
[转载]全局变量简单分析:屏幕监视专家2.1

[转载]全局变量简单分析:屏幕监视专家2.1

文章作者:liyangsj




【使用工具】PEiD、OllyDbg 1.10
【破解平台】Winxp
【软件名称】屏幕监视专家2.1
【软件地址】http://www.tlxsoft.com/pmjszj/index.htm
【编写语言】C
一直在用它,不错。分析还是上个学期的事了,不能再拖了(不然忘了)。这里稍微整理了一下。
此软件烦在全局变量上,败也在全局变量上。
如果看到注册成功就收手,呵呵录像白屏!!
全局变量--下内存断点。
过程:
0041EF38/.55pushebp
0041EF39|.8BECmovebp,esp
0041EF3B|.83C4>addesp,-3C
0041EF3E|.8955>movdwordptrss:[ebp-3C],edx
0041EF41|.8945>movdwordptrss:[ebp-38],eax
0041EF44|.B8B>moveax,pmjszj.004A4BBC
0041EF49|.E86>callpmjszj.0048EDB8
0041EF4E|.66:C>movwordptrss:[ebp-24],8
0041EF54|.8D45>leaeax,dwordptrss:[ebp-4]
0041EF57|.E85>callpmjszj.004035AC
0041EF5C|.8BD0movedx,eax
0041EF5E|.FF45>incdwordptrss:[ebp-18]
0041EF61|.8B4D>movecx,dwordptrss:[ebp-38]
0041EF64|.8B81>moveax,dwordptrds:[ecx+2E4]
0041EF6A|.E83>callpmjszj.0045B2A0
0041EF6F|.8D55>leaedx,dwordptrss:[ebp-4]
0041EF72|.FF32pushdwordptrds:[edx];压入注册码
0041EF74|.8D45>leaeax,dwordptrss:[ebp-8]
0041EF77|.E83>callpmjszj.004035AC
0041EF7C|.8BD0movedx,eax
0041EF7E|.FF45>incdwordptrss:[ebp-18]
0041EF81|.8B4D>movecx,dwordptrss:[ebp-38]
0041EF84|.8B81>moveax,dwordptrds:[ecx+2DC]
0041EF8A|.E81>callpmjszj.0045B2A0
0041EF8F|.8D55>leaedx,dwordptrss:[ebp-8];|
0041EF92|.FF32pushdwordptrds:[edx];|压入用户名
0041EF94|.8B0D>movecx,dwordptrds:[4A93D0];|pmjszj._MainForm
0041EF9A|.FF31pushdwordptrds:[ecx];|Arg1
0041EF9C|.E8A>callpmjszj.0040EE44;\pmjszj.0040EE44
0041EFA1|.83C4>addesp,0C
0041EFA4|.FF4D>decdwordptrss:[ebp-18]
0041EFA7|.8D45>leaeax,dwordptrss:[ebp-8]
0041EFAA|.BA0>movedx,2
0041EFAF|.E8F>callpmjszj.004991AC
0041EFB4|.FF4D>decdwordptrss:[ebp-18]
0041EFB7|.8D45>leaeax,dwordptrss:[ebp-4]
0041EFBA|.BA0>movedx,2
0041EFBF|.E8E>callpmjszj.004991AC
0041EFC4|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm
0041EFCA|.FF31pushdwordptrds:[ecx];/Arg1
0041EFCC|.E84>callpmjszj.00409A14;\对注册码第一次判断--注册码码输入格式是否正确
0041EFD1|.59popecx
0041EFD2|.3C0>cmpal,1
0041EFD4|.0F85>jnzpmjszj.0041F05E
0041EFDA|.A1D>moveax,dwordptrds:[4A93D0]
0041EFDF|.FF30pushdwordptrds:[eax];/Arg1
0041EFE1|.E88>callpmjszj.00409A68;\第二次判断--用注册的前5位运算结果与机器码用户名计算的结果比较
0041EFE6|.59popecx
0041EFE7|.3C0>cmpal,1
0041EFE9|.757>jnzshortpmjszj.0041F05E;关键比较
0041EFEB|.66:C>movwordptrss:[ebp-24],14
0041EFF1|.BA3>movedx,pmjszj.004A4B30;注册成功
0041EFF6|.8D45>leaeax,dwordptrss:[ebp-C]
0041EFF9|.E8A>callpmjszj.00498FA0
0041EFFE|.FF45>incdwordptrss:[ebp-18]
0041F001|.8B00moveax,dwordptrds:[eax]
0041F003|.E86>callpmjszj.00456168
0041F008|.FF4D>decdwordptrss:[ebp-18]
0041F00B|.8D45>leaeax,dwordptrss:[ebp-C]
0041F00E|.BA0>movedx,2
0041F013|.E89>callpmjszj.004991AC
0041F018|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm
0041F01E|.8B01moveax,dwordptrds:[ecx]
0041F020|.C680>movbyteptrds:[eax+414],1
0041F027|.8B15>movedx,dwordptrds:[4A93D0];pmjszj._MainForm
0041F02D|.8B0Amovecx,dwordptrds:[edx]
0041F02F|.8B81>moveax,dwordptrds:[ecx+3C4]
0041F035|.B20>movdl,1
0041F037|.E85>callpmjszj.0043478C
0041F03C|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm
0041F042|.FF31pushdwordptrds:[ecx];/Arg1
0041F044|.E80>callpmjszj.0040AC54;\pmjszj.0040AC54
0041F049|.59popecx
0041F04A|.8B45>moveax,dwordptrss:[ebp-38]
0041F04D|.C680>movbyteptrds:[eax+2F4],1
0041F054|.8B45>moveax,dwordptrss:[ebp-38]
0041F057|.E84>callpmjszj.004490A0
0041F05C|.EB3>jmpshortpmjszj.0041F09A
0041F05E|>66:C>movwordptrss:[ebp-24],20
0041F064|.BA3>movedx,pmjszj.004A4B39;注册失败
0041F069|.8D45>leaeax,dwordptrss:[ebp-10]
0041F06C|.E82>callpmjszj.00498FA0
0041F071|.FF45>incdwordptrss:[ebp-18]
0041F074|.8B00moveax,dwordptrds:[eax]
0041F076|.E8E>callpmjszj.00456168
0041F07B|.FF4D>decdwordptrss:[ebp-18]
0041F07E|.8D45>leaeax,dwordptrss:[ebp-10]


………………………………………………………………………………………………………………………………
进入:0041EFCC|.E84>callpmjszj.00409A14;\对注册码第一次判断--注册码码输入格式是否正确
………………………………………………………………………………………………………………………………
00409A14/$55pushebp
00409A15|.8BECmovebp,esp
00409A17|.83C4>addesp,-8
00409A1A|.33C0xoreax,eax
00409A1C|.8945>movdwordptrss:[ebp-8],eax
00409A1F|.33D2xoredx,edx
00409A21|.8955>movdwordptrss:[ebp-4],edx
00409A24|>8B4D>/movecx,dwordptrss:[ebp+8];全加起来
00409A27|.8B45>|moveax,dwordptrss:[ebp-4]
00409A2A|.0FBE>|movsxedx,byteptrds:[ecx+eax+445];得到每一位注册码
00409A32|.0155>|adddwordptrss:[ebp-8],edx;把得到的每一位的ASCII加起来
