-
-
[原创]菜鸟maomaoma的算法练习破文六
-
2006-12-20 20:46 3449
-
【破文标题】菜鸟maomaoma的算法练习破文六
【破文作者】maomaoma
【作者邮箱】
【作者主页】无
【破解工具】OD、PEiD、DeDe
【破解平台】winxp
【软件名称】国产某局域网软件
【软件大小】788K
【原版下载】
【保护方式】无
【软件简介】局域网即时通讯协同办公
【破解声明】我是菜鸟,学写破文,还请大侠多多指教:)
------------------------------------------------------------------------
------------------------------------------------------------------------
【破解过程】
1、PEiD扫描该软件,为Borland Delphi 6.0 - 7.0编译
2、DeDe反编译,得注册过程起始地址00429420
3、OD载入,Ctrl+G,跟随至00429420,F2下断点,F9运行,OD断下
00429420 /. 55 push ebp ; OD断在此处
00429421 |. 8BEC mov ebp, esp
00429423 |. B9 0A000000 mov ecx, 0A
00429428 |> 6A 00 /push 0
0042942A |. 6A 00 |push 0
0042942C |. 49 |dec ecx
0042942D |.^ 75 F9 \jnz short 00429428
0042942F |. 53 push ebx
00429430 |. 56 push esi
00429431 |. 8BD8 mov ebx, eax
00429433 |. 8B35 40D44400 mov esi, [44D440] ;
00429439 |. 33C0 xor eax, eax
0042943B |. 55 push ebp
0042943C |. 68 22974200 push 00429722
00429441 |. 64:FF30 push dword ptr fs:[eax]
00429444 |. 64:8920 mov fs:[eax], esp
00429447 |. 8D55 E8 lea edx, [ebp-18]
0042944A |. 8B83 08030000 mov eax, [ebx+308]
00429450 |. E8 9391FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取用户名
00429455 |. 8B45 E8 mov eax, [ebp-18]
00429458 |. 8D55 EC lea edx, [ebp-14]
0042945B |. E8 4483FDFF call <jmp.&rtl70.Sysutils::Trim>
00429460 |. 837D EC 00 cmp dword ptr [ebp-14], 0
00429464 |. 75 28 jnz short 0042948E
00429466 |. 8D55 E4 lea edx, [ebp-1C]
00429469 |. A1 E4D44400 mov eax, [44D4E4]
0042946E |. E8 0D7FFDFF call <jmp.&rtl70.System::LoadResString>
00429473 |. 8B45 E4 mov eax, [ebp-1C]
00429476 |. E8 E1AAFDFF call 00403F5C
0042947B |. 8B83 08030000 mov eax, [ebx+308]
00429481 |. 8B10 mov edx, [eax]
00429483 |. FF92 C4000000 call [edx+C4]
00429489 |. E9 FF010000 jmp 0042968D
0042948E |> 8D55 E0 lea edx, [ebp-20]
00429491 |. 8B83 0C030000 mov eax, [ebx+30C]
00429497 |. E8 4C91FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取注册码第一部分,记着A1
0042949C |. 8B45 E0 mov eax, [ebp-20]
0042949F |. 8D55 F8 lea edx, [ebp-8]
004294A2 |. E8 FD82FDFF call <jmp.&rtl70.Sysutils::Trim>
004294A7 |. 837D F8 00 cmp dword ptr [ebp-8], 0
004294AB |. 74 0D je short 004294BA
004294AD |. 8B45 F8 mov eax, [ebp-8]
004294B0 |. E8 537DFDFF call <jmp.&rtl70.System::LStrLen>
004294B5 |. 83F8 06 cmp eax, 6 ; 是否为6位
004294B8 |. 74 28 je short 004294E2
004294BA |> 8D55 DC lea edx, [ebp-24]
004294BD |. A1 60D44400 mov eax, [44D460]
004294C2 |. E8 B97EFDFF call <jmp.&rtl70.System::LoadResString>
004294C7 |. 8B45 DC mov eax, [ebp-24]
004294CA |. E8 8DAAFDFF call 00403F5C
004294CF |. 8B83 0C030000 mov eax, [ebx+30C]
004294D5 |. 8B10 mov edx, [eax]
004294D7 |. FF92 C4000000 call [edx+C4]
004294DD |. E9 AB010000 jmp 0042968D
004294E2 |> 8D45 F4 lea eax, [ebp-C]
004294E5 |. 8B55 F8 mov edx, [ebp-8]
004294E8 |. E8 DB7CFDFF call <jmp.&rtl70.System::LStrLAsg>
004294ED |. 8D55 D8 lea edx, [ebp-28]
004294F0 |. 8B83 14030000 mov eax, [ebx+314]
004294F6 |. E8 ED90FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取注册码第二部分,记着B1
004294FB |. 8B45 D8 mov eax, [ebp-28]
004294FE |. 8D55 F8 lea edx, [ebp-8]
00429501 |. E8 9E82FDFF call <jmp.&rtl70.Sysutils::Trim>
00429506 |. 837D F8 00 cmp dword ptr [ebp-8], 0
0042950A |. 74 0D je short 00429519
0042950C |. 8B45 F8 mov eax, [ebp-8]
0042950F |. E8 F47CFDFF call <jmp.&rtl70.System::LStrLen>
00429514 |. 83F8 06 cmp eax, 6 ; 是否为6位
00429517 |. 74 28 je short 00429541
00429519 |> 8D55 D4 lea edx, [ebp-2C]
0042951C |. A1 60D44400 mov eax, [44D460]
00429521 |. E8 5A7EFDFF call <jmp.&rtl70.System::LoadResString>
00429526 |. 8B45 D4 mov eax, [ebp-2C]
00429529 |. E8 2EAAFDFF call 00403F5C
0042952E |. 8B83 14030000 mov eax, [ebx+314]
00429534 |. 8B10 mov edx, [eax]
00429536 |. FF92 C4000000 call [edx+C4]
0042953C |. E9 4C010000 jmp 0042968D
00429541 |> 8D45 F4 lea eax, [ebp-C]
00429544 |. 8B55 F8 mov edx, [ebp-8]
00429547 |. E8 C47CFDFF call <jmp.&rtl70.System::LStrCat> ; A1,B1相连
0042954C |. 8D55 D0 lea edx, [ebp-30]
0042954F |. 8B83 1C030000 mov eax, [ebx+31C]
00429555 |. E8 8E90FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取注册码第三部分,C
0042955A |. 8B45 D0 mov eax, [ebp-30]
0042955D |. 8D55 F8 lea edx, [ebp-8]
00429560 |. E8 3F82FDFF call <jmp.&rtl70.Sysutils::Trim>
00429565 |. 837D F8 00 cmp dword ptr [ebp-8], 0
00429569 |. 75 28 jnz short 00429593
0042956B |. 8D55 CC lea edx, [ebp-34]
0042956E |. A1 60D44400 mov eax, [44D460]
00429573 |. E8 087EFDFF call <jmp.&rtl70.System::LoadResString>
00429578 |. 8B45 CC mov eax, [ebp-34]
0042957B |. E8 DCA9FDFF call 00403F5C
00429580 |. 8B83 1C030000 mov eax, [ebx+31C]
00429586 |. 8B10 mov edx, [eax]
00429588 |. FF92 C4000000 call [edx+C4]
0042958E |. E9 FA000000 jmp 0042968D
00429593 |> 8D45 F4 lea eax, [ebp-C]
00429596 |. 8B55 F8 mov edx, [ebp-8]
00429599 |. E8 727CFDFF call <jmp.&rtl70.System::LStrCat> ; A1,B1,C相连
0042959E |. 8D45 F3 lea eax, [ebp-D]
004295A1 |. 50 push eax
004295A2 |. 8D55 C4 lea edx, [ebp-3C]
004295A5 |. 8B83 08030000 mov eax, [ebx+308]
004295AB |. E8 3890FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取用户名
004295B0 |. 8B45 C4 mov eax, [ebp-3C]
004295B3 |. 8D55 C8 lea edx, [ebp-38]
004295B6 |. E8 E981FDFF call <jmp.&rtl70.Sysutils::Trim>
004295BB |. 8B45 C8 mov eax, [ebp-38]
004295BE |. 8D4D FC lea ecx, [ebp-4]
004295C1 |. 8B55 F4 mov edx, [ebp-C]
