【软件名称】SitMan PC 复读机V2.3
【应用平台】Win2000 SP4
【作者邮箱】chubing6143@sina.com
【使用工具】OllyDbg1.10,C32ASM
【软件简介】互联网上众多的RM、MP3等格式的外语语音资料,为外语学习者带来了前所未有的便利,然而一般的媒体播放软件(如RealPlayer、Winamp等)远远不能满足外语听说训练的要求,“SitMan PC 复读机”即为此专门设计
【破解过程】
好久没有出来混了,出来冒个泡,主要给那些学习英语的提供方便了.出于国产软件的考虑,省略掉一点关键信息,当然如果出于学习目的,你一定能搞定注册机了.
参考 eCool[BCG]的 "SitMan PC 复读机 2.0 beta 2 注册算法分析"及其注册机,本人很懒就直接利用其注册机了,但是其以前的注册机有点问题了.软件升级后不能注册了,我跟踪分析了一遍软件,下面是分析过程:
在"关于"窗口中,双击"未注册",会出现注册窗口.程序AsPack加壳,脱壳(不提)后在DeDe帮助下,可以找到注册按钮对应函数如下:
004BCE1C /. 55 push ebp
004BCE1D |. 8BEC mov ebp,esp
004BCE1F |. B9 06000000 mov ecx,6
004BCE24 |> 6A 00 /push 0
004BCE26 |. 6A 00 |push 0
004BCE28 |. 49 |dec ecx
004BCE29 |.^ 75 F9 \jnz short dumped_u.004BCE24
004BCE2B |. 53 push ebx
004BCE2C |. 56 push esi
004BCE2D |. 8BD8 mov ebx,eax
004BCE2F |. 33C0 xor eax,eax
004BCE31 |. 55 push ebp
004BCE32 |. 68 91D04B00 push dumped_u.004BD091
004BCE37 |. 64:FF30 push dword ptr fs:[eax]
004BCE3A |. 64:8920 mov dword ptr fs:[eax],esp
004BCE3D |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004BCE40 |. 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
004BCE46 |. E8 0928F9FF call dumped_u.0044F654
004BCE4B |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; 用户名不为空
004BCE4F |. 0F84 F4010000 je dumped_u.004BD049
004BCE55 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004BCE58 |. 8B83 18030000 mov eax,dword ptr ds:[ebx+318]
004BCE5E |. E8 F127F9FF call dumped_u.0044F654
004BCE63 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; 注册码不为空
004BCE67 |. 0F84 DC010000 je dumped_u.004BD049
004BCE6D |. 33D2 xor edx,edx
004BCE6F |. 8B83 58030000 mov eax,dword ptr ds:[ebx+358]
004BCE75 |. 8B08 mov ecx,dword ptr ds:[eax]
004BCE77 |. FF51 64 call dword ptr ds:[ecx+64]
004BCE7A |. 8B15 3C484D00 mov edx,dword ptr ds:[4D483C] ; dumped_u.004D46CC
004BCE80 |. 8B12 mov edx,dword ptr ds:[edx]
004BCE82 |. 8B83 5C030000 mov eax,dword ptr ds:[ebx+35C]
004BCE88 |. E8 F727F9FF call dumped_u.0044F684
004BCE8D |. BE 03000000 mov esi,3
004BCE92 |> B2 01 /mov dl,1
004BCE94 |. 8B83 5C030000 |mov eax,dword ptr ds:[ebx+35C]
004BCE9A |. E8 D526F9FF |call dumped_u.0044F574
004BCE9F |. 66:B8 BC02 |mov ax,2BC
004BCEA3 |. E8 80380000 |call dumped_u.004C0728
004BCEA8 |. 33D2 |xor edx,edx
004BCEAA |. 8B83 5C030000 |mov eax,dword ptr ds:[ebx+35C]
004BCEB0 |. E8 BF26F9FF |call dumped_u.0044F574
004BCEB5 |. 66:B8 2C01 |mov ax,12C
004BCEB9 |. E8 6A380000 |call dumped_u.004C0728
004BCEBE |. 4E |dec esi
004BCEBF |.^ 75 D1 \jnz short dumped_u.004BCE92
004BCEC1 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004BCEC4 |. 8B83 18030000 mov eax,dword ptr ds:[ebx+318]
004BCECA |. E8 8527F9FF call dumped_u.0044F654
004BCECF |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004BCED2 |. 50 push eax
004BCED3 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004BCED6 |. 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
004BCEDC |. E8 7327F9FF call dumped_u.0044F654
004BCEE1 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; 用户名
004BCEE4 |. 5A pop edx ; 注册码
004BCEE5 |. E8 1AFDFFFF call dumped_u.004BCC04 ; 判断函数
004BCEEA |. 84C0 test al,al ; 关键判断
