mtasia V3.0.2

标题：Camtasia V3.0.2
作者：cyclotron
时间：2003/02/11 11:41am
链接：http://bbs.pediy.com

破解对象：Camtasia V3.0.2

破解工具：TRW2000 V1.22

软件简介：

Camtasia是套屏幕摄影及影像制造工具，它能帮助你做演出、软件辅助、及自动文件。你可以用它来建立AVI或影像文件、捕捉整个屏幕或局部放大、加入特效等。它的Producer功能让你可以修剪、切割、或贴上AVI影像修剪片段，及记录你的叙述。Camtasia包含一个特别的程序，具有功能强大的压缩功能，能存成AVI或ASF格式，且拥有高分辨率。
版本2.0有实时输出功能，可以在网上传送desktop activity。你能透过电子邮件、于网站上、在网上、或于CD片上共享你的Camtasia屏幕录像。它有ScreenPad及Watermark效果，能将批注、标题、标识、及其它图形加入至影片中。
版本2.0.1主要是错误修改后的版本。然而它也增加了一些强化功能，如支持Real Video 8及修改了原本支持common line options的功能。

这个软件我跟踪了很久，直到昨晚才跟出来（我菜啊！毕竟学crack才半年不到）。这个软件的验证过程是我crack到现在最难找的一个，能找到注册码对我这样的初学者来说实在是有90％的运气。不过我想分析过程中的一些思路还是可以给和我一样的初学者借鉴一下，所以在这里把过程贴出来。
老规矩，先填入用户名和假的注册码1213141516171819（为什么要18位？后面会解释到），下断点bpx hmemcpy 开始跟踪。
017F:00449B09 50 PUSH EAX
017F:00449B0A 51 PUSH ECX
017F:00449B0B 8B8E94000000 MOV ECX,[ESI+94]
017F:00449B11 56 PUSH ESI
017F:00449B12 E8E9E3FFFF CALL 00447F00－－－－call（1），关键，进入
017F:00449B17 8BD8 MOV EBX,EAX
F10带过上面这个call是会出现注册失败提示，按照常规的切入点应往上找可疑的跳转，但我跟踪了很久都没有找到，无奈之下走进了这个call，才发现真正的验证过程就在这个call中。虽然以前看到过这种软件，但我自己还是第一次碰到。
****************************************************
call（1）：
17F:00447F00 53 PUSH EBX
017F:00447F01 55 PUSH EBP
017F:00447F02 8B6C2414 MOV EBP,[ESP+14]
017F:00447F06 56 PUSH ESI
017F:00447F07 8BF1 MOV ESI,ECX
017F:00447F09 57 PUSH EDI
017F:00447F0A 8B4500 MOV EAX,[EBP+00]－－－－假注册码地址入eax
017F:00447F0D 8B48F8 MOV ECX,[EAX-08]－－－－假注册码长度入ecx
017F:00447F10 85C9 TEST ECX,ECX－－－－测试输入的用户名长度是否为零？
017F:00447F12 7518 JNZ 00447F2C
017F:00447F14 6AFF PUSH BYTE -01
017F:00447F16 6A00 PUSH BYTE +00
017F:00447F18 683E280000 PUSH DWORD 283E
017F:00447F1D E8E31B0600 CALL 004A9B05
017F:00447F22 5F POP EDI
017F:00447F23 5E POP ESI
017F:00447F24 5D POP EBP
017F:00447F25 6633C0 XOR AX,AX
017F:00447F28 5B POP EBX
017F:00447F29 C20C00 RET 0C
017F:00447F2C 8B7C2418 MOV EDI,[ESP+18]
017F:00447F30 8BCF MOV ECX,EDI
017F:00447F32 E881520500 CALL 0049D1B8
017F:00447F37 8B07 MOV EAX,[EDI]－－－－注册码地址入eax
017F:00447F39 8B58F8 MOV EBX,[EAX-08]－－－注册码长度入ebx
017F:00447F3C 83FB0E CMP EBX,BYTE +0E－－－－比较注册码位数是否大于0Eh
017F:00447F3F 0F8CB9000000 JL NEAR 00447FFE
017F:00447F45 689CD44E00 PUSH DWORD 004ED49C
017F:00447F4A 50 PUSH EAX－－－－注册码地址入栈
017F:00447F4B E830370100 CALL 0045B680－－－－call(2)，检验注册码中的字符是否为“123456789ABCDEF－”之一，若有不是的就出错
017F:00447F50 83C408 ADD ESP,BYTE +08
