簡單演算法――藍帆打支票 V5.5

標題:簡單演算法——藍帆打支票 V5.5

發信人:fly

時間:2003/04/15 12:30pm

詳細資訊:

簡單演算法――藍帆打支票 V5.5
下載頁面： http://www.skycn.com/soft/1469.html
軟體大小： 419 KB
軟體語言：簡體中文
軟體類別：國產軟體 / 共享版 / 列印工具
應用平臺： Win9x/NT/2000/XP
加入時間： 2003-04-12 11:03:04
下載次數： 1159
推薦等級： ***
開發商： http://lanfan.3322.net/

【軟體簡介】：１、支援系統內的各種漢字字型。２、支援Windows下的多數印表機。３、小寫到大寫嚴格無差錯轉換(金額範圍：0.01-999,999,999.99)。４、支票要素列印精確定位（0.1毫米）。５、支票存根可選列印。６、所見即所得，支援列印預覽。７、方便的預設定，可以設定無限個收款人和用途。８、日期輸入靈活、方便。９、列印記錄可選儲存，(history.txt)。10、Ctr+p熱鍵，可以進行印表機設定並列印。11、大寫金額自動傳送到剪貼簿，便於其它地方使用。12、支援橫向，縱向列印，列印專案整體調整。13、可以設定不同型別的支票，一次設定安逸使用。

【軟體限制】：NAG、功能限制。

【作者宣告】：初學Crack，只是感興趣，沒有其它目的。失誤之處敬請諸位大俠賜教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、UnAspacka、W32Dasm 9.0白金版

―――――――――――――――――――――――――――――――――
【過程】：

check.exe 是ASPack 2.1殼，用UnAspacka脫之。428K->1.26M。Borland C++ 編寫。

呵呵，註冊碼很容易就能找到，但想找找演算法還真有點麻煩，程式啟動後跳出註冊框，攔住後就看到註冊碼已經算好了。試了幾次發現程式在彈出註冊框之前已經“默默無聞”的算好了註冊碼。呵呵，真勤快呀。^Q^^Q^^Q^^Q^

序列號：3297438
試煉碼：13572468
―――――――――――――――――――――――――――――――――
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401856(C)
|
:0040178B 8BCB mov ecx, ebx
:0040178D B801000000 mov eax, 00000001
:00401792 D3E0 shl eax, cl
:00401794 85F0 test eax, esi
:00401796 0F84B7000000 je 00401853
:0040179C 66C78514FFFFFF3800 mov word ptr [ebp+FFFFFF14], 0038
:004017A5 8BD3 mov edx, ebx
:004017A7 8BFB mov edi, ebx
:004017A9 80C241 add dl, 41
:004017AC 8D45E8 lea eax, dword ptr [ebp-18]
:004017AF E814320D00 call 004D49C8
:004017B4 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:004017BA 8D55E8 lea edx, dword ptr [ebp-18]
:004017BD 8D45F8 lea eax, dword ptr [ebp-08]
:004017C0 E807330D00 call 004D4ACC
:004017C5 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004017CB 8D45E8 lea eax, dword ptr [ebp-18]
:004017CE BA02000000 mov edx, 00000002
:004017D3 E8C4320D00 call 004D4A9C
:004017D8 66C78514FFFFFF4400 mov word ptr [ebp+FFFFFF14], 0044
:004017E1 8D45E0 lea eax, dword ptr [ebp-20]
:004017E4 E8EF0F0000 call 004027D8
:004017E9 50 push eax
:004017EA FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]

* Possible StringData Ref from Data Obj ->":\"
|
:004017F0 BAD0904E00 mov edx, 004E90D0
:004017F5 8D45E4 lea eax, dword ptr [ebp-1C]
:004017F8 E8FB300D00 call 004D48F8
:004017FD FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401803 8D55E4 lea edx, dword ptr [ebp-1C]
:00401806 8D45F8 lea eax, dword ptr [ebp-08]
:00401809 59 pop ecx
:0040180A E8E5320D00 call 004D4AF4
:0040180F 8D55E0 lea edx, dword ptr [ebp-20]
:00401812 8D45F8 lea eax, dword ptr [ebp-08]
:00401815 E8B2320D00 call 004D4ACC
:0040181A FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401820 8D45E0 lea eax, dword ptr [ebp-20]
:00401823 BA02000000 mov edx, 00000002
:00401828 E86F320D00 call 004D4A9C
:0040182D FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401833 8D45E4 lea eax, dword ptr [ebp-1C]
:00401836 BA02000000 mov edx, 00000002
:0040183B E85C320D00 call 004D4A9C
:00401840 8D45F8 lea eax, dword ptr [ebp-08]
:00401843 E8C00F0000 call 00402808
:00401848 50 push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
|
:00401849 E82C6A0E00 Call 004E827A
:0040184E 83F803 cmp eax, 00000003
:00401851 7409 je 0040185C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401796(C)
|
:00401853 4B dec ebx
:00401854 85DB test ebx, ebx
:00401856 0F8F2FFFFFFF jg 0040178B
====>迴圈20次。得到系統中硬碟的資訊。

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401851(C)
|
:0040185C 8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
:00401862 52 push edx

* Reference To: KERNEL32.GetSystemInfo, Ord:0000h
|
:00401863 E8906A0E00 Call 004E82F8
:00401868 6A00 push 00000000
:0040186A 68DD2A0000 push 00002ADD
:0040186F 8BC7 mov eax, edi
:00401871 40 inc eax
:00401872 E8D1310B00 call 004B4A48
====>取最後一個分割槽G盤的空間資訊？
====>EAX=B4110000

:00401877 E817B80C00 call 004CD093
====>對B4110000迴圈邏輯左移得到新的值
====>EAX=0028092B

:0040187C 8B95ECFEFFFF mov edx, dword ptr [ebp+FFFFFEEC]
:00401882 8BCA mov ecx, edx
====>ECX=EDX=24A

:00401884 C1E204 shl edx, 04
====>EDX=24A SHL 4=24A0

:00401887 03D1 add edx, ecx
====>EDX=24A0 + 24A=26EA

:00401889 2BC2 sub eax, edx
====>EAX=0028092B - 26EA=0027E241

:0040188B 50 push eax
:0040188C E8870F0000 call 00402818
:00401891 59 pop ecx
:00401892 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=0027E241