00409A35|.FF45>|incdwordptrss:[ebp-4];计数器
00409A38|.837D>|cmpdwordptrss:[ebp-4],13;总共19位
00409A3C|.^7CE>\jlshortpmjszj.00409A24;将每一位值相加
00409A3E|.8B4D>movecx,dwordptrss:[ebp+8]
00409A41|.0FBE>movsxeax,byteptrds:[ecx+458];第20位的注册
00409A48|.83C0>addeax,-41;第20位的注册码的ASCII减去16进制41
00409A4B|.8945>movdwordptrss:[ebp-4],eax
00409A4E|.8B45>moveax,dwordptrss:[ebp-8];得到前19位相加之和
00409A51|.B91>movecx,14
00409A56|.99cdq
00409A57|.F7F9idivecx;得到前19位相加之和除以16进制14
00409A59|.3B55>cmpedx,dwordptrss:[ebp-4];相除的余数与第20位的注册码的ASCII减去16进制41的结果比较
00409A5C|.750>jnzshortpmjszj.00409A62
00409A5E|.B00>moval,1
00409A60|.EB0>jmpshortpmjszj.00409A64
00409A62|>33C0xoreax,eax
00409A64|>59popecx
00409A65|.59popecx
00409A66|.5Dpopebp
…………………………………………………………………………………………………………………………
上面检查输入格式,注册码一共有20位,第20位的注册码的ASCII减去41得到的结果
一定要等于前19位的输入码的ASCII相加的和除以20得到的余数。
…………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
进入0041EFE1|.E88>callpmjszj.00409A68;\第二次判断--用注册的前5位运算结果与机器码用户名计算的结果比较
…………………………………………………………………………………………………………………………………………
00409A68/$55pushebp
00409A69|.8BECmovebp,esp
00409A6B|.83C4>addesp,-58
00409A6E|.B81>moveax,pmjszj.0049E518
00409A73|.E84>callpmjszj.0048EDB8
00409A78|.33D2xoredx,edx
00409A7A|.8955>movdwordptrss:[ebp-30],edx
00409A7D|>8B4D>/movecx,dwordptrss:[ebp-30];控制位数
00409A80|.8B45>|moveax,dwordptrss:[ebp+8];用户名的基地址
00409A83|.8A94>|movdl,byteptrds:[eax+ecx+430];得到用户名各个字符的ASCII
00409A8A|.8B4D>|movecx,dwordptrss:[ebp-30]
00409A8D|.8B45>|moveax,dwordptrss:[ebp+8]
00409A90|.3294>|xordl,byteptrds:[eax+ecx+46F];用依次得到的用户名ASCII与依次得到机器码的每个字符的ASCII进行XOR运算
00409A97|.8B4D>|movecx,dwordptrss:[ebp-30];位数
00409A9A|.8854>|movbyteptrss:[ebp+ecx-54],dl;上面XOR结果存储了
00409A9E|.FF45>|incdwordptrss:[ebp-30];位数加1
00409AA1|.837D>|cmpdwordptrss:[ebp-30],14;一共20位
00409AA5|.^7CD>\jlshortpmjszj.00409A7D
…………………………………………………………………………………………………………………………
把用户名与机器码对应位的ASCII做XOR运算,结果储存起来用于下面再次运算
…………………………………………………………………………………………………………………………
00409AA7|.33D2xoredx,edx
00409AA9|.8955>movdwordptrss:[ebp-34],edx
00409AAC|.33C0xoreax,eax
00409AAE|.8945>movdwordptrss:[ebp-30],eax;计数器
00409AB1|>8B55>/movedx,dwordptrss:[ebp-30]
00409AB4|.0FBE>|movsxecx,byteptrss:[ebp+edx-54];依次得到上面刚刚处理好的20位结果
00409AB9|.894D>|movdwordptrss:[ebp-58],ecx
00409ABC|.DB45>|filddwordptrss:[ebp-58];把得到的ASCII码转化为10进制实数
00409ABF|.83C4>|addesp,-8;/
00409AC2|.DD1C>|fstpqwordptrss:[esp];|Arg1(8-byte)
00409AC5|.E82>|callpmjszj.004920F0;\pmjszj.004920F0
00409ACA|.83C4>|addesp,8
00409ACD|.DB45>|filddwordptrss:[ebp-30]
00409AD0|.DEC9|fmulpst(1),st;依次得到上面对应XOR的20个结果乘以位数
00409AD2|.DB45>|filddwordptrss:[ebp-34];得到上一次相加的结果
00409AD5|.DEC1|faddpst(1),st;加上这次计算(与位数相乘)的结果
00409AD7|.E83>|callpmjszj.00492118;把实数转化为16进制数
00409ADC|.8945>|movdwordptrss:[ebp-34],eax;结果储存
00409ADF|.FF45>|incdwordptrss:[ebp-30]
00409AE2|.837D>|cmpdwordptrss:[ebp-30],14
00409AE6|.^7CC>\jlshortpmjszj.00409AB1
00409AE8|.8145>adddwordptrss:[ebp-34],0D431;最后结果加上0D431
…………………………………………………………………………………………………………………………
把上面得到的结果用20位,每一位的ASCII分别乘以它自己的位数全部相加起来最后结果加上D431(16进制)
位数从0开始的
…………………………………………………………………………………………………………………………
00409AEF|.33D2xoredx,edx
00409AF1|.8955>movdwordptrss:[ebp-30],edx
00409AF4|>8B4D>/movecx,dwordptrss:[ebp-30];计数器
00409AF7|.8B45>|moveax,dwordptrss:[ebp+8]
00409AFA|.8A94>|movdl,byteptrds:[eax+ecx+445];依次得到得到注册码
00409B01|.80C2>|adddl,0E7;每一位注册码的ASCII加上0E7只有两位进位不算
00409B04|.8B4D>|movecx,dwordptrss:[ebp-30];位数
00409B07|.8854>|movbyteptrss:[ebp+ecx-3C],dl;储存了
00409B0B|.FF45>|incdwordptrss:[ebp-30]
00409B0E|.837D>|cmpdwordptrss:[ebp-30],5;只取前5位
00409B12|.^7CE>\jlshortpmjszj.00409AF4
00409B14|.C645>movbyteptrss:[ebp-37],0
00409B18|.8B45>moveax,dwordptrss:[ebp-34];得到上面加上0D431后的数据
00409B1B|.8B55>movedx,dwordptrss:[ebp+8]
00409B1E|.8982>movdwordptrds:[edx+418],eax;转存在另一个地方,重要的数据后面第三次用到的(由第三次计算后下内存断点得到这里)
00409B24|.8D45>leaeax,dwordptrss:[ebp-8]
00409B27|.8B55>movedx,dwordptrss:[ebp-34]
00409B2A|.E88>callpmjszj.004990B8;进入用机器码与用户名得到的结果计算出1个字符串
00409B2F|.50pusheax
00409B30|.FF45>incdwordptrss:[ebp-10]
00409B33|.66:C>movwordptrss:[ebp-1C],8
00409B39|.8D55>leaedx,dwordptrss:[ebp-3C]
00409B3C|.8D45>leaeax,dwordptrss:[ebp-4]
00409B3F|.E85>callpmjszj.00498FA0
00409B44|.FF45>incdwordptrss:[ebp-10]
