快捷反垃圾邮件破解手记--找出注册码
作者:newlaos[DFCG]
软件名称: 快捷反垃圾邮件 [国产]
软件授权: 共享软件
注册费用:
使用平台: Win9X/Me/NT/2000/XP
软件开发: http://www.chinaantispam.com/
联系信箱: support@chinaantispam.com?subject=From_海阔天空下载站
软件简介:
为每个拥有email地址的用户快速杀除垃圾邮件!提供多种邮件过滤方式,支持特有的通配符及国家代码邮件规则,完整的个人用户反垃圾邮件解决方案。多POP3帐户同时处理,可设置仅预读邮件前几行信息,速度飞快;无需接收邮件全部信息即可以最快速度杀除包括“求职信”在内的邮件病毒;可向垃圾邮件发送人自动或手工发送投诉及报错邮件;支持垃圾邮件特征库随时网上升级。快捷反垃圾邮件,垃圾邮件终结者,让垃圾邮件无处可逃!
加密方式:注册码
功能限制:未注册信息提示
PJ工具:TRW20001.23注册版,W32Dasm8.93黄金版,FI2.5,eXeScope6.30
PJ日期:2003-03-31
作者newlaos申明:本文只用于学习,请勿用于商业用途,也请勿将依据本文方法制作的注册机任意传播;由此造成的后果,本人概不负责。
1、先用FI2.5看一下主文件“AntiSpam.exe”,没加壳。程序是用BC++编的
2、用W32Dasm8.93黄金版对AntiSpam.exe进行静态反汇编,再用串式数据参考,找不到什么经典的句子,怎么办?先用eXeScope6.30对文件的资源进行分析,在“资源\字串表\85”,可以看见:
1357,对不起,您的注册码输入有误。请重新输入。
1358,恭喜您!软件注册成功!$0D$0A您的姓名:%0:s$0D$0A注册码:%1:s$0D$0A请记住这个注册码。今后若您重装系统、更换硬盘或升级电脑,需要重新安装本软件,这时软件可能又会提示您注册,您用这个注册码注册即可。
再回到W32Dasm8.93,找到"String
Resource ID=01357: "?we?魍e"(这就是注册码输入有误)
双击来到下列代码段
3、再用TRW20001.23注册版进行动态跟踪,下断BPX
0058BFE4(通常在注册成功与否的前面一些下断,这样,才能找到关键部分),
先输入注册名:newlaos[DFCG]
假码: 78787878
.......
.......
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058BF51(C)
|
:0058BFE4
66C746103800 mov [esi+10], 0038
:0058BFEA
33C0 xor
eax, eax
:0058BFEC 8945F8
mov dword ptr [ebp-08], eax
:0058BFEF 8D55F8
lea edx, dword ptr [ebp-08]
:0058BFF2
FF461C inc [esi+1C]
:0058BFF5
8B8300030000 mov eax, dword ptr [ebx+00000300]
:0058BFFB
E890A1F5FF call 004E6190
:0058C000
66C746100800 mov [esi+10], 0008
:0058C006
8B55F8 mov edx,
dword ptr [ebp-08]<===EDX=78787878
:0058C009 52
push edx
:0058C00A E8AD330000
call 0058F3BC <===毫无疑问,这就是算法CALL了,F8跟进
:0058C00F
59 pop
ecx
:0058C010 84C0
test al, al <===要想注册成功,则AL不能为0
:0058C012
0F859E000000 jne 0058C0B6
<===呵呵,这里就是关键的跳转了。跳了,就正确注册成功
:0058C018 6A30
push 00000030
:0058C01A 833DF8F4600000
cmp dword ptr [0060F4F8], 00000000
:0058C021
7408 je 0058C02B
:0058C023
8B0DF8F46000 mov ecx, dword ptr [0060F4F8]
:0058C029
EB05 jmp
0058C030
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0058C021(C)
|
:0058C02B
B981F25F00 mov ecx, 005FF281
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C029(U)
|
:0058C030
51 push
ecx
:0058C031 33C0
xor eax, eax
:0058C033 66C746104400
mov [esi+10], 0044
:0058C039 8945DC
mov dword ptr [ebp-24], eax
*
Possible Reference to String Resource ID=01357: "?we?魍e"
<===1357,对不起,您的注册码输入有误。请重新输入。
|
:0058C03C B84D050000
mov eax, 0000054D
:0058C041 FF461C
inc [esi+1C]
:0058C044 8D55DC
lea edx, dword ptr [ebp-24]
:0058C047
E8AC74F9FF call 005234F8
:0058C04C
837DDC00 cmp dword ptr
[ebp-24], 00000000
:0058C050 7405
je 0058C057
:0058C052 8B55DC
mov edx, dword ptr [ebp-24]
:0058C055
EB05 jmp
0058C05C
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0058C050(C)
|
:0058C057
BA80F25F00 mov edx, 005FF280
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C055(U)
|
:0058C05C
52 push
edx
:0058C05D 8BC3
mov eax, ebx
:0058C05F E80402F6FF
call 004EC268