004295C4 |. E8 5B27FEFF call 0040BD24 ; 关键call(1),跟进
004295C9 |. 84C0 test al, al
004295CB |. 75 28 jnz short 004295F5 ; 不等则跳
004295CD |. 8D55 C0 lea edx, [ebp-40]
004295D0 |. A1 F4D34400 mov eax, [44D3F4]
004295D5 |. E8 A67DFDFF call <jmp.&rtl70.System::LoadResString>
004295DA |. 8B45 C0 mov eax, [ebp-40]
004295DD |. E8 2AA9FDFF call 00403F0C
004295E2 |. 8B83 0C030000 mov eax, [ebx+30C]
004295E8 |. 8B10 mov edx, [eax]
004295EA |. FF92 C4000000 call [edx+C4]
004295F0 |. E9 98000000 jmp 0042968D
004295F5 |> 8D55 B8 lea edx, [ebp-48]
004295F8 |. 8B83 08030000 mov eax, [ebx+308]
004295FE |. E8 E58FFDFF call <jmp.&vcl70.Controls::TControl::GetTe>
00429603 |. 8B45 B8 mov eax, [ebp-48]
00429606 |. 8D55 BC lea edx, [ebp-44]
00429609 |. E8 9681FDFF call <jmp.&rtl70.Sysutils::Trim>
0042960E |. 8B55 BC mov edx, [ebp-44]
00429611 |. 8B06 mov eax, [esi]
00429613 |. 8B4D F4 mov ecx, [ebp-C]
00429616 |. E8 A55D0100 call 0043F3C0
0042961B |. 8B06 mov eax, [esi]
0042961D |. C640 60 01 mov byte ptr [eax+60], 1
00429621 |. 8D55 B0 lea edx, [ebp-50]
00429624 |. 8B83 08030000 mov eax, [ebx+308]
0042962A |. E8 B98FFDFF call <jmp.&vcl70.Controls::TControl::GetTe>
0042962F |. 8B45 B0 mov eax, [ebp-50]
00429632 |. 8D55 B4 lea edx, [ebp-4C]
00429635 |. E8 6A81FDFF call <jmp.&rtl70.Sysutils::Trim>
0042963A |. 8B55 B4 mov edx, [ebp-4C]
0042963D |. 8B06 mov eax, [esi]
0042963F |. 83C0 68 add eax, 68
00429642 |. E8 797BFDFF call <jmp.&rtl70.System::LStrAsg>
00429647 |. 8B06 mov eax, [esi]
00429649 |. 83C0 6C add eax, 6C
0042964C |. 8B55 F4 mov edx, [ebp-C]
0042964F |. E8 6C7BFDFF call <jmp.&rtl70.System::LStrAsg>
00429654 |. 8B06 mov eax, [esi]
00429656 |. 8B55 FC mov edx, [ebp-4]
00429659 |. 8950 70 mov [eax+70], edx
0042965C |. 8B06 mov eax, [esi]
0042965E |. 8A55 F3 mov dl, [ebp-D]
00429661 |. 8850 61 mov [eax+61], dl
00429664 |. 8B06 mov eax, [esi]
00429666 |. E8 CD5D0100 call 0043F438
0042966B |. A1 BCD44400 mov eax, [44D4BC]
00429670 |. 8B00 mov eax, [eax]
00429672 |. E8 A15F0100 call 0043F618
00429677 |. A1 D8D54400 mov eax, [44D5D8]
0042967C |. 8B00 mov eax, [eax]
0042967E |. E8 793DFEFF call 0040D3FC
00429683 |. C783 4C020000>mov dword ptr [ebx+24C], 1
0042968D |> 33C0 xor eax, eax
0042968F |. 5A pop edx
00429690 |. 59 pop ecx
00429691 |. 59 pop ecx
00429692 |. 64:8910 mov fs:[eax], edx
00429695 |. 68 2C974200 push 0042972C
0042969A |> 8D45 B0 lea eax, [ebp-50]
0042969D |. E8 0E7BFDFF call <jmp.&rtl70.System::LStrClr>
004296A2 |. 8D45 B4 lea eax, [ebp-4C]
004296A5 |. E8 067BFDFF call <jmp.&rtl70.System::LStrClr>
004296AA |. 8D45 B8 lea eax, [ebp-48]
004296AD |. E8 FE7AFDFF call <jmp.&rtl70.System::LStrClr>
004296B2 |. 8D45 BC lea eax, [ebp-44]
004296B5 |. BA 02000000 mov edx, 2
004296BA |. E8 F97AFDFF call <jmp.&rtl70.System::LStrArrayClr>
004296BF |. 8D45 C4 lea eax, [ebp-3C]
004296C2 |. E8 E97AFDFF call <jmp.&rtl70.System::LStrClr>
004296C7 |. 8D45 C8 lea eax, [ebp-38]
004296CA |. BA 02000000 mov edx, 2
004296CF |. E8 E47AFDFF call <jmp.&rtl70.System::LStrArrayClr>
004296D4 |. 8D45 D0 lea eax, [ebp-30]
004296D7 |. E8 D47AFDFF call <jmp.&rtl70.System::LStrClr>
004296DC |. 8D45 D4 lea eax, [ebp-2C]
004296DF |. E8 CC7AFDFF call <jmp.&rtl70.System::LStrClr>
004296E4 |. 8D45 D8 lea eax, [ebp-28]
004296E7 |. E8 C47AFDFF call <jmp.&rtl70.System::LStrClr>
004296EC |. 8D45 DC lea eax, [ebp-24]
004296EF |. E8 BC7AFDFF call <jmp.&rtl70.System::LStrClr>
004296F4 |. 8D45 E0 lea eax, [ebp-20]
004296F7 |. E8 B47AFDFF call <jmp.&rtl70.System::LStrClr>
004296FC |. 8D45 E4 lea eax, [ebp-1C]
004296FF |. E8 AC7AFDFF call <jmp.&rtl70.System::LStrClr>
00429704 |. 8D45 E8 lea eax, [ebp-18]
00429707 |. E8 A47AFDFF call <jmp.&rtl70.System::LStrClr>
0042970C |. 8D45 EC lea eax, [ebp-14]
0042970F |. E8 9C7AFDFF call <jmp.&rtl70.System::LStrClr>
00429714 |. 8D45 F4 lea eax, [ebp-C]
00429717 |. BA 02000000 mov edx, 2
0042971C |. E8 977AFDFF call <jmp.&rtl70.System::LStrArrayClr>
00429721 \. C3 retn
00429722 .^ E9 517AFDFF jmp <jmp.&rtl70.System::HandleFinally>
00429727 .^ E9 6EFFFFFF jmp 0042969A
0042972C . 5E pop esi
0042972D . 5B pop ebx
0042972E . 8BE5 mov esp, ebp
00429730 . 5D pop ebp
00429731 . C3 retn
(1)
0040BD24 /$ 55 push ebp
0040BD25 |. 8BEC mov ebp, esp
0040BD27 |. 83C4 D0 add esp, -30
0040BD2A |. 53 push ebx
0040BD2B |. 56 push esi
0040BD2C |. 57 push edi
0040BD2D |. 33DB xor ebx, ebx
0040BD2F |. 895D D0 mov [ebp-30], ebx
0040BD32 |. 895D D8 mov [ebp-28], ebx
0040BD35 |. 895D D4 mov [ebp-2C], ebx
0040BD38 |. 895D E0 mov [ebp-20], ebx
0040BD3B |. 895D DC mov [ebp-24], ebx
0040BD3E |. 8BF9 mov edi, ecx
0040BD40 |. 8BDA mov ebx, edx
0040BD42 |. 8BF0 mov esi, eax
0040BD44 |. 8D45 F0 lea eax, [ebp-10]
0040BD47 |. 8B15 FCBC4000 mov edx, [40BCFC] ;
0040BD4D |. E8 7E55FFFF call <jmp.&rtl70.System::InitializeRecord>
0040BD52 |. 8D45 E4 lea eax, [ebp-1C]
0040BD55 |. 8B15 FCBC4000 mov edx, [40BCFC] ;
0040BD5B |. E8 7055FFFF call <jmp.&rtl70.System::InitializeRecord>
0040BD60 |. 33C0 xor eax, eax
0040BD62 |. 55 push ebp
0040BD63 |. 68 AFBE4000 push 0040BEAF
0040BD68 |. 64:FF30 push dword ptr fs:[eax]
0040BD6B |. 64:8920 mov fs:[eax], esp
0040BD6E |. 33C0 xor eax, eax
0040BD70 |. 8907 mov [edi], eax
0040BD72 |. C645 FF 00 mov byte ptr [ebp-1], 0
0040BD76 |. 85F6 test esi, esi
0040BD78 |. 0F84 03010000 je 0040BE81
