EXE文件捆绑器V1.0

标题：算法浅探——EXE文件捆绑器V1.0
作者：fly
时间：2003/04/04 12:18pm
链接：http://bbs.pediy.com

下载页面： http://www.yd123.com/cncg/
软件大小： 278 KB
适用平台: WIN9x, NT, 2000

【软件简介】：将两个可执行文件捆绑在一起的软件，捆绑后的文件图标是第一个文件的图标。软件自带10个系统图标，也可以从另外的可执行文件中提取图标。

【软件限制】：30次试用

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、FI2.5、AspackDie、W32Dasm 10修改版

—————————————————————————————————
【过程】：

exebind.exe是ASPack 2.12壳，用AspackDie脱之。278K->1.22M。Delphi编写。
软件重启验证。注册码保存在注册表中，因此在反汇编代码里查找regcode，很容易就能找到下面的核心。

序列号：211C1E09 （呵呵，又要用我的硬盘序列号了）
用户名：fly0 （呵呵，至少4位。否则重启软件就非法操作了！）
试炼码：13572468 （注册码要8位）

—————————————————————————————————
* Referenced by a CALL at Address:
|:00486E3A
|
:004862F8 55 push ebp
:004862F9 8BEC mov ebp, esp
:004862FB 6A00 push 00000000
:004862FD 6A00 push 00000000
:004862FF 53 push ebx
:00486300 33C0 xor eax, eax
:00486302 55 push ebp
:00486303 6828654800 push 00486528
:00486308 64FF30 push dword ptr fs:[eax]
:0048630B 648920 mov dword ptr fs:[eax], esp
:0048630E C60560BD480001 mov byte ptr [0048BD60], 01
:00486315 B201 mov dl, 01
:00486317 A140BB4500 mov eax, dword ptr [0045BB40]
:0048631C E81F59FDFF call 0045BC40
:00486321 A358BD4800 mov dword ptr [0048BD58], eax
:00486326 BA02000080 mov edx, 80000002
:0048632B A158BD4800 mov eax, dword ptr [0048BD58]
:00486330 E8AB59FDFF call 0045BCE0
:00486335 33C9 xor ecx, ecx

* Possible StringData Ref from Code Obj ->"\software\exebind\reg"
|
:00486337 BA40654800 mov edx, 00486540
:0048633C A158BD4800 mov eax, dword ptr [0048BD58]
:00486341 E8DA5AFDFF call 0045BE20
:00486346 84C0 test al, al
:00486348 0F84BD010000 je 0048650B

* Possible StringData Ref from Code Obj ->"user"
|
:0048634E BA60654800 mov edx, 00486560
:00486353 A158BD4800 mov eax, dword ptr [0048BD58]
:00486358 E8235EFDFF call 0045C180
:0048635D 84C0 test al, al
:0048635F 0F84A2010000 je 00486507

* Possible StringData Ref from Code Obj ->"regcode"
|
:00486365 BA70654800 mov edx, 00486570
:0048636A A158BD4800 mov eax, dword ptr [0048BD58]
:0048636F E80C5EFDFF call 0045C180
:00486374 84C0 test al, al
:00486376 0F848B010000 je 00486507
:0048637C 8D4DFC lea ecx, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"user"
|
:0048637F BA60654800 mov edx, 00486560
:00486384 A158BD4800 mov eax, dword ptr [0048BD58]
:00486389 E85A5CFDFF call 0045BFE8
:0048638E 8D4DF8 lea ecx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"regcode"
|
:00486391 BA70654800 mov edx, 00486570
:00486396 A158BD4800 mov eax, dword ptr [0048BD58]
:0048639B E8485CFDFF call 0045BFE8
:004863A0 8B55F8 mov edx, dword ptr [ebp-08]
====>EDX=[ebp-08]=13572468

:004863A3 B85CBD4800 mov eax, 0048BD5C
:004863A8 E81BE1F7FF call 004044C8
:004863AD 837DFC00 cmp dword ptr [ebp-04], 00000000
====>[ebp-04]=fly0 没填用户名？

