Protection type: registration code
Tools used: TRW2000; W32Dasm 10.0
Author's statement: purely a technical exchange with no commercial purpose; please keep the text intact when reposting.
/////////////////////////////////////////////////////////////////////////////////////////////
To begin, load the program in TRW2000, enter a registration code, set BPX HMEMCPY and click "Register". The program is intercepted; after BC * and PMODULE, execution stops here:

:004419B0 3BC3            cmp eax, ebx
:004419B2 DBE2            fclex
:004419B4 7D12            jge 004419C8
:004419B6 68A0000000      push 000000A0
:004419BB 68FCE24000      push 0040E2FC
:004419C0 57              push edi
:004419C1 50              push eax

Trace with F10; after ********!!!!!!%%%%%% (exhausting!) you arrive at PART1.

/////////////////////////////////////PART1////////////////////////////////////////////////
:00441C6C FF1510114000    Call dword ptr [00401110]
:00441C72 8BF8            mov edi, eax
:00441C74 8D55E4          lea edx, dword ptr [ebp-1C]
:00441C77 F7DF            neg edi
:00441C79 1BFF            sbb edi, edi
:00441C7B 52              push edx
:00441C7C 47              inc edi
:00441C7D F7DF            neg edi
:00441C7F E86C220000      call 00443EF0    / key CALL; step into it, see PART2
:00441C84 6648            dec ax
:00441C86 8D4DE4          lea ecx, dword ptr [ebp-1C]
:00441C89 66F7D8          neg ax
:00441C8C 1BC0            sbb eax, eax
:00441C8E 40              inc eax
:00441C8F F7D8            neg eax
:00441C91 0BF8            or edi, eax
:00441C93 8D45E0          lea eax, dword ptr [ebp-20]
:00441C96 50              push eax
:00441C97 51              push ecx
:00441C98 6A02            push 00000002

/////////////////////////////////////PART2////////////////////////////////////////////////
:00443EF0 55              push ebp
:00443EF1 8BEC            mov ebp, esp
:00443EF3 83EC08          sub esp, 00000008
:00443EF6 68662A4000      push 00402A66
:00443EFB 64A100000000    mov eax, dword ptr fs:[00000000]
:00443F01 50              push eax
:00443F02 64892500000000  mov dword ptr fs:[00000000], esp
:00443F09 81ECB4000000    sub esp, 000000B4
:00443F0F 53              push ebx
:00443F10 56              push esi
:00443F11 57              push edi
:00443F12 8965F8          mov dword ptr [ebp-08], esp
:00443F15 C745FC80254000  mov [ebp-04], 00402580
:00443F1C 8B4508          mov eax, dword ptr [ebp+08]
:00443F1F 33F6            xor esi, esi
:00443F21 8975E0          mov dword ptr [ebp-20], esi
:00443F24 8975DC          mov dword ptr [ebp-24], esi
:00443F27 8B08            mov ecx, dword ptr [eax]
:00443F29 8975D0          mov dword ptr [ebp-30], esi
:00443F2C 51              push ecx
:00443F2D 8975CC          mov dword ptr [ebp-34], esi
:00443F30 8975C8          mov dword ptr [ebp-38], esi
:00443F33 8975C4          mov dword ptr [ebp-3C], esi
:00443F36 8975C0          mov dword ptr [ebp-40], esi
:00443F39 8975B0          mov dword ptr [ebp-50], esi
:00443F3C 8975A0          mov dword ptr [ebp-60], esi
:00443F3F 897590          mov dword ptr [ebp-70], esi
:00443F42 897580          mov dword ptr [ebp-80], esi
:00443F45 89B57CFFFFFF    mov dword ptr [ebp+FFFFFF7C], esi
:00443F4B 89B578FFFFFF    mov dword ptr [ebp+FFFFFF78], esi
:00443F51 89B564FFFFFF    mov dword ptr [ebp+FFFFFF64], esi
:00443F57 89B554FFFFFF    mov dword ptr [ebp+FFFFFF54], esi

* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:00443F5D FF1528104000    Call dword ptr [00401028]
:00443F63 83F80E          cmp eax, 0000000E    / eax returns the length of the registration code; it must be 14 characters, otherwise the check fails
:00443F66 740E            je 00443F76
:00443F68 8975D8          mov dword ptr [ebp-28], esi
:00443F6B 6861424400      push 00444261
:00443F70 9B              wait
:00443F71 E9C8020000      jmp 0044423E

................. ............

:00443FCC 85C0            test eax, eax    / loop: sum the digits in the first 12 characters of the registration code
:00443FCE 0F848D000000    je 00444061
:00443FD4 8D55B0          lea edx, dword ptr [ebp-50]
:00443FD7 8D45E0          lea eax, dword ptr [ebp-20]
:00443FDA 52              push edx
:00443FDB 50              push eax
:00443FDC C745B801000000  mov [ebp-48], 00000001
:00443FE3 C745B002000000  mov [ebp-50], 00000002

* Reference To: MSVBVM60.__vbaI4Var, Ord:0000h
|
:00443FEA FF1520124000    Call dword ptr [00401220]
:00443FF0 8B4D08          mov ecx, dword ptr [ebp+08]
:00443FF3 50              push eax
:00443FF4 8B11            mov edx, dword ptr [ecx]
:00443FF6 52              push edx

* Reference To: MSVBVM60.rtcMidCharBstr, Ord:0277h
|
:00443FF7 FF15E8104000    Call dword ptr [004010E8]
:00443FFD 8BD0            mov edx, eax
:00443FFF 8D4DD0          lea ecx, dword ptr [ebp-30]
:00444002 FFD7            call edi
:00444004 50              push eax

* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
|
:00444005 FF15A4124000    Call dword ptr [004012A4]
:0044400B 0FBF45DC        movsx eax, word ptr [ebp-24]
:0044400F 898544FFFFFF    mov dword ptr [ebp+FFFFFF44], eax
:00444015 DB8544FFFFFF    fild dword ptr [ebp+FFFFFF44]
:0044401B DD9D3CFFFFFF    fstp qword ptr [ebp+FFFFFF3C]
:00444021 DC853CFFFFFF    fadd qword ptr [ebp+FFFFFF3C]
:00444027 DFE0            fstsw ax
:00444029 A80D            test al, 0D
:0044402B 0F8547020000    jne 00444278
:00444031 FFD6            call esi
:00444033 8D4DD0          lea ecx, dword ptr [ebp-30]
:00444036 8945DC          mov dword ptr [ebp-24], eax    / store the running sum of the digits in the registration code

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00444039 FF15A0124000    Call dword ptr [004012A0]
:0044403F 8D4DB0          lea ecx, dword ptr [ebp-50]
:00444042 FFD3            call ebx
:00444044 8D8D54FFFFFF    lea ecx, dword ptr [ebp+FFFFFF54]
:0044404A 8D9564FFFFFF    lea edx, dword ptr [ebp+FFFFFF64]
:00444050 51              push ecx
:00444051 8D45E0          lea eax, dword ptr [ebp-20]
:00444054 52              push edx
:00444055 50              push eax

* Reference To: MSVBVM60.__vbaVarForNext, Ord:0000h
|
:00444056 FF1594124000    Call dword ptr [00401294]
:0044405C E96BFFFFFF      jmp 00443FCC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00443FCE(C)
|
:00444061 8B0D34D04400    mov ecx, dword ptr [0044D034]    / take the last two characters of the machine code
:00444067 6A02            push 00000002
:00444069 51              push ecx

* Reference To: MSVBVM60.rtcRightCharBstr, Ord:026Ah
|
:0044406A FF1570124000    Call dword ptr [00401270]
:00444070 8BD0            mov edx, eax
:00444072 8D4DD0          lea ecx, dword ptr [ebp-30]
:00444075 FFD7            call edi
:00444077 50              push eax

* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
|
:00444078 FF15A4124000    Call dword ptr [004012A4]
:0044407E FFD6            call esi
:00444080 8D4DD0          lea ecx, dword ptr [ebp-30]
:00444083 8BF0            mov esi, eax    / the last two characters of the machine code, converted to a number, are stored in esi; the code below derives the transformed code from them

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00444085 FF15A0124000    Call dword ptr [004012A0]
:0044408B 6683FE0A        cmp si, 000A    / is the number greater than or equal to 10?
:0044408F 7D0A            jge 0044409B
:00444091 6683C60A        add si, 000A    / if it is less than 10, add 10 to it
:00444095 0F80E2010000    jo 0044427D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044408F(C)
|
:0044409B 668BC6          mov ax, si
:0044409E 66B90A00        mov cx, 000A
:004440A2 6699            cwd
:004440A4 66F7F9          idiv cx    / divide the number by 10 and test the remainder
:004440A7 6685D2          test dx, dx
:004440AA 750A            jne 004440B6
:004440AC 6683C609        add si, 0009    / if it divides evenly, add 9 to the number and then multiply by 3; otherwise just multiply the number by 3
:004440B0 0F80C7010000    jo 0044427D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004440AA(C)
|
:004440B6 666BF603        imul si, 0003
:004440BA 0F80BD010000    jo 0044427D
:004440C0 660375DC        add si, word ptr [ebp-24]    / add the digit sum of the first 12 characters of the registration code to the transformed machine code
:004440C4 8D45A0          lea eax, dword ptr [ebp-60]
:004440C7 8D4DB0          lea ecx, dword ptr [ebp-50]
:004440CA 8D55DC          lea edx, dword ptr [ebp-24]
:004440CD 50              push eax
:004440CE 51              push ecx
:004440CF 0F80A8010000    jo 0044427D
:004440D5 8975DC          mov dword ptr [ebp-24], esi    / store the result in [ebp-24]
:004440D8 8955A8          mov dword ptr [ebp-58], edx
:004440DB C745A002400000  mov [ebp-60], 00004002

* Reference To: MSVBVM60.rtcVarStrFromVar, Ord:0265h
|
:004440E2 FF153C124000    Call dword ptr [0040123C]
:004440E8 8D55B0          lea edx, dword ptr [ebp-50]
:004440EB 8D45D0          lea eax, dword ptr [ebp-30]
:004440EE 52              push edx
:004440EF 50              push eax

* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:004440F0 FF15B8114000    Call dword ptr [004011B8]
:004440F6 50              push eax

* Reference To: MSVBVM60.rtcTrimBstr, Ord:0207h
|
:004440F7 FF1558104000    Call dword ptr [00401058]
:004440FD 8BD0            mov edx, eax    / the result computed above is converted to a decimal number, producing the final transformed code
:004440FF 8D4DC0          lea ecx, dword ptr [ebp-40]
:00444102 FFD7            call edi
:00444104 8B4D08          mov ecx, dword ptr [ebp+08]
:00444107 8B75C0          mov esi, dword ptr [ebp-40]
:0044410A 6A02            push 00000002
:0044410C C745C000000000  mov [ebp-40], 00000000
:00444113 8B11            mov edx, dword ptr [ecx]    / fetch the registration code to get its last two characters
:00444115 52              push edx

* Reference To: MSVBVM60.rtcRightCharBstr, Ord:026Ah
|
:00444116 FF1570124000    Call dword ptr [00401270]
:0044411C 8BD0            mov edx, eax
:0044411E 8D4DC8          lea ecx, dword ptr [ebp-38]
:00444121 FFD7            call edi
:00444123 50              push eax
:00444124 6A02            push 00000002
:00444126 8BD6            mov edx, esi
:00444128 8D4DCC          lea ecx, dword ptr [ebp-34]
:0044412B FFD7            call edi
:0044412D 50              push eax    / take the last two characters of the final transformed code

* Reference To: MSVBVM60.rtcRightCharBstr, Ord:026Ah
|
:0044412E FF1570124000    Call dword ptr [00401270]
:00444134 8BD0            mov edx, eax
:00444136 8D4DC4          lea ecx, dword ptr [ebp-3C]
:00444139 FFD7            call edi
:0044413B 50              push eax

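* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:0044413C FF1510114000    Call dword ptr [00401110]    / compare the last two characters of the transformed code with the last two characters of the registration code; if they are the same, registration succeeds

//////////////////////////////////////////////////////////////////////////////
Algorithm summary:
1. The registration code must be 14 characters long. The digits in the first 12 characters of the registration code are summed.
2. The last two digits of the machine code are transformed to give the transformed code, which is then added to the sum above. The result is converted to a decimal number, and its last two digits are compared with the last two characters of the registration code; if they are the same, registration succeeds.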
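
Added example (not part of the original post and not the analysed program's own code): the check summarised above, re-expressed in Python with the corresponding addresses in comments. The function names, the vb_val() approximation of VB6 Val() (leading decimal digits only) and the sample machine code and registration codes are constructed for illustration.

```python
# Added illustration of the traced check; all sample inputs are constructed.

def vb_val(text: str) -> int:
    """Approximate VB6 Val(): value of the leading decimal digits, else 0."""
    digits = ""
    for ch in text:
        if not ("0" <= ch <= "9"):
            break
        digits += ch
    return int(digits) if digits else 0


def transform_machine_suffix(machine_code: str) -> int:
    """Steps at 0044408B..004440B6 on the machine code's last two characters."""
    n = vb_val(machine_code[-2:])   # rtcRightCharBstr(.., 2) + rtcR8ValFromBstr
    if n < 10:                      # cmp si, 000A / jge
        n += 10                     # add si, 000A
    if n % 10 == 0:                 # idiv cx / test dx, dx
        n += 9                      # add si, 0009
    return n * 3                    # imul si, 0003


def check_registration(reg_code: str, machine_code: str) -> bool:
    """True when reg_code passes the routine at 00443EF0 as described above."""
    if len(reg_code) != 14:         # cmp eax, 0000000E
        return False
    # Loop at 00443FCC: Val() of each of the first 12 characters, so any
    # non-digit character contributes 0 to the sum.
    digit_sum = sum(vb_val(ch) for ch in reg_code[:12])
    total = transform_machine_suffix(machine_code) + digit_sum
    # Decimal string of the total, last two characters, string comparison
    # (__vbaStrCmp) against the last two characters of the entered code.
    return str(total)[-2:] == reg_code[-2:]


if __name__ == "__main__":
    machine = "MC-0042"             # constructed machine code
    for code in ("12345678901274", "12345678901200", "1234567890127"):
        print(code, check_registration(code, machine))
```

Every input to the comparison is visible to the user (the entered code and the displayed machine code), and the compared value is only two decimal digits, so the routine behaves as a short keyless checksum rather than an authenticator.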