无敌图像印章 3.06注册算法分析。
【软件简介】:批量为图像添加印章、制作缩略图、添加特效、增加蒙版效果、图像浏览
* 特别增加了“藏宝”功能,即将一幅图片藏在另外一幅图片中(请登录 http://wosens.com 选择“Show”查看藏宝效果)
【下载地址】:http://www.wosens.com/china/index.asp
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
================================================================================
【破解过程】:
用PEiD查壳,显示是ASP壳。在CrazyMarker\language目录下的Simplified chinese文件里可以看到,编号611的字符串就是“已注册版本”。
用查找字符串插件查找611双击来到 。。。
0055D6A7 |. 64:FF30 push dword ptr fs:[eax]
0055D6AA |. 64:8920 mov dword ptr fs:[eax],esp
0055D6AD |. A1 98FF5600 mov eax,dword ptr ds:[56FF98]
0055D6B2 |. 8B00 mov eax,dword ptr ds:[eax]
0055D6B4 |. 8B40 08 mov eax,dword ptr ds:[eax+8]
0055D6B7 |. E8 DC7CFAFF call unpacked.00505398 ; 关键算法
0055D6BC |. 84C0 test al,al
0055D6BE |. 74 45 je short unpacked.0055D705 ; 跳就未注册
0055D6C0 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0055D6C3 |. B8 28D85500 mov eax,unpacked.0055D828 ; 611=已注册版本
0055D6C8 |. E8 175BFAFF call unpacked.005031E4
0055D6CD |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
0055D6D0 |. 8B83 3C030000 mov eax,dword ptr ds:[ebx+33C]
0055D6D6 |. E8 9986EFFF call unpacked.00455D74
0055D6DB |. 33D2 xor edx,edx
0055D6DD |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
0055D6E3 |. E8 8C86EFFF call unpacked.00455D74
0055D6E8 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0055D6EB |. B8 34D85500 mov eax,unpacked.0055D834 ; 615=有了您的注册,凌丽软件将会制造更多更好的软件产品,谢谢!
0055D6F0 |. E8 EF5AFAFF call unpacked.005031E4
0055D6F5 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0055D6F8 |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
0055D6FE |. E8 7186EFFF call unpacked.00455D74
0055D703 |. EB 51 jmp short unpacked.0055D756
0055D705 |> 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0055D708 |. B8 40D85500 mov eax,unpacked.0055D840 ; 610=未注册版本
0055D70D |. E8 D25AFAFF call unpacked.005031E4
0055D712 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
0055D715 |. 8B83 3C030000 mov eax,dword ptr ds:[ebx+33C]
0055D71B |. E8 5486EFFF call unpacked.00455D74
0055D720 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0055D723 |. B8 4CD85500 mov eax,unpacked.0055D84C ; 613
----------------------------------------- call unpacked.00505398 ; 关键算法--------------------------------------------------
00505398 /$ E8 B3FCFFFF call unpacked.00505050跟进。。。。。。。。。。。
0050539D \. C3 retn
对注册码进行运算处理
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
00505086 . BA 74535000 mov edx,unpacked.00505374 ; -
0050508B . 8BC3 mov eax,ebx
0050508D . E8 86A3F0FF call unpacked.0040F418
00505092 . 8D55 EC lea edx,dword ptr ss:[ebp-14] ; 注册码
00505095 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00505098 . E8 EBFEFFFF call unpacked.00504F88 ; 关键算法
0050509D . 8B55 EC mov edx,dword ptr ss:[ebp-14]
005050A0 . 8D45 FC lea eax,dword ptr ss:[ebp-4]
005050A3 . E8 D4F8EFFF call unpacked.0040497C
005050A8 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
===============================================================================
对注册码的处理函数
call unpacked.00504F88 ; 关键算法
==============================================================================
00504F88 /$ 55 push ebp
00504F89 |. 8BEC mov ebp,esp
00504F8B |. 33C9 xor ecx,ecx
00504F8D |. 51 push ecx
00504F8E |. 51 push ecx
00504F8F |. 51 push ecx
00504F90 |. 51 push ecx
00504F91 |. 51 push ecx
00504F92 |. 53 push ebx
00504F93 |. 56 push esi
00504F94 |. 57 push edi
00504F95 |. 8955 F8 mov dword ptr ss:[ebp-8],edx
