
一个简单的破解示例

2005-09-10 16:51 323 查看
以Rulz写的一个CrackMe文件为例学习破解的三种简单招式:
1.暴力破解
2.内存注册机制作
3.算法注册机写作
文件:ex604.exe
===================================================================================
用ollydb1.09中文版载入ex604.exe,由于没加壳,所以停在真正的入口处
00441A48 > $ 55 PUSH EBP ;无用指令,要通过关键字串设断点
00441A49 . 8BEC MOV EBP,ESP
00441A4B . 83C4 F4 ADD ESP,-0C
00441A4E . B8 40194400 MOV EAX,ex604.00441940
00441A53 . E8 4C41FCFF CALL ex604.00405BA4
00441A58 . A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441A5D . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00441A5F . E8 A0D2FFFF CALL ex604.0043ED04
00441A64 . 8B0D 002D4400 MOV ECX,DWORD PTR DS:[442D00] ; ex604.0044382C
00441A6A . A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441A6F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00441A71 . 8B15 18154400 MOV EDX,DWORD PTR DS:[441518] ; ex604.00441564
00441A77 . E8 A0D2FFFF CALL ex604.0043ED1C
00441A7C . A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441A81 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00441A83 . E8 14D3FFFF CALL ex604.0043ED9C
00441A88 . E8 FB1BFCFF CALL ex604.00403688
00441A8D . 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
00441A90 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A92 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A94 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A96 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A98 . 0000 ADD BYTE PTR DS:[EAX],AL
但是入口处看上去都不知是什么意思,不用慌,在程序中填入注册名和注册码随便注册,找到出错字符串,在ollydb中下断.下断后分析一下,来到如下部分:
004417B8 /. 55 PUSH EBP ; 注册计算部分
004417B9 |. 8BEC MOV EBP,ESP
004417BB |. 6A 00 PUSH 0
004417BD |. 6A 00 PUSH 0
004417BF |. 6A 00 PUSH 0
004417C1 |. 53 PUSH EBX
004417C2 |. 8BD8 MOV EBX,EAX
004417C4 |. 33C0 XOR EAX,EAX
004417C6 |. 55 PUSH EBP
004417C7 |. 68 60184400 PUSH ex604.00441860
004417CC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004417CF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004417D2 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004417D5 |. 8B83 C8020000 MOV EAX,DWORD PTR DS:[EBX+2C8]
004417DB |. E8 C419FEFF CALL ex604.004231A4
004417E0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 输入码地址到EAX
004417E3 |. 50 PUSH EAX
004417E4 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004417E7 |. 8B83 C4020000 MOV EAX,DWORD PTR DS:[EBX+2C4]
004417ED |. E8 B219FEFF CALL ex604.004231A4 ; 调用函数1
004417F2 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; 用户名地址到EAX
004417F5 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004417F8 |. E8 FBFEFFFF CALL ex604.004416F8 ; 算注册码函数 追入(sunxysong:1EE8-01D1-06DF-3913)
004417FD |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; 注册码地址到EDX(利用此处制作注册机)
00441800 |. 58 POP EAX ; 输入码出栈到EAX
00441801 |. E8 3E23FCFF CALL ex604.00403B44 ; 比较输入码和注册码
00441806 |. 75 1A JNZ SHORT ex604.00441822 ; 不等就跳 跳则失败(将751A改为9090则爆破)
00441808 |. 6A 40 PUSH 40
0044180A |. B9 6C184400 MOV ECX,ex604.0044186C ; ASCII "U made it"
0044180F |. BA 78184400 MOV EDX,ex604.00441878 ; ASCII "Right Code"
00441814 |. A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441819 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0044181B |. E8 D4D6FFFF CALL ex604.0043EEF4
00441820 |. EB 18 JMP SHORT ex604.0044183A
00441822 |> 6A 10 PUSH 10
00441824 |. B9 84184400 MOV ECX,ex604.00441884 ; ASCII "Error"
00441829 |. BA 8C184400 MOV EDX,ex604.0044188C ; ASCII "Wrong Code"
0044182E |. A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441833 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00441835 |. E8 BAD6FFFF CALL ex604.0043EEF4
0044183A |> 33C0 XOR EAX,EAX
0044183C |. 5A POP EDX
0044183D |. 59 POP ECX
0044183E |. 59 POP ECX
0044183F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00441842 |. 68 67184400 PUSH ex604.00441867
00441847 |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0044184A |. E8 691FFCFF CALL ex604.004037B8
0044184F |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00441852 |. E8 611FFCFF CALL ex604.004037B8
00441857 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0044185A |. E8 591FFCFF CALL ex604.004037B8
0044185F /. C3 RETN
从004417F8处追入,来到:
004416F8 /$ 53 PUSH EBX
004416F9 |. 56 PUSH ESI
004416FA |. 57 PUSH EDI
004416FB |. 83C4 DC ADD ESP,-24
004416FE |. 891424 MOV DWORD PTR SS:[ESP],EDX
00441701 |. 8BF8 MOV EDI,EAX
00441703 |. BB 05033949 MOV EBX,49390305
00441708 |. BE 20126348 MOV ESI,48631220
0044170D |. 8BC7 MOV EAX,EDI
0044170F |. E8 2023FCFF CALL ex604.00403A34 ; 计算用户名长度到EAX
00441714 |. 85C0 TEST EAX,EAX
00441716 |. 7E 2E JLE SHORT ex604.00441746 ; 用户名如为空,得到默认注册码(0305-4939-1220-4863)
00441718 |. BA 01000000 MOV EDX,1
0044171D |> 33C9 /XOR ECX,ECX ; EAX中为注册名长度 EDX为字串指针
0044171F |. 8A4C17 FF |MOV CL,BYTE PTR DS:[EDI+EDX-1]
00441723 |. 33D9 |XOR EBX,ECX ; 常数1-49390305异或每一个字符
00441725 |. 33F3 |XOR ESI,EBX ; 常数2-48631220再异或结果
00441727 |. F6C3 01 |TEST BL,1
0044172A |. 74 0F |JE SHORT ex604.0044173B ; 分奇偶分别处理
0044172C |. D1FB |SAR EBX,1
0044172E |. 79 03 |JNS SHORT ex604.00441733
00441730 |. 83D3 00 |ADC EBX,0
00441733 |> 81F3 11032001 |XOR EBX,1200311
00441739 |. EB 07 |JMP SHORT ex604.00441742
0044173B |> D1FB |SAR EBX,1
0044173D |. 79 03 |JNS SHORT ex604.00441742
0044173F |. 83D3 00 |ADC EBX,0
00441742 |> 42 |INC EDX
00441743 |. 48 |DEC EAX
00441744 |.^75 D7 /JNZ SHORT ex604.0044171D
00441746 |> 8B0424 MOV EAX,DWORD PTR SS:[ESP] ; EBX ESI为相关有效结果
00441749 |. 50 PUSH EAX ; /Arg1
0044174A |. 8BC3 MOV EAX,EBX ; |结果到EAX
0044174C |. 25 FFFF0000 AND EAX,0FFFF ; |取EBX低16位
00441751 |. 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; |
00441755 |. C64424 0C 00 MOV BYTE PTR SS:[ESP+C],0 ; |置'/0'位,以便后面转换成字串 下同
0044175A |. C1EB 10 SHR EBX,10 ; |逻辑右移16位
0044175D |. 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX ; |
00441761 |. C64424 14 00 MOV BYTE PTR SS:[ESP+14],0 ; |
00441766 |. 8BC6 MOV EAX,ESI ; |
00441768 |. 25 FFFF0000 AND EAX,0FFFF ; |取ESI低16位
0044176D |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX ; |
00441771 |. C64424 1C 00 MOV BYTE PTR SS:[ESP+1C],0 ; |
00441776 |. C1EE 10 SHR ESI,10 ; |逻辑右移16位
00441779 |. 897424 20 MOV DWORD PTR SS:[ESP+20],ESI ; |
0044177D |. C64424 24 00 MOV BYTE PTR SS:[ESP+24],0 ; |到此放入4组注册码(首地址为[ESP+8])
00441782 |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8] ; |
00441786 |. B9 03000000 MOV ECX,3 ; |
0044178B |. B8 A4174400 MOV EAX,ex604.004417A4 ; |ASCII "%.4x-%.4x-%.4x-%.4x"
00441790 |. E8 6F68FCFF CALL ex604.00408004 ; /将注册码组装成"XXXX-XXXX-XXXX-XXXX"形式(输入参数为EDX,ECX,EAX)
00441795 |. 83C4 24 ADD ESP,24
00441798 |. 5F POP EDI
00441799 |. 5E POP ESI
0044179A |. 5B POP EBX
0044179B /. C3 RETN
从每句的注释可以看到0044177D处就得出了注册码.
由上可以看出00441806处可以暴力破解,004417FD处可以用于制作注册机,至于注册机算法看下面.
============================================================================
注册机代码:
//必须在win32位环境下编译运行
//**********************************************
// KeyGen for ex604:Written by sunxysong
//**********************************************

#include <stdlib.h>
#include <cstdio>
#include <iostream>
#include <string>
using namespace std;
std::string HexToString(int hex)
{
    // Renders the low 16 bits of `hex` as exactly four upper-case hex digits
    // (0x0305 -> "0305", 0xABCD -> "ABCD"). Higher bits are ignored, so the
    // result always has length 4; the caller masks its inputs to 0xFFFF anyway.
    static const char kDigits[] = "0123456789ABCDEF";
    std::string out(4, '0');
    for (int pos = 3; pos >= 0; --pos)
    {
        out[pos] = kDigits[hex & 0xF];   // lowest nibble fills the rightmost slot
        hex >>= 4;                       // any sign bits shifted in are masked off above
    }
    return out;
}

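std::string GetCode(std::string username)
{
    // Re-implements the serial routine at 004416F8 from the disassembly above:
    //   EBX = 49390305h, ESI = 48631220h
    //   per byte: EBX ^= byte; ESI ^= EBX;
    //             EBX = EBX sar 1, plus 1 when the result is negative and the
    //             bit shifted out was 1 (JNS / ADC EBX,0);
    //             if that bit was 1: EBX ^= 1200311h
    //   serial  = EBX.lo16 - EBX.hi16 - ESI.lo16 - ESI.hi16, four hex digits each
    // Relies on `int` being 32 bits with an arithmetic `>>` (true on the Win32
    // toolchains the file header names, and on gcc/clang/msvc in general).
    const int kSeed1 = 0x49390305;   // initial EBX
    const int kSeed2 = 0x48631220;   // initial ESI
    const int kOddMask = 0x1200311;  // XORed in on the odd branch only

    int acc1 = kSeed1;
    int acc2 = kSeed2;
    for (std::string::size_type i = 0; i < username.length(); ++i)
    {
        // `XOR ECX,ECX; MOV CL,[EDI+EDX-1]` zero-extends the byte. `char` may be
        // signed, so go through unsigned char or bytes >= 0x80 would sign-extend
        // and flip the upper 24 bits of the accumulator.
        acc1 ^= static_cast<unsigned char>(username[i]);
        acc2 ^= acc1;

        const int low_bit = acc1 & 1;   // TEST BL,1 -- also the bit SAR moves into CF
        acc1 >>= 1;                     // SAR EBX,1
        if (acc1 < 0)                   // JNS skips the ADC: add CF only on a negative result
            acc1 += low_bit;            //   (the old code also added when the result was 0)
        if (low_bit)                    // XOR EBX,1200311 on the odd path only
            acc1 ^= kOddMask;
    }

    // Same layout as the target's own format string "%.4x-%.4x-%.4x-%.4x"
    // (004417A4); the sample "1EE8-01D1-06DF-3913" shows upper-case digits.
    // With an empty name the loop does not run and the seeds alone yield
    // "0305-4939-1220-4863", so no separate special case is needed.
    char serial[20];   // 19 characters plus the terminating NUL
    std::snprintf(serial, sizeof serial, "%04X-%04X-%04X-%04X",
                  static_cast<unsigned>(acc1) & 0xFFFFu,
                  (static_cast<unsigned>(acc1) >> 16) & 0xFFFFu,   // SHR EBX,10
                  static_cast<unsigned>(acc2) & 0xFFFFu,
                  (static_cast<unsigned>(acc2) >> 16) & 0xFFFFu);  // SHR ESI,10
    return std::string(serial);
}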
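int main(int argc,char** argv)
{
    (void)argc;   // the name is read interactively; the command line is not used
    (void)argv;

    std::string name;
    // The published listing shows "/t/t" here; the same page also shows '/0' for
    // '\0', so the leading tabs were almost certainly lost in publication.
    std::cout << std::endl << "\t\tkeyGen_ex604:Written by sunxysong" << std::endl << std::endl;
    std::cout << "Please input your name:";
    // getline instead of `cin >> name`: a name containing spaces would otherwise
    // be cut at the first blank and the serial computed for a different string.
    std::getline(std::cin, name);
    std::cout << std::endl << "The serial is:" << GetCode(name) << std::endl;
    system("pause");   // Windows console idiom; the file header already restricts this to Win32
    return 0;
}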

=========================================================================
总结:
抓住主要部分,先从大体上把握注册机制,找出重要断点下断;
写注册机时,以汇编代码为基础,用高级语言写出相同的算法流程,要特别注意条件跳转和各标志位;确认算法逻辑无误后,再对高级语言写的算法作提炼调整。这需要很大的毅力和耐心,这一点非常重要。