Photo Watermark V1.2.0.6

标题：Photo Watermark V1.2.0.6
作者：fly
时间：2003/04/22 12:41pm
链接：http://bbs.pediy.com

下载页面： http://www.skycn.com/soft/8210.html
软件大小： 1265 KB
软件语言：英文
软件类别：国外软件 / 共享版 / 图像处理
应用平台： Win9x/NT/2000/XP
加入时间： 2003-03-31 08:38:47
下载次数： 2531
推荐等级： ****
开发商： http://www.unidreamtech.com/

【软件简介】：Photo Watermark 是一款专业的给图片加水印软件，如果你想在网络上保护你的图片，可以试试这个软件。

【软件限制】：15天试用、功能限制。

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、Fi2.5、Hex Workshop、UPX1.2、W32Dasm 9.0白金版

—————————————————————————————————
【过程】：

首先说明的是我手里分析的是V1.2.0.6的版本，天空下载站上的是V3.0.0.0新版，呵呵，小猫上网就不去“喜新厌旧”了。可能有许多地方是不一样的。不过我的目的只是学习CRACK技术。

watermark.exe 用Fi2.5看是UPX壳，但是这个壳再次用其它工具做了保护。如：UPX-Scrambler RC 1.05 ——modifies files packed with UPX so that they cannot be unpacked with the "-d" command build into UPX。

呵呵，看了《看雪论坛精华》里 bottle 朋友的帖子学习了脱壳方法。谢谢 bottle 朋友！为了大家方便我转贴一下我所用到的关键部分。

用Hex Workshop打开watermark.exe：
00000400：5B66 FEFF 0410 4000 0307 426F 6F6C 6561 6E01 0009 2A05 46B3 DFDE FF61 6C73 6504
把00000400处的：5B66 FEFF 0410 改为5550 5821 0C09

保存后再用UPX1.2解压成功。556K->1.53M。Delphi编写。反汇编，根据提示很容易就找到核心了。

用户名：fly
电邮：fly@263.net
试炼码：13572468

程序根据注册码的不同而分为2个版本，运算流程是相似的，因此我只是记录了第二次运算“Pro”版注册码时的参数。
—————————————————————————————————
* Possible StringData Ref from Code Obj ->"Plus"
|
:00535460 BAB0565300 mov edx, 005356B0
====>EDX=Plus

:00535465 E8FAEBECFF call 00404064
:0053546A 755B jne 005354C7

* Possible StringData Ref from Code Obj ->"Pro"
|
:0053546C 68C0565300 push 005356C0
:00535471 8D45FC lea eax, dword ptr [ebp-04]
:00535474 50 push eax
:00535475 8D55F8 lea edx, dword ptr [ebp-08]
:00535478 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0053547E E83DFAEFFF call 00434EC0
:00535483 8B45F8 mov eax, dword ptr [ebp-08]
:00535486 50 push eax
:00535487 8D55F4 lea edx, dword ptr [ebp-0C]
:0053548A 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:00535490 E82BFAEFFF call 00434EC0
:00535495 8B55F4 mov edx, dword ptr [ebp-0C]
:00535498 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:0053549E 59 pop ecx
:0053549F E85CEDFFFF call 00534200
:005354A4 8B45FC mov eax, dword ptr [ebp-04]
:005354A7 50 push eax
:005354A8 8D55F0 lea edx, dword ptr [ebp-10]
:005354AB 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:005354B1 E80AFAEFFF call 00434EC0
:005354B6 8B55F0 mov edx, dword ptr [ebp-10]
:005354B9 58 pop eax
:005354BA E8E136EDFF call 00408BA0
:005354BF 85C0 test eax, eax
:005354C1 0F84C9000000 je 00535590

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053546A(C)
|

* Possible StringData Ref from Code Obj ->"Plus"
|
:005354C7 68B0565300 push 005356B0
:005354CC 8D45EC lea eax, dword ptr [ebp-14]
====>EAX=fly@263.net