:00401898 6A14 push 00000014
:0040189A 6A00 push 00000000
:0040189C 6A00 push 00000000
:0040189E 8D85F8FEFFFF lea eax, dword ptr [ebp+FFFFFEF8]
:004018A4 6A00 push 00000000
:004018A6 50 push eax
:004018A7 68FF000000 push 000000FF
:004018AC 6A00 push 00000000
:004018AE 8D45F8 lea eax, dword ptr [ebp-08]

:004018B1 E8520F0000 call 00402808
:004018B6 50 push eax

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0000h
|
:004018B7 E8B66B0E00 Call 004E8472
====>取G盤的硬碟序列號？

:004018BC 8B85F8FEFFFF mov eax, dword ptr [ebp+FFFFFEF8]
====>EAX=[ebp+FFFFFEF8]=1EED362D

:004018C2 B9F7020000 mov ecx, 000002F7
====>ECX=2F7

:004018C7 33D2 xor edx, edx
:004018C9 F7F1 div ecx
====>EAX=1EED362D / 2F7=A6E5D

:004018CB 0385FCFEFFFF add eax, dword ptr [ebp+FFFFFEFC]
====>EAX=A6E5D + 0027E241=0032509E（H）=3297438（D）

:004018D1 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]= EAX =0032509E（H）=3297438（D）
====>呵呵，3297438就是程式顯示的序列號了！

:004018D7 66C78514FFFFFF5000 mov word ptr [ebp+FFFFFF14], 0050
:004018E0 8D45F4 lea eax, dword ptr [ebp-0C]
:004018E3 E8F00E0000 call 004027D8
:004018E8 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:004018EE 66C78514FFFFFF1400 mov word ptr [ebp+FFFFFF14], 0014
:004018F7 66C78514FFFFFF5C00 mov word ptr [ebp+FFFFFF14], 005C
:00401900 8D45F0 lea eax, dword ptr [ebp-10]
:00401903 E8D00E0000 call 004027D8
:00401908 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:0040190E 66C78514FFFFFF1400 mov word ptr [ebp+FFFFFF14], 0014
:00401917 66C78514FFFFFF6800 mov word ptr [ebp+FFFFFF14], 0068
:00401920 8D45DC lea eax, dword ptr [ebp-24]
:00401923 E8B00E0000 call 004027D8
:00401928 8BD0 mov edx, eax
:0040192A FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401930 8B85FCFEFFFF mov eax, dword ptr [ebp+FFFFFEFC]
:00401936 E8BD280B00 call 004B41F8
:0040193B 8D55DC lea edx, dword ptr [ebp-24]
:0040193E 8D45F4 lea eax, dword ptr [ebp-0C]
:00401941 E886310D00 call 004D4ACC
:00401946 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:0040194C 8D45DC lea eax, dword ptr [ebp-24]
:0040194F BA02000000 mov edx, 00000002
:00401954 E843310D00 call 004D4A9C
:00401959 8D55F4 lea edx, dword ptr [ebp-0C]
:0040195C 8D45F0 lea eax, dword ptr [ebp-10]
:0040195F E868310D00 call 004D4ACC
:00401964 EB68 jmp 004019CE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004019D9(C)
|
:00401966 66C78514FFFFFF7400 mov word ptr [ebp+FFFFFF14], 0074
:0040196F 8D45D4 lea eax, dword ptr [ebp-2C]
:00401972 E8610E0000 call 004027D8
:00401977 50 push eax
:00401978 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]

* Possible StringData Ref from Data Obj ->"00燃撞"
|
:0040197E BAD3904E00 mov edx, 004E90D3
:00401983 8D45D8 lea eax, dword ptr [ebp-28]
:00401986 E86D2F0D00 call 004D48F8
:0040198B FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401991 8D55D8 lea edx, dword ptr [ebp-28]
:00401994 8D45F4 lea eax, dword ptr [ebp-0C]
:00401997 59 pop ecx
:00401998 E857310D00 call 004D4AF4
:0040199D 8D55D4 lea edx, dword ptr [ebp-2C]
:004019A0 8D45F4 lea eax, dword ptr [ebp-0C]
:004019A3 E824310D00 call 004D4ACC
:004019A8 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004019AE 8D45D4 lea eax, dword ptr [ebp-2C]
:004019B1 BA02000000 mov edx, 00000002
:004019B6 E8E1300D00 call 004D4A9C
:004019BB FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004019C1 8D45D8 lea eax, dword ptr [ebp-28]
:004019C4 BA02000000 mov edx, 00000002
:004019C9 E8CE300D00 call 004D4A9C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401964(U)
|
:004019CE 8D45F4 lea eax, dword ptr [ebp-0C]
:004019D1 E8520E0000 call 00402828
:004019D6 83F809 cmp eax, 00000009
:004019D9 7C8B jl 00401966
====>比較使用者號是否9位？不到9位則跳上去末尾添0
====>3297438--->329743800

:004019DB 33D2 xor edx, edx
:004019DD 8995FCFEFFFF mov dword ptr [ebp+FFFFFEFC], edx
:004019E3 66C78514FFFFFF8000 mov word ptr [ebp+FFFFFF14], 0080
:004019EC 8D45D0 lea eax, dword ptr [ebp-30]
:004019EF E8E40D0000 call 004027D8
:004019F4 50 push eax
:004019F5 8D45F4 lea eax, dword ptr [ebp-0C]
:004019F8 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]

====>下面開始依次取序列號的值運算了！！
:004019FE B901000000 mov ecx, 00000001
:00401A03 BA01000000 mov edx, 00000001
:00401A08 E8C7320D00 call 004D4CD4
:00401A0D 8D45D0 lea eax, dword ptr [ebp-30]
:00401A10 8B00 mov eax, dword ptr [eax]
:00401A12 E881280B00 call 004B4298
:00401A17 8BD0 mov edx, eax
第一部分！ 1、 ====>EDX=EAX=3

:00401A19 C1E204 shl edx, 04
====>EDX=3 SHL 4=30

:00401A1C 03D0 add edx, eax
====>EDX=30 + 3=33

:00401A1E 8D14D0 lea edx, dword ptr [eax+8*edx]
====>EDX=3 + 8*33=19B

:00401A21 81C2F6000000 add edx, 000000F6
====>EDX=19B + F6=291

:00401A27 0195FCFEFFFF add dword ptr [ebp+FFFFFEFC], edx
====>[ebp+FFFFFEFC]=00 + 291=291