00504F98 |. 8945 FC mov dword ptr ss:[ebp-4],eax
00504F9B |. 33C0 xor eax,eax
00504F9D |. 55 push ebp
00504F9E |. 68 42505000 push unpacked.00505042
00504FA3 |. 64:FF30 push dword ptr fs:[eax]
00504FA6 |. 64:8920 mov dword ptr fs:[eax],esp
00504FA9 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00504FAC |. E8 EBFBEFFF call unpacked.00404B9C ; 注册码长度
00504FB1 |. 8BF0 mov esi,eax
00504FB3 |. 85F6 test esi,esi
00504FB5 |. 79 03 jns short unpacked.00504FBA
00504FB7 |. 83C6 03 add esi,3
00504FBA |> C1FE 02 sar esi,2
00504FBD |. 85F6 test esi,esi
00504FBF |. 7E 5B jle short unpacked.0050501C
00504FC1 |. BF 01000000 mov edi,1
00504FC6 |> 8D45 F0 /lea eax,dword ptr ss:[ebp-10]
00504FC9 |. 50 |push eax
00504FCA |. 8BD7 |mov edx,edi
00504FCC |. C1E2 02 |shl edx,2
00504FCF |. 83EA 03 |sub edx,3
00504FD2 |. B9 04000000 |mov ecx,4
00504FD7 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
00504FDA |. E8 15FEEFFF |call unpacked.00404DF4 ; 依次取4位注册码
00504FDF |. 8B45 F0 |mov eax,dword ptr ss:[ebp-10]
00504FE2 |. B2 10 |mov dl,10
00504FE4 |. E8 536DFDFF |call unpacked.004DBD3C ; 转换成16进制数
00504FE9 |. 8BD8 |mov ebx,eax
00504FEB |. 85DB |test ebx,ebx
00504FED |. 79 05 |jns short unpacked.00504FF4
00504FEF |. E8 14EAEFFF |call unpacked.00403A08
00504FF4 |> 81F3 79900000 |xor ebx,9079 ; 和0X9079 XOR
00504FFA |. 8BC3 |mov eax,ebx
00504FFC |. 33D2 |xor edx,edx
00504FFE |. 52 |push edx ; /Arg2 => 00000000
00504FFF |. 50 |push eax ; |Arg1
00505000 |. 8D55 EC |lea edx,dword ptr ss:[ebp-14] ; |
00505003 |. B8 04000000 |mov eax,4 ; |
00505008 |. E8 3347F0FF |call unpacked.00409740 ; \再转换成字符串
0050500D |. 8B55 EC |mov edx,dword ptr ss:[ebp-14]
00505010 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
00505013 |. E8 8CFBEFFF |call unpacked.00404BA4
00505018 |. 47 |inc edi
00505019 |. 4E |dec esi
0050501A |.^ 75 AA \jnz short unpacked.00504FC6
=========================================================================
对注册码简单加密后来到这里
005050B0 . 83F8 14 cmp eax,14 ; 注册码长度是否等于20位
005050B3 . 74 07 je short unpacked.005050BC
005050B5 . 33DB xor ebx,ebx
005050B7 . E9 6A020000 jmp unpacked.00505326
005050BC > 8B45 FC mov eax,dword ptr ss:[ebp-4]
005050BF . E8 3059FDFF call unpacked.004DA9F4 ; 关键函数
005050C4 . 84C0 test al,al
005050C6 . 75 07 jnz short unpacked.005050CF
005050C8 . 33DB xor ebx,ebx
----------------------------------- call unpacked.004DA9F4 ; 关键函数--
call 004DA9F4 主要验证对注册码进行加密后字符串必须是数字形式
; 004DA9F4 -- character-set check on the string passed in eax.
; Scans the string one character at a time and keeps a pass/fail byte at
; [ebp-5], initialised to 1. The byte is cleared when the string written by
; the 0040940C helper is empty, when a second '.' (2Eh) is seen, or when a
; character is not '0'..'9', '.' or '-' (2Dh). Only '.' is counted; '-' is
; accepted at any position and any number of times.
; In:     eax = string pointer (length dword read at [ptr-4])
; Out:    not visible in this excerpt: the final retn transfers to 004DAADC
;         (pushed at 004DAABA), which presumably loads [ebp-5] into al --
;         confirm. The caller at 005050C4 tests al.
; Locals: [ebp-4] input string, [ebp-5] result flag, [ebp-C] '.' counter,
;         [ebp-10] and [ebp-14] string temporaries
; NOTE(review): the helpers 00404D84, 0040940C, 00404B9C, 00404DF4, 00403A08,
; 00404908 and 004048E4 are not part of this listing; the roles given below
; are inferred from their arguments -- confirm.
