【文章标题】: 《恒特画王》的注册算法分析(浮点运算)
【文章作者】: 水中花
【软件名称】: 恒特画王
【下载地址】: 自己搜索下载
【保护方式】: sn
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
下断在此处:
0041526B /$ 55 push ebp
0041526C |. 8BEC mov ebp, esp
0041526E |. 6A FF push -1
00415270 |. 68 728D4A00 push dnhx.004A8D72 ; SE 处理程序安装
00415275 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041527B |. 50 push eax
0041527C |. 64:8925 00000>mov dword ptr fs:[0], esp
00415283 |. 81EC EC010000 sub esp, 1EC
00415289 |. 898D 1CFEFFFF mov dword ptr [ebp-1E4], ecx
0041528F |. 6A 00 push 0 ; /Arg1 = 00000000
00415291 |. 8D4D 90 lea ecx, dword ptr [ebp-70] ; |
00415294 |. E8 07360400 call dnhx.004588A0 ; \dnhx.004588A0
00415299 |. C745 FC 00000>mov dword ptr [ebp-4], 0
004152A0 |. 8D4D 90 lea ecx, dword ptr [ebp-70]
004152A3 |. E8 1BED0600 call dnhx.00483FC3
004152A8 |. 8D45 EC lea eax, dword ptr [ebp-14] ; 密码
004152AB |. 50 push eax
004152AC |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004152AF |. E8 FA2D0700 call dnhx.004880AE ; 是否有输入密码
004152B4 |. C645 FC 01 mov byte ptr [ebp-4], 1
004152B8 |. 8D8D 2CFEFFFF lea ecx, dword ptr [ebp-1D4]
004152BE |. 51 push ecx ; /Arg1
004152BF |. 8B8D 1CFEFFFF mov ecx, dword ptr [ebp-1E4] ; |
004152C5 |. E8 C8DEFFFF call dnhx.00413192 ; \关键处,跟进
004152CA |. 8985 18FEFFFF mov dword ptr [ebp-1E8], eax 真码地址
004152D0 |. 8B95 18FEFFFF mov edx, dword ptr [ebp-1E8]
004152D6 |. 8995 14FEFFFF mov dword ptr [ebp-1EC], edx
004152DC |. C645 FC 02 mov byte ptr [ebp-4], 2
004152E0 |. 8B85 14FEFFFF mov eax, dword ptr [ebp-1EC]
004152E6 |. 50 push eax ; /Arg2
004152E7 |. 8D4D F0 lea ecx, dword ptr [ebp-10] ; |
004152EA |. 51 push ecx ; |Arg1
004152EB |. E8 60090000 call dnhx.00415C50 真假码比较
004152F0 |. 25 FF000000 and eax, 0FF
004152F5 |. 85C0 test eax, eax
004152F7 |. 74 52 je short dnhx.0041534B
004152F9 |. 68 C0A64C00 push dnhx.004CA6C0 ; /无光盘
004152FE |. 8D55 F0 lea edx, dword ptr [ebp-10] ; |
00415301 |. 52 push edx ; |Arg1
00415302 |. E8 2987FFFF call dnhx.0040DA30 ; \dnhx.0040DA30
00415307 |. 8885 28FEFFFF mov byte ptr [ebp-1D8], al
0041530D |. 8B85 28FEFFFF mov eax, dword ptr [ebp-1D8]
00415313 |. 25 FF000000 and eax, 0FF
00415318 |. 85C0 test eax, eax
0041531A |. 74 2F je short dnhx.0041534B
0041531C |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0041531F |. E8 ACDAFEFF call dnhx.00402DD0
00415324 |. F7D8 neg eax
00415326 |. 1BC0 sbb eax, eax
00415328 |. 40 inc eax
00415329 |. 8885 24FEFFFF mov byte ptr [ebp-1DC], al
0041532F |. 8B8D 24FEFFFF mov ecx, dword ptr [ebp-1DC]
00415335 |. 81E1 FF000000 and ecx, 0FF
0041533B |. 85C9 test ecx, ecx
0041533D |. 74 0C je short dnhx.0041534B
0041533F |. C785 10FEFFFF>mov dword ptr [ebp-1F0], 1
00415349 |. EB 0A jmp short dnhx.00415355
0041534B |> C785 10FEFFFF>mov dword ptr [ebp-1F0], 0
00415355 |> 8A95 10FEFFFF mov dl, byte ptr [ebp-1F0]
0041535B |. 8895 30FEFFFF mov byte ptr [ebp-1D0], dl
00415361 |. C645 FC 01 mov byte ptr [ebp-4], 1
00415365 |. 8D8D 2CFEFFFF lea ecx, dword ptr [ebp-1D4]
0041536B |. E8 C92F0700 call dnhx.00488339 比较处
00415370 |. 8B85 30FEFFFF mov eax, dword ptr [ebp-1D0]
00415376 |. 25 FF000000 and eax, 0FF
0041537B |. 85C0 test eax, eax
0041537D |. 0F84 2B010000 je dnhx.004154AE 为0跳向错误处
00415383 |. 6A 00 push 0
00415385 |. 68 C8A64C00 push dnhx.004CA6C8 ; 密码正确
0041538A |. 68 D4A64C00 push dnhx.004CA6D4 ; 谢谢支持使用恒特软件产品!
