注册算法还是比较简单的。注册算法计算过程放在UTLib8***.dll中。注册函数名称为ImRegUserInfo::IsValidRegInfo_private
代码:
首先判断了注册码长度,为27h也就是39位
00476DF3 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88]
00476DF9 FF15 44064D00 call dword ptr [<&MFC71U.#2895_ATL>; GetLength,获取注册码长度
00476DFF 83F8 27 cmp eax, 27 ; 比较长度是否为27h位
00476E02 74 42 je short 00476E46
00476E04 C785 1CFFFFFF 0>mov dword ptr [ebp-E4], 0
代码:
然后取软件的信息
00476E9E 8B0D 182C4F00 mov ecx, dword ptr [g_Pref]
00476EA4 E8 07D0FFFF call ImAppPref::GetAppInfo
00476EA9 83C0 38 add eax, 38 //+38h,取00E161D0 UNICODE "Xilisoftvideotoaudioconverter5"
信息列表
00E16198 UNICODE "Xilisoft"
00E1619C UNICODE "Xilisoft Corporation"
00E161A0 UNICODE "http://www.xilisoft.com.cn"
00E161A4 UNICODE "Software\Xilisoft"
00E161A8 UNICODE "Xilisoft Video to Audio Converter"
00E161AC UNICODE "Video to Audio Converter"
00E161B0 UNICODE "x-video-to-audio-converter-standard"
00E161B4 UNICODE "Xilisoft Video to Audio Converter"
00E161B8 UNICODE "http://www.xilisoft.com.cn/video-to-audio-converter.html"
00E161BC UNICODE "http://www.xilisoft.com.cn/video-to-audio-converter.html"
00E161C0 UNICODE "Software\Xilisoft\Video to Audio Converter"
00E161C4 UNICODE "Software\Xilisoft\Video to Audio Converter\RegInfo"
00E161C8 UNICODE "Software\Xilisoft\Video to Audio Converter\Affiliate"
00E161CC UNICODE "Software\Xilisoft\Video to Audio Converter\Settings"
00E161D0 UNICODE "Xilisoftvideotoaudioconverter5"
00E161D4 UNICODE "support@xilisoft.com"
00E161D8 UNICODE "http://www.xilisoft.com.cn/support.html"
00E161DC UNICODE "Copyright (C) 2008 Xilisoft Corporation, ImTOO Software Studio"
00E161E0 MFC71U.7C32EA74
00E161E4 UNICODE "Software\Classes\CLSID\{9F51E651-A668-485d-82C7-4408D6403A98}"
00E161E8 UNICODE "https://online.xilisoft.com/ols.soap.php"
这里取出来的信息为
"Xilisoftvideotoaudioconverter5"
代码:
00476F4F C785 30FFFFFF 0>mov dword ptr [ebp-D0], 0
00476F59 EB 0F jmp short 00476F6A
00476F5B 8B8D 30FFFFFF mov ecx, dword ptr [ebp-D0]
00476F61 83C1 01 add ecx, 1
00476F64 898D 30FFFFFF mov dword ptr [ebp-D0], ecx
00476F6A 8D4D E0 lea ecx, dword ptr [ebp-20] ; "Xilisoftvideotoaudioconverter5"
00476F6D FF15 7C034D00 call dword ptr [<&MFC71U.#2896_ATL>; GetLength
00476F73 3985 30FFFFFF cmp dword ptr [ebp-D0], eax
00476F79 7D 6E jge short 00476FE9
00476F7B 8B95 30FFFFFF mov edx, dword ptr [ebp-D0]
00476F81 81E2 01000080 and edx, 80000001
00476F87 79 05 jns short 00476F8E
00476F89 4A dec edx
00476F8A 83CA FE or edx, FFFFFFFE
00476F8D 42 inc edx
00476F8E 85D2 test edx, edx
00476F90 75 52 jnz short 00476FE4
00476F92 8B85 30FFFFFF mov eax, dword ptr [ebp-D0]
00476F98 50 push eax
00476F99 8D4D E0 lea ecx, dword ptr [ebp-20]
00476F9C FF15 78034D00 call dword ptr [<&MFC71U.#861_ATL:>; []
00476FA2 50 push eax
00476FA3 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00476FA9 FF15 74034D00 call dword ptr [<&MFC71U.#904_ATL:>; +=
00476FAF 8B85 30FFFFFF mov eax, dword ptr [ebp-D0]
00476FB5 83C0 01 add eax, 1
00476FB8 99 cdq
00476FB9 B9 FF000000 mov ecx, 0FF
00476FBE F7F9 idiv ecx
00476FC0 8895 2FFFFFFF mov byte ptr [ebp-D1], dl
00476FC6 0FBE95 2FFFFFFF movsx edx, byte ptr [ebp-D1]
00476FCD 85D2 test edx, edx
00476FCF 74 13 je short 00476FE4
00476FD1 8A85 2FFFFFFF mov al, byte ptr [ebp-D1]
00476FD7 50 push eax
00476FD8 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00476FDE FF15 74034D00 call dword ptr [<&MFC71U.#904_ATL:>; MFC71U.7C29B289
00476FE4 ^ E9 72FFFFFF jmp 00476F5B
这段代码是取"Xilisoftvideotoaudioconverter5" 这个字符串的偶数位并且连接起来,中间插入了字符的序号。
执行完结果如下
01148D70 58 01 6C 03 73 05 66 07 76 09 64 0B 6F 0D 6F 0F Xlsfv.do.o
01148D80 75 11 69 13 63 15 6E 17 65 19 74 1B 72 1D 00 01 uicnetr.
代码:
00476FE9 C785 30FFFFFF 0>mov dword ptr [ebp-D0], 0
00476FF3 EB 0F jmp short 00477004
00476FF5 8B8D 30FFFFFF mov ecx, dword ptr [ebp-D0]
00476FFB 83C1 01 add ecx, 1
00476FFE 898D 30FFFFFF mov dword ptr [ebp-D0], ecx
00477004 8D4D E0 lea ecx, dword ptr [ebp-20]
00477007 FF15 7C034D00 call dword ptr [<&MFC71U.#2896_ATL>; GetLength
0047700D 3985 30FFFFFF cmp dword ptr [ebp-D0], eax
00477013 7D 6E jge short 00477083
00477015 8B95 30FFFFFF mov edx, dword ptr [ebp-D0]
0047701B 81E2 01000080 and edx, 80000001
00477021 79 05 jns short 00477028
00477023 4A dec edx
00477024 83CA FE or edx, FFFFFFFE
00477027 42 inc edx
00477028 85D2 test edx, edx
0047702A 74 52 je short 0047707E
0047702C 8B85 30FFFFFF mov eax, dword ptr [ebp-D0]
00477032 50 push eax
00477033 8D4D E0 lea ecx, dword ptr [ebp-20]
00477036 FF15 78034D00 call dword ptr [<&MFC71U.#861_ATL:>; []
0047703C 50 push eax
0047703D 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00477043 FF15 74034D00 call dword ptr [<&MFC71U.#904_ATL:>; +=
00477049 8B85 30FFFFFF mov eax, dword ptr [ebp-D0]
0047704F 83C0 01 add eax, 1
00477052 99 cdq
00477053 B9 FF000000 mov ecx, 0FF
00477058 F7F9 idiv ecx
0047705A 8895 2EFFFFFF mov byte ptr [ebp-D2], dl
00477060 0FBE95 2EFFFFFF movsx edx, byte ptr [ebp-D2]
00477067 85D2 test edx, edx
00477069 74 13 je short 0047707E
0047706B 8A85 2EFFFFFF mov al, byte ptr [ebp-D2]
00477071 50 push eax
00477072 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00477078 FF15 74034D00 call dword ptr [<&MFC71U.#904_ATL:>; MFC71U.7C29B289
0047707E ^ E9 72FFFFFF jmp 00476FF5
这段代码处理的是奇数位,与上面那段类似。结果如下
01148D90 69 04 6F 06 74 08 69 0A 65 0C 74 0E 61 10 64 12 ioti.e.tad
01148DA0 6F 14 6F 16 76 18 72 1A 65 1C 35 1E oovre5
这个处理结果放到上面那个结果下面,连接在一起
代码:
00477089 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
0047708F FF15 70034D00 call dword ptr [<&MFC71U.#781_ATL:>; MFC71U.7C29B0D9
00477095 8D4D D8 lea ecx, dword ptr [ebp-28]
00477098 FF15 68054D00 call dword ptr [<&MFC71U.#310_ATL:>; MFC71U.7C274E6D
0047709E C645 FC 0A mov byte ptr [ebp-4], 0A
004770A2 8B95 7CFFFFFF mov edx, dword ptr [ebp-84]
004770A8 52 push edx
004770A9 68 BC254D00 push 004D25BC ; ASCII "%d"
004770AE 8D45 D8 lea eax, dword ptr [ebp-28]
004770B1 50 push eax
004770B2 FF15 34034D00 call dword ptr [<&MFC71U.#2313_ATL>; Format
004770B8 83C4 0C add esp, 0C
004770BB 8D4D D8 lea ecx, dword ptr [ebp-28]
004770BE FF15 5C054D00 call dword ptr [<&MFC71U.#872_ATL:>; *
004770C4 50 push eax
004770C5 6A 00 push 0
004770C7 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
004770CD FF15 6C034D00 call dword ptr [<&MFC71U.#3844_ATL>; Insert
004770D3 8D4D EC lea ecx, dword ptr [ebp-14]
004770D6 FF15 68054D00 call dword ptr [<&MFC71U.#310_ATL:>; CString
004770DC C645 FC 0B mov byte ptr [ebp-4], 0B
004770E0 8D4D F0 lea ecx, dword ptr [ebp-10]
004770E3 FF15 68054D00 call dword ptr [<&MFC71U.#310_ATL:>; CString
004770E9 C645 FC 0C mov byte ptr [ebp-4], 0C
004770ED 6A 00 push 0
004770EF 68 C0254D00 push 004D25C0 ; ASCII "%d"
004770F4 8D4D EC lea ecx, dword ptr [ebp-14]
004770F7 51 push ecx
004770F8 FF15 34034D00 call dword ptr [<&MFC71U.#2313_ATL>; Format
004770FE 83C4 0C add esp, 0C
00477101 6A 00 push 0
00477103 68 C4254D00 push 004D25C4 ; ASCII "%d"
00477108 8D55 F0 lea edx, dword ptr [ebp-10]
0047710B 52 push edx
0047710C FF15 34034D00 call dword ptr [<&MFC71U.#2313_ATL>; Format
00477112 83C4 0C add esp, 0C
00477115 8D45 F0 lea eax, dword ptr [ebp-10]
00477118 50 push eax
00477119 8D4D EC lea ecx, dword ptr [ebp-14]
0047711C 51 push ecx
0047711D 8D95 14FFFFFF lea edx, dword ptr [ebp-EC]
00477123 52 push edx
00477124 E8 B7330000 call 0047A4E0
00477129 83C4 0C add esp, 0C
0047712C 8985 FCFEFFFF mov dword ptr [ebp-104], eax
00477132 8B85 FCFEFFFF mov eax, dword ptr [ebp-104]
00477138 8985 F8FEFFFF mov dword ptr [ebp-108], eax
0047713E C645 FC 0D mov byte ptr [ebp-4], 0D
00477142 8B8D F8FEFFFF mov ecx, dword ptr [ebp-108]
00477148 51 push ecx
00477149 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
0047714F FF15 30034D00 call dword ptr [<&MFC71U.#903_ATL:>; MFC71U.7C29B383
在上面结果前面插入'1',后面接上两个'0'
代码:
004771F0 8D55 84 lea edx, dword ptr [ebp-7C]
004771F3 52 push edx ; str2
004771F4 8D45 DC lea eax, dword ptr [ebp-24]
004771F7 50 push eax ; str1
004771F8 8D8D 10FFFFFF lea ecx, dword ptr [ebp-F0]
004771FE 51 push ecx ; pOutBuf
004771FF E8 DC320000 call 0047A4E0 ; 将两个字符串连接起来
0012F744 ASCII "ZXQMLZRLJBTTDMEGJUGJ"
0012F748 ASCII "Xilisoftvideotoaudioconverter5"
ZXQMLZRLJBTTDMEGJUGJ为输入的注册码的前20位,与Xilisoftvideotoaudioconverter5连接起来后字符串为
"ZXQMLZRLJBTTDMEGJUGJXilisoftvideotoaudioconverter5"
之后将这个字符串连接到前面形成的串上
01148EB0 31 58 01 6C 03 73 05 66 07 76 09 64 0B 6F 0D 6F 1Xlsfv.do.o
01148EC0 0F 75 11 69 13 63 15 6E 17 65 19 74 1B 72 1D 69 uicnetri
01148ED0 02 69 04 6F 06 74 08 69 0A 65 0C 74 0E 61 10 64 ioti.e.tad
01148EE0 12 6F 14 6F 16 76 18 72 1A 65 1C 35 1E 30 30 5A oovre500Z
01148EF0 58 51 4D 4C 5A 52 4C 4A 42 54 54 44 4D 45 47 4A XQMLZRLJBTTDMEGJ
01148F00 55 47 4A 58 69 6C 69 73 6F 66 74 76 69 64 65 6F UGJXilisoftvideo
01148F10 74 6F 61 75 64 69 6F 63 6F 6E 76 65 72 74 65 72 toaudioconverter
01148F20 35 00 5.
代码:
接下来是一个函数,跟进去看到这里
004BD080 55 push ebp
004BD081 8BEC mov ebp, esp
004BD083 8B45 08 mov eax, dword ptr [ebp+8]
004BD086 C740 14 0000000>mov dword ptr [eax+14], 0
004BD08D 8B4D 08 mov ecx, dword ptr [ebp+8]
004BD090 C741 10 0000000>mov dword ptr [ecx+10], 0
004BD097 8B55 08 mov edx, dword ptr [ebp+8]
004BD09A C702 01234567 mov dword ptr [edx], 67452301
004BD0A0 8B45 08 mov eax, dword ptr [ebp+8]
004BD0A3 C740 04 89ABCDE>mov dword ptr [eax+4], EFCDAB89
004BD0AA 8B4D 08 mov ecx, dword ptr [ebp+8]
004BD0AD C741 08 FEDCBA9>mov dword ptr [ecx+8], 98BADCFE
004BD0B4 8B55 08 mov edx, dword ptr [ebp+8]
004BD0B7 C742 0C 7654321>mov dword ptr [edx+C], 10325476
004BD0BE 5D pop ebp
004BD0BF C3 retn
明眼的人一看就知道是MD5算法:67452301、EFCDAB89、98BADCFE、10325476这四个常量正是MD5的初始链接值(MD4也使用同样的四个初始值,严格来说还要结合后面的轮函数才能最终确认)
所以下面这段代码便是对上面的串取MD5了
0047724C 50 push eax
0047724D 8D4D 90 lea ecx, dword ptr [ebp-70]
00477250 E8 CB570400 call 004BCA20 ; 取MD5
00477255 C645 FC 12 mov byte ptr [ebp-4], 12
00477259 8D4D 90 lea ecx, dword ptr [ebp-70]
0047725C E8 2F580400 call 004BCA90 ; MD5?
MD5结果为(注意:下面这一行只有28个十六进制字符,而完整的MD5摘要应为32个,开头部分疑似在转贴时丢失)
ff94d22f565336afadd4200a61ad
代码:
接下来这段代码是对MD5结果取偶数位并连接
0047737B 8B95 28FFFFFF mov edx, dword ptr [ebp-D8]
00477381 83C2 02 add edx, 2
00477384 8995 28FFFFFF mov dword ptr [ebp-D8], edx
0047738A 83BD 28FFFFFF 2>cmp dword ptr [ebp-D8], 20
00477391 7D 4E jge short 004773E1
00477393 8B85 28FFFFFF mov eax, dword ptr [ebp-D8]
00477399 50 push eax
0047739A 8D4D E4 lea ecx, dword ptr [ebp-1C]
0047739D FF15 78034D00 call dword ptr [<&MFC71U.#861_ATL:>; MFC71U.7C29986D
004773A3 50 push eax
004773A4 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
004773AA FF15 74034D00 call dword ptr [<&MFC71U.#904_ATL:>; MFC71U.7C29B289
004773B0 8B85 28FFFFFF mov eax, dword ptr [ebp-D8]
004773B6 99 cdq
004773B7 2BC2 sub eax, edx
004773B9 D1F8 sar eax, 1
004773BB 83C0 01 add eax, 1
004773BE 25 03000080 and eax, 80000003
004773C3 79 05 jns short 004773CA
004773C5 48 dec eax
004773C6 83C8 FC or eax, FFFFFFFC
004773C9 40 inc eax
004773CA 85C0 test eax, eax
004773CC 75 11 jnz short 004773DF
004773CE 68 D4254D00 push 004D25D4
004773D3 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
004773D9 FF15 50034D00 call dword ptr [<&MFC71U.#907_ATL:>; MFC71U.7C29B867
004773DF ^ EB 9A jmp short 0047737B
处理后结果
"03f9-d255-3aad-206a-"
代码:
后面这段代码是将注册码的前20位和这个md5处理的结果连接起来形成注册码
004773F5 FF15 7C034D00 call dword ptr [<&MFC71U.#2896_ATL>; MFC71U.7C256550
004773FB 83E8 01 sub eax, 1
004773FE 50 push eax
004773FF 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00477405 FF15 4C034D00 call dword ptr [<&MFC71U.#1907_ATL>; MFC71U.7C299932
0047740B 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047740E FF15 5C054D00 call dword ptr [<&MFC71U.#872_ATL:>; MFC71U.7C268F59
00477414 50 push eax
00477415 6A 00 push 0
00477417 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
0047741D FF15 6C034D00 call dword ptr [<&MFC71U.#3844_ATL>; Insert
00477423 8D4D E8 lea ecx, dword ptr [ebp-18]
00477426 51 push ecx
"ZXQMLZRLJBTTDMEGJUGJ03F9-D255-3AAD-206A"
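到此注册码校验过程就结束了,非常之简单。之所以简单,是因为本文看到的这段校验只用到了程序里固定的产品标识串和用户输入的前20位,再做一次不带密钥的MD5,其中没有任何只有厂商才掌握的秘密,因此整个计算可以在客户端之外被完整复现。从防护角度看,授权校验应改用非对称签名(客户端只内置公钥、私钥留在厂商一侧)或服务器端激活。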
写个简单的注册算法
代码:
// Stand-alone re-implementation of the registration computation walked through
// in the disassembly above: build a byte buffer from a fixed identifier string,
// append a 20-character prefix and the identifier again, hash the buffer with
// MD5, and derive the dash-separated tail from the digest.
// Every input here is either a constant in this file or generated locally; no
// secret key takes part in the computation.
// argc / argv are not used. Always returns 0.
int _tmain(int argc, _TCHAR* argv[])
{
int i = 0;
int j = 0;
int n = 0;
// Fixed identifier string that is interleaved into the buffer and appended again later.
char szVersion[] = "Xilisoftvideoconverterstandard5";
// Working buffer whose first n bytes are hashed below.
BYTE byBuf[500] = {0};
// Output string: 20-character prefix followed by the digest-derived tail.
char szSN[100] = {0};
// Receives the raw digest written by MD5Final.
char szMD5[20] = {0};
// Even positions: copy each even-indexed character, followed by a byte holding i + 1.
for (i = 0; i < strlen(szVersion); i += 2)
{
byBuf[1 + i] = szVersion[i];
byBuf[2 + i] = i + 1;
}
// Odd positions: copy szVersion[j + 1], followed by a byte holding j + 2,
// written after the region filled by the first loop (offset by the final i).
for (j = 0; j < strlen(szVersion) + 1; j += 2)
{
byBuf[1 + j + i] = szVersion[j + 1];
byBuf[2 + j + i] = j + 2;
}
// Leading ASCII '1' at offset 0.
byBuf[0] = 0x31;
// Two ASCII '0' bytes at offsets i + j - 1 and i + j.
byBuf[i + j - 1] = 0x30;
byBuf[i + j] = 0x30;
// n is the number of buffer bytes filled so far.
n = i + j + 1;
// Seed the C library generator from the tick count and fill the 20-character prefix.
srand(GetTickCount());
for (i = 0; i < 20; i++)
{
szSN[i] = 'A' + rand() % 26; // any characters would do; uppercase letters are chosen here
}
// szSN was zero-initialised and holds 20 letters, so strlen(szSN) is 20 here.
memcpy(byBuf + n, szSN, strlen(szSN));
n += 20;
// Append the identifier string once more, without its terminator.
memcpy(byBuf + n, szVersion, strlen(szVersion));
n += strlen(szVersion);
// MD5_CTX, MD5Init, MD5Update and MD5Final are declared outside this listing.
MD5_CTX ctx;
MD5Init(&ctx);
MD5Update(&ctx, byBuf, n);
MD5Final((BYTE *)szMD5, &ctx);
// sztmp holds one byte formatted as hex; sztmp2 collects the grouped output.
char sztmp[10] = {0};
char sztmp2[20] = {0};
// The loop bound is strlen(szMD5), i.e. the digest bytes are treated as a
// NUL-terminated string. For each byte only the first of its two uppercase
// hex digits is kept.
for (i = 0, j = 0; i < strlen(szMD5); i++, j++)
{
memset(sztmp, 0, sizeof(sztmp));
sprintf(sztmp, "%02X", BYTE(szMD5[i]));
sztmp2[j] = sztmp[0];
// After every fourth kept digit, advance j and insert a '-' separator.
if (j % 5 == 3)
{
j++;
sztmp2[j] = '-';
}
}
// Copy 19 characters of the grouped output directly after the 20-character prefix.
memcpy(szSN + 20, sztmp2, 19);
printf("%s\n", szSN);
// Runs the shell's "pause" command so the console window stays open.
system("pause");
return 0;
}