-
-
[原创]Picture To Icon注册算法深入全面分析(注册机源码)
-
发表于: 2012-2-11 10:58
-
【文章标题】: Picture To Icon注册算法深入分析(注册机源码)
【文章作者】: suredwang
【作者邮箱】: suredwang@126.com
【软件名称】: Picture To Icon V3.x
【软件大小】: 1.05M
【下载地址】: http://www.onlinedown.net/soft/45891.htm
【加壳方式】: 无壳
【保护方式】: 注册码+暗桩
【编写语言】: Borland C++ 1999
【使用工具】: OD
【操作平台】: WIN-XP
【软件介绍】: 国外软件,由图片转图标的转换工具
【作者声明】: 只是感兴趣学习,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
本人在自己编程序过程经常要使用大量ICO图标,好多从网上下载来的无效,用它转换后就可以变有效,而且能保持很好的清晰效果,还可以任意调节,
但却要注册并弹出网页,很是烦人,而且未注册版本只能使用15天或20次,那要想完全用她,要么花 $29.95 Add $9.95 for CD, or free delivery if email/download.
要么就是要花点时间破解,后来搜索看雪论坛上已有多位大侠研究过,版本是1.9X,而且算法分析不完整,注册成功也不能用,算了,还是自己动手丰衣足食啊,
呵呵,闲话少说啦
先用查壳工具PEID0.94查无壳Borland C++ 1999语言编写,信心大振,直接用OD载入,右键查找注册有关的字符
your registration code is invalid. \nif you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. or please send email to: support@exeicon.com \n
双击到程序领空,并往上查找如下:
00425009 |. E8 9E9D0300 call 0045EDAC
0042500E |. 8B55 9C mov edx, dword ptr [ebp-64]
00425011 |. 8955 D4 mov dword ptr [ebp-2C], edx
00425014 |. 837D D4 00 cmp dword ptr [ebp-2C], 0
00425018 |. 74 21 je short 0042503B
0042501A |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
0042501D |. 8B01 mov eax, dword ptr [ecx]
0042501F |. 8945 D8 mov dword ptr [ebp-28], eax
00425022 |. 66:C745 B8 68>mov word ptr [ebp-48], 68
00425028 |. BA 03000000 mov edx, 3
0042502D |. 8B45 D4 mov eax, dword ptr [ebp-2C]
00425030 |. 8B08 mov ecx, dword ptr [eax]
00425032 |. FF51 FC call dword ptr [ecx-4]
00425035 |. 66:C745 B8 5C>mov word ptr [ebp-48], 5C
0042503B |> 66:C745 B8 74>mov word ptr [ebp-48], 74
00425041 |. BA 53455000 mov edx, 00504553 ; register successfully!\nthank you.
00425046 |. 8D45 D0 lea eax, dword ptr [ebp-30]
00425049 |. E8 365D0C00 call 004EAD84
0042504E |. FF45 C4 inc dword ptr [ebp-3C]
00425051 |. 8B00 mov eax, dword ptr [eax]
00425053 |. E8 C4E30800 call 004B341C
00425058 |. FF4D C4 dec dword ptr [ebp-3C]
0042505B |. 8D45 D0 lea eax, dword ptr [ebp-30]
0042505E |. BA 02000000 mov edx, 2
00425063 |. E8 7C5E0C00 call 004EAEE4
00425068 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
0042506B |. E8 34350800 call 004A85A4
00425070 |. EB 37 jmp short 004250A9 双击到这里
00425072 |> 66:C745 B8 80>mov word ptr [ebp-48], 80
00425078 |. BA 75455000 mov edx, 00504575 ; your registration code is invalid. \nif you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. or please send email to: support@exeicon.com \n
0042507D |. 8D45 CC lea eax, dword ptr [ebp-34]
00425080 |. E8 FF5C0C00 call 004EAD84
可以再往上搜索查找注册算法入口,来到这里
00424D3C /. 55 push ebp ; 在此下断,输入邮箱名和试验码断在这
00424D3D |. 8BEC mov ebp, esp ; 定位入口
00424D3F |. 83C4 9C add esp, -64
00424D42 |. 8955 A0 mov dword ptr [ebp-60], edx
00424D45 |. 8945 A4 mov dword ptr [ebp-5C], eax
00424D48 |. B8 684F5000 mov eax, 00504F68
00424D4D |. E8 86AF0B00 call 004DFCD8
00424D52 |. 8B15 EC1B5100 mov edx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424D58 |. 8B0A mov ecx, dword ptr [edx]
00424D5A |. 80B9 F8030000>cmp byte ptr [ecx+3F8], 0 ; 其实这是一个注册标志判断,这里可以爆破
00424D61 |. 0F85 3A030000 jnz 004250A1
00424D67 |. 66:C745 B8 08>mov word ptr [ebp-48], 8
00424D6D |. 8D45 FC lea eax, dword ptr [ebp-4]
00424D70 |. E8 6FDDFDFF call 00402AE4
00424D75 |. 8BD0 mov edx, eax
00424D77 |. FF45 C4 inc dword ptr [ebp-3C]
00424D7A |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424D7D |. 8B81 00030000 mov eax, dword ptr [ecx+300]
00424D83 |. E8 0C400900 call 004B8D94
00424D88 |. 8D45 FC lea eax, dword ptr [ebp-4]
00424D8B |. E8 A026FEFF call 00407430 ; 取邮箱地址长度
00424D90 |. 83F8 03 cmp eax, 3 ; 长度大于3就赋入继续标志
00424D93 |. 0F9CC2 setl dl
00424D96 |. 83E2 01 and edx, 1
00424D99 |. 52 push edx
00424D9A |. FF4D C4 dec dword ptr [ebp-3C]
00424D9D |. 8D45 FC lea eax, dword ptr [ebp-4]
00424DA0 |. BA 02000000 mov edx, 2
00424DA5 |. E8 3A610C00 call 004EAEE4
00424DAA |. 59 pop ecx
00424DAB |. 84C9 test cl, cl
00424DAD |. 74 3C je short 00424DEB ; 长度大于3就跳到下面继续
00424DAF |. 66:C745 B8 14>mov word ptr [ebp-48], 14
00424DB5 |. BA 18455000 mov edx, 00504518 ; please input your full name!
00424DBA |. 8D45 F8 lea eax, dword ptr [ebp-8]
00424DBD |. E8 C25F0C00 call 004EAD84
00424DC2 |. FF45 C4 inc dword ptr [ebp-3C]
00424DC5 |. 8B00 mov eax, dword ptr [eax]
00424DC7 |. E8 50E60800 call 004B341C
00424DCC |. FF4D C4 dec dword ptr [ebp-3C]
00424DCF |. 8D45 F8 lea eax, dword ptr [ebp-8]
00424DD2 |. BA 02000000 mov edx, 2
00424DD7 |. E8 08610C00 call 004EAEE4
00424DDC |. 8B4D A8 mov ecx, dword ptr [ebp-58]
00424DDF |. 64:890D 00000>mov dword ptr fs:[0], ecx
00424DE6 |. E9 C8020000 jmp 004250B3
00424DEB |> 68 F4010000 push 1F4 ; /Timeout = 500. ms
00424DF0 |. E8 299B0D00 call <jmp.&KERNEL32.Sleep> ; \Sleep
00424DF5 |. 66:C745 B8 20>mov word ptr [ebp-48], 20
00424DFB |. 8D45 F4 lea eax, dword ptr [ebp-C]
00424DFE |. E8 E1DCFDFF call 00402AE4
00424E03 |. 8BD0 mov edx, eax
00424E05 |. FF45 C4 inc dword ptr [ebp-3C]
00424E08 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424E0B |. 8B81 04030000 mov eax, dword ptr [ecx+304]
00424E11 |. E8 7E3F0900 call 004B8D94
00424E16 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00424E19 |. FF32 push dword ptr [edx] ; 取出试验码
00424E1B |. E8 48E3FFFF call 00423168 ; 算法关键CALL,F7进
00424E20 |. 59 pop ecx
00424E21 |. 8B0D EC1B5100 mov ecx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424E27 |. 8B11 mov edx, dword ptr [ecx]
00424E29 |. 8882 F8030000 mov byte ptr [edx+3F8], al
00424E2F |. FF4D C4 dec dword ptr [ebp-3C]
00424E32 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00424E35 |. BA 02000000 mov edx, 2
00424E3A |. E8 A5600C00 call 004EAEE4 ; 注册码正确与否判断
00424E3F |. A1 EC1B5100 mov eax, dword ptr [511BEC]
00424E44 |. 8B08 mov ecx, dword ptr [eax]
00424E46 |. 80B9 F8030000>cmp byte ptr [ecx+3F8], 0
00424E4D |. 0F84 1F020000 je 00425072 ; 此处关键跳,跳走就失败,可爆破NOP
00424E53 |. 66:C745 B8 2C>mov word ptr [ebp-48], 2C
00424E59 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00424E5C |. E8 83DCFDFF call 00402AE4
00424E61 |. 8BD0 mov edx, eax
00424E63 |. FF45 C4 inc dword ptr [ebp-3C]
00424E66 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424E69 |. 8B81 04030000 mov eax, dword ptr [ecx+304]
00424E6F |. E8 203F0900 call 004B8D94
00424E74 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00424E77 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
00424E7A |. 05 1C030000 add eax, 31C
00424E7F |. E8 90600C00 call 004EAF14
00424E84 |. FF4D C4 dec dword ptr [ebp-3C]
00424E87 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00424E8A |. BA 02000000 mov edx, 2
00424E8F |. E8 50600C00 call 004EAEE4
00424E94 |. 8B45 A4 mov eax, dword ptr [ebp-5C] ; 再取试验码
00424E97 |. 05 1C030000 add eax, 31C
00424E9C |. E8 67CFFDFF call 00401E08
00424EA1 |. 0FBE50 17 movsx edx, byte ptr [eax+17] ; 取试验码第二十四位
00424EA5 |. 83FA 30 cmp edx, 30 ; 与数字0比较
00424EA8 |. 7C 16 jl short 00424EC0
00424EAA |. 8B45 A4 mov eax, dword ptr [ebp-5C]
00424EAD |. 05 1C030000 add eax, 31C
00424EB2 |. E8 51CFFDFF call 00401E08
00424EB7 |. 0FBE50 17 movsx edx, byte ptr [eax+17]
00424EBB |. 83FA 39 cmp edx, 39 ; 与9作比较 即0--9之间就通过
00424EBE 7E 0F jle short 00424ECF
00424EC0 |> 8B0D EC1B5100 mov ecx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424EC6 |. 8B01 mov eax, dword ptr [ecx]
00424EC8 |. C680 F8030000>mov byte ptr [eax+3F8], 0
00424ECF |> B2 01 mov dl, 1
00424ED1 |. A1 3CEC4500 mov eax, dword ptr [45EC3C]
00424ED6 |. E8 619E0300 call 0045ED3C
00424EDB |. 8945 9C mov dword ptr [ebp-64], eax
00424EDE |. BA 01000080 mov edx, 80000001
00424EE3 |. 8B45 9C mov eax, dword ptr [ebp-64]
00424EE6 |. E8 055E0C00 call 004EACF0
00424EEB |. 8B15 EC1B5100 mov edx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424EF1 |. 8B0A mov ecx, dword ptr [edx]
00424EF3 |. 80B9 F8030000>cmp byte ptr [ecx+3F8], 0 ; 再次判断注册码是否符合要求
00424EFA |. 0F84 06010000 je 00425006
00424F00 |. 66:C745 B8 38>mov word ptr [ebp-48], 38 ; 以下都是成功后对注册表写入的操作
00424F06 |. BA 35455000 mov edx, 00504535 ; software\xtzy\pic2ico
00424F0B |. 8D45 EC lea eax, dword ptr [ebp-14]
00424F0E |. E8 715E0C00 call 004EAD84
00424F13 |. FF45 C4 inc dword ptr [ebp-3C]
00424F16 |. 8B10 mov edx, dword ptr [eax]
00424F18 |. B1 01 mov cl, 1
00424F1A |. 8B45 9C mov eax, dword ptr [ebp-64]
00424F1D |. E8 1E9F0300 call 0045EE40
00424F22 |. 84C0 test al, al
00424F24 |. 0F95C0 setne al
00424F27 |. 83E0 01 and eax, 1
00424F2A |. 50 push eax
00424F2B |. FF4D C4 dec dword ptr [ebp-3C]
00424F2E |. 8D45 EC lea eax, dword ptr [ebp-14]
00424F31 |. BA 02000000 mov edx, 2
00424F36 |. E8 A95F0C00 call 004EAEE4
00424F3B |. 59 pop ecx
00424F3C |. 85C9 test ecx, ecx
00424F3E |. 0F84 C2000000 je 00425006
00424F44 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00424F47 |. E8 98DBFDFF call 00402AE4
00424F4C |. 8BD0 mov edx, eax
00424F4E |. FF45 C4 inc dword ptr [ebp-3C]
00424F51 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424F54 |. 8B81 04030000 mov eax, dword ptr [ecx+304] ; (initial cpu selection)
00424F5A |. E8 353E0900 call 004B8D94
00424F5F |. 8D55 E4 lea edx, dword ptr [ebp-1C]
00424F62 |. FF32 push dword ptr [edx]
00424F64 |. 66:C745 B8 44>mov word ptr [ebp-48], 44 ; 写入注册表的键名与键值
00424F6A |. BA 4B455000 mov edx, 0050454B ; no
00424F6F |. 8D45 E8 lea eax, dword ptr [ebp-18]
00424F72 |. E8 0D5E0C00 call 004EAD84
00424F77 |. FF45 C4 inc dword ptr [ebp-3C]
00424F7A |. 8B10 mov edx, dword ptr [eax]
00424F7C |. 8B45 9C mov eax, dword ptr [ebp-64]
00424F7F |. 59 pop ecx
00424F80 |. E8 57A00300 call 0045EFDC
00424F85 |. FF4D C4 dec dword ptr [ebp-3C]
00424F88 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00424F8B |. BA 02000000 mov edx, 2
00424F90 |. E8 4F5F0C00 call 004EAEE4
00424F95 |. FF4D C4 dec dword ptr [ebp-3C]
00424F98 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00424F9B |. BA 02000000 mov edx, 2
00424FA0 |. E8 3F5F0C00 call 004EAEE4
00424FA5 |. 8D45 DC lea eax, dword ptr [ebp-24]
00424FA8 |. E8 37DBFDFF call 00402AE4
00424FAD |. 8BD0 mov edx, eax
00424FAF |. FF45 C4 inc dword ptr [ebp-3C]
00424FB2 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424FB5 |. 8B81 00030000 mov eax, dword ptr [ecx+300]
00424FBB |. E8 D43D0900 call 004B8D94
00424FC0 |. 8D55 DC lea edx, dword ptr [ebp-24]
00424FC3 |. FF32 push dword ptr [edx]
00424FC5 |. 66:C745 B8 50>mov word ptr [ebp-48], 50
00424FCB |. BA 4E455000 mov edx, 0050454E ; name
00424FD0 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00424FD3 |. E8 AC5D0C00 call 004EAD84
00424FD8 |. FF45 C4 inc dword ptr [ebp-3C]
00424FDB |. 8B10 mov edx, dword ptr [eax]
00424FDD |. 8B45 9C mov eax, dword ptr [ebp-64]
00424FE0 |. 59 pop ecx
00424FE1 |. E8 F69F0300 call 0045EFDC
00424FE6 |. FF4D C4 dec dword ptr [ebp-3C]
00424FE9 |. 8D45 DC lea eax, dword ptr [ebp-24]
00424FEC |. BA 02000000 mov edx, 2
00424FF1 |. E8 EE5E0C00 call 004EAEE4
00424FF6 |. FF4D C4 dec dword ptr [ebp-3C]
00424FF9 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00424FFC |. BA 02000000 mov edx, 2
00425001 |. E8 DE5E0C00 call 004EAEE4
00425006 |> 8B45 9C mov eax, dword ptr [ebp-64]
00425009 |. E8 9E9D0300 call 0045EDAC
0042500E |. 8B55 9C mov edx, dword ptr [ebp-64]
00425011 |. 8955 D4 mov dword ptr [ebp-2C], edx
00425014 |. 837D D4 00 cmp dword ptr [ebp-2C], 0
00425018 |. 74 21 je short 0042503B
0042501A |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
0042501D |. 8B01 mov eax, dword ptr [ecx]
0042501F |. 8945 D8 mov dword ptr [ebp-28], eax
00425022 |. 66:C745 B8 68>mov word ptr [ebp-48], 68
00425028 |. BA 03000000 mov edx, 3
0042502D |. 8B45 D4 mov eax, dword ptr [ebp-2C]
00425030 |. 8B08 mov ecx, dword ptr [eax]
00425032 |. FF51 FC call dword ptr [ecx-4]
00425035 |. 66:C745 B8 5C>mov word ptr [ebp-48], 5C
0042503B |> 66:C745 B8 74>mov word ptr [ebp-48], 74
00425041 |. BA 53455000 mov edx, 00504553 ; register successfully!\nthank you.
