软件名称:Menu Maker 4
下载地址:http://www.selteco.com/?src=smmk2a
购买价格:¥29.00
简介:The easiest way to create pull-down web menus without coding.
编译语言:Microsoft Visual C++ 6.0
本文档由 :wofan[OCN] 制作,虽然是国外软件,还是不允许制作并发放注册机,违者后果自负。
本程序虽然没有采用加密算法,但是要很好地描述它的算法,还真有点麻烦。
填入注册码:
123456-787878787
我把它们分别叫做regone 和 regtwo
bpx GetWindowTextA 可以断下
00416B8A 8B4424 0C mov eax,dword ptr ss:[esp+C]
00416B8E 8378 F8 06 cmp dword ptr ds:[eax-8],6========第一个注册框中实际上也只能填写6个字符
00416B92 75 25 jnz short menumake.00416BB9
00416B94 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
00416B98 8379 F8 09 cmp dword ptr ds:[ecx-8],9========第二个注册框中实际上也只能填写9个字符
00416B9C 75 1B jnz short menumake.00416BB9
00416B9E 50 push eax
00416B9F E8 72D40000 call menumake.00424016=================== 将regone转为十六进制0x1E240
00416BA4 8B5424 0C mov edx,dword ptr ss:[esp+C]
00416BA8 8946 60 mov dword ptr ds:[esi+60],eax
00416BAB 52 push edx
00416BAC E8 65D40000 call menumake.00424016====================将regtwo转为十六进制0x2EF61383
00416BB1 83C4 08 add esp,8
……
00416BF4 C3 retn
以后居然不知跑到那里去了,我靠,难找了
换个断点:
bp MessageBoxA
来到:
00408314 6A 10 push 10
00408316 68 94064700 push menumake.00470694 ; ASCII "Selteco Menu Maker"
0040831B 68 2C064700 push menumake.0047062C ; ASCII "Invalid serial number."
00408320 6A 00 push 0
00408322 FF15 E8954500 call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA------这里
右击,分析代码,看它从那里来的。
0040814A . 52 push edx ; /Arg2
0040814B . 51 push ecx ; |Arg1
0040814C . 8BCE mov ecx,esi ; |
0040814E . E8 0D0B0000 call menumake.00408C60 ; \menumake.00408C60---这才是关键Call,F7跟进
00408153 . 85C0 test eax,eax
00408155 . 0F84 B9010000 je menumake.00408314-----------------出错MessageboxA来自这里的跳转,向上找
======================================================================
======================================================================
关键Call,F7跟进,算法在这里:
===========================================================================================================
==特别说明:本算法,不好描述,我估且: ======
==常数前面加const,例如出现的第一个常数,我就记为const_one ======
==注册码分为两部分, 我就分别记为:regone,regtwo ======
==由regone 和常数运算得到的数就记为,例如:conone_regone 就是第一个常数和注册码第一部分运算得到和结果======
==没有其它大常数参加运算,只是处理注册码,得到的数,记为,如regone_num 就是由注册码第一部分产生的数据======
===========================================================================================================
00408C60 /$ 83EC 3C sub esp,3C
00408C63 |. 8B4C24 40 mov ecx,dword ptr ss:[esp+40]==regone的十六进制:0x1E240
00408C67 |. B8 8F588B4F mov eax,4F8B588F---------------const_one
00408C6C |. F7E1 mul ecx----------------------------regone mul const_one=95D8 3F9361C0
00408C6E |. 8BC1 mov eax,ecx
00408C70 |. 53 push ebx
00408C71 |. 2BC2 sub eax,edx------------------------regone - 0x95D8=0x14C68
00408C73 |. 55 push ebp
00408C74 |. D1E8 shr eax,1--------------------------0x1FC68 shr 1=0xA634
00408C76 |. 03C2 add eax,edx------------------------0xA634+0x95D8=0x13C0C
