考无忧2017实战破解+注册机
考无忧2017是用 Delphi XE2 写的，所以还是习惯性地用 IDR 做分析。其中涉及注册码算法的部分，我用 OD 做了跟踪，并写了注释，方便大家理解。
首先，按照原帖的方法，断网后注册会转入离线注册。这里需要输入的内容如下图：
考生名字,手机号,邮箱等都是随意输的,软件也没有做合法性的判断。
注册码一定要输入25位,不符合条件软件会给出相应的提示。
注册科目是软件主动填好的,因为我下载的是winxp的卷子,所以这儿的科目即是winxp。
机器码也是软件主动填好的。
剩余的工作即是咱们自己输入离线注册码了。
在 IDR 中查看离线注册按钮的点击事件（BitmapButton5Click）。
// TregisterForm.BitmapButton5Click -- click handler of the "offline registration" button.
// Delphi XE2, x86-32, Delphi register convention (eax/edx/ecx carry the first three
// arguments; for methods eax is Self). Bracketed memory operands were stripped by the dump.
// Flow as visible below:
//   1. normalise Edit6 (the offline key): drop spaces, map o/O to 0, map several
//      dash-like characters to '-', then TZhou.sbctoDbc + AnsiUpperCase, SetText back.
//   2. empty text -> MessageBox, focus Edit6, leave.
//   3. call sub_00892D40 (the key check); it reports through global gvar_00A343D4.
//   4. gvar_00A343D4 == 1 -> five 'update user set <col>=' statements built by string
//      concatenation from Edit6/Edit1/Edit2/Edit4/Edit5, a MessageBox, clearTryHistroy,
//      WinExec('start.exe') and Application.Terminate.
//   5. otherwise -> MessageBox, focus Edit6.
// NOTE(review): the whole decision is one global compared with 1 at 00893C82 followed by
//   a jne; patching that branch (or the global) bypasses the check without touching
//   the hash at all.
// NOTE(review): the SQL text is concatenated from user-controlled edit fields; whether
//   the unnamed helper 0043121C quotes/escapes its argument is not visible here -- verify
//   before assuming these statements are injection-safe.
// NOTE(review): WinExec('start.exe', 1) at 00893E16 passes a bare file name, so the
//   executable is resolved via the WinExec search order rather than a fixed directory.
register.TregisterForm.BitmapButton5Click
00893A00 push ebp
00893A01 mov ebp,esp
00893A03 mov ecx,11 // 0x11 = 17 rounds of two zero pushes: zero-initialises the local string slots
00893A08 push 0
00893A0A push 0
00893A0C dec ecx
00893A0D> jne 00893A08
00893A0F push ecx
00893A10 push ebx
00893A11 mov ebx,eax // ebx = Self (eax on entry)
00893A13 xor eax,eax
00893A15 push ebp
00893A16 push 893EFB // try/finally frame; 00893EFB is the finally handler
00893A1B push dword ptr fs:
00893A1E mov dword ptr fs:,esp
// --- normalisation of the offline key. Each round calls
// StringReplace(eax=S, edx=OldPattern, ecx=NewPattern, flags on stack) and stores the
// result in the local whose address was pushed first.
// NOTE(review): every round re-reads Edit6 with GetText rather than the previous round's
//   result, and nothing is written back until SetText at 00893C39; if the stripped
//   operands confirm that, only the last replacement (00893BFA) actually reaches
//   sbctoDbc -- check in the binary.