017F:00447F53 3BC3 CMP EAX,EBX－－－－测试注册码有效长度，call（2）结果正确就不跳
017F:00447F55 0F85A3000000 JNZ NEAR 00447FFE
017F:00447F5B 6800374F00 PUSH DWORD 004F3700
017F:00447F60 6898D44E00 PUSH DWORD 004ED498
017F:00447F65 8BCF MOV ECX,EDI
017F:00447F67 E8BC4A0500 CALL 0049CA28
017F:00447F6C 8B07 MOV EAX,[EDI]
017F:00447F6E 8B4D00 MOV ECX,[EBP+00]
017F:00447F71 8B16 MOV EDX,[ESI]
017F:00447F73 50 PUSH EAX
017F:00447F74 51 PUSH ECX
017F:00447F75 8BCE MOV ECX,ESI
017F:00447F77 FF520C CALL NEAR [EDX+0C]－－－－－有问题！进入！
017F:00447F7A 8BD8 MOV EBX,EAX
017F:00447F7C 80FB01 CMP BL,01
017F:00447F7F 7545 JNZ 00447FC6－－－－－－call（3）关键跳转！跳就完了！
017F:00447F81 C7460401000000 MOV DWORD [ESI+04],01
017F:00447F88 C7460C00000000 MOV DWORD [ESI+0C],00
017F:00447F8F 8B07 MOV EAX,[EDI]
017F:00447F91 8BCE MOV ECX,ESI
017F:00447F93 50 PUSH EAX
017F:00447F94 6894C24E00 PUSH DWORD 004EC294
017F:00447F99 E882FDFFFF CALL 00447D20
017F:00447F9E 8B4D00 MOV ECX,[EBP+00]
017F:00447FA1 51 PUSH ECX
017F:00447FA2 68B4C24E00 PUSH DWORD 004EC2B4
017F:00447FA7 8BCE MOV ECX,ESI
017F:00447FA9 E872FDFFFF CALL 00447D20
017F:00447FAE 8B542414 MOV EDX,[ESP+14]
017F:00447FB2 57 PUSH EDI
017F:00447FB3 55 PUSH EBP
017F:00447FB4 52 PUSH EDX
017F:00447FB5 8BCE MOV ECX,ESI
017F:00447FB7 E864000000 CALL 00448020
017F:00447FBC 5F POP EDI
017F:00447FBD 5E POP ESI
017F:00447FBE 668BC3 MOV AX,BX
017F:00447FC1 5D POP EBP
017F:00447FC2 5B POP EBX
017F:00447FC3 C20C00 RET 0C
017F:00447FC6 53 PUSH EBX
017F:00447FC7 8BCE MOV ECX,ESI
017F:00447FC9 E822FDFFFF CALL 00447CF0
017F:00447FCE 85C0 TEST EAX,EAX
017F:00447FD0 6AFF PUSH BYTE -01
017F:00447FD2 6A00 PUSH BYTE +00
017F:00447FD4 7414 JZ 00447FEA－检验是否为老版本的序列号，不是则跳，转向出错处
017F:00447FD6 6841280000 PUSH DWORD 2841
017F:00447FDB E8251B0600 CALL 004A9B05
017F:00447FE0 5F POP EDI
017F:00447FE1 5E POP ESI
017F:00447FE2 668BC3 MOV AX,BX
017F:00447FE5 5D POP EBP
017F:00447FE6 5B POP EBX
017F:00447FE7 C20C00 RET 0C
017F:00447FEA 683D280000 PUSH DWORD 283D
017F:00447FEF E8111B0600 CALL 004A9B05
017F:00447FF4 5F POP EDI
017F:00447FF5 5E POP ESI
017F:00447FF6 668BC3 MOV AX,BX
017F:00447FF9 5D POP EBP
017F:00447FFA 5B POP EBX

**********************************************************************
call（2）：
017F:0045B680 55 PUSH EBP
017F:0045B681 8BEC MOV EBP,ESP
017F:0045B683 56 PUSH ESI
