【标 题】:如何破解Opera 4.0 Final 下
【关键字】:in,破解,Opera,Fi,Opera,Final
【来 源】:网络
经过这一番折腾,它把a[0]瓜分了,显然是想分散我们的注意力,只要我们漏过a[0]的7部分中的任一部分,有效的注册码就找不到。
还记不记得注册码的第1部分只有一个字符?接下来它就要对注册码的第1部分进行查表变换。
:004F4031 0FB655E8 movzx edx, byte ptr [ebp-18] //取出注册码的第1部分
:004F4035 33C9 xor ecx, ecx //下标清0
:004F4037 0FBEB180D35300 movsx esi, byte ptr [ecx+0053D380]//查表,从表"emuw"中取出一个字符
:004F403E 3BF2 cmp esi, edx //和注册码的第一部分相等?
:004F4040 740A je 004F404C //相等则将下标记下来
:004F4042 41 inc ecx //下标加1
:004F4043 83F903 cmp ecx, 00000003 //该表中仅4个字符
:004F4046 7EEF jle 004F4037 //循环,遍历该表
:004F4048 0CFF or al, FF //bad guy
:004F404A EB05 jmp 004F4051
:004F404C 894804 mov dword ptr [eax+04], ecx //保存此时的下标
:004F404F 32C0 xor al, al //good guy
:004F4051 5F pop edi
:004F4052 5E pop esi
:004F4053 C9 leave
:004F4054 C3 ret
由上可见,如果你输入的假注册码的第一个字符如果不是e或m或u或w,则bye-bye了。否则它就记下该下标,此后要对这个下标进行判断,耐心等等,后面还会提到。
接下来,它要根据a[1]、a[2]、a[3]计算出一个数来,然后和a[4]进行比较。至此我们知道a[4]是根据a[1]、a[2]、a[3]计算出来的,这对写注册机很重要。计算没什么特别的地方,照搬到我们的注册机中,稍加改动即可。计算过程如下:
* Referenced by a CALL at Address:
|:004F411A
|
:004F4055 55 push ebp
:004F4056 8BEC mov ebp, esp
:004F4058 83EC0C sub esp, 0000000C
:004F405B 8B4D08 mov ecx, dword ptr [ebp+08]
:004F405E 53 push ebx
:004F405F 56 push esi
:004F4060 33F6 xor esi, esi
:004F4062 8B4104 mov eax, dword ptr [ecx+04]
:004F4065 57 push edi
:004F4066 40 inc eax
:004F4067 C745FC79786573 mov [ebp-04], 73657879
:004F406E C745F865626162 mov [ebp-08], 62616265
:004F4075 8945F4 mov dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40DF(C)
|
:004F4078 8BC6 mov eax, esi
:004F407A 6A03 push 00000003
:004F407C 99 cdq
:004F407D 5F pop edi
:004F407E F7FF idiv edi
:004F4080 46 inc esi
:004F4081 6A03 push 00000003
:004F4083 8BC6 mov eax, esi
:004F4085 5B pop ebx
:004F4086 8B7C910C mov edi, dword ptr [ecx+4*edx+0C]
:004F408A 99 cdq
:004F408B F7FB idiv ebx
:004F408D 8B45F4 mov eax, dword ptr [ebp-0C]
:004F4090 85C0 test eax, eax
:004F4092 8B54910C mov edx, dword ptr [ecx+4*edx+0C]
:004F4096 7E37 jle 004F40CF
:004F4098 8B5DFC mov ebx, dword ptr [ebp-04]
:004F409B 894508 mov dword ptr [ebp+08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40AA(C)
|
:004F409E 8BC3 mov eax, ebx
:004F40A0 0FAFC3 imul eax, ebx
:004F40A3 33C7 xor eax, edi
:004F40A5 FF4D08 dec [ebp+08]
:004F40A8 8BD8 mov ebx, eax
:004F40AA 75F2 jne 004F409E
:004F40AC 895DFC mov dword ptr [ebp-04], ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40D2(U)
|
:004F40AF 8B4108 mov eax, dword ptr [ecx+08]
:004F40B2 83C003 add eax, 00000003
:004F40B5 85C0 test eax, eax
:004F40B7 7E1B jle 004F40D4
