【破文标题】 BoxShotMaker1.88注册算法分析+汇编注册机
【破文作者】 snake
【软件名称】 Box Shot Maker 1.88
【下载地址】 http://yncnc.onlinedown.net/soft/44994.htm
【软件简介】 一款能把普通的一维图片转变成具有三维效果的图片。自带了一个简单的图形编辑器。
【调试环境】 Windows 2000+SP4、PEiD、Ollydbg
【作者声明】 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------------
【算法总结】
注册码长度为50位,以"12345678901234567890123456789012345678901234567890"为例
1、第2位为字符'-'
2、第11位为字符'Y'
3、第41~44位为字符'BSM1'
4、取注册码前6位的每一位的ASCII值%10+30h(十六进制,即字符'0')分别得到注册码的最后6位
则注册码转换为"1-34567890Y23456789012345678901234567890BSM1951234"
5、将第2位换为字符‘#’
6、从常串"1z1h+2a0n-0g8y*9a1n|"第3位起分别取值与注册码从第2位起分别取值进行运算得到注册码的第12~19位
结果为"1#34567890YIRNVLHHT012345678901234567890BSM1951234"
7、从注册码第2位起依次取相邻3位进行运算生成一个新的16位字符串+"ZY"得字符串"ovcplrkflaewqmcoZY"
8、依次取新字符串相邻两位进行运算得注册码第25~40位
9、注册码第24位为0~9之间的值,其余位任意
得最终注册码为"1-34567890YIRNVLHHT01234XBKARTDKIKFSKTJPBSM1951234",具体运算过程见下面分析
【破解过程】
一、程序脱壳
用PEiD查壳,为ASPack 2.001 -> Alexey Solodovnikov,OD载入手动脱壳(略)
脱壳后查为Borland C++ DLL Method 1
二、算法分析
分别输入Email Address,Registration Code,根据提示的错误信息,可断在此处
0042C4E5 . 8BEC mov ebp,esp
0042C4E7 . 83C4 94 add esp,-6C
0042C4EA . 8955 98 mov dword ptr ss:[ebp-68],edx
0042C4ED . 8945 9C mov dword ptr ss:[ebp-64],eax
0042C4F0 . B8 C4155200 mov eax,x.005215C4
0042C4F5 . E8 86D80C00 call x.004F9D80
0042C4FA . 66:C745 B0 0800 mov word ptr ss:[ebp-50],8
0042C500 . 8D45 FC lea eax,dword ptr ss:[ebp-4]
0042C503 . E8 685FFDFF call x.00402470
0042C508 . 8BD0 mov edx,eax
0042C50A . FF45 BC inc dword ptr ss:[ebp-44]
0042C50D . 8B4D 9C mov ecx,dword ptr ss:[ebp-64]
0042C510 . 8B81 00030000 mov eax,dword ptr ds:[ecx+300]
0042C516 . E8 E5E80700 call x.004AAE00
0042C51B . 8D45 FC lea eax,dword ptr ss:[ebp-4]
0042C51E . E8 5DEEFFFF call x.0042B380 ; 取输入的Email长度
0042C523 . 83F8 03 cmp eax,3 ; 是否有效
0042C526 . 7C 6A jl short x.0042C592
0042C528 . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0042C52B . E8 405FFDFF call x.00402470
......
