protectz v1.53

标题：protectz v1.53
作者：lancelot[CCG]
时间：2001
链接：http://bbs.pediy.com

下载：http://newhua.infosail.com/down/protectz.exe

* Referenced by a CALL at Address:
|:0048926F
|
:00488F8C 55 push ebp
:00488F8D 8BEC mov ebp, esp
:00488F8F 83C4B0 add esp, FFFFFFB0
:00488F92 33D2 xor edx, edx
:00488F94 8955B0 mov dword ptr [ebp-50], edx
:00488F97 8955B4 mov dword ptr [ebp-4C], edx
:00488F9A 8955B8 mov dword ptr [ebp-48], edx
:00488F9D 8955BC mov dword ptr [ebp-44], edx
:00488FA0 8955C8 mov dword ptr [ebp-38], edx
:00488FA3 8955C4 mov dword ptr [ebp-3C], edx
:00488FA6 8945FC mov dword ptr [ebp-04], eax
:00488FA9 33C0 xor eax, eax
:00488FAB 55 push ebp
:00488FAC 6898914800 push 00489198
:00488FB1 64FF30 push dword ptr fs:[eax]
:00488FB4 648920 mov dword ptr fs:[eax], esp
:00488FB7 8D55C8 lea edx, dword ptr [ebp-38]
:00488FBA 8B45FC mov eax, dword ptr [ebp-04]
:00488FBD 8B8004030000 mov eax, dword ptr [eax+00000304]
:00488FC3 E8687EFAFF call 00430E30<---------------------------------读取注册码
:00488FC8 8B45C8 mov eax, dword ptr [ebp-38]
:00488FCB 50 push eax
:00488FCC 8D55C4 lea edx, dword ptr [ebp-3C]
:00488FCF 8B45FC mov eax, dword ptr [ebp-04]
:00488FD2 8B8000030000 mov eax, dword ptr [eax+00000300]
:00488FD8 E8537EFAFF call 00430E30<---------------------------------读取用户名
:00488FDD 8B45C4 mov eax, dword ptr [ebp-3C]
:00488FE0 5A pop edx
:00488FE1 E8AEF9FFFF call 00488994<-----------------(1)-------------比较核心，跟入
:00488FE6 85C0 test eax, eax
:00488FE8 0F8482010000 je 00489170
================================================================================================
* Referenced by a CALL at Address:<------------------------call (1)
|:00488FE1
|
:00488994 55 push ebp
:00488995 8BEC mov ebp, esp
:00488997 B905000000 mov ecx, 00000005

