申请会员ID：wslvic

吾爱游客 *发表于 2020-5-9 02:21* · 发表于 2020-5-9 02:21

申请标题：申请会员ID：wslvic

1、申请 I D：wslvic
2、个人邮箱：wslvic@163.com

3、原创技术文章：

   本人是看雪技术论坛会员, 有早年的数篇精华帖，如图：

看雪账号

精华帖：
Icon Craft v4.4 注册算法(搞笑)及 KeyGen

原帖地址：
https://bbs.pediy.com/thread-138583.htm

精华帖原文：

Icon Craft v4.4 注册算法

【软件名称】:
Icon Craft

【下载地址】:
Http://www.iconempire.com/

【软件简介】:
Icon Craft 是一款相当不错的 Windows 图标,光标,图标库的编辑,创建,和管理工具.

【软件限制】:
30 天的试用期

【破解声明】:
仅用于探索,学习软件注册算法及其保护方式的研究.

【破解工具】:
PEID v0.94,OllyDbg v1.10

【破文作者】:
WSLVIC 电邮:Crk4u@163.com

【破解时间】:
二〇一一年八月八日

【破解过程】:
———————————————————————————————————————————
这东西没加壳,是 Borland Delphi 4.0 - 5.0 写的,文件也不大,用 OD 载入后,很快就分析完毕了,软件注册很"方便",因为进入/退出时都会提示你注册!晕!既然如此,就随便写个什么试试吧,在 Name 一栏中写入 "WSLVIC",注册码就写 "u r crazy",便弹出了 "Please reenter key.Key is required.",什么意思-你懂的.仔细看看注册窗口,发现在 Name 一栏后面有一串字符 "(You can enter any name or empty string)","empty string"! 看来不输入姓名也行,换句话说,注册码与注册名无关!呵呵,不错的信息,对于懒人来说这是最好不过的了.

回到 OD 领空,"查找"→"所有参考文本字符串",稍等之后,→"查找文本"→输入关键字 "reenter",很快就找到了 "Please reenter key.".可是没找到其后面的 "Key is required."上下翻了翻,还是没有,但是却看到了下面这些信息:

ASCII "Please reenter key.
ASCII "- KEY BEGIN KEY -"
ASCII "- KEY END KEY -"
ASCII "Not found row: - KEY BEGIN KEY -"
ASCII "Not found row: - KEY END KEY -"
ASCII "Software\IconEmpire\"
ASCII "Key"
ASCII "Key"
ASCII "Time"
ASCII "FullProductName"
ASCII "<BR>"
ASCII " - "
ASCII "licenses -"
ASCII "UserName"
ASCII "You should restart application now"