:00401A2D FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401A33 8D45D0 lea eax, dword ptr [ebp-30]
:00401A36 BA02000000 mov edx, 00000002
:00401A3B E85C300D00 call 004D4A9C
:00401A40 66C78514FFFFFF8C00 mov word ptr [ebp+FFFFFF14], 008C
:00401A49 8D45CC lea eax, dword ptr [ebp-34]
:00401A4C E8870D0000 call 004027D8
:00401A51 50 push eax
:00401A52 8D45F4 lea eax, dword ptr [ebp-0C]
:00401A55 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401A5B B901000000 mov ecx, 00000001
:00401A60 BA02000000 mov edx, 00000002
:00401A65 E86A320D00 call 004D4CD4
:00401A6A 8D45CC lea eax, dword ptr [ebp-34]
:00401A6D 8B00 mov eax, dword ptr [eax]
:00401A6F E824280B00 call 004B4298
:00401A74 8BD8 mov ebx, eax
:00401A76 8D45C8 lea eax, dword ptr [ebp-38]
====>EAX=[ebp-38]=291

:00401A79 E85A0D0000 call 004027D8
:00401A7E 50 push eax
:00401A7F 8D45F4 lea eax, dword ptr [ebp-0C]
:00401A82 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401A88 B901000000 mov ecx, 00000001
:00401A8D BA02000000 mov edx, 00000002
:00401A92 E83D320D00 call 004D4CD4
:00401A97 8D45C8 lea eax, dword ptr [ebp-38]
:00401A9A 8B00 mov eax, dword ptr [eax]
:00401A9C E8F7270B00 call 004B4298
:00401AA1 0FAFD8 imul ebx, eax
2、 ====>EBX=2 * 2=4

:00401AA4 81C371010000 add ebx, 00000171
====>EBX=4 + 171=175

:00401AAA 019DFCFEFFFF add dword ptr [ebp+FFFFFEFC], ebx
====>[ebp+FFFFFEFC]=291 + 175=406

:00401AB0 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401AB6 8D45C8 lea eax, dword ptr [ebp-38]
:00401AB9 BA02000000 mov edx, 00000002
:00401ABE E8D92F0D00 call 004D4A9C
:00401AC3 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401AC9 8D45CC lea eax, dword ptr [ebp-34]
:00401ACC BA02000000 mov edx, 00000002
:00401AD1 E8C62F0D00 call 004D4A9C
:00401AD6 66C78514FFFFFF9800 mov word ptr [ebp+FFFFFF14], 0098
:00401ADF 8D45C4 lea eax, dword ptr [ebp-3C]
:00401AE2 E8F10C0000 call 004027D8
:00401AE7 50 push eax
:00401AE8 8D45F4 lea eax, dword ptr [ebp-0C]
:00401AEB FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401AF1 B901000000 mov ecx, 00000001
:00401AF6 BA03000000 mov edx, 00000003
:00401AFB E8D4310D00 call 004D4CD4
:00401B00 8D45C4 lea eax, dword ptr [ebp-3C]
:00401B03 8B00 mov eax, dword ptr [eax]
:00401B05 E88E270B00 call 004B4298
:00401B0A 8BD0 mov edx, eax
3、 ====>EDX=EAX=9

:00401B0C C1E209 shl edx, 09
====>EDX=9 SHL 9=1200

:00401B0F 2BD0 sub edx, eax
====>EDX=1200 - 9=11F7

:00401B11 81C207F2FFFF add edx, FFFFF207
====>EDX=11F7 + -0DF9=3FE

:00401B17 0195FCFEFFFF add dword ptr [ebp+FFFFFEFC], edx
====>[ebp+FFFFFEFC]=406 + 3FE=804

:00401B1D FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401B23 8D45C4 lea eax, dword ptr [ebp-3C]
:00401B26 BA02000000 mov edx, 00000002
:00401B2B E86C2F0D00 call 004D4A9C
:00401B30 66C78514FFFFFFA400 mov word ptr [ebp+FFFFFF14], 00A4
:00401B39 8D45C0 lea eax, dword ptr [ebp-40]
:00401B3C E8970C0000 call 004027D8
:00401B41 50 push eax
:00401B42 8D45F4 lea eax, dword ptr [ebp-0C]
:00401B45 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401B4B B901000000 mov ecx, 00000001
:00401B50 BA04000000 mov edx, 00000004
:00401B55 E87A310D00 call 004D4CD4
:00401B5A 8D45C0 lea eax, dword ptr [ebp-40]
:00401B5D 8B00 mov eax, dword ptr [eax]
4、 ====>EAX=7

:00401B5F E834270B00 call 004B4298
:00401B64 8D1440 lea edx, dword ptr [eax+2*eax]
====>EDX=7 + 2*7=15

:00401B67 C1E203 shl edx, 03
====>EDX=15 SHL 3=A8

:00401B6A 2BD0 sub edx, eax
====>EDX=A8 - 7=A1

:00401B6C C1E202 shl edx, 02
====>EDX=A1 SHL 2=284

:00401B6F 2BD0 sub edx, eax
====>EDX=284 - 7=27D

:00401B71 81C2E7230000 add edx, 000023E7
====>EDX=27D + 23E7=2664

:00401B77 0195FCFEFFFF add dword ptr [ebp+FFFFFEFC], edx
====>[ebp+FFFFFEFC]=804 + 2664=2E68

:00401B7D FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401B83 8D45C0 lea eax, dword ptr [ebp-40]
:00401B86 BA02000000 mov edx, 00000002
:00401B8B E80C2F0D00 call 004D4A9C
:00401B90 66C78514FFFFFFB000 mov word ptr [ebp+FFFFFF14], 00B0
:00401B99 8D45BC lea eax, dword ptr [ebp-44]
:00401B9C E8370C0000 call 004027D8
:00401BA1 50 push eax
:00401BA2 8D45F4 lea eax, dword ptr [ebp-0C]
:00401BA5 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401BAB B901000000 mov ecx, 00000001
:00401BB0 BA05000000 mov edx, 00000005
:00401BB5 E81A310D00 call 004D4CD4
:00401BBA 8D45BC lea eax, dword ptr [ebp-44]
:00401BBD 8B00 mov eax, dword ptr [eax]
5、 ====>EAX=4

:00401BBF E8D4260B00 call 004B4298
:00401BC4 69D0E2180000 imul edx, eax, 000018E2
====>EDX=4 * 18E2=6388

