Setup2Go 1.97 Cracking Notes: Algorithm Analysis
Author: newlaos[CCG][DFCG]
Software: Setup2Go 1.97 (installer builder)
Written up: 2003.4.23
Latest version: 1.97 (04.15)
File size: 955KB
License: shareware
Platform: Win9x/Me/NT/2000/XP
Publisher: "http://www.dev4pc.com/products.html"
Description: Setup2Go is a very good installer builder, easy to use and highly interactive; it lets you build an installer in a very short time without much programming knowledge or experience. It supports programs for all current 32-bit Windows systems, including Windows 95, 98, ME, NT4, 2000 and XP. A built-in project wizard helps you generate an installation project quickly: creating shortcuts, writing the registry, file type associations, custom dialogs and screen styles, external tools, editing INI files, installation passwords, test runs and so on are all supported, and Setup2Go can also build multilingual installers, handy for selling your software abroad.
Protection: registration code + VC6.0
Limitations: feature-limited
Cracking tools: TRW2000 1.23 registered edition, W32Dasm 8.93 gold edition, FI 2.5, OllyDbg V1.09b Chinese edition
Crack date: 2003-04-17
Author newlaos's statement: this is for study only; please do not use it commercially or distribute keygens made with the method in this article; I bear no responsibility for any consequences.
1. Checking with FI 2.5 shows a VC6.0 program (actually wrapped in a compression packer).
2. Static disassembly with the W32Dasm gold edition finds nothing.
3. So dynamic tracing it has to be. Bring out the national treasure, TRW2000: enter the name newlaos and the fake code 78787878, and set the breakpoint BPX hmemcpy (the universal breakpoint). Click OK and it breaks; the pmodule command lands at 00415F55, a code section that was not present in the W32Dasm gold edition static disassembly, which shows the original program was packed.
4. It is best to debug with the Chinese edition of OllyDbg V1.09b. Why, you ask? Because that is how I can write this tutorial for everyone; the assembly listing cannot be copied out by hand from a TRW2000 dynamic trace. Set a breakpoint at 00415F55 with F2:
.......
.......
00415F4F FF15 C4124000 CALL DWORD PTR DS:[<&USER32.SendMessageA>
00415F55 8BFB MOV EDI,EBX <=== execution arrives here; EAX=7 (length of the registration name), EBX=newlaos
00415F57 83C9 FF OR ECX,FFFFFFFF
00415F5A 33C0 XOR EAX,EAX
00415F5C 8D95 F4FDFFFF LEA EDX,DWORD PTR SS:[EBP-20C]
00415F62 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415F64 F7D1 NOT ECX
00415F66 2BF9 SUB EDI,ECX
00415F68 53 PUSH EBX
00415F69 8BC1 MOV EAX,ECX
00415F6B 8BF7 MOV ESI,EDI
00415F6D 8BFA MOV EDI,EDX
00415F6F 68 00020000 PUSH 200
00415F74 C1E9 02 SHR ECX,2
00415F77 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00415F79 8BC8 MOV ECX,EAX
00415F7B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00415F7E 6A 0D PUSH 0D
00415F80 83E1 03 AND ECX,3
00415F83 FF70 38 PUSH DWORD PTR DS:[EAX+38]
00415F86 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00415F88 FF15 C4124000 CALL DWORD PTR DS:[<&USER32.SendMessageA>
00415F8E 8BFB MOV EDI,EBX <=== EAX=8 (length of the fake code), EBX=78787878
00415F90 83C9 FF OR ECX,FFFFFFFF
00415F93 33C0 XOR EAX,EAX
00415F95 8D95 F8FEFFFF LEA EDX,DWORD PTR SS:[EBP-108]
00415F9B F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415F9D F7D1 NOT ECX
00415F9F 2BF9 SUB EDI,ECX
00415FA1 8BC1 MOV EAX,ECX
00415FA3 8BF7 MOV ESI,EDI
00415FA5 8BFA MOV EDI,EDX
00415FA7 C1E9 02 SHR ECX,2
00415FAA F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00415FAC 8BC8 MOV ECX,EAX
00415FAE 8D85 F8FEFFFF LEA EAX,DWORD PTR SS:[EBP-108]
00415FB4 50 PUSH EAX
00415FB5 83E1 03 AND ECX,3
00415FB8 8D85 F4FDFFFF LEA EAX,DWORD PTR SS:[EBP-20C]
00415FBE F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00415FC0 50 PUSH EAX
00415FC1 E8 DA3A0200 CALL SETUP2GO.00439AA0
00415FC6 8BC8 MOV ECX,EAX
00415FC8 E8 5AE5FFFF CALL SETUP2GO.00414527 <=== the key CALL; follow it with F8
00415FCD 5F POP EDI
00415FCE 5E POP ESI
00415FCF 84C0 TEST AL,AL <=== for registration to succeed, AL must not be 0 here
00415FD1 5B POP EBX
00415FD2 ^0F84 5DFFFFFF JE SETUP2GO.00415F35 <=== the key jump; it must not be taken
00415FD8 68 0D080000 PUSH 80D
00415FDD EB 18 JMP SHORT SETUP2GO.00415FF7
00415FDF 68 10040000 PUSH 410
00415FE4 6A 01 PUSH 1
00415FE6 E8 7F3B0200 CALL SETUP2GO.00439B6A
00415FEB 59 POP ECX
00415FEC 59 POP ECX
00415FED ^E9 43FFFFFF JMP SETUP2GO.00415F35
00415FF2 68 01080000 PUSH 801
00415FF7 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00415FFA FF15 8C134000 CALL DWORD PTR DS:[<&USER32.EndDialog>] <=== EndDialog closes the dialog: the sign of victory
00416000 B0 01 MOV AL,1
00416002 C9 LEAVE
00416003 C2 1000 RETN 10
---------- 00415FC8 CALL 00414527: the key CALL, follow it with F8 -------------------------
00414527 55 PUSH EBP
00414528 8BEC MOV EBP,ESP
0041452A 51 PUSH ECX
0041452B 51 PUSH ECX
0041452C 53 PUSH EBX <=== EBX=78787878
0041452D 56 PUSH ESI
0041452E 57 PUSH EDI
0041452F 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] <=== EDI=newlaos
00414532 FF75 0C PUSH DWORD PTR SS:[EBP+C]
00414535 8BD9 MOV EBX,ECX
00414537 57 PUSH EDI
00414538 E8 97FFFFFF CALL SETUP2GO.004144D4 <=== another key CALL; follow it with F8
0041453D 84C0 TEST AL,AL <=== AL must not be 0
0041453F 0F84 C0000000 JE SETUP2GO.00414605 <=== if this jumps, it's over
00414545 33F6 XOR ESI,ESI
00414547 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0041454A 56 PUSH ESI
0041454B 50 PUSH EAX
0041454C 56 PUSH ESI
0041454D 68 3F000F00 PUSH 0F003F
00414552 56 PUSH ESI
00414553 68 2CB14000 PUSH SETUP2GO.0040B12C ; ASCII "Setup2GO"
00414558 56 PUSH ESI
00414559 68 B0B14000 PUSH SETUP2GO.0040B1B0 ; ASCII "software\SDS Software\Setup2GO"
.......
....... a stretch of code that saves the valid registration info is omitted here
00414601 B0 01 MOV AL,1 <=== the key flag assignment; execution must pass through here
00414603 EB 02 JMP SHORT SETUP2GO.00414607
00414605 32C0 XOR AL,AL <=== flag cleared to 0, game over
00414607 5F POP EDI
00414608 5E POP ESI
00414609 5B POP EBX
0041460A C9 LEAVE
0041460B C2 0800 RETN 8
----------- 00414538 CALL 004144D4: another key CALL, follow it with F8 --------------------
004144D4 55 PUSH EBP
004144D5 8BEC MOV EBP,ESP
004144D7 51 PUSH ECX
004144D8 33D2 XOR EDX,EDX
004144DA 57 PUSH EDI
004144DB 3955 08 CMP DWORD PTR SS:[EBP+8],EDX <=== checks whether a user name was entered
004144DE 74 40 JE SHORT SETUP2GO.00414520 <=== must not jump
004144E0 3955 0C CMP DWORD PTR SS:[EBP+C],EDX <=== checks whether a registration code was entered
004144E3 74 3B JE SHORT SETUP2GO.00414520 <=== must not jump
004144E5 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] <=== EDI=newlaos
004144E8 83C9 FF OR ECX,FFFFFFFF
004144EB 33C0 XOR EAX,EAX
004144ED F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004144EF F7D1 NOT ECX
004144F1 49 DEC ECX
004144F2 74 2C JE SHORT SETUP2GO.00414520
004144F4 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
004144F7 83C9 FF OR ECX,FFFFFFFF
004144FA F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004144FC F7D1 NOT ECX
004144FE 49 DEC ECX
004144FF 83F9 0A CMP ECX,0A <=== the registration code must be 10 characters long
00414502 75 1C JNZ SHORT SETUP2GO.00414520 <=== if not, this jump ends it
00414504 FF75 0C PUSH DWORD PTR SS:[EBP+C] <=== after re-entering the fake code as 7878787878 we arrive here
00414507 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0041450A 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
0041450D 50 PUSH EAX
0041450E 68 74B44000 PUSH SETUP2GO.0040B474 ; ASCII "pasha and andrey"
00414513 FF75 08 PUSH DWORD PTR SS:[EBP+8] <=== pushes newlaos
00414516 E8 BB130100 CALL SETUP2GO.004258D6 <=== the key CALL; follow it with F8
0041451B 83C4 10 ADD ESP,10 <=== on return, ECX holds the real registration code
0041451E EB 02 JMP SHORT SETUP2GO.00414522
00414520 32C0 XOR AL,AL
00414522 5F POP EDI
00414523 C9 LEAVE
00414524 C2 0800 RETN 8
------------ 00414516 CALL 004258D6: the key algorithm CALL, follow it with F8 --------------------
004258D6 55 PUSH EBP
004258D7 8BEC MOV EBP,ESP
004258D9 51 PUSH ECX
004258DA 53 PUSH EBX
004258DB 8B5D 14 MOV EBX,DWORD PTR SS:[EBP+14] <=== EBX=7878787878
004258DE 56 PUSH ESI
004258DF 57 PUSH EDI
004258E0 8BFB MOV EDI,EBX
004258E2 83C9 FF OR ECX,FFFFFFFF
004258E5 33C0 XOR EAX,EAX
004258E7 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004258E9 F7D1 NOT ECX
004258EB 49 DEC ECX
004258EC 8BF9 MOV EDI,ECX
004258EE 8D47 01 LEA EAX,DWORD PTR DS:[EDI+1]
004258F1 50 PUSH EAX
004258F2 E8 26F70200 CALL SETUP2GO.0045501D <=== this CALL already computes EAX=78KB0HS6MA; still, follow it with F8
004258F7 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] <=== not sure whether a memory keygen could be made here
.......
....... a stretch of unrelated code is omitted here
00425961 C3 RETN
-------- 004258F2 CALL 0045501D: computes the registration code (78KB0HS6MA), follow it with F8 -----------
0045501D 6A 01 PUSH 1
0045501F FF7424 08 PUSH DWORD PTR SS:[ESP+8]
00455023 E8 43210000 CALL SETUP2GO.0045716B <=== this CALL produces the registration code; follow it with F8
00455028 59 POP ECX
00455029 59 POP ECX
0045502A C3 RETN
-------- 00455023 CALL 0045716B: follow it with F8 again -------------------------------------
0045716B 837C24 04 E0 CMP DWORD PTR SS:[ESP+4],-20
00457170 77 22 JA SHORT SETUP2GO.00457194
00457172 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
00457176 E8 1C000000 CALL SETUP2GO.00457197 <=== this CALL produces the registration code; follow it with F8
0045717B 85C0 TEST EAX,EAX
0045717D 59 POP ECX
0045717E 75 16 JNZ SHORT SETUP2GO.00457196
00457180 394424 08 CMP DWORD PTR SS:[ESP+8],EAX
00457184 74 10 JE SHORT SETUP2GO.00457196
00457186 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
0045718A E8 F5E5FFFF CALL SETUP2GO.00455784
0045718F 85C0 TEST EAX,EAX
00457191 59 POP ECX
00457192 ^75 DE JNZ SHORT SETUP2GO.00457172
00457194 33C0 XOR EAX,EAX
00457196 C3 RETN
------------- 00457176 CALL 00457197: produces the registration code, follow it with F8 ----------------------
00457197 55 PUSH EBP
00457198 8BEC MOV EBP,ESP
0045719A 6A FF PUSH -1
0045719C 68 38394000 PUSH SETUP2GO.00403938
004571A1 68 A86B4500 PUSH SETUP2GO.00456BA8
004571A6 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004571AC 50 PUSH EAX
004571AD 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004571B4 83EC 0C SUB ESP,0C
004571B7 53 PUSH EBX
004571B8 56 PUSH ESI
004571B9 57 PUSH EDI
004571BA A1 C49A4600 MOV EAX,DWORD PTR DS:[469AC4]
004571BF 83F8 03 CMP EAX,3
004571C2 75 43 JNZ SHORT SETUP2GO.00457207 <=== not taken
004571C4 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004571C7 3B35 BC9A4600 CMP ESI,DWORD PTR DS:[469ABC]
004571CD 0F87 93000000 JA SETUP2GO.00457266
004571D3 6A 09 PUSH 9
004571D5 E8 13220000 CALL SETUP2GO.004593ED
004571DA 59 POP ECX
004571DB 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
004571DF 56 PUSH ESI
004571E0 E8 314E0000 CALL SETUP2GO.0045C016 <=== this CALL produces the registration code; follow it with F8 (it really is buried deep)
004571E5 59 POP ECX
004571E6 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004571E9 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
004571ED E8 0C000000 CALL SETUP2GO.004571FE
004571F2 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004571F5 85C0 TEST EAX,EAX
004571F7 74 6D JE SHORT SETUP2GO.00457266
004571F9 E9 86000000 JMP SETUP2GO.00457284
004571FE 6A 09 PUSH 9
00457200 E8 49220000 CALL SETUP2GO.0045944E
00457205 59 POP ECX
00457206 C3 RETN
------------- 004571E0 CALL 0045C016: produces the registration code, follow it with F8 -------------
0045C016 55 PUSH EBP
.......
....... a large stretch of unrelated code is omitted here
0045C31A 5F POP EDI
0045C31B 5E POP ESI
0045C31C 5B POP EBX <=== EBX=7878787878
0045C31D C9 LEAVE
0045C31E C3 RETN
......
...... this RETN lands in the following code:
004571E5 59 POP ECX ; 007C000C
004571E6 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004571E9 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
004571ED E8 0C000000 CALL SETUP2GO.004571FE <=== this CALL returns EAX=8187BD44
004571F2 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004571F5 85C0 TEST EAX,EAX
004571F7 74 6D JE SHORT SETUP2GO.00457266
004571F9 E9 86000000 JMP SETUP2GO.00457284 <=== jumps away from here
.......
.......
00457284 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] <=== lands here
00457287 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
0045728E 5F POP EDI
0045728F 5E POP ESI
00457290 5B POP EBX
00457291 C9 LEAVE
00457292 C3 RETN
.......
....... this RETN lands in the following code:
0045717B 85C0 TEST EAX,EAX
0045717D 59 POP ECX
0045717E 75 16 JNZ SHORT SETUP2GO.00457196 <=== taken
00457180 394424 08 CMP DWORD PTR SS:[ESP+8],EAX
00457184 74 10 JE SHORT SETUP2GO.00457196
00457186 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
0045718A E8 F5E5FFFF CALL SETUP2GO.00455784
0045718F 85C0 TEST EAX,EAX
00457191 59 POP ECX
00457192 ^75 DE JNZ SHORT SETUP2GO.00457172
00457194 33C0 XOR EAX,EAX
00457196 C3 RETN <=== lands here
........
........ this RETN lands in the following code:
00455028 59 POP ECX
00455029 59 POP ECX
0045502A C3 RETN
.......
....... this RETN lands in the following code:
004258F7 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
004258FA 59 POP ECX
004258FB 85F6 TEST ESI,ESI
004258FD 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00425900 74 2B JE SHORT SETUP2GO.0042592D
00425902 8A43 01 MOV AL,BYTE PTR DS:[EBX+1] <=== fetches the 2nd character of "7878787878"
00425905 50 PUSH EAX
00425906 E8 A9FFFFFF CALL SETUP2GO.004258B4
0042590B 8BD0 MOV EDX,EAX <=== EAX=8 (digit extracted), EBX=38 (its ASCII value)
0042590D 8A03 MOV AL,BYTE PTR DS:[EBX] <=== fetches the 1st character of "7878787878"
0042590F 50 PUSH EAX
00425910 8955 10 MOV DWORD PTR SS:[EBP+10],EDX
00425913 E8 9CFFFFFF CALL SETUP2GO.004258B4 <=== EAX=7 (digit extracted), EBX=37 (its ASCII value)
00425918 59 POP ECX
00425919 59 POP ECX
0042591A 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0042591D C1E0 04 SHL EAX,4 <=== EAX=7 SHL 4=70
00425920 03C8 ADD ECX,EAX <=== ECX=8+70=78
00425922 81F1 FF000000 XOR ECX,0FF <=== ECX=87
00425928 83E9 55 SUB ECX,55 <=== ECX=87-55=32
0042592B 890E MOV DWORD PTR DS:[ESI],ECX
0042592D 57 PUSH EDI
0042592E FF75 FC PUSH DWORD PTR SS:[EBP-4]
00425931 FF36 PUSH DWORD PTR DS:[ESI] <=== 32
00425933 FF75 0C PUSH DWORD PTR SS:[EBP+C] <=== "pasha and andrey"
00425936 FF75 08 PUSH DWORD PTR SS:[EBP+8] <=== "newlaos"
00425939 E8 6AFEFFFF CALL SETUP2GO.004257A8 <=== ECX="newlaosnew" (cyclically padded to 10 characters); follow it with F8
0042593E 57 PUSH EDI
0042593F 53 PUSH EBX <=== fake code 7878787878
00425940 FF75 FC PUSH DWORD PTR SS:[EBP-4] <=== "78KB0HS6MA"
00425943 E8 E8100300 CALL SETUP2GO.00456A30
00425948 FF75 FC PUSH DWORD PTR SS:[EBP-4]
0042594B 8BD8 MOV EBX,EAX
0042594D F7DB NEG EBX
0042594F 1ADB SBB BL,BL
00425951 FEC3 INC BL
00425953 E8 CAF10200 CALL SETUP2GO.00454B22
00425958 83C4 24 ADD ESP,24
0042595B 8AC3 MOV AL,BL
0042595D 5F POP EDI
0042595E 5E POP ESI
0042595F 5B POP EBX
00425960 C9 LEAVE
00425961 C3 RETN
-------- 00425939 CALL SETUP2GO.004257A8: stepping in lands in the following code -------------
004257A8 55 PUSH EBP
004257A9 8BEC MOV EBP,ESP
004257AB 51 PUSH ECX
004257AC 51 PUSH ECX
004257AD 53 PUSH EBX
004257AE 8B5D 18 MOV EBX,DWORD PTR SS:[EBP+18]
004257B1 56 PUSH ESI
004257B2 57 PUSH EDI
004257B3 8D73 01 LEA ESI,DWORD PTR DS:[EBX+1]
004257B6 56 PUSH ESI
004257B7 E8 61F80200 CALL SETUP2GO.0045501D <=== EAX=Setup2Go
004257BC 56 PUSH ESI
004257BD 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004257C0 E8 58F80200 CALL SETUP2GO.0045501D
004257C5 8365 18 00 AND DWORD PTR SS:[EBP+18],0
004257C9 53 PUSH EBX
004257CA FF75 08 PUSH DWORD PTR SS:[EBP+8] <=== newlaos
004257CD 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004257D0 FF75 FC PUSH DWORD PTR SS:[EBP-4]
004257D3 E8 31FFFFFF CALL SETUP2GO.00425709 <=== EAX="newlaosnew" (cyclically padded to 10 characters)
004257D8 53 PUSH EBX
004257D9 FF75 0C PUSH DWORD PTR SS:[EBP+C] <=== "pasha and andrey"
004257DC FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004257DF E8 25FFFFFF CALL SETUP2GO.00425709 <=== EAX="pasha and " (only 10 characters kept)
004257E4 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] <=== 32 (the value computed earlier from the first two characters of the code)
004257E7 BF FF000000 MOV EDI,0FF
004257EC 23F7 AND ESI,EDI
004257EE 83C6 55 ADD ESI,55 <=== ESI=32+55=87
004257F1 33F7 XOR ESI,EDI <=== ESI=78 (heh, back where we started? So the first two characters of the real code can be anything?)
004257F3 8BC6 MOV EAX,ESI
004257F5 C1E8 04 SHR EAX,4 <=== EAX=78 SHR 4=7
004257F8 50 PUSH EAX
004257F9 E8 74FFFFFF CALL SETUP2GO.00425772 <=== EAX=37, back to the ASCII value
004257FE 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14] <===ECX=7umber
00425801 83E6 0F AND ESI,0F <===ESI=8
00425804 56 PUSH ESI
00425805 8801 MOV BYTE PTR DS:[ECX],AL
00425807 E8 66FFFFFF CALL SETUP2GO.00425772 <=== EAX=38, back to the ASCII value
0042580C 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0042580F 83C4 28 ADD ESP,28
00425812 33F6 XOR ESI,ESI
00425814 85DB TEST EBX,EBX
00425816 8842 01 MOV BYTE PTR DS:[EDX+1],AL <===ECX=78mber
00425819 7E 26 JLE SHORT SETUP2GO.00425841
0042581B 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] <=== "pasha and andrey"
0042581E 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
00425821 23CF AND ECX,EDI
00425823 8A0406 MOV AL,BYTE PTR DS:[ESI+EAX] <=== loads the ASCII value of each character of "pasha and andrey" into AL in turn
00425826 23C7 AND EAX,EDI
00425828 33C1 XOR EAX,ECX
0042582A 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0042582D C1E9 08 SHR ECX,8
00425830 8B0485 24C24000 MOV EAX,DWORD PTR DS:[EAX*4+40C224] <=== yet another huge 256-entry lookup table (the same as the one in 木马克星 (Trojan Hunter) 5.41; teacher Xiaolou once said this is CRC32, but I don't understand it, so I used the dumb method: copy it out)
********************* the table follows, 256 values in total ******************************
77073096 EE0E612C 990951BA 076DC419 706AF48F E963A535 9E6495A3 0EDB8832
79DCB8A4 E0D5E91E 97D2D988 09B64C2B 7EB17CBD E7B82D07 90BF1D91 00000000
6AB020F2 F3B97148 84BE41DE 1ADAD47D 6DDDE4EB F4D4B551 83D385C7 136C9856
646BA8C0 FD62F97A 8A65C9EC 14015C4F 63066CD9 FA0F3D63 8D080DF5 3B6E20C8
4C69105E D56041E4 A2677172 3C03E4D1 4B04D447 D20D85FD A50AB56B 35B5A8FA
42B2986C DBBBC9D6 ACBCF940 32D86CE3 45DF5C75 DCD60DCF ABD13D59 26D930AC
51DE003A C8D75180 BFD06116 21B4F4B5 56B3C423 CFBA9599 B8BDA50F 2802B89E
5F058808 C60CD9B2 B10BE924 2F6F7C87 58684C11 C1611DAB B6662D3D 76DC4190
01DB7106 98D220BC EFD5102A 71B18589 06B6B51F 9FBFE4A5 E8B8D433 7807C9A2
0F00F934 9609A88E E10E9818 7F6A0DBB 086D3D2D 91646C97 E6635C01 6B6B51F4
1C6C6162 856530D8 F262004E 6C0695ED 1B01A57B 8208F4C1 F50FC457 65B0D9C6
12B7E950 8BBEB8EA FCB9887C 62DD1DDF 15DA2D49 8CD37CF3 FBD44C65 4DB26158
3AB551CE A3BC0074 D4BB30E2 4ADFA541 3DD895D7 A4D1C46D D3D6F4FB 4369E96A
346ED9FC AD678846 DA60B8D0 44042D73 33031DE5 AA0A4C5F DD0D7CC9 5005713C
270241AA BE0B1010 C90C2086 5768B525 206F85B3 B966D409 CE61E49F 5EDEF90E
29D9C998 B0D09822 C7D7A8B4 59B33D17 2EB40D81 B7BD5C3B C0BA6CAD EDB88320
9ABFB3B6 03B6E20C 74B1D29A EAD54739 9DD277AF 04DB2615 73DC1683 E3630B12
94643B84 0D6D6A3E 7A6A5AA8 E40ECF0B 9309FF9D 0A00AE27 7D079EB1 F00F9344
8708A3D2 1E01F268 6906C2FE F762575D 806567CB 196C3671 6E6B06E7 FED41B76
89D32BE0 10DA7A5A 67DD4ACC F9B9DF6F 8EBEEFF9 17B7BE43 60B08ED5 D6D6A3E8
A1D1937E 38D8C2C4 4FDFF252 D1BB67F1 A6BC5767 3FB506DD 48B2364B D80D2BDA
AF0A1B4C 36034AF6 41047A60 DF60EFC3 A867DF55 316E8EEF 4669BE79 CB61B38C
BC66831A 256FD2A0 5268E236 CC0C7795 BB0B4703 220216B9 5505262F C5BA3BBE
B2BD0B28 2BB45A92 5CB36A04 C2D7FFA7 B5D0CF31 2CD99E8B 5BDEAE1D 9B64C2B0
EC63F226 756AA39C 026D930A 9C0906A9 EB0E363F 72076785 05005713 95BF4A82
E2B87A14 7BB12BAE 0CB61B38 92D28E9B E5D5BE0D 7CDCEFB7 0BDBDF21 86D3D2D4
F1D4E242 68DDB3F8 1FDA836E 81BE16CD F6B9265B 6FB077E1 18B74777 88085AE6
FF0F6A70 66063BCA 11010B5C 8F659EFF F862AE69 616BFFD3 166CCF45 A00AE278
D70DD2EE 4E048354 3903B3C2 A7672661 D06016F7 4969474D 3E6E77DB AED16A4A
D9D65ADC 40DF0B66 37D83BF0 A9BCAE53 DEBB9EC5 47B2CF7F 30B5FFE9 BDBDF21C
CABAC28A 53B39330 24B4A3A6 BAD03605 CDD70693 54DE5729 23D967BF B3667A2E
C4614AB8 5D681B02 2A6F2B94 B40BBE37 C30C8EA1 5A05DF1B 2D02EF8D 0000003D <=== only this last entry differs from the 木马克星 table
************************************************************************
00425837 33C1 XOR EAX,ECX
00425839 46 INC ESI <=== ESI=ESI+1
0042583A 3BF3 CMP ESI,EBX <=== EBX=10, so this loop runs 10 times (much better than 木马克星's 71)
0042583C 8945 18 MOV DWORD PTR SS:[EBP+18],EAX <=== the final key value is kept in SS:[EBP+18] (it comes out as DE928F52); since it is a constant, a keygen can simply use it directly (a small shortcut)
0042583F ^7C DA JL SHORT SETUP2GO.0042581B <=== jumps back to form the loop, 10 times
00425841 83FB 02 CMP EBX,2
00425844 7E 53 JLE SHORT SETUP2GO.00425899
00425846 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4] <===EAX="newlaosnew"
00425849 8D43 FE LEA EAX,DWORD PTR DS:[EBX-2]
0042584C 2BF2 SUB ESI,EDX <===EDX="78mber"
0042584E 8D4A 02 LEA ECX,DWORD PTR DS:[EDX+2] <===ECX="mber"
00425851 8975 08 MOV DWORD PTR SS:[EBP+8],ESI
00425854 8945 0C MOV DWORD PTR SS:[EBP+C],EAX
00425857 EB 03 JMP SHORT SETUP2GO.0042585C <=== taken
************** the loop structure starts here *************
00425859 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0042585C 8A040E MOV AL,BYTE PTR DS:[ESI+ECX]
<=== takes the ASCII value of each character of "newlaosnew" in turn, starting from the 3rd; a Chinese character is likewise consumed one byte at a time
0042585F 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18]
<=== EDX takes in turn DE928F52,4BDA46C8,D1F0BDB7,6F61875C,BFBF0091,4EBB3C54,C642628E,371E7992
00425862 23C7 AND EAX,EDI <=== EDI=FF, so only the low byte of EAX is kept: EAX=77 (ASCII value of 'w')
00425864 23D7 AND EDX,EDI <=== EDI=FF, so only the low byte of EDX is kept: EDX=52
00425866 33C2 XOR EAX,EDX <=== EAX=77 XOR 52 = 25
00425868 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18] <=== EDX=DE928F52
0042586B C1EA 08 SHR EDX,8 <=== EDX=DE928F
0042586E 8B0485 24C24000 MOV EAX,DWORD PTR DS:[EAX*4+40C224] <=== another lookup in the table: EAX=4B04D447
00425875 6A 24 PUSH 24 <=== our old friend 24h (36 in decimal: exactly 10 digits + 26 letters; in other words the remainder of dividing by 24h selects the code character)
00425877 33C2 XOR EAX,EDX <===EAX=4B04D447 XOR DE928F=4BDA46C8
<=== EAX takes in turn 4BDA46C8,D1F0BDB7,6F61875C,BFBF0091,4EBB3C54,C642628E,371E7992,D057088E
00425879 33D2 XOR EDX,EDX <=== EDX cleared to 0
0042587B 5E POP ESI <=== ESI=24
0042587C 8945 18 MOV DWORD PTR SS:[EBP+18],EAX <=== this value goes back into the key slot
0042587F F7F6 DIV ESI <=== now the code characters are extracted, starting with a division
00425881 83FA 0A CMP EDX,0A <=== jumps if the remainder is not below 0A
00425884 73 05 JNB SHORT SETUP2GO.0042588B
00425886 80C2 30 ADD DL,30 <=== remainder 9 or less: add 30 to get the ASCII digit
00425889 EB 03 JMP SHORT SETUP2GO.0042588E
0042588B 80C2 37 ADD DL,37 <=== remainder above 9: add 37 to get an uppercase letter
0042588E 8811 MOV BYTE PTR DS:[ECX],DL <=== the character is stored at [ECX]; the real code emerges one character at a time (K,B,0,H,S,6,M,A)
00425890 41 INC ECX
00425891 FF4D 0C DEC DWORD PTR SS:[EBP+C] <=== SS:[EBP+C] starts at 8
00425894 ^75 C3 JNZ SHORT SETUP2GO.00425859 <=== loops back 8 times, producing the remaining 8 code characters
00425896 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
00425899 FF75 FC PUSH DWORD PTR SS:[EBP-4]
0042589C 80241A 00 AND BYTE PTR DS:[EDX+EBX],0
004258A0 E8 7DF20200 CALL SETUP2GO.00454B22
004258A5 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004258A8 E8 75F20200 CALL SETUP2GO.00454B22
004258AD 59 POP ECX
004258AE 59 POP ECX
004258AF 5F POP EDI
004258B0 5E POP ESI
004258B1 5B POP EBX
004258B2 C9 LEAVE
004258B3 C3 RETN
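As an added example (not code from the original write-up or from Setup2Go), the following Python generates the standard CRC-32 lookup table from its reflected polynomial 0xEDB88320 and compares it with entries transcribed above, then replays one iteration of the loop at 0042585C and the mod-36 character mapping on the values from the trace. The generated table has 1DB71064 at index 16, where the listing above shows 00000000; which of the two the binary actually contains is not established here.

```python
# Added example: identify the 256-entry table at 40C224 as the standard
# reflected CRC-32 table and replay one step of the trace above.
CRC32_POLY = 0xEDB88320  # reflected form of the CRC-32 polynomial


def make_crc32_table():
    """Build the standard 256-entry reflected CRC-32 table."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


# Entries copied from the listing above. The listing begins at 77073096,
# so its first entry is index 1 once the leading 00000000 is restored.
# Index 0x25 is the lookup the trace reports at 0042586E (EAX=4B04D447).
PAGE_SAMPLES = {1: 0x77073096, 0x25: 0x4B04D447, 128: 0xEDB88320, 255: 0x2D02EF8D}


def matches_page(table):
    """True if every sampled entry from the listing equals the generated one."""
    return all(table[i] == v for i, v in PAGE_SAMPLES.items())


def crc_step(state, byte, table):
    """One pass of the loop at 0042585C..0042587C:
    table[(state ^ byte) & 0xFF] ^ (state >> 8), i.e. a CRC-32 update."""
    return table[(state ^ byte) & 0xFF] ^ (state >> 8)


def digit36(state):
    """The mapping at 0042587F..0042588E: state mod 36, '0'-'9' then 'A'-'Z'."""
    r = state % 36
    return chr(0x30 + r) if r < 10 else chr(0x37 + r)


if __name__ == "__main__":
    t = make_crc32_table()
    print("listing matches the standard CRC-32 table:", matches_page(t))
    print("index 16 of the generated table: %08X" % t[16])
    # From the trace: state DE928F52 and next name byte 'w' (0x77)
    s = crc_step(0xDE928F52, ord("w"), t)
    print("%08X -> %s" % (s, digit36(s)))
```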
5. Keygen source code
------------ VB6.0, compiles under Win98 -----------------------------------------
Private Sub Command1_Click()
Dim i As Integer
Dim h As Integer
Dim edx As Long
Dim eax As Long
Dim ss As Long
Dim startin As String
Dim A As Variant
Dim B As Variant
startin = Text1.Text
nlen = Len(startin)
mabiao = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
A = Array(0, &H77073096, &HEE0E612C, &H990951BA, &H76DC419, &H706AF48F, &HE963A535, &H9E6495A3, &HEDB8832, &H79DCB8A4, &HE0D5E91E, &H97D2D988, &H9B64C2B, &H7EB17CBD, &HE7B82D07, &H90BF1D91, &H0 _
, &H6AB020F2, &HF3B97148, &H84BE41DE, &H1ADAD47D, &H6DDDE4EB, &HF4D4B551, &H83D385C7, &H136C9856, &H646BA8C0, &HFD62F97A, &H8A65C9EC, &H14015C4F, &H63066CD9, &HFA0F3D63, &H8D080DF5, &H3B6E20C8 _
, &H4C69105E, &HD56041E4, &HA2677172, &H3C03E4D1, &H4B04D447, &HD20D85FD, &HA50AB56B, &H35B5A8FA, &H42B2986C, &HDBBBC9D6, &HACBCF940, &H32D86CE3, &H45DF5C75, &HDCD60DCF, &HABD13D59, &H26D930AC _
, &H51DE003A, &HC8D75180, &HBFD06116, &H21B4F4B5, &H56B3C423, &HCFBA9599, &HB8BDA50F, &H2802B89E, &H5F058808, &HC60CD9B2, &HB10BE924, &H2F6F7C87, &H58684C11, &HC1611DAB, &HB6662D3D, &H76DC4190 _
, &H1DB7106, &H98D220BC, &HEFD5102A, &H71B18589, &H6B6B51F, &H9FBFE4A5, &HE8B8D433, &H7807C9A2, &HF00F934, &H9609A88E, &HE10E9818, &H7F6A0DBB, &H86D3D2D, &H91646C97, &HE6635C01, &H6B6B51F4 _
, &H1C6C6162, &H856530D8, &HF262004E, &H6C0695ED, &H1B01A57B, &H8208F4C1, &HF50FC457, &H65B0D9C6, &H12B7E950, &H8BBEB8EA, &HFCB9887C, &H62DD1DDF, &H15DA2D49, &H8CD37CF3, &HFBD44C65, &H4DB26158 _
, &H3AB551CE, &HA3BC0074, &HD4BB30E2, &H4ADFA541, &H3DD895D7, &HA4D1C46D, &HD3D6F4FB, &H4369E96A, &H346ED9FC, &HAD678846, &HDA60B8D0, &H44042D73, &H33031DE5, &HAA0A4C5F, &HDD0D7CC9, &H5005713C _
, &H270241AA, &HBE0B1010, &HC90C2086, &H5768B525, &H206F85B3, &HB966D409, &HCE61E49F, &H5EDEF90E, &H29D9C998, &HB0D09822, &HC7D7A8B4, &H59B33D17, &H2EB40D81, &HB7BD5C3B, &HC0BA6CAD, &HEDB88320 _
, &H9ABFB3B6, &H3B6E20C, &H74B1D29A, &HEAD54739, &H9DD277AF, &H4DB2615, &H73DC1683, &HE3630B12, &H94643B84, &HD6D6A3E, &H7A6A5AA8, &HE40ECF0B, &H9309FF9D, &HA00AE27, &H7D079EB1, &HF00F9344 _
, &H8708A3D2, &H1E01F268, &H6906C2FE, &HF762575D, &H806567CB, &H196C3671, &H6E6B06E7, &HFED41B76, &H89D32BE0, &H10DA7A5A, &H67DD4ACC, &HF9B9DF6F, &H8EBEEFF9, &H17B7BE43, &H60B08ED5, &HD6D6A3E8 _
, &HA1D1937E, &H38D8C2C4, &H4FDFF252, &HD1BB67F1, &HA6BC5767, &H3FB506DD, &H48B2364B, &HD80D2BDA, &HAF0A1B4C, &H36034AF6, &H41047A60, &HDF60EFC3, &HA867DF55, &H316E8EEF, &H4669BE79, &HCB61B38C _
, &HBC66831A, &H256FD2A0, &H5268E236, &HCC0C7795, &HBB0B4703, &H220216B9, &H5505262F, &HC5BA3BBE, &HB2BD0B28, &H2BB45A92, &H5CB36A04, &HC2D7FFA7, &HB5D0CF31, &H2CD99E8B, &H5BDEAE1D, &H9B64C2B0 _
, &HEC63F226, &H756AA39C, &H26D930A, &H9C0906A9, &HEB0E363F, &H72076785, &H5005713, &H95BF4A82, &HE2B87A14, &H7BB12BAE, &HCB61B38, &H92D28E9B, &HE5D5BE0D, &H7CDCEFB7, &HBDBDF21, &H86D3D2D4 _
, &HF1D4E242, &H68DDB3F8, &H1FDA836E, &H81BE16CD, &HF6B9265B, &H6FB077E1, &H18B74777, &H88085AE6, &HFF0F6A70, &H66063BCA, &H11010B5C, &H8F659EFF, &HF862AE69, &H616BFFD3, &H166CCF45, &HA00AE278 _
, &HD70DD2EE, &H4E048354, &H3903B3C2, &HA7672661, &HD06016F7, &H4969474D, &H3E6E77DB, &HAED16A4A, &HD9D65ADC, &H40DF0B66, &H37D83BF0, &HA9BCAE53, &HDEBB9EC5, &H47B2CF7F, &H30B5FFE9, &HBDBDF21C _
, &HCABAC28A, &H53B39330, &H24B4A3A6, &HBAD03605, &HCDD70693, &H54DE5729, &H23D967BF, &HB3667A2E, &HC4614AB8, &H5D681B02, &H2A6F2B94, &HB40BBE37, &HC30C8EA1, &H5A05DF1B, &H2D02EF8D, &H3D)
' preparatory handling of the registration name
B = Array(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
k = 1 ' flag: is the current character Chinese (double-byte)
tlen = 0
For h = 1 To nlen
sumtmp = Asc(Mid(startin, h, 1))
If Abs(sumtmp) <> sumtmp Then ' special handling for Chinese characters
k = 2
Else
k = 1
End If
For e = 1 To k
B(tlen) = CInt("&H" + Mid(Hex(sumtmp), 2 * e - 1, 2))
tlen = tlen + 1
If tlen >= 10 Then ' only the first 10 bytes are processed
e = k
h = nlen
Else
If h = nlen Then ' name shorter than 10 bytes: wrap around
h = 0 ' h=0: the next iteration brings it back to the initial value 1
End If
End If
Next e
Next h
If nlen < 1 Then
h = MsgBox("你输入的注册名有误或是还没有输入注册名", 0, "请确认你输入是否正确!")
Else
ebx = 0
ss = &HDE928F52
For i = 2 To 9
eax = B(i) And &HFF
edx = ss And &HFF
eax = eax Xor edx
TMPLEN = Len(Hex(ss))
edx = CLng("&h" + Mid(Hex(ss), 1, TMPLEN - 2))
eax = A(eax) Xor edx
ss = eax
tmpsum = eax Mod 36
If tmpsum < 0 Then ' handle the negative remainders VB produces on signed Longs
tmpsum = 40 + tmpsum
End If
tmpmod = tmpsum + 1
TMPSTR = Mid(mabiao, tmpmod, 1)
laststr = laststr + TMPSTR
Next i
laststr = "88" + laststr
End If
Text2.Text = laststr
End Sub
-----------------------------------------------------
6. The registration info is saved in the registry:
[HKEY_LOCAL_MACHINE\Software\SDS Software\Setup2Go]
"username"="newlaos[CCG][DFCG]"
"regcode"="88KB0HSD9S"