0041538F |. 8B8D 1CFEFFFF mov ecx, dword ptr [ebp-1E4]
00415395 |. E8 690C0700 call dnhx.00486003
0041539A |. 68 04010000 push 104 ; /BufSize = 104 (260.)
0041539F |. 8D8D 78FEFFFF lea ecx, dword ptr [ebp-188] ; |
004153A5 |. 51 push ecx ; |Buffer
004153A6 |. FF15 B4F24A00 call dword ptr [<&KERNEL32.GetS>; \GetSystemDirectoryA
004153AC |. 8D95 78FEFFFF lea edx, dword ptr [ebp-188]
004153B2 |. 52 push edx
004153B3 |. 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
004153B9 |. E8 E92F0700 call dnhx.004883A7
004153BE |. C645 FC 03 mov byte ptr [ebp-4], 3
004153C2 |. 68 F0A64C00 push dnhx.004CA6F0 ; \configa.hps
004153C7 |. 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
004153CD |. E8 43330700 call dnhx.00488715
004153D2 |. 8D85 20FEFFFF lea eax, dword ptr [ebp-1E0]
004153D8 |. 50 push eax ; /Arg1
004153D9 |. 8B8D 1CFEFFFF mov ecx, dword ptr [ebp-1E4] ; |
004153DF |. E8 AEDDFFFF call dnhx.00413192 ; \dnhx.00413192
004153E4 |. 8985 0CFEFFFF mov dword ptr [ebp-1F4], eax
004153EA |. 8B8D 0CFEFFFF mov ecx, dword ptr [ebp-1F4]
004153F0 |. 898D 08FEFFFF mov dword ptr [ebp-1F8], ecx
004153F6 |. C645 FC 04 mov byte ptr [ebp-4], 4
004153FA |. 8B95 08FEFFFF mov edx, dword ptr [ebp-1F8]
00415400 |. 52 push edx
00415401 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00415404 |. E8 69300700 call dnhx.00488472
00415409 |. C645 FC 03 mov byte ptr [ebp-4], 3
0041540D |. 8D8D 20FEFFFF lea ecx, dword ptr [ebp-1E0]
00415413 |. E8 212F0700 call dnhx.00488339
00415418 |. 8D4D 80 lea ecx, dword ptr [ebp-80]
0041541B |. E8 AF350700 call dnhx.004889CF
00415420 |. C645 FC 05 mov byte ptr [ebp-4], 5
00415424 |. 6A 00 push 0
00415426 |. 68 01100000 push 1001
0041542B |. 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
00415431 |. E8 DAD9FEFF call dnhx.00402E10
00415436 |. 50 push eax ; |Arg1
00415437 |. 8D4D 80 lea ecx, dword ptr [ebp-80] ; |
0041543A |. E8 42370700 call dnhx.00488B81 ; \dnhx.00488B81
0041543F |. 85C0 test eax, eax
00415441 |. 74 4E je short dnhx.00415491
00415443 |. 6A 00 push 0
00415445 |. 68 00100000 push 1000
0041544A |. 6A 00 push 0
0041544C |. 8D45 80 lea eax, dword ptr [ebp-80]
0041544F |. 50 push eax
00415450 |. 8D8D 34FEFFFF lea ecx, dword ptr [ebp-1CC]
00415456 |. E8 8C760700 call dnhx.0048CAE7
0041545B |. C645 FC 06 mov byte ptr [ebp-4], 6
0041545F |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00415462 |. 51 push ecx ; /Arg2
00415463 |. 8D95 34FEFFFF lea edx, dword ptr [ebp-1CC] ; |
00415469 |. 52 push edx ; |Arg1
0041546A |. E8 4D740700 call dnhx.0048C8BC ; \dnhx.0048C8BC
0041546F |. 8D8D 34FEFFFF lea ecx, dword ptr [ebp-1CC]
00415475 |. E8 D1770700 call dnhx.0048CC4B
0041547A |. 8D4D 80 lea ecx, dword ptr [ebp-80]
0041547D |. E8 1A390700 call dnhx.00488D9C
