[原创]MicroCCD 4(光学处理软件) 注册简单分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]MicroCCD 4(光学处理软件) 注册简单分析

2005-12-7 16:00 4102

[原创]MicroCCD 4(光学处理软件) 注册简单分析

HaIlDuZ

2005-12-7 16:00

4102

MicroCCD 4(光学处理软件) 注册简单分析
作者：HaiLDuZ[CCG Temp Member]
软件名称：MicroCCD(光学处理软件),Diffraction Limited :http://www.cyanogen.com/index.htm
整理日期：2005.12.8
文件大小：16.3MB
软件授权：收费软件
加密方式：注册码
使用工具：Ollydbg 1.10 ;W32Dasm 10.0 ；
作者申明：纯技术交流，无任何商业目的,转贴请保持完整。

前言：
前一阶段因工作需要，网上看到一个显微镜图像处理软件，注册一个演示版只有30天，结果安装一看是从他们网站注册之日起算，现在只有几天了。
看看其执行程序，没壳（老外一些商业软件比较好或对自己加密方法比较有信心），对于我这种没有脱壳能力的人太适合了。于是开始，一看是完整版，
需要注册码得到不同使用权。需事先填入姓名，邮件地址，最后期限及注册码。到其程序比较处下断。

// 序列号计算比较段

* Referenced by a CALL at Addresses:
|:004AE9E5 , :004AEBB2 , :004AF729 , :004AF78B , :004AF874
|
:004ADD96 55                   push ebp
:004ADD97 8BEC                   mov ebp, esp
:004ADD99 6AFF                   push FFFFFFFF
:004ADD9B 682DA95800             push 0058A92D
:004ADDA0 64A100000000          mov eax, dword ptr fs:[00000000]
:004ADDA6 50                   push eax
:004ADDA7 64892500000000       mov dword ptr fs:[00000000], esp
:004ADDAE 83EC64                sub esp, 00000064
:004ADDB1 894DA4                mov dword ptr [ebp-5C], ecx
:004ADDB4 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADDB7 81C1A0000000          add ecx, 000000A0

* Reference To: MFC42.Ordinal:188A, Ord:188Ah
                              |
:004ADDBD E842220D00             Call 00580004
:004ADDC2 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADDC5 81C1A0000000          add ecx, 000000A0

* Reference To: MFC42.Ordinal:188B, Ord:188Bh
                              |
:004ADDCB E82E220D00             Call 0057FFFE
:004ADDD0 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADDD3 81C1A4000000          add ecx, 000000A4

* Reference To: MFC42.Ordinal:188A, Ord:188Ah
                              |
:004ADDD9 E826220D00             Call 00580004
:004ADDDE 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADDE1 81C1A4000000          add ecx, 000000A4

* Reference To: MFC42.Ordinal:188B, Ord:188Bh
                              |
:004ADDE7 E812220D00             Call 0057FFFE
:004ADDEC 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADDEF 81C1A8000000          add ecx, 000000A8

* Reference To: MFC42.Ordinal:188A, Ord:188Ah
                              |
:004ADDF5 E80A220D00             Call 00580004
:004ADDFA 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADDFD 81C1A8000000          add ecx, 000000A8

* Reference To: MFC42.Ordinal:188B, Ord:188Bh
                              |
:004ADE03 E8F6210D00             Call 0057FFFE
:004ADE08 8B45A4                mov eax, dword ptr [ebp-5C]
:004ADE0B C680BF00000000       mov byte ptr [eax+000000BF], 00
:004ADE12 8D4DF0                lea ecx, dword ptr [ebp-10]

* Reference To: MFC42.Ordinal:021C, Ord:021Ch
                              |
:004ADE15 E8B2200D00             Call 0057FECC
:004ADE1A C745FC00000000       mov [ebp-04], 00000000

* Possible StringData Ref from Data Obj ->"9999"
                              |
:004ADE21 68ACCE5C00             push 005CCEAC
:004ADE26 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADE29 81C1B4000000          add ecx, 000000B4
:004ADE2F 51                   push ecx
:004ADE30 E8AB17F6FF             call 0040F5E0
:004ADE35 25FF000000             and eax, 000000FF
:004ADE3A 85C0                   test eax, eax
:004ADE3C 7412                   je 004ADE50

* Possible StringData Ref from Data Obj ->"99999"
                              |
:004ADE3E 68B4CE5C00             push 005CCEB4
:004ADE43 8D4DF0                lea ecx, dword ptr [ebp-10]

* Reference To: MFC42.Ordinal:035C, Ord:035Ch
                              |
:004ADE46 E8ED200D00             Call 0057FF38
:004ADE4B E9AD000000             jmp 004ADEFD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADE3C(C)
|
:004ADE50 6A00                   push 00000000
:004ADE52 6A00                   push 00000000
:004ADE54 6A00                   push 00000000
:004ADE56 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADE59 81C1AC000000          add ecx, 000000AC
:004ADE5F E83C59F5FF             call 004037A0
:004ADE64 50                   push eax                         //压入输入限制时间的日期

