冰糖
发表于 2008-10-17 11:02
【破文标题】OJOsoft MP3 Converter2.5.0.1009简单分析
【破文作者】冰糖[BST]
【作者邮箱】bthulu#gmail.com
【作者主页】http://bbs.thulu.com
【破解 工具】peid0.94+OD
【破解平台】XPsp3
【软件名称】OJOsoft MP3 Converter2.5.0.1009
【软件大小】15M
【原版下载】自己找
【保护方式】注册码
【软件简介】一个音频格式转换软件,转换格式挺多的,我数了一下有十多种
【破解声明】本文仅供研究学习,本人对因这篇文章而导致的一切后果,不承担任何法律责任。本文中的不足之处
------------------------------------------------------------------------
【破解过程】Microsoft Visual C++ 7.0 Method2 [Debug]，无壳。OD直接载入运行，输入假码BCDE-FGHI-JKLM-NOPQ-RSTU(为什么输入这个假码?因为这个假码便于下面的观察)，跳出错误提示，F12大法返回后下断
00401D10 .6A FF push-1 ;F2下断
00401D12 .68 4DFE4100 push0041FE4D ;SE 处理程序安装
00401D17 .64:A1 0000000>mov eax, dword ptr fs:[0]
00401D1D .50pusheax
00401D1E .64:8925 00000>mov dword ptr fs:[0], esp
00401D25 .83EC 0C sub esp, 0C
00401D28 .56pushesi
00401D29 .8BF1mov esi, ecx
00401D2B .8D4C24 04 lea ecx, dword ptr [esp+4]
00401D2F .FF15 18424200 calldword ptr [<&MFC71.#310>];MFC71.7C173199
00401D35 .8D4424 04 lea eax, dword ptr [esp+4]
00401D39 .50pusheax
00401D3A .8D4E 74 lea ecx, dword ptr [esi+74]
00401D3D .C74424 1C 000>mov dword ptr [esp+1C], 0
00401D45 .E8 46D40100 call<jmp.&MFC71.#3761>
00401D4A .51pushecx;假码BCDE-FGHI-JKLM-NOPQ-RSTU
00401D4B .8D5424 08 lea edx, dword ptr [esp+8]
00401D4F .8BCCmov ecx, esp
00401D51 .896424 10 mov dword ptr [esp+10], esp
00401D55 .52pushedx
00401D56 .FF15 D8414200 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
00401D5C .8B8E C8000000 mov ecx, dword ptr [esi+C8]
00401D62 .FF15 28404200 calldword ptr [<&Control.AVProxy::Re>;算法比较CALL,F7跟入
00401D68 .85C0testeax, eax
00401D6A .8B86 CC000000 mov eax, dword ptr [esi+CC]
00401D70 .75 6A jnz short 00401DDC ;关键跳转,跳就失败
00401D72 .05 34010000 add eax, 134
00401D77 .50pusheax
00401D78 .8D4C24 10 lea ecx, dword ptr [esp+10]
00401D7C .FF15 D8414200 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
00401D82 .8B8E CC000000 mov ecx, dword ptr [esi+CC]
00401D88 .81C1 38010000 add ecx, 138
00401D8E .51pushecx
00401D8F .8D4C24 0C lea ecx, dword ptr [esp+C]
00401D93 .C64424 1C 01mov byte ptr [esp+1C], 1
00401D98 .FF15 D8414200 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
00401D9E .6A 40 push40
00401DA0 .8D4C24 10 lea ecx, dword ptr [esp+10]
00401DA4 .C64424 1C 02mov byte ptr [esp+1C], 2
00401DA9 .FF15 D0414200 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
00401DAF .50pusheax
00401DB0 .8D4C24 10 lea ecx, dword ptr [esp+10]
00401DB4 .FF15 D0414200 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
00401DBA .50pusheax
00401DBB .8BCEmov ecx, esi
