这是一个很奇怪的破解,对象是一个国产软件,我没有说出它的名字
该软件信息:
可执行文件大小是363,008字节
经aspack加壳
版本3.??
注册费15元/份,请大家支持国产软件,注册机暂不公开,本文仅作为参考研究
PART1
==================================================
; ==== PART 1: user name -> strname1 ==========================================
; IDA-style listing (Intel syntax) of the first stage of the registration check.
; The calling pattern (args in eax/edx/ecx, string helpers at sub_403xxx)
; looks like a Delphi-style RTL; the helper roles below are the reviewer's
; reading and should be confirmed before relying on them:
;   sub_403DD4 / sub_403D90 - assign a (constant) string to the var at eax
;   sub_403FBC              - string length, returned in eax
;   sub_40418C              - called right before every in-place byte store,
;                             presumably makes the string safely writable
; Registers in the loop: [ebp+var_4] = object pointer, esi = 1-based index i,
; edi = bytes remaining, ebx = working value (only bl is stored).
; Per byte i:  b = name[i] XOR key[i];  b = (b AND 0FFh) XOR i;  then fold:
;   while b < 41h:        b += i + 16h
;   while b > 7Ah:        b -= 1Bh + i
;   while 5Ah < b < 61h:  b += 4        (pushes '['..'`' up into 'a'..'d')
; For small i this always yields an ASCII letter (A-Z / a-z); because both
; fold steps grow with i, positions from about i = 20h (32) on can end
; outside that range - check with long user names before assuming "letters only".
; NOTE(review): the loop runs len(name) times and reads key[i] (str_4B3950)
; with the same index; no length check on the key string is visible here, so a
; user name longer than str_4B3950 reads past the end of that string.
004B2924                 lea     eax, [ebp+var_14]
004B2927                 mov     edx, offset str_4B3950  ; key string; contents hidden by the author to conceal the product name
004B292C                 call    sub_403DD4              ; var_14 := str_4B3950
004B2931                 mov     eax, [ebp+var_4]
004B2934                 add     eax, 5D0h               ; eax = @field 5D0h
004B2939                 mov     edx, [ebp+var_4]
004B293C                 mov     edx, [edx+5BCh]
004B2942                 call    sub_403D90              ; field 5D0h := field 5BCh (the user name, per the author)
004B2947 loc_4B2947:     lea     eax, [ebp+var_18]
004B294A                 mov     edx, offset unk_4B398C
004B294F                 call    sub_403DD4              ; var_18 := unk_4B398C (not referenced again in this listing)
004B2954                 mov     eax, [ebp+var_4]
004B2957                 mov     eax, [eax+5D0h]         ; user name
004B295D                 call    sub_403FBC              ; eax = length of user name
004B2962                 mov     edi, eax                ; edi = bytes remaining
004B2964                 test    edi, edi                ; empty name?
004B2966                 jle     short loc_4B29CE        ; yes: skip the transform
004B2968                 mov     esi, 1                  ; i = 1
004B296D loc_4B296D:     mov     eax, [ebp+var_4]
004B2970                 mov     eax, [eax+5D0h]         ; user name (strname)
004B2976                 mov     bl, [eax+esi-1]         ; bl = name[i]
004B297A                 mov     eax, [ebp+var_14]       ; str_4B3950
004B297D                 mov     al, [eax+esi-1]         ; al = key[i]  (no bound check against the key length)
004B2981                 xor     bl, al                  ; b = name[i] XOR key[i]  (author: "nothing much to explain here")
004B2983                 and     ebx, 0FFh               ; keep bl only: the upper bytes of ebx are stale from the previous pass
004B2989                 xor     ebx, esi                ; b ^= i
