極速傳真[SpeedFax] 2.4 破解手記--程式逆向分析演算法
極速傳真[SpeedFax]
2.4 破解手記--程式逆向分析演算法
作者:newlaos
整理日期:2003.3.14(華軍網)
最新版本:2.4
檔案大小:681KB
軟體授權:共享軟體
使用平臺:Win9x/Me/NT/2000
釋出公司:http://www.speedfax.onchina.net/
軟體簡介:快捷高效的透過電腦收發傳真精典工具,功能特色如下:1.◆視覺化拖放式傳真封面檔案編輯、設計,真正圖文並茂;2.◆支援Class1/class2/class2.0等多類傳真卡並可自動偵測;3.◆功能強大的字元宏替換,輕鬆建立各類傳真標註;4.◆可匯入多種影像格式檔案,方便實現傳真圖片和印章蓋戳;5.◆一次新增數百個傳真任務,極適合商務傳真群發廣播;6.◆可以手動方式接收傳真,也可自動監控並接收傳真;7.◆支援傳真檔案翻轉、放大、縮小、壓縮等方式瀏覽;8.◆輕鬆列印傳真檔案,支援一邊接收傳真一邊自動列印傳真;9.◆支援WORD/WPS等各類文字辦公處理系統直接轉發傳真;10.◆真正綠色軟體,無需安裝即可使用,操作簡便,介面美觀。
加密方式:註冊碼
功能限制:次數限制
PJ工具:TRW20001.23註冊版、PE-SCAN3.31、W32Dasm8.93黃金版,FI2.5
PJ日期:2003-03-17
作者newlaos申明:只是學習,請不用於商業用途或是將本文方法制作的序號產生器任意傳播,造成後果,本人一概不負。
1、先用FI2.5看一下主程式speedfaxV24.exe,沒有加殼
2、用W32Dasm8.93黃金版對主程式進行靜態反彙編,再用串式資料參考,找到"軟體登記註冊成功!"(很經典的句子),雙擊來到下面程式碼段。這樣就找到註冊碼的計算部分。
3、再用TRW20001.23註冊版進行動態跟蹤,下斷BPX 4FF938(通常在註冊成功與否前面一些下斷,這樣,才能找到關鍵部分),先輸入假碼78787878
......
......
:004FF924
8D4DF4 lea ecx,
dword ptr [ebp-0C]
*
Possible StringData Ref from Code Obj ->"請輸入您的軟體註冊碼"
|
:004FF927 BA2CFA4F00
mov edx, 004FFA2C
*
Possible StringData Ref from Code Obj ->"登記註冊"
|
:004FF92C B84CFA4F00
mov eax, 004FFA4C
:004FF931 E87A36F4FF
call 00442FB0
:004FF936 3C01
cmp al, 01
<===看你是點了確定還是放棄
:004FF938 0F85A8000000
jne 004FF9E6
<===如果是點的放棄,則跳到後面去了。
:004FF93E 8D55D4
lea edx, dword ptr [ebp-2C]
:004FF941
8B45F4 mov eax,
dword ptr [ebp-0C] <===EAX=78787878
:004FF944 E87B9DF0FF
call 004096C4
<===EAX放了一個地址指標,正好指向我們輸入的假碼
:004FF949 8B45D4
mov eax, dword ptr [ebp-2C] <===EAX=78787878
:004FF94C
E8C3A0F0FF call 00409A14
<===第一次加工其實是把註冊碼字串轉成整數(見下面 004061BC 逐字元解析):輸入假碼 78787878 時,這裡 EAX=4B23526,正好就是十進位制 78787878。從下面反推,EAX 應該等於 199FF2(原文誤寫成 199FF22)才能註冊成功,F8 跟進看個究竟
:004FF951
8945F8 mov dword
ptr [ebp-08], eax
:004FF954 8955FC
mov dword ptr [ebp-04], edx
:004FF957 6A00
push 00000000
:004FF959
6A1B push
0000001B
:004FF95B 8B45F8
mov eax, dword ptr [ebp-08] <===上個CALL計算出來的EAX=4B23526
:004FF95E
8B55FC mov edx,
dword ptr [ebp-04] <===EDX=0
:004FF961 E88266F0FF
call 00405FE8
<===將註冊碼進行第二次加工,當輸入假碼是78787878時,這裡EAX=2C86B5,從下面推上來,EAX應該等於F2F6,才能註冊成功,F8跟進看個究竟
:004FF966