00409B47|.5Apopedx
00409B48|.E82>callpmjszj.0049927C
00409B4D|.50pusheax
00409B4E|.FF4D>decdwordptrss:[ebp-10]
00409B51|.8D45>leaeax,dwordptrss:[ebp-8]
00409B54|.BA0>movedx,2
00409B59|.E84>callpmjszj.004991AC
00409B5E|.FF4D>decdwordptrss:[ebp-10]
00409B61|.8D45>leaeax,dwordptrss:[ebp-4]
00409B64|.BA0>movedx,2
00409B69|.E83>callpmjszj.004991AC
00409B6E|.58popeax
00409B6F|.84C0testal,al
00409B71|.740>jeshortpmjszj.00409B81
00409B73|.B00>moval,1
00409B75|.8B55>movedx,dwordptrss:[ebp-2C]
00409B78|.64:8>movdwordptrfs:[0],edx
00409B7F|.EB0>jmpshortpmjszj.00409B8D
00409B81|>33C0xoreax,eax
00409B83|.8B55>movedx,dwordptrss:[ebp-2C]
00409B86|.64:8>movdwordptrfs:[0],edx
00409B8D|>8BE5movesp,ebp
00409B8F|.5Dpopebp
……………………………………………………………………………………………………………………………………………………
00409B2A|.E88>callpmjszj.004990B8;进入用机器码与用户名得到的结果计算出1个字符串
……………………………………………………………………………………………………………………………………………………
004990D4|.8B55>movedx,dwordptrss:[ebp-4]
004990D7|.33C9xorecx,ecx
004990D9|.890Amovdwordptrds:[edx],ecx
004990DB|.53pushebx;/由用户名与机器码计算出来的数据
004990DC|.68E>pushpmjszj.004A8EE3;|Arg2=004A8EE3ASCII"%i"
004990E1|.FF75>pushdwordptrss:[ebp-4];|Arg1
004990E4|.E8F>callpmjszj.004992E8;\进入
004990E9|.83C4>addesp,0C
004990EC|.8B45>moveax,dwordptrss:[ebp-28]
004990EF|.64:6>movdwordptrfs:[0],eax

…………………………………………………………………………………………
进入004990E4|.E8F>callpmjszj.004992E8;\进入
…………………………………………………………………………………………………………………………
004992EF|.8D45>leaeax,dwordptrss:[ebp+10]
004992F2|.50pusheax;/Arg3
004992F3|.FF75>pushdwordptrss:[ebp+C];|Arg2
004992F6|.53pushebx;|Arg1
004992F7|.E8B>callpmjszj.004992AC;\进入
004992FC|.83C4>addesp,0C
004992FF|.8BC3moveax,ebx

…………………………………………………………………………………………………………………………
004992F7|.E8B>callpmjszj.004992AC;\进入
……………………………………………………………………………………………………………………………………
004992B0|.56pushesi
004992B1|.57pushedi
004992B2|.8B7D>movedi,dwordptrss:[ebp+C]
004992B5|.8B5D>movebx,dwordptrss:[ebp+8]
004992B8|.FF75>pushdwordptrss:[ebp+10];/Arg4
004992BB|.57pushedi;|Arg3
004992BC|.6A0>push0;|Arg2=00000000
004992BE|.6A0>push0;|Arg1=00000000
004992C0|.E89>callpmjszj.00490560;\进入
004992C5|.83C4>addesp,10
004992C8|.8BF0movesi,eax
004992CA|.8BD6movedx,esi
……………………………………………………………………………………………………
004992C0|.E89>callpmjszj.00490560;\进入
…………………………………………………………………………………………………………………………
0049057C|.8D45>leaeax,dwordptrss:[ebp+8];|
0049057F|.50pusheax;|Arg2
00490580|.680>pushpmjszj.00490500;|Arg1=00490500
00490585|.E80>callpmjszj.00490998;\pmjszj.00490998
0049058A|.83C4>addesp,18
……………………………………………………………………………………………………………………………………
进入00490585|.E80>callpmjszj.00490998;\pmjszj.00490998
………………………………………………………………………………………………………………………………
00490DD2|>\8A45>|moval,byteptrss:[ebp-1D]
00490DD5|.50|pusheax;/Arg6
00490DD6|.51|pushecx;|Arg5
00490DD7|.8B55>|movedx,dwordptrss:[ebp-38];|
00490DDA|.52|pushedx;|Arg4
00490DDB|.8B4D>|movecx,dwordptrss:[ebp-18];|
00490DDE|.51|pushecx;|Arg3
00490DDF|.FF75>|pushdwordptrss:[ebp-24];|Arg2
00490DE2|.FF75>|pushdwordptrss:[ebp-28];|Arg1
00490DE5|.E8B>|callpmjszj.004921A8;\进入计算出注册码的前5位
00490DEA|.83C4>|addesp,18
00490DED|>837D>|cmpdwordptrss:[ebp-8],0
00490DF1|.0F8C>|jlpmjszj.00491010
00490DF7|.8B55>|movedx,dwordptrss:[ebp-18]
…………………………………………………………………………………………………………
进入
……………………………………………………………………………………………………………………
004921A8/$55pushebp
004921A9|.8BECmovebp,esp
004921AB|.83C4>addesp,-44
004921AE|.53pushebx
004921AF|.56pushesi
004921B0|.57pushedi
004921B1|.8B7D>movedi,dwordptrss:[ebp+14]
004921B4|.8B75>movesi,dwordptrss:[ebp+10]
004921B7|.83FF>cmpedi,2
004921BA|.0F8C>jlpmjszj.0049224C
004921C0|.83FF>cmpedi,24
004921C3|.0F8F>jgpmjszj.0049224C
004921C9|.837D>cmpdwordptrss:[ebp+C],0
004921CD|.750>jnzshortpmjszj.004921D7
004921CF|.837D>cmpdwordptrss:[ebp+8],0
004921D3|.732>jnbshortpmjszj.004921F6
004921D5|.EB0>jmpshortpmjszj.004921D9
004921D7|>7D1>jgeshortpmjszj.004921F6
004921D9|>807D>cmpbyteptrss:[ebp+18],0
004921DD|.741>jeshortpmjszj.004921F6
004921DF|.C606>movbyteptrds:[esi],2D
004921E2|.46incesi
004921E3|.8B45>moveax,dwordptrss:[ebp+8]
004921E6|.8B55>movedx,dwordptrss:[ebp+C]
004921E9|.F7D8negeax
004921EB|.83D2>adcedx,0
004921EE|.8945>movdwordptrss:[ebp+8],eax
004921F1|.F7DAnegedx
004921F3|.8955>movdwordptrss:[ebp+C],edx
004921F6|>8D5D>leaebx,dwordptrss:[ebp-44];这里是计算前5位注册码的地方
