[Repost] Registering the photo decoration tool FrameMaster
Author: qduwg

Title: Registering the photo decoration tool FrameMaster
Software function: This American-developed photo decoration program adds all kinds of dazzling border effects to digital photos. After acquiring photos from a digital camera or scanner, you can quickly and effortlessly apply ornate frames, masks, overlays, shadows and various edge effects. You can also add small images (rubber stamps) to a photo as a finishing touch, resize photos, and fully customize every property. The unregistered version has a 30-day trial, after which registration is required.
Software source: Computer Fan (电脑爱好者) 2002 CD
Tools: SoftICE, PEiD, OD
Goal: find the registration code (the program does a plaintext comparison; there is no registration algorithm)

Introduction: Today I installed this frame tool from the CD more or less at random and tried it out; the results are good. Unfortunately there is only a 30-day trial, so let's register it. After installation, first check with PEiD whether it is packed: it is not, and it was written in BC++. Run the program, open the HELP menu and click the Register command; a registration window pops up. Enter a user name and a fake registration code, for example wanggang and 7878787878. Bring up SoftICE, set the breakpoint bpx hmemcpy, press F5 to exit, click OK, and the breakpoint hits. Pressing F12 seven times returns to the main program's address space; then trace with F10 until we reach the following code:

00446277 |. 8B4D98 MOV ECX,DWORD PTR SS:[EBP-68]
0044627A |. 8B81E0020000 MOV EAX,DWORD PTR DS:[ECX+2E0]
00446280 |. E88BEC0700 CALL FRMMSTR.004C4F10
00446285 |. 8D45F4 LEA EAX,DWORD PTR SS:[EBP-C] // address of the user name -> EAX
00446288 |. E87F6BFFFF CALL FRMMSTR.0043CE0C // get the length of the user name
0044628D |. 85C0 TEST EAX,EAX
0044628F |. 0F94C2 SETE DL
00446292 |. 83E201 AND EDX,1
00446295 |. 52 PUSH EDX
00446296 |. FF4DB8 DEC DWORD PTR SS:[EBP-48]
00446299 |. 8D45F4 LEA EAX,DWORD PTR SS:[EBP-C]
0044629C |. BA02000000 MOV EDX,2
004462A1 |. E88E1D0E00 CALL FRMMSTR.00528034 // test whether the user name is empty
004462A6 |. 59 POP ECX
004462A7 |. 84C9 TEST CL,CL
004462A9 |. 7474 JE SHORT FRMMSTR.0044631F // if the user name is not empty, OK (jump); otherwise fall through to the prompt below
004462AB |. 6A00 PUSH 0
004462AD |. 8D4592 LEA EAX,DWORD PTR SS:[EBP-6E]
004462B0 |. E82331FFFF CALL FRMMSTR.004393D8
004462B5 |. B202 MOV DL,2
004462B7 |. E85031FFFF CALL FRMMSTR.0043940C
004462BC |. 66:8B08 MOV CX,WORD PTR DS:[EAX]
004462BF |. 51 PUSH ECX
004462C0 |. 66:C745AC380> MOV WORD PTR SS:[EBP-54],38
004462C6 |. BA786D5400 MOV EDX,FRMMSTR.00546D78 ; ASCII "Please enter your name"
004462CB |. 8D45F0 LEA EAX,DWORD PTR SS:[EBP-10]
004462CE |. E84D1C0E00 CALL FRMMSTR.00527F20
* (several lines omitted)
0044631F |> 66:C745AC440> MOV WORD PTR SS:[EBP-54],44 // we jump here when the user name is not empty
00446325 |. 8D45EC LEA EAX,DWORD PTR SS:[EBP-14]
00446328 |. E8CF1EFFFF CALL FRMMSTR.004381FC
0044632D |. 8BD0 MOV EDX,EAX
0044632F |. FF45B8 INC DWORD PTR SS:[EBP-48]
00446332 |. 8B4D98 MOV ECX,DWORD PTR SS:[EBP-68]
00446335 |. 8B81D0020000 MOV EAX,DWORD PTR DS:[ECX+2D0]
0044633B |. E8D0EB0700 CALL FRMMSTR.004C4F10
00446340 |. 8D55EC LEA EDX,DWORD PTR SS:[EBP-14]
00446343 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
00446345 |. A1905D5500 MOV EAX,DWORD PTR DS:[555D90]
0044634A |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0044634C |. E803A0FFFF CALL FRMMSTR.00440354 // this is the key function; step in with F8, the code is analyzed further below
00446351 |. 50 PUSH EAX
00446352 |. FF4DB8 DEC DWORD PTR SS:[EBP-48]
00446355 |. 8D45EC LEA EAX,DWORD PTR SS:[EBP-14]
00446358 |. BA02000000 MOV EDX,2
0044635D |. E8D21C0E00 CALL FRMMSTR.00528034
00446362 |. 59 POP ECX
00446363 |. 84C9 TEST CL,CL // the flag that says whether the registration code is correct
00446365 |. 0F8425020000 JE FRMMSTR.00446590 // if CL is 0 we jump away, which is of course a dead end
0044636B |. B201 MOV DL,1 // everything below writes to the registry after a successful registration
0044636D |. A13C444800 MOV EAX,DWORD PTR DS:[48443C]
00446372 |. E81DE20300 CALL FRMMSTR.00484594
00446377 |. 89458C MOV DWORD PTR SS:[EBP-74],EAX
0044637A |. 66:C745AC140> MOV WORD PTR SS:[EBP-54],14
00446380 |. BA02000080 MOV EDX,80000002
00446385 |. 8B458C MOV EAX,DWORD PTR SS:[EBP-74]
00446388 |. E88B1B0E00 CALL FRMMSTR.00527F18
0044638D |. 66:C745AC500> MOV WORD PTR SS:[EBP-54],50
00446393 |. BA8F6D5400 MOV EDX,FRMMSTR.00546D8F ; ASCII "\SOFTWARE\Microsoft\CORBASpecs\Key" // created under HKEY_Local_Machine. After a successful registration, the code you entered can be seen there, in plaintext.
00446398 |. 8D45E8 LEA EAX,DWORD PTR SS:[EBP-18]
0044639B |. E8801B0E00 CALL FRMMSTR.00527F20
* (many lines omitted)
0044643F |. 66:C745AC680> MOV WORD PTR SS:[EBP-54],68
00446445 |. BAB76D5400 MOV EDX,FRMMSTR.00546DB7 ; ASCII "Thank you for ordering FrameMaster!
Your support is much appreciated.
Please store the registration key in case you need it later.
"
0044644A |. 8D45DC LEA EAX,DWORD PTR SS:[EBP-24]
0044644D |. E8CE1A0E00 CALL FRMMSTR.00527F20
00446452 |. FF45B8 INC DWORD PTR SS:[EBP-48]
00446455 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00446457 |. B202 MOV DL,2
00446459 |. 59 POP ECX
0044645A |. E81D8B0700 CALL FRMMSTR.004BEF7C
0044645F |. FF4DB8 DEC DWORD PTR SS:[EBP-48]
00446462 |. 8D45DC LEA EAX,DWORD PTR SS:[EBP-24]
00446465 |. BA02000000 MOV EDX,2
0044646A |. E8C51B0E00 CALL FRMMSTR.00528034
0044646F |> 66:C745AC740> MOV WORD PTR SS:[EBP-54],74
00446475 |. BA3B6E5400 MOV EDX,FRMMSTR.00546E3B ; ASCII "\SOFTWARE\GalleriaSoftware\FrameMaster\Registrant" // created under HKEY_LOCAL_MACHINE; the user name is stored in it
0044647A |. 8D45D8 LEA EAX,DWORD PTR SS:[EBP-28]
* (several lines omitted)
004464C2 |. 8D55D0 LEA EDX,DWORD PTR SS:[EBP-30] // address of the user name -> EDX
004464C5 |. FF32 PUSH DWORD PTR DS:[EDX]
004464C7 |. 66:C745AC800> MOV WORD PTR SS:[EBP-54],80
004464CD |. BA6E6E5400 MOV EDX,FRMMSTR.00546E6E ; ASCII "Registrant"
004464D2 |. 8D45D4 LEA EAX,DWORD PTR SS:[EBP-2C]
004464D5 |. E8461A0E00 CALL FRMMSTR.00527F20
004464DA |. FF45B8 INC DWORD PTR SS:[EBP-48]
004464DD |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
* (several lines omitted)
00446584 |> A1987D5500 MOV EAX,DWORD PTR DS:[_frmRegister]
00446589 |. E836950600 CALL FRMMSTR.004AFAC4
0044658E |. EB59 JMP SHORT FRMMSTR.004465E9 // on a successful registration execution reaches here, then jumps further down
00446590 |> 68D0070000 PUSH 7D0 ; /Timeout = 2000. ms // if the registration code is wrong we land here directly: take a 2000 ms nap, then show a failure dialog
00446595 |. E8EA8C0F00 CALL <JMP.&KERNEL32.Sleep> ; \Sleep
0044659A |. 6A00 PUSH 0
0044659C |. 8D4588 LEA EAX,DWORD PTR SS:[EBP-78]
0044659F |. E8342EFFFF CALL FRMMSTR.004393D8
004465A4 |. B202 MOV DL,2
004465A6 |. E8612EFFFF CALL FRMMSTR.0043940C
004465AB |. 66:8B08 MOV CX,WORD PTR DS:[EAX]
004465AE |. 51 PUSH ECX
004465AF |. 66:C745ACB00> MOV WORD PTR SS:[EBP-54],0B0
004465B5 |. BA7A6E5400 MOV EDX,FRMMSTR.00546E7A ; ASCII "Failed Registration"
004465BA |. 8D45C0 LEA EAX,DWORD PTR SS:[EBP-40]
004465BD |. E85E190E00 CALL FRMMSTR.00527F20
004465C2 |. FF45B8 INC DWORD PTR SS:[EBP-48]
004465C5 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004465C7 |. B201 MOV DL,1
004465C9 |. 59 POP ECX
004465CA |. E8AD890700 CALL FRMMSTR.004BEF7C // this CALL shows the error message
004465CF |. FF4DB8 DEC DWORD PTR SS:[EBP-48]
004465D2 |. 8D45C0 LEA EAX,DWORD PTR SS:[EBP-40]
* (several lines omitted)
================================================================================
Now look at the function called at 0044634C, CALL FRMMSTR.00440354. The code is as follows:
* (the first part of the function is omitted; what follows is the blacklist comparison)
004404AB |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
004404B1 |. BAC5285400 MOV EDX,FRMMSTR.005428C5 ; ASCII "KD8383VMDKKAAAL-LLF4VVIII34AAAAA-LLF4VVIII34AAAAA"
004404B6 |. 8D4584 LEA EAX,DWORD PTR SS:[EBP-7C]
004404B9 |. E8627A0E00 CALL FRMMSTR.00527F20
004404BE |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
004404C4 |. BAF7285400 MOV EDX,FRMMSTR.005428F7 ; ASCII "344DDDDAAKKAAAB-VVIII34AAAAABBF4-LLF4VVIII34AAAAA"
004404C9 |. 8D4588 LEA EAX,DWORD PTR SS:[EBP-78]
004404CC |. E84F7A0E00 CALL FRMMSTR.00527F20
004404D1 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
004404D7 |. BA29295400 MOV EDX,FRMMSTR.00542929 ; ASCII "344DDDDAAKVVIII-34AAAAAKAAABBBF4-LLF4VVIII34AAAAA"
004404DC |. 8D458C LEA EAX,DWORD PTR SS:[EBP-74]
004404DF |. E83C7A0E00 CALL FRMMSTR.00527F20
004404E4 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
004404EA |. BA5B295400 MOV EDX,FRMMSTR.0054295B ; ASCII "344DDVVIII34AAA-AADDAAKKAAABBBF4-LLF4VVIII34AAAAA"
004404EF |. 8D4590 LEA EAX,DWORD PTR SS:[EBP-70]
004404F2 |. E8297A0E00 CALL FRMMSTR.00527F20
004404F7 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
004404FD |. BA8D295400 MOV EDX,FRMMSTR.0054298D ; ASCII "344DDDDAAKVVIII-34AAAAAKAAABBBF4-LLF4VVIII34AAAAA"
00440502 |. 8D4594 LEA EAX,DWORD PTR SS:[EBP-6C]
00440505 |. E8167A0E00 CALL FRMMSTR.00527F20
0044050A |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
00440510 |. BABF295400 MOV EDX,FRMMSTR.005429BF ; ASCII "VVIII34AAAAA344-DDDDAAKKAAABBBF4-LLF4VVIII34AAAAA"
00440515 |. 8D4598 LEA EAX,DWORD PTR SS:[EBP-68]
00440518 |. E8037A0E00 CALL FRMMSTR.00527F20
0044051D |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
00440523 |. BAF1295400 MOV EDX,FRMMSTR.005429F1 ; ASCII "344DDDDVVIII34A-AAAAAAKKAAABBBF4-LLF4VVIII34AAAAA"
00440528 |. 8D459C LEA EAX,DWORD PTR SS:[EBP-64]
0044052B |. E8F0790E00 CALL FRMMSTR.00527F20
00440530 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
00440536 |. BA232A5400 MOV EDX,FRMMSTR.00542A23 ; ASCII "344DDDDAAVVIII3-4AAAAAKKAAABBBF4-LLF4VVIII34AAAAA"
0044053B |. 8D45A0 LEA EAX,DWORD PTR SS:[EBP-60]
0044053E |. E8DD790E00 CALL FRMMSTR.00527F20
00440543 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
00440549 |. BA552A5400 MOV EDX,FRMMSTR.00542A55 ; ASCII "344DDDDAVVIII34-AAAAAAKKAAABBBF4-LLF4VVIII34AAAAA"
0044054E |. 8D45A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00440551 |. E8CA790E00 CALL FRMMSTR.00527F20
00440556 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
0044055C |. BA872A5400 MOV EDX,FRMMSTR.00542A87 ; ASCII "344DDDDAAKKAVVI-II34AAAAAAABBBF4-LLF4VVIII34AAAAA"
00440561 |. 8D45A8 LEA EAX,DWORD PTR SS:[EBP-58]
00440564 |. E8B7790E00 CALL FRMMSTR.00527F20
00440569 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
0044056F |. BAB92A5400 MOV EDX,FRMMSTR.00542AB9 ; ASCII "344DDDDAAKKVVII-I34AAAAAAAABBBF4-LLF4VVIII34AAAAA"
00440574 |. 8D45AC LEA EAX,DWORD PTR SS:[EBP-54]
00440577 |. E8A4790E00 CALL FRMMSTR.00527F20
0044057C |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
00440582 |. BAEB2A5400 MOV EDX,FRMMSTR.00542AEB ; ASCII "5666DDDAAKKAVVI-II34AAAAAAABBBF4-LLF4VVIII34AAAAA"
00440587 |. 8D45B0 LEA EAX,DWORD PTR SS:[EBP-50]
0044058A |. E891790E00 CALL FRMMSTR.00527F20
0044058F |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
00440595 |. BA1D2B5400 MOV EDX,FRMMSTR.00542B1D ; ASCII "KJ4DDDDAAKKAAVV-III34AAAAAABBBF4-LLF4VVIII34AAAAA"
0044059A |. 8D45B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0044059D |. E87E790E00 CALL FRMMSTR.00527F20
004405A2 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
004405A8 |. BA4F2B5400 MOV EDX,FRMMSTR.00542B4F ; ASCII "3447777AVVIII34-AAAAAAKKAAABBBF4-LLF4VVIII34AAAAA"
004405AD |. 8D45B8 LEA EAX,DWORD PTR SS:[EBP-48]
004405B0 |. E86B790E00 CALL FRMMSTR.00527F20
004405B5 |. FF8518FFFFFF INC DWORD PTR SS:[EBP-E8]
004405BB |. BA812B5400 MOV EDX,FRMMSTR.00542B81 ; ASCII "344DDDDAAKKVVII-I34AAAAAAAABBBF4-LLF4VVIII34AAAAA"
* (many lines omitted)
004408E0 |. 8D9530FFFFFF ||LEA EDX,DWORD PTR SS:[EBP-D0]
004408E6 |. 8D45FC ||LEA EAX,DWORD PTR SS:[EBP-4]
004408E9 |. E816780E00 ||CALL FRMMSTR.00528104 // this CALL and the lines below form the classic pattern, so step in with F8
004408EE |. 84C0 ||TEST AL,AL
004408F0 |. 0F84BD000000 ||JE FRMMSTR.004409B3 // test the AL flag: if it is non-zero the jump is not taken, and not jumping means OK
004408F6 |. B001 ||MOV AL,1
004408F8 |. 50 ||PUSH EAX
004408F9 |. FF8D18FFFFFF ||DEC DWORD PTR SS:[EBP-E8]
004408FF |. 8D8530FFFFFF ||LEA EAX,DWORD PTR SS:[EBP-D0]
* (some lines omitted)
0044098A |. 83C414 ||ADD ESP,14
0044098D |. FF8D18FFFFFF ||DEC DWORD PTR SS:[EBP-E8]
00440993 |. 8D45FC ||LEA EAX,DWORD PTR SS:[EBP-4]
00440996 |. BA02000000 ||MOV EDX,2
0044099B |. E894760E00 ||CALL FRMMSTR.00528034
004409A0 |. 58 ||POP EAX
004409A1 |. 8B95FCFEFFFF ||MOV EDX,DWORD PTR SS:[EBP-104]
004409A7 |. 64:891500000000 ||MOV DWORD PTR FS:[0],EDX
004409AE |. E9E7000000 ||JMP FRMMSTR.00440A9A // from here the program jumps straight to the code marked (*) below
* (some lines omitted)
00440A87 |. E8A8750E00 CALL FRMMSTR.00528034
00440A8C |. 58 POP EAX
00440A8D |. 8B95FCFEFFFF MOV EDX,DWORD PTR SS:[EBP-104]
00440A93 |. 64:891500000000 MOV DWORD PTR FS:[0],EDX
00440A9A |> 8BE5 MOV ESP,EBP // jumping here means success. -------------- (*)
00440A9C |. 5D POP EBP
00440A9D \. C3 RETN
=============================================================================
Next, the code behind 004408E9 CALL FRMMSTR.00528104:
00528104 /$ 55 PUSH EBP
00528105 |. 8BEC MOV EBP,ESP
00528107 |. 53 PUSH EBX
00528108 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0052810A |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
0052810C |. E81BF9FDFF CALL FRMMSTR.00507A2C // the only key call in this function; step in with F8
00528111 |. 0F94C0 SETE AL
00528114 |. 83E001 AND EAX,1
00528117 |. 5B POP EBX
00528118 |. 5D POP EBP
00528119 \. C3 RETN
=============================================================================
Below is the code of the function called at 0052810C, CALL FRMMSTR.00507A2C. This is the crucial part.
00507A43 |. 8B46FC MOV EAX,DWORD PTR DS:[ESI-4] // length of the fake code -> EAX
00507A46 |. 8B57FC MOV EDX,DWORD PTR DS:[EDI-4] // length of the real code -> EDX
00507A49 |. 29D0 SUB EAX,EDX // fake length minus real length. Here the fake code is 10 characters and the real code 48, so the result is -38
00507A4B |. 7702 JA SHORT FRMMSTR.00507A4F // jump if the fake code is longer than the real one
00507A4D |. 01C2 ADD EDX,EAX // add the difference -38 to EDX: EDX = 48 - 38 = 10. So only your ten characters are compared below
00507A4F |> 52 PUSH EDX
00507A50 |. C1EA02 SHR EDX,2 // initialize the counter
00507A53 |. 7426 JE SHORT FRMMSTR.00507A7B
00507A55 |> 8B0E /MOV ECX,DWORD PTR DS:[ESI] // first 4 bytes of the fake code -> ECX
00507A57 |. 8B1F |MOV EBX,DWORD PTR DS:[EDI] // first 4 bytes of the real code -> EBX
00507A59 |. 39D9 |CMP ECX,EBX // compare real and fake
00507A5B |. 7558 |JNZ SHORT FRMMSTR.00507AB5 // if they differ, it's over
00507A5D |. 4A |DEC EDX // decrement the counter
00507A5E |. 7415 |JE SHORT FRMMSTR.00507A75 // jump away when it reaches 0
00507A60 |. 8B4E04 |MOV ECX,DWORD PTR DS:[ESI+4] // next 4 bytes of the fake code -> ECX
00507A63 |. 8B5F04 |MOV EBX,DWORD PTR DS:[EDI+4] // next 4 bytes of the real code -> EBX
00507A66 |. 39D9 |CMP ECX,EBX // compare real and fake
00507A68 |. 754B |JNZ SHORT FRMMSTR.00507AB5 // if they differ, it's over
00507A6A |. 83C608 |ADD ESI,8 // advance the address
00507A6D |. 83C708 |ADD EDI,8 // advance the address
00507A70 |. 4A |DEC EDX // decrement the counter
00507A71 |.^ 75E2 \JNZ SHORT FRMMSTR.00507A55 // loop back up while it is not 0
00507A73 |. EB06 JMP SHORT FRMMSTR.00507A7B // when the loop above finishes, jump directly
00507A75 |> 83C604 ADD ESI,4
00507A78 |. 83C704 ADD EDI,4
00507A7B |> 5A POP EDX // reload the counter
00507A7C |. 83E203 AND EDX,3
00507A7F |. 7422 JE SHORT FRMMSTR.00507AA3
00507A81 |. 8B0E MOV ECX,DWORD PTR DS:[ESI] // remaining bytes of the fake code -> ECX, since the code length may not be a multiple of 4
00507A83 |. 8B1F MOV EBX,DWORD PTR DS:[EDI] // remaining bytes of the real code -> EBX
00507A85 |. 38D9 CMP CL,BL // compare real and fake
00507A87 |. 7541 JNZ SHORT FRMMSTR.00507ACA // if they differ, it's over
00507A89 |. 4A DEC EDX // decrement the counter
00507A8A |. 7417 JE SHORT FRMMSTR.00507AA3 // jump away when it reaches 0
00507A8C |. 38FD CMP CH,BH
00507A8E |. 753A JNZ SHORT FRMMSTR.00507ACA
00507A90 |. 4A DEC EDX // decrement the counter
00507A91 |. 7410 JE SHORT FRMMSTR.00507AA3 // jump away when it reaches 0
00507A93 |. 81E30000FF00 AND EBX,0FF0000 // if there is a third byte, extract it with an AND
00507A99 |. 81E10000FF00 AND ECX,0FF0000 // same as above
00507A9F |. 39D9 CMP ECX,EBX // compare real and fake
00507AA1 |. 7527 JNZ SHORT FRMMSTR.00507ACA // if they differ, it's over
00507AA3 |> 01C0 ADD EAX,EAX ; FRMMSTR.<ModuleEntryPoint>
00507AA5 |. EB23 JMP SHORT FRMMSTR.00507ACA // only leaving through this jump counts as success
* (several lines omitted)
00507ACA |> 5F POP EDI
00507ACB |. 5E POP ESI
00507ACC |. 5B POP EBX
00507ACD \. C3 RETN
=============================================================================
Afterword:

This took one hour of tracing and one hour of writing up. Although the program ends with a plaintext comparison, I have not yet found how the real code is computed; it does not seem obvious. Step into the comparison function above and you can see the real code immediately. Of course, a dozen or so fake codes are also listed there; don't be misled by them. Only the registration code the program fetches by itself will succeed (obviously, since the fake codes are not equal to it).

Finding the registration code was not difficult, but working out the algorithm behind it is the key. I still need to keep analyzing; for now I'll post these notes.

Thank you for spending your time reading this! Thanks again to everyone who follows my write-ups!!

Result:
UserName: wanggang
RegisterCode: D8383VMDKKAAAL-LLF4VVIII34AAAAA-LLF4VVIII34AA1-1
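
The comparison routine at 00507A2C, restated in C as an added example (not code from the original post or from the program): it compares the common prefix of the two strings and then lets the length difference decide, so the check is an exact match against a string that is already sitting in memory. The function and variable names are hypothetical, the sample strings are constructed, and the 2x-unrolled dword loop of the listing is written as a plain loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the compare routine at 00507A2C; all names are hypothetical.
 * Returns 1 when both length-prefixed strings are equal, else 0, i.e. the
 * value the caller at 00528111 derives with SETE AL / AND EAX,1. */
int lstr_equal(const char *entered, size_t entered_len,
               const char *stored, size_t stored_len)
{
    /* SUB EAX,EDX / JA / ADD EDX,EAX: EDX = min(entered_len, stored_len) */
    size_t n = entered_len < stored_len ? entered_len : stored_len;
    size_t i = 0;

    /* SHR EDX,2 loop: compare the common prefix one dword at a time */
    for (; i + 4 <= n; i += 4) {
        uint32_t a, b;
        memcpy(&a, entered + i, sizeof a);
        memcpy(&b, stored + i, sizeof b);
        if (a != b)
            return 0;                 /* JNZ 00507AB5 */
    }
    /* AND EDX,3 tail: the remaining 0..3 bytes, one at a time */
    for (; i < n; i++) {
        if (entered[i] != stored[i])
            return 0;                 /* JNZ 00507ACA */
    }
    /* ADD EAX,EAX: ZF ends up set only if the length difference was zero,
     * so a matching prefix of a longer stored string is still "not equal". */
    return entered_len == stored_len;
}

int main(void)
{
    /* Constructed sample strings, not values taken from the program. */
    const char *stored = "SAMPLE-KEY-0001";
    printf("prefix only : %d\n", lstr_equal("SAMPLE-KEY", 10, stored, 15));
    printf("tail differs: %d\n", lstr_equal("SAMPLE-KEY-0002", 15, stored, 15));
    printf("exact match : %d\n", lstr_equal(stored, 15, stored, 15));
    return 0;
}
```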