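2004-10-15 Author: 蓝点
ID Card Information Lookup and Validation (IdCard) v1.01
Software name: ID Card Information Lookup and Validation (IdCard) v1.01
Software language: Simplified Chinese
Software type: Shareware / Utilities / Other tools
Platform: WinXP, Win2000, NT, WinME, Win9X
License: Shareware
Size: 747 KB
Software rating:
Listed on: 2003-4-22 22:33:00
Developer:
Download: http://ttdown.com/SoftView_12998.htm
Software description
This program is used to look up and validate ID card numbers, and it can also upgrade old 15-digit ID card numbers to the new 18-digit format. It is especially suited to looking up and validating information about the holder of an unfamiliar ID card number.
Features:
1. Look up the address, birthday, sex and other information of the holder of an ID card number.
2. Validate an ID card number and check whether it is genuine.
3. Upgrade an old 15-digit ID card number to the new 18-digit format.
Usage: enter the ID card number to look up, and the program shows the holder's address, birthday, sex and other information, and checks whether the number is genuine.
[Author's statement]: I am only interested in cracking and have no other purpose.
[Tools]: Ollydbg 1.09 Chinese edition, TRW2000 V1.23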
—————————————————————————————
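[Process]:
This program has anti-Ollydbg protection and is packed, and I did not manage to unpack it. So I used TRW2000's universal breakpoint to find the entry point of the registration code calculation, then used Ollydbg's attach feature to trace the program. Fill in the registration information (user name: fxyang, trial code: 7894561230123456) and tracing arrives here: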
004A120C PUSH EBP
004A120D PUSH 4A128A
004A1212 PUSH DWORD PTR FS:[EAX]
004A1215 MOV DWORD PTR FS:[EAX], ESP
004A1218 LEA EDX, DWORD PTR SS:[EBP-1C]
004A121B MOV EAX, DWORD PTR DS:[EBX+2F8]
004A1221 CALL 004388D8 ; IDCard.004388D8
004A1226 MOV EAX, DWORD PTR SS:[EBP-1C] ; EAX<--00E5A784,(ASCII"7894561230123456")
004A1229 LEA EDX, DWORD PTR SS:[EBP-18]
004A122C CALL 0049BBAC ; <-- check that the first part of the registration code is valid
====>F8
-------- check that the first part of the registration code is valid ---------
|
0049BBBB PUSH ECX
0049BBBC PUSH EBX
0049BBBD PUSH ESI
0049BBBE PUSH EDI
0049BBBF MOV DWORD PTR SS:[EBP-8], E>
0049BBC2 MOV DWORD PTR SS:[EBP-4], E>; EAX<--00E5A784,(ASCII"7894561230123456")
0049BBC5 MOV EAX, DWORD PTR SS:[EBP->; EAX<--00E5A784,(ASCII"7894561230123456")
0049BBC8 CALL 00404950 ; IDCard.00404950
0049BBCD XOR EAX, EAX
0049BBCF PUSH EBP
0049BBD0 PUSH 49BD33
0049BBD5 PUSH DWORD PTR FS:[EAX]
0049BBD8 MOV DWORD PTR FS:[EAX], ESP
0049BBDB XOR EAX, EAX
0049BBDD PUSH EBP
0049BBDE PUSH 49BD06
0049BBE3 PUSH DWORD PTR FS:[EAX]
0049BBE6 MOV DWORD PTR FS:[EAX], ESP
0049BBE9 PUSH 6FB2
0049BBEE LEA EAX, DWORD PTR SS:[EBP->
0049BBF1 PUSH EAX
0049BBF2 LEA EAX, DWORD PTR SS:[EBP->
0049BBF5 PUSH EAX
0049BBF6 MOV ECX, 9 <--- number of characters to take (9)
0049BBFB MOV EDX, 1
0049BC00 MOV EAX, DWORD PTR SS:[EBP->; EAX<--00E5A784,(ASCII"7894561230123456")
0049BC03 CALL 004049C0 ; <-- take the first 9 characters of the trial code
0049BC08 MOV EAX, DWORD PTR SS:[EBP->; EAX=00D955C4,(ASCII "789456123")
0049BC0B LEA EDX, DWORD PTR SS:[EBP->
0049BC0E CALL 0049BAF4 ; <-- convert the string above, three digits per group, to hex values
====>F8
-------- convert the string above, three digits per group, to hex values ---------
|
0049BAF4 PUSH EBP
0049BAF5 MOV EBP, ESP
0049BAF7 PUSH 0
0049BAF9 PUSH 0
0049BAFB PUSH 0
0049BAFD PUSH EBX
0049BAFE PUSH ESI
0049BAFF MOV ESI, EDX
0049BB01 MOV DWORD PTR SS:[EBP-4], EAX ; EAX=00D955C4,(ASCII "789456123")
0049BB04 MOV EAX, DWORD PTR SS:[EBP-4] ; EAX=00D955C4,(ASCII "789456123")
0049BB07 CALL 00404950 ; IDCard.00404950
0049BB0C XOR EAX, EAX
0049BB0E PUSH EBP
0049BB0F PUSH 49BB9C
0049BB14 PUSH DWORD PTR FS:[EAX]
0049BB17 MOV DWORD PTR FS:[EAX], ESP
0049BB1A MOV EBX, 1
0049BB1F MOV EAX, ESI
0049BB21 CALL 004044B0 ; IDCard.004044B0
0049BB26 MOV EAX, DWORD PTR SS:[EBP-4] ; EAX=00D955C4,(ASCII "789456123")
0049BB29 CALL 00404768 ; IDCard.00404768
0049BB2E MOV ECX, 3 ; ECX=3
0049BB33 CDQ
0049BB34 IDIV ECX
0049BB36 TEST EDX, EDX
0049BB38 JNZ SHORT 0049BB81 ; IDCard.0049BB81
0049BB3A JMP SHORT 0049BB75 ; IDCard.0049BB75
0049BB3C LEA EAX, DWORD PTR SS:[EBP-C]
0049BB3F PUSH EAX
0049BB40 MOV ECX, 3
0049BB45 MOV EDX, EBX
0049BB47 MOV EAX, DWORD PTR SS:[EBP-4] ; EAX=00D955C4,(ASCII "789456123")
0049BB4A CALL 004049C0 ; <-- take the first three digits ("789")
0049BB4F MOV EAX, DWORD PTR SS:[EBP-C] ; EAX<--00E5A730,(ASCII"789")
0049BB52 CALL 00408A84 ; <-- convert "789" to the hex value "315"
=====>F8
----- convert "789" to the hex value "315" ------
|
004030C2 SUB BL, 30
004030C5 CMP BL, 9
004030C8 JA SHORT 004030EF ; IDCard.004030EF
004030CA CMP EAX, EDI
004030CC JA SHORT 004030EF ; IDCard.004030EF
004030CE LEA EAX, DWORD PTR DS:[EAX+EAX*4]
004030D1 ADD EAX, EAX
004030D3 ADD EAX, EBX
004030D5 MOV BL, BYTE PTR DS:[ESI]
004030D7 INC ESI
004030D8 TEST BL, BL
004030DA JNZ SHORT 004030C2
<-- this loop converts "789" to the hex value "315"
-----------------------------------------
Continue:
|
0049BB57 MOV EDX, EAX ; EDX=EAX=315
0049BB59 LEA EAX, DWORD PTR SS:[EBP-8]
0049BB5C CALL 00404690 ; IDCard.00404690
0049BB61 MOV EDX, DWORD PTR SS:[EBP-8]
0049BB64 MOV EAX, ESI
0049BB66 CALL 00404770 ; IDCard.00404770
0049BB6B ADD EBX, 3
0049BB6E JNO SHORT 0049BB75 ; IDCard.0049BB75
0049BB70 CALL 00403684 ; IDCard.00403684
0049BB75 MOV EAX, DWORD PTR SS:[EBP-4] ; EAX=00D955C4,(ASCII "789456123")
0049BB78 CALL 00404768 ; IDCard.00404768
0049BB7D CMP EBX, EAX
0049BB7F JL SHORT 0049BB3C ; IDCard.0049BB3C
0049BB81 XOR EAX, EAX
0049BB83 POP EDX
0049BB84 POP ECX
0049BB85 POP ECX
0049BB86 MOV DWORD PTR FS:[EAX], EDX
0049BB89 PUSH 49BBA3
0049BB8E LEA EAX, DWORD PTR SS:[EBP-C]
0049BB91 MOV EDX, 3
0049BB96 CALL 004044D4 ; IDCard.004044D4
0049BB9B RETN
-----------------------------------------
Continue:
|
0049BC13 MOV EAX, DWORD PTR SS:[EBP->
0049BC16 MOV ECX, 0C891 ; ECX=0C891
0049BC1B MOV EDX, 3D0 ; EDX=3D0
0049BC20 CALL 0049BA54 ; <-- compute a new value from the values above
===>F8
------- compute a new value from the values above --------
|
0049BA54 PUSH EBP
0049BA55 MOV EBP, ESP
0049BA57 ADD ESP, -0C
0049BA5A PUSH EBX
0049BA5B PUSH ESI
0049BA5C PUSH EDI
0049BA5D XOR EBX, EBX
0049BA5F MOV DWORD PTR SS:[EBP-C], EBX
0049BA62 MOV DWORD PTR SS:[EBP-4], ECX
0049BA65 MOV ESI, EDX ; EDX=3D0=ESI
0049BA67 MOV EDI, EAX
0049BA69 XOR EAX, EAX
0049BA6B PUSH EBP
0049BA6C PUSH 49BAE2
0049BA71 PUSH DWORD PTR FS:[EAX]
0049BA74 MOV DWORD PTR FS:[EAX], ESP
0049BA77 MOV EAX, DWORD PTR SS:[EBP+8]
0049BA7A CALL 004044B0 ; IDCard.004044B0
0049BA7F MOV EAX, EDI
0049BA81 CALL 00404768 ; IDCard.00404768
0049BA86 TEST AL, AL
0049BA88 JBE SHORT 0049BACC ; IDCard.0049BACC
0049BA8A MOV BYTE PTR SS:[EBP-5], AL ; AL=3
0049BA8D MOV BL, 1 ; BL=1
0049BA8F LEA EAX, DWORD PTR SS:[EBP-C]
0049BA92 XOR EDX, EDX
0049BA94 MOV DL, BL ; DL=BL=1
0049BA96 MOV DL, BYTE PTR DS:[EDI+EDX-1] ; DL=DS:[EDI+EDX-1]=15 (315)|=C8 (1C8)|=7B (7B)
0049BA9A MOV ECX, ESI ; ECX=ESI=3D0|=030D8C67|=50FA1F51
0049BA9C SHR ECX, 8 ; ECX=3|=30D8C=50FA1F
0049BA9F XOR DL, CL ; DL=15 XOR 03=16|=C8 XOR 8C=44|=7B XOR 1F=64
0049BAA1 CALL 00404690 ; IDCard.00404690
0049BAA6 MOV EDX, DWORD PTR SS:[EBP-C] ; EDX=00D9AFD8<--("16")
0049BAA9 MOV EAX, DWORD PTR SS:[EBP+8]
0049BAAC CALL 00404770 ; IDCard.00404770
0049BAB1 MOV EAX, DWORD PTR SS:[EBP+8]
0049BAB4 XOR EAX, EAX
0049BAB6 MOV AL, BL ; BL=1
0049BAB8 MOVZX EAX, BYTE PTR DS:[EDI+EAX-1]
; EAX=DS:[EDI+EDX-1]=15 (315)|=C8 (1C8)|=7B (7B)
0049BABD ADD ESI, EAX
; ESI=3D0+15=3E5|=030D8C67+C8=030D8D2F|=50FA1F51+7B=50FA1FCC
0049BABF IMUL ESI, DWORD PTR SS:[EBP-4]
; ESI=3E5*C891=030D1CB5|=030D8D2F*C891=50F9AF9F|=50FA1FCC*C891=4683628C
0049BAC3 ADD ESI, DWORD PTR SS:[EBP+C]
; ESI=030D1CB5+6FB2=030D8C67|=50F9AF9F+6FB2=50FA1F51|=4683628C+6FB2=4683D23E
0049BAC6 INC EBX ; EBX=1++
0049BAC7 DEC BYTE PTR SS:[EBP-5] ; SS:[0012F847]=03--
0049BACA JNZ SHORT 0049BA8F ; IDCard.0049BA8F
0049BACC XOR EAX, EAX
0049BACE POP EDX
0049BACF POP ECX
0049BAD0 POP ECX
0049BAD1 MOV DWORD PTR FS:[EAX], EDX
0049BAD4 PUSH 49BAE9
0049BAD9 LEA EAX, DWORD PTR SS:[EBP-C]
0049BADC CALL 004044B0 ; IDCard.004044B0
0049BAE1 RETN
-----------------------------------------
Continue:
|
0049BC25 MOV EAX, DWORD PTR SS:[EBP->; EAX=00D9A910,(ASCII "867")
0049BC28 CALL 00408A84 ; <-- check that the computed value is valid
====>F8
------ check that the computed value is valid --------
|
00403070 PUSH EBX
00403071 PUSH ESI
00403072 PUSH EDI
00403073 MOV ESI, EAX ; EAX<--00E5A730,(ASCII"789")
00403075 PUSH EAX
00403076 TEST EAX, EAX
00403078 JE SHORT 004030E6 ; IDCard.004030E6
0040307A XOR EAX, EAX
0040307C XOR EBX, EBX
0040307E MOV EDI, 0CCCCCCC
00403083 MOV BL, BYTE PTR DS:[ESI] ; BL=DS:[ESI]=37 ||||=16(1)
00403085 INC ESI
00403086 CMP BL, 20
00403089 JE SHORT 00403083 ; IDCard.00403083
0040308B MOV CH, 0
0040308D CMP BL, 2D
00403090 JE SHORT 004030F4 ; IDCard.004030F4
00403092 CMP BL, 2B
00403095 JE SHORT 004030F6 ; IDCard.004030F6
00403097 CMP BL, 24
0040309A JE SHORT 004030FB ; IDCard.004030FB
0040309C CMP BL, 78
0040309F JE SHORT 004030FB ; IDCard.004030FB
004030A1 CMP BL, 58
004030A4 JE SHORT 004030FB ; IDCard.004030FB
004030A6 CMP BL, 30
004030A9 JNZ SHORT 004030BE ; IDCard.004030BE
004030AB MOV BL, BYTE PTR DS:[ESI]
004030AD INC ESI
004030AE CMP BL, 78
004030B1 JE SHORT 004030FB ; IDCard.004030FB
004030B3 CMP BL, 58
004030B6 JE SHORT 004030FB ; IDCard.004030FB
004030B8 TEST BL, BL
004030BA JE SHORT 004030DC ; IDCard.004030DC
004030BC JMP SHORT 004030C2 ; IDCard.004030C2
004030BE TEST BL, BL
004030C0 JE SHORT 004030EF \
004030C2 SUB BL, 30 |
004030C5 CMP BL, 9 |<-- validity check
004030C8 JA SHORT 004030EF |
004030CA CMP EAX, EDI |
004030CC JA SHORT 004030EF /
Note: the check tests whether the value computed above consists of digits
------------------------------------
|
0049BC2D MOV EBX, EAX ; EBX=EAX=363
0049BC2F PUSH 6FB2
0049BC34 LEA EAX, DWORD PTR SS:[EBP->
0049BC37 PUSH EAX
0049BC38 LEA EAX, DWORD PTR SS:[EBP->
0049BC3B PUSH EAX
0049BC3C MOV ECX, 0F ; <--- number of characters to take (15); change the trial code to 30 characters and continue
0049BC41 MOV EDX, 0A
0049BC46 MOV EAX, DWORD PTR SS:[EBP->; EAX<--00E49794,(ASCII"315359390147258")
0049BC49 CALL 004049C0 ; <-- take the first 15 characters of the rest of the trial code, "315359390315359"
0049BC4E MOV EAX, DWORD PTR SS:[EBP->; EAX<--01C19570,(ASCII "315359390315359")
0049BC51 LEA EDX, DWORD PTR SS:[EBP->
0049BC54 CALL 0049BAF4 <-- convert the string above, three digits per group, to hex values
0049BC59 MOV EAX, DWORD PTR SS:[EBP->
0049BC5C MOV ECX, 0C891
0049BC61 MOV EDX, 3D0
0049BC66 CALL 0049BA54 ; <-- compute a new value from the values above
0049BC6B MOV EAX, DWORD PTR SS:[EBP->; EAX=00D9A910,(ASCII "86725")
0049BC6E CALL 00408A84 <-- check that the computed value is valid
; Note: the calculation and the check work the same way as above
0049BC73 MOV ESI, EAX
0049BC75 PUSH 6FB2
0049BC7A LEA EAX, DWORD PTR SS:[EBP->
0049BC7D PUSH EAX
0049BC7E LEA EAX, DWORD PTR SS:[EBP->
0049BC81 PUSH EAX
0049BC82 MOV ECX, 0F ; <--- number of characters to take (15); change the trial code to 40 characters and continue
0049BC87 MOV EDX, 19
0049BC8C MOV EAX, DWORD PTR SS:[EBP->
0049BC8F CALL 004049C0 ; IDCard.004049C0
0049BC94 MOV EAX, DWORD PTR SS:[EBP->
0049BC97 LEA EDX, DWORD PTR SS:[EBP->
0049BC9A CALL 0049BAF4 <-- convert the string above, three digits per group, to hex values
0049BC9F MOV EAX, DWORD PTR SS:[EBP->
0049BCA2 MOV ECX, 0C891
0049BCA7 MOV EDX, 3D0
0049BCAC CALL 0049BA54 ; <-- compute a new value from the values above
0049BCB1 MOV EAX, DWORD PTR SS:[EBP->; EAX=00D9A910,(ASCII "86725")
0049BCB4 CALL 00408A84 <-- check that the computed value is valid
; Note: the calculation and the check work the same way as above
0049BCB9 MOV EDI, EAX ; EAX=152C5=EDI
0049BCBB PUSH EDI
0049BCBC MOV EAX, DWORD PTR SS:[EBP->
0049BCBF PUSH EAX
0049BCC0 LEA EAX, DWORD PTR SS:[EBP->
0049BCC3 PUSH EAX
0049BCC4 MOV EAX, DWORD PTR SS:[EBP->
; EAX<--01C13B94 ASCII "315359390315359390438360315359390438360123456789"
0049BCC7 CALL 00404768 ; IDCard.00404768
0049BCCC MOV ECX, EAX ; ECX=30
0049BCCE SUB ECX, 27
0049BCD1 JNO SHORT 0049BCD8 ; IDCard.0049BCD8
0049BCD3 CALL 00403684 ; IDCard.00403684
0049BCD8 MOV EDX, 28
0049BCDD MOV EAX, DWORD PTR SS:[EBP->
0049BCE0 CALL 004049C0
; <-- take the user-name check digits -- length = user name length * 3; change the trial code to 57 characters and continue
0049BCE5 MOV EAX, DWORD PTR SS:[EBP->
; EAX<--00D955C4,(ASCII "123456789147258369")<-- user-name check digits
0049BCE8 LEA EDX, DWORD PTR SS:[EBP->
0049BCEB CALL 0049BAF4 <-- convert the string above, three digits per group, to hex values
0049BCF0 MOV EAX, DWORD PTR SS:[EBP->
0049BCF3 MOV ECX, ESI
0049BCF5 MOV EDX, EBX
0049BCF7 CALL 0049BA54 ; <-- compute a new value from the values above
Note: the calculation works the same way as above
0049BCFC XOR EAX, EAX
0049BCFE POP EDX
0049BCFF POP ECX
0049BD00 POP ECX
0049BD01 MOV DWORD PTR FS:[EAX], EDX
0049BD04 JMP SHORT 0049BD10 ; IDCard.0049BD10
0049BD06 JMP 00403C24 ; IDCard.00403C24
0049BD0B CALL 00403F8C ; IDCard.00403F8C
0049BD10 XOR EAX, EAX
0049BD12 POP EDX
0049BD13 POP ECX
0049BD14 POP ECX
0049BD15 MOV DWORD PTR FS:[EAX], EDX
0049BD18 PUSH 49BD3A
0049BD1D LEA EAX, DWORD PTR SS:[EBP->
0049BD20 MOV EDX, 0B
0049BD25 CALL 004044D4 ; IDCard.004044D4
0049BD2A LEA EAX, DWORD PTR SS:[EBP->
0049BD2D CALL 004044B0 ; IDCard.004044B0
0049BD32 RETN
-----------------------------------------
Continue:
|
004A1231 MOV EAX, DWORD PTR SS:[EBP-18]
004A1234 PUSH EAX
004A1235 LEA EDX, DWORD PTR SS:[EBP-20]
004A1238 MOV EAX, DWORD PTR DS:[EBX+2F4]
004A123E CALL 004388D8
004A1243 MOV EDX, DWORD PTR SS:[EBP-20] ; EDX<--01C19570,(ASCII "fxyang")
004A1246 POP EAX
004A1247 CALL 004048AC ; <-- the key comparison
====>F8
------ the key comparison -------
|
004048AC PUSH EBX
004048AD PUSH ESI
004048AE PUSH EDI
004048AF MOV ESI, EAX
; ESI<--=0034A078 <--- value computed from the user-name check digits -- argument
004048B1 MOV EDI, EDX
; EDX<--01C19570,(ASCII "fxyang")<-- argument -- user name
004048B3 CMP EAX, EDX
004048B5 JE 0040494A ; IDCard.0040494A
004048BB TEST ESI, ESI
004048BD JE SHORT 00404927 ; IDCard.00404927
004048BF TEST EDI, EDI
004048C1 JE SHORT 0040492E ; IDCard.0040492E
004048C3 MOV EAX, DWORD PTR DS:[ESI-4]
004048C6 MOV EDX, DWORD PTR DS:[EDI-4]
004048C9 SUB EAX, EDX
004048CB JA SHORT 004048CF ; IDCard.004048CF
004048CD ADD EDX, EAX
004048CF PUSH EDX
004048D0 SHR EDX, 2
004048D3 JE SHORT 004048FB ; IDCard.004048FB
004048D5 MOV ECX, DWORD PTR DS:[ESI]
004048D7 MOV EBX, DWORD PTR DS:[EDI]
004048D9 CMP ECX, EBX
004048DB JNZ SHORT 00404935 ; IDCard.00404935
004048DD DEC EDX
004048DE JE SHORT 004048F5 ; IDCard.004048F5
004048E0 MOV ECX, DWORD PTR DS:[ESI+4]
004048E3 MOV EBX, DWORD PTR DS:[EDI+4]
004048E6 CMP ECX, EBX
004048E8 JNZ SHORT 00404935 ; IDCard.00404935
004048EA ADD ESI, 8
004048ED ADD EDI, 8
004048F0 DEC EDX
004048F1 JNZ SHORT 004048D5 ; IDCard.004048D5
004048F3 JMP SHORT 004048FB ; IDCard.004048FB
004048F5 ADD ESI, 4
004048F8 ADD EDI, 4
004048FB POP EDX
004048FC AND EDX, 3
004048FF JE SHORT 00404923 ; IDCard.00404923
00404901 MOV ECX, DWORD PTR DS:[ESI]
; ECX<--DS:[ESI]=0034A078 <--- value computed from the user-name check digits
00404903 MOV EBX, DWORD PTR DS:[EDI]
; EBX<--DS:[EDI]=61797866 <--- hex value of the user name
00404905 CMP CL, BL \
00404907 JNZ SHORT 0040494A |
00404909 DEC EDX |
0040490A JE SHORT 00404923 |<-- byte-by-byte comparison
0040490C CMP CH, BH |
0040490E JNZ SHORT 0040494A |
00404910 DEC EDX |
00404911 JE SHORT 00404923 /
00404913 AND EBX, 0FF0000
00404919 AND ECX, 0FF0000
0040491F CMP ECX, EBX
00404921 JNZ SHORT 0040494A
00404923 ADD EAX, EAX
00404925 JMP SHORT 0040494A
00404927 MOV EDX, DWORD PTR DS:[EDI-4]
0040492A SUB EAX, EDX
0040492C JMP SHORT 0040494A
0040492E MOV EAX, DWORD PTR DS:[ESI-4]
00404931 SUB EAX, EDX
00404933 JMP SHORT 0040494A
00404935 POP EDX
00404936 CMP CL, BL
00404938 JNZ SHORT 0040494A
0040493A CMP CH, BH
0040493C JNZ SHORT 0040494A
0040493E SHR ECX, 10
00404941 SHR EBX, 10
00404944 CMP CL, BL
00404946 JNZ SHORT 0040494A
00404948 CMP CH, BH
0040494A POP EDI
0040494B POP ESI
0040494C POP EBX
0040494D RETN
--------------------------
Continue:
|
004A124C JNZ SHORT 004A1264 ; IDCard.004A1264
004A124E MOV EAX, 4A1358
004A1253 CALL 00431CFC ; IDCard.00431CFC
004A1258 MOV EAX, DWORD PTR DS:[4AFE14]
004A125D CALL 00454E44 ; IDCard.00454E44
004A1262 JMP SHORT 004A1280 ; IDCard.004A1280
004A1264 MOV ECX, 4A1378
004A1269 MOV EDX, 4A1348 ; ASCII "regcode"
004A126E MOV EAX, DWORD PTR SS:[EBP-4]
004A1271 CALL 004A0A40 ; IDCard.004A0A40
004A1276 MOV EAX, 4A1384
004A127B CALL 00431CFC ; IDCard.00431CFC
004A1280 XOR EAX, EAX
004A1282 POP EDX
004A1283 POP ECX
004A1284 POP ECX
004A1285 MOV DWORD PTR FS:[EAX], EDX
004A1288 JMP SHORT 004A12B0 ; IDCard.004A12B0
004A128A JMP 00403C24 ; IDCard.00403C24
004A128F MOV ECX, 4A1378
004A1294 MOV EDX, 4A1348 ; ASCII "regcode"
004A1299 MOV EAX, DWORD PTR SS:[EBP-4]
004A129C CALL 004A0A40 ; IDCard.004A0A40
004A12A1 MOV EAX, 4A1384
004A12A6 CALL 00431CFC ; IDCard.00431CFC
004A12AB CALL 00403F8C ; IDCard.00403F8C
004A12B0 XOR EAX, EAX
004A12B2 POP EDX
004A12B3 POP ECX
004A12B4 POP ECX
004A12B5 MOV DWORD PTR FS:[EAX], EDX
004A12B8 PUSH 4A12D5
004A12BD MOV EAX, DWORD PTR SS:[EBP-4]
004A12C0 CALL 004A0734 ; IDCard.004A0734
004A12C5 MOV EAX, DWORD PTR SS:[EBP-4]
004A12C8 CALL 00403744 ; IDCard.00403744
004A12CD RETN
===============================================================================
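The trace of the algorithm is now complete. To summarize:
Condition: length of the registration code = 39 characters + length of the user name * 3
How the registration code is computed:
1. The first 39 characters of the trial code (this part is independent of the user name) are taken in three passes and checked for validity: if the computed value consists of digits, it is accepted. So a single valid value found by tracing can be used with any user name.
2. The remaining (user name length * 3) characters are the check digits that tie the registration code to the user name. The calculation goes as follows:
1.) Take the check digits of the trial code and convert them, three at a time, to hex values
2.) Take the low byte of each group's hex value into the next step (so there is more than one check code for a given user name)
3.) First group value XOR 03 = hex value of the first character of the user name
4.) (First group value + 3D0 (constant)) * C891 (constant) gives a new value, to which 6FB2 (constant) is added
5.) The third byte of the value above XOR the second group value = the second character of the user name
6.) Add the second group's value to the value from step 4, then repeat steps 4 and 5
until all groups have been processed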
by fxyang[OCN][BCG]
2003.4.24
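The grouping routine (0049BAF4) and the transform routine (0049BA54) traced above, modelled in Python as an added example that is not part of the original write-up; it replays the first call (key 3D0, multiplier C891, addend 6FB2) so the register values annotated in the trace can be checked. Function and constant names are this example's own, and rejecting non-digit input with an exception is an assumption about the integer conversion at 00408A84.

```python
# Added model of the two traced routines; all names here are this example's own.
MASK32 = 0xFFFFFFFF
KEY0, MULT, ADD = 0x3D0, 0xC891, 0x6FB2   # constants loaded at 0049BC16..0049BBE9


def group_bytes(digits: str) -> bytes:
    """0049BAF4: split a decimal string into 3-digit groups, keep each low byte."""
    if len(digits) % 3 != 0:              # IDIV ECX / JNZ: leave with an empty result
        return b""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("non-digit input (assumed to fail the integer conversion)")
    return bytes(int(digits[i:i + 3]) & 0xFF for i in range(0, len(digits), 3))


def transform(data: bytes, key: int, mult: int, add: int):
    """0049BA54: XOR each byte with bits 8..15 of a running 32-bit key.

    Returns the output bytes and the key value after every round, so both can
    be compared with the register comments in the trace.
    """
    out, keys = bytearray(), []
    for b in data:
        out.append(b ^ ((key >> 8) & 0xFF))      # SHR ECX,8 / XOR DL,CL
        key = ((key + b) * mult + add) & MASK32  # ADD ESI / IMUL ESI / ADD ESI
        keys.append(key)
    return bytes(out), keys


def is_numeric(decoded: bytes) -> bool:
    """The acceptance test described in the write-up: the result must be digits."""
    return decoded.isdigit()                     # False for empty input as well


if __name__ == "__main__":
    # Both inputs are strings that appear in the trace itself.
    for code in ("789456123", "315359390"):
        out, keys = transform(group_bytes(code), KEY0, MULT, ADD)
        print(code, out.hex(), [f"{k:08X}" for k in keys], is_numeric(out))
```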