奇怪的破解，國產軟體，我不說它的名字，你們猜猜 (11千字)

標題:奇怪的破解，國產軟體，我不說它的名字，你們猜猜 (11千字)

發信人:heXer

時間:2002-6-15 23:17:17

詳細資訊:

這是一個很奇怪的破解，是一個國產軟體，我沒有提出它的名字

該軟體資訊：
可執行檔案大小是363,008位元組
經aspack加殼
版本3.??
註冊費15元/份，請大家支援國產軟體，序號產生器暫不公開，本文僅做為參考研究

PART1
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
004B2924 lea eax, [ebp+var_14]
004B2927 mov edx, offset str_4B3950 ;為了隱藏軟體名，我有意將此字串隱去
004B292C call sub_403DD4
004B2931 mov eax, [ebp+var_4]
004B2934 add eax, 5D0h
004B2939 mov edx, [ebp+var_4]
004B293C mov edx, [edx+5BCh]
004B2942 call sub_403D90
004B2947 loc_4B2947: lea eax, [ebp+var_18]
004B294A mov edx, offset unk_4B398C
004B294F call sub_403DD4
004B2954 mov eax, [ebp+var_4]
004B2957 mov eax, [eax+5D0h] ;使用者名稱
004B295D call sub_403FBC ;取字串長度
004B2962 mov edi, eax
004B2964 test edi, edi ; = 0 ?
004B2966 jle short loc_4B29CE
004B2968 mov esi, 1
004B296D loc_4B296D: mov eax, [ebp+var_4]
004B2970 mov eax, [eax+5D0h] ;使用者名稱strname
004B2976 mov bl, [eax+esg-1]
004B297A mov eax, [ebp+var_14] ;str_4B3950
004B297D mov al, [eax+esg-1]
004B2981 xor bl, al ;此段演算法沒什麼好解釋的
004B2983 and ebx, 0FFh
004B2989 xor ebx, esi
004B298B cmp ebx, 41h
004B298E jge short loc_4B299B
004B2990 loc_4B2990: lea eax, [esi+ebx+16h]
004B2994 mov ebx, eax
004B2996 cmp ebx, 41h
004B2999 jl short loc_4B2990
004B299B loc_4B299B: cmp ebx, 7Ah
004B299E jle short loc_4B29AF
004B29A0 loc_4B29A0: sub ebx, 1Bh
004B29A3 sub ebx, esi
004B29A5 cmp ebx, 7Ah
004B29A8 jg short loc_4B29A0
004B29AA jmp short loc_4B29AF
004B29AC loc_4B29AC: add ebx, 4
004B29AF loc_4B29AF: cmp ebx, 61h
004B29B2 jge short loc_4B29B9
004B29B4 cmp ebx, 5Ah
004B29B7 jg short loc_4B29AC
004B29B9 loc_4B29B9: mov eax, [ebp+var_4]
004B29BC add eax, 5D0h
004B29C1 call sub_40418C
004B29C6 mov [eax+esg-1], bl ;儲存運算結果，稱之為strname1
004B29CA inc esi
004B29CB dec edi
004B29CC jnz short loc_4B296D

