本文深入探讨了软件注册码验证的内部实现细节,通过逆向工程解析了一个具体案例中的注册码生成逻辑。从汇编代码层面揭示了如何验证注册码的有效性,并提供了一段Delphi源码作为注册机的实现,帮助读者理解整个过程。
提示注册号无效,可以再OD里轻易的找到字符串并设置断点,来看程序的主要算法
00402C70 /$ 6A FF push -1
00402C72 |. 68 E8364200 push MSN_多开.004236E8 ; SE 处理程序安装
00402C77 |. 64:A1 0000000>mov eax, fs:[0]
00402C7D |. 50 push eax
00402C7E |. 64:8925 00000>mov fs:[0], esp
00402C85 |. 83EC 18 sub esp, 18
00402C88 |. 53 push ebx
00402C89 |. 8B4C24 2C mov ecx, [esp+2C]
00402C8D |. 33C0 xor eax, eax
00402C8F |. 894424 05 mov [esp+5], eax
00402C93 |. 33DB xor ebx, ebx
00402C95 |. 66:894424 09 mov [esp+9], ax
00402C9A |. 895C24 24 mov [esp+24], ebx
00402C9E |. 884424 0B mov [esp+B], al
00402CA2 |. 8B41 F8 mov eax, [ecx-8]
00402CA5 |. 83F8 10 cmp eax, 10
00402CA8 |. 885C24 04 mov [esp+4], bl
00402CAC |. 0F8C C0000000 jl MSN_多开.00402D72
00402CB2 |. 56 push esi
00402CB3 |. 68 04010000 push 104
00402CB8 |. 8D4C24 34 lea ecx, [esp+34] ; 取注册码地址到ecx
00402CBC |. E8 768B0100 call MSN_多开.0041B837
00402CC1 |. 8B10 mov edx, [eax]
00402CC3 |. 33F6 xor esi, esi
00402CC5 |. 895424 10 mov [esp+10], edx ; 注册码放入堆栈
00402CC9 |. 8B48 04 mov ecx, [eax+4]
00402CCC |. 894C24 14 mov [esp+14], ecx
00402CD0 |. 8B50 08 mov edx, [eax+8]
00402CD3 |. 895424 18 mov [esp+18], edx
00402CD7 |. 8B40 0C mov eax, [eax+C]
00402CDA |. 894424 1C mov [esp+1C], eax
00402CDE |> 8A4C34 10 /mov cl, [esp+esi+10]
00402CE2 |. 51 |push ecx
00402CE3 |. E8 68FFFFFF |call MSN_多开.00402C50
00402CE8 |. 83C4 04 |add esp, 4
00402CEB |. 884434 10 |mov [esp+esi+10], al
00402CEF |. 46 |inc esi
00402CF0 |. 83FE 10 |cmp esi, 10
00402CF3 |.^ 7C E9 /jl short MSN_多开.00402CDE
00402CF5 |. 33C0 xor eax, eax
00402CF7 |. 8D4C24 10 lea ecx, [esp+10] ; call运算后的码
00402CFB |. 5E pop esi
00402CFC |> 8A51 01 /mov dl, [ecx+1] ; s(i+1)
00402CFF |. 8A19 |mov bl, [ecx] ; s(i)
00402D01 |. C0E2 04 |shl dl, 4 ; s(i+1)<<4
00402D04 |. 02D3 |add dl, bl ; dl=s(i+1)<<4+s(i)
00402D06 |. 83C1 02 |add ecx, 2
00402D09 |. 885404 04 |mov [esp+eax+4], dl
00402D0D |. 40 |inc eax
00402D0E |. 83F8 08 |cmp eax, 8
00402D11 |.^ 7C E9 /jl short MSN_多开.00402CFC
00402D13 |. 8A4424 07 mov al, [esp+7]
00402D17 |. 8A5C24 04 mov bl, [esp+4]
00402D1B |. 8A4C24 0B mov cl, [esp+B]
00402D1F |. 8A5424 05 mov dl, [esp+5]
00402D23 |. 32C3 xor al, bl
00402D25 |. 8A5C24 06 mov bl, [esp+6]
00402D29 |. 32CA xor cl, dl
00402D2B |. 8A5424 09 mov dl, [esp+9]
00402D2F |. 32D3 xor dl, bl
00402D31 |. 8A5C24 08 mov bl, [esp+8]
00402D35 |. 325C24 0A xor bl, [esp+A]
00402D39 |. 3C 38 cmp al, 38
00402D3B |. 75 35 jnz short MSN_多开.00402D72
00402D3D |. 80F9 78 cmp cl, 78
00402D40 |. 75 30 jnz short MSN_多开.00402D72
00402D42 |. 80FA 4E cmp dl, 4E
00402D45 |. 75 2B jnz short MSN_多开.00402D72
00402D47 |. 80FB 1A cmp bl, 1A
00402D4A |. 75 26 jnz short MSN_多开.00402D72
