晕倒，永远也没有合法的……说DISKdata.exe

标题：晕倒，永远也没有合法的……说DISKdata.exe
作者：我烦死机代码
时间：2005-06-02 16:14
链接：http://bbs.pediy.com/showthread.php?threadid=14165

软件名称：DISKdata.exe
下载地址：http://www.digallery.com/download/ddsetup.exe
软件功能：不太明白，没用过

编译语言：Borland Delphi 4.0 - 5.0

破解作者：wofan[OCN][PYG]

00491738=DISKdata.00491738 (ASCII "The license is invalid! Be sure to enter the "Licensed To" and the "License Key" information exactly as supplied in your license.")
Jumps from 004911E5, 00491248, 004912CA

软件启动时有Nag延时，OD载入，先找个断点，这个软件有未注册成功的提示，见上面！
注册码要22位！！！！当然开始并不知道，所以折腾了一些时间，并且因为打雷闪电，又要上班，并未在我预定的6.1儿童节完成。
输入：
Licensed to:wofan
License key:1234123412341234563478 （试验码1）   ******暂定为22位,如果选取的注册码在运算中出现不可见字符，就增加了分析的难度。

在断点在F2断下后，点击Set按钮，断下：

0049115A    .  E8 61F5F9FF       call DISKdata.004306C0      **********取得注册码长度0x16
0049115F    .  8B45 F0           mov eax,dword ptr ss:[ebp-10]*********假注册码1234123412341234563478
00491162    .  8D55 F4           lea edx,dword ptr ss:[ebp-C]
00491165    .  E8 AA74F7FF       call DISKdata.00408614
0049116A    .  8B45 F4           mov eax,dword ptr ss:[ebp-C]*********假注册码地地址
0049116D    .  8D4D FC           lea ecx,dword ptr ss:[ebp-4]
00491170    .  BA 20164900       mov edx,DISKdata.00491620              ;  ASCII "DISKdata"
00491175    .  E8 4E03FEFF       call DISKdata.004714C8      *********第一处按F7跟进！！！！！
0049117A    .  84C0              test al,al                    ******这里是第一处判断，不能通过就会弹出未成功注册的信息：The license is invalid!……
0049117C    .  0F84 C7030000     je DISKdata.00491549
00491182    .  8D45 E8           lea eax,dword ptr ss:[ebp-18]
00491185    .  50                push eax
00491186    .  B9 02000000       mov ecx,2                     ***ECX=2
0049118B    .  BA 05000000       mov edx,5                     ***EDX=5
00491190    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]   ******新字串3:V}AvUfU{p（上面如果不跳，这里开始效验）
00491193    .  E8 102FF7FF       call DISKdata.004040A8         ******取新字串3的第五六位：Stack ss:[0012F67C]=00DBA290, (ASCII "vU")
00491198    .  8B4D E8           mov ecx,dword ptr ss:[ebp-18]
0049119B    .  8D45 EC           lea eax,dword ptr ss:[ebp-14]
0049119E    .  BA 34164900       mov edx,DISKdata.00491634
004911A3    .  E8 442DF7FF       call DISKdata.00403EEC          *****Stack ss:[0012F680]=00DBA2A0, (ASCII "$vU")  在前面加上一个$
004911A8    .  8B45 EC           mov eax,dword ptr ss:[ebp-14]
004911AB    .  E8 C475F7FF       call DISKdata.00408774          *****开始效验之一，不成功会返回：“''is not a valid integer value”*******
004911B0    .  8BF0              mov esi,eax                    ××××以修改后的注册码12341234050012345634B2(试验码2），会使ESI＝EAX=AA×××××××
004911B2    .  8D55 DC           lea edx,dword ptr ss:[ebp-24]
004911B5    .  8B83 48040000     mov eax,dword ptr ds:[ebx+448]
004911BB    .  E8 00F5F9FF       call DISKdata.004306C0         ××××注册名：wofan
004911C0    .  8B45 DC           mov eax,dword ptr ss:[ebp-24]
004911C3    .  8D55 E0           lea edx,dword ptr ss:[ebp-20]
004911C6    .  E8 0572F7FF       call DISKdata.004083D0         ××××开始处理注册名：wofan，注册名大写化
004911CB    .  8B45 E0           mov eax,dword ptr ss:[ebp-20]   ××××WOFAN
004911CE    .  8D55 E4           lea edx,dword ptr ss:[ebp-1C]
004911D1    .  E8 3E74F7FF       call DISKdata.00408614
004911D6    .  8B45 E4           mov eax,dword ptr ss:[ebp-1C]
004911D9    .  E8 F604FEFF       call DISKdata.004716D4        ×××处理注册名之二，得到注册名大写化后ASCII累加值，（保留低八位）7B送EAX
004911DE    .  25 FF000000       and eax,0FF                    ×××EAX=7B
004911E3    .  3BF0              cmp esi,eax                    ×××ESI=AA，EAX=7B
004911E5    .  0F85 52030000     jnz DISKdata.0049153D           ×××可不能跳呀！原来新字串3，的第五，六位是7B
××××××××××××××××××××××××××××××