00893A21 movzx eax,byte ptr ds:;0x1 gvar_00893F0C // flags byte (0x1, presumably [rfReplaceAll])
00893A28 push eax
00893A29 lea eax, // address of the result local
00893A2C push eax
00893A2D lea edx, // GetText(eax=control, edx=@result)
00893A30 mov eax,dword ptr ;TregisterForm.Edit6:TEdit // Edit6 holds the offline key typed by the user
00893A36 call TControl.GetText
00893A3B mov eax,dword ptr
00893A3E xor ecx,ecx // NewPattern = '' (nil)
00893A40 mov edx,893F1C;' '
00893A45 call StringReplace // ' ' -> '' (drop ASCII spaces)
00893A4A movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893A51 push eax
00893A52 lea eax,
00893A55 push eax
00893A56 lea edx,
00893A59 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893A5F call TControl.GetText
00893A64 mov eax,dword ptr
00893A67 xor ecx,ecx
00893A69 mov edx,893F2C;' '
00893A6E call StringReplace // full-width space -> '' (literal at 893F2C, per the author)
00893A73 movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893A7A push eax
00893A7B lea eax,
00893A7E push eax
00893A7F lea edx,
00893A82 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893A88 call TControl.GetText
00893A8D mov eax,dword ptr
00893A90 mov ecx,893F3C;'0'
00893A95 mov edx,893F4C;'o'
00893A9A call StringReplace // 'o' -> '0'
00893A9F movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893AA6 push eax
00893AA7 lea eax,
00893AAA push eax
00893AAB lea edx,
00893AAE mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893AB4 call TControl.GetText
00893AB9 mov eax,dword ptr
00893ABC mov ecx,893F3C;'0'
00893AC1 mov edx,893F5C;'o'
00893AC6 call StringReplace // full-width 'o' -> '0' (literal at 893F5C, per the author)
00893ACB movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893AD2 push eax
00893AD3 lea eax,
00893AD6 push eax
00893AD7 lea edx,
00893ADA mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893AE0 call TControl.GetText
00893AE5 mov eax,dword ptr
00893AE8 mov ecx,893F3C;'0'
00893AED mov edx,893F6C;'O'
00893AF2 call StringReplace // 'O' -> '0'
00893AF7 movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893AFE push eax
00893AFF lea eax,
00893B02 push eax
00893B03 lea edx,
00893B06 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893B0C call TControl.GetText
00893B11 mov eax,dword ptr
00893B14 mov ecx,893F3C;'0'
00893B19 mov edx,893F7C;'O'
00893B1E call StringReplace // full-width 'O' -> '0' (literal at 893F7C, per the author)
00893B23 movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893B2A push eax
00893B2B lea eax,
00893B2E push eax
00893B2F lea edx,
00893B32 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893B38 call TControl.GetText
00893B3D mov eax,dword ptr
00893B40 mov ecx,893F8C;'-'
00893B45 mov edx,893F9C;'_'
00893B4A call StringReplace // '_' -> '-'
00893B4F movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893B56 push eax
00893B57 lea eax,
00893B5A push eax
00893B5B lea edx,
00893B5E mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893B64 call TControl.GetText
00893B69 mov eax,dword ptr
00893B6C mov ecx,893F8C;'-'
00893B71 mov edx,893FAC;'——' // OldPattern = em-dash pair
00893B76 call StringReplace // '——' -> '-'
00893B7B movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893B82 push eax
00893B83 lea eax,
00893B86 push eax
00893B87 lea edx,
00893B8A mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893B90 call TControl.GetText
00893B95 mov eax,dword ptr
00893B98 mov ecx,893F8C;'-'
00893B9D mov edx,893FC0;'—' // OldPattern = single em-dash
