C] = 0; author's note here: the machine code is hashed with MD5
00413699|.885D D4 mov byte ptr ss:,bl ; byte [ebp-0x2C] = 0
0041369C|.E8 FFEAFEFF call PearlClo.004021A0 ; same callee as 004135FE, here with the 12-zero constant; author's note: the MD5 result is available at this point
004136A1|.33C0 xor eax,eax ; eax = 0, copy index; author's sample digest: b2b43d5e0e479d89472294d24b00fe74
; copy loop: 12 bytes from digest offset 2 into the second string; both buffer pointers are re-selected on every pass
004136A3|>8B75 9C /mov esi, ; esi = [ebp-0x64]
004136A6|.B9 10000000 |mov ecx,0x10 ; ecx = 16
004136AB|.394D B0 |cmp ,ecx ; [ebp-0x50] vs 0x10; author observed 0x2F >= 0x10
004136AE|.73 03 |jnb short PearlClo.004136B3
004136B0|.8D75 9C |lea esi, ; esi = &[ebp-0x64] when the digest is stored inline
004136B3|>394D E8 |cmp ,ecx ; [ebp-0x18] vs 0x10; author: 15 >= 16?
004136B6|.8B4D D4 |mov ecx, ; ecx = [ebp-0x2C]
004136B9|.73 03 |jnb short PearlClo.004136BE
004136BB|.8D4D D4 |lea ecx, ; ecx = &[ebp-0x2C] when the destination is stored inline
004136BE|>8A5406 02 |mov dl,byte ptr ds: ; dl = [esi+eax+2] per opcode bytes (author's note reads "dl=a"; its bracketed text appears lost)
004136C2|.881401 |mov byte ptr ds:,dl ; [ecx+eax] = dl
004136C5|.40 |inc eax
004136C6|.83F8 0C |cmp eax,0xC ; 12 iterations (author's note: "from a to a, 12 times")
004136C9|.^ 7C D8 \jl short PearlClo.004136A3
004136CB|.8B45 D4 mov eax, ; eax = [ebp-0x2C]; author: the copy now holds b43d5e0e479d
004136CE|.BF 10000000 mov edi,0x10
004136D3|.397D E8 cmp ,edi ; [ebp-0x18] vs 0x10; author: 15 >= 16?
004136D6|.73 03 jnb short PearlClo.004136DB
004136D8|.8D45 D4 lea eax, ; eax = &[ebp-0x2C] (inline buffer)
004136DB|>C640 03 31 mov byte ptr ds:,0x31 ; byte [eax+3] = 0x31; author: byte 3 of the array is replaced with 31
004136DF|.8B75 E8 mov esi, ; esi = [ebp-0x18]; author: result b4315e0e479d is the registration code
004136E2|.8B45 D4 mov eax, ; eax = [ebp-0x2C]
004136E5|.3BF7 cmp esi,edi ; author: 15 >= 0x10?
004136E7|.73 03 jnb short PearlClo.004136EC
大致步骤如下:
计算机器码的MD5值(十六进制字符串),取从第3位开始、长度为12的字符串,再把其中偏移为3的字节(即上面 004136DB 处指令写入的位置)赋值为 0x31。
鉴于貌似发C++源码没人鸟我。。我还是发易语言的吧。。
易语言算法如下:
.版本 2
.支持库 dp1
.子程序 GetRegCode, 文本型
.参数 MachineCode, 文本型
' GetRegCode: turns the MachineCode text into a 12-character text value and returns it.
' MachineCode is reused as the working variable at every step.
' Step 1: digest of the input bytes as text (取数据摘要 comes from the dp1 support library declared above; the post identifies the digest as MD5).
MachineCode = 取数据摘要 (到字节集 (MachineCode))
' Step 2: keep 12 characters starting at position 3 (positions are 1-based).
MachineCode = 取文本中间 (MachineCode, 3, 12)
' Step 3: replace the 2 characters starting at position 3 with the literal text “31”.
MachineCode = 文本替换 (MachineCode, 3, 2, “31”)
返回 (MachineCode)
这次够简单了。。。大家不要说看不懂了。。心好累
支持算法牛,直接写注册机了,辛苦了
ningzhonghui 发表于 2014-12-31 13:48
支持算法牛,直接写注册机了,辛苦了
这个算法比较简单,嘿嘿
擦,又一个算法牛诞生。膜拜
学习了,感谢分享。
终于用易语言了、这回能看懂了
E语言算法!后面的看懂了,前面的OD没了解!
很详细的教程,学习了,谢谢!
易语言不错