8945F8 mov dword
ptr [ebp-08], eax <===這裡就算出了EAX,這裡要正確則EAX=686+EC70=F2F6
:004FF969
8955FC mov dword
ptr [ebp-04], edx
:004FF96C 8B45F8
mov eax, dword ptr [ebp-08]
:004FF96F 8B55FC
mov edx, dword ptr [ebp-04]
:004FF972
2D70EC0000 sub eax, 0000EC70
<===第二次計算出來的EAX再減去EC70,成功的關鍵就是要等於686
:004FF977 83DA00
sbb edx, 00000000
<===EDX=0
:004FF97A 8945F8
mov dword ptr [ebp-08], eax
:004FF97D 8955FC
mov dword ptr [ebp-04],
edx
:004FF980 8D45D8
lea eax, dword ptr [ebp-28]
:004FF983 E8CCEDFFFF
call 004FE754
:004FF988 8B45D8
mov eax, dword ptr [ebp-28] <===這裡的值是經過上面計算好的,是固定的686
:004FF98B
99 cdq
<===cdq 是把 EAX 的符號位擴展到 EDX;因為 EAX=686 是正數,所以 EDX 才為 0(EAX 若為負值這裡會是 FFFFFFFF)
:004FF98C 8945E8
mov dword ptr [ebp-18], eax
:004FF98F 8955EC
mov dword ptr [ebp-14], edx
:004FF992
8B45F8 mov eax,
dword ptr [ebp-08] <===這裡說明,[EBP-08]必須和[EBP-18]相等
:004FF995
8B55FC mov edx,
dword ptr [ebp-04] <===這裡說明,[EBP-04]必須和[ebp-14]相等
:004FF998
3B55EC cmp edx,
dword ptr [ebp-14] <===必須相等
:004FF99B 7534
jne 004FF9D1
<===都是0,所以不會跳過去的。
:004FF99D 3B45E8
cmp eax, dword ptr [ebp-18]
<===必須相等(EAX 要等於 686)。
這個 686 是由上面 call 004FE754 填入 [ebp-28] 的,作者猜測它是本機的 CPU ID(0x686 確實形如 CPUID 回傳的 family/model/stepping 簽章,但本文沒有跟進 004FE754 驗證)。注意:若它真的取自 CPUID,註冊碼就和機器綁定,本文算出的 0x199ff2 只在作者那台機器上有效;換機器要先跟進 004FE754 取得該值,再用同樣方法重算。
:004FF9A0 752F
jne 004FF9D1 <===跳過去就OVER了
:004FF9A2
8B83B4030000 mov eax, dword ptr [ebx+000003B4]
:004FF9A8
E8037BFCFF call 004C74B0
:004FF9AD
6A00 push
00000000
:004FF9AF 668B0D58FA4F00 mov cx,
word ptr [004FFA58]
:004FF9B6 B202
mov dl, 02
*
Possible StringData Ref from Code Obj ->"軟體登記註冊成功!"
|
:004FF9B8 B864FA4F00
mov eax, 004FFA64
:004FF9BD E8D234F4FF
call 00442E94
:004FF9C2 33D2
xor edx, edx
:004FF9C4 8B838C030000
mov eax, dword ptr [ebx+0000038C]
:004FF9CA
E839C3F5FF call 0045BD08
:004FF9CF
EB15 jmp
004FF9E6
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:004FF99B(C), :004FF9A0(C)
|
:004FF9D1
6A00 push
00000000
:004FF9D3 668B0D58FA4F00 mov cx,
word ptr [004FFA58]
:004FF9DA B201
mov dl, 01
*
Possible StringData Ref from Code Obj ->"軟體註冊號錯誤!"
