本软件是一个机器人编程软件,VC6的程序,软件保护方式是每台机子有一个机器码,然后根据这个机器
码得到一个序列号。
入口:在 MessageBoxA 下断点,从弹出的提示框回溯到下面的校验处。00423FD0 的 call 返回值被 and eax,0FF 截成一个 bool,再由 je 决定走哪条分支。
00423FC8 |. 50 push eax ;
/Arg2
00423FC9 |. 8B4D FC mov ecx,dword ptr ss:[ebp-4] ; |
00423FCC |. 83C1 68 add ecx,68 ; |
00423FCF |. 51 push ecx ;
|Arg1
00423FD0 |. E8 DBE5FDFF call software.004025B0
; \software.004025B0
00423FD5 |. 25 FF000000 and eax,0FF
00423FDA |. 85C0 test eax,eax
00423FDC |. 74 1E je short software.00423FFC <------爆破改这里(je→jne,或直接 nop/jmp)。注意本文只列出了跳转目标 00423FFC 的地址,没有列出那边是成功分支还是失败分支,改之前先看清;另外只改这一处 je 只是绕过校验,拿不到序列号,通用解是文末的注册机。
序列号以明文保存在注册表里:
cur(应为 HKEY_CURRENT_USER)\software\roboto\
password=284248195480218
这个值与文末注册机对机器码 kMPB3LAX5JTGE1M 算出的结果一致,说明注册表里存的是由本机机器码算出来的序列号,而不是机器码本身;任何能读 HKCU 的程序都能直接拿到它。
004015AF |. 8985 F0FEFFFF mov dword ptr ss:[ebp-110],eax ; |
004015B5 |. 8D4D A8 lea ecx,dword ptr ss:[ebp-58] ; |
004015B8 |. 51 push ecx <-----参数"kMPB3LAX5JTGE1M"
kMPB3LAX5JTGE1M(注意首字母是小写 k,与上一行的参数一致:按下面的算法,第四段 480 只有在 k=0x6B 时才成立;如果输入大写 K=0x4B,第四段会变成 0,整个序列号变成 2842481950218)
; |Arg1
004015B9 |. E8 84FCFFFF call software.00401242
; \这个call里出现了注册码,这个call就是计算注册码的地方,跟踪进去得到注册机算法
004015BE |. 83C4 08 add esp,8
跟踪进去这个关键的call:
00401242 /$ 55 push ebp
00401243 |. 8BEC mov ebp,esp
00401245 |. 6A FF push -1
00401247 |. 68 895A4300 push software.00435A89 ; SE
handler installation
0040124C |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00401252 |. 50 push eax
00401253 |. 64:8925 00000>mov dword ptr fs:[0],esp
0040125A |. 83EC 24 sub esp,24
0040125D |. C745 D0 00000>mov dword ptr ss:[ebp-30],0
00401264 |. C745 FC 01000>mov dword ptr ss:[ebp-4],1
0040126B |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0040126E |. E8 113A0300 call <jmp.&MFC42.#540>
00401273 |. C645 FC 02 mov byte ptr ss:[ebp-4],2
00401277 |. 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
0040127A |. E8 C1120000 call software.00402540
0040127F |. 8945 D8 mov dword ptr ss:[ebp-28],eax ; 机器码长度
00401282 |. C745 D4 07000>mov dword ptr ss:[ebp-2C],7
00401289 |. C745 F0 05000>mov dword ptr ss:[ebp-10],5
00401290 |. C745 EC 03000>mov dword ptr ss:[ebp-14],3
00401297 |. C745 E8 02000>mov dword ptr ss:[ebp-18],2
0040129E |. C745 E4 01000>mov dword ptr ss:[ebp-1C],1
004012A5 |. C745 DC 00000>mov dword ptr ss:[ebp-24],0
004012AC |. EB 09 jmp short software.004012B7
004012AE |> 8B45 DC /mov eax,dword ptr ss:[ebp-24]
004012B1 |. 83C0 01 |add eax,1
004012B4 |. 8945 DC |mov dword ptr ss:[ebp-24],eax
004012B7 |> 8B4D DC mov ecx,dword ptr ss:[ebp-24]
004012BA |. 3B4D D8 |cmp ecx,dword ptr ss:[ebp-28] ; 比较长度
004012BD |. 0F8D 5F010000 |jge software.00401422
004012C3 |. 8B45 DC |mov eax,dword ptr ss:[ebp-24]
004012C6 |. 99 |cdq
004012C7 |. B9 07000000 |mov ecx,7 //判断是否是7的倍数
004012CC |. F7F9 |idiv ecx
004012CE |. 85D2 |test edx,edx
004012D0 |. 75 1C |jnz short software.004012EE ;
004012D2 |. 8B55 DC |mov edx,dword ptr ss:[ebp-24]
004012D5 |. 52 |push edx ; /Arg1
004012D6 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
004012D9 |. E8 B2120000 |call <software.GetSysCodeBin> ; \得到每一
位,放在al里
004012DE |. 0FBEC0 |movsx eax,al ; movsx 是带符号扩展:al 的最高位会复制到 eax 的高 24 位(清零的是 movzx),所以字节 >= 0x80 时加进累加器的是负数;写注册机时要用有符号 8 位类型才能严格对上
004012E1 |. 8B4D E4 |mov ecx,dword ptr ss:[ebp-1C]
004012E4 |. 03C8 |add ecx,eax
004012E6 |. 894D E4 |mov dword ptr ss:[ebp-1C],ecx ; ebp_1c := k +
ebp_1c;
004012E9 |. E9 94000000 |jmp software.00401382
004012EE |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
004012F1 |. 99 |cdq
004012F2 |. B9 05000000 |mov ecx,5 <-----------------------判断是5的倍数
004012F7 |. F7F9 |idiv ecx
004012F9 |. 85D2 |test edx,edx
004012FB |. 75 19 |jnz short software.00401316
004012FD |. 8B55 DC |mov edx,dword ptr ss:[ebp-24]
00401300 |. 52 |push edx ; /Arg1
00401301 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
00401304 |. E8 87120000 |call <software.GetSysCodeBin> ;
\software.00402590
00401309 |. 0FBEC0 |movsx eax,al
0040130C |. 8B4D E8 |mov ecx,dword ptr ss:[ebp-18]
0040130F |. 03C8 |add ecx,eax
00401311 |. 894D E8 |mov dword ptr ss:[ebp-18],ecx
00401314 |. EB 6C |jmp short software.00401382
00401316 |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
00401319 |. 99 |cdq
0040131A |. B9 03000000 |mov ecx,3<---------------------------判断是否是3的倍数
0040131F |. F7F9 |idiv ecx
00401321 |. 85D2 |test edx,edx
00401323 |. 75 19 |jnz short software.0040133E
00401325 |. 8B55 DC |mov edx,dword ptr ss:[ebp-24]
00401328 |. 52 |push edx ; /Arg1
00401329 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
0040132C |. E8 5F120000 |call <software.GetSysCodeBin> ;
\software.00402590
00401331 |. 0FBEC0 |movsx eax,al
00401334 |. 8B4D EC |mov ecx,dword ptr ss:[ebp-14]
00401337 |. 03C8 |add ecx,eax
00401339 |. 894D EC |mov dword ptr ss:[ebp-14],ecx
0040133C |. EB 44 |jmp short software.00401382
0040133E |> 8B55 DC |mov edx,dword ptr ss:[ebp-24]
00401341 |. 81E2 01000080 |and edx,80000001 《---------------这不是判断是否大于等于0,而是 VC 编译器对有符号 i % 2 的写法(and 保留符号位和 bit0,负数时用下面的 dec/or/inc 修正);循环计数从 0 开始只增不减,所以实际就是判断 i 是否为偶数
00401347 |. 79 05 |jns short software.0040134E
00401349 |. 4A |dec edx
0040134A |. 83CA FE |or edx,FFFFFFFE
0040134D |. 42 |inc edx
0040134E |> 85D2 |test edx,edx
00401350 |. 75 19 |jnz short software.0040136B
00401352 |. 8B45 DC |mov eax,dword ptr ss:[ebp-24]
00401355 |. 50 |push eax ; /Arg1
00401356 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
00401359 |. E8 32120000 |call <software.GetSysCodeBin> ;
\software.00402590
0040135E |. 0FBEC8 |movsx ecx,al
00401361 |. 8B55 F0 |mov edx,dword ptr ss:[ebp-10]
00401364 |. 03D1 |add edx,ecx
00401366 |. 8955 F0 |mov dword ptr ss:[ebp-10],edx
00401369 |. EB 17 |jmp short software.00401382
0040136B |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
0040136E |. 50 |push eax ; /Arg1
0040136F |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
00401372 |. E8 19120000 |call <software.GetSysCodeBin> ;
\software.00402590
00401377 |. 0FBEC8 |movsx ecx,al
0040137A |. 8B55 D4 |mov edx,dword ptr ss:[ebp-2C]
0040137D |. 03D1 |add edx,ecx
0040137F |. 8955 D4 |mov dword ptr ss:[ebp-2C],edx
00401382 |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
00401385 |. 50 |push eax ; /Arg1
00401386 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
00401389 |. E8 02120000 |call <software.GetSysCodeBin> ;
\software.00402590
0040138E |. 0FBEC8 |movsx ecx,al
00401391 |. 83E1 01 |and ecx,1
00401394 |. 85C9 |test ecx,ecx
00401396 |. 74 09 |je short software.004013A1
00401398 |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
0040139B |. 83C2 01 |add edx,1
0040139E |. 8955 E4 |mov dword ptr ss:[ebp-1C],edx
004013A1 |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
004013A4 |. 50 |push eax ; /Arg1
004013A5 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
004013A8 |. E8 E3110000 |call <software.GetSysCodeBin> ;
\software.00402590
004013AD |. 0FBEC8 |movsx ecx,al
004013B0 |. 83E1 02 |and ecx,2
004013B3 |. 85C9 |test ecx,ecx
004013B5 |. 74 09 |je short software.004013C0
004013B7 |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
004013BA |. 83C2 01 |add edx,1
004013BD |. 8955 E8 |mov dword ptr ss:[ebp-18],edx
004013C0 |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
004013C3 |. 50 |push eax ; /Arg1
004013C4 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
004013C7 |. E8 C4110000 |call <software.GetSysCodeBin> ;
\software.00402590
004013CC |. 0FBEC8 |movsx ecx,al
004013CF |. 83E1 04 |and ecx,4
004013D2 |. 85C9 |test ecx,ecx
004013D4 |. 74 09 |je short software.004013DF
004013D6 |. 8B55 EC |mov edx,dword ptr ss:[ebp-14]
004013D9 |. 83C2 01 |add edx,1
004013DC |. 8955 EC |mov dword ptr ss:[ebp-14],edx
004013DF |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
004013E2 |. 50 |push eax ; /Arg1
004013E3 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
004013E6 |. E8 A5110000 |call <software.GetSysCodeBin> ;
\software.00402590
004013EB |. 0FBEC8 |movsx ecx,al
004013EE |. 83E1 08 |and ecx,8
004013F1 |. 85C9 |test ecx,ecx
004013F3 |. 74 09 |je short software.004013FE
004013F5 |. 8B55 F0 |mov edx,dword ptr ss:[ebp-10]
004013F8 |. 83C2 01 |add edx,1
004013FB |. 8955 F0 |mov dword ptr ss:[ebp-10],edx
004013FE |> 8B45 DC |mov eax,dword ptr ss:[ebp-24]
00401401 |. 50 |push eax ; /Arg1
00401402 |. 8D4D 0C |lea ecx,dword ptr ss:[ebp+C] ; |
00401405 |. E8 86110000 |call <software.GetSysCodeBin> ;
\software.00402590
0040140A |. 0FBEC8 |movsx ecx,al
0040140D |. 83E1 10 |and ecx,10
00401410 |. 85C9 |test ecx,ecx
00401412 |. 74 09 |je short software.0040141D
00401414 |. 8B55 D4 |mov edx,dword ptr ss:[ebp-2C]
00401417 |. 83C2 01 |add edx,1
0040141A |. 8955 D4 |mov dword ptr ss:[ebp-2C],edx
0040141D |>^ E9 8CFEFFFF \jmp software.004012AE 《---------------大循环
00401422 |> 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00401425 |. 0C 5A or al,5A
00401427 |. 50 push eax
00401428 |. 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
0040142B |. 81F1 FA000000 xor ecx,0FA
00401431 |. 51 push ecx
00401432 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00401435 |. 52 push edx
00401436 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00401439 |. 83F0 5F xor eax,5F
0040143C |. 50 push eax
0040143D |. 8B4D EC mov ecx,dword ptr ss:[ebp-14]
00401440 |. 51 push ecx
00401441 |. 68 D0304400 push software.004430D0 ; ASCII "%
d%d%d%d%d"
00401446 |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00401449 |. 52 push edx
0040144A |. E8 2F380300 call <jmp.&MFC42.#2818>
0040144F |. 83C4 1C add esp,1C
00401452 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00401455 |. 50 push eax
00401456 |. 8B4D 08 mov ecx,dword ptr ss:[ebp+8] ; 得到了序列号
做注册机(Delphi,下面这个过程把上面 00401242 里的循环原样翻译了一遍):
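{ Pure re-implementation of the serial computation at software.00401242.

  Five accumulators start at 1, 2, 3, 5 and 7 (the constants the target
  stores in [ebp-1C], [ebp-18], [ebp-14], [ebp-10] and [ebp-2C]).  For each
  index i of the machine code, the character at i is added to exactly one
  accumulator, chosen by the first match in the order the binary tests them:
  i mod 7 = 0, i mod 5 = 0, i mod 3 = 0, i even, otherwise odd.  Then bits
  0..4 of the same character each bump one accumulator by 1.  The serial is
  the five accumulators printed back-to-back with "%d%d%d%d%d" after
  [ebp-18] xor $5F, [ebp-1C] xor $FA and [ebp-2C] or $5A.

  The target reads each character through movsx (sign extension), so bytes
  >= $80 contribute a negative value; ShortInt reproduces that.  Whether
  GetSysCodeBin returns the raw character is not visible in the listing;
  it does for the sample "kMPB3LAX5JTGE1M" -> "284248195480218".

  Param SysCode: the machine code exactly as the target sees it.
  Returns: the serial string; for an empty SysCode the loop does not run
  and only the initial constants are printed. }
function ComputeSerial(const SysCode: string): string;
var
  accMod7, accMod5, accMod3, accEven, accOdd: Integer;
  i: Integer;
  ch: Integer;
begin
  accMod7 := 1;   // [ebp-1C]
  accMod5 := 2;   // [ebp-18]
  accMod3 := 3;   // [ebp-14]
  accEven := 5;   // [ebp-10]
  accOdd  := 7;   // [ebp-2C]
  for i := 0 to Length(SysCode) - 1 do
  begin
    // movsx eax, al: the byte is sign-extended before being added.
    ch := ShortInt(Ord(SysCode[i + 1]));
    // First matching test wins; index 0 satisfies every mod test and
    // therefore always lands in the mod-7 accumulator.
    if i mod 7 = 0 then
      Inc(accMod7, ch)
    else if i mod 5 = 0 then
      Inc(accMod5, ch)
    else if i mod 3 = 0 then
      Inc(accMod3, ch)
    // and edx,80000001 / jns / dec / or -2 / inc is the compiler's signed
    // i % 2; i never goes negative here, so it is just the even test.
    else if i mod 2 = 0 then
      Inc(accEven, ch)
    else
      Inc(accOdd, ch);
    // Bit tests on the same (sign-extended) character.
    if ch and $01 <> 0 then Inc(accMod7);
    if ch and $02 <> 0 then Inc(accMod5);
    if ch and $04 <> 0 then Inc(accMod3);
    if ch and $08 <> 0 then Inc(accEven);
    if ch and $10 <> 0 then Inc(accOdd);
  end;
  // Argument order of the "%d%d%d%d%d" Format call in the target.
  Result := IntToStr(accMod3)
          + IntToStr(accMod5 xor $5F)
          + IntToStr(accEven)
          + IntToStr(accMod7 xor $FA)
          + IntToStr(accOdd or $5A);
end;

{ Button handler: reads the machine code from edtSysCode, computes the
  serial and shows it in edtSerialNo. }
procedure TfrmMain.btnGenClick(Sender: TObject);
begin
  // Trim is a UI convenience only; the target does not trim, so a machine
  // code that really contains spaces must be entered exactly.
  edtSerialNo.Text := ComputeSerial(Trim(edtSysCode.Text));
end;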
运行结果:284248195480218,与注册表里的 password 值相同。