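Icon Craft v4.4 Registration Algorithm

[Software name]:
    Icon Craft

[Download URL]:
    Http://www.iconempire.com/

[Description]:
    Icon Craft is a capable tool for editing, creating and managing Windows icons, cursors and icon libraries.

[Limitations]:
    30-day trial period

[Disclaimer]:
    For exploring and studying software registration algorithms and protection schemes only.

[Tools]:
    PEID v0.94, OllyDBG v1.10

[Author]:
    WSLVIC, e-mail: Crk4u@163.com

[Date]:
    8 August 2011

[Process]:

    The program is not packed. It was written in Borland Delphi 4.0 - 5.0 and the file is small, so OD finishes its analysis quickly after loading it. Registering is very "convenient", because the program prompts you to register every time it starts or exits. Ugh! So let's just type something in: enter "WSLVIC" in the Name field and "u r crazy" as the registration code, and up pops "Please reenter key.Key is required." You know what that means. A closer look at the registration window shows a string after the Name field: "(You can enter any name or empty string)". "empty string"! So the name can be left blank; in other words, the registration code does not depend on the registration name. A nice piece of information, and ideal for the lazy.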

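    Back in OD: "Search for" → "All referenced text strings", wait a moment, then → "Search for text" → enter the keyword "reenter", and "Please reenter key." turns up quickly. The "Key is required." that follows it is not found, though. Scrolling up and down does not find it either, but the following entries do show up: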

    ASCII "Please reenter key."
    ASCII "- KEY BEGIN KEY -"
    ASCII "- KEY END KEY -"
    ASCII "Not found row: - KEY BEGIN KEY -"
    ASCII "Not found row: - KEY END KEY -"
    ASCII "Software\IconEmpire\"
    ASCII "Key"
    ASCII "Key"
    ASCII "Time"
    ASCII "FullProductName"
    ASCII "<BR>"
    ASCII " - "
    ASCII "licenses -"
    ASCII "UserName"
    ASCII "You should restart application now"

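    A little analysis shows that the registration code must start with "- KEY BEGIN KEY -" and end with "- KEY END KEY -", with the real registration code in between, so its form must be:
    - KEY BEGIN KEY -
    registration code
    - KEY END KEY -
    Further down there is "Software\IconEmpire\", which a trained eye recognises at once as a registry key. The program probably reads or writes some information there, most likely "Key", "Time", "FullProductName"... Of course this is only a guess for now; only dynamic debugging in OD will tell. Now the test registration code has to be changed, so use this one: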
    - KEY BEGIN KEY -
    u r crazy
    - KEY END KEY -
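    Getting this far matters a lot: it saves a great deal of debugging time and makes debugging more efficient, because the analysis so far has already yielded key facts about the format of the registration code. In my own experience, with more complex registration algorithms the time spent working out the format of the registration code is often several times the time spent on computing the code itself, because you do not know which characters are legal and which are illegal, how long the code is, whether it contains specific characters, and a whole series of similar questions.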
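    The format stage discussed above, modelled as an added example (not code from the original write-up or from the program). It follows the row scan and the checks annotated in the listing at 0064299C further down the page and covers the format stage only, so passing it says nothing about whether a key is valid. Assumptions: the helpers applied to each row only trim whitespace, the unidentified helper at 00466218 is left out, and every Python name is hypothetical.

```python
BEGIN_ROW = "- KEY BEGIN KEY -"
END_ROW = "- KEY END KEY -"
MIN_KEY_LEN = 0x64  # CMP EAX,64 at 00642C0A
PREFIX = "Please reenter key."  # prepended by the routine at 00642920


class KeyFormatError(ValueError):
    """Stands in for the failure raised through 00642920."""


def locate_body(rows):
    """Row scan 006429EB..00642AC6: return (first, last) body row indexes."""
    first = last = -1
    for i, row in enumerate(rows):
        row = row.strip()  # assumption: the helpers called here only trim
        if BEGIN_ROW in row:
            first = i + 1  # body starts on the row after the marker
        elif END_ROW in row:
            last = i - 1   # body ends on the row before the marker
    if first == -1 and last > 0:
        raise KeyFormatError(PREFIX + "Not found row: " + BEGIN_ROW)
    if last == -1 and first > 0:
        raise KeyFormatError(PREFIX + "Not found row: " + END_ROW)
    if first <= 0 or last <= 0:
        # No usable marker pair: the listing falls back to every row.
        first, last = 0, len(rows) - 1
    return first, last


def normalise_key(text):
    """Format stage up to 00642C7F: join rows, strip quotes, check length."""
    rows = text.splitlines()
    first, last = locate_body(rows)
    # Body rows are trimmed and concatenated (helper 00466218 not modelled).
    key = "".join(r.strip() for r in rows[first:last + 1])
    if not key:
        raise KeyFormatError(PREFIX + "Key is required.")
    key = key.replace('"', "").strip()  # the 0x22 removal loop, then a trim
    if len(key) < MIN_KEY_LEN:
        raise KeyFormatError(PREFIX + "Key is required.")
    eq = key.find("=") + 1  # 1-based position as in the listing, 0 = absent
    if eq not in (0, len(key)):
        key = key[:eq]  # keep everything up to and including the first '='
    return key


def check(text):
    """Return (passed_format_stage, normalised_key_or_message)."""
    try:
        return True, normalise_key(text)
    except KeyFormatError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: the test key from the text and two broken envelopes.
    for sample in ("- KEY BEGIN KEY -\nu r crazy\n- KEY END KEY -",
                   "abc\ndef\n- KEY END KEY -",
                   "- KEY BEGIN KEY -\nabc"):
        print(check(sample))
```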
    Right, back to the point: double-click "Please reenter key." in the string reference window to land here:
    ┌──────────────────────────────────────────────┐
    │00642920  /$PUSH EBP                                                                        │
    │00642921  |.MOV EBP,ESP                                                                     │
    │00642923  |.PUSH 0                                                                          │
    │00642925  |.PUSH EBX                                                                        │
    │00642926  |.MOV EBX,EAX                                                                     │
    │00642928  |.XOR EAX,EAX                                                                     │
    │0064292A  |.PUSH EBP                                                                        │
    │0064292B  |.PUSH ICONCRAF.0064296F                                                          │
    │00642930  |.PUSH DWORD PTR FS:[EAX]                                                         │
    │00642933  |.MOV DWORD PTR FS:[EAX],ESP                                                      │
    │00642936  |.LEA EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642939  |.MOV ECX,EBX                                                                     │
     ───────────────────────────────────────────────
    │0064293B  |.MOV EDX,ICONCRAF.00642984                ; ASCII "Please reenter key."          │
     ───────────────────────────────────────────────
    │00642940  |.CALL ICONCRAF.004041D8                                                          │
    │00642945  |.MOV ECX,DWORD PTR SS:[EBP-4]                                                    │
    │00642948  |.MOV DL,1                                                                        │
    │0064294A  |.MOV EAX,DWORD PTR DS:[408A60]                                                   │
    │0064294F  |.CALL ICONCRAF.0040D134                                                          │
    │00642954  |.CALL ICONCRAF.0040392C                                                          │
    │00642959  |.XOR EAX,EAX                                                                     │
    │0064295B  |.POP EDX                                                                         │
    │0064295C  |.POP ECX                                                                         │
    │0064295D  |.POP ECX                                                                         │
    │0064295E  |.MOV DWORD PTR FS:[EAX],EDX                                                      │
    │00642961  |.PUSH ICONCRAF.00642976                                                          │
    │00642966  |>LEA EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642969  |.CALL ICONCRAF.00403EFC                                                          │
    │0064296E  \.RETN                                                                            │
    └──────────────────────────────────────────────┘
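    No luck: there is no key jump in sight. The registration failure message is evidently raised through a function call, so the only option is to set a breakpoint on the function entry at 642920. Reload Icon Craft, enter the registration code, and execution finally breaks at 642920. OD's call stack window shows that the call came from 642C16. Scrolling up and down, the jump flags are not very obvious, so simply set a breakpoint on 64299C, the entry of the routine that contains 642C16, reload Icon Craft, and it breaks at 64299C: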
    ┌──────────────────────────────────────────────┐
    │0064299C  /$PUSH EBP                                                                        │
    │0064299D  |.MOV EBP,ESP                                                                     │
    │0064299F  |.MOV ECX,0F                                                                      │
    │006429A4  |>/PUSH 0                                                                         │
    │006429A6  |.|PUSH 0                                                                         │
    │006429A8  |.|DEC ECX                                                                        │
    │006429A9  |.\JNZ SHORT ICONCRAF.006429A4                                                    │
    │006429AB  |.PUSH EBX                                                                        │
    │006429AC  |.PUSH ESI                                                                        │
    │006429AD  |.PUSH EDI                                                                        │
    │006429AE  |.MOV DWORD PTR SS:[EBP-4],EAX                                                    │
    │006429B1  |.XOR EAX,EAX                                                                     │
    │006429B3  |.PUSH EBP                                                                        │
    │006429B4  |.PUSH ICONCRAF.00643000                                                          │
    │006429B9  |.PUSH DWORD PTR FS:[EAX]                                                         │
    │006429BC  |.MOV DWORD PTR FS:[EAX],ESP                                                      │
    │006429BF  |.MOV DWORD PTR SS:[EBP-18],-1                                                    │
    │006429C6  |.MOV DWORD PTR SS:[EBP-1C],-1                                                    │
    │006429CD  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │006429D0  |.MOV EAX,DWORD PTR DS:[EAX+2E0]                                                  │
    │006429D6  |.MOV EAX,DWORD PTR DS:[EAX+208]                                                  │
    │006429DC  |.MOV EDX,DWORD PTR DS:[EAX]                                                      │
    │006429DE  |.CALL DWORD PTR DS:[EDX+14]                                                      │
    │006429E1  |.MOV ESI,EAX                                                                     │
    │006429E3  |.DEC ESI                                                                         │
    │006429E4  |.TEST ESI,ESI                                                                    │
    │006429E6  |.JL SHORT ICONCRAF.00642A4E                                                      │
    │006429E8  |.INC ESI                                                                         │
    │006429E9  |.XOR EBX,EBX                                                                     │
    │006429EB  |>/LEA ECX,DWORD PTR SS:[EBP-40]                                                  │
    │006429EE  |.|MOV EAX,DWORD PTR SS:[EBP-4]                                                   │
    │006429F1  |.|MOV EAX,DWORD PTR DS:[EAX+2E0]                                                 │
    │006429F7  |.|MOV EAX,DWORD PTR DS:[EAX+208]                                                 │
    │006429FD  |.|MOV EDX,EBX                                                                    │
    │006429FF  |.|MOV EDI,DWORD PTR DS:[EAX]                                                     │
    │00642A01  |.|CALL DWORD PTR DS:[EDI+C]                                                      │
    │00642A04  |.|MOV EAX,DWORD PTR SS:[EBP-40]                                                  │
    │00642A07  |.|LEA EDX,DWORD PTR SS:[EBP-3C]                                                  │
    │00642A0A  |.|CALL ICONCRAF.00409678                                                         │
    │00642A0F  |.|MOV EAX,DWORD PTR SS:[EBP-3C]                                                  │
    │00642A12  |.|LEA EDX,DWORD PTR SS:[EBP-10]                                                  │
    │00642A15  |.|CALL ICONCRAF.004098EC                                                         │
    │00642A1A  |.|MOV EDX,DWORD PTR SS:[EBP-10]                                                  │
    │00642A1D  |.|MOV EAX,ICONCRAF.0064301C       ;ASCII "- KEY BEGIN KEY -"                     │
    │00642A22  |.|CALL ICONCRAF.00404478                                                         │
    │00642A27  |.|TEST EAX,EAX                                                                   │
    │00642A29  |.|JLE SHORT ICONCRAF.00642A33                                                    │
    │00642A2B  |.|LEA EAX,DWORD PTR DS:[EBX+1]                                                   │
    │00642A2E  |.|MOV DWORD PTR SS:[EBP-18],EAX                                                  │
    │00642A31  |.|JMP SHORT ICONCRAF.00642A4A                                                    │
    │00642A33  |>|MOV EDX,DWORD PTR SS:[EBP-10]                                                  │
    │00642A36  |.|MOV EAX,ICONCRAF.00643038       ;ASCII "- KEY END KEY -"                       │
    │00642A3B  |.|CALL ICONCRAF.00404478                                                         │
    │00642A40  |.|TEST EAX,EAX                                                                   │
    │00642A42  |.|JLE SHORT ICONCRAF.00642A4A                                                    │
    │00642A44  |.|MOV EAX,EBX                                                                    │
    │00642A46  |.|DEC EAX                                                                        │
    │00642A47  |.|MOV DWORD PTR SS:[EBP-1C],EAX                                                  │
    │00642A4A  |>|INC EBX                                                                        │
    │00642A4B  |.|DEC ESI                                                                        │
    │00642A4C  |.\JNZ SHORT ICONCRAF.006429EB                                                    │
    │00642A4E  |>LEA EAX,DWORD PTR SS:[EBP-14]                                                   │
    │00642A51  |.CALL ICONCRAF.00403EFC                                                          │
    │00642A56  |.CMP DWORD PTR SS:[EBP-18],-1                                                    │
    │00642A5A  |.JNZ SHORT ICONCRAF.00642A71                                                     │
    │00642A5C  |.CMP DWORD PTR SS:[EBP-1C],0                                                     │
    │00642A60  |.JLE SHORT ICONCRAF.00642A71                                                     │
    │00642A62  |.LEA EAX,DWORD PTR SS:[EBP-14]                                                   │
    │00642A65  |.MOV EDX,ICONCRAF.00643050        ;ASCII "Not found row: - KEY BEGIN KEY -"      │
    │00642A6A  |.CALL ICONCRAF.00403F94                                                          │
    │00642A6F  |.JMP SHORT ICONCRAF.00642A8A                                                     │
    │00642A71  |>CMP DWORD PTR SS:[EBP-1C],-1                                                    │
    │00642A75  |.JNZ SHORT ICONCRAF.00642A8A                                                     │
    │00642A77  |.CMP DWORD PTR SS:[EBP-18],0                                                     │
    │00642A7B  |.JLE SHORT ICONCRAF.00642A8A                                                     │
    │00642A7D  |.LEA EAX,DWORD PTR SS:[EBP-14]                                                   │
    │00642A80  |.MOV EDX,ICONCRAF.0064307C        ;ASCII "Not found row: - KEY END KEY -"        │
    │00642A85  |.CALL ICONCRAF.00403F94                                                          │
    │00642A8A  |>CMP DWORD PTR SS:[EBP-14],0                                                     │
    │00642A8E  |.JE SHORT ICONCRAF.00642A98                                                      │
    │00642A90  |.MOV EAX,DWORD PTR SS:[EBP-14]                                                   │
    │00642A93  |.CALL ICONCRAF.00642920                                                          │
    │00642A98  |>LEA EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642A9B  |.CALL ICONCRAF.00403EFC                                                          │
    │00642AA0  |.CMP DWORD PTR SS:[EBP-18],0                                                     │
    │00642AA4  |.JLE SHORT ICONCRAF.00642AAC                                                     │
    │00642AA6  |.CMP DWORD PTR SS:[EBP-1C],0                                                     │
    │00642AAA  |.JG SHORT ICONCRAF.00642AC9                                                      │
    │00642AAC  |>XOR EAX,EAX                                                                     │
    │00642AAE  |.MOV DWORD PTR SS:[EBP-18],EAX                                                   │
    │00642AB1  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642AB4  |.MOV EAX,DWORD PTR DS:[EAX+2E0]                                                  │
    │00642ABA  |.MOV EAX,DWORD PTR DS:[EAX+208]                                                  │
    │00642AC0  |.MOV EDX,DWORD PTR DS:[EAX]                                                      │
    │00642AC2  |.CALL DWORD PTR DS:[EDX+14]                                                      │
    │00642AC5  |.DEC EAX                                                                         │
    │00642AC6  |.MOV DWORD PTR SS:[EBP-1C],EAX                                                   │
    │00642AC9  |>MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642ACC  |.MOV EAX,DWORD PTR DS:[EAX+300]                                                  │
    │00642AD2  |.MOV EDX,DWORD PTR DS:[EAX]                                                      │
    │00642AD4  |.CALL DWORD PTR DS:[EDX+40]                                                      │
    │00642AD7  |.XOR EAX,EAX                                                                     │
    │00642AD9  |.MOV DWORD PTR SS:[EBP-20],EAX                                                   │
    │00642ADC  |.MOV EBX,DWORD PTR SS:[EBP-18]                                                   │
    │00642ADF  |.MOV ESI,DWORD PTR SS:[EBP-1C]                                                   │
    │00642AE2  |.SUB ESI,EBX                                                                     │
    │00642AE4  |.JL ICONCRAF.00642B78                                                            │
    │00642AEA  |.INC ESI                                                                         │
    │00642AEB  |>/LEA ECX,DWORD PTR SS:[EBP-44]                                                  │
    │00642AEE  |.|MOV EAX,DWORD PTR SS:[EBP-4]                                                   │
    │00642AF1  |.|MOV EAX,DWORD PTR DS:[EAX+2E0]                                                 │
    │00642AF7  |.|MOV EAX,DWORD PTR DS:[EAX+208]                                                 │
    │00642AFD  |.|MOV EDX,EBX                                                                    │
    │00642AFF  |.|MOV EDI,DWORD PTR DS:[EAX]                                                     │
    │00642B01  |.|CALL DWORD PTR DS:[EDI+C]                                                      │
    │00642B04  |.|MOV EAX,DWORD PTR SS:[EBP-44]                                                  │
    │00642B07  |.|LEA EDX,DWORD PTR SS:[EBP-2C]                                                  │
    │00642B0A  |.|CALL ICONCRAF.004098EC                                                         │
    │00642B0F  |.|LEA EAX,DWORD PTR SS:[EBP-48]                                                  │
    │00642B12  |.|PUSH EAX                                                                       │
    │00642B13  |.|XOR ECX,ECX                                                                    │
    │00642B15  |.|MOV EDX,ICONCRAF.006430A4                                                      │
    │00642B1A  |.|MOV EAX,DWORD PTR SS:[EBP-2C]                                                  │
    │00642B1D  |.|CALL ICONCRAF.00466218                                                         │
    │00642B22  |.|MOV EDX,DWORD PTR SS:[EBP-48]                                                  │
    │00642B25  |.|LEA EAX,DWORD PTR SS:[EBP-2C]                                                  │
    │00642B28  |.|CALL ICONCRAF.00403F94                                                         │
    │00642B2D  |.|LEA EAX,DWORD PTR SS:[EBP-C]                                                   │
    │00642B30  |.|MOV EDX,DWORD PTR SS:[EBP-2C]                                                  │
    │00642B33  |.|CALL ICONCRAF.00404194                                                         │
    │00642B38  |.|MOV EAX,DWORD PTR SS:[EBP-2C]                                                  │
    │00642B3B  |.|CALL ICONCRAF.0040418C                                                         │
    │00642B40  |.|CMP EAX,0A                                                                     │
    │00642B43  |.|JLE SHORT ICONCRAF.00642B5C                                                    │
    │00642B45  |.|CMP DWORD PTR SS:[EBP-20],0                                                    │
    │00642B49  |.|JNZ SHORT ICONCRAF.00642B5C                                                    │
    │00642B4B  |.|MOV EAX,DWORD PTR SS:[EBP-4]                                                   │
    │00642B4E  |.|MOV EAX,DWORD PTR DS:[EAX+300]                                                 │
    │00642B54  |.|MOV EDX,DWORD PTR SS:[EBP-2C]                                                  │
    │00642B57  |.|MOV ECX,DWORD PTR DS:[EAX]                                                     │
    │00642B59  |.|CALL DWORD PTR DS:[ECX+34]                                                     │
    │00642B5C  |>|MOV EDX,DWORD PTR SS:[EBP-2C]                                                  │
    │00642B5F  |.|MOV EAX,ICONCRAF.006430B0                                                      │
    │00642B64  |.|CALL ICONCRAF.00404478                                                         │
    │00642B69  |.|TEST EAX,EAX                                                                   │
    │00642B6B  |.|JLE SHORT ICONCRAF.00642B70                                                    │
    │00642B6D  |.|INC DWORD PTR SS:[EBP-20]                                                      │
    │00642B70  |>|INC EBX                                                                        │
    │00642B71  |.|DEC ESI                                                                        │
    │00642B72  |.\JNZ ICONCRAF.00642AEB                                                          │
    │00642B78  |>CMP DWORD PTR SS:[EBP-C],0                                                      │
    │00642B7C  |.JNZ SHORT ICONCRAF.00642B8A                                                     │
    │00642B7E  |.MOV EAX,DWORD PTR DS:[71EF10]                                                   │
    │00642B83  |.MOV EAX,DWORD PTR DS:[EAX]                                                      │
    │00642B85  |.CALL ICONCRAF.00642920                                                          │
    │00642B8A  |>MOV EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642B8D  |.CALL ICONCRAF.0040418C                                                          │
    │00642B92  |.MOV EDX,DWORD PTR SS:[EBP-C]                                                    │
    │00642B95  |.CMP BYTE PTR DS:[EDX+EAX-1],22                                                  │
    │00642B9A  |.JNZ SHORT ICONCRAF.00642BB3                                                     │
    │00642B9C  |.MOV EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642B9F  |.CALL ICONCRAF.0040418C                                                          │
    │00642BA4  |.MOV EDX,EAX                                                                     │
    │00642BA6  |.LEA EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642BA9  |.MOV ECX,1                                                                       │
    │00642BAE  |.CALL ICONCRAF.004043D4                                                          │
    │00642BB3  |>MOV EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642BB6  |.CALL ICONCRAF.0040418C                                                          │
    │00642BBB  |.MOV EBX,EAX                                                                     │
    │00642BBD  |.CMP EBX,1                                                                       │
    │00642BC0  |.JL SHORT ICONCRAF.00642BEC                                                      │
    │00642BC2  |>/MOV EAX,DWORD PTR SS:[EBP-C]                                                   │
    │00642BC5  |.|CMP BYTE PTR DS:[EAX+EBX-1],22                                                 │
    │00642BCA  |.|JNZ SHORT ICONCRAF.00642BE7                                                    │
    │00642BCC  |.|MOV EAX,DWORD PTR SS:[EBP-C]                                                   │
    │00642BCF  |.|CALL ICONCRAF.0040418C                                                         │
    │00642BD4  |.|CMP EBX,EAX                                                                    │
    │00642BD6  |.|JG SHORT ICONCRAF.00642BE7                                                     │
    │00642BD8  |.|LEA EAX,DWORD PTR SS:[EBP-C]                                                   │
    │00642BDB  |.|MOV ECX,EBX                                                                    │
    │00642BDD  |.|MOV EDX,1                                                                      │
    │00642BE2  |.|CALL ICONCRAF.004043D4                                                         │
    │00642BE7  |>|DEC EBX                                                                        │
    │00642BE8  |.|TEST EBX,EBX                                                                   │
    │00642BEA  |.\JNZ SHORT ICONCRAF.00642BC2                                                    │
    │00642BEC  |>LEA EDX,DWORD PTR SS:[EBP-4C]                                                   │
    │00642BEF  |.MOV EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642BF2  |.CALL ICONCRAF.004098EC                                                          │
    │00642BF7  |.MOV EDX,DWORD PTR SS:[EBP-4C]    ;EDX = registration code                       │
    │00642BFA  |.LEA EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642BFD  |.CALL ICONCRAF.00403F94                                                          │
    │00642C02  |.MOV EAX,DWORD PTR SS:[EBP-C]     ;EAX = registration code                       │
    │00642C05  |.CALL ICONCRAF.0040418C           ;get registration code length                  │
    │00642C0A  |.CMP EAX,64                       ;compare length with 0x64 (100)                │
     ───────────────────────────────────────────────
    │00642C0D  |.JGE SHORT ICONCRAF.00642C1B      ;must jump, otherwise registration fails       │
     ───────────────────────────────────────────────
    │00642C0F  |.MOV EAX,DWORD PTR DS:[71EF10]                                                   │
    │00642C14  |.MOV EAX,DWORD PTR DS:[EAX]                                                      │
    │00642C16  |.CALL ICONCRAF.00642920                                                          │
    │00642C1B  |>MOV EDX,DWORD PTR SS:[EBP-C]     ;EDX = registration code                       │
    │00642C1E  |.MOV EAX,ICONCRAF.006430B0                                                       │
    │00642C23  |.CALL ICONCRAF.00404478           ;find the position of '='                      │
    │00642C28  |.MOV DWORD PTR SS:[EBP-18],EAX                                                   │
    │00642C2B  |.MOV DWORD PTR SS:[EBP-20],1                                                     │
    │00642C32  |.MOV EAX,DWORD PTR SS:[EBP-C]     ;EAX = registration code                       │
    │00642C35  |.CALL ICONCRAF.0040418C           ;get registration code length                  │
    │00642C3A  |.CMP EAX,DWORD PTR SS:[EBP-18]    ;'=' is the last character                     │
    │00642C3D  |.JE SHORT ICONCRAF.00642C84       ;jump when the last character is '='           │
    │00642C3F  |.CMP DWORD PTR SS:[EBP-18],0      ;registration code contains no '='             │
    │00642C43  |.JE SHORT ICONCRAF.00642C84                                                      │
    │00642C45  |.XOR EAX,EAX                                                                     │
    │00642C47  |.MOV DWORD PTR SS:[EBP-20],EAX                                                   │
    │00642C4A  |.MOV EAX,DWORD PTR SS:[EBP-C]     ;EAX = registration code                       │
    │00642C4D  |.CALL ICONCRAF.0040418C           ;get registration code length                  │
    │00642C52  |.MOV ESI,EAX                                                                     │
    │00642C54  |.TEST ESI,ESI                                                                    │
    │00642C56  |.JLE SHORT ICONCRAF.00642C6E                                                     │
    │00642C58  |.MOV EBX,1                                                                       │
    │00642C5D  |>/MOV EAX,DWORD PTR SS:[EBP-C]    ;/                                             │
    │00642C60  |.|CMP BYTE PTR DS:[EAX+EBX-1],3D  ;|compare with '='                             │
    │00642C65  |.|JNZ SHORT ICONCRAF.00642C6A                                                    │
    │00642C67  |.|INC DWORD PTR SS:[EBP-20]       ;|                                             │
    │00642C6A  |>|INC EBX                                                                        │
    │00642C6B  |.|DEC ESI                         ;|loop counts the '=' chars, result on stack   │
    │00642C6C  |.\JNZ SHORT ICONCRAF.00642C5D     ;\                                             │
    │00642C6E  |>MOV EAX,DWORD PTR SS:[EBP-C]     ;EAX = registration code                       │
    │00642C71  |.CALL ICONCRAF.0040418C           ;get registration code length                  │
    │00642C76  |.MOV ECX,EAX                                                                     │
    │00642C78  |.MOV EDX,DWORD PTR SS:[EBP-18]    ;EDX = position of first '=' in the code       │
    │00642C7B  |.INC EDX                                                                         │
    │00642C7C  |.LEA EAX,DWORD PTR SS:[EBP-C]     ;EAX -> stack slot holding the code            │
    │00642C7F  |.CALL ICONCRAF.004043D4           ;keep the part up to and including '='         │
    │00642C84  |>MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642C87  |.MOV EAX,DWORD PTR DS:[EAX+300]                                                  │
    │00642C8D  |.MOV EDX,DWORD PTR DS:[EAX]                                                      │
    │00642C8F  |.CALL DWORD PTR DS:[EDX+14]       ;F2D3FC                                        │
    │00642C92  |.CMP EAX,3                                                                       │
    │00642C95  |.JL ICONCRAF.00642E29             ;                                              │
    │00642C9B  |.LEA ECX,DWORD PTR SS:[EBP-50]                                                   │
    │00642C9E  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642CA1  |.MOV EAX,DWORD PTR DS:[EAX+300]                                                  │
    │00642CA7  |.XOR EDX,EDX                                                                     │
    │00642CA9  |.MOV EBX,DWORD PTR DS:[EAX]                                                      │
    │00642CAB  |.CALL DWORD PTR DS:[EBX+C]                                                       │
    │00642CAE  |.CMP DWORD PTR SS:[EBP-50],0                                                     │
    │00642CB2  |.JE ICONCRAF.00642E29                                                            │
    │00642CB8  |.LEA ECX,DWORD PTR SS:[EBP-54]                                                   │
    │00642CBB  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642CBE  |.MOV EAX,DWORD PTR DS:[EAX+300]                                                  │
    │00642CC4  |.MOV EDX,1                                                                       │
    │00642CC9  |.MOV EBX,DWORD PTR DS:[EAX]                                                      │
    │00642CCB  |.CALL DWORD PTR DS:[EBX+C]                                                       │
    │00642CCE  |.CMP DWORD PTR SS:[EBP-54],0                                                     │
    │00642CD2  |.JE ICONCRAF.00642E29                                                            │
    │00642CD8  |.LEA ECX,DWORD PTR SS:[EBP-58]                                                   │
    │00642CDB  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642CDE  |.MOV EAX,DWORD PTR DS:[EAX+300]                                                  │
    │00642CE4  |.MOV EDX,2                                                                       │
    │00642CE9  |.MOV EBX,DWORD PTR DS:[EAX]                                                      │
    │00642CEB  |.CALL DWORD PTR DS:[EBX+C]                                                       │
    │00642CEE  |.CMP DWORD PTR SS:[EBP-58],0                                                     │
    │00642CF2  |.JE ICONCRAF.00642E29                                                            │
    │00642CF8  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642CFB  |.MOV EBX,DWORD PTR DS:[EAX+300]                                                  │
    │00642D01  |.MOV EAX,EBX                                                                     │
    │00642D03  |.MOV EDX,DWORD PTR DS:[EAX]                                                      │
    │00642D05  |.CALL DWORD PTR DS:[EDX+14]                                                      │
    │00642D08  |.MOV EDX,EAX                                                                     │
    │00642D0A  |.DEC EDX                                                                         │
    │00642D0B  |.LEA ECX,DWORD PTR SS:[EBP-34]                                                   │
    │00642D0E  |.MOV EAX,EBX                                                                     │
    │00642D10  |.MOV EBX,DWORD PTR DS:[EAX]                                                      │
    │00642D12  |.CALL DWORD PTR DS:[EBX+C]                                                       │
    │00642D15  |.MOV EAX,DWORD PTR SS:[EBP-34]                                                   │
    │00642D18  |.CALL ICONCRAF.0040418C                                                          │
    │00642D1D  |.MOV EDX,DWORD PTR SS:[EBP-34]                                                   │
    │00642D20  |.CMP BYTE PTR DS:[EDX+EAX-1],3D                                                  │
    │00642D25  |.JNZ ICONCRAF.00642E29                                                           │
    │00642D2B  |.XOR EAX,EAX                                                                     │
    │00642D2D  |.MOV DWORD PTR SS:[EBP-1C],EAX                                                   │
    │00642D30  |.MOV EAX,DWORD PTR SS:[EBP-34]                                                   │
    │00642D33  |.CALL ICONCRAF.0040418C                                                          │
    │00642D38  |.MOV ESI,EAX                                                                     │
    │00642D3A  |.TEST ESI,ESI                                                                    │
    │00642D3C  |.JLE SHORT ICONCRAF.00642D9E                                                     │
    │00642D3E  |.MOV EBX,1                                                                       │
    │00642D43  |>/MOV EAX,DWORD PTR SS:[EBP-4]                                                   │
    │00642D46  |.|MOV EAX,DWORD PTR DS:[EAX+300]                                                 │
    │00642D4C  |.|MOV EDX,DWORD PTR DS:[EAX]                                                     │
    │00642D4E  |.|CALL DWORD PTR DS:[EDX+14]                                                     │
    │00642D51  |.|SUB EAX,2                                                                      │
    │00642D54  |.|TEST EAX,EAX                                                                   │
    │00642D56  |.|JL SHORT ICONCRAF.00642D94                                                     │
    │00642D58  |.|INC EAX                                                                        │
    │00642D59  |.|MOV DWORD PTR SS:[EBP-38],EAX                                                  │
    │00642D5C  |.|MOV DWORD PTR SS:[EBP-18],0                                                    │
    │00642D63  |>|/LEA ECX,DWORD PTR SS:[EBP-30]                                                 │
    │00642D66  |.||MOV EAX,DWORD PTR SS:[EBP-4]                                                  │
    │00642D69  |.||MOV EAX,DWORD PTR DS:[EAX+300]                                                │
    │00642D6F  |.||MOV EDX,DWORD PTR SS:[EBP-18]                                                 │
    │00642D72  |.||MOV EDI,DWORD PTR DS:[EAX]                                                    │
    │00642D74  |.||CALL DWORD PTR DS:[EDI+C]                                                     │
    │00642D77  |.||MOV EAX,DWORD PTR SS:[EBP-30]                                                 │
    │00642D7A  |.||MOV AL,BYTE PTR DS:[EAX+EBX-1]                                                │
    │00642D7E  |.||MOV EDX,DWORD PTR SS:[EBP-34]                                                 │
    │00642D81  |.||CMP AL,BYTE PTR DS:[EDX+EBX-1]                                                │
    │00642D85  |.||JE SHORT ICONCRAF.00642D8C                                                    │
    │00642D87  |.||MOV DWORD PTR SS:[EBP-1C],EBX                                                 │
    │00642D8A  |.||JMP SHORT ICONCRAF.00642D94                                                   │
    │00642D8C  |>||INC DWORD PTR SS:[EBP-18]                                                     │
    │00642D8F  |.||DEC DWORD PTR SS:[EBP-38]                                                     │
    │00642D92  |.|\JNZ SHORT ICONCRAF.00642D63                                                   │
    │00642D94  |>|CMP DWORD PTR SS:[EBP-1C],0                                                    │
    │00642D98  |.|JNZ SHORT ICONCRAF.00642D9E                                                    │
    │00642D9A  |.|INC EBX                                                                        │
    │00642D9B  |.|DEC ESI                                                                        │
    │00642D9C  |.\JNZ SHORT ICONCRAF.00642D43                                                    │
    │00642D9E  |>CMP DWORD PTR SS:[EBP-1C],1                                                     │
    │00642DA2  |.JLE ICONCRAF.00642E29                                                           │
    │00642DA8  |.LEA ECX,DWORD PTR SS:[EBP-C]                                                    │
    │00642DAB  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642DAE  |.MOV EAX,DWORD PTR DS:[EAX+300]                                                  │
    │00642DB4  |.XOR EDX,EDX                                                                     │
    │00642DB6  |.MOV EBX,DWORD PTR DS:[EAX]                                                      │
    │00642DB8  |.CALL DWORD PTR DS:[EBX+C]                                                       │
    │00642DBB  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642DBE  |.MOV EAX,DWORD PTR DS:[EAX+300]                                                  │
    │00642DC4  |.MOV EDX,DWORD PTR DS:[EAX]                                                      │
    │00642DC6  |.CALL DWORD PTR DS:[EDX+14]                                                      │
    │00642DC9  |.MOV ESI,EAX                                                                     │
    │00642DCB  |.DEC ESI                                                                         │
    │00642DCC  |.TEST ESI,ESI                                                                    │
    │00642DCE  |.JLE SHORT ICONCRAF.00642E29                                                     │
    │00642DD0  |.MOV DWORD PTR SS:[EBP-18],1                                                     │
    │00642DD7  |>/LEA EAX,DWORD PTR SS:[EBP-30]                                                  │
    │00642DDA  |.|PUSH EAX                                                                       │
    │00642DDB  |.|LEA ECX,DWORD PTR SS:[EBP-5C]                                                  │
    │00642DDE  |.|MOV EAX,DWORD PTR SS:[EBP-4]                                                   │
    │00642DE1  |.|MOV EAX,DWORD PTR DS:[EAX+300]                                                 │
    │00642DE7  |.|MOV EDX,DWORD PTR SS:[EBP-18]                                                  │
    │00642DEA  |.|MOV EBX,DWORD PTR DS:[EAX]                                                     │
    │00642DEC  |.|CALL DWORD PTR DS:[EBX+C]                                                      │
    │00642DEF  |.|MOV EAX,DWORD PTR SS:[EBP-5C]                                                  │
    │00642DF2  |.|CALL ICONCRAF.0040418C                                                         │
    │00642DF7  |.|PUSH EAX                                                                       │
    │00642DF8  |.|LEA ECX,DWORD PTR SS:[EBP-60]                                                  │
    │00642DFB  |.|MOV EAX,DWORD PTR SS:[EBP-4]                                                   │
    │00642DFE  |.|MOV EAX,DWORD PTR DS:[EAX+300]                                                 │
    │00642E04  |.|MOV EDX,DWORD PTR SS:[EBP-18]                                                  │
    │00642E07  |.|MOV EBX,DWORD PTR DS:[EAX]                                                     │
    │00642E09  |.|CALL DWORD PTR DS:[EBX+C]                                                      │
    │00642E0C  |.|MOV EAX,DWORD PTR SS:[EBP-60]                                                  │
    │00642E0F  |.|MOV EDX,DWORD PTR SS:[EBP-1C]                                                  │
    │00642E12  |.|POP ECX                                                                        │
    │00642E13  |.|CALL ICONCRAF.00404394                                                         │
    │00642E18  |.|LEA EAX,DWORD PTR SS:[EBP-C]                                                   │
    │00642E1B  |.|MOV EDX,DWORD PTR SS:[EBP-30]                                                  │
    │00642E1E  |.|CALL ICONCRAF.00404194                                                         │
    │00642E23  |.|INC DWORD PTR SS:[EBP-18]                                                      │
    │00642E26  |.|DEC ESI                                                                        │
    │00642E27  |.\JNZ SHORT ICONCRAF.00642DD7                                                    │
    │00642E29  |>MOV EAX,DWORD PTR SS:[EBP-C]     ;EAX=registration key                          │
     ───────────────────────────────────────────────
    │00642E2C  |.CALL ICONCRAF.00700D10           ;key call: checks the registration key         │
     ───────────────────────────────────────────────
    │00642E31  |.MOV DL,1                                                                        │
    │00642E33  |.MOV EAX,DWORD PTR DS:[4838D0]                                                   │
    │00642E38  |.CALL ICONCRAF.004839D0                                                          │
    │00642E3D  |.MOV DWORD PTR SS:[EBP-24],EAX                                                   │
    │00642E40  |.XOR EAX,EAX                                                                     │
    │00642E42  |.PUSH EBP                                                                        │
    │00642E43  |.PUSH ICONCRAF.00642F78                                                          │
    │00642E48  |.PUSH DWORD PTR FS:[EAX]                                                         │
    │00642E4B  |.MOV DWORD PTR FS:[EAX],ESP                                                      │
    │00642E4E  |.MOV EDX,80000001                                                                │
    │00642E53  |.MOV EAX,DWORD PTR SS:[EBP-24]                                                   │
    │00642E56  |.CALL ICONCRAF.00483AAC                                                          │
    │00642E5B  |.PUSH ICONCRAF.006430BC           ;ASCII "Software\IconEmpire\"                  │
    │00642E60  |.MOV EAX,DWORD PTR DS:[71F228]                                                   │
    │00642E65  |.PUSH DWORD PTR DS:[EAX]                                                         │
    │00642E67  |.PUSH ICONCRAF.006430DC                                                          │
    │00642E6C  |.LEA EAX,DWORD PTR SS:[EBP-68]                                                   │
    │00642E6F  |.CALL ICONCRAF.00700A90                                                          │
    │00642E74  |.PUSH DWORD PTR SS:[EBP-68]                                                      │
    │00642E77  |.LEA EAX,DWORD PTR SS:[EBP-64]                                                   │
    │00642E7A  |.MOV EDX,4                                                                       │
    │00642E7F  |.CALL ICONCRAF.0040424C                                                          │
    │00642E84  |.MOV EDX,DWORD PTR SS:[EBP-64]                                                   │
    │00642E87  |.MOV CL,1                                                                        │
    │00642E89  |.MOV EAX,DWORD PTR SS:[EBP-24]                                                   │
    │00642E8C  |.CALL ICONCRAF.00483B14                                                          │
    │00642E91  |.MOV BYTE PTR SS:[EBP-5],AL                                                      │
    │00642E94  |.CMP BYTE PTR SS:[EBP-5],0                                                       │
     ───────────────────────────────────────────────
    │00642E98  |.JE ICONCRAF.00642F62             ;fails if the jump is taken                    │
     ───────────────────────────────────────────────
    │00642E9E  |.MOV ECX,DWORD PTR SS:[EBP-C]                                                    │
    │00642EA1  |.MOV EDX,ICONCRAF.006430E8        ;ASCII "Key"                                   │
    │00642EA6  |.MOV EAX,DWORD PTR SS:[EBP-24]                                                   │
    │00642EA9  |.CALL ICONCRAF.00484060                                                          │
    │00642EAE  |.MOV EDX,ICONCRAF.006430E8        ;ASCII "Key"                                   │
    │00642EB3  |.LEA ECX,DWORD PTR SS:[EBP-6C]                                                   │
    │00642EB6  |.MOV EAX,DWORD PTR SS:[EBP-24]                                                   │
    │00642EB9  |.CALL ICONCRAF.0048408C                                                          │
    │00642EBE  |.MOV EDX,DWORD PTR SS:[EBP-6C]                                                   │
    │00642EC1  |.MOV EAX,DWORD PTR SS:[EBP-C]                                                    │
    │00642EC4  |.CALL ICONCRAF.0040429C                                                          │
    │00642EC9  |.SETE BYTE PTR SS:[EBP-5]                                                        │
    │00642ECD  |.CALL ICONCRAF.0040B358                                                          │
    │00642ED2  |.ADD ESP,-8                       ;                                              │
    │00642ED5  |.FSTP QWORD PTR SS:[ESP]          ;Arg1 (8 bytes)                                │
    │00642ED8  |.WAIT                             ;                                              │
    │00642ED9  |.MOV EDX,ICONCRAF.006430F4        ;ASCII "Time"                                  │
    │00642EDE  |.MOV EAX,DWORD PTR SS:[EBP-24]    ;                                              │
    │00642EE1  |.CALL ICONCRAF.00484104           ;iconcraf.00484104                             │
    │00642EE6  |.LEA EAX,DWORD PTR SS:[EBP-70]                                                   │
    │00642EE9  |.CALL ICONCRAF.006FFB18                                                          │
    │00642EEE  |.MOV ECX,DWORD PTR SS:[EBP-70]                                                   │
    │00642EF1  |.MOV EDX,ICONCRAF.00643104        ;ASCII "FullProductName"                       │
    │00642EF6  |.MOV EAX,DWORD PTR SS:[EBP-24]                                                   │
    │00642EF9  |.CALL ICONCRAF.00484060                                                          │
    │00642EFE  |.LEA EDX,DWORD PTR SS:[EBP-74]                                                   │
    │00642F01  |.MOV EAX,DWORD PTR SS:[EBP-4]                                                    │
    │00642F04  |.MOV EAX,DWORD PTR DS:[EAX+2F0]                                                  │
    │00642F0A  |.CALL ICONCRAF.00437B28                                                          │
    │00642F0F  |.MOV EAX,DWORD PTR SS:[EBP-74]                                                   │
    │00642F12  |.LEA EDX,DWORD PTR SS:[EBP-28]                                                   │
    │00642F15  |.CALL ICONCRAF.004098EC                                                          │
    │00642F1A  |.CMP DWORD PTR SS:[EBP-20],1                                                     │
    │00642F1E  |.JE SHORT ICONCRAF.00642F52                                                      │
    │00642F20  |.PUSH DWORD PTR SS:[EBP-28]                                                      │
    │00642F23  |.PUSH ICONCRAF.0064311C           ;ASCII "<BR>"                                  │
    │00642F28  |.PUSH ICONCRAF.0064312C           ;ASCII " - "                                   │
    │00642F2D  |.LEA EDX,DWORD PTR SS:[EBP-78]                                                   │
    │00642F30  |.MOV EAX,DWORD PTR SS:[EBP-20]                                                   │
    │00642F33  |.CALL ICONCRAF.00409AA0                                                          │
    │00642F38  |.PUSH DWORD PTR SS:[EBP-78]                                                      │
    │00642F3B  |.PUSH ICONCRAF.006430A4                                                          │
    │00642F40  |.PUSH ICONCRAF.00643138           ;ASCII "licenses -"                            │
    │00642F45  |.LEA EAX,DWORD PTR SS:[EBP-28]                                                   │
    │00642F48  |.MOV EDX,6                                                                       │
    │00642F4D  |.CALL ICONCRAF.0040424C                                                          │
    │00642F52  |>MOV ECX,DWORD PTR SS:[EBP-28]                                                   │
    │00642F55  |.MOV EDX,ICONCRAF.0064314C        ;ASCII "UserName"                              │
    │00642F5A  |.MOV EAX,DWORD PTR SS:[EBP-24]                                                   │
    │00642F5D  |.CALL ICONCRAF.00484060                                                          │
    │00642F62  |>XOR EAX,EAX                                                                     │
    │00642F64  |.POP EDX                                                                         │
    │00642F65  |.POP ECX                                                                         │
    │00642F66  |.POP ECX                                                                         │
    │00642F67  |.MOV DWORD PTR FS:[EAX],EDX                                                      │
    │00642F6A  |.PUSH ICONCRAF.00642F7F                                                          │
    │00642F6F  |>MOV EAX,DWORD PTR SS:[EBP-24]                                                   │
    │00642F72  |.CALL ICONCRAF.00403194                                                          │
    │00642F77  \.RETN                                                                            │
    └──────────────────────────────────────────────┘
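    Heh, a glance shows that the long stretch at the front only checks for the "- KEY BEGIN KEY -" and "- KEY END KEY -" strings, so I won't go through it. The part that matters is the call at 642E2C, whose body is: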
    ┌──────────────────────────────────────────────┐
    │00700D10  /$PUSH EBX                                                                        │
    │00700D11  |.MOV EBX,EAX                                                                     │
     ───────────────────────────────────────────────
    │00700D13  |.CMP BYTE PTR DS:[EBX],30                 ;  first key byte compared with '0'    │
     ───────────────────────────────────────────────
    │00700D16  |.JNZ SHORT ICONCRAF.00700D2F              ;  fails if the jump is taken          │
    │00700D18  |.MOV EAX,EBX                                                                     │
    │00700D1A  |.CALL ICONCRAF.0040418C                   ;  get key length                      │
     ───────────────────────────────────────────────
    │00700D1F  |.CMP EAX,0AD                              ;  key length compared with 0xAD (173) │
     ───────────────────────────────────────────────
    │00700D24  |.JNZ SHORT ICONCRAF.00700D2F              ;  fails if the jump is taken          │
     ───────────────────────────────────────────────
    │00700D26  |.CMP BYTE PTR DS:[EBX+AC],3D              ;  last key byte compared with '='     │
     ───────────────────────────────────────────────
    │00700D2D  |.JE SHORT ICONCRAF.00700D45               ;  fails if the jump is not taken      │
    │00700D2F  |>MOV ECX,ICONCRAF.00700D50                ;  ASCII "Invalid key"                 │
    │00700D34  |.MOV DL,1                                                                        │
    │00700D36  |.MOV EAX,DWORD PTR DS:[408A60]                                                   │
    │00700D3B  |.CALL ICONCRAF.0040D134                                                          │
    │00700D40  |.CALL ICONCRAF.0040392C                                                          │
    │00700D45  |>POP EBX                                                                         │
    │00700D46  \.RETN                                                                            │
    └──────────────────────────────────────────────┘
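    The registration algorithm really is that simple!
    The flow is:
    1. First it checks whether the registration code contains the "- KEY BEGIN KEY -" and "- KEY END KEY -" strings; if it does, the characters between them are taken as the registration key. Spaces are removed automatically. Chinese characters are allowed.
    2. Once it has the key, it counts the '=' characters in it. If the count is 0, the registration-failed dialog is shown.
    3. When there is exactly one '=', the part to the left of the '=' (including the '=') is taken as the new key and checked: is the first character '0', is the last character '=', and is the length 0xAD (173 decimal)? If so, the program registers under a single-user license.
    4. When there is more than one '=', the key is split step by step into segments of the form '......=', and each segment gets the same check: first character '0', last character '=', length 0xAD (173 decimal). As soon as one segment passes, the program registers under a multi-user license, and the number of licenses is the number of '=' characters.
    5. The registry entries are written.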
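The routine at 00700D10 compares only the first byte, the length and the last byte, so nothing in the key is tied to a licensee or to the vendor. The following added example (not from the original write-up and not the vendor's code) models that check in Python beside a license token that carries an HMAC over the licensee and seat count; the token layout, the function names and the secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

KEY_LEN = 0xAD  # 173 bytes: the length compared at 00700D1F


def format_only_check(key: bytes) -> bool:
    """Model of the routine at 00700D10: first byte, length, last byte.

    No secret and no licensee data take part, so the result says nothing
    about who issued the key.
    """
    return len(key) == KEY_LEN and key[:1] == b"0" and key[-1:] == b"="


def issue_license(secret: bytes, licensee: str, seats: int) -> str:
    """Vendor side (hypothetical format): payload plus HMAC-SHA256 tag."""
    payload = f"{licensee}|{seats}".encode("utf-8")
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(tag).decode()


def verify_license(secret: bytes, token: str):
    """Return (licensee, seats) for a genuine token, otherwise None.

    Assumption: this runs on the vendor's activation server, because an HMAC
    secret shipped inside the client could be extracted. An offline check
    would use an asymmetric signature with only the public key in the binary.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or bad base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    licensee, seats = payload.decode("utf-8").rsplit("|", 1)
    return licensee, int(seats)


def tamper_seats(token: str, seats: int) -> str:
    """Rewrite the seat count without re-signing, as a hand edit would."""
    payload_b64, tag_b64 = token.split(".")
    payload = base64.urlsafe_b64decode(payload_b64).decode("utf-8")
    licensee = payload.rsplit("|", 1)[0]
    forged = f"{licensee}|{seats}".encode("utf-8")
    return base64.urlsafe_b64encode(forged).decode() + "." + tag_b64


if __name__ == "__main__":
    secret = b"constructed-demo-secret"              # constructed sample value
    token = issue_license(secret, "Example Ltd", 1)  # constructed licensee
    print(verify_license(secret, token))                    # genuine token
    print(verify_license(secret, tamper_seats(token, 50)))  # rejected: None
```

With the tag covering the seat count, the license count can no longer be derived from how many '=' characters the input contains.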

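【Crack Summary】:

    This is the simplest registration algorithm I have ever seen, but it still has some value for newcomers to cracking, so I wrote it up. To finish, here is a dumb registration key for everyone's amusement: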

- KEY BEGIN KEY -
0鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.=
- KEY END KEY -


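    A keygen is added as well. It is not a keygen in the full sense, because it cannot list every possible key. One could be written if really wanted, but I see no need: a complex keygen is not worth writing for such a simple key algorithm.
    Experts need not bother.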

Note: the same registration algorithm also registers IconoMaker 3.20 and Perfect Icon 2.30.

Uploaded attachment: KeyGen.rar