通过注册名wofan得到7B，
37(7) xor 64(d)=53
42(B) xor 61(a)=23
注册码的9-12位就是5323

××××××××××××××××××××××××××××××
004911EB    .  8D45 D4           lea eax,dword ptr ss:[ebp-2C]
004911EE    .  50                push eax
004911EF    .  8D55 CC           lea edx,dword ptr ss:[ebp-34]
004911F2    .  8B83 48040000     mov eax,dword ptr ds:[ebx+448]
004911F8    .  E8 C3F4F9FF       call DISKdata.004306C0           ×××注册名长度5
004911FD    .  8B45 CC           mov eax,dword ptr ss:[ebp-34]   ×××注册名wofan
00491200    .  8D55 D0           lea edx,dword ptr ss:[ebp-30]
00491203    .  E8 0C74F7FF       call DISKdata.00408614           ×××注册名wofan
00491208    .  8B45 D0           mov eax,dword ptr ss:[ebp-30]
0049120B    .  B9 02000000       mov ecx,2                        ×××ECX=2
00491210    .  BA 01000000       mov edx,1                         ×××EDX=1
00491215    .  E8 8E2EF7FF       call DISKdata.004040A8            ×××取wofan的前两位wo
0049121A    .  8B45 D4           mov eax,dword ptr ss:[ebp-2C]
0049121D    .  8D55 D8           lea edx,dword ptr ss:[ebp-28]
00491220    .  E8 AB71F7FF       call DISKdata.004083D0            ×××大写化成为WO
00491225    .  8B45 D8           mov eax,dword ptr ss:[ebp-28]
00491228    .  50                push eax                          ×××Push
00491229    .  8D45 C8           lea eax,dword ptr ss:[ebp-38]
0049122C    .  50                push eax
0049122D    .  B9 02000000       mov ecx,2                       ×××ECX=2
00491232    .  BA 01000000       mov edx,1                       ×××EDX=1
00491237    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
0049123A    .  E8 692EF7FF       call DISKdata.004040A8           ×××取新字串3的前两位，应该记得是 "V}"
0049123F    .  8B55 C8           mov edx,dword ptr ss:[ebp-38]
00491242    .  58                pop eax                         ×××pop,使EAX得到WO
00491243    .  E8 682DF7FF       call DISKdata.00403FB0           ×××比较
00491248    .  0F85 EF020000     jnz DISKdata.0049153D             ×××当然要相等才行！
******************************************
可见注册码前四位应该是：1306
44(D) xor 57(W)=13
49(I) xor 4F(O)=06
*******************************************
0049124E    .  8D45 C0           lea eax,dword ptr ss:[ebp-40]
00491251    .  50                push eax
00491252    .  8D55 B8           lea edx,dword ptr ss:[ebp-48]
00491255    .  8B83 48040000     mov eax,dword ptr ds:[ebx+448]
0049125B    .  E8 60F4F9FF       call DISKdata.004306C0
00491260    .  8B45 B8           mov eax,dword ptr ss:[ebp-48]
00491263    .  8D55 BC           lea edx,dword ptr ss:[ebp-44]
00491266    .  E8 A973F7FF       call DISKdata.00408614
0049126B    .  8B45 BC           mov eax,dword ptr ss:[ebp-44]
0049126E    .  E8 2D2CF7FF       call DISKdata.00403EA0         ×××注册名长度5送EAX
00491273    .  48                dec eax                        ×××EAX=EAX-1＝4（用它确定，从注册名后取两位）
00491274    .  50                push eax
00491275    .  8D55 B0           lea edx,dword ptr ss:[ebp-50]
00491278    .  8B83 48040000     mov eax,dword ptr ds:[ebx+448]
0049127E    .  E8 3DF4F9FF       call DISKdata.004306C0
00491283    .  8B45 B0           mov eax,dword ptr ss:[ebp-50]
00491286    .  8D55 B4           lea edx,dword ptr ss:[ebp-4C]
00491289    .  E8 8673F7FF       call DISKdata.00408614
0049128E    .  8B45 B4           mov eax,dword ptr ss:[ebp-4C]      ×××注册名wofan
00491291    .  B9 02000000       mov ecx,2                          ×××ECX=2
00491296    .  5A                pop edx                            ×××Pop，使EDX=4
00491297    .  E8 0C2EF7FF       call DISKdata.004040A8              ×××取注册名的后两位an
0049129C    .  8B45 C0           mov eax,dword ptr ss:[ebp-40]
0049129F    .  8D55 C4           lea edx,dword ptr ss:[ebp-3C]
004912A2    .  E8 2971F7FF       call DISKdata.004083D0            ×××大写化变成AN
004912A7    .  8B45 C4           mov eax,dword ptr ss:[ebp-3C]
004912AA    .  50                push eax
004912AB    .  8D45 AC           lea eax,dword ptr ss:[ebp-54]
004912AE    .  50                push eax                          ×××Push
004912AF    .  B9 02000000       mov ecx,2                        ×××ECX=2
004912B4    .  BA 03000000       mov edx,3                        ×××EDX=3
004912B9    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
004912BC    .  E8 E72DF7FF       call DISKdata.004040A8           ×××新字串3的第三，四位
004912C1    .  8B55 AC           mov edx,dword ptr ss:[ebp-54]
004912C4    .  58                pop eax                          ×××Pop，使EAX得到AN
004912C5    .  E8 E62CF7FF       call DISKdata.00403FB0           ×××又是比较
××××××××××××××××××
注册码的5-8位，应该是：1205
53(S) xor 41(A)=12
4B(K) xor 4E(N)=05
可见注册码前四位应该是：1306
44(D) xor 57(W)=13
49(I) xor 4F(O)=06
注册码的9-12位就是5323
7B
37(7) xor 64(d)=53
42(B) xor 61(a)=23

生成一个新的注册码：
130612055323123456341D    试验码3
新字串3变为：WOAN7BfU{p
××××××××××××××××××
004912CA    .  0F85 6D020000     jnz DISKdata.0049153D            ×××不能跳！！
004912D0    .  8D45 A8           lea eax,dword ptr ss:[ebp-58]
004912D3    .  50                push eax
004912D4    .  B9 02000000       mov ecx,2                       ×××ECX=2
004912D9    .  BA 0B000000       mov edx,0B                      ××× EDX=B  （从这里与下面一个Call才知道注册码要26位！！！累呀！）
004912DE    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]    ×××新字串3：WOAN7BfU{p（试验码三：130612055323123456341D得到的！）
004912E1    .  E8 C22DF7FF       call DISKdata.004040A8     *********开始效验之二（效验注册码位数），不成功会返回：“''is not a valid integer value”*******
                                                             效验通过，则取试验码四所得到的新字串3的末两位：}g
*******************************************************
没办法，制造试验码四（26位）：
13061205532312345634343473
经它产生的新字串3：WOAN7BfU{p}g
*******************************************************
004912E6    .  8B45 A8           mov eax,dword ptr ss:[ebp-58]
004912E9    .  E8 8674F7FF       call DISKdata.00408774        ××看看新字串3的末两位（注册码21-24位）是否合法（应该只能是数字！，如果合法，就运算）
*****************************************************
只好再度修改得到试验码五：
13061205532312345634706A8D
DISKdata-DISK
假设就为9吧：
于是有：49(I) xor 39=70
        53(S) xor 39=6A
得到新字串3为：
WOAN7BfU{p99

调试运行到00491322，发现99的十六进制形式63，要<=0xC,才能进行下去！
故重新修改注册码为：能够通过验证的组合，只有01,02,03……10,11,12
49(I) xor 31=78
53(S) xor 31=62
130612055323123456347862FD   试验码六
得到新字串3：
WOAN7BfU{p11

试验码七：
74(t) xor 39=4D
61(a) xor 39=58
2D(-) xor 39=14
44(D) xor 39=7D
试验码七：
1306120553234D58147D7861BE
由此产生的新字串3：
WOAN7B999912
****************************************************
004912EE    .  50                push eax                     ***通过试验码六，得到返回值为((31-30)*A+(31-30)=B（11的十六进制形式）
004912EF    .  8D45 A0           lea eax,dword ptr ss:[ebp-60]
004912F2    .  50                push eax
004912F3    .  B9 02000000       mov ecx,2                    ×××ECX=2
004912F8    .  BA 0D000000       mov edx,0D                   ×××EDX=D
004912FD    .  8B45 FC           mov eax,dword ptr ss:[ebp-4] ×××新字串3：WOAN7BfU{p11
00491300    .  E8 A32DF7FF       call DISKdata.004040A8
00491305    .  8B4D A0           mov ecx,dword ptr ss:[ebp-60]
00491308    .  8D45 A4           lea eax,dword ptr ss:[ebp-5C]
0049130B    .  BA 40164900       mov edx,DISKdata.00491640              ;  ASCII "20"一个字串
00491310    .  E8 D72BF7FF       call DISKdata.00403EEC
00491315    .  8B45 A4           mov eax,dword ptr ss:[ebp-5C]
00491318    .  E8 5774F7FF       call DISKdata.00408774         ×××处理字串：20，取它的十六进制形式14××
0049131D    .  66:B9 0100        mov cx,1                    ××××CX=1
00491321    .  5A                pop edx                     ××××Pop：B（11的十六进制值）
00491322    .  E8 4584F7FF       call DISKdata.0040976C      ×××验证是否合法，不合法就玩完，弹出：Invalid argument to date encode ×××
00491327    .  DD5D 98           fstp qword ptr ss:[ebp-68]     ×××居然还要进行浮点运算！！！
****************************************************
如果11的十六进制数B不大于0xC，就通过验证，继续下去：
st=-686349.00000000000000
Stack ss:[0012F62C]=0.0

****************************************************
0049132A    .  9B                wait
0049132B    .  E8 AC86F7FF       call DISKdata.004099DC     ××××通过取Local time，得到一个浮点数
00491330    .  DC5D 98           fcomp qword ptr ss:[ebp-68]   ********************不通过就会弹出：The license has expired!
************************************************************
st=38505.000000000000000                         ××××通过Local time得到一个值，只要系统时间不变，这是个固定值！！
Stack ss:[0012F62C]=-686349.00000000000000