00401DBD .E8 BCD30100 call<jmp.&MFC71.#4104> ;正确提示
00401DC2 .8B16mov edx, dword ptr [esi]
00401DC4 .8BCEmov ecx, esi
00401DC6 .FF92 54010000 calldword ptr [edx+154]
00401DCC .8D4C24 08 lea ecx, dword ptr [esp+8]
00401DD0 .FF15 C0414200 calldword ptr [<&MFC71.#578>];MFC71.7C1771B1
00401DD6 .8D4C24 0C lea ecx, dword ptr [esp+C]
00401DDA .EB 5E jmp short 00401E3A
00401DDC >05 34010000 add eax, 134
00401DE1 .50pusheax
00401DE2 .8D4C24 0C lea ecx, dword ptr [esp+C]
00401DE6 .FF15 D8414200 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
00401DEC .8B8E CC000000 mov ecx, dword ptr [esi+CC]
00401DF2 .81C1 40010000 add ecx, 140
00401DF8 .51pushecx
00401DF9 .8D4C24 10 lea ecx, dword ptr [esp+10]
00401DFD .C64424 1C 03mov byte ptr [esp+1C], 3
00401E02 .FF15 D8414200 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
00401E08 .6A 40 push40
00401E0A .8D4C24 0C lea ecx, dword ptr [esp+C]
00401E0E .C64424 1C 04mov byte ptr [esp+1C], 4
00401E13 .FF15 D0414200 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
00401E19 .50pusheax
00401E1A .8D4C24 14 lea ecx, dword ptr [esp+14]
00401E1E .FF15 D0414200 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
00401E24 .50pusheax
00401E25 .8BCEmov ecx, esi
00401E27 .E8 52D30100 call<jmp.&MFC71.#4104> ;错误提示
00401E2C .8D4C24 0C lea ecx, dword ptr [esp+C]
00401E30 .FF15 C0414200 calldword ptr [<&MFC71.#578>];MFC71.7C1771B1
F7跟入部分
00396CC8|.C68424 800400>mov byte ptr [esp+480], 4
00396CD0|.FF15 88503A00 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
00396CD6|.8D4C24 1C lea ecx, dword ptr [esp+1C]
00396CDA|.889C24 7C0400>mov byte ptr [esp+47C], bl
00396CE1|.E8 4AB60000 call003A2330 ;算法比较CALL,继续F7
00396CE6|.0FB6C0movzx eax, al
00396CE9|.85C0testeax, eax
00396CEB|.0F84 38020000 je00396F29 ;关键跳转,跳就失败
00396CF1|.8D4C24 1C lea ecx, dword ptr [esp+1C]
00396CF5|.FF15 98503A00 calldword ptr [<&MFC71.#310>];MFC71.7C173199
00396CFB|.8D4C24 10 lea ecx, dword ptr [esp+10]
00396CFF|.B3 05 mov bl, 5
00396D01|.51pushecx
00396D02|.889C24 780400>mov byte ptr [esp+478], bl
00396D09|.E8 C2D1FFFF call00393ED0
00396D0E|.8BC8mov ecx, eax
00396D10|.E8 ABC2FFFF call00392FC0
00396D15|.8B10mov edx, dword ptr [eax] ;下面是注册信息保存地点config\config.ini
00396D17|.68 28543A00 push003A5428 ;ASCII "config.ini"
00396D1C|.52pushedx
00396D1D|.8D4424 24 lea eax, dword ptr [esp+24]
00396D21|.68 18543A00 push003A5418 ;ASCII "%s\config\%s"
00396D26|.50pusheax
00396D27|.C68424 840400>mov byte ptr [esp+484], 6
00396D2F|.FF15 B8503A00 calldword ptr [<&MFC71.#2322>] ;MFC71.7C146A9D
