[Author of crack] xsy3660
[Software] 家庭银行家 (Home Banker) 2.0 alpha build 43
[Software description] This is a home finance software project. The names we used before were "欢乐家庭-理财软件" (Happy Family finance software) and "M99 家庭理财软件" (M99 home finance software); it has now been renamed "家庭银行家" (Home Banker), in the hope that it helps you keep your accounts and manage your money.
[Cracking process] First a look: no packer, written in Delphi, one step saved, haha. First use DeDe to get the map file and import it into OD, enter a registration, and it says "failed". Search the strings; analysis shows that a registration code is computed from the registration name and then compared with the fake code: if they match, registration succeeds, otherwise it fails. The process is as follows. (Whoa, it's 12:30, I've only just stretched!)
I have been learning cracking for a little over two months, and after reading here I also went through some of the software I use regularly. Two days ago I saw a friend here crack a Delphi program, and I happened to have one, so I gave it a try. It was hard work: it took two days of careful study, but I finally figured out the whole algorithm.
006AFF08 >/. 55 push ebp ; <-TfrmReg@btnRegClick
006AFF09 |. 8BEC mov ebp,esp
006AFF0B |. 6A 00 push 0
006AFF0D |. 6A 00 push 0
006AFF0F |. 53 push ebx
006AFF10 |. 8BD8 mov ebx,eax
006AFF12 |. 33C0 xor eax,eax
006AFF14 |. 55 push ebp
006AFF15 |. 68 B7FF6A00 push <HOMEBANK.->system.@HandleFinally;>
006AFF1A |. 64:FF30 push dword ptr fs:[eax]
006AFF1D |. 64:8920 mov dword ptr fs:[eax],esp
006AFF20 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
006AFF23 >|. 8B83 04030000 mov eax,dword ptr ds:[ebx+304] ; *TfrmReg.txtRegCode:TEdit
006AFF29 >|. E8 029CD8FF call HOMEBANK.00439B30 ; ->controls.TControl.GetText(TControl):TCaption;
006AFF2E |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
006AFF31 |. 50 push eax
006AFF32 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
006AFF35 >|. 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC] ; *TfrmReg.txtRegUser:TEdit
006AFF3B >|. E8 F09BD8FF call HOMEBANK.00439B30 ; ->controls.TControl.GetText(TControl):TCaption;
006AFF40 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
006AFF43 |. 33C9 xor ecx,ecx
006AFF45 >|. 8B83 D0020000 mov eax,dword ptr ds:[ebx+2D0] ; *TfrmReg.Reg:TfrmReg
006AFF4B >|. E8 0CCBFFFF call HOMEBANK.006ACA5C ; ->:TRegwareII._PROC_006ACA5C() \\ key call, go in!
006AFF50 |. 84C0 test al,al
006AFF52 |. 75 1A jnz short <HOMEBANK.*TfrmReg.Reg:TfrmReg>
006AFF54 |. 6A 10 push 10
006AFF56 |. B9 C4FF6A00 mov ecx,HOMEBANK.006AFFC4 ;ASCII "家庭银行家"
006AFF5B |. BA D0FF6A00 mov edx,HOMEBANK.006AFFD0
006AFF60 |. A1 C81E6E00 mov eax,dword ptr ds:[6E1EC8]
006AFF65 |. 8B00 mov eax,dword ptr ds:[eax]
006AFF67 >|. E8 D892DAFF call HOMEBANK.00459244 ; ->forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
006AFF6C |. EB 2E jmp short HOMEBANK.006AFF9C
006AFF6E >|> 8B83 D0020000 mov eax,dword ptr ds:[ebx+2D0] ; *TfrmReg.Reg:TfrmReg
006AFF74 >|. E8 C7C7FFFF call HOMEBANK.006AC740 ; ->:TRegwareII._PROC_006AC740()
006AFF79 |. 84C0 test al,al
006AFF7B |. 74 1F je short HOMEBANK.006AFF9C
006AFF7D |. 6A 40 push 40
006AFF7F |. B9 C4FF6A00 mov ecx,HOMEBANK.006AFFC4 ; ASCII "家庭银行家"
006AFF84 |. BA FCFF6A00 mov edx,HOMEBANK.006AFFFC ; ASCII "注册成功,谢谢。" ; look back up: where was this jumped over?
006AFF89 |. A1 C81E6E00 mov eax,dword ptr ds:[6E1EC8]
006AFF8E |. 8B00 mov eax,dword ptr ds:[eax]
006AFF90 >|. E8 AF92DAFF call HOMEBANK.00459244 ; ->forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
006AFF95 |. 8BC3 mov eax,ebx
006AFF97 >|. E8 9C57DAFF call HOMEBANK.00455738 ; ->forms.TCustomForm.Close(TCustomForm);
006AFF9C |> 33C0 xor eax,eax
006AFF9E |. 5A pop edx
006AFF9F |. 59 pop ecx
006AFFA0 |. 59 pop ecx
006AFFA1 |. 64:8910 mov dword ptr fs:[eax],edx
006AFFA4 |. 68 BEFF6A00 push HOMEBANK.006AFFBE
006AFFA9 |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
006AFFAC |. BA 02000000 mov edx,2
006AFFB1 >|. E8 0A41D5FF call HOMEBANK.004040C0 ; ->system.@LStrArrayClr;
006AFFB6 \. C3 retn
----------------------------------------------------------------------------------------------
006AFF4B >|. E8 0CCBFFFF call HOMEBANK.006ACA5C
006ACA5C /$ 55 push ebp
006ACA5D |. 8BEC mov ebp,esp
006ACA5F |. 83C4 F0 add esp,-10
006ACA62 |. 53 push ebx
.......
.......
006ACA8D |. 55 push ebp
006ACA8E |. 68 46CB6A00 push HOMEBANK.006ACB46
006ACA93 |. 64:FF30 push dword ptr fs:[eax]
006ACA96 |. 64:8920 mov dword ptr fs:[eax],esp
006ACA99 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
006ACA9C |. E8 7B78D5FF call HOMEBANK.0040431C ; check whether the registration name is empty
006ACAA1 |. 3B43 3C cmp eax,dword ptr ds:[ebx+3C]
006ACAA4 |. 7F 19 jg short HOMEBANK.006ACABF
006ACAA6 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
006ACAA9 |. E8 6E78D5FF call HOMEBANK.0040431C
006ACAAE |. 3B43 40 cmp eax,dword ptr ds:[ebx+40]
006ACAB1 |. 7C 0C jl short HOMEBANK.006ACABF
006ACAB3 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
006ACAB6 |. E8 6178D5FF call HOMEBANK.0040431C ; check whether the fake code is empty
006ACABB |. 85C0 test eax,eax
006ACABD |. 75 04 jnz short HOMEBANK.006ACAC3
006ACABF |> 33DB xor ebx,ebx
006ACAC1 |. EB 60 jmp short HOMEBANK.006ACB23
006ACAC3 |> 8D55 F4 lea edx,dword ptr ss:[ebp-C]
006ACAC6 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
006ACAC9 |. E8 C2D2D5FF call HOMEBANK.00409D90 ; convert lowercase letters in the fake code to uppercase
006ACACE |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
006ACAD1 |. 8D45 08 lea eax,dword ptr ss:[ebp+8]
006ACAD4 |. E8 5B76D5FF call HOMEBANK.00404134
006ACAD9 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; zero it
006ACADC |. 8B55 FC mov edx,dword ptr ss:[ebp-4] ; registration name into edx
006ACADF |. 8BC3 mov eax,ebx
006ACAE1 |. E8 66FCFFFF call HOMEBANK.006AC74C ; key call, go in
006ACAE6 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; real code into eax
006ACAE9 |. 8B55 08 mov edx,dword ptr ss:[ebp+8] ; fake code into edx
006ACAEC |. E8 17D3D5FF call HOMEBANK.00409E08 ; compare
006ACAF1 |. 85C0 test eax,eax
006ACAF3 |. 74 04 je short HOMEBANK.006ACAF9 ; if they differ, fail
006ACAF5 |. 33DB xor ebx,ebx
006ACAF7 |. EB 2A jmp short HOMEBANK.006ACB23
006ACAF9 |> 8D43 38 lea eax,dword ptr ds:[ebx+38]
006ACAFC |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
006ACAFF |. E8 EC75D5FF call HOMEBANK.004040F0
006ACB04 |. 8D43 44 lea eax,dword ptr ds:[ebx+44]
006ACB07 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
006ACB0A |. E8 E175D5FF call HOMEBANK.004040F0
006ACB0F |. 8D43 4C lea eax,dword ptr ds:[ebx+4C]
006ACB12 |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
006ACB15 |. E8 D675D5FF call HOMEBANK.004040F0
006ACB1A |. 8BC3 mov eax,ebx
006ACB1C |. E8 B7010000 call HOMEBANK.006ACCD8
006ACB21 |. B3 01 mov bl,1
006ACB23 |> 33C0 xor eax,eax
006ACB25 |. 5A pop edx
006ACB26 |. 59 pop ecx
006ACB27 |. 59 pop ecx
006ACB28 |. 64:8910 mov dword ptr fs:[eax],edx
006ACB2B |. 68 4DCB6A00 push HOMEBANK.006ACB4D
006ACB30 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
006ACB33 |. BA 04000000 mov edx,4
006ACB38 |. E8 8375D5FF call HOMEBANK.004040C0
006ACB3D |. 8D45 08 lea eax,dword ptr ss:[ebp+8]
006ACB40 |. E8 5775D5FF call HOMEBANK.0040409C
006ACB45 \. C3 retn
------------------------------------------------------------------------------- the core!!!!
006ACAE1 |. E8 66FCFFFF call HOMEBANK.006AC74C
a section omitted
006AC794 |> \8BC7 mov eax,edi
006AC796 |. E8 0179D5FF call HOMEBANK.0040409C
006AC79B |. E9 9F000000 jmp HOMEBANK.006AC83F
006AC7A0 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
006AC7A3 |. E8 747BD5FF call HOMEBANK.0040431C
006AC7A8 |. 8BD8 mov ebx,eax
006AC7AA |. EB 31 jmp short HOMEBANK.006AC7DD
006AC7AC |> /8B45 FC /mov eax,dword ptr ss:[ebp-4] ; take the characters of the registration name one at a time from the end backwards; each goes through the computation below, and the loop yields a string of numbers
006AC7AF |. |8A4418 FF |mov al,byte ptr ds:[eax+ebx-1] ; take one character of the registration name
006AC7B3 |. |25 FF000000 |and eax,0FF ; clear the high bits
006AC7B8 |. |33D2 |xor edx,edx ; zero
006AC7BA |. |52 |push edx
006AC7BB |. |50 |push eax
006AC7BC |. |8B46 58 |mov eax,dword ptr ds:[esi+58] ; table lookup loads eax (C7BC0D7C)
006AC7BF |. |8B56 5C |mov edx,dword ptr ds:[esi+5C] ; table lookup loads edx: 0000025C
006AC7C2 |. |E8 66B1D5FF |call HOMEBANK.0040792D ; key call: each character taken from the registration name is computed into a hex number; go in, see (1)
006AC7C7 |. |52 |push edx ; /Arg2
006AC7C8 |. |50 |push eax ; |Arg1
006AC7C9 |. |8D45 E4 |lea eax,dword ptr ss:[ebp-1C] ; |
006AC7CC |. |E8 67DCD5FF |call HOMEBANK.0040A438 ; \convert the hex number obtained above into decimal
006AC7D1 |. |8B55 E4 |mov edx,dword ptr ss:[ebp-1C] ; the resulting digits go to edx
006AC7D4 |. |8D45 F4 |lea eax,dword ptr ss:[ebp-C] ; zero
006AC7D7 |. |E8 487BD5FF |call HOMEBANK.00404324 ; concatenate the numbers obtained on each pass; call the result number A
006AC7DC |. |4B |dec ebx ; registration-name length minus 1
006AC7DD |> |8B45 FC mov eax,dword ptr ss:[ebp-4] ; registration name into eax
006AC7E0 |. |E8 377BD5FF |call HOMEBANK.0040431C ; registration-name length into eax
006AC7E5 |. |83E8 06 |sub eax,6
006AC7E8 |. |3BD8 |cmp ebx,eax
006AC7EA |. |7C 04 |jl short HOMEBANK.006AC7F0 ; when the registration name is shorter than 6, its length controls the number of passes
006AC7EC |. |85DB |test ebx,ebx ; at most 7 passes
006AC7EE |.^\7F BC \jg short HOMEBANK.006AC7AC
006AC7F0 |> 8D55 F8 lea edx,dword ptr ss:[ebp-8]
006AC7F3 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; the string of decimal digits A produced by the loop above into eax
006AC7F6 |. E8 159CD5FF call HOMEBANK.00406410 ; convert number A to hex; call it string B; go in, see (2)
006AC7FB |. 8945 E8 mov dword ptr ss:[ebp-18],eax ; eax holds the last 8 digits of string B; store them at [ebp-18]
006AC7FE |. 8955 EC mov dword ptr ss:[ebp-14],edx ; edx holds the remaining digits of string B; store them at [ebp-14]
006AC801 |. 8B5E 50 mov ebx,dword ptr ds:[esi+50] ; ebx<-"c"
006AC804 |. 85DB test ebx,ebx
006AC806 |. 7F 11 jg short HOMEBANK.006AC819
006AC808 |. FF75 EC push dword ptr ss:[ebp-14] ; /Arg2
006AC80B |. FF75 E8 push dword ptr ss:[ebp-18] ; |Arg1
006AC80E |. 8BD7 mov edx,edi ; |
006AC810 |. 33C0 xor eax,eax ; |
006AC812 |. E8 55DCD5FF call HOMEBANK.0040A46C
006AC817 |. EB 26 jmp short HOMEBANK.006AC83F
006AC819 |> FF75 EC push dword ptr ss:[ebp-14] ; /Arg2
006AC81C |. FF75 E8 push dword ptr ss:[ebp-18] ; |Arg1
006AC81F |. 8BD7 mov edx,edi ; |
006AC821 |. 8BC3 mov eax,ebx ; |
006AC823 |. E8 44DCD5FF call HOMEBANK.0040A46C ; \strip any characters of string B that are not digits or letters, and if fewer than 12 remain pad with leading zeros to 12; this gives the correct registration code; go in, see (4)
006AC828 |. 8B07 mov eax,dword ptr ds:[edi]
006AC82A |. E8 ED7AD5FF call HOMEBANK.0040431C
006AC82F |. 8BC8 mov ecx,eax
006AC831 |. 2B4E 50 sub ecx,dword ptr ds:[esi+50]
006AC834 |. 8B56 50 mov edx,dword ptr ds:[esi+50]
006AC837 |. 42 inc edx
006AC838 |. 8BC7 mov eax,edi
006AC83A |. E8 257DD5FF call HOMEBANK.00404564
006AC83F |> 33C0 xor eax,eax
006AC841 |. 5A pop edx
006AC842 |. 59 pop ecx
006AC843 |. 59 pop ecx
006AC844 |. 64:8910 mov dword ptr fs:[eax],edx
006AC847 |. 68 6CC86A00 push HOMEBANK.006AC86C
006AC84C |> 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
006AC84F |. E8 4878D5FF call HOMEBANK.0040409C
006AC854 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
006AC857 |. E8 4078D5FF call HOMEBANK.0040409C
006AC85C |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
006AC85F |. E8 3878D5FF call HOMEBANK.0040409C
006AC864 \. C3 retn
(1)------------------------------------------------------------------------------------------------
006AC7C2 |. E8 66B1D5FF |call HOMEBANK.0040792D
0040792D /$ 55 push ebp
0040792E |. 53 push ebx
0040792F |. 56 push esi
00407930 |. 57 push edi
00407931 |. 33FF xor edi,edi
00407933 |. 8B5C2>mov ebx,dword ptr ss:[esp+14] ; the ASCII code of the registration-name character taken goes into ebx
00407937 |. 8B4C2>mov ecx,dword ptr ss:[esp+18]
0040793B |. 0BC9 or ecx,ecx
0040793D |. 75 08 jnz short HOMEBANK.00407947
0040793F |. 0BD2 or edx,edx
00407941 |. 74 5D je short HOMEBANK.004079A0
00407943 |. 0BDB or ebx,ebx
00407945 |. 74 59 je short HOMEBANK.004079A0
00407947 |> 0BD2 or edx,edx
00407949 |. 79 0A jns short HOMEBANK.00407955
0040794B |. F7DA neg edx
0040794D |. F7D8 neg eax
0040794F |. 83DA >sbb edx,0
00407952 |. 83CF >or edi,1
00407955 |> 0BC9 or ecx,ecx
00407957 |. 79 07 jns short HOMEBANK.00407960
00407959 |. F7D9 neg ecx
0040795B |. F7DB neg ebx
0040795D |. 83D9 >sbb ecx,0
00407960 |> 8BE9 mov ebp,ecx
00407962 |. B9 40>mov ecx,40 ; initial value, controls the loop
00407967 |. 57 push edi
00407968 |. 33FF xor edi,edi ; zero edi
0040796A |. 33F6 xor esi,esi ; zero esi
0040796C |> D1E0 /shl eax,1 ; logical left shift of eax
0040796E |. D1D2 |rcl edx,1 ; rotate edx left through carry
00407970 |. D1D6 |rcl esi,1 ; rotate esi left through carry
00407972 |. D1D7 |rcl edi,1
00407974 |. 3BFD |cmp edi,ebp
00407976 |. 72 0B |jb short HOMEBANK.00407983
00407978 |. 77 04 |ja short HOMEBANK.0040797E
0040797A |. 3BF3 |cmp esi,ebx
0040797C |. 72 05 |jb short HOMEBANK.00407983
0040797E |> 2BF3 |sub esi,ebx ; esi=esi-ebx
00407980 |. 1BFD |sbb edi,ebp
00407982 |. 40 |inc eax
00407983 |>^ E2 E7 \loopd short HOMEBANK.0040796C ; after 64 passes esi holds the result
00407985 |. 8BC6 mov eax,esi ; the value in esi into eax
00407987 |. 8BD7 mov edx,edi
00407989 |. 5B pop ebx
0040798A |. F7C3 >test ebx,1
00407990 |. 74 07 je short HOMEBANK.00407999
00407992 |. F7DA neg edx
00407994 |. F7D8 neg eax
00407996 |. 83DA >sbb edx,0
00407999 |> 5F pop edi
0040799A |. 5E pop esi
0040799B |. 5B pop ebx
0040799C |. 5D pop ebp
0040799D |. C2 08>retn 8
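The loop in routine (1) above is the classic shift-and-subtract long division: the 64-bit value in edx:eax is shifted left one bit per pass into the 64-bit partial remainder edi:esi, the partial remainder is compared with the divisor ebp:ebx as one 64-bit unsigned number, and reduced when it is large enough. The author only notes that it "yields a hex number"; reading the final `mov eax,esi / mov edx,edi`, what comes back is the remainder of that division, with the sign handling before and after the loop giving the result the sign of the dividend. The Go below is an added reconstruction of that reading for study, not code from the page or from the program, and the function names are my own:

```go
package main

import "fmt"

// shiftSubtractDivide mirrors the loop at 0040796C..00407983 of routine (1):
// the 64-bit dividend (edx:eax) is shifted left one bit per pass into the
// 64-bit partial remainder (edi:esi); whenever the partial remainder reaches
// the divisor (ebp:ebx) it is reduced and a quotient bit is set (inc eax).
// After 64 passes (loopd with ecx=40h) the bits shifted into the dividend
// register are the quotient and edi:esi is the remainder. Like the listing,
// the carry out of rcl edi,1 is dropped, so it is exact only for divisors
// that fit in 63 bits.
func shiftSubtractDivide(dividend, divisor uint64) (quotient, remainder uint64) {
	if divisor == 0 {
		panic("division by zero")
	}
	for i := 0; i < 64; i++ {
		carry := dividend >> 63          // top bit leaving edx on rcl edx,1
		dividend <<= 1                   // shl eax,1 / rcl edx,1
		remainder = remainder<<1 | carry // rcl esi,1 / rcl edi,1
		if remainder >= divisor {        // cmp edi,ebp ; jb/ja ; cmp esi,ebx ; jb
			remainder -= divisor // sub esi,ebx / sbb edi,ebp
			dividend |= 1        // inc eax: record a quotient bit
		}
	}
	return dividend, remainder
}

// signedMod adds the sign handling around the loop (00407947..0040795D and
// 0040798A..00407996): a negative dividend is negated and the remainder is
// negated back afterwards (the flag set by "or edi,1"); a negative divisor is
// negated and its sign discarded. The routine returns edx:eax = edi:esi, i.e.
// only the remainder, so the result carries the sign of the dividend.
func signedMod(dividend, divisor int64) int64 {
	negative := dividend < 0
	ud := uint64(dividend)
	if negative {
		ud = uint64(-dividend) // wraps correctly for MinInt64 (gives 2^63)
	}
	uv := uint64(divisor)
	if divisor < 0 {
		uv = uint64(-divisor)
	}
	_, r := shiftSubtractDivide(ud, uv)
	if negative {
		return -int64(r)
	}
	return int64(r)
}

// matchesNative cross-checks the reconstruction against Go's % operator,
// which uses the same sign rule (result takes the sign of the dividend).
func matchesNative(dividend, divisor int64) bool {
	return signedMod(dividend, divisor) == dividend%divisor
}

func main() {
	cases := [][2]int64{{100, 7}, {-100, 7}, {100, -7}, {1 << 62, 1000003}}
	for _, c := range cases {
		fmt.Printf("%d mod %d = %d (native agrees: %v)\n",
			c[0], c[1], signedMod(c[0], c[1]), matchesNative(c[0], c[1]))
	}
}
```

Once the loop is recognised, the rest of the caller at 006AC7BC..006AC7C2 reads directly: the two table values are the 64-bit dividend and the zero-extended character is the divisor, so each pass of the outer loop produces one remainder per character.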
(2)------------------------------------------------------------------------------------------------
00406410 /$ 53 push ebx
00406411 |. 56 push esi
00406412 |. 57 push edi
00406413 |. 55 push ebp
00406414 |. 83C4 EC add esp,-14
....... ........
...... ........
00406544 |. 894424 08 mov dword ptr ss:[esp+8],eax
00406548 |. 895>mov dword ptr ss:[esp+C],edx
0040654C |. /E9 B7000000 jmp HOMEBANK.00406608 ; the loop below uses the decimal digit string A produced from the registration name to obtain a value B at esp+8
00406551 |> |8A442E FF /mov al,byte ptr ds:[esi+ebp-1] ; take the characters one by one into al
00406555 |. |8BD0 |mov edx,eax ; eax into edx
00406557 |. |80C2 D0 |add dl,0D0
0040655A |. |80EA 0A |sub dl,0A ; decide whether the character taken is a letter or a digit
0040655D |. |73 62 |jnb short HOMEBANK.004065C1 ; if it is a letter, leave
0040655F |. |8BF8 |mov edi,eax ; eax-->edi
00406561 |. |81E7 FF000000 |and edi,0FF ; clear the high bits
00406567 |. |83EF 30 |sub edi,30 ; ASCII code to decimal digit
0040656A |. |837C24 0C 00 |cmp dword ptr ss:[esp+C],0
0040656F |. |75 09 |jnz short HOMEBANK.0040657A
00406571 |. |837C24 08 00 |cmp dword ptr ss:[esp+8],0
00406576 |. |72 49 |jb short HOMEBANK.004065C1
00406578 |. |EB 02 |jmp short HOMEBANK.0040657C
0040657A |> |7C 45 |jl short HOMEBANK.004065C1
0040657C |> |817C24 0C CCCCC>|cmp dword ptr ss:[esp+C],0CCCCCCC
00406584 |. |75 0C |jnz short HOMEBANK.00406592
00406586 |. |817C24 08 CCCCC>|cmp dword ptr ss:[esp+8],CCCCCCCC
0040658E |. |76 04 |jbe short HOMEBANK.00406594
00406590 |. |EB 2F |jmp short HOMEBANK.004065C1
00406592 |> |7F 2D |jg short HOMEBANK.004065C1
00406594 |> |6A 00 |push 0
00406596 |. |6A 0A |push 0A ; push A
00406598 |. |8B4424 10 |mov eax,dword ptr ss:[esp+10] ; on the first pass eax is 0; on every later pass the previous value is used in the computation
0040659C |. |8B5424 14 |mov edx,dword ptr ss:[esp+14] ; same as the line above
004065A0 |. |E8 4F120000 |call HOMEBANK.004077F4 ; this call computes eax=eax*A
004065A5 |. |52 |push edx
004065A6 |. |50 |push eax
004065A7 |. |8BC7 |mov eax,edi
004065A9 |. |99 |cdq
004065AA |. |030424 |add eax,dword ptr ss:[esp] ; call the character taken on each pass a(i): a(i)+eax--->eax, and the next pass computes with this value
004065AD |. |135424 04 |adc edx,dword ptr ss:[esp+4]
004065B1 |. |83C4 08 |add esp,8
004065B4 |. |894424 08 |mov dword ptr ss:[esp+8],eax ; eax to [esp+8]
004065B8 |. |895424 0C |mov dword ptr ss:[esp+C],edx
004065BC |. |45 |inc ebp ; loop control
004065BD |. |33DB |xor ebx,ebx ; zero ebx
004065BF |.^ EB >\jmp short HOMEBANK.00406551
004065C1 |> 807C24 10 00 cmp byte ptr ss:[esp+10],0
004065C6 |. 74 17 je short HOMEBANK.004065DF
004065C8 |. 8B4424 08 mov eax,dword ptr ss:[esp+8]
004065CC |. 8B5424 0C mov edx,dword ptr ss:[esp+C]
004065D0 |. F7D8 neg eax
004065D2 |. 83D2 00 adc edx,0
(3)---------------------------------------
004077F4 /$ 52 push edx
004077F5 |. 50 push eax
004077F6 |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
004077FA |. F72424 mul dword ptr ss:[esp]
004077FD |. 8BC8 mov ecx,eax
004077FF |. 8B4424 04 mov eax,dword ptr ss:[esp+4]
00407803 |. F76424 0C mul dword ptr ss:[esp+C]
00407807 |. 03C8 add ecx,eax
00407809 |. 8B0424 mov eax,dword ptr ss:[esp]
0040780C |. F76424 0C mul dword ptr ss:[esp+C] ; eax*0A--->EAX
00407810 |. 03D1 add edx,ecx
00407812 |. 59 pop ecx
00407813 |. 59 pop ecx
00407814 \. C2 0800 retn 8
(4)---------------------------------------------------------------------------------------
0040A46C /$ 55 push ebp
0040A46D |. 8BEC mov ebp,esp
0040A46F |. 83C4 F0 add esp,-10
0040A472 |. 6A 01 push 1 ; /Arg1 = 00000001
0040A474 |. 8945 F0 mov dword ptr ss:[ebp-10],eax ; |
0040A477 |. C645 F4 00 mov byte ptr ss:[ebp-C],0 ; |
0040A47B |. 8D45 08 lea eax,dword ptr ss:[ebp+8] ; |
0040A47E |. 8945 F8 mov dword ptr ss:[ebp-8],eax ; |
0040A481 |. C645 FC 10 mov byte ptr ss:[ebp-4],10 ; |
0040A485 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; |
0040A488 |. 8BC2 mov eax,edx ; |
0040A48A |. BA A4A44000 mov edx,HOMEBANK.0040A4A4 ;ASCII "%.*x"
0040A48F |. E8 700F0000 call HOMEBANK.0040B404 ; key, go in!
0040A494 |. 8BE5 mov esp,ebp
0040A496 |. 5D pop ebp
0040A497 \. C2 0800 retn 8
-------------------------------------------------------------
0040A48F |. E8 700F0000 call HOMEBANK.0040B404
0040B404 /$ 55 push ebp
0040B405 |. 8BEC mov ebp,esp
0040B407 |. 81C4 04F0FFFF add esp,-0FFC
0040B40D |. 50 push eax
0040B40E |. 83C4 F4 add esp,-0C
0040B411 |. 53 push ebx
0040B412 |. 56 push esi
0040B413 |. 894D F8 mov dword ptr ss:[ebp-8],ecx
0040B416 |. 8955 FC mov dword ptr ss:[ebp-4],edx
0040B419 |. 8BF0 mov esi,eax
0040B41B |. BB 02100000 mov ebx,1002
0040B420 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0040B423 |. E8 F48EFFFF call HOMEBANK.0040431C
0040B428 |. 8BD3 mov edx,ebx
0040B42A |. 85D2 test edx,edx
0040B42C |. 79 03 jns short HOMEBANK.0040B431
0040B42E |. 83C2 03 add edx,3
0040B431 |> C1FA 02 sar edx,2
0040B434 |. 8BCB mov ecx,ebx
0040B436 |. 2BCA sub ecx,edx
0040B438 |. 3BC1 cmp eax,ecx
0040B43A |. 7D 24 jge short HOMEBANK.0040B460
0040B43C |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0040B43F |. E8 D88EFFFF call HOMEBANK.0040431C
0040B444 |. 50 push eax
0040B445 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0040B448 |. 50 push eax
0040B449 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
0040B44C |. 50 push eax
0040B44D |. 8B4D FC mov ecx,dword ptr ss:[ebp-4]
0040B450 |. 8BD3 mov edx,ebx
0040B452 |. 4A dec edx
0040B453 |. 8D85 F6EFFFFF lea eax,dword ptr ss:[ebp-100A]
0040B459 |. E8 32FBFFFF call HOMEBANK.0040AF90 ; key call, go in
0040B45E |. EB 0C jmp short HOMEBANK.0040B46C
0040B460 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
0040B463 |. E8 B48EFFFF call HOMEBANK.0040431C
0040B468 |. 8BD8 mov ebx,eax
0040B46A |. 8BC3 mov eax,ebx
0040B46C |> 8BD3 mov edx,ebx
0040B46E |. 4A dec edx
0040B46F |. 3BC2 cmp eax,edx
0040B471 |. 7C 43 jl short HOMEBANK.0040B4B6
0040B473 |. EB 30 jmp short HOMEBANK.0040B4A5
0040B475 |> 03DB /add ebx,ebx
0040B477 |. 8BC6 |mov eax,esi
0040B479 |. E8 1E8CFFFF |call HOMEBANK.0040409C
0040B47E |. 8BC6 |mov eax,esi
0040B480 |. 8BD3 |mov edx,ebx
0040B482 |. E8 C991FFFF |call HOMEBANK.00404650
0040B487 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
0040B48A |. E8 8D8EFFFF |call HOMEBANK.0040431C
0040B48F |. 50 |push eax
0040B490 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
0040B493 |. 50 |push eax
0040B494 |. 8B45 08 |mov eax,dword ptr ss:[ebp+8]
0040B497 |. 50 |push eax
0040B498 |. 8B4D FC |mov ecx,dword ptr ss:[ebp-4]
0040B49B |. 8BD3 |mov edx,ebx
0040B49D |. 4A |dec edx
------------------------------------
0040AF90 $ 55 push ebp
0040AF91 . 8BEC mov ebp,esp
0040AF93 . 83C4 8C add esp,-74
0040AF96 . 53 push ebx
0040AF97 . 33DB xor ebx,ebx
0040AF99 . 895D F0 mov dword ptr ss:[ebp-10],ebx
0040AF9C . 53 push ebx
0040AF9D . 56 push esi
0040AF9E . 57 push edi
0040AF9F . 89C7 mov edi,eax
0040AFA1 . 89CE mov esi,ecx
0040AFA3 . 034D 10 add ecx,dword ptr ss:[ebp+10]
0040AFA6 . 897D FC mov dword ptr ss:[ebp-4],edi
0040AFA9 . 31C0 xor eax,eax
0040AFAB . 8945 F8 mov dword ptr ss:[ebp-8],eax
0040AFAE . 8945 F4 mov dword ptr ss:[ebp-C],eax
0040AFB1 . 8945 F0 mov dword ptr ss:[ebp-10],eax
0040AFB4 > 09D2 or edx,edx
0040AFB6 . 74 0E je short HOMEBANK.0040AFC6
0040AFB8 > 39CE cmp esi,ecx
0040AFBA . 74 0A je short HOMEBANK.0040AFC6
0040AFBC . AC lods byte ptr ds:[esi]
0040AFBD . 80F8 25 cmp al,25
0040AFC0 . 74 0E je short HOMEBANK.0040AFD0
0040AFC2 > AA stos byte ptr es:[edi]
0040AFC3 . 4A dec edx
0040AFC4 .^ 75 F2 jnz short HOMEBANK.0040AFB8
0040AFC6 > 89F8 mov eax,edi
0040AFC8 . 2B45 FC sub eax,dword ptr ss:[ebp-4]
0040AFCB . E9 A8030000 jmp HOMEBANK.0040B378
0040AFD0 > 39CE cmp esi,ecx
0040AFD2 .^ 74 F2 je short HOMEBANK.0040AFC6
0040AFD4 . AC lods byte ptr ds:[esi]
0040AFD5 . 80F8 25 cmp al,25
0040AFD8 .^ 74 E8 je short HOMEBANK.0040AFC2
0040AFDA . 8D5E FE lea ebx,dword ptr ds:[esi-2]
0040AFDD . 895D EC mov dword ptr ss:[ebp-14],ebx
0040AFE0 > 8845 EB mov byte ptr ss:[ebp-15],al
0040AFE3 . 80F8 2D cmp al,2D
0040AFE6 . 75 05 jnz short HOMEBANK.0040AFED
0040AFE8 . 39CE cmp esi,ecx
0040AFEA .^ 74 DA je short HOMEBANK.0040AFC6
0040AFEC . AC lods byte ptr ds:[esi]
0040AFED > E8 80000000 call HOMEBANK.0040B072
0040AFF2 . 80F8 3A cmp al,3A
0040AFF5 . 75 0A jnz short HOMEBANK.0040B001
0040AFF7 . 895D F8 mov dword ptr ss:[ebp-8],ebx
0040AFFA . 39CE cmp esi,ecx
0040AFFC .^ 74 C8 je short HOMEBANK.0040AFC6
0040AFFE . AC lods byte ptr ds:[esi]
0040AFFF .^ EB DF jmp short HOMEBANK.0040AFE0
0040B001 > 895D E4 mov dword ptr ss:[ebp-1C],ebx
0040B004 . BB FFFFFFFF mov ebx,-1
0040B009 . 80F8 2E cmp al,2E
0040B00C . 75 0A jnz short HOMEBANK.0040B018
0040B00E . 39CE cmp esi,ecx
0040B010 .^ 74 B4 je short HOMEBANK.0040AFC6
0040B012 . AC lods byte ptr ds:[esi]
0040B013 . E8 5A000000 call HOMEBANK.0040B072
0040B018 > 895D E0 mov dword ptr ss:[ebp-20],ebx
0040B01B . 8975 DC mov dword ptr ss:[ebp-24],esi
0040B01E . 51 push ecx
0040B01F . 52 push edx
0040B020 . E8 96000000 call HOMEBANK.0040B0BB ; key call, go in
0040B025 . 5A pop edx
0040B026 . 8B5D E4 mov ebx,dword ptr ss:[ebp-1C]
0040B029 . 29CB sub ebx,ecx
0040B02B . 73 02 jnb short HOMEBANK.0040B02F
0040B02D . 31DB xor ebx,ebx
0040B02F > 807D EB 2D cmp byte ptr ss:[ebp-15],2D
-------------------------------- after N calls we are finally here; getting impatient, eh? haha!
0040B020 . E8 96000000 call HOMEBANK.0040B0BB
0040B0BB /$ 24 DF and al,0DF
0040B0BD |. 88C1 mov cl,al
0040B0BF |. B8 01000000 mov eax,1
0040B0C4 |. 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0040B0C7 |. 3B5D 08 cmp ebx,dword ptr ss:[ebp+8]
0040B0CA |. 77 5C ja short HOMEBANK.0040B128
0040B0CC |. FF45 F8 inc dword ptr ss:[ebp-8]
0040B0CF |. 8B75 0C mov esi,dword ptr ss:[ebp+C]
0040B0D2 |. 8D34DE lea esi,dword ptr ds:[esi+ebx*8]
0040B0D5 |. 8B06 mov eax,dword ptr ds:[esi]
0040B0D7 |. 0FB65E 04 movzx ebx,byte ptr ds:[esi+4]
0040B0DB |. FF249D E2B0400>jmp dword ptr ds:[ebx*4+40B0E2]
0040B0E2 |. D6B14000 dd HOMEBANK.0040B1D6 ; Switch table used at 0040B0DB
0040B0E6 |. 26B14000 dd HOMEBANK.0040B126
0040B0EA |. 3DB24000 dd HOMEBANK.0040B23D
0040B0EE |. FBB24000 dd HOMEBANK.0040B2FB
0040B0F2 |. 6DB24000 dd HOMEBANK.0040B26D
0040B0F6 |. DDB24000 dd HOMEBANK.0040B2DD
0040B0FA |. BDB24000 dd HOMEBANK.0040B2BD
0040B0FE |. 26B14000 dd HOMEBANK.0040B126
0040B102 |. 26B14000 dd HOMEBANK.0040B126
0040B106 |. 26B14000 dd HOMEBANK.0040B126
0040B10A |. 7EB24000 dd HOMEBANK.0040B27E
0040B10E |. A1B24000 dd HOMEBANK.0040B2A1
0040B112 |. F7B24000 dd HOMEBANK.0040B2F7
0040B116 |. 4CB24000 dd HOMEBANK.0040B24C
0040B11A |. 26B14000 dd HOMEBANK.0040B126
0040B11E |. 85B24000 dd HOMEBANK.0040B285
0040B122 |. 3AB14000 dd HOMEBANK.0040B13A
0040B126 |> 31C0 xor eax,eax
0040B128 |> E8 40020000 call HOMEBANK.0040B36D
0040B12D |. 8B55 EC mov edx,dword ptr ss:[ebp-14]
0040B130 |. 8B4D DC mov ecx,dword ptr ss:[ebp-24]
0040B133 |. 29D1 sub ecx,edx
0040B135 |. E8 DEFDFFFF call HOMEBANK.0040AF18
0040B13A |> 8D5D D0 lea ebx,dword ptr ss:[ebp-30] ; %.*x
0040B13D |. 8B10 mov edx,dword ptr ds:[eax]
0040B13F |. 8913 mov dword ptr ds:[ebx],edx
0040B141 |. 8B50 04 mov edx,dword ptr ds:[eax+4] ; 10
0040B144 |. 8953 04 mov dword ptr ds:[ebx+4],edx
0040B147 |. 80F9 44 cmp cl,44
0040B14A |. 74 11 je short HOMEBANK.0040B15D
0040B14C |. 80F9 55 cmp cl,55
0040B14F |. 74 2A je short HOMEBANK.0040B17B
0040B151 |. 80F9 58 cmp cl,58
0040B154 |.^ 75 D0 jnz short HOMEBANK.0040B126
0040B156 |. B9 10000000 mov ecx,10
0040B15B |. EB 23 jmp short HOMEBANK.0040B180
0040B15D |> F743 04 000000>test dword ptr ds:[ebx+4],80000000
0040B164 |. 74 15 je short HOMEBANK.0040B17B
0040B166 |. F71B neg dword ptr ds:[ebx]
0040B168 |. 8353 04 00 adc dword ptr ds:[ebx+4],0
0040B16C |. F75B 04 neg dword ptr ds:[ebx+4]
0040B16F |. E8 07000000 call HOMEBANK.0040B17B
0040B174 |. B0 2D mov al,2D
0040B176 |. 41 inc ecx
0040B177 |. 4E dec esi
0040B178 |. 8806 mov byte ptr ds:[esi],al
0040B17A |. C3 retn
0040B17B |$ B9 0A000000 mov ecx,0A
0040B180 |> 8D75 AF lea esi,dword ptr ss:[ebp-51]
0040B183 |> /51 /push ecx
0040B184 |. |6A 00 |push 0
0040B186 |. |51 |push ecx
0040B187 |. |8B03 |mov eax,dword ptr ds:[ebx] ; initial value: the last 8 digits of string B --> [ebx]
0040B189 |. |8B53 04 |mov edx,dword ptr ds:[ebx+4] ; initial value: the remaining digits of string B --> [ebx+4]
0040B18C |. |E8 48C8FFFF |call HOMEBANK.004079D9 ; take the characters of string B one at a time from the end
0040B191 |. |59 |pop ecx
0040B192 |. |92 |xchg eax,edx
0040B193 |. |80C2 30 |add dl,30
0040B196 |. |80FA 3A |cmp dl,3A ; check whether it falls between digit 9 and letter A
0040B199 |. |72 03 |jb short HOMEBANK.0040B19E
0040B19B |. |80C2 07 |add dl,7 ; if so, make it a letter from A onwards
0040B19E |> |4E |dec esi ; loop control
0040B19F |. |8816 |mov byte ptr ds:[esi],dl ; store the results one by one at [esi]; note that the first value is the last character of the registration code
0040B1A1 |. |51 |push ecx
0040B1A2 |. |6A 00 |push 0
0040B1A4 |. |51 |push ecx
0040B1A5 |. |8B03 |mov eax,dword ptr ds:[ebx] ; string B into eax and edx; remember where it was produced? at the call at 006AC7F6
0040B1A7 |. |8B53 04 |mov edx,dword ptr ds:[ebx+4]
0040B1AA |. |E8 35C7FFFF |call HOMEBANK.004078E4 ; the part of string B not yet taken goes back into eax (last 8 digits) and edx (the rest)
0040B1AF |. |59 |pop ecx
0040B1B0 |. |8903 |mov dword ptr ds:[ebx],eax ; eax->[ebx], to load eax on the next pass
0040B1B2 |. |8953 04 |mov dword ptr ds:[ebx+4],edx ; edx-->[ebx+4], to load edx on the next pass
0040B1B5 |. |09D0 |or eax,edx
0040B1B7 |.^\75 CA \jnz short HOMEBANK.0040B183
0040B1B9 |. 8D4D AF lea ecx,dword ptr ss:[ebp-51]
0040B1BC |. 29F1 sub ecx,esi ; number of characters in the registration code obtained above --> ecx
0040B1BE |. 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; the length of the real code (12) into edx
0040B1C1 |. 83FA 10 cmp edx,10
0040B1C4 |. 76 01 jbe short HOMEBANK.0040B1C7 ; jump away to pad to 12 characters
0040B1C6 |. C3 retn
0040B1C7 |> 29CA sub edx,ecx ; is the length of the computed registration code the same as the real code's?
0040B1C9 |. 76 0A jbe short HOMEBANK.0040B1D5 ; if equal, jump away; otherwise pad with zeros to 12 characters
0040B1CB |. 01D1 add ecx,edx
0040B1CD |. B0 30 mov al,30
0040B1CF |> 4E /dec esi
0040B1D0 |. 8806 |mov byte ptr ds:[esi],al ; pad the registration code with leading zeros to 12 characters
0040B1D2 |. 4A |dec edx
0040B1D3 |.^ 75 FA \jnz short HOMEBANK.0040B1CF
0040B1D5 |> C3 retn
------------------------------------
Summary:
1. Take each character of the registration name in turn from the end to the front and derive a hex number from it, then convert it to decimal a(i); when the registration name has more than 7 characters only the last 7 are used. Concatenate the decimal numbers obtained on each pass and call the result string A, i.e. a(1)a(2).......a(i), i <= 7.
2. Convert string A to hex; call it B.
3. Check whether string B contains any characters that are not digits or letters; if so, remove them. If B is then shorter than 12 characters, prepend zeros up to 12. The result is the correct registration code.
E.g. registration name: lsezxsy, organization: anything (not used in the computation) gives
A:52781082497812 B:20010DAC5314
A VB keygen is being written; later, if anyone needs it, I will post it.
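What the summary above makes plain is the design flaw that this whole write-up exploits: the registration code is a deterministic function of the registration name and two constants stored in the program, with no secret anywhere, so whoever can read the checker can also run it forwards. The usual fix is to make the code a digital signature over the name: the vendor keeps a private key and signs, the program ships only the public key and verifies, and disassembling the verifier yields nothing that produces a code for a new name. The Go below is an added illustration of that hardened form using the standard library's Ed25519; it is not the program's code and not the author's planned keygen, and the label string, encoding and function names are my own choices:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// A code is the 64-byte Ed25519 signature as 103 base32 characters (A-Z, 2-7),
// which survives being typed or read over the phone. Constructed encoding choice.
var codeEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

// canonical fixes exactly what gets signed: a versioned label plus the
// trimmed, lower-cased name, so "LSEZXSY " and "lsezxsy" get the same code
// and a code cannot be replayed under a later scheme with a different label.
func canonical(name string) []byte {
	return []byte("homebank-reg-v1:" + strings.ToLower(strings.TrimSpace(name)))
}

// newKeypair is the vendor's one-time setup. Only pub is compiled into the
// program; priv stays on the vendor's issuing machine.
func newKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issueCode runs only at the vendor: sign the canonical name.
func issueCode(priv ed25519.PrivateKey, name string) string {
	return codeEncoding.EncodeToString(ed25519.Sign(priv, canonical(name)))
}

// verifyCode is the part that ships in the client. Everything it contains
// (the public key, canonical, the encoding) can be read out of the binary
// without giving anyone the ability to forge a code for another name.
func verifyCode(pub ed25519.PublicKey, name, code string) bool {
	sig, err := codeEncoding.DecodeString(strings.ToUpper(strings.TrimSpace(code)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(name), sig)
}

func main() {
	pub, priv := newKeypair()
	code := issueCode(priv, "lsezxsy") // constructed sample name
	fmt.Println("code:", code)
	fmt.Println("valid for lsezxsy:", verifyCode(pub, "lsezxsy", code))
	fmt.Println("valid for other:  ", verifyCode(pub, "other", code))
}
```

Contrast with the scheme in the listing: there the comparison at 006ACAEC is between two strings the client computed itself, so the "real code" exists inside the program; here the client never holds anything from which a code can be derived, and the length and zero-padding games of routine (4) disappear because the signature has a fixed size.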
-------------------------------------------------------------------