分析一下就知道,注册码一定以 "- KEY BEGIN KEY -" 开头,以 "- KEY END KEY -" 结束,中间才是真正的注册码,其形式必然是:
- KEY BEGIN KEY -
注册码
- KEY END KEY -
再往下,看到 "Software\IconEmpire\",明眼人一看就知道这是注册表项,可能是读入或写入某些信息,那些信息呢,很可能就是 "Key","Time","FullProductName"...当然现在只是猜测,要 OD 动态调试才会知道,好了要重新修改测试注册码了,就用下面这个
- KEY BEGIN KEY -
u r crazy
- KEY END KEY -
走到这里是很重要的,会大大节省调试时间,提高调试效率,因为这里的分析已经得出了注册码格式的一些关键信息,就我个人经验而言,对于比较复杂的注册算法,花在了解注册码的格式上的时间,往往数倍于注册码本身的计算,因为你不知道那些字符是合法的,那些是非法的,其长度多少,是否有特定字符等诸多一系列问题.
好了言归正传,在字符串参考窗口中双击 "Please reenter key."来到这里,
┌──────────────────────────────────────────────┐
│00642920  /$PUSH EBP
│00642921  |.MOV EBP,ESP
│00642923  |.PUSH 0
│00642925  |.PUSH EBX
│00642926  |.MOV EBX,EAX
│00642928  |.XOR EAX,EAX
│0064292A  |.PUSH EBP
│0064292B  |.PUSH ICONCRAF.0064296F
│00642930  |.PUSH DWORD PTR FS:[EAX]
│00642933  |.MOV DWORD PTR FS:[EAX],ESP
│00642936  |.LEA EAX,DWORD PTR SS:[EBP-4]
│00642939  |.MOV ECX,EBX
   ───────────────────────────────────────────────
│0064293B  |.MOV EDX,ICONCRAF.00642984             ; ASCII "Please reenter key."
   ───────────────────────────────────────────────
│00642940  |.CALL ICONCRAF.004041D8
│00642945  |.MOV ECX,DWORD PTR SS:[EBP-4]
│00642948  |.MOV DL,1
│0064294A  |.MOV EAX,DWORD PTR DS:[408A60]
│0064294F  |.CALL ICONCRAF.0040D134
│00642954  |.CALL ICONCRAF.0040392C
│00642959  |.XOR EAX,EAX
│0064295B  |.POP EDX
│0064295C  |.POP ECX
│0064295D  |.POP ECX
│0064295E  |.MOV DWORD PTR FS:[EAX],EDX
│00642961  |.PUSH ICONCRAF.00642976
│00642966  |>LEA EAX,DWORD PTR SS:[EBP-4]
│00642969  |.CALL ICONCRAF.00403EFC
│0064296E  \.RETN
└──────────────────────────────────────────────┘
运气不太好,看不到关键跳转,看来注册失败信息,是用函数调用进行的,只好在函数入口处 642920 下断点了,之后重新载入 Icon Craft,输入注册码,终于断在了 642920,打开 OD 调用堆栈窗口,得知调用来自 642C16,上下翻了翻,发现跳转标志不是很明显,索性在 642C16 的段入口处 64299C 下断点,重新载入 Icon Craft,断在了 64299C
┌──────────────────────────────────────────────┐
│0064299C  /$PUSH EBP
│0064299D  |.MOV EBP,ESP
│0064299F  |.MOV ECX,0F
│006429A4  |>/PUSH 0
│006429A6  |.|PUSH 0
│006429A8  |.|DEC ECX
│006429A9  |.\JNZ SHORT ICONCRAF.006429A4
│006429AB  |.PUSH EBX
│006429AC  |.PUSH ESI
│006429AD  |.PUSH EDI
│006429AE  |.MOV DWORD PTR SS:[EBP-4],EAX
│006429B1  |.XOR EAX,EAX
│006429B3  |.PUSH EBP
│006429B4  |.PUSH ICONCRAF.00643000
│006429B9  |.PUSH DWORD PTR FS:[EAX]
│006429BC  |.MOV DWORD PTR FS:[EAX],ESP
│006429BF  |.MOV DWORD PTR SS:[EBP-18],-1
│006429C6  |.MOV DWORD PTR SS:[EBP-1C],-1
│006429CD  |.MOV EAX,DWORD PTR SS:[EBP-4]
│006429D0  |.MOV EAX,DWORD PTR DS:[EAX+2E0]
│006429D6  |.MOV EAX,DWORD PTR DS:[EAX+208]
│006429DC  |.MOV EDX,DWORD PTR DS:[EAX]
│006429DE  |.CALL DWORD PTR DS:[EDX+14]
│006429E1  |.MOV ESI,EAX
│006429E3  |.DEC ESI
│006429E4  |.TEST ESI,ESI
│006429E6  |.JL SHORT ICONCRAF.00642A4E
│006429E8  |.INC ESI
│006429E9  |.XOR EBX,EBX
│006429EB  |>/LEA ECX,DWORD PTR SS:[EBP-40]
│006429EE  |.|MOV EAX,DWORD PTR SS:[EBP-4]
│006429F1  |.|MOV EAX,DWORD PTR DS:[EAX+2E0]
│006429F7  |.|MOV EAX,DWORD PTR DS:[EAX+208]
│006429FD  |.|MOV EDX,EBX
│006429FF  |.|MOV EDI,DWORD PTR DS:[EAX]
│00642A01  |.|CALL DWORD PTR DS:[EDI+C]
│00642A04  |.|MOV EAX,DWORD PTR SS:[EBP-40]
│00642A07  |.|LEA EDX,DWORD PTR SS:[EBP-3C]
│00642A0A  |.|CALL ICONCRAF.00409678
│00642A0F  |.|MOV EAX,DWORD PTR SS:[EBP-3C]