00396D35|.83C4 10 add esp, 10
F7跟入部分
003A2330/$6A FF push-1
003A2332|.68 824E3A00 push003A4E82 ;SE 处理程序安装
003A2337|.64:A1 0000000>mov eax, dword ptr fs:[0]
003A233D|.50pusheax
003A233E|.64:8925 00000>mov dword ptr fs:[0], esp
003A2345|.81EC B8000000 sub esp, 0B8
003A234B|.53pushebx
003A234C|.55pushebp
003A234D|.56pushesi
003A234E|.8BF1mov esi, ecx
003A2350|.57pushedi
003A2351|.897424 14 mov dword ptr [esp+14], esi
003A2355|.51pushecx
003A2356|.8D8424 E00000>lea eax, dword ptr [esp+E0]
003A235D|.8BCCmov ecx, esp
003A235F|.896424 14 mov dword ptr [esp+14], esp
003A2363|.50pusheax
003A2364|.C78424 D80000>mov dword ptr [esp+D8], 1
003A236F|.33FFxor edi, edi
003A2371|.FF15 88503A00 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
003A2377|.8BCEmov ecx, esi
003A2379|.E8 32FCFFFF call003A1FB0 ;算法CALL,检验输入假码格式是否正确,F7跟入
003A237E|.84C0testal, al
003A2380|.0F84 49010000 je003A24CF ;不正确就失败
003A2386|.8B2D 8C513A00 mov ebp, dword ptr [<&MSVCR71.touppe>;MSVCR71.toupper
003A238C|.33DBxor ebx, ebx
003A238E|.8D7424 68 lea esi, dword ptr [esp+68]
003A2392|>83FF 04 /cmp edi, 4;EDI与4比较,即省略计算“-”
003A2395|.75 04 |jnz short 003A239B
003A2397|.33FF|xor edi, edi
003A2399|.EB 23 |jmp short 003A23BE
003A239B|>53|pushebx
003A239C|.8D8C24 E00000>|lea ecx, dword ptr [esp+E0]
003A23A3|.FF15 18513A00 |calldword ptr [<&MFC71.#865>] ;MFC71.7C1894E7
003A23A9|.0FBEC8|movsx ecx, al ;分别取输入假码每个非"-"字符
003A23AC|.51|pushecx
003A23AD|.FFD5|callebp
003A23AF|.0FBED0|movsx edx, al
003A23B2|.83EA 41 |sub edx, 41 ;edx-65即每个非“-”字符ASCII-65
003A23B5|.83C4 04 |add esp, 4
003A23B8|.8916|mov dword ptr [esi], edx;将结果分别存入[ESI]
003A23BA|.47|inc edi
003A23BB|.83C6 04 |add esi, 4;esi 加 4,即隔四位分别存放上面的计算结果
003A23BE|>43|inc ebx
003A23BF|.83FB 18 |cmp ebx, 18 ;判断24个字符是否取完
003A23C2|.^ 7C CE \jlshort 003A2392
003A23C4|.68 80000000 push80
003A23C9|.51pushecx
003A23CA|.8D8424 E00000>lea eax, dword ptr [esp+E0]
003A23D1|.8BCCmov ecx, esp
003A23D3|.896424 18 mov dword ptr [esp+18], esp
003A23D7|.50pusheax
003A23D8|.FF15 88503A00 calldword ptr [<&MFC71.#297>];MFC71.7C14E575
003A23DE|.8D8C24 C00000>lea ecx, dword ptr [esp+C0]
003A23E5|.51pushecx
003A23E6|.8B4C24 20 mov ecx, dword ptr [esp+20]
003A23EA|.E8 81FCFFFF call003A2070 ;这个CALL是计算几个固定的值用于下面的计算,F7跟入看看
003A23EF|.8B5424 68 mov edx, dword ptr [esp+68];1
003A23F3|.8B4C24 70 mov ecx, dword ptr [esp+70];3
003A23F7|.8B4424 6C mov eax, dword ptr [esp+6C];2
003A23FB|.895424 18 mov dword ptr [esp+18], edx;=1