00408C78 |. 56 push esi
00408C79 |. C1E8 10 shr eax,10-------------------------0x13C0C shr 0x10=1
00408C7C |. 33D2 xor edx,edx
00408C7E |. BE 0A000000 mov esi,0A------------------------------常数
00408C83 |. F7F6 div esi----------------------------1 div 0xA=> EAX=0 EDX=1
00408C85 |. B8 5917B7D1 mov eax,D1B71759--------------const_two
00408C8A |. 57 push edi
00408C8B |. BF 0A000000 mov edi,0A
00408C90 |. BB 0A000000 mov ebx,0A
00408C95 |. BD 0A000000 mov ebp,0A
00408C9A |. 8BF2 mov esi,edx=========保存余数,记为conone_regone
00408C9C |. F7E1 mul ecx----------------------------const_two mul regone=18B0F 27BB6840
00408C9E |. 8BC2 mov eax,edx
00408CA0 |. 33D2 xor edx,edx
00408CA2 |. C1E8 0D shr eax,0D-------------------------0x18B0F shr 0xD=0xC
00408CA5 |. F7F7 div edi----------------------------同样,它也div 0xA=1 余 2
00408CA7 |. B8 D34D6210 mov eax,10624DD3--------------const_three
00408CAC |. 895424 14 mov dword ptr ss:[esp+14],edx===保存余数,记为contwo_regone
00408CB0 |. F7E1 mul ecx----------------------------const_three mul regone=1EDD 2F1ABAC0
00408CB2 |. 8BC2 mov eax,edx------------------------同样,提取Hiword
00408CB4 |. 33D2 xor edx,edx
00408CB6 |. C1E8 06 shr eax,6--------------------------Hiword shr 6=7B
00408CB9 |. F7F7 div edi----------------------------同样 div 0xA=C 余 3
00408CBB |. B8 1F85EB51 mov eax,51EB851F--------------const_four
00408CC0 |. 895424 18 mov dword ptr ss:[esp+18],edx===保存余数,记为conthree_regone
00408CC4 |. F7E1 mul ecx----------------------------const_four mul regone=9A51 EB85A5C0
00408CC6 |. 8BC2 mov eax,edx
00408CC8 |. 33D2 xor edx,edx
00408CCA |. C1E8 05 shr eax,5--------------------------9A51 shr 5=4D2
00408CCD |. F7F7 div edi----------------------------div 0xA=7B 余 4
00408CCF |. B8 CDCCCCCC mov eax,CCCCCCCD--------------const_five
00408CD4 |. 8BFA mov edi,edx==========保存余数,记为confour_regone
00408CD6 |. F7E1 mul ecx---------------------------const_five mul regone=181CC CCCD2D40
00408CD8 |. 8BC2 mov eax,edx
00408CDA |. 33D2 xor edx,edx
00408CDC |. C1E8 03 shr eax,3-------------------------181CC shr 3=3039
00408CDF |. F7F3 div ebx---------------------------div 0xA=4D2 余 5
00408CE1 |. 8BC1 mov eax,ecx
00408CE3 |. B9 0A000000 mov ecx,0A
00408CE8 |. 8BDA mov ebx,edx>>>>>>>>>>>>>>>保存余数5,记为confive_regone
00408CEA |. 33D2 xor edx,edx
00408CEC |. F7F1 div ecx---------------------------regone div 0xA=3039 余 6
00408CEE |. 8B4C24 54 mov ecx,dword ptr ss:[esp+54]=======regtwo 的十六进制
00408CF2 |. B8 893BE655 mov eax,55E63B89-------const_six
00408CF7 |. 895424 24 mov dword ptr ss:[esp+24],edx====保存余数regone_num
00408CFB |. F7E1 mul ecx--------------regtwo mul const_six=FC1F07B DEE1A21B
00408CFD |. 8BC2 mov eax,edx
00408CFF |. 33D2 xor edx,edx
00408D01 |. C1E8 19 shr eax,19------------FC1F07B shr 19=7
00408D04 |. F7F5 div ebp--------------div 0xA=0 余 7
00408D06 |. B8 6BCA5F6B mov eax,6B5FCA6B-------const_seven
