HRMIS人力资源管理系统标准版

标题： HRMIS人力资源管理系统标准版
作者：lq7972
时间：2006-05-25 00:05
链接：http://bbs.pediy.com/showthread.php?threadid=26228

【目标软件】HRMIS人力资源管理系统标准版
【破解工具】IDA、SoftICE
【破解目标】得到注册算法
【参考资料】dREAMtHEATER 《Delphi 对象模型学习笔记》http://dreamtheater.reg365.com/papers/Object.htm
这个软件采用了Delphi类虚拟方法来保护注册机制，dREAMtHEATER老大的文章对Delphi类的虚拟方法表格和动态方法表格讲的很清楚
【说明】这个是人事部的老大要试用下，却没试用版；要我帮破下，就做了它；几个月了，一直没时间整理贴上来；今天花时间搞上来，没其他不良企图，只是想与大家交流

开始～
主程序文件用的壳是ASPack 2.12 -> Alexey Solodovnikov，很好脱；找个ASPack的脱壳机脱壳，是Borland Delphi程序

用IDA反汇编，在Strings中找到'请及时注册,谢谢!'的提示串：
CODE:005C3DA0 aIVS db '请及时注册,谢谢!',0 ; DATA XREF: sub_5C3B8C+1A2o

。。。

代码: 
CODE:005C3C6E 020                 lea     eax, [ebp+var_4]
CODE:005C3C71 020                 push    eax
CODE:005C3C72 024                 lea     edx, [ebp+var_11C]
CODE:005C3C78 024                 mov     eax, esi
CODE:005C3C7A 024                 mov     bx, -10h        ; call sub_5C3638，这个地方是取得卷信息★★
CODE:005C3C7E 024                 call    @System@@CallDynaInst$qqrv ; System::__linkproc__ CallDynaInst(void)
CODE:005C3C83 024                 mov     eax, [ebp+var_11C]
CODE:005C3C89 024                 push    eax
CODE:005C3C8A 028                 lea     eax, [ebp+var_120]
CODE:005C3C90 028                 lea     edx, [esi+0A6h]
CODE:005C3C96 028                 call    unknown_libname_10 ; LStrFromPCharLen(System::AnsiString &,char *,int)
CODE:005C3C96                                             ; 分配并从 PChar 复制指定长度的 AnsiString
CODE:005C3C96                                             ; EAX ：目标字符串
CODE:005C3C96                                             ; EDX ：源字符串
CODE:005C3C96                                             ; ECX ：要复制的长度
CODE:005C3C96                                             ;
CODE:005C3C9B 028                 mov     edx, [ebp+var_120]
CODE:005C3CA1 028                 mov     eax, esi
CODE:005C3CA3 028                 pop     ecx
CODE:005C3CA4 024                 mov     bx, -12h        ; call sub_5C3848，这个地方就是注册算法▲▲▲
CODE:005C3CA8 024                 call    @System@@CallDynaInst$qqrv ; System::__linkproc__ CallDynaInst(void)
CODE:005C3CAD 024                 lea     eax, [ebp+var_124]
CODE:005C3CB3 024                 lea     edx, [esi+254h]
CODE:005C3CB9 024                 call    unknown_libname_10 ; LStrFromPCharLen(System::AnsiString &,char *,int)
CODE:005C3CB9                                             ; 分配并从 PChar 复制指定长度的 AnsiString
CODE:005C3CB9                                             ; EAX ：目标字符串
CODE:005C3CB9                                             ; EDX ：源字符串
CODE:005C3CB9                                             ; ECX ：要复制的长度
CODE:005C3CB9                                             ;
CODE:005C3CBE 024                 mov     eax, [ebp+var_124]
CODE:005C3CC4 024                 mov     edx, [ebp+var_4]
CODE:005C3CC7 024                 call    @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:005C3CCC 024                 jz      loc_5C3D5E
CODE:005C3CD2 024                 mov     ebx, 1
CODE:005C3CD7
CODE:005C3CD7     loc_5C3CD7:                             ; CODE XREF: sub_5C3B8C+17Aj
CODE:005C3CD7 024                 lea     eax, [ebp+var_128]
CODE:005C3CDD 024                 lea     edx, [esi+254h]
CODE:005C3CE3 024                 call    unknown_libname_10 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3CE8 024                 mov     eax, [ebp+var_128] ; 用户输入的注册码
CODE:005C3CEE 024                 mov     edx, [ebp+var_4] ; 程序计算的注册码
CODE:005C3CF1 024                 call    @System@@LStrCmp$qqrv ; 注册码比较
CODE:005C3CF6 024                 jz      short loc_5C3D08 ; 注册成功，跳
CODE:005C3CF8 024                 lea     edx, [ebp+var_4]
CODE:005C3CFB 024                 mov     eax, esi
CODE:005C3CFD 024                 call    sub_5C3DE4      ; 注册对话框
CODE:005C3D02 024                 inc     ebx
CODE:005C3D03 024                 cmp     ebx, 4          ; 每次运行，可输入3次
CODE:005C3D06 024                 jnz     short loc_5C3CD7
CODE:005C3D08
CODE:005C3D08     loc_5C3D08:                             ; CODE XREF: sub_5C3B8C+16Aj
CODE:005C3D08 024                 cmp     ebx, 3
CODE:005C3D0B 024                 jl      short loc_5C3D3D
CODE:005C3D0D 024                 lea     eax, [ebp+var_12C]
CODE:005C3D13 024                 lea     edx, [esi+254h]
CODE:005C3D19 024                 call    unknown_libname_10 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3D1E 024                 mov     eax, [ebp+var_12C]
CODE:005C3D24 024                 mov     edx, [ebp+var_4]
CODE:005C3D27 024                 call    @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:005C3D2C 024                 jz      short loc_5C3D3D
CODE:005C3D2E 024                 mov     eax, offset aIVS ; "请及时注册,谢谢!"

; ＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
; CallDynaInst 调用
; call sub_5C3638，这个地方是取得卷信息★★
CODE:005C3638     sub_5C3638      proc near
CODE:005C3638
CODE:005C3638     var_110         = dword ptr -110h
CODE:005C3638     var_10C         = dword ptr -10Ch
CODE:005C3638     FileSystemNameBuffer= byte ptr -108h
CODE:005C3638     FileSystemFlags = dword ptr -8
CODE:005C3638     MaximumComponentLength= dword ptr -4
CODE:005C3638
CODE:005C3638 000                 push    ebp
CODE:005C3639 004                 mov     ebp, esp
CODE:005C363B 004                 add     esp, 0FFFFFEF0h
CODE:005C3641 114                 push    ebx
CODE:005C3642 118                 push    esi
CODE:005C3643 11C                 push    edi
CODE:005C3644 120                 xor     ecx, ecx
CODE:005C3646 120                 mov     [ebp+var_10C], ecx
CODE:005C364C 120                 mov     [ebp+var_110], ecx
CODE:005C3652 120                 mov     edi, edx
CODE:005C3654 120                 xor     eax, eax
CODE:005C3656 120                 push    ebp
CODE:005C3657 124                 push    offset loc_5C3712
CODE:005C365C 128                 push    dword ptr fs:[eax]
CODE:005C365F 12C                 mov     fs:[eax], esp
CODE:005C3662 12C                 mov     eax, 4
CODE:005C3667 12C                 call    @System@@GetMem$qqrv ; System::__linkproc__ GetMem(void)
CODE:005C366C 12C                 mov     ebx, eax
CODE:005C366E 12C                 push    100h            ; nFileSystemNameSize
CODE:005C3673 130                 lea     eax, [ebp+FileSystemNameBuffer]
CODE:005C3679 130                 push    eax             ; lpFileSystemNameBuffer
CODE:005C367A 134                 lea     eax, [ebp+FileSystemFlags]
CODE:005C367D 134                 push    eax             ; lpFileSystemFlags
CODE:005C367E 138                 lea     eax, [ebp+MaximumComponentLength]
CODE:005C3681 138                 push    eax             ; lpMaximumComponentLength
CODE:005C3682 13C                 push    ebx             ; lpVolumeSerialNumber
CODE:005C3683 140                 push    0               ; nVolumeNameSize
CODE:005C3685 144                 push    0               ; lpVolumeNameBuffer
CODE:005C3687 148                 push    offset off_5C3720 ; lpRootPathName
CODE:005C368C 14C                 call    GetVolumeInformationA

