騰龍備份大師2003 V3.05.01 專業版演算法分析
作者:wzh123
軟體大小:
3030 KB
軟體語言: 簡體中文
軟體類別: 國產軟體 / 共享版 / 資料備份
應用平臺: Win9x/NT/2000/XP
軟體介紹:
全方位的資料備份保護系統“騰龍備份大師 2003”專業版隆重出場。適用於個人使用者、企事業單位及政府機關使用的全新版本!最新編制的監控引擎,更低的系統資源佔用率(依計算機配置約 1%-5%)。為政府、企業特別設計的自動資料鎖定系統,可以廣泛應用於政府網站保護及企業資料保護,有效防止因防火牆及作業系統漏洞而造成黑客成功入侵的資料損失!針對性地為使用者設計了三大類十小類資料備份保護方法,以適應不同場合及不同人員對資料備份保護的需要!全新編寫的核心程式碼、全新的操作介面、全新的嚮導介面,讓每一個使用者體驗最便捷的操作感!最優惠的註冊價格,讓每一位使用者都能夠擁有安全的資訊空間!
PJ工具:softice,W32Dasm8.93黃金版,FI2.5
作者申明:只是學習,無其他目的。
本人剛剛學破解,錯誤在所難免,寫的也很亂,請各位包涵,也請各位高手指教
1、軟體沒有加殼,用delphi編的;
2、這是一個重啟驗證的軟體,註冊檔案放在\winnt\system32\SYSTEMWIN32.dll,可以用記事本開啟。用
softice下斷,
序列號:3781489924572
註冊名:wzh123
註冊碼:a1234-b2345-c3456-d4567-5678
你一定可以來到以下地方:(以下的分析都以我的註冊資訊為例子,大家可以根據自己的情況算出自己的註冊碼
)
------------註冊碼第一部分計算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506DE6(C)
|
:00506D94
8BC3 mov
eax, ebx
:00506D96 2501000080 and
eax, 80000001
:00506D9B 7905
jns 00506DA2
:00506D9D 48
dec eax
:00506D9E 83C8FE
or eax, FFFFFFFE
:00506DA1
40 inc
eax
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00506D9B(C)
|
:00506DA2
85C0 test
eax, eax
:00506DA4 751F
jne 00506DC5
:00506DA6 8D45CC
lea eax, dword ptr [ebp-34]
:00506DA9 50
push eax
:00506DAA
B901000000 mov ecx, 00000001
:00506DAF
8BD3 mov
edx, ebx
:00506DB1 8B45FC
mov eax, dword ptr [ebp-04]
:00506DB4 E83349F3FF
call 0043B6EC
:00506DB9 8B45CC
mov eax, dword ptr [ebp-34]
:00506DBC
E89B2BF0FF call 0040995C
:00506DC1
03F8 add
edi, eax
:00506DC3 EB1D
jmp 00506DE2
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506DA4(C)
|
:00506DC5
8D45C8 lea eax,
dword ptr [ebp-38]
:00506DC8 50
push eax
:00506DC9 B901000000
mov ecx, 00000001
:00506DCE 8BD3
mov edx, ebx
:00506DD0 8B45FC
mov eax, dword ptr
[ebp-04]
:00506DD3 E81449F3FF call
0043B6EC
:00506DD8 8B45C8
mov eax, dword ptr [ebp-38]
:00506DDB E87C2BF0FF
call 0040995C
:00506DE0 03F0
add esi, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506DC3(U)
|
:00506DE2
43 inc
ebx
:00506DE3 83FB0E
cmp ebx, 0000000E
:00506DE6 75AC
jne 00506D94 --------------以上將給定的序列號的奇、偶數位分別
相加,將奇數位相加的結果-->esi,將偶數位相加的結果-->edi
(以我的序列號為例3781489924572,3+8+4+9+2+5+2=0x21==>esi,7+1+8+9+4+7=0x24==>edi)
:00506DE8
8D55C4 lea edx,
dword ptr [ebp-3C]
:00506DEB 8BC7
mov eax, edi
偶數位相加的結果0x24-->eax
:00506DED 0FAFC6
imul eax, esi
偶數位相加的結果*奇數位相加的結果
0x4a4-->eax
:00506DF0
E8FB29F0FF call 004097F0
0x4a4-->1188(H)
:00506DF5 8B45C4
mov eax, dword ptr [ebp-3C]
:00506DF8
8D4DE8 lea ecx,
dword ptr [ebp-18]
:00506DFB BA05000000
mov edx, 00000005
:00506E00 E8B3EDFFFF
call 00505BB8
1188-->11880
:00506E05 8D55BC
lea edx, dword ptr [ebp-44]
:00506E08 8B45F8
mov eax, dword ptr
[ebp-08] 註冊名"wzh123"-->eax
:00506E0B E8CCEEFFFF
call 00505CDC
註冊名轉換
:00506E10 8B45BC
mov eax, dword ptr [ebp-44] 71610-->eax
:00506E13
8D55C0 lea edx,
dword ptr [ebp-40]
:00506E16 E89DECFFFF
call 00505AB8
:00506E1B 8B45C0
mov eax, dword ptr [ebp-40] 71610-->eax
:00506E1E
8D4DE4 lea ecx,
dword ptr [ebp-1C]
:00506E21 BA05000000
mov edx, 00000005
:00506E26 E88DEDFFFF
call 00505BB8
:00506E2B 8B45E8
mov eax, dword ptr [ebp-18] 11880-->eax
:00506E2E
E8292BF0FF call 0040995C
11880(D)-->2E68(H)
:00506E33
50 push
eax
:00506E34 8B45E4
mov eax, dword ptr [ebp-1C] 71610-->eax
:00506E37 E8202BF0FF
call 0040995C
71610(D)-->117BA(H)
:00506E3C 5A
pop edx
:00506E3D
92 xchg
eax,edx 2E68(H)-->eax,117BA(H)-->edx
:00506E3E
8BCA mov
ecx, edx
:00506E40 99
cdq
:00506E41 F7F9
idiv ecx
2E68(H)/117BA
:00506E43 8BC2
mov eax, edx
餘數(0x2E68)-->eax
:00506E45
05E7030000 add eax, 000003E7
0x2E68+0x3E7=0x324F-->eax
:00506E4A 8D55B4
lea edx, dword ptr
[ebp-4C]
:00506E4D E89E29F0FF
call 004097F0 0x324F-->12879(D)
:00506E52
8B45B4 mov eax,
dword ptr [ebp-4C] 12879(D)-->eax
:00506E55 8D4DB8
lea ecx, dword ptr [ebp-48]
:00506E58
BA04000000 mov edx, 00000004
:00506E5D
E856EDFFFF call 00505BB8
12879(D)-->1287
:00506E62
8B45B8 mov eax,
dword ptr [ebp-48] 1287-->eax
:00506E65 8D55EC
lea edx, dword ptr [ebp-14]
:00506E68
E87F090000 call 005077EC
:00506E6D
8D55B0 lea edx,
dword ptr [ebp-50]
:00506E70 8B45EC
mov eax, dword ptr [ebp-14]
:00506E73 E874090000
call 005077EC
:00506E78 8B45B0
mov eax, dword ptr [ebp-50]
:00506E7B
E8DC2AF0FF call 0040995C
1287(D)-->507(H)
:00506E80
8945D0 mov dword
ptr [ebp-30], eax
:00506E83 8D55A0
lea edx, dword ptr [ebp-60]
:00506E86 8B45EC
mov eax, dword ptr [ebp-14]
:00506E89
E85E090000 call 005077EC
取507最後一位"7"
:00506E8E
8B45A0 mov eax,
dword ptr [ebp-60]
:00506E91 8D4DA4
lea ecx, dword ptr [ebp-5C]
:00506E94 BA01000000
mov edx, 00000001
:00506E99 E8EE22FEFF
call 004E918C
:00506E9E 8B45A4
mov eax, dword ptr
[ebp-5C] "7"-->[eax]
:00506EA1 E8B62AF0FF
call 0040995C
7-->eax
:00506EA6 8BD0
mov edx, eax
:00506EA8 83C241
add edx, 00000041
7+41=0x48即"H"-->edx
:00506EAB
8D45A8 lea eax,
dword ptr [ebp-58]
:00506EAE E89DDFEFFF
call 00404E50
:00506EB3 8D45A8
lea eax, dword ptr [ebp-58]
:00506EB6 50
push eax
:00506EB7
8D559C lea edx,
dword ptr [ebp-64]
:00506EBA 8B45EC
mov eax, dword ptr [ebp-14]
:00506EBD E82A090000
call 005077EC
:00506EC2 8B559C
mov edx, dword ptr [ebp-64]
1287-->edx
:00506EC5 58
pop eax
:00506EC6 E865E0EFFF
call 00404F30
將1287與"H"連起來得到字串
"H1287"--------第一部分的真註冊碼出現
:00506ECB
8B45A8 mov eax,
dword ptr [ebp-58]
:00506ECE 8D55AC
lea edx, dword ptr [ebp-54]
:00506ED1 E816090000
call 005077EC
:00506ED6 8B55AC
mov edx, dword ptr [ebp-54]
:00506ED9
8D45EC lea eax,
dword ptr [ebp-14]
:00506EDC E81FDEEFFF
call 00404D00
:00506EE1 8D5590
lea edx, dword ptr [ebp-70]
:00506EE4 8B45EC
mov eax, dword ptr [ebp-14]
:00506EE7
E800090000 call 005077EC
:00506EEC
8B4590 mov eax,
dword ptr [ebp-70]
:00506EEF 8D4D94
lea ecx, dword ptr [ebp-6C]
:00506EF2 BA01000000
mov edx, 00000001
:00506EF7 E89022FEFF
call 004E918C
:00506EFC 8B4594
mov eax, dword ptr
[ebp-6C]
:00506EFF E8582AF0FF call
0040995C
:00506F04 83C041
add eax, 00000041
:00506F07 8D5598
lea edx, dword ptr [ebp-68]
:00506F0A E8E128F0FF
call 004097F0
:00506F0F 8D4598
lea eax, dword ptr
[ebp-68]
:00506F12 50
push eax
:00506F13 8D558C
lea edx, dword ptr [ebp-74]
:00506F16 8B45D0
mov eax, dword ptr [ebp-30]
:00506F19
E8D228F0FF call 004097F0
:00506F1E
8B558C mov edx,
dword ptr [ebp-74]
:00506F21 58
pop eax
:00506F22 E809E0EFFF
call 00404F30
1287-->721287(下面有用)
:00506F27 8B4598
mov eax, dword ptr [ebp-68]
:00506F2A
E82D2AF0FF call 0040995C
187-->eax
:00506F2F
8945D0 mov dword
ptr [ebp-30], eax
:00506F32 8D5588
lea edx, dword ptr [ebp-78]
:00506F35 8B45D0
mov eax, dword ptr [ebp-30]
:00506F38
E8B328F0FF call 004097F0
:00506F3D
8B4588 mov eax,
dword ptr [ebp-78]
:00506F40 8D55DC
lea edx, dword ptr [ebp-24]
:00506F43 E8A4080000
call 005077EC
將真註冊碼的第一部分各位取反
:00506F48 8D4D80
lea ecx, dword ptr [ebp-80]
:00506F4B
BA05000000 mov edx, 00000005
:00506F50
8B45F4 mov eax,
dword ptr [ebp-0C] 取第一部分的假碼
:00506F53 E8A046F3FF
call 0043B5F8
:00506F58 8B4580
mov eax, dword ptr [ebp-80]
:00506F5B
8D5584 lea edx,
dword ptr [ebp-7C]
:00506F5E E889080000
call 005077EC
將輸入註冊碼的第一部分各位取反
:00506F63 8B5584
mov edx, dword ptr [ebp-7C]
:00506F66 8B45EC
mov eax, dword ptr [ebp-14]
:00506F69
E806E1EFFF call 00405074
第一部分的經過變換的真假註冊碼相
比
:00506F6E
7409 je 00506F79
相等就跳到註冊碼第二部分的計算,
否則去死(爆破點)
:00506F70
C645F300 mov [ebp-0D],
00
:00506F74 E946060000 jmp
005075BF
------------註冊碼第二部分計算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506F6E(C)
|
:00506F79
8D45E0 lea eax,
dword ptr [ebp-20]
:00506F7C E8E7DCEFFF
call 00404C68
:00506F81 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506FF6(C)
|
:00506F86
8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78]
:00506F8C
50 push
eax
:00506F8D B901000000 mov
ecx, 00000001
:00506F92 8BD3
mov edx, ebx
:00506F94 8B45E8
mov eax, dword ptr [ebp-18] 11880(見上)-->eax
:00506F97
E85047F3FF call 0043B6EC
:00506F9C
8B8578FFFFFF mov eax, dword ptr [ebp+FFFFFF78]
:00506FA2 E8B529F0FF
call 0040995C
:00506FA7 8BF0
mov esi, eax
:00506FA9 8D8574FFFFFF
lea eax, dword ptr [ebp+FFFFFF74]
:00506FAF
50 push
eax
:00506FB0 8D5301
lea edx, dword ptr [ebx+01]
:00506FB3 B901000000
mov ecx, 00000001
:00506FB8 8B45E8
mov eax, dword ptr [ebp-18]
:00506FBB
E82C47F3FF call 0043B6EC
:00506FC0
8B8574FFFFFF mov eax, dword ptr [ebp+FFFFFF74]
:00506FC6
E89129F0FF call 0040995C
:00506FCB
03F0 add
esi, eax
:00506FCD 8BC6
mov eax, esi
:00506FCF B90A000000
mov ecx, 0000000A
:00506FD4 99
cdq
:00506FD5 F7F9
idiv ecx
:00506FD7 8BC2
mov eax,
edx
:00506FD9 8D957CFFFFFF lea edx,
dword ptr [ebp+FFFFFF7C]
:00506FDF E80C28F0FF
call 004097F0
:00506FE4 8B957CFFFFFF
mov edx, dword ptr [ebp+FFFFFF7C]
:00506FEA 8D45E0
lea eax, dword ptr [ebp-20]
:00506FED
E83EDFEFFF call 00404F30
:00506FF2
43 inc
ebx
:00506FF3 83FB05
cmp ebx, 00000005
:00506FF6 758E
jne 00506F86-----------------------以上構成迴圈,將11880兩位一
組合,然後除0xA,餘數儲存起來,如
1、(1+1)%0xA="2"
2、(1+8)%0xA="9"
3、(8+8)%0xA="6"
4、(8+0)%0xA="8"
:00506FF8
33F6 xor
esi, esi
:00506FFA BB01000000 mov
ebx, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00507026(C)
|
:00506FFF
8D8570FFFFFF lea eax, dword ptr [ebp+FFFFFF70]
:00507005
50 push
eax
:00507006 B901000000 mov
ecx, 00000001
:0050700B 8BD3
mov edx, ebx
:0050700D 8B45E0
mov eax, dword ptr [ebp-20]
:00507010 E8D746F3FF
call 0043B6EC
:00507015 8B8570FFFFFF
mov eax, dword ptr [ebp+FFFFFF70]
:0050701B
E83C29F0FF call 0040995C
:00507020
03F0 add
esi, eax
:00507022 43
inc ebx
:00507023 83FB05
cmp ebx, 00000005
:00507026 75D7
jne 00506FFF------------------------又一個迴圈,將以上得到的餘
數相加,即2+9+6+8=0x19---->esi
:00507028
8BC6 mov
eax, esi
:0050702A B90A000000 mov
ecx, 0000000A
:0050702F 99
cdq
:00507030 F7F9
idiv ecx
0x19/0xA
:00507032
8BC2 mov
eax, edx
餘數"5"-->eax
:00507034 8D9564FFFFFF
lea edx, dword ptr [ebp+FFFFFF64]
:0050703A E8B127F0FF
call 004097F0
:0050703F 8B8D64FFFFFF
mov ecx, dword ptr [ebp+FFFFFF64]
:00507045
8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:0050704B
8B55E0 mov edx,
dword ptr [ebp-20]
:0050704E E821DFEFFF
call 00404F74
將"2968"與"5"相連得到第二部
分的真註冊碼"29685"
:00507053
8B8568FFFFFF mov eax, dword ptr [ebp+FFFFFF68]
:00507059
8D956CFFFFFF lea edx, dword ptr [ebp+FFFFFF6C]
:0050705F
E888070000 call 005077EC
:00507064
8B956CFFFFFF mov edx, dword ptr [ebp+FFFFFF6C]
:0050706A
8D45E0 lea eax,
dword ptr [ebp-20]
:0050706D E88EDCEFFF
call 00404D00
:00507072 8D45EC
lea eax, dword ptr [ebp-14]
:00507075 8B55E0
mov edx, dword ptr [ebp-20]
:00507078
E883DCEFFF call 00404D00
:0050707D
8D9560FFFFFF lea edx, dword ptr [ebp+FFFFFF60]
:00507083
8B45EC mov eax,
dword ptr [ebp-14]
:00507086 E861070000
call 005077EC
:0050708B 8B8560FFFFFF
mov eax, dword ptr [ebp+FFFFFF60]
:00507091 E8C628F0FF
call 0040995C
:00507096 0145D0
add dword ptr [ebp-30],
eax
:00507099 8D45D8
lea eax, dword ptr [ebp-28]
:0050709C 8B55EC
mov edx, dword ptr [ebp-14]
:0050709F E85CDCEFFF
call 00404D00
:005070A4 8D8558FFFFFF
lea eax, dword ptr [ebp+FFFFFF58]
:005070AA
50 push
eax
:005070AB B905000000 mov
ecx, 00000005
:005070B0 BA07000000
mov edx, 00000007
:005070B5 8B45F4
mov eax, dword ptr [ebp-0C]
:005070B8 E82F46F3FF
call 0043B6EC
取第二部分的假碼
:005070BD 8B8558FFFFFF
mov eax, dword ptr [ebp+FFFFFF58]
:005070C3
8D955CFFFFFF lea edx, dword ptr [ebp+FFFFFF5C]
:005070C9
E81E070000 call 005077EC
假碼各位取反
:005070CE
8B955CFFFFFF mov edx, dword ptr [ebp+FFFFFF5C]
:005070D4
8B45EC mov eax,
dword ptr [ebp-14]
:005070D7 E898DFEFFF
call 00405074
第二部分的經過變換的真假註冊
碼相比
:005070DC
7409 je 005070E7
相等就跳到註冊碼第三部分的計
算,否則去死(爆破點)
:005070DE
C645F300 mov [ebp-0D],
00
:005070E2 E9D8040000 jmp
005075BF
------------註冊碼第三部分計算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005070DC(C)
|
:005070E7
8D45E0 lea eax,
dword ptr [ebp-20]
:005070EA E879DBEFFF
call 00404C68
:005070EF BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050715E(C)
|
:005070F4
8D8550FFFFFF lea eax, dword ptr [ebp+FFFFFF50]
:005070FA
50 push
eax
:005070FB B901000000 mov
ecx, 00000001
:00507100 8BD3
mov edx, ebx
:00507102 8B45E8
mov eax, dword ptr [ebp-18]
11880-->eax
:00507105 E8E245F3FF
call 0043B6EC
:0050710A 8B8550FFFFFF
mov eax, dword ptr [ebp+FFFFFF50]
:00507110 E84728F0FF
call 0040995C
:00507115 50
push
eax
:00507116 8D854CFFFFFF lea eax,
dword ptr [ebp+FFFFFF4C]
:0050711C 50
push eax
:0050711D 8D5301
lea edx, dword ptr [ebx+01]
:00507120
B901000000 mov ecx, 00000001
:00507125
8B45E8 mov eax,
dword ptr [ebp-18]
:00507128 E8BF45F3FF
call 0043B6EC
:0050712D 8B854CFFFFFF
mov eax, dword ptr [ebp+FFFFFF4C]
:00507133 E82428F0FF
call 0040995C
:00507138 5A
pop edx
:00507139
92 xchg
eax,edx
:0050713A 2BC2
sub eax, edx
:0050713C 99
cdq
:0050713D 33C2
xor eax, edx
:0050713F
2BC2 sub
eax, edx
:00507141 8D9554FFFFFF lea
edx, dword ptr [ebp+FFFFFF54]
:00507147 E8A426F0FF
call 004097F0
:0050714C 8B9554FFFFFF
mov edx, dword ptr [ebp+FFFFFF54]
:00507152 8D45E0
lea eax, dword ptr [ebp-20]
:00507155
E8D6DDEFFF call 00404F30
:0050715A
43 inc
ebx
:0050715B 83FB05
cmp ebx, 00000005
:0050715E 7594
jne 005070F4------------------------以上構成迴圈,將11880各位兩
兩相減,得出一組數字,
1、1-1=0
2、8-1=7
3、8-8=0
4、8-0=8 (0708)
:00507160 BE01000000
mov esi, 00000001
:00507165 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005071B8(C)
|
:0050716A
8D8548FFFFFF lea eax, dword ptr [ebp+FFFFFF48]
:00507170
50 push
eax
:00507171 B901000000 mov
ecx, 00000001
:00507176 8BD3
mov edx, ebx
:00507178 8B45E0
mov eax, dword ptr [ebp-20]
0708--->eax
:0050717B E86C45F3FF
call 0043B6EC
:00507180 8B8548FFFFFF
mov eax, dword ptr [ebp+FFFFFF48]
:00507186 E8D127F0FF
call 0040995C
:0050718B 85C0
test eax,
eax
:0050718D 7425
je 005071B4
:0050718F 8D8544FFFFFF
lea eax, dword ptr [ebp+FFFFFF44]
:00507195 50
push eax
:00507196 B901000000
mov ecx, 00000001
:0050719B
8BD3 mov
edx, ebx
:0050719D 8B45E0
mov eax, dword ptr [ebp-20]
:005071A0 E84745F3FF
call 0043B6EC
:005071A5 8B8544FFFFFF
mov eax, dword ptr [ebp+FFFFFF44]
:005071AB
E8AC27F0FF call 0040995C
:005071B0
F7EE imul
esi
:005071B2 8BF0
mov esi, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050718D(C)
|
:005071B4
43 inc
ebx
:005071B5 83FB05
cmp ebx, 00000005
:005071B8 75B0
jne 0050716A------------------------又是一個迴圈,將0708進行處
理,如果遇到0,則不處理,遇到其他數字,進行如下處理:
:005071BA 8BC6
mov eax, esi
:005071BC B90A000000
mov ecx, 0000000A
:005071C1 99
cdq
:005071C2
F7F9 idiv
ecx
:005071C4 8BC2
mov eax, edx
如:(7*8)%0xA=6
:005071C6 8D953CFFFFFF
lea edx, dword ptr [ebp+FFFFFF3C]
:005071CC E81F26F0FF
call 004097F0
:005071D1 8D853CFFFFFF
lea eax, dword ptr [ebp+FFFFFF3C]
:005071D7
8B55E0 mov edx,
dword ptr [ebp-20]
:005071DA E851DDEFFF
call 00404F30
將0708與6連線起來得到第三部
分真註冊碼"60708"
:005071DF
8B853CFFFFFF mov eax, dword ptr [ebp+FFFFFF3C]
:005071E5
8D9540FFFFFF lea edx, dword ptr [ebp+FFFFFF40]
:005071EB
E8FC050000 call 005077EC
:005071F0
8B9540FFFFFF mov edx, dword ptr [ebp+FFFFFF40]
:005071F6
8D45E0 lea eax,
dword ptr [ebp-20]
:005071F9 E802DBEFFF
call 00404D00
:005071FE 8D45EC
lea eax, dword ptr [ebp-14]
:00507201 8B55E0
mov edx, dword ptr [ebp-20]
:00507204
E8F7DAEFFF call 00404D00
:00507209
8D45D4 lea eax,
dword ptr [ebp-2C]
:0050720C 8B55EC
mov edx, dword ptr [ebp-14]
:0050720F E8ECDAEFFF
call 00404D00
:00507214 8D9538FFFFFF
lea edx, dword ptr [ebp+FFFFFF38]
:0050721A
8B45EC mov eax,
dword ptr [ebp-14]
:0050721D E8CA050000
call 005077EC
:00507222 8B8538FFFFFF
mov eax, dword ptr [ebp+FFFFFF38]
:00507228 E82F27F0FF
call 0040995C
:0050722D 0145D0
add dword ptr [ebp-30],
eax
:00507230 8D8530FFFFFF lea eax,
dword ptr [ebp+FFFFFF30]
:00507236 50
push eax
:00507237 B905000000
mov ecx, 00000005
:0050723C BA0D000000
mov edx, 0000000D
:00507241 8B45F4
mov eax, dword ptr
[ebp-0C]
:00507244 E8A344F3FF call
0043B6EC
取第三部分的假碼
:00507249 8B8530FFFFFF
mov eax, dword ptr [ebp+FFFFFF30]
:0050724F 8D9534FFFFFF
lea edx, dword ptr [ebp+FFFFFF34]
:00507255 E892050000
call 005077EC
:0050725A 8B9534FFFFFF
mov edx, dword ptr [ebp+FFFFFF34]
:00507260
8B45EC mov eax,
dword ptr [ebp-14]
:00507263 E80CDEEFFF
call 00405074
第三部分的經過變換的真假注
冊碼相比
:00507268
7409 je 00507273
相等就跳到註冊碼第四部分的
計算,否則去死(爆破點)
:0050726A
C645F300 mov [ebp-0D],
00
:0050726E E94C030000 jmp
005075BF
------------註冊碼第四部分計算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507268(C)
|
:00507273
8D9528FFFFFF lea edx, dword ptr [ebp+FFFFFF28]
:00507279
8B45D0 mov eax,
dword ptr [ebp-30]
:0050727C E86F25F0FF
call 004097F0
:00507281 8B8528FFFFFF
mov eax, dword ptr [ebp+FFFFFF28] 811680-->eax
:00507287
8D8D2CFFFFFF lea ecx, dword ptr [ebp+FFFFFF2C]
:0050728D
BA05000000 mov edx, 00000005
:00507292
E821E9FFFF call 00505BB8
811680-->81168
:00507297
8B852CFFFFFF mov eax, dword ptr [ebp+FFFFFF2C]
"81168"-->eax,即第四部分真
註冊碼
:0050729D 8D55EC
lea edx, dword ptr [ebp-14]
:005072A0 E847050000
call 005077EC
真註冊碼各位取反
:005072A5 8D8520FFFFFF
lea eax, dword ptr [ebp+FFFFFF20]
:005072AB
50 push
eax
:005072AC B905000000 mov
ecx, 00000005
:005072B1 BA13000000
mov edx, 00000013
:005072B6 8B45F4
mov eax, dword ptr [ebp-0C]
:005072B9 E82E44F3FF
call 0043B6EC
取第四部分的假碼
:005072BE
8B8520FFFFFF mov eax, dword ptr [ebp+FFFFFF20]
:005072C4
8D9524FFFFFF lea edx, dword ptr [ebp+FFFFFF24]
:005072CA
E81D050000 call 005077EC
第四部分的假碼各位取反
:005072CF
8B9524FFFFFF mov edx, dword ptr [ebp+FFFFFF24]
:005072D5
8B45EC mov eax,
dword ptr [ebp-14]
:005072D8 E897DDEFFF
call 00405074
第四部分的經過變換的真假注
冊碼相比
:005072DD
7409 je 005072E8
相等就跳到註冊碼第五部分的
計算,否則去死(爆破點)
:005072DF
C645F300 mov [ebp-0D],
00
:005072E3 E9D7020000 jmp
005075BF
------------註冊碼第五部分計算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005072DD(C)
|
:005072E8
33F6 xor
esi, esi
esi清零
:005072EA BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507327(C)
|
:005072EF
8D851CFFFFFF lea eax, dword ptr [ebp+FFFFFF1C]
:005072F5
50 push
eax
:005072F6 8D9518FFFFFF lea edx,
dword ptr [ebp+FFFFFF18]
:005072FC 8B45EC
mov eax, dword ptr [ebp-14]
:005072FF E8E8040000
call 005077EC
:00507304 8B8518FFFFFF
mov eax, dword ptr [ebp+FFFFFF18]
81168-->eax
:0050730A B901000000
mov ecx, 00000001
:0050730F 8BD3
mov edx, ebx
:00507311 E8D643F3FF
call 0043B6EC
:00507316 8B851CFFFFFF
mov eax, dword ptr [ebp+FFFFFF1C]
:0050731C
E83B26F0FF call 0040995C
:00507321
03F0 add
esi, eax
:00507323 43
inc ebx
:00507324 83FB06
cmp ebx, 00000006
:00507327 75C6
jne 005072EF--------------------------以上構成迴圈,將81168各位
相加,即8+1+1+6+8=0x18---->esi
:00507329 8BC6
mov eax, esi
:0050732B B90A000000
mov ecx, 0000000A
:00507330 99
cdq
:00507331 F7F9
idiv ecx
0x18/0xA
:00507333 8BF2
mov esi, edx
餘數為"4"-->esi
:00507335 8D55E0
lea edx, dword ptr
[ebp-20]
:00507338 8BC6
mov eax, esi
:0050733A E8B124F0FF
call 004097F0
:0050733F 33F6
xor esi, esi
:00507341 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050737E(C)
|
:00507346
8D8514FFFFFF lea eax, dword ptr [ebp+FFFFFF14]
:0050734C
50 push
eax
:0050734D 8D9510FFFFFF lea edx,
dword ptr [ebp+FFFFFF10]
:00507353 8B45DC
mov eax, dword ptr [ebp-24]
:00507356 E891040000
call 005077EC
:0050735B 8B8510FFFFFF
mov eax, dword ptr [ebp+FFFFFF10] 721287(見上)-->eax
:00507361
B901000000 mov ecx, 00000001
:00507366
8BD3 mov
edx, ebx
:00507368 E87F43F3FF call
0043B6EC
:0050736D 8B8514FFFFFF mov
eax, dword ptr [ebp+FFFFFF14]
:00507373 E8E425F0FF
call 0040995C
:00507378 03F0
add esi, eax
:0050737A 43
inc ebx
:0050737B
83FB07 cmp ebx,
00000007
:0050737E 75C6
jne 00507346--------------------------又一個迴圈,將721287各位
相加,即7+2+1+2+8+7=0x1B----->esi
:00507380
8BC6 mov
eax, esi
:00507382 B90A000000 mov
ecx, 0000000A
:00507387 99
cdq
:00507388 F7F9
idiv ecx
0x1B/0xA
:0050738A
8BF2 mov
esi, edx
餘數為"7"-->esi
:0050738C 8D950CFFFFFF
lea edx, dword ptr [ebp+FFFFFF0C]
:00507392
8BC6 mov
eax, esi
:00507394 E85724F0FF
call 004097F0
:00507399 8B850CFFFFFF
mov eax, dword ptr [ebp+FFFFFF0C]
:0050739F 8D55EC
lea edx, dword ptr [ebp-14]
:005073A2
E845040000 call 005077EC
:005073A7
33F6 xor
esi, esi
:005073A9 BB01000000 mov
ebx, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:005073E6(C)
|
:005073AE
8D8508FFFFFF lea eax, dword ptr [ebp+FFFFFF08]
:005073B4
50 push
eax
:005073B5 8D9504FFFFFF lea edx,
dword ptr [ebp+FFFFFF04]
:005073BB 8B45D8
mov eax, dword ptr [ebp-28]
:005073BE E829040000
call 005077EC
得到"29685"(見上)
:005073C3
8B8504FFFFFF mov eax, dword ptr [ebp+FFFFFF04]
29685-->eax
:005073C9 B901000000
mov ecx, 00000001
:005073CE 8BD3
mov edx, ebx
:005073D0 E81743F3FF
call 0043B6EC
:005073D5 8B8508FFFFFF
mov eax, dword ptr [ebp+FFFFFF08]
:005073DB
E87C25F0FF call 0040995C
:005073E0
03F0 add
esi, eax
:005073E2 43
inc ebx
:005073E3 83FB06
cmp ebx, 00000006
:005073E6 75C6
jne 005073AE--------------------------又一個迴圈,將29685各位相
加,即2+9+6+8+5=0x1E----->esi
:005073E8 8BC6
mov eax, esi
:005073EA B90A000000
mov ecx, 0000000A
:005073EF 99
cdq
:005073F0 F7F9
idiv ecx
0x1E/0xA
:005073F2 8BF2
mov esi, edx
餘數為"0"-->esi
:005073F4
8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC]
:005073FA
8B45EC mov eax,
dword ptr [ebp-14]
:005073FD E8EA030000
call 005077EC
:00507402 8D85FCFEFFFF
lea eax, dword ptr [ebp+FFFFFEFC]
:00507408 50
push eax
:00507409 8D95F8FEFFFF
lea edx, dword ptr [ebp+FFFFFEF8]
:0050740F
8BC6 mov
eax, esi
:00507411 E8DA23F0FF call
004097F0
:00507416 8B95F8FEFFFF mov
edx, dword ptr [ebp+FFFFFEF8]
:0050741C 58
pop eax
:0050741D E80EDBEFFF
call 00404F30
將餘數"7"與餘數"0"連線起
來----->"70"
:00507422
8B85FCFEFFFF mov eax, dword ptr [ebp+FFFFFEFC]
:00507428
8D9500FFFFFF lea edx, dword ptr [ebp+FFFFFF00]
:0050742E
E8B9030000 call 005077EC
:00507433
8B9500FFFFFF mov edx, dword ptr [ebp+FFFFFF00]
:00507439
8D45EC lea eax,
dword ptr [ebp-14]
:0050743C E8BFD8EFFF
call 00404D00
:00507441 33F6
xor esi, esi
esi清零
:00507443 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507480(C)
|
:00507448
8D85F4FEFFFF lea eax, dword ptr [ebp+FFFFFEF4]
:0050744E
50 push
eax
:0050744F 8D95F0FEFFFF lea edx,
dword ptr [ebp+FFFFFEF0]
:00507455 8B45D4
mov eax, dword ptr [ebp-2C]
:00507458 E88F030000
call 005077EC
:0050745D 8B85F0FEFFFF
mov eax, dword ptr [ebp+FFFFFEF0]
"60708"(見上)-->eax
:00507463 B901000000
mov ecx, 00000001
:00507468 8BD3
mov edx, ebx
:0050746A E87D42F3FF
call 0043B6EC
:0050746F 8B85F4FEFFFF
mov eax, dword ptr [ebp+FFFFFEF4]
:00507475
E8E224F0FF call 0040995C
:0050747A
03F0 add
esi, eax
:0050747C 43
inc ebx
:0050747D 83FB06
cmp ebx, 00000006
:00507480 75C6
jne 00507448--------------------------又一個迴圈,將60708各位相
加,即6+0+7+0+8=0x15----->esi
:00507482 8BC6
mov eax, esi
:00507484 B90A000000
mov ecx, 0000000A
:00507489 99
cdq
:0050748A F7F9
idiv ecx
0x15/0xA
:0050748C 8BF2
mov esi, edx
餘數為"1"-->esi
:0050748E
8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:00507494
8B45EC mov eax,
dword ptr [ebp-14]
:00507497 E850030000
call 005077EC
:0050749C FFB5E4FEFFFF
push dword ptr [ebp+FFFFFEE4]
:005074A2 8D95E0FEFFFF
lea edx, dword ptr [ebp+FFFFFEE0]
:005074A8 8BC6
mov eax,
esi
:005074AA E84123F0FF call
004097F0
:005074AF FFB5E0FEFFFF push
dword ptr [ebp+FFFFFEE0]
:005074B5 FF75E0
push [ebp-20]
:005074B8 8D85E8FEFFFF
lea eax, dword ptr [ebp+FFFFFEE8]
:005074BE BA03000000
mov edx, 00000003
:005074C3
E820DBEFFF call 00404FE8
將以上得到的餘數連線起來
得到數"7014"
:005074C8
8B85E8FEFFFF mov eax, dword ptr [ebp+FFFFFEE8]
"7014"-->eax
:005074CE 8D95ECFEFFFF
lea edx, dword ptr [ebp+FFFFFEEC]
:005074D4 E813030000
call 005077EC
:005074D9 8B95ECFEFFFF
mov edx, dword ptr [ebp+FFFFFEEC]
:005074DF
8D45EC lea eax,
dword ptr [ebp-14]
:005074E2 E819D8EFFF
call 00404D00
:005074E7 33F6
xor esi, esi
esi清零
:005074E9 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507526(C)
|
:005074EE
8D85DCFEFFFF lea eax, dword ptr [ebp+FFFFFEDC]
:005074F4
50 push
eax
:005074F5 8D95D8FEFFFF lea edx,
dword ptr [ebp+FFFFFED8]
:005074FB 8B45EC
mov eax, dword ptr [ebp-14]
:005074FE E8E9020000
call 005077EC
:00507503 8B85D8FEFFFF
mov eax, dword ptr [ebp+FFFFFED8]
"7014"-->eax
:00507509 B901000000
mov ecx, 00000001
:0050750E 8BD3
mov edx, ebx
:00507510 E8D741F3FF
call 0043B6EC
:00507515 8B85DCFEFFFF
mov eax, dword ptr [ebp+FFFFFEDC]
:0050751B
E83C24F0FF call 0040995C
:00507520
03F0 add
esi, eax
:00507522 43
inc ebx
:00507523 83FB05
cmp ebx, 00000005
:00507526 75C6
jne 005074EE--------------------------又一個迴圈,將7014各位相加
,即7+0+1+4=0xC----->esi
:00507528 8BC6
mov eax, esi
:0050752A B90A000000
mov ecx, 0000000A
:0050752F 99
cdq
:00507530 F7F9
idiv ecx
0xC/0xA
:00507532 8BF2
mov esi, edx
餘數為"2"-->esi
:00507534
8D95D0FEFFFF lea edx, dword ptr [ebp+FFFFFED0]
:0050753A
8B45EC mov eax,
dword ptr [ebp-14]
:0050753D E8AA020000
call 005077EC
:00507542 8D85D0FEFFFF
lea eax, dword ptr [ebp+FFFFFED0]
:00507548 50
push eax
:00507549 8D95CCFEFFFF
lea edx, dword ptr [ebp+FFFFFECC]
:0050754F
8BC6 mov
eax, esi
:00507551 E89A22F0FF call
004097F0
:00507556 8B95CCFEFFFF mov
edx, dword ptr [ebp+FFFFFECC]
:0050755C 58
pop eax
:0050755D E8CED9EFFF
call 00404F30
將"2"與"7014"連線起來,得
到第五部分真註冊碼,即"70142"
:00507562
8B85D0FEFFFF mov eax, dword ptr [ebp+FFFFFED0]
:00507568
8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
:0050756E
E879020000 call 005077EC
真碼各位取反
:00507573
8B95D4FEFFFF mov edx, dword ptr [ebp+FFFFFED4]
:00507579
8D45EC lea eax,
dword ptr [ebp-14]
:0050757C E87FD7EFFF
call 00404D00
:00507581 8D85C4FEFFFF
lea eax, dword ptr [ebp+FFFFFEC4]
:00507587 50
push eax
:00507588 B905000000
mov ecx, 00000005
:0050758D
BA19000000 mov edx, 00000019
:00507592
8B45F4 mov eax,
dword ptr [ebp-0C] 取第五部分的假碼
:00507595 E85241F3FF call
0043B6EC
:0050759A 8B85C4FEFFFF mov
eax, dword ptr [ebp+FFFFFEC4]
:005075A0 8D95C8FEFFFF
lea edx, dword ptr [ebp+FFFFFEC8]
:005075A6 E841020000
call 005077EC
第五部分的假碼取反
:005075AB
8B95C8FEFFFF mov edx, dword ptr [ebp+FFFFFEC8]
:005075B1
8B45EC mov eax,
dword ptr [ebp-14]
:005075B4 E8BBDAEFFF
call 00405074 第五部分的經過變換的真假註冊碼相比
:005075B9 7404
je 005075BF 相等就跳,註冊成功,否則去死(爆破點)
:005075BB
C645F300 mov [ebp-0D],
00
所以註冊資訊為:
序列號:3781489924572
註冊名:wzh123
註冊碼:H1287-29685-60708-81168-70142
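由於註冊演算法用到了序列號,所以一個註冊碼只對應一臺機器,你只好自己算算了^-^ 從保護設計的角度看,上面這段程式中五段註冊碼都只由序列號和註冊名經數位加總、取餘數等運算在本機推出,再逐段做字串比較;列出的程式碼裡看不到簽章驗證,所以完整的產生演算法等於隨程式一起發佈了。若授權改為由廠商私鑰簽發、程式內只用公鑰驗證,產生演算法就不會出現在客戶端。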