00425046 |. 8D45 D0 lea eax, dword ptr [ebp-30]
00425049 |. E8 365D0C00 call 004EAD84
0042504E |. FF45 C4 inc dword ptr [ebp-3C]
00425051 |. 8B00 mov eax, dword ptr [eax]
00425053 |. E8 C4E30800 call 004B341C
00425058 |. FF4D C4 dec dword ptr [ebp-3C]
0042505B |. 8D45 D0 lea eax, dword ptr [ebp-30]
0042505E |. BA 02000000 mov edx, 2
00425063 |. E8 7C5E0C00 call 004EAEE4
00425068 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
0042506B |. E8 34350800 call 004A85A4
00425070 |. EB 37 jmp short 004250A9
00425072 |> 66:C745 B8 80>mov word ptr [ebp-48], 80
00425078 |. BA 75455000 mov edx, 00504575 ; your registration code is invalid. \nif you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. or please send email to: support@exeicon.com \n
0042507D |. 8D45 CC lea eax, dword ptr [ebp-34]
00425080 |. E8 FF5C0C00 call 004EAD84
00425085 |. FF45 C4 inc dword ptr [ebp-3C]
00425088 |. 8B00 mov eax, dword ptr [eax]
0042508A |. E8 8DE30800 call 004B341C
0042508F |. FF4D C4 dec dword ptr [ebp-3C]
00425092 |. 8D45 CC lea eax, dword ptr [ebp-34]
00425095 |. BA 02000000 mov edx, 2
0042509A |. E8 455E0C00 call 004EAEE4
0042509F |. EB 08 jmp short 004250A9
004250A1 |> 8B45 A4 mov eax, dword ptr [ebp-5C]
004250A4 |. E8 FB340800 call 004A85A4
004250A9 |> 8B55 A8 mov edx, dword ptr [ebp-58]
004250AC |. 64:8915 00000>mov dword ptr fs:[0], edx
004250B3 |> 8BE5 mov esp, ebp
004250B5 |. 5D pop ebp
004250B6 \. C3 retn
上面关键算法call 00423168 进入
00423168 /$ 55 push ebp ; 算法CALL入口
00423169 |. 8BEC mov ebp, esp
0042316B |. 81C4 70FFFFFF add esp, -90
00423171 |. 56 push esi
00423172 |. 57 push edi
00423173 |. B8 C4465000 mov eax, 005046C4
00423178 |. E8 5BCB0B00 call 004DFCD8
0042317D |. C745 F4 01000>mov dword ptr [ebp-C], 1
00423184 |. 8D55 08 lea edx, dword ptr [ebp+8]
00423187 |. 8D45 08 lea eax, dword ptr [ebp+8]
0042318A |. E8 2D7C0C00 call 004EADBC
0042318F |. FF45 F4 inc dword ptr [ebp-C]
00423192 |. 66:C745 E8 08>mov word ptr [ebp-18], 8
00423198 |. C645 D7 00 mov byte ptr [ebp-29], 0
0042319C |. 66:C745 E8 14>mov word ptr [ebp-18], 14
004231A2 |. 8D45 FC lea eax, dword ptr [ebp-4]
004231A5 |. E8 3AF9FDFF call 00402AE4
004231AA |. 8BD0 mov edx, eax
004231AC |. FF45 F4 inc dword ptr [ebp-C]
004231AF |. 8D45 08 lea eax, dword ptr [ebp+8]
004231B2 |. E8 75800C00 call 004EB22C
004231B7 |. 8D55 FC lea edx, dword ptr [ebp-4]
004231BA |. 8D45 08 lea eax, dword ptr [ebp+8]
004231BD |. E8 527D0C00 call 004EAF14
004231C2 |. FF4D F4 dec dword ptr [ebp-C]
004231C5 |. 8D45 FC lea eax, dword ptr [ebp-4]
004231C8 |. BA 02000000 mov edx, 2
004231CD |. E8 127D0C00 call 004EAEE4 ; 取试验码
004231D2 |. 8D45 08 lea eax, dword ptr [ebp+8]
004231D5 |. E8 5642FEFF call 00407430 ; 算出试验码长度
004231DA |. 83F8 2C cmp eax, 2C ; 注册码长度要等于44(2Ch)
004231DD |. 0F85 44020000 jnz 00423427
004231E3 |. BE 04415000 mov esi, 00504104 ; 赋入固定字符串 1z1h+2a0n-0g8y*9a1n|
004231E8 |. 8D7D 84 lea edi, dword ptr [ebp-7C]
004231EB |. B9 05000000 mov ecx, 5
004231F0 |. F3:A5 rep movs dword ptr es:[edi], dword p>
004231F2 |. A4 movs byte ptr es:[edi], byte ptr [esi>
004231F3 |. 66:C745 E8 08>mov word ptr [ebp-18], 8
004231F9 |. 8D45 08 lea eax, dword ptr [ebp+8]
004231FC |. E8 07ECFDFF call 00401E08
00423201 |. 0FBE50 28 movsx edx, byte ptr [eax+28] ; 取出注册码第41位
00423205 |. 83FA 50 cmp edx, 50 ; 要等于固定字符P(50)
00423208 |. 74 23 je short 0042322D
0042320A |. 33C0 xor eax, eax
0042320C |. 50 push eax
0042320D |. FF4D F4 dec dword ptr [ebp-C]
00423210 |. 8D45 08 lea eax, dword ptr [ebp+8]
00423213 |. BA 02000000 mov edx, 2
00423218 |. E8 C77C0C00 call 004EAEE4
0042321D |. 58 pop eax
0042321E |. 8B55 D8 mov edx, dword ptr [ebp-28]
00423221 |. 64:8915 00000>mov dword ptr fs:[0], edx
00423228 |. E9 19020000 jmp 00423446
0042322D |> 8D45 08 lea eax, dword ptr [ebp+8] ; 再推入试验码
00423230 |. E8 D3EBFDFF call 00401E08
00423235 |. 0FBE50 29 movsx edx, byte ptr [eax+29] ; 取出试验码第42位
00423239 |. 83FA 33 cmp edx, 33 ; 为常数 3
0042323C |. 74 23 je short 00423261
0042323E |. 33C0 xor eax, eax
00423240 |. 50 push eax
00423241 |. FF4D F4 dec dword ptr [ebp-C]
00423244 |. 8D45 08 lea eax, dword ptr [ebp+8]
00423247 |. BA 02000000 mov edx, 2
0042324C |. E8 937C0C00 call 004EAEE4
00423251 |. 58 pop eax
00423252 |. 8B55 D8 mov edx, dword ptr [ebp-28]
00423255 |. 64:8915 00000>mov dword ptr fs:[0], edx
0042325C |. E9 E5010000 jmp 00423446
00423261 |> 8D45 08 lea eax, dword ptr [ebp+8]
00423264 |. E8 9FEBFDFF call 00401E08
00423269 |. 0FBE50 2A movsx edx, byte ptr [eax+2A] ; 试验码第43位
0042326D |. 83FA 54 cmp edx, 54 ; 为固定大写 T
00423270 |. 74 23 je short 00423295
00423272 |. 33C0 xor eax, eax
00423274 |. 50 push eax
00423275 |. FF4D F4 dec dword ptr [ebp-C]
00423278 |. 8D45 08 lea eax, dword ptr [ebp+8]
0042327B |. BA 02000000 mov edx, 2
00423280 |. E8 5F7C0C00 call 004EAEE4
00423285 |. 58 pop eax
00423286 |. 8B55 D8 mov edx, dword ptr [ebp-28]
00423289 |. 64:8915 00000>mov dword ptr fs:[0], edx
00423290 |. E9 B1010000 jmp 00423446
00423295 |> 8D45 08 lea eax, dword ptr [ebp+8]
00423298 |. E8 6BEBFDFF call 00401E08
0042329D |. 0FBE50 2B movsx edx, byte ptr [eax+2B] ; 取试验码最后一位
004232A1 |. 83FA 31 cmp edx, 31 ; 等于固定常数 1
004232A4 |. 74 23 je short 004232C9
004232A6 |. 33C0 xor eax, eax
004232A8 |. 50 push eax
004232A9 |. FF4D F4 dec dword ptr [ebp-C]
004232AC |. 8D45 08 lea eax, dword ptr [ebp+8]
004232AF |. BA 02000000 mov edx, 2
004232B4 |. E8 2B7C0C00 call 004EAEE4
004232B9 |. 58 pop eax
004232BA |. 8B55 D8 mov edx, dword ptr [ebp-28]
004232BD |. 64:8915 00000>mov dword ptr fs:[0], edx
004232C4 |. E9 7D010000 jmp 00423446
004232C9 |> 8D45 08 lea eax, dword ptr [ebp+8]
004232CC |. E8 37EBFDFF call 00401E08
004232D1 |. 50 push eax ; 试验码赋入寄存器EAX
004232D2 |. 8D55 9C lea edx, dword ptr [ebp-64]
004232D5 |. 52 push edx
004232D6 |. E8 59C70B00 call 004DFA34
004232DB |. 83C4 08 add esp, 8
004232DE |. 0FBE4D 9D movsx ecx, byte ptr [ebp-63] ; 取出试验码第2位
004232E2 |. 83F9 33 cmp ecx, 33 ; 等于常数 3
004232E5 |. 0F85 3C010000 jnz 00423427
004232EB |. C645 9D 23 mov byte ptr [ebp-63], 23 ; 取 符号 #
004232EF |. C645 D7 01 mov byte ptr [ebp-29], 1
004232F3 |. C745 D0 02000>mov dword ptr [ebp-30], 2 ; 与注册码第2位 3替换
004232FA |> 8B45 D0 /mov eax, dword ptr [ebp-30]
004232FD |. 0FBE5405 84 |movsx edx, byte ptr [ebp+eax-7C] ; 取固定字符串"1z1h+2a0n-0g8y*9a1n|"第三位
00423302 |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
00423305 |. 0FBE440D 9B |movsx eax, byte ptr [ebp+ecx-65] ; 取替换的#
0042330A |. 03D0 |add edx, eax ; 相加
0042330C |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
0042330F |. 0FBE440D 9C |movsx eax, byte ptr [ebp+ecx-64] ; 取试验码第三位
00423314 33D0 xor edx, eax ; 与上面相加数相异或
00423316 |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
00423319 |. 0FBE440D 84 |movsx eax, byte ptr [ebp+ecx-7C] ; (initial cpu selection)
0042331E |. 33D0 |xor edx, eax ; 两数相异或
00423320 |. 52 |push edx
00423321 |. E8 F275FEFF |call 0040A918 ; 结果转存到EAX作被除数
00423326 |. 59 |pop ecx
00423327 |. B9 1A000000 |mov ecx, 1A
0042332C |. 99 |cdq
0042332D |. F7F9 |idiv ecx ; 除数 1Ah
0042332F |. 83C2 41 |add edx, 41 ; 余数与41h相加得出结果
00423332 |. 8B45 D0 |mov eax, dword ptr [ebp-30]
00423335 |. 0FBE4C05 A5 |movsx ecx, byte ptr [ebp+eax-5B] ; 取试验码的第十二位
0042333A |. 3BD1 |cmp edx, ecx ; 比较相等就通过
0042333C |. 74 06 |je short 00423344
0042333E |. C645 D7 00 |mov byte ptr [ebp-29], 0
00423342 |. EB 09 |jmp short 0042334D
00423344 |> FF45 D0 |inc dword ptr [ebp-30] ; 循环计数由2开始加1
00423347 |. 837D D0 0A |cmp dword ptr [ebp-30], 0A ; 与10比较开始循环计算八次
0042334B |.^ 7C AD \jl short 004232FA
0042334D |> 807D D7 00 cmp byte ptr [ebp-29], 0
00423351 |. 0F84 C3000000 je 0042341A
00423357 |. C745 CC 18000>mov dword ptr [ebp-34], 18 ; 赋值24
0042335E |. 66:C745 E8 08>mov word ptr [ebp-18], 8
00423364 |. 837D CC 28 cmp dword ptr [ebp-34], 28 ; 与40作比较进入下轮算法循环
00423368 |. 7D 4B jge short 004233B5
0042336A |> 8B55 CC /mov edx, dword ptr [ebp-34]
0042336D |. 0FBE4415 85 |movsx eax, byte ptr [ebp+edx-7B] ; 取试验码替换后的第二位#
00423372 |. B9 06000000 |mov ecx, 6 ; 常数 6作除数
00423377 |. 99 |cdq
00423378 |. F7F9 |idiv ecx
0042337A |. 8BCA |mov ecx, edx
0042337C |. 8B45 CC |mov eax, dword ptr [ebp-34]
0042337F |. 0FBE5405 86 |movsx edx, byte ptr [ebp+eax-7A] ; 取试验码第三位
00423384 |. D3E2 |shl edx, cl ; 左移上面相除的余数 位
00423386 |. 8B45 CC |mov eax, dword ptr [ebp-34]
00423389 |. 0FBE4C05 87 |movsx ecx, byte ptr [ebp+eax-79] ; 取试验码第四位
0042338E |. 0BD1 |or edx, ecx ; 相 与 0R
00423390 |. 52 |push edx
00423391 |. E8 8275FEFF |call 0040A918 ; 转入寄存器EAX 作被除数
00423396 |. 59 |pop ecx
00423397 |. B9 1A000000 |mov ecx, 1A ; 除数 26 (1Ah)
0042339C |. 99 |cdq
0042339D |. F7F9 |idiv ecx
0042339F |. 80C2 61 |add dl, 61 ; 余数与61h相加
004233A2 |. 8B45 CC |mov eax, dword ptr [ebp-34]
004233A5 |. 889405 58FFFF>|mov byte ptr [ebp+eax-A8], dl ; 算出的字符储存