004921F9|>8BC7/moveax,edi
004921FB|.99|cdq
004921FC|.52|pushedx;0
004921FD|.50|pusheax;A
004921FE|.8B45>|moveax,dwordptrss:[ebp+8];得到机器码与用户名计算出来的数据
00492201|.8B55>|movedx,dwordptrss:[ebp+C]
00492204|.E82>|callpmjszj.00491C2E;机器码与用户名计算出来的数据计算出来的值除以A得到余数
00492209|.8803|movbyteptrds:[ebx],al;余数储存
0049220B|.8BC7|moveax,edi
0049220D|.99|cdq
0049220E|.52|pushedx;0
0049220F|.50|pusheax;A
00492210|.8B45>|moveax,dwordptrss:[ebp+8];得到机器码与用户名计算出来的数据
00492213|.8B55>|movedx,dwordptrss:[ebp+C]
00492216|.43|incebx
00492217|.E84>|callpmjszj.00491B6B;机器码与用户名计算出来的数据计算出来的值除以A得到商
0049221C|.8945>|movdwordptrss:[ebp+8],eax;把得到的商储存覆盖原来的计算出来的值
0049221F|.8955>|movdwordptrss:[ebp+C],edx
00492222|.83FA>|cmpedx,0
00492225|.^75D>|jnzshortpmjszj.004921F9
00492227|.83F8>|cmpeax,0
0049222A|.^75C>\jnzshortpmjszj.004921F9;上面的循环是把机器码与用户名计算的值一次一次除以A得到余数
0049222C|.EB1>jmpshortpmjszj.00492245
0049222E|>4B/decebx
0049222F|.8A03|moval,byteptrds:[ebx];依次从最后得到的余数值
00492231|.3C0>|cmpal,0A
00492233|.7D0>|jgeshortpmjszj.0049223D;是否大于A不可能的必不跳
00492235|.83C0>|addeax,30;加30
00492238|.8806|movbyteptrds:[esi],al;储存了!!
0049223A|.46|incesi
0049223B|.EB0>|jmpshortpmjszj.00492245
0049223D|>0245>|addal,byteptrss:[ebp+1C]
00492240|.04F>|addal,0F6
00492242|.8806|movbyteptrds:[esi],al
00492244|.46|incesi
00492245|>8D55>leaedx,dwordptrss:[ebp-44];得到上面余数地址
00492248|.3BDA|cmpebx,edx
0049224A|.^75E>\jnzshortpmjszj.0049222E
0049224C|>C606>movbyteptrds:[esi],0
0049224F|.8B45>moveax,dwordptrss:[ebp+10];得到一串字符串,肯定为0~9
00492252|.5Fpopedi
00492253|.5Epopesi
00492254|.5Bpopebx
00492255|.8BE5movesp,ebp
00492257|.5Dpopebp
…………………………………………………………………………………………………………………………
用机器码与用户名得到的结果(乘以位数加上D341之后的)分别除以A得到余数再加上30,得到一串字符串,
必定在0~9之间;用这个字符串与输入码处理后的前5位进行比较
…………………………………………………………………………………………………………………………
00409B6E|.58popeax
00409B6F|.84C0testal,al
00409B71|.740>jeshortpmjszj.00409B81
00409B73|.B00>moval,1
00409B75|.8B55>movedx,dwordptrss:[ebp-2C]
00409B78|.64:8>movdwordptrfs:[0],edx
00409B7F|.EB0>jmpshortpmjszj.00409B8D
00409B81|>33C0xoreax,eax
…………………………………………………………………………………………………………………………
0041EFE1|.E88>callpmjszj.00409A68;\第二次判断--用注册的前5位运算结果与机器码用户名计算的结果比较
0041EFE6|.59popecx
0041EFE7|.3C0>cmpal,1
0041EFE9|.757>jnzshortpmjszj.0041F05E;关键比较
0041EFEB|.66:C>movwordptrss:[ebp-24],14
0041EFF1|.BA3>movedx,pmjszj.004A4B30;注册成功
0041EFF6|.8D45>leaeax,dwordptrss:[ebp-C]
0041EFF9|.E8A>callpmjszj.00498FA0
0041EFFE|.FF45>incdwordptrss:[ebp-18]
0041F001|.8B00moveax,dwordptrds:[eax]
0041F003|.E86>callpmjszj.00456168
0041F008|.FF4D>decdwordptrss:[ebp-18]
0041F00B|.8D45>leaeax,dwordptrss:[ebp-C]
0041F00E|.BA0>movedx,2
0041F013|.E89>callpmjszj.004991AC
0041F018|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm
0041F01E|.8B01moveax,dwordptrds:[ecx]
0041F020|.C680>movbyteptrds:[eax+414],1
0041F027|.8B15>movedx,dwordptrds:[4A93D0];pmjszj._MainForm
0041F02D|.8B0Amovecx,dwordptrds:[edx]
0041F02F|.8B81>moveax,dwordptrds:[ecx+3C4]
0041F035|.B20>movdl,1
0041F037|.E85>callpmjszj.0043478C
0041F03C|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm
0041F042|.FF31pushdwordptrds:[ecx];/Arg1
0041F044|.E80>callpmjszj.0040AC54;\pmjszj.0040AC54
0041F049|.59popecx
0041F04A|.8B45>moveax,dwordptrss:[ebp-38]
0041F04D|.C680>movbyteptrds:[eax+2F4],1
0041F054|.8B45>moveax,dwordptrss:[ebp-38]
0041F057|.E84>callpmjszj.004490A0
0041F05C|.EB3>jmpshortpmjszj.0041F09A
0041F05E|>66:C>movwordptrss:[ebp-24],20
0041F064|.BA3>movedx,pmjszj.004A4B39;注册失败
0041F069|.8D45>leaeax,dwordptrss:[ebp-10]
0041F06C|.E82>callpmjszj.00498FA0
0041F071|.FF45>incdwordptrss:[ebp-18]
0041F074|.8B00moveax,dwordptrds:[eax]
0041F076|.E8E>callpmjszj.00456168
0041F07B|.FF4D>decdwordptrss:[ebp-18]
0041F07E|.8D45>leaeax,dwordptrss:[ebp-10]
………………………………………………………………………………………………………………………………………………
总结:
把用户名与机器码对应位的ASCII做XOR运算得到20位结果,每一位的ASCII分别乘以它自己的
位数全部相加起来,最后结果加上D431(16进制),位数从0开始;结果分别除以A得到余数再加上30,得到一串字符串,
必定在0~9之间;这个字符串一共有5个字符,用这5个字符的ASCII加上16进制19,即得到输入码的前5位字符
输入码一共有20位字符,第20位有要求:
第20位的注册码的ASCII减去41得到的结果
一定要等于前19位的输入码的ASCII相加的和除以20得到的余数

其中:把用户名与机器码对应的ASCIIXOR运算得到20位结果,得到的结果用20位,每一位的ASCII分别乘以它自己的
位数全部相加起来最后结果加上D431(16进制)位数从0开始的用到第三次。结果为A。
…………………………………………………………………………………………………………………………………………
如果看到注册成功就收手,呵呵录像白屏!!