004B298B                 cmp     ebx, 41h
004B298E                 jge     short loc_4B299B
004B2990 loc_4B2990:     lea     eax, [esi+ebx+16h]      ; while b < 41h: b += i + 16h
004B2994                 mov     ebx, eax
004B2996                 cmp     ebx, 41h
004B2999                 jl      short loc_4B2990
004B299B loc_4B299B:     cmp     ebx, 7Ah
004B299E                 jle     short loc_4B29AF
004B29A0 loc_4B29A0:     sub     ebx, 1Bh                ; while b > 7Ah: b -= 1Bh + i
004B29A3                 sub     ebx, esi
004B29A5                 cmp     ebx, 7Ah
004B29A8                 jg      short loc_4B29A0
004B29AA                 jmp     short loc_4B29AF
004B29AC loc_4B29AC:     add     ebx, 4                  ; while 5Ah < b < 61h: b += 4
004B29AF loc_4B29AF:     cmp     ebx, 61h
004B29B2                 jge     short loc_4B29B9
004B29B4                 cmp     ebx, 5Ah
004B29B7                 jg      short loc_4B29AC
004B29B9 loc_4B29B9:     mov     eax, [ebp+var_4]
004B29BC                 add     eax, 5D0h
004B29C1                 call    sub_40418C              ; make field 5D0h writable in place (presumed)
004B29C6                 mov     [eax+esi-1], bl         ; store the folded byte over name[i]; the author calls the result strname1
004B29CA                 inc     esi                     ; i++
004B29CB                 dec     edi
004B29CC                 jnz     short loc_4B296D        ; until every byte is done
PART2
==================================================
; ==== PART 2: entered registration code -> strcode2 ==========================
; Same conventions as PART 1 (reviewer's reading of the helpers; confirm):
;   sub_4042F0 - eax = @string, edx = new length; the author reads the call
;                at 004B2B73 as "keep the first 10 characters" (SetLength-like)
;   sub_403FBC - length;  sub_40418C - prepare the string for in-place writes
; Registers: [ebp+var_4] = object pointer, esi = 1-based index i,
; edi = bytes remaining, ebx = working value (bl stored).
; Per byte i:  b = (code[i] XOR i) + 29h, then the PART 1 fold:
;   while b < 41h: b += i+16h;  while b > 7Ah: b -= 1Bh+i;  while 5Ah<b<61h: b += 4
; Keygen note: the fold is many-to-one, so this step is not directly
; invertible; for each target byte t (PART 3 requires strcode2[11-i] ==
; strname2[i]) search the printable code bytes c for fold((c XOR i) + 29h) == t.
; NOTE(review): if the 004B2B73 call truncates as the author says, only the
; first 10 bytes of whatever was typed take part; extra characters are
; silently ignored rather than rejected.
004B2B66                 mov     eax, [ebp+var_4]
004B2B69                 add     eax, 5F8h               ; eax = @field 5F8h, the entered code (strcode)
004B2B6E                 mov     edx, 0Ah                ; 10
004B2B73                 call    sub_4042F0              ; keep the first 10 chars -> strcode1 (author)
004B2B78                 mov     eax, [ebp+var_4]
004B2B7B                 mov     eax, [eax+5F8h]
004B2B81                 call    sub_403FBC              ; eax = length of strcode1
004B2B86                 mov     ebx, eax
004B2B88                 mov     eax, [ebp+var_4]
004B2B8B                 add     eax, 5F8h
004B2B90                 mov     edx, ebx
004B2B92                 call    sub_4042F0              ; same helper with the current length - appears to be a no-op
004B2B97                 mov     eax, [ebp+var_4]
004B2B9A                 mov     eax, [eax+5F8h]
004B2BA0                 call    sub_403FBC              ; eax = length again
004B2BA5                 mov     edi, eax                ; edi = bytes remaining
004B2BA7                 test    edi, edi                ; empty code?