017F:0045B684 33C0 XOR EAX,EAX
017F:0045B686 50 PUSH EAX
017F:0045B687 50 PUSH EAX
017F:0045B688 50 PUSH EAX
017F:0045B689 50 PUSH EAX
017F:0045B68A 50 PUSH EAX
017F:0045B68B 50 PUSH EAX
017F:0045B68C 50 PUSH EAX
017F:0045B68D 50 PUSH EAX
017F:0045B68E 8B550C MOV EDX,[EBP+0C]
017F:0045B691 8D4900 LEA ECX,[ECX+00]
017F:0045B694 8A02 MOV AL,[EDX]
017F:0045B696 0AC0 OR AL,AL
017F:0045B698 7407 JZ 0045B6A1
017F:0045B69A 42 INC EDX
017F:0045B69B 0FAB0424 BTS [ESP],EAX
017F:0045B69F EBF3 JMP SHORT 0045B694
017F:0045B6A1 8B7508 MOV ESI,[EBP+08]
017F:0045B6A4 83C9FF OR ECX,BYTE -01
017F:0045B6A7 90 NOP
017F:0045B6A8 41 INC ECX
017F:0045B6A9 8A06 MOV AL,[ESI]－－－依次取注册码每一位的ASCII码
017F:0045B6AB 0AC0 OR AL,AL
017F:0045B6AD 7407 JZ 0045B6B6－－－－是否结束？
017F:0045B6AF 46 INC ESI
017F:0045B6B0 0FA30424 BT [ESP],EAX
017F:0045B6B4 72F2 JC 0045B6A8
017F:0045B6B6 8BC1 MOV EAX,ECX
017F:0045B6B8 83C420 ADD ESP,BYTE +20
017F:0045B6BB 5E POP ESI
017F:0045B6BC C9 LEAVE

**********************************************************************
call（3）：
注意：这个call的后半部分有大量的跳向436E7E的跳转，可以判断这些是跳向出错处的，所以在跟踪过程中要把握好程序走向。
017F:00436CD0 6AFF PUSH BYTE -01
017F:00436CD2 68A0E84B00 PUSH DWORD 004BE8A0
017F:00436CD7 64A100000000 MOV EAX,[FS:00]
017F:00436CDD 50 PUSH EAX
017F:00436CDE 64892500000000 MOV [FS:00],ESP
017F:00436CE5 83EC58 SUB ESP,BYTE +58
017F:00436CE8 8B44246C MOV EAX,[ESP+6C]
017F:00436CEC 53 PUSH EBX
017F:00436CED 56 PUSH ESI
017F:00436CEE 57 PUSH EDI
017F:00436CEF 50 PUSH EAX
017F:00436CF0 8D4C247C LEA ECX,[ESP+7C]
017F:00436CF4 C744241800000000 MOV DWORD [ESP+18],00
017F:00436CFC C744242006000000 MOV DWORD [ESP+20],06
017F:00436D04 C644241300 MOV BYTE [ESP+13],00
017F:00436D09 B301 MOV BL,01
017F:00436D0B E86FDB0600 CALL 004A487F
017F:00436D10 8B0DB4D84E00 MOV ECX,[004ED8B4]
017F:00436D16 C744246C00000000 MOV DWORD [ESP+6C],00
017F:00436D1E 894C2410 MOV [ESP+10],ECX
017F:00436D22 8D542418 LEA EDX,[ESP+18]
017F:00436D26 6A04 PUSH BYTE +04
017F:00436D28 52 PUSH EDX
017F:00436D29 8D8C2480000000 LEA ECX,[ESP+80]
017F:00436D30 885C2474 MOV [ESP+74],BL
017F:00436D34 E85C5F0600 CALL 0049CC95
017F:00436D39 50 PUSH EAX
017F:00436D3A 8D4C2414 LEA ECX,[ESP+14]
017F:00436D3E C644247002 MOV BYTE [ESP+70],02
017F:00436D43 E802DC0600 CALL 004A494A
017F:00436D48 8D4C2418 LEA ECX,[ESP+18]
