eXeScope 注册机制算法破解
使用x64dbg进行修改
从网上找来一片文章,感觉靠谱,如下
---------------------------------------------------------------------------------------
第一次看到这个界面还是在十多年前,当时的我并不明白这些数据的含义。
现在为它写一篇博客,算是一种纪念吧。
用x64dbg加载exescope,来到0x401000。搜索当前模块中的字符串 在结果中搜索关键字“reg"。
来到004CA44 ,这就是判断注册是否合法的函数。
1 004C2A44 | 55 | push ebp | 2 004C2A45 | 8BEC | mov ebp,esp | 3 004C2A47 | 33C9 | xor ecx,ecx | ecx:EntryPoint 4 004C2A49 | 51 | push ecx | ecx:EntryPoint 5 004C2A4A | 51 | push ecx | ecx:EntryPoint 6 004C2A4B | 51 | push ecx | ecx:EntryPoint 7 004C2A4C | 51 | push ecx | ecx:EntryPoint 8 004C2A4D | 51 | push ecx | ecx:EntryPoint 9 004C2A4E | 53 | push ebx | 10 004C2A4F | 56 | push esi | esi:EntryPoint 11 004C2A50 | 57 | push edi | edi:EntryPoint 12 004C2A51 | 8BD8 | mov ebx,eax | 13 004C2A53 | 33C0 | xor eax,eax | 14 004C2A55 | 55 | push ebp | 15 004C2A56 | 68 A12B4C00 | push 0x4C2BA1 | 16 004C2A5B | 64:FF30 | push dword ptr fs:[eax] | 17 004C2A5E | 64:8920 | mov dword ptr fs:[eax],esp | 18 004C2A61 | A1 5CFC4C00 | mov eax,dword ptr ds:[0x4CFC5C] | 19 004C2A66 | 8038 00 | cmp byte ptr ds:[eax],0x0 | 20 004C2A69 | 74 0F | je 0x4C2A7A | 21 004C2A6B | C783 4C020000 02000000 | mov dword ptr ds:[ebx+0x24C],0x2 | ebx+24C:L"練" 22 004C2A75 | E9 FF000000 | jmp 0x4C2B79 | 23 004C2A7A | 8D55 FC | lea edx,dword ptr ss:[ebp-0x4] | edx:EntryPoint 24 004C2A7D | 8B83 F8020000 | mov eax,dword ptr ds:[ebx+0x2F8] | 25 004C2A83 | E8 F4F8FAFF | call 0x47237C | 26 004C2A88 | 8B55 FC | mov edx,dword ptr ss:[ebp-0x4] | edx:EntryPoint 27 004C2A8B | A1 E8FE4C00 | mov eax,dword ptr ds:[0x4CFEE8] | 004CFEE8:"T.M" 28 004C2A90 | E8 4F1FF4FF | call 0x4049E4 | 29 004C2A95 | 8D55 F8 | lea edx,dword ptr ss:[ebp-0x8] | edx:EntryPoint 30 004C2A98 | 8B83 FC020000 | mov eax,dword ptr ds:[ebx+0x2FC] | 31 004C2A9E | E8 D9F8FAFF | call 0x47237C | 32 004C2AA3 | 8B55 F8 | mov edx,dword ptr ss:[ebp-0x8] | edx:EntryPoint 33 004C2AA6 | A1 4CFE4C00 | mov eax,dword ptr ds:[0x4CFE4C] | 004CFE4C:"X.M" 34 004C2AAB | E8 341FF4FF | call 0x4049E4 | 35 004C2AB0 | 8B15 4CFE4C00 | mov edx,dword ptr ds:[0x4CFE4C] | edx:EntryPoint, 004CFE4C:"X.M" 36 004C2AB6 | 8B12 | mov edx,dword ptr ds:[edx] | edx:EntryPoint 37 004C2AB8 | A1 54FC4C00 | mov eax,dword ptr ds:[0x4CFC54] | 38 004C2ABD | 8B00 | mov eax,dword ptr ds:[eax] | 39 004C2ABF | E8 B8940000 | call 0x4CBF7C | 40 004C2AC4 | 84C0 | test al,al | 41 004C2AC6 | 0F84 8D000000 | je 0x4C2B59 | 42 004C2ACC | A1 E8FE4C00 | mov eax,dword ptr ds:[0x4CFEE8] | 004CFEE8:"T.M" 43 004C2AD1 | 8B00 | mov eax,dword ptr ds:[eax] | 44 004C2AD3 | E8 7821F4FF | call 