:005354CF 50 push eax
:005354D0 8D55E8 lea edx, dword ptr [ebp-18]
:005354D3 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:005354D9 E8E2F9EFFF call 00434EC0
:005354DE 8B45E8 mov eax, dword ptr [ebp-18]
====>EAX=fly@263.net

:005354E1 50 push eax
:005354E2 8D55E4 lea edx, dword ptr [ebp-1C]
:005354E5 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:005354EB E8D0F9EFFF call 00434EC0
:005354F0 8B55E4 mov edx, dword ptr [ebp-1C]
====>EDX=fly

:005354F3 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005354F9 59 pop ecx
====>ECX=fly@263.net

:005354FA E801EDFFFF call 00534200
====>算法CALL！运算“Plus”版本的注册码！

:005354FF 8B45EC mov eax, dword ptr [ebp-14]
====>EAX=Y1728-E7272

:00535502 50 push eax
:00535503 8D55E0 lea edx, dword ptr [ebp-20]
:00535506 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:0053550C E8AFF9EFFF call 00434EC0
====>取试炼码

:00535511 8B45E0 mov eax, dword ptr [ebp-20]
====>EAX=13572468

:00535514 5A pop edx
:00535515 E81AC5FCFF call 00501A34
====>比较“Plus”版本的注册码！

:0053551A 85C0 test eax, eax
:0053551C 7572 jne 00535590
====>跳则“Plus”版本注册成功！

:0053551E A1CC8C5400 mov eax, dword ptr [00548CCC]
:00535523 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"Watermark"
|
:00535525 BACC565300 mov edx, 005356CC
====>EDX=Watermark

:0053552A E835EBECFF call 00404064
:0053552F 0F85DC000000 jne 00535611

* Possible StringData Ref from Code Obj ->"Watermark"
|
:00535535 68CC565300 push 005356CC
:0053553A 8D45DC lea eax, dword ptr [ebp-24]
:0053553D 50 push eax
:0053553E 8D55D8 lea edx, dword ptr [ebp-28]
:00535541 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:00535547 E874F9EFFF call 00434EC0
:0053554C 8B45D8 mov eax, dword ptr [ebp-28]
====>EAX=fly@263.net

:0053554F 50 push eax
:00535550 8D55D4 lea edx, dword ptr [ebp-2C]
:00535553 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:00535559 E862F9EFFF call 00434EC0
:0053555E 8B55D4 mov edx, dword ptr [ebp-2C]
====>EDX=fly

:00535561 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:00535567 59 pop ecx
:00535568 E893ECFFFF call 00534200
====>算法CALL！运算“Pro”版本的注册码！进入！

:0053556D 8B45DC mov eax, dword ptr [ebp-24]
====>EAX=7761746572-Y1728-6D61726BE7272

:00535570 50 push eax
:00535571 8D55D0 lea edx, dword ptr [ebp-30]
:00535574 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:0053557A E841F9EFFF call 00434EC0
====>取试炼码

:0053557F 8B55D0 mov edx, dword ptr [ebp-30]
====>EDX=13572468

:00535582 58 pop eax
:00535583 E81836EDFF call 00408BA0
====>比较“Pro”版本的注册码！

:00535588 85C0 test eax, eax
:0053558A 0F8581000000 jne 00535611
====>不跳则“Pro”版本注册成功！