00415482 |. C645 FC 05 mov byte ptr [ebp-4], 5
00415486 |. 8D8D 34FEFFFF lea ecx, dword ptr [ebp-1CC]
0041548C |. E8 32770700 call dnhx.0048CBC3
00415491 |> C645 FC 03 mov byte ptr [ebp-4], 3
00415495 |. 8D4D 80 lea ecx, dword ptr [ebp-80]
00415498 |. E8 27360700 call dnhx.00488AC4
0041549D |. C645 FC 01 mov byte ptr [ebp-4], 1
004154A1 |. 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
004154A7 |. E8 8D2E0700 call dnhx.00488339
004154AC |. EB 17 jmp short dnhx.004154C5
004154AE |> 6A 00 push 0
004154B0 |. 68 00A74C00 push dnhx.004CA700 ; 密码错误!
004154B5 |. 68 0CA74C00 push dnhx.004CA70C
004154BA |. 8B8D 1CFEFFFF mov ecx, dword ptr [ebp-1E4]
004154C0 |. E8 3E0B0700 call dnhx.00486003
004154C5 |> C645 FC 00 mov byte ptr [ebp-4], 0
004154C9 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004154CC |. E8 682E0700 call dnhx.00488339
004154D1 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004154D8 |. 8D4D 90 lea ecx, dword ptr [ebp-70]
004154DB |. E8 B0070000 call dnhx.00415C90
004154E0 |. 8B4D F4 mov ecx, dword ptr [ebp-C]
004154E3 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004154EA |. 8BE5 mov esp, ebp
004154EC |. 5D pop ebp
004154ED \. C3 retn
关键处:
00413192 /$ 55 push ebp
00413193 |. 8BEC mov ebp, esp
00413195 |. 6A FF push -1
00413197 |. 68 BB894A00 push dnhx.004A89BB ; SE 处理程序安装
0041319C |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004131A2 |. 50 push eax
004131A3 |. 64:8925 00000>mov dword ptr fs:[0], esp
004131AA |. 83EC 20 sub esp, 20
004131AD |. 894D E4 mov dword ptr [ebp-1C], ecx
004131B0 |. C745 E8 00000>mov dword ptr [ebp-18], 0
004131B7 |. 51 push ecx
004131B8 |. 8BCC mov ecx, esp
004131BA |. 8965 F0 mov dword ptr [ebp-10], esp
004131BD |. 68 70A24C00 push dnhx.004CA270 ; 固定值:23345107
004131C2 |. E8 E0510700 call dnhx.004883A7
004131C7 |. 8945 E0 mov dword ptr [ebp-20], eax ; |固定值
004131CA |. 8B45 E0 mov eax, dword ptr [ebp-20] ; |
004131CD |. 8945 DC mov dword ptr [ebp-24], eax ; |
004131D0 |. C745 FC 00000>mov dword ptr [ebp-4], 0 ; |
004131D7 |. 51 push ecx ; |Arg2
004131D8 |. 8BCC mov ecx, esp ; |
004131DA |. 8965 EC mov dword ptr [ebp-14], esp ; |
004131DD |. 51 push ecx ; |/Arg1
004131DE |. 8B4D E4 mov ecx, dword ptr [ebp-1C] ; ||
004131E1 |. E8 1F030000 call dnhx.00413505 ; |\由硬盘的序列号进行计算获取机器码
004131E6 |. 8945 D8 mov dword ptr [ebp-28], eax ; |机器码
004131E9 |. 8B55 08 mov edx, dword ptr [ebp+8] ; |
004131EC |. 52 push edx ; |Arg1
004131ED |. 8B4D E4 mov ecx, dword ptr [ebp-1C] ; |
004131F0 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1 ; |
004131F7 |. E8 A2040000 call dnhx.0041369E ; \算法处,跟进
004131FC |. 8945 D4 mov dword ptr [ebp-2C], eax
004131FF |. 8B45 E8 mov eax, dword ptr [ebp-18]
00413202 |. 0C 01 or al, 1