0x404C50 | 45 004C2AD8 | 85C0 | test eax,eax | 46 004C2ADA | 7E 7D | jle 0x4C2B59 | 47 004C2ADC | 8D55 F0 | lea edx,dword ptr ss:[ebp-0x10] | edx:EntryPoint 48 004C2ADF | A1 FCFE4C00 | mov eax,dword ptr ds:[0x4CFEFC] | 49 004C2AE4 | 8B00 | mov eax,dword ptr ds:[eax] | 50 004C2AE6 | E8 11FCFCFF | call 0x4926FC | 51 004C2AEB | 8B45 F0 | mov eax,dword ptr ss:[ebp-0x10] | 52 004C2AEE | 8D4D F4 | lea ecx,dword ptr ss:[ebp-0xC] | ecx:EntryPoint 53 004C2AF1 | BA B82B4C00 | mov edx,0x4C2BB8 | edx:EntryPoint, 4C2BB8:".ini" 54 004C2AF6 | E8 2570F4FF | call 0x409B20 | 55 004C2AFB | 8B4D F4 | mov ecx,dword ptr ss:[ebp-0xC] | ecx:EntryPoint 56 004C2AFE | B2 01 | mov dl,0x1 | 57 004C2B00 | A1 2CBE4300 | mov eax,dword ptr ds:[0x43BE2C] | 0043BE2C:"x綜" 58 004C2B05 | E8 D293F7FF | call 0x43BEDC | 59 004C2B0A | 8BF0 | mov esi,eax | esi:EntryPoint 60 004C2B0C | A1 E8FE4C00 | mov eax,dword ptr ds:[0x4CFEE8] | 004CFEE8:"T.M" 61 004C2B11 | 8B00 | mov eax,dword ptr ds:[eax] | 62 004C2B13 | 50 | push eax | 63 004C2B14 | B9 C82B4C00 | mov ecx,0x4C2BC8 | ecx:EntryPoint, 4C2BC8:"Name" 64 004C2B19 | BA D82B4C00 | mov edx,0x4C2BD8 | edx:EntryPoint, 4C2BD8:"Reg" 65 004C2B1E | 8BC6 | mov eax,esi | esi:EntryPoint 66 004C2B20 | 8B38 | mov edi,dword ptr ds:[eax] | edi:EntryPoint 67 004C2B22 | FF57 04 | call dword ptr ds:[edi+0x4] | 68 004C2B25 | A1 4CFE4C00 | mov eax,dword ptr ds:[0x4CFE4C] | 004CFE4C:"X.M" 69 004C2B2A | 8B00 | mov eax,dword ptr ds:[eax] | 70 004C2B2C | 50 | push eax | 71 004C2B2D | BA D82B4C00 | mov edx,0x4C2BD8 | edx:EntryPoint, 4C2BD8:"Reg" 72 004C2B32 | B9 E42B4C00 | mov ecx,0x4C2BE4 | ecx:EntryPoint, 4C2BE4:"ID" 73 004C2B37 | 8BC6 | mov eax,esi | esi:EntryPoint 74 004C2B39 | 8B38 | mov edi,dword ptr ds:[eax] | edi:EntryPoint 75 004C2B3B | FF57 04 | call dword ptr ds:[edi+0x4] | 76 004C2B3E | 8BC6 | mov eax,esi | esi:EntryPoint 77 004C2B40 | E8 9B10F4FF | call 0x403BE0 | 78 004C2B45 | A1 5CFC4C00 | mov eax,dword ptr ds:[0x4CFC5C] | 79 004C2B4A | C600 01 | mov byte ptr ds:[eax],0x1 | 80 004C2B4D | C783 4C020000 01000000 | mov dword ptr ds:[ebx+0x24C],0x1 | ebx+24C:L"練" 81 004C2B57 | EB 20 | jmp 0x4C2B79 | 82 004C2B59 | 6A 00 | push 0x0 | 83 004C2B5B | 8D55 EC | lea edx,dword ptr ss:[ebp-0x14] | edx:EntryPoint 84 004C2B5E | B8 F02B4C00 | mov eax,0x4C2BF0 | 4C2BF0:"无效的 ID 或名字" 85 004C2B63 | E8 680D0000 | call 0x4C38D0 | 86 004C2B68 | 8B45 EC | mov eax,dword ptr ss:[ebp-0x14] | 87 004C2B6B | 66:8B0D 202C4C00 | mov cx,word ptr ds:[0x4C2C20] | 88 004C2B72 | B2 01 | mov dl,0x1 | 89 004C2B74 | E8 2F4BF7FF | call 0x4376A8 | 90 