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005354C1(C), :0053551C(C)
|
:00535590 8D55CC lea edx, dword ptr [ebp-34]
:00535593 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:00535599 E822F9EFFF call 00434EC0
:0053559E 8B55CC mov edx, dword ptr [ebp-34]
:005355A1 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355A7 E8E8EEFFFF call 00534494
:005355AC 8D55C8 lea edx, dword ptr [ebp-38]
:005355AF 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:005355B5 E806F9EFFF call 00434EC0
:005355BA 8B55C8 mov edx, dword ptr [ebp-38]
:005355BD 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355C3 83C034 add eax, 00000034
:005355C6 E895EEECFF call 00404460
:005355CB 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355D1 05C0000000 add eax, 000000C0
:005355D6 8B15CC8C5400 mov edx, dword ptr [00548CCC]
:005355DC 8B12 mov edx, dword ptr [edx]
:005355DE E845E7ECFF call 00403D28
:005355E3 33D2 xor edx, edx
:005355E5 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:005355EB E844EEFFFF call 00534434
:005355F0 8D55C4 lea edx, dword ptr [ebp-3C]
:005355F3 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:005355F9 E8C2F8EFFF call 00434EC0
:005355FE 8B55C4 mov edx, dword ptr [ebp-3C]
:00535601 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:00535607 E84CF3FFFF call 00534958
:0053560C C60601 mov byte ptr [esi], 01
:0053560F EB32 jmp 00535643

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0053552F(C), :0053558A(C)
|
:00535611 6A00 push 00000000
:00535613 8D4DC0 lea ecx, dword ptr [ebp-40]

* Possible StringData Ref from Code Obj ->"InvalidKeyStr"
|
:00535616 BAE0565300 mov edx, 005356E0

* Possible StringData Ref from Code Obj ->"The information you entered is "
->"not valid. Please retry."
====>BAD BOY！

* Possible StringData Ref from Code Obj ->"RegisteredStr"
|
:0053E85D BA98E95300 mov edx, 0053E998

* Possible StringData Ref from Code Obj ->"Thank you for registering %s. "
->"Please keep your key code in a "
->"secret place. Program will restart."

:0053E8B7 FF92D8000000 call dword ptr [edx+000000D8]
====>呵呵，胜利女神！

—————————————————————————————————
进入算法CALL：00535568 call 00534200

* Referenced by a CALL at Addresses:
|:00534A15 , :00534E78 , :00534EA8 , :00534ED8 , :0053549F
|:005354FA , :00535568
|
:00534200 55 push ebp
:00534201 8BEC mov ebp, esp
:00534203 51 push ecx
:00534204 B908000000 mov ecx, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053420E(C)
|
:00534209 6A00 push 00000000
:0053420B 6A00 push 00000000
:0053420D 49 dec ecx
:0053420E 75F9 jne 00534209
:00534210 51 push ecx
:00534211 874DFC xchg dword ptr [ebp-04], ecx
:00534214 53 push ebx
:00534215 894DF8 mov dword ptr [ebp-08], ecx
:00534218 8955FC mov dword ptr [ebp-04], edx
:0053421B 8BD8 mov ebx, eax
:0053421D 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=[ebp-04]=fly

:00534220 E8E3FEECFF call 00404108
:00534225 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=[ebp-08]=fly@263.net

:00534228 E8DBFEECFF call 00404108
:0053422D 8B450C mov eax, dword ptr [ebp+0C]
====>EAX=Plus

:00534230 E8D3FEECFF call 00404108
:00534235 33C0 xor eax, eax
:00534237 55 push ebp
:00534238 68BC435300 push 005343BC
:0053423D 64FF30 push dword ptr fs:[eax]
:00534240 648920 mov dword ptr fs:[eax], esp
:00534243 8B450C mov eax, dword ptr [ebp+0C]

* Possible StringData Ref from Code Obj ->"Pro"
|
:00534246 BAD4435300 mov edx, 005343D4
====>EDX=Pro

:0053424B E814FEECFF call 00404064
====>判断是哪个版本？

:00534250 7572 jne 005342C4
:00534252 8D55F4 lea edx, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"pro"
|
:00534255 B8E0435300 mov eax, 005343E0
:0053425A E8F5E7FCFF call 00502A54
:0053425F FF75F4 push [ebp-0C]
:00534262 68EC435300 push 005343EC
:00534267 8D55EC lea edx, dword ptr [ebp-14]
:0053426A 8B45FC mov eax, dword ptr [ebp-04]
:0053426D E87E47EDFF call 004089F0
:00534272 8B55EC mov edx, dword ptr [ebp-14]
:00534275 8D4DF0 lea ecx, dword ptr [ebp-10]
:00534278 8BC3 mov eax, ebx
:0053427A E8AD080000 call 00534B2C
:0053427F FF75F0 push [ebp-10]
:00534282 68EC435300 push 005343EC
:00534287 8D55E8 lea edx, dword ptr [ebp-18]