; call sub_5C3848，这个地方就是注册算法▲▲▲
CODE:005C3848     sub_5C3848      proc near
CODE:005C3848
CODE:005C3848     var_38          = dword ptr -38h
CODE:005C3848     var_34          = dword ptr -34h
CODE:005C3848     FrmVolInfoStr[j]= byte ptr -2Eh
CODE:005C3848     FrmVolInfoStr[i]= byte ptr -2Dh
CODE:005C3848     var_2C          = dword ptr -2Ch
CODE:005C3848     var_28          = dword ptr -28h
CODE:005C3848     var_24          = dword ptr -24h
CODE:005C3848     var_20          = dword ptr -20h
CODE:005C3848     var_1C          = dword ptr -1Ch
CODE:005C3848     FrmVolInfoStr[j]_tmp= dword ptr -18h
CODE:005C3848     FrmVolInfoStr[i]_Tmp= dword ptr -14h
CODE:005C3848     BuildinStr_01   = dword ptr -10h
CODE:005C3848     FrmVolInfoStr   = dword ptr -0Ch
CODE:005C3848     UserOrganizationName= dword ptr -8
CODE:005C3848     var_4           = dword ptr -4
CODE:005C3848     arg_0           = dword ptr  8
CODE:005C3848
CODE:005C3848 000                 push    ebp
CODE:005C3849 004                 mov     ebp, esp
CODE:005C384B 004                 push    ecx
CODE:005C384C 008                 mov     ecx, 6
CODE:005C3851
CODE:005C3851     loc_5C3851:                             ; CODE XREF: sub_5C3848+Ej
CODE:005C3851 008                 push    0
CODE:005C3853 00C                 push    0               ;  i，从0到末位
CODE:005C3853                                             ;  j，从末位到0
CODE:005C3853                                             ;
CODE:005C3855 010                 dec     ecx
CODE:005C3856 010                 jnz     short loc_5C3851
CODE:005C3858 010                 push    ecx
CODE:005C3859 014                 xchg    ecx, [ebp+var_4] ; 格式化卷信息串
CODE:005C385C 014                 push    ebx
CODE:005C385D 018                 push    esi
CODE:005C385E 01C                 push    edi
CODE:005C385F 020                 mov     [ebp+FrmVolInfoStr], ecx
CODE:005C3862 020                 mov     [ebp+UserOrganizationName], edx ; 用户填入的单位名称
CODE:005C3862                                             ; 注意：这个名称是经过了变换的
CODE:005C3862                                             ; 方法是：取第一个，取最末位，取第二个，取倒数第二个，。。。
CODE:005C3865 020                 mov     [ebp+var_4], eax
CODE:005C3868 020                 mov     eax, [ebp+UserOrganizationName]
CODE:005C386B 020                 call    @@LStrAddRef    ; __linkproc__ LStrAddRef
CODE:005C3870 020                 mov     eax, [ebp+FrmVolInfoStr]
CODE:005C3873 020                 call    @@LStrAddRef    ; __linkproc__ LStrAddRef
CODE:005C3878 020                 xor     eax, eax
CODE:005C387A 020                 push    ebp
CODE:005C387B 024                 push    offset loc_5C3A4A
CODE:005C3880 028                 push    dword ptr fs:[eax]
CODE:005C3883 02C                 mov     fs:[eax], esp
CODE:005C3886 02C                 lea     edx, [ebp+var_34]
CODE:005C3889 02C                 mov     eax, [ebp+var_4]
CODE:005C388C 02C                 mov     eax, [eax+28h]  ; "FD52F4F6-E33E-4866-A232-E5A1C8CE0E62_STAND_HRMIS_ShangXin_HeLuo"
CODE:005C388F 02C                 call    @Sysutils@Trim$qqrx17System@AnsiString ; Sysutils::Trim(System::AnsiString)
CODE:005C3894 02C                 cmp     [ebp+var_34], 0
CODE:005C3898 02C                 jz      short loc_5C38AA ; 上面的串为空，则取下面的串
CODE:005C389A 02C                 lea     eax, [ebp+BuildinStr_01]
CODE:005C389D 02C                 mov     edx, [ebp+var_4]
CODE:005C38A0 02C                 mov     edx, [edx+28h]
CODE:005C38A3 02C                 call    @@LStrLAsg      ; __linkproc__ LStrLAsg
CODE:005C38A8 02C                 jmp     short loc_5C38B7 ; 卷信息串
CODE:005C38AA     ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C38AA
CODE:005C38AA     loc_5C38AA:                             ; CODE XREF: sub_5C3848+50j
CODE:005C38AA 02C                 lea     eax, [ebp+BuildinStr_01]
CODE:005C38AD 02C                 mov     edx, offset aZxasdqexcsrfcw ; "#zXaSDqExCsRFcW$VdevJMfrbgNtnhymju,kilo"...
CODE:005C38B2 02C                 call    @@LStrLAsg      ; __linkproc__ LStrLAsg
CODE:005C38B7
CODE:005C38B7     loc_5C38B7:                             ; CODE XREF: sub_5C3848+60j
CODE:005C38B7 02C                 mov     eax, [ebp+FrmVolInfoStr] ; 卷信息串
CODE:005C38BA 02C                 call    sub_404464
CODE:005C38BF 02C                 mov     esi, eax        ; 卷信息串长度
CODE:005C38C1 02C                 jmp     short loc_5C38CE
CODE:005C38C3     ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C38C3
CODE:005C38C3     loc_5C38C3:                             ; CODE XREF: sub_5C3848+90j
CODE:005C38C3 02C                 lea     eax, [ebp+BuildinStr_01]
CODE:005C38C6 02C                 mov     edx, [ebp+BuildinStr_01]
CODE:005C38C9 02C                 call    @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:005C38CE
CODE:005C38CE     loc_5C38CE:                             ; CODE XREF: sub_5C3848+79j