00893BA2 call StringReplace // '—' -> '-'
00893BA7 movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893BAE push eax
00893BAF lea eax,
00893BB2 push eax
00893BB3 lea edx,
00893BB6 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893BBC call TControl.GetText
00893BC1 mov eax,dword ptr
00893BC4 mov ecx,893F8C;'-'
00893BC9 mov edx,893FD0;'-' // OldPattern = full-width minus (literal at 893FD0, per the author)
00893BCE call StringReplace // full-width '-' -> '-'
00893BD3 movzx eax,byte ptr ds:;0x1 gvar_00893F0C
00893BDA push eax
00893BDB lea eax,
00893BDE push eax
00893BDF lea edx,
00893BE2 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893BE8 call TControl.GetText
00893BED mov eax,dword ptr
00893BF0 mov ecx,893F8C;'-'
00893BF5 mov edx,893FE0;'_'
00893BFA call StringReplace // second underscore-like literal (893FE0, per the author) -> '-'
// --- final normalisation: sbctoDbc, upper-case, write back into Edit6
00893BFF lea ecx, // @result for sbctoDbc
00893C02 mov edx,dword ptr // input string (a local; which one is hidden by the stripped operand)
00893C05 mov eax,;TZhou
00893C0A call TZhou.sbctoDbc // TZhou.sbctoDbc(edx) -> [ecx]; the author reads the name as full-width -> half-width (not verified here)
00893C0F mov edx,dword ptr
00893C12 lea eax,
00893C15 call @UStrLAsg // local := result
00893C1A lea edx,
00893C1D mov eax,dword ptr
00893C20 call AnsiUpperCase
00893C25 mov edx,dword ptr
00893C28 lea eax,
00893C2B call @UStrLAsg
00893C30 mov edx,dword ptr
00893C33 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893C39 call TControl.SetText // Edit6.Text := normalised key
// --- empty-key guard
00893C3E lea edx,
00893C41 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893C47 call TControl.GetText
00893C4C cmp dword ptr ,0 // empty UnicodeString is a nil pointer
00893C50> jne 00893C7D
00893C52 push 0 // Flags = 0
00893C54 mov ecx,893FE4 // caption (same literal for all three MessageBox calls below)
00893C59 mov edx,893FF0 // message text
00893C5E mov eax,;^Application:TApplication
00893C63 mov eax,dword ptr
00893C65 call TApplication.MessageBox
00893C6A mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893C70 mov edx,dword ptr
00893C72 call dword ptr ;TWinControl.SetFocus
00893C78> jmp 00893E54 // -> epilogue
// --- the key check
00893C7D call 00892D40 // sub_00892D40: the key check; it sets gvar_00A343D4 to 1 on match, 0 otherwise
// Why this is the check: (1) the call is immediately followed by a compare-and-branch;
// (2) the branch target lies in this same routine, so this must be where the key is decided.
00893C82 cmp dword ptr ds:,1;gvar_00A343D4
00893C89> jne 00893E2E // mismatch -> failure MessageBox
// --- success: persist the five fields into table 'user'. Each statement is
// 'update user set <col>=' + <0043121C(field)> via @UStrCat3(eax=@dest, edx=S1, ecx=S2).
00893C8F lea edx,
00893C92 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893C98 call TControl.GetText
00893C9D mov eax,dword ptr
00893CA0 lea edx,
00893CA3 call EncodeString // EncodeString(Edit6.Text) -> local (encoding not visible here)
00893CA8 mov eax,dword ptr
00893CAB lea edx,
00893CAE call 0043121C // unnamed helper applied to the value before it is spliced into SQL -- possibly quoting; not verified
00893CB3 mov ecx,dword ptr
00893CB6 lea eax,
00893CB9 mov edx,894010;'update user set Rcode='
00893CBE call @UStrCat3 // string-built SQL: 'update user set Rcode=' + <value>
00893CC3 mov edx,dword ptr
00893CC6 mov eax,;^gvar_00A345C8:TCtl
00893CCB mov eax,dword ptr