004B2BA9                 jle     short loc_4B2C07        ; yes: skip the transform
004B2BAB                 mov     esi, 1                  ; i = 1
004B2BB0 loc_4B2BB0:     mov     eax, [ebp+var_4]
004B2BB3                 mov     eax, [eax+5F8h]         ; strcode1
004B2BB9                 xor     ebx, ebx                ; clear ebx first (PART 1 masks afterwards instead)
004B2BBB                 mov     bl, [eax+esi-1]         ; b = code[i]
004B2BBF                 xor     ebx, esi                ; b ^= i   (author: this step matters when writing the keygen)
004B2BC1                 add     ebx, 29h                ; b += 29h (author: look closely)
004B2BC4                 cmp     ebx, 41h
004B2BC7                 jge     short loc_4B2BD4
004B2BC9 loc_4B2BC9:     lea     eax, [esi+ebx+16h]      ; while b < 41h: b += i + 16h
004B2BCD                 mov     ebx, eax
004B2BCF                 cmp     ebx, 41h
004B2BD2                 jl      short loc_4B2BC9
004B2BD4 loc_4B2BD4:     cmp     ebx, 7Ah
004B2BD7                 jle     short loc_4B2BE8
004B2BD9 loc_4B2BD9:     sub     ebx, 1Bh                ; while b > 7Ah: b -= 1Bh + i
004B2BDC                 sub     ebx, esi
004B2BDE                 cmp     ebx, 7Ah
004B2BE1                 jg      short loc_4B2BD9
004B2BE3                 jmp     short loc_4B2BE8
004B2BE5 loc_4B2BE5:     add     ebx, 4                  ; while 5Ah < b < 61h: b += 4
004B2BE8 loc_4B2BE8:     cmp     ebx, 61h
004B2BEB                 jge     short loc_4B2BF2
004B2BED                 cmp     ebx, 5Ah
004B2BF0                 jg      short loc_4B2BE5
004B2BF2 loc_4B2BF2:     mov     eax, [ebp+var_4]
004B2BF5                 add     eax, 5F8h
004B2BFA                 call    sub_40418C              ; make field 5F8h writable in place (presumed)
004B2BFF                 mov     [eax+esi-1], bl         ; store the folded byte -> strcode2 (author's name)
004B2C03                 inc     esi
004B2C04                 dec     edi
004B2C05                 jnz     short loc_4B2BB0
PART3
==================================================
; ==== PART 3: strname1 -> strname2 (10 bytes) and compare with strcode2 =======
; Here esi is the object pointer (not an index).  Per the author's comments:
; [esi+5ECh] = strname1 (working copy), [esi+5E0h] = strcode2,
; byte [esi+60Ch] = registration flag.  Helper reading (Delphi-style RTL
; assumed; confirm before relying on it):
;   sub_403FBC - length;  sub_40418C - prepare string for in-place byte writes
;   sub_4041C4 - eax = string, edx = 1, ecx = count, result address pushed:
;                looks like a substring copy
;   sub_4042F0 - set length (see PART 2);  sub_4A63D8 - byte -> byte, unknown
;   sub_403EE4 - char (dl) -> string at [ebp-10h];  sub_403FC4 - append it
;   sub_4097F0 - string -> string into [ebp-14h], unknown
;
; Stage A (loc_4B0AC5 .. 004B0B7A), repeats while len > 0Bh:
;   pick = (edi < 15h) ? ++ebx : len mod 9      [edi = ORIGINAL length, set once
;                                               at 004B0ABE and never updated here]
;   s[pick] = sub_4A63D8(((s[len-pick] XOR s[pick]) AND 0FFh) + 79h)
;   s       = first (len - pick) bytes of s
; NOTE(review): with edi >= 15h, pick = len mod 9, so after at most one pass
; len is a multiple of 9 (still > 0Bh) and pick becomes 0: the accesses at
; [edx+ebx-1] then hit the byte *before* the string data, and (len - pick)
; == len so the string is not shortened.  If the helpers are
; substring/SetLength-like, the `jg loc_4B0AC5` loop at 004B0B8D never
; terminates (or runs on a corrupted string if that byte belongs to the string
; header).  Assuming strname1 has the user name's length (PART 1 writes in
; place), any user name of 21 or more characters is the case to test; the
; author's 5-character sample never reaches it.
; Stage B (loc_4B0B97 ..), repeats while 2 <= len < 0Ah: ebx++ and append
;   sub_4A63D8(((s[ebx] XOR 55h) AND 0FFh) XOR (ebx + 46h)).
;   A strname1 of 0 or 1 bytes skips this stage; the length-10 call at
;   004B0C00 must then supply the missing bytes and nothing here defines them.
; Stage C: length forced to 0Ah, sub_4097F0 applied, result assigned back -
;   this is strname2 (author).  Then [ebp-4] := strcode2.
; Stage D (loc_4B0C3B ..): for i = 1..10 compare strname2[i] with
;   strcode2[11-i] (reversed).  The flag starts at 1, drops to 0 on the first
;   mismatch and stays 0; the loop always runs all 10 passes.  Registration
;   succeeds iff byte [esi+60Ch] == 1 afterwards (author) - a single byte,
;   which is also the obvious patch point.
; NOTE(review): both strings are indexed 1..10 with no length check here, so
; they must really be 10 bytes (Stage C and the PART 2 truncation).
