【破文标题】:Setup2Go 1.9.11 破解体验--算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:Setup2Go 1.9.11
【整理日期】:2003-11-04
【最新版本】:1.9.11 <===这次做汉化软件时临时当的,但没找到更新的版本了,看来作者已经很久都没更新了
【软件大小】:1004 KB
【软件授权】:编程相关/共享软件/安装制作
【使用平台】:Win9x/Me/NT/2000/XP
【发布公司】:http://www.dev4pc.com/products.html
【加密方式】:注册码
【编译语言】:Microsoft Visual C++ 6.0
【功能限制】:功能限制+NAG提示
【调试环境】:WinXP、W32Dasm、PEiD、Ollydbg、Visual Basic 6
【破解日期】:2005-02-02
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
1、试探:运行主程序注册,输入注册名、注册码,确认!程序无反映!
2、侦测:用PEiD0.92查壳,发现是VC++ 6.0编译,无壳,但用OD载入时提醒程序压缩过(其实加了一个压缩壳)
3、初步下药:使出法宝,用W32Dasm黄金修正版本进行静态反汇编,但什么也找不到。
4、对症下药:用Ollydbg V1.10a中文DIY版来调试,下断bpx SendMessageA,F9运行,中断、取消(共5次)至程序运行为止!
5、试炼码:
注册名:KuNgBiM
注册码:9876543210
点击注册后,断下在00417B69 :
.........(略).........
00417B69 FF15 C0124000 CALL DWORD PTR DS:[<&USER32.SendMessageA>
00417B6F 8BFB MOV EDI,EBX <===程序来到这里,EAX=7(注册名的长度),EBX=KuNgBiM
00417B71 83C9 FF OR ECX,FFFFFFFF
00417B74 33C0 XOR EAX,EAX
00417B76 8D95 F4FDFFFF LEA EDX,DWORD PTR SS:[EBP-20C]
00417B7C F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00417B7E F7D1 NOT ECX
00417B80 2BF9 SUB EDI,ECX
00417B82 53 PUSH EBX
00417B83 8BC1 MOV EAX,ECX
00417B85 8BF7 MOV ESI,EDI
00417B87 8BFA MOV EDI,EDX
00417B89 68 00020000 PUSH 200
00417B8E C1E9 02 SHR ECX,2
00417B91 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00417B93 8BC8 MOV ECX,EAX
00417B95 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00417B98 6A 0D PUSH 0D
00417B9A 83E1 03 AND ECX,3
00417B9D FF70 38 PUSH DWORD PTR DS:[EAX+38]
00417BA0 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00417BA2 FF15 C0124000 CALL DWORD PTR DS:[<&USER32.SendMessageA>
00417BA8 8BFB MOV EDI,EBX <===EAX=10(假码的长度),EBX=9876543210
00417BAA 83C9 FF OR ECX,FFFFFFFF
00417BAD 33C0 XOR EAX,EAX
00417BAF 8D95 F8FEFFFF LEA EDX,DWORD PTR SS:[EBP-108]
00417BB5 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00417BB7 F7D1 NOT ECX
00417BB9 2BF9 SUB EDI,ECX
00417BBB 8BC1 MOV EAX,ECX
00417BBD 8BF7 MOV ESI,EDI
00417BBF 8BFA MOV EDI,EDX
00417BC1 C1E9 02 SHR ECX,2
00417BC4 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00417BC6 8BC8 MOV ECX,EAX
00417BC8 8D85 F8FEFFFF LEA EAX,DWORD PTR SS:[EBP-108]
00417BCE 50 PUSH EAX
00417BCF 83E1 03 AND ECX,3
00417BD2 8D85 F4FDFFFF LEA EAX,DWORD PTR SS:[EBP-20C]
00417BD8 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00417BDA 50 PUSH EAX
00417BDB E8 D04C0200 CALL Setup2Go.0043C8B0
00417BE0 8BC8 MOV ECX,EAX
00417BE2 E8 62E2FFFF CALL Setup2Go.00415E49 <===这里是关键的CALL,F8跟进
00417BE7 5F POP EDI
00417BE8 5E POP ESI
00417BE9 84C0 TEST AL,AL <===要想注册成功,则这里AL不能为0
00417BEB 5B POP EBX
00417BEC ^0F84 5DFFFFFF JE Setup2Go.00417B4F <===这里是关键的跳,这里不能跳
00417BF2 68 0D080000 PUSH 80D
00417BF7 EB 18 JMP SHORT Setup2Go.00417C11
00417BF9 68 10040000 PUSH 410
00417BFE 6A 01 PUSH 1
00417C00 E8 644D0200 CALL Setup2Go.0043C969
00417C05 59 POP ECX
00417C06 59 POP ECX
00417C07 ^E9 43FFFFFF JMP Setup2Go.00417B4F
00417C0C 68 01080000 PUSH 801
00417C11 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00417C14 FF15 94134000 CALL DWORD PTR DS:[<&USER32.EndDialog>] <===结束对话框函数,胜利的标志
00417C1A B0 01 MOV AL,1
00417C1C C9 LEAVE
00417C1D C2 1000 RETN 10
----------00417BE2 关键CALL,F8跟进------------------
00415E49 55 PUSH EBP
00415E4A 8BEC MOV EBP,ESP
00415E4C 51 PUSH ECX
00415E4D 51 PUSH ECX
00415E4E 53 PUSH EBX <===EBX=9876543210
00415E4F 56 PUSH ESI
00415E50 57 PUSH EDI
00415E51 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
00415E54 FF75 0C PUSH DWORD PTR SS:[EBP+C]
00415E57 8BD9 MOV EBX,ECX
00415E59 57 PUSH EDI
00415E5A E8 97FFFFFF CALL Setup2Go.00415DF6 <===又是关键的CALL,F8跟进
