史萊姆論壇

返回   史萊姆論壇 > 教學文件資料庫 > Hacker/Cracker 及加解密技術文件
忘記密碼?
註冊帳號 論壇說明 標記討論區已讀

歡迎您來到『史萊姆論壇』 ^___^

您目前正以訪客的身份瀏覽本論壇,訪客所擁有的權限將受到限制,您可以瀏覽本論壇大部份的版區與文章,但您將無法參與任何討論或是使用私人訊息與其他會員交流。若您希望擁有完整的使用權限,請註冊成為我們的一份子,註冊的程序十分簡單、快速,而且最重要的是--註冊是完全免費的!

請點擊這裡:『註冊成為我們的一份子!』

Google 提供的廣告


 
 
主題工具 顯示模式
舊 2003-12-11, 07:53 PM   #1
psac
榮譽會員
 
psac 的頭像
榮譽勳章
UID - 3662
在線等級: 級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時
註冊日期: 2002-12-07
住址: 木柵市立動物園
文章: 17381
現金: 5253 金幣
資產: 33853 金幣
預設 UltraEdit-32 10註冊碼算法分析

軟體名稱:UltraEdit-32 10.00.c
編程語言:VC++ 6.0
執行環境:Win9x/NT/2000/XP
保護措施:註冊碼,有45天使用期限
破 解 人:wolverine [CCG]
使用工具:Trw2000 1.23 IDA Pro 4.3

作者宣告:初學破解,純屬技術交流,無其它目的。

由於它的註冊方式與其他軟體不一樣,所以我用了大約3天的時間才找到關鍵點,我都看見星星了.
在這裡我只講講它的加密算法,並給出必要的程式碼.由於我的語文水準有限,可能有些語病.請多包涵.如果有科學性錯誤,請大家指出.我會加以改正,以免誤人子弟.:-)

016F:004185F0 AND BYTE [EBP-14],00
016F:004185F4 AND BYTE [EBP-54],00
016F:004185F8 AND BYTE [EBP+FFFFFF6C],00
016F:004185FF CMP [EBP+14],EBX
016F:00418602 JZ NEAR 0041890C
016F:00418608 PUSH ESI
016F:00418609 PUSH EDI
016F:0041860A CALL 004FF590
016F:0041860F POP ECX
016F:00418610 PUSH BYTE +3C
016F:00418612 POP ESI
016F:00418613 CMP EAX,ESI
016F:00418615 JA 00418620
016F:00418617 PUSH EDI
016F:00418618 CALL 004FF590
016F:0041861D POP ECX
016F:0041861E MOV ESI,EAX
016F:00418620 MOV [EBP-0C],ESI
016F:00418623 XOR ECX,ECX

016F:00418625 MOV AL,CL
016F:00418627 MOV DL,03
016F:00418629 IMUL DL
016F:0041862B SUB AL,DL
016F:0041862D MOV [EBP+ECX+FFFFFF70],AL
016F:00418634 INC ECX
016F:00418635 CMP ECX,BYTE +3D
016F:00418638 JC 00418625
上面的一段程序完成下面操作:
有一個存儲空間(或者叫陣列)M[3Dh],
ecx=0
1) M[ecx]=ecx*3-3
2) ecx=ecx+1
重複執行1、2 3Dh次,
============================================================
016F:0041863A PUSH ESI
016F:0041863B LEA EAX,[EBP+FFFFFF70]
016F:00418641 PUSH EDI
016F:00418642 PUSH EAX
016F:00418643 CALL 004FF990 將name複製到M中,也就是[ebp+ffffff70]
016F:00418648 AND BYTE [EBP+ESI+FFFFFF70],00
016F:00418650 ADD ESP,BYTE +0C
016F:00418653 XOR ECX,ECX
016F:00418655 DEC ESI
016F:00418656 PUSH BYTE +01
016F:00418658 MOV [EBP-10],ECX
016F:0041865B POP EDX
016F:0041865C CMP ESI,EDX
016F:0041865E JNG 0041869A

