I'll join in too: registration algorithm analysis of 驱动程序备份工具 2.3 (Driver Backup Tool)
Posted: 2005-4-18 20:42
驱动程序备份工具 2.3 (Driver Backup Tool) registration algorithm analysis
Date: 18 April 2005    Cracked by: Baby2008
--------------------------------------------------------------------------------------------------------------
After seeing №微笑一刀[闲云野鹤]'s jump-patch write-up I thought I would analyse the registration algorithm as well ^_^
http://bbs.pediy.com/showthread.php?threadid=12919
[Software name]: 驱动程序备份工具 2.3 (Driver Backup Tool 2.3)
[Size]: 772 KB
[Download]: http://www.hyrj.com
[Description]:
"Driver Backup Tool" user guide
Do you reinstall your PC often? Have you ever reinstalled and then been unable to find the original driver disks? With "Driver Backup Tool" that nightmare is over.
"Driver Backup Tool" is a handy helper for support staff and administrators: it backs up the newest drivers currently installed on the machine. Before reinstalling the system you back the drivers up to a location of your choice; when setup reaches the hardware installation step you point the Windows driver search at that backup folder and the drivers for all your devices install quickly, saving installation time and the hassle of hunting for and swapping driver CDs, effectively "cloning" the drivers. Through plugins it can also back up Favorites, the registry, Cookies and similar data, making it a useful companion when reinstalling.
[Protection]: registration code
[Disclaimer]: I am new to cracking and just curious; corrections from the experts are welcome!
[Tools]: OllyDbg V1.10 (聆风听雨 Chinese localisation, 2nd edition), PEiD 0.93, DeDe
[Cracking process]:
The program is not packed. Load DriverStore.exe in OD, search the string references (plugin) for "注册成功,感谢您注册本软件!" (registration successful, thank you for registering), double-click it to land at 0049EDBB, scroll up and set a breakpoint at 0049ED5C, press F9, enter the serial 123456789ABCDEF, click OK, and OD breaks at:
0049ED5C >/. 55 push ebp ; <-TRegForm@Button1Click
0049ED5D |. 8BEC mov ebp,esp
0049ED5F |. 6A 00 push 0
0049ED61 |. 6A 00 push 0
0049ED63 |. 53 push ebx
0049ED64 |. 8BD8 mov ebx,eax
0049ED66 |. 33C0 xor eax,eax
0049ED68 |. 55 push ebp
0049ED69 |. 68 F3ED4900 push <DriverSt.->System.@HandleFinally>
0049ED6E |. 64:FF30 push dword ptr fs:[eax]
0049ED71 |. 64:8920 mov dword ptr fs:[eax],esp
0049ED74 |. 8D55 FC lea edx,[local.1]
0049ED77 >|. 8B83 08030000 mov eax,dword ptr ds:[ebx+308] ; *Edit4:N.A.
0049ED7D >|. E8 3AAEFBFF call DriverSt.00459BBC ; ->Controls.TControl.GetText(TControl):TCaption;
0049ED82 |. 8B45 FC mov eax,[local.1] ; trial serial (what we typed)
0049ED85 |. 50 push eax
0049ED86 |. 8D55 F8 lea edx,[local.2]
0049ED89 >|. 8B83 00030000 mov eax,dword ptr ds:[ebx+300] ; *Edit3:N.A.
0049ED8F >|. E8 28AEFBFF call DriverSt.00459BBC ; ->Controls.TControl.GetText(TControl):TCaption;
0049ED94 |. 8B55 F8 mov edx,[local.2] ; machine code
0049ED97 |. A1 70464A00 mov eax,dword ptr ds:[4A4670]
0049ED9C |. 8B00 mov eax,dword ptr ds:[eax]
0049ED9E |. 8B80 70030000 mov eax,dword ptr ds:[eax+370]
0049EDA4 |. 33C9 xor ecx,ecx
0049EDA6 |. E8 05EAFFFF call DriverSt.0049D7B0 ; registration check
0049EDAB |. 84C0 test al,al
0049EDAD |. 74 1F je short DriverSt.0049EDCE ; patch point for a jump-patch crack
0049EDAF |. A1 70464A00 mov eax,dword ptr ds:[4A4670]
0049EDB4 |. 8B00 mov eax,dword ptr ds:[eax]
0049EDB6 |. E8 852D0000 call DriverSt.004A1B40
0049EDBB |. B8 08EE4900 mov eax,DriverSt.0049EE08 ; '注册成功,感谢您注册本软件!' (registration successful, thank you for registering)
0049EDC0 >|. E8 2F21F9FF call DriverSt.00430EF4 ; ->Dialogs.ShowMessage(AnsiString);
0049EDC5 |. 8BC3 mov eax,ebx
0049EDC7 >|. E8 D477FDFF call DriverSt.004765A0 ; ->Forms.TCustomForm.Close(TCustomForm);
0049EDCC |. EB 0A jmp short DriverSt.0049EDD8
0049EDCE |> B8 30EE4900 mov eax,DriverSt.0049EE30 ; '无效的注册码,注册失败。' (invalid registration code, registration failed)
0049EDD3 >|. E8 1C21F9FF call DriverSt.00430EF4 ; ->Dialogs.ShowMessage(AnsiString);
0049EDD8 |> 33C0 xor eax,eax
0049EDDA |. 5A pop edx
0049EDDB |. 59 pop ecx
0049EDDC |. 59 pop ecx
0049EDDD |. 64:8910 mov dword ptr fs:[eax],edx
0049EDE0 |. 68 FAED4900 push DriverSt.0049EDFA
0049EDE5 |> 8D45 F8 lea eax,[local.2]
0049EDE8 |. BA 02000000 mov edx,2
0049EDED >|. E8 1658F6FF call DriverSt.00404608 ; ->System.@LStrArrayClr(void;void;Integer);
0049EDF2 \. C3 retn
0049EDF3 > .^ E9 C851F6FF jmp DriverSt.00403FC0 ; ->System.@HandleFinally;
0049EDF8 .^ EB EB jmp short DriverSt.0049EDE5
0049EDFA . 5B pop ebx
0049EDFB . 59 pop ecx
0049EDFC . 59 pop ecx
0049EDFD . 5D pop ebp
0049EDFE . C3 retn
Clearly the call at 0049EDA6 |. E8 05EAFFFF call DriverSt.0049D7B0 is the key one; step into it.
--------------------------------------------------------------------------------------------------------------
0049D7B0 /$ 55 push ebp
0049D7B1 |. 8BEC mov ebp,esp
0049D7B3 |. 83C4 F8 add esp,-8
0049D7B6 |. 53 push ebx
0049D7B7 |. 894D F8 mov [local.2],ecx
0049D7BA |. 8955 FC mov [local.1],edx ; machine code
0049D7BD |. 8BD8 mov ebx,eax
0049D7BF |. 8B45 FC mov eax,[local.1]
0049D7C2 |. E8 CD72F6FF call DriverSt.00404A94
0049D7C7 |. 8B45 F8 mov eax,[local.2]
0049D7CA |. E8 C572F6FF call DriverSt.00404A94
0049D7CF |. 8B45 08 mov eax,[arg.1] ; trial serial
0049D7D2 |. E8 BD72F6FF call DriverSt.00404A94
0049D7D7 |. 33C0 xor eax,eax
0049D7D9 |. 55 push ebp
0049D7DA |. 68 1DD84900 push DriverSt.0049D81D
0049D7DF |. 64:FF30 push dword ptr fs:[eax]
0049D7E2 |. 64:8920 mov dword ptr fs:[eax],esp
0049D7E5 |. 8B45 08 mov eax,[arg.1]
0049D7E8 |. 50 push eax
0049D7E9 |. 6A 00 push 0
0049D7EB |. 8B4D F8 mov ecx,[local.2]
0049D7EE |. 8B55 FC mov edx,[local.1] ; machine code
0049D7F1 |. 8BC3 mov eax,ebx
0049D7F3 |. E8 38000000 call DriverSt.0049D830 ; key call, step in
0049D7F8 |. 8BD8 mov ebx,eax
0049D7FA |. 33C0 xor eax,eax
0049D7FC |. 5A pop edx
0049D7FD |. 59 pop ecx
0049D7FE |. 59 pop ecx
0049D7FF |. 64:8910 mov dword ptr fs:[eax],edx
0049D802 |. 68 24D84900 push DriverSt.0049D824
0049D807 |> 8D45 F8 lea eax,[local.2]
0049D80A |. BA 02000000 mov edx,2
0049D80F |. E8 F46DF6FF call DriverSt.00404608
0049D814 |. 8D45 08 lea eax,[arg.1]
0049D817 |. E8 C86DF6FF call DriverSt.004045E4
0049D81C \. C3 retn
--------------------------------------------------------------------------------------------------------------
Keep following into the call at 0049D7F3 |. E8 38000000 call DriverSt.0049D830 ...
--------------------------------------------------------------------------------------------------------------
0049D830 $ 55 push ebp
0049D831 . 8BEC mov ebp,esp
0049D833 . 83C4 BC add esp,-44
0049D836 . 53 push ebx
0049D837 . 56 push esi
0049D838 . 57 push edi
0049D839 . 33DB xor ebx,ebx
0049D83B . 895D BC mov dword ptr ss:[ebp-44],ebx
0049D83E . 895D C0 mov dword ptr ss:[ebp-40],ebx
0049D841 . 895D C4 mov dword ptr ss:[ebp-3C],ebx
0049D844 . 895D C8 mov dword ptr ss:[ebp-38],ebx
0049D847 . 895D DC mov dword ptr ss:[ebp-24],ebx
0049D84A . 895D F0 mov dword ptr ss:[ebp-10],ebx
0049D84D . 895D EC mov dword ptr ss:[ebp-14],ebx
0049D850 . 895D E8 mov dword ptr ss:[ebp-18],ebx
0049D853 . 894D F8 mov dword ptr ss:[ebp-8],ecx
0049D856 . 8955 FC mov dword ptr ss:[ebp-4],edx
0049D859 . 8BD8 mov ebx,eax
0049D85B . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; machine code
0049D85E . E8 3172F6FF call DriverSt.00404A94
0049D863 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049D866 . E8 2972F6FF call DriverSt.00404A94
0049D86B . 8B45 0C mov eax,dword ptr ss:[ebp+C] ; trial serial
0049D86E . E8 2172F6FF call DriverSt.00404A94
0049D873 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
0049D876 . E8 1972F6FF call DriverSt.00404A94
0049D87B . 33C0 xor eax,eax
0049D87D . 55 push ebp
0049D87E . 68 68DB4900 push DriverSt.0049DB68
0049D883 . 64:FF30 push dword ptr fs:[eax]
0049D886 . 64:8920 mov dword ptr fs:[eax],esp ; time lock? (no: the loop below is only a ~2 s delay; the date check is further down)
0049D889 > E8 5292F6FF call <jmp.&kernel32.GetTickCount> ; [GetTickCount
0049D88E . 8BF0 mov esi,eax
0049D890 . 68 D0070000 push 7D0 ; /Timeout = 2000. ms
0049D895 . E8 BA06F7FF call <jmp.&kernel32.Sleep> ; \Sleep, loops back to 0049D889 until $7CF ms have elapsed (normally a single pass)
0049D89A . 8B43 54 mov eax,dword ptr ds:[ebx+54]
0049D89D . 8078 04 00 cmp byte ptr ds:[eax+4],0
0049D8A1 . 74 0A je short DriverSt.0049D8AD
0049D8A3 . 8D55 FC lea edx,dword ptr ss:[ebp-4]
0049D8A6 . 8BC3 mov eax,ebx
0049D8A8 . E8 27F9FFFF call DriverSt.0049D1D4
0049D8AD > E8 2E92F6FF call <jmp.&kernel32.GetTickCount> ; [GetTickCount
0049D8B2 . 81C6 CF070000 add esi,7CF
0049D8B8 . 3BC6 cmp eax,esi
0049D8BA .^ 72 CD jb short DriverSt.0049D889
0049D8BC . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; machine code
0049D8BF . E8 E06FF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049D8C4 . 3B43 58 cmp eax,dword ptr ds:[ebx+58] ; $32 = 50, maximum length
0049D8C7 . 7F 19 jg short DriverSt.0049D8E2
0049D8C9 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; machine code
0049D8CC . E8 D36FF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049D8D1 . 3B43 5C cmp eax,dword ptr ds:[ebx+5C] ; $5, minimum length
0049D8D4 . 7C 0C jl short DriverSt.0049D8E2
0049D8D6 . 8B45 0C mov eax,dword ptr ss:[ebp+C] ; trial serial
0049D8D9 . E8 C66FF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049D8DE . 85C0 test eax,eax
0049D8E0 . 75 09 jnz short DriverSt.0049D8EB
0049D8E2 > C645 F7 00 mov byte ptr ss:[ebp-9],0
0049D8E6 . E9 33020000 jmp DriverSt.0049DB1E
0049D8EB > 8D55 DC lea edx,dword ptr ss:[ebp-24]
0049D8EE . 8B45 0C mov eax,dword ptr ss:[ebp+C] ; trial serial
0049D8F1 . E8 D6ADF6FF call DriverSt.004086CC ; uppercase the trial serial; call the result SN
0049D8F6 . 8B55 DC mov edx,dword ptr ss:[ebp-24] ; SN
0049D8F9 . 8D45 0C lea eax,dword ptr ss:[ebp+C]
0049D8FC . E8 7B6DF6FF call DriverSt.0040467C
0049D901 . C645 F7 00 mov byte ptr ss:[ebp-9],0
0049D905 . B1 01 mov cl,1
0049D907 . 8B55 0C mov edx,dword ptr ss:[ebp+C] ; SN
0049D90A . 8BC3 mov eax,ebx
0049D90C . E8 83FAFFFF call DriverSt.0049D394 ; not analysed here
0049D911 . 84C0 test al,al
0049D913 . 0F85 05020000 jnz DriverSt.0049DB1E ; a nonzero result fails (the result byte at [ebp-9] is still 0)
0049D919 . 33C9 xor ecx,ecx
0049D91B . 55 push ebp
0049D91C . 68 A4DA4900 push DriverSt.0049DAA4
0049D921 . 64:FF31 push dword ptr fs:[ecx]
0049D924 . 64:8921 mov dword ptr fs:[ecx],esp
0049D927 . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0049D92A . 8B55 0C mov edx,dword ptr ss:[ebp+C]
0049D92D . 8A52 01 mov dl,byte ptr ds:[edx+1] ; 2nd character of the serial, SN[2]
0049D930 . E8 976EF6FF call DriverSt.004047CC ; System.@PStrCpy(PShortString;PShortString);
0049D935 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0049D938 . 8B55 0C mov edx,dword ptr ss:[ebp+C] ; SN
0049D93B . 8A52 09 mov dl,byte ptr ds:[edx+9] ; 10th character, SN[10]
0049D93E . 8850 01 mov byte ptr ds:[eax+1],dl
0049D941 . C600 01 mov byte ptr ds:[eax],1
0049D944 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0049D947 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049D94A . E8 BD57F6FF call DriverSt.0040310C ; System.@PStrCpy(PShortString;PShortString);
0049D94F . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0049D952 . 8B55 0C mov edx,dword ptr ss:[ebp+C] ; SN
0049D955 . 8A52 07 mov dl,byte ptr ds:[edx+7] ; 8th character, SN[8]
0049D958 . 8850 01 mov byte ptr ds:[eax+1],dl
0049D95B . C600 01 mov byte ptr ds:[eax],1
0049D95E . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0049D961 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049D964 . B1 02 mov cl,2
0049D966 . E8 7157F6FF call DriverSt.004030DC ; System.@PStrNCat;
0049D96B . 8D55 D4 lea edx,dword ptr ss:[ebp-2C] ; SN[10]+SN[8]
0049D96E . 8D45 EC lea eax,dword ptr ss:[ebp-14]
0049D971 . E8 D26EF6FF call DriverSt.00404848
0049D976 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0049D979 . 8B55 0C mov edx,dword ptr ss:[ebp+C] ; SN
0049D97C . 8A52 03 mov dl,byte ptr ds:[edx+3] ; 4th character, SN[4]
0049D97F . 8850 01 mov byte ptr ds:[eax+1],dl
0049D982 . C600 01 mov byte ptr ds:[eax],1
0049D985 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0049D988 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049D98B . E8 7C57F6FF call DriverSt.0040310C
0049D990 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0049D993 . 8B55 0C mov edx,dword ptr ss:[ebp+C] ; SN
0049D996 . 8A52 05 mov dl,byte ptr ds:[edx+5] ; 6th character, SN[6]
0049D999 . 8850 01 mov byte ptr ds:[eax+1],dl
0049D99C . C600 01 mov byte ptr ds:[eax],1
0049D99F . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0049D9A2 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049D9A5 . B1 02 mov cl,2
0049D9A7 . E8 3057F6FF call DriverSt.004030DC
0049D9AC . 8D55 D4 lea edx,dword ptr ss:[ebp-2C] ; SN[4]+SN[6]
0049D9AF . 8D45 CC lea eax,dword ptr ss:[ebp-34]
0049D9B2 . E8 5557F6FF call DriverSt.0040310C
0049D9B7 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0049D9BA . 8B55 0C mov edx,dword ptr ss:[ebp+C] ; SN
0049D9BD . 8A52 0B mov dl,byte ptr ds:[edx+B] ; 12th character, SN[12]
0049D9C0 . 8850 01 mov byte ptr ds:[eax+1],dl
0049D9C3 . C600 01 mov byte ptr ds:[eax],1
0049D9C6 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0049D9C9 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
0049D9CC . B1 03 mov cl,3
0049D9CE . E8 0957F6FF call DriverSt.004030DC ; System.@PStrNCat;
0049D9D3 . 8D55 CC lea edx,dword ptr ss:[ebp-34] ; SN[4]+SN[6]+SN[12]
0049D9D6 . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0049D9D9 . E8 6A6EF6FF call DriverSt.00404848
0049D9DE . 8D45 C8 lea eax,dword ptr ss:[ebp-38]
0049D9E1 . 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; SN[2]
0049D9E4 . BA 84DB4900 mov edx,DriverSt.0049DB84 ; '$'
0049D9E9 . E8 026FF6FF call DriverSt.004048F0 ; System.@LStrCat3;
0049D9EE . 8B45 C8 mov eax,dword ptr ss:[ebp-38] ; $SN[2]
0049D9F1 . BA FFFF0000 mov edx,0FFFF
0049D9F6 . E8 69B3F6FF call DriverSt.00408D64 ; SysUtils.StrToIntDef(AnsiString;Integer):Integer;
0049D9FB . 8BF0 mov esi,eax ; ESI = StrToIntDef('$'+SN[2], $FFFF)
0049D9FD . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0049DA00 . 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; SN[10]+SN[8]
0049DA03 . BA 84DB4900 mov edx,DriverSt.0049DB84 ; '$'
0049DA08 . E8 E36EF6FF call DriverSt.004048F0 ; System.@LStrCat3;
0049DA0D . 8B45 C4 mov eax,dword ptr ss:[ebp-3C] ; $SN[10]+SN[8]
0049DA10 . BA FFFF0000 mov edx,0FFFF
0049DA15 . E8 4AB3F6FF call DriverSt.00408D64 ; SysUtils.StrToIntDef(AnsiString;Integer):Integer;
0049DA1A . 8BF8 mov edi,eax ; EDI = StrToIntDef('$'+SN[10]+SN[8], $FFFF)
0049DA1C . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0049DA1F . 8B4D E8 mov ecx,dword ptr ss:[ebp-18] ; SN[4]+SN[6]+SN[12]
0049DA22 . BA 84DB4900 mov edx,DriverSt.0049DB84 ; '$'
0049DA27 . E8 C46EF6FF call DriverSt.004048F0 ; System.@LStrCat3;
0049DA2C . 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; $(SN[4]+SN[6]+SN[12])
0049DA2F . BA FFFF0000 mov edx,0FFFF
0049DA34 . E8 2BB3F6FF call DriverSt.00408D64 ; SysUtils.StrToIntDef(AnsiString;Integer):Integer;
0049DA39 . 8BD7 mov edx,edi ; EDI=StrToInt($SN[10]+SN[8])
0049DA3B . 0BD6 or edx,esi ; ESI=StrToInt($SN[2])
0049DA3D . 0BD0 or edx,eax ; EAX=StrToInt($SN[4]+SN[6]+SN[12])
0049DA3F . 81FA FFFF0000 cmp edx,0FFFF ; =$FFFF
0049DA45 75 0F jnz short DriverSt.0049DA56 ; equal only when one of the three conversions returned the $FFFF default, i.e. an even position is not a hex digit; then it's over
0049DA47 . 64:8F05 00000000 pop dword ptr fs:[0]
0049DA4E . 83C4 08 add esp,8
0049DA51 . E9 C8000000 jmp DriverSt.0049DB1E
0049DA56 > 8BD6 mov edx,esi
0049DA58 . 66:83F2 07 xor dx,7 ; Month = SN[2] xor 7
0049DA5C . 8BF7 mov esi,edi
0049DA5E . 66:81F6 B700 xor si,0B7 ; Day = (SN[10]+SN[8]) xor $B7
0049DA63 . 66:35 B705 xor ax,5B7 ; Year = (SN[4]+SN[6]+SN[12]) xor $5B7
0049DA67 . 8BCE mov ecx,esi
0049DA69 . E8 A6CDF6FF call DriverSt.0040A814 ; SysUtils.EncodeDate(Word;Word;Word):TDateTime; Year=EAX, Month=EDX, Day=ECX; an invalid date raises and ends at 0049DB1E
0049DA6E . DD5D E0 fstp qword ptr ss:[ebp-20] ; encoded date
0049DA71 . 9B wait
0049DA72 . E8 65CFF6FF call DriverSt.0040A9DC ; current date/time in ST(0) (presumably SysUtils.Now or Date)
0049DA77 . DC5D E0 fcomp qword ptr ss:[ebp-20] ; compare it with the encoded date
0049DA7A . DFE0 fstsw ax
0049DA7C . 9E sahf
0049DA7D 76 1B jbe short DriverSt.0049DA9A ; current date <= encoded date: pass without looking further
0049DA7F . DD45 E0 fld qword ptr ss:[ebp-20]
0049DA82 . D81D 88DB4900 fcomp dword ptr ds:[49DB88] ; encoded date vs. a single-precision constant (not dumped here)
0049DA88 . DFE0 fstsw ax
0049DA8A . 9E sahf
0049DA8B 75 0D jnz short DriverSt.0049DA9A ; time lock: this jump must be taken (equal = fail)
0049DA8D . 33C0 xor eax,eax
0049DA8F . 5A pop edx
0049DA90 . 59 pop ecx
0049DA91 . 59 pop ecx
0049DA92 . 64:8910 mov dword ptr fs:[eax],edx
0049DA95 . E9 84000000 jmp DriverSt.0049DB1E
0049DA9A > 33C0 xor eax,eax
0049DA9C . 5A pop edx
0049DA9D . 59 pop ecx
0049DA9E . 59 pop ecx
0049DA9F . 64:8910 mov dword ptr fs:[eax],edx
0049DAA2 . EB 11 jmp short DriverSt.0049DAB5
0049DAA4 .^ E9 6362F6FF jmp DriverSt.00403D0C
0049DAA9 . E8 C665F6FF call DriverSt.00404074
0049DAAE . EB 6E jmp short DriverSt.0049DB1E
0049DAB0 . E8 BF65F6FF call DriverSt.00404074
0049DAB5 > 8D45 BC lea eax,dword ptr ss:[ebp-44]
0049DAB8 . 50 push eax
0049DAB9 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C] ; SN
0049DABC . 8B55 FC mov edx,dword ptr ss:[ebp-4] ; machine code
0049DABF . 8BC3 mov eax,ebx ;
0049DAC1 . E8 76F0FFFF call DriverSt.0049CB3C ; key call, step in
0049DAC6 . 8B45 BC mov eax,dword ptr ss:[ebp-44]
0049DAC9 . BA 94DB4900 mov edx,DriverSt.0049DB94 ; ASCII "645364631365423154824"
0049DACE . E8 99ACF6FF call DriverSt.0040876C
0049DAD3 . 85C0 test eax,eax
0049DAD5 . 75 06 jnz short DriverSt.0049DADD
0049DAD7 . C645 F7 01 mov byte ptr ss:[ebp-9],1
0049DADB . EB 04 jmp short DriverSt.0049DAE1
0049DADD > C645 F7 00 mov byte ptr ss:[ebp-9],0
0049DAE1 > 807D F7 01 cmp byte ptr ss:[ebp-9],1
0049DAE5 . 75 37 jnz short DriverSt.0049DB1E
0049DAE7 . 8D43 50 lea eax,dword ptr ds:[ebx+50]
0049DAEA . 8B55 FC mov edx,dword ptr ss:[ebp-4]
0049DAED . E8 466BF6FF call DriverSt.00404638
0049DAF2 . 8D43 60 lea eax,dword ptr ds:[ebx+60]
0049DAF5 . 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0049DAF8 . E8 3B6BF6FF call DriverSt.00404638
0049DAFD . 8D43 68 lea eax,dword ptr ds:[ebx+68]
0049DB00 . 8B55 0C mov edx,dword ptr ss:[ebp+C]
0049DB03 . E8 306BF6FF call DriverSt.00404638
0049DB08 . 8D43 44 lea eax,dword ptr ds:[ebx+44]
0049DB0B . 8B55 08 mov edx,dword ptr ss:[ebp+8]
0049DB0E . E8 256BF6FF call DriverSt.00404638
0049DB13 . 8BC3 mov eax,ebx
0049DB15 . E8 C2020000 call DriverSt.0049DDDC
0049DB1A . C645 F7 01 mov byte ptr ss:[ebp-9],1
0049DB1E > 33C0 xor eax,eax
0049DB20 . 5A pop edx
0049DB21 . 59 pop ecx
0049DB22 . 59 pop ecx
0049DB23 . 64:8910 mov dword ptr fs:[eax],edx
0049DB26 . 68 6FDB4900 push DriverSt.0049DB6F
0049DB2B > 8D45 BC lea eax,dword ptr ss:[ebp-44] ; cleanup from here on
0049DB2E . BA 04000000 mov edx,4
0049DB33 . E8 D06AF6FF call DriverSt.00404608
0049DB38 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
0049DB3B . E8 A46AF6FF call DriverSt.004045E4
0049DB40 . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0049DB43 . BA 03000000 mov edx,3
0049DB48 . E8 BB6AF6FF call DriverSt.00404608
0049DB4D . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0049DB50 . BA 02000000 mov edx,2
0049DB55 . E8 AE6AF6FF call DriverSt.00404608
0049DB5A . 8D45 08 lea eax,dword ptr ss:[ebp+8]
0049DB5D . BA 02000000 mov edx,2
0049DB62 . E8 A16AF6FF call DriverSt.00404608
0049DB67 . C3 retn
0049DB68 .^ E9 5364F6FF jmp DriverSt.00403FC0
0049DB6D .^ EB BC jmp short DriverSt.0049DB2B
0049DB6F . 8A45 F7 mov al,byte ptr ss:[ebp-9]
0049DB72 . 5F pop edi
0049DB73 . 5E pop esi
0049DB74 . 5B pop ebx
0049DB75 . 8BE5 mov esp,ebp
0049DB77 . 5D pop ebp
0049DB78 . C2 0800 retn 8
--------------------------------------------------------------------------------------------------------------
This part is the "time lock". The six even positions SN[2], SN[4], SN[6], SN[8], SN[10] and SN[12] are read as hex with StrToIntDef and $FFFF as the default; the three results are at most $F, $FF and $FFF, so the OR at 0049DA3B can only equal $FFFF when a conversion failed, which means every even position must be a hex digit (the "never satisfied" checks at the start are this hex-digit test). They are then turned into a date: Year = (SN[4]+SN[6]+SN[12]) xor $5B7 in EAX, Month = SN[2] xor 7 in EDX, Day = (SN[10]+SN[8]) xor $B7 in ECX, handed to EncodeDate. A date EncodeDate rejects raises inside the try frame set up at 0049D919, which ends at 0049DB1E with the result byte still 0, so the date has to be valid. If the current date is not later than the encoded one, the jbe at 0049DA7D goes straight to the good path at 0049DA9A; otherwise the encoded date is compared with the single-precision constant at 49DB88 and the jnz at 0049DA8B must be taken, or it's over. Remember to force that jump (change the JE to JNZ) when debugging: the even positions of the trial serial 123456789ABCDEF decode to 31 May 475, a date long past. The call to 0049D394 at 0049D90C is not analysed here; it has to return 0 for the check to continue.
Next, call DriverSt.0049CB3C at 0049DAC1 produces a string that is compared with "645364631365423154824" at 0049DACE; if they match, registration succeeds. So let's step into call DriverSt.0049CB3C without delay:
--------------------------------------------------------------------------------------------------------------
0049CB3C /$ 55 push ebp
0049CB3D |. 8BEC mov ebp,esp
0049CB3F |. 83C4 C4 add esp,-3C
0049CB42 |. 53 push ebx
0049CB43 |. 56 push esi
0049CB44 |. 57 push edi
0049CB45 |. 33DB xor ebx,ebx
0049CB47 |. 895D C4 mov [local.15],ebx
0049CB4A |. 895D C8 mov [local.14],ebx
0049CB4D |. 895D CC mov [local.13],ebx
0049CB50 |. 895D D0 mov [local.12],ebx
0049CB53 |. 895D F0 mov [local.4],ebx
0049CB56 |. 895D EC mov [local.5],ebx
0049CB59 |. 894D F4 mov [local.3],ecx ; SN
0049CB5C |. 8955 F8 mov [local.2],edx ; machine code
0049CB5F |. 8945 FC mov [local.1],eax
0049CB62 |. 8B45 F8 mov eax,[local.2]
0049CB65 |. E8 2A7FF6FF call DriverSt.00404A94
0049CB6A |. 8B45 F4 mov eax,[local.3]
0049CB6D |. E8 227FF6FF call DriverSt.00404A94
0049CB72 |. 33C0 xor eax,eax
0049CB74 |. 55 push ebp
0049CB75 |. 68 E0CE4900 push DriverSt.0049CEE0
0049CB7A |. 64:FF30 push dword ptr fs:[eax]
0049CB7D |. 64:8920 mov dword ptr fs:[eax],esp
0049CB80 |. 8B45 08 mov eax,[arg.1]
0049CB83 |. BA F8CE4900 mov edx,DriverSt.0049CEF8 ; ASCII "542264156124568746123"
0049CB88 |. E8 AB7AF6FF call DriverSt.00404638 ; System.@LStrAsg(void;void;void;void);
0049CB8D |. 8B45 F8 mov eax,[local.2] ; machine code
0049CB90 |. E8 0F7DF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049CB95 |. 8B55 FC mov edx,[local.1]
0049CB98 |. 3B42 58 cmp eax,dword ptr ds:[edx+58] ; $32
0049CB9B |. 0F8F 17030000 jg DriverSt.0049CEB8
0049CBA1 |. 8B45 F8 mov eax,[local.2]
0049CBA4 |. E8 FB7CF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049CBA9 |. 8B55 FC mov edx,[local.1]
0049CBAC |. 3B42 5C cmp eax,dword ptr ds:[edx+5C] ; $5
0049CBAF |. 0F8C 03030000 jl DriverSt.0049CEB8
0049CBB5 |. 8D45 E0 lea eax,[local.8]
0049CBB8 |. 8B55 F4 mov edx,[local.3] ; SN
0049CBBB |. 8A12 mov dl,byte ptr ds:[edx] ; 1st character of the serial, SN[1]
0049CBBD |. 8850 01 mov byte ptr ds:[eax+1],dl
0049CBC0 |. C600 01 mov byte ptr ds:[eax],1
0049CBC3 |. 8D55 E0 lea edx,[local.8]
0049CBC6 |. 8D45 DC lea eax,[local.9]
0049CBC9 |. E8 3E65F6FF call DriverSt.0040310C
0049CBCE |. 8D45 D8 lea eax,[local.10]
0049CBD1 |. 8B55 F4 mov edx,[local.3] ; SN
0049CBD4 |. 8A52 02 mov dl,byte ptr ds:[edx+2] ; 3rd character, SN[3]
0049CBD7 |. 8850 01 mov byte ptr ds:[eax+1],dl
0049CBDA |. C600 01 mov byte ptr ds:[eax],1
0049CBDD |. 8D55 D8 lea edx,[local.10]
0049CBE0 |. 8D45 DC lea eax,[local.9]
0049CBE3 |. B1 02 mov cl,2
0049CBE5 |. E8 F264F6FF call DriverSt.004030DC ; System.@PStrNCat;
0049CBEA |. 8D55 DC lea edx,[local.9] ; SN[1]+SN[3]
0049CBED |. 8D45 F0 lea eax,[local.4]
0049CBF0 |. E8 537CF6FF call DriverSt.00404848
0049CBF5 |. 8D45 EC lea eax,[local.5]
0049CBF8 |. 8B55 F4 mov edx,[local.3] ; SN
0049CBFB |. 8A52 04 mov dl,byte ptr ds:[edx+4] ; 5th character, SN[5]
0049CBFE |. E8 C97BF6FF call DriverSt.004047CC
0049CC03 |. 8B45 F8 mov eax,[local.2] ; machine code
0049CC06 |. E8 997CF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049CC0B |. 8BF0 mov esi,eax
0049CC0D |. 8975 D4 mov [local.11],esi ; ESI = Length(M)
0049CC10 |. DB45 D4 fild [local.11]
0049CC13 |. D835 10CF4900 fdiv dword ptr ds:[49CF10] ; 2
0049CC19 |. E8 D263F6FF call DriverSt.00402FF0 ; System.@TRUNC;
0049CC1E |. 8B55 F8 mov edx,[local.2] ; machine code
0049CC21 |. 0FB64402 FF movzx eax,byte ptr ds:[edx+eax-1] ; M[length/2]
0049CC26 |. 8B55 F8 mov edx,[local.2]
0049CC29 |. 0FB612 movzx edx,byte ptr ds:[edx] ; M[1]
0049CC2C |. 8B4D F8 mov ecx,[local.2]
0049CC2F |. 0FB649 01 movzx ecx,byte ptr ds:[ecx+1] ; M[2]
0049CC33 |. 03D1 add edx,ecx ; M[1]+M[2]
0049CC35 |. 03C2 add eax,edx ; Eax=M[length/2]+M1+M2
0049CC37 |. 8B55 F8 mov edx,[local.2] ; M
0049CC3A |. 0FB65432 FF movzx edx,byte ptr ds:[edx+esi-1] ; M[length]
0049CC3F |. 03C2 add eax,edx ; EAX=M[length/2]+M1+M2+M[Length]
0049CC41 |. 8B55 F8 mov edx,[local.2] ; M
0049CC44 |. 0FB65432 FE movzx edx,byte ptr ds:[edx+esi-2] ; M[Length-1]
0049CC49 |. 03C2 add eax,edx ; EAX=M[length/2]+M1+M2+M[Length]+M[length-1]
0049CC4B |. 8945 E8 mov [local.6],eax ; save the five-byte sum
0049CC4E |. 8D45 D0 lea eax,[local.12]
0049CC51 |. 8B4D F0 mov ecx,[local.4] ; SN[1]+SN[3]
0049CC54 |. BA 1CCF4900 mov edx,DriverSt.0049CF1C ; $
0049CC59 |. E8 927CF6FF call DriverSt.004048F0 ; System.@LStrCat3;
0049CC5E |. 8B45 D0 mov eax,[local.12] ; $SN[1]+SN[3]
0049CC61 |. BA FFFF0000 mov edx,0FFFF
0049CC66 |. E8 F9C0F6FF call DriverSt.00408D64 ; SysUtils.StrToIntDef(AnsiString;Integer):Integer;
0049CC6B |. 8BF0 mov esi,eax ; StrToInt($SN[1]+SN[3])
0049CC6D |. 81FE FFFF0000 cmp esi,0FFFF
0049CC73 |. 0F84 3F020000 je DriverSt.0049CEB8
0049CC79 |. 8B45 FC mov eax,[local.1]
0049CC7C |. 8B40 70 mov eax,dword ptr ds:[eax+70] ; 014387B3
0049CC7F |. 99 cdq
0049CC80 |. F77D E8 idiv [local.6] ; EAX=M[length/2]+M1+M2+M[Length]+M[length-1]
0049CC83 |. 81E2 FF000000 and edx,0FF
0049CC89 |. 3BF2 cmp esi,edx ; ESI=$(SN1+SN3) must equal the remainder and $FF: this gives SN[1] and SN[3]
0049CC8B |. 0F85 27020000 jnz DriverSt.0049CEB8
0049CC91 |. 8D45 CC lea eax,[local.13]
0049CC94 |. 8B4D EC mov ecx,[local.5] ; SN[5]
0049CC97 |. BA 1CCF4900 mov edx,DriverSt.0049CF1C ; '$'
0049CC9C |. E8 4F7CF6FF call DriverSt.004048F0 ; System.@LStrCat3;
0049CCA1 |. 8B45 CC mov eax,[local.13] ; $SN[5]
0049CCA4 |. BA FFFF0000 mov edx,0FFFF
0049CCA9 |. E8 B6C0F6FF call DriverSt.00408D64 ; SysUtils.StrToIntDef(AnsiString;Integer):Integer;
0049CCAE |. 8BF0 mov esi,eax
0049CCB0 |. 81FE FFFF0000 cmp esi,0FFFF
0049CCB6 |. 0F84 FC010000 je DriverSt.0049CEB8
0049CCBC |. 8B45 F8 mov eax,[local.2] ; machine code
0049CCBF |. E8 E07BF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049CCC4 |. 3BF0 cmp esi,eax ; SN[5]=Length(M)
0049CCC6 |. 74 15 je short DriverSt.0049CCDD
0049CCC8 |. 8B45 F8 mov eax,[local.2] ; machine code
0049CCCB |. E8 D47BF6FF call DriverSt.004048A4 ; System.@LStrLen(String):Integer;
0049CCD0 |. 83F8 10 cmp eax,10 ; Length(M) <= 16: any hex digit passes
0049CCD3 |. 7E 08 jle short DriverSt.0049CCDD
0049CCD5 |. 85F6 test esi,esi ; SN[5]
0049CCD7 |. 0F85 DB010000 jnz DriverSt.0049CEB8 ; must not jump: for longer M, SN[5] = 0, so '0' works for every length
0049CCDD |> 8D45 E0 lea eax,[local.8]
0049CCE0 |. 8B55 F4 mov edx,[local.3] ; SN
0049CCE3 |. 8A52 06 mov dl,byte ptr ds:[edx+6] ; SN[7]
0049CCE6 |. 8850 01 mov byte ptr ds:[eax+1],dl
0049CCE9 |. C600 01 mov byte ptr ds:[eax],1
0049CCEC |. 8D55 E0 lea edx,[local.8]
0049CCEF |. 8D45 DC lea eax,[local.9]
0049CCF2 |. E8 1564F6FF call DriverSt.0040310C
0049CCF7 |. 8D45 D8 lea eax,[local.10]
0049CCFA |. 8B55 F4 mov edx,[local.3] ; SN
0049CCFD |. 8A52 08 mov dl,byte ptr ds:[edx+8] ; SN[9]
0049CD00 |. 8850 01 mov byte ptr ds:[eax+1],dl
0049CD03 |. C600 01 mov byte ptr ds:[eax],1
0049CD06 |. 8D55 D8 lea edx,[local.10]
0049CD09 |. 8D45 DC lea eax,[local.9]
0049CD0C |. B1 02 mov cl,2
0049CD0E |. E8 C963F6FF call DriverSt.004030DC
0049CD13 |. 8D55 DC lea edx,[local.9] ; SN[7]+SN[9]
0049CD16 |. 8D45 D4 lea eax,[local.11]
0049CD19 |. E8 EE63F6FF call DriverSt.0040310C
0049CD1E |. 8D45 D8 lea eax,[local.10]
0049CD21 |. 8B55 F4 mov edx,[local.3] ; SN
0049CD24 |. 8A52 0A mov dl,byte ptr ds:[edx+A] ; SN[11]
0049CD27 |. 8850 01 mov byte ptr ds:[eax+1],dl
0049CD2A |. C600 01 mov byte ptr ds:[eax],1
0049CD2D |. 8D55 D8 lea edx,[local.10]
0049CD30 |. 8D45 D4 lea eax,[local.11]
0049CD33 |. B1 03 mov cl,3
0049CD35 |. E8 A263F6FF call DriverSt.004030DC
0049CD3A |. 8D55 D4 lea edx,[local.11] ; SN[7]+SN[9]+SN[11]
0049CD3D |. 8D45 F0 lea eax,[local.4]
0049CD40 |. E8 037BF6FF call DriverSt.00404848
0049CD45 |. 8D45 C8 lea eax,[local.14]
0049CD48 |. 8B4D F0 mov ecx,[local.4]
0049CD4B |. BA 1CCF4900 mov edx,DriverSt.0049CF1C ; '$'
0049CD50 |. E8 9B7BF6FF call DriverSt.004048F0
0049CD55 |. 8B45 C8 mov eax,[local.14]
0049CD58 |. BA FFFF0000 mov edx,0FFFF
0049CD5D |. E8 02C0F6FF call DriverSt.00408D64 ; StrToInt
0049CD62 |. 8945 E8 mov [local.6],eax ; $SN[7]+SN[9]+SN[11]
0049CD65 |. 817D E8 FFFF0000 cmp [local.6],0FFFF
0049CD6C |. 0F84 46010000 je DriverSt.0049CEB8
0049CD72 |. 33F6 xor esi,esi
0049CD74 |. 8B45 F8 mov eax,[local.2] ; M
0049CD77 |. E8 287BF6FF call DriverSt.004048A4 ; Length
0049CD7C |. 85C0 test eax,eax
0049CD7E |. 7E 13 jle short DriverSt.0049CD93
0049CD80 |. BB 01000000 mov ebx,1 ; i
0049CD85 |> 8B55 F8 /mov edx,[local.2] ; M
0049CD88 |. 0FB6541A FF |movzx edx,byte ptr ds:[edx+ebx-1] ; M[i]
0049CD8D |. 03F2 |add esi,edx
0049CD8F |. 43 |inc ebx
0049CD90 |. 48 |dec eax
0049CD91 |.^ 75 F2 \jnz short DriverSt.0049CD85 ; sum the ASCII values of the machine code
0049CD93 |> C1E6 04 shl esi,4 ; sum * 16
0049CD96 |. 8B45 FC mov eax,[local.1]
0049CD99 |. 3370 74 xor esi,dword ptr ds:[eax+74] ; 02357417
0049CD9C |. 81E6 FF0F0000 and esi,0FFF
0049CDA2 |. 8975 E4 mov [local.7],esi ; ESI=897
0049CDA5 |. 8B45 E4 mov eax,[local.7]
0049CDA8 |. 3B45 E8 cmp eax,[local.6] ; must equal $SN[7]+SN[9]+SN[11]: this gives SN[7], SN[9], SN[11]
0049CDAB 0F85 07010000 jnz DriverSt.0049CEB8
0049CDB1 |. 8B45 F4 mov eax,[local.3] ; SN
0049CDB4 |. E8 EB7AF6FF call DriverSt.004048A4 ; Length
0049CDB9 |. 83F8 0C cmp eax,0C ; 12
0049CDBC |. 0F8E E9000000 jle DriverSt.0049CEAB ; Length(SN) <= 12 jumps straight to the success string, skipping the suffix check
0049CDC2 |. 8D45 EC lea eax,[local.5]
0049CDC5 |. E8 1A78F6FF call DriverSt.004045E4
0049CDCA |. 33C0 xor eax,eax
0049CDCC |. 8945 E4 mov [local.7],eax
0049CDCF |. 8B45 F8 mov eax,[local.2] ; M
0049CDD2 |. E8 CD7AF6FF call DriverSt.004048A4 ; Length
0049CDD7 |. 85C0 test eax,eax
0049CDD9 |. 7E 14 jle short DriverSt.0049CDEF
0049CDDB |. BB 01000000 mov ebx,1
0049CDE0 |> 8B55 F8 /mov edx,[local.2] ; M
0049CDE3 |. 0FB6541A FF |movzx edx,byte ptr ds:[edx+ebx-1]
0049CDE8 |. 0155 E4 |add [local.7],edx
0049CDEB |. 43 |inc ebx
0049CDEC |. 48 |dec eax
0049CDED |.^ 75 F1 \jnz short DriverSt.0049CDE0
0049CDEF |> B8 FFFFFF07 mov eax,7FFFFFF ; 7FFFFFF
0049CDF4 |. 99 cdq
0049CDF5 |. F77D E4 idiv [local.7] ; machine-code ASCII sum
0049CDF8 |. F76D E4 imul [local.7]
0049CDFB |. 8945 E4 mov [local.7],eax ; EAX = ($7FFFFFF div sum) * sum, call it Total
0049CDFE |. 8B45 F4 mov eax,[local.3] ; SN
0049CE01 |. E8 9E7AF6FF call DriverSt.004048A4 ; Length
0049CE06 |. 83E8 0C sub eax,0C ; Length-12
0049CE09 |. 8945 E8 mov [local.6],eax
0049CE0C |. 8D45 F0 lea eax,[local.4] ; the last Length-12 characters of SN, used in the comparison
0049CE0F |. 50 push eax
0049CE10 |. 8B4D E8 mov ecx,[local.6] ; Length-12
0049CE13 |. BA 0D000000 mov edx,0D
0049CE18 |. 8B45 F4 mov eax,[local.3] ; SN
0049CE1B |. E8 E47CF6FF call DriverSt.00404B04 ; System.@LStrCopy(SN,$D,Length-C)
0049CE20 |. BF 1F000000 mov edi,1F ; 1F
0049CE25 |. BB 01000000 mov ebx,1 ; loop counter i = 1 to $20 (exits when i reaches $21)
0049CE2A |> 8BCB /mov ecx,ebx ; ECX=i
0049CE2C |. 8B45 FC |mov eax,[local.1]
0049CE2F |. 8B40 78 |mov eax,dword ptr ds:[eax+78] ; 0279BB3E
0049CE32 |. 8BF0 |mov esi,eax
0049CE34 |. D3E6 |shl esi,cl ; 0279BB3E shl i
0049CE36 |. 8BCF |mov ecx,edi ; EDI=$20-i
0049CE38 |. D3E8 |shr eax,cl ; 0279BB3E shr ($20-i)
0049CE3A |. 0BF0 |or esi,eax ; (0279BB3E shl i) or (0279BB3E shr ($20-i)), a 32-bit rotate left; call it Temp
0049CE3C |. 8BC6 |mov eax,esi
0049CE3E |. 99 |cdq
0049CE3F |. 33C2 |xor eax,edx ; cdq / xor / sub is Abs(): Temp is treated as a signed value
0049CE41 |. 2BC2 |sub eax,edx
0049CE43 |. 8BF0 |mov esi,eax ; Temp = Abs(Temp)
0049CE45 |. 3B75 E4 |cmp esi,[local.7] ; Temp against Total from the machine code
0049CE48 |. 7E 0A |jle short DriverSt.0049CE54 ; <=
0049CE4A |. 8BC6 |mov eax,esi
0049CE4C |. 99 |cdq
0049CE4D |. F77D E4 |idiv [local.7] ; Temp mod Total (remainder in EDX)
0049CE50 |. 8BF2 |mov esi,edx
0049CE52 |. EB 08 |jmp short DriverSt.0049CE5C
0049CE54 |> 8B45 E4 |mov eax,[local.7] ; Total
0049CE57 |. 99 |cdq
0049CE58 |. F7FE |idiv esi ; Total mod Temp (remainder in EDX)
0049CE5A |. 8BF2 |mov esi,edx
0049CE5C |> 8D4D C4 |lea ecx,[local.15]
0049CE5F |. 8BC6 |mov eax,esi ; and $FFF
0049CE61 |. 25 FF0F0000 |and eax,0FFF
0049CE66 |. BA 03000000 |mov edx,3
0049CE6B |. E8 90BEF6FF |call DriverSt.00408D00 ; SysUtils.IntToHex(Integer;Integer):AnsiString;overload;
0049CE70 |. 8B55 C4 |mov edx,[local.15]
0049CE73 |. 8D45 EC |lea eax,[local.5]
0049CE76 |. E8 317AF6FF |call DriverSt.004048AC ; System.@LStrCat;
0049CE7B |. 4F |dec edi
0049CE7C |. 43 |inc ebx
0049CE7D |. 83FB 21 |cmp ebx,21 ; stop when i reaches $21 (32 iterations)
0049CE80 |.^ 75 A8 \jnz short DriverSt.0049CE2A
0049CE82 |. 8D45 EC lea eax,[local.5]
0049CE85 |. 50 push eax
0049CE86 |. 8B45 FC mov eax,[local.1]
0049CE89 |. 8B48 6C mov ecx,dword ptr ds:[eax+6C] ; $14
0049CE8C |. 83E9 0C sub ecx,0C ; $14-$C
0049CE8F |. BA 01000000 mov edx,1
0049CE94 |. 8B45 EC mov eax,[local.5] ; the loop's concatenated result
0049CE97 |. E8 687CF6FF call DriverSt.00404B04 ; System.@LStrCopy;
0049CE9C |. 8B55 EC mov edx,[local.5] ; first 8 characters of the result
0049CE9F |. 8B45 F0 mov eax,[local.4]
0049CEA2 |. E8 15B9F6FF call DriverSt.004087BC ; SysUtils.CompareText(AnsiString;AnsiString):Integer;
0049CEA7 |. 85C0 test eax,eax
0049CEA9 |. 75 0D jnz short DriverSt.0049CEB8
0049CEAB |> 8B45 08 mov eax,[arg.1]
0049CEAE |. BA 28CF4900 mov edx,DriverSt.0049CF28 ; ASCII "645364631365423154824"
0049CEB3 |. E8 8077F6FF call DriverSt.00404638
0049CEB8 |> 33C0 xor eax,eax
0049CEBA |. 5A pop edx
0049CEBB |. 59 pop ecx
0049CEBC |. 59 pop ecx
0049CEBD |. 64:8910 mov dword ptr fs:[eax],edx
0049CEC0 |. 68 E7CE4900 push DriverSt.0049CEE7
0049CEC5 |> 8D45 C4 lea eax,[local.15]
0049CEC8 |. BA 04000000 mov edx,4
0049CECD |. E8 3677F6FF call DriverSt.00404608
0049CED2 |. 8D45 EC lea eax,[local.5]
0049CED5 |. BA 04000000 mov edx,4
0049CEDA |. E8 2977F6FF call DriverSt.00404608
0049CEDF \. C3 retn
0049CEE0 .^ E9 DB70F6FF jmp DriverSt.00403FC0
0049CEE5 .^ EB DE jmp short DriverSt.0049CEC5
0049CEE7 . 5F pop edi
0049CEE8 . 5E pop esi
0049CEE9 . 5B pop ebx
0049CEEA . 8BE5 mov esp,ebp
0049CEEC . 5D pop ebp
0049CEED . C2 0400 retn 4
--------------------------------------------------------------------------------------------------------------
At the key jumps:
0049CC8B fixes SN[1] and SN[3];
0049CCD7 fixes SN[5];
0049CDAB fixes SN[7], SN[9] and SN[11];
0049CEA9 checks the 8 characters after position 12.
If every condition holds the function returns '645364631365423154824', which is compared at 0049DACE; a match means registration succeeds.
[Algorithm summary]:
Let M be the machine code (5 to 50 characters) and SN the serial (uppercased first; 20 characters in total).
1. SN[1]+SN[3] = IntToHex(($014387B3 mod (M[Len div 2]+M[1]+M[2]+M[Len]+M[Len-1])) and $FF, 2). It is the remainder, not the quotient: idiv leaves it in EDX.
2. SN[5] = '0'. This works for every length of M; when Length(M) <= 16 any hex digit passes, and a digit equal to Length(M) passes too.
3. SN[7]+SN[9]+SN[11] = IntToHex(((ASCII sum of M) shl 4 xor $02357417) and $FFF, 3)
4. SN[13..20] from the machine code:
a. Total = ($7FFFFFF div ASCII sum) * ASCII sum
b. Temp = Abs(($0279BB3E shl i) or ($0279BB3E shr ($20-i))) for i = 1 to $20, a 32-bit rotate left taken as a signed value
c. if Temp > Total then (Temp mod Total) and $FFF, else (Total mod Temp) and $FFF
d. Concatenate the 3-digit hex results of c; the first 8 characters are SN[13..20] (only i = 1..3 contribute)
5. The even positions SN[2], SN[4], SN[6], SN[8], SN[10], SN[12] do not depend on M: they must be hex digits that decode (see the time lock above) to a valid date. The template's 2,4,6,8,A,C give 31 May 475, which is why the jump at 0049DA8B has to be forced; a date that has not yet passed takes the jbe at 0049DA7D and never reaches the constant comparison.
Delphi 7.0 keygen source (comments translated; the loop bound and the missing Abs() are corrected to match the listing):
Procedure TForm1.btn3Click(Sender: TObject);
Var
  Total, Temp, i, Len, Sum: Integer;
  MachineNo, SerialNo, TempStr: String;
Begin
  // LeftStr needs StrUtils in the unit's uses clause
  MachineNo := edt1.Text;
  SerialNo := '123456789ABC';  // even positions 2,4,6,8,A,C are kept: they encode the date 475-05-31
  Len := Length(MachineNo);
  If Len < 12 Then Exit;       // stricter than the program, which accepts 5..50 characters
  // serial positions 1 and 3
  Sum := Ord(MachineNo[1]) + Ord(MachineNo[2]) + Ord(MachineNo[Trunc(Len / 2)]) + Ord(MachineNo[Len]) + Ord(MachineNo[Len - 1]);
  Temp := ($014387B3 Mod Sum) And $FF;
  TempStr := IntToHex(Temp, 2);
  SerialNo[1] := TempStr[1];
  SerialNo[3] := TempStr[2];
  // serial position 5
  SerialNo[5] := '0';
  Total := 0;
  For i := 1 To Len Do Total := Total + Ord(MachineNo[i]);
  // serial positions 7, 9 and 11
  Temp := ((Total Shl 4) Xor $02357417) And $FFF;
  TempStr := IntToHex(Temp, 3);
  SerialNo[7] := TempStr[1];
  SerialNo[9] := TempStr[2];
  SerialNo[11] := TempStr[3];
  TempStr := '';
  // the part after position 12
  Total := $7FFFFFF Div Total * Total;
  For i := 1 To $20 Do         // the binary loops until i reaches $21, i.e. 32 times
  Begin
    // 32-bit rotate left, then Abs() as the cdq/xor/sub sequence at 0049CE3E does
    Temp := Abs(($0279BB3E Shl i) Or ($0279BB3E Shr ($20 - i)));
    If Temp > Total Then
      TempStr := TempStr + IntToHex((Temp Mod Total) And $FFF, 3)
    Else
      TempStr := TempStr + IntToHex((Total Mod Temp) And $FFF, 3);
  End;
  TempStr := LeftStr(TempStr, 8);
  edt2.Text := SerialNo + TempStr;
End;
My machine code: 55661-OEM-0011903-00155
Serial: 72F406889A7C97CD00A0
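As an added example (not part of the original post, and not the program's own code), here is the algorithm summary above as a Python keygen, together with a re-implementation of the checks in 0049D830 and 0049CB3C so a generated serial can be verified offline. It also covers the even-position date lock, which the Delphi keygen leaves at the template's 2,4,6,8,A,C. Constants and jump addresses are taken from the listing; two things are assumptions: that the routine at 0040A9DC returns the current date (the `today` argument stands in for it), and that a serial whose date has already passed fails, since the listing only lets such a serial through when the date equals the constant at 49DB88, which the post does not dump.

```python
from datetime import date

# Immediates lifted from the listing (object fields [obj+70], [obj+74], [obj+78], [obj+6C]).
K_ODD = 0x014387B3      # remainder source for SN[1]SN[3]            (0049CC7C)
K_SUM = 0x02357417      # XOR constant for SN[7]SN[9]SN[11]           (0049CD99)
K_ROT = 0x0279BB3E      # constant rotated in the suffix loop         (0049CE2F)
SERIAL_LEN = 0x14       # 12 positional digits + 8-character suffix   (0049CE89)
MASK32 = 0xFFFFFFFF
HEX = "0123456789ABCDEF"


def to_int32(v: int) -> int:
    """Reinterpret a 32-bit pattern as the signed Integer the binary computes with."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def odd_digits(m: bytes):
    """SN[1]SN[3] and SN[7]SN[9]SN[11] for machine code m (positions 1-based as in the post)."""
    n = len(m)
    five = m[n // 2 - 1] + m[0] + m[1] + m[n - 1] + m[n - 2]   # M[Len div 2]+M[1]+M[2]+M[Len]+M[Len-1]
    a = "%02X" % ((K_ODD % five) & 0xFF)                       # idiv remainder, and $FF     (0049CC80)
    b = "%03X" % (((sum(m) << 4) ^ K_SUM) & 0xFFF)             # ASCII sum shl 4 xor K, $FFF (0049CD93)
    return a, b


def suffix(m: bytes) -> str:
    """The tail after position 12: loop at 0049CE2A, first SERIAL_LEN-12 characters kept."""
    total = sum(m)
    total = (0x7FFFFFF // total) * total                         # 0049CDEF..0049CDFB
    out = ""
    for i in range(1, 0x21):                                     # i = 1..32, cmp ebx,21 ends it
        temp = ((K_ROT << (i & 31)) | (K_ROT >> ((32 - i) & 31))) & MASK32   # 32-bit rotate left
        temp = abs(to_int32(temp))                               # cdq / xor / sub = Abs()
        r = temp % total if temp > total else total % temp       # jle at 0049CE48
        out += "%03X" % (r & 0xFFF)
    return out[:SERIAL_LEN - 12]


def even_digits(y: int, mo: int, d: int) -> dict:
    """Even positions carry a date: EncodeDate(V[4,6,12]^$5B7, V[2]^7, V[10,8]^$B7) at 0049DA69."""
    date(y, mo, d)                          # EncodeDate rejects an invalid date, so reject it here too
    if y > 0xFFF:
        raise ValueError("year must fit the three hex digits SN[4]SN[6]SN[12]")
    yh, dh = "%03X" % (y ^ 0x5B7), "%02X" % (d ^ 0xB7)
    return {2: "%X" % (mo ^ 7), 4: yh[0], 6: yh[1], 12: yh[2], 10: dh[0], 8: dh[1]}


def decode_date(sn: str):
    """Inverse of even_digits; raises ValueError for a date EncodeDate would reject."""
    y = int(sn[3] + sn[5] + sn[11], 16) ^ 0x5B7
    mo = int(sn[1], 16) ^ 7
    d = int(sn[9] + sn[7], 16) ^ 0xB7
    date(y, mo, d)
    return (y, mo, d)


def make_serial(machine: str, expiry=(475, 5, 31)) -> str:
    """Keygen. The default date is what the post's template '123456789ABC' happens to encode."""
    m = machine.encode("ascii")
    if not 5 <= len(m) <= 0x32:                                  # [obj+5C] / [obj+58] bounds
        raise ValueError("machine code length out of range")
    a, b = odd_digits(m)
    digits = {1: a[0], 3: a[1], 5: "0", 7: b[0], 9: b[1], 11: b[2]}   # '0' passes for every length
    digits.update(even_digits(*expiry))
    return "".join(digits[i] for i in range(1, 13)) + suffix(m)


def check_serial(machine: str, sn: str, today) -> bool:
    """Mirror of the checks in 0049D830 and 0049CB3C as the listing reads them.
    Assumption: a serial whose date has passed fails (the binary only lets it through when the
    date equals the constant at 49DB88, which the post does not show)."""
    m, sn = machine.encode("ascii"), sn.upper()                  # 0049D8F1 uppercases SN
    if not (5 <= len(m) <= 0x32) or len(sn) < 12:                # shorter serials read past the string
        return False
    if any(c not in HEX for c in sn[:12]):                       # StrToIntDef default $FFFF = fail
        return False
    try:
        expiry = decode_date(sn)                                 # EncodeDate raises on a bad date
    except ValueError:
        return False
    if date(*today) > date(*expiry):                             # jbe at 0049DA7D not taken
        return False
    a, b = odd_digits(m)
    if sn[0] + sn[2] != a:                                       # 0049CC89
        return False
    v5 = int(sn[4], 16)
    if v5 != len(m) and len(m) > 16 and v5 != 0:                 # 0049CCC4..0049CCD7
        return False
    if sn[6] + sn[8] + sn[10] != b:                              # 0049CDA8
        return False
    if len(sn) <= 12:                                            # jle at 0049CDBC: success
        return True
    return sn[12:] == suffix(m)                                  # CompareText, case folded above


if __name__ == "__main__":
    M = "55661-OEM-0011903-00155"                                # the post's machine code
    print(make_serial(M))                                        # reproduces 72F406889A7C97CD00A0
    print(make_serial(M, (4095, 12, 31)))                        # latest date three hex digits allow
```

`make_serial(M)` reproduces the post's serial exactly, and `decode_date` shows why that serial needs the forced jump: its even digits encode 31 May 475. Passing a date such as `(4095, 12, 31)` (the largest year that still fits the three hex digits) yields a serial that takes the jbe at 0049DA7D and never reaches the comparison against the constant.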
--(End)--