004233AC >|. FF45 CC |inc dword ptr [ebp-34]
004233AF |. 837D CC 28 |cmp dword ptr [ebp-34], 28 ; 循环计数加1 与40作比较
004233B3 |.^ 7C B5 \jl short 0042336A ; 开始第二轮循环
004233B5 |> C645 80 5A mov byte ptr [ebp-80], 5A ; 固定字符 Z
004233B9 |. C645 81 59 mov byte ptr [ebp-7F], 59 ; 固定字符 Y
004233BD |. C745 C8 18000>mov dword ptr [ebp-38], 18 ; 连接成十八位字符串
004233C4 |. 66:C745 E8 08>mov word ptr [ebp-18], 8
004233CA |. 837D C8 28 cmp dword ptr [ebp-38], 28 ; 作为下次循环使用
004233CE |. 7D 4A jge short 0042341A
004233D0 |> 8B55 C8 /mov edx, dword ptr [ebp-38]
004233D3 |. 0FBE8415 58FF>|movsx eax, byte ptr [ebp+edx-A8] ; 取出十八位字符串第一位
004233DB |. C1E0 04 |shl eax, 4 ; 左移 固定数四位 相当于2*2*2*2
004233DE |. 8B55 C8 |mov edx, dword ptr [ebp-38]
004233E1 |. 0FBE8C15 59FF>|movsx ecx, byte ptr [ebp+edx-A7] ; 取第二位
004233E9 |. D1F9 |sar ecx, 1 ; 右移一位
004233EB |. 33C1 |xor eax, ecx ; 两得数相异或
004233ED |. 50 |push eax
004233EE |. E8 2575FEFF |call 0040A918
004233F3 |. 59 |pop ecx
004233F4 |. B9 1A000000 |mov ecx, 1A
004233F9 |. 99 |cdq
004233FA |. F7F9 |idiv ecx
004233FC |. 83C2 41 |add edx, 41 ; 余数加41h
004233FF |. 8B45 C8 |mov eax, dword ptr [ebp-38]
00423402 |. 0FBE4405 9C |movsx eax, byte ptr [ebp+eax-64] ; 取试验码第二十五位
00423407 |. 3BD0 |cmp edx, eax ; 比较相等就通过
00423409 74 06 je short 00423411
0042340B |. C645 D7 00 |mov byte ptr [ebp-29], 0
0042340F |. EB 09 |jmp short 0042341A
00423411 |> FF45 C8 |inc dword ptr [ebp-38]
00423414 |. 837D C8 28 |cmp dword ptr [ebp-38], 28 ; 再次循环开始
00423418 |.^ 7C B6 \jl short 004233D0
0042341A |> 0FBE55 A6 movsx edx, byte ptr [ebp-5A] ; 取出试验码第十一位
0042341E |. 83FA 59 cmp edx, 59 ; 与固定字符 Y 作比较相等就通过
00423421 |. 74 04 je short 00423427
00423423 |. C645 D7 00 mov byte ptr [ebp-29], 0
00423427 |> 8A45 D7 mov al, byte ptr [ebp-29]
0042342A |. 50 push eax
0042342B |. FF4D F4 dec dword ptr [ebp-C]
0042342E |. 8D45 08 lea eax, dword ptr [ebp+8]
00423431 |. BA 02000000 mov edx, 2
00423436 |. E8 A97A0C00 call 004EAEE4
0042343B |. 58 pop eax
0042343C |. 8B55 D8 mov edx, dword ptr [ebp-28]
0042343F |. 64:8915 00000>mov dword ptr fs:[0], edx
00423446 |> 5F pop edi
00423447 |. 5E pop esi
00423448 |. 8BE5 mov esp, ebp
0042344A |. 5D pop ebp
0042344B \. C3 retn
上面的注册码算法可以总结如下:
长度必须为44位
第41位为50 P
第42位为33 3
第43位为54 T
第44位为31 1
第2位为33 3
第11位为59 Y
第24位必须为0--9之间的数字
第2位然后为23 #替代
取1z1h+2a0n-0g8y*9a1n|第一位ASC码 取注册码第二位(替换后)23 相加得数
与 取注册码第三位 相XOR 再取1z1h+2a0n-0g8y*9a1n|第三位ASC码 相XOR 得数放入EAX中除1A ,用余数与41h相加得数作为注册码12位
类推13位14位15位16位17位18位19位 共八位注册码
算出计算用的固定字符串A:
取注册码(替换后)第二位23# 除6 取余数 ,取注册码第三位 左移所取的余数, 得数与取注册码第四位 相0R ,得数放入EAX中除1A 得到余数再与61h相加结果
与下面继续类推的结果相连成一组作为后面计算的字符串16位 ,然后再补上二个字符5A 59 即ZY 共18位
后一段十六位注册码算法
取固定字符串A第一位 左移4 得数 ,再与固定字符串A第二位右移1位得数, 二个数相XOR 得到结果 放入EAX中除1A 取余数,用余数与41h相加结果作为注册码25位
以此方式类推,得到 第四十位注册码 共十六位
然后把固定字符串A最后一位Y作为第十一位注册码
根据以上的算法结果注册成功信息才能出现,并在注册表HKCU\software\xtzy\pic2ico里删除后成未注册版,重启后也显示已注册,看起来是正常的,用起来就不正常了,LOAD图片后MODIFY ICON 完成就会在图标上面出现一个大大“白色x”
根本无法使用,看来还有暗桩,继续找吧
沿着注册算法往上翻找到
004BA2D0 /$ 53 push ebx ; 找到这,下个断
004BA2D1 |. 8BD8 mov ebx, eax
004BA2D3 |. 66:83BB 22010>cmp word ptr [ebx+122], 0
004BA2DB |. 74 2D je short 004BA30A
004BA2DD |. 8BC3 mov eax, ebx
004BA2DF |. 8B10 mov edx, dword ptr [eax]
004BA2E1 |. FF52 3C call dword ptr [edx+3C]
004BA2E4 |. 85C0 test eax, eax
004BA2E6 |. 74 22 je short 004BA30A
004BA2E8 |. 8BC3 mov eax, ebx
004BA2EA |. 8B10 mov edx, dword ptr [eax]
004BA2EC |. FF52 3C call dword ptr [edx+3C]
004BA2EF |. 8B40 40 mov eax, dword ptr [eax+40]
004BA2F2 |. 3B83 20010000 cmp eax, dword ptr [ebx+120]
004BA2F8 |. 74 10 je short 004BA30A
004BA2FA |. 8BD3 mov edx, ebx
004BA2FC |. 8B83 24010000 mov eax, dword ptr [ebx+124]
004BA302 |. FF93 20010000 call dword ptr [ebx+120]
004BA308 |. 5B pop ebx
004BA309 |. C3 retn
004BA30A |> F643 1C 10 test byte ptr [ebx+1C], 10
004BA30E |. 75 12 jnz short 004BA322
004BA310 |. 837B 6C 00 cmp dword ptr [ebx+6C], 0
004BA314 |. 74 0C je short 004BA322
004BA316 |. 8BD3 mov edx, ebx
004BA318 |. 8B43 6C mov eax, dword ptr [ebx+6C]
004BA31B |. 8B08 mov ecx, dword ptr [eax]
004BA31D |. FF51 18 call dword ptr [ecx+18]
004BA320 |. EB 18 jmp short 004BA33A
004BA322 |> 66:83BB 22010>cmp word ptr [ebx+122], 0
004BA32A |. 74 0E je short 004BA33A
004BA32C |. 8BD3 mov edx, ebx
004BA32E |. 8B83 24010000 mov eax, dword ptr [ebx+124]
004BA334 |. FF93 20010000 call dword ptr [ebx+120] ; 关键CALL F7进入
004BA33A |> 5B pop ebx
004BA33B \. C3 retn
点注册成功后的软件进行图标转换,MODIFY ICON一路NEXT正常,最后点FINISH断在上面,关键CALL进入如下:
00438CC8 /. 55 push ebp
00438CC9 |. 8BEC mov ebp, esp
00438CCB |. 83C4 94 add esp, -6C
00438CCE |. 8955 AC mov dword ptr [ebp-54], edx
00438CD1 |. 8945 B0 mov dword ptr [ebp-50], eax
00438CD4 |. B8 FC875000 mov eax, 005087FC
00438CD9 |. E8 FA6F0A00 call 004DFCD8
00438CDE |. 8B15 EC1B5100 mov edx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00438CE4 |. 8B0A mov ecx, dword ptr [edx]
00438CE6 |. 8A81 F9030000 mov al, byte ptr [ecx+3F9]
00438CEC |. 8845 AB mov byte ptr [ebp-55], al
00438CEF |. 8B15 F81B5100 mov edx, dword ptr [511BF8] ; Pic2Ico._Form3
00438CF5 |. 8B02 mov eax, dword ptr [edx]
00438CF7 |. 05 1C030000 add eax, 31C
00438CFC |. E8 2FE7FCFF call 00407430
00438D01 |. 48 dec eax
00438D02 |. 7E 53 jle short 00438D57
00438D04 |. 66:C745 C4 08>mov word ptr [ebp-3C], 8
00438D0A |. BA 2D7E5000 mov edx, 00507E2D ; 赋入固定字符串fpjunt
00438D0F |. 8D45 FC lea eax, dword ptr [ebp-4]
00438D12 |. E8 6D200B00 call 004EAD84
00438D17 |. FF45 D0 inc dword ptr [ebp-30]
00438D1A |. 8D55 FC lea edx, dword ptr [ebp-4]
00438D1D |. 8B0D F81B5100 mov ecx, dword ptr [511BF8] ; Pic2Ico._Form3
00438D23 |. 8B01 mov eax, dword ptr [ecx]
00438D25 |. 05 1C030000 add eax, 31C
00438D2A |. E8 C9230B00 call 004EB0F8 ; 关键CALL进入
00438D2F |. 85C0 test eax, eax
00438D31 |. 0F95C2 setne dl ; 验证成功与否标志
00438D34 83E2 01 and edx, 1
00438D37 |. 52 push edx
00438D38 |. FF4D D0 dec dword ptr [ebp-30]
00438D3B |. 8D45 FC lea eax, dword ptr [ebp-4]
00438D3E |. BA 02000000 mov edx, 2
00438D43 |. E8 9C210B00 call 004EAEE4
00438D48 |. 59 pop ecx
00438D49 |. 84C9 test cl, cl ; 标志判断
00438D4B 74 06 je short 00438D53
00438D4D |. C645 AB 00 mov byte ptr [ebp-55], 0 ; 符合就
00438D51 EB 04 jmp short 00438D57 ; 这个跳转地址,如果猜的没错的话,是试用与正式版本不一样的,这个在后面介绍
00438D53 C645 AB 01 mov byte ptr [ebp-55], 1
00438D57 |> A1 EC1B5100 mov eax, dword ptr [511BEC] ; 以下几个赋值是未注册前的取得的软件状态值
00438D5C |. 8B10 mov edx, dword ptr [eax]
00438D5E |. 8B8A F4030000 mov ecx, dword ptr [edx+3F4]
00438D64 |. A1 EC1B5100 mov eax, dword ptr [511BEC]
00438D69 |. 8B10 mov edx, dword ptr [eax]
00438D6B |. 8B82 F4030000 mov eax, dword ptr [edx+3F4] ; 安装软件后多长时间与使用次数等
00438D71 |. 48 dec eax
00438D72 |. 2BC8 sub ecx, eax
00438D74 |. 6BD1 15 imul edx, ecx, 15
00438D77 |. 8B0D EC1B5100 mov ecx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00438D7D |. 8B01 mov eax, dword ptr [ecx]
00438D7F |. 3B90 F4030000 cmp edx, dword ptr [eax+3F4] ; 使用天数与15作比较
00438D85 0F8D E0010000 jge 00438F6B ; 这里可以作个爆破点
00438D8B |. 8B55 B0 mov edx, dword ptr [ebp-50]
00438D8E |. 8B82 EC040000 mov eax, dword ptr [edx+4EC]
00438D94 |. 8B10 mov edx, dword ptr [eax]
关键 call 004EB0F8 来到这里
004EB0F8 /$ 55 push ebp
004EB0F9 |. 8BEC mov ebp, esp
004EB0FB |. 83C4 F8 add esp, -8
004EB0FE |. 53 push ebx
004EB0FF |. 8955 F8 mov dword ptr [ebp-8], edx
004EB102 |. 8945 FC mov dword ptr [ebp-4], eax
004EB105 |. 8B55 FC mov edx, dword ptr [ebp-4]
004EB108 |. 8B12 mov edx, dword ptr [edx] ; 取得成功后的注册码
004EB10A |. 8B45 F8 mov eax, dword ptr [ebp-8] ; 取固定字符串FPJUNT
004EB10D |. 8B00 mov eax, dword ptr [eax]
004EB10F |. E8 CC90F8FF call 004741E0 ; 关键CALL F7
004EB114 |. 5B pop ebx
004EB115 |. 59 pop ecx
004EB116 |. 59 pop ecx
004EB117 |. 5D pop ebp
004EB118 \. C3 retn
关键 call 004741E0 来到这里
004741E0 /$ 85C0 test eax, eax ; 固定字符串判断
004741E2 |. 74 40 je short 00474224
004741E4 |. 85D2 test edx, edx ; 注册码判断
004741E6 |. 74 31 je short 00474219
004741E8 |. 53 push ebx
004741E9 |. 56 push esi
004741EA |. 57 push edi
004741EB |. 89C6 mov esi, eax
004741ED |. 89D7 mov edi, edx
004741EF |. 8B4F FC mov ecx, dword ptr [edi-4] ; 取注册码长度2Ch
004741F2 |. 57 push edi
004741F3 |. 8B56 FC mov edx, dword ptr [esi-4]
004741F6 |. 4A dec edx ; 减去字符串长度6
004741F7 |. 78 1B js short 00474214
004741F9 |. 8A06 mov al, byte ptr [esi] ; 固定字符串第一位F送入AL
004741FB |. 46 inc esi
004741FC |. 29D1 sub ecx, edx ; 循环次数ECX 为2C -6 = 27h
004741FE |. 7E 14 jle short 00474214
00474200 |> F2:AE /repne scas byte ptr es:[edi] ; 此命令是判断注册码中是否包含AL里字符F 并改标志位
00474202 |. 75 10 |jnz short 00474214 ; 没有就跳走
00474204 |. 89CB |mov ebx, ecx
00474206 |. 56 |push esi
00474207 |. 57 |push edi
00474208 |. 89D1 |mov ecx, edx
0047420A |. F3:A6 |repe cmps byte ptr es:[edi], byte pt>; 重复比较,判断固定字符串PJUNT
0047420C |. 5F |pop edi
0047420D |. 5E |pop esi
0047420E 74 0C je short 0047421C ; 符合就验证通过
00474210 |. 89D9 |mov ecx, ebx
00474212 |.^ EB EC \jmp short 00474200