016F:00418660 MOV DWORD [EBP+10],02
016F:00418667 MOVSX EDI,BYTE [EBP+EDX+FFFFFF6F]
016F:0041866F MOVSX EBX,BYTE [EBP+EDX+FFFFFF71]
016F:00418677 LEA EAX,[EBP+EDX+FFFFFF71]
016F:0041867E IMUL EDI,EBX
016F:00418681 MOVSX EAX,BYTE [EAX-01]
016F:00418685 SUB EDI,EAX
016F:00418687 SUB EDI,[EBP+10]
016F:0041868A ADD DWORD [EBP+10],BYTE +02
016F:0041868E INC EDX
016F:0041868F CMP EDX,ESI
016F:00418691 LEA ECX,[ECX+EDI+03]
016F:00418695 JL 00418667
016F:00418697 MOV [EBP-10],ECX
對name的處理,程序如下
設name的位址為X,name的長度為Z,n∈[1,3ch],C=2h,S=0 :
1)T=[X(n)*X(n+2)-X(n+1)-C]
2)C=C+2
3)n=n+1
4)S=S+T+3
重複執行1、2、3、4,Z-1次,最後結果放在[ebp-10]中,後面會用到
=================================================================================
從這開始計算註冊碼,其程序比較繁瑣,我理解它的算法,但我不道怎樣去描述,
如果你能詳細描述出算法,並且易懂,請告訴我
016F:0041869A XOR ECX,ECX
016F:0041869C XOR EDI,EDI
016F:0041869E MOV DWORD [EBP-08],01
016F:004186A5 LEA EAX,[EBP+FFFFFF70]
016F:004186AB SUB [EBP-08],EAX
016F:004186AE MOV [EBP-04],EDI
016F:004186B1 MOV [005933F4],ECX

016F:004186B7 MOV EAX,[EBP-08]
016F:004186BA LEA ESI,[EBP+ECX+FFFFFF70]
016F:004186C1 ADD EAX,ESI
016F:004186C3 CMP EAX,BYTE +3C eax是否大於3ch
016F:004186C6 JNL NEAR 0041874C


016F:004186CC MOV EAX,ECX ecx=0
016F:004186CE PUSH BYTE +04
016F:004186D0 CDQ
016F:004186D1 POP EDI
016F:004186D2 IDIV EDI ; edx=ecx mod 4h

016F:004186D4 MOV EAX,ECX
016F:004186D6 PUSH BYTE +20
016F:004186D8 POP EBX
016F:004186D9 PUSH BYTE +3B
016F:004186DB MOV EDI,EDX ;edi=edx=ecx mod 4h
016F:004186DD CDQ
016F:004186DE IDIV EBX ;

016F:004186E0 MOV EAX,EDX ; eax=ecx mod 20h
016F:004186E2 CDQ
016F:004186E3 SUB EAX,EDX