:004863B1 7409 je 004863BC
:004863B3 833D5CBD480000 cmp dword ptr [0048BD5C], 00000000
====>[0048BD5C]=13572468 没填注册码？

:004863BA 7507 jne 004863C3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004863B1(C)
|
:004863BC 33DB xor ebx, ebx
:004863BE E94A010000 jmp 0048650D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004863BA(C)
|
:004863C3 A15CBD4800 mov eax, dword ptr [0048BD5C]
====>EAX=[0048BD5C]=13572468

:004863C8 E85FE3F7FF call 0040472C
:004863CD 83F808 cmp eax, 00000008
====>注册码是否8位？

:004863D0 7407 je 004863D9
:004863D2 33DB xor ebx, ebx
:004863D4 E934010000 jmp 0048650D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004863D0(C)
|
:004863D9 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004863FD(C)
|
:004863DB 33D2 xor edx, edx
:004863DD 8AD0 mov dl, al
:004863DF 8B0D5CBD4800 mov ecx, dword ptr [0048BD5C]
====>ECX=[0048BD5C]=13572468

:004863E5 8A0C11 mov cl, byte ptr [ecx+edx]
====>依次取试炼码字符的HEX值
1、 ====>CL=31
2、 ====>33

:004863E8 8D5801 lea ebx, dword ptr [eax+01]
====>EBX依次增1
1、 ====>EBX=1
2、 ====>EBX=2

:004863EB C1E304 shl ebx, 04
1、 ====>EBX=1 SHL 04=10
2、 ====>EBX=2 SHL 04=20
3、 ====>EBX=3 SHL 04=30
4、 ====>EBX=4 SHL 04=40
5、 ====>EBX=5 SHL 04=50
6、 ====>EBX=6 SHL 04=60
7、 ====>EBX=7 SHL 04=70
8、 ====>EBX=8 SHL 04=80

:004863EE 32CB xor cl, bl
1、 ====>CL=31 XOR 10=21
2、 ====>CL=33 XOR 20=13
3、 ====>CL=35 XOR 30=05
4、 ====>CL=37 XOR 40=77
5、 ====>CL=32 XOR 50=62
6、 ====>CL=34 XOR 60=54
7、 ====>CL=36 XOR 70=46
8、 ====>CL=38 XOR 80=B8

:004863F0 42 inc edx
:004863F1 8D1452 lea edx, dword ptr [edx+2*edx]
:004863F4 888A7BBD4800 mov byte ptr [edx+0048BD7B], cl
====>CL 入 [edx+0048BD7B]处

0048BD7B 00 00 00 21 00 00 13 00 00 05 00 00 77 00 00 62 ...!......w..b
0048BD8B 00 00 54 00 00 46 00 00 B8 00 00 00 00 00 00 00 ..T..F..?......4

:004863FA 40 inc eax
====>EAX 依次增1

:004863FB 3C08 cmp al, 08
:004863FD 75DC jne 004863DB
====>循环8次

:004863FF 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly0

:00486402 E805FBFFFF call 00485F0C
====>关键CALL！对用户名和序列号运算得出一组值！

====>下面进行逐位比较，有一处不同就OVER了！
:00486407 A084BD4800 mov al, byte ptr [0048BD84]
====>AL=05

:0048640C 3A05ABBD4800 cmp al, byte ptr [0048BDAB]
====>[0048BDAB]=76 比较第3位！

:00486412 7412 je 00486426
====>不跳则OVER！

:00486414 803D60BD480000 cmp byte ptr [0048BD60], 00
:0048641B 33C0 xor eax, eax
:0048641D EB02 jmp 00486421
:0048641F B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048641D(U)
|
:00486421 A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486412(C)
|
:00486426 A08ABD4800 mov al, byte ptr [0048BD8A]
====>[0048BD8A]=62

:0048642B 3A05CBBD4800 cmp al, byte ptr [0048BDCB]
====>[0048BDCB]=18 比较第5位！

:00486431 7412 je 00486445
====>不跳则OVER！

:00486433 803D60BD480000 cmp byte ptr [0048BD60], 00
:0048643A 33C0 xor eax, eax
:0048643C EB02 jmp 00486440
:0048643E B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048643C(U)
|
:00486440 A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486431(C)
|
:00486445 A081BD4800 mov al, byte ptr [0048BD81]
====>[0048BD81]=13