************************************************************
00491333    .  DFE0              fstsw ax
00491335    .  9E                sahf
00491336    .  0F83 F5010000     jnb DISKdata.00491531       *************跳到00491531，弹出The license has expired!，Nop掉！！！
**************************************
用最大的能通过验证的C，也得不到一个正数！！！！这一定是个陷阱！！！！！
将这一行Nop掉，会提示：注册给：Site，Expired time :11/20
晕倒！！！！！

*************************************

0049133C    .  8D45 94           lea eax,dword ptr ss:[ebp-6C]
0049133F    .  50                push eax
00491340    .  B9 04000000       mov ecx,4                            ****ECX=4
00491345    .  BA 07000000       mov edx,7                            ****EDX=7  （从新字串3中的第七位起，取四位）
0049134A    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
0049134D    .  E8 562DF7FF       call DISKdata.004040A8
00491352    .  8B45 94           mov eax,dword ptr ss:[ebp-6C]
00491355    .  BA 4C164900       mov edx,DISKdata.0049164C              ;  ASCII "9999"又一个字串，以后就与新字串的7-10相比较
0049135A    .  E8 512CF7FF       call DISKdata.00403FB0
0049135F    .  75 12             jnz short DISKdata.00491373                  *****可见新字串3的7-10就是9999
00491361    .  8B83 64040000     mov eax,dword ptr ds:[ebx+464]
00491367    .  BA 5C164900       mov edx,DISKdata.0049165C              ;  ASCII "Site"
0049136C    .  E8 7FF3F9FF       call DISKdata.004306F0
00491371    .  EB 24             jmp short DISKdata.00491397
00491373    >  8D45 90           lea eax,dword ptr ss:[ebp-70]
00491376    .  50                push eax
00491377    .  B9 04000000       mov ecx,4
0049137C    .  BA 07000000       mov edx,7
00491381    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
00491384    .  E8 1F2DF7FF       call DISKdata.004040A8
00491389    .  8B55 90           mov edx,dword ptr ss:[ebp-70]
0049138C    .  8B83 64040000     mov eax,dword ptr ds:[ebx+464]
00491392    .  E8 59F3F9FF       call DISKdata.004306F0
00491397    >  8D45 88           lea eax,dword ptr ss:[ebp-78]
0049139A    .  50                push eax
0049139B    .  B9 02000000       mov ecx,2
004913A0    .  BA 0B000000       mov edx,0B
004913A5    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
004913A8    .  E8 FB2CF7FF       call DISKdata.004040A8
004913AD    .  FF75 88           push dword ptr ss:[ebp-78]
004913B0    .  68 6C164900       push DISKdata.0049166C
004913B5    .  8D45 84           lea eax,dword ptr ss:[ebp-7C]
004913B8    .  50                push eax
004913B9    .  B9 02000000       mov ecx,2
004913BE    .  BA 0D000000       mov edx,0D
004913C3    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
004913C6    .  E8 DD2CF7FF       call DISKdata.004040A8
004913CB    .  FF75 84           push dword ptr ss:[ebp-7C]
004913CE    .  8D45 8C           lea eax,dword ptr ss:[ebp-74]
004913D1    .  BA 03000000       mov edx,3
004913D6    .  E8 852BF7FF       call DISKdata.00403F60
004913DB    .  8B45 8C           mov eax,dword ptr ss:[ebp-74]
004913DE    .  BA 78164900       mov edx,DISKdata.00491678              ;  ASCII "12/99"
004913E3    .  E8 C82BF7FF       call DISKdata.00403FB0
004913E8    .  75 12             jnz short DISKdata.004913FC
004913EA    .  8B83 60040000     mov eax,dword ptr ds:[ebx+460]
004913F0    .  BA 88164900       mov edx,DISKdata.00491688              ;  ASCII "None"
004913F5    .  E8 F6F2F9FF       call DISKdata.004306F0
004913FA    .  EB 63             jmp short DISKdata.0049145F
004913FC    >  8D85 7CFFFFFF     lea eax,dword ptr ss:[ebp-84]
00491402    .  50                push eax
00491403    .  B9 02000000       mov ecx,2
00491408    .  BA 0B000000       mov edx,0B
0049140D    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
00491410    .  E8 932CF7FF       call DISKdata.004040A8
00491415    .  FFB5 7CFFFFFF     push dword ptr ss:[ebp-84]
0049141B    .  68 6C164900       push DISKdata.0049166C
00491420    .  68 40164900       push DISKdata.00491640                 ;  ASCII "20"
00491425    .  8D85 78FFFFFF     lea eax,dword ptr ss:[ebp-88]
0049142B    .  50                push eax
0049142C    .  B9 02000000       mov ecx,2
00491431    .  BA 0D000000       mov edx,0D
00491436    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
00491439    .  E8 6A2CF7FF       call DISKdata.004040A8
0049143E    .  FFB5 78FFFFFF     push dword ptr ss:[ebp-88]
00491444    .  8D45 80           lea eax,dword ptr ss:[ebp-80]
00491447    .  BA 04000000       mov edx,4
0049144C    .  E8 0F2BF7FF       call DISKdata.00403F60
00491451    .  8B55 80           mov edx,dword ptr ss:[ebp-80]
00491454    .  8B83 60040000     mov eax,dword ptr ds:[ebx+460]
0049145A    .  E8 91F2F9FF       call DISKdata.004306F0
0049145F    >  8B83 30030000     mov eax,dword ptr ds:[ebx+330]
00491465    .  BA 98164900       mov edx,DISKdata.00491698              ;  ASCII "About"
0049146A    .  E8 81F2F9FF       call DISKdata.004306F0
0049146F    .  B9 A8164900       mov ecx,DISKdata.004916A8              ;  ASCII "\Software\Digital Information Gallery\DiskData"
00491474    .  B2 01             mov dl,1
00491476    .  A1 2CEB4600       mov eax,dword ptr ds:[46EB2C]
0049147B    .  E8 94DFFDFF       call DISKdata.0046F414
00491480    .  8945 F8           mov dword ptr ss:[ebp-8],eax
00491483    .  8B83 88030000     mov eax,dword ptr ds:[ebx+388]
00491489    .  33D2              xor edx,edx
0049148B    .  E8 48F1F9FF       call DISKdata.004305D8
00491490    .  33C0              xor eax,eax
00491492    .  55                push ebp
00491493    .  68 2A154900       push DISKdata.0049152A
00491498    .  64:FF30           push dword ptr fs:[eax]
0049149B    .  64:8920           mov dword ptr fs:[eax],esp
0049149E    .  8D95 70FFFFFF     lea edx,dword ptr ss:[ebp-90]
004914A4    .  8B83 48040000     mov eax,dword ptr ds:[ebx+448]
004914AA    .  E8 11F2F9FF       call DISKdata.004306C0
004914AF    .  8B85 70FFFFFF     mov eax,dword ptr ss:[ebp-90]
004914B5    .  8D95 74FFFFFF     lea edx,dword ptr ss:[ebp-8C]
004914BB    .  E8 5471F7FF       call DISKdata.00408614
004914C0    .  8B85 74FFFFFF     mov eax,dword ptr ss:[ebp-8C]
004914C6    .  50                push eax
004914C7    .  B9 E0164900       mov ecx,DISKdata.004916E0              ;  ASCII "Licensee"
004914CC    .  BA F4164900       mov edx,DISKdata.004916F4              ;  ASCII "Settings"
004914D1    .  8B45 F8           mov eax,dword ptr ss:[ebp-8]
004914D4    .  E8 9BE0FDFF       call DISKdata.0046F574
004914D9    .  8D95 68FFFFFF     lea edx,dword ptr ss:[ebp-98]
004914DF    .  8B83 4C040000     mov eax,dword ptr ds:[ebx+44C]
004914E5    .  E8 D6F1F9FF       call DISKdata.004306C0
004914EA    .  8B85 68FFFFFF     mov eax,dword ptr ss:[ebp-98]
004914F0    .  8D95 6CFFFFFF     lea edx,dword ptr ss:[ebp-94]
004914F6    .  E8 1971F7FF       call DISKdata.00408614
004914FB    .  8B85 6CFFFFFF     mov eax,dword ptr ss:[ebp-94]
00491501    .  50                push eax
00491502    .  BA F4164900       mov edx,DISKdata.004916F4              ;  ASCII "Settings"
00491507    .  B9 08174900       mov ecx,DISKdata.00491708              ;  ASCII "Key"
0049150C    .  8B45 F8           mov eax,dword ptr ss:[ebp-8]
0049150F    .  E8 60E0FDFF       call DISKdata.0046F574
00491514    .  33C0              xor eax,eax
00491516    .  5A                pop edx
00491517    .  59                pop ecx
00491518    .  59                pop ecx
00491519    .  64:8910           mov dword ptr fs:[eax],edx
0049151C    .  68 53154900       push DISKdata.00491553
00491521    >  8B45 F8           mov eax,dword ptr ss:[ebp-8]
00491524    .  E8 2F1AF7FF       call DISKdata.00402F58
00491529    .  C3                retn
0049152A    .^ E9 8921F7FF       jmp DISKdata.004036B8
0049152F    .^ EB F0             jmp short DISKdata.00491521
00491531    >  B8 14174900       mov eax,DISKdata.00491714              ;  ASCII "The license has expired!"
00491536    .  E8 4149FCFF       call DISKdata.00455E7C
0049153B    .  EB 16             jmp short DISKdata.00491553
0049153D    >  B8 38174900       mov eax,DISKdata.00491738              ;  ASCII "The license is invalid! Be sure to enter the "Licensed To" and the "License Key" information exactly as supplied in your license."
00491542    .  E8 3549FCFF       call DISKdata.00455E7C
00491547    .  EB 0A             jmp short DISKdata.00491553
00491549    >  B8 38174900       mov eax,DISKdata.00491738              ;  ASCII "The license is invalid! Be sure to enter the "Licensed To" and the "License Key" information exactly as supplied in your license."