004BCEEC |. 0F84 20010000 je dumped_u.004BD012
004BCEF2 |. E8 7108F5FF call dumped_u.0040D768
004BCEF7 |. A1 8C4A4D00 mov eax,dword ptr ds:[4D4A8C]
004BCEFC |. 8B00 mov eax,dword ptr ds:[eax]
004BCEFE |. E8 99B6F8FF call dumped_u.0044859C
004BCF03 |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004BCF06 |. 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
004BCF0C |. E8 4327F9FF call dumped_u.0044F654
004BCF11 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004BCF14 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
004BCF17 |. E8 F4C1F4FF call dumped_u.00409110
004BCF1C |. 8B55 EC mov edx,dword ptr ss:[ebp-14]
004BCF1F |. A1 BC4B4D00 mov eax,dword ptr ds:[4D4BBC]
004BCF24 |. E8 4B7AF4FF call dumped_u.00404974
004BCF29 |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004BCF2C |. 8B83 18030000 mov eax,dword ptr ds:[ebx+318]
004BCF32 |. E8 1D27F9FF call dumped_u.0044F654
004BCF37 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004BCF3A |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
004BCF3D |. E8 CEC1F4FF call dumped_u.00409110
004BCF42 |. 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
004BCF45 |. A1 B8484D00 mov eax,dword ptr ds:[4D48B8]
004BCF4A |. E8 257AF4FF call dumped_u.00404974
004BCF4F |. A1 544B4D00 mov eax,dword ptr ds:[4D4B54]
004BCF54 |. C700 3E330100 mov dword ptr ds:[eax],1333E
004BCF5A |. A1 084A4D00 mov eax,dword ptr ds:[4D4A08]
004BCF5F |. 8338 00 cmp dword ptr ds:[eax],0
004BCF62 |. 75 36 jnz short dumped_u.004BCF9A
004BCF64 |. A1 D04A4D00 mov eax,dword ptr ds:[4D4AD0]
004BCF69 |. FF30 push dword ptr ds:[eax]
004BCF6B |. A1 6C4A4D00 mov eax,dword ptr ds:[4D4A6C]
004BCF70 |. FF30 push dword ptr ds:[eax]
004BCF72 |. 68 A8D04B00 push dumped_u.004BD0A8
004BCF77 |. A1 704E4D00 mov eax,dword ptr ds:[4D4E70]
004BCF7C |. FF30 push dword ptr ds:[eax]
004BCF7E |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
004BCF81 |. BA 04000000 mov edx,4
004BCF86 |. E8 0D7DF4FF call dumped_u.00404C98
004BCF8B |. 8B55 DC mov edx,dword ptr ss:[ebp-24]
004BCF8E |. A1 E8484D00 mov eax,dword ptr ds:[4D48E8]
004BCF93 |. 8B00 mov eax,dword ptr ds:[eax]
004BCF95 |. E8 EA26F9FF call dumped_u.0044F684
004BCF9A |> E8 7D9C0000 call dumped_u.004C6C1C
004BCF9F |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004BCFA2 |. E8 A5950000 call dumped_u.004C654C
004BCFA7 |. 8B45 D8 mov eax,dword ptr ss:[ebp-28]
004BCFAA |. 50 push eax
004BCFAB |. 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004BCFAE |. E8 01950000 call dumped_u.004C64B4
004BCFB3 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004BCFB6 |. 5A pop edx
004BCFB7 |. E8 C89A0000 call dumped_u.004C6A84
004BCFBC |. 84C0 test al,al
004BCFBE |. 75 05 jnz short dumped_u.004BCFC5
004BCFC0 |. E8 479D0000 call dumped_u.004C6D0C
004BCFC5 |> A1 F44D4D00 mov eax,dword ptr ds:[4D4DF4]
004BCFCA |. FF30 push dword ptr ds:[eax]
004BCFCC |. 68 B4D04B00 push dumped_u.004BD0B4 ; ASCII " : "
004BCFD1 |. A1 BC4B4D00 mov eax,dword ptr ds:[4D4BBC]
004BCFD6 |. FF30 push dword ptr ds:[eax]
004BCFD8 |. 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004BCFDB |. BA 03000000 mov edx,3
