【破文标题】:佳宜客户管理软件 V1.15 注册算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:佳宜客户管理软件 V1.15
【保护方式】:启动NAG + 注册码 + 试用时间45天 + 部分功能限制
【编译语言】:Borland Delphi 6.0 - 7.0
—————————————————————————————————
【破解过程】:
****** 试炼信息 ******
用户名称:KuNgBiM
产品编号:3HSCCTSM
授权编号:78787878
**********************
// JyCrm.005E2FC0: handler that validates the registration dialog (OllyDbg listing, 32-bit x86, Intel syntax).
// In:   eax = object pointer, saved at [ebp-4]; its fields at +304, +2FC and +2F4 are read as the
//       user-name, licence-code and product-ID controls (presumably the form's Self, confirm).
// Flow: reject an empty user name or licence code, ask PunUnitLib.GetRegPass for the expected code,
//       compare it with the entered code, then either store the registration in the registry and
//       report success, or report failure.
// Review note: the expected code is generated on the client and held in plaintext at [ebp-8] before
//       a single string compare, so the check gives no protection against anyone who can observe or
//       modify the process; a sturdier design verifies a vendor-signed licence instead of
//       regenerating the answer locally.
// Helper names marked "presumably" are inferred from how they are used here, not from symbols.
005E2FC0 55 push ebp
005E2FC1 8BEC mov ebp,esp
005E2FC3 B9 06000000 mov ecx,6 //loop counter, 6 passes (original note: "six system checks"; the loop below only pushes zeros)
005E2FC8 6A 00 push 0
005E2FCA 6A 00 push 0
005E2FCC 49 dec ecx
005E2FCD ^ 75 F9 jnz short JyCrm.005E2FC8 //repeat 6 times: 12 zeroed dwords reserved below ebp for locals
005E2FCF 51 push ecx //ecx is 0 here: one more zeroed slot
005E2FD0 53 push ebx
005E2FD1 56 push esi
005E2FD2 57 push edi
005E2FD3 8945 FC mov dword ptr ss:[ebp-4],eax //keep the incoming object pointer
005E2FD6 33C0 xor eax,eax
005E2FD8 55 push ebp
005E2FD9 68 3E325E00 push JyCrm.005E323E //exception-handler entry for this frame
005E2FDE 64:FF30 push dword ptr fs:[eax]
005E2FE1 64:8920 mov dword ptr fs:[eax],esp //install the frame at fs:[0]
005E2FE4 8D55 F0 lea edx,dword ptr ss:[ebp-10] //edx = address of the output slot
005E2FE7 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E2FEA 8B80 04030000 mov eax,dword ptr ds:[eax+304]
005E2FF0 E8 0BBFE6FF call JyCrm.0044EF00 //get the user name
005E2FF5 8B45 F0 mov eax,dword ptr ss:[ebp-10] //ASCII "KuNgBiM"
005E2FF8 8D55 F4 lea edx,dword ptr ss:[ebp-C]
005E2FFB E8 D067E2FF call JyCrm.004097D0 //original note: "get the user-name length"; the output written through edx is later used as a string (see 005E30BE), so presumably a Trim-style helper
005E3000 837D F4 00 cmp dword ptr ss:[ebp-C],0 //is the result empty? (original note: compare the length with 0)
005E3004 75 22 jnz short JyCrm.005E3028 //must be taken to continue: user name is not empty
005E3006 6A 00 push 0
005E3008 68 4C325E00 push JyCrm.005E324C //ASCII "请填写用户名称!" ("Please enter a user name!")