00474214 |> 5A pop edx
00474215 |. 31C0 xor eax, eax
00474217 |. EB 08 jmp short 00474221
00474219 |> 31C0 xor eax, eax
0047421B |. C3 retn
0047421C |> 5A pop edx
0047421D |. 89F8 mov eax, edi
0047421F 29D0 sub eax, edx ; 算出固定字符串所处的位置
00474221 5F pop edi
00474222 5E pop esi
00474223 5B pop ebx
00474224 \> C3 retn
这里特别说明一下:
00438D51 EB 04 jmp short 00438D57
这个跳转地址,如果猜的没错的话,是试用与正式版本不一样的,经过多次调试,发现不管上面验证是否通过都要经过这使用天数比较,超过期限
就在转换的图标上打白色的叉,应该是作者后来把这段代码添加上去,所以可以CUT掉,或简单修改JMP地址00438F6B 就是正式版本了
好了,第一个暗桩解除了,转换图标正常了
下面点SAVE ICON 按钮 发现保存不出来,看来还有暗桩,分析发现
上面CALL有两处调用
本地调用来自 00463A11, 004EB10F
呵呵,看来作者也是为省事,没有重设地址,那对破解者就简单了一步,好了,点下保存后再断在上面,这次发现固定字符串已换了DUR
这样算法也是一样的了,只不过字符串换成DUR
004090F6 . BA EB055000 mov edx, 005005EB ; dur
004090FB . 8D45 A8 lea eax, dword ptr [ebp-58]
004090FE . E8 811C0E00 call 004EAD84
00409103 . FF85 10FFFFFF inc dword ptr [ebp-F0]
00409109 . 8D55 A8 lea edx, dword ptr [ebp-58]
0040910C . 8B0D F81B5100 mov ecx, dword ptr [511BF8] ; Pic2Ico._Form3
00409112 . 8B01 mov eax, dword ptr [ecx]
00409114 . 05 1C030000 add eax, 31C
00409119 . E8 DA1F0E00 call 004EB0F8
0040911E . 85C0 test eax, eax ; 验证通过出来到这里
00409120 . 0F94C2 sete dl
00409123 . 83E2 01 and edx, 1
00409126 . 52 push edx
00409127 . FF8D 10FFFFFF dec dword ptr [ebp-F0]
0040912D . 8D45 A8 lea eax, dword ptr [ebp-58]
00409130 . BA 02000000 mov edx, 2
00409135 . E8 AA1D0E00 call 004EAEE4
0040913A . 59 pop ecx
0040913B . 84C9 test cl, cl ; 同第一个字符串一样 判断标志
0040913D . 74 11 je short 00409150
0040913F . 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C]
00409145 . 64:A3 0000000>mov dword ptr fs:[0], eax
0040914B . E9 000B0000 jmp 00409C50 ; 不通过就由此JMP 广告网并不保存
00409150 > 8B95 F0FEFFFF mov edx, dword ptr [ebp-110] ;
00409156 . 8B82 F4020000 mov eax, dword ptr [edx+2F4]
0040915C . E8 1B920A00 call 004B237C
到此转换 保存 ,使用一切正常了
但有一个问题,每次关机都会出现网页,这也是与正式版本不同之处,算了既然到这就顺路再找个这个暗桩吧
我们知道,调用网页函数一般是用 ShellExecuteA,可以在当前模块中找到它,并下断,关闭软件后断在这里往上查找发现如下
00409C8C /. 55 push ebp
00409C8D |. 8BEC mov ebp, esp
00409C8F |. 83C4 C0 add esp, -40
00409C92 |. 894D C8 mov dword ptr [ebp-38], ecx
00409C95 |. 8955 CC mov dword ptr [ebp-34], edx
00409C98 |. 8945 D0 mov dword ptr [ebp-30], eax
00409C9B |. B8 C4265000 mov eax, 005026C4
00409CA0 |. E8 33600D00 call 004DFCD8
00409CA5 |. 66:C745 E4 08>mov word ptr [ebp-1C], 8
00409CAB |. 8D45 F8 lea eax, dword ptr [ebp-8]
00409CAE |. E8 318EFFFF call 00402AE4
00409CB3 |. 50 push eax
00409CB4 |. FF45 F0 inc dword ptr [ebp-10]
00409CB7 |. BA 21075000 mov edx, 00500721 ; eitemp.ico
00409CBC |. 8D45 FC lea eax, dword ptr [ebp-4]
00409CBF |. E8 C0100E00 call 004EAD84
00409CC4 |. FF45 F0 inc dword ptr [ebp-10]
00409CC7 |. 8D55 FC lea edx, dword ptr [ebp-4]
00409CCA |. 8B45 D0 mov eax, dword ptr [ebp-30]
00409CCD |. 05 FC030000 add eax, 3FC
00409CD2 |. 59 pop ecx
00409CD3 |. E8 64120E00 call 004EAF3C
00409CD8 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00409CDB |. 8B00 mov eax, dword ptr [eax]
00409CDD |. E8 16100E00 call 004EACF8
00409CE2 |. FF4D F0 dec dword ptr [ebp-10]
00409CE5 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00409CE8 |. BA 02000000 mov edx, 2
00409CED |. E8 F2110E00 call 004EAEE4
00409CF2 |. FF4D F0 dec dword ptr [ebp-10]
00409CF5 |. 8D45 FC lea eax, dword ptr [ebp-4]
00409CF8 |. BA 02000000 mov edx, 2
00409CFD |. E8 E2110E00 call 004EAEE4
00409D02 |. 8B4D D0 mov ecx, dword ptr [ebp-30]
00409D05 |. 83B9 F4030000>cmp dword ptr [ecx+3F4], 3 ; 判断使用天数加1是否超过3
00409D0C 7E 40 jle short 00409D4E ; 此处改JMP
00409D0E |. E8 DD8B0500 call 004628F0
00409D13 |. DD5D C0 fstp qword ptr [ebp-40]
00409D16 |. 8D45 C0 lea eax, dword ptr [ebp-40]
00409D19 |. E8 02A8FFFF call 00404520
00409D1E |. D80D B89D4000 fmul dword ptr [409DB8]
00409D24 |. E8 27A40D00 call 004E4150
00409D29 |. B9 03000000 mov ecx, 3
00409D2E |. 99 cdq
00409D2F |. F7F9 idiv ecx
00409D31 |. 85D2 test edx, edx
00409D33 |. 75 19 jnz short 00409D4E
00409D35 |. 6A 05 push 5 ; /IsShown = 5
00409D37 |. 6A 00 push 0 ; |DefDir = NULL
00409D39 |. 6A 00 push 0 ; |Parameters = NULL
00409D3B |. 68 31075000 push 00500731 ; |http://www.exeicon.com/picture-to-icon/?from=softexit
00409D40 |. 68 2C075000 push 0050072C ; |open
00409D45 |. 6A 00 push 0 ; |hWnd = NULL
00409D47 |. E8 EE4E0F00 call <jmp.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00409D4C |. EB 48 jmp short 00409D96
00409D4E |> 8B45 D0 mov eax, dword ptr [ebp-30]
00409D51 |. 80B8 F8030000>cmp byte ptr [eax+3F8], 0 ; 标志值判断是否符合 改JMP
00409D58 74 19 je short 00409D73
00409D5A |. 6A 05 push 5 ; /IsShown = 5
00409D5C |. 6A 00 push 0 ; |DefDir = NULL
00409D5E |. 6A 00 push 0 ; |Parameters = NULL
00409D60 |. 68 6C075000 push 0050076C ; |http://www.freesafesoft.com/download/icons.php?f=p2irokc
00409D65 |. 68 67075000 push 00500767 ; |open
00409D6A |. 6A 00 push 0 ; |hWnd = NULL
00409D6C |. E8 C94E0F00 call <jmp.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00409D71 |. EB 23 jmp short 00409D96
00409D73 |> 8B55 D0 mov edx, dword ptr [ebp-30]
00409D76 |. 80BA F9030000>cmp byte ptr [edx+3F9], 0 ; 标志值判断是否符合 改JMP
00409D7D 74 17 je short 00409D96
00409D7F |. 6A 05 push 5 ; /IsShown = 5
00409D81 |. 6A 00 push 0 ; |DefDir = NULL
00409D83 |. 6A 00 push 0 ; |Parameters = NULL
00409D85 |. 68 AA075000 push 005007AA ; |http://www.freesafesoft.com/download/icons.php?f=p2iexp
00409D8A |. 68 A5075000 push 005007A5 ; |open
00409D8F |. 6A 00 push 0 ; |hWnd = NULL
00409D91 |. E8 A44E0F00 call <jmp.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00409D96 |> 8B4D D0 mov ecx, dword ptr [ebp-30]
00409D99 |. 8B91 FC030000 mov edx, dword ptr [ecx+3FC]
00409D9F |. 8B45 D0 mov eax, dword ptr [ebp-30]
00409DA2 |. E8 8D8DFFFF call 00402B34
00409DA7 |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
00409DAA |. 64:890D 00000>mov dword ptr fs:[0], ecx
00409DB1 |. 8BE5 mov esp, ebp
00409DB3 |. 5D pop ebp
00409DB4 \. C3 retn
现在终于全部完成了
总结:这个软件注册算法不是太复杂,只要有耐心就可以完成,关键是那两个暗桩"FPJUNT""DUR"验证及更换了跳转地址,调试多次,好象跟两个暗桩的字符串放在注册码的位置关系不大,只是有个判断是否大于5,我两种都试过还是无法正常,估计网上下载的与正式版不同,因为不管暗桩如何跳都要跳回试用期验证,只要超过试用期就直接破坏掉转换成的图标,只有改掉那个地址才正常。
好了,现在我把修改过的程序和注册机都放到附件里贴出来,分享给大家(注册机用VB编写,在多台电脑测试通过,有BUG,就是两个固定字符串的位置无法自动调换,所以算出的不包括全部,但已经N多够用的了
Private Sub Command1_Click()
Dim b As String, i As Integer
Dim d As String, j As Integer
Dim v As String
a1 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
a = "1z1h+2a0n-0g8y*9a1n|" '算法常数
b = "#" & "FPJUNT" & Mid(a1, Int(Rnd() * 35 + 1), 1) & Mid(a1, Int(Rnd() * 35 + 1), 1)
For i = 1 To 8 '算出十二位到二十位注册码
a = Trim(a)
b = Trim(b)
c = Hex(Asc(Mid(b, i, 1)))
f = Hex(Asc(Mid(a, i + 2, 1)))
g = Hex(Val("&h" & (c)) + Val("&h" & (f)))
d = Hex(Asc(Mid(b, i + 1, 1)))
e = Hex(Val("&h" & (g)) Xor Val("&h" & (d)))
h = Val("&h" & (e)) Xor Val("&h" & (f))
s = h Mod 26 '取余数
s = Hex(s)
t = Hex(Val("&h" & (s)) + Val("&h" & (41)))
u = Val("&H" & (t))
Y = Y & Chr(u)
Next i
X = b & "Y" & Y '第二位(#)到二十位注册码
For i = 1 To 16 '算出十八位计算数
c1 = Val(Asc(Mid(X, i, 1)))
d1 = c1 Mod 6
e1 = Asc(Mid(X, i + 1, 1))
For j = 1 To d1
e1 = e1 * 2
Next j
e1 = Hex(e1)
f1 = Val("&H" & (e1)) Or Val("&H" & (Hex(Asc(Mid(X, i + 2, 1)))))
g1 = f1 Mod 26
s1 = Hex(g1)
t1 = Hex(Val("&h" & (s1)) + Val("&h" & (61)))
u1 = Val("&H" & (t1))
Y1 = Y1 & Chr(u1)
Next i
X1 = Y1 & Chr(90) & Chr(89)
For i = 1 To 16 '算出二十五位到四十位注册码
c2 = Val(Asc(Mid(X1, i, 1)))
For j = 1 To 4
c2 = c2 * 2
Next j
c2 = Hex(c2)
c3 = Val(Asc(Mid(X1, i + 1, 1)))
n = c3 Mod 2
If (n = 0) Then
e2 = (c3) / 2
Else
e2 = (c3 - 1) / 2
End If
e2 = Hex(e2)
f2 = Val("&H" & (c2)) Xor Val("&H" & (e2))
g2 = f2 Mod 26
s2 = Hex(g2)
t2 = Hex(Val("&h" & (s2)) + Val("&h" & (41)))
u2 = Val("&H" & (t2))
Y2 = Y2 & Chr(u2)
Next i
X2 = Mid(X, 2, (Len(X) - 1))
v = Mid(a1, Int(Rnd() * 35 + 1), 1) & "3" & X2 & "DUR" & Mid(a1, Int(Rnd() * 35 + 1), 1) & Int(Rnd() * 9 + 1) & Y2 & "P3T1"
Text2.Text = v
Clipboard.Clear
Clipboard.SetText (Text2.Text)
End Sub
Private Sub Command1_MouseUp(Button As Integer, Shift As Integer, X As Single, Y As Single)
Command1.Caption = "注册码已复制"
End Sub
Private Sub Command1_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
Command1.Caption = "另取注册码"
End Sub
Private Sub Form_Load()
Text1.Text = "邮箱地址为任意大于三位字符即可"
Label1.Caption = "本注册机由看雪论坛suredwang编写"
Command1.Caption = "获取注册码"
End Sub
pic2ico.zip
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2012年02月11日 10:44:13
【文章作者】: suredwang
【作者邮箱】: suredwang@126.com
【软件名称】: Picture To Icon V3.x
【软件大小】: 1.05M
【下载地址】: http://www.onlinedown.net/soft/45891.htm
【加壳方式】: 无壳
【保护方式】: 注册码+暗桩
【编写语言】: Borland C++ 1999
【使用工具】: OD
【操作平台】: WIN-XP
【软件介绍】: 国外软件,由图片转图标的转换工具
【作者声明】: 只是感兴趣学习,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
本人在自己编程序过程经常要使用大量ICO图标,好多从网上下载来的无效,用它转换后就可以变有效,而且能保持很好的清晰效果,还可以任意调节,
但却要注册并弹出网页,很是烦人,而且未注册版本只能使用15天或20次,那要想完全用她,要么花 $29.95 Add $9.95 for CD, or free delivery if email/download.