004DA9F4 /$ 55 push ebp
004DA9F5 |. 8BEC mov ebp,esp ; standard frame
004DA9F7 |. 83C4 EC add esp,-14 ; reserve 14h bytes of locals
004DA9FA |. 53 push ebx ; ebx/esi are used as loop counter and position below
004DA9FB |. 56 push esi
004DA9FC |. 33D2 xor edx,edx
004DA9FE |. 8955 EC mov dword ptr ss:[ebp-14],edx ; both temporaries start out as 0
004DAA01 |. 8955 F0 mov dword ptr ss:[ebp-10],edx
004DAA04 |. 8945 FC mov dword ptr ss:[ebp-4],eax ; keep the input string
004DAA07 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004DAA0A |. E8 75A3F2FF call unpacked.00404D84 ; presumably takes a reference on the string -- confirm
004DAA0F |. 33C0 xor eax,eax ; eax = 0 so fs:[eax] below addresses fs:[0]
004DAA11 |. 55 push ebp ; build an exception frame: saved ebp, handler, previous fs:[0]
004DAA12 |. 68 D5AA4D00 push unpacked.004DAAD5 ; handler address (code not shown)
004DAA17 |. 64:FF30 push dword ptr fs:[eax]
004DAA1A |. 64:8920 mov dword ptr fs:[eax],esp ; link the new frame
004DAA1D |. 33C0 xor eax,eax
004DAA1F |. 8945 F4 mov dword ptr ss:[ebp-C],eax ; '.' counter = 0
004DAA22 |. C645 FB 01 mov byte ptr ss:[ebp-5],1 ; result flag = pass until a check fails
004DAA26 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10] ; edx = destination for the helper's result
004DAA29 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004DAA2C |. E8 DBE9F2FF call unpacked.0040940C ; derives a string from the input (possibly a trimmed copy -- confirm)
004DAA31 |. 837D F0 00 cmp dword ptr ss:[ebp-10],0 ; empty result?
004DAA35 |. 75 06 jnz short unpacked.004DAA3D
004DAA37 |. C645 FB 00 mov byte ptr ss:[ebp-5],0 ; empty -> fail
004DAA3B |. EB 75 jmp short unpacked.004DAAB2
004DAA3D |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004DAA40 |. E8 57A1F2FF call unpacked.00404B9C ; length of the input (same helper is labelled as length at 00504FAC)
004DAA45 |. 8BD8 mov ebx,eax ; ebx = characters left to check
004DAA47 |. 85DB test ebx,ebx
004DAA49 |. 7E 67 jle short unpacked.004DAAB2 ; nothing to scan: leave with the flag unchanged
004DAA4B |. BE 01000000 mov esi,1 ; esi = 1-based position
004DAA50 |> 8D45 EC /lea eax,dword ptr ss:[ebp-14]
004DAA53 |. 50 |push eax ; destination for the one-character substring
004DAA54 |. B9 01000000 |mov ecx,1 ; count = 1
004DAA59 |. 8BD6 |mov edx,esi ; start position
004DAA5B |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004DAA5E |. E8 91A3F2FF |call unpacked.00404DF4 ; substring helper: [ebp-14] = character at position esi
004DAA63 |. 8B45 EC |mov eax,dword ptr ss:[ebp-14]
004DAA66 |. BA 01000000 |mov edx,1
004DAA6B |. 4A |dec edx ; edx = 0, zero-based index of the first byte
004DAA6C |. 85C0 |test eax,eax
004DAA6E |. 74 05 |je short unpacked.004DAA75 ; nil substring -> error helper
004DAA70 |. 3B50 FC |cmp edx,dword ptr ds:[eax-4] ; index against the length dword at [ptr-4]
004DAA73 |. 72 05 |jb short unpacked.004DAA7A ; in range
004DAA75 |> E8 8E8FF2FF |call unpacked.00403A08 ; presumably raises a range error -- confirm
004DAA7A |> 42 |inc edx
004DAA7B |. 0FB64410 FF |movzx eax,byte ptr ds:[eax+edx-1] ; eax = the character, zero-extended
004DAA80 |. 83F8 2E |cmp eax,2E ; '.'
004DAA83 |. 75 03 |jnz short unpacked.004DAA88
004DAA85 |. FF45 F4 |inc dword ptr ss:[ebp-C] ; count dots
004DAA88 |> 837D F4 01 |cmp dword ptr ss:[ebp-C],1
004DAA8C |. 7E 06 |jle short unpacked.004DAA94
004DAA8E |. C645 FB 00 |mov byte ptr ss:[ebp-5],0 ; more than one '.' -> fail
004DAA92 |. EB 1E |jmp short unpacked.004DAAB2
004DAA94 |> 83F8 30 |cmp eax,30 ; below '0'?