|
:004FF9DC B880FA4F00
mov eax, 004FFA80
:004FF9E1 E8AE34F4FF
call 00442E94
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004FF938(C),
:004FF9CF(U)
|
:004FF9E6 33C0
xor eax, eax
:004FF9E8 5A
pop edx
:004FF9E9 59
pop ecx
:004FF9EA
59 pop
ecx
:004FF9EB 648910
mov dword ptr fs:[eax], edx
:004FF9EE 680BFA4F00
push 004FFA0B
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FFA09(U)
|
:004FF9F3
8D45D4 lea eax,
dword ptr [ebp-2C]
:004FF9F6 E8F555F0FF
call 00404FF0
:004FF9FB 8D45F4
lea eax, dword ptr [ebp-0C]
:004FF9FE E8ED55F0FF
call 00404FF0
:004FFA03 C3
ret
:004FFA04
E98B4FF0FF jmp 00404994
:004FFA09
EBE8 jmp
004FF9F3
:004FFA0B 5B
pop ebx
:004FFA0C 8BE5
mov esp, ebp
:004FFA0E 5D
pop ebp
:004FFA0F C3
ret
---------將註冊碼進行第二次加工的CALL
,F8跟進(004FF961 call 00405FE8)-------------------------
------------------注,要想正確,則EAX的返回值應該是F2F6-------------------------
:00405FE8
55 push
ebp
:00405FE9 53
push ebx
:00405FEA 56
push esi
:00405FEB 57
push edi
:00405FEC 31FF
xor edi,
edi
:00405FEE 8B5C2414 mov
ebx, dword ptr [esp+14] <===EBX=1B(固定)
:00405FF2 8B4C2418
mov ecx, dword ptr [esp+18]
:00405FF6
09C9 or ecx,
ecx
:00405FF8 7508
jne 00406002 <===不跳
:00405FFA 09D2
or edx, edx
:00405FFC
745C je 0040605A
<===跳
:00405FFE 09DB
or ebx, ebx
:00406000 7458
je 0040605A
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405FF8(C)
|
:00406002
09D2 or edx,
edx
:00406004 790A
jns 00406010
:00406006 F7DA
neg edx
:00406008 F7D8
neg eax
:0040600A 83DA00
sbb edx, 00000000
:0040600D
83CF01 or edi, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406004(C)
|
:00406010
09C9 or ecx,
ecx
:00406012 790A
jns 0040601E
:00406014 F7D9
neg ecx
:00406016 F7DB
neg ebx
:00406018 83D900
sbb ecx, 00000000
:0040601B
83F701 xor edi,
00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00406012(C)
|
:0040601E
89CD mov
ebp, ecx
:00406020 B940000000 mov
ecx, 00000040
:00406025 57
push edi
:00406026 31FF
xor edi, edi
:00406028 31F6
xor esi, esi
:0040602A
D1E0 shl
eax, 1
:0040602C D1D2
rcl edx, 1
:0040602E D1D6
rcl esi, 1
:00406030 D1D7
rcl edi, 1
:00406032 39EF
cmp edi, ebp
:00406034
720B jb 00406041
:00406036
7704 ja 0040603C
:00406038
39DE cmp
esi, ebx
:0040603A 7205
jb 00406041
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406036(C)
|
:0040603C
29DE sub
esi, ebx
:0040603E 19EF
sbb edi, ebp
:00406040 40
inc eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406034(C),
:0040603A(C)
|
:00406041 E2E7
loop 0040602A
:00406043 5B
pop ebx
:00406044 F7C301000000
test ebx, 00000001
:0040604A 7407
je 00406053
:0040604C
F7DA neg
edx
:0040604E F7D8
neg eax
:00406050 83DA00
sbb edx, 00000000
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040604A(C),
:0040605E(U)
|
:00406053 5F
pop edi
:00406054 5E
pop esi
:00406055 5B
pop ebx
:00406056
5D pop
ebp
:00406057 C20800
ret 0008
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00405FFC(C),
:00406000(C)
|
:0040605A F7F3
div ebx