003A23FF|.8B5424 74 mov edx, dword ptr [esp+74];4
003A2403|.894C24 20 mov dword ptr [esp+20], ecx;=3
003A2407|.8B4C24 7C mov ecx, dword ptr [esp+7C];6
003A240B|.894424 1C mov dword ptr [esp+1C], eax;=2
003A240F|.8B4424 78 mov eax, dword ptr [esp+78];5
003A2413|.895424 24 mov dword ptr [esp+24], edx;=4
003A2417|.8B9424 800000>mov edx, dword ptr [esp+80];7
003A241E|.894C24 2C mov dword ptr [esp+2C], ecx;=6
003A2422|.8B8C24 880000>mov ecx, dword ptr [esp+88];9
003A2429|.894424 28 mov dword ptr [esp+28], eax;=5
003A242D|.8B8424 840000>mov eax, dword ptr [esp+84];8
003A2434|.895424 30 mov dword ptr [esp+30], edx;=7
003A2438|.8B9424 8C0000>mov edx, dword ptr [esp+8C];A
003A243F|.894C24 38 mov dword ptr [esp+38], ecx;=9
003A2443|.8B8C24 940000>mov ecx, dword ptr [esp+94];C
003A244A|.894424 34 mov dword ptr [esp+34], eax;=8
003A244E|.8B8424 900000>mov eax, dword ptr [esp+90];B
003A2455|.895424 3C mov dword ptr [esp+3C], edx;=A
003A2459|.8B9424 980000>mov edx, dword ptr [esp+98];D
003A2460|.894C24 44 mov dword ptr [esp+44], ecx;=C
003A2464|.8B8C24 A00000>mov ecx, dword ptr [esp+A0];F
003A246B|.894424 40 mov dword ptr [esp+40], eax;=B
003A246F|.8B8424 9C0000>mov eax, dword ptr [esp+9C];E
003A2476|.895424 48 mov dword ptr [esp+48], edx;=D
003A247A|.8B9424 A40000>mov edx, dword ptr [esp+A4];10
003A2481|.894C24 50 mov dword ptr [esp+50], ecx;=F
003A2485|.894424 4C mov dword ptr [esp+4C], eax;=E
003A2489|.895424 54 mov dword ptr [esp+54], edx;=10
003A248D|.B3 01 mov bl, 1;上面一段两次交换,相当于没有交换,作用是把由输入假码计算的值的前16位复制一份用于下面的计算,1,2,3,4等是我为了方便标示记下的计算结果,这也是为什么假码用BCDE-FGHI-JKLM-NOPQ-RSTU而不用其他的原因
003A248F|.33C9xor ecx, ecx ;ECX清零
003A2491|>8B6C0C 18 /mov ebp, dword ptr [esp+ecx+18] ;1,2,3,4
003A2495|.8B840C B80000>|mov eax, dword ptr [esp+ecx+B8] ;11,5,13,7
003A249C|.8B7C0C 28 |mov edi, dword ptr [esp+ecx+28] ;5,6,7,8
003A24A0|.8B740C 48 |mov esi, dword ptr [esp+ecx+48] ;D,E,F,10
003A24A4|.8B540C 38 |mov edx, dword ptr [esp+ecx+38] ;9,A,B,C,D
003A24A8|.03C5|add eax, ebp
003A24AA|.03C7|add eax, edi
003A24AC|.03C6|add eax, esi
003A24AE|.03C2|add eax, edx;上面4个数相加
003A24B0|.99|cdq
003A24B1|.BE 1A000000 |mov esi, 1A
003A24B6|.F7FE|idivesi
003A24B8|.3B940C A80000>|cmp edx, dword ptr [esp+ecx+A8] ;余数分别与输入假码计算结果的后四位比较
003A24BF|.89540C 58 |mov dword ptr [esp+ecx+58], edx
003A24C375 0A jnz short 003A24CF ;不相等就失败
003A24C5|.83C1 04 |add ecx, 4;地址偏移
003A24C8|.83F9 10 |cmp ecx, 10 ;是否取完四次
003A24CB|.^ 7C C4 \jlshort 003A2491
003A24CD|.EB 02 jmp short 003A24D1 ;不跳就失败
003A24CF32DBxor bl, bl ;BL清零,标志位破解只需要把这里改成mov bl, 1