004C2B79 | 33C0 | xor eax,eax | 91 004C2B7B | 5A | pop edx | edx:EntryPoint 92 004C2B7C | 59 | pop ecx | ecx:EntryPoint 93 004C2B7D | 59 | pop ecx | ecx:EntryPoint 94 004C2B7E | 64:8910 | mov dword ptr fs:[eax],edx | edx:EntryPoint 95 004C2B81 | 68 A82B4C00 | push 0x4C2BA8 | 96 004C2B86 | 8D45 EC | lea eax,dword ptr ss:[ebp-0x14] | 97 004C2B89 | BA 03000000 | mov edx,0x3 | edx:EntryPoint 98 004C2B8E | E8 211EF4FF | call 0x4049B4 | 99 004C2B93 | 8D45 F8 | lea eax,dword ptr ss:[ebp-0x8] | 100 004C2B96 | BA 02000000 | mov edx,0x2 | edx:EntryPoint 101 004C2B9B | E8 141EF4FF | call 0x4049B4 | 102 004C2BA0 | C3 | ret | 103 004C2BA1 | E9 CE17F4FF | jmp 0x404374 | 104 004C2BA6 | EB DE | jmp 0x4C2B86 | 105 004C2BA8 | 5F | pop edi | edi:EntryPoint 106 004C2BA9 | 5E | pop esi | esi:EntryPoint 107 004C2BAA | 5B | pop ebx | 108 004C2BAB | 8BE5 | mov esp,ebp | 109 004C2BAD | 5D | pop ebp | 110 004C2BAE | C3 | ret |
其中
004C2AC6 | 0F84 8D000000 | je 0x4C2B59
跳过了一大段,根据经验不能让它跳。
但是这里不直接更改跳转。跟进
004C2ABF | E8 B8940000 | call 0x4CBF7C
这个call,修改如下
004CBF7C | 33C0 | xor eax,eax | 004CBF7E | 40 | inc eax | 004CBF7F | C3 | ret |
直接对eax置1 然后返回,F9让程序跑起来
已经注册成功了。
那么为什么不直接更改跳转指令呢?
这个软件除了在验证注册码的时候有校验,启动的时候会根据 .ini 中的信息再一次校验,直接patch校验注册的函数 让它return TRUE 可以一次性bypass所有的认证
如果单单改那个跳转,每次打开exescope就得重新注册一次。
2024-01-31 11:31:23【出处】:https://www.cnblogs.com/BD1A489/p/9825382.html
=======================================================================================
eXeScope注册码算法bat版
脚本宝典收集整理的这篇文章主要介绍了eXeScope注册码算法bat版,脚本宝典觉得挺不错的,现在分享给大家,也给大家做个参考。
eXeScoPE的官方网站是:http://hp.vector.co.jp/authors/VA003525/emysoft.htm
除了eXeScope以外还有一些其他的软件,不过似乎不怎么出名。
eXeScope汉化特别版下载地址: https://www.js-code.com/softs/32587.html
正确的注册码满足下列条件:含有十个字符;前五位为A1910或者A1423;第2至10位必须为数字;注册码第九位和第十位的ASCII码加和,除以10的余数必须为4。
最后一个条件换种表达方式就是第九位和第十位数字相加起来是8或者18(两位均为9)。
一个可用的注册码:A191067880
或者可以使用下面的批处理生成:
来自链接: http://demon.tw/software/exescope-regcode.html
脚本宝典总结
以上是脚本宝典为你收集整理的eXeScope注册码算法bat版全部内容,希望文章能够帮你解决eXeScope注册码算法bat版所遇到的问题。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。
出处:http://www.js-code.com/dosbat/dosbat_106305.html
=======================================================================================
eXeScope V6.41 的注册算法破解
- 标 题:eXeScope V6.41 的注册算法破解
- 作 者:小虾
- 时 间:004-05-03,01:07
- 链 接:http://bbs.pediy.com
eXeScope V6.41 的注册算法破解
【软件名称】:eXeScope V6.41
【软件语言】:英文
【应用平台】:Win9x/NT/2000/XP
【难 度】:简单,献给像我等这样的菜鸟学习
【破解工具】TRW2000 1.23,winDasm V8.93汉化版(写教程用)
【软件介绍】:
功能强大的软件资源分析工具(地球人都知道),升到了6.41版了。
近来闲来无事,就分析了这个软件的算法,启动TRW2000,点击帮助/注册,输入:
用户名:小虾
假 码:7878787878 ←必须输够十位,等下就知道。
