Active Messenger v3.03

标题：Active Messenger（恒创企业信使）v3.03跟踪　　
作者：fxyang
时间：2003/04/05 09:52am
链接：http://bbs.pediy.com

Active Messenger（恒创企业信使）
Active Messenger（恒创企业信使）是一款专为企业定制的即时消息系统, 其目标是解决企业的沟通及协同的问题, 提高工作。企业员工可以利用Active Messenger随时随地的进行即时交流、传送文件。

【破解工具】：Ollydbg1.09 中文版

—————————————————————————————
【过程】：

呵呵，我们开工吧！唉！^-^^-^ 我的水平很低，许多地方表达的有问题，烦请各位指教！
用ollydbg加载运行 ,填注册试验码:A1BCK-D23LE-4AMNB-5O1CP 后按注册键后不久就能
来到这里：

0041DDD0 PUSH -1
0041DDD2 PUSH AMSAdmin.0046DCC0
0041DDD7 MOV EAX, DWORD PTR FS:[0]
0041DDDD PUSH EAX
0041DDDE MOV DWORD PTR FS:[0], ESP
0041DDE5 SUB ESP, 28
0041DDE8 PUSH EBX
0041DDE9 PUSH EBP
0041DDEA PUSH ESI
0041DDEB PUSH EDI
0041DDEC MOV ESI, ECX
0041DDEE XOR EDI, EDI
0041DDF0 MOV DWORD PTR SS:[ESP+40], EDI
0041DDF4 MOV EAX, DWORD PTR SS:[ESP+48]
0041DDF8 PUSH AMSAdmin.0048CC7C

; 0048CC7C,(ASCII "B6IOH-0S5BS-D606J-PC4Q4")

0041DDFD PUSH EAX

; EAX<== 01284028,(ASCII "A1BCK-D23LE-4AMNB-5O1CP")

0041DDFE CALL AMSAdmin.00437985 // 比较上面的值，如果是就是注册数五个
0041DE03 ADD ESP, 8
0041DE06 TEST EAX, EAX
0041DE08 JNZ SHORT AMSAdmin.0041DE17
0041DE0A MOV DWORD PTR SS:[ESP+18], 5
0041DE12 JMP AMSAdmin.0041DFC1
0041DE17 MOV ECX, DWORD PTR SS:[ESP+48]
0041DE1B PUSH AMSAdmin.0048CC64

; 0048CC64 ASCII "B2DLI-0M3ES-C6L2F-RF3O8"

0041DE20 PUSH ECX

; ECX= 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"

0041DE21 CALL AMSAdmin.00437985 // 比较上面的值，如果是就是注册数十个
0041DE26 ADD ESP, 8
0041DE29 TEST EAX, EAX
0041DE2B JNZ SHORT AMSAdmin.0041DE3A
0041DE2D MOV DWORD PTR SS:[ESP+18], 0A
0041DE35 JMP AMSAdmin.0041DFC1
0041DE3A MOV EDX, DWORD PTR DS:[48E3B8]
0041DE40 MOV DWORD PTR SS:[ESP+20], EDX
0041DE44 PUSH ECX
0041DE45 LEA EAX, DWORD PTR SS:[ESP+50]
0041DE49 MOV ECX, ESP
0041DE4B MOV DWORD PTR SS:[ESP+2C], ESP
0041DE4F PUSH EAX
0041DE50 MOV BYTE PTR SS:[ESP+48], 3
0041DE55 CALL AMSAdmin.0044AE98
0041DE5A LEA ECX, DWORD PTR SS:[ESP+14]
0041DE5E PUSH ECX
0041DE5F MOV ECX, ESI
0041DE61 CALL AMSAdmin.0041D9B0
0041DE66 EBX, 4
0041DE6B PUSH 1
0041DE6D PUSH 0E
0041DE6F LEA ECX, DWORD PTR SS:[ESP+18]
0041DE73 MOV BYTE PTR SS:[ESP+48], BL
0041DE77 CALL AMSAdmin.00447696
0041DE7C PUSH 1
0041DE7E PUSH 9
0041DE80 LEA ECX, DWORD PTR SS:[ESP+18]
0041DE84 CALL AMSAdmin.00447696
0041DE89 PUSH 1
0041DE8B PUSH EBX // 这里开始根据软件号计算注册码
0041DE8C LEA ECX, DWORD PTR SS:[ESP+18]

; ECX<==01284078,(ASCII "7573-7175-7171-7112")<--软件号

0041DE90 CALL AMSAdmin.00447696 ; 把序列号的"-"除掉
0041DE95 EDX, DWORD PTR SS:[ESP+48]

; EDX= 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"<--试验码

0041DE99 DWORD PTR DS:[EDX-8], 17 ; 比较注册码的长度23位
0041DE9D JL AMSAdmin.0041E1AB
0041DEA3 PUSH 1
0041DEA5 PUSH 11
0041DEA7 LEA ECX, DWORD PTR SS:[ESP+50]
0041DEAB CALL AMSAdmin.00447696
0041DEB0 PUSH 1
0041DEB2 PUSH 0B
0041DEB4 LEA ECX, DWORD PTR SS:[ESP+50]
0041DEB8 CALL AMSAdmin.00447696
0041DEBD PUSH 1
0041DEBF PUSH 5
0041DEC1 LEA ECX, DWORD PTR SS:[ESP+50]