0042C5F3 . 66:C745 B0 2000 mov word ptr ss:[ebp-50],20
0042C5F9 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
0042C5FC . E8 6F5EFDFF call x.00402470
0042C601 . 8BD0 mov edx,eax
0042C603 . FF45 BC inc dword ptr ss:[ebp-44]
0042C606 . 8B4D 9C mov ecx,dword ptr ss:[ebp-64]
0042C609 . 8B81 04030000 mov eax,dword ptr ds:[ecx+304]
0042C60F . E8 ECE70700 call x.004AAE00
0042C614 . 8D55 EC lea edx,dword ptr ss:[ebp-14]
0042C617 . FF32 push dword ptr ds:[edx] ; /取假码
0042C619 . E8 DAE9FFFF call x.0042AFF8 ; \算法call,跟进
0042C61E . 59 pop ecx
0042C61F . 8B0D E09B5200 mov ecx,dword ptr ds:[529BE0] ; x._Form1
0042C625 . 8B11 mov edx,dword ptr ds:[ecx]
0042C627 . 8882 91050000 mov byte ptr ds:[edx+591],al ; 设置标志位
0042C62D . FF4D BC dec dword ptr ss:[ebp-44]
0042C630 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
0042C633 . BA 02000000 mov edx,2
0042C638 . E8 D7780D00 call x.00503F14
0042C63D . A1 E09B5200 mov eax,dword ptr ds:[529BE0]
0042C642 . 8B08 mov ecx,dword ptr ds:[eax]
0042C644 . 80B9 91050000 0>cmp byte ptr ds:[ecx+591],0
0042C64B . 0F84 1F020000 je x.0042C870 ; 关键跳转,不相等则验证通过
0042C651 . 66:C745 B0 2C00 mov word ptr ss:[ebp-50],2C
0042C657 . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0042C65A . E8 115EFDFF call x.00402470
0042C65F . 8BD0 mov edx,eax
0042C661 . FF45 BC inc dword ptr ss:[ebp-44]
0042C664 . 8B4D 9C mov ecx,dword ptr ss:[ebp-64]
0042C667 . 8B81 04030000 mov eax,dword ptr ds:[ecx+304]
0042C66D . E8 8EE70700 call x.004AAE00
0042C672 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0042C675 . 8B45 9C mov eax,dword ptr ss:[ebp-64]
0042C678 . 05 2C030000 add eax,32C
0042C67D . E8 C2780D00 call x.00503F44
0042C682 . FF4D BC dec dword ptr ss:[ebp-44]
0042C685 . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0042C688 . BA 02000000 mov edx,2
0042C68D . E8 82780D00 call x.00503F14
0042C692 . 8B45 9C mov eax,dword ptr ss:[ebp-64]
0042C695 . 05 2C030000 add eax,32C
0042C69A . E8 015EFDFF call x.004024A0
0042C69F . 0FBE50 17 movsx edx,byte ptr ds:[eax+17] ; 取假码第24位
0042C6A3 . 83FA 30 cmp edx,30 ; 与‘0’比较
0042C6A6 . 7C 16 jl short x.0042C6BE ; 不跳
0042C6A8 . 8B45 9C mov eax,dword ptr ss:[ebp-64]
0042C6AB . 05 2C030000 add eax,32C
0042C6B0 . E8 EB5DFDFF call x.004024A0
0042C6B5 . 0FBE50 17 movsx edx,byte ptr ds:[eax+17] ; 取假码第24位
0042C6B9 . 83FA 39 cmp edx,39 ; 与‘9’比较
0042C6BC . 7E 0F jle short x.0042C6CD ; 跳
0042C6BE > 8B0D E09B5200 mov ecx,dword ptr ds:[529BE0] ; x._Form1
0042C6C4 . 8B01 mov eax,dword ptr ds:[ecx]
0042C6C6 . C680 91050000 0>mov byte ptr ds:[eax+591],0
0042C6CD > B2 01 mov dl,1
0042C6CF . A1 94074E00 mov eax,dword ptr ds:[4E0794]
0042C6D4 . E8 BB410B00 call x.004E0894
0042C6D9 . 8945 94 mov dword ptr ss:[ebp-6C],eax
0042C6DC . BA 01000080 mov edx,80000001
0042C6E1 . 8B45 94 mov eax,dword ptr ss:[ebp-6C]
0042C6E4 . E8 37760D00 call x.00503D20
0042C6E9 . 8B15 E09B5200 mov edx,dword ptr ds:[529BE0] ; x._Form1
0042C6EF . 8B0A mov ecx,dword ptr ds:[edx]
0042C6F1 . 80B9 91050000 0>cmp byte ptr ds:[ecx+591],0
0042C6F8 . 0F84 06010000 je x.0042C804
0042C6FE . 66:C745 B0 3800 mov word ptr ss:[ebp-50],38
0042C704 . BA 660D5200 mov edx,x.00520D66 ; ASCII "Software\XTZY\BoxShotMaker"
......
============ 跟进 0042C619 . E8 DAE9FFFF call x.0042AFF8 ==========
; ----------------------------------------------------------------------
; x.0042AFF8 - registration-code check of the analysed program
; (OllyDbg listing, 32-bit x86, Intel operand order, hex immediates).