│00642A12  |.|LEA EDX,DWORD PTR SS:[EBP-10]
│00642A15  |.|CALL ICONCRAF.004098EC
│00642A1A  |.|MOV EDX,DWORD PTR SS:[EBP-10]
│00642A1D  |.|MOV EAX,ICONCRAF.0064301C    ;ASCII "- KEY BEGIN KEY -"
│00642A22  |.|CALL ICONCRAF.00404478
│00642A27  |.|TEST EAX,EAX
│00642A29  |.|JLE SHORT ICONCRAF.00642A33
│00642A2B  |.|LEA EAX,DWORD PTR DS:[EBX+1]
│00642A2E  |.|MOV DWORD PTR SS:[EBP-18],EAX
│00642A31  |.|JMP SHORT ICONCRAF.00642A4A
│00642A33  |>|MOV EDX,DWORD PTR SS:[EBP-10]
│00642A36  |.|MOV EAX,ICONCRAF.00643038    ;ASCII "- KEY END KEY -"
│00642A3B  |.|CALL ICONCRAF.00404478
│00642A40  |.|TEST EAX,EAX
│00642A42  |.|JLE SHORT ICONCRAF.00642A4A
│00642A44  |.|MOV EAX,EBX
│00642A46  |.|DEC EAX
│00642A47  |.|MOV DWORD PTR SS:[EBP-1C],EAX
│00642A4A  |>|INC EBX
│00642A4B  |.|DEC ESI
│00642A4C  |.\JNZ SHORT ICONCRAF.006429EB
│00642A4E  |>LEA EAX,DWORD PTR SS:[EBP-14]
│00642A51  |.CALL ICONCRAF.00403EFC
│00642A56  |.CMP DWORD PTR SS:[EBP-18],-1
│00642A5A  |.JNZ SHORT ICONCRAF.00642A71
│00642A5C  |.CMP DWORD PTR SS:[EBP-1C],0
│00642A60  |.JLE SHORT ICONCRAF.00642A71
│00642A62  |.LEA EAX,DWORD PTR SS:[EBP-14]
│00642A65  |.MOV EDX,ICONCRAF.00643050       ;ASCII "Not found row: - KEY BEGIN KEY -"
│00642A6A  |.CALL ICONCRAF.00403F94
│00642A6F  |.JMP SHORT ICONCRAF.00642A8A
│00642A71  |>CMP DWORD PTR SS:[EBP-1C],-1
│00642A75  |.JNZ SHORT ICONCRAF.00642A8A
│00642A77  |.CMP DWORD PTR SS:[EBP-18],0
│00642A7B  |.JLE SHORT ICONCRAF.00642A8A
│00642A7D  |.LEA EAX,DWORD PTR SS:[EBP-14]
│00642A80  |.MOV EDX,ICONCRAF.0064307C       ;ASCII "Not found row: - KEY END KEY -"
│00642A85  |.CALL ICONCRAF.00403F94
│00642A8A  |>CMP DWORD PTR SS:[EBP-14],0
│00642A8E  |.JE SHORT ICONCRAF.00642A98
│00642A90  |.MOV EAX,DWORD PTR SS:[EBP-14]
│00642A93  |.CALL ICONCRAF.00642920
│00642A98  |>LEA EAX,DWORD PTR SS:[EBP-C]
│00642A9B  |.CALL ICONCRAF.00403EFC
│00642AA0  |.CMP DWORD PTR SS:[EBP-18],0
│00642AA4  |.JLE SHORT ICONCRAF.00642AAC
│00642AA6  |.CMP DWORD PTR SS:[EBP-1C],0
│00642AAA  |.JG SHORT ICONCRAF.00642AC9
│00642AAC  |>XOR EAX,EAX
│00642AAE  |.MOV DWORD PTR SS:[EBP-18],EAX
│00642AB1  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642AB4  |.MOV EAX,DWORD PTR DS:[EAX+2E0]
│00642ABA  |.MOV EAX,DWORD PTR DS:[EAX+208]
│00642AC0  |.MOV EDX,DWORD PTR DS:[EAX]
│00642AC2  |.CALL DWORD PTR DS:[EDX+14]
│00642AC5  |.DEC EAX
│00642AC6  |.MOV DWORD PTR SS:[EBP-1C],EAX
│00642AC9  |>MOV EAX,DWORD PTR SS:[EBP-4]
│00642ACC  |.MOV EAX,DWORD PTR DS:[EAX+300]
│00642AD2  |.MOV EDX,DWORD PTR DS:[EAX]
│00642AD4  |.CALL DWORD PTR DS:[EDX+40]
│00642AD7  |.XOR EAX,EAX
│00642AD9  |.MOV DWORD PTR SS:[EBP-20],EAX
│00642ADC  |.MOV EBX,DWORD PTR SS:[EBP-18]
│00642ADF  |.MOV ESI,DWORD PTR SS:[EBP-1C]
│00642AE2  |.SUB ESI,EBX
│00642AE4  |.JL ICONCRAF.00642B78
│00642AEA  |.INC ESI
│00642AEB  |>/LEA ECX,DWORD PTR SS:[EBP-44]
│00642AEE  |.|MOV EAX,DWORD PTR SS:[EBP-4]
│00642AF1  |.|MOV EAX,DWORD PTR DS:[EAX+2E0]
│00642AF7  |.|MOV EAX,DWORD PTR DS:[EAX+208]
│00642AFD  |.|MOV EDX,EBX
│00642AFF  |.|MOV EDI,DWORD PTR DS:[EAX]
│00642B01  |.|CALL DWORD PTR DS:[EDI+C]
│00642B04  |.|MOV EAX,DWORD PTR SS:[EBP-44]
│00642B07  |.|LEA EDX,DWORD PTR SS:[EBP-2C]
│00642B0A  |.|CALL ICONCRAF.004098EC