00408D0B |. 895424 28 mov dword ptr ss:[esp+28],edx====保存余数,记为:consix_regtwo
00408D0F |. F7E1 mul ecx---------------const_seven mul regtwo=13B26C9A CADC85C1
00408D11 |. 8BC2 mov eax,edx
00408D13 |. 33D2 xor edx,edx
00408D15 |. C1E8 16 shr eax,16-------------13B26C9A shr 16=4E
00408D18 |. F7F5 div ebp---------------div 0xA=7 余 8
00408D1A |. B8 83DE1B43 mov eax,431BDE83-------const_eight
00408D1F |. 895424 2C mov dword ptr ss:[esp+2C],edx===保存余数,记为:conseven_regtwo
00408D23 |. F7E1 mul ecx--------------const_eight mul regtwo=C4F83E0 C4A89609
00408D25 |. 8BC2 mov eax,edx
00408D27 |. 33D2 xor edx,edx
00408D29 |. C1E8 12 shr eax,12-------------------------C4F83E0 shr 12=313
00408D2C |. F7F5 div ebp----------------------------div 0xA=4E 余 7
00408D2E |. B8 8F588B4F mov eax,4F8B588F------const_one
00408D33 |. 895424 30 mov dword ptr ss:[esp+30],edx===保存余数,记为:coneight_regtwo
00408D37 |. F7E1 mul ecx--------------const_one mul regtwo=E977FE0 D74AEE2D
00408D39 |. 8BC1 mov eax,ecx
00408D3B |. 2BC2 sub eax,edx------------------------regtwo-E977FE0=205E93A3
00408D3D |. D1E8 shr eax,1--------------------------205E93A3 shr 1=102F49D1
00408D3F |. 03C2 add eax,edx------------------------102F49D1+E977FE0=1EC6C9B1
00408D41 |. C1E8 10 shr eax,10-------------------------shr 10=1EC6
00408D44 |. 33D2 xor edx,edx
00408D46 |. F7F5 div ebp----------------------------div 0xA=313 余 8
00408D48 |. B8 5917B7D1 mov eax,D1B71759------const_two
00408D4D |. 895424 34 mov dword ptr ss:[esp+34],edx===保存余数,记为:conone_regtwo
00408D51 |. F7E1 mul ecx--------------const_two mul regtwo=26787C1E 54F28D8B
00408D53 |. 8BC2 mov eax,edx
00408D55 |. 33D2 xor edx,edx
00408D57 |. C1E8 0D shr eax,0D-------------------------26787C1E shr 0xD=133C3
00408D5A |. F7F5 div ebp----------------------------div 0xA=1EC6 余 7
00408D5C |. B8 D34D6210 mov eax,10624DD3-----const_three
00408D61 |. 895424 38 mov dword ptr ss:[esp+38],edx===保存余数,记为:contwo_regtwo
00408D65 |. F7E1 mul ecx-------------const_three mul regtwo=30169B2 60D67BF9
00408D67 |. 8BC2 mov eax,edx
00408D69 |. 33D2 xor edx,edx
00408D6B |. C1E8 06 shr eax,6------------------------30169B2 shr 6=C05A6
00408D6E |. F7F5 div ebp--------------------------div 0xA=133C3 余 8
00408D70 |. B8 1F85EB51 mov eax,51EB851F-----const_four
00408D75 |. 895424 3C mov dword ptr ss:[esp+3C],edx===保存余数,记为:conthree_regtwo
00408D79 |. F7E1 mul ecx-------------const_four mul regtwo=F07107B E4306BDD
00408D7B |. 8BC2 mov eax,edx
00408D7D |. 33D2 xor edx,edx
00408D7F |. C1E8 05 shr eax,5------------------------F07107B shr 5=783883
00408D82 |. F7F5 div ebp--------------------------div 0xA=C05A6 余 7
00408D84 |. B8 CDCCCCCC mov eax,CCCCCCCD----const_five
00408D89 |. 895424 40 mov dword ptr ss:[esp+40],edx===保存余数,记为:confour_regtwo
00408D8D |. F7E1 mul ecx-------------------------const_five mul regtwo=2591A935 A2FE03E9
00408D8F |. 8BC2 mov eax,edx