…………………………………………………………………………………………………………
第二部分:
………………………………………………………………………………………………………………………………
004026C8$55pushebp;这里准备计算第二组(第10位到第16位)计算及判断
004026C9.8BECmovebp,esp
004026CB.83C4>addesp,-34
004026CE.53pushebx
004026CF.56pushesi
004026D0.57pushedi
004026D1.B83>moveax,pmjszj.0049BE38
004026D6.E8D>callpmjszj.0048EDB8
004026DB.33D2xoredx,edx
004026DD.8955>movdwordptrss:[ebp-2C],edx
004026E0.66:C>movwordptrss:[ebp-14],8
004026E6.FF35>pushdwordptrds:[_MainForm];/Arg1=00E720CC
004026EC.E8D>callpmjszj.004029D0;\处理机器码的地方(处理的结果为第二次判断作准备)
004026F1.59popecx
004026F2.B90>movecx,0A
004026F7.8B55>movedx,dwordptrss:[ebp+8]
004026FA.8B45>moveax,dwordptrss:[ebp+C]
004026FD.8B18movebx,dwordptrds:[eax]
004026FF.FF53>calldwordptrds:[ebx+8]
00402702.8B45>moveax,dwordptrss:[ebp+C]
00402705.E89>callpmjszj.00479FA4
0040270A.8945>movdwordptrss:[ebp-30],eax
0040270D.8D55>leaedx,dwordptrss:[ebp-2C]
00402710.B90>movecx,4
00402715.8B45>moveax,dwordptrss:[ebp+C]
00402718.8B18movebx,dwordptrds:[eax]
0040271A.FF53>calldwordptrds:[ebx+8]
0040271D.FF35>pushdwordptrds:[_MainForm]
00402723.E87>callpmjszj.00402AA0;这里要得到全局变量(注册码)进行转化后计算
00402728.59popecx
00402729.8B55>movedx,dwordptrss:[ebp+8]
0040272C.83C2>addedx,24
0040272F.B90>movecx,4
00402734.8B45>moveax,dwordptrss:[ebp+C]
00402737.8B18movebx,dwordptrds:[eax]
00402739.FF53>calldwordptrds:[ebx+8]
0040273C.8B55>movedx,dwordptrss:[ebp+8]
0040273F.83C2>addedx,28
00402742.B90>movecx,4
00402747.8B45>moveax,dwordptrss:[ebp+C]
0040274A.8B18movebx,dwordptrds:[eax]
0040274C.FF53>calldwordptrds:[ebx+8]
0040274F.8B55>movedx,dwordptrss:[ebp+8]
00402752.83C2>addedx,38
00402755.B90>movecx,4
0040275A.8B45>moveax,dwordptrss:[ebp+C]
0040275D.8B18movebx,dwordptrds:[eax]
0040275F.FF53>calldwordptrds:[ebx+8]
00402762.8B55>movedx,dwordptrss:[ebp+8]
00402765.83C2>addedx,3C
00402768.B90>movecx,4
0040276D.8B45>moveax,dwordptrss:[ebp+C]
00402770.8B18movebx,dwordptrds:[eax]
00402772.FF53>calldwordptrds:[ebx+8]
00402775.8B55>movedx,dwordptrss:[ebp+8]
00402778.83C2>addedx,2C
0040277B.B90>movecx,4
00402780.8B45>moveax,dwordptrss:[ebp+C]
00402783.8B18movebx,dwordptrds:[eax]
00402785.FF53>calldwordptrds:[ebx+8]
00402788.A14>moveax,dwordptrds:[_MainForm]
0040278D.80B8>cmpbyteptrds:[eax+414],0
00402794.752>jnzshortpmjszj.004027BF
00402796.8B15>movedx,dwordptrds:[_MainForm]
0040279C.8B8A>movecx,dwordptrds:[edx+3EC]
004027A2.8B41>moveax,dwordptrds:[ecx+6C]
004027A5.8B15>movedx,dwordptrds:[_MainForm]
004027AB.3B82>cmpeax,dwordptrds:[edx+484]
004027B1.7E0>jleshortpmjszj.004027BF
004027B3.8B4D>movecx,dwordptrss:[ebp+8]
004027B6.C741>movdwordptrds:[ecx+24],2
004027BD.EB0>jmpshortpmjszj.004027CB
004027BF>FF35>pushdwordptrds:[_MainForm]
004027C5.E8E>callpmjszj.00402BB4;这里两个结果相减了一定要保证等于0(其实是前6相减的绝对值小于10-6)
004027CA.59popecx;00E720CC
004027CB>8B45>moveax,dwordptrss:[ebp+8]
004027CE.8378>cmpdwordptrds:[eax+24],0
004027D2.740>jeshortpmjszj.004027E1
004027D4.8B55>movedx,dwordptrss:[ebp+8]
004027D7.837A>cmpdwordptrds:[edx+24],1
004027DB.0F85>jnzpmjszj.0040291F
004027E1>8B55>movedx,dwordptrss:[ebp+8]
004027E4.83C2>addedx,1C
004027E7.B90>movecx,4
004027EC.8B45>moveax,dwordptrss:[ebp+C]
004027EF.8B18movebx,dwordptrds:[eax]
004027F1.FF53>calldwordptrds:[ebx+8]
004027F4.8B55>movedx,dwordptrss:[ebp+8]
004027F7.83C2>addedx,20
004027FA.B90>movecx,4
004027FF.8B45>moveax,dwordptrss:[ebp+C]
00402802.8B18movebx,dwordptrds:[eax]
00402804.FF53>calldwordptrds:[ebx+8]
00402807.8B55>movedx,dwordptrss:[ebp+8]
0040280A.83C2>addedx,30
0040280D.B90>movecx,4
00402812.8B45>moveax,dwordptrss:[ebp+C]
00402815.8B18movebx,dwordptrds:[eax]
00402817.FF53>calldwordptrds:[ebx+8]
0040281A.A14>moveax,dwordptrds:[_MainForm];下面是验证上面两处是否相等
0040281F.D980>flddwordptrds:[eax+42C];又得到刚才的结果数据
00402825.D80D>fmuldwordptrds:[4029CC];乘以1000
0040282B.E8E>callpmjszj.00492118;将结果转化为16进制放到EAX中
00402830.8945>movdwordptrss:[ebp-2C],eax;存储此处一定要为0
00402833.8B45>moveax,dwordptrss:[ebp+C]
00402836.E86>callpmjszj.00479FA4
0040283B.8BD0movedx,eax
0040283D.8B0D>movecx,dwordptrds:[_MainForm]
00402843.33C0xoreax,eax