004DAA97 |. 7C 05 |jl short unpacked.004DAA9E
004DAA99 |. 83F8 39 |cmp eax,39 ; '0'..'9' accepted
004DAA9C |. 7E 10 |jle short unpacked.004DAAAE
004DAA9E |> 83F8 2E |cmp eax,2E ; '.' accepted
004DAAA1 |. 74 0B |je short unpacked.004DAAAE
004DAAA3 |. 83F8 2D |cmp eax,2D ; '-' accepted, with no limit on position or count
004DAAA6 |. 74 06 |je short unpacked.004DAAAE
004DAAA8 |. C645 FB 00 |mov byte ptr ss:[ebp-5],0 ; any other character -> fail
004DAAAC |. EB 04 |jmp short unpacked.004DAAB2
004DAAAE |> 46 |inc esi ; next position
004DAAAF |. 4B |dec ebx
004DAAB0 |.^ 75 9E \jnz short unpacked.004DAA50
004DAAB2 |> 33C0 xor eax,eax ; common exit: unlink the exception frame
004DAAB4 |. 5A pop edx ; edx = previous fs:[0]
004DAAB5 |. 59 pop ecx ; discard handler address
004DAAB6 |. 59 pop ecx ; discard saved ebp
004DAAB7 |. 64:8910 mov dword ptr fs:[eax],edx
004DAABA |. 68 DCAA4D00 push unpacked.004DAADC ; address the retn below transfers to
004DAABF |> 8D45 EC lea eax,dword ptr ss:[ebp-14]
004DAAC2 |. BA 02000000 mov edx,2
004DAAC7 |. E8 3C9EF2FF call unpacked.00404908 ; presumably releases the two temporaries starting at [ebp-14] -- confirm
004DAACC |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
004DAACF |. E8 109EF2FF call unpacked.004048E4 ; presumably releases the input reference -- confirm
004DAAD4 \. C3 retn ; continues at 004DAADC (not shown)
---------------------------------------------------------------------------------------
下面是依次取加密后的注册码第1,8,9,15
005050CF > \B2 01 mov dl,1
005050D1 . A1 60734100 mov eax,dword ptr ds:[417360]
005050D6 . E8 C5E9EFFF call unpacked.00403AA0
005050DB . 8945 F0 mov dword ptr ss:[ebp-10],eax
005050DE . 33C0 xor eax,eax
005050E0 . 55 push ebp
005050E1 . 68 18525000 push unpacked.00505218
005050E6 . 64:FF30 push dword ptr fs:[eax]
005050E9 . 64:8920 mov dword ptr fs:[eax],esp
005050EC . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
005050EF . BA 01000000 mov edx,1 ;取第1位
005050F4 . 8B4D FC mov ecx,dword ptr ss:[ebp-4]
005050F7 . 4A dec edx
005050F8 . 85C9 test ecx,ecx
005050FA . 74 05 je short unpacked.00505101
005050FC . 3B51 FC cmp edx,dword ptr ds:[ecx-4]
005050FF . 72 05 jb short unpacked.00505106
00505101 > E8 02E9EFFF call unpacked.00403A08
00505106 > 42 inc edx
00505107 . 8A5411 FF mov dl,byte ptr ds:[ecx+edx-1]
0050510B . 8850 01 mov byte ptr ds:[eax+1],dl
0050510E . C600 01 mov byte ptr ds:[eax],1
00505111 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00505114 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00505117 . E8 14E0EFFF call unpacked.00403130
0050511C . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
0050511F . BA 08000000 mov edx,8 ;取第8位
00505124 . 8B4D FC mov ecx,dword ptr ss:[ebp-4]
00505127 . 4A dec edx
00505128 . 85C9 test ecx,ecx
0050512A . 74 05 je short unpacked.00505131
0050512C . 3B51 FC cmp edx,dword ptr ds:[ecx-4]
0050512F . 72 05 jb short unpacked.00505136
00505131 > E8 D2E8EFFF call unpacked.00403A08
00505136 > 42 inc edx
00505137 . 8A5411 FF mov dl,byte ptr ds:[ecx+edx-1]
0050513B . 8850 01 mov byte ptr ds:[eax+1],dl
0050513E . C600 01 mov byte ptr ds:[eax],1
00505141 . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00505144 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00505147 . B1 02 mov cl,2
00505149 . E8 B2DFEFFF call unpacked.00403100
0050514E . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00505151 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
