某EDA电路设计软件

标题：打狗棒法：深思3软件狗(47千字)
作者：wyjm
时间：2002-6-30 10:23:15
链接：http://bbs.pediy.com

打狗棒法：深思3软件狗
应用软件：某EDA电路设计软件FOR 98/nt/2000/xp
保护方法：深思3型软件狗
破解工具：TRW2000 1.23,WDasm89
破解方法：带狗杀狗
作者:crack123 [FCG]
-------------------------------------------------------------
转载:大老于大老的解狗论坛
http://dalao2002.yeah.net
-------------------------------------------------------------
破解过程：
一、
该软件无狗运行时提示"校验逻辑错误, 未找到软件加密锁!"，因此在TRW2000中下
BPX MESSAGEBOXA,拦截后回到主程序空间：
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040C98D(C), :0040CB87(C)
|
:0040CB97 8D8C24A0000000 lea ecx, dword ptr [esp+000000A0]
:0040CB9E 899C2460060000 mov dword ptr [esp+00000660], ebx
:0040CBA5 E8D5FE1700 call 0058CA7F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C933(C)
|
:0040CBAA 8BCD mov ecx, ebp
:0040CBAC E88F590000 call 00412540 **
:0040CBB1 85C0 test eax, eax
:0040CBB3 89442420 mov dword ptr [esp+20], eax
:0040CBB7 6A10 push 00000010
:0040CBB9 751C jne 0040CBD7 **跳转后的程序见第二部分

* Possible StringData Ref from Data Obj ->"eda"
|
:0040CBBB A12C035F00 mov eax, dword ptr [005F032C]

* Possible StringData Ref from Data Obj ->"校验逻辑错误, 未找到软件加密锁!"
|
:0040CBC0 8B0D28035F00 mov ecx, dword ptr [005F0328]
:0040CBC6 50 push eax
:0040CBC7 51 push ecx
:0040CBC8 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040CBCA FF15F0165C00 Call dword ptr [005C16F0]
:0040CBD0 33C0 xor eax, eax
:0040CBD2 E96E070000 jmp 0040D345

显然，40CBAA处的调用就是读狗进行校验，跟进去看看：
--------------

* Referenced by a CALL at Address:
|:0040CBAC
|
:00412540 E84B96FFFF call 0040BB90 **
:00412545 66F7D8 neg ax
:00412548 1BC0 sbb eax, eax
:0041254A 257EFAFFFF and eax, FFFFFA7E
:0041254F 0582050000 add eax, 00000582
:00412554 C3 ret

只一个412540处的调用，再进：
--------------

* Referenced by a CALL at Addresses:
|:00412540 , :00412874 , :00412891
|

* Possible Reference to Dialog:
|
:0040BB90 6868326000 push 00603268
:0040BB95 66C7056C3260009300 mov word ptr [0060326C], 0093 **\
:0040BB9E 66C7056E3260000201 mov word ptr [0060326E], 0102 ** \深思3读狗口令
:0040BBA7 66C705703260006A0E mov word ptr [00603270], 0E6A ** /
:0040BBB0 66C7056A326000FFFF mov word ptr [0060326A], FFFF **/
:0040BBB9 E8121C1600 call 0056D7D0 ** 读狗
:0040BBBE 66A168326000 mov ax, word ptr [00603268] **此地址为狗标志
:0040BBC4 C3 ret 0为有狗，非0无狗

:0040BBC5 90 nop
:0040BBC6 90 nop
:0040BBC7 90 nop
:0040BBC8 90 nop
:0040BBC9 90 nop
:0040BBCA 90 nop
:0040BBCB 90 nop
:0040BBCC 90 nop
:0040BBCD 90 nop
:0040BBCE 90 nop
:0040BBCF 90 nop

只要将[00603268]等于0,即可跳过错误提示。
因有多处调用，且程序有空地方供使用，最好在此处对【603268】和AX赋值,而不要在40CBB9处强制
跳转，否则程序运行到后面，【603268】的值不对仍会出错。

二、继续运行程序，显示软件启动封面后，出现非法错误提示，

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CBB9(C)
|

* Reference To: USER32.GetSystemMetrics, Ord:0146h
|
:0040CBD7 FF15F8175C00 Call dword ptr [005C17F8]
:0040CBDD 3D00050000 cmp eax, 00000500
:0040CBE2 7E16 jle 0040CBFA
:0040CBE4 C70558F35E0028000000 mov dword ptr [005EF358], 00000028
:0040CBEE C70554F35E001E000000 mov dword ptr [005EF354], 0000001E
:0040CBF8 EB4B jmp 0040CC45

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CBE2(C)
|

* Possible Reference to Dialog: DialogID_00BA, CONTROL_ID:0400, ""
|
:0040CBFA 3D00040000 cmp eax, 00000400
:0040CBFF 7E16 jle 0040CC17
:0040CC01 C70558F35E0032000000 mov dword ptr [005EF358], 00000032
:0040CC0B C70554F35E0023000000 mov dword ptr [005EF354], 00000023
:0040CC15 EB2E jmp 0040CC45

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CBFF(C)
|
:0040CC17 3D84030000 cmp eax, 00000384
:0040CC1C 7E16 jle 0040CC34
:0040CC1E C70558F35E003C000000 mov dword ptr [005EF358], 0000003C
:0040CC28 C70554F35E0028000000 mov dword ptr [005EF354], 00000028
:0040CC32 EB11 jmp 0040CC45

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CC1C(C)
|
:0040CC34 3DBC020000 cmp eax, 000002BC
:0040CC39 7E0A jle 0040CC45
:0040CC3B C70558F35E0050000000 mov dword ptr [005EF358], 00000050

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CBF8(U), :0040CC15(U), :0040CC32(U), :0040CC39(C)
|
:0040CC45 8BCD mov ecx, ebp
:0040CC47 E876C41900 call 005A90C2