00413204 |. 8945 E8 mov dword ptr [ebp-18], eax
00413207 |. 8B45 08 mov eax, dword ptr [ebp+8]
0041320A |. 8B4D F4 mov ecx, dword ptr [ebp-C]
0041320D |. 64:890D 00000>mov dword ptr fs:[0], ecx
00413214 |. 8BE5 mov esp, ebp
00413216 |. 5D pop ebp
00413217 \. C2 0400 retn 4
算法处,跟进:
0041369E /$ 55 push ebp
0041369F |. 8BEC mov ebp, esp
004136A1 |. 6A FF push -1
004136A3 |. 68 E18A4A00 push dnhx.004A8AE1 ; SE 处理程序安装
004136A8 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004136AE |. 50 push eax
004136AF |. 64:8925 00000>mov dword ptr fs:[0], esp
004136B6 |. 83EC 50 sub esp, 50
004136B9 |. 894D B8 mov dword ptr [ebp-48], ecx
004136BC |. C745 BC 00000>mov dword ptr [ebp-44], 0
004136C3 |. C745 FC 02000>mov dword ptr [ebp-4], 2
004136CA |. 68 B4A24C00 push dnhx.004CA2B4 ; /固定值:23345107
004136CF |. 8D45 10 lea eax, dword ptr [ebp+10] ; |
004136D2 |. 50 push eax ; |Arg1
004136D3 |. E8 58A3FFFF call dnhx.0040DA30 ; \dnhx.0040DA30
004136D8 |. 25 FF000000 and eax, 0FF
004136DD |. 85C0 test eax, eax
004136DF |. 74 36 je short dnhx.00413717
004136E1 |. 68 A0014D00 push dnhx.004D01A0
004136E6 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004136E9 |. E8 B94C0700 call dnhx.004883A7
004136EE |. 8B4D BC mov ecx, dword ptr [ebp-44]
004136F1 |. 83C9 01 or ecx, 1
004136F4 |. 894D BC mov dword ptr [ebp-44], ecx
004136F7 |. C645 FC 01 mov byte ptr [ebp-4], 1
004136FB |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004136FE |. E8 364C0700 call dnhx.00488339
00413703 |. C645 FC 00 mov byte ptr [ebp-4], 0
00413707 |. 8D4D 10 lea ecx, dword ptr [ebp+10]
0041370A |. E8 2A4C0700 call dnhx.00488339
0041370F |. 8B45 08 mov eax, dword ptr [ebp+8]
00413712 |. E9 96010000 jmp dnhx.004138AD
00413717 |> 8D4D E4 lea ecx, dword ptr [ebp-1C] ; 69
0041371A |. E8 91F6FEFF call dnhx.00402DB0
0041371F |. C645 FC 03 mov byte ptr [ebp-4], 3
00413723 |. 8D4D DC lea ecx, dword ptr [ebp-24]
00413726 |. E8 85F6FEFF call dnhx.00402DB0
0041372B |. C645 FC 04 mov byte ptr [ebp-4], 4
0041372F |. 8D4D D0 lea ecx, dword ptr [ebp-30]
00413732 |. E8 79F6FEFF call dnhx.00402DB0
00413737 |. C645 FC 05 mov byte ptr [ebp-4], 5
0041373B |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041373E |. E8 9DA2FFFF call dnhx.0040D9E0
00413743 |. 83F8 08 cmp eax, 8
00413746 |. 7E 33 jle short dnhx.0041377B
00413748 |. 6A 08 push 8
0041374A |. 8D55 C4 lea edx, dword ptr [ebp-3C]
0041374D |. 52 push edx
0041374E |. 8D4D 0C lea ecx, dword ptr [ebp+C]
00413751 |. E8 79D30600 call dnhx.00480ACF ; 获取序列号的后8位
00413756 |. 8945 B4 mov dword ptr [ebp-4C], eax ; 序列号的后8位保存在[ebp-4c]中
00413759 |. 8B45 B4 mov eax, dword ptr [ebp-4C]
0041375C |. 8945 B0 mov dword ptr [ebp-50], eax
0041375F |. C645 FC 06 mov byte ptr [ebp-4], 6