005E300D E8 9213FFFF call <jmp.&PunUnitLib.ShowMess>
005E3012 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E3015 8B80 04030000 mov eax,dword ptr ds:[eax+304]
005E301B 8B10 mov edx,dword ptr ds:[eax]
005E301D FF92 C0000000 call dword ptr ds:[edx+C0] //virtual call on the user-name control (presumably SetFocus, confirm)
005E3023 E9 B1010000 jmp JyCrm.005E31D9 //to the common exit
005E3028 8D55 E8 lea edx,dword ptr ss:[ebp-18]
005E302B 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E302E 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
005E3034 E8 C7BEE6FF call JyCrm.0044EF00 //get the licence code that was entered
005E3039 8B45 E8 mov eax,dword ptr ss:[ebp-18] //ASCII "78787878"
005E303C 8D55 EC lea edx,dword ptr ss:[ebp-14]
005E303F E8 8C67E2FF call JyCrm.004097D0 //original note: "get the licence-code length"; same helper as at 005E2FFB
005E3044 837D EC 00 cmp dword ptr ss:[ebp-14],0 //is the result empty? (original note: compare the length with 0)
005E3048 75 22 jnz short JyCrm.005E306C //must be taken to continue: licence code is not empty
005E304A 6A 00 push 0
005E304C 68 60325E00 push JyCrm.005E3260 //ASCII "授权号不能为空,请填写授权号!" ("The licence number must not be empty, please enter it!")
005E3051 E8 4E13FFFF call <jmp.&PunUnitLib.ShowMess>
005E3056 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E3059 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
005E305F 8B10 mov edx,dword ptr ds:[eax]
005E3061 FF92 C0000000 call dword ptr ds:[edx+C0] //virtual call on the licence-code control (presumably SetFocus, confirm)
005E3067 E9 6D010000 jmp JyCrm.005E31D9 //to the common exit
005E306C A1 2CB56100 mov eax,dword ptr ds:[61B52C] //read a global pointer
005E3071 8B00 mov eax,dword ptr ds:[eax] //load the fixed string, ASCII "C56D-Q638"
005E3073 E8 0820E2FF call JyCrm.00405080 //presumably string-to-PChar conversion, confirm
005E3078 50 push eax //stack argument: the fixed string, ASCII "C56D-Q638"
005E3079 8D55 E4 lea edx,dword ptr ss:[ebp-1C] //edx = address of the output slot (the original note says "EDX cleared")
005E307C 8B45 FC mov eax,dword ptr ss:[ebp-4] //reload the object pointer (original register note: ASCII "C56D-Q638")
005E307F 8B80 F4020000 mov eax,dword ptr ds:[eax+2F4]
005E3085 E8 76BEE6FF call JyCrm.0044EF00 //get the product ID
005E308A 8B45 E4 mov eax,dword ptr ss:[ebp-1C] //ASCII "3HSCCTSM"
005E308D E8 EE1FE2FF call JyCrm.00405080
005E3092 50 push eax //stack argument: the product ID
005E3093 E8 3C13FFFF call <jmp.&PunUnitLib.GetRegPass> //registration-code routine in "PunUnitLib.dll"; the original note says to step into it (F7) ★
005E3098 8BD0 mov edx,eax //eax returns the expected ("real") code in plaintext, ASCII "C56D-D435-Q638-4534"
005E309A 8D45 F8 lea eax,dword ptr ss:[ebp-8] //eax = address of the slot that receives the real code
005E309D E8 1E1DE2FF call JyCrm.00404DC0 //stores the returned code in [ebp-8] (original note: "computes the real code's length"); presumably PChar-to-string, confirm
005E30A2 8D55 DC lea edx,dword ptr ss:[ebp-24] //edx = address of the output slot; original register note: ASCII "C56D-D435-Q638-4534", edx=12 (hex)
005E30A5 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E30A8 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
005E30AE E8 4DBEE6FF call JyCrm.0044EF00 //get the entered licence code again (original note: "length of the fake code"); same routine as at 005E3034
005E30B3 8B45 DC mov eax,dword ptr ss:[ebp-24] //ASCII "78787878"; original register note: eax=8 (hex)
005E30B6 8D55 E0 lea edx,dword ptr ss:[ebp-20]
005E30B9 E8 1267E2FF call JyCrm.004097D0
