010Editor的破解,做个记录
首先在OD中打开010Editor,然后搜索字符串"Invalid name",可以看到有字符串"Invalid name or password. Please enter your name and password exactly as given when you purchased 010 Editor (make sure no quotes are included)."
跟踪到汇编窗口中,向上查找头部开始处
015380E0 > \6A FF push -1
接下来一段是取用户名和密码,略过
再下来是验证过程:
// 开始校验
0153846F . 51 push ecx
01538470 . 8B0D CC4D8701 mov ecx, dword ptr [1874DCC]
01538476 . E8 60A1E8FF call 013C25DB
0153847B . 8B0D CC4D8701 mov ecx, dword ptr [1874DCC]
01538481 . 68 23400000 push 4023
01538486 . 6A 07 push 7
01538488 . E8 7E11E9FF call 013C960B ;校验
0153848D . 8B0D CC4D8701 mov ecx, dword ptr [1874DCC]
01538493 . 68 23400000 push 4023
01538498 . 6A 07 push 7
0153849A . 8BD8 mov ebx, eax
0153849C . E8 D807E9FF call 013C8C79 ;校验
push ecx,结构
0018D43C 98 A6 7D 08 01 00 00 00 60 FF 89 08 10 A6 7D 08 槮}...`?
0018D44C 70 F4 83 08 00 D5 18 00 32 4B 6C 01 01 00 00 00 p魞.?.2Kl...
{
QString u"01234-4567-89ab-cdef-3456"
NUM 1
QString u"01"
QString u"01234-4567-89ab-cdef-3456"
QString u"deadash"
}
mov ecx,x
00852BC8 00 18 26 6C 70 F4 83 08 88 A5 7D 08 50 72 81 08 .&lp魞垾}Pr?
{
QString::shared_null
QString u"deadash"
QString u"01234-4567-89ab-cdef-3456"
QString u""
}
=========================================================================================
013C25DB:
0161E0AE . 52 push edx
0161E0AF . 8BCE mov ecx, esi
0161E0B1 . E8 C4AADAFF call 013C8B7A
// 转化字符串为 16进制值 保存到堆栈临时变量中
esp -> 0018D3DC
// 01234-4567-89ab-cdef-3456
$+1C > 67452301
$+20 > EFCDAB89
0018D3F8<$+1C> 01 23 45 67 89 AB CD EF 34 56 18 00 #Eg壂惋4V.≡
pass[10] = { 01 23 45 67 89 AB CD EF 34 56};
0161E0DE . 8A4424 1F mov al, byte ptr [esp+1F] ;67
0161E0E2 . 8A5C24 21 mov bl, byte ptr [esp+21] ;AB
// al = pass[3], bl = pass[5];
BYTE bRet = 0;
switch(al)
{
case 0x9C:
L_EOEA:
break;
case 0xFC:
break;
case 0xAC:
break;
default:
bRet = 0xE7
break;
}
------------------------------------------------------------------------------------------
L_EOEA:([esp+1c] -> pass[0])
0161E0EA . 8A5424 23 mov dl, byte ptr [esp+23] ; Case 9C of switch 0161E0E6
0161E0EE . 325424 1D xor dl, byte ptr [esp+1D]
0161E0F2 . 8A4C24 22 mov cl, byte ptr [esp+22]
0161E0F6 . 324C24 1C xor cl, byte ptr [esp+1C]
0161E0FA . 66:0FB6C2 movzx ax, dl
0161E0FE . 884C24 18 mov byte ptr [esp+18], cl
// ax = p[7] ^ p[1]
// t = p[6] ^ p[0] ; t-> [esp+18]
0161E102 . B9 00010000 mov ecx, 100
0161E107 . 66:0FAFC1 imul ax, cx
// ax *= 0x100;
0161E10B . 8AD3 mov dl, bl ; bl = pass[5]
0161E10D . 325424 1E xor dl, byte ptr [esp+1E]
0161E111 . 66:0FB6CA movzx cx, dl
0161E115 . 8B5424 18 mov edx, dword ptr [esp+18]
0161E119 . 66:03C1 add ax, cx
// ax += pass[5] ^ pass[2];
0161E11C . 52 push edx ;t
0161E11D . 0FB7F8 movzx edi, ax ;规避值 -> edi
0161E120 . E8 BA8BDAFF call 013C6CDF
L_6CDF:
0161C870 > \8A4424 04 mov al, byte ptr [esp+4]
0161C874 . 34 18 xor al, 18
0161C876 . 04 3D add al, 3D
0161C878 . 34 A7 xor al, 0A7
0161C87A . C3 retn
// return ((param ^ 0x18) + 0x3D) ^ 0xA7;
//L_6CDF(t);
0161E125 . 0FB6C0 movzx eax, al
0161E128 . 57 push edi
0161E129 . 8946 1C mov dword ptr [esi+1C], eax
0161E12C . E8 3997DAFF call 013C786A
// save eax -> [esi+0x1c]
L_C880:
0161C880 > \8B4424 04 mov eax, dword ptr [esp+4]
0161C884 . 35 92780000 xor eax, 7892
0161C889 . 05 304D0000 add eax, 4D30
0161C88E . 35 21340000 xor eax, 3421
0161C893 . 0FB7C0 movzx eax, ax
0161C896 . 99 cdq
0161C897 . B9 0B000000 mov ecx, 0B
0161C89C . F7F9 idiv ecx
0161C89E . 85D2 test edx, edx
0161C8A0 . 74 02 je short 0161C8A4
0161C8A2 . 33C0 xor eax, eax
0161C8A4 > C3 retn
//WORD k = (((param^0x7892+0x4D30)^0x3421));