0040BD7E |. 85DB test ebx, ebx
0040BD80 |. 0F84 FB000000 je 0040BE81
0040BD86 |. 8D4D DC lea ecx, [ebp-24]
0040BD89 |. BA 06000000 mov edx, 6
0040BD8E |. 8BC3 mov eax, ebx
0040BD90 |. E8 F363FFFF call <jmp.&rtl70.Strutils::LeftStr> ; 取A1
0040BD95 |. 8B45 DC mov eax, [ebp-24]
0040BD98 |. 8D55 E0 lea edx, [ebp-20]
0040BD9B |. E8 EC59FFFF call <jmp.&rtl70.Sysutils::UpperCase> ;
0040BDA0 |. 8B55 E0 mov edx, [ebp-20]
0040BDA3 |. 8D45 F0 lea eax, [ebp-10]
0040BDA6 |. E8 1D54FFFF call <jmp.&rtl70.System::LStrLAsg>
0040BDAB |. 8D45 D4 lea eax, [ebp-2C]
0040BDAE |. 50 push eax
0040BDAF |. B9 06000000 mov ecx, 6
0040BDB4 |. BA 07000000 mov edx, 7
0040BDB9 |. 8BC3 mov eax, ebx
0040BDBB |. E8 D863FFFF call <jmp.&rtl70.Strutils::MidStr> ; 取B1
0040BDC0 |. 8B45 D4 mov eax, [ebp-2C]
0040BDC3 |. 8D55 D8 lea edx, [ebp-28]
0040BDC6 |. E8 C159FFFF call <jmp.&rtl70.Sysutils::UpperCase> ;
0040BDCB |. 8B55 D8 mov edx, [ebp-28]
0040BDCE |. 8D45 F4 lea eax, [ebp-C]
0040BDD1 |. E8 F253FFFF call <jmp.&rtl70.System::LStrLAsg>
0040BDD6 |. 8D45 D0 lea eax, [ebp-30]
0040BDD9 |. 50 push eax
0040BDDA |. 8BC3 mov eax, ebx
0040BDDC |. E8 2754FFFF call <jmp.&rtl70.System::LStrLen>
0040BDE1 |. 8BC8 mov ecx, eax
0040BDE3 |. 83E9 0C sub ecx, 0C
0040BDE6 |. BA 0D000000 mov edx, 0D
0040BDEB |. 8BC3 mov eax, ebx
0040BDED |. E8 A663FFFF call <jmp.&rtl70.Strutils::MidStr> ; 取C
0040BDF2 |. 8B45 D0 mov eax, [ebp-30]
0040BDF5 |. E8 D259FFFF call <jmp.&rtl70.Sysutils::StrToInt>
0040BDFA |. 8945 F8 mov [ebp-8], eax
0040BDFD |. 8D45 E4 lea eax, [ebp-1C]
0040BE00 |. 50 push eax
0040BE01 |. 33C9 xor ecx, ecx
0040BE03 |. 8B55 F8 mov edx, [ebp-8]
0040BE06 |. 8BC6 mov eax, esi
0040BE08 |. E8 B7000000 call 0040BEC4 ; 算法call(2),跟进
0040BE0D |. 8B45 F0 mov eax, [ebp-10]
0040BE10 |. 8B55 E4 mov edx, [ebp-1C]
0040BE13 |. E8 1054FFFF call <jmp.&rtl70.System::LStrCmp> ; A1,A2比较不等则跳
0040BE18 |. 75 26 jnz short 0040BE40
0040BE1A |. 8B45 F4 mov eax, [ebp-C]
0040BE1D |. 8B55 E8 mov edx, [ebp-18]
0040BE20 |. E8 0354FFFF call <jmp.&rtl70.System::LStrCmp> ; B1,B2比较不等则跳
0040BE25 |. 75 19 jnz short 0040BE40
0040BE27 |. 8B45 F8 mov eax, [ebp-8]
0040BE2A |. 3B45 EC cmp eax, [ebp-14]
0040BE2D |. 75 11 jnz short 0040BE40
0040BE2F |. 8B45 F8 mov eax, [ebp-8]
0040BE32 |. 8907 mov [edi], eax
0040BE34 |. 8B45 08 mov eax, [ebp+8]
0040BE37 |. C600 00 mov byte ptr [eax], 0
0040BE3A |. C645 FF 01 mov byte ptr [ebp-1], 1
0040BE3E |. EB 41 jmp short 0040BE81
0040BE40 |> 8D45 E4 lea eax, [ebp-1C]
0040BE43 |. 50 push eax
0040BE44 |. B1 01 mov cl, 1
0040BE46 |. 8B55 F8 mov edx, [ebp-8]
0040BE49 |. 8BC6 mov eax, esi
0040BE4B |. E8 74000000 call 0040BEC4
0040BE50 |. 8B45 F0 mov eax, [ebp-10]
0040BE53 |. 8B55 E4 mov edx, [ebp-1C]
0040BE56 |. E8 CD53FFFF call <jmp.&rtl70.System::LStrCmp>
0040BE5B |. 75 24 jnz short 0040BE81
0040BE5D |. 8B45 F4 mov eax, [ebp-C]
0040BE60 |. 8B55 E8 mov edx, [ebp-18]
0040BE63 |. E8 C053FFFF call <jmp.&rtl70.System::LStrCmp>
0040BE68 |. 75 17 jnz short 0040BE81
0040BE6A |. 8B45 F8 mov eax, [ebp-8]
0040BE6D |. 3B45 EC cmp eax, [ebp-14]
0040BE70 |. 75 0F jnz short 0040BE81
0040BE72 |. 8B45 F8 mov eax, [ebp-8]
0040BE75 |. 8907 mov [edi], eax
0040BE77 |. 8B45 08 mov eax, [ebp+8]
0040BE7A |. C600 01 mov byte ptr [eax], 1
0040BE7D |. C645 FF 01 mov byte ptr [ebp-1], 1
0040BE81 |> 33C0 xor eax, eax
0040BE83 |. 5A pop edx
0040BE84 |. 59 pop ecx
0040BE85 |. 59 pop ecx
0040BE86 |. 64:8910 mov fs:[eax], edx
0040BE89 |. 68 B6BE4000 push 0040BEB6
0040BE8E |> 8D45 D0 lea eax, [ebp-30]
0040BE91 |. BA 05000000 mov edx, 5
0040BE96 |. E8 1D53FFFF call <jmp.&rtl70.System::LStrArrayClr>
0040BE9B |. 8D45 E4 lea eax, [ebp-1C]
0040BE9E |. 8B15 FCBC4000 mov edx, [40BCFC] ;
0040BEA4 |. B9 02000000 mov ecx, 2
0040BEA9 |. E8 3254FFFF call <jmp.&rtl70.System::FinalizeArray>
0040BEAE \. C3 retn
0040BEAF .^ E9 C452FFFF jmp <jmp.&rtl70.System::HandleFinally>
0040BEB4 .^ EB D8 jmp short 0040BE8E
0040BEB6 . 8A45 FF mov al, [ebp-1]
0040BEB9 . 5F pop edi
0040BEBA . 5E pop esi
0040BEBB . 5B pop ebx
0040BEBC . 8BE5 mov esp, ebp
0040BEBE . 5D pop ebp
0040BEBF . C2 0400 retn 4
(2)
0040BEC4 /$ 55 push ebp
0040BEC5 |. 8BEC mov ebp, esp
0040BEC7 |. 51 push ecx
0040BEC8 |. B9 06000000 mov ecx, 6
0040BECD |> 6A 00 /push 0
0040BECF |. 6A 00 |push 0
0040BED1 |. 49 |dec ecx
0040BED2 |.^ 75 F9 \jnz short 0040BECD
0040BED4 |. 874D FC xchg [ebp-4], ecx
0040BED7 |. 53 push ebx
0040BED8 |. 56 push esi
0040BED9 |. 57 push edi
0040BEDA |. 884D FF mov [ebp-1], cl
0040BEDD |. 8BF2 mov esi, edx
0040BEDF |. 8BF8 mov edi, eax
0040BEE1 |. 8B5D 08 mov ebx, [ebp+8]
0040BEE4 |. 33C0 xor eax, eax
0040BEE6 |. 55 push ebp
0040BEE7 |. 68 CFBF4000 push 0040BFCF
0040BEEC |. 64:FF30 push dword ptr fs:[eax]
0040BEEF |. 64:8920 mov fs:[eax], esp
0040BEF2 |. 8D55 F4 lea edx, [ebp-C]
0040BEF5 |. 8BC6 mov eax, esi
0040BEF7 |. E8 B858FFFF call <jmp.&rtl70.Sysutils::IntToStr>
0040BEFC |. 8B45 F4 mov eax, [ebp-C]
0040BEFF |. 50 push eax
0040BF00 |. 8D55 F0 lea edx, [ebp-10]
0040BF03 |. 8BC7 mov eax, edi
0040BF05 |. E8 8258FFFF call <jmp.&rtl70.Sysutils::UpperCase>
0040BF0A |. 8B55 F0 mov edx, [ebp-10]
0040BF0D |. 8D45 F8 lea eax, [ebp-8]
0040BF10 |. 59 pop ecx
0040BF11 |. E8 0253FFFF call <jmp.&rtl70.System::LStrCat3>
0040BF16 |. 807D FF 00 cmp byte ptr [ebp-1], 0