:00401BCA 81C21EE7FFFF add edx, FFFFE71E
====>EDX=6388 + -18E2=4AA6

:00401BD0 0195FCFEFFFF add dword ptr [ebp+FFFFFEFC], edx
====>[ebp+FFFFFEFC]=2E68 + 4AA6=790E

:00401BD6 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401BDC 8D45BC lea eax, dword ptr [ebp-44]
:00401BDF BA02000000 mov edx, 00000002
:00401BE4 E8B32E0D00 call 004D4A9C
:00401BE9 66C78514FFFFFFBC00 mov word ptr [ebp+FFFFFF14], 00BC
:00401BF2 8D45B8 lea eax, dword ptr [ebp-48]
:00401BF5 E8DE0B0000 call 004027D8
:00401BFA 50 push eax
:00401BFB 8D45F4 lea eax, dword ptr [ebp-0C]
:00401BFE FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401C04 B901000000 mov ecx, 00000001
:00401C09 BA06000000 mov edx, 00000006
:00401C0E E8C1300D00 call 004D4CD4
:00401C13 8D45B8 lea eax, dword ptr [ebp-48]
:00401C16 8B00 mov eax, dword ptr [eax]
6、 ====>EAX=3

:00401C18 E87B260B00 call 004B4298
:00401C1D 8D1480 lea edx, dword ptr [eax+4*eax]
====>EDX=3 + 4*3=F

:00401C20 C1E203 shl edx, 03
====>EDX=F SHL 3=78

:00401C23 2BD0 sub edx, eax
====>EDX=78 - 3=75

:00401C25 C1E203 shl edx, 03
====>EDX=75 SHL 3=3A8

:00401C28 2BD0 sub edx, eax
====>EDX=3A8 - 3=3A5

:00401C2A 81C252FFFFFF add edx, FFFFFF52
====>EDX=3A5 + -0AE=2F7

:00401C30 0195FCFEFFFF add dword ptr [ebp+FFFFFEFC], edx
====>[ebp+FFFFFEFC]=790E + 2F7=7C05

:00401C36 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401C3C 8D45B8 lea eax, dword ptr [ebp-48]
:00401C3F BA02000000 mov edx, 00000002
:00401C44 E8532E0D00 call 004D4A9C
:00401C49 66C78514FFFFFFC800 mov word ptr [ebp+FFFFFF14], 00C8
:00401C52 8D45B4 lea eax, dword ptr [ebp-4C]
:00401C55 E87E0B0000 call 004027D8
:00401C5A 50 push eax
:00401C5B 8D45F4 lea eax, dword ptr [ebp-0C]
:00401C5E FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401C64 B901000000 mov ecx, 00000001
:00401C69 BA07000000 mov edx, 00000007
:00401C6E E861300D00 call 004D4CD4
:00401C73 8D45B4 lea eax, dword ptr [ebp-4C]
:00401C76 8B00 mov eax, dword ptr [eax]
7、 ====>EAX=8

:00401C78 E81B260B00 call 004B4298
:00401C7D 8D1480 lea edx, dword ptr [eax+4*eax]
====>EDX=8 + 4*8=28

:00401C80 C1E205 shl edx, 05
====>EDX=28 * 5=500

:00401C83 03D0 add edx, eax
====>EDX=500 + 8=508

:00401C85 8D1450 lea edx, dword ptr [eax+2*edx]
====>EDX=8 + 2*508=A18

:00401C88 81C2DFCBFFFF add edx, FFFFCBDF
====>EDX=A18 + -3421=FFFFD5F7

:00401C8E 0195FCFEFFFF add dword ptr [ebp+FFFFFEFC], edx
====>[ebp+FFFFFEFC]=7C05 + FFFFD5F7=51FC

:00401C94 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401C9A 8D45B4 lea eax, dword ptr [ebp-4C]
:00401C9D BA02000000 mov edx, 00000002
:00401CA2 E8F52D0D00 call 004D4A9C
:00401CA7 66C78514FFFFFFD400 mov word ptr [ebp+FFFFFF14], 00D4
:00401CB0 8D45B0 lea eax, dword ptr [ebp-50]
:00401CB3 E8200B0000 call 004027D8
:00401CB8 50 push eax
:00401CB9 8D45F4 lea eax, dword ptr [ebp-0C]
:00401CBC FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401CC2 B901000000 mov ecx, 00000001
:00401CC7 BA08000000 mov edx, 00000008
:00401CCC E803300D00 call 004D4CD4
:00401CD1 8D45B0 lea eax, dword ptr [ebp-50]
:00401CD4 8B00 mov eax, dword ptr [eax]
8、 ====>EAX=0

:00401CD6 E8BD250B00 call 004B4298
:00401CDB 8BD8 mov ebx, eax
:00401CDD 8D45AC lea eax, dword ptr [ebp-54]
:00401CE0 E8F30A0000 call 004027D8
:00401CE5 50 push eax
:00401CE6 8D45F4 lea eax, dword ptr [ebp-0C]
:00401CE9 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401CEF B901000000 mov ecx, 00000001
:00401CF4 BA08000000 mov edx, 00000008
:00401CF9 E8D62F0D00 call 004D4CD4
:00401CFE 8D45AC lea eax, dword ptr [ebp-54]
:00401D01 8B00 mov eax, dword ptr [eax]
====>EAX=0

:00401D03 E890250B00 call 004B4298
:00401D08 0FAFD8 imul ebx, eax
====>EBX=0 * 0=0

:00401D0B 8D45A8 lea eax, dword ptr [ebp-58]
:00401D0E E8C50A0000 call 004027D8
:00401D13 50 push eax
:00401D14 8D45F4 lea eax, dword ptr [ebp-0C]
:00401D17 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401D1D B901000000 mov ecx, 00000001
:00401D22 BA08000000 mov edx, 00000008
:00401D27 E8A82F0D00 call 004D4CD4
:00401D2C 8D45A8 lea eax, dword ptr [ebp-58]
:00401D2F 8B00 mov eax, dword ptr [eax]
9、 ====>EAX=0

:00401D31 E862250B00 call 004B4298
:00401D36 0FAFD8 imul ebx, eax
====>EBX=0 * 0=0

:00401D39 81C3550B0000 add ebx, 00000B55
====>EBX=0 + B55=B55

:00401D3F 019DFCFEFFFF add dword ptr [ebp+FFFFFEFC], ebx
====>[ebp+FFFFFEFC]=51FC + B55=5D51