00415E5F 84C0 TEST AL,AL <===AL不能为0
00415E61 0F84 C0000000 JE Setup2Go.00415F27 <===这里一跳就OVER了
00415E67 33F6 XOR ESI,ESI
00415E69 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00415E6C 56 PUSH ESI
00415E6D 50 PUSH EAX
00415E6E 56 PUSH ESI
00415E6F 68 3F000F00 PUSH 0F003F
00415E74 56 PUSH ESI
00415E75 68 9CC14000 PUSH Setup2Go.0040C19C ; ASCII "Setup2GO"
00415E7A 56 PUSH ESI
00415E7B 68 24C24000 PUSH Setup2Go.0040C224 ; ASCII "software\SDS Software\Setup2GO"
00415E80 68 02000080 PUSH 80000002
00415E85 FF15 0C104000 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; ADVAPI32.RegCreateKeyExA
00415E8B 85C0 TEST EAX,EAX
00415E8D 75 55 JNZ SHORT Setup2Go.00415EE4
00415E8F 83C9 FF OR ECX,FFFFFFFF
00415E92 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415E94 F7D1 NOT ECX
00415E96 49 DEC ECX
00415E97 51 PUSH ECX
00415E98 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00415E9B 6A 01 PUSH 1
00415E9D 56 PUSH ESI
00415E9E 8B35 08104000 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegSetV>; ADVAPI32.RegSetValueExA
00415EA4 68 5CC24000 PUSH Setup2Go.0040C25C ; ASCII "username"
00415EA9 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00415EAC FFD6 CALL ESI
00415EAE 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
00415EB1 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00415EB4 83C9 FF OR ECX,FFFFFFFF
00415EB7 33C0 XOR EAX,EAX
00415EB9 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415EBB F7D1 NOT ECX
00415EBD 49 DEC ECX
00415EBE 51 PUSH ECX
00415EBF FF75 0C PUSH DWORD PTR SS:[EBP+C]
00415EC2 6A 01 PUSH 1
00415EC4 50 PUSH EAX
00415EC5 68 68C24000 PUSH Setup2Go.0040C268 ; ASCII "regcode"
00415ECA FF75 FC PUSH DWORD PTR SS:[EBP-4]
00415ECD FFD6 CALL ESI
00415ECF FF75 FC PUSH DWORD PTR SS:[EBP-4]
00415ED2 8BF0 MOV ESI,EAX
00415ED4 FF15 00104000 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; ADVAPI32.RegCloseKey
00415EDA 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00415EDE 75 47 JNZ SHORT Setup2Go.00415F27
00415EE0 85F6 TEST ESI,ESI
00415EE2 75 43 JNZ SHORT Setup2Go.00415F27
00415EE4 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
00415EE7 83C9 FF OR ECX,FFFFFFFF
00415EEA 33C0 XOR EAX,EAX
00415EEC F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415EEE F7D1 NOT ECX
00415EF0 49 DEC ECX
00415EF1 51 PUSH ECX
00415EF2 8D8B A8060000 LEA ECX,DWORD PTR DS:[EBX+6A8]
00415EF8 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00415EFB E8 660E0000 CALL Setup2Go.00416D66
00415F00 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
00415F03 83C9 FF OR ECX,FFFFFFFF
00415F06 33C0 XOR EAX,EAX
00415F08 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415F0A F7D1 NOT ECX
00415F0C 49 DEC ECX
00415F0D 51 PUSH ECX
00415F0E 8D8B B8060000 LEA ECX,DWORD PTR DS:[EBX+6B8]
00415F14 FF75 0C PUSH DWORD PTR SS:[EBP+C]
00415F17 E8 4A0E0000 CALL Setup2Go.00416D66
00415F1C C683 C8060000 01 MOV BYTE PTR DS:[EBX+6C8],1
00415F23 B0 01 MOV AL,1 <===关键的标志位赋值,必须经过
00415F25 EB 02 JMP SHORT Setup2Go.00415F29
00415F27 32C0 XOR AL,AL <===标志位清0,那就OVER了
00415F29 5F POP EDI
00415F2A 5E POP ESI
00415F2B 5B POP EBX
00415F2C C9 LEAVE
00415F2D C2 0800 RETN 8
----------00415E5A 又是关键CALL,F8再次跟进------------------
00415DF6 55 PUSH EBP
00415DF7 8BEC MOV EBP,ESP
00415DF9 51 PUSH ECX
00415DFA 33D2 XOR EDX,EDX
00415DFC 57 PUSH EDI
00415DFD 3955 08 CMP DWORD PTR SS:[EBP+8],EDX <===看是否输入的用户名
00415E00 74 40 JE SHORT Setup2Go.00415E42 <===这里不能跳
00415E02 3955 0C CMP DWORD PTR SS:[EBP+C],EDX <===看是否输入的注册码
00415E05 74 3B JE SHORT Setup2Go.00415E42 <===这里不能跳
