[Repost] ScreenHunter 4.2 Pro registration algorithm analysis

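Author: ForEver

[Software] ScreenHunter 4.2 Pro
[Write-up author] forever[RCT]
[Programming language] VC
[Protection] Simple arithmetic
[Tools used] peid 0.93, exescope 6.5, ida 4.6, ollydbg 1.1
[About the software] ScreenHunter is a very good screen-capture tool. Besides the usual basic features, it can capture an elliptical selection, capture Word documents, generate file names automatically, capture the screen on a timer, capture DirectX games and screen savers, and save to JPEG, GIF, PNG and BMP files.
[Download] http://www4.skycn.com/soft/5021.html
[Write-up]
First, a note: this post is written for beginners. :)
I have suddenly realised that writing these write-ups is hard work, especially when you try to explain the whole process clearly. My respects to the veterans who have written so many of them. ;)
I will try to keep the process easy to follow, but I still assume that you can use the basic tools and know the basics of programming. On how to locate MFC message handlers, I posted an earlier article, <Finding the message handlers from the dialog's constructor>; if the steps below are unclear, refer to that post. Here I only write down the whole procedure. I will not reverse the code back to source here; I just try to make the comments as clear as possible, which saves a lot of time :)

First check the language the software was written in. peid detects VC, which is trustworthy in most cases. Loading it in od and ida confirms that it is indeed VC.
At startup the software shows a NAG window asking for a registration code. Using exescope I found that this window's resource id is 1797h and the OK button's id is 1d4h. This information is useful.
Now load the software into ida for analysis. I made an mfc4.2 sig a while ago; if you use this sig, more function names are detected.
In the Names window, search for "CDialog::CDialog(unsigned int, class CWnd *)", which brings us here: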

.text:0054A50F public: __thiscall CDialog::CDialog(unsigned int, class CWnd *) proc near
.text:0054A50F
.text:0054A50F arg_0 = dword ptr 0Ch
.text:0054A50F arg_4 = dword ptr 10h
.text:0054A50F
.text:0054A50F push esi
.text:0054A510 push edi
.text:0054A511 mov esi, ecx
.text:0054A513 call CWnd::CWnd(void)
.text:0054A518 lea edi, [esi+3Ch]
.text:0054A51B push 20h ; size_t
.text:0054A51D push 0 ; int
.text:0054A51F push edi ; void *
.text:0054A520 mov dword ptr [esi], offset off_5838D4
.text:0054A526 call _memset
.text:0054A52B mov eax, [esp+0Ch+arg_4]
.text:0054A52F add esp, 0Ch
.text:0054A532 mov [esi+50h], eax
.text:0054A535 mov eax, [esp+arg_0]
.text:0054A539 movzx ecx, ax
.text:0054A53C mov [edi], eax
.text:0054A53E mov [esi+40h], ecx
.text:0054A541 mov eax, esi
.text:0054A543 pop edi
.text:0054A544 pop esi
.text:0054A545 retn 8
.text:0054A545 public: __thiscall CDialog::CDialog(unsigned int, class CWnd *) endp
;=================================================================================
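Why look for this function? Because it is the constructor of the dialog class, and every custom dialog must call it when it is initialised.

Right-click the name CDialog::CDialog and choose the menu item "Jump to xref to operand", which brings up the following list: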
Up p sub_40E7A7+C call CDialog::CDialog(uint, CWnd *)
Up p sub_411987+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_414C64+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_437218+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_43F20C+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_4460F4+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_44D3FD+1A call CDialog::CDialog(uint, CWnd *)
Up p sub_46F72B+C call CDialog::CDialog(uint, CWnd *)
Up p sub_486E87+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_4A89B6+1D call CDialog::CDialog(uint, CWnd *)
Up p sub_4AF524+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_4BC73F+1B call CDialog::CDialog(uint, CWnd *)
Up p sub_4C0301+1A call CDialog::CDialog(uint, CWnd *)
Up p sub_4C2F1A+1A call CDialog::CDialog(uint, CWnd *)
Up p sub_4C5B16+1A call CDialog::CDialog(uint, CWnd *)
Up p sub_4C8639+1A call CDialog::CDialog(uint, CWnd *)
Up p CFileDialog::CFileDialog(int, char const *, char const *, ulong, char const *, CWnd *)+19 call CDialog::CDia
Up p CFontDialog::CFontDialog(tagLOGFONTA *, ulong, CDC *, CWnd *)+19 call CDialog::CDialog(uint, CWnd *)
Up p CFontDialog::CFontDialog(_charformat const &, ulong, CDC *, CWnd *)+19 call CDialog::CDialog(uint, CWnd *)
Up p CColorDialog::CColorDialog(ulong, ulong, CWnd *)+17 call CDialog::CDialog(uint, CWnd *)
Up p CPageSetupDialog::CPageSetupDialog(ulong, CWnd *)+17 call CDialog::CDialog(uint, CWnd *)
Up p CPrintDialog::CPrintDialog(int, ulong, CWnd *)+18 call CDialog::CDialog(uint, CWnd *)
Up p CPrintDialog::CPrintDialog(tagPDA &)+7 call CDialog::CDialog(uint, CWnd *)
Up p CFindReplaceDialog::CFindReplaceDialog(void)+17 call CDialog::CDialog(uint, CWnd *)
Down p CDocManager::OnFileNew(void)+3D call CDialog::CDialog(uint, CWnd *)

;=================================================================================

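These are all the places that reference CDialog::CDialog. Look for the function that passes dialog resource id 1797h (the registration dialog resource, as seen in exescope).
That brings us here: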
.text:0043F20C sub_43F20C proc near ; CODE XREF: sub_46973F+31p
.text:0043F20C mov eax, offset unknown_libname_1324
.text:0043F211 call __EH_prolog
.text:0043F216 push ecx
.text:0043F217 push ebx
.text:0043F218 push esi
.text:0043F219 push edi
.text:0043F21A mov esi, ecx
.text:0043F21C push dword ptr [ebp+8]
.text:0043F21F mov [ebp-10h], esi
.text:0043F222 push 1797h ; registration dialog
.text:0043F227 call CDialog::CDialog(uint, CWnd *) // where the registration dialog is constructed; this is
.text:0043F22C and dword ptr [ebp-4], 0 // why we start from CDialog::CDialog
.text:0043F230 lea ebx, [esi+5Ch]
.text:0043F233 mov ecx, ebx
.text:0043F235 call CWnd::CWnd(void)
.text:0043F23A mov edi, offset off_584E04
.text:0043F23F mov [ebx], edi
.text:0043F241 lea ebx, [esi+98h]
.text:0043F247 mov byte ptr [ebp-4], 1
.text:0043F24B mov ecx, ebx
.text:0043F24D call CWnd::CWnd(void)
.text:0043F252 mov [ebx], edi
.text:0043F254 lea ebx, [esi+0D4h]
.text:0043F25A mov byte ptr [ebp-4], 2
.text:0043F25E mov ecx, ebx
.text:0043F260 call CWnd::CWnd(void)
.text:0043F265 mov [ebx], edi
.text:0043F267 lea ebx, [esi+110h]
.text:0043F26D mov byte ptr [ebp-4], 3
.text:0043F271 mov ecx, ebx
.text:0043F273 call CWnd::CWnd(void)
.text:0043F278 mov [ebx], edi
.text:0043F27A lea ebx, [esi+14Ch]
.text:0043F280 mov byte ptr [ebp-4], 4
.text:0043F284 mov ecx, ebx
.text:0043F286 call CWnd::CWnd(void)
.text:0043F28B mov [ebx], edi
.text:0043F28D mov eax, dword_5D537C
.text:0043F292 lea ebx, [esi+188h]
.text:0043F298 mov [ebx], eax
.text:0043F29A mov eax, dword_5D537C
.text:0043F29F mov [esi+18Ch], eax
.text:0043F2A5 mov eax, dword_5D537C
.text:0043F2AA mov [esi+190h], eax
.text:0043F2B0 mov eax, dword_5D537C
.text:0043F2B5 mov [esi+194h], eax
.text:0043F2BB mov eax, dword_5D537C
.text:0043F2C0 mov [esi+198h], eax
.text:0043F2C6 lea ecx, [esi+19Ch]
.text:0043F2CC mov byte ptr [ebp-4], 0Ah
.text:0043F2D0 call sub_5430CA
.text:0043F2D5 mov edi, offset WindowName
.text:0043F2DA mov ecx, ebx
.text:0043F2DC push edi
.text:0043F2DD mov byte ptr [ebp-4], 0Bh
.text:0043F2E1 mov dword ptr [esi], offset off_57AEE0 // this address holds the dialog's vtable
.text:0043F2E7 call CString::operator=(char const *) // it is usually in ESI or EDI
.text:0043F2EC push edi
.text:0043F2ED lea ecx, [esi+18Ch]
.text:0043F2F3 call CString::operator=(char const *)
.text:0043F2F8 push edi
.text:0043F2F9 lea ecx, [esi+190h]
.text:0043F2FF call CString::operator=(char const *)
.text:0043F304 push edi
.text:0043F305 lea ecx, [esi+194h]
.text:0043F30B call CString::operator=(char const *)
.text:0043F310 push edi
.text:0043F311 lea ecx, [esi+198h]
.text:0043F317 call CString::operator=(char const *) // the 5 consecutive strings above are presumably used to hold
.text:0043F31C push 0FFFFFFFFh // the registration code
.text:0043F31E push 5
.text:0043F320 lea ecx, [esi+19Ch]
.text:0043F326 call CStringArray::SetSize(int, int)
.text:0043F32B mov ecx, [ebp-0Ch]
.text:0043F32E mov eax, esi
.text:0043F330 pop edi
.text:0043F331 pop esi
.text:0043F332 pop ebx
.text:0043F333 mov large fs:0, ecx
.text:0043F33A leave
.text:0043F33B retn 4
.text:0043F33B sub_43F20C endp ; sp = 4
;=================================================================================
Follow the dialog's vtable address 57AEE0 to arrive here:

.rdata:0057AEE0 off_57AEE0 dd offset sub_563B94 ; DATA XREF: sub_43F20C+D5o
.rdata:0057AEE4 dd offset sub_43F33E
.rdata:0057AEE8 dd offset nullsub_50
.rdata:0057AEEC dd offset unknown_libname_12862 ; ?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z
.rdata:0057AEEC ; doubtful name
.rdata:0057AEF0 dd offset CWnd::OnFinalRelease(void)
.rdata:0057AEF4 dd offset unknown_libname_884
.rdata:0057AEF8 dd offset unknown_libname_885
.rdata:0057AEFC dd offset sub_54B286
.rdata:0057AF00 dd offset sub_54B289
.rdata:0057AF04 dd offset CCmdTarget::GetTypeLib(ulong, ITypeLib **)
.rdata:0057AF08 dd offset sub_43F4E4 // message-map function, keep following here
.rdata:0057AF0C dd offset sub_54B336
.rdata:0057AF10 dd offset sub_54B2D9
.rdata:0057AF14 dd offset sub_54B326
.rdata:0057AF18 dd offset sub_54B2E5
.rdata:0057AF1C dd offset sub_54B2DF
.rdata:0057AF20 dd offset sub_54B31D
.rdata:0057AF24 dd offset unknown_libname_886
.rdata:0057AF28 dd offset unknown_libname_888
.rdata:0057AF2C dd offset unknown_libname_887
.rdata:0057AF30 dd offset nullsub_24
.rdata:0057AF34 dd offset CWnd::Create(char const *, char const *, ulong, tagRECT const &, CWnd *, uint, CCreateContext *)
.rdata:0057AF38 dd offset CWnd::DestroyWindow(void)
.rdata:0057AF3C dd offset CWnd::PreCreateWindow(tagCREATESTRUCTA &)
.rdata:0057AF40 dd offset CWnd::CalcWindowRect(tagRECT *, uint)
.rdata:0057AF44 dd offset CWnd::OnToolHitTest(CPoint, tagTOOLINFOA *)
.rdata:0057AF48 dd offset unknown_libname_880
.rdata:0057AF4C dd offset CWnd::WinHelpA(ulong, uint)
.rdata:0057AF50 dd offset CWnd::ContinueModal(void)
.rdata:0057AF54 dd offset CWnd::EndModalLoop(int)
.rdata:0057AF58 dd offset CWnd::OnCommand(uint, long)
.rdata:0057AF5C dd offset CWnd::OnNotify(uint, long, long *)
.rdata:0057AF60 dd offset sub_546855
.rdata:0057AF64 dd offset sub_43F428
.rdata:0057AF68 dd offset CWnd::BeginModalState(void)
.rdata:0057AF6C dd offset CWnd::EndModalState(void)
.rdata:0057AF70 dd offset CDialog::PreTranslateMessage(tagMSG *)
.rdata:0057AF74 dd offset CWnd::OnAmbientProperty(COleControlSite *, long, tagVARIANT *)
.rdata:0057AF78 dd offset CWnd::WindowProc(uint, uint, long)
.rdata:0057AF7C dd offset CWnd::OnWndMsg(uint, uint, long, long *)
.rdata:0057AF80 dd offset CWnd::DefWindowProcA(uint, uint, long)
.rdata:0057AF84 dd offset nullsub_25
.rdata:0057AF88 dd offset CWnd::OnChildNotify(uint, uint, long, long *)
.rdata:0057AF8C dd offset CDialog::CheckAutoCenter(void)
.rdata:0057AF90 dd offset sub_548E97
.rdata:0057AF94 dd offset CDialog::SetOccDialogInfo(_AFX_OCC_DIALOG_INFO *)
.rdata:0057AF98 dd offset CDialog::DoModal(void)
.rdata:0057AF9C dd offset sub_43F4EA
.rdata:0057AFA0 dd offset nullsub_52
.rdata:0057AFA4 dd offset CDialog::OnOK(void)
.rdata:0057AFA8 dd offset CDialog::OnCancel(void)
.rdata:0057AFAC dd offset nullsub_53
;=================================================================================

Note CCmdTarget::GetTypeLib: following the address in the slot right after it, 43F4E4, leads to the functions that handle this dialog's messages.

.text:0043F4E4 sub_43F4E4 proc near ; DATA XREF: .rdata:0057AF08o
.text:0043F4E4 mov eax, offset off_57AE30
.text:0043F4E9 retn
.text:0043F4E9 sub_43F4E4 endp
;=================================================================================
Continue following address 57AE30 to arrive here:
.rdata:0057AE30 off_57AE30 dd offset off_5837E8 // points to the parent class's message handlers
.rdata:0057AE34 dd offset dword_57AE38 // this dialog's message handlers
.rdata:0057AE38 dword_57AE38 dd 111h
.rdata:0057AE3C dd 0
.rdata:0057AE40 dd 627h
.rdata:0057AE44 dd 627h
.rdata:0057AE48 dd 0Ch
.rdata:0057AE4C dd 43F682h
.rdata:0057AE50 dd 111h
.rdata:0057AE54 dd 0
.rdata:0057AE58 dd 1D3h
.rdata:0057AE5C dd 1D3h
.rdata:0057AE60 dd 0Ch
.rdata:0057AE64 dd 43F6A0h
.rdata:0057AE68 dd 111h // WM_COMMAND message
.rdata:0057AE6C dd 0
.rdata:0057AE70 dd 1D4h
.rdata:0057AE74 dd 1D4h // OK button id
.rdata:0057AE78 dd 0Ch
.rdata:0057AE7C dd 43F6B7h // handler of the OK button
.rdata:0057AE80 dd 111h
.rdata:0057AE84 dd 0
.rdata:0057AE88 dd 7D6h
.rdata:0057AE8C dd 7D6h
.rdata:0057AE90 dd 0Ch
.rdata:0057AE94 dd 43F7A4h
.rdata:0057AE98 dd 19h
.rdata:0057AE9C dd 0
.rdata:0057AEA0 dd 0
.rdata:0057AEA4 dd 0
.rdata:0057AEA8 dd 4
.rdata:0057AEAC dd 43F7ADh
.rdata:0057AEB0 dd 111h
.rdata:0057AEB4 dd 0
.rdata:0057AEB8 dd 623h
.rdata:0057AEBC dd 623h
.rdata:0057AEC0 dd 0Ch
.rdata:0057AEC4 dd 43F867h
.rdata:0057AEC8 dd 0
.rdata:0057AECC dd 0
.rdata:0057AED0 dd 0
.rdata:0057AED4 dd 0
.rdata:0057AED8 dd 0
.rdata:0057AEDC dd 0
;=================================================================================
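
The table above is an array of 24-byte records of six 32-bit fields, which is the 32-bit MFC AFX_MSGMAP_ENTRY layout (nMessage, nCode, nID, nLastID, nSig, pfn) closed by an all-zero record. The following decoder is an added example, not part of the original post: the function names are made up for illustration, and the sample bytes are rebuilt from the dwords listed at 0057AE38.

```python
import struct

# 32-bit MFC AFX_MSGMAP_ENTRY: nMessage, nCode, nID, nLastID, nSig, pfn
ENTRY = struct.Struct("<6I")
FIELDS = ("message", "code", "first_id", "last_id", "sig", "handler")
MESSAGE_NAMES = {0x0111: "WM_COMMAND", 0x0019: "WM_CTLCOLOR"}


def parse_message_map(blob):
    """Decode entries up to the all-zero terminator; reject truncated tables."""
    if len(blob) % ENTRY.size:
        raise ValueError("table length is not a multiple of 24 bytes")
    entries = []
    for offset in range(0, len(blob), ENTRY.size):
        values = ENTRY.unpack_from(blob, offset)
        if not any(values):          # end-of-map record
            return entries
        entries.append(dict(zip(FIELDS, values)))
    raise ValueError("no terminating all-zero entry found")


def find_handler(entries, message, control_id, code=0):
    """Return the handler address for a message/control id, or None."""
    for e in entries:
        if (e["message"] == message and e["code"] == code
                and e["first_id"] <= control_id <= e["last_id"]):
            return e["handler"]
    return None


def describe(entries):
    """One readable line per entry, for annotating a listing."""
    lines = []
    for e in entries:
        name = MESSAGE_NAMES.get(e["message"], "0x%04X" % e["message"])
        lines.append("%-12s id 0x%03X-0x%03X sig 0x%02X -> 0x%08X" % (
            name, e["first_id"], e["last_id"], e["sig"], e["handler"]))
    return lines


# Sample input rebuilt from the dwords shown at .rdata:0057AE38 in the post.
SAMPLE_DWORDS = [
    0x111, 0, 0x627, 0x627, 0x0C, 0x43F682,
    0x111, 0, 0x1D3, 0x1D3, 0x0C, 0x43F6A0,
    0x111, 0, 0x1D4, 0x1D4, 0x0C, 0x43F6B7,
    0x111, 0, 0x7D6, 0x7D6, 0x0C, 0x43F7A4,
    0x019, 0, 0x000, 0x000, 0x04, 0x43F7AD,
    0x111, 0, 0x623, 0x623, 0x0C, 0x43F867,
    0, 0, 0, 0, 0, 0,
]
SAMPLE_TABLE = struct.pack("<%dI" % len(SAMPLE_DWORDS), *SAMPLE_DWORDS)

if __name__ == "__main__":
    table = parse_message_map(SAMPLE_TABLE)
    for line in describe(table):
        print(line)
    # WM_COMMAND for control id 1D4h (the OK button)
    print("OK handler: 0x%08X" % find_handler(table, 0x0111, 0x1D4))
```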

OK, now we have found the handler of the OK button in the registration dialog. Let's look at this function:
.text:0043F6B7 sub_43F6B7 proc near
.text:0043F6B7 mov eax, offset unknown_libname_1327
.text:0043F6BC call __EH_prolog
.text:0043F6C1 push ecx
.text:0043F6C2 push esi
.text:0043F6C3 mov esi, ecx
.text:0043F6C5 push 1
.text:0043F6C7 call CWnd::UpdateData(int)
.text:0043F6CC mov ecx, [esi+1A0h]
.text:0043F6D2 lea eax, [esi+188h]
.text:0043F6D8 push eax
.text:0043F6D9 call CString::operator=(CString const &)
.text:0043F6DE mov ecx, [esi+1A0h]
.text:0043F6E4 lea eax, [esi+18Ch]
.text:0043F6EA push eax
.text:0043F6EB add ecx, 4
.text:0043F6EE call CString::operator=(CString const &)
.text:0043F6F3 mov ecx, [esi+1A0h]
.text:0043F6F9 lea eax, [esi+190h]
.text:0043F6FF push eax
.text:0043F700 add ecx, 8
.text:0043F703 call CString::operator=(CString const &)
.text:0043F708 mov ecx, [esi+1A0h]
.text:0043F70E lea eax, [esi+194h]
.text:0043F714 push eax
.text:0043F715 add ecx, 0Ch
.text:0043F718 call CString::operator=(CString const &)
.text:0043F71D mov ecx, [esi+1A0h]
.text:0043F723 lea eax, [esi+198h]
.text:0043F729 push eax
.text:0043F72A add ecx, 10h
.text:0043F72D call CString::operator=(CString const &)
.text:0043F732 lea eax, [esi+19Ch]
.text:0043F738 push 0
.text:0043F73A push eax
.text:0043F73B mov ecx, offset unk_5ECE48
.text:0043F740 call sub_46CB82 // this is the key function, analysed in detail below
.text:0043F745 test eax, eax
.text:0043F747 jz short loc_43F750 // returning 0 means failure
.text:0043F749 mov ecx, esi
.text:0043F74B call CDialog::OnOK(void)
.text:0043F750
.text:0043F750 loc_43F750:
.text:0043F750 mov eax, dword_5D537C // reaching here shows the registration-failure message
.text:0043F755 mov [ebp-10h], eax
.text:0043F758 and dword ptr [ebp-4], 0
.text:0043F75C push 0Dh ; Invalid License Key. Please try again or contact Wisdom Software
.text:0043F75E lea ecx, [ebp-10h]
.text:0043F761 call CString::LoadStringA(uint)
.text:0043F766 push 1037h
.text:0043F76B mov ecx, esi
.text:0043F76D call CWnd::GetDlgItem(int)
.text:0043F772 test eax, eax
.text:0043F774 jz short loc_43F780
.text:0043F776 push dword ptr [ebp-10h]
.text:0043F779 mov ecx, eax
.text:0043F77B call CWnd::SetWindowTextA(char const *)
.text:0043F780
.text:0043F780 loc_43F780:
.text:0043F780 lea ecx, [esi+14Ch]
.text:0043F786 call CWnd::SetFocus(void)
.text:0043F78B or dword ptr [ebp-4], 0FFFFFFFFh
.text:0043F78F lea ecx, [ebp-10h]
.text:0043F792 call CString::~CString(void)
.text:0043F797 mov ecx, [ebp-0Ch]
.text:0043F79A pop esi
.text:0043F79B mov large fs:0, ecx
.text:0043F7A2 leave
.text:0043F7A3 retn
.text:0043F7A3 sub_43F6B7 endp ; sp = 4
;=================================================================================

Step into the key function 46CB82:

.text:0046CB82 sub_46CB82 proc near
.text:0046CB82 mov eax, offset unknown_libname_1421
.text:0046CB87 call __EH_prolog
.text:0046CB8C push ecx
.text:0046CB8D push ebx
.text:0046CB8E xor ebx, ebx
.text:0046CB90 push esi
.text:0046CB91 push edi
.text:0046CB92 mov esi, ecx
.text:0046CB94 mov [ebp-10h], ebx
.text:0046CB97 push ebx
.text:0046CB98 push ebx
.text:0046CB99 push 0F003Fh
.text:0046CB9E push ebx
.text:0046CB9F push ebx
.text:0046CBA0 lea ecx, [ebp-10h]
.text:0046CBA3 push dword_5F0CC8
.text:0046CBA9 mov [ebp-4], ebx
.text:0046CBAC push 80000001h
.text:0046CBB1 call sub_466121
.text:0046CBB6 cmp eax, ebx
.text:0046CBB8 jl loc_46CCFE
.text:0046CBBE push dword ptr [ebp+0Ch]
.text:0046CBC1 mov edi, [ebp+8]
.text:0046CBC4 push edi
.text:0046CBC5 call fun1_422C8E // validation function 1 *****
.text:0046CBCA pop ecx
.text:0046CBCB test eax, eax
.text:0046CBCD pop ecx
.text:0046CBCE jz loc_46CCFC
.text:0046CBD4
.text:0046CBD4 loc_46CBD4:
.text:0046CBD4 mov eax, ebx
.text:0046CBD6 mov ecx, ebx
.text:0046CBD8 add eax, [edi+4]
.text:0046CBDB add ecx, [esi+120h]
.text:0046CBE1 push eax
.text:0046CBE2 call CString::operator=(CString const &)
.text:0046CBE7 add ebx, 4
.text:0046CBEA cmp ebx, 20 // copy the 5 key groups to [esi+120h]
.text:0046CBED jl short loc_46CBD4
.text:0046CBEF push 1
.text:0046CBF1 lea eax, [esi+11Ch]
.text:0046CBF7 pop ebx
.text:0046CBF8 push eax
.text:0046CBF9 mov [esi+130h], ebx
.text:0046CBFF call fun2_422EF1 // validation function 2 *****
.text:0046CC04 test eax, eax
.text:0046CC06 pop ecx
.text:0046CC07 jz short loc_46CC0F
.text:0046CC09 mov [esi+134h], ebx
.text:0046CC0F
.text:0046CC0F loc_46CC0F:
.text:0046CC0F mov ecx, [esi+120h]
.text:0046CC15 lea eax, [ebp+0Ch]
.text:0046CC18 push ebx ; 1
.text:0046CC19 push eax
.text:0046CC1A add ecx, 8
.text:0046CC1D call CString::Left(int) // take the leftmost character of the third key group
.text:0046CC22 push eax
.text:0046CC23 lea ecx, [esi+4C4h] // saved here
.text:0046CC29 mov [ebp-4], bl
.text:0046CC2C call CString::operator=(CString const &)
.text:0046CC31 and byte ptr [ebp-4], 0
.text:0046CC35 lea ecx, [ebp+0Ch]
.text:0046CC38 call CString::~CString(void)
.text:0046CC3D mov ecx, [esi+120h]
.text:0046CC43 lea eax, [ebp+0Ch]
.text:0046CC46 push 2
.text:0046CC48 push eax
.text:0046CC49 add ecx, 4
.text:0046CC4C call CString::Left(int) // take the leftmost 2 characters of the second key group
.text:0046CC51 push eax
.text:0046CC52 lea ecx, [esi+4C8h] // saved here
.text:0046CC58 mov byte ptr [ebp-4], 2
.text:0046CC5C call CString::operator=(CString const &)
.text:0046CC61 and byte ptr [ebp-4], 0
.text:0046CC65 lea ecx, [ebp+0Ch]
.text:0046CC68 call CString::~CString(void)
.text:0046CC6D xor edi, edi
.text:0046CC6F
.text:0046CC6F loc_46CC6F:
.text:0046CC6F mov eax, edi
.text:0046CC71 push ebx ; 1
.text:0046CC72 add eax, [esi+120h]
.text:0046CC78 push eax
.text:0046CC79 call sub_4230E4 ; encrypts the string
.text:0046CC7E add edi, 4
.text:0046CC81 pop ecx
.text:0046CC82 cmp edi, 14h
.text:0046CC85 pop ecx
.text:0046CC86 jl short loc_46CC6F
.text:0046CC88 mov eax, [esi+120h]
.text:0046CC8E lea ecx, [ebp-10h]
.text:0046CC91 push dword ptr [eax] ; the following 5 calls save the registration code to the registry
.text:0046CC93 push key_5F0F5C
.text:0046CC99 call sub_466387
.text:0046CC9E mov eax, [esi+120h]
.text:0046CCA4 lea ecx, [ebp-10h]
.text:0046CCA7 push dword ptr [eax+4]
.text:0046CCAA push key_5F0F58
.text:0046CCB0 call sub_466387
.text:0046CCB5 mov eax, [esi+120h]
.text:0046CCBB lea ecx, [ebp-10h]
.text:0046CCBE push dword ptr [eax+8]
.text:0046CCC1 push key_5F0F54
.text:0046CCC7 call sub_466387
.text:0046CCCC mov eax, [esi+120h]
.text:0046CCD2 lea ecx, [ebp-10h]
.text:0046CCD5 push dword ptr [eax+0Ch]
.text:0046CCD8 push key_5F0F50
.text:0046CCDE call sub_466387
.text:0046CCE3 mov eax, [esi+120h]
.text:0046CCE9 lea ecx, [ebp-10h]
.text:0046CCEC push dword ptr [eax+10h]
.text:0046CCEF push key_5F0F4C
.text:0046CCF5 call sub_466387
.text:0046CCFA jmp short loc_46CCFE
.text:0046CCFC ; ---------------------------------------------------------------------------
.text:0046CCFC
.text:0046CCFC loc_46CCFC:
.text:0046CCFC xor ebx, ebx
.text:0046CCFE
.text:0046CCFE loc_46CCFE:
.text:0046CCFE
.text:0046CCFE or dword ptr [ebp-4], 0FFFFFFFFh
.text:0046CD02 lea ecx, [ebp-10h]
.text:0046CD05 call sub_46610A
.text:0046CD0A mov ecx, [ebp-0Ch]
.text:0046CD0D pop edi
.text:0046CD0E mov eax, ebx
.text:0046CD10 pop esi
.text:0046CD11 pop ebx
.text:0046CD12 mov large fs:0, ecx
.text:0046CD19 leave
.text:0046CD1A retn 8
.text:0046CD1A sub_46CB82 endp ; sp = 4

As you can see, there are two validation functions above. They are analysed separately below.
First, fun1_422C8E:
=================================================================
.text:00422C8E fun1_422C8E proc near
.text:00422C8E
.text:00422C8E mov eax, offset unknown_libname_1253
.text:00422C93 call __EH_prolog
.text:00422C98 sub esp, 44h
.text:00422C9B push ebx
.text:00422C9C push esi
.text:00422C9D mov esi, [ebp+8]
.text:00422CA0 push edi
.text:00422CA1 mov eax, [esi+8]
.text:00422CA4 cmp eax, 5
.text:00422CA7 jnz loc_422E62
.text:00422CAD mov eax, [esi+4]
.text:00422CB0 xor ebx, ebx
.text:00422CB2 xor ecx, ecx
.text:00422CB4
.text:00422CB4 loc_422CB4:
.text:00422CB4 mov edx, [eax]
.text:00422CB6 cmp dword ptr [edx-8], 4
.text:00422CBA jnz loc_422E64
.text:00422CC0 inc ecx
.text:00422CC1 add eax, 4
.text:00422CC4 cmp ecx, 5 ; check that all 5 key groups are 4 characters long
.text:00422CC7 jl short loc_422CB4
.text:00422CC9 xor edi, edi
.text:00422CCB
.text:00422CCB loc_422CCB:
.text:00422CCB mov eax, [esi+4]
.text:00422CCE push dword ptr [edi+eax] ; char *
.text:00422CD1 lea eax, [ebp-28h]
.text:00422CD4 push eax ; char *
.text:00422CD5 call _strcpy ; copy one key group to [ebp-28]
.text:00422CDA movzx eax, byte ptr [ebp-26h] ; third character into eax
.text:00422CDE pop ecx
.text:00422CDF pop ecx
.text:00422CE0 movzx ecx, byte ptr [ebp-27h] ; second character into ecx
.text:00422CE4 add eax, ecx ; third character plus second character, sum in eax
.text:00422CE6 push 26
.text:00422CE8 movzx ecx, byte ptr [ebp-28h] ; first character into ecx
.text:00422CEC add eax, ecx ; add the first character to the sum above, sum in eax
.text:00422CEE pop ecx
.text:00422CEF cdq
.text:00422CF0 idiv ecx ; sum modulo 26
.text:00422CF2 add dl, 40h ; add 40h
.text:00422CF5 cmp dl, 40h
.text:00422CF8 jnz short loc_422CFD
.text:00422CFA add dl, 26 ; if the result is 40h, add another 26
.text:00422CFD
.text:00422CFD loc_422CFD:
.text:00422CFD cmp dl, [ebp-25h] ; compare with the fourth character; fail if they differ
.text:00422D00 jnz loc_422E64
.text:00422D06 add edi, 4
.text:00422D09 cmp edi, 10h ; process the first 4 groups in turn
.text:00422D0C jl short loc_422CCB
.text:00422D0E mov [ebp-10h], ebx ; index initialised to 0
.text:00422D11 mov ebx, offset asc_5C8424 ; "------"
.text:00422D16
.text:00422D16 loc_422D16:
.text:00422D16 mov esi, ebx
.text:00422D18 lea edi, [ebp-48h] ; fill [ebp-48] with 6 "-" characters
.text:00422D1B movsd
.text:00422D1C push 1
.text:00422D1E lea eax, [ebp-14h]
.text:00422D21 push dword ptr [ebp-10h] ; index
.text:00422D24 movsw
.text:00422D26 push eax
.text:00422D27 mov eax, [ebp+8]
.text:00422D2A movsb
.text:00422D2B mov ecx, [eax+4] ; first key group
.text:00422D2E call CString::Mid(int, int)
.text:00422D33 push dword ptr [eax] ; char * ; one character of the first key group at the index
.text:00422D35 lea eax, [ebp-48h]
.text:00422D38 push eax ; char *
.text:00422D39 call _strcpy ; copy to [ebp-48]
.text:00422D3E pop ecx
.text:00422D3F pop ecx
.text:00422D40 lea ecx, [ebp-14h]
.text:00422D43 call CString::~CString(void)
.text:00422D48 mov esi, ebx
.text:00422D4A lea edi, [ebp-40h]
.text:00422D4D push 1
.text:00422D4F lea eax, [ebp-18h]
.text:00422D52 push dword ptr [ebp-10h] ; index
.text:00422D55 movsd
.text:00422D56 push eax
.text:00422D57 mov eax, [ebp+8]
.text:00422D5A movsw
.text:00422D5C mov ecx, [eax+4]
.text:00422D5F add ecx, 4 ; second key group
.text:00422D62 movsb
.text:00422D63 call CString::Mid(int, int)
.text:00422D68 push dword ptr [eax] ; char * ; one character of the second key group at the index
.text:00422D6A lea eax, [ebp-40h]
.text:00422D6D push eax ; char *
.text:00422D6E call _strcpy ; copy to [ebp-40]
.text:00422D73 pop ecx
.text:00422D74 pop ecx
.text:00422D75 lea ecx, [ebp-18h]
.text:00422D78 call CString::~CString(void)
.text:00422D7D mov esi, ebx
.text:00422D7F lea edi, [ebp-38h]
.text:00422D82 push 1
.text:00422D84 lea eax, [ebp-1Ch]
.text:00422D87 push dword ptr [ebp-10h] ; index
.text:00422D8A movsd
.text:00422D8B push eax
.text:00422D8C mov eax, [ebp+8]
.text:00422D8F movsw
.text:00422D91 mov ecx, [eax+4]
.text:00422D94 add ecx, 8 ; third key group
.text:00422D97 movsb
.text:00422D98 call CString::Mid(int, int) ; one character of the third key group at the index
.text:00422D9D push dword ptr [eax] ; char *
.text:00422D9F lea eax, [ebp-38h]
.text:00422DA2 push eax ; char *
.text:00422DA3 call _strcpy ; copy to [ebp-38]
.text:00422DA8 pop ecx
.text:00422DA9 pop ecx
.text:00422DAA lea ecx, [ebp-1Ch]
.text:00422DAD call CString::~CString(void)
.text:00422DB2 mov esi, ebx
.text:00422DB4 lea edi, [ebp-30h]
.text:00422DB7 push 1
.text:00422DB9 lea eax, [ebp-20h]
.text:00422DBC push dword ptr [ebp-10h] ; index
.text:00422DBF movsd
.text:00422DC0 push eax
.text:00422DC1 mov eax, [ebp+8]
.text:00422DC4 movsw
.text:00422DC6 mov ecx, [eax+4]
.text:00422DC9 add ecx, 0Ch ; fourth key group
.text:00422DCC movsb
.text:00422DCD call CString::Mid(int, int) ; one character of the fourth key group at the index
.text:00422DD2 push dword ptr [eax] ; char *
.text:00422DD4 lea eax, [ebp-30h]
.text:00422DD7 push eax ; char *
.text:00422DD8 call _strcpy ; copy to [ebp-30]
.text:00422DDD pop ecx
.text:00422DDE pop ecx
.text:00422DDF lea ecx, [ebp-20h]
.text:00422DE2 call CString::~CString(void)
.text:00422DE7 mov esi, ebx
.text:00422DE9 lea edi, [ebp-50h]
.text:00422DEC push 1
.text:00422DEE lea eax, [ebp-28h]
.text:00422DF1 push dword ptr [ebp-10h] ; index
.text:00422DF4 movsd
.text:00422DF5 push eax
.text:00422DF6 mov eax, [ebp+8]
.text:00422DF9 movsw
.text:00422DFB mov ecx, [eax+4]
.text:00422DFE add ecx, 10h ; fifth key group
.text:00422E01 movsb
.text:00422E02 call CString::Mid(int, int) ; one character of the fifth key group at the index
.text:00422E07 push dword ptr [eax] ; char *
.text:00422E09 lea eax, [ebp-50h]
.text:00422E0C push eax ; char *
.text:00422E0D call _strcpy ; copy to [ebp-50]
.text:00422E12 pop ecx
.text:00422E13 pop ecx
.text:00422E14 lea ecx, [ebp-28h]
.text:00422E17 call CString::~CString(void)
.text:00422E1C movzx eax, byte ptr [ebp-30h]
.text:00422E20 movzx ecx, byte ptr [ebp-38h]
.text:00422E24 add eax, ecx
.text:00422E26 push 36
.text:00422E28 movzx ecx, byte ptr [ebp-40h]
.text:00422E2C add eax, ecx
.text:00422E2E movzx ecx, byte ptr [ebp-48h]
.text:00422E32 add eax, ecx ; the first 4 characters added together
.text:00422E34 pop ecx
.text:00422E35 cdq
.text:00422E36 idiv ecx ; sum modulo 36
.text:00422E38 add dl, 64 ; add 64
.text:00422E3B cmp dl, 'Z'
.text:00422E3E jbe short loc_422E43 ; if the result is greater than 'Z', subtract 42
.text:00422E40 add dl, -42
.text:00422E43
.text:00422E43 loc_422E43:
.text:00422E43 cmp dl, [ebp-50h] ; compare with the fifth character
.text:00422E46 jnz short loc_422E62
.text:00422E48 inc dword ptr [ebp-10h] ; index plus 1
.text:00422E4B cmp dword ptr [ebp-10h], 4
.text:00422E4F jl loc_422D16
.text:00422E55 push dword ptr [ebp+8] ; push the registration code onto the stack
.text:00422E58 call fun3_42306F ; call validation function 42306F
.text:00422E5D test eax, eax
.text:00422E5F pop ecx
.text:00422E60 jnz short loc_422EDF ; if 42306F returns non-zero, this function returns 1
.text:00422E62
.text:00422E62 loc_422E62:
.text:00422E62
.text:00422E62 xor ebx, ebx ; jumping here means validation failed
.text:00422E64
.text:00422E64 loc_422E64:
.text:00422E64
.text:00422E64 cmp [ebp+0Ch], ebx
.text:00422E67 jz short loc_422EDB
.text:00422E69 mov eax, dword_5D537C
.text:00422E6E mov [ebp+0Ch], eax
.text:00422E71 push 0Dh ; Invalid License Key. Please try again or contact Wisdom Software.
.text:00422E73 lea ecx, [ebp+0Ch]
.text:00422E76 mov [ebp-4], ebx
.text:00422E79 call CString::LoadStringA(uint)
.text:00422E7E mov eax, dword_5D537C
.text:00422E83 mov [ebp+8], eax
.text:00422E86 push 0Eh ; ScreenHunter Message
.text:00422E88 lea ecx, [ebp+8]
.text:00422E8B mov byte ptr [ebp-4], 1
.text:00422E8F call CString::LoadStringA(uint)
.text:00422E94 push dword ptr [ebp+8] ; lpWindowName
.text:00422E97 push ebx ; lpClassName
.text:00422E98 call ds:FindWindowA
.text:00422E9E cmp eax, ebx
.text:00422EA0 mov eax, [ebp+8]
.text:00422EA3 jz short loc_422EAA
.text:00422EA5 cmp [eax-8], ebx
.text:00422EA8 jg short loc_422EC3
.text:00422EAA
.text:00422EAA loc_422EAA:
.text:00422EAA cmp dword_5ED0C4, 6
.text:00422EB1 jz short loc_422EC3
.text:00422EB3 push 40010h ; uType
.text:00422EB8 push eax ; lpCaption
.text:00422EB9 push dword ptr [ebp+0Ch] ; lpText
.text:00422EBC push ebx ; hWnd
.text:00422EBD call ds:MessageBoxA
.text:00422EC3
.text:00422EC3 loc_422EC3:
.text:00422EC3
.text:00422EC3 and byte ptr [ebp-4], 0
.text:00422EC7 lea ecx, [ebp+8]
.text:00422ECA call CString::~CString(void)
.text:00422ECF or dword ptr [ebp-4], 0FFFFFFFFh
.text:00422ED3 lea ecx, [ebp+0Ch]
.text:00422ED6 call CString::~CString(void)
.text:00422EDB
.text:00422EDB loc_422EDB:
.text:00422EDB xor eax, eax
.text:00422EDD jmp short loc_422EE2
.text:00422EDF ; ---------------------------------------------------------------------------
.text:00422EDF
.text:00422EDF loc_422EDF:
.text:00422EDF push 1
.text:00422EE1 pop eax
.text:00422EE2
.text:00422EE2 loc_422EE2:
.text:00422EE2 mov ecx, [ebp-0Ch]
.text:00422EE5 pop edi
.text:00422EE6 pop esi
.text:00422EE7 pop ebx
.text:00422EE8 mov large fs:0, ecx
.text:00422EEF leave
.text:00422EF0 retn
.text:00422EF0 fun1_422C8E endp ; sp = 4

;=================================================================================
fun1_422C8E also calls the function fun3_42306F. Let's take a look at it:

.text:0042306F fun3_42306F proc near
.text:0042306F
.text:0042306F
.text:0042306F
.text:0042306F arg_0 = dword ptr 8
.text:0042306F
.text:0042306F push ebp
.text:00423070 mov ebp, esp
.text:00423072 push esi
.text:00423073 mov esi, [ebp+arg_0]
.text:00423076 push edi
.text:00423077 lea eax, [ebp+arg_0]
.text:0042307A mov ecx, [esi+4] ; first key group
.text:0042307D push 3
.text:0042307F push eax
.text:00423080 call CString::Left(int) ; take the first 3 characters
.text:00423085 push dword ptr [eax] ; char *
.text:00423087 push dword_5DFEA0 ; "SH4"
.text:0042308D call _strcmp ; compare against "SH4"
.text:00423092 pop ecx
.text:00423093 mov edi, eax
.text:00423095 pop ecx
.text:00423096 lea ecx, [ebp+arg_0]
.text:00423099 call CString::~CString(void)
.text:0042309E test edi, edi
.text:004230A0 jnz short loc_4230D2 ; jump if not equal
.text:004230A2 mov ecx, [esi+4]
.text:004230A5 push 1
.text:004230A7 lea eax, [ebp+arg_0]
.text:004230AA push 2
.text:004230AC push eax
.text:004230AD add ecx, 4 ; second key group
.text:004230B0 call CString::Mid(int, int) ; take the third character
.text:004230B5 push dword ptr [eax] ; char *
.text:004230B7 push dword_5DFE9C ; "9"
.text:004230BD call _strcmp ; compare against "9"
.text:004230C2 pop ecx
.text:004230C3 mov esi, eax
.text:004230C5 pop ecx
.text:004230C6 lea ecx, [ebp+arg_0]
.text:004230C9 call CString::~CString(void)
.text:004230CE test esi, esi
.text:004230D0 jz short loc_4230DD
.text:004230D2
.text:004230D2 loc_4230D2:
.text:004230D2 and dword_5ECF7C, 0 ; set the global registration-failed flag
.text:004230D9 xor eax, eax ; return 0 on failure
.text:004230DB jmp short loc_4230E0
.text:004230DD ; ---------------------------------------------------------------------------
.text:004230DD
.text:004230DD loc_4230DD:
.text:004230DD push 1
.text:004230DF pop eax
.text:004230E0
.text:004230E0 loc_4230E0:
.text:004230E0 pop edi
.text:004230E1 pop esi
.text:004230E2 pop ebp
.text:004230E3 retn
.text:004230E3 fun3_42306F endp

=================================================================
Now let's look at fun2_422EF1:

.text:00422EF1 fun2_422EF1 proc near
.text:00422EF1
.text:00422EF1
.text:00422EF1 var_30 = byte ptr -30h
.text:00422EF1 var_28 = byte ptr -28h
.text:00422EF1 var_20 = byte ptr -20h
.text:00422EF1 var_18 = dword ptr -18h
.text:00422EF1 var_14 = dword ptr -14h
.text:00422EF1 var_10 = dword ptr -10h
.text:00422EF1 var_C = dword ptr -0Ch
.text:00422EF1 var_8 = dword ptr -8
.text:00422EF1 var_1 = byte ptr -1
.text:00422EF1 arg_0 = dword ptr 8
.text:00422EF1
.text:00422EF1 push ebp
.text:00422EF2 mov ebp, esp
.text:00422EF4 sub esp, 30h
.text:00422EF7 push ebx
.text:00422EF8 push esi
.text:00422EF9 xor esi, esi
.text:00422EFB push edi
.text:00422EFC cmp dword_5ECF88, esi
.text:00422F02 jle loc_423054
.text:00422F08 cmp dword_5ECF8C, esi
.text:00422F0E jle loc_423054
.text:00422F14 cmp dword_5ECF90, esi
.text:00422F1A jle loc_423054
.text:00422F20 lea eax, [ebp+var_C]
.text:00422F23 push eax
.text:00422F24 call CTime::GetTickCount(void)
.text:00422F29 push 0FFFFFFFFh
.text:00422F2B push esi
.text:00422F2C push esi
.text:00422F2D push esi
.text:00422F2E push dword_5ECF90
.text:00422F34 lea ecx, [ebp+var_8]
.text:00422F37 push dword_5ECF8C
.text:00422F3D push dword_5ECF88
.text:00422F43 call CTime::CTime(int, int, int, int, int, int, int)
.text:00422F48 push ecx
.text:00422F49 mov ecx, [ebp+var_8]
.text:00422F4C mov eax, esp
.text:00422F4E mov [ebp+var_18], esp
.text:00422F51 mov [eax], ecx
.text:00422F53 lea eax, [ebp+var_18]
.text:00422F56 push eax
.text:00422F57 lea ecx, [ebp+var_C]
.text:00422F5A call sub_423060
.text:00422F5F mov eax, [eax]
.text:00422F61 mov ecx, 15180h
.text:00422F66 cdq
.text:00422F67 idiv ecx
.text:00422F69 cmp eax, 7 ; the check follows immediately
.text:00422F6C jl loc_423054
.text:00422F72 mov eax, dword ptr a815 ; "815"
.text:00422F77 mov [ebp+var_8], esi ; clear the index
.text:00422F7A mov [ebp+var_14], eax
.text:00422F7D mov ebx, offset asc_5C8424 ; "------"
.text:00422F82
.text:00422F82 loc_422F82:
.text:00422F82 mov esi, ebx
.text:00422F84 lea edi, [ebp+var_28]
.text:00422F87 push 1
.text:00422F89 lea eax, [ebp+var_C]
.text:00422F8C push [ebp+var_8] ; index
.text:00422F8F movsd
.text:00422F90 push eax
.text:00422F91 mov eax, [ebp+arg_0]
.text:00422F94 movsw
.text:00422F96 mov ecx, [eax+4]
.text:00422F99 add ecx, 4 ; second key group
.text:00422F9C movsb
.text:00422F9D call CString::Mid(int, int) ; take one character at the index
.text:00422FA2 push dword ptr [eax] ; char *
.text:00422FA4 lea eax, [ebp+var_28]
.text:00422FA7 push eax ; char *
.text:00422FA8 call _strcpy ; copy to var_28
.text:00422FAD pop ecx
.text:00422FAE pop ecx
.text:00422FAF lea ecx, [ebp+var_C]
.text:00422FB2 call CString::~CString(void)
.text:00422FB7 mov esi, ebx
.text:00422FB9 lea edi, [ebp+var_20]
.text:00422FBC movsd
.text:00422FBD movsw
.text:00422FBF movsb
.text:00422FC0 mov esi, [ebp+var_8] ; index
.text:00422FC3 push 1
.text:00422FC5 lea eax, [ebp+var_10]
.text:00422FC8 push esi
.text:00422FC9 push eax
.text:00422FCA mov eax, [ebp+arg_0]
.text:00422FCD mov ecx, [eax+4]
.text:00422FD0 add ecx, 8 ; third key group
.text:00422FD3 call CString::Mid(int, int) ; take one character at the index
.text:00422FD8 push dword ptr [eax] ; char *
.text:00422FDA lea eax, [ebp+var_20]
.text:00422FDD push eax ; char *
.text:00422FDE call _strcpy ; copy to var_20
.text:00422FE3 pop ecx
.text:00422FE4 pop ecx
.text:00422FE5 lea ecx, [ebp+var_10]
.text:00422FE8 call CString::~CString(void)
.text:00422FED movzx eax, byte ptr [ebp+esi+var_14] ; take one character of the string "815" at the index
.text:00422FF2 movzx ecx, [ebp+var_20]
.text:00422FF6 add eax, ecx ; add one character of the third key group
.text:00422FF8 push 10
.text:00422FFA movzx ecx, [ebp+var_28]
.text:00422FFE add eax, ecx ; add one character of the second key group
.text:00423000 pop ecx
.text:00423001 cdq
.text:00423002 idiv ecx ; modulo 10
.text:00423004 mov esi, ebx
.text:00423006 lea edi, [ebp+var_30]
.text:00423009 push 1
.text:0042300B lea eax, [ebp+var_18]
.text:0042300E push [ebp+var_8] ; index
.text:00423011 movsd
.text:00423012 push eax
.text:00423013 mov eax, [ebp+arg_0]
.text:00423016 movsw
.text:00423018 mov ecx, [eax+4]
.text:0042301B add ecx, 12 ; fourth key group
.text:0042301E movsb
.text:0042301F add dl, '0' ; remainder plus '0'
.text:00423022 mov [ebp+var_1], dl
.text:00423025 call CString::Mid(int, int) ; take one character at the index
.text:0042302A push dword ptr [eax] ; char *
.text:0042302C lea eax, [ebp+var_30]
.text:0042302F push eax ; char *
.text:00423030 call _strcpy ; copy to var_30
.text:00423035 pop ecx
.text:00423036 pop ecx
.text:00423037 lea ecx, [ebp+var_18]
.text:0042303A call CString::~CString(void)
.text:0042303F mov al, [ebp+var_1]
.text:00423042 cmp al, [ebp+var_30] ; compare
.text:00423045 jnz short loc_42305C
.text:00423047 inc [ebp+var_8] ; index plus 1
.text:0042304A cmp [ebp+var_8], 3 ; 3 comparisons in total
.text:0042304E jl loc_422F82
.text:00423054
.text:00423054 loc_423054:
.text:00423054
.text:00423054 push 1
.text:00423056 pop eax
.text:00423057
.text:00423057 loc_423057:
.text:00423057 pop edi
.text:00423058 pop esi
.text:00423059 pop ebx
.text:0042305A leave
.text:0042305B retn
.text:0042305C ; ---------------------------------------------------------------------------
.text:0042305C
.text:0042305C loc_42305C:
.text:0042305C xor eax, eax
.text:0042305E jmp short loc_423057
.text:0042305E fun2_422EF1 endp

===================================================================

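Tracing the dialog's call chain brings us to the code below, which determines how many users the license covers.
The first character of the third key group determines the license type.
If the license type is 'G', the first two characters of the second key group are the licensed user count.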

.text:00423130 sub_423130 proc near
.text:00423130
.text:00423130 push esi
.text:00423131 xor esi, esi
.text:00423133 push my_5ED30C ; char *
.text:00423139 push q_5DFE94_D ; char *
.text:0042313F call _strcmp
.text:00423144 pop ecx
.text:00423145 test eax, eax
.text:00423147 pop ecx
.text:00423148 jnz short loc_423152
.text:0042314A push 1
.text:0042314C
.text:0042314C loc_42314C:
.text:0042314C pop esi
.text:0042314D jmp loc_42329A
.text:00423152 ; ---------------------------------------------------------------------------
.text:00423152
.text:00423152 loc_423152:
.text:00423152 push my_5ED30C ; char *
.text:00423158 push q_5DFE8C_M ; char *
.text:0042315E call _strcmp
.text:00423163 pop ecx
.text:00423164 test eax, eax
.text:00423166 pop ecx
.text:00423167 jnz short loc_42316D
.text:00423169 push 5
.text:0042316B jmp short loc_42314C
.text:0042316D ; ---------------------------------------------------------------------------
.text:0042316D
.text:0042316D loc_42316D:
.text:0042316D push my_5ED30C ; char *
.text:00423173 push q_5DFE88_P ; char *
.text:00423179 call _strcmp
.text:0042317E pop ecx
.text:0042317F test eax, eax
.text:00423181 pop ecx
.text:00423182 jnz short loc_423188
.text:00423184 push 10
.text:00423186 jmp short loc_42314C
.text:00423188 ; ---------------------------------------------------------------------------
.text:00423188
.text:00423188 loc_423188:
.text:00423188 push my_5ED30C ; char *
.text:0042318E push q_5DFE84_Q ; char *
.text:00423194 call _strcmp
.text:00423199 pop ecx
.text:0042319A test eax, eax
.text:0042319C pop ecx
.text:0042319D jnz short loc_4231A3
.text:0042319F push 20
.text:004231A1 jmp short loc_42314C
.text:004231A3 ; ---------------------------------------------------------------------------
.text:004231A3
.text:004231A3 loc_4231A3:
.text:004231A3 push my_5ED30C ; char *
.text:004231A9 push q_5DFE80_R ; char *
.text:004231AF call _strcmp
.text:004231B4 pop ecx
.text:004231B5 test eax, eax
.text:004231B7 pop ecx
.text:004231B8 jnz short loc_4231BE
.text:004231BA push 50
.text:004231BC jmp short loc_42314C
.text:004231BE ; ---------------------------------------------------------------------------
.text:004231BE
.text:004231BE loc_4231BE:
.text:004231BE push my_5ED30C ; char *
.text:004231C4 push q_5DFE7C_S ; char *
.text:004231CA call _strcmp
.text:004231CF pop ecx
.text:004231D0 test eax, eax
.text:004231D2 pop ecx
.text:004231D3 jnz short loc_4231DC
.text:004231D5 push 100
.text:004231D7 jmp loc_42314C
.text:004231DC ; ---------------------------------------------------------------------------
.text:004231DC
.text:004231DC loc_4231DC:
.text:004231DC push my_5ED30C ; char *
.text:004231E2 push q_5DFE78_T ; char *
.text:004231E8 call _strcmp
.text:004231ED pop ecx
.text:004231EE test eax, eax
.text:004231F0 pop ecx
.text:004231F1 jnz short loc_4231FD
.text:004231F3 mov esi, 200
.text:004231F8 jmp loc_42329A
.text:004231FD ; ---------------------------------------------------------------------------
.text:004231FD
.text:004231FD loc_4231FD:
.text:004231FD push my_5ED30C ; char *
.text:00423203 push q_5DFE74_U ; char *
.text:00423209 call _strcmp
.text:0042320E pop ecx
.text:0042320F test eax, eax
.text:00423211 pop ecx
.text:00423212 jnz short loc_42321B
.text:00423214 mov esi, 500
.text:00423219 jmp short loc_42329A
.text:0042321B ; ---------------------------------------------------------------------------
.text:0042321B
.text:0042321B loc_42321B:
.text:0042321B push my_5ED30C ; char *
.text:00423221 push q_5DFE70_V ; char *
.text:00423227 call _strcmp
.text:0042322C pop ecx
.text:0042322D test eax, eax
.text:0042322F pop ecx
.text:00423230 jnz short loc_423239
.text:00423232 mov esi, 1000
.text:00423237 jmp short loc_42329A
.text:00423239 ; ---------------------------------------------------------------------------
.text:00423239
.text:00423239 loc_423239:
.text:00423239 push my_5ED30C ; char *
.text:0042323F push q_5DFE6C_W ; char *
.text:00423245 call _strcmp
.text:0042324A pop ecx
.text:0042324B test eax, eax
.text:0042324D pop ecx
.text:0042324E jnz short loc_423257
.text:00423250 mov esi, 2000
.text:00423255 jmp short loc_42329A
.text:00423257 ; ---------------------------------------------------------------------------
.text:00423257
.text:00423257 loc_423257:
.text:00423257 push my_5ED30C ; char *
.text:0042325D push q_5DFE68_X ; char *
.text:00423263 call _strcmp
.text:00423268 pop ecx
.text:00423269 test eax, eax
.text:0042326B pop ecx
.text:0042326C jnz short loc_423275
.text:0042326E mov esi, 5000
.text:00423273 jmp short loc_42329A
.text:00423275 ; ---------------------------------------------------------------------------
.text:00423275
.text:00423275 loc_423275:
.text:00423275 push my_5ED30C ; char *
.text:0042327B push q_5DFE90_G ; char *
.text:00423281 call _strcmp
.text:00423286 pop ecx
.text:00423287 test eax, eax
.text:00423289 pop ecx
.text:0042328A jnz short loc_42329A
.text:0042328C push my_5ED310 ; char *
.text:00423292 call _atoi
.text:00423297 pop ecx
.text:00423298 mov esi, eax
.text:0042329A
.text:0042329A loc_42329A:
.text:0042329A mov eax, esi
.text:0042329C pop esi
.text:0042329D retn
.text:0042329D sub_423130 endp

int GetUserCnt(void)
{
    char UserCnt;   // first character of the third key group
    char count[3];  // first two characters of the second key group

    if (UserCnt == 'D') return 1;
    if (UserCnt == 'M') return 5;
    if (UserCnt == 'P') return 10;
    if (UserCnt == 'Q') return 20;
    if (UserCnt == 'R') return 50;
    if (UserCnt == 'S') return 100;
    if (UserCnt == 'T') return 200;
    if (UserCnt == 'U') return 500;
    if (UserCnt == 'V') return 1000;
    if (UserCnt == 'W') return 2000;
    if (UserCnt == 'X') return 5000;
    if (UserCnt == 'G') return atoi(count);
    return 0;
}
======================================================================
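Now, to summarize:

First, the format of the registration code: XXXX-XXXX-XXXX-XXXX-XXXX
The code is split into 5 groups of 4 characters each. For convenience I refer to the five groups as key[0], key[1], key[2], key[3], key[4],
and to the individual characters within a group as key[0][0], key[0][1], and so on.
The first 3 characters of key[0] are fixed: "SH4".
key[1][2] is also fixed: '9'.
The first 3 characters of key[3] are determined by key[1], key[2] and the string "815".
The 4th character of each group is determined by the 3 characters before it.
The 4 characters of the 5th group are determined by the preceding 4 groups.
The first character of the third group determines the license type.
The second group is related to the licensed user count.

The keygen source code follows: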
{
SYSTEMTIME tm;
unsigned long seed;
char key[5][5];
int i;
int sum;
char tmp[4]="815";
char lk[25];

GetSystemTime(&tm);
seed=tm.wDay+tm.wDayOfWeek+tm.wHour+tm.wMilliseconds
+tm.wMinute+tm.wMonth+tm.wSecond+tm.wYear;
srand(seed);

memset(key,0,sizeof(key)/sizeof(char));
strcpy(key[0],"SH4Y");

key[1][0]=rand()%9+'1';
key[1][1]=rand()%10+'0';
key[1][2]='9';

key[2][0]='X';
key[2][1]=rand()%26+'A';
key[2][2]=rand()%26+'A';

for(i=0;i<3;i++)
{
sum=tmp+key[1]+key[2];
sum=sum%10+'0';
key[3]=sum;
}

for(i=1;i<4;i++)
{
sum=key[0]+key[1]+key[2];
sum=sum%26+0x40;
if(sum==0x40)sum+=26;
key[3]=sum;
}
for(i=0;i<4;i++)
{
sum=key[0]+key[1]+key[2]+key[3];
sum=sum%36+64;
if(sum>'Z')sum-=42;
key[4]=sum;
}

sprintf(lk,"%s-%s-%s-%s-%s",key[0],key[1],key[2],key[3],key[4]);
m_key=lk;
UpdateData(false);
}