* Reference To: MSVCRT.atoi, Ord:023Dh
                              |
:004ADE65 FF1530325900          Call dword ptr [00593230]
:004ADE6B 83C404                add esp, 00000004
:004ADE6E 50                   push eax
:004ADE6F 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADE72 81C1B0000000          add ecx, 000000B0
:004ADE78 E82359F5FF             call 004037A0
:004ADE7D 50                   push eax                         //压入输入限制时间的月

* Reference To: MSVCRT.atoi, Ord:023Dh
                              |
:004ADE7E FF1530325900          Call dword ptr [00593230]
:004ADE84 83C404                add esp, 00000004
:004ADE87 50                   push eax
:004ADE88 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADE8B 81C1B4000000          add ecx, 000000B4
:004ADE91 E80A59F5FF             call 004037A0
:004ADE96 50                   push eax                         //压入输入限制时间的年

* Reference To: MSVCRT.atoi, Ord:023Dh
                              |
:004ADE97 FF1530325900          Call dword ptr [00593230]
:004ADE9D 83C404                add esp, 00000004
:004ADEA0 50                   push eax
:004ADEA1 8D4DE0                lea ecx, dword ptr [ebp-20]
:004ADEA4 E867230000             call 004B0210                      //利用年月日，调用MFC,的SetDateTime 计算对象的m_dt值备用

:004ADEA9 8D55E0                lea edx, dword ptr [ebp-20]
:004ADEAC 52                   push edx
:004ADEAD 8D4DCC                lea ecx, dword ptr [ebp-34]
:004ADEB0 E82B230000             call 004B01E0
:004ADEB5 C645FC01             mov [ebp-04], 01
:004ADEB9 6A00                   push 00000000
:004ADEBB 6A05                   push 00000005
:004ADEBD 8D4DCC                lea ecx, dword ptr [ebp-34]

* Reference To: MFC42.Ordinal:06EA, Ord:06EAh
                              |
:004ADEC0 E8A5270D00             Call 0058066A
:004ADEC5 8B45D4                mov eax, dword ptr [ebp-2C]
:004ADEC8 8945C4                mov dword ptr [ebp-3C], eax
:004ADECB 8B4DD8                mov ecx, dword ptr [ebp-28]
:004ADECE 894DC8                mov dword ptr [ebp-38], ecx
:004ADED1 DD45C4                fld qword ptr [ebp-3C]

* Reference To: MSVCRT._ftol, Ord:00F1h
                              |
:004ADED4 E899300D00             Call 00580F72
:004ADED9 8945DC                mov dword ptr [ebp-24], eax
:004ADEDC 8B55DC                mov edx, dword ptr [ebp-24]
:004ADEDF 52                   push edx

* Possible StringData Ref from Data Obj ->"%i"
                              |
:004ADEE0 68BCCE5C00             push 005CCEBC
:004ADEE5 8D45F0                lea eax, dword ptr [ebp-10]
:004ADEE8 50                   push eax

* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
                              |
:004ADEE9 E86E200D00             Call 0057FF5C                      //将m_dt值转换为10进制数备用。
:004ADEEE 83C40C                add esp, 0000000C
:004ADEF1 C645FC00             mov [ebp-04], 00
:004ADEF5 8D4DCC                lea ecx, dword ptr [ebp-34]
:004ADEF8 E8C3220000             call 004B01C0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADE4B(U)
|
:004ADEFD 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADF00 C681BC000000FF       mov byte ptr [ecx+000000BC], FF
:004ADF07 8B55A4                mov edx, dword ptr [ebp-5C]
:004ADF0A C782B800000004000000 mov dword ptr [ebx+000000B8], 00000004
:004ADF14 C745EC00000000       mov [ebp-14], 00000000
:004ADF1B EB09                   jmp 004ADF26

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE0C4(U)
|
:004ADF1D 8B45EC                mov eax, dword ptr [ebp-14]
:004ADF20 83C001                add eax, 00000001
:004ADF23 8945EC                mov dword ptr [ebp-14], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADF1B(U)
|
:004ADF26 837DEC04             cmp dword ptr [ebp-14], 00000004
:004ADF2A 0F8D99010000          jnl 004AE0C9
:004ADF30 8B4DEC                mov ecx, dword ptr [ebp-14]
:004ADF33 8B148DA8CD5C00       mov edx, dword ptr [4*ecx+005CCDA8]
:004ADF3A 52                   push edx                            //压入常驻串"MICROCCD"备用
:004ADF3B 8D4DB8                lea ecx, dword ptr [ebp-48]

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                              |
:004ADF3E E86B1F0D00             Call 0057FEAE
:004ADF43 C645FC02             mov [ebp-04], 02
:004ADF47 8B45EC                mov eax, dword ptr [ebp-14]
:004ADF4A 8B0C85A8CD5C00       mov ecx, dword ptr [4*eax+005CCDA8]
:004ADF51 51                   push ecx
:004ADF52 8D55F0                lea edx, dword ptr [ebp-10]
:004ADF55 52                   push edx
:004ADF56 8B45A4                mov eax, dword ptr [ebp-5C]
:004ADF59 05A0000000             add eax, 000000A0
:004ADF5E 50                   push eax
:004ADF5F 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADF62 81C1A4000000          add ecx, 000000A4
:004ADF68 51                   push ecx
:004ADF69 8D55B0                lea edx, dword ptr [ebp-50]
:004ADF6C 52                   push edx

