作者: cyclotron
【软件名称】:WindowBlinds V3.5 Enhanced
【破解过程】:下断点GetWindowTextA,来到下面的地方:(以下代码使用Softice抓取的,W32Dasm似乎对Wload.exe反汇编无效)
【第一部分】:追踪用户名无关注册码!
代码:——————————————————————————–
017F:0040ED69 MOV EBX,0040A660
017F:0040ED6E LEA ECX,[EBP-4C]
017F:0040ED71 PUSH EBX
017F:0040ED72 CALL 00428F0E
017F:0040ED77 PUSH 0040A658
017F:0040ED7C LEA ECX,[EBP-4C]
017F:0040ED7F CALL 00428F0E
017F:0040ED84 PUSH DWORD PTR [ESI+5C]
017F:0040ED87 LEA ECX,[EBP-4C]
017F:0040ED8A CALL 00428F0E
017F:0040ED8F PUSH EBX
017F:0040ED90 LEA ECX,[EBP-4C]
017F:0040ED93 CALL 00428F0E
017F:0040ED98 LEA ECX,[EBP-4C]
017F:0040ED9B CALL 004290CB
017F:0040EDA0 PUSH 0040A64C
/* 黑名单wb-g1de774入栈 */
017F:0040EDA5 PUSH DWORD PTR [EDI]
/* 试炼码入栈 */
017F:0040EDA7 CALL 00417870
017F:0040EDAC POP ECX
017F:0040EDAD TEST EAX,EAX
017F:0040EDAF POP ECX
017F:0040EDB0 JNZ 0040EDD3
017F:0040EDB2 PUSH 10
017F:0040EDB4 PUSH 0040A634
017F:0040EDB9 PUSH 0040A5C0
017F:0040EDBE PUSH 0040A5B8
017F:0040EDC3 PUSH 0040A5B0
017F:0040EDC8 CALL 0040F4A2
017F:0040EDCD PUSH EAX
017F:0040EDCE JMP 0040F190
017F:0040EDD3 LEA EAX,[EBP-18]
017F:0040EDD6 PUSH 03
017F:0040EDD8 PUSH EAX
017F:0040EDD9 MOV ECX,EDI
017F:0040EDDB CALL 00423811
017F:0040EDE0 PUSH 0040A5AC
017F:0040EDE5 PUSH DWORD PTR [EAX]
017F:0040EDE7 CALL 00417870
/* 比较序列号前三位是否为WB- */
017F:0040EDEC POP ECX
017F:0040EDED POP ECX
017F:0040EDEE TEST EAX,EAX
017F:0040EDF0 LEA ECX,[EBP-18]
017F:0040EDF3 SETNZ BL
017F:0040EDF6 CALL 00428901
017F:0040EDFB TEST BL,BL
017F:0040EDFD JZ 0040EE4C
/* 比较结果一致就跳,目的地是用户名相关注册码的验证部分(见第二部分),但经我尝试,这里假如不跳,只要下面的关键call返回值为1,也能注册成功 */
017F:0040EDFF PUSH ECX
017F:0040EE00 MOV ECX,ESP
017F:0040EE02 MOV [EBP-1C],ESP
017F:0040EE05 PUSH EDI
017F:0040EE06 CALL 00428676
017F:0040EE0B CALL 00410E1C
/* 关键call,追入 */
017F:0040EE10 TEST EAX,EAX
017F:0040EE12 JZ 0040EDB2
/* 关键跳转 */
017F:0040EE14 MOV EAX,0040A5A4
017F:0040EE19 PUSH 40
017F:0040EE1B PUSH EAX
017F:0040EE1C PUSH 0040A56C
017F:0040EE21 PUSH EAX
017F:0040EE22 PUSH 0040A5B0
017F:0040EE27 CALL 0040F4A2
017F:0040EE2C PUSH EAX
017F:0040EE2D MOV ECX,ESI
017F:0040EE2F CALL 00425ECA
017F:0040EE34 PUSH 40
017F:0040EE36 PUSH 0040A54C
017F:0040EE3B PUSH 0040A4C4
017F:0040EE40 MOV ECX,ESI
017F:0040EE42 CALL 00425ECA
017F:0040EE47 JMP 0040F1D5
017F:0040EE4C LEA EAX,[EBP-014C]
017F:0040EE52 PUSH 0040A4C0
017F:0040EE57 PUSH EAX
017F:0040EE58 CALL 00417690
017F:0040EE5D PUSH DWORD PTR [ESI+5C]
017F:0040EE60 LEA EAX,[EBP-014C]
017F:0040EE66 PUSH EAX
017F:0040EE67 CALL 004176A0
**********************************************************
关键CALL 00410E1C:
/* Check routine for the name-independent ("general") code.
   Input: one string argument at [EBP+08] (the trial code; the caller has
   already compared its first three characters against "WB-").
   Output: EAX = 1 if the code passes, 0 otherwise.  ESI carries the verdict
   to the common exit at 004110C1, so every failure path zeroes ESI.
   Helper addresses are taken from the trace; what is said about them is
   inferred from their use and from the original author's notes. */
017F:00410E1C MOV EAX,0042F800
017F:00410E21 CALL 0041762C
/* Prologue: looks like the usual frame/exception-handler setup helper, then room for locals. */
017F:00410E26 SUB ESP,24
017F:00410E29 PUSH EBX
017F:00410E2A PUSH ESI
017F:00410E2B PUSH EDI
017F:00410E2C MOV EAX,[0040BE60]
017F:00410E31 XOR EDI,EDI
/* EDI = 0; it is not touched again until the first digit loop uses it as an accumulator. */
017F:00410E33 MOV [EBP-04],EDI
017F:00410E36 MOV [EBP-10],EAX
017F:00410E39 LEA EAX,[EBP+08]
017F:00410E3C LEA ECX,[EBP-10]
017F:00410E3F PUSH EAX
017F:00410E40 MOV BYTE PTR [EBP-04],01
017F:00410E44 CALL 004289EE
/* Local string at [EBP-10] = copy of the trial code. */
017F:00410E49 LEA ECX,[EBP-10]
017F:00410E4C CALL 00428D14
/* Per the trace this call lower-cases the copy, so everything below is case-insensitive. */
017F:00410E51 LEA EAX,[EBP-14]
017F:00410E54 PUSH 02
017F:00410E56 PUSH EAX
017F:00410E57 LEA ECX,[EBP-10]
017F:00410E5A CALL 00423811
/* [EBP-14] = first two characters of the code. */
017F:00410E5F PUSH 0040B030
/* Constant "wb". */
017F:00410E64 PUSH DWORD PTR [EAX]
/* The two-character prefix. */
017F:00410E66 CALL 00417870
/* String compare; EAX == 0 means equal. */
017F:00410E6B POP ECX
017F:00410E6C CMP EAX,EDI
017F:00410E6E POP ECX
017F:00410E6F LEA ECX,[EBP-14]
017F:00410E72 SETNZ BL
/* BL = 1 when the prefix differs (EDI is still 0 here). */
017F:00410E75 CALL 00428901
/* Release the temporary string. */
017F:00410E7A TEST BL,BL
017F:00410E7C JZ 00410E85
/* Prefix is "wb": carry on.  Otherwise fail (ESI = 0) via the common exit. */
017F:00410E7E XOR ESI,ESI
017F:00410E80 JMP 004110C1
017F:00410E85 PUSH 02
017F:00410E87 LEA EAX,[EBP-14]
017F:00410E8A PUSH 02
017F:00410E8C PUSH EAX
017F:00410E8D LEA ECX,[EBP-10]
017F:00410E90 CALL 004236FF
/* Substring (offset 2, length 2): the '-' and the 4th character of the code. */
017F:00410E95 PUSH DWORD PTR [EAX]
017F:00410E97 CALL 0041797F
/* Converts that substring to an integer; result in EAX. */
017F:00410E9C POP ECX
017F:00410E9D MOV [EBP-2C],EAX
/* [EBP-2C]: offset applied to all four segment values at 00411015.  The
   original trace reports it as -i when the 4th character is the digit i and
   0 when it is not a digit, which is what a string-to-int conversion of
   "-i" would give; not independently confirmed here. */
017F:00410EA0 LEA ECX,[EBP-14]
017F:00410EA3 CALL 00428901
017F:00410EA8 MOV EAX,[0040BE60]
017F:00410EAD MOV [EBP-24],EAX
017F:00410EB0 MOV [EBP-20],EAX
017F:00410EB3 MOV [EBP-1C],EAX
017F:00410EB6 MOV [EBP-18],EAX
/* Four empty strings, one per code segment. */
017F:00410EB9 PUSH 04
017F:00410EBB LEA EAX,[EBP-14]
017F:00410EBE POP ESI
/* ESI = 4 = segment length for the four substring calls below. */
017F:00410EBF LEA ECX,[EBP-10]
017F:00410EC2 PUSH ESI
017F:00410EC3 PUSH 05
017F:00410EC5 PUSH EAX
017F:00410EC6 MOV BYTE PTR [EBP-04],05
017F:00410ECA CALL 004236FF
/* Substring (offset 5, length 4) = characters 6-9 of the code; address of the result in EAX. */
017F:00410ECF PUSH EAX
017F:00410ED0 LEA ECX,[EBP-24]
017F:00410ED3 MOV BYTE PTR [EBP-04],06
017F:00410ED7 CALL 004289EE
/* [EBP-24] = segment 1 (characters 6-9). */
017F:00410EDC LEA ECX,[EBP-14]
017F:00410EDF MOV BYTE PTR [EBP-04],05
017F:00410EE3 CALL 00428901
017F:00410EE8 PUSH ESI
017F:00410EE9 LEA EAX,[EBP-14]
017F:00410EEC PUSH 0A
017F:00410EEE PUSH EAX
017F:00410EEF LEA ECX,[EBP-10]
017F:00410EF2 CALL 004236FF
/* Substring (offset 10, length 4) = characters 11-14, if present. */
017F:00410EF7 PUSH EAX
017F:00410EF8 LEA ECX,[EBP-20]
017F:00410EFB MOV BYTE PTR [EBP-04],07
017F:00410EFF CALL 004289EE
/* [EBP-20] = segment 2 (characters 11-14). */
017F:00410F04 LEA ECX,[EBP-14]
017F:00410F07 MOV BYTE PTR [EBP-04],05
017F:00410F0B CALL 00428901
017F:00410F10 PUSH ESI
017F:00410F11 LEA EAX,[EBP-14]
017F:00410F14 PUSH 0F
017F:00410F16 PUSH EAX
017F:00410F17 LEA ECX,[EBP-10]
017F:00410F1A CALL 004236FF
/* Substring (offset 15, length 4) = characters 16-19, if present. */
017F:00410F1F PUSH EAX
017F:00410F20 LEA ECX,[EBP-1C]
017F:00410F23 MOV BYTE PTR [EBP-04],08
017F:00410F27 CALL 004289EE
/* [EBP-1C] = segment 3 (characters 16-19). */
017F:00410F2C LEA ECX,[EBP-14]
017F:00410F2F MOV BYTE PTR [EBP-04],05
017F:00410F33 CALL 00428901
017F:00410F38 PUSH ESI
017F:00410F39 LEA EAX,[EBP-28]
017F:00410F3C PUSH 14
017F:00410F3E PUSH EAX
017F:00410F3F LEA ECX,[EBP-10]
017F:00410F42 CALL 004236FF
/* Substring (offset 0x14 = 20, length 4) = characters 21-24, if present
   (the original note said 16-19 here; that was a copy of the previous comment). */
017F:00410F47 PUSH EAX
017F:00410F48 LEA ECX,[EBP-18]
017F:00410F4B MOV BYTE PTR [EBP-04],09
017F:00410F4F CALL 004289EE
/* [EBP-18] = segment 4 (characters 21-24). */
017F:00410F54 LEA ECX,[EBP-28]
017F:00410F57 MOV BYTE PTR [EBP-04],05
017F:00410F5B CALL 00428901
017F:00410F60 MOV EAX,[0040BE60]
017F:00410F65 MOV [EBP-30],EAX
017F:00410F68 MOV EDX,[EBP-24]
/* EDX -> segment 1 characters; the length sits 8 bytes before the data ([EDX-08]). */
017F:00410F6B XOR ESI,ESI
/* ESI = character index. */
017F:00410F6D MOV EAX,[EDX-08]
017F:00410F70 TEST EAX,EAX
017F:00410F72 JLE 00410F8E
/* Empty segment: skip the loop, num1 (EDI) stays 0. */
017F:00410F74 MOVSX ECX,BYTE PTR [EDX+ESI]
/* Next character, sign-extended. */
017F:00410F78 SUB ECX,30
/* '0'-'9' -> 0-9 ... */
017F:00410F7B CMP ECX,09
017F:00410F7E JLE 00410F83
017F:00410F80 SUB ECX,27
/* ... anything above '9' is shifted by a further 0x27, so 'a' -> 10 (no upper bound: 'z' -> 35). */
017F:00410F83 LEA EDI,[EDI*8+EDI]
/* EDI *= 9 ... */
017F:00410F86 INC ESI
017F:00410F87 CMP ESI,EAX
/* Index vs. length; the LEA below does not disturb the flags. */
017F:00410F89 LEA EDI,[EDI*2+ECX]
/* ... EDI = EDI*2 + digit, i.e. num1 = num1*18 + digit per character. */
017F:00410F8C JL 00410F74
/* Loop over the whole segment.  num1 is left in EDI. */
017F:00410F8E MOV EDX,[EBP-20]
/* EDX -> segment 2 characters (11-14). */
017F:00410F91 XOR ESI,ESI
017F:00410F93 XOR ECX,ECX
017F:00410F95 MOV [EBP-14],ESI
017F:00410F98 MOV EBX,[EDX-08]
017F:00410F9B TEST EBX,EBX
017F:00410F9D JLE 00410FC1
/* Empty segment: skip, [EBP-14] (num2) stays 0. */
017F:00410F9F JMP 00410FA4
017F:00410FA1 MOV ESI,[EBP-14]
017F:00410FA4 MOVSX EAX,BYTE PTR [EDX+ECX]
017F:00410FA8 SUB EAX,30
017F:00410FAB CMP EAX,09
017F:00410FAE JLE 00410FB3
017F:00410FB0 SUB EAX,27
017F:00410FB3 LEA ESI,[ESI*8+ESI]
017F:00410FB6 INC ECX
017F:00410FB7 CMP ECX,EBX
017F:00410FB9 LEA EAX,[ESI*2+EAX]
017F:00410FBC MOV [EBP-14],EAX
017F:00410FBF JL 00410FA1
/* Same base-18 fold over segment 2; the running value lives in [EBP-14] (num2). */
017F:00410FC1 MOV EDX,[EBP-1C]
/* EDX -> segment 3 characters (16-19). */
017F:00410FC4 XOR ESI,ESI
017F:00410FC6 XOR ECX,ECX
017F:00410FC8 MOV EBX,[EDX-08]
017F:00410FCB TEST EBX,EBX
017F:00410FCD JLE 00410FE9
/* Empty segment: skip, ESI (num3) stays 0. */
017F:00410FCF MOVSX EAX,BYTE PTR [EDX+ECX]
017F:00410FD3 SUB EAX,30
017F:00410FD6 CMP EAX,09
017F:00410FD9 JLE 00410FDE
017F:00410FDB SUB EAX,27
017F:00410FDE LEA ESI,[ESI*8+ESI]
017F:00410FE1 INC ECX
017F:00410FE2 CMP ECX,EBX
017F:00410FE4 LEA ESI,[ESI*2+EAX]
017F:00410FE7 JL 00410FCF
/* Same fold over segment 3; the result is in ESI (num3) -- not [EBP-14] as the original note said. */
017F:00410FE9 MOV EBX,[EBP-18]
/* EBX -> segment 4 characters (21-24). */
017F:00410FEC XOR EDX,EDX
017F:00410FEE XOR ECX,ECX
017F:00410FF0 CMP [EBX-08],EDX
017F:00410FF3 JLE 00411010
/* Empty segment: skip, ECX (num4) stays 0. */
017F:00410FF5 MOVSX EAX,BYTE PTR [EBX+EDX]
017F:00410FF9 SUB EAX,30
017F:00410FFC CMP EAX,09
017F:00410FFF JLE 00411004
017F:00411001 SUB EAX,27
017F:00411004 LEA ECX,[ECX*8+ECX]
017F:00411007 INC EDX
017F:00411008 CMP EDX,[EBX-08]
017F:0041100B LEA ECX,[ECX*2+EAX]
017F:0041100E JL 00410FF5
/* Same fold over segment 4; the result is in ECX (num4). */
017F:00411010 MOV EAX,[EBP-2C]
/* The offset derived from the 4th character. */
017F:00411013 PUSH 03
017F:00411015 SUB [EBP-14],EAX
017F:00411018 SUB EDI,EAX
017F:0041101A SUB ESI,EAX
017F:0041101C SUB ECX,EAX
/* Subtract it from all four: num2 = [EBP-14], num1 = EDI, num3 = ESI, num4 = ECX. */
017F:0041101E MOV EAX,EDI
017F:00411020 POP EBX
/* EBX = 3 */
017F:00411021 CDQ
017F:00411022 IDIV EBX
017F:00411024 TEST EDX,EDX
/* Remainder zero? */
017F:00411026 JZ 0041102C
/* num1 % 3 == 0 required ... */
017F:00411028 XOR ESI,ESI
017F:0041102A JMP 00411085
/* ... otherwise: shared failure exit, ESI = 0 becomes the return value. */
017F:0041102C MOV EAX,[EBP-14]
017F:0041102F PUSH 02
017F:00411031 CDQ
017F:00411032 POP EBX
/* EBX = 2 */
017F:00411033 IDIV EBX
017F:00411035 TEST EDX,EDX
017F:00411037 JNZ 00411028
/* num2 % 2 == 0 required. */
017F:00411039 MOV EAX,ESI
017F:0041103B PUSH 06
017F:0041103D CDQ
017F:0041103E POP EBX
/* EBX = 6 */
017F:0041103F IDIV EBX
017F:00411041 TEST EDX,EDX
017F:00411043 JNZ 00411028
/* num3 % 6 == 0 required. */
017F:00411045 MOV EAX,ECX
017F:00411047 PUSH 04
017F:00411049 CDQ
017F:0041104A POP EBX
/* EBX = 4 */
017F:0041104B IDIV EBX
017F:0041104D TEST EDX,EDX
017F:0041104F JNZ 00411028
/* num4 % 4 == 0 required. */
017F:00411051 MOV EDX,[EBP-14]
017F:00411054 LEA EAX,[EDI+ESI]
/* EAX = num1 + num3 */
017F:00411057 ADD ESI,EDX
/* ESI = num3 + num2 */
017F:00411059 PUSH 06
017F:0041105B LEA EBX,[EDX+ECX]
/* EBX = num2 + num4 */
017F:0041105E MOV [EBP-2C],ESI
017F:00411061 XOR EDX,EDX
017F:00411063 POP ESI
017F:00411064 DIV ESI
/* Note: DIV, not IDIV -- the two sum checks are unsigned, so a negative sum
   would be divided as a large unsigned value. */
017F:00411066 ADD ECX,EDI
/* ECX = num4 + num1 */
017F:00411068 TEST EDX,EDX
017F:0041106A JNZ 00411028
/* (num1 + num3) % 6 == 0 required. */
017F:0041106C PUSH 03
017F:0041106E MOV EAX,EBX
017F:00411070 POP ESI
017F:00411071 DIV ESI
017F:00411073 TEST EDX,EDX
017F:00411075 JNZ 00411028
/* (num2 + num4) % 3 == 0 required. */
017F:00411077 TEST BYTE PTR [EBP-2C],01
017F:0041107B JNZ 00411028
/* num3 + num2 must be even. */
017F:0041107D TEST CL,01
/* num4 + num1 must be even. */
017F:00411080 JNZ 00411028
017F:00411082 PUSH 01
017F:00411084 POP ESI
/* All checks passed: ESI = 1, which becomes the return value below. */
017F:00411085 LEA ECX,[EBP-30]
017F:00411088 MOV BYTE PTR [EBP-04],05
017F:0041108C CALL 00428901
017F:00411091 LEA ECX,[EBP-18]
017F:00411094 MOV BYTE PTR [EBP-04],04
017F:00411098 CALL 00428901
017F:0041109D LEA ECX,[EBP-1C]
017F:004110A0 MOV BYTE PTR [EBP-04],03
017F:004110A4 CALL 00428901
017F:004110A9 LEA ECX,[EBP-20]
017F:004110AC MOV BYTE PTR [EBP-04],02
017F:004110B0 CALL 00428901
017F:004110B5 LEA ECX,[EBP-24]
017F:004110B8 MOV BYTE PTR [EBP-04],01
017F:004110BC CALL 00428901
/* Release the segment strings (the state byte at [EBP-04] is stepped down each time). */
017F:004110C1 AND BYTE PTR [EBP-04],00
017F:004110C5 LEA ECX,[EBP-10]
017F:004110C8 CALL 00428901
017F:004110CD OR DWORD PTR [EBP-04],-01
017F:004110D1 LEA ECX,[EBP+08]
017F:004110D4 CALL 00428901
/* Common exit: release the local copy and the argument string. */
017F:004110D9 MOV ECX,[EBP-0C]
017F:004110DC MOV EAX,ESI
/* Return value = ESI (1 = valid, 0 = invalid). */
017F:004110DE POP EDI
017F:004110DF POP ESI
017F:004110E0 POP EBX
017F:004110E1 MOV FS:[00000000],ECX
/* Restore FS:[0] (the exception-handler chain head) from the value saved by the prologue. */
017F:004110E8 LEAVE
017F:004110E9 RET 0004
以上运算过程与用户名无关,因而是通用注册码。
******************************************************************
【整 理】:
General Regcode:
wb-677knun5hveu569uks3my
wb-6fkefuyoiv60qmp6ivsbc
wb-7yjb35yyzi13h28nyer3r
wb-2lkr64f6bfugrvv433qt8
wb-5fa6m7pg7zzipm179pu8r
wb-7y3c8znz87lym0zhwq9h7
【Turbo C 注册机】:
#include "ctype.h"
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "time.h"
/*
 * Fold a 4-character segment of the code into the integer the target's check
 * routine (00410E1C) computes for it: each character is decoded as
 * '0'-'9' -> 0-9, 'a'-'z' -> 10-35 and accumulated as value = value*18 + digit
 * (the target does LEA edi,[edi*8+edi] ; LEA edi,[edi*2+ecx]), after which
 * `extra` is added.
 *
 * start: first character of the segment.  Exactly 4 characters are read; no
 *        bounds or NUL check is performed (as in the original).
 * extra: the caller passes the 4th character of the code itself, i.e. its
 *        ASCII code rather than its digit value.  NOTE(review): the trace
 *        suggests the target subtracts the negated digit value (adds i, not
 *        '0'+i); the 48-unit difference is a multiple of every modulus the
 *        target checks (2, 3, 4, 6), so the generated codes still verify.
 * Returns the folded value plus `extra`.
 */
long calnum(char *start,char extra)
{
    long acc = 0;
    int k;
    for (k = 0; k < 4; k++) {
        /* Kept as char to match the original's intermediate type exactly. */
        char digit = isdigit(start[k]) ? (char)(start[k] - '0') : (char)(start[k] - 0x57);
        acc = acc * 18 + digit;
    }
    return acc + extra;
}
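/*
 * Entry point of the name-independent keygen.
 *
 * Generates random candidate bodies for a code of the form "wb-" + 21
 * characters until the four 4-character segments (positions 6-9, 11-14,
 * 16-19 and 21-24 of the full code) satisfy the divisibility rules the
 * target's check routine at 00410E1C enforces:
 *   num1 % 3 == 0, num2 % 2 == 0, num3 % 6 == 0, num4 % 4 == 0,
 *   (num1 + num3) % 6 == 0, (num2 + num4) % 3 == 0,
 *   (num3 + num2) and (num4 + num1) both even.
 * The registration name is prompted for but, as the trace shows, it does
 * not enter the computation.
 *
 * Changes from the original listing: gets() (removed in C11, unbounded
 * write, strlen(NULL) on EOF) is replaced by a bounded fgets(); the
 * Borland-only randomize()/random() are replaced by srand()/rand(); the
 * final parity test is written as two separate "is odd" tests instead of
 * `(a)&(b)&1`, which only rejected when BOTH sums were odd while the target
 * rejects if either is.
 */
int main(void)
{
    long num[4];
    char regcode[22];
    char regname[30];

    printf("\t*************************************************\n");
    printf("\n\t\tKeyGen for WindowBlinds V3.5 Enhanced\n\t\t\tProduced by cyclotron\n");
    printf("\n\t*************************************************\n");

    /* Prompt until a non-empty name is entered; give up cleanly on EOF. */
    for (;;) {
        printf("\n\tPlease input your Regname:");
        if (fgets(regname, sizeof regname, stdin) == NULL) {
            return 1;
        }
        regname[strcspn(regname, "\r\n")] = '\0';
        if (regname[0] != '\0') {
            break;
        }
    }

    srand((unsigned)time(NULL));
    regcode[21] = '\0';
    do {
        int i;
        /* 4th character of the full code: a decimal digit, since the target
         * derives the per-segment offset from it (see [EBP-2C] in the trace). */
        regcode[0] = (char)('0' + rand() % 10);
        /* Remaining characters: digits or lowercase letters only, matching the
         * target's digit decoding ('0'-'9' -> 0-9, 'a'-'z' -> 10-35). */
        for (i = 1; i < 21; i++) {
            int c;
            do {
                c = '0' + rand() % 0x50;
            } while (!isdigit(c) && !islower(c));
            regcode[i] = (char)c;
        }
        for (i = 0; i < 4; i++) {
            num[i] = calnum(regcode + 2 + i * 5, regcode[0]);
        }
    } while (num[0] % 3 || num[1] % 2 || num[2] % 6 || num[3] % 4
             || (num[0] + num[2]) % 6 || (num[1] + num[3]) % 3
             || ((num[2] + num[1]) & 1) || ((num[3] + num[0]) & 1));

    printf("\n\tYour Regcode is:\twb-%s\n\n\tThank you for your use!", regcode);
    getchar();
    return 0;
}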
________________________________________________________
【第二部分】:追踪用户名相关注册码!
017F:0040EE4C LEA EAX,[EBP-014C]
017F:0040EE52 PUSH 0040A4C0
/* 字符WB入栈 */
017F:0040EE57 PUSH EAX
/* 存放WB的空地址入栈 */
017F:0040EE58 CALL 00417690
017F:0040EE5D PUSH DWORD PTR [ESI+5C]
/* 用户名地址入栈 */
017F:0040EE60 LEA EAX,[EBP-014C]
/* 这还是前面用于存放"WB"的地址 */
017F:0040EE66 PUSH EAX
/* 地址入栈 */
017F:0040EE67 CALL 004176A0
/* 这个call把WB和用户名连接起来 */
017F:0040EE6C MOV EAX,[ESI+5C]
/* 用户名的地址 */
017F:0040EE6F XOR EBX,EBX
017F:0040EE71 ADD ESP,10
017F:0040EE74 MOV [EBP-28],EBX
017F:0040EE77 CMP [EAX-08],EBX
/* 用户名长度是否为零? */
017F:0040EE7A JLE 0040EF1A
017F:0040EE80 LEA EAX,[EBP-014C]
/* 字串“WBcyclotron”的地址 */
017F:0040EE86 MOV DWORD PTR [EBP-10],00000001
017F:0040EE8D SUB [EBP-10],EAX
017F:0040EE90 FLD REAL8 PTR [EBP-30]
/* 8字节浮点数送st(0) */
1). 80114111.103114
2). 81527323.91804
……
017F:0040EE93 CALL 00416EF4
/* 取整送eax */
1). 80114111即0x4C671BF
2). 81527323即0x4DC021B
……
017F:0040EE98 PUSH EAX
017F:0040EE99 CALL 0041785B
017F:0040EE9E MOV [EBP-18],EAX
/* 该整数送局部变量(ebp-18) */
017F:0040EEA1 MOV EAX,[ESI+5C]
/* eax取得用户名地址 */
017F:0040EEA4 MOVZX EDX,BYTE PTR [EBX+EBP-014C]
/* 依次取"WBcyclotron"的每一位 */
017F:0040EEAC FILD DWORD PTR [EBP-18]
/* (ebp-18)装入st(0) */
1). st(0)=80114111
2). st(0)=81527323
……
017F:0040EEAF POP ECX
017F:0040EEB0 MOV [EBP-18],EDX
017F:0040EEB3 MOV ECX,[EAX-08]
/* ecx取得用户名长度 */
017F:0040EEB6 LEA EAX,[EBX+EBP-014C]
017F:0040EEBD MOV EDX,[EBP-10]
017F:0040EEC0 MOV [EBP-1C],ECX
017F:0040EEC3 ADD EDX,EAX
1). edx=1
2). edx=2
……
017F:0040EEC5 MOV EAX,[EBP-18]
017F:0040EEC8 MOV [EBP-2C],EDX
017F:0040EECB CDQ
017F:0040EECC FILD DWORD PTR [EBP-2C]
1). (ebp-2C)=1
2). (ebp-2C)=2
……
017F:0040EECF IDIV ECX
017F:0040EED1 FMUL REAL8 PTR [00401E68]
/* st(0)=st(0)*2.12 */
017F:0040EED7 FISUB DWORD PTR [EBP-28]
1). (ebp-28)=0
2). (ebp-28)=1
……
017F:0040EEDA MOV ECX,000000FF
/* ecx=0xFF */
017F:0040EEDF MOVZX EAX,BYTE PTR [EDX+EBP-014C]
/* 根据余数取得"WBcyclotron"中的字符 */
1). eax=0x6F
2). eax=0x79
……
017F:0040EEE7 IMUL EAX,EBX
/* eax=eax*ebx */
017F:0040EEEA MOV [EBP-2C],EAX
/* 乘积送(ebp-2C) */
017F:0040EEED MOV EAX,[EBP-18]
/* eax取得刚才字符的ASCII值 */
017F:0040EEF0 CDQ
017F:0040EEF1 FILD DWORD PTR [EBP-2C]
/* st(0)=(ebp-2C) */
017F:0040EEF4 IDIV ECX
017F:0040EEF6 FMULP ST(1),ST
/* st(1)=st(1)*st(0) */
017F:0040EEF8 INC EBX
/* ebx++ */
017F:0040EEF9 CMP EBX,[EBP-1C]
/* 是否取完用户名 */
017F:0040EEFC MOV [EBP-28],EBX
/* (ebp-28)=ebx */
017F:0040EEFF MOV [EBP-2C],EAX
/* (ebp-2C)=eax */
017F:0040EF02 FILD DWORD PTR [EBP-2C]
/* st(0)=(ebp-2C) */
017F:0040EF05 FADDP ST(1),ST
/* st(1)=st(1)+st(0)并出栈 */
017F:0040EF07 FADD REAL8 PTR [00401E60]
/* st(0)=st(0)+1.01764 */
017F:0040EF0D FMUL ST,ST(1)
/* st(0)=st(1)*st(0) */
017F:0040EF0F FSTP REAL8 PTR [EBP-30]
/* st(0)送(ebp-30)并出栈 */
017F:0040EF12 FSTP ST(0)
/* st(0)出栈 */
017F:0040EF14 JL 0040EE90
/* 未取完则返回 */
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
以上运算用TC2.0实现:
#include "string.h"
#include "math.h"
/*
 * Reproduce the target's FPU loop at 0040EE90-0040EF14 that folds the
 * registration name into a double.
 *
 * regname: the user name (NUL-terminated).
 * link:    caller-provided buffer whose first two bytes already hold "WB";
 *          regname is copied in after them, so it must hold
 *          strlen(regname) + 3 bytes.  The concatenation "WB<name>" is what
 *          the loop indexes.
 *
 * For i in [0, strlen(regname)):
 *   time = |(link[link[i] % length] * i * (2.12*(i+1) - i) + 1.01764) * (long)time|
 * with the seed 80114111.103114 from [EBP-30] and the constants 2.12 /
 * 1.01764 read at 00401E68 / 00401E60.
 *
 * NOTE(review): `time` grows by roughly 100*i*i per step, so (long)time
 * leaves the range of long after a few characters; that conversion is
 * undefined in C and the result for longer names depends on what the
 * compiler/CPU actually produce (32-bit x86 _ftol yields 0x80000000).  It
 * evidently matched the target under TC 2.0 but is not portable.  The index
 * link[i] % length also assumes link[i] is non-negative (plain ASCII).
 */
double floatize(char *regname,char *link)
{
    double time = 80114111.103114;
    int length = strlen(regname);
    int i;

    strcpy(link + 2, regname);
    for (i = 0; i < length; i++) {
        double factor = link[link[i] % length] * i * (2.12 * (i + 1) - i) + 1.01764;
        time = fabs(factor * (long)time);
    }
    return time;
}
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
017F:0040EF1A FLD REAL8 PTR [EBP-30]
017F:0040EF1D CALL 00416EF4
017F:0040EF22 PUSH EAX
017F:0040EF23 CALL 0041785B
017F:0040EF28 MOV [EBP-1C],EAX
017F:0040EF2B MOV EAX,[ESI+5C]
017F:0040EF2E FILD DWORD PTR [EBP-1C]
017F:0040EF31 MOV EAX,[EAX-08]
/* 取得用户名长度 */
017F:0040EF34 POP ECX
017F:0040EF35 CMP EAX,08
017F:0040EF38 JGE 0040EF3E
017F:0040EF3A MOV AL,0E
/* 用户名长度小于8,则al=0xE */
017F:0040EF3C JMP 0040EF49
017F:0040EF3E CMP EAX,1F
/* 用户名长度大于等于8且小于0x1F的,al=strlen(regname)+0x6 */
017F:0040EF41 JGE 0040EF47
017F:0040EF43 ADD AL,06
017F:0040EF45 JMP 0040EF49
017F:0040EF47 MOV AL,17
/* 用户名长度大于等于0x1F的,al=0x17 */
017F:0040EF49 MOVZX EAX,AL
017F:0040EF4C PUSH EAX
017F:0040EF4D LEA EAX,[EBP-014C]
017F:0040EF53 PUSH EAX
017F:0040EF54 CALL 00416EF4
017F:0040EF59 PUSH EAX
017F:0040EF5A CALL 00422A30
/* 关键call,进入(设al的值为divisor) */
017F:0040EF5F ADD ESP,0C
017F:0040EF62 LEA ECX,[EBP-14]
017F:0040EF65 PUSH 0040A5AC
017F:0040EF6A CALL 00428A3E
017F:0040EF6F MOV EAX,[0040BE60]
017F:0040EF74 LEA ECX,[EBP-10]
017F:0040EF77 MOV [EBP-10],EAX
017F:0040EF7A LEA EAX,[EBP-014C]
017F:0040EF80 PUSH EAX
017F:0040EF81 CALL 00428A3E
017F:0040EF86 LEA EAX,[EBP-10]
017F:0040EF89 LEA ECX,[EBP-14]
017F:0040EF8C PUSH EAX
017F:0040EF8D MOV BYTE PTR [EBP-04],03
017F:0040EF91 CALL 00428C18
/* *eax指向1.x版的注册码 */
017F:0040EF96 LEA ECX,[EBP-10]
017F:0040EF99 MOV BYTE PTR [EBP-04],02
017F:0040EF9D CALL 00428901
017F:0040EFA2 CMP BYTE PTR [EBP-014C],77
017F:0040EFA9 JNZ 0040EFB2
017F:0040EFAB MOV BYTE PTR [EBP-014C],57
017F:0040EFB2 CMP BYTE PTR [EBP-014B],62
017F:0040EFB9 JNZ 0040EFC2
017F:0040EFBB MOV BYTE PTR [EBP-014B],42
017F:0040EFC2 PUSH DWORD PTR [EBP-14]
017F:0040EFC5 PUSH DWORD PTR [EDI]
017F:0040EFC7 CALL 00417870
017F:0040EFCC XOR EBX,EBX
017F:0040EFCE POP ECX
017F:0040EFCF CMP EAX,EBX
017F:0040EFD1 POP ECX
017F:0040EFD2 JNZ 0040F016
/* 比较是否为1.x版的注册码 */
017F:0040EFD4 PUSH 0040A4AC
017F:0040EFD9 PUSH DWORD PTR [ESI+5C]
017F:0040EFDC CALL 00417870
017F:0040EFE1 POP ECX
017F:0040EFE2 CMP EAX,EBX
017F:0040EFE4 POP ECX
017F:0040EFE5 JZ 0040F016
017F:0040EFE7 PUSH EBX
017F:0040EFE8 LEA ECX,[EBP-01A8]
017F:0040EFEE CALL 0040E74F
017F:0040EFF3 LEA ECX,[EBP-01A8]
017F:0040EFF9 MOV BYTE PTR [EBP-04],05
017F:0040EFFD CALL 0042828A
017F:0040F002 LEA ECX,[EBP-01A8]
017F:0040F008 MOV BYTE PTR [EBP-04],02
017F:0040F00C CALL 00427EC0
017F:0040F011 JMP 0040F2A7
017F:0040F016 FLD REAL8 PTR [00401E58]
017F:0040F01C LEA EAX,[EBP-02A8]
017F:0040F022 PUSH 0040A4C0
017F:0040F027 FSTP REAL8 PTR [EBP-20]
/* 4111.103114送st(0),下面部分的计算和前面的完全一样 */
017F:0040F02A PUSH EAX
017F:0040F02B CALL 00417690
017F:0040F030 PUSH DWORD PTR [ESI+5C]
017F:0040F033 LEA EAX,[EBP-02A8]
017F:0040F039 PUSH EAX
017F:0040F03A CALL 004176A0
017F:0040F03F MOV EAX,[ESI+5C]
017F:0040F042 ADD ESP,10
017F:0040F045 MOV [EBP-28],EBX
017F:0040F048 CMP DWORD PTR [EAX-08],00
017F:0040F04C JLE 0040F0EC
017F:0040F052 LEA EAX,[EBP-02A8]
017F:0040F058 MOV DWORD PTR [EBP-10],00000001
017F:0040F05F SUB [EBP-10],EAX
017F:0040F062 FLD REAL8 PTR [EBP-20]
017F:0040F065 CALL 00416EF4
017F:0040F06A PUSH EAX
017F:0040F06B CALL 0041785B
017F:0040F070 MOV [EBP-1C],EAX
017F:0040F073 MOV EAX,[ESI+5C]
017F:0040F076 MOVZX EDX,BYTE PTR [EBX+EBP-02A8]
017F:0040F07E FILD DWORD PTR [EBP-1C]
017F:0040F081 POP ECX
017F:0040F082 MOV [EBP-18],EDX
017F:0040F085 MOV ECX,[EAX-08]
017F:0040F088 LEA EAX,[EBX+EBP-02A8]
017F:0040F08F MOV EDX,[EBP-10]
017F:0040F092 MOV [EBP-2C],ECX
017F:0040F095 ADD EDX,EAX
017F:0040F097 MOV EAX,[EBP-18]
017F:0040F09A MOV [EBP-1C],EDX
017F:0040F09D CDQ
017F:0040F09E FILD DWORD PTR [EBP-1C]
017F:0040F0A1 IDIV ECX
017F:0040F0A3 FMUL REAL8 PTR [00401E68]
/* 这里也是2.12 */
017F:0040F0A9 FISUB DWORD PTR [EBP-28]
017F:0040F0AC MOV ECX,000000D3
/* 注意这里ecx=0xD3 */
017F:0040F0B1 MOVZX EAX,BYTE PTR [EDX+EBP-02A8]
017F:0040F0B9 IMUL EAX,EBX
017F:0040F0BC MOV [EBP-1C],EAX
017F:0040F0BF MOV EAX,[EBP-18]
017F:0040F0C2 CDQ
017F:0040F0C3 FILD DWORD PTR [EBP-1C]
017F:0040F0C6 IDIV ECX
017F:0040F0C8 FMULP ST(1),ST
017F:0040F0CA INC EBX
017F:0040F0CB CMP EBX,[EBP-2C]
017F:0040F0CE MOV [EBP-28],EBX
017F:0040F0D1 MOV [EBP-1C],EAX
017F:0040F0D4 FILD DWORD PTR [EBP-1C]
017F:0040F0D7 FADDP ST(1),ST
017F:0040F0D9 FADD REAL8 PTR [00401E60]
017F:0040F0DF FMUL ST,ST(1)
017F:0040F0E1 FSTP REAL8 PTR [EBP-20]
017F:0040F0E4 FSTP ST(0)
017F:0040F0E6 JL 0040F062
017F:0040F0EC FLD REAL8 PTR [EBP-20]
017F:0040F0EF CALL 00416EF4
017F:0040F0F4 PUSH EAX
017F:0040F0F5 CALL 0041785B
017F:0040F0FA MOV [EBP-1C],EAX
017F:0040F0FD MOV EAX,[ESI+5C]
017F:0040F100 FILD DWORD PTR [EBP-1C]
017F:0040F103 MOV EAX,[EAX-08]
017F:0040F106 POP ECX
017F:0040F107 CMP EAX,08
017F:0040F10A JGE 0040F110
/* 用户名长度小于8,则al=0x10 */
017F:0040F10C MOV AL,10
017F:0040F10E JMP 0040F11B
017F:0040F110 CMP EAX,0F
017F:0040F113 JGE 0040F119
017F:0040F115 ADD AL,08
/* 用户名长度大于等于8且小于0xF的,al=strlen(regname)+0x8 */
017F:0040F117 JMP 0040F11B
017F:0040F119 MOV AL,17
/* 用户名长度大于等于0xF的,al=0x17 */
017F:0040F11B MOVZX EAX,AL
017F:0040F11E PUSH EAX
017F:0040F11F LEA EAX,[EBP-02A8]
017F:0040F125 PUSH EAX
017F:0040F126 CALL 00416EF4
017F:0040F12B PUSH EAX
017F:0040F12C CALL 00422A30
/* 这个跟前面的call一样 */
017F:0040F131 ADD ESP,0C
017F:0040F134 LEA ECX,[EBP-14]
017F:0040F137 PUSH 0040A5AC
017F:0040F13C CALL 00428A3E
017F:0040F141 MOV EAX,[0040BE60]
017F:0040F146 LEA ECX,[EBP-10]
017F:0040F149 MOV [EBP-10],EAX
017F:0040F14C LEA EAX,[EBP-02A8]
017F:0040F152 PUSH EAX
017F:0040F153 CALL 00428A3E
017F:0040F158 LEA EAX,[EBP-10]
017F:0040F15B LEA ECX,[EBP-14]
017F:0040F15E PUSH EAX
017F:0040F15F MOV BYTE PTR [EBP-04],04
017F:0040F163 CALL 00428C18
/* *eax指向真正的注册码 */
017F:0040F168 LEA ECX,[EBP-10]
017F:0040F16B MOV BYTE PTR [EBP-04],02
017F:0040F16F CALL 00428901
017F:0040F174 PUSH DWORD PTR [EBP-14]
/* 真正的注册码 */
017F:0040F177 PUSH DWORD PTR [EDI]
/* 试炼码 */
017F:0040F179 CALL 00417870
017F:0040F17E POP ECX
017F:0040F17F TEST EAX,EAX
017F:0040F181 POP ECX
017F:0040F182 JZ 0040F19C
017F:0040F184 PUSH 10
017F:0040F186 PUSH 0040A49C
017F:0040F18B PUSH 0040A3E4
**********************************************************
017F:0040EF5A CALL 00422A30 进入:
/* Wrapper around the digit emitter at 004229D4.  The argument layout is that
   of an itoa-style helper: [EBP+08] = value, [EBP+0C] = output buffer,
   [EBP+10] = radix.  The caller passes the rounded name hash, the "WB<name>"
   buffer and the length-dependent divisor (0x0E, len+6 or 0x17 in the first
   pass at 0040EF35; 0x10, len+8 or 0x17 in the second at 0040F107). */
017F:00422A30 PUSH EBP
017F:00422A31 MOV EBP,ESP
017F:00422A33 XOR EAX,EAX
/* EAX = "value is negative" flag, default 0. */
017F:00422A35 CMP DWORD PTR [EBP+10],0A
017F:00422A39 JNZ 00422A43
017F:00422A3B CMP [EBP+08],EAX
017F:00422A3E JGE 00422A43
017F:00422A40 PUSH 01
017F:00422A42 POP EAX
/* Only radix 10 treats a negative value as signed.  Every radix the keygen
   path uses is != 10, so a negative hash is formatted as its unsigned 32-bit
   pattern; the C keygen's ABS() would diverge from that, which only matters
   if the double->long conversion before this call overflows. */
017F:00422A43 PUSH EAX
017F:00422A44 PUSH DWORD PTR [EBP+10]
017F:00422A47 PUSH DWORD PTR [EBP+0C]
017F:00422A4A PUSH DWORD PTR [EBP+08]
017F:00422A4D CALL 004229D4
/* (value, buffer, radix, negative-flag) */
017F:00422A52 MOV EAX,[EBP+0C]
/* Returns the buffer address. */
017F:00422A55 ADD ESP,10
017F:00422A58 POP EBP
017F:00422A59 RET
**********************************************
017F:00422A4D CALL 004229D4 进入:
/* Digit emitter (itoa-style worker).  Arguments: [EBP+08] = value,
   [EBP+0C] = output buffer, [EBP+10] = radix, [EBP+14] = negative flag. */
017F:004229D4 PUSH EBP
017F:004229D5 MOV EBP,ESP
017F:004229D7 CMP DWORD PTR [EBP+14],00
017F:004229DB MOV ECX,[EBP+0C]
/* ECX = write cursor, starting at the buffer. */
017F:004229DE PUSH EBX
017F:004229DF PUSH ESI
017F:004229E0 PUSH EDI
017F:004229E1 JZ 004229EE
017F:004229E3 MOV ESI,[EBP+08]
017F:004229E6 MOV BYTE PTR [ECX],2D
017F:004229E9 INC ECX
017F:004229EA NEG ESI
/* Negative flag set: write '-' and continue with the magnitude. */
017F:004229EC JMP 004229F1
017F:004229EE MOV ESI,[EBP+08]
/* ESI = the value (in this caller, the rounded result of the FPU loop). */
017F:004229F1 MOV EDI,ECX
/* EDI = first digit position; a leading '-' is not part of the reversal. */
017F:004229F3 MOV EAX,ESI
017F:004229F5 XOR EDX,EDX
017F:004229F7 DIV DWORD PTR [EBP+10]
/* Unsigned divide by the radix; EDX = remainder = next digit. */
017F:004229FA MOV EAX,ESI
017F:004229FC MOV EBX,EDX
017F:004229FE XOR EDX,EDX
017F:00422A00 DIV DWORD PTR [EBP+10]
/* Same division again, this time for the quotient. */
017F:00422A03 CMP EBX,09
/* Digit <= 9 ? */
017F:00422A06 MOV ESI,EAX
017F:00422A08 JBE 00422A0F
017F:00422A0A ADD BL,57
/* Digit > 9: add 0x57, so 10 -> 'a', 11 -> 'b', ...  (the original note had the two branches swapped). */
017F:00422A0D JMP 00422A12
017F:00422A0F ADD BL,30
/* Digit <= 9: add 0x30 -> '0'..'9'. */
017F:00422A12 MOV [ECX],BL
/* Store the digit character, least-significant first. */
017F:00422A14 INC ECX
017F:00422A15 TEST ESI,ESI
017F:00422A17 JA 004229F3
/* Loop while the quotient is non-zero (a zero value still emits "0"). */
017F:00422A19 AND BYTE PTR [ECX],00
/* NUL terminator. */
017F:00422A1C DEC ECX
/* ECX -> last digit. */
017F:00422A1D MOV DL,[EDI]
017F:00422A1F MOV AL,[ECX]
017F:00422A21 MOV [ECX],DL
017F:00422A23 MOV [EDI],AL
/* Swap the characters at EDI and ECX through registers; a one-character
   string swaps with itself harmlessly (an XOR swap would zero it). */
017F:00422A25 DEC ECX
017F:00422A26 INC EDI
017F:00422A27 CMP EDI,ECX
017F:00422A29 JB 00422A1D
/* Walk the cursors inward until they meet: this reverses the digit string in place. */
017F:00422A2B POP EDI
017F:00422A2C POP ESI
017F:00422A2D POP EBX
017F:00422A2E POP EBP
017F:00422A2F RET
【整理】:
name:cyclotron[BCG]
code:WB-hcjfb89
【Turbo C 注册机】:
#include "stdio.h"
#include "string.h"
#include "math.h"
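/* Absolute value as a macro; fully parenthesized so that ABS(a - b) and
 * ABS(-v) expand correctly (the original `x>0?x:-x` form mis-parses both). */
#define ABS(x) ((x) > 0 ? (x) : -(x))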
/*
 * Second-pass variant of the name hash: identical to the routine traced at
 * 0040EE90-0040EF14 except for the seed, 4111.103114, which the target loads
 * from 00401E58 at 0040F016.
 *
 * regname: the user name (NUL-terminated).
 * link:    caller-provided buffer whose first two bytes already hold "WB";
 *          regname is copied in after them, so it must hold
 *          strlen(regname) + 3 bytes.
 *
 * For i in [0, strlen(regname)):
 *   time = |(link[link[i] % length] * i * (2.12*(i+1) - i) + 1.01764) * (long)time|
 *
 * NOTE(review): (long)time overflows after a few characters; an out-of-range
 * double-to-long conversion is undefined in C, so the result for longer
 * names is platform-dependent (it evidently matched the target under TC 2.0).
 * link[i] % length assumes link[i] is non-negative (plain ASCII).
 */
double floatize(char *regname,char *link)
{
    double time = 4111.103114;
    int length = strlen(regname);
    int i;

    strcpy(link + 2, regname);
    for (i = 0; i < length; i++) {
        double factor = link[link[i] % length] * i * (2.12 * (i + 1) - i) + 1.01764;
        time = fabs(factor * (long)time);
    }
    return time;
}
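/*
 * Format `power` in base `divisor` (digits '0'-'9', then 'a', 'b', ...) into
 * link, least-significant digit first, then reverse the string in place --
 * the same steps as the target's routine at 004229D4.  The radix is chosen
 * from the name length as at 0040F107-0040F11B:
 *   length <  8        -> 16
 *   8 <= length < 15   -> length + 8
 *   length >= 15       -> 23
 *
 * length: strlen of the registration name.
 * link:   output buffer; receives the NUL-terminated code body.  It must hold
 *         every digit of `power` plus the terminator (a 32-bit value in base
 *         16 needs at most 9 bytes).
 * power:  the integer part of floatize()'s result.  As in the target it is
 *         treated as unsigned, so a negative input formats as its
 *         two's-complement bit pattern.
 *
 * Fixes from the listing: the decrement had been garbled to `link[–i]` (an
 * en dash), which does not compile; the XOR swap is replaced with a
 * temporary, because XOR-swapping an element with itself (a one-digit
 * result) zeroed the only character, whereas the target's MOV-based swap
 * leaves it intact.
 */
void genereverse(int length,char *link,unsigned long power)
{
    int i = 0, j, divisor;
    unsigned long rest;

    if (length < 8) {
        divisor = 0x10;
    } else if (length < 0xF) {
        divisor = length + 8;
    } else {
        divisor = 0x17;
    }

    /* Emit digits least-significant first; a zero value still yields "0". */
    do {
        rest = power % divisor;
        power /= divisor;
        link[i++] = (char)(rest <= 9 ? rest + 0x30 : rest + 0x57);
    } while (power);
    link[i] = '\0';

    /* Reverse link[0..i-1] in place. */
    for (j = 0, i = i - 1; j < i; j++, i--) {
        char tmp = link[i];
        link[i] = link[j];
        link[j] = tmp;
    }
}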
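/*
 * Entry point of the name-dependent keygen.
 *
 * Prompts for a registration name, folds it into a double with floatize(),
 * formats the integer part in the length-dependent radix with genereverse()
 * and prints "WB-<digits>" -- the sequence the target runs at
 * 0040F016-0040F179 before comparing against the trial code.
 *
 * Changes from the listing: gets() (removed in C11; also strlen(NULL) on
 * EOF) is replaced by a bounded fgets() with EOF handling; the ABS macro is
 * replaced by an explicit magnitude computation that cannot overflow for
 * LONG_MIN; regcode is sized from link so a longer digit string cannot
 * overrun it.
 */
int main(void)
{
    char regname[30];
    char link[32];
    char regcode[3 + sizeof link];
    double iptr;
    long whole;
    unsigned long magnitude;

    link[0] = regcode[0] = 'W';
    link[1] = regcode[1] = 'B';
    regcode[2] = '-';
    printf("\t***********************************************\n");
    printf("\n\t\tKeyGen for WindowBlinds V3.5\n\t\t(Generating Regname-related Regcode)");
    printf("\n\t\t\tProduced by cyclotron\n");
    printf("\n\t***********************************************\n");

    /* Prompt until a non-empty name is entered; give up cleanly on EOF.
     * regname is 30 bytes, so "WB" + name + NUL always fits in link. */
    for (;;) {
        printf("\n\tPlease input your Regname:");
        if (fgets(regname, sizeof regname, stdin) == NULL) {
            return 1;
        }
        regname[strcspn(regname, "\r\n")] = '\0';
        if (regname[0] != '\0') {
            break;
        }
    }

    modf(floatize(regname, link), &iptr);
    /* NOTE(review): floatize() returns fabs(), so iptr is non-negative unless
     * the double->long conversion overflows (undefined in C); the target
     * formats the converted value as unsigned (see 00422A30). */
    whole = (long)iptr;
    magnitude = whole < 0 ? 0UL - (unsigned long)whole : (unsigned long)whole;
    genereverse((int)strlen(regname), link, magnitude);
    strcpy(regcode + 3, link);
    printf("\n\tYour Regcode is:\t%s\n", regcode);
    printf("\n\tThank you for your use!\n");
    getchar();
    return 0;
}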
转载于:https://www.cnblogs.com/F4ncy/archive/2005/04/17/139377.html