004BCFE0 |. E8 B37CF4FF call dumped_u.00404C98
004BCFE5 |. 8B55 D0 mov edx,dword ptr ss:[ebp-30]
004BCFE8 |. 8B83 50030000 mov eax,dword ptr ds:[ebx+350]
004BCFEE |. E8 9126F9FF call dumped_u.0044F684
004BCFF3 |. BA C0D04B00 mov edx,dumped_u.004BD0C0 ; ASCII "********"
004BCFF8 |. 8B83 18030000 mov eax,dword ptr ds:[ebx+318]
004BCFFE |. E8 8126F9FF call dumped_u.0044F684
004BD003 |. 33D2 xor edx,edx
004BD005 |. 8B83 58030000 mov eax,dword ptr ds:[ebx+358]
004BD00B |. 8B08 mov ecx,dword ptr ds:[eax]
004BD00D |. FF51 64 call dword ptr ds:[ecx+64]
004BD010 |. EB 37 jmp short dumped_u.004BD049
004BD012 |> 6A 30 push 30
004BD014 |. A1 D8494D00 mov eax,dword ptr ds:[4D49D8]
004BD019 |. 8B00 mov eax,dword ptr ds:[eax]
004BD01B |. E8 B07DF4FF call dumped_u.00404DD0
004BD020 |. 50 push eax
004BD021 |. A1 D84A4D00 mov eax,dword ptr ds:[4D4AD8]
004BD026 |. 8B00 mov eax,dword ptr ds:[eax]
004BD028 |. E8 A37DF4FF call dumped_u.00404DD0
004BD02D |. 8BD0 mov edx,eax
004BD02F |. A1 D84B4D00 mov eax,dword ptr ds:[4D4BD8]
004BD034 |. 8B00 mov eax,dword ptr ds:[eax]
004BD036 |. 59 pop ecx
004BD037 |. E8 5C37FBFF call dumped_u.00470798
004BD03C |. B2 01 mov dl,1
004BD03E |. 8B83 58030000 mov eax,dword ptr ds:[ebx+358]
004BD044 |. 8B08 mov ecx,dword ptr ds:[eax]
004BD046 |. FF51 64 call dword ptr ds:[ecx+64]
004BD049 |> 33C0 xor eax,eax
004BD04B |. 5A pop edx
004BD04C |. 59 pop ecx
004BD04D |. 59 pop ecx
004BD04E |. 64:8910 mov dword ptr fs:[eax],edx
004BD051 |. 68 98D04B00 push dumped_u.004BD098
004BD056 |> 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004BD059 |. BA 04000000 mov edx,4
004BD05E |. E8 E178F4FF call dumped_u.00404944
004BD063 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004BD066 |. E8 B578F4FF call dumped_u.00404920
004BD06B |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004BD06E |. E8 AD78F4FF call dumped_u.00404920
004BD073 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004BD076 |. E8 A578F4FF call dumped_u.00404920
004BD07B |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004BD07E |. E8 9D78F4FF call dumped_u.00404920
004BD083 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004BD086 |. BA 04000000 mov edx,4
004BD08B |. E8 B478F4FF call dumped_u.00404944
004BD090 \. C3 retn
在004BCEE5 call dumped_u.004BCC04关键函数中F7进去,来到:
004BCC04 /$ 55 push ebp
004BCC05 |. 8BEC mov ebp,esp
004BCC07 |. 83C4 EC add esp,-14
004BCC0A |. 53 push ebx
004BCC0B |. 56 push esi
004BCC0C |. 57 push edi
004BCC0D |. 33C9 xor ecx,ecx
004BCC0F |. 894D EC mov dword ptr ss:[ebp-14],ecx
004BCC12 |. 894D F0 mov dword ptr ss:[ebp-10],ecx
004BCC15 |. 8955 F8 mov dword ptr ss:[ebp-8],edx
004BCC18 |. 8945 FC mov dword ptr ss:[ebp-4],eax
004BCC1B |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BCC1E |. E8 9D81F4FF call dumped_u.00404DC0
004BCC23 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004BCC26 |. E8 9581F4FF call dumped_u.00404DC0
004BCC2B |. 33C0 xor eax,eax
004BCC2D |. 55 push ebp
004BCC2E |. 68 C7CD4B00 push dumped_u.004BCDC7
004BCC33 |. 64:FF30 push dword ptr fs:[eax]
