Cracked by: chp1[dfcg][fcg]
Tools: trw, w32dsm
The software is not packed. After disassembling it with w32dsm, search for the string: "Your license has been registered. Thank you for purchasing "
:0044BD5B E8A42C0200 call 0046EA04
:0044BD60 83C408 add esp, 00000008
:0044BD63 8B85B4FCFFFF mov eax, dword ptr [ebp+FFFFFCB4]
:0044BD69 8168FC6AFFFFFF sub dword ptr [eax-04], FFFFFF6A
:0044BD70 83ADA8FCFFFF02 sub dword ptr [ebp+FFFFFCA8], 00000002
:0044BD77 6A00 push 00000000
:0044BD79 8D95D9FCFFFF lea edx, dword ptr [ebp+FFFFFCD9]
:0044BD7F 52 push edx
:0044BD80 E8469B0100 call 004658CB
:0044BD85 8B8DB4FCFFFF mov ecx, dword ptr [ebp+FFFFFCB4]
:0044BD8B 83C408 add esp, 00000008
:0044BD8E 8D85D1FCFFFF lea eax, dword ptr [ebp+FFFFFCD1]
:0044BD94 8141FC6AFFFFFF add dword ptr [ecx-04], FFFFFF6A
:0044BD9B FF8DA8FCFFFF dec dword ptr [ebp+FFFFFCA8]
:0044BDA1 6A00 push 00000000
:0044BDA3 50 push eax
:0044BDA4 E8031B0300 call 0047D8AC
:0044BDA9 83C408 add esp, 00000008
:0044BDAC 5A pop edx
:0044BDAD 84D2 test dl, dl
:0044BDAF 0F848F000000 je 0044BE44
:0044BDB5 57 push edi
:0044BDB6 E875F3FFFF call 0044B130 (key call; step into it with F8)
:0044BDBB 59 pop ecx
:0044BDBC 84C0 test al, al al<>0 means registration succeeds
:0044BDBE 7444 je 0044BE04 (if this jump is taken, game over)
:0044BDC0 68C8000000 push 000000C8
:0044BDC5 8D8FB6000000 lea ecx, dword ptr [edi+000000B6]
:0044BDCB 51 push ecx
* Possible Reference to String Resource ID=09140: "Your license has been registered. Thank you for purchasing "
|
:0044BDCC 68B4230000 push 000023B4
:0044BDD1 8D4704 lea eax, dword ptr [edi+04]
:0044BDD4 50 push eax
:0044BDD5 E87BB50200 call 00477355
:0044BDDA 83C410 add esp, 00000010
:0044BDDD 8D97B6000000 lea edx, dword ptr [edi+000000B6]
:0044BDE3 8B4F66 mov ecx, dword ptr [edi+66]
:0044BDE6 8B01 mov eax, dword ptr [ecx]
:0044BDE8 6A00 push 00000000
* Possible Reference to Dialog:
|
:0044BDEA 6838FE4900 push 0049FE38
:0044BDEF 52 push edx
:0044BDF0 8B500C mov edx, dword ptr [eax+0C]
:0044BDF3 52 push edx
:0044BDF4 8B4868 mov ecx, dword ptr [eax+68]
:0044BDF7 51 push ecx
:0044BDF8 E8B9D60100 call 004694B6
:0044BDFD 83C414 add esp, 00000014
:0044BE00 33DB xor ebx, ebx
:0044BE02 EB40 jmp 0044BE44
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044BDBE(C)
|
:0044BE04 68C8000000 push 000000C8 (if execution jumps here, registration has failed)
:0044BE09 8DB7B6000000 lea esi, dword ptr [edi+000000B6]
:0044BE0F 56 push esi
* Possible Reference to String Resource ID=09141: "The key code does not match the license owner."
|
:0044BE10 68B5230000 push 000023B5
:0044BE15 8D4704 lea eax, dword ptr [edi+04]
:0044BE18 50 push eax
:0044BE19 E837B50200 call 00477355
:0044BE1E 83C410 add esp, 00000010
:0044BE21 8BD6 mov edx, esi
:0044BE23 8B4F66 mov ecx, dword ptr [edi+66]
:0044BE26 8B01 mov eax, dword ptr [ecx]
:0044BE28 6A00 push 00000000
----------------------------------------------
call 0044B130 (key call; step into it with F8)
:0044B130 55 push ebp
:0044B131 8BEC mov ebp, esp
:0044B133 81C4BCFEFFFF add esp, FFFFFEBC
:0044B139 A184F84900 mov eax, dword ptr [0049F884]
:0044B13E 8B1546E84A00 mov edx, dword ptr [004AE846]
:0044B144 53 push ebx
:0044B145 56 push esi
:0044B146 57 push edi
:0044B147 8945FC mov dword ptr [ebp-04], eax
:0044B14A 6A50 push 00000050
:0044B14C 8D45AC lea eax, dword ptr [ebp-54]
* Possible Reference to Dialog:
|
:0044B14F 6841FD4900 push 0049FD41
:0044B154 50 push eax
* Possible StringData Ref from Data Obj ->"Name"
|
:0044B155 683CFD4900 push 0049FD3C
* Possible StringData Ref from Data Obj ->"RegisterInfo"
|
:0044B15A 682FFD4900 push 0049FD2F
:0044B15F 52 push edx
:0044B160 BEC73A0000 mov esi, 00003AC7
esi=00003ac7 (used later)
:0044B165 E8C2A0FCFF call 0041522C reads the name, chen
:0044B16A 83C418 add esp, 00000018
:0044B16D 8D8D5CFFFFFF lea ecx, dword ptr [ebp+FFFFFF5C]
:0044B173 A146E84A00 mov eax, dword ptr [004AE846]
:0044B178 6A50 push 00000050
* Possible Reference to Dialog:
|
:0044B17A 6857FD4900 push 0049FD57
:0044B17F 51 push ecx
* Possible StringData Ref from Data Obj ->"Company"
|
:0044B180 684FFD4900 push 0049FD4F
* Possible StringData Ref from Data Obj ->"RegisterInfo"
|
:0044B185 6842FD4900 push 0049FD42
:0044B18A 50 push eax
:0044B18B E89CA0FCFF call 0041522C
:0044B190 83C418 add esp, 00000018
:0044B193 8D950CFFFFFF lea edx, dword ptr [ebp+FFFFFF0C]
:0044B199 8B0D46E84A00 mov ecx, dword ptr [004AE846]
:0044B19F 6A50 push 00000050
* Possible Reference to Dialog:
|
:0044B1A1 6869FD4900 push 0049FD69
:0044B1A6 52 push edx
* Possible StringData Ref from Data Obj ->"Key"
|
:0044B1A7 6865FD4900 push 0049FD65
* Possible StringData Ref from Data Obj ->"RegisterInfo"
|
:0044B1AC 6858FD4900 push 0049FD58
:0044B1B1 51 push ecx
:0044B1B2 E875A0FCFF call 0041522C
:0044B1B7 83C418 add esp, 00000018
:0044B1BA 8D45AC lea eax, dword ptr [ebp-54] eax = name
:0044B1BD 50 push eax
:0044B1BE E81DE20300 call 004893E0
:0044B1C3 59 pop ecx (ecx = name)
:0044B1C4 8D955CFFFFFF lea edx, dword ptr [ebp+FFFFFF5C] (edx = company name)
:0044B1CA 52 push edx
:0044B1CB E810E20300 call 004893E0
:0044B1D0 59 pop ecx
* Possible Ref to Menu: MenuID_0064, Item: "Draw Freehand Volume Curve..."
|
* Possible Reference to String Resource ID=00001: "Enter an arbitary volume curve"
|
:0044B1D1 BB01000000 mov ebx, 00000001 (ebx=1)
:0044B1D6 8D7DAC lea edi, dword ptr [ebp-54]
:0044B1D9 EB13 jmp 0044B1EE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B1FA(C)
|
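:0044B1DB 0FBE07 movsx eax, byte ptr [edi] edi = ASCII code of each character of the name chen
:0044B1DE 8BD3 mov edx, ebx (edx=1)
:0044B1E0 83E203 and edx, 00000003
(edx and 3: when the name or company name is longer than 3 characters, the AND wraps edx so that its value always stays in the range 0-3)
:0044B1E3 0FBE4C15FC movsx ecx, byte ptr [ebp+edx-04]
[ebp-04] is a lookup table, A4EB7B11
:0044B1E8 F7E9 imul ecx
:0044B1EA 03F0 add esi, eax (the initial value of esi is 00003ac7)
:0044B1EC 43 inc ebx ebx is the counter
:0044B1ED 47 inc edi edi is incremented each pass to fetch the next character of the name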
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B1D9(U)
|
:0044B1EE 8D45AC lea eax, dword ptr [ebp-54] eax = name
:0044B1F1 50 push eax
:0044B1F2 E805570300 call 004808FC gets the length of the name; eax = length of the name
:0044B1F7 59 pop ecx
:0044B1F8 3BD8 cmp ebx, eax finished reading the name?
:0044B1FA 76DF jbe 0044B1DB
* Possible Ref to Menu: MenuID_0064, Item: "Draw Freehand Volume Curve..."
|
* Possible Reference to String Resource ID=00001: "Enter an arbitary volume curve"
|
:0044B1FC BB01000000 mov ebx, 00000001
:0044B201 8DBD5CFFFFFF lea edi, dword ptr [ebp+FFFFFF5C] edi = company name
:0044B207 EB13 jmp 0044B21C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B22B(C)
|
:0044B209 0FBE07 movsx eax, byte ptr [edi]
eax = ASCII code of each character of the company name xlin
:0044B20C 8BD3 mov edx, ebx
:0044B20E 83E203 and edx, 00000003
:0044B211 0FBE4C15FC movsx ecx, byte ptr [ebp+edx-04]
:0044B216 F7E9 imul ecx eax=eax * ecx
:0044B218 03F0 add esi, eax (the initial value of esi is the result of the name loop above)
:0044B21A 43 inc ebx
:0044B21B 47 inc edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B207(U)
|
:0044B21C 8D855CFFFFFF lea eax, dword ptr [ebp+FFFFFF5C]
:0044B222 50 push eax
:0044B223 E8D4560300 call 004808FC gets the length of the company name; eax = length of the company name
:0044B228 59 pop ecx
:0044B229 3BD8 cmp ebx, eax
:0044B22B 76DC jbe 0044B209 finished reading the company name?
:0044B22D 8BC6 mov eax, esi (the esi value computed from the ASCII codes of the name and company is passed to eax)
:0044B22F B9A0860100 mov ecx, 000186A0
:0044B234 33D2 xor edx, edx
:0044B236 F7F1 div ecx eax mod ecx (000186A0)
:0044B238 8BDA mov ebx, edx edx (the remainder) is copied to ebx
:0044B23A 8D85BCFEFFFF lea eax, dword ptr [ebp+FFFFFEBC]
:0044B240 53 push ebx
* Possible Reference to Dialog:
|
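:0044B241 686AFD4900 push 0049FD6A d 0049fd6a shows AC220-%d
:0044B246 50 push eax
:0044B247 E8608E0300 call 004840AC (the key computation)
(It is actually very simple: it converts the ebx value above to a decimal number and prefixes the converted number with AC220-, which gives the real registration code)
:0044B24C 83C40C add esp, 0000000C d ecx shows the real registration code
:0044B24F 8D950CFFFFFF lea edx, dword ptr [ebp+FFFFFF0C] d edx = the fake code that was entered
:0044B255 52 push edx
:0044B256 8D8DBCFEFFFF lea ecx, dword ptr [ebp+FFFFFEBC] ecx = real registration code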
:0044B25C 51 push ecx
* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:0044B25D E8344C0400 Call 0048FE96 (KERNEL32.lstrcmpA does the comparison)
:0044B262 85C0 test eax, eax
:0044B264 7504 jne 0044B26A (jumps if not equal)
:0044B266 B001 mov al, 01 al=1 (the good outcome; see 0044BDBC test al, al)
:0044B268 EB32 jmp 0044B29C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B264(C)
|
:0044B26A 53 push ebx
* Possible StringData Ref from Data Obj ->"AC220-%d"
(when they are not equal, it first checks whether the first 6 characters of the registration code are AC220-)
|
:0044B26B 6873FD4900 push 0049FD73
:0044B270 8D95BCFEFFFF lea edx, dword ptr [ebp+FFFFFEBC]
:0044B276 52 push edx
:0044B277 E8308E0300 call 004840AC
:0044B27C 83C40C add esp, 0000000C
:0044B27F 8D8D0CFFFFFF lea ecx, dword ptr [ebp+FFFFFF0C]
:0044B285 51 push ecx
:0044B286 8D85BCFEFFFF lea eax, dword ptr [ebp+FFFFFEBC]
:0044B28C 50 push eax
* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:0044B28D E8044C0400 Call 0048FE96 (KERNEL32.lstrcmpA comparison)
:0044B292 85C0 test eax, eax
:0044B294 7504 jne 0044B29A (jumps if not equal)
:0044B296 B001 mov al, 01
:0044B298 EB02 jmp 0044B29C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B294(C)
|
:0044B29A 33C0 xor eax, eax (note: ax=0)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044B268(U), :0044B298(U)
|
:0044B29C 5F pop edi
:0044B29D 5E pop esi
:0044B29E 5B pop ebx
:0044B29F 8BE5 mov esp, ebp
:0044B2A1 5D pop ebp
:0044B2A2 C3 ret
name:chen
company:xlin