; ECX= 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"

0041DEC5 CALL AMSAdmin.00447696 ; 把试验码的"-"除掉
0041DECA LEA EAX, DWORD PTR SS:[ESP+18]
0041DECE LEA ECX, DWORD PTR SS:[ESP+30]
0041DED2 PUSH EAX
0041DED3 PUSH ECX
0041DED4 PUSH ECX
0041DED5 LEA EDX, DWORD PTR SS:[ESP+54]
0041DED9 MOV ECX, ESP
0041DEDB MOV DWORD PTR SS:[ESP+34], ESP
0041DEDF PUSH EDX
0041DEE0 CALL AMSAdmin.0044AE98
0041DEE5 MOV ECX, ESI
0041DEE7 CALL AMSAdmin.0041E490

// 关键的地方1--判断注册码的取值范围,计算关键值

0041DEEC MOV EAX, DWORD PTR SS:[ESP+30] ; EAX=8817B2CD

<==第一个关键值

0041DEF0 MOV ECX, DWORD PTR SS:[ESP+34] ; ECX=6458

<==第二个关键值

0041DEF4 OR EAX, ECX // 试验码计算的值
0041DEF6 JE AMSAdmin.0041E1AB // 以上是第一部分
0041DEFC CMP DWORD PTR SS:[ESP+18], EDI
0041DF00 JE AMSAdmin.0041E1AB
0041DF06 PUSH ECX
0041DF07 LEA EDX, DWORD PTR SS:[ESP+50]
0041DF0B MOV ECX, ESP
0041DF0D MOV DWORD PTR SS:[ESP+2C], ESP
0041DF11 PUSH EDX
0041DF12 CALL AMSAdmin.0044AE98
0041DF17 LEA EAX, DWORD PTR SS:[ESP+14]
0041DF1B MOV ECX, ESI
0041DF1D PUSH EAX
0041DF1E CALL AMSAdmin.0041E210 ; 关键的计算的地方--软件号变换的地方
0041DF23 MOV ECX, DWORD PTR SS:[ESP+10] ; ECX<==01284348
0041DF27 MOV EAX, DWORD PTR DS:[ECX-8]

// ASCII "77b272b67fb274b677b270b6e672bd7016"

0041DF2A CMP EAX, 0F
0041DF2D JLE SHORT AMSAdmin.0041DF5B
0041DF2F LEA EDX, DWORD PTR SS:[ESP+28]
0041DF33 PUSH 0F
0041DF35 PUSH EDX
0041DF36 LEA ECX, DWORD PTR SS:[ESP+18]
0041DF3A CALL AMSAdmin.00447A43
0041DF3F PUSH EAX
0041DF40 LEA ECX, DWORD PTR SS:[ESP+14]
0041DF44 MOV BYTE PTR SS:[ESP+44], 5
0041DF49 CALL AMSAdmin.0044B25C
0041DF4E LEA ECX, DWORD PTR SS:[ESP+28]
0041DF52 MOV BYTE PTR SS:[ESP+40], BL
0041DF56 CALL AMSAdmin.0044B123
0041DF5B LEA ECX, DWORD PTR SS:[ESP+10]
0041DF5F CALL AMSAdmin.0044B645
0041DF64 MOV EAX, DWORD PTR SS:[ESP+10]

; 0012F934 01284438 ASCII "270B6E672BD7016"
// 软件号变换的值

0041DF68 CMP BYTE PTR DS:[EAX], 50
0041DF6B JLE SHORT AMSAdmin.0041DF79
0041DF6D PUSH 46
0041DF6F PUSH EDI
0041DF70 LEA ECX, DWORD PTR SS:[ESP+18]
0041DF74 CALL AMSAdmin.0044B669
0041DF79 PUSH ECX
0041DF7A LEA EDX, DWORD PTR SS:[ESP+14]
0041DF7E MOV ECX, ESP
0041DF80 MOV DWORD PTR SS:[ESP+2C], ESP
0041DF84 PUSH EDX
0041DF85 CALL AMSAdmin.0044AE98
0041DF8A MOV ECX, ESI
0041DF8C CALL AMSAdmin.0041E3D0 ; 关键计算的地方2--软件号计算的地方
0041DF91 CMP EAX, DWORD PTR SS:[ESP+30]

; EAX=D166F738 SS:[ESP+34]=8817B2CD

0041DF95 JNZ AMSAdmin.0041E1AB

; 关键的跳转<==不同就ＯＶＥＲ

0041DF9B CMP EDX, DWORD PTR SS:[ESP+34]

