
极速传真 [SpeedFax] 2.4 Cracking Notes -- Reverse-Engineering the Registration Algorithm

Posted: 2004/10/15 0:53:00   Source: compiled by this site   Posted by: 蓝点

Author: newlaos


Compiled: 2003.3.14 (华军网)
Latest version: 2.4
File size: 681KB
License: shareware
Platform: Win9x/Me/NT/2000
Publisher: http://www.speedfax.onchina.net/


Software description: a classic tool for sending and receiving faxes quickly and efficiently from a PC. Features:
1. Visual drag-and-drop editing and design of fax cover sheets, with text and graphics combined;
2. Supports Class 1 / Class 2 / Class 2.0 and other fax modems, with auto-detection;
3. Powerful character-macro substitution for building all kinds of fax annotations;
4. Imports many image formats, making fax pictures and stamps easy;
5. Hundreds of fax jobs can be queued at once, ideal for business fax broadcasting;
6. Faxes can be received manually, or the line can be monitored and faxes received automatically;
7. Received faxes can be viewed flipped, zoomed in or out, or compressed;
8. Easy printing of fax files, including automatic printing while a fax is being received;
9. Faxes can be sent directly from WORD/WPS and other office applications;
10. Truly green software: no installation required, simple to operate, attractive interface.

Protection: registration code
Limitation: usage-count limit
Cracking tools: TRW2000 1.23 registered edition, PE-SCAN 3.31, W32Dasm 8.93 Gold Edition, FI 2.5
Crack date: 2003-03-17
Author's (newlaos) statement: this is for study only; do not use it commercially or distribute keygens built from the method in this article. I take no responsibility for any consequences.

1. First check the main program speedfaxV24.exe with FI 2.5: it is not packed.

2. Statically disassemble the main program with W32Dasm 8.93 Gold, open String Data References and find "软件登记注册成功!" ("software registration successful!", the classic string). Double-clicking it leads to the code segment below, which is where the registration code is computed and checked.

3. Then trace dynamically with TRW2000 1.23 registered edition: set a breakpoint with BPX 4FF938 (break a little before the success/failure decision, so the key part is reached), and enter the fake code 78787878.

......
......
:004FF924 8D4DF4                  lea ecx, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"请输入您的软件注册码"
                                 |
:004FF927 BA2CFA4F00              mov edx, 004FFA2C

* Possible StringData Ref from Code Obj ->"登记注册"
                                 |
:004FF92C B84CFA4F00              mov eax, 004FFA4C
:004FF931 E87A36F4FF              call 00442FB0
:004FF936 3C01                    cmp al, 01                <===checks whether you clicked OK or Cancel
:004FF938 0F85A8000000            jne 004FF9E6              <===Cancel: jump to the end
:004FF93E 8D55D4                  lea edx, dword ptr [ebp-2C]
:004FF941 8B45F4                  mov eax, dword ptr [ebp-0C]  <===EAX = pointer to the string we typed, "78787878"
:004FF944 E87B9DF0FF              call 004096C4            
                    <===on return EAX holds an address that points exactly at our fake code
:004FF949 8B45D4                  mov eax, dword ptr [ebp-2C]  <===EAX = pointer to "78787878"
:004FF94C E8C3A0F0FF              call 00409A14            
                    <===first transformation of the registration code (string to number); with fake code 78787878 this gives EAX=4B23526. Working backwards from the checks below, EAX must equal 199FF2 for registration to succeed. F8 to step in and see why.
:004FF951 8945F8                  mov dword ptr [ebp-08], eax
:004FF954 8955FC                  mov dword ptr [ebp-04], edx
:004FF957 6A00                    push 00000000
:004FF959 6A1B                    push 0000001B
:004FF95B 8B45F8                  mov eax, dword ptr [ebp-08]   <===EAX computed by the previous CALL = 4B23526
:004FF95E 8B55FC                  mov edx, dword ptr [ebp-04]   <===EDX=0
:004FF961 E88266F0FF              call 00405FE8                  
                    <===second transformation: with fake code 78787878 this returns EAX=2C86B5. Working backwards, EAX must equal F2F6 here. F8 to step in.
:004FF966 8945F8                  mov dword ptr [ebp-08], eax    <===result of the second transformation; to pass, EAX must be 686+EC70=F2F6
:004FF969 8955FC                  mov dword ptr [ebp-04], edx
:004FF96C 8B45F8                  mov eax, dword ptr [ebp-08]
:004FF96F 8B55FC                  mov edx, dword ptr [ebp-04]
:004FF972 2D70EC0000              sub eax, 0000EC70        
                    <===EC70 is subtracted from the second result; the key to success is that this difference equals 686
:004FF977 83DA00                  sbb edx, 00000000        <===EDX=0
:004FF97A 8945F8                  mov dword ptr [ebp-08], eax
:004FF97D 8955FC                  mov dword ptr [ebp-04], edx
:004FF980 8D45D8                  lea eax, dword ptr [ebp-28]
:004FF983 E8CCEDFFFF              call 004FE754
:004FF988 8B45D8                  mov eax, dword ptr [ebp-28]  <===the value produced by the call just above; on this machine it came out as 686
:004FF98B 99                      cdq                          <===EDX is cleared to 0 here (the value is positive)
:004FF98C 8945E8                  mov dword ptr [ebp-18], eax
:004FF98F 8955EC                  mov dword ptr [ebp-14], edx
:004FF992 8B45F8                  mov eax, dword ptr [ebp-08]    <===so [EBP-08] must equal [EBP-18]
:004FF995 8B55FC                  mov edx, dword ptr [ebp-04]    <===and [EBP-04] must equal [EBP-14]
:004FF998 3B55EC                  cmp edx, dword ptr [ebp-14]    <===must be equal
:004FF99B 7534                    jne 004FF9D1           <===both are 0, so this jump is not taken
:004FF99D 3B45E8                  cmp eax, dword ptr [ebp-18]    
                    <===must be equal (EAX must be 686). This 686 looks like the machine's CPU ID; if so it is machine-dependent, and the registration code derived below is only valid where call 004FE754 returns 686
:004FF9A0 752F                    jne 004FF9D1           <===if this jump is taken, it's over
:004FF9A2 8B83B4030000            mov eax, dword ptr [ebx+000003B4]
:004FF9A8 E8037BFCFF              call 004C74B0
:004FF9AD 6A00                    push 00000000
:004FF9AF 668B0D58FA4F00          mov cx, word ptr [004FFA58]
:004FF9B6 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"软件登记注册成功!"
                                 |
:004FF9B8 B864FA4F00              mov eax, 004FFA64
:004FF9BD E8D234F4FF              call 00442E94
:004FF9C2 33D2                    xor edx, edx
:004FF9C4 8B838C030000            mov eax, dword ptr [ebx+0000038C]
:004FF9CA E839C3F5FF              call 0045BD08
:004FF9CF EB15                    jmp 004FF9E6

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004FF99B(C), :004FF9A0(C)
|
:004FF9D1 6A00                    push 00000000
:004FF9D3 668B0D58FA4F00          mov cx, word ptr [004FFA58]
:004FF9DA B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"软件注册号错误!"
                                 |
:004FF9DC B880FA4F00              mov eax, 004FFA80
:004FF9E1 E8AE34F4FF              call 00442E94

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004FF938(C), :004FF9CF(U)
|
:004FF9E6 33C0                    xor eax, eax
:004FF9E8 5A                      pop edx
:004FF9E9 59                      pop ecx
:004FF9EA 59                      pop ecx
:004FF9EB 648910                  mov dword ptr fs:[eax], edx
:004FF9EE 680BFA4F00              push 004FFA0B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FFA09(U)
|
:004FF9F3 8D45D4                  lea eax, dword ptr [ebp-2C]
:004FF9F6 E8F555F0FF              call 00404FF0
:004FF9FB 8D45F4                  lea eax, dword ptr [ebp-0C]
:004FF9FE E8ED55F0FF              call 00404FF0
:004FFA03 C3                      ret


:004FFA04 E98B4FF0FF              jmp 00404994
:004FFA09 EBE8                    jmp 004FF9F3
:004FFA0B 5B                      pop ebx
:004FFA0C 8BE5                    mov esp, ebp
:004FFA0E 5D                      pop ebp
:004FFA0F C3                      ret

---------The CALL that performs the second transformation of the registration code; F8 step into it (004FF961 call 00405FE8)-------------------------
------------------Note: to pass, the EAX it returns must be F2F6-------------------------
:00405FE8 55                      push ebp
:00405FE9 53                      push ebx
:00405FEA 56                      push esi
:00405FEB 57                      push edi
:00405FEC 31FF                    xor edi, edi
:00405FEE 8B5C2414                mov ebx, dword ptr [esp+14]       <===EBX=1B (the fixed divisor)
:00405FF2 8B4C2418                mov ecx, dword ptr [esp+18]
:00405FF6 09C9                    or ecx, ecx
:00405FF8 7508                    jne 00406002     <===not taken
:00405FFA 09D2                    or edx, edx
:00405FFC 745C                    je 0040605A      <===taken
:00405FFE 09DB                    or ebx, ebx
:00406000 7458                    je 0040605A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405FF8(C)
|
:00406002 09D2                    or edx, edx
:00406004 790A                    jns 00406010
:00406006 F7DA                    neg edx
:00406008 F7D8                    neg eax
:0040600A 83DA00                  sbb edx, 00000000
:0040600D 83CF01                  or edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406004(C)
|
:00406010 09C9                    or ecx, ecx
:00406012 790A                    jns 0040601E
:00406014 F7D9                    neg ecx
:00406016 F7DB                    neg ebx
:00406018 83D900                  sbb ecx, 00000000
:0040601B 83F701                  xor edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406012(C)
|
:0040601E 89CD                    mov ebp, ecx
:00406020 B940000000              mov ecx, 00000040
:00406025 57                      push edi
:00406026 31FF                    xor edi, edi
:00406028 31F6                    xor esi, esi
:0040602A D1E0                    shl eax, 1
:0040602C D1D2                    rcl edx, 1
:0040602E D1D6                    rcl esi, 1
:00406030 D1D7                    rcl edi, 1
:00406032 39EF                    cmp edi, ebp
:00406034 720B                    jb 00406041
:00406036 7704                    ja 0040603C
:00406038 39DE                    cmp esi, ebx
:0040603A 7205                    jb 00406041

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406036(C)
|
:0040603C 29DE                    sub esi, ebx
:0040603E 19EF                    sbb edi, ebp
:00406040 40                      inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406034(C), :0040603A(C)
|
:00406041 E2E7                    loop 0040602A
:00406043 5B                      pop ebx
:00406044 F7C301000000            test ebx, 00000001
:0040604A 7407                    je 00406053
:0040604C F7DA                    neg edx
:0040604E F7D8                    neg eax
:00406050 83DA00                  sbb edx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040604A(C), :0040605E(U)
|
:00406053 5F                      pop edi
:00406054 5E                      pop esi
:00406055 5B                      pop ebx
:00406056 5D                      pop ebp
:00406057 C20800                  ret 0008


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00405FFC(C), :00406000(C)
|
:0040605A F7F3                    div ebx  
    <===jumps straight to here with EBX=1B: an unsigned 32-bit division of EDX:EAX (EDX=0) by EBX, remainder discarded. To pass, EAX must come out as F2F6, so EAX before the division must be 199FF2 (F2F6 * 1B)
:0040605C 31D2                    xor edx, edx
:0040605E EBF3                    jmp 00406053
:00406060 C3                      ret


------The CALL that performs the first transformation of the registration code; F8 step into it (:004FF94C call 00409A14)-------------------------
------------------Note: to pass, the EAX it returns must be 199FF2------------------------------------
:00409A14 53                      push ebx
:00409A15 83C4EC                  add esp, FFFFFFEC
:00409A18 8BD8                    mov ebx, eax
:00409A1A 8D542408                lea edx, dword ptr [esp+08]
:00409A1E 8BC3                    mov eax, ebx       <===EAX=EBX=pointer to "78787878"
:00409A20 E897C7FFFF              call 004061BC     <===this CALL is what computes EAX=4B23526; F8 into it
:00409A25 890424                  mov dword ptr [esp], eax  
:00409A28 89542404                mov dword ptr [esp+04], edx
:00409A2C 837C240800              cmp dword ptr [esp+08], 00000000
:00409A31 7419                    je 00409A4C        <===[esp+08] is the conversion error position; with fake code 78787878 it is 0, so this jump is taken (a non-zero value falls through to the error path at 00409A33)
:00409A33 895C240C                mov dword ptr [esp+0C], ebx
:00409A37 C64424100B              mov [esp+10], 0B
:00409A3C 8D54240C                lea edx, dword ptr [esp+0C]
:00409A40 A1C8555000              mov eax, dword ptr [005055C8]
:00409A45 33C9                    xor ecx, ecx
:00409A47 E86CF9FFFF              call 004093B8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409A31(C)
|
:00409A4C 8B0424                  mov eax, dword ptr [esp]  
:00409A4F 8B542404                mov edx, dword ptr [esp+04]
:00409A53 83C414                  add esp, 00000014
:00409A56 5B                      pop ebx
:00409A57 C3                      ret

------------------------------------------------------------------------------------------
:00409A20  call 004061BC    this CALL computes EAX=4B23526 (we need EAX=199FF2);
F8 into it brings us to the code segment below:

:004061BC 53                      push ebx      <===EBX=pointer to "78787878"
:004061BD 56                      push esi
:004061BE 57                      push edi
:004061BF 55                      push ebp      
:004061C0 83C4EC                  add esp, FFFFFFEC  
:004061C3 891424                  mov dword ptr [esp], edx
:004061C6 8BF0                    mov esi, eax  <===ESI=EAX=pointer to "78787878"
:004061C8 BD01000000              mov ebp, 00000001
:004061CD 33FF                    xor edi, edi
:004061CF C744240800000000        mov [esp+08], 00000000
:004061D7 C744240C00000000        mov [esp+0C], 00000000
:004061DF 85F6                    test esi, esi  <===not zero, of course
:004061E1 750B                    jne 004061EE   <===taken: our input is not empty
:004061E3 8B0424                  mov eax, dword ptr [esp]
:004061E6 8928                    mov dword ptr [eax], ebp
:004061E8 E9E1010000              jmp 004063CE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004061F3(C)
|
:004061ED 45                      inc ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004061E1(C)
|
:004061EE 807C2EFF20              cmp byte ptr [esi+ebp-01], 20  <===arrives here from 004061E1
:004061F3 74F8                    je 004061ED    <===skips leading spaces in the input string; if the first character is not a space it stops looping
:004061F5 C644241000              mov [esp+10], 00
:004061FA 8A442EFF                mov al, byte ptr [esi+ebp-01]
:004061FE 3C2D                    cmp al, 2D       <===is the first character "-"?
:00406200 7508                    jne 0040620A     <===if not, jump
:00406202 C644241001              mov [esp+10], 01
:00406207 45                      inc ebp
:00406208 EB05                    jmp 0040620F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406200(C)
|
:0040620A 3C2B                    cmp al, 2B       <===is the first character "+"?
:0040620C 7501                    jne 0040620F     <===if not, jump
:0040620E 45                      inc ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406208(U), :0040620C(C)
|
:0040620F B301                    mov bl, 01       <===lands here again
:00406211 807C2EFF24              cmp byte ptr [esi+ebp-01], 24  <===is the first character "$"?
:00406216 741B                    je 00406233                    <===not taken
:00406218 807C2EFF30              cmp byte ptr [esi+ebp-01], 30  <===is the first character "0"?
:0040621D 0F85DA000000            jne 004062FD                   <===if not, jump (to the decimal branch)
:00406223 8A042E                  mov al, byte ptr [esi+ebp]
:00406226 E8A9CAFFFF              call 00402CD4
:0040622B 3C58                    cmp al, 58                     <===is the next character "X"? (the call just above upper-cases AL, so "0x" and "0X" both pass)
:0040622D 0F85CA000000            jne 004062FD

***  Note: after trying these branch conditions it is clear the registration code can take the form 0x?????? (a hex number); change the fake code to 0x787878 and start again.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406216(C)
|
:00406233 807C2EFF30              cmp byte ptr [esi+ebp-01], 30  <==is the first character 0?
:00406238 7501                    jne 0040623B                   <==it is, so no jump
:0040623A 45                      inc ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406238(C)
|
:0040623B 45                      inc ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004062D1(U)
|
:0040623C 8A442EFF                mov al, byte ptr [esi+ebp-01] <==fetch the 3rd through 8th characters of the registration code in turn, one hex digit per iteration
:00406240 8BD0                    mov edx, eax
:00406242 80C2D0                  add dl, D0                    <==dl = al - '0'
:00406245 80EA0A                  sub dl, 0A
:00406248 7212                    jb 0040625C                   <=='0'..'9'
:0040624A 80C2F9                  add dl, F9                    <==dl = al - 'A'
:0040624D 80EA06                  sub dl, 06
:00406250 7217                    jb 00406269                   <=='A'..'F'
:00406252 80C2E6                  add dl, E6                    <==dl = al - 'a'
:00406255 80EA06                  sub dl, 06
:00406258 721C                    jb 00406276                   <=='a'..'f' (so hex digits are accepted in either case)
:0040625A EB7A                    jmp 004062D6                  <==once the digits are used up, the terminating NUL fails all three tests and the loop exits here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406248(C)
|
:0040625C 8BF8                    mov edi, eax
:0040625E 81E7FF000000            and edi, 000000FF
:00406264 83EF30                  sub edi, 00000030
:00406267 EB18                    jmp 00406281

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406250(C)
|
:00406269 8BF8                    mov edi, eax
:0040626B 81E7FF000000            and edi, 000000FF
:00406271 83EF37                  sub edi, 00000037
:00406274 EB0B                    jmp 00406281

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406258(C)
|
:00406276 8BF8                    mov edi, eax
:00406278 81E7FF000000            and edi, 000000FF
:0040627E 83EF57                  sub edi, 00000057

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406267(U), :00406274(U)
|
:00406281 837C240C00              cmp dword ptr [esp+0C], 00000000
:00406286 7509                    jne 00406291
:00406288 837C240800              cmp dword ptr [esp+08], 00000000
:0040628D 7247                    jb 004062D6
:0040628F EB02                    jmp 00406293

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406286(C)
|
:00406291 7C43                    jl 004062D6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040628F(U)
|
:00406293 817C240CFFFFFF07        cmp dword ptr [esp+0C], 07FFFFFF    <==range check: the value so far must be <= 07FFFFFF:FFFFFFFF so that the shift below still fits a signed 64-bit integer
:0040629B 7509                    jne 004062A6
:0040629D 837C2408FF              cmp dword ptr [esp+08], FFFFFFFF
:004062A2 7604                    jbe 004062A8
:004062A4 EB30                    jmp 004062D6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040629B(C)
|
:004062A6 7F2E                    jg 004062D6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004062A2(C)
|
:004062A8 8BC7                    mov eax, edi
:004062AA 99                      cdq
:004062AB 52                      push edx
:004062AC 50                      push eax
:004062AD 8B442410                mov eax, dword ptr [esp+10]
:004062B1 8B542414                mov edx, dword ptr [esp+14]
:004062B5 0FA4C204                shld edx, eax, 04             <==EDX:EAX = value * 16
:004062B9 C1E004                  shl eax, 04
:004062BC 030424                  add eax, dword ptr [esp]      <==+ the digit value (EDI, pushed above)
:004062BF 13542404                adc edx, dword ptr [esp+04]
:004062C3 83C408                  add esp, 00000008
:004062C6 89442408                mov dword ptr [esp+08], eax
:004062CA 8954240C                mov dword ptr [esp+0C], edx
:004062CE 45                      inc ebp
:004062CF 33DB                    xor ebx, ebx
:004062D1 E966FFFFFF              jmp 0040623C         <===jumps back up to form the loop, once per hex digit

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040625A(U), :0040628D(C), :00406291(C), :004062A4(U), :004062A6(C)
|
:004062D6 807C241000              cmp byte ptr [esp+10], 00    <==arrives here from 0040625A; [esp+10] is the "-" flag set at 00406202
:004062DB 0F84D3000000            je 004063B4                  <==it is 0, so jump again (no negation needed)
:004062E1 8B442408                mov eax, dword ptr [esp+08]
:004062E5 8B54240C                mov edx, dword ptr [esp+0C]
:004062E9 F7D8                    neg eax
:004062EB 83D200                  adc edx, 00000000
:004062EE F7DA                    neg edx
:004062F0 89442408                mov dword ptr [esp+08], eax
:004062F4 8954240C                mov dword ptr [esp+0C], edx
:004062F8 E9B7000000              jmp 004063B4

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040621D(C), :0040622D(C), :0040636B(U)
|
:004062FD 8A442EFF                mov al, byte ptr [esi+ebp-01]  
       ****** if the first two characters are not 0x, 0040621D jumps here: the decimal branch, which fetches each character of the registration code into AL in turn
:00406301 8BD0                    mov edx, eax
:00406303 80C2D0                  add dl, D0
:00406306 80EA0A                  sub dl, 0A
:00406309 7362                    jnb 0040636D
:0040630B 8BF8                    mov edi, eax
:0040630D 81E7FF000000            and edi, 000000FF
:00406313 83EF30                  sub edi, 00000030
:00406316 837C240C00              cmp dword ptr [esp+0C], 00000000
:0040631B 7509                    jne 00406326
:0040631D 837C240800              cmp dword ptr [esp+08], 00000000
:00406322 7249                    jb 0040636D
:00406324 EB02                    jmp 00406328

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040631B(C)
|
:00406326 7C45                    jl 0040636D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406324(U)
|
:00406328 817C240CCCCCCC0C        cmp dword ptr [esp+0C], 0CCCCCCC    <==range check: the value so far must be <= 0CCCCCCC:CCCCCCCC before it is multiplied by 10
:00406330 750C                    jne 0040633E
:00406332 817C2408CCCCCCCC        cmp dword ptr [esp+08], CCCCCCCC
:0040633A 7604                    jbe 00406340
:0040633C EB2F                    jmp 0040636D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406330(C)
|
:0040633E 7F2D                    jg 0040636D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040633A(C)
|
:00406340 6A00                    push 00000000
:00406342 6A0A                    push 0000000A
:00406344 8B442410                mov eax, dword ptr [esp+10]
:00406348 8B542414                mov edx, dword ptr [esp+14]
:0040634C E873FCFFFF              call 00405FC4                 <==64-bit multiply of EDX:EAX by 0A (pushed above); the digit value in EDI is added next
:00406351 52                      push edx
:00406352 50                      push eax
:00406353 8BC7                    mov eax, edi
:00406355 99                      cdq
:00406356 030424                  add eax, dword ptr [esp]
:00406359 13542404                adc edx, dword ptr [esp+04]
:0040635D 83C408                  add esp, 00000008
:00406360 89442408                mov dword ptr [esp+08], eax
:00406364 8954240C                mov dword ptr [esp+0C], edx
:00406368 45                      inc ebp
:00406369 33DB                    xor ebx, ebx
:0040636B EB90                    jmp 004062FD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406309(C), :00406322(C), :00406326(C), :0040633C(U), :0040633E(C)
|
:0040636D 807C241000              cmp byte ptr [esp+10], 00
:00406372 7417                    je 0040638B
:00406374 8B442408                mov eax, dword ptr [esp+08]
:00406378 8B54240C                mov edx, dword ptr [esp+0C]
:0040637C F7D8                    neg eax
:0040637E 83D200                  adc edx, 00000000
:00406381 F7DA                    neg edx
:00406383 89442408                mov dword ptr [esp+08], eax
:00406387 8954240C                mov dword ptr [esp+0C], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406372(C)
|
:0040638B 837C240C00              cmp dword ptr [esp+0C], 00000000
:00406390 7505                    jne 00406397
:00406392 837C240800              cmp dword ptr [esp+08], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406390(C)
|
:00406397 741B                    je 004063B4
:00406399 837C240C00              cmp dword ptr [esp+0C], 00000000
:0040639E 750A                    jne 004063AA
:004063A0 837C240800              cmp dword ptr [esp+08], 00000000
:004063A5 0F92C0                  setb al
:004063A8 EB03                    jmp 004063AD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040639E(C)
|
:004063AA 0F9CC0                  setl al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063A8(U)
|
:004063AD 3A442410                cmp al, byte ptr [esp+10]
:004063B1 7401                    je 004063B4
:004063B3 4D                      dec ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004062DB(C), :004062F8(U), :00406397(C), :004063B1(C)
|
:004063B4 807C2EFF00              cmp byte ptr [esi+ebp-01], 00  <==arrives here from 004062DB
:004063B9 0F95C0                  setne al
:004063BC 0AD8                    or bl, al
:004063BE 7407                    je 004063C7
:004063C0 8B0424                  mov eax, dword ptr [esp]
:004063C3 8928                    mov dword ptr [eax], ebp
:004063C5 EB07                    jmp 004063CE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063BE(C)
|
:004063C7 8B0424                  mov eax, dword ptr [esp]
:004063CA 33D2                    xor edx, edx
:004063CC 8910                    mov dword ptr [eax], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004061E8(U), :004063C5(U)
|
:004063CE 8B442408                mov eax, dword ptr [esp+08]  
           <===with the 0x prefix, EAX here is exactly 787878. We need EAX=199FF2, so at this point the registration code can be deduced: 0x199ff2 (the author typed it in lowercase; the digit classification above accepts A-F as well). Quit the program and try it: "registration complete"
:004063D2 8B54240C                mov edx, dword ptr [esp+0C]
:004063D6 83C414                  add esp, 00000014
:004063D9 5D                      pop ebp
:004063DA 5F                      pop edi
:004063DB 5E                      pop esi
:004063DC 5B                      pop ebx
:004063DD C3                      ret


------------------------------------------------------------------------------------------

4. The program also handles the case where the first two characters are not 0x. I traced that branch but did not immediately see how to turn it back into a registration code, so here is its algorithm, in C:

    #include <stdio.h>

    long long eax = 0;
    const char *string = /* the registration code as typed */;
    for (int i = 0; string[i] != '\0'; i++)     /* once per character of the code */
        eax = eax * 10 + (string[i] - '0');     /* digit value, not the ASCII code */
    printf("%lld\n", eax);                      /* must equal 199FF2 hex = 1679346 decimal */

So it works out: another valid registration code is 1679346.
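The whole check, from the string parser at 004061BC through the division at 00405FE8 and the compare at 004FF99D, re-implemented in Python so it can be run against candidate codes. This is an example added for this write-up, not code from SpeedFax; the function names are mine, and MACHINE_VALUE = 0x686 is an assumption (it is what call 004FE754 returned on the author's machine and may differ elsewhere). It goes a little beyond the text in two ways: it enumerates every integer the check accepts (27 of them, because the division discards the remainder), and it shows the "$" prefix the parser also accepts, alongside the 0x form from step 3 and the decimal form from step 4.

```python
# Reconstruction of the SpeedFax 2.4 registration check traced above.
# Added example for this write-up; not the program's own code. Function
# names are mine; MACHINE_VALUE is an assumption (see below).

INT64_MAX = (1 << 63) - 1

MACHINE_VALUE = 0x686    # what call 004FE754 returned on the author's box; assumed machine-dependent
DIVISOR = 0x1B           # second transformation: division by 1B (call 00405FE8)
OFFSET = 0xEC70          # sub eax, 0000EC70 at 004FF972


def parse_reg_code(s):
    """Mimic the string-to-int64 routine at 004061BC.

    Skips leading spaces, takes an optional '+' or '-', then either '$' or
    '0x'/'0X' for hex, otherwise decimal digits. Returns (value, err), where
    err is 0 on success or the 1-based position of the offending character,
    like the error code the routine stores through [esp].
    """
    n = len(s)
    i = 0
    while i < n and s[i] == ' ':                  # cmp byte ptr [esi+ebp-01], 20
        i += 1
    neg = False
    if i < n and s[i] == '-':                     # cmp al, 2D
        neg = True
        i += 1
    elif i < n and s[i] == '+':                   # cmp al, 2B
        i += 1
    base = 10
    if i < n and s[i] == '$':                     # cmp byte ptr [esi+ebp-01], 24
        base = 16
        i += 1
    elif i + 1 < n and s[i] == '0' and s[i + 1] in 'xX':   # '0' then UpCase(next) == 'X'
        base = 16
        i += 2
    start = i
    value = 0
    while i < n:
        c = s[i]
        if '0' <= c <= '9':                       # sub edi, 30
            d = ord(c) - 0x30
        elif base == 16 and 'A' <= c <= 'F':      # sub edi, 37
            d = ord(c) - 0x37
        elif base == 16 and 'a' <= c <= 'f':      # sub edi, 57
            d = ord(c) - 0x57
        else:
            break
        value = value * base + d                  # shl/shld by 4, or multiply by 0A, then add
        if value > INT64_MAX:                     # the 07FFFFFF.. / 0CCCCCCC.. range checks
            return 0, i + 1
        i += 1
    if i == start or i != n:                      # no digits at all, or trailing junk
        return 0, i + 1
    return (-value if neg else value), 0


def check_reg_code(s, machine_value=MACHINE_VALUE):
    """The test at 004FF94C..004FF9A0: parse, divide by 1B, subtract EC70, compare."""
    value, err = parse_reg_code(s)
    if err:
        return False                  # the real program takes the conversion-error path here
    q = abs(value) // DIVISOR         # 00405FE8 is a signed 64-bit divide that
    if value < 0:                     # truncates toward zero
        q = -q
    return q - OFFSET == machine_value


def valid_codes(machine_value=MACHINE_VALUE):
    """Every integer the check accepts: because the remainder of the division is
    discarded, all 27 values from (machine_value + EC70) * 1B up to +1A pass."""
    base = (machine_value + OFFSET) * DIVISOR
    return list(range(base, base + DIVISOR))


def code_strings(machine_value=MACHINE_VALUE):
    """The three spellings the parser accepts for the smallest valid code."""
    base = valid_codes(machine_value)[0]
    return ["0x%x" % base, "$%X" % base, "%d" % base]


if __name__ == "__main__":
    for s in ("78787878", "0x787878", "0x199ff2", "$199FF2", "1679346", "1679372", "1679373"):
        print("%-10s -> %s" % (s, check_reg_code(s)))
    print(code_strings())
```

Codes that fail to parse (letters in the decimal form, trailing characters, an empty string) make the real program fall through to the error path at 00409A33; check_reg_code simply returns False for them. The INT64_MIN corner of the decimal branch is not modelled.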


5. The registration information is stored in the registry under
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1AE69D60-73D0-11D4-BD52-38A480C50000}]
"224951124"="224951124"

This value normally holds 1-10, the number of trial uses remaining; when it holds the value shown above, the copy is registered.
Delete the value and the program reverts to the unregistered version.


(I have never studied assembly, and taught myself C for a while without finishing; if anything here is wrong, please correct me.)