腾龙备份大师2003 V3.05.01 专业版算法分析
作者:wzh123
软件大小:
3030 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 数据备份
应用平台: Win9x/NT/2000/XP
软件介绍:
全方位的数据备份保护系统“腾龙备份大师 2003”专业版隆重出场.适用于个人用户、企事业单
位及政府机关使用的全新版本!最新编制的监控引擎,更低的系统资源占用率(1%-5%根据计算机配置).为政府
企业特别设计的自动数据锁定系统,可以广泛应用于政府网站保护及企业数据保护,有效防止因防火墙及操作
系统漏洞而造成黑客成功入侵的数据损失!针对性的为用户设计了三大类十小类数据备份保护方法,以适应不
同场合及不同人员对数据备份保护的需要!全新编写的内核代码、全新的操作界面、全新的向导界面,让每一
个用户体验最便捷的操作感!最优惠的注册价格,让每一位用户都能够拥有安全的信息空间!
PJ工具:softice,W32Dasm8.93黄金版,FI2.5
作者申明:只是学习,无其他目的。
本人刚刚学破解,错误在所难免,写得也很乱,请各位包涵,也请各位高手指教
1、软件没有加壳,用delphi编的;
2、这是一个重启验证的软件,注册文件放在\winnt\system32\SYSTEMWIN32.dll,可以用记事本打开。用
softice下断,
序列号:3781489924572
注册名:wzh123
注册码:a1234-b2345-c3456-d4567-5678
你一定可以来到以下地方:(以下的分析都以我的注册信息为例子,大家可以根据自己的情况算出自己的注册码
)
------------注册码第一部分计算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506DE6(C)
|
:00506D94
8BC3 mov
eax, ebx
:00506D96 2501000080 and
eax, 80000001
:00506D9B 7905
jns 00506DA2
:00506D9D 48
dec eax
:00506D9E 83C8FE
or eax, FFFFFFFE
:00506DA1
40 inc
eax
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00506D9B(C)
|
:00506DA2
85C0 test
eax, eax
:00506DA4 751F
jne 00506DC5
:00506DA6 8D45CC
lea eax, dword ptr [ebp-34]
:00506DA9 50
push eax
:00506DAA
B901000000 mov ecx, 00000001
:00506DAF
8BD3 mov
edx, ebx
:00506DB1 8B45FC
mov eax, dword ptr [ebp-04]
:00506DB4 E83349F3FF
call 0043B6EC
:00506DB9 8B45CC
mov eax, dword ptr [ebp-34]
:00506DBC
E89B2BF0FF call 0040995C
:00506DC1
03F8 add
edi, eax
:00506DC3 EB1D
jmp 00506DE2
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506DA4(C)
|
:00506DC5
8D45C8 lea eax,
dword ptr [ebp-38]
:00506DC8 50
push eax
:00506DC9 B901000000
mov ecx, 00000001
:00506DCE 8BD3
mov edx, ebx
:00506DD0 8B45FC
mov eax, dword ptr
[ebp-04]
:00506DD3 E81449F3FF call
0043B6EC
:00506DD8 8B45C8
mov eax, dword ptr [ebp-38]
:00506DDB E87C2BF0FF
call 0040995C
:00506DE0 03F0
add esi, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506DC3(U)
|
:00506DE2
43 inc
ebx
:00506DE3 83FB0E
cmp ebx, 0000000E
:00506DE6 75AC
jne 00506D94 --------------以上将给定的序列号的奇、偶数位分别
相加,将奇数位相加的结果-->esi,将偶数位相加的结果-->edi
(以我的序列号为例3781489924572,3+8+4+9+2+5+2=0x21==>esi,7+1+8+9+4+7=0x24==>edi)
:00506DE8
8D55C4 lea edx,
dword ptr [ebp-3C]
:00506DEB 8BC7
mov eax, edi
偶数位相加的结果0x24-->eax
:00506DED 0FAFC6
imul eax, esi
偶数位相加的结果*奇数位相加的结果
0x4a4-->eax
:00506DF0
E8FB29F0FF call 004097F0
0x4a4-->1188(D)
:00506DF5 8B45C4
mov eax, dword ptr [ebp-3C]
:00506DF8
8D4DE8 lea ecx,
dword ptr [ebp-18]
:00506DFB BA05000000
mov edx, 00000005
:00506E00 E8B3EDFFFF
call 00505BB8
1188-->11880
:00506E05 8D55BC
lea edx, dword ptr [ebp-44]
:00506E08 8B45F8
mov eax, dword ptr
[ebp-08] 注册名"wzh123"-->eax
:00506E0B E8CCEEFFFF
call 00505CDC
注册名转换
:00506E10 8B45BC
mov eax, dword ptr [ebp-44] 71610-->eax
:00506E13
8D55C0 lea edx,
dword ptr [ebp-40]
:00506E16 E89DECFFFF
call 00505AB8
:00506E1B 8B45C0
mov eax, dword ptr [ebp-40] 71610-->eax
:00506E1E
8D4DE4 lea ecx,
dword ptr [ebp-1C]
:00506E21 BA05000000
mov edx, 00000005
:00506E26 E88DEDFFFF
call 00505BB8
:00506E2B 8B45E8
mov eax, dword ptr [ebp-18] 11880-->eax
:00506E2E
E8292BF0FF call 0040995C
11880(D)-->2E68(H)
:00506E33
50 push
eax
:00506E34 8B45E4
mov eax, dword ptr [ebp-1C] 71610-->eax
:00506E37 E8202BF0FF