; In:   [arg.1] = the entered registration code, pushed by the caller at 0042C617
; Out:  al = flag byte [ebp-29] on the common exit at 0042B35B (set to 1 at
;       0042B20E, cleared again by any later mismatch);
;       eax = 0 on the four early exits taken when characters 41..44 differ
;       from 'B','S','M','1'.
; Side effect: the result of the "last 6 characters" comparison ([ebp-31])
;       is stored at [Form1+593], separately from the flag returned in al.
; Stack buffers used below: [ebp-88] = copy of the embedded constant string
;       (21 bytes), [ebp-70] = copy of the entered code, [ebp-9C]..[ebp-8B] =
;       18-byte derived string. The index expressions in the second loop start
;       from the constant-string base and run into the adjacent code buffer.
; NOTE(review): the bodies of x.0042B380, x.004024A0, x.00429270, x.004F9AE8,
;       x.0050425C, x.00504108 and x.00503F14 are not on this page; the roles
;       given in the comments follow the original author's annotations and
;       how the return values are used - confirm against the binary.
; NOTE(review): every comparison below is between the input and values derived
;       from the input itself plus an embedded constant; no secret or per-user
;       data enters the computation in the code shown, so the check can be
;       mirrored from the client binary alone.
; ----------------------------------------------------------------------
0042AFF8 /$ 55 push ebp
0042AFF9 |. 8BEC mov ebp,esp
0042AFFB |. 81C4 64FFFFFF add esp,-9C ; reserve 0x9C bytes of locals
0042B001 |. 56 push esi
0042B002 |. 57 push edi
0042B003 |. B8 A00F5200 mov eax,x.00520FA0
0042B008 |. E8 73ED0C00 call x.004F9D80
0042B00D |. C745 F4 0100000>mov [local.3],1
0042B014 |. 8D55 08 lea edx,[arg.1]
0042B017 |. 8D45 08 lea eax,[arg.1]
0042B01A |. E8 CD8D0D00 call x.00503DEC
0042B01F |. FF45 F4 inc [local.3]
0042B022 |. 66:C745 E8 0800 mov word ptr ss:[ebp-18],8
0042B028 |. C645 D7 00 mov byte ptr ss:[ebp-29],0 ; validation flag starts as 0 (rejected)
0042B02C |. 8D45 08 lea eax,[arg.1]
0042B02F |. E8 4C030000 call x.0042B380 ; length of the entered code
0042B034 |. 83F8 32 cmp eax,32 ; is it 50 characters?
0042B037 |. 0F85 B1000000 jnz x.0042B0EE ; no: skip the tail check, go straight to the 44-character test
0042B03D |. 66:C745 E8 2000 mov word ptr ss:[ebp-18],20
0042B043 |. 8D45 FC lea eax,[local.1]
0042B046 |. E8 2574FDFF call x.00402470
0042B04B |. 50 push eax ; /Arg1
0042B04C |. FF45 F4 inc [local.3] ; |
0042B04F |. 8D45 08 lea eax,[arg.1] ; |
0042B052 |. B9 06000000 mov ecx,6 ; |
0042B057 |. BA 2D000000 mov edx,2D ; |
0042B05C |. E8 FB910D00 call x.0050425C ; \x.0050425C
0042B061 |. 66:C745 E8 1400 mov word ptr ss:[ebp-18],14
0042B067 |. 8D45 FC lea eax,[local.1]
0042B06A |. E8 3174FDFF call x.004024A0
0042B06F |. 50 push eax ; /Arg2
0042B070 |. 8D55 D0 lea edx,[local.12] ; |
0042B073 |. 52 push edx ; |Arg1
0042B074 |. E8 6FEA0C00 call x.004F9AE8 ; \x.004F9AE8
0042B079 |. 83C4 08 add esp,8
0042B07C |. C645 CF 01 mov byte ptr ss:[ebp-31],1 ; tail-check flag, assume match
0042B080 |. 33C9 xor ecx,ecx
0042B082 |. 894D C8 mov [local.14],ecx ; i = 0
0042B085 |> 8D45 08 /lea eax,[arg.1]