******************************第一处按F7跟进！！！！！************************************
004714D1    .  33DB              xor ebx,ebx                       ******xor异或，异或的作用与赋值0相同
004714D3    .  895D D8           mov dword ptr ss:[ebp-28],ebx     ******这样，以下就初始化了
004714D6    .  895D DC           mov dword ptr ss:[ebp-24],ebx
004714D9    .  895D E0           mov dword ptr ss:[ebp-20],ebx
004714DC    .  895D E8           mov dword ptr ss:[ebp-18],ebx
004714DF    .  895D E4           mov dword ptr ss:[ebp-1C],ebx
004714E2    .  894D F4           mov dword ptr ss:[ebp-C],ecx
004714E5    .  8955 F8           mov dword ptr ss:[ebp-8],edx     ******一个字串：ASCII "DISKdata"，好像很有用，这是本程序的程序名
004714E8    .  8945 FC           mov dword ptr ss:[ebp-4],eax     ******假注册码：1234123412341234563478
004714EB    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]     *****假注册码的地址送EAX
004714EE    .  E8 612BF9FF       call DISKdata.00404054
004714F3    .  8B45 F8           mov eax,dword ptr ss:[ebp-8]
004714F6    .  E8 592BF9FF       call DISKdata.00404054
004714FB    .  33C0              xor eax,eax
004714FD    .  55                push ebp
004714FE    .  68 B3164700       push DISKdata.004716B3
00471503    .  64:FF30           push dword ptr fs:[eax]
00471506    .  64:8920           mov dword ptr fs:[eax],esp
00471509    .  33C0              xor eax,eax
0047150B    .  55                push ebp
0047150C    .  68 7F164700       push DISKdata.0047167F
00471511    .  64:FF30           push dword ptr fs:[eax]
00471514    .  64:8920           mov dword ptr fs:[eax],esp
00471517    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]
0047151A    .  E8 8129F9FF       call DISKdata.00403EA0 *********取假注册码的位数16
0047151F    .  85C0              test eax,eax           ********Test 一下，也就是进行与运算，但是只改变标志位
00471521    .  0F8E 4C010000     jle DISKdata.00471673  ********当然不跳
00471527    .  8D45 E0           lea eax,dword ptr ss:[ebp-20]
0047152A    .  B9 CC164700       mov ecx,DISKdata.004716CC
0047152F    .  8B55 F8           mov edx,dword ptr ss:[ebp-8]  *****字串DISKdata
00471532    .  E8 B529F9FF       call DISKdata.00403EEC        *****在它后面加上个“－”，变成新字串1：DISKdata-
00471537    .  8B45 E0           mov eax,dword ptr ss:[ebp-20] *****新字串1地址送EAX
0047153A    .  E8 6129F9FF       call DISKdata.00403EA0        *****取新字串1长度9送EAX
0047153F    .  8BF0              mov esi,eax                   *****复制到ESI
00471541    .  8B45 FC           mov eax,dword ptr ss:[ebp-4]  *****记得dword ptr ss:[ebp-4]放的是假注册码的地址
00471544    .  E8 5729F9FF       call DISKdata.00403EA0        *****这个Call，也要记得，是取字串长度，
00471549    .  8BF8              mov edi,eax                   *****假码长度16复制到EDI
0047154B    .  D1FF              sar edi,1                     *****Sar EdI,1 （右移一次，相当除以2）使EDI=B
0047154D    .  79 03             jns short DISKdata.00471552
0047154F    .  83D7 00           adc edi,0
00471552    >  85FF              test edi,edi
00471554    .  0F8E D8000000     jle DISKdata.00471632
0047155A    .  C745 F0 01000000  mov dword ptr ss:[ebp-10],1 *****dword ptr ss:[ebp-10]=1
00471561    >  8B5D F0           mov ebx,dword ptr ss:[ebp-10]****同样，EBX=1
00471564    .  03DB              add ebx,ebx                  ****EBX=2
00471566    .  4B                dec ebx                      ****EBX=1 （转到原地，干什么呀！）
00471567    .  8D43 01           lea eax,dword ptr ds:[ebx+1] ****地址传送，EAX=2
0047156A    .  D1F8              sar eax,1                    **** 除2,EAX=1
0047156C    .  79 03             jns short DISKdata.00471571
0047156E    .  83D0 00           adc eax,0
00471571    >  99                cdq                          ****双字变四字,相当于，EDX清零
00471572    .  F7FE              idiv esi                     ****idiv,主要是为了取余，第一次，EDX=1 mod B=1
00471574    .  8BC2              mov eax,edx                  ****EAX=EDX
00471576    .  E8 41FFFFFF       call DISKdata.004714BC       ****这个Call会将EAX清零
0047157B    .  F7EE              imul esi                      ****imul esi   即0*9=0
0047157D    .  50                push eax                      ****push压栈
0047157E    .  8D43 01           lea eax,dword ptr ds:[ebx+1]   EAX=2,以下同上
00471581    .  D1F8              sar eax,1