:0048644A 3A059BBD4800 cmp al, byte ptr [0048BD9B]
====>[0048BD9B]=73 比较第2位！

:00486450 7412 je 00486464
====>不跳则OVER！

:00486452 803D60BD480000 cmp byte ptr [0048BD60], 00
:00486459 33C0 xor eax, eax
:0048645B EB02 jmp 0048645F
:0048645D B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048645B(U)
|
:0048645F A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486450(C)
|
:00486464 A087BD4800 mov al, byte ptr [0048BD87]
====>[0048BD87]=77

:00486469 3A05BBBD4800 cmp al, byte ptr [0048BDBB]
====>[0048BDBB]=09 比较第4位！

:0048646F 7412 je 00486483
====>不跳则OVER！

:00486471 803D60BD480000 cmp byte ptr [0048BD60], 00
:00486478 33C0 xor eax, eax
:0048647A EB02 jmp 0048647E
:0048647C B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048647A(U)
|
:0048647E A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048646F(C)
|
:00486483 A07EBD4800 mov al, byte ptr [0048BD7E]
====>[0048BD7E]=21

:00486488 3A058BBD4800 cmp al, byte ptr [0048BD8B]
====>[0048BD8B]=48 比较第1位！

:0048648E 7412 je 004864A2
====>不跳则OVER！

:00486490 803D60BD480000 cmp byte ptr [0048BD60], 00
:00486497 33C0 xor eax, eax
:00486499 EB02 jmp 0048649D
:0048649B B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486499(U)
|
:0048649D A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048648E(C)
|
:004864A2 A08DBD4800 mov al, byte ptr [0048BD8D]
====>[0048BD8D]=54

:004864A7 3A05DBBD4800 cmp al, byte ptr [0048BDDB]
====>[0048BDDB]=26 比较第6位！

:004864AD 7412 je 004864C1
====>不跳则OVER！

:004864AF 803D60BD480000 cmp byte ptr [0048BD60], 00
:004864B6 33C0 xor eax, eax
:004864B8 EB02 jmp 004864BC
:004864BA B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864B8(U)
|
:004864BC A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864AD(C)
|
:004864C1 A093BD4800 mov al, byte ptr [0048BD93]
====>[0048BD93]=B8

:004864C6 3A05FBBD4800 cmp al, byte ptr [0048BDFB]
====>[0048BDFB]=C3 比较第8位！

:004864CC 7412 je 004864E0
====>不跳则OVER！

:004864CE 803D60BD480000 cmp byte ptr [0048BD60], 00
:004864D5 33C0 xor eax, eax
:004864D7 EB02 jmp 004864DB
:004864D9 B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864D7(U)
|
:004864DB A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864CC(C)
|
:004864E0 A090BD4800 mov al, byte ptr [0048BD90]
====>[0048BD90]=46

:004864E5 3A05EBBD4800 cmp al, byte ptr [0048BDEB]
====>[0048BDEB]=3D 比较第7位！

:004864EB 7412 je 004864FF
====>不跳则OVER！

:004864ED 803D60BD480000 cmp byte ptr [0048BD60], 00
:004864F4 33C0 xor eax, eax
:004864F6 EB02 jmp 004864FA
:004864F8 B001 mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864F6(U)
|
:004864FA A260BD4800 mov byte ptr [0048BD60], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864EB(C)
|
:004864FF 8A1D60BD4800 mov bl, byte ptr [0048BD60]
====>BL=[0048BD60]=01 置1就OK了！

:00486505 EB06 jmp 0048650D

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048635F(C), :00486376(C)
|
:00486507 33DB xor ebx, ebx
:00486509 EB02 jmp 0048650D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486348(C)
|
:0048650B 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004863BE(U), :004863D4(U), :00486505(U), :00486509(U)
|
:0048650D 33C0 xor eax, eax
:0048650F 5A pop edx
:00486510 59 pop ecx
:00486511 59 pop ecx
:00486512 648910 mov dword ptr fs:[eax], edx
:00486515 682F654800 push 0048652F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048652D(U)
|
:0048651A 8D45F8 lea eax, dword ptr [ebp-08]
:0048651D BA02000000 mov edx, 00000002
:00486522 E871DFF7FF call 00404498
:00486527 C3 ret
:00486528 E96FD9F7FF jmp 00403E9C
:0048652D EBEB jmp 0048651A
:0048652F 8BC3 mov eax, ebx
:00486531 5B pop ebx
:00486532 59 pop ecx
:00486533 59 pop ecx
:00486534 5D pop ebp
:00486535 C3 ret

—————————————————————————————————
进入关键CALL：486402 call 00485F0C

呵呵，很是烦琐，作者自己是不嫌麻烦的。想写注册机的CRACKER可不轻松了。

* Referenced by a CALL at Address:
|:00486402
|
:00485F0C 55 push ebp
:00485F0D 8BEC mov ebp, esp
:00485F0F 83C4EC add esp, FFFFFFEC
:00485F12 53 push ebx
:00485F13 56 push esi
:00485F14 57 push edi
:00485F15 33D2 xor edx, edx
:00485F17 8955F8 mov dword ptr [ebp-08], edx
:00485F1A 8955F4 mov dword ptr [ebp-0C], edx
:00485F1D 8945FC mov dword ptr [ebp-04], eax
:00485F20 8B45FC mov eax, dword ptr [ebp-04]
:00485F23 E8ECE9F7FF call 00404914
:00485F28 33C0 xor eax, eax
:00485F2A 55 push ebp
:00485F2B 6849614800 push 00486149
:00485F30 64FF30 push dword ptr fs:[eax]
:00485F33 648920 mov dword ptr fs:[eax], esp
:00485F36 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly0

:00485F39 E8EEE7F7FF call 0040472C
====>取用户名位数入 AL

:00485F3E 8845F2 mov byte ptr [ebp-0E], al
====>[ebp-0E]=AL=04

:00485F41 E87AF0FFFF call 00484FC0
====>取硬盘序列号入 EAX=211C1E09

:00485F46 8D4DF4 lea ecx, dword ptr [ebp-0C]
:00485F49 BA08000000 mov edx, 00000008
:00485F4E E8112BF8FF call 00408A64
:00485F53 33C0 xor eax, eax
:00485F55 8A45F2 mov al, byte ptr [ebp-0E]
:00485F58 83C009 add eax, 00000009
====>EAX=04 + 09=0D

:00485F5B 50 push eax
:00485F5C 8D45F8 lea eax, dword ptr [ebp-08]
:00485F5F B901000000 mov ecx, 00000001

* Possible StringData Ref from Code Obj ->".3"
|
:00485F64 8B15EC5E4800 mov edx, dword ptr [00485EEC]
:00485F6A E8A9FAF7FF call 00405A18
:00485F6F 83C404 add esp, 00000004
:00485F72 8A45F2 mov al, byte ptr [ebp-0E]
:00485F75 48 dec eax
:00485F76 84C0 test al, al
:00485F78 721C jb 00485F96
:00485F7A 40 inc eax
:00485F7B B300 mov bl, 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485F94(C)
|
:00485F7D 33D2 xor edx, edx
:00485F7F 8AD3 mov dl, bl
:00485F81 8B4DFC mov ecx, dword ptr [ebp-04]
:00485F84 8A1411 mov dl, byte ptr [ecx+edx]
:00485F87 33C9 xor ecx, ecx
:00485F89 8ACB mov cl, bl
:00485F8B 8B75F8 mov esi, dword ptr [ebp-08]
:00485F8E 88140E mov byte ptr [esi+ecx], dl
====>用户名入 [esi+ecx]处
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[esi+ecx]内存中的值：

00C92358 66 6C 79 30 00 00 00 00 00 00 00 00 00 00 00 00 fly0............
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00485F91 43 inc ebx
:00485F92 FEC8 dec al
:00485F94 75E7 jne 00485F7D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485F78(C)
|
:00485F96 8A5DF2 mov bl, byte ptr [ebp-0E]
:00485F99 8A45F2 mov al, byte ptr [ebp-0E]
:00485F9C 0407 add al, 07
====>AL=04 + 07=0B