00415E07 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
00415E0A 83C9 FF OR ECX,FFFFFFFF
00415E0D 33C0 XOR EAX,EAX
00415E0F F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415E11 F7D1 NOT ECX
00415E13 49 DEC ECX
00415E14 74 2C JE SHORT Setup2Go.00415E42
00415E16 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
00415E19 83C9 FF OR ECX,FFFFFFFF
00415E1C F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415E1E F7D1 NOT ECX
00415E20 49 DEC ECX
00415E21 83F9 0A CMP ECX,0A <===注册码的长度,必须为10位,我们达到了要求!^__^
00415E24 75 1C JNZ SHORT Setup2Go.00415E42 <===如果不是,一跳就OVER了
00415E26 FF75 0C PUSH DWORD PTR SS:[EBP+C]
00415E29 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00415E2C 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00415E2F 50 PUSH EAX
00415E30 68 68C54000 PUSH Setup2Go.0040C568 ; ASCII "pasha and andrey"
00415E35 FF75 08 PUSH DWORD PTR SS:[EBP+8] <==="KuNgBiM"压栈
00415E38 E8 F6250100 CALL Setup2Go.00428433 <===算法CALL,F8跟进
00415E3D 83C4 10 ADD ESP,10 <===ECX就出来了真正的注册码了
00415E40 EB 02 JMP SHORT Setup2Go.00415E44
00415E42 32C0 XOR AL,AL
00415E44 5F POP EDI
00415E45 C9 LEAVE
00415E46 C2 0800 RETN 8
----------00415E38 是关键的算法CALL,F8再次跟进------------------
00428433 55 PUSH EBP
00428434 8BEC MOV EBP,ESP
00428436 51 PUSH ECX
00428437 53 PUSH EBX
00428438 8B5D 14 MOV EBX,DWORD PTR SS:[EBP+14] <===EBX=9876543210
0042843B 56 PUSH ESI
0042843C 57 PUSH EDI
0042843D 8BFB MOV EDI,EBX
0042843F 83C9 FF OR ECX,FFFFFFFF
00428442 33C0 XOR EAX,EAX
00428444 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00428446 F7D1 NOT ECX
00428448 49 DEC ECX
00428449 8BF9 MOV EDI,ECX
0042844B 8D47 01 LEA EAX,DWORD PTR DS:[EDI+1]
0042844E 50 PUSH EAX
0042844F E8 CA1E0300 CALL Setup2Go.0045A31E <===这个CALL就算出了EAX=98WDMRQ2XU,还要F8跟进
00428454 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] <===在这里不知道能不能做内存注册机
00428457 59 POP ECX
00428458 85F6 TEST ESI,ESI
0042845A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0042845D 74 2B JE SHORT Setup2Go.0042848A
.................(略)
004284BE C3 RETN
--------0042844F 算出了注册码的CALL,同样F8跟进-----------
0045A31E 6A 01 PUSH 1
0045A320 FF7424 08 PUSH DWORD PTR SS:[ESP+8]
0045A324 E8 F2220000 CALL Setup2Go.0045C61B <===这个CALL,算出来注册码,F8跟进
0045A329 59 POP ECX
0045A32A 59 POP ECX
0045A32B C3 RETN
--------0045A324 算出了注册码的CALL,再次F8跟进-------------------------------------
0045C61B 837C24 04 E0 CMP DWORD PTR SS:[ESP+4],-20
0045C620 77 22 JA SHORT Setup2Go.0045C644
0045C622 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
0045C626 E8 1C000000 CALL Setup2Go.0045C647 <===这个CALL,算出来注册码,F8跟进
0045C62B 85C0 TEST EAX,EAX
0045C62D 59 POP ECX
0045C62E 75 16 JNZ SHORT Setup2Go.0045C646
0045C630 394424 08 CMP DWORD PTR SS:[ESP+8],EAX
0045C634 74 10 JE SHORT Setup2Go.0045C646
0045C636 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
0045C63A E8 49E4FFFF CALL Setup2Go.0045AA88
0045C63F 85C0 TEST EAX,EAX
0045C641 59 POP ECX
0045C642 ^75 DE JNZ SHORT Setup2Go.0045C622
0045C644 33C0 XOR EAX,EAX
0045C646 C3 RETN
-------------0045C626 算出了注册码的CALL,F8跟进----------------------
0045C647 55 PUSH EBP
0045C648 8BEC MOV EBP,ESP
0045C64A 6A FF PUSH -1
0045C64C 68 F83A4000 PUSH Setup2Go.00403AF8
0045C651 68 58C04500 PUSH Setup2Go.0045C058
0045C656 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0045C65C 50 PUSH EAX
0045C65D 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0045C664 83EC 0C SUB ESP,0C
0045C667 53 PUSH EBX
0045C668 56 PUSH ESI
0045C669 57 PUSH EDI
0045C66A A1 C8F14600 MOV EAX,DWORD PTR DS:[46F1C8]
0045C66F 83F8 03 CMP EAX,3
0045C672 75 43 JNZ SHORT Setup2Go.0045C6B7 <===不能跳!