<===除數高位 ECX 和被除數高位 EDX 都為 0 時直接跳到這裡做無號除法 EDX:EAX / EBX,EBX=1B;商放 EAX,餘數放 EDX,隨後被 xor edx,edx 丟棄。要求正確則商必須等於 F2F6,所以進來之前 EDX:EAX 應該等於 F2F6*1B=199FF2。又因為餘數被丟掉,199FF2 到 19A00C 這 27 個值(十進位制 1679346~1679372)的商都是 F2F6,都能通過後面的檢查——註冊碼並不唯一。
:0040605C
31D2 xor
edx, edx
:0040605E EBF3
jmp 00406053
:00406060 C3
ret
------將註冊碼進行第一次加工的CALL
,F8跟進(:004FF94C call 00409A14)-------------------------
------------------注,要想正確,則EAX的返回值應該是199FF2------------------------------------
:00409A14
53 push
ebx
:00409A15 83C4EC
add esp, FFFFFFEC
:00409A18 8BD8
mov ebx, eax
:00409A1A 8D542408
lea edx, dword ptr [esp+08]
:00409A1E 8BC3
mov eax,
ebx <===EAX=EBX=78787878
:00409A20 E897C7FFFF
call 004061BC <===這個CALL,就可以算出EAX=4B23526出來,F8進去
:00409A25
890424 mov dword
ptr [esp], eax
:00409A28 89542404
mov dword ptr [esp+04], edx
:00409A2C 837C240800
cmp dword ptr [esp+08], 00000000
:00409A31
7419 je 00409A4C
<===[esp+08] 是上一個 call 透過 EDX 傳回的錯誤位置(004061C3 把 EDX 存到 [esp],結尾 004063C3/004063CC 往裡面寫 EBP 或 0):為 0 表示整串都轉換成功,於是跳去返回;非 0 則走 00409A47 的 call 004093B8,推測是丟出轉換錯誤。輸入假碼 78787878 時全是數字,這裡就跳走
:00409A33 895C240C
mov dword ptr [esp+0C], ebx
:00409A37
C64424100B mov [esp+10], 0B
:00409A3C
8D54240C lea edx, dword
ptr [esp+0C]
:00409A40 A1C8555000
mov eax, dword ptr [005055C8]
:00409A45 33C9
xor ecx, ecx
:00409A47 E86CF9FFFF
call 004093B8
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409A31(C)
|
:00409A4C
8B0424 mov eax,
dword ptr [esp]
:00409A4F 8B542404
mov edx, dword ptr [esp+04]
:00409A53 83C414
add esp, 00000014
:00409A56
5B pop
ebx
:00409A57 C3
ret
------------------------------------------------------------------------------------------
:00409A20
call 004061BC 這個CALL,就可以算出EAX=4B23526出來(要求EAX=199FF2),
F8進去來到下面程式碼段:
:004061BC
53 push
ebx <===EBX=78787878
:004061BD 56
push esi
:004061BE 57
push
edi
:004061BF 55
push ebp
:004061C0 83C4EC
add esp, FFFFFFEC
:004061C3
891424 mov dword
ptr [esp], edx
:004061C6 8BF0
mov esi, eax <===ESI=EAX=指向字串 "78787878" 的指標,不是數值本身;下面的 [esi+ebp-01] 以 EBP 當 1 起算的字元索引
:004061C8 BD01000000
mov ebp, 00000001
:004061CD
33FF xor
edi, edi
:004061CF C744240800000000 mov [esp+08],
00000000
:004061D7 C744240C00000000 mov [esp+0C],
00000000
:004061DF 85F6
test esi, esi <===當然不為零了
:004061E1 750B
jne 004061EE <===這裡跳走,說明字串指標非 0,也就是輸入不為空(空字串時 ESI 為 0,會走下面把 EBP=1 當錯誤位置寫回的路徑)
:004061E3
8B0424 mov eax,
dword ptr [esp]
:004061E6 8928
mov dword ptr [eax], ebp
:004061E8 E9E1010000
jmp 004063CE
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004061F3(C)
|
:004061ED
45 inc
ebp
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:004061E1(C)
|
:004061EE
807C2EFF20 cmp byte ptr [esi+ebp-01],
20 <===從004061E1跳到這一行
:004061F3 74F8
je 004061ED <===這是跳過前導空格(0x20):是空格就 inc ebp 再比,直到遇到非空格為止;只處理開頭的空格,字串中間的空格不會被去掉(到了下面的位元判斷會當成非法字元退出)
:004061F5
C644241000 mov [esp+10], 00
:004061FA
8A442EFF mov al, byte ptr
[esi+ebp-01]
:004061FE 3C2D
cmp al, 2D <===這裡是看第一個字元是不是“-”
:00406200
7508 jne
0040620A <===不是則跳走
:00406202 C644241001
mov [esp+10], 01
:00406207 45
inc ebp
:00406208 EB05
jmp 0040620F
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406200(C)
|
:0040620A
3C2B cmp
