破解心得之Windows優化大師篇

看雪資料發表於2015-11-15

軟體名稱:Windows優化大師
版本:4.20
作者:時空幻影
時間:2001年11月25日
使用工具:TRW2000 V1.22已註冊版、CASPR(脫殼工具)、PW32DSM白金版漢化版

    先用CASPR脫掉WINDOWS優化大師.EXE和OCTODLL.DLL的殼,然後進入TRW2000,再進入Windows優化大師,點選“軟體註冊”,
然後在註冊者姓名欄中填入自己的名字,按Enter鍵,點選“取消”,就會看見註冊申請碼,在註冊認證碼的兩個欄中分別隨便填入一
個長度為8的十進位制數。按CTRL+N啟用TRW2000後,設“萬能斷點”BPX HMEMCPY,回車,然後按F5回到WINDOWS下,點選“註冊認證”
會被攔下,輸入指令BD *、PMODULE,回車,然後按F10過了幾個RET後會來到如下所指的地方:

* Possible StringData Ref from Code Obj ->"
TSearchRecX"
                                  |
:004D12C2 8B156C7E4000            mov edxdword ptr [00407E6C]
:004D12C8 E87732F3FF              call 00404544
:004D12CD 33C0                    xor eaxeax
:004D12CF 55                      push ebp
:004D12D0 682C164D00              push 004D162C
:004D12D5 64FF30                  push dword ptr fs:[eax]
:004D12D8 648920                  mov dword ptr fs:[eax], esp
:004D12DB 8D95A0FDFFFF            lea edxdword ptr [ebp+FFFFFDA0]
:004D12E1 8B861C030000            mov eaxdword ptr [esi+0000031C]
:004D12E7 E8E805F6FF              call 004318D4
:004D12EC 83BDA0FDFFFF00          cmp dword ptr [ebp+FFFFFDA0], 00000000  <--停在這裡
:004D12F3 751D                    jne 004D1312
:004D12F5 6A10                    push 00000010

* Possible StringData Ref from Code Obj ->"Windows優化大師"
                                  |
:004D12F7 B93C164D00              mov ecx, 004D163C

* Possible StringData Ref from Code Obj ->"錯誤!沒有輸入註冊者姓名。"  <--提示你沒有輸入註冊者姓名
                                  |
:004D12FC BA4C164D00              mov edx, 004D164C
:004D1301 A174C25600              mov eaxdword ptr [0056C274]
:004D1306 8B00                    mov eaxdword ptr [eax]
:004D1308 E89BEBF7FF              call 0044FEA8
:004D130D E9E3020000              jmp 004D15F5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D12F3(C)
|
:004D1312 8D959CFDFFFF            lea edxdword ptr [ebp+FFFFFD9C]
:004D1318 8B86E4020000            mov eaxdword ptr [esi+000002E4]
:004D131E E8B105F6FF              call 004318D4
:004D1323 83BD9CFDFFFF00          cmp dword ptr [ebp+FFFFFD9C], 00000000
:004D132A 741A                    je 004D1346
:004D132C 8D9598FDFFFF            lea edxdword ptr [ebp+FFFFFD98]
:004D1332 8B86E8020000            mov eaxdword ptr [esi+000002E8]
:004D1338 E89705F6FF              call 004318D4
:004D133D 83BD98FDFFFF00          cmp dword ptr [ebp+FFFFFD98], 00000000
:004D1344 751D                    jne 004D1363

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D132A(C)
|
:004D1346 6A10                    push 00000010

* Possible StringData Ref from Code Obj ->"Windows優化大師"
                                  |
:004D1348 B93C164D00              mov ecx, 004D163C

* Possible StringData Ref from Code Obj ->"錯誤!沒有輸入註冊認證碼。"  <--提示你沒有輸入註冊認證碼
                                  |
:004D134D BA68164D00              mov edx, 004D1668
:004D1352 A174C25600              mov eaxdword ptr [0056C274]
:004D1357 8B00                    mov eaxdword ptr [eax]
:004D1359 E84AEBF7FF              call 0044FEA8
:004D135E E992020000              jmp 004D15F5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1344(C)
|
:004D1363 8D8DA4FEFFFF            lea ecxdword ptr [ebp+FFFFFEA4]
:004D1369 BA3F000000              mov edx, 0000003F

* Possible StringData Ref from Code Obj ->"*.*"  <--查詢當前目錄下的所有檔案
                                  |
:004D136E B88C164D00              mov eax, 004D168C
:004D1373 E8B87EF3FF              call 00409230
:004D1378 81BDA8FEFFFF00680200    cmp dword ptr [ebp+FFFFFEA8], 00026800
:004D1382 0F846D020000            je 004D15F5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D13A9(C)
|
:004D1388 8D85A4FEFFFF            lea eaxdword ptr [ebp+FFFFFEA4]
:004D138E E8ED7EF3FF              call 00409280
:004D1393 85C0                    test eaxeax
:004D1395 7510                    jne 004D13A7
:004D1397 81BDA8FEFFFF00680200    cmp dword ptr [ebp+FFFFFEA8], 00026800
:004D13A1 0F844E020000            je 004D15F5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1395(C)
|
:004D13A7 85C0                    test eaxeax
:004D13A9 74DD                    je 004D1388
:004D13AB 8D85A4FEFFFF            lea eaxdword ptr [ebp+FFFFFEA4]
:004D13B1 E8EE7EF3FF              call 004092A4
:004D13B6 6A00                    push 00000000
:004D13B8 8BC6                    mov eaxesi
:004D13BA E87566F6FF              call 00437A34
:004D13BF 50                      push eax

* Reference To: user32.GetWindow, Ord:0000h
                                  |
:004D13C0 E81762F3FF              Call 004075DC
:004D13C5 8BD8                    mov ebxeax
:004D13C7 85DB                    test ebxebx
:004D13C9 0F848A000000            je 004D1459

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1453(C)
|
:004D13CF 68FF000000              push 000000FF
:004D13D4 8D85A5FDFFFF            lea eaxdword ptr [ebp+FFFFFDA5]
:004D13DA 50                      push eax
:004D13DB 53                      push ebx

* Reference To: user32.GetWindowTextA, Ord:0000h  <--呼叫WIN32 API函式GetWindowTextA取得標題欄上的字串
                                  |
:004D13DC E82362F3FF              Call 00407604
:004D13E1 85C0                    test eaxeax
:004D13E3 7E62                    jle 004D1447
:004D13E5 8D55FC                  lea edxdword ptr [ebp-04]
:004D13E8 8D85A5FDFFFF            lea eaxdword ptr [ebp+FFFFFDA5]
:004D13EE E8B584F3FF              call 004098A8
:004D13F3 8B55FC                  mov edxdword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"序號產生器"
                                  |
:004D13F6 B898164D00              mov eax, 004D1698
:004D13FB E8242EF3FF              call 00404224  <--檢查字串中是否含有"序號產生器"
:004D1400 85C0                    test eaxeax
:004D1402 0F85ED010000            jne 004D15F5  <--不應該跳轉
:004D1408 8B55FC                  mov edxdword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"wom"
                                  |
:004D140B B8A8164D00              mov eax, 004D16A8
:004D1410 E80F2EF3FF              call 00404224  <--檢查字串中是否含有"wom"
:004D1415 85C0                    test eaxeax
:004D1417 0F85D8010000            jne 004D15F5  <--不應該跳轉
:004D141D 8B55FC                  mov edxdword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"cr-wom"
                                  |
:004D1420 B8B4164D00              mov eax, 004D16B4
:004D1425 E8FA2DF3FF              call 00404224  <--檢查字串中是否含有"cr-wom"
:004D142A 85C0                    test eaxeax
:004D142C 0F85C3010000            jne 004D15F5  <--不應該跳轉
:004D1432 8B55FC                  mov edxdword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Windowsyhds"
                                  |
:004D1435 B8C4164D00              mov eax, 004D16C4
:004D143A E8E52DF3FF              call 00404224  <--檢查字串中是否含有"Windowsyhds"
:004D143F 85C0                    test eaxeax
:004D1441 0F85AE010000            jne 004D15F5  <--不應該跳轉