005E30BE 8B45 E0 mov eax,dword ptr ss:[ebp-20] //eax = entered ("fake") code, ASCII "78787878"
005E30C1 8B55 F8 mov edx,dword ptr ss:[ebp-8] //edx = real code, ASCII "C56D-D435-Q638-4534"
005E30C4 E8 031FE2FF call JyCrm.00404FCC //key call: plain comparison of the two strings
005E30C9 0F85 FE000000 jnz JyCrm.005E31CD //not equal -> failure message; the original note marks this as the patch point ★ because the whole licence decision rests on this one branch
005E30CF 33C0 xor eax,eax
005E30D1 55 push ebp
005E30D2 68 B9315E00 push JyCrm.005E31B9 //exception-handler entry for the registry-writing part
005E30D7 64:FF30 push dword ptr fs:[eax]
005E30DA 64:8920 mov dword ptr fs:[eax],esp
005E30DD B2 01 mov dl,1
005E30DF A1 9C2E4700 mov eax,dword ptr ds:[472E9C]
005E30E4 E8 1FFFE8FF call JyCrm.00473008 //presumably constructs the registry helper object, confirm
005E30E9 8BD8 mov ebx,eax //ebx = that object for the calls below
005E30EB BA 02000080 mov edx,80000002 //0x80000002 is the value of HKEY_LOCAL_MACHINE
005E30F0 8BC3 mov eax,ebx
005E30F2 E8 EDFFE8FF call JyCrm.004730E4 //presumably selects the root key, confirm
005E30F7 B1 01 mov cl,1
005E30F9 8B15 A8A96100 mov edx,dword ptr ds:[61A9A8] //ASCII "software\jycrm\crm"
//registry key under which the registration data is stored
005E30FF 8BC3 mov eax,ebx
005E3101 E8 2201E9FF call JyCrm.00473228 //presumably opens the key, creating it when cl=1, confirm
005E3106 8D55 D8 lea edx,dword ptr ss:[ebp-28]
005E3109 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E310C 8B80 04030000 mov eax,dword ptr ds:[eax+304]
005E3112 E8 E9BDE6FF call JyCrm.0044EF00
005E3117 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
005E311A BA 88325E00 mov edx,JyCrm.005E3288 //ASCII "UserName"
//registry value that holds the user name
005E311F 8BC3 mov eax,ebx
005E3121 E8 9E02E9FF call JyCrm.004733C4 //presumably writes a string value, confirm
005E3126 8D55 D0 lea edx,dword ptr ss:[ebp-30]
005E3129 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E312C 8B80 F4020000 mov eax,dword ptr ds:[eax+2F4]
005E3132 E8 C9BDE6FF call JyCrm.0044EF00
005E3137 8B45 D0 mov eax,dword ptr ss:[ebp-30]
005E313A E8 411FE2FF call JyCrm.00405080
005E313F 50 push eax
005E3140 E8 8712FFFF call <jmp.&PunUnitLib.SavePass> //product ID goes through SavePass before it is stored; the transformation is not shown in this listing
005E3145 8BD0 mov edx,eax
005E3147 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
005E314A E8 711CE2FF call JyCrm.00404DC0
005E314F 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
005E3152 BA 9C325E00 mov edx,JyCrm.005E329C //ASCII "SignCode"
//registry value for the product ID (the original note calls it the hard-disk number)
005E3157 8BC3 mov eax,ebx
005E3159 E8 6602E9FF call JyCrm.004733C4
005E315E 8B45 F8 mov eax,dword ptr ss:[ebp-8] //the real code computed above
005E3161 E8 1A1FE2FF call JyCrm.00405080
005E3166 50 push eax
005E3167 E8 6012FFFF call <jmp.&PunUnitLib.SavePass>
005E316C 8BD0 mov edx,eax
005E316E 8D45 CC lea eax,dword ptr ss:[ebp-34]
005E3171 E8 4A1CE2FF call JyCrm.00404DC0
005E3176 8B4D CC mov ecx,dword ptr ss:[ebp-34]
005E3179 BA B0325E00 mov edx,JyCrm.005E32B0 //ASCII "RegCode"
//registry value for the licence number (registration code)
005E317E 8BC3 mov eax,ebx
005E3180 E8 3F02E9FF call JyCrm.004733C4
005E3185 8BC3 mov eax,ebx
005E3187 E8 500BE2FF call JyCrm.00403CDC //presumably releases the registry helper object, confirm
005E318C 6A 00 push 0
005E318E 68 B8325E00 push JyCrm.005E32B8 //ASCII "系统注册成功,欢迎你使用本软件!" ("Registration succeeded, welcome to this software!")