004BCC36 |. 64:8920 mov dword ptr fs:[eax],esp
004BCC39 |. C645 F7 00 mov byte ptr ss:[ebp-9],0
004BCC3D |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004BCC40 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BCC43 |. E8 C8C4F4FF call dumped_u.00409110
004BCC48 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004BCC4B |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
004BCC4E |. E8 657DF4FF call dumped_u.004049B8
004BCC53 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BCC56 |. E8 7D7FF4FF call dumped_u.00404BD8
004BCC5B |. 8BC8 mov ecx,eax
004BCC5D |. 83F9 03 cmp ecx,3
004BCC60 |. 0F8C 39010000 jl dumped_u.004BCD9F
004BCC66 |. 83F9 14 cmp ecx,14
004BCC69 |. 0F8F 30010000 jg dumped_u.004BCD9F ; 用户名在3-20个字符之间
004BCC6F |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BCC72 |. BA E0CD4B00 mov edx,dumped_u.004BCDE0
004BCC77 |. E8 A080F4FF call dumped_u.00404D1C
004BCC7C |. 0F84 1D010000 je dumped_u.004BCD9F
004BCC82 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004BCC85 |. E8 4E7FF4FF call dumped_u.00404BD8
004BCC8A |. 83F8 12 cmp eax,12 ; 注册码必须是18个字符
004BCC8D |. 0F85 0C010000 jnz dumped_u.004BCD9F
004BCC93 |. B9 01000000 mov ecx,1
004BCC98 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8]
004BCC9B |. 8A4408 FF |mov al,byte ptr ds:[eax+ecx-1]
004BCC9F |. 04 D0 |add al,0D0
004BCCA1 |. 2C 0A |sub al,0A
004BCCA3 |. 72 0A |jb short dumped_u.004BCCAF
004BCCA5 |. 04 D9 |add al,0D9
004BCCA7 |. 2C 1A |sub al,1A
004BCCA9 |. 0F83 F0000000 |jnb dumped_u.004BCD9F
004BCCAF |> 41 |inc ecx
004BCCB0 |. 83F9 13 |cmp ecx,13
004BCCB3 |.^ 75 E3 \jnz short dumped_u.004BCC98 ; 判断注册码的所有位是否在'0'-'9'或 'a'-'z'中
004BCCB5 |. BE 01000000 mov esi,1
004BCCBA |> BB 01000000 /mov ebx,1
004BCCBF |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004BCCC2 |. E8 117FF4FF |call dumped_u.00404BD8
004BCCC7 |. 8BF8 |mov edi,eax
004BCCC9 |. 85FF |test edi,edi
004BCCCB |. 7E 21 |jle short dumped_u.004BCCEE
004BCCCD |. B9 01000000 |mov ecx,1
004BCCD2 |> 8B45 FC |/mov eax,dword ptr ss:[ebp-4]
004BCCD5 |. 0FB64408 FF ||movzx eax,byte ptr ds:[eax+ecx-1]
004BCCDA |. F7EB ||imul ebx
004BCCDC |. 03C6 ||add eax,esi
004BCCDE |. 03C1 ||add eax,ecx
004BCCE0 |. BB 65010000 ||mov ebx,165
004BCCE5 |. 99 ||cdq
004BCCE6 |. F7FB ||idiv ebx
004BCCE8 |. 8BDA ||mov ebx,edx
004BCCEA |. 41 ||inc ecx
004BCCEB |. 4F ||dec edi
004BCCEC |.^ 75 E4 |\jnz short dumped_u.004BCCD2
004BCCEE |> 8BC3 |mov eax,ebx
004BCCF0 |. B9 24000000 |mov ecx,24
004BCCF5 |. 99 |cdq
004BCCF6 |. F7F9 |idiv ecx
004BCCF8 |. B8 F4CD4B00 |mov eax,dumped_u.004BCDF4 ; ASCII "0123456789abcdefghijklmnopqrstuvwxyz"
004BCCFD |. 0FB60410 |movzx eax,byte ptr ds:[eax+edx]
004BCD01 |. 8B55 F8 |mov edx,dword ptr ss:[ebp-8]
004BCD04 |. 0FB65432 FF |movzx edx,byte ptr ds:[edx+esi-1]
004BCD09 |. 2BD0 |sub edx,eax
004BCD0B |. 81C2 AE000000 |add edx,0AE
004BCD11 |. 81FA AE000000 |cmp edx,0AE
004BCD17 |. 0F85 82000000 |jnz dumped_u.004BCD9F
004BCD1D |. 46 |inc esi
004BCD1E |. 83FE 04 |cmp esi,4
004BCD21 |.^ 75 97 \jnz short dumped_u.004BCCBA ; 这段开始算前3位注册码
004BCD23 |. BB 01000000 mov ebx,1
004BCD28 |. BF 01000000 mov edi,1