0045C674 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0045C677 3B35 C0F14600 CMP ESI,DWORD PTR DS:[46F1C0]
0045C67D 0F87 93000000 JA Setup2Go.0045C716
0045C683 6A 09 PUSH 9
0045C685 E8 DB150000 CALL Setup2Go.0045DC65
0045C68A 59 POP ECX
0045C68B 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
0045C68F 56 PUSH ESI
0045C690 E8 36590000 CALL Setup2Go.00461FCB <===这个CALL,深藏注册码,F8跟进(革命尚未成功,同志仍需努力!)
0045C695 59 POP ECX
0045C696 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0045C699 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
0045C69D E8 0C000000 CALL Setup2Go.0045C6AE
0045C6A2 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0045C6A5 85C0 TEST EAX,EAX
0045C6A7 74 6D JE SHORT Setup2Go.0045C716
0045C6A9 E9 86000000 JMP Setup2Go.0045C734
0045C6AE 6A 09 PUSH 9
0045C6B0 E8 11160000 CALL Setup2Go.0045DCC6
0045C6B5 59 POP ECX
0045C6B6 C3 RETN
..............(略)
-------------0045C690 出来注册码,F8跟进(跳了3次)-------------
经过这3个RETN来到下面代码段:
..............(略)
00428454 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
00428457 59 POP ECX
00428458 85F6 TEST ESI,ESI
0042845A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0042845D 74 2B JE SHORT Setup2Go.0042848A
0042845F 8A43 01 MOV AL,BYTE PTR DS:[EBX+1]<===这里取出的就是"9876543210",第2个值的
00428462 50 PUSH EAX
00428463 E8 A9FFFFFF CALL Setup2Go.00428411 <===EAX=8(提取出来了),EBX=38(HEX值)
00428468 8BD0 MOV EDX,EAX
0042846A 8A03 MOV AL,BYTE PTR DS:[EBX] <===这里取出的就是"9876543210",第1个值的
0042846C 50 PUSH EAX
0042846D 8955 10 MOV DWORD PTR SS:[EBP+10],EDX
00428470 E8 9CFFFFFF CALL Setup2Go.00428411 <===EAX=9(提取出来了),EBX=39(HEX值)
00428475 59 POP ECX
00428476 59 POP ECX
00428477 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0042847A C1E0 04 SHL EAX,4 <===EAX=9 SHL 4=90
0042847D 03C8 ADD ECX,EAX <===ECX=8+90=98
0042847F 81F1 FF000000 XOR ECX,0FF <===ECX=67
00428485 83E9 55 SUB ECX,55 <===ECX=67-55=12
00428488 890E MOV DWORD PTR DS:[ESI],ECX
0042848A 57 PUSH EDI
0042848B FF75 FC PUSH DWORD PTR SS:[EBP-4]
0042848E FF36 PUSH DWORD PTR DS:[ESI] <===12
00428490 FF75 0C PUSH DWORD PTR SS:[EBP+C] <==="pasha and andrey"
00428493 FF75 08 PUSH DWORD PTR SS:[EBP+8] <==="KuNgBiM"
00428496 E8 6AFEFFFF CALL Setup2Go.00428305 <===ECX="KuNgBiMKuN" (被循环补足了10位),F8跟进
0042849B 57 PUSH EDI
0042849C 53 PUSH EBX <===假码9876543210
0042849D FF75 FC PUSH DWORD PTR SS:[EBP-4] <===真码98WDMRQ2XU
004284A0 E8 3B3A0300 CALL Setup2Go.0045BEE0
004284A5 FF75 FC PUSH DWORD PTR SS:[EBP-4]
004284A8 8BD8 MOV EBX,EAX
004284AA F7DB NEG EBX
004284AC 1ADB SBB BL,BL
004284AE FEC3 INC BL
004284B0 E8 8DF50200 CALL Setup2Go.00457A42
004284B5 83C4 24 ADD ESP,24
004284B8 8AC3 MOV AL,BL
004284BA 5F POP EDI
004284BB 5E POP ESI
004284BC 5B POP EBX
004284BD C9 LEAVE
004284BE C3 RETN
--------00428496 重要CALL,同样F8跟进-----------