0042B088 |. E8 1374FDFF |call x.004024A0
0042B08D |. 8B55 C8 |mov edx,[local.14]
0042B090 |. 0FBE0410 |movsx eax,byte ptr ds:[eax+edx] ; take each of the first 6 characters of the entered code
0042B094 |. B9 0A000000 |mov ecx,0A
0042B099 |. 99 |cdq
0042B09A |. F7F9 |idiv ecx ; edx = character value mod 10
0042B09C |. 83C2 30 |add edx,30 ; + 0x30 turns the remainder into an ASCII digit
0042B09F |. 8B45 C8 |mov eax,[local.14]
0042B0A2 |. 0FBE4C05 D0 |movsx ecx,byte ptr ss:[ebp+eax-30]
0042B0A7 |. 3BD1 |cmp edx,ecx ; compare each result with the matching one of the last 6 characters
0042B0A9 |. 74 06 |je short x.0042B0B1 ; must be taken, otherwise this check fails
0042B0AB |. C645 CF 00 |mov byte ptr ss:[ebp-31],0
0042B0AF |. EB 09 |jmp short x.0042B0BA
0042B0B1 |> FF45 C8 |inc [local.14]
0042B0B4 |. 837D C8 06 |cmp [local.14],6
0042B0B8 |.^ 7C CB \jl short x.0042B085
0042B0BA |> 8B15 E09B5200 mov edx,dword ptr ds:[529BE0] ; x._Form1
0042B0C0 |. 8B02 mov eax,dword ptr ds:[edx]
0042B0C2 |. 8A55 CF mov dl,byte ptr ss:[ebp-31]
0042B0C5 |. 8890 93050000 mov byte ptr ds:[eax+593],dl ; publish the tail-check result in the form object
0042B0CB |. 8D45 08 lea eax,[arg.1]
0042B0CE |. BA 2C000000 mov edx,2C
0042B0D3 |. E8 30900D00 call x.00504108 ; keep the first 44 characters of the entered code
0042B0D8 |. FF4D F4 dec [local.3]
0042B0DB |. 8D45 FC lea eax,[local.1]
0042B0DE |. BA 02000000 mov edx,2
0042B0E3 |. E8 2C8E0D00 call x.00503F14
0042B0E8 |. 66:C745 E8 0800 mov word ptr ss:[ebp-18],8
0042B0EE |> 8D45 08 lea eax,[arg.1]
0042B0F1 |. E8 8A020000 call x.0042B380
0042B0F6 |. 83F8 2C cmp eax,2C ; is it 44 characters?
0042B0F9 |. 0F85 5C020000 jnz x.0042B35B ; no: leave with the flag still 0
0042B0FF |. BE 0E0C5200 mov esi,x.00520C0E ; ASCII "1z1h+2a0n-0g8y*9a1n|"
0042B104 |. 8DBD 78FFFFFF lea edi,[local.34]
0042B10A |. B9 05000000 mov ecx,5 ; 5 dwords + 1 byte below = 21 bytes copied to [ebp-88]
0042B10F |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi>
0042B111 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
0042B112 |. 66:C745 E8 0800 mov word ptr ss:[ebp-18],8
0042B118 |. 8D45 08 lea eax,[arg.1]
0042B11B |. E8 8073FDFF call x.004024A0
0042B120 |. 0FBE50 28 movsx edx,byte ptr ds:[eax+28] ; character 41
0042B124 |. 83FA 42 cmp edx,42 ; compare with 'B'
0042B127 |. 74 23 je short x.0042B14C ; taken on match
0042B129 |. 33C0 xor eax,eax ; mismatch: return 0
0042B12B |. 50 push eax
0042B12C |. FF4D F4 dec [local.3]
0042B12F |. 8D45 08 lea eax,[arg.1]
0042B132 |. BA 02000000 mov edx,2
0042B137 |. E8 D88D0D00 call x.00503F14
0042B13C |. 58 pop eax
0042B13D |. 8B55 D8 mov edx,[local.10]
0042B140 |. 64:8915 0000000>mov dword ptr fs:[0],edx
0042B147 |. E9 2E020000 jmp x.0042B37A
0042B14C |> 8D45 08 lea eax,[arg.1]
0042B14F |. E8 4C73FDFF call x.004024A0
0042B154 |. 0FBE50 29 movsx edx,byte ptr ds:[eax+29] ; character 42
0042B158 |. 83FA 53 cmp edx,53 ; compare with 'S'
0042B15B |. 74 23 je short x.0042B180 ; taken on match
0042B15D |. 33C0 xor eax,eax ; mismatch: return 0
0042B15F |. 50 push eax
0042B160 |. FF4D F4 dec [local.3]
0042B163 |. 8D45 08 lea eax,[arg.1]
0042B166 |. BA 02000000 mov edx,2
