XXX五笔2006的破解
在安装目录下我们找到ImeXXX.exe,运行后可以看到有软件注册的地方。可以知道软件的注册需要软件序列号和注册码,但是注册码不能输入,所以猜想程序先判断软件的序列号,序列号满足一定的条件后才能输入注册码。我们先查壳:ASProtect 2.1x SKE -> Alexey Solodovnikov,真搞不懂,为什么很多软件都用这个壳,幸亏有VolX大侠写的Script,轻松脱壳,再用ImportREC修复IAT,虽然还有两个无效的输入表函数,不用理他,直接修复转存的文件,可以运行。本来想用Ultra String Reference Plugin V0.12查找有用的字符,真让人失望,一个也没有。真是奇怪,好像很多加壳的程序脱壳后用Ultra String Reference Plugin V0.12都没办法查找到有用的字符,但od原来的那个就可以。找是找到了很多,但是好像没有我们想要的字符。而且你输入错误的序列号时,程序不会弹出对话框,只是在注册码旁边显示了一个X。迷茫中选择了查找所有模块间的调用,由于不知对程序下什么断好,直接在每一个命令都下断点(为了更快来到我们想要的断点,我们在设断之前应该进入软件注册的界面)。点击程序界面,程序中断,F2取消断点,F9运行,程序中断,F2取消断点,循环几次后我们输入序列号,又是程序中断,F2取消断点,F9运行,程序中断,F2取消断点,循环几次我们点击确定按钮。很快我们来到0040AC00:
; Serial-number format check, excerpt starting at 0040AC00 (OllyDbg listing; the
; routine is entered at 0040ABF0, above this excerpt). The bracketed memory
; operands were lost when the page was extracted, so several instructions show a
; bare "byte ptr".
; Visible register roles: esi = string being checked; edi = lstrlenA for the first
; call, then the position index from 0040AC10 on; ebx = IsCharAlphaNumericA;
; ebp = loop bound, copied from eax before the lstrlenA call (presumably a length
; computed earlier in the routine - confirm against the full function).
; Result: eax = 1 when every position passes, eax = 0 otherwise.
0040AC00|.56 push esi ; /String = "HYUYUYTUTYUTYUYTUTYUYTUYTUU67"
0040AC01|.8BE8 mov ebp, eax ; |
0040AC03|.FFD7 call edi ; \lstrlenA
0040AC05|.83F8 18 cmp eax, 18 ;length gate: lstrlenA must return 0x18, i.e. 24 characters (not 20)
0040AC08|.74 06 je short 0040AC10
; wrong length: restore registers and return 0
0040AC0A|.5F pop edi
0040AC0B|.5E pop esi
0040AC0C|.33C0 xor eax, eax
0040AC0E|.5D pop ebp
0040AC0F|.C3 retn
; length accepted: edi becomes the position index, eax defaults to 1 (success)
0040AC10|>33FF xor edi, edi
0040AC12|.53 push ebx
0040AC13|.85ED test ebp, ebp
0040AC15|.B8 01000000 mov eax, 1
0040AC1A|.76 67 jbe short 0040AC83
0040AC1C|.8B1D B0C24100 mov ebx, dword ptr [<&user32.IsCha>;USER32.IsCharAlphaNumericA
; per-position dispatch: positions above 0x17 take the default case; otherwise a
; byte table maps the position to a case index used by the indirect jump
0040AC22|>83FF 17 /cmp edi, 17 ;Switch (cases 0..17)
0040AC25|.77 53 |ja short 0040AC7A
0040AC27|.33C9 |xor ecx, ecx
0040AC29|.8A8F A0AC4000 |mov cl, byte ptr
0040AC2F|.FF248D 88AC40>|jmp dword ptr
0040AC36|>803E 4E |cmp byte ptr , 4E ;Case 0 of switch 0040AC22
0040AC39|.75 46 |jnz short 0040AC81 ;1st character must be 'N' (0x4E)
0040AC3B|.EB 38 |jmp short 0040AC75
0040AC3D|>807E 01 57 |cmp byte ptr , 57 ;Case 1 of switch 0040AC22
0040AC41|.75 3E |jnz short 0040AC81 ;2nd character must be 'W' (0x57)
0040AC43|.EB 30 |jmp short 0040AC75
0040AC45|>807E 02 42 |cmp byte ptr , 42 ;Case 2 of switch 0040AC22
0040AC49|.75 36 |jnz short 0040AC81 ;3rd character must be 'B' (0x42)
0040AC4B|.EB 28 |jmp short 0040AC75
0040AC4D|>807E 03 45 |cmp byte ptr , 45 ;Case 3 of switch 0040AC22
0040AC51|.75 2E |jnz short 0040AC81 ;4th character must be 'E' (0x45)
0040AC53|.EB 20 |jmp short 0040AC75