* Possible Reference to Dialog:
|
:0040CC4C 689C0C5F00 push 005F0C9C
:0040CC51 8BCD mov ecx, ebp
:0040CC53 E8D8C11900 call 005A8E30
:0040CC58 6A04 push 00000004
:0040CC5A 8BCD mov ecx, ebp
:0040CC5C E887B21900 call 005A7EE8
:0040CC61 8D542434 lea edx, dword ptr [esp+34]
:0040CC65 BB0B000000 mov ebx, 0000000B
:0040CC6A 52 push edx
:0040CC6B 66895C243A mov word ptr [esp+3A], bx
:0040CC70 E8EBF1FFFF call 0040BE60
:0040CC75 8B44243E mov eax, dword ptr [esp+3E]
:0040CC79 BF0A000000 mov edi, 0000000A
:0040CC7E 25FFFF0000 and eax, 0000FFFF
:0040CC83 66897C243A mov word ptr [esp+3A], di
:0040CC88 8D0480 lea eax, dword ptr [eax+4*eax]
:0040CC8B 8D0480 lea eax, dword ptr [eax+4*eax]
:0040CC8E 8D0480 lea eax, dword ptr [eax+4*eax]
:0040CC91 8D3480 lea esi, dword ptr [eax+4*eax]
:0040CC94 8D442438 lea eax, dword ptr [esp+38]
:0040CC98 50 push eax
:0040CC99 C1E604 shl esi, 04
:0040CC9C E8BFF1FFFF call 0040BE60
:0040CCA1 8B4C2442 mov ecx, dword ptr [esp+42]
:0040CCA5 66897C243E mov word ptr [esp+3E], di
:0040CCAA 81E1FFFF0000 and ecx, 0000FFFF
:0040CCB0 8D740E01 lea esi, dword ptr [esi+ecx+01]
:0040CCB4 B910270000 mov ecx, 00002710
:0040CCB9 8BC6 mov eax, esi
:0040CCBB 99 cdq
:0040CCBC F7F9 idiv ecx
:0040CCBE 668954243C mov word ptr [esp+3C], dx
:0040CCC3 8D54243C lea edx, dword ptr [esp+3C]
:0040CCC7 52 push edx
:0040CCC8 E8E3F8FFFF call 0040C5B0
:0040CCCD B8AD8BDB68 mov eax, 68DB8BAD
:0040CCD2 8D4C2440 lea ecx, dword ptr [esp+40]
:0040CCD6 F7EE imul esi
:0040CCD8 C1FA0C sar edx, 0C
:0040CCDB 8BC2 mov eax, edx
:0040CCDD 51 push ecx
:0040CCDE C1E81F shr eax, 1F
:0040CCE1 03D0 add edx, eax
:0040CCE3 66895C2446 mov word ptr [esp+46], bx
:0040CCE8 6689542444 mov word ptr [esp+44], dx
:0040CCED E8BEF8FFFF call 0040C5B0
:0040CCF2 83C410 add esp, 00000010
:0040CCF5 8BCD mov ecx, ebp
:0040CCF7 E814070000 call 0040D410 **
:0040CCFC 6A00 push 00000000
:0040CCFE 6A00 push 00000000
:0040CD00 6A00 push 00000000
:0040CD02 6A03 push 00000003
:0040CD04 E849171800 call 0058E452
:0040CD09 50 push eax
:0040CD0A B99C886000 mov ecx, 0060889C
:0040CD0F E862461800 call 00591376
:0040CD14 6A5C push 0000005C
:0040CD16 E8C44A1800 call 005917DF
:0040CD1B 83C404 add esp, 00000004
:0040CD1E 89442418 mov dword ptr [esp+18], eax
:0040CD22 85C0 test eax, eax
:0040CD24 C784246006000001000000 mov dword ptr [esp+00000660], 00000001
:0040CD2F 740D je 0040CD3E
:0040CD31 6A00 push 00000000
:0040CD33 8BC8 mov ecx, eax
:0040CD35 E826471100 call 00521460
:0040CD3A 8BF0 mov esi, eax
:0040CD3C EB02 jmp 0040CD40

经跟踪40CCF7处CALL 40D410内一段程序有看头：

* Referenced by a CALL at Address:
|:0040CCF7
|

* Possible Reference to Menu: MenuID_00FF
|
:0040D410 6AFF push FFFFFFFF
:0040D412 68D8145B00 push 005B14D8
:0040D417 64A100000000 mov eax, dword ptr fs:[00000000]
:0040D41D 50 push eax
:0040D41E 64892500000000 mov dword ptr fs:[00000000], esp
:0040D425 83EC64 sub esp, 00000064
:0040D428 A1D0096000 mov eax, dword ptr [006009D0]
:0040D42D 53 push ebx
:0040D42E 55 push ebp
:0040D42F 57 push edi
:0040D430 8BE9 mov ebp, ecx
:0040D432 8944240C mov dword ptr [esp+0C], eax
:0040D436 8D4C2428 lea ecx, dword ptr [esp+28]
:0040D43A 33DB xor ebx, ebx
:0040D43C 51 push ecx
:0040D43D 895C247C mov dword ptr [esp+7C], ebx
:0040D441 66C744242E0C00 mov [esp+2E], 000C
:0040D448 E813EAFFFF call 0040BE60 **读狗
:0040D44D 668B442432 mov ax, word ptr [esp+32]
:0040D452 83C404 add esp, 00000004
:0040D455 663DD007 cmp ax, 07D0
:0040D459 7206 jb 0040D461 ** 不能跳，否则后面程序出错
:0040D45B 663DD507 cmp ax, 07D5
:0040D45F 760E jbe 0040D46F **一定要跳

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D459(C)
|

* Possible Reference to Dialog: DialogID_0064
|
:0040D461 B964000000 mov ecx, 00000064 **跳到此处将内存中数据区清0,肯定要出错！
:0040D466 33C0 xor eax, eax

* Possible StringData Ref from Data Obj ->""
|
:0040D468 BF38F35E00 mov edi, 005EF338
:0040D46D F3 repz
:0040D46E AB stosd

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D45F(C)
|
:0040D46F 56 push esi ***到这儿就对了！！！
:0040D470 B914000000 mov ecx, 00000014

* Possible StringData Ref from Data Obj ->"�PP"
|
:0040D475 BE40F65E00 mov esi, 005EF640
:0040D47A BFE8836000 mov edi, 006083E8
:0040D47F F3 repz
:0040D480 A5 movsd
:0040D481 8B0D2C846000 mov ecx, dword ptr [0060842C]
:0040D487 8B1534846000 mov edx, dword ptr [00608434]
:0040D48D A130846000 mov eax, dword ptr [00608430]
:0040D492 890D18F45E00 mov dword ptr [005EF418], ecx
:0040D498 B914000000 mov ecx, 00000014

三、
经过上一步骤，再次运行程序，又出现提示"校验逻辑错误, 未找到软件加密锁!"，还得继续看：

* Reference To: KERNEL32.GlobalAddAtomA, Ord:017Fh
|
:0040CF9E FF15F8125C00 Call dword ptr [005C12F8]
:0040CFA4 53 push ebx
:0040CFA5 668985C0000000 mov word ptr [ebp+000000C0], ax
:0040CFAC E8DFB41600 call 00578490
:0040CFB1 50 push eax
:0040CFB2 E8AAB41600 call 00578461
:0040CFB7 E8B2B41600 call 0057846E
:0040CFBC A338035F00 mov dword ptr [005F0338], eax
:0040CFC1 B90A000000 mov ecx, 0000000A
:0040CFC6 99 cdq
:0040CFC7 F7F9 idiv ecx
:0040CFC9 891534035F00 mov dword ptr [005F0334], edx
:0040CFCF E89AB41600 call 0057846E ***生成随即数1
:0040CFD4 99 cdq