00893CCD call TCtl.exeSQLStatement
00893CD2 lea edx,
00893CD5 mov eax,dword ptr ;TregisterForm.Edit1:TEdit // Edit1 = the 25-character code
00893CDB call TControl.GetText
00893CE0 mov eax,dword ptr
00893CE3 lea edx,
00893CE6 call EncodeString
00893CEB mov eax,dword ptr
00893CEE lea edx,
00893XF1 call 0043121C // (address column garbled in this dump: 00893CF1..00893CFC in the binary)
00893XF6 mov ecx,dword ptr
00893XF9 lea eax,
00893XFC mov edx,89404C;'update user set Acode='
00893D01 call @UStrCat3
00893D06 mov edx,dword ptr
00893D09 mov eax,;^gvar_00A345C8:TCtl
00893D0E mov eax,dword ptr
00893D10 call TCtl.exeSQLStatement
00893D15 lea edx,
00893D18 mov eax,dword ptr ;TregisterForm.Edit2:TEdit // Edit2 = name; only Trim, no EncodeString
00893D1E call TControl.GetText
00893D23 mov eax,dword ptr
00893D26 lea edx,
00893D29 call Trim
00893D2E mov eax,dword ptr
00893D31 lea edx,
00893D34 call 0043121C
00893D39 mov ecx,dword ptr
00893D3C lea eax,
00893D3F mov edx,894088;'update user set Name='
00893D44 call @UStrCat3
00893D49 mov edx,dword ptr
00893D4C mov eax,;^gvar_00A345C8:TCtl
00893D51 mov eax,dword ptr
00893D53 call TCtl.exeSQLStatement
00893D58 lea edx,
00893D5B mov eax,dword ptr ;TregisterForm.Edit4:TEdit // Edit4 = phone
00893D61 call TControl.GetText
00893D66 mov eax,dword ptr
00893D69 lea edx,
00893D6C call Trim
00893D71 mov eax,dword ptr
00893D74 lea edx,
00893D77 call 0043121C
00893D7C mov ecx,dword ptr
00893D7F lea eax,
00893D82 mov edx,8940C0;'update user set Phone='
00893D87 call @UStrCat3
00893D8C mov edx,dword ptr
00893D8F mov eax,;^gvar_00A345C8:TCtl
00893D94 mov eax,dword ptr
00893D96 call TCtl.exeSQLStatement
00893D9B lea edx,
00893DA1 mov eax,dword ptr ;TregisterForm.Edit5:TEdit // Edit5 = e-mail
00893DA7 call TControl.GetText
00893DAC mov eax,dword ptr
00893DB2 lea edx,
00893DB8 call Trim
00893DBD mov eax,dword ptr
00893DC3 lea edx,
00893DC9 call 0043121C
00893DCE mov ecx,dword ptr
00893DD4 lea eax,
00893DD7 mov edx,8940FC;'update user set Email='
00893DDC call @UStrCat3
00893DE1 mov edx,dword ptr
00893DE4 mov eax,;^gvar_00A345C8:TCtl
00893DE9 mov eax,dword ptr
00893DEB call TCtl.exeSQLStatement
00893DF0 push 0
00893DF2 mov ecx,893FE4
00893DF7 mov edx,89412C // "registered" message text
00893DFC mov eax,;^Application:TApplication
00893E01 mov eax,dword ptr
00893E03 call TApplication.MessageBox
00893E08 mov eax,;^gvar_00A345C8:TCtl
00893E0D mov eax,dword ptr
00893E0F call TCtl.clearTryHistroy // resets whatever trial bookkeeping TCtl keeps (not visible here)
00893E14 push 1 // uCmdShow = 1 (SW_SHOWNORMAL)
00893E16 push 894154;'start.exe' // bare file name, resolved by WinExec's search order
00893E1B call kernel32.WinExec
00893E20 mov eax,;^Application:TApplication
00893E25 mov eax,dword ptr
00893E27 call TApplication.Terminate
00893E2C> jmp 00893E54 // -> epilogue
// --- failure: message + focus Edit6
00893E2E push 0
00893E30 mov ecx,893FE4
00893E35 mov edx,894160 // "wrong key" message text
00893E3A mov eax,;^Application:TApplication
00893E3F mov eax,dword ptr
00893E41 call TApplication.MessageBox
00893E46 mov eax,dword ptr ;TregisterForm.Edit6:TEdit
00893E4C mov edx,dword ptr
00893E4E call dword ptr ;TWinControl.SetFocus
// --- epilogue: pop the try/finally frame, run the finally block (string cleanup), return
00893E54 xor eax,eax
00893E56 pop edx
00893E57 pop ecx
00893E58 pop ecx
00893E59 mov dword ptr fs:,edx // restore previous SEH frame
00893E5C push 893F05 // return address for the finally block below
00893E61 lea eax,