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D13E3(C)
|
:004D1447 6A02                    push 00000002
:004D1449 53                      push ebx

* Reference To: user32.GetWindow, Ord:0000h
                                  |
:004D144A E88D61F3FF              Call 004075DC
:004D144F 8BD8                    mov ebxeax
:004D1451 85DB                    test ebxebx
:004D1453 0F8576FFFFFF            jne 004D13CF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D13C9(C)
|
:004D1459 B811270000              mov eax, 00002711

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D145F(C)
|
:004D145E 48                      dec eax
:004D145F 75FD                    jne 004D145E  <--這可能是軟體作者故意加的,以提高難度,不過卻實在不敢恭維!
:004D1461 8D9594FDFFFF            lea edxdword ptr [ebp+FFFFFD94]  <--其實只要把光條移到該行,然後按F7即可!
:004D1467 8B86E4020000            mov eaxdword ptr [esi+000002E4]
:004D146D E86204F6FF              call 004318D4
:004D1472 8B8594FDFFFF            mov eaxdword ptr [ebp+FFFFFD94]
:004D1478 E81BFDFFFF              call 004D1198  <--把輸入的Regcode1轉化為一個十六進位制的32位數,並送入到EAX中!
:004D147D 99                      cdq
:004D147E 52                      push edx
:004D147F 50                      push eax
:004D1480 8D9590FDFFFF            lea edxdword ptr [ebp+FFFFFD90]
:004D1486 8B86E8020000            mov eaxdword ptr [esi+000002E8]
:004D148C E84304F6FF              call 004318D4
:004D1491 8B8590FDFFFF            mov eaxdword ptr [ebp+FFFFFD90]
:004D1497 E8FCFCFFFF              call 004D1198  <--把輸入的Regcode2轉化為一個十六進位制的32位數,並送入到EAX中!
:004D149C 99                      cdq
:004D149D 52                      push edx
:004D149E 50                      push eax
:004D149F 8D958CFDFFFF            lea edxdword ptr [ebp+FFFFFD8C]
:004D14A5 8B86E0020000            mov eaxdword ptr [esi+000002E0]
:004D14AB E82404F6FF              call 004318D4
:004D14B0 8B858CFDFFFF            mov eaxdword ptr [ebp+FFFFFD8C]  <--EAX中為註冊申請碼的首地址
:004D14B6 E8412CF3FF              call 004040FC

* Reference To: Octodll.Registed, Ord:0000h
                                  |
:004D14BB E8D0FCFFFF              Call 004D1190  <--核心CALL,按F8進入Octodll.dll
:004D14C0 83F814                  cmp eax, 00000014  <--比較第二部分的計算結果的低16位是否等於0x14
:004D14C3 7417                    je 004D14DC  <--是的話則跳轉,如果要暴破的話,把這裡的je改成jmp即可
:004D14C5 B811270000              mov eax, 00002711

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D14CB(C)
|
:004D14CA 48                      dec eax
:004D14CB 75FD                    jne 004D14CA
:004D14CD A114E05600              mov eaxdword ptr [0056E014]
:004D14D2 E88DB5F7FF              call 0044CA64
:004D14D7 E919010000              jmp 004D15F5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D14C3(C)
|
:004D14DC B201                    mov dl, 01
:004D14DE A1787F4500              mov eaxdword ptr [00457F78]
:004D14E3 E8906BF8FF              call 00458078
:004D14E8 8BD8                    mov ebxeax
:004D14EA BA02000080              mov edx, 80000002
:004D14EF 8BC3                    mov eaxebx
:004D14F1 E8226CF8FF              call 00458118
:004D14F6 B101                    mov cl, 01

* Possible StringData Ref from Code Obj ->"Software\Wom"
                                  |
:004D14F8 BAD8164D00              mov edx, 004D16D8
:004D14FD 8BC3                    mov eaxebx
:004D14FF E8586DF8FF              call 0045825C
:004D1504 8D9588FDFFFF            lea edxdword ptr [ebp+FFFFFD88]
:004D150A 8B861C030000            mov eaxdword ptr [esi+0000031C]
:004D1510 E8BF03F6FF              call 004318D4
:004D1515 8B8D88FDFFFF            mov ecxdword ptr [ebp+FFFFFD88]

* Possible StringData Ref from Code Obj ->"Register"
                                  |
:004D151B BAF0164D00              mov edx, 004D16F0
:004D1520 8BC3                    mov eaxebx
:004D1522 E88572F8FF              call 004587AC
:004D1527 8D9584FDFFFF            lea edxdword ptr [ebp+FFFFFD84]
:004D152D 8B86E4020000            mov eaxdword ptr [esi+000002E4]
:004D1533 E89C03F6FF              call 004318D4
:004D1538 8B8D84FDFFFF            mov ecxdword ptr [ebp+FFFFFD84]

* Possible StringData Ref from Code Obj ->"Register_1"
                                  |
:004D153E BA04174D00              mov edx, 004D1704
:004D1543 8BC3                    mov eaxebx
:004D1545 E86272F8FF              call 004587AC
:004D154A 8D9580FDFFFF            lea edxdword ptr [ebp+FFFFFD80]
:004D1550 8B86E8020000            mov eaxdword ptr [esi+000002E8]
:004D1556 E87903F6FF              call 004318D4
:004D155B 8B8D80FDFFFF            mov ecxdword ptr [ebp+FFFFFD80]

* Possible StringData Ref from Code Obj ->"Register_2"
                                  |
:004D1561 BA18174D00              mov edx, 004D1718
:004D1566 8BC3                    mov eaxebx
:004D1568 E83F72F8FF              call 004587AC
:004D156D 8BC3                    mov eaxebx
:004D156F E8746BF8FF              call 004580E8
:004D1574 8BC3                    mov eaxebx
:004D1576 E8F119F3FF              call 00402F6C
:004D157B A138C45600              mov eaxdword ptr [0056C438]
:004D1580 8B00                    mov eaxdword ptr [eax]
:004D1582 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (已註冊)"
                                  |
:004D1588 BA2C174D00              mov edx, 004D172C
:004D158D E87203F6FF              call 00431904
:004D1592 A138C45600              mov eaxdword ptr [0056C438]
:004D1597 8B00                    mov eaxdword ptr [eax]
:004D1599 8B806C030000            mov eaxdword ptr [eax+0000036C]

* Possible StringData Ref from Code Obj ->"網上升級"
                                  |
:004D159F BA54174D00              mov edx, 004D1754
:004D15A4 E85B03F6FF              call 00431904
:004D15A9 B201                    mov dl, 01
:004D15AB A1787F4500              mov eaxdword ptr [00457F78]
:004D15B0 E8C36AF8FF              call 00458078
:004D15B5 8BD8                    mov ebxeax
:004D15B7 BA02000080              mov edx, 80000002
:004D15BC 8BC3                    mov eaxebx
:004D15BE E8556BF8FF              call 00458118
:004D15C3 B101                    mov cl, 01

* Possible StringData Ref from Code Obj ->"Software\Wom"
                                  |
:004D15C5 BAD8164D00              mov edx, 004D16D8
:004D15CA 8BC3                    mov eaxebx
:004D15CC E88B6CF8FF              call 0045825C