0040AC55|>803C37 2D |cmp byte ptr , 2D ;Cases 4,9,E,13 of switch 0040AC22
0040AC59|.75 26 |jnz short 0040AC81 ;5th, 10th, 15th and 20th characters must be '-' (0x2D)
0040AC5B|.EB 18 |jmp short 0040AC75
; remaining positions: IsCharAlphaNumericA must report non-zero and IsCharAlphaA
; must report zero, which leaves digits
0040AC5D|>8A1437 |mov dl, byte ptr ;Cases 5,6,7,8,A,B,C,D,F,10,11,12,14,15,16,17 of switch 0040AC22
0040AC60|.52 |push edx
0040AC61|.FFD3 |call ebx
0040AC63|.85C0 |test eax, eax
0040AC65|.74 1A |je short 0040AC81
0040AC67|.8A0437 |mov al, byte ptr
0040AC6A|.50 |push eax ; /Char
0040AC6B|.FF15 B4C24100 |call dword ptr [<&user32.IsCharAlp>; \IsCharAlphaA
0040AC71|.85C0 |test eax, eax
0040AC73|.75 0C |jnz short 0040AC81
0040AC75|>B8 01000000 |mov eax, 1 ;position accepted (all other positions must be digits)
0040AC7A|>47 |inc edi ;Default case of switch 0040AC22
0040AC7B|.3BFD |cmp edi, ebp
0040AC7D|.73 04 |jnb short 0040AC83
0040AC7F|.^ EB A1 \jmp short 0040AC22
; failure target for every mismatch above: return 0
0040AC81|>33C0 xor eax, eax
; common exit: eax already holds the verdict
0040AC83|>5B pop ebx
0040AC84|.5F pop edi
0040AC85|.5E pop esi
0040AC86|.5D pop ebp
0040AC87\.C3 retn
通过上面的分析我们可以知道序列号的格式是:NWBE-XXXX-XXXX-XXXX-XXXX,我们输入NWBE-1111-1111-1111-1111,取消所有中断,并在0040AC00下断。这时可以输入注册码了,我们输入1111-1111-1111-1111-1111,点击确定。程序中断,在0040AC87行按F4,F8返回到0040C0D9。
; Call-site excerpt: three validation routines run back to back. Each takes one
; pushed string pointer, the caller pops it with "add esp, 4", and a zero result
; in eax jumps to the shared target 0040C432. Falling through all three reaches
; 0040C10E.
0040C0CF > \68 FC824400 push 004482FC ;ASCII "NWBE-1111-1111-1111-1111"
0040C0D4 .E8 17EBFFFF call 0040ABF0 ;format check on the entered serial (the string pushed above)
0040C0D9 .83C4 04 add esp, 4
0040C0DC .85C0 test eax, eax
0040C0DE .0F84 4E030000 je 0040C432
0040C0E4 .68 FC824400 push 004482FC ;ASCII "NWBE-1111-1111-1111-1111"
0040C0E9 .E8 D2EBFFFF call 0040ACC0 ;second serial check (stepped into in the walkthrough)
0040C0EE .83C4 04 add esp, 4
0040C0F1 .85C0 test eax, eax
0040C0F3 .0F84 39030000 je 0040C432 ;zero result -> 0040C432; the entered registration code is pushed next
0040C0F9 .68 C8834400 push 004483C8 ;ASCII "1111-1111-1111-1111-1111"
0040C0FE .E8 BDEEFFFF call 0040AFC0 ;registration-code check (stepped into in the walkthrough)
0040C103 .83C4 04 add esp, 4
0040C106 .85C0 test eax, eax
0040C108 .0F84 24030000 je 0040C432 ;last of the three gates; falling through means all checks passed
0040C10E .8A15 BC884400 mov dl, byte ptr
跟进call 0040ACC0:有两处调用0040B3F1, 0040C0E9,两处都下断点。
; 0040ACC0 - second check on the serial string (called from 0040C0E9; the page
; also lists a call from 0040B3F1). OllyDbg listing; the bracketed memory operands
; were lost in extraction, so buffer identities below are read from the encoding
; bytes where those survive and are otherwise hedged.
; In:  one stack argument (string pointer), loaded into esi and passed to
;      lstrcpynA as String2.
; Out: eax = 1 if all four per-position flags are set, else eax = 0.