0042B16B |. E8 A48D0D00 call x.00503F14
0042B170 |. 58 pop eax
0042B171 |. 8B55 D8 mov edx,[local.10]
0042B174 |. 64:8915 0000000>mov dword ptr fs:[0],edx
0042B17B |. E9 FA010000 jmp x.0042B37A
0042B180 |> 8D45 08 lea eax,[arg.1]
0042B183 |. E8 1873FDFF call x.004024A0
0042B188 |. 0FBE50 2A movsx edx,byte ptr ds:[eax+2A] ; character 43
0042B18C |. 83FA 4D cmp edx,4D ; compare with 'M'
0042B18F |. 74 23 je short x.0042B1B4 ; taken on match
0042B191 |. 33C0 xor eax,eax ; mismatch: return 0
0042B193 |. 50 push eax
0042B194 |. FF4D F4 dec [local.3]
0042B197 |. 8D45 08 lea eax,[arg.1]
0042B19A |. BA 02000000 mov edx,2
0042B19F |. E8 708D0D00 call x.00503F14
0042B1A4 |. 58 pop eax
0042B1A5 |. 8B55 D8 mov edx,[local.10]
0042B1A8 |. 64:8915 0000000>mov dword ptr fs:[0],edx
0042B1AF |. E9 C6010000 jmp x.0042B37A
0042B1B4 |> 8D45 08 lea eax,[arg.1]
0042B1B7 |. E8 E472FDFF call x.004024A0
0042B1BC |. 0FBE50 2B movsx edx,byte ptr ds:[eax+2B] ; character 44
0042B1C0 |. 83FA 31 cmp edx,31 ; compare with '1'
0042B1C3 |. 74 23 je short x.0042B1E8 ; taken on match
0042B1C5 |. 33C0 xor eax,eax ; mismatch: return 0
0042B1C7 |. 50 push eax
0042B1C8 |. FF4D F4 dec [local.3]
0042B1CB |. 8D45 08 lea eax,[arg.1]
0042B1CE |. BA 02000000 mov edx,2
0042B1D3 |. E8 3C8D0D00 call x.00503F14
0042B1D8 |. 58 pop eax
0042B1D9 |. 8B55 D8 mov edx,[local.10]
0042B1DC |. 64:8915 0000000>mov dword ptr fs:[0],edx
0042B1E3 |. E9 92010000 jmp x.0042B37A
0042B1E8 |> 8D45 08 lea eax,[arg.1]
0042B1EB |. E8 B072FDFF call x.004024A0
0042B1F0 |. 50 push eax ; /Arg2
0042B1F1 |. 8D55 90 lea edx,[local.28] ; |
0042B1F4 |. 52 push edx ; |Arg1
0042B1F5 |. E8 EEE80C00 call x.004F9AE8 ; \x.004F9AE8
0042B1FA |. 83C4 08 add esp,8
0042B1FD |. 0FBE4D 91 movsx ecx,byte ptr ss:[ebp-6F] ; character 2 of the local copy at [ebp-70]
0042B201 |. 83F9 2D cmp ecx,2D ; compare with '-'
0042B204 |. 0F85 51010000 jnz x.0042B35B ; not taken when it matches; otherwise leave with flag 0
0042B20A |. C645 91 23 mov byte ptr ss:[ebp-6F],23 ; overwrite character 2 with '#' in the local copy
0042B20E |. C645 D7 01 mov byte ptr ss:[ebp-29],1 ; flag = 1 from here on, cleared by any mismatch below
0042B212 |. C745 C4 0200000>mov [local.15],2 ; i = 2
0042B219 |> 8B45 C4 /mov eax,[local.15]
0042B21C |. 0FBE9405 78FFFF>|movsx edx,byte ptr ss:[ebp+eax-88] ; constant string, starting at its 3rd character
0042B224 |. 8B4D C4 |mov ecx,[local.15]
0042B227 |. 0FBE440D 8F |movsx eax,byte ptr ss:[ebp+ecx-71] ; entered code, starting at its 2nd character
0042B22C |. 03D0 |add edx,eax
0042B22E |. 8B4D C4 |mov ecx,[local.15]
0042B231 |. 0FBE440D 90 |movsx eax,byte ptr ss:[ebp+ecx-70] ; entered code, starting at its 3rd character
0042B236 |. 33D0 |xor edx,eax
0042B238 |. 8B4D C4 |mov ecx,[local.15]
0042B23B |. 0FBE840D 78FFFF>|movsx eax,byte ptr ss:[ebp+ecx-88] ; constant string again, same index
0042B243 |. 33D0 |xor edx,eax
0042B245 |. 52 |push edx ; /Arg1
0042B246 |. E8 25E0FFFF |call x.00429270 ; \x.00429270
0042B24B |. 59 |pop ecx
0042B24C |. B9 1A000000 |mov ecx,1A
0042B251 |. 99 |cdq
0042B252 |. F7F9 |idiv ecx ; edx = helper result mod 26
0042B254 |. 83C2 41 |add edx,41 ; result, mapped to 'A'..