* Possible StringData Ref from Code Obj ->"Masters"
                                  |
:004D15D1 BA68174D00              mov edx, 004D1768
:004D15D6 8BC3                    mov eaxebx
:004D15D8 E81B6FF8FF              call 004584F8
:004D15DD 8BC3                    mov eaxebx
:004D15DF E8046BF8FF              call 004580E8
:004D15E4 8BC3                    mov eaxebx
:004D15E6 E88119F3FF              call 00402F6C
:004D15EB A114E05600              mov eaxdword ptr [0056E014]
:004D15F0 E86FB4F7FF              call 0044CA64

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D130D(U), :004D135E(U), :004D1382(C), :004D13A1(C), :004D1402(C)
|:004D1417(C), :004D142C(C), :004D1441(C), :004D14D7(U)
|
:004D15F5 33C0                    xor eaxeax
:004D15F7 5A                      pop edx
:004D15F8 59                      pop ecx
:004D15F9 59                      pop ecx
:004D15FA 648910                  mov dword ptr fs:[eax], edx
:004D15FD 6833164D00              push 004D1633

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1631(U)
|
:004D1602 8D8580FDFFFF            lea eaxdword ptr [ebp+FFFFFD80]
:004D1608 BA09000000              mov edx, 00000009
:004D160D E8CA26F3FF              call 00403CDC
:004D1612 8D85A4FEFFFF            lea eaxdword ptr [ebp+FFFFFEA4]

* Possible StringData Ref from Code Obj ->"
TSearchRecX"
                                  |
:004D1618 8B156C7E4000            mov edxdword ptr [00407E6C]
:004D161E E8ED2FF3FF              call 00404610
:004D1623 8D45FC                  lea eaxdword ptr [ebp-04]
:004D1626 E88D26F3FF              call 00403CB8
:004D162B C3                      ret


//--------------------------------------------------------------------------------------------------
    在上面的核心CALL中按F8進入後,會來到如下地方(注意:由於程式碼在DLL中,所以地址與記憶體中的地址會有所不同):
:004043AC 55                      push ebp
:004043AD 68FE434000              push 004043FE
:004043B2 64FF30                  push dword ptr fs:[eax]
:004043B5 648920                  mov dword ptr fs:[eax], esp
:004043B8 8B4510                  mov eaxdword ptr [ebp+10]
:004043BB 8945F8                  mov dword ptr [ebp-08], eax
:004043BE 8B4508                  mov eaxdword ptr [ebp+08]
:004043C1 8945FC                  mov dword ptr [ebp-04], eax
:004043C4 8D45F0                  lea eaxdword ptr [ebp-10]
:004043C7 8BD3                    mov edxebx
:004043C9 E876EBFFFF              call 00402F44  <--處理申請註冊碼
:004043CE 8B45F0                  mov eaxdword ptr [ebp-10]
:004043D1 8D55F6                  lea edxdword ptr [ebp-0A]
:004043D4 8D4DF8                  lea ecxdword ptr [ebp-08]
:004043D7 E8FCFDFFFF              call 004041D8  <--進行註冊碼計算的核心CALL,按F8進入
:004043DC 85C0                    test eaxeax
:004043DE 7504                    jne 004043E4  <--一定要跳轉
:004043E0 33DB                    xor ebxebx
:004043E2 EB04                    jmp 004043E8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040437D(C), :004043DE(C)
|
:004043E4 0FB75DF6                movzx ebxword ptr [ebp-0A]  <--把第二部分的計算結果的低16位送到EBX中

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004043E2(U)
|
:004043E8 33C0                    xor eaxeax
:004043EA 5A                      pop edx
:004043EB 59                      pop ecx
:004043EC 59                      pop ecx
:004043ED 648910                  mov dword ptr fs:[eax], edx
:004043F0 6805444000              push 00404405

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404403(U)
|
:004043F5 8D45F0                  lea eaxdword ptr [ebp-10]
:004043F8 E85FEAFFFF              call 00402E5C
:004043FD C3                      ret


:004043FE E9D5E4FFFF              jmp 004028D8
:00404403 EBF0                    jmp 004043F5
:00404405 8BC3                    mov eaxebx  <--把第二部分的計算結果的低16位送到EAX中
:00404407 5B                      pop ebx
:00404408 8BE5                    mov espebp
:0040440A 5D                      pop ebp
:0040440B C21000                  ret 0010


//--------------------------------------------------------------------------------------------------
    在上面的核心CALL按F8進入後,會來到如下地方:
:004041D8 55                      push ebp
:004041D9 8BEC                    mov ebpesp
:004041DB 83C4DC                  add esp, FFFFFFDC
:004041DE 53                      push ebx
:004041DF 56                      push esi
:004041E0 57                      push edi
:004041E1 33DB                    xor ebxebx
:004041E3 895DEC                  mov dword ptr [ebp-14], ebx
:004041E6 8BF1                    mov esiecx
:004041E8 8D7DF0                  lea edidword ptr [ebp-10]
:004041EB A5                      movsd  <--把輸入的註冊碼的第一部分的32位十六進位制數送到EDI所指向的記憶體中
:004041EC A5                      movsd  <--把輸入的註冊碼的第二部分的32位十六進位制數送到EDI所指向的記憶體中
:004041ED 8955F8                  mov dword ptr [ebp-08], edx
:004041F0 8945FC                  mov dword ptr [ebp-04], eax
:004041F3 8B45FC                  mov eaxdword ptr [ebp-04]
:004041F6 E8C5EDFFFF              call 00402FC0
:004041FB 33C0                    xor eaxeax
:004041FD 55                      push ebp
:004041FE 685F434000              push 0040435F
:00404203 64FF30                  push dword ptr fs:[eax]
:00404206 648920                  mov dword ptr fs:[eax], esp
:00404209 8D45EC                  lea eaxdword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"You are big pig."
                                  |
:0040420C BA78434000              mov edx, 00404378
:00404211 E8AEECFFFF              call 00402EC4
:00404216 8B45FC                  mov eaxdword ptr [ebp-04]
:00404219 E856EDFFFF              call 00402F74
:0040421E 2507000080              and eax, 80000007
:00404223 7905                    jns 0040422A
:00404225 48                      dec eax
:00404226 83C8F8                  or eax, FFFFFFF8
:00404229 40                      inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404223(C)
|
:0040422A 85C0                    test eaxeax
:0040422C 742C                    je 0040425A
:0040422E 8D45FC                  lea eaxdword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"1234567"
                                  |
:00404231 BA94434000              mov edx, 00404394
:00404236 E841EDFFFF              call 00402F7C  <--把"1234567"連接到註冊申請碼的後面形成新的字串
:0040423B 8B45FC                  mov eaxdword ptr [ebp-04]
:0040423E E831EDFFFF              call 00402F74  <--求新字串的長度
:00404243 85C0                    test eaxeax
:00404245 7903                    jns 0040424A  <--一般都會跳轉
:00404247 83C007                  add eax, 00000007

