这是一次比较特别的破解分析,对象是一款国产软件,这里不提它的名字。
该软件信息:可执行文件大小为363,008字节,经aspack加壳,版本3.??,注册费15元/份。请大家支持国产软件;注册机暂不公开,本文仅作为参考研究。
PART1 ==================================================
; Per-character transform of the user name; the author calls the result strname1.
; Format: IDA-style disassembly, 32-bit x86, Intel syntax (address, optional label, instruction).
; Excerpt only: the enclosing function's prologue and the exit target loc_4B29CE are not shown.
; Loop registers: esi = 1-based character index, edi = characters remaining, ebx = working value.
; sub_403DD4, sub_403D90 and sub_40418C are not shown; presumably string runtime helpers (confirm).
004B2924 lea eax, [ebp+var_14]                 ; eax = address of local var_14
004B2927 mov edx, offset str_4B3950            ; author's note: this string is deliberately withheld to hide the product name
004B292C call sub_403DD4                       ; presumably stores the constant string in var_14 (it is read back at 004B297A)
004B2931 mov eax, [ebp+var_4]
004B2934 add eax, 5D0h                         ; eax = address of the field at offset 5D0h
004B2939 mov edx, [ebp+var_4]
004B293C mov edx, [edx+5BCh]                   ; edx = value of the field at offset 5BCh
004B2942 call sub_403D90                       ; presumably copies field 5BCh into field 5D0h (confirm)
004B2947 loc_4B2947: lea eax, [ebp+var_18]
004B294A mov edx, offset unk_4B398C
004B294F call sub_403DD4                       ; same helper, destination var_18 (not used again in this excerpt)
004B2954 mov eax, [ebp+var_4]
004B2957 mov eax, [eax+5D0h]                   ; user name
004B295D call sub_403FBC                       ; get string length
004B2962 mov edi, eax                          ; edi = loop count
004B2964 test edi, edi                         ; = 0 ?
004B2966 jle short loc_4B29CE                  ; nothing to transform for an empty name
004B2968 mov esi, 1                            ; index starts at 1
004B296D loc_4B296D: mov eax, [ebp+var_4]
004B2970 mov eax, [eax+5D0h]                   ; user name (strname)
004B2976 mov bl, [eax+esi-1]                   ; bl = name byte at the current index
004B297A mov eax, [ebp+var_14]                 ; str_4B3950
; NOTE(review): the constant string is read with the name's index; no check against
; its length is visible in this excerpt. Confirm the name length is bounded elsewhere.
004B297D mov al, [eax+esi-1]
004B2981 xor bl, al                            ; author's note: nothing in this algorithm needs explaining
004B2983 and ebx, 0FFh                         ; keep only the low byte
004B2989 xor ebx, esi                          ; mix in the index
004B298B cmp ebx, 41h                          ; 41h is ASCII 'A'
004B298E jge short loc_4B299B
004B2990 loc_4B2990: lea eax, [esi+ebx+16h]    ; below 41h: add index + 16h, repeat until >= 41h
004B2994 mov ebx, eax
004B2996 cmp ebx, 41h
004B2999 jl short loc_4B2990
004B299B loc_4B299B: cmp ebx, 7Ah              ; 7Ah is ASCII 'z'
004B299E jle short loc_4B29AF
004B29A0 loc_4B29A0: sub ebx, 1Bh              ; above 7Ah: subtract 1Bh + index, repeat until <= 7Ah
004B29A3 sub ebx, esi
004B29A5 cmp ebx, 7Ah
004B29A8 jg short loc_4B29A0
004B29AA jmp short loc_4B29AF
004B29AC loc_4B29AC: add ebx, 4                ; value is in 5Bh..60h: step by 4 until it reaches 61h or more
004B29AF loc_4B29AF: cmp ebx, 61h              ; 61h is ASCII 'a'
004B29B2 jge short loc_4B29B9
004B29B4 cmp ebx, 5Ah                          ; 5Ah is ASCII 'Z'
004B29B7 jg short loc_4B29AC
004B29B9 loc_4B29B9: mov eax, [ebp+var_4]
004B29BC add eax, 5D0h
004B29C1 call sub_40418C                       ; returns in eax the pointer written through below (helper not shown)
004B29C6 mov [eax+esi-1], bl                   ; store the result; the author calls the resulting string strname1
004B29CA inc esi
004B29CB dec edi
004B29CC jnz short loc_4B296D                  ; next character
PART2 ==================================================
; Per-character transform of the entered registration code; the author calls the result strcode2.
