这个软件让Otdr破过
但没有看明白太菜了.今天拿起OLD开始研究了一番.
004C4A08 |. BA 544C4C00 mov edx,12_.004C4C54
004C4A0D |. E8 7EF1F3FF call 12_.00403B90 ; '未注册版本!'
004C4A12 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004C4A15 |. BA 684C4C00 mov edx,12_.004C4C68 ; '注册版本!'
004C4A1A |. E8 71F1F3FF call 12_.00403B90
004C4A1F |. 33C9 xor ecx,ecx
004C4A21 |. BA 7C4C4C00 mov edx,12_.004C4C7C ; ASCII "\Software\Microsoft\Windows\CurrentVersion\Explorer\Sysdisk"
004C4A26 |. 8BC6 mov eax,esi
004C4A28 |. E8 C77EFBFF call 12_.0047C8F4 ; 看有没有这个键值
004C4A2D |. 84C0 test al,al
004C4A2F |. 0F84 7B010000 je 12_.004C4BB0
004C4A35 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004C4A38 |. E8 BBF0F3FF call 12_.00403AF8
004C4A3D |. 8D4D FC lea ecx,dword ptr ss:[ebp-4]
004C4A40 |. BA C04C4C00 mov edx,12_.004C4CC0 ; ASCII "FN ame"
004C4A45 |. 8BC6 mov eax,esi
004C4A47 |. E8 7080FBFF call 12_.0047CABC
004C4A4C |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C4A4F |. E8 24F3F3FF call 12_.00403D78 ; 用户名长度
004C4A54 |. 8BD8 mov ebx,eax
004C4A56 |. 85DB test ebx,ebx
004C4A58 |. 7E 43 jle short 12_.004C4A9D
004C4A5A |. C745 F4 01000000 mov dword ptr ss:[ebp-C],1
004C4A61 |> 8D45 E4 /lea eax,dword ptr ss:[ebp-1C] ; 对注册表中的用户名加密解密的循环
004C4A64 |. 50 |push eax
004C4A65 |. B9 01000000 |mov ecx,1
004C4A6A |. 8B55 F4 |mov edx,dword ptr ss:[ebp-C]
004C4A6D |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004C4A70 |. E8 0BF5F3FF |call 12_.00403F80
004C4A75 |. 8B45 E4 |mov eax,dword ptr ss:[ebp-1C]
004C4A78 |. E8 BFF4F3FF |call 12_.00403F3C
004C4A7D |. 33D2 |xor edx,edx
004C4A7F |. 8A10 |mov dl,byte ptr ds:[eax]
004C4A81 |. 83EA 05 |sub edx,5 ; NAME[I]
004C4A84 |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
004C4A87 |. E8 14F2F3FF |call 12_.00403CA0
004C4A8C |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
004C4A8F |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
004C4A92 |. E8 E9F2F3FF |call 12_.00403D80
004C4A97 |. FF45 F4 |inc dword ptr ss:[ebp-C]
004C4A9A |. 4B |dec ebx
004C4A9B |.^ 75 C4 \jnz short 12_.004C4A61
004C4A9D |> 8B87 E0020000 mov eax,dword ptr ds:[edi+2E0]
004C4AA3 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; EDX=用户名
004C4AA6 |. E8 C97DF6FF call 12_.0042C874
004C4AAB |. BA D04C4C00 mov edx,12_.004C4CD0 ; ASCII "FP ass"
004C4AB0 |. 8BC6 mov eax,esi
004C4AB2 |. E8 9180FBFF call 12_.0047CB48 ;
004C4AB7 |. 35 0AB30000 xor eax,0B30A
004C4ABC |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004C4ABF |. E8 283CF4FF call 12_.004086EC
004C4AC4 |. 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; EDX=注册码
=======================================================
004C48B9 |. 8BEC mov ebp,esp
004C48BB |. 83C4 E8 add esp,-18
004C48BE |. 53 push ebx
004C48BF |. 56 push esi
004C48C0 |. 33D2 xor edx,edx
.................................