按快捷键:Ctrl+N弹出TRW2000调试界面。输入万能断点:Hmemcpy,按F5键返回,点击注册按钮,被TRW拦到,来到以下地方:
:004C2170 8B1528EE4C00 mov edx, dword ptr [004CEE28]
:004C2176 8B12 mov edx, dword ptr [edx] ←EDX为你输入的注册码
:004C2178 A130EC4C00 mov eax, dword ptr [004CEC30]
:004C217D 8B00 mov eax, dword ptr [eax]
:004C217F E82C8F0000 call 004CB0B0 ←关键Call,按F8进入
:004C2184 84C0 test al, al ←测试al值是否为1
:004C2186 0F848D000000 je 004C2219 ←经典跳转,跳就死,暴力破解的话将这里NOP就行了。
:004C218C A1C4EE4C00 mov eax, dword ptr [004CEEC4]
:004C2191 8B00 mov eax, dword ptr [eax]
:004C2193 E8B82AF4FF call 00404C50
:004C2198 85C0 test eax, eax
:004C219A 7E7D jle 004C2219
:004C219C 8D55F0 lea edx, dword ptr [ebp-10]
:004C219F A1D8EE4C00 mov eax, dword ptr [004CEED8]
:004C21A4 8B00 mov eax, dword ptr [eax]
:004C21A6 E8B904FDFF call 00492664
:004C21AB 8B45F0 mov eax, dword ptr [ebp-10]
:004C21AE 8D4DF4 lea ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->".ini"
|
:004C21B1 BA78224C00 mov edx, 004C2278
:004C21B6 E85D79F4FF call 00409B18
:004C21BB 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004C21BE B201 mov dl, 01
:004C21C0 A124BE4300 mov eax, dword ptr [0043BE24]
:004C21C5 E80A9DF7FF call 0043BED4
:004C21CA 8BF0 mov esi, eax
:004C21CC A1C4EE4C00 mov eax, dword ptr [004CEEC4]
:004C21D1 8B00 mov eax, dword ptr [eax]
:004C21D3 50 push eax
* Possible StringData Ref from Code Obj ->"Name"
|
:004C21D4 B988224C00 mov ecx, 004C2288
* Possible StringData Ref from Code Obj ->"Reg"
|
:004C21D9 BA98224C00 mov edx, 004C2298
:004C21DE 8BC6 mov eax, esi
:004C21E0 8B38 mov edi, dword ptr [eax]
:004C21E2 FF5704 call [edi+04]
:004C21E5 A128EE4C00 mov eax, dword ptr [004CEE28]
:004C21EA 8B00 mov eax, dword ptr [eax]
:004C21EC 50 push eax
* Possible StringData Ref from Code Obj ->"Reg"
|
:004C21ED BA98224C00 mov edx, 004C2298
:004C21F2 B9A4224C00 mov ecx, 004C22A4
:004C21F7 8BC6 mov eax, esi
:004C21F9 8B38 mov edi, dword ptr [eax]
:004C21FB FF5704 call [edi+04]
:004C21FE 8BC6 mov eax, esi
:004C2200 E8DB19F4FF call 00403BE0
:004C2205 A138EC4C00 mov eax, dword ptr [004CEC38]
:004C220A C60001 mov byte ptr [eax], 01
:004C220D C7834C02000001000000 mov dword ptr [ebx+0000024C], 00000001
:004C2217 EB20 jmp 004C2239
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C2186(C), :004C219A(C)
|
:004C2219 6A00 push 00000000 ←跳到这里你以经完了。
:004C221B 8D55EC lea edx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"错误注册码或姓名!;搊榐ID傑偨偼柤慜偑柍岠偱偡"
|
:004C221E B8B0224C00 mov eax, 004C22B0
:004C2223 E8280C0000 call 004C2E50 ←出错的对话框
这里是上面按F8进的Call里面,分析算法就在这里。
:004CB0B0 55 push ebp
:004CB0B1 8BEC mov ebp, esp
:004CB0B3 51 push ecx