0042B257 |. 8B45 C4 |mov eax,[local.15]
0042B25A |. 0FBE4C05 99 |movsx ecx,byte ptr ss:[ebp+eax-67] ; entered code, starting at character 12
0042B25F |. 3BD1 |cmp edx,ecx ; compare
0042B261 |. 74 06 |je short x.0042B269 ; must be taken
0042B263 |. C645 D7 00 |mov byte ptr ss:[ebp-29],0
0042B267 |. EB 09 |jmp short x.0042B272
0042B269 |> FF45 C4 |inc [local.15] ; loop counter
0042B26C |. 837D C4 0A |cmp [local.15],0A ; 8 iterations (i = 2..9)
0042B270 |.^ 7C A7 \jl short x.0042B219
0042B272 |> 807D D7 00 cmp byte ptr ss:[ebp-29],0
0042B276 |. 0F84 D2000000 je x.0042B34E ; already rejected: skip both 16-round loops
0042B27C |. C745 C0 1800000>mov [local.16],18 ; j = 0x18
0042B283 |. 66:C745 E8 0800 mov word ptr ss:[ebp-18],8
0042B289 |. 837D C0 28 cmp [local.16],28
0042B28D |. 7D 54 jge short x.0042B2E3
0042B28F |> 8B55 C0 /mov edx,[local.16]
0042B292 |. 0FBE8415 79FFFF>|movsx eax,byte ptr ss:[ebp+edx-87] ; entered code, starting at its 2nd character
0042B29A |. B9 06000000 |mov ecx,6
0042B29F |. 99 |cdq
0042B2A0 |. F7F9 |idiv ecx
0042B2A2 |. 8BCA |mov ecx,edx ; shift count = character value mod 6
0042B2A4 |. 8B45 C0 |mov eax,[local.16]
0042B2A7 |. 0FBE9405 7AFFFF>|movsx edx,byte ptr ss:[ebp+eax-86] ; entered code, starting at its 3rd character
0042B2AF |. D3E2 |shl edx,cl
0042B2B1 |. 8B45 C0 |mov eax,[local.16]
0042B2B4 |. 0FBE8C05 7BFFFF>|movsx ecx,byte ptr ss:[ebp+eax-85] ; entered code, starting at its 4th character
0042B2BC |. 0BD1 |or edx,ecx
0042B2BE |. 52 |push edx ; /Arg1
0042B2BF |. E8 ACDFFFFF |call x.00429270 ; \x.00429270
0042B2C4 |. 59 |pop ecx
0042B2C5 |. B9 1A000000 |mov ecx,1A
0042B2CA |. 99 |cdq
0042B2CB |. F7F9 |idiv ecx
0042B2CD |. 80C2 61 |add dl,61 ; result, mapped to 'a'..
