Tools: TRW 2000 (doll edition), W32Dasm, Windows Calculator, Regmon.
Open the registration dialog and enter the name happycreator with the registration code 123456789.
In TRW 2000 set a breakpoint: bpx hmemcpy
Click "OK" and the breakpoint hits.
We land at 004317d2.
Looking downward:
:004317EE 8D4C2460 lea ecx, dword ptr [esp+60]
:004317F2 50 push eax
:004317F3 51 push ecx
:004317F4 E8F7FBFFFF call 004313F0 <----- the key call!
:004317F9 83C408 add esp, 00000008
:004317FC 85C0 test eax, eax
:004317FE 0F84AD000000 je 004318B1
:00431804 8D542410 lea edx, dword ptr [esp+10]
:00431808 8D44240C lea eax, dword ptr [esp+0C]
:0043180C 52 push edx
:0043180D 50 push eax
:0043180E 6A00 push 00000000
:00431810 683F000F00 push 000F003F
:00431815 6A00 push 00000000
:00431817 6814ED4400 push 0044ED14
:0043181C 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Software\gamani\GIFMovieGear\2.0"
|
:0043181E 68B8B34400 push 0044B3B8
:00431823 6801000080 push 80000001
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:00431828 FF1514804400 Call dword ptr [00448014]
:0043182E 8D7C2460 lea edi, dword ptr [esp+60]
:00431832 83C9FF or ecx, FFFFFFFF
:00431835 33C0 xor eax, eax
:00431837 8B54240C mov edx, dword ptr [esp+0C]
:0043183B F2 repnz
:0043183C AE scasb
:0043183D F7D1 not ecx
* Reference To: ADVAPI32.RegSetvalueExA, Ord:0186h
|
:0043183F 8B1D08804400 mov ebx, dword ptr [00448008]
:00431845 51 push ecx
:00431846 8D4C2464 lea ecx, dword ptr [esp+64]
:0043184A 51 push ecx
:0043184B 6A01 push 00000001
:0043184D 50 push eax
* Possible StringData Ref from Data Obj ->"RegName3"
|
:0043184E 6890D44400 push 0044D490
:00431853 52 push edx
:00431854 FFD3 call ebx
:00431856 8DBC24C4000000 lea edi, dword ptr [esp+000000C4]
:0043185D 83C9FF or ecx, FFFFFFFF
:00431860 33C0 xor eax, eax
:00431862 F2 repnz
:00431863 AE scasb
:00431864 F7D1 not ecx
:00431866 8D8424C4000000 lea eax, dword ptr [esp+000000C4]
:0043186D 51 push ecx
:0043186E 8B4C2410 mov ecx, dword ptr [esp+10]
:00431872 50 push eax
:00431873 6A01 push 00000001
:00431875 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"RegCode3"
|
:00431877 689CD44400 push 0044D49C
:0043187C 51 push ecx
:0043187D FFD3 call ebx
:0043187F 8B54240C mov edx, dword ptr [esp+0C]
:00431883 52 push edx
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00431884 FF1518804400 Call dword ptr [00448018]
* Possible StringData Ref from Data Obj ->"Software\Loani\MG3t"
|
:0043188A 68A8D44400 push 0044D4A8
:0043188F 6802000080 push 80000002
* Reference To: ADVAPI32.RegDeleteKeyA, Ord:0162h
|
:00431894 FF1510804400 Call dword ptr [00448010]
:0043189A 6A01 push 00000001
:0043189C 56 push esi
-------------------------------------------------------------------------
:004313F0 53 push ebx
:004313F1 55 push ebp
:004313F2 8B6C2410 mov ebp, dword ptr [esp+10]
:004313F6 56 push esi
:004313F7 57 push edi
:004313F8 807D006D cmp byte ptr [ebp+00], 6D<---- first char must be "m", otherwise fail
:004313FC 0F85A0000000 jne 004314A2
:00431402 807D0167 cmp byte ptr [ebp+01], 67<------ second char must be "g"
:00431406 0F8596000000 jne 004314A2
:0043140C 807D0233 cmp byte ptr [ebp+02], 33<----- third char must be "3"
:00431410 0F858C000000 jne 004314A2
:00431416 807D0337 cmp byte ptr [ebp+03], 37<----- fourth char must be "7"
:0043141A 0F8582000000 jne 004314A2
<--- fix these four characters and try again.