* Possible StringData Ref from Code Obj ->"Pro"
|
:0053428A B8D4435300 mov eax, 005343D4
:0053428F E8C0E7FCFF call 00502A54
:00534294 FF75E8 push [ebp-18]
:00534297 8D55E0 lea edx, dword ptr [ebp-20]
:0053429A 8B45F8 mov eax, dword ptr [ebp-08]
:0053429D E88A47EDFF call 00408A2C
:005342A2 8B55E0 mov edx, dword ptr [ebp-20]
:005342A5 8D4DE4 lea ecx, dword ptr [ebp-1C]
:005342A8 8BC3 mov eax, ebx
:005342AA E87D080000 call 00534B2C
:005342AF FF75E4 push [ebp-1C]
:005342B2 8B4508 mov eax, dword ptr [ebp+08]
:005342B5 BA06000000 mov edx, 00000006
:005342BA E855FDECFF call 00404014
:005342BF E9D5000000 jmp 00534399

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534250(C)
|
:005342C4 8B450C mov eax, dword ptr [ebp+0C]

* Possible StringData Ref from Code Obj ->"Watermark"
|
:005342C7 BAF8435300 mov edx, 005343F8
====>EDX=Watermark

:005342CC E893FDECFF call 00404064
:005342D1 756F jne 00534342
====>第一次运算“Plus”版时从这跳走。

:005342D3 8D55DC lea edx, dword ptr [ebp-24]

* Possible StringData Ref from Code Obj ->"water"
|
:005342D6 B80C445300 mov eax, 0053440C
====>EAX=water

:005342DB E874E7FCFF call 00502A54
====>取water字符的ASCII码7761746572

:005342E0 FF75DC push [ebp-24]
① ====>[ebp-24]=7761746572

:005342E3 68EC435300 push 005343EC
:005342E8 8D55D4 lea edx, dword ptr [ebp-2C]
:005342EB 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=[ebp-04]=fly

:005342EE E8FD46EDFF call 004089F0
====>将fly转化为大写字母

:005342F3 8B55D4 mov edx, dword ptr [ebp-2C]
====>EDX=FLY

:005342F6 8D4DD8 lea ecx, dword ptr [ebp-28]
:005342F9 8BC3 mov eax, ebx
:005342FB E82C080000 call 00534B2C
====>对FLY进行运算得出下面的Y1728 进入！

:00534300 FF75D8 push [ebp-28]
② ====>[ebp-28]=Y1728

:00534303 68EC435300 push 005343EC
:00534308 8D55D0 lea edx, dword ptr [ebp-30]

* Possible StringData Ref from Code Obj ->"mark"
|
:0053430B B81C445300 mov eax, 0053441C
====>EAX=mark

:00534310 E83FE7FCFF call 00502A54
====>取mark字符的ASCII码6D61726B

:00534315 FF75D0 push [ebp-30]
③ ====>[ebp-30]=6D61726B

:00534318 8D55C8 lea edx, dword ptr [ebp-38]
:0053431B 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=[ebp-08]=fly@263.net

:0053431E E80947EDFF call 00408A2C
====>对fly@263.net进行检测，如果有大写字母则转化为小写

:00534323 8B55C8 mov edx, dword ptr [ebp-38]
====>EDX=[ebp-38]=fly@263.net

:00534326 8D4DCC lea ecx, dword ptr [ebp-34]
:00534329 8BC3 mov eax, ebx
:0053432B E8FC070000 call 00534B2C
====>对fly@263.net进行运算得出下面的E7272
====>与 005342FB 处的运算流程相同