; EDX=0013E9E9 SS:[0012F958]=00006458

0041DF9F JNZ AMSAdmin.0041E1AB

; 关键的跳转<==不同就ＯＶＥＲ

0041DFA5 LEA ECX, DWORD PTR SS:[ESP+10]
0041DFA9 MOV BYTE PTR SS:[ESP+40], 3
0041DFAE CALL AMSAdmin.0044B123
0041DFB3 LEA ECX, DWORD PTR SS:[ESP+20]
0041DFB7 MOV BYTE PTR SS:[ESP+40], 2
0041DFBC CALL AMSAdmin.0044B123
0041DFC1 MOV DWORD PTR SS:[ESP+20], EDI
0041DFC5 PUSH ECX
0041DFC6 LEA EAX, DWORD PTR SS:[ESP+50]
0041DFCA MOV ECX, ESP
0041DFCC MOV DWORD PTR SS:[ESP+2C], ESP
0041DFD0 PUSH EAX
0041DFD1 MOV BYTE PTR SS:[ESP+48], 6
0041DFD6 CALL AMSAdmin.0044AE98
0041DFDB LEA ECX, DWORD PTR SS:[ESP+54]
0041DFDF PUSH ECX
0041DFE0 MOV ECX, ESI
0041DFE2 CALL AMSAdmin.0041E210
0041DFE7 LEA EDX, DWORD PTR SS:[ESP+50]
0041DFEB LEA EAX, DWORD PTR SS:[ESP+24]
0041DFEF PUSH EDX
0041DFF0 PUSH AMSAdmin.0048CC50 ; ASCII "SOFTWARE\Microsoft\"
0041DFF5 PUSH EAX // 注册成功后在注册表的操作
0041DFF6 CALL AMSAdmin.0044B42C
0041DFFB MOV EAX, DWORD PTR SS:[ESP+24]
0041DFFF LEA ECX, DWORD PTR SS:[ESP+2C]
0041E003 LEA EDX, DWORD PTR SS:[ESP+28]
0041E007 PUSH ECX ; /pDisposition
0041E008 PUSH EDX ; |pHandle
0041E009 PUSH EDI ; |pSecurity
0041E00A PUSH 0F003F ; |Access = KEY_ALL_ACCESS
0041E00F PUSH EDI ; |Options
0041E010 PUSH EDI ; |Class
0041E011 PUSH EDI ; |Reserved
0041E012 PUSH EAX ; |Subkey
0041E013 PUSH 80000002 ; \hKey = HKEY_LOCAL_MACHINE
0041E018 MOV BYTE PTR SS:[ESP+64], 7
0041E01D MOV DWORD PTR SS:[ESP+4C], EDI
0041E021 CALL DWORD PTR DS:[<&ADVAPI32.RegCrea>; \RegCreateKeyExA
0041E027 CMP EAX, EDI
0041E029 JNZ AMSAdmin.0041E134
0041E02F MOV EDI, DWORD PTR SS:[ESP+28]
0041E033 PUSH ECX
0041E034 LEA EDX, DWORD PTR SS:[ESP+50]
0041E038 MOV ECX, ESP
0041E03A MOV DWORD PTR SS:[ESP+14], ESP
0041E03E PUSH EDX
0041E03F MOV DWORD PTR SS:[ESP+28], EDI
==============================================
第一关键分支： CALL AMSAdmin.0041E490 // 关键的地方1--判断注册码的取值范围,计算关键值
|

0041E490 PUSH -1
0041E492 PUSH AMSAdmin.0046DD60
0041E497 MOV EAX, DWORD PTR FS:[0]
0041E49D PUSH EAX
0041E49E MOV DWORD PTR FS:[0], ESP
0041E4A5 SUB ESP, 0C
0041E4A8 PUSH ESI
0041E4A9 PUSH EDI
0041E4AA MOV EDI, ECX
0041E4AC MOV EAX, DWORD PTR DS:[48E3B8]
0041E4B1 MOV DWORD PTR SS:[ESP+1C], 0
0041E4B9 MOV DWORD PTR SS:[ESP+8], EAX
0041E4BD MOV BYTE PTR SS:[ESP+1C], 1
0041E4C2 MOV ESI, 0C
0041E4C7 /MOV ECX, DWORD PTR SS:[ESP+24]
]
; ECX<==01284488,(ASCII "A1BCKD23LE4AMNB5O1CP"

0041E4CB |PUSH 1
0041E4CD |PUSH ESI
0041E4CE |MOV DL, BYTE PTR DS:[ESI+ECX]

; DL<==DS:[ESI+ECX]=33 ('3') ESI=C ECX=01284488

// 以上循环把试验码的第4,7,10,13位取出"C2EM"

0041E4F6 AMSAdmin.00492B18
0041E4FB AMSAdmin.0048CC94
0041E500 ECX, DWORD PTR SS:[ESP+10]
0041E504 CALL AMSAdmin.00447827
0041E509 PUSH ECX
0041E50A LEA EDX, DWORD PTR SS:[ESP+C]
0041E50E MOV ECX, ESP
0041E510 MOV DWORD PTR SS:[ESP+10], ESP
0041E514 PUSH EDX
0041E515 CALL AMSAdmin.0044AE98
0041E51A MOV ECX, EDI
0041E51C CALL AMSAdmin.0041E2D0
0041E521 MOV ECX, DWORD PTR SS:[ESP+2C]
0041E525 MOV DWORD PTR SS:[ESP+10], EDX
0041E529 PUSH ECX
0041E52A LEA EDX, DWORD PTR SS:[ESP+28]
0041E52E MOV DWORD PTR DS:[ECX], EAX
0041E530 MOV ECX, ESP
0041E532 MOV DWORD PTR SS:[ESP+30], ESP
0041E536 PUSH EDX
0041E537 CALL AMSAdmin.0044AE98
0041E53C MOV ECX, EDI
0041E53E CALL AMSAdmin.0041E2D0