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404245(C)
|
:0040424A C1F803                  sar eax, 03
:0040424D 8BD0                    mov edxeax
:0040424F C1E203                  shl edx, 03
:00404252 8D45FC                  lea eaxdword ptr [ebp-04]
:00404255 E8AEEDFFFF              call 00403008  <--截斷新字串,使其長度為8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040422C(C)
|
:0040425A 33F6                    xor esiesi
:0040425C 8D45FC                  lea eaxdword ptr [ebp-04]
:0040425F E86CEDFFFF              call 00402FD0
:00404264 8BF8                    mov edieax
:00404266 8D45EC                  lea eaxdword ptr [ebp-14]
:00404269 E862EDFFFF              call 00402FD0  <--拷貝字串"You are big pig."到EAX所指的記憶體中
:0040426E 8BD8                    mov ebxeax
:00404270 EB30                    jmp 004042A2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004042B6(C)
|
:00404272 8B04B7                  mov eaxdword ptr [edi+4*esi]
:00404275 8945E4                  mov dword ptr [ebp-1C], eax
:00404278 8B44B704                mov eaxdword ptr [edi+4*esi+04]
:0040427C 8945E8                  mov dword ptr [ebp-18], eax
:0040427F 8BD3                    mov edxebx
:00404281 8D45E4                  lea eaxdword ptr [ebp-1C]
:00404284 E8E7FEFFFF              call 00404170  <--按F8進入,編號為(1)
:00404289 8B03                    mov eaxdword ptr [ebx]
:0040428B 894308                  mov dword ptr [ebx+08], eax
:0040428E 8B4304                  mov eaxdword ptr [ebx+04]
:00404291 89430C                  mov dword ptr [ebx+0C], eax
:00404294 8B45E4                  mov eaxdword ptr [ebp-1C]  <--計算結果的第一部分送入EAX中
:00404297 8903                    mov dword ptr [ebx], eax
:00404299 8B45E8                  mov eaxdword ptr [ebp-18]  <--計算結果的第二部分送入EAX中
:0040429C 894304                  mov dword ptr [ebx+04], eax
:0040429F 83C602                  add esi, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404270(U)
|
:004042A2 8B45FC                  mov eaxdword ptr [ebp-04]
:004042A5 E8CAECFFFF              call 00402F74  <--取註冊申請碼的長度
:004042AA 85C0                    test eaxeax
:004042AC 7903                    jns 004042B1  <--會跳轉
:004042AE 83C003                  add eax, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004042AC(C)
|
:004042B1 C1F802                  sar eax, 02
:004042B4 3BF0                    cmp esieax
:004042B6 72BA                    jb 00404272  <--會跳轉
:004042B8 8B45F0                  mov eaxdword ptr [ebp-10]  <--輸入註冊碼的第一部分的32位十六進位制數送到EAX中
:004042BB 33D2                    xor edxedx
:004042BD 52                      push edx  <--輸入註冊碼的第一部分的高32位入棧(恆為0)
:004042BE 50                      push eax  <--輸入註冊碼的第一部分的低32位入棧
:004042BF FF35D0504000            push dword ptr [004050D0]  <--RSA中加密金鑰e的高32位(0)
:004042C5 FF35CC504000            push dword ptr [004050CC]  <--RSA中加密金鑰e的低32位(0x3B442AF9)
:004042CB FF35D8504000            push dword ptr [004050D8]  <--RSA中n的高32位(0)
:004042D1 FF35D4504000            push dword ptr [004050D4]  <--RSA中n的低位(0x69AAA0E3)
:004042D7 E8DCFDFFFF              call 004040B8  <--按F8進入,編號為(2)
:004042DC 83E802                  sub eax, 00000002  <--結果減去2
:004042DF 8945DC                  mov dword ptr [ebp-24], eax  <--儲存第一部分的計算結果
:004042E2 8B45F4                  mov eaxdword ptr [ebp-0C]  <--輸入註冊碼的第二部分的32位十六進位制數送到EAX中
:004042E5 33D2                    xor edxedx
:004042E7 52                      push edx  <--輸入註冊碼的第二部分的高32位入棧(恆為0)
:004042E8 50                      push eax  <--輸入註冊碼的第二部分的低32位入棧
:004042E9 FF35D0504000            push dword ptr [004050D0]  <--RSA中加密金鑰e的高32位(0)
:004042EF FF35CC504000            push dword ptr [004050CC]  <--RSA中加密金鑰e的低32位(0x3B442AF9)
:004042F5 FF35D8504000            push dword ptr [004050D8]  <--RSA中n的高32位(0)
:004042FB FF35D4504000            push dword ptr [004050D4]  <--RSA中n的低位(0x69AAA0E3)
:00404301 E8B2FDFFFF              call 004040B8  <--按F8進入,編號為(2)
:00404306 83E802                  sub eax, 00000002  <--結果減去2
:00404309 8945E0                  mov dword ptr [ebp-20], eax  <--儲存第二部分的計算結果
:0040430C C165DC02                shl dword ptr [ebp-24], 02  <--第一部分的計算結果向左移2位
:00404310 8D4DDC                  lea ecxdword ptr [ebp-24]
:00404313 8B01                    mov eaxdword ptr [ecx]  <--第一部分的計算結果送EAX
:00404315 8B5104                  mov edxdword ptr [ecx+04]  <--第二部分的計算結果送EDX
:00404318 0FACD002                shrd eaxedx, 02  <--這條和下面一條完成64位環形向右移2位
:0040431C C1EA02                  shr edx, 02
:0040431F 8901                    mov dword ptr [ecx], eax  <--儲存第一部分的計算結果
:00404321 895104                  mov dword ptr [ecx+04], edx  <--儲存第二部分的計算結果
:00404324 8B45DC                  mov eaxdword ptr [ebp-24]  <--第一部分的計算結果送EAX
:00404327 3B45E4                  cmp eaxdword ptr [ebp-1C]  <--比較輸入註冊碼第一部分的計算結果是否等於註冊申請碼計算結果的第一部分
:0040432A 7404                    je 00404330  <--應該跳轉
:0040432C 33DB                    xor ebxebx
:0040432E EB11                    jmp 00404341

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040432A(C)
|
:00404330 668B45E0                mov axword ptr [ebp-20]  <--把第二部分的計算結果的低16位送AX
:00404334 6625FFFF                and ax, FFFF
:00404338 8B55F8                  mov edxdword ptr [ebp-08]
:0040433B 668902                  mov word ptr [edx], ax  <--儲存第二部分的計算結果的低16位
:0040433E 83CBFF                  or ebx, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040432E(U)
|
:00404341 33C0                    xor eaxeax
:00404343 5A                      pop edx
:00404344 59                      pop ecx
:00404345 59                      pop ecx
:00404346 648910                  mov dword ptr fs:[eax], edx
:00404349 6866434000              push 00404366

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404364(U)
|
:0040434E 8D45EC                  lea eaxdword ptr [ebp-14]
:00404351 E806EBFFFF              call 00402E5C
:00404356 8D45FC                  lea eaxdword ptr [ebp-04]
:00404359 E8FEEAFFFF              call 00402E5C
:0040435E C3                      ret