:004CB0B4 53 push ebx
:004CB0B5 8955FC mov dword ptr [ebp-04], edx
:004CB0B8 8B45FC mov eax, dword ptr [ebp-04]
:004CB0BB E8809DF3FF call 00404E40
:004CB0C0 33C0 xor eax, eax
:004CB0C2 55 push ebp
:004CB0C3 684FB14C00 push 004CB14F
:004CB0C8 64FF30 push dword ptr fs:[eax]
:004CB0CB 648920 mov dword ptr fs:[eax], esp
:004CB0CE 33DB xor ebx, ebx
:004CB0D0 8B45FC mov eax, dword ptr [ebp-04] ←EAX为你的假码
:004CB0D3 E8789BF3FF call 00404C50 ←取得假码的位数
:004CB0D8 83F80A cmp eax, 0000000A ←比较假码是不是十位,
:004CB0DB 755C jne 004CB139 ←不到十位或超过十位送你上西天
:004CB0DD 8B55FC mov edx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"A1910"
|
:004CB0E0 B864B14C00 mov eax, 004CB164 ←EAX为A1910
:004CB0E5 E8AA9EF3FF call 00404F94 ←检查你的注册码前五位是不是A1910
:004CB0EA 48 dec eax
:004CB0EB 7410 je 004CB0FD ←是就跳到004CB0FD继续。不是就接着往下比较
:004CB0ED 8B55FC mov edx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"A1423"
|
:004CB0F0 B874B14C00 mov eax, 004CB174 ←如果你的注册码前五位不是A1910就走到这里,现EAX值是A1423
:004CB0F5 E89A9EF3FF call 00404F94 ←比较注册码前五位是不是A1423
:004CB0FA 48 dec eax
:004CB0FB 753C jne 004CB139 ←不是就跳,送你上西天。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CB0EB(C)
|
:004CB0FD B802000000 mov eax, 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CB117(C)
|
:004CB102 8B55FC mov edx, dword ptr [ebp-04] ←EDX值为假码
:004CB105 8A5402FF mov dl, byte ptr [edx+eax-01] ←依次取出假码的第二位
:004CB109 80FA30 cmp dl, 30 ←比较
:004CB10C 722B jb 004CB139 ←小于30就送你上西天
:004CB10E 80FA39 cmp dl, 39 ←比较
:004CB111 7726 ja 004CB139 ←大于39就送你上西天
:004CB113 40 inc eax ←计数加1
:004CB114 83F80B cmp eax, 0000000B ←比较
:004CB117 75E9 jne 004CB102 ←EAX小于0B继续跳到上面比较下一个假码。
:004CB119 8B45FC mov eax, dword ptr [ebp-04] ←EAX为假码
:004CB11C 0FB64008 movzx eax, byte ptr [eax+08] ←取出假码的第九位数
:004CB120 8B55FC mov edx, dword ptr [ebp-04] ←EDX为假码
:004CB123 0FB65209 movzx edx, byte ptr [edx+09] ←取出假码的第十位数
:004CB127 03C2 add eax, edx ←EAX和EDX相加
:004CB129 B90A000000 mov ecx, 0000000A ←ECX值为0000000A
:004CB12E 33D2 xor edx, edx ←EDX清0
:004CB130 F7F1 div ecx ←EAX和ECX相除,整数保存在EAX中,余数保存在EDX
:004CB132 83FA04 cmp edx, 00000004 ←比较
:004CB135 7502 jne 004CB139 ←若相除的余数不相等就送你上西天。算法到这里也就结束了,以下不管它了
:004CB137 B301 mov bl, 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004CB0DB(C), :004CB0FB(C), :004CB10C(C), :004CB111(C), :004CB135(C)
|
:004CB139 33C0 xor eax, eax
:004CB13B 5A pop edx
:004CB13C 59 pop ecx
:004CB13D 59 pop ecx
:004CB13E 648910 mov dword ptr fs:[eax], edx
:004CB141 6856B14C00 push 004CB156
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CB154(U)
|
:004CB146 8D45FC lea eax, dword ptr [ebp-04]