CODE:005C38CE 02C                 mov     eax, [ebp+BuildinStr_01]
CODE:005C38D1 02C                 call    sub_404464
CODE:005C38D6 02C                 cmp     esi, eax
CODE:005C38D8 02C                 jg      short loc_5C38C3 ;
CODE:005C38D8                                             ;
CODE:005C38D8                                             ;
CODE:005C38D8                                             ;
CODE:005C38DA 02C                 lea     ecx, [ebp+var_38]
CODE:005C38DD 02C                 mov     edx, [ebp+UserOrganizationName]
CODE:005C38E0 02C                 mov     eax, [ebp+var_4]
CODE:005C38E3 02C                 call    sub_5C3770      ; 对单位名称进行运算，如下
CODE:005C38E3                                             ; 注意：UserUnitName变成了
CODE:005C38E3                                             ;       UserUnitName_BuildinStr_01
CODE:005C38E8 02C                 mov     edx, [ebp+var_38]
CODE:005C38EB 02C                 lea     eax, [ebp+UserOrganizationName]
CODE:005C38EE 02C                 call    @@LStrLAsg      ; __linkproc__ LStrLAsg
CODE:005C38F3 02C                 lea     eax, [ebp+UserOrganizationName]
CODE:005C38F6 02C                 mov     edx, [ebp+BuildinStr_01]
CODE:005C38F9 02C                 call    @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:005C38FE 02C                 mov     eax, [ebp+arg_0]
CODE:005C3901 02C                 call    @@LStrClr       ; __linkproc__ LStrClr
CODE:005C3906 02C                 mov     edi, esi
CODE:005C3908 02C                 test    edi, edi
CODE:005C390A 02C                 jle     loc_5C3A22
CODE:005C3910 02C                 mov     ebx, 1          ; counter
CODE:005C3915
CODE:005C3915     loc_5C3915:                             ; CODE XREF: sub_5C3848+1D4j
CODE:005C3915 02C                 mov     eax, [ebp+FrmVolInfoStr]
CODE:005C3918 02C                 mov     al, [eax+ebx-1] ; 从前往后取字符
CODE:005C391C 02C                 mov     [ebp+FrmVolInfoStr[i]], al
CODE:005C391F 02C                 mov     eax, esi        ; length of FrmVolInfoStr
CODE:005C3921 02C                 sub     eax, ebx
CODE:005C3923 02C                 mov     edx, [ebp+FrmVolInfoStr]
CODE:005C3926 02C                 mov     al, [edx+eax]   ; 从后往前取字符
CODE:005C3929 02C                 mov     [ebp+FrmVolInfoStr[j]], al
CODE:005C392C 02C                 lea     edx, [ebp+FrmVolInfoStr[i]_Tmp] ; FrmVolInfoStr[i]
CODE:005C392F 02C                 xor     eax, eax
CODE:005C3931 02C                 mov     al, [ebp+FrmVolInfoStr[i]]
CODE:005C3934 02C                 call    @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C3939 02C                 mov     eax, [ebp+var_4]
CODE:005C393C 02C                 cmp     byte ptr [eax+40h], 0
CODE:005C3940 02C                 jz      short loc_5C395E
CODE:005C3942 02C                 mov     eax, [ebp+BuildinStr_01]
CODE:005C3945 02C                 movzx   eax, byte ptr [eax+ebx-1]
CODE:005C394A 02C                 mov     edx, [ebp+UserOrganizationName]
CODE:005C394D 02C                 movzx   edx, byte ptr [edx+ebx-1]
CODE:005C3952 02C                 add     eax, edx        ; BuildinStr_01[i]+UserUnitName[i]
CODE:005C3954 02C                 lea     edx, [ebp+var_28]
CODE:005C3957 02C                 call    @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C395C 02C                 jmp     short loc_5C396E ; FrmVolInfoStr[j]
CODE:005C395E     ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C395E
CODE:005C395E     loc_5C395E:                             ; CODE XREF: sub_5C3848+F8j
CODE:005C395E 02C                 lea     edx, [ebp+var_28]
CODE:005C3961 02C                 mov     eax, [ebp+BuildinStr_01]
CODE:005C3964 02C                 movzx   eax, byte ptr [eax+ebx-1]
CODE:005C3969 02C                 call    @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C396E
CODE:005C396E     loc_5C396E:                             ; CODE XREF: sub_5C3848+114j
CODE:005C396E 02C                 lea     edx, [ebp+FrmVolInfoStr[j]_tmp] ; FrmVolInfoStr[j]
CODE:005C3971 02C                 xor     eax, eax
CODE:005C3973 02C                 mov     al, [ebp+FrmVolInfoStr[j]]
CODE:005C3976 02C                 call    @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C397B 02C                 mov     eax, [ebp+FrmVolInfoStr[i]_Tmp]
CODE:005C397E 02C                 call    sub_404464
CODE:005C3983 02C                 mov     edx, [ebp+FrmVolInfoStr[i]_Tmp]
CODE:005C3986 02C                 mov     dl, [edx+eax-1]
CODE:005C398A 02C                 lea     eax, [ebp+var_1C]
CODE:005C398D 02C                 call    unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3992 02C                 mov     eax, [ebp+FrmVolInfoStr[j]_tmp] ; 卷信息，从后往前取的字符
CODE:005C3995 02C                 call    sub_404464
CODE:005C399A 02C                 mov     edx, [ebp+FrmVolInfoStr[j]_tmp]