005E3193 E8 0C12FFFF call <jmp.&PunUnitLib.ShowMess>
005E3198 A1 28B56100 mov eax,dword ptr ds:[61B528]
005E319D C700 02000000 mov dword ptr ds:[eax],2 //writes 2 through a global pointer (presumably the registration-state flag, confirm)
005E31A3 A1 F0B26100 mov eax,dword ptr ds:[61B2F0]
005E31A8 8B00 mov eax,dword ptr ds:[eax]
005E31AA E8 C5D8E8FF call JyCrm.00470A74
005E31AF 33C0 xor eax,eax
005E31B1 5A pop edx
005E31B2 59 pop ecx
005E31B3 59 pop ecx
005E31B4 64:8910 mov dword ptr fs:[eax],edx //remove the inner exception frame
005E31B7 EB 20 jmp short JyCrm.005E31D9 //to the common exit
005E31B9 ^ E9 FE0FE2FF jmp JyCrm.004041BC //handler entry pushed at 005E30D2
005E31BE 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E31C1 E8 FE9FE8FF call JyCrm.0046D1C4
005E31C6 E8 1D14E2FF call JyCrm.004045E8
005E31CB EB 0C jmp short JyCrm.005E31D9
005E31CD 6A 03 push 3
005E31CF 68 DC325E00 push JyCrm.005E32DC //ASCII "系统注册失败,请检查注册是否有误!" ("Registration failed, please check the registration details!")
005E31D4 E8 CB11FFFF call <jmp.&PunUnitLib.ShowMess>
005E31D9 33C0 xor eax,eax //common exit
005E31DB 5A pop edx
005E31DC 59 pop ecx
005E31DD 59 pop ecx
005E31DE 64:8910 mov dword ptr fs:[eax],edx //remove the outer exception frame
005E31E1 68 45325E00 push JyCrm.005E3245 //return address consumed by the retn at 005E323D
005E31E6 8D45 CC lea eax,dword ptr ss:[ebp-34] //from here on each call receives the address of a local slot (presumably releasing the temporary strings, confirm)
005E31E9 E8 E219E2FF call JyCrm.00404BD0
005E31EE 8D45 D0 lea eax,dword ptr ss:[ebp-30]
005E31F1 E8 DA19E2FF call JyCrm.00404BD0
005E31F6 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
005E31F9 E8 D219E2FF call JyCrm.00404BD0
005E31FE 8D45 D8 lea eax,dword ptr ss:[ebp-28]
005E3201 BA 02000000 mov edx,2
005E3206 E8 E919E2FF call JyCrm.00404BF4
005E320B 8D45 E0 lea eax,dword ptr ss:[ebp-20]
005E320E E8 BD19E2FF call JyCrm.00404BD0
005E3213 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
005E3216 BA 02000000 mov edx,2
005E321B E8 D419E2FF call JyCrm.00404BF4
005E3220 8D45 EC lea eax,dword ptr ss:[ebp-14]
005E3223 E8 A819E2FF call JyCrm.00404BD0
005E3228 8D45 F0 lea eax,dword ptr ss:[ebp-10]
005E322B E8 A019E2FF call JyCrm.00404BD0
005E3230 8D45 F4 lea eax,dword ptr ss:[ebp-C]
005E3233 BA 02000000 mov edx,2
005E3238 E8 B719E2FF call JyCrm.00404BF4
005E323D C3 retn //returns to 005E3245, pushed at 005E31E1
005E323E ^ E9 2D12E2FF jmp JyCrm.00404470 //handler entry pushed at 005E2FD9
005E3243 ^ EB A1 jmp short JyCrm.005E31E6 //back into the cleanup sequence
005E3245 5F pop edi
005E3246 5E pop esi
005E3247 5B pop ebx
005E3248 8BE5 mov esp,ebp
005E324A 5D pop ebp
005E324B C3 retn
================= 跟进:005E3093 E8 3C13FFFF call <jmp.&PunUnitLib.GetRegPass> =================
// Import thunk for PunUnitLib.GetRegPass, followed by bytes that the debugger decoded as instructions.