004B0AB1                 xor     ebx, ebx                ; pick = 0
004B0AB3                 mov     eax, [esi+5ECh]         ; strname1
004B0AB9                 call    sub_403FBC              ; eax = length
004B0ABE                 mov     edi, eax                ; edi = original length (author: "no need to study this part, copy it into the keygen as is")
004B0AC0                 jmp     loc_4B0B7F              ; enter the loop at its test
004B0AC5 loc_4B0AC5:     cmp     edi, 15h                ; original length < 21?
004B0AC8                 jge     short loc_4B0ACD
004B0ACA                 inc     ebx                     ; yes: pick = ++ebx (1, 2, 3, ... across passes)
004B0ACB                 jmp     short loc_4B0AE2
004B0ACD loc_4B0ACD:     mov     eax, [esi+5ECh]         ; no: pick = current length mod 9
004B0AD3                 call    sub_403FBC
004B0AD8                 mov     ecx, 9
004B0ADD                 cdq                             ; sign-extend eax into edx:eax for idiv
004B0ADE                 idiv    ecx
004B0AE0                 mov     ebx, edx                ; remainder (0 when len is a multiple of 9 - see NOTE above)
004B0AE2 loc_4B0AE2:     mov     eax, [esi+5ECh]
004B0AE8                 call    sub_403FBC
004B0AED                 sub     eax, ebx                ; eax = len - pick
004B0AEF                 mov     edx, [esi+5ECh]
004B0AF5                 mov     al, [edx+eax-1]         ; al = s[len - pick]
004B0AF9                 mov     edx, [esi+5ECh]
004B0AFF                 mov     dl, [edx+ebx-1]         ; dl = s[pick]   (pick = 0 reads the byte before the data)
004B0B03                 xor     al, dl
004B0B05                 and     eax, 0FFh               ; keep the low byte only
004B0B0A                 add     eax, 79h
004B0B0D                 push    eax                     ; preserve the value across the helper call
004B0B0E                 lea     eax, [esi+5ECh]
004B0B14                 call    sub_40418C              ; make writable in place (presumed)
004B0B19                 pop     edx
004B0B1A                 mov     [eax+ebx-1], dl         ; s[pick] = low byte of the sum
004B0B1E                 mov     eax, [esi+5ECh]
004B0B24                 movzx   eax, byte ptr [eax+ebx-1] ; re-read s[pick], zero-extended
004B0B29                 call    sub_4A63D8              ; unknown byte transform, result in al
004B0B2E                 push    eax
004B0B2F                 lea     eax, [esi+5ECh]
004B0B35                 call    sub_40418C
004B0B3A                 pop     edx
004B0B3B                 mov     [eax+ebx-1], dl         ; s[pick] = transformed byte
004B0B3F                 lea     eax, [esi+5ECh]
004B0B45                 push    eax                     ; result address for the copy helper
004B0B46                 mov     eax, [esi+5ECh]
004B0B4C                 call    sub_403FBC
004B0B51                 mov     ecx, eax
004B0B53                 sub     ecx, ebx                ; count = len - pick
004B0B55                 mov     edx, 1                  ; start index 1
004B0B5A                 mov     eax, [esi+5ECh]
004B0B60                 call    sub_4041C4              ; s = substring(s, 1, len - pick) (presumed)
004B0B65                 mov     eax, [esi+5ECh]
004B0B6B                 call    sub_403FBC
004B0B70                 mov     edx, eax
004B0B72                 sub     edx, ebx                ; new length = len - pick
004B0B74                 lea     eax, [esi+5ECh]
004B0B7A                 call    sub_4042F0              ; set length (presumed)
004B0B7F loc_4B0B7F:     mov     eax, [esi+5ECh]
004B0B85                 call    sub_403FBC
004B0B8A                 cmp     eax, 0Bh                ; len > 11?
