【Title】:Filter Wiz PRO V3.2 Registration Algorithm Analysis + C Keygen
【Author】:greatboy
【Software】:Filter Wiz PRO V3.2
【Size】:2.22 MB
【Language】:English
【Category】:Foreign software / Shareware / Circuit design aid
【Compiled】:2005-11-22
【Developer】:http://www.schematica.com/
【Download】:http://www.schematica.com/
【Description】:
Design aid for active low-pass filter circuits
【Protection】:Registration code + startup nag + feature limits
【Compiler】:Borland Delphi 4.0 - 5.0
【Debug environment】:WinXP, PEiD, OllyDbg
【Crack date】:2005-11-20
【Purpose】:Algorithm research
【Author's note】:I am new to cracking and did this purely out of interest, with no other purpose. Please point out any mistakes!
―――――――――――――――――――――――――――――――――
【Cracking process】:
First, PEiD identifies the packer as:
PC-Guard 3.00 - 4.02 -> Blagoje Ceklic
This packer is fairly easy to unpack. First set a memory-write breakpoint on the 00401000 section:
00606970 281F sub byte ptr ds:[edi],bl ; breaks here
00606972 50 push eax
00606973 8B85 1B154100 mov eax,dword ptr ss:[ebp+41151B]
00606979 3207 xor al,byte ptr ds:[edi]
0060697B D1C0 rol eax,1
0060697D 8985 1B154100 mov dword ptr ss:[ebp+41151B],eax
00606983 58 pop eax
00606984 47 inc edi
00606985 59 pop ecx
00606986 ^ E2 AC loopd short FWP3232.00606934
00606988 8B85 1E244100 mov eax,dword ptr ss:[ebp+41241E] ; then set a breakpoint here
After the break at 00606970, clear the memory breakpoint first, set a breakpoint here instead, and press F9; once it breaks, set a memory-access breakpoint on the 00401000 section again. It breaks at:
00560A00 55 push ebp ; OEP
00560A01 8BEC mov ebp,esp
00560A03 B9 04000000 mov ecx,4
00560A08 6A 00 push 0
00560A0A 6A 00 push 0
00560A0C 49 dec ecx
00560A0D ^ 75 F9 jnz short FWP3232.00560A08
00560A0F 51 push ecx
00560A10 53 push ebx
00560A11 B8 E8055600 mov eax,FWP3232.005605E8
00560A16 E8 1D61EAFF call FWP3232.00406B38
Then dump it with OllyDbg's bundled plugin and the result runs; PEiD now reports Borland Delphi 4.0 - 5.0.
The focus here is the registration-code algorithm, so the dumped file was not optimised.
Load the dumped file dumped.exe in OD and set HE MessageBoxA: nothing is caught. The software encrypts its display strings, so the usual way of locating the prompt text does not work.
Instead, search all referenced text strings and set a breakpoint on every one. F9; activating the program window triggers a break. Remove that breakpoint, F9 again, enter a user name in the program window, press OK, and it breaks at
0049E9B8 BA 50F04900 mov edx,dumped.0049F050 ; ASCII "Gztj ZbepNnlh arg Heyqxvumtdon Podx msfq be ubbblebfg."
************ Test data *************
User Name:LinHG
Registration Code:13032856998
***********************************
Decoded, this text reads "Both UserName and Registration Code must be completed."
So both fields, user name and registration code, must be filled in. Scrolling down a few screens:
0049EC11 8038 00 cmp byte ptr ds:[eax],0
0049EC14 0F84 FD020000 je dumped.0049EF17
0049EC1A A1 AC1F5600 mov eax,dword ptr ds:[561FAC]
0049EC1F 50 push eax
0049EC20 A1 94255600 mov eax,dword ptr ds:[562594]
0049EC25 50 push eax
0049EC26 68 9CF14900 push dumped.0049F19C ; ASCII "Name"
0049EC2B A1 78265600 mov eax,dword ptr ds:[562678]
0049EC30 50 push eax
0049EC31 E8 8681F6FF call <jmp.&kernel32.WritePrivateProf>
0049EC36 A1 AC1F5600 mov eax,dword ptr ds:[561FAC]
0049EC3B 50 push eax
0049EC3C A1 7C205600 mov eax,dword ptr ds:[56207C]
0049EC41 50 push eax
0049EC42 68 A4F14900 push dumped.0049F1A4 ; ASCII "SerialNumber"
0049EC47 A1 78265600 mov eax,dword ptr ds:[562678]
0049EC4C 50 push eax
0049EC4D E8 6A81F6FF call <jmp.&kernel32.WritePrivateProf>
This is the spot.
0049EC07 |. E8 F09CFEFF call dumped.004888FC ; registration-code check
0049EC0C |. A1 D0225600 mov eax,dword ptr ds:[5622D0] ; fetch success flag
0049EC11 |. 8038 00 cmp byte ptr ds:[eax],0 ; 0 means failure (address 566339)
0049EC14 |. 0F84 FD020000 je dumped.0049EF17
Step into 004888FC.
See the comments below; I will not narrate further.
004888FC /$ 55 push ebp
004888FD |. 8BEC mov ebp,esp
004888FF |. 83C4 F8 add esp,-8
00488902 |. 8955 F8 mov dword ptr ss:[ebp-8],edx
00488905 |. 8945 FC mov dword ptr ss:[ebp-4],eax
00488908 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048890B |. E8 40B7F7FF call dumped.00404050
00488910 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00488913 |. E8 38B7F7FF call dumped.00404050
00488918 |. 33C0 xor eax,eax
0048891A |. 55 push ebp
0048891B |. 68 70894800 push dumped.00488970
00488920 |. 64:FF30 push dword ptr fs:[eax]
00488923 |. 64:8920 mov dword ptr fs:[eax],esp
00488926 |. B8 40060000 mov eax,640
0048892B |. E8 D49DF7FF call dumped.00402704
00488930 |. A3 BC655600 mov dword ptr ds:[5665BC],eax ; address of the first table
00488935 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00488938 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048893B |. E8 3C000000 call dumped.0048897C ; registration-code transform
00488940 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00488943 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00488946 |. E8 21070000 call dumped.0048906C ; compare after the transform (no plaintext compare)
0048894B |. A1 BC655600 mov eax,dword ptr ds:[5665BC] ; address of the first table
00488950 |. E8 C79DF7FF call dumped.0040271C
00488955 |. 33C0 xor eax,eax
00488957 |. 5A pop edx
00488958 |. 59 pop ecx
00488959 |. 59 pop ecx
0048895A |. 64:8910 mov dword ptr fs:[eax],edx
0048895D |. 68 77894800 push dumped.00488977
00488962 |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00488965 |. BA 02000000 mov edx,2
0048896A |. E8 D1B2F7FF call dumped.00403C40
0048896F \. C3 retn
00488970 .^ E9 3FADF7FF jmp dumped.004036B4
00488975 .^ EB EB jmp short dumped.00488962
00488977 . 59 pop ecx
00488978 . 59 pop ecx
00488979 . 5D pop ebp
0048897A . C3 retn
0048897C /$ 55 push ebp
0048897D |. 8BEC mov ebp,esp
0048897F |. 83C4 D0 add esp,-30
00488982 |. 53 push ebx
00488983 |. 56 push esi
00488984 |. 57 push edi
00488985 |. 33C9 xor ecx,ecx
00488987 |. 894D E0 mov dword ptr ss:[ebp-20],ecx
0048898A |. 894D F0 mov dword ptr ss:[ebp-10],ecx
0048898D |. 8955 F8 mov dword ptr ss:[ebp-8],edx
00488990 |. 8945 FC mov dword ptr ss:[ebp-4],eax
00488993 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00488996 |. E8 B5B6F7FF call dumped.00404050
0048899B |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0048899E |. E8 ADB6F7FF call dumped.00404050
004889A3 |. 33C0 xor eax,eax
004889A5 |. 55 push ebp
004889A6 |. 68 5C904800 push dumped.0048905C
004889AB |. 64:FF30 push dword ptr fs:[eax]
004889AE |. 64:8920 mov dword ptr fs:[eax],esp
004889B1 |. BB 01000000 mov ebx,1
004889B6 |. BF 18675600 mov edi,dumped.00566718
004889BB |. BE 1C655600 mov esi,dumped.0056651C
004889C0 |> C705 C8655600>/mov dword ptr ds:[5665C8],1
004889CA |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004889CD |. 8A4418 FF |mov al,byte ptr ds:[eax+ebx-1] ; fetch one character of the user name
004889D1 |. 8BD0 |mov edx,eax
004889D3 |. 80C2 D0 |add dl,0D0
004889D6 |. 80EA 0A |sub dl,0A
004889D9 |. 73 0F |jnb short dumped.004889EA ; jump if not below 0A
004889DB |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
004889DE |. 25 FF000000 |and eax,0FF
004889E3 |. 83E8 2A |sub eax,2A
004889E6 |. 8907 |mov dword ptr ds:[edi],eax
004889E8 |. EB 59 |jmp short dumped.00488A43
004889EA |> 8B55 FC |mov edx,dword ptr ss:[ebp-4]
004889ED |. 8BD0 |mov edx,eax
004889EF |. 80C2 BF |add dl,0BF
004889F2 |. 80EA 1A |sub dl,1A
004889F5 |. 73 0F |jnb short dumped.00488A06 ; jump if not below 1A
004889F7 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
004889FA |. 25 FF000000 |and eax,0FF
004889FF |. 83E8 38 |sub eax,38
00488A02 |. 8907 |mov dword ptr ds:[edi],eax
00488A04 |. EB 3D |jmp short dumped.00488A43
00488A06 |> 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00488A09 |. 8BD0 |mov edx,eax
00488A0B |. 80C2 9F |add dl,9F
00488A0E |. 80EA 1A |sub dl,1A
00488A11 |. 73 0F |jnb short dumped.00488A22 ; jump if not below 1A
00488A13 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00488A16 |. 25 FF000000 |and eax,0FF
00488A1B |. 83E8 4B |sub eax,4B
00488A1E |. 8907 |mov dword ptr ds:[edi],eax
00488A20 |. EB 21 |jmp short dumped.00488A43
00488A22 |> 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00488A25 |. 3C 20 |cmp al,20
00488A27 |. 75 0E |jnz short dumped.00488A37 ; jump if not a space
00488A29 |. A1 C8655600 |mov eax,dword ptr ds:[5665C8]
00488A2E |. F7EB |imul ebx
00488A30 |. 83C0 11 |add eax,11
00488A33 |. 8907 |mov dword ptr ds:[edi],eax
00488A35 |. EB 0C |jmp short dumped.00488A43
00488A37 |> A1 C8655600 |mov eax,dword ptr ds:[5665C8]
00488A3C |. F7EB |imul ebx
00488A3E |. 83C0 1A |add eax,1A
00488A41 |. 8907 |mov dword ptr ds:[edi],eax
00488A43 |> 8BC3 |mov eax,ebx
00488A45 |. 83F8 06 |cmp eax,6 ; Switch (cases 1..6)
00488A48 |. 0F87 26010000 |ja dumped.00488B74
00488A4E |. FF2485 558A48>|jmp dword ptr ds:[eax*4+488A55]
00488A55 |. 748B4800 |dd dumped.00488B74 ; Switch table used at 00488A4E
00488A59 |. 718A4800 |dd dumped.00488A71
00488A5D |. 9E8A4800 |dd dumped.00488A9E
00488A61 |. C88A4800 |dd dumped.00488AC8
00488A65 |. F68A4800 |dd dumped.00488AF6
00488A69 |. 208B4800 |dd dumped.00488B20
00488A6D |. 4A8B4800 |dd dumped.00488B4A
00488A71 |> DB05 C0655600 |fild dword ptr ds:[5665C0] ; Case 1 of switch 00488A45
00488A77 |. D9FA |fsqrt
00488A79 |. 8B07 |mov eax,dword ptr ds:[edi]
00488A7B |. 8B15 C8655600 |mov edx,dword ptr ds:[5665C8]
00488A81 |. 8D14D2 |lea edx,dword ptr ds:[edx+edx*8]
00488A84 |. 2BC2 |sub eax,edx
00488A86 |. F7E8 |imul eax
00488A88 |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
00488A8B |. DB45 E4 |fild dword ptr ss:[ebp-1C]
00488A8E |. DEC1 |faddp st(1),st
00488A90 |. D9FA |fsqrt
00488A92 |. E8 39A0F7FF |call dumped.00402AD0
00488A97 |. 8906 |mov dword ptr ds:[esi],eax
00488A99 |. E9 D6000000 |jmp dumped.00488B74
00488A9E |> DB05 C0655600 |fild dword ptr ds:[5665C0] ; Case 2 of switch 00488A45
00488AA4 |. D9FA |fsqrt
00488AA6 |. 8B07 |mov eax,dword ptr ds:[edi]
00488AA8 |. 8B15 C8655600 |mov edx,dword ptr ds:[5665C8]
00488AAE |. 03C2 |add eax,edx
00488AB0 |. F7E8 |imul eax
00488AB2 |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
00488AB5 |. DB45 E4 |fild dword ptr ss:[ebp-1C]
00488AB8 |. DEC1 |faddp st(1),st
00488ABA |. D9FA |fsqrt
00488ABC |. E8 0FA0F7FF |call dumped.00402AD0
00488AC1 |. 8906 |mov dword ptr ds:[esi],eax
00488AC3 |. E9 AC000000 |jmp dumped.00488B74
00488AC8 |> DB05 C0655600 |fild dword ptr ds:[5665C0] ; Case 3 of switch 00488A45
00488ACE |. D9FA |fsqrt
00488AD0 |. 8B07 |mov eax,dword ptr ds:[edi]
00488AD2 |. 8B15 C8655600 |mov edx,dword ptr ds:[5665C8]
00488AD8 |. 8BCA |mov ecx,edx
00488ADA |. C1E2 03 |shl edx,3
00488ADD |. 2BD1 |sub edx,ecx
00488ADF |. 2BC2 |sub eax,edx
00488AE1 |. F7E8 |imul eax
00488AE3 |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
00488AE6 |. DB45 E4 |fild dword ptr ss:[ebp-1C]
00488AE9 |. DEC1 |faddp st(1),st
00488AEB |. D9FA |fsqrt
00488AED |. E8 DE9FF7FF |call dumped.00402AD0
00488AF2 |. 8906 |mov dword ptr ds:[esi],eax
00488AF4 |. EB 7E |jmp short dumped.00488B74
00488AF6 |> DB05 C0655600 |fild dword ptr ds:[5665C0] ; Case 4 of switch 00488A45
00488AFC |. D9FA |fsqrt
00488AFE |. 8B07 |mov eax,dword ptr ds:[edi]
00488B00 |. 8B15 C8655600 |mov edx,dword ptr ds:[5665C8]
00488B06 |. 8D1452 |lea edx,dword ptr ds:[edx+edx*2]
00488B09 |. 03C2 |add eax,edx
00488B0B |. F7E8 |imul eax
00488B0D |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
00488B10 |. DB45 E4 |fild dword ptr ss:[ebp-1C]
00488B13 |. DEC1 |faddp st(1),st
00488B15 |. D9FA |fsqrt
00488B17 |. E8 B49FF7FF |call dumped.00402AD0
00488B1C |. 8906 |mov dword ptr ds:[esi],eax
00488B1E |. EB 54 |jmp short dumped.00488B74
00488B20 |> DB05 C0655600 |fild dword ptr ds:[5665C0] ; Case 5 of switch 00488A45
00488B26 |. D9FA |fsqrt
00488B28 |. 8B07 |mov eax,dword ptr ds:[edi]
00488B2A |. 8B15 C8655600 |mov edx,dword ptr ds:[5665C8]
00488B30 |. 8D1492 |lea edx,dword ptr ds:[edx+edx*4]
00488B33 |. 03C2 |add eax,edx
00488B35 |. F7E8 |imul eax
00488B37 |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
00488B3A |. DB45 E4 |fild dword ptr ss:[ebp-1C]
00488B3D |. DEC1 |faddp st(1),st
00488B3F |. D9FA |fsqrt
00488B41 |. E8 8A9FF7FF |call dumped.00402AD0
00488B46 |. 8906 |mov dword ptr ds:[esi],eax
00488B48 |. EB 2A |jmp short dumped.00488B74
00488B4A |> DB05 C0655600 |fild dword ptr ds:[5665C0] ; Case 6 of switch 00488A45
00488B50 |. D9FA |fsqrt
00488B52 |. 8B07 |mov eax,dword ptr ds:[edi]
00488B54 |. 8B15 C8655600 |mov edx,dword ptr ds:[5665C8]
00488B5A |. 03D2 |add edx,edx
00488B5C |. 8D1452 |lea edx,dword ptr ds:[edx+edx*2]
00488B5F |. 2BC2 |sub eax,edx
00488B61 |. F7E8 |imul eax
00488B63 |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
00488B66 |. DB45 E4 |fild dword ptr ss:[ebp-1C]
00488B69 |. DEC1 |faddp st(1),st
00488B6B |. D9FA |fsqrt
00488B6D |. E8 5E9FF7FF |call dumped.00402AD0
00488B72 |. 8906 |mov dword ptr ds:[esi],eax
00488B74 |> 8B06 |mov eax,dword ptr ds:[esi] ; Default case of switch 00488A45
00488B76 |. 99 |cdq ; these three lines compute the absolute value
00488B77 |. 33C2 |xor eax,edx
00488B79 |. 2BC2 |sub eax,edx
00488B7B |. 8BC8 |mov ecx,eax
00488B7D |. 890E |mov dword ptr ds:[esi],ecx
00488B7F |. 49 |dec ecx
00488B80 |. D1F9 |sar ecx,1 ; divide by 2
00488B82 |. 79 03 |jns short dumped.00488B87 ; handles the case where ecx is -1 here
00488B84 |. 83D1 00 |adc ecx,0 ; add the carry flag, so -1/2 gives 0
00488B87 |> 83C1 41 |add ecx,41
00488B8A |. 890E |mov dword ptr ds:[esi],ecx
00488B8C |. 43 |inc ebx
00488B8D |. 83C6 04 |add esi,4
00488B90 |. 83C7 04 |add edi,4
00488B93 |. 83FB 07 |cmp ebx,7
00488B96 |.^ 0F85 24FEFFFF \jnz dumped.004889C0
00488B9C |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00488B9F |. E8 F8B2F7FF call dumped.00403E9C
00488BA4 |. 8BF0 mov esi,eax
00488BA6 |. 85F6 test esi,esi
00488BA8 |. 7E 1B jle short dumped.00488BC5
00488BAA |. BB 01000000 mov ebx,1
00488BAF |. B8 3C635600 mov eax,dumped.0056633C
00488BB4 |> 8B55 F8 /mov edx,dword ptr ss:[ebp-8]
00488BB7 |. 0FB6541A FF |movzx edx,byte ptr ds:[edx+ebx-1]
00488BBC |. 8910 |mov dword ptr ds:[eax],edx
00488BBE |. 43 |inc ebx
00488BBF |. 83C0 04 |add eax,4
00488BC2 |. 4E |dec esi
00488BC3 |.^ 75 EF \jnz short dumped.00488BB4
00488BC5 |> 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00488BC8 |. E8 CFB2F7FF call dumped.00403E9C
00488BCD |. A3 C4655600 mov dword ptr ds:[5665C4],eax
00488BD2 |. 8B35 C4655600 mov esi,dword ptr ds:[5665C4]
00488BD8 |. 85F6 test esi,esi
00488BDA |. 7E 25 jle short dumped.00488C01
00488BDC |. BB 01000000 mov ebx,1
00488BE1 |. B9 7C645600 mov ecx,dumped.0056647C
00488BE6 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8]
00488BE9 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1]
00488BEE |. BF 0A000000 |mov edi,0A
00488BF3 |. 33D2 |xor edx,edx
00488BF5 |. F7F7 |div edi
00488BF7 |. 42 |inc edx
00488BF8 |. 8911 |mov dword ptr ds:[ecx],edx
00488BFA |. 43 |inc ebx
00488BFB |. 83C1 04 |add ecx,4
00488BFE |. 4E |dec esi
00488BFF |.^ 75 E5 \jnz short dumped.00488BE6
00488C01 |> C745 F4 01000>mov dword ptr ss:[ebp-C],1
00488C08 |> 8B35 C4655600 /mov esi,dword ptr ds:[5665C4]
00488C0E |. 85F6 |test esi,esi
00488C10 |. 0F8E 09030000 |jle dumped.00488F1F
00488C16 |. BB 01000000 |mov ebx,1
00488C1B |. BF 3C635600 |mov edi,dumped.0056633C
00488C20 |. C745 EC 7C645>|mov dword ptr ss:[ebp-14],dumped.0056647C
00488C27 |> 8B45 F4 |/mov eax,dword ptr ss:[ebp-C]
00488C2A |. 83F8 0A ||cmp eax,0A ; Switch (cases 1..A)
00488C2D |. 0F87 DD020000 ||ja dumped.00488F10
00488C33 |. FF2485 3A8C48>||jmp dword ptr ds:[eax*4+488C3A]
00488C3A |. 108F4800 ||dd dumped.00488F10 ; Switch table used at 00488C33
00488C3E |. 668C4800 ||dd dumped.00488C66
00488C42 |. A68C4800 ||dd dumped.00488CA6
00488C46 |. F08C4800 ||dd dumped.00488CF0
00488C4A |. 308D4800 ||dd dumped.00488D30
00488C4E |. 7A8D4800 ||dd dumped.00488D7A
00488C52 |. BA8D4800 ||dd dumped.00488DBA
00488C56 |. 048E4800 ||dd dumped.00488E04
00488C5A |. 448E4800 ||dd dumped.00488E44
00488C5E |. 8E8E4800 ||dd dumped.00488E8E
00488C62 |. CB8E4800 ||dd dumped.00488ECB
00488C66 |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 1 of switch 00488C2A
00488C68 |. F7E8 ||imul eax
00488C6A |. 8BC8 ||mov ecx,eax
00488C6C |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488C6F |. 8B00 ||mov eax,dword ptr ds:[eax]
00488C71 |. F7E8 ||imul eax
00488C73 |. F72D C0655600 ||imul dword ptr ds:[5665C0] ; constant 8
00488C79 |. 03C8 ||add ecx,eax
00488C7B |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488C7E |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488C81 |. D9FA ||fsqrt
00488C83 |. E8 489EF7FF ||call dumped.00402AD0 ; sqrt(31*31+A*A*8)
00488C88 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488C8B |. C1E2 02 ||shl edx,2
00488C8E |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488C91 |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488C97 |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488C9A |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488CA1 |. E9 6A020000 ||jmp dumped.00488F10
00488CA6 |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 2 of switch 00488C2A
00488CA8 |. F7E8 ||imul eax
00488CAA |. 8BC8 ||mov ecx,eax
00488CAC |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488CAF |. 8B00 ||mov eax,dword ptr ds:[eax]
00488CB1 |. F7E8 ||imul eax
00488CB3 |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488CB9 |. 51 ||push ecx
00488CBA |. B9 05000000 ||mov ecx,5
00488CBF |. 99 ||cdq
00488CC0 |. F7F9 ||idiv ecx
00488CC2 |. 59 ||pop ecx
00488CC3 |. 2BC8 ||sub ecx,eax
00488CC5 |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488CC8 |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488CCB |. D9FA ||fsqrt
00488CCD |. E8 FE9DF7FF ||call dumped.00402AD0 ; sqrt(31*31-A*A*8\5)
00488CD2 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488CD5 |. C1E2 02 ||shl edx,2
00488CD8 |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488CDB |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488CE1 |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488CE4 |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488CEB |. E9 20020000 ||jmp dumped.00488F10
00488CF0 |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 3 of switch 00488C2A
00488CF2 |. F7E8 ||imul eax
00488CF4 |. 8BC8 ||mov ecx,eax
00488CF6 |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488CF9 |. 8B00 ||mov eax,dword ptr ds:[eax]
00488CFB |. F7E8 ||imul eax
00488CFD |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488D03 |. 03C8 ||add ecx,eax
00488D05 |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488D08 |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488D0B |. D9FA ||fsqrt
00488D0D |. E8 BE9DF7FF ||call dumped.00402AD0 ; sqrt(31*31+A*A*8)
00488D12 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488D15 |. C1E2 02 ||shl edx,2
00488D18 |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488D1B |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488D21 |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488D24 |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488D2B |. E9 E0010000 ||jmp dumped.00488F10
00488D30 |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 4 of switch 00488C2A
00488D32 |. F7E8 ||imul eax
00488D34 |. 8BC8 ||mov ecx,eax
00488D36 |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488D39 |. 8B00 ||mov eax,dword ptr ds:[eax]
00488D3B |. F7E8 ||imul eax
00488D3D |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488D43 |. 51 ||push ecx
00488D44 |. B9 05000000 ||mov ecx,5
00488D49 |. 99 ||cdq
00488D4A |. F7F9 ||idiv ecx
00488D4C |. 59 ||pop ecx
00488D4D |. 2BC8 ||sub ecx,eax
00488D4F |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488D52 |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488D55 |. D9FA ||fsqrt
00488D57 |. E8 749DF7FF ||call dumped.00402AD0 ; sqrt(31*31-A*A*8\5)
00488D5C |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488D5F |. C1E2 02 ||shl edx,2
00488D62 |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488D65 |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488D6B |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488D6E |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488D75 |. E9 96010000 ||jmp dumped.00488F10
00488D7A |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 5 of switch 00488C2A
00488D7C |. F7E8 ||imul eax
00488D7E |. 8BC8 ||mov ecx,eax
00488D80 |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488D83 |. 8B00 ||mov eax,dword ptr ds:[eax]
00488D85 |. F7E8 ||imul eax
00488D87 |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488D8D |. 03C8 ||add ecx,eax
00488D8F |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488D92 |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488D95 |. D9FA ||fsqrt
00488D97 |. E8 349DF7FF ||call dumped.00402AD0 ; sqrt(31*31+A*A*8)
00488D9C |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488D9F |. C1E2 02 ||shl edx,2
00488DA2 |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488DA5 |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488DAB |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488DAE |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488DB5 |. E9 56010000 ||jmp dumped.00488F10
00488DBA |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 6 of switch 00488C2A
00488DBC |. F7E8 ||imul eax
00488DBE |. 8BC8 ||mov ecx,eax
00488DC0 |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488DC3 |. 8B00 ||mov eax,dword ptr ds:[eax]
00488DC5 |. F7E8 ||imul eax
00488DC7 |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488DCD |. 51 ||push ecx
00488DCE |. B9 05000000 ||mov ecx,5
00488DD3 |. 99 ||cdq
00488DD4 |. F7F9 ||idiv ecx
00488DD6 |. 59 ||pop ecx
00488DD7 |. 2BC8 ||sub ecx,eax
00488DD9 |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488DDC |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488DDF |. D9FA ||fsqrt
00488DE1 |. E8 EA9CF7FF ||call dumped.00402AD0 ; sqrt(31*31-A*A*8\5)
00488DE6 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488DE9 |. C1E2 02 ||shl edx,2
00488DEC |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488DEF |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488DF5 |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488DF8 |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488DFF |. E9 0C010000 ||jmp dumped.00488F10
00488E04 |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 7 of switch 00488C2A
00488E06 |. F7E8 ||imul eax
00488E08 |. 8BC8 ||mov ecx,eax
00488E0A |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488E0D |. 8B00 ||mov eax,dword ptr ds:[eax]
00488E0F |. F7E8 ||imul eax
00488E11 |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488E17 |. 03C8 ||add ecx,eax
00488E19 |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488E1C |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488E1F |. D9FA ||fsqrt
00488E21 |. E8 AA9CF7FF ||call dumped.00402AD0 ; sqrt(31*31+A*A*8)
00488E26 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488E29 |. C1E2 02 ||shl edx,2
00488E2C |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488E2F |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488E35 |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488E38 |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488E3F |. E9 CC000000 ||jmp dumped.00488F10
00488E44 |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 8 of switch 00488C2A
00488E46 |. F7E8 ||imul eax
00488E48 |. 8BC8 ||mov ecx,eax
00488E4A |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488E4D |. 8B00 ||mov eax,dword ptr ds:[eax]
00488E4F |. F7E8 ||imul eax
00488E51 |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488E57 |. 51 ||push ecx
00488E58 |. B9 05000000 ||mov ecx,5
00488E5D |. 99 ||cdq
00488E5E |. F7F9 ||idiv ecx
00488E60 |. 59 ||pop ecx
00488E61 |. 2BC8 ||sub ecx,eax
00488E63 |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488E66 |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488E69 |. D9FA ||fsqrt
00488E6B |. E8 609CF7FF ||call dumped.00402AD0 ; sqrt(31*31-A*A*8\5)
00488E70 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488E73 |. C1E2 02 ||shl edx,2
00488E76 |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488E79 |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488E7F |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488E82 |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488E89 |. E9 82000000 ||jmp dumped.00488F10
00488E8E |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case 9 of switch 00488C2A
00488E90 |. F7E8 ||imul eax
00488E92 |. 8BC8 ||mov ecx,eax
00488E94 |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488E97 |. 8B00 ||mov eax,dword ptr ds:[eax]
00488E99 |. F7E8 ||imul eax
00488E9B |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488EA1 |. 03C8 ||add ecx,eax
00488EA3 |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488EA6 |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488EA9 |. D9FA ||fsqrt
00488EAB |. E8 209CF7FF ||call dumped.00402AD0 ; sqrt(31*31+A*A*8)
00488EB0 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488EB3 |. C1E2 02 ||shl edx,2
00488EB6 |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488EB9 |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488EBF |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488EC2 |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488EC9 |. EB 45 ||jmp short dumped.00488F10
00488ECB |> 8B07 ||mov eax,dword ptr ds:[edi] ; Case A of switch 00488C2A
00488ECD |. F7E8 ||imul eax
00488ECF |. 8BC8 ||mov ecx,eax
00488ED1 |. 8B45 EC ||mov eax,dword ptr ss:[ebp-14]
00488ED4 |. 8B00 ||mov eax,dword ptr ds:[eax]
00488ED6 |. F7E8 ||imul eax
00488ED8 |. F72D C0655600 ||imul dword ptr ds:[5665C0]
00488EDE |. 51 ||push ecx
00488EDF |. B9 05000000 ||mov ecx,5
00488EE4 |. 99 ||cdq
00488EE5 |. F7F9 ||idiv ecx
00488EE7 |. 59 ||pop ecx
00488EE8 |. 2BC8 ||sub ecx,eax
00488EEA |. 894D E4 ||mov dword ptr ss:[ebp-1C],ecx
00488EED |. DB45 E4 ||fild dword ptr ss:[ebp-1C]
00488EF0 |. D9FA ||fsqrt
00488EF2 |. E8 D99BF7FF ||call dumped.00402AD0 ; sqrt(31*31-A*A*8\5)
00488EF7 |. 8B55 F4 ||mov edx,dword ptr ss:[ebp-C]
00488EFA |. C1E2 02 ||shl edx,2
00488EFD |. 8D1492 ||lea edx,dword ptr ds:[edx+edx*4]
00488F00 |. 8B0D BC655600 ||mov ecx,dword ptr ds:[5665BC]
00488F06 |. 8D14D1 ||lea edx,dword ptr ds:[ecx+edx*8]
00488F09 |. 89849A 5CFFFF>||mov dword ptr ds:[edx+ebx*4-A4],eax
00488F10 |> 43 ||inc ebx ; Default case of switch 00488C2A
00488F11 |. 8345 EC 04 ||add dword ptr ss:[ebp-14],4
00488F15 |. 83C7 04 ||add edi,4
00488F18 |. 4E ||dec esi
00488F19 |.^ 0F85 08FDFFFF |\jnz dumped.00488C27
00488F1F |> FF45 F4 |inc dword ptr ss:[ebp-C]
00488F22 |. 837D F4 0B |cmp dword ptr ss:[ebp-C],0B
00488F26 |.^ 0F85 DCFCFFFF \jnz dumped.00488C08
00488F2C |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00488F2F |. E8 E8ACF7FF call dumped.00403C1C
00488F34 |. 8B35 C4655600 mov esi,dword ptr ds:[5665C4] ; fetch registration-code length
00488F3A |. 85F6 test esi,esi
00488F3C |. 7E 62 jle short dumped.00488FA0
00488F3E |. BB 01000000 mov ebx,1
00488F43 |. BF DC635600 mov edi,dumped.005663DC
00488F48 |> 8BC3 /mov eax,ebx
00488F4A |. B9 0A000000 |mov ecx,0A
00488F4F |. 99 |cdq
00488F50 |. F7F9 |idiv ecx
00488F52 |. 8BCA |mov ecx,edx
00488F54 |. 85C9 |test ecx,ecx ; yields a number 1-9
00488F56 |. 7E 05 |jle short dumped.00488F5D
00488F58 |. 894D F4 |mov dword ptr ss:[ebp-C],ecx ; save the number just computed
00488F5B |. EB 07 |jmp short dumped.00488F64
00488F5D |> C745 F4 0A000>|mov dword ptr ss:[ebp-C],0A
00488F64 |> 8B45 F4 |mov eax,dword ptr ss:[ebp-C]
00488F67 |. C1E0 02 |shl eax,2
00488F6A |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4] ; equivalent to i*14H
00488F6D |. 8B15 BC655600 |mov edx,dword ptr ds:[5665BC] ; fetch the base address where the values computed above are stored
00488F73 |. 8D04C2 |lea eax,dword ptr ds:[edx+eax*8] ; when [ebp-c] is 1 take the 2nd table, 3 the 3rd, 4 -> 5th ...
00488F76 |. 8B8498 5CFFFF>|mov eax,dword ptr ds:[eax+ebx*4-A4] ; equivalent to taking the 1st entry of the 1st table, the 2nd entry of the 2nd table, the 3rd of the 3rd ... and the last entry of the 1st table
00488F7D |. 8907 |mov dword ptr ds:[edi],eax ; write to the area starting at 5663dc
00488F7F |. 8D45 E0 |lea eax,dword ptr ss:[ebp-20]
00488F82 |. 8B55 F8 |mov edx,dword ptr ss:[ebp-8]
00488F85 |. 8A541A FF |mov dl,byte ptr ds:[edx+ebx-1]
00488F89 |. E8 36AEF7FF |call dumped.00403DC4
00488F8E |. 8B55 E0 |mov edx,dword ptr ss:[ebp-20]
00488F91 |. 8D45 F0 |lea eax,dword ptr ss:[ebp-10]
00488F94 |. E8 0BAFF7FF |call dumped.00403EA4
00488F99 |. 43 |inc ebx
00488F9A |. 83C7 04 |add edi,4
00488F9D |. 4E |dec esi
00488F9E |.^ 75 A8 \jnz short dumped.00488F48
00488FA0 |> 8B35 C4655600 mov esi,dword ptr ds:[5665C4] ; fetch registration-code length
00488FA6 |. 83EE 03 sub esi,3 ; loop only length-3 times
00488FA9 |. 85F6 test esi,esi
00488FAB |. 0F8E 80000000 jle dumped.00489031
00488FB1 |. BB DC635600 mov ebx,dumped.005663DC
00488FB6 |. BF CC655600 mov edi,dumped.005665CC
00488FBB |. C745 E8 6C665>mov dword ptr ss:[ebp-18],dumped.0056666C
00488FC2 |> 8B03 /mov eax,dword ptr ds:[ebx] ; fetch one transformed code value from above
00488FC4 |. F7E8 |imul eax
00488FC6 |. 8BC8 |mov ecx,eax
00488FC8 |. 8B43 04 |mov eax,dword ptr ds:[ebx+4] ; fetch the next transformed code value
00488FCB |. F7E8 |imul eax
00488FCD |. 0FAFC8 |imul ecx,eax
00488FD0 |. 894D E4 |mov dword ptr ss:[ebp-1C],ecx
00488FD3 |. DB45 E4 |fild dword ptr ss:[ebp-1C]
00488FD6 |. D9FA |fsqrt
00488FD8 |. DB7D D4 |fstp tbyte ptr ss:[ebp-2C]
00488FDB |. 9B |wait
00488FDC |. 8B43 08 |mov eax,dword ptr ds:[ebx+8] ; fetch the transformed value after next
00488FDF |. F7E8 |imul eax
00488FE1 |. 8BC8 |mov ecx,eax
00488FE3 |. 8B03 |mov eax,dword ptr ds:[ebx]
00488FE5 |. F7E8 |imul eax
00488FE7 |. 03C8 |add ecx,eax
00488FE9 |. 894D D0 |mov dword ptr ss:[ebp-30],ecx
00488FEC |. DB45 D0 |fild dword ptr ss:[ebp-30]
00488FEF |. D9FA |fsqrt
00488FF1 |. DB6D D4 |fld tbyte ptr ss:[ebp-2C]
00488FF4 |. DEC9 |fmulp st(1),st
00488FF6 |. E8 D59AF7FF |call dumped.00402AD0 ; EAX=sqrt(code2(i)*code2(i)*code2(i+1)*code2(i+1))*sqrt(code2(i+2)*code2(i+2)+code2(i)*code2(i))
00488FFB |. 8907 |mov dword ptr ds:[edi],eax ; transformed value written to 5665cc
00488FFD |. 8B43 04 |mov eax,dword ptr ds:[ebx+4] ; next transformed value
00489000 |. 2B03 |sub eax,dword ptr ds:[ebx]
00489002 |. F7E8 |imul eax
00489004 |. 8BC8 |mov ecx,eax
00489006 |. 8B43 08 |mov eax,dword ptr ds:[ebx+8] ; fetch the transformed value after next
00489009 |. 2B43 04 |sub eax,dword ptr ds:[ebx+4] ; fetch the next transformed value
0048900C |. F7E8 |imul eax
0048900E |. 03C8 |add ecx,eax
00489010 |. 8BC1 |mov eax,ecx
00489012 |. F7E8 |imul eax
00489014 |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
00489017 |. DB45 E4 |fild dword ptr ss:[ebp-1C]
0048901A |. E8 B19AF7FF |call dumped.00402AD0 ; EAX=((code2(i+1)-code2(i))^2+(code2(i+2)-code2(i+1))^2)^2
0048901F |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
00489022 |. 8902 |mov dword ptr ds:[edx],eax ; saved to the area starting at 56666c
00489024 |. 8345 E8 04 |add dword ptr ss:[ebp-18],4
00489028 |. 83C7 04 |add edi,4
0048902B |. 83C3 04 |add ebx,4
0048902E |. 4E |dec esi
0048902F |.^ 75 91 \jnz short dumped.00488FC2
00489031 |> 33C0 xor eax,eax
00489033 |. 5A pop edx
00489034 |. 59 pop ecx
00489035 |. 59 pop ecx
00489036 |. 64:8910 mov dword ptr fs:[eax],edx
00489039 |. 68 63904800 push dumped.00489063
0048903E |> 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00489041 |. E8 D6ABF7FF call dumped.00403C1C
00489046 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00489049 |. E8 CEABF7FF call dumped.00403C1C
0048904E |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00489051 |. BA 02000000 mov edx,2
00489056 |. E8 E5ABF7FF call dumped.00403C40
0048905B \. C3 retn
0048905C .^ E9 53A6F7FF jmp dumped.004036B4
00489061 .^ EB DB jmp short dumped.0048903E
00489063 . 5F pop edi
00489064 . 5E pop esi
00489065 . 5B pop ebx
00489066 . 8BE5 mov esp,ebp
00489068 . 5D pop ebp
00489069 . C3 retn
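The character-range checks at 004889D3/004889EF/00488A0B and the abs-then-halve sequence at 00488B76..00488B87 are standard Delphi compiler idioms that the comments above only gloss. The C below is an added example, not code from the original write-up: it models each idiom bit-for-bit (8-bit wraparound, carry flag, arithmetic shift) and checks the model against plain C arithmetic. The immediates and addresses come from the listing; the function names and the sample string are ours.

```c
/* Added example, not code from the original write-up: C models of the
 * x86 idioms used in the name-transform routine at 0048897C, each checked
 * against plain C arithmetic. Immediates (0D0/0BF/9F/0A/1A/41) and
 * addresses come from the listing; the function names are ours. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* "add dl,imm ; sub dl,len ; jnb" (004889D3 ff.): dl wraps at 8 bits, and
 * "sub" borrows (CF=1) exactly when c+imm (mod 256) < len, so the
 * fall-through (non-jump) path is taken only for c in [-imm, -imm+len). */
static bool in_range_idiom(uint8_t c, uint8_t add_imm, uint8_t len)
{
    uint8_t dl = (uint8_t)(c + add_imm);  /* 8-bit wraparound, as in dl */
    return dl < len;                       /* CF after "sub dl,len" */
}

/* The three checks at 004889D3 / 004889EF / 00488A0B plus "cmp al,20":
 * 0 = '0'..'9', 1 = 'A'..'Z', 2 = 'a'..'z', 3 = space, 4 = anything else. */
static int classify_idiom(uint8_t c)
{
    if (in_range_idiom(c, 0xD0, 0x0A)) return 0;   /* 0xD0 == -'0' mod 256 */
    if (in_range_idiom(c, 0xBF, 0x1A)) return 1;   /* 0xBF == -'A' mod 256 */
    if (in_range_idiom(c, 0x9F, 0x1A)) return 2;   /* 0x9F == -'a' mod 256 */
    return c == 0x20 ? 3 : 4;
}

/* "cdq ; xor eax,edx ; sub eax,edx" (00488B76): edx is the sign mask
 * (0 or -1); xor flips the bits of a negative value, subtracting -1 adds one. */
static int32_t abs_idiom(int32_t eax)
{
    uint32_t edx = eax < 0 ? 0xFFFFFFFFu : 0u;   /* cdq */
    uint32_t u = (uint32_t)eax ^ edx;            /* xor eax,edx */
    return (int32_t)(u - edx);                   /* sub eax,edx (wraps safely) */
}

/* "dec ecx ; sar ecx,1 ; jns L ; adc ecx,0 ; L: add ecx,41" (00488B7F):
 * Delphi's (v - 1) div 2 + $41. SAR alone floors, so for v == 0 it would
 * give -1; the carry fix-up turns that into the truncated result 0. */
static int32_t half_idiom(int32_t ecx)
{
    ecx -= 1;                                           /* dec ecx */
    bool cf = (ecx & 1) != 0;                           /* bit shifted out by sar */
    ecx = ecx >= 0 ? ecx >> 1 : -((-ecx + 1) >> 1);     /* sar ecx,1 (floor) */
    if (ecx < 0 && cf) ecx += 1;                        /* jns not taken -> adc ecx,0 */
    return ecx + 0x41;                                  /* add ecx,41 */
}

/* What 00488B74..00488B8A leaves in [esi] for one slot, via the idioms. */
static int32_t slot_value_idiom(int32_t v)
{
    return half_idiom(abs_idiom(v));
}

/* Same thing in plain C; '/' truncates toward zero like Delphi's div. */
static int32_t slot_value_reference(int32_t v)
{
    int32_t a = v < 0 ? -v : v;
    return (a - 1) / 2 + 0x41;
}

/* Sweep [lo, hi] and report whether the idiom model matches the reference. */
static bool idioms_match(int32_t lo, int32_t hi)
{
    for (int32_t v = lo; v <= hi; v++)
        if (slot_value_idiom(v) != slot_value_reference(v))
            return false;
    return true;
}

int main(void)
{
    static const char *names[] = {"digit", "upper", "lower", "space", "other"};
    const char sample[] = "Lin HG9!";   /* constructed input, not from the page */
    for (const char *p = sample; *p; p++)
        printf("%c -> %s\n", *p, names[classify_idiom((uint8_t)*p)]);
    printf("idioms match on [-1000,1000]: %s\n",
           idioms_match(-1000, 1000) ? "yes" : "no");
    return 0;
}
```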
0048906C $ 55 push ebp
0048906D . 8BEC mov ebp,esp
0048906F . 53 push ebx
00489070 . BB 39635600 mov ebx,dumped.00566339
00489075 . 33C0 xor eax,eax
00489077 . 55 push ebp
00489078 . 68 2B914800 push dumped.0048912B
0048907D . 64:FF30 push dword ptr fs:[eax]
00489080 . 64:8920 mov dword ptr fs:[eax],esp
00489083 . B8 EB250300 mov eax,325EB
00489088 . E8 0F020000 call dumped.0048929C
0048908D . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
00489090 . 0F84 87000000 je dumped.0048911D
00489096 . B8 21010000 mov eax,121
0048909B . E8 28020000 call dumped.004892C8
004890A0 . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
004890A3 . 74 78 je short dumped.0048911D
004890A5 . B8 01FA0200 mov eax,2FA01
004890AA . E8 ED010000 call dumped.0048929C
004890AF . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
004890B2 . 74 69 je short dumped.0048911D
004890B4 . B8 39050800 mov eax,80539
004890B9 . E8 0A020000 call dumped.004892C8
004890BE . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
004890C1 . 74 5A je short dumped.0048911D
004890C3 . B8 4F4C0B00 mov eax,0B4C4F
004890C8 . E8 CF010000 call dumped.0048929C
004890CD . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
004890D0 . 74 4B je short dumped.0048911D
004890D2 . B8 24160C00 mov eax,0C1624
004890D7 . E8 EC010000 call dumped.004892C8
004890DC . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
004890DF . 74 3C je short dumped.0048911D
004890E1 . B8 833D0300 mov eax,33D83
004890E6 . E8 B1010000 call dumped.0048929C
004890EB . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
004890EE . 74 2D je short dumped.0048911D
004890F0 . B8 B9560000 mov eax,56B9
004890F5 . E8 CE010000 call dumped.004892C8
004890FA . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
004890FD . 74 1E je short dumped.0048911D
004890FF . B8 44F90800 mov eax,8F944
00489104 . E8 93010000 call dumped.0048929C
00489109 . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
0048910C . 74 0F je short dumped.0048911D
0048910E . E8 25000000 call dumped.00489138
00489113 . 803B 00 cmp byte ptr ds:[ebx],0 ; compare with success flag at 566339
00489116 . 74 05 je short dumped.0048911D
00489118 . E8 83000000 call dumped.004891A0
0048911D > 33C0 xor eax,eax
0048911F . 5A pop edx
00489120 . 59 pop ecx
00489121 . 59 pop ecx
00489122 . 64:8910 mov dword ptr fs:[eax],edx
00489125 . 68 32914800 push dumped.00489132
0048912A > C3 retn ; RET used as a jump to 00489132
0048912B .^ E9 84A5F7FF jmp dumped.004036B4
00489130 .^ EB F8 jmp short dumped.0048912A
00489132 > 5B pop ebx
00489133 . 5D pop ebp
00489134 . C3 retn
0048929C /$ C605 39635600>mov byte ptr ds:[566339],0 ; 置为不成功
004892A3 |. 8B0D C4655600 mov ecx,dword ptr ds:[5665C4] ; 注册码个数
004892A9 |. 83E9 08 sub ecx,8 ; 循环(注册码个数-8)次
004892AC |. 85C9 test ecx,ecx
004892AE |. 7E 16 jle short dumped.004892C6
004892B0 |. BA CC655600 mov edx,dumped.005665CC
004892B5 |> 3B02 /cmp eax,dword ptr ds:[edx] ; 与5665cc比较
004892B7 |. 75 07 |jnz short dumped.004892C0
004892B9 |. C605 39635600>|mov byte ptr ds:[566339],1 ; found: set success flag
004892C0 |> 83C2 04 |add edx,4
004892C3 |. 49 |dec ecx
004892C4 |.^ 75 EF \jnz short dumped.004892B5
004892C6 \> C3 retn
004892C8 /$ C605 39635600>mov byte ptr ds:[566339],0 ; clear success flag
004892CF |. 8B0D C4655600 mov ecx,dword ptr ds:[5665C4] ; code length (number of entries)
004892D5 |. 83E9 08 sub ecx,8 ; loop (length - 8) times
004892D8 |. 85C9 test ecx,ecx
004892DA |. 7E 16 jle short dumped.004892F2
004892DC |. BA 6C665600 mov edx,dumped.0056666C
004892E1 |> 3B02 /cmp eax,dword ptr ds:[edx] ; compare eax with column 2 (table at 56666C)
004892E3 |. 75 07 |jnz short dumped.004892EC
004892E5 |. C605 39635600>|mov byte ptr ds:[566339],1 ; found: set success flag
004892EC |> 83C2 04 |add edx,4
004892EF |. 49 |dec ecx
004892F0 |.^ 75 EF \jnz short dumped.004892E1
004892F2 \> C3 retn
00489138 /$ 53 push ebx
00489139 |. 56 push esi
0048913A |. 57 push edi
0048913B |. B9 1C655600 mov ecx,dumped.0056651C ; transformed user name (6 dwords)
00489140 |. BE 3C635600 mov esi,dumped.0056633C ; entered registration code (one dword per character)
00489145 |. C605 39635600>mov byte ptr ds:[566339],0 ; clear success flag
0048914C |. 8B3D C4655600 mov edi,dword ptr ds:[5665C4] ; code length
00489152 |. 85FF test edi,edi
00489154 |. 7E 45 jle short dumped.0048919B
00489156 |. BA 01000000 mov edx,1
0048915B |. 8BC6 mov eax,esi
0048915D |> 8B18 /mov ebx,dword ptr ds:[eax] ; fetch one code character
0048915F |. 3B19 |cmp ebx,dword ptr ds:[ecx] ; compare with transformed-name value 1
00489161 |. 75 31 |jnz short dumped.00489194
00489163 |. 8B1D C4655600 |mov ebx,dword ptr ds:[5665C4] ; code length
00489169 |. 83EB 06 |sub ebx,6 ; code length - 6
0048916C |. 3BD3 |cmp edx,ebx ; the match must start within the last 6 characters
0048916E |. 7E 24 |jle short dumped.00489194
00489170 |. B8 01000000 |mov eax,1
00489175 |> 8D1C10 |/lea ebx,dword ptr ds:[eax+edx]
00489178 |. 8B5C9E FC ||mov ebx,dword ptr ds:[esi+ebx*4-4] ; next code character after the match
0048917C |. 8D78 01 ||lea edi,dword ptr ds:[eax+1]
0048917F |. 3B5CB9 FC ||cmp ebx,dword ptr ds:[ecx+edi*4-4] ; compare with transformed-name values 2..6
00489183 |. 75 16 ||jnz short dumped.0048919B
00489185 |. 40 ||inc eax
00489186 |. 83F8 06 ||cmp eax,6 ; 5 more characters (5 iterations)
00489189 |.^ 75 EA |\jnz short dumped.00489175
0048918B |. C605 39635600>|mov byte ptr ds:[566339],1 ; all 6 matched: success
00489192 |. EB 07 |jmp short dumped.0048919B
00489194 |> 42 |inc edx
00489195 |. 83C0 04 |add eax,4
00489198 |. 4F |dec edi
00489199 |.^ 75 C2 \jnz short dumped.0048915D
0048919B |> 5F pop edi
0048919C |. 5E pop esi
0048919D |. 5B pop ebx
0048919E \. C3 retn
004891A0 /$ 53 push ebx
004891A1 |. 56 push esi
004891A2 |. 57 push edi
004891A3 |. 55 push ebp
004891A4 |. 51 push ecx
004891A5 |. C605 39635600>mov byte ptr ds:[566339],0 ; clear success flag
004891AC |. BF 01000000 mov edi,1
004891B1 |. BD 34615600 mov ebp,dumped.00566134 ; ASCII "LinHG"
004891B6 |. BE 3C635600 mov esi,dumped.0056633C ; entered registration code
004891BB |> 8A5D 00 /mov bl,byte ptr ss:[ebp] ; fetch one user-name character
004891BE |. 80FB 20 |cmp bl,20 ; space?
004891C1 |. 0F85 B5000000 |jnz dumped.0048927C ; not a space: skip to the next character
004891C7 |. 8BC7 |mov eax,edi
004891C9 |. F72D C8655600 |imul dword ptr ds:[5665C8]
004891CF |. 8BD0 |mov edx,eax
004891D1 |. 83C2 33 |add edx,33
004891D4 |. 3B16 |cmp edx,dword ptr ds:[esi]
004891D6 |. 0F85 B5000000 |jnz dumped.00489291
004891DC |. 80FB 2E |cmp bl,2E ; '.' (period); cannot hold, bl is still 0x20 here
004891DF |. 0F85 97000000 |jnz dumped.0048927C ; always taken: the code below is unreachable
004891E5 |. BA 36000000 |mov edx,36
004891EA |. 2BD0 |sub edx,eax
004891EC |. 3B16 |cmp edx,dword ptr ds:[esi]
004891EE |. 0F85 9D000000 |jnz dumped.00489291
004891F4 |. 833D C8655600>|cmp dword ptr ds:[5665C8],0
004891FB |. 7E 7F |jle short dumped.0048927C
004891FD |. 33C0 |xor eax,eax
004891FF |. 8AC3 |mov al,bl
00489201 |. 83E8 41 |sub eax,41
00489204 |. 8D04C0 |lea eax,dword ptr ds:[eax+eax*8]
00489207 |. 8D04C0 |lea eax,dword ptr ds:[eax+eax*8]
0048920A |. 890424 |mov dword ptr ss:[esp],eax
0048920D |. DB0424 |fild dword ptr ss:[esp]
00489210 |. D835 98924800 |fdiv dword ptr ds:[489298]
00489216 |. D9FA |fsqrt
00489218 |. E8 B398F7FF |call dumped.00402AD0
0048921D |. 83C0 30 |add eax,30
00489220 |. 83D2 00 |adc edx,0
00489223 |. 52 |push edx
00489224 |. 50 |push eax
00489225 |. 8B06 |mov eax,dword ptr ds:[esi]
00489227 |. 99 |cdq
00489228 |. 3B5424 04 |cmp edx,dword ptr ss:[esp+4]
0048922C |. 75 03 |jnz short dumped.00489231
0048922E |. 3B0424 |cmp eax,dword ptr ss:[esp]
00489231 |> 5A |pop edx
00489232 |. 58 |pop eax
00489233 |. 75 5C |jnz short dumped.00489291
00489235 |. B8 39000000 |mov eax,39
0048923A |. 33D2 |xor edx,edx
0048923C |. 52 |push edx
0048923D |. 50 |push eax
0048923E |. 33C0 |xor eax,eax
00489240 |. 8A45 00 |mov al,byte ptr ss:[ebp]
00489243 |. 83E8 41 |sub eax,41
00489246 |. 8D04C0 |lea eax,dword ptr ds:[eax+eax*8]
00489249 |. 8D04C0 |lea eax,dword ptr ds:[eax+eax*8]
0048924C |. 894424 08 |mov dword ptr ss:[esp+8],eax
00489250 |. DB4424 08 |fild dword ptr ss:[esp+8]
00489254 |. D835 98924800 |fdiv dword ptr ds:[489298]
0048925A |. D9FA |fsqrt
0048925C |. E8 6F98F7FF |call dumped.00402AD0
00489261 |. 290424 |sub dword ptr ss:[esp],eax
00489264 |. 195424 04 |sbb dword ptr ss:[esp+4],edx
00489268 |. 58 |pop eax
00489269 |. 5A |pop edx
0048926A |. 52 |push edx
0048926B |. 50 |push eax
0048926C |. 8B06 |mov eax,dword ptr ds:[esi]
0048926E |. 99 |cdq
0048926F |. 3B5424 04 |cmp edx,dword ptr ss:[esp+4]
00489273 |. 75 03 |jnz short dumped.00489278
00489275 |. 3B0424 |cmp eax,dword ptr ss:[esp]
00489278 |> 5A |pop edx
00489279 |. 58 |pop eax
0048927A |. 75 15 |jnz short dumped.00489291
0048927C |> 47 |inc edi
0048927D |. 83C6 04 |add esi,4
00489280 |. 45 |inc ebp
00489281 |. 83FF 04 |cmp edi,4
00489284 |.^ 0F85 31FFFFFF \jnz dumped.004891BB
0048928A |. C605 39635600>mov byte ptr ds:[566339],1 ; set success flag
00489291 |> 5A pop edx
00489292 |. 5D pop ebp
00489293 |. 5F pop edi
00489294 |. 5E pop esi
00489295 |. 5B pop ebx
00489296 \. C3 retn
Entered registration code: 13032856998, i.e.
0056633C:31 33 30 33 32 38 35 36 39 39 38
(each byte MOD 0A) + 1 gives
0056647C:0A 02 09 02 01 07 04 05 08 08 07
Each position is then computed, alternating between two table types (\ below is integer division):
Table 1:
Position 1: sqrt(31*31+0A*0A*8), truncated, is stored in the first slot of table 1
Position 2: sqrt(33*33+02*02*8), truncated, is stored in the second slot of table 1
Position 3: sqrt(30*30+09*09*8), truncated, is stored in the third slot of table 1
.................................................................
Table 2:
Position 1: sqrt(31*31-(0A*0A*8)\5), truncated, is stored in the first slot of table 2
Position 2: sqrt(33*33-(02*02*8)\5), truncated, is stored in the second slot of table 2
Position 3: sqrt(30*30-(09*09*8)\5), truncated, is stored in the third slot of table 2
.................................................................
Table 3 is identical to table 1, table 4 to table 2, and so on......
00FA02F0 38 00FA0390 2F 00FA0430 38 00FA04D0 2F
00FA02F4 33 00FA0394 32 00FA0434 33 00FA04D4 32
00FA02F8 36 00FA0398 2E 00FA0438 36 00FA04D8 2E
00FA02FC 33 00FA039C 32 00FA043C 33 00FA04DC 32
00FA0300 32 00FA03A0 31 00FA0440 32 00FA04E0 31
00FA0304 3B 00FA03A4 37 00FA0444 3B 00FA04E4 37
00FA0308 36 00FA03A8 34 00FA0448 36 00FA04E8 34
00FA030C 37 00FA03AC 35 00FA044C 37 00FA04EC 35
00FA0310 3D 00FA03B0 38 00FA0450 3D 00FA04F0 38
00FA0314 3D 00FA03B4 38 00FA0454 3D 00FA04F4 38
00FA0318 3B 00FA03B8 37 00FA0458 3B 00FA04F8 37
00FA0570 38 00FA0610 2F 00FA06B0 38 00FA0750 2F
00FA0574 33 00FA0614 32 00FA06B4 33 00FA0754 32
00FA0578 36 00FA0618 2E 00FA06B8 36 00FA0758 2E
00FA057C 33 00FA061C 32 00FA06BC 33 00FA075C 32
00FA0580 32 00FA0620 31 00FA06C0 32 00FA0760 31
00FA0584 3B 00FA0624 37 00FA06C4 3B 00FA0764 37
00FA0588 36 00FA0628 34 00FA06C8 36 00FA0768 34
00FA058C 37 00FA062C 35 00FA06CC 37 00FA076C 35
00FA0590 3D 00FA0630 38 00FA06D0 3D 00FA0770 38
00FA0594 3D 00FA0634 38 00FA06D4 3D 00FA0774 38
00FA0598 3B 00FA0638 37 00FA06D8 3B 00FA0778 37
00FA07F0 38 00FA0890 2F
00FA07F4 33 00FA0894 32
00FA07F8 36 00FA0898 2E
00FA07FC 33 00FA089C 32
00FA0800 32 00FA08A0 31
00FA0804 3B 00FA08A4 37
00FA0808 36 00FA08A8 34
00FA080C 37 00FA08AC 35
00FA0810 3D 00FA08B0 38
00FA0814 3D 00FA08B4 38
00FA0818 3B 00FA08B8 37
Left to right, top to bottom: 10 tables in total.
Take the 1st value of table 1, the 2nd value of table 2, the 3rd value of table 3, ..., and (wrapping around) the last value of table 1,
giving:
005663DC:38 32 36 32 32 37 36 35 3D 38 3B
denoted as:
V0 V1 V2 V3 V4 V5 V6 V7 V8 V9 VA
Then loop (length - 3) times, computing for row i:
column 1: sqrt(code2(i)*code2(i)*code2(i+1)*code2(i+1))*sqrt(code2(i+2)*code2(i+2)+code2(i)*code2(i)), truncated
column 2: ((code2(i+1)-code2(i))^2+(code2(i+2)-code2(i+1))^2)^2
1st: sqrt(V0*V0*V1*V1)*sqrt(V0*V0+V2*V2) truncated ((V1-V0)^2+(V2-V1)^2)^2
2nd: sqrt(V1*V1*V2*V2)*sqrt(V1*V1+V3*V3) truncated ((V2-V1)^2+(V3-V2)^2)^2
3rd: sqrt(V2*V2*V3*V3)*sqrt(V2*V2+V4*V4) truncated ((V3-V2)^2+(V4-V3)^2)^2
...........................................
Result (only length - 3 rows; left: column 1 at 5665CC, right: column 2 at 56666C):
005665CC 000352E0 0056666C 00000A90
005665D0 0002E9C6 00566670 00000400
005665D4 0003082E 00566674 00000100
005665D8 0002D5E1 00566678 00000271
005665DC 0003168E 0056667C 000002A4
005665E0 00037622 00566680 00000004
005665E4 00038EC8 00566684 00001081
005665E8 0003CDBC 00566688 00001EF1
From the code, the values that must be present are the ones below. Only the first (length - 8) rows are searched, so a registration code must be at least 5+8=13 characters long. The order of the rows does not matter:
it is enough that these values appear somewhere within the first (length - 8) rows of column 1 and of column 2 (the first 5 rows for a 13-character code).
005665CC 000325EB\ 0056666C 00000121\
005665D0 0002FA01| 00566670 00080539|
005665D4 000B4C4F| any order 00566674 000C1624| any order
005665D8 00033D83| 00566678 000056B9|
005665DC 0008F944/ 0056667C XXXXXXXX/
005665E0 XXXXXXXX 00566680 XXXXXXXX
005665E4 XXXXXXXX 00566684 XXXXXXXX
005665E8 XXXXXXXX 00566688 XXXXXXXX
Entered user name: LinHG, i.e.
4C 69 6E 48 47
Transformation algorithm:
#include <math.h>
#include <stdlib.h>
#include <string.h>

/* Transforms the first 6 characters of the user name into the 6 values
   compared at 00489138. Names shorter than 6 characters are NUL padded;
   the NUL takes the "any other character" branch. */
void NameTransform(const char *name, int var2[6])
{
    unsigned char RegName[20] = {0};
    int var1[20], var5665C8 = 1, var5665C0 = 8, temp;
    strncpy((char *)RegName, name, sizeof RegName - 1);
    for(int i=1; i<7; i++)
    {
        unsigned char c = RegName[i-1];
        if ((unsigned char)(c + 0xD0) < 0x0A)          /* '0'..'9' (byte-wrapping test, as in the asm) */
        {
            var1[i-1] = c - 0x2A;
        }
        else if ((unsigned char)(c + 0xBF) < 0x1A)     /* 'A'..'Z' */
        {
            var1[i-1] = c - 0x38;
        }
        else if ((unsigned char)(c + 0x9F) < 0x1A)     /* 'a'..'z' */
        {
            var1[i-1] = c - 0x4B;
        }
        else if (c == 0x20)                            /* space */
        {
            var1[i-1] = var5665C8*i + 0x11;
        }
        else                                           /* anything else, including the NUL padding */
        {
            var1[i-1] = var5665C8*i + 0x1A;
        }
        switch(i)                                      /* sqrt result is truncated to int */
        {
        case 1: //00488A71
            var2[i-1] = sqrt(sqrt(var5665C0) + pow(var1[i-1] - (var5665C8 + var5665C8*8), 2));
            break;
        case 2: //00488A9E
            var2[i-1] = sqrt(sqrt(var5665C0) + pow(var1[i-1] + var5665C8, 2));
            break;
        case 3: //00488AC8
            var2[i-1] = sqrt(sqrt(var5665C0) + pow(var1[i-1] - (var5665C8*8 - var5665C8), 2));
            break;
        case 4: //00488AF6
            var2[i-1] = sqrt(sqrt(var5665C0) + pow(var1[i-1] + var5665C8 + var5665C8*2, 2));
            break;
        case 5: //00488B20
            var2[i-1] = sqrt(sqrt(var5665C0) + pow(var1[i-1] + var5665C8 + var5665C8*4, 2));
            break;
        case 6: //00488B4A
            var2[i-1] = sqrt(sqrt(var5665C0) + pow(var1[i-1] - (var5665C8 + var5665C8 + (var5665C8 + var5665C8)*2), 2));
            break;
        }
        //00488B74
        temp = (abs(var2[i-1]) - 1) / 2;
        temp += 0x41;
        var2[i-1] = temp;
    }
}
var2[] holds the transformed code, giving:
0056651C 46 i=1
00566520 50 i=2
00566524 4E i=3
00566528 4A i=4
0056652C 4A i=5
00566530 4D i=6
Requirement: starting at the 6th-from-last character, the entered registration code is compared with the data at 0056651C; registration succeeds only if all of them match.
i.e.: 31 33 30 33 32 38 35 36 39 39 38
vs: XX XX XX XX XX 46 50 4E 4A 4A 4D
The last 6 characters must match exactly!
So the registration code ends in .......FPNJJM
Entered registration code: KT53-JOMO72466xxxJGALNG, 23 characters, so the table has 23-3=20 rows,
i.e.: 4B 54 35 33 2D 4A 4F 4D 4F 37 32 34 36 36 78 78 78 4A 47 41 4C 4E 47
Extracting from the tables computed as above and recomputing the two columns gives
005665CC 0008F944 0056666C 000C1624
005665D0 0006A073 00566670 000B34F1
005665D4 0002FA01 00566674 00000190
005665D8 00033D83 00566678 00060979
005665DC 0005205B 0056667C 00080539
005665E0 0009BE23 00566680 000056B9
005665E4 000B4C4F 00566684 00002584
005665E8 0008F944 00566688 000C1624
005665EC 0006A073 0056668C 000B34F1
005665F0 00030F62 00566690 00000121
005665F4 0002E466 00566694 00000121
005665F8 000325EB 00566698 00000190
005665FC 0005DF17 0056669C 013407A9
00566600 000CA45E 005666A0 01339E64
00566604 0024FA64 005666A4 00000004 ---> row 15
00566608 001E6B1E 005666A8 004A8684
0056660C 0012A327 005666AC 004ABA59
00566610 0007AD8A 005666B0 00000AF9
00566614 0007502E 005666B4 0000EA79
00566618 0007A06F 005666B8 00009799
Within the first 23-8=15 rows above we find
000325EB 00000121
0002FA01 00080539
000B4C4F 000C1624
00033D83 000056B9
0008F944
If the user name is LinHG,
the registration code is: KT53-JOMO72466xxxFPNJJM
Entering the above registers successfully! (Delete C:\WINDOWS\FWP32.INI to register again.)
With the C code above, writing a keygen is easy: the registration code is KT53-JOMO72466xxx followed by the 6-character user-name transform computed by that code.
Summary: the first 17 characters of the registration code must be KT53-JOMO72466xxx; the last 6 are derived from the user name.
The author deliberately complicated the algorithm: KT53-JOMO72466xxx is first run through an involved computation that yields a set of constants,
and the string itself is never stored, so a cracker cannot easily invert the computation to recover KT53-JOMO72466xxx. That is what strengthens the protection.
Of course, a brute-force search could still recover the registration code.