005D43D4 - FF25 48FB6100 jmp dword ptr ds:[<&PunUnitLib.GetRegPass>] //jump through the import table into the algorithm routine; the original note says to follow it (F8) ★
005D43DA 8BC0 mov eax,eax //has no effect; presumably alignment padding after the thunk
005D43DC FFFF ??? ; unknown command
005D43DE FFFF ??? ; unknown command
005D43E0 0C 00 or al,0 //NOTE(review): FF FF FF FF followed by 0C 00 00 00 looks like a constant-string header (reference count -1, length 12) with its text bytes after it, i.e. data rather than code - confirm
005D43E2 0000 add byte ptr ds:[eax],al
005D43E4 CE into
005D43E5 F7B0 B2BCD1D2 div dword ptr ds:[eax+D2D1BCB2]
005D43EB CB retf
=========== 跟进:005D43D4 - FF25 48FB6100 jmp dword ptr ds:[<&PunUnitLib.GetRegPass>] ===========
// PunUnitLib.GetRegPass (OllyDbg listing, 32-bit x86, Intel syntax): builds the expected registration code.
// In:   [ebp+8]  = product ID (pushed last by the caller), ASCII "3HSCCTSM" in this run
//       [ebp+C]  = fixed string (pushed first by the caller), ASCII "C56D-Q638"
// Out:  eax = pointer to the joined code, ASCII "C56D-D435-Q638-4534" in this run
// Stack: the callee removes both arguments (retn 8).
// Steps: hex text of every product-ID character -> reversed -> two 4-character pieces (SN1, SN2),
//       joined with two pieces of the fixed string (SN3, SN4).
// Review note: every input is either shipped with the program or shown to the user, and no secret
//       is involved, so the result can be reproduced by anyone who reads this routine.
// Helper names marked "presumably" are inferred from how they are used here, not from symbols.
003E9024 > 55 push ebp
003E9025 8BEC mov ebp,esp
003E9027 B9 06000000 mov ecx,6 //loop counter, 6 passes (original note: "check that the registration fields are complete"; the loop below only pushes zeros)
003E902C 6A 00 push 0
003E902E 6A 00 push 0
003E9030 49 dec ecx
003E9031 ^ 75 F9 jnz short PunUnitL.003E902C //repeat 6 times: 12 zeroed dwords reserved below ebp for locals
003E9033 53 push ebx
003E9034 56 push esi
003E9035 33C0 xor eax,eax //eax = 0
003E9037 55 push ebp
003E9038 68 F2913E00 push PunUnitL.003E91F2 //exception-handler entry for this frame
003E903D 64:FF30 push dword ptr fs:[eax]
003E9040 64:8920 mov dword ptr fs:[eax],esp //install the frame at fs:[0]
003E9043 8D45 EC lea eax,dword ptr ss:[ebp-14]
003E9046 E8 65B5F8FF call PunUnitL.003745B0 //original note: "get the product ID, ASCII "3HSCCTSM""; it is called with the address of [ebp-14], the slot that later receives the joined result
003E904B 8D45 F0 lea eax,dword ptr ss:[ebp-10]
003E904E 8B55 08 mov edx,dword ptr ss:[ebp+8] //first argument: the product ID
003E9051 E8 4AB7F8FF call PunUnitL.003747A0 //copies it into the local at [ebp-10] (presumably PChar-to-string, confirm)
003E9056 8B45 F0 mov eax,dword ptr ss:[ebp-10] //product ID in eax, calculation is about to start
003E9059 E8 0AB8F8FF call PunUnitL.00374868 //returns the string length
003E905E 8BF0 mov esi,eax //esi = product-ID length, EAX=8 in this run
003E9060 85F6 test esi,esi //is the length usable?