016F:004186E5 MOV EDX,[EDI*4+00586C38] ;(ecx mod 20h)*4+586C38
016F:004186EC SAR EAX,1 ;eax=eax*2
016F:004186EE POP EDI ;edi=3bh
016F:004186EF MOVZX EAX,BYTE [EDX+EAX]
016F:004186F3 MOV DL,CL
016F:004186F5 PUSH BYTE +12
016F:004186F7 ADD DL,[EBP-10]
016F:004186FA MOVZX EDX,DL
016F:004186FD XOR EAX,EDX
016F:004186FF CDQ
016F:00418700 IDIV EDI
016F:00418702 POP EDI //edi=12h
016F:00418703 PUSH BYTE +04
016F:00418705 POP EBX //edx=4h
016F:00418706 PUSH BYTE +20
016F:00418708 MOV DL,[EBP+EDX+FFFFFF70]
016F:0041870F MOVZX EAX,DL
016F:00418712 ADD EAX,ECX
016F:00418714 MOV [EBP+13],DL
016F:00418717 CDQ
016F:00418718 IDIV EDI
016F:0041871A MOV EDI,EDX
016F:0041871C MOV EAX,EDI
016F:0041871E CDQ
016F:0041871F IDIV EBX
016F:00418721 MOV EAX,EDI
016F:00418723 POP EDI //edi=20h
016F:00418724 MOV EBX,EDX
016F:00418726 CDQ
016F:00418727 IDIV EDI
016F:00418729 MOV EDI,[EBP-04]
016F:0041872C MOV EAX,EDX
016F:0041872E CDQ
016F:0041872F SUB EAX,EDX
016F:00418731 MOV EDX,[EBX*4+00586C38]
016F:00418738 SAR EAX,1
016F:0041873A MOV AL,[EDX+EAX]
016F:0041873D MOV DL,[ESI+01]
016F:00418740 XOR AL,[EBP+13]
016F:00418743 SHL DL,1
016F:00418745 ADD AL,[EBP+13]
016F:00418748 XOR AL,DL
016F:0041874A MOV [ESI],AL
016F:0041874C CMP EDI,BYTE +3C
016F:0041874F JNL 004187C2
016F:00418751 MOV EAX,ECX
016F:00418753 PUSH BYTE +05
016F:00418755 CDQ
016F:00418756 POP EBX //ebx=5h
016F:00418757 IDIV EBX
016F:00418759 MOV EBX,EDX
016F:0041875B TEST EBX,EBX
016F:0041875D MOV [EBP+10],EBX
016F:00418760 JZ 0041876C
016F:00418762 CMP EBX,BYTE +02
016F:00418765 JZ 0041876C
016F:00418767 CMP EBX,BYTE +04
016F:0041876A JNZ 00418786
016F:0041876C MOVZX EAX,BYTE [ESI]
016F:0041876F PUSH BYTE +1A
016F:00418771 CDQ
016F:00418772 POP EBX //ebx=1ah
016F:00418773 IDIV EBX
016F:00418775 MOV EBX,[EBP+10]
016F:00418778 ADD DL,41
016F:0041877B MOV [EBP+EDI+FFFFFF30],DL
016F:00418782 INC EDI
016F:00418783 MOV [EBP-04],EDI
016F:00418786 CMP EDI,BYTE +3C
016F:00418789 JNL 004187C2
016F:0041878B CMP EBX,BYTE +01
016F:0041878E JZ 00418795
016F:00418790 CMP EBX,BYTE +03
016F:00418793 JNZ 004187AC
016F:00418795 MOVZX EAX,BYTE [ESI]
016F:00418798 PUSH BYTE +0A
016F:0041879A CDQ
016F:0041879B POP ESI
016F:0041879C IDIV ESI
016F:0041879E ADD DL,30
016F:004187A1 MOV [EBP+EDI+FFFFFF30],DL
016F:004187A8 INC EDI
016F:004187A9 MOV [EBP-04],EDI
016F:004187AC CMP EDI,BYTE +3C
016F:004187AF JNL 004187C2
016F:004187B1 CMP EBX,BYTE +04
016F:004187B4 JNZ 004187C2
016F:004187B6 MOV BYTE [EBP+EDI+FFFFFF30],2D
016F:004187BE INC EDI
016F:004187BF MOV [EBP-04],EDI
016F:004187C2 TEST ECX,ECX
016F:004187C4 JNG 004187E5
016F:004187C6 CMP ECX,[EBP-0C]
016F:004187C9 JNL 004187E5
016F:004187CB CMP EDI,[EBP-0C]
016F:004187CE JNL 004187E5
016F:004187D0 MOV EAX,[EBP+08]
016F:004187D3 MOVSX EDX,BYTE [ECX+EAX-01]
016F:004187D8 MOVSX EAX,BYTE [EDI+EAX]
016F:004187DC IMUL EDX,EAX
016F:004187DF ADD [005933F4],EDX ;這個值好像沒用到呀?
016F:004187E5 INC ECX
016F:004187E6 CMP ECX,BYTE +3C
016F:004187E9 JL NEAR 004186B7

算法分析:

一.做準備工作:
有一個存儲空間(或者叫陣列)M[3Dh],
ecx=0
1) M[ecx]=ecx*3-3
2) ecx=ecx+1
重複執行1、2 3Dh次,再將name複製到M中,也就是上面的[ebp+ffffff70]
二.對name的處理,程序如下:
設name為X,name的長度為Z,n∈[1,3ch],C=2h,S=0
1)T=[X(n)*X(n+2)-X(n+1)-C]
2)C=C+2
3)n=n+1
4)S=S+T+3
重複執行1、2、3、4,Z-1次,最後結果放在S中也就是[ebp-10]中,只用到S的低8為
三.計算註冊碼
啟始化:
[ebp-4]=0
ecx=0
[5933f4]=0
1. 計算ecx mod 4h,將算出的值*4+00586C38,從目錄(見附錄)中取出相應的位址p,再計算(ecx mod 20h)/2算出q,然後以p+q為位址從碼表取出相應的值,假設為Q
計算(ecx+S xor Q) mod 3bh,以算出的值為索引值,從M中取出相應的值,假設該值為t,計算[(t+ecx) mod 12h] mod 4h 將算出的值*4+00586C38,從目錄(見附錄)中取出相應的位址p ,{[(t+ecx) mod 12h] mod 20h}/2算出q,然後以p+q為位址從碼表取出相應的值AL,計算[(AL xor t)+t] xor M[esi+1]*2,將結果儲存再M[esi]中.
2. 計算 ecx mod 5h,將算出的值儲存到[ebp+10]中,如果等於0或等於2或等於4,則計算(M[esi] mod 1Ah)+41h.如果等於1或3,則計算(M[esi] mod 1Ah)+30h,結果放在[EBP+EDI+FFFFFF30]中,這就是註冊碼,當然這不是最後的註冊碼.
3.ecx=ecx+1
重複1,2,3直到ecx>3ch為止
在計算註冊碼的程序中,每隔5位插入一個"-".


