【破解作者】 ftts[BCG]
【作者邮箱】 [email]ftts1@163.com[/email]
【作者主页】 http://ftts.wy8.net
【使用工具】 ollydbg 1.1
【破解平台】 Win9x/NT/2000/XP
【软件名称】 Camtasia Studio 3.0
【软件大小】 26.203k
【加壳方式】 无壳
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
注册算法分析:去掉25位注册码的后四位的比较位,取25位注册码的第6位跟第12位做为移位码,取完之后并将它们去掉,余下19位注册码,这19位注册码
经过移位之后,取19位注册码中的第十一位移位码,取完之后并将它们去掉,得到十八位注册码,这些注册码再经过第二次移位。再取经过第二次移位的注册码
的md5散列的前4位跟25位注册码的后四位比较,并且要求它们是相等的。再之后就是将移位后的十八位注册码转为二进制,并去掉其中的三十位,进行验证
这几关过了就注册成功^_~.
注册机:我们把移位码设为C则移位量为0,就不用移位了,25位注册码的6-13(CACCBACC)位跟后四位是有限制的,其它位可为随机数(0-F),但要满足移位后的18位注册码的
md5散列前四位为2-9之间的数字。
首先我们用ollydbg加载CamAudioEditor.exe,找注册码算法的入口来到41f1fa.
0041F1FA |> \68 E4F04800 push CamAudio.0048F0E4
0041F1FF |. 68 501A4900 push CamAudio.00491A50
0041F204 |. 8BCF mov ecx,edi
0041F206 |. FF15 FCD44800 call dword ptr ds:[<&MFC71.#5491>] ; MFC71.7C189DD6
0041F20C |. 8B1E mov ebx,dword ptr ds:[esi]
0041F20E |. 8BCF mov ecx,edi
0041F210 |. FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0041F216 |. 50 push eax
0041F217 |. 8BCD mov ecx,ebp
0041F219 |. FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0041F21F |. 50 push eax
0041F220 |. 8BCE mov ecx,esi
0041F222 |. FF53 24 call dword ptr ds:[ebx+24] ; CamAudio.00416070 -->这里面是注册算法
0041F225 |. 8BD8 mov ebx,eax 返回值为1则注册成功,并且将注册码跟注册名
0041F227 |. 80FB 01 cmp bl,1 保存在注册表里面
0041F22A |. 75 53 jnz short CamAudio.0041F27F
0041F22C |. 8BCF mov ecx,edi
0041F22E |. C746 34 01000000 mov dword ptr ds:[esi+34],1
0041F235 |. C786 BC000000 00>mov dword ptr ds:[esi+BC],0
0041F23F |. FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0041F245 |. 50 push eax ; /Arg2
0041F246 |. 68 B01A4900 push CamAudio.00491AB0 ; |Arg1 = 00491AB0 ASCII "RegistrationKey"
0041F24B |. 8BCE mov ecx,esi ; |
0041F24D |. E8 8EF6FFFF call CamAudio.0041E8E0 ; \CamAudio.0041E8E0
0041F252 |. 8BCD mov ecx,ebp
0041F254 |. FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0041F25A |. 50 push eax ; /Arg2
0041F25B |. 68 C01A4900 push CamAudio.00491AC0 ; |Arg1 = 00491AC0 ASCII "RegisteredTo"
0041F260 |. 8BCE mov ecx,esi ; |
0041F262 |. E8 79F6FFFF call CamAudio.0041E8E0 ; \CamAudio.0041E8E0
0041F267 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
0041F26B |. 8B06 mov eax,dword ptr ds:[esi]
-------------------------->跟进00416070
00416070 . 6A FF push -1
00416072 . 68 F9444800 push CamAudio.004844F9 ; SE handler installation
..................
00416097 . C74424 20 000000>mov dword ptr ss:[esp+20],0
0041609F . BF 08000000 mov edi,8 ; 这里要注意,下面比较要用到
004160A4 . 50 push eax
004160A5 . 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004160A9 . C74424 20 000000>mov dword ptr ss:[esp+20],0
004160B1 . 897C24 3C mov dword ptr ss:[esp+3C],edi
004160B5 . 32DB xor bl,bl
004160B7 . C64424 12 0A mov byte ptr ss:[esp+12],0A
004160BC . FF15 D8D84800 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
004160C2 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004160C6 . C78424 B0000000 >mov dword ptr ss:[esp+B0],0
004160D1 . FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
004160D7 . 83F8 1D cmp eax,1D
004160DA . 0F84 E9010000 je CamAudio.004162C9
004160E0 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004160E4 . FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
004160EA . 83F8 19 cmp eax,19 ; ---->这里比较注册码长度为25位则跳
004160ED . 0F84 D6010000 je CamAudio.004162C9
004160F3 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004160F7 . FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
004160FD . 83F8 0E cmp eax,0E
00416100 . 74 19 je short CamAudio.0041611B
00416102 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00416106 . FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0041610C . 83F8 12 cmp eax,12 ; ---->这里是以前老版本的注册码为18位,到后面你可以看出
0041610F . 74 0A je short CamAudio.0041611B ; 老版本的注册码现在已经不能用了
00416111 . C64424 0E 0C mov byte ptr ss:[esp+E],0C
00416116 . E9 FC020000 jmp CamAudio.00416417
0041611B > 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0041611F . 51 push ecx
00416120 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00416124 . FF15 F0D84800 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
0041612A . 6A 04 push 4
0041612C . 8D5424 1C lea edx,dword ptr ss:[esp+1C]
00416130 . 52 push edx
.............................
0041626E . 6A 10 push 10
00416270 . 6A 00 push 0
00416272 . 8BC8 mov ecx,eax
00416274 . FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0041627A . 50 push eax
0041627B . FFD6 call esi
0041627D . 83C4 0C add esp,0C
00416280 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00416284 . 8BF0 mov esi,eax
00416286 . FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0041628C . 83FE 41 cmp esi,41
0041628F . 72 18 jb short CamAudio.004162A9
00416291 . 83C6 BF add esi,-41
00416294 . 32DB xor bl,bl ; 看这里bl被清0了
00416296 . 83FE 21 cmp esi,21
00416299 . 73 07 jnb short CamAudio.004162A2 ; 这里要跳过
0041629B . C64424 0E 0D mov byte ptr ss:[esp+E],0D
004162A0 . EB 0E jmp short CamAudio.004162B0
004162A2 > C64424 0E 0C mov byte ptr ss:[esp+E],0C
004162A7 . EB 07 jmp short CamAudio.004162B0
004162A9 > C64424 0E 0C mov byte ptr ss:[esp+E],0C
004162AE > 32DB xor bl,bl ; 看这里bl被清0了
004162B0 > 8D4C24 18 lea ecx,dword ptr ss:[esp+18] ; 所以这里不论老的注册码是否正确,都会注册失败
004162B4 . FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
004162BA . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004162BE . FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
004162C4 . E9 4E010000 jmp CamAudio.00416417 ; 下面为25位注册码的算法
004162C9 > 68 E4F04800 push CamAudio.0048F0E4 ; /Arg1 = 0048F0E4
004162CE . 8D4C24 50 lea ecx,dword ptr ss:[esp+50] ; |
004162D2 . E8 A9A70000 call CamAudio.00420A80 ; \CamAudio.00420A80
004162D7 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004162DB . C68424 B0000000 >mov byte ptr ss:[esp+B0],1
004162E3 . FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
004162E9 . 50 push eax ; /Arg1
004162EA . 8D4C24 50 lea ecx,dword ptr ss:[esp+50] ; |
004162EE . E8 BDA00000 call CamAudio.004203B0 ;---->注册算法跟进去
004162F3 . 84C0 test al,al
004162F5 . 74 24 je short CamAudio.0041631B ; 不能跳转
004162F7 . 397C24 50 cmp dword ptr ss:[esp+50],edi ; 这里的edi就是最开始要求要注意的 mov esi,8
004162FB . 75 1E jnz short CamAudio.0041631B ; 另一个参数是由注册码算出来的
004162FD . 8D5424 2C lea edx,dword ptr ss:[esp+2C]
00416301 . 52 push edx
00416302 . 8D4C24 50 lea ecx,dword ptr ss:[esp+50]
00416306 . E8 E5FBFFFF call CamAudio.00415EF0
0041630B . 8338 00 cmp dword ptr ds:[eax],0 ; 12d2a0
0041630E . B9 01000000 mov ecx,1
00416313 . 74 0A je short CamAudio.0041631F ; 不能跳转
00416315 . 884C24 0F mov byte ptr ss:[esp+F],cl ; 要到这里来 cl=1 下面要用到
00416319 . EB 09 jmp short CamAudio.00416324
0041631B > 8A4C24 20 mov cl,byte ptr ss:[esp+20] ; c1
0041631F > C64424 0F 00 mov byte ptr ss:[esp+F],0 ; 不能到这里来12d283
00416324 > F6C1 01 test cl,1
00416327 . 74 09 je short CamAudio.00416332
00416329 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0041632D . E8 DE760100 call CamAudio.0042DA10
00416332 > 8A4424 0F mov al,byte ptr ss:[esp+F] ; 12d283 al=cl=1
00416336 . 84C0 test al,al
00416338 . 0F84 C8000000 je CamAudio.00416406
0041633E . 6A 00 push 0
00416340 . 6A 00 push 0
00416342 . 6A 03 push 3
00416344 . 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
00416348 . E8 53760100 call CamAudio.0042D9A0
0041634D . 8BF8 mov edi,eax
0041634F . 8D4424 20 lea eax,dword ptr ss:[esp+20]
00416353 . 50 push eax
00416354 . 8D4C24 50 lea ecx,dword ptr ss:[esp+50]
00416358 . E8 53F4FFFF call CamAudio.004157B0
0041635D . 57 push edi
0041635E . 8BC8 mov ecx,eax
00416360 . C68424 B4000000 >mov byte ptr ss:[esp+B4],3
00416368 . E8 53760100 call CamAudio.0042D9C0 ; ---.
0041636D . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00416371 . 8AD8 mov bl,al
00416373 . C68424 B0000000 >mov byte ptr ss:[esp+B0],2
0041637B . E8 70B5FEFF call CamAudio.004018F0
00416380 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00416384 . C68424 B0000000 >mov byte ptr ss:[esp+B0],1
0041638C . E8 5FB5FEFF call CamAudio.004018F0
00416391 . 84DB test bl,bl
00416393 . 74 6A je short CamAudio.004163FF ; 不能跳
00416395 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00416399 . 51 push ecx
0041639A . 8D4C24 50 lea ecx,dword ptr ss:[esp+50]
0041639E . B3 01 mov bl,1 ; 要到这里来
004163A0 . C64424 12 00 mov byte ptr ss:[esp+12],0
004163A5 . E8 06F4FFFF call CamAudio.004157B0
004163AA . 8B08 mov ecx,dword ptr ds:[eax]
004163AC . 8D96 CC000000 lea edx,dword ptr ds:[esi+CC]
004163B2 . 890A mov dword ptr ds:[edx],ecx
004163B4 . 8B48 04 mov ecx,dword ptr ds:[eax+4]
004163B7 . 894A 04 mov dword ptr ds:[edx+4],ecx
.........................
00416421 . 8B8C24 A8000000 mov ecx,dword ptr ss:[esp+A8]
00416428 . 33C0 xor eax,eax
0041642A . 8A6424 0E mov ah,byte ptr ss:[esp+E]
0041642E . 5F pop edi
0041642F . 5E pop esi
00416430 . 64:890D 00000000 mov dword ptr fs:[0],ecx
00416437 . 8AC3 mov al,bl ; bl=1则注册成功
00416439 . 5B pop ebx
0041643A . 81C4 A8000000 add esp,0A8
00416440 . C2 0800 retn 8
------------------------->
004203B0 /$ 6A FF push -1
004203B2 |. 68 AF524800 push CamAudio.004852AF ; SE handler installation
004203B7 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
004203BD |. 50 push eax
004203BE |. 64:8925 00000000 mov dword ptr fs:[0],esp
004203C5 |. 83EC 40 sub esp,40
...........................
00420409 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0042040D |. FF15 84D54800 call dword ptr ds:[<&MFC71.#4085>] ; MFC71.7C189FA4
00420413 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00420417 |. C64424 60 00 mov byte ptr ss:[esp+60],0 ; 初始化为0
0042041C |. FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
00420422 |. 83F8 19 cmp eax,19 ; 比较注册码是否为25位
00420425 |. 0F85 4B050000 jnz CamAudio.00420976
0042042B |. 6A 04 push 4
0042042D |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00420431 |. 51 push ecx
00420432 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00420436 |. FF15 08D54800 call dword ptr ds:[<&MFC71.#5563>] ; MFC71.7C188DED
0042043C |. 6A 15 push 15
0042043E |. 8D5424 14 lea edx,dword ptr ss:[esp+14]
00420442 |. 52 push edx
00420443 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00420447 |. C64424 60 01 mov byte ptr ss:[esp+60],1
0042044C |. FF15 44D74800 call dword ptr ds:[<&MFC71.#3997>] ; MFC71.7C188E36
00420452 |. 6A 05 push 5 ; 取25位注册码的第六位
00420454 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00420458 |. C64424 5C 02 mov byte ptr ss:[esp+5C],2
0042045D |. FF15 78D54800 call dword ptr ds:[<&MFC71.#865>] ; MFC71.7C1894E7
00420463 |. 83CF FF or edi,FFFFFFFF
00420466 |. 33C9 xor ecx,ecx
00420468 |> 3A81 88284900 /cmp al,byte ptr ds:[ecx+492888] ; 这里将取出的注册码,跟密码表比较
0042046E |. 74 08 |je short CamAudio.00420478 ; 如果找到相等的,则保存相应序号
00420470 |. 41 |inc ecx
00420471 |. 83F9 20 |cmp ecx,20
00420474 |.^ 7C F2 \jl short CamAudio.00420468
00420476 |. EB 02 jmp short CamAudio.0042047A
00420478 |> 8BF9 mov edi,ecx ; 这里的值是用来算第一次移位位数的,这里为0的话就不用移位了~_^
0042047A |> 6A 01 push 1 ; 将25位注册码的第六位去掉
0042047C |. 6A 05 push 5
0042047E |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00420482 |. FF15 80D54800 call dword ptr ds:[<&MFC71.#1916>] ; MFC71.7C189568
00420488 |. 6A 0A push 0A ; 取25位注册码的第12位
0042048A |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0042048E |. FF15 78D54800 call dword ptr ds:[<&MFC71.#865>] ; MFC71.7C1894E7
00420494 |. 83CE FF or esi,FFFFFFFF
00420497 |. 33C9 xor ecx,ecx
00420499 |. 8DA424 00000000 lea esp,dword ptr ss:[esp]
004204A0 |> 3A81 88284900 /cmp al,byte ptr ds:[ecx+492888]
004204A6 |. 74 08 |je short CamAudio.004204B0
004204A8 |. 41 |inc ecx
004204A9 |. 83F9 20 |cmp ecx,20
004204AC |.^ 7C F2 \jl short CamAudio.004204A0
004204AE |. EB 02 jmp short CamAudio.004204B2
004204B0 |> 8BF1 mov esi,ecx ; 这里的值是用来算第一次移位位数的,这里为0的话就不用移位了~_^
004204B2 |> 6A 01 push 1 ; 将25位注册码的第12位去掉
004204B4 |. 6A 0A push 0A
004204B6 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004204BA |. FF15 80D54800 call dword ptr ds:[<&MFC71.#1916>] ; MFC71.7C189568
004204C0 |. 33C0 xor eax,eax
004204C2 |. BD A8284900 mov ebp,CamAudio.004928A8
004204C7 |. 896C24 3C mov dword ptr ss:[esp+3C],ebp
004204CB |. 894424 40 mov dword ptr ss:[esp+40],eax
004204CF |. 894424 4C mov dword ptr ss:[esp+4C],eax
004204D3 |. 894424 48 mov dword ptr ss:[esp+48],eax
004204D7 |. 894424 44 mov dword ptr ss:[esp+44],eax
004204DB |. 8D4424 3C lea eax,dword ptr ss:[esp+3C]
004204DF |. B3 03 mov bl,3
004204E1 |. 50 push eax
004204E2 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004204E6 |. 885C24 5C mov byte ptr ss:[esp+5C],bl
004204EA |. FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
004204F0 |. 50 push eax
004204F1 |. E8 BAFDFFFF call CamAudio.004202B0 ; 注册码转为密码序号,并将密码序号转为2进制
004204F6 |. 83C6 20 add esi,20
004204F9 |. 83C4 08 add esp,8
004204FC |. 83FE FF cmp esi,-1
004204FF |. 75 05 jnz short CamAudio.00420506
00420501 |. 8B7424 44 mov esi,dword ptr ss:[esp+44]
00420505 |. 4E dec esi
00420506 |> 8BC7 mov eax,edi
00420508 |. 99 cdq
00420509 |. 8D4E 01 lea ecx,dword ptr ds:[esi+1]
0042050C |. F7F9 idiv ecx
0042050E |. 56 push esi
0042050F |. 6A 00 push 0
00420511 |. 2BCA sub ecx,edx
00420513 |. 51 push ecx
00420514 |. 8D4C24 48 lea ecx,dword ptr ss:[esp+48]
00420518 |. 51 push ecx
00420519 |. E8 82FBFFFF call CamAudio.004200A0 ; 这里是第一次移位
0042051E |. 8D5424 4C lea edx,dword ptr ss:[esp+4C]
00420522 |. 52 push edx
00420523 |. 8D4424 38 lea eax,dword ptr ss:[esp+38]
00420527 |. 50 push eax
00420528 |. E8 A3FCFFFF call CamAudio.004201D0 ; 将移位之后的二进制再转为注册码
0042052D |. 83C4 18 add esp,18
00420530 |. 50 push eax
00420531 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00420535 |. C64424 5C 04 mov byte ptr ss:[esp+5C],4
0042053A |. FF15 9CD84800 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15
00420540 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00420544 |. 885C24 58 mov byte ptr ss:[esp+58],bl
00420548 |. FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0042054E |. 6A 0A push 0A ; 取经过第一次移位之后的十九位注册码的第
00420550 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14] 十一位作为移位码
00420554 |. FF15 78D54800 call dword ptr ds:[<&MFC71.#865>] ; MFC71.7C1894E7
0042055A |. 83CE FF or esi,FFFFFFFF
0042055D |. 33C9 xor ecx,ecx
0042055F |. 90 nop
00420560 |> 3A81 88284900 /cmp al,byte ptr ds:[ecx+492888] //取移位码的序号
00420566 |. 74 08 |je short CamAudio.00420570
00420568 |. 41 |inc ecx
00420569 |. 83F9 20 |cmp ecx,20
0042056C |.^ 7C F2 \jl short CamAudio.00420560
0042056E |. EB 02 jmp short CamAudio.00420572
00420570 |> 8BF1 mov esi,ecx
00420572 |> 6A 01 push 1
00420574 |. 6A 0A push 0A //去掉移位码
00420576 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0042057A |. FF15 80D54800 call dword ptr ds:[<&MFC71.#1916>] ; MFC71.7C189568
00420580 |. 8D4C24 3C lea ecx,dword ptr ss:[esp+3C]
00420584 |. 51 push ecx
00420585 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00420589 |. FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
0042058F |. 50 push eax
00420590 |. E8 1BFDFFFF call CamAudio.004202B0-->将十八位注册码化为二进制
00420595 |. 6A FF push -1
00420597 |. 33FF xor edi,edi
00420599 |. 57 push edi
0042059A |. 8D5424 4C lea edx,dword ptr ss:[esp+4C]
0042059E |. 56 push esi
0042059F |. 52 push edx
004205A0 |. E8 FBFAFFFF call CamAudio.004200A0 -->第二次移位
004205A5 |. 8D4424 54 lea eax,dword ptr ss:[esp+54]
004205A9 |. 50 push eax
004205AA |. 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
004205AE |. 51 push ecx
004205AF |. E8 1CFCFFFF call CamAudio.004201D0 ; 将二进制转为十八位注册码
004205B4 |. 83C4 20 add esp,20
004205B7 |. 50 push eax
004205B8 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004205BC |. C64424 5C 05 mov byte ptr ss:[esp+5C],5
004205C1 |. FF15 9CD84800 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15
004205C7 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
004205CB |. 885C24 58 mov byte ptr ss:[esp+58],bl
004205CF |. FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
004205D5 |. 8D5424 10 lea edx,dword ptr ss:[esp+10]
004205D9 |. 52 push edx
004205DA |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
004205DE |. 50 push eax
004205DF |. E8 ECF70000 call CamAudio.0042FDD0 ; ---------->
004205E4 |. 83C4 08 add esp,8
004205E7 |. 6A 04 push 4
004205E9 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004205ED |. 51 push ecx
004205EE |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
004205F2 |. C64424 60 06 mov byte ptr ss:[esp+60],6
004205F7 |. FF15 44D74800 call dword ptr ds:[<&MFC71.#3997>] ; MFC71.7C188E36
004205FD |. 50 push eax
004205FE |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00420602 |. C64424 5C 07 mov byte ptr ss:[esp+5C],7
00420607 |. FF15 9CD84800 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15
0042060D |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00420611 |. C64424 58 06 mov byte ptr ss:[esp+58],6
00420616 |. FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0042061C |. 33F6 xor esi,esi
0042061E |. 8BFF mov edi,edi
00420620 |> 56 /push esi
00420621 |. 8D4C24 18 |lea ecx,dword ptr ss:[esp+18]
00420625 |. FF15 78D54800 |call dword ptr ds:[<&MFC71.#865>] ; MFC71.7C1894E7
0042062B |. 3C 30 |cmp al,30
0042062D |. 8D4C24 14 |lea ecx,dword ptr ss:[esp+14]
00420631 |. 75 04 |jnz short CamAudio.00420637
00420633 |. 6A 52 |push 52
00420635 |. EB 11 |jmp short CamAudio.00420648
00420637 |> 56 |push esi
00420638 |. FF15 78D54800 |call dword ptr ds:[<&MFC71.#865>] ; MFC71.7C1894E7
0042063E |. 3C 31 |cmp al,31
00420640 |. 75 0D |jnz short CamAudio.0042064F
00420642 |. 6A 4D |push 4D
00420644 |. 8D4C24 18 |lea ecx,dword ptr ss:[esp+18]
00420648 |> 56 |push esi
00420649 |. FF15 7CD54800 |call dword ptr ds:[<&MFC71.#5710>] ; MFC71.7C18952E
0042064F |> 46 |inc esi
00420650 |. 83FE 04 |cmp esi,4
00420653 |.^ 7C CB \jl short CamAudio.00420620
00420655 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00420659 |. FF15 84D54800 call dword ptr ds:[<&MFC71.#4085>] ; MFC71.7C189FA4
0042065F |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00420663 |. FF15 08D94800 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
00420669 |. 50 push eax
0042066A |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0042066E |. FF15 08D84800 call dword ptr ds:[<&MFC71.#1482>] ; 这里是比较25位注册码的后4位,跟md5散列的前4位是否相等
00420674 |. 85C0 test eax,eax ; 这里不相等,则跳转,跳转注册就失败了
00420676 |. 0F85 C6020000 jnz CamAudio.00420942
0042067C |. 896C24 28 mov dword ptr ss:[esp+28],ebp 要注意,这里的md5前四位只能为数字,且不能为1和0
00420680 |. 897C24 2C mov dword ptr ss:[esp+2C],edi
00420684 |. 897C24 38 mov dword ptr ss:[esp+38],edi
00420688 |. 897C24 34 mov dword ptr ss:[esp+34],edi
0042068C |. 897C24 30 mov dword ptr ss:[esp+30],edi
00420690 |. 6A FF push -1
00420692 |. 6A 3C push 3C
00420694 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00420698 |. C64424 60 08 mov byte ptr ss:[esp+60],8
0042069D |. E8 5EF8FFFF call CamAudio.0041FF00
004206A2 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004206A6 |. 33F6 xor esi,esi
004206A8 |. 33DB xor ebx,ebx
004206AA |. FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
004206B0 |. 85C0 test eax,eax
004206B2 |. 0F8E 86000000 jle CamAudio.0042073E
004206B8 |. 33ED xor ebp,ebp
004206BA |. 8D9B 00000000 lea ebx,dword ptr ds:[ebx]
-----------------
004206C0 |> 53 /push ebx
004206C1 |. 8D4C24 14 |lea ecx,dword ptr ss:[esp+14]
004206C5 |. FF15 78D54800 |call dword ptr ds:[<&MFC71.#865>] ; MFC71.7C1894E7
004206CB |. 83CF FF |or edi,FFFFFFFF
004206CE |. 33C9 |xor ecx,ecx
004206D0 |> 3A81 88284900 |/cmp al,byte ptr ds:[ecx+492888]
004206D6 |. 74 08 ||je short CamAudio.004206E0
004206D8 |. 41 ||inc ecx
004206D9 |. 83F9 20 ||cmp ecx,20
004206DC |.^ 7C F2 |\jl short CamAudio.004206D0
004206DE |. EB 02 |jmp short CamAudio.004206E2
004206E0 |> 8BF9 |mov edi,ecx
004206E2 |> 33C9 |xor ecx,ecx
004206E4 |> 8D1429 |/lea edx,dword ptr ds:[ecx+ebp]
004206E7 |. B8 10284900 ||mov eax,CamAudio.00492810
004206EC |. 8D6424 00 ||lea esp,dword ptr ss:[esp]
004206F0 |> 3B10 ||/cmp edx,dword ptr ds:[eax]这里是比较,并去掉
004206F2 |. 74 30 |||je short CamAudio.00420724相应的位
004206F4 |. 83C0 04 |||add eax,4
004206F7 |. 3D 88284900 |||cmp eax,CamAudio.00492888
004206FC |.^ 7C F2 ||\jl short CamAudio.004206F0
004206FE |. 85F6 ||test esi,esi
00420700 |. 0F8C 93020000 ||jl CamAudio.00420999
00420706 |. 3B7424 30 ||cmp esi,dword ptr ss:[esp+30]
0042070A |. 0F8D 89020000 ||jge CamAudio.00420999
00420710 |. BA 01000000 ||mov edx,1
00420715 |. D3E2 ||shl edx,cl
00420717 |. 85D7 ||test edi,edx
00420719 |. 8B5424 2C ||mov edx,dword ptr ss:[esp+2C]
0042071D |. 0F95C0 ||setne al
00420720 |. 880432 ||mov byte ptr ds:[edx+esi],al保存结果,去掉了三十位
00420723 |. 46 ||inc esi 共为60位
00420724 |> 41 ||inc ecx
00420725 |. 83F9 05 ||cmp ecx,5
00420728 |.^ 7C BA |\jl short CamAudio.004206E4
0042072A |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+10]
0042072E |. 43 |inc ebx
0042072F |. 83C5 05 |add ebp,5
00420732 |. FF15 FCD84800 |call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
00420738 |. 3BD8 |cmp ebx,eax
0042073A |.^ 7C 84 \jl short CamAudio.004206C0
---------------\\\\\这上面的代码是将第二次移位的得到的注册码转为二进制,并去掉其中三十位
下面的代码为给得到的二进制进行限制
00 06 0b 0c 11 16 19 1c 1d 1e 1f 26 27 28 29 2f 30 31 32 37 3c 41 44 45 46 47 4d 4e 54 59 --->这里是被去掉的位
00 01 02 03 04 ----> 0 <--> 3
-- 1
05 06 07 08 09 ----> 4 <--> 7
-- 2
0A 0B 0C 0D 0E ----> 8 <--> a
-- -- 3
0F 10 11 12 13 ----> b <--> e ----------->这下面的下画线的位是必需的,星号可为0也可为1
-- 4
14 15 16 17 18 ----> f <--> 12 10* | 11* * 01* + ** 9 (1-3)
-- 5 -- -- --
19 1A 1B 1C 1D----> 13 <--> 14 **001 A
-- -- -- 6 --
1E 1F 20 21 22 ----> 15 <--> 17 000** C
-- -- 7 ---
23 24 25 26 27 ----> 18 <--> 1a **000 C
-- -- 8 ---
28 29 2A 2B 2C ----> 1b <--> 1d 000** B
-- -- 9 ---
2D 2E 2F 30 31 ----> 1e <--> 1f ***01 A
-- -- -- 10 --
32 33 34 35 36 ----> 20 <--> 23
-- 11
37 38 39 3A 3B ----> 24 <--> 27
-- 12
3C 3D 3E 3F 40 ----> 28 <--> 2b
-- 13
41 42 43 44 45 ----> 2c <--> 2d
-- -- -- 14
46 47 48 49 4A ----> 2e <--> 30
-- -- 15
4B 4C 4D 4E 4F ----> 31 <--> 33
-- -- 16
50 51 52 53 54 ----> 34 <--> 37
-- 17
55 56 57 58 59 ----> 38 <--> 3b
-- 18
0042073C |. 33FF xor edi,edi
0042073E |> 8B7424 2C mov esi,dword ptr ss:[esp+2C]
00420742 |. 8B5C24 30 mov ebx,dword ptr ss:[esp+30]
00420746 |. 33D2 xor edx,edx
00420748 |. B8 15000000 mov eax,15
0042074D |. 8D49 00 lea ecx,dword ptr ds:[ecx]
00420750 |> 3BC7 /cmp eax,edi
00420752 |. 0F8C 41020000 |jl CamAudio.00420999
00420758 |. 3BC3 |cmp eax,ebx
0042075A |. 0F8D 39020000 |jge CamAudio.00420999
00420760 |. 803C06 00 |cmp byte ptr ds:[esi+eax],0 ; ds:[02E23A6D]=00
00420764 |. 74 0C |je short CamAudio.00420772 edx要为0所以这里都要跳过
00420766 |. 8D48 EB |lea ecx,dword ptr ds:[eax-15] 所以这里的二进制位都要为0
00420769 |. BD 01000000 |mov ebp,1 上面我都以经标出来了
0042076E |. D3E5 |shl ebp,cl
00420770 |. 0BD5 |or edx,ebp
00420772 |> 40 |inc eax
00420773 |. 83F8 1A |cmp eax,1A
00420776 |.^ 7E D8 \jle short CamAudio.00420750
00420778 |. 3BD7 cmp edx,edi ; 12d294
0042077A |. 8B4424 1C mov eax,dword ptr ss:[esp+1C] ; 12d283
0042077E |. 8910 mov dword ptr ds:[eax],edx
00420780 |. 0F85 AA010000 jnz CamAudio.00420930
00420786 |. 33C0 xor eax,eax
00420788 |. 33C9 xor ecx,ecx
0042078A |. 8D9B 00000000 lea ebx,dword ptr ds:[ebx]
...........................
00420858 |. 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
0042085B |. E8 90CE0000 call CamAudio.0042D6F0
00420860 |. 8B7424 2C mov esi,dword ptr ss:[esp+2C]
00420864 |. 33D2 xor edx,edx
00420866 |. B8 11000000 mov eax,11
0042086B |. EB 03 jmp short CamAudio.00420870
0042086D | 8D49 00 lea ecx,dword ptr ds:[ecx]
00420870 |> 85C0 /test eax,eax
00420872 |. 0F8C 21010000 |jl CamAudio.00420999
00420878 |. 3BC3 |cmp eax,ebx
0042087A |. 0F8D 19010000 |jge CamAudio.00420999
00420880 |. 803C06 00 |cmp byte ptr ds:[esi+eax],0
00420884 |. 74 0C |je short CamAudio.00420892
00420886 |. 8D48 EF |lea ecx,dword ptr ds:[eax-11]
00420889 |. BF 01000000 |mov edi,1
0042088E |. D3E7 |shl edi,cl
00420890 |. 0BD7 |or edx,edi
00420892 |> 40 |inc eax
00420893 |. 83F8 14 |cmp eax,14
00420896 |.^ 7E D8 \jle short CamAudio.00420870
00420898 |. 52 push edx 这里edx要为大于0小于4
00420899 |. 8D4D 14 lea ecx,dword ptr ss:[ebp+14]
0042089C |. E8 BFC40000 call CamAudio.0042CD60 ; 这里面要注意了,ds[12f4c0]
004208A1 |. 33D2 xor edx,edx
004208A3 |. B8 1B000000 mov eax,1B
004208A8 |> 85C0 /test eax,eax ;
004208AA |. 0F8C E9000000 |jl CamAudio.00420999
004208B0 |. 3BC3 |cmp eax,ebx
004208B2 |. 0F8D E1000000 |jge CamAudio.00420999
004208B8 |. 803C06 00 |cmp byte ptr ds:[esi+eax],0
004208BC |. 74 0C |je short CamAudio.004208CA
004208BE |. 8D48 E5 |lea ecx,dword ptr ds:[eax-1B]
004208C1 |. BF 01000000 |mov edi,1
004208C6 |. D3E7 |shl edi,cl
004208C8 |. 0BD7 |or edx,edi
004208CA |> 40 |inc eax
004208CB |. 83F8 1F |cmp eax,1F
004208CE |.^ 7E D8 \jle short CamAudio.004208A8
004208D0 |. 8955 04 mov dword ptr ss:[ebp+4],edx 这里要为8
004208D3 |. 33C0 xor eax,eax
004208D5 |. BA 20000000 mov edx,20
------------------------->这下面是将注册码转为二进制
004202B0 $ 6A FF push -1
004202B2 . 68 49524800 push CamAudio.00485249 ; SE handler installation
004202B7 . 64:A1 00000000 mov eax,dword ptr fs:[0]
004202BD . 50 push eax
004202BE . 64:8925 00000000 mov dword ptr fs:[0],esp
004202C5 . 51 push ecx
004202C6 . 8B4424 14 mov eax,dword ptr ss:[esp+14]
004202CA . 53 push ebx
004202CB . 55 push ebp
004202CC . 56 push esi
004202CD . 57 push edi
004202CE . 50 push eax
004202CF . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004202D3 . FF15 D8D84800 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
004202D9 . 8B7424 28 mov esi,dword ptr ss:[esp+28]
004202DD . 8B46 04 mov eax,dword ptr ds:[esi+4]
004202E0 . 33ED xor ebp,ebp
004202E2 . 3BC5 cmp eax,ebp
004202E4 . 896C24 1C mov dword ptr ss:[esp+1C],ebp
004202E8 . 74 0C je short CamAudio.004202F6
004202EA . 50 push eax ; /block
004202EB . E8 A0130600 call <jmp.&MFC71.#266> ; \free
004202F0 . 83C4 04 add esp,4
004202F3 . 896E 04 mov dword ptr ds:[esi+4],ebp
004202F6 > 6A FF push -1
004202F8 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004202FC . 896E 0C mov dword ptr ds:[esi+C],ebp
004202FF . 896E 08 mov dword ptr ds:[esi+8],ebp
00420302 . FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
00420308 . 8D0C80 lea ecx,dword ptr ds:[eax+eax*4]
0042030B . 51 push ecx
0042030C . 8BCE mov ecx,esi
0042030E . E8 EDFBFFFF call CamAudio.0041FF00
00420313 . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00420317 . FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
0042031D . 85C0 test eax,eax
0042031F . 7E 6B jle short CamAudio.0042038C
00420321 . 896C24 28 mov dword ptr ss:[esp+28],ebp
00420325 > 55 push ebp
00420326 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; 取注册码的ASCII
0042032A . FF15 78D54800 call dword ptr ds:[<&MFC71.#865>] ; MFC71.7C1894E7
00420330 . 83CF FF or edi,FFFFFFFF
00420333 . 33C9 xor ecx,ecx
00420335 > 3A81 88284900 cmp al,byte ptr ds:[ecx+492888]
0042033B . 74 08 je short CamAudio.00420345 ; 匹配密码表,找出序号
0042033D . 41 inc ecx
0042033E . 83F9 20 cmp ecx,20
00420341 .^ 7C F2 jl short CamAudio.00420335
00420343 . EB 02 jmp short CamAudio.00420347
00420345 > 8BF9 mov edi,ecx ; 将序号转为2进制
00420347 > 8B4424 28 mov eax,dword ptr ss:[esp+28]
0042034B . 33C9 xor ecx,ecx
0042034D . 8D49 00 lea ecx,dword ptr ds:[ecx]
00420350 > 85C0 test eax,eax
00420352 . 7C 55 jl short CamAudio.004203A9
00420354 . 3B46 08 cmp eax,dword ptr ds:[esi+8]
00420357 . 7D 50 jge short CamAudio.004203A9
00420359 . 8B5E 04 mov ebx,dword ptr ds:[esi+4]
0042035C . BA 01000000 mov edx,1
00420361 . D3E2 shl edx,cl
00420363 . 85D7 test edi,edx ; 如果条件为真
00420365 . 0F95C2 setne dl ; 则这里为真,dl就等于1,否则dl=0
00420368 . 41 inc ecx
00420369 . 881418 mov byte ptr ds:[eax+ebx],dl ; 这里是保存2进制数
0042036C . 40 inc eax
0042036D . 83F9 05 cmp ecx,5
00420370 .^ 7C DE jl short CamAudio.00420350
00420372 . 8B5424 28 mov edx,dword ptr ss:[esp+28]
00420376 . 83C2 05 add edx,5
00420379 . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0042037D . 45 inc ebp
0042037E . 895424 28 mov dword ptr ss:[esp+28],edx
00420382 . FF15 FCD84800 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
00420388 . 3BE8 cmp ebp,eax
0042038A .^ 7C 99 jl short CamAudio.00420325 ; 起初这里是95位,第二次注册码又去掉了一位移位码,所以这里只有90位了
0042038C > 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00420390 . FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
00420396 . 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
0042039A . 5F pop edi
0042039B . 5E pop esi
0042039C . 5D pop ebp
0042039D . 5B pop ebx
0042039E . 64:890D 00000000 mov dword ptr fs:[0],ecx
004203A5 . 83C4 10 add esp,10
/*
 * change: expand a key string into a per-bit array.
 *
 * get : NUL-terminated key string (read only).
 * tem : output array; must hold at least 5 * strlen(get) entries and
 *       must already be zero-filled by the caller -- this function only
 *       ever writes 1s, it never writes a 0 (no bound check is done).
 *
 * Each character is looked up in the 32-entry alphabet m (32 = 2^5, so
 * the index is a 5-bit value) and its 5 bits are stored LSB-first at
 * tem[i*5 .. i*5+4]. A character not in m leaves le == 0xff, whose low
 * 5 bits are all set, so it is emitted as five 1s rather than rejected.
 * Needs <string.h> for strlen(); the include is not part of this listing.
 */
void change(char * get,char *tem)// get: the key string; tem: array receiving the bits
{
/* 32-symbol alphabet; appears to mirror the 32-byte table the disassembly
   above compares each character against (cmp al,[ecx+492888], ecx < 20h). */
char *m="CA5BDWF4H9PJK3SUM2XEL7GRZNQTY6V8";
int length,i,j,le=0;
length=strlen(get);
for(i=0 ;i<length; i++)
{
/* find the alphabet index of get[i]; the else branch resets le to 0xff on
   every miss, so le is the index on a hit and 0xff when there is no hit */
for(j=0;j<32;j++)
{
if(get[i]==m[j])
{
le=j;
break;
}
else
le=0xff;
}
/* emit bits 0..4 of le, least significant first; 0 bits are skipped */
for(j=0;j<5;j++)
{
if((1&(le>>j))==1)
{
tem[i*5+j]=1;
}
}
}
}
----------->这下面是移位
004200A0 $ 64:A1 00000000 mov eax,dword ptr fs:[0]
004200A6 . 6A FF push -1
004200A8 . 68 08524800 push CamAudio.00485208
004200AD . 50 push eax
004200AE . 64:8925 00000000 mov dword ptr fs:[0],esp
004200B5 . 83EC 14 sub esp,14
004200B8 . 53 push ebx
004200B9 . 55 push ebp
004200BA . 8B6C24 38 mov ebp,dword ptr ss:[esp+38]
004200BE . 83FD FF cmp ebp,-1 ; 如果这里为-1则移位总数为5a=90
004200C1 . 56 push esi
004200C2 . 57 push edi
004200C3 . 8B7C24 34 mov edi,dword ptr ss:[esp+34]
004200C7 . 75 04 jnz short CamAudio.004200CD
004200C9 . 8B6F 08 mov ebp,dword ptr ds:[edi+8]
004200CC . 4D dec ebp
004200CD > 8B5C24 3C mov ebx,dword ptr ss:[esp+3C]
004200D1 . 33C0 xor eax,eax
004200D3 . 8BF5 mov esi,ebp
004200D5 . 2BF3 sub esi,ebx
004200D7 . 46 inc esi
004200D8 . C74424 10 A82849>mov dword ptr ss:[esp+10],CamAudio.0>
004200E0 . 894424 14 mov dword ptr ss:[esp+14],eax
004200E4 . 894424 20 mov dword ptr ss:[esp+20],eax
004200E8 . 894424 1C mov dword ptr ss:[esp+1C],eax
004200EC . 894424 18 mov dword ptr ss:[esp+18],eax
004200F0 . 6A FF push -1
004200F2 . 56 push esi
004200F3 . 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004200F7 . 894424 34 mov dword ptr ss:[esp+34],eax
004200FB . E8 00FEFFFF call CamAudio.0041FF00
00420100 . 33C9 xor ecx,ecx
00420102 . 3BDD cmp ebx,ebp
00420104 . 8BC3 mov eax,ebx
00420106 . 7F 3F jg short CamAudio.00420147
00420108 . EB 06 jmp short CamAudio.00420110
0042010A > 8B7C24 34 mov edi,dword ptr ss:[esp+34]
0042010E . 8BFF mov edi,edi
00420110 > 85C0 test eax,eax
00420112 . 0F8C AA000000 jl CamAudio.004201C2
00420118 . 3B47 08 cmp eax,dword ptr ds:[edi+8]
0042011B . 0F8D A1000000 jge CamAudio.004201C2
00420121 . 8B7F 04 mov edi,dword ptr ds:[edi+4]
00420124 . 03F8 add edi,eax
00420126 . 85C9 test ecx,ecx
00420128 . 0F8C 94000000 jl CamAudio.004201C2
0042012E . 3B4C24 18 cmp ecx,dword ptr ss:[esp+18]
00420132 . 0F8D 8A000000 jge CamAudio.004201C2
00420138 . 8A17 mov dl,byte ptr ds:[edi]
0042013A . 8B7C24 14 mov edi,dword ptr ss:[esp+14]
0042013E . 40 inc eax
0042013F . 88140F mov byte ptr ds:[edi+ecx],dl
00420142 . 41 inc ecx
00420143 . 3BC5 cmp eax,ebp
00420145 .^ 7E C3 jle short CamAudio.0042010A
00420147 > 8B4424 38 mov eax,dword ptr ss:[esp+38]
0042014B . 99 cdq
0042014C . F7FE idiv esi
0042014E . 33ED xor ebp,ebp
00420150 . 85F6 test esi,esi
00420152 . 8BCB mov ecx,ebx
00420154 . 7E 40 jle short CamAudio.00420196
00420156 . 8BC2 mov eax,edx
00420158 . 2BC3 sub eax,ebx
0042015A . 894424 40 mov dword ptr ss:[esp+40],eax
0042015E . EB 04 jmp short CamAudio.00420164
00420160 > 8B4424 40 mov eax,dword ptr ss:[esp+40]
00420164 > 03C1 add eax,ecx
00420166 . 99 cdq
00420167 . F7FE idiv esi
00420169 . 8BFA mov edi,edx
0042016B . 85FF test edi,edi
0042016D . 7C 53 jl short CamAudio.004201C2
0042016F . 3B7C24 18 cmp edi,dword ptr ss:[esp+18]
00420173 . 7D 4D jge short CamAudio.004201C2
00420175 . 85C9 test ecx,ecx
00420177 . 7C 49 jl short CamAudio.004201C2
00420179 . 8B4424 34 mov eax,dword ptr ss:[esp+34]
0042017D . 3B48 08 cmp ecx,dword ptr ds:[eax+8]
00420180 . 7D 40 jge short CamAudio.004201C2
00420182 . 8B40 04 mov eax,dword ptr ds:[eax+4]
00420185 . 8B5424 14 mov edx,dword ptr ss:[esp+14]
00420189 . 8A143A mov dl,byte ptr ds:[edx+edi]
0042018C . 03C1 add eax,ecx
0042018E . 45 inc ebp
0042018F . 41 inc ecx
00420190 . 3BEE cmp ebp,esi
00420192 . 8810 mov byte ptr ds:[eax],dl
00420194 .^ 7C CA jl short CamAudio.00420160
00420196 > 8B4424 14 mov eax,dword ptr ss:[esp+14]
0042019A . 85C0 test eax,eax
0042019C . C74424 2C FFFFFF>mov dword ptr ss:[esp+2C],-1
004201A4 . 74 09 je short CamAudio.004201AF
004201A6 . 50 push eax ; /block
004201A7 . E8 E4140600 call <jmp.&MFC71.#266> ; \free
004201AC . 83C4 04 add esp,4
004201AF > 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
004201B3 . 5F pop edi
004201B4 . 5E pop esi
004201B5 . 5D pop ebp
004201B6 . 5B pop ebx
004201B7 . 64:890D 00000000 mov dword ptr fs:[0],ecx
004201BE . 83C4 20 add esp,20
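/*
 * Rotate the first `le` entries of `tem` left by `f` positions, in place.
 * This is the author's C reconstruction of the target's shift routine
 * (the disassembly above): `tem` is the 0/1 "binary" array, `le` the
 * number of entries to rotate and `f` the shift amount.
 *
 * tem : array of at least `le` bytes (0/1 flags); modified in place.
 * le  : number of entries to rotate; -1 selects the default 0x5a
 *       (90 = 18 serial characters * 5 bits).
 * f   : left-rotation amount, expected in [0, le] (f == 0 and f == le
 *       both leave the array unchanged).
 *
 * Fix: the original copied 100 entries into its scratch array regardless
 * of `le`, reading past the end of a shorter `tem` (10 bytes past a
 * 90-byte array in the -1 case), and an `f` outside [0, le] produced
 * negative indices. Only the `f` entries that wrap around are saved now,
 * and invalid requests are rejected up front. The target's own routine
 * (0042016B-00420180 above) likewise bails out to 004201C2 when either
 * index is out of range.
 */
void move(char * tem,int le,int f)
{
    int i, j;
    char wrapped[100];          /* the first f entries, to be re-appended */

    if (le == -1)
        le = 0x5a;
    if (le <= 0 || f < 0 || f > le || f > 100)
        return;                 /* nothing to do, or an invalid request */

    for (i = 0; i < f; i++)
        wrapped[i] = tem[i];

    /* slide the tail down by f ... */
    for (i = 0; i < le - f; i++)
        tem[i] = tem[i + f];

    /* ... and put the saved head back at the end */
    for (i = le - f, j = 0; i < le; i++, j++)
        tem[i] = wrapped[j];
}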
-------------------> 下面这个函数 (004201D0) 的功能是将二进制(0/1 字节数组)转回注册码: 每 5 个字节合成一个 0..31 的索引 (见 00420220 处的循环和 00420268 处的 add esi,5), 再查 00492888 处的字符表得到一个注册码字符. 其后的 C 函数 back() 是它的还原.
004201D0 $ 6A FF push -1
004201D2 . 68 29524800 push CamAudio.00485229 ; SE handler installation
004201D7 . 64:A1 00000000 mov eax,dword ptr fs:[0]
004201DD . 50 push eax
004201DE . 64:8925 00000000 mov dword ptr fs:[0],esp
004201E5 . 83EC 08 sub esp,8
004201E8 . 53 push ebx
004201E9 . 55 push ebp
004201EA . 56 push esi
004201EB . 33F6 xor esi,esi
004201ED . 57 push edi
004201EE . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004201F2 . 897424 14 mov dword ptr ss:[esp+14],esi
004201F6 . FF15 00D94800 call dword ptr ds:[<&MFC71.#310>] ; MFC71.7C173199
004201FC . 8B5C24 2C mov ebx,dword ptr ss:[esp+2C]
00420200 . 8B4B 08 mov ecx,dword ptr ds:[ebx+8]
00420203 . B8 67666666 mov eax,66666667
00420208 . F7E9 imul ecx
0042020A . D1FA sar edx,1
0042020C . 8BEA mov ebp,edx
0042020E . C1ED 1F shr ebp,1F
00420211 . 03EA add ebp,edx
00420213 . 3BEE cmp ebp,esi
00420215 . 897424 20 mov dword ptr ss:[esp+20],esi
00420219 . 897424 14 mov dword ptr ss:[esp+14],esi
0042021D . 7E 59 jle short CamAudio.00420278
0042021F . 90 nop ; 这里的功能是把二进制转为密码序列
00420220 > 8D56 04 lea edx,dword ptr ds:[esi+4]
00420223 . 33FF xor edi,edi ; 取决于edi
00420225 . 33C9 xor ecx,ecx
00420227 . 3BF2 cmp esi,edx
00420229 . 8BC6 mov eax,esi
0042022B . 7F 28 jg short CamAudio.00420255
0042022D . 8D49 00 lea ecx,dword ptr ds:[ecx]
00420230 > 85C0 test eax,eax
00420232 . 7C 74 jl short CamAudio.004202A8
00420234 . 3B43 08 cmp eax,dword ptr ds:[ebx+8]
00420237 . 7D 6F jge short CamAudio.004202A8
00420239 . 8B5B 04 mov ebx,dword ptr ds:[ebx+4]
0042023C . 803C18 00 cmp byte ptr ds:[eax+ebx],0 ; 02A10DF0
00420240 . 74 09 je short CamAudio.0042024B
00420242 . BB 01000000 mov ebx,1
00420247 . D3E3 shl ebx,cl ; cl=3
00420249 . 0BFB or edi,ebx
0042024B > 8B5C24 2C mov ebx,dword ptr ss:[esp+2C]
0042024F . 41 inc ecx
00420250 . 40 inc eax
00420251 . 3BC2 cmp eax,edx
00420253 .^ 7E DB jle short CamAudio.00420230
00420255 > 33C0 xor eax,eax
00420257 . 8A87 88284900 mov al,byte ptr ds:[edi+492888]
0042025D . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00420261 . 50 push eax
00420262 . FF15 74D54800 call dword ptr ds:[<&MFC71.#908>] ; MFC71.7C18B24E
00420268 . 8B4424 14 mov eax,dword ptr ss:[esp+14]
0042026C . 40 inc eax
0042026D . 83C6 05 add esi,5
00420270 . 3BC5 cmp eax,ebp
00420272 . 894424 14 mov dword ptr ss:[esp+14],eax
00420276 .^ 7C A8 jl short CamAudio.00420220
00420278 > 8B7424 28 mov esi,dword ptr ss:[esp+28]
0042027C . 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; 这里重要: 把局部 CString([esp+10]) 复制到返回对象 ([esp+28] 取到 esi, 最后 mov eax,esi 作为返回值), 随后析构局部串. MFC71 #297/#578 推测分别是 CString 的拷贝构造与析构, 需确认.
00420280 . 51 push ecx
00420281 . 8BCE mov ecx,esi
00420283 . FF15 F0D84800 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
00420289 . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0042028D . FF15 10D94800 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
00420293 . 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
00420297 . 5F pop edi
00420298 . 8BC6 mov eax,esi
0042029A . 5E pop esi
0042029B . 5D pop ebp
0042029C . 5B pop ebx
0042029D . 64:890D 00000000 mov dword ptr fs:[0],ecx
004202A4 . 83C4 14 add esp,14
004202A7 . C3 retn
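/*
 * Decode a 0/1 bit array back into serial characters.  Every 5 entries of
 * `be` (bit j taken from be[i*5+j], LSB first) form one index into the
 * 32-symbol alphabet, mirroring the target's loop at 00420220-00420262
 * (presumably the table at 00492888 is this same alphabet).
 *
 * be     : at least length*5 entries; an entry equal to 1 sets bit j.
 *          NOTE(review): the disassembly above tests the byte for
 *          "nonzero" (cmp ...,0 / je) rather than "== 1"; the keygen only
 *          ever writes 0 or 1, so the two agree for its own input.
 * kt     : receives `length` characters.  It is NOT NUL-terminated; the
 *          caller must size it and terminate it.
 * length : number of serial characters to produce.
 *
 * Fix: the original ended in a stray "}," that does not compile, and held
 * the alphabet in a non-const char* to a string literal.
 */
void back(char * be,char * kt,int length)
{
    static const char alphabet[] = "CA5BDWF4H9PJK3SUM2XEL7GRZNQTY6V8";
    int i, j;

    for (i = 0; i < length; i++) {
        int index = 0;
        for (j = 0; j < 5; j++) {
            if (be[i * 5 + j] == 1)
                index |= 1 << j;
        }
        kt[i] = alphabet[index];
    }
}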
*********************************************下面为部分keygen的代码,完整代码请参见附件。
#include "mode.h"
#pragma comment(linker, "/ENTRY:EntryPoint")
HINSTANCE hi; /* module handle saved by WinMain; MyBox uses it to load the dialog icon */
/* Custom program entry selected by the /ENTRY:EntryPoint linker option
 * above, so the CRT's own startup stub is bypassed (presumably to keep the
 * keygen binary small).  It forwards to WinMain with this module's handle
 * and a default show command, then terminates with WinMain's result.
 * NOTE(review): WinMain is defined below; mode.h is assumed to declare it,
 * otherwise this call relies on a pre-C99 implicit declaration. */
void EntryPoint()
{
    HINSTANCE self = GetModuleHandle(NULL);
    int rc = WinMain(self, NULL, NULL, SW_SHOWNORMAL);
    ExitProcess(rc);
}
/* Win32 entry called from EntryPoint: remembers the module handle for
 * MyBox (dialog icon), runs the keygen dialog modally and terminates the
 * process.  The trailing `return 0` is never reached - ExitProcess does
 * not return to its caller - it only satisfies the signature.
 * NOTE(review): MyBox is defined below; mode.h is assumed to declare it. */
int WINAPI WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
    DLGPROC proc = (DLGPROC)MyBox;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    hi = hInstance;
    DialogBoxParam(hInstance, MAKEINTRESOURCE(IDD_DIALOG), NULL, proc, (LPARAM)0);
    ExitProcess(0);
    return 0;
}
/* Dialog procedure for IDD_DIALOG.
 *   WM_INITDIALOG : set the window icon (loaded from the module saved in
 *                   `hi`) and show the template serial in IDC_EDIT1.
 *   IDOK          : run gen() on a fresh copy of the template and display
 *                   the generated serial.
 *   IDCANCEL /
 *   WM_CLOSE      : end the dialog.
 * `sn` is a local, so every message starts from the template again; only
 * the IDOK path mutates it (gen() overwrites the random and checksum
 * positions in place).  Returns 0 for every message. */
LRESULT CALLBACK MyBox(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    char sn[26] = "8F8A9CACCBACCA724C6058687";   /* 25 chars + NUL */
    (void)lParam;

    if (message == WM_INITDIALOG) {
        HICON icon = LoadIconA(hi, MAKEINTRESOURCE(IDI_ICON));
        SendMessage(hwnd, WM_SETICON, (WPARAM)1 /* ICON_BIG */, (LPARAM)icon);
        SetDlgItemText(hwnd, IDC_EDIT1, sn);
    } else if (message == WM_CLOSE) {
        EndDialog(hwnd, 0);
    } else if (message == WM_COMMAND) {
        WORD id = LOWORD(wParam);
        if (id == IDOK) {
            gen(sn);
            SetDlgItemText(hwnd, IDC_EDIT1, sn);
        } else if (id == IDCANCEL) {
            EndDialog(hwnd, 0);
        }
    }
    return 0;
}
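/* Return nonzero when the four nibbles of `v` at bit offsets 28, 24, 20
 * and 16 are all in 2..9, i.e. can be emitted as the serial's last four
 * ASCII digits. */
static int tail_digits_ok(unsigned long v)
{
    int shift;
    for (shift = 28; shift >= 16; shift -= 4)
    {
        unsigned long nib = (v >> shift) & 0xf;
        if (nib < 2 || nib > 9)
            return 0;
    }
    return 1;
}

/*
 * Generate a 25-character serial into `sn`, which must already hold the
 * 25-character template (MyBox passes a NUL-terminated 26-byte array).
 *
 * Layout of sn (0-based):
 *   [0..3]   random hex digits
 *   [4..12]  kept from the template (the "shift code" positions; per the
 *            analysis above a 'C' there makes the target's rotation 0)
 *   [13..20] random hex digits
 *   [21..24] the four nibbles of MD5 state[0] at bits 28..16, each in 2..9,
 *            written as ASCII digits
 *
 * The hashed string is derived the way the analysis describes: sn[0..20],
 * minus index 5, minus index 10, minus index 10 again (18 characters),
 * then '0'/'1' replaced by '8' (handle()).  That substitution presumably
 * mirrors a normalisation in the target; note it is applied to the
 * hash input only, so the emitted serial may still contain '0'/'1'.
 *
 * Fix: srand() was called inside the retry loop, so every retry within
 * the same second re-drew the same digits and the loop spun until the
 * clock ticked over.  The generator is now seeded once per call.  Two
 * calls in the same second still yield the same serial; time() is not a
 * cryptographic seed, which is fine for a keygen.
 *
 * MD5_CTX / MD5Init / MD5Update / MD5Final come from mode.h: MD5Update
 * takes only a length and appears to hash the text already placed in
 * text.buffer (TODO confirm against the attachment).
 */
void gen(char * sn)
{
    MD5_CTX text;
    int r[12], i, length, j;
    char s[12];

    srand((unsigned)time(NULL));        /* once per call, not per retry */

    for (;;)
    {
        zero(s, 12);
        zero(text.buffer, 64);

        /* 12 random nibbles, one per rand() call, taken from bits 0-3,
         * 4-7 and 8-11 in turn */
        for (i = 0; i < 4; i++)
        {
            r[i*3+0] = (rand() & 0xf);
            r[i*3+1] = ((rand() & 0xf0) >> 4);
            r[i*3+2] = ((rand() & 0xf00) >> 8);
        }
        change(r, s, 12);           /* nibbles -> '0'..'9','A'..'F' */
        for (i = 0; i < 4; i++)
            sn[i] = s[i];
        for (i = 4; i < 12; i++)
            sn[i+9] = s[i];         /* s[4..11] -> sn[13..20] */

        /* build the 18-character hash input */
        SetChar(sn, text.buffer, 21);
        cut(text.buffer, 21, 5);
        cut(text.buffer, 20, 10);
        cut(text.buffer, 19, 10);
        handle(text.buffer, 18);
        length = strlen(text.buffer);

        MD5Init(&text);
        MD5Update(&text, length);
        MD5Final(&text);

        if (tail_digits_ok(text.state[0]))
            break;
    }

    /* checksum digits: nibbles at bits 28,24,20,16 -> sn[21..24] */
    for (i = 21, j = 7; i < 25; i++, j--)
        sn[i] = (char)((text.state[0] >> (j*4)) & 0xf) + 0x30;
}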
/* Convert `length` nibble values in `r` (0..15) to their uppercase hex
 * characters in `s`.  Entries outside 0..15 leave s[i] untouched. */
void change(int *r,char * s,int length)
{
    static const char hex[] = "0123456789ABCDEF";
    for (int i = 0; i < length; i++)
    {
        int v = r[i];
        if (v >= 0 && v <= 15)
            s[i] = hex[v];
    }
}
/* Copy `length` bytes from str1 to str2, front to back.  No terminator is
 * written; the caller keeps the destination terminated (gen() zeroes the
 * MD5 buffer first). */
void SetChar(char * str1,char * str2,int length)
{
    const char *src = str1;
    char *dst = str2;
    while (length-- > 0)
        *dst++ = *src++;
}
/* Set the first `i` bytes of `ch` to 0 (no-op for i <= 0). */
void zero(char * ch,int i)
{
    char *p = ch;
    while (i-- > 0)
        *p++ = 0;
}
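/*
 * Delete the character at index `c` from the first `le` characters of
 * `str`, shifting the tail left by one, and NUL-terminate the shortened
 * string.  gen() uses it three times to drop the shift-code positions.
 *
 * Fix: the original declared `i` in the for-header and then used it after
 * the loop (`str[i]=0`), which only compiles under pre-C99 for-scope rules;
 * the index now lives in function scope.  Behaviour is unchanged: with
 * c < le-1 the terminator lands at le-1; with c >= le-1 nothing is moved
 * and str[c] itself is cleared.
 */
void cut(char * str,int le,int c)
{
    int i = c;
    for (; i < le - 1; i++)
        str[i] = str[i + 1];
    str[i] = 0;
}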
/* Replace every '0' or '1' among the first `le` characters of `ss` with
 * '8'; all other characters are left as they are. */
void handle(char * ss,int le)
{
    for (int i = 0; i < le; i++)
    {
        char c = ss[i];
        ss[i] = (c == '0' || c == '1') ? '8' : c;
    }
}
***************************************************************
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!