要么就是要花点时间破解,后来搜索看雪论坛上已有多位大侠研究过,版本是1.9X,而且算法分析不完整,注册成功也不能用,算了,还是自己动手丰衣足食啊,
呵呵,闲话少说啦先用查壳工具PEID0.94查无壳Borland C++ 1999语言编写,信心大振,直接用OD载入,右键查找注册有关的字符
your registration code is invalid. \nif you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. or please send email to: support@exeicon.com \n
双击到程序领空,并往上查找如下:
00425009 |. E8 9E9D0300 call 0045EDAC
0042500E |. 8B55 9C mov edx, dword ptr [ebp-64]
00425011 |. 8955 D4 mov dword ptr [ebp-2C], edx
00425014 |. 837D D4 00 cmp dword ptr [ebp-2C], 0
00425018 |. 74 21 je short 0042503B
0042501A |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
0042501D |. 8B01 mov eax, dword ptr [ecx]
0042501F |. 8945 D8 mov dword ptr [ebp-28], eax
00425022 |. 66:C745 B8 68>mov word ptr [ebp-48], 68
00425028 |. BA 03000000 mov edx, 3
0042502D |. 8B45 D4 mov eax, dword ptr [ebp-2C]
00425030 |. 8B08 mov ecx, dword ptr [eax]
00425032 |. FF51 FC call dword ptr [ecx-4]
00425035 |. 66:C745 B8 5C>mov word ptr [ebp-48], 5C
0042503B |> 66:C745 B8 74>mov word ptr [ebp-48], 74
00425041 |. BA 53455000 mov edx, 00504553 ; register successfully!\nthank you.
00425046 |. 8D45 D0 lea eax, dword ptr [ebp-30]
00425049 |. E8 365D0C00 call 004EAD84
0042504E |. FF45 C4 inc dword ptr [ebp-3C]
00425051 |. 8B00 mov eax, dword ptr [eax]
00425053 |. E8 C4E30800 call 004B341C
00425058 |. FF4D C4 dec dword ptr [ebp-3C]
0042505B |. 8D45 D0 lea eax, dword ptr [ebp-30]
0042505E |. BA 02000000 mov edx, 2
00425063 |. E8 7C5E0C00 call 004EAEE4
00425068 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
0042506B |. E8 34350800 call 004A85A4
00425070 |. EB 37 jmp short 004250A9 双击到这里
00425072 |> 66:C745 B8 80>mov word ptr [ebp-48], 80
00425078 |. BA 75455000 mov edx, 00504575 ; your registration code is invalid. \nif you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. or please send email to: support@exeicon.com \n
0042507D |. 8D45 CC lea eax, dword ptr [ebp-34]
00425080 |. E8 FF5C0C00 call 004EAD84
可以再往上搜索查找注册算法入口,来到这里
00424D3C /. 55 push ebp ; 在此下断,输入邮箱名和试验码断在这
00424D3D |. 8BEC mov ebp, esp ; 定位入口
00424D3F |. 83C4 9C add esp, -64
00424D42 |. 8955 A0 mov dword ptr [ebp-60], edx
00424D45 |. 8945 A4 mov dword ptr [ebp-5C], eax
00424D48 |. B8 684F5000 mov eax, 00504F68
00424D4D |. E8 86AF0B00 call 004DFCD8
00424D52 |. 8B15 EC1B5100 mov edx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424D58 |. 8B0A mov ecx, dword ptr [edx]
00424D5A |. 80B9 F8030000>cmp byte ptr [ecx+3F8], 0 ; 其实这是一个注册标志判断,这里可以爆破
00424D61 |. 0F85 3A030000 jnz 004250A1
00424D67 |. 66:C745 B8 08>mov word ptr [ebp-48], 8
00424D6D |. 8D45 FC lea eax, dword ptr [ebp-4]
00424D70 |. E8 6FDDFDFF call 00402AE4
00424D75 |. 8BD0 mov edx, eax
00424D77 |. FF45 C4 inc dword ptr [ebp-3C]
00424D7A |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424D7D |. 8B81 00030000 mov eax, dword ptr [ecx+300]
00424D83 |. E8 0C400900 call 004B8D94
00424D88 |. 8D45 FC lea eax, dword ptr [ebp-4]
00424D8B |. E8 A026FEFF call 00407430 ; 取邮箱地址长度
00424D90 |. 83F8 03 cmp eax, 3 ; 长度大于3就赋入继续标志
00424D93 |. 0F9CC2 setl dl
00424D96 |. 83E2 01 and edx, 1
00424D99 |. 52 push edx
00424D9A |. FF4D C4 dec dword ptr [ebp-3C]
00424D9D |. 8D45 FC lea eax, dword ptr [ebp-4]
00424DA0 |. BA 02000000 mov edx, 2
00424DA5 |. E8 3A610C00 call 004EAEE4
00424DAA |. 59 pop ecx
00424DAB |. 84C9 test cl, cl
00424DAD |. 74 3C je short 00424DEB ; 长度大于3就跳到下面继续
00424DAF |. 66:C745 B8 14>mov word ptr [ebp-48], 14
00424DB5 |. BA 18455000 mov edx, 00504518 ; please input your full name!
00424DBA |. 8D45 F8 lea eax, dword ptr [ebp-8]
00424DBD |. E8 C25F0C00 call 004EAD84
00424DC2 |. FF45 C4 inc dword ptr [ebp-3C]
00424DC5 |. 8B00 mov eax, dword ptr [eax]
00424DC7 |. E8 50E60800 call 004B341C
00424DCC |. FF4D C4 dec dword ptr [ebp-3C]
00424DCF |. 8D45 F8 lea eax, dword ptr [ebp-8]
00424DD2 |. BA 02000000 mov edx, 2
00424DD7 |. E8 08610C00 call 004EAEE4
00424DDC |. 8B4D A8 mov ecx, dword ptr [ebp-58]
00424DDF |. 64:890D 00000>mov dword ptr fs:[0], ecx
00424DE6 |. E9 C8020000 jmp 004250B3
00424DEB |> 68 F4010000 push 1F4 ; /Timeout = 500. ms
00424DF0 |. E8 299B0D00 call <jmp.&KERNEL32.Sleep> ; \Sleep
00424DF5 |. 66:C745 B8 20>mov word ptr [ebp-48], 20
00424DFB |. 8D45 F4 lea eax, dword ptr [ebp-C]
00424DFE |. E8 E1DCFDFF call 00402AE4
00424E03 |. 8BD0 mov edx, eax
00424E05 |. FF45 C4 inc dword ptr [ebp-3C]
00424E08 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424E0B |. 8B81 04030000 mov eax, dword ptr [ecx+304]
00424E11 |. E8 7E3F0900 call 004B8D94
00424E16 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00424E19 |. FF32 push dword ptr [edx] ; 取出试验码
00424E1B |. E8 48E3FFFF call 00423168 ; 算法关键CALL,F7进
00424E20 |. 59 pop ecx
00424E21 |. 8B0D EC1B5100 mov ecx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424E27 |. 8B11 mov edx, dword ptr [ecx]
00424E29 |. 8882 F8030000 mov byte ptr [edx+3F8], al
00424E2F |. FF4D C4 dec dword ptr [ebp-3C]
00424E32 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00424E35 |. BA 02000000 mov edx, 2
00424E3A |. E8 A5600C00 call 004EAEE4 ; 注册码正确与否判断
00424E3F |. A1 EC1B5100 mov eax, dword ptr [511BEC]
00424E44 |. 8B08 mov ecx, dword ptr [eax]
00424E46 |. 80B9 F8030000>cmp byte ptr [ecx+3F8], 0
00424E4D |. 0F84 1F020000 je 00425072 ; 此处关键跳,跳走就失败,可爆破NOP
00424E53 |. 66:C745 B8 2C>mov word ptr [ebp-48], 2C
00424E59 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00424E5C |. E8 83DCFDFF call 00402AE4
00424E61 |. 8BD0 mov edx, eax
00424E63 |. FF45 C4 inc dword ptr [ebp-3C]
00424E66 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424E69 |. 8B81 04030000 mov eax, dword ptr [ecx+304]
00424E6F |. E8 203F0900 call 004B8D94
00424E74 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00424E77 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
00424E7A |. 05 1C030000 add eax, 31C
00424E7F |. E8 90600C00 call 004EAF14
00424E84 |. FF4D C4 dec dword ptr [ebp-3C]
00424E87 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00424E8A |. BA 02000000 mov edx, 2
00424E8F |. E8 50600C00 call 004EAEE4
00424E94 |. 8B45 A4 mov eax, dword ptr [ebp-5C] ; 再取试验码
00424E97 |. 05 1C030000 add eax, 31C
00424E9C |. E8 67CFFDFF call 00401E08
00424EA1 |. 0FBE50 17 movsx edx, byte ptr [eax+17] ; 取试验码第二十四位
00424EA5 |. 83FA 30 cmp edx, 30 ; 与数字0比较
00424EA8 |. 7C 16 jl short 00424EC0
00424EAA |. 8B45 A4 mov eax, dword ptr [ebp-5C]
00424EAD |. 05 1C030000 add eax, 31C
00424EB2 |. E8 51CFFDFF call 00401E08
00424EB7 |. 0FBE50 17 movsx edx, byte ptr [eax+17]
00424EBB |. 83FA 39 cmp edx, 39 ; 与9作比较 即0--9之间就通过
00424EBE 7E 0F jle short 00424ECF
00424EC0 |> 8B0D EC1B5100 mov ecx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424EC6 |. 8B01 mov eax, dword ptr [ecx]
00424EC8 |. C680 F8030000>mov byte ptr [eax+3F8], 0
00424ECF |> B2 01 mov dl, 1
00424ED1 |. A1 3CEC4500 mov eax, dword ptr [45EC3C]
00424ED6 |. E8 619E0300 call 0045ED3C
00424EDB |. 8945 9C mov dword ptr [ebp-64], eax
00424EDE |. BA 01000080 mov edx, 80000001
00424EE3 |. 8B45 9C mov eax, dword ptr [ebp-64]
00424EE6 |. E8 055E0C00 call 004EACF0
00424EEB |. 8B15 EC1B5100 mov edx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00424EF1 |. 8B0A mov ecx, dword ptr [edx]
00424EF3 |. 80B9 F8030000>cmp byte ptr [ecx+3F8], 0 ; 再次判断注册码是否符合要求
00424EFA |. 0F84 06010000 je 00425006
00424F00 |. 66:C745 B8 38>mov word ptr [ebp-48], 38 ; 以下都是成功后对注册表写入的操作
00424F06 |. BA 35455000 mov edx, 00504535 ; software\xtzy\pic2ico
00424F0B |. 8D45 EC lea eax, dword ptr [ebp-14]
00424F0E |. E8 715E0C00 call 004EAD84
00424F13 |. FF45 C4 inc dword ptr [ebp-3C]
00424F16 |. 8B10 mov edx, dword ptr [eax]
00424F18 |. B1 01 mov cl, 1
00424F1A |. 8B45 9C mov eax, dword ptr [ebp-64]
00424F1D |. E8 1E9F0300 call 0045EE40
00424F22 |. 84C0 test al, al
00424F24 |. 0F95C0 setne al
00424F27 |. 83E0 01 and eax, 1
00424F2A |. 50 push eax
00424F2B |. FF4D C4 dec dword ptr [ebp-3C]
00424F2E |. 8D45 EC lea eax, dword ptr [ebp-14]
00424F31 |. BA 02000000 mov edx, 2
00424F36 |. E8 A95F0C00 call 004EAEE4
00424F3B |. 59 pop ecx
00424F3C |. 85C9 test ecx, ecx
00424F3E |. 0F84 C2000000 je 00425006
00424F44 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00424F47 |. E8 98DBFDFF call 00402AE4
00424F4C |. 8BD0 mov edx, eax
00424F4E |. FF45 C4 inc dword ptr [ebp-3C]
00424F51 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424F54 |. 8B81 04030000 mov eax, dword ptr [ecx+304] ; (initial cpu selection)
00424F5A |. E8 353E0900 call 004B8D94
00424F5F |. 8D55 E4 lea edx, dword ptr [ebp-1C]
00424F62 |. FF32 push dword ptr [edx]
00424F64 |. 66:C745 B8 44>mov word ptr [ebp-48], 44 ; 写入注册表的键名与键值
00424F6A |. BA 4B455000 mov edx, 0050454B ; no
00424F6F |. 8D45 E8 lea eax, dword ptr [ebp-18]
00424F72 |. E8 0D5E0C00 call 004EAD84
00424F77 |. FF45 C4 inc dword ptr [ebp-3C]
00424F7A |. 8B10 mov edx, dword ptr [eax]
00424F7C |. 8B45 9C mov eax, dword ptr [ebp-64]
00424F7F |. 59 pop ecx
00424F80 |. E8 57A00300 call 0045EFDC
00424F85 |. FF4D C4 dec dword ptr [ebp-3C]
00424F88 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00424F8B |. BA 02000000 mov edx, 2
00424F90 |. E8 4F5F0C00 call 004EAEE4
00424F95 |. FF4D C4 dec dword ptr [ebp-3C]
00424F98 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00424F9B |. BA 02000000 mov edx, 2
00424FA0 |. E8 3F5F0C00 call 004EAEE4
00424FA5 |. 8D45 DC lea eax, dword ptr [ebp-24]
00424FA8 |. E8 37DBFDFF call 00402AE4
00424FAD |. 8BD0 mov edx, eax
00424FAF |. FF45 C4 inc dword ptr [ebp-3C]
00424FB2 |. 8B4D A4 mov ecx, dword ptr [ebp-5C]
00424FB5 |. 8B81 00030000 mov eax, dword ptr [ecx+300]
00424FBB |. E8 D43D0900 call 004B8D94
00424FC0 |. 8D55 DC lea edx, dword ptr [ebp-24]
00424FC3 |. FF32 push dword ptr [edx]
00424FC5 |. 66:C745 B8 50>mov word ptr [ebp-48], 50
00424FCB |. BA 4E455000 mov edx, 0050454E ; name
00424FD0 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00424FD3 |. E8 AC5D0C00 call 004EAD84
00424FD8 |. FF45 C4 inc dword ptr [ebp-3C]
00424FDB |. 8B10 mov edx, dword ptr [eax]
00424FDD |. 8B45 9C mov eax, dword ptr [ebp-64]
00424FE0 |. 59 pop ecx
00424FE1 |. E8 F69F0300 call 0045EFDC
00424FE6 |. FF4D C4 dec dword ptr [ebp-3C]
00424FE9 |. 8D45 DC lea eax, dword ptr [ebp-24]
00424FEC |. BA 02000000 mov edx, 2
00424FF1 |. E8 EE5E0C00 call 004EAEE4
00424FF6 |. FF4D C4 dec dword ptr [ebp-3C]
00424FF9 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00424FFC |. BA 02000000 mov edx, 2
00425001 |. E8 DE5E0C00 call 004EAEE4
00425006 |> 8B45 9C mov eax, dword ptr [ebp-64]
00425009 |. E8 9E9D0300 call 0045EDAC
0042500E |. 8B55 9C mov edx, dword ptr [ebp-64]
00425011 |. 8955 D4 mov dword ptr [ebp-2C], edx
00425014 |. 837D D4 00 cmp dword ptr [ebp-2C], 0
00425018 |. 74 21 je short 0042503B
0042501A |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
0042501D |. 8B01 mov eax, dword ptr [ecx]
0042501F |. 8945 D8 mov dword ptr [ebp-28], eax
00425022 |. 66:C745 B8 68>mov word ptr [ebp-48], 68
00425028 |. BA 03000000 mov edx, 3
0042502D |. 8B45 D4 mov eax, dword ptr [ebp-2C]
00425030 |. 8B08 mov ecx, dword ptr [eax]
00425032 |. FF51 FC call dword ptr [ecx-4]
00425035 |. 66:C745 B8 5C>mov word ptr [ebp-48], 5C
0042503B |> 66:C745 B8 74>mov word ptr [ebp-48], 74
00425041 |. BA 53455000 mov edx, 00504553 ; register successfully!\nthank you.