// if(k % 0x0B !=0) return 0;
// else return (k/0x0B);
//L_C880(edi);
0161E131 . 8B4E 1C mov ecx, dword ptr [esi+1C]
0161E134 . 0FB7C0 movzx eax, ax
0161E137 . 83C4 08 add esp, 8
0161E13A . 8946 20 mov dword ptr [esi+20], eax
// 保存 -> [esi+0x20];
// 取ecx<- [esi+0x1C];
0161E13D . 85C9 test ecx, ecx
0161E13F . 0F84 3B010000 je 0161E280
0161E145 . 85C0 test eax, eax
0161E147 . 0F84 33010000 je 0161E280
0161E14D . 3D E8030000 cmp eax, 3E8
0161E152 . 0F87 28010000 ja 0161E280
// if(ecx == 0 || eax ==0 || eax >0x3E8) return 0xE7;
0161E158 . 83F9 02 cmp ecx, 2
0161E15B . 1BFF sbb edi, edi
0161E15D . 23F9 and edi, ecx
// (ecx<2.cf=1) (ecx>=2.cf=0) edi=0-cf. edi&=ecx
// edi = ecx \ edi = 0 。对下面的调用有影响
0161E23B . 8B41 0C mov eax, dword ptr [ecx+C] ; name="deadash"
0161E23E . 8B56 20 mov edx, dword ptr [esi+20] ; 上面保存的值 /0x0B,可能是点击次数
0161E243 . 807C24 1F FC cmp byte ptr [esp+1F], 0FC
// 比较 pass[3] == 0xFC
============================================================================================
0161E248 . 52 push edx
0161E249 . 0F95C1 setne cl
0161E24C . 57 push edi
0161E24D . 51 push ecx
0161E24E . 50 push eax
0161E24F . E8 9846DAFF call 013C28EC
// 用户名处理
堆栈
$-10 > 0880EAC0 ASCII "deadash" ;eax // name
$-C > 00000001 ;cl = (pass[3]==0xFC)?0:1. // param1
$-8 > 00000000 ;edi // 可能是版本 // param2
$-4 > 00000001 ;edx // 手工赋值为 1 // param3
0161C510 > /8A08 mov cl, byte ptr [eax]
0161C512 . |40 inc eax
0161C513 . |84C9 test cl, cl
0161C515 .^\75 F9 jnz short 0161C510
0161C51B . 894424 10 mov dword ptr [esp+10], eax
// strlen(name) -> 临时变量 [esp+10]
0161C525 . 8B4424 24 mov eax, dword ptr [esp+24]
// eax <- param3
0161C52B . 8BF8 mov edi, eax
0161C52D . C1E7 04 shl edi, 4
0161C530 . 2BF8 sub edi, eax ; param3 << 4 - param3(param3 *15)
0161C532 . 8B4424 28 mov eax, dword ptr [esp+28] ;param2
0161C536 . 8BF0 mov esi, eax
0161C538 . C1E6 04 shl esi, 4
0161C53B . 895C24 14 mov dword ptr [esp+14], ebx ; ebx 固定0
0161C53F . 895C24 10 mov dword ptr [esp+10], ebx
0161C543 . 03F0 add esi, eax ;param2 << 4 + param2 (param2 *17)
LOOP:
0161C545 > /8B4424 20 mov eax, dword ptr [esp+20] ;name,"deadash"
0161C549 . |0FB60C03 movzx ecx, byte ptr [ebx+eax] ;eax ->&pName, ebx-> i(0)
0161C54D . 51 push ecx ; /c
0161C54E . FF15 60908701 call dword ptr [<&MSVCR90.toupper>] ; \toupper
// c = name[i].toupper;
0161C557 . 837C24 24 00 cmp dword ptr [esp+24], 0 ;param1
0161C55C . 74 5B je short 0161C5B9
if(param1 != 0)
---> L_C55E
else
---> L_C5B9
L_C55E:
0161C55E . 8B0C85 F0B586>mov ecx, dword ptr [eax*4+186B5F0]
0161C565 . 8D50 0D lea edx, dword ptr [eax+D]
0161C568 . 81E2 FF000000 and edx, 0FF
0161C56E . 03CD add ecx, ebp // ecx = p[c]+ ebp; -- ebp初始值为0
0161C570 . 330C95 F0B586>xor ecx, dword ptr [edx*4+186B5F0] // ecx ^= p[ BYTE(c+D)];
0161C577 . 83C0 2F add eax, 2F
0161C57A . 25 FF000000 and eax, 0FF
0161C57F . 0FAF0C85 F0B5>imul ecx, dword ptr [eax*4+186B5F0] // ecx *= p[ BYTE(c+0x2F)];
0161C587 . 8BD6 mov edx, esi
0161C589 . 81E2 FF000000 and edx, 0FF
0161C58F . 030C95 F0B586>add ecx, dword ptr [edx*4+186B5F0] // ecx += p[ BYTE(esi)]; -- esi有初始值
0161C596 . 8B5424 10 mov edx, dword ptr [esp+10] // 初始值为0
0161C59A . 8BC7 mov eax, edi
0161C59C . 25 FF000000 and eax, 0FF
0161C5A1 . 030C85 F0B586>add ecx, dword ptr [eax*4+186B5F0] // ecx += p[ BYTE(edi)]; -- edi有初始值
0161C5A8 . 81E2 FF000000 and edx, 0FF
0161C5AE . 030C95 F0B586>add ecx, dword ptr [edx*4+186B5F0] // ecx += p[ BYTE(t1)]; --临时变量 [esp+10],初始0
0161C5B5 . 8BE9 mov ebp, ecx // ebp <- ecx ,保存值
// k = (k + p[c]) ^ p[c+d] * p[c+2F] + p[esi]+ p[edi] + p[t1] ;
L_c5b9:
0161C5B9 > \8B1485 F0B586>mov edx, dword ptr [eax*4+186B5F0]
0161C5C0 . 8D48 3F lea ecx, dword ptr [eax+3F]
0161C5C3 . 03D5 add edx, ebp
0161C5C5 . 83C0 17 add eax, 17
0161C5C8 . 81E1 FF000000 and ecx, 0FF
0161C5CE . 33148D F0B586>xor edx, dword ptr [ecx*4+186B5F0]
0161C5D5 . 25 FF000000 and eax, 0FF
0161C5DA . 0FAF1485 F0B5>imul edx, dword ptr [eax*4+186B5F0]
0161C5E2 . 8BC6 mov eax, esi
0161C5E4 . 25 FF000000 and eax, 0FF
0161C5E9 . 031485 F0B586>add edx, dword ptr [eax*4+186B5F0]
0161C5F0 . 8B4424 14 mov eax, dword ptr [esp+14] // 临时变量 t2 初始0
0161C5F4 . 8BCF mov ecx, edi
0161C5F6 . 81E1 FF000000 and ecx, 0FF
0161C5FC . 03148D F0B586>add edx, dword ptr [ecx*4+186B5F0]
0161C603 . 25 FF000000 and eax, 0FF
0161C608 . 031485 F0B586>add edx, dword ptr [eax*4+186B5F0]
0161C60F . 8BEA mov ebp, edx
// k = (k + p[c]) ^ p[c+3f] *p[c+17] + p[esi] + p[edi] + p[t2] ;
// 全部跳转 <循环判断>
0161C611 > \834424 10 13 add dword ptr [esp+10], 13 ; t1 += 13
0161C616 . 834424 14 07 add dword ptr [esp+14], 7 ; t2 += 7
0161C61B . 43 inc ebx ;i++
0161C61C . 83C6 09 add esi, 9 ; esi += 9
0161C61F . 83C7 0D add edi, 0D ; edi += 0x0d
0161C622 . 3B5C24 18 cmp ebx, dword ptr [esp+18] ; i < len,goto loop
0161C626 .^ 0F8C 19FFFFFF jl 0161C545
// return ebp
=============================================================================================================
0161E257 . 384424 20 cmp byte ptr [esp+20], al
// 比较最低位 是否和 pass[4]相等 不等返回 0xE7
0161E28A > \8BD0 mov edx, eax
0161E28C . C1EA 08 shr edx, 8
0161E28F . 3ADA cmp bl, dl ; bl = pass[5]
// 比较第二位 是否和 pass[5]相等 不等返回 0xE7
0161E2C0 > \8BC8 mov ecx, eax
0161E2C2 . C1E9 10 shr ecx, 10
0161E2C5 . 384C24 22 cmp byte ptr [esp+22], cl
0161E2C9 .^ 75 92 jnz short 0161E25D
// 比较第三位, 是否和 pass[6]相等 不等返回 0xE7
0161E2CB . 8BD0 mov edx, eax
0161E2CD . C1EA 18 shr edx, 18
0161E2D0 . 385424 23 cmp byte ptr [esp+23], dl
// 比较第四位 是否和 pass[7]相等 不等返回 0xE7
002CE2DA . 80F9 9C cmp cl, 9C ; Switch (cases 9C..FC)
002CE2DD . 75 4E jnz short 002CE32D
全部相等 且 pass[3] == 0x9C,0xFC,0xAC:
返回 0x2d
返回 0xDB.
接下来把上面代码转换成伪代码,更便于我们分析
取 用户名
string name;
取 密码
char pass[10];
BYTE type = pass[3]; // 注册码类型
BYTE ret; // 返回结果 返回 0x2D 即注册成功
switch(type)
{
case 0x9C:// 只关注这个
break;
case 0xFC:
case 0xAC:
default:
ret = 0xE7;
break;
}
==========================================================
// 使用了 0,1,2,3,5,6,7
// 返回校验 使用了 4,5,6,7
ax = pass[7] ^ pass[1];
t = pass[6] ^ pass[0];
ax *= 0x100;
ax += pass[5] ^ pass[2];
hash_1(byte param){
return ((param ^0x18) + 0x3D) ^ 0xA7;
}
x = hash_1(t);
hash_2(word param){
word k = (((param^0x7892+0x4D30)^0x3421));
if(k % 0x0b !=0) return 0;
else return (k / 0x0b);
}
y = hash_2(ax);
if(x ==0 || y==0 || y > 0x3e8) return 0xE7;
dword check_name(string name, // "deadash"
bool type, // (type==0xFC)?false:true
int version, // x<2?x:0
int number // y,可能是人数
);
value = check_name("deadash",true,0,1);
value[0-3]; ==
pass[4],pass[5],pass[6],pass[7]
相等返回 0x2D;
================================================================
dword check_name(string name, // "deadash"
bool type, // (type==0xFC)?false:true
int version, // x<2?x:0
int number // y,可能是人数
){
esi = number * 15;
edi = version * 17;
dword ret = 0;
for(int i = 0; i < strlen(name); i++){
char k = toupper(name[i]); // 转化为大写
if(type){
ret = (ret + p[k]) ^ p[k+d] * p[k+2F] + p[esi]+ p[edi] + p[t1] ;
}else{
ret = (ret + p[k]) ^ p[k+3f] *p[k+17] + p[esi] + p[edi] + p[t2] ;
}
t1 += 13; t2 += 7;
esi += 9; edi += 0x0D;
}
}
===================================================================
加密数据 (p)
0051B5F0 B8 44 CB 39 67 4F 75 23 11 72 01 5F DA 24 BB 3E 窪?gOu#r_??