00413763 |. 8B4D B0 mov ecx, dword ptr [ebp-50]
00413766 |. 51 push ecx
00413767 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041376A |. E8 034D0700 call dnhx.00488472
0041376F |. C645 FC 05 mov byte ptr [ebp-4], 5
00413773 |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
00413776 |. E8 BE4B0700 call dnhx.00488339
0041377B |> 8D4D 0C lea ecx, dword ptr [ebp+C]
0041377E |. E8 8DF6FEFF call dnhx.00402E10
00413783 |. 50 push eax
00413784 |. E8 CD070600 call dnhx.00473F56
00413789 |. 83C4 04 add esp, 4
0041378C |. 8945 D8 mov dword ptr [ebp-28], eax
0041378F |. 8B55 D8 mov edx, dword ptr [ebp-28]
00413792 |. 81C2 2990CC01 add edx, 1CC9029 ; 序列号后8位 add 1CC9029,所得值设为A
00413798 |. 8955 D8 mov dword ptr [ebp-28], edx ; 保存在[ebp-28]
0041379B |. 6A 0A push 0A ; /Arg3 = 0000000A
0041379D |. 8D45 E8 lea eax, dword ptr [ebp-18] ; |
004137A0 |. 50 push eax ; |Arg2
004137A1 |. 8B4D D8 mov ecx, dword ptr [ebp-28] ; |
004137A4 |. 51 push ecx ; |Arg1
004137A5 |. E8 9B050600 call dnhx.00473D45 ; \将A转化为十进制,设为B
004137AA |. 83C4 0C add esp, 0C
004137AD |. 50 push eax
004137AE |. 8D4D DC lea ecx, dword ptr [ebp-24]
004137B1 |. E8 0C4D0700 call dnhx.004884C2
004137B6 |. C745 D4 00000>mov dword ptr [ebp-2C], 0
004137BD |. EB 09 jmp short dnhx.004137C8
004137BF |> 8B55 D4 /mov edx, dword ptr [ebp-2C]
004137C2 |. 83C2 01 |add edx, 1
004137C5 |. 8955 D4 |mov dword ptr [ebp-2C], edx
004137C8 |> 8D4D DC lea ecx, dword ptr [ebp-24] ; B
004137CB |. E8 10A2FFFF |call dnhx.0040D9E0 ; 获取B的长度
004137D0 |. 3945 D4 |cmp dword ptr [ebp-2C], eax ; eax为B值的长度
004137D3 |. 7D 44 |jge short dnhx.00413819 ; 下面开始循环取B,进行运算
004137D5 |. 8B45 D4 |mov eax, dword ptr [ebp-2C]
004137D8 |. 50 |push eax ; /Arg1
004137D9 |. 8D4D DC |lea ecx, dword ptr [ebp-24] ; |B
004137DC |. E8 5FD7FFFF |call dnhx.00410F40 ; \取B的字符
004137E1 |. 8845 CC |mov byte ptr [ebp-34], al ; B的字符的ASC值
004137E4 |. 0FBE4D CC |movsx ecx, byte ptr [ebp-34]
004137E8 |. 894D AC |mov dword ptr [ebp-54], ecx
004137EB |. DB45 AC |fild dword ptr [ebp-54] ; 装入整数到[ebp-54]
004137EE |. DC0D E0074B00 |fmul qword ptr [4B07E0] ; 乘上一个实数,[ebp-54]*[4b07e0]
([4b07e0]值为1.5),设为C1
004137F4 |. E8 37010600 |call dnhx.00473930 ; 跟进一
004137F9 |. 8945 C8 |mov dword ptr [ebp-38], eax ; 浮点运算后所得值设为D
004137FC |. 6A 0A |push 0A ; /Arg3 = 0000000A
004137FE |. 8D55 E0 |lea edx, dword ptr [ebp-20] ; |
00413801 |. 52 |push edx ; |Arg2
00413802 |. 8B45 C8 |mov eax, dword ptr [ebp-38] ; |
00413805 |. 50 |push eax ; |Arg1
00413806 |. E8 3A050600 |call dnhx.00473D45 ; \跟进二
0041380B |. 83C4 0C |add esp, 0C
0041380E |. 50 |push eax
0041380F |. 8D4D D0 |lea ecx, dword ptr [ebp-30] ; 地址
00413812 |. E8 FE4E0700 |call dnhx.00488715 ; 将E值存入栈中
00413817 |.^ EB A6 \jmp short dnhx.004137BF
00413819 |> 8D4D D0 lea ecx, dword ptr [ebp-30] ; 上面计算所得串E