00505154 . E8 D7DFEFFF call unpacked.00403130
00505159 . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
0050515C . BA 09000000 mov edx,9 ;取第9位
00505161 . 8B4D FC mov ecx,dword ptr ss:[ebp-4]
00505164 . 4A dec edx
00505165 . 85C9 test ecx,ecx
00505167 . 74 05 je short unpacked.0050516E
00505169 . 3B51 FC cmp edx,dword ptr ds:[ecx-4]
0050516C . 72 05 jb short unpacked.00505173
0050516E > E8 95E8EFFF call unpacked.00403A08
00505173 > 42 inc edx
00505174 . 8A5411 FF mov dl,byte ptr ds:[ecx+edx-1]
00505178 . 8850 01 mov byte ptr ds:[eax+1],dl
0050517B . C600 01 mov byte ptr ds:[eax],1
0050517E . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00505181 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
00505184 . B1 03 mov cl,3
00505186 . E8 75DFEFFF call unpacked.00403100
0050518B . 8D55 DC lea edx,dword ptr ss:[ebp-24]
0050518E . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
00505191 . E8 9ADFEFFF call unpacked.00403130
00505196 . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00505199 . BA 0E000000 mov edx,0E ;取第0E位
0050519E . 8B4D FC mov ecx,dword ptr ss:[ebp-4]
005051A1 . 4A dec edx
005051A2 . 85C9 test ecx,ecx
005051A4 . 74 05 je short unpacked.005051AB
005051A6 . 3B51 FC cmp edx,dword ptr ds:[ecx-4]
005051A9 . 72 05 jb short unpacked.005051B0
005051AB > E8 58E8EFFF call unpacked.00403A08
005051B0 > 42 inc edx
005051B1 . 8A5411 FF mov dl,byte ptr ds:[ecx+edx-1]
005051B5 . 8850 01 mov byte ptr ds:[eax+1],dl
005051B8 . C600 01 mov byte ptr ds:[eax],1
005051BB . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
005051BE . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
005051C1 . B1 04 mov cl,4
005051C3 . E8 38DFEFFF call unpacked.00403100
005051C8 . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
005051CB . 8D45 F4 lea eax,dword ptr ss:[ebp-C]
005051CE . E8 6DF9EFFF call unpacked.00404B40
005051D3 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
005051D6 . 50 push eax
005051D7 . B9 04000000 mov ecx,4
005051DC . BA 11000000 mov edx,11 ;从第11位取4个
005051E1 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005051E4 . E8 0BFCEFFF call unpacked.00404DF4
005051E9 . 8B55 D0 mov edx,dword ptr ss:[ebp-30]
005051EC . 8B45 F4 mov eax,dword ptr ss:[ebp-C]
005051EF . E8 ECFAEFFF call unpacked.00404CE0 ; 关键比较函数
005051F4 . 74 0C je short unpacked.00505202
005051F6 . 33DB xor ebx,ebx
005051F8 . E8 4BF1EFFF call unpacked.00404348
005051FD . E9 24010000 jmp unpacked.00505326
------------------------------------------- call unpacked.00404CE0 ; 关键比较函数
该函数用来比较两个数字串是否相等:一个由加密后注册码的第1位、8位、9位、0E=15位拼接而成,另一个是加密后注册码的第17位到第20位。
00404CDD 8D40 00 lea eax,dword ptr ds:[eax]
; 00404CE0 -- compares two length-prefixed strings and reports the result in
; the CPU flags rather than in a register; the callers in this listing branch
; with je / jb / ja immediately after the call.
; In:   eax = first string, edx = second string (either may be nil);
;       each length is the dword stored at [ptr-4]
; Out:  flags. ZF=1 when the pointers are identical, or when the contents
;       match over the common length and the lengths are equal.
; Saves ebx, esi, edi; the pops in the epilogue leave the flags untouched.
; The comparison is byte-wise in memory order, so an ordering test made with
; this routine is lexicographic over the text, not a numeric comparison.
; NOTE(review): the shape matches a Delphi RTL long-string compare -- confirm.