.text:004187F1 loc_4187F1: ; CODE XREF: sub_4185B8+295j
.text:004187F1 mov cl, [ebp+edx+var_90]
.text:004187F8 lea eax, [ebp+edx+var_90]
.text:004187FF cmp cl, 80h
.text:00418802 jb short loc_418809
.text:00418804 add cl, 80h
.text:00418807 mov [eax], cl
.text:00418809
.text:00418809 loc_418809: ; CODE XREF: sub_4185B8+24Aj
.text:00418809 mov cl, [eax]
.text:0041880B cmp cl, 7Fh
.text:0041880E jl short loc_418815
.text:00418810 sub cl, 7Fh
.text:00418813 mov [eax], cl
.text:00418815
.text:00418815 loc_418815: ; CODE XREF: sub_4185B8+256j
.text:00418815 mov cl, [eax]
.text:00418817 cmp cl, 21h
.text:0041881A jg short loc_418821
.text:0041881C add cl, 21h
.text:0041881F mov [eax], cl
.text:00418821
.text:00418821 loc_418821: ; CODE XREF: sub_4185B8+262j
.text:00418821 cmp byte ptr [eax], 22h
.text:00418824 jnz short loc_418829
.text:00418826 mov byte ptr [eax], 23h
.text:00418829
.text:00418829 loc_418829: ; CODE XREF: sub_4185B8+26Cj
.text:00418829 cmp byte ptr [eax], 27h
.text:0041882C jnz short loc_418831
.text:0041882E mov byte ptr [eax], 28h
.text:00418831
.text:00418831 loc_418831: ; CODE XREF: sub_4185B8+274j
.text:00418831 cmp byte ptr [eax], 2Eh
.text:00418834 jnz short loc_418839
.text:00418836 mov byte ptr [eax], 2Fh
.text:00418839
.text:00418839 loc_418839: ; CODE XREF: sub_4185B8+27Cj
.text:00418839 cmp byte ptr [eax], 60h
.text:0041883C jnz short loc_418841
.text:0041883E mov byte ptr [eax], 61h
.text:00418841
.text:00418841 loc_418841: ; CODE XREF: sub_4185B8+284j
.text:00418841 cmp byte ptr [eax], 7Ch
.text:00418844 jnz short loc_418849
.text:00418846 mov byte ptr [eax], 6Ch
.text:00418849
.text:00418849 loc_418849: ; CODE XREF: sub_4185B8+28Cj
.text:00418849 inc edx
.text:0041884A cmp edx, 3Ch
.text:0041884D jl short loc_4187F1
.text:0041884F mov esi, [ebp+arg_C]
.text:00418852 push 6
.text:00418854 and [ebp+var_81], 0
.text:0041885B and [ebp+var_B9], 0
.text:00418862 pop ecx
.text:00418863 lea eax, [ebp+var_50]
.text:00418866 push eax ; char *
.text:00418867 lea edi, [ebp+var_50]
.text:0041886A push [ebp+arg_4] ; char *
.text:0041886D mov [ebp+var_CF], 30h
.text:00418874 repe movsd
.text:00418876 and [ebp+var_39], 0
.text:0041887A mov [ebp+var_4F], 30h
.text:0041887E mov [ebp+var_46], 30h
.text:00418882 mov [ebp+var_44], 30h
.text:00418886 mov [ebp+var_42], 30h
.text:0041888A mov [ebp+var_3A], 30h
.text:0041888E mov [ebp+var_C6], 30h
.text:00418895 mov [ebp+var_C4], 30h
.text:0041889C mov [ebp+var_C2], 30h
.text:004188A3 mov [ebp+var_BA], 30h
.text:004188AA call _strcmp
.text:004188AF pop ecx
.text:004188B0 pop ecx
.text:004188B1 pop esi
.text:004188B2 test eax, eax
.text:004188B4 jnz short loc_4188D6
.text:004188B6 lea eax, [ebp+var_50]
.text:004188B9 push eax ; char *
.text:004188BA push [ebp+arg_4] ; char *
.text:004188BD call _strcmp
.text:004188C2 pop ecx
.text:004188C3 test eax, eax
.text:004188C5 pop ecx
.text:004188C6 jnz short loc_418919
.text:004188C8 push [ebp+arg_4] ; char *
.text:004188CB call _strlen
.text:004188D0 cmp eax, 0Ch
.text:004188D3 pop ecx
.text:004188D4 jz short loc_418919
.text:004188D6
.text:004188D6 loc_4188D6: ; CODE XREF: sub_4185B8+2FCj
.text:004188D6 lea eax, [ebp+var_90]
.text:004188DC push eax ; char *
.text:004188DD lea eax, [ebp+var_50]
.text:004188E0 push eax ; char *
.text:004188E1 call _strcmp
.text:004188E6 pop ecx
.text:004188E7 test eax, eax
.text:004188E9 pop ecx
.text:004188EA jz short loc_418912
.text:004188EC lea eax, [ebp+var_D0] ;這是最後算出的註冊碼
.text:004188F2 push eax ; char *
.text:004188F3 lea eax, [ebp+var_50] ;這是我們輸入的註冊碼
.text:004188F6 push eax ; char *
.text:004188F7 call _strcmp ;比較註冊碼
.text:004188FC pop ecx
.text:004188FD test eax, eax
.text:004188FF pop ecx
.text:00418900 jz short loc_418912
.text:00418902 mov dword_593518, 1
.text:0041890C
.text:0041890C loc_41890C: ; CODE XREF: sub_4185B8+29j
.text:0041890C ; sub_4185B8+32j ...
.text:0041890C xor eax, eax
.text:0041890E
.text:0041890E loc_41890E: ; CODE XREF: sub_4185B8+364j
.text:0041890E pop edi
.text:0041890F pop ebx
.text:00418910 leave
.text:00418911 retn
別以為這樣找到的註冊碼就能順利過關.當你輸入註冊碼後,重新啟動後發現註冊成功.關閉後再啟動,UltraEdit-32又會彈出註冊視窗,再看看UltraEdit-32目錄,Uedit32.reg文件被刪除了.這說明還有其他的地方檢查註冊碼.於是下bpx deletefilea,再註冊一次,找到