:0058C064 50
push eax
*
Reference To: USER32.MessageBoxA, Ord:0000h
|
:0058C065
E83EFD0200 Call 005BBDA8
:0058C06A
FF4E1C dec [esi+1C]
:0058C06D
8D45DC lea eax,
dword ptr [ebp-24]
:0058C070 BA02000000
mov edx, 00000002
:0058C075 E866E90200
call 005BA9E0
:0058C07A 8B8300030000
mov eax, dword ptr [ebx+00000300]
:0058C080 8B10
mov edx, dword ptr
[eax]
:0058C082 FF92B0000000 call
dword ptr [edx+000000B0]
:0058C088 FF4E1C
dec [esi+1C]
:0058C08B 8D45F8
lea eax, dword ptr [ebp-08]
:0058C08E
BA02000000 mov edx, 00000002
:0058C093
E848E90200 call 005BA9E0
:0058C098
FF4E1C dec [esi+1C]
:0058C09B
8D45FC lea eax,
dword ptr [ebp-04]
:0058C09E BA02000000
mov edx, 00000002
:0058C0A3 E838E90200
call 005BA9E0
:0058C0A8 8B0E
mov ecx, dword ptr [esi]
:0058C0AA
64890D00000000 mov dword ptr fs:[00000000],
ecx
:0058C0B1 E9E0010000 jmp
0058C296 <===注册信息错误提示完后,跳走
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C012(C)
<===从这里可以看出,注册成功的分支是从哪里跳来的(0058C012),向上看
|
:0058C0B6 66C746105000
mov [esi+10], 0050
:0058C0BC 8D45EC
lea eax, dword ptr
[ebp-14]
:0058C0BF 50
push eax
:0058C0C0 E8EB200000
call 0058E1B0
:0058C0C5 59
pop ecx
:0058C0C6 83461C03
add dword ptr [esi+1C],
00000003
:0058C0CA 66C746100800 mov
[esi+10], 0008
:0058C0D0 8B55FC
mov edx, dword ptr [ebp-04]
:0058C0D3 52
push edx
:0058C0D4 8D4DEC
lea ecx, dword ptr
[ebp-14]
:0058C0D7 51
push ecx
:0058C0D8 E8F30F0000
call 0058D0D0
:0058C0DD 83C408
add esp, 00000008
:0058C0E0 8B45F8
mov eax, dword ptr [ebp-08]
:0058C0E3
50 push
eax
:0058C0E4 8D55EC
lea edx, dword ptr [ebp-14]
:0058C0E7 52
push edx
:0058C0E8 E813110000
call 0058D200
:0058C0ED 83C408
add esp, 00000008
:0058C0F0
833DF8F4600000 cmp dword ptr [0060F4F8], 00000000
:0058C0F7
6A40 push
00000040
:0058C0F9 7408
je 0058C103 <===这里也可以跳向成功
:0058C0FB 8B0DF8F46000
mov ecx, dword ptr [0060F4F8]
:0058C101
EB05 jmp
0058C108 <===这里可以跳向成功
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C0F9(C)
|
:0058C103
B984F25F00 mov ecx, 005FF284
.......
***********************************
此处省略一段代码,功能是将验证为正确的注册信息,进行保存,与算法无关
***********************************
.......
:0058C17F
FF461C inc [esi+1C]
:0058C182
894DA0 mov dword
ptr [ebp-60], ecx
:0058C185 8B45A0
mov eax, dword ptr [ebp-60]
:0058C188 33C9
xor ecx, ecx
:0058C18A
8B10 mov
edx, dword ptr [eax]
*
Possible Reference to String Resource ID=01358: "mo鲨??<===这里就是注册成功的标志
?%0:s
%1:s
靼O??濞团bl?G?"
<===1358,恭喜您!软件注册成功!$0D$0A您的姓名:%0:s$0D$0A注册码:%1:s$0D$0A请记住这个注册码。今后若您重装系统、更换硬盘或升级电脑,需要重新安装本软件,这时软件可能又会提示您注册,您用这个注册码注册即可。
|
:0058C18C B84E050000
mov eax, 0000054E
:0058C191 52
push edx
:0058C192 894DD8
mov dword ptr [ebp-28],
ecx
:0058C195 FF461C
inc [esi+1C]
:0058C198 8D55D8
lea edx, dword ptr [ebp-28]
:0058C19B E85873F9FF
call 005234F8
:0058C1A0 837DD800
cmp dword ptr [ebp-28], 00000000
:0058C1A4
7405 je 0058C1AB
:0058C1A6
8B55D8 mov edx,
dword ptr [ebp-28]
:0058C1A9 EB05
jmp 0058C1B0
.......