//　关键的地方--判断注册码的取值范围,计算关键值

0041E543 MOV ECX, DWORD PTR SS:[ESP+28]
0041E547 MOV BYTE PTR SS:[ESP+1C], 0
0041E54C MOV DWORD PTR DS:[ECX], EAX　

; EAX=8817B2CD　<==关键值１　
　　　　
0041E54E MOV DWORD PTR DS:[ECX+4], EDX

; EDX=6458　　　<==关键值２

0041E551 LEA ECX, DWORD PTR SS:[ESP+8]
0041E555 CALL AMSAdmin.0044B123
0041E55A LEA ECX, DWORD PTR SS:[ESP+24]
0041E55E MOV DWORD PTR SS:[ESP+1C], -1
0041E566 CALL AMSAdmin.0044B123
0041E56B MOV ECX, DWORD PTR SS:[ESP+14]
0041E56F POP EDI
0041E570 MOV DWORD PTR FS:[0], ECX
0041E577 POP ESI
0041E578 ADD ESP, 18
0041E57B RETN 0C
----------------------------------------------
第二关键分支:CALL AMSAdmin.0041E2D0 // 判断注册码的取值范围,计算关键值
|
0041E2D0 PUSH -1
0041E2D2 PUSH AMSAdmin.0046DD20
0041E2D7 MOV EAX, DWORD PTR FS:[0]
0041E2DD PUSH EAX
0041E2DE MOV DWORD PTR FS:[0], ESP
0041E2E5 SUB ESP, 8
0041E2E8 PUSH ESI
0041E2E9 PUSH EDI
0041E2EA MOV EAX, DWORD PTR DS:[48E3B8]
0041E2EF MOV DWORD PTR SS:[ESP+18], 0
0041E2F7 MOV DWORD PTR SS:[ESP+C], EAX
0041E2FB MOV ECX, DWORD PTR SS:[ESP+20]

; ECX=012840C8,(ASCII "C2EM")

0041E2FF XOR ESI, ESI

// =01284438 ASCII "A1BKD3L4ANB5O1CP"

; ECX=012840C8,(ASCII "C2EM")

0041E37F |INC ESI
0041E380 |CMP ESI, DWORD PTR DS:[ECX-8]
0041E383 \JL SHORT AMSAdmin.0041E30E
------------------------------------------

循环算法总结：
1.第一次用取出的四位计算--第一位－11 ;第二位直接用　；第三位-11 ;第四位-1B
得到新的四位字符串ASCII "2242"
2.用剩下的16位计算--第一位－11 ;第二位直接用　；第三位-11 ;第四位-1B,然后如此循环
得到新的16位字符串ASCII "0110331403154125"

-----------------------
|
0041E385 POP EBP
0041E386 MOV EDX, DWORD PTR SS:[ESP+C] ; EDX<==SS:[ESP+C]=012844D8 ,
0041E38A PUSH EDX ; //试验码的第4,7,10,13位
0041E38B CALL AMSAdmin.004371BC <==关键的地方--判断注册码的取值范围
0041E390 ADD ESP, 4 ; //关键值１的计算
0041E393 LEA ECX, DWORD PTR SS:[ESP+C]
0041E397 MOV ESI, EAX ; EAX=8817B2CD<==第一关键值
0041E399 MOV EDI, EDX ; EDX=00006458<==第二关键值
0041E39B MOV BYTE PTR SS:[ESP+18], 0
0041E3A0 CALL AMSAdmin.0044B123
0041E3A5 LEA ECX, DWORD PTR SS:[ESP+20]
0041E3A9 MOV DWORD PTR SS:[ESP+18], -1
0041E3B1 CALL AMSAdmin.0044B123
0041E3B6 MOV ECX, DWORD PTR SS:[ESP+10]
0041E3BA MOV EDX, EDI
0041E3BC MOV EAX, ESI
0041E3BE POP EDI
0041E3BF POP ESI
0041E3C0 MOV DWORD PTR FS:[0], ECX
0041E3C7 ADD ESP, 14
0041E3CA RETN 4

--------------------------------------------
第三关键分支： CALL AMSAdmin.004371BC 　　判断注册码的取值范围
|
004371BC PUSH ECX
004371BD PUSH EBX
004371BE PUSH EBP
004371BF PUSH ESI
004371C0 PUSH EDI
004371C1 MOV EDI, DWORD PTR SS:[ESP+18]

; EDI<==012844D8 ,(32 32 34 32)

; AL<==DS:[ECX+EAX*2]=84 ECX=0048FAB2

004371E9 |AND EAX, 8
004371EC |TEST EAX, EAX
004371EE |JE SHORT AMSAdmin.004371F3
004371F0 |INC EDI
004371F1 \JMP SHORT AMSAdmin.004371C5
004371F3 MOVZX ESI, BYTE PTR DS:[EDI]

