The following is the Romantic Love Letter (浪漫情书) v3.11 registration algorithm analysis prepared by the site editor. This post contains 2 articles and is provided for reference only. The original text was contributed by the user "萌妹儿".
Article 1: Romantic Love Letter (浪漫情书) v3.11 registration algorithm analysis
Size: 884 KB
Language: Simplified Chinese
Category: Domestic software / Shareware / Novelty software
Platform: Win9x/NT//XP
Developer: go3.163.com/pyeditor/
Download: www.skycn.com/soft/6605.html
Software description:
"Romantic Love Letter" is a professional-grade love-letter editor. It is a pure 32-bit program written in Delphi, compactly designed, powerful and easy to extend, and it needs no database driver. Its features: 1. a clean interface and simple operation, so a few mouse clicks produce a love letter you will be happy with; 2. the computer can write the letter for you, and what it writes reads fluently; 3. e-mail support, using the bundled decorative stationery, which comes with pleasant music, so love letters can now have "sound and colour"; 4. the usual text-processing functions, including find, replace, copy, undo and print; 5. open management of the phrase library: it can search for new phrases automatically, and you can build your own library; 6. besides a detailed help file, a "Love Letter Wizard" prompts you on how to use the program; 7. more features waiting for you to explore...
Cracked by eCool .07.20
1: Unpacking & removing the file-size check
This program is packed with ASPack, which Caspr handles easily, but the unpacked file refuses to run and complains that the file size has changed.
Removing that check is very easy: disassemble with W32Dasm, look up the string shown in the error message, and you land here:
-------------------------------------------------------------------------------
:004974C5 E8DAB2F6FF call 004027A4
:004974CA 3DD0050500 cmp eax, 000505D0
:004974CF 7F17 jg 004974E8 // file size larger than 329168 bytes: game over
:004974D1 8D85B4FEFFFF lea eax, dword ptr [ebp+FFFFFEB4]
:004974D7 E860E0F6FF call 0040553C
:004974DC E8C3B2F6FF call 004027A4
:004974E1 3D18FA0400 cmp eax, 0004FA18 // file size smaller than 326168 bytes: also game over
:004974E6 7D3D jge 00497525
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004974CF(C)
|
:004974E8 8D85B0FEFFFF lea eax, dword ptr [ebp+FFFFFEB0]
:004974EE 8B8E90060000 mov ecx, dword ptr [esi+00000690]
* Possible StringData Ref from Code Obj ->"文件读写错误,由于某些原因(例如:被病毒感染)"
->"改变了loveletter31.exe文件,为了保证您的电脑安"
->"全,程式将会自动退出!"
->"建议您访问下址重新下载"
->"“浪漫情书”软件:"
-------------------------------------------------------------------------------
2: Finding the registration algorithm
Use DeDe on this Delphi program; it quickly brings us here:
-------------------------------------------------------------------------------
* Reference to control Trrr.username : TFlatEdit
|
00488F47 8B80E0020000 mov eax, [eax+$02E0] // get the user name
|
00488F4D E8DE5CFAFF call 0042EC30
00488F52 8B45F0 mov eax, [ebp-$10]
|
00488F55 E836ADF7FF call 00403C90
00488F5A 83F806 cmp eax, +$06 // user name shorter than 6 characters: game over
00488F5D 7D20 jnl 00488F7F
* Possible String Reference to: ’用户名的长度不能小于6个字符!’
|
00488F5F B8F4914800 mov eax, $004891F4
|
00488F64 E8E78AFCFF call 00451A50
00488F69 8B45FC mov eax, [ebp-$04]
* Reference to control Trrr.username : TFlatEdit
|
00488F6C 8B80E0020000 mov eax, [eax+$02E0]
00488F72 8B10 mov edx, [eax]
* Possible reference to virtual method TFlatEdit.OFFS_00B4
|
00488F74 FF92B4000000 call dword ptr [edx+$00B4]
00488F7A E92F020000 jmp 004891AE
00488F7F 8D55F0 lea edx, [ebp-$10]
00488F82 8B45FC mov eax, [ebp-$04]
* Reference to control Trrr.regcode : TFlatEdit
|
00488F85 8B80D0020000 mov eax, [eax+$02D0] // get the registration code
|
00488F8B E8A05CFAFF call 0042EC30
00488F90 8B45F0 mov eax, [ebp-$10]
|
00488F93 E8F8ACF7FF call 00403C90 // empty registration code: game over
00488F98 48 dec eax
00488F99 7D20 jnl 00488FBB
* Possible String Reference to: ’请输入注册码!’
|
00488F9B B81C924800 mov eax, $0048921C
|
00488FA0 E8AB8AFCFF call 00451A50
00488FA5 8B45FC mov eax, [ebp-$04]
* Reference to control Trrr.regcode : TFlatEdit
|
00488FA8 8B80D0020000 mov eax, [eax+$02D0]
00488FAE 8B10 mov edx, [eax]
* Possible reference to virtual method TFlatEdit.OFFS_00B4
|
00488FB0 FF92B4000000 call dword ptr [edx+$00B4]
00488FB6 E9F3010000 jmp 004891AE
00488FBB 8D45F8 lea eax, [ebp-$08]
|
00488FBE E851AAF7FF call 00403A14
00488FC3 8D55F4 lea edx, [ebp-$0C]
00488FC6 8B45FC mov eax, [ebp-$04]
* Reference to control Trrr.regcode : TFlatEdit
|
00488FC9 8B80D0020000 mov eax, [eax+$02D0]
|
00488FCF E85C5CFAFF call 0042EC30
00488FD4 8B45F4 mov eax, [ebp-$0C] // get the length of the registration code
|
00488FD7 E8B4ACF7FF call 00403C90
00488FDC 8BF0 mov esi, eax
00488FDE 85F6 test esi, esi
00488FE0 7C37 jl 00489019
00488FE2 46 inc esi
00488FE3 33DB xor ebx, ebx
00488FE5 8B45F4 mov eax, [ebp-$0C]
00488FE8 8A4418FF mov al, byte ptr [eax+ebx-$01]
00488FEC 3C30 cmp al, $30 // “0”
00488FEE 7225 jb 00489015
00488FF0 8B55F4 mov edx, [ebp-$0C]
00488FF3 3C39 cmp al, $39 // “9”
00488FF5 771E jnbe 00489015
00488FF7 8D45EC lea eax, [ebp-$14]
00488FFA 50 push eax
00488FFB B901000000 mov ecx, $00000001
00489000 8BD3 mov edx, ebx
00489002 8B45F4 mov eax, [ebp-$0C]
|
00489005 E88AAEF7FF call 00403E94
0048900A 8B55EC mov edx, [ebp-$14]
0048900D 8D45F8 lea eax, [ebp-$08]
|
00489010 E883ACF7FF call 00403C98
00489015 43 inc ebx
00489016 4E dec esi
00489017 75CC jnz 00488FE5
00489019 8D55F0 lea edx, [ebp-$10]
0048901C 8B45FC mov eax, [ebp-$04]
The code above checks whether the registration code consists only of digits.
-------------------------------------------------------------------------------
* Reference to control Trrr.username : TFlatEdit
|
0048901F 8B80E0020000 mov eax, [eax+$02E0]
|
00489025 E8065CFAFF call 0042EC30
0048902A 8B45F0 mov eax, [ebp-$10]
0048902D 8D55EC lea edx, [ebp-$14]
|
00489030 E83BFEFFFF call 00488E70 // step into this one
---------------------------- CALL 00488E70 ----------------------------------------------
00488E70 55 push ebp
00488E71 8BEC mov ebp, esp
00488E73 83C4F8 add esp, -$08
00488E76 53 push ebx
00488E77 56 push esi
00488E78 57 push edi
00488E79 33C9 xor ecx, ecx
00488E7B 894DF8 mov [ebp-$08], ecx
00488E7E 8BF2 mov esi, edx
00488E80 8945FC mov [ebp-$04], eax
00488E83 8B45FC mov eax, [ebp-$04]
|
00488E86 E8B9AFF7FF call 00403E44
00488E8B 33C0 xor eax, eax
00488E8D 55 push ebp
* Possible String Reference to: ’榫腚_^[YY]U3QQQQQQQQSVWE?
| UhH’
|
00488E8E 68118F4800 push $00488F11
***** TRY
|
00488E93 64FF30 push dword ptr fs:[eax]
00488E96 648920 mov fs:[eax], esp
00488E99 33DB xor ebx, ebx
00488E9B 8D55F8 lea edx, [ebp-$08]
* Reference to Tmainform. instance
|
00488E9E A1E4784A00 mov eax, dword ptr [$4A78E4]
00488EA3 8B00 mov eax, [eax]
* Reference to : Tmainform.GetDrvID
|
00488EA5 E882D90000 call 0049682C
00488EAA 8B55F8 mov edx, [ebp-$08] // get the user name
00488EAD 8D45FC lea eax, [ebp-$04]
00488EB0 8B4DFC mov ecx, [ebp-$04] // get the machine code
|
00488EB3 E824AEF7FF call 00403CDC
00488EB8 8B45FC mov eax, [ebp-$04] // concatenate "machine code" and "user name"
// let s = "machine code" + "user name"
|
00488EBB E8D0ADF7FF call 00403C90 // get the length of s
00488EC0 8BD0 mov edx, eax
00488EC2 85D2 test edx, edx
00488EC4 7C17 jl 00488EDD
00488EC6 42 inc edx
00488EC7 33C0 xor eax, eax
00488EC9 8B4DFC mov ecx, [ebp-$04]
00488ECC 0FB64C01FF movzx ecx, byte ptr [ecx+eax-$01] // take each character of s in turn,
// as its ASCII code
* Reference to field TFlatEdit.OFFS_0003
|
00488ED1 8D7803 lea edi, [eax+$03] // edi=eax+3
00488ED4 0FAFCF imul ecx, edi // ecx=ecx*edi
00488ED7 03D9 add ebx, ecx // ebx=ebx+ecx
00488ED9 40 inc eax // eax=eax+1
00488EDA 4A dec edx
00488EDB 75EC jnz 00488EC9 // all characters consumed yet?
00488EDD 8BC3 mov eax, ebx // eax=ebx
00488EDF 99 cdq
00488EE0 33C2 xor eax, edx //
00488EE2 2BC2 sub eax, edx // these two instructions are filler:
// edx=0, and eax xor 0 = eax
00488EE4 69C0C9430000 imul eax, eax, $000043C9 // eax=eax*43C9H
00488EEA 05BBEF9505 add eax, +$0595EFBB // eax=eax+595EFBBH
00488EEF 8BD6 mov edx, esi // eax now holds the registration code
---------------------------- END CALL 00488E70 ----------------------------------------
00489035 8B45EC mov eax, [ebp-$14]
00489038 8B55F8 mov edx, [ebp-$08]
|
0048903B E860ADF7FF call 00403DA0
00489040 0F8556010000 jnz 0048919C // this one looks familiar, doesn't it?
* Possible String Reference to: ’注册成功!请重新启动浪漫情书……’
|
00489046 B834924800 mov eax, $00489234
...
|
004891E5 5F pop edi
004891E6 5E pop esi
004891E7 5B pop ebx
004891E8 8BE5 mov esp, ebp
004891EA 5D pop ebp
004891EB C3 ret
3. Summary of the registration algorithm
s1 = machine code (must not be empty)
s2 = user name (at least 6 characters)
s3 = s1 followed by s2 (s1 first, s2 second)
len = length of s3
sn = 0
for i = 1 to len
    sn = (i+3) * (ASCII code of the i-th character of s3) + sn
next i
sn = sn * 43C9h    (the imul at 00488EE4)
sn = sn + 595EFBBh (the add at 00488EEA)
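The formula just summarised, re-implemented as an added example (this is not the program's or the author's code). It follows the page's summary, with weights (i+3) for 1-based i and 32-bit wraparound on the final multiply and add; the machine code and user names are constructed sample values, and GBK is assumed for the AnsiString bytes. It also shows why a linear weighted sum is a weak binding: different user names can produce the same code.

```python
# Added example: the Romantic Love Letter v3.11 code formula as summarised
# above, re-implemented for illustration (not the program's or author's code).
# Assumptions: weights (i+3) with 1-based i, as in the page's summary, and
# AnsiString bytes in GBK; all inputs below are constructed sample values.

def _to_int32(v: int) -> int:
    """Wrap to a signed 32-bit value, matching the x86 imul/add results."""
    v &= 0xFFFFFFFF
    return v - 0x1_0000_0000 if v & 0x8000_0000 else v


def weighted_sum(s3: bytes) -> int:
    """sn = sum over i = 1..len of (i+3) * byte_i, the loop at 00488EC9."""
    return sum((i + 3) * b for i, b in enumerate(s3, start=1))


def expected_code(machine_code: str, user_name: str) -> str:
    """Decimal string the program compares the entered code against."""
    if not machine_code:
        raise ValueError("machine code must not be empty")
    if len(user_name) < 6:
        raise ValueError("user name must be at least 6 characters")
    s3 = (machine_code + user_name).encode("gbk")   # s1 first, then s2
    sn = weighted_sum(s3)
    sn = _to_int32(sn * 0x43C9)       # imul eax, eax, 43C9h
    sn = _to_int32(sn + 0x0595EFBB)   # add  eax, 595EFBBh
    return str(sn)


def same_code(machine_code: str, name_a: str, name_b: str) -> bool:
    """True when two different user names map to the same code.

    Because sn is linear in the bytes, two byte changes whose weighted
    contributions cancel leave sn, and hence the code, unchanged."""
    return (name_a != name_b
            and expected_code(machine_code, name_a)
            == expected_code(machine_code, name_b))


if __name__ == "__main__":
    mc = "1234"                      # constructed sample machine code
    print(expected_code(mc, "ABCDEF"))
    # 'A'->'C' at weight 8 (+16) and 'I'->'H' at weight 16 (-16) cancel out
    print(same_code(mc, "ABCDEFGHI", "CBCDEFGHH"))
```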
Sigh, I am on Win2000 now and SoftICE cannot be used at work, so I had to pick easy targets with OllyDbg; please bear with me.
Article 2: 斗地主 (Dou Dizhu) 4.0 registration algorithm analysis
====================================================================================
004991B1 call rtcRandomNext
004991B7 fmul dbl_403920
004991BD call __vbaFpI4
004991C3 mov dword_4D1030, eax ;random number R1
004991C8 lea ecx, [ebp-98h]
004991CE call __vbaFreeVar
004991D4 mov dword ptr [ebp-4], 0Eh
004991DB mov dword ptr [ebp-90h], 80020004h
004991E5 mov dword ptr [ebp-98h], 0Ah
004991EF lea ecx, [ebp-98h]
004991F5 push ecx
004991F6 call rtcRandomize
004991FC lea ecx, [ebp-98h]
00499202 call __vbaFreeVar
00499208 mov dword ptr [ebp-4], 0Fh
0049920F mov dword ptr [ebp-90h], 3
00499219 mov dword ptr [ebp-98h], 2
00499223 lea edx, [ebp-98h]
00499229 push edx
0049922A call rtcRandomNext
00499230 fmul dbl_403920
00499236 call __vbaFpI4
0049923C mov dword_4D1044, eax ;random number R2
00499241 lea ecx, [ebp-98h]
00499247 call __vbaFreeVar
0049924D mov dword ptr [ebp-4], 10h
00499254 mov eax, dword_4D1030
00499259 xor eax, 9DB7h
0049925E mov dword_4D11EC, eax ;R3=R1 xor 9DB7h
00499263 mov dword ptr [ebp-4], 11h
0049926A mov ecx, dword_4D1044
00499270 xor ecx, 10A7Bh
00499276 mov dword_4D10D8, ecx ;R4=R2 xor 10A7Bh
====================================================================================
004BD57B lea ecx, [ebp-54h]
004BD57E push ecx
004BD57F push 4
004BD581 lea edx, [ebp-74h]
004BD584 push edx
004BD585 lea eax, [ebp-64h]
004BD588 push eax
004BD589 mov dword ptr [ebp-4Ch], 5
004BD590 mov dword ptr [ebp-54h], 2
004BD597 mov [ebp-6Ch], edi
004BD59A mov dword ptr [ebp-74h], 4008h
004BD5A1 call rtcMidCharVar
004BD5A7 lea ecx, [ebp-64h] ;str1 = the 5-character string made of characters 4 to 8 of the machine code
004BD5AA push ecx
004BD5AB lea edx, [ebp-18h]
004BD5AE push edx
004BD5AF call __vbaStrVarVal
004BD5B5 push eax ;str1
004BD5B6 call sub_4A8290 ;H1 = invoke sub_4A8290 ,str1
004BD5BB mov ecx, dword_4D1030 ;R1
004BD5C1 xor ecx, dword_4D11EC ;ecx=R1 xor R3 = 9DB7h
004BD5C7 push ecx ;9DB7h
004BD5C8 push eax ;H1
004BD5C9 call sub_4A83F0 ;X1 = invoke sub_4A83F0 ,H1,9DB7h
004BD5CE mov edx, [esi+48h]
004BD5D1 push edx
004BD5D2 push eax ;X1
004BD5D3 call sub_4A83F0 ;
004BD5D8 lea ecx, [ebp-18h]
004BD5DB mov [esi+34h], eax ;A1 = invoke sub_4A83F0 ,X1,[esi+48h]
====================================================================================
004BDE78 lea eax, [ebp-2Ch]
004BDE7B push eax
004BDE7C lea ecx, [ebp-3Ch]
004BDE7F push ecx
004BDE80 mov dword ptr [ebp-2Ch], 9
004BDE87 call edi ; rtcTrimVar
004BDE89 mov edx, [esi+44h]
004BDE8C push 5
004BDE8E lea eax, [ebp-0BCh]
004BDE94 push eax
004BDE95 lea ecx, [ebp-3Ch] ;registration name
004BDE98 mov [ebp-0B4h], edx
004BDE9E push ecx
004BDE9F lea edx, [ebp-4Ch] ;rightmost 3 characters of the machine code
004BDEA2 push edx
004BDEA3 mov dword ptr [ebp-0BCh], 8
004BDEAD call __vbaVarCat ;str0 = rightmost 3 characters of the machine code + registration name
004BDEB3 push eax
004BDEB4 lea eax, [ebp-5Ch]
004BDEB7 push eax
004BDEB8 call rtcRightCharVar
004BDEBE lea ecx, [ebp-5Ch] ;str2 = rightmost 5 characters of str0
004BDEC1 push ecx
004BDEC2 lea edx, [ebp-18h]
004BDEC5 push edx
004BDEC6 call __vbaStrVarVal
004BDECC push eax ;str2
004BDECD call sub_4A8290 ;H2 = invoke sub_4A8290 ,str2
004BDED2 mov ecx, dword_4D1044 ;R2
004BDED8 xor ecx, dword_4D10D8 ;ecx=R2 xor R4 = 10A7Bh
004BDEDE push ecx ;10A7Bh
004BDEDF push eax ;H2
004BDEE0 call sub_4A83F0 ;X2 = invoke sub_4A83F0 ,H2,10A7Bh
004BDEE5 mov edx, [esi+4Ch]
004BDEE8 push edx
004BDEE9 push eax ;X2
004BDEEA call sub_4A83F0 ;
004BDEEF lea ecx, [ebp-18h]
004BDEF2 mov [esi+38h], eax ;A2 = invoke sub_4A83F0 ,X2,[esi+4Ch]
====================================================================================
004BD9B2 lea edx, [ebp-28h]
004BD9B5 mov [ebp-20h], eax
004BD9B8 push edx
004BD9B9 lea eax, [ebp-38h]
004BD9BC push eax
004BD9BD mov dword ptr [ebp-28h], 9
004BD9C4 call edi ; rtcTrimVar
004BD9C6 push 5
004BD9C8 lea ecx, [ebp-38h] ;SN = the entered registration code
004BD9CB push ecx
004BD9CC lea edx, [ebp-48h]
004BD9CF push edx
004BD9D0 call rtcLeftCharVar
004BD9D6 mov eax, [esi+48h]
004BD9D9 push eax
004BD9DA lea ecx, [ebp-48h] ;snl5 = first 5 characters of SN
004BD9DD push ecx
004BD9DE call __vbaI4ErrVar
004BD9E4 push eax ;Y1 = hex(snl5)
004BD9E5 call sub_4A83F0 ;
004BD9EA lea edx, [ebp-48h]
004BD9ED push edx
004BD9EE mov [esi+3Ch], eax ;B1 = invoke sub_4A83F0 ,Y1,[esi+48h]
====================================================================================
004BDAE5 lea ecx, [ebp-28h]
004BDAE8 push ecx
004BDAE9 lea edx, [ebp-38h]
004BDAEC push edx
004BDAED mov [ebp-20h], eax
004BDAF0 mov dword ptr [ebp-28h], 9
004BDAF7 call edi ; rtcTrimVar
004BDAF9 push 5
004BDAFB lea eax, [ebp-38h] ;SN = the entered registration code
004BDAFE push eax
004BDAFF lea ecx, [ebp-48h]
004BDB02 push ecx
004BDB03 call rtcRightCharVar
004BDB09 mov edx, [esi+4Ch]
004BDB0C push edx
004BDB0D lea eax, [ebp-48h] ;snr5 = last 5 characters of SN
004BDB10 push eax
004BDB11 call __vbaI4ErrVar
004BDB17 push eax ;Y2 = hex(snr5)
004BDB18 call sub_4A83F0 ;
004BDB1D lea ecx, [ebp-48h]
004BDB20 push ecx
004BDB21 lea edx, [ebp-48h]
004BDB24 push edx
004BDB25 mov [esi+40h], eax ;B2 = invoke sub_4A83F0 ,Y2,[esi+4Ch]
====================================================================================
004BCAAC mov eax, [esi+3Ch]
004BCAAF mov ecx, [esi+40h]
004BCAB2 mov edx, dword_4D1030
004BCAB8 add esp, 1Ch
004BCABB mov [ebp-0C4h], eax
004BCAC1 mov [ebp-0C8h], ecx
004BCAC7 push edx ;R1
004BCAC8 push eax ;B1
004BCAC9 call sub_4A83F0 ;
004BCACE mov ecx, [ebp-0C8h]
004BCAD4 mov [esi+3Ch], eax ;N1 = invoke sub_4A83F0 ,B1,R1
004BCAD7 mov eax, dword_4D1044
004BCADC push eax ;R2
004BCADD push ecx ;B2
004BCADE call sub_4A83F0 ;
004BCAE3 mov [esi+40h], eax ;N2 = invoke sub_4A83F0 ,B2,R2
004BCAE6 call rtcGetTimer
004BCAEC fsub dword ptr [esi+50h]
004BCAEF fcomp flt_403914
004BCAF5 fnstsw ax
004BCAF7 test ah, 41h
004BCAFA jnz short loc_4BCB52
004BCAFC cmp dword_4D1F98, edi
004BCB02 jnz short loc_4BCB14
004BCB04 push offset dword_4D1F98
004BCB09 push offset dword_416764
004BCB0E call __vbaNew2
004BCB14
004BCB14 loc_4BCB14:
004BCB14 mov edi, dword_4D1F98
004BCB1A mov ebx, [edi]
004BCB1C push esi
004BCB1D lea edx, [ebp-34h]
004BCB20 push edx
004BCB21 call __vbaObjSetAddref
004BCB27 push eax
004BCB28 push edi
004BCB29 call dword ptr [ebx+10h]
004BCB2C fnclex
004BCB2E test eax, eax
004BCB30 jge short loc_4BCB41
004BCB32 push 10h
004BCB34 push offset dword_416754
004BCB39 push edi
004BCB3A push eax
004BCB3B call __vbaHresultCheckObj
004BCB41
004BCB41 loc_4BCB41:
004BCB41 lea ecx, [ebp-34h]
004BCB44 call __vbaFreeObj
004BCB4A mov ebx, __vbaStrMove
004BCB50 xor edi, edi
004BCB52
004BCB52 loc_4BCB52:
004BCB52 mov eax, [esi+40h]
004BCB55 mov ecx, [esi+3Ch]
004BCB58 mov edx, [esi+38h]
004BCB5B push eax ;arg_C = N2
004BCB5C mov eax, [esi+34h]
004BCB5F push ecx ;arg_8 = N1
004BCB60 push edx ;arg_4 = A2
004BCB61 push eax ;arg_0 = A1
004BCB62 call sub_4A8060 ;this call is the core of the comparison
004BCB67 test ax, ax ;ax=0 on return means registration failed
004BCB6A jz loc_4BCDC4
====================================================================================
004A8060 push ebp
004A8061 mov ebp, esp
004A8063 sub esp, 8
004A8066 push offset loc_404806
004A806B mov eax, large fs:0
004A8071 push eax
004A8072 mov large fs:0, esp
004A8079 sub esp, 34h
004A807C push ebx
004A807D push esi
004A807E push edi
004A807F mov [ebp+var_8], esp
004A8082 mov [ebp+var_4], offset dword_403928
004A8089 mov ecx, [ebp+arg_0] ;A1
004A808C xor eax, eax
004A808E mov [ebp+var_2C], eax
004A8091 mov [ebp+var_40], eax
004A8094 mov [ebp+var_1C], eax
004A8097 mov eax, dword_4D1030 ;R1
004A809C push eax ;R1
004A809D push ecx ;A1
004A809E call sub_4A83F0 ;
004A80A3 mov edx, dword_4D1044 ;R2
004A80A9 mov [ebp+arg_0], eax ;M1 = invoke sub_4A83F0 ,A1,R1
004A80AC mov eax, [ebp+arg_4] ;A2
004A80AF push edx ;R2
004A80B0 push eax ;A2
004A80B1 call sub_4A83F0 ;
004A80B6 mov ecx, [ebp+arg_0] ;M1
004A80B9 mov edx, [ebp+arg_8] ;N1
004A80BC add edx, ecx ;M1+N1
004A80BE add ecx, ecx ;M1+M1
004A80C0 cmp ecx, edx ;M1+N1 =? M1+M1, equivalent to N1 =? M1
004A80C2 mov [ebp+arg_4], eax ;M2 = invoke sub_4A83F0 ,A2,R2
004A80C5 jnz short loc_4A80E6
004A80C7 mov edx, [ebp+arg_C] ;N2
004A80CA lea ecx, [eax+edx] ;M2+N2
004A80CD lea edx, [eax+eax] ;M2+M2
004A80D0 cmp ecx, edx ;M2+N2 =? M2+M2, equivalent to N2 =? M2
004A80D2 jnz short loc_4A80E6
004A80D4 mov [ebp+var_1C], 0FFFFFFFFh ;reaching here sets the registration-success flag
=========================sub_4A8290======================================
004A8290 push ebp
004A8291 mov ebp, esp
004A8293 sub esp, 8
004A8296 push offset loc_404806
004A829B mov eax, large fs:0
004A82A1 push eax
004A82A2 mov large fs:0, esp
004A82A9 sub esp, 70h
004A82AC push ebx
004A82AD push esi
004A82AE push edi
004A82AF mov [ebp+var_8], esp
004A82B2 mov [ebp+var_4], offset dword_403938
004A82B9 mov edx, [ebp+arg_0] ;the 5-character str (all WideChar)
004A82BC xor esi, esi
004A82BE lea ecx, [ebp+var_18]
004A82C1 mov [ebp+var_18], esi
004A82C4 mov [ebp+var_28], esi
004A82C7 mov [ebp+var_38], esi
004A82CA mov [ebp+var_48], esi
004A82CD mov [ebp+var_58], esi
004A82D0 call __vbaStrCopy
004A82D6 mov edi, 1
004A82DB mov [ebp+var_24], esi
004A82DE mov ebx, edi
004A82E0 mov esi, edi ;the n-th WideChar
004A82E2 loc_4A82E2:
004A82E2 mov eax, 5 ;loop 5 times
004A82E7 cmp esi, eax
004A82E9 jg loc_4A839D
004A82EF lea ecx, [ebp+var_38]
004A82F2 push ecx
004A82F3 lea eax, [ebp+var_18]
004A82F6 push edi
004A82F7 lea edx, [ebp+var_58]
004A82FA mov [ebp+var_50], eax
004A82FD push edx
004A82FE lea eax, [ebp+var_48]
004A8301 push eax
004A8302 mov [ebp+var_30], 1
004A8309 mov [ebp+var_38], 2
004A8310 mov [ebp+var_58], 4008h
004A8317 call rtcMidCharVar
004A831D lea ecx, [ebp+var_48] ;extract one WideChar
004A8320 push ecx
004A8321 lea edx, [ebp+var_28]
004A8324 push edx
004A8325 call __vbaStrVarVal
004A832B push eax
004A832C call rtcBytevalueBstr ;
004A8332 mov byte ptr [ebp+var_6C], al ;keep only the low byte of the WideChar
004A8335 mov eax, 5
004A833A sub eax, esi
004A833C mov [ebp+var_7C], eax ;5-n
004A833F fild [ebp+var_7C]
004A8342 sub esp, 8
004A8345 fstp [esp]
004A8348 push 40240000h ;floating-point 10
004A834D push 0
004A834F call __vbaPowerR8 ;10^(5-n)
004A8355 mov eax, [ebp+var_6C] ;low byte of each WideChar
004A8358 and eax, 0FFh
004A835D cdq
004A835E mov ecx, 0Ah
004A8363 idiv ecx
004A8365 mov [ebp+var_80], edx ;r = low byte of each WideChar mod 10
004A8368 fild [ebp+var_80]
004A836B fmulp st(1), st ;r*10^(5-n)
004A836D fiadd [ebp+var_24] ;accumulate across the loop
004A8370 call __vbaFpI4
004A8376 lea ecx, [ebp+var_28]
004A8379 mov [ebp+var_24], eax ;after 5 iterations, H = r1*10^4+r2*10^3+r3*10^2+r4*10+r5
004A837C call __vbaFreeStr
004A8382 lea edx, [ebp+var_48]
004A8385 push edx
004A8386 lea eax, [ebp+var_38]
004A8389 push eax
004A838A push 2
004A838C call __vbaFreeVarList
004A8392 add esp, 0Ch
004A8395 inc edi
004A8396 add esi, ebx
004A8398 jmp loc_4A82E2
004A839D loc_4A839D:
004A839D wait
004A839E push offset loc_4A83CC
004A83A3 jmp short loc_4A83C2
004A83A5 lea ecx, [ebp-28h]
004A83A8 call __vbaFreeStr
004A83AE lea ecx, [ebp-48h]
004A83B1 push ecx
004A83B2 lea edx, [ebp-38h]
004A83B5 push edx
004A83B6 push 2
004A83B8 call __vbaFreeVarList
004A83BE add esp, 0Ch
004A83C1 retn
004A83C2 loc_4A83C2:
004A83C2 lea ecx, [ebp+var_18]
004A83C5 call __vbaFreeStr
004A83CB retn
004A83CC loc_4A83CC:
004A83CC mov ecx, [ebp-10h]
004A83CF mov eax, [ebp-24h] ;return value H
004A83D2 pop edi
004A83D3 pop esi
004A83D4 mov large fs:0, ecx
004A83DB pop ebx
004A83DC mov esp, ebp
004A83DE pop ebp
004A83DF sub_4A8290 endp
=========================sub_4A83F0======================================
004A83F0 sub_4A83F0 proc near
004A83F0 arg_0 = dword ptr 4
004A83F0 arg_4 = dword ptr 8
004A83F0 mov ecx, [esp+arg_0]
004A83F4 xor ecx, [esp+arg_4]
004A83F8 cmp ecx, 1869Fh ;99999
004A83FE jle short loc_4A8413
004A8400 mov eax, 66666667h
004A8405 imul ecx
004A8407 mov ecx, edx
004A8409 sar ecx, 2
004A840C mov eax, ecx
004A840E shr eax, 1Fh
004A8411 add ecx, eax
004A8413 loc_4A8413:
004A8413 cmp ecx, 2710h
004A8419 jge short loc_4A8421
004A841B add ecx, 2710h ;10000
004A8421 loc_4A8421:
004A8421 mov eax, ecx ;returns a 5-digit decimal number between 10000 and 99999
004A8423 retn 8
004A8423 sub_4A83F0 endp
======================================================================================================
The process above can be organised into the following four steps:
====Step 1:==========================================================================================
H1 = invoke sub_4A8290 ,str1
X1 = invoke sub_4A83F0 ,H1,9DB7h
A1 = invoke sub_4A83F0 ,X1,[esi+48h]
M1 = invoke sub_4A83F0 ,A1,R1
====================================================================================================
====Step 2:==========================================================================================
B1 = invoke sub_4A83F0 ,Y1,[esi+48h]
N1 = invoke sub_4A83F0 ,B1,R1
====================================================================================================
====Step 3:==========================================================================================
H2 = invoke sub_4A8290 ,str2
X2 = invoke sub_4A83F0 ,H2,10A7Bh
A2 = invoke sub_4A83F0 ,X2,[esi+4Ch]
M2 = invoke sub_4A83F0 ,A2,R2
====================================================================================================
====Step 4:==========================================================================================
B2 = invoke sub_4A83F0 ,Y2,[esi+4Ch]
N2 = invoke sub_4A83F0 ,B2,R2
====================================================================================================
The condition for successful registration is: M1=N1 and M2=N2.
So it is enough to satisfy the sufficient condition:
(1) Y1=X1=invoke sub_4A83F0 ,H1,9DB7h
where H1=invoke sub_4A8290 ,str1
str1=characters 4 to 8 of the machine code
(2) Y2=X2=invoke sub_4A83F0 ,H2,10A7Bh
where H2=invoke sub_4A8290 ,str2
str2=the rightmost 5 characters of (rightmost 3 characters of the machine code + registration name)
===================================================================================================
Convert Y1 to decimal to get the first 5 digits of the registration code
Convert Y2 to decimal to get the last 5 digits of the registration code
===================================================================================================
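The scheme as reconstructed above (sub_4A8290, sub_4A83F0, the four steps and the two conditions), re-implemented as an added example; this is not the program's or the author's code. It assumes the machine code has at least 8 characters and the name at least 2, so that str1 and str2 are 5 WideChars each; the machine codes, names and the values standing in for R1, R2, [esi+48h] and [esi+4Ch] are constructed samples.

```python
# Added example: the 斗地主 4.0 check as reconstructed above, re-implemented
# for illustration (not the program's or the author's code). Assumes the
# machine code is at least 8 characters and the name at least 2, so str1 and
# str2 are 5 WideChars; every sample input below is constructed.

def fold_digits(s: str) -> int:
    """sub_4A8290: H = sum over n=1..5 of ((low byte of WideChar n) mod 10) * 10^(5-n)."""
    if len(s) != 5:
        raise ValueError("sub_4A8290 expects exactly 5 characters")
    h = 0
    for n, ch in enumerate(s, start=1):
        r = (ord(ch) & 0xFF) % 10       # rtcBytevalueBstr keeps the low byte only
        h += r * 10 ** (5 - n)
    return h


def xor_fold(a: int, b: int) -> int:
    """sub_4A83F0: v = a xor b; one /10 if v > 99999; +10000 if v < 10000."""
    v = a ^ b
    if v > 99999:
        v //= 10                        # a single division, as in the listing
    if v < 10000:
        v += 10000
    return v


def expected_code(machine_code: str, reg_name: str) -> str:
    """Y1 and Y2 from conditions (1) and (2), written as a 10-digit code."""
    str1 = machine_code[3:8]                        # Mid(machine_code, 4, 5)
    str2 = (machine_code[-3:] + reg_name)[-5:]      # Right(Right(mc, 3) + name, 5)
    y1 = xor_fold(fold_digits(str1), 0x9DB7)
    y2 = xor_fold(fold_digits(str2), 0x10A7B)
    return f"{y1:05d}{y2:05d}"


def passes_check(machine_code: str, reg_name: str, sn: str,
                 k1: int, k2: int, r1: int, r2: int) -> bool:
    """The full comparison in sub_4A8060: M1 == N1 and M2 == N2.

    k1/k2 stand in for [esi+48h]/[esi+4Ch] and r1/r2 for the run-time random
    values R1/R2; the outcome does not depend on which values are chosen."""
    if len(sn) != 10 or not sn.isdigit():
        return False
    x1 = xor_fold(fold_digits(machine_code[3:8]), 0x9DB7)
    m1 = xor_fold(xor_fold(x1, k1), r1)                     # steps 1
    n1 = xor_fold(xor_fold(int(sn[:5]), k1), r1)            # steps 2
    x2 = xor_fold(fold_digits((machine_code[-3:] + reg_name)[-5:]), 0x10A7B)
    m2 = xor_fold(xor_fold(x2, k2), r2)                     # steps 3
    n2 = xor_fold(xor_fold(int(sn[5:]), k2), r2)            # steps 4
    return m1 == n1 and m2 == n2


if __name__ == "__main__":
    code = expected_code("0123456789", "ab")                # constructed inputs
    print(code, passes_check("0123456789", "ab", code, 31337, 4242, 77, 12345))
```

With a registration name of five or more characters, str2 is just the last five characters of the name, so the second half of the code no longer depends on the machine code at all.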
Summary: this registration algorithm is not complicated; it is just that VB programs are a bit annoying, and the Unicode characters in particular take some getting used to.
A keygen is fairly easy to write. Since I had never written a WideChar program, I hit a snag at first handling WideChar and could not register Chinese user names, but after repeated debugging and changes that is now fixed.