:004F40B9 894508 mov dword ptr [ebp+08], eax
:004F40BC 8B45F8 mov eax, dword ptr [ebp-08]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40CB(C)
|
:004F40BF 8BF8 mov edi, eax
:004F40C1 0FAFF8 imul edi, eax
:004F40C4 33FA xor edi, edx
:004F40C6 FF4D08 dec [ebp+08]
:004F40C9 8BC7 mov eax, edi
:004F40CB 75F2 jne 004F40BF
:004F40CD EB0A jmp 004F40D9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4096(C)
|
:004F40CF 8B5DFC mov ebx, dword ptr [ebp-04]
:004F40D2 EBDB jmp 004F40AF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40B7(C)
|
:004F40D4 8B45F8 mov eax, dword ptr [ebp-08]
:004F40D7 EB03 jmp 004F40DC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40CD(U)
|
:004F40D9 8945F8 mov dword ptr [ebp-08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40D7(U)
|
:004F40DC 83FE1F cmp esi, 0000001F
:004F40DF 7C97 jl 004F4078
:004F40E1 81E3F0F0F000 and ebx, 00F0F0F0 //最高4 bit被干掉了
:004F40E7 250F0F0F0F and eax, 0F0F0F0F //最高4 bit被干掉了
:004F40EC 0BD8 or ebx, eax
:004F40EE 8B450C mov eax, dword ptr [ebp+0C]
:004F40F1 5F pop edi
:004F40F2 5E pop esi
:004F40F3 8918 mov dword ptr [eax], ebx //保存计算的结果
:004F40F5 32C0 xor al, al
:004F40F7 5B pop ebx
:004F40F8 C9 leave
:004F40F9 C3 ret
注意上面的注释!在CS:004F40E1和CS:004F40E7这两处,最高4个bit都被变为0了,这意味着计算出来的这个数的最高4 bit全部为0。但是它又要拿这个计算出来的数和a[4]进行比较,那说明此时a[4]的最高4 bit也必须为0。
还记不记得此时a[4]的最高4 bit是从a[0]中分来的(十六进制形式为Zkkkkkkk)!至此我们又搞定a[0]的7部分
中的一部分。
下面是和a[4]进行比较:
:004F4112 8D4508 lea eax, dword ptr [ebp+08]
:004F4115 50 push eax
:004F4116 8D45E4 lea eax, dword ptr [ebp-1C]
:004F4119 50 push eax
:004F411A E836FFFFFF call 004F4055 //根据a[1]、a[2]、a[3]计算
:004F411F 59 pop ecx
:004F4120 84C0 test al, al
:004F4122 59 pop ecx
:004F4123 7528 jne 004F414D
:004F4125 8B45FC mov eax, dword ptr [ebp-04]
:004F4128 3B4508 cmp eax, dword ptr [ebp+08] //和a[4]比较
:004F412B 7520 jne 004F414D
紧跟着它要判断a[1]、a[2]、a[3]了,如下:
* Referenced by a CALL at Address:
|:004F4131
|
:004F4155 8B442404 mov eax, dword ptr [esp+04]
:004F4159 56 push esi
:004F415A BE74D35300 mov esi, 0053D374
:004F415F 8D480C lea ecx, dword ptr [eax+0C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4178(C)
|
:004F4162 8B01 mov eax, dword ptr [ecx] //取出a[k],k=1,2,3
:004F4164 33D2 xor edx, edx
:004F4166 F736 div dword ptr [esi] //分别除以常数
:004F4168 85D2 test edx, edx //余数不为0则bad guy
:004F416A 7512 jne 004F417E
:004F416C 83C604 add esi, 00000004
:004F416F 83C104 add ecx, 00000004 //余数为0则继续比较
:004F4172 81FE80D35300 cmp esi, 0053D380
:004F4178 7CE8 jl 004F4162 //循环
:004F417A 32C0 xor al, al //a[1]、a[2]、a[3]均通过检查则OK