0051B600 C6 07 17 35 4B 77 F9 63 88 72 82 17 21 48 E7 0F ?5Kw鵦坮?!H?
0051B610 0F 67 5F 5B E8 5A 31 48 69 77 5B 78 47 15 7A 2B g_[鑊1Hiw[xGz+
0051B620 92 12 D1 38 32 1B A1 42 44 22 33 35 60 7B 43 77 ??2D"35`{Cw
0051B630 10 3B AB 1E 00 00 81 53 AE 12 02 1D A8 77 03 6F ;?..丼?╳o
0051B640 92 30 C0 43 8E 0A 3C 2D BF 0C 95 62 FA 6F F0 30 ?繡?<-?昩鷒?
0051B650 E0 10 F7 34 FB 17 F4 28 95 2F 0D 35 5A 1D 36 5A ?????.5Z6Z
0051B660 0B 06 CC 15 CC 13 FD 0A CF 3B 60 28 6B 06 71 33 ????`(kq3
0051B670 E4 14 CD 30 67 3A 5D 17 13 6A D6 6D F9 09 34 2D ??g:]j謒?4-
0051B680 82 7B 1E 58 99 6B 52 76 88 51 8D 5C 71 79 85 2C 倇X檏Rv圦峔qy?
0051B690 C0 1F F5 15 11 0D CC 68 5C 5E F5 49 64 43 5E 27 ??.蘦\^鮅dC^'
0051B6A0 BC 0D 1E 2D E3 7C EE 4C 40 58 55 32 08 2E 2E 11 ?-銃頛@XU2..
0051B6B0 5A 06 78 69 06 14 92 72 E7 78 45 31 B7 21 56 17 Zxi抮鐇E1?V
0051B6C0 BF 1D 77 40 D6 38 C2 3F 8A 12 31 4A 6E 03 AD 2D ?w@???1Jn?
0051B6D0 D6 69 A0 41 92 01 40 25 67 46 DD 00 4F 1F FC 6A 謎燗?@%gF?O黬
0051B6E0 CE 40 10 57 DF 66 FE 62 3E 4B DB 41 1F 23 82 35 蜙W遞>K跘#?
0051B6F0 9A 07 F6 55 44 06 A7 1C D2 43 16 1B C9 28 72 3F ?鯱D?褻?r?
0051B700 70 10 14 5F AB 74 14 3E 6E 25 4B 44 D9 50 70 53 p_玹>n%KD貾pS
0051B710 4B 09 42 0F E6 20 D8 2F 5E 2E 8B 77 02 6D 17 71 K.B??^.媤mq
0051B720 69 7A EA 7F 28 46 B5 5B 71 6C BA 19 99 3A 76 39 iz?(F礫ql??v9
0051B730 CD 54 8D 17 88 6E 24 01 7E 53 13 33 17 2D 8E 2B 蚑?坣$~S3-?
0051B740 BE 10 3D 2A 82 05 D1 59 DB 63 A1 37 9A 48 D6 30 ?=*?裏踓?欻?
0051B750 46 5C 21 6A 76 7A 1C 0E E7 60 C7 1F 65 0C B8 79 F\!jvz鏯?e.竬
0051B760 B4 59 F4 27 26 73 9A 79 82 17 BA 50 5C 6D 11 2A 碮?&s歽?篜\m*
0051B770 1B 6E 86 63 3C 0E 92 3F 90 34 02 55 89 60 B5 55 n哻<??U塦礥
0051B780 D1 1F 39 2C C2 35 80 2F 7A 2B FD 64 9A 75 E8 4C ?9,?€/z+齞歶鐻
0051B790 F0 04 85 51 A8 01 95 79 AD 2C 5B 3F 60 01 E6 38 ?匭?晊?[?`?
0051B7A0 D8 41 76 63 42 2A 35 33 19 2C A2 51 51 58 5C 08 谹vcB*53,QX\
0051B7B0 AB 17 29 03 C7 0A 77 2B B3 77 AC 30 07 19 EC 2B ?)?w+硍??
0051B7C0 D0 02 52 03 D3 33 A9 0F F3 5D 25 61 BF 06 AD 22 ?R??骫%a??
0051B7D0 71 69 B8 58 E5 0D CA 5F 56 64 0D 70 DB 73 A9 56 qi竂?蔩Vd.p踫¬
0051B7E0 FD 59 B7 5A E2 0B 0E 33 DD 0D 3C 5B 60 3C 5D 49 齓穁?3?<[`<]I
0051B7F0 A6 59 BD 53 91 6D 5E 4C 8D 31 D9 49 79 50 3D 10 絊憁^L?買yP=
0051B800 E3 42 CE 61 1D 12 D5 7E ED 60 E1 14 F2 4E 2D 21 鉈蝍諂韅?騈-!
0051B810 F0 33 01 27 96 5A 43 62 8B 5E A7 1F BE 2F 09 6F ?'朲Cb媈??.o
0051B820 49 0D 00 4A 70 1C AE 57 77 24 4E 00 72 7E 1E 56 I..Jp甒w$N.r~V
0051B830 33 00 8C 46 02 24 CC 5D C6 7A 50 78 C7 24 AF 58 3.孎$蘛苲Px?疿
0051B840 34 2D F6 0D 08 47 8A 35 11 1E FB 3C 1C 45 71 2B 4-?G??Eq+
0051B850 95 52 A7 77 21 07 89 56 F3 75 EF 0F F1 24 0F 12 昍!塚髐??
0051B860 E7 0A 99 01 52 44 9C 33 8E 5B A1 27 6D 27 A7 0B ??RD?嶽?m'?