* Reference To: MFC42.Ordinal:039A, Ord:039Ah
                              |
:004ADF6D E8F61F0D00             Call 0057FF68                         //将输入名字和Email字符串联在一起备用
:004ADF72 8945A0                mov dword ptr [ebp-60], eax
:004ADF75 8B45A0                mov eax, dword ptr [ebp-60]
:004ADF78 89459C                mov dword ptr [ebp-64], eax
:004ADF7B C645FC03             mov [ebp-04], 03
:004ADF7F 8B4D9C                mov ecx, dword ptr [ebp-64]
:004ADF82 51                   push ecx
:004ADF83 8D55AC                lea edx, dword ptr [ebp-54]
:004ADF86 52                   push edx

* Reference To: MFC42.Ordinal:039A, Ord:039Ah
                              |
:004ADF87 E8DC1F0D00             Call 0057FF68                         //将上面名字和Email字符串和m_dt值转换为10进制数连在一起
:004ADF8C 894598                mov dword ptr [ebp-68], eax
:004ADF8F 8B4598                mov eax, dword ptr [ebp-68]
:004ADF92 894594                mov dword ptr [ebp-6C], eax
:004ADF95 C645FC04             mov [ebp-04], 04
:004ADF99 8B4D94                mov ecx, dword ptr [ebp-6C]
:004ADF9C 51                   push ecx
:004ADF9D 8D55C0                lea edx, dword ptr [ebp-40]
:004ADFA0 52                   push edx

* Reference To: MFC42.Ordinal:039C, Ord:039Ch
                              |
:004ADFA1 E8BC1F0D00             Call 0057FF62                         //在上面的串后面加上"MICROCCD"
:004ADFA6 C645FC07             mov [ebp-04], 07
:004ADFAA 8D4DAC                lea ecx, dword ptr [ebp-54]

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                              |
:004ADFAD E8021F0D00             Call 0057FEB4
:004ADFB2 C645FC06             mov [ebp-04], 06
:004ADFB6 8D4DB0                lea ecx, dword ptr [ebp-50]

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                              |
:004ADFB9 E8F61E0D00             Call 0057FEB4
:004ADFBE 8D4DB4                lea ecx, dword ptr [ebp-4C]
:004ADFC1 E87A0D0D00             call 0057ED40
:004ADFC6 C645FC08             mov [ebp-04], 08
:004ADFCA C745BC04000000       mov [ebp-44], 00000004
:004ADFD1 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004ADFD4 81C1A8000000          add ecx, 000000A8
:004ADFDA E8C157F5FF             call 004037A0
:004ADFDF 50                   push eax
:004ADFE0 68FBEB6A5C             push 5C6AEBFB
:004ADFE5 68F5548610             push 108654F5
:004ADFEA 8D4DC0                lea ecx, dword ptr [ebp-40]
:004ADFED E8AE57F5FF             call 004037A0
:004ADFF2 50                   push eax
:004ADFF3 8D4DB4                lea ecx, dword ptr [ebp-4C]          //注册码：他公司给的Demo形式*****-****-****-****-*****
:004ADFF6 E8850D0D00             call 0057ED80                         //关键计算部分，利用注册信息计算校验码，同时计算注册校验码。
:004ADFFB 25FF000000             and eax, 000000FF
:004AE000 85C0                   test eax, eax
:004AE002 7406                   je 004AE00A
:004AE004 8B45EC                mov eax, dword ptr [ebp-14]
:004AE007 8945BC                mov dword ptr [ebp-44], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE002(C)
|
:004AE00A 8B4DBC                mov ecx, dword ptr [ebp-44]
:004AE00D 894D90                mov dword ptr [ebp-70], ecx
:004AE010 837D9003             cmp dword ptr [ebp-70], 00000003
:004AE014 0F8786000000          ja 004AE0A0
:004AE01A 8B5590                mov edx, dword ptr [ebp-70]
:004AE01D FF2495FBE04A00       jmp dword ptr [4*edx+004AE0FB]
:004AE024 8B45A4                mov eax, dword ptr [ebp-5C]
:004AE027 C680BC00000043       mov byte ptr [eax+000000BC], 43
:004AE02E E8FF970300             call 004E7832
:004AE033 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004AE036 8B55EC                mov edx, dword ptr [ebp-14]
:004AE039 8991B8000000          mov dword ptr [ecx+000000B8], edx
:004AE03F EB5F                   jmp 004AE0A0
:004AE041 8B45A4                mov eax, dword ptr [ebp-5C]
:004AE044 C680BC00000043       mov byte ptr [eax+000000BC], 43
:004AE04B E8E2970300             call 004E7832
:004AE050 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004AE053 8B55EC                mov edx, dword ptr [ebp-14]
:004AE056 8991B8000000          mov dword ptr [ecx+000000B8], edx
:004AE05C EB42                   jmp 004AE0A0
:004AE05E 8B45A4                mov eax, dword ptr [ebp-5C]
:004AE061 C680BC00000043       mov byte ptr [eax+000000BC], 43
:004AE068 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004AE06B 8B55EC                mov edx, dword ptr [ebp-14]
:004AE06E 8991B8000000          mov dword ptr [ecx+000000B8], edx
:004AE074 E8B9970300             call 004E7832
:004AE079 EB25                   jmp 004AE0A0
:004AE07B 8B45A4                mov eax, dword ptr [ebp-5C]
:004AE07E C680BC00000043       mov byte ptr [eax+000000BC], 43
:004AE085 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004AE088 8B55EC                mov edx, dword ptr [ebp-14]
:004AE08B 8991B8000000          mov dword ptr [ecx+000000B8], edx
:004AE091 8B45A4                mov eax, dword ptr [ebp-5C]
:004AE094 C680BF00000001       mov byte ptr [eax+000000BF], 01
:004AE09B E892970300             call 004E7832