:004F417C 5E pop esi
:004F417D C3 ret
由上可知,此时的a[1]、a[2]、a[3]应为常数的整数倍,执行上面的那条除法指令时敲dd esi,可以看见常数分别为00114BCF, 0x0013D39F, 0x003687A9。至于究竟是多少倍,我们写注册机的时候可以用随机数(我用GetTickCount模拟随机数),这也说明这个软件有很多个注册码。注意到此时的a[1]、a[2]、a[3]的最高4 bit都是从a[0]中分来的一杯羹,于是我们又搞定了a[0]的7部分之中的3部分。
至此,我们已经可以写程序生成a[1]、a[2]、a[3],然后再生成a[4],现在只剩下a[0]的7部分中的两部分(即最低8bit位,分成7个bit和1个bit共两部分)和注册码的第一部分(即查表后的下标)了。
下面就是对这3个东西的判断:
:004F412D 8D45E4 lea eax, dword ptr [ebp-1C]
:004F4130 50 push eax
:004F4131 E81F000000 call 004F4155 //这里头检查a[1]、a[2]、a[3]
:004F4136 84C0 test al, al
:004F4138 59 pop ecx
:004F4139 7512 jne 004F414D
:004F413B 837DE400 cmp dword ptr [ebp-1C], 00000000 //a[0]的最低bit,即第0bit
:004F413F 750C jne 004F414D
:004F4141 837DE803 cmp dword ptr [ebp-18], 00000003 //注册码的第1部分所对应的下标
:004F4145 7506 jne 004F414D
:004F4147 837DEC02 cmp dword ptr [ebp-14], 00000002 //a[0]的第1~7bit
:004F414B 7404 je 004F4151
根据上面的比较可知,注册码的第一部分在表格"emuw"中的下标应为3,即注册码的第一个字符固定为w;
a[0]的最低8个bit用十六进制表示为0x04,结合前面我们得到的关于a[0]的信息,就可以把a[0]表示出来了。
至此可以写出注册机。(累死了,呵呵)
为保持完整性,把注册机再贴一下:
//keygen for Opera 4.0 Final
//compiled with Visual C++ 5
#include <stdio.h>
#include <windows.h>
unsigned long Sequence;
const unsigned long factor[3] = { 0x00114BCF, 0x0013D39F, 0x003687A9 };
const char table[50] = "abcdefhijkmnprstuvwxyzABCDEFHJKLMNPQRSTUVWXY345678";
int k, m;
unsigned long a[5];
long EBP_04, EBP_08, EBP_0C, EBP_p08;
void main(void)
{
printf("Key generator for Opera 4.0 final.\n");
printf("http://www.opera.com.\n");
printf("coded by dr0, 2000.6.30.\n");
for (k = 1; k <= 3; k++)
{
a[k] = factor[k-1] * (GetTickCount( ) % (0xFFFFFFFFL / factor[k-1] + 1));
}
_asm
{
push eax
push ebx
push ecx
push edx
push esi
push edi
mov ecx, offset a
XOR ESI,ESI
MOV EAX,0x03
INC EAX
MOV DWORD PTR [EBP_04],0x73657879L
MOV DWORD PTR [EBP_08],0x62616265L
MOV [EBP_0C],EAX
_004F4078: MOV EAX,ESI
PUSH 0x03
CDQ
POP EDI
IDIV EDI
INC ESI
PUSH 0x03
MOV EAX,ESI
POP EBX
MOV EDI,[EDX*4+ECX+4]
CDQ
IDIV EBX
MOV EAX,[EBP_0C]
TEST EAX,EAX
MOV EDX,[EDX*4+ECX+4]
JLE _004F40CF
MOV EBX,[EBP_04]
MOV [EBP_p08],EAX
_004F409E: MOV EAX,EBX
IMUL EAX,EBX
XOR EAX,EDI
DEC DWORD PTR [EBP_p08]
MOV EBX,EAX
JNZ _004F409E
MOV [EBP_04],EBX
_004F40AF: MOV EAX,0x02
ADD EAX,0x03
TEST EAX,EAX
JLE _004F40D4
MOV [EBP_p08],EAX
MOV EAX,[EBP_08]
_004F40BF: MOV EDI,EAX
IMUL EDI,EAX
XOR EDI,EDX
DEC DWORD PTR [EBP_p08]
MOV EAX,EDI
JNZ _004F40BF
JMP _004F40D9
_004F40CF: MOV EBX,[EBP_04]
JMP _004F40AF
_004F40D4: MOV EAX,[EBP_08]
JMP _004F40DC
_004F40D9: MOV [EBP_08],EAX
_004F40DC: CMP ESI,0x1F
JL _004F4078
AND EBX,0x00F0F0F0L
