软件名称:日语天天背单词
软件版本:V1.5B1326
软件性质:共享软件
软件语言:简体中文版
操作系统:Win98/2000/NT/XP
下载页面:http://www.china690.net/homerocker/softmore.asp
运行软件试注册,有错误提示。
PEID查为ASPack
2.11c加的壳,用AspackDie脱之。
W32dasm反汇编,能很容易找到错误提示内容。用ICE装入文件,填入注册信息:
注册名:YQMJCH
注册码:25256363
然后按Ctrl+D呼出ICE,下万能断点bpx
hmemcpy(当然脱壳反汇编后,也可在关键call处直接下断),按F5后点现在注册拦截后按几下F12,换为单步跟踪,很快能来到下面代码处:
* Possible StringData Ref from Code Obj
->"\SOFTWARE\白领软件工作室\日语天天背单词\"
|
:004FB643 BAA4B84F00
mov edx, 004FB8A4
:004FB648 E84F90F0FF
call 0040469C
:004FB64D 8D45F4
lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"V1.4"
|
:004FB650 BAD8B84F00
mov edx, 004FB8D8
:004FB655 E84290F0FF
call 0040469C
:004FB65A 8D55EC
lea edx, dword ptr
[ebp-14]
:004FB65D 8B45FC
mov eax, dword ptr [ebp-04]
:004FB660 8B8034030000
mov eax, dword ptr [eax+00000334]
:004FB666
E895D8F4FF call
00448F00(取输入的注册码)
:004FB66B 8B45EC
mov eax, dword ptr [ebp-14]
:004FB66E 50
push
eax
:004FB66F 8D55E4
lea edx, dword ptr [ebp-1C]
:004FB672 8B45FC
mov eax, dword ptr
[ebp-04]
:004FB675 8B802C030000 mov
eax, dword ptr [eax+0000032C]
:004FB67B E880D8F4FF
call 00448F00(取机器码)
:004FB680 8B45E4
mov eax, dword ptr
[ebp-1C]
:004FB683 50
push eax
:004FB684 8D55E0
lea edx, dword ptr [ebp-20]
:004FB687
8B45FC mov eax,
dword ptr [ebp-04]
:004FB68A 8B8030030000
mov eax, dword ptr [eax+00000330]
:004FB690 E86BD8F4FF
call 00448F00(取注册名)
:004FB695 8B45E0
mov eax, dword ptr
[ebp-20]
:004FB698 8D4DE8
lea ecx, dword ptr [ebp-18]
:004FB69B 5A
pop edx
:004FB69C
E81F120000 call
004FC8C0(算法call)
:004FB6A1 8B55E8
mov edx, dword ptr [ebp-18]
:004FB6A4 58
pop
eax
:004FB6A5 E85693F0FF call
00404A00(比较注册码)
:004FB6AA 0F8577010000
jne 004FB827(跳则over)
:004FB6B0 B201
mov dl, 01
:004FB6B2 A1D0F24600
mov eax, dword ptr
[0046F2D0]
:004FB6B7 E8143DF7FF
call 0046F3D0
:004FB6BC 8945F0
mov dword ptr [ebp-10],
eax
…
省略:
…
:004FB731 8D55D0
lea edx, dword ptr [ebp-30]
:004FB734 8B45FC
mov eax, dword ptr
[ebp-04]
:004FB737 8B8030030000 mov
eax, dword ptr [eax+00000330]
:004FB73D E8BED7F4FF
call 00448F00
:004FB742 8B4DD0
mov ecx, dword ptr [ebp-30]
以下程序将注册信息写入注册表:
* Possible StringData Ref from Code Obj
->"username"
|
:004FB745
BAE8B84F00 mov edx,
004FB8E8
:004FB74A 8B45F0
mov eax, dword ptr [ebp-10]
:004FB74D E8FA3FF7FF
call 0046F74C
:004FB752 8D55CC
lea edx, dword ptr
[ebp-34]
:004FB755 8B45FC
mov eax, dword ptr [ebp-04]
:004FB758 8B802C030000
mov eax, dword ptr [eax+0000032C]
:004FB75E
E89DD7F4FF call
00448F00
:004FB763 8B4DCC
mov ecx, dword ptr [ebp-34]
* Possible StringData Ref from Code Obj ->"regstr"
|
:004FB766 BAFCB84F00
mov edx, 004FB8FC
:004FB76B 8B45F0
mov eax, dword ptr [ebp-10]
:004FB76E
E8D93FF7FF call
0046F74C
:004FB773 8D55C8
lea edx, dword ptr [ebp-38]
:004FB776 8B45FC
mov eax, dword ptr
[ebp-04]
:004FB779 8B8034030000 mov
eax, dword ptr [eax+00000334]
:004FB77F E87CD7F4FF
call 00448F00
:004FB784 8B4DC8
mov ecx, dword ptr
[ebp-38]
:004FB787 BA0CB94F00
mov edx, 004FB90C
:004FB78C 8B45F0
mov eax, dword ptr [ebp-10]
:004FB78F E8B83FF7FF
call
0046F74C
…
省略
…
:004FB7BB 668B0D10B94F00
mov cx, word ptr [004FB910]
:004FB7C2 B202
mov dl, 02
* Possible StringData Ref from Code Obj ->"输入的注册码正确,已经成功注册软件!