//--------------------------------------------------------------------------------------------------
在上面的編號為(1)的CALL按F8進入後會來到如下地方(對註冊申請碼和字串"You are big pig."進行計算):
* Referenced by a CALL at Address:
|:00404284   
|
:00404170 53                      push ebx
:00404171 56                      push esi
:00404172 57                      push edi
:00404173 51                      push ecx
:00404174 890424                  mov dword ptr [esp], eax
:00404177 B820000000              mov eax, 00000020  <--該過程使下面的迴圈進行0x20次
:0040417C 8B0C24                  mov ecxdword ptr [esp]
:0040417F 8B09                    mov ecxdword ptr [ecx]  <--將註冊申請碼的高16位送入ECX中
:00404181 8B1C24                  mov ebxdword ptr [esp]
:00404184 8B5B04                  mov ebxdword ptr [ebx+04]  <--將註冊申請碼的低16位送入EBX中
:00404187 33F6                    xor esiesi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004041C5(C)
|
:00404189 48                      dec eax
:0040418A 0335C8504000            add esidword ptr [004050C8]  <--[004050C8]中初始值為0x9E3779B9
:00404190 8BFB                    mov ediebx
:00404192 C1E704                  shl edi, 04
:00404195 03CF                    add ecxedi
:00404197 8B3A                    mov edidword ptr [edx]  <--EDX為指向字串"You are big pig."的首地址
:00404199 33FB                    xor ediebx
:0040419B 03CF                    add ecxedi
:0040419D 8BFB                    mov ediebx
:0040419F C1EF05                  shr edi, 05
:004041A2 33FE                    xor ediesi
:004041A4 03CF                    add ecxedi
:004041A6 034A04                  add ecxdword ptr [edx+04]
:004041A9 8BF9                    mov ediecx
:004041AB C1E704                  shl edi, 04
:004041AE 03DF                    add ebxedi
:004041B0 8B7A08                  mov edidword ptr [edx+08]
:004041B3 33F9                    xor ediecx
:004041B5 03DF                    add ebxedi
:004041B7 8BF9                    mov ediecx
:004041B9 C1EF05                  shr edi, 05
:004041BC 33FE                    xor ediesi
:004041BE 03DF                    add ebxedi
:004041C0 035A0C                  add ebxdword ptr [edx+0C]
:004041C3 85C0                    test eaxeax
:004041C5 77C2                    ja 00404189
:004041C7 8B0424                  mov eaxdword ptr [esp]
:004041CA 8908                    mov dword ptr [eax], ecx
:004041CC 8B0424                  mov eaxdword ptr [esp]
:004041CF 895804                  mov dword ptr [eax+04], ebx
:004041D2 5A                      pop edx
:004041D3 5F                      pop edi
:004041D4 5E                      pop esi
:004041D5 5B                      pop ebx
:004041D6 C3                      ret


//--------------------------------------------------------------------------------------------------
編號為(2)的CALL實際上等價下面的偽C程式碼(摘自論壇精華III中dr0的《Windows優化大師v2.9+的註冊碼加密演算法》):
// Pseudo-C for the call at 004040B8 (listing follows): modular exponentiation
// c = m^e mod n by square-and-multiply, consuming the exponent from its least
// significant bit. m, e and n are the 64-bit (high:low) values pushed before
// the call; the result is returned in edx:eax.
ReturnValueType  encrypt_decrypt(m, e, n) 

  // a: running base (squared each round); b: remaining exponent; c: accumulator
  LocalVariables a, b, c; 

  a = m; 
  b = e; 
  c = 1; 

  // Loop until the exponent is exhausted; the listing implements this test as
  // a compare of both halves of b (0040414A-0040415C).
  while(b) 
  { 
    if ((b mod 2) == 0) 
        { 
          b = b / 2;        // halve the exponent (call at 004040F1)
                a = (a * a) mod n; // square the base (call at 0040410E)
        } 
        else 
        { 
                b = b - 1;   // odd exponent: consume one bit (sub/sbb at 00404121)
                c = (a * c) mod n; // fold the base into the accumulator (call at 0040413F)
        } 
  }        
    
  return c;   // loaded into edx:eax at 00404162/00404165


在上面的編號為(2)的CALL按F8進入後會來到如下地方:
* Referenced by a CALL at Addresses:
|:004042D7   , :00404301   
|
:004040B8 55                      push ebp
:004040B9 8BEC                    mov ebpesp
:004040BB 83C4F8                  add esp, FFFFFFF8
:004040BE C745F801000000          mov [ebp-08], 00000001  <--c = 1
:004040C5 C745FC00000000          mov [ebp-04], 00000000
:004040CC EB7C                    jmp 0040414A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404154(C), :0040415C(C)
|
:004040CE 6A00                    push 00000000
:004040D0 6A02                    push 00000002
:004040D2 8B4510                  mov eaxdword ptr [ebp+10]
:004040D5 8B5514                  mov edxdword ptr [ebp+14]
:004040D8 E890FAFFFF              call 00403B6D  <--b mod 2
:004040DD 83FA00                  cmp edx, 00000000
:004040E0 7539                    jne 0040411B
:004040E2 83F800                  cmp eax, 00000000
:004040E5 7534                    jne 0040411B
:004040E7 6A00                    push 00000000
:004040E9 6A02                    push 00000002
:004040EB 8B4510                  mov eaxdword ptr [ebp+10]
:004040EE 8B5514                  mov edxdword ptr [ebp+14]
:004040F1 E884F9FFFF              call 00403A7A  <--b = b / 2
:004040F6 894510                  mov dword ptr [ebp+10], eax
:004040F9 895514                  mov dword ptr [ebp+14], edx
:004040FC FF751C                  push [ebp+1C]
:004040FF FF7518                  push [ebp+18]
:00404102 FF751C                  push [ebp+1C]
:00404105 FF7518                  push [ebp+18]
:00404108 FF750C                  push [ebp+0C]
:0040410B FF7508                  push [ebp+08]
:0040410E E84DFFFFFF              call 00404060  <--a = (a * a) mod n
:00404113 894518                  mov dword ptr [ebp+18], eax
:00404116 89551C                  mov dword ptr [ebp+1C], edx
:00404119 EB2F                    jmp 0040414A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004040E0(C), :004040E5(C)
|
:0040411B 8B4510                  mov eaxdword ptr [ebp+10]
:0040411E 8B5514                  mov edxdword ptr [ebp+14]
:00404121 83E801                  sub eax, 00000001  <--b = b - 1
:00404124 83DA00                  sbb edx, 00000000
:00404127 894510                  mov dword ptr [ebp+10], eax
:0040412A 895514                  mov dword ptr [ebp+14], edx
:0040412D FF751C                  push [ebp+1C]
:00404130 FF7518                  push [ebp+18]
:00404133 FF75FC                  push [ebp-04]
:00404136 FF75F8                  push [ebp-08]
:00404139 FF750C                  push [ebp+0C]
:0040413C FF7508                  push [ebp+08]
:0040413F E81CFFFFFF              call 00404060  <--c = (a * c) mod n
:00404144 8945F8                  mov dword ptr [ebp-08], eax
:00404147 8955FC                  mov dword ptr [ebp-04], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004040CC(U), :00404119(U)
|
:0040414A 837D1400                cmp dword ptr [ebp+14], 00000000  <--b等於0嗎?
:0040414E 750C                    jne 0040415C
:00404150 837D1000                cmp dword ptr [ebp+10], 00000000
:00404154 0F8774FFFFFF            ja 004040CE
:0040415A EB06                    jmp 00404162  <--b為0,跳出迴圈並返回c

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040414E(C)
|
:0040415C 0F8F6CFFFFFF            jg 004040CE  <--繼續迴圈

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040415A(U)
|
:00404162 8B45F8                  mov eaxdword ptr [ebp-08]  <--返回值c
:00404165 8B55FC                  mov edxdword ptr [ebp-04]
:00404168 59                      pop ecx
:00404169 59                      pop ecx
:0040416A 5D                      pop ebp
:0040416B C21800                  ret 0018


//--------------------------------------------------------------------------------------------------
    現在我們可以得到RSA中的相關參數:
兩個素因數之積:    n=0x69AAA0E3
加密金鑰:          e=0x3B442AF9
解密金鑰:          d=0x002C86F9


//------------------------------------------------------------------------------
    至此我們已經對《WINDOWS優化大師》的註冊碼機制進行了比較完整的分析,所以我相信大家為其編寫序號產生器不會有太大的困難了。
希望大家沒事的時候寫一寫序號產生器,以提高自己的程式設計水平!!!

後記:今天終於買到了看雪兄的書了(嗚~~~~~~~~~~~~~),真是等你等到我心痛啊!!!


