前些时间有位网友发给我一个调试发电机的软件,要求帮他破解,破解非专业版,报酬1000块,心想这么高的报酬,就接了这生意,几经日夜的调试程序,终于破解了软件,这时那位网友却说他找到了注册码(最菜的方法从内存中搞到的,他好像也是经别人指点搞的),害我苦苦搞了那么久(也不过几分钟就搞定了)//钱又没搞到,真是哭笑不得,所以心里想天下没有免费午餐,所以以后再也不帮别人破解软件.汗,现在不知是为了气愤还是为什么要写这文章,(那位网友说:不要公开,不然以后破解不了就完了,12000元的注册费,谁不想也),所以在这发破文请软件作者们加密好你的软件(不要在用户机器上算出正确的注册码再和输入做明文比较,那样答案就直接留在内存里了),不然发行软件时一并也把注册机也给发了.

   废话了那么多,我们开工吧!软件INPOWER 5.0 2006版,每年更新一次,4.0没破过,听说要狗才能安装,5.0取消了,不用狗也可安装使用,不过是非专业版,要经过注册后才能使用,专业版要用狗,非专业版与专业版注册费用一样,12000一台机一只狗.

   工具:PEID  OD   Resource Hacker

   PEID查壳主程序为:Microsoft Visual C++ 7.0 Method2无壳//省事

   使用软件,启动程序出现注册窗口,这里破非专业版输入注册码有错误提示//
  
   OD载入主程序,S ASCII字符串没结果/

程序入口
0045F3FA > $  6A 74         push    74-------->OE
0045F3FC   .  68 80B74700   push    0047B780
0045F401   .  E8 32020000   call    0045F638
0045F406   .  33DB          xor     ebx, ebx
0045F408   .  895D E0       mov     [ebp-20], ebx
-------------------------------------------------------------------------------------------------------
没法,那么软件一启动有界面的,我的习惯是用OD动态跟/(了解程序的运行,就是破解软件的最好方法.)一直跟到:
0041C5A0  /> \55            push    ebp
0041C5A1  |.  8BEC          mov     ebp, esp
0041C5A3  |.  6A FF         push    -1
0041C5A5  |.  68 51754600   push    00467551                         ;  SE 处理程序安装
0041C5AA  |.  64:A1 0000000>mov     eax, fs:[0]
0041C5B0  |.  50            push    eax
0041C5B1  |.  64:8925 00000>mov     fs:[0], esp
省略部分
0041C8F2  |.  68 A4344700   push    004734A4                              ; /FileName = "BvLock.dll"
0041C8F7  |.  FF15 68284900 call    [<&KERNEL32.LoadLibraryA>]            ; \LoadLibraryA
0041C8FD  |.  A3 FC044900   mov     [4904FC], eax
0041C902  |.  833D FC044900>cmp     dword ptr [4904FC], 0
0041C909  |.  75 15         jnz     short 0041C920                        ;  检测有没有BvLock.dll,没有就出错,很重要的一个DLL
0041C90B  |.  6A 00         push    0
0041C90D  |.  6A 10         push    10
0041C90F  |.  68 B0344700   push    004734B0                              ;  ASCII "Error in loading BvLock.dll."
0041C914  |.  E8 49130400   call    <jmp.&MFC71.#1123_AfxMessageBox>
省略部分
0041CAF3  |.  8D45 F0       lea     eax, [ebp-10]
0041CAF6  |.  50            push    eax                                     ; /pHandle
0041CAF7  |.  68 19000200   push    20019                                   ; |Access = KEY_READ
0041CAFC  |.  6A 00         push    0                                       ; |Reserved = 0
0041CAFE  |.  68 EC344700   push    004734EC                                ; |Subkey = "Software\Cummins\BServer\Config"
0041CB03  |.  68 02000080   push    80000002                                ; |hKey = HKEY_LOCAL_MACHINE
0041CB08  |.  FF15 A8264900 call    [<&ADVAPI32.RegOpenKeyExA>]             ; \RegOpenKeyExA
0041CB0E  |.  8D8D D8FEFFFF lea     ecx, [ebp-128]
0041CB14  |.  E8 5E5AFEFF   call    CBravoMode::operator int
0041CB19  |.  83F8 03       cmp     eax, 3
0041CB1C  |.  0F85 CC000000 jnz     0041CBEE                                ;  检测有没有安装工具,没就出错
0041CB22  |.  8D8D ACFEFFFF lea     ecx, [ebp-154]
0041CB28  |.  51            push    ecx                                     ; /pBufSize
0041CB29  |.  8D95 E4FEFFFF lea     edx, [ebp-11C]                          ; |
0041CB2F  |.  52            push    edx                                     ; |Buffer
0041CB30  |.  6A 00         push    0                                       ; |pValueType = NULL
0041CB32  |.  6A 00         push    0                                       ; |Reserved = NULL
0041CB34  |.  68 0C354700   push    0047350C                                ; |ValueName = "InPower Version"
0041CB39  |.  8B45 F0       mov     eax, [ebp-10]                           ; |
0041CB3C  |.  50            push    eax                                     ; |hKey
0041CB3D  |.  FF15 A4264900 call    [<&ADVAPI32.RegQueryValueExA>]          ; \RegQueryValueExA
0041CB43  |.  8985 B0FEFFFF mov     [ebp-150], eax
0041CB49  |.  83BD B0FEFFFF>cmp     dword ptr [ebp-150], 0
0041CB50  |.  74 35         je      short 0041CB87                          ;  检测安装版正确吗?
0041CB52  |.  6A FF         push    -1
0041CB54  |.  6A 10         push    10
0041CB56  |.  68 FD000000   push    0FD
0041CB5B  |.  E8 E4100400   call    <jmp.&MFC71.#1122_AfxMessageBox>
0041CB60  |.  C785 0CFEFFFF>mov     dword ptr [ebp-1F4], 0
0041CB6A  |.  C745 FC FFFFF>mov     dword ptr [ebp-4], -1
0041CB71  |.  8D8D B4FEFFFF lea     ecx, [ebp-14C]
0041CB77  |.  E8 754EFEFF   call    004019F1
0041CB7C  |.  8B85 0CFEFFFF mov     eax, [ebp-1F4]
0041CB82  |.  E9 AA0D0000   jmp     0041D931
0041CB87  |>  8D8D D8FEFFFF lea     ecx, [ebp-128]
0041CB8D  |.  51            push    ecx
0041CB8E  |.  E8 091D0300   call    <jmp.&BvLock.IsRegistered>              ;  这里检测有狗吗?//重点CALL也是(加密狗算法所在CALL)跟进
0041CB93  |.  83C4 04       add     esp, 4
0041CB96  |.  3D C05D0000   cmp     eax, 5DC0
0041CB9B  |.  74 4C         je      short 0041CBE9                          ;  这用户不是加密狗用户(非专业版)不跳
0041CB9D  |.  8D8D D8FEFFFF lea     ecx, [ebp-128]
0041CBA3  |.  E8 5858FEFF   call    CBravoMode::GetMode                     ;  判断用户是专业版还是非专业版(跟进)
0041CBA8  |.  8985 78FEFFFF mov     [ebp-188], eax
0041CBAE  |.  8D95 78FEFFFF lea     edx, [ebp-188]
0041CBB4  |.  52            push    edx
0041CBB5  |.  E8 DC1C0300   call    <jmp.&BvLock.BvRegProduct_4>            ;  重点CALL,非专业版算法所在
0041CBBA  |.  83C4 04       add     esp, 4
0041CBBD  |.  83F8 01       cmp     eax, 1
0041CBC0  |.  74 27         je      short 0041CBE9                          ;  注册成功,就跳
0041CBC2  |.  C785 08FEFFFF>mov     dword ptr [ebp-1F8], 0
0041CBCC  |.  C745 FC FFFFF>mov     dword ptr [ebp-4], -1
0041CBD3  |.  8D8D B4FEFFFF lea     ecx, [ebp-14C]
0041CBD9  |.  E8 134EFEFF   call    004019F1
0041CBDE  |.  8B85 08FEFFFF mov     eax, [ebp-1F8]
0041CBE4  |.  E9 480D0000   jmp     0041D931
0041CBE9  |>  E9 52010000   jmp     0041CD40                                ;  跳去加载软件运行了
0041CBEE  |>  8D8D D8FEFFFF lea     ecx, [ebp-128]
0041CBF4  |.  E8 7E59FEFF   call    CBravoMode::operator int
0041CBF9  |.  83F8 02       cmp     eax, 2
0041CBFC  |.  0F85 C9000000 jnz     0041CCCB
0041CC02  |.  8D85 ACFEFFFF lea     eax, [ebp-154]
0041CC08  |.  50            push    eax                                     ; /pBufSize
0041CC09  |.  8D8D E4FEFFFF lea     ecx, [ebp-11C]                          ; |
0041CC0F  |.  51            push    ecx                                     ; |Buffer
0041CC10  |.  6A 00         push    0                                       ; |pValueType = NULL
0041CC12  |.  6A 00         push    0                                       ; |Reserved = NULL
0041CC14  |.  68 1C354700   push    0047351C                                ; |ValueName = "EngTool Version"
0041CC19  |.  8B55 F0       mov     edx, [ebp-10]                           ; |
0041CC1C  |.  52            push    edx                                     ; |hKey
0041CC1D  |.  FF15 A4264900 call    [<&ADVAPI32.RegQueryValueExA>]          ; \RegQueryValueExA
0041CC23  |.  8985 B0FEFFFF mov     [ebp-150], eax
0041CC29  |.  83BD B0FEFFFF>cmp     dword ptr [ebp-150], 0
0041CC30  |.  74 35         je      short 0041CC67
-------------------------------------------------------------------------------------------
看上面,注册算法是同一个DLL//两处调用分别跟入
-------------------------------------------------------------------------------------------
1.跟入第一处调用
00A89180    55              push    ebp
00A89181    8BEC            mov     ebp, esp
00A89183    6A FF           push    -1
00A89185    68 1CC1AA00     push    00AAC11C
00A8918A    64:A1 00000000  mov     eax, fs:[0]
省略部分
00A8927C    8D55 BC         lea     edx, [ebp-44]
00A8927F    52              push    edx
00A89280    8B45 08         mov     eax, [ebp+8]
00A89283    50              push    eax
00A89284    E8 D47FFFFF     call    00A8125D                            ; 第一次比较注册码,进
00A89289    83C4 08         add     esp, 8
00A8928C    8945 A8         mov     [ebp-58], eax
00A8928F    8B4D A8         mov     ecx, [ebp-58]
----------------------------------
call    00A8125D来到///
----------------------------------
00A89020    55              push    ebp
00A89021    8BEC            mov     ebp, esp
00A89023    6A FF           push    -1
00A89025    68 01C1AA00     push    00AAC101
00A8902A    64:A1 00000000  mov     eax, fs:[0]
00A89030    50              push    eax
00A89031    64:8925 0000000>mov     fs:[0], esp
00A89038    83EC 30         sub     esp, 30
00A8903B    A1 0028AC00     mov     eax, [AC2800]
00A89040    8945 F0         mov     [ebp-10], eax
00A89043    C745 CC C15D000>mov     dword ptr [ebp-34], 5DC1
00A8904A    8D4D E0         lea     ecx, [ebp-20]
00A8904D    E8 A880FFFF     call    00A810FA
00A89052    8B45 08         mov     eax, [ebp+8]
00A89055    50              push    eax
00A89056    8D4D E8         lea     ecx, [ebp-18]
00A89059    51              push    ecx
00A8905A    E8 3E83FFFF     call    GetToolRegistrationNumber
00A8905F    83C4 08         add     esp, 8
00A89062    6A 04           push    4
00A89064    68 00002800     push    280000
00A89069    68 01680000     push    6801
00A8906E    6A 01           push    1
00A89070    68 102CAB00     push    00AB2C10                          ; ASCII "Microsoft Base Cryptographic Provider v1.0"
00A89075    68 3C2CAB00     push    00AB2C3C                          ; ASCII "{47824E98-5DD5-4101-B8F1-FF65C73D3977}"
00A8907A    8D4D D0         lea     ecx, [ebp-30]
00A8907D    E8 1787FFFF     call    CRatsel::CRatsel
00A89082    C745 FC 0000000>mov     dword ptr [ebp-4], 0
00A89089    6A 08           push    8
00A8908B    8D55 E0         lea     edx, [ebp-20]
00A8908E    52              push    edx
00A8908F    6A 08           push    8
00A89091    8D45 E8         lea     eax, [ebp-18]
00A89094    50              push    eax
00A89095    8D4D D0         lea     ecx, [ebp-30]
00A89098    E8 6587FFFF     call    CRatsel::EncryptBuffer
00A8909D    8D4D C8         lea     ecx, [ebp-38]
00A890A0    FF15 8463AC00   call    [<&MFC71.#310_ATL::CStringT<char,>; MFC71.7C173199
00A890A6    C645 FC 01      mov     byte ptr [ebp-4], 1
00A890AA    0FB74D E6       movzx   ecx, word ptr [ebp-1A]
00A890AE    51              push    ecx
00A890AF    0FB755 E4       movzx   edx, word ptr [ebp-1C]
00A890B3    52              push    edx
00A890B4    0FB745 E2       movzx   eax, word ptr [ebp-1E]
00A890B8    50              push    eax
00A890B9    0FB74D E0       movzx   ecx, word ptr [ebp-20]
00A890BD    51              push    ecx
00A890BE    68 642CAB00     push    00AB2C64                          ; ASCII "%X%X%X%X"
00A890C3    8D55 C8         lea     edx, [ebp-38]
00A890C6    52              push    edx
00A890C7    FF15 9C63AC00   call    [<&MFC71.#2322_ATL::CStringT<char>; MFC71.7C146A9D---->计算注册的CALL//算法在此找,第一次可能是狗的密码
寄存器看到:
ECX 01055548 ASCII "BBFD1BA4F17BE0DD"
EDX 01055548 ASCII "BBFD1BA4F17BE0DD"

00A890CD    83C4 18         add     esp, 18
00A890D0    8B4D 0C         mov     ecx, [ebp+C]
00A890D3    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStringT<char>; 读取密码
00A890D9    50              push    eax
00A890DA    8D4D C8         lea     ecx, [ebp-38]
00A890DD    FF15 3863AC00   call    [<&MFC71.#1482_ATL::CStringT<char,StrT>; 比较
00A890E3    85C0            test    eax, eax
00A890E5    75 07           jnz     short 00A890EE                         ; 不正确//跳的//
00A890E7    C745 CC C05D000>mov     dword ptr [ebp-34], 5DC0
00A890EE    8B45 CC         mov     eax, [ebp-34]
00A890F1    8945 C4         mov     [ebp-3C], eax
00A890F4    C645 FC 00      mov     byte ptr [ebp-4], 0
00A890F8    8D4D C8         lea     ecx, [ebp-38]
00A890FB    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<char,>; MFC71.7C1771B1
00A89101    C745 FC FFFFFFF>mov     dword ptr [ebp-4], -1
00A89108    8D4D D0         lea     ecx, [ebp-30]
00A8910B    E8 B884FFFF     call    CRatsel::~CRatsel
00A89110    8B45 C4         mov     eax, [ebp-3C]
00A89113    8B4D F4         mov     ecx, [ebp-C]
00A89116    64:890D 0000000>mov     fs:[0], ecx
00A8911D    8B4D F0         mov     ecx, [ebp-10]
00A89120    E8 99FB0100     call    00AA8CBE
00A89125    8BE5            mov     esp, ebp
00A89127    5D              pop     ebp
00A89128    C3              retn
----------------------------------------------------
retn第一次调用出来//进入第二处调用DLL
--------------------------------------------------------
00A89DE0    55              push    ebp
00A89DE1    8BEC            mov     ebp, esp
00A89DE3    6A FF           push    -1
00A89DE5    68 F8C1AA00     push    00AAC1F8
00A89DEA    64:A1 00000000  mov     eax, fs:[0]
-------------------------------------------------------
00A89E82    52              push    edx
00A89E83    8D8D 00FFFFFF   lea     ecx, [ebp-100]
00A89E89    E8 5278FFFF     call    00A816E0                            ; 第一次比较注册码,进
00A89E8E    81BD F8FEFFFF C>cmp     dword ptr [ebp-108], 5DC0
00A89E98    75 25           jnz     short 00A89EBF
00A89E9A    8D8D FCFEFFFF   lea     ecx, [ebp-104]
00A89EA0    E8 9771FFFF     call    CBravoMode::GetMode
00A89EA5    8985 E8FEFFFF   mov     [ebp-118], eax
-----------------------------------------------------------
第二次装入有所不同吧>
---------------------------------------------
00AA52A0    55              push    ebp----->进到这里
00AA52A1    8BEC            mov     ebp, esp
00AA52A3    51              push    ecx
00AA52A4    894D FC         mov     [ebp-4], ecx
00AA52A7    8B45 08         mov     eax, [ebp+8]
00AA52AA    C700 C15D0000   mov     dword ptr [eax], 5DC1
00AA52B0    8B4D FC         mov     ecx, [ebp-4]
00AA52B3    8B55 08         mov     edx, [ebp+8]
00AA52B6    8991 84000000   mov     [ecx+84], edx
00AA52BC    8B4D FC         mov     ecx, [ebp-4]
00AA52BF    E8 92290000     call    <jmp.&MFC71.#2020_CDialog::DoModal>----->调用MFC下面
00AA52C4    8BE5            mov     esp, ebp
00AA52C6    5D              pop     ebp
00AA52C7    C2 0400         retn    4
00AA52CA    CC              int3
00AA52CB    CC              int3
00AA52CC    CC              int3
00AA52CD    CC              int3
00AA52CE    CC              int3
00AA52CF    CC              int3
00AA52D0    55              push    ebp------------>MFC返回处注册DLL入口
00AA52D1    8BEC            mov     ebp, esp
00AA52D3    6A FF           push    -1
00AA52D5    68 E0E0AA00     push    00AAE0E0
00AA52DA    64:A1 00000000  mov     eax, fs:[0]
00AA52E0    50              push    eax
00AA52E1    64:8925 0000000>mov     fs:[0], esp
00AA52E8    83EC 18         sub     esp, 18
00AA52EB    894D E0         mov     [ebp-20], ecx
00AA52EE    8B4D E0         mov     ecx, [ebp-20]
00AA52F1    E8 7C2B0000     call    <jmp.&MFC71.#4580_CDialog::OnInitDialog>
00AA52F6    8D4D F0         lea     ecx, [ebp-10]
00AA52F9    FF15 8463AC00   call    [<&MFC71.#310_ATL::CStringT<char,StrTraitMFC_DL>; MFC71.7C173199
00AA52FF    C745 FC 0000000>mov     dword ptr [ebp-4], 0
00AA5306    8D4D EC         lea     ecx, [ebp-14]
00AA5309    FF15 8463AC00   call    [<&MFC71.#310_ATL::CStringT<char,StrTraitMFC_DL>; MFC71.7C173199
00AA530F    C645 FC 01      mov     byte ptr [ebp-4], 1
00AA5313    6A 2F           push    2F
00AA5315    8D4D EC         lea     ecx, [ebp-14]
00AA5318    FF15 3463AC00   call    [<&MFC71.#4035_ATL::CStringT<char,StrTraitMFC_D>; MFC71.7C153789
00AA531E    8D4D EC         lea     ecx, [ebp-14]
00AA5321    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStringT<char,1>::oper>; MFC71.7C158BCD
00AA5327    50              push    eax
00AA5328    8B4D E0         mov     ecx, [ebp-20]
00AA532B    E8 362B0000     call    <jmp.&MFC71.#6067_CWnd::SetWindowTextA>
00AA5330    8B45 E0         mov     eax, [ebp-20]
00AA5333    8B88 80000000   mov     ecx, [eax+80]
00AA5339    E8 ADC7FDFF     call    CBravoMode::GetMainMode
00AA533E    83F8 03         cmp     eax, 3
00AA5341    75 6E           jnz     short 00AA53B1                                  ; 工具箱安装正确吗?
00AA5343    8B4D E0         mov     ecx, [ebp-20]
00AA5346    81C1 88000000   add     ecx, 88
00AA534C    E8 21C3FDFF     call    00A81672
00AA5351    8B4D E0         mov     ecx, [ebp-20]
00AA5354    8B89 80000000   mov     ecx, [ecx+80]
00AA535A    E8 F6BCFDFF     call    CBravoMode::GetSubMode                          ; 判断用户//有狗没狗//
00AA535F    8945 DC         mov     [ebp-24], eax
00AA5362    837D DC 00      cmp     dword ptr [ebp-24], 0
00AA5366    74 23           je      short 00AA538B                                  ; 跳//读取版本
00AA5368    837D DC 02      cmp     dword ptr [ebp-24], 2
00AA536C    74 08           je      short 00AA5376
00AA536E    837D DC 03      cmp     dword ptr [ebp-24], 3
00AA5372    74 17           je      short 00AA538B
00AA5374    EB 3B           jmp     short 00AA53B1
00AA5376    68 385CAB00     push    00AB5C38                                        ; ASCII "Inpower ONAN"
00AA537B    8B4D E0         mov     ecx, [ebp-20]
00AA537E    81C1 88000000   add     ecx, 88
00AA5384    E8 81BCFDFF     call    00A8100A
00AA5389    EB 26           jmp     short 00AA53B1
00AA538B    68 485CAB00     push    00AB5C48                                        ; ASCII "Inpower Pro"
00AA5390    8B4D E0         mov     ecx, [ebp-20]
00AA5393    81C1 88000000   add     ecx, 88
00AA5399    E8 6CBCFDFF     call    00A8100A
00AA539E    68 545CAB00     push    00AB5C54                                        ; ASCII "Inpower Non-Pro"
00AA53A3    8B4D E0         mov     ecx, [ebp-20]
00AA53A6    81C1 88000000   add     ecx, 88
00AA53AC    E8 59BCFDFF     call    00A8100A
00AA53B1    8B55 E0         mov     edx, [ebp-20]
00AA53B4    8B8A 80000000   mov     ecx, [edx+80]
00AA53BA    E8 2CC7FDFF     call    CBravoMode::GetMainMode                         ; 什么版本,有相应的工具箱吗?
00AA53BF    83F8 02         cmp     eax, 2
00AA53C2    75 21           jnz     short 00AA53E5                                  ; 有没有狗//没就跳,定为非专业版
00AA53C4    8B4D E0         mov     ecx, [ebp-20]
00AA53C7    81C1 88000000   add     ecx, 88
00AA53CD    E8 A0C2FDFF     call    00A81672
00AA53D2    68 645CAB00     push    00AB5C64                                        ; ASCII "Engineering Tool"
00AA53D7    8B4D E0         mov     ecx, [ebp-20]
00AA53DA    81C1 88000000   add     ecx, 88
00AA53E0    E8 25BCFDFF     call    00A8100A
00AA53E5    8D4D E8         lea     ecx, [ebp-18]
00AA53E8    FF15 8463AC00   call    [<&MFC71.#310_ATL::CStringT<char,StrTraitMFC_DL>; MFC71.7C173199
00AA53EE    C645 FC 02      mov     byte ptr [ebp-4], 2
00AA53F2    8D45 E8         lea     eax, [ebp-18]
00AA53F5    50              push    eax
00AA53F6    6A 00           push    0
00AA53F8    8B4D E0         mov     ecx, [ebp-20]
00AA53FB    81C1 88000000   add     ecx, 88
00AA5401    E8 4C2C0000     call    <jmp.&MFC71.#2899_CComboBox::GetLBText>         ; 取得版本
00AA5406    8D4D E8         lea     ecx, [ebp-18]
00AA5409    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStringT<char,1>::oper>; MFC71.7C158BCD
00AA540F    50              push    eax
00AA5410    6A FF           push    -1
00AA5412    8B4D E0         mov     ecx, [ebp-20]
00AA5415    81C1 88000000   add     ecx, 88
00AA541B    E8 DCBFFDFF     call    00A813FC
00AA5420    8B4D E0         mov     ecx, [ebp-20]
00AA5423    E8 57C4FDFF     call    00A8187F                                        ; 非专业版注册判断//进
00AA5428    6A 00           push    0
00AA542A    8B4D E0         mov     ecx, [ebp-20]
00AA542D    E8 2E2A0000     call    <jmp.&MFC71.#6236_CWnd::UpdateData>
00AA5432    68 DD070000     push    7DD
00AA5437    8B4D E0         mov     ecx, [ebp-20]
00AA543A    E8 0BBDFDFF     call    00A8114A
00AA543F    50              push    eax
00AA5440    E8 CEC1FDFF     call    00A81613
00AA5445    83C4 08         add     esp, 8
00AA5448    C745 E4 0100000>mov     dword ptr [ebp-1C], 1
00AA544F    C645 FC 01      mov     byte ptr [ebp-4], 1
00AA5453    8D4D E8         lea     ecx, [ebp-18]
00AA5456    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<char,StrTraitMFC_DL>; MFC71.7C1771B1
00AA545C    C645 FC 00      mov     byte ptr [ebp-4], 0
00AA5460    8D4D EC         lea     ecx, [ebp-14]
00AA5463    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<char,StrTraitMFC_DL>; MFC71.7C1771B1
00AA5469    C745 FC FFFFFFF>mov     dword ptr [ebp-4], -1
00AA5470    8D4D F0         lea     ecx, [ebp-10]
00AA5473    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<char,StrTraitMFC_DL>; MFC71.7C1771B1
00AA5479    8B45 E4         mov     eax, [ebp-1C]
00AA547C    8B4D F4         mov     ecx, [ebp-C]
00AA547F    64:890D 0000000>mov     fs:[0], ecx
00AA5486    8BE5            mov     esp, ebp
00AA5488    5D              pop     ebp
00AA5489    C3              retn
-----------------------------------------------------------------
call    00A8187F 进到///MFC71//就像吃肯德基
-----------------------------------------------------
00AA55F0    55              push    ebp
00AA55F1    8BEC            mov     ebp, esp
00AA55F3    51              push    ecx
00AA55F4    894D FC         mov     [ebp-4], ecx
00AA55F7    8B45 FC         mov     eax, [ebp-4]
00AA55FA    8B48 20         mov     ecx, [eax+20]
00AA55FD    51              push    ecx
00AA55FE    68 C617A800     push    00A817C6
00AA5603    FF15 4867AC00   call    [<&USER32.EnumWindows>]         ; USER32.EnumWindows
00AA5609    8B55 08         mov     edx, [ebp+8]
00AA560C    52              push    edx
00AA560D    8B4D FC         mov     ecx, [ebp-4]
00AA5610    E8 40BFFDFF     call    00A81555
00AA5615    8BE5            mov     esp, ebp
00AA5617    5D              pop     ebp
00AA5618    C2 0400         retn    4
00AA561B    CC              int3
00AA561C    CC              int3
00AA561D    CC              int3
00AA561E    CC              int3
00AA561F    CC              int3
00AA5620    55              push    ebp
00AA5621    8BEC            mov     ebp, esp
00AA5623    6A FF           push    -1
00AA5625    68 F3E0AA00     push    00AAE0F3
00AA562A    64:A1 00000000  mov     eax, fs:[0]
00AA5630    50              push    eax
00AA5631    64:8925 0000000>mov     fs:[0], esp
00AA5638    83EC 0C         sub     esp, 0C
00AA563B    894D E8         mov     [ebp-18], ecx
00AA563E    8D4D F0         lea     ecx, [ebp-10]
00AA5641    FF15 8463AC00   call    [<&MFC71.#310_ATL::CStringT<cha>; MFC71.7C173199
00AA5647    C745 FC 0000000>mov     dword ptr [ebp-4], 0
00AA564E    8D45 F0         lea     eax, [ebp-10]
00AA5651    50              push    eax
00AA5652    8B4D 08         mov     ecx, [ebp+8]
00AA5655    51              push    ecx
00AA5656    E8 9BC3FDFF     call    00A819F6
00AA565B    83C4 08         add     esp, 8
00AA565E    83E8 03         sub     eax, 3
00AA5661    F7D8            neg     eax
00AA5663    1BC0            sbb     eax, eax
00AA5665    40              inc     eax
00AA5666    8845 EF         mov     [ebp-11], al
00AA5669    C745 FC FFFFFFF>mov     dword ptr [ebp-4], -1
00AA5670    8D4D F0         lea     ecx, [ebp-10]
00AA5673    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<cha>; MFC71.7C1771B1
00AA5679    8A45 EF         mov     al, [ebp-11]
00AA567C    8B4D F4         mov     ecx, [ebp-C]
00AA567F    64:890D 0000000>mov     fs:[0], ecx
00AA5686    8BE5            mov     esp, ebp
00AA5688    5D              pop     ebp
00AA5689    C2 0400         retn    4
00AA568C    CC              int3
00AA568D    CC              int3
00AA568E    CC              int3
00AA568F    CC              int3
00AA5690    55              push    ebp
00AA5691    8BEC            mov     ebp, esp
00AA5693    6A FF           push    -1
00AA5695    68 18E1AA00     push    00AAE118
00AA569A    64:A1 00000000  mov     eax, fs:[0]
00AA56A0    50              push    eax
00AA56A1    64:8925 0000000>mov     fs:[0], esp
00AA56A8    83EC 50         sub     esp, 50
00AA56AB    A1 0028AC00     mov     eax, [AC2800]
00AA56B0    8945 E4         mov     [ebp-1C], eax
00AA56B3    894D A4         mov     [ebp-5C], ecx
00AA56B6    8D4D F0         lea     ecx, [ebp-10]
00AA56B9    FF15 8463AC00   call    [<&MFC71.#310_ATL::CStringT<cha>; MFC71.7C173199
00AA56BF    C745 FC 0000000>mov     dword ptr [ebp-4], 0
00AA56C6    8B4D A4         mov     ecx, [ebp-5C]
00AA56C9    81C1 88000000   add     ecx, 88
00AA56CF    E8 97C1FDFF     call    00A8186B
00AA56D4    8945 E8         mov     [ebp-18], eax
00AA56D7    8D45 F0         lea     eax, [ebp-10]
00AA56DA    50              push    eax
00AA56DB    8B4D E8         mov     ecx, [ebp-18]
00AA56DE    51              push    ecx
00AA56DF    8B4D A4         mov     ecx, [ebp-5C]
00AA56E2    81C1 88000000   add     ecx, 88
00AA56E8    E8 65290000     call    <jmp.&MFC71.#2899_CComboBox::Ge>; 取得版本//这里没狗(非专业版)
00AA56ED    68 F05CAB00     push    00AB5CF0
00AA56F2    8B4D A4         mov     ecx, [ebp-5C]
00AA56F5    83C1 78         add     ecx, 78
00AA56F8    FF15 9863AC00   call    [<&MFC71.#784_ATL::CStringT<cha>; MFC71.7C14FF74
00AA56FE    6A 00           push    0
00AA5700    8B4D A4         mov     ecx, [ebp-5C]
00AA5703    E8 58270000     call    <jmp.&MFC71.#6236_CWnd::UpdateD>
00AA5708    68 03000300     push    30003
00AA570D    8D4D EC         lea     ecx, [ebp-14]
00AA5710    E8 3ABFFDFF     call    CBravoMode::CBravoMode
00AA5715    68 F45CAB00     push    00AB5CF4                        ; ASCII "Engineering Tool"
00AA571A    8D4D F0         lea     ecx, [ebp-10]
00AA571D    FF15 3863AC00   call    [<&MFC71.#1482_ATL::CStringT<ch>; MFC71.7C144DAE
00AA5723    85C0            test    eax, eax
00AA5725    0F85 59010000   jnz     00AA5884                        ; 检测狗(也就是工具箱)//有有没有输入狗密码//吗?没就跳罗//
00AA572B    6A 02           push    2                               ; 有没有啊?//有//过//我不生成机器码给你//妈的注册狂啊
00AA572D    8D4D B4         lea     ecx, [ebp-4C]
00AA5730    E8 1ABFFDFF     call    CBravoMode::CBravoMode
00AA5735    8B55 B4         mov     edx, [ebp-4C]
00AA5738    8955 EC         mov     [ebp-14], edx
00AA573B    8D45 EC         lea     eax, [ebp-14]
00AA573E    50              push    eax
00AA573F    8B4D A4         mov     ecx, [ebp-5C]
00AA5742    E8 48BBFDFF     call    00A8128F
00AA5747    0FB6C8          movzx   ecx, al
00AA574A    83F9 01         cmp     ecx, 1
00AA574D    0F85 19010000   jnz     00AA586C
00AA5753    8D55 EC         lea     edx, [ebp-14]
00AA5756    52              push    edx
00AA5757    E8 62B9FDFF     call    IsRegistered
00AA575C    83C4 04         add     esp, 4
00AA575F    3D C05D0000     cmp     eax, 5DC0
00AA5764    75 0D           jnz     short 00AA5773                  ; 注册后//注册按钮变OK
00AA5766    8B4D A4         mov     ecx, [ebp-5C]
00AA5769    E8 77BAFDFF     call    00A811E5
00AA576E    E9 F7000000     jmp     00AA586A
00AA5773    68 085DAB00     push    00AB5D08                        ; ASCII "OK"
00AA5778    6A 01           push    1
00AA577A    8B4D A4         mov     ecx, [ebp-5C]
00AA577D    E8 DC280000     call    <jmp.&MFC71.#2657_CWnd::GetDlgI>
00AA5782    8BC8            mov     ecx, eax
00AA5784    E8 DD260000     call    <jmp.&MFC71.#6067_CWnd::SetWind>
00AA5789    8B45 A4         mov     eax, [ebp-5C]
00AA578C    8B88 84000000   mov     ecx, [eax+84]
00AA5792    C701 C15D0000   mov     dword ptr [ecx], 5DC1
00AA5798    8D55 EC         lea     edx, [ebp-14]
00AA579B    52              push    edx
00AA579C    8D45 DC         lea     eax, [ebp-24]
00AA579F    50              push    eax
00AA57A0    E8 F8BBFDFF     call    GetToolRegistrationNumber
00AA57A5    83C4 08         add     esp, 8
00AA57A8    0FB74D E2       movzx   ecx, word ptr [ebp-1E]
00AA57AC    51              push    ecx
00AA57AD    0FB755 E0       movzx   edx, word ptr [ebp-20]
00AA57B1    52              push    edx
00AA57B2    0FB745 DE       movzx   eax, word ptr [ebp-22]
00AA57B6    50              push    eax
00AA57B7    0FB74D DC       movzx   ecx, word ptr [ebp-24]
00AA57BB    51              push    ecx
00AA57BC    68 0C5DAB00     push    00AB5D0C                        ; ASCII "%04X-%04X-%04X-%04X"
00AA57C1    8B55 A4         mov     edx, [ebp-5C]                   ; 生成狗用机器码
00AA57C4    83C2 78         add     edx, 78
00AA57C7    52              push    edx
00AA57C8    FF15 9C63AC00   call    [<&MFC71.#2322_ATL::CStringT<ch>; MFC71.7C146A9D
00AA57CE    83C4 18         add     esp, 18
00AA57D1    68 205DAB00     push    00AB5D20                        ; ASCII "Engineering Tool"
00AA57D6    8D4D D8         lea     ecx, [ebp-28]
00AA57D9    FF15 A063AC00   call    [<&MFC71.#304_ATL::CStringT<cha>; MFC71.7C16A59C
00AA57DF    C645 FC 01      mov     byte ptr [ebp-4], 1
00AA57E3    6A 24           push    24
00AA57E5    8D4D D8         lea     ecx, [ebp-28]
00AA57E8    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStrin>; MFC71.7C158BCD
00AA57EE    50              push    eax
00AA57EF    68 385DAB00     push    00AB5D38                        ; ASCII "Dongle is already registered.Do you want to register this tool?"
00AA57F4    8B4D A4         mov     ecx, [ebp-5C]
00AA57F7    E8 D0260000     call    <jmp.&MFC71.#4104_CWnd::Message>; 对不起///你的狗狗呢???
00AA57FC    83F8 06         cmp     eax, 6
00AA57FF    75 49           jnz     short 00AA584A                  ; 对不起//我不跳//又没狗狗咬我
00AA5801    8B45 A4         mov     eax, [ebp-5C]                   ; 下面还一处检测
00AA5804    83C0 74         add     eax, 74
00AA5807    50              push    eax
00AA5808    8B4D A4         mov     ecx, [ebp-5C]
00AA580B    83C1 78         add     ecx, 78
00AA580E    51              push    ecx
00AA580F    E8 2CBEFDFF     call    BvDongle::GenToolRegPass
00AA5814    83C4 08         add     esp, 8
00AA5817    8B55 A4         mov     edx, [ebp-5C]
00AA581A    83C2 74         add     edx, 74
00AA581D    52              push    edx
00AA581E    8D45 EC         lea     eax, [ebp-14]
00AA5821    50              push    eax
00AA5822    E8 06B8FDFF     call    00A8102D
00AA5827    83C4 08         add     esp, 8
00AA582A    3D C05D0000     cmp     eax, 5DC0
00AA582F    75 17           jnz     short 00AA5848
00AA5831    8B4D A4         mov     ecx, [ebp-5C]
00AA5834    8B91 84000000   mov     edx, [ecx+84]
00AA583A    C702 C05D0000   mov     dword ptr [edx], 5DC0
00AA5840    8B4D A4         mov     ecx, [ebp-5C]
00AA5843    E8 B6240000     call    <jmp.&MFC71.#4735_CDialog::OnOK>
00AA5848    EB 13           jmp     short 00AA585D
00AA584A    8B45 A4         mov     eax, [ebp-5C]
00AA584D    83C0 78         add     eax, 78
00AA5850    50              push    eax
00AA5851    8D4D EC         lea     ecx, [ebp-14]
00AA5854    51              push    ecx
00AA5855    E8 9CC1FDFF     call    00A819F6
00AA585A    83C4 08         add     esp, 8
00AA585D    C645 FC 00      mov     byte ptr [ebp-4], 0
00AA5861    8D4D D8         lea     ecx, [ebp-28]
00AA5864    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<cha>; MFC71.7C1771B1
00AA586A    EB 13           jmp     short 00AA587F
00AA586C    8B55 A4         mov     edx, [ebp-5C]
00AA586F    83C2 78         add     edx, 78
00AA5872    52              push    edx
00AA5873    8D45 EC         lea     eax, [ebp-14]
00AA5876    50              push    eax
00AA5877    E8 7AC1FDFF     call    00A819F6
00AA587C    83C4 08         add     esp, 8
00AA587F    E9 A9020000     jmp     00AA5B2D
00AA5884    68 785DAB00     push    00AB5D78                        ; ASCII "Inpower Pro"
00AA5889    8D4D F0         lea     ecx, [ebp-10]
00AA588C    FF15 3863AC00   call    [<&MFC71.#1482_ATL::CStringT<ch>; 专业版有注册过吗?
00AA5892    85C0            test    eax, eax
00AA5894    0F85 9B010000   jnz     00AA5A35                        ; 没--跳
00AA589A    6A 03           push    3
00AA589C    8D4D B0         lea     ecx, [ebp-50]
00AA589F    E8 ABBDFDFF     call    CBravoMode::CBravoMode
00AA58A4    8B4D B0         mov     ecx, [ebp-50]
00AA58A7    894D EC         mov     [ebp-14], ecx
00AA58AA    8D55 EC         lea     edx, [ebp-14]
00AA58AD    52              push    edx
00AA58AE    8B4D A4         mov     ecx, [ebp-5C]
00AA58B1    E8 D9B9FDFF     call    00A8128F
00AA58B6    0FB6C0          movzx   eax, al
00AA58B9    83F8 01         cmp     eax, 1
00AA58BC    0F85 5B010000   jnz     00AA5A1D
00AA58C2    8D4D EC         lea     ecx, [ebp-14]
00AA58C5    51              push    ecx
00AA58C6    E8 F3B7FDFF     call    IsRegistered
00AA58CB    83C4 04         add     esp, 4
00AA58CE    3D C05D0000     cmp     eax, 5DC0
00AA58D3    75 0D           jnz     short 00AA58E2                  ; 注册后//注册按钮变OK
00AA58D5    8B4D A4         mov     ecx, [ebp-5C]
00AA58D8    E8 08B9FDFF     call    00A811E5
00AA58DD    E9 39010000     jmp     00AA5A1B
00AA58E2    68 845DAB00     push    00AB5D84                        ; ASCII "OK"
00AA58E7    6A 01           push    1
00AA58E9    8B4D A4         mov     ecx, [ebp-5C]
00AA58EC    E8 6D270000     call    <jmp.&MFC71.#2657_CWnd::GetDlgI>
00AA58F1    8BC8            mov     ecx, eax
00AA58F3    E8 6E250000     call    <jmp.&MFC71.#6067_CWnd::SetWind>
00AA58F8    8B55 A4         mov     edx, [ebp-5C]
00AA58FB    8B82 84000000   mov     eax, [edx+84]
00AA5901    C700 C15D0000   mov     dword ptr [eax], 5DC1
00AA5907    8D4D EC         lea     ecx, [ebp-14]
00AA590A    51              push    ecx
00AA590B    8D55 D0         lea     edx, [ebp-30]
00AA590E    52              push    edx
00AA590F    E8 89BAFDFF     call    GetToolRegistrationNumber
00AA5914    83C4 08         add     esp, 8
00AA5917    0FB745 D6       movzx   eax, word ptr [ebp-2A]
00AA591B    50              push    eax
00AA591C    0FB74D D4       movzx   ecx, word ptr [ebp-2C]
00AA5920    51              push    ecx
00AA5921    0FB755 D2       movzx   edx, word ptr [ebp-2E]
00AA5925    52              push    edx
00AA5926    0FB745 D0       movzx   eax, word ptr [ebp-30]
00AA592A    50              push    eax
00AA592B    68 885DAB00     push    00AB5D88                        ; ASCII "%04X-%04X-%04X-%04X"
00AA5930    8B4D A4         mov     ecx, [ebp-5C]                   ; 生成硬件狗机器码
00AA5933    83C1 78         add     ecx, 78                         ; 没注册过的//要在这里算
00AA5936    51              push    ecx
00AA5937    FF15 9C63AC00   call    [<&MFC71.#2322_ATL::CStringT<ch>; MFC71.7C146A9D
00AA593D    83C4 18         add     esp, 18
00AA5940    8B55 A4         mov     edx, [ebp-5C]
00AA5943    8B8A 80000000   mov     ecx, [edx+80]
00AA5949    E8 EEB6FDFF     call    CBravoMode::GetMode
00AA594E    50              push    eax
00AA594F    8D4D CC         lea     ecx, [ebp-34]
00AA5952    E8 F8BCFDFF     call    CBravoMode::CBravoMode
00AA5957    68 9C5DAB00     push    00AB5D9C
00AA595C    8D4D C8         lea     ecx, [ebp-38]
00AA595F    FF15 A063AC00   call    [<&MFC71.#304_ATL::CStringT<cha>; MFC71.7C16A59C
00AA5965    C645 FC 02      mov     byte ptr [ebp-4], 2
00AA5969    8D4D CC         lea     ecx, [ebp-34]
00AA596C    E8 E4B6FDFF     call    CBravoMode::GetSubMode
00AA5971    83F8 02         cmp     eax, 2
00AA5974    75 10           jnz     short 00AA5986
00AA5976    68 A05DAB00     push    00AB5DA0                        ; ASCII "InPower ONAN"
00AA597B    8D4D C8         lea     ecx, [ebp-38]
00AA597E    FF15 9863AC00   call    [<&MFC71.#784_ATL::CStringT<cha>; MFC71.7C14FF74
00AA5984    EB 0E           jmp     short 00AA5994
00AA5986    68 B05DAB00     push    00AB5DB0                        ; ASCII "InPower"
00AA598B    8D4D C8         lea     ecx, [ebp-38]
00AA598E    FF15 9863AC00   call    [<&MFC71.#784_ATL::CStringT<cha>; MFC71.7C14FF74
00AA5994    6A 24           push    24
00AA5996    8D4D C8         lea     ecx, [ebp-38]
00AA5999    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStrin>; MFC71.7C158BCD
00AA599F    50              push    eax
00AA59A0    68 B85DAB00     push    00AB5DB8                        ; ASCII "Dongle is already registered.Do you want to register this tool?"
00AA59A5    8B4D A4         mov     ecx, [ebp-5C]
00AA59A8    E8 1F250000     call    <jmp.&MFC71.#4104_CWnd::Message>; 没有找到狗狗哦
00AA59AD    83F8 06         cmp     eax, 6
00AA59B0    75 49           jnz     short 00AA59FB                  ; 有就跳了
00AA59B2    8B45 A4         mov     eax, [ebp-5C]
00AA59B5    83C0 74         add     eax, 74
00AA59B8    50              push    eax
00AA59B9    8B4D A4         mov     ecx, [ebp-5C]
00AA59BC    83C1 78         add     ecx, 78
00AA59BF    51              push    ecx
00AA59C0    E8 7BBCFDFF     call    BvDongle::GenToolRegPass
00AA59C5    83C4 08         add     esp, 8
00AA59C8    8B55 A4         mov     edx, [ebp-5C]
00AA59CB    83C2 74         add     edx, 74
00AA59CE    52              push    edx
00AA59CF    8D45 EC         lea     eax, [ebp-14]
00AA59D2    50              push    eax
00AA59D3    E8 55B6FDFF     call    00A8102D
00AA59D8    83C4 08         add     esp, 8
00AA59DB    3D C05D0000     cmp     eax, 5DC0
00AA59E0    75 17           jnz     short 00AA59F9
00AA59E2    8B4D A4         mov     ecx, [ebp-5C]
00AA59E5    8B91 84000000   mov     edx, [ecx+84]
00AA59EB    C702 C05D0000   mov     dword ptr [edx], 5DC0
00AA59F1    8B4D A4         mov     ecx, [ebp-5C]
00AA59F4    E8 05230000     call    <jmp.&MFC71.#4735_CDialog::OnOK>
00AA59F9    EB 13           jmp     short 00AA5A0E
00AA59FB    8B45 A4         mov     eax, [ebp-5C]
00AA59FE    83C0 78         add     eax, 78
00AA5A01    50              push    eax
00AA5A02    8D4D EC         lea     ecx, [ebp-14]
00AA5A05    51              push    ecx
00AA5A06    E8 EBBFFDFF     call    00A819F6
00AA5A0B    83C4 08         add     esp, 8
00AA5A0E    C645 FC 00      mov     byte ptr [ebp-4], 0
00AA5A12    8D4D C8         lea     ecx, [ebp-38]
00AA5A15    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<cha>; MFC71.7C1771B1
00AA5A1B    EB 13           jmp     short 00AA5A30
00AA5A1D    8B55 A4         mov     edx, [ebp-5C]
00AA5A20    83C2 78         add     edx, 78
00AA5A23    52              push    edx
00AA5A24    8D45 EC         lea     eax, [ebp-14]
00AA5A27    50              push    eax
00AA5A28    E8 C9BFFDFF     call    00A819F6
00AA5A2D    83C4 08         add     esp, 8
00AA5A30    E9 F8000000     jmp     00AA5B2D
00AA5A35    68 F85DAB00     push    00AB5DF8                        ; ASCII "Inpower Non-Pro"
00AA5A3A    8D4D F0         lea     ecx, [ebp-10]
00AA5A3D    FF15 3863AC00   call    [<&MFC71.#1482_ATL::CStringT<ch>; 好!终于确定用户是非专业版了
00AA5A43    85C0            test    eax, eax
00AA5A45    75 6B           jnz     short 00AA5AB2                  ; 不跳罗//那就去比较吧
00AA5A47    68 03000300     push    30003
00AA5A4C    8D4D AC         lea     ecx, [ebp-54]
00AA5A4F    E8 FBBBFDFF     call    CBravoMode::CBravoMode
00AA5A54    8B4D AC         mov     ecx, [ebp-54]
00AA5A57    894D EC         mov     [ebp-14], ecx
00AA5A5A    8D55 EC         lea     edx, [ebp-14]
00AA5A5D    52              push    edx
00AA5A5E    E8 5BB6FDFF     call    IsRegistered                    ; 注册码比较办断CALL
00AA5A63    83C4 04         add     esp, 4                          ; TETN出来
00AA5A66    3D C05D0000     cmp     eax, 5DC0
00AA5A6B    75 0A           jnz     short 00AA5A77                  ; 此版本已是注册的非专业版
00AA5A6D    8B4D A4         mov     ecx, [ebp-5C]
00AA5A70    E8 70B7FDFF     call    00A811E5                        ; 提示你已经注册了非专业版
00AA5A75    EB 39           jmp     short 00AA5AB0                  ; 跳走///不读机器码//
00AA5A77    8D45 EC         lea     eax, [ebp-14]
00AA5A7A    50              push    eax
00AA5A7B    8D4D C0         lea     ecx, [ebp-40]
00AA5A7E    51              push    ecx
00AA5A7F    E8 19B9FDFF     call    GetToolRegistrationNumber
00AA5A84    83C4 08         add     esp, 8
00AA5A87    0FB755 C6       movzx   edx, word ptr [ebp-3A]
00AA5A8B    52              push    edx
00AA5A8C    0FB745 C4       movzx   eax, word ptr [ebp-3C]
00AA5A90    50              push    eax
00AA5A91    0FB74D C2       movzx   ecx, word ptr [ebp-3E]
00AA5A95    51              push    ecx
00AA5A96    0FB755 C0       movzx   edx, word ptr [ebp-40]
00AA5A9A    52              push    edx
00AA5A9B    68 085EAB00     push    00AB5E08                        ; ASCII "%04X-%04X-%04X-%04X"
00AA5AA0    8B45 A4         mov     eax, [ebp-5C]                   ; 生成非专业版机器码
00AA5AA3    83C0 78         add     eax, 78                         ; 下面还有一处
00AA5AA6    50              push    eax
00AA5AA7    FF15 9C63AC00   call    [<&MFC71.#2322_ATL::CStringT<ch>; MFC71.7C146A9D
00AA5AAD    83C4 18         add     esp, 18
00AA5AB0    EB 7B           jmp     short 00AA5B2D                  ; 不是有狗狗的版本...GO GO///
00AA5AB2    68 1C5EAB00     push    00AB5E1C                        ; ASCII "Inpower ONAN"
00AA5AB7    8D4D F0         lea     ecx, [ebp-10]
00AA5ABA    FF15 3863AC00   call    [<&MFC71.#1482_ATL::CStringT<ch>; MFC71.7C144DAE
00AA5AC0    85C0            test    eax, eax
00AA5AC2    75 69           jnz     short 00AA5B2D
00AA5AC4    68 03000200     push    20003
00AA5AC9    8D4D A8         lea     ecx, [ebp-58]
00AA5ACC    E8 7EBBFDFF     call    CBravoMode::CBravoMode
00AA5AD1    8B4D A8         mov     ecx, [ebp-58]
00AA5AD4    894D EC         mov     [ebp-14], ecx
00AA5AD7    8D55 EC         lea     edx, [ebp-14]
00AA5ADA    52              push    edx
00AA5ADB    E8 DEB5FDFF     call    IsRegistered
00AA5AE0    83C4 04         add     esp, 4
00AA5AE3    3D C05D0000     cmp     eax, 5DC0
00AA5AE8    75 0A           jnz     short 00AA5AF4
00AA5AEA    8B4D A4         mov     ecx, [ebp-5C]
00AA5AED    E8 F3B6FDFF     call    00A811E5
00AA5AF2    EB 39           jmp     short 00AA5B2D
00AA5AF4    8D45 EC         lea     eax, [ebp-14]
00AA5AF7    50              push    eax
00AA5AF8    8D4D B8         lea     ecx, [ebp-48]
00AA5AFB    51              push    ecx
00AA5AFC    E8 9CB8FDFF     call    GetToolRegistrationNumber
00AA5B01    83C4 08         add     esp, 8
00AA5B04    0FB755 BE       movzx   edx, word ptr [ebp-42]
00AA5B08    52              push    edx
00AA5B09    0FB745 BC       movzx   eax, word ptr [ebp-44]
00AA5B0D    50              push    eax
00AA5B0E    0FB74D BA       movzx   ecx, word ptr [ebp-46]
00AA5B12    51              push    ecx
00AA5B13    0FB755 B8       movzx   edx, word ptr [ebp-48]
00AA5B17    52              push    edx
00AA5B18    68 2C5EAB00     push    00AB5E2C                        ; ASCII "%04X-%04X-%04X-%04X"
00AA5B1D    8B45 A4         mov     eax, [ebp-5C]                   ; 生成非专业版机器码//没注册过的//要在这里算
00AA5B20    83C0 78         add     eax, 78
00AA5B23    50              push    eax
00AA5B24    FF15 9C63AC00   call    [<&MFC71.#2322_ATL::CStringT<ch>; MFC71.7C146A9D
00AA5B2A    83C4 18         add     esp, 18
00AA5B2D    6A 00           push    0                               ; 两个版本都在这里入口
00AA5B2F    8B4D A4         mov     ecx, [ebp-5C]
00AA5B32    E8 29230000     call    <jmp.&MFC71.#6236_CWnd::UpdateD>
00AA5B37    C745 FC FFFFFFF>mov     dword ptr [ebp-4], -1
00AA5B3E    8D4D F0         lea     ecx, [ebp-10]
00AA5B41    FF15 B063AC00   call    [<&MFC71.#578_ATL::CStringT<cha>; MFC71.7C1771B1
00AA5B47    8B4D F4         mov     ecx, [ebp-C]
00AA5B4A    64:890D 0000000>mov     fs:[0], ecx
00AA5B51    8B4D E4         mov     ecx, [ebp-1C]
00AA5B54    E8 65310000     call    00AA8CBE
00AA5B59    8BE5            mov     esp, ebp
00AA5B5B    5D              pop     ebp
00AA5B5C    C3              retn
----------------------------------------------------------------
retn 出来后是第二次正式比较,呵呵,是不是和刚才第一次来的一样//
00A89280    8B45 08         mov     eax, [ebp+8]
00A89283    50              push    eax
00A89284    E8 D47FFFFF     call    00A8125D                          ; 第二次比较注册码,进
00A89289    83C4 08         add     esp, 8
00A8928C    8945 A8         mov     [ebp-58], eax
--------------------------------------------------------------
00A89020    55              push    ebp
00A89021    8BEC            mov     ebp, esp
00A89023    6A FF           push    -1
00A89025    68 01C1AA00     push    00AAC101
略一点
00A890BD    51              push    ecx
00A890BE    68 642CAB00     push    00AB2C64                               ; ASCII "%X%X%X%X"
00A890C3    8D55 C8         lea     edx, [ebp-38]
00A890C6    52              push    edx
00A890C7    FF15 9C63AC00   call    [<&MFC71.#2322_ATL::CStringT<char,StrT>; 计算注册的CALL//算法在此找,第一次可能是狗的密码
我机上寄存器上看到:
ECX 01055B08 ASCII "7C40603C308B45D8"
EDX 01055B08 ASCII "7C40603C308B45D8"
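呵呵//那就是12000块的东东了//非专业版注册码.(给软件作者:问题出在程序自己在本机把完整的正确注册码格式化出来,再和用户输入做明文字符串比较,所以正确值必然会出现在内存和寄存器里.校验应该做成"只验证、不生成",例如用非对称签名,客户端只保存公钥.)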
00A890CD    83C4 18         add     esp, 18
00A890D0    8B4D 0C         mov     ecx, [ebp+C]
00A890D3    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStringT<char>; 读取密码
00A890D9    50              push    eax
00A890DA    8D4D C8         lea     ecx, [ebp-38]
00A890DD    FF15 3863AC00   call    [<&MFC71.#1482_ATL::CStringT<char,StrT>; 比较
00A890E3    85C0            test    eax, eax
00A890E5    75 07           jnz     short 00A890EE                         ; 不正确//跳的//
---------------------------------------------------------------------------------------------
上面00AA5B5C 处 retn来到///

略一点(下面粗略分析)
00AA5BD5    83F8 02         cmp     eax, 2
00AA5BD8    75 1E           jnz     short 00AA5BF8                  ; 有加密狗的//已注册
00AA5BDA    68 00000500     push    50000
00AA5BDF    68 405EAB00     push    00AB5E40                        ; ASCII "Engineering Tool"
00AA5BE4    8D4D EC         lea     ecx, [ebp-14]
00AA5BE7    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStrin>; MFC71.7C158BCD
00AA5BED    50              push    eax
00AA5BEE    6A 00           push    0                               ; 提示你已注册
00AA5BF0    FF15 E866AC00   call    [<&USER32.MessageBoxA>]         ; USER32.MessageBoxA
00AA5BF6    EB 47           jmp     short 00AA5C3F
00AA5BF8    8D4D F0         lea     ecx, [ebp-10]
00AA5BFB    E8 55B4FDFF     call    CBravoMode::GetSubMode
00AA5C00    83F8 02         cmp     eax, 2
00AA5C03    75 1E           jnz     short 00AA5C23                  ; 非专业版//已注册
00AA5C05    68 00000500     push    50000
00AA5C0A    68 545EAB00     push    00AB5E54                        ; ASCII "InPower ONAN"
00AA5C0F    8D4D EC         lea     ecx, [ebp-14]
00AA5C12    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStrin>; MFC71.7C158BCD
00AA5C18    50              push    eax
00AA5C19    6A 00           push    0                               ; 提示你已注册
00AA5C1B    FF15 E866AC00   call    [<&USER32.MessageBoxA>]         ; USER32.MessageBoxA
00AA5C21    EB 1C           jmp     short 00AA5C3F
00AA5C23    68 00000500     push    50000
00AA5C28    68 645EAB00     push    00AB5E64                        ; ASCII "InPower"
00AA5C2D    8D4D EC         lea     ecx, [ebp-14]
00AA5C30    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStrin>; MFC71.7C158BCD
00AA5C36    50              push    eax
00AA5C37    6A 00           push    0                               ; 提示你已注册
00AA5C39    FF15 E866AC00   call    [<&USER32.MessageBoxA>]         ; USER32.MessageBoxA
略一点
========================================================================================
好了//软件分析到这已基本完了//狗狗的//我再怎分析//因为软件使用过程中还有很多检测//
在此过程中//我们分析看到了非专业版的注册码//为此小Q想写一算法注册机//不过由于时间问题没再分析算法//有兴趣的可看下//现在已是凌晨3点30分了//好累哦//这时破解的精神让我再次提神.
前几天还在学习PEDIY技术///好吧好吧?没时间//那我们就来PEDIY  把软件的软件做成我们完美的算法注册机吧?想到就做//杀它个精光.//
========================================================================================
//分析//我们要把正确注册码显示出来就得有 MESSAGEBOX函数//
好//这MESSAGEBOX函数每个软件都有的了//它是WINDOWS的嘛.
OD载入程序运行程序下BP MESSAGEBOX  随便搞个消息框出来//取得MESSAGEBOX函数调用地址:call  [0AC66E8]
好了//我们不是在注册DLL里看到注册码了吗//基于PEDIY的思想/关键就在这
00A890BE    68 642CAB00     push    00AB2C64                          ; ASCII "%X%X%X%X"
00A890C3    8D55 C8         lea     edx, [ebp-38]
00A890C6    52              push    edx
00A890C7    FF15 9C63AC00   call    [<&MFC71.#2322_ATL::CStringT<char>; MFC71.7C146A9D---->计算注册的CALL//算法在此找,第一次可能是狗的密码
我机上寄存器上看到:
ECX 01055B08 ASCII "7C40603C308B45D8"
EDX 01055B08 ASCII "7C40603C308B45D8"
00A890CD    83C4 18         add     esp, 18---->上面CALL出来正确注册码//我们就在这取值来显示在MESSAGEBOX上
00A890D0    8B4D 0C         mov     ecx, [ebp+C]
00A890D3    FF15 A463AC00   call    [<&MFC71.#876_ATL::CSimpleStringT<char>; 读取密码
=========================================================================================
我们找块空地//我找在00AB1790
在00A890CD那里JMP 00AB1790
写下如下代码:
pushad---------------->堆栈平衡
mov   eax, edx------>把EDX的注册码传入EAX
push  eax----------->压栈
push  0------------->压栈
call  [0AC66E8]------->显示
popad----------------->会服堆栈
add   esp, 18------->还原
mov   ecx, [ebp+C]-->还原
jmp   00A890D3------>回去
===========================================================================================
然后保存//用Resource Hacker打开BvLock.dll 资源对话框2003项写上
==========================================================================================
// Dialog resource 2003 as the author rewrote it with Resource Hacker:
// a 242 x 115 dialog-unit popup with a modal frame, created visible and topmost.
2003 DIALOGEX 0, 0, 242, 115
STYLE DS_MODALFRAME | DS_SETFOREGROUND | WS_POPUP | WS_VISIBLE | WS_CAPTION
EXSTYLE WS_EX_TOPMOST
CAPTION "关于[qyc]软件破解-->流行时代  看雪学院  OCN"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 8, "MS Sans Serif"
{
   // Controls 1, 2014, 2009, 2008 and 2023 are declared with a 0 x 0 size.
   // NOTE(review): presumably these are the dialog's original controls, kept so that
   // code looking them up by ID still finds them; confirm against the unmodified resource.
   CONTROL "&Register", 1, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 62, 163, 0, 0 
   // ID 2 is the only button given a non-zero size (50 x 14).
   CONTROL "&关闭", 2, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 99, 95, 50, 14 
   CONTROL "这是一个发电机调试软件的非专业版算法注册机.\n它生成的KEY可以注册2006年发行INPOWER 5.0非专\n业版.本注册机不用你手工输入机器码来计算注册码(一切都是为了你着想) BY 小Q 2006年2月25日.", 2012, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 18, 230, 33 
   // Group box framing the whole dialog area.
   CONTROL "", -1, BUTTON, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, 3, 0, 236, 112 
   CONTROL "", 2014, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_BORDER | WS_TABSTOP, 195, 131, 0, 0 
   CONTROL "请问你把注册码记在纸上了吗?关闭注册进行注册吧!哈哈.", 2011, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 23, 81, 211, 12 
   CONTROL "有空来来看雪学院:http://www.pediy.com.", 2013, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 43, 55, 157, 10 
   CONTROL "", 2009, EDIT, ES_LEFT | ES_UPPERCASE | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 138, 130, 0, 0 
   CONTROL "", 2008, EDIT, ES_LEFT | ES_AUTOHSCROLL | ES_READONLY | WS_CHILD | WS_VISIBLE | WS_BORDER, 138, 106, 0, 0 
   CONTROL "o○o流行时代o○o http://www.popbase.net", 2017, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 47, 68, 153, 12 
   CONTROL "说明:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 110, 6, 31, 12 
   CONTROL "", 2023, COMBOBOX, CBS_DROPDOWNLIST | CBS_SORT | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 118, 11, 0, 0 
   // This static has no WS_VISIBLE and sits at y = 116, below the 115-unit dialog height.
   CONTROL "请问你把注册码记在纸上了吗?关闭注册进行注册吧!哈哈.", -1, STATIC, SS_LEFT | WS_CHILD | WS_GROUP, 25, 116, 204, 10 
}
==========================================================================================
哈哈就成了关于对话框了///
==========================================================================================
好了//在此破解加写不用源程序的完美算法注册机 就完成了//(给软件作者:改过代码和资源的BvLock.dll仍然能被照常加载使用,看来加载方没有校验这个DLL的数字签名或哈希;在加载前做完整性校验,这类对发行文件的篡改就能被发现.)
小Q第一次分析软件到凌晨3点45分//累死了//洗澡//睡觉..明天起来买菜//上班//请看雪版主给我上传文件权限//好吗?
BY QYC 2006---2008//转贴请保持完整/