00471583    .  79 03             jns short DISKdata.00471588
00471585    .  83D0 00           adc eax,0
00471588    >  99                cdq
00471589    .  F7FE              idiv esi                 ****EDX=1
0047158B    .  58                pop eax                  ****将刚才Push的值弹出到EAX，记得是Push了一个0
0047158C    .  2BD0              sub edx,eax              ****EDX=EDX-EAX=1-0=1
0047158E    .  52                push edx                 ****再Push
0047158F    .  8D45 DC           lea eax,dword ptr ss:[ebp-24]
00471592    .  B9 CC164700       mov ecx,DISKdata.004716CC
00471597    .  8B55 F8           mov edx,dword ptr ss:[ebp-8]  ****字串DISKdata
0047159A    .  E8 4D29F9FF       call DISKdata.00403EEC        ****还是在它后面加上“－”，这不都重复了吗？
0047159F    .  8B45 DC           mov eax,dword ptr ss:[ebp-24] ***新字串1地址
004715A2    .  5A                pop edx                       ***将前面Push的值1弹出到EDX
004715A3    .  8A4410 FF         mov al,byte ptr ds:[eax+edx-1] ***终于等到ASCII传送，DISKdata- 第一个是D，ASCII码是44
004715A7    .  8845 EF           mov byte ptr ss:[ebp-11],al    ***保存
004715AA    .  BA D0164700       mov edx,DISKdata.004716D0
004715AF    .  8D45 D4           lea eax,dword ptr ss:[ebp-2C]
004715B2    .  E8 7915F9FF       call DISKdata.00402B30
004715B7    .  8D45 D0           lea eax,dword ptr ss:[ebp-30]
004715BA    .  8B55 FC           mov edx,dword ptr ss:[ebp-4]  ****假码1234123412341234563478
004715BD    .  8A541A FF         mov dl,byte ptr ds:[edx+ebx-1]****也是ASCII逐个传送，DL，第一个自然是31(1)
004715C1    .  8850 01           mov byte ptr ds:[eax+1],dl    ***EAX+1地址指向0012F5B1，保存
004715C4    .  C600 01           mov byte ptr ds:[eax],1        ****0012F5B0给一个固定值1
004715C7    .  8D55 D0           lea edx,dword ptr ss:[ebp-30]  ****dword ptr ss:[ebp-30]保存的就是0012F5B0
004715CA    .  8D45 D4           lea eax,dword ptr ss:[ebp-2C]  ****dword ptr ss:[ebp-2C]=0012F5B4
004715CD    .  B1 02             mov cl,2                        ***使CL=2
004715CF    .  E8 2C15F9FF       call DISKdata.00402B00
004715D4    .  8D55 D4           lea edx,dword ptr ss:[ebp-2C]
004715D7    .  8D45 CC           lea eax,dword ptr ss:[ebp-34]
004715DA    .  E8 5115F9FF       call DISKdata.00402B30
004715DF    .  8D45 D0           lea eax,dword ptr ss:[ebp-30]
004715E2    .  8B55 FC           mov edx,dword ptr ss:[ebp-4]
004715E5    .  8A141A            mov dl,byte ptr ds:[edx+ebx]  ****取假码第二位32(2)
004715E8    .  8850 01           mov byte ptr ds:[eax+1],dl
004715EB    .  C600 01           mov byte ptr ds:[eax],1
004715EE    .  8D55 D0           lea edx,dword ptr ss:[ebp-30]
004715F1    .  8D45 CC           lea eax,dword ptr ss:[ebp-34]
004715F4    .  B1 03             mov cl,3
004715F6    .  E8 0515F9FF       call DISKdata.00402B00
004715FB    .  8D55 CC           lea edx,dword ptr ss:[ebp-34]
004715FE    .  8D45 D8           lea eax,dword ptr ss:[ebp-28]
00471601    .  E8 3E28F9FF       call DISKdata.00403E44
00471606    .  8B45 D8           mov eax,dword ptr ss:[ebp-28]
00471609    .  E8 6671F9FF       call DISKdata.00408774       ****以上取假码，两位两位的取，第一次取的12
0047160E    .  8BD0              mov edx,eax
00471610    .  8A45 EF           mov al,byte ptr ss:[ebp-11]  ****新字串DISKdata-第一位D(44)
00471613    .  32D0              xor dl,al                    ****xor  DL xor Al=12 xor 44=56
00471615    .  8D45 E8           lea eax,dword ptr ss:[ebp-18]
00471618    .  E8 AB27F9FF       call DISKdata.00403DC8
0047161D    .  8D45 E4           lea eax,dword ptr ss:[ebp-1C]
00471620    .  8B55 E8           mov edx,dword ptr ss:[ebp-18]
00471623    .  E8 8028F9FF       call DISKdata.00403EA8
00471628    .  FF45 F0           inc dword ptr ss:[ebp-10]
0047162B    .  4F                dec edi                     *********EDI初值是B（假码位数16 div 2=B）
0047162C    .^ 0F85 2FFFFFFF     jnz DISKdata.00471561       **********jnz,循环
*****************************************
这个循环，就是假码两位两位的取，然后与固定字串DISKdata-的ASCII码异或，
也就是说，注册码要18位才对呀！
DISKdata-的ASCII码分别是：44 49 53 4B 64 61 74 61 2D
12 xor 44(D)=56 (V)
34 xor 49(I)=7D (})
12 xor 53(S)=41 (A)
34 xor 4B(K)=7F ()
12 xor 64(d)=76 (v)
34 xor 61(a)=55 (U)
12 xor 74(t)=66 (f)
34 xor 61(a)=55（U)
56 xor 2D(-)=7B（{）
34 xor 44(D)=70（p）
78 xor 49(I)=31（1）