* Possible Reference to Dialog: DialogID_00C8
|
:0040CFD5 B9C8000000 mov ecx, 000000C8
:0040CFDA F7F9 idiv ecx
:0040CFDC 8915A4716000 mov dword ptr [006071A4], edx **此处将随机数1保存
:0040CFE2 E887B41600 call 0057846E **生成随机数2
:0040CFE7 99 cdq

* Possible Reference to Dialog: DialogID_00C8
|
:0040CFE8 B9C8000000 mov ecx, 000000C8
:0040CFED F7F9 idiv ecx
:0040CFEF 66A138035F00 mov ax, word ptr [005F0338]
:0040CFF5 8D4C243C lea ecx, dword ptr [esp+3C]
:0040CFF9 51 push ecx
:0040CFFA 6689442440 mov word ptr [esp+40], ax
:0040CFFF 8915A0716000 mov dword ptr [006071A0], edx **随机数2保存
:0040D005 668B1534035F00 mov dx, word ptr [005F0334]
:0040D00C 6689542442 mov word ptr [esp+42], dx
:0040D011 E89AF5FFFF call 0040C5B0
:0040D016 83C40C add esp, 0000000C
:0040D019 8BCD mov ecx, ebp
:0040D01B E840550000 call 00412560 ***此处仍是读狗校验，比上一个重要
:0040D020 3D82050000 cmp eax, 00000582 ，看后面的分析吧！
:0040D025 745B je 0040D082 **此处跳转

* Possible StringData Ref from Data Obj ->"eda"
|
:0040D027 8B152C035F00 mov edx, dword ptr [005F032C]

* Possible StringData Ref from Data Obj ->"校验逻辑错误, 未找到软件加密锁!"
|
:0040D02D A128035F00 mov eax, dword ptr [005F0328]
:0040D032 6A10 push 00000010
:0040D034 52 push edx
:0040D035 50 push eax
:0040D036 53 push ebx

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040D037 FF15F0165C00 Call dword ptr [005C16F0]
:0040D03D 8D4C241C lea ecx, dword ptr [esp+1C]
:0040D041 C684246006000006 mov byte ptr [esp+00000660], 06
:0040D049 E89F411800 call 005911ED
:0040D04E 8D4C247C lea ecx, dword ptr [esp+7C]
:0040D052 C684246006000002 mov byte ptr [esp+00000660], 02
:0040D05A E8B3AF1900 call 005A8012
:0040D05F C7442410F4025D00 mov [esp+10], 005D02F4
:0040D067 8D4C2410 lea ecx, dword ptr [esp+10]
:0040D06B C784246006000009000000 mov dword ptr [esp+00000660], 00000009
:0040D076 E8B9831800 call 00595434
:0040D07B 33C0 xor eax, eax
:0040D07D E9C3020000 jmp 0040D345

接下来看看40D01B CALL 412560里有什么？

* Referenced by a CALL at Address:
|:0040D01B
|
:00412560 81EC98000000 sub esp, 00000098
:00412566 66A134035F00 mov ax, word ptr [005F0334]
:0041256C 56 push esi
:0041256D 8D4C2404 lea ecx, dword ptr [esp+04]
:00412571 57 push edi
:00412572 51 push ecx
:00412573 668944240E mov word ptr [esp+0E], ax
:00412578 E8E398FFFF call 0040BE60 **读狗
:0041257D 8B542412 mov edx, dword ptr [esp+12]
:00412581 A138035F00 mov eax, dword ptr [005F0338]
:00412586 81E2FFFF0000 and edx, 0000FFFF
:0041258C 83C404 add esp, 00000004
:0041258F 3BD0 cmp edx, eax
:00412591 740C je 0041259F ***一定要跳，后面是读狗数据，还要运算