AND EAX,0x0F0F0F0FL
OR EBX,EAX
mov [ecx+4*4], ebx
pop edi
pop esi
pop edx
pop ecx
pop ebx
pop eax
}
a[0] = 0;
for (k = 1; k <= 3; k++)
{
a[0] |= a[k] >> 28;
a[0] <<= 4;
}
a[0] <<= 12;
a[0] |= 0x00000F04L;
for (k = 0; k < 4; k++)
{
a[k] &= 0x0FFFFFFFL;
}
Sequence = 0x01A26A75;
for(k = 0; k < 0x65; k++)
{
_asm
{
push eax
push ecx
push edx
MOV ECX, [Sequence]
MOV EAX, ECX
LEA EDX, [ECX+ECX]
AND AL, 0xFE
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 1
AND EDX, -0x04
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 0x02
AND EDX, -0x10
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 0x02
AND EDX, -0x40
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 0x19
AND EDX, 0x80000000
XOR EAX, EDX
SHR ECX, 1
OR EAX, ECX
MOV [Sequence], EAX
pop edx
pop ecx
pop eax
}
a[k % 5] ^= (Sequence & 0x0FFFFFFFL);
}
for (k = 3; k >= 0; k--)
{
a[k] ^= a[k+1];
}
printf("Your code is: ");
putchar('w');
for(k = 0; k < 5; k++)
{
putchar('-');
for(m = 0; m < 5; m++)
{
putchar(table[a[k] % 50L]);
a[k] /= 50L;
}
}
printf("\n");
}
【关键字】:in,破解,Opera,Fi,Opera,Final
【来 源】:网络
如何破解Opera 4.0 Final 下
还记不记得注册码的第1部分只有一个字符?接下来它就要对注册码的第1部分进行查表变换。
:004F4031 0FB655E8 movzx edx, byte ptr [ebp-18] //取出注册码的第1部分
:004F4035 33C9 xor ecx, ecx //下标清0
:004F4037 0FBEB180D35300 movsx esi, byte ptr [ecx+0053D380]//查表,从表"emuw"中取出一个字符
:004F403E 3BF2 cmp esi, edx //和注册码的第一部分相等?
:004F4040 740A je 004F404C //相等则将下标记下来
:004F4042 41 inc ecx //下标加1
:004F4043 83F903 cmp ecx, 00000003 //该表中仅4个字符
:004F4046 7EEF jle 004F4037 //循环,遍历该表
:004F4048 0CFF or al, FF //bad guy
:004F404A EB05 jmp 004F4051
:004F404C 894804 mov dword ptr [eax+04], ecx //保存此时的下标
:004F404F 32C0 xor al, al //good guy
:004F4051 5F pop edi
:004F4052 5E pop esi
:004F4053 C9 leave
:004F4054 C3 ret
由上可见,如果你输入的假注册码的第一个字符如果不是e或m或u或w,则bye-bye了。否则它就记下该下标,此后要对这个下标进行判断,耐心等等,后面还会提到。
接下来,它要根据a[1]、a[2]、a[3]计算出一个数来,然后和a[4]进行比较。至此我们知道a[4]是根据a[1]、a[2]、a[3]计算出来的,这对写注册机很重要。计算没什么特别的地方,照搬到我们的注册机中,稍加改动即可。计算过程如下:
* Referenced by a CALL at Address:
|:004F411A
|
:004F4055 55 push ebp
:004F4056 8BEC mov ebp, esp
:004F4058 83EC0C sub esp, 0000000C
:004F405B 8B4D08 mov ecx, dword ptr [ebp+08]
:004F405E 53 push ebx
:004F405F 56 push esi
:004F4060 33F6 xor esi, esi
:004F4062 8B4104 mov eax, dword ptr [ecx+04]
:004F4065 57 push edi
:004F4066 40 inc eax
:004F4067 C745FC79786573 mov [ebp-04], 73657879
:004F406E C745F865626162 mov [ebp-08], 62616265
:004F4075 8945F4 mov dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40DF(C)
|
:004F4078 8BC6 mov eax, esi
:004F407A 6A03 push 00000003
:004F407C 99 cdq