================================================================================
破解心得之Windows優化大師篇(補充)

軟體名稱:Windows優化大師
版本:4.20
作者:時空幻影
時間:2001年11月25日
使用工具:TRW2000 V1.22已註冊版、CASPR(脫殼工具)、PW32DSM白金版漢化版

    在我破解的過程中,我發現輸入註冊碼後軟體可以變成已註冊的,也能進行自動優化,但退出後再重新執行又變成未註冊的了。
經過跟蹤除錯分析後,我發現原來是由於我為了能夠反編譯OCTODLL.DLL,對該檔案進行了脫殼,並把脫殼後的檔案拷貝到軟體目錄下覆蓋
了原來未脫殼的檔案,才導致軟體變成了未註冊的。
    現在讓我們來看一看有哪些因素會導致軟體變成了未註冊的:
* Referenced by a CALL at Addresses:
|:00534EFA   , :005360D8   
|
:0052738C 55                      push ebp
:0052738D 8BEC                    mov ebp, esp
:0052738F 81C48CFEFFFF            add esp, FFFFFE8C
:00527395 53                      push ebx
:00527396 56                      push esi
:00527397 33D2                    xor edx, edx
:00527399 89958CFEFFFF            mov dword ptr [ebp+FFFFFE8C], edx
:0052739F 899590FEFFFF            mov dword ptr [ebp+FFFFFE90], edx
:005273A5 8955F8                  mov dword ptr [ebp-08], edx
:005273A8 8955F4                  mov dword ptr [ebp-0C], edx
:005273AB 8955F0                  mov dword ptr [ebp-10], edx
:005273AE 8955EC                  mov dword ptr [ebp-14], edx
:005273B1 8945FC                  mov dword ptr [ebp-04], eax
:005273B4 8D8594FEFFFF            lea eax, dword ptr [ebp+FFFFFE94]

* Possible StringData Ref from Code Obj ->"
TSearchRecX"
                                  |
:005273BA 8B156C7E4000            mov edx, dword ptr [00407E6C]
:005273C0 E87FD1EDFF              call 00404544
:005273C5 33C0                    xor eax, eax
:005273C7 55                      push ebp
:005273C8 68B8785200              push 005278B8
:005273CD 64FF30                  push dword ptr fs:[eax]
:005273D0 648920                  mov dword ptr fs:[eax], esp
:005273D3 B201                    mov dl, 01
:005273D5 A1787F4500              mov eax, dword ptr [00457F78]
:005273DA E8990CF3FF              call 00458078
:005273DF 8BD8                    mov ebx, eax
:005273E1 BA02000080              mov edx, 80000002
:005273E6 8BC3                    mov eax, ebx
:005273E8 E82B0DF3FF              call 00458118
:005273ED B101                    mov cl, 01

* Possible StringData Ref from Code Obj ->"Software\Wom"
                                  |
:005273EF BAD0785200              mov edx, 005278D0
:005273F4 8BC3                    mov eax, ebx
:005273F6 E8610EF3FF              call 0045825C
:005273FB 8D9590FEFFFF            lea edx, dword ptr [ebp+FFFFFE90]
:00527401 A174C25600              mov eax, dword ptr [0056C274]
:00527406 8B00                    mov eax, dword ptr [eax]
:00527408 E8838EF2FF              call 00450290
:0052740D 8B8D90FEFFFF            mov ecx, dword ptr [ebp+FFFFFE90]

* Possible StringData Ref from Code Obj ->"location"
                                  |
:00527413 BAE8785200              mov edx, 005278E8
:00527418 8BC3                    mov eax, ebx
:0052741A E88D13F3FF              call 004587AC

* Possible StringData Ref from Code Obj ->"Register"
                                  |
:0052741F BAFC785200              mov edx, 005278FC
:00527424 8BC3                    mov eax, ebx
:00527426 E8E115F3FF              call 00458A0C  <--讀取註冊者姓名
:0052742B 84C0                    test al, al
:0052742D 752B                    jne 0052745A  <--有註冊者姓名的話則跳轉
:0052742F 8B45FC                  mov eax, dword ptr [ebp-04]
:00527432 8B8064050000            mov eax, dword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:00527438 BA10795200              mov edx, 00527910
:0052743D E8C2A4F0FF              call 00431904
:00527442 8BC3                    mov eax, ebx
:00527444 E89F0CF3FF              call 004580E8
:00527449 8BC3                    mov eax, ebx
:0052744B E81CBBEDFF              call 00402F6C
:00527450 BB01000000              mov ebx, 00000001
:00527455 E922040000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052742D(C)
|
:0052745A 8D4DF0                  lea ecx, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"Register"
                                  |
:0052745D BAFC785200              mov edx, 005278FC
:00527462 8BC3                    mov eax, ebx
:00527464 E86F13F3FF              call 004587D8
:00527469 8BC3                    mov eax, ebx
:0052746B E8780CF3FF              call 004580E8
:00527470 8BC3                    mov eax, ebx
:00527472 E8F5BAEDFF              call 00402F6C
:00527477 8D45EC                  lea eax, dword ptr [ebp-14]
:0052747A 8B1554FF5600            mov edx, dword ptr [0056FF54]
:00527480 E8CBC8EDFF              call 00403D50
:00527485 C705E0FE560001000000    mov dword ptr [0056FEE0], 00000001
:0052748F 8B45F0                  mov eax, dword ptr [ebp-10]
:00527492 E8A1CAEDFF              call 00403F38
:00527497 8BC8                    mov ecx, eax
:00527499 85C9                    test ecx, ecx
:0052749B 7E2F                    jle 005274CC
:0052749D BB01000000              mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005274CA(C)
|
:005274A2 8B45F0                  mov eax, dword ptr [ebp-10]
:005274A5 0FB64418FF              movzx eax, byte ptr [eax+ebx-01]
:005274AA F72DE0FE5600            imul dword ptr [0056FEE0]
:005274B0 0578080D00              add eax, 000D0878
:005274B5 99                      cdq
:005274B6 33C2                    xor eax, edx
:005274B8 2BC2                    sub eax, edx
:005274BA BE40420F00              mov esi, 000F4240
:005274BF 99                      cdq
:005274C0 F7FE                    idiv esi
:005274C2 8915E0FE5600            mov dword ptr [0056FEE0], edx
:005274C8 43                      inc ebx
:005274C9 49                      dec ecx
:005274CA 75D6                    jne 005274A2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052749B(C)
|
:005274CC 8B45EC                  mov eax, dword ptr [ebp-14]
:005274CF E864CAEDFF              call 00403F38
:005274D4 8BC8                    mov ecx, eax
:005274D6 85C9                    test ecx, ecx
:005274D8 7E2F                    jle 00527509
:005274DA BB01000000              mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527507(C)
|
:005274DF 8B45EC                  mov eax, dword ptr [ebp-14]
:005274E2 0FB64418FF              movzx eax, byte ptr [eax+ebx-01]
:005274E7 F72DE0FE5600            imul dword ptr [0056FEE0]
:005274ED 057D590200              add eax, 0002597D
:005274F2 99                      cdq
:005274F3 33C2                    xor eax, edx
:005274F5 2BC2                    sub eax, edx
:005274F7 BE40420F00              mov esi, 000F4240
:005274FC 99                      cdq
:005274FD F7FE                    idiv esi
:005274FF 8915E0FE5600            mov dword ptr [0056FEE0], edx
:00527505 43                      inc ebx
:00527506 49                      dec ecx
:00527507 75D6                    jne 005274DF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005274D8(C)
|
:00527509 B201                    mov dl, 01
:0052750B A1787F4500              mov eaxdword ptr [00457F78]
:00527510 E8630BF3FF              call 00458078
:00527515 8BF0                    mov esieax
:00527517 BA02000080              mov edx, 80000002
:0052751C 8BC6                    mov eaxesi
:0052751E E8F50BF3FF              call 00458118
:00527523 B101                    mov cl, 01