00425046 |. 8D45 D0 lea eax, dword ptr [ebp-30]
00425049 |. E8 365D0C00 call 004EAD84
0042504E |. FF45 C4 inc dword ptr [ebp-3C]
00425051 |. 8B00 mov eax, dword ptr [eax]
00425053 |. E8 C4E30800 call 004B341C
00425058 |. FF4D C4 dec dword ptr [ebp-3C]
0042505B |. 8D45 D0 lea eax, dword ptr [ebp-30]
0042505E |. BA 02000000 mov edx, 2
00425063 |. E8 7C5E0C00 call 004EAEE4
00425068 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
0042506B |. E8 34350800 call 004A85A4
00425070 |. EB 37 jmp short 004250A9
00425072 |> 66:C745 B8 80>mov word ptr [ebp-48], 80
00425078 |. BA 75455000 mov edx, 00504575 ; your registration code is invalid. \nif you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. or please send email to: support@exeicon.com \n
0042507D |. 8D45 CC lea eax, dword ptr [ebp-34]
00425080 |. E8 FF5C0C00 call 004EAD84
00425085 |. FF45 C4 inc dword ptr [ebp-3C]
00425088 |. 8B00 mov eax, dword ptr [eax]
0042508A |. E8 8DE30800 call 004B341C
0042508F |. FF4D C4 dec dword ptr [ebp-3C]
00425092 |. 8D45 CC lea eax, dword ptr [ebp-34]
00425095 |. BA 02000000 mov edx, 2
0042509A |. E8 455E0C00 call 004EAEE4
0042509F |. EB 08 jmp short 004250A9
004250A1 |> 8B45 A4 mov eax, dword ptr [ebp-5C]
004250A4 |. E8 FB340800 call 004A85A4
004250A9 |> 8B55 A8 mov edx, dword ptr [ebp-58]
004250AC |. 64:8915 00000>mov dword ptr fs:[0], edx
004250B3 |> 8BE5 mov esp, ebp
004250B5 |. 5D pop ebp
004250B6 \. C3 retn
上面关键算法call 00423168 进入
00423168 /$ 55 push ebp ; 算法CALL入口
00423169 |. 8BEC mov ebp, esp
0042316B |. 81C4 70FFFFFF add esp, -90
00423171 |. 56 push esi
00423172 |. 57 push edi
00423173 |. B8 C4465000 mov eax, 005046C4
00423178 |. E8 5BCB0B00 call 004DFCD8
0042317D |. C745 F4 01000>mov dword ptr [ebp-C], 1
00423184 |. 8D55 08 lea edx, dword ptr [ebp+8]
00423187 |. 8D45 08 lea eax, dword ptr [ebp+8]
0042318A |. E8 2D7C0C00 call 004EADBC
0042318F |. FF45 F4 inc dword ptr [ebp-C]
00423192 |. 66:C745 E8 08>mov word ptr [ebp-18], 8
00423198 |. C645 D7 00 mov byte ptr [ebp-29], 0
0042319C |. 66:C745 E8 14>mov word ptr [ebp-18], 14
004231A2 |. 8D45 FC lea eax, dword ptr [ebp-4]
004231A5 |. E8 3AF9FDFF call 00402AE4
004231AA |. 8BD0 mov edx, eax
004231AC |. FF45 F4 inc dword ptr [ebp-C]
004231AF |. 8D45 08 lea eax, dword ptr [ebp+8]
004231B2 |. E8 75800C00 call 004EB22C
004231B7 |. 8D55 FC lea edx, dword ptr [ebp-4]
004231BA |. 8D45 08 lea eax, dword ptr [ebp+8]
004231BD |. E8 527D0C00 call 004EAF14
004231C2 |. FF4D F4 dec dword ptr [ebp-C]
004231C5 |. 8D45 FC lea eax, dword ptr [ebp-4]
004231C8 |. BA 02000000 mov edx, 2
004231CD |. E8 127D0C00 call 004EAEE4 ; 取试验码
004231D2 |. 8D45 08 lea eax, dword ptr [ebp+8]
004231D5 |. E8 5642FEFF call 00407430 ; 算出试验码长度
004231DA |. 83F8 2C cmp eax, 2C ; 注册码长度要等于44(2Ch)
004231DD |. 0F85 44020000 jnz 00423427
004231E3 |. BE 04415000 mov esi, 00504104 ; 赋入固定字符串 1z1h+2a0n-0g8y*9a1n|
004231E8 |. 8D7D 84 lea edi, dword ptr [ebp-7C]
004231EB |. B9 05000000 mov ecx, 5
004231F0 |. F3:A5 rep movs dword ptr es:[edi], dword p>
004231F2 |. A4 movs byte ptr es:[edi], byte ptr [esi>
004231F3 |. 66:C745 E8 08>mov word ptr [ebp-18], 8
004231F9 |. 8D45 08 lea eax, dword ptr [ebp+8]
004231FC |. E8 07ECFDFF call 00401E08
00423201 |. 0FBE50 28 movsx edx, byte ptr [eax+28] ; 取出注册码第41位
00423205 |. 83FA 50 cmp edx, 50 ; 要等于固定字符P(50)
00423208 |. 74 23 je short 0042322D
0042320A |. 33C0 xor eax, eax
0042320C |. 50 push eax
0042320D |. FF4D F4 dec dword ptr [ebp-C]
00423210 |. 8D45 08 lea eax, dword ptr [ebp+8]
00423213 |. BA 02000000 mov edx, 2
00423218 |. E8 C77C0C00 call 004EAEE4
0042321D |. 58 pop eax
0042321E |. 8B55 D8 mov edx, dword ptr [ebp-28]
00423221 |. 64:8915 00000>mov dword ptr fs:[0], edx
00423228 |. E9 19020000 jmp 00423446
0042322D |> 8D45 08 lea eax, dword ptr [ebp+8] ; 再推入试验码
00423230 |. E8 D3EBFDFF call 00401E08
00423235 |. 0FBE50 29 movsx edx, byte ptr [eax+29] ; 取出试验码第42位
00423239 |. 83FA 33 cmp edx, 33 ; 为常数 3
0042323C |. 74 23 je short 00423261
0042323E |. 33C0 xor eax, eax
00423240 |. 50 push eax
00423241 |. FF4D F4 dec dword ptr [ebp-C]
00423244 |. 8D45 08 lea eax, dword ptr [ebp+8]
00423247 |. BA 02000000 mov edx, 2
0042324C |. E8 937C0C00 call 004EAEE4
00423251 |. 58 pop eax
00423252 |. 8B55 D8 mov edx, dword ptr [ebp-28]
00423255 |. 64:8915 00000>mov dword ptr fs:[0], edx
0042325C |. E9 E5010000 jmp 00423446
00423261 |> 8D45 08 lea eax, dword ptr [ebp+8]
00423264 |. E8 9FEBFDFF call 00401E08
00423269 |. 0FBE50 2A movsx edx, byte ptr [eax+2A] ; 试验码第43位
0042326D |. 83FA 54 cmp edx, 54 ; 为固定大写 T
00423270 |. 74 23 je short 00423295
00423272 |. 33C0 xor eax, eax
00423274 |. 50 push eax
00423275 |. FF4D F4 dec dword ptr [ebp-C]
00423278 |. 8D45 08 lea eax, dword ptr [ebp+8]
0042327B |. BA 02000000 mov edx, 2
00423280 |. E8 5F7C0C00 call 004EAEE4
00423285 |. 58 pop eax
00423286 |. 8B55 D8 mov edx, dword ptr [ebp-28]
00423289 |. 64:8915 00000>mov dword ptr fs:[0], edx
00423290 |. E9 B1010000 jmp 00423446
00423295 |> 8D45 08 lea eax, dword ptr [ebp+8]
00423298 |. E8 6BEBFDFF call 00401E08
0042329D |. 0FBE50 2B movsx edx, byte ptr [eax+2B] ; 取试验码最后一位
004232A1 |. 83FA 31 cmp edx, 31 ; 等于固定常数 1
004232A4 |. 74 23 je short 004232C9
004232A6 |. 33C0 xor eax, eax
004232A8 |. 50 push eax
004232A9 |. FF4D F4 dec dword ptr [ebp-C]
004232AC |. 8D45 08 lea eax, dword ptr [ebp+8]
004232AF |. BA 02000000 mov edx, 2
004232B4 |. E8 2B7C0C00 call 004EAEE4
004232B9 |. 58 pop eax
004232BA |. 8B55 D8 mov edx, dword ptr [ebp-28]
004232BD |. 64:8915 00000>mov dword ptr fs:[0], edx
004232C4 |. E9 7D010000 jmp 00423446
004232C9 |> 8D45 08 lea eax, dword ptr [ebp+8]
004232CC |. E8 37EBFDFF call 00401E08
004232D1 |. 50 push eax ; 试验码赋入寄存器EAX
004232D2 |. 8D55 9C lea edx, dword ptr [ebp-64]
004232D5 |. 52 push edx
004232D6 |. E8 59C70B00 call 004DFA34
004232DB |. 83C4 08 add esp, 8
004232DE |. 0FBE4D 9D movsx ecx, byte ptr [ebp-63] ; 取出试验码第2位
004232E2 |. 83F9 33 cmp ecx, 33 ; 等于常数 3
004232E5 |. 0F85 3C010000 jnz 00423427
004232EB |. C645 9D 23 mov byte ptr [ebp-63], 23 ; 取 符号 #
004232EF |. C645 D7 01 mov byte ptr [ebp-29], 1
004232F3 |. C745 D0 02000>mov dword ptr [ebp-30], 2 ; 与注册码第2位 3替换
004232FA |> 8B45 D0 /mov eax, dword ptr [ebp-30]
004232FD |. 0FBE5405 84 |movsx edx, byte ptr [ebp+eax-7C] ; 取固定字符串"1z1h+2a0n-0g8y*9a1n|"第三位
00423302 |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
00423305 |. 0FBE440D 9B |movsx eax, byte ptr [ebp+ecx-65] ; 取替换的#
0042330A |. 03D0 |add edx, eax ; 相加
0042330C |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
0042330F |. 0FBE440D 9C |movsx eax, byte ptr [ebp+ecx-64] ; 取试验码第三位
00423314 33D0 xor edx, eax ; 与上面相加数相异或
00423316 |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
00423319 |. 0FBE440D 84 |movsx eax, byte ptr [ebp+ecx-7C] ; (initial cpu selection)
0042331E |. 33D0 |xor edx, eax ; 两数相异或
00423320 |. 52 |push edx
00423321 |. E8 F275FEFF |call 0040A918 ; 结果转存到EAX作被除数
00423326 |. 59 |pop ecx
00423327 |. B9 1A000000 |mov ecx, 1A
0042332C |. 99 |cdq
0042332D |. F7F9 |idiv ecx ; 除数 1Ah
0042332F |. 83C2 41 |add edx, 41 ; 余数与41h相加得出结果
00423332 |. 8B45 D0 |mov eax, dword ptr [ebp-30]
00423335 |. 0FBE4C05 A5 |movsx ecx, byte ptr [ebp+eax-5B] ; 取试验码的第十二位
0042333A |. 3BD1 |cmp edx, ecx ; 比较相等就通过
0042333C |. 74 06 |je short 00423344
0042333E |. C645 D7 00 |mov byte ptr [ebp-29], 0
00423342 |. EB 09 |jmp short 0042334D
00423344 |> FF45 D0 |inc dword ptr [ebp-30] ; 循环计数由2开始加1
00423347 |. 837D D0 0A |cmp dword ptr [ebp-30], 0A ; 与10比较开始循环计算八次
0042334B |.^ 7C AD \jl short 004232FA
0042334D |> 807D D7 00 cmp byte ptr [ebp-29], 0
00423351 |. 0F84 C3000000 je 0042341A
00423357 |. C745 CC 18000>mov dword ptr [ebp-34], 18 ; 赋值24
0042335E |. 66:C745 E8 08>mov word ptr [ebp-18], 8
00423364 |. 837D CC 28 cmp dword ptr [ebp-34], 28 ; 与40作比较进入下轮算法循环
00423368 |. 7D 4B jge short 004233B5
0042336A |> 8B55 CC /mov edx, dword ptr [ebp-34]
0042336D |. 0FBE4415 85 |movsx eax, byte ptr [ebp+edx-7B] ; 取试验码替换后的第二位#
00423372 |. B9 06000000 |mov ecx, 6 ; 常数 6作除数
00423377 |. 99 |cdq
00423378 |. F7F9 |idiv ecx
0042337A |. 8BCA |mov ecx, edx
0042337C |. 8B45 CC |mov eax, dword ptr [ebp-34]
0042337F |. 0FBE5405 86 |movsx edx, byte ptr [ebp+eax-7A] ; 取试验码第三位
00423384 |. D3E2 |shl edx, cl ; 左移上面相除的余数 位
00423386 |. 8B45 CC |mov eax, dword ptr [ebp-34]
00423389 |. 0FBE4C05 87 |movsx ecx, byte ptr [ebp+eax-79] ; 取试验码第四位
0042338E |. 0BD1 |or edx, ecx ; 相 与 0R
00423390 |. 52 |push edx
00423391 |. E8 8275FEFF |call 0040A918 ; 转入寄存器EAX 作被除数
00423396 |. 59 |pop ecx
00423397 |. B9 1A000000 |mov ecx, 1A ; 除数 26 (1Ah)
0042339C |. 99 |cdq
0042339D |. F7F9 |idiv ecx
0042339F |. 80C2 61 |add dl, 61 ; 余数与61h相加
004233A2 |. 8B45 CC |mov eax, dword ptr [ebp-34]
004233A5 |. 889405 58FFFF>|mov byte ptr [ebp+eax-A8], dl ; 算出的字符储存
004233AC >|. FF45 CC |inc dword ptr [ebp-34]