0042B2D0 |. 8B45 C0 |mov eax,[local.16]
0042B2D3 |. 889405 4CFFFFFF |mov byte ptr ss:[ebp+eax-B4],dl ; build the derived string at [ebp-9C]
0042B2DA |. FF45 C0 |inc [local.16] ; loop counter
0042B2DD |. 837D C0 28 |cmp [local.16],28 ; 16 iterations (j = 0x18..0x27)
0042B2E1 |.^ 7C AC \jl short x.0042B28F
0042B2E3 |> C685 74FFFFFF 5>mov byte ptr ss:[ebp-8C],5A ; append 'Z' after the 16 derived characters
0042B2EA |. C685 75FFFFFF 5>mov byte ptr ss:[ebp-8B],59 ; append 'Y'
0042B2F1 |. C745 BC 1800000>mov [local.17],18 ; k = 0x18
0042B2F8 |. 66:C745 E8 0800 mov word ptr ss:[ebp-18],8
0042B2FE |. 837D BC 28 cmp [local.17],28
0042B302 |. 7D 4A jge short x.0042B34E
0042B304 |> 8B55 BC /mov edx,[local.17]
0042B307 |. 0FBE8415 4CFFFF>|movsx eax,byte ptr ss:[ebp+edx-B4] ; derived string, starting at its 1st character
0042B30F |. C1E0 04 |shl eax,4
0042B312 |. 8B55 BC |mov edx,[local.17]
0042B315 |. 0FBE8C15 4DFFFF>|movsx ecx,byte ptr ss:[ebp+edx-B3] ; derived string, starting at its 2nd character
0042B31D |. D1F9 |sar ecx,1
0042B31F |. 33C1 |xor eax,ecx
0042B321 |. 50 |push eax ; /Arg1
0042B322 |. E8 49DFFFFF |call x.00429270 ; \x.00429270
0042B327 |. 59 |pop ecx
0042B328 |. B9 1A000000 |mov ecx,1A
0042B32D |. 99 |cdq
0042B32E |. F7F9 |idiv ecx
0042B330 |. 83C2 41 |add edx,41 ; result, mapped to 'A'..
0042B333 |. 8B45 BC |mov eax,[local.17]
0042B336 |. 0FBE4405 90 |movsx eax,byte ptr ss:[ebp+eax-70] ; entered code, starting at character 25
0042B33B |. 3BD0 |cmp edx,eax ; compare
0042B33D |. 74 06 |je short x.0042B345 ; must be taken
0042B33F |. C645 D7 00 |mov byte ptr ss:[ebp-29],0
0042B343 |. EB 09 |jmp short x.0042B34E
0042B345 |> FF45 BC |inc [local.17] ; loop counter
0042B348 |. 837D BC 28 |cmp [local.17],28 ; 16 iterations (k = 0x18..0x27)
0042B34C |.^ 7C B6 \jl short x.0042B304
0042B34E |> 0FBE55 9A movsx edx,byte ptr ss:[ebp-66] ; character 11 of the entered code
0042B352 |. 83FA 59 cmp edx,59 ; compare with 'Y'
0042B355 |. 74 04 je short x.0042B35B ; taken on match
0042B357 |. C645 D7 00 mov byte ptr ss:[ebp-29],0
0042B35B |> 8A45 D7 mov al,byte ptr ss:[ebp-29] ; validation flag becomes the return value
0042B35E |. 50 push eax ; keep the result across the cleanup call
0042B35F |. FF4D F4 dec [local.3]
0042B362 |. 8D45 08 lea eax,[arg.1]
0042B365 |. BA 02000000 mov edx,2
0042B36A |. E8 A58B0D00 call x.00503F14
0042B36F |. 58 pop eax
0042B370 |. 8B55 D8 mov edx,[local.10]
0042B373 |. 64:8915 0000000>mov dword ptr fs:[0],edx ; restore the saved fs:[0] value
0042B37A |> 5F pop edi
0042B37B |. 5E pop esi
0042B37C |. 8BE5 mov esp,ebp
0042B37E |. 5D pop ebp
0042B37F \. C3 retn
【汇编注册机算法部分源码】
.data
; Same 20-character constant the checked routine loads from x.00520C0E.
szStr db '1z1h+2a0n-0g8y*9a1n|',0
; Alphabet used for the filler characters (36 entries; GetRegKey indexes 0..31 only).
szData db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789',0
.code
; ----------------------------------------------------------------------
; GetRegKey proc hDlg:DWORD        (MASM, 32-bit, uses invoke)
; Fills szReg with a 50-character string laid out to match the field
; positions tested in the x.0042AFF8 listing, then writes it to the dialog
; control IDC_REG.
; In:     hDlg = dialog handle passed on to SetDlgItemText
; Out:    nothing in registers (pushad/popad restore the general registers)
; Locals: szReg[64] = output buffer, szTmp[32] = 18-character derived string
; NOTE(review): the only inputs are GetTickCount and constants that are
; embedded in the checked program; no key material or user identity takes
; part, which is why the scheme can be mirrored from the client binary alone.