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004125F4(C), :00412656(C), :004126C7(C), :00412718(C), :0041278B(C)
|:004127DC(C), :00412849(C)
|
:00412593 5F pop edi
:00412594 83C8FF or eax, FFFFFFFF
:00412597 5E pop esi
:00412598 81C498000000 add esp, 00000098
:0041259E C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412591(C)
|
:0041259F BE10000000 mov esi, 00000010 **一定要跳到这儿，否则死定了！
:004125A4 8D7C2450 lea edi, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004125CD(C)
|
:004125A8 8D442408 lea eax, dword ptr [esp+08]
:004125AC 668974240A mov word ptr [esp+0A], si
:004125B1 50 push eax
:004125B2 E8A998FFFF call 0040BE60 **读狗
:004125B7 8B4C2412 mov ecx, dword ptr [esp+12]
:004125BB 83C404 add esp, 00000004
:004125BE 81E1FFFF0000 and ecx, 0000FFFF
:004125C4 46 inc esi
:004125C5 890F mov dword ptr [edi], ecx
:004125C7 83C704 add edi, 00000004
:004125CA 83FE17 cmp esi, 00000017
:004125CD 7CD9 jl 004125A8
:004125CF 8B442458 mov eax, dword ptr [esp+58] **[ESP+58]=14
:004125D3 8B542454 mov edx, dword ptr [esp+54] **[ESP+54]=0A
:004125D7 A350F35E00 mov dword ptr [005EF350], eax
:004125DC 89154CF35E00 mov dword ptr [005EF34C], edx
:004125E2 33C0 xor eax, eax
:004125E4 8D4C2450 lea ecx, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004125FD(C)
|
:004125E8 8B31 mov esi, dword ptr [ecx]
:004125EA 33D2 xor edx, edx
:004125EC 8A9060035F00 mov dl, byte ptr [eax+005F0360] **与码表第1组数比对
:004125F2 3BD6 cmp edx, esi **CMP EDX,EDX 以下同此
:004125F4 759D jne 00412593 **后面所有这样的跳转可千万不能跳，否则还得死！！
:004125F6 40 inc eax
:004125F7 83C104 add ecx, 00000004
:004125FA 83F807 cmp eax, 00000007
:004125FD 7CE9 jl 004125E8
:004125FF BE17000000 mov esi, 00000017
:00412604 8D7C2450 lea edi, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041262D(C)
|
:00412608 8D442408 lea eax, dword ptr [esp+08]
:0041260C 668974240A mov word ptr [esp+0A], si
:00412611 50 push eax
:00412612 E84998FFFF call 0040BE60
:00412617 8B4C2412 mov ecx, dword ptr [esp+12]
:0041261B 83C404 add esp, 00000004
:0041261E 81E1FFFF0000 and ecx, 0000FFFF
:00412624 46 inc esi
:00412625 890F mov dword ptr [edi], ecx
:00412627 83C704 add edi, 00000004
:0041262A 83FE1D cmp esi, 0000001D
:0041262D 7CD9 jl 00412608
:0041262F 8B442460 mov eax, dword ptr [esp+60] **[ESP+60]=53
:00412633 8B4C245C mov ecx, dword ptr [esp+5C] **[ESP+60]=50
:00412637 2BC1 sub eax, ecx
:00412639 8D4C2450 lea ecx, dword ptr [esp+50]
:0041263D 8D1480 lea edx, dword ptr [eax+4*eax]
:00412640 D1E2 shl edx, 1
:00412642 8915A8886000 mov dword ptr [006088A8], edx
:00412648 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412663(C)
|
:0041264A 8B31 mov esi, dword ptr [ecx]
:0041264C 33D2 xor edx, edx
:0041264E 8A9068035F00 mov dl, byte ptr [eax+005F0368] **与码表第2组数比对
:00412654 3BD6 cmp edx, esi
:00412656 0F8537FFFFFF jne 00412593
:0041265C 40 inc eax
:0041265D 83C104 add ecx, 00000004
:00412660 83F806 cmp eax, 00000006
:00412663 7CE5 jl 0041264A
:00412665 BE1D000000 mov esi, 0000001D
:0041266A 8D7C2450 lea edi, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412693(C)
|
:0041266E 8D442408 lea eax, dword ptr [esp+08]
:00412672 668974240A mov word ptr [esp+0A], si
:00412677 50 push eax
:00412678 E8E397FFFF call 0040BE60
:0041267D 8B4C2412 mov ecx, dword ptr [esp+12]
:00412681 83C404 add esp, 00000004
:00412684 81E1FFFF0000 and ecx, 0000FFFF
:0041268A 46 inc esi
:0041268B 890F mov dword ptr [edi], ecx
:0041268D 83C704 add edi, 00000004
:00412690 83FE23 cmp esi, 00000023
:00412693 7CD9 jl 0041266E
:00412695 A1A8886000 mov eax, dword ptr [006088A8]
:0041269A 8B542454 mov edx, dword ptr [esp+54] **[ESP+54]=08
:0041269E 8B4C245C mov ecx, dword ptr [esp+5C] **[ESP+5C]=0B
:004126A2 2BC2 sub eax, edx
:004126A4 03C1 add eax, ecx
:004126A6 8D4C2450 lea ecx, dword ptr [esp+50]
:004126AA 8D0480 lea eax, dword ptr [eax+4*eax]
:004126AD 8D1480 lea edx, dword ptr [eax+4*eax]
:004126B0 C1E202 shl edx, 02
:004126B3 8915A8886000 mov dword ptr [006088A8], edx
:004126B9 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004126D4(C)
|
:004126BB 8B31 mov esi, dword ptr [ecx]
:004126BD 33D2 xor edx, edx
:004126BF 8A9070035F00 mov dl, byte ptr [eax+005F0370] **与码表第3组数比对
:004126C5 3BD6 cmp edx, esi
:004126C7 0F85C6FEFFFF jne 00412593
:004126CD 40 inc eax
:004126CE 83C104 add ecx, 00000004
:004126D1 83F806 cmp eax, 00000006
:004126D4 7CE5 jl 004126BB
:004126D6 BE23000000 mov esi, 00000023
:004126DB 8D7C2450 lea edi, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412704(C)
|
:004126DF 8D442408 lea eax, dword ptr [esp+08]
:004126E3 668974240A mov word ptr [esp+0A], si
:004126E8 50 push eax
:004126E9 E87297FFFF call 0040BE60
:004126EE 8B4C2412 mov ecx, dword ptr [esp+12]
:004126F2 83C404 add esp, 00000004
:004126F5 81E1FFFF0000 and ecx, 0000FFFF
:004126FB 46 inc esi
:004126FC 890F mov dword ptr [edi], ecx
:004126FE 83C704 add edi, 00000004
:00412701 83FE29 cmp esi, 00000029
:00412704 7CD9 jl 004126DF
:00412706 33C0 xor eax, eax
:00412708 8D4C2450 lea ecx, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412725(C)
|
:0041270C 8B31 mov esi, dword ptr [ecx]
:0041270E 33D2 xor edx, edx
:00412710 8A9078035F00 mov dl, byte ptr [eax+005F0378] **与码表第4组数比对
:00412716 3BD6 cmp edx, esi
:00412718 0F8575FEFFFF jne 00412593
:0041271E 40 inc eax
:0041271F 83C104 add ecx, 00000004
:00412722 83F806 cmp eax, 00000006
:00412725 7CE5 jl 0041270C
:00412727 BE29000000 mov esi, 00000029
:0041272C 8D7C2450 lea edi, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412755(C)
|
:00412730 8D442408 lea eax, dword ptr [esp+08]
:00412734 668974240A mov word ptr [esp+0A], si
:00412739 50 push eax
:0041273A E82197FFFF call 0040BE60
:0041273F 8B4C2412 mov ecx, dword ptr [esp+12]
:00412743 83C404 add esp, 00000004
:00412746 81E1FFFF0000 and ecx, 0000FFFF
:0041274C 46 inc esi
:0041274D 890F mov dword ptr [edi], ecx
:0041274F 83C704 add edi, 00000004
:00412752 83FE30 cmp esi, 00000030
:00412755 7CD9 jl 00412730
:00412757 A1A8886000 mov eax, dword ptr [006088A8]
:0041275C 8B742464 mov esi, dword ptr [esp+64] **[ESP+64]=30
:00412760 8B542468 mov edx, dword ptr [esp+68] **[ESP+68]=3A
:00412764 8B4C2458 mov ecx, dword ptr [esp+58] **[ESP+58]=14
:00412768 2BC6 sub eax, esi
:0041276A 03C2 add eax, edx
:0041276C 03C1 add eax, ecx
:0041276E 8D4C2450 lea ecx, dword ptr [esp+50]
:00412772 8D1480 lea edx, dword ptr [eax+4*eax]
:00412775 D1E2 shl edx, 1
:00412777 8915A8886000 mov dword ptr [006088A8], edx
:0041277D 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412798(C)
|
:0041277F 8B31 mov esi, dword ptr [ecx]
:00412781 33D2 xor edx, edx
:00412783 8A9080035F00 mov dl, byte ptr [eax+005F0380] **与码表第5组数比对
:00412789 3BD6 cmp edx, esi
:0041278B 0F8502FEFFFF jne 00412593
:00412791 40 inc eax
:00412792 83C104 add ecx, 00000004
:00412795 83F807 cmp eax, 00000007
:00412798 7CE5 jl 0041277F
:0041279A BE30000000 mov esi, 00000030
:0041279F 8D7C2450 lea edi, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127C8(C)
|
:004127A3 8D442408 lea eax, dword ptr [esp+08]
:004127A7 668974240A mov word ptr [esp+0A], si
:004127AC 50 push eax
:004127AD E8AE96FFFF call 0040BE60
:004127B2 8B4C2412 mov ecx, dword ptr [esp+12]
:004127B6 83C404 add esp, 00000004
:004127B9 81E1FFFF0000 and ecx, 0000FFFF
:004127BF 46 inc esi
:004127C0 890F mov dword ptr [edi], ecx
:004127C2 83C704 add edi, 00000004
:004127C5 83FE36 cmp esi, 00000036
:004127C8 7CD9 jl 004127A3
:004127CA 33C0 xor eax, eax
:004127CC 8D4C2450 lea ecx, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127E9(C)
|
:004127D0 8B31 mov esi, dword ptr [ecx]
:004127D2 33D2 xor edx, edx
:004127D4 8A9088035F00 mov dl, byte ptr [eax+005F0388] **与码表第6组数比对
:004127DA 3BD6 cmp edx, esi
:004127DC 0F85B1FDFFFF jne 00412593
:004127E2 40 inc eax
:004127E3 83C104 add ecx, 00000004
:004127E6 83F806 cmp eax, 00000006
:004127E9 7CE5 jl 004127D0
:004127EB BE36000000 mov esi, 00000036
:004127F0 8D7C2450 lea edi, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412819(C)
|
:004127F4 8D442408 lea eax, dword ptr [esp+08]
:004127F8 668974240A mov word ptr [esp+0A], si
:004127FD 50 push eax
:004127FE E85D96FFFF call 0040BE60
:00412803 8B4C2412 mov ecx, dword ptr [esp+12]
:00412807 83C404 add esp, 00000004
:0041280A 81E1FFFF0000 and ecx, 0000FFFF
:00412810 46 inc esi
:00412811 890F mov dword ptr [edi], ecx
:00412813 83C704 add edi, 00000004
:00412816 83FE3C cmp esi, 0000003C
:00412819 7CD9 jl 004127F4
:0041281B 8B542460 mov edx, dword ptr [esp+60] **[ESP+60]=15
:0041281F 8B442450 mov eax, dword ptr [esp+50] **[ESP+50]=1A
:00412823 03C2 add eax, edx
:00412825 8D0480 lea eax, dword ptr [eax+4*eax]
:00412828 8D0480 lea eax, dword ptr [eax+4*eax]
:0041282B 8D0C80 lea ecx, dword ptr [eax+4*eax]
:0041282E C1E103 shl ecx, 03
:00412831 890DA4886000 mov dword ptr [006088A4], ecx
:00412837 33C0 xor eax, eax
:00412839 8D4C2450 lea ecx, dword ptr [esp+50]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412856(C)
|
:0041283D 8B31 mov esi, dword ptr [ecx]
:0041283F 33D2 xor edx, edx
:00412841 8A9098035F00 mov dl, byte ptr [eax+005F0398] **与码表第8组数比对
:00412847 3BD6 cmp edx, esi
:00412849 0F8544FDFFFF jne 00412593
:0041284F 40 inc eax
:00412850 83C104 add ecx, 00000004
:00412853 83F806 cmp eax, 00000006
:00412856 7CE5 jl 0041283D
:00412858 5F pop edi
:00412859 B882050000 mov eax, 00000582
:0041285E 5E pop esi
:0041285F 81C498000000 add esp, 00000098
:00412865 C3 ret

