【破文标题】:佳宜客户管理软件 V1.15 注册算法分析

【破文作者】:KuNgBiM[DFCG]

【作者邮箱】:gb_1227@163.com

【软件名称】:佳宜客户管理软件 V1.15

【保护方式】:启动NAG + 注册码 + 试用时间45天 + 部分功能限制

【编译语言】:Borland Delphi 6.0 - 7.0

—————————————————————————————————
【破解过程】:

****** 试炼信息 ******

用户名称:KuNgBiM
产品编号:3HSCCTSM
授权编号:78787878

**********************

// JyCrm.005E2FC0 -- handler behind the registration dialog (debugger listing: address, bytes, instruction).
// Visible flow: read the user-name and authorization-code fields and reject empty ones, obtain the
// expected code from PunUnitLib.GetRegPass, compare it with the entered text, then either store
// UserName / SignCode / RegCode in the registry or show the failure message.
// NOTE(review): roles given for JyCrm.004xxxxx helpers are inferred from how their arguments and
// results are used in this listing -- confirm against the binary.
005E2FC0    55              push ebp
005E2FC1    8BEC            mov ebp,esp
005E2FC3    B9 06000000     mov ecx,6                                //loop counter for the local-slot initialisation below (not a "system check")
005E2FC8    6A 00           push 0
005E2FCA    6A 00           push 0
005E2FCC    49              dec ecx
005E2FCD  ^ 75 F9           jnz short JyCrm.005E2FC8                 //6 iterations x 2 pushes = 12 zeroed dwords
005E2FCF    51              push ecx                                 //ecx is 0 here: 13th zeroed slot, covering locals [ebp-4]..[ebp-34]
005E2FD0    53              push ebx
005E2FD1    56              push esi
005E2FD2    57              push edi
005E2FD3    8945 FC         mov dword ptr ss:[ebp-4],eax             //keep the incoming eax; presumably the form's Self pointer -- TODO confirm
005E2FD6    33C0            xor eax,eax
005E2FD8    55              push ebp
005E2FD9    68 3E325E00     push JyCrm.005E323E                      //exception handler address for this function
005E2FDE    64:FF30         push dword ptr fs:[eax]
005E2FE1    64:8920         mov dword ptr fs:[eax],esp               //link the new exception frame at fs:[0]
005E2FE4    8D55 F0         lea edx,dword ptr ss:[ebp-10]
005E2FE7    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E2FEA    8B80 04030000   mov eax,dword ptr ds:[eax+304]
005E2FF0    E8 0BBFE6FF     call JyCrm.0044EF00                      //read the user-name field (object at offset 304) into [ebp-10]
005E2FF5    8B45 F0         mov eax,dword ptr ss:[ebp-10]            //ASCII "KuNgBiM"
005E2FF8    8D55 F4         lea edx,dword ptr ss:[ebp-C]
005E2FFB    E8 D067E2FF     call JyCrm.004097D0                      //author: "length of the user name"; the result is written to [ebp-C] -- presumably a trimmed copy, TODO confirm
005E3000    837D F4 00      cmp dword ptr ss:[ebp-C],0               //is the result 0 (field empty)?
005E3004    75 22           jnz short JyCrm.005E3028                 //taken when the field is not empty
005E3006    6A 00           push 0
005E3008    68 4C325E00     push JyCrm.005E324C                      //ASCII "请填写用户名称!" ("Please enter a user name!")
005E300D    E8 9213FFFF     call <jmp.&PunUnitLib.ShowMess>
005E3012    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E3015    8B80 04030000   mov eax,dword ptr ds:[eax+304]
005E301B    8B10            mov edx,dword ptr ds:[eax]
005E301D    FF92 C0000000   call dword ptr ds:[edx+C0]               //virtual call on the user-name control; presumably gives it focus -- TODO confirm
005E3023    E9 B1010000     jmp JyCrm.005E31D9                       //leave through the common exit
005E3028    8D55 E8         lea edx,dword ptr ss:[ebp-18]
005E302B    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E302E    8B80 FC020000   mov eax,dword ptr ds:[eax+2FC]
005E3034    E8 C7BEE6FF     call JyCrm.0044EF00                      //read the authorization-code field (object at offset 2FC) into [ebp-18]
005E3039    8B45 E8         mov eax,dword ptr ss:[ebp-18]            //ASCII "78787878"
005E303C    8D55 EC         lea edx,dword ptr ss:[ebp-14]
005E303F    E8 8C67E2FF     call JyCrm.004097D0                      //same helper as at 005E2FFB; result written to [ebp-14]
005E3044    837D EC 00      cmp dword ptr ss:[ebp-14],0              //is the result 0 (field empty)?
005E3048    75 22           jnz short JyCrm.005E306C                 //taken when the field is not empty
005E304A    6A 00           push 0
005E304C    68 60325E00     push JyCrm.005E3260                      //ASCII "授权号不能为空,请填写授权号!" ("The authorization number must not be empty")
005E3051    E8 4E13FFFF     call <jmp.&PunUnitLib.ShowMess>
005E3056    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E3059    8B80 FC020000   mov eax,dword ptr ds:[eax+2FC]
005E305F    8B10            mov edx,dword ptr ds:[eax]
005E3061    FF92 C0000000   call dword ptr ds:[edx+C0]               //same virtual call as at 005E301D, on the authorization-code control
005E3067    E9 6D010000     jmp JyCrm.005E31D9                       //leave through the common exit
005E306C    A1 2CB56100     mov eax,dword ptr ds:[61B52C]            //load a global pointer
005E3071    8B00            mov eax,dword ptr ds:[eax]               //dereference it: the fixed string, ASCII "C56D-Q638"
005E3073    E8 0820E2FF     call JyCrm.00405080                      //presumably converts the string to a PChar for the DLL call -- TODO confirm
005E3078    50              push eax                                 //pushed first: the argument GetRegPass reads at [ebp+C], ASCII "C56D-Q638"
005E3079    8D55 E4         lea edx,dword ptr ss:[ebp-1C]            //edx = address of the local that receives the product ID (nothing is cleared here)
005E307C    8B45 FC         mov eax,dword ptr ss:[ebp-4]             //reload the pointer saved at 005E2FD3
005E307F    8B80 F4020000   mov eax,dword ptr ds:[eax+2F4]
005E3085    E8 76BEE6FF     call JyCrm.0044EF00                      //read the product-ID field (object at offset 2F4) into [ebp-1C]
005E308A    8B45 E4         mov eax,dword ptr ss:[ebp-1C]            //ASCII "3HSCCTSM"
005E308D    E8 EE1FE2FF     call JyCrm.00405080
005E3092    50              push eax                                 //pushed second: the argument GetRegPass reads at [ebp+8], the product ID
005E3093    E8 3C13FFFF     call <jmp.&PunUnitLib.GetRegPass>        //the expected code is computed locally inside PunUnitLib.dll (the author steps in here)
005E3098    8BD0            mov edx,eax                              //eax = pointer to the expected code, ASCII "C56D-D435-Q638-4534"
005E309A    8D45 F8         lea eax,dword ptr ss:[ebp-8]             //eax = address of the local that will hold the expected code
005E309D    E8 1E1DE2FF     call JyCrm.00404DC0                      //author: "length of the real code"; [ebp-8] is read back as the code at 005E30C1, so this presumably copies the string -- TODO confirm
005E30A2    8D55 DC         lea edx,dword ptr ss:[ebp-24]            //author's note: ASCII "C56D-D435-Q638-4534", edx=12 (hex)
005E30A5    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E30A8    8B80 FC020000   mov eax,dword ptr ds:[eax+2FC]
005E30AE    E8 4DBEE6FF     call JyCrm.0044EF00                      //reads the authorization-code field again (same call as at 005E3034) into [ebp-24]
005E30B3    8B45 DC         mov eax,dword ptr ss:[ebp-24]            //ASCII "78787878", author's note: eax=8 (hex)
005E30B6    8D55 E0         lea edx,dword ptr ss:[ebp-20]
005E30B9    E8 1267E2FF     call JyCrm.004097D0                      //same helper as at 005E2FFB; result written to [ebp-20]
005E30BE    8B45 E0         mov eax,dword ptr ss:[ebp-20]            //eax = entered code, ASCII "78787878"
005E30C1    8B55 F8         mov edx,dword ptr ss:[ebp-8]             //edx = expected code, ASCII "C56D-D435-Q638-4534"
005E30C4    E8 031FE2FF     call JyCrm.00404FCC                      //author: the key call -- plain comparison of the entered and the expected string
005E30C9    0F85 FE000000   jnz JyCrm.005E31CD                       //not equal -> failure message (author marks this as the patch point); NOTE(review): the whole licence decision rests on this one branch
005E30CF    33C0            xor eax,eax
005E30D1    55              push ebp
005E30D2    68 B9315E00     push JyCrm.005E31B9                      //handler address for a second, inner exception frame
005E30D7    64:FF30         push dword ptr fs:[eax]
005E30DA    64:8920         mov dword ptr fs:[eax],esp
005E30DD    B2 01           mov dl,1
005E30DF    A1 9C2E4700     mov eax,dword ptr ds:[472E9C]
005E30E4    E8 1FFFE8FF     call JyCrm.00473008                      //presumably constructs the registry object used below -- TODO confirm
005E30E9    8BD8            mov ebx,eax                              //ebx = that object for the rest of the success path
005E30EB    BA 02000080     mov edx,80000002                         //0x80000002 = HKEY_LOCAL_MACHINE
005E30F0    8BC3            mov eax,ebx
005E30F2    E8 EDFFE8FF     call JyCrm.004730E4                      //presumably selects that root key -- TODO confirm
005E30F7    B1 01           mov cl,1
005E30F9    8B15 A8A96100   mov edx,dword ptr ds:[61A9A8]           //ASCII "software\jycrm\crm"
                                                                    //registry location where the registration data is stored
005E30FF    8BC3            mov eax,ebx
005E3101    E8 2201E9FF     call JyCrm.00473228                      //presumably opens that key, creating it when cl=1 -- TODO confirm
005E3106    8D55 D8         lea edx,dword ptr ss:[ebp-28]
005E3109    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E310C    8B80 04030000   mov eax,dword ptr ds:[eax+304]
005E3112    E8 E9BDE6FF     call JyCrm.0044EF00                      //read the user-name field into [ebp-28]
005E3117    8B4D D8         mov ecx,dword ptr ss:[ebp-28]
005E311A    BA 88325E00     mov edx,JyCrm.005E3288                  //ASCII "UserName"
                                                                    //registry value holding the user name
005E311F    8BC3            mov eax,ebx
005E3121    E8 9E02E9FF     call JyCrm.004733C4                      //presumably writes value name (edx) and data (ecx) -- TODO confirm
005E3126    8D55 D0         lea edx,dword ptr ss:[ebp-30]
005E3129    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E312C    8B80 F4020000   mov eax,dword ptr ds:[eax+2F4]
005E3132    E8 C9BDE6FF     call JyCrm.0044EF00                      //read the product-ID field into [ebp-30]
005E3137    8B45 D0         mov eax,dword ptr ss:[ebp-30]
005E313A    E8 411FE2FF     call JyCrm.00405080
005E313F    50              push eax
005E3140    E8 8712FFFF     call <jmp.&PunUnitLib.SavePass>          //DLL export applied to the product ID before it is stored; its transformation is not shown on this page
005E3145    8BD0            mov edx,eax
005E3147    8D45 D4         lea eax,dword ptr ss:[ebp-2C]
005E314A    E8 711CE2FF     call JyCrm.00404DC0                      //keep the SavePass result in [ebp-2C]
005E314F    8B4D D4         mov ecx,dword ptr ss:[ebp-2C]
005E3152    BA 9C325E00     mov edx,JyCrm.005E329C                  //ASCII "SignCode"
                                                                    //registry value for the product ID (author's note: hard-disk number)
005E3157    8BC3            mov eax,ebx
005E3159    E8 6602E9FF     call JyCrm.004733C4
005E315E    8B45 F8         mov eax,dword ptr ss:[ebp-8]             //the expected code obtained from GetRegPass
005E3161    E8 1A1FE2FF     call JyCrm.00405080
005E3166    50              push eax
005E3167    E8 6012FFFF     call <jmp.&PunUnitLib.SavePass>
005E316C    8BD0            mov edx,eax
005E316E    8D45 CC         lea eax,dword ptr ss:[ebp-34]
005E3171    E8 4A1CE2FF     call JyCrm.00404DC0                      //keep the SavePass result in [ebp-34]
005E3176    8B4D CC         mov ecx,dword ptr ss:[ebp-34]
005E3179    BA B0325E00     mov edx,JyCrm.005E32B0                  //ASCII "RegCode"
                                                                    //registry value for the authorization number (registration code)
005E317E    8BC3            mov eax,ebx
005E3180    E8 3F02E9FF     call JyCrm.004733C4
005E3185    8BC3            mov eax,ebx
005E3187    E8 500BE2FF     call JyCrm.00403CDC                      //presumably releases the registry object -- TODO confirm
005E318C    6A 00           push 0
005E318E    68 B8325E00     push JyCrm.005E32B8                     //ASCII "系统注册成功,欢迎你使用本软件!" ("Registration succeeded, welcome to the software!")
005E3193    E8 0C12FFFF     call <jmp.&PunUnitLib.ShowMess>
005E3198    A1 28B56100     mov eax,dword ptr ds:[61B528]
005E319D    C700 02000000   mov dword ptr ds:[eax],2                 //store 2 through the global pointer at 61B528; presumably a licence-state flag -- TODO confirm
005E31A3    A1 F0B26100     mov eax,dword ptr ds:[61B2F0]
005E31A8    8B00            mov eax,dword ptr ds:[eax]
005E31AA    E8 C5D8E8FF     call JyCrm.00470A74
005E31AF    33C0            xor eax,eax
005E31B1    5A              pop edx
005E31B2    59              pop ecx
005E31B3    59              pop ecx
005E31B4    64:8910         mov dword ptr fs:[eax],edx               //unlink the inner exception frame
005E31B7    EB 20           jmp short JyCrm.005E31D9
005E31B9  ^ E9 FE0FE2FF     jmp JyCrm.004041BC                       //exception path of the frame installed at 005E30D2
005E31BE    8B45 FC         mov eax,dword ptr ss:[ebp-4]
005E31C1    E8 FE9FE8FF     call JyCrm.0046D1C4
005E31C6    E8 1D14E2FF     call JyCrm.004045E8
005E31CB    EB 0C           jmp short JyCrm.005E31D9
005E31CD    6A 03           push 3
005E31CF    68 DC325E00     push JyCrm.005E32DC                     //ASCII "系统注册失败,请检查注册是否有误!" ("Registration failed, please check the registration data!")
005E31D4    E8 CB11FFFF     call <jmp.&PunUnitLib.ShowMess>
005E31D9    33C0            xor eax,eax                              //common exit for all paths
005E31DB    5A              pop edx
005E31DC    59              pop ecx
005E31DD    59              pop ecx
005E31DE    64:8910         mov dword ptr fs:[eax],edx               //unlink the outer exception frame
005E31E1    68 45325E00     push JyCrm.005E3245                      //the retn at 005E323D continues at this address (epilogue)
005E31E6    8D45 CC         lea eax,dword ptr ss:[ebp-34]
005E31E9    E8 E219E2FF     call JyCrm.00404BD0                      //presumably releases one string local; repeated below for each local -- TODO confirm
005E31EE    8D45 D0         lea eax,dword ptr ss:[ebp-30]
005E31F1    E8 DA19E2FF     call JyCrm.00404BD0
005E31F6    8D45 D4         lea eax,dword ptr ss:[ebp-2C]
005E31F9    E8 D219E2FF     call JyCrm.00404BD0
005E31FE    8D45 D8         lea eax,dword ptr ss:[ebp-28]
005E3201    BA 02000000     mov edx,2
005E3206    E8 E919E2FF     call JyCrm.00404BF4                      //presumably releases edx=2 consecutive locals starting at eax -- TODO confirm
005E320B    8D45 E0         lea eax,dword ptr ss:[ebp-20]
005E320E    E8 BD19E2FF     call JyCrm.00404BD0
005E3213    8D45 E4         lea eax,dword ptr ss:[ebp-1C]
005E3216    BA 02000000     mov edx,2
005E321B    E8 D419E2FF     call JyCrm.00404BF4
005E3220    8D45 EC         lea eax,dword ptr ss:[ebp-14]
005E3223    E8 A819E2FF     call JyCrm.00404BD0
005E3228    8D45 F0         lea eax,dword ptr ss:[ebp-10]
005E322B    E8 A019E2FF     call JyCrm.00404BD0
005E3230    8D45 F4         lea eax,dword ptr ss:[ebp-C]
005E3233    BA 02000000     mov edx,2
005E3238    E8 B719E2FF     call JyCrm.00404BF4
005E323D    C3              retn                                     //returns to 005E3245, the address pushed at 005E31E1
005E323E  ^ E9 2D12E2FF     jmp JyCrm.00404470                       //exception handler registered at 005E2FD9
005E3243  ^ EB A1           jmp short JyCrm.005E31E6                 //re-enter the clean-up sequence
005E3245    5F              pop edi
005E3246    5E              pop esi
005E3247    5B              pop ebx
005E3248    8BE5            mov esp,ebp
005E324A    5D              pop ebp
005E324B    C3              retn

================= 跟进:005E3093    E8 3C13FFFF     call <jmp.&PunUnitLib.GetRegPass> =================

// Import thunk in JyCrm: a single indirect jump through the import-table entry for PunUnitLib.GetRegPass.
// NOTE(review): everything from 005D43DC on is very likely data that the debugger decoded as
// instructions, not code that runs -- see the notes on the individual lines.
005D43D4  - FF25 48FB6100   jmp dword ptr ds:[<&PunUnitLib.GetRegPass>]         //jump to the DLL export (the author steps in here with F8)
005D43DA    8BC0            mov eax,eax                                         //two-byte no-op after the thunk
005D43DC    FFFF            ???                                                 ; unknown command (debugger could not decode these bytes)
005D43DE    FFFF            ???                                                 ; unknown command; FFFF FFFF presumably is a dword 0xFFFFFFFF -- TODO confirm
005D43E0    0C 00           or al,0                                             //bytes 0C 00 00 00 across this and the next line: presumably a length dword of 0x0C -- TODO confirm
005D43E2    0000            add byte ptr ds:[eax],al
005D43E4    CE              into                                                //bytes CE F7 B0 B2 BC D1 D2 CB from here on look like double-byte (GBK) text, i.e. a string constant -- TODO confirm
005D43E5    F7B0 B2BCD1D2   div dword ptr ds:[eax+D2D1BCB2]
005D43EB    CB              retf

=========== 跟进:005D43D4  - FF25 48FB6100   jmp dword ptr ds:[<&PunUnitLib.GetRegPass>] ===========

// PunUnitLib.GetRegPass -- builds the expected registration code (debugger listing: address, bytes, instruction).
// Inputs are the two stack arguments: [ebp+8] = product ID, [ebp+C] = fixed string "C56D-Q638".
// Visible steps: hex-encode every character of the product ID, reverse that hex string, cut two
// 4-character pieces from it, cut two pieces from the fixed string, join six pieces and return a pointer.
// NOTE(review): the result depends only on the product ID and a constant supplied by the caller; no
// secret or signature takes part in it. Roles given for PunUnitL.0037xxxx helpers are inferred from
// their arguments and results in this listing -- confirm against the binary.
003E9024 >  55              push ebp
003E9025    8BEC            mov ebp,esp
003E9027    B9 06000000     mov ecx,6                                //loop counter for the local-slot initialisation below (not a check of the registration fields)
003E902C    6A 00           push 0
003E902E    6A 00           push 0
003E9030    49              dec ecx
003E9031  ^ 75 F9           jnz short PunUnitL.003E902C              //6 iterations x 2 pushes = 12 zeroed dwords, covering locals [ebp-4]..[ebp-30]
003E9033    53              push ebx
003E9034    56              push esi
003E9035    33C0            xor eax,eax                              //eax = 0
003E9037    55              push ebp
003E9038    68 F2913E00     push PunUnitL.003E91F2                   //exception handler address for this function
003E903D    64:FF30         push dword ptr fs:[eax]
003E9040    64:8920         mov dword ptr fs:[eax],esp               //link the new exception frame at fs:[0]
003E9043    8D45 EC         lea eax,dword ptr ss:[ebp-14]
003E9046    E8 65B5F8FF     call PunUnitL.003745B0                   //author's note: get product ID, ASCII "3HSCCTSM"; only the address of [ebp-14] is passed, so this presumably just clears that local -- TODO confirm
003E904B    8D45 F0         lea eax,dword ptr ss:[ebp-10]
003E904E    8B55 08         mov edx,dword ptr ss:[ebp+8]             //first argument: the product ID
003E9051    E8 4AB7F8FF     call PunUnitL.003747A0                   //presumably copies the argument into the local string [ebp-10] -- TODO confirm
003E9056    8B45 F0         mov eax,dword ptr ss:[ebp-10]            //eax = product ID, ready for processing
003E9059    E8 0AB8F8FF     call PunUnitL.00374868                   //returns the string length (see next line)
003E905E    8BF0            mov esi,eax                              //esi = length of the product ID, EAX=8 in the author's run
003E9060    85F6            test esi,esi                             //author: is the length valid?
003E9062    7E 26           jle short PunUnitL.003E908A              //skip the loop when the length is <= 0
003E9064    BB 01000000     mov ebx,1                                //ebx = 1-based character index
003E9069    8D4D E8         lea ecx,dword ptr ss:[ebp-18]            //ecx = address of the local that receives the hex text
003E906C    8B45 F0         mov eax,dword ptr ss:[ebp-10]
003E906F    0FB64418 FF     movzx eax,byte ptr ds:[eax+ebx-1]        //eax = byte value of character number ebx
003E9074    33D2            xor edx,edx                              //edx = 0
003E9076    E8 F905F9FF     call PunUnitL.00379674                   //presumably converts eax to hexadecimal text in [ebp-18] -- TODO confirm
003E907B    8B55 E8         mov edx,dword ptr ss:[ebp-18]            //hex text of the current character
                                                                     //1: EDX=33 "3"
                                                                     //2: EDX=48 "H"
                                                                     //3: EDX=53 "S"
                                                                     //4: EDX=43 "C"
                                                                     //5: EDX=43 "C"
                                                                     //6: EDX=54 "T"
                                                                     //7: EDX=53 "S"
                                                                     //8: EDX=4D "M"
003E907E    8D45 FC         lea eax,dword ptr ss:[ebp-4]
003E9081    E8 EAB7F8FF     call PunUnitL.00374870                   //presumably appends edx to the string in [ebp-4] -- TODO confirm
003E9086    43              inc ebx                                  //next character
003E9087    4E              dec esi
003E9088  ^ 75 DF           jnz short PunUnitL.003E9069              //repeat for every character of the product ID
003E908A    8B45 FC         mov eax,dword ptr ss:[ebp-4]             //hex values joined together, EAX=334853434354534D
003E908D    E8 D6B7F8FF     call PunUnitL.00374868
003E9092    8BF0            mov esi,eax                              //esi = length of the hex string
003E9094    85F6            test esi,esi
003E9096    7E 2C           jle short PunUnitL.003E90C4              //skip the reversal when the length is <= 0
003E9098    BB 01000000     mov ebx,1
003E909D    8B45 FC         mov eax,dword ptr ss:[ebp-4]]            //reverse the hex string one character at a time (the doubled "]" is a typo in the listing)
003E90A0    E8 C3B7F8FF     call PunUnitL.00374868
003E90A5    2BC3            sub eax,ebx                              //eax = length - ebx: offset of the ebx-th character from the end
003E90A7    8B55 FC         mov edx,dword ptr ss:[ebp-4]
003E90AA    8A1402          mov dl,byte ptr ds:[edx+eax]             //dl = that character
003E90AD    8D45 E4         lea eax,dword ptr ss:[ebp-1C]
003E90B0    E8 DBB6F8FF     call PunUnitL.00374790                   //presumably turns the character in dl into a one-character string in [ebp-1C] -- TODO confirm
003E90B5    8B55 E4         mov edx,dword ptr ss:[ebp-1C]
003E90B8    8D45 F8         lea eax,dword ptr ss:[ebp-8]
003E90BB    E8 B0B7F8FF     call PunUnitL.00374870                   //append it to the reversed string in [ebp-8]
003E90C0    43              inc ebx                                  //next character
003E90C1    4E              dec esi
003E90C2  ^ 75 D9           jnz short PunUnitL.003E909D              //repeat until the whole string is reversed
003E90C4    8D45 FC         lea eax,dword ptr ss:[ebp-4]
003E90C7    50              push eax                                 //destination: [ebp-4]
003E90C8    B9 04000000     mov ecx,4                                //4 characters
003E90CD    BA 01000000     mov edx,1                                //starting at position 1
003E90D2    8B45 F8         mov eax,dword ptr ss:[ebp-8]             //the reversed hex string, EAX=D435453434358433
003E90D5    E8 E6B9F8FF     call PunUnitL.00374AC0                   //presumably a substring copy (source eax, start edx, count ecx) -- TODO confirm
003E90DA    8D45 F8         lea eax,dword ptr ss:[ebp-8]
003E90DD    50              push eax                                 //destination: [ebp-8]
003E90DE    B9 04000000     mov ecx,4                                //4 characters
003E90E3    BA 05000000     mov edx,5                                //starting at position 5
003E90E8    8B45 F8         mov eax,dword ptr ss:[ebp-8]
003E90EB    E8 D0B9F8FF     call PunUnitL.00374AC0
003E90F0    8B45 FC         mov eax,dword ptr ss:[ebp-4]             //[ebp-4] now holds ASCII "D435" (the author's SN1)
003E90F3    E8 70B7F8FF     call PunUnitL.00374868
003E90F8    83F8 04         cmp eax,4                                //is the piece 4 characters long?
003E90FB    7D 2F           jge short PunUnitL.003E912C              //length >= 4: no padding needed
003E90FD    8B45 FC         mov eax,dword ptr ss:[ebp-4]             //padding path, reached only when the piece is shorter than 4
003E9100    E8 63B7F8FF     call PunUnitL.00374868
003E9105    8BD8            mov ebx,eax                              //ebx = current length
003E9107    83FB 03         cmp ebx,3
003E910A    7F 20           jg short PunUnitL.003E912C
003E910C    8D4D E0         lea ecx,dword ptr ss:[ebp-20]
003E910F    8BC3            mov eax,ebx
003E9111    C1E0 02         shl eax,2                                //eax = ebx * 4
003E9114    33D2            xor edx,edx
003E9116    E8 5905F9FF     call PunUnitL.00379674                   //same conversion helper as at 003E9076, here on ebx*4
003E911B    8B55 E0         mov edx,dword ptr ss:[ebp-20]
003E911E    8D45 FC         lea eax,dword ptr ss:[ebp-4]
003E9121    E8 4AB7F8FF     call PunUnitL.00374870                   //append the filler to [ebp-4]
003E9126    43              inc ebx
003E9127    83FB 04         cmp ebx,4
003E912A  ^ 75 E0           jnz short PunUnitL.003E910C              //repeat until ebx reaches 4
003E912C    8B45 F8         mov eax,dword ptr ss:[ebp-8]             //[ebp-8] now holds ASCII "4534" (the author's SN2)
003E912F    E8 34B7F8FF     call PunUnitL.00374868
003E9134    83F8 04         cmp eax,4                                //is the piece 4 characters long?
003E9137    7D 2F           jge short PunUnitL.003E9168              //length >= 4: no padding needed
003E9139    8B45 F8         mov eax,dword ptr ss:[ebp-8]             //same padding path as above, for the second piece
003E913C    E8 27B7F8FF     call PunUnitL.00374868
003E9141    8BD8            mov ebx,eax
003E9143    83FB 03         cmp ebx,3
003E9146    7F 20           jg short PunUnitL.003E9168
003E9148    8D4D DC         lea ecx,dword ptr ss:[ebp-24]
003E914B    8BC3            mov eax,ebx
003E914D    C1E0 02         shl eax,2
003E9150    33D2            xor edx,edx
003E9152    E8 1D05F9FF     call PunUnitL.00379674
003E9157    8B55 DC         mov edx,dword ptr ss:[ebp-24]
003E915A    8D45 F8         lea eax,dword ptr ss:[ebp-8]
003E915D    E8 0EB7F8FF     call PunUnitL.00374870
003E9162    43              inc ebx
003E9163    83FB 04         cmp ebx,4
003E9166  ^ 75 E0           jnz short PunUnitL.003E9148
003E9168    8D45 D8         lea eax,dword ptr ss:[ebp-28]
003E916B    8B55 0C         mov edx,dword ptr ss:[ebp+C]             //second argument: the fixed string, ASCII "C56D-Q638"
003E916E    E8 2DB6F8FF     call PunUnitL.003747A0                   //copy it into the local string [ebp-28] (same helper as at 003E9051)
003E9173    8B45 D8         mov eax,dword ptr ss:[ebp-28]
003E9176    8D55 F4         lea edx,dword ptr ss:[ebp-C]
003E9179    E8 DE03F9FF     call PunUnitL.0037955C                   //writes a processed copy to [ebp-C]; the processing itself is not visible here
003E917E    8D45 D4         lea eax,dword ptr ss:[ebp-2C]
003E9181    50              push eax                                 //destination: [ebp-2C]
003E9182    B9 04000000     mov ecx,4                                //4 characters
003E9187    BA 01000000     mov edx,1                                //starting at position 1
003E918C    8B45 F4         mov eax,dword ptr ss:[ebp-C]
003E918F    E8 2CB9F8FF     call PunUnitL.00374AC0
003E9194    FF75 D4         push dword ptr ss:[ebp-2C]               //piece 1: ASCII "C56D" (the author's SN3)
003E9197    68 0C923E00     push PunUnitL.003E920C                   //piece 2: the "-" separator
003E919C    FF75 FC         push dword ptr ss:[ebp-4]                //piece 3: SN1, ASCII "D435"
003E919F    8D45 D0         lea eax,dword ptr ss:[ebp-30]
003E91A2    50              push eax                                 //destination: [ebp-30]
003E91A3    B9 05000000     mov ecx,5                                //5 characters
003E91A8    BA 05000000     mov edx,5                                //starting at position 5
003E91AD    8B45 F4         mov eax,dword ptr ss:[ebp-C]             //the fixed string again, ASCII "C56D-Q638"
003E91B0    E8 0BB9F8FF     call PunUnitL.00374AC0
003E91B5    FF75 D0         push dword ptr ss:[ebp-30]               //piece 4: ASCII "-Q638" (the author's SN4)
003E91B8    68 0C923E00     push PunUnitL.003E920C                   //piece 5: the "-" separator
003E91BD    FF75 F8         push dword ptr ss:[ebp-8]                //piece 6: SN2, ASCII "4534"
003E91C0    8D45 EC         lea eax,dword ptr ss:[ebp-14]            //destination of the joined string
003E91C3    BA 06000000     mov edx,6                                //6 = number of pieces pushed above (author: "six concatenations?")
003E91C8    E8 5BB7F8FF     call PunUnitL.00374928                   //presumably joins the pushed pieces into [ebp-14] -- TODO confirm
003E91CD    8B45 EC         mov eax,dword ptr ss:[ebp-14]            //the joined string, ASCII "C56D-D435-Q638-4534"
003E91D0    E8 8BB8F8FF     call PunUnitL.00374A60                   //presumably yields a character pointer for the result -- TODO confirm
003E91D5    8BD8            mov ebx,eax                              //ebx = result pointer, ASCII "C56D-D435-Q638-4534"
003E91D7    33C0            xor eax,eax                              //eax = 0
003E91D9    5A              pop edx
003E91DA    59              pop ecx
003E91DB    59              pop ecx
003E91DC    64:8910         mov dword ptr fs:[eax],edx               //unlink the exception frame
003E91DF    68 F9913E00     push PunUnitL.003E91F9                   //the retn at 003E91F1 continues at this address
003E91E4    8D45 D0         lea eax,dword ptr ss:[ebp-30]
003E91E7    BA 0C000000     mov edx,0C
003E91EC    E8 E3B3F8FF     call PunUnitL.003745D4                   //presumably releases 0C locals from [ebp-30] up; NOTE(review): that range includes [ebp-14], so ebx may point at released memory -- TODO confirm
003E91F1    C3              retn                                     //returns to 003E91F9, the address pushed at 003E91DF
003E91F2  ^ E9 1DADF8FF     jmp PunUnitL.00373F14                    //exception handler registered at 003E9038 (not a "keep computing" branch, as the original note suggests)
003E91F7  ^ EB EB           jmp short PunUnitL.003E91E4              //re-enter the clean-up sequence
003E91F9    8BC3            mov eax,ebx                              //return value: pointer to ASCII "C56D-D435-Q638-4534"
003E91FB    5E              pop esi
003E91FC    5B              pop ebx
003E91FD    8BE5            mov esp,ebp
003E91FF    5D              pop ebp
003E9200    C2 0800         retn 8                                   //drop the two stack arguments and return from PunUnitLib.dll to the program

-------------------------------------------------------------------------------------------------------------------------
【算法总结】

注册验证非常简单:

注册验证与用户名无关,所以可以任意填写,并不参与注册码计算!

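注册码的整个计算过程是在安装目录下“PunUnitLib.dll”文件内完成的!也就是说,正确的注册码由客户端在本地算出,再与输入内容做明文字符串比较,验证结果只取决于 005E30C9 处的一次条件跳转。从防护角度看,授权校验不应在客户端生成正确的注册码,而应改为由服务端签发授权数据、客户端只用公钥验证签名。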

1、取机器码十六进制来反排序.
2、用到的常数为“C56D-Q638”.
3、注册码的组合方式为:

注册码=“C56D”+“-”+取倒(HEX(机器码倒数1、2位))+“-Q638”+“-”+取倒(HEX(机器码倒数后3、4位))

即:SN3 + SN1 + SN4 + SN2

=================================

注册信息:

用户名称:KuNgBiM
产品编号:3HSCCTSM
授权编号:C56D-D435-Q638-4534

=================================
【内存注册机】

中断地址:5E30C4
中断次数:1
第一字节:E8
指令长度:6

保存方式:内存方式--->EDX

【注册爆破点】

005E30C9    0F85 FE000000   jnz JyCrm.005E31CD           //nop掉!

〓本文完〓

--------------------------------------------------------------------------

版权所有(C)2005 KuNgBiM[DFCG]         Copyright (C) 2005 KuNgBiM[DFCG]

--------------------------------------------------------------------------
          Cracked BY KuNgBiM[DFCG]

                2005-06-06

                16:18:16 PM