00893E67 call @UStrClr
00893E6C lea eax,
00893E72 mov edx,3
00893E77 call @UStrArrayClr
00893E7C lea eax,
00893E7F call @UStrClr
00893E84 lea eax,
00893E87 mov edx,3
00893E8C call @UStrArrayClr
00893E91 lea eax,
00893E94 call @UStrClr
00893E99 lea eax,
00893E9C mov edx,3
00893EA1 call @UStrArrayClr
00893EA6 lea eax,
00893EA9 call @UStrClr
00893EAE lea eax,
00893EB1 mov edx,3
00893EB6 call @UStrArrayClr
00893EBB lea eax,
00893EBE call @UStrClr
00893EC3 lea eax,
00893EC6 mov edx,3
00893ECB call @UStrArrayClr
00893ED0 lea eax,
00893ED3 call @UStrClr
00893ED8 lea eax,
00893EDB mov edx,2
00893EE0 call @UStrArrayClr
00893EE5 lea eax,
00893EE8 mov edx,0B
00893EED call @UStrArrayClr
00893EF2 lea eax,
00893EF5 call @UStrClr
00893EFA ret // returns to 00893F05 (normal path) or to the unwinder
00893EFB> jmp @HandleFinally // exception path entry of the finally block
00893F00> jmp 00893E61
00893F05 pop ebx
00893F06 mov esp,ebp
00893F08 pop ebp
00893F09 ret
代码前面一大段是对输入的离线注册码做一些小处理，主要就是去掉空格、把 o/O 换成 0、统一各种横线并转为半角大写；后面有一个判断函数，我也标注出来了。至于为什么要关注这个函数，作为破解的经验，也一并分享给大家。
那么我们继续看那个函数。如果只分析代码，可能不太好理解，我把 OD 跟踪得到的实际值也一起加进注释里，方便大家理解。
// sub_00892D40 -- the offline-key check called from BitmapButton5Click. Takes no
// arguments; its result is reported through the global gvar_00A343D4 (1 = match,
// 0 = mismatch). Values quoted in the comments come from the author's OD trace.
// Algorithm as visible below:
//   s  = machineCode + '&' + <25-char code> + '&'            (@UStrCatN, 4 parts)
//   s  = AnsiUpperCase(sbctoDbc(s)) with '-' and ' ' removed
//   s  = s + subject (gvar_00A343C0, trace: 'winxp')
//   h1 = MD5hex(s);  h2 = MD5hex(Copy(h1, 1, 20))
//   expected = Copy(h2,1,5)+'-'+Copy(h2,6,5)+'-'+Copy(h2,11,5)+'-'+Copy(h2,16,5)
//   gvar_00A343D4 := (entered offline key == expected)
// NOTE(review): every input to the hash (machine code, the entered code, the subject)
//   is present on the client, so anyone with this listing can reproduce the expected
//   key -- which is why a keygen falls out directly.
// NOTE(review): the inner try/except (00892D61 .. 00892F04) has no handler body, so an
//   exception leaves gvar_00A343D4 with whatever value it already held.
// NOTE(review): no Free of the TIdHashMessageDigest5 instance held in ebx is visible
//   in this listing.
register.sub_00892D40
00892D40 push ebp
00892D41 mov ebp,esp
00892D43 mov ecx,8 // 8 rounds of two zero pushes: zero-initialises the local string slots
00892D48 push 0
00892D4A push 0
00892D4C dec ecx
00892D4D> jne 00892D48
00892D4F push ecx
00892D50 push ebx
00892D51 push esi
00892D52 push edi
00892D53 xor eax,eax
00892D55 push ebp
00892D56 push 892F39 // outer try/finally frame; 00892F39 is the finally handler
00892D5B push dword ptr fs:
00892D5E mov dword ptr fs:,esp
00892D61 xor eax,eax
00892D63 push ebp
00892D64 push 892EFF // inner try/except frame; 00892EFF is the except handler
00892D69 push dword ptr fs:
00892D6C mov dword ptr fs:,esp
00892D6F mov dl,1 // Alloc = True: constructor call
00892D71 mov eax,;TIdHashMessageDigest5
00892D76 call TIdHashMessageDigest4.Create;TIdHashMessageDigest5.Create // Indy MD5 hasher
00892D7B mov ebx,eax // ebx = the hasher instance
00892D7D lea edx,
00892D80 mov eax,;gvar_00A343A8:TregisterForm
00892D85 mov eax,dword ptr // a TregisterForm field (offset stripped; per the trace it is the 25-character code edit)
00892D8B call TControl.GetText
// --- build machineCode + '&' + code + '&'. @UStrCatN takes the parts from the stack
// (pushed last = first part) and edx = part count.