004BCD2D |. BE 0A000000 mov esi,0A
004BCD32 |> B9 01000000 /mov ecx,1
004BCD37 |> 8B45 F8 |/mov eax,dword ptr ss:[ebp-8]
004BCD3A |. 0FB64408 FF ||movzx eax,byte ptr ds:[eax+ecx-1]
004BCD3F |. F7EB ||imul ebx
004BCD41 |. 03C1 ||add eax,ecx
004BCD43 |. 03C6 ||add eax,esi
004BCD45 |. BB 79010000 ||mov ebx,179
004BCD4A |. 99 ||cdq
004BCD4B |. F7FB ||idiv ebx
004BCD4D |. 8BDA ||mov ebx,edx
004BCD4F |. 41 ||inc ecx
004BCD50 |. 83F9 0A ||cmp ecx,0A
004BCD53 |.^ 75 E2 |\jnz short dumped_u.004BCD37
004BCD55 |. 8BC3 |mov eax,ebx
004BCD57 |. B9 24000000 |mov ecx,24
004BCD5C |. 99 |cdq
004BCD5D |. F7F9 |idiv ecx
004BCD5F |. 8BC2 |mov eax,edx
004BCD61 |. F7EE |imul esi
004BCD63 |. 03C6 |add eax,esi
004BCD65 |. B9 25000000 |mov ecx,25
004BCD6A |. 99 |cdq
004BCD6B |. F7F9 |idiv ecx
004BCD6D |. 8BCA |mov ecx,edx
004BCD6F |. 8BC7 |mov eax,edi
004BCD71 |. BF 23000000 |mov edi,23
004BCD76 |. 99 |cdq
004BCD77 |. F7FF |idiv edi
004BCD79 |. 03CA |add ecx,edx
004BCD7B |. 8BF9 |mov edi,ecx
004BCD7D |. 46 |inc esi
004BCD7E |. 83FE 13 |cmp esi,13
004BCD81 |.^ 75 AF \jnz short dumped_u.004BCD32
004BCD83 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
004BCD86 |. A1 085F4D00 mov eax,dword ptr ds:[4D5F08] ; 4D5F08是由注册码1-9位计算出来的
004BCD8B |. 2BC7 sub eax,edi ; 上面是利用由第1-9位注册码计算算出第10-18位注册码
004BCD8D |. E8 1EC6F4FF call dumped_u.004093B0
004BCD92 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004BCD95 |. 8A00 mov al,byte ptr ds:[eax]
004BCD97 |. 3C 30 cmp al,30 ; 必须为0
004BCD99 |. 75 04 jnz short dumped_u.004BCD9F
004BCD9B |. C645 F7 01 mov byte ptr ss:[ebp-9],1
004BCD9F |> 33C0 xor eax,eax
004BCDA1 |. 5A pop edx
004BCDA2 |. 59 pop ecx
004BCDA3 |. 59 pop ecx
004BCDA4 |. 64:8910 mov dword ptr fs:[eax],edx
004BCDA7 |. 68 CECD4B00 push dumped_u.004BCDCE
004BCDAC |> 8D45 EC lea eax,dword ptr ss:[ebp-14]
004BCDAF |. BA 02000000 mov edx,2
004BCDB4 |. E8 8B7BF4FF call dumped_u.00404944
004BCDB9 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004BCDBC |. BA 02000000 mov edx,2
004BCDC1 |. E8 7E7BF4FF call dumped_u.00404944
004BCDC6 \. C3 retn
004BCD86 |. A1 085F4D00 mov eax,dword ptr ds:[4D5F08] ; 4D5F08是由注册码1-9位计算出来的,这句话写出来大家可能有点莫名其妙,其实我是通过对4D5F08下内存访问断点,找到程序中对注册码文本框内容的监视(如果你利用DeDe仔细找也能找到这个地方,但是我当时没有找,是利用内存断点法找到的)的地方,其中对注册码4-6位有检查,而且对注册码1-9位计算出来的值存放在4D5F08单元处.具体代码如下:
004BD39C . 55 push ebp
004BD39D . 8BEC mov ebp,esp
004BD39F . 33C9 xor ecx,ecx
004BD3A1 . 51 push ecx
004BD3A2 . 51 push ecx
004BD3A3 . 51 push ecx
004BD3A4 . 51 push ecx
004BD3A5 . 51 push ecx
004BD3A6 . 51 push ecx
004BD3A7 . 51 push ecx
004BD3A8 . 53 push ebx
004BD3A9 . 56 push esi
004BD3AA . 57 push edi
004BD3AB . 8BD8 mov ebx,eax
004BD3AD . 33C0 xor eax,eax
004BD3AF . 55 push ebp
004BD3B0 . 68 20D54B00 push dumped_u.004BD520
004BD3B5 . 64:FF30 push dword ptr fs:[eax]
004BD3B8 . 64:8920 mov dword ptr fs:[eax],esp
004BD3BB . 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004BD3BE . 8B83 18030000 mov eax,dword ptr ds:[ebx+318]
004BD3C4 . E8 8B22F9FF call dumped_u.0044F654
004BD3C9 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004BD3CC . 8D55 FC lea edx,dword ptr ss:[ebp-4]