00402845.8A81>moval,byteptrds:[ecx+414]
0040284B.0FAF>imuleax,dwordptrss:[ebp-2C];上面的结果乘以0
0040284F.03D0addedx,eax
00402851.8B45>moveax,dwordptrss:[ebp+C]
00402854.E85>callpmjszj.00479FB4
00402859.8B55>movedx,dwordptrss:[ebp+8]
0040285C.8B4A>movecx,dwordptrds:[edx+14]
0040285F.8B41>moveax,dwordptrds:[ecx+8]
00402862.8945>movdwordptrss:[ebp-2C],eax
……………………………………………………………………………………………………………………………………………………
进入00402723.E87>callpmjszj.00402AA0;这里要得到全局变量(注册码)进行转化后计算
…………………………………………………………………………………………………………………………………………………………
00402AA0$55pushebp
00402AA1.8BECmovebp,esp
00402AA3.83C4>addesp,-48
00402AA6.53pushebx
00402AA7.56pushesi
00402AA8.57pushedi
00402AA9.B8F>moveax,pmjszj.0049DAFC
00402AAE.E80>callpmjszj.0048EDB8
00402AB3.66:C>movwordptrss:[ebp-1C],8
00402AB9.8D45>leaeax,dwordptrss:[ebp-4]
00402ABC.E8E>callpmjszj.004035AC
00402AC1.FF45>incdwordptrss:[ebp-10]
00402AC4.66:C>movwordptrss:[ebp-1C],14
00402ACA.33D2xoredx,edx
00402ACC.8955>movdwordptrss:[ebp-30],edx
00402ACF>B90>movecx,0F
00402AD4.2B4D>subecx,dwordptrss:[ebp-30]
00402AD7.8B45>moveax,dwordptrss:[ebp+8]
00402ADA.8A94>movdl,byteptrds:[eax+ecx+445];这里取值了第二次取值。(全局变量)!!(是下内存访问断点首先来到这里的)
00402AE1.80C2>adddl,0EC;从后面向前面取值(第16位到第10位)分别加上EC
00402AE4.8B4D>movecx,dwordptrss:[ebp-30]
00402AE7.8854>movbyteptrss:[ebp+ecx-48],dl;存储了
00402AEB.FF45>incdwordptrss:[ebp-30]
00402AEE.837D>cmpdwordptrss:[ebp-30],6
00402AF2.^7CD>jlshortpmjszj.00402ACF
00402AF4.C645>movbyteptrss:[ebp-42],0
00402AF8.66:C>movwordptrss:[ebp-1C],20
00402AFE.8D55>leaedx,dwordptrss:[ebp-48];取从第16位开始的6位向前是个小数
00402B01.8D45>leaeax,dwordptrss:[ebp-8]
00402B04.E89>callpmjszj.00498FA0
00402B09.FF45>incdwordptrss:[ebp-10]
00402B0C.8D55>leaedx,dwordptrss:[ebp-8]
00402B0F.8D45>leaeax,dwordptrss:[ebp-4]
00402B12.E8C>callpmjszj.004991DC
00402B17.FF4D>decdwordptrss:[ebp-10]
00402B1A.8D45>leaeax,dwordptrss:[ebp-8]
00402B1D.BA0>movedx,2
00402B22.E88>callpmjszj.004991AC
00402B27.66:C>movwordptrss:[ebp-1C],2C
00402B2D.8D45>leaeax,dwordptrss:[ebp-4]
00402B30.E8A>callpmjszj.004994E0;把上面根据注册码转变来的小数转化为实数
00402B35.8B55>movedx,dwordptrss:[ebp+8]
00402B38.D99A>fstpdwordptrds:[edx+428]
00402B3E.66:C>movwordptrss:[ebp-1C],14
00402B44.EB1>jmpshortpmjszj.00402B5C
00402B46.8B4D>movecx,dwordptrss:[ebp+8]
00402B49.33C0xoreax,eax
00402B4B.8981>movdwordptrds:[ecx+428],eax
00402B51.66:C>movwordptrss:[ebp-1C],34
00402B57.E83>callpmjszj.00496092
00402B5C>8B55>movedx,dwordptrss:[ebp+8]
00402B5F.D982>flddwordptrds:[edx+428]
00402B65.83C4>addesp,-8;/
00402B68.DD1C>fstpqwordptrss:[esp];|Arg1(8-byte)
00402B6B.E85>callpmjszj.004934C4;\将转化后的值进行取SIN值(计算器中的弧度值)
00402B70.83C4>addesp,8
00402B73.DC0D>fmulqwordptrds:[402BAC];SIN后的值与固定值进行相乘0.88891
00402B79.8B4D>movecx,dwordptrss:[ebp+8]
00402B7C.D8A9>fsubrdwordptrds:[ecx+428];再次用注册码转化来的小数减去上面得到的结果值
00402B82.8B45>moveax,dwordptrss:[ebp+8]
00402B85.D998>fstpdwordptrds:[eax+428];结果存储起来
00402B8B.FF4D>decdwordptrss:[ebp-10]
00402B8E.8D45>leaeax,dwordptrss:[ebp-4]
00402B91.BA0>movedx,2
00402B96.E81>callpmjszj.004991AC
00402B9B.8B4D>movecx,dwordptrss:[ebp-2C]
00402B9E.64:8>movdwordptrfs:[0],ecx
00402BA5.5Fpopedi
00402BA6.5Epopesi
00402BA7.5Bpopebx
00402BA8.8BE5movesp,ebp
00402BAA.5Dpopebp
00402BAB.C3retn
………………………………………………………………………………………………………………………………………………
这里是:将注册码的第16位开始向前取6位每一位加上EC变成ASCII其实是个小数,(转化为实数)结果为B再进行运算B-0.88891*SINB
这个值然后与机器码计算出来的值比较看是否相等。
…………………………………………………………………………………………………………………………………………………………
004027C5.E8E>callpmjszj.00402BB4;这里两个结果相减了一定要保证等于0(其实是前6相减的绝对值小于10-6)
……………………………………………………………………………………………………………………………………………………………………
00402BB4/$55pushebp;呵呵
00402BB5|.8BECmovebp,esp
00402BB7|.8B45>moveax,dwordptrss:[ebp+8]
00402BBA|.D980>flddwordptrds:[eax+428];得到刚才的值
00402BC0|.8B55>movedx,dwordptrss:[ebp+8]
00402BC3|.D8A2>fsubdwordptrds:[edx+424];减去由机器码计算出来的值
00402BC9|.83C4>addesp,-8;/
00402BCC|.DD1C>fstpqwordptrss:[esp];|Arg1(8-byte)
00402BCF|.E81>callpmjszj.004920F0;\将负数变位正数
00402BD4|.83C4>addesp,8
00402BD7|.8B4D>movecx,dwordptrss:[ebp+8]
00402BDA|.D999>fstpdwordptrds:[ecx+42C];存储
00402BE0|.5Dpopebp