00408D91 |. 33D2 xor edx,edx
00408D93 |. C1E8 03 shr eax,3----------------------2591A935 shr 3=4B23526
00408D96 |. F7F5 div ebp------------------------div 0xA=783883 余 8
00408D98 |. 8BC1 mov eax,ecx
00408D9A |. B9 0A000000 mov ecx,0A
00408D9F |. 8BEA mov ebp,edx===================保存余数,记为:confive_regtwo
00408DA1 |. 33D2 xor edx,edx
00408DA3 |. F7F1 div ecx---regtwo div 0xA=04B23526 余 7====被置于EDX中,记为regtwo_num
00408DA5 |. 8B4424 3C mov eax,dword ptr ss:[esp+3C]
00408DA9 |. 8D0C02 lea ecx,dword ptr ds:[edx+eax]
00408DAC |. 8B4424 34 mov eax,dword ptr ss:[esp+34]
00408DB0 |. 8B5424 30 mov edx,dword ptr ss:[esp+30]
00408DB4 |. 03C8 add ecx,eax
00408DB6 |. 8B4424 28 mov eax,dword ptr ss:[esp+28]
00408DBA |. 03CA add ecx,edx
00408DBC |. 8B5424 24 mov edx,dword ptr ss:[esp+24]
00408DC0 |. 03C8 add ecx,eax
00408DC2 |. 03CA add ecx,edx
00408DC4 |. 03CF add ecx,edi
00408DC6 |. 03CE add ecx,esi
///////////////////////////////////////////////////////////////////////////
[esp+3C]==============》conthree_regtwo=8
edx ==============》regtwo_num =7
[esp+34]==============》conone_regtwo =8
[esp+30]==============》coneight_regtwo=7
[esp+28]==============》consix_regtwo =7
[esp+24]==============》regone_num =6
edi ==============》confour_regone =4
esi ==============》conone_regone =1
累加:
这里是:8+7+8+7+7+6+4+1=0x30
///////////////////////////////////////////////////////////////////////////
00408DC8 |. BE 0A000000 mov esi,0A
00408DCD |. 8D41 04 lea eax,dword ptr ds:[ecx+4]====0x30+4=0x34
00408DD0 |. 99 cdq
00408DD1 |. F7FE idiv esi===============0x34对0xA取余得到2
00408DD3 |. 3BD3 cmp edx,ebx >>>>>>>>第一次比较,EBX中是confive_regone,即常数0xCCCCCCCD和注册码第一部分运算的结果
00408DD5 |. 74 0C je short menumake.00408DE3
00408DD7 |. 5F pop edi
00408DD8 |. 5E pop esi
00408DD9 |. 5D pop ebp
00408DDA |. 33C0 xor eax,eax
00408DDC |. 5B pop ebx
00408DDD |. 83C4 3C add esp,3C
00408DE0 |. C2 0800 retn 8
00408DE3 |> \03CA add ecx,edx==================如果上面跳转成功,这里加上余数,0x30+2=0x32
00408DE5 |. BE 0A000000 mov esi,0A
00408DEA |. 8D41 01 lea eax,dword ptr ds:[ecx+1]===再加1
00408DED |. 99 cdq
00408DEE |. F7FE idiv esi=======================依旧对0xA取余
00408DF0 |. 3B5424 18 cmp edx,dword ptr ss:[esp+18]==conthree_regone
00408DF4 |. 74 0C je short menumake.00408E02
00408DF6 |. 5F pop edi
00408DF7 |. 5E pop esi
00408DF8 |. 5D pop ebp
00408DF9 |. 33C0 xor eax,eax
00408DFB |. 5B pop ebx
00408DFC |. 83C4 3C add esp,3C
00408DFF |. C2 0800 retn 8
00408E02 |> 03CA add ecx,edx
00408E04 |. BE 0A000000 mov esi,0A
00408E09 |. 8D41 08 lea eax,dword ptr ds:[ecx+8]
00408E0C |. 99 cdq
00408E0D |. F7FE idiv esi
00408E0F |. 3B5424 2C cmp edx,dword ptr ss:[esp+2C]===conseven_regtwo:>>>>第二次比较
00408E13 |. 74 0C je short menumake.00408E21
00408E15 |. 5F pop edi
00408E16 |. 5E pop esi
00408E17 |. 5D pop ebp
00408E18 |. 33C0 xor eax,eax
00408E1A |. 5B pop ebx
00408E1B |. 83C4 3C add esp,3C