0040BF1A |. 74 0F je short 0040BF2B
0040BF1C |. 8D45 F8 lea eax, [ebp-8]
0040BF1F |. BA E8BF4000 mov edx, 0040BFE8 ; mypersonallicense
0040BF24 |. E8 E752FFFF call <jmp.&rtl70.System::LStrCat>
0040BF29 |. EB 0D jmp short 0040BF38
0040BF2B |> 8D45 F8 lea eax, [ebp-8]
0040BF2E |. BA 04C04000 mov edx, 0040C004 ; myfirstlicense
0040BF33 |. E8 D852FFFF call <jmp.&rtl70.System::LStrCat> ; 用户名,注册码C,固定字串"myfirstlicense",三者相连
0040BF38 |> 8D55 DC lea edx, [ebp-24]
0040BF3B |. 8B45 F8 mov eax, [ebp-8]
0040BF3E |. E8 CD7CFFFF call 00403C10
0040BF43 |. 8D45 DC lea eax, [ebp-24]
0040BF46 |. 8D55 EC lea edx, [ebp-14]
0040BF49 |. E8 367DFFFF call 00403C84 ; MD5计算(3),结果记着D
0040BF4E |. 8B55 EC mov edx, [ebp-14]
0040BF51 |. 8D45 F8 lea eax, [ebp-8]
0040BF54 |. E8 6F52FFFF call <jmp.&rtl70.System::LStrLAsg>
0040BF59 |. 8D4D D4 lea ecx, [ebp-2C]
0040BF5C |. BA 06000000 mov edx, 6
0040BF61 |. 8B45 F8 mov eax, [ebp-8]
0040BF64 |. E8 1F62FFFF call <jmp.&rtl70.Strutils::LeftStr> ; 取D的前六位
0040BF69 |. 8B45 D4 mov eax, [ebp-2C]
0040BF6C |. 8D55 D8 lea edx, [ebp-28]
0040BF6F |. E8 1858FFFF call <jmp.&rtl70.Sysutils::UpperCase> ; D的前六位转为大写,记着A2
0040BF74 |. 8B55 D8 mov edx, [ebp-28]
0040BF77 |. 8BC3 mov eax, ebx
0040BF79 |. E8 4252FFFF call <jmp.&rtl70.System::LStrAsg>
0040BF7E |. 8D4D CC lea ecx, [ebp-34]
0040BF81 |. BA 06000000 mov edx, 6
0040BF86 |. 8B45 F8 mov eax, [ebp-8]
0040BF89 |. E8 0262FFFF call <jmp.&rtl70.Strutils::RightStr> ; 取D的后六位
0040BF8E |. 8B45 CC mov eax, [ebp-34]
0040BF91 |. 8D55 D0 lea edx, [ebp-30]
0040BF94 |. E8 F357FFFF call <jmp.&rtl70.Sysutils::UpperCase> ; D的后六位转为大写,记着B2
0040BF99 |. 8B55 D0 mov edx, [ebp-30]
0040BF9C |. 8D43 04 lea eax, [ebx+4]
0040BF9F |. E8 1C52FFFF call <jmp.&rtl70.System::LStrAsg>
0040BFA4 |. 8973 08 mov [ebx+8], esi
0040BFA7 |. 33C0 xor eax, eax
0040BFA9 |. 5A pop edx
0040BFAA |. 59 pop ecx
0040BFAB |. 59 pop ecx
0040BFAC |. 64:8910 mov fs:[eax], edx
0040BFAF |. 68 D6BF4000 push 0040BFD6
0040BFB4 |> 8D45 CC lea eax, [ebp-34]
0040BFB7 |. BA 04000000 mov edx, 4
0040BFBC |. E8 F751FFFF call <jmp.&rtl70.System::LStrArrayClr>
0040BFC1 |. 8D45 EC lea eax, [ebp-14]
0040BFC4 |. BA 04000000 mov edx, 4
0040BFC9 |. E8 EA51FFFF call <jmp.&rtl70.System::LStrArrayClr>
0040BFCE \. C3 retn
0040BFCF .^ E9 A451FFFF jmp <jmp.&rtl70.System::HandleFinally>
0040BFD4 .^ EB DE jmp short 0040BFB4
0040BFD6 . 5F pop edi
0040BFD7 . 5E pop esi
0040BFD8 . 5B pop ebx
0040BFD9 . 8BE5 mov esp, ebp
0040BFDB . 5D pop ebp
0040BFDC . C2 0400 retn 4
(3)MD5计算
00403C84 /$ 55 push ebp
00403C85 |. 8BEC mov ebp, esp
00403C87 |. 83C4 E8 add esp, -18
00403C8A |. 53 push ebx
00403C8B |. 56 push esi
00403C8C |. 57 push edi
00403C8D |. 33C9 xor ecx, ecx
00403C8F |. 894D EC mov [ebp-14], ecx
00403C92 |. 894D E8 mov [ebp-18], ecx
00403C95 |. 8BF0 mov esi, eax
00403C97 |. 8D7D F0 lea edi, [ebp-10]
00403C9A |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9B |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9C |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9D |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9E |. 8BFA mov edi, edx
00403CA0 |. 33C0 xor eax, eax
00403CA2 |. 55 push ebp
00403CA3 |. 68 1F3D4000 push 00403D1F
00403CA8 |. 64:FF30 push dword ptr fs:[eax]
00403CAB |. 64:8920 mov fs:[eax], esp
00403CAE |. 8BC7 mov eax, edi
00403CB0 |. E8 FBD4FFFF call <jmp.&rtl70.System::LStrClr>
00403CB5 |. B3 10 mov bl, 10
00403CB7 |. 8D75 F0 lea esi, [ebp-10]
00403CBA |> FF37 /push dword ptr [edi]
00403CBC |. 8D45 EC |lea eax, [ebp-14]
00403CBF |. 33D2 |xor edx, edx
00403CC1 |. 8A16 |mov dl, [esi]
00403CC3 |. C1EA 04 |shr edx, 4
00403CC6 |. 83E2 0F |and edx, 0F
00403CC9 |. 8A92 6CD04400 |mov dl, [edx+44D06C]
00403CCF |. E8 04D5FFFF |call <jmp.&rtl70.System::LStrFromChar>
00403CD4 |. FF75 EC |push dword ptr [ebp-14]
00403CD7 |. 8D45 E8 |lea eax, [ebp-18]
00403CDA |. 8A16 |mov dl, [esi]
00403CDC |. 80E2 0F |and dl, 0F
00403CDF |. 81E2 FF000000 |and edx, 0FF
00403CE5 |. 8A92 6CD04400 |mov dl, [edx+44D06C]
00403CEB |. E8 E8D4FFFF |call <jmp.&rtl70.System::LStrFromChar>
00403CF0 |. FF75 E8 |push dword ptr [ebp-18]
00403CF3 |. 8BC7 |mov eax, edi
00403CF5 |. BA 03000000 |mov edx, 3
00403CFA |. E8 21D5FFFF |call <jmp.&rtl70.System::LStrCatN>
00403CFF |. 46 |inc esi
00403D00 |. FECB |dec bl
00403D02 |.^ 75 B6 \jnz short 00403CBA
00403D04 |. 33C0 xor eax, eax
00403D06 |. 5A pop edx
00403D07 |. 59 pop ecx
00403D08 |. 59 pop ecx
00403D09 |. 64:8910 mov fs:[eax], edx
00403D0C |. 68 263D4000 push 00403D26
00403D11 |> 8D45 E8 lea eax, [ebp-18]
00403D14 |. BA 02000000 mov edx, 2
00403D19 |. E8 9AD4FFFF call <jmp.&rtl70.System::LStrArrayClr>
00403D1E \. C3 retn
00403D1F .^ E9 54D4FFFF jmp <jmp.&rtl70.System::HandleFinally>
00403D24 .^ EB EB jmp short 00403D11
00403D26 . 5F pop edi
00403D27 . 5E pop esi
00403D28 . 5B pop ebx
00403D29 . 8BE5 mov esp, ebp
00403D2B . 5D pop ebp
00403D2C . C3 retn
------------------------------------------------------------------------
------------------------------------------------------------------------
【破解总结】
1、注册码分三部分;
2、用户名,注册码第三部分,固定字串“myfirstlicense”三部分组合,再作MD5运算;
3、取MD5运算结果的前六位、后六位转为大写后分别作注册码的第一、第二部分;
4、注册信息保存于注册表。
提供一组可用注册信息:
用户名:maomaoma
注册码:E45D1F-64B4FF-787
------------------------------------------------------------------------
【版权声明】本文系作者原创, 转载请注明作者并保持文章的完整, 谢谢!