al, 2B <===這裡是看第一個字元是不是“+”
:0040620C 7501
jne 0040620F
<===不是則跳走
:0040620E 45
inc ebp
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406208(U),
:0040620C(C)
|
:0040620F B301
mov bl, 01 <===再次跳到這一行。
:00406211
807C2EFF24 cmp byte ptr [esi+ebp-01],
24 <===這裡是看第一個字元是不是“$”
:00406216 741B
je 00406233
<===不跳
:00406218 807C2EFF30
cmp byte ptr [esi+ebp-01], 30 <===這裡是看第一個字元是不是“0”
:0040621D
0F85DA000000 jne 004062FD
<===不是,則跳走
:00406223 8A042E
mov al, byte ptr
[esi+ebp]
:00406226 E8A9CAFFFF call
00402CD4
:0040622B 3C58
cmp al, 58
<===0x58 是大寫 'X';前一個 call 00402CD4 推測是轉大寫,所以第二個字元是 x 或 X 應該都可以(本文只試了小寫)
:0040622D 0F85CA000000
jne 004062FD
*** 注:這裡好幾個判斷跳轉,試一下,最後確定正確的註冊碼應該為0x??????的形式,把註冊碼改為0x787878重新來。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406216(C)
|
:00406233
807C2EFF30 cmp byte ptr [esi+ebp-01],
30 <==看第一個字元是不是0
:00406238 7501
jne 0040623B
<==是所以不跳
:0040623A 45
inc ebp
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406238(C)
|
:0040623B
45 inc
ebp
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:004062D1(U)
|
:0040623C
8A442EFF mov al, byte ptr
[esi+ebp-01] <==依次取註冊碼的第3位到第8位
:00406240 8BD0
mov edx, eax
:00406242 80C2D0
add dl, D0
:00406245
80EA0A sub dl, 0A
:00406248
7212 jb 0040625C
:0040624A
80C2F9 add dl, F9
:0040624D
80EA06 sub dl, 06
:00406250
7217 jb 00406269
:00406252
80C2E6 add dl, E6
:00406255
80EA06 sub dl, 06
:00406258
721C jb 00406276
:0040625A
EB7A jmp
004062D6 <==上面三組 add/sub/jb 依序判斷字元是否落在 '0'-'9'、'A'-'F'、'a'-'f';三者都不是(例如結尾的 0 位元組)就從這裡跳出。以 0x787878 為例,共處理 6 個十六進位制位後在這裡跳出
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406248(C)
|
:0040625C
8BF8 mov
edi, eax
:0040625E 81E7FF000000 and
edi, 000000FF
:00406264 83EF30
sub edi, 00000030
:00406267 EB18
jmp 00406281
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406250(C)
|
:00406269
8BF8 mov
edi, eax
:0040626B 81E7FF000000 and
edi, 000000FF
:00406271 83EF37
sub edi, 00000037
:00406274 EB0B
jmp 00406281
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406258(C)
|
:00406276
8BF8 mov
edi, eax
:00406278 81E7FF000000 and
edi, 000000FF
:0040627E 83EF57
sub edi, 00000057
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406267(U),
:00406274(U)
|
:00406281 837C240C00
cmp dword ptr [esp+0C], 00000000
:00406286 7509
jne 00406291
:00406288 837C240800
cmp dword ptr [esp+08], 00000000
:0040628D
7247 jb 004062D6
:0040628F
EB02 jmp
00406293
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00406286(C)
|
:00406291
7C43 jl 004062D6
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040628F(U)
|
:00406293
817C240CFFFFFF07 cmp dword ptr [esp+0C], 07FFFFFF
:0040629B
7509 jne
004062A6
:0040629D 837C2408FF cmp
dword ptr [esp+08], FFFFFFFF
:004062A2 7604
jbe 004062A8
:004062A4 EB30
jmp 004062D6
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040629B(C)
|
:004062A6
7F2E jg 004062D6
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004062A2(C)
|
:004062A8
8BC7 mov
eax, edi
:004062AA 99
cdq
:004062AB 52
push edx
:004062AC 50
push eax
:004062AD 8B442410
mov eax, dword ptr [esp+10]