:00485F9E 2AC3 sub al, bl
====>AL=0B - 04=07

:00485FA0 7233 jb 00485FD5
:00485FA2 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FD3(C)
|
:00485FA3 8BF3 mov esi, ebx
:00485FA5 81E6FF000000 and esi, 000000FF
:00485FAB 8BD6 mov edx, esi
:00485FAD 33C9 xor ecx, ecx
:00485FAF 8A4DF2 mov cl, byte ptr [ebp-0E]
:00485FB2 2BD1 sub edx, ecx
:00485FB4 8B4DF4 mov ecx, dword ptr [ebp-0C]
====>ECX=211C1E09 呵呵，我的硬盘序列号

:00485FB7 8A0C11 mov cl, byte ptr [ecx+edx]
====>依次取硬盘序列号的字符值

:00485FBA 51 push ecx
:00485FBB 8B4DF8 mov ecx, dword ptr [ebp-08]
:00485FBE 8D3431 lea esi, dword ptr [ecx+esi]
:00485FC1 59 pop ecx
:00485FC2 880E mov byte ptr [esi], cl
:00485FC4 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00485FC7 8A0C11 mov cl, byte ptr [ecx+edx]
:00485FCA 888A64BD4800 mov byte ptr [edx+0048BD64], cl
====>硬盘序列号入 [edx+0048BD64]处
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[edx+0048BD64]内存中的值：

0048BD64 32 31 31 43 31 45 30 39 00 00 00 00 00 00 00 00 211C1E09........
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00485FD0 43 inc ebx
:00485FD1 FEC8 dec al
:00485FD3 75CE jne 00485FA3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FA0(C)
|
:00485FD5 33C0 xor eax, eax
:00485FD7 8A45F2 mov al, byte ptr [ebp-0E]
====>AL=04

:00485FDA 8B55F8 mov edx, dword ptr [ebp-08]
====>EDX=fly0211C1E09 用户名和序列号连接起来

:00485FDD C644020900 mov [edx+eax+09], 00
:00485FE2 C645F100 mov [ebp-0F], 00
:00485FE6 8A45F2 mov al, byte ptr [ebp-0E]
:00485FE9 0408 add al, 08
====>AL=04 + 08=0C

:00485FEB 8845EF mov byte ptr [ebp-11], al
====>AL=0C 入 [ebp-11]

:00485FEE 8A45F2 mov al, byte ptr [ebp-0E]
:00485FF1 0407 add al, 07
====>AL=04 + 07=0B

:00485FF3 84C0 test al, al
:00485FF5 7215 jb 0048600C
:00485FF7 40 inc eax
:00485FF8 B300 mov bl, 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048600A(C)
|
:00485FFA 33D2 xor edx, edx
:00485FFC 8AD3 mov dl, bl
:00485FFE 8B4DF8 mov ecx, dword ptr [ebp-08]
====>ECX=fly0211C1E09

:00486001 8A1411 mov dl, byte ptr [ecx+edx]
====>依次取上面字符的HEX值，下面累加

:00486004 0055F1 add byte ptr [ebp-0F], dl
====>[ebp-0F]=0+66+6C+79+32+31+31+43+31+45+30+39=31 舍去溢出

:00486007 43 inc ebx
:00486008 FEC8 dec al
:0048600A 75EE jne 00485FFA
====>循环12次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FF5(C)
|
:0048600C 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486117(C)
|
:0048600E C645F300 mov [ebp-0D], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004860BF(C), :004860C7(C)
|
:00486012 8BFB mov edi, ebx
:00486014 81E7FF000000 and edi, 000000FF
:0048601A 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=fly0211C1E09