【破文作者】maomaoma
【作者邮箱】
【作者主页】无
【破解工具】OD、PEiD、DeDe
【破解平台】winxp
【软件名称】国产某局域网软件
【软件大小】788K
【原版下载】
【保护方式】无
【软件简介】局域网即时通讯协同办公
【破解声明】我是菜鸟,学写破文,还请大侠多多指教:)
------------------------------------------------------------------------
------------------------------------------------------------------------
【破解过程】
1、PEiD扫描该软件,为Borland Delphi 6.0 - 7.0编译
2、DeDe反编译,得注册过程起始地址00429420
3、OD载入,Ctrl+G,跟随至00429420,F2下断点,F9运行,OD断下
00429420 /. 55 push ebp ; OD断在此处
00429421 |. 8BEC mov ebp, esp
00429423 |. B9 0A000000 mov ecx, 0A
00429428 |> 6A 00 /push 0
0042942A |. 6A 00 |push 0
0042942C |. 49 |dec ecx
0042942D |.^ 75 F9 \jnz short 00429428
0042942F |. 53 push ebx
00429430 |. 56 push esi
00429431 |. 8BD8 mov ebx, eax
00429433 |. 8B35 40D44400 mov esi, [44D440] ;
00429439 |. 33C0 xor eax, eax
0042943B |. 55 push ebp
0042943C |. 68 22974200 push 00429722
00429441 |. 64:FF30 push dword ptr fs:[eax]
00429444 |. 64:8920 mov fs:[eax], esp
00429447 |. 8D55 E8 lea edx, [ebp-18]
0042944A |. 8B83 08030000 mov eax, [ebx+308]
00429450 |. E8 9391FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取用户名
00429455 |. 8B45 E8 mov eax, [ebp-18]
00429458 |. 8D55 EC lea edx, [ebp-14]
0042945B |. E8 4483FDFF call <jmp.&rtl70.Sysutils::Trim>
00429460 |. 837D EC 00 cmp dword ptr [ebp-14], 0
00429464 |. 75 28 jnz short 0042948E
00429466 |. 8D55 E4 lea edx, [ebp-1C]
00429469 |. A1 E4D44400 mov eax, [44D4E4]
0042946E |. E8 0D7FFDFF call <jmp.&rtl70.System::LoadResString>
00429473 |. 8B45 E4 mov eax, [ebp-1C]
00429476 |. E8 E1AAFDFF call 00403F5C
0042947B |. 8B83 08030000 mov eax, [ebx+308]
00429481 |. 8B10 mov edx, [eax]
00429483 |. FF92 C4000000 call [edx+C4]
00429489 |. E9 FF010000 jmp 0042968D
0042948E |> 8D55 E0 lea edx, [ebp-20]
00429491 |. 8B83 0C030000 mov eax, [ebx+30C]
00429497 |. E8 4C91FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取注册码第一部分,记着A1
0042949C |. 8B45 E0 mov eax, [ebp-20]
0042949F |. 8D55 F8 lea edx, [ebp-8]
004294A2 |. E8 FD82FDFF call <jmp.&rtl70.Sysutils::Trim>
004294A7 |. 837D F8 00 cmp dword ptr [ebp-8], 0
004294AB |. 74 0D je short 004294BA
004294AD |. 8B45 F8 mov eax, [ebp-8]
004294B0 |. E8 537DFDFF call <jmp.&rtl70.System::LStrLen>
004294B5 |. 83F8 06 cmp eax, 6 ; 是否为6位
004294B8 |. 74 28 je short 004294E2
004294BA |> 8D55 DC lea edx, [ebp-24]
004294BD |. A1 60D44400 mov eax, [44D460]
004294C2 |. E8 B97EFDFF call <jmp.&rtl70.System::LoadResString>
004294C7 |. 8B45 DC mov eax, [ebp-24]
004294CA |. E8 8DAAFDFF call 00403F5C
004294CF |. 8B83 0C030000 mov eax, [ebx+30C]
004294D5 |. 8B10 mov edx, [eax]
004294D7 |. FF92 C4000000 call [edx+C4]
004294DD |. E9 AB010000 jmp 0042968D
004294E2 |> 8D45 F4 lea eax, [ebp-C]
004294E5 |. 8B55 F8 mov edx, [ebp-8]
004294E8 |. E8 DB7CFDFF call <jmp.&rtl70.System::LStrLAsg>
004294ED |. 8D55 D8 lea edx, [ebp-28]
004294F0 |. 8B83 14030000 mov eax, [ebx+314]
004294F6 |. E8 ED90FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取注册码第二部分,记着B1
004294FB |. 8B45 D8 mov eax, [ebp-28]
004294FE |. 8D55 F8 lea edx, [ebp-8]
00429501 |. E8 9E82FDFF call <jmp.&rtl70.Sysutils::Trim>
00429506 |. 837D F8 00 cmp dword ptr [ebp-8], 0
0042950A |. 74 0D je short 00429519
0042950C |. 8B45 F8 mov eax, [ebp-8]
0042950F |. E8 F47CFDFF call <jmp.&rtl70.System::LStrLen>
00429514 |. 83F8 06 cmp eax, 6 ; 是否为6位
00429517 |. 74 28 je short 00429541
00429519 |> 8D55 D4 lea edx, [ebp-2C]
0042951C |. A1 60D44400 mov eax, [44D460]
00429521 |. E8 5A7EFDFF call <jmp.&rtl70.System::LoadResString>
00429526 |. 8B45 D4 mov eax, [ebp-2C]
00429529 |. E8 2EAAFDFF call 00403F5C
0042952E |. 8B83 14030000 mov eax, [ebx+314]
00429534 |. 8B10 mov edx, [eax]
00429536 |. FF92 C4000000 call [edx+C4]
0042953C |. E9 4C010000 jmp 0042968D
00429541 |> 8D45 F4 lea eax, [ebp-C]
00429544 |. 8B55 F8 mov edx, [ebp-8]
00429547 |. E8 C47CFDFF call <jmp.&rtl70.System::LStrCat> ; A1,B1相连
0042954C |. 8D55 D0 lea edx, [ebp-30]
0042954F |. 8B83 1C030000 mov eax, [ebx+31C]
00429555 |. E8 8E90FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取注册码第三部分,C
0042955A |. 8B45 D0 mov eax, [ebp-30]
0042955D |. 8D55 F8 lea edx, [ebp-8]
00429560 |. E8 3F82FDFF call <jmp.&rtl70.Sysutils::Trim>
00429565 |. 837D F8 00 cmp dword ptr [ebp-8], 0
00429569 |. 75 28 jnz short 00429593
0042956B |. 8D55 CC lea edx, [ebp-34]
0042956E |. A1 60D44400 mov eax, [44D460]
00429573 |. E8 087EFDFF call <jmp.&rtl70.System::LoadResString>
00429578 |. 8B45 CC mov eax, [ebp-34]
0042957B |. E8 DCA9FDFF call 00403F5C
00429580 |. 8B83 1C030000 mov eax, [ebx+31C]
00429586 |. 8B10 mov edx, [eax]
00429588 |. FF92 C4000000 call [edx+C4]
0042958E |. E9 FA000000 jmp 0042968D
00429593 |> 8D45 F4 lea eax, [ebp-C]
00429596 |. 8B55 F8 mov edx, [ebp-8]
00429599 |. E8 727CFDFF call <jmp.&rtl70.System::LStrCat> ; A1,B1,C相连
0042959E |. 8D45 F3 lea eax, [ebp-D]
004295A1 |. 50 push eax
004295A2 |. 8D55 C4 lea edx, [ebp-3C]
004295A5 |. 8B83 08030000 mov eax, [ebx+308]
004295AB |. E8 3890FDFF call <jmp.&vcl70.Controls::TControl::GetTe>; 取用户名
004295B0 |. 8B45 C4 mov eax, [ebp-3C]
004295B3 |. 8D55 C8 lea edx, [ebp-38]
004295B6 |. E8 E981FDFF call <jmp.&rtl70.Sysutils::Trim>
004295BB |. 8B45 C8 mov eax, [ebp-38]
004295BE |. 8D4D FC lea ecx, [ebp-4]
004295C1 |. 8B55 F4 mov edx, [ebp-C]
004295C4 |. E8 5B27FEFF call 0040BD24 ; 关键call(1),跟进
004295C9 |. 84C0 test al, al