003A24D1|>8D8C24 D80000>lea ecx, dword ptr [esp+D8]
003A24D8|.FF15 94503A00 calldword ptr [<&MFC71.#578>];MFC71.7C1771B1
003A24DE|.8D8C24 DC0000>lea ecx, dword ptr [esp+DC]
003A24E5|.FF15 94503A00 calldword ptr [<&MFC71.#578>];MFC71.7C1771B1
003A24EB|.8B8C24 C80000>mov ecx, dword ptr [esp+C8]
003A24F2|.5Fpop edi
下面是判断注册码格式的F7部分
003A1FCC .C74424 14 000>mov dword ptr [esp+14], 0
003A1FD4 .33FFxor edi, edi
003A1FD6 .FF15 A0503A00 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
003A1FDC .8D50 01 lea edx, dword ptr [eax+1] ;假码BCDE-FGHI-JKLM-NOPQ-RSTU
003A1FDF .90nop
003A1FE0 >8A08mov cl, byte ptr [eax]
003A1FE2 .40inc eax
003A1FE3 .84C9testcl, cl
003A1FE5 .^ 75 F9 jnz short 003A1FE0
003A1FE7 .2BC2sub eax, edx ;上面四行计算输入假码的位数
003A1FE9 .83F8 18 cmp eax, 18;输入的假码是否等于24
003A1FEC .75 62 jnz short 003A2050 ;不等于24位就注册失败
003A1FEE .8B1D 8C513A00 mov ebx, dword ptr [<&MSVCR71.touppe>;MSVCR71.toupper
003A1FF4 .33F6xor esi, esi
003A1FF6 .EB 08 jmp short 003A2000
003A1FF8 .8DA424 000000>lea esp, dword ptr [esp]
003A1FFF .90nop
003A2000 >56pushesi;下面判断输入注册码是不是都是大写字母
003A2001 .8D4C24 20 lea ecx, dword ptr [esp+20]
003A2005 .FF15 18513A00 calldword ptr [<&MFC71.#865>];MFC71.7C1894E7
003A200B .0FBEC0movsx eax, al
003A200E .50pusheax
003A200F .FFD3callebx
003A2011 .83C4 04 add esp, 4
003A2014 .83FF 04 cmp edi, 4 ;判断是不是隔了4个字符
003A2017 .75 08 jnz short 003A2021
003A2019 .3C 2D cmp al, 2D ;判断第五个字符是不是-
003A201B .75 33 jnz short 003A2050
003A201D .33FFxor edi, edi ;清空EDI重新计数
003A201F .EB 09 jmp short 003A202A ;上面5行判断每隔4个字符是不是出现“-”
003A2021 >3C 41 cmp al, 41 ;ASCII码是否大于41即字母"A"
003A2023 .7C 2B jlshort 003A2050 ;小于“A”就失败
003A2025 .3C 5A cmp al, 5A ;ASCII码是否小于5A即字母"Z"
003A2027 .7F 27 jgshort 003A2050 ;大于“Z”就失败
003A2029 .47inc edi;EDI加计数
003A202A >46inc esi
003A202B .83FE 18 cmp esi, 18
003A202E .^ 7C D0 jlshort 003A2000 ;上面判断输入注册码是不是都是大写字母
003A2030 .8D4C24 1C lea ecx, dword ptr [esp+1C]
003A2034 .FF15 94503A00 calldword ptr [<&MFC71.#578>];MFC71.7C1771B1
003A203A .B0 01 mov al, 1
003A203C .8B4C24 0C mov ecx, dword ptr [esp+C]
003A2040 .64:890D 00000>mov dword ptr fs:[0], ecx
003A2047 .5Fpop edi
下面是计算4个固定值的部分
003A2070/$81EC 8C000000 sub esp, 8C
003A2076|.A1 D4C53A00 mov eax, dword ptr [3AC5D4]
003A207B|.8D8C24 940000>lea ecx, dword ptr [esp+94]
003A2082|.898424 880000>mov dword ptr [esp+88], eax
003A2089|.FF15 A0503A00 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
003A208F|.8D50 01 lea edx, dword ptr [eax+1] ;“MP3 Converter"