004C48E4 |. 8B80 E0020000 mov eax,dword ptr ds:[eax+2E0]
004C48EA |. E8 557FF6FF call 12_.0042C844
004C48EF |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; eax=name
004C48F2 |. E8 81F4F3FF call 12_.00403D78 ; name_len
004C48F7 |. 8BF0 mov esi,eax
004C48F9 |. 85F6 test esi,esi ; name-len!=0
004C48FB |. 7E 38 jle short 12_.004C4935
004C48FD |. C745 F0 01000000 mov dword ptr ss:[ebp-10],1
004C4904 |> 8D45 EC /lea eax,dword ptr ss:[ebp-14]
004C4907 |. 50 |push eax
004C4908 |. B9 01000000 |mov ecx,1
004C490D |. 8B55 F0 |mov edx,dword ptr ss:[ebp-10]
004C4910 |. 8B45 F4 |mov eax,dword ptr ss:[ebp-C] ; eax=name
004C4913 |. E8 68F6F3FF |call 12_.00403F80
004C4918 |. 8B45 EC |mov eax,dword ptr ss:[ebp-14]
004C491B |. E8 1CF6F3FF |call 12_.00403F3C
004C4920 |. 8A00 |mov al,byte ptr ds:[eax] ; al=name[i]
004C4922 |. 25 FF000000 |and eax,0FF ; eax&0ff
004C4927 03D8 add ebx,eax ; ebx+=name[i]
004C4929 |. 81F3 05FA0B00 |xor ebx,0BFA05 ; ebx^0bfa05
004C492F |. FF45 F0 |inc dword ptr ss:[ebp-10]
004C4932 |. 4E |dec esi
004C4933 |.^ 75 CF \jnz short 12_.004C4904
004C4935 |> A1 F0994C00 mov eax,dword ptr ds:[4C99F0] ; eax=[4c99f0]=12BCC244
004C493A |. 8BD0 mov edx,eax ; edx=12BCC244
004C493C |. C1E0 04 shl eax,4 ; 12BCC244 shl 4
004C493F |. 03C2 add eax,edx ; eax+edx
004C4941 |. 03D8 add ebx,eax ; ebx+12BCC244
004C4943 |. 81C3 D4A31300 add ebx,13A3D4
004C4949 |. 81F3 8DED5900 xor ebx,59ED8D
004C494F |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004C4952 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C4955 |. 8B80 E4020000 mov eax,dword ptr ds:[eax+2E4]
004C495B |. E8 E47EF6FF call 12_.0042C844 ; code_len
004C4960 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; eax=code
004C4963 |. E8 B43DF4FF call 12_.0040871C ; f7
004C4968 |. 8BF3 mov esi,ebx
004C496A |. 81F6 2473C400 xor esi,0C47324 ; esi^=0c47324
004C4970 |. 3BC6 cmp eax,esi ; k1==k2? 关键比较
******************************************************************************
0040871C /$ 53 push ebx
0040871D |. 56 push esi
0040871E |. 83C4 F4 add esp,-0C
00408721 |. 8BD8 mov ebx,eax
00408723 |. 8BD4 mov edx,esp
00408725 |. 8BC3 mov eax,ebx ; eax=ebx=code
00408727 |. E8 E0A3FFFF call 12_.00402B0C ; f7
0040872C |. 8BF0 mov esi,eax
0040872E |. 833C24 00 cmp dword ptr ss:[esp],0 ; code_len!=0
00408732 |. 74 19 je short 12_.0040874D
******************************************************************************
00402B5A |> 84DB test bl,bl
00402B5C |. |74 34 je short 12_.00402B92
00402B5E |> |80EB 30 /sub bl,30 ; bl-30
00402B61 |. |80FB 09 |cmp bl,9
00402B64 |. |77 2C |ja short 12_.00402B92
00402B66 |. |39F8 |cmp eax,edi ; eax>ccccccc?
00402B68 |. |77 28 |ja short 12_.00402B92
00402B6A |. |8D0480 |lea eax,dword ptr ds:[eax+eax*4] ; eax=eax+eax*4=eax*5
00402B6D |. |01C0 |add eax,eax ; eax+eax=eax*2
00402B6F |. |01D8 |add eax,ebx ; eax+=ebx
00402B71 |. |8A1E |mov bl,byte ptr ds:[esi] ; bl=code[i]
00402B73 |. |46 |inc esi ; esi++
00402B74 |. |84DB |test bl,bl
00402B76 |.^|75 E6 \jnz short 12_.00402B5E
===============================================================================
根据他的算法进行求逆运算
void CFeitianDlg::OnButton1()
{
// TODO: Add your control notification handler code here
UpdateData();
unsigned int tmp;
unsigned int sum=0;
if(m_name.IsEmpty())
{
return;
}
m_code.Empty();
//计算K1=SUM
for(int i=0;i<m_name.GetLength();i++)
{ tmp=0xff&m_name[i];
sum+=tmp;
sum^=0xbfa05;
}
_asm
{
mov eax,0x12BCC244
mov edx,eax
shl eax,4
add eax,edx
add sum,eax
add sum,0x13A3D4
xor sum,0x59ED8D
}
sum^= 0xC47324;//进行异或
// 求逆就是K1转换成10进制然后异或0xC47324就可以了
//格式化为10进制//输出到编辑框
m_code.Format ("%2d", sum);
UpdateData(FALSE);
}
最后注册成功后用户名按位加上5保存在
HKEY_CURRENT_USER"\Software\Microsoft\Windows\CurrentVersion\Explorer\Sysdisk"
但是,这个注册码只能去掉注册对话框,好象真正注册还需要网上验证。
。。。。。。。。。。。。。。。。