016F:004486E1 MOV EAX,[005933F4]
016F:004486E6 PUSH DWORD [005933D8]
016F:004486EC MOV [EBP-1C],EAX
016F:004486EF CALL 004FF590
016F:004486F4 POP ECX
016F:004486F5 CMP EAX,BYTE +0F
016F:004486F8 POP ECX
016F:004486F9 JC NEAR 004487F6
016F:004486FF CMP [0059DD3C],EDI
016F:00448705 JNZ NEAR 004487F6
016F:0044870B CMP [0059DD40],EDI
016F:00448711 JZ NEAR 004487F6
016F:00448717 MOVZX EDI,BYTE [EBP-1C]
016F:00448
016F:00448717 MOVZX EDI,BYTE [EBP-1C]
016F:0044871B MOV EAX,EDI eax=byte prt [005933f4]
016F:0044871D PUSH BYTE +09
016F:0044871F CDQ
016F:00448720 POP EBX
016F:00448721 MOV ECX,[005933D8]
016F:00448727 IDIV EBX
016F:00448729 MOVSX EAX,BYTE [ECX+0E] //取註冊碼的第15位
016F:0044872D ADD EDX,BYTE +41 EDX=(eax mod 9h)+41h
016F:00448730 CMP EAX,EDX EDX與註冊碼的第15位進行比較
016F:00448732 JNZ 0044874D 若不等,Game Over
016F:00448734 MOV EAX,EDI
016F:00448736 PUSH BYTE +07
016F:00448738 CDQ
016F:00448739 POP EDI
016F:0044873A MOV CL,[ECX+16] //取出註冊碼的第23位
016F:0044873D IDIV EDI ;
016F:0044873F MOVSX EAX,CL ;
016F:00448742 ADD EDX,BYTE +41 ;EDX=(eax mod 7h)+41h
016F:00448745 CMP EAX,EDX EDX與註冊碼的第23位進行比較
016F:00448747 JZ NEAR 004487F3 若不等,Game Over
016F:0044874D AND DWORD [0059DD40],BYTE +00
016F:00448754 CALL 00533F9D
016F:00448759 MOV EAX,[EAX+04]
016F:0044875C LEA ECX,[EBP-10]
016F:0044875F PUSH DWORD [EAX+8C]
016F:00448765 CALL 00519DBA
016F:0044876A MOV EAX,[EBP-10]
016F:0044876D LEA ECX,[EBP-10]
016F:00448770 MOV BYTE [EBP-04],01
016F:00448774 MOV EAX,[EAX-08]
016F:00448777 ADD EAX,BYTE -03
016F:0044877A PUSH EAX
016F:0044877B LEA EAX,[EBP-24]
016F:0044877E PUSH EAX
016F:0044877F CALL 00511C19
016F:00448784 PUSH DWORD 00587018
016F:00448789 PUSH EAX
016F:0044878A LEA EAX,[EBP-1C]
016F:0044878D MOV BYTE [EBP-04],02
016F:00448791 PUSH EAX
016F:00448792 CALL 00519FE1
016F:00448797 PUSH EAX
016F:00448798 LEA ECX,[EBP-10]
016F:0044879B MOV BYTE [EBP-04],03
016F:0044879F CALL 00519E85
016F:004487A4 LEA ECX,[EBP-1C]
016F:004487A7 MOV BYTE [EBP-04],02
016F:004487AB CALL 00519D4C
016F:004487B0 LEA ECX,[EBP-24]
016F:004487B3 MOV BYTE [EBP-04],01
016F:004487B7 CALL 00519D4C
016F:004487BC PUSH DWORD 80
016F:004487C1 PUSH DWORD [EBP-10]
016F:004487C4 CALL `KERNEL32!SetFileAttributesA`
016F:004487CA PUSH DWORD [EBP-10]
016F:004487CD CALL `KERNEL32!DeleteFileA`
還記得在計算註冊碼時有個值沒用到嗎? 對了,就是[005933F4].它在這裡用來檢驗註冊碼的有效性.將[005933F4]中的低8位(二進制)分別與09h進行異或運算後加上41h,再與我們輸入的註冊碼的第15位和第23位進行比較,有一位不對,就刪掉Uedit32.reg.真夠狡猾的.
至此整個算法分析完了。這是我加入CCG後的第一篇文章,讓各位高手見笑了.
User Naem: wolverine[CCG]
Authorization:V7H7L-M2O6S-J1F3H-I8D9B
wolverine[CCG]
2003-5-17
==========================>附錄<=============================
1.
586c38{00586C28,00586B30, ;\
0058CA38,0058D288 ;=>我稱這個為目錄
} ;/
===================碼表====================
00586C28{
D8,00,FE,00,
8E,00,66,00,
2F,00,DE,00,
43,00,A5,00
}