003A2092|>8A08/mov cl, byte ptr [eax];分别取"MP3 Converter"的每个字符
003A2094|.40|inc eax
003A2095|.84C9|testcl, cl
003A2097|.^ 75 F9 \jnz short 003A2092
003A2099|.53pushebx
003A209A|.8B9C24 9C0000>mov ebx, dword ptr [esp+9C];80
003A20A1|.55pushebp
003A20A2|.2BC2sub eax, edx ;计算"MP3 Converter"字符数13
003A20A4|.3BC3cmp eax, ebx ;13和80比较
003A20A6|.56pushesi
003A20A7|.57pushedi
003A20A8|.77 21 jashort 003A20CB ;大于就跳
003A20AA|.8D8C24 A40000>lea ecx, dword ptr [esp+A4]
003A20B1|.FF15 A0503A00 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
003A20B7|.8D50 01 lea edx, dword ptr [eax+1]
003A20BA|.8D9B 00000000 lea ebx, dword ptr [ebx]
003A20C0|>8A08/mov cl, byte ptr [eax]
003A20C2|.40|inc eax
003A20C3|.84C9|testcl, cl
003A20C5|.^ 75 F9 \jnz short 003A20C0
003A20C7|.2BC2sub eax, edx ;上面计算"MP3 Converter"字符数13
003A20C9|.8BD8mov ebx, eax ;ebx=eax=13
003A20CB|>33C0xor eax, eax
003A20CD|.B9 20000000 mov ecx, 20;ecx=32
003A20D2|.8D7C24 14 lea edi, dword ptr [esp+14]
003A20D6|.F3:AB rep stos dword ptr es:[edi]
003A20D8|.8D8C24 A40000>lea ecx, dword ptr [esp+A4]
003A20DF|.AAstosbyte ptr es:[edi]
003A20E0|.FF15 A0503A00 calldword ptr [<&MFC71.#876>];MFC71.7C158BCD
003A20E6|.8BCBmov ecx, ebx
003A20E8|.8BF0mov esi, eax
003A20EA|.8BC1mov eax, ecx
003A20EC|.C1E9 02 shr ecx, 2
003A20EF|.8D7C24 14 lea edi, dword ptr [esp+14]
003A20F3|.F3:A5 rep movs dword ptr es:[edi], dword p>
003A20F5|.8BC8mov ecx, eax
003A20F7|.83E1 03 and ecx, 3
003A20FA|.F3:A4 rep movs byte ptr es:[edi], byte ptr>
003A20FC|.8B8C24 A00000>mov ecx, dword ptr [esp+A0]
003A2103|.894C24 10 mov dword ptr [esp+10], ecx
003A2107|.BB 01000000 mov ebx, 1
003A210C|.8D6424 00 lea esp, dword ptr [esp]
003A2110|>8D4424 14 /lea eax, dword ptr [esp+14]
003A2114|.33ED|xor ebp, ebp
003A2116|.8D50 01 |lea edx, dword ptr [eax+1]
003A2119|.8DA424 000000>|lea esp, dword ptr [esp]
003A2120|>8A08|/mov cl, byte ptr [eax]
003A2122|.40||inc eax
003A2123|.84C9||testcl, cl
003A2125|.^ 75 F9 |\jnz short 003A2120
003A2127|.2BC2|sub eax, edx
003A2129|.8BF8|mov edi, eax
003A212B|.33C9|xor ecx, ecx
003A212D|.85FF|testedi, edi
003A212F|.7E 18 |jle short 003A2149
003A2131|>0FBE740C 14 |/movsx esi, byte ptr [esp+ecx+14]
003A2136|.8BC3||mov eax, ebx
003A2138|.0FAFC6||imuleax, esi
003A213B|.99||cdq
003A213C|.2BC2||sub eax, edx
003A213E|.D1F8||sar eax, 1
003A2140|.03C6||add eax, esi
003A2142|.03E8||add ebp, eax
003A2144|.41||inc ecx
003A2145|.3BCF||cmp ecx, edi
003A2147|.^ 7C E8 |\jlshort 003A2131
003A2149|>8BC5|mov eax, ebp
003A214B|.99|cdq
003A214C|.B9 1A000000 |mov ecx, 1A