CODE:005C399D 02C                 mov     dl, [edx+eax-1]
CODE:005C39A1 02C                 lea     eax, [ebp+var_20] ; FrmVolInfoStr[j]_tmp，串末位
CODE:005C39A4 02C                 call    unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C39A9 02C                 mov     eax, [ebp+var_28] ; UserUnitName[i]+BuildinStr_01[i]
CODE:005C39AC 02C                 call    sub_404464
CODE:005C39B1 02C                 mov     edx, [ebp+var_28]
CODE:005C39B4 02C                 mov     dl, [edx+eax-1]
CODE:005C39B8 02C                 lea     eax, [ebp+var_2C] ; UserUnitName[i]+BuildinStr_01[i]，串末位
CODE:005C39BB 02C                 call    unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C39C0 02C                 mov     eax, [ebp+var_1C] ; FrmVolInfoStr[i]_tmp，串末位
CODE:005C39C3 02C                 call    @StrToInt
CODE:005C39C8 02C                 push    eax
CODE:005C39C9 030                 mov     eax, [ebp+var_20]
CODE:005C39CC 030                 call    @StrToInt
CODE:005C39D1 030                 pop     edx
CODE:005C39D2 02C                 add     edx, eax
CODE:005C39D4 02C                 push    edx
CODE:005C39D5 030                 mov     eax, [ebp+var_2C]
CODE:005C39D8 030                 call    @StrToInt
CODE:005C39DD 030                 mov     edx, eax
CODE:005C39DF 030                 pop     eax
CODE:005C39E0 02C                 add     eax, edx
CODE:005C39E2 02C                 lea     edx, [ebp+var_24] ; FrmVolINfoStr[i]_tmp+FrmVolInfoStr[j]_tmp+(UserUnitName[i]+BuildinStr_01[i])
CODE:005C39E5 02C                 call    @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C39EA 02C                 mov     eax, [ebp+var_24]
CODE:005C39ED 02C                 call    sub_404464
CODE:005C39F2 02C                 dec     eax
CODE:005C39F3 02C                 jle     short loc_5C3A0C ; 只有一位，jump；否则取末位
CODE:005C39F5 02C                 mov     eax, [ebp+var_24]
CODE:005C39F8 02C                 call    sub_404464
CODE:005C39FD 02C                 mov     edx, [ebp+var_24]
CODE:005C3A00 02C                 mov     dl, [edx+eax-1]
CODE:005C3A04 02C                 lea     eax, [ebp+var_24]
CODE:005C3A07 02C                 call    unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3A0C
CODE:005C3A0C     loc_5C3A0C:                             ; CODE XREF: sub_5C3848+1ABj
CODE:005C3A0C 02C                 mov     eax, [ebp+arg_0]
CODE:005C3A0F 02C                 mov     edx, [ebp+var_24]
CODE:005C3A12 02C                 call    @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:005C3A17 02C                 mov     eax, [ebp+arg_0]
CODE:005C3A1A 02C                 inc     ebx
CODE:005C3A1B 02C                 dec     edi
CODE:005C3A1C 02C                 jnz     loc_5C3915
CODE:005C3A22
CODE:005C3A22     loc_5C3A22:                             ; CODE XREF: sub_5C3848+C2j
CODE:005C3A22 02C                 xor     eax, eax
CODE:005C3A24 02C                 pop     edx
CODE:005C3A25 028                 pop     ecx
CODE:005C3A26 024                 pop     ecx
CODE:005C3A27 020                 mov     fs:[eax], edx
CODE:005C3A2A 020                 push    offset loc_5C3A51
CODE:005C3A2F
CODE:005C3A2F     loc_5C3A2F:                             ; CODE XREF: sub_5C3848+207j
CODE:005C3A2F 024                 lea     eax, [ebp+var_38]
CODE:005C3A32 024                 mov     edx, 2
CODE:005C3A37
CODE:005C3A37     loc_5C3A37:                             ; DATA XREF: CODE:off_5E7484o
CODE:005C3A37 024                 call    @@LStrArrayClr  ; __linkproc__ LStrArrayClr
CODE:005C3A3C 024                 lea     eax, [ebp+var_2C]
CODE:005C3A3F
CODE:005C3A3F     loc_5C3A3F:                             ; DATA XREF: CODE:off_9C6C60o
CODE:005C3A3F                                             ; CODE:off_5C3720o ...
CODE:005C3A3F 024                 mov     edx, 0Ah
CODE:005C3A44 024                 call    @@LStrArrayClr  ; __linkproc__ LStrArrayClr
CODE:005C3A49 024                 retn
CODE:005C3A4A     ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C3A4A
CODE:005C3A4A     loc_5C3A4A:                             ; DATA XREF: sub_5C3848+33o
CODE:005C3A4A 020                 jmp     @System@@HandleFinally$qqrv ; System::__linkproc__ HandleFinally(void)
CODE:005C3A4F     ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C3A4F 020                 jmp     short loc_5C3A2F
CODE:005C3A51     ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C3A51
CODE:005C3A51     loc_5C3A51:                             ; DATA XREF: sub_5C3848+1E2o
CODE:005C3A51 020                 pop     edi
CODE:005C3A52 01C                 pop     esi
CODE:005C3A53 018                 pop     ebx
CODE:005C3A54 014                 mov     esp, ebp
CODE:005C3A56 004                 pop     ebp
CODE:005C3A57 000                 retn    4
CODE:005C3A57     sub_5C3848      endp
CODE:005C3A57