生成了一个新字串2：V}AvUfU{p1    *********长度为0xB

****************************************
00471632    >  8B45 F4           mov eax,dword ptr ss:[ebp-C]
00471635    .  50                push eax
00471636    .  8B45 E4           mov eax,dword ptr ss:[ebp-1C]
00471639    .  E8 6228F9FF       call DISKdata.00403EA0
0047163E    .  8BC8              mov ecx,eax
00471640    .  49                dec ecx
00471641    .  BA 01000000       mov edx,1
00471646    .  8B45 E4           mov eax,dword ptr ss:[ebp-1C]
00471649    .  E8 5A2AF9FF       call DISKdata.004040A8
0047164E    .  8B45 E4           mov eax,dword ptr ss:[ebp-1C]
00471651    .  E8 4A28F9FF       call DISKdata.00403EA0
00471656    .  8B55 E4           mov edx,dword ptr ss:[ebp-1C]
00471659    .  8A5C02 FF         mov bl,byte ptr ds:[edx+eax-1]   新字串2的末位的ASCII码送BL，它是1(31)
0047165D    .  8B45 F4           mov eax,dword ptr ss:[ebp-C]     把一个地址0012F690送到EAX
00471660    .  8B00              mov eax,dword ptr ds:[eax]       把该地址中的数据00DBA278送到EAX
*************************************************
看内存：
00DBA278  V}AvUfU{p      *****这可是我们刚才异或得到的数据呀，不过最后一位被去掉了哟！只保有0xA位。我叫它新字串3
*************************************************
00471662    .  E8 6D000000       call DISKdata.004716D4         ****如此，这里一定要看一下哟*******
00471667    .  3AD8              cmp bl,al                      ****因为这里就比较了，AL=04,BL=31
00471669    .  74 04             je short DISKdata.0047166F      *****应该要相等才成
0047166B    .  33DB              xor ebx,ebx                     ***使EBX等于0
0047166D    .  EB 06             jmp short DISKdata.00471675
0047166F    >  B3 01             mov bl,1                        ****使BL等于1  ，这难道不是在设置标志位吗？
00471671    .  EB 02             jmp short DISKdata.00471675
00471673    >  33DB              xor ebx,ebx
00471675    >  33C0              xor eax,eax
00471677    .  5A                pop edx
00471678    .  59                pop ecx
00471679    .  59                pop ecx
0047167A    .  64:8910           mov dword ptr fs:[eax],edx
0047167D    .  EB 0C             jmp short DISKdata.0047168B
0047167F    .^ E9 801DF9FF       jmp DISKdata.00403404
00471684    .  33DB              xor ebx,ebx
00471686    .  E8 D520F9FF       call DISKdata.00403760
0047168B    >  33C0              xor eax,eax
0047168D    .  5A                pop edx
0047168E    .  59                pop ecx
0047168F    .  59                pop ecx
00471690    .  64:8910           mov dword ptr fs:[eax],edx
00471693    .  68 BA164700       push DISKdata.004716BA                 ;  ASCII "嬅_^[嬪]?
00471698    >  8D45 D8           lea eax,dword ptr ss:[ebp-28]
0047169B    .  BA 05000000       mov edx,5
004716A0    .  E8 9F25F9FF       call DISKdata.00403C44
004716A5    .  8D45 F8           lea eax,dword ptr ss:[ebp-8]
004716A8    .  BA 02000000       mov edx,2
004716AD    .  E8 9225F9FF       call DISKdata.00403C44
004716B2    .  C3                retn

×××00471662    .  E8 6D000000       call DISKdata.004716D4 ****如此，这里一定要看一下哟**××
004716D4   /$  55                push ebp
004716D5   |.  8BEC              mov ebp,esp
004716D7   |.  51                push ecx
004716D8   |.  53                push ebx
004716D9   |.  8945 FC           mov dword ptr ss:[ebp-4],eax  ****新字串2地址保存
004716DC   |.  8B45 FC           mov eax,dword ptr ss:[ebp-4]
004716DF   |.  E8 7029F9FF       call DISKdata.00404054
004716E4   |.  33C0              xor eax,eax
004716E6   |.  55                push ebp
004716E7   |.  68 37174700       push DISKdata.00471737
004716EC   |.  64:FF30           push dword ptr fs:[eax]
004716EF   |.  64:8920           mov dword ptr fs:[eax],esp
004716F2   |.  33DB              xor ebx,ebx                     *****EBX清零。以后要用的
004716F4   |.  8B45 FC           mov eax,dword ptr ss:[ebp-4]
004716F7   |.  E8 A427F9FF       call DISKdata.00403EA0          ****取新字串3的长度8送EAX
004716FC   |.  85C0              test eax,eax
004716FE   |.  7E 21             jle short DISKdata.00471721
00471700   |.  BA 01000000       mov edx,1                       *****EDX=1
00471705   |>  8B4D FC           /mov ecx,dword ptr ss:[ebp-4]    ****新字串2（刚才异或生成的）
00471708   |.  0FB64C11 FF       |movzx ecx,byte ptr ds:[ecx+edx-1] ****很熟悉的ASCII传送，第一位是56(V)
0047170D   |.  81E3 FF000000     |and ebx,0FF                       ***and 取EBX的低八位
00471713   |.  03CB              |add ecx,ebx                       ****Add  两者加起来
00471715   |.  81E1 FF000000     |and ecx,0FF                       ****保留加起来的结果的低八位
0047171B   |.  8BD9              |mov ebx,ecx                       ****保存中间结果到EBX
0047171D   |.  42                |inc edx                           ****EDX++
0047171E   |.  48                |dec eax                          ****EAX++
0047171F   |.^ 75 E4             \jnz short DISKdata.00471705      ****jnz 循环
**********************************************************
总结一下，为了好看：
V}AvUfU{p
56 7D 41 7F 76 55 66 55 7B 70
56+7D+41+7F+76+55+66+55+7B+70=404
保留后两位即04
**********************************************************
00471721   |>  33C0              xor eax,eax
00471723   |.  5A                pop edx
00471724   |.  59                pop ecx
00471725   |.  59                pop ecx
00471726   |.  64:8910           mov dword ptr fs:[eax],edx
00471729   |.  68 3E174700       push DISKdata.0047173E
0047172E   |>  8D45 FC           lea eax,dword ptr ss:[ebp-4]
00471731   |.  E8 EA24F9FF       call DISKdata.00403C20
00471736   \.  C3                retn
00471737    .^\E9 7C1FF9FF       jmp DISKdata.004036B8
0047173C    .^ EB F0             jmp short DISKdata.0047172E
0047173E    .  8BC3              mov eax,ebx                ******** EAX=EBX=04
00471740    .  5B                pop ebx
00471741    .  59                pop ecx
00471742    .  5D                pop ebp
00471743    .  C3                retn
把04返回去，与新字串末位1(31)相比较
可见，以1234123412341234563478为注册码，最后两位应该是：04 xor 49(I)=4D
即：123412341234123456344D

×××××××××××××××××××××××××××××××××××××××××
*****开始效验之一************
……
00402D2E   |> /80FB 61           /cmp bl,61                  **********************$vU因为$（24)je到这里，将v的ASCII与61比较
00402D31   |. |72 03             |jb short DISKdata.00402D36
00402D33   |. |80EB 20           |sub bl,20
00402D36   |> |80EB 30           |sub bl,30                                     ;  Switch (cases 30..46)****sub 20,再sub 30得到26（如果少于61，则只Sub 30）
00402D39   |. |80FB 09           |cmp bl,9                                     *****与9比较***大于9
00402D3C   |. |76 0B             |jbe short DISKdata.00402D49
00402D3E   |. |80EB 11           |sub bl,11                                          再 sub 11得到15
00402D41   |. |80FB 05           |cmp bl,5                                    *****与5比较，大于5
00402D44   |.^|77 D0             |ja short DISKdata.00402D16     ***********不能跳
00402D46   |. |80C3 0A           |add bl,0A             *******否则Add A        ;  Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 00402D36
00402D49   |> |39F8              |cmp eax,edi           *******再Cmp EAX,Edi    ;  Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 00402D36
00402D4B   |.^|77 C9             |ja short DISKdata.00402D16  **************不能跳
00402D4D   |. |C1E0 04           |shl eax,4                    *****都没有跳，就Shl EAX,4  ,清了EAX
00402D50   |. |01D8              |add eax,ebx                   *****ADD ，累加
00402D52   |. |8A1E              |mov bl,byte ptr ds:[esi]     *****取下一位U
00402D54   |. |46                |inc esi
00402D55   |. |84DB              |test bl,bl
00402D57   |.^\75 D5             \jnz short DISKdata.00402D2E   *****循环
00402D59   \.^ EB A9             jmp short DISKdata.00402D04    ****强行跳
00402D5B    .  C3                retn

……
总结一下：
新字串3
V}AvUfU{p
的第五，六位要满足条件，才行：

ASCII码与61(a)相比，如果少于61则Sub 30，否则Sub 50之后要少于或等于9
或者Sub 50，再Sub 11之后，不能大于5，这时，再Add A
结果先SHl，然后累加！
也就是说，第五，第六位的ASCII码不大于59时，直接作为结果累加