; ESI<==DS:[EDI]=32 EDI=012844D8

004371F6 INC EDI
004371F7 CMP ESI, 2D
004371FA MOV DWORD PTR SS:[ESP+10], ESI
004371FE JE SHORT AMSAdmin.00437205
00437200 CMP ESI, 2B
00437203 JNZ SHORT AMSAdmin.00437209
00437205 MOVZX ESI, BYTE PTR DS:[EDI]
00437208 INC EDI
00437209 XOR EBX, EBX
0043720B XOR EBP, EBP
0043720D /CMP DWORD PTR DS:[48FCB4], 1
00437214 |JLE SHORT AMSAdmin.00437222 ; //第2个比较
00437216 |PUSH 4
00437218 |PUSH ESI
00437219 |CALL AMSAdmin.0043B7A1
0043721E |POP ECX
0043721F |POP ECX
00437220 |JMP SHORT AMSAdmin.0043722D
00437222 |MOV EAX, DWORD PTR DS:[48FAA8]
00437227 |MOV AL, BYTE PTR DS:[EAX+ESI*2] ; AL<==DS:[EAX+ESI*2]=84
0043722A |AND EAX, 4
0043722D |TEST EAX, EAX
0043722F |JE SHORT AMSAdmin.0043725A
00437231 |LEA EAX, DWORD PTR DS:[ESI-30] \
00437234 |PUSH 0 |
00437236 |CDQ |
00437237 |MOV ESI, EAX |
00437239 |PUSH 0A |
0043723B |PUSH EBP |
0043723C |MOV DWORD PTR SS:[ESP+24], ESI |
00437240 |PUSH EBX |
00437241 |MOV ESI, EDX |
00437243 |CALL AMSAdmin.00437E40 > <==关键值的计算
00437248 |MOV ECX, DWORD PTR SS:[ESP+18] |
0043724C |ADD ECX, EAX |
0043724E |ADC ESI, EDX |
00437250 |MOV EBX, ECX |
00437252 |MOV EBP, ESI |
00437254 |MOVZX ESI, BYTE PTR DS:[EDI] /
00437257 |INC EDI
00437258 \JMP SHORT AMSAdmin.0043720D
0043725A CMP DWORD PTR SS:[ESP+10], 2D
0043725F MOV EAX, EBX
00437261 JNZ SHORT AMSAdmin.0043726E
00437263 NEG EAX
00437265 MOV EDX, EBP
00437267 ADC EDX, 0
0043726A NEG EDX
0043726C JMP SHORT AMSAdmin.00437270
0043726E MOV EDX, EBP
00437270 POP EDI
00437271 POP ESI
00437272 POP EBP
00437273 POP EBX
00437274 POP ECX
00437275 RETN
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
DS:[ECX+EAX*2] ; AL<==DS:[ECX+EAX*2]=10 ECX=0048FAB2 EAX=23
内存值：
｜
0048FAB2 20 00 20 00 20 00 20 00 . . . .
0048FABA 20 00 20 00 20 00 20 00 . . . .
0048FAC2 20 00 28 00 28 00 28 00 .(.(.(.
0048FACA 28 00 28 00 20 00 20 00 (.(. . .
0048FAD2 20 00 20 00 20 00 20 00 . . . .
0048FADA 20 00 20 00 20 00 20 00 . . . .
0048FAE2 20 00 20 00 20 00 20 00 . . . .
0048FAEA 20 00 20 00 20 00 20 00 . . . .
0048FAF2 48 00 10 00 10 00 10 00 H....
0048FAFA 10 00 10 00 10 00 10 00 ....
0048FB02 10 00 10 00 10 00 10 00 ....
0048FB0A 10 00 10 00 10 00 10 00 ....
0048FB12 84 00 84 00 84 00 84 00 ????
0048FB1A 84 00 84 00 84 00 84 00 ????
0048FB22 84 00 84 00 10 00 10 00 ??..
0048FB2A 10 00 10 00 10 00 10 00 ....
0048FB32 10 00 81 00 81 00 81 00 .???
0048FB3A 81 00 81 00 81 00 01 00 ???.
0048FB42 01 00 01 00 01 00 01 00 ....
0048FB4A 01 00 01 00 01 00 01 00 ....
0048FB52 01 00 01 00 01 00 01 00 ....
0048FB5A 01 00 01 00 01 00 01 00 ....
0048FB62 01 00 01 00 01 00 10 00 ....
0048FB6A 10 00 10 00 10 00 10 00 ....
0048FB72 10 00 82 00 82 00 82 00 .???
0048FB7A 82 00 82 00 82 00 02 00 ???.
0048FB82 02 00 02 00 02 00 02 00 ....
0048FB8A 02 00 02 00 02 00 02 00 ....
0048FB92 02 00 02 00 02 00 02 00 ....
0048FB9A 02 00 02 00 02 00 02 00 ....
0048FBA2 02 00 02 00 02 00 10 00 ....
0048FBAA 10 00 10 00 10 00 20 00 ... .