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004889A1(C)
|
:0048899C 6A00 push 00000000
:0048899E 6A00 push 00000000
:004889A0 49 dec ecx
:004889A1 75F9 jne 0048899C
:004889A3 51 push ecx
:004889A4 8955F8 mov dword ptr [ebp-08], edx<-------------注册码
:004889A7 8945FC mov dword ptr [ebp-04], eax<-------------用户名
:004889AA 8B45FC mov eax, dword ptr [ebp-04]
:004889AD E86AB6F7FF call 0040401C
:004889B2 8B45F8 mov eax, dword ptr [ebp-08]
:004889B5 E862B6F7FF call 0040401C
:004889BA 33C0 xor eax, eax
:004889BC 55 push ebp
:004889BD 68AE8B4800 push 00488BAE
:004889C2 64FF30 push dword ptr fs:[eax]
:004889C5 648920 mov dword ptr fs:[eax], esp
:004889C8 33C0 xor eax, eax
:004889CA 8945F4 mov dword ptr [ebp-0C], eax
:004889CD 8D45F0 lea eax, dword ptr [ebp-10]
:004889D0 8B55F8 mov edx, dword ptr [ebp-08]
:004889D3 E8A8B2F7FF call 00403C80
:004889D8 8B55F0 mov edx, dword ptr [ebp-10]
:004889DB B8C48B4800 mov eax, 00488BC4
:004889E0 E86FB7F7FF call 00404154<--------------------------注册码中'-'的位置
:004889E5 8845EB mov byte ptr [ebp-15], al<--------------在第9位
:004889E8 807DEB00 cmp byte ptr [ebp-15], 00
:004889EC 0F8687010000 jbe 00488B79<---------------------------没有'-'就完了
:004889F2 33D2 xor edx, edx
:004889F4 8A55EB mov dl, byte ptr [ebp-15]
:004889F7 8D45F0 lea eax, dword ptr [ebp-10]
:004889FA B901000000 mov ecx, 00000001
:004889FF E8ACB6F7FF call 004040B0<--------------------------去掉注册码中的'-'
:00488A04 8B45F0 mov eax, dword ptr [ebp-10]
:00488A07 E85CB4F7FF call 00403E68<--------------------------计算注册码的长度
:00488A0C 83F810 cmp eax, 00000010<----------------------不包括'-',要16位
:00488A0F 0F8564010000 jne 00488B79<---------------------------不然就完蛋
:00488A15 8D45EC lea eax, dword ptr [ebp-14]
:00488A18 E8CBB1F7FF call 00403BE8
:00488A1D C645EB01 mov [ebp-15], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488A60(C)
|
:00488A21 8D45E0 lea eax, dword ptr [ebp-20]
:00488A24 50 push eax
:00488A25 33C0 xor eax, eax
:00488A27 8A45EB mov al, byte ptr [ebp-15]
:00488A2A 8BD0 mov edx, eax
:00488A2C 03D2 add edx, edx
:00488A2E 4A dec edx
:00488A2F B902000000 mov ecx, 00000002
:00488A34 8B45F0 mov eax, dword ptr [ebp-10]<-----------去掉'-'后,的注册码
:00488A37 E834B6F7FF call 00404070<-------------------------取前两位
:00488A3C 8B45E0 mov eax, dword ptr [ebp-20]
:00488A3F E870FDFFFF call 004887B4<-------------------------转换成16进制并放在al中
:00488A44 8BD0 mov edx, eax<--------------------------"12"==>0x12
:00488A46 8D45E4 lea eax, dword ptr [ebp-1C]
:00488A49 E842B3F7FF call 00403D90
:00488A4E 8B55E4 mov edx, dword ptr [ebp-1C]
:00488A51 8D45EC lea eax, dword ptr [ebp-14]
:00488A54 E817B4F7FF call 00403E70
:00488A59 FE45EB inc [ebp-15]
:00488A5C 807DEB09 cmp byte ptr [ebp-15], 09
:00488A60 75BF jne 00488A21<--------------------------循环8次
:00488A62 8D45F0 lea eax, dword ptr [ebp-10]
:00488A65 E87EB1F7FF call 00403BE8
:00488A6A 8B45EC mov eax, dword ptr [ebp-14]
:00488A6D E8F6B3F7FF call 00403E68
:00488A72 84C0 test al, al
:00488A74 7636 jbe 00488AAC
:00488A76 8845EA mov byte ptr [ebp-16], al
:00488A79 C645EB01 mov [ebp-15], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488AAA(C)
|
:00488A7D 8D45DC lea eax, dword ptr [ebp-24]
:00488A80 33D2 xor edx, edx
:00488A82 8A55EB mov dl, byte ptr [ebp-15]
:00488A85 8B4DEC mov ecx, dword ptr [ebp-14]
:00488A88 8A5411FF mov dl, byte ptr [ecx+edx-01]
:00488A8C 8A4DEB mov cl, byte ptr [ebp-15]
:00488A8F 80C134 add cl, 34 12 xor (1+34)==0x27
:00488A92 32D1 xor dl, cl 34 xor (2+34)==0x02
:00488A94 E8F7B2F7FF call 00403D90 56 xor (3+34)==0x61
:00488A99 8B55DC mov edx, dword ptr [ebp-24] 78 xor (4+34)==0x40
:00488A9C 8D45F0 lea eax, dword ptr [ebp-10] 87 xor (5+34)==0xbe
:00488A9F E8CCB3F7FF call 00403E70 65 xor (6+34)==0x5f
:00488AA4 FE45EB inc [ebp-15] 43 xor (7+34)==0x78
:00488AA7 FE4DEA dec [ebp-16]<----------------------- 21 xor (8+34)==0x1d
:00488AAA 75D1 jne 00488A7D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488A74(C)
|
:00488AAC 8D45EC lea eax, dword ptr [ebp-14]
:00488AAF 50 push eax
:00488AB0 B9BB000000 mov ecx, 000000BB
:00488AB5 BA07000000 mov edx, 00000007
:00488ABA 8B45F0 mov eax, dword ptr [ebp-10]<-----------27 02 61 40 be 5f 78 1d
:00488ABD E8AEFDFFFF call 00488870<--------------(1.1)------计算出8位的用户名,跟入
:00488AC2 8D45F0 lea eax, dword ptr [ebp-10]
:00488AC5 E81EB1F7FF call 00403BE8
:00488ACA 8B45FC mov eax, dword ptr [ebp-04]<-----------输入的用户名
:00488ACD E896B3F7FF call 00403E68<-------------------------计算长度
:00488AD2 84C0 test al, al
:00488AD4 764C jbe 00488B22
:00488AD6 8845EA mov byte ptr [ebp-16], al
:00488AD9 C645EB01 mov [ebp-15], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488B20(C)
|
:00488ADD 33C0 xor eax, eax
:00488ADF 8A45EB mov al, byte ptr [ebp-15]
:00488AE2 8B55FC mov edx, dword ptr [ebp-04]
:00488AE5 807C02FF20 cmp byte ptr [edx+eax-01], 20<---------是否小于0x20
:00488AEA 762E jbe 00488B1A
:00488AEC 33C0 xor eax, eax
:00488AEE 8A45EB mov al, byte ptr [ebp-15]
:00488AF1 8B55FC mov edx, dword ptr [ebp-04]
:00488AF4 807C02FF7B cmp byte ptr [edx+eax-01], 7B<---------是否大于0x7b
:00488AF9 731F jnb 00488B1A
:00488AFB 8D45D8 lea eax, dword ptr [ebp-28]
:00488AFE 33D2 xor edx, edx
:00488B00 8A55EB mov dl, byte ptr [ebp-15]
:00488B03 8B4DFC mov ecx, dword ptr [ebp-04]
:00488B06 8A5411FF mov dl, byte ptr [ecx+edx-01]
:00488B0A E881B2F7FF call 00403D90
:00488B0F 8B55D8 mov edx, dword ptr [ebp-28]
:00488B12 8D45F0 lea eax, dword ptr [ebp-10]
:00488B15 E856B3F7FF call 00403E70