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
算法还简单，下面是Delphi写的注册机，照抄上面的分析：
{-----------------------------------------------------}
// proc: GenerateRegCode
// author: lq7972
//
{-----------------------------------------------------}

代码: 
function GenerateRegCode: string;
const
  BUILDIN_STR_01 : string =
    'FD52F4F6-E33E-4866-A232-E5A1C8CE0E62_STAND_HRMIS_ShangXin_HeLuo';
  BUILDIN_STR_02 : string =
    '#zXaSDqExCsRFcW$VdevJMfrbgNtnhymju,kilo/;p!QAZ@%T.GB^YwH\&[U*-]=IK<(OL> )P:?_{+}|~';
var            
  pcFileSystemNameBuf: PChar;
  nMaxComponentLen, nFileSystemFlags: Cardinal;
  pdVolumeSerialNumber: PDWORD;
  sVolInfo: string;            
  c: Char;
  i, j, k, l, m, n, x, y: Integer;
  s: string;
  a, b, z: Integer;
  sName, s1, s2, str: string;
  sRegCode: string;
begin
  New(pdVolumeSerialNumber);
  GetMem(pcFileSystemNameBuf, 100);

  try
    if GetVolumeInformation('C:', nil, 0,
         pdVolumeSerialNumber, nMaxComponentLen,
         nFileSystemFlags, pcFileSystemNameBuf, 100)
    then begin
      sRegCode := '';
      