.......
------0058C00A
call 0058F3BC 算法CALL了,F8跟进-----------------------
:0058F3BC
55 push
ebp
:0058F3BD 8BEC
mov ebp, esp
:0058F3BF 83C4B8
add esp, FFFFFFB8
:0058F3C2 B83C096000
mov eax, 0060093C
:0058F3C7 53
push ebx
:0058F3C8
8D5DB8 lea ebx,
dword ptr [ebp-48]
:0058F3CB 56
push esi
:0058F3CC E813EB0100
call 005ADEE4
:0058F3D1 C7431C01000000
mov [ebx+1C], 00000001
:0058F3D8 8D5508
lea edx, dword ptr [ebp+08]
:0058F3DB
8D4508 lea eax,
dword ptr [ebp+08]
:0058F3DE E8D5B40200
call 005BA8B8
:0058F3E3 FF431C
inc [ebx+1C]
:0058F3E6 66C743100800
mov [ebx+10], 0008
:0058F3EC 833D4807600000
cmp dword ptr [00600748], 00000000
:0058F3F3 740B
je 0058F400
:0058F3F5
8B1548076000 mov edx, dword ptr [00600748]<===EDX=KJAS100-(一看就知道,这是正确注册码的前缀)
:0058F3FB
8B72FC mov esi,
dword ptr [edx-04]
:0058F3FE EB02
jmp 0058F402
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F3F3(C)
|
:0058F400
33F6 xor
esi, esi
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0058F3FE(U)
|
:0058F402
837D0800 cmp dword ptr
[ebp+08], 00000000
:0058F406 7408
je 0058F410
:0058F408 8B4508
mov eax, dword ptr [ebp+08]<===EAX=78787878
:0058F40B
8B50FC mov edx,
dword ptr [eax-04]<===EDX=8(注册码的长度)
:0058F40E EB02
jmp 0058F412
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F406(C)
|
:0058F410
33D2 xor
edx, edx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0058F40E(U)
|
:0058F412
8D4611 lea eax,
dword ptr [esi+11]
<===EAX=19h(即ESI+11h:前缀长度8加17,也就是完整注册码的长度应为25),将注册码改为KJAS100-1234567890abcdefg(因为后面要对后面部分按不同位置取值,所以用78787878已经不合适,因为很难判断程序具体取的是哪个位置上的值),重新来
:0058F415
3BD0 cmp
edx, eax <===注册码的长度对比
:0058F417 754C
jne 0058F465 <===如果输入的注册码长度没有25,就跳向OVER!
:0058F419
66C743101400 mov [ebx+10], 0014
:0058F41F
33C9 xor
ecx, ecx
:0058F421 8D45F4
lea eax, dword ptr [ebp-0C]
:0058F424 894DF4
mov dword ptr [ebp-0C], ecx
:0058F427
50 push
eax
:0058F428 FF431C
inc [ebx+1C]
:0058F42B 8D4508
lea eax, dword ptr [ebp+08]
:0058F42E 8BCE
mov ecx, esi
:0058F430
BA01000000 mov edx, 00000001
:0058F435
E8EAB90200 call 005BAE24
:0058F43A
8D45F4 lea eax,
dword ptr [ebp-0C]
:0058F43D BA48076000
mov edx, 00600748
:0058F442 E895B60200
call 005BAADC
:0058F447 84C0
test al, al
:0058F449 8D45F4
lea eax, dword ptr [ebp-0C]
:0058F44C
0F95C1 setne cl
:0058F44F
83E101 and ecx,
00000001
:0058F452 BA02000000 mov
edx, 00000002
:0058F457 51
push ecx
:0058F458 FF4B1C
dec [ebx+1C]
:0058F45B E880B50200
call 005BA9E0
:0058F460 59
pop ecx
:0058F461
85C9 test
ecx, ecx
:0058F463 7422
je 0058F487 <===程序从这里跳走
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F417(C)
|
:0058F465
33C0 xor
eax, eax
:0058F467 BA02000000 mov
edx, 00000002
:0058F46C 50
push eax
:0058F46D 8D4508
lea eax, dword ptr [ebp+08]
:0058F470 FF4B1C
dec [ebx+1C]
:0058F473
E868B50200 call 005BA9E0
:0058F478
58 pop
eax
:0058F479 8B13
mov edx, dword ptr [ebx]
:0058F47B 64891500000000
mov dword ptr fs:[00000000], edx
:0058F482 E905020000