0051B870 7B 1B DC 60 82 7F 4B 4F 07 70 DB 67 D9 57 4A 4F {躟?KOp踘賅JO
0051B880 E8 52 12 62 FC 2C 53 20 06 03 39 6A 23 04 80 18 鑂b?S 9j#€
0051B890 8A 77 F3 19 F0 16 23 46 37 09 AE 56 5C 67 C2 43 妛??#F7.甐\g翪
0051B8A0 FD 45 CA 65 F2 4F 60 0D CB 22 FD 0B 3B 64 FE 3A 鼸蔱騉`.??;d?
0051B8B0 A6 7F F6 3B 79 35 62 44 F8 31 40 18 97 4F 17 32 ??y5bD?@桹2
0051B8C0 2A 09 6A 4C 61 02 B5 5F 74 01 65 01 F1 4A 63 33 *.jLa礯te馢c3
0051B8D0 F4 18 2D 71 69 71 99 6E FE 7A AB 5D E8 2E 2B 7C ?-qiq檔玗?+|
0051B8E0 B4 75 DB 6E B6 6F 83 5F D6 6D 2A 3C C2 05 2D 29 磚踤秓僟謒*<?-)
0051B8F0 DB 44 22 05 4F 5F 9A 14 40 65 48 5D EA 15 1D 33 跠"O_?@eH]?3
0051B900 20 69 45 4F 9F 69 3A 48 05 0F 45 3B 6C 7C 20 3B iEO焛:HE;l| ;
0051B910 FE 70 9D 74 F6 61 74 41 F1 31 B0 62 7B 57 50 27 漷鯽tA?癰{WP'
0051B920 33 15 13 29 08 38 8C 58 56 34 EF 1A EC 00 3C 0F 3)8孹V4??<
0051B930 42 47 A7 7D 6C 7A 79 4B 87 32 BB 5E B8 58 65 78 BGlzyK?籢竂ex
0051B940 F2 4F ED 00 1E 69 69 62 5F 25 A2 24 7E 1F C1 62 騉?iib_%?~羈
0051B950 CD 7D 8A 2F FE 17 3B 64 B8 18 83 77 FE 60 3B 25 蛚??;d?僿;%
0051B960 A3 63 BB 34 4F 21 03 5B F4 71 15 5F 9F 6E 31 1A ?O![魆_焠1
0051B970 04 27 CF 7A 38 68 89 28 77 46 61 18 EB 69 F5 1B '蟴8h?wFa雐?
0051B980 C9 5E A8 0B 46 6B CA 6A 2A 42 43 1E 0E 5F 4D 51 蒦?Fk蔶*BC_MQ
0051B990 8C 01 3E 41 E9 26 76 30 FA 1D ED 01 5A 6F F4 49 ?>A?v0??Zo鬒
0051B9A0 2B 64 1B 46 F2 07 70 7D 57 26 65 13 C5 0B 16 6B +dF?p}W&e?k
0051B9B0 49 48 E0 65 1C 6E 52 1F B6 51 02 5A 69 3F D7 2B IH鄀nR禥Zi??
0051B9C0 CD 7A BF 2D 80 3E E6 51 0F 67 F2 5C 03 0A CD 21 蛕?€>鍽g騖.?
0051B9D0 61 02 FF 5C 1E 06 AE 33 5F 34 B6 3B 75 4A 81 5D a\?_4?uJ乚
0051B9E0 F4 5D 7B 25 5B 2C 5C 0A 27 55 A4 16 45 39 F2 16 鬩{%[,\.'U?E9?
最后,根据伪代码的分析,写出一个注册机,注册机关键代码如下所示:
typedef unsigned char u_char;
typedef unsigned int u_int;
typedef unsigned short u_short;
u_int generate(const char *name, // 用户名
u_char type, // 类型 固定 0x9C
u_char version, // 版本 -- version < 2?version:0, version必须大于7
u_char number // 用户数 (1-200 个人 200以上 site license)
);
/************************************************************************/
/* 注册码结构 */
/************************************************************************/
// pass[3] = 0x9C; // 版本 0x9C
// pass[4] = gen & 0xFF; // 低位
// pass[5] = gen >> 0x08 & 0xFF;
// pass[6] = gen >> 0x10 & 0xFF;
// pass[7] = gen >> 0x18 & 0xFF;
/************************************************************************/
/* 校验许可人数 */
/************************************************************************/
//number = _check_number( (pass[7] ^x1) * 0x100 + (pass[5] ^x2) );
u_short check_number(u_short number); // number >0 && < 1000;
// pass[1] = (HIBYTE(chk) ^ pass[7]);
// pass[2] = (LOBYTE(chk) ^ pass[5]);
/************************************************************************/
/* 校验版本 */
/************************************************************************/
u_char check_version(u_char version); // 必须大于等于 7
// pass[0] = chk ^ pass[6];
/************************************************************************/
/* 关键数据 */
/************************************************************************/
unsigned char data[1024] = {
0xB8, 0x44, 0xCB, 0x39, 0x67, 0x4F, 0x75, 0x23, 0x11, 0x72, 0x01, 0x5F, 0xDA, 0x24, 0xBB, 0x3E,