017F:00436D4C 885C246C MOV [ESP+6C],BL
017F:00436D50 E8BCDA0600 CALL 004A4811
017F:00436D55 8B442478 MOV EAX,[ESP+78]
017F:00436D59 8D4C2418 LEA ECX,[ESP+18]
017F:00436D5D 8B40F8 MOV EAX,[EAX-08]
017F:00436D60 83C0FC ADD EAX,BYTE -04
017F:00436D63 50 PUSH EAX
017F:00436D64 51 PUSH ECX
017F:00436D65 8D8C2480000000 LEA ECX,[ESP+80]
017F:00436D6C E8A05F0600 CALL 0049CD11
017F:00436D71 50 PUSH EAX
017F:00436D72 8D4C247C LEA ECX,[ESP+7C]
017F:00436D76 C644247003 MOV BYTE [ESP+70],03
017F:00436D7B E8CADB0600 CALL 004A494A
017F:00436D80 8D4C2418 LEA ECX,[ESP+18]
017F:00436D84 885C246C MOV [ESP+6C],BL
017F:00436D88 E884DA0600 CALL 004A4811
017F:00436D8D 33D2 XOR EDX,EDX
017F:00436D8F 8B742478 MOV ESI,[ESP+78]
017F:00436D93 89542420 MOV [ESP+20],EDX
017F:00436D97 8D7C2420 LEA EDI,[ESP+20]
017F:00436D9B 89542424 MOV [ESP+24],EDX
017F:00436D9F 6A10 PUSH BYTE +10
017F:00436DA1 8954242C MOV [ESP+2C],EDX
017F:00436DA5 6689542430 MOV [ESP+30],DX
017F:00436DAA 88542432 MOV [ESP+32],DL
017F:00436DAE 8B4EF8 MOV ECX,[ESI-08]
017F:00436DB1 8BC1 MOV EAX,ECX
017F:00436DB3 52 PUSH EDX
017F:00436DB4 C1E902 SHR ECX,02
017F:00436DB7 F3A5 REP MOVSD
017F:00436DB9 8BC8 MOV ECX,EAX
017F:00436DBB 83E103 AND ECX,BYTE +03
017F:00436DBE F3A4 REP MOVSB
017F:00436DC0 8B4C2418 MOV ECX,[ESP+18]
017F:00436DC4 51 PUSH ECX
017F:00436DC5 E8D7450200 CALL 0045B3A1
017F:00436DCA 8D54243C LEA EDX,[ESP+3C]
017F:00436DCE 89442420 MOV [ESP+20],EAX
017F:00436DD2 52 PUSH EDX
017F:00436DD3 E878190100 CALL 00448750
017F:00436DD8 83C410 ADD ESP,BYTE +10
017F:00436DDB 85C0 TEST EAX,EAX
017F:00436DDD 7507 JNZ 00436DE6
017F:00436DDF 32DB XOR BL,BL
017F:00436DE1 E998000000 JMP 00436E7E
017F:00436DE6 8D44241C LEA EAX,[ESP+1C]
017F:00436DEA 6A02 PUSH BYTE +02
017F:00436DEC 8D4C2434 LEA ECX,[ESP+34]
017F:00436DF0 50 PUSH EAX
017F:00436DF1 51 PUSH ECX
017F:00436DF2 E869190100 CALL 00448760
017F:00436DF7 83C40C ADD ESP,BYTE +0C
017F:00436DFA 85C0 TEST EAX,EAX
017F:00436DFC 7504 JNZ 00436E02
017F:00436DFE 32DB XOR BL,BL
017F:00436E00 EB7C JMP SHORT 00436E7E
017F:00436E02 8D542414 LEA EDX,[ESP+14]
017F:00436E06 6A02 PUSH BYTE +02
017F:00436E08 8D442434 LEA EAX,[ESP+34]
017F:00436E0C 52 PUSH EDX
017F:00436E0D 50 PUSH EAX
017F:00436E0E E84D190100 CALL 00448760
017F:00436E13 83C40C ADD ESP,BYTE +0C
017F:00436E16 85C0 TEST EAX,EAX