call 0040995C
71610(D)-->117BA(H)
:00506E3C 5A
pop edx
:00506E3D
92 xchg
eax,edx 2E68(H)-->eax,117BA(H)-->edx
:00506E3E
8BCA mov
ecx, edx
:00506E40 99
cdq
:00506E41 F7F9
idiv ecx
2E68(H)/117BA
:00506E43 8BC2
mov eax, edx
余数(0x2E68)-->eax
:00506E45
05E7030000 add eax, 000003E7
0x2E68+0x3E7=0x324F-->eax
:00506E4A 8D55B4
lea edx, dword ptr
[ebp-4C]
:00506E4D E89E29F0FF
call 004097F0 0x324F-->12879(D)
:00506E52
8B45B4 mov eax,
dword ptr [ebp-4C] 12879(D)-->eax
:00506E55 8D4DB8
lea ecx, dword ptr [ebp-48]
:00506E58
BA04000000 mov edx, 00000004
:00506E5D
E856EDFFFF call 00505BB8
12879(D)-->1287
:00506E62
8B45B8 mov eax,
dword ptr [ebp-48] 1287-->eax
:00506E65 8D55EC
lea edx, dword ptr [ebp-14]
:00506E68
E87F090000 call 005077EC
:00506E6D
8D55B0 lea edx,
dword ptr [ebp-50]
:00506E70 8B45EC
mov eax, dword ptr [ebp-14]
:00506E73 E874090000
call 005077EC
:00506E78 8B45B0
mov eax, dword ptr [ebp-50]
:00506E7B
E8DC2AF0FF call 0040995C
1287(D)-->507(H)
:00506E80
8945D0 mov dword
ptr [ebp-30], eax
:00506E83 8D55A0
lea edx, dword ptr [ebp-60]
:00506E86 8B45EC
mov eax, dword ptr [ebp-14]
:00506E89
E85E090000 call 005077EC
取507最后一位"7"
:00506E8E
8B45A0 mov eax,
dword ptr [ebp-60]
:00506E91 8D4DA4
lea ecx, dword ptr [ebp-5C]
:00506E94 BA01000000
mov edx, 00000001
:00506E99 E8EE22FEFF
call 004E918C
:00506E9E 8B45A4
mov eax, dword ptr
[ebp-5C] "7"-->[eax]
:00506EA1 E8B62AF0FF
call 0040995C
7-->eax
:00506EA6 8BD0
mov edx, eax
:00506EA8 83C241
add edx, 00000041
7+41=0x48即"H"-->edx
:00506EAB
8D45A8 lea eax,
dword ptr [ebp-58]
:00506EAE E89DDFEFFF
call 00404E50
:00506EB3 8D45A8
lea eax, dword ptr [ebp-58]
:00506EB6 50
push eax
:00506EB7
8D559C lea edx,
dword ptr [ebp-64]
:00506EBA 8B45EC
mov eax, dword ptr [ebp-14]
:00506EBD E82A090000
call 005077EC
:00506EC2 8B559C
mov edx, dword ptr [ebp-64]
1287-->edx
:00506EC5 58
pop eax
:00506EC6 E865E0EFFF
call 00404F30
将1287与"H"连起来得到字串
"H1287"--------第一部分的真注册码出现
:00506ECB
8B45A8 mov eax,
dword ptr [ebp-58]
:00506ECE 8D55AC
lea edx, dword ptr [ebp-54]
:00506ED1 E816090000
call 005077EC
:00506ED6 8B55AC
mov edx, dword ptr [ebp-54]
:00506ED9
8D45EC lea eax,
dword ptr [ebp-14]
:00506EDC E81FDEEFFF
call 00404D00
:00506EE1 8D5590
lea edx, dword ptr [ebp-70]
:00506EE4 8B45EC
mov eax, dword ptr [ebp-14]
:00506EE7
E800090000 call 005077EC
:00506EEC
8B4590 mov eax,
dword ptr [ebp-70]
:00506EEF 8D4D94
lea ecx, dword ptr [ebp-6C]
:00506EF2 BA01000000
mov edx, 00000001
:00506EF7 E89022FEFF
call 004E918C
:00506EFC 8B4594
mov eax, dword ptr
[ebp-6C]
:00506EFF E8582AF0FF call
0040995C
:00506F04 83C041
add eax, 00000041
:00506F07 8D5598
lea edx, dword ptr [ebp-68]
:00506F0A E8E128F0FF
call 004097F0
:00506F0F 8D4598
lea eax, dword ptr
[ebp-68]
:00506F12 50
push eax
:00506F13 8D558C
lea edx, dword ptr [ebp-74]
:00506F16 8B45D0
mov eax, dword ptr [ebp-30]
:00506F19
E8D228F0FF call 004097F0
:00506F1E
8B558C mov edx,
dword ptr [ebp-74]
:00506F21 58
pop eax
:00506F22 E809E0EFFF
call 00404F30
1287-->721287(下面有用)
:00506F27 8B4598
mov eax, dword ptr [ebp-68]
:00506F2A
E82D2AF0FF call 0040995C
187-->eax
:00506F2F
8945D0 mov dword
ptr [ebp-30], eax
:00506F32 8D5588
lea edx, dword ptr [ebp-78]
:00506F35 8B45D0
mov eax, dword ptr [ebp-30]
:00506F38
E8B328F0FF call 004097F0
:00506F3D
8B4588 mov eax,
dword ptr [ebp-78]
:00506F40 8D55DC
lea edx, dword ptr [ebp-24]
:00506F43 E8A4080000
call 005077EC
将真注册码的第一部分各位取反
:00506F48 8D4D80
lea ecx, dword ptr [ebp-80]
:00506F4B
BA05000000 mov edx, 00000005
:00506F50
8B45F4 mov eax,
dword ptr [ebp-0C] 取第一部分的假码
:00506F53 E8A046F3FF
call 0043B5F8
:00506F58 8B4580
mov eax, dword ptr [ebp-80]
:00506F5B
8D5584 lea edx,
dword ptr [ebp-7C]
:00506F5E E889080000
call 005077EC
将输入注册码的第一部分各位取反
:00506F63 8B5584
mov edx, dword ptr [ebp-7C]
:00506F66 8B45EC
mov eax, dword ptr [ebp-14]
:00506F69
E806E1EFFF call 00405074
第一部分的经过变换的真假注册码相
比
:00506F6E
7409 je 00506F79
相等就跳到注册码第二部分的计算,
否则去死(爆破点)
:00506F70
C645F300 mov [ebp-0D],
00
:00506F74 E946060000 jmp
005075BF
------------注册码第二部分计算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506F6E(C)
|
:00506F79
8D45E0 lea eax,
dword ptr [ebp-20]
:00506F7C E8E7DCEFFF
call 00404C68
:00506F81 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506FF6(C)
|
:00506F86
8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78]
:00506F8C
50 push
eax
:00506F8D B901000000 mov
ecx, 00000001
:00506F92 8BD3
mov edx, ebx
:00506F94 8B45E8
mov eax, dword ptr [ebp-18] 11880(见上)-->eax
:00506F97
E85047F3FF call 0043B6EC
:00506F9C
8B8578FFFFFF mov eax, dword ptr [ebp+FFFFFF78]
:00506FA2 E8B529F0FF
call 0040995C
:00506FA7 8BF0
mov esi, eax
:00506FA9 8D8574FFFFFF
lea eax, dword ptr [ebp+FFFFFF74]
:00506FAF
50 push
eax
:00506FB0 8D5301
lea edx, dword ptr [ebx+01]
:00506FB3 B901000000
mov ecx, 00000001
:00506FB8 8B45E8
mov eax, dword ptr [ebp-18]
:00506FBB
E82C47F3FF call 0043B6EC
:00506FC0
8B8574FFFFFF mov eax, dword ptr [ebp+FFFFFF74]
:00506FC6
E89129F0FF call 0040995C
:00506FCB
03F0 add
esi, eax
:00506FCD 8BC6
mov eax, esi
:00506FCF B90A000000
mov ecx, 0000000A
:00506FD4 99
cdq
:00506FD5 F7F9
idiv ecx
:00506FD7 8BC2
mov eax,
edx
:00506FD9 8D957CFFFFFF lea edx,
dword ptr [ebp+FFFFFF7C]
:00506FDF E80C28F0FF
call 004097F0
:00506FE4 8B957CFFFFFF
mov edx, dword ptr [ebp+FFFFFF7C]
:00506FEA 8D45E0
lea eax, dword ptr [ebp-20]
:00506FED
E83EDFEFFF call 00404F30
:00506FF2
43 inc
ebx
:00506FF3 83FB05
cmp ebx, 00000005
:00506FF6 758E
jne 00506F86-----------------------以上构成循环,将11880两位一
组合,然后除0xA,余数保存起来,如
1、(1+1)%0xA="2"
2、(1+8)%0xA="9"
3、(8+8)%0xA="6"
4、(8+0)%0xA="8"
:00506FF8
33F6 xor
esi, esi
:00506FFA BB01000000 mov
ebx, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00507026(C)
|
:00506FFF
8D8570FFFFFF lea eax, dword ptr [ebp+FFFFFF70]
:00507005
50 push
eax
:00507006 B901000000 mov
ecx, 00000001
:0050700B 8BD3
mov edx, ebx
:0050700D 8B45E0
mov eax, dword ptr [ebp-20]
:00507010 E8D746F3FF
call 0043B6EC
:00507015 8B8570FFFFFF
mov eax, dword ptr [ebp+FFFFFF70]
:0050701B
E83C29F0FF call 0040995C
:00507020
03F0 add
esi, eax
:00507022 43
inc ebx
:00507023 83FB05
cmp ebx, 00000005
:00507026 75D7
jne 00506FFF------------------------又一个循环,将以上得到的余
数相加,即2+9+6+8=0x19---->esi
:00507028
8BC6 mov
eax, esi
:0050702A B90A000000 mov
ecx, 0000000A
:0050702F 99
cdq
:00507030 F7F9
idiv ecx
0x19/0xA
:00507032
8BC2 mov
eax, edx
余数"5"-->eax
:00507034 8D9564FFFFFF
lea edx, dword ptr [ebp+FFFFFF64]
:0050703A E8B127F0FF
call 004097F0
:0050703F 8B8D64FFFFFF
mov ecx, dword ptr [ebp+FFFFFF64]
:00507045
8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:0050704B
8B55E0 mov edx,
dword ptr [ebp-20]
:0050704E E821DFEFFF
call 00404F74
将"2968"与"5"相连得到第二部
分的真注册码"29685"
:00507053
8B8568FFFFFF mov eax, dword ptr [ebp+FFFFFF68]
:00507059
8D956CFFFFFF lea edx, dword ptr [ebp+FFFFFF6C]
:0050705F
E888070000 call 005077EC
:00507064
8B956CFFFFFF mov edx, dword ptr [ebp+FFFFFF6C]
:0050706A
8D45E0 lea eax,
dword ptr [ebp-20]
:0050706D E88EDCEFFF
call 00404D00
:00507072 8D45EC
lea eax, dword ptr [ebp-14]
:00507075 8B55E0
mov edx, dword ptr [ebp-20]
:00507078
E883DCEFFF call 00404D00
:0050707D
8D9560FFFFFF lea edx, dword ptr [ebp+FFFFFF60]
:00507083
8B45EC mov eax,
dword ptr [ebp-14]
:00507086 E861070000
call 005077EC
:0050708B 8B8560FFFFFF
mov eax, dword ptr [ebp+FFFFFF60]
:00507091 E8C628F0FF
call 0040995C
:00507096 0145D0
add dword ptr [ebp-30],
eax
:00507099 8D45D8
lea eax, dword ptr [ebp-28]
:0050709C 8B55EC
mov edx, dword ptr [ebp-14]
:0050709F E85CDCEFFF
call 00404D00
:005070A4 8D8558FFFFFF
lea eax, dword ptr [ebp+FFFFFF58]
:005070AA
50 push
eax
:005070AB B905000000 mov
ecx, 00000005
:005070B0 BA07000000
mov edx, 00000007
:005070B5 8B45F4
mov eax, dword ptr [ebp-0C]
:005070B8 E82F46F3FF
call 0043B6EC
取第二部分的假码
:005070BD 8B8558FFFFFF
mov eax, dword ptr [ebp+FFFFFF58]
:005070C3
8D955CFFFFFF lea edx, dword ptr [ebp+FFFFFF5C]
:005070C9
E81E070000 call 005077EC
假码各位取反
:005070CE
8B955CFFFFFF mov edx, dword ptr [ebp+FFFFFF5C]
:005070D4
8B45EC mov eax,
dword ptr [ebp-14]
:005070D7 E898DFEFFF
call 00405074
第二部分的经过变换的真假注册
码相比
:005070DC
7409 je 005070E7
相等就跳到注册码第三部分的计
算,否则去死(爆破点)
:005070DE
C645F300 mov [ebp-0D],
00
:005070E2 E9D8040000 jmp
005075BF
------------注册码第三部分计算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005070DC(C)
|
:005070E7
8D45E0 lea eax,
dword ptr [ebp-20]
:005070EA E879DBEFFF
call 00404C68
:005070EF BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050715E(C)
|
:005070F4
8D8550FFFFFF lea eax, dword ptr [ebp+FFFFFF50]
:005070FA
50 push
eax
:005070FB B901000000 mov
ecx, 00000001
:00507100 8BD3
mov edx, ebx
:00507102 8B45E8
mov eax, dword ptr [ebp-18]
11880-->eax
:00507105 E8E245F3FF
call 0043B6EC
:0050710A 8B8550FFFFFF
mov eax, dword ptr [ebp+FFFFFF50]
:00507110 E84728F0FF
call 0040995C
:00507115 50
push
eax
:00507116 8D854CFFFFFF lea eax,
dword ptr [ebp+FFFFFF4C]
:0050711C 50
push eax
:0050711D 8D5301
lea edx, dword ptr [ebx+01]
:00507120
B901000000 mov ecx, 00000001
:00507125
8B45E8 mov eax,
dword ptr [ebp-18]
:00507128 E8BF45F3FF
call 0043B6EC
:0050712D 8B854CFFFFFF
mov eax, dword ptr [ebp+FFFFFF4C]
:00507133 E82428F0FF
call 0040995C
:00507138 5A
pop edx
:00507139
92 xchg
eax,edx
:0050713A 2BC2
sub eax, edx
:0050713C 99
cdq
:0050713D 33C2
xor eax, edx
:0050713F
2BC2 sub
eax, edx
:00507141 8D9554FFFFFF lea
edx, dword ptr [ebp+FFFFFF54]
:00507147 E8A426F0FF
call 004097F0
:0050714C 8B9554FFFFFF
mov edx, dword ptr [ebp+FFFFFF54]
:00507152 8D45E0
lea eax, dword ptr [ebp-20]
:00507155
E8D6DDEFFF call 00404F30
:0050715A
43 inc
ebx
:0050715B 83FB05
cmp ebx, 00000005
:0050715E 7594
jne 005070F4------------------------以上构成循环,将11880各位两
两相减,得出一组数字,
1、1-1=0
2、8-1=7
3、8-8=0
4、8-0=8 (0708)
:00507160 BE01000000
mov esi, 00000001
:00507165 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005071B8(C)
|
:0050716A
8D8548FFFFFF lea eax, dword ptr [ebp+FFFFFF48]
:00507170
50 push
eax
:00507171 B901000000 mov
ecx, 00000001
:00507176 8BD3
mov edx, ebx
:00507178 8B45E0
mov eax, dword ptr [ebp-20]
0708--->eax
:0050717B E86C45F3FF
call 0043B6EC
:00507180 8B8548FFFFFF
mov eax, dword ptr [ebp+FFFFFF48]
:00507186 E8D127F0FF
call 0040995C
:0050718B 85C0
test eax,
eax
:0050718D 7425
je 005071B4
:0050718F 8D8544FFFFFF
lea eax, dword ptr [ebp+FFFFFF44]
:00507195 50
push eax
:00507196 B901000000
mov ecx, 00000001
:0050719B
8BD3 mov
edx, ebx
:0050719D 8B45E0
mov eax, dword ptr [ebp-20]
:005071A0 E84745F3FF
call 0043B6EC
:005071A5 8B8544FFFFFF
mov eax, dword ptr [ebp+FFFFFF44]
:005071AB
E8AC27F0FF call 0040995C
:005071B0
F7EE imul
esi
:005071B2 8BF0
mov esi, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050718D(C)
|
:005071B4
43 inc
ebx
:005071B5 83FB05
cmp ebx, 00000005
:005071B8 75B0
jne 0050716A------------------------又是一个循环,将0708进行处
理,如果遇到0,则不处理,遇到其他数字,进行如下处理:
:005071BA 8BC6
mov eax, esi
:005071BC B90A000000
mov ecx, 0000000A
:005071C1 99
cdq
:005071C2
F7F9 idiv
ecx
:005071C4 8BC2
mov eax, edx
如:(7*8)%0xA=6
:005071C6 8D953CFFFFFF
lea edx, dword ptr [ebp+FFFFFF3C]
:005071CC E81F26F0FF
call 004097F0
:005071D1 8D853CFFFFFF
lea eax, dword ptr [ebp+FFFFFF3C]
:005071D7
8B55E0 mov edx,
dword ptr [ebp-20]
:005071DA E851DDEFFF
call 00404F30
将0708与6连接起来得到第三部
分真注册码"60708"
:005071DF
8B853CFFFFFF mov eax, dword ptr [ebp+FFFFFF3C]
:005071E5
8D9540FFFFFF lea edx, dword ptr [ebp+FFFFFF40]
:005071EB
E8FC050000 call 005077EC
:005071F0
8B9540FFFFFF mov edx, dword ptr [ebp+FFFFFF40]
:005071F6
8D45E0 lea eax,
dword ptr [ebp-20]
:005071F9 E802DBEFFF
call 00404D00
:005071FE 8D45EC
lea eax, dword ptr [ebp-14]
:00507201 8B55E0
mov edx, dword ptr [ebp-20]
:00507204
E8F7DAEFFF call 00404D00
:00507209
8D45D4 lea eax,
dword ptr [ebp-2C]
:0050720C 8B55EC
mov edx, dword ptr [ebp-14]
:0050720F E8ECDAEFFF
call 00404D00
:00507214 8D9538FFFFFF
lea edx, dword ptr [ebp+FFFFFF38]
:0050721A
8B45EC mov eax,
dword ptr [ebp-14]
:0050721D E8CA050000
call 005077EC
:00507222 8B8538FFFFFF
mov eax, dword ptr [ebp+FFFFFF38]
:00507228 E82F27F0FF
call 0040995C
:0050722D 0145D0
add dword ptr [ebp-30],
eax
:00507230 8D8530FFFFFF lea eax,
dword ptr [ebp+FFFFFF30]
:00507236 50
push eax
:00507237 B905000000
mov ecx, 00000005
:0050723C BA0D000000
mov edx, 0000000D
:00507241 8B45F4
mov eax, dword ptr
[ebp-0C]
:00507244 E8A344F3FF call
0043B6EC
取第三部分的假码
:00507249 8B8530FFFFFF
mov eax, dword ptr [ebp+FFFFFF30]
:0050724F 8D9534FFFFFF
lea edx, dword ptr [ebp+FFFFFF34]
:00507255 E892050000
call 005077EC
:0050725A 8B9534FFFFFF
mov edx, dword ptr [ebp+FFFFFF34]
:00507260
8B45EC mov eax,
dword ptr [ebp-14]
:00507263 E80CDEEFFF
call 00405074
第三部分的经过变换的真假注
册码相比
:00507268
7409 je 00507273
相等就跳到注册码第四部分的
计算,否则去死(爆破点)
:0050726A
C645F300 mov [ebp-0D],
00
:0050726E E94C030000 jmp
005075BF
------------注册码第四部分计算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507268(C)
|
:00507273
8D9528FFFFFF lea edx, dword ptr [ebp+FFFFFF28]
:00507279
8B45D0 mov eax,
dword ptr [ebp-30]
:0050727C E86F25F0FF
call 004097F0
:00507281 8B8528FFFFFF
mov eax, dword ptr [ebp+FFFFFF28] 811680-->eax
:00507287
8D8D2CFFFFFF lea ecx, dword ptr [ebp+FFFFFF2C]
:0050728D
BA05000000 mov edx, 00000005
:00507292
E821E9FFFF call 00505BB8
811680-->81168
:00507297
8B852CFFFFFF mov eax, dword ptr [ebp+FFFFFF2C]
"81168"-->eax,即第四部分真
注册码
:0050729D 8D55EC
lea edx, dword ptr [ebp-14]
:005072A0 E847050000
call 005077EC
真注册码各位取反
:005072A5 8D8520FFFFFF
lea eax, dword ptr [ebp+FFFFFF20]
:005072AB
50 push
eax
:005072AC B905000000 mov
ecx, 00000005
:005072B1 BA13000000
mov edx, 00000013
:005072B6 8B45F4
mov eax, dword ptr [ebp-0C]
:005072B9 E82E44F3FF
call 0043B6EC
取第四部分的假码
:005072BE
8B8520FFFFFF mov eax, dword ptr [ebp+FFFFFF20]
:005072C4
8D9524FFFFFF lea edx, dword ptr [ebp+FFFFFF24]
:005072CA
E81D050000 call 005077EC
第四部分的假码各位取反
:005072CF
8B9524FFFFFF mov edx, dword ptr [ebp+FFFFFF24]
:005072D5
8B45EC mov eax,
dword ptr [ebp-14]
:005072D8 E897DDEFFF
call 00405074
第四部分的经过变换的真假注
册码相比
:005072DD
7409 je 005072E8
相等就跳到注册码第五部分的
计算,否则去死(爆破点)
:005072DF
C645F300 mov [ebp-0D],
00
:005072E3 E9D7020000 jmp
005075BF
------------注册码第五部分计算---------------
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005072DD(C)
|
:005072E8
33F6 xor
esi, esi
esi清零
:005072EA BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507327(C)
|
:005072EF
8D851CFFFFFF lea eax, dword ptr [ebp+FFFFFF1C]
:005072F5
50 push
eax
:005072F6 8D9518FFFFFF lea edx,
dword ptr [ebp+FFFFFF18]
:005072FC 8B45EC
mov eax, dword ptr [ebp-14]
:005072FF E8E8040000
call 005077EC
:00507304 8B8518FFFFFF
mov eax, dword ptr [ebp+FFFFFF18]
81168-->eax
:0050730A B901000000
mov ecx, 00000001
:0050730F 8BD3
mov edx, ebx
:00507311 E8D643F3FF
call 0043B6EC
:00507316 8B851CFFFFFF
mov eax, dword ptr [ebp+FFFFFF1C]
:0050731C
E83B26F0FF call 0040995C
:00507321
03F0 add
esi, eax
:00507323 43
inc ebx
:00507324 83FB06
cmp ebx, 00000006
:00507327 75C6
jne 005072EF--------------------------以上构成循环,将81168各位
相加,即8+1+1+6+8=0x18---->esi
:00507329 8BC6
mov eax, esi
:0050732B B90A000000
mov ecx, 0000000A
:00507330 99
cdq
:00507331 F7F9
idiv ecx
0x18/0xA
:00507333 8BF2
mov esi, edx
余数为"4"-->esi
:00507335 8D55E0
lea edx, dword ptr
[ebp-20]
:00507338 8BC6
mov eax, esi
:0050733A E8B124F0FF
call 004097F0
:0050733F 33F6
xor esi, esi
:00507341 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050737E(C)
|
:00507346
8D8514FFFFFF lea eax, dword ptr [ebp+FFFFFF14]
:0050734C
50 push
eax
:0050734D 8D9510FFFFFF lea edx,
dword ptr [ebp+FFFFFF10]
:00507353 8B45DC
mov eax, dword ptr [ebp-24]
:00507356 E891040000
call 005077EC
:0050735B 8B8510FFFFFF
mov eax, dword ptr [ebp+FFFFFF10] 721287(见上)-->eax
:00507361
B901000000 mov ecx, 00000001
:00507366
8BD3 mov
edx, ebx
:00507368 E87F43F3FF call
0043B6EC
:0050736D 8B8514FFFFFF mov
eax, dword ptr [ebp+FFFFFF14]
:00507373 E8E425F0FF
call 0040995C
:00507378 03F0
add esi, eax
:0050737A 43
inc ebx
:0050737B
83FB07 cmp ebx,
00000007
:0050737E 75C6
jne 00507346--------------------------又一个循环,将721287各位
相加,即7+2+1+2+8+7=0x1B----->esi
:00507380
8BC6 mov
eax, esi
:00507382 B90A000000 mov
ecx, 0000000A