│00642B0F  |.|LEA EAX,DWORD PTR SS:[EBP-48]
│00642B12  |.|PUSH EAX
│00642B13  |.|XOR ECX,ECX
│00642B15  |.|MOV EDX,ICONCRAF.006430A4
│00642B1A  |.|MOV EAX,DWORD PTR SS:[EBP-2C]
│00642B1D  |.|CALL ICONCRAF.00466218
│00642B22  |.|MOV EDX,DWORD PTR SS:[EBP-48]
│00642B25  |.|LEA EAX,DWORD PTR SS:[EBP-2C]
│00642B28  |.|CALL ICONCRAF.00403F94
│00642B2D  |.|LEA EAX,DWORD PTR SS:[EBP-C]
│00642B30  |.|MOV EDX,DWORD PTR SS:[EBP-2C]
│00642B33  |.|CALL ICONCRAF.00404194
│00642B38  |.|MOV EAX,DWORD PTR SS:[EBP-2C]
│00642B3B  |.|CALL ICONCRAF.0040418C
│00642B40  |.|CMP EAX,0A
│00642B43  |.|JLE SHORT ICONCRAF.00642B5C
│00642B45  |.|CMP DWORD PTR SS:[EBP-20],0
│00642B49  |.|JNZ SHORT ICONCRAF.00642B5C
│00642B4B  |.|MOV EAX,DWORD PTR SS:[EBP-4]
│00642B4E  |.|MOV EAX,DWORD PTR DS:[EAX+300]
│00642B54  |.|MOV EDX,DWORD PTR SS:[EBP-2C]
│00642B57  |.|MOV ECX,DWORD PTR DS:[EAX]
│00642B59  |.|CALL DWORD PTR DS:[ECX+34]
│00642B5C  |>|MOV EDX,DWORD PTR SS:[EBP-2C]
│00642B5F  |.|MOV EAX,ICONCRAF.006430B0
│00642B64  |.|CALL ICONCRAF.00404478
│00642B69  |.|TEST EAX,EAX
│00642B6B  |.|JLE SHORT ICONCRAF.00642B70
│00642B6D  |.|INC DWORD PTR SS:[EBP-20]
│00642B70  |>|INC EBX
│00642B71  |.|DEC ESI
│00642B72  |.\JNZ ICONCRAF.00642AEB
│00642B78  |>CMP DWORD PTR SS:[EBP-C],0
│00642B7C  |.JNZ SHORT ICONCRAF.00642B8A
│00642B7E  |.MOV EAX,DWORD PTR DS:[71EF10]
│00642B83  |.MOV EAX,DWORD PTR DS:[EAX]
│00642B85  |.CALL ICONCRAF.00642920
│00642B8A  |>MOV EAX,DWORD PTR SS:[EBP-C]
│00642B8D  |.CALL ICONCRAF.0040418C
│00642B92  |.MOV EDX,DWORD PTR SS:[EBP-C]
│00642B95  |.CMP BYTE PTR DS:[EDX+EAX-1],22
│00642B9A  |.JNZ SHORT ICONCRAF.00642BB3
│00642B9C  |.MOV EAX,DWORD PTR SS:[EBP-C]
│00642B9F  |.CALL ICONCRAF.0040418C
│00642BA4  |.MOV EDX,EAX
│00642BA6  |.LEA EAX,DWORD PTR SS:[EBP-C]
│00642BA9  |.MOV ECX,1
│00642BAE  |.CALL ICONCRAF.004043D4
│00642BB3  |>MOV EAX,DWORD PTR SS:[EBP-C]
│00642BB6  |.CALL ICONCRAF.0040418C
│00642BBB  |.MOV EBX,EAX
│00642BBD  |.CMP EBX,1
│00642BC0  |.JL SHORT ICONCRAF.00642BEC
│00642BC2  |>/MOV EAX,DWORD PTR SS:[EBP-C]
│00642BC5  |.|CMP BYTE PTR DS:[EAX+EBX-1],22
│00642BCA  |.|JNZ SHORT ICONCRAF.00642BE7
│00642BCC  |.|MOV EAX,DWORD PTR SS:[EBP-C]
│00642BCF  |.|CALL ICONCRAF.0040418C
│00642BD4  |.|CMP EBX,EAX
│00642BD6  |.|JG SHORT ICONCRAF.00642BE7
│00642BD8  |.|LEA EAX,DWORD PTR SS:[EBP-C]
│00642BDB  |.|MOV ECX,EBX
│00642BDD  |.|MOV EDX,1
│00642BE2  |.|CALL ICONCRAF.004043D4
│00642BE7  |>|DEC EBX
│00642BE8  |.|TEST EBX,EBX
│00642BEA  |.\JNZ SHORT ICONCRAF.00642BC2
│00642BEC  |>LEA EDX,DWORD PTR SS:[EBP-4C]
│00642BEF  |.MOV EAX,DWORD PTR SS:[EBP-C]
│00642BF2  |.CALL ICONCRAF.004098EC
│00642BF7  |.MOV EDX,DWORD PTR SS:[EBP-4C] ;EDX=注册码
│00642BFA  |.LEA EAX,DWORD PTR SS:[EBP-C]
│00642BFD  |.CALL ICONCRAF.00403F94
│00642C02  |.MOV EAX,DWORD PTR SS:[EBP-C]    ;EAX=注册码
│00642C05  |.CALL ICONCRAF.0040418C          ;计算注册码长度
│00642C0A  |.CMP EAX,64                      ;将注册码长度与 0x64(100) 比较
   ───────────────────────────────────────────────
│00642C0D  |.JGE SHORT ICONCRAF.00642C1B    ;不跳就死
   ───────────────────────────────────────────────
│00642C0F  |.MOV EAX,DWORD PTR DS:[71EF10]
│00642C14  |.MOV EAX,DWORD PTR DS:[EAX]
│00642C16  |.CALL ICONCRAF.00642920
