Instyler Ex-it! Chinese Edition 1.64: a simple algorithm analysis

Pediy (看雪) archive, published 2015-11-15


Software name: Instyler Ex-it! Chinese Edition 1.64
Description:   Instyler Ex-it! is a powerful development tool for building self-extracting archives.
               Unlike other self-extractor programs, Instyler Ex-it! gives you many additional
               options: you can configure every visual element, use message boxes, set different
               languages, or build a single-file installer. Self-extracting archives built with
               Instyler Ex-it! support password protection, display of a licence agreement and
               running executables, and include a built-in uninstaller. The archives it creates
               show no advertising and look as if you had built them yourself.
Download:      http://antivirus.pchome.net/utility/pack/10964.html
Purpose:       to learn how this software generates its registration code
Tools:         OllyDbg 1.09 Chinese edition, W32Dasm 10, language
Platform:      Windows XP (haha, OllyDbg is great, it can debug under XP too; think about it, and MP3 as well)

Procedure:
1) Run the program. A registration prompt window appears first; click the "Enter registration code" button, enter a registration name & registration code, and click OK.
A dialog "輸入的註冊值是無效的。舊資料已經回存。" ("The registration value entered is invalid. The old data has been restored.") appears. Close the program for now.

2) Check the main program "Exit.exe" with language: it is not packed.

3) Disassemble Exit.exe with W32Dasm 10, then search for the string "輸入的註冊值是無效的。舊資料已經回存。". Double-click the hit to arrive at the following location:
 
Here is the conditional jump that leads to the error message:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00458590(C)
Go up to 00458590: one line above it, at 0045858E, there is a compare, and above that another CALL.
So step into that CALL, namely 00458589 E8421C0000  call 0045A1D0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00458508(C)
|
:00458577 8D55F8                  lea edx, dword ptr [ebp-08]
:0045857A 8B83B8010000            mov eax, dword ptr [ebx+000001B8]
:00458580 E8ABAFFBFF              call 00413530
:00458585 8B45F8                  mov eax, dword ptr [ebp-08]
:00458588 5A                      pop edx
:00458589 E8421C0000              call 0045A1D0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045851F(C)
|
:0045858E 3C01                    cmp al, 01
:00458590 0F85C3000000            jne 00458659
:00458596 8D55FC                  lea edx, dword ptr [ebp-04]
:00458599 8B83B8010000            mov eax, dword ptr [ebx+000001B8]
:0045859F E88CAFFBFF              call 00413530
:004585A4 8B55FC                  mov edx, dword ptr [ebp-04]
:004585A7 A1303B4600              mov eax, dword ptr [00463B30]
:004585AC 0574040000              add eax, 00000474
:004585B1 E892B0FAFF              call 00403648
:004585B6 8D55FC                  lea edx, dword ptr [ebp-04]
:004585B9 8B83BC010000            mov eax, dword ptr [ebx+000001BC]
:004585BF E86CAFFBFF              call 00413530
:004585C4 8B55FC                  mov edx, dword ptr [ebp-04]
:004585C7 A1303B4600              mov eax, dword ptr [00463B30]
:004585CC 0578040000              add eax, 00000478
:004585D1 E872B0FAFF              call 00403648
:004585D6 33C9                    xor ecx, ecx
:004585D8 B201                    mov dl, 01
:004585DA B860DC4300              mov eax, 0043DC60
:004585DF E8D85CFEFF              call 0043E2BC
:004585E4 8BF0                    mov esi, eax
:004585E6 BA01000080              mov edx, 80000001
:004585EB 8BC6                    mov eax, esi
:004585ED E8B657FEFF              call 0043DDA8
:004585F2 A1303B4600              mov eax, dword ptr [00463B30]
:004585F7 8B8074040000            mov eax, dword ptr [eax+00000474]
:004585FD 50                      push eax

* Possible StringData Ref from Code Obj ->"Username"
                                 |
:004585FE B99C864500              mov ecx, 0045869C

* Possible StringData Ref from Code Obj ->"Software\instyler\ex-it!\RegData"
                                 |
:00458603 BAB0864500              mov edx, 004586B0
:00458608 8BC6                    mov eax, esi
:0045860A E8C15DFEFF              call 0043E3D0
:0045860F A1303B4600              mov eax, dword ptr [00463B30]
:00458614 8B8078040000            mov eax, dword ptr [eax+00000478]
:0045861A 50                      push eax

* Possible StringData Ref from Code Obj ->"Userkey"
                                 |
:0045861B B9DC864500              mov ecx, 004586DC

* Possible StringData Ref from Code Obj ->"Software\instyler\ex-it!\RegData"
                                 |
:00458620 BAB0864500              mov edx, 004586B0
:00458625 8BC6                    mov eax, esi
:00458627 E8A45DFEFF              call 0043E3D0
:0045862C 6A40                    push 00000040

* Possible StringData Ref from Code Obj ->"謝謝你註冊"
                                 |
:0045862E B9E4864500              mov ecx, 004586E4

* Possible StringData Ref from Code Obj ->"謝謝你註冊 instyler ex-it!"
                                 |
:00458633 BA00874500              mov edx, 00458700
:00458638 A130364600              mov eax, dword ptr [00463630]
:0045863D E84ACCFCFF              call 0042528C
:00458642 A1143B4600              mov eax, dword ptr [00463B14]
:00458647 80783700                cmp byte ptr [eax+37], 00
:0045864B 7416                    je 00458663
:0045864D A1143B4600              mov eax, dword ptr [00463B14]
:00458652 E835B1FCFF              call 0042378C
:00458657 EB0A                    jmp 00458663

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00458590(C)
|

* Possible StringData Ref from Code Obj ->"輸入的註冊值是無效的。舊資料已經回存。"
                                 |
:00458659 B8B0874500              mov eax, 004587B0
:0045865E E8E98BFDFF              call 0043124C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045855F(C), :0045864B(C), :00458657(U)
|
:00458663 8BC3                    mov eax, ebx
:00458665 E822B1FCFF              call 0042378C
:0045866A 33C0                    xor eax, eax
:0045866C 5A                      pop edx
:0045866D 59                      pop ecx
:0045866E 59                      pop ecx
:0045866F 648910                  mov dword ptr fs:[eax], edx
:00458672 688C864500              push 0045868C


4) Load Exit.exe in OllyDbg, set a breakpoint at 0045A1D0, press F9 to run the program, enter the name and regcode, click OK, and execution breaks here:

* Referenced by a CALL at Addresses:
|:00458589   , :0045C970  
|
:0045A1D0 55                      push ebp
:0045A1D1 8BEC                    mov ebp, esp
:0045A1D3 33C9                    xor ecx, ecx
:0045A1D5 51                      push ecx
:0045A1D6 51                      push ecx
:0045A1D7 51                      push ecx
:0045A1D8 51                      push ecx
:0045A1D9 51                      push ecx
:0045A1DA 51                      push ecx
:0045A1DB 51                      push ecx
:0045A1DC 53                      push ebx
:0045A1DD 56                      push esi
:0045A1DE 57                      push edi
:0045A1DF 8955F8                  mov dword ptr [ebp-08], edx
:0045A1E2 8945FC                  mov dword ptr [ebp-04], eax
:0045A1E5 8B45FC                  mov eax, dword ptr [ebp-04]
:0045A1E8 E83397FAFF              call 00403920
:0045A1ED 8B45F8                  mov eax, dword ptr [ebp-08]
:0045A1F0 E82B97FAFF              call 00403920
:0045A1F5 33C0                    xor eax, eax
:0045A1F7 55                      push ebp
:0045A1F8 68DBA24500              push 0045A2DB
:0045A1FD 64FF30                  push dword ptr fs:[eax]
:0045A200 648920                  mov dword ptr fs:[eax], esp
:0045A203 33DB                    xor ebx, ebx
:0045A205 8B45FC                  mov eax, dword ptr [ebp-04]
:0045A208 E85F95FAFF              call 0040376C
:0045A20D 83F804                  cmp eax, 00000004    <----- compare: is the registration name shorter than 4 characters?
:0045A210 0F8CAA000000            jl 0045A2C0          <----- shorter than 4: jump
:0045A216 33F6                    xor esi, esi         <----- clear ESI
:0045A218 33FF                    xor edi, edi         <----- clear EDI

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A240(C)
|
:0045A21A 8D45F0                  lea eax, dword ptr [ebp-10]
:0045A21D 50                      push eax
:0045A21E B901000000              mov ecx, 00000001
:0045A223 8BD7                    mov edx, edi              <---- first round: EDX=EDI=0
:0045A225 8B45FC                  mov eax, dword ptr [ebp-04]
:0045A228 E84397FAFF              call 00403970             <---- this CALL is the trick that makes the first character get processed twice; step into it

Arriving here: wow, it is called from so many places, and there are so many jumps inside. I didn't figure it out; any expert who is willing, please advise.
* Referenced by a CALL at Addresses:
|:00405FDC   , :00406435   , :0040646E   , :004064B4   , :0040A4DF  
|:0040A600   , :0040C68C   , :0040C88F   , :0040C8A2   , :0040FAB8  
|:004123D3   , :00412417   , :00430B35   , :0043508A   , :0043541B  
|:00436451   , :00436963   , :004380C9   , :00438B5A   , :00438CBB  
|:00439047   , :0043906E   , :00439CB1   , :0043B8D5   , :0043F00A  
|:0043F040   , :0043FFEF   , :004411D0   , :00441207   , :004412AC  
|:004412E3   , :00441569   , :004415A7   , :004415F3   , :0044160B  
|:0044162E   , :00441649   , :004425E0   , :004429EC   , :00442A04  
|:00442A88   , :00443078   , :004430A1   , :004430FC   , :00443131  
|:0044315C   , :00443175   , :00443261   , :004434D2   , :00457ECD  
|:004580A1   , :0045A228   , :0045A267   , :0045A28E   , :0045A4C3  
|:0045AFD3   , :0045B06D   , :0045B95E   , :0045B984   , :0045CC6F  
|:0045D181   , :0045D5BD   , :0045D63F   , :0045F361   , :0045F3D4  
|
:00403970 53                      push ebx
:00403971 85C0                    test eax, eax
:00403973 742D                    je 004039A2
:00403975 8B58FC                  mov ebx, dword ptr [eax-04]
:00403978 85DB                    test ebx, ebx
:0040397A 7426                    je 004039A2
:0040397C 4A                      dec edx          <------ the EDX value is the key parameter
:0040397D 7C1B                    jl 0040399A
:0040397F 39DA                    cmp edx, ebx
:00403981 7D1F                    jge 004039A2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040399C(U)
|
:00403983 29D3                    sub ebx, edx
:00403985 85C9                    test ecx, ecx
:00403987 7C19                    jl 004039A2
:00403989 39D9                    cmp ecx, ebx
:0040398B 7F11                    jg 0040399E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004039A0(U)
|
:0040398D 01C2                    add edx, eax
:0040398F 8B442408                mov eax, dword ptr [esp+08]
:00403993 E840FDFFFF              call 004036D8
:00403998 EB11                    jmp 004039AB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040397D(C)
|
:0040399A 31D2                    xor edx, edx
:0040399C EBE5                    jmp 00403983

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040398B(C)
|
:0040399E 89D9                    mov ecx, ebx
:004039A0 EBEB                    jmp 0040398D

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403973(C), :0040397A(C), :00403981(C), :00403987(C)
|
:004039A2 8B442408                mov eax, dword ptr [esp+08]
:004039A6 E84DFCFFFF              call 004035F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403998(U)
|
:004039AB 5B                      pop ebx
:004039AC C20400                  ret 0004

Step back out and continue:

:0045A22D 8B45F0                  mov eax, dword ptr [ebp-10]
:0045A230 0FB600                  movzx eax, byte ptr [eax]  <---- ASCII value of each character of the registration name into EAX.
                                                                 Because the first character of the name is processed
                                                                 twice, and the loop runs only as many times as the
                                                                 name has characters, the last character takes no part
                                                                 in the calculation.
:0045A233 03F0                    add esi, eax             <--- accumulate EAX: ESI=ESI+EAX
:0045A235 47                      inc edi                  <--- counter +1
:0045A236 8B45FC                  mov eax, dword ptr [ebp-04]
:0045A239 E82E95FAFF              call 0040376C
:0045A23E 3BF8                    cmp edi, eax           <----- compare: have we run as many rounds as the name has characters?
:0045A240 7CD8                    jl 0045A21A            <----- not yet: go back

* Possible StringData Ref from Code Obj ->"1000-"        <----- prefix of the registration code
                                 |
:0045A242 68F4A24500              push 0045A2F4
:0045A247 8D55F0                  lea edx, dword ptr [ebp-10]
:0045A24A 8BC6                    mov eax, esi
:0045A24C E897BEFAFF              call 004060E8          <---- convert the sum accumulated above from hex to decimal: the second segment of the registration code
:0045A251 FF75F0                  push [ebp-10]
:0045A254 6804A34500              push 0045A304
:0045A259 8D45E8                  lea eax, dword ptr [ebp-18]
:0045A25C 50                      push eax
:0045A25D B901000000              mov ecx, 00000001
:0045A262 33D2                    xor edx, edx             <----- clear EDX
:0045A264 8B45FC                  mov eax, dword ptr [ebp-04]
:0045A267 E80497FAFF              call 00403970             <---- here it is again
:0045A26C 8B45E8                  mov eax, dword ptr [ebp-18]
:0045A26F 0FB600                  movzx eax, byte ptr [eax]   <----- take the ASCII value of the first character of the registration name
:0045A272 8D55EC                  lea edx, dword ptr [ebp-14]
:0045A275 E86EBEFAFF              call 004060E8                <------ this CALL again, for the base conversion: the first part of the third segment
:0045A27A FF75EC                  push [ebp-14]
:0045A27D 8D45E4                  lea eax, dword ptr [ebp-1C]
:0045A280 50                      push eax
:0045A281 B901000000              mov ecx, 00000001
:0045A286 BA04000000              mov edx, 00000004            <------ EDX=4
:0045A28B 8B45FC                  mov eax, dword ptr [ebp-04]
:0045A28E E8DD96FAFF              call 00403970                <------ it again
:0045A293 8B45E4                  mov eax, dword ptr [ebp-1C]
:0045A296 0FB600                  movzx eax, byte ptr [eax]    <----- take the ASCII value of the fourth character of the registration name
:0045A299 8D55E8                  lea edx, dword ptr [ebp-18]
:0045A29C E847BEFAFF              call 004060E8                <------ this CALL once more, for the base conversion: the second part of the third segment
:0045A2A1 FF75E8                  push [ebp-18]
:0045A2A4 8D45F4                  lea eax, dword ptr [ebp-0C]
:0045A2A7 BA05000000              mov edx, 00000005
:0045A2AC E87B95FAFF              call 0040382C                 <------ concatenate the segments of the registration code
:0045A2B1 8B45F8                  mov eax, dword ptr [ebp-08]   <------ the entered (fake) code
:0045A2B4 8B55F4                  mov edx, dword ptr [ebp-0C]   <------ the real code
:0045A2B7 E8C095FAFF              call 0040387C                 <------ compare
:0045A2BC 7502                    jne 0045A2C0                  <------ if you want to 強暴 (force) it, this is a good spot
      "Smack!"
      "Who threw that at me?"
      "So what if I did; no X-rated stuff is allowed here."
      "Mate, please keep it clean; I meant a forced crack (強制暴破)."
      "Smack!", "Ow! You threw again!"
:0045A2BE B301                    mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045A210(C), :0045A2BC(C)
|
:0045A2C0 33C0                    xor eax, eax  <--- a registration name shorter than 4 characters lands here, skipping the calculation entirely.
:0045A2C2 5A                      pop edx
:0045A2C3 59                      pop ecx
:0045A2C4 59                      pop ecx
:0045A2C5 648910                  mov dword ptr fs:[eax], edx
:0045A2C8 68E2A24500              push 0045A2E2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A2E0(U)
|
:0045A2CD 8D45E4                  lea eax, dword ptr [ebp-1C]
:0045A2D0 BA07000000              mov edx, 00000007
:0045A2D5 E83E93FAFF              call 00403618
:0045A2DA C3                      ret

5) To summarise:
The first segment of the registration code is fixed: "1000-".
The second segment is the decimal sum of the ASCII value of the first character of the registration name plus the ASCII values of the first (length - 1) characters of the name (not sure how to phrase this; I hope everyone can follow).
The third segment consists of the ASCII value of the first character followed by the ASCII value of the fourth character of the registration name.
If that is not clear, look at the algorithm below:
Option Explicit
Sub Main()
   On Error Resume Next
   Dim yourname As String
   Dim i As Integer, s As Long, sn As String
begin:
   yourname = Trim(InputBox("Please enter the registration name; it must be at least four characters.", "Instyler Ex-it! 1.64 Chinese Edition keygen: enter registration name", "AXiang"))
   yourname = StrConv(yourname, vbFromUnicode) ' VB strings are Unicode, so convert to ANSI bytes first (vbFromUnicode = 128)
   If LenB(yourname) < 4 Then MsgBox "Please enter an English name longer than three characters or a Chinese name longer than one character!", 16, "Attention!": GoTo begin
   s = AscB(LeftB(yourname, 1))
   For i = 1 To LenB(yourname) - 1 ' The program actually runs as many rounds as the name has bytes, but the first
       s = s + AscB(MidB(yourname, i, 1))    ' character is processed twice, so it is added once above and one round is dropped here.
   Next i
   sn = "1000-" + CStr(s) + "-" + CStr(AscB(MidB(yourname, 1, 1))) + CStr(AscB(MidB(yourname, 4, 1)))
   ' "1000-" is the fixed prefix built into the program.
   MsgBox "Your registration code is: " + sn + Chr(13) + Chr(10) + "I hope to exchange ideas with everyone; my e-mail is:" + Chr(13) + Chr(10) + _
          "yantuse.student@sina.com", 64, "Congratulations from the author 澀郎!"
   Exit Sub
End Sub
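The routine at 00403970 that the author could not make sense of, and the loop at 0045A21A that calls it, can be checked by modelling them directly from the listing. The following is an added example written for this page, not code from the original post or from the Instyler program: lstr_copy follows the branch structure of 00403970 instruction by instruction, and trace_loop reproduces the counting loop from step 4. Reading the routine as a bounds-clamped substring copy (Delphi-style Copy(S, Index, Count) with EAX=S, EDX=Index, ECX=Count) and the names lstr_copy and trace_loop are this editor's interpretation, not something the page states. The sample name "AXiang" is the default from the VB code above.

```python
# Added example, not part of the original post: a Python model of the string
# routine at 00403970 and of the loop at 0045A20D-0045A240, built from the
# disassembly quoted on this page. The reading of 00403970 as a clamped
# substring copy (Delphi Copy(S, Index, Count)) is an assumption of this editor.

def lstr_copy(src: bytes, index: int, count: int) -> bytes:
    """Model of 00403970: EAX = source string, EDX = 1-based index, ECX = count."""
    if not src:                        # test eax,eax / test ebx,ebx -> empty result
        return b""
    length = len(src)                  # mov ebx,[eax-4]: the string's length field
    start = index - 1                  # dec edx: 1-based index to 0-based offset
    if start < 0:                      # jl 0040399A -> xor edx,edx: index 0 is clamped to 1
        start = 0
    if start >= length:                # cmp edx,ebx / jge -> empty
        return b""
    remaining = length - start         # sub ebx,edx
    if count < 0:                      # test ecx,ecx / jl -> empty
        return b""
    if count > remaining:              # cmp ecx,ebx / jg -> mov ecx,ebx
        count = remaining
    return src[start:start + count]    # add edx,eax, then copy `count` bytes


def trace_loop(name: bytes):
    """Model of 0045A20D-0045A240.

    Returns (the bytes actually summed, the final value of ESI), or None when the
    name is shorter than 4 bytes (cmp eax,4 / jl 0045A2C0 skips the calculation).
    """
    if len(name) < 4:
        return None
    esi = 0                            # xor esi,esi
    edi = 0                            # xor edi,edi
    consumed = bytearray()
    while True:
        ch = lstr_copy(name, edi, 1)   # mov edx,edi / mov ecx,1 / call 00403970
        esi += ch[0]                   # movzx eax,byte ptr [eax] / add esi,eax
        consumed += ch
        edi += 1                       # inc edi
        if edi >= len(name):           # cmp edi,eax / jl 0045A21A
            break
    return bytes(consumed), esi


if __name__ == "__main__":
    # Constructed sample: the default name from the VB code on this page.
    print(trace_loop(b"AXiang"))
```

Because index 0 is clamped to 1 inside lstr_copy, the first round (EDI=0) and the second round (EDI=1) both fetch the first character, and the loop stops when EDI reaches the name length, so the last character is never fetched. That is exactly the "first character counted twice, last character skipped" behaviour the annotations describe, and the same clamping explains why `xor edx,edx` at 0045A262 still yields the first character.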