:004CB149 E84298F3FF call 00404990
:004CB14E C3 ret ←返回子程序
经过以上分析,得出算法:
1、与用户名无关,
2、注册码前五位必须是:A1910和A1423
3、第二位以后的注册码必须是数字0~9
4、注册码第六位和第八位可以是任意数。
5、注册码第九位和第十位注册码也可任意输入,但他们相加再除的余数必须余4,否则注册不成功
例如:A1910XXX08或A1423XXX08就可以注册成功。
好了,有以上信息,可以写注册机了(我的编程技术太烂,注册机就让你们去写吗!呵呵~~),我也累了,分析这个软件花了几分钟,但写这个教程用了半个钟头呀。
作者:小虾
2004年5月3日
出处:https://www.pediy.com/kssd/pediy06/pediy6535.htm
=======================================================================================
破解心得之eXeScope篇
使用工具:Fileinfo v2.43、W32DSM白金版汉化版、TRW2000 v1.22
由于这个软件没有加壳,因此破解相对容易一些,且注册算法也不复杂,很适合初学者破解。
先执行TRW2000,然后运行该软件,填好Your Name和ID后,按Ctrl+N激活TRW2000,然后键入"BPX HMEMCPY",
按F5跳回程序,然后点OK就会被拦下,再键入"pmodule",继续按F10。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A7BAA(C)
|
:004A7BBE 8D55F0 lea edx, dword ptr [ebp-10]
:004A7BC1 8B45FC mov eax, dword ptr [ebp-04]
:004A7BC4 8B80D0020000 mov eax, dword ptr [eax+000002D0]
:004A7BCA E885B7F8FF call 00433354
:004A7BCF 8B55F0 mov edx, dword ptr [ebp-10] <--经过几个RET以后来到这里
:004A7BD2 A1B8594B00 mov eax, dword ptr [004B59B8]
:004A7BD7 E830C0F5FF call 00403C0C
:004A7BDC 8D55EC lea edx, dword ptr [ebp-14]
:004A7BDF 8B45FC mov eax, dword ptr [ebp-04]
:004A7BE2 8B80D4020000 mov eax, dword ptr [eax+000002D4]
:004A7BE8 E867B7F8FF call 00433354
:004A7BED 8B55EC mov edx, dword ptr [ebp-14]
:004A7BF0 A134594B00 mov eax, dword ptr [004B5934]
:004A7BF5 E812C0F5FF call 00403C0C
:004A7BFA 8B1534594B00 mov edx, dword ptr [004B5934]
:004A7C00 8B12 mov edx, dword ptr [edx]
:004A7C02 A174574B00 mov eax, dword ptr [004B5774]
:004A7C07 8B00 mov eax, dword ptr [eax]
:004A7C09 E8DA8D0000 call 004B09E8 <--核心CALL,按F8进入
:004A7C0E 84C0 test al, al
:004A7C10 0F8498000000 je 004A7CAE <--一定不能跳转
:004A7C16 A1B8594B00 mov eax, dword ptr [004B59B8]
:004A7C1B 8B00 mov eax, dword ptr [eax]
:004A7C1D E816C2F5FF call 00403E38
:004A7C22 85C0 test eax, eax
:004A7C24 0F8E84000000 jle 004A7CAE <--一定不能跳转
:004A7C2A 8D55E4 lea edx, dword ptr [ebp-1C]
:004A7C2D A1C4594B00 mov eax, dword ptr [004B59C4]
:004A7C32 8B00 mov eax, dword ptr [eax]
:004A7C34 E82F9BFAFF call 00451768
:004A7C39 8B45E4 mov eax, dword ptr [ebp-1C]
:004A7C3C 8D4DE8 lea ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->".ini"
|
:004A7C3F BA0C7D4A00 mov edx, 004A7D0C
:004A7C44 E8F319F6FF call 0040963C
:004A7C49 8B4DE8 mov ecx, dword ptr [ebp-18]
:004A7C4C B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"XuG"
|
:004A7C4E A1906E4700 mov eax, dword ptr [00476E90]
:004A7C53 E8E0F2FCFF call 00476F38
:004A7C58 8945F8 mov dword ptr [ebp-08], eax
:004A7C5B A1B8594B00 mov eax, dword ptr [004B59B8]