:0048601D 8A0438 mov al, byte ptr [eax+edi]
====>依次取上面字符的HEX值

:00486020 02C3 add al, bl
====>AL=66 + 00=66

:00486022 8A55F1 mov dl, byte ptr [ebp-0F]
====>DL=[ebp-0F]=31

:00486025 02D3 add dl, bl
====>DL=31 + 00=31

:00486027 32C2 xor al, dl
====>AL=66 XOR 31=57

:00486029 33D2 xor edx, edx
:0048602B 8A55EF mov dl, byte ptr [ebp-11]
====>DL=[ebp-11]=OC

:0048602E 2BD7 sub edx, edi
:00486030 8B4DF8 mov ecx, dword ptr [ebp-08]
====>ECX=fly0211C1E09

:00486033 8A1411 mov dl, byte ptr [ecx+edx]
====>加1位倒序依次取上面字符的HEX值
====>DL=00

:00486036 02D3 add dl, bl
====>DL=00 + 00=00

:00486038 8BCB mov ecx, ebx
:0048603A 660FAFCB imul cx, bx
:0048603E 02D1 add dl, cl
:00486040 8855F0 mov byte ptr [ebp-10], dl
:00486043 8A55F3 mov dl, byte ptr [ebp-0D]
:00486046 660FAF55F3 imul dx, word ptr [ebp-0D]
====>DX=00 * F800=00
0076FC3B 00 F8 51 C9 00 58 23 C9 00 50 FD C9 00 68 FC 76 .鳴?X#?P.h黺 00 5

:0048604B 52 push edx
:0048604C 8A55F0 mov dl, byte ptr [ebp-10]
:0048604F 59 pop ecx
:00486050 2AD1 sub dl, cl
:00486052 2A55EF sub dl, byte ptr [ebp-11]
====>DL=00 - 0C=F4

:00486055 32D0 xor dl, al
====>DL=F4 XOR 57=A3

:00486057 8BC2 mov eax, edx
:00486059 E8FA000000 call 00486158
:0048605E 8A55F3 mov dl, byte ptr [ebp-0D]
:00486061 660FAFD3 imul dx, bx
:00486065 02C2 add al, dl
:00486067 2A45F3 sub al, byte ptr [ebp-0D]
:0048606A 32C3 xor al, bl
:0048606C E8C3010000 call 00486234
:00486071 8D9080000000 lea edx, dword ptr [eax+00000080]
:00486077 2A55F3 sub dl, byte ptr [ebp-0D]
:0048607A 8BC3 mov eax, ebx
:0048607C 660FAF45F3 imul ax, word ptr [ebp-0D]
:00486081 02C3 add al, bl
:00486083 32D0 xor dl, al
:00486085 8BC2 mov eax, edx
:00486087 E8CC000000 call 00486158
:0048608C 8A55F3 mov dl, byte ptr [ebp-0D]
:0048608F 660FAF55F3 imul dx, word ptr [ebp-0D]
:00486094 02C2 add al, dl
:00486096 2AC3 sub al, bl
:00486098 32C3 xor al, bl
:0048609A E895010000 call 00486234
:0048609F 0580000000 add eax, 00000080
:004860A4 2A45F3 sub al, byte ptr [ebp-0D]
====>DL=A3 - 00=A3

:004860A7 8BD3 mov edx, ebx
:004860A9 660FAFD3 imul dx, bx
:004860AD 0255F3 add dl, byte ptr [ebp-0D]
:004860B0 32C2 xor al, dl
:004860B2 FE45F3 inc [ebp-0D]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
下面是对AL的取值范围进行比较，如果不在此范围则继续循环直至符合为止！
:004860B5 3C41 cmp al, 41
:004860B7 7204 jb 004860BD
:004860B9 3C5A cmp al, 5A
:004860BB 7610 jbe 004860CD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004860B7(C)
|
:004860BD 3C61 cmp al, 61
:004860BF 0F824DFFFFFF jb 00486012
:004860C5 3C7A cmp al, 7A
:004860C7 0F8745FFFFFF ja 00486012
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004860BB(C)
|
:004860CD 3C61 cmp al, 61
:004860CF 7202 jb 004860D3
:004860D1 2C20 sub al, 20