│00642C1B  |>MOV EDX,DWORD PTR SS:[EBP-C]    ;EDX=注册码
│00642C1E  |.MOV EAX,ICONCRAF.006430B0
│00642C23  |.CALL ICONCRAF.00404478          ;计算 '=' 的开始位置
│00642C28  |.MOV DWORD PTR SS:[EBP-18],EAX
│00642C2B  |.MOV DWORD PTR SS:[EBP-20],1
│00642C32  |.MOV EAX,DWORD PTR SS:[EBP-C]    ;EAX=注册码
│00642C35  |.CALL ICONCRAF.0040418C          ;计算注册码长度
│00642C3A  |.CMP EAX,DWORD PTR SS:[EBP-18] ;'=' 在最后一位
│00642C3D  |.JE SHORT ICONCRAF.00642C84    ;最后一位是 '=' 时,就跳.
│00642C3F  |.CMP DWORD PTR SS:[EBP-18],0    ;注册码中不包含 '='
│00642C43  |.JE SHORT ICONCRAF.00642C84
│00642C45  |.XOR EAX,EAX
│00642C47  |.MOV DWORD PTR SS:[EBP-20],EAX
│00642C4A  |.MOV EAX,DWORD PTR SS:[EBP-C]    ;EAX=注册码
│00642C4D  |.CALL ICONCRAF.0040418C          ;计算注册码长度
│00642C52  |.MOV ESI,EAX
│00642C54  |.TEST ESI,ESI
│00642C56  |.JLE SHORT ICONCRAF.00642C6E
│00642C58  |.MOV EBX,1
│00642C5D  |>/MOV EAX,DWORD PTR SS:[EBP-C] ;/
│00642C60  |.|CMP BYTE PTR DS:[EAX+EBX-1],3D  ;|与 '=' 比较
│00642C65  |.|JNZ SHORT ICONCRAF.00642C6A
│00642C67  |.|INC DWORD PTR SS:[EBP-20]    ;|
│00642C6A  |>|INC EBX
│00642C6B  |.|DEC ESI                      ;|这个循环,用来计算 '=' 的个数,结果放在堆栈里.
│00642C6C  |.\JNZ SHORT ICONCRAF.00642C5D    ;\
│00642C6E  |>MOV EAX,DWORD PTR SS:[EBP-C]    ;EAX=注册码
│00642C71  |.CALL ICONCRAF.0040418C          ;计算注册码长度
│00642C76  |.MOV ECX,EAX
│00642C78  |.MOV EDX,DWORD PTR SS:[EBP-18] ;EDX=注册码第一个 '=' 所在位置
│00642C7B  |.INC EDX
│00642C7C  |.LEA EAX,DWORD PTR SS:[EBP-C]    ;EAX 指向注册码的堆栈地址
│00642C7F  |.CALL ICONCRAF.004043D4          ;取出 '=' 前的部分(包括 '=')
│00642C84  |>MOV EAX,DWORD PTR SS:[EBP-4]
│00642C87  |.MOV EAX,DWORD PTR DS:[EAX+300]
│00642C8D  |.MOV EDX,DWORD PTR DS:[EAX]
│00642C8F  |.CALL DWORD PTR DS:[EDX+14]    ;F2D3FC
│00642C92  |.CMP EAX,3
│00642C95  |.JL ICONCRAF.00642E29          ;
│00642C9B  |.LEA ECX,DWORD PTR SS:[EBP-50]
│00642C9E  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642CA1  |.MOV EAX,DWORD PTR DS:[EAX+300]
│00642CA7  |.XOR EDX,EDX
│00642CA9  |.MOV EBX,DWORD PTR DS:[EAX]
│00642CAB  |.CALL DWORD PTR DS:[EBX+C]
│00642CAE  |.CMP DWORD PTR SS:[EBP-50],0
│00642CB2  |.JE ICONCRAF.00642E29
│00642CB8  |.LEA ECX,DWORD PTR SS:[EBP-54]
│00642CBB  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642CBE  |.MOV EAX,DWORD PTR DS:[EAX+300]
│00642CC4  |.MOV EDX,1
│00642CC9  |.MOV EBX,DWORD PTR DS:[EAX]
│00642CCB  |.CALL DWORD PTR DS:[EBX+C]
│00642CCE  |.CMP DWORD PTR SS:[EBP-54],0
│00642CD2  |.JE ICONCRAF.00642E29
│00642CD8  |.LEA ECX,DWORD PTR SS:[EBP-58]
│00642CDB  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642CDE  |.MOV EAX,DWORD PTR DS:[EAX+300]
│00642CE4  |.MOV EDX,2
│00642CE9  |.MOV EBX,DWORD PTR DS:[EAX]
│00642CEB  |.CALL DWORD PTR DS:[EBX+C]
│00642CEE  |.CMP DWORD PTR SS:[EBP-58],0
│00642CF2  |.JE ICONCRAF.00642E29
│00642CF8  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642CFB  |.MOV EBX,DWORD PTR DS:[EAX+300]
│00642D01  |.MOV EAX,EBX
│00642D03  |.MOV EDX,DWORD PTR DS:[EAX]
│00642D05  |.CALL DWORD PTR DS:[EDX+14]
│00642D08  |.MOV EDX,EAX
│00642D0A  |.DEC EDX
│00642D0B  |.LEA ECX,DWORD PTR SS:[EBP-34]
│00642D0E  |.MOV EAX,EBX
│00642D10  |.MOV EBX,DWORD PTR DS:[EAX]
│00642D12  |.CALL DWORD PTR DS:[EBX+C]
│00642D15  |.MOV EAX,DWORD PTR SS:[EBP-34]