以上这段代码读了8次狗，并将读回来的数据进行运算，保存到指定地址中备用。同时读回来的
这8组数还与内存中[005F0360]开始的8组数进行明码比较，由此可知，此软件在[5F0360]存放着
码表，共8组分别有6或7个字节：
1. 00 0A 14 1B 27 32 3C
2. 46 45 4C 50 53 5A
3. 0F 08 0D 0B 11 07
4. 1A 1A 19 1B 13 14
5. 00 0A 14 1B 25 30 3A
6. 46 45 4C 41 53 5A
7. 14 08 07 13 16 07
8. 1A 1A 16 18 15 14

四、从40D025处跳转继续运行，软件自动退出，怎么回事，只好继续往下看：

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D025(C)
|
:0040D082 8B16 mov edx, dword ptr [esi]
:0040D084 8BCE mov ecx, esi
:0040D086 FF5258 call [edx+58]
:0040D089 8B442420 mov eax, dword ptr [esp+20]
:0040D08D 8BCD mov ecx, ebp
:0040D08F 50 push eax
:0040D090 E81B580000 call 004128B0
:0040D095 8BCD mov ecx, ebp
:0040D097 E874440000 call 00411510 **此处读狗
:0040D09C 83F8FF cmp eax, FFFFFFFF
:0040D09F 7545 jne 0040D0E6 **此处跳转到40D0E6,进入程序主界面，OK!
:0040D0A1 8D4C241C lea ecx, dword ptr [esp+1C]
:0040D0A5 C684246006000006 mov byte ptr [esp+00000660], 06
:0040D0AD E83B411800 call 005911ED
:0040D0B2 8D4C247C lea ecx, dword ptr [esp+7C]
:0040D0B6 C684246006000002 mov byte ptr [esp+00000660], 02
:0040D0BE E84FAF1900 call 005A8012
:0040D0C3 C7442410F4025D00 mov [esp+10], 005D02F4
:0040D0CB 8D4C2410 lea ecx, dword ptr [esp+10]
:0040D0CF C78424600600000A000000 mov dword ptr [esp+00000660], 0000000A
:0040D0DA E855831800 call 00595434
:0040D0DF 33C0 xor eax, eax
:0040D0E1 E95F020000 jmp 0040D345

进411510看看吧：
* Referenced by a CALL at Address:
|:0040D097
|
:00411510 83EC70 sub esp, 00000070
:00411513 66A134035F00 mov ax, word ptr [005F0334]
:00411519 56 push esi
:0041151A 8BF1 mov esi, ecx
:0041151C 668944242E mov word ptr [esp+2E], ax
:00411521 8D4C242C lea ecx, dword ptr [esp+2C]
:00411525 51 push ecx
:00411526 E835A9FFFF call 0040BE60
:0041152B 8B542436 mov edx, dword ptr [esp+36]
:0041152F A138035F00 mov eax, dword ptr [005F0338]
:00411534 81E2FFFF0000 and edx, 0000FFFF
:0041153A 83C404 add esp, 00000004
:0041153D 3BD0 cmp edx, eax
:0041153F 7408 je 00411549 **此处一定要跳
:00411541 83C8FF or eax, FFFFFFFF
:00411544 5E pop esi
:00411545 83C470 add esp, 00000070
:00411548 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041153F(C)
|
:00411549 8BCE mov ecx, esi
:0041154B E8B0070000 call 00411D00 **进去看看!
:00411550 83F8FF cmp eax, FFFFFFFF
:00411553 7507 jne 0041155C **此处一定要跳
:00411555 0BC0 or eax, eax
:00411557 5E pop esi
:00411558 83C470 add esp, 00000070
:0041155B C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411553(C)
|
:0041155C 8BCE mov ecx, esi
:0041155E E8AD0C0000 call 00412210 **进去看看!
:00411563 83F8FF cmp eax, FFFFFFFF
:00411566 7507 jne 0041156F
:00411568 0BC0 or eax, eax
:0041156A 5E pop esi
:0041156B 83C470 add esp, 00000070
:0041156E C3 ret