感谢您注?
->"帷度沼锾焯毂车ゴ省?请重新启动您的软件!使注册"
->"有效!"
|
:004FB7C4 B81CB94F00
mov eax, 004FB91C
:004FB7C9 E87668F4FF
call 00442044
……
省略
……
:004FB820 E827F4F5FF
call 0045AC4C
:004FB825 EB15
jmp
004FB83C
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004FB6AA(C)
|
:004FB827 6A00
push 00000000
:004FB829
668B0D10B94F00 mov cx, word ptr
[004FB910]
:004FB830 B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"输入的注册码错误,请重新输入!"
|
:004FB832 B894B94F00
mov eax, 004FB994
:004FB837 E80868F4FF
call 00442044
跟进算法call:
* Referenced by a CALL at Address:
|:004FB69C
|
:004FC8C0 55
push ebp
:004FC8C1 8BEC
mov ebp, esp
:004FC8C3 51
push
ecx
:004FC8C4 B95B000000 mov
ecx, 0000005B
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004FC8CE(C)
|
:004FC8C9 6A00
push 00000000
:004FC8CB 6A00
push
00000000
:004FC8CD 49
dec ecx
:004FC8CE 75F9
jne 004FC8C9
:004FC8D0 874DFC
xchg dword ptr [ebp-04],
ecx
:004FC8D3 53
push ebx
:004FC8D4 56
push esi
:004FC8D5 57
push
edi
:004FC8D6 894DF4
mov dword ptr [ebp-0C], ecx
:004FC8D9 8955F8
mov dword ptr [ebp-08],
edx
:004FC8DC 8945FC
mov dword ptr [ebp-04], eax
:004FC8DF 8B45FC
mov eax, dword ptr
[ebp-04]
:004FC8E2 E8BD81F0FF
call 00404AA4
:004FC8E7 8B45F8
mov eax, dword ptr [ebp-08]
:004FC8EA E8B581F0FF
call 00404AA4
:004FC8EF
8D9D3CFDFFFF lea ebx, dword ptr
[ebp+FFFFFD3C]
:004FC8F5 33C0
xor eax, eax
:004FC8F7 55
push ebp
:004FC8F8
68CFDB4F00 push
004FDBCF
:004FC8FD 64FF30
push dword ptr fs:[eax]
:004FC900 648920
mov dword ptr fs:[eax], esp
以下是一张大表:有600多大写字母,晕:
:004FC903 C60343
mov byte ptr [ebx], 43
:004FC906 C6430148
mov [ebx+01], 48
:004FC90A
C6430255 mov [ebx+02],
55
……………
中间省略了600多行
……………
:004FD9E2 C683A002000055
mov byte ptr [ebx+000002A0], 55
:004FD9E9 C683A102000041
mov byte ptr [ebx+000002A1], 41
:004FD9F0
C683A20200004E mov byte ptr [ebx+000002A2],
4E
:004FD9F7 C683A302000059 mov byte ptr
[ebx+000002A3], 59
:004FD9FE FF75FC
push [ebp-04]
:004FDA01 FF75FC
push [ebp-04]
:004FDA04 FF75FC
push
[ebp-04]
:004FDA07 8D45E8
lea eax, dword ptr [ebp-18]
:004FDA0A BA03000000
mov edx, 00000003
:004FDA0F E8686FF0FF
call
0040497C(将注册名复制三遍)
:004FDA14 8D45E8
lea eax, dword ptr [ebp-18]
:004FDA17 50
push
eax
:004FDA18 B90F000000 mov
ecx, 0000000F
:004FDA1D BA01000000
mov edx, 00000001
:004FDA22 8B45E8
mov eax, dword ptr [ebp-18]
:004FDA25 E8EA70F0FF
call
00404B14(保留前15位,注册名最好5位以上,否则可能有麻烦)
:004FDA2A 8D45E4
lea eax, dword ptr
[ebp-1C]
:004FDA2D E8D26BF0FF
call 00404604
:004FDA32 BE0F000000
mov esi, 0000000F
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004FDA78(C)
|
:004FDA37 8D8534FDFFFF lea eax,
dword ptr [ebp+FFFFFD34]
:004FDA3D 50
push eax
:004FDA3E B901000000
mov ecx, 00000001
:004FDA43 8BD6
mov edx,
esi
:004FDA45 8B45E8
mov eax, dword ptr [ebp-18]
:004FDA48 E8C770F0FF
call 00404B14
:004FDA4D 8B8534FDFFFF
mov eax, dword ptr [ebp+FFFFFD34]
:004FDA53 8A00
mov al,
byte ptr [eax]
:004FDA55 E82250F0FF
call 00402A7C
:004FDA5A 8BD0
mov edx, eax
:004FDA5C 8D8538FDFFFF
lea eax, dword ptr [ebp+FFFFFD38]
:004FDA62
E87D6DF0FF call
004047E4
:004FDA67 8B9538FDFFFF mov
edx, dword ptr [ebp+FFFFFD38]
:004FDA6D 8D45E4
lea eax, dword ptr [ebp-1C]
:004FDA70
E84F6EF0FF call
004048C4
:004FDA75 4E
dec esi
:004FDA76 85F6
test esi, esi
:004FDA78 75BD
jne
004FDA37
以上这段程序将经复制保留的注册码第3位一组变换排列顺序,
如123 456 789 012
345(下面称原始排列用“A”表示)
排列成321 654 987 210 543(下面称变化排列用“B”表示)
:004FDA7A 8D45EC
lea eax, dword ptr [ebp-14]
:004FDA7D E8826BF0FF
call 00404604
:004FDA82 8D45F0
lea eax, dword ptr
[ebp-10]
:004FDA85 E87A6BF0FF
call 00404604
:004FDA8A 8D45E0
lea eax, dword ptr [ebp-20]
:004FDA8D 8B55F8
mov edx, dword ptr
[ebp-08]
:004FDA90 E8076CF0FF
call 0040469C
:004FDA95 BE01000000
mov esi, 00000001
:004FDA9A 8D7B1A
lea edi, dword ptr [ebx+1A]
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004FDB2B(C)
|
:004FDA9D 8B45E4
mov eax, dword ptr
[ebp-1C](“B”入eax)
:004FDAA0 8A4430FF
mov al, byte ptr [eax+esi-01](取“B”第一位)
:004FDAA4
E8D34FF0FF call
00402A7C
:004FDAA9 25FF000000
and eax, 000000FF
:004FDAAE 50
push eax
:004FDAAF 8B45E8
mov eax, dword ptr
[ebp-18](“A”入eax)
:004FDAB2 8A4430FF
mov al, byte ptr [eax+esi-01](取“A”第一位)
:004FDAB6
E8C14FF0FF call
00402A7C
:004FDABB 25FF000000
and eax, 000000FF
:004FDAC0 6BC00D
imul eax, 0000000D(“A”第一位乘以“D”入eax)
:004FDAC3
8D0443 lea eax,
dword ptr [ebx+2*eax](eax*2后查表取值再入eax)
:004FDAC6 5A
pop edx
:004FDAC7
8A941025F9FFFF mov dl, byte ptr
[eax+edx-000006DB](eax加“B”第一位再减6DB的值入dl)
:004FDACE 8D8530FDFFFF
lea eax, dword ptr [ebp+FFFFFD30]
:004FDAD4
E80B6DF0FF call
004047E4
:004FDAD9 8B9530FDFFFF mov
edx, dword ptr [ebp+FFFFFD30]
:004FDADF 8D45EC
lea eax, dword ptr [ebp-14]
:004FDAE2
E8DD6DF0FF call
004048C4(把运算得值存入一表)
:004FDAE7 8D8528FDFFFF
lea eax, dword ptr [ebp+FFFFFD28]
:004FDAED 50
push eax
:004FDAEE
B901000000 mov ecx,
00000001
:004FDAF3 8BD6
mov edx, esi
:004FDAF5 8B45E0
mov eax, dword ptr [ebp-20]
:004FDAF8
E81770F0FF call
00404B14(取机器码第一位)
:004FDAFD 8B8528FDFFFF
mov eax, dword ptr [ebp+FFFFFD28]
:004FDB03 E850B6F0FF
call 00409158
:004FDB08 8A1407
mov dl, byte ptr
[edi+eax](按机器码数查表求值入dl)
:004FDB0B 8D852CFDFFFF
lea eax, dword ptr [ebp+FFFFFD2C]
:004FDB11 E8CE6CF0FF
call 004047E4
:004FDB16 8B952CFDFFFF
mov edx, dword ptr
[ebp+FFFFFD2C]
:004FDB1C 8D45F0
lea eax, dword ptr [ebp-10]
:004FDB1F E8A06DF0FF
call 004048C4(将所求值存入二表)
:004FDB24 46
inc
esi
:004FDB25 83C71A
add edi, 0000001A
:004FDB28 83FE10
cmp esi, 00000010
:004FDB2B 0F856CFFFFFF
jne
004FDA9D
以上程序循环算出两组15位的大写字母表(下面要别称其为“C”和“D”,对应关系为:由“A”、“B”运算得出C,由机器码运算得出“D”),下面再进行运算:
:004FDB31
8B45F4 mov eax,
dword ptr [ebp-0C]
:004FDB34 E8CB6AF0FF
call 00404604
:004FDB39 BE01000000
mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004FDB95(C)
|
:004FDB3E 8D8524FDFFFF
lea eax, dword ptr [ebp+FFFFFD24]
:004FDB44 8B55F0
mov edx, dword ptr
[ebp-10](“D”入edx)
:004FDB47 0FB65432FF
movzx edx, byte ptr [edx+esi-01](取“D”的第一位入edx)
:004FDB4C 8B4DEC
mov ecx, dword ptr
[ebp-14](“C”入ecx)
:004FDB4F 0FB64C31FF
movzx ecx, byte ptr [ecx+esi-01](取“C”的第一位入ecx)
:004FDB54 6BC90D
imul ecx,
0000000D(运算:ecx*d)
:004FDB57 8D0C4B
lea ecx, dword ptr
[ebx+2*ecx](运算:ecx再乘以2后再查表求值,入ecx)
:004FDB5A 8A941125F9FFFF
mov dl, byte ptr
[ecx+edx-000006DB](ecx的值加“D”的第一位再减6DB的值入dl,此值为注册码第一位)
:004FDB61 E87E6CF0FF
call 004047E4
:004FDB66
8B9524FDFFFF mov edx, dword ptr
[ebp+FFFFFD24]
:004FDB6C 8B45F4
mov eax, dword ptr [ebp-0C]
:004FDB6F E8506DF0FF
call 004048C4
:004FDB74 8B45F4
mov eax, dword ptr
[ebp-0C]
:004FDB77 83FE05
cmp esi, 00000005(比较计算出的注册码是否够5位)
:004FDB7A 7405
je
004FDB81(够则跳走加“-”)
:004FDB7C 83FE0A
cmp esi, 0000000A(比较计算出的注册码是否够10位)
:004FDB7F 7510
jne
004FDB91(相等时则加“-”)
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004FDB7A(C)
|以下几行代码负责置注册码的第6位、11位为“-”,即注册码形式为:12345-67890-12345
:004FDB81
8B45F4 mov eax,
dword ptr [ebp-0C]
:004FDB84 BAE8DB4F00
mov edx, 004FDBE8
:004FDB89 E8366DF0FF
call 004048C4
:004FDB8E 8B45F4
mov eax, dword ptr [ebp-0C]
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004FDB7F(C)
|
:004FDB91 46
inc esi
:004FDB92 83FE10
cmp esi,
00000010比较计算出的注册码是否够16位)
:004FDB95 75A7
jne 004FDB3E(不够则跳走循环运算直至够15位)
:004FDB97
33C0 xor
eax, eax
:004FDB99 5A
pop edx
:004FDB9A 59
pop ecx
:004FDB9B 59
pop
ecx
:004FDB9C 648910
mov dword ptr fs:[eax], edx
:004FDB9F 68D6DB4F00
push 004FDBD6
整理:
分析过程中:
“A”=YQM JCH YQM JCH
YQM(无空格)
“B”=MQY HCJ MQY HCJ MQY(无空格)
“C”=WIXEGUWIXEGUWIX
“D”=NACEEOIEOXDAEXQ
机器码:349910439465063
注册名:YQMJCH
注册码:UNXIT-ITQXA-IAGIA
注册信息存放位置:
HKEY_LOCAL_MACHINE\software\白领软件工作室\日语天天背单词\v1.4
另外,不知有没有暗桩,不妥之处请高手指点。