:00401D45 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401D4B 8D45A8 lea eax, dword ptr [ebp-58]
:00401D4E BA02000000 mov edx, 00000002
:00401D53 E8442D0D00 call 004D4A9C
:00401D58 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401D5E 8D45AC lea eax, dword ptr [ebp-54]
:00401D61 BA02000000 mov edx, 00000002
:00401D66 E8312D0D00 call 004D4A9C
:00401D6B FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401D71 8D45B0 lea eax, dword ptr [ebp-50]
:00401D74 BA02000000 mov edx, 00000002
:00401D79 E81E2D0D00 call 004D4A9C
:00401D7E 66C78514FFFFFFE000 mov word ptr [ebp+FFFFFF14], 00E0
:00401D87 8D45A4 lea eax, dword ptr [ebp-5C]
:00401D8A E8490A0000 call 004027D8
:00401D8F 50 push eax
:00401D90 8D45F4 lea eax, dword ptr [ebp-0C]
:00401D93 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401D99 B901000000 mov ecx, 00000001
:00401D9E BA01000000 mov edx, 00000001
:00401DA3 E82C2F0D00 call 004D4CD4
:00401DA8 8D45A4 lea eax, dword ptr [ebp-5C]
:00401DAB 8B00 mov eax, dword ptr [eax]
第二部分！ 1、 ====>EAX=3

:00401DAD E8E6240B00 call 004B4298
:00401DB2 40 inc eax
====>EAX=3 + 1=4

:00401DB3 BA02000000 mov edx, 00000002
:00401DB8 0FAF85FCFEFFFF imul eax, dword ptr [ebp+FFFFFEFC]
====>EAX=4 * 5D51=17544

:00401DBF 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=17544

:00401DC5 8D45A4 lea eax, dword ptr [ebp-5C]
:00401DC8 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401DCE E8C92C0D00 call 004D4A9C
:00401DD3 66C78514FFFFFFEC00 mov word ptr [ebp+FFFFFF14], 00EC
:00401DDC 8D45A0 lea eax, dword ptr [ebp-60]
:00401DDF E8F4090000 call 004027D8
:00401DE4 50 push eax
:00401DE5 8D45F4 lea eax, dword ptr [ebp-0C]
:00401DE8 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401DEE B901000000 mov ecx, 00000001
:00401DF3 BA02000000 mov edx, 00000002
:00401DF8 E8D72E0D00 call 004D4CD4
:00401DFD 8D45A0 lea eax, dword ptr [ebp-60]
:00401E00 8B00 mov eax, dword ptr [eax]
2、 ====>====>EAX=2

:00401E02 E891240B00 call 004B4298
:00401E07 40 inc eax
====>EAX=2 + 1=3

:00401E08 BA02000000 mov edx, 00000002
:00401E0D 0FAF85FCFEFFFF imul eax, dword ptr [ebp+FFFFFEFC]
====>EAX=3 * 17544=45FCC

:00401E14 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=45FCC

:00401E1A 8D45A0 lea eax, dword ptr [ebp-60]
:00401E1D FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401E23 E8742C0D00 call 004D4A9C
:00401E28 66C78514FFFFFFF800 mov word ptr [ebp+FFFFFF14], 00F8
:00401E31 8D459C lea eax, dword ptr [ebp-64]
:00401E34 E89F090000 call 004027D8
:00401E39 50 push eax
:00401E3A 8D45F4 lea eax, dword ptr [ebp-0C]
:00401E3D FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401E43 B901000000 mov ecx, 00000001
:00401E48 BA03000000 mov edx, 00000003
:00401E4D E8822E0D00 call 004D4CD4
:00401E52 8D459C lea eax, dword ptr [ebp-64]
:00401E55 8B00 mov eax, dword ptr [eax]
3、 ====>====>EAX=9

:00401E57 E83C240B00 call 004B4298
:00401E5C 40 inc eax
====>EAX=9 + 1=A

:00401E5D BA02000000 mov edx, 00000002
:00401E62 0FAF85FCFEFFFF imul eax, dword ptr [ebp+FFFFFEFC]
====>EAX=A * 45FCC=2BBDF8

:00401E69 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=2BBDF8

:00401E6F 8D459C lea eax, dword ptr [ebp-64]
:00401E72 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401E78 E81F2C0D00 call 004D4A9C
:00401E7D 66C78514FFFFFF0401 mov word ptr [ebp+FFFFFF14], 0104
:00401E86 8D4598 lea eax, dword ptr [ebp-68]
:00401E89 E84A090000 call 004027D8
:00401E8E 50 push eax
:00401E8F 8D45F4 lea eax, dword ptr [ebp-0C]
:00401E92 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401E98 B901000000 mov ecx, 00000001
:00401E9D BA04000000 mov edx, 00000004
:00401EA2 E82D2E0D00 call 004D4CD4
:00401EA7 8D4598 lea eax, dword ptr [ebp-68]
:00401EAA 8B00 mov eax, dword ptr [eax]
4、 ====>EAX=7

:00401EAC E8E7230B00 call 004B4298
:00401EB1 40 inc eax
====>EAX=7 + 1=8

:00401EB2 BA02000000 mov edx, 00000002
:00401EB7 0FAF85FCFEFFFF imul eax, dword ptr [ebp+FFFFFEFC]
====>EAX=8 * 2BBDF8=15DEFC0

:00401EBE 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=15DEFC0

:00401EC4 8D4598 lea eax, dword ptr [ebp-68]
:00401EC7 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401ECD E8CA2B0D00 call 004D4A9C
:00401ED2 66C78514FFFFFF1001 mov word ptr [ebp+FFFFFF14], 0110
:00401EDB 8D4594 lea eax, dword ptr [ebp-6C]
:00401EDE E8F5080000 call 004027D8
:00401EE3 50 push eax
:00401EE4 8D45F4 lea eax, dword ptr [ebp-0C]
:00401EE7 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401EED B901000000 mov ecx, 00000001
:00401EF2 BA05000000 mov edx, 00000005
:00401EF7 E8D82D0D00 call 004D4CD4
:00401EFC 8D4594 lea eax, dword ptr [ebp-6C]
:00401EFF 8B00 mov eax, dword ptr [eax]
5、 ====>EAX=4