00428305 55 PUSH EBP
00428306 8BEC MOV EBP,ESP
00428308 51 PUSH ECX
00428309 51 PUSH ECX
0042830A 53 PUSH EBX
0042830B 8B5D 18 MOV EBX,DWORD PTR SS:[EBP+18] <===EBX="9876543210"
0042830E 56 PUSH ESI
0042830F 57 PUSH EDI
00428310 8D73 01 LEA ESI,DWORD PTR DS:[EBX+1]
00428313 56 PUSH ESI
00428314 E8 05200300 CALL Setup2Go.0045A31E
00428319 56 PUSH ESI
0042831A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0042831D E8 FC1F0300 CALL Setup2Go.0045A31E
00428322 8365 18 00 AND DWORD PTR SS:[EBP+18],0
00428326 53 PUSH EBX
00428327 FF75 08 PUSH DWORD PTR SS:[EBP+8] <===KuNgBiM
0042832A 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0042832D FF75 FC PUSH DWORD PTR SS:[EBP-4]
00428330 E8 31FFFFFF CALL Setup2Go.00428266 <===EAX="KuNgBiMKuN" (被循环补足了10位)
00428335 53 PUSH EBX
00428336 FF75 0C PUSH DWORD PTR SS:[EBP+C] <==="pasha and andrey"
00428339 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
0042833C E8 25FFFFFF CALL Setup2Go.00428266 <===EAX="pasha and "(只留10位)
00428341 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] <===12 (就是前面用注册码前两位计算出来的结果)
00428344 BF FF000000 MOV EDI,0FF
00428349 23F7 AND ESI,EDI
0042834B 83C6 55 ADD ESI,55 <===ESI=12+55=67
0042834E 33F7 XOR ESI,EDI <===ESI=98 (呵呵,又回来了?难道注册码的前两位任意?一个用户名就有100个注册码?)
00428350 8BC6 MOV EAX,ESI
00428352 C1E8 04 SHR EAX,4 <===EAX=98 SHR 4=9
00428355 50 PUSH EAX
00428356 E8 74FFFFFF CALL Setup2Go.004282CF <===EAX=39回到了HEX值
0042835B 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14] <===ECX=9
0042835E 83E6 0F AND ESI,0F
00428361 56 PUSH ESI
00428362 8801 MOV BYTE PTR DS:[ECX],AL
00428364 E8 66FFFFFF CALL Setup2Go.004282CF <===EAX=38回到了HEX值
00428369 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0042836C 83C4 28 ADD ESP,28
0042836F 33F6 XOR ESI,ESI
00428371 85DB TEST EBX,EBX
00428373 8842 01 MOV BYTE PTR DS:[EDX+1],AL <===ECX=98
00428376 7E 26 JLE SHORT Setup2Go.0042839E
00428378 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] <==="pasha and andrey"
0042837B 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0042837E 23CF AND ECX,EDI
00428380 8A0406 MOV AL,BYTE PTR DS:[ESI+EAX] <===依次取"pasha and andrey"每个字符的HEX值,放入AL
00428383 23C7 AND EAX,EDI
00428385 33C1 XOR EAX,ECX
00428387 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0042838A C1E9 08 SHR ECX,8
0042838D 8B0485 58D34000 MOV EAX,DWORD PTR DS:[EAX*4+40D358]<===又是一个天大的256个位码表(这是CRC32-照抄)
****************CRC32-照抄的位码表如下,共有256个数*********************
77073096 EE0E612C 990951BA 076DC419 706AF48F E963A535 9E6495A3 0EDB8832
79DCB8A4 E0D5E91E 97D2D988 09B64C2B 7EB17CBD E7B82D07 90BF1D91 00000000
6AB020F2 F3B97148 84BE41DE 1ADAD47D 6DDDE4EB F4D4B551 83D385C7 136C9856
646BA8C0 FD62F97A 8A65C9EC 14015C4F 63066CD9 FA0F3D63 8D080DF5 3B6E20C8
4C69105E D56041E4 A2677172 3C03E4D1 4B04D447 D20D85FD A50AB56B 35B5A8FA