:00534330 FF75CC push [ebp-34]
④ ====>[ebp-34]=E7272

:00534333 8B4508 mov eax, dword ptr [ebp+08]
:00534336 BA06000000 mov edx, 00000006
:0053433B E8D4FCECFF call 00404014
====>将上面得出的①②③④连接成①-②-③④

:00534340 EB57 jmp 00534399
====>“Pro”版本注册码运算结束！跳走！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005342D1(C)
|
:00534342 8B450C mov eax, dword ptr [ebp+0C]

====>下面是第一次时运算“Plus”版本的注册码
* Possible StringData Ref from Code Obj ->"Plus"
|
:00534345 BA2C445300 mov edx, 0053442C
:0053434A E815FDECFF call 00404064
:0053434F 7548 jne 00534399
:00534351 8D55C0 lea edx, dword ptr [ebp-40]
:00534354 8B45FC mov eax, dword ptr [ebp-04]
:00534357 E89446EDFF call 004089F0
:0053435C 8B55C0 mov edx, dword ptr [ebp-40]
:0053435F 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00534362 8BC3 mov eax, ebx
:00534364 E8C3070000 call 00534B2C
:00534369 FF75C4 push [ebp-3C]
:0053436C 68EC435300 push 005343EC
:00534371 8D55B8 lea edx, dword ptr [ebp-48]
:00534374 8B45F8 mov eax, dword ptr [ebp-08]
:00534377 E8B046EDFF call 00408A2C
:0053437C 8B55B8 mov edx, dword ptr [ebp-48]
:0053437F 8D4DBC lea ecx, dword ptr [ebp-44]
:00534382 8BC3 mov eax, ebx
:00534384 E8A3070000 call 00534B2C
:00534389 FF75BC push [ebp-44]
:0053438C 8B4508 mov eax, dword ptr [ebp+08]
:0053438F BA03000000 mov edx, 00000003
:00534394 E87BFCECFF call 00404014

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005342BF(U), :00534340(U), :0053434F(C)
|
:00534399 33C0 xor eax, eax
:0053439B 5A pop edx
:0053439C 59 pop ecx
:0053439D 59 pop ecx
:0053439E 648910 mov dword ptr fs:[eax], edx
:005343A1 68C3435300 push 005343C3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005343C1(U)
|
:005343A6 8D45B8 lea eax, dword ptr [ebp-48]
:005343A9 BA12000000 mov edx, 00000012
:005343AE E845F9ECFF call 00403CF8
:005343B3 8D450C lea eax, dword ptr [ebp+0C]
:005343B6 E819F9ECFF call 00403CD4
:005343BB C3 ret

—————————————————————————————————
进入：005342FB call 00534B2C

* Referenced by a CALL at Addresses:
|:0053427A , :005342AA , :005342FB , :0053432B , :00534364
|:00534384
|
:00534B2C 55 push ebp
:00534B2D 8BEC mov ebp, esp
:00534B2F 6A00 push 00000000
:00534B31 6A00 push 00000000
:00534B33 6A00 push 00000000
:00534B35 6A00 push 00000000
:00534B37 6A00 push 00000000
:00534B39 6A00 push 00000000
:00534B3B 6A00 push 00000000
:00534B3D 53 push ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534ACD(C)
|
:00534B3E 56 push esi
:00534B3F 57 push edi
:00534B40 894DF8 mov dword ptr [ebp-08], ecx
:00534B43 8955FC mov dword ptr [ebp-04], edx
:00534B46 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=FLY

:00534B49 E8BAF5ECFF call 00404108
:00534B4E 33C0 xor eax, eax
:00534B50 55 push ebp
:00534B51 68154C5300 push 00534C15
:00534B56 64FF30 push dword ptr fs:[eax]
:00534B59 648920 mov dword ptr fs:[eax], esp
:00534B5C 33FF xor edi, edi
:00534B5E 8D45F4 lea eax, dword ptr [ebp-0C]
:00534B61 8B55FC mov edx, dword ptr [ebp-04]
====>EDX=FLY