:004F407D 5F pop edi
:004F407E F7FF idiv edi
:004F4080 46 inc esi
:004F4081 6A03 push 00000003
:004F4083 8BC6 mov eax, esi
:004F4085 5B pop ebx
:004F4086 8B7C910C mov edi, dword ptr [ecx+4*edx+0C]
:004F408A 99 cdq
:004F408B F7FB idiv ebx
:004F408D 8B45F4 mov eax, dword ptr [ebp-0C]
:004F4090 85C0 test eax, eax
:004F4092 8B54910C mov edx, dword ptr [ecx+4*edx+0C]
:004F4096 7E37 jle 004F40CF
:004F4098 8B5DFC mov ebx, dword ptr [ebp-04]
:004F409B 894508 mov dword ptr [ebp+08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40AA(C)
|
:004F409E 8BC3 mov eax, ebx
:004F40A0 0FAFC3 imul eax, ebx
:004F40A3 33C7 xor eax, edi
:004F40A5 FF4D08 dec [ebp+08]
:004F40A8 8BD8 mov ebx, eax
:004F40AA 75F2 jne 004F409E
:004F40AC 895DFC mov dword ptr [ebp-04], ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40D2(U)
|
:004F40AF 8B4108 mov eax, dword ptr [ecx+08]
:004F40B2 83C003 add eax, 00000003
:004F40B5 85C0 test eax, eax
:004F40B7 7E1B jle 004F40D4
:004F40B9 894508 mov dword ptr [ebp+08], eax
:004F40BC 8B45F8 mov eax, dword ptr [ebp-08]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40CB(C)
|
:004F40BF 8BF8 mov edi, eax
:004F40C1 0FAFF8 imul edi, eax
:004F40C4 33FA xor edi, edx
:004F40C6 FF4D08 dec [ebp+08]
:004F40C9 8BC7 mov eax, edi
:004F40CB 75F2 jne 004F40BF
:004F40CD EB0A jmp 004F40D9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4096(C)
|
:004F40CF 8B5DFC mov ebx, dword ptr [ebp-04]
:004F40D2 EBDB jmp 004F40AF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40B7(C)
|
:004F40D4 8B45F8 mov eax, dword ptr [ebp-08]
:004F40D7 EB03 jmp 004F40DC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40CD(U)
|
:004F40D9 8945F8 mov dword ptr [ebp-08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F40D7(U)
|
:004F40DC 83FE1F cmp esi, 0000001F
:004F40DF 7C97 jl 004F4078
:004F40E1 81E3F0F0F000 and ebx, 00F0F0F0 //最高4 bit被干掉了
:004F40E7 250F0F0F0F and eax, 0F0F0F0F //最高4 bit被干掉了
:004F40EC 0BD8 or ebx, eax
:004F40EE 8B450C mov eax, dword ptr [ebp+0C]
:004F40F1 5F pop edi
:004F40F2 5E pop esi
:004F40F3 8918 mov dword ptr [eax], ebx //保存计算的结果
:004F40F5 32C0 xor al, al
:004F40F7 5B pop ebx
:004F40F8 C9 leave
:004F40F9 C3 ret
注意上面的注释!在CS:004F40E1和CS:004F40E7这两处,最高4个bit都被变为0了,这意味着计算出来的这个数的最高4 bit全部为0。但是它又要拿这个计算出来的数和a[4]进行比较,那说明此时a[4]的最高4 bit也必须为0。
还记不记得此时a[4]的最高4 bit是从a[0]中分来的(十六进制形式为Zkkkkkkk)!至此我们又搞定a[0]的7部分
中的一部分。
下面是和a[4]进行比较:
:004F4112 8D4508 lea eax, dword ptr [ebp+08]
:004F4115 50 push eax
:004F4116 8D45E4 lea eax, dword ptr [ebp-1C]
:004F4119 50 push eax