以上计算的总结：注册码取值范围
1.第一个比较循环时用第二次计算的字符串的ｈｅｘ值＊２作指针在以　0048FAB2　开始的内存中
查表，得到的值　AND 8 ,比较得数如果是０就到第二个比较循环．
２．第二个比较循环用第二次计算的字符串的ｈｅｘ值＊２作指针在以　0048FAB2　开始的内存中
查表，得到的值　AND 4 ,比较得数如果是０就OVER.
即查表得到的值　AND 4 不能＝０
经过计算可以知道表中　0048FB12 开始的十个值－'84 '符合条件，第一个８４的偏移量＝60ｈ
那么第二次计算的字符串的ｈｅｘ值的范围是60／２＝30到3A
即第二次计算的字符串的范围是0～9．
3.由此推断注册码的取值范围是
　　 1).30+11=41('A')～4A('J')<--第1,3,4,6,10,12,15,19位
2).30+1B=4B('K')～54('T')<--第5,9,13,14,17,20位
3).30+00=30('0')～39('9')<--第2,7,8,11,16,18位

----------------------------------------------------
CALL AMSAdmin.00437E40 <==关键值的计算
|

00437E40 MOV EAX, DWORD PTR SS:[ESP+8] ; EAX=5AF3
00437E44 MOV ECX, DWORD PTR SS:[ESP+10]
00437E48 OR ECX, EAX ; 检查高位有没有
00437E4A MOV ECX, DWORD PTR SS:[ESP+C] ; ECX=32
00437E4E JNZ SHORT AMSAdmin.00437E59
00437E50 MOV EAX, DWORD PTR SS:[ESP+4]
00437E54 MUL ECX
00437E56 RETN 10
00437E59 PUSH EBX
00437E5A MUL ECX ; EAX=5AF3* ECX=32 =11C376
00437E5C MOV EBX, EAX ; EBX=EAX=11C376
00437E5E MOV EAX, DWORD PTR SS:[ESP+8] ; EAX=107A400
00437E62 MUL DWORD PTR SS:[ESP+14] ; =0
00437E66 ADD EBX, EAX
00437E68 MOV EAX, DWORD PTR SS:[ESP+8] ; EAX=107A400
00437E6C MUL ECX ; EAX=107A4000*ECX(=32)=37E08000
00437E6E ADD EDX, EBX ; EDX=3+EBX(=11C376)=11C379
00437E70 POP EBX ; EBX=32
00437E71 RETN 10

关键值的计算的总结：

关键值＝第二次计算的字符串的各位*A+后一位　直到全部算完
然后取低八位做第一关键值，高位做第二关键值

～第一部分完成～

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

第二部分：软件号的计算
由于软件号的计算比较复杂，用到了浮点运算其中还有指数计算．所以不具体发现了
|
00414800 PUSH -1
00414802 PUSH AMSAdmin.0046C8D0
00414807 MOV EAX, DWORD PTR FS:[0]
0041480D PUSH EAX
0041480E MOV DWORD PTR FS:[0], ESP
00414815 SUB ESP, 8
00414818 PUSH EBP
00414819 PUSH ESI
0041481A PUSH EDI
0041481B MOV EDI, DWORD PTR SS:[ESP+24]
0041481F MOV DWORD PTR SS:[ESP+1C], 0
00414827 MOV EAX, DWORD PTR DS:[EDI]

; EAX<==012841B8,(ASCII "7573717571717112")软件号

00414829 MOV ECX, DWORD PTR DS:[EAX-8] ; ECX=10
0041482C TEST ECX, ECX
0041482E JE AMSAdmin.0041495D
00414834 MOV ECX, DWORD PTR DS:[48E3B8]
0041483A MOV DWORD PTR SS:[ESP+24], ECX
0041483E MOV DWORD PTR SS:[ESP+C], ECX
00414842 MOV EBP, DWORD PTR DS:[EAX-8] ; EBP=10
00414845 MOV BYTE PTR SS:[ESP+1C], 2
0041484A MOV EAX, EBP
0041484C AND EAX, 80000003
00414851 JNS SHORT AMSAdmin.00414858
00414853 DEC EAX
00414854 OR EAX, FFFFFFFC
00414857 INC EAX
00414858 JE SHORT AMSAdmin.00414877
0041485A /PUSH 30
0041485C |MOV ECX, EDI
0041485E |CALL AMSAdmin.0044B526
00414863 |MOV ECX, DWORD PTR DS:[EDI]
00414865 |MOV EDX, DWORD PTR DS:[ECX-8]
00414868 |AND EDX, 80000003
0041486E |JNS SHORT AMSAdmin.00414875
00414870 |DEC EDX
00414871 |OR EDX, FFFFFFFC
00414874 |INC EDX
00414875 \JNZ SHORT AMSAdmin.0041485A
00414877 MOV EAX, DWORD PTR DS:[EDI]

; EAX<==012841B8,(ASCII "7573717571717112")

00414879 XOR ESI, ESI
0041487B MOV ECX, DWORD PTR DS:[EAX-8] ; ECX=10
0041487E TEST ECX, ECX
00414880 JLE SHORT AMSAdmin.004148CF ; //用软件号计算
00414882 /MOVSX EAX, BYTE PTR DS:[EAX+ESI]