003A2151|.F7F9|idivecx
003A2153|.8B4424 10 |mov eax, dword ptr [esp+10]
003A2157|.83C3 06 |add ebx, 6
003A215A|.83C0 04 |add eax, 4
003A215D|.83FB 19 |cmp ebx, 19
003A2160|.894424 10 |mov dword ptr [esp+10], eax ;上面懒得分析了,是根据"MP3 Converter"算出固定值
003A2164|.8950 FC |mov dword ptr [eax-4], edx;这里是根据上面字符串计算的固定值,11,5,13,7,且在内存中接在由输入假码计算的值的后面每隔四位存放
003A2167|.^ 7C A7 \jlshort 003A2110
003A2169|.8D8C24 A40000>lea ecx, dword ptr [esp+A4]
003A2170|.FF15 94503A00 calldword ptr [<&MFC71.#578>];MFC71.7C1771B1
003A2176|.8B8C24 980000>mov ecx, dword ptr [esp+98]
003A217D|.5Fpop edi
003A217E|.5Epop esi
003A217F|.5Dpop ebp
------------------------------------------------------------------------
【破解总结】这个软件爆破非常简单,写这篇分析没有什么其他的意思,就是无聊了找点事做做
我用VB模拟了一下算法
Private Sub Command1_Click()
' VB re-implementation of the registration-code check traced in the listings
' above: a length/format check followed by four modular-sum comparisons.
' Reads the candidate code from Text1 and reports the result via MsgBox.
Dim a As Integer
Dim b(20) As Integer ' letter values (ASCII - 65) of the 20 non-"-" characters, stored in b(1)..b(20)
Dim c(20) As Integer ' copy of the first 16 letter values
Dim d(4) As Integer ' four fixed constants (see assignment below)
zcm = Text1.Text
a = Len(zcm)
' The code must be exactly 24 characters long (4 groups of 4 letters plus 4 dashes).
If a <> 24 Then
MsgBox ("输入必须是24位")
Exit Sub
End If
i = 0
' Format check: every 5th character must be "-", every other character an uppercase A-Z.
For i = 1 To a
If i Mod 5 = 0 Then
If Mid(zcm, i, 1) <> "-" Then
MsgBox ("输入格式错")
Exit Sub
End If
ElseIf (Asc(Mid(zcm, i, 1)) < 65 Or Asc(Mid(zcm, i, 1)) > 90) Then
MsgBox ("输入必须是大写字母")
Exit Sub
End If
Next i
' Map each non-"-" character to 0..25 by subtracting the ASCII value of "A".
k = 0
For j = 1 To a
If j Mod 5 <> 0 Then
k = k + 1
b(k) = Asc(Mid(zcm, j, 1)) - 65
End If
Next j
' Keep a working copy of the first 16 values, mirroring the copy made at 003A23EF..003A2489.
For m = 1 To 16
c(m) = b(m)
Next m
d(1) = 17 ' the values of d() are fixed; per the author's trace they are derived from a string inside the program
d(2) = 5
d(3) = 19
d(4) = 7
' Four checks: each sum of one constant and four letter values is reduced mod 26
' and compared against a stored letter value. The first mismatch stops the check.
' Note: the "correct" message is shown inside the loop, i.e. once for every n that
' passes, rather than once after all four comparisons have succeeded.