004295CB |. 75 28 jnz short 004295F5 ; 不等则跳
004295CD |. 8D55 C0 lea edx, [ebp-40]
004295D0 |. A1 F4D34400 mov eax, [44D3F4]
004295D5 |. E8 A67DFDFF call <jmp.&rtl70.System::LoadResString>
004295DA |. 8B45 C0 mov eax, [ebp-40]
004295DD |. E8 2AA9FDFF call 00403F0C
004295E2 |. 8B83 0C030000 mov eax, [ebx+30C]
004295E8 |. 8B10 mov edx, [eax]
004295EA |. FF92 C4000000 call [edx+C4]
004295F0 |. E9 98000000 jmp 0042968D
004295F5 |> 8D55 B8 lea edx, [ebp-48]
004295F8 |. 8B83 08030000 mov eax, [ebx+308]
004295FE |. E8 E58FFDFF call <jmp.&vcl70.Controls::TControl::GetTe>
00429603 |. 8B45 B8 mov eax, [ebp-48]
00429606 |. 8D55 BC lea edx, [ebp-44]
00429609 |. E8 9681FDFF call <jmp.&rtl70.Sysutils::Trim>
0042960E |. 8B55 BC mov edx, [ebp-44]
00429611 |. 8B06 mov eax, [esi]
00429613 |. 8B4D F4 mov ecx, [ebp-C]
00429616 |. E8 A55D0100 call 0043F3C0
0042961B |. 8B06 mov eax, [esi]
0042961D |. C640 60 01 mov byte ptr [eax+60], 1
00429621 |. 8D55 B0 lea edx, [ebp-50]
00429624 |. 8B83 08030000 mov eax, [ebx+308]
0042962A |. E8 B98FFDFF call <jmp.&vcl70.Controls::TControl::GetTe>
0042962F |. 8B45 B0 mov eax, [ebp-50]
00429632 |. 8D55 B4 lea edx, [ebp-4C]
00429635 |. E8 6A81FDFF call <jmp.&rtl70.Sysutils::Trim>
0042963A |. 8B55 B4 mov edx, [ebp-4C]
0042963D |. 8B06 mov eax, [esi]
0042963F |. 83C0 68 add eax, 68
00429642 |. E8 797BFDFF call <jmp.&rtl70.System::LStrAsg>
00429647 |. 8B06 mov eax, [esi]
00429649 |. 83C0 6C add eax, 6C
0042964C |. 8B55 F4 mov edx, [ebp-C]
0042964F |. E8 6C7BFDFF call <jmp.&rtl70.System::LStrAsg>
00429654 |. 8B06 mov eax, [esi]
00429656 |. 8B55 FC mov edx, [ebp-4]
00429659 |. 8950 70 mov [eax+70], edx
0042965C |. 8B06 mov eax, [esi]
0042965E |. 8A55 F3 mov dl, [ebp-D]
00429661 |. 8850 61 mov [eax+61], dl
00429664 |. 8B06 mov eax, [esi]
00429666 |. E8 CD5D0100 call 0043F438
0042966B |. A1 BCD44400 mov eax, [44D4BC]
00429670 |. 8B00 mov eax, [eax]
00429672 |. E8 A15F0100 call 0043F618
00429677 |. A1 D8D54400 mov eax, [44D5D8]
0042967C |. 8B00 mov eax, [eax]
0042967E |. E8 793DFEFF call 0040D3FC
00429683 |. C783 4C020000>mov dword ptr [ebx+24C], 1
0042968D |> 33C0 xor eax, eax
0042968F |. 5A pop edx
00429690 |. 59 pop ecx
00429691 |. 59 pop ecx
00429692 |. 64:8910 mov fs:[eax], edx
00429695 |. 68 2C974200 push 0042972C
0042969A |> 8D45 B0 lea eax, [ebp-50]
0042969D |. E8 0E7BFDFF call <jmp.&rtl70.System::LStrClr>
004296A2 |. 8D45 B4 lea eax, [ebp-4C]
004296A5 |. E8 067BFDFF call <jmp.&rtl70.System::LStrClr>
004296AA |. 8D45 B8 lea eax, [ebp-48]
004296AD |. E8 FE7AFDFF call <jmp.&rtl70.System::LStrClr>
004296B2 |. 8D45 BC lea eax, [ebp-44]
004296B5 |. BA 02000000 mov edx, 2
004296BA |. E8 F97AFDFF call <jmp.&rtl70.System::LStrArrayClr>
004296BF |. 8D45 C4 lea eax, [ebp-3C]
004296C2 |. E8 E97AFDFF call <jmp.&rtl70.System::LStrClr>
004296C7 |. 8D45 C8 lea eax, [ebp-38]
004296CA |. BA 02000000 mov edx, 2
004296CF |. E8 E47AFDFF call <jmp.&rtl70.System::LStrArrayClr>
004296D4 |. 8D45 D0 lea eax, [ebp-30]
004296D7 |. E8 D47AFDFF call <jmp.&rtl70.System::LStrClr>
004296DC |. 8D45 D4 lea eax, [ebp-2C]
004296DF |. E8 CC7AFDFF call <jmp.&rtl70.System::LStrClr>
004296E4 |. 8D45 D8 lea eax, [ebp-28]
004296E7 |. E8 C47AFDFF call <jmp.&rtl70.System::LStrClr>
004296EC |. 8D45 DC lea eax, [ebp-24]
004296EF |. E8 BC7AFDFF call <jmp.&rtl70.System::LStrClr>
004296F4 |. 8D45 E0 lea eax, [ebp-20]
004296F7 |. E8 B47AFDFF call <jmp.&rtl70.System::LStrClr>
004296FC |. 8D45 E4 lea eax, [ebp-1C]
004296FF |. E8 AC7AFDFF call <jmp.&rtl70.System::LStrClr>
00429704 |. 8D45 E8 lea eax, [ebp-18]
00429707 |. E8 A47AFDFF call <jmp.&rtl70.System::LStrClr>
0042970C |. 8D45 EC lea eax, [ebp-14]
0042970F |. E8 9C7AFDFF call <jmp.&rtl70.System::LStrClr>
00429714 |. 8D45 F4 lea eax, [ebp-C]
00429717 |. BA 02000000 mov edx, 2
0042971C |. E8 977AFDFF call <jmp.&rtl70.System::LStrArrayClr>
00429721 \. C3 retn
00429722 .^ E9 517AFDFF jmp <jmp.&rtl70.System::HandleFinally>
00429727 .^ E9 6EFFFFFF jmp 0042969A
0042972C . 5E pop esi
0042972D . 5B pop ebx
0042972E . 8BE5 mov esp, ebp
00429730 . 5D pop ebp
00429731 . C3 retn
(1)
0040BD24 /$ 55 push ebp
0040BD25 |. 8BEC mov ebp, esp
0040BD27 |. 83C4 D0 add esp, -30
0040BD2A |. 53 push ebx
0040BD2B |. 56 push esi
0040BD2C |. 57 push edi
0040BD2D |. 33DB xor ebx, ebx
0040BD2F |. 895D D0 mov [ebp-30], ebx
0040BD32 |. 895D D8 mov [ebp-28], ebx
0040BD35 |. 895D D4 mov [ebp-2C], ebx
0040BD38 |. 895D E0 mov [ebp-20], ebx
0040BD3B |. 895D DC mov [ebp-24], ebx
0040BD3E |. 8BF9 mov edi, ecx
0040BD40 |. 8BDA mov ebx, edx
0040BD42 |. 8BF0 mov esi, eax
0040BD44 |. 8D45 F0 lea eax, [ebp-10]
0040BD47 |. 8B15 FCBC4000 mov edx, [40BCFC] ;
0040BD4D |. E8 7E55FFFF call <jmp.&rtl70.System::InitializeRecord>
0040BD52 |. 8D45 E4 lea eax, [ebp-1C]
0040BD55 |. 8B15 FCBC4000 mov edx, [40BCFC] ;
0040BD5B |. E8 7055FFFF call <jmp.&rtl70.System::InitializeRecord>
0040BD60 |. 33C0 xor eax, eax
0040BD62 |. 55 push ebp
0040BD63 |. 68 AFBE4000 push 0040BEAF
0040BD68 |. 64:FF30 push dword ptr fs:[eax]
0040BD6B |. 64:8920 mov fs:[eax], esp
0040BD6E |. 33C0 xor eax, eax
0040BD70 |. 8907 mov [edi], eax
0040BD72 |. C645 FF 00 mov byte ptr [ebp-1], 0
0040BD76 |. 85F6 test esi, esi
0040BD78 |. 0F84 03010000 je 0040BE81
0040BD7E |. 85DB test ebx, ebx
0040BD80 |. 0F84 FB000000 je 0040BE81