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00488AEA(C), :00488AF9(C)
|
:00488B1A FE45EB inc [ebp-15]
:00488B1D FE4DEA dec [ebp-16]
:00488B20 75BB jne 00488ADD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488AD4(C)
|
:00488B22 8D55D4 lea edx, dword ptr [ebp-2C]
:00488B25 8B45F0 mov eax, dword ptr [ebp-10]
:00488B28 E8D3FAF7FF call 00408600<------------------------转换成大写字母
:00488B2D 8B55D4 mov edx, dword ptr [ebp-2C]
:00488B30 8D45F0 lea eax, dword ptr [ebp-10]
:00488B33 E848B1F7FF call 00403C80
:00488B38 8B45F0 mov eax, dword ptr [ebp-10]
:00488B3B E828B3F7FF call 00403E68
:00488B40 83F808 cmp eax, 00000008<-------------------要大于8个字
:00488B43 7E0D jle 00488B52
:00488B45 8D45F0 lea eax, dword ptr [ebp-10]
:00488B48 BA08000000 mov edx, 00000008
:00488B4D E84AB6F7FF call 0040419C<-----------------------取前8个字

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488B43(C)
|
:00488B52 8B45F0 mov eax, dword ptr [ebp-10]
:00488B55 E80EB3F7FF call 00403E68
:00488B5A 8BD0 mov edx, eax
:00488B5C 8D45EC lea eax, dword ptr [ebp-14]
:00488B5F E838B6F7FF call 0040419C
:00488B64 8B45EC mov eax, dword ptr [ebp-14]
:00488B67 8B55F0 mov edx, dword ptr [ebp-10]
:00488B6A E809B4F7FF call 00403F78<--------------------输入的用户名和
:00488B6F 0F94C0 sete al 由注册码算出的用户名比较
:00488B72 F6D8 neg al
:00488B74 1BC0 sbb eax, eax
:00488B76 8945F4 mov dword ptr [ebp-0C], eax<----------此处让eax==1则注册成功

