
How do I write a keygen for this with keymake?


* Reference T USER32.GetDlgItem, Ord:0000h
|
:00401088 E8159C0000 Call 0040ACA2 ; get the text box handle
:0040108D 6A64 push 00000064 ; maximum length of the string to fetch
:0040108F 8D9548FFFFFF lea edx, dword ptr [ebp+FFFFFF48]
:00401095 52 push edx ; EDX is the address where the string is stored
:00401096 50 push eax ; EAX is the text box handle obtained above
* Reference T USER32.GetWindowTextA, Ord:0000h
|
:00401097 E8129C0000 Call 0040ACAE ; get the user name, stored at [ebp+FFFFFF48]
* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0068, ""
|
:0040109C 6A68 push 00000068 ; same operation, ID of the text box where the serial is entered
:0040109E 53 push ebx
* Reference T USER32.GetDlgItem, Ord:0000h
|
:0040109F E8FE9B0000 Call 0040ACA2
:004010A4 6A64 push 00000064
:004010A6 8D8DE4FEFFFF lea ecx, dword ptr [ebp+FFFFFEE4]
:004010AC 51 push ecx
:004010AD 50 push eax
* Reference T USER32.GetWindowTextA, Ord:0000h
|
:004010AE E8FB9B0000 Call 0040ACAE ; get the serial, stored at [ebp+FFFFFEE4]
* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0067, ""
|
:004010B3 6A67 push 00000067 ; this is the ID of the message text box at the bottom
:004010B5 53 push ebx
* Reference T USER32.GetDlgItem, Ord:0000h
|
:004010B6 E8E79B0000 Call 0040ACA2 ; get its handle
:004010BB 8BF0 mov esi, eax ; keep it in ESI for later
:004010BD 8D8548FFFFFF lea eax, dword ptr [ebp+FFFFFF48]
:004010C3 50 push eax ; points to the user name
:004010C4 E867050000 call 00401630 ; get the user name length
:004010C9 59 pop ecx
:004010CA 8945D8 mov dword ptr [ebp-28], eax ; length stored at [ebp-28]
:004010CD 8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:004010D3 52 push edx ; points to the serial
:004010D4 E857050000 call 00401630 ; get the serial length
:004010D9 59 pop ecx
:004010DA 68EAB04000 push 0040B0EA
:004010DF E84C050000 call 00401630
:004010E4 59 pop ecx
:004010E5 680EB14000 push 0040B10E
:004010EA E841050000 call 00401630
:004010EF 59 pop ecx
:004010F0 837DD803 cmp dword ptr [ebp-28], 00000003
:004010F4 7E7B jle 00401171 ; user name length must not be <= 3
:004010F6 90 nop
:004010F7 90 nop
:004010F8 90 nop
:004010F9 90 nop
:004010FA 33C9 xor ecx, ecx
:004010FC 33D2 xor edx, edx
:004010FE 33DB xor ebx, ebx
:00401100 33C0 xor eax, eax
:00401102 837DD832 cmp dword ptr [ebp-28], 00000032
:00401106 7D69 jge 00401171 ; user name length must not be >= 32h
:00401108 90 nop
:00401109 90 nop
:0040110A 90 nop
:0040110B 90 nop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040111C(C)
|
:0040110C 0FBE840D48FFFFFF movsx eax, byte ptr [ebp+ecx-000000B8] ; fetch the user name characters one by one
:00401114 41 inc ecx ; ECX is the loop counter
:00401115 33C1 xor eax, ecx ; XOR the fetched character with the loop counter
:00401117 03D8 add ebx, eax ; accumulate the result into EBX
:00401119 3B4DD8 cmp ecx, dword ptr [ebp-28] ; compare the loop counter with the user name length
:0040111C 75EE jne 0040110C ; if not all characters are fetched, jump back and continue
:0040111E 6BC006 imul eax, 00000006 ; result of the last iteration is in EAX, multiply by 6
:00401121 C1E307 shl ebx, 07 ; shift the accumulated sum left by 7 bits
:00401124 03C3 add eax, ebx ; add them
:00401126 8945C8 mov dword ptr [ebp-38], eax
:00401129 FF75C8 push [ebp-38] ; push the result above
* Possible StringData Ref from Data Obj ->"%lX"
|
:0040112C 6838B44000 push 0040B438 ; a format string for the conversion
:00401131 8D8D80FEFFFF lea ecx, dword ptr [ebp+FFFFFE80]
:00401137 51 push ecx ; address to store the converted result
:00401138 E8873D0000 call 00404EC4 ; convert the number to a hex string
:0040113D 83C40C add esp, 0000000C
:00401140 8D8580FEFFFF lea eax, dword ptr [ebp+FFFFFE80]
:00401146 50 push eax ; the string converted above
:00401147 8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:0040114D 52 push edx ; the fake serial (the one that was entered)
* Reference T KERNEL32.lstrcmpA, Ord:0000h
|
:0040114E E8339C0000 Call 0040AD86 ; compare
:00401153 85C0 test eax, eax
:00401155 750D jne 00401164 ; this is the critical jump
* Possible StringData Ref from Data Obj ->"Congratulations! IF this number "
->"comes *FROM YOUR* keygen, Write "
->"a tutorial dude ;)."
|
:00401157 683CB44000 push 0040B43C ; points to the success string
:0040115C 56 push esi ; remember ESI? the handle of the message text box
* Reference T USER32.SetWindowTextA, Ord:0000h
|
:0040115D E8289B0000 Call 0040AC8A ; display it
:00401162 EB18 jmp 0040117C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401155(C)
|
* Possible StringData Ref from Data Obj ->"This serial is *NOT* Valid!! Try "
->"again... : UNREGISTERED"
|
:00401164 6890B44000 push 0040B490 ; we stopped at this instruction at the start; look upward for the jump
:00401169 56 push esi ; ESI: handle of the message text box
* Reference T USER32.SetWindowTextA, Ord:0000h
|
:0040116A E81B9B0000 Call 0040AC8A
:0040116F EB0B jmp 0040117C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004010F4(C), :00401106(C)
|
* Possible StringData Ref from Data Obj ->"Name must contain more than 4 "
->"chars and less than 50 chars !!"
|
:00401171 68C9B44000 push 0040B4C9 ; jumps here when the user name does not meet the requirements
:00401176 56 push esi ; ESI: handle of the message text box
* Reference T USER32.SetWindowTextA, Ord:0000h
|
:00401177 E80E9B0000 Call 0040AC8A
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401162(U), :0040116F(U)
|
:0040117C 5F pop edi
:0040117D 5E pop esi
:0040117E 5B pop ebx
:0040117F 8BE5 mov esp, ebp
:00401181 5D pop ebp ; clean up and return

(This is the basic idea when looking for the patch point.) Searching upward, we find it:

:00401155 750D jne 00401164

It jumps exactly to the error-message instruction at 401164. Heh, if you want to patch it, just change 750D to 740D (je, inverting the condition, so a wrong serial shows the success message :D) or to EB0D (jmp, an unconditional jump, so it is "correct" no matter what).
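As an added example (not from the original post), here is the check at 0040110C..0040114E transcribed into Python so a reading of the loop can be verified against the crackme: the serial is a pure function of the public user name with no secret in it, which is why reading the loop once is enough to reproduce it and why such a check offers no protection. Constants and addresses come from the listing; the function names and the sample names are my own.

```python
# Added example, not code from the original post. Reproduces the crackme's
# serial check as read from the W32Dasm listing; function names are assumed.

LENGTH_MIN = 0x03   # cmp [ebp-28], 3   / jle 00401171 -> length must be > 3
LENGTH_MAX = 0x32   # cmp [ebp-28], 32h / jge 00401171 -> length must be < 50
MASK32 = 0xFFFFFFFF # registers are 32-bit; keep every step to 32 bits


def name_ok(name: bytes) -> bool:
    """The two length checks at 004010F0 and 00401102."""
    return LENGTH_MIN < len(name) < LENGTH_MAX


def serial_for(name: bytes):
    """Loop at 0040110C..00401124 plus the "%lX" conversion at 00401138.

    Returns None where the program shows the "Name must contain..." text.
    """
    if not name_ok(name):
        return None
    total = 0   # EBX: running sum of (char ^ counter)
    last = 0    # EAX: value from the final iteration
    for i, c in enumerate(name, start=1):      # inc ecx runs before the xor
        if c >= 0x80:                          # movsx: byte is sign-extended
            c -= 0x100
        last = (c ^ i) & MASK32                # xor eax, ecx
        total = (total + last) & MASK32        # add ebx, eax
    value = (last * 6 + (total << 7)) & MASK32 # imul eax,6 ; shl ebx,7 ; add
    return format(value, "X")                  # "%lX": uppercase hex, no padding


def check_serial(name: bytes, entered: bytes) -> bool:
    """lstrcmpA at 0040114E: exact, case-sensitive comparison."""
    expected = serial_for(name)
    return expected is not None and entered == expected.encode("ascii")


if __name__ == "__main__":
    for sample in (b"test", b"abc", b"test\xff"):   # constructed sample names
        print(sample, "->", serial_for(sample))
```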