Author: Ggzlxg
Declaration: I did this purely out of curiosity and for no other purpose. If there had been one, I would have published the keygen (it is already written). Don't write to me asking for the keygen; I won't publish it. This is also Boss Xue's request. In fact, I think this article already goes too far: following it, you can get 1% of the correct registration code.
IDA, OllyDBG
Software: GoodName.exe v3.37, which I have fully unpacked from ACProtect 1.41 (see "Unpacking Tongyi Naming Master v3.36, v3.37 and vp3.33 (Professional Edition)", /showthread.php?threadid=1624). Tracing is easier with the unpacked version. Of course you can also work on the original directly, but it is harder.
Before reading this article, please read Master moon's "Analysis of the Registration Algorithm of Tongyi Naming Master 3.36", /showthread.php?threadid=14716. I won't waste any more ink on the parts that are the same as moon's.
This article is published simultaneously on the Xuekan forum and DFCG. Please keep it intact when reprinting; the moderator may delete it if it is inappropriate.
Preface:
Verification of the Tongyi registration code is spread over the whole program: creating the main window, creating the sub-windows and the key operations. Checks of the registration code and of the registration application code are everywhere, and the calculation is repeated over and over. For example, there are three identical routines for obtaining the registration application code, and two complete copies of the DES algorithm. What we use to analyse the registration code is the registration action itself; the same could in fact be done in the main-window or sub-window creation code, because they are exactly the same.
Below is the published-method table part of the VMT of the registration window class (Tfxhm) (the whole table is too long). All of this code was analysed in IDA.
Code:
       dw 16h
556483 dd offset Tfxhm@SUIButton2Click   ; Exit button
556487 aSuibutton2click db 0Fh, 'SUIButton2Click'
556497 dw 10h
556499 dd offset Tfxhm@FormClose         ; close the window
55649D aFormclose db 9, 'FormClose'
5564A7 dw 11h
5564A9 dd offset Tfxhm@FormCreate        ; create the window
5564AD aFormcreate db 0Ah
5564AE db 'FormCreate'
5564B8 dw 16h
5564BA dd offset Tfxhm@SUIButton1Click   ; Register button
5564BE aSuibutton1click db 0Fh, 'SUIButton1Click'
5564CE dw 0Fh
5564D0 dd offset Tfxhm@Get_Text          ; verification of the registration application code,
                                         ; called by SUIButton1Click and by the sub-procedures
5564D4 aGet_text db 8, 'Get_Text'
5564DD dw 0Fh
5564DF dd offset Tfxhm@FormShow          ; show the window
5564E3 aFormshow db 8, 'FormShow'
5564EC aTfxhm db 5, 'Tfxhm'              ; class name
5564F2 word_5564F2 dw 5
5564F4 dd offset TSUIForm@VMT@Prt        ; pointer to the parent's VMT
-----------.
Tfxhm@Get_Text starting address: 55986C
1. Getting the 28th character of the registration code
First determine the correct stroke count of the surname you want to register (it must match the one found in slzik in the Tongyi database, using the traditional-character stroke count; the stroke count of some characters in the Tongyi database is wrong, so take the surname's stroke count from Tongyi's name analysis). Then read the string below from left to right; the character at that position is the 28th character of the registration code. For example, Lu: the traditional character has 7 strokes (positions counted from the left):
123456789123456789123456789123
ah6cd3bef4trs2puv5k1mn78yz9gij
The character obtained is b. Our registration code then has the following form (31 characters); this is our initial registration code:
1234567891234567891234567891234
123456789abcdefghijklmnopqrsTUV
Putting the letter b in the 28th position gives the following registration code:
123456789abcdefghijklmnopqrbTUV
According to the transposition moon described (characters 4*i+1 and 4*(i+1) are swapped, i = 0, 1, 2, ..., and when fewer than 4 characters remain at the end the last two are swapped), positions 25 and 28 are exchanged, so this b should end up in position 25. To make the transposition easy I wrote a small Delphi program (the operation is easy in assembly, so it is written in inline assembly):
Code:
procedure TForm1.Button2Click(Sender: TObject);  { form and button names assumed; the post only says "press Button2" }
var
  Str: String;
begin
  Str := Edit1.Text;            { the 31-character registration code }
  asm
    PushA
    Xor  Edx, Edx               { Edx = offset of the current 4-character group }
    Mov  Esi, Str               { Esi = pointer to the string data }
    Mov  Ecx, 7                 { 7 full groups of 4 cover characters 1..28 }
  @1:
    Mov  Al, [Esi + Edx]        { swap the 1st and 4th character of the group }
    Xchg Al, [Esi + Edx + 3]
    Xchg Al, [Esi + Edx]
    Dec  Ecx
    Add  Edx, 4
    Cmp  Ecx, 0                 { loop until all 7 groups are done }
    Jnz  @1
    Mov  Al, [Esi + Edx + 1]    { 3-character tail (29..31): swap the last two }
    Xchg Al, [Esi + Edx + 2]
    Xchg Al, [Esi + Edx + 1]
    PopA
  end;
  Edit2.Text := Str;
end;
-----------.
Pressing Button2 gives the new registration code:
1234567891234567891234567891234
42318675cab9gefdkijhomnlbqrpTVU
See moon's article for the detailed analysis.
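The same block transposition, re-implemented in plain Python as an added example (this is not the post's Delphi code), so the result the author states above can be checked. It works on a code of any length: every full group of 4 swaps its 1st and 4th character, and a shorter tail swaps its last two characters; that a 1-character tail is left untouched is an assumption of this example, since the post only covers the 3-character tail.

```python
# Added example: the 4-character block transposition described in the post,
# generalised to any length. Names and the 1-character-tail rule are this
# example's own assumptions, not the post's.

def transpose(seq: list) -> list:
    """Swap elements 4*i and 4*i+3 (0-based) of every full 4-element group; for a
    trailing group of 2 or 3 elements swap its last two; a 1-element tail stays."""
    out = list(seq)
    n = len(out)
    full_groups = n // 4
    for i in range(full_groups):
        first, last = 4 * i, 4 * i + 3
        out[first], out[last] = out[last], out[first]
    if n - 4 * full_groups >= 2:
        out[-2], out[-1] = out[-1], out[-2]
    return out


def transpose_code(code: str) -> str:
    """Apply the transposition to a registration-code string."""
    return "".join(transpose(list(code)))


def destination_position(pos: int, length: int) -> int:
    """1-based position that character `pos` occupies after transposing a
    code of `length` characters (e.g. 28 -> 25 for a 31-character code)."""
    order = transpose(list(range(1, length + 1)))
    return order.index(pos) + 1


def place_char(code: str, pos: int, ch: str) -> str:
    """Return `code` with the 1-based position `pos` replaced by `ch`."""
    return code[: pos - 1] + ch + code[pos:]


if __name__ == "__main__":
    # Constructed walk-through of the post's step 1: the initial code, the
    # letter b placed at position 28, then the transposition.
    initial = "123456789abcdefghijklmnopqrsTUV"
    with_b = place_char(initial, 28, "b")
    print(with_b)                       # 123456789abcdefghijklmnopqrbTUV
    print(transpose_code(with_b))       # 42318675cab9gefdkijhomnlbqrpTVU
    print(destination_position(28, 31)) # 25
```

The transposition is its own inverse (every step is a pairwise swap), so applying it twice returns the original string; that is a quick sanity check on any reimplementation.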
2. Getting characters 23 to 27 of the registration code
Load UNGDN.exe (the unpacked program) in OD.
Code:
55CF83 mov eax, [eax]
55CF85 call sub_4FED88              ; EncodeFunction1: XOR of (registration application number + surname) with 1FH
55CF8A lea eax, [ebp+var_94]        ; the three characters used to check bits 23-27 are computed here;
55CF90 push eax                     ; they can be obtained with the algorithm Master moon gave
55CF91 lea edx, [ebp+var_98]
55CF97 mov eax, ds:Serial_CryHex@Prt ; the XOR result of the registration number and 1FH
55CF9C mov eax, [eax]
55CF9E call CycleConversionStr      ; after the XOR with 1FH, the registration number is restored here
55CFA3 mov eax, [ebp+var_98]
55CFA9 mov ecx, 5
55CFAE mov edx, 17h
55CFB3 call LStrCopy                ; take bits 23-27 (5 characters starting at position 17h = 23)
55CFB8 mov eax, [ebp+var_94]
55CFBE lea edx, [ebp+var_9]
55CFC4 call sub_4f48                ; compute three characters; if they equal the three computed above, the check passes
55CFC9 mov edx, [ebp+var_9]
55CFCF mov eax, [ebp+var_C]
55CFD2 call LStrCmp                 ; the key comparison: compares the three characters
55CFD7 jnz loc_55D157
55CFDD lea eax, [ebp+var_A]
55CFE3 push eax
55CFE4 lea edx, [ebp+var_A4]
55CFEA mov eax, ds:Serial_CryHex@Prt
55CFEF mov eax, [eax]
55CFF1 call CycleConversionStr
55CFF6 mov eax, [eb