003E9062 7E 26 jle short PunUnitL.003E908A //zero or negative: skip the loop
003E9064 BB 01000000 mov ebx,1 //calculation starts; ebx = 1-based character index
003E9069 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
003E906C 8B45 F0 mov eax,dword ptr ss:[ebp-10]
003E906F 0FB64418 FF movzx eax,byte ptr ds:[eax+ebx-1] //next product-ID character as a byte value
003E9074 33D2 xor edx,edx //edx = 0
003E9076 E8 F905F9FF call PunUnitL.00379674 //turns the value into hex text at [ebp-18] (presumably an IntToHex-style helper, confirm)
003E907B 8B55 E8 mov edx,dword ptr ss:[ebp-18] //hex text of that character
//1: EDX="33" ('3')
//2: EDX="48" ('H')
//3: EDX="53" ('S')
//4: EDX="43" ('C')
//5: EDX="43" ('C')
//6: EDX="54" ('T')
//7: EDX="53" ('S')
//8: EDX="4D" ('M')
003E907E 8D45 FC lea eax,dword ptr ss:[ebp-4]
003E9081 E8 EAB7F8FF call PunUnitL.00374870 //appends it to the string at [ebp-4]
003E9086 43 inc ebx //advance to the next character
003E9087 4E dec esi
003E9088 ^ 75 DF jnz short PunUnitL.003E9069 //loop back for the next character
003E908A 8B45 FC mov eax,dword ptr ss:[ebp-4] //hex text of the whole product ID, EAX=334853434354534D
003E908D E8 D6B7F8FF call PunUnitL.00374868
003E9092 8BF0 mov esi,eax //esi = length of the hex text
003E9094 85F6 test esi,esi
003E9096 7E 2C jle short PunUnitL.003E90C4
003E9098 BB 01000000 mov ebx,1
003E909D 8B45 FC mov eax,dword ptr ss:[ebp-4]] //reverse the hex text one character at a time
003E90A0 E8 C3B7F8FF call PunUnitL.00374868
003E90A5 2BC3 sub eax,ebx //offset counted from the end: length - ebx
003E90A7 8B55 FC mov edx,dword ptr ss:[ebp-4]
003E90AA 8A1402 mov dl,byte ptr ds:[edx+eax] //character at that offset
003E90AD 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
003E90B0 E8 DBB6F8FF call PunUnitL.00374790
003E90B5 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
003E90B8 8D45 F8 lea eax,dword ptr ss:[ebp-8]
003E90BB E8 B0B7F8FF call PunUnitL.00374870 //appends it to the string at [ebp-8]
003E90C0 43 inc ebx //advance to the next character
003E90C1 4E dec esi
003E90C2 ^ 75 D9 jnz short PunUnitL.003E909D //loop back until the whole text is reversed
003E90C4 8D45 FC lea eax,dword ptr ss:[ebp-4]
003E90C7 50 push eax //destination: [ebp-4]
003E90C8 B9 04000000 mov ecx,4 //take 4 characters
003E90CD BA 01000000 mov edx,1 //starting at position 1
003E90D2 8B45 F8 mov eax,dword ptr ss:[ebp-8] //reversed hex text, EAX=D435453434358433
003E90D5 E8 E6B9F8FF call PunUnitL.00374AC0 //substring copy
003E90DA 8D45 F8 lea eax,dword ptr ss:[ebp-8]
003E90DD 50 push eax //destination: [ebp-8]
003E90DE B9 04000000 mov ecx,4 //take 4 characters
003E90E3 BA 05000000 mov edx,5 //starting at position 5
003E90E8 8B45 F8 mov eax,dword ptr ss:[ebp-8]
003E90EB E8 D0B9F8FF call PunUnitL.00374AC0
003E90F0 8B45 FC mov eax,dword ptr ss:[ebp-4] //first piece, kept in [ebp-4] for later, ASCII "D435" ★SN1
003E90F3 E8 70B7F8FF call PunUnitL.00374868
003E90F8 83F8 04 cmp eax,4 //is the piece a full 4 characters?
003E90FB 7D 2F jge short PunUnitL.003E912C //yes: continue with the next step
003E90FD 8B45 FC mov eax,dword ptr ss:[ebp-4] //shorter piece: the loop below appends filler text
003E9100 E8 63B7F8FF call PunUnitL.00374868
003E9105 8BD8 mov ebx,eax //ebx = current length
003E9107 83FB 03 cmp ebx,3
003E910A 7F 20 jg short PunUnitL.003E912C
003E910C 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
003E910F 8BC3 mov eax,ebx
003E9111 C1E0 02 shl eax,2 //value = ebx * 4
003E9114 33D2 xor edx,edx
003E9116 E8 5905F9FF call PunUnitL.00379674 //same value-to-hex-text helper as in the first loop
003E911B 8B55 E0 mov edx,dword ptr ss:[ebp-20]
003E911E 8D45 FC lea eax,dword ptr ss:[ebp-4]
003E9121 E8 4AB7F8FF call PunUnitL.00374870
003E9126 43 inc ebx
003E9127 83FB 04 cmp ebx,4
003E912A ^ 75 E0 jnz short PunUnitL.003E910C //repeat until ebx reaches 4
003E912C 8B45 F8 mov eax,dword ptr ss:[ebp-8] //second piece, kept in [ebp-8] for later, ASCII "4534" ★SN2
003E912F E8 34B7F8FF call PunUnitL.00374868
003E9134 83F8 04 cmp eax,4 //is the piece a full 4 characters?
003E9137 7D 2F jge short PunUnitL.003E9168 //yes: continue with the next step
003E9139 8B45 F8 mov eax,dword ptr ss:[ebp-8] //shorter piece: same filler loop as for the first piece
003E913C E8 27B7F8FF call PunUnitL.00374868
003E9141 8BD8 mov ebx,eax
003E9143 83FB 03 cmp ebx,3
003E9146 7F 20 jg short PunUnitL.003E9168
003E9148 8D4D DC lea ecx,dword ptr ss:[ebp-24]
003E914B 8BC3 mov eax,ebx
003E914D C1E0 02 shl eax,2
003E9150 33D2 xor edx,edx
003E9152 E8 1D05F9FF call PunUnitL.00379674
003E9157 8B55 DC mov edx,dword ptr ss:[ebp-24]
003E915A 8D45 F8 lea eax,dword ptr ss:[ebp-8]
003E915D E8 0EB7F8FF call PunUnitL.00374870
003E9162 43 inc ebx
003E9163 83FB 04 cmp ebx,4
003E9166 ^ 75 E0 jnz short PunUnitL.003E9148
003E9168 8D45 D8 lea eax,dword ptr ss:[ebp-28]
003E916B 8B55 0C mov edx,dword ptr ss:[ebp+C] //second argument: the fixed string, ASCII "C56D-Q638"
003E916E E8 2DB6F8FF call PunUnitL.003747A0
003E9173 8B45 D8 mov eax,dword ptr ss:[ebp-28]
003E9176 8D55 F4 lea edx,dword ptr ss:[ebp-C]
003E9179 E8 DE03F9FF call PunUnitL.0037955C //writes a string derived from the fixed string to [ebp-C]; what it changes is not visible here
003E917E 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
003E9181 50 push eax
003E9182 B9 04000000 mov ecx,4 //take 4 characters
003E9187 BA 01000000 mov edx,1 //starting at position 1
003E918C 8B45 F4 mov eax,dword ptr ss:[ebp-C]
003E918F E8 2CB9F8FF call PunUnitL.00374AC0
003E9194 FF75 D4 push dword ptr ss:[ebp-2C] //piece 1 of 6: ASCII "C56D" ★SN3
003E9197 68 0C923E00 push PunUnitL.003E920C //piece 2: the "-" separator
003E919C FF75 FC push dword ptr ss:[ebp-4] //piece 3: ★SN1 kept earlier, ASCII "D435"
003E919F 8D45 D0 lea eax,dword ptr ss:[ebp-30]
003E91A2 50 push eax
003E91A3 B9 05000000 mov ecx,5 //take 5 characters
003E91A8 BA 05000000 mov edx,5 //starting at position 5
003E91AD 8B45 F4 mov eax,dword ptr ss:[ebp-C] //the fixed string again, ASCII "C56D-Q638"
003E91B0 E8 0BB9F8FF call PunUnitL.00374AC0
003E91B5 FF75 D0 push dword ptr ss:[ebp-30] //piece 4: ASCII "-Q638" ★SN4
003E91B8 68 0C923E00 push PunUnitL.003E920C //piece 5: the "-" separator
003E91BD FF75 F8 push dword ptr ss:[ebp-8] //piece 6: ★SN2 kept earlier, ASCII "4534"
003E91C0 8D45 EC lea eax,dword ptr ss:[ebp-14]
003E91C3 BA 06000000 mov edx,6 //six pieces to join (original note: "has it been joined 6 times?")
