Analysis of the Kaowuyou 2017 (考无忧2017) Offline Registration Algorithm (keygen removed)

Author: 肥牛  Date: 2017-06-02 16:29:52  Source: compiled by this site

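I read zjy-geek's post "考无忧2017 离线注册 破解 入门教程" (Kaowuyou 2017 offline registration cracking: a beginner's tutorial). It shows how to trace out the registration code, but it does not work out the algorithm behind the code.
So I am picking up where that post left off and analysing how the registration code is actually computed, which may be more helpful to newcomers.
Kaowuyou 2017 is written in Delphi XE2, so out of habit I used IDR for the analysis. For the parts that involve the registration-code algorithm I traced them in OD (OllyDbg) and added comments to make them easier to follow.
First, as in the original post, disconnect from the network so that registration falls back to offline registration. The fields to fill in are shown in the figure below:

The candidate name, mobile number, e-mail address and so on can be entered arbitrarily; the software does not validate them.
The registration code must be exactly 25 characters long; if it is not, the software shows a corresponding prompt.
The registration subject is filled in automatically by the software. I downloaded the winxp papers, so the subject here is winxp.
The machine code is also filled in automatically by the software.
What remains is for us to enter the offline registration code ourselves.
In IDR, look at the click event of the offline registration button.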

register.TregisterForm.BitmapButton5Click
00893A00        push        ebp
00893A01        mov         ebp,esp
00893A03        mov         ecx,11
00893A08        push        0
00893A0A        push        0
00893A0C        dec         ecx
00893A0D>       jne         00893A08
00893A0F        push        ecx
00893A10        push        ebx
00893A11        mov         ebx,eax
00893A13        xor         eax,eax
00893A15        push        ebp
00893A16        push        893EFB
00893A1B        push        dword ptr fs:[eax]
00893A1E        mov         dword ptr fs:[eax],esp
00893A21        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893A28        push        eax
00893A29        lea         eax,[ebp-4]
00893A2C        push        eax
00893A2D        lea         edx,[ebp-8]
00893A30        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit        //Edit6 is the offline registration code we entered
00893A36        call        TControl.GetText
00893A3B        mov         eax,dword ptr [ebp-8]
00893A3E        xor         ecx,ecx
00893A40        mov         edx,893F1C;' '
00893A45        call        StringReplace                                //remove spaces
00893A4A        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893A51        push        eax
00893A52        lea         eax,[ebp-4]
00893A55        push        eax
00893A56        lea         edx,[ebp-0C]
00893A59        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893A5F        call        TControl.GetText
00893A64        mov         eax,dword ptr [ebp-0C]
00893A67        xor         ecx,ecx
00893A69        mov         edx,893F2C;' '
00893A6E        call        StringReplace                                //remove full-width spaces
00893A73        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893A7A        push        eax
00893A7B        lea         eax,[ebp-4]
00893A7E        push        eax
00893A7F        lea         edx,[ebp-10]
00893A82        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893A88        call        TControl.GetText
00893A8D        mov         eax,dword ptr [ebp-10]
00893A90        mov         ecx,893F3C;'0'
00893A95        mov         edx,893F4C;'o'
00893A9A        call        StringReplace                                //replace lowercase letter o with 0
00893A9F        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893AA6        push        eax
00893AA7        lea         eax,[ebp-4]
00893AAA        push        eax
00893AAB        lea         edx,[ebp-14]
00893AAE        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893AB4        call        TControl.GetText
00893AB9        mov         eax,dword ptr [ebp-14]
00893ABC        mov         ecx,893F3C;'0'
00893AC1        mov         edx,893F5C;'o'
00893AC6        call        StringReplace                                //replace full-width lowercase letter o with 0
00893ACB        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893AD2        push        eax
00893AD3        lea         eax,[ebp-4]
00893AD6        push        eax
00893AD7        lea         edx,[ebp-18]
00893ADA        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893AE0        call        TControl.GetText
00893AE5        mov         eax,dword ptr [ebp-18]
00893AE8        mov         ecx,893F3C;'0'
00893AED        mov         edx,893F6C;'O'
00893AF2        call        StringReplace                                //replace uppercase letter O with 0
00893AF7        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893AFE        push        eax
00893AFF        lea         eax,[ebp-4]
00893B02        push        eax
00893B03        lea         edx,[ebp-1C]
00893B06        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893B0C        call        TControl.GetText
00893B11        mov         eax,dword ptr [ebp-1C]
00893B14        mov         ecx,893F3C;'0'
00893B19        mov         edx,893F7C;'O'
00893B1E        call        StringReplace                                //replace full-width uppercase letter O with 0
00893B23        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893B2A        push        eax
00893B2B        lea         eax,[ebp-4]
00893B2E        push        eax
00893B2F        lea         edx,[ebp-20]
00893B32        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893B38        call        TControl.GetText
00893B3D        mov         eax,dword ptr [ebp-20]
00893B40        mov         ecx,893F8C;'-'
00893B45        mov         edx,893F9C;'_'
00893B4A        call        StringReplace                                //replace underscore with minus sign -
00893B4F        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893B56        push        eax
00893B57        lea         eax,[ebp-4]
00893B5A        push        eax
00893B5B        lea         edx,[ebp-24]
00893B5E        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893B64        call        TControl.GetText
00893B69        mov         eax,dword ptr [ebp-24]
00893B6C        mov         ecx,893F8C;'-'
00893B71        mov         edx,893FAC;'——'                                //replace the double dash with minus sign -
00893B76        call        StringReplace
00893B7B        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893B82        push        eax
00893B83        lea         eax,[ebp-4]
00893B86        push        eax
00893B87        lea         edx,[ebp-28]
00893B8A        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893B90        call        TControl.GetText
00893B95        mov         eax,dword ptr [ebp-28]
00893B98        mov         ecx,893F8C;'-'
00893B9D        mov         edx,893FC0;'—'                                //replace the full-width horizontal line with minus sign -
00893BA2        call        StringReplace
00893BA7        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893BAE        push        eax
00893BAF        lea         eax,[ebp-4]
00893BB2        push        eax
00893BB3        lea         edx,[ebp-2C]
00893BB6        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893BBC        call        TControl.GetText
00893BC1        mov         eax,dword ptr [ebp-2C]
00893BC4        mov         ecx,893F8C;'-'
00893BC9        mov         edx,893FD0;'-'                                //replace the full-width minus sign with minus sign -
00893BCE        call        StringReplace
00893BD3        movzx       eax,byte ptr ds:[893F0C];0x1 gvar_00893F0C
00893BDA        push        eax
00893BDB        lea         eax,[ebp-4]
00893BDE        push        eax
00893BDF        lea         edx,[ebp-30]
00893BE2        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893BE8        call        TControl.GetText
00893BED        mov         eax,dword ptr [ebp-30]
00893BF0        mov         ecx,893F8C;'-'
00893BF5        mov         edx,893FE0;'_'
00893BFA        call        StringReplace                                //replace underscore with minus sign -
00893BFF        lea         ecx,[ebp-34]
00893C02        mov         edx,dword ptr [ebp-4]
00893C05        mov         eax,[007944CC];TZhou
00893C0A        call        TZhou.sbctoDbc
00893C0F        mov         edx,dword ptr [ebp-34]
00893C12        lea         eax,[ebp-4]
00893C15        call        @UStrLAsg
00893C1A        lea         edx,[ebp-38]
00893C1D        mov         eax,dword ptr [ebp-4]
00893C20        call        AnsiUpperCase
00893C25        mov         edx,dword ptr [ebp-38]
00893C28        lea         eax,[ebp-4]
00893C2B        call        @UStrLAsg
00893C30        mov         edx,dword ptr [ebp-4]
00893C33        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893C39        call        TControl.SetText
00893C3E        lea         edx,[ebp-3C]
00893C41        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893C47        call        TControl.GetText
00893C4C        cmp         dword ptr [ebp-3C],0
00893C50>       jne         00893C7D
00893C52        push        0
00893C54        mov         ecx,893FE4
00893C59        mov         edx,893FF0
00893C5E        mov         eax,[009295CC];^Application:TApplication
00893C63        mov         eax,dword ptr [eax]
00893C65        call        TApplication.MessageBox
00893C6A        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893C70        mov         edx,dword ptr [eax]
00893C72        call        dword ptr [edx+0F4];TWinControl.SetFocus
00893C78>       jmp         00893E54
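00893C7D        call        00892D40                                //this is the check function
                                                                //reasons: first, this CALL is immediately followed by a compare and a conditional jump;
                                                                //second, the jump target is also inside this section, so this should be where the registration code is checked.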
00893C82        cmp         dword ptr ds:[0A343D4],1;gvar_00A343D4
00893C89>       jne         00893E2E
00893C8F        lea         edx,[ebp-4C]
00893C92        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893C98        call        TControl.GetText
00893C9D        mov         eax,dword ptr [ebp-4C]
00893CA0        lea         edx,[ebp-48]
00893CA3        call        EncodeString
00893CA8        mov         eax,dword ptr [ebp-48]
00893CAB        lea         edx,[ebp-44]
00893CAE        call        0043121C
00893CB3        mov         ecx,dword ptr [ebp-44]
00893CB6        lea         eax,[ebp-40]
00893CB9        mov         edx,894010;'update user set Rcode='
00893CBE        call        @UStrCat3
00893CC3        mov         edx,dword ptr [ebp-40]
00893CC6        mov         eax,[0092946C];^gvar_00A345C8:TCtl
00893CCB        mov         eax,dword ptr [eax]
00893CCD        call        TCtl.exeSQLStatement
00893CD2        lea         edx,[ebp-5C]
00893CD5        mov         eax,dword ptr [ebx+3C4];TregisterForm.Edit1:TEdit
00893CDB        call        TControl.GetText
00893CE0        mov         eax,dword ptr [ebp-5C]
00893CE3        lea         edx,[ebp-58]
00893CE6        call        EncodeString
00893CEB        mov         eax,dword ptr [ebp-58]
00893CEE        lea         edx,[ebp-54]
00893CF1        call        0043121C
00893CF6        mov         ecx,dword ptr [ebp-54]
00893CF9        lea         eax,[ebp-50]
00893CFC        mov         edx,89404C;'update user set Acode='
00893D01        call        @UStrCat3
00893D06        mov         edx,dword ptr [ebp-50]
00893D09        mov         eax,[0092946C];^gvar_00A345C8:TCtl
00893D0E        mov         eax,dword ptr [eax]
00893D10        call        TCtl.exeSQLStatement
00893D15        lea         edx,[ebp-6C]
00893D18        mov         eax,dword ptr [ebx+3B8];TregisterForm.Edit2:TEdit
00893D1E        call        TControl.GetText
00893D23        mov         eax,dword ptr [ebp-6C]
00893D26        lea         edx,[ebp-68]
00893D29        call        Trim
00893D2E        mov         eax,dword ptr [ebp-68]
00893D31        lea         edx,[ebp-64]
00893D34        call        0043121C
00893D39        mov         ecx,dword ptr [ebp-64]
00893D3C        lea         eax,[ebp-60]
00893D3F        mov         edx,894088;'update user set Name='
00893D44        call        @UStrCat3
00893D49        mov         edx,dword ptr [ebp-60]
00893D4C        mov         eax,[0092946C];^gvar_00A345C8:TCtl
00893D51        mov         eax,dword ptr [eax]
00893D53        call        TCtl.exeSQLStatement
00893D58        lea         edx,[ebp-7C]
00893D5B        mov         eax,dword ptr [ebx+3BC];TregisterForm.Edit4:TEdit
00893D61        call        TControl.GetText
00893D66        mov         eax,dword ptr [ebp-7C]
00893D69        lea         edx,[ebp-78]
00893D6C        call        Trim
00893D71        mov         eax,dword ptr [ebp-78]
00893D74        lea         edx,[ebp-74]
00893D77        call        0043121C
00893D7C        mov         ecx,dword ptr [ebp-74]
00893D7F        lea         eax,[ebp-70]
00893D82        mov         edx,8940C0;'update user set Phone='
00893D87        call        @UStrCat3
00893D8C        mov         edx,dword ptr [ebp-70]
00893D8F        mov         eax,[0092946C];^gvar_00A345C8:TCtl
00893D94        mov         eax,dword ptr [eax]
00893D96        call        TCtl.exeSQLStatement
00893D9B        lea         edx,[ebp-8C]
00893DA1        mov         eax,dword ptr [ebx+3C0];TregisterForm.Edit5:TEdit
00893DA7        call        TControl.GetText
00893DAC        mov         eax,dword ptr [ebp-8C]
00893DB2        lea         edx,[ebp-88]
00893DB8        call        Trim
00893DBD        mov         eax,dword ptr [ebp-88]
00893DC3        lea         edx,[ebp-84]
00893DC9        call        0043121C
00893DCE        mov         ecx,dword ptr [ebp-84]
00893DD4        lea         eax,[ebp-80]
00893DD7        mov         edx,8940FC;'update user set Email='
00893DDC        call        @UStrCat3
00893DE1        mov         edx,dword ptr [ebp-80]
00893DE4        mov         eax,[0092946C];^gvar_00A345C8:TCtl
00893DE9        mov         eax,dword ptr [eax]
00893DEB        call        TCtl.exeSQLStatement
00893DF0        push        0
00893DF2        mov         ecx,893FE4
00893DF7        mov         edx,89412C
00893DFC        mov         eax,[009295CC];^Application:TApplication
00893E01        mov         eax,dword ptr [eax]
00893E03        call        TApplication.MessageBox
00893E08        mov         eax,[0092946C];^gvar_00A345C8:TCtl
00893E0D        mov         eax,dword ptr [eax]
00893E0F        call        TCtl.clearTryHistroy
00893E14        push        1
00893E16        push        894154;'start.exe'
00893E1B        call        kernel32.WinExec
00893E20        mov         eax,[009295CC];^Application:TApplication
00893E25        mov         eax,dword ptr [eax]
00893E27        call        TApplication.Terminate
00893E2C>       jmp         00893E54
00893E2E        push        0
00893E30        mov         ecx,893FE4
00893E35        mov         edx,894160
00893E3A        mov         eax,[009295CC];^Application:TApplication
00893E3F        mov         eax,dword ptr [eax]
00893E41        call        TApplication.MessageBox
00893E46        mov         eax,dword ptr [ebx+3D0];TregisterForm.Edit6:TEdit
00893E4C        mov         edx,dword ptr [eax]
00893E4E        call        dword ptr [edx+0F4];TWinControl.SetFocus
00893E54        xor         eax,eax
00893E56        pop         edx
00893E57        pop         ecx
00893E58        pop         ecx
00893E59        mov         dword ptr fs:[eax],edx
00893E5C        push        893F05
00893E61        lea         eax,[ebp-8C]
00893E67        call        @UStrClr
00893E6C        lea         eax,[ebp-88]
00893E72        mov         edx,3
00893E77        call        @UStrArrayClr
00893E7C        lea         eax,[ebp-7C]
00893E7F        call        @UStrClr
00893E84        lea         eax,[ebp-78]
00893E87        mov         edx,3
00893E8C        call        @UStrArrayClr
00893E91        lea         eax,[ebp-6C]
00893E94        call        @UStrClr
00893E99        lea         eax,[ebp-68]
00893E9C        mov         edx,3
00893EA1        call        @UStrArrayClr
00893EA6        lea         eax,[ebp-5C]
00893EA9        call        @UStrClr
00893EAE        lea         eax,[ebp-58]
00893EB1        mov         edx,3
00893EB6        call        @UStrArrayClr
00893EBB        lea         eax,[ebp-4C]
00893EBE        call        @UStrClr
00893EC3        lea         eax,[ebp-48]
00893EC6        mov         edx,3
00893ECB        call        @UStrArrayClr
00893ED0        lea         eax,[ebp-3C]
00893ED3        call        @UStrClr
00893ED8        lea         eax,[ebp-38]
00893EDB        mov         edx,2
00893EE0        call        @UStrArrayClr
00893EE5        lea         eax,[ebp-30]
00893EE8        mov         edx,0B
00893EED        call        @UStrArrayClr
00893EF2        lea         eax,[ebp-4]
00893EF5        call        @UStrClr
00893EFA        ret
00893EFB>       jmp         @HandleFinally
00893F00>       jmp         00893E61
00893F05        pop         ebx
00893F06        mov         esp,ebp
00893F08        pop         ebp
00893F09        ret



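The large first part of the code only does some minor processing of the offline registration code that was entered, mainly converting characters to half-width. Further down there is a function call followed by a check, which I have marked. Why that function deserves attention is cracking experience, and I am sharing it along with the rest.
So let us move on to that function. Analysing the code alone may be hard to follow, so I have also added the example values from the OD trace to make it easier to understand.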

register.sub_00892D40
00892D40        push        ebp
00892D41        mov         ebp,esp
00892D43        mov         ecx,8
00892D48        push        0
00892D4A        push        0
00892D4C        dec         ecx
00892D4D>       jne         00892D48
00892D4F        push        ecx
00892D50        push        ebx
00892D51        push        esi
00892D52        push        edi
00892D53        xor         eax,eax
00892D55        push        ebp
00892D56        push        892F39
00892D5B        push        dword ptr fs:[eax]
00892D5E        mov         dword ptr fs:[eax],esp
00892D61        xor         eax,eax
00892D63        push        ebp
00892D64        push        892EFF
00892D69        push        dword ptr fs:[eax]
00892D6C        mov         dword ptr fs:[eax],esp
00892D6F        mov         dl,1
00892D71        mov         eax,[00765BD8];TIdHashMessageDigest5
00892D76        call        TIdHashMessageDigest4.Create;TIdHashMessageDigest5.Create
00892D7B        mov         ebx,eax
00892D7D        lea         edx,[ebp-4]
00892D80        mov         eax,[00A343A8];gvar_00A343A8:TregisterForm
00892D85        mov         eax,dword ptr [eax+3C4]
00892D8B        call        TControl.GetText
00892D90        movzx       eax,byte ptr ds:[892F4C];0x1 gvar_00892F4C
00892D97        push        eax
00892D98        lea         eax,[ebp-1C]
00892D9B        push        eax
00892D9C        movzx       eax,byte ptr ds:[892F4C];0x1 gvar_00892F4C
00892DA3        push        eax
00892DA4        lea         eax,[ebp-20]
00892DA7        push        eax
00892DA8        push        dword ptr ds:[0A343B4];gvar_00A343B4:UnicodeString                        //4700D-936AF-CEB02-9A5B8, i.e. the machine code
00892DAE        push        892F5C;'&'                                                                //the & character
00892DB3        push        dword ptr [ebp-4]                                                        //1234567890123456789012345, the registration code we entered
00892DB6        push        892F5C;'&'                                                                //the & character
00892DBB        lea         eax,[ebp-2C]
00892DBE        mov         edx,4                                                                //4 parts in total
00892DC3        call        @UStrCatN                                                                //concatenate the 4 parts: machine code & registration code &
00892DC8        mov         edx,dword ptr [ebp-2C]                                                //the concatenated string is 4700D-936AF-CEB02-9A5B8&1234567890123456789012345&
00892DCB        lea         ecx,[ebp-28]
00892DCE        mov         eax,[007944CC];TZhou
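00892DD3        call        TZhou.sbctoDbc                                                        //not sure yet what this does; it should be a string-processing function, but it seems to have no effect on our string, so skip it for now
                                                                                                //I looked it up on Baidu: sbctoDbc should be a full-width to half-width conversion function, so it is simply ignored here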
00892DD8        mov         eax,dword ptr [ebp-28]
00892DDB        lea         edx,[ebp-24]
00892DDE        call        AnsiUpperCase
00892DE3        mov         eax,dword ptr [ebp-24]
00892DE6        xor         ecx,ecx
00892DE8        mov         edx,892F6C;'-'
00892DED        call        StringReplace                                                        //remove minus signs -
00892DF2        mov         eax,dword ptr [ebp-20]
00892DF5        xor         ecx,ecx
00892DF7        mov         edx,892F7C;' '
00892DFC        call        StringReplace                                                        //remove spaces
00892E01        mov         edx,dword ptr [ebp-1C]                                                //so we get the string 4700D936AFCEB029A5B8&1234567890123456789012345&
00892E04        lea         eax,[ebp-8]
00892E07        mov         ecx,dword ptr ds:[0A343C0];gvar_00A343C0:UnicodeString                //this is the registration subject, winxp
00892E0D        call        @UStrCat3                                                                //concatenate again
00892E12        lea         eax,[ebp-0C]
00892E15        push        eax
00892E16        xor         ecx,ecx
00892E18        mov         edx,dword ptr [ebp-8]                                                //which gives the new string 4700D936AFCEB029A5B8&1234567890123456789012345&winxp
00892E1B        mov         eax,ebx
00892E1D        call        TIdHash.HashStringAsHex                                                //MD5 this string, giving FF154F7AFB41E7B90B99D975625C6A57
00892E22        lea         eax,[ebp-10]
00892E25        push        eax
00892E26        lea         eax,[ebp-30]
00892E29        push        eax
00892E2A        mov         ecx,14                                                                //0x14=20
00892E2F        xor         edx,edx
00892E31        mov         eax,dword ptr [ebp-0C]
00892E34        call        @UStrCopy                                                                //take the first 20 characters, giving the string FF154F7AFB41E7B90B99
00892E39        mov         edx,dword ptr [ebp-30]
00892E3C        xor         ecx,ecx
00892E3E        mov         eax,ebx
00892E40        call        TIdHash.HashStringAsHex                                                //MD5 again, giving A3122F54C1523C53FE1CF250E62D7BC9
00892E45        lea         eax,[ebp-34]
00892E48        push        eax
00892E49        mov         ecx,5
00892E4E        xor         edx,edx
00892E50        mov         eax,dword ptr [ebp-10]
00892E53        call        @UStrCopy                                                                //take the first 5 characters, A3122
00892E58        push        dword ptr [ebp-34]
00892E5B        push        892F6C;'-'                                                                //append -
00892E60        lea         eax,[ebp-38]
00892E63        push        eax
00892E64        mov         ecx,5                                                                //take 5 characters
00892E69        mov         edx,6                                                                //starting from position 6
00892E6E        mov         eax,dword ptr [ebp-10]
00892E71        call        @UStrCopy                                                                //giving F54C1
00892E76        push        dword ptr [ebp-38]
00892E79        push        892F6C;'-'                                                                //append - again
00892E7E        lea         eax,[ebp-3C]
00892E81        push        eax
00892E82        mov         ecx,5                                                                //take 5 characters
00892E87        mov         edx,0B                                                                //starting from position 11
00892E8C        mov         eax,dword ptr [ebp-10]
00892E8F        call        @UStrCopy                                                                //giving 523C5
00892E94        push        dword ptr [ebp-3C]
00892E97        push        892F6C;'-'                                                                //append - again
00892E9C        lea         eax,[ebp-40]
00892E9F        push        eax
00892EA0        mov         ecx,5                                                                //take 5 characters
00892EA5        mov         edx,10                                                                //starting from position 16
00892EAA        mov         eax,dword ptr [ebp-10]
00892EAD        call        @UStrCopy                                                                //giving 3FE1C
00892EB2        push        dword ptr [ebp-40]
00892EB5        lea         eax,[ebp-14]
00892EB8        mov         edx,7                                                                //7 parts in total
00892EBD        call        @UStrCatN                                                                //concatenate, giving A3122-F54C1-523C5-3FE1C
00892EC2        lea         edx,[ebp-44]
00892EC5        mov         eax,[00A343A8];gvar_00A343A8:TregisterForm
00892ECA        mov         eax,dword ptr [eax+3D0]
00892ED0        call        TControl.GetText
00892ED5        mov         edx,dword ptr [ebp-44]                                                //the offline registration code that was entered, ABCDE
00892ED8        mov         eax,dword ptr [ebp-14]                                                //the offline registration code just computed, A3122-F54C1-523C5-3FE1C
00892EDB        call        @UStrEqual                                                                //check whether they are equal
00892EE0>       jne         00892EEE
00892EE2        mov         dword ptr ds:[0A343D4],1;gvar_00A343D4
00892EEC>       jmp         00892EF5
00892EEE        xor         eax,eax
00892EF0        mov         [00A343D4],eax;gvar_00A343D4
00892EF5        xor         eax,eax
00892EF7        pop         edx
00892EF8        pop         ecx
00892EF9        pop         ecx
00892EFA        mov         dword ptr fs:[eax],edx
00892EFD>       jmp         00892F09
00892EFF>       jmp         @HandleAnyException
00892F04        call        @DoneExcept
00892F09        xor         eax,eax
00892F0B        pop         edx
00892F0C        pop         ecx
00892F0D        pop         ecx
00892F0E        mov         dword ptr fs:[eax],edx
00892F11        push        892F40
00892F16        lea         eax,[ebp-44]
00892F19        call        @UStrClr
00892F1E        lea         eax,[ebp-40]
00892F21        mov         edx,0A
00892F26        call        @UStrArrayClr
00892F2B        lea         eax,[ebp-14]
00892F2E        mov         edx,5
00892F33        call        @UStrArrayClr
00892F38        ret
00892F39>       jmp         @HandleFinally
00892F3E>       jmp         00892F16
00892F40        mov         eax,dword ptr [ebp-18]
00892F43        pop         edi
00892F44        pop         esi
00892F45        pop         ebx
00892F46        mov         esp,ebp
00892F48        pop         ebp
00892F49        ret


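You should be able to follow this code now, right? The algorithm is actually very simple: concatenate the strings, MD5 the result, take the first 20 characters, MD5 once more, then take the first 20 characters again, split them into groups of 5 and join the groups with -. That is the real offline registration code.
I also wrote a keygen along the way; the result of using it is as follows:


In theory this keygen should be able to register every Kaowuyou product. I have not tried it; anyone interested can try for themselves.

One addition: if the subject name is in Chinese, use the first letter of each character as the subject name when registering. For example, for "一级注册消防工程师" use "yjzcxfgcs". This is a setting of the software that appears to be hard-coded, and the name differs for each piece of software.

Sorry, because commercial copyright is involved I am not releasing the keygen. Those who are able can write it themselves; I have already explained it this clearly, and if you still cannot write it, then everything I said above was all in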
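
The check routine traced above derives the expected code on the client from values the user can see, so reading the routine is enough to reproduce it. As an added example (not code from the original post or from the product), the Go program below shows the usual mitigation: the vendor signs the machine code and subject with Ed25519 and the client only verifies against an embedded public key. The fixed key seed, the `licence-v1` message layout and all function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// Base32 without padding keeps the code typeable (A-Z and 2-7 only).
var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// DemoKeys derives a key pair from a constructed, fixed seed so the example is
// reproducible. Assumption: a real vendor generates the key randomly and keeps
// the private half on its licence server; only the public half ships.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// normalize applies the clean-up the traced routine performs before hashing:
// upper-case, then drop '-' and spaces.
func normalize(s string) string {
	return strings.NewReplacer("-", "", " ", "").Replace(strings.ToUpper(s))
}

// licenceMessage binds a licence to one machine and one subject. NUL
// separators keep the fields unambiguous (hypothetical layout).
func licenceMessage(machineCode, subject string) []byte {
	return []byte("licence-v1\x00" + normalize(machineCode) + "\x00" + strings.TrimSpace(subject))
}

// group5 formats a code as XXXXX-XXXXX-... for display and manual entry.
func group5(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i += 5 {
		if i > 0 {
			b.WriteByte('-')
		}
		end := i + 5
		if end > len(s) {
			end = len(s)
		}
		b.WriteString(s[i:end])
	}
	return b.String()
}

// IssueLicence runs on the vendor side only; it needs the private key.
func IssueLicence(priv ed25519.PrivateKey, machineCode, subject string) string {
	sig := ed25519.Sign(priv, licenceMessage(machineCode, subject))
	return group5(enc.EncodeToString(sig))
}

// VerifyLicence is everything the client ships: the public key and this check.
// Nothing in it allows a valid licence to be computed.
func VerifyLicence(pub ed25519.PublicKey, machineCode, subject, licence string) error {
	sig, err := enc.DecodeString(normalize(licence))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed licence")
	}
	if !ed25519.Verify(pub, licenceMessage(machineCode, subject), sig) {
		return errors.New("signature does not match this machine and subject")
	}
	return nil
}

func main() {
	pub, priv := DemoKeys()
	// Machine code and subject are the sample values from the trace above.
	lic := IssueLicence(priv, "4700D-936AF-CEB02-9A5B8", "winxp")
	fmt.Println("licence:", lic)
	fmt.Println("same machine: ", VerifyLicence(pub, "4700d936afceb029a5b8", "winxp", lic))
	fmt.Println("other machine:", VerifyLicence(pub, "4700D-936AF-CEB02-9A5B9", "winxp", lic))
	fmt.Println("other subject:", VerifyLicence(pub, "4700D-936AF-CEB02-9A5B8", "word", lic))
}
```

A 64-byte signature encodes to 103 base32 characters, so the code is much longer than the 20-character one traced above; that length is the cost of keeping the secret out of the client.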