42B2986C DBBBC9D6 ACBCF940 32D86CE3 45DF5C75 DCD60DCF ABD13D59 26D930AC
51DE003A C8D75180 BFD06116 21B4F4B5 56B3C423 CFBA9599 B8BDA50F 2802B89E
5F058808 C60CD9B2 B10BE924 2F6F7C87 58684C11 C1611DAB B6662D3D 76DC4190
01DB7106 98D220BC EFD5102A 71B18589 06B6B51F 9FBFE4A5 E8B8D433 7807C9A2
0F00F934 9609A88E E10E9818 7F6A0DBB 086D3D2D 91646C97 E6635C01 6B6B51F4
1C6C6162 856530D8 F262004E 6C0695ED 1B01A57B 8208F4C1 F50FC457 65B0D9C6
12B7E950 8BBEB8EA FCB9887C 62DD1DDF 15DA2D49 8CD37CF3 FBD44C65 4DB26158
3AB551CE A3BC0074 D4BB30E2 4ADFA541 3DD895D7 A4D1C46D D3D6F4FB 4369E96A
346ED9FC AD678846 DA60B8D0 44042D73 33031DE5 AA0A4C5F DD0D7CC9 5005713C
270241AA BE0B1010 C90C2086 5768B525 206F85B3 B966D409 CE61E49F 5EDEF90E
29D9C998 B0D09822 C7D7A8B4 59B33D17 2EB40D81 B7BD5C3B C0BA6CAD EDB88320
9ABFB3B6 03B6E20C 74B1D29A EAD54739 9DD277AF 04DB2615 73DC1683 E3630B12
94643B84 0D6D6A3E 7A6A5AA8 E40ECF0B 9309FF9D 0A00AE27 7D079EB1 F00F9344
8708A3D2 1E01F268 6906C2FE F762575D 806567CB 196C3671 6E6B06E7 FED41B76
89D32BE0 10DA7A5A 67DD4ACC F9B9DF6F 8EBEEFF9 17B7BE43 60B08ED5 D6D6A3E8
A1D1937E 38D8C2C4 4FDFF252 D1BB67F1 A6BC5767 3FB506DD 48B2364B D80D2BDA
AF0A1B4C 36034AF6 41047A60 DF60EFC3 A867DF55 316E8EEF 4669BE79 CB61B38C
BC66831A 256FD2A0 5268E236 CC0C7795 BB0B4703 220216B9 5505262F C5BA3BBE
B2BD0B28 2BB45A92 5CB36A04 C2D7FFA7 B5D0CF31 2CD99E8B 5BDEAE1D 9B64C2B0
EC63F226 756AA39C 026D930A 9C0906A9 EB0E363F 72076785 05005713 95BF4A82
E2B87A14 7BB12BAE 0CB61B38 92D28E9B E5D5BE0D 7CDCEFB7 0BDBDF21 86D3D2D4
F1D4E242 68DDB3F8 1FDA836E 81BE16CD F6B9265B 6FB077E1 18B74777 88085AE6
FF0F6A70 66063BCA 11010B5C 8F659EFF F862AE69 616BFFD3 166CCF45 A00AE278
D70DD2EE 4E048354 3903B3C2 A7672661 D06016F7 4969474D 3E6E77DB AED16A4A
D9D65ADC 40DF0B66 37D83BF0 A9BCAE53 DEBB9EC5 47B2CF7F 30B5FFE9 BDBDF21C
CABAC28A 53B39330 24B4A3A6 BAD03605 CDD70693 54DE5729 23D967BF B3667A2E
C4614AB8 5D681B02 2A6F2B94 B40BBE37 C30C8EA1 5A05DF1B 2D02EF8D 0000003D
************************************************************************
00428394 33C1 XOR EAX,ECX
00428396 46 INC ESI <===ESI=ESI+1
00428397 3BF3 CMP ESI,EBX <===EBX=10,所以这个循环要经过10次
00428399 8945 18 MOV DWORD PTR SS:[EBP+18],EAX <===最后的关键值放在SS:[EBP+18]里(得出DE928F52),因为这是定值,所 以在做注册机时,完全可以直接拿来用!
0042839C ^7C DA JL SHORT Setup2Go.00428378 <===向上跳构成循环,循环10次
0042839E 83FB 02 CMP EBX,2
004283A1 7E 53 JLE SHORT Setup2Go.004283F6
004283A3 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4] <===EAX="KuNgBiMKuN"
004283A6 8D43 FE LEA EAX,DWORD PTR DS:[EBX-2]
004283A9 2BF2 SUB ESI,EDX <===EDX="98"
004283AB 8D4A 02 LEA ECX,DWORD PTR DS:[EDX+2]
004283AE 8975 08 MOV DWORD PTR SS:[EBP+8],ESI
004283B1 8945 0C MOV DWORD PTR SS:[EBP+C],EAX
004283B4 EB 03 JMP SHORT Setup2Go.004283B9 <===我跳
.................从这里开始循环运算.....................
