时间提醒助手 (Time Reminder Helper) 20040425: algorithm analysis
Date: 9 March 2005   Cracked by: Baby2008
———————————————————————————————————————————
【Software】: 时间提醒助手 (Time Reminder Helper) 20040425
【Size】: 2.26 MB
【Download】: http://www.my530.com
【Restriction】: unregistered copies are limited to a 30-day trial
【Disclaimer】: I am a beginner at cracking and do this purely out of interest, with no other motive. Corrections from the experts are welcome!
【Tools】: OllyDbg 1.1, PEiD 0.92, DeDe, Quick Unpack 0.6
———————————————————————————————————————————
【Procedure】:
First check the packer with PEiD 0.93 (Chinese enhanced edition): ASPack 2.12 -> Alexey Solodovnikov. Quick Unpack 0.6 strips it without trouble; the default output name is TimeHelper__.exe.
Check the unpacked file with PEiD 0.93 again: Borland Delphi 6.0 - 7.0.
Since it is a Delphi program, run it through DeDe first and export a map file.
Open the target TimeHelper__.exe in OllyDbg and import the map file exported by DeDe with the mapconv plugin (replacing labels and comments). Then search the referenced strings: you find "注册成功,谢谢你的支持" ("Registration successful, thank you for your support"). Double-click it to land in the CPU window at 0054AC46, scroll up, and you reach the routine below, which contains the whole algorithm:
0054AB78 <>/. 55 push ebp ; <-TFrmRegistry@SpeedButton4Click
0054AB79 |. 8BEC mov ebp,esp
0054AB7B |. 33C9 xor ecx,ecx
0054AB7D |. 51 push ecx
0054AB7E |. 51 push ecx
0054AB7F |. 51 push ecx
0054AB80 |. 51 push ecx
0054AB81 |. 51 push ecx
0054AB82 |. 51 push ecx
0054AB83 |. 51 push ecx
0054AB84 |. 53 push ebx
0054AB85 |. 56 push esi
0054AB86 |. 8BD8 mov ebx,eax
0054AB88 |. 33C0 xor eax,eax
0054AB8A |. 55 push ebp
0054AB8B |. 68 55AD5400 push <TimeHelp.->System.@HandleFinal>
0054AB90 |. 64:FF30 push dword ptr fs:[eax]
0054AB93 |. 64:8920 mov dword ptr fs:[eax],esp
0054AB96 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0054AB99 <>|. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C] ; *TFrmRegistry.Edit3:TEdit
0054AB9F <>|. E8 38EBEFFF call TimeHelp.004496DC ; fetch the trial serial ->Controls.TControl.GetText(TControl):TCaption;
0054ABA4 |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; the trial serial must not be empty
0054ABA8 |. 0F84 3C010000 je TimeHelp.0054ACEA
0054ABAE |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0054ABB1 <>|. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C] ; *TFrmRegistry.Edit3:TEdit
0054ABB7 <>|. E8 20EBEFFF call TimeHelp.004496DC ; ->Controls.TControl.GetText(TControl):TCaption;
0054ABBC |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; trial serial (read a second time)
0054ABBF |. 50 push eax
0054ABC0 |. 68 6CAD5400 push TimeHelp.0054AD6C ; ASCII "aB"
0054ABC5 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
0054ABC8 <>|. 8B83 30030000 mov eax,dword ptr ds:[ebx+330] ; *TFrmRegistry.Edit2:TEdit
0054ABCE <>|. E8 09EBEFFF call TimeHelp.004496DC ; ->Controls.TControl.GetText(TControl):TCaption;
0054ABD3 |. 8B45 EC mov eax,dword ptr ss:[ebp-14] ; machine code (Edit2)
0054ABD6 <>|. E8 4DEEEBFF call TimeHelp.00409A28 ; machine code string -> integer (result in eax)
0054ABDB |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0054ABDE |. BA 08000000 mov edx,8
0054ABE3 <>|. E8 C4EDEBFF call TimeHelp.004099AC ; ->Unit_004085A8.Proc_004099AC: integer -> hex string, edx=8 digits (zero-padded, IntToHex style)
0054ABE8 |. FF75 F0 push dword ptr ss:[ebp-10] ; machine code as an 8-digit hex string
0054ABEB |. 68 78AD5400 push TimeHelp.0054AD78 ; ASCII "Cd"
0054ABF0 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0054ABF3 |. BA 03000000 mov edx,3
0054ABF8 <>|. E8 7FA3EBFF call TimeHelp.00404F7C ; ->System.Proc_00404F7C: concatenate edx=3 strings
0054ABFD |. 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; 'aB' + hex machine code + 'Cd'
0054AC00 |. A1 98FA5500 mov eax,dword ptr ds:[55FA98]
0054AC05 |. 8B00 mov eax,dword ptr ds:[eax]
0054AC07 <>|. 8B80 58030000 mov eax,dword ptr ds:[eax+358] ; *TFrmTimeHelper.Reg:TRegwareII
0054AC0D |. B9 84AD5400 mov ecx,TimeHelp.0054AD84 ; ASCII "my530.com"
0054AC12 <>|. E8 919CF4FF call TimeHelp.004948A8 ; key call, step into
0054AC17 |. 84C0 test al,al
0054AC19 |. 0F84 B1000000 je TimeHelp.0054ACD0
0054AC1F |. BA 98AD5400 mov edx,TimeHelp.0054AD98
0054AC24 |. A1 B8D75600 mov eax,dword ptr ds:[56D7B8]
0054AC29 <>|. E8 DEEAEFFF call TimeHelp.0044970C ; ->Controls.TControl.SetText(TControl;TCaption);
0054AC2E |. A1 98FA5500 mov eax,dword ptr ds:[55FA98]
0054AC33 |. 8B00 mov eax,dword ptr ds:[eax]
0054AC35 |. BA B0AD5400 mov edx,TimeHelp.0054ADB0
0054AC3A <>|. E8 CDEAEFFF call TimeHelp.0044970C ; ->Controls.TControl.SetText(TControl;TCaption);
0054AC3F |. 6A 40 push 40 ; 40 = MB_ICONINFORMATION: start of the success message box
0054AC41 |. B9 C0AD5400 mov ecx,TimeHelp.0054ADC0
0054AC46 |. BA C8AD5400 mov edx,TimeHelp.0054ADC8
call TimeHelp.004948A8
———————————————————————————————————————————
004948A8 /$ 55 push ebp
004948A9 |. 8BEC mov ebp,esp
004948AB |. 83C4 F8 add esp,-8
004948AE |. 53 push ebx
004948AF |. 894D F8 mov dword ptr ss:[ebp-8],ecx ; my530.com
004948B2 |. 8955 FC mov dword ptr ss:[ebp-4],edx
004948B5 |. 8BD8 mov ebx,eax
004948B7 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004948BA |. E8 E507F7FF call TimeHelp.004050A4
004948BF |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004948C2 |. E8 DD07F7FF call TimeHelp.004050A4
004948C7 |. 8B45 08 mov eax,dword ptr ss:[ebp+8] ; trial serial
004948CA |. E8 D507F7FF call TimeHelp.004050A4
004948CF |. 33C0 xor eax,eax
004948D1 |. 55 push ebp
004948D2 |. 68 15494900 push TimeHelp.00494915
004948D7 |. 64:FF30 push dword ptr fs:[eax]
004948DA |. 64:8920 mov dword ptr fs:[eax],esp
004948DD |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
004948E0 |. 50 push eax
004948E1 |. 6A 00 push 0
004948E3 |. 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ; my530.com
004948E6 |. 8B55 FC mov edx,dword ptr ss:[ebp-4] ; 'aB' + hex machine code + 'Cd'
004948E9 |. 8BC3 mov eax,ebx
004948EB |. E8 38000000 call TimeHelp.00494928 ; key call, step into
004948F0 |. 8BD8 mov ebx,eax
004948F2 |. 33C0 xor eax,eax
004948F4 |. 5A pop edx
004948F5 |. 59 pop ecx
004948F6 |. 59 pop ecx
004948F7 |. 64:8910 mov dword ptr fs:[eax],edx
004948FA |. 68 1C494900 push TimeHelp.0049491C
004948FF |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00494902 |. BA 02000000 mov edx,2
00494907 |. E8 1C03F7FF call TimeHelp.00404C28
0049490C |. 8D45 08 lea eax,dword ptr ss:[ebp+8]
0049490F |. E8 F002F7FF call TimeHelp.00404C04
00494914 \. C3 retn
———————————————————————————————————————————
call TimeHelp.00494928
———————————————————————————————————————————
00494928 /$ 55 push ebp
00494929 |. 8BEC mov ebp,esp
0049492B |. 83C4 F0 add esp,-10
0049492E |. 53 push ebx
0049492F |. 56 push esi
00494930 |. 33DB xor ebx,ebx
00494932 |. 895D F0 mov dword ptr ss:[ebp-10],ebx ; 0
00494935 |. 895D F4 mov dword ptr ss:[ebp-C],ebx ; 0
00494938 |. 894D F8 mov dword ptr ss:[ebp-8],ecx ; my530.com
0049493B |. 8955 FC mov dword ptr ss:[ebp-4],edx ; 'aB' + hex machine code + 'Cd'
0049493E |. 8BD8 mov ebx,eax
00494940 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00494943 |. E8 5C07F7FF call TimeHelp.004050A4
00494948 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049494B |. E8 5407F7FF call TimeHelp.004050A4
00494950 |. 8B45 0C mov eax,dword ptr ss:[ebp+C] ; trial serial
00494953 |. E8 4C07F7FF call TimeHelp.004050A4
00494958 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
0049495B |. E8 4407F7FF call TimeHelp.004050A4
00494960 |. 33C0 xor eax,eax
00494962 |. 55 push ebp
00494963 |. 68 5E4A4900 push TimeHelp.00494A5E
00494968 |. 64:FF30 push dword ptr fs:[eax]
0049496B |. 64:8920 mov dword ptr fs:[eax],esp
0049496E |> E8 492BF7FF /call <jmp.&KERNEL32.GetTickCount> ; [GetTickCount
00494973 |. 8BF0 |mov esi,eax
00494975 |. 68 D0070000 |push 7D0 ; /Timeout = 2000. ms
0049497A |. E8 899FF7FF |call <jmp.&KERNEL32.Sleep> ; \Sleep
0049497F |. 8B43 54 |mov eax,dword ptr ds:[ebx+54]
00494982 |. 8078 04 00 |cmp byte ptr ds:[eax+4],0
00494986 |. 74 0A |je short TimeHelp.00494992
00494988 |. 8D55 FC |lea edx,dword ptr ss:[ebp-4]
0049498B |. 8BC3 |mov eax,ebx
0049498D |. E8 F2F8FFFF |call TimeHelp.00494284
00494992 |> E8 252BF7FF |call <jmp.&KERNEL32.GetTickCount> ; [GetTickCount
00494997 |. 81C6 CF070000 |add esi,7CF
0049499D |. 3BC6 |cmp eax,esi
0049499F |.^ 72 CD \jb short TimeHelp.0049496E ; loop until about 2 s (0x7CF ticks) have passed: every check attempt costs two seconds
004949A1 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004949A4 |. E8 1305F7FF call TimeHelp.00404EBC ; Length('aB'+hex machine code+'Cd')
004949A9 |. 3B43 58 cmp eax,dword ptr ds:[ebx+58] ; maximum length
004949AC |. 7F 19 jg short TimeHelp.004949C7 ; too long -> fail
004949AE |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004949B1 |. E8 0605F7FF call TimeHelp.00404EBC
004949B6 |. 3B43 5C cmp eax,dword ptr ds:[ebx+5C] ; minimum length
004949B9 |. 7C 0C jl short TimeHelp.004949C7 ; too short -> fail
004949BB |. 8B45 0C mov eax,dword ptr ss:[ebp+C]
004949BE |. E8 F904F7FF call TimeHelp.00404EBC ; Length(trial serial)
004949C3 |. 85C0 test eax,eax
004949C5 |. 75 04 jnz short TimeHelp.004949CB ; empty -> fail
004949C7 |> 33DB xor ebx,ebx
004949C9 |. EB 6B jmp short TimeHelp.00494A36
004949CB |> 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004949CE |. 8B45 0C mov eax,dword ptr ss:[ebp+C]
004949D1 |. E8 AE48F7FF call TimeHelp.00409284
004949D6 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004949D9 |. 8D45 0C lea eax,dword ptr ss:[ebp+C]
004949DC |. E8 BB02F7FF call TimeHelp.00404C9C
004949E1 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
004949E4 |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
004949E7 |. 8BC3 mov eax,ebx
004949E9 |. E8 C2F9FFFF call TimeHelp.004943B0 ; registration algorithm: the key routine, step into
004949EE |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; the correct serial; a memory keygen can read it here
004949F1 |. 8B55 0C mov edx,dword ptr ss:[ebp+C] ; trial serial
004949F4 |. E8 5349F7FF call TimeHelp.0040934C ; compare the two strings
004949F9 |. 85C0 test eax,eax
004949FB |. 74 04 je short TimeHelp.00494A01 ; 0 = equal -> registration succeeds
004949FD |. 33DB xor ebx,ebx
004949FF |. EB 35 jmp short TimeHelp.00494A36
00494A01 |> 8D43 50 lea eax,dword ptr ds:[ebx+50]
00494A04 |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
00494A07 |. E8 4C02F7FF call TimeHelp.00404C58
00494A0C |. 8D43 60 lea eax,dword ptr ds:[ebx+60]
00494A0F |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00494A12 |. E8 4102F7FF call TimeHelp.00404C58
00494A17 |. 8D43 6C lea eax,dword ptr ds:[ebx+6C]
00494A1A |. 8B55 0C mov edx,dword ptr ss:[ebp+C]
00494A1D |. E8 3602F7FF call TimeHelp.00404C58
00494A22 |. 8D43 44 lea eax,dword ptr ds:[ebx+44]
00494A25 |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
00494A28 |. E8 2B02F7FF call TimeHelp.00404C58
00494A2D |. 8BC3 mov eax,ebx
00494A2F |. E8 58020000 call TimeHelp.00494C8C
00494A34 |. B3 01 mov bl,1
00494A36 |> 33C0 xor eax,eax
00494A38 |. 5A pop edx
00494A39 |. 59 pop ecx
00494A3A |. 59 pop ecx
00494A3B |. 64:8910 mov dword ptr fs:[eax],edx
00494A3E |. 68 654A4900 push TimeHelp.00494A65
00494A43 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00494A46 |. BA 04000000 mov edx,4
00494A4B |. E8 D801F7FF call TimeHelp.00404C28
00494A50 |. 8D45 08 lea eax,dword ptr ss:[ebp+8]
00494A53 |. BA 02000000 mov edx,2
00494A58 |. E8 CB01F7FF call TimeHelp.00404C28
00494A5D \. C3 retn
———————————————————————————————————————————
call TimeHelp.004943B0
———————————————————————————————————————————
004943B0 /$ 55 push ebp
004943B1 |. 8BEC mov ebp,esp
004943B3 |. 83C4 CC add esp,-34
004943B6 |. 53 push ebx
004943B7 |. 56 push esi
004943B8 |. 57 push edi
004943B9 |. 33DB xor ebx,ebx
004943BB |. 895D CC mov dword ptr ss:[ebp-34],ebx
004943BE |. 895D F4 mov dword ptr ss:[ebp-C],ebx
004943C1 |. 8BF9 mov edi,ecx
004943C3 |. 8955 FC mov dword ptr ss:[ebp-4],edx ; 'aB' + hex machine code + 'Cd'
004943C6 |. 8BF0 mov esi,eax
004943C8 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004943CB |. E8 D40CF7FF call TimeHelp.004050A4
004943D0 |. 33C0 xor eax,eax
004943D2 |. 55 push ebp
004943D3 |. 68 80454900 push TimeHelp.00494580
004943D8 |. 64:FF30 push dword ptr fs:[eax]
004943DB |. 64:8920 mov dword ptr fs:[eax],esp
004943DE |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004943E1 |. E8 D60AF7FF call TimeHelp.00404EBC
004943E6 |. 3B46 58 cmp eax,dword ptr ds:[esi+58]
004943E9 |. 7F 0D jg short TimeHelp.004943F8
004943EB |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004943EE |. E8 C90AF7FF call TimeHelp.00404EBC
004943F3 |. 3B46 5C cmp eax,dword ptr ds:[esi+5C]
004943F6 |. 7D 0C jge short TimeHelp.00494404
004943F8 |> 8BC7 mov eax,edi
004943FA |. E8 0508F7FF call TimeHelp.00404C04
004943FF |. E9 56010000 jmp TimeHelp.0049455A
00494404 |> 8B46 78 mov eax,dword ptr ds:[esi+78] ; $587C5F33 (low dword of the constant)
00494407 |. 8945 E0 mov dword ptr ss:[ebp-20],eax
0049440A |. 8B46 7C mov eax,dword ptr ds:[esi+7C] ; 0
0049440D |. 8945 E4 mov dword ptr ss:[ebp-1C],eax
00494410 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00494413 |. 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
00494416 |. 83C0 03 add eax,3
00494419 |. 83D2 00 adc edx,0 ; ADC: add with carry (high dword of a 64-bit add)
0049441C |. 8945 D8 mov dword ptr ss:[ebp-28],eax
0049441F |. 8955 DC mov dword ptr ss:[ebp-24],edx
00494422 |. 836D D8 0A sub dword ptr ss:[ebp-28],0A ; $587C5F33+3-10
00494426 |. 835D DC 00 sbb dword ptr ss:[ebp-24],0 ; -0 (borrow into the high dword)
0049442A |. DF6D D8 fild qword ptr ss:[ebp-28] ; load the 64-bit integer onto the FPU stack
0049442D |. DB2D 90454900 fld tbyte ptr ds:[494590] ; load an 80-bit constant, pushing the previous value to st(1)
00494433 |. DEF1 fdivrp st(1),st ; FDIVRP ST(1),ST: ST(1) <- ST/ST(1), then pop
00494435 |. D805 9C454900 fadd dword ptr ds:[49459C] ; FADD m32: ST <- ST + single-precision constant at 49459C
**The instructions above are floating-point operations, but they play no part in the registration algorithm: their result is OR'ed, incremented and AND'ed, and then dropped, because ebx is loaded from [ebp-2C], which 00494471 has just zeroed. For the instruction semantics see http://www.pediy.com/tutorial/chap2/Chap2-4.htm
0049443B |. E8 84E7F6FF call TimeHelp.00402BC4
00494440 |. 8945 D0 mov dword ptr ss:[ebp-30],eax
00494443 |. 8955 D4 mov dword ptr ss:[ebp-2C],edx
00494446 |. 8B45 D0 mov eax,dword ptr ss:[ebp-30]
00494449 |. 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
0049444C |. 0D 89706A5B or eax,5B6A7089
00494451 |. 81CA 4C3D2E1F or edx,1F2E3D4C
00494457 |. 8945 D8 mov dword ptr ss:[ebp-28],eax
0049445A |. 8955 DC mov dword ptr ss:[ebp-24],edx
0049445D |. 8345 D8 0C add dword ptr ss:[ebp-28],0C
00494461 |. 8355 DC 00 adc dword ptr ss:[ebp-24],0
00494465 |. 8B45 D8 mov eax,dword ptr ss:[ebp-28]
00494468 |. 8B55 DC mov edx,dword ptr ss:[ebp-24]
0049446B |. 81E0 72981415 and eax,15149872
00494471 |. 33D2 xor edx,edx
00494473 |. 8945 D0 mov dword ptr ss:[ebp-30],eax
00494476 |. 8955 D4 mov dword ptr ss:[ebp-2C],edx
00494479 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; = 0: this slot was zeroed at 00494471, so the float result is discarded
0049447C |. 33D2 xor edx,edx
0049447E |. 8BD8 mov ebx,eax ; ebx = 0
00494480 |. 8BC3 mov eax,ebx
00494482 |. 99 cdq
00494483 |. 8945 D8 mov dword ptr ss:[ebp-28],eax
00494486 |. 8955 DC mov dword ptr ss:[ebp-24],edx
00494489 |. 6A 00 push 0
0049448B |. 6A 00 push 0
0049448D |. 8B45 D8 mov eax,dword ptr ss:[ebp-28]
00494490 |. 8B55 DC mov edx,dword ptr ss:[ebp-24]
00494493 |. E8 F417F7FF call TimeHelp.00405C8C ; 64-bit multiply (as the values below show): 0 * 0 = 0
00494498 |. 83C0 01 add eax,1 ; -> 1
0049449B |. 83D2 00 adc edx,0
0049449E |. 8945 D8 mov dword ptr ss:[ebp-28],eax
004944A1 |. 8955 DC mov dword ptr ss:[ebp-24],edx
004944A4 |. FF75 DC push dword ptr ss:[ebp-24]
004944A7 |. FF75 D8 push dword ptr ss:[ebp-28]
004944AA |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004944AD |. 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
004944B0 |. E8 D717F7FF call TimeHelp.00405C8C ; $587C5F33 * 1: the constant is unchanged
004944B5 |. 8945 E0 mov dword ptr ss:[ebp-20],eax
004944B8 |. 8955 E4 mov dword ptr ss:[ebp-1C],edx
004944BB |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004944BE |. E8 F909F7FF call TimeHelp.00404EBC
004944C3 |. 8BD8 mov ebx,eax
004944C5 |. EB 31 jmp short TimeHelp.004944F8 ; the floating-point arithmetic above has no effect on the result; the key part follows
004944C7 |> 8B45 FC /mov eax,dword ptr ss:[ebp-4]
004944CA |. 8A4418 FF |mov al,byte ptr ds:[eax+ebx-1] ; M2[ebx]: characters of 'aB'+hex machine code+'Cd' are taken from the end backwards
004944CE |. 25 FF000000 |and eax,0FF
004944D3 |. 33D2 |xor edx,edx
004944D5 |. 52 |push edx
004944D6 |. 50 |push eax
004944D7 |. 8B45 E0 |mov eax,dword ptr ss:[ebp-20] ; constant $587C5F33 (low dword)
004944DA |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C] ; high dword 0
004944DD |. E8 9618F7FF |call TimeHelp.00405D78 ; $587C5F33 mod Ord(char): the remainder, call it Key[i]
004944E2 |. 52 |push edx ; /Arg2
004944E3 |. 50 |push eax ; |Arg1
004944E4 |. 8D45 CC |lea eax,dword ptr ss:[ebp-34] ; |
004944E7 |. E8 8C54F7FF |call TimeHelp.00409978 ; \TimeHelp.00409978: remainder -> decimal string
004944EC |. 8B55 CC |mov edx,dword ptr ss:[ebp-34]
004944EF |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C] ; append the decimal string to the accumulator at [ebp-C]
004944F2 |. E8 CD09F7FF |call TimeHelp.00404EC4
004944F7 |. 4B |dec ebx
004944F8 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004944FB |. E8 BC09F7FF |call TimeHelp.00404EBC
00494500 |. 83E8 06 |sub eax,6 ; Length('aB'+hex machine code+'Cd') - 6
00494503 |. 3BD8 |cmp ebx,eax
00494505 |. 7C 04 |jl short TimeHelp.0049450B
00494507 |. 85DB |test ebx,ebx
00494509 |.^ 7F BC \jg short TimeHelp.004944C7 ; loop while ebx >= Length(M2)-6 and ebx > 0, i.e. positions Length(M2) down to Length(M2)-6: seven characters
0049450B |> 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0049450E |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; the concatenated decimal remainders
00494511 |. E8 6E19F7FF call TimeHelp.00405E84 ; decimal string -> 64-bit integer (eax:edx)
00494516 |. 8945 E8 mov dword ptr ss:[ebp-18],eax
00494519 |. 8955 EC mov dword ptr ss:[ebp-14],edx
0049451C |. 8B5E 70 mov ebx,dword ptr ds:[esi+70] ; digit limit (0 = none)
0049451F |. 85DB test ebx,ebx
00494521 |. 7F 11 jg short TimeHelp.00494534 ; below, the 64-bit value is converted to a hex string; that string is the serial
00494523 |. FF75 EC push dword ptr ss:[ebp-14] ; /Arg2
00494526 |. FF75 E8 push dword ptr ss:[ebp-18] ; |Arg1
00494529 |. 8BD7 mov edx,edi ; |
0049452B |. 33C0 xor eax,eax ; |
0049452D |. E8 B654F7FF call TimeHelp.004099E8 ; \TimeHelp.004099E8: int64 -> hex string, eax=0 digits (no padding)
00494532 |. EB 26 jmp short TimeHelp.0049455A
00494534 |> FF75 EC push dword ptr ss:[ebp-14] ; /Arg2
00494537 |. FF75 E8 push dword ptr ss:[ebp-18] ; |Arg1
0049453A |. 8BD7 mov edx,edi ; |
0049453C |. 8BC3 mov eax,ebx ; |
0049453E |. E8 A554F7FF call TimeHelp.004099E8 ; \TimeHelp.004099E8: int64 -> hex string with [esi+70] digits
00494543 |. 8B07 mov eax,dword ptr ds:[edi]
00494545 |. E8 7209F7FF call TimeHelp.00404EBC ; Length(serial)
0049454A |. 8BC8 mov ecx,eax
0049454C |. 2B4E 70 sub ecx,dword ptr ds:[esi+70] ; count = Length - [esi+70]
0049454F |. 8B56 70 mov edx,dword ptr ds:[esi+70]
00494552 |. 42 inc edx ; index = [esi+70] + 1
00494553 |. 8BC7 mov eax,edi
00494555 |. E8 FA0BF7FF call TimeHelp.00405154 ; remove everything past the first [esi+70] characters
0049455A |> 33C0 xor eax,eax
0049455C |. 5A pop edx
0049455D |. 59 pop ecx
0049455E |. 59 pop ecx
0049455F |. 64:8910 mov dword ptr fs:[eax],edx
00494562 |. 68 87454900 push TimeHelp.00494587
00494567 |> 8D45 CC lea eax,dword ptr ss:[ebp-34]
0049456A |. E8 9506F7FF call TimeHelp.00404C04
0049456F |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00494572 |. E8 8D06F7FF call TimeHelp.00404C04
00494577 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0049457A |. E8 8506F7FF call TimeHelp.00404C04
0049457F \. C3 retn
———————————————————————————————————————————
【Crack summary】:
The author's algorithm is very simple; I don't know what the floating-point computation inside it is for. (From the listing, its result never reaches the serial: the value is OR'ed, incremented and AND'ed, but ebx is then loaded from [ebp-2C], which 00494471 had zeroed, so the multiplier becomes 0*0+1 = 1 and $587C5F33 is multiplied by 1.)
1. Convert the machine code to an 8-digit hex string (0054ABDE passes 8 as the digit count); call it M1.
2. Prepend 'aB' and append 'Cd': 'aB' + M1 + 'Cd'; call it M2.
3. Loop, taking characters Char from the end of M2 backwards.
4. For each Char, take the remainder of the constant $587C5F33 divided by Ord(Char) and convert it to a decimal string; append it to the result.
5. The loop stops after position Length(M2)-6 (seven characters in all).
6. Convert the concatenated decimal string to an integer and then to a hex string; that hex string is the serial.
Keygen source in Delphi:
Procedure TForm1.btn1Click(Sender: TObject);
Const
  Num: Integer = $587C5F33;   // constant read from [esi+78]; the high dword is 0
Var
  MnoStr, SerialNo: String;
  i: Integer;
Begin
  SerialNo := '';
  // M2 = 'aB' + M1 + 'Cd'; the target formats the machine code with 8 hex digits (mov edx,8 at 0054ABDE)
  MnoStr := 'aB' + IntToHex(StrToInt64(edt1.Text), 8) + 'Cd';
  // take M2[Length] down to M2[Length-6] and append each remainder as a decimal string
  For i := 0 To Length(MnoStr) - 6 Do
    SerialNo := SerialNo + IntToStr(Num Mod Ord(MnoStr[Length(MnoStr) - i]));
  // decimal string -> Int64 -> hex string: that is the serial
  edt2.Text := IntToHex(StrToInt64(SerialNo), 1);
End;
Memory keygen:
Breakpoint address: 004949F1
Break count: 1
First byte: 8B
Instruction length: 3
Serial: memory mode, register EAX
You can verify with:
Machine code: 1072429567
Serial: 278114D14C6B
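The same algorithm in Python, added here as an example (it is not the author's keygen), so the listing can be checked against the test vector above without Delphi. It reproduces 004943B0 (serial computation) and the front-end checks in 00494928 (length bounds and non-empty trial serial). The function names, the min_len/max_len defaults (the listing reads those bounds from [ebx+5C]/[ebx+58] but never shows their values) and the reading of 00405D78 as a 64-bit modulo are assumptions; the transform 00409284 applies to the trial serial before the compare is not identified on the page, so an exact match is assumed.

```python
"""Serial computation of 时间提醒助手 20040425, rebuilt from the listing above.

Added example (not the author's Delphi keygen): it mirrors 004943B0 and the
front-end checks in 00494928.  The function names, the min_len/max_len
defaults and the 64-bit-modulo reading of 00405D78 are assumptions.
"""

KEY_CONST = 0x587C5F33        # [esi+78]; the high dword [esi+7C] is 0
PREFIX, SUFFIX = "aB", "Cd"   # literals at 0054AD6C and 0054AD78
TAIL = 6                      # "sub eax,6" at 00494500
INT64_MAX = 0x7FFFFFFFFFFFFFFF


def hex_machine_code(machine_code: int) -> str:
    """0054ABD6/0054ABE3: string -> integer in eax (32-bit), then IntToHex with
    edx=8 digits, zero-padded and uppercase."""
    return f"{machine_code & 0xFFFFFFFF:08X}"


def build_key_base(machine_code: int) -> str:
    """0054ABF8 concatenates edx=3 strings: 'aB' + hex(machine code) + 'Cd' (M2)."""
    return PREFIX + hex_machine_code(machine_code) + SUFFIX


def compute_serial(machine_code: int, digits: int = 0) -> str:
    """Replicates 004943B0; `digits` plays the role of [esi+70] (0 = no limit)."""
    m2 = build_key_base(machine_code)
    n = len(m2)
    decimal_digits = ""
    # 004944C7..00494509: ebx runs from Length(M2) down to Length(M2)-6,
    # as long as it stays > 0, and M2[ebx] (1-based) is consumed each pass.
    i = n
    while i >= n - TAIL and i > 0:
        remainder = KEY_CONST % ord(m2[i - 1])   # 00405D78: 64-bit modulo
        decimal_digits += str(remainder)         # 00409978 + 00404EC4
        i -= 1
    value = int(decimal_digits)                  # 00405E84: decimal string -> Int64
    if value > INT64_MAX:
        # The target converts into a 64-bit register pair; a longer digit
        # string would fail there, so refuse it rather than silently widen.
        raise OverflowError("remainder string does not fit in Int64")
    if digits > 0:
        # 00494534..00494555: IntToHex(value, digits), then drop everything
        # past the first `digits` characters.
        return f"{value:0{digits}X}"[:digits]
    return f"{value:X}"                          # 0049452D: IntToHex(value, 0)


def check_serial(machine_code: int, trial: str,
                 min_len: int = 0, max_len: int = 64) -> bool:
    """Front-end checks from 00494928.  min_len/max_len stand in for
    [ebx+5C]/[ebx+58], whose values the listing never shows (assumed)."""
    m2 = build_key_base(machine_code)
    if len(m2) > max_len or len(m2) < min_len:   # 004949A1..004949B9
        return False
    if len(trial) == 0:                          # 004949BB..004949C5
        return False
    # 00409284 transforms the trial serial before 0040934C compares it; that
    # transform is not identified on the page, so an exact match is assumed.
    return compute_serial(machine_code) == trial


if __name__ == "__main__":
    # The author's test vector: machine code 1072429567 -> 278114D14C6B
    print(build_key_base(1072429567), compute_serial(1072429567))
```

Run as a script it prints M2 and the serial for the author's machine code. The 8-digit padding from 0054ABDE is what keeps the result in step with the target for machine codes below 0x10000000; a keygen that formats with IntToHex(code, 1) produces a shorter M2 there, which changes both the characters consumed and the loop bound.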
This is my second crack writeup; please go easy on me, experts.