* Possible StringData Ref from Code Obj ->"Software\Wom"
                                  |
:00527525 BAD0785200              mov edx, 005278D0
:0052752A 8BC6                    mov eaxesi
:0052752C E82B0DF3FF              call 0045825C

* Possible StringData Ref from Code Obj ->"Register_1"
                                  |
:00527531 BA38795200              mov edx, 00527938
:00527536 8BC6                    mov eaxesi
:00527538 E8CF14F3FF              call 00458A0C  <--讀取註冊碼第一部分
:0052753D 84C0                    test alal
:0052753F 752B                    jne 0052756C  <--有註冊碼第一部分的話則跳轉
:00527541 8B45FC                  mov eaxdword ptr [ebp-04]
:00527544 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:0052754A BA10795200              mov edx, 00527910
:0052754F E8B0A3F0FF              call 00431904
:00527554 8BC6                    mov eaxesi
:00527556 E88D0BF3FF              call 004580E8
:0052755B 8BC6                    mov eaxesi
:0052755D E80ABAEDFF              call 00402F6C
:00527562 BB01000000              mov ebx, 00000001
:00527567 E910030000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052753F(C)
|

* Possible StringData Ref from Code Obj ->"Register_2"
                                  |
:0052756C BA4C795200              mov edx, 0052794C
:00527571 8BC6                    mov eaxesi
:00527573 E89414F3FF              call 00458A0C  <--讀取註冊碼第二部分
:00527578 84C0                    test alal
:0052757A 752B                    jne 005275A7  <--有註冊碼第二部分的話則跳轉
:0052757C 8B45FC                  mov eaxdword ptr [ebp-04]
:0052757F 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:00527585 BA10795200              mov edx, 00527910
:0052758A E875A3F0FF              call 00431904
:0052758F 8BC6                    mov eaxesi
:00527591 E8520BF3FF              call 004580E8
:00527596 8BC6                    mov eaxesi
:00527598 E8CFB9EDFF              call 00402F6C
:0052759D BB01000000              mov ebx, 00000001
:005275A2 E9D5020000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052757A(C)
|
:005275A7 8D8D94FEFFFF            lea ecxdword ptr [ebp+FFFFFE94]
:005275AD BA3F000000              mov edx, 0000003F

* Possible StringData Ref from Code Obj ->"*.*"
                                  |
:005275B2 B860795200              mov eax, 00527960
:005275B7 E8741CEEFF              call 00409230
:005275BC 8B85A0FEFFFF            mov eaxdword ptr [ebp+FFFFFEA0]

* Possible StringData Ref from Code Obj ->"OctoDll.dll"
                                  |
:005275C2 BA6C795200              mov edx, 0052796C
:005275C7 E87CCAEDFF              call 00404048  <--校驗檔案OctoDll.dll是否有改變
:005275CC 7537                    jne 00527605
:005275CE 81BD98FEFFFF00460000    cmp dword ptr [ebp+FFFFFE98], 00004600
:005275D8 742B                    je 00527605
:005275DA 8B45FC                  mov eaxdword ptr [ebp-04]
:005275DD 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:005275E3 BA10795200              mov edx, 00527910
:005275E8 E817A3F0FF              call 00431904
:005275ED 8BC6                    mov eaxesi
:005275EF E8F40AF3FF              call 004580E8
:005275F4 8BC6                    mov eaxesi
:005275F6 E871B9EDFF              call 00402F6C
:005275FB BB01000000              mov ebx, 00000001
:00527600 E977020000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005275CC(C), :005275D8(C)
|
:00527605 81BD98FEFFFF00680200    cmp dword ptr [ebp+FFFFFE98], 00026800
:0052760F 752B                    jne 0052763C
:00527611 8B45FC                  mov eaxdword ptr [ebp-04]
:00527614 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:0052761A BA10795200              mov edx, 00527910
:0052761F E8E0A2F0FF              call 00431904
:00527624 8BC6                    mov eaxesi
:00527626 E8BD0AF3FF              call 004580E8
:0052762B 8BC6                    mov eaxesi
:0052762D E83AB9EDFF              call 00402F6C
:00527632 BB01000000              mov ebx, 00000001
:00527637 E940020000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052760F(C)
|
:0052763C 8B95A0FEFFFF            mov edxdword ptr [ebp+FFFFFEA0]

* Possible StringData Ref from Code Obj ->"cr-wom"
                                  |
:00527642 B880795200              mov eax, 00527980
:00527647 E8D8CBEDFF              call 00404224  <--檢查當前目錄下的所有檔案的檔名中是否包含有"cr-wom"字眼
:0052764C 85C0                    test eaxeax
:0052764E 742B                    je 0052767B
:00527650 8B45FC                  mov eaxdword ptr [ebp-04]
:00527653 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:00527659 BA10795200              mov edx, 00527910
:0052765E E8A1A2F0FF              call 00431904
:00527663 8BC6                    mov eaxesi
:00527665 E87E0AF3FF              call 004580E8
:0052766A 8BC6                    mov eaxesi
:0052766C E8FBB8EDFF              call 00402F6C
:00527671 BB01000000              mov ebx, 00000001
:00527676 E901020000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052764E(C)
|

* Possible StringData Ref from Code Obj ->"Windowsyhds.exe"
                                  |
:0052767B B890795200              mov eax, 00527990
:00527680 E8FB1AEEFF              call 00409180  <--檢查當前目錄下的所有檔案的檔名中是否有"Windowsyhds.exe"
:00527685 84C0                    test alal
:00527687 751C                    jne 005276A5

* Possible StringData Ref from Code Obj ->"fwd.txt"
                                  |
:00527689 B8A8795200              mov eax, 005279A8
:0052768E E8ED1AEEFF              call 00409180  <--檢查當前目錄下的所有檔案的檔名中是否有"fwd.txt"
:00527693 84C0                    test alal
:00527695 750E                    jne 005276A5

* Possible StringData Ref from Code Obj ->"wom29a_k.exe"
                                  |
:00527697 B8B8795200              mov eax, 005279B8
:0052769C E8DF1AEEFF              call 00409180  <--檢查當前目錄下的所有檔案的檔名中是否有"wom29a_k.exe"
:005276A1 84C0                    test alal
:005276A3 742B                    je 005276D0

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00527687(C), :00527695(C)
|
:005276A5 8B45FC                  mov eaxdword ptr [ebp-04]
:005276A8 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:005276AE BA10795200              mov edx, 00527910
:005276B3 E84CA2F0FF              call 00431904
:005276B8 8BC6                    mov eaxesi
:005276BA E8290AF3FF              call 004580E8
:005276BF 8BC6                    mov eaxesi
:005276C1 E8A6B8EDFF              call 00402F6C
:005276C6 BB01000000              mov ebx, 00000001
:005276CB E9AC010000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005276A3(C), :005277FB(C)
|
:005276D0 8D8594FEFFFF            lea eaxdword ptr [ebp+FFFFFE94]
:005276D6 E8A51BEEFF              call 00409280
:005276DB 8BD8                    mov ebxeax
:005276DD 85DB                    test ebxebx
:005276DF 0F8514010000            jne 005277F9
:005276E5 8B85A0FEFFFF            mov eaxdword ptr [ebp+FFFFFEA0]

