【Cracked by】 Bmzy
【Author's homepage】 http://www.9ycn.com/
【Tools used】 OllyDbg v1.10 , PEiD v0.92 , DeDe v3.20.04
【Platform】 WinXP SP2
【Software name】 Hide Window Now V2.5
【Download】 http://www.skycn.com/soft/19655.html
【Software description】 A program for hiding windows.
【Disclaimer】 I'm a newbie; corrections from the experts are welcome.
--------------------------------------------------------------------------------
【Cracking process】
When the program starts it shows a NAG window with the choices "Register" or "Trial". Clicking Register opens the registration dialog.
First, checking with PEiD: written in Delphi, not packed.
Analyzing with DeDe shows a class named TRegisterForm; I guessed that its ImgBtn1Click is the handler for the registration dialog's OK button, at address 474558. Load the program in OD and set a breakpoint at 474558.
Press F9 to run, fill in the user name "Bmzy[PCG]" and the registration code "1234abcd" in the dialog, click OK, and execution stops at 474558.
00474558 PUSH EBP
00474559 MOV EBP,ESP
0047455B MOV ECX,8
00474560 PUSH 0
00474562 PUSH 0
00474564 DEC ECX
00474565 JNZ SHORT HWN.00474560
00474567 PUSH EBX
00474568 MOV EBX,EAX
0047456A XOR EAX,EAX
0047456C PUSH EBP
0047456D PUSH HWN.00474773
00474572 PUSH DWORD PTR FS:[EAX]
00474575 MOV DWORD PTR FS:[EAX],ESP
00474578 LEA EAX,DWORD PTR SS:[EBP-4]
0047457B MOV EDX,HWN.00474788 ; ASCII 0D," Name is "
00474580 CALL HWN.004040D0
00474585 LEA EAX,DWORD PTR SS:[EBP-8]
00474588 MOV EDX,HWN.004747AC ; ASCII "Thank you for buying our software . Please restart Hide Window Now."
0047458D CALL HWN.004040D0
00474592 LEA EAX,DWORD PTR SS:[EBP-C]
00474595 MOV EDX,HWN.004747FC ; ASCII "The Key you entered appears to be invalid."
0047459A CALL HWN.004040D0
0047459F LEA EDX,DWORD PTR SS:[EBP-14] ; the code above only loads strings; it has nothing to do with the validation
004745A2 MOV EAX,DWORD PTR DS:[EBX+300]
004745A8 CALL HWN.0044BE1C
004745AD MOV EAX,DWORD PTR SS:[EBP-14]
004745B0 CALL HWN.0046F038
004745B5 AND AL,BYTE PTR DS:[478D60]
004745BB JE SHORT HWN.004745C7
004745BD MOV EDX,EBX
004745BF MOV EAX,DWORD PTR SS:[EBP-4]
004745C2 CALL HWN.0046FCA0
004745C7 CMP BYTE PTR DS:[478D60],0
004745CE JE SHORT HWN.004745DA
004745D0 MOV EDX,EBX
004745D2 MOV EAX,DWORD PTR SS:[EBP-8]
004745D5 CALL HWN.0046FCA0
004745DA CMP BYTE PTR DS:[478D60],0
004745E1 JE SHORT HWN.00474607
004745E3 LEA EDX,DWORD PTR SS:[EBP-18]
004745E6 MOV EAX,DWORD PTR DS:[EBX+300]
004745EC CALL HWN.0044BE1C
004745F1 MOV EAX,DWORD PTR SS:[EBP-18]
004745F4 CALL HWN.0046F038
004745F9 TEST AL,AL
004745FB JE SHORT HWN.00474607
004745FD MOV EDX,EBX
004745FF MOV EAX,DWORD PTR SS:[EBP-C]
00474602 CALL HWN.0046FCA0
00474607 LEA EDX,DWORD PTR SS:[EBP-1C]
0047460A MOV EAX,HWN.00474830 ; ASCII "!!!!!O`ld!hr!sdpthsde/!!!"
0047460F CALL HWN.0046F3B4
00474614 MOV ECX,DWORD PTR SS:[EBP-1C]
00474617 MOV EAX,HWN.00478D54
0047461C MOV EDX,HWN.00474854
00474621 CALL HWN.00404344
00474626 LEA EDX,DWORD PTR SS:[EBP-20]
00474629 MOV EAX,HWN.00474860 ; ASCII "Ui`oj!xnt!gns!ctxhof!nts!"
0047462E CALL HWN.0046F3B4
00474633 PUSH DWORD PTR SS:[EBP-20]
00474636 PUSH HWN.00474854
0047463B LEA EDX,DWORD PTR SS:[EBP-24]
0047463E MOV EAX,HWN.00474884 ; ASCII "rnguv`sd!/!Qmd`rd!sdru`su!"
00474643 CALL HWN.0046F3B4
00474648 PUSH DWORD PTR SS:[EBP-24]
0047464B PUSH HWN.00474854
00474650 LEA EDX,DWORD PTR SS:[EBP-28]
00474653 MOV EAX,HWN.004748A8 ; ASCII "Ihed!Vhoenv!Onv/!;!("
00474658 CALL HWN.0046F3B4
0047465D PUSH DWORD PTR SS:[EBP-28]
00474660 MOV EAX,HWN.00478D58
00474665 MOV EDX,5
0047466A CALL HWN.004043B8
0047466F LEA EDX,DWORD PTR SS:[EBP-2C]
00474672 MOV EAX,HWN.004748C8 ; ASCII "Uid!Jdx!xnt!doudsde!`qqd`sr"
00474677 CALL HWN.0046F3B4
0047467C PUSH DWORD PTR SS:[EBP-2C]
0047467F PUSH HWN.00474854
00474684 LEA EDX,DWORD PTR SS:[EBP-30]
00474687 MOV EAX,HWN.004748EC ; ASCII "un!cd!how`mhe/"
0047468C CALL HWN.0046F3B4
00474691 PUSH DWORD PTR SS:[EBP-30] ; the strings above have nothing to do with the validation
00474694 MOV EAX,HWN.00478D5C
00474699 MOV EDX,3
0047469E CALL HWN.004043B8
004746A3 LEA EDX,DWORD PTR SS:[EBP-34]
004746A6 MOV EAX,DWORD PTR DS:[EBX+304]
004746AC CALL HWN.0044BE1C
004746B1 CMP DWORD PTR SS:[EBP-34],0
004746B5 JNZ SHORT HWN.004746C5
004746B7 MOV EDX,EBX
004746B9 MOV EAX,DWORD PTR DS:[478D54]
004746BE CALL HWN.0046FCA0
004746C3 JMP SHORT HWN.00474731
004746C5 LEA EDX,DWORD PTR SS:[EBP-38]
004746C8 MOV EAX,DWORD PTR DS:[EBX+300]
004746CE CALL HWN.0044BE1C
004746D3 MOV EAX,DWORD PTR SS:[EBP-38]
004746D6 LEA EDX,DWORD PTR SS:[EBP-D]
004746D9 CALL HWN.0046FD10 ; after this CALL, the code decides whether to show the "registered" or the "invalid" message
004746DE TEST AL,AL
004746E0 JE SHORT HWN.00474725
004746E2 LEA EDX,DWORD PTR SS:[EBP-3C]
004746E5 MOV EAX,DWORD PTR DS:[EBX+300]
004746EB CALL HWN.0044BE1C
004746F0 MOV EAX,DWORD PTR SS:[EBP-3C]
004746F3 PUSH EAX
004746F4 LEA EDX,DWORD PTR SS:[EBP-40]
004746F7 MOV EAX,DWORD PTR DS:[EBX+304]
004746FD CALL HWN.0044BE1C
00474702 MOV EAX,DWORD PTR SS:[EBP-40]
00474705 POP EDX
00474706 CALL HWN.0046FB5C
0047470B MOV EDX,EBX
0047470D MOV EAX,DWORD PTR DS:[478D58]
00474712 CALL HWN.0046FCA0 ; by changing the jump above, I found that executing this CALL shows the registration-successful message
00474717 MOV EAX,DWORD PTR DS:[477268]
0047471C MOV EAX,DWORD PTR DS:[EAX]
0047471E CALL HWN.0046BB88
00474723 JMP SHORT HWN.00474731
00474725 MOV EDX,EBX
00474727 MOV EAX,DWORD PTR DS:[478D5C]
0047472C CALL HWN.0046FCA0 ; stepping through, executing this CALL shows the registration-error message
00474731 XOR EAX,EAX
00474733 POP EDX
00474734 POP ECX
00474735 POP ECX
00474736 MOV DWORD PTR FS:[EAX],EDX
00474739 PUSH HWN.0047477A
0047473E LEA EAX,DWORD PTR SS:[EBP-40]
00474741 MOV EDX,4
00474746 CALL HWN.0040405C
0047474B LEA EAX,DWORD PTR SS:[EBP-30]
0047474E MOV EDX,6
00474753 CALL HWN.0040405C
00474758 LEA EAX,DWORD PTR SS:[EBP-18]
0047475B MOV EDX,2
00474760 CALL HWN.0040405C
00474765 LEA EAX,DWORD PTR SS:[EBP-C]
00474768 MOV EDX,3
0047476D CALL HWN.0040405C
00474772 RETN
00474773 JMP HWN.00403A3C
00474778 JMP SHORT HWN.0047473E
0047477A POP EBX
0047477B MOV ESP,EBP
0047477D POP EBP
0047477E RETN
-------------------------------------------------------------------------------------------
At this level of the call, execution first reached 47472C and showed the registration-error message. Analyzing upward, I found the CALL at 4746D9 and the jump just below it.
Re-entering with a breakpoint at 4746D9, pressing F8, and flipping the flag at 4746E0 so that it does not jump, execution reaches the CALL at 474712 and shows the
registration-successful message. So the CALL 46FD10 at 4746D9 is the validation routine; let's step into it and analyze it.
-------------------------------------------------------------------------------------------
Re-enter, set a breakpoint at 4746D9, and press F7 to step into the call
0046FD10 PUSH EBP
0046FD11 MOV EBP,ESP
0046FD13 MOV ECX,7
0046FD18 PUSH 0 ; this loop reserves 14 temporaries on the stack, initialised to 0;
0046FD1A PUSH 0 ; the code below makes heavy use of them for its calculations.
0046FD1C DEC ECX ; in OD's watch window, set "string[[EBP-04]]"
0046FD1D JNZ SHORT HWN.0046FD18 ; through "string[[EBP-38]]" so that the changes
0046FD1F PUSH EBX ; to these variables are easy to follow
0046FD20 PUSH ESI
0046FD21 PUSH EDI
0046FD22 MOV ESI,EDX
0046FD24 MOV DWORD PTR SS:[EBP-4],EAX
0046FD27 MOV EAX,DWORD PTR SS:[EBP-4]
0046FD2A CALL HWN.004044E8 ; after this call, [EBP-4] holds the pointer to the
0046FD2F XOR EAX,EAX ; registration-code string; the string has been obtained
0046FD31 PUSH EBP
0046FD32 PUSH HWN.0046FEF2
0046FD37 PUSH DWORD PTR FS:[EAX]
0046FD3A MOV DWORD PTR FS:[EAX],ESP
0046FD3D MOV BYTE PTR DS:[ESI],0
0046FD40 XOR EBX,EBX
0046FD42 XOR EAX,EAX
0046FD44 PUSH EBP
0046FD45 PUSH HWN.0046FECB
0046FD4A PUSH DWORD PTR FS:[EAX]
0046FD4D MOV DWORD PTR FS:[EAX],ESP
0046FD50 CMP DWORD PTR SS:[EBP-4],0 ; check: the string length must not be 0
0046FD54 JE HWN.0046FEC1
0046FD5A MOV EAX,DWORD PTR SS:[EBP-4]
0046FD5D CALL HWN.004044F8
0046FD62 CALL HWN.00408AA0 ; this CALL converts the whole string to upper case
0046FD67 MOV EDX,EAX
0046FD69 LEA EAX,DWORD PTR SS:[EBP-8]
0046FD6C CALL HWN.00404230 ; this CALL copies the string and stores the pointer in [EBP-8]
0046FD71 LEA EAX,DWORD PTR SS:[EBP-C]
0046FD74 MOV EDX,DWORD PTR SS:[EBP-8]
0046FD77 MOV DL,BYTE PTR DS:[EDX+2]
0046FD7A CALL HWN.00404220 ; from here, 404220 is called four times in a row with three
0046FD7F LEA EAX,DWORD PTR SS:[EBP-10] ; arguments: [EBP-8] every time (the pointer to the copied
0046FD82 MOV EDX,DWORD PTR SS:[EBP-8] ; registration code), the pointer for the returned string,
0046FD85 MOV DL,BYTE PTR DS:[EDX+6] ; and the character to copy. The four calls copy the characters
0046FD88 CALL HWN.00404220 ; at offsets 0x2, 0x6, 0xA and 0x10 of the code and store the
0046FD8D LEA EAX,DWORD PTR SS:[EBP-14] ; pointers in [EBP-C], [EBP-10], [EBP-14] and [EBP-18]
0046FD90 MOV EDX,DWORD PTR SS:[EBP-8]
0046FD93 MOV DL,BYTE PTR DS:[EDX+A]
0046FD96 CALL HWN.00404220
0046FD9B LEA EAX,DWORD PTR SS:[EBP-18]
0046FD9E MOV EDX,DWORD PTR SS:[EBP-8]
0046FDA1 MOV DL,BYTE PTR DS:[EDX+10]
0046FDA4 CALL HWN.00404220
0046FDA9 LEA EAX,DWORD PTR SS:[EBP-2C]
0046FDAC MOV EDX,DWORD PTR SS:[EBP-8]
0046FDAF MOV DL,BYTE PTR DS:[EDX+7]
0046FDB2 CALL HWN.00404220 ; from here, CALL 404220 and CALL 46F2F4 are called as a pair,
0046FDB7 MOV EAX,DWORD PTR SS:[EBP-2C] ; four times. Tracing shows CALL 404220 behaves as above, copying
0046FDBA LEA EDX,DWORD PTR SS:[EBP-1C] ; the characters at offsets 0x7, 0xB, 0x12 and 0x3 and storing the
0046FDBD CALL HWN.0046F2F4 ; pointers in [EBP-2C], [EBP-30], [EBP-34] and [EBP-38],
0046FDC2 LEA EAX,DWORD PTR SS:[EBP-30] ; while CALL 46F2F4 transforms the character CALL 404220 just
0046FDC5 MOV EDX,DWORD PTR SS:[EBP-8] ; copied and stores the pointers in [EBP-1C], [EBP-20], [EBP-24]
0046FDC8 MOV DL,BYTE PTR DS:[EDX+B] ; and [EBP-28]
0046FDCB CALL HWN.00404220
0046FDD0 MOV EAX,DWORD PTR SS:[EBP-30]
0046FDD3 LEA EDX,DWORD PTR SS:[EBP-20]
0046FDD6 CALL HWN.0046F2F4
0046FDDB LEA EAX,DWORD PTR SS:[EBP-34]
0046FDDE MOV EDX,DWORD PTR SS:[EBP-8]
0046FDE1 MOV DL,BYTE PTR DS:[EDX+12]
0046FDE4 CALL HWN.00404220
0046FDE9 MOV EAX,DWORD PTR SS:[EBP-34]
0046FDEC LEA EDX,DWORD PTR SS:[EBP-24]
0046FDEF CALL HWN.0046F2F4
0046FDF4 LEA EAX,DWORD PTR SS:[EBP-38]
0046FDF7 MOV EDX,DWORD PTR SS:[EBP-8]
0046FDFA MOV DL,BYTE PTR DS:[EDX+3]
0046FDFD CALL HWN.00404220
0046FE02 MOV EAX,DWORD PTR SS:[EBP-38]
0046FE05 LEA EDX,DWORD PTR SS:[EBP-28]
0046FE08 CALL HWN.0046F2F4
0046FE0D MOV EAX,DWORD PTR SS:[EBP-8]
0046FE10 CALL HWN.004042F8
0046FE15 CMP EAX,13 ; the string length must be 0x13, i.e. 19 characters
0046FE18 JNZ HWN.0046FEC1
0046FE1E MOV EAX,DWORD PTR SS:[EBP-C] ; the four CALL 404444 below are comparisons: each compares one of
0046FE21 MOV EDX,DWORD PTR SS:[EBP-1C] ; the four characters fetched by CALL 404220 with the corresponding
0046FE24 CALL HWN.00404444 ; one produced by CALL 46F2F4; if they differ, jump to 46FEC1: bad code
0046FE29 JNZ HWN.0046FEC1
0046FE2F MOV EAX,DWORD PTR SS:[EBP-10]
0046FE32 MOV EDX,DWORD PTR SS:[EBP-20]
0046FE35 CALL HWN.00404444
0046FE3A JNZ HWN.0046FEC1
0046FE40 MOV EAX,DWORD PTR SS:[EBP-14]
0046FE43 MOV EDX,DWORD PTR SS:[EBP-24]
0046FE46 CALL HWN.00404444
0046FE4B JNZ SHORT HWN.0046FEC1
0046FE4D MOV EAX,DWORD PTR SS:[EBP-18]
0046FE50 MOV EDX,DWORD PTR SS:[EBP-28]
0046FE53 CALL HWN.00404444
0046FE58 JNZ SHORT HWN.0046FEC1
0046FE5A MOV EAX,DWORD PTR SS:[EBP-8] ; from here on, fixed positions of the registration code are compared
0046FE5D CMP BYTE PTR DS:[EAX],41 ; with fixed characters; if any differs, jump to 46FEC1: bad code
0046FE60 JNZ SHORT HWN.0046FEC1
0046FE62 MOV EAX,DWORD PTR SS:[EBP-8]
0046FE65 CMP BYTE PTR DS:[EAX+1],31
0046FE69 JNZ SHORT HWN.0046FEC1
0046FE6B MOV EAX,DWORD PTR SS:[EBP-8]
0046FE6E CMP BYTE PTR DS:[EAX+4],2D
0046FE72 JNZ SHORT HWN.0046FEC1
0046FE74 MOV EAX,DWORD PTR SS:[EBP-8]
0046FE77 CMP BYTE PTR DS:[EAX+5],57
0046FE7B JNZ SHORT HWN.0046FEC1
0046FE7D MOV EAX,DWORD PTR SS:[EBP-8]
0046FE80 CMP BYTE PTR DS:[EAX+8],46
0046FE84 JNZ SHORT HWN.0046FEC1
0046FE86 MOV EAX,DWORD PTR SS:[EBP-8]
0046FE89 CMP BYTE PTR DS:[EAX+9],2D
0046FE8D JNZ SHORT HWN.0046FEC1
0046FE8F MOV EAX,DWORD PTR SS:[EBP-8]
0046FE92 CMP BYTE PTR DS:[EAX+C],53
0046FE96 JNZ SHORT HWN.0046FEC1
0046FE98 MOV EAX,DWORD PTR SS:[EBP-8]
0046FE9B CMP BYTE PTR DS:[EAX+D],52
0046FE9F JNZ SHORT HWN.0046FEC1
0046FEA1 MOV EAX,DWORD PTR SS:[EBP-8]
0046FEA4 CMP BYTE PTR DS:[EAX+E],2D
0046FEA8 JNZ SHORT HWN.0046FEC1
0046FEAA MOV EAX,DWORD PTR SS:[EBP-8]
0046FEAD CMP BYTE PTR DS:[EAX+F],43
0046FEB1 JNZ SHORT HWN.0046FEC1
0046FEB3 MOV EAX,DWORD PTR SS:[EBP-8]
0046FEB6 CMP BYTE PTR DS:[EAX+11],5A
0046FEBA JNZ SHORT HWN.0046FEC1
0046FEBC MOV BYTE PTR DS:[ESI],1
0046FEBF MOV BL,1 ; if the code is correct, execution reaches here and BL is set to 1;
0046FEC1 XOR EAX,EAX ; at 46FEF9 EBX is moved into EAX as the return value. For a bad code,
0046FEC3 POP EDX ; zero is returned at the end
0046FEC4 POP ECX
0046FEC5 POP ECX
0046FEC6 MOV DWORD PTR FS:[EAX],EDX
0046FEC9 JMP SHORT HWN.0046FED7
0046FECB JMP HWN.00403788
0046FED0 XOR EBX,EBX
0046FED2 CALL HWN.00403AF0
0046FED7 XOR EAX,EAX
0046FED9 POP EDX
0046FEDA POP ECX
0046FEDB POP ECX
0046FEDC MOV DWORD PTR FS:[EAX],EDX
0046FEDF PUSH HWN.0046FEF9
0046FEE4 LEA EAX,DWORD PTR SS:[EBP-38]
0046FEE7 MOV EDX,0E
0046FEEC CALL HWN.0040405C
0046FEF1 RETN
0046FEF2 JMP HWN.00403A3C
0046FEF7 JMP SHORT HWN.0046FEE4
0046FEF9 MOV EAX,EBX
0046FEFB POP EDI
0046FEFC POP ESI
0046FEFD POP EBX
0046FEFE MOV ESP,EBP
0046FF00 POP EBP
0046FF01 RETN
-------------------------------------------------------------------------------------------
At this level we can already see the outline of the registration-code validation:
1. The code must be 19 characters long.
2. Characters 3, 7, 11 and 17 of the code are compared with characters 8, 12, 19 and 4 after the latter have been transformed by function 46F2F4.
3. Characters 1, 2, 5, 6, 9, 10, 13, 14, 15, 16 and 18 are compared with specific characters.
The structure of the validation is basically understood; the only unknown is how CALL 46F2F4 transforms a character, so let's trace into it.
-------------------------------------------------------------------------------------------
Set a breakpoint and step in
0046F2F4 PUSH EBP
0046F2F5 MOV EBP,ESP
0046F2F7 ADD ESP,-0C
0046F2FA PUSH EBX
0046F2FB PUSH ESI
0046F2FC PUSH EDI
0046F2FD MOV DWORD PTR SS:[EBP-8],EDX
0046F300 MOV DWORD PTR SS:[EBP-4],EAX
0046F303 MOV EAX,DWORD PTR SS:[EBP-4]
0046F306 CALL HWN.004044E8
0046F30B XOR EAX,EAX
0046F30D PUSH EBP
0046F30E PUSH HWN.0046F396
0046F313 PUSH DWORD PTR FS:[EAX]
0046F316 MOV DWORD PTR FS:[EAX],ESP
0046F319 MOV ESI,1
0046F31E MOV EAX,DWORD PTR SS:[EBP-4]
0046F321 CALL HWN.004042F8
0046F326 MOV EDI,EAX
0046F328 TEST EDI,EDI
0046F32A JLE SHORT HWN.0046F375
0046F32C MOV EBX,1
0046F331 MOV EAX,DWORD PTR SS:[EBP-4] ; the loop from here to 46F373 is the key part
0046F334 MOV AL,BYTE PTR DS:[EAX+EBX-1] ; fetch a character of the string passed in
0046F338 AND AL,0F ; AND with 0F: keep only the low 4 bits
0046F33A MOV EDX,HWN.0046F3AC ; ASCII "anloer" (this comment was added by OD's auto-analysis)
0046F33F MOV DL,BYTE PTR DS:[EDX+ESI-1] ; fetch one character of "anloer" (always "a", because each call goes through the loop only once)
0046F343 AND DL,0F ; AND with 0F: take the low 4 bits
0046F346 XOR AL,DL ; XOR the character's low four bits with the low four bits of "a"
0046F348 MOV BYTE PTR SS:[EBP-9],AL ; store the result in temporary [EBP-9]
0046F34B LEA EAX,DWORD PTR SS:[EBP-4]
0046F34E CALL HWN.00404550
0046F353 MOV EDX,DWORD PTR SS:[EBP-4]
0046F356 MOV DL,BYTE PTR DS:[EDX+EBX-1] ; fetch the character again
0046F35A AND DL,0F0 ; AND with F0: keep only the high 4 bits
0046F35D MOV CL,BYTE PTR SS:[EBP-9] ; load the XOR result from [EBP-9] into CL
0046F360 ADD DL,CL ; add it to the character's high 4 bits
0046F362 MOV BYTE PTR DS:[EAX+EBX-1],DL ; save the result
0046F366 INC ESI
0046F367 CMP ESI,6
0046F36A JLE SHORT HWN.0046F371
0046F36C MOV ESI,1
0046F371 INC EBX
0046F372 DEC EDI
0046F373 JNZ SHORT HWN.0046F331 ; loop. The loop body would process a whole string character by
0046F375 MOV EAX,DWORD PTR SS:[EBP-8] ; character against "anloer", but during validation every call to this
0046F378 MOV EDX,DWORD PTR SS:[EBP-4] ; function passes a single-character string, so it never repeats: one pass only
0046F37B CALL HWN.0040408C
0046F380 XOR EAX,EAX
0046F382 POP EDX
0046F383 POP ECX
0046F384 POP ECX
0046F385 MOV DWORD PTR FS:[EAX],EDX
0046F388 PUSH HWN.0046F39D
0046F38D LEA EAX,DWORD PTR SS:[EBP-4]
0046F390 CALL HWN.00404038
0046F395 RETN
0046F396 JMP HWN.00403A3C
0046F39B JMP SHORT HWN.0046F38D
0046F39D POP EDI
0046F39E POP ESI
0046F39F POP EBX
0046F3A0 MOV ESP,EBP
0046F3A2 POP EBP
0046F3A3 RETN
-------------------------------------------------------------------------------------------
Good, function 46F2F4 is now clear too: it XORs the low four bits of the incoming character with the low four bits of the character "a", and that is the whole transformation.
Using the recovered algorithm I worked out a usable registration code: A1ED-WEDF-EDSR-CEZD. Entered it, and registration succeeded!
--------------------------------------------------------------------------------
【Summary】
The registration-code validation algorithm is as follows:
1. The code must be 19 characters long.
2. For characters 8, 12, 19 and 4 of the code, XOR the low four bits with the low four bits of the character "a", leaving the high four bits unchanged; the results
are compared for equality with characters 3, 7, 11 and 17 respectively.
3. Characters 1, 2, 5, 6, 9, 10, 13, 14, 15, 16 and 18 of the code are compared with "A, 1, -, W, F, -, S, R, -, C, Z".
The user name does not take part in the validation. After successful registration the information is stored encrypted in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Anloer
Software\Hide Window Now\ in a value named SN; deleting it returns the program to the unregistered state. Function 46FD10 is the validation function; if the registry
value exists, the program also calls it at startup to decide whether to show the NAG window.
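To confirm that the analysis above is complete, the two routines it recovers can be re-implemented and run against the code the write-up says was accepted. The Python below is an added example written for this page; it is not the program's own code and not the author's. The function names (transform_46f2f4, check_key_46fd10) and the table names are my own. The transform follows the loop at 46F331-46F373 as written, cycling ESI through "anloer" for longer strings even though the validator only ever passes single characters, so the general behaviour of the loop that the write-up describes is covered too.

```python
# Added example (not from the write-up or the program): re-implementation of
# the 46F2F4 nibble transform and the 46FD10 registration-code check.

ANLOER = b"anloer"  # the table at 0046F3AC that ESI indexes (1..6, wrapping)


def transform_46f2f4(s: bytes) -> bytes:
    """The loop at 0046F331-0046F373, generalised to a string of any length.

    For each byte c and table byte t = ANLOER[i % 6]:
        low  = (c & 0x0F) ^ (t & 0x0F)    # AND AL,0F / AND DL,0F / XOR AL,DL
        high =  c & 0xF0                  # AND DL,0F0
        out  = high + low                 # ADD DL,CL
    The validator only passes one-character strings, so ESI stays at 1,
    t is always "a" (0x61, low nibble 1) and the transform reduces to c ^ 1.
    """
    out = bytearray()
    for i, c in enumerate(s):
        t = ANLOER[i % len(ANLOER)]
        out.append((c & 0xF0) + ((c & 0x0F) ^ (t & 0x0F)))
    return bytes(out)


# 0-based offset -> expected byte, from the CMP BYTE PTR chain at 0046FE5A-0046FEBA
FIXED_BYTES = {
    0x0: 0x41, 0x1: 0x31, 0x4: 0x2D, 0x5: 0x57, 0x8: 0x46, 0x9: 0x2D,
    0xC: 0x53, 0xD: 0x52, 0xE: 0x2D, 0xF: 0x43, 0x11: 0x5A,
}

# (a, b) pairs from the four CALL 404444 compares: key[a] must equal transform(key[b])
PAIRED_OFFSETS = [(0x2, 0x7), (0x6, 0xB), (0xA, 0x12), (0x10, 0x3)]


def check_key_46fd10(key: str) -> bool:
    """Mirror of 0046FD10: True iff the registration code would be accepted."""
    s = key.encode("ascii", "replace").upper()  # CALL 408AA0 uppercases first
    if len(s) == 0:                              # CMP DWORD PTR [EBP-4],0
        return False
    if len(s) != 0x13:                           # CMP EAX,13 (19 characters);
        return False                             # checked first here so no offset is out of range
    for a, b in PAIRED_OFFSETS:                  # the four CALL 404444 compares
        if s[a:a + 1] != transform_46f2f4(s[b:b + 1]):
            return False
    for off, expected in FIXED_BYTES.items():    # the fixed-character compares
        if s[off] != expected:
            return False
    return True


if __name__ == "__main__":
    # The code the write-up reports as accepted; the lowercase form passes too
    # because the routine uppercases its input before checking.
    for candidate in ("A1ED-WEDF-EDSR-CEZD", "a1ed-wedf-edsr-cezd", "1234abcd"):
        print(candidate, "->", check_key_46fd10(candidate))
```

Running it prints True for the first two inputs and False for "1234abcd", the value typed in at the start of the write-up. Because every paired comparison only involves a one-byte string, the "anloer" table contributes just its first byte, which is why the transform collapses to flipping the lowest bit of the character.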