:00401F01 E892230B00 call 004B4298
:00401F06 40 inc eax
====>EAX=4 + 1=5

:00401F07 BA02000000 mov edx, 00000002
:00401F0C 0FAF85FCFEFFFF imul eax, dword ptr [ebp+FFFFFEFC]
====>EAX=5 * 15DEFC0=6D5AEC0

:00401F13 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=6D5AEC0

:00401F19 8D4594 lea eax, dword ptr [ebp-6C]
:00401F1C FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401F22 E8752B0D00 call 004D4A9C
:00401F27 66C78514FFFFFF1C01 mov word ptr [ebp+FFFFFF14], 011C
:00401F30 8D4590 lea eax, dword ptr [ebp-70]
:00401F33 E8A0080000 call 004027D8
:00401F38 50 push eax
:00401F39 8D45F4 lea eax, dword ptr [ebp-0C]
:00401F3C FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401F42 B901000000 mov ecx, 00000001
:00401F47 BA06000000 mov edx, 00000006
:00401F4C E8832D0D00 call 004D4CD4
:00401F51 8D4590 lea eax, dword ptr [ebp-70]
:00401F54 8B00 mov eax, dword ptr [eax]
6、 ====>EAX=3

:00401F56 E83D230B00 call 004B4298
:00401F5B 40 inc eax
====>EAX=3 + 1=4

:00401F5C BA02000000 mov edx, 00000002
:00401F61 0FAF85FCFEFFFF imul eax, dword ptr [ebp+FFFFFEFC]
====>EAX=4 * 6D5AEC0=1B56BB00

:00401F68 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=1B56BB00

:00401F6E 8D4590 lea eax, dword ptr [ebp-70]
:00401F71 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401F77 E8202B0D00 call 004D4A9C
:00401F7C 66C78514FFFFFF2801 mov word ptr [ebp+FFFFFF14], 0128
:00401F85 8D458C lea eax, dword ptr [ebp-74]
:00401F88 E84B080000 call 004027D8
:00401F8D 50 push eax
:00401F8E 8D45F4 lea eax, dword ptr [ebp-0C]
:00401F91 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401F97 B901000000 mov ecx, 00000001
:00401F9C BA07000000 mov edx, 00000007
:00401FA1 E82E2D0D00 call 004D4CD4
:00401FA6 8D458C lea eax, dword ptr [ebp-74]
:00401FA9 8B00 mov eax, dword ptr [eax]
7、 ====>EAX=8

:00401FAB E8E8220B00 call 004B4298
:00401FB0 057E4A0300 add eax, 00034A7E
====>EAX=8 + 34A7E=34A86

:00401FB5 0185FCFEFFFF add dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=1B56BB00 + 34A86=1B5A0586

:00401FBB FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00401FC1 8D458C lea eax, dword ptr [ebp-74]
:00401FC4 BA02000000 mov edx, 00000002
:00401FC9 E8CE2A0D00 call 004D4A9C
:00401FCE 66C78514FFFFFF3401 mov word ptr [ebp+FFFFFF14], 0134
:00401FD7 8D4588 lea eax, dword ptr [ebp-78]
:00401FDA E8F9070000 call 004027D8
:00401FDF 50 push eax
:00401FE0 8D45F4 lea eax, dword ptr [ebp-0C]
:00401FE3 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00401FE9 B901000000 mov ecx, 00000001
:00401FEE BA08000000 mov edx, 00000008
:00401FF3 E8DC2C0D00 call 004D4CD4
:00401FF8 8D4588 lea eax, dword ptr [ebp-78]
:00401FFB 8B00 mov eax, dword ptr [eax]
8、 ====>EAX=0

:00401FFD E896220B00 call 004B4298
:00402002 0547430000 add eax, 00004347
====>EAX=0 + 4347=4347

:00402007 0D79450200 or eax, 00024579
====>EAX=4347 OR 24579=2477F

:0040200C 0185FCFEFFFF add dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=1B5A0586 + 2477F=1B5C4D05

:00402012 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00402018 8D4588 lea eax, dword ptr [ebp-78]
:0040201B BA02000000 mov edx, 00000002
:00402020 E8772A0D00 call 004D4A9C
:00402025 DB85FCFEFFFF fild dword ptr [ebp+FFFFFEFC]
:0040202B 83C4F8 add esp, FFFFFFF8
:0040202E DD1C24 fstp qword ptr [esp]
:00402031 E8B6B50C00 call 004CD5EC
:00402036 83C408 add esp, 00000008
:00402039 E8F2B50C00 call 004CD630
:0040203E 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=EAX=1B5C4D05

:00402044 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
:0040204A 66C78514FFFFFF4001 mov word ptr [ebp+FFFFFF14], 0140
:00402053 66C78514FFFFFF4C01 mov word ptr [ebp+FFFFFF14], 014C

* Possible StringData Ref from Data Obj ->"00親?! 東顓斃梁:"
|
:0040205C BAE5904E00 mov edx, 004E90E5
:00402061 E892280D00 call 004D48F8
:00402066 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:0040206C 8B10 mov edx, dword ptr [eax]
:0040206E 8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78]
:00402074 52 push edx
:00402075 E85E070000 call 004027D8
:0040207A 50 push eax
:0040207B FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]

* Possible StringData Ref from Data Obj ->"註冊碼"
|
:00402081 BADE904E00 mov edx, 004E90DE
:00402086 8D4580 lea eax, dword ptr [ebp-80]
:00402089 E86A280D00 call 004D48F8
:0040208E FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00402094 8B10 mov edx, dword ptr [eax]
:00402096 52 push edx

* Possible StringData Ref from Data Obj ->"軟體註冊"
|
:00402097 BAD5904E00 mov edx, 004E90D5
:0040209C 8D4584 lea eax, dword ptr [ebp-7C]
:0040209F E854280D00 call 004D48F8
:004020A4 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:004020AA 8B10 mov edx, dword ptr [eax]
:004020AC 8B8500FFFFFF mov eax, dword ptr [ebp+FFFFFF00]
:004020B2 59 pop ecx
:004020B3 8B18 mov ebx, dword ptr [eax]
:004020B5 FF13 call dword ptr [ebx]
:004020B7 8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78]
:004020BD 8B00 mov eax, dword ptr [eax]
:004020BF E8D4210B00 call 004B4298
:004020C4 8BD8 mov ebx, eax
:004020C6 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004020CC 8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78]
:004020D2 BA02000000 mov edx, 00000002
:004020D7 E8C0290D00 call 004D4A9C
:004020DC FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004020E2 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
:004020E8 BA02000000 mov edx, 00000002
:004020ED E8AA290D00 call 004D4A9C
:004020F2 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004020F8 8D4580 lea eax, dword ptr [ebp-80]
:004020FB BA02000000 mov edx, 00000002
:00402100 E897290D00 call 004D4A9C
:00402105 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:0040210B 8D4584 lea eax, dword ptr [ebp-7C]
:0040210E BA02000000 mov edx, 00000002
:00402113 E884290D00 call 004D4A9C
:00402118 66C78514FFFFFF1400 mov word ptr [ebp+FFFFFF14], 0014
:00402121 EB10 jmp 00402133
:00402123 33DB xor ebx, ebx
:00402125 66C78514FFFFFF4801 mov word ptr [ebp+FFFFFF14], 0148
:0040212E E85FFC0C00 call 004D1D92