* Possible StringData Ref from Code Obj ->"OctoDll.dll"
                                  |
:005276EB BA6C795200              mov edx, 0052796C
:005276F0 E853C9EDFF              call 00404048
:005276F5 7537                    jne 0052772E
:005276F7 81BD98FEFFFF00460000    cmp dword ptr [ebp+FFFFFE98], 00004600
:00527701 742B                    je 0052772E
:00527703 8B45FC                  mov eaxdword ptr [ebp-04]
:00527706 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:0052770C BA10795200              mov edx, 00527910
:00527711 E8EEA1F0FF              call 00431904
:00527716 8BC6                    mov eaxesi
:00527718 E8CB09F3FF              call 004580E8
:0052771D 8BC6                    mov eaxesi
:0052771F E848B8EDFF              call 00402F6C
:00527724 BB01000000              mov ebx, 00000001
:00527729 E94E010000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005276F5(C), :00527701(C)
|
:0052772E 81BD98FEFFFF00680200    cmp dword ptr [ebp+FFFFFE98], 00026800
:00527738 752B                    jne 00527765
:0052773A 8B45FC                  mov eaxdword ptr [ebp-04]
:0052773D 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:00527743 BA10795200              mov edx, 00527910
:00527748 E8B7A1F0FF              call 00431904
:0052774D 8BC6                    mov eaxesi
:0052774F E89409F3FF              call 004580E8
:00527754 8BC6                    mov eaxesi
:00527756 E811B8EDFF              call 00402F6C
:0052775B BB01000000              mov ebx, 00000001
:00527760 E917010000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527738(C)
|
:00527765 8B95A0FEFFFF            mov edxdword ptr [ebp+FFFFFEA0]

* Possible StringData Ref from Code Obj ->"cr-wom"
                                  |
:0052776B B880795200              mov eax, 00527980
:00527770 E8AFCAEDFF              call 00404224
:00527775 85C0                    test eaxeax
:00527777 742B                    je 005277A4
:00527779 8B45FC                  mov eaxdword ptr [ebp-04]
:0052777C 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:00527782 BA10795200              mov edx, 00527910
:00527787 E878A1F0FF              call 00431904
:0052778C 8BC6                    mov eaxesi
:0052778E E85509F3FF              call 004580E8
:00527793 8BC6                    mov eaxesi
:00527795 E8D2B7EDFF              call 00402F6C
:0052779A BB01000000              mov ebx, 00000001
:0052779F E9D8000000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527777(C)
|

* Possible StringData Ref from Code Obj ->"Windowsyhds.exe"
                                  |
:005277A4 B890795200              mov eax, 00527990
:005277A9 E8D219EEFF              call 00409180
:005277AE 84C0                    test alal
:005277B0 751C                    jne 005277CE

* Possible StringData Ref from Code Obj ->"fwd.txt"
                                  |
:005277B2 B8A8795200              mov eax, 005279A8
:005277B7 E8C419EEFF              call 00409180
:005277BC 84C0                    test alal
:005277BE 750E                    jne 005277CE

* Possible StringData Ref from Code Obj ->"wom29a_k.exe"
                                  |
:005277C0 B8B8795200              mov eax, 005279B8
:005277C5 E8B619EEFF              call 00409180
:005277CA 84C0                    test alal
:005277CC 742B                    je 005277F9

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005277B0(C), :005277BE(C)
|
:005277CE 8B45FC                  mov eaxdword ptr [ebp-04]
:005277D1 8B8064050000            mov eaxdword ptr [eax+00000564]

* Possible StringData Ref from Code Obj ->"Windows優化大師 V4.2 (未註冊)"
                                  |
:005277D7 BA10795200              mov edx, 00527910
:005277DC E823A1F0FF              call 00431904
:005277E1 8BC6                    mov eaxesi
:005277E3 E80009F3FF              call 004580E8
:005277E8 8BC6                    mov eaxesi
:005277EA E87DB7EDFF              call 00402F6C
:005277EF BB01000000              mov ebx, 00000001
:005277F4 E983000000              jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005276DF(C), :005277CC(C)
|
:005277F9 85DB                    test ebxebx
:005277FB 0F84CFFEFFFF            je 005276D0
:00527801 8D8594FEFFFF            lea eax, dword ptr [ebp+FFFFFE94]  <--只要能夠執行到這裡,那麼除了註冊碼錯誤,也就沒有其他的問題了
:00527807 E8981AEEFF              call 004092A4
:0052780C 8D4DF8                  lea ecx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"Register_1"
                                  |
:0052780F BA38795200              mov edx, 00527938
:00527814 8BC6                    mov eax, esi
:00527816 E8BD0FF3FF              call 004587D8
:0052781B 8D4DF4                  lea ecx, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"Register_2"
                                  |
:0052781E BA4C795200              mov edx, 0052794C
:00527823 8BC6                    mov eax, esi
:00527825 E8AE0FF3FF              call 004587D8
:0052782A 8BC6                    mov eax, esi
:0052782C E8B708F3FF              call 004580E8
:00527831 8BC6                    mov eax, esi
:00527833 E834B7EDFF              call 00402F6C
:00527838 8B45F8                  mov eax, dword ptr [ebp-08]
:0052783B E870FAFFFF              call 005272B0
:00527840 99                      cdq
:00527841 52                      push edx
:00527842 50                      push eax
:00527843 8B45F4                  mov eax, dword ptr [ebp-0C]
:00527846 E865FAFFFF              call 005272B0
:0052784B 99                      cdq
:0052784C 52                      push edx
:0052784D 50                      push eax
:0052784E 8D958CFEFFFF            lea edx, dword ptr [ebp+FFFFFE8C]
:00527854 A1E0FE5600              mov eax, dword ptr [0056FEE0]
:00527859 E83616EEFF              call 00408E94
:0052785E 8B858CFEFFFF            mov eax, dword ptr [ebp+FFFFFE8C]
:00527864 E893C8EDFF              call 004040FC

* Reference To: Octodll.Registed, Ord:0000h
                                  |
:00527869 E896E7FFFF              Call 00526004
:0052786E 83F814                  cmp eax, 00000014
:00527871 7407                    je 0052787A
:00527873 BB01000000              mov ebx, 00000001
:00527878 EB02                    jmp 0052787C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00527871(C)
|
:0052787A 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00527455(U), :00527567(U), :005275A2(U), :00527600(U), :00527637(U)
|:00527676(U), :005276CB(U), :00527729(U), :00527760(U), :0052779F(U)
|:005277F4(U), :00527878(U)
|
:0052787C 33C0                    xor eax, eax
:0052787E 5A                      pop edx
:0052787F 59                      pop ecx
:00527880 59                      pop ecx
:00527881 648910                  mov dword ptr fs:[eax], edx
:00527884 68BF785200              push 005278BF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005278BD(U)
|
:00527889 8D858CFEFFFF            lea eax, dword ptr [ebp+FFFFFE8C]
:0052788F BA02000000              mov edx, 00000002
:00527894 E843C4EDFF              call 00403CDC
:00527899 8D8594FEFFFF            lea eax, dword ptr [ebp+FFFFFE94]

* Possible StringData Ref from Code Obj ->"
TSearchRecX"
                                  |
:0052789F 8B156C7E4000            mov edx, dword ptr [00407E6C]
:005278A5 E866CDEDFF              call 00404610
:005278AA 8D45EC                  lea eax, dword ptr [ebp-14]
:005278AD BA04000000              mov edx, 00000004
:005278B2 E825C4EDFF              call 00403CDC
:005278B7 C3                      ret


:005278B8 E90FBEEDFF              jmp 004036CC
:005278BD EBCA                    jmp 00527889
:005278BF 8BC3                    mov eax, ebx
:005278C1 5E                      pop esi
:005278C2 5B                      pop ebx
:005278C3 8BE5                    mov esp, ebp
:005278C5 5D                      pop ebp
:005278C6 C3                      ret


//--------------------------------------------------------------------------------------------------
    另外值得注意的是,在寫序號產生器求Code2時不要直接使用0x14,因為那樣算出來的註冊碼與作者給出的不符。其實Code2並不唯一,
除了最高2位和低16位不能動之外,其餘的14位可以為任意數。經過我的分析,使用0x93E0014算出來的註冊碼才與作者的相符。