jmp 0058F68C <===如果到这里,就等于OVER了。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F463(C)
|
:0058F487
66C743102000 mov [ebx+10], 0020 <===从上面跳到这里
:0058F48D
33C9 xor
ecx, ecx
:0058F48F 8D45F0
lea eax, dword ptr [ebp-10]
:0058F492 894DF0
mov dword ptr [ebp-10], ecx
:0058F495
50 push
eax
:0058F496 FF431C
inc [ebx+1C]
:0058F499 837D0800
cmp dword ptr [ebp+08], 00000000
:0058F49D 7408
je 0058F4A7
:0058F49F
8B5508 mov edx,
dword ptr [ebp+08]
:0058F4A2 8B4AFC
mov ecx, dword ptr [edx-04]
:0058F4A5 EB02
jmp 0058F4A9
<===从这里跳走
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F49D(C)
|
:0058F4A7
33C9 xor
ecx, ecx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0058F4A5(U)
|
:0058F4A9
2BCE sub
ecx, esi <===从上面跳到这里
:0058F4AB 8D5601
lea edx, dword ptr [esi+01]
:0058F4AE
8D4508 lea eax,
dword ptr [ebp+08]
:0058F4B1 E86EB90200
call 005BAE24
:0058F4B6 8D55F0
lea edx, dword ptr [ebp-10]
:0058F4B9 8D4508
lea eax, dword ptr [ebp+08]
:0058F4BC
E84FB50200 call 005BAA10
:0058F4C1
FF4B1C dec [ebx+1C]
:0058F4C4
8D45F0 lea eax,
dword ptr [ebp-10]
:0058F4C7 BA02000000
mov edx, 00000002
:0058F4CC E80FB50200
call 005BA9E0
<===提出注册码的后面部分1234567890abcdefg,放在EDX里
:0058F4D1
66C743102C00 mov [ebx+10], 002C
:0058F4D7
33C9 xor
ecx, ecx
:0058F4D9 8D45E8
lea eax, dword ptr [ebp-18]
:0058F4DC 894DE8
mov dword ptr [ebp-18], ecx
:0058F4DF
50 push
eax
:0058F4E0 FF431C
inc [ebx+1C]
:0058F4E3 8D4508
lea eax, dword ptr [ebp+08]
:0058F4E6 B903000000
mov ecx, 00000003 <===取值的长度(针对注册码的后部分)
:0058F4EB
BA07000000 mov edx, 00000007 <===取值的起始位置
:0058F4F0
E82FB90200 call 005BAE24
<===取出的值为789
:0058F4F5 8D45E8
lea eax, dword ptr [ebp-18]
:0058F4F8 33D2
xor edx, edx
:0058F4FA
50 push
eax
:0058F4FB 8955EC
mov dword ptr [ebp-14], edx
:0058F4FE 8D4DEC
lea ecx, dword ptr [ebp-14]
:0058F501 BA01000000
mov edx, 00000001 <===取值的起始位置(EDX=起始位置,与其他几处调用005BAE24时一致)
:0058F506
51 push
ecx
* Possible Reference
to String Resource ID=00005: "Cannot Remove System Shell Notification Icon"
|
:0058F507 B905000000
mov ecx, 00000005 <===取值的长度(ECX=长度,从第1位起取5位,即12345)
:0058F50C FF431C
inc [ebx+1C]
:0058F50F
8D4508 lea eax,
dword ptr [ebp+08]
:0058F512 E80DB90200
call 005BAE24 <===取出的值为12345
:0058F517 8D45EC
lea eax, dword ptr
[ebp-14]
:0058F51A 33D2
xor edx, edx
:0058F51C 8955FC
mov dword ptr [ebp-04], edx
:0058F51F 8D4DFC
lea ecx, dword ptr [ebp-04]
:0058F522
FF431C inc [ebx+1C]
:0058F525
5A pop
edx
:0058F526 E80DB50200 call
005BAA38
:0058F52B FF4B1C
dec [ebx+1C]
:0058F52E 8D45E8
lea eax, dword ptr [ebp-18]
:0058F531 BA02000000
mov edx, 00000002
:0058F536
E8A5B40200 call 005BA9E0
:0058F53B
FF4B1C dec [ebx+1C]
:0058F53E
8D45EC lea eax,
dword ptr [ebp-14]
:0058F541 BA02000000
mov edx, 00000002
:0058F546 E895B40200
call 005BA9E0
:0058F54B 66C743100800
mov [ebx+10], 0008
:0058F551 66C743103800
mov [ebx+10], 0038
:0058F557 33C0
xor eax, eax
:0058F559
8D4DE0 lea ecx,
dword ptr [ebp-20]
:0058F55C 8945E0
mov dword ptr [ebