法律文书、合同样本库 5.10破解手记--算法分析
作者:newlaos[CCG][DFCG]
软件名称:法律文书、合同样本库
5.10(行业软件)
整理日期:2003.4.23
最新版本:5.10
文件大小:3780KB
软件授权:共享软件
使用平台:Win9x/Me/NT/2000/XP
发布公司:"http://www.votolink.com/"
软件简介:万通联合一贯专注于法律咨询、商务咨询。在我们多年为客户服务的过程中,积累了大量的法律文书样本、标准合同样本和相关法律信息。我们把这些信息制作成了专业的信息软件,以共享软件的形式向广大用户提供。软件的内容主要包括:法律格式文书库、公司常用文书库
、行业合同样板库 、版权与著作权类 、律师办案宝典 等。
加密方式:ASPACK2.1+注册码
功能限制:功能限制
PJ工具:TRW20001.23注册版,W32Dasm8.93黄金版,FI2.5,OLLYDBG1.09B中文版,PE-scan3.31
PJ日期:2003-04-27
作者newlaos申明:只是学习,请勿用于商业用途或是将本文方法制作的注册机任意传播,造成后果,本人一概不负。
注:笔者认为用eBook Edit Pro做软件,真的不保险! 即使是用它最强的功能"10位机器码+密钥",只要知道它的密钥(这个密钥竟然在程序运行中以明文的形式出现在内存里),就可以用eBook Edit Pro自带的KeyMaker.exe求得真正的注册码了。本文对算法的分析,也就等效于对KeyMaker.exe加密算法的分析。
1、用FI2.5查壳,发现加了ASPACK2.1的壳,用TRW2000进行手动脱壳,也可以用PE-scan3.31脱壳! 生成UNPACK.exe文件。
2、用W32Dasm黄金修正版进行静态反汇编,找不到任何有用的信息,只有用TRW2000的万能断点大法了。
3、动态跟踪调试。请出国宝TRW2000,下断点BPX hmemcpy。输入假码78787878,点确定被断下来,F12和F10来到下列代码段
.......
.......
:004786C0
50 push
eax
:004786C1 8D55F8
lea edx, dword ptr [ebp-08]
:004786C4 8BC3
mov eax, ebx
:004786C6 8B08
mov ecx, dword ptr
[eax]
:004786C8 FF91E4000000 call
dword ptr [ecx+000000E4]
:004786CE 8B45F8
mov eax, dword ptr [ebp-08] <===EAX=3754256370(机器码)
:004786D1
8B8BF8020000 mov ecx, dword ptr [ebx+000002F8]
<===ECX=lawtxt163424(这里密钥竟然以明文形式出现在寄存器里,从破解角度而言就太简单了:-)
:004786D7 5A
pop edx <===EDX=78787878(假码)
:004786D8
E81FF7FFFF call 00477DFC <===不用问关键的CALL,F8跟进(其实到这里,已经可以利用eBook
Edit Pro自带的KeyMaker.exe,求得真正的注册码了,即填入机器码,再填入密钥,最后点生成,就出来真正的注册码了)----得出结论用eBook
Edit Pro做的程序并不保险呀!在OLLYDBG里密钥竟然也可以在内存堆栈中找到!