004BD3CF . E8 3CBDF4FF call dumped_u.00409110
004BD3D4 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BD3D7 . E8 FC77F4FF call dumped_u.00404BD8
004BD3DC . 83F8 12 cmp eax,12
004BD3DF . 0F85 06010000 jnz dumped_u.004BD4EB
004BD3E5 . C705 085F4D00 010>mov dword ptr ds:[4D5F08],1
004BD3EF . BB 01000000 mov ebx,1
004BD3F4 > 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BD3F7 . 8A4418 08 mov al,byte ptr ds:[eax+ebx+8] ; 注册码第10位
004BD3FB . E8 B88D0000 call dumped_u.004C61B8 ; 取注册码在KEY中的位置
004BD400 . 8D53 09 lea edx,dword ptr ds:[ebx+9]
004BD403 . F7EA imul edx
004BD405 . B9 25000000 mov ecx,25
004BD40A . 99 cdq
004BD40B . F7F9 idiv ecx
004BD40D . 8BCA mov ecx,edx ; 商
004BD40F . A1 085F4D00 mov eax,dword ptr ds:[4D5F08]
004BD414 . BE 23000000 mov esi,23
004BD419 . 99 cdq
004BD41A . F7FE idiv esi
004BD41C . 03CA add ecx,edx
004BD41E . 890D 085F4D00 mov dword ptr ds:[4D5F08],ecx
004BD424 . 43 inc ebx
004BD425 . 83FB 0A cmp ebx,0A
004BD428 .^ 75 CA jnz short dumped_u.004BD3F4
004BD42A . 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004BD42D . 50 push eax
004BD42E . B9 06000000 mov ecx,6
004BD433 . BA 04000000 mov edx,4
004BD438 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BD43B . E8 780A0000 call dumped_u.004BDEB8 ; 取注册码4-6位
004BD440 . 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004BD443 . 8D45 FC lea eax,dword ptr ss:[ebp-4]
004BD446 . E8 6D75F4FF call dumped_u.004049B8
004BD44B . 33C0 xor eax,eax
004BD44D . 55 push ebp
004BD44E . 68 D5D44B00 push dumped_u.004BD4D5
004BD453 . 64:FF30 push dword ptr fs:[eax]
004BD456 . 64:8920 mov dword ptr fs:[eax],esp
004BD459 . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004BD45C . 8B55 FC mov edx,dword ptr ss:[ebp-4]
004BD45F . 8A12 mov dl,byte ptr ds:[edx]
004BD461 . E8 9A76F4FF call dumped_u.00404B00
004BD466 . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004BD469 . E8 E2BFF4FF call dumped_u.00409450
004BD46E . 8BD8 mov ebx,eax
004BD470 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
004BD473 . 8B55 FC mov edx,dword ptr ss:[ebp-4]
004BD476 . 8A52 01 mov dl,byte ptr ds:[edx+1]
004BD479 . E8 8276F4FF call dumped_u.00404B00
004BD47E . 8B45 EC mov eax,dword ptr ss:[ebp-14]
004BD481 . E8 CABFF4FF call dumped_u.00409450
004BD486 . 03C3 add eax,ebx ; ebx 注册码第4位,eax 注册码第5位
004BD488 . F7EB imul ebx
004BD48A . 8BD8 mov ebx,eax
004BD48C . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004BD48F . 8B55 FC mov edx,dword ptr ss:[ebp-4]
004BD492 . 8A52 02 mov dl,byte ptr ds:[edx+2]
004BD495 . E8 6676F4FF call dumped_u.00404B00
004BD49A . 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004BD49D . E8 AEBFF4FF call dumped_u.00409450
004BD4A2 . 03C3 add eax,ebx
004BD4A4 . F7EB imul ebx
004BD4A6 . 8BD8 mov ebx,eax
004BD4A8 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004BD4AB . 8B55 FC mov edx,dword ptr ss:[ebp-4]
004BD4AE . 8A12 mov dl,byte ptr ds:[edx]
004BD4B0 . E8 4B76F4FF call dumped_u.00404B00
004BD4B5 . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004BD4B8 . E8 93BFF4FF call dumped_u.00409450
004BD4BD . 3BD8 cmp ebx,eax ; 对于注册码4-6位必须满足条件的判断