00892D90 movzx eax,byte ptr ds:;0x1 gvar_00892F4C // StringReplace flags (0x1) for the two calls below
00892D97 push eax
00892D98 lea eax,
00892D9B push eax
00892D9C movzx eax,byte ptr ds:;0x1 gvar_00892F4C
00892DA3 push eax
00892DA4 lea eax,
00892DA7 push eax
00892DA8 push dword ptr ds:;gvar_00A343B4:UnicodeString // machine code (trace: 4700D-936AF-CEB02-9A5B8)
00892DAE push 892F5C;'&' // separator
00892DB3 push dword ptr // the text read at 00892D8B (trace: 1234567890123456789012345, the 25-character code)
00892DB6 push 892F5C;'&' // separator
00892DBB lea eax, // @dest
00892DBE mov edx,4 // 4 parts
00892DC3 call @UStrCatN // dest := machineCode + '&' + code + '&'
00892DC8 mov edx,dword ptr // trace: '4700D-936AF-CEB02-9A5B8&1234567890123456789012345&'
00892DCB lea ecx,
00892DCE mov eax,;TZhou
00892DD3 call TZhou.sbctoDbc // sbctoDbc(edx) -> [ecx]; the author saw no effect on this input
// (per the author's lookup, sbctoDbc is a full-width -> half-width conversion; not verified here)
00892DD8 mov eax,dword ptr
00892DDB lea edx,
00892DDE call AnsiUpperCase
00892DE3 mov eax,dword ptr
00892DE6 xor ecx,ecx // NewPattern = ''
00892DE8 mov edx,892F6C;'-'
00892DED call StringReplace // '-' -> ''
00892DF2 mov eax,dword ptr
00892DF5 xor ecx,ecx
00892DF7 mov edx,892F7C;' '
00892DFC call StringReplace // ' ' -> ''
00892E01 mov edx,dword ptr // trace: '4700D936AFCEB029A5B8&1234567890123456789012345&'
00892E04 lea eax,
00892E07 mov ecx,dword ptr ds:;gvar_00A343C0:UnicodeString // the registration subject (trace: 'winxp')
00892E0D call @UStrCat3 // [eax] := edx + ecx
// --- two rounds of MD5
00892E12 lea eax,
00892E15 push eax // @result for HashStringAsHex
00892E16 xor ecx,ecx // third argument = 0 (presumably the encoding parameter, nil)
00892E18 mov edx,dword ptr // trace: '4700D936AFCEB029A5B8&1234567890123456789012345&winxp'
00892E1B mov eax,ebx
00892E1D call TIdHash.HashStringAsHex // h1 = MD5 as hex; trace: FF154F7AFB41E7B90B99D975625C6A57
00892E22 lea eax,
00892E25 push eax
00892E26 lea eax,
00892E29 push eax
00892E2A mov ecx,14 // Count = 0x14 = 20
00892E2F xor edx,edx // Index = 0 (trace shows it yields the first 20 chars)
00892E31 mov eax,dword ptr
00892E34 call @UStrCopy // Copy(h1, 0, 20); trace: FF154F7AFB41E7B90B99
00892E39 mov edx,dword ptr
00892E3C xor ecx,ecx
00892E3E mov eax,ebx
00892E40 call TIdHash.HashStringAsHex // h2 = MD5 of that prefix; trace: A3122F54C1523C53FE1CF250E62D7BC9
// --- format h2 as four 5-char groups joined by '-'
00892E45 lea eax,
00892E48 push eax
00892E49 mov ecx,5 // Count = 5
00892E4E xor edx,edx // Index = 0
00892E50 mov eax,dword ptr
00892E53 call @UStrCopy // Copy(h2, 0, 5); trace: A3122