004233AF |. 837D CC 28 |cmp dword ptr [ebp-34], 28 ; 循环计数加1 与40作比较
004233B3 |.^ 7C B5 \jl short 0042336A ; 开始第二轮循环
004233B5 |> C645 80 5A mov byte ptr [ebp-80], 5A ; 固定字符 Z
004233B9 |. C645 81 59 mov byte ptr [ebp-7F], 59 ; 固定字符 Y
004233BD |. C745 C8 18000>mov dword ptr [ebp-38], 18 ; 连接成十八位字符串
004233C4 |. 66:C745 E8 08>mov word ptr [ebp-18], 8
004233CA |. 837D C8 28 cmp dword ptr [ebp-38], 28 ; 作为下次循环使用
004233CE |. 7D 4A jge short 0042341A
004233D0 |> 8B55 C8 /mov edx, dword ptr [ebp-38]
004233D3 |. 0FBE8415 58FF>|movsx eax, byte ptr [ebp+edx-A8] ; 取出十八位字符串第一位
004233DB |. C1E0 04 |shl eax, 4 ; 左移 固定数四位 相当于2*2*2*2
004233DE |. 8B55 C8 |mov edx, dword ptr [ebp-38]
004233E1 |. 0FBE8C15 59FF>|movsx ecx, byte ptr [ebp+edx-A7] ; 取第二位
004233E9 |. D1F9 |sar ecx, 1 ; 右移一位
004233EB |. 33C1 |xor eax, ecx ; 两得数相异或
004233ED |. 50 |push eax
004233EE |. E8 2575FEFF |call 0040A918
004233F3 |. 59 |pop ecx
004233F4 |. B9 1A000000 |mov ecx, 1A
004233F9 |. 99 |cdq
004233FA |. F7F9 |idiv ecx
004233FC |. 83C2 41 |add edx, 41 ; 余数加41h
004233FF |. 8B45 C8 |mov eax, dword ptr [ebp-38]
00423402 |. 0FBE4405 9C |movsx eax, byte ptr [ebp+eax-64] ; 取试验码第二十五位
00423407 |. 3BD0 |cmp edx, eax ; 比较相等就通过
00423409 74 06 je short 00423411
0042340B |. C645 D7 00 |mov byte ptr [ebp-29], 0
0042340F |. EB 09 |jmp short 0042341A
00423411 |> FF45 C8 |inc dword ptr [ebp-38]
00423414 |. 837D C8 28 |cmp dword ptr [ebp-38], 28 ; 再次循环开始
00423418 |.^ 7C B6 \jl short 004233D0
0042341A |> 0FBE55 A6 movsx edx, byte ptr [ebp-5A] ; 取出试验码第十一位
0042341E |. 83FA 59 cmp edx, 59 ; 与固定字符 Y 作比较相等就通过
00423421 |. 74 04 je short 00423427
00423423 |. C645 D7 00 mov byte ptr [ebp-29], 0
00423427 |> 8A45 D7 mov al, byte ptr [ebp-29]
0042342A |. 50 push eax
0042342B |. FF4D F4 dec dword ptr [ebp-C]
0042342E |. 8D45 08 lea eax, dword ptr [ebp+8]
00423431 |. BA 02000000 mov edx, 2
00423436 |. E8 A97A0C00 call 004EAEE4
0042343B |. 58 pop eax
0042343C |. 8B55 D8 mov edx, dword ptr [ebp-28]
0042343F |. 64:8915 00000>mov dword ptr fs:[0], edx
00423446 |> 5F pop edi
00423447 |. 5E pop esi
00423448 |. 8BE5 mov esp, ebp
0042344A |. 5D pop ebp
0042344B \. C3 retn
上面的注册码算法可以总结如下:
长度必须为44位
第41位为50 P
第42位为33 3
第43位为54 T
第44位为31 1
第2位为33 3
第11位为59 Y
第24位必须为0--9之间的数字
第2位然后为23 #替代
取1z1h+2a0n-0g8y*9a1n|第一位ASC码 取注册码第二位(替换后)23 相加得数
与 取注册码第三位 相XOR 再取1z1h+2a0n-0g8y*9a1n|第三位ASC码 相XOR 得数放入EAX中除1A ,用余数与41h相加得数作为注册码12位
类推13位14位15位16位17位18位19位 共八位注册码
算出计算用的固定字符串A:
取注册码(替换后)第二位23# 除6 取余数 ,取注册码第三位 左移所取的余数, 得数与取注册码第四位 相0R ,得数放入EAX中除1A 得到余数再与61h相加结果
与下面继续类推的结果相连成一组作为后面计算的字符串16位 ,然后再补上二个字符5A 59 即ZY 共18位
后一段十六位注册码算法
取固定字符串A第一位 左移4 得数 ,再与固定字符串A第二位右移1位得数, 二个数相XOR 得到结果 放入EAX中除1A 取余数,用余数与41h相加结果作为注册码25位
以此方式类推,得到 第四十位注册码 共十六位
然后把固定字符串A最后一位Y作为第十一位注册码
根据以上的算法结果注册成功信息才能出现,并在注册表HKCU\software\xtzy\pic2ico里删除后成未注册版,重启后也显示已注册,看起来是正常的,用起来就不正常了,LOAD图片后MODIFY ICON 完成就会在图标上面出现一个大大“白色x”
根本无法使用,看来还有暗桩,继续找吧
沿着注册算法往上翻找到
004BA2D0 /$ 53 push ebx ; 找到这,下个断
004BA2D1 |. 8BD8 mov ebx, eax
004BA2D3 |. 66:83BB 22010>cmp word ptr [ebx+122], 0
004BA2DB |. 74 2D je short 004BA30A
004BA2DD |. 8BC3 mov eax, ebx
004BA2DF |. 8B10 mov edx, dword ptr [eax]
004BA2E1 |. FF52 3C call dword ptr [edx+3C]
004BA2E4 |. 85C0 test eax, eax
004BA2E6 |. 74 22 je short 004BA30A
004BA2E8 |. 8BC3 mov eax, ebx
004BA2EA |. 8B10 mov edx, dword ptr [eax]
004BA2EC |. FF52 3C call dword ptr [edx+3C]
004BA2EF |. 8B40 40 mov eax, dword ptr [eax+40]
004BA2F2 |. 3B83 20010000 cmp eax, dword ptr [ebx+120]
004BA2F8 |. 74 10 je short 004BA30A
004BA2FA |. 8BD3 mov edx, ebx
004BA2FC |. 8B83 24010000 mov eax, dword ptr [ebx+124]
004BA302 |. FF93 20010000 call dword ptr [ebx+120]
004BA308 |. 5B pop ebx
004BA309 |. C3 retn
004BA30A |> F643 1C 10 test byte ptr [ebx+1C], 10
004BA30E |. 75 12 jnz short 004BA322
004BA310 |. 837B 6C 00 cmp dword ptr [ebx+6C], 0
004BA314 |. 74 0C je short 004BA322
004BA316 |. 8BD3 mov edx, ebx
004BA318 |. 8B43 6C mov eax, dword ptr [ebx+6C]
004BA31B |. 8B08 mov ecx, dword ptr [eax]
004BA31D |. FF51 18 call dword ptr [ecx+18]
004BA320 |. EB 18 jmp short 004BA33A
004BA322 |> 66:83BB 22010>cmp word ptr [ebx+122], 0
004BA32A |. 74 0E je short 004BA33A
004BA32C |. 8BD3 mov edx, ebx
004BA32E |. 8B83 24010000 mov eax, dword ptr [ebx+124]
004BA334 |. FF93 20010000 call dword ptr [ebx+120] ; 关键CALL F7进入
004BA33A |> 5B pop ebx
004BA33B \. C3 retn
点注册成功后的软件进行图标转换,MODIFY ICON一路NEXT正常,最后点FINISH断在上面,关键CALL进入如下:
00438CC8 /. 55 push ebp
00438CC9 |. 8BEC mov ebp, esp
00438CCB |. 83C4 94 add esp, -6C
00438CCE |. 8955 AC mov dword ptr [ebp-54], edx
00438CD1 |. 8945 B0 mov dword ptr [ebp-50], eax
00438CD4 |. B8 FC875000 mov eax, 005087FC
00438CD9 |. E8 FA6F0A00 call 004DFCD8
00438CDE |. 8B15 EC1B5100 mov edx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00438CE4 |. 8B0A mov ecx, dword ptr [edx]
00438CE6 |. 8A81 F9030000 mov al, byte ptr [ecx+3F9]
00438CEC |. 8845 AB mov byte ptr [ebp-55], al
00438CEF |. 8B15 F81B5100 mov edx, dword ptr [511BF8] ; Pic2Ico._Form3
00438CF5 |. 8B02 mov eax, dword ptr [edx]
00438CF7 |. 05 1C030000 add eax, 31C
00438CFC |. E8 2FE7FCFF call 00407430
00438D01 |. 48 dec eax
00438D02 |. 7E 53 jle short 00438D57
00438D04 |. 66:C745 C4 08>mov word ptr [ebp-3C], 8
00438D0A |. BA 2D7E5000 mov edx, 00507E2D ; 赋入固定字符串fpjunt
00438D0F |. 8D45 FC lea eax, dword ptr [ebp-4]
00438D12 |. E8 6D200B00 call 004EAD84
00438D17 |. FF45 D0 inc dword ptr [ebp-30]
00438D1A |. 8D55 FC lea edx, dword ptr [ebp-4]
00438D1D |. 8B0D F81B5100 mov ecx, dword ptr [511BF8] ; Pic2Ico._Form3
00438D23 |. 8B01 mov eax, dword ptr [ecx]
00438D25 |. 05 1C030000 add eax, 31C
00438D2A |. E8 C9230B00 call 004EB0F8 ; 关键CALL进入
00438D2F |. 85C0 test eax, eax
00438D31 |. 0F95C2 setne dl ; 验证成功与否标志
00438D34 83E2 01 and edx, 1
00438D37 |. 52 push edx
00438D38 |. FF4D D0 dec dword ptr [ebp-30]
00438D3B |. 8D45 FC lea eax, dword ptr [ebp-4]
00438D3E |. BA 02000000 mov edx, 2
00438D43 |. E8 9C210B00 call 004EAEE4
00438D48 |. 59 pop ecx
00438D49 |. 84C9 test cl, cl ; 标志判断
00438D4B 74 06 je short 00438D53
00438D4D |. C645 AB 00 mov byte ptr [ebp-55], 0 ; 符合就
00438D51 EB 04 jmp short 00438D57 ; 这个跳转地址,如果猜的没错的话,是试用与正式版本不一样的,这个在后面介绍
00438D53 C645 AB 01 mov byte ptr [ebp-55], 1
00438D57 |> A1 EC1B5100 mov eax, dword ptr [511BEC] ; 以下几个赋值是未注册前的取得的软件状态值
00438D5C |. 8B10 mov edx, dword ptr [eax]
00438D5E |. 8B8A F4030000 mov ecx, dword ptr [edx+3F4]
00438D64 |. A1 EC1B5100 mov eax, dword ptr [511BEC]
00438D69 |. 8B10 mov edx, dword ptr [eax]
00438D6B |. 8B82 F4030000 mov eax, dword ptr [edx+3F4] ; 安装软件后多长时间与使用次数等
00438D71 |. 48 dec eax
00438D72 |. 2BC8 sub ecx, eax
00438D74 |. 6BD1 15 imul edx, ecx, 15
00438D77 |. 8B0D EC1B5100 mov ecx, dword ptr [511BEC] ; Pic2Ico._IconConverter
00438D7D |. 8B01 mov eax, dword ptr [ecx]
00438D7F |. 3B90 F4030000 cmp edx, dword ptr [eax+3F4] ; 使用天数与15作比较
00438D85 0F8D E0010000 jge 00438F6B ; 这里可以作个爆破点
00438D8B |. 8B55 B0 mov edx, dword ptr [ebp-50]
00438D8E |. 8B82 EC040000 mov eax, dword ptr [edx+4EC]
00438D94 |. 8B10 mov edx, dword ptr [eax]
关键 call 004EB0F8 来到这里
004EB0F8 /$ 55 push ebp
004EB0F9 |. 8BEC mov ebp, esp
004EB0FB |. 83C4 F8 add esp, -8
004EB0FE |. 53 push ebx
004EB0FF |. 8955 F8 mov dword ptr [ebp-8], edx
004EB102 |. 8945 FC mov dword ptr [ebp-4], eax
004EB105 |. 8B55 FC mov edx, dword ptr [ebp-4]
004EB108 |. 8B12 mov edx, dword ptr [edx] ; 取得成功后的注册码
004EB10A |. 8B45 F8 mov eax, dword ptr [ebp-8] ; 取固定字符串FPJUNT
004EB10D |. 8B00 mov eax, dword ptr [eax]
004EB10F |. E8 CC90F8FF call 004741E0 ; 关键CALL F7
004EB114 |. 5B pop ebx
004EB115 |. 59 pop ecx
004EB116 |. 59 pop ecx
004EB117 |. 5D pop ebp
004EB118 \. C3 retn
关键 call 004741E0 来到这里
004741E0 /$ 85C0 test eax, eax ; 固定字符串判断
004741E2 |. 74 40 je short 00474224
004741E4 |. 85D2 test edx, edx ; 注册码判断
004741E6 |. 74 31 je short 00474219
004741E8 |. 53 push ebx
004741E9 |. 56 push esi
004741EA |. 57 push edi
004741EB |. 89C6 mov esi, eax
004741ED |. 89D7 mov edi, edx
004741EF |. 8B4F FC mov ecx, dword ptr [edi-4] ; 取注册码长度2Ch
004741F2 |. 57 push edi
004741F3 |. 8B56 FC mov edx, dword ptr [esi-4]
004741F6 |. 4A dec edx ; 减去字符串长度6
004741F7 |. 78 1B js short 00474214
004741F9 |. 8A06 mov al, byte ptr [esi] ; 固定字符串第一位F送入AL
004741FB |. 46 inc esi
004741FC |. 29D1 sub ecx, edx ; 循环次数ECX 为2C -6 = 27h
004741FE |. 7E 14 jle short 00474214
00474200 |> F2:AE /repne scas byte ptr es:[edi] ; 此命令是判断注册码中是否包含AL里字符F 并改标志位
00474202 |. 75 10 |jnz short 00474214 ; 没有就跳走
00474204 |. 89CB |mov ebx, ecx
00474206 |. 56 |push esi
00474207 |. 57 |push edi
00474208 |. 89D1 |mov ecx, edx
0047420A |. F3:A6 |repe cmps byte ptr es:[edi], byte pt>; 重复比较,判断固定字符串PJUNT
0047420C |. 5F |pop edi
0047420D |. 5E |pop esi
0047420E 74 0C je short 0047421C ; 符合就验证通过
00474210 |. 89D9 |mov ecx, ebx
00474212 |.^ EB EC \jmp short 00474200
00474214 |> 5A pop edx
00474215 |. 31C0 xor eax, eax