00586B30{
D3,00,1F,00,
78,00,6F,00,
38,00,8F,00,
65,00,5A,00
}

0058CA38{
00,10,00,F1,
00,A5,00,2F,
00,1F,00,CB,
00,98,00,F3
}

0058D288{
00,EF,00,E0,
00,73,00,78,
00,73,00,34,
00,77,00,33
}
2.註冊機:
(至於註冊機……)
//-----------kg.cpp--------------------
#include "windows.h"
#include "Kg.h"

#pragma comment(linker,"/OPT:NOWIN98")
#pragma comment(linker,"/ENTRY:WinMain")
#pragma comment(linker, "/SECTION:Mini,")
#pragma comment(linker, "/MERGE:.data=Mini")
#pragma comment(linker, "/MERGE:.text=Mini")
#pragma comment(linker, "/MERGE:.rdata=Mini")


HWND hWnd;
HINSTANCE hInst;

unsigned int iSum=0,iStrLen=0;
int iCheckNum=0;
unsigned char szName[20]; //名字的最大長度
unsigned char szSN[0x60];
unsigned char M[0x40];
unsigned char T[4][0x10]={
// t1[0x10]=
{
0xD8,0x00,0xFE,0x00,
0x8E,0x00,0x66,0x00,
0x2F,0x00,0xDE,0x00,
0x43,0x00,0xA5,0x00
},
// t2[0x10]=
{
0xD3,0x00,0x1F,0x00,
0x78,0x00,0x6F,0x00,
0x38,0x00,0x8F,0x00,
0x65,0x00,0x5A,0x00
},
// t3[0x10]=
{
0x00,0x10,0x00,0xF1,
0x00,0xA5,0x00,0x2F,
0x00,0x1F,0x00,0xCB,
0x00,0x98,0x00,0xF3
},
// t4[0x10]=
{
0x00,0xEF,0x00,0xE0,
0x00,0x73,0x00,0x78,
0x00,0x73,0x00,0x34,
0x00,0x77,0x00,0x33
}
};


void FillM()
{
int i;
for (i=0;i<0x3d;i++)M[i]=(i-1)*3;
}

void CvtName() //1.轉換名字應該是strlen-2次循環。
{
int i,l,c=2,t;
l=iStrLen;
strcpy((char *)M,(const char *)szName);
M[l]=0;
for(i=0;i<l-2;i++){
t=M[i]*M[i+2]-M[i+1]-c;
c+=2;
iSum=iSum+t+3;
}
}

void CvtSN()
{
unsigned char i;
i='0';
szSN[1]=i;
szSN[0xa]=i;
szSN[0xc]=i;
i=iCheckNum&0xff;
szSN[0xe]=(i%9)+'A';
szSN[0x16]=(i%7)+'A';
szSN[0x17]='\0';
}

void KeyGen()
{
unsigned i,j,t,q,p,s,high,low;
iSum=0;
iCheckNum=0;
FillM();
CvtName();
s=iSum%0x100;
for(i=0,j=0;i<0x3c;i++){
high=i%4;
low=(i%0x20)>>1;
q=T[high][low];
high=((i+s)^q)%0x3b;
t=M[high];
high=((t+i)%0x12)%4;
low=((t+i)%0x12/*%0x20*/)>>1;
p=T[high][low]; //mod 12,then mod 20???
M[i]=((t^p)+t)^(M[i+1]<<1);
szSN[j++]=((i%5)&1)?M[i]%10+'0':M[i]%26+'A';
if(i%5==4)szSN[j++]='-';
if(i){
if((i<iStrLen)&&(j<iStrLen))iCheckNum+=szName[i-1]*szName[j];
}
}
CvtSN();
}