00402D4C |. 8D4C24 2C lea ecx, [esp+2C]
00402D50 |. C74424 24 FFF>mov dword ptr [esp+24], -1
00402D58 |. E8 03870100 call MSN_多开.0041B460
00402D5D |. B8 01000000 mov eax, 1
00402D62 |. 5B pop ebx
00402D63 |. 8B4C24 18 mov ecx, [esp+18]
00402D67 |. 64:890D 00000>mov fs:[0], ecx
00402D6E |. 83C4 24 add esp, 24
00402D71 |. C3 retn
00402D72 |> 8D4C24 2C lea ecx, [esp+2C]
00402D76 |. C74424 24 FFF>mov dword ptr [esp+24], -1
00402D7E |. E8 DD860100 call MSN_多开.0041B460
00402D83 |. 8B4C24 1C mov ecx, [esp+1C]
00402D87 |. 33C0 xor eax, eax
00402D89 |. 5B pop ebx
00402D8A |. 64:890D 00000>mov fs:[0], ecx
00402D91 |. 83C4 24 add esp, 24
00402D94 /. C3 retn
注册机:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
type
TForm1 = class(TForm)
edt1: TEdit;
lbl1: TLabel;
lbl2: TLabel;
edt2: TEdit;
btn1: TButton;
procedure btn1Click(Sender: TObject);
private
function keygen(rand:string):string;
function strtohex(str:char):LongWord;
function hextostr(hex:Integer):string;
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
procedure TForm1.btn1Click(Sender: TObject);
var rand:string;
sn:string;
begin
//
rand:=UpperCase(edt1.Text);
if (Length(rand)<8) or (Length(rand)>8) then
begin
Application.MessageBox('8λ¾Í¹»ÁË','Ìáʾ',MB_ICONERROR+MB_OK);
Exit;
end;
sn:=keygen(rand);
edt2.Text:= sn;
end;
function TForm1.keygen(rand:string):string;
var
sn:string;
X1,X2,X3,X7_8,X5,X11_12,X13_14,X15_16:Integer;
s7,s8,s11,s12,s13,s14,s15,s16:string;
begin
try
X1:=strtohex(Rand[2])*16 + strtohex(rand[1]);
X2:=strtohex(Rand[4])*16 + strtohex(rand[3]);
X3:=strtohex(Rand[6])*16 + strtohex(rand[5]);
X5:=strtohex(Rand[8])*16 + strtohex(rand[7]);
except on E:Exception do
begin
Application.MessageBox(PChar(E.Message),'´íÎó',MB_OK+MB_ICONERROR);
exit;
end;
end;
X7_8:=$38 xor X1;
X11_12:=$4E xor X3;
X13_14:=$1a xor X5;
X15_16:=$78 xor X2;
s8:= hextostr(Trunc (X7_8/16));
s7:= hextostr(X7_8-Trunc(X7_8/16)*16);
s12:= hextostr(Trunc (X11_12/16));
s11:= hextostr(X11_12-Trunc (X11_12/16)*16);
s14:= hextostr(Trunc (X13_14/16));
s13:= hextostr(X13_14-Trunc (X13_14/16)*16);
s16:= hextostr(Trunc (X15_16/16));
s15:= hextostr(X15_16-Trunc (X15_16/16)*16);
sn:=Copy(rand,1,6)+s7+s8+rand[7]+rand[8]+s11+s12+s13+s14+s15+s16 ;
result:= sn;
end;
function TForm1.strtohex(str: char): LongWord;
begin
if (Ord(str)>= $30) and (Ord(str)<=$39) then
begin
Result:= Ord(str)-$30;
Exit;
end;
if (Ord(str)>=$41) and (Ord(str)<=$46) then
begin
Result:= Ord(str)-$37;
Exit;
end;
raise Exception.Create('±ØÐëÊÇA-F£¬0-9Ö®¼äµÄ×Ö·û');
end;
function TForm1.hextostr(hex: Integer): string;
begin
if (hex>=0) and (hex<=9) then
begin
Result:=Char(hex+$30);
Exit;
end;
if (hex>=$A) and (hex<=$F) then
begin
Result:=Char(hex+$37);
Exit;
end;
Result:='';
end;
end.
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