; Format: IDA-style disassembly, 32-bit x86, Intel syntax (address, optional label, instruction).
; Excerpt only: the enclosing function and the exit target loc_4B2C07 are not shown.
; Loop registers: esi = 1-based character index, edi = characters remaining, ebx = working value.
; The range-adjustment steps from 004B2BC4 onward match those in PART1.
004B2B66 mov eax, [ebp+var_4]
004B2B69 add eax, 5F8h                         ; registration code (strcode)
004B2B6E mov edx, 0Ah                          ; 10
004B2B73 call sub_4042F0                       ; take the first 10 characters of the code; the author calls this strcode1
004B2B78 mov eax, [ebp+var_4]
004B2B7B mov eax, [eax+5F8h]
004B2B81 call sub_403FBC                       ; get the length of strcode1
004B2B86 mov ebx, eax
004B2B88 mov eax, [ebp+var_4]
004B2B8B add eax, 5F8h
004B2B90 mov edx, ebx                          ; edx = the length just measured
004B2B92 call sub_4042F0                       ; same helper again, now with that length (purpose not visible here)
004B2B97 mov eax, [ebp+var_4]
004B2B9A mov eax, [eax+5F8h]
004B2BA0 call sub_403FBC
004B2BA5 mov edi, eax                          ; edi = loop count
004B2BA7 test edi, edi
004B2BA9 jle short loc_4B2C07                  ; nothing to transform for an empty code
004B2BAB mov esi, 1                            ; index starts at 1
004B2BB0 loc_4B2BB0: mov eax, [ebp+var_4]
004B2BB3 mov eax, [eax+5F8h]                   ; strcode1
004B2BB9 xor ebx, ebx
004B2BBB mov bl, [eax+esi-1]                   ; ebx = code byte at the current index
004B2BBF xor ebx, esi                          ; author's note: this algorithm is useful when writing a keygen
004B2BC1 add ebx, 29h                          ; author's note: take a careful look
004B2BC4 cmp ebx, 41h                          ; 41h is ASCII 'A'
004B2BC7 jge short loc_4B2BD4
004B2BC9 loc_4B2BC9: lea eax, [esi+ebx+16h]    ; below 41h: add index + 16h, repeat until >= 41h
004B2BCD mov ebx, eax
004B2BCF cmp ebx, 41h
004B2BD2 jl short loc_4B2BC9
004B2BD4 loc_4B2BD4: cmp ebx, 7Ah              ; 7Ah is ASCII 'z'
004B2BD7 jle short loc_4B2BE8
004B2BD9 loc_4B2BD9: sub ebx, 1Bh              ; above 7Ah: subtract 1Bh + index, repeat until <= 7Ah
004B2BDC sub ebx, esi
004B2BDE cmp ebx, 7Ah
004B2BE1 jg short loc_4B2BD9
004B2BE3 jmp short loc_4B2BE8
004B2BE5 loc_4B2BE5: add ebx, 4                ; value is in 5Bh..60h: step by 4 until it reaches 61h or more
004B2BE8 loc_4B2BE8: cmp ebx, 61h              ; 61h is ASCII 'a'
004B2BEB jge short loc_4B2BF2
004B2BED cmp ebx, 5Ah                          ; 5Ah is ASCII 'Z'
004B2BF0 jg short loc_4B2BE5
004B2BF2 loc_4B2BF2: mov eax, [ebp+var_4]
004B2BF5 add eax, 5F8h
004B2BFA call sub_40418C                       ; returns in eax the pointer written through below (helper not shown)
004B2BFF mov [eax+esi-1], bl                   ; store the result (strcode2)
004B2C03 inc esi
004B2C04 dec edi
004B2C05 jnz short loc_4B2BB0                  ; next character
PART3 ==================================================
; Reduces strname1 to a 10-character string (strname2), then compares it byte by byte
; with strcode2 read in reverse order; the result is the flag byte at [esi+60Ch].
; Format: IDA-style disassembly, 32-bit x86, Intel syntax (address, optional label, instruction).
; Excerpt only: the enclosing function and the target loc_4B0C9E are not shown.
; esi = object pointer, [esi+5ECh] = working name string, ebx = position, edi = initial length,
; then the compare index.
; sub_4A63D8, sub_4041C4, sub_403EE4, sub_403FC4 and sub_4097F0 are not shown; roles below are inferred.
; Review note: every value compared here is computed inside the client from the entered name
; and fixed constants, so the check keeps no secret from anyone who holds the binary.
; A licence check that verifies a vendor signature does not ship its derivation this way.
004B0AB1 xor ebx, ebx
004B0AB3 mov eax, [esi+5ECh]                   ; strname1
004B0AB9 call sub_403FBC                       ; get length
004B0ABE mov edi, eax                          ; author's note: no need to study the next part closely; copy it as-is when writing a keygen
004B0AC0 jmp loc_4B0B7F                        ; enter the shortening loop at its condition
; --- shortening loop: runs while the length is greater than 0Bh ---
004B0AC5 loc_4B0AC5: cmp edi, 15h              ; edi holds the initial length
004B0AC8 jge short loc_4B0ACD
004B0ACA inc ebx                               ; initial length < 15h: advance the position by one
004B0ACB jmp short loc_4B0AE2
004B0ACD loc_4B0ACD: mov eax, [esi+5ECh]
004B0AD3 call sub_403FBC
004B0AD8 mov ecx, 9
004B0ADD cdq
004B0ADE idiv ecx
004B0AE0 mov ebx, edx                          ; ebx = current length mod 9
; NOTE(review): with a remainder of 0, the [..+ebx-1] reads and writes below address
; the byte before the string data. Confirm whether that case can occur.
004B0AE2 loc_4B0AE2: mov eax, [esi+5ECh]
004B0AE8 call sub_403FBC
004B0AED sub eax, ebx                          ; eax = length - ebx
004B0AEF mov edx, [esi+5ECh]
004B0AF5 mov al, [edx+eax-1]                   ; byte counted from the end
004B0AF9 mov edx, [esi+5ECh]
004B0AFF mov dl, [edx+ebx-1]                   ; byte at position ebx
004B0B03 xor al, dl
004B0B05 and eax, 0FFh
004B0B0A add eax, 79h
004B0B0D push eax                              ; keep the value across the helper call
004B0B0E lea eax, [esi+5ECh]
004B0B14 call sub_40418C                       ; returns the pointer written through below
004B0B19 pop edx
004B0B1A mov [eax+ebx-1], dl                   ; overwrite the byte at position ebx
004B0B1E mov eax, [esi+5ECh]
004B0B24 movzx eax, byte ptr [eax+ebx-1]
004B0B29 call sub_4A63D8                       ; byte in eax, byte out in eax (mapping not shown)
004B0B2E push eax
004B0B2F lea eax, [esi+5ECh]
004B0B35 call sub_40418C
004B0B3A pop edx
004B0B3B mov [eax+ebx-1], dl                   ; store the mapped byte at the same position
004B0B3F lea eax, [esi+5ECh]
004B0B45 push eax                              ; stack argument: address of the string field
004B0B46 mov eax, [esi+5ECh]
004B0B4C call sub_403FBC
004B0B51 mov ecx, eax
004B0B53 sub ecx, ebx                          ; ecx = length - ebx
004B0B55 mov edx, 1
004B0B5A mov eax, [esi+5ECh]
004B0B60 call sub_4041C4                       ; presumably a substring copy from index 1, count ecx (confirm)
004B0B65 mov eax, [esi+5ECh]
004B0B6B call sub_403FBC
004B0B70 mov edx, eax
004B0B72 sub edx, ebx                          ; edx = length - ebx
004B0B74 lea eax, [esi+5ECh]
004B0B7A call sub_4042F0                       ; same helper the author describes in PART2 as "take the first N characters"
004B0B7F loc_4B0B7F: mov eax, [esi+5ECh]
004B0B85 call sub_403FBC
004B0B8A cmp eax, 0Bh
004B0B8D jg loc_4B0AC5                         ; repeat while the length is greater than 0Bh
004B0B93 xor ebx, ebx
004B0B95 jmp short loc_4B0BD7                  ; enter the extension loop at its condition
; --- extension loop: runs while the length is below 0Ah (and length - 1 > 0) ---
004B0B97 loc_4B0B97: inc ebx
004B0B98 mov eax, [esi+5ECh]
004B0B9E mov al, [eax+ebx-1]                   ; byte at position ebx
004B0BA2 xor al, 55h
004B0BA4 and eax, 0FFh
004B0BA9 lea edx, [ebx+46h]
004B0BAC xor eax, edx                          ; mix in position + 46h
004B0BAE mov [ebp-5], al
004B0BB1 xor eax, eax
004B0BB3 mov al, [ebp-5]
004B0BB6 call sub_4A63D8                       ; same byte-mapping helper as above
004B0BBB mov [ebp-5], al
004B0BBE lea eax, [ebp-10h]
004B0BC1 mov dl, [ebp-5]
004B0BC4 call sub_403EE4                       ; presumably builds a one-character string at [ebp-10h] (confirm)
004B0BC9 mov edx, [ebp-10h]
004B0BCC lea eax, [esi+5ECh]
004B0BD2 call sub_403FC4                       ; presumably appends it to the working string (confirm)
004B0BD7 loc_4B0BD7: mov eax, [esi+5ECh]
004B0BDD call sub_403FBC
004B0BE2 cmp eax, 0Ah
004B0BE5 jge short loc_4B0BF5                  ; length already >= 0Ah: stop extending
004B0BE7 mov eax, [esi+5ECh]
004B0BED call sub_403FBC
004B0BF2 dec eax
004B0BF3 jg short loc_4B0B97                   ; continue only while length - 1 > 0
004B0BF5 loc_4B0BF5: lea eax, [esi+5ECh]
004B0BFB mov edx, 0Ah
004B0C00 call sub_4042F0                       ; same helper with 0Ah (10)
004B0C05 lea edx, [ebp-14h]
004B0C08 mov eax, [esi+5ECh]
004B0C0E call sub_4097F0                       ; helper not shown; its result is read from [ebp-14h]
004B0C13 mov edx, [ebp-14h]
004B0C16 lea eax, [esi+5ECh]
004B0C1C call sub_403D90                       ; presumably stores that result back into the field (confirm)
004B0C21 lea eax, [ebp-4]
004B0C24 mov edx, [esi+5E0h]
004B0C2A call sub_403DD4                       ; author's note: the code above turns strname1 into the 10-character strname2
; --- compare loop: edi runs from 1 to 0Ah ---
; NOTE(review): the loop always reads 10 bytes from each string; no check of the
; length of [ebp-4] is visible here. Confirm it cannot be shorter than 10.
004B0C2F mov byte ptr [esi+60Ch], 1            ; result flag starts at 1
004B0C36 mov edi, 1
004B0C3B loc_4B0C3B: cmp byte ptr [esi+60Ch], 0
004B0C42 jz short loc_4B0C60                   ; once cleared, the flag stays 0
004B0C44 mov eax, [esi+5ECh]                   ; strname2, len=10
004B0C4A mov al, [eax+edi-1]                   ; read front to back
004B0C4E mov edx, 0Bh
004B0C53 sub edx, edi                          ; edx = 0Bh - edi (mirrored index)
004B0C55 mov ecx, [ebp-4]                      ; strcode2, len=10
004B0C58 mov dl, [ecx+edx-1]                   ; read back to front
004B0C5C xor al,dl                             ; equal?
004B0C5E jz short loc_4B0C64
004B0C60 loc_4B0C60: xor eax, eax              ; mismatch: flag value 0
004B0C62 jmp short loc_4B0C66
004B0C64 loc_4B0C64: mov al, 1                 ; match: flag value 1
004B0C66 loc_4B0C66: mov [esi+60Ch], al
004B0C6C inc edi
004B0C6D cmp edi, 0Bh
004B0C70 jnz short loc_4B0C3B
004B0C72 jmp short loc_4B0C9E                  ; comparison finished; registration succeeded when byte ptr [esi+60Ch]=1
===================================
文章写得不太好,请见谅,谢谢您有兴趣看完。最后给出一组注册码,以便于大家跟踪分析: 用户名:heXer 注册码:KSHPNBY7S7 ===================================
heXer/iPB 2002.06.15