; Shape: copy the first 20 characters and the following 4 characters of the input
; into separate locals, then for esi = 0..3 derive one character from the
; 20-character copy (helpers 00417860, 00414700, 00401000, 00401220 and 004011E0
; are not shown on this page), append it to that copy, and compare it with the
; matching input character.
; NOTE(review): the expected character is recomputed locally and sits in cl right
; before the compare at 0040AEFC, so it is present in process memory on every
; attempt. A check that verifies a signature over the input, instead of
; regenerating the expected value, would not expose it this way.
0040ACC0/$81EC A0020000 sub esp, 2A0
0040ACC6|.8A15 BC884400 mov dl, byte ptr
0040ACCC|.53 push ebx
0040ACCD|.55 push ebp
0040ACCE|.56 push esi
0040ACCF|.57 push edi
; clear five local buffers: each gets its first byte from dl (a byte loaded from a
; global - presumably 0, confirm) followed by 0x18 dwords + 1 word + 1 byte of zeros
0040ACD0|.B9 18000000 mov ecx, 18
0040ACD5|.33C0 xor eax, eax
0040ACD7|.8DBC24 A10000>lea edi, dword ptr
0040ACDE|.889424 A00000>mov byte ptr , dl
0040ACE5|.889424 040100>mov byte ptr , dl
0040ACEC|.F3:AB rep stos dword ptr es:
0040ACEE|.66:AB stos word ptr es:
0040ACF0|.AA stos byte ptr es:
0040ACF1|.B9 18000000 mov ecx, 18
0040ACF6|.33C0 xor eax, eax
0040ACF8|.8DBC24 050100>lea edi, dword ptr
0040ACFF|.885424 3C mov byte ptr , dl
0040AD03|.F3:AB rep stos dword ptr es:
0040AD05|.66:AB stos word ptr es:
0040AD07|.AA stos byte ptr es:
0040AD08|.B9 18000000 mov ecx, 18
0040AD0D|.33C0 xor eax, eax
0040AD0F|.8D7C24 3D lea edi, dword ptr
0040AD13|.889424 680100>mov byte ptr , dl
0040AD1A|.F3:AB rep stos dword ptr es:
0040AD1C|.66:AB stos word ptr es:
0040AD1E|.AA stos byte ptr es:
0040AD1F|.B9 18000000 mov ecx, 18
0040AD24|.33C0 xor eax, eax
0040AD26|.8DBC24 690100>lea edi, dword ptr
0040AD2D|.889424 CC0100>mov byte ptr , dl
0040AD34|.F3:AB rep stos dword ptr es:
0040AD36|.66:AB stos word ptr es:
0040AD38|.AA stos byte ptr es:
0040AD39|.B9 18000000 mov ecx, 18
0040AD3E|.33C0 xor eax, eax
0040AD40|.8DBC24 CD0100>lea edi, dword ptr
0040AD47|.8BB424 B40200>mov esi, dword ptr
0040AD4E|.F3:AB rep stos dword ptr es:
0040AD50|.66:AB stos word ptr es:
0040AD52|.AA stos byte ptr es:
; edi = lstrcpynA. First copy: n = 0x15, so at most 20 characters plus the
; terminator are taken from the input; the interleaved stores zero small locals
; (ebx = 0 from here on)
0040AD53|.8B3D 20C14100 mov edi, dword ptr [<&kernel32>;KERNEL32.lstrcpynA
0040AD59|.885424 14 mov byte ptr , dl
0040AD5D|.33C0 xor eax, eax
0040AD5F|.885424 20 mov byte ptr , dl
0040AD63|.33C9 xor ecx, ecx
0040AD65|.6A 15 push 15 ; /n = 15 (21.)