For n = 1 To 4
e = c(n) + d(n) + c(n + 4) + c(n + 12) + c(n + 8)
If (e Mod 26 = b(n + 11)) Then
MsgBox ("注册码正确")
Else
MsgBox ("注册码错误")
Exit Sub
End If
Next n
End Sub
继续改进写了个穷举的程序
Option Base 1 ' arrays built with Array() start at index 1, so b(1) = h1 and D(1) = 17
Private Sub Command1_Click()
' Exhaustive enumeration: 20 nested loops over 0..25 (26^20 combinations), each
' combination tested with the same four-term check as in the validator above.
' Every hit is appended as a formatted line to Text3. The author reports on this
' page that the run did not finish.
Dim b() As Variant
Dim c() As Variant
Dim D() As Variant
D = Array(17, 5, 19, 7) ' the four fixed constants used by the check
For h1 = 0 To 25
For h2 = 0 To 25
For h3 = 0 To 25
For h4 = 0 To 25
For h5 = 0 To 25
For h6 = 0 To 25
For h7 = 0 To 25
For h8 = 0 To 25
For h9 = 0 To 25
For h10 = 0 To 25
For h11 = 0 To 25
For h12 = 0 To 25
For h13 = 0 To 25
For h14 = 0 To 25
For h15 = 0 To 25
For h16 = 0 To 25
For h17 = 0 To 25
For h18 = 0 To 25
For h19 = 0 To 25
For h20 = 0 To 25
' b(1)..b(20) hold the current letter values (0..25) for the 20 positions.
b = Array(h1, h2, h3, h4, h5, h6, h7, h8, h9, h10, h11, h12, h13, h14, h15, h16, h17, h18, h19, h20)
'c = Array(h1, h2, h3, h4, h5, h6, h7, h8, h9, h10, h11, h12, h13, h14, h15, h16)
' Note: the Then branch runs for every n that passes, so a line is appended to
' Text3 before the remaining sums have been checked; "Exit For" on a mismatch
' leaves only this inner n loop, and the enumeration continues.
For n = 1 To 4
'e = c(n) + D(n) + c(n + 4) + c(n + 12) + c(n + 8)
e = b(n) + D(n) + b(n + 4) + b(n + 12) + b(n + 8)
If (e Mod 26 = b(n + 11)) Then
' Rebuild the XXXX-XXXX-XXXX-XXXX-XXXX string from the letter values (Chr$(65 + v)).
zcm = Chr$(65 + b(1)) & Chr$(65 + b(2)) & Chr$(65 + b(3)) & Chr$(65 + b(4)) & "-" & Chr$(65 + b(5)) & Chr$(65 + b(6)) & Chr$(65 + b(7)) & Chr$(65 + b(8)) & "-" & Chr$(65 + b(9)) & Chr$(65 + b(10)) & Chr$(65 + b(11)) & Chr$(65 + b(12)) & "-" & Chr$(65 + b(13)) & Chr$(65 + b(14)) & Chr$(65 + b(15)) & Chr$(65 + b(16)) & "-" & Chr$(65 + b(17)) & Chr$(65 + b(18)) & Chr$(65 + b(19)) & Chr$(65 + b(20))
Text3.Text = Text3.Text & zcm & Chr$(13) & Chr$(10)
'Exit Sub
Else
Exit For
End If
Next n
Next h20
Next h19
Next h18
Next h17
Next h16
Next h15
Next h14
Next h13
Next h12
Next h11
Next h10
Next h9
Next h8
Next h7
Next h6
Next h5
Next h4
Next h3
Next h2
Next h1
End Sub
电脑慢,跑了半天没出结果,谁有兴趣可以试试,最好改进下算法,降低点CPU,不然你就干不了别的事了o(∩_∩)o...
------------------------------------------------------------------------
【版权声明】来自于BBS.THULU.COM 转载请注明作者并保持文章的完整, 谢谢!