:004062B1
8B542414 mov edx, dword
ptr [esp+14]
:004062B5 0FA4C204
shld edx, eax, 04
:004062B9 C1E004
shl eax, 04
:004062BC 030424
add eax, dword ptr [esp]
:004062BF
13542404 adc edx, dword
ptr [esp+04]
:004062C3 83C408
add esp, 00000008
:004062C6 89442408
mov dword ptr [esp+08], eax
:004062CA 8954240C
mov dword ptr [esp+0C], edx
:004062CE
45 inc
ebp
:004062CF 33DB
xor ebx, ebx
:004062D1 E966FFFFFF
jmp 0040623C <===每處理一個十六進位制位就從這裡往上跳一次(0x787878 共 6 位);每輪先把累計值(EDX:EAX)用 shld/shl 左移 4 位,再加上本位的值,即 value = value*16 + digit
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040625A(U),
:0040628D(C), :00406291(C), :004062A4(U), :004062A6(C)
|
:004062D6 807C241000
cmp byte ptr [esp+10], 00
<==從0040625A行跳到這裡
:004062DB 0F84D3000000
je 004063B4
<==是0,所以再次跳走
:004062E1 8B442408
mov eax, dword ptr [esp+08]
:004062E5 8B54240C
mov edx, dword ptr [esp+0C]
:004062E9
F7D8 neg
eax
:004062EB 83D200
adc edx, 00000000
:004062EE F7DA
neg edx
:004062F0 89442408
mov dword ptr [esp+08], eax
:004062F4 8954240C
mov dword ptr [esp+0C],
edx
:004062F8 E9B7000000 jmp
004063B4
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040621D(C), :0040622D(C),
:0040636B(U)
|
:004062FD 8A442EFF
mov al, byte ptr [esi+ebp-01]
******
如果,前兩位不是0x,則從0040621D跳到這一行,依次取註冊碼的值,放入AL
:00406301 8BD0
mov edx, eax
:00406303 80C2D0
add dl, D0
:00406306
80EA0A sub dl, 0A
:00406309
7362 jnb
0040636D
:0040630B 8BF8
mov edi, eax
:0040630D 81E7FF000000
and edi, 000000FF
:00406313 83EF30
sub edi, 00000030
:00406316 837C240C00
cmp dword ptr [esp+0C], 00000000
:0040631B
7509 jne
00406326
:0040631D 837C240800 cmp
dword ptr [esp+08], 00000000
:00406322 7249
jb 0040636D
:00406324 EB02
jmp 00406328
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040631B(C)
|
:00406326
7C45 jl 0040636D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406324(U)
|
:00406328
817C240CCCCCCC0C cmp dword ptr [esp+0C], 0CCCCCCC
:00406330
750C jne
0040633E
:00406332 817C2408CCCCCCCC cmp dword ptr
[esp+08], CCCCCCCC
:0040633A 7604
jbe 00406340
:0040633C EB2F
jmp 0040636D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406330(C)
|
:0040633E
7F2D jg 0040636D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040633A(C)
|
:00406340
6A00 push
00000000
:00406342 6A0A
push 0000000A
:00406344 8B442410
mov eax, dword ptr [esp+10]
:00406348 8B542414
mov edx, dword ptr [esp+14]
:0040634C
E873FCFFFF call 00405FC4
:00406351
52 push
edx
:00406352 50
push eax
:00406353 8BC7
mov eax, edi
:00406355 99
cdq
:00406356 030424
add eax, dword ptr [esp]
:00406359
13542404 adc edx, dword
ptr [esp+04]
:0040635D 83C408
add esp, 00000008
:00406360 89442408
mov dword ptr [esp+08], eax
:00406364 8954240C
mov dword ptr [esp+0C], edx
:00406368
45 inc
ebp
:00406369 33DB
xor ebx, ebx
:0040636B EB90
jmp 004062FD
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406309(C),
:00406322(C), :00406326(C), :0040633C(U), :0040633E(C)
|
:0040636D 807C241000
cmp byte ptr [esp+10], 00
:00406372
7417 je 0040638B
:00406374
8B442408 mov eax, dword