就假定为61吧：
那么有：
61(a) xor 64=05
61(a) xor 61=00
制作一个合格的注册码：
12341234050012345634B2 （试验码2）相应的新字串3就是：V}AaafU{p

1234123453233456AE     （试验码3）
××××××××××××××××××××××××××××××××××××××××××
××××××××××××××××××××××××××××××××××××××××××
开始处理注册名：将注册名大写化

004083D9   |.  E8 C2BAFFFF       call DISKdata.00403EA0   ×××取注册名长度5送EAX
004083DE   |.  8BD8              mov ebx,eax
004083E0   |.  8BC7              mov eax,edi
004083E2   |.  8BD3              mov edx,ebx
004083E4   |.  E8 EBBDFFFF       call DISKdata.004041D4
004083E9   |.  8BD6              mov edx,esi
004083EB   |.  8B37              mov esi,dword ptr ds:[edi]
004083ED   |.  85DB              test ebx,ebx
004083EF   |.  74 15             je short DISKdata.00408406
004083F1   |>  8A02              /mov al,byte ptr ds:[edx]   ×××注册名ASCII依次送AL，第一位是77(w)
004083F3   |.  3C 61             |cmp al,61
004083F5   |.  72 06             |jb short DISKdata.004083FD
004083F7   |.  3C 7A             |cmp al,7A
004083F9   |.  77 02             |ja short DISKdata.004083FD
004083FB   |.  2C 20             |sub al,20                 ××××典型的大写化
004083FD   |>  8806              |mov byte ptr ds:[esi],al
004083FF   |.  42                |inc edx                 ×××EDX++    指向下一个注册名
00408400   |.  46                |inc esi
00408401   |.  4B                |dec ebx                 ×××EBX--    EBX初值是注册名长度，控制循环
00408402   |.  85DB              |test ebx,ebx
00408404   |.^ 75 EB             \jnz short DISKdata.004083F1 ×××很明显，这是一个大写化的程序，将注册名大写化
00408406   |>  5F                pop edi
00408407   |.  5E                pop esi
00408408   |.  5B                pop ebx
00408409   \.  C3                retn
××××××××××××处理注册名之二，得到累加值7B送EAX×××××××××
×××004911D9    .  E8 F604FEFF       call DISKdata.004716D4×××××××
……
004716F2   |.  33DB              xor ebx,ebx              ×××EBX清零
004716F4   |.  8B45 FC           mov eax,dword ptr ss:[ebp-4]
004716F7   |.  E8 A427F9FF       call DISKdata.00403EA0
004716FC   |.  85C0              test eax,eax
004716FE   |.  7E 21             jle short DISKdata.00471721
00471700   |.  BA 01000000       mov edx,1                  ×××EDX=1
00471705   |>  8B4D FC           /mov ecx,dword ptr ss:[ebp-4]  ×××大写化后的注册名：WOFAN
00471708   |.  0FB64C11 FF       |movzx ecx,byte ptr ds:[ecx+edx-1] ×××ASCII码逐位送ECX
0047170D   |.  81E3 FF000000     |and ebx,0FF                      ×××and ,保留低八位
00471713   |.  03CB              |add ecx,ebx                      ×××ADD，累加
00471715   |.  81E1 FF000000     |and ecx,0FF                      ×××依然保留低八位
0047171B   |.  8BD9              |mov ebx,ecx                      ×××复制，用作累加的中间数
0047171D   |.  42                |inc edx                          ×××EDX++
0047171E   |.  48                |dec eax                          ×××EAX--
0047171F   |.^ 75 E4             \jnz short DISKdata.00471705

WOFAN
57+4F+41+46+4E＝17B
即使EBX=7B
…

××××××××××××××××××××××××××××××××××××××××××

*****开始效验之二（效验注册码的位数是26位），不成功会返回：“''is not a valid integer value”*******

004040A5       8D40 00           lea eax,dword ptr ds:[eax]
004040A8   /$  53                push ebx
004040A9   |.  85C0              test eax,eax                 ****EAX保存新字串3的地址
004040AB   |.  74 2D             je short DISKdata.004040DA    ****跳到004040DA就玩完！
004040AD   |.  8B58 FC           mov ebx,dword ptr ds:[eax-4]   ***EBX=A  (新字串3的长度)
004040B0   |.  85DB              test ebx,ebx
004040B2   |.  74 26             je short DISKdata.004040DA
004040B4   |.  4A                dec edx                         ****EDX=B-1=A
004040B5   |.  7C 1B             jl short DISKdata.004040D2
004040B7   |.  39DA              cmp edx,ebx                     ****cmp，所以新字串3要大于0xA
004040B9   |.  7D 1F             jge short DISKdata.004040DA     ****大于或等于就跳，一跳就完
004040BB   |>  29D3              sub ebx,edx                    ****要少多少呢？Sub一下
004040BD   |.  85C9              test ecx,ecx                   ****ECX=2
004040BF   |.  7C 19             jl short DISKdata.004040DA
004040C1   |.  39D9              cmp ecx,ebx                    ***Sub之后，与ECX＝2相比
004040C3   |.  7F 11             jg short DISKdata.004040D6     ****Sub之后，如果EBX=1，就跳走到004040D6，初步看来，注册码应该是26位（会得到新字串3的位数是0xC位）才对！
004040C5   |>  01C2              add edx,eax                    ****否则Add，EAX中保留新字串3的地址
004040C7   |.  8B4424 08         mov eax,dword ptr ss:[esp+8]
004040CB   |.  E8 38FCFFFF       call DISKdata.00403D08         ****取得新字串的最后两位
004040D0   |.  EB 11             jmp short DISKdata.004040E3
004040D2   |>  31D2              xor edx,edx
004040D4   |.^ EB E5             jmp short DISKdata.004040BB
004040D6   |>  89D9              mov ecx,ebx
004040D8   |.^ EB EB             jmp short DISKdata.004040C5
004040DA   |>  8B4424 08         mov eax,dword ptr ss:[esp+8]
004040DE   |.  E8 3DFBFFFF       call DISKdata.00403C20
004040E3   |>  5B                pop ebx
004040E4   \.  C2 0400           retn 4
×××××××××××××××××××××××××××××××××××××××××××××××××××××

×××××××××××××看看末两位是否合法×××××××××××××××××××××××
……
试验码四所得到的新字串3的末两位：}g
(})7D  (g)67

00402CE2   |>  80EB 30           /sub bl,30                  ****(BL=7D)   7D-30=4D
00402CE5   |. |80FB 09           |cmp bl,9                   *****与9相比较，
00402CE8   |. |77 2C             |ja short DISKdata.00402D16 *****大于9就玩蛋！
00402CEA   |. |39F8              |cmp eax,edi
00402CEC   |. |77 28             |ja short DISKdata.00402D16
00402CEE   |. |8D0480            |lea eax,dword ptr ds:[eax+eax*4] ***EAX=EAX*5
00402CF1   |. |01C0              |add eax,eax                      ***EAX=EAX*2
00402CF3   |. |01D8              |add eax,ebx               *****否则就累加
00402CF5   |. |8A1E              |mov bl,byte ptr ds:[esi]
00402CF7   |. |46                |inc esi
00402CF8   |. |84DB              |test bl,bl
00402CFA   |.^\75 E6             \jnz short DISKdata.00402CE2

