万年历 V2.4.053　

标题：万年历 V2.4.053　
作者：fly
时间：2003/05/07 07:14pm
链接：http://bbs.pediy.com

算法浅探——万年历 V2.4.053

下载页面： http://www.skycn.com/soft/11961.html
软件大小： 241 KB
软件语言：简体中文
软件类别：国产软件 / 共享版 / 时钟日历
应用平台： Win9x/NT/2000/XP
加入时间： 2003-05-05 11:11:05
下载次数： 29
推荐等级： ***

【软件简介】：本万年历工作范围1901-2100年，共200年。能显示公历、农历日期，交节气时间，年月日时干支，及简单的占卜等；想知道今天的运气如何？可以试试………

【软件限制】：20次试用。免费软件。

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、AspackDie、W32Dasm 9.0白金版

—————————————————————————————————
【过程】：

这个小东东的算法实在是有点麻烦，呵呵，跟到中间有点头大眼花了。^O^ ^O^
万年历 V2.4.053.exe 是ASPack 2.12壳，用AspackDie脱之。2410K->708K。 Delphi 编写。

用户名：fly
机器码：c7a5f8d8
试炼码：13572468
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475C1C(C)
|
:00475C31 8D55F8 lea edx, dword ptr [ebp-08]
:00475C34 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:00475C3A E83924FCFF call 00438078
:00475C3F 837DF800 cmp dword ptr [ebp-08], 00000000
====>没有注册码？

:00475C43 7523 jne 00475C68
:00475C45 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:00475C4B 8B10 mov edx, dword ptr [eax]
:00475C4D FF92C4000000 call dword ptr [edx+000000C4]

* Possible StringData Ref from Code Obj ->"未输入注册码"
|
:00475C53 BA885E4700 mov edx, 00475E88
:00475C58 8B8308030000 mov eax, dword ptr [ebx+00000308]
:00475C5E E84524FCFF call 004380A8
:00475C63 E987010000 jmp 00475DEF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475C43(C)
|
:00475C68 8D55F4 lea edx, dword ptr [ebp-0C]
:00475C6B 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:00475C71 E80224FCFF call 00438078
:00475C76 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=13572468 试炼码

:00475C79 50 push eax
:00475C7A 8D55EC lea edx, dword ptr [ebp-14]
:00475C7D 8B8314030000 mov eax, dword ptr [ebx+00000314]
:00475C83 E8F023FCFF call 00438078
:00475C88 8B45EC mov eax, dword ptr [ebp-14]
====>EAX=c7a5f8d8 机器码

:00475C8B 50 push eax
:00475C8C 8D45F0 lea eax, dword ptr [ebp-10]
:00475C8F 50 push eax
:00475C90 8D55E8 lea edx, dword ptr [ebp-18]
:00475C93 A198C54700 mov eax, dword ptr [0047C598]
:00475C98 8B00 mov eax, dword ptr [eax]
:00475C9A E87D1CFEFF call 0045791C
:00475C9F 8B45E8 mov eax, dword ptr [ebp-18]
:00475CA2 50 push eax
:00475CA3 8D55E4 lea edx, dword ptr [ebp-1C]
:00475CA6 8B8310030000 mov eax, dword ptr [ebx+00000310]
:00475CAC E8C723FCFF call 00438078
:00475CB1 8B45E4 mov eax, dword ptr [ebp-1C]
====>EAX=fly 用户名

* Possible StringData Ref from Code Obj ->"China"
|
:00475CB4 BAA05E4700 mov edx, 00475EA0
====>EDX=China 程序自给的参数

:00475CB9 59 pop ecx
:00475CBA E8E9F2FFFF call 00474FA8
====>关键CALL！进入！

:00475CBF 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=901e494b 注册码

:00475CC2 58 pop eax
====>EAX=13572468 试炼码

:00475CC3 E89CE7F8FF call 00404464
====>比较CALL！

:00475CC8 742B je 00475CF5
====>不跳则OVER！

:00475CCA 6A30 push 00000030

* Possible StringData Ref from Code Obj ->"警告"
|
:00475CCC 68A85E4700 push 00475EA8

* Possible StringData Ref from Code Obj ->"注册码不符!"
====>BAD BOY！

:00475CD1 68B05E4700 push 00475EB0
:00475CD6 8BC3 mov eax, ebx
:00475CD8 E88F8BFCFF call 0043E86C
:00475CDD 50 push eax

* Reference To: user32.MessageBoxA, Ord:0000h
|
:00475CDE E88D0BF9FF Call 00406870
:00475CE3 B201 mov dl, 01
:00475CE5 8B8330030000 mov eax, dword ptr [ebx+00000330]
:00475CEB E8A822FCFF call 00437F98
:00475CF0 E9FA000000 jmp 00475DEF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475CC8(C)
|
:00475CF5 33C0 xor eax, eax
:00475CF7 E80CF4FFFF call 00475108
:00475CFC 3C02 cmp al, 02
:00475CFE 0F85EB000000 jne 00475DEF

* Possible StringData Ref from Code Obj ->"注册成功"
====>呵呵，胜利女神！

:00475D04 BAC45E4700 mov edx, 00475EC4
:00475D09 8B8308030000 mov eax, dword ptr [ebx+00000308]
:00475D0F E89423FCFF call 004380A8

—————————————————————————————————
进入关键CALL：00475CBA call 00474FA8

* Referenced by a CALL at Addresses:
|:00475606 , :00475CBA
|
:00474FA8 55 push ebp
:00474FA9 8BEC mov ebp, esp
:00474FAB 83C4EC add esp, FFFFFFEC
:00474FAE 53 push ebx
:00474FAF 33DB xor ebx, ebx
:00474FB1 895DEC mov dword ptr [ebp-14], ebx
:00474FB4 895DF0 mov dword ptr [ebp-10], ebx
:00474FB7 894DF4 mov dword ptr [ebp-0C], ecx
:00474FBA 8955F8 mov dword ptr [ebp-08], edx
:00474FBD 8945FC mov dword ptr [ebp-04], eax
====>EAX=fly 用户名

:00474FC0 8B45FC mov eax, dword ptr [ebp-04]
:00474FC3 E840F5F8FF call 00404508
:00474FC8 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=China 程序自给的参数

:00474FCB E838F5F8FF call 00404508
:00474FD0 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=万年历 (1901-2100) 程序自给的参数

:00474FD3 E830F5F8FF call 00404508
:00474FD8 8B450C mov eax, dword ptr [ebp+0C]
====>EAX=c7a5f8d8 机器码

:00474FDB E828F5F8FF call 00404508
:00474FE0 33C0 xor eax, eax
:00474FE2 55 push ebp
:00474FE3 684E504700 push 0047504E
:00474FE8 64FF30 push dword ptr fs:[eax]
:00474FEB 648920 mov dword ptr fs:[eax], esp
:00474FEE FF75FC push [ebp-04]
:00474FF1 FF75F8 push [ebp-08]
:00474FF4 FF75F4 push [ebp-0C]
:00474FF7 FF750C push [ebp+0C]
:00474FFA 8B450C mov eax, dword ptr [ebp+0C]
:00474FFD 50 push eax
:00474FFE 8D45EC lea eax, dword ptr [ebp-14]
:00475001 50 push eax
:00475002 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00475005 8B55F8 mov edx, dword ptr [ebp-08]
:00475008 8B45FC mov eax, dword ptr [ebp-04]
:0047500B E840FDFFFF call 00474D50
====>对上面3组参数进行处理得出最后一组参数

:00475010 FF75EC push [ebp-14]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
内存中的值是上面得出的参数：

00C148E8 5F 3E 45 51 20 _>EQ 这是最后一组参数！
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00475013 8D45F0 lea eax, dword ptr [ebp-10]
:00475016 BA05000000 mov edx, 00000005
:0047501B E8B8F3F8FF call 004043D8
====>把上面5组字符连接起来

:00475020 8B5508 mov edx, dword ptr [ebp+08]
:00475023 8B45F0 mov eax, dword ptr [ebp-10]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
内存中的值是上面连接的结果：

00C1C280 66 6C 79 43 68 69 6E 61 CD F2 C4 EA C0 FA 20 28 flyChina万年历 (
00C1C290 31 39 30 31 2D 32 31 30 30 29 63 37 61 35 66 38 1901-2100)c7a5f8
00C1C2A0 64 38 5F 3E 45 51 20 d8_>EQ
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00475026 E831000000 call 0047505C
====>算法CALL！进入！

:0047502B 33C0 xor eax, eax
:0047502D 5A pop edx
:0047502E 59 pop ecx
:0047502F 59 pop ecx
:00475030 648910 mov dword ptr fs:[eax], edx
:00475033 6855504700 push 00475055

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475053(U)
|
:00475038 8D45EC lea eax, dword ptr [ebp-14]
:0047503B BA05000000 mov edx, 00000005
:00475040 E837F0F8FF call 0040407C
:00475045 8D450C lea eax, dword ptr [ebp+0C]
:00475048 E80BF0F8FF call 00404058
:0047504D C3 ret

—————————————————————————————————
进入关键CALL：0047500B call 00474D50

* Referenced by a CALL at Address:
|:0047500B
|
:00474D50 55 push ebp
:00474D51 8BEC mov ebp, esp
:00474D53 83C4E8 add esp, FFFFFFE8
:00474D56 53 push ebx
:00474D57 33DB xor ebx, ebx
:00474D59 895DE8 mov dword ptr [ebp-18], ebx
:00474D5C 895DEC mov dword ptr [ebp-14], ebx
:00474D5F 895DF0 mov dword ptr [ebp-10], ebx
:00474D62 894DF4 mov dword ptr [ebp-0C], ecx
:00474D65 8955F8 mov dword ptr [ebp-08], edx
:00474D68 8945FC mov dword ptr [ebp-04], eax
:00474D6B 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly 用户名

:00474D6E E895F7F8FF call 00404508
:00474D73 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=China 程序自给的参数

:00474D76 E88DF7F8FF call 00404508
:00474D7B 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=万年历 (1901-2100) 程序自给的参数

:00474D7E E885F7F8FF call 00404508
:00474D83 8B450C mov eax, dword ptr [ebp+0C]
:00474D86 E87DF7F8FF call 00404508
:00474D8B 33C0 xor eax, eax
:00474D8D 55 push ebp
:00474D8E 680B4E4700 push 00474E0B
:00474D93 64FF30 push dword ptr fs:[eax]
:00474D96 648920 mov dword ptr fs:[eax], esp
:00474D99 33D2 xor edx, edx
:00474D9B 8B450C mov eax, dword ptr [ebp+0C]
:00474D9E E85134F9FF call 004081F4
:00474DA3 8BD0 mov edx, eax
:00474DA5 8D4DF0 lea ecx, dword ptr [ebp-10]
:00474DA8 B81C4E4700 mov eax, 00474E1C
:00474DAD E86E000000 call 00474E20
:00474DB2 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=万年历 (1901-2100) 程序自给的参数
:00474DB5 E85EF7F8FF call 00404518
:00474DBA 8D4DEC lea ecx, dword ptr [ebp-14]
:00474DBD 33D2 xor edx, edx
:00474DBF E85C000000 call 00474E20
====>对万年历 (1901-2100) 进行运算

:00474DC4 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly 用户名

:00474DC7 E84CF7F8FF call 00404518
:00474DCC 8D4DE8 lea ecx, dword ptr [ebp-18]
:00474DCF 33D2 xor edx, edx
:00474DD1 E84A000000 call 00474E20
====>对用户名fly 进行运算

:00474DD6 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=China 程序自给的参数

:00474DD9 E83AF7F8FF call 00404518
:00474DDE 8B4D08 mov ecx, dword ptr [ebp+08]
:00474DE1 33D2 xor edx, edx
:00474DE3 E838000000 call 00474E20
====>对 China 进行运算得出最后一组参数

:00474DE8 33C0 xor eax, eax
:00474DEA 5A pop edx
:00474DEB 59 pop ecx
:00474DEC 59 pop ecx
:00474DED 648910 mov dword ptr fs:[eax], edx
:00474DF0 68124E4700 push 00474E12

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474E10(U)
|
:00474DF5 8D45E8 lea eax, dword ptr [ebp-18]
:00474DF8 BA06000000 mov edx, 00000006
:00474DFD E87AF2F8FF call 0040407C
:00474E02 8D450C lea eax, dword ptr [ebp+0C]
:00474E05 E84EF2F8FF call 00404058
:00474E0A C3 ret

—————————————————————————————————
进入运算CALL：00474DBF、00474DD1、00474DE3 call 00474E20

说明一下：

1、程序对3组字符的运算处理流程是一致的，因此我只是记录了运算用户名时的数据。

2、[0047DDD0]初始值是0，通过对 “万年历 (1901-2100)” 的运算而成为0002ED18，这个值可以应该看作是固定值，因为“万年历 (1901-2100)”参数是固定的。如果有朋友跟踪麻烦应证一下。

3、[0047DDD4]初始值是0，通过万年历 (1901-2100) 的运算而增至C，这个值也可以看作是固定值。

4、程序在这个基础上对用户名和China运算处理得出最后一组参数，这个是变量，根据用户名的不同而不同！

* Referenced by a CALL at Addresses:
|:00474DAD , :00474DBF , :00474DD1 , :00474DE3
|
:00474E20 55 push ebp
:00474E21 8BEC mov ebp, esp
:00474E23 83C4EC add esp, FFFFFFEC
:00474E26 53 push ebx
:00474E27 56 push esi
:00474E28 57 push edi
:00474E29 33DB xor ebx, ebx
:00474E2B 895DEC mov dword ptr [ebp-14], ebx
:00474E2E 895DF0 mov dword ptr [ebp-10], ebx
:00474E31 894DF8 mov dword ptr [ebp-08], ecx
:00474E34 8BF2 mov esi, edx
:00474E36 8945FC mov dword ptr [ebp-04], eax
:00474E39 33C0 xor eax, eax
:00474E3B 55 push ebp
:00474E3C 685A4F4700 push 00474F5A
:00474E41 64FF30 push dword ptr fs:[eax]
:00474E44 648920 mov dword ptr fs:[eax], esp
:00474E47 8D45F0 lea eax, dword ptr [ebp-10]
:00474E4A 8B55FC mov edx, dword ptr [ebp-04]
:00474E4D E8FEF3F8FF call 00404250
:00474E52 8B45F0 mov eax, dword ptr [ebp-10]
:00474E55 E8BEF4F8FF call 00404318
:00474E5A 8BD8 mov ebx, eax
:00474E5C 85DB test ebx, ebx
:00474E5E 7513 jne 00474E73
:00474E60 8935D0DD4700 mov dword ptr [0047DDD0], esi
:00474E66 6BC664 imul eax, esi, 00000064
:00474E69 A3D4DD4700 mov dword ptr [0047DDD4], eax
:00474E6E E9CC000000 jmp 00474F3F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474E5E(C)
|
:00474E73 8B45F8 mov eax, dword ptr [ebp-08]
:00474E76 E8DDF1F8FF call 00404058
:00474E7B 8BFB mov edi, ebx
:00474E7D 4F dec edi
:00474E7E 85FF test edi, edi
:00474E80 0F8CB9000000 jl 00474F3F
:00474E86 47 inc edi
:00474E87 33F6 xor esi, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F39(C)
|
:00474E89 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly 用户名

:00474E8C 8A0430 mov al, byte ptr [eax+esi]
====>依次取fly字符的HEX值

:00474E8F 3C20 cmp al, 20
:00474E91 0F82A0000000 jb 00474F37
:00474E97 3C7E cmp al, 7E
:00474E99 0F8798000000 ja 00474F37
:00474E9F 8B15D0DD4700 mov edx, dword ptr [0047DDD0]
1、 ====>EDX=0002DE18 此值是对上个参数处理的结果！
2、 ====>EDX=0005DA73
3、 ====>EDX=000BB502

:00474EA5 81E2FFFFFF1F and edx, 1FFFFFFF
:00474EAB 8B0DD0DD4700 mov ecx, dword ptr [0047DDD0]
:00474EB1 C1E91D shr ecx, 1D
1、 ====>ECX=0002DE18 SHR 1D=00000000
2、 ====>ECX=0005DA73 SHR 1D=00000000
3、 ====>ECX=000BB502 SHR 1D=00000000

:00474EB4 83E131 and ecx, 00000031
:00474EB7 33D1 xor edx, ecx
1、 ====>EDX=0002DE18 XOR 00000000=0002DE18
2、 ====>EDX=0005DA73 XOR 00000000=0005DA73
3、 ====>EDX=000BB502 XOR 00000000=000BB502

:00474EB9 8915D0DD4700 mov dword ptr [0047DDD0], edx
:00474EBF 8845F7 mov byte ptr [ebp-09], al
====>[ebp-09]=AL=依次取fly字符的HEX值

:00474EC2 A1D0DD4700 mov eax, dword ptr [0047DDD0]
:00474EC7 B95F000000 mov ecx, 0000005F
:00474ECC 99 cdq
:00474ECD F7F9 idiv ecx
1、 ====>EAX=0002DE18 / 5F=000007E2
2、 ====>EAX=0005DA73 / 5F=00000FC5
3、 ====>EAX=000BB502 / 5F=00001F8C

:00474ECF 33D2 xor edx, edx
:00474ED1 8A55F7 mov dl, byte ptr [ebp-09]
1、 ====>DL=66 即：f的HEX值
2、 ====>DL=6C 即：l的HEX值
3、 ====>DL=79 即：y的HEX值

:00474ED4 83EA20 sub edx, 00000020
1、 ====>EDX=00000066 - 00000020=00000046
2、 ====>EDX=0000006C - 00000020=0000004C
3、 ====>EDX=00000079 - 00000020=00000059

:00474ED7 2BC2 sub eax, edx
1、 ====>EAX=000007E2 - 00000046=0000079C
2、 ====>EAX=00000FC5 - 0000004C=00000F79
2、 ====>EAX=00001F8C - 00000059=00001F33

:00474ED9 E88A000000 call 00474F68
====>对上面的得数进行处理！进入！

:00474EDE 8BD8 mov ebx, eax
====>对上面的得数处理的结果
1、 ====>EBX=30
2、 ====>EBX=42
3、 ====>EBX=07

:00474EE0 80C320 add bl, 20
1、 ====>BL=30 + 20=50
2、 ====>BL=42 + 20=62
3、 ====>BL=07 + 20=27

:00474EE3 FF05D4DD4700 inc dword ptr [0047DDD4]
====>[0047DDD4]增1

:00474EE9 813DD4DD470079510000 cmp dword ptr [0047DDD4], 00005179
:00474EF3 7C07 jl 00474EFC
:00474EF5 33C0 xor eax, eax
:00474EF7 A3D4DD4700 mov dword ptr [0047DDD4], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474EF3(C)
|
:00474EFC 8A45F7 mov al, byte ptr [ebp-09]
:00474EFF 32C3 xor al, bl
1、 ====>AL=66 XOR 50=36
2、 ====>AL=6C XOR 62=0E
3、 ====>AL=79 XOR 27=5E

:00474F01 25FF000000 and eax, 000000FF
:00474F06 8B15D0DD4700 mov edx, dword ptr [0047DDD0]
1、 ====>EDX=0002DE18
2、 ====>EDX=0005DA73
3、 ====>EDX=000BB502

:00474F0C 0315D0DD4700 add edx, dword ptr [0047DDD0]
1、 ====>EDX=0002DE18 + 0002DE18=0005DA30
2、 ====>EDX=0005DA73 + 0005DA73=000BB4E6
3、 ====>EDX=000BB502 + 000BB502=00176A04

:00474F12 03C2 add eax, edx
1、 ====>EAX=00000036 + 0005DA30=0005DA66
2、 ====>EAX=0000000E + 000BB4E6=000BB4F4
3、 ====>EAX=0000005E + 00176A04=00176A62

:00474F14 0305D4DD4700 add eax, dword ptr [0047DDD4]
1、 ====>EAX=0005DA66 + D=0005DA73
2、 ====>EAX=000BB4F4 + E=000BB502
3、 ====>EAX=00176A62 + F=00176A71

:00474F1A A3D0DD4700 mov dword ptr [0047DDD0], eax
====>[0047DDD0]=EAX

:00474F1F 8D45EC lea eax, dword ptr [ebp-14]
:00474F22 8BD3 mov edx, ebx
:00474F24 E817F3F8FF call 00404240
:00474F29 8B55EC mov edx, dword ptr [ebp-14]
1、 ====>EDX=50
2、 ====>EDX=62
3、 ====>EDX=27

:00474F2C 8B45F8 mov eax, dword ptr [ebp-08]
:00474F2F E8ECF3F8FF call 00404320
:00474F34 8B45F8 mov eax, dword ptr [ebp-08]
====>对用户名循环处理最后[ebp-08]中的值：50 62 27
====>对China 循环处理最后[ebp-08]中的值：5F 3E 45 51 20 终于得出最后一个参数了！

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474E91(C), :00474E99(C)
|
:00474F37 46 inc esi
:00474F38 4F dec edi
:00474F39 0F854AFFFFFF jne 00474E89
====>循环

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474E6E(U), :00474E80(C)
|
:00474F3F 33C0 xor eax, eax
:00474F41 5A pop edx
:00474F42 59 pop ecx
:00474F43 59 pop ecx
:00474F44 648910 mov dword ptr fs:[eax], edx
:00474F47 68614F4700 push 00474F61

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F5F(U)
|
:00474F4C 8D45EC lea eax, dword ptr [ebp-14]
:00474F4F BA02000000 mov edx, 00000002
:00474F54 E823F1F8FF call 0040407C
:00474F59 C3 ret

—————————————————————————————————
进入处理CALL：00474ED9 call 00474F68
根据不同的大小而分别进行处理！

* Referenced by a CALL at Address:
|:00474ED9
|
:00474F68 3D1C250000 cmp eax, 0000251C
:00474F6D 7C0C jl 00474F7B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F79(C)
|
:00474F6F 2D1C250000 sub eax, 0000251C
:00474F74 3D1C250000 cmp eax, 0000251C
:00474F79 7DF4 jge 00474F6F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F6D(C)
|
:00474F7B 3DB6030000 cmp eax, 000003B6
:00474F80 7C0C jl 00474F8E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F8C(C)
|
:00474F82 2DB6030000 sub eax, 000003B6
1、 ====>EAX=0000079C - 000003B6=000003E6
====>EAX=000003E6 - 000003B6=00000030

2、 ====>EAX=00000F79 - 000003B6=00000BC3
…… …… 省略 …… ……
====>EAX=00000457 - 000003B6=000000A1

3、 ====>EAX=00001F33 - 000003B6=00001B7D
…… …… 省略 …… ……
====>EAX=00000539 - 000003B6=00000183

:00474F87 3DB6030000 cmp eax, 000003B6
:00474F8C 7DF4 jge 00474F82

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F80(C)
|
:00474F8E 83F85F cmp eax, 0000005F
:00474F91 7C08 jl 00474F9B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F99(C)
|
:00474F93 83E85F sub eax, 0000005F
2、 ====>EAX=000000A1 - 0000005F=00000042

3、 ====>EAX=00000183 - 0000005F=00000124
…… …… 省略 …… ……
====>EAX=00000066 - 0000005F=00000007

:00474F96 83F85F cmp eax, 0000005F
:00474F99 7DF8 jge 00474F93

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F91(C)
|
:00474F9B 85C0 test eax, eax
:00474F9D 7D07 jge 00474FA6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474FA4(C)
|
:00474F9F 83C05F add eax, 0000005F
:00474FA2 85C0 test eax, eax
:00474FA4 7CF9 jl 00474F9F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F9D(C)
|
:00474FA6 C3 ret

—————————————————————————————————
进入算法CALL：00475026 call 0047505C

* Referenced by a CALL at Address:
|:00475026
|
:0047505C 55 push ebp
:0047505D 8BEC mov ebp, esp
:0047505F 83C4F4 add esp, FFFFFFF4
:00475062 53 push ebx
:00475063 56 push esi
:00475064 33C9 xor ecx, ecx
:00475066 894DF4 mov dword ptr [ebp-0C], ecx
:00475069 8955F8 mov dword ptr [ebp-08], edx
:0047506C 8945FC mov dword ptr [ebp-04], eax
:0047506F 8B45FC mov eax, dword ptr [ebp-04]
:00475072 E891F4F8FF call 00404508
:00475077 33C0 xor eax, eax
:00475079 55 push ebp
:0047507A 68FB504700 push 004750FB
:0047507F 64FF30 push dword ptr fs:[eax]
:00475082 648920 mov dword ptr fs:[eax], esp
:00475085 33DB xor ebx, ebx
:00475087 8B45FC mov eax, dword ptr [ebp-04]
:0047508A E889F2F8FF call 00404318
====>取连接后字符串的长度

:0047508F 85C0 test eax, eax
====>EAX=27（H）=39（D）

:00475091 7E2C jle 004750BF
:00475093 BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004750BD(C)
|
:00475098 8B55FC mov edx, dword ptr [ebp-04]
:0047509B 8A5432FF mov dl, byte ptr [edx+esi-01]
====>依次取下面内存中的HEX值

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
内存中的值是上面连接的结果：

:0047509F 32D3 xor dl, bl
1、 ====>DL=66 XOR 00=66
2、 ====>DL=6C XOR 6D=01
3、 ====>DL=79 XOR 52=2B
…… …… 省略 …… ……
39、 ====>DL=20 XOR 2F=0F

:004750A1 81E2FF000000 and edx, 000000FF
:004750A7 8B14956CBE4700 mov edx, dword ptr [4*edx+0047BE6C]
====>以EDX*4为指针从[0047BE6C]内存中取值
1、 ====>EDX=A4D1C46D
2、 ====>EDX=77073096
3、 ====>EDX=ACBCF940
…… …… 省略 …… ……
39、 ====>EDX=90BF1D91

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[0047BE6C]内存中有一张表：呵呵，真不小呀。不知道是否是固定值 {:-) :-(

0047BE6C 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 ....?w,a詈Q.
0047BE7C 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 膍忯jp5椋昫?
0047BE8C 32 88 DB 0E A4 B8 DC 79 1E E9 D5 E0 88 D9 D2 97 2堐じ躽檎鄨僖?
0047BE9C 2B 4C B6 09 BD 7C B1 7E 07 2D B8 E7 91 1D BF 90 +L?絴眫-哥?繍
0047BEAC 64 10 B7 1D F2 20 B0 6A 48 71 B9 F3 DE 41 BE 84 d??癹Hq贵轆緞
0047BEBC 7D D4 DA 1A EB E4 DD 6D 51 B5 D4 F4 C7 85 D3 83 }在脘輒Q翟羟呌?
0047BECC 56 98 6C 13 C0 A8 6B 64 7A F9 62 FD EC C9 65 8A V榣括kdz鵥蒭?
0047BEDC 4F 5C 01 14 D9 6C 06 63 63 3D 0F FA F5 0D 08 8D O\賚cc=.?
0047BEEC C8 20 6E 3B 5E 10 69 4C E4 41 60 D5 72 71 67 A2 ?n;^iL銩`誶qg?
0047BEFC D1 E4 03 3C 47 D4 04 4B FD 85 0D D2 6B B5 0A A5 唁<G?K齾.襨??
0047BF0C FA A8 B5 35 6C 98 B2 42 D6 C9 BB DB 40 F9 BC AC ?l槻B稚慧@?
0047BF1C E3 6C D8 32 75 5C DF 45 CF 0D D6 DC 59 3D D1 AB 鉲?u\逧?周Y=勋
0047BF2C AC 30 D9 26 3A 00 DE 51 80 51 D7 C8 16 61 D0 BF ??:.轖€Q兹a锌
0047BF3C B5 F4 B4 21 23 C4 B3 56 99 95 BA CF 0F A5 BD B8 掉?#某V檿合ソ?
0047BF4C 9E B8 02 28 08 88 05 5F B2 D9 0C C6 24 E9 0B B1 灨(?_操.???
0047BF5C 87 7C 6F 2F 11 4C 68 58 AB 1D 61 C1 3D 2D 66 B6 噟o/LhX?a?-f?
0047BF6C 90 41 DC 76 06 71 DB 01 BC 20 D2 98 2A 10 D5 EF 怉躹q??覙*诊
0047BF7C 89 85 B1 71 1F B5 B6 06 A5 E4 BF 9F 33 D4 B8 E8 墔眖刀ヤ繜3愿?
0047BF8C A2 C9 07 78 34 F9 00 0F 8E A8 09 96 18 98 0E E1 ⑸x4?帹.???
0047BF9C BB 0D 6A 7F 2D 3D 6D 08 97 6C 64 91 01 5C 63 E6 ?j-=m條d?\c?
0047BFAC F4 51 6B 6B 62 61 6C 1C D8 30 65 85 4E 00 62 F2 鬛kkbal?e匩.b?
0047BFBC ED 95 06 6C 7B A5 01 1B C1 F4 08 82 57 C4 0F F5 頃l{?留俉??
0047BFCC C6 D9 B0 65 50 E9 B7 12 EA B8 BE 8B 7C 88 B9 FC 瀑癳P榉旮緥|埞?
0047BFDC DF 1D DD 62 49 2D DA 15 F3 7C D3 8C 65 4C D4 FB ?輇I-?髚訉eL喳
0047BFEC 58 61 B2 4D CE 51 B5 3A 74 00 BC A3 E2 30 BB D4 Xa睲蜵?t.迹?辉
0047BFFC 41 A5 DF 4A D7 95 D8 3D 6D C4 D1 A4 FB F4 D6 D3 AミJ讜?m难糁?
0047C00C 6A E9 69 43 FC D9 6E 34 46 88 67 AD D0 B8 60 DA j閕Cn4F坓竊?
0047C01C 73 2D 04 44 E5 1D 03 33 5F 4C 0A AA C9 7C 0D DD s-D?3_L.|.?
…… ……　省　略　……　……
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:004750AE C1EB08 shr ebx, 08
1、 ====>EBX=00000000 SHR 8=00000000
2、 ====>EBX=A4D1C46D SHR 8=00A4D1C4
3、 ====>EBX=77A3E152 SHR 8=0077A3E1
…… …… 省略 …… ……
39、 ====>EBX=A154DA2F SHR 8=00A154DA

:004750B1 81E3FFFFFF00 and ebx, 00FFFFFF
:004750B7 33D3 xor edx, ebx
1、 ====>EDX=A4D1C46D XOR 00000000=A4D1C46D
2、 ====>EDX=77073096 XOR 00A4D1C4=77A3E152
3、 ====>EDX=ACBCF940 XOR 0077A3E1=ACCB5AA1
…… …… 省略 …… ……
结果 39、 ====>EDX=90BF1D91 XOR 00A154DA=901E494B

:004750B9 8BDA mov ebx, edx
====>EBX=EDX

:004750BB 46 inc esi
:004750BC 48 dec eax
:004750BD 75D9 jne 00475098
====>循环39次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475091(C)
|
:004750BF 8BC3 mov eax, ebx
====>循环结果：EAX=EBX=901E494B

:004750C1 33D2 xor edx, edx
:004750C3 52 push edx
:004750C4 50 push eax
:004750C5 8D55F4 lea edx, dword ptr [ebp-0C]
:004750C8 B808000000 mov eax, 00000008
:004750CD E8B630F9FF call 00408188
:004750D2 8B45F4 mov eax, dword ptr [ebp-0C]
:004750D5 8B55F8 mov edx, dword ptr [ebp-08]
:004750D8 E85B2CF9FF call 00407D38
====>把901E494B中的大写字母转化为小写字母
====>901E494B->901e494b 这就是注册码了！

:004750DD 33C0 xor eax, eax
:004750DF 5A pop edx
:004750E0 59 pop ecx
:004750E1 59 pop ecx
:004750E2 648910 mov dword ptr fs:[eax], edx
:004750E5 6802514700 push 00475102

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475100(U)
|
:004750EA 8D45F4 lea eax, dword ptr [ebp-0C]
:004750ED E866EFF8FF call 00404058
:004750F2 8D45FC lea eax, dword ptr [ebp-04]
:004750F5 E85EEFF8FF call 00404058
:004750FA C3 ret

—————————————————————————————————
【算法总结】：

1、程序自给2组参数：“万年历 (1901-2100)” 和 “China”

2、对“万年历 (1901-2100)” 、用户名和 “China”进行处理运算得出
最后一组参数：5F 3E 45 51 20

3、连接用户名 + China + 万年历 (1901-2100) + 机器码和最后一组参数：
00C1C280 66 6C 79 43 68 69 6E 61 CD F2 C4 EA C0 FA 20 28 flyChina万年历 (
00C1C290 31 39 30 31 2D 32 31 30 30 29 63 37 61 35 66 38 1901-2100)c7a5f8
00C1C2A0 64 38 5F 3E 45 51 20 d8_>EQ

4、取以上字符的HEX值循环异或运算，以此为指针从[4*edx+0047BE6C]的表中取值进入下一轮循环运算，我不知道[0047BE6C]的表是否是固定参数，如果这张表也是变量的话，那么这个程序也就太麻烦了。真不明白，既然作者大费心机设计了如此麻烦的算法为何最后还用明码比较？完全可以来个变量比较呀，那样的话可能就没有几个人会去分析算法了。

5、循环最后得出901E494B，把里面的大写字母替换成小写字母，
得出：901e494b 这就是我用了5个小时跟踪的注册码了！^O^^O^^O^^O^

—————————————————————————————————
【完美爆破】：

00475CC8 742B je 00475CF5
改为： EB2B jmp 00475CF5

呵呵，跳过去程序就自动保存好注册信息了！

—————————————————————————————————
【KeyMake之{82th}内存注册机】：

中断地址：00475CC3
中断次数：1
第一字节：E8
指令长度：5

内存方式：EDX

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Defaultvalue"=dword:00000000 注册成功的标志！

—————————————————————————————————
【整理】：

用户名：fly
机器码：c7a5f8d8
注册码：901e494b

—————————————————————————————————

, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊——fly [OCN][FCG]

2003-05-06 22:24