0041381C |. E8 BFA1FFFF call dnhx.0040D9E0
00413821 |. 83F8 08 cmp eax, 8
00413824 |. 7E 33 jle short dnhx.00413859
00413826 |. 6A 08 push 8
00413828 |. 8D4D C0 lea ecx, dword ptr [ebp-40]
0041382B |. 51 push ecx
0041382C |. 8D4D D0 lea ecx, dword ptr [ebp-30]
0041382F |. E8 9BD20600 call dnhx.00480ACF ; 取E串的后8位,即为注册码(密码)
00413834 |. 8945 A8 mov dword ptr [ebp-58], eax
00413837 |. 8B55 A8 mov edx, dword ptr [ebp-58]
0041383A |. 8955 A4 mov dword ptr [ebp-5C], edx
0041383D |. C645 FC 07 mov byte ptr [ebp-4], 7
00413841 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
00413844 |. 50 push eax
00413845 |. 8D4D D0 lea ecx, dword ptr [ebp-30]
00413848 |. E8 254C0700 call dnhx.00488472
0041384D |. C645 FC 05 mov byte ptr [ebp-4], 5
00413851 |. 8D4D C0 lea ecx, dword ptr [ebp-40]
00413854 |. E8 E04A0700 call dnhx.00488339
00413859 |> 8D4D D0 lea ecx, dword ptr [ebp-30]
0041385C |. 51 push ecx
0041385D |. 8B4D 08 mov ecx, dword ptr [ebp+8]
00413860 |. E8 49480700 call dnhx.004880AE
00413865 |. 8B55 BC mov edx, dword ptr [ebp-44]
00413868 |. 83CA 01 or edx, 1
0041386B |. 8955 BC mov dword ptr [ebp-44], edx
0041386E |. C645 FC 04 mov byte ptr [ebp-4], 4
00413872 |. 8D4D D0 lea ecx, dword ptr [ebp-30]
00413875 |. E8 BF4A0700 call dnhx.00488339
0041387A |. C645 FC 03 mov byte ptr [ebp-4], 3
0041387E |. 8D4D DC lea ecx, dword ptr [ebp-24]
00413881 |. E8 B34A0700 call dnhx.00488339
00413886 |. C645 FC 02 mov byte ptr [ebp-4], 2
0041388A |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041388D |. E8 A74A0700 call dnhx.00488339
00413892 |. C645 FC 01 mov byte ptr [ebp-4], 1
00413896 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
00413899 |. E8 9B4A0700 call dnhx.00488339
0041389E |. C645 FC 00 mov byte ptr [ebp-4], 0
004138A2 |. 8D4D 10 lea ecx, dword ptr [ebp+10]
004138A5 |. E8 8F4A0700 call dnhx.00488339
004138AA |. 8B45 08 mov eax, dword ptr [ebp+8]
004138AD |> 8B4D F4 mov ecx, dword ptr [ebp-C]
004138B0 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004138B7 |. 8BE5 mov esp, ebp
004138B9 |. 5D pop ebp
004138BA \. C2 0C00 retn 0C
跟进一处:
00473930 /$ 55 push ebp
00473931 |. 8BEC mov ebp, esp
00473933 |. 83C4 F4 add esp, -0C
00473936 |. 9B wait
00473937 |. D97D FE fstcw word ptr [ebp-2] ; 将FPU的控制字保存到dest
0047393A |. 9B wait
0047393B |. 66:8B45 FE mov ax, word ptr [ebp-2]
0047393F |. 80CC 0C or ah, 0C
00473942 |. 66:8945 FC mov word ptr [ebp-4], ax
00473946 |. D96D FC fldcw word ptr [ebp-4] ; 从src装入FPU的控制字
00473949 |. DF7D F4 fistp qword ptr [ebp-C] ; dest <- st(0),目的操作数->浮点寄存器
,然后再执行一次出栈操作
0047394C |. D96D FE fldcw word ptr [ebp-2] ; 从源操作数装入FPU的控制字
0047394F |. 8B45 F4 mov eax, dword ptr [ebp-C]
00473952 |. 8B55 F8 mov edx, dword ptr [ebp-8]