* Possible Indirect StringData Ref from Data Obj ->"mvg21951736"<--- not sure whether this is a previously blacklisted registration code?
|
:00431420 BBBCD44400 mov ebx, 0044D4BC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00431446(C)
|
:00431425 8B13 mov edx, dword ptr [ebx]
:00431427 83C9FF or ecx, FFFFFFFF
:0043142A 8BFA mov edi, edx
:0043142C 33C0 xor eax, eax
:0043142E F2 repnz
:0043142F AE scasb
:00431430 F7D1 not ecx
:00431432 49 dec ecx
:00431433 8BFA mov edi, edx
:00431435 8BF5 mov esi, ebp
:00431437 33C0 xor eax, eax
:00431439 F3 repz
:0043143A A6 cmpsb
:0043143B 7465 je 004314A2
:0043143D 83C304 add ebx, 00000004
:00431440 81FBC0D44400 cmp ebx, 0044D4C0
:00431446 7CDD jl 00431425
:00431448 807D0473 cmp byte ptr [ebp+04], 73<---- is the fifth char "s"? change it and try.
:0043144C 7501 jne 0043144F
:0043144E 45 inc ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043144C(C)
|
:0043144F 83C507 add ebp, 00000007
:00431452 55 push ebp
:00431453 E8C4DD0000 call 0043F21C<------- the key computation on the registration code!
:00431458 8B542418 mov edx, dword ptr [esp+18]
:0043145C 83C404 add esp, 00000004
:0043145F 8BFA mov edi, edx<---- the computation on the registration name begins!
:00431461 33C9 xor ecx, ecx
:00431463 8A12 mov dl, byte ptr [edx]
:00431465 BEDF0B0000 mov esi, 00000BDF<--- initial value of esi.
:0043146A 84D2 test dl, dl
:0043146C 7426 je 00431494
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00431492(C)
|
:0043146E 0FBED2 movsx edx, dl<--- each character of the name goes into edx
:00431471 41 inc ecx<------ ecx is the position counter
:00431472 0FAFD1 imul edx, ecx<------ multiply the position by the ASCII code of the name character.
:00431475 03F2 add esi, edx<----- add the product into esi
:00431477 81FEBE170000 cmp esi, 000017BE
:0043147D 7E06 jle 00431485
:0043147F 81EEBE170000 sub esi, 000017BE<--- in the end esi is the remainder modulo 17be.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043147D(C)
|
:00431485 83F90A cmp ecx, 0000000A<---- ecx cycles in groups of ten.
:00431488 7E02 jle 0043148C
:0043148A 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00431488(C)
|
:0043148C 8A5701 mov dl, byte ptr [edi+01]
:0043148F 47 inc edi
:00431490 84D2 test dl, dl<---- until the name is exhausted.
:00431492 75DA jne 0043146E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043146C(C)
|
:00431494 3BF0 cmp esi, eax<---- compare with the result computed from the registration code; unequal means failure!
:00431496 750A jne 004314A2
:00431498 5F pop edi
:00431499 5E pop esi
:0043149A 5D pop ebp
:0043149B B801000000 mov eax, 00000001
:004314A0 5B pop ebx
:004314A1 C3 ret
:0043F21C FF742404 push [esp+04]
:0043F220 E86CFFFFFF call 0043F191<----- step into!