:00507387 99
cdq
:00507388 F7F9
idiv ecx
0x1B/0xA
:0050738A
8BF2 mov
esi, edx
余数为"7"-->esi
:0050738C 8D950CFFFFFF
lea edx, dword ptr [ebp+FFFFFF0C]
:00507392
8BC6 mov
eax, esi
:00507394 E85724F0FF
call 004097F0
:00507399 8B850CFFFFFF
mov eax, dword ptr [ebp+FFFFFF0C]
:0050739F 8D55EC
lea edx, dword ptr [ebp-14]
:005073A2
E845040000 call 005077EC
:005073A7
33F6 xor
esi, esi
:005073A9 BB01000000 mov
ebx, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:005073E6(C)
|
:005073AE
8D8508FFFFFF lea eax, dword ptr [ebp+FFFFFF08]
:005073B4
50 push
eax
:005073B5 8D9504FFFFFF lea edx,
dword ptr [ebp+FFFFFF04]
:005073BB 8B45D8
mov eax, dword ptr [ebp-28]
:005073BE E829040000
call 005077EC
得到"29685"(见上)
:005073C3
8B8504FFFFFF mov eax, dword ptr [ebp+FFFFFF04]
29685-->eax
:005073C9 B901000000
mov ecx, 00000001
:005073CE 8BD3
mov edx, ebx
:005073D0 E81743F3FF
call 0043B6EC
:005073D5 8B8508FFFFFF
mov eax, dword ptr [ebp+FFFFFF08]
:005073DB
E87C25F0FF call 0040995C
:005073E0
03F0 add
esi, eax
:005073E2 43
inc ebx
:005073E3 83FB06
cmp ebx, 00000006
:005073E6 75C6
jne 005073AE--------------------------又一个循环,将29685各位相
加,即2+9+6+8+5=0x1E----->esi
:005073E8 8BC6
mov eax, esi
:005073EA B90A000000
mov ecx, 0000000A
:005073EF 99
cdq
:005073F0 F7F9
idiv ecx
0x1E/0xA
:005073F2 8BF2
mov esi, edx
余数为"0"-->esi
:005073F4
8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC]
:005073FA
8B45EC mov eax,
dword ptr [ebp-14]
:005073FD E8EA030000
call 005077EC
:00507402 8D85FCFEFFFF
lea eax, dword ptr [ebp+FFFFFEFC]
:00507408 50
push eax
:00507409 8D95F8FEFFFF
lea edx, dword ptr [ebp+FFFFFEF8]
:0050740F
8BC6 mov
eax, esi
:00507411 E8DA23F0FF call
004097F0
:00507416 8B95F8FEFFFF mov
edx, dword ptr [ebp+FFFFFEF8]
:0050741C 58
pop eax
:0050741D E80EDBEFFF
call 00404F30
将余数"7"与余数"0"连接起
来----->"70"
:00507422
8B85FCFEFFFF mov eax, dword ptr [ebp+FFFFFEFC]
:00507428
8D9500FFFFFF lea edx, dword ptr [ebp+FFFFFF00]
:0050742E
E8B9030000 call 005077EC
:00507433
8B9500FFFFFF mov edx, dword ptr [ebp+FFFFFF00]
:00507439
8D45EC lea eax,
dword ptr [ebp-14]
:0050743C E8BFD8EFFF
call 00404D00
:00507441 33F6
xor esi, esi
esi清零
:00507443 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507480(C)
|
:00507448
8D85F4FEFFFF lea eax, dword ptr [ebp+FFFFFEF4]
:0050744E
50 push
eax
:0050744F 8D95F0FEFFFF lea edx,
dword ptr [ebp+FFFFFEF0]
:00507455 8B45D4
mov eax, dword ptr [ebp-2C]
:00507458 E88F030000
call 005077EC
:0050745D 8B85F0FEFFFF
mov eax, dword ptr [ebp+FFFFFEF0]
"60708"(见上)-->eax
:00507463 B901000000
mov ecx, 00000001
:00507468 8BD3
mov edx, ebx
:0050746A E87D42F3FF
call 0043B6EC
:0050746F 8B85F4FEFFFF
mov eax, dword ptr [ebp+FFFFFEF4]
:00507475
E8E224F0FF call 0040995C
:0050747A
03F0 add
esi, eax
:0050747C 43
inc ebx
:0050747D 83FB06
cmp ebx, 00000006
:00507480 75C6
jne 00507448--------------------------又一个循环,将60708各位相
加,即6+0+7+0+8=0x15----->esi
:00507482 8BC6
mov eax, esi
:00507484 B90A000000
mov ecx, 0000000A
:00507489 99
cdq
:0050748A F7F9
idiv ecx
0x15/0xA
:0050748C 8BF2
mov esi, edx
余数为"1"-->esi
:0050748E
8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:00507494
8B45EC mov eax,
dword ptr [ebp-14]
:00507497 E850030000
call 005077EC
:0050749C FFB5E4FEFFFF
push dword ptr [ebp+FFFFFEE4]
:005074A2 8D95E0FEFFFF
lea edx, dword ptr [ebp+FFFFFEE0]
:005074A8 8BC6
mov eax,
esi
:005074AA E84123F0FF call
004097F0
:005074AF FFB5E0FEFFFF push
dword ptr [ebp+FFFFFEE0]
:005074B5 FF75E0
push [ebp-20]
:005074B8 8D85E8FEFFFF
lea eax, dword ptr [ebp+FFFFFEE8]
:005074BE BA03000000
mov edx, 00000003
:005074C3
E820DBEFFF call 00404FE8
将以上得到的余数连接起来
得到数"7014"
:005074C8
8B85E8FEFFFF mov eax, dword ptr [ebp+FFFFFEE8]
"7014"-->eax
:005074CE 8D95ECFEFFFF
lea edx, dword ptr [ebp+FFFFFEEC]
:005074D4 E813030000
call 005077EC
:005074D9 8B95ECFEFFFF
mov edx, dword ptr [ebp+FFFFFEEC]
:005074DF
8D45EC lea eax,
dword ptr [ebp-14]
:005074E2 E819D8EFFF
call 00404D00
:005074E7 33F6
xor esi, esi
esi清零
:005074E9 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00507526(C)
|
:005074EE
8D85DCFEFFFF lea eax, dword ptr [ebp+FFFFFEDC]
:005074F4
50 push
eax
:005074F5 8D95D8FEFFFF lea edx,
dword ptr [ebp+FFFFFED8]
:005074FB 8B45EC
mov eax, dword ptr [ebp-14]
:005074FE E8E9020000
call 005077EC
:00507503 8B85D8FEFFFF
mov eax, dword ptr [ebp+FFFFFED8]
"7014"-->eax
:00507509 B901000000
mov ecx, 00000001
:0050750E 8BD3
mov edx, ebx
:00507510 E8D741F3FF
call 0043B6EC
:00507515 8B85DCFEFFFF
mov eax, dword ptr [ebp+FFFFFEDC]
:0050751B
E83C24F0FF call 0040995C
:00507520
03F0 add
esi, eax
:00507522 43
inc ebx
:00507523 83FB05
cmp ebx, 00000005
:00507526 75C6
jne 005074EE--------------------------又一个循环,将7014各位相加
,即7+0+1+4=0xC----->esi
:00507528 8BC6
mov eax, esi
:0050752A B90A000000
mov ecx, 0000000A
:0050752F 99
cdq
:00507530 F7F9
idiv ecx
0xC/0xA
:00507532 8BF2
mov esi, edx
余数为"2"-->esi
:00507534
8D95D0FEFFFF lea edx, dword ptr [ebp+FFFFFED0]
:0050753A
8B45EC mov eax,
dword ptr [ebp-14]
:0050753D E8AA020000
call 005077EC
:00507542 8D85D0FEFFFF
lea eax, dword ptr [ebp+FFFFFED0]
:00507548 50
push eax
:00507549 8D95CCFEFFFF
lea edx, dword ptr [ebp+FFFFFECC]
:0050754F
8BC6 mov
eax, esi
:00507551 E89A22F0FF call
004097F0
:00507556 8B95CCFEFFFF mov
edx, dword ptr [ebp+FFFFFECC]
:0050755C 58
pop eax
:0050755D E8CED9EFFF
call 00404F30
将"2"与"7014"连接起来,得
到第五部分真注册码,即"70142"
:00507562
8B85D0FEFFFF mov eax, dword ptr [ebp+FFFFFED0]
:00507568
8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
:0050756E
E879020000 call 005077EC
真码各位取反
:00507573
8B95D4FEFFFF mov edx, dword ptr [ebp+FFFFFED4]
:00507579
8D45EC lea eax,
dword ptr [ebp-14]
:0050757C E87FD7EFFF
call 00404D00
:00507581 8D85C4FEFFFF
lea eax, dword ptr [ebp+FFFFFEC4]
:00507587 50
push eax
:00507588 B905000000
mov ecx, 00000005
:0050758D
BA19000000 mov edx, 00000019
:00507592
8B45F4 mov eax,
dword ptr [ebp-0C] 取第五部分的假码
:00507595 E85241F3FF call
0043B6EC
:0050759A 8B85C4FEFFFF mov
eax, dword ptr [ebp+FFFFFEC4]
:005075A0 8D95C8FEFFFF
lea edx, dword ptr [ebp+FFFFFEC8]
:005075A6 E841020000
call 005077EC
第五部分的假码取反
:005075AB
8B95C8FEFFFF mov edx, dword ptr [ebp+FFFFFEC8]
:005075B1
8B45EC mov eax,
dword ptr [ebp-14]
:005075B4 E8BBDAEFFF
call 00405074 第五部分的经过变换的真假注册码相比
:005075B9 7404
je 005075BF 相等就跳,注册成功,否则去死(爆破点)
:005075BB
C645F300 mov [ebp-0D],
00
所以注册信息为:
序列号:3781489924572
注册名:wzh123
注册码:H1287-29685-60708-81168-70142
由于注册算法用到了序列号,所以,一个注册码只对应一台机器,你只好自己算算了^-^