0xC6, 0x07, 0x17, 0x35, 0x4B, 0x77, 0xF9, 0x63, 0x88, 0x72, 0x82, 0x17, 0x21, 0x48, 0xE7, 0x0F,
0x0F, 0x67, 0x5F, 0x5B, 0xE8, 0x5A, 0x31, 0x48, 0x69, 0x77, 0x5B, 0x78, 0x47, 0x15, 0x7A, 0x2B,
0x92, 0x12, 0xD1, 0x38, 0x32, 0x1B, 0xA1, 0x42, 0x44, 0x22, 0x33, 0x35, 0x60, 0x7B, 0x43, 0x77,
0x10, 0x3B, 0xAB, 0x1E, 0x00, 0x00, 0x81, 0x53, 0xAE, 0x12, 0x02, 0x1D, 0xA8, 0x77, 0x03, 0x6F,
0x92, 0x30, 0xC0, 0x43, 0x8E, 0x0A, 0x3C, 0x2D, 0xBF, 0x0C, 0x95, 0x62, 0xFA, 0x6F, 0xF0, 0x30,
0xE0, 0x10, 0xF7, 0x34, 0xFB, 0x17, 0xF4, 0x28, 0x95, 0x2F, 0x0D, 0x35, 0x5A, 0x1D, 0x36, 0x5A,
0x0B, 0x06, 0xCC, 0x15, 0xCC, 0x13, 0xFD, 0x0A, 0xCF, 0x3B, 0x60, 0x28, 0x6B, 0x06, 0x71, 0x33,
0xE4, 0x14, 0xCD, 0x30, 0x67, 0x3A, 0x5D, 0x17, 0x13, 0x6A, 0xD6, 0x6D, 0xF9, 0x09, 0x34, 0x2D,
0x82, 0x7B, 0x1E, 0x58, 0x99, 0x6B, 0x52, 0x76, 0x88, 0x51, 0x8D, 0x5C, 0x71, 0x79, 0x85, 0x2C,
0xC0, 0x1F, 0xF5, 0x15, 0x11, 0x0D, 0xCC, 0x68, 0x5C, 0x5E, 0xF5, 0x49, 0x64, 0x43, 0x5E, 0x27,
0xBC, 0x0D, 0x1E, 0x2D, 0xE3, 0x7C, 0xEE, 0x4C, 0x40, 0x58, 0x55, 0x32, 0x08, 0x2E, 0x2E, 0x11,
0x5A, 0x06, 0x78, 0x69, 0x06, 0x14, 0x92, 0x72, 0xE7, 0x78, 0x45, 0x31, 0xB7, 0x21, 0x56, 0x17,
0xBF, 0x1D, 0x77, 0x40, 0xD6, 0x38, 0xC2, 0x3F, 0x8A, 0x12, 0x31, 0x4A, 0x6E, 0x03, 0xAD, 0x2D,
0xD6, 0x69, 0xA0, 0x41, 0x92, 0x01, 0x40, 0x25, 0x67, 0x46, 0xDD, 0x00, 0x4F, 0x1F, 0xFC, 0x6A,
0xCE, 0x40, 0x10, 0x57, 0xDF, 0x66, 0xFE, 0x62, 0x3E, 0x4B, 0xDB, 0x41, 0x1F, 0x23, 0x82, 0x35,
0x9A, 0x07, 0xF6, 0x55, 0x44, 0x06, 0xA7, 0x1C, 0xD2, 0x43, 0x16, 0x1B, 0xC9, 0x28, 0x72, 0x3F,
0x70, 0x10, 0x14, 0x5F, 0xAB, 0x74, 0x14, 0x3E, 0x6E, 0x25, 0x4B, 0x44, 0xD9, 0x50, 0x70, 0x53,
0x4B, 0x09, 0x42, 0x0F, 0xE6, 0x20, 0xD8, 0x2F, 0x5E, 0x2E, 0x8B, 0x77, 0x02, 0x6D, 0x17, 0x71,
0x69, 0x7A, 0xEA, 0x7F, 0x28, 0x46, 0xB5, 0x5B, 0x71, 0x6C, 0xBA, 0x19, 0x99, 0x3A, 0x76, 0x39,
0xCD, 0x54, 0x8D, 0x17, 0x88, 0x6E, 0x24, 0x01, 0x7E, 0x53, 0x13, 0x33, 0x17, 0x2D, 0x8E, 0x2B,
0xBE, 0x10, 0x3D, 0x2A, 0x82, 0x05, 0xD1, 0x59, 0xDB, 0x63, 0xA1, 0x37, 0x9A, 0x48, 0xD6, 0x30,
0x46, 0x5C, 0x21, 0x6A, 0x76, 0x7A, 0x1C, 0x0E, 0xE7, 0x60, 0xC7, 0x1F, 0x65, 0x0C, 0xB8, 0x79,
0xB4, 0x59, 0xF4, 0x27, 0x26, 0x73, 0x9A, 0x79, 0x82, 0x17, 0xBA, 0x50, 0x5C, 0x6D, 0x11, 0x2A,
0x1B, 0x6E, 0x86, 0x63, 0x3C, 0x0E, 0x92, 0x3F, 0x90, 0x34, 0x02, 0x55, 0x89, 0x60, 0xB5, 0x55,
0xD1, 0x1F, 0x39, 0x2C, 0xC2, 0x35, 0x80, 0x2F, 0x7A, 0x2B, 0xFD, 0x64, 0x9A, 0x75, 0xE8, 0x4C,
0xF0, 0x04, 0x85, 0x51, 0xA8, 0x01, 0x95, 0x79, 0xAD, 0x2C, 0x5B, 0x3F, 0x60, 0x01, 0xE6, 0x38,
0xD8, 0x41, 0x76, 0x63, 0x42, 0x2A, 0x35, 0x33, 0x19, 0x2C, 0xA2, 0x51, 0x51, 0x58, 0x5C, 0x08,
0xAB, 0x17, 0x29, 0x03, 0xC7, 0x0A, 0x77, 0x2B, 0xB3, 0x77, 0xAC, 0x30, 0x07, 0x19, 0xEC, 0x2B,
0xD0, 0x02, 0x52, 0x03, 0xD3, 0x33, 0xA9, 0x0F, 0xF3, 0x5D, 0x25, 0x61, 0xBF, 0x06, 0xAD, 0x22,
0x71, 0x69, 0xB8, 0x58, 0xE5, 0x0D, 0xCA, 0x5F, 0x56, 0x64, 0x0D, 0x70, 0xDB, 0x73, 0xA9, 0x56,
0xFD, 0x59, 0xB7, 0x5A, 0xE2, 0x0B, 0x0E, 0x33, 0xDD, 0x0D, 0x3C, 0x5B, 0x60, 0x3C, 0x5D, 0x49,
0xA6, 0x59, 0xBD, 0x53, 0x91, 0x6D, 0x5E, 0x4C, 0x8D, 0x31, 0xD9, 0x49, 0x79, 0x50, 0x3D, 0x10,
0xE3, 0x42, 0xCE, 0x61, 0x1D, 0x12, 0xD5, 0x7E, 0xED, 0x60, 0xE1, 0x14, 0xF2, 0x4E, 0x2D, 0x21,
0xF0, 0x33, 0x01, 0x27, 0x96, 0x5A, 0x43, 0x62, 0x8B, 0x5E, 0xA7, 0x1F, 0xBE, 0x2F, 0x09, 0x6F,