0040BD86 |. 8D4D DC lea ecx, [ebp-24]
0040BD89 |. BA 06000000 mov edx, 6
0040BD8E |. 8BC3 mov eax, ebx
0040BD90 |. E8 F363FFFF call <jmp.&rtl70.Strutils::LeftStr> ; 取A1
0040BD95 |. 8B45 DC mov eax, [ebp-24]
0040BD98 |. 8D55 E0 lea edx, [ebp-20]
0040BD9B |. E8 EC59FFFF call <jmp.&rtl70.Sysutils::UpperCase> ;
0040BDA0 |. 8B55 E0 mov edx, [ebp-20]
0040BDA3 |. 8D45 F0 lea eax, [ebp-10]
0040BDA6 |. E8 1D54FFFF call <jmp.&rtl70.System::LStrLAsg>
0040BDAB |. 8D45 D4 lea eax, [ebp-2C]
0040BDAE |. 50 push eax
0040BDAF |. B9 06000000 mov ecx, 6
0040BDB4 |. BA 07000000 mov edx, 7
0040BDB9 |. 8BC3 mov eax, ebx
0040BDBB |. E8 D863FFFF call <jmp.&rtl70.Strutils::MidStr> ; 取B1
0040BDC0 |. 8B45 D4 mov eax, [ebp-2C]
0040BDC3 |. 8D55 D8 lea edx, [ebp-28]
0040BDC6 |. E8 C159FFFF call <jmp.&rtl70.Sysutils::UpperCase> ;
0040BDCB |. 8B55 D8 mov edx, [ebp-28]
0040BDCE |. 8D45 F4 lea eax, [ebp-C]
0040BDD1 |. E8 F253FFFF call <jmp.&rtl70.System::LStrLAsg>
0040BDD6 |. 8D45 D0 lea eax, [ebp-30]
0040BDD9 |. 50 push eax
0040BDDA |. 8BC3 mov eax, ebx
0040BDDC |. E8 2754FFFF call <jmp.&rtl70.System::LStrLen>
0040BDE1 |. 8BC8 mov ecx, eax
0040BDE3 |. 83E9 0C sub ecx, 0C
0040BDE6 |. BA 0D000000 mov edx, 0D
0040BDEB |. 8BC3 mov eax, ebx
0040BDED |. E8 A663FFFF call <jmp.&rtl70.Strutils::MidStr> ; 取C
0040BDF2 |. 8B45 D0 mov eax, [ebp-30]
0040BDF5 |. E8 D259FFFF call <jmp.&rtl70.Sysutils::StrToInt>
0040BDFA |. 8945 F8 mov [ebp-8], eax
0040BDFD |. 8D45 E4 lea eax, [ebp-1C]
0040BE00 |. 50 push eax
0040BE01 |. 33C9 xor ecx, ecx
0040BE03 |. 8B55 F8 mov edx, [ebp-8]
0040BE06 |. 8BC6 mov eax, esi
0040BE08 |. E8 B7000000 call 0040BEC4 ; 算法call(2),跟进
0040BE0D |. 8B45 F0 mov eax, [ebp-10]
0040BE10 |. 8B55 E4 mov edx, [ebp-1C]
0040BE13 |. E8 1054FFFF call <jmp.&rtl70.System::LStrCmp> ; A1,A2比较不等则跳
0040BE18 |. 75 26 jnz short 0040BE40
0040BE1A |. 8B45 F4 mov eax, [ebp-C]
0040BE1D |. 8B55 E8 mov edx, [ebp-18]
0040BE20 |. E8 0354FFFF call <jmp.&rtl70.System::LStrCmp> ; B1,B2比较不等则跳
0040BE25 |. 75 19 jnz short 0040BE40
0040BE27 |. 8B45 F8 mov eax, [ebp-8]
0040BE2A |. 3B45 EC cmp eax, [ebp-14]
0040BE2D |. 75 11 jnz short 0040BE40
0040BE2F |. 8B45 F8 mov eax, [ebp-8]
0040BE32 |. 8907 mov [edi], eax
0040BE34 |. 8B45 08 mov eax, [ebp+8]
0040BE37 |. C600 00 mov byte ptr [eax], 0
0040BE3A |. C645 FF 01 mov byte ptr [ebp-1], 1
0040BE3E |. EB 41 jmp short 0040BE81
0040BE40 |> 8D45 E4 lea eax, [ebp-1C]
0040BE43 |. 50 push eax
0040BE44 |. B1 01 mov cl, 1
0040BE46 |. 8B55 F8 mov edx, [ebp-8]
0040BE49 |. 8BC6 mov eax, esi
0040BE4B |. E8 74000000 call 0040BEC4
0040BE50 |. 8B45 F0 mov eax, [ebp-10]
0040BE53 |. 8B55 E4 mov edx, [ebp-1C]
0040BE56 |. E8 CD53FFFF call <jmp.&rtl70.System::LStrCmp>
0040BE5B |. 75 24 jnz short 0040BE81
0040BE5D |. 8B45 F4 mov eax, [ebp-C]
0040BE60 |. 8B55 E8 mov edx, [ebp-18]
0040BE63 |. E8 C053FFFF call <jmp.&rtl70.System::LStrCmp>
0040BE68 |. 75 17 jnz short 0040BE81
0040BE6A |. 8B45 F8 mov eax, [ebp-8]
0040BE6D |. 3B45 EC cmp eax, [ebp-14]
0040BE70 |. 75 0F jnz short 0040BE81
0040BE72 |. 8B45 F8 mov eax, [ebp-8]
0040BE75 |. 8907 mov [edi], eax
0040BE77 |. 8B45 08 mov eax, [ebp+8]
0040BE7A |. C600 01 mov byte ptr [eax], 1
0040BE7D |. C645 FF 01 mov byte ptr [ebp-1], 1
0040BE81 |> 33C0 xor eax, eax
0040BE83 |. 5A pop edx
0040BE84 |. 59 pop ecx
0040BE85 |. 59 pop ecx
0040BE86 |. 64:8910 mov fs:[eax], edx
0040BE89 |. 68 B6BE4000 push 0040BEB6
0040BE8E |> 8D45 D0 lea eax, [ebp-30]
0040BE91 |. BA 05000000 mov edx, 5
0040BE96 |. E8 1D53FFFF call <jmp.&rtl70.System::LStrArrayClr>
0040BE9B |. 8D45 E4 lea eax, [ebp-1C]
0040BE9E |. 8B15 FCBC4000 mov edx, [40BCFC] ;
0040BEA4 |. B9 02000000 mov ecx, 2
0040BEA9 |. E8 3254FFFF call <jmp.&rtl70.System::FinalizeArray>
0040BEAE \. C3 retn
0040BEAF .^ E9 C452FFFF jmp <jmp.&rtl70.System::HandleFinally>
0040BEB4 .^ EB D8 jmp short 0040BE8E
0040BEB6 . 8A45 FF mov al, [ebp-1]
0040BEB9 . 5F pop edi
0040BEBA . 5E pop esi
0040BEBB . 5B pop ebx
0040BEBC . 8BE5 mov esp, ebp
0040BEBE . 5D pop ebp
0040BEBF . C2 0400 retn 4
(2)
0040BEC4 /$ 55 push ebp
0040BEC5 |. 8BEC mov ebp, esp
0040BEC7 |. 51 push ecx
0040BEC8 |. B9 06000000 mov ecx, 6
0040BECD |> 6A 00 /push 0
0040BECF |. 6A 00 |push 0
0040BED1 |. 49 |dec ecx
0040BED2 |.^ 75 F9 \jnz short 0040BECD
0040BED4 |. 874D FC xchg [ebp-4], ecx
0040BED7 |. 53 push ebx
0040BED8 |. 56 push esi
0040BED9 |. 57 push edi
0040BEDA |. 884D FF mov [ebp-1], cl
0040BEDD |. 8BF2 mov esi, edx
0040BEDF |. 8BF8 mov edi, eax
0040BEE1 |. 8B5D 08 mov ebx, [ebp+8]
0040BEE4 |. 33C0 xor eax, eax
0040BEE6 |. 55 push ebp
0040BEE7 |. 68 CFBF4000 push 0040BFCF
0040BEEC |. 64:FF30 push dword ptr fs:[eax]
0040BEEF |. 64:8920 mov fs:[eax], esp
0040BEF2 |. 8D55 F4 lea edx, [ebp-C]
0040BEF5 |. 8BC6 mov eax, esi
0040BEF7 |. E8 B858FFFF call <jmp.&rtl70.Sysutils::IntToStr>
0040BEFC |. 8B45 F4 mov eax, [ebp-C]
0040BEFF |. 50 push eax
0040BF00 |. 8D55 F0 lea edx, [ebp-10]
0040BF03 |. 8BC7 mov eax, edi
0040BF05 |. E8 8258FFFF call <jmp.&rtl70.Sysutils::UpperCase>
0040BF0A |. 8B55 F0 mov edx, [ebp-10]
0040BF0D |. 8D45 F8 lea eax, [ebp-8]
0040BF10 |. 59 pop ecx
0040BF11 |. E8 0253FFFF call <jmp.&rtl70.System::LStrCat3>
0040BF16 |. 807D FF 00 cmp byte ptr [ebp-1], 0
0040BF1A |. 74 0F je short 0040BF2B
0040BF1C |. 8D45 F8 lea eax, [ebp-8]
0040BF1F |. BA E8BF4000 mov edx, 0040BFE8 ; mypersonallicense