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402121(U)
|
:00402133 66C78514FFFFFF5801 mov word ptr [ebp+FFFFFF14], 0158
:0040213C 8D8574FFFFFF lea eax, dword ptr [ebp+FFFFFF74]
:00402142 E891060000 call 004027D8
:00402147 8BD0 mov edx, eax
:00402149 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:0040214F 8B85FCFEFFFF mov eax, dword ptr [ebp+FFFFFEFC]
:00402155 E89E200B00 call 004B41F8
:0040215A 8D9574FFFFFF lea edx, dword ptr [ebp+FFFFFF74]
:00402160 52 push edx
:00402161 8D93A6D80000 lea edx, dword ptr [ebx+0000D8A6]
:00402167 8D8570FFFFFF lea eax, dword ptr [ebp+FFFFFF70]
:0040216D E8A2280D00 call 004D4A14
:00402172 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00402178 8D9570FFFFFF lea edx, dword ptr [ebp+FFFFFF70]
:0040217E 58 pop eax
:0040217F E8142A0D00 call 004D4B98
:00402184 50 push eax
:00402185 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:0040218B 8D8570FFFFFF lea eax, dword ptr [ebp+FFFFFF70]
:00402191 BA02000000 mov edx, 00000002
:00402196 E801290D00 call 004D4A9C
:0040219B FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004021A1 8D8574FFFFFF lea eax, dword ptr [ebp+FFFFFF74]
:004021A7 BA02000000 mov edx, 00000002
:004021AC E8EB280D00 call 004D4A9C
:004021B1 59 pop ecx
:004021B2 84C9 test cl, cl
:004021B4 0F847D020000 je 00402437
:004021BA 66C78514FFFFFF6401 mov word ptr [ebp+FFFFFF14], 0164
:004021C3 66C78514FFFFFF7001 mov word ptr [ebp+FFFFFF14], 0170
:004021CC 8D8558FFFFFF lea eax, dword ptr [ebp+FFFFFF58]
:004021D2 E801060000 call 004027D8
:004021D7 50 push eax
:004021D8 8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:004021DE FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:004021E4 E8EF050000 call 004027D8
:004021E9 8BC8 mov ecx, eax
:004021EB FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:004021F1 8D55F0 lea edx, dword ptr [ebp-10]

* Possible StringData Ref from Data Obj ->"序列號: "
|
:004021F4 B8FF904E00 mov eax, 004E90FF
:004021F9 E8D22C0D00 call 004D4ED0
:004021FE 8D9568FFFFFF lea edx, dword ptr [ebp+FFFFFF68]
:00402204 8D8560FFFFFF lea eax, dword ptr [ebp+FFFFFF60]
:0040220A 52 push edx
:0040220B E8C8050000 call 004027D8
:00402210 50 push eax
:00402211 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]

* Possible StringData Ref from Data Obj ->" "
|
:00402217 BA08914E00 mov edx, 004E9108
:0040221C 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:00402222 E8D1260D00 call 004D48F8
:00402227 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:0040222D 8D9564FFFFFF lea edx, dword ptr [ebp+FFFFFF64]
:00402233 59 pop ecx
:00402234 58 pop eax
:00402235 E8BA280D00 call 004D4AF4
:0040223A 8D9560FFFFFF lea edx, dword ptr [ebp+FFFFFF60]
:00402240 8D855CFFFFFF lea eax, dword ptr [ebp+FFFFFF5C]
:00402246 8B0A mov ecx, dword ptr [edx]

* Possible StringData Ref from Data Obj ->"00燃撞"
|
:00402248 BA0E914E00 mov edx, 004E910E
:0040224D 51 push ecx
:0040224E E8A5260D00 call 004D48F8
:00402253 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]

* Possible StringData Ref from Data Obj ->"請註冊!!! 藍帆打支票"
|
:00402259 BAE7904E00 mov edx, 004E90E7
:0040225E 8B08 mov ecx, dword ptr [eax]
:00402260 8D856CFFFFFF lea eax, dword ptr [ebp+FFFFFF6C]
:00402266 51 push ecx
:00402267 E88C260D00 call 004D48F8
:0040226C FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00402272 8B00 mov eax, dword ptr [eax]
:00402274 59 pop ecx
:00402275 5A pop edx
:00402276 E88D680700 call 00478B08
====>請註冊！呵呵，到這裡出來要求註冊的視窗！

:0040227B 8D8558FFFFFF lea eax, dword ptr [ebp+FFFFFF58]
:00402281 8B00 mov eax, dword ptr [eax]
====>EAX=13572468 試煉碼

:00402283 E810200B00 call 004B4298
====>把試煉碼轉換成16進位制值

:00402288 8BD8 mov ebx, eax
====>EBX=EAX=00CF1974（H）=13572468（D）

:0040228A FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00402290 8D8558FFFFFF lea eax, dword ptr [ebp+FFFFFF58]
:00402296 BA02000000 mov edx, 00000002
:0040229B E8FC270D00 call 004D4A9C
:004022A0 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004022A6 8D855CFFFFFF lea eax, dword ptr [ebp+FFFFFF5C]
:004022AC BA02000000 mov edx, 00000002
:004022B1 E8E6270D00 call 004D4A9C
:004022B6 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004022BC 8D8560FFFFFF lea eax, dword ptr [ebp+FFFFFF60]
:004022C2 BA02000000 mov edx, 00000002
:004022C7 E8D0270D00 call 004D4A9C
:004022CC FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004022D2 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:004022D8 BA02000000 mov edx, 00000002
:004022DD E8BA270D00 call 004D4A9C
:004022E2 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004022E8 8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:004022EE BA02000000 mov edx, 00000002
:004022F3 E8A4270D00 call 004D4A9C
:004022F8 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004022FE 8D856CFFFFFF lea eax, dword ptr [ebp+FFFFFF6C]
:00402304 BA02000000 mov edx, 00000002
:00402309 E88E270D00 call 004D4A9C
:0040230E 66C78514FFFFFF1400 mov word ptr [ebp+FFFFFF14], 0014
:00402317 EB10 jmp 00402329
:00402319 33DB xor ebx, ebx
:0040231B 66C78514FFFFFF6C01 mov word ptr [ebp+FFFFFF14], 016C
:00402324 E869FA0C00 call 004D1D92