; EAX=DS:[EAX+ESI]=37 EAX=012841B8 ESI=0 ("7573717571717112")
]
00414886 |TEST EAX, EAX
00414888 |JGE SHORT AMSAdmin.0041488F
0041488A |ADD EAX, 100
0041488F |PUSH EAX
00414890 |LEA EAX, DWORD PTR SS:[ESP+28]
00414894 |PUSH AMSAdmin.0048C4B4 ; ASCII "%x"
00414899 |PUSH EAX
0041489A |CALL AMSAdmin.00447EDF
0041489F |MOV ECX, DWORD PTR SS:[ESP+30] ; ECX=01284438,(ASCII "37")
004148A3 |ADD ESP, 0C
004148A6 |CMP DWORD PTR DS:[ECX-8], 1
004148AA |JNZ SHORT AMSAdmin.004148B9
004148AC |PUSH 30
004148AE |PUSH 0
004148B0 |LEA ECX, DWORD PTR SS:[ESP+2C]
004148B4 |CALL AMSAdmin.004476EE
004148B9 |LEA EDX, DWORD PTR SS:[ESP+24]
004148BD |LEA ECX, DWORD PTR SS:[ESP+C]
004148C1 |PUSH EDX
004148C2 |CALL AMSAdmin.0044B53B
004148C7 |MOV EAX, DWORD PTR DS:[EDI]

; EAX=DS:[EDI]=012841B8,(ASCII "7573717571717112")

004148C9 |INC ESI
004148CA |CMP ESI, DWORD PTR DS:[EAX-8] ; DS:[EAX-8]=10
004148CD \JL SHORT AMSAdmin.00414882
004148CF PUSH ECX
004148D0 LEA EAX, DWORD PTR SS:[ESP+2C]
004148D4 MOV ECX, ESP
004148D6 MOV DWORD PTR SS:[ESP+14], ESP
004148DA PUSH EAX
004148DB CALL AMSAdmin.0044AE98
004148E0 LEA ECX, DWORD PTR SS:[ESP+10]
004148E4 PUSH ECX
004148E5 CALL AMSAdmin.00414D80
004148EA ADD ESP, 8
004148ED LEA EDX, DWORD PTR SS:[ESP+24]
004148F1 PUSH EBP
004148F2 PUSH AMSAdmin.0048C1BC ; ASCII "%d"
004148F7 PUSH EDX
004148F8 CALL AMSAdmin.00447EDF
004148FD ADD ESP, 0C
00414900 CMP EBP, 0A
00414903 JGE SHORT AMSAdmin.00414912
00414905 PUSH 30
00414907 PUSH 0
00414909 LEA ECX, DWORD PTR SS:[ESP+2C]
0041490D CALL AMSAdmin.004476EE
00414912 LEA EAX, DWORD PTR SS:[ESP+24]
00414916 LEA ECX, DWORD PTR SS:[ESP+C]
0041491A PUSH EAX
0041491B LEA EDX, DWORD PTR SS:[ESP+14]
0041491F PUSH ECX
00414920 PUSH EDX
00414921 CALL AMSAdmin.0044B352
00414926 PUSH EAX
00414927 MOV ECX, EDI
00414929 MOV BYTE PTR SS:[ESP+20], 3
0041492E CALL AMSAdmin.0044B25C
00414933 LEA ECX, DWORD PTR SS:[ESP+10]
00414937 MOV BYTE PTR SS:[ESP+1C], 2
0041493C CALL AMSAdmin.0044B123
00414941 LEA ECX, DWORD PTR SS:[ESP+C]
00414945 MOV BYTE PTR SS:[ESP+1C], 1
0041494A CALL AMSAdmin.0044B123
0041494F LEA ECX, DWORD PTR SS:[ESP+24]
00414953 MOV BYTE PTR SS:[ESP+1C], 0
00414958 CALL AMSAdmin.0044B123
0041495D LEA ECX, DWORD PTR SS:[ESP+28]
00414961 MOV DWORD PTR SS:[ESP+1C], -1
00414969 CALL AMSAdmin.0044B123
0041496E MOV ECX, DWORD PTR SS:[ESP+14]
00414972 POP EDI
00414973 POP ESI
00414974 MOV DWORD PTR FS:[0], ECX
0041497B POP EBP
0041497C ADD ESP, 14
0041497F RETN

0044B4A0 PUSH EBX
0044B4A1 PUSH ESI
0044B4A2 PUSH EDI
0044B4A3 MOV EDI, DWORD PTR SS:[ESP+10]
0044B4A7 TEST EDI, EDI
0044B4A9 MOV ESI, ECX
0044B4AB JE SHORT AMSAdmin.0044B4F9
0044B4AD MOV EAX, DWORD PTR DS:[ESI]

; EAX<==DS:[ESI]=012840C8,(ASCII "37353733373137")