00404CE0 /$ 53 push ebx
00404CE1 |. 56 push esi
00404CE2 |. 57 push edi
00404CE3 |. 89C6 mov esi,eax ; esi = first string
00404CE5 |. 89D7 mov edi,edx ; edi = second string
00404CE7 |. 39D0 cmp eax,edx ; same pointer -> equal, ZF already set by this cmp
00404CE9 |. 0F84 8F000000 je unpacked.00404D7E
00404CEF |. 85F6 test esi,esi
00404CF1 |. 74 68 je short unpacked.00404D5B ; first is nil
00404CF3 |. 85FF test edi,edi
00404CF5 |. 74 6B je short unpacked.00404D62 ; second is nil
00404CF7 |. 8B46 FC mov eax,dword ptr ds:[esi-4] ; eax = length of first
00404CFA |. 8B57 FC mov edx,dword ptr ds:[edi-4] ; edx = length of second
00404CFD |. 29D0 sub eax,edx ; eax = len1 - len2, kept for the final verdict
00404CFF |. 77 02 ja short unpacked.00404D03 ; len1 > len2: edx is already the shorter length
00404D01 |. 01C2 add edx,eax ; otherwise edx = len2 + (len1 - len2) = len1
00404D03 |> 52 push edx ; save the common length
00404D04 |. C1EA 02 shr edx,2 ; edx = number of whole dwords to compare
00404D07 |. 74 26 je short unpacked.00404D2F ; fewer than 4 bytes: go straight to the tail
00404D09 |> 8B0E /mov ecx,dword ptr ds:[esi] ; loop body handles two dwords per pass
00404D0B |. 8B1F |mov ebx,dword ptr ds:[edi]
00404D0D |. 39D9 |cmp ecx,ebx
00404D0F |. 75 58 |jnz short unpacked.00404D69 ; mismatch: locate the differing byte
00404D11 |. 4A |dec edx
00404D12 |. 74 15 |je short unpacked.00404D29 ; dword count exhausted after the first of the pair
00404D14 |. 8B4E 04 |mov ecx,dword ptr ds:[esi+4]
00404D17 |. 8B5F 04 |mov ebx,dword ptr ds:[edi+4]
00404D1A |. 39D9 |cmp ecx,ebx
00404D1C |. 75 4B |jnz short unpacked.00404D69
00404D1E |. 83C6 08 |add esi,8
00404D21 |. 83C7 08 |add edi,8
00404D24 |. 4A |dec edx
00404D25 |.^ 75 E2 \jnz short unpacked.00404D09
00404D27 |. EB 06 jmp short unpacked.00404D2F
00404D29 |> 83C6 04 add esi,4 ; step past the single dword compared last
00404D2C |. 83C7 04 add edi,4
00404D2F |> 5A pop edx ; edx = common length again
00404D30 |. 83E2 03 and edx,3 ; 0..3 trailing bytes
00404D33 |. 74 22 je short unpacked.00404D57 ; none left
00404D35 |. 8B0E mov ecx,dword ptr ds:[esi] ; full dword loads; only the low 1..3 bytes are compared
00404D37 |. 8B1F mov ebx,dword ptr ds:[edi]
00404D39 |. 38D9 cmp cl,bl ; trailing byte 0
00404D3B |. 75 41 jnz short unpacked.00404D7E
00404D3D |. 4A dec edx
00404D3E |. 74 17 je short unpacked.00404D57
00404D40 |. 38FD cmp ch,bh ; trailing byte 1
00404D42 |. 75 3A jnz short unpacked.00404D7E
00404D44 |. 4A dec edx
00404D45 |. 74 10 je short unpacked.00404D57
00404D47 |. 81E3 0000FF00 and ebx,0FF0000 ; isolate trailing byte 2 on both sides
00404D4D |. 81E1 0000FF00 and ecx,0FF0000
00404D53 |. 39D9 cmp ecx,ebx
00404D55 |. 75 27 jnz short unpacked.00404D7E
00404D57 |> 01C0 add eax,eax ; contents equal: flags now derive from len1 - len2 (ZF if zero, CF if its top bit was set)
00404D59 |. EB 23 jmp short unpacked.00404D7E
00404D5B |> 8B57 FC mov edx,dword ptr ds:[edi-4] ; first is nil: eax still holds that nil pointer (0)
00404D5E |. 29D0 sub eax,edx ; flags from 0 - len2
00404D60 |. EB 1C jmp short unpacked.00404D7E
00404D62 |> 8B46 FC mov eax,dword ptr ds:[esi-4] ; second is nil: edx still holds that nil pointer (0)
00404D65 |. 29D0 sub eax,edx ; flags from len1 - 0
00404D67 |. EB 15 jmp short unpacked.00404D7E