:0043F225 59 pop ecx
:0043F226 C3 ret
--------------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:0043F220 , :004463E3 , :00446411 , :0044643C
|
:0043F191 53 push ebx
:0043F192 55 push ebp
:0043F193 56 push esi
:0043F194 57 push edi
:0043F195 8B7C2414 mov edi, dword ptr [esp+14]<--- edi points at the ninth character.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1C5(U)
|
:0043F199 833D4CE2440001 cmp dword ptr [0044E24C], 00000001<--- check whether the input is exhausted
:0043F1A0 7E0F jle 0043F1B1
:0043F1A2 0FB607 movzx eax, byte ptr [edi]
:0043F1A5 6A08 push 00000008
:0043F1A7 50 push eax
:0043F1A8 E812230000 call 004414BF
:0043F1AD 59 pop ecx
:0043F1AE 59 pop ecx
:0043F1AF EB0F jmp 0043F1C0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1A0(C)
|
:0043F1B1 0FB607 movzx eax, byte ptr [edi]
* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0043F1B4 8B0D40E04400 mov ecx, dword ptr [0044E040]
:0043F1BA 8A0441 mov al, byte ptr [ecx+2*eax]
:0043F1BD 83E008 and eax, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1AF(U)
|
:0043F1C0 85C0 test eax, eax
:0043F1C2 7403 je 0043F1C7
:0043F1C4 47 inc edi
:0043F1C5 EBD2 jmp 0043F199
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1C2(C)
|
:0043F1C7 0FB637 movzx esi, byte ptr [edi]
:0043F1CA 47 inc edi
:0043F1CB 83FE2D cmp esi, 0000002D<--- is the ninth char "-"?
:0043F1CE 8BEE mov ebp, esi
:0043F1D0 7405 je 0043F1D7<----- if so, a second variant: eax is negated (two's complement) at the end.
:0043F1D2 83FE2B cmp esi, 0000002B<---- is the ninth char "+"?
:0043F1D5 7504 jne 0043F1DB<--- if not, jump!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1D0(C)
|
:0043F1D7 0FB637 movzx esi, byte ptr [edi] <-- when the ninth char is "-" or "+", the digits after it are what get computed.
:0043F1DA 47 inc edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1D5(C)
|
:0043F1DB 33DB xor ebx, ebx<-- otherwise compute directly.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F20C(U)
|
:0043F1DD 833D4CE2440001 cmp dword ptr [0044E24C], 00000001<-- the following appears to check whether all digits have been consumed.
:0043F1E4 7E0C jle 0043F1F2
:0043F1E6 6A04 push 00000004
:0043F1E8 56 push esi
:0043F1E9 E8D1220000 call 004414BF
:0043F1EE 59 pop ecx
:0043F1EF 59 pop ecx
:0043F1F0 EB0B jmp 0043F1FD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1E4(C)
|
* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0043F1F2 A140E04400 mov eax, dword ptr [0044E040]
:0043F1F7 8A0470 mov al, byte ptr [eax+2*esi]
:0043F1FA 83E004 and eax, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1F0(U)
|
:0043F1FD 85C0 test eax, eax
:0043F1FF 740D je 0043F20E
:0043F201 8D049B lea eax, dword ptr [ebx+4*ebx]<--- eax is computed here!
:0043F204 8D5C46D0 lea ebx, dword ptr [esi+2*eax-30]<--- ebx is computed here!!
:0043F208 0FB637 movzx esi, byte ptr [edi] <---- esi is the ASCII code of the current digit.
:0043F20B 47 inc edi<-- next character
:0043F20C EBCF jmp 0043F1DD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F1FF(C)
|
:0043F20E 83FD2D cmp ebp, 0000002D<-- choose the variant.
:0043F211 8BC3 mov eax, ebx <---- the value returned in eax!
:0043F213 7502 jne 0043F217
:0043F215 F7D8 neg eax <-- negate or not, depending on whether there was a "-".
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F213(C)
|
:0043F217 5F pop edi
:0043F218 5E pop esi
:0043F219 5D pop ebp
:0043F21A 5B pop ebx
:0043F21B C3 ret
The comparison at 00431494 decides whether registration succeeds. If the two values are equal, we are done!
The computation on the registration code is in fact a conversion of the digits from the ninth position to the nth into a hexadecimal value. The algorithm for the registration name starts from the initial value of esi, adds the sum of each character's ASCII code times its position, and keeps the remainder modulo 17be. When the two results are equal, registration succeeds. There is also an earlier test on the fifth character, which for lack of time I cannot analyze further.
My result: registration name: happycreator
registration code: mg37s6784216
After registration the information is saved in the registry under HKCU\Software\gamani\GIFMovieGear\2.0
Deleting that information makes the program unregistered again. Characters 6, 7 and 8 of the registration code are irrelevant.
Editor in charge: 原点
Contributor: collected by this site
Source: the Internet
Date entered: 2005-5-26