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004889EC(C), :00488A0F(C)
|
:00488B79 33C0 xor eax, eax
:00488B7B 5A pop edx
:00488B7C 59 pop ecx
:00488B7D 59 pop ecx
:00488B7E 648910 mov dword ptr fs:[eax], edx
:00488B81 68B58B4800 push 00488BB5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488BB3(U)
|
:00488B86 8D45D4 lea eax, dword ptr [ebp-2C]
:00488B89 BA05000000 mov edx, 00000005
:00488B8E E879B0F7FF call 00403C0C
:00488B93 8D45EC lea eax, dword ptr [ebp-14]
:00488B96 BA02000000 mov edx, 00000002
:00488B9B E86CB0F7FF call 00403C0C
:00488BA0 8D45F8 lea eax, dword ptr [ebp-08]
:00488BA3 BA02000000 mov edx, 00000002
:00488BA8 E85FB0F7FF call 00403C0C
:00488BAD C3 ret
================================================================================================
* Referenced by a CALL at Address:<----------------------------call (1.1)
|:00488ABD
|
:00488870 55 push ebp
:00488871 8BEC mov ebp, esp
:00488873 83C4D4 add esp, FFFFFFD4
:00488876 53 push ebx
:00488877 33DB xor ebx, ebx
:00488879 895DD4 mov dword ptr [ebp-2C], ebx
:0048887C 895DEC mov dword ptr [ebp-14], ebx
:0048887F 894DF4 mov dword ptr [ebp-0C], ecx
:00488882 8955F8 mov dword ptr [ebp-08], edx
:00488885 8945FC mov dword ptr [ebp-04], eax
:00488888 8B45FC mov eax, dword ptr [ebp-04]
:0048888B E88CB7F7FF call 0040401C
:00488890 33C0 xor eax, eax
:00488892 55 push ebp
:00488893 6884894800 push 00488984
:00488898 64FF30 push dword ptr fs:[eax]
:0048889B 648920 mov dword ptr fs:[eax], esp
:0048889E 8B45FC mov eax, dword ptr [ebp-04]
:004888A1 E8C2B5F7FF call 00403E68
:004888A6 8845F1 mov byte ptr [ebp-0F], al
:004888A9 807DF108 cmp byte ptr [ebp-0F], 08
:004888AD 7604 jbe 004888B3
:004888AF C645F108 mov [ebp-0F], 08

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004888AD(C)
|
:004888B3 8D45EC lea eax, dword ptr [ebp-14]
:004888B6 E82DB3F7FF call 00403BE8
:004888BB 8A45F1 mov al, byte ptr [ebp-0F]
:004888BE 84C0 test al, al
:004888C0 0F868D000000 jbe 00488953
:004888C6 8845DF mov byte ptr [ebp-21], al
:004888C9 C645F201 mov [ebp-0E], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048894D(C)
|
:004888CD 33C0 xor eax, eax
:004888CF 8A45F2 mov al, byte ptr [ebp-0E]
:004888D2 8B55FC mov edx, dword ptr [ebp-04]
:004888D5 8A4402FF mov al, byte ptr [edx+eax-01]
:004888D9 8845F3 mov byte ptr [ebp-0D], al
:004888DC C745E401000000 mov [ebp-1C], 00000001
:004888E3 33C0 xor eax, eax
:004888E5 8A45F3 mov al, byte ptr [ebp-0D]
:004888E8 8945E8 mov dword ptr [ebp-18], eax
:004888EB 8B45F8 mov eax, dword ptr [ebp-08]
:004888EE 85C0 test eax, eax
:004888F0 763A jbe 0048892C
:004888F2 8945D8 mov dword ptr [ebp-28], eax
:004888F5 C745E001000000 mov [ebp-20], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048892A(C)
|
:004888FC 8B45E4 mov eax, dword ptr [ebp-1C]<----------0x1
:004888FF F76DE8 imul [ebp-18]<------------------------0x1*0x27==0x27
:00488902 8945E4 mov dword ptr [ebp-1C], eax<----------0xbb
:00488905 8B45F4 mov eax, dword ptr [ebp-0C]<----------0xbb
:00488908 F76DF4 imul [ebp-0C]<------------------------0xbb*0xbb==0x8899
:0048890B 3B45E4 cmp eax, dword ptr [ebp-1C]<----------0x27 < 0x8899 ?
:0048890E 7314 jnb 00488924<-------------------------再乘
:00488910 8B45F4 mov eax, dword ptr [ebp-0C]<----------0xbb
:00488913 F76DF4 imul [ebp-0C]<------------------------0x8899
:00488916 50 push eax
:00488917 8B45E4 mov eax, dword ptr [ebp-1C]
:0048891A 5A pop edx
:0048891B 8BCA mov ecx, edx
:0048891D 33D2 xor edx, edx
:0048891F F7F1 div ecx<------------------------------(0x1*0x27*0x27*0x27)%0x8899==0x5f1e
:00488921 8955E4 mov dword ptr [ebp-1C], edx<----------0x5f1e