0040AD67|.8D9424 6C0100>lea edx, dword ptr ; |
0040AD6E|.33DB xor ebx, ebx ; |
0040AD70|.894424 19 mov dword ptr , eax ; |
0040AD74|.894C24 25 mov dword ptr , ecx ; |
0040AD78|.56 push esi ; |String2
0040AD79|.52 push edx ; |String1
0040AD7A|.895C24 38 mov dword ptr , ebx ; |
0040AD7E|.895C24 3C mov dword ptr , ebx ; |
0040AD82|.895C24 40 mov dword ptr , ebx ; |
0040AD86|.895C24 44 mov dword ptr , ebx ; |
0040AD8A|.894424 25 mov dword ptr , eax ; |
0040AD8E|.894C24 31 mov dword ptr , ecx ; |
0040AD92|.FFD7 call edi ; \lstrcpynA
; second copy: advance the input pointer by 0x14 (20) and take n = 5, i.e. the
; four characters that follow the 20-character prefix
0040AD94|.83C6 14 add esi, 14
0040AD97|.6A 05 push 5 ; /n = 5
0040AD99|.8D8424 D00100>lea eax, dword ptr ; |
0040AD9C|.56 push esi ; |String2
0040ADA1|.50 push eax ; |String1
0040ADA2|.FFD7 call edi ; \lstrcpynA
; ebp = lstrcatA; two adjacent byte locals are initialised (cl from the global
; byte, bl = 0) - they are used below as a one-character string
0040ADA4|.8A0D BC884400 mov cl, byte ptr
0040ADAA|.8B2D D8C04100 mov ebp, dword ptr [<&kernel32>;KERNEL32.lstrcatA
0040ADB0|.884C24 12 mov byte ptr , cl
0040ADB4|.885C24 13 mov byte ptr , bl
0040ADB8|.33F6 xor esi, esi
; ---- main loop, esi = 0..3: one derived character per pass ----
; zero three 0x19-dword (100-byte) work buffers
0040ADBA|>B9 19000000 /mov ecx, 19
0040ADBF|.33C0 |xor eax, eax
0040ADC1|.8DBC24 040100>|lea edi, dword ptr
0040ADC8|.8D9424 680100>|lea edx, dword ptr
0040ADCF|.F3:AB |rep stos dword ptr es:
0040ADD1|.B9 19000000 |mov ecx, 19
0040ADD6|.8D7C24 3C |lea edi, dword ptr
0040ADDA|.F3:AB |rep stos dword ptr es:
0040ADDC|.B9 19000000 |mov ecx, 19
0040ADE1|.8DBC24 A00000>|lea edi, dword ptr
0040ADE8|.F3:AB |rep stos dword ptr es:
; copy a local string into a work buffer (presumably the 20-character prefix copy,
; operands lost - confirm), then append the fixed ASCII constant via lstrcatA (ebp)
0040ADEA|.8D8424 A00000>|lea eax, dword ptr
0040ADF1|.52 |push edx ; /String2
0040ADF2|.50 |push eax ; |String1
0040ADF3|.FF15 C0C04100 |call dword ptr [<&kernel32.lst>; \lstrcpyA
0040ADF9|.8D8C24 A00000>|lea ecx, dword ptr
0040AE00|.68 60834400 |push 00448360 ;ASCII "3738505823"
0040AE05|.51 |push ecx
0040AE06|.FFD5 |call ebp
; helper 00417860: two pointer arguments, caller-cleaned; not shown on this page
0040AE08|.8D9424 040100>|lea edx, dword ptr
0040AE0F|.8D8424 A00000>|lea eax, dword ptr
0040AE16|.52 |push edx
0040AE17|.50 |push eax
0040AE18|.E8 43CA0000 |call 00417860
0040AE1D|.83C4 08 |add esp, 8
; helper 00414700: three arguments, the middle one being the lstrlenA result for
; a local string; not shown on this page
0040AE20|.8D4C24 3C |lea ecx, dword ptr
0040AE24|.8D9424 040100>|lea edx, dword ptr
0040AE2B|.51 |push ecx
0040AE2C|.52 |push edx ; /String
0040AE2D|.FF15 DCC04100 |call dword ptr [<&kernel32.lst>; \lstrlenA
0040AE33|.50 |push eax
0040AE34|.8D8424 0C0100>|lea eax, dword ptr
0040AE3B|.50 |push eax
0040AE3C|.E8 BF980000 |call 00414700
0040AE41|.83C4 0C |add esp, 0C
; walk 8 bytes of a local buffer; per the encoding bytes, a byte equal to bl (0)
; is overwritten with 0x41, so the 8 bytes contain no embedded terminator
0040AE44|.33C0 |xor eax, eax
0040AE46|>385C04 3C |/cmp byte ptr , b>
0040AE4A|.75 05 ||jnz short 0040AE51
0040AE4C|.C64404 3C 41||mov byte ptr , 4>
0040AE51|>40 ||inc eax
0040AE52|.83F8 08 ||cmp eax, 8
0040AE55|.^ 7C EF |\jl short 0040AE46
; zero small locals, then copy n = 9 (8 characters plus terminator) out of that
; buffer with lstrcpynA
0040AE57|.33C9 |xor ecx, ecx
0040AE59|.33D2 |xor edx, edx
0040AE5B|.894C24 14 |mov dword ptr , ecx
0040AE5F|.895424 20 |mov dword ptr , edx
0040AE63|.894C24 18 |mov dword ptr , ecx
0040AE67|.8D4424 3C |lea eax, dword ptr
0040AE6B|.884C24 1C |mov byte ptr , cl
0040AE6F|.6A 09 |push 9 ; /n = 9
0040AE71|.8D4C24 18 |lea ecx, dword ptr ; |
0040AE75|.895424 28 |mov dword ptr , edx ; |
0040AE79|.50 |push eax ; |String2
0040AE7A|.51 |push ecx ; |String1
0040AE7B|.885424 34 |mov byte ptr , dl ; |
0040AE7F|.FF15 20C14100 |call dword ptr [<&kernel32.lst>; \lstrcpynA
; four helper calls whose bodies are not on this page; their seven pushed dwords
; stay on the stack until the "add esp, 1C" below
0040AE85|.8D5424 14 |lea edx, dword ptr
0040AE89|.53 |push ebx
0040AE8A|.52 |push edx
0040AE8B|.E8 7061FFFF |call 00401000
0040AE90|.8D4424 28 |lea eax, dword ptr
0040AE94|.8D4C24 1C |lea ecx, dword ptr
0040AE98|.50 |push eax
0040AE99|.51 |push ecx
0040AE9A|.E8 8163FFFF |call 00401220
0040AE9F|.8D5424 30 |lea edx, dword ptr
0040AEA3|.53 |push ebx
0040AEA4|.52 |push edx
0040AEA5|.E8 5661FFFF |call 00401000
0040AEAA|.8D8424 480200>|lea eax, dword ptr
0040AEB1|.50 |push eax
0040AEB2|.E8 2963FFFF |call 004011E0
; pick the dword indexed by the loop counter and fold it to one byte: remainder
; modulo 0x39, and when that is below 0x30 a second remainder modulo 0x0A plus 0x30
0040AEB7|.8B84B4 4C0200>|mov eax, dword ptr [esp+esi*4>
0040AEBE|.33D2 |xor edx, edx
0040AEC0|.B9 39000000 |mov ecx, 39
0040AEC5|.83C4 1C |add esp, 1C
0040AEC8|.F7F1 |div ecx
0040AECA|.8BC2 |mov eax, edx
0040AECC|.83F8 30 |cmp eax, 30
0040AECF|.73 0D |jnb short 0040AEDE
0040AED1|.33D2 |xor edx, edx
0040AED3|.B9 0A000000 |mov ecx, 0A
0040AED8|.F7F1 |div ecx
0040AEDA|.8BC2 |mov eax, edx
0040AEDC|.04 30 |add al, 30
; store the byte in the one-character string and append it with lstrcatA (ebp) to
; a local string (presumably the prefix copy, so later passes see it - confirm)
0040AEDE|>884424 12 |mov byte ptr , al
0040AEE2|.8D5424 12 |lea edx, dword ptr
0040AEE6|.8D8424 680100>|lea eax, dword ptr
0040AEED|.52 |push edx
0040AEEE|.50 |push eax
0040AEEF|.FFD5 |call ebp
; compare the derived byte (cl) with the input byte for this position (al) and
; record 1 or 0 (ebx) in a per-position flag array
0040AEF1|.8A4C24 12 |mov cl, byte ptr
0040AEF5|.8A8434 CC0100>|mov al, byte ptr [esp+esi+1CC>;comparison point: the computed (expected) character is visible here
0040AEFC|.3AC8 |cmp cl, al
0040AEFE|.75 0A |jnz short 0040AF0A
0040AF00|.C744B4 2C 010>|mov dword ptr ,>
0040AF08|.EB 04 |jmp short 0040AF0E
0040AF0A|>895CB4 2C |mov dword ptr ,>
0040AF0E|>46 |inc esi
0040AF0F|.83FE 04 |cmp esi, 4
0040AF12|.^ 0F8C A2FEFFFF \jl 0040ADBA
; verdict: scan the four flags; any entry equal to ebx (0) selects the failure exit
0040AF18|.33C0 xor eax, eax
0040AF1A|.8D4C24 2C lea ecx, dword ptr
0040AF1E|>3919 /cmp dword ptr , ebx
0040AF20|.74 19 |je short 0040AF3B
0040AF22|.40 |inc eax
0040AF23|.83C1 04 |add ecx, 4
0040AF26|.83F8 04 |cmp eax, 4
0040AF29|.^ 7C F3 \jl short 0040AF1E
; success exit: eax = 1
0040AF2B|.5F pop edi
0040AF2C|.5E pop esi
0040AF2D|.5D pop ebp
0040AF2E|.B8 01000000 mov eax, 1
0040AF33|.5B pop ebx
0040AF34|.81C4 A0020000 add esp, 2A0
0040AF3A|.C3 retn
; failure exit: eax = 0
0040AF3B|>5F pop edi
0040AF3C|.5E pop esi
0040AF3D|.5D pop ebp
0040AF3E|.33C0 xor eax, eax
0040AF40|.5B pop ebx
0040AF41|.81C4 A0020000 add esp, 2A0
0040AF47\.C3 retn
跟进call 0040AFC0:有两处调用0040B53B, 0040C0FE,两处都下断点。
; 0040AFC0 - check on the registration-code string (called from 0040C0FE; the page
; also lists a call from 0040B53B). OllyDbg listing; the bracketed memory operands
; were lost in extraction, so buffer identities are hedged where the encoding
; bytes do not settle them.
; In:  one stack argument (string pointer), loaded into esi and passed to
;      lstrcpynA as the source string.
; Out: eax = 1 if all four per-position flags are set, else eax = 0.
; Shape: same structure as 0040ACC0 - 20-character prefix copy, 4-character tail
; copy, a four-pass loop that derives one character per pass and compares it with
; the input - but no constant string is appended before the helper calls here.
; Helpers 00417860, 00414700, 00401000, 00401220 and 004011E0 are not shown.
; NOTE(review): as in 0040ACC0, the expected character is held in cl immediately
; before the compare at 0040B1A9, so the value the check wants is readable from
; process memory on every attempt.
0040AFC0/$81EC 3C020000 sub esp, 23C
0040AFC6|.8A15 BC884400 mov dl, byte ptr
0040AFCC|.53 push ebx
0040AFCD|.55 push ebp
0040AFCE|.56 push esi
0040AFCF|.57 push edi
; clear four local buffers: first byte from dl (loaded from a global - presumably
; 0, confirm), then 0x18 dwords + 1 word + 1 byte of zeros each
0040AFD0|.B9 18000000 mov ecx, 18
0040AFD5|.33C0 xor eax, eax
0040AFD7|.8DBC24 A10000>lea edi, dword ptr
0040AFDE|.889424 A00000>mov byte ptr , dl
0040AFE5|.885424 3C mov byte ptr , dl
0040AFE9|.F3:AB rep stos dword ptr es:
0040AFEB|.66:AB stos word ptr es:
0040AFED|.AA stos byte ptr es:
0040AFEE|.B9 18000000 mov ecx, 18
0040AFF3|.33C0 xor eax, eax
0040AFF5|.8D7C24 3D lea edi, dword ptr
0040AFF9|.889424 040100>mov byte ptr , dl
0040B000|.F3:AB rep stos dword ptr es:
0040B002|.66:AB stos word ptr es:
0040B004|.AA stos byte ptr es:
0040B005|.B9 18000000 mov ecx, 18
0040B00A|.33C0 xor eax, eax
0040B00C|.8DBC24 050100>lea edi, dword ptr
0040B013|.889424 680100>mov byte ptr , dl
0040B01A|.F3:AB rep stos dword ptr es:
0040B01C|.66:AB stos word ptr es:
0040B01E|.AA stos byte ptr es:
0040B01F|.B9 18000000 mov ecx, 18
0040B024|.33C0 xor eax, eax
0040B026|.8DBC24 690100>lea edi, dword ptr
0040B02D|.8BB424 500200>mov esi, dword ptr
0040B034|.F3:AB rep stos dword ptr es:
0040B036|.66:AB stos word ptr es:
; ebp = lstrcpynA (the trailing stos byte of the last buffer clear is scheduled
; after this load)
0040B038|.8B2D 20C14100 mov ebp, dword ptr [<&kernel32>;KERNEL32.lstrcpynA
0040B03E|.885424 14 mov byte ptr , dl
0040B042|.AA stos byte ptr es:
; first copy: n = 0x15, at most 20 characters plus terminator from the input;
; the interleaved stores zero small locals (ebx = 0 from here on)
0040B043|.33C0 xor eax, eax
0040B045|.885424 20 mov byte ptr , dl
0040B049|.33C9 xor ecx, ecx
0040B04B|.6A 15 push 15 ; /n = 15 (21.)
0040B04D|.8D9424 080100>lea edx, dword ptr ; |
0040B054|.33DB xor ebx, ebx ; |
0040B056|.894424 19 mov dword ptr , eax ; |
0040B05A|.894C24 25 mov dword ptr , ecx ; |
0040B05E|.56 push esi ; |String2
0040B05F|.52 push edx ; |String1
0040B060|.895C24 38 mov dword ptr , ebx ; |
0040B064|.895C24 3C mov dword ptr , ebx ; |
0040B068|.895C24 40 mov dword ptr , ebx ; |
0040B06C|.895C24 44 mov dword ptr , ebx ; |
0040B070|.894424 25 mov dword ptr , eax ; |
0040B074|.894C24 31 mov dword ptr , ecx ; |
0040B078|.FFD5 call ebp ; \lstrcpynA
; second copy: input pointer advanced by 0x14 (20), n = 5 -> the four characters
; after the 20-character prefix
0040B07A|.83C6 14 add esi, 14
0040B07D|.6A 05 push 5 ; /n = 5
0040B07F|.8D8424 6C0100>lea eax, dword ptr ; |
0040B086|.56 push esi ; |String2
0040B087|.50 push eax ; |String1
0040B088|.FFD5 call ebp ; \lstrcpynA
; initialise the two adjacent byte locals used below as a one-character string
0040B08A|.8A0D BC884400 mov cl, byte ptr
0040B090|.885C24 13 mov byte ptr , bl
0040B094|.884C24 12 mov byte ptr , cl
0040B098|.33F6 xor esi, esi
; ---- main loop, esi = 0..3: one derived character per pass ----
; zero two 0x19-dword (100-byte) work buffers
0040B09A|>B9 19000000 /mov ecx, 19
0040B09F|.33C0 |xor eax, eax
0040B0A1|.8DBC24 A00000>|lea edi, dword ptr
0040B0A8|.8D9424 A00000>|lea edx, dword ptr
0040B0AF|.F3:AB |rep stos dword ptr es:
0040B0B1|.B9 19000000 |mov ecx, 19
0040B0B6|.8D7C24 3C |lea edi, dword ptr
0040B0BA|.F3:AB |rep stos dword ptr es:
; helper 00417860: two pointer arguments, caller-cleaned; not shown on this page
0040B0BC|.8D8424 040100>|lea eax, dword ptr
0040B0C3|.52 |push edx
0040B0C4|.50 |push eax
0040B0C5|.E8 96C70000 |call 00417860
0040B0CA|.83C4 08 |add esp, 8
; helper 00414700: three arguments, the middle one being the lstrlenA result for
; a local string; not shown on this page
0040B0CD|.8D4C24 3C |lea ecx, dword ptr
0040B0D1|.8D9424 A00000>|lea edx, dword ptr
0040B0D8|.51 |push ecx
0040B0D9|.52 |push edx ; /String
0040B0DA|.FF15 DCC04100 |call dword ptr [<&kernel32.lst>; \lstrlenA
0040B0E0|.50 |push eax
0040B0E1|.8D8424 A80000>|lea eax, dword ptr
0040B0E8|.50 |push eax
0040B0E9|.E8 12960000 |call 00414700
0040B0EE|.83C4 0C |add esp, 0C
; walk 8 bytes of a local buffer; per the encoding bytes, a byte equal to bl (0)
; is overwritten with 0x41, so the 8 bytes contain no embedded terminator
0040B0F1|.33C0 |xor eax, eax
0040B0F3|>385C04 3C |/cmp byte ptr , b>
0040B0F7|.75 05 ||jnz short 0040B0FE
0040B0F9|.C64404 3C 41||mov byte ptr , 4>
0040B0FE|>40 ||inc eax
0040B0FF|.83F8 08 ||cmp eax, 8
0040B102|.^ 7C EF |\jl short 0040B0F3
; zero small locals, then copy n = 9 (8 characters plus terminator) out of that
; buffer via ebp (lstrcpynA)
0040B104|.33C9 |xor ecx, ecx
0040B106|.33D2 |xor edx, edx
0040B108|.894C24 14 |mov dword ptr , ecx
0040B10C|.895424 20 |mov dword ptr , edx
0040B110|.894C24 18 |mov dword ptr , ecx
0040B114|.8D4424 3C |lea eax, dword ptr
0040B118|.884C24 1C |mov byte ptr , cl
0040B11C|.6A 09 |push 9
0040B11E|.8D4C24 18 |lea ecx, dword ptr
0040B122|.895424 28 |mov dword ptr , edx
0040B126|.50 |push eax
0040B127|.51 |push ecx
0040B128|.885424 34 |mov byte ptr , dl
0040B12C|.FFD5 |call ebp
; four helper calls whose bodies are not on this page; their seven pushed dwords
; stay on the stack until the "add esp, 1C" below
0040B12E|.8D5424 14 |lea edx, dword ptr
0040B132|.53 |push ebx
0040B133|.52 |push edx
0040B134|.E8 C75EFFFF |call 00401000
0040B139|.8D4424 28 |lea eax, dword ptr
0040B13D|.8D4C24 1C |lea ecx, dword ptr
0040B141|.50 |push eax
0040B142|.51 |push ecx
0040B143|.E8 D860FFFF |call 00401220
0040B148|.8D5424 30 |lea edx, dword ptr
0040B14C|.53 |push ebx
0040B14D|.52 |push edx
0040B14E|.E8 AD5EFFFF |call 00401000
0040B153|.8D8424 E40100>|lea eax, dword ptr
0040B15A|.50 |push eax
0040B15B|.E8 8060FFFF |call 004011E0
; pick the dword indexed by the loop counter and fold it to one byte: remainder
; modulo 0x39, and when that is below 0x30 a second remainder modulo 0x0A plus 0x30
0040B160|.8B84B4 E80100>|mov eax, dword ptr [esp+esi*4>
0040B167|.33D2 |xor edx, edx
0040B169|.B9 39000000 |mov ecx, 39
0040B16E|.83C4 1C |add esp, 1C
0040B171|.F7F1 |div ecx
0040B173|.8BC2 |mov eax, edx
0040B175|.83F8 30 |cmp eax, 30
0040B178|.73 0D |jnb short 0040B187
0040B17A|.33D2 |xor edx, edx
0040B17C|.B9 0A000000 |mov ecx, 0A
0040B181|.F7F1 |div ecx
0040B183|.8BC2 |mov eax, edx
0040B185|.04 30 |add al, 30
; store the byte in the one-character string and append it with lstrcatA to a
; local string (presumably the prefix copy, so later passes see it - confirm)
0040B187|>884424 12 |mov byte ptr , al
0040B18B|.8D5424 12 |lea edx, dword ptr
0040B18F|.8D8424 040100>|lea eax, dword ptr
0040B196|.52 |push edx ; /StringToAdd
0040B197|.50 |push eax ; |ConcatString
0040B198|.FF15 D8C04100 |call dword ptr [<&kernel32.lst>; \lstrcatA
; compare the derived byte (cl) with the input byte for this position (al) and
; record 1 or 0 (ebx) in a per-position flag array
0040B19E|.8A4C24 12 |mov cl, byte ptr
0040B1A2|.8A8434 680100>|mov al, byte ptr [esp+esi+168>;comparison point: the computed (expected) character is visible here
0040B1A9|.3AC8 |cmp cl, al
0040B1AB|.75 0A |jnz short 0040B1B7
0040B1AD|.C744B4 2C 010>|mov dword ptr ,>
0040B1B5|.EB 04 |jmp short 0040B1BB
0040B1B7|>895CB4 2C |mov dword ptr ,>
0040B1BB|>46 |inc esi
0040B1BC|.83FE 04 |cmp esi, 4
0040B1BF|.^ 0F8C D5FEFFFF \jl 0040B09A
; verdict: scan the four flags; any entry equal to ebx (0) selects the failure exit
0040B1C5|.33C0 xor eax, eax
0040B1C7|.8D4C24 2C lea ecx, dword ptr
0040B1CB|>3919 /cmp dword ptr , ebx
0040B1CD|.74 19 |je short 0040B1E8
0040B1CF|.40 |inc eax
0040B1D0|.83C1 04 |add ecx, 4
0040B1D3|.83F8 04 |cmp eax, 4
0040B1D6|.^ 7C F3 \jl short 0040B1CB
; success exit: eax = 1
0040B1D8|.5F pop edi
0040B1D9|.5E pop esi
0040B1DA|.5D pop ebp
0040B1DB|.B8 01000000 mov eax, 1
0040B1E0|.5B pop ebx
0040B1E1|.81C4 3C020000 add esp, 23C
0040B1E7|.C3 retn
; failure exit: eax = 0
0040B1E8|>5F pop edi
0040B1E9|.5E pop esi
0040B1EA|.5D pop ebp
0040B1EB|.33C0 xor eax, eax
0040B1ED|.5B pop ebx
0040B1EE|.81C4 3C020000 add esp, 23C
0040B1F4\.C3 retn
正确的序列号:NWBE-1111-1111-1111-2672
正确的注册码:1111-1111-1111-1111-3597
把正确的注册码跟序列号都输进去,注册成功。
程序有暗桩。有兴趣的朋友可以去跟跟。还有好像没办法用制作注册机。 不能做注册补丁吗? 加CB鼓励
楼主分析一下去暗桩 顺便写个注册机也不错哦:loveliness: 没看明白呵呵 仔细研究下………… 没看明白:@ 呵呵 仔细研究下…………:lol 收藏了!!谢谢!!