本人旨在给入门者一个破解的途径,高手者请勿入内。该软件是一个彩票软件,注册方法是用光盘的注册方法,未注册时不能使用分析和选号功能。
该软件用aspack 1.07版加密压缩,可以用unaspack1.09来脱壳,但脱壳后不能使用,只可以反汇编,反汇编后查找“提示:请插入“白金版”光盘进行注册。”这个字符串,双击后来到下面的代码:
:00401D5A E8BDC80000
call 0040E61C <====注册码运算对比
:00401D5F 84C0
test al, al
:00401D61 0F8545010000
jne 00401EAC <====注册码正确,则跳到注册成功的地方
:00401D67 66C78558FFFFFFE000 mov word ptr [ebp+FFFFFF58],
00E0
* Possible StringData Ref from Data Obj ->"提示:请插入“白金版”光盘进行注册。"
|
:00401D70 BA1A2A6C00
mov edx, 006C2A1A
:00401D75 8D4598
lea eax, dword ptr [ebp-68]
:00401D78 E82FD92B00 call
006BF6AC
:00401D7D FF8564FFFFFF
inc dword ptr [ebp+FFFFFF64]
:00401D83 8B00
mov eax, dword ptr [eax]
:00401D85 E8BA2B2600
call 00664944
:00401D8A FF8D64FFFFFF
dec dword ptr [ebp+FFFFFF64]
:00401D90
8D4598 lea eax,
dword ptr [ebp-68]
:00401D93 BA02000000
mov edx, 00000002
:00401D98 E8ABDB2B00
call 006BF948
:00401D9D E85AC60000
call 0040E3FC
:00401DA2 84C0
test al, al
:00401DA4
7545 jne
00401DEB
:00401DA6 66C78558FFFFFFEC00 mov word ptr [ebp+FFFFFF58],
00EC
* Possible StringData Ref from Data Obj ->"提示:注册失败。"
|
:00401DAF BA3F2A6C00
mov edx, 006C2A3F
:00401DB4 8D4594
lea eax, dword ptr [ebp-6C]
:00401DB7
E8F0D82B00 call 006BF6AC
我们进入00401D5A这个CALL看看怎么运算注册码的:
:0040E61C 55
push ebp
:0040E61D
8BEC mov
ebp, esp
:0040E61F 83C4B4
add esp, FFFFFFB4
:0040E622 53
push ebx
:0040E623 56
push esi
:0040E624
57
push edi
:0040E625 B818726C00
mov eax, 006C7218
:0040E62A E891582A00
call 006B3EC0
:0040E62F 66C745CC0800
mov [ebp-34], 0008
:0040E635 8D45FC
lea eax, dword ptr [ebp-04]
:0040E638
E85B3AFFFF call 00402098
:0040E63D FF45D8
inc [ebp-28]
:0040E640 66C745CC1400
mov [ebp-34], 0014
:0040E646 66C745CC2000
mov [ebp-34], 0020
:0040E64C 8D45F8
lea eax, dword ptr [ebp-08]
:0040E64F E8443AFFFF
call 00402098
:0040E654 FF45D8
inc [ebp-28]
:0040E657
66C745CC1400 mov [ebp-34], 0014
:0040E65D B201
mov dl, 01
:0040E65F A184116300
mov eax, dword ptr [00631184]
:0040E664 E8C72C2200
call 00631330
:0040E669 8945B4
mov dword ptr [ebp-4C], eax
:0040E66C
BA02000080 mov edx, 80000002
:0040E671 8B45B4
mov eax, dword ptr [ebp-4C]
:0040E674 E89F0F2B00
call 006BF618
:0040E679 66C745CC2C00
mov [ebp-34], 002C
* Possible StringData Ref from
Data Obj ->"Software\Microsoft\MSE\9.0" <====打开这个注册表项,查询软件有没有注册过(注意上面 mov edx,80000002 即 HKEY_LOCAL_MACHINE,注册信息存放在 HKLM 之下,写入需要管理员权限)
|
:0040E67F BAD0566C00
mov edx, 006C56D0
:0040E684 8D45F4
lea eax, dword ptr [ebp-0C]
:0040E687
E820102B00 call 006BF6AC
:0040E68C FF45D8
inc [ebp-28]
:0040E68F 8B10
mov edx, dword ptr [eax]
:0040E691 B101
mov cl, 01
:0040E693
8B45B4 mov eax,
dword ptr [ebp-4C]
:0040E696 E8892E2200
call 00631524
:0040E69B 3C01
cmp al, 01
:0040E69D 0F94C2
sete dl
:0040E6A0 83E201
and edx, 00000001
:0040E6A3 52
push edx
:0040E6A4 FF4DD8
dec [ebp-28]
:0040E6A7 8D45F4
lea eax, dword ptr [ebp-0C]
:0040E6AA
BA02000000 mov edx, 00000002
:0040E6AF E894122B00 call 006BF948
:0040E6B4 59
pop ecx
:0040E6B5 84C9
test cl, cl
:0040E6B7 0F84CC000000
je 0040E789
:0040E6BD 66C745CC3800
mov [ebp-34], 0038
:0040E6C3 66C745CC4400
mov [ebp-34], 0044
:0040E6C9 8D45EC
lea eax, dword ptr [ebp-14]
:0040E6CC E8C739FFFF call
00402098
:0040E6D1 50
push eax
:0040E6D2 FF45D8
inc [ebp-28]
* Possible StringData
Ref from Data Obj ->"Code" <=====注册码存放的地方
|
:0040E6D5 BAEB566C00
mov edx, 006C56EB
:0040E6DA 8D45F0
lea eax, dword ptr [ebp-10]
:0040E6DD E8CA0F2B00
call 006BF6AC
:0040E6E2 FF45D8
inc [ebp-28]
:0040E6E5
8B10 mov
edx, dword ptr [eax]
:0040E6E7 8B45B4
mov eax, dword ptr [ebp-4C]
:0040E6EA 59
pop ecx
:0040E6EB
E8DC312200 call 006318CC
:0040E6F0 8D55EC
lea edx, dword ptr [ebp-14]
:0040E6F3 8D45FC
lea eax, dword ptr [ebp-04]
:0040E6F6 E87D122B00
call 006BF978
:0040E6FB FF4DD8
dec [ebp-28]
:0040E6FE
8D45EC lea eax,
dword ptr [ebp-14]
:0040E701 BA02000000
mov edx, 00000002
:0040E706 E83D122B00
call 006BF948
:0040E70B FF4DD8
dec [ebp-28]
:0040E70E 8D45F0
lea eax, dword ptr [ebp-10]
:0040E711 BA02000000 mov
edx, 00000002
:0040E716 E82D122B00
call 006BF948
:0040E71B 66C745CC1400
mov [ebp-34], 0014
:0040E721 EB17
jmp 0040E73A
:0040E723 C645BB00
mov [ebp-45], 00
:0040E727
66C745CC1400 mov [ebp-34], 0014
:0040E72D EB64
jmp 0040E793
:0040E72F 66C745CC4000
mov [ebp-34], 0040
:0040E735 E818E02A00
call 006BC752
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0040E721(U)
|
:0040E73A 66C745CC5000
mov [ebp-34], 0050
:0040E740 8D45E8
lea eax, dword ptr [ebp-18]
:0040E743 E85039FFFF call 00402098
:0040E748 FF45D8
inc [ebp-28]
:0040E74B E8B0000000
call 0040E800 <=====运算注册码
:0040E750 8D45E8
lea eax, dword ptr [ebp-18]
<====注册表中的键值
:0040E753 8D55FC
lea edx, dword ptr [ebp-04] <====运算出来的注册码
:0040E756
E8D1122B00 call 006BFA2C
<====比较
下面是比较注册码的CALL:
:006BFA2C 55
push ebp
:006BFA2D
8BEC mov
ebp, esp
:006BFA2F 53
push ebx
:006BFA30 8B00
mov eax, dword ptr [eax] <====注册表中的键值
:006BFA32 8B12
mov edx, dword ptr [edx] <====运算出来的注册码
:006BFA34 E89774FEFF
call 006A6ED0
:006BFA39 0F94C0
sete al <====设标志
:006BFA3C 83E001
and eax, 00000001
:006BFA3F 5B
pop ebx
:006BFA40 5D
pop ebp
:006BFA41 C3
ret
我们进入0040E74B运算注册码的CALL:
* Referenced by a CALL at Addresses:
|:0040E475 , :0040E74B , :0054CE8B
|
:0040E800 55
push ebp
:0040E801 8BEC
mov ebp, esp
:0040E803 81C470FFFFFF
add esp, FFFFFF70
:0040E809 53
push ebx
:0040E80A 8945CC
mov dword ptr [ebp-34], eax
:0040E80D B888736C00 mov eax,
006C7388
:0040E812 E8A9562A00
call 006B3EC0
:0040E817 66C745B80800
mov [ebp-48], 0008
:0040E81D 8D45FC
lea eax, dword ptr [ebp-04]
:0040E820 E87338FFFF
call 00402098
:0040E825 FF45C4
inc [ebp-3C]
:0040E828
66C745B81400 mov [ebp-48], 0014
:0040E82E 66C745B82000 mov [ebp-48],
0020
:0040E834 8D45F8
lea eax, dword ptr [ebp-08]
:0040E837 E85C38FFFF
call 00402098
:0040E83C FF45C4
inc [ebp-3C]
:0040E83F 66C745B81400
mov [ebp-48], 0014
:0040E845 66C745B82C00
mov [ebp-48], 002C
:0040E84B 8D45F4
lea eax, dword ptr [ebp-0C]
:0040E84E E84538FFFF call
00402098
:0040E853 FF45C4
inc [ebp-3C]
:0040E856 66C745B81400
mov [ebp-48], 0014
:0040E85C 6A00
push 00000000
:0040E85E 6A00
push 00000000
:0040E860 6A00
push 00000000
:0040E862 6A00
push 00000000
:0040E864 8D9574FFFFFF
lea edx, dword ptr [ebp+FFFFFF74]
:0040E86A 52
push edx
:0040E86B 6A00
push 00000000
:0040E86D 6A00
push 00000000
* Possible StringData Ref
from Data Obj ->"C:\"
|
:0040E86F
68F0566C00 push 006C56F0
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0000h <====获得C:卷的卷序列号(注意:这是格式化时生成的卷序列号,不是硬盘的物理序列号;重新格式化就会改变,也极易伪造,所以这种"硬件绑定"很弱)
|
:0040E874 E841232B00
Call 006C0BBA
:0040E879 66C745B83800
mov [ebp-48], 0038
:0040E87F 8D45F0
lea eax, dword ptr [ebp-10]
:0040E882 8B9574FFFFFF mov edx,
dword ptr [ebp+FFFFFF74] <===取硬盘序列号
:0040E888 E80B102B00
call 006BF898
:0040E88D 8BD0
mov edx, eax
:0040E88F
FF45C4 inc [ebp-3C]
:0040E892 8D45FC
lea eax, dword ptr [ebp-04]
:0040E895 E8DE102B00
call 006BF978
:0040E89A FF4DC4
dec [ebp-3C]
:0040E89D 8D45F0
lea eax, dword ptr [ebp-10]
:0040E8A0 BA02000000 mov edx,
00000002
:0040E8A5 E89E102B00
call 006BF948 <====释放临时串(全文中 mov edx,2 + call 006BF948 这种组合都是字符串清理,不是转换);把序列号转成十进制串的应是上面 0040E888 处的 call 006BF898(此时 edx=序列号 DWORD)
:0040E8AA 8D45FC
lea eax, dword ptr [ebp-04]
:0040E8AD E8AA112B00 call 006BFA5C
<====获得硬盘序列号的长度(HDLN)
:0040E8B2 89458C
mov dword ptr [ebp-74], eax <====保存HDLN
:0040E8B5 C7459C07000000 mov [ebp-64],
00000007 <====变量V1
:0040E8BC C7459801000000
mov [ebp-68], 00000001 <====变量V2
:0040E8C3
C7459403000000 mov [ebp-6C], 00000003
<====变量V3
:0040E8CA 33D2
xor edx, edx
:0040E8CC 895590
mov dword ptr [ebp-70], edx <====变量V4
:0040E8CF 66C745B84400 mov [ebp-48],
0044
:0040E8D5 BA2E536C00
mov edx, 006C532E
:0040E8DA 8D45EC
lea eax, dword ptr [ebp-14]
:0040E8DD E8CA0D2B00
call 006BF6AC
:0040E8E2 FF45C4
inc [ebp-3C]
:0040E8E5
8D55EC lea edx,
dword ptr [ebp-14]
:0040E8E8 8D45F8
lea eax, dword ptr [ebp-08]
:0040E8EB E888102B00
call 006BF978
:0040E8F0 FF4DC4
dec [ebp-3C]
:0040E8F3
8D45EC lea eax,
dword ptr [ebp-14]
:0040E8F6 BA02000000
mov edx, 00000002
:0040E8FB E848102B00
call 006BF948
:0040E900 33C9
xor ecx, ecx
:0040E902 894DA4
mov dword ptr [ebp-5C],
ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
<====循环计算注册码,共20位
|:0040EBFD(C)
|
:0040E905
B806000000 mov eax, 00000006
:0040E90A 99
cdq <====把EAX符号扩展到EDX,为idiv准备被除数(这里EAX=6是正数,所以EDX=0)
:0040E90B F77D8C
idiv [ebp-74] <====6
MOD HDLN
:0040E90E 42
inc edx <====(6 MOD
HDLN)+1
:0040E90F 8B4594
mov eax, dword ptr [ebp-6C] <====取变量V3
:0040E912 40
inc eax
<====V3+1
:0040E913 8BCA
mov ecx, edx <====(6 MOD HDLN)+1
:0040E915 99
cdq
:0040E916 F7F9
idiv ecx <====(V3+1) MOD ((6 MOD HDLN)+1)
:0040E918 42
inc edx <====((V3+1) MOD ((6 MOD HDLN)+1))+1
:0040E919 895594
mov dword ptr [ebp-6C], edx <====V3:=((V3+1) MOD ((6 MOD HDLN)+1))+1
这个结果是要取硬盘序列号的位数
:0040E91C 8B459C
mov eax, dword ptr [ebp-64] <====取V1
:0040E91F
014590 add dword
ptr [ebp-70], eax <====V4:=V4+V1
:0040E922 8B459C
mov eax, dword ptr [ebp-64] <====取V1
:0040E925 058B010000 add
eax, 0000018B <====V1+$18B
:0040E92A B90A000000
mov ecx, 0000000A
:0040E92F 99
cdq
:0040E930
F7F9 idiv
ecx <====(V1+$18B) MOD 0A
:0040E932 89559C
mov dword ptr [ebp-64], edx
<====V1:=(V1+$18B) MOD 0A
:0040E935 66C745B85000
mov [ebp-48], 0050
:0040E93B BA2E536C00
mov edx, 006C532E
:0040E940 8D45E8
lea eax, dword ptr [ebp-18]
:0040E943 E8640D2B00 call 006BF6AC
:0040E948 FF45C4
inc [ebp-3C]
:0040E94B 8D55E8
lea edx, dword ptr [ebp-18]
:0040E94E 8D45F4
lea eax, dword ptr [ebp-0C]
:0040E951
E822102B00 call 006BF978
:0040E956 FF4DC4
dec [ebp-3C]
:0040E959 8D45E8
lea eax, dword ptr [ebp-18]
:0040E95C BA02000000
mov edx, 00000002
:0040E961 E8E20F2B00
call 006BF948
:0040E966 33C9
xor ecx, ecx
:0040E968 894DA0
mov dword ptr [ebp-60], ecx
:0040E96B 8B45A0
mov eax, dword ptr [ebp-60]
:0040E96E 8B5594
mov edx, dword ptr [ebp-6C]
:0040E971 3BC2
cmp eax, edx
:0040E973 0F8D97000000
jnl 0040EA10
* Referenced by a (U)nconditional or (C)onditional
Jump at Address: <====取V3位的硬盘序列号
|:0040EA0A(C)
|
:0040E979
8B4590 mov eax,
dword ptr [ebp-70] <====取V4
:0040E97C 8B5598
mov edx, dword ptr [ebp-68]
<====取V2
:0040E97F 03C2
add eax, edx <====V4+V2
:0040E981
99
cdq
:0040E982 F77D8C
idiv [ebp-74] <====(V4+V2) MOD HDLN
:0040E985 42
inc edx
<====((V4+V2) MOD HDLN)+1
:0040E986 895590
mov dword ptr [ebp-70], edx <====V4:=((V4+V2)
MOD HDLN)+1
:0040E989 8B4598
mov eax, dword ptr [ebp-68] <====取V2
:0040E98C
40
inc eax <====V2+1
:0040E98D B906000000
mov ecx, 00000006
:0040E992 99
cdq
:0040E993 F7F9
idiv ecx
<====(V2+1) MOD 6
:0040E995 895598
mov dword ptr [ebp-68], edx <====V2:=(V2+1)
MOD 6
:0040E998 66C745B85C00 mov
[ebp-48], 005C
:0040E99E 8D45E4
lea eax, dword ptr [ebp-1C]
:0040E9A1 E8F236FFFF
call 00402098
:0040E9A6 50
push eax
:0040E9A7 FF45C4
inc [ebp-3C]
:0040E9AA 8D45FC
lea eax, dword ptr [ebp-04]
:0040E9AD B901000000
mov ecx, 00000001
:0040E9B2 8B5590
mov edx, dword ptr [ebp-70]
:0040E9B5 E85A142B00 call
006BFE14 <====取第V4位的硬盘序列号
:0040E9BA 8D45E4
lea eax, dword ptr [ebp-1C]
:0040E9BD
50
push eax
:0040E9BE 8D45E0
lea eax, dword ptr [ebp-20]
:0040E9C1 E8D236FFFF
call 00402098
:0040E9C6 8BC8
mov ecx, eax
:0040E9C8
FF45C4 inc [ebp-3C]
:0040E9CB 8D45F4
lea eax, dword ptr [ebp-0C]
:0040E9CE 5A
pop edx
:0040E9CF E8CC0F2B00
call 006BF9A0
:0040E9D4 8D55E0
lea edx, dword ptr [ebp-20]
:0040E9D7 8D45F4
lea eax, dword ptr [ebp-0C]
:0040E9DA E8990F2B00
call 006BF978
:0040E9DF FF4DC4
dec [ebp-3C]
:0040E9E2 8D45E0
lea eax, dword ptr [ebp-20]
:0040E9E5 BA02000000 mov edx,
00000002
:0040E9EA E8590F2B00
call 006BF948
:0040E9EF FF4DC4
dec [ebp-3C]
:0040E9F2 8D45E4
lea eax, dword ptr [ebp-1C]
:0040E9F5 BA02000000
mov edx, 00000002
:0040E9FA E8490F2B00
call 006BF948
:0040E9FF FF45A0
inc [ebp-60]
:0040EA02
8B4DA0 mov ecx,
dword ptr [ebp-60]
:0040EA05 8B4594
mov eax, dword ptr [ebp-6C]
:0040EA08 3BC8
cmp ecx, eax
:0040EA0A
0F8C69FFFFFF jl 0040E979 <====取够V3位没有?
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E973(C)
|
:0040EA10 8D45F4
lea eax, dword ptr [ebp-0C]
:0040EA13 E8C436FFFF
call 004020DC <====取上面的运算结果NEWBIT
:0040EA18 50
push eax
:0040EA19 E82A912A00
call 006B7B48 <====把上面取出的数字串转成整数(相当于StrToInt,下面注册机里用的就是strtoint),并不是转成十六进制
:0040EA1E 59
pop ecx
:0040EA1F 898570FFFFFF mov dword
ptr [ebp+FFFFFF70], eax <====保存NEWBIT
:0040EA25 C7458485000000
mov [ebp-7C], 00000085 <====变量V5
:0040EA2C C745806F000000 mov [ebp-80], 0000006F
<====变量V6
:0040EA33 C7857CFFFFFF42000000 mov dword
ptr [ebp+FFFFFF7C], 00000042 <====变量V7
:0040EA3D C78578FFFFFFA6000000
mov dword ptr [ebp+FFFFFF78], 000000A6 <====变量V8
:0040EA47
33D2 xor
edx, edx
:0040EA49 8955A0
mov dword ptr [ebp-60], edx
* Referenced by a (U)nconditional
or (C)onditional Jump at Address: <====循环6次计算注册码
|:0040EBEE(C)
|
:0040EA4C 8B4D84
mov ecx, dword ptr [ebp-7C] <====取V5
:0040EA4F 41
inc ecx
<====V5+1
:0040EA50 8B8570FFFFFF
mov eax, dword ptr [ebp+FFFFFF70] 取NEWBIT
:0040EA56 33D2
xor edx, edx
:0040EA58 F7F1
div ecx <====NEWBIT MOD (V5+1)
:0040EA5A 8BCA
mov ecx, edx
:0040EA5C
8B4580 mov eax,
dword ptr [ebp-80] <====取V6
:0040EA5F 40
inc eax <====V6+1
:0040EA60 50
push eax
:0040EA61 8B8570FFFFFF
mov eax, dword ptr [ebp+FFFFFF70] <====取NEWBIT
:0040EA67 5A
pop edx
:0040EA68 8BDA
mov ebx, edx
:0040EA6A 33D2
xor edx, edx
:0040EA6C F7F3
div ebx
<====NEWBIT MOD (V6+1)
:0040EA6E 03CA
add ecx, edx <====(NEWBIT MOD
(V5+1))+(NEWBIT MOD (V6+1))
:0040EA70 8B857CFFFFFF
mov eax, dword ptr [ebp+FFFFFF7C] <====取V7
:0040EA76 40
inc eax <====V7+1
:0040EA77 50
push eax
:0040EA78
8B8570FFFFFF mov eax, dword ptr [ebp+FFFFFF70]
<====取NEWBIT
:0040EA7E 5A
pop edx
:0040EA7F 8BDA
mov ebx, edx
:0040EA81 33D2
xor edx, edx
:0040EA83 F7F3
div ebx <====NEWBIT MOD (V7+1)
:0040EA85 03CA
add ecx, edx
<====(NEWBIT MOD (V5+1))+(NEWBIT MOD (V6+1))+(NEWBIT MOD (V7+1))
:0040EA87
8BC1 mov
eax, ecx
:0040EA89 8B9578FFFFFF
mov edx, dword ptr [ebp+FFFFFF78] <====取V8
:0040EA8F 42
inc edx
<====V8+1
:0040EA90 8BCA
mov ecx, edx
:0040EA92 33D2
xor edx, edx
:0040EA94 F7F1
div ecx
<====((NEWBIT MOD (V5+1))+(NEWBIT MOD (V6+1))+(NEWBIT MOD (V7+1))) MOD
(V8+1)
:0040EA96 895588
mov dword ptr [ebp-78], edx <====保存结果(即计算出来的注册码)
:0040EA99
83458402 add dword ptr
[ebp-7C], 00000002 <====V5:=V5+2
:0040EA9D 836D8007
sub dword ptr [ebp-80], 00000007
<====V6:=V6-7
:0040EAA1 83857CFFFFFF05
add dword ptr [ebp+FFFFFF7C], 00000005 <====V7:=V7+5
:0040EAA8 83AD78FFFFFF03 sub dword ptr [ebp+FFFFFF78],
00000003 <====V8:=V8-3
:0040EAAF 8B4588
mov eax, dword ptr [ebp-78]
:0040EAB2
83F830 cmp eax,
00000030
:0040EAB5 7C08
jl 0040EABF
:0040EAB7 8B4588
mov eax, dword ptr [ebp-78]
:0040EABA 83F839
cmp eax, 00000039
:0040EABD 7E20
jle 0040EADF <====注册码是不是数字?
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040EAB5(C)
|
:0040EABF 8B5588
mov edx, dword ptr [ebp-78]
:0040EAC2 83FA41
cmp edx, 00000041
:0040EAC5 7C08
jl 0040EACF
:0040EAC7 8B4D88
mov ecx, dword ptr [ebp-78]
:0040EACA
83F95A cmp ecx,
0000005A
:0040EACD 7E10
jle 0040EADF <====注册码是不是大写字母?
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040EAC5(C)
|
:0040EACF 8B4588
mov eax, dword ptr [ebp-78]
:0040EAD2 83F861
cmp eax, 00000061
:0040EAD5 7C63
jl 0040EB3A
:0040EAD7 8B5588
mov edx, dword ptr [ebp-78]
:0040EADA 83FA7A
cmp edx, 0000007A
:0040EADD 7F5B
jg 0040EB3A
<====注册码是不是小写
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:0040EABD(C), :0040EACD(C)
|
:0040EADF 66C745B86800
mov [ebp-48], 0068
:0040EAE5 8D45D8
lea eax, dword ptr [ebp-28]
:0040EAE8 E8AB35FFFF call
00402098
:0040EAED 50
push eax
:0040EAEE FF45C4
inc [ebp-3C]
:0040EAF1 8A5588
mov dl, byte ptr [ebp-78]
:0040EAF4 8D45DC
lea eax, dword ptr [ebp-24]
:0040EAF7 E8800C2B00
call 006BF77C
:0040EAFC 8BD0
mov edx, eax
:0040EAFE FF45C4
inc [ebp-3C]
:0040EB01
8D45F8 lea eax,
dword ptr [ebp-08]
:0040EB04 59
pop ecx
:0040EB05 E8960E2B00
call 006BF9A0
:0040EB0A 8D55D8
lea edx, dword ptr [ebp-28]
:0040EB0D 8D45F8
lea eax, dword ptr [ebp-08]
:0040EB10 E8630E2B00
call 006BF978
:0040EB15 FF4DC4
dec [ebp-3C]
:0040EB18 8D45D8
lea eax, dword ptr [ebp-28]
:0040EB1B BA02000000 mov edx,
00000002
:0040EB20 E8230E2B00
call 006BF948
:0040EB25 FF4DC4
dec [ebp-3C]
:0040EB28 8D45DC
lea eax, dword ptr [ebp-24]
:0040EB2B BA02000000
mov edx, 00000002
:0040EB30 E8130E2B00
call 006BF948
:0040EB35 E9BA000000
jmp 0040EBF4
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses: <====运算结果不是数字也不是字母时跳到这里;只有第6次(计数器[ebp-60]=5)才强制把结果映射成可见字符,否则递增计数器继续下一次循环
|:0040EAD5(C), :0040EADD(C)
|
:0040EB3A 8B4DA0
mov ecx, dword ptr [ebp-60]
:0040EB3D
83F905 cmp ecx,
00000005
:0040EB40 0F859F000000
jne 0040EBE5
:0040EB46 8B4588
mov eax, dword ptr [ebp-78]
:0040EB49 83F83D
cmp eax, 0000003D <====比较结果是不是大于等于3D
:0040EB4C 7D13
jge 0040EB61 <====是则跳
:0040EB4E 8B4588
mov eax, dword ptr [ebp-78]
<====取运算结果REGCODEBIT
:0040EB51 B90A000000
mov ecx, 0000000A
:0040EB56 99
cdq
:0040EB57 F7F9
idiv ecx
<====REGCODEBIT MOD 0A
:0040EB59 83C230
add edx, 00000030 <====(REGCODEBIT
MOD 0A)+30
:0040EB5C 895588
mov dword ptr [ebp-78], edx <====保存注册码
:0040EB5F
EB2C jmp
0040EB8D
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0040EB4C(C)
|
:0040EB61 8B4588
mov eax, dword ptr [ebp-78]
:0040EB64
83F85D cmp eax,
0000005D <====比较结果是不是小于等于5D
:0040EB67 7E13
jle 0040EB7C <====是则跳
:0040EB69 8B4588
mov eax, dword ptr [ebp-78] <====取运算结果REGCODEBIT
:0040EB6C
B91A000000 mov ecx, 0000001A
:0040EB71 99
cdq
:0040EB72 F7F9
idiv ecx <====REGCODEBIT MOD 1A
:0040EB74
83C261 add edx,
00000061 <====(REGCODEBIT MOD 1A)+61
:0040EB77 895588
mov dword ptr [ebp-78],
edx <====保存注册码
:0040EB7A EB11
jmp 0040EB8D
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040EB67(C)
|
:0040EB7C 8B4588
mov eax, dword ptr [ebp-78] <====取运算结果REGCODEBIT
:0040EB7F
B91A000000 mov ecx, 0000001A
:0040EB84 99
cdq
:0040EB85 F7F9
idiv ecx <====REGCODEBIT MOD 1A
:0040EB87
83C241 add edx,
00000041 <====(REGCODEBIT MOD 1A)+41
:0040EB8A 895588
mov dword ptr [ebp-78],
edx <====保存注册码
* Referenced by a (U)nconditional or
(C)onditional Jump at Addresses:
|:0040EB5F(U), :0040EB7A(U)
|
:0040EB8D 66C745B87400 mov [ebp-48],
0074
:0040EB93 8D45D0
lea eax, dword ptr [ebp-30]
:0040EB96 E8FD34FFFF
call 00402098
:0040EB9B 50
push eax
:0040EB9C
FF45C4 inc [ebp-3C]
:0040EB9F 8A5588
mov dl, byte ptr [ebp-78]
:0040EBA2 8D45D4
lea eax, dword ptr [ebp-2C]
:0040EBA5 E8D20B2B00
call 006BF77C
:0040EBAA 8BD0
mov edx, eax
:0040EBAC FF45C4
inc [ebp-3C]
:0040EBAF 8D45F8
lea eax, dword ptr [ebp-08]
:0040EBB2 59
pop ecx
:0040EBB3
E8E80D2B00 call 006BF9A0
:0040EBB8 8D55D0
lea edx, dword ptr [ebp-30]
:0040EBBB 8D45F8
lea eax, dword ptr [ebp-08]
:0040EBBE E8B50D2B00
call 006BF978
:0040EBC3 FF4DC4
dec [ebp-3C]
:0040EBC6
8D45D0 lea eax,
dword ptr [ebp-30]
:0040EBC9 BA02000000
mov edx, 00000002
:0040EBCE E8750D2B00
call 006BF948
:0040EBD3 FF4DC4
dec [ebp-3C]
:0040EBD6 8D45D4
lea eax, dword ptr [ebp-2C]
:0040EBD9 BA02000000 mov
edx, 00000002
:0040EBDE E8650D2B00
call 006BF948
:0040EBE3 EB0F
jmp 0040EBF4
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040EB40(C)
|
:0040EBE5 FF45A0
inc [ebp-60]
:0040EBE8
8B4DA0 mov ecx,
dword ptr [ebp-60]
:0040EBEB 83F906
cmp ecx, 00000006
:0040EBEE 0F8C58FEFFFF
jl 0040EA4C
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:0040EB35(U), :0040EBE3(U)
|
:0040EBF4 FF45A4
inc [ebp-5C]
:0040EBF7 8B45A4
mov eax, dword ptr [ebp-5C]
:0040EBFA 83F814
cmp eax, 00000014 <====注册码共20位
:0040EBFD 0F8C02FDFFFF jl 0040E905
<====循环计算注册码
:0040EC03 66C745B88000
mov [ebp-48], 0080
:0040EC09 8D55F8
lea edx, dword ptr [ebp-08]
:0040EC0C 8B45CC
mov eax, dword ptr [ebp-34]
:0040EC0F E8640D2B00 call
006BF978
:0040EC14 8B45CC
mov eax, dword ptr [ebp-34]
:0040EC17 66C745B88C00
mov [ebp-48], 008C
:0040EC1D 50
push eax
:0040EC1E
FF4DC4 dec [ebp-3C]
:0040EC21 8D45F4
lea eax, dword ptr [ebp-0C]
:0040EC24 BA02000000
mov edx, 00000002
:0040EC29 E81A0D2B00
call 006BF948
:0040EC2E FF4DC4
dec [ebp-3C]
:0040EC31 8D45F8
lea eax, dword ptr [ebp-08]
:0040EC34 BA02000000 mov
edx, 00000002
:0040EC39 E80A0D2B00
call 006BF948
:0040EC3E FF4DC4
dec [ebp-3C]
:0040EC41 8D45FC
lea eax, dword ptr [ebp-04]
:0040EC44
BA02000000 mov edx, 00000002
:0040EC49 E8FA0C2B00 call 006BF948
:0040EC4E 58
pop eax
:0040EC4F 66C745B88000
mov [ebp-48], 0080
:0040EC55 FF45C4
inc [ebp-3C]
:0040EC58 8B55A8
mov edx, dword ptr [ebp-58]
:0040EC5B
64891500000000 mov dword ptr fs:[00000000],
edx
:0040EC62 5B
pop ebx
:0040EC63 8BE5
mov esp, ebp
:0040EC65 5D
pop ebp
:0040EC66
C3
ret
至此,整个运算过程结束了,下面用DELPHI写出注册机:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes,
Graphics, Controls, Forms,
Dialogs, XP_Form, XP_Button, jpeg, ExtCtrls,
XP_GroupBox, StdCtrls,registry;
type
  // Keygen main form. The component fields below are wired up by the form
  // streaming system from the .dfm (see the $R *.dfm directive further down),
  // so their names must match the form designer and must not be renamed.
  TForm1 = class(TForm)
    frmain: TXP_Form;
    // "Register" button. NOTE(review): regClick declares a local
    // `reg: TRegistry` that shadows this field inside that method.
    reg: TXP_Button;
    about: TXP_Button;
    exitprogram: TXP_Button;
    XP_GroupBox1: TXP_GroupBox;
    Image1: TImage;
    // Shows Form2 (declared in Unit2).
    procedure aboutClick(Sender: TObject);
    // Closes this form.
    procedure exitprogramClick(Sender: TObject);
    // Re-implements the target's key derivation (0040E800 in the listing
    // above): builds a 20-character code from the C: volume serial number.
    procedure regClick(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

// Volume serial number of C:\ (see the implementation below). Declared as
// Integer because that is what the existing caller expects.
function GetHardDiskSerieNumber(): integer;

var
  Form1: TForm1;
implementation
uses Unit2;
{$R *.dfm}
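// Returns the serial number of the C: volume, which is the value the target
// feeds into its key derivation (GetVolumeInformationA at 0040E874 in the
// listing above).
//
// Caveats for anyone reusing this as a "hardware id":
//   * This is the *volume* serial assigned at format time, not the physical
//     disk serial. It changes on reformat and is trivial to spoof, so it is a
//     weak binding.
//   * The return type stays Integer to match the existing declaration and
//     caller; the DWORD is simply reinterpreted (it may read as negative).
//
// Raises EOSError (via RaiseLastOSError) if GetVolumeInformation fails.
// The original returned an uninitialised value in that case and also leaked
// the two GetMem buffers on every call; stack buffers fix both.
function GetHardDiskSerieNumber: integer;
var
  volumeName: array[0..MAX_PATH] of Char;     // MAX_PATH + 1 chars, as before
  fileSystemName: array[0..MAX_PATH] of Char;
  serial: DWORD;
  maxComponentLen: DWORD;
  fsFlags: DWORD;
begin
  serial := 0;
  if not Windows.GetVolumeInformation(PChar('c:\'),
                                      volumeName, MAX_PATH + 1,
                                      @serial,
                                      maxComponentLen,
                                      fsFlags,
                                      fileSystemName, MAX_PATH + 1) then
    RaiseLastOSError;   // do not hand the caller garbage as a "serial"
  Result := Integer(serial);
end;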
// Handler for the "about" button: brings up the secondary form from Unit2.
procedure TForm1.aboutClick(Sender: TObject);
begin
  Form2.Show;
end;
// Handler for the "exit" button: closes the main form (Form1 is this
// instance), which ends the application since it is the main form.
procedure TForm1.exitprogramClick(Sender: TObject);
begin
  Form1.Close;
end;
procedure TForm1.regClick(Sender:
TObject);
label
isregcode,quitloop;
var
v1,v2,v3,v4,v5,v6,v7,v8:integer;
hdid:longword;
hdln:integer;
idstr:string;
i,j,k:integer;
regcode:array[1..20]
of char ;
cmod:integer;
cdiv:integer;
lidbit,idbit:integer;
idbitstr:string;
newidbit:integer;
regcodebit:integer;
reg:TRegistry;
begin
hdid:=GetHardDiskSerieNumber;
hdln:=length(inttostr(hdid) );
idstr:=inttostr(hdid);
;
v1:=7;
v2:=1;
v3:=3;
v4:=0;
for i:=1 to 20 do
begin
v3:=((v3+1)
mod ((6 mod hdln)+1))+1;
v4:=v4+v1;
v1:=(v1+$18b)
mod $0A;
idbitstr:='';
for j:=1 to v3 do
begin
v4:=((v4+v2) mod hdln)+1;
v2:=(v2+1) mod 6;
idbitstr:=idbitstr+idstr[v4];
end;
newidbit:=strtoint(idbitstr);
v5:=$85;
v6:=$6f;
v7:=$42;
v8:=$a6;
for k:=1 to 6 do
begin
regcodebit:=((newidbit mod (v5+1))+(newidbit mod
(v6+1))+(newidbit mod (v7+1))) mod (v8+1);
v5:=v5+2;
v6:=v6-7;
v7:=v7+5;
v8:=v8-3;
if (regcodebit>=48) and (regcodebit<=57)
then goto isregcode;
if (regcodebit>=65) and (regcodebit<=90)
then goto isregcode;
if (regcodebit>=97) and (regcodebit<=122)
then goto isregcode;
end;
if regcodebit<61
then
begin
regcode[i]:=chr((regcodebit
mod 10)+48);
goto quitloop;
end;
if regcodebit>93 then
begin
regcode[i]:=chr((regcodebit mod 26)+97);
goto quitloop;
end;
if (regcodebit<=93)
then
begin
regcode[i]:=chr((regcodebit
mod 26)+65);
goto quitloop;
end;
isregcode:
regcode[i]:=chr(regcodebit);
quitloop:
end;
Reg := TRegistry.Create;
try
Reg.RootKey := HKEY_LOCAL_MACHINE;
if Reg.