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004860CF(C)
|
:004860D3 8D5301 lea edx, dword ptr [ebx+01]
:004860D6 C1E204 shl edx, 04
:004860D9 32D0 xor dl, al
:004860DB 8BF3 mov esi, ebx
:004860DD 81E6FF000000 and esi, 000000FF
:004860E3 46 inc esi
:004860E4 8BC6 mov eax, esi
:004860E6 C1E004 shl eax, 04
:004860E9 88907BBD4800 mov byte ptr [eax+0048BD7B], dl
循环结果 ====>DL=①48 ②73 ③76 ④09 ⑤18 ⑥26 ⑦3D ⑧C3

:004860EF 33C0 xor eax, eax
:004860F1 8AC3 mov al, bl
:004860F3 40 inc eax
:004860F4 C1E004 shl eax, 04
:004860F7 8D0476 lea eax, dword ptr [esi+2*esi]
:004860FA 3A907BBD4800 cmp dl, byte ptr [eax+0048BD7B]
:00486100 7511 jne 00486113
:00486102 33C0 xor eax, eax
:00486104 8AC3 mov al, bl
:00486106 83C005 add eax, 00000005
:00486109 8D0480 lea eax, dword ptr [eax+4*eax]
:0048610C C6807BBD480001 mov byte ptr [eax+0048BD7B], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486100(C)
|
:00486113 43 inc ebx
:00486114 80FB08 cmp bl, 08
:00486117 0F85F1FEFFFF jne 0048600E
====>大循环8次，得出8个值！

:0048611D 33C0 xor eax, eax
:0048611F 5A pop edx
:00486120 59 pop ecx
:00486121 59 pop ecx
:00486122 648910 mov dword ptr fs:[eax], edx
:00486125 6850614800 push 00486150

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048614E(U)
|
:0048612A 8D45F4 lea eax, dword ptr [ebp-0C]
:0048612D E842E3F7FF call 00404474
:00486132 8D45F8 lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->".3"
|
:00486135 8B15EC5E4800 mov edx, dword ptr [00485EEC]
:0048613B E8F8F9F7FF call 00405B38
:00486140 8D45FC lea eax, dword ptr [ebp-04]
:00486143 E82CE3F7FF call 00404474
:00486148 C3 ret

—————————————————————————————————
【求逆】：

现在我已知道程序首先对试炼码进行简单的异或处理得出新的值；设为S1。
然后，程序通过对用户名和序列号的运算再次得出一组值；设为S2
只要S1=S2，则OK！

所以我们可以通过K2简单求逆就可得出真正的注册码！

这是K1的生成过程：
:004863EE 32CB xor cl, bl
1、 ====>CL=31 XOR 10=21
2、 ====>CL=33 XOR 20=13
3、 ====>CL=35 XOR 30=05
4、 ====>CL=37 XOR 40=77
5、 ====>CL=32 XOR 50=62
6、 ====>CL=34 XOR 60=54
7、 ====>CL=36 XOR 70=46
8、 ====>CL=38 XOR 80=B8

现在我的S2=①48 ②73 ③76 ④09 ⑤18 ⑥26 ⑦3D ⑧C3
所以注册码的求逆过程为：
1、 ====>K1=48 XOR 10=58 即：字符X
2、 ====>K2=73 XOR 20=53 即：字符S
3、 ====>K3=76 XOR 30=46 即：字符F
4、 ====>K4=09 XOR 40=49 即：字符I
5、 ====>K5=18 XOR 50=48 即：字符H
6、 ====>K6=26 XOR 60=46 即：字符F
7、 ====>K7=3D XOR 70=4D 即：字符M
8、 ====>K8=C3 XOR 80=43 即：字符C

所以，我的注册码为：XSFIHFMC

另外，再多说一点，如果仅仅是在验证外的某处爆破的话，会显示“已注册”，但是合并后的文件是会非法操作的。
呵呵，即便如此，却也比开山文件合并器要“温柔”的多了。

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\exebind\reg]
"user"="fly0"
"regcode"="XSFIHFMC"

—————————————————————————————————
【整理】：

序列号：211C1E09
用户名：fly0
注册码：XSFIHFMC

—————————————————————————————————

Cracked By 巢水工作坊——fly【OCN】

2003-04-04 11:01:11