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AE014(C), :004AE03F(U), :004AE05C(U), :004AE079(U)
|
:004AE0A0 C645FC06             mov [ebp-04], 06
:004AE0A4 8D4DB4                lea ecx, dword ptr [ebp-4C]
:004AE0A7 E8C40C0D00             call 0057ED70
:004AE0AC C645FC02             mov [ebp-04], 02
:004AE0B0 8D4DC0                lea ecx, dword ptr [ebp-40]

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                              |
:004AE0B3 E8FC1D0D00             Call 0057FEB4
:004AE0B8 C645FC00             mov [ebp-04], 00
:004AE0BC 8D4DB8                lea ecx, dword ptr [ebp-48]

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                              |
:004AE0BF E8F01D0D00             Call 0057FEB4
:004AE0C4 E954FEFFFF             jmp 004ADF1D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADF2A(C)
|
:004AE0C9 8B4DA4                mov ecx, dword ptr [ebp-5C]
:004AE0CC 33D2                   xor edx, edx
:004AE0CE 83B9B800000004       cmp dword ptr [ecx+000000B8], 00000004
:004AE0D5 0F95C2                setne dl
:004AE0D8 8855A8                mov byte ptr [ebp-58], dl
:004AE0DB C745FCFFFFFFFF       mov [ebp-04], FFFFFFFF
:004AE0E2 8D4DF0                lea ecx, dword ptr [ebp-10]

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                              |
:004AE0E5 E8CA1D0D00             Call 0057FEB4
:004AE0EA 8A45A8                mov al, byte ptr [ebp-58]
:004AE0ED 8B4DF4                mov ecx, dword ptr [ebp-0C]
:004AE0F0 64890D00000000       mov dword ptr fs:[00000000], ecx
:004AE0F7 8BE5                   mov esp, ebp
:004AE0F9 5D                   pop ebp
:004AE0FA C3                   ret

// 序列号计算比较段结束。

**********************************************************************************************

//关键计算部分:

1、//关键计算主
* Referenced by a CALL at Address:
|:004ADFF6
|
:0057ED80 81EC44040000          sub esp, 00000444
:0057ED86 53                   push ebx
:0057ED87 55                   push ebp
:0057ED88 56                   push esi
:0057ED89 8BB42460040000       mov esi, dword ptr [esp+00000460]
:0057ED90 33DB                   xor ebx, ebx
:0057ED92 57                   push edi
:0057ED93 8A06                   mov al, byte ptr [esi]
:0057ED95 8BE9                   mov ebp, ecx
:0057ED97 84C0                   test al, al
:0057ED99 8D7C2434             lea edi, dword ptr [esp+34]
:0057ED9D 7427                   je 0057EDC6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDC4(C)
|
:0057ED9F 83FB20                cmp ebx, 00000020
:0057EDA2 7D22                   jge 0057EDC6
:0057EDA4 803E2A                cmp byte ptr [esi], 2A
:0057EDA7 7503                   jne 0057EDAC
:0057EDA9 C6062B                mov byte ptr [esi], 2B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDA7(C)
|
:0057EDAC 8A06                   mov al, byte ptr [esi]
:0057EDAE 3C2D                   cmp al, 2D
:0057EDB0 740B                   je 0057EDBD
:0057EDB2 50                   push eax
:0057EDB3 8BCD                   mov ecx, ebp
:0057EDB5 E806010000             call 0057EEC0
:0057EDBA 8807                   mov byte ptr [edi], al
:0057EDBC 47                   inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDB0(C)
|
:0057EDBD 8A4601                mov al, byte ptr [esi+01]
:0057EDC0 46                   inc esi
:0057EDC1 43                   inc ebx
:0057EDC2 84C0                   test al, al
:0057EDC4 75D9                   jne 0057ED9F

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057ED9D(C), :0057EDA2(C)
|
:0057EDC6 C6073D                mov byte ptr [edi], 3D
:0057EDC9 47                   inc edi
:0057EDCA 8D442434             lea eax, dword ptr [esp+34]
:0057EDCE 6A18                   push 00000018
:0057EDD0 C6073D                mov byte ptr [edi], 3D
:0057EDD3 50                   push eax
:0057EDD4 C6470100             mov [edi+01], 00
:0057EDD8 E873020000             call 0057F050                            // 自此将注册码去掉‘-’，末尾加==
:0057EDDD 83C408                add esp, 00000008
:0057EDE0 85C0                   test eax, eax
:0057EDE2 750F                   jne 0057EDF3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EE5E(C)
|
:0057EDE4 5F                   pop edi
:0057EDE5 5E                   pop esi
:0057EDE6 5D                   pop ebp
:0057EDE7 32C0                   xor al, al
:0057EDE9 5B                   pop ebx
:0057EDEA 81C444040000          add esp, 00000444
:0057EDF0 C21000                ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDE2(C)
|
:0057EDF3 8D4C2434             lea ecx, dword ptr [esp+34]
:0057EDF7 6A18                   push 00000018
:0057EDF9 8D542424             lea edx, dword ptr [esp+24]
:0057EDFD 51                   push ecx
:0057EDFE 52                   push edx
:0057EDFF E82C010000             call 0057EF30                            //利用注册码计算注册码变码。比较用
:0057EE04 8B84246C040000       mov eax, dword ptr [esp+0000046C]
:0057EE0B 8B8C2468040000       mov ecx, dword ptr [esp+00000468]
:0057EE12 8B942464040000       mov edx, dword ptr [esp+00000464]
:0057EE19 83C40C                add esp, 0000000C
:0057EE1C 50                   push eax
:0057EE1D 51                   push ecx
:0057EE1E 52                   push edx
:0057EE1F 8D442460             lea eax, dword ptr [esp+60]

* Possible StringData Ref from Data Obj ->"%s%08lX%08lX"
                              |
:0057EE23 68C85B5D00             push 005D5BC8
:0057EE28 50                   push eax

* Reference To: USER32.wsprintfA, Ord:02ACh
                              |
:0057EE29 FF159C335900          Call dword ptr [0059339C]
:0057EE2F 83C414                add esp, 00000014
:0057EE32 8D4C2410             lea ecx, dword ptr [esp+10]
:0057EE36 8D7C2454             lea edi, dword ptr [esp+54]
:0057EE3A 33C0                   xor eax, eax
:0057EE3C 51                   push ecx
:0057EE3D 83C9FF                or ecx, FFFFFFFF
:0057EE40 F2                   repnz
:0057EE41 AE                   scasb
:0057EE42 F7D1                   not ecx
:0057EE44 49          eB21    dec ecx
:0057EE45 8D542458             lea edx, dword ptr [esp+58]
:0057EE49 51                   push ecx
:0057EE4A 52                   push edx
:0057EE4B 8BCD                   mov ecx, ebp
:0057EE4D E82E000000             call 0057EE80
:0057EE52 33C0                   xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EE64(C)
|
:0057EE54 8A4C0420             mov cl, byte ptr [esp+eax+20]       //此处比较计算要求注册码和注册变码的值共计0x10位
:0057EE58 8A540410             mov dl, byte ptr [esp+eax+10]
:0057EE5C 3ACA                   cmp cl, dl
:0057EE5E 7584                   jne 0057EDE4                         //nop掉即可爆破^_^
:0057EE60 40                   inc eax
:0057EE61 83F810                cmp eax, 00000010
:0057EE64 7CEE                   jl 0057EE54
:0057EE66 5F                   pop edi
:0057EE67 5E                   pop esi
:0057EE68 5D                   pop ebp
:0057EE69 B001                   mov al, 01
:0057EE6B 5B                   pop ebx
:0057EE6C 81C444040000          add esp, 00000444
:0057EE72 C21000                ret 0010
//关键计算主结束

*********************************************************************************************************

2、//根据注册信息计算要求注册码
* Referenced by a CALL at Address:
|:0057EDFF
|
:0057EF30 51                   push ecx
:0057EF31 53                   push ebx
:0057EF32 55                   push ebp
:0057EF33 56                   push esi
:0057EF34 57                   push edi
:0057EF35 8B7C241C             mov edi, dword ptr [esp+1C]
:0057EF39 8B6C2420             mov ebp, dword ptr [esp+20]
:0057EF3D B0E0                   mov al, E0
:0057EF3F 33C9                   xor ecx, ecx
:0057EF41 8A17                   mov dl, byte ptr [edi]
:0057EF43 894C2410             mov dword ptr [esp+10], ecx
:0057EF47 83E27F                and edx, 0000007F
:0057EF4A 38821C5C5D00          cmp byte ptr [edx+005D5C1C], al
:0057EF50 7514                   jne 0057EF66

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF64(C)
|
:0057EF52 3BE9                   cmp ebp, ecx
:0057EF54 7E10                   jle 0057EF66
:0057EF56 8A5701                mov dl, byte ptr [edi+01]
:0057EF59 47                   inc edi
:0057EF5A 83E27F                and edx, 0000007F
:0057EF5D 4D                   dec ebp
:0057EF5E 38821C5C5D00          cmp byte ptr [edx+005D5C1C], al
:0057EF64 74EC                   je 0057EF52

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057EF50(C), :0057EF54(C)
|
:0057EF66 83FD03                cmp ebp, 00000003
:0057EF69 7E1B                   jle 0057EF86

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF84(C)
|
:0057EF6B 8A442FFF             mov al, byte ptr [edi+ebp-01]
:0057EF6F 83E07F                and eax, 0000007F
:0057EF72 8A901C5C5D00          mov dl, byte ptr [eax+005D5C1C]
:0057EF78 80CA13                or dl, 13
:0057EF7B 80FAF3                cmp dl, F3
:0057EF7E 7506                   jne 0057EF86
:0057EF80 4D                   dec ebp
:0057EF81 83FD03                cmp ebp, 00000003
:0057EF84 7FE5                   jg 0057EF6B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057EF69(C), :0057EF7E(C)
|
:0057EF86 8BC5                   mov eax, ebp
:0057EF88 2503000080             and eax, 80000003
:0057EF8D 7905                   jns 0057EF94
:0057EF8F 48                   dec eax
:0057EF90 83C8FC                or eax, FFFFFFFC
:0057EF93 40                   inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF8D(C)
|
:0057EF94 7409                   je 0057EF9F