0044B4AF CMP DWORD PTR DS:[EAX-C], 1
0044B4B3 LEA EBX, DWORD PTR DS:[EAX-C]
0044B4B6 JG SHORT AMSAdmin.0044B4E3
0044B4B8 MOV ECX, DWORD PTR DS:[EAX-8]
0044B4BB LEA EDX, DWORD PTR DS:[ECX+EDI]
0044B4BE CMP EDX, DWORD PTR DS:[EAX-4]
0044B4C1 JG SHORT AMSAdmin.0044B4E3
0044B4C3 PUSH EDI
0044B4C4 ADD ECX, EAX
0044B4C6 PUSH DWORD PTR SS:[ESP+18]
0044B4CA PUSH ECX
0044B4CB CALL AMSAdmin.004381F0
0044B4D0 MOV EAX, DWORD PTR DS:[ESI]
0044B4D2 ADD ESP, 0C
0044B4D5 ADD DWORD PTR DS:[EAX-8], EDI
0044B4D8 MOV EAX, DWORD PTR DS:[ESI]
0044B4DA MOV ECX, DWORD PTR DS:[EAX-8]
0044B4DD AND BYTE PTR DS:[ECX+EAX], 0
0044B4E1 JMP SHORT AMSAdmin.0044B4F9
0044B4E3 PUSH DWORD PTR SS:[ESP+14]
0044B4E7 MOV ECX, ESI
0044B4E9 PUSH EDI
0044B4EA PUSH EAX
0044B4EB PUSH DWORD PTR DS:[EAX-8]
0044B4EE CALL AMSAdmin.0044B314
0044B4F3 PUSH EBX
0044B4F4 CALL AMSAdmin.0044B08B
0044B4F9 POP EDI
0044B4FA POP ESI
0044B4FB POP EBX
0044B4FC RETN 8

0043835C MOV AL, BYTE PTR DS:[ESI] ; AL=DS:[ESI]=33 ('3')
0043835E MOV BYTE PTR DS:[EDI], AL
00438360 MOV AL, BYTE PTR DS:[ESI+1]
00438363 MOV BYTE PTR DS:[EDI+1], AL
00438366 MOV EAX, DWORD PTR SS:[EBP+8]

; EAX<==012840D6,(ASCII "3575717171")

00438369 POP ESI
0043836A POP EDI
0043836B LEAVE
0043836C RETN

0041E3D0 PUSH -1
0041E3D2 PUSH AMSAdmin.0046DD38
0041E3D7 MOV EAX, DWORD PTR FS:[0]
0041E3DD PUSH EAX
0041E3DE MOV DWORD PTR FS:[0], ESP
0041E3E5 SUB ESP, 0C
0041E3E8 PUSH EBP
0041E3E9 PUSH ESI
0041E3EA PUSH EDI
0041E3EB XOR EBP, EBP
0041E3ED LEA ECX, DWORD PTR SS:[ESP+28]
0041E3F1 MOV DWORD PTR SS:[ESP+20], EBP
0041E3F5 MOV DWORD PTR SS:[ESP+14], EBP
0041E3F9 CALL AMSAdmin.0044B645
0041E3FE MOV EAX, DWORD PTR SS:[ESP+28]

; EAX=01284348, ASCII "270B6E672BD7016" <--软件号生成的字符串

0041E402 XOR ESI, ESI
0041E404 MOV EDI, DWORD PTR DS:[EAX-8] ; EDI=F
0041E407 CMP EDI, EBP
0041E409 JLE SHORT AMSAdmin.0041E45B
0041E40B PUSH EBX
0041E40C /FLD QWORD PTR DS:[474D28] ; ST=10
0041E412 |MOV ECX, DWORD PTR SS:[ESP+2C]

; ECX=01284348, ASCII "270B6E672BD7016"

0041E416 |MOV EDX, EDI
0041E418 |SUB EDX, ESI
0041E41A |MOV BL, BYTE PTR DS:[ESI+ECX]

; BL=DS:[ESI+ECX]=32 ESI=0 ECX=01284348

; F次后　EBP=D166F738<--关键值（低位）

0041E44F |ADC EBX, EDX ; EBX=11C379
0041E451 |INC ESI
0041E452 |CMP ESI, EDI ; EDI=F ESI=0++
0041E454 |MOV DWORD PTR SS:[ESP+18], EBX ;

F次后 EBX=13E9E9<--关键值（高位）

0041E458 \JL SHORT AMSAdmin.0041E40C
0041E45A POP EBX ; EBX=4
0041E45B LEA ECX, DWORD PTR SS:[ESP+28]
0041E45F MOV DWORD PTR SS:[ESP+20], -1
0041E467 CALL AMSAdmin.0044B123
0041E46C MOV ECX, DWORD PTR SS:[ESP+18]
0041E470 MOV EDX, DWORD PTR SS:[ESP+14]
0041E474 POP EDI
0041E475 MOV EAX, EBP
0041E477 POP ESI
0041E478 POP EBP
0041E479 MOV DWORD PTR FS:[0], ECX
0041E480 ADD ESP, 18
0041E483 RETN 4
====================================================

到这里注册算法分析完成，总结一下

注册码的正确方法是：软件号计算的值=注册码计算的值

Cracded fxyang[OCN]

2003.4.5