:004F411A E836FFFFFF call 004F4055 //根据a[1]、a[2]、a[3]计算
:004F411F 59 pop ecx
:004F4120 84C0 test al, al
:004F4122 59 pop ecx
:004F4123 7528 jne 004F414D
:004F4125 8B45FC mov eax, dword ptr [ebp-04]
:004F4128 3B4508 cmp eax, dword ptr [ebp+08] //和a[4]比较
:004F412B 7520 jne 004F414D
紧跟着它要判断a[1]、a[2]、a[3]了,如下:
* Referenced by a CALL at Address:
|:004F4131
|
:004F4155 8B442404 mov eax, dword ptr [esp+04]
:004F4159 56 push esi
:004F415A BE74D35300 mov esi, 0053D374
:004F415F 8D480C lea ecx, dword ptr [eax+0C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4178(C)
|
:004F4162 8B01 mov eax, dword ptr [ecx] //取出a[k],k=1,2,3
:004F4164 33D2 xor edx, edx
:004F4166 F736 div dword ptr [esi] //分别除以常数
:004F4168 85D2 test edx, edx //余数不为0则bad guy
:004F416A 7512 jne 004F417E
:004F416C 83C604 add esi, 00000004
:004F416F 83C104 add ecx, 00000004 //余数为0则继续比较
:004F4172 81FE80D35300 cmp esi, 0053D380
:004F4178 7CE8 jl 004F4162 //循环
:004F417A 32C0 xor al, al //a[1]、a[2]、a[3]均通过检查则OK
:004F417C 5E pop esi
:004F417D C3 ret
由上可知,此时的a[1]、a[2]、a[3]应为常数的整数倍,执行上面的那条除法指令时敲dd esi,可以看见常数分别为00114BCF, 0x0013D39F, 0x003687A9。至于究竟是多少倍,我们写注册机的时候可以用随机数(我用GetTickCount模拟随机数),这也说明这个软件有很多个注册码。注意到此时的a[1]、a[2]、a[3]的最高4 bit都是从a[0]中分来的一杯羹,于是我们又搞定了a[0]的7部分之中的3部分。
至此,我们已经可以写程序生成a[1]、a[2]、a[3],然后再生成a[4],现在只剩下a[0]的7部分中的两部分(即最低8bit位,分成7个bit和1个bit共两部分)和注册码的第一部分(即查表后的下标)了。
下面就是对这3个东西的判断:
:004F412D 8D45E4 lea eax, dword ptr [ebp-1C]
:004F4130 50 push eax
:004F4131 E81F000000 call 004F4155 //这里头检查a[1]、a[2]、a[3]
:004F4136 84C0 test al, al
:004F4138 59 pop ecx
:004F4139 7512 jne 004F414D
:004F413B 837DE400 cmp dword ptr [ebp-1C], 00000000 //a[0]的最低bit,即第0bit
:004F413F 750C jne 004F414D
:004F4141 837DE803 cmp dword ptr [ebp-18], 00000003 //注册码的第1部分所对应的下标
:004F4145 7506 jne 004F414D
:004F4147 837DEC02 cmp dword ptr [ebp-14], 00000002 //a[0]的第1~7bit
:004F414B 7404 je 004F4151
根据上面的比较可知,注册码的第一部分在表格"emuw"中的下标应为3,即注册码的第一个字符固定为w;
a[0]的最低8个bit用十六进制表示为0x04,结合前面我们得到的关于a[0]的信息,就可以把a[0]表示出来了。
至此可以写出注册机。(累死了,呵呵)
为保持完整性,把注册机再贴一下:
//keygen for Opera 4.0 Final
//compiled with Visual C++ 5
#include <stdio.h>
#include <windows.h>
unsigned long Sequence;
const unsigned long factor[3] = { 0x00114BCF, 0x0013D39F, 0x003687A9 };
const char table[50] = "abcdefhijkmnprstuvwxyzABCDEFHJKLMNPQRSTUVWXY345678";
int k, m;
unsigned long a[5];
long EBP_04, EBP_08, EBP_0C, EBP_p08;
void main(void)
{
printf("Key generator for Opera 4.0 final.\n");
printf("http://www.opera.com.\n");
printf("coded by dr0, 2000.6.30.\n");
for (k = 1; k <= 3; k++)
{
a[k] = factor[k-1] * (GetTickCount( ) % (0xFFFFFFFFL / factor[k-1] + 1));