:00534B64 E803F2ECFF call 00403D6C
:00534B69 8B45F4 mov eax, dword ptr [ebp-0C]
:00534B6C E8E3F3ECFF call 00403F54
====>取FLY长度

:00534B71 8BF0 mov esi, eax
====>ESI=EAX=3

:00534B73 85F6 test esi, esi
:00534B75 7E58 jle 00534BCF
:00534B77 BB01000000 mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BCD(C)
|
:00534B7C 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=FLY

:00534B7F 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次取FLY字符的HEX值
1、 ====>AL=46
2、 ====>AL=4C
3、 ====>AL=59

:00534B83 E858FFFFFF call 00534AE0
====>呵呵，这里面有一个分支判断有点意思！猜测一下：程序检测上面所取字符的HEX（DEC）值是否是素数？如果是素数的话，则下面不跳，保留该字符到结果中。并且是小写字母的则转化为大写字母。^O^^O^

:00534B88 84C0 test al, al
:00534B8A 7425 je 00534BB1
:00534B8C 8D45E8 lea eax, dword ptr [ebp-18]
:00534B8F 8B55F4 mov edx, dword ptr [ebp-0C]
:00534B92 8A541AFF mov dl, byte ptr [edx+ebx-01]
3、 ====>DL=59

:00534B96 E8E1F2ECFF call 00403E7C
:00534B9B 8B45E8 mov eax, dword ptr [ebp-18]
3、 ====>EAX=Y

:00534B9E 8D55EC lea edx, dword ptr [ebp-14]
:00534BA1 E84A3EEDFF call 004089F0
:00534BA6 8B55EC mov edx, dword ptr [ebp-14]
:00534BA9 8D45F0 lea eax, dword ptr [ebp-10]
:00534BAC E8ABF3ECFF call 00403F5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B8A(C)
|
:00534BB1 83FB01 cmp ebx, 00000001
====>第一位字符运算2遍

:00534BB4 740A je 00534BC0
:00534BB6 8B45F4 mov eax, dword ptr [ebp-0C]
:00534BB9 0FB64418FE movzx eax, byte ptr [eax+ebx-02]
2、 ====>EAX=46
3、 ====>EAX=4C

:00534BBE EB06 jmp 00534BC6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BB4(C)
|
:00534BC0 8B45F4 mov eax, dword ptr [ebp-0C]
:00534BC3 0FB600 movzx eax, byte ptr [eax]
1、 ====>EAX=46

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534BBE(U)
|
:00534BC6 C1E003 shl eax, 03
1、 ====>EAX=46 SHL 3=00000230
2、 ====>EAX=46 SHL 3=00000230
3、 ====>EAX=4C SHL 3=00000260

:00534BC9 03F8 add edi, eax
1、 ====>EDI=00000230 + 00000000=00000230
2、 ====>EDI=00000230 + 00000230=00000460
3、 ====>EDI=00000460 + 00000260=000006C0（H）=1728（D）

:00534BCB 43 inc ebx
:00534BCC 4E dec esi
:00534BCD 75AD jne 00534B7C
====>循环用户名位数次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B75(C)
|
:00534BCF 8D55E4 lea edx, dword ptr [ebp-1C]
:00534BD2 8BC7 mov eax, edi
====>EAX=EDI=6C0

:00534BD4 E81B42EDFF call 00408DF4
====>将6C0转化成10进制值1728

:00534BD9 8B4DE4 mov ecx, dword ptr [ebp-1C]
====>ECX=1728

:00534BDC 8D45F4 lea eax, dword ptr [ebp-0C]
:00534BDF 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=Y