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402317(U)
|
:00402329 8D83A6D80000 lea eax, dword ptr [ebx+0000D8A6]
====>EAX=00CF1974 + D8A6=00CFF21A

:0040232F 3B85FCFEFFFF cmp eax, dword ptr [ebp+FFFFFEFC]
====>比較註冊碼!
====>EAX=00CF1974 + D8A6=00CFF21A
====>[ebp+FFFFFEFC] =1B5C4D05
呵呵，程式玩了點小花樣。把我的試煉碼加上D8A6後與1B5C4D05比較，如果這兩者相等就OK!
因此我的註冊碼=1B5C4D05-D8A6=1B5B745F（H）=458978399（D）

:00402335 0F85F2000000 jne 0040242D
====>跳則OVER！

:0040233B C7050C10500001000000 mov dword ptr [0050100C], 00000001
:00402345 8D854CFFFFFF lea eax, dword ptr [ebp+FFFFFF4C]
:0040234B 8BD3 mov edx, ebx
:0040234D E8C2260D00 call 004D4A14
:00402352 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00402358 8B00 mov eax, dword ptr [eax]
:0040235A E8391F0B00 call 004B4298
:0040235F 8BD0 mov edx, eax
:00402361 8D8548FFFFFF lea eax, dword ptr [ebp+FFFFFF48]
:00402367 E8A8260D00 call 004D4A14
:0040236C FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:00402372 8B10 mov edx, dword ptr [eax]
:00402374 52 push edx

* Possible StringData Ref from Data Obj ->"註冊碼"
|
:00402375 BA19914E00 mov edx, 004E9119
:0040237A 8D8550FFFFFF lea eax, dword ptr [ebp+FFFFFF50]
:00402380 E873250D00 call 004D48F8
:00402385 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]

* Possible StringData Ref from Data Obj ->"軟體註冊"
|
:0040238B BA10914E00 mov edx, 004E9110
:00402390 8B08 mov ecx, dword ptr [eax]
:00402392 8D8554FFFFFF lea eax, dword ptr [ebp+FFFFFF54]
:00402398 51 push ecx
:00402399 66C78514FFFFFF7C01 mov word ptr [ebp+FFFFFF14], 017C
:004023A2 E851250D00 call 004D48F8
:004023A7 FF8520FFFFFF inc dword ptr [ebp+FFFFFF20]
:004023AD 8B10 mov edx, dword ptr [eax]
:004023AF 8B8500FFFFFF mov eax, dword ptr [ebp+FFFFFF00]
:004023B5 59 pop ecx
:004023B6 8B18 mov ebx, dword ptr [eax]
:004023B8 FF5304 call [ebx+04]
:004023BB FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004023C1 8D8548FFFFFF lea eax, dword ptr [ebp+FFFFFF48]
:004023C7 BA02000000 mov edx, 00000002
:004023CC E8CB260D00 call 004D4A9C
:004023D1 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004023D7 8D854CFFFFFF lea eax, dword ptr [ebp+FFFFFF4C]
:004023DD BA02000000 mov edx, 00000002
:004023E2 E8B5260D00 call 004D4A9C
:004023E7 FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:004023ED 8D8550FFFFFF lea eax, dword ptr [ebp+FFFFFF50]
:004023F3 BA02000000 mov edx, 00000002
:004023F8 E89F260D00 call 004D4A9C
:004023FD FF8D20FFFFFF dec dword ptr [ebp+FFFFFF20]
:00402403 8D8554FFFFFF lea eax, dword ptr [ebp+FFFFFF54]
:00402409 BA02000000 mov edx, 00000002
:0040240E E889260D00 call 004D4A9C
:00402413 A1100B5000 mov eax, dword ptr [00500B10]
:00402418 6A41 push 00000041

* Possible StringData Ref from Data Obj ->"註冊成功！"
====>呵呵，勝利女神！

:0040241A B940914E00 mov ecx, 004E9140

* Possible StringData Ref from Data Obj ->"非常感謝你的支援!請記住註冊碼!"
|
:0040241F BA20914E00 mov edx, 004E9120
:00402424 8B00 mov eax, dword ptr [eax]
:00402426 E801240D00 call 004D482C
:0040242B EB14 jmp 00402441

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402335(C)
|
:0040242D 33D2 xor edx, edx
:0040242F 89150C105000 mov dword ptr [0050100C], edx
:00402435 EB0A jmp 00402441

―――――――――――――――――――――――――――――――――
【算法總結】：

取硬碟的資訊得出序列號，對序列號進行煩瑣的簡單運算得出一組值。
最後取試煉碼加上D8A6與上面的結果比較，若相同則OK！

―――――――――――――――――――――――――――――――――
【完美爆破】：

004021B2 84C9 test cl, cl
改為： 30C9 xor cl, cl

啟動時無NAG了，也沒有金額限制了。呵呵，只是我沒有支票可打，不知道是否會有其它暗樁。^Q^^Q^

―――――――――――――――――――――――――――――――――
【KeyMake之{59th}記憶體序號產生器】：

中斷地址：40203E
中斷次數：1
第一位元組：89
指令長度：6

暫存器方式：EAX
十進位制

注意：所得結果必須-55462才是真正的註冊碼！

―――――――――――――――――――――――――――――――――
【註冊資訊儲存】：

同資料夾下的check.ini檔案中：

[軟體註冊]
註冊碼=458978399

―――――――――――――――――――――――――――――――――
【整理】：

序列號：3297438
註冊碼：458978399

―――――――――――――――――――――――――――――――――

Cracked By 巢水工作坊――fly[OCN][FCG]

2003-04-15 11:48:21

簡單演算法――藍帆打支票 V5.5

相關文章