│00642D18  |.CALL ICONCRAF.0040418C
│00642D1D  |.MOV EDX,DWORD PTR SS:[EBP-34]
│00642D20  |.CMP BYTE PTR DS:[EDX+EAX-1],3D
│00642D25  |.JNZ ICONCRAF.00642E29
│00642D2B  |.XOR EAX,EAX
│00642D2D  |.MOV DWORD PTR SS:[EBP-1C],EAX
│00642D30  |.MOV EAX,DWORD PTR SS:[EBP-34]
│00642D33  |.CALL ICONCRAF.0040418C
│00642D38  |.MOV ESI,EAX
│00642D3A  |.TEST ESI,ESI
│00642D3C  |.JLE SHORT ICONCRAF.00642D9E
│00642D3E  |.MOV EBX,1
│00642D43  |>/MOV EAX,DWORD PTR SS:[EBP-4]
│00642D46  |.|MOV EAX,DWORD PTR DS:[EAX+300]
│00642D4C  |.|MOV EDX,DWORD PTR DS:[EAX]
│00642D4E  |.|CALL DWORD PTR DS:[EDX+14]
│00642D51  |.|SUB EAX,2
│00642D54  |.|TEST EAX,EAX
│00642D56  |.|JL SHORT ICONCRAF.00642D94
│00642D58  |.|INC EAX
│00642D59  |.|MOV DWORD PTR SS:[EBP-38],EAX
│00642D5C  |.|MOV DWORD PTR SS:[EBP-18],0
│00642D63  |>|/LEA ECX,DWORD PTR SS:[EBP-30]
│00642D66  |.||MOV EAX,DWORD PTR SS:[EBP-4]
│00642D69  |.||MOV EAX,DWORD PTR DS:[EAX+300]
│00642D6F  |.||MOV EDX,DWORD PTR SS:[EBP-18]
│00642D72  |.||MOV EDI,DWORD PTR DS:[EAX]
│00642D74  |.||CALL DWORD PTR DS:[EDI+C]
│00642D77  |.||MOV EAX,DWORD PTR SS:[EBP-30]
│00642D7A  |.||MOV AL,BYTE PTR DS:[EAX+EBX-1]
│00642D7E  |.||MOV EDX,DWORD PTR SS:[EBP-34]
│00642D81  |.||CMP AL,BYTE PTR DS:[EDX+EBX-1]
│00642D85  |.||JE SHORT ICONCRAF.00642D8C
│00642D87  |.||MOV DWORD PTR SS:[EBP-1C],EBX
│00642D8A  |.||JMP SHORT ICONCRAF.00642D94
│00642D8C  |>||INC DWORD PTR SS:[EBP-18]
│00642D8F  |.||DEC DWORD PTR SS:[EBP-38]
│00642D92  |.|\JNZ SHORT ICONCRAF.00642D63
│00642D94  |>|CMP DWORD PTR SS:[EBP-1C],0
│00642D98  |.|JNZ SHORT ICONCRAF.00642D9E
│00642D9A  |.|INC EBX
│00642D9B  |.|DEC ESI
│00642D9C  |.\JNZ SHORT ICONCRAF.00642D43
│00642D9E  |>CMP DWORD PTR SS:[EBP-1C],1
│00642DA2  |.JLE ICONCRAF.00642E29
│00642DA8  |.LEA ECX,DWORD PTR SS:[EBP-C]
│00642DAB  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642DAE  |.MOV EAX,DWORD PTR DS:[EAX+300]
│00642DB4  |.XOR EDX,EDX
│00642DB6  |.MOV EBX,DWORD PTR DS:[EAX]
│00642DB8  |.CALL DWORD PTR DS:[EBX+C]
│00642DBB  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642DBE  |.MOV EAX,DWORD PTR DS:[EAX+300]
│00642DC4  |.MOV EDX,DWORD PTR DS:[EAX]
│00642DC6  |.CALL DWORD PTR DS:[EDX+14]
│00642DC9  |.MOV ESI,EAX
│00642DCB  |.DEC ESI
│00642DCC  |.TEST ESI,ESI
│00642DCE  |.JLE SHORT ICONCRAF.00642E29
│00642DD0  |.MOV DWORD PTR SS:[EBP-18],1
│00642DD7  |>/LEA EAX,DWORD PTR SS:[EBP-30]
│00642DDA  |.|PUSH EAX
│00642DDB  |.|LEA ECX,DWORD PTR SS:[EBP-5C]
│00642DDE  |.|MOV EAX,DWORD PTR SS:[EBP-4]
│00642DE1  |.|MOV EAX,DWORD PTR DS:[EAX+300]
│00642DE7  |.|MOV EDX,DWORD PTR SS:[EBP-18]
│00642DEA  |.|MOV EBX,DWORD PTR DS:[EAX]
│00642DEC  |.|CALL DWORD PTR DS:[EBX+C]
│00642DEF  |.|MOV EAX,DWORD PTR SS:[EBP-5C]
│00642DF2  |.|CALL ICONCRAF.0040418C
│00642DF7  |.|PUSH EAX
│00642DF8  |.|LEA ECX,DWORD PTR SS:[EBP-60]
│00642DFB  |.|MOV EAX,DWORD PTR SS:[EBP-4]
│00642DFE  |.|MOV EAX,DWORD PTR DS:[EAX+300]
│00642E04  |.|MOV EDX,DWORD PTR SS:[EBP-18]
│00642E07  |.|MOV EBX,DWORD PTR DS:[EAX]
│00642E09  |.|CALL DWORD PTR DS:[EBX+C]
│00642E0C  |.|MOV EAX,DWORD PTR SS:[EBP-60]
│00642E0F  |.|MOV EDX,DWORD PTR SS:[EBP-1C]
│00642E12  |.|POP ECX
│00642E13  |.|CALL ICONCRAF.00404394
│00642E18  |.|LEA EAX,DWORD PTR SS:[EBP-C]
