Setup2Go 1.97 cracking notes: algorithm analysis
Author: newlaos[CCG][DFCG]
Software: Setup2Go 1.97 (installer builder)
Compiled: 2003.4.23
Latest version: 1.97 (04.15)
File size: 955KB
License: shareware
Platform: Win9x/Me/NT/2000/XP
Publisher: "http://www.dev4pc.com/products.html"
Description: Setup2Go is a capable installer builder, easy to use and interactive. It needs little programming knowledge or experience to turn out an installer in a very short time, and it supports programs for all current 32-bit Windows systems, including Windows 95, 98, ME, NT4, 2000 and XP. A project wizard helps you generate an install project quickly: creating shortcuts, writing the registry, file-type associations, custom dialogs and screen styles, external tools, editing INI files, adding an install password, test runs and so on. Setup2Go can also build multi-language installers, handy if you sell your software abroad.
Protection: registration code + VC6.0
Restriction: feature-limited
Tools: TRW2000 1.23 registered, W32Dasm 8.93 Gold, FI 2.5, OllyDbg V1.09b Chinese edition
Cracked: 2003-04-17
Author's statement: this is for study only. Do not use it for commercial purposes or spread key generators built with the method in this article; I take no responsibility for the consequences.
1. Checking with FI 2.5 reports a VC6.0 program (it actually carries a compression packer).
2. Static disassembly with the W32Dasm Gold edition turns up nothing.
3. So we have to trace it dynamically. Bring out the national treasure TRW2000, enter the name newlaos and the fake code 78787878, and set BPX hmemcpy (the universal breakpoint). Clicking OK breaks in, and the pmodule command lands at 00415F55, an address that does not exist in the W32Dasm static disassembly. That confirms the original program was compressed.
4. It is best to debug with OllyDbg V1.09b (Chinese edition). Why? Because that is the only way I can write this article for you: there is no way to copy the disassembly out of a TRW2000 trace by hand. Set a breakpoint at 00415F55 with F2:
.......
.......
00415F4F  FF15 C4124000    CALL DWORD PTR DS:[<&USER32.SendMessageA>]   <=== WM_GETTEXT on the name edit control
00415F55  8BFB             MOV EDI,EBX                      <=== the program arrives here; EAX=7 (length of the registration name), EBX -> "newlaos"
00415F57  83C9 FF          OR ECX,FFFFFFFF
00415F5A  33C0             XOR EAX,EAX
00415F5C  8D95 F4FDFFFF    LEA EDX,DWORD PTR SS:[EBP-20C]
00415F62  F2:AE            REPNE SCAS BYTE PTR ES:[EDI]     <=== inline strlen, then an inline strcpy of the name into [EBP-20C]
00415F64  F7D1             NOT ECX
00415F66  2BF9             SUB EDI,ECX
00415F68  53               PUSH EBX                         <=== the buffer for the code text
00415F69  8BC1             MOV EAX,ECX
00415F6B  8BF7             MOV ESI,EDI
00415F6D  8BFA             MOV EDI,EDX
00415F6F  68 00020000      PUSH 200                         <=== buffer size
00415F74  C1E9 02          SHR ECX,2
00415F77  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00415F79  8BC8             MOV ECX,EAX
00415F7B  8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00415F7E  6A 0D            PUSH 0D                          <=== WM_GETTEXT
00415F80  83E1 03          AND ECX,3
00415F83  FF70 38          PUSH DWORD PTR DS:[EAX+38]       <=== hWnd of the code edit control
00415F86  F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00415F88  FF15 C4124000    CALL DWORD PTR DS:[<&USER32.SendMessageA>]
00415F8E  8BFB             MOV EDI,EBX                      <=== EAX=8 (length of the fake code), EBX -> "78787878"
00415F90  83C9 FF          OR ECX,FFFFFFFF
00415F93  33C0             XOR EAX,EAX
00415F95  8D95 F8FEFFFF    LEA EDX,DWORD PTR SS:[EBP-108]
00415F9B  F2:AE            REPNE SCAS BYTE PTR ES:[EDI]     <=== strlen + strcpy of the code into [EBP-108]
00415F9D  F7D1             NOT ECX
00415F9F  2BF9             SUB EDI,ECX
00415FA1  8BC1             MOV EAX,ECX
00415FA3  8BF7             MOV ESI,EDI
00415FA5  8BFA             MOV EDI,EDX
00415FA7  C1E9 02          SHR ECX,2
00415FAA  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00415FAC  8BC8             MOV ECX,EAX
00415FAE  8D85 F8FEFFFF    LEA EAX,DWORD PTR SS:[EBP-108]
00415FB4  50               PUSH EAX                         <=== the entered code
00415FB5  83E1 03          AND ECX,3
00415FB8  8D85 F4FDFFFF    LEA EAX,DWORD PTR SS:[EBP-20C]
00415FBE  F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00415FC0  50               PUSH EAX                         <=== the registration name
00415FC1  E8 DA3A0200      CALL SETUP2GO.00439AA0
00415FC6  8BC8             MOV ECX,EAX
00415FC8  E8 5AE5FFFF      CALL SETUP2GO.00414527           <=== the key CALL; F8 to step into it
00415FCD  5F               POP EDI
00415FCE  5E               POP ESI
00415FCF  84C0             TEST AL,AL                       <=== for registration to succeed AL must not be 0
00415FD1  5B               POP EBX
00415FD2  0F84 5DFFFFFF    JE SETUP2GO.00415F35             <=== the key jump; it must not be taken
00415FD8  68 0D080000      PUSH 80D
00415FDD  EB 18            JMP SHORT SETUP2GO.00415FF7
00415FDF  68 10040000      PUSH 410
00415FE4  6A 01            PUSH 1
00415FE6  E8 7F3B0200      CALL SETUP2GO.00439B6A
00415FEB  59               POP ECX
00415FEC  59               POP ECX
00415FED  E9 43FFFFFF      JMP SETUP2GO.00415F35
00415FF2  68 01080000      PUSH 801
00415FF7  FF75 08          PUSH DWORD PTR SS:[EBP+8]
00415FFA  FF15 8C134000    CALL DWORD PTR DS:[<&USER32.EndDialog>]   <=== closes the dialog: the sign of victory
00416000  B0 01            MOV AL,1
00416002  C9               LEAVE
00416003  C2 1000          RETN 10
---------- 00415FC8  CALL 00414527, the key CALL, stepped into with F8 ----------
00414527  55               PUSH EBP
00414528  8BEC             MOV EBP,ESP
0041452A  51               PUSH ECX
0041452B  51               PUSH ECX
0041452C  53               PUSH EBX                         <=== EBX -> "78787878"
0041452D  56               PUSH ESI
0041452E  57               PUSH EDI
0041452F  8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]     <=== EDI -> "newlaos"
00414532  FF75 0C          PUSH DWORD PTR SS:[EBP+C]        <=== the entered code
00414535  8BD9             MOV EBX,ECX
00414537  57               PUSH EDI                         <=== the name
00414538  E8 97FFFFFF      CALL SETUP2GO.004144D4           <=== another key CALL; F8 into it
0041453D  84C0             TEST AL,AL                       <=== AL must not be 0
0041453F  0F84 C0000000    JE SETUP2GO.00414605             <=== taking this jump means game over
00414545  33F6             XOR ESI,ESI
00414547  8D45 FC          LEA EAX,DWORD PTR SS:[EBP-4]
0041454A  56               PUSH ESI
0041454B  50               PUSH EAX
0041454C  56               PUSH ESI
0041454D  68 3F000F00      PUSH 0F003F                      <=== KEY_ALL_ACCESS: these pushes are the argument list of a RegCreateKeyEx call
00414552  56               PUSH ESI
00414553  68 2CB14000      PUSH SETUP2GO.0040B12C           ; ASCII "Setup2GO"
00414558  56               PUSH ESI
00414559  68 B0B14000      PUSH SETUP2GO.0040B1B0           ; ASCII "software\SDS Software\Setup2GO"
.......
....... a stretch of code that saves the correct registration details is omitted here
00414601  B0 01            MOV AL,1                         <=== the key flag is set here; we must pass through this
00414603  EB 02            JMP SHORT SETUP2GO.00414607
00414605  32C0             XOR AL,AL                        <=== flag cleared: game over
00414607  5F               POP EDI
00414608  5E               POP ESI
00414609  5B               POP EBX
0041460A  C9               LEAVE
0041460B  C2 0800          RETN 8
---------- 00414538  CALL 004144D4, another key CALL, stepped into with F8 ----------
004144D4  55               PUSH EBP
004144D5  8BEC             MOV EBP,ESP
004144D7  51               PUSH ECX
004144D8  33D2             XOR EDX,EDX
004144DA  57               PUSH EDI
004144DB  3955 08          CMP DWORD PTR SS:[EBP+8],EDX     <=== was a user name passed?
004144DE  74 40            JE SHORT SETUP2GO.00414520       <=== must not jump
004144E0  3955 0C          CMP DWORD PTR SS:[EBP+C],EDX     <=== was a registration code passed?
004144E3  74 3B            JE SHORT SETUP2GO.00414520       <=== must not jump
004144E5  8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]     <=== EDI -> "newlaos"
004144E8  83C9 FF          OR ECX,FFFFFFFF
004144EB  33C0             XOR EAX,EAX
004144ED  F2:AE            REPNE SCAS BYTE PTR ES:[EDI]
004144EF  F7D1             NOT ECX
004144F1  49               DEC ECX                          <=== ECX = strlen(name)
004144F2  74 2C            JE SHORT SETUP2GO.00414520       <=== an empty name fails
004144F4  8B7D 0C          MOV EDI,DWORD PTR SS:[EBP+C]
004144F7  83C9 FF          OR ECX,FFFFFFFF
004144FA  F2:AE            REPNE SCAS BYTE PTR ES:[EDI]
004144FC  F7D1             NOT ECX
004144FE  49               DEC ECX                          <=== ECX = strlen(code)
004144FF  83F9 0A          CMP ECX,0A                       <=== the registration code must be exactly 10 characters long
00414502  75 1C            JNZ SHORT SETUP2GO.00414520      <=== if it is not, one jump and it is over
00414504  FF75 0C          PUSH DWORD PTR SS:[EBP+C]        <=== after re-entering the fake code as 7878787878 we get here
00414507  8D45 FC          LEA EAX,DWORD PTR SS:[EBP-4]
0041450A  8955 FC          MOV DWORD PTR SS:[EBP-4],EDX     <=== a local DWORD, zeroed; the callee stores the seed derived from the code's first two characters in it
0041450D  50               PUSH EAX
0041450E  68 74B44000      PUSH SETUP2GO.0040B474           ; ASCII "pasha and andrey"
00414513  FF75 08          PUSH DWORD PTR SS:[EBP+8]        <=== push "newlaos"
00414516  E8 BB130100      CALL SETUP2GO.004258D6           <=== the key CALL; F8 into it
0041451B  83C4 10          ADD ESP,10                       <=== by the time we return here the real registration code has been built and compared inside the call; AL carries the verdict
0041451E  EB 02            JMP SHORT SETUP2GO.00414522
00414520  32C0             XOR AL,AL
00414522  5F               POP EDI
00414523  C9               LEAVE
00414524  C2 0800          RETN 8
---------- 00414516  CALL 004258D6, the key algorithm CALL, stepped into with F8 ----------
004258D6  55               PUSH EBP
004258D7  8BEC             MOV EBP,ESP
004258D9  51               PUSH ECX
004258DA  53               PUSH EBX
004258DB  8B5D 14          MOV EBX,DWORD PTR SS:[EBP+14]    <=== EBX -> "7878787878" (the entered code)
004258DE  56               PUSH ESI
004258DF  57               PUSH EDI
004258E0  8BFB             MOV EDI,EBX
004258E2  83C9 FF          OR ECX,FFFFFFFF
004258E5  33C0             XOR EAX,EAX
004258E7  F2:AE            REPNE SCAS BYTE PTR ES:[EDI]
004258E9  F7D1             NOT ECX
004258EB  49               DEC ECX
004258EC  8BF9             MOV EDI,ECX                      <=== EDI = strlen(code) = 10
004258EE  8D47 01          LEA EAX,DWORD PTR DS:[EDI+1]
004258F1  50               PUSH EAX                         <=== strlen + 1
004258F2  E8 26F70200      CALL SETUP2GO.0045501D           <=== after this CALL, EAX pointed at "78KB0HS6MA", so I stepped into it too (see below)
004258F7  8B75 10          MOV ESI,DWORD PTR SS:[EBP+10]    <=== not sure whether a memory patch keygen could be made here
.......
....... a stretch of unrelated code is omitted here
00425961  C3               RETN

A note on 0045501D before following it: its only argument is strlen(code)+1, and the chain it leads into (a size check against 0FFFFFFE0, a retry through a new-handler, a lock with ID 9 around a small-block-heap allocation) is the VC6 CRT's operator new -> _nh_malloc -> _heap_alloc_base. It allocates the 11-byte buffer that will receive the generated code; it does not compute anything. The allocator does not clear recycled blocks, so the buffer can still hold the code computed (and freed at 00425953) during an earlier check with the same input. That is where "78KB0HS6MA" in EAX comes from. The real algorithm is in 004257A8, further down.
---------- 004258F2  CALL 0045501D, where 78KB0HS6MA appeared in EAX; F8 into it ----------
0045501D  6A 01            PUSH 1                           <=== nhFlag = 1
0045501F  FF7424 08        PUSH DWORD PTR SS:[ESP+8]        <=== the requested size
00455023  E8 43210000      CALL SETUP2GO.0045716B           <=== _nh_malloc; F8 into it
00455028  59               POP ECX
00455029  59               POP ECX
0045502A  C3               RETN
---------- 00455023  CALL 0045716B, F8 into it again ----------
0045716B  837C24 04 E0     CMP DWORD PTR SS:[ESP+4],-20     <=== size > 0FFFFFFE0 (_HEAP_MAXREQ)?
00457170  77 22            JA SHORT SETUP2GO.00457194       <=== then return NULL
00457172  FF7424 04        PUSH DWORD PTR SS:[ESP+4]
00457176  E8 1C000000      CALL SETUP2GO.00457197           <=== _heap_alloc; F8 into it
0045717B  85C0             TEST EAX,EAX
0045717D  59               POP ECX
0045717E  75 16            JNZ SHORT SETUP2GO.00457196      <=== allocation succeeded: return the block
00457180  394424 08        CMP DWORD PTR SS:[ESP+8],EAX     <=== nhFlag == 0?
00457184  74 10            JE SHORT SETUP2GO.00457196
00457186  FF7424 04        PUSH DWORD PTR SS:[ESP+4]
0045718A  E8 F5E5FFFF      CALL SETUP2GO.00455784           <=== _callnewh: run the new-handler, then retry
0045718F  85C0             TEST EAX,EAX
00457191  59               POP ECX
00457192  75 DE            JNZ SHORT SETUP2GO.00457172
00457194  33C0             XOR EAX,EAX
00457196  C3               RETN
---------- 00457176  CALL 00457197, F8 into it ----------
00457197  55               PUSH EBP
00457198  8BEC             MOV EBP,ESP
0045719A  6A FF            PUSH -1
0045719C  68 38394000      PUSH SETUP2GO.00403938
004571A1  68 A86B4500      PUSH SETUP2GO.00456BA8
004571A6  64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
004571AC  50               PUSH EAX
004571AD  64:8925 00000000 MOV DWORD PTR FS:[0],ESP         <=== SEH frame: a __try/__finally around the heap lock
004571B4  83EC 0C          SUB ESP,0C
004571B7  53               PUSH EBX
004571B8  56               PUSH ESI
004571B9  57               PUSH EDI
004571BA  A1 C49A4600      MOV EAX,DWORD PTR DS:[469AC4]    <=== __active_heap
004571BF  83F8 03          CMP EAX,3                        <=== == __V6_HEAP?
004571C2  75 43            JNZ SHORT SETUP2GO.00457207      <=== not taken
004571C4  8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]     <=== requested size
004571C7  3B35 BC9A4600    CMP ESI,DWORD PTR DS:[469ABC]    <=== __sbh_threshold
004571CD  0F87 93000000    JA SETUP2GO.00457266
004571D3  6A 09            PUSH 9                           <=== _HEAP_LOCK
004571D5  E8 13220000      CALL SETUP2GO.004593ED           <=== _lock
004571DA  59               POP ECX
004571DB  8365 FC 00       AND DWORD PTR SS:[EBP-4],0
004571DF  56               PUSH ESI
004571E0  E8 314E0000      CALL SETUP2GO.0045C016           <=== __sbh_alloc_block hands out a small-block-heap chunk; F8 into it (it really is buried deep)
004571E5  59               POP ECX
004571E6  8945 E4          MOV DWORD PTR SS:[EBP-1C],EAX
004571E9  834D FC FF       OR DWORD PTR SS:[EBP-4],FFFFFFFF
004571ED  E8 0C000000      CALL SETUP2GO.004571FE           <=== the __finally block: unlock
004571F2  8B45 E4          MOV EAX,DWORD PTR SS:[EBP-1C]
004571F5  85C0             TEST EAX,EAX
004571F7  74 6D            JE SHORT SETUP2GO.00457266
004571F9  E9 86000000      JMP SETUP2GO.00457284
004571FE  6A 09            PUSH 9
00457200  E8 49220000      CALL SETUP2GO.0045944E           <=== _unlock
00457205  59               POP ECX
00457206  C3               RETN
---------- 004571E0  CALL 0045C016, F8 into it ----------
0045C016  55               PUSH EBP
.......
....... a large stretch of unrelated allocator code is omitted here
0045C31A  5F               POP EDI
0045C31B  5E               POP ESI
0045C31C  5B               POP EBX                          <=== EBX -> "7878787878"
0045C31D  C9               LEAVE
0045C31E  C3               RETN
......
...... this RETN lands in the following code:
004571E5  59               POP ECX                          ; 007C000C
004571E6  8945 E4          MOV DWORD PTR SS:[EBP-1C],EAX    <=== the new block is parked in [EBP-1C]
004571E9  834D FC FF       OR DWORD PTR SS:[EBP-4],FFFFFFFF
004571ED  E8 0C000000      CALL SETUP2GO.004571FE           <=== returns with EAX=8187BD44 (only the unlock routine's return value)
004571F2  8B45 E4          MOV EAX,DWORD PTR SS:[EBP-1C]    <=== the block comes back into EAX
004571F5  85C0             TEST EAX,EAX
004571F7  74 6D            JE SHORT SETUP2GO.00457266
004571F9  E9 86000000      JMP SETUP2GO.00457284            <=== we jump away from here
.......
.......
00457284  8B4D F0          MOV ECX,DWORD PTR SS:[EBP-10]    <=== we land here
00457287  64:890D 00000000 MOV DWORD PTR FS:[0],ECX         <=== unwind the SEH frame
0045728E  5F               POP EDI
0045728F  5E               POP ESI
00457290  5B               POP EBX
00457291  C9               LEAVE
00457292  C3               RETN
.......
....... this RETN lands in the following code:
0045717B  85C0             TEST EAX,EAX
0045717D  59               POP ECX
0045717E  75 16            JNZ SHORT SETUP2GO.00457196      <=== jump taken
00457180  394424 08        CMP DWORD PTR SS:[ESP+8],EAX
00457184  74 10            JE SHORT SETUP2GO.00457196
00457186  FF7424 04        PUSH DWORD PTR SS:[ESP+4]
0045718A  E8 F5E5FFFF      CALL SETUP2GO.00455784
0045718F  85C0             TEST EAX,EAX
00457191  59               POP ECX
00457192  75 DE            JNZ SHORT SETUP2GO.00457172
00457194  33C0             XOR EAX,EAX
00457196  C3               RETN                             <=== we land here
........
........ this RETN lands in the following code:
00455028  59               POP ECX
00455029  59               POP ECX
0045502A  C3               RETN
.......
....... this RETN lands in the following code:
004258F7  8B75 10          MOV ESI,DWORD PTR SS:[EBP+10]    <=== ESI -> the caller's local DWORD (the seed output)
004258FA  59               POP ECX
004258FB  85F6             TEST ESI,ESI
004258FD  8945 FC          MOV DWORD PTR SS:[EBP-4],EAX     <=== [EBP-4] = the freshly allocated 11-byte buffer
00425900  74 2B            JE SHORT SETUP2GO.0042592D
00425902  8A43 01          M OV AL,BYTE PTR DS:[EBX+1]      <=== the 2nd character of "7878787878"
00425905  50               PUSH EAX
00425906  E8 A9FFFFFF      CALL SETUP2GO.004258B4           <=== hex digit to value
0042590B  8BD0             MOV EDX,EAX                      <=== EAX=8 (extracted); the character itself was 38h (ASCII '8')
0042590D  8A03             MOV AL,BYTE PTR DS:[EBX]         <=== the 1st character of "7878787878"
0042590F  50               PUSH EAX
00425910  8955 10          MOV DWORD PTR SS:[EBP+10],EDX
00425913  E8 9CFFFFFF      CALL SETUP2GO.004258B4           <=== EAX=7 (extracted); the character itself was 37h (ASCII '7')
00425918  59               POP ECX
00425919  59               POP ECX
0042591A  8B4D 10          MOV ECX,DWORD PTR SS:[EBP+10]
0042591D  C1E0 04          SHL EAX,4                        <=== EAX = 7 SHL 4 = 70
00425920  03C8             ADD ECX,EAX                      <=== ECX = 8 + 70 = 78
00425922  81F1 FF000000    XOR ECX,0FF                      <=== ECX = 87
00425928  83E9 55          SUB ECX,55                       <=== ECX = 87 - 55 = 32
0042592B  890E             MOV DWORD PTR DS:[ESI],ECX       <=== the seed, 32, goes into the caller's local
0042592D  57               PUSH EDI                         <=== length 10
0042592E  FF75 FC          PUSH DWORD PTR SS:[EBP-4]        <=== the output buffer
00425931  FF36             PUSH DWORD PTR DS:[ESI]          <=== 32
00425933  FF75 0C          PUSH DWORD PTR SS:[EBP+C]        <=== "pasha and andrey"
00425936  FF75 08          PUSH DWORD PTR SS:[EBP+8]        <=== "newlaos"
00425939  E8 6AFEFFFF      CALL SETUP2GO.004257A8           <=== builds the real code; inside, the name is cycled to 10 characters ("newlaosnew"). F8 into it
0042593E  57               PUSH EDI                         <=== length 10
0042593F  53               PUSH EBX                         <=== the fake code 7878787878
00425940  FF75 FC          PUSH DWORD PTR SS:[EBP-4]        <=== "78KB0HS6MA", the real code
00425943  E8 E8100300      CALL SETUP2GO.00456A30           <=== compares the two; returns 0 on a match
00425948  FF75 FC          PUSH DWORD PTR SS:[EBP-4]
0042594B  8BD8             MOV EBX,EAX
0042594D  F7DB             NEG EBX
0042594F  1ADB             SBB BL,BL
00425951  FEC3             INC BL                           <=== BL = 1 if the compare returned 0, otherwise 0
00425953  E8 CAF10200      CALL SETUP2GO.00454B22           <=== frees the code buffer (the counterpart of 0045501D)
00425958  83C4 24          ADD ESP,24
0042595B  8AC3             MOV AL,BL
0042595D  5F               POP EDI
0042595E  5E               POP ESI
0042595F  5B               POP EBX
00425960  C9               LEAVE
00425961  C3               RETN
---------- 00425939  CALL SETUP2GO.004257A8, stepping in lands in the following code ----------
004257A8  55               PUSH EBP
004257A9  8BEC             MOV EBP,ESP
004257AB  51               PUSH ECX
004257AC  51               PUSH ECX
004257AD  53               PUSH EBX
004257AE  8B5D 18          MOV EBX,DWORD PTR SS:[EBP+18]    <=== EBX = 10, the code length
004257B1  56               PUSH ESI
004257B2  57               PUSH EDI
004257B3  8D73 01          LEA ESI,DWORD PTR DS:[EBX+1]     <=== 11
004257B6  56               PUSH ESI
004257B7  E8 61F80200      CALL SETUP2GO.0045501D           <=== allocate 11 bytes (the block came back still holding "Setup2Go": stale contents again, not a result)
004257BC  56               PUSH ESI
004257BD  8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
004257C0  E8 58F80200      CALL SETUP2GO.0045501D           <=== allocate another 11 bytes
004257C5  8365 18 00       AND DWORD PTR SS:[EBP+18],0      <=== [EBP+18] is reused as the CRC accumulator, starting from 0
004257C9  53               PUSH EBX                         <=== 10
004257CA  FF75 08          PUSH DWORD PTR SS:[EBP+8]        <=== "newlaos"
004257CD  8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
004257D0  FF75 FC          PUSH DWORD PTR SS:[EBP-4]
004257D3  E8 31FFFFFF      CALL SETUP2GO.00425709           <=== EAX -> "newlaosnew" (the name repeated cyclically to fill 10 characters)
004257D8  53               PUSH EBX
004257D9  FF75 0C          PUSH DWORD PTR SS:[EBP+C]        <=== "pasha and andrey"
004257DC  FF75 F8          PUSH DWORD PTR SS:[EBP-8]
004257DF  E8 25FFFFFF      CALL SETUP2GO.00425709           <=== EAX -> "pasha and " (only 10 characters kept)
004257E4  8B75 10          MOV ESI,DWORD PTR SS:[EBP+10]    <=== 32, the value computed earlier from the first two characters of the code
004257E7  BF FF000000      MOV EDI,0FF
004257EC  23F7             AND ESI,EDI
004257EE  83C6 55          ADD ESI,55                       <=== ESI = 32 + 55 = 87
004257F1  33F7             XOR ESI,EDI                      <=== ESI = 78. We are back where we started: the program only echoes the first two characters, so any two hex digits are accepted there. (For values above AAh the SUB 55h wraps and the high nibble handed to 00425772 exceeds 0Fh; what happens then is not examined here.)
004257F3  8BC6             MOV EAX,ESI
004257F5  C1E8 04          SHR EAX,4                        <=== EAX = 78 SHR 4 = 7
004257F8  50               PUSH EAX
004257F9  E8 74FFFFFF      CALL SETUP2GO.00425772           <=== value to hex digit: EAX = 37h ('7')
004257FE  8B4D 14          MOV ECX,DWORD PTR SS:[EBP+14]    <=== ECX -> the output buffer (it holds stale junk at this point)
00425801  83E6 0F          AND ESI,0F                       <=== ESI = 8
00425804  56               PUSH ESI
00425805  8801             MOV BYTE PTR DS:[ECX],AL         <=== out[0] = '7' (the buffer now reads "7umber")
00425807  E8 66FFFFFF      CALL SETUP2GO.00425772           <=== EAX = 38h ('8')
0042580C  8B55 14          MOV EDX,DWORD PTR SS:[EBP+14]
0042580F  83C4 28          ADD ESP,28
00425812  33F6             XOR ESI,ESI                      <=== ESI = loop index, 0
00425814  85DB             TEST EBX,EBX
00425816  8842 01          MOV BYTE PTR DS:[EDX+1],AL       <=== out[1] = '8' (the buffer now reads "78mber")
00425819  7E 26            JLE SHORT SETUP2GO.00425841
0042581B  8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]     <=== "pasha and andrey"
0042581E  8B4D 18          MOV ECX,DWORD PTR SS:[EBP+18]    <=== the accumulator
00425821  23CF             AND ECX,EDI                      <=== its low byte
00425823  8A0406           MOV AL,BYTE PTR DS:[ESI+EAX]     <=== the next character of "pasha and andrey", one per round
00425826  23C7             AND EAX,EDI
00425828  33C1             XOR EAX,ECX                      <=== table index = (character XOR low byte of the accumulator)
0042582A  8B4D 18          MOV ECX,DWORD PTR SS:[EBP+18]
0042582D  C1E9 08          SHR ECX,8                        <=== accumulator >> 8
00425830  8B0485 24C24000  MOV EAX,DWORD PTR DS:[EAX*4+40C224]  <=== here is another huge 256-entry table (the same one as in Iparmor 5.41; teacher Xiaolou once said this is CRC32, but I did not understand it, so I used the dumb method and copied it out)
********************* the table, 256 values in all *********************
77073096 EE0E612C 990951BA 076DC419 706AF48F E963A535 9E6495A3 0EDB8832
79DCB8A4 E0D5E91E 97D2D988 09B64C2B 7EB17CBD E7B82D07 90BF1D91 00000000
6AB020F2 F3B97148 84BE41DE 1ADAD47D 6DDDE4EB F4D4B551 83D385C7 136C9856
646BA8C0 FD62F97A 8A65C9EC 14015C4F 63066CD9 FA0F3D63 8D080DF5 3B6E20C8
4C69105E D56041E4 A2677172 3C03E4D1 4B04D447 D20D85FD A50AB56B 35B5A8FA
42B2986C DBBBC9D6 ACBCF940 32D86CE3 45DF5C75 DCD60DCF ABD13D59 26D930AC
51DE003A C8D75180 BFD06116 21B4F4B5 56B3C423 CFBA9599 B8BDA50F 2802B89E
5F058808 C60CD9B2 B10BE924 2F6F7C87 58684C11 C1611DAB B6662D3D 76DC4190
01DB7106 98D220BC EFD5102A 71B18589 06B6B51F 9FBFE4A5 E8B8D433 7807C9A2
0F00F934 9609A88E E10E9818 7F6A0DBB 086D3D2D 91646C97 E6635C01 6B6B51F4
1C6C6162 856530D8 F262004E 6C0695ED 1B01A57B 8208F4C1 F50FC457 65B0D9C6
12B7E950 8BBEB8EA FCB9887C 62DD1DDF 15DA2D49 8CD37CF3 FBD44C65 4DB26158
3AB551CE A3BC0074 D4BB30E2 4ADFA541 3DD895D7 A4D1C46D D3D6F4FB 4369E96A
346ED9FC AD678846 DA60B8D0 44042D73 33031DE5 AA0A4C5F DD0D7CC9 5005713C
270241AA BE0B1010 C90C2086 5768B525 206F85B3 B966D409 CE61E49F 5EDEF90E
29D9C998 B0D09822 C7D7A8B4 59B33D17 2EB40D81 B7BD5C3B C0BA6CAD EDB88320
9ABFB3B6 03B6E20C 74B1D29A EAD54739 9DD277AF 04DB2615 73DC1683 E3630B12
94643B84 0D6D6A3E 7A6A5AA8 E40ECF0B 9309FF9D 0A00AE27 7D079EB1 F00F9344
8708A3D2 1E01F268 6906C2FE F762575D 806567CB 196C3671 6E6B06E7 FED41B76
89D32BE0 10DA7A5A 67DD4ACC F9B9DF6F 8EBEEFF9 17B7BE43 60B08ED5 D6D6A3E8
A1D1937E 38D8C2C4 4FDFF252 D1BB67F1 A6BC5767 3FB506DD 48B2364B D80D2BDA
AF0A1B4C 36034AF6 41047A60 DF60EFC3 A867DF55 316E8EEF 4669BE79 CB61B38C
BC66831A 256FD2A0 5268E236 CC0C7795 BB0B4703 220216B9 5505262F C5BA3BBE
B2BD0B28 2BB45A92 5CB36A04 C2D7FFA7 B5D0CF31 2CD99E8B 5BDEAE1D 9B64C2B0
EC63F226 756AA39C 026D930A 9C0906A9 EB0E363F 72076785 05005713 95BF4A82
E2B87A14 7BB12BAE 0CB61B38 92D28E9B E5D5BE0D 7CDCEFB7 0BDBDF21 86D3D2D4
F1D4E242 68DDB3F8 1FDA836E 81BE16CD F6B9265B 6FB077E1 18B74777 88085AE6
FF0F6A70 66063BCA 11010B5C 8F659EFF F862AE69 616BFFD3 166CCF45 A00AE278
D70DD2EE 4E048354 3903B3C2 A7672661 D06016F7 4969474D 3E6E77DB AED16A4A
D9D65ADC 40DF0B66 37D83BF0 A9BCAE53 DEBB9EC5 47B2CF7F 30B5FFE9 BDBDF21C
CABAC28A 53B39330 24B4A3A6 BAD03605 CDD70693 54DE5729 23D967BF B3667A2E
C4614AB8 5D681B02 2A6F2B94 B40BBE37 C30C8EA1 5A05DF1B 2D02EF8D 0000003D  <=== only this last one differs from Iparmor's
************************************************************************
What the dump shows is the standard CRC-32 lookup table (reflected polynomial EDB88320, which sits at entry 128) from entry 1 to entry 255, followed by one DWORD past the end of the table (0000003D). Entry 0, which is 00000000, is not in the dump; that is why the VB keygen in section 5 prepends a 0 to the array. Entry 16 appears above as 00000000, but in the standard table it is 1DB71064. Every intermediate value traced below (DE928F52, 4BDA46C8, ...) is reproduced by the standard table.
00425837  33C1             XOR EAX,ECX                      <=== new accumulator = table[index] XOR (accumulator >> 8): the CRC-32 table update
00425839  46               INC ESI                          <=== ESI = ESI + 1
0042583A  3BF3             CMP ESI,EBX                      <=== EBX = 10, so this loop runs 10 times (much better than Iparmor's 71)
0042583C  8945 18          MOV DWORD PTR SS:[EBP+18],EAX    <=== the running value is kept in SS:[EBP+18]; after the 10th round it is DE928F52. Since "pasha and " never changes, this is a constant, and a keygen can simply start from it (a small shortcut)
0042583F  7C DA            JL SHORT SETUP2GO.0042581B       <=== jump back: the loop, 10 times
00425841  83FB 02          CMP EBX,2
00425844  7E 53            JLE SHORT SETUP2GO.00425899
00425846  8B75 FC          MOV ESI,DWORD PTR SS:[EBP-4]     <=== ESI -> "newlaosnew"
00425849  8D43 FE          LEA EAX,DWORD PTR DS:[EBX-2]     <=== 8 characters still to produce
0042584C  2BF2             SUB ESI,EDX                      <=== EDX -> the output buffer ("78mber"); ESI = name - out, so that [ESI+ECX] walks the name in step with the output
0042584E  8D4A 02          LEA ECX,DWORD PTR DS:[EDX+2]     <=== ECX -> out+2 ("mber")
00425851  8975 08          MOV DWORD PTR SS:[EBP+8],ESI
00425854  8945 0C          MOV DWORD PTR SS:[EBP+C],EAX
00425857  EB 03            JMP SHORT SETUP2GO.0042585C      <=== jump taken
************** the loop starts here **************
00425859  8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]
0042585C  8A040E           MOV AL,BYTE PTR DS:[ESI+ECX]     <=== fetch the characters of "newlaosnew" one at a time, starting from the 3rd; a double-byte Chinese character contributes one byte per round
0042585F  8B55 18          MOV EDX,DWORD PTR SS:[EBP+18]    <=== EDX takes in turn DE928F52, 4BDA46C8, D1F0BDB7, 6F61875C, BFBF0091, 4EBB3C54, C642628E, 371E7992
00425862  23C7             AND EAX,EDI                      <=== EDI = FF: keep only the low byte of EAX, 77 ('w')
00425864  23D7             AND EDX,EDI                      <=== keep only the low byte of EDX, 52
00425866  33C2             XOR EAX,EDX                      <=== EAX = 77 XOR 52 = 25
00425868  8B55 18          MOV EDX,DWORD PTR SS:[EBP+18]    <=== EDX = DE928F52
0042586B  C1EA 08          SHR EDX,8                        <=== EDX = DE928F
0042586E  8B0485 24C24000  MOV EAX,DWORD PTR DS:[EAX*4+40C224]  <=== table lookup again, EAX = 4B04D447
00425875  6A 24            PUSH 24                          <=== our old friend 24h (36 decimal: 10 digits plus 26 letters, so the remainder of a division by 36 selects the output character)
00425877  33C2             XOR EAX,EDX                      <=== EAX = 4B04D447 XOR DE928F = 4BDA46C8; in turn 4BDA46C8, D1F0BDB7, 6F61875C, BFBF0091, 4EBB3C54, C642628E, 371E7992, D057088E
00425879  33D2             XOR EDX,EDX                      <=== EDX = 0
0042587B  5E               POP ESI                          <=== ESI = 24h
0042587C  8945 18          MOV DWORD PTR SS:[EBP+18],EAX    <=== the new value goes back into the accumulator
0042587F  F7F6             DIV ESI                          <=== now the character is picked: an unsigned divide first
00425881  83FA 0A          CMP EDX,0A                       <=== remainder 10 or more?
00425884  73 05            JNB SHORT SETUP2GO.0042588B      <=== JNB = jump if not below
00425886  80C2 30          ADD DL,30                        <=== remainder 0..9: add 30h, giving '0'..'9'
00425889  EB 03            JMP SHORT SETUP2GO.0042588E
0042588B  80C2 37          ADD DL,37                        <=== remainder 10..35: add 37h, giving 'A'..'Z'
0042588E  8811             MOV BYTE PTR DS:[ECX],DL         <=== the character is stored at [ECX]; the real code comes out one character at a time (K,B,0,H,S,6,M,A)
00425890  41               INC ECX
00425891  FF4D 0C          DEC DWORD PTR SS:[EBP+C]         <=== SS:[EBP+C] starts at 8
00425894  75 C3            JNZ SHORT SETUP2GO.00425859      <=== loops back 8 times, producing the last 8 characters of the code
00425896  8B55 14          MOV EDX,DWORD PTR SS:[EBP+14]
00425899  FF75 FC          PUSH DWORD PTR SS:[EBP-4]
0042589C  80241A 00        AND BYTE PTR DS:[EDX+EBX],0      <=== NUL-terminate the output
004258A0  E8 7DF20200      CALL SETUP2GO.00454B22           <=== free the two temporary copies
004258A5  FF75 F8          PUSH DWORD PTR SS:[EBP-8]
004258A8  E8 75F20200      CALL SETUP2GO.00454B22
004258AD  59               POP ECX
004258AE  59               POP ECX
004258AF  5F               POP EDI
004258B0  5E               POP ESI
004258B1  5B               POP EBX
004258B2  C9               LEAVE
004258B3  C3               RETN

To sum up the algorithm: the code is 10 characters. Characters 1 and 2 are two hex digits that the program merely echoes back. The remaining 8 come from a CRC-32 table walk: start from 0, feed the 10 bytes "pasha and " (giving the constant DE928F52), then feed bytes 3 to 10 of the name repeated cyclically to 10 bytes, and after each of those 8 rounds emit the accumulator modulo 36 as a digit or an uppercase letter.
5. Keygen source code
------------ VB6.0, compiled and tested under Win98 ------------
Private Sub Command1_Click()
    Dim i As Integer
    Dim h As Integer
    Dim e As Integer
    Dim k As Integer
    Dim edx As Long
    Dim eax As Long
    Dim ss As Long
    Dim startin As String
    Dim A As Variant
    Dim B As Variant

    startin = Text1.Text
    nlen = Len(startin)
    mabiao = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    ' The table read at [EAX*4+40C224]. A(0) = 0 is the entry missing from the dump;
    ' A(1)..A(255) are the dumped values, i.e. the standard CRC-32 table. The dump shows
    ' 00000000 at entry 16 where the standard table has 1DB71064; the standard value is
    ' used here. The final &H3D is the DWORD after the table and is never indexed.
    A = Array(0, &H77073096, &HEE0E612C, &H990951BA, &H76DC419, &H706AF48F, &HE963A535, &H9E6495A3, &HEDB8832, _
        &H79DCB8A4, &HE0D5E91E, &H97D2D988, &H9B64C2B, &H7EB17CBD, &HE7B82D07, &H90BF1D91, &H1DB71064, _
        &H6AB020F2, &HF3B97148, &H84BE41DE, &H1ADAD47D, &H6DDDE4EB, &HF4D4B551, &H83D385C7, &H136C9856, _
        &H646BA8C0, &HFD62F97A, &H8A65C9EC, &H14015C4F, &H63066CD9, &HFA0F3D63, &H8D080DF5, &H3B6E20C8, _
        &H4C69105E, &HD56041E4, &HA2677172, &H3C03E4D1, &H4B04D447, &HD20D85FD, &HA50AB56B, &H35B5A8FA, _
        &H42B2986C, &HDBBBC9D6, &HACBCF940, &H32D86CE3, &H45DF5C75, &HDCD60DCF, &HABD13D59, &H26D930AC, _
        &H51DE003A, &HC8D75180, &HBFD06116, &H21B4F4B5, &H56B3C423, &HCFBA9599, &HB8BDA50F, &H2802B89E, _
        &H5F058808, &HC60CD9B2, &HB10BE924, &H2F6F7C87, &H58684C11, &HC1611DAB, &HB6662D3D, &H76DC4190, _
        &H1DB7106, &H98D220BC, &HEFD5102A, &H71B18589, &H6B6B51F, &H9FBFE4A5, &HE8B8D433, &H7807C9A2, _
        &HF00F934, &H9609A88E, &HE10E9818, &H7F6A0DBB, &H86D3D2D, &H91646C97, &HE6635C01, &H6B6B51F4, _
        &H1C6C6162, &H856530D8, &HF262004E, &H6C0695ED, &H1B01A57B, &H8208F4C1, &HF50FC457, &H65B0D9C6, _
        &H12B7E950, &H8BBEB8EA, &HFCB9887C, &H62DD1DDF, &H15DA2D49, &H8CD37CF3, &HFBD44C65, &H4DB26158, _
        &H3AB551CE, &HA3BC0074, &HD4BB30E2, &H4ADFA541, &H3DD895D7, &HA4D1C46D, &HD3D6F4FB, &H4369E96A, _
        &H346ED9FC, &HAD678846, &HDA60B8D0, &H44042D73, &H33031DE5, &HAA0A4C5F, &HDD0D7CC9, &H5005713C, _
        &H270241AA, &HBE0B1010, &HC90C2086, &H5768B525, &H206F85B3, &HB966D409, &HCE61E49F, &H5EDEF90E, _
        &H29D9C998, &HB0D09822, &HC7D7A8B4, &H59B33D17, &H2EB40D81, &HB7BD5C3B, &HC0BA6CAD, &HEDB88320, _
        &H9ABFB3B6, &H3B6E20C, &H74B1D29A, &HEAD54739, &H9DD277AF, &H4DB2615, &H73DC1683, &HE3630B12, _
        &H94643B84, &HD6D6A3E, &H7A6A5AA8, &HE40ECF0B, &H9309FF9D, &HA00AE27, &H7D079EB1, &HF00F9344, _
        &H8708A3D2, &H1E01F268, &H6906C2FE, &HF762575D, &H806567CB, &H196C3671, &H6E6B06E7, &HFED41B76, _
        &H89D32BE0, &H10DA7A5A, &H67DD4ACC, &HF9B9DF6F, &H8EBEEFF9, &H17B7BE43, &H60B08ED5, &HD6D6A3E8, _
        &HA1D1937E, &H38D8C2C4, &H4FDFF252, &HD1BB67F1, &HA6BC5767, &H3FB506DD, &H48B2364B, &HD80D2BDA, _
        &HAF0A1B4C, &H36034AF6, &H41047A60, &HDF60EFC3, &HA867DF55, &H316E8EEF, &H4669BE79, &HCB61B38C, _
        &HBC66831A, &H256FD2A0, &H5268E236, &HCC0C7795, &HBB0B4703, &H220216B9, &H5505262F, &HC5BA3BBE, _
        &HB2BD0B28, &H2BB45A92, &H5CB36A04, &HC2D7FFA7, &HB5D0CF31, &H2CD99E8B, &H5BDEAE1D, &H9B64C2B0, _
        &HEC63F226, &H756AA39C, &H26D930A, &H9C0906A9, &HEB0E363F, &H72076785, &H5005713, &H95BF4A82, _
        &HE2B87A14, &H7BB12BAE, &HCB61B38, &H92D28E9B, &HE5D5BE0D, &H7CDCEFB7, &HBDBDF21, &H86D3D2D4, _
        &HF1D4E242, &H68DDB3F8, &H1FDA836E, &H81BE16CD, &HF6B9265B, &H6FB077E1, &H18B74777, &H88085AE6, _
        &HFF0F6A70, &H66063BCA, &H11010B5C, &H8F659EFF, &HF862AE69, &H616BFFD3, &H166CCF45, &HA00AE278, _
        &HD70DD2EE, &H4E048354, &H3903B3C2, &HA7672661, &HD06016F7, &H4969474D, &H3E6E77DB, &HAED16A4A, _
        &HD9D65ADC, &H40DF0B66, &H37D83BF0, &HA9BCAE53, &HDEBB9EC5, &H47B2CF7F, &H30B5FFE9, &HBDBDF21C, _
        &HCABAC28A, &H53B39330, &H24B4A3A6, &HBAD03605, &HCDD70693, &H54DE5729, &H23D967BF, &HB3667A2E, _
        &HC4614AB8, &H5D681B02, &H2A6F2B94, &HB40BBE37, &HC30C8EA1, &H5A05DF1B, &H2D02EF8D, &H3D)

    ' Preparation on the registration name: B(0..9) receives the name repeated
    ' cyclically to 10 bytes, as 00425709 does. Asc() of a Chinese (DBCS) character
    ' is negative; it is split into its two bytes, because the program reads the
    ' name byte by byte.
    B = Array(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    k = 1       ' number of bytes in the current character
    tlen = 0
    For h = 1 To nlen
        sumtmp = Asc(Mid(startin, h, 1))
        If Abs(sumtmp) <> sumtmp Then     ' special handling for Chinese characters
            k = 2
        Else
            k = 1
        End If
        For e = 1 To k
            B(tlen) = CInt("&H" + Mid(Hex(sumtmp), 2 * e - 1, 2))
            tlen = tlen + 1
            If tlen >= 10 Then            ' only the first 10 bytes are used
                e = k
                h = nlen
            Else
                If h = nlen Then          ' name shorter than 10 bytes: wrap around
                    h = 0                 ' Next h turns this back into 1
                End If
            End If
        Next e
    Next h

    If nlen < 1 Then
        h = MsgBox("The registration name is wrong or has not been entered", 0, "Please check your input!")
    Else
        ' Accumulator after the 10 rounds over "pasha and ": a constant, see 0042583C
        ss = &HDE928F52
        For i = 2 To 9
            ' One round of the loop at 0042585C: ss = A((ss Xor byte) And &HFF) Xor (ss >> 8)
            eax = B(i) And &HFF
            edx = ss And &HFF
            eax = eax Xor edx
            ' Logical shift right by 8 on a signed Long (ss is usually negative)
            edx = ((ss And &HFFFFFF00) \ &H100) And &HFFFFFF
            eax = A(eax) Xor edx
            ss = eax
            ' DIV ESI with ESI = 24h is an unsigned division. VB's Mod on a negative Long
            ' gives a remainder in -35..0; the unsigned value is eax + 2^32, and
            ' 2^32 Mod 36 = 4, so the unsigned remainder is (r + 40) Mod 36.
            tmpsum = eax Mod 36
            If eax < 0 Then
                tmpsum = (tmpsum + 40) Mod 36
            End If
            tmpmod = tmpsum + 1
            TMPSTR = Mid(mabiao, tmpmod, 1)
            laststr = laststr + TMPSTR
        Next i
        ' The program echoes the first two characters, so any two hex digits will do
        laststr = "88" + laststr
    End If
    Text2.Text = laststr
End Sub
-----------------------------------------------------
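The same algorithm, as read out of 004258D6 and 004257A8 above, reimplemented here as an added Python example. This is not the article's VB keygen and not Setup2Go's own code. It generates the CRC-32 table from the polynomial instead of pasting the dump, adds the verification side that 004144D4 and 004258D6 perform (length check, regenerate, compare), and refuses prefixes whose SUB 55h wraps, a case the listing does not explore. The function names keygen, check, crc_step and cycle_to, the uppercase hex output of 00425772 for values 10 to 15, and the GBK encoding of the name (the byte layout VB's Asc() sees on Chinese Windows) are this example's assumptions.

```python
"""Setup2Go 1.97 registration code: keygen and verifier (added example).

Assumptions not on the page: the table at 40C224 is the standard reflected
CRC-32 table (generated below from 0xEDB88320); names are encoded as GBK;
004258B4 accepts hex digits of either case; 00425772 emits uppercase.
"""
import string

SECRET = b"pasha and andrey"          # the literal at 0040B474
CODE_LEN = 10                         # CMP ECX,0A at 004144FF
ALPHABET = string.digits + string.ascii_uppercase   # 36 symbols (PUSH 24h)


def crc32_table():
    """Standard CRC-32 table: table[1] == 0x77073096, table[255] == 0x2D02EF8D."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = crc32_table()


def crc_step(acc, byte):
    """One round of the loops at 0042581B / 0042585C:
    acc = TABLE[(acc ^ byte) & 0xFF] ^ (acc >> 8)."""
    return TABLE[(acc ^ byte) & 0xFF] ^ (acc >> 8)


def cycle_to(data, n):
    """00425709: repeat or truncate data to exactly n bytes
    (b"newlaos" -> b"newlaosnew", SECRET -> b"pasha and ")."""
    if not data:
        raise ValueError("empty name is rejected at 004144F2")
    return (data * (n // len(data) + 1))[:n]


def secret_constant():
    """Accumulator after the 10 rounds over the secret (article: DE928F52)."""
    acc = 0
    for b in cycle_to(SECRET, CODE_LEN):
        acc = crc_step(acc, b)
    return acc


def keygen(name, prefix="78", encoding="gbk"):
    """Build the 10-character code for name.

    prefix: the first two characters. 004258B4 parses them as hex digits,
    004257E4..00425807 transforms the byte and transforms it back, so the
    program only echoes them; the article's VB keygen uses "88".
    """
    if len(prefix) != 2 or any(c not in string.hexdigits for c in prefix):
        raise ValueError("prefix must be two hex digits")
    seed = (int(prefix, 16) ^ 0xFF) - 0x55            # 00425922 / 00425928
    echoed = ((seed & 0xFF) + 0x55) ^ 0xFF            # 004257EC..004257F1
    if echoed > 0xFF:
        # SUB 55h wrapped (prefix above AAh): the high nibble handed to
        # 00425772 is above 0Fh and the page does not show what it emits.
        raise ValueError("prefix above AA is not covered by the listing")
    out = "%X%X" % (echoed >> 4, echoed & 0xF)

    padded = cycle_to(name.encode(encoding), CODE_LEN)
    acc = secret_constant()
    # 8 rounds over name bytes 2..9; the remainder mod 36 picks each symbol.
    for b in padded[2:CODE_LEN]:
        acc = crc_step(acc, b)
        out += ALPHABET[acc % 36]
    return out


def check(name, code, encoding="gbk"):
    """What 004144D4 / 004258D6 do: require exactly 10 characters, regenerate
    the code from the name and the entered prefix, and compare."""
    if len(code) != CODE_LEN or not name:
        return False
    try:
        return keygen(name, code[:2], encoding) == code
    except ValueError:
        return False


if __name__ == "__main__":
    for n in ("newlaos", "newlaos[CCG][DFCG]"):
        print(n, keygen(n, "88"))
    print("constant after the secret: %08X" % secret_constant())
```

Running it reproduces the article's two codes (78KB0HS6MA for newlaos with the prefix 78, 88KB0HSD9S for newlaos[CCG][DFCG] with 88) and the intermediate constant DE928F52, which also confirms that the standard CRC-32 table, not the 00000000 entry shown in the dump, is what the program uses.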
6. The registration details are stored in the registry:
[HKEY_LOCAL_MACHINE\Software\SDS Software\Setup2GO]
"username"="newlaos[CCG][DFCG]"
"regcode"="88KB0HSD9S"