Zappee 2.01

标题：初学者(14) (5千字)
作者：liutong
时间：2000-6-10 20:02:37
链接：http://bbs.pediy.com

软件名称： Zappee
软件版本： 2.01
软件大小： 2507KB
软件授权：共享软件
使用平台： Win95/98/NT
发布公司： http://www.zappee.com/
软件简介：是一套“All-in-One”的MP3软件，也就是集成了CD播放、WAV播放、MP3播放、抓取光碟音轨、MP3编码、MP3解码、ID3Tag编辑、播放清单建立等功能。

设断点bpx hmemcpy,程序被中断后按F12键12次(第13次出错)
按F10追,很快便可找到你的注册码
下面介绍注册码生成过程:

软件内部有四组数据,如下:
第一组数据: 6 n 5 2 2 m 0 4 l 4 1 6
相应ASCII: 36 6E 35 32 32 6D 30 34 6C 34 31 36

第二组数据: K 9 6 w 6 9 7 o 4 7 k 7
相应ASCII: 4B 39 36 77 36 39 37 6F 34 37 6B 37

第三组数据: i 1 N 7 5 g 2 6 o 1 3 H
相应ASCII: 69 31 4E 37 35 67 32 36 6F 31 33 48

序号: 0 1 2 3 4 5 6 7 8 9 A B C D E F
第四组数据: 3 F Z e A g 2 D b H 4 c C 9 y 8
C J X a d k V z E L 1 Y f m P x
5 N u W h o T v I 0 s 7 j q R z
K d S M r 6 Q O p W

注册时需要输入用户名,@地址,注册码
当用户名和@地址不足12位时,分别用第一,二组数据补足
例:
用户名为LiuTong
补足后为LiuTong6n522

然后将补足12位的用户名和@地址按下面的算法改头换面(得到另外的两组数).
* Referenced by a CALL at Addresses:
|:00414A87 , :00414AE6 , :00414B6F , :00414C0B , :00414C68
|:00414CF4
|
:00414DC0 0FBE4C2404 movsx ecx, byte ptr [esp+04]
:00414DC5 8BC1 mov eax, ecx
:00414DC7 83E10F and ecx, 0000000F
:00414DCA C1F804 sar eax, 04
:00414DCD 83E00F and eax, 0000000F
:00414DD0 8BD0 mov edx, eax
:00414DD2 D1FA sar edx, 1
:00414DD4 A801 test al, 01
:00414DD6 7403 je 00414DDB
:00414DD8 83CA08 or edx, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414DD6(C)
|
:00414DDB 8BC1 mov eax, ecx
:00414DDD D1F8 sar eax, 1
:00414DDF F6C101 test cl, 01
:00414DE2 7402 je 00414DE6
:00414DE4 0C08 or al, 08

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414DE2(C)
|
:00414DE6 240F and al, 0F
:00414DE8 C0E204 shl dl, 04
:00414DEB 0AC2 or al, dl
:00414DED C20400 ret 0004

根据上面计算得到的数据和第三组数据相加,除以39(程序在下面),余数是
注册码在第四组数据中的序号

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041443C(C)
|
:004143F9 0FBE440C48 movsx eax, byte ptr [esp+ecx+48]
:004143FE 8B948CC8000000 mov edx, dword ptr [esp+4*ecx+000000C8]
:00414405 8BAC8CF8000000 mov ebp, dword ptr [esp+4*ecx+000000F8]
:0041440C 03C2 add eax, edx
:0041440E 8BB42494000000 mov esi, dword ptr [esp+00000094]
:00414415 03C5 add eax, ebp
:00414417 8D1440 lea edx, dword ptr [eax+2*eax]
:0041441A C1E202 shl edx, 02
:0041441D 2BD1 sub edx, ecx
:0041441F 03F2 add esi, edx
:00414421 89B42494000000 mov dword ptr [esp+00000094], esi
:00414428 BE39000000 mov esi, 00000039
:0041442D 99 cdq
:0041442E F7FE idiv esi
:00414430 41 inc ecx
:00414431 83F90C cmp ecx, 0000000C
:00414434 8A441458 mov al, byte ptr [esp+edx+58]<----查到注册码
:00414438 88440C0F mov byte ptr [esp+ecx+0F], al
:0041443C 7CBB jl 004143F9 <----12位未计算完返回
:0041443E 8B842494000000 mov eax, dword ptr [esp+00000094]
:00414445 8BCE mov ecx, esi
:00414447 99 cdq
:00414448 F7F9 idiv ecx
:0041444A 33C0 xor eax, eax
:0041444C 8D7C2410 lea edi, dword ptr [esp+10]
:00414450 C644241D00 mov [esp+1D], 00
:00414455 8A541458 mov dl, byte ptr [esp+edx+58]
:00414459 8854241C mov byte ptr [esp+1C], dl
:0041445D 8B942434010000 mov edx, dword ptr [esp+00000134]
:00414464 8BCA mov ecx, edx
:00414466 8901 mov dword ptr [ecx], eax
:00414468 894104 mov dword ptr [ecx+04], eax
:0041446B 894108 mov dword ptr [ecx+08], eax
:0041446E 6689410C mov word ptr [ecx+0C], ax
:00414472 83C9FF or ecx, FFFFFFFF
:00414475 F2 repnz
:00414476 AE scasb
:00414477 F7D1 not ecx
:00414479 2BF9 sub edi, ecx
:0041447B 8BC1 mov eax, ecx
:0041447D 8BF7 mov esi, edi
:0041447F 8BFA mov edi, edx
:00414481 C1E902 shr ecx, 02
:00414484 F3 repz
:00414485 A5 movsd
:00414486 8BC8 mov ecx, eax
:00414488 83E103 and ecx, 00000003
:0041448B F3 repz
:0041448C A4 movsb
:0041448D 5F pop edi
:0041448E 5E pop esi
:0041448F 5D pop ebp
:00414490 5B pop ebx
:00414491 81C418010000 add esp, 00000118
:00414497 C20C00 ret 000C

整理
用户名:LiuTong
@地址:a@b.c
注册码:fY3iZ5oWcovZ2