0x49, 0x0D, 0x00, 0x4A, 0x70, 0x1C, 0xAE, 0x57, 0x77, 0x24, 0x4E, 0x00, 0x72, 0x7E, 0x1E, 0x56,
0x33, 0x00, 0x8C, 0x46, 0x02, 0x24, 0xCC, 0x5D, 0xC6, 0x7A, 0x50, 0x78, 0xC7, 0x24, 0xAF, 0x58,
0x34, 0x2D, 0xF6, 0x0D, 0x08, 0x47, 0x8A, 0x35, 0x11, 0x1E, 0xFB, 0x3C, 0x1C, 0x45, 0x71, 0x2B,
0x95, 0x52, 0xA7, 0x77, 0x21, 0x07, 0x89, 0x56, 0xF3, 0x75, 0xEF, 0x0F, 0xF1, 0x24, 0x0F, 0x12,
0xE7, 0x0A, 0x99, 0x01, 0x52, 0x44, 0x9C, 0x33, 0x8E, 0x5B, 0xA1, 0x27, 0x6D, 0x27, 0xA7, 0x0B,
0x7B, 0x1B, 0xDC, 0x60, 0x82, 0x7F, 0x4B, 0x4F, 0x07, 0x70, 0xDB, 0x67, 0xD9, 0x57, 0x4A, 0x4F,
0xE8, 0x52, 0x12, 0x62, 0xFC, 0x2C, 0x53, 0x20, 0x06, 0x03, 0x39, 0x6A, 0x23, 0x04, 0x80, 0x18,
0x8A, 0x77, 0xF3, 0x19, 0xF0, 0x16, 0x23, 0x46, 0x37, 0x09, 0xAE, 0x56, 0x5C, 0x67, 0xC2, 0x43,
0xFD, 0x45, 0xCA, 0x65, 0xF2, 0x4F, 0x60, 0x0D, 0xCB, 0x22, 0xFD, 0x0B, 0x3B, 0x64, 0xFE, 0x3A,
0xA6, 0x7F, 0xF6, 0x3B, 0x79, 0x35, 0x62, 0x44, 0xF8, 0x31, 0x40, 0x18, 0x97, 0x4F, 0x17, 0x32,
0x2A, 0x09, 0x6A, 0x4C, 0x61, 0x02, 0xB5, 0x5F, 0x74, 0x01, 0x65, 0x01, 0xF1, 0x4A, 0x63, 0x33,
0xF4, 0x18, 0x2D, 0x71, 0x69, 0x71, 0x99, 0x6E, 0xFE, 0x7A, 0xAB, 0x5D, 0xE8, 0x2E, 0x2B, 0x7C,
0xB4, 0x75, 0xDB, 0x6E, 0xB6, 0x6F, 0x83, 0x5F, 0xD6, 0x6D, 0x2A, 0x3C, 0xC2, 0x05, 0x2D, 0x29,
0xDB, 0x44, 0x22, 0x05, 0x4F, 0x5F, 0x9A, 0x14, 0x40, 0x65, 0x48, 0x5D, 0xEA, 0x15, 0x1D, 0x33,
0x20, 0x69, 0x45, 0x4F, 0x9F, 0x69, 0x3A, 0x48, 0x05, 0x0F, 0x45, 0x3B, 0x6C, 0x7C, 0x20, 0x3B,
0xFE, 0x70, 0x9D, 0x74, 0xF6, 0x61, 0x74, 0x41, 0xF1, 0x31, 0xB0, 0x62, 0x7B, 0x57, 0x50, 0x27,
0x33, 0x15, 0x13, 0x29, 0x08, 0x38, 0x8C, 0x58, 0x56, 0x34, 0xEF, 0x1A, 0xEC, 0x00, 0x3C, 0x0F,
0x42, 0x47, 0xA7, 0x7D, 0x6C, 0x7A, 0x79, 0x4B, 0x87, 0x32, 0xBB, 0x5E, 0xB8, 0x58, 0x65, 0x78,
0xF2, 0x4F, 0xED, 0x00, 0x1E, 0x69, 0x69, 0x62, 0x5F, 0x25, 0xA2, 0x24, 0x7E, 0x1F, 0xC1, 0x62,
0xCD, 0x7D, 0x8A, 0x2F, 0xFE, 0x17, 0x3B, 0x64, 0xB8, 0x18, 0x83, 0x77, 0xFE, 0x60, 0x3B, 0x25,
0xA3, 0x63, 0xBB, 0x34, 0x4F, 0x21, 0x03, 0x5B, 0xF4, 0x71, 0x15, 0x5F, 0x9F, 0x6E, 0x31, 0x1A,
0x04, 0x27, 0xCF, 0x7A, 0x38, 0x68, 0x89, 0x28, 0x77, 0x46, 0x61, 0x18, 0xEB, 0x69, 0xF5, 0x1B,
0xC9, 0x5E, 0xA8, 0x0B, 0x46, 0x6B, 0xCA, 0x6A, 0x2A, 0x42, 0x43, 0x1E, 0x0E, 0x5F, 0x4D, 0x51,
0x8C, 0x01, 0x3E, 0x41, 0xE9, 0x26, 0x76, 0x30, 0xFA, 0x1D, 0xED, 0x01, 0x5A, 0x6F, 0xF4, 0x49,
0x2B, 0x64, 0x1B, 0x46, 0xF2, 0x07, 0x70, 0x7D, 0x57, 0x26, 0x65, 0x13, 0xC5, 0x0B, 0x16, 0x6B,
0x49, 0x48, 0xE0, 0x65, 0x1C, 0x6E, 0x52, 0x1F, 0xB6, 0x51, 0x02, 0x5A, 0x69, 0x3F, 0xD7, 0x2B,
0xCD, 0x7A, 0xBF, 0x2D, 0x80, 0x3E, 0xE6, 0x51, 0x0F, 0x67, 0xF2, 0x5C, 0x03, 0x0A, 0xCD, 0x21,
0x61, 0x02, 0xFF, 0x5C, 0x1E, 0x06, 0xAE, 0x33, 0x5F, 0x34, 0xB6, 0x3B, 0x75, 0x4A, 0x81, 0x5D,
0xF4, 0x5D, 0x7B, 0x25, 0x5B, 0x2C, 0x5C, 0x0A, 0x27, 0x55, 0xA4, 0x16, 0x45, 0x39, 0xF2, 0x16
};
/************************************************************************/
/* 生成注册码 */
/************************************************************************/
// Computes a 32-bit value from the bytes of `name`, using `data` viewed as a
// table of DWORD entries indexed by 8-bit values.
//
// name    - NUL-terminated string; each byte is passed through toupper().