00892E58 push dword ptr
00892E5B push 892F6C;'-' // separator
00892E60 lea eax,
00892E63 push eax
00892E64 mov ecx,5 // Count = 5
00892E69 mov edx,6 // Index = 6
00892E6E mov eax,dword ptr
00892E71 call @UStrCopy // Copy(h2, 6, 5); trace: F54C1
00892E76 push dword ptr
00892E79 push 892F6C;'-' // separator
00892E7E lea eax,
00892E81 push eax
00892E82 mov ecx,5 // Count = 5
00892E87 mov edx,0B // Index = 11
00892E8C mov eax,dword ptr
00892E8F call @UStrCopy // Copy(h2, 11, 5); trace: 523C5
00892E94 push dword ptr
00892E97 push 892F6C;'-' // separator
00892E9C lea eax,
00892E9F push eax
00892EA0 mov ecx,5 // Count = 5
00892EA5 mov edx,10 // Index = 0x10 = 16
00892EAA mov eax,dword ptr
00892EAD call @UStrCopy // Copy(h2, 16, 5); trace: 3FE1C
00892EB2 push dword ptr
00892EB5 lea eax,
00892EB8 mov edx,7 // 7 parts: 4 groups + 3 separators
00892EBD call @UStrCatN // expected key; trace: A3122-F54C1-523C5-3FE1C
// --- compare with the entered offline key and publish the verdict
00892EC2 lea edx,
00892EC5 mov eax,;gvar_00A343A8:TregisterForm
00892ECA mov eax,dword ptr // a TregisterForm field (offset stripped; per the author it is Edit6, the offline key)
00892ED0 call TControl.GetText
00892ED5 mov edx,dword ptr // entered offline key (trace: ABCDE)
00892ED8 mov eax,dword ptr // expected key (trace: A3122-F54C1-523C5-3FE1C)
00892EDB call @UStrEqual // exact string equality
00892EE0> jne 00892EEE
00892EE2 mov dword ptr ds:,1;gvar_00A343D4 // match -> flag := 1
00892EEC> jmp 00892EF5
00892EEE xor eax,eax
00892EF0 mov ,eax;gvar_00A343D4 // mismatch -> flag := 0
00892EF5 xor eax,eax
00892EF7 pop edx
00892EF8 pop ecx
00892EF9 pop ecx
00892EFA mov dword ptr fs:,edx // leave the inner try/except
00892EFD> jmp 00892F09
00892EFF> jmp @HandleAnyException // inner except handler: swallows any exception, flag untouched
00892F04 call @DoneExcept
00892F09 xor eax,eax
00892F0B pop edx
00892F0C pop ecx
00892F0D pop ecx
00892F0E mov dword ptr fs:,edx // leave the outer try/finally
00892F11 push 892F40 // return address for the finally block below
00892F16 lea eax,
00892F19 call @UStrClr
00892F1E lea eax,
00892F21 mov edx,0A
00892F26 call @UStrArrayClr
00892F2B lea eax,
00892F2E mov edx,5
00892F33 call @UStrArrayClr
00892F38 ret // returns to 00892F40 (normal path) or to the unwinder
00892F39> jmp @HandleFinally // exception path entry of the finally block
00892F3E> jmp 00892F16
00892F40 mov eax,dword ptr
00892F43 pop edi
00892F44 pop esi
00892F45 pop ebx
00892F46 mov esp,ebp
00892F48 pop ebp
00892F49 ret
这个代码我们应该能看懂了吧？算法其实很简单：把机器码、注册码和科目拼到一起，做一次 MD5，取前 20 位，再做一次 MD5，然后取前 20 位，每 5 位一组分成 4 段，中间用 - 连接，就是真正的离线注册码。
注册机也顺便写出来了，用注册机的结果如下：
通用注册机
这么快就出注册机了