│00642E1B  |.|MOV EDX,DWORD PTR SS:[EBP-30]
│00642E1E  |.|CALL ICONCRAF.00404194
│00642E23  |.|INC DWORD PTR SS:[EBP-18]
│00642E26  |.|DEC ESI
│00642E27  |.\JNZ SHORT ICONCRAF.00642DD7
│00642E29  |>MOV EAX,DWORD PTR SS:[EBP-C]    ;EAX=注册码
   ───────────────────────────────────────────────
│00642E2C  |.CALL ICONCRAF.00700D10          ;关键调用检查注册码
   ───────────────────────────────────────────────
│00642E31  |.MOV DL,1
│00642E33  |.MOV EAX,DWORD PTR DS:[4838D0]
│00642E38  |.CALL ICONCRAF.004839D0
│00642E3D  |.MOV DWORD PTR SS:[EBP-24],EAX
│00642E40  |.XOR EAX,EAX
│00642E42  |.PUSH EBP
│00642E43  |.PUSH ICONCRAF.00642F78
│00642E48  |.PUSH DWORD PTR FS:[EAX]
│00642E4B  |.MOV DWORD PTR FS:[EAX],ESP
│00642E4E  |.MOV EDX,80000001
│00642E53  |.MOV EAX,DWORD PTR SS:[EBP-24]
│00642E56  |.CALL ICONCRAF.00483AAC
│00642E5B  |.PUSH ICONCRAF.006430BC          ;ASCII "Software\IconEmpire\"
│00642E60  |.MOV EAX,DWORD PTR DS:[71F228]
│00642E65  |.PUSH DWORD PTR DS:[EAX]
│00642E67  |.PUSH ICONCRAF.006430DC
│00642E6C  |.LEA EAX,DWORD PTR SS:[EBP-68]
│00642E6F  |.CALL ICONCRAF.00700A90
│00642E74  |.PUSH DWORD PTR SS:[EBP-68]
│00642E77  |.LEA EAX,DWORD PTR SS:[EBP-64]
│00642E7A  |.MOV EDX,4
│00642E7F  |.CALL ICONCRAF.0040424C
│00642E84  |.MOV EDX,DWORD PTR SS:[EBP-64]
│00642E87  |.MOV CL,1
│00642E89  |.MOV EAX,DWORD PTR SS:[EBP-24]
│00642E8C  |.CALL ICONCRAF.00483B14
│00642E91  |.MOV BYTE PTR SS:[EBP-5],AL
│00642E94  |.CMP BYTE PTR SS:[EBP-5],0
   ───────────────────────────────────────────────
│00642E98  |.JE ICONCRAF.00642F62          ;一跳就死
   ───────────────────────────────────────────────
│00642E9E  |.MOV ECX,DWORD PTR SS:[EBP-C]
│00642EA1  |.MOV EDX,ICONCRAF.006430E8       ;ASCII "Key"
│00642EA6  |.MOV EAX,DWORD PTR SS:[EBP-24]
│00642EA9  |.CALL ICONCRAF.00484060
│00642EAE  |.MOV EDX,ICONCRAF.006430E8       ;ASCII "Key"
│00642EB3  |.LEA ECX,DWORD PTR SS:[EBP-6C]
│00642EB6  |.MOV EAX,DWORD PTR SS:[EBP-24]
│00642EB9  |.CALL ICONCRAF.0048408C
│00642EBE  |.MOV EDX,DWORD PTR SS:[EBP-6C]
│00642EC1  |.MOV EAX,DWORD PTR SS:[EBP-C]
│00642EC4  |.CALL ICONCRAF.0040429C
│00642EC9  |.SETE BYTE PTR SS:[EBP-5]
│00642ECD  |.CALL ICONCRAF.0040B358
│00642ED2  |.ADD ESP,-8                      ;
│00642ED5  |.FSTP QWORD PTR SS:[ESP]       ;Arg1(8 字节)
│00642ED8  |.WAIT                            ;
│00642ED9  |.MOV EDX,ICONCRAF.006430F4       ;ASCII "Time"
│00642EDE  |.MOV EAX,DWORD PTR SS:[EBP-24] ;
│00642EE1  |.CALL ICONCRAF.00484104          ;iconcraf.00484104
│00642EE6  |.LEA EAX,DWORD PTR SS:[EBP-70]
│00642EE9  |.CALL ICONCRAF.006FFB18
│00642EEE  |.MOV ECX,DWORD PTR SS:[EBP-70]
│00642EF1  |.MOV EDX,ICONCRAF.00643104       ;ASCII "FullProductName"
│00642EF6  |.MOV EAX,DWORD PTR SS:[EBP-24]
│00642EF9  |.CALL ICONCRAF.00484060
│00642EFE  |.LEA EDX,DWORD PTR SS:[EBP-74]
│00642F01  |.MOV EAX,DWORD PTR SS:[EBP-4]
│00642F04  |.MOV EAX,DWORD PTR DS:[EAX+2F0]
│00642F0A  |.CALL ICONCRAF.00437B28
│00642F0F  |.MOV EAX,DWORD PTR SS:[EBP-74]
│00642F12  |.LEA EDX,DWORD PTR SS:[EBP-28]
│00642F15  |.CALL ICONCRAF.004098EC
│00642F1A  |.CMP DWORD PTR SS:[EBP-20],1
│00642F1E  |.JE SHORT ICONCRAF.00642F52
│00642F20  |.PUSH DWORD PTR SS:[EBP-28]