……
可见末两位只能是数字！！！
当然，}g都不是合法，修改Z标志，看下结果：
（（7D-30）*A）＋（67-30）＝339

×××××××××××××××××××××××××××××××××××××××××××××

××××××××××××处理字串：20××××××
……
00402CE2   |>  80EB 30           /sub bl,30
00402CE5   |. |80FB 09           |cmp bl,9
00402CE8   |. |77 2C             |ja short DISKdata.00402D16
00402CEA   |. |39F8              |cmp eax,edi
00402CEC   |. |77 28             |ja short DISKdata.00402D16
00402CEE   |. |8D0480            |lea eax,dword ptr ds:[eax+eax*4]
00402CF1   |. |01C0              |add eax,eax
00402CF3   |. |01D8              |add eax,ebx
00402CF5   |. |8A1E              |mov bl,byte ptr ds:[esi]
00402CF7   |. |46                |inc esi
00402CF8   |. |84DB              |test bl,bl
00402CFA   |.^\75 E6             \jnz short DISKdata.00402CE2
……
取20的十六进制形式：14
×××××××××××××××××××××××××××××××××××××××××
验证14,B是否合法，不合法就玩完，弹出：Invalid argument to date encode ×××
……
004096B9   |.  66:8B45 FE        mov ax,word ptr ss:[ebp-2]   ****AX=14
004096BD   |.  E8 A6FFFFFF       call DISKdata.00409668
004096C2   |.  83E0 7F           and eax,7F                *********EAX=1 and 7F=1
004096C5   |.  8D0440            lea eax,dword ptr ds:[eax+eax*2]  ****EAX=1*3=3
004096C8   |.  8D34C5 34214900   lea esi,dword ptr ds:[eax*8+492134]***传一个地址：eax*8+492134＝49214C
**********************************************
看内存：
0049214C  1F 00 1D 00 1F 00 1E 00  ....
00492154  1F 00 1E 00 1F 00 1F 00  ....
0049215C  1E 00 1F 00 1E 00 1F 00  ....

**********************************************
004096CF   |.  66:837D FE 01     cmp word ptr ss:[ebp-2],1  ****word ptr ss:[ebp-2]=14
004096D4   |.  0F82 86000000     jb DISKdata.00409760        ****一跳就玩完
004096DA   |.  66:817D FE 0F27   cmp word ptr ss:[ebp-2],270F****word ptr ss:[ebp-2]=14
004096E0   |.  77 7E             ja short DISKdata.00409760
004096E2   |.  66:83FF 01        cmp di,1                    ***Di=B
004096E6   |.  72 78             jb short DISKdata.00409760
004096E8   |.  66:83FF 0C        cmp di,0C                    ****di>0xC 就完了！！！*能通过的就只有1,2,3……A,B,C***
004096EC   |.  77 72             ja short DISKdata.00409760
004096EE   |.  66:83FB 01        cmp bx,1                      ***BX=1
004096F2   |.  72 6C             jb short DISKdata.00409760
004096F4   |.  0FB7C7            movzx eax,di                    ****EAX=di=B   (11的十六进制形式）
004096F7   |.  66:3B5C46 FE      cmp bx,word ptr ds:[esi+eax*2-2]****word ptr ds:[esi+eax*2-2]=1E
004096FC   |.  77 62             ja short DISKdata.00409760
004096FE   |.  0FB7C7            movzx eax,di                    ****EAX=di=B
00409701   |.  48                dec eax                         ****EAX=B-1=A
00409702   |.  85C0              test eax,eax                    *****测试一下，当di=1时，直接到00409714
00409704   |.  7E 0E             jle short DISKdata.00409714
00409706   |.  B9 01000000       mov ecx,1                        *****ECX=1
0040970B   |>  66:035C4E FE      /add bx,word ptr ds:[esi+ecx*2-2]*****word ptr ds:[esi+ecx*2-2]=1F  ,BX初值是1
00409710   |.  41                |inc ecx
00409711   |.  48                |dec eax                         ****EAX初值为B
00409712   |.^ 75 F7             \jnz short DISKdata.0040970B       *********这个循环，累加，因为EAX=B，得到BX=132
***************************************************
1+1F+1D+1F+1E+1F+1E+1F+1F+1E+1F ＝132     从地址所指内存中取十个数相加得到132

***************************************************
00409714   |>  0FB74D FE         movzx ecx,word ptr ss:[ebp-2] ****ECX=14
00409718   |.  49                dec ecx                       ****ECX=14-1=13
00409719   |.  8BC1              mov eax,ecx
0040971B   |.  BE 64000000       mov esi,64                     ***ECX=64
00409720   |.  99                cdq
00409721   |.  F7FE              idiv esi                  ****EAX idiv ESi＝13 idiv 64=0----13
00409723   |.  69F1 6D010000     imul esi,ecx,16D          *****ESI=ECX imul 16D=13 * 16D=1B17
00409729   |.  8BD1              mov edx,ecx
0040972B   |.  85D2              test edx,edx
0040972D   |.  79 03             jns short DISKdata.00409732
0040972F   |.  83C2 03           add edx,3
00409732   |>  C1FA 02           sar edx,2             ****EDX sar 2=13 sar 2=4
00409735   |.  03F2              add esi,edx           ****ESI=1B17+4=1B1B
00409737   |.  2BF0              sub esi,eax
00409739   |.  8BC1              mov eax,ecx           ***EAX=ECX=13
0040973B   |.  B9 90010000       mov ecx,190           ****ECX=190
00409740   |.  99                cdq
00409741   |.  F7F9              idiv ecx              ****idiv 使EAX=0,EDX=13
00409743   |.  03F0              add esi,eax
00409745   |.  0FB7C3            movzx eax,bx        ****EAX=BX=132    （EBX=DB0132）
00409748   |.  03F0              add esi,eax         ****ADD ESI=1B1B+132=1C4D
0040974A   |.  81EE 5A950A00     sub esi,0A955A      ****Sub  ESi=FFF586F3
00409750   |.  8975 F8           mov dword ptr ss:[ebp-8],esi
00409753   |.  DB45 F8           fild dword ptr ss:[ebp-8] ***浮点运算，装入整数
************************************

Stack ss:[0012F5A8]=FFF586F3 (十进制 -686349.)

************************************
00409756   |.  8B45 08           mov eax,dword ptr ss:[ebp+8]
00409759   |.  DD18              fstp qword ptr ds:[eax]
*************************************
st=-686349.00000000000000              ****************返回去与一个固定数38505去比较！！！
Stack ds:[0012F5D8]=1.486724818696458e-304
************************************
0040975B   |.  9B                wait
0040975C   |.  C645 FD 01        mov byte ptr ss:[ebp-3],1
00409760   |>  8A45 FD           mov al,byte ptr ss:[ebp-3]
00409763   |.  5F                pop edi
00409764   |.  5E                pop esi
00409765   |.  5B                pop ebx
00409766   |.  59                pop ecx
00409767   |.  59                pop ecx
00409768   |.  5D                pop ebp
00409769   \.  C2 0400           retn 4

那好，通过这一段，来逆向一下：
38505的十六进制是9669
ESI=9669＋0A955A=B2BC3
ESI=B2BC3－1B1B=B10A8
无法得到所要的数值！！！！！！！
我的天呀！

××××××××××××××××××××××××××××××××××××××××

结语：
将下面一行Nop掉！！！！
00491336    .  0F83 F5010000     jnb DISKdata.00491531

一个注册码，就是试验码七啦！
注册名：wofan
注册码：1306120553234D58147D7861BE

这也行，那就是鬼来了！看来是跟到了假比较中去了！！！！可是为什么又接受了Click事件呢？？？？
难道是重启验证？？？？？

    by wofan[OCN][PYG]
传言说：西有张家界，东有酒埠江，我就在酒仙湖身旁！