PART2
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
004B2B66 mov eax, [ebp+var_4]
004B2B69 add eax, 5F8h ;註冊碼strcode
004B2B6E mov edx, 0Ah ;10
004B2B73 call sub_4042F0 ;取註冊碼前10位，稱之為strcode1
004B2B78 mov eax, [ebp+var_4]
004B2B7B mov eax, [eax+5F8h]
004B2B81 call sub_403FBC ;取strcode1長度
004B2B86 mov ebx, eax
004B2B88 mov eax, [ebp+var_4]
004B2B8B add eax, 5F8h
004B2B90 mov edx, ebx
004B2B92 call sub_4042F0
004B2B97 mov eax, [ebp+var_4]
004B2B9A mov eax, [eax+5F8h]
004B2BA0 call sub_403FBC
004B2BA5 mov edi, eax
004B2BA7 test edi, edi
004B2BA9 jle short loc_4B2C07
004B2BAB mov esi, 1
004B2BB0 loc_4B2BB0: mov eax, [ebp+var_4]
004B2BB3 mov eax, [eax+5F8h] ;strcode1
004B2BB9 xor ebx, ebx
004B2BBB mov bl, [eax+esg-1]
004B2BBF xor ebx, esi ;此段演算法在做序號產生器時是有用的
004B2BC1 add ebx, 29h ;諸位仔細看看吧
004B2BC4 cmp ebx, 41h
004B2BC7 jge short loc_4B2BD4
004B2BC9 loc_4B2BC9: lea eax, [esi+ebx+16h]
004B2BCD mov ebx, eax
004B2BCF cmp ebx, 41h
004B2BD2 jl short loc_4B2BC9
004B2BD4 loc_4B2BD4: cmp ebx, 7Ah
004B2BD7 jle short loc_4B2BE8
004B2BD9 loc_4B2BD9: sub ebx, 1Bh
004B2BDC sub ebx, esi
004B2BDE cmp ebx, 7Ah
004B2BE1 jg short loc_4B2BD9
004B2BE3 jmp short loc_4B2BE8
004B2BE5 loc_4B2BE5: add ebx, 4
004B2BE8 loc_4B2BE8: cmp ebx, 61h
004B2BEB jge short loc_4B2BF2
004B2BED cmp ebx, 5Ah
004B2BF0 jg short loc_4B2BE5
004B2BF2 loc_4B2BF2: mov eax, [ebp+var_4]
004B2BF5 add eax, 5F8h
004B2BFA call sub_40418C
004B2BFF mov [eax+esg-1], bl ;儲存運算結果，strcode2
004B2C03 inc esi
004B2C04 dec edi
004B2C05 jnz short loc_4B2BB0