; ----------------------------------------------------------------------
GetRegKey proc hDlg:DWORD
local szReg[64]:BYTE,szTmp[32]:BYTE
pushad
invoke RtlZeroMemory,addr szReg,sizeof szReg
invoke RtlZeroMemory,addr szTmp,sizeof szTmp
invoke GetTickCount ; eax = tick count, used as the starting index
lea esi,szData
lea edi,szReg
mov ecx,32h ; 50 filler characters
; Fill loop: szReg[n] = szData[eax & 1Fh], then step eax by 3.
@@:
and eax,1fh ; index 0..31, so the last four entries of szData are never picked
mov dl,BYTE ptr [esi+eax]
mov BYTE ptr [edi],dl
add eax,3
inc edi
dec ecx
jnz @b
lea edi,szReg ; edi back to the start of the buffer
mov BYTE ptr [edi+1],2dh ; character 2 = '-' (must be in place before the digits below)
xor ebx,ebx
; Tail digits: szReg[2Ch+i] = szReg[i] mod 10 + '0' for i = 0..5.
@@:
movsx eax,BYTE ptr [edi+ebx]
mov ecx,0ah
cdq
idiv ecx
add edx,30h
mov BYTE ptr [edi+2ch+ebx],dl
inc ebx
cmp ebx,6
jl @b
mov BYTE ptr [edi+28h],42h ; characters 41..44 = 'B','S','M','1'
mov BYTE ptr [edi+29h],53h
mov BYTE ptr [edi+2ah],4dh
mov BYTE ptr [edi+2bh],31h
mov BYTE ptr [edi+1],23h ; character 2 = '#' while the derived fields are computed
mov BYTE ptr [edi+0ah],59h ; character 11 = 'Y'
mov BYTE ptr [edi+17h],37h ; character 24 = '7', inside the '0'..'9' range tested at 0042C69F
lea esi,szStr
mov ebx,2
; Characters 12..19: ((szStr[i] + szReg[i-1]) xor szReg[i] xor szStr[i]) mod 26 + 'A', i = 2..9.
@@:
movsx edx,BYTE ptr [esi+ebx]
movsx eax,BYTE ptr [edi+ebx-1]
add edx,eax
movsx eax,BYTE ptr [edi+ebx]
xor edx,eax
movsx eax,BYTE ptr [esi+ebx]
xor edx,eax
mov eax,edx
mov ecx,1ah
cdq
idiv ecx
add edx,41h
mov BYTE ptr [edi+9+ebx],dl
inc ebx
cmp ebx,0ah
jl @b
lea esi,szTmp ; esi now addresses the derived string
xor ebx,ebx
; Derived string: szTmp[i] = ((szReg[i+2] shl (szReg[i+1] mod 6)) or szReg[i+3]) mod 26 + 'a', i = 0..15.
@@:
movsx eax,BYTE ptr [edi+1+ebx]
mov ecx,6
cdq
idiv ecx
mov ecx,edx ; cl = shift count
movsx edx,BYTE ptr [edi+2+ebx]
shl edx,cl
movsx ecx,BYTE ptr [edi+3+ebx]
or edx,ecx
mov eax,edx
mov ecx,1ah
cdq
idiv ecx
add dl,61h
mov BYTE ptr [esi+ebx],dl
inc ebx
cmp ebx,10h
jl @b
mov BYTE ptr [esi+ebx],5ah ; ebx = 16 here: append 'Z'
mov BYTE ptr [esi+ebx+1],59h ; and 'Y'
xor ebx,ebx
; Characters 25..40: ((szTmp[i] shl 4) xor (szTmp[i+1] sar 1)) mod 26 + 'A', i = 0..15.
@@:
movsx eax,BYTE ptr [esi+ebx]
shl eax,4
movsx ecx,BYTE ptr [esi+1+ebx]
sar ecx,1
xor eax,ecx
mov ecx,1ah
cdq
idiv ecx
add edx,41h
mov BYTE ptr [edi+18h+ebx],dl
inc ebx
cmp ebx,10h
jl @b
mov BYTE ptr [edi+1],2dh ; put '-' back at character 2 for the final string
invoke SetDlgItemText,hDlg,IDC_REG,addr szReg
popad
ret
GetRegKey endp
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!