【Title】: Auto Power-on Version 1.52 algorithm analysis
【Author】: lnn1123
【Software】: Auto Power-on Version 1.52
【Download】: Huajun Software (华军软件)
【Tools】: OLLYDBG
【Protection】: registration code + NAG
【Limitations】: none
【Analysis】
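========================== Analysis ==============================================
PEiD shows the file is not packed. Load it in OllyDbg; clicking Register produces an error message. Use Lao Luo's (老罗) plugin to locate the error string and set a breakpoint there.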
===================================================================================
004B5DD4 /. 55 PUSH EBP
004B5DD5 |. 8BEC MOV EBP,ESP
004B5DD7 |. B9 06000000 MOV ECX,6
004B5DDC |> 6A 00 /PUSH 0
004B5DDE |. 6A 00 |PUSH 0
004B5DE0 |. 49 |DEC ECX
004B5DE1 |.^75 F9 \JNZ SHORT AutoPowe.004B5DDC
004B5DE3 |. 53 PUSH EBX
004B5DE4 |. 56 PUSH ESI
004B5DE5 |. 57 PUSH EDI
004B5DE6 |. 8BD8 MOV EBX,EAX
004B5DE8 |. 33C0 XOR EAX,EAX
004B5DEA |. 55 PUSH EBP
004B5DEB |. 68 4B604B00 PUSH AutoPowe.004B604B
004B5DF0 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B5DF3 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B5DF6 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004B5DF9 |. 8BB3 4C030000 MOV ESI,DWORD PTR DS:[EBX+34C]
004B5DFF |. 8BC6 MOV EAX,ESI
004B5E01 |. E8 BAD5F9FF CALL AutoPowe.004533C0 ; get the entered (test) code
004B5E06 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; EAX = length of the entered code
004B5E09 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004B5E0C |. E8 E32EF5FF CALL AutoPowe.00408CF4
004B5E11 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; entered code
004B5E14 |. 8BC6 MOV EAX,ESI
004B5E16 |. E8 D5D5F9FF CALL AutoPowe.004533F0
004B5E1B |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004B5E1E |. 8B83 4C030000 MOV EAX,DWORD PTR DS:[EBX+34C]
004B5E24 |. E8 97D5F9FF CALL AutoPowe.004533C0 ; fetched again
004B5E29 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; entered code
004B5E2C |. BA 64604B00 MOV EDX,AutoPowe.004B6064 ; ASCII "Registered!"
004B5E31 |. E8 E6ECF4FF CALL AutoPowe.00404B1C ; compare the entered code with "Registered!"
004B5E36 |. 0F84 C0010000 JE AutoPowe.004B5FFC
004B5E3C |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004B5E3F |. A1 9C7C4E00 MOV EAX,DWORD PTR DS:[4E7C9C]
004B5E44 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B5E46 |. E8 0DE5FBFF CALL AutoPowe.00474358 ; get the path the program runs from
004B5E4B |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; program path
004B5E4E |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004B5E51 |. E8 9237F5FF CALL AutoPowe.004095E8 ; parent directory of the program path
004B5E56 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004B5E59 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B5E5C |. B9 78604B00 MOV ECX,AutoPowe.004B6078 ; ASCII "\wake.ini"
004B5E61 |. E8 B6EBF4FF CALL AutoPowe.00404A1C ; concatenate to get the .ini file path
004B5E66 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; .INI file path
004B5E69 |. B2 01 MOV DL,1 ; set DL to 1
004B5E6B |. A1 D8624300 MOV EAX,DWORD PTR DS:[4362D8]
004B5E70 |. E8 1305F8FF CALL AutoPowe.00436388
004B5E75 |. 8BF0 MOV ESI,EAX
004B5E77 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004B5E7A |. 8B83 20030000 MOV EAX,DWORD PTR DS:[EBX+320]
004B5E80 |. E8 3BD5F9FF CALL AutoPowe.004533C0 ; get the registration name
004B5E85 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; EAX holds the length
004B5E88 |. 50 PUSH EAX ; push onto the stack
004B5E89 |. B9 8C604B00 MOV ECX,AutoPowe.004B608C ; ASCII "name"
004B5E8E |. BA 9C604B00 MOV EDX,AutoPowe.004B609C ; ASCII "reg"
004B5E93 |. 8BC6 MOV EAX,ESI
004B5E95 |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
004B5E97 |. FF57 04 CALL DWORD PTR DS:[EDI+4]
004B5E9A |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004B5E9D |. 8B83 4C030000 MOV EAX,DWORD PTR DS:[EBX+34C]
004B5EA3 |. E8 18D5F9FF CALL AutoPowe.004533C0 ; get the entered code; its length is in EAX
004B5EA8 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; entered code
004B5EAB |. 50 PUSH EAX
004B5EAC |. B9 A8604B00 MOV ECX,AutoPowe.004B60A8 ; ASCII "code"
004B5EB1 |. BA 9C604B00 MOV EDX,AutoPowe.004B609C ; ASCII "reg"
004B5EB6 |. 8BC6 MOV EAX,ESI
004B5EB8 |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
004B5EBA |. FF57 04 CALL DWORD PTR DS:[EDI+4]
004B5EBD |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B5EC0 |. 8B83 4C030000 MOV EAX,DWORD PTR DS:[EBX+34C]
004B5EC6 |. E8 F5D4F9FF CALL AutoPowe.004533C0 ; and again
004B5ECB |. 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C] ; EAX holds the length of the entered code
004B5ECE |. 50 PUSH EAX
004B5ECF |. B9 06000000 MOV ECX,6
004B5ED4 |. BA 01000000 MOV EDX,1
004B5ED9 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; entered code
004B5EDC |. E8 4FEDF4FF CALL AutoPowe.00404C30 ; take the first 6 characters
004B5EE1 |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] ; the first 6 characters
004B5EE4 |. 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
004B5EE7 |. A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30]
004B5EEC |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B5EEE |. 8B80 14050000 MOV EAX,DWORD PTR DS:[EAX+514]
004B5EF4 |. E8 9BC3FFFF CALL AutoPowe.004B2294 ; key CALL, step into it
004B5EF9 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; the computed value that is used in the comparison
004B5EFC |. 8B83 20030000 MOV EAX,DWORD PTR DS:[EBX+320]
004B5F02 |. E8 E9D4F9FF CALL AutoPowe.004533F0
004B5F07 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; entered code
004B5F0A |. E8 C1EAF4FF CALL AutoPowe.004049D0 ; get the length of the entered code
004B5F0F |. 83F8 28 CMP EAX,28 ; compare with 0x28
004B5F12 |. 0F8E A8000000 JLE AutoPowe.004B5FC0 ; less than or equal: fail
004B5F18 |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004B5F1B |. 50 PUSH EAX
004B5F1C |. B9 0C000000 MOV ECX,0C
004B5F21 |. BA 08000000 MOV EDX,8
004B5F26 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; entered code
004B5F29 |. E8 02EDF4FF CALL AutoPowe.00404C30 ; take characters 8--19 of the entered code
004B5F2E |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; characters 8--19 of the entered code
004B5F31 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; value produced by the key CALL AutoPowe.004B2294 above
004B5F34 |. E8 E3EBF4FF CALL AutoPowe.00404B1C ; key comparison
004B5F39 |. 0F85 81000000 JNZ AutoPowe.004B5FC0 ; if this jump is taken: fail
004B5F3F |. A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30] ; below: show the registration-success message
004B5F44 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B5F46 |. 8BB8 E8030000 MOV EDI,DWORD PTR DS:[EAX+3E8]
004B5F4C |. C647 48 01 MOV BYTE PTR DS:[EDI+48],1
004B5F50 |. A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30]
004B5F55 |. 8D47 68 LEA EAX,DWORD PTR DS:[EDI+68]
004B5F58 |. BA B8604B00 MOV EDX,AutoPowe.004B60B8 ; ASCII "Registered OK!"
004B5F5D |. E8 02E8F4FF CALL AutoPowe.00404764
004B5F62 |. A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30]
004B5F67 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B5F69 |. 8B80 E8030000 MOV EAX,DWORD PTR DS:[EAX+3E8]
004B5F6F |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004B5F71 |. FF52 30 CALL DWORD PTR DS:[EDX+30]
004B5F74 |. A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30]
004B5F79 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B5F7B |. B2 01 MOV DL,1
004B5F7D |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004B5F7F |. FF51 64 CALL DWORD PTR DS:[ECX+64]
004B5F82 |. BA 64604B00 MOV EDX,AutoPowe.004B6064 ; ASCII "Registered!"
004B5F87 |. 8B83 4C030000 MOV EAX,DWORD PTR DS:[EBX+34C]
004B5F8D |. E8 5ED4F9FF CALL AutoPowe.004533F0
004B5F92 |. A1 D0784E00 MOV EAX,DWORD PTR DS:[4E78D0]
004B5F97 |. C600 01 MOV BYTE PTR DS:[EAX],1
004B5F9A |. 68 D0604B00 PUSH AutoPowe.004B60D0
004B5F9F |. B9 DC604B00 MOV ECX,AutoPowe.004B60DC ; ASCII "dd"
004B5FA4 |. BA E8604B00 MOV EDX,AutoPowe.004B60E8 ; ASCII "date"
004B5FA9 |. 8BC6 MOV EAX,ESI
004B5FAB |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
004B5FAD |. FF57 04 CALL DWORD PTR DS:[EDI+4]
004B5FB0 |. 8BC6 MOV EAX,ESI
004B5FB2 |. E8 65D9F4FF CALL AutoPowe.0040391C
004B5FB7 |. 8BC3 MOV EAX,EBX
004B5FB9 |. E8 A6A5FBFF CALL AutoPowe.00470564
004B5FBE |. EB 3C JMP SHORT AutoPowe.004B5FFC
004B5FC0 |> A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30] ; registration-failure message
004B5FC5 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B5FC7 |. 8B98 E8030000 MOV EBX,DWORD PTR DS:[EAX+3E8]
004B5FCD |. C643 48 01 MOV BYTE PTR DS:[EBX+48],1
004B5FD1 |. A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30]
004B5FD6 |. 8D43 68 LEA EAX,DWORD PTR DS:[EBX+68]
004B5FD9 |. BA F8604B00 MOV EDX,AutoPowe.004B60F8 ; ASCII "Invalid key, please input again!"
004B5FDE |. E8 81E7F4FF CALL AutoPowe.00404764
004B5FE3 |. A1 307C4E00 MOV EAX,DWORD PTR DS:[4E7C30]
004B5FE8 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B5FEA |. 8B80 E8030000 MOV EAX,DWORD PTR DS:[EAX+3E8]
004B5FF0 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004B5FF2 |. FF52 30 CALL DWORD PTR DS:[EDX+30]
004B5FF5 |. 8BC6 MOV EAX,ESI
004B5FF7 |. E8 20D9F4FF CALL AutoPowe.0040391C
004B5FFC |> 33C0 XOR EAX,EAX
004B5FFE |. 5A POP EDX
004B5FFF |. 59 POP ECX
004B6000 |. 59 POP ECX
004B6001 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B6004 |. 68 52604B00 PUSH AutoPowe.004B6052
004B6009 |> 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004B600C |. BA 02000000 MOV EDX,2
004B6011 |. E8 1EE7F4FF CALL AutoPowe.00404734
004B6016 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004B6019 |. BA 02000000 MOV EDX,2
004B601E |. E8 11E7F4FF CALL AutoPowe.00404734
004B6023 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004B6026 |. BA 02000000 MOV EDX,2
004B602B |. E8 04E7F4FF CALL AutoPowe.00404734
004B6030 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004B6033 |. BA 02000000 MOV EDX,2
004B6038 |. E8 F7E6F4FF CALL AutoPowe.00404734
004B603D |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B6040 |. BA 04000000 MOV EDX,4
004B6045 |. E8 EAE6F4FF CALL AutoPowe.00404734
004B604A \. C3 RETN
-------------------- Stepping into 004B5EF4 |. E8 9BC3FFFF CALL AutoPowe.004B2294 ------------------------------
{
004B2294 /$ 55 PUSH EBP
004B2295 |. 8BEC MOV EBP,ESP
004B2297 |. 83C4 DC ADD ESP,-24
004B229A |. 53 PUSH EBX
004B229B |. 56 PUSH ESI
004B229C |. 57 PUSH EDI
004B229D |. 33DB XOR EBX,EBX
004B229F |. 895D DC MOV DWORD PTR SS:[EBP-24],EBX
004B22A2 |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
004B22A5 |. 8BF9 MOV EDI,ECX
004B22A7 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX ; EDX = first 6 characters of the entered code
004B22AA |. 8BF0 MOV ESI,EAX
004B22AC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; first 6 characters of the entered code
004B22AF |. E8 0C29F5FF CALL AutoPowe.00404BC0
004B22B4 |. 33C0 XOR EAX,EAX ; clear to 0
004B22B6 |. 55 PUSH EBP
004B22B7 |. 68 EE234B00 PUSH AutoPowe.004B23EE
004B22BC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B22BF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B22C2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; first 6 characters of the entered code
004B22C5 |. E8 0627F5FF CALL AutoPowe.004049D0 ; get the length of the first 6 characters
004B22CA |. 3B46 58 CMP EAX,DWORD PTR DS:[ESI+58] ; compare with 0x32
004B22CD |. 7F 0D JG SHORT AutoPowe.004B22DC
004B22CF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; first 6 characters of the entered code
004B22D2 |. E8 F926F5FF CALL AutoPowe.004049D0 ; length
004B22D7 |. 3B46 5C CMP EAX,DWORD PTR DS:[ESI+5C] ; compare with 5
004B22DA |. 7D 0C JGE SHORT AutoPowe.004B22E8 ; this jump is taken
004B22DC |> 8BC7 MOV EAX,EDI
004B22DE |. E8 2D24F5FF CALL AutoPowe.00404710
004B22E3 |. E9 E0000000 JMP AutoPowe.004B23C8
004B22E8 |> 8B46 70 MOV EAX,DWORD PTR DS:[ESI+70]
004B22EB |. 99 CDQ
004B22EC |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX ; first 6 characters of the entered code
004B22EF |. 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX ; entered code
004B22F2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B22F5 |. E8 D626F5FF CALL AutoPowe.004049D0 ; length of the first 6 characters
004B22FA |. 8BD8 MOV EBX,EAX
004B22FC |. EB 51 JMP SHORT AutoPowe.004B234F
004B22FE |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; entered code
004B2301 |. 4B |DEC EBX
004B2302 |. 85C0 |TEST EAX,EAX ; bit test
004B2304 |. 74 05 |JE SHORT AutoPowe.004B230B
004B2306 |. 3B58 FC |CMP EBX,DWORD PTR DS:[EAX-4]
004B2309 |. 72 05 |JB SHORT AutoPowe.004B2310
004B230B |> E8 4415F5FF |CALL AutoPowe.00403854
004B2310 |> 43 |INC EBX
004B2311 |. 8A4418 FF |MOV AL,BYTE PTR DS:[EAX+EBX-1] ; read the first 6 characters of the entered code in reverse order
004B2315 |. 25 FF000000 |AND EAX,0FF ; clear the high bits
004B231A |. 33D2 |XOR EDX,EDX ; clear to 0
004B231C |. 52 |PUSH EDX
004B231D |. 50 |PUSH EAX ; push onto the stack
004B231E |. 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
004B2321 |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
004B2324 |. E8 0333F5FF |CALL AutoPowe.0040562C ; important calculation, step into it
004B2329 |. 71 05 |JNO SHORT AutoPowe.004B2330 ; jump if no overflow
004B232B |. E8 2C15F5FF |CALL AutoPowe.0040385C
004B2330 |> 52 |PUSH EDX ; /Arg2
004B2331 |. 50 |PUSH EAX ; |Arg1
004B2332 |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24] ; |
004B2335 |. E8 0E6DF5FF |CALL AutoPowe.00409048 ; \convert hexadecimal to decimal
004B233A |. 8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24] ; the resulting decimal value
004B233D |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004B2340 |. E8 9326F5FF |CALL AutoPowe.004049D8
004B2345 |. 83EB 01 |SUB EBX,1
004B2348 |. 71 05 |JNO SHORT AutoPowe.004B234F
004B234A |. E8 0D15F5FF |CALL AutoPowe.0040385C
004B234F |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; first 6 characters of the entered code
004B2352 |. E8 7926F5FF |CALL AutoPowe.004049D0 ; length
004B2357 |. 83E8 06 |SUB EAX,6 ; subtract 6
004B235A |. 71 05 |JNO SHORT AutoPowe.004B2361
004B235C |. E8 FB14F5FF |CALL AutoPowe.0040385C
004B2361 |> 3BD8 |CMP EBX,EAX ; EBX is 6
004B2363 |. 7C 04 |JL SHORT AutoPowe.004B2369
004B2365 |. 85DB |TEST EBX,EBX
004B2367 |.^7F 95 \JG SHORT AutoPowe.004B22FE
004B2369 |> 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B236C |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; the values obtained above, concatenated
004B236F |. E8 F032F5FF CALL AutoPowe.00405664 ; convert to hexadecimal
004B2374 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; EAX = the converted hexadecimal value
004B2377 |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
004B237A |. 8B5E 6C MOV EBX,DWORD PTR DS:[ESI+6C]
004B237D |. 85DB TEST EBX,EBX
004B237F |. 7F 11 JG SHORT AutoPowe.004B2392
004B2381 |. FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
004B2384 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
004B2387 |. 8BD7 MOV EDX,EDI ; |
004B2389 |. 33C0 XOR EAX,EAX ; |
004B238B |. E8 086DF5FF CALL AutoPowe.00409098 ; \AutoPowe.00409098
004B2390 |. EB 36 JMP SHORT AutoPowe.004B23C8
004B2392 |> FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
004B2395 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
004B2398 |. 8BD7 MOV EDX,EDI ; |
004B239A |. 8BC3 MOV EAX,EBX ; |
004B239C |. E8 F76CF5FF CALL AutoPowe.00409098 ; \pad with leading zeros if shorter than 12 digits
004B23A1 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
004B23A3 |. E8 2826F5FF CALL AutoPowe.004049D0
004B23A8 |. 8BC8 MOV ECX,EAX
004B23AA |. 2B4E 6C SUB ECX,DWORD PTR DS:[ESI+6C]
004B23AD |. 71 05 JNO SHORT AutoPowe.004B23B4
004B23AF |. E8 A814F5FF CALL AutoPowe.0040385C
004B23B4 |> 8B56 6C MOV EDX,DWORD PTR DS:[ESI+6C]
004B23B7 |. 83C2 01 ADD EDX,1
004B23BA |. 71 05 JNO SHORT AutoPowe.004B23C1
004B23BC |. E8 9B14F5FF CALL AutoPowe.0040385C
004B23C1 |> 8BC7 MOV EAX,EDI
004B23C3 |. E8 A828F5FF CALL AutoPowe.00404C70 ; produce the final result
}
------------------------ Stepping into 004B2324 |. E8 0333F5FF CALL AutoPowe.0040562C -------------------------------------
{
0040562C /$ 56 PUSH ESI
0040562D |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
00405631 |. 237424 08 AND ESI,DWORD PTR SS:[ESP+8]
00405635 |. 81FE FFFFFFFF CMP ESI,-1
0040563B |. 75 11 JNZ SHORT AutoPowe.0040564E
0040563D |. 89C6 MOV ESI,EAX
0040563F |. 09D6 OR ESI,EDX
00405641 |. 81FE 00000080 CMP ESI,80000000
00405647 |. 75 05 JNZ SHORT AutoPowe.0040564E
00405649 |. 89F0 MOV EAX,ESI
0040564B |. 5E POP ESI
0040564C |. 48 DEC EAX
0040564D |. C3 RETN
0040564E |> 5E POP ESI
0040564F |. FF7424 08 PUSH DWORD PTR SS:[ESP+8]
00405653 |. FF7424 08 PUSH DWORD PTR SS:[ESP+8] ; the value read in reverse
00405657 |. E8 54FFFFFF CALL AutoPowe.004055B0 ; the calculation happens in here
0040565C |. 21C0 AND EAX,EAX
0040565E \. C2 0800 RETN 8
00405661 . C3 RETN
}
------------------------- Stepping into 00405657 |. E8 54FFFFFF CALL AutoPowe.004055B0 ---------------------------------------
{
004055B0 /$ 55 PUSH EBP
004055B1 |. 53 PUSH EBX
004055B2 |. 56 PUSH ESI
004055B3 |. 57 PUSH EDI
004055B4 |. 31FF XOR EDI,EDI
004055B6 |. 8B5C24 14 MOV EBX,DWORD PTR SS:[ESP+14] ; the hexadecimal value that was read
004055BA |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
004055BE |. 09C9 OR ECX,ECX
004055C0 |. 75 08 JNZ SHORT AutoPowe.004055CA
004055C2 |. 09D2 OR EDX,EDX
004055C4 |. 74 5D JE SHORT AutoPowe.00405623 ; this jump is taken
004055C6 |. 09DB OR EBX,EBX
004055C8 |. 74 59 JE SHORT AutoPowe.00405623
004055CA |> 09D2 OR EDX,EDX
004055CC |. 79 0A JNS SHORT AutoPowe.004055D8
004055CE |. F7DA NEG EDX
004055D0 |. F7D8 NEG EAX
004055D2 |. 83DA 00 SBB EDX,0
004055D5 |. 83CF 01 OR EDI,1
004055D8 |> 09C9 OR ECX,ECX
004055DA |. 79 07 JNS SHORT AutoPowe.004055E3
004055DC |. F7D9 NEG ECX
004055DE |. F7DB NEG EBX
004055E0 |. 83D9 00 SBB ECX,0
004055E3 |> 89CD MOV EBP,ECX
004055E5 |. B9 40000000 MOV ECX,40
004055EA |. 57 PUSH EDI
004055EB |. 31FF XOR EDI,EDI
004055ED |. 31F6 XOR ESI,ESI
004055EF |> D1E0 /SHL EAX,1
004055F1 |. D1D2 |RCL EDX,1
004055F3 |. D1D6 |RCL ESI,1
004055F5 |. D1D7 |RCL EDI,1
004055F7 |. 39EF |CMP EDI,EBP
004055F9 |. 72 0B |JB SHORT AutoPowe.00405606
004055FB |. 77 04 |JA SHORT AutoPowe.00405601
004055FD |. 39DE |CMP ESI,EBX
004055FF |. 72 05 |JB SHORT AutoPowe.00405606
00405601 |> 29DE |SUB ESI,EBX
00405603 |. 19EF |SBB EDI,EBP
00405605 |. 40 |INC EAX
00405606 |>^E2 E7 \LOOPD SHORT AutoPowe.004055EF
00405608 |. 89F0 MOV EAX,ESI
0040560A |. 89FA MOV EDX,EDI
0040560C |. 5B POP EBX
0040560D |. F7C3 01000000 TEST EBX,1
00405613 |. 74 07 JE SHORT AutoPowe.0040561C
00405615 |. F7DA NEG EDX
00405617 |. F7D8 NEG EAX
00405619 |. 83DA 00 SBB EDX,0
0040561C |> 5F POP EDI
0040561D |. 5E POP ESI
0040561E |. 5B POP EBX
0040561F |. 5D POP EBP
00405620 |. C2 0800 RETN 8
00405623 |> F7F3 DIV EBX ; EAX / EBX, remainder in EDX
00405625 |. 92 XCHG EAX,EDX ; swap EAX and EDX
00405626 |. 31D2 XOR EDX,EDX ; clear to 0
00405628 \.^EB F2 JMP SHORT AutoPowe.0040561C ; EDX is the key value
0040562A . C3 RETN
}
============================================================
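【Summary of the analysis】
The algorithm is fairly simple. Enter a registration code of 29 or more characters. The program takes the first 6 characters of the code, reads them in reverse order, and for each one takes its hexadecimal value as N and computes the remainder of 0027D4AA / N, expressed in decimal. The values produced by these operations are concatenated and the result is converted to hexadecimal; if the converted value has fewer than 12 digits, it is padded with leading zeros to 12 digits. Characters 8--19 of the registration code are then compared with the computed value: if they are equal, registration succeeds; if not, it fails.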
============================================================
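
The routine at 004055B0 listed above is a signed 64-bit remainder: a 32-bit DIV fast path at 00405623 plus a 64-step shift-and-subtract loop at 004055EF. The C model below is an added example, not code from the original post or from the program; the function names and the sample inputs are constructed for illustration, and the comments map each step to the listing.

```c
#include <stdint.h>
#include <stdio.h>

/* Unsigned core: the 64-iteration SHL/RCL loop at 004055EF. */
static uint64_t urem64_restoring(uint64_t dividend, uint64_t divisor)
{
    uint64_t rem = 0;                        /* EDI:ESI */
    for (int i = 0; i < 64; i++) {           /* MOV ECX,40 ... LOOPD */
        rem = (rem << 1) | (dividend >> 63); /* SHL EAX / RCL EDX / RCL ESI / RCL EDI */
        dividend <<= 1;
        if (rem >= divisor) {                /* CMP EDI,EBP then CMP ESI,EBX */
            rem -= divisor;                  /* SUB ESI,EBX / SBB EDI,EBP */
            dividend |= 1;                   /* INC EAX: quotient bit, discarded at the end */
        }
    }
    return rem;                              /* MOV EAX,ESI / MOV EDX,EDI */
}

/* Signed wrapper following the control flow of the listing.
 * Returns 0 on success, -1 for a zero divisor (the DIV in the listing would fault). */
int rem64_like_listing(int64_t a, int64_t b, int64_t *out)
{
    if (b == 0)
        return -1;
    /* Fast path at 00405623: high dwords of divisor and dividend are both zero. */
    if (((uint64_t)b >> 32) == 0 && ((uint64_t)a >> 32) == 0) {
        *out = (int64_t)((uint32_t)a % (uint32_t)b); /* DIV EBX; XCHG EAX,EDX; XOR EDX,EDX */
        return 0;
    }
    int negate = a < 0;                      /* OR EDI,1: result takes the dividend's sign */
    uint64_t ua = negate ? 0 - (uint64_t)a : (uint64_t)a;
    uint64_t ub = b < 0 ? 0 - (uint64_t)b : (uint64_t)b;
    uint64_t r = urem64_restoring(ua, ub);
    *out = negate ? -(int64_t)r : (int64_t)r; /* NEG EDX / NEG EAX / SBB EDX,0 */
    return 0;
}

int main(void)
{
    int64_t r;
    /* Constructed inputs: the constant quoted in the summary and an arbitrary byte value. */
    if (rem64_like_listing(0x0027D4AA, 0x41, &r) == 0)
        printf("0x0027D4AA mod 0x41 = %lld\n", (long long)r);
    if (rem64_like_listing(-1000000000007LL, 12345, &r) == 0)
        printf("-1000000000007 mod 12345 = %lld\n", (long long)r);
    return 0;
}
```

Recognising this pattern as a compiler runtime helper lets an analyst treat the whole call as a single modulo operation instead of tracing the loop instruction by instruction.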