:00534BE2 E8B9F3ECFF call 00403FA0
====>将Y和1728连接起来

:00534BE7 8B45F8 mov eax, dword ptr [ebp-08]
:00534BEA 8B55F4 mov edx, dword ptr [ebp-0C]
====>EDX=Y1728

:00534BED E836F1ECFF call 00403D28
:00534BF2 33C0 xor eax, eax
:00534BF4 5A pop edx
:00534BF5 59 pop ecx
:00534BF6 59 pop ecx
:00534BF7 648910 mov dword ptr fs:[eax], edx
:00534BFA 681C4C5300 push 00534C1C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534C1A(U)
|
:00534BFF 8D45E4 lea eax, dword ptr [ebp-1C]
:00534C02 BA05000000 mov edx, 00000005
:00534C07 E8ECF0ECFF call 00403CF8
:00534C0C 8D45FC lea eax, dword ptr [ebp-04]
:00534C0F E8C0F0ECFF call 00403CD4
:00534C14 C3 ret

—————————————————————————————————
看看素数分支判断：00534B83 call 00534AE0

* Referenced by a CALL at Address:
|:00534B83
|
:00534AE0 55 push ebp
:00534AE1 8BEC mov ebp, esp
:00534AE3 51 push ecx
:00534AE4 53 push ebx
:00534AE5 56 push esi
:00534AE6 8845FF mov byte ptr [ebp-01], al
:00534AE9 C645FD02 mov [ebp-03], 02
:00534AED C645FE01 mov [ebp-02], 01
:00534AF1 8A4DFF mov cl, byte ptr [ebp-01]
:00534AF4 49 dec ecx
:00534AF5 80E902 sub cl, 02
:00534AF8 722A jb 00534B24
:00534AFA 41 inc ecx
:00534AFB B302 mov bl, 02

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B22(C)
|
:00534AFD 33C0 xor eax, eax
:00534AFF 8A45FF mov al, byte ptr [ebp-01]
:00534B02 33D2 xor edx, edx
:00534B04 8AD3 mov dl, bl
:00534B06 8BF2 mov esi, edx
:00534B08 33D2 xor edx, edx
:00534B0A F7F6 div esi
:00534B0C 85D2 test edx, edx
:00534B0E 7503 jne 00534B13
:00534B10 FE45FD inc [ebp-03]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B0E(C)
|
:00534B13 807DFD02 cmp byte ptr [ebp-03], 02
:00534B17 7606 jbe 00534B1F
:00534B19 C645FE00 mov [ebp-02], 00
:00534B1D EB05 jmp 00534B24

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534B17(C)
|
:00534B1F 43 inc ebx
:00534B20 FEC9 dec cl
:00534B22 75D9 jne 00534AFD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00534AF8(C), :00534B1D(U)
|
:00534B24 8A45FE mov al, byte ptr [ebp-02]
:00534B27 5E pop esi
:00534B28 5B pop ebx
:00534B29 59 pop ecx
:00534B2A 5D pop ebp
:00534B2B C3 ret

—————————————————————————————————
【KeyMake之{66th}Pro版内存注册机】：

中断地址：00535583
中断次数：1
第一字节：E8
指令长度：5

内存方式：EAX

—————————————————————————————————
【注册信息保存】：

C:\WINDOWS\SYSTEM 下的udmwm.sys文件。呵呵，想尽办法的隐藏自己呀。
可以用记事本打开的。

[5468616E6B796F75]
4964=3337373332
4C64=3337373333
487569=0
4D61=373736313734363537322D59313732382D36443631373236424537323732
4D696E67=666C79403236332E6E6574
55736572=666C79
4C6963656E7365=506C7573

—————————————————————————————————
【整理】：

用户名：fly
电邮：fly@263.net
注册码：Y1728-E7272 （Plus版）
注册码：7761746572-Y1728-6D61726BE7272 （Pro 版）

—————————————————————————————————

, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊——fly [OCN][FCG]

2003-04-22 2:08