004283B6 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004283B9 8A040E MOV AL,BYTE PTR DS:[ESI+ECX] <===依次第三位开始取"KuNgBiMKuN"每个字符的HEX值,如果是中文字符, 也是只取半个
004283BC 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18]
004283BF 23C7 AND EAX,EDI <===EDI=FF,EAX=4E(N的HEX值)
004283C1 23D7 AND EDX,EDI <===EDI=FF
004283C3 33C2 XOR EAX,EDX
004283C5 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18]
004283C8 C1EA 08 SHR EDX,8
004283CB 8B0485 58D34000 MOV EAX,DWORD PTR DS:[EAX*4+40D358] <===在码表中取值,EAX=4B04D447
004283D2 6A 24 PUSH 24 <===除以24得到的余数,取值成注册码
004283D4 33C2 XOR EAX,EDX
004283D6 33D2 XOR EDX,EDX <===EDX清0
004283D8 5E POP ESI <===ESI=24
004283D9 8945 18 MOV DWORD PTR SS:[EBP+18],EAX <===这个值又入关键位置
004283DC F7F6 DIV ESI <===开始取码,先除一下
004283DE 83FA 0A CMP EDX,0A <===如果大于10,就跳
004283E1 73 05 JNB SHORT Setup2Go.004283E8
004283E3 80C2 30 ADD DL,30 <===如果余数小于等于9,就加上30,对应其HEX值
004283E6 EB 03 JMP SHORT Setup2Go.004283EB
004283E8 80C2 37 ADD DL,37 <===如果余数大于9,就加37,对应大写的英文字符
004283EB 8811 MOV BYTE PTR DS:[ECX],DL <===取出的字符就放入[ECX],逐个出来真正的注册码(W,D,M,R,Q,2,X,U)
004283ED 41 INC ECX
004283EE FF4D 0C DEC DWORD PTR SS:[EBP+C] <===初始值为8
004283F1 ^75 C3 JNZ SHORT Setup2Go.004283B6 <===向上跳8次,得出后面8位注册码
004283F3 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
004283F6 FF75 FC PUSH DWORD PTR SS:[EBP-4]
004283F9 80241A 00 AND BYTE PTR DS:[EDX+EBX],0
004283FD E8 40F60200 CALL Setup2Go.00457A42
00428402 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00428405 E8 38F60200 CALL Setup2Go.00457A42
0042840A 59 POP ECX
0042840B 59 POP ECX
0042840C 5F POP EDI
0042840D 5E POP ESI
0042840E 5B POP EBX
0042840F C9 LEAVE
00428410 C3 RETN
..............(终)
好了,我这会儿差不多也被它搞晕了,大概的算法就这样了,那么就开始写注册机咯~~~~~
6、算法注册机源码
【作者声明】该注册机源码只能作为学习,请勿用于商业用途或是将本文方法制作的注册机任意传播,造成后果,本人一概不负。
------------Visual Basic 6.0在WINXP下编译通过--------------
Private Sub Text1_Change()
Dim i As Integer
Dim h As Integer
Dim edx As Long
Dim eax As Long
Dim ss As Long
Dim startin As String
Dim sjs As String
Dim A As Variant
Dim B As Variant
startin = Text1.Text
nlen = Len(startin)
mabiao = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
A = Array(0, &H77073096, &HEE0E612C, &H990951BA, &H76DC419, &H706AF48F, &HE963A535, &H9E6495A3, &HEDB8832, &H79DCB8A4, &HE0D5E91E, &H97D2D988, &H9B64C2B, &H7EB17CBD, &HE7B82D07, &H90BF1D91, &H0 _
, &H6AB020F2, &HF3B97148, &H84BE41DE, &H1ADAD47D, &H6DDDE4EB, &HF4D4B551, &H83D385C7, &H136C9856, &H646BA8C0, &HFD62F97A, &H8A65C9EC, &H14015C4F, &H63066CD9, &HFA0F3D63, &H8D080DF5, &H3B6E20C8 _
, &H4C69105E, &HD56041E4, &HA2677172, &H3C03E4D1, &H4B04D447, &HD20D85FD, &HA50AB56B, &H35B5A8FA, &H42B2986C, &HDBBBC9D6, &HACBCF940, &H32D86CE3, &H45DF5C75, &HDCD60DCF, &HABD13D59, &H26D930AC _
, &H51DE003A, &HC8D75180, &HBFD06116, &H21B4F4B5, &H56B3C423, &HCFBA9599, &HB8BDA50F, &H2802B89E, &H5F058808, &HC60CD9B2, &HB10BE924, &H2F6F7C87, &H58684C11, &HC1611DAB, &HB6662D3D, &H76DC4190 _
, &H1DB7106, &H98D220BC, &HEFD5102A, &H71B18589, &H6B6B51F, &H9FBFE4A5, &HE8B8D433, &H7807C9A2, &HF00F934, &H9609A88E, &HE10E9818, &H7F6A0DBB, &H86D3D2D, &H91646C97, &HE6635C01, &H6B6B51F4 _
, &H1C6C6162, &H856530D8, &HF262004E, &H6C0695ED, &H1B01A57B, &H8208F4C1, &HF50FC457, &H65B0D9C6, &H12B7E950, &H8BBEB8EA, &HFCB9887C, &H62DD1DDF, &H15DA2D49, &H8CD37CF3, &HFBD44C65, &H4DB26158 _