*****

* Referenced by a CALL at Address:
|:0041154B
|
:00411D00 81ECF8020000 sub esp, 000002F8
:00411D06 53 push ebx
:00411D07 55 push ebp
:00411D08 56 push esi
:00411D09 57 push edi
:00411D0A 6A04 push 00000004
:00411D0C 6800100000 push 00001000
:00411D11 33FF xor edi, edi
:00411D13 6860E31600 push 0016E360
:00411D18 57 push edi

* Reference To: KERNEL32.VirtualAlloc, Ord:02BBh
|
:00411D19 FF15E4125C00 Call dword ptr [005C12E4]
:00411D1F 3BC7 cmp eax, edi
:00411D21 A3DC836000 mov dword ptr [006083DC], eax
:00411D26 7521 jne 00411D49

* Possible StringData Ref from Data Obj ->"致命错误,内存不足!"
|
:00411D28 A10C035F00 mov eax, dword ptr [005F030C]
:00411D2D 57 push edi
:00411D2E 6894316000 push 00603194
:00411D33 50 push eax
:00411D34 57 push edi

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00411D35 FF15F0165C00 Call dword ptr [005C16F0]
:00411D3B 5F pop edi
:00411D3C 5E pop esi
:00411D3D 5D pop ebp
:00411D3E 83C8FF or eax, FFFFFFFF
:00411D41 5B pop ebx
:00411D42 81C4F8020000 add esp, 000002F8
:00411D48 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411D26(C)
|
:00411D49 68E8886000 push 006088E8
:00411D4E 8D8C24F0000000 lea ecx, dword ptr [esp+000000F0]

* Possible StringData Ref from Data Obj ->"%s\lib\*.lib"
|
:00411D55 6840185F00 push 005F1840
:00411D5A 51 push ecx
:00411D5B 893DE4836000 mov dword ptr [006083E4], edi
:00411D61 893DE0836000 mov dword ptr [006083E0], edi
:00411D67 E8BF601600 call 00577E2B
:00411D6C 8D9424FC010000 lea edx, dword ptr [esp+000001FC]
:00411D73 8D8424F8000000 lea eax, dword ptr [esp+000000F8]
:00411D7A 52 push edx
:00411D7B 50 push eax
:00411D7C E8B15E1600 call 00577C32
:00411D81 8BD8 mov ebx, eax
:00411D83 83C414 add esp, 00000014
:00411D86 83FBFF cmp ebx, FFFFFFFF
:00411D89 0F8492010000 je 00411F21
:00411D8F 8D8C2404020000 lea ecx, dword ptr [esp+00000204]
:00411D96 51 push ecx
:00411D97 B9D17E6000 mov ecx, 00607ED1
:00411D9C E8D5F51700 call 00591376
:00411DA1 BD01000000 mov ebp, 00000001
:00411DA6 BEDE7E6000 mov esi, 00607EDE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411DD9(C)
|
:00411DAB 8D9424F0010000 lea edx, dword ptr [esp+000001F0]
:00411DB2 52 push edx
:00411DB3 53 push ebx
:00411DB4 E8465F1600 call 00577CFF
:00411DB9 83C408 add esp, 00000008
:00411DBC 85C0 test eax, eax
:00411DBE 751B jne 00411DDB
:00411DC0 8D842404020000 lea eax, dword ptr [esp+00000204]
:00411DC7 8BCE mov ecx, esi
:00411DC9 50 push eax
:00411DCA E8A7F51700 call 00591376
:00411DCF 83C60D add esi, 0000000D
:00411DD2 45 inc ebp
:00411DD3 81FEE5836000 cmp esi, 006083E5
:00411DD9 7CD0 jl 00411DAB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411DBE(C)
|
:00411DDB 8B0DDC836000 mov ecx, dword ptr [006083DC]
:00411DE1 3BEF cmp ebp, edi
:00411DE3 892DE4836000 mov dword ptr [006083E4], ebp
:00411DE9 894C2410 mov dword ptr [esp+10], ecx
:00411DED 897C241C mov dword ptr [esp+1C], edi
:00411DF1 0F8E2A010000 jle 00411F21
:00411DF7 BDCE7E6000 mov ebp, 00607ECE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411F1B(C)
|
:00411DFC 8B5503 mov edx, dword ptr [ebp+03]
:00411DFF 8D8424EC000000 lea eax, dword ptr [esp+000000EC]
:00411E06 52 push edx
:00411E07 68E8886000 push 006088E8

* Possible Reference to Dialog:
|
:00411E0C 6834185F00 push 005F1834
:00411E11 50 push eax
:00411E12 E814601600 call 00577E2B
:00411E17 8D8C24FC000000 lea ecx, dword ptr [esp+000000FC]