004B0B8D                 jg      loc_4B0AC5              ; yes: shorten again
004B0B93                 xor     ebx, ebx                ; Stage B: ebx = 0
004B0B95                 jmp     short loc_4B0BD7        ; enter at the test
004B0B97 loc_4B0B97:     inc     ebx                     ; ebx = 1-based read position
004B0B98                 mov     eax, [esi+5ECh]
004B0B9E                 mov     al, [eax+ebx-1]         ; al = s[ebx]
004B0BA2                 xor     al, 55h
004B0BA4                 and     eax, 0FFh               ; keep the low byte
004B0BA9                 lea     edx, [ebx+46h]          ; edx = ebx + 46h
004B0BAC                 xor     eax, edx
004B0BAE                 mov     [ebp-5], al             ; stash the byte
004B0BB1                 xor     eax, eax
004B0BB3                 mov     al, [ebp-5]
004B0BB6                 call    sub_4A63D8              ; unknown byte transform
004B0BBB                 mov     [ebp-5], al
004B0BBE                 lea     eax, [ebp-10h]
004B0BC1                 mov     dl, [ebp-5]
004B0BC4                 call    sub_403EE4              ; [ebp-10h] := one-char string (presumed)
004B0BC9                 mov     edx, [ebp-10h]
004B0BCC                 lea     eax, [esi+5ECh]
004B0BD2                 call    sub_403FC4              ; s := s + that char (presumed)
004B0BD7 loc_4B0BD7:     mov     eax, [esi+5ECh]
004B0BDD                 call    sub_403FBC
004B0BE2                 cmp     eax, 0Ah                ; len >= 10?
004B0BE5                 jge     short loc_4B0BF5        ; yes: done extending
004B0BE7                 mov     eax, [esi+5ECh]
004B0BED                 call    sub_403FBC
004B0BF2                 dec     eax
004B0BF3                 jg      short loc_4B0B97        ; len - 1 > 0: append another byte (0/1-byte strings fall through)
004B0BF5 loc_4B0BF5:     lea     eax, [esi+5ECh]
004B0BFB                 mov     edx, 0Ah
004B0C00                 call    sub_4042F0              ; Stage C: force length 10 (presumed)
004B0C05                 lea     edx, [ebp-14h]
004B0C08                 mov     eax, [esi+5ECh]
004B0C0E                 call    sub_4097F0              ; [ebp-14h] := f(s), f unknown
004B0C13                 mov     edx, [ebp-14h]
004B0C16                 lea     eax, [esi+5ECh]
004B0C1C                 call    sub_403D90              ; s := [ebp-14h]
004B0C21                 lea     eax, [ebp-4]
004B0C24                 mov     edx, [esi+5E0h]
004B0C2A                 call    sub_403DD4              ; [ebp-4] := strcode2.  Author: everything above turns strname1 into the 10-byte strname2
004B0C2F                 mov     byte ptr [esi+60Ch], 1  ; Stage D: flag = 1 (assume a match)
004B0C36                 mov     edi, 1                  ; i = 1
004B0C3B loc_4B0C3B:     cmp     byte ptr [esi+60Ch], 0  ; already failed?
004B0C42                 jz      short loc_4B0C60        ; yes: keep the flag at 0
004B0C44                 mov     eax, [esi+5ECh]         ; strname2, len = 10
004B0C4A                 mov     al, [eax+edi-1]         ; al = strname2[i]   (walked front to back)
004B0C4E                 mov     edx, 0Bh
004B0C53                 sub     edx, edi                ; edx = 11 - i
004B0C55                 mov     ecx, [ebp-4]            ; strcode2, len = 10
004B0C58                 mov     dl, [ecx+edx-1]         ; dl = strcode2[11 - i]   (walked back to front)
004B0C5C                 xor     al,dl                   ; equal?  (zero iff the two bytes match)
004B0C5E                 jz      short loc_4B0C64
004B0C60 loc_4B0C60:     xor     eax, eax                ; mismatch: flag = 0
004B0C62                 jmp     short loc_4B0C66
004B0C64 loc_4B0C64:     mov     al, 1                   ; match so far: flag = 1
004B0C66 loc_4B0C66:     mov     [esi+60Ch], al
004B0C6C                 inc     edi
004B0C6D                 cmp     edi, 0Bh
004B0C70                 jnz     short loc_4B0C3B        ; always 10 passes
004B0C72                 jmp     short loc_4B0C9E        ; comparison done; registered iff byte [esi+60Ch] == 1 (author)
==================================================
文章写的不太好,请见谅,谢谢您有兴趣看完
最后给出一组注册码,以便于大家跟踪分析
用户名:heXer
注册码:KSHPNBY7S7
==================================================
heXer/iPB
2002.06.15
- 标 题:奇怪的破解,国产软件,我不说它的名字,你们猜猜 (11千字)
- 作 者:heXer
- 时 间:2002-6-15 23:17:17
- 链 接:http://bbs.pediy.com