ptr [esp+08]
:00406378 8B54240C
mov edx, dword ptr [esp+0C]
:0040637C F7D8
neg eax
:0040637E 83D200
adc edx, 00000000
:00406381
F7DA neg
edx
:00406383 89442408 mov
dword ptr [esp+08], eax
:00406387 8954240C
mov dword ptr [esp+0C], edx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406372(C)
|
:0040638B
837C240C00 cmp dword ptr [esp+0C],
00000000
:00406390 7505
jne 00406397
:00406392 837C240800
cmp dword ptr [esp+08], 00000000
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406390(C)
|
:00406397
741B je 004063B4
:00406399
837C240C00 cmp dword ptr [esp+0C],
00000000
:0040639E 750A
jne 004063AA
:004063A0 837C240800
cmp dword ptr [esp+08], 00000000
:004063A5 0F92C0
setb al
:004063A8 EB03
jmp 004063AD
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040639E(C)
|
:004063AA
0F9CC0 setl al
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063A8(U)
|
:004063AD
3A442410 cmp al, byte ptr
[esp+10]
:004063B1 7401
je 004063B4
:004063B3 4D
dec ebp
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004062DB(C),
:004062F8(U), :00406397(C), :004063B1(C)
|
:004063B4 807C2EFF00
cmp byte ptr [esi+ebp-01], 00 <==從004062DB跳到這裡
:004063B9
0F95C0 setne al
:004063BC
0AD8 or bl,
al
:004063BE 7407
je 004063C7
:004063C0 8B0424
mov eax, dword ptr [esp]
:004063C3 8928
mov dword ptr [eax], ebp
:004063C5
EB07 jmp
004063CE
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004063BE(C)
|
:004063C7
8B0424 mov eax,
dword ptr [esp]
:004063CA 33D2
xor edx, edx
:004063CC 8910
mov dword ptr [eax], edx
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004061E8(U),
:004063C5(U)
|
:004063CE 8B442408
mov eax, dword ptr [esp+08]
<===前綴是 0x 時,這裡 EAX 正好等於 787878;要 EAX=199FF2,到這裡就可以判斷出註冊碼是 0x199ff2。上面的位元判斷同時接受 'A'-'F'(sub edi,37)和 'a'-'f'(sub edi,57),所以並不要求全部小寫;另外 00406211 處對 '$' 前綴的判斷也走同一條十六進位制路徑,$199ff2 推測也能通過(本文未實測)。退出程式一試,呵呵,“註冊完成”
:004063D2
8B54240C mov edx, dword
ptr [esp+0C]
:004063D6 83C414
add esp, 00000014
:004063D9 5D
pop ebp
:004063DA 5F
pop edi
:004063DB
5E pop
esi
:004063DC 5B
pop ebx
:004063DD C3
ret
------------------------------------------------------------------------------------------
4、軟體還有一種是,前兩位不是0x的情況(從 0040621D 跳到 004062FD 的十進位制路徑),我跟蹤出來,但一開始不知道怎麼反推回註冊碼,把它的演算法寫在下面:
eax=0;
string=輸入的註冊碼;
for(i=0;i<strlen(string);i++)
<---迴圈註冊碼長度的次數(原文誤寫成 i=strlen(string),那會變成死迴圈)
{eax=eax*10+(string[i]-'0')
}
<---對應 0040630D~00406313 的 sub edi,30 取數字值,以及 00406340~00406359 的 call 00405FC4(由 push 0/push 0A 的參數推測是 64 位元乘 10)再相加;程式裡實際用 EDX:EAX 做 64 位元運算
printf("%d",eax);
<---最後EAX應該等於EAX=199FF2(16進位制)=1679346(10進位制)
呵呵,算出來了,還有一個註冊碼就是1679346。補充:因為第二次加工的除法把餘數丟掉了(0040605A div ebx 之後 xor edx,edx),1679346~1679372 這 27 個數的商都是 F2F6,都能通過檢查。
5、註冊資訊儲存在登錄檔
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1AE69D60-73D0-11D4-BD52-38A480C50000}]
"224951124"="224951124"
這個鍵值為 1-10 時是尚餘的使用次數;等於上面的數值(224951124)時就是註冊版了。
刪除鍵值,就成為未註冊版本了。從安全設計的角度看,授權狀態和試用次數只是放在一個偽裝成 CLSID 的登錄檔鍵下的明文數字,任何能寫 HKLM 的程式或使用者都能直接改寫或刪除,沒有任何完整性保護(例如簽章或 HMAC),這種儲存方式本身起不到保護作用。
(我沒學過彙編,C語言自學了一段時間,沒學完,如有不對的地方請大家指正)