// type    - selects the mixing branch: any value other than 0xFC takes the
//           first branch, 0xFC takes the second.
// version - replaced by 0 when it is 2 or more (see the first statement).
// number  - seeds one of the rolling table indices (number * 15).
// Returns the accumulated value after the last character (0 for an empty name).
//
// NOTE(review): every input to this computation (the name, three small
// integers and the table in `data`) is available to anyone who holds the
// binary, so the same value can be recomputed outside the application.
// A licence format verified with a public-key signature keeps the secret
// needed to issue a key out of the client.
//
// NOTE(review): DWORD and BYTE are not declared in the visible listing;
// presumably DWORD is a 32-bit unsigned type and BYTE(x) truncates to
// 8 bits -- confirm against the full file.
u_int generate(const char *name,
u_char type,
u_char version,
u_char number
)
{
// Values of 2 or more collapse to 0.
version = version<2?version:0;
// All four rolling indices are u_char, so they wrap modulo 256 and stay
// within the 0..255 range used to index `p`.
u_char edi = number * 15;
u_char esi = version *17;
u_char t1 = 0,t2 = 0;
// Reinterpret the 1024-byte table as DWORD entries.
DWORD *p = (DWORD *)data;
unsigned int ret = 0;
int len = strlen(name);
for(int i = 0; i < len; i++){
u_char k = toupper(name[i]);
if(type != 0xFC ){
// Branch using offsets 0x0D / 0x2F and the t1 index.
ret = ( (ret + p[k]) ^ p[BYTE(k+ 0x0D)] ) * p[BYTE(k+ 0x2F)] + p[esi] + p[edi] + p[t1] ;
}else {
// Branch using offsets 0x3F / 0x17 and the t2 index.
ret = ( (ret + p[k]) ^ p[BYTE(k+ 0x3F)] ) * p[BYTE(k+ 0x17)] + p[esi] + p[edi] + p[t2] ;
}
// Advance the rolling indices by their fixed per-character steps.
t1 += 0x13; t2 += 0x07;
esi += 9; edi += 0x0D;
}
return ret;
}
// old function
// Transforms `param` with fixed constants and returns the result divided by
// 0x0B when it is an exact multiple of 0x0B, otherwise 0.
//
// NOTE(review): as written, `+` binds tighter than `^`, so the first step
// evaluates as param ^ (0x7892 + 0x4D30).
// NOTE(review): the return type is u_char, so the quotient is narrowed to
// 8 bits on return.
u_char _check_number(u_short param)
{
u_short k = (((param^0x7892+0x4D30)^0x3421));
if( k % 0x0b != 0) return 0; // not evenly divisible
else return (k / 0x0b);
}
// Multiplies `number` by 0xB, then applies XOR 0x3421, subtract 0x4D30 and
// XOR 0x7892 in that order. The arithmetic is carried out after integer
// promotion and the result is narrowed to u_short on return.
u_short check_number(u_short number)
{
return (((0xB * number // a whole multiple of 0xB
) ^ 0x3421) - 0x4D30 ) ^ 0x7892;
}
// old_function
// Returns ((param ^ 0x18) + 0x3D) ^ 0xA7, narrowed to 8 bits by the
// u_char return type.
u_char _check_version(u_char param)
{
return ((param ^ 0x18)+ 0x3D) ^ 0xA7;
}
// Returns ((param ^ 0xA7) - 0x3D) ^ 0x18, narrowed to 8 bits by the
// u_char return type. The three steps are those of _check_version applied
// in the opposite order, with the addition replaced by a subtraction.
u_char check_version(u_char param)
{
return (((param ^ 0xA7) - 0x3D) ^ 0x18);
}