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048890E(C)
|
:00488924 FF45E0 inc [ebp-20]
:00488927 FF4DD8 dec [ebp-28]<-------------------------乘7次
:0048892A 75D0 jne 004888FC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004888F0(C)
|
:0048892C 8B45E4 mov eax, dword ptr [ebp-1C]<----------最后的结果0x68f6
:0048892F 33D2 xor edx, edx
:00488931 F775F4 div [ebp-0C]<-------------------------0x68f6%0xbb==0x81
:00488934 8D45D4 lea eax, dword ptr [ebp-2C]<----------用户名的第一个字的ASCII值
:00488937 E854B4F7FF call 00403D90 要等于0x81
:0048893C 8B55D4 mov edx, dword ptr [ebp-2C]
:0048893F 8D45EC lea eax, dword ptr [ebp-14]
:00488942 E829B5F7FF call 00403E70
:00488947 FE45F2 inc [ebp-0E]
:0048894A FE4DDF dec [ebp-21]<-------------------------循环计算8个字
:0048894D 0F857AFFFFFF jne 004888CD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004888C0(C)
|
:00488953 8B4508 mov eax, dword ptr [ebp+08]
:00488956 8B55EC mov edx, dword ptr [ebp-14]
:00488959 E8DEB2F7FF call 00403C3C
:0048895E 33C0 xor eax, eax
:00488960 5A pop edx
:00488961 59 pop ecx
:00488962 59 pop ecx
:00488963 648910 mov dword ptr fs:[eax], edx
:00488966 688B894800 push 0048898B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488989(U)
|
:0048896B 8D45D4 lea eax, dword ptr [ebp-2C]
:0048896E E875B2F7FF call 00403BE8
:00488973 8D45EC lea eax, dword ptr [ebp-14]
:00488976 E86DB2F7FF call 00403BE8
:0048897B 8D45FC lea eax, dword ptr [ebp-04]
:0048897E E865B2F7FF call 00403BE8
:00488983 C3 ret
===============================================================================================
算法总结：

用户名：lancelot[CCG]的前8个字转换成大写LANCELOT==0x4c 0x41 0x4e 0x43 0x45 0x4c 0x4f 0x54
注册码：i0 i1 i2 i3 i4 i5 i6 i7 - i8 i9 ia ib ic id ie if
则： 0x4c xor 0x35==0x79, 0x41 xor 0x36==0x77, 0x4e xor 0x37==0x79, 0x43 xor 0x38==0x7b
0x45 xor 0x39==0x7c, 0x4c xor 0x3a==0x76, 0x4f xor 0x3b==0x74, 0x54 xor 0x3c==0x68

假设：已知0xi是一个两位的16进制数
(1) 1*0xi==0xi
(2) 如果 0xi*0xi>=0x8899 则取余--(0xi*0xi)%0x8899,余数参与下面计算
否则用0xi*0xi参与下面计算
(3) 如果 ((2)的结果*0xi)>=0x8899 则取余--((2)的结果*0xi)%0x8899,余数参与下面计算
否则用(2)的结果*0xi)参与下面计算,以下同
(4) 同上
(5) 同上
(6) 同上
(7) 同上
(8) 最后取余--(7)的结果%0xbb==A

例:(1) 1*0x27==0x27
(2) 0x27*0x27==0x0x5f1 < 0x8899
(3) 0x05f1*0x27==0xe7b7 >0x8899 取余 0xe7b7%0x8899==0x5f1e
(4) 0x5f1e*0x27==0xe7d92>0x8899 取余 0xe7d92%0x8899==0x156f
(5) 0x156f*0x27==0x343e9>0x8899 取余 0x343e9%0x8899==0x1053
(6) 0x1053*0x27==0x27ca5>0x8899 取余 0x27ca5%0x8899==0x5a41
(7) 0x5a41*0x27==0xdbfe7>0x8899 取余 0xdbfe7%0x8899==0x68f6
(8) 最后 0x68f6%0xbb==0x81

让 A 依次等于用户名的前8个字与0x35~0x3c异或后的值,逆运算求出0xi,即为注册码。

感谢hying的帮助,唯小弟愚钝,求逆运算,无果... ...
只好编个小程序穷举它：

#include <stdio.h>

void main()
{
  int A=1;
  char username[30];

  printf("Please enter your username(in capitals): ");
  gets(username);
  printf("your register code is: ");

  for(int i=0;i<8;i++)
  {
      for(int j=1;j<4095;j++)
      {
          for(int k=0;k<7;k++)
          {
              if(A*j>=34969)   A=(A*j)%34969;
              else A=A*j;
          }
          if(A>=187) A=A%187;
          if(A==username[i])
          {
if(i==4) printf(" - ");
              printf("%x ",j^(53+i));
              A=1;
              break;
          }
          else A=1;

      }
  }

  printf("\n");

}
=================================================================================================
用户名：lancelot[CCG]
注册码：15b80f7b-b01a9659

,;~;,
/\_
( /
(() //)
| \\ ,,;;'\
__ _( )m=(lancelot(================--------
/' ' '()/~' '.(, |
,;( )|| | ~
,;' \ /-(.;, ) 兰斯洛特[CCG][FCG]
) / ) /
// || 2001.09.25
)_\ )_\
========================================================