:004A7C60 8B00 mov eax, dword ptr [eax]
:004A7C62 50 push eax
* Possible StringData Ref from Code Obj ->"Name"
|
:004A7C63 B91C7D4A00 mov ecx, 004A7D1C
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C68 BA2C7D4A00 mov edx, 004A7D2C
:004A7C6D 8B45F8 mov eax, dword ptr [ebp-08]
:004A7C70 8B18 mov ebx, dword ptr [eax]
:004A7C72 FF5304 call [ebx+04]
:004A7C75 A134594B00 mov eax, dword ptr [004B5934]
:004A7C7A 8B00 mov eax, dword ptr [eax]
:004A7C7C 50 push eax
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A7C7D BA2C7D4A00 mov edx, 004A7D2C
:004A7C82 B9387D4A00 mov ecx, 004A7D38
:004A7C87 8B45F8 mov eax, dword ptr [ebp-08]
:004A7C8A 8B18 mov ebx, dword ptr [eax]
:004A7C8C FF5304 call [ebx+04]
:004A7C8F 8B45F8 mov eax, dword ptr [ebp-08]
:004A7C92 E83DB2F5FF call 00402ED4
:004A7C97 A17C574B00 mov eax, dword ptr [004B577C]
:004A7C9C C60001 mov byte ptr [eax], 01
:004A7C9F 8B45FC mov eax, dword ptr [ebp-04]
:004A7CA2 C7803402000001000000 mov dword ptr [ebx+00000234], 00000001
:004A7CAC EB20 jmp 004A7CCE
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A7C10(C), :004A7C24(C)
|
:004A7CAE 6A00 push 00000000
:004A7CB0 8D55E0 lea edx, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->"Invalid ID or Name;o^IDO" <--错误信息对话框
|
:004A7CB3 B8447D4A00 mov eax, 004A7D44
:004A7CB8 E8D79D0000 call 004B1A94
:004A7CBD 8B45E0 mov eax, dword ptr [ebp-20]
:004A7CC0 668B0D747D4A00 mov cx, word ptr [004A7D74]
:004A7CC7 B201 mov dl, 01
:004A7CC9 E88E01FBFF call 00457E5C
在上面的核心CALL按F8进入后会来到如下地方:
* Referenced by a CALL at Addresses:
|:004A7C09 , :004B088C
|
:004B09E8 55 push ebp
:004B09E9 8BEC mov ebp, esp
:004B09EB 83C4F0 add esp, FFFFFFF0
:004B09EE 8955F8 mov dword ptr [ebp-08], edx
:004B09F1 8945FC mov dword ptr [ebp-04], eax
:004B09F4 8B45F8 mov eax, dword ptr [ebp-08]
:004B09F7 E8F035F5FF call 00403FEC
:004B09FC 33C0 xor eax, eax
:004B09FE 55 push ebp
:004B09FF 689F0A4B00 push 004B0A9F
:004B0A04 64FF30 push dword ptr fs:[eax]
:004B0A07 648920 mov dword ptr fs:[eax], esp
:004B0A0A C645F700 mov [ebp-09], 00
:004B0A0E 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A11 E82234F5FF call 00403E38 <--求ID长度
:004B0A16 83F80A cmp eax, 0000000A <--判断ID的长度是否等于10
:004B0A19 756E jne 004B0A89 <--不等的话跳转,一定不能跳转
:004B0A1B 8B55F8 mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1910"
|
:004B0A1E B8B80A4B00 mov eax, 004B0AB8 <--[004B0AB8]为"A1910"
:004B0A23 E8FC36F5FF call 00404124 <--判断ID的前五个字符是否为"A1910"
:004B0A28 48 dec eax
:004B0A29 7410 je 004B0A3B
:004B0A2B 8B55F8 mov edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"A1423"