004BD4BF . 74 0A je short dumped_u.004BD4CB ; 关键跳转
004BD4C1 C705 085F4D00 B9F>mov dword ptr ds:[4D5F08],-47
004BD4CB > 33C0 xor eax,eax
004BD4CD . 5A pop edx
004BD4CE . 59 pop ecx
004BD4CF . 59 pop ecx
004BD4D0 . 64:8910 mov dword ptr fs:[eax],edx
004BD4D3 . EB 20 jmp short dumped_u.004BD4F5
004BD4D5 .^ E9 366BF4FF jmp dumped_u.00404010
004BD4DA . C705 085F4D00 77F>mov dword ptr ds:[4D5F08],-89
004BD4E4 . E8 8F6EF4FF call dumped_u.00404378
004BD4E9 . EB 0A jmp short dumped_u.004BD4F5
004BD4EB > C705 085F4D00 85F>mov dword ptr ds:[4D5F08],-7B
004BD4F5 > 33C0 xor eax,eax
004BD4F7 . 5A pop edx
004BD4F8 . 59 pop ecx
004BD4F9 . 59 pop ecx
004BD4FA . 64:8910 mov dword ptr fs:[eax],edx
004BD4FD . 68 27D54B00 push dumped_u.004BD527
004BD502 > 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004BD505 . BA 05000000 mov edx,5
004BD50A . E8 3574F4FF call dumped_u.00404944
004BD50F . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004BD512 . E8 0974F4FF call dumped_u.00404920
004BD517 . 8D45 FC lea eax,dword ptr ss:[ebp-4]
004BD51A . E8 0174F4FF call dumped_u.00404920
004BD51F . C3 retn
004BD520 .^ E9 9F6DF4FF jmp dumped_u.004042C4
004BD525 .^ EB DB jmp short dumped_u.004BD502
004BD527 . 5F pop edi
004BD528 . 5E pop esi
004BD529 . 5B pop ebx
004BD52A . 8BE5 mov esp,ebp
004BD52C . 5D pop ebp
004BD52D . C3 retn
004BD52E 8BC0 mov eax,eax
004BD530 . 55 push ebp
004BD531 . 8BEC mov ebp,esp
004BD533 . 33C0 xor eax,eax
004BD535 . 55 push ebp
004BD536 . 68 55D54B00 push dumped_u.004BD555
004BD53B . 64:FF30 push dword ptr fs:[eax]
004BD53E . 64:8920 mov dword ptr fs:[eax],esp
004BD541 . FF05 0C5F4D00 inc dword ptr ds:[4D5F0C]
004BD547 . 33C0 xor eax,eax
004BD549 . 5A pop edx
004BD54A . 59 pop ecx
004BD54B . 59 pop ecx
004BD54C . 64:8910 mov dword ptr fs:[eax],edx
004BD54F . 68 5CD54B00 push dumped_u.004BD55C
004BD554 > C3 retn ; RET used as a jump to 004BD55C
004BD555 .^ E9 6A6DF4FF jmp dumped_u.004042C4
004BD55A .^ EB F8 jmp short dumped_u.004BD554
004BD55C > 5D pop ebp
004BD55D . C3 retn
对于注册码4-6位必须满足条件的判断可以写成C语言遍历的程序:
/* Exhaustive search over three decimal digits a, b, c that reproduces the
 * add / imul / add / imul / cmp sequence at 004BD486-004BD4BD above and prints
 * every triple that satisfies it.
 * ecx, esi and edi are declared but never used here; edx is set but never read. */
unsigned long int ecx,esi,edi; /* must be unsigned long int here, otherwise Chinese (non-ASCII) registration names are not supported */
unsigned long int edx,ebx,eax; /* same as above */
int a,b,c;
for(a=0;a<=9;a++)
for(b=0;b<=9;b++)
for(c=0;c<=9;c++)
{
eax=b;
ebx=a;
eax+=ebx; /* add eax,ebx */
eax*=ebx; /* imul ebx */
edx=0;
ebx=eax;
eax=c;
eax+=ebx; /* add eax,ebx */
eax*=ebx; /* imul ebx */
ebx=eax;
if(a==ebx) /* cmp ebx,eax at 004BD4BD: the result must equal the first digit */
{
printf("%d %d %d satisfy\n",a,b,c);
}
}
发现只要小于等于100就可以了(高手可能直接看出算法了,我比较笨就遍历了). 但是经过试验发现只有***(//国产软件保护)满足条件,其它的注册能够成功,但是重启后又提示未注册了.
分析到这里就可以总结出注册码的条件了:
1 name一定不能为空,否则会出错!!!
2 name长度要大于等于3,小于等于20。
3 注册码的前3位由用户名计算出来,注册码的4-6位必须为***(//国产软件保护),由注册码的1-9位计算出来10-18位.
这样直接修改原来注册机( eCool[BCG]的 "SitMan PC 复读机 2.0 beta 2 注册算法分析"及其注册机中的注册机)为:
#include "string.h"
#include <stdio.h>
#include <math.h>
/* Entry point: reads a registration name from stdin and prints the computed
 * 18-character serial to stdout. The non-standard `void main()` signature is
 * kept exactly as the author wrote it. */
void main()
{
unsigned long int ecx,esi,edi; /* must be unsigned long int here, otherwise Chinese (non-ASCII) registration names are not supported */
unsigned long int edx,ebx,eax; /* same as above */
int SL; /* edi is SL as NamestrLength*/
unsigned char Namestr[20]; /* 20-byte buffer for the registration name. NOTE(review): gets() below performs no bounds check and the SL>20 test runs only after the buffer has been written, so a name of 20 or more bytes already overflows this array (strlen 20 needs 21 bytes). The array that follows is the alphabet the program itself supplies. */
static unsigned char Conststr[37]={'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','\0'}; /* 36 symbols plus NUL; indexed by the mod-0x24 remainders below */
unsigned char SNstr[19]={'h','s','F','*','*','*','0','0','0','m','e','e','t','M','i','s','s','Y'}; /* placeholder serial, 18 characters plus a zero terminator; the '*' positions are masked by the author ("domestic software protection") */
/* Positions 4-9 of this placeholder serial must be digits; the other positions may be
 * digits or letters, the author filled them in arbitrarily. Positions 4-9 are copied
 * into the final serial and feed the computation of the last nine positions, so they
 * can be changed to any digits you prefer.
 * The scheme: positions 1-3 are derived from the name, then positions 1-9 (the three
 * computed characters plus the digits from the placeholder) are used to derive
 * positions 10-18; the serial is 18 characters in total. */
printf ("This is a CrAck program for ----\n SitMan v2.3 \n");
input:
printf("Your Name is: "); /* Chinese names are supported, English names as well */
gets((char*)Namestr); /* read the registration name (unbounded read, see the Namestr declaration) */
SL=strlen((char*)Namestr); /* length of the registration name */
if(SL<3) /* name shorter than 3 characters: prompt again */
{printf("Name 's Length MUST great than 3\n Try Again ");
goto input;};
if (SL>20)
{printf("Why you like such a long Name? \n Try Short Name Again ");
goto input;};
/* Serial computation starts here */
ecx=1 ; /* mov ecx,01 */
esi=1 ; /* mov esi,01 b62f */
do
{
ebx=1;/*mov ebx,01*/
edi=SL; /* mov edi,eax */
ecx=1; /* mov ecx,01 */
/* b64c */do
{
eax=Namestr[ecx-1];
eax=eax*ebx;
edx=0;
eax=eax+esi;
eax=eax+ecx;
ebx=0x165;
edx=eax&0xffff0000; /*cdq -- this value is overwritten two lines below */
/*edx=(int)eax%(int)ebx;eax=eax/ebx;*/
edx=eax-eax/ebx*ebx; /* remainder of eax divided by 0x165 (unsigned counterpart of idiv ebx) */
ebx=edx;
ecx=ecx+1;
edi=edi-1;}
while (edi>0);
eax=ebx;
ecx=0x24;
edx=eax&0xffff0000; /*cdq */
/*edx=(int)eax%(int)ecx;eax=eax/ecx; idiv ecx*/
edx=eax-eax/ecx*ecx; /* remainder mod 0x24 selects a symbol from Conststr */
eax=Conststr[edx];
SNstr[esi-1]=eax;
esi=esi+1;
}while (esi<4); /* jnz b634 esi<4? */
/* The loop above produced positions 1-3 of the serial; the loop below computes positions 10-18 */
ebx=1; /*mov ebx,01*/
esi=10; /*mov esi.0a */
do{
ecx=1;
do{
eax=SNstr[ecx-1];
eax=eax*ebx; edx=0; /* imul ebx*/
eax=eax+ecx;
eax=eax+esi;
ebx=0x179;
edx=eax&0xffff0000; /*cdq*/
edx=eax-eax/ebx*ebx; /* remainder of eax divided by 0x179 */
ebx=edx;
ecx=ecx+1;}
while(ecx<10);
eax=ebx;
ecx=0x24;
edx=eax&0xffff0000; /*cdq*/
edx=eax-eax/ecx*ecx; /* remainder mod 0x24 selects a symbol from Conststr */
eax=Conststr[edx];
SNstr[esi-1]=eax;
esi=esi+1;}
while(esi<19);
printf("Your SN is:%s \n ",SNstr); /* the computed serial */
printf(" \n Enjoy it! \n");
getchar();
}
即可了.