00474217 |. EB 08 jmp short 00474221
00474219 |> 31C0 xor eax, eax
0047421B |. C3 retn
0047421C |> 5A pop edx
0047421D |. 89F8 mov eax, edi
0047421F 29D0 sub eax, edx ; 算出固定字符串所处的位置
00474221 5F pop edi
00474222 5E pop esi
00474223 5B pop ebx
00474224 \> C3 retn
这里特别说明一下:
00438D51 EB 04 jmp short 00438D57
这个跳转地址,如果猜的没错的话,是试用与正式版本不一样的,经过多次调试,发现不管上面验证是否通过都要经过这使用天数比较,超过期限
就在转换的图标上打白色的叉,应该是作者后来把这段代码添加上去,所以可以CUT掉,或简单修改JMP地址00438F6B 就是正式版本了
好了,第一个暗桩解除了,转换图标正常了
下面点SAVE ICON 按钮 发现保存不出来,看来还有暗桩,分析发现上面CALL有两处调用
本地调用来自 00463A11, 004EB10F
呵呵,看来作者也是为省事,没有重设地址,那对破解者就简单了一步,好了,点下保存后再断在上面,这次发现固定字符串已换了DUR
这样算法也是一样的了,只不过字符串换成DUR
004090F6 . BA EB055000 mov edx, 005005EB ; dur
004090FB . 8D45 A8 lea eax, dword ptr [ebp-58]
004090FE . E8 811C0E00 call 004EAD84
00409103 . FF85 10FFFFFF inc dword ptr [ebp-F0]
00409109 . 8D55 A8 lea edx, dword ptr [ebp-58]
0040910C . 8B0D F81B5100 mov ecx, dword ptr [511BF8] ; Pic2Ico._Form3
00409112 . 8B01 mov eax, dword ptr [ecx]
00409114 . 05 1C030000 add eax, 31C
00409119 . E8 DA1F0E00 call 004EB0F8
0040911E . 85C0 test eax, eax ; 验证通过出来到这里
00409120 . 0F94C2 sete dl
00409123 . 83E2 01 and edx, 1
00409126 . 52 push edx
00409127 . FF8D 10FFFFFF dec dword ptr [ebp-F0]
0040912D . 8D45 A8 lea eax, dword ptr [ebp-58]
00409130 . BA 02000000 mov edx, 2
00409135 . E8 AA1D0E00 call 004EAEE4
0040913A . 59 pop ecx
0040913B . 84C9 test cl, cl ; 同第一个字符串一样 判断标志
0040913D . 74 11 je short 00409150
0040913F . 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C]
00409145 . 64:A3 0000000>mov dword ptr fs:[0], eax
0040914B . E9 000B0000 jmp 00409C50 ; 不通过就由此JMP 广告网并不保存
00409150 > 8B95 F0FEFFFF mov edx, dword ptr [ebp-110] ;
00409156 . 8B82 F4020000 mov eax, dword ptr [edx+2F4]
0040915C . E8 1B920A00 call 004B237C
到此转换 保存 ,使用一切正常了
但有一个问题,每次关机都会出现网页,这也是与正式版本不同之处,算了既然到这就顺路再找个这个暗桩吧
我们知道,调用网页函数一般是用 ShellExecuteA,可以在当前模块中找到它,并下断,关闭软件后断在这里往上查找发现如下
00409C8C /. 55 push ebp
00409C8D |. 8BEC mov ebp, esp
00409C8F |. 83C4 C0 add esp, -40
00409C92 |. 894D C8 mov dword ptr [ebp-38], ecx
00409C95 |. 8955 CC mov dword ptr [ebp-34], edx
00409C98 |. 8945 D0 mov dword ptr [ebp-30], eax
00409C9B |. B8 C4265000 mov eax, 005026C4
00409CA0 |. E8 33600D00 call 004DFCD8
00409CA5 |. 66:C745 E4 08>mov word ptr [ebp-1C], 8
00409CAB |. 8D45 F8 lea eax, dword ptr [ebp-8]
00409CAE |. E8 318EFFFF call 00402AE4
00409CB3 |. 50 push eax
00409CB4 |. FF45 F0 inc dword ptr [ebp-10]
00409CB7 |. BA 21075000 mov edx, 00500721 ; eitemp.ico
00409CBC |. 8D45 FC lea eax, dword ptr [ebp-4]
00409CBF |. E8 C0100E00 call 004EAD84
00409CC4 |. FF45 F0 inc dword ptr [ebp-10]
00409CC7 |. 8D55 FC lea edx, dword ptr [ebp-4]
00409CCA |. 8B45 D0 mov eax, dword ptr [ebp-30]
00409CCD |. 05 FC030000 add eax, 3FC
00409CD2 |. 59 pop ecx
00409CD3 |. E8 64120E00 call 004EAF3C
00409CD8 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00409CDB |. 8B00 mov eax, dword ptr [eax]
00409CDD |. E8 16100E00 call 004EACF8
00409CE2 |. FF4D F0 dec dword ptr [ebp-10]
00409CE5 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00409CE8 |. BA 02000000 mov edx, 2
00409CED |. E8 F2110E00 call 004EAEE4
00409CF2 |. FF4D F0 dec dword ptr [ebp-10]
00409CF5 |. 8D45 FC lea eax, dword ptr [ebp-4]
00409CF8 |. BA 02000000 mov edx, 2
00409CFD |. E8 E2110E00 call 004EAEE4
00409D02 |. 8B4D D0 mov ecx, dword ptr [ebp-30]
00409D05 |. 83B9 F4030000>cmp dword ptr [ecx+3F4], 3 ; 判断使用天数加1是否超过3
00409D0C 7E 40 jle short 00409D4E ; 此处改JMP
00409D0E |. E8 DD8B0500 call 004628F0
00409D13 |. DD5D C0 fstp qword ptr [ebp-40]
00409D16 |. 8D45 C0 lea eax, dword ptr [ebp-40]
00409D19 |. E8 02A8FFFF call 00404520
00409D1E |. D80D B89D4000 fmul dword ptr [409DB8]
00409D24 |. E8 27A40D00 call 004E4150
00409D29 |. B9 03000000 mov ecx, 3
00409D2E |. 99 cdq
00409D2F |. F7F9 idiv ecx
00409D31 |. 85D2 test edx, edx
00409D33 |. 75 19 jnz short 00409D4E
00409D35 |. 6A 05 push 5 ; /IsShown = 5
00409D37 |. 6A 00 push 0 ; |DefDir = NULL
00409D39 |. 6A 00 push 0 ; |Parameters = NULL
00409D3B |. 68 31075000 push 00500731 ; |http://www.exeicon.com/picture-to-icon/?from=softexit
00409D40 |. 68 2C075000 push 0050072C ; |open
00409D45 |. 6A 00 push 0 ; |hWnd = NULL
00409D47 |. E8 EE4E0F00 call <jmp.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00409D4C |. EB 48 jmp short 00409D96
00409D4E |> 8B45 D0 mov eax, dword ptr [ebp-30]
00409D51 |. 80B8 F8030000>cmp byte ptr [eax+3F8], 0 ; 标志值判断是否符合 改JMP
00409D58 74 19 je short 00409D73
00409D5A |. 6A 05 push 5 ; /IsShown = 5
00409D5C |. 6A 00 push 0 ; |DefDir = NULL
00409D5E |. 6A 00 push 0 ; |Parameters = NULL
00409D60 |. 68 6C075000 push 0050076C ; |http://www.freesafesoft.com/download/icons.php?f=p2irokc
00409D65 |. 68 67075000 push 00500767 ; |open
00409D6A |. 6A 00 push 0 ; |hWnd = NULL
00409D6C |. E8 C94E0F00 call <jmp.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00409D71 |. EB 23 jmp short 00409D96
00409D73 |> 8B55 D0 mov edx, dword ptr [ebp-30]
00409D76 |. 80BA F9030000>cmp byte ptr [edx+3F9], 0 ; 标志值判断是否符合 改JMP
00409D7D 74 17 je short 00409D96
00409D7F |. 6A 05 push 5 ; /IsShown = 5
00409D81 |. 6A 00 push 0 ; |DefDir = NULL
00409D83 |. 6A 00 push 0 ; |Parameters = NULL
00409D85 |. 68 AA075000 push 005007AA ; |http://www.freesafesoft.com/download/icons.php?f=p2iexp
00409D8A |. 68 A5075000 push 005007A5 ; |open
00409D8F |. 6A 00 push 0 ; |hWnd = NULL
00409D91 |. E8 A44E0F00 call <jmp.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00409D96 |> 8B4D D0 mov ecx, dword ptr [ebp-30]
00409D99 |. 8B91 FC030000 mov edx, dword ptr [ecx+3FC]
00409D9F |. 8B45 D0 mov eax, dword ptr [ebp-30]
00409DA2 |. E8 8D8DFFFF call 00402B34
00409DA7 |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
00409DAA |. 64:890D 00000>mov dword ptr fs:[0], ecx
00409DB1 |. 8BE5 mov esp, ebp
00409DB3 |. 5D pop ebp
00409DB4 \. C3 retn
现在终于全部完成了
总结:这个软件注册算法不是太复杂,只要有耐心就可以完成,关键是那两个暗桩"FPJUNT""DUR"验证及更换了跳转地址,调试多次,好象跟两个暗桩的字符串放在注册码的位置关系不大,只是有个判断是否大于5,我两种都试过还是无法正常,估计网上下载的与正式版不同,因为不管暗桩如何跳都要跳回试用期验证,只要超过试用期就直接破坏掉转换成的图标,只有改掉那个地址才正常。
好了,现在我把修改过的程序和注册机都放到附件里贴出来,分享给大家(注册机用VB编写,在多台电脑测试通过,有BUG,就是两个固定字符串的位置无法自动调换,所以算出的不包括全部,但已经N多够用的了
Private Sub Command1_Click()
Dim b As String, i As Integer
Dim d As String, j As Integer
Dim v As String
a1 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
a = "1z1h+2a0n-0g8y*9a1n|" '算法常数
b = "#" & "FPJUNT" & Mid(a1, Int(Rnd() * 35 + 1), 1) & Mid(a1, Int(Rnd() * 35 + 1), 1)
For i = 1 To 8 '算出十二位到二十位注册码
a = Trim(a)
b = Trim(b)
c = Hex(Asc(Mid(b, i, 1)))
f = Hex(Asc(Mid(a, i + 2, 1)))
g = Hex(Val("&h" & (c)) + Val("&h" & (f)))
d = Hex(Asc(Mid(b, i + 1, 1)))
e = Hex(Val("&h" & (g)) Xor Val("&h" & (d)))
h = Val("&h" & (e)) Xor Val("&h" & (f))
s = h Mod 26 '取余数
s = Hex(s)
t = Hex(Val("&h" & (s)) + Val("&h" & (41)))
u = Val("&H" & (t))
Y = Y & Chr(u)
Next i
X = b & "Y" & Y '第二位(#)到二十位注册码
For i = 1 To 16 '算出十八位计算数
c1 = Val(Asc(Mid(X, i, 1)))
d1 = c1 Mod 6
e1 = Asc(Mid(X, i + 1, 1))
For j = 1 To d1
e1 = e1 * 2
Next j
e1 = Hex(e1)
f1 = Val("&H" & (e1)) Or Val("&H" & (Hex(Asc(Mid(X, i + 2, 1)))))
g1 = f1 Mod 26
s1 = Hex(g1)
t1 = Hex(Val("&h" & (s1)) + Val("&h" & (61)))
u1 = Val("&H" & (t1))
Y1 = Y1 & Chr(u1)
Next i
X1 = Y1 & Chr(90) & Chr(89)
For i = 1 To 16 '算出二十五位到四十位注册码
c2 = Val(Asc(Mid(X1, i, 1)))
For j = 1 To 4
c2 = c2 * 2
Next j
c2 = Hex(c2)
c3 = Val(Asc(Mid(X1, i + 1, 1)))
n = c3 Mod 2
If (n = 0) Then
e2 = (c3) / 2
Else
e2 = (c3 - 1) / 2
End If
e2 = Hex(e2)
f2 = Val("&H" & (c2)) Xor Val("&H" & (e2))
g2 = f2 Mod 26
s2 = Hex(g2)
t2 = Hex(Val("&h" & (s2)) + Val("&h" & (41)))
u2 = Val("&H" & (t2))
Y2 = Y2 & Chr(u2)
Next i
X2 = Mid(X, 2, (Len(X) - 1))
v = Mid(a1, Int(Rnd() * 35 + 1), 1) & "3" & X2 & "DUR" & Mid(a1, Int(Rnd() * 35 + 1), 1) & Int(Rnd() * 9 + 1) & Y2 & "P3T1"
Text2.Text = v
Clipboard.Clear
Clipboard.SetText (Text2.Text)
End Sub
Private Sub Command1_MouseUp(Button As Integer, Shift As Integer, X As Single, Y As Single)
Command1.Caption = "注册码已复制"
End Sub
Private Sub Command1_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
Command1.Caption = "另取注册码"
End Sub
Private Sub Form_Load()
Text1.Text = "邮箱地址为任意大于三位字符即可"
Label1.Caption = "本注册机由看雪论坛suredwang编写"
Command1.Caption = "获取注册码"
End Sub
pic2ico.zip
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2012年02月11日 10:44:13
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
[QUOTE=suredwang;1044165]00474200 |> F2:AE /repne scas byte ptr es:[edi] ; 此命令是判断注册码中是否包含固定字符串PJUNT 并改标志位
不好意思,这个地方说法是错误的,应该是判断注册码中是否包含AL中的字符F并改标志位 在此说...[/QUOTE] 重新编辑过,自己顶一下
|
|
|
|
|
|
楼主一如既往的地道分析啊 支持下!!!
|
|
|
谢谢支持!我也是一只菜鸟,VB才刚自学不到二个月
,互相支持学习吧
|
|
|
|
|
|
BlueT大侠,非常感谢你的指导!你这一改简洁多了,呵呵,我才学了个把月,我变量多是因为可以边编写边验证测试代码是否正确,全集中到一块,出错后很难找到错在哪里,所以才采用了这种笨办法,这个也只能用来编个注册机什么的,用在程序上肯定不行了, 以后有机会真要请你吃饭啦,呵呵
|
|
|
先祝BlueT大侠保重身体啊,健健康康,天天开心快乐!
说明一下上面注册机里注释写错了字,就注册码二十位应该是十九位,为了严谨,声明一下,已经重编辑一次了,不敢再编辑了
|
|
|
|
|
|
|
|
|
|
|
|
|