017F:00436E18 7504 JNZ 00436E1E
017F:00436E1A 32DB XOR BL,BL
017F:00436E1C EB60 JMP SHORT 00436E7E
017F:00436E1E 8D4C2420 LEA ECX,[ESP+20]
017F:00436E22 8D542430 LEA EDX,[ESP+30]
017F:00436E26 51 PUSH ECX
017F:00436E27 52 PUSH EDX
017F:00436E28 E8131A0100 CALL 00448840－－call（4），这个调用检验注册码的前八位是否正确
017F:00436E2D 83C408 ADD ESP,BYTE +08
017F:00436E30 85C0 TEST EAX,EAX
017F:00436E32 7509 JNZ 00436E3D－－－－正确就跳
017F:00436E34 32DB XOR BL,BL
017F:00436E36 C644240F0A MOV BYTE [ESP+0F],0A
017F:00436E3B EB41 JMP SHORT 00436E7E
017F:00436E3D 8B442478 MOV EAX,[ESP+78]－－注册码地址入eax，此时注册码第15位已置'\0'
017F:00436E41 8378F80E CMP DWORD [EAX-08],BYTE +0E
017F:00436E45 7C30 JL 00436E77－－若注册码长度为18位，这里就不跳
017F:00436E47 83C00C ADD EAX,BYTE +0C
017F:00436E4A 6A02 PUSH BYTE +02
017F:00436E4C 50 PUSH EAX
017F:00436E4D E85E190100 CALL 004487B0－－－call（5),取得注册码的15，16位，eax返回15，16位组成的十六进制值
017F:00436E52 83C408 ADD ESP,BYTE +08
017F:00436E55 83F841 CMP EAX,BYTE +41－－－比较上面的返回值是否大于等于41h
017F:00436E58 7304 JNC 00436E5E－－－大于等于41h就跳
017F:00436E5A 33C0 XOR EAX,EAX
017F:00436E5C EB08 JMP SHORT 00436E66
017F:00436E5E 83E841 SUB EAX,BYTE +41－－eax＝eax－41h
017F:00436E61 83F830 CMP EAX,BYTE +30－－比较eax值是否还大于等于30h
017F:00436E64 7303 JNC 00436E69－－－大于等于30h就跳（这里跳就注册成功了）
017F:00436E66 83C00D ADD EAX,BYTE +0D－－eax=eax+0Dh
017F:00436E69 83F82E CMP EAX,BYTE +2E－－－比较eax值是否大于等于2Eh
017F:00436E6C 7310 JNC 00436E7E－－－大于等于2Eh就跳（这里跳就注册成功了），总起来说，注册码15，16两位构成的十六进制值只要大于等于62h就可以了。
017F:00436E6E 32DB XOR BL,BL
017F:00436E70 C644240F0B MOV BYTE [ESP+0F],0B
017F:00436E75 EB07 JMP SHORT 00436E7E
017F:00436E77 32DB XOR BL,BL
017F:00436E79 C644240F0C MOV BYTE [ESP+0F],0C
017F:00436E7E 33C0 XOR EAX,EAX
017F:00436E80 8D4C2410 LEA ECX,[ESP+10]
017F:00436E84 8A64240F MOV AH,[ESP+0F]
017F:00436E88 C644246C00 MOV BYTE [ESP+6C],00
017F:00436E8D 8AC3 MOV AL,BL
017F:00436E8F 8BF0 MOV ESI,EAX
017F:00436E91 E87BD90600 CALL 004A4811
017F:00436E96 8D4C2478 LEA ECX,[ESP+78]
017F:00436E9A C744246CFFFFFFFF MOV DWORD [ESP+6C],FFFFFFFF
017F:00436EA2 E86AD90600 CALL 004A4811
017F:00436EA7 8B4C2464 MOV ECX,[ESP+64]
017F:00436EAB 668BC6 MOV AX,SI
017F:00436EAE 5F POP EDI
017F:00436EAF 5E POP ESI
017F:00436EB0 5B POP EBX
017F:00436EB1 64890D00000000 MOV [FS:00],ECX
**************************************************************
call（4）：