……………………………………………………………………………………………………………………………………
上面就是与机器码计算出来的值进行比较
……………………………………………………………………………………………………………………………………
这里就是进行处理机器码的地方:004026EC.E8D>callpmjszj.004029D0
…………………………………………………………………………………………………………………………
004029D0/$55pushebp;处理机器码的地方
004029D1|.8BECmovebp,esp
004029D3|.83C4>addesp,-2C
004029D6|.33C0xoreax,eax
004029D8|.8945>movdwordptrss:[ebp-C],eax
004029DB|>8B55>/movedx,dwordptrss:[ebp+8]
004029DE|.8B4D>|movecx,dwordptrss:[ebp-C]
004029E1|.8A84>|moval,byteptrds:[edx+ecx+46F];依次得到每一位机器码
004029E8|.8B55>|movedx,dwordptrss:[ebp+8]
004029EB|.8B4D>|movecx,dwordptrss:[ebp-C]
004029EE|.0A84>|oral,byteptrds:[edx+ecx+430];依次得到每一位机器码与用户名进行OR运算
004029F5|.8B55>|movedx,dwordptrss:[ebp-C]
004029F8|.8844>|movbyteptrss:[ebp+edx-24],al;保存
004029FC|.FF45>|incdwordptrss:[ebp-C]
004029FF|.837D>|cmpdwordptrss:[ebp-C],14
00402A03|.^7CD>\jlshortpmjszj.004029DB;这一段就是就机器码与用户名对应位进行OR运算最后结果保存
00402A05|.33C0xoreax,eax;这里处理机器码了
00402A07|.8945>movdwordptrss:[ebp-8],eax
00402A0A|.33C9xorecx,ecx
00402A0C|.894D>movdwordptrss:[ebp-C],ecx
00402A0F|>8B45>/moveax,dwordptrss:[ebp-C]
00402A12|.0FBE>|movsxedx,byteptrss:[ebp+eax-24];得到刚才计算出来的每一位
00402A17|.8955>|movdwordptrss:[ebp-28],edx
00402A1A|.DB45>|filddwordptrss:[ebp-28];将每一位机器码转化为实数
00402A1D|.83C4>|addesp,-8;/
00402A20|.DD1C>|fstpqwordptrss:[esp];|存储
00402A23|.E8C>|callpmjszj.004920F0;\负数转化为正数
00402A28|.83C4>|addesp,8
00402A2B|.B91>|movecx,14
00402A30|.2B4D>|subecx,dwordptrss:[ebp-C]
00402A33|.894D>|movdwordptrss:[ebp-2C],ecx
00402A36|.DB45>|filddwordptrss:[ebp-2C]
00402A39|.DEC9|fmulpst(1),st;将刚才计算出来的每一位机器码转化10进制后乘以(20减去位数)
00402A3B|.DB45>|filddwordptrss:[ebp-8];装入前一次的结果
00402A3E|.DEC1|faddpst(1),st;将每一次结果加起来
00402A40|.E8D>|callpmjszj.00492118;结果转化位16进制放到EAX中
00402A45|.8945>|movdwordptrss:[ebp-8],eax
00402A48|.FF45>|incdwordptrss:[ebp-C];下一位
00402A4B|.837D>|cmpdwordptrss:[ebp-C],14
00402A4F|.^7CB>\jlshortpmjszj.00402A0F
00402A51|.8B45>moveax,dwordptrss:[ebp-8]
00402A54|.B9A>movecx,186A0;固定值100000
00402A59|.99cdq
00402A5A|.F7F9idivecx;上面的结果除以100000
00402A5C|.8955>movdwordptrss:[ebp-4],edx;余数存储
00402A5F|.8B45>moveax,dwordptrss:[ebp-8];取上面相加的值
00402A62|.053>addeax,3039;将上面相加的值加上12345
00402A67|.250>andeax,80000007;结果与80000007进行与运算
00402A6C|.790>jnsshortpmjszj.00402A73;如果是E数
00402A6E|.48deceax
00402A6F|.83C8>oreax,FFFFFFF8
00402A72|.40inceax
00402A73|>8945>movdwordptrss:[ebp-8],eax;存储
00402A76|.DB45>filddwordptrss:[ebp-8];装入这个值
00402A79|.DB45>filddwordptrss:[ebp-4];在装入前面除以100000的余数值
00402A7C|.DB2D>fldtbyteptrds:[402A94];装入固定值1.5283002229637196370E-06
00402A82|.DEC9fmulpst(1),st;余数乘以固定值1.5283002229637196370E-06
00402A84|.DEC1faddpst(1),st;再加上2
00402A86|.8B55>movedx,dwordptrss:[ebp+8]
00402A89|.D99A>fstpdwordptrds:[edx+424];结果存储了
00402A8F|.8BE5movesp,ebp
00402A91|.5Dpopebp
00402A92\.C3retn
……………………………………………………………………………………………………………………………………………………


第三部分;注意来到这里是随机的
…………………………………………………………………………………………………………………………………………………………
00406A10/$55pushebp;这里就是计算正确第三组数据的地方
00406A11|.8BECmovebp,esp
00406A13|.83C4>addesp,-8
00406A16|.8B45>moveax,dwordptrss:[ebp+8]
00406A19|.8B90>movedx,dwordptrds:[eax+418];取出第一次计算计算出来的数据(是根据在EAX+418下内存访问断点知道是第一次计算中的结果)
00406A1F|.8955>movdwordptrss:[ebp-4],edx
00406A22|.8B4D>movecx,dwordptrss:[ebp-4]
00406A25|.81C1>addecx,4D44;取出的结果加上4D44
00406A2B|.894D>movdwordptrss:[ebp-8],ecx
00406A2E|.DB45>filddwordptrss:[ebp-8]
00406A31|.DC0D>fmulqwordptrds:[406A68];结果乘以3.14
00406A37|.DB2D>fldtbyteptrds:[406A70]
00406A3D|.DEC9fmulpst(1),st;结果再乘以0.1594896331738437110
00406A3F|.E8D>callpmjszj.00492118
00406A44|.8945>movdwordptrss:[ebp-4],eax
00406A47|.8B45>moveax,dwordptrss:[ebp-4]
00406A4A|.B9A>movecx,186A0
00406A4F|.99cdq
00406A50|.F7F9idivecx
00406A52|.8955>movdwordptrss:[ebp-4],edx
00406A55|.8B45>moveax,dwordptrss:[ebp-4]
00406A58|.8B55>movedx,dwordptrss:[ebp+8]
00406A5B|.8982>movdwordptrds:[edx+41C],eax;写入了(就是根据这里的地址(EDX+41C)下内存访问断点来到这里的)
00406A61|.59popecx
00406A62|.59popecx
00406A63|.5Dpopebp
00406A64\.C3retn
……………………………………………………………………………………………………………………………………………………………………