00404D69 |> 5A pop edx ; dword mismatch: drop the saved length
00404D6A |. 38D9 cmp cl,bl ; walk the four bytes lowest address first;
00404D6C |. 75 10 jnz short unpacked.00404D7E ; the first cmp that differs supplies the result flags
00404D6E |. 38FD cmp ch,bh
00404D70 |. 75 0C jnz short unpacked.00404D7E
00404D72 |. C1E9 10 shr ecx,10 ; bring the upper two bytes down
00404D75 |. C1EB 10 shr ebx,10
00404D78 |. 38D9 cmp cl,bl
00404D7A |. 75 02 jnz short unpacked.00404D7E
00404D7C |. 38FD cmp ch,bh
00404D7E |> 5F pop edi ; common exit: restore registers, flags preserved
00404D7F |. 5E pop esi
00404D80 |. 5B pop ebx
00404D81 \. C3 retn
------------------------------------------------------------------------------------------------------------
满足上述条件后来到这里开始比较经过运算得出的6位数是否大于472008且是否小于500000
00505202 > \33C0 xor eax,eax
00505204 . 5A pop edx
00505205 . 59 pop ecx
00505206 . 59 pop ecx
00505207 . 64:8910 mov dword ptr fs:[eax],edx
0050520A . 68 1F525000 push unpacked.0050521F
0050520F > 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00505212 . E8 B9E8EFFF call unpacked.00403AD0
00505217 . C3 retn
00505218 .^ E9 47F0EFFF jmp unpacked.00404264
0050521D .^ EB F0 jmp short unpacked.0050520F
0050521F . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00505222 . 50 push eax
00505223 . B9 01000000 mov ecx,1
00505228 . BA 10000000 mov edx,10 ; 取第16位数
0050522D . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; EAX=[15]
00505230 . E8 BFFBEFFF call unpacked.00404DF4
00505235 . 8B45 CC mov eax,dword ptr ss:[ebp-34] ; EAX-0X30
00505238 . E8 4B45F0FF call unpacked.00409788
0050523D . 8BC8 mov ecx,eax
0050523F . 8BC1 mov eax,ecx
00505241 . B9 03000000 mov ecx,3 ; ECX=3
00505246 . 99 cdq
00505247 . F7F9 idiv ecx
00505249 . 8BF2 mov esi,edx ; 除以3取余数给ESI
0050524B . 33DB xor ebx,ebx ; EBX=0
0050524D > 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00505250 . 50 push eax
00505251 . 8BD3 mov edx,ebx ; EDX=EBX
00505253 . 03D2 add edx,edx ; EDX+EDX
00505255 . 03D6 add edx,esi ; EDX+=ESI
00505257 . 83C2 02 add edx,2 ; EDX+=2 EDX代表加密注册码的元素下标
0050525A . B9 01000000 mov ecx,1 ; ECX=1 取一位
0050525F . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; JIAMI[]
00505262 . E8 8DFBEFFF call unpacked.00404DF4
00505267 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
0050526A . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0050526D . E8 32F9EFFF call unpacked.00404BA4
00505272 . 43 inc ebx ; EBX++
00505273 . 83FB 06 cmp ebx,6
00505276 .^ 75 D5 jnz short unpacked.0050524D ; 依次取6个
00505278 . 33F6 xor esi,esi ; ESI=0
0050527A . BB 01000000 mov ebx,1 ; EBX=1
0050527F > 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00505282 . 8B55 FC mov edx,dword ptr ss:[ebp-4] ; JIAMI[]
00505285 . 4B dec ebx
00505286 . 85D2 test edx,edx
00505288 . 74 05 je short unpacked.0050528F
0050528A . 3B5A FC cmp ebx,dword ptr ds:[edx-4]
0050528D . 72 05 jb short unpacked.00505294
0050528F > E8 74E7EFFF call unpacked.00403A08
00505294 > 43 inc ebx
00505295 . 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
00505299 . E8 26F8EFFF call unpacked.00404AC4 ; 取数组元素
0050529E . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
005052A1 . E8 E244F0FF call unpacked.00409788 ; 这个函数类似 KEY-0X30
005052A6 . 03F0 add esi,eax
005052A8 . 43 inc ebx
005052A9 . 83FB 11 cmp ebx,11 ; 依次取JIAMI[]17个元素 转换成10进制数进行类加