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057EFF0(C), :0057EFF4(C), :0057EFFD(C), :0057F002(C)
|
:0057EF96 5F                   pop edi
:0057EF97 5E                   pop esi
:0057EF98 5D                   pop ebp
:0057EF99 83C8FF                or eax, FFFFFFFF
:0057EF9C 5B                   pop ebx
:0057EF9D 59                   pop ecx
:0057EF9E C3                   ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF94(C)
|
:0057EF9F 3BE9                   cmp ebp, ecx
:0057EFA1 894C2420             mov dword ptr [esp+20], ecx
:0057EFA5 0F8E99000000          jle 0057F044
:0057EFAB 8B742418             mov esi, dword ptr [esp+18]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057F03E(C)
|
:0057EFAF 8A17                   mov dl, byte ptr [edi]
:0057EFB1 33C9                   xor ecx, ecx
:0057EFB3 83E27F                and edx, 0000007F                //从前取四位注册码依次查表5D5C1C区域的数据（见最后），
:0057EFB6 47                   inc edi                         //依据是表加注册码的ASCII值
:0057EFB7 33C0                   xor eax, eax
:0057EFB9 8A8A1C5C5D00          mov cl, byte ptr [edx+005D5C1C] // 1位 X1
:0057EFBF 8A17                   mov dl, byte ptr [edi]
:0057EFC1 8A5F01                mov bl, byte ptr [edi+01]
:0057EFC4 83E27F                and edx, 0000007F
:0057EFC7 47                   inc edi
:0057EFC8 83E37F                and ebx, 0000007F
:0057EFCB 8A821C5C5D00          mov al, byte ptr [edx+005D5C1C]    // 2位  X2
:0057EFD1 33D2                   xor edx, edx
:0057EFD3 8A931C5C5D00          mov dl, byte ptr [ebx+005D5C1C]    // 3位 X3
:0057EFD9 8A5F01                mov bl, byte ptr [edi+01]
:0057EFDC 47                   inc edi
:0057EFDD 8954241C             mov dword ptr [esp+1C], edx
:0057EFE1 83E37F                and ebx, 0000007F
:0057EFE4 33D2                   xor edx, edx
:0057EFE6 47                   inc edi
:0057EFE7 8A931C5C5D00          mov dl, byte ptr [ebx+005D5C1C]    // 4位  X4
:0057EFED F6C180                test cl, 80
:0057EFF0 75A4                   jne 0057EF96
:0057EFF2 A880                   test al, 80
:0057EFF4 75A0                   jne 0057EF96
:0057EFF6 8B5C241C             mov ebx, dword ptr [esp+1C]
:0057EFFA F6C380                test bl, 80
:0057EFFD 7597                   jne 0057EF96
:0057EFFF F6C280                test dl, 80
:0057F002 7592                   jne 0057EF96
:0057F004 C1E106                shl ecx, 06                      // X1*64
:0057F007 0BC8                   or ecx, eax                      // X1*64+X2
:0057F009 C1E106                shl ecx, 06                      // (X1*64+X2)*64
:0057F00C 0BCB                   or ecx, ebx                      // (X1*64+X2)*64+X3
:0057F00E 8B5C2410             mov ebx, dword ptr [esp+10]
:0057F012 C1E106                shl ecx, 06                      // ((X1*64+X2)*64)*64 下面是将这些数据存储作为比较用。
:0057F015 0BCA                   or ecx, edx
:0057F017 83C303                add ebx, 00000003
:0057F01A 8BC1                   mov eax, ecx
:0057F01C 8BD1                   mov edx, ecx
:0057F01E C1E810                shr eax, 10
:0057F021 8806                   mov byte ptr [esi], al
:0057F023 8B442420             mov eax, dword ptr [esp+20]
:0057F027 46                   inc esi
:0057F028 83C004                add eax, 00000004
:0057F02B C1EA08                shr edx, 08
:0057F02E 8816                   mov byte ptr [esi], dl
:0057F030 46                   inc esi
:0057F031 895C2410             mov dword ptr [esp+10], ebx
:0057F035 89442420             mov dword ptr [esp+20], eax
:0057F039 880E                   mov byte ptr [esi], cl
:0057F03B 46                   inc esi
:0057F03C 3BC5                   cmp eax, ebp
:0057F03E 0F8C6BFFFFFF          jl 0057EFAF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EFA5(C)
|
:0057F044 8B442410             mov eax, dword ptr [esp+10]
:0057F048 5F                   pop edi
:0057F049 5E                   pop esi
:0057F04A 5D                   pop ebp
:0057F04B 5B                   pop ebx
:0057F04C 59                   pop ecx
:0057F04D C3                   ret
//根据注册信息计算要求注册码

*********************************************************************************************************
3、//MD5计算开始
* Referenced by a CALL at Address:
|:0057EEAC
|
:0057FC30 53                   push ebx
:0057FC31 55                   push ebp
:0057FC32 56                   push esi
:0057FC33 8B742414             mov esi, dword ptr [esp+14]
:0057FC37 57                   push edi
:0057FC38 BD9C5C5D00             mov ebp, 005D5C9C
:0057FC3D 8B4E58                mov ecx, dword ptr [esi+58]
:0057FC40 8D5E18                lea ebx, dword ptr [esi+18]
:0057FC43 8BC1                   mov eax, ecx
:0057FC45 83E103                and ecx, 00000003
:0057FC48 C1F802                sar eax, 02
:0057FC4B 83F903                cmp ecx, 00000003
:0057FC4E 8B3C83                mov edi, dword ptr [ebx+4*eax]
:0057FC51 7735                   ja 0057FC88
:0057FC53 FF248D5CFD5700       jmp dword ptr [4*ecx+0057FD5C]
:0057FC5A 8B3D9C5C5D00          mov edi, dword ptr [005D5C9C]
:0057FC60 BD9D5C5D00             mov ebp, 005D5C9D
:0057FC65 81E7FF000000          and edi, 000000FF
:0057FC6B 33C9                   xor ecx, ecx
:0057FC6D 8A6D00                mov ch, byte ptr [ebp+00]
:0057FC70 0BF9                   or edi, ecx
:0057FC72 45                   inc ebp
:0057FC73 33D2                   xor edx, edx
:0057FC75 8A5500                mov dl, byte ptr [ebp+00]
:0057FC78 C1E210                shl edx, 10
:0057FC7B 0BFA                   or edi, edx
:0057FC7D 45                   inc ebp
:0057FC7E 33C9                   xor ecx, ecx
:0057FC80 8A4D00                mov cl, byte ptr [ebp+00]
:0057FC83 C1E118                shl ecx, 18
:0057FC86 0BF9                   or edi, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FC51(C)
|
:0057FC88 893C83                mov dword ptr [ebx+4*eax], edi
:0057FC8B 8B4E58                mov ecx, dword ptr [esi+58]
:0057FC8E 40                   inc eax
:0057FC8F 83F938                cmp ecx, 00000038
:0057FC92 7C21                   jl 0057FCB5
:0057FC94 83F810                cmp eax, 00000010
:0057FC97 7D0E                   jge 0057FCA7
:0057FC99 B910000000             mov ecx, 00000010
:0057FC9E 8D3C83                lea edi, dword ptr [ebx+4*eax]
:0057FCA1 2BC8                   sub ecx, eax
:0057FCA3 33C0                   xor eax, eax
:0057FCA5 F3                   repz
:0057FCA6 AB                   stosd

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FC97(C)
|
:0057FCA7 53                   push ebx
:0057FCA8 56                   push esi
:0057FCA9 E8D2F8FFFF             call 0057F580
:0057FCAE 83C408                add esp, 00000008
:0057FCB1 33C0                   xor eax, eax
:0057FCB3 EB05                   jmp 0057FCBA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FC92(C)
|
:0057FCB5 83F80E                cmp eax, 0000000E
:0057FCB8 7D0E                   jge 0057FCC8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FCB3(U)
|
:0057FCBA B90E000000             mov ecx, 0000000E
:0057FCBF 8D3C83                lea edi, dword ptr [ebx+4*eax]
:0057FCC2 2BC8                   sub ecx, eax
:0057FCC4 33C0                   xor eax, eax
:0057FCC6 F3                   repz
:0057FCC7 AB                   stosd

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FCB8(C)
|
:0057FCC8 8B5610                mov edx, dword ptr [esi+10]
:0057FCCB 53                   push ebx
:0057FCCC 895338                mov dword ptr [ebx+38], edx
:0057FCCF 8B4614                mov eax, dword ptr [esi+14]
:0057FCD2 56                   push esi                      //看到"0123456789ABCDEFFEDEBA9876543210"常量估计是MD5算法
:0057FCD3 89433C                mov dword ptr [ebx+3C], eax    //将注册信息(名字+Email+日期码+他公司信息（是不同版本
:0057FCD6 E8A5F8FFFF             call 0057F580                   //变化的）进行MD5计算得到要求注册码)
:0057FCDB 8B44241C             mov eax, dword ptr [esp+1C]
:0057FCDF 8B0E                   mov ecx, dword ptr [esi]
:0057FCE1 83C408                add esp, 00000008
:0057FCE4 8BD1                   mov edx, ecx
:0057FCE6 8808                   mov byte ptr [eax], cl
:0057FCE8 40                   inc eax
:0057FCE9 C1EA08                shr edx, 08
:0057FCEC 8810                   mov byte ptr [eax], dl
:0057FCEE 8BD1                   mov edx, ecx
:0057FCF0 40                   inc eax
:0057FCF1 5F                   pop edi
:0057FCF2 C1EA10                shr edx, 10
:0057FCF5 8810                   mov byte ptr [eax], dl
:0057FCF7 40                   inc eax
:0057FCF8 C1E918                shr ecx, 18
:0057FCFB 8808                   mov byte ptr [eax], cl
:0057FCFD 8B4E04                mov ecx, dword ptr [esi+04]
:0057FD00 40                   inc eax
:0057FD01 8BD1                   mov edx, ecx
:0057FD03 C1EA08                shr edx, 08
:0057FD06 8808                   mov byte ptr [eax], cl
:0057FD08 40                   inc eax
:0057FD09 8810                   mov byte ptr [eax], dl
:0057FD0B 8BD1                   mov edx, ecx
:0057FD0D 40                   inc eax
:0057FD0E C1EA10                shr edx, 10
:0057FD11 8810                   mov byte ptr [eax], dl
:0057FD13 40                   inc eax
:0057FD14 C1E918                shr ecx, 18
:0057FD17 8808                   mov byte ptr [eax], cl
:0057FD19 8B4E08                mov ecx, dword ptr [esi+08]
:0057FD1C 40                   inc eax
:0057FD1D 8BD1                   mov edx, ecx
:0057FD1F C1EA08                shr edx, 08
:0057FD22 8808                   mov byte ptr [eax], cl
:0057FD24 40                   inc eax
:0057FD25 8810                   mov byte ptr [eax], dl
:0057FD27 8BD1                   mov edx, ecx
:0057FD29 40                   inc eax
:0057FD2A C1EA10                shr edx, 10
:0057FD2D 8810                   mov byte ptr [eax], dl
:0057FD2F 40                   inc eax
:0057FD30 C1E918                shr ecx, 18
:0057FD33 8808                   mov byte ptr [eax], cl
:0057FD35 8B4E0C                mov ecx, dword ptr [esi+0C]
:0057FD38 40                   inc eax
:0057FD39 8BD1                   mov edx, ecx
:0057FD3B C1EA08                shr edx, 08
:0057FD3E 8808                   mov byte ptr [eax], cl
:0057FD40 40                   inc eax
:0057FD41 8810                   mov byte ptr [eax], dl
:0057FD43 8BD1                   mov edx, ecx
:0057FD45 40                   inc eax
:0057FD46 C1EA10                shr edx, 10
:0057FD49 C1E918                shr ecx, 18
:0057FD4C 8810                   mov byte ptr [eax], dl
:0057FD4E 884801                mov byte ptr [eax+01], cl
:0057FD51 C7465800000000       mov [esi+58], 00000000
:0057FD58 5E                   pop esi
:0057FD59 5D                   pop ebp
:0057FD5A 5B                   pop ebx
:0057FD5B C3                   ret
//MD5计算结束

***************************************************************************************************
///数据表：

005D5C1C  FF FF FF FF FF FF FF FF FF E0 F0 FF FF F1 FF FF  ????????
005D5C2C  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ????????
005D5C3C  E0 FF FF FF FF FF FF FF FF FF FF 3E FF F2 FF 3F  ????????
005D5C4C  34 35 36 37 38 39 3A 3B 3C 3D FF FF FF 00 FF FF  456789:;<=???
005D5C5C  FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E  ?..
..
005D5C6C  0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF  ???
005D5C7C  FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28  ? !"#$%&'(
005D5C8C  29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF  )*+,-./0123???
005D5C9C  80 00 00 00 AC 9B 5A 00 00 00 00 00 2E 3F 41 56  ?..?Z......?AV
005D5CAC  74 79 70 65 5F 69 6E 66 6F 40 40 00 00 00 00 00  type_info@@.....
005D5CBC  00 00 00 00 01 00 00 00 00 00 00 00 AC 9B 5A 00  ...........?Z.
005D5CCC  00 00 00 00 2E 3F 41 56 5F 63 6F 6D 5F 65 72 72  .....?AV_com_err
005D5CDC  6F 72 40 40 00 00 00 00 00 00 00 00 00 00 00 00  or@@............
005D5CEC  00 00 00 00 44 DD DC 73 01 00 00 00 00 00 00 00  ....D蒈s.......
005D5CFC  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ...............
005D5D0C  E8 44 14 00 00 00 00 00 00 00 00 00 5E FE 84 6D  枘.........^?m
005D5D1C  33 20 C8 4D 84 40 30 71 63 9A 88 3D 30 36 59 00  3 韧?0qc?=06Y.
005D5D2C  00 00 00 00 8C 75 5C 00 00 00 00 FF 68 02 DD 73  ....?\....?蒹
005D5D3C  00 00 00 00 FF FF FF 7F FF FF FF 7F FF FF FF 7E  ....??????
005D5D4C  00 00 00 00 FF FF FF 7F FF FF FF 7F FF FF FF 7E  ....??????
005D5D5C  00 24 74 C9 FF 4F C3 47 00 00 00 00 50 3C DD 73  .$t?O们....P<蒹
005D5D6C  78 00 00 00 18 3D 59 00 00 00 00 00 00 00 00 00  x...=Y.........
005D5D7C  58 1C E0 73 58 1C E0 73 58 1C E0 73 01 00 00 00  X囿X囿X囿...
********************************************************************************************************

总结:
  该软件将注册信息（姓名+邮件地址+时间期限变码+使用权+公司预埋码）取MD5为要求码，将注册码四位一组做乘加组合运算得到比较码，一致则通过。给一个注册码：

name:  HaIlDuZ
Email: hailduz@hotmail.com
year:  2005
month: 12
date:  31
code:  eB21G-GQWl-Scab-IpGs-uU8vk

HaiLDuZ 于2005.12.8

hailduz@hotmail.com

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・0

点赞・7

打赏