0040BF24 |. E8 E752FFFF call <jmp.&rtl70.System::LStrCat>
0040BF29 |. EB 0D jmp short 0040BF38
0040BF2B |> 8D45 F8 lea eax, [ebp-8]
0040BF2E |. BA 04C04000 mov edx, 0040C004 ; myfirstlicense
0040BF33 |. E8 D852FFFF call <jmp.&rtl70.System::LStrCat> ; 用户名,注册码C,固定字串"myfirstlicense",三者相连
0040BF38 |> 8D55 DC lea edx, [ebp-24]
0040BF3B |. 8B45 F8 mov eax, [ebp-8]
0040BF3E |. E8 CD7CFFFF call 00403C10
0040BF43 |. 8D45 DC lea eax, [ebp-24]
0040BF46 |. 8D55 EC lea edx, [ebp-14]
0040BF49 |. E8 367DFFFF call 00403C84 ; MD5计算(3),结果记着D
0040BF4E |. 8B55 EC mov edx, [ebp-14]
0040BF51 |. 8D45 F8 lea eax, [ebp-8]
0040BF54 |. E8 6F52FFFF call <jmp.&rtl70.System::LStrLAsg>
0040BF59 |. 8D4D D4 lea ecx, [ebp-2C]
0040BF5C |. BA 06000000 mov edx, 6
0040BF61 |. 8B45 F8 mov eax, [ebp-8]
0040BF64 |. E8 1F62FFFF call <jmp.&rtl70.Strutils::LeftStr> ; 取D的前六位
0040BF69 |. 8B45 D4 mov eax, [ebp-2C]
0040BF6C |. 8D55 D8 lea edx, [ebp-28]
0040BF6F |. E8 1858FFFF call <jmp.&rtl70.Sysutils::UpperCase> ; D的前六位转为大写,记着A2
0040BF74 |. 8B55 D8 mov edx, [ebp-28]
0040BF77 |. 8BC3 mov eax, ebx
0040BF79 |. E8 4252FFFF call <jmp.&rtl70.System::LStrAsg>
0040BF7E |. 8D4D CC lea ecx, [ebp-34]
0040BF81 |. BA 06000000 mov edx, 6
0040BF86 |. 8B45 F8 mov eax, [ebp-8]
0040BF89 |. E8 0262FFFF call <jmp.&rtl70.Strutils::RightStr> ; 取D的后六位
0040BF8E |. 8B45 CC mov eax, [ebp-34]
0040BF91 |. 8D55 D0 lea edx, [ebp-30]
0040BF94 |. E8 F357FFFF call <jmp.&rtl70.Sysutils::UpperCase> ; D的后六位转为大写,记着B2
0040BF99 |. 8B55 D0 mov edx, [ebp-30]
0040BF9C |. 8D43 04 lea eax, [ebx+4]
0040BF9F |. E8 1C52FFFF call <jmp.&rtl70.System::LStrAsg>
0040BFA4 |. 8973 08 mov [ebx+8], esi
0040BFA7 |. 33C0 xor eax, eax
0040BFA9 |. 5A pop edx
0040BFAA |. 59 pop ecx
0040BFAB |. 59 pop ecx
0040BFAC |. 64:8910 mov fs:[eax], edx
0040BFAF |. 68 D6BF4000 push 0040BFD6
0040BFB4 |> 8D45 CC lea eax, [ebp-34]
0040BFB7 |. BA 04000000 mov edx, 4
0040BFBC |. E8 F751FFFF call <jmp.&rtl70.System::LStrArrayClr>
0040BFC1 |. 8D45 EC lea eax, [ebp-14]
0040BFC4 |. BA 04000000 mov edx, 4
0040BFC9 |. E8 EA51FFFF call <jmp.&rtl70.System::LStrArrayClr>
0040BFCE \. C3 retn
0040BFCF .^ E9 A451FFFF jmp <jmp.&rtl70.System::HandleFinally>
0040BFD4 .^ EB DE jmp short 0040BFB4
0040BFD6 . 5F pop edi
0040BFD7 . 5E pop esi
0040BFD8 . 5B pop ebx
0040BFD9 . 8BE5 mov esp, ebp
0040BFDB . 5D pop ebp
0040BFDC . C2 0400 retn 4
(3)MD5计算
00403C84 /$ 55 push ebp
00403C85 |. 8BEC mov ebp, esp
00403C87 |. 83C4 E8 add esp, -18
00403C8A |. 53 push ebx
00403C8B |. 56 push esi
00403C8C |. 57 push edi
00403C8D |. 33C9 xor ecx, ecx
00403C8F |. 894D EC mov [ebp-14], ecx
00403C92 |. 894D E8 mov [ebp-18], ecx
00403C95 |. 8BF0 mov esi, eax
00403C97 |. 8D7D F0 lea edi, [ebp-10]
00403C9A |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9B |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9C |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9D |. A5 movs dword ptr es:[edi], dword ptr [esi]
00403C9E |. 8BFA mov edi, edx
00403CA0 |. 33C0 xor eax, eax
00403CA2 |. 55 push ebp
00403CA3 |. 68 1F3D4000 push 00403D1F
00403CA8 |. 64:FF30 push dword ptr fs:[eax]
00403CAB |. 64:8920 mov fs:[eax], esp
00403CAE |. 8BC7 mov eax, edi
00403CB0 |. E8 FBD4FFFF call <jmp.&rtl70.System::LStrClr>
00403CB5 |. B3 10 mov bl, 10
00403CB7 |. 8D75 F0 lea esi, [ebp-10]
00403CBA |> FF37 /push dword ptr [edi]
00403CBC |. 8D45 EC |lea eax, [ebp-14]
00403CBF |. 33D2 |xor edx, edx
00403CC1 |. 8A16 |mov dl, [esi]
00403CC3 |. C1EA 04 |shr edx, 4
00403CC6 |. 83E2 0F |and edx, 0F
00403CC9 |. 8A92 6CD04400 |mov dl, [edx+44D06C]
00403CCF |. E8 04D5FFFF |call <jmp.&rtl70.System::LStrFromChar>
00403CD4 |. FF75 EC |push dword ptr [ebp-14]
00403CD7 |. 8D45 E8 |lea eax, [ebp-18]
00403CDA |. 8A16 |mov dl, [esi]
00403CDC |. 80E2 0F |and dl, 0F
00403CDF |. 81E2 FF000000 |and edx, 0FF
00403CE5 |. 8A92 6CD04400 |mov dl, [edx+44D06C]
00403CEB |. E8 E8D4FFFF |call <jmp.&rtl70.System::LStrFromChar>
00403CF0 |. FF75 E8 |push dword ptr [ebp-18]
00403CF3 |. 8BC7 |mov eax, edi
00403CF5 |. BA 03000000 |mov edx, 3
00403CFA |. E8 21D5FFFF |call <jmp.&rtl70.System::LStrCatN>
00403CFF |. 46 |inc esi
00403D00 |. FECB |dec bl
00403D02 |.^ 75 B6 \jnz short 00403CBA
00403D04 |. 33C0 xor eax, eax
00403D06 |. 5A pop edx
00403D07 |. 59 pop ecx
00403D08 |. 59 pop ecx
00403D09 |. 64:8910 mov fs:[eax], edx
00403D0C |. 68 263D4000 push 00403D26
00403D11 |> 8D45 E8 lea eax, [ebp-18]
00403D14 |. BA 02000000 mov edx, 2
00403D19 |. E8 9AD4FFFF call <jmp.&rtl70.System::LStrArrayClr>
00403D1E \. C3 retn
00403D1F .^ E9 54D4FFFF jmp <jmp.&rtl70.System::HandleFinally>
00403D24 .^ EB EB jmp short 00403D11
00403D26 . 5F pop edi
00403D27 . 5E pop esi
00403D28 . 5B pop ebx
00403D29 . 8BE5 mov esp, ebp
00403D2B . 5D pop ebp
00403D2C . C3 retn
------------------------------------------------------------------------
------------------------------------------------------------------------
【破解总结】
1、注册码分三部分;
2、用户名,注册码第三部分,固定字串“myfirstlicense”三部分组合,再作MD5运算;
3、取MD5运算结果的前六位、后六位转为大写后分别作注册码的第一、第二部分;
4、注册信息保存于注册表。
提供一组可用注册信息:
用户名:maomaoma
注册码:E45D1F-64B4FF-787
------------------------------------------------------------------------
【版权声明】本文系作者原创, 转载请注明作者并保持文章的完整, 谢谢!
[培训]《安卓高级研修班(网课)》月薪三万计划,掌 握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
赞赏
他的文章
[原创]一种破解思路
4420