017F:00448840 83EC7C SUB ESP,BYTE +7C
017F:00448843 33C0 XOR EAX,EAX－－－eax清零
017F:00448845 B930000000 MOV ECX,30－－－ecx＝30
017F:0044884A 8BD0 MOV EDX,EAX－－－edx初值为零，每次递增1
017F:0044884C 81E2FFFF0000 AND EDX,FFFF
017F:00448852 40 INC EAX－－eax＝eax＋1
017F:00448853 884C1404 MOV [ESP+EDX+04],CL－－－cl的值送指定地址，即在那里产生0－9的ASCII码
017F:00448857 41 INC ECX
017F:00448858 6683F939 CMP CX,BYTE +39－－－－是否产生完毕？
017F:0044885C 76EC JNA 0044884A－－－－－－这个循环产生“123456789”
017F:0044885E B941000000 MOV ECX,41
017F:00448863 8BD0 MOV EDX,EAX
017F:00448865 81E2FFFF0000 AND EDX,FFFF
017F:0044886B 40 INC EAX
017F:0044886C 884C1404 MOV [ESP+EDX+04],CL
017F:00448870 41 INC ECX
017F:00448871 6683F946 CMP CX,BYTE +46
017F:00448875 76EC JNA 00448863－－－同上，这个循环产生“ABCDEF”
017F:00448877 53 PUSH EBX
017F:00448878 8B9C2488000000 MOV EBX,[ESP+88]
017F:0044887F 56 PUSH ESI
017F:00448880 89442408 MOV [ESP+08],EAX
017F:00448884 57 PUSH EDI
017F:00448885 8D430C LEA EAX,[EBX+0C]
017F:00448888 6A02 PUSH BYTE +02
017F:0044888A 50 PUSH EAX
017F:0044888B E820FFFFFF CALL 004487B0
017F:00448890 8BB42494000000 MOV ESI,[ESP+94]
017F:00448897 8D4C2414 LEA ECX,[ESP+14]
017F:0044889B 6A02 PUSH BYTE +02
017F:0044889D 51 PUSH ECX
017F:0044889E 56 PUSH ESI
017F:0044889F 89442420 MOV [ESP+20],EAX
017F:004488A3 E8B8FEFFFF CALL 00448760
017F:004488A8 8D5308 LEA EDX,[EBX+08]
017F:004488AB 6A04 PUSH BYTE +04
017F:004488AD 52 PUSH EDX
017F:004488AE E8FDFEFFFF CALL 004487B0
017F:004488B3 89442428 MOV [ESP+28],EAX
017F:004488B7 8D442428 LEA EAX,[ESP+28]
017F:004488BB 6A02 PUSH BYTE +02
017F:004488BD 50 PUSH EAX
017F:004488BE 56 PUSH ESI
017F:004488BF E89CFEFFFF CALL 00448760
017F:004488C4 8D4C2458 LEA ECX,[ESP+58]
017F:004488C8 51 PUSH ECX
017F:004488C9 E882000000 CALL 00448950
017F:004488CE 33D2 XOR EDX,EDX
017F:004488D0 8D7E02 LEA EDI,[ESI+02]
017F:004488D3 668B16 MOV DX,[ESI]
017F:004488D6 8D44245C LEA EAX,[ESP+5C]
017F:004488DA 52 PUSH EDX
017F:004488DB 57 PUSH EDI
017F:004488DC 50 PUSH EAX
017F:004488DD E89E000000 CALL 00448980
017F:004488E2 8D4C2468 LEA ECX,[ESP+68]
017F:004488E6 8D542458 LEA EDX,[ESP+58]
017F:004488EA 51 PUSH ECX
017F:004488EB 52 PUSH EDX
017F:004488EC E84F010000 CALL 00448A40－－－－call（6），这个call产生下面要用到的密码表
017F:004488F1 B90C000000 MOV ECX,0C
017F:004488F6 33C0 XOR EAX,EAX
017F:004488F8 F3AB REP STOSD
017F:004488FA 66AB STOSW