PART3
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
004B0AB1 xor ebx, ebx
004B0AB3 mov eax, [esi+5ECh] ;strname1
004B0AB9 call sub_403FBC ;取長度
004B0ABE mov edi, eax ;下面一段演算法不必細究，做序號產生器時照抄就行
004B0AC0 jmp loc_4B0B7F
004B0AC5 loc_4B0AC5: cmp edi, 15h
004B0AC8 jge short loc_4B0ACD
004B0ACA inc ebx
004B0ACB jmp short loc_4B0AE2
004B0ACD loc_4B0ACD: mov eax, [esi+5ECh]
004B0AD3 call sub_403FBC
004B0AD8 mov ecx, 9
004B0ADD cdq
004B0ADE idiv ecx
004B0AE0 mov ebx, edx
004B0AE2 loc_4B0AE2: mov eax, [esi+5ECh]
004B0AE8 call sub_403FBC
004B0AED sub eax, ebx
004B0AEF mov edx, [esi+5ECh]
004B0AF5 mov al, [edx+eaw-1]
004B0AF9 mov edx, [esi+5ECh]
004B0AFF mov dl, [edx+ebw-1]
004B0B03 xor al, dl
004B0B05 and eax, 0FFh
004B0B0A add eax, 79h
004B0B0D push eax
004B0B0E lea eax, [esi+5ECh]
004B0B14 call sub_40418C
004B0B19 pop edx
004B0B1A mov [eax+ebw-1], dl
004B0B1E mov eax, [esi+5ECh]
004B0B24 movzx eax, byte ptr [eax+ebw-1]
004B0B29 call sub_4A63D8
004B0B2E push eax
004B0B2F lea eax, [esi+5ECh]
004B0B35 call sub_40418C
004B0B3A pop edx
004B0B3B mov [eax+ebw-1], dl
004B0B3F lea eax, [esi+5ECh]
004B0B45 push eax
004B0B46 mov eax, [esi+5ECh]
004B0B4C call sub_403FBC
004B0B51 mov ecx, eax
004B0B53 sub ecx, ebx
004B0B55 mov edx, 1
004B0B5A mov eax, [esi+5ECh]
004B0B60 call sub_4041C4
004B0B65 mov eax, [esi+5ECh]
004B0B6B call sub_403FBC
004B0B70 mov edx, eax
004B0B72 sub edx, ebx
004B0B74 lea eax, [esi+5ECh]
004B0B7A call sub_4042F0
004B0B7F loc_4B0B7F: mov eax, [esi+5ECh]
004B0B85 call sub_403FBC
004B0B8A cmp eax, 0Bh
004B0B8D jg loc_4B0AC5
004B0B93 xor ebx, ebx
004B0B95 jmp short loc_4B0BD7
004B0B97 loc_4B0B97: inc ebx
004B0B98 mov eax, [esi+5ECh]
004B0B9E mov al, [eax+ebw-1]
004B0BA2 xor al, 55h
004B0BA4 and eax, 0FFh
004B0BA9 lea edx, [ebx+46h]
004B0BAC xor eax, edx
004B0BAE mov [ebp-5], al
004B0BB1 xor eax, eax
004B0BB3 mov al, [ebp-5]
004B0BB6 call sub_4A63D8
004B0BBB mov [ebp-5], al
004B0BBE lea eax, [ebp-10h]
004B0BC1 mov dl, [ebp-5]
004B0BC4 call sub_403EE4
004B0BC9 mov edx, [ebp-10h]
004B0BCC lea eax, [esi+5ECh]
004B0BD2 call sub_403FC4
004B0BD7 loc_4B0BD7: mov eax, [esi+5ECh]
004B0BDD call sub_403FBC
004B0BE2 cmp eax, 0Ah
004B0BE5 jge short loc_4B0BF5
004B0BE7 mov eax, [esi+5ECh]
004B0BED call sub_403FBC
004B0BF2 dec eax
004B0BF3 jg short loc_4B0B97
004B0BF5 loc_4B0BF5: lea eax, [esi+5ECh]
004B0BFB mov edx, 0Ah
004B0C00 call sub_4042F0
004B0C05 lea edx, [ebp-14h]
004B0C08 mov eax, [esi+5ECh]
004B0C0E call sub_4097F0
004B0C13 mov edx, [ebp-14h]
004B0C16 lea eax, [esi+5ECh]
004B0C1C call sub_403D90
004B0C21 lea eax, [ebp-4]
004B0C24 mov edx, [esi+5E0h]
004B0C2A call sub_403DD4 ;上面一大段演算法把strname1轉為10位的strname2
004B0C2F mov byte ptr [esi+60Ch], 1
004B0C36 mov edi, 1
004B0C3B loc_4B0C3B: cmp byte ptr [esi+60Ch], 0
004B0C42 jz short loc_4B0C60
004B0C44 mov eax, [esi+5ECh] ;strname2 ，len=10
004B0C4A mov al, [eax+edg-1] ;從前往後正向取
004B0C4E mov edx, 0Bh
004B0C53 sub edx, edi
004B0C55 mov ecx, [ebp-4] ;strcode2 ，len=10
004B0C58 mov dl, [ecx+edw-1] ;從後往前反向取
004B0C5C xor al,dl ;比較＝？
004B0C5E jz short loc_4B0C64
004B0C60 loc_4B0C60: xor eax, eax
004B0C62 jmp short loc_4B0C66
004B0C64 loc_4B0C64: mov al, 1
004B0C66 loc_4B0C66: mov [esi+60Ch], al
004B0C6C inc edi
004B0C6D cmp edi, 0Bh
004B0C70 jnz short loc_4B0C3B
004B0C72 jmp short loc_4B0C9E ;比較結束，註冊成功標誌是byte ptr [esi+60Ch]＝1
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
文章寫的不太好，請見諒，謝謝您有興趣看完
最後給出一組註冊碼，以便於大家跟蹤分析
使用者名稱：heXer
註冊碼：KSHPNBY7S7
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
heXer/iPB
2002.06.15

奇怪的破解，國產軟體，我不說它的名字，你們猜猜 (11千字)

相關文章