}
_asm
{
push eax
push ebx
push ecx
push edx
push esi
push edi
mov ecx, offset a
XOR ESI,ESI
MOV EAX,0x03
INC EAX
MOV DWORD PTR [EBP_04],0x73657879L
MOV DWORD PTR [EBP_08],0x62616265L
MOV [EBP_0C],EAX
_004F4078: MOV EAX,ESI
PUSH 0x03
CDQ
POP EDI
IDIV EDI
INC ESI
PUSH 0x03
MOV EAX,ESI
POP EBX
MOV EDI,[EDX*4+ECX+4]
CDQ
IDIV EBX
MOV EAX,[EBP_0C]
TEST EAX,EAX
MOV EDX,[EDX*4+ECX+4]
JLE _004F40CF
MOV EBX,[EBP_04]
MOV [EBP_p08],EAX
_004F409E: MOV EAX,EBX
IMUL EAX,EBX
XOR EAX,EDI
DEC DWORD PTR [EBP_p08]
MOV EBX,EAX
JNZ _004F409E
MOV [EBP_04],EBX
_004F40AF: MOV EAX,0x02
ADD EAX,0x03
TEST EAX,EAX
JLE _004F40D4
MOV [EBP_p08],EAX
MOV EAX,[EBP_08]
_004F40BF: MOV EDI,EAX
IMUL EDI,EAX
XOR EDI,EDX
DEC DWORD PTR [EBP_p08]
MOV EAX,EDI
JNZ _004F40BF
JMP _004F40D9
_004F40CF: MOV EBX,[EBP_04]
JMP _004F40AF
_004F40D4: MOV EAX,[EBP_08]
JMP _004F40DC
_004F40D9: MOV [EBP_08],EAX
_004F40DC: CMP ESI,0x1F
JL _004F4078
AND EBX,0x00F0F0F0L
AND EAX,0x0F0F0F0FL
OR EBX,EAX
mov [ecx+4*4], ebx
pop edi
pop esi
pop edx
pop ecx
pop ebx
pop eax
}
a[0] = 0;
for (k = 1; k <= 3; k++)
{
a[0] |= a[k] >> 28;
a[0] <<= 4;
}
a[0] <<= 12;
a[0] |= 0x00000F04L;
for (k = 0; k < 4; k++)
{
a[k] &= 0x0FFFFFFFL;
}
Sequence = 0x01A26A75;
for(k = 0; k < 0x65; k++)
{
_asm
{
push eax
push ecx
push edx
MOV ECX, [Sequence]
MOV EAX, ECX
LEA EDX, [ECX+ECX]
AND AL, 0xFE
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 1
AND EDX, -0x04
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 0x02
AND EDX, -0x10
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 0x02
AND EDX, -0x40
XOR EAX, EDX
MOV EDX, ECX
SHL EAX, 0x19
AND EDX, 0x80000000
XOR EAX, EDX
SHR ECX, 1
OR EAX, ECX
MOV [Sequence], EAX
pop edx
pop ecx
pop eax
}
a[k % 5] ^= (Sequence & 0x0FFFFFFFL);
}
for (k = 3; k >= 0; k--)
{
a[k] ^= a[k+1];
}
printf("Your code is: ");
putchar('w');
for(k = 0; k < 5; k++)
{
putchar('-');
for(m = 0; m < 5; m++)
{
putchar(table[a[k] % 50L]);
a[k] /= 50L;
}
}
printf("\n");
}
【相关文章】
破解HomeWatcher v1.2 第一回合 下
用W32DASM破解图形捕捉ScreenTaker 最新版本:2.21
破解Visual Zip Password Recovery Processor v3.2 初级
‘侠客系统修改1。21’的破解
破解winhex v9.3下篇
破解winhex v9.3
用TRW2000破解EXESCOPE5.12
Recover 4 all version 0.3 破解
破解Advanced Find and Replace V1.2.2
Readbook 1.31破解心得
【随机文章】
DHTML技巧--网页文字选取
今天学的几个C函数的用法(atexit,atoi,atof,atol)
ESFramework介绍之(34)―― ITcpServerAgent和IUdpServerAgent组件关系图
ASANTE无线宽频路由器FR3002AL
C/C++中数组和指针类型的关系
asp常用函数(4)
转载:从 2.4 到 2.6:Linux 内核可装载模块机制的改变对设备驱动的影响
VB中如何修改treeview的背景色
ERP还需要创新吗
安装linux+apache+mysql+php
【相关评论】
没有相关评论
【发表评论】
|