[Original] MicroCCD 4 (optical processing software): a simple analysis of its registration
Posted: 2005-12-7 16:00
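MicroCCD 4 (optical processing software): a simple analysis of its registration
Author: HaiLDuZ [CCG Temp Member]
Software: MicroCCD (optical processing software), Diffraction Limited: http://www.cyanogen.com/index.htm
Date written: 2005.12.8
File size: 16.3MB
License: commercial (paid) software
Protection: registration code
Tools used: Ollydbg 1.10; W32Dasm 10.0
Author's statement: for technical exchange only, with no commercial purpose; please keep the text complete when reposting.
Preface:
A while ago, for work, I came across a microscope image-processing program online. Registering for the demo version gives only 30 days, and after installing it I found that the period is counted from the date of registration on their website, so only a few days are left now.
Looking at the executable, it is not packed (some foreign commercial software vendors are either fairly easygoing or fairly confident in their own protection), which suits someone like me who cannot unpack. So I started. It turns out to be the full version,
and the registration code determines which usage rights you get. You first have to enter a name, e-mail address, expiry date and registration code. I set a breakpoint at the program's comparison routine.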
// Serial number computation and comparison routine
* Referenced by a CALL at Addresses:
|:004AE9E5 , :004AEBB2 , :004AF729 , :004AF78B , :004AF874
|
:004ADD96 55 push ebp
:004ADD97 8BEC mov ebp, esp
:004ADD99 6AFF push FFFFFFFF
:004ADD9B 682DA95800 push 0058A92D
:004ADDA0 64A100000000 mov eax, dword ptr fs:[00000000]
:004ADDA6 50 push eax
:004ADDA7 64892500000000 mov dword ptr fs:[00000000], esp
:004ADDAE 83EC64 sub esp, 00000064
:004ADDB1 894DA4 mov dword ptr [ebp-5C], ecx
:004ADDB4 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADDB7 81C1A0000000 add ecx, 000000A0
* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:004ADDBD E842220D00 Call 00580004
:004ADDC2 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADDC5 81C1A0000000 add ecx, 000000A0
* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:004ADDCB E82E220D00 Call 0057FFFE
:004ADDD0 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADDD3 81C1A4000000 add ecx, 000000A4
* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:004ADDD9 E826220D00 Call 00580004
:004ADDDE 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADDE1 81C1A4000000 add ecx, 000000A4
* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:004ADDE7 E812220D00 Call 0057FFFE
:004ADDEC 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADDEF 81C1A8000000 add ecx, 000000A8
* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:004ADDF5 E80A220D00 Call 00580004
:004ADDFA 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADDFD 81C1A8000000 add ecx, 000000A8
* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:004ADE03 E8F6210D00 Call 0057FFFE
:004ADE08 8B45A4 mov eax, dword ptr [ebp-5C]
:004ADE0B C680BF00000000 mov byte ptr [eax+000000BF], 00
:004ADE12 8D4DF0 lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:004ADE15 E8B2200D00 Call 0057FECC
:004ADE1A C745FC00000000 mov [ebp-04], 00000000
* Possible StringData Ref from Data Obj ->"9999"
|
:004ADE21 68ACCE5C00 push 005CCEAC
:004ADE26 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADE29 81C1B4000000 add ecx, 000000B4
:004ADE2F 51 push ecx
:004ADE30 E8AB17F6FF call 0040F5E0
:004ADE35 25FF000000 and eax, 000000FF
:004ADE3A 85C0 test eax, eax
:004ADE3C 7412 je 004ADE50
* Possible StringData Ref from Data Obj ->"99999"
|
:004ADE3E 68B4CE5C00 push 005CCEB4
:004ADE43 8D4DF0 lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:004ADE46 E8ED200D00 Call 0057FF38
:004ADE4B E9AD000000 jmp 004ADEFD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADE3C(C)
|
:004ADE50 6A00 push 00000000
:004ADE52 6A00 push 00000000
:004ADE54 6A00 push 00000000
:004ADE56 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADE59 81C1AC000000 add ecx, 000000AC
:004ADE5F E83C59F5FF call 004037A0
:004ADE64 50 push eax //push the day of the entered expiry date
* Reference To: MSVCRT.atoi, Ord:023Dh
|
:004ADE65 FF1530325900 Call dword ptr [00593230]
:004ADE6B 83C404 add esp, 00000004
:004ADE6E 50 push eax
:004ADE6F 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADE72 81C1B0000000 add ecx, 000000B0
:004ADE78 E82359F5FF call 004037A0
:004ADE7D 50 push eax //push the month of the entered expiry date
* Reference To: MSVCRT.atoi, Ord:023Dh
|
:004ADE7E FF1530325900 Call dword ptr [00593230]
:004ADE84 83C404 add esp, 00000004
:004ADE87 50 push eax
:004ADE88 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADE8B 81C1B4000000 add ecx, 000000B4
:004ADE91 E80A59F5FF call 004037A0
:004ADE96 50 push eax //push the year of the entered expiry date
* Reference To: MSVCRT.atoi, Ord:023Dh
|
:004ADE97 FF1530325900 Call dword ptr [00593230]
:004ADE9D 83C404 add esp, 00000004
:004ADEA0 50 push eax
:004ADEA1 8D4DE0 lea ecx, dword ptr [ebp-20]
:004ADEA4 E867230000 call 004B0210 //with year, month and day, call MFC's SetDateTime to compute the object's m_dt value for later use
:004ADEA9 8D55E0 lea edx, dword ptr [ebp-20]
:004ADEAC 52 push edx
:004ADEAD 8D4DCC lea ecx, dword ptr [ebp-34]
:004ADEB0 E82B230000 call 004B01E0
:004ADEB5 C645FC01 mov [ebp-04], 01
:004ADEB9 6A00 push 00000000
:004ADEBB 6A05 push 00000005
:004ADEBD 8D4DCC lea ecx, dword ptr [ebp-34]
* Reference To: MFC42.Ordinal:06EA, Ord:06EAh
|
:004ADEC0 E8A5270D00 Call 0058066A
:004ADEC5 8B45D4 mov eax, dword ptr [ebp-2C]
:004ADEC8 8945C4 mov dword ptr [ebp-3C], eax
:004ADECB 8B4DD8 mov ecx, dword ptr [ebp-28]
:004ADECE 894DC8 mov dword ptr [ebp-38], ecx
:004ADED1 DD45C4 fld qword ptr [ebp-3C]
* Reference To: MSVCRT._ftol, Ord:00F1h
|
:004ADED4 E899300D00 Call 00580F72
:004ADED9 8945DC mov dword ptr [ebp-24], eax
:004ADEDC 8B55DC mov edx, dword ptr [ebp-24]
:004ADEDF 52 push edx
* Possible StringData Ref from Data Obj ->"%i"
|
:004ADEE0 68BCCE5C00 push 005CCEBC
:004ADEE5 8D45F0 lea eax, dword ptr [ebp-10]
:004ADEE8 50 push eax
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:004ADEE9 E86E200D00 Call 0057FF5C //format the m_dt value as a decimal number for later use
:004ADEEE 83C40C add esp, 0000000C
:004ADEF1 C645FC00 mov [ebp-04], 00
:004ADEF5 8D4DCC lea ecx, dword ptr [ebp-34]
:004ADEF8 E8C3220000 call 004B01C0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADE4B(U)
|
:004ADEFD 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADF00 C681BC000000FF mov byte ptr [ecx+000000BC], FF
:004ADF07 8B55A4 mov edx, dword ptr [ebp-5C]
:004ADF0A C782B800000004000000 mov dword ptr [edx+000000B8], 00000004
:004ADF14 C745EC00000000 mov [ebp-14], 00000000
:004ADF1B EB09 jmp 004ADF26
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE0C4(U)
|
:004ADF1D 8B45EC mov eax, dword ptr [ebp-14]
:004ADF20 83C001 add eax, 00000001
:004ADF23 8945EC mov dword ptr [ebp-14], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADF1B(U)
|
:004ADF26 837DEC04 cmp dword ptr [ebp-14], 00000004
:004ADF2A 0F8D99010000 jnl 004AE0C9
:004ADF30 8B4DEC mov ecx, dword ptr [ebp-14]
:004ADF33 8B148DA8CD5C00 mov edx, dword ptr [4*ecx+005CCDA8]
:004ADF3A 52 push edx //push the resident string "MICROCCD" for later use
:004ADF3B 8D4DB8 lea ecx, dword ptr [ebp-48]
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:004ADF3E E86B1F0D00 Call 0057FEAE
:004ADF43 C645FC02 mov [ebp-04], 02
:004ADF47 8B45EC mov eax, dword ptr [ebp-14]
:004ADF4A 8B0C85A8CD5C00 mov ecx, dword ptr [4*eax+005CCDA8]
:004ADF51 51 push ecx
:004ADF52 8D55F0 lea edx, dword ptr [ebp-10]
:004ADF55 52 push edx
:004ADF56 8B45A4 mov eax, dword ptr [ebp-5C]
:004ADF59 05A0000000 add eax, 000000A0
:004ADF5E 50 push eax
:004ADF5F 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADF62 81C1A4000000 add ecx, 000000A4
:004ADF68 51 push ecx
:004ADF69 8D55B0 lea edx, dword ptr [ebp-50]
:004ADF6C 52 push edx
* Reference To: MFC42.Ordinal:039A, Ord:039Ah
|
:004ADF6D E8F61F0D00 Call 0057FF68 //concatenate the entered name and Email strings for later use
:004ADF72 8945A0 mov dword ptr [ebp-60], eax
:004ADF75 8B45A0 mov eax, dword ptr [ebp-60]
:004ADF78 89459C mov dword ptr [ebp-64], eax
:004ADF7B C645FC03 mov [ebp-04], 03
:004ADF7F 8B4D9C mov ecx, dword ptr [ebp-64]
:004ADF82 51 push ecx
:004ADF83 8D55AC lea edx, dword ptr [ebp-54]
:004ADF86 52 push edx
* Reference To: MFC42.Ordinal:039A, Ord:039Ah
|
:004ADF87 E8DC1F0D00 Call 0057FF68 //append the decimal m_dt string to the name and Email string above
:004ADF8C 894598 mov dword ptr [ebp-68], eax
:004ADF8F 8B4598 mov eax, dword ptr [ebp-68]
:004ADF92 894594 mov dword ptr [ebp-6C], eax
:004ADF95 C645FC04 mov [ebp-04], 04
:004ADF99 8B4D94 mov ecx, dword ptr [ebp-6C]
:004ADF9C 51 push ecx
:004ADF9D 8D55C0 lea edx, dword ptr [ebp-40]
:004ADFA0 52 push edx
* Reference To: MFC42.Ordinal:039C, Ord:039Ch
|
:004ADFA1 E8BC1F0D00 Call 0057FF62 //append "MICROCCD" to the string above
:004ADFA6 C645FC07 mov [ebp-04], 07
:004ADFAA 8D4DAC lea ecx, dword ptr [ebp-54]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004ADFAD E8021F0D00 Call 0057FEB4
:004ADFB2 C645FC06 mov [ebp-04], 06
:004ADFB6 8D4DB0 lea ecx, dword ptr [ebp-50]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004ADFB9 E8F61E0D00 Call 0057FEB4
:004ADFBE 8D4DB4 lea ecx, dword ptr [ebp-4C]
:004ADFC1 E87A0D0D00 call 0057ED40
:004ADFC6 C645FC08 mov [ebp-04], 08
:004ADFCA C745BC04000000 mov [ebp-44], 00000004
:004ADFD1 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004ADFD4 81C1A8000000 add ecx, 000000A8
:004ADFDA E8C157F5FF call 004037A0
:004ADFDF 50 push eax
:004ADFE0 68FBEB6A5C push 5C6AEBFB
:004ADFE5 68F5548610 push 108654F5
:004ADFEA 8D4DC0 lea ecx, dword ptr [ebp-40]
:004ADFED E8AE57F5FF call 004037A0
:004ADFF2 50 push eax
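:004ADFF3 8D4DB4 lea ecx, dword ptr [ebp-4C] //registration code: the demo code issued by the vendor has the form *****-****-****-****-*****
:004ADFF6 E8850D0D00 call 0057ED80 //key computation: computes the check code from the registration info and, at the same time, the check code from the registration code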
:004ADFFB 25FF000000 and eax, 000000FF
:004AE000 85C0 test eax, eax
:004AE002 7406 je 004AE00A
:004AE004 8B45EC mov eax, dword ptr [ebp-14]
:004AE007 8945BC mov dword ptr [ebp-44], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE002(C)
|
:004AE00A 8B4DBC mov ecx, dword ptr [ebp-44]
:004AE00D 894D90 mov dword ptr [ebp-70], ecx
:004AE010 837D9003 cmp dword ptr [ebp-70], 00000003
:004AE014 0F8786000000 ja 004AE0A0
:004AE01A 8B5590 mov edx, dword ptr [ebp-70]
:004AE01D FF2495FBE04A00 jmp dword ptr [4*edx+004AE0FB]
:004AE024 8B45A4 mov eax, dword ptr [ebp-5C]
:004AE027 C680BC00000043 mov byte ptr [eax+000000BC], 43
:004AE02E E8FF970300 call 004E7832
:004AE033 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004AE036 8B55EC mov edx, dword ptr [ebp-14]
:004AE039 8991B8000000 mov dword ptr [ecx+000000B8], edx
:004AE03F EB5F jmp 004AE0A0
:004AE041 8B45A4 mov eax, dword ptr [ebp-5C]
:004AE044 C680BC00000043 mov byte ptr [eax+000000BC], 43
:004AE04B E8E2970300 call 004E7832
:004AE050 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004AE053 8B55EC mov edx, dword ptr [ebp-14]
:004AE056 8991B8000000 mov dword ptr [ecx+000000B8], edx
:004AE05C EB42 jmp 004AE0A0
:004AE05E 8B45A4 mov eax, dword ptr [ebp-5C]
:004AE061 C680BC00000043 mov byte ptr [eax+000000BC], 43
:004AE068 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004AE06B 8B55EC mov edx, dword ptr [ebp-14]
:004AE06E 8991B8000000 mov dword ptr [ecx+000000B8], edx
:004AE074 E8B9970300 call 004E7832
:004AE079 EB25 jmp 004AE0A0
:004AE07B 8B45A4 mov eax, dword ptr [ebp-5C]
:004AE07E C680BC00000043 mov byte ptr [eax+000000BC], 43
:004AE085 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004AE088 8B55EC mov edx, dword ptr [ebp-14]
:004AE08B 8991B8000000 mov dword ptr [ecx+000000B8], edx
:004AE091 8B45A4 mov eax, dword ptr [ebp-5C]
:004AE094 C680BF00000001 mov byte ptr [eax+000000BF], 01
:004AE09B E892970300 call 004E7832
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AE014(C), :004AE03F(U), :004AE05C(U), :004AE079(U)
|
:004AE0A0 C645FC06 mov [ebp-04], 06
:004AE0A4 8D4DB4 lea ecx, dword ptr [ebp-4C]
:004AE0A7 E8C40C0D00 call 0057ED70
:004AE0AC C645FC02 mov [ebp-04], 02
:004AE0B0 8D4DC0 lea ecx, dword ptr [ebp-40]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004AE0B3 E8FC1D0D00 Call 0057FEB4
:004AE0B8 C645FC00 mov [ebp-04], 00
:004AE0BC 8D4DB8 lea ecx, dword ptr [ebp-48]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004AE0BF E8F01D0D00 Call 0057FEB4
:004AE0C4 E954FEFFFF jmp 004ADF1D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ADF2A(C)
|
:004AE0C9 8B4DA4 mov ecx, dword ptr [ebp-5C]
:004AE0CC 33D2 xor edx, edx
:004AE0CE 83B9B800000004 cmp dword ptr [ecx+000000B8], 00000004
:004AE0D5 0F95C2 setne dl
:004AE0D8 8855A8 mov byte ptr [ebp-58], dl
:004AE0DB C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004AE0E2 8D4DF0 lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004AE0E5 E8CA1D0D00 Call 0057FEB4
:004AE0EA 8A45A8 mov al, byte ptr [ebp-58]
:004AE0ED 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004AE0F0 64890D00000000 mov dword ptr fs:[00000000], ecx
:004AE0F7 8BE5 mov esp, ebp
:004AE0F9 5D pop ebp
:004AE0FA C3 ret
// End of serial number computation and comparison routine.
**********************************************************************************************
//Key computation:
1. //Key computation, main routine
* Referenced by a CALL at Address:
|:004ADFF6
|
:0057ED80 81EC44040000 sub esp, 00000444
:0057ED86 53 push ebx
:0057ED87 55 push ebp
:0057ED88 56 push esi
:0057ED89 8BB42460040000 mov esi, dword ptr [esp+00000460]
:0057ED90 33DB xor ebx, ebx
:0057ED92 57 push edi
:0057ED93 8A06 mov al, byte ptr [esi]
:0057ED95 8BE9 mov ebp, ecx
:0057ED97 84C0 test al, al
:0057ED99 8D7C2434 lea edi, dword ptr [esp+34]
:0057ED9D 7427 je 0057EDC6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDC4(C)
|
:0057ED9F 83FB20 cmp ebx, 00000020
:0057EDA2 7D22 jge 0057EDC6
:0057EDA4 803E2A cmp byte ptr [esi], 2A
:0057EDA7 7503 jne 0057EDAC
:0057EDA9 C6062B mov byte ptr [esi], 2B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDA7(C)
|
:0057EDAC 8A06 mov al, byte ptr [esi]
:0057EDAE 3C2D cmp al, 2D
:0057EDB0 740B je 0057EDBD
:0057EDB2 50 push eax
:0057EDB3 8BCD mov ecx, ebp
:0057EDB5 E806010000 call 0057EEC0
:0057EDBA 8807 mov byte ptr [edi], al
:0057EDBC 47 inc edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDB0(C)
|
:0057EDBD 8A4601 mov al, byte ptr [esi+01]
:0057EDC0 46 inc esi
:0057EDC1 43 inc ebx
:0057EDC2 84C0 test al, al
:0057EDC4 75D9 jne 0057ED9F
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057ED9D(C), :0057EDA2(C)
|
:0057EDC6 C6073D mov byte ptr [edi], 3D
:0057EDC9 47 inc edi
:0057EDCA 8D442434 lea eax, dword ptr [esp+34]
:0057EDCE 6A18 push 00000018
:0057EDD0 C6073D mov byte ptr [edi], 3D
:0057EDD3 50 push eax
:0057EDD4 C6470100 mov [edi+01], 00
:0057EDD8 E873020000 call 0057F050 // by this point the '-' characters have been removed from the registration code and "==" appended
:0057EDDD 83C408 add esp, 00000008
:0057EDE0 85C0 test eax, eax
:0057EDE2 750F jne 0057EDF3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EE5E(C)
|
:0057EDE4 5F pop edi
:0057EDE5 5E pop esi
:0057EDE6 5D pop ebp
:0057EDE7 32C0 xor al, al
:0057EDE9 5B pop ebx
:0057EDEA 81C444040000 add esp, 00000444
:0057EDF0 C21000 ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EDE2(C)
|
:0057EDF3 8D4C2434 lea ecx, dword ptr [esp+34]
:0057EDF7 6A18 push 00000018
:0057EDF9 8D542424 lea edx, dword ptr [esp+24]
:0057EDFD 51 push ecx
:0057EDFE 52 push edx
:0057EDFF E82C010000 call 0057EF30 //compute the transformed registration code from the registration code, for the comparison
:0057EE04 8B84246C040000 mov eax, dword ptr [esp+0000046C]
:0057EE0B 8B8C2468040000 mov ecx, dword ptr [esp+00000468]
:0057EE12 8B942464040000 mov edx, dword ptr [esp+00000464]
:0057EE19 83C40C add esp, 0000000C
:0057EE1C 50 push eax
:0057EE1D 51 push ecx
:0057EE1E 52 push edx
:0057EE1F 8D442460 lea eax, dword ptr [esp+60]
* Possible StringData Ref from Data Obj ->"%s%08lX%08lX"
|
:0057EE23 68C85B5D00 push 005D5BC8
:0057EE28 50 push eax
* Reference To: USER32.wsprintfA, Ord:02ACh
|
:0057EE29 FF159C335900 Call dword ptr [0059339C]
:0057EE2F 83C414 add esp, 00000014
:0057EE32 8D4C2410 lea ecx, dword ptr [esp+10]
:0057EE36 8D7C2454 lea edi, dword ptr [esp+54]
:0057EE3A 33C0 xor eax, eax
:0057EE3C 51 push ecx
:0057EE3D 83C9FF or ecx, FFFFFFFF
:0057EE40 F2 repnz
:0057EE41 AE scasb
:0057EE42 F7D1 not ecx
:0057EE44 49 dec ecx
:0057EE45 8D542458 lea edx, dword ptr [esp+58]
:0057EE49 51 push ecx
:0057EE4A 52 push edx
:0057EE4B 8BCD mov ecx, ebp
:0057EE4D E82E000000 call 0057EE80
:0057EE52 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EE64(C)
|
:0057EE54 8A4C0420 mov cl, byte ptr [esp+eax+20] //here the computed required code and the transformed registration code are compared, 0x10 bytes in total
:0057EE58 8A540410 mov dl, byte ptr [esp+eax+10]
:0057EE5C 3ACA cmp cl, dl
:0057EE5E 7584 jne 0057EDE4 //NOP this out and the check is cracked ^_^
:0057EE60 40 inc eax
:0057EE61 83F810 cmp eax, 00000010
:0057EE64 7CEE jl 0057EE54
:0057EE66 5F pop edi
:0057EE67 5E pop esi
:0057EE68 5D pop ebp
:0057EE69 B001 mov al, 01
:0057EE6B 5B pop ebx
:0057EE6C 81C444040000 add esp, 00000444
:0057EE72 C21000 ret 0010
//End of key computation main routine
*********************************************************************************************************
2. //Compute the required registration code from the registration info
* Referenced by a CALL at Address:
|:0057EDFF
|
:0057EF30 51 push ecx
:0057EF31 53 push ebx
:0057EF32 55 push ebp
:0057EF33 56 push esi
:0057EF34 57 push edi
:0057EF35 8B7C241C mov edi, dword ptr [esp+1C]
:0057EF39 8B6C2420 mov ebp, dword ptr [esp+20]
:0057EF3D B0E0 mov al, E0
:0057EF3F 33C9 xor ecx, ecx
:0057EF41 8A17 mov dl, byte ptr [edi]
:0057EF43 894C2410 mov dword ptr [esp+10], ecx
:0057EF47 83E27F and edx, 0000007F
:0057EF4A 38821C5C5D00 cmp byte ptr [edx+005D5C1C], al
:0057EF50 7514 jne 0057EF66
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF64(C)
|
:0057EF52 3BE9 cmp ebp, ecx
:0057EF54 7E10 jle 0057EF66
:0057EF56 8A5701 mov dl, byte ptr [edi+01]
:0057EF59 47 inc edi
:0057EF5A 83E27F and edx, 0000007F
:0057EF5D 4D dec ebp
:0057EF5E 38821C5C5D00 cmp byte ptr [edx+005D5C1C], al
:0057EF64 74EC je 0057EF52
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057EF50(C), :0057EF54(C)
|
:0057EF66 83FD03 cmp ebp, 00000003
:0057EF69 7E1B jle 0057EF86
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF84(C)
|
:0057EF6B 8A442FFF mov al, byte ptr [edi+ebp-01]
:0057EF6F 83E07F and eax, 0000007F
:0057EF72 8A901C5C5D00 mov dl, byte ptr [eax+005D5C1C]
:0057EF78 80CA13 or dl, 13
:0057EF7B 80FAF3 cmp dl, F3
:0057EF7E 7506 jne 0057EF86
:0057EF80 4D dec ebp
:0057EF81 83FD03 cmp ebp, 00000003
:0057EF84 7FE5 jg 0057EF6B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057EF69(C), :0057EF7E(C)
|
:0057EF86 8BC5 mov eax, ebp
:0057EF88 2503000080 and eax, 80000003
:0057EF8D 7905 jns 0057EF94
:0057EF8F 48 dec eax
:0057EF90 83C8FC or eax, FFFFFFFC
:0057EF93 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF8D(C)
|
:0057EF94 7409 je 0057EF9F
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0057EFF0(C), :0057EFF4(C), :0057EFFD(C), :0057F002(C)
|
:0057EF96 5F pop edi
:0057EF97 5E pop esi
:0057EF98 5D pop ebp
:0057EF99 83C8FF or eax, FFFFFFFF
:0057EF9C 5B pop ebx
:0057EF9D 59 pop ecx
:0057EF9E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EF94(C)
|
:0057EF9F 3BE9 cmp ebp, ecx
:0057EFA1 894C2420 mov dword ptr [esp+20], ecx
:0057EFA5 0F8E99000000 jle 0057F044
:0057EFAB 8B742418 mov esi, dword ptr [esp+18]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057F03E(C)
|
:0057EFAF 8A17 mov dl, byte ptr [edi]
:0057EFB1 33C9 xor ecx, ecx
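:0057EFB3 83E27F and edx, 0000007F //take four registration-code characters from the front and look each one up in the table at 5D5C1C (see the end),
:0057EFB6 47 inc edi //indexed by table base plus the character's ASCII value
:0057EFB7 33C0 xor eax, eax
:0057EFB9 8A8A1C5C5D00 mov cl, byte ptr [edx+005D5C1C] // 1st character, X1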
:0057EFBF 8A17 mov dl, byte ptr [edi]
:0057EFC1 8A5F01 mov bl, byte ptr [edi+01]
:0057EFC4 83E27F and edx, 0000007F
:0057EFC7 47 inc edi
:0057EFC8 83E37F and ebx, 0000007F
:0057EFCB 8A821C5C5D00 mov al, byte ptr [edx+005D5C1C] // 2nd character, X2
:0057EFD1 33D2 xor edx, edx
:0057EFD3 8A931C5C5D00 mov dl, byte ptr [ebx+005D5C1C] // 3rd character, X3
:0057EFD9 8A5F01 mov bl, byte ptr [edi+01]
:0057EFDC 47 inc edi
:0057EFDD 8954241C mov dword ptr [esp+1C], edx
:0057EFE1 83E37F and ebx, 0000007F
:0057EFE4 33D2 xor edx, edx
:0057EFE6 47 inc edi
:0057EFE7 8A931C5C5D00 mov dl, byte ptr [ebx+005D5C1C] // 4th character, X4
:0057EFED F6C180 test cl, 80
:0057EFF0 75A4 jne 0057EF96
:0057EFF2 A880 test al, 80
:0057EFF4 75A0 jne 0057EF96
:0057EFF6 8B5C241C mov ebx, dword ptr [esp+1C]
:0057EFFA F6C380 test bl, 80
:0057EFFD 7597 jne 0057EF96
:0057EFFF F6C280 test dl, 80
:0057F002 7592 jne 0057EF96
:0057F004 C1E106 shl ecx, 06 // X1*64
:0057F007 0BC8 or ecx, eax // X1*64+X2
:0057F009 C1E106 shl ecx, 06 // (X1*64+X2)*64
:0057F00C 0BCB or ecx, ebx // (X1*64+X2)*64+X3
:0057F00E 8B5C2410 mov ebx, dword ptr [esp+10]
:0057F012 C1E106 shl ecx, 06 // ((X1*64+X2)*64+X3)*64; the code below stores this data for the comparison.
:0057F015 0BCA or ecx, edx
:0057F017 83C303 add ebx, 00000003
:0057F01A 8BC1 mov eax, ecx
:0057F01C 8BD1 mov edx, ecx
:0057F01E C1E810 shr eax, 10
:0057F021 8806 mov byte ptr [esi], al
:0057F023 8B442420 mov eax, dword ptr [esp+20]
:0057F027 46 inc esi
:0057F028 83C004 add eax, 00000004
:0057F02B C1EA08 shr edx, 08
:0057F02E 8816 mov byte ptr [esi], dl
:0057F030 46 inc esi
:0057F031 895C2410 mov dword ptr [esp+10], ebx
:0057F035 89442420 mov dword ptr [esp+20], eax
:0057F039 880E mov byte ptr [esi], cl
:0057F03B 46 inc esi
:0057F03C 3BC5 cmp eax, ebp
:0057F03E 0F8C6BFFFFFF jl 0057EFAF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057EFA5(C)
|
:0057F044 8B442410 mov eax, dword ptr [esp+10]
:0057F048 5F pop edi
:0057F049 5E pop esi
:0057F04A 5D pop ebp
:0057F04B 5B pop ebx
:0057F04C 59 pop ecx
:0057F04D C3 ret
//Compute the required registration code from the registration info
*********************************************************************************************************
3. //MD5 computation begins
* Referenced by a CALL at Address:
|:0057EEAC
|
:0057FC30 53 push ebx
:0057FC31 55 push ebp
:0057FC32 56 push esi
:0057FC33 8B742414 mov esi, dword ptr [esp+14]
:0057FC37 57 push edi
:0057FC38 BD9C5C5D00 mov ebp, 005D5C9C
:0057FC3D 8B4E58 mov ecx, dword ptr [esi+58]
:0057FC40 8D5E18 lea ebx, dword ptr [esi+18]
:0057FC43 8BC1 mov eax, ecx
:0057FC45 83E103 and ecx, 00000003
:0057FC48 C1F802 sar eax, 02
:0057FC4B 83F903 cmp ecx, 00000003
:0057FC4E 8B3C83 mov edi, dword ptr [ebx+4*eax]
:0057FC51 7735 ja 0057FC88
:0057FC53 FF248D5CFD5700 jmp dword ptr [4*ecx+0057FD5C]
:0057FC5A 8B3D9C5C5D00 mov edi, dword ptr [005D5C9C]
:0057FC60 BD9D5C5D00 mov ebp, 005D5C9D
:0057FC65 81E7FF000000 and edi, 000000FF
:0057FC6B 33C9 xor ecx, ecx
:0057FC6D 8A6D00 mov ch, byte ptr [ebp+00]
:0057FC70 0BF9 or edi, ecx
:0057FC72 45 inc ebp
:0057FC73 33D2 xor edx, edx
:0057FC75 8A5500 mov dl, byte ptr [ebp+00]
:0057FC78 C1E210 shl edx, 10
:0057FC7B 0BFA or edi, edx
:0057FC7D 45 inc ebp
:0057FC7E 33C9 xor ecx, ecx
:0057FC80 8A4D00 mov cl, byte ptr [ebp+00]
:0057FC83 C1E118 shl ecx, 18
:0057FC86 0BF9 or edi, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FC51(C)
|
:0057FC88 893C83 mov dword ptr [ebx+4*eax], edi
:0057FC8B 8B4E58 mov ecx, dword ptr [esi+58]
:0057FC8E 40 inc eax
:0057FC8F 83F938 cmp ecx, 00000038
:0057FC92 7C21 jl 0057FCB5
:0057FC94 83F810 cmp eax, 00000010
:0057FC97 7D0E jge 0057FCA7
:0057FC99 B910000000 mov ecx, 00000010
:0057FC9E 8D3C83 lea edi, dword ptr [ebx+4*eax]
:0057FCA1 2BC8 sub ecx, eax
:0057FCA3 33C0 xor eax, eax
:0057FCA5 F3 repz
:0057FCA6 AB stosd
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FC97(C)
|
:0057FCA7 53 push ebx
:0057FCA8 56 push esi
:0057FCA9 E8D2F8FFFF call 0057F580
:0057FCAE 83C408 add esp, 00000008
:0057FCB1 33C0 xor eax, eax
:0057FCB3 EB05 jmp 0057FCBA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FC92(C)
|
:0057FCB5 83F80E cmp eax, 0000000E
:0057FCB8 7D0E jge 0057FCC8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FCB3(U)
|
:0057FCBA B90E000000 mov ecx, 0000000E
:0057FCBF 8D3C83 lea edi, dword ptr [ebx+4*eax]
:0057FCC2 2BC8 sub ecx, eax
:0057FCC4 33C0 xor eax, eax
:0057FCC6 F3 repz
:0057FCC7 AB stosd
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0057FCB8(C)
|
:0057FCC8 8B5610 mov edx, dword ptr [esi+10]
:0057FCCB 53 push ebx
:0057FCCC 895338 mov dword ptr [ebx+38], edx
:0057FCCF 8B4614 mov eax, dword ptr [esi+14]
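:0057FCD2 56 push esi //seeing the constant "0123456789ABCDEFFEDCBA9876543210", this is presumably the MD5 algorithm
:0057FCD3 89433C mov dword ptr [ebx+3C], eax //the registration info (name + Email + date code + vendor info, which
:0057FCD6 E8A5F8FFFF call 0057F580 //varies between editions) is run through MD5 to obtain the required registration code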
:0057FCDB 8B44241C mov eax, dword ptr [esp+1C]
:0057FCDF 8B0E mov ecx, dword ptr [esi]
:0057FCE1 83C408 add esp, 00000008
:0057FCE4 8BD1 mov edx, ecx
:0057FCE6 8808 mov byte ptr [eax], cl
:0057FCE8 40 inc eax
:0057FCE9 C1EA08 shr edx, 08
:0057FCEC 8810 mov byte ptr [eax], dl
:0057FCEE 8BD1 mov edx, ecx
:0057FCF0 40 inc eax
:0057FCF1 5F pop edi
:0057FCF2 C1EA10 shr edx, 10
:0057FCF5 8810 mov byte ptr [eax], dl
:0057FCF7 40 inc eax
:0057FCF8 C1E918 shr ecx, 18
:0057FCFB 8808 mov byte ptr [eax], cl
:0057FCFD 8B4E04 mov ecx, dword ptr [esi+04]
:0057FD00 40 inc eax
:0057FD01 8BD1 mov edx, ecx
:0057FD03 C1EA08 shr edx, 08
:0057FD06 8808 mov byte ptr [eax], cl
:0057FD08 40 inc eax
:0057FD09 8810 mov byte ptr [eax], dl
:0057FD0B 8BD1 mov edx, ecx
:0057FD0D 40 inc eax
:0057FD0E C1EA10 shr edx, 10
:0057FD11 8810 mov byte ptr [eax], dl
:0057FD13 40 inc eax
:0057FD14 C1E918 shr ecx, 18
:0057FD17 8808 mov byte ptr [eax], cl
:0057FD19 8B4E08 mov ecx, dword ptr [esi+08]
:0057FD1C 40 inc eax
:0057FD1D 8BD1 mov edx, ecx
:0057FD1F C1EA08 shr edx, 08
:0057FD22 8808 mov byte ptr [eax], cl
:0057FD24 40 inc eax
:0057FD25 8810 mov byte ptr [eax], dl
:0057FD27 8BD1 mov edx, ecx
:0057FD29 40 inc eax
:0057FD2A C1EA10 shr edx, 10
:0057FD2D 8810 mov byte ptr [eax], dl
:0057FD2F 40 inc eax
:0057FD30 C1E918 shr ecx, 18
:0057FD33 8808 mov byte ptr [eax], cl
:0057FD35 8B4E0C mov ecx, dword ptr [esi+0C]
:0057FD38 40 inc eax
:0057FD39 8BD1 mov edx, ecx
:0057FD3B C1EA08 shr edx, 08
:0057FD3E 8808 mov byte ptr [eax], cl
:0057FD40 40 inc eax
:0057FD41 8810 mov byte ptr [eax], dl
:0057FD43 8BD1 mov edx, ecx
:0057FD45 40 inc eax
:0057FD46 C1EA10 shr edx, 10
:0057FD49 C1E918 shr ecx, 18
:0057FD4C 8810 mov byte ptr [eax], dl
:0057FD4E 884801 mov byte ptr [eax+01], cl
:0057FD51 C7465800000000 mov [esi+58], 00000000
:0057FD58 5E pop esi
:0057FD59 5D pop ebp
:0057FD5A 5B pop ebx
:0057FD5B C3 ret
//MD5 computation ends
***************************************************************************************************
///Data table:
005D5C1C FF FF FF FF FF FF FF FF FF E0 F0 FF FF F1 FF FF ????????
005D5C2C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ????????
005D5C3C E0 FF FF FF FF FF FF FF FF FF FF 3E FF F2 FF 3F ????????
005D5C4C 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF 00 FF FF 456789:;<=???
005D5C5C FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E ?....
005D5C6C 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF ???
005D5C7C FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 ? !"#$%&'(
005D5C8C 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF )*+,-./0123???
005D5C9C 80 00 00 00 AC 9B 5A 00 00 00 00 00 2E 3F 41 56 ?..?Z......?AV
********************************************************************************************************
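Summary:
The software takes the MD5 of the registration information (name + e-mail address + transformed expiry date + usage right + vendor-embedded code) as the required code, and runs a multiply-and-add combination over the registration code in groups of four characters to obtain the comparison code; if the two match, registration passes. Here is one registration code: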
name: HaIlDuZ
Email: hailduz@hotmail.com
year: 2005
month: 12
date: 31
code: eB21G-GQWl-Scab-IpGs-uU8vk
HaiLDuZ, 2005.12.8
hailduz@hotmail.com
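
The lookup table at 005D5C1C and the four-character packing loop at 0057EFAF can be checked against standard Base64 directly. This is an added example, not part of the original post: the table bytes are copied from the dump above, while the function names and the sample inputs are constructed for illustration.

```python
import base64
import string

# The 128 bytes at 005D5C1C..005D5C9B, copied row by row from the data table in the post.
TABLE = bytes.fromhex("""
    FF FF FF FF FF FF FF FF FF E0 F0 FF FF F1 FF FF
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    E0 FF FF FF FF FF FF FF FF FF FF 3E FF F2 FF 3F
    34 35 36 37 38 39 3A 3B 3C 3D FF FF FF 00 FF FF
    FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
    0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF
    FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28
    29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF
""")
assert len(TABLE) == 128

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def recover_alphabet(table=TABLE):
    """Invert the table: which input character produces each 6-bit value 0..63?"""
    slots = [None] * 64
    for ch, val in enumerate(table):
        if val >= 64 or chr(ch) == "=":   # '=' also maps to 0: padding decodes as zero bits
            continue
        if slots[val] is not None:
            raise ValueError(f"value {val} is produced by two characters")
        slots[val] = chr(ch)
    if None in slots:
        raise ValueError("table does not cover all 64 values")
    return "".join(slots)


def special_entries(table=TABLE):
    """Entries that are neither a 6-bit value nor the 0xFF 'invalid' marker."""
    return {chr(ch): val for ch, val in enumerate(table) if 0x40 <= val < 0xFF}


def decode_groups(text, table=TABLE):
    """Mirror routine 0057EF30: trim markers, then pack 4 lookups into 3 bytes."""
    # 0057EF41..0057EF64: skip leading bytes whose table entry is 0xE0 (tab, space).
    while text and table[text[0] & 0x7F] == 0xE0:
        text = text[1:]
    # 0057EF6B..0057EF84: drop trailing marker bytes (entry | 0x13 == 0xF3).
    while len(text) > 3 and (table[text[-1] & 0x7F] | 0x13) == 0xF3:
        text = text[:-1]
    # 0057EF86..0057EF94: the remaining length must be a multiple of four.
    if len(text) % 4:
        raise ValueError("length is not a multiple of 4 (routine returns -1)")
    out = bytearray()
    for i in range(0, len(text), 4):
        word = 0
        for ch in text[i:i + 4]:
            val = table[ch & 0x7F]
            if val & 0x80:                # 0057EFED..0057F002: reject marker/invalid bytes
                raise ValueError("invalid character (routine returns -1)")
            word = (word << 6) | val      # shl ecx, 06 / or ecx, ...
        out += word.to_bytes(3, "big")    # stored high byte first (shr 10, shr 08, cl)
    return bytes(out)


def agrees_with_stdlib(text):
    """Compare the reconstructed routine with Python's Base64 decoder (unpadded input)."""
    return decode_groups(text) == base64.b64decode(text)


if __name__ == "__main__":
    print("alphabet is standard Base64:", recover_alphabet() == STD_ALPHABET)
    print("special entries:", {repr(k): hex(v) for k, v in special_entries().items()})
    sample = b"SGVsbG8h"                  # constructed sample, Base64 of b"Hello!"
    print(decode_groups(sample), agrees_with_stdlib(sample))
```

Unlike a library decoder, the routine as listed does not shorten its output for `=` padding: each group always yields three bytes, with the padding decoded as zero bits.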