* Possible Reference to Dialog:
|
:00411E1E 6830185F00 push 005F1830
:00411E23 51 push ecx
:00411E24 E825661600 call 0057844E
:00411E29 8BD8 mov ebx, eax
:00411E2B 83C418 add esp, 00000018
:00411E2E 3BDF cmp ebx, edi
:00411E30 0F8446010000 je 00411F7C
:00411E36 53 push ebx
:00411E37 6A10 push 00000010
:00411E39 8D9424B4000000 lea edx, dword ptr [esp+000000B4]
:00411E40 6A02 push 00000002
:00411E42 52 push edx
:00411E43 E861691600 call 005787A9
:00411E48 8B8424BC000000 mov eax, dword ptr [esp+000000BC]
:00411E4F 8B0DE0836000 mov ecx, dword ptr [006083E0]
:00411E55 66894500 mov word ptr [ebp+00], ax
:00411E59 83C410 add esp, 00000010
:00411E5C 0FBFC0 movsx eax, ax
:00411E5F 03C8 add ecx, eax
:00411E61 897C2414 mov dword ptr [esp+14], edi
:00411E65 890DE0836000 mov dword ptr [006083E0], ecx
:00411E6B 8B4C2410 mov ecx, dword ptr [esp+10]
:00411E6F 894DFA mov dword ptr [ebp-06], ecx
:00411E72 66397D00 cmp word ptr [ebp+00], di
:00411E76 897C2418 mov dword ptr [esp+18], edi
:00411E7A 897C2420 mov dword ptr [esp+20], edi
:00411E7E 7E6E jle 00411EEE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411EEA(C)
|
:00411E80 53 push ebx
:00411E81 6A01 push 00000001
:00411E83 8D54244C lea edx, dword ptr [esp+4C]
:00411E87 6A20 push 00000020
:00411E89 52 push edx
:00411E8A E81A691600 call 005787A9
:00411E8F 8D7C2454 lea edi, dword ptr [esp+54]
:00411E93 83C9FF or ecx, FFFFFFFF
:00411E96 33C0 xor eax, eax
:00411E98 83C410 add esp, 00000010
:00411E9B F2 repnz
:00411E9C AE scasb
:00411E9D F7D1 not ecx
:00411E9F 49 dec ecx
:00411EA0 8BC1 mov eax, ecx
:00411EA2 8B4C2418 mov ecx, dword ptr [esp+18]
:00411EA6 40 inc eax
:00411EA7 3BC1 cmp eax, ecx
:00411EA9 7E04 jle 00411EAF
:00411EAB 89442418 mov dword ptr [esp+18], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411EA9(C)
|
:00411EAF 8B742414 mov esi, dword ptr [esp+14]
:00411EB3 8B7C2410 mov edi, dword ptr [esp+10]
:00411EB7 8BC8 mov ecx, eax
:00411EB9 03F0 add esi, eax
:00411EBB 8BD1 mov edx, ecx
:00411EBD 89742414 mov dword ptr [esp+14], esi
:00411EC1 8D742444 lea esi, dword ptr [esp+44]
:00411EC5 C1E902 shr ecx, 02
:00411EC8 F3 repz
:00411EC9 A5 movsd
:00411ECA 8BCA mov ecx, edx
:00411ECC 83E103 and ecx, 00000003
:00411ECF F3 repz
:00411ED0 A4 movsb
:00411ED1 8B7C2410 mov edi, dword ptr [esp+10]
:00411ED5 0FBF4D00 movsx ecx, word ptr [ebp+00]
:00411ED9 03F8 add edi, eax
:00411EDB 8B442420 mov eax, dword ptr [esp+20]
:00411EDF 40 inc eax
:00411EE0 897C2410 mov dword ptr [esp+10], edi
:00411EE4 3BC1 cmp eax, ecx
:00411EE6 89442420 mov dword ptr [esp+20], eax
:00411EEA 7C94 jl 00411E80
:00411EEC 33FF xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411E7E(C)
|
:00411EEE 8A542418 mov dl, byte ptr [esp+18]
:00411EF2 668B442414 mov ax, word ptr [esp+14]
:00411EF7 885502 mov byte ptr [ebp+02], dl
:00411EFA 53 push ebx
:00411EFB 668945FE mov word ptr [ebp-02], ax
:00411EFF E83A641600 call 0057833E
:00411F04 8B442420 mov eax, dword ptr [esp+20]
:00411F08 8B0DE4836000 mov ecx, dword ptr [006083E4]
:00411F0E 83C404 add esp, 00000004
:00411F11 40 inc eax
:00411F12 83C50D add ebp, 0000000D
:00411F15 3BC1 cmp eax, ecx
:00411F17 8944241C mov dword ptr [esp+1C], eax
:00411F1B 0F8CDBFEFFFF jl 00411DFC

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00411D89(C), :00411DF1(C)
|
:00411F21 668B0DA4716000 mov cx, word ptr [006071A4]
:00411F28 668B15A0716000 mov dx, word ptr [006071A0]
:00411F2F 8D442464 lea eax, dword ptr [esp+64]
:00411F33 66894C246A mov word ptr [esp+6A], cx
:00411F38 50 push eax
:00411F39 668954246A mov word ptr [esp+6A], dx
:00411F3E E8FDA3FFFF call 0040C340 **随机数1,2变换运算
:00411F43 8B4C246A mov ecx, dword ptr [esp+6A]
:00411F47 8B44246E mov eax, dword ptr [esp+6E]
:00411F4B 81E1FFFF0000 and ecx, 0000FFFF
:00411F51 25FFFF0000 and eax, 0000FFFF
:00411F56 890D98716000 mov dword ptr [00607198], ecx
:00411F5C 8B0DA4716000 mov ecx, dword ptr [006071A4]
:00411F62 83C404 add esp, 00000004
:00411F65 3BC1 cmp eax, ecx
:00411F67 A39C716000 mov dword ptr [0060719C], eax
:00411F6C 752E jne 00411F9C ***比较运算结果是否正确，此处要跳！
:00411F6E 5F pop edi
:00411F6F 5E pop esi
:00411F70 5D pop ebp
:00411F71 83C8FF or eax, FFFFFFFF
:00411F74 5B pop ebx
:00411F75 81C4F8020000 add esp, 000002F8
:00411F7B C3 ret

****
* Referenced by a CALL at Address:
|:0041155E
|
:00412210 81EC14030000 sub esp, 00000314
:00412216 53 push ebx
:00412217 55 push ebp
:00412218 56 push esi
:00412219 57 push edi
:0041221A 6A04 push 00000004
:0041221C 6800100000 push 00001000
:00412221 68C0450400 push 000445C0
:00412226 6A00 push 00000000

* Reference To: KERNEL32.VirtualAlloc, Ord:02BBh
|
:00412228 FF15E4125C00 Call dword ptr [005C12E4]
:0041222E 85C0 test eax, eax
:00412230 A3E4876000 mov dword ptr [006087E4], eax
:00412235 7522 jne 00412259
:00412237 50 push eax

* Possible StringData Ref from Data Obj ->"致命错误,内存不足!"
|
:00412238 A10C035F00 mov eax, dword ptr [005F030C]
:0041223D 6894316000 push 00603194
:00412242 50 push eax
:00412243 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00412245 FF15F0165C00 Call dword ptr [005C16F0]
:0041224B 5F pop edi
:0041224C 5E pop esi
:0041224D 5D pop ebp
:0041224E 83C8FF or eax, FFFFFFFF
:00412251 5B pop ebx
:00412252 81C414030000 add esp, 00000314
:00412258 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412235(C)
|
:00412259 68E8886000 push 006088E8
:0041225E 8D4C2460 lea ecx, dword ptr [esp+60]

* Possible StringData Ref from Data Obj ->"%s\font\slhz.lib"
|
:00412262 6868185F00 push 005F1868
:00412267 51 push ecx
:00412268 E8BE5B1600 call 00577E2B
:0041226D 8D542468 lea edx, dword ptr [esp+68]