017F:004488FC 83C440 ADD ESP,BYTE +40
017F:004488FF 33FF XOR EDI,EDI－－－－edi清零
017F:00448901 8BF7 MOV ESI,EDI－－－－esi初值为零，以2为递增量
017F:00448903 81E6FFFF0000 AND ESI,FFFF
017F:00448909 8BC6 MOV EAX,ESI－－－eax＝esi
017F:0044890B D1E8 SHR EAX,1－－－eax＝eax/2
017F:0044890D 8A0C18 MOV CL,[EAX+EBX]－－－－依次取得注册码前八位得ASCII码
017F:00448910 51 PUSH ECX－－－－ASCII码入栈
017F:00448911 E80AFFFFFF CALL 00448820－－－－call（7），对ASCII码进行处理
017F:00448916 8A543424 MOV DL,[ESP+ESI+24]－－－从密码表（长度：10h字节）中取出相应的值送入dl
017F:0044891A 25FF000000 AND EAX,FF
017F:0044891F 83E20F AND EDX,BYTE +0F－－－取dl的右半个字节
017F:00448922 83C404 ADD ESP,BYTE +04
017F:00448925 0FBE4C1410 MOVSX ECX,BYTE [ESP+EDX+10]－－－从“123456789ABCDEF”中取出对应字符的ASCII码送入ecx中
017F:0044892A 3BC8 CMP ECX,EAX－－－－与假注册码中对应位置的字符比较
017F:0044892C 7515 JNZ 00448943－－－－不一样就跳走
017F:0044892E 83C702 ADD EDI,BYTE +02－－－－edi为计数器，递增量为2
017F:00448931 6683FF10 CMP DI,BYTE +10－－－－直到edi＝10h，即取前八个字符
017F:00448935 72CA JC 00448901
017F:00448937 5F POP EDI
017F:00448938 5E POP ESI
017F:00448939 B801000000 MOV EAX,01
017F:0044893E 5B POP EBX
017F:0044893F 83C47C ADD ESP,BYTE +7C
017F:00448942 C3 RET
017F:00448943 5F POP EDI
017F:00448944 5E POP ESI
017F:00448945 33C0 XOR EAX,EAX
017F:00448947 5B POP EBX
017F:00448948 83C47C ADD ESP,BYTE +7C

**********************************************************************
call（5):
017F:004487BD 6685ED TEST BP,BP
017F:004487C0 764F JNA 00448811
017F:004487C2 8B5C2414 MOV EBX,[ESP+14]
017F:004487C6 8BC6 MOV EAX,ESI
017F:004487C8 25FFFF0000 AND EAX,FFFF
017F:004487CD 8A0C18 MOV CL,[EAX+EBX]
017F:004487D0 51 PUSH ECX
017F:004487D1 E84A000000 CALL 00448820－－－又是call（7），分别对15，16位注册码的ASCII码进行处理
017F:004487D6 660FB6C0 MOVZX AX,AL
017F:004487DA 83C404 ADD ESP,BYTE +04
017F:004487DD 663D3000 CMP AX,30
017F:004487E1 720D JC 004487F0
017F:004487E3 663D3900 CMP AX,39
017F:004487E7 7707 JA 004487F0
017F:004487E9 05D0FF0000 ADD EAX,FFD0
017F:004487EE EB11 JMP SHORT 00448801
017F:004487F0 663D4100 CMP AX,41
017F:004487F4 7222 JC 00448818
017F:004487F6 663D4600 CMP AX,46
017F:004487FA 771C JA 00448818
017F:004487FC 05C9FF0000 ADD EAX,FFC9
017F:00448801 C1E704 SHL EDI,04
017F:00448804 25FFFF0000 AND EAX,FFFF
017F:00448809 0BF8 OR EDI,EAX
017F:0044880B 46 INC ESI
017F:0044880C 663BF5 CMP SI,BP
017F:0044880F 72B5 JC 004487C6
017F:00448811 8BC7 MOV EAX,EDI
