
SmartCheck Cracking and Serial Number Algorithm Recovery

Security · 菜鸟 · 3 months ago (05-29)

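I was working through some reverse-engineering exercises that needed SmartCheck 6.20 (a very old piece of software). I was all set to start debugging when a trial-version reminder popped up at launch, which is how this write-up came about. It is purely a practice exercise.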

1. Preparation

Tools:
PEid 0.95
x32Dbg
Goals:
A. Crack SmartCheck 6.20 so that it can be used normally
B. Recover the serial number algorithm

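2. Analysis

Inspecting SMARTCHK.exe with PEid shows that it is not packed and is a C++ program.
Attaching x32Dbg to SMARTCHK.exe succeeds. Find the reference to the string "You have entered" at 0x10003FB1 and set a breakpoint there.
Click the Purchase button again and enter a code; the breakpoint is hit.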

10003FA7    | 68 00200000     | push 2000                                |
10003FAC    | 68 193B0110     | push tl32v20.10013B19                    | 10013B19:"SmartCheck"
10003FB1    | 68 EB410110     | push tl32v20.100141EB                    | 100141EB:"You have entered an incorrect code."
10003FB6    | 56              | push esi                                 |
10003FB7    | FF15 A8630110   | call dword ptr ds:[<&MessageBoxA>]       |
10003FBD    | EB 2D           | jmp tl32v20.10003FEC                     |
10003FBF    | 68 00200000     | push 2000                                |
10003FC4    | 68 193B0110     | push tl32v20.10013B19                    | 10013B19:"SmartCheck"
10003FC9    | 68 81420110     | push tl32v20.10014281                    | 10014281:"Please enter the unlocking code."
10003FCE    | 56              | push esi                                 |

Scroll up to where the check and the branch take place, set a breakpoint at 0x10003EEA, and click OK again.

10003EE2    | 8D45 EC         | lea eax,dword ptr ss:[ebp-14]            |
10003EE5    | 8D4D D8         | lea ecx,dword ptr ss:[ebp-28]            |
10003EE8    | 50              | push eax                                 |
10003EE9    | 51              | push ecx                                 | ecx:"8888888888888888"
10003EEA    | E8 91170000     | call tl32v20.10005680                    | check
10003EEF    | 83C4 08         | add esp,8                                |
10003EF2    | 85C0            | test eax,eax                             |
10003EF4    | 75 53           | jne tl32v20.10003F49                     | V
10003EF6    | 8D45 EC         | lea eax,dword ptr ss:[ebp-14]            |
10003EF9    | 50              | push eax                                 |
10003EFA    | 68 85450110     | push tl32v20.10014585                    | 10014585:"0000000000000000"
10003EFF    | E8 7C0F0000     | call <tl32v20.sub_10004E80>              |
10003F04    | 83C4 08         | add esp,8                                |
10003F07    | 8D45 84         | lea eax,dword ptr ss:[ebp-7C]            |
10003F0A    | 50              | push eax                                 |
10003F0B    | 68 F9440110     | push tl32v20.100144F9                    | 100144F9:"Trial User"
10003F10    | E8 6B0F0000     | call <tl32v20.sub_10004E80>              |
10003F15    | 83C4 08         | add esp,8                                |
10003F18    | 6A 6C           | push 6C                                  |
10003F1A    | E8 1BD2FFFF     | call tl32v20.1000113A                    |
10003F1F    | 83C4 04         | add esp,4                                |
10003F22    | 85C0            | test eax,eax                             |
10003F24    | 74 71           | je tl32v20.10003F97                      |
10003F26    | 68 00200000     | push 2000                                |
10003F2B    | 68 193B0110     | push tl32v20.10013B19                    | 10013B19:"SmartCheck"
10003F30    | 68 BF400110     | push tl32v20.100140BF                    | 100140BF:"Thank you for your purchase."
10003F35    | 6A 00           | push 0                                   |
10003F37    | FF15 A8630110   | call dword ptr ds:[<&MessageBoxA>]       |
10003F3D    | C705 30100110 0 | mov dword ptr ds:[10011030],1            |
10003F47    | EB 4E           | jmp tl32v20.10003F97                     |
10003F49    | 8D45 D8         | lea eax,dword ptr ss:[ebp-28]            |
10003F4C    | 50              | push eax                                 |
10003F4D    | E8 59E6FFFF     | call <tl32v20.sub_100025AB>              |
10003F52    | 83C4 04         | add esp,4                                |
10003F55    | 8D45 EC         | lea eax,dword ptr ss:[ebp-14]            |
10003F58    | 8D4D D8         | lea ecx,dword ptr ss:[ebp-28]            |
10003F5B    | 50              | push eax                                 |
10003F5C    | 51              | push ecx                                 | ecx:"8888888888888888"
10003F5D    | E8 1E170000     | call tl32v20.10005680                    |
10003F62    | 83C4 08         | add esp,8                                |
10003F65    | 85C0            | test eax,eax                             |
10003F67    | 75 3E           | jne tl32v20.10003FA7                     | V
10003F69    | 6A 6B           | push 6B                                  |
10003F6B    | E8 CAD1FFFF     | call tl32v20.1000113A                    |
10003F70    | 83C4 04         | add esp,4                                |
10003F73    | 85C0            | test eax,eax                             |
10003F75    | 74 20           | je tl32v20.10003F97                      |
10003F77    | 68 00200000     | push 2000                                |
10003F7C    | 68 193B0110     | push tl32v20.10013B19                    | 10013B19:"SmartCheck"
10003F81    | 68 55410110     | push tl32v20.10014155                    | 10014155:"Your trial period has been restored."
10003F86    | 56              | push esi                                 |
10003F87    | FF15 A8630110   | call dword ptr ds:[<&MessageBoxA>]       |
10003F8D    | C705 34100110 0 | mov dword ptr ds:[10011034],1            |
10003F97    | 6A 01           | push 1                                   |
10003F99    | 56              | push esi                                 |
10003F9A    | FF15 B8630110   | call dword ptr ds:[<&EndDialog>]         |
10003FA0    | B8 01000000     | mov eax,1                                |
10003FA5    | EB 5D           | jmp tl32v20.10004004                     |
10003FA7    | 68 00200000     | push 2000                                |

Stepping into tl32v20.10005680 shows that it simply compares two strings. The value 1560362484478079 here should be our serial number, so note it down.

10005680    | 8B5424 04       | mov edx,dword ptr ss:[esp+4]             | [esp+4]:"1560362484478079"
10005684    | 8B4C24 08       | mov ecx,dword ptr ss:[esp+8]             | [esp+8]:"8888888888888888"
10005688    | F7C2 03000000   | test edx,3                               |
1000568E    | 75 3C           | jne tl32v20.100056CC                     |
10005690    | 8B02            | mov eax,dword ptr ds:[edx]               | eax:"8888888888888888"
10005692    | 3A01            | cmp al,byte ptr ds:[ecx]                 | ecx:"1560362484478079"
10005694    | 75 2E           | jne tl32v20.100056C4                     |
10005696    | 0AC0            | or al,al                                 |
10005698    | 74 26           | je tl32v20.100056C0                      |
1000569A    | 3A61 01         | cmp ah,byte ptr ds:[ecx+1]               | ecx+1:"560362484478079"
1000569D    | 75 25           | jne tl32v20.100056C4                     |
1000569F    | 0AE4            | or ah,ah                                 |
100056A1    | 74 1D           | je tl32v20.100056C0                      |
100056A3    | C1E8 10         | shr eax,10                               | eax:"8888888888888888"
100056A6    | 3A41 02         | cmp al,byte ptr ds:[ecx+2]               | ecx+2:"60362484478079"
100056A9    | 75 19           | jne tl32v20.100056C4                     |
100056AB    | 0AC0            | or al,al                                 |
100056AD    | 74 11           | je tl32v20.100056C0                      |
100056AF    | 3A61 03         | cmp ah,byte ptr ds:[ecx+3]               | ecx+3:"0362484478079"
100056B2    | 75 10           | jne tl32v20.100056C4                     |
100056B4    | 83C1 04         | add ecx,4                                | ecx:"1560362484478079"
100056B7    | 83C2 04         | add edx,4                                |
100056BA    | 0AE4            | or ah,ah                                 |
100056BC    | 75 D2           | jne tl32v20.10005690                     |
100056BE    | 8BC0            | mov eax,eax                              |
100056C0    | 33C0            | xor eax,eax                              | eax:"8888888888888888"
100056C2    | C3              | ret                                      |

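Step out of that function and keep looking upward for the place where the local variable [ebp-28] is modified.
Here the address of [ebp-28] is passed in, and the serial number comes back in it.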

10003ED6    | 8D45 D8         | lea eax,dword ptr ss:[ebp-28]            |
10003ED9    | 50              | push eax                                 |
10003EDA    | E8 85E9FFFF     | call <tl32v20.sub_10002864>              | generate the serial number
10003EDF    | 83C4 04         | add esp,4                                |

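Following the call at 0x10003EDA, I worked out the following from the overall flow:
a. 0x10014332 holds a fixed string, of which the first 6 characters are used
b. 0x100144DF holds the registration number string
c. sub_10004E80 is used to copy strings
d. The registration number string and the fixed string are converted to numbers and stored in arrays
e. sub_10004E00 is called to generate a new number
f. Finally, the unlock code is copied into the output parameter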

10002864 <t | 55              | push ebp                                 |
10002865    | 33C0            | xor eax,eax                              |
10002867    | 8BEC            | mov ebp,esp                              |
10002869    | 81EC B0000000   | sub esp,B0                               |
1000286F    | C685 50FFFFFF 0 | mov byte ptr ss:[ebp-B0],0               |
10002876    | 56              | push esi                                 |
10002877    | 57              | push edi                                 |
10002878    | 8DBD 51FFFFFF   | lea edi,dword ptr ss:[ebp-AF]            |
1000287E    | 33F6            | xor esi,esi                              |
10002880    | AB              | stosd                                    | zero the array
10002881    | AB              | stosd                                    |
10002882    | AB              | stosd                                    |
10002883    | AB              | stosd                                    |
10002884    | 68 70100110     | push tl32v20.10011070                    |
10002889    | 8D45 FC         | lea eax,dword ptr ss:[ebp-4]             |
1000288C    | 50              | push eax                                 |
1000288D    | 46              | inc esi                                  |
1000288E    | E8 ED250000     | call <tl32v20.sub_10004E80>              |
10002893    | 83C4 08         | add esp,8                                |
10002896    | 8D4D FC         | lea ecx,dword ptr ss:[ebp-4]             |
10002899    | 0FBE86 32430110 | movsx eax,byte ptr ds:[esi+10014332]     |
100028A0    | 50              | push eax                                 |
100028A1    | 68 B8140110     | push tl32v20.100114B8                    | 100114B8:"%c"
100028A6    | 51              | push ecx                                 |
100028A7    | E8 64250000     | call <tl32v20.sub_10004E10>              |
100028AC    | 83C4 0C         | add esp,C                                |
100028AF    | 8D4D FC         | lea ecx,dword ptr ss:[ebp-4]             |
100028B2    | 51              | push ecx                                 |
100028B3    | E8 48250000     | call <tl32v20.sub_10004E00>              |
100028B8    | 83C4 04         | add esp,4                                |
100028BB    | 8944B5 A0       | mov dword ptr ss:[ebp+esi*4-60],eax      |
100028BF    | 83FE 06         | cmp esi,6                                |
100028C2    | 72 C0           | jb tl32v20.10002884                      |
100028C4    | 33F6            | xor esi,esi                              |
100028C6    | 68 70100110     | push tl32v20.10011070                    |
100028CB    | 8D45 FC         | lea eax,dword ptr ss:[ebp-4]             |
100028CE    | 50              | push eax                                 |
100028CF    | 46              | inc esi                                  |
100028D0    | E8 AB250000     | call <tl32v20.sub_10004E80>              |
100028D5    | 83C4 08         | add esp,8                                |
100028D8    | 8D4D FC         | lea ecx,dword ptr ss:[ebp-4]             | Char cTmp
100028DB    | 0FBE86 DF440110 | movsx eax,byte ptr ds:[esi+100144DF]     |
100028E2    | 50              | push eax                                 |
100028E3    | 68 B8140110     | push tl32v20.100114B8                    | 100114B8:"%c"
100028E8    | 51              | push ecx                                 |
100028E9    | E8 22250000     | call <tl32v20.sub_10004E10>              | sub_10004E10 = sprintf()
100028EE    | 83C4 0C         | add esp,C                                |
100028F1    | 8D4D FC         | lea ecx,dword ptr ss:[ebp-4]             |
100028F4    | 51              | push ecx                                 |
100028F5    | E8 06250000     | call <tl32v20.sub_10004E00>              | _atoi, eax holds the number
100028FA    | 83C4 04         | add esp,4                                |
100028FD    | 8944B5 B8       | mov dword ptr ss:[ebp+esi*4-48],eax      | store
10002901    | 83FE 10         | cmp esi,10                               |
10002904    | 72 C0           | jb tl32v20.100028C6                      |
10002906    | FF75 CC         | push dword ptr ss:[ebp-34]               |
10002909    | FF75 F8         | push dword ptr ss:[ebp-8]                |
1000290C    | FF75 A4         | push dword ptr ss:[ebp-5C]               |
1000290F    | FF75 D8         | push dword ptr ss:[ebp-28]               |
10002912    | FF75 BC         | push dword ptr ss:[ebp-44]               |
10002915    | E8 61FCFFFF     | call <tl32v20.sub_1000257B>              |
1000291A    | 83C4 14         | add esp,14                               |
1000291D    | 8985 64FFFFFF   | mov dword ptr ss:[ebp-9C],eax            | digit 0
10002923    | FF75 D0         | push dword ptr ss:[ebp-30]               |
10002926    | FF75 F4         | push dword ptr ss:[ebp-C]                |
10002929    | FF75 A8         | push dword ptr ss:[ebp-58]               |
1000292C    | FF75 D4         | push dword ptr ss:[ebp-2C]               |
1000292F    | FF75 C0         | push dword ptr ss:[ebp-40]               |
10002932    | E8 44FCFFFF     | call <tl32v20.sub_1000257B>              |
10002937    | 83C4 14         | add esp,14                               |
1000293A    | 8985 68FFFFFF   | mov dword ptr ss:[ebp-98],eax            | digit 1
10002940    | FF75 D4         | push dword ptr ss:[ebp-2C]               |
10002943    | FF75 F0         | push dword ptr ss:[ebp-10]               |
10002946    | FF75 AC         | push dword ptr ss:[ebp-54]               |
10002949    | FF75 D0         | push dword ptr ss:[ebp-30]               |
1000294C    | FF75 C4         | push dword ptr ss:[ebp-3C]               |
1000294F    | E8 27FCFFFF     | call <tl32v20.sub_1000257B>              |
10002954    | 83C4 14         | add esp,14                               |
10002957    | 8985 6CFFFFFF   | mov dword ptr ss:[ebp-94],eax            | digit 2
1000295D    | FF75 D8         | push dword ptr ss:[ebp-28]               |
10002960    | FF75 EC         | push dword ptr ss:[ebp-14]               |
10002963    | FF75 B0         | push dword ptr ss:[ebp-50]               |
10002966    | FF75 CC         | push dword ptr ss:[ebp-34]               |
10002969    | FF75 C8         | push dword ptr ss:[ebp-38]               |
1000296C    | E8 0AFCFFFF     | call <tl32v20.sub_1000257B>              |
10002971    | 83C4 14         | add esp,14                               |
10002974    | 8985 70FFFFFF   | mov dword ptr ss:[ebp-90],eax            | digit 3
1000297A    | FF75 DC         | push dword ptr ss:[ebp-24]               |
1000297D    | FF75 E8         | push dword ptr ss:[ebp-18]               |
10002980    | FF75 B4         | push dword ptr ss:[ebp-4C]               |
10002983    | FF75 C8         | push dword ptr ss:[ebp-38]               |
10002986    | FF75 CC         | push dword ptr ss:[ebp-34]               |
10002989    | E8 EDFBFFFF     | call <tl32v20.sub_1000257B>              |
1000298E    | 83C4 14         | add esp,14                               |
10002991    | 8985 74FFFFFF   | mov dword ptr ss:[ebp-8C],eax            | digit 4
10002997    | FF75 E0         | push dword ptr ss:[ebp-20]               |
1000299A    | FF75 E4         | push dword ptr ss:[ebp-1C]               |
1000299D    | FF75 B8         | push dword ptr ss:[ebp-48]               |
100029A0    | FF75 C4         | push dword ptr ss:[ebp-3C]               |
100029A3    | FF75 D0         | push dword ptr ss:[ebp-30]               |
100029A6    | E8 D0FBFFFF     | call <tl32v20.sub_1000257B>              |
100029AB    | 83C4 14         | add esp,14                               |
100029AE    | 8985 78FFFFFF   | mov dword ptr ss:[ebp-88],eax            | digit 5
100029B4    | FF75 E4         | push dword ptr ss:[ebp-1C]               |
100029B7    | FF75 E0         | push dword ptr ss:[ebp-20]               |
100029BA    | FF75 A4         | push dword ptr ss:[ebp-5C]               |
100029BD    | FF75 C0         | push dword ptr ss:[ebp-40]               |
100029C0    | FF75 D4         | push dword ptr ss:[ebp-2C]               |
100029C3    | E8 B3FBFFFF     | call <tl32v20.sub_1000257B>              |
100029C8    | 83C4 14         | add esp,14                               |
100029CB    | 8985 7CFFFFFF   | mov dword ptr ss:[ebp-84],eax            | digit 6
100029D1    | FF75 E8         | push dword ptr ss:[ebp-18]               |
100029D4    | FF75 DC         | push dword ptr ss:[ebp-24]               |
100029D7    | FF75 A8         | push dword ptr ss:[ebp-58]               |
100029DA    | FF75 BC         | push dword ptr ss:[ebp-44]               |
100029DD    | FF75 D8         | push dword ptr ss:[ebp-28]               |
100029E0    | E8 96FBFFFF     | call <tl32v20.sub_1000257B>              |
100029E5    | 83C4 14         | add esp,14                               |
100029E8    | 8945 80         | mov dword ptr ss:[ebp-80],eax            | digit 7
100029EB    | FF75 E8         | push dword ptr ss:[ebp-18]               |
100029EE    | FF75 F8         | push dword ptr ss:[ebp-8]                |
100029F1    | FF75 AC         | push dword ptr ss:[ebp-54]               |
100029F4    | FF75 F8         | push dword ptr ss:[ebp-8]                |
100029F7    | FF75 DC         | push dword ptr ss:[ebp-24]               |
100029FA    | E8 7CFBFFFF     | call <tl32v20.sub_1000257B>              |
100029FF    | 83C4 14         | add esp,14                               |
10002A02    | 8945 84         | mov dword ptr ss:[ebp-7C],eax            | digit 8
10002A05    | FF75 EC         | push dword ptr ss:[ebp-14]               |
10002A08    | FF75 F4         | push dword ptr ss:[ebp-C]                |
10002A0B    | FF75 B0         | push dword ptr ss:[ebp-50]               |
10002A0E    | FF75 F4         | push dword ptr ss:[ebp-C]                |
10002A11    | FF75 E0         | push dword ptr ss:[ebp-20]               |
10002A14    | E8 62FBFFFF     | call <tl32v20.sub_1000257B>              |
10002A19    | 83C4 14         | add esp,14                               |
10002A1C    | 8945 88         | mov dword ptr ss:[ebp-78],eax            | digit 9
10002A1F    | FF75 F0         | push dword ptr ss:[ebp-10]               |
10002A22    | FF75 F0         | push dword ptr ss:[ebp-10]               |
10002A25    | FF75 B4         | push dword ptr ss:[ebp-4C]               |
10002A28    | FF75 F0         | push dword ptr ss:[ebp-10]               |
10002A2B    | FF75 E4         | push dword ptr ss:[ebp-1C]               |
10002A2E    | E8 48FBFFFF     | call <tl32v20.sub_1000257B>              |
10002A33    | 83C4 14         | add esp,14                               |
10002A36    | 8945 8C         | mov dword ptr ss:[ebp-74],eax            | digit 10
10002A39    | FF75 F4         | push dword ptr ss:[ebp-C]                |
10002A3C    | FF75 EC         | push dword ptr ss:[ebp-14]               |
10002A3F    | FF75 B8         | push dword ptr ss:[ebp-48]               |
10002A42    | FF75 EC         | push dword ptr ss:[ebp-14]               |
10002A45    | FF75 E8         | push dword ptr ss:[ebp-18]               |
10002A48    | E8 2EFBFFFF     | call <tl32v20.sub_1000257B>              |
10002A4D    | 83C4 14         | add esp,14                               |
10002A50    | 8945 90         | mov dword ptr ss:[ebp-70],eax            | digit 11
10002A53    | FF75 F8         | push dword ptr ss:[ebp-8]                |
10002A56    | FF75 E8         | push dword ptr ss:[ebp-18]               |
10002A59    | FF75 A4         | push dword ptr ss:[ebp-5C]               |
10002A5C    | FF75 E8         | push dword ptr ss:[ebp-18]               |
10002A5F    | FF75 EC         | push dword ptr ss:[ebp-14]               |
10002A62    | E8 14FBFFFF     | call <tl32v20.sub_1000257B>              |
10002A67    | 83C4 14         | add esp,14                               |
10002A6A    | 8945 94         | mov dword ptr ss:[ebp-6C],eax            | digit 12
10002A6D    | FF75 CC         | push dword ptr ss:[ebp-34]               |
10002A70    | FF75 E4         | push dword ptr ss:[ebp-1C]               |
10002A73    | FF75 A8         | push dword ptr ss:[ebp-58]               |
10002A76    | FF75 E4         | push dword ptr ss:[ebp-1C]               |
10002A79    | FF75 F0         | push dword ptr ss:[ebp-10]               |
10002A7C    | E8 FAFAFFFF     | call <tl32v20.sub_1000257B>              |
10002A81    | 83C4 14         | add esp,14                               |
10002A84    | 8945 98         | mov dword ptr ss:[ebp-68],eax            | digit 13
10002A87    | FF75 D0         | push dword ptr ss:[ebp-30]               |
10002A8A    | FF75 E0         | push dword ptr ss:[ebp-20]               |
10002A8D    | FF75 AC         | push dword ptr ss:[ebp-54]               |
10002A90    | FF75 E0         | push dword ptr ss:[ebp-20]               |
10002A93    | FF75 F4         | push dword ptr ss:[ebp-C]                |
10002A96    | E8 E0FAFFFF     | call <tl32v20.sub_1000257B>              |
10002A9B    | 83C4 14         | add esp,14                               |
10002A9E    | 8945 9C         | mov dword ptr ss:[ebp-64],eax            | digit 14
10002AA1    | FF75 D4         | push dword ptr ss:[ebp-2C]               |
10002AA4    | FF75 DC         | push dword ptr ss:[ebp-24]               |
10002AA7    | FF75 B0         | push dword ptr ss:[ebp-50]               |
10002AAA    | FF75 DC         | push dword ptr ss:[ebp-24]               |
10002AAD    | FF75 F8         | push dword ptr ss:[ebp-8]                |
10002AB0    | E8 C6FAFFFF     | call <tl32v20.sub_1000257B>              |
10002AB5    | 83C4 14         | add esp,14                               |
10002AB8    | 8DB5 64FFFFFF   | lea esi,dword ptr ss:[ebp-9C]            |
10002ABE    | 8945 A0         | mov dword ptr ss:[ebp-60],eax            | digit 15
10002AC1    | 68 70100110     | push tl32v20.10011070                    |
10002AC6    | 8D45 FC         | lea eax,dword ptr ss:[ebp-4]             |
10002AC9    | 50              | push eax                                 |
10002ACA    | E8 B1230000     | call <tl32v20.sub_10004E80>              |
10002ACF    | 83C4 08         | add esp,8                                |
10002AD2    | 8D4D FC         | lea ecx,dword ptr ss:[ebp-4]             |
10002AD5    | FF36            | push dword ptr ds:[esi]                  |
10002AD7    | 68 B4140110     | push tl32v20.100114B4                    | 100114B4:"%d"
10002ADC    | 51              | push ecx                                 |
10002ADD    | 83C6 04         | add esi,4                                |
10002AE0    | E8 2B230000     | call <tl32v20.sub_10004E10>              |
10002AE5    | 83C4 0C         | add esp,C                                |
10002AE8    | 8D4D FC         | lea ecx,dword ptr ss:[ebp-4]             |
10002AEB    | 8D95 50FFFFFF   | lea edx,dword ptr ss:[ebp-B0]            |
10002AF1    | 51              | push ecx                                 |
10002AF2    | 52              | push edx                                 |
10002AF3    | FF15 8C620110   | call dword ptr ds:[<&lstrcatA>]          |
10002AF9    | 8D4D A4         | lea ecx,dword ptr ss:[ebp-5C]            |
10002AFC    | 3BF1            | cmp esi,ecx                              |
10002AFE    | 72 C1           | jb tl32v20.10002AC1                      |
10002B00    | 8D85 50FFFFFF   | lea eax,dword ptr ss:[ebp-B0]            |
10002B06    | 50              | push eax                                 |
10002B07    | FF75 08         | push dword ptr ss:[ebp+8]                |
10002B0A    | E8 71230000     | call <tl32v20.sub_10004E80>              | copy the string
10002B0F    | 83C4 08         | add esp,8                                |
10002B12    | B8 01000000     | mov eax,1                                |
10002B17    | 5F              | pop edi                                  |
10002B18    | 5E              | pop esi                                  |
10002B19    | 8BE5            | mov esp,ebp                              |
10002B1B    | 5D              | pop ebp                                  |
10002B1C    | C3              | ret                                      |
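
How the five arguments of each sub_1000257B call map onto one 22-entry digit array (the aiNumber array of the author's program in the next section), as an added example that is not part of the original post. It parses the `push dword ptr ss:[ebp-N]` operands of two calls copied from the listing above; the helper names and the array base `[ebp-5C]` are this example's own reading of the two fill loops, not names from the binary.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Assumption read off the listing: the first loop stores to [ebp+esi*4-60]
// with esi = 1..6 ([ebp-5C]..[ebp-48]) and the second to [ebp+esi*4-48]
// with esi = 1..16 ([ebp-44]..[ebp-8]), so the two arrays are contiguous
// and can be treated as one 22-entry array starting at [ebp-5C].
constexpr int kArrayBase = 0x5C;

// Extract the hex displacement N from a line containing "[ebp-N]"; -1 if absent.
int ParseEbpOffset(const std::string& line)
{
    const std::string tag = "[ebp-";
    const size_t pos = line.find(tag);
    if (pos == std::string::npos) return -1;
    const size_t end = line.find(']', pos);
    if (end == std::string::npos) return -1;
    try {
        return std::stoi(line.substr(pos + tag.size(), end - pos - tag.size()), nullptr, 16);
    } catch (...) {
        return -1;  // empty or non-hex displacement
    }
}

// Map a stack slot to its index in the 22-entry digit array; -1 if outside it.
int SlotToIndex(int ebpOffset)
{
    if (ebpOffset < 0x08 || ebpOffset > kArrayBase) return -1;
    if ((kArrayBase - ebpOffset) % 4 != 0) return -1;
    return (kArrayBase - ebpOffset) / 4;
}

// cdecl pushes arguments right to left, so the last push before the call is
// the first C argument. Returns the indices in C argument order, or an empty
// vector if any push operand is not a slot of the digit array.
std::vector<int> ArgsFromPushes(const std::vector<std::string>& lines)
{
    std::vector<int> args;
    for (auto it = lines.rbegin(); it != lines.rend(); ++it) {
        if (it->find("push") == std::string::npos) continue;  // skip the call line
        const int idx = SlotToIndex(ParseEbpOffset(*it));
        if (idx < 0) return {};
        args.push_back(idx);
    }
    return args;
}

// Operands copied from the listing above: the calls that produce digit 0 and digit 8.
const std::vector<std::string> kCallDigit0 = {
    "push dword ptr ss:[ebp-34]",
    "push dword ptr ss:[ebp-8]",
    "push dword ptr ss:[ebp-5C]",
    "push dword ptr ss:[ebp-28]",
    "push dword ptr ss:[ebp-44]",
    "call <tl32v20.sub_1000257B>",
};
const std::vector<std::string> kCallDigit8 = {
    "push dword ptr ss:[ebp-18]",
    "push dword ptr ss:[ebp-8]",
    "push dword ptr ss:[ebp-54]",
    "push dword ptr ss:[ebp-8]",
    "push dword ptr ss:[ebp-24]",
    "call <tl32v20.sub_1000257B>",
};

int main()
{
    for (const auto* call : { &kCallDigit0, &kCallDigit8 }) {
        for (int idx : ArgsFromPushes(*call)) std::printf("aiNumber[%d] ", idx);
        std::printf("\n");
    }
    return 0;
}
```

Indices 0 to 5 are the digits of the fixed string and 6 to 21 are the digits of the registration number, so every input to the expected code is already present in the client process.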

3. Serial number algorithm

#include <cstdio>
#include <cstdlib>
#include <string>

// Computes one serial-number digit from five input digits,
// wrapping the running value back into 0-9 after every step.
int CalculationSerialNumberDigit(int iOne, int iTwo, int iThree, int iFour, int iFive)
{
    iOne += iTwo;
    if (iOne > 9)
    {
        iOne -= 10;
    }

    iOne -= iThree;
    if (iOne < 0)
    {
        iOne += 10;
    }

    iOne += iFour;
    if (iOne > 9)
    {
        iOne -= 10;
    }

    iOne -= iFive;
    if (iOne < 0)
    {
        iOne += 10;
    }

    return iOne;
}

int main()
{
    // aiNumber[0..5]: the six digits taken from the fixed string;
    // aiNumber[6..21]: the 16 digits of the registration number.
    int aiNumber[22] = { 7, 6, 4, 5, 3, 3, 0 };
    char szRegistrationNumber[17] = { 0 };
    int aiSerialNumber[16] = { 0 };
    std::string strSerialNumber;

    printf("Input Registration Number: ");
    // Pass the array itself (not its address) and stop if nothing was read.
    if (scanf("%16s", szRegistrationNumber) != 1)
    {
        return 1;
    }

    // Convert each character of the registration number to a digit.
    char szDigit[2] = { 0 };
    for (size_t cntI = 6; cntI < 22; cntI++)
    {
        szDigit[0] = szRegistrationNumber[cntI - 6];
        aiNumber[cntI] = atoi(szDigit);
    }

    aiSerialNumber[0] = CalculationSerialNumberDigit(aiNumber[6], aiNumber[13], aiNumber[0], aiNumber[21], aiNumber[10]);
    aiSerialNumber[1] = CalculationSerialNumberDigit(aiNumber[7], aiNumber[12], aiNumber[1], aiNumber[20], aiNumber[11]);
    aiSerialNumber[2] = CalculationSerialNumberDigit(aiNumber[8], aiNumber[11], aiNumber[2], aiNumber[19], aiNumber[12]);
    aiSerialNumber[3] = CalculationSerialNumberDigit(aiNumber[9], aiNumber[10], aiNumber[3], aiNumber[18], aiNumber[13]);
    aiSerialNumber[4] = CalculationSerialNumberDigit(aiNumber[10], aiNumber[9], aiNumber[4], aiNumber[17], aiNumber[14]);
    aiSerialNumber[5] = CalculationSerialNumberDigit(aiNumber[11], aiNumber[8], aiNumber[5], aiNumber[16], aiNumber[15]);
    aiSerialNumber[6] = CalculationSerialNumberDigit(aiNumber[12], aiNumber[7], aiNumber[0], aiNumber[15], aiNumber[16]);
    aiSerialNumber[7] = CalculationSerialNumberDigit(aiNumber[13], aiNumber[6], aiNumber[1], aiNumber[14], aiNumber[17]);
    aiSerialNumber[8] = CalculationSerialNumberDigit(aiNumber[14], aiNumber[21], aiNumber[2], aiNumber[21], aiNumber[17]);
    aiSerialNumber[9] = CalculationSerialNumberDigit(aiNumber[15], aiNumber[20], aiNumber[3], aiNumber[20], aiNumber[18]);
    aiSerialNumber[10] = CalculationSerialNumberDigit(aiNumber[16], aiNumber[19], aiNumber[4], aiNumber[19], aiNumber[19]);
    aiSerialNumber[11] = CalculationSerialNumberDigit(aiNumber[17], aiNumber[18], aiNumber[5], aiNumber[18], aiNumber[20]);
    aiSerialNumber[12] = CalculationSerialNumberDigit(aiNumber[18], aiNumber[17], aiNumber[0], aiNumber[17], aiNumber[21]);
    aiSerialNumber[13] = CalculationSerialNumberDigit(aiNumber[19], aiNumber[16], aiNumber[1], aiNumber[16], aiNumber[10]);
    aiSerialNumber[14] = CalculationSerialNumberDigit(aiNumber[20], aiNumber[15], aiNumber[2], aiNumber[15], aiNumber[11]);
    aiSerialNumber[15] = CalculationSerialNumberDigit(aiNumber[21], aiNumber[14], aiNumber[3], aiNumber[14], aiNumber[12]);

    // Each entry is a single digit 0-9; append its decimal text.
    for (size_t cntI = 0; cntI < 16; cntI++)
    {
        strSerialNumber += std::to_string(aiSerialNumber[cntI]);
    }

    printf("SerialNumber: %s\n", strSerialNumber.c_str());

    // Keeps the console window open on Windows.
    system("pause");
    return 0;
}

The output is as follows:
[Screenshot: program output]

4. Testing

After reloading the program and clicking Run, the registration dialog no longer appears.


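学习心得, all rights reserved. Unless otherwise noted, all content is original. This site is licensed under BY-NC-SA; when reposting, please credit "SmartCheck Cracking and Serial Number Algorithm Recovery".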