过程:
中断后F10来到这:
===============================================================
:004F2432 33C9 xor ecx, ecx
:004F2434 B201 mov dl, 01
:004F2436 A198864E00 mov eax, dword ptr [004E8698]
:004F243B E8AC63FFFF call 004E87EC
:004F2440 8BD8 mov ebx, eax
:004F2442 8B55FC mov edx, dword ptr [ebp-04]
:004F2445 8BC3 mov eax, ebx
:004F2447 E89464FFFF call 004E88E0
:004F244C C6434400 mov [ebx+44], 00
* Possible StringData Ref from Code Obj ->"F0E1"<----------------注意这些特殊字符以后和它进行计算
|
:004F2450 BA70254F00 mov edx, 004F2570<-------------取特殊字符(EDX为“F0E1”)
:004F2455 8BC3 mov eax, ebx
:004F2457 E82864FFFF call 004E8884
:004F245C 8BC3 mov eax, ebx
:004F245E E81967FFFF call 004E8B7C<-----------------具体算法在里面(跟进)
:004F2463 837B3400 cmp dword ptr [ebx+34], 00000000<----判断注册码是否存在
:004F2467 0F84CB000000 je 004F2538
:004F246D 8B4334 mov eax, dword ptr [ebx+34]<---真的注册码
:004F2470 8B55F8 mov edx, dword ptr [ebp-08]<---假的注册码
:004F2473 E83429F1FF call 00404DAC<-----------------在此CALL里比较
:004F2478 0F85BA000000 jne 004F2538<------------------不跳则注册成功
:004F247E B201 mov dl, 01
来到这里:
============================================================
:004E8B7C 55 push ebp
:004E8B7D 8BEC mov ebp, esp
:004E8B7F 6A00 push 00000000
:004E8B81 53 push ebx
................
................
:004E8BB5 53 push ebx
:004E8BB6 8D45FC lea eax, dword ptr [ebp-04]
:004E8BB9 50 push eax
:004E8BBA 8B4E40 mov ecx, dword ptr [esi+40]
:004E8BBD 8B5630 mov edx, dword ptr [esi+30]
:004E8BC0 8BC6 mov eax, esi
:004E8BC2 E875FDFFFF call 004E893C<-----------------跟进
:004E8BC7 8B55FC mov edx, dword ptr [ebp-04]
来到这里:
==============================================================
:004E893C 55 push ebp
:004E893D 8BEC mov ebp, esp
:004E893F 83C4C4 add esp, FFFFFFC4
:004E8942 53 push ebx
:004E8943 56 push esi
...............
...............
:004E899E 33F6 xor esi, esi
:004E89A0 807D0C00 cmp byte ptr [ebp+0C], 00
:004E89A4 0F849B000000 je 004E8A45
:004E89AA BF64000000 mov edi, 00000064<-------------EDI赋初值64(真注册码的第一位)
:004E89AF 8D45F0 lea eax, dword ptr [ebp-10]
:004E89B2 50 push eax
:004E89B3 897DDC mov dword ptr [ebp-24], edi
:004E89B6 C645E000 mov [ebp-20], 00
:004E89BA 8D55DC lea edx, dword ptr [ebp-24]
:004E89BD 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"%1.2x"
|
:004E89BF B8688B4E00 mov eax, 004E8B68
:004E89C4 E8CB17F2FF call 0040A194
:004E89C9 8B45FC mov eax, dword ptr [ebp-04]
:004E89CC E897C2F1FF call 00404C68
:004E89D1 85C0 test eax, eax
:004E89D3 0F8E2F010000 jle 004E8B08
:004E89D9 8945E4 mov dword ptr [ebp-1C], eax
:004E89DC C745EC01000000 mov [ebp-14], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E8A3E(C)
|
:004E89E3 8B45FC mov eax, dword ptr [ebp-04]<-----------取注册名
:004E89E6 8B55EC mov edx, dword ptr [ebp-14]
:004E89E9 0FB64410FF movzx eax, byte ptr [eax+edx-01]<------取一位注册名
:004E89EE 03C7 add eax, edi<--------------------------与EDI相加
:004E89F0 B9FF000000 mov ecx, 000000FF<---------------------ECX赋值FF
:004E89F5 99 cdq
:004E89F6 F7F9 idiv ecx<------------------------------除以FF
:004E89F8 8BDA mov ebx, edx<--------------------------余数存入EBX(设此值为X)
:004E89FA 3B75F4 cmp esi, dword ptr [ebp-0C]<-----------比较ESI是否大于等于4([ebp-0c]==4(特殊字符是4位,如大于则从第一位再来)
:004E89FD 7D03 jge 004E8A02
:004E89FF 46 inc esi
:004E8A00 EB05 jmp 004E8A07
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E89FD(C)
|
:004E8A02 BE01000000 mov esi, 00000001<----------------------ESI大于等于4则重新赋值为1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E8A00(U)
|
:004E8A07 8B45F8 mov eax, dword ptr [ebp-08]<------------取要进行运算的特殊字符(F0E1)
:004E8A0A 0FB64430FF movzx eax, byte ptr [eax+esi-01]<-------取其中一位(设为Y)
:004E8A0F 33D8 xor ebx, eax<---------------------------值X与一位特殊字符Y异或(结果为一位注册码)
:004E8A11 8D45D8 lea eax, dword ptr [ebp-28]
:004E8A14 50 push eax
:004E8A15 895DDC mov dword ptr [ebp-24], ebx
:004E8A18 C645E000 mov [ebp-20], 00
:004E8A1C 8D55DC lea edx, dword ptr [ebp-24]
:004E8A1F 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"%1.2x"
|
:004E8A21 B8688B4E00 mov eax, 004E8B68
:004E8A26 E86917F2FF call 0040A194
:004E8A2B 8B55D8 mov edx, dword ptr [ebp-28]
:004E8A2E 8D45F0 lea eax, dword ptr [ebp-10]
:004E8A31 E83AC2F1FF call 00404C70
:004E8A36 8BFB mov edi, ebx
:004E8A38 FF45EC inc [ebp-14]<------特殊字符计数器+1
:004E8A3B FF4DE4 dec [ebp-1C]<------注册名长度计数器-1
:004E8A3E 75A3 jne 004E89E3<------判断运算完没有,没有则继续
:004E8A40 E9C3000000 jmp 004E8B08
================================================================
算法总结:
1、注册码前二位为64。
2、其它位为:每位注册名+前两位注册码的值 mod FF 再与特殊字符(“F0E1”往后一次取一位,循环取),相异或的值。
3、注册码都为大写字母。
注册名:master
注册码:6497C879DC0446
附TC2.0注册机源码:
main()
{
short c[20],x1,x2;
int i,j,m;
char a[20],b[4]={"F0E1"};
c[0]=0x64;
clrscr();
printf("===============================\n");
printf(" This Is QC Keygen \n");
printf(" made by master[FCG] \n");
printf("===============================\n");
printf("\nPlease Input Your name: ");
gets(a);
j=strlen(a);
for (i=0;i
printf("Your Code Is: ");
for (i=0;i
x1=c[i]/16;
x2=c[i]%16;
if (x1<10) x1=x1+48;
else x1=x1+55;
if (x2<10) x2=x2+48;
else x2=x2+55;
printf("%c%c",x1,x2);
}
}
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
热门文章
去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据
人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有0条评论>>