, &H3AB551CE, &HA3BC0074, &HD4BB30E2, &H4ADFA541, &H3DD895D7, &HA4D1C46D, &HD3D6F4FB, &H4369E96A, &H346ED9FC, &HAD678846, &HDA60B8D0, &H44042D73, &H33031DE5, &HAA0A4C5F, &HDD0D7CC9, &H5005713C _
, &H270241AA, &HBE0B1010, &HC90C2086, &H5768B525, &H206F85B3, &HB966D409, &HCE61E49F, &H5EDEF90E, &H29D9C998, &HB0D09822, &HC7D7A8B4, &H59B33D17, &H2EB40D81, &HB7BD5C3B, &HC0BA6CAD, &HEDB88320 _
, &H9ABFB3B6, &H3B6E20C, &H74B1D29A, &HEAD54739, &H9DD277AF, &H4DB2615, &H73DC1683, &HE3630B12, &H94643B84, &HD6D6A3E, &H7A6A5AA8, &HE40ECF0B, &H9309FF9D, &HA00AE27, &H7D079EB1, &HF00F9344 _
, &H8708A3D2, &H1E01F268, &H6906C2FE, &HF762575D, &H806567CB, &H196C3671, &H6E6B06E7, &HFED41B76, &H89D32BE0, &H10DA7A5A, &H67DD4ACC, &HF9B9DF6F, &H8EBEEFF9, &H17B7BE43, &H60B08ED5, &HD6D6A3E8 _
, &HA1D1937E, &H38D8C2C4, &H4FDFF252, &HD1BB67F1, &HA6BC5767, &H3FB506DD, &H48B2364B, &HD80D2BDA, &HAF0A1B4C, &H36034AF6, &H41047A60, &HDF60EFC3, &HA867DF55, &H316E8EEF, &H4669BE79, &HCB61B38C _
, &HBC66831A, &H256FD2A0, &H5268E236, &HCC0C7795, &HBB0B4703, &H220216B9, &H5505262F, &HC5BA3BBE, &HB2BD0B28, &H2BB45A92, &H5CB36A04, &HC2D7FFA7, &HB5D0CF31, &H2CD99E8B, &H5BDEAE1D, &H9B64C2B0 _
, &HEC63F226, &H756AA39C, &H26D930A, &H9C0906A9, &HEB0E363F, &H72076785, &H5005713, &H95BF4A82, &HE2B87A14, &H7BB12BAE, &HCB61B38, &H92D28E9B, &HE5D5BE0D, &H7CDCEFB7, &HBDBDF21, &H86D3D2D4 _
, &HF1D4E242, &H68DDB3F8, &H1FDA836E, &H81BE16CD, &HF6B9265B, &H6FB077E1, &H18B74777, &H88085AE6, &HFF0F6A70, &H66063BCA, &H11010B5C, &H8F659EFF, &HF862AE69, &H616BFFD3, &H166CCF45, &HA00AE278 _
, &HD70DD2EE, &H4E048354, &H3903B3C2, &HA7672661, &HD06016F7, &H4969474D, &H3E6E77DB, &HAED16A4A, &HD9D65ADC, &H40DF0B66, &H37D83BF0, &HA9BCAE53, &HDEBB9EC5, &H47B2CF7F, &H30B5FFE9, &HBDBDF21C _
, &HCABAC28A, &H53B39330, &H24B4A3A6, &HBAD03605, &HCDD70693, &H54DE5729, &H23D967BF, &HB3667A2E, &HC4614AB8, &H5D681B02, &H2A6F2B94, &HB40BBE37, &HC30C8EA1, &H5A05DF1B, &H2D02EF8D, &H3D)
'完成注册名的部分的前期工作
B = Array(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
k = 1 '是否为中文注册名的标志位
tlen = 0
For h = 1 To nlen
sumtmp = Asc(Mid(startin, h, 1))
If Abs(sumtmp) <> sumtmp Then '为处理中文注册名而设计
k = 2
Else
k = 1
End If
For e = 1 To k
B(tlen) = CInt("&H" + Mid(Hex(sumtmp), 2 * e - 1, 2))
tlen = tlen + 1
If tlen >= 10 Then '只处理用户名前10位
e = k
h = nlen
Else
If h = nlen Then '如果注册名不满10位的处理方式
h = 0 'h=0,一个循环上去,就又成初始值1了
End If
End If
Next e
Next h
ebx = 0
ss = &HDE928F52
For i = 2 To 9
eax = B(i) And &HFF
edx = ss And &HFF
eax = eax Xor edx
TMPLEN = Len(Hex(ss))
edx = CLng("&h" + Mid(Hex(ss), 1, TMPLEN - 2))
eax = A(eax) Xor edx
ss = eax
tmpsum = eax Mod 36
If tmpsum < 0 Then '对于VB中出现负数的处理
tmpsum = 40 + tmpsum
End If
tmpmod = tmpsum + 1
TMPSTR = Mid(mabiao, tmpmod, 1)
laststr = laststr + TMPSTR
Next i
sjs = Int(89 * Rnd + 10) '注册码前2位设定为10-99之间的一个任意随机整数
laststr = sjs + laststr
Text2.Text = laststr
End Sub
-----------------------------------------------------
7、注册信息保存在注册表里:
[HKEY_LOCAL_MACHINE\SOFTWARE\SDS Software\Setup2GO]
"username"="KuNgBiM"
"regcode"="98WDMRQ2XU"
-----------------------------------------------------
========收工,睡觉咯~~~=========
Cracked By KuNgBiM[DFCG]
2005-02-02 05:54:36