00473955 |. C9 leave
00473956 \. C3 retn
跟进二处:
00473D45 /$ 55 push ebp
00473D46 |. 8BEC mov ebp, esp
00473D48 |. 837D 10 0A cmp dword ptr [ebp+10], 0A
00473D4C |. 75 0C jnz short dnhx.00473D5A
00473D4E |. 837D 08 00 cmp dword ptr [ebp+8], 0
00473D52 |. 7D 06 jge short dnhx.00473D5A
00473D54 |. 6A 01 push 1
00473D56 |. 6A 0A push 0A
00473D58 |. EB 05 jmp short dnhx.00473D5F
00473D5A |> 6A 00 push 0
00473D5C |. FF75 10 push dword ptr [ebp+10]
00473D5F |> FF75 0C push dword ptr [ebp+C] ; |Arg2
00473D62 |. FF75 08 push dword ptr [ebp+8] ; |Arg1
00473D65 |. E8 08000000 call dnhx.00473D72 ; 在此进行计算,跟进三
00473D6A |. 8B45 0C mov eax, dword ptr [ebp+C] E值
00473D6D |. 83C4 10 add esp, 10
00473D70 |. 5D pop ebp
00473D71 \. C3 retn
跟进三处:
00473D72 /$ 55 push ebp
00473D73 |. 8BEC mov ebp, esp
00473D75 |. 837D 14 00 cmp dword ptr [ebp+14], 0
00473D79 |. 8B4D 0C mov ecx, dword ptr [ebp+C]
00473D7C |. 53 push ebx
00473D7D |. 56 push esi
00473D7E |. 57 push edi
00473D7F |. 74 0B je short dnhx.00473D8C
00473D81 |. 8B75 08 mov esi, dword ptr [ebp+8]
00473D84 |. C601 2D mov byte ptr [ecx], 2D
00473D87 |. 41 inc ecx
00473D88 |. F7DE neg esi
00473D8A |. EB 03 jmp short dnhx.00473D8F
00473D8C |> 8B75 08 mov esi, dword ptr [ebp+8] ; D值
00473D8F |> 8BF9 mov edi, ecx
00473D91 |> 8BC6 /mov eax, esi
00473D93 |. 33D2 |xor edx, edx
00473D95 |. F775 10 |div dword ptr [ebp+10] ; D值 div [ebp+10]的值([ebp+10]值为A)
00473D98 |. 8BC6 |mov eax, esi
00473D9A |. 8BDA |mov ebx, edx ; 余数->ebx
00473D9C |. 33D2 |xor edx, edx ; 清0
00473D9E |. F775 10 |div dword ptr [ebp+10] ; D值 div [ebp+10]的值([ebp+10]值为A)
00473DA1 |. 83FB 09 |cmp ebx, 9 ; 比较余数是否大于9
00473DA4 |. 8BF0 |mov esi, eax ; 商存入esi中
00473DA6 |. 76 05 |jbe short dnhx.00473DAD ; 小于9跳
00473DA8 |. 80C3 57 |add bl, 57
00473DAB |. EB 03 |jmp short dnhx.00473DB0
00473DAD |> 80C3 30 |add bl, 30 ; 余数+30,化为数字
00473DB0 |> 8819 |mov byte ptr [ecx], bl ; 放在[ecx]
00473DB2 |. 41 |inc ecx
00473DB3 |. 85F6 |test esi, esi
00473DB5 |.^ 77 DA \ja short dnhx.00473D91 ; 再用商进行div运算操作
00473DB7 |. 8021 00 and byte ptr [ecx], 0
00473DBA |. 49 dec ecx
00473DBB |> 8A17 mov dl, byte ptr [edi] ; 这边是将刚才所得的两位数进行倒置,设为E
00473DBD |. 8A01 mov al, byte ptr [ecx]
00473DBF |. 8811 mov byte ptr [ecx], dl
00473DC1 |. 8807 mov byte ptr [edi], al
00473DC3 |. 49 dec ecx
00473DC4 |. 47 inc edi
00473DC5 |. 3BF9 cmp edi, ecx
00473DC7 |.^ 72 F2 jb short dnhx.00473DBB
00473DC9 |. 5F pop edi
00473DCA |. 5E pop esi
00473DCB |. 5B pop ebx
00473DCC |. 5D pop ebp
00473DCD \. C3 retn
--------------------------------------------------------------------------------
【经验总结】
该软件的注册算法大致如下:
1、取硬盘序列进行运算产生序列号
2、取序列号的后8位的ASC值进行浮点运算
3、ASC值进行浮点运算后,进行div求余运算
4、将求余所得的串,截取后8位即为注册码
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年04月29日 13:46:08