LRESULT CALLBACK MainProc(HWND hWnd,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
switch(uMsg)
{
case WM_COMMAND:
switch(wParam)
{
case IDC_GEN:
GetDlgItemText(hWnd,IDE_NAME,(char *)szName,0x39);
iStrLen=strlen((const char *)szName);
KeyGen();
SetDlgItemText(hWnd,IDE_SN,(char *)szSN);
break;
case IDC_EXIT:
EndDialog(hWnd,0);
break;
}
break;
default:
return FALSE;
}
return TRUE;
}


int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
hInst=hInstance;
ExitProcess(DialogBox(hInstance,(LPTSTR)IDD_DLGMAIN,0,(DLGPROC)MainProc));
return 0;
}

//----kg.h---------
#define IDD_DLGMAIN 1000
#define IDE_NAME 1001
#define IDE_SN 1002
#define IDC_GEN 1003
#define IDC_EXIT 1004
//----kg.rc--------
#include "Kg.h"
#include "resource.h"
#include "windows.h"

IDD_DLGMAIN DIALOGEX 0, 0, 180, 73
STYLE WS_POPUP | WS_CAPTION
CAPTION "Uedit10.00c Keygen by 5,555"
FONT 9, "細明體"
BEGIN
EDITTEXT IDE_NAME,48,11,116,12,NOT WS_BORDER,WS_EX_STATICEDGE
EDITTEXT IDE_SN,48,29,116,12,ES_AUTOHSCROLL | ES_READONLY | NOT
WS_BORDER,WS_EX_STATICEDGE
PUSHBUTTON "產生",IDC_GEN,11,52,42,16,0,WS_EX_STATICEDGE
PUSHBUTTON "退出",IDC_EXIT,78,52,42,16,0,WS_EX_STATICEDGE
RTEXT "註冊碼:",-1,8,31,31,8
RTEXT "用戶名:",-1,8,13,31,8
END
psac 目前離線  
送花文章: 3, 收花文章: 1611 篇, 收花: 3167 次
有 10 位會員向 psac 送花:
asnahu (2008-03-13),chungwen (2007-11-27),ddm5 (2008-11-12),gboy (2008-04-04),jotime (2009-11-02),kakao (2007-12-29),marshalb (2012-02-09),nather (2009-03-15),qdenise (2009-07-04),羅迪 (2009-05-06)
感謝您發表一篇好文章
舊 2003-12-11, 11:44 PM   #2 (permalink)
註冊會員
 
Dreamcast 的頭像
榮譽勳章
UID - 1198
在線等級: 級別:20 | 在線時長:504小時 | 升級還需:21小時級別:20 | 在線時長:504小時 | 升級還需:21小時級別:20 | 在線時長:504小時 | 升級還需:21小時級別:20 | 在線時長:504小時 | 升級還需:21小時級別:20 | 在線時長:504小時 | 升級還需:21小時
註冊日期: 2002-12-06
VIP期限: 2011-02
文章: 1253
精華: 0
現金: 58 金幣
資產: 149258 金幣
預設

寫文章的人好強.破解的人更強.
Dreamcast 目前離線  
送花文章: 81, 收花文章: 154 篇, 收花: 878 次
 


主題工具
顯示模式

發表規則
不可以發文
不可以回覆主題
不可以上傳附加檔案
不可以編輯您的文章

論壇啟用 BB 語法
論壇啟用 表情符號
論壇啟用 [IMG] 語法
論壇禁用 HTML 語法
Trackbacks are 禁用
Pingbacks are 禁用
Refbacks are 禁用

相似的主題
主題 主題作者 討論區 回覆 最後發表
偷梁換柱,罷免 Ultracompare,把 UltraEdit 與頂極比較軟體聯姻 psac Hacker/Cracker 及加解密技術文件 0 2004-08-25 11:24 AM
啟動光碟製作完全手冊 psac 應用軟體使用技術文件 3 2004-05-19 11:14 PM


所有時間均為台北時間。現在的時間是 11:05 PM


Powered by vBulletin® 版本 3.6.8
版權所有 ©2000 - 2017, Jelsoft Enterprises Ltd.


SEO by vBSEO 3.6.1