|
:004B0A2E B8C80A4B00 mov eax, 004B0AC8 <--[004B0AC8]为"A1423"
:004B0A33 E8EC36F5FF call 00404124 <--判断ID的前五个字符是否为"A1423"
:004B0A38 48 dec eax
:004B0A39 754E jne 004B0A89 <--这个一定不能跳转
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A29(C)
|
:004B0A3B C745F002000000 mov [ebp-10], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0A65(C)
|
:004B0A42 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A45 8B55F0 mov edx, dword ptr [ebp-10]
:004B0A48 8A4410FF mov al, byte ptr [eax+edw-01]
:004B0A4C 3C30 cmp al, 30
:004B0A4E 7239 jb 004B0A89
:004B0A50 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A53 8B55F0 mov edx, dword ptr [ebp-10]
:004B0A56 8A4410FF mov al, byte ptr [eax+edw-01]
:004B0A5A 3C39 cmp al, 39
:004B0A5C 772B ja 004B0A89
:004B0A5E FF45F0 inc [ebp-10]
:004B0A61 837DF00B cmp dword ptr [ebp-10], 0000000B
:004B0A65 75DB jne 004B0A42
:004B0A67 8B45F8 mov eax, dword ptr [ebp-08]
:004B0A6A 0FB64008 movzx eax, byte ptr [eax+08] <--输入的ID的倒数第二个字符的ASCII码送入EAX
:004B0A6E 8B55F8 mov edx, dword ptr [ebp-08]
:004B0A71 0FB65209 movzx edx, byte ptr [edx+09] <--输入的ID的倒数最后一个字符的ASCII码送入EDX
:004B0A75 03C2 add eax, edx
:004B0A77 B90A000000 mov ecx, 0000000A
:004B0A7C 33D2 xor edx, edx
:004B0A7E F7F1 div ecx <--EAX除以10
:004B0A80 83FA04 cmp edx, 00000004 <--比较余数是否等于4
:004B0A83 7504 jne 004B0A89 <--不等于4的话则跳转,一定不能跳转
:004B0A85 C645F701 mov [ebp-09], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B0A19(C), :004B0A39(C), :004B0A4E(C), :004B0A5C(C), :004B0A83(C)
|
:004B0A89 33C0 xor eax, eax
:004B0A8B 5A pop edx
:004B0A8C 59 pop ecx
:004B0A8D 59 pop ecx
:004B0A8E 648910 mov dword ptr fs:[eax], edx
:004B0A91 68A60A4B00 push 004B0AA6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0AA4(U)
|
:004B0A96 8D45F8 lea eax, dword ptr [ebp-08]
:004B0A99 E81A31F5FF call 00403BB8
:004B0A9E C3 ret
现在我们知道了注册码的形式为A1910xxxxx或A1423xxxxx,其中第6、7、8个字符为任意字符,而第9、10个字符的ASCII
码的和的个位数为4就可以正确的注册了!!
出处:https://bbs.kanxue.com/article-1788.htm
=======================================================================================
如果,您希望更容易地发现我的新博客,不妨点击一下绿色通道的【关注我】。(●'◡'●)
因为,我的写作热情也离不开您的肯定与支持,感谢您的阅读,我是【Jack_孟】!
本文来自博客园,作者:jack_Meng,转载请注明原文链接:https://www.cnblogs.com/mq0036/p/17998881
【免责声明】本文来自源于网络,如涉及版权或侵权问题,请及时联系我们,我们将第一时间删除或更改!
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· 单线程的Redis速度为什么快?
2023-01-31 提示文件或文件夹已在另一个程序中打开,无法删除怎么办?
2021-01-31 网络接口库函数mpr.dll动态库
2019-01-31 DevExpress控件使用方法:第二篇 barManager
2019-01-31 DevExpress控件使用方法:第一篇 gridControl详解
2019-01-31 DevExpress 控件使用菜单栏之BarManager
2017-01-31 DWZ富客户端HTML框架