003E91C8 E8 5BB7F8FF call PunUnitL.00374928
003E91CD 8B45 EC mov eax,dword ptr ss:[ebp-14] //joined text, ASCII "C56D-D435-Q638-4534"
003E91D0 E8 8BB8F8FF call PunUnitL.00374A60
003E91D5 8BD8 mov ebx,eax //keep the result pointer in ebx, ASCII "C56D-D435-Q638-4534"
003E91D7 33C0 xor eax,eax //eax = 0
003E91D9 5A pop edx
003E91DA 59 pop ecx
003E91DB 59 pop ecx
003E91DC 64:8910 mov dword ptr fs:[eax],edx //remove the exception frame
003E91DF 68 F9913E00 push PunUnitL.003E91F9 //return address consumed by the retn at 003E91F1
003E91E4 8D45 D0 lea eax,dword ptr ss:[ebp-30]
003E91E7 BA 0C000000 mov edx,0C //0C = 12 slots, [ebp-30] up to [ebp-4]
003E91EC E8 E3B3F8FF call PunUnitL.003745D4 //NOTE(review): if this releases those 12 local strings, [ebp-14] is among them and the pointer kept in ebx may refer to freed memory - confirm
003E91F1 C3 retn //returns to 003E91F9
003E91F2 ^ E9 1DADF8FF jmp PunUnitL.00373F14 //handler entry pushed at 003E9038 (original note: "continue if the calculation is not finished")
003E91F7 ^ EB EB jmp short PunUnitL.003E91E4 //back into the cleanup sequence
003E91F9 8BC3 mov eax,ebx //return value: the pointer kept in ebx, ASCII "C56D-D435-Q638-4534"
003E91FB 5E pop esi
003E91FC 5B pop ebx
003E91FD 8BE5 mov esp,ebp
003E91FF 5D pop ebp
003E9200 C2 0800 retn 8 //removes the two stack arguments; the work inside "PunUnitLib.dll" is finished, back to the program
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
注册验证非常简单:程序在本地算出正确的注册码(真码),再与输入的授权编号做一次明文字符串比较,结果只由一条条件跳转决定。
注册验证与用户名无关,所以可以任意填写,并不参与注册码计算!
注册码整个计算过程是在安装目录下“PunUnitLib.dll”文件内完成的!
1、取机器码(即产品编号)的十六进制字符串并倒序排列.
2、用到的常数为“C56D-Q638”.
3、注册码的组合方式为:
注册码=“C56D”+“-”+取倒(HEX(机器码倒数第1、2位))+“-Q638”+“-”+取倒(HEX(机器码倒数第3、4位))
即:SN3 + SN1 + SN4 + SN2
=================================
注册信息:
用户名称:KuNgBiM
产品编号:3HSCCTSM
授权编号:C56D-D435-Q638-4534
=================================
【内存注册机】
中断地址:5E30C4
中断次数:1
第一字节:E8
指令长度:6
保存方式:内存方式--->EDX
【注册爆破点】
005E30C9 0F85 FE000000 jnz JyCrm.005E31CD //nop掉!
〓本文完〓
--------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-06-06
16:18:16 PM