017F:00448813 5F POP EDI
017F:00448814 5E POP ESI
017F:00448815 5D POP EBP
017F:00448816 5B POP EBX
这个call的功能就是取得注册码第15，16位两个数字构成的16进制值，并放到eax中
****************************************************************
call(6):
017F:00448A40 83EC08 SUB ESP,BYTE +08
017F:00448A43 8D442400 LEA EAX,[ESP+00]
017F:00448A47 56 PUSH ESI
017F:00448A48 57 PUSH EDI
017F:00448A49 8B7C2418 MOV EDI,[ESP+18]
017F:00448A4D 6A08 PUSH BYTE +08
017F:00448A4F 8D7710 LEA ESI,[EDI+10]
017F:00448A52 56 PUSH ESI
017F:00448A53 50 PUSH EAX
017F:00448A54 E8C70A0000 CALL 00449520
017F:00448A59 8B06 MOV EAX,[ESI]
017F:00448A5B 83C40C ADD ESP,BYTE +0C
017F:00448A5E C1E803 SHR EAX,03
017F:00448A61 83E03F AND EAX,BYTE +3F
017F:00448A64 B938000000 MOV ECX,38
017F:00448A69 83F838 CMP EAX,BYTE +38
017F:00448A6C 7205 JC 00448A73
017F:00448A6E B978000000 MOV ECX,78
017F:00448A73 2BC8 SUB ECX,EAX
017F:00448A75 51 PUSH ECX
017F:00448A76 68F8D44E00 PUSH DWORD 004ED4F8
017F:00448A7B 57 PUSH EDI
017F:00448A7C E8FFFEFFFF CALL 00448980
017F:00448A81 8D4C2414 LEA ECX,[ESP+14]
017F:00448A85 6A08 PUSH BYTE +08
017F:00448A87 51 PUSH ECX
017F:00448A88 57 PUSH EDI
017F:00448A89 E8F2FEFFFF CALL 00448980－－－－密码表在这个call中产生
017F:00448A8E 8B54242C MOV EDX,[ESP+2C]
017F:00448A92 6A10 PUSH BYTE +10
017F:00448A94 57 PUSH EDI
017F:00448A95 52 PUSH EDX
017F:00448A96 E8850A0000 CALL 00449520
017F:00448A9B 83C424 ADD ESP,BYTE +24
017F:00448A9E B916000000 MOV ECX,16
017F:00448AA3 33C0 XOR EAX,EAX
017F:00448AA5 F3AB REP STOSD
017F:00448AA7 5F POP EDI
017F:00448AA8 5E POP ESI
017F:00448AA9 83C408 ADD ESP,BYTE +08
017F:00448AAC C3 RET
这个过程比较复杂，我没空分析了，有兴趣的朋友可以跟进去看一看。只要这里搞明白就可以写出注册机了。
******************************************************************
call（7）：
017F:00448820 8B442404 MOV EAX,[ESP+04]－－－eax取得当前字符的ASCII码
017F:00448824 3C61 CMP AL,61
017F:00448826 720D JC 00448835－－－－小于61h就跳
017F:00448828 3C7A CMP AL,7A
017F:0044882A 7709 JA 00448835
017F:0044882C 25FF000000 AND EAX,FF
017F:00448831 83E820 SUB EAX,BYTE +20
017F:00448834 C3 RET
017F:00448835 25FF000000 AND EAX,FF
这个call其实没什么用，因为能走到这里的注册码，其字符应该都是“123456789ABCDEF－”之一，
这些在call（2）中就已经检验过了。
*******************************************************************
这是我今年寒假最后一篇破文了，追这个东西我花了不少时间，希望看懂的朋友帮忙顶一下，没看懂的也可以把问题提出来，可能某些地方还写得不清楚,我会尽力解答。
最后感谢看完拙文！

cyclotron
2003.2.11