用第一次计算出来的值A再加上4D44,再乘以3.14,再乘以0.1594896331738437110
……………………………………………………………………………………………………………………………………………………………………

00406E50/$55pushebp;注意来到这里是随机的!!这里是第三次比较判断:计算第三部分注册码的地方
00406E51|.8BECmovebp,esp
00406E53|.83C4>addesp,-34
00406E56|.33C0xoreax,eax
00406E58|.8945>movdwordptrss:[ebp-4],eax
00406E5B|>8B55>/movedx,dwordptrss:[ebp-4]
00406E5E|.8B4D>|movecx,dwordptrss:[ebp+8]
00406E61|.0FBE>|movsxeax,byteptrds:[ecx+edx+46F]
00406E69|.250>|andeax,80000001
00406E6E|.790>|jnsshortpmjszj.00406E75
00406E70|.48|deceax
00406E71|.83C8>|oreax,FFFFFFFE
00406E74|.40|inceax
00406E75|>85C0|testeax,eax
00406E77|.752>|jnzshortpmjszj.00406EA8
00406E79|.8B55>|movedx,dwordptrss:[ebp-4]
00406E7C|.8B4D>|movecx,dwordptrss:[ebp+8]
00406E7F|.8A84>|moval,byteptrds:[ecx+edx*2+44A]
00406E86|.04E>|addal,0E7
00406E88|.8B55>|movedx,dwordptrss:[ebp-4]
00406E8B|.8844>|movbyteptrss:[ebp+edx*2-1C],al
00406E8F|.8B4D>|movecx,dwordptrss:[ebp-4]
00406E92|.8B45>|moveax,dwordptrss:[ebp+8]
00406E95|.8A94>|movdl,byteptrds:[eax+ecx*2+44B]
00406E9C|.80C2>|adddl,0E7
00406E9F|.8B4D>|movecx,dwordptrss:[ebp-4]
00406EA2|.8854>|movbyteptrss:[ebp+ecx*2-1B],dl
00406EA6|.EB2>|jmpshortpmjszj.00406ED5
00406EA8|>8B45>|moveax,dwordptrss:[ebp-4]
00406EAB|.8B55>|movedx,dwordptrss:[ebp+8]
00406EAE|.8A8C>|movcl,byteptrds:[edx+eax*2+44B];取第6位开始这一组的输入码(在全局变量〔可以在保存时候可以看到我这里00e72511看到,[edx+eax*2+44B]下内存断点)
00406EB5|.80C1>|addcl,0E7
00406EB8|.8B45>|moveax,dwordptrss:[ebp-4]
00406EBB|.884C>|movbyteptrss:[ebp+eax*2-1C],cl
00406EBF|.8B55>|movedx,dwordptrss:[ebp-4]
00406EC2|.8B4D>|movecx,dwordptrss:[ebp+8]
00406EC5|.8A84>|moval,byteptrds:[ecx+edx*2+44A]
00406ECC|.04E>|addal,0E7
00406ECE|.8B55>|movedx,dwordptrss:[ebp-4]
00406ED1|.8844>|movbyteptrss:[ebp+edx*2-1B],al
00406ED5|>FF45>|incdwordptrss:[ebp-4]
00406ED8|.837D>|cmpdwordptrss:[ebp-4],2
00406EDC|.^0F8C>\jlpmjszj.00406E5B;这个循环取出四组数据
00406EE2|.8B4D>movecx,dwordptrss:[ebp+8]
00406EE5|.FFB1>pushdwordptrds:[ecx+41C];/取出ECX+41C地址的数据(根据这里地址ECX+41C下内存访问断点去上一层找怎么样计算出来的数据的)
00406EEB|.682>pushpmjszj.0049BB2E;|Arg2=0049BB2EASCII"%d"
00406EF0|.8D45>leaeax,dwordptrss:[ebp-34];|
00406EF3|.50pusheax;|Arg1
00406EF4|.E82>callpmjszj.00490628;\将前面计算出来的用于比较的值转化为十进制
00406EF9|.83C4>addesp,0C
00406EFC|.8B55>movedx,dwordptrss:[ebp+8]
00406EFF|.8A8A>movcl,byteptrds:[edx+44E];第5组了
00406F05|.80C1>addcl,0E7
00406F08|.884D>movbyteptrss:[ebp-18],cl
00406F0B|.C645>movbyteptrss:[ebp-17],0
00406F0F|.33C0xoreax,eax
00406F11|.8945>movdwordptrss:[ebp-4],eax
00406F14|>8B55>/movedx,dwordptrss:[ebp-4]
00406F17|.0FBE>|movsxecx,byteptrss:[ebp+edx-1C]
00406F1C|.83F9>|cmpecx,28
00406F1F|.750>|jnzshortpmjszj.00406F29
00406F21|.8B45>|moveax,dwordptrss:[ebp-4]
00406F24|.C644>|movbyteptrss:[ebp+eax-1C],0
00406F29|>FF45>|incdwordptrss:[ebp-4]
00406F2C|.837D>|cmpdwordptrss:[ebp-4],4
00406F30|.^7CE>\jlshortpmjszj.00406F14
00406F32|.8D55>leaedx,dwordptrss:[ebp-1C]
00406F35|.52pushedx
00406F36|.8D4D>leaecx,dwordptrss:[ebp-34]
00406F39|.51pushecx
00406F3A|.E8C>callpmjszj.0048EB00;取第6到10位与计算出来的进行比较
00406F3F|.83C4>addesp,8
00406F42|.8B55>movedx,dwordptrss:[ebp+8]
00406F45|.8982>movdwordptrds:[edx+420],eax
00406F4B|.8BE5movesp,ebp
00406F4D|.5Dpopebp
00406F4E\.C3retn
………………………………………………………………………………………………………………………………………………
第三次:
将用第一次计算出来的值A再加上4D44,再乘以3.14,再乘以0.1594896331738437110的结果取其整数部分,与
输入码的第6、7、8、9、10位分别加上E7后的数比较
………………………………………………………………………………………………………………………………………………


总结:注册分三步:
第一步:(看上去成功,其实…………
把用户名与机器码对应位的ASCII做XOR运算得到20位结果,每一位的ASCII分别乘以它自己的
位数全部相加起来,最后结果加上D431(16进制),位数从0开始;结果分别除以A得到余数再加上30,得到一串字符串,
必定在0~9之间;这个字符串一共有5个字符,用这5个字符的ASCII加上16进制19,即得到输入码的前5位字符
输入码一共有20位字符,第20位有要求:
第20位的注册码的ASCII减去41得到的结果
一定要等于前19位的输入码的ASCII相加的和除以20得到的余数

其中:把用户名与机器码对应的ASCIIXOR运算得到20位结果,得到的结果用20位,每一位的ASCII分别乘以它自己的
位数全部相加起来最后结果加上D431(16进制)位数从0开始的用到第三次。结果为A。

第二步:
将注册码的第16位开始向前取6位每一位加上EC变成ASCII其实是个小数,(转化为实数)结果为B再进行运算B-0.88891*SINB
这个值然后与机器码计算出来的值比较看是否相等。(当然要写注册机的会要反过来哦-解方程吧)


第三步:
第三次:
将用第一次计算出来的值A再加上4D44,再乘以3.14,再乘以0.1594896331738437110的结果取其整数部分,与
输入码的第6、7、8、9、10位分别加上E7后的数比较
………………………………………………………………………………………………………………………………………………