005052AC .^ 75 D1 jnz short unpacked.0050527F
005052AE . 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 取完后的数字要比 472008大 且要比500000小
005052B1 . BA 80535000 mov edx,unpacked.00505380 ; 472008
005052B6 . E8 25FAEFFF call unpacked.00404CE0
005052BB . 72 13 jb short unpacked.005052D0 ; 不能跳
005052BD . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005052C0 . BA 90535000 mov edx,unpacked.00505390 ; 500000
005052C5 . E8 16FAEFFF call unpacked.00404CE0
005052CA . 77 04 ja short unpacked.005052D0 ; 不能跳
005052CC . B3 01 mov bl,1
005052CE . EB 02 jmp short unpacked.005052D2
005052D0 > 33DB xor ebx,ebx
005052D2 > 84DB test bl,bl
005052D4 . 74 50 je short unpacked.00505326 ; 不能跳
005052D6 . 33DB xor ebx,ebx
005052D8 . 83FE 39 cmp esi,39
005052DB . 7C 07 jl short unpacked.005052E4
005052DD . 83FE 39 cmp esi,39
005052E0 . 7F 02 jg short unpacked.005052E4
005052E2 . B3 01 mov bl,1
005052E4 > 83FE 47 cmp esi,47
005052E7 . 7C 07 jl short unpacked.005052F0
005052E9 . 83FE 48 cmp esi,48
005052EC . 7F 02 jg short unpacked.005052F0
005052EE . B3 01 mov bl,1
005052F0 > 83FE 64 cmp esi,64
005052F3 . 7C 07 jl short unpacked.005052FC
005052F5 . 83FE 65 cmp esi,65
005052F8 . 7F 02 jg short unpacked.005052FC
005052FA . B3 01 mov bl,1
005052FC > 83FE 6F cmp esi,6F
005052FF . 7C 07 jl short unpacked.00505308
00505301 . 83FE 6F cmp esi,6F
00505304 . 7F 02 jg short unpacked.00505308
00505306 . B3 01 mov bl,1
00505308 > 83FE 7D cmp esi,7D
0050530B . 7C 07 jl short unpacked.00505314
0050530D . 83FE 7D cmp esi,7D
00505310 . 7F 02 jg short unpacked.00505314
00505312 . B3 01 mov bl,1
00505314 > 81FE 88000000 cmp esi,88
0050531A . 7C 0A jl short unpacked.00505326 ; 不能跳
0050531C . 81FE 88000000 cmp esi,88 ; ESI不大于88也不小于88 就得等于88了
00505322 . 7F 02 jg short unpacked.00505326 ; 不能跳
00505324 . B3 01 mov bl,1
00505326 > 33C0 xor eax,eax
00505328 . 5A pop edx
00505329 . 59 pop ecx
0050532A . 59 pop ecx
0050532B . 64:8910 mov dword ptr fs:[eax],edx
0050532E . 68 5D535000 push unpacked.0050535D
00505333 > 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00505336 . BA 04000000 mov edx,4
0050533B . E8 C8F5EFFF call unpacked.00404908
00505340 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
00505343 . E8 9CF5EFFF call unpacked.004048E4
00505348 . 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0050534B . BA 03000000 mov edx,3
00505350 . E8 B3F5EFFF call unpacked.00404908
00505355 . C3 retn
00505356 .^ E9 09EFEFFF jmp unpacked.00404264
0050535B .^ EB D6 jmp short unpacked.00505333
0050535D . 8BC3 mov eax,ebx
0050535F . 5E pop esi
00505360 . 5B pop ebx
00505361 . 8BE5 mov esp,ebp
00505363 . 5D pop ebp
00505364 . C3 retn
***************************************************************************
总结一下:
1,注册码必须等于20位。
2,注册码依次取4位和0X9079 XOR 得到新的数组取名JIAMI[]。
3,注册码加密后字符串必须是数字形式。
4,注册码加密后字符串取第1位,8位,9位,0E=15位形成数字和从第17位到20位形成的数字比较必须相等。
5,注册码加密后字符串取第16位数进行循环计算得出注册码加密后字符串数组下标,连续取6个数字。
6,取6个数字的数值必须大于472008且小于500000。
7,依次取注册码加密后字符串17个元素,转换成10进制数进行累加,累加后的数值必须等于0X39,0X6F,0X7D,0X88其中之一。
给你举个例子:9049 9999 9999 9994 9999 (20位)
0X9049 XOR 0X9079=0030
0X9999 XOR 0X9079=09E0
0X9999 XOR 0X9079=09E0
0X9994 XOR 0X9079=09ED
0X9999 XOR 0X9079=09E0
取第1位,8位,9位,0E=15位形成数字和从第17位到20位形成的数字比较相等。
9049 9999 9999 9994 9999
依次取注册码加密后字符串17个元素,转换成10进制数进行累加,累加后的数值必须等于0X7D=125。
90499999999999949999
一个可用的通用注册码:003009E009E009ED09E0