00408E1E |. C2 0800 retn 8
00408E21 |> 03CA add ecx,edx
00408E23 |. BE 0A000000 mov esi,0A
00408E28 |. 8D41 05 lea eax,dword ptr ds:[ecx+5]
00408E2B |. 99 cdq
00408E2C |. F7FE idiv esi
00408E2E |. 3B5424 40 cmp edx,dword ptr ss:[esp+40]====confour_regtwo:>>>>>第三次比较
00408E32 |. 74 0C je short menumake.00408E40
00408E34 |. 5F pop edi
00408E35 |. 5E pop esi
00408E36 |. 5D pop ebp
00408E37 |. 33C0 xor eax,eax
00408E39 |. 5B pop ebx
00408E3A |. 83C4 3C add esp,3C
00408E3D |. C2 0800 retn 8
00408E40 |> 03CA add ecx,edx
00408E42 |. BE 0A000000 mov esi,0A
00408E47 |. 8D41 09 lea eax,dword ptr ds:[ecx+9]
00408E4A |. 99 cdq
00408E4B |. F7FE idiv esi
00408E4D |. 3BD5 cmp edx,ebp==============confive_regtwo:>>>>第四次比较
00408E4F |. 74 0C je short menumake.00408E5D
00408E51 |. 5F pop edi
00408E52 |. 5E pop esi
00408E53 |. 5D pop ebp
00408E54 |. 33C0 xor eax,eax
00408E56 |. 5B pop ebx
00408E57 |. 83C4 3C add esp,3C
00408E5A |. C2 0800 retn 8
00408E5D |> 03CA add ecx,edx
00408E5F |. BE 0A000000 mov esi,0A
00408E64 |. 8D41 01 lea eax,dword ptr ds:[ecx+1]
00408E67 |. 99 cdq
00408E68 |. F7FE idiv esi
00408E6A |. 3B5424 38 cmp edx,dword ptr ss:[esp+38]======contwo_regtwo:>>>>第五次比较
00408E6E |. 74 0C je short menumake.00408E7C
00408E70 |. 5F pop edi
00408E71 |. 5E pop esi
00408E72 |. 5D pop ebp
00408E73 |. 33C0 xor eax,eax
00408E75 |. 5B pop ebx
00408E76 |. 83C4 3C add esp,3C
00408E79 |. C2 0800 retn 8
00408E7C |> 8D440A 02 lea eax,dword ptr ds:[edx+ecx+2]
00408E80 |. B9 0A000000 mov ecx,0A
00408E85 |. 99 cdq
00408E86 |. F7F9 idiv ecx
00408E88 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+14]======contwo_regone:>>>>第六次比较
00408E8C |. 33C0 xor eax,eax
00408E8E |. 5F pop edi
00408E8F |. 5E pop esi
00408E90 |. 5D pop ebp
00408E91 |. 5B pop ebx
00408E92 |. 3BD1 cmp edx,ecx
00408E94 |. 0F94C0 sete al==================全部比较通过,则置标志,置al为1
00408E97 |. 83C4 3C add esp,3C
00408E9A \. C2 0800 retn 8
=====================================================================================
全部的je都跳过来了,就开始写注册表
00408EA0 /$ 83EC 08 sub esp,8
00408EA3 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
00408EA7 |. 8D4C24 00 lea ecx,dword ptr ss:[esp]
00408EAB |. 56 push esi
00408EAC |. 50 push eax ; /pDisposition
00408EAD |. 51 push ecx ; |pHandle
00408EAE |. 6A 00 push 0 ; |pSecurity = NULL
00408EB0 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00408EB5 |. 6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
00408EB7 |. 68 506C4700 push menumake.00476C50 ; |Class = ""
00408EBC |. 6A 00 push 0 ; |Reserved = 0
00408EBE |. 68 68074700 push menumake.00470768 ; |Subkey = "SOFTWARE\Selteco\Menu Maker"
00408EC3 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00408EC8 |. FF15 10904500 call dword ptr ds:[<&ADVAPI32.RegCr>; \RegCreateKeyExA
======================================================================================
注册机源码:
略