      sName := '';
      s := '';
      sName := edtName.Text;
      l := Length(sName);
      if (l mod 2)=0 then k := trunc(l/2)
      else k := trunc(l/2+1);
      for i := 1 to k do
      begin
        s1 := sName[i];
        j := l-i+1;
        if i=j Then
        begin  
          s := s + s1;
          Break;
        end;
        s2 := sName[j];
        s := s + (s1+s2);
      end;
      str := s + BUILDIN_STR_01;
      
      sVolInfo := IntToStr(pdVolumeSerialNumber^) + pcFileSystemNameBuf;
      l := Length(sVolInfo);
      for i := 1 to l do
      begin
        j := l-i+1;

        c := sVolInfo[i];
        m := Ord(c);
        s := IntToStr(m);
        k := Length(s);
        x := StrToInt(s[k]);

        c := sVolInfo[j];
        m := Ord(c);
        s := IntToStr(m);
        k := Length(s);
        y := StrToInt(s[k]);

        s := IntToStr(x+y);
        k := Length(s);
        a := StrToInt(s[k]);

        //
        c := BUILDIN_STR_01[i];
        m := Ord(c);
        c := str[i];
        n := Ord(c);
        m := m + n;
        s := IntToStr(m);
        k := Length(s);
        b := StrToInt(s[k]);

        z := a + b;
        s := IntToStr(z);
        k := Length(s);

        sRegCode := sRegCode + s[k];
      end;

      Result := sRegCode;
    end;
  finally
    Dispose(pdVolumeSerialNumber);
    FreeMem(pcFileSystemNameBuf, 100);
  end;
end;

＝＝＝＝＝＝＝＝＝＝
thx
end