* Possible Reference to Dialog:
|
:00412271 6830185F00 push 005F1830
:00412276 52 push edx
:00412277 E8D2611600 call 0057844E
:0041227C 83C414 add esp, 00000014
:0041227F A3E8876000 mov dword ptr [006087E8], eax
:00412284 85C0 test eax, eax
:00412286 7520 jne 004122A8
:00412288 50 push eax

* Possible Reference to Dialog:
|
:00412289 6894316000 push 00603194

* Possible StringData Ref from Data Obj ->"无法打开矢量字库文件"
|
:0041228E 6850185F00 push 005F1850
:00412293 50 push eax

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00412294 FF15F0165C00 Call dword ptr [005C16F0]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041234A(C)
|
:0041229A 5F pop edi
:0041229B 5E pop esi
:0041229C 5D pop ebp
:0041229D 83C8FF or eax, FFFFFFFF
:004122A0 5B pop ebx
:004122A1 81C414030000 add esp, 00000314
:004122A7 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412286(C)
|
:004122A8 66A19C716000 mov ax, word ptr [0060719C]
:004122AE 668B0D98716000 mov cx, word ptr [00607198]
:004122B5 8D542414 lea edx, dword ptr [esp+14]
:004122B9 6689442422 mov word ptr [esp+22], ax
:004122BE 52 push edx
:004122BF 66894C2422 mov word ptr [esp+22], cx
:004122C4 E8079EFFFF call 0040C0D0 **随机数1,2变换运算结果逆变换
:004122C9 8B442426 mov eax, dword ptr [esp+26]
:004122CD 8B4C2422 mov ecx, dword ptr [esp+22]
:004122D1 8B1DE4876000 mov ebx, dword ptr [006087E4]
:004122D7 83C404 add esp, 00000004
:004122DA 25FFFF0000 and eax, 0000FFFF
:004122DF 81E1FFFF0000 and ecx, 0000FFFF
:004122E5 A39C716000 mov dword ptr [0060719C], eax
:004122EA 890D98716000 mov dword ptr [00607198], ecx
:004122F0 C74424100B000000 mov [esp+10], 0000000B
:004122F8 EB05 jmp 004122FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412362(C)
|
:004122FA A19C716000 mov eax, dword ptr [0060719C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004122F8(U)
|
:004122FF 3B05A4716000 cmp eax, dword ptr [006071A4]
:00412305 755D jne 00412364
:00412307 33ED xor ebp, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412354(C)
|
:00412309 8B15E8876000 mov edx, dword ptr [006087E8]
:0041230F 8D842424010000 lea eax, dword ptr [esp+00000124]
:00412316 52 push edx
:00412317 6A01 push 00000001
:00412319 6800020000 push 00000200
:0041231E 50 push eax
:0041231F E885641600 call 005787A9

* Possible Reference to Menu: MenuID_0080
|

* Possible Reference to String Resource ID=00128: "eda-嘓"
|
:00412324 B980000000 mov ecx, 00000080
:00412329 8DB42434010000 lea esi, dword ptr [esp+00000134]
:00412330 8BFB mov edi, ebx
:00412332 83C410 add esp, 00000010
:00412335 F3 repz
:00412336 A5 movsd
:00412337 8B0D98716000 mov ecx, dword ptr [00607198]
:0041233D A1A0716000 mov eax, dword ptr [006071A0]
:00412342 81C300020000 add ebx, 00000200
:00412348 3BC8 cmp ecx, eax
:0041234A 0F854AFFFFFF jne 0041229A **比较逆变换结果是否正确，此处不能跳！
:00412350 45 inc ebp
:00412351 83FD20 cmp ebp, 00000020
:00412354 7CB3 jl 00412309
:00412356 8B442410 mov eax, dword ptr [esp+10]
:0041235A 40 inc eax
:0041235B 83F81C cmp eax, 0000001C
:0041235E 89442410 mov dword ptr [esp+10], eax
:00412362 7C96 jl 004122FA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412305(C)
|
:00412364 5F pop edi
:00412365 5E pop esi
:00412366 5D pop ebp
:00412367 33C0 xor eax, eax
:00412369 5B pop ebx
:0041236A 81C414030000 add esp, 00000314
:00412370 C3 ret

五、

程序正常运行退出时软件还要检测有无狗，无狗时提示->"程序运行中去掉或共享软件锁，
可能会造成程序异常终止和设计数据丢失!"，下BPX MESSAGEBOXA再探:
:0040F659 90 nop
:0040F65A 90 nop
:0040F65B 90 nop
:0040F65C 90 nop
:0040F65D 90 nop
:0040F65E 90 nop
:0040F65F 90 nop
:0040F660 A138035F00 mov eax, dword ptr [005F0338]
:0040F665 81EC30040000 sub esp, 00000430
:0040F66B 85C0 test eax, eax
:0040F66D 56 push esi
:0040F66E 57 push edi
:0040F66F 8BF9 mov edi, ecx
:0040F671 7C4D jl 0040F6C0
:0040F673 66A134035F00 mov ax, word ptr [005F0334]
:0040F679 8D8C24F0030000 lea ecx, dword ptr [esp+000003F0]
:0040F680 51 push ecx
:0040F681 66898424F6030000 mov word ptr [esp+000003F6], ax
:0040F689 E862C5FFFF call 0040BBF0
:0040F68E 8B9424FA030000 mov edx, dword ptr [esp+000003FA]
:0040F695 A138035F00 mov eax, dword ptr [005F0338]
:0040F69A 81E2FFFF0000 and edx, 0000FFFF
:0040F6A0 83C404 add esp, 00000004
:0040F6A3 3BD0 cmp edx, eax
:0040F6A5 7419 je 0040F6C0 **此处强制跳过即可！
:0040F6A7 6A10 push 00000010

* Possible Reference to Dialog:
|
:0040F6A9 6844175F00 push 005F1744

* Possible StringData Ref from Data Obj ->"程序运行中去掉或共享软件锁，可能会造成程序异常"
->"终止和设计数据丢失!"
|
:0040F6AE 6800175F00 push 005F1700
:0040F6B3 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040F6B5 FF15F0165C00 Call dword ptr [005C16F0]
:0040F6BB E8DB9F1700 call 0058969B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F671(C), :0040F6A5(C)
|
:0040F6C0 668B87C0000000 mov ax, word ptr [edi+000000C0]
:0040F6C7 50 push eax

*********
至此程序可正常免狗运行。

后话：这套软件加密后自身带有狗内的数据码表，功力深厚的高手无狗也可解掉它，可惜我水平太低，
有狗还跟了好几天，才有了眉目。因为自己也觉得思路表述的不够好，所以程序段复制的比较多，各位
看官多见谅！

最后，非常感谢老大PETERCHEN,大老的帮助和紫竹、罗降神的文章给我的提示！

CRACK123[FCG]