:004786DD 8BD8
mov ebx, eax
:004786DF 33C0
xor eax,
eax
:004786E1 5A
pop edx
:004786E2 59
pop ecx
:004786E3 59
pop ecx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00478675(C)
|
:004786E4
648910 mov dword
ptr fs:[eax], edx
:004786E7 6801874700
push 00478701
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004786FF(U)
|
:004786EC
8D45F8 lea eax,
dword ptr [ebp-08]
:004786EF BA02000000
mov edx, 00000002
:004786F4 E8CFB4F8FF
call 00403BC8
:004786F9 C3
ret
---------004786D8
call 00477DFC 关键的CALL,F8跟进-------------
:00477DFC 55
push ebp
:00477DFD 8BEC
mov ebp, esp
:00477DFF
81C4FCFEFFFF add esp, FFFFFEFC
:00477E05
53 push
ebx
:00477E06 56
push esi
:00477E07 57
push edi
:00477E08 33DB
xor ebx, ebx
:00477E0A 895DFC
mov dword ptr [ebp-04],
ebx
:00477E0D 8BF9
mov edi, ecx
:00477E0F 8BF2
mov esi, edx
:00477E11 8BD8
mov ebx, eax
:00477E13
33C0 xor
eax, eax
:00477E15 55
push ebp
:00477E16 68637E4700
push 00477E63
:00477E1B 64FF30
push dword ptr fs:[eax]
:00477E1E 648920
mov dword ptr fs:[eax],
esp
:00477E21 8D8DFCFEFFFF lea ecx,
dword ptr [ebp+FFFFFEFC]
:00477E27 8BD7
mov edx, edi <===EDX=lawtxt163424(作者定的密钥)
:00477E29
8BC3 mov
eax, ebx <===EAX=3754256370(机器码)
:00477E2B E864FEFFFF
call 00477C94 <===关键算法CALL,F8跟进
:00477E30 8D95FCFEFFFF
lea edx, dword ptr [ebp+FFFFFEFC]
:00477E36
8D45FC lea eax,
dword ptr [ebp-04]
:00477E39 E88ABFF8FF
call 00403DC8
:00477E3E 8B45FC
mov eax, dword ptr [ebp-04] <===真注册码Sey0kJw6CBL6
:00477E41
8BD6 mov
edx, esi <===假码78787878
:00477E43 E8ECC0F8FF
call 00403F34
:00477E48 0F94C0
sete al
:00477E4B 8BD8
mov ebx, eax
:00477E4D
33C0 xor
eax, eax
:00477E4F 5A
pop edx
:00477E50 59
pop ecx
:00477E51 59
pop ecx
:00477E52
648910 mov dword
ptr fs:[eax], edx
:00477E55 686A7E4700
push 00477E6A
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477E68(U)
|
:00477E5A
8D45FC lea eax,
dword ptr [ebp-04]
:00477E5D E842BDF8FF
call 00403BA4
:00477E62 C3
ret
--------00477E2B
call 00477C94 算法CALL,F8跟进--------------
:00477C94 55
push ebp
:00477C95 8BEC
mov ebp, esp
:00477C97
83C4E0 add esp,
FFFFFFE0
:00477C9A 53
push ebx
:00477C9B 56
push esi
:00477C9C 57
push edi
:00477C9D
33DB xor
ebx, ebx
:00477C9F 895DE0
mov dword ptr [ebp-20], ebx
:00477CA2 895DE4
mov dword ptr [ebp-1C], ebx
:00477CA5
895DE8 mov dword
ptr [ebp-18], ebx
:00477CA8 8BF9
mov edi, ecx
:00477CAA 8955F8
mov dword ptr [ebp-08], edx
:00477CAD
8945FC mov dword
ptr [ebp-04], eax
:00477CB0 8B45FC
mov eax, dword ptr [ebp-04] <===EAX=3754256370(机器码)
:00477CB3
E820C3F8FF call 00403FD8
:00477CB8
8B45F8 mov eax,
dword ptr [ebp-08] <===EAX=lawtxt163424(作者定的密钥)
:00477CBB E818C3F8FF
call 00403FD8
:00477CC0 33C0
xor eax, eax
:00477CC2
55 push
ebp
:00477CC3 68ED7D4700 push
00477DED
:00477CC8 64FF30
push dword ptr fs:[eax]
:00477CCB 648920
mov dword ptr fs:[eax], esp
:00477CCE
837DFC00 cmp dword ptr
[ebp-04], 00000000 <===[ebp-04]为机器码不会跳
:00477CD2 746F
je 00477D43
:00477CD4 BB01000000
mov ebx, 00000001 <===计数器EBX初始化为1
:00477CD9
8D75EF lea esi,
dword ptr [ebp-11]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D09(C)
|
:00477CDC
8B45FC mov eax,
dword ptr [ebp-04] <===EAX=3754256370(机器码)
:00477CDF E840C1F8FF
call 00403E24 <===计算出机器码的长度(EAX=A)
:00477CE4
50 push
eax <===压入A
:00477CE5 8BC3
mov eax, ebx <===EBX为计数器(依次为1,2,3,4,5,6,7,8,9)
:00477CE7
48 dec
eax <===EAX依次为0,1,2,3,4,5,6,7,8
:00477CE8 5A
pop edx <===EDX=A
(定值)
:00477CE9 8BCA
mov ecx, edx
:00477CEB 99
cdq
:00477CEC F7F9
idiv ecx <===这里EAX始终为0,而EDX依次为012345678
:00477CEE
8B45FC mov eax,
dword ptr [ebp-04] <===EAX=3754256370(机器码)
:00477CF1 8A0410
mov al, byte ptr [eax+edx] <===依次将机器码每个字符的ASC值,放入AL
:00477CF4
50 push
eax
:00477CF5 8B45FC
mov eax, dword ptr [ebp-04] <===EAX=3754256370(机器码)
:00477CF8 E827C1F8FF
call 00403E24 <===计算出机器码的长度(EAX=A)
:00477CFD
5A pop
edx <===取出每个字符的ASC值
:00477CFE 32D0
xor dl, al
:00477D00 32D3
xor dl, bl
DL= A XOR 33=39 XOR 1=38
DL= A XOR 37=3D XOR 2=3F
DL= A XOR 35=3F XOR 3=3C
DL= A XOR 34=3E XOR 4=3A
DL= A XOR 32=38 XOR 5=3D
DL= A XOR 35=3F XOR 6=39
DL= A XOR 36=3C XOR 7=3B
DL= A XOR 33=39 XOR 8=31
DL= A XOR 37=3D XOR 9=34
:00477D02 8816
mov byte
ptr [esi], dl <===第一遍处理的值依次放入ESI的位置里
:00477D04 43
inc ebx <===EBX=EBX+1
:00477D05
46 inc
esi
:00477D06 83FB0A
cmp ebx, 0000000A <===说明此处循环9次,正好处理机器码的前9位
:00477D09 75D1
jne 00477CDC
<===向上跳成循环结构,对机器码进行第一遍变形处理
:00477D0B 8B45FC
mov eax, dword ptr [ebp-04] <===EAX=3754256370(机器码)
:00477D0E
E811C1F8FF call 00403E24 <===计算出机器码的长度(EAX=A)
:00477D13
8BF0 mov
esi, eax <===ESI=A
:00477D15 85F6
test esi, esi
:00477D17 7E2A
jle 00477D43 <===当然不跳了
:00477D19
BB01000000 mov ebx, 00000001 <===计数器EBX再次初始化为1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D41(C)
|
:00477D1E
8B45FC mov eax,
dword ptr [ebp-04] <===EAX=3754256370(机器码)
:00477D21 E8FEC0F8FF
call 00403E24 <===计算出机器码的长度(EAX=A)
:00477D26
2BC3 sub
eax, ebx <===EAX=EAX-EBX(依次为9876543210)
:00477D28 8B55FC
mov edx, dword ptr [ebp-04]
<===EDX=3754256370(机器码)
:00477D2B 8A0C02
mov cl, byte ptr [edx+eax] <===反向顺序依次取机器码的ASC值
:00477D2E
8BC3 mov
eax, ebx <===EAX依次为123456789A
:00477D30 48
dec eax
<===EAX依次为0123456789
:00477D31 51
push ecx <===ASC值压入栈
:00477D32
B909000000 mov ecx, 00000009 <===ECX=9
:00477D37
99 cdq
:00477D38
F7F9 idiv
ecx <===EAX前9次始终为0,最后一次为1,EDX依次为0123456780
:00477D3A 59
pop ecx <===ECX为依次取出的ASC值
:00477D3B
304C15EF xor byte ptr [ebp+edx-11],
cl <===依次与上个循环出来的值做异或运算
38 xor 30=08 XOR 33 =3B <===由于是10次,所以又循环上来做异或运算,
3F xor 37=08
3C xor 33=0F
3A xor 36=0C
3D xor
35=08
39 xor 32=0B
3B xor 34=0F
31 xor 35=04
34 xor 37=03
:00477D3F 43
inc ebx
:00477D40 4E
dec esi <===此次循环,却是由ESI说了算,所以循环了10次,即机器码的长度次
:00477D41
75DB jne
00477D1E <===向上跳构成循环结构,对机器码进行第二次变形,反向顺序
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00477CD2(C),
:00477D17(C)
|
:00477D43 837DF800
cmp dword ptr [ebp-08], 00000000 <===[ebp-08]=lawtxt163424(作者定的密钥)
:00477D47
7439 je 00477D82
<===当然不跳了
:00477D49 BB01000000
mov ebx, 00000001 <===计数器初始化为1
:00477D4E 8D75EF
lea esi, dword ptr [ebp-11]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D80(C)
|
:00477D51
8B45F8 mov eax,
dword ptr [ebp-08] <===EAX=lawtxt163424
:00477D54 E8CBC0F8FF
call 00403E24 <===计算出密钥的长度EAX=C
:00477D59
50 push
eax <===将长度C压入栈
:00477D5A 8BC3
mov eax, ebx <===EAX依次为123456789
:00477D5C
48 dec
eax <===EAX依次为012345678
:00477D5D 5A
pop edx <===EDX=C
:00477D5E
8BCA mov
ecx, edx <===ECX=C
:00477D60 99
cdq
:00477D61 F7F9
idiv ecx <===EAX始终为0,EDX依次为012345678
:00477D63
8B45F8 mov eax,
dword ptr [ebp-08] <===EAX=lawtxt163424
:00477D66 8A0410
mov al, byte ptr [eax+edx] <===依次取出密钥前9个字符的ASC值
:00477D69
3206 xor
al, byte ptr [esi]
AL=3B XOR 6C=57
AL=08
XOR 61=69
AL=0F XOR 77=78
AL=0C XOR 74=78
AL=08 XOR 78=70
AL=0B XOR 74=7F
AL=0F XOR 31=3E
AL=04
XOR 36=32
AL=03 XOR 33=30
:00477D6B
50 push
eax
:00477D6C 8B45F8
mov eax, dword ptr [ebp-08]<===EAX=lawtxt163424
:00477D6F E8B0C0F8FF
call 00403E24 <===计算出密钥的长度EAX=C
:00477D74
5A pop
edx <===EDX依次为上面计算出的值
:00477D75 32D0
xor dl, al <===
:00477D77 32D3
xor dl, bl
DL= C XOR 57=39 XOR 1=5A (ASC="Z")
DL= C XOR 69=3D XOR 2=67 (ASC="g")
DL= C XOR 78=3F XOR 3=77 (ASC="w")
DL= C XOR 78=3E XOR 4=70 (ASC="p")
DL= C XOR 70=38 XOR 5=79 (ASC="y")
DL= C XOR 7F=3F XOR 6=75 (ASC="u")
DL= C XOR 3E=3C XOR 7=35 (ASC="5")
DL= C XOR 32=39 XOR 8=36 (ASC="6")
DL= C XOR 30=3D XOR 9=35 (ASC="5")
:00477D79
8816 mov
byte ptr [esi], dl
:00477D7B 43
inc ebx
:00477D7C 46
inc esi
:00477D7D 83FB0A
cmp ebx, 0000000A <===哈哈,又是只循环9次
:00477D80
75CF jne
00477D51 <===向上跳构成循环结构
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D47(C)
|
:00477D82
8D45E8 lea eax,
dword ptr [ebp-18]
:00477D85 E81ABEF8FF
call 00403BA4
:00477D8A BB09000000
mov ebx, 00000009
:00477D8F 8D75EF
lea esi, dword ptr [ebp-11]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477DA9(C)
|
:00477D92
8D45E4 lea eax,
dword ptr [ebp-1C]
:00477D95 8A16
mov dl, byte ptr [esi] <===依次取出Zgwpyu565的ASC值
:00477D97
E8B0BFF8FF call 00403D4C
:00477D9C 8B55E4
mov edx, dword ptr [ebp-1C]
:00477D9F 8D45E8
lea eax, dword ptr [ebp-18]
:00477DA2
E885C0F8FF call 00403E2C
:00477DA7
46 inc
esi
:00477DA8 4B
dec ebx
:00477DA9 75E7
jne 00477D92 <===向上跳构成循环结构
:00477DAB 8D55E0
lea edx, dword ptr [ebp-20]
:00477DAE
8B45E8 mov eax,
dword ptr [ebp-18] <===EAX=Zgwpyu565
:00477DB1 E89AFDFFFF
call 00477B50 <===最后的关键CALL,F8跟进
:00477DB6
8B55E0 mov edx,
dword ptr [ebp-20] <===EDX=Sey0kJw6CBL6
:00477DB9 8BC7
mov eax, edi
:00477DBB B9FF000000
mov ecx, 000000FF
:00477DC0
E83BC0F8FF call 00403E00
:00477DC5
33C0 xor
eax, eax
:00477DC7 5A
pop edx
:00477DC8 59
pop ecx
:00477DC9 59
pop ecx
:00477DCA
648910 mov dword
ptr fs:[eax], edx
:00477DCD 68F47D4700
push 00477DF4
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477DF2(U)
|
:00477DD2
8D45E0 lea eax,
dword ptr [ebp-20]
:00477DD5 BA03000000
mov edx, 00000003
:00477DDA E8E9BDF8FF
call 00403BC8
:00477DDF 8D45F8
lea eax, dword ptr [ebp-08]
:00477DE2 BA02000000
mov edx, 00000002
:00477DE7
E8DCBDF8FF call 00403BC8
:00477DEC
C3 ret
:00477DED
E92EB8F8FF jmp 00403620
:00477DF2
EBDE jmp
00477DD2
:00477DF4 5F
pop edi
:00477DF5 5E
pop esi
:00477DF6 5B
pop ebx
:00477DF7
8BE5 mov
esp, ebp
:00477DF9 5D
pop ebp
:00477DFA C3
ret
------:00477DB1
call 00477B50 最后的关键CALL,F8跟进----------------
:00477B50 55
push ebp
:00477B51
8BEC mov
ebp, esp
:00477B53 83C4F0
add esp, FFFFFFF0
:00477B56 53
push ebx
:00477B57 56
push esi
:00477B58
57 push
edi
:00477B59 33C9
xor ecx, ecx
:00477B5B 894DF0
mov dword ptr [ebp-10], ecx
:00477B5E 8BFA
mov edi, edx
:00477B60
8945FC mov dword
ptr [ebp-04], eax
:00477B63 8B45FC
mov eax, dword ptr [ebp-04]
:00477B66 E86DC4F8FF
call 00403FD8
:00477B6B 33C0
xor eax, eax
:00477B6D
55 push
ebp
:00477B6E 68847C4700 push
00477C84
:00477B73 64FF30
push dword ptr fs:[eax]
:00477B76 648920
mov dword ptr fs:[eax], esp
:00477B79
8BC7 mov
eax, edi
:00477B7B E824C0F8FF call
00403BA4
:00477B80 E9D7000000 jmp
00477C5C <===我跳
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C60(C)
| *********************从下跳上来,开始循环**********************
:00477B85
8B45FC mov eax,
dword ptr [ebp-04] <===EAX依次为Zgwpyu565,pyu565,565(每次用三位)
:00477B88 E897C2F8FF
call 00403E24 <===求出长度9,6,3
:00477B8D
8BC8 mov
ecx, eax <===ECX=9,6,3
:00477B8F 8BC1
mov eax, ecx
:00477B91 BB03000000
mov ebx, 00000003
:00477B96
99 cdq
:00477B97
F7FB idiv
ebx <===EAX=3,2,1 EDX=0
:00477B99 85C0
test eax, eax
:00477B9B
7E07 jle
00477BA4 <===如果商为0,就跳走
:00477B9D BB03000000
mov ebx, 00000003
:00477BA2 EB02
jmp 00477BA6 <===我跳
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B9B(C)
|
:00477BA4
8BD9 mov
ebx, ecx <===如果商为0,则EBX就为长度
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BA2(U)
|
:00477BA6
8D45F9 lea eax,
dword ptr [ebp-07] <===跳到这里
:00477BA9 33C9
xor ecx, ecx <===ECX=0
:00477BAB
BA03000000 mov edx, 00000003 <===edx=3
:00477BB0
E8B3AFF8FF call 00402B68 <===在[ebp-07]的内存位置上布上3个0
:00477BB5
8D45F5 lea eax,
dword ptr [ebp-0B]
:00477BB8 B940000000
mov ecx, 00000040
:00477BBD BA04000000
mov edx, 00000004
:00477BC2 E8A1AFF8FF
call 00402B68 <===在[ebp-0B]的内存位置上布上4个40
:00477BC7
8D45FC lea eax,
dword ptr [ebp-04]
:00477BCA E825C4F8FF
call 00403FF4 <===EAX=Zgwpyu565
:00477BCF 8D55F9
lea edx, dword ptr [ebp-07]
:00477BD2
8BCB mov
ecx, ebx <===ECX=3
:00477BD4 E8B7ACF8FF
call 00402890 <===在[ebp-07]的内存位置上依次放上Zgw, pyu, 565
:00477BD9
83FB03 cmp ebx,
00000003
:00477BDC 7C08
jl 00477BE6
:00477BDE 8A45FB
mov al, byte ptr [ebp-05] <===将字符串的最后一个字符取出(例:"w","u","5")
:00477BE1
243F and
al, 3F
第一次大循环(w) AL=77
AND 3F =37
第二次大循环(u) AL=75 AND 3F
=35
第三次大循环(5) AL=35 AND 3F =35
:00477BE3
8845F8 mov byte
ptr [ebp-08], al <===关键位置1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BDC(C)
|
:00477BE6
83FB02 cmp ebx,
00000002
:00477BE9 7C15
jl 00477C00
:00477BEB 8A45FA
mov al, byte ptr [ebp-06] <===将字符串的倒数第二个字符取出(例:"g","y","6")
:00477BEE
C1E002 shl eax,
02
:00477BF1 33D2
xor edx, edx
第一次大循环(g) AL=67
shl 02 =9C
第二次大循环(y) AL=79 shl 02
=E4
第三次大循环(6) AL=36 shl 02 =D8
:00477BF3 8A55FB mov
dl, byte ptr [ebp-05] <===将字符串的倒数第一个字符取出(例:"w","u","5")
:00477BF6
C1EA06 shr edx,
06
第一次大循环(w) DL=77 shr 06 =01
第二次大循环(u) DL=75 shr 06 =01
第三次大循环(5) DL=35 shr 06 =00
:00477BF9 0AC2
or al, dl
:00477BFB
243F and
al, 3F
第一次大循环 AL=9C OR 01 =9D AND
3F =1D
第二次大循环 AL=E4 OR 01 =E5 AND
3F =25
第三次大循环 AL=D8 OR 00 =D8 AND
3F =18
:00477BFD 8845F7
mov byte ptr [ebp-09],
al <===关键位置2
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00477BE9(C)
|
:00477C00 8A45F9
mov al, byte ptr [ebp-07] <===将字符串的第一个字符取出(例:"Z","p","5")
:00477C03
8BD0 mov
edx, eax
:00477C05 C1E204
shl edx, 04
第一次大循环(Z)
DL=5A shl 04 =A0
第二次大循环(p) DL=70
shl 04 =00
第三次大循环(5) DL=35 shl 04
=50
:00477C08 33C9
xor ecx, ecx
:00477C0A 8A4DFA
mov cl, byte ptr [ebp-06] <===将字符串的倒数第二个字符取出(例:"g","y","6")
:00477C0D
C1E904 shr ecx,
04
第一次大循环(g) CL=67 shr 04 =6
第二次大循环(y) CL=79 shr 04 =7
第三次大循环(6) CL=36 shr 04 =3
:00477C10 0AD1
or dl, cl
:00477C12
80E23F and dl, 3F
第一次大循环 DL=A0 OR 6 =A6 AND
3F=26
第二次大循环 DL=00 OR
7 =07 AND 3F=07
第三次大循环 DL=50
OR 3 =53 AND 3F=13
:00477C15 8855F6
mov byte ptr [ebp-0A], dl <===关键位置3
:00477C18
25FF000000 and eax, 000000FF
:00477C1D
C1E802 shr eax,
02
:00477C20 243F
and al, 3F
第一次大循环(Z) AL=5A
shr 02 =16 AND 3F=16
第二次大循环(p) AL=70
shr 02 =1C AND 3F=1C
第三次大循环(5) AL=35
shr 02 =0D AND 3F=0D
:00477C22 8845F5
mov byte ptr [ebp-0B], al <===关键位置4
:00477C25
8D45FC lea eax,
dword ptr [ebp-04]
:00477C28 8BCB
mov ecx, ebx <===ECX=3
:00477C2A
BA01000000 mov edx, 00000001
<===EDX=1
:00477C2F E838C4F8FF
call 0040406C <===EAX依次为pyu565,565
:00477C34
BE04000000 mov esi, 00000004
<===ESI=4,计数器初始化为4(因为正好4个关键位置的值)
:00477C39 8D5DF5
lea ebx, dword ptr [ebp-0B]
第一次大循环四个关键位置的值 16 26 1D 37
第二次大循环四个关键位置的值
1C 07 25 35
第三次大循环四个关键位置的值 0D 13 28 35
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00477C5A(C)
|
:00477C3C
8D45F0 lea eax,
dword ptr [ebp-10]
:00477C3F 33D2
xor edx, edx
:00477C41 8A13
mov dl, byte ptr [ebx]
第一次大循环中,小循环里DL的值依次为 16 26 1D 37
第二次大循环中,小循环里DL的值依次为
1C 07 25 35
第三次大循环中,小循环里DL的值依次为 0D 13 28 35
:00477C43
8A929DE44700 mov dl, byte ptr [edx+0047E49D]
<===根据EDX的不同在码表中取值
*****************码表如下(共65个值)*********************
0047E49D
49 59 41 47 50 58 44 4A IYAGPXDJ
0047E4A5 51 57 4D 48 56
43 4E 46 QWMHVCNF
0047E4AD 55 5A 52 42 4B 45 53 4F UZRBKESO
0047E4B5
4C 54 74 66 6B 79 73 62 LTtfkysb
0047E4BD 6F 68 6C 75 6A
77 65 63 ohlujwec
0047E4C5 70 6D 69 61 71 6E 64 78 pmiaqndx
0047E4CD
7A 76 67 72 34 36 2B 30 zvgr46+0
0047E4D5 32 35 37 33 2F
38 31 3D 2573/81=
0047E4DD 39
9
********************************************************
第一次大循环中,小循环里DL的值依次提取的是 S e y 0
第二次大循环中,小循环里DL的值依次提取的是 k J w 6
第三次大循环中,小循环里DL的值依次提取的是
C B L 6
:00477C49 E8FEC0F8FF call
00403D4C
:00477C4E 8B55F0
mov edx, dword ptr [ebp-10]
:00477C51 8BC7
mov eax, edi
:00477C53 E8D4C1F8FF
call 00403E2C
:00477C58 43
inc
ebx
:00477C59 4E
dec esi
:00477C5A 75E0
jne 00477C3C <===此处向上跳,构成一个小循环,每次循环形成注册码的1个字符,每次大循环,此处循环4次,注册码也就出来了"Sey0kJw6CBL6"。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B80(U)
|
:00477C5C
837DFC00 cmp dword ptr
[ebp-04], 00000000 <===第一大跳到这里
:00477C60 0F851FFFFFFF
jne 00477B85 <===因为[ebp-04]=Zgwpyu565,所以这里又向上跳,开始大循环,每次循环形成注册码的四个字符,共循环三次
:00477C66
33C0 xor
eax, eax
:00477C68 5A
pop edx
:00477C69 59
pop ecx
:00477C6A 59
pop ecx
:00477C6B
648910 mov dword
ptr fs:[eax], edx
:00477C6E 688B7C4700
push 00477C8B
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C89(U)
|
:00477C73
8D45F0 lea eax,
dword ptr [ebp-10]
:00477C76 E829BFF8FF
call 00403BA4
:00477C7B 8D45FC
lea eax, dword ptr [ebp-04]
:00477C7E E821BFF8FF
call 00403BA4
:00477C83 C3
ret
:00477C84
E997B9F8FF jmp 00403620
:00477C89
EBE8 jmp
00477C73
:00477C8B 5F
pop edi
:00477C8C 5E
pop esi
:00477C8D 5B
pop ebx
:00477C8E
8BE5 mov
esp, ebp
:00477C90 5D
pop ebp
:00477C91 C3
ret
-----------------------------------------------------------------------------------
4、算法注册机源码:(等效于eBook Edit Pro自带的KeyMaker.exe的部分功能)
----VB6.0在WIN98下编译通过----
' Command1_Click: recomputes the registration code for the 10-digit machine ID
' typed into Text1 and writes it to Text2.
'
' What this routine demonstrates about the licensing scheme (as seen in the
' listing above): the per-product secret (setkey) is a constant embedded in the
' program and present in plaintext at runtime, and the code is a deterministic
' function of (machine ID, secret) built only from XOR and a fixed 65-character
' substitution table. Anyone who recovers the constant can therefore regenerate
' valid codes; a scheme whose verifier must hold the same secret that generates
' the code cannot be protected this way, which is why signature-based schemes
' (client holds only a public key) are preferred for offline licensing.
'
' Inputs:  Text1.Text  - machine ID, must be exactly 10 characters
' Outputs: Text2.Text  - 12-character registration code
'          MsgBox      - shown when the input is not a 10-digit string
Private Sub Command1_Click()
' eBook Edit Pro's built-in substitution alphabet (the 65-byte table at 0047E49D in the listing)
softbiao = "IYAGPXDJQWMHVCNFUZRBKESOLTtfkysbohlujwecpmiaqndxzvgr46+02573/81=9"
' Product-specific secret chosen by the software author (visible as plaintext in the listing)
setkey = "lawtxt163424"
keylen = Len(setkey)
' Stage-1 buffer: nine transformed bytes derived from the machine ID
A = Array(0, 0, 0, 0, 0, 0, 0, 0, 0)
strin = Text1.Text
nlen = Len(strin)
' z = 1 means input accepted; z = 2 means malformed input
z = 1
If nlen <> 10 Then
    z = 2
Else
    ' Pass 1: check each of the first nine characters is a digit and
    ' fold in the length (10) and the 1-based position.
    ' NOTE: a non-digit only sets z; the loop continues and Text2 is still
    ' assigned below before the error dialog is shown.
    For j = 0 To 8
        ztmp = Asc(Mid(strin, j + 1, 1))
        A(j) = ztmp Xor nlen Xor (j + 1)
        If ztmp < 48 Or ztmp > 57 Then
            z = 2
        End If
    Next j
    ' Pass 2: XOR the machine ID in reverse order over the 9-byte buffer;
    ' ten characters over nine slots, so index j wraps to 0 once.
    j = 0
    For i = 1 To nlen
        A(j) = A(j) Xor Asc(Mid(strin, nlen + 1 - i, 1))
        j = j + 1
        If j = 9 Then
            j = 0
        End If
    Next i
    ' Pass 3: mix in the first nine characters of the secret, its length
    ' and the 1-based position.
    For k = 0 To 8
        A(k) = (A(k) Xor Asc(Mid(setkey, k + 1, 1))) Xor keylen Xor (k + 1)
    Next k
    ' Stage 2: encode the nine bytes three at a time into four 6-bit
    ' indices into softbiao (base64-style packing with a custom alphabet).
    ' Case 1 handles byte 0 of the triple, Case 2 bytes 0/1 and 1/2,
    ' Case 3 byte 2 and appends the four characters.
    For i = 0 To 8
        k = (i Mod 3) + 1
        Select Case k
            Case 1
                ' byte0 >> 2 (integer division by 4 acts as a logical right shift)
                AL1 = Int(A(i) / 4) And &H3F
                str1 = Mid(softbiao, AL1 + 1, 1)
            Case 2
                ' (byte0 << 4) via hex string manipulation, low byte only
                DL1 = CInt("&H" + Right(Hex(A(i - 1)) + "0", 2))
                ' byte1 >> 4 : the leading hex digit
                DL2 = CInt("&H" + Left(Hex(A(i)), 1))
                AL2 = (DL1 Or DL2) And &H3F
                str2 = Mid(softbiao, AL2 + 1, 1)
                ' (byte1 << 2), low byte only
                DL3 = CInt("&H" + Right(Hex(A(i) * 4), 2))
                ' byte2 >> 6 : drop the two low octal digits (6 bits)
                lentmp = Len(Oct(A(i + 1)))
                If lentmp <= 2 Then
                    dl4 = 0
                Else
                    dl4 = CInt("&O" + Mid(Oct(A(i + 1)), 1, lentmp - 2))
                End If
                AL3 = (DL3 Or dl4) And &H3F
                str3 = Mid(softbiao, AL3 + 1, 1)
            Case 3
                ' byte2 & 0x3F
                AL4 = A(i) And &H3F
                str4 = Mid(softbiao, AL4 + 1, 1)
                laststr = laststr + str1 + str2 + str3 + str4
        End Select
    Next i
    Text2.Text = laststr
End If
If z = 2 Then
    ' return value of MsgBox is not used
    h = MsgBox("你的输入有误,请检查后重新输入", 0, "你输入的是10位的机器吗?")
End If
End Sub
5、注册信息保存在注册表:(只要是用eBook Edit Pro加密的软件,其注册信息都放在这个位置)
[HKEY_CURRENT_USER\Software\eBook Edit Pro\Login\18BD1A10]
"SD"=dword:00009368
"SO"=dword:00000009
"LoginUser"="3754256370"
"LoginPassword"="Sey0kJw6CBL6"
BTW:很多CRACKER都收到过律师信,被告知如何如何侵犯软件作者的利益。现在倒好北京市一格律师事务所竟然非法使用工具软件制作《法律文书、合同样本库
5.10》。一怒之下,特意制作成此注册机! 为所有CRACKER鸣不平。