│00642F23  |.PUSH ICONCRAF.0064311C          ;ASCII "<BR>"
│00642F28  |.PUSH ICONCRAF.0064312C          ;ASCII " - "
│00642F2D  |.LEA EDX,DWORD PTR SS:[EBP-78]
│00642F30  |.MOV EAX,DWORD PTR SS:[EBP-20]
│00642F33  |.CALL ICONCRAF.00409AA0
│00642F38  |.PUSH DWORD PTR SS:[EBP-78]
│00642F3B  |.PUSH ICONCRAF.006430A4
│00642F40  |.PUSH ICONCRAF.00643138          ;ASCII "licenses -"
│00642F45  |.LEA EAX,DWORD PTR SS:[EBP-28]
│00642F48  |.MOV EDX,6
│00642F4D  |.CALL ICONCRAF.0040424C
│00642F52  |>MOV ECX,DWORD PTR SS:[EBP-28]
│00642F55  |.MOV EDX,ICONCRAF.0064314C       ;ASCII "UserName"
│00642F5A  |.MOV EAX,DWORD PTR SS:[EBP-24]
│00642F5D  |.CALL ICONCRAF.00484060
│00642F62  |>XOR EAX,EAX
│00642F64  |.POP EDX
│00642F65  |.POP ECX
│00642F66  |.POP ECX
│00642F67  |.MOV DWORD PTR FS:[EAX],EDX
│00642F6A  |.PUSH ICONCRAF.00642F7F
│00642F6F  |>MOV EAX,DWORD PTR SS:[EBP-24]
│00642F72  |.CALL ICONCRAF.00403194
│00642F77  \.RETN
└──────────────────────────────────────────────┘
呵呵,一看前面一大段都是在检查 "- KEY BEGIN KEY -" 和 "- KEY END KEY -" 字符串,就不多说了,关键是在 642E2C 处,其内容为,
┌──────────────────────────────────────────────┐
│00700D10  /$PUSH EBX
│00700D11  |.MOV EBX,EAX
   ───────────────────────────────────────────────
│00700D13  |.CMP BYTE PTR DS:[EBX],30                ;  注册码第一位与 0 比较
   ───────────────────────────────────────────────
│00700D16  |.JNZ SHORT ICONCRAF.00700D2F             ;  一跳就死
│00700D18  |.MOV EAX,EBX
│00700D1A  |.CALL ICONCRAF.0040418C                ;  计算注册码长度
   ───────────────────────────────────────────────
│00700D1F  |.CMP EAX,0AD                            ;  注册码长度与 0xAD(173) 比较
   ───────────────────────────────────────────────
│00700D24  |.JNZ SHORT ICONCRAF.00700D2F             ;  一跳就死
   ───────────────────────────────────────────────
│00700D26  |.CMP BYTE PTR DS:[EBX+AC],3D             ;  注册码最后一位与 '=' 比较
   ───────────────────────────────────────────────
│00700D2D  |.JE SHORT ICONCRAF.00700D45             ;  不跳就死
│00700D2F  |>MOV ECX,ICONCRAF.00700D50             ;  ASCII "Invalid key"
│00700D34  |.MOV DL,1
│00700D36  |.MOV EAX,DWORD PTR DS:[408A60]
│00700D3B  |.CALL ICONCRAF.0040D134
│00700D40  |.CALL ICONCRAF.0040392C
│00700D45  |>POP EBX
│00700D46  \.RETN
└──────────────────────────────────────────────┘
注册算法竟然这么简单!
其流程为,
1.首先检查注册码中是否含 "- KEY BEGIN KEY -" 和 "- KEY END KEY -" 字符串,如果有,则取它们之间的字符为注册码.空格会自动删除.可以为中文.
2.获得注册码后,查找注册码中 '=' 的个数.若 '=' 个数为 0,则调用注册失败对话框.
3.当 '=' 只有一个时,截取 '=' 以左部分(包括 '=')作为新注册码,验证其首位是否为 '0',末尾是否为 '=',长度是否为 0xAD(173d),是则注册成为单用户协议.
4.当 '=' 多于一个时,逐次将注册码分为 '......=' 格式的若干段,对每一段都进行首位是否为 '0',末尾是否为 '=',长度是否为 0xAD(173d)的验证,只要有一段符合要求,协议将注册为多用户协议,协议个数是 '=' 的个数.
5.写入注册表项.

【破解总结】:
———————————————————————————————————————————
该注册算法是俺有史以来,见过的最简单的注册算法,但对 Cracker 新人来讲,多少有点意义,所以写出来,最后给出一个弱※注册码,供大家玩笑,
- KEY BEGIN KEY -
0鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.鲁鲁拉,鲁鲁拉,弱※算法,鲁鲁拉!你笑它,我笑它,哈哈哈哈哈哈.=
- KEY END KEY -
然后,补一个注册机,这个注册机并非完整意义上的注册机,因为不能列出所有可能的注册码,当然如果非要写,也并非不可,只是觉得没必要.为这个简单注册码算法,写一个复杂注册机,不值得.
高手就不要来了.

注意:该注册算法同样可以注册 IconoMaker 3.20 及 Perfect Icon 2.30

Hmily · 发表于 2020-5-9 11:13

请在看雪论坛给hmilywen发一个短消息确认是本人申请，然后这里回复我一下。

帐号		自动登录	找回密码
密码			注册[Register]

选中篇:

[会员申请] 申请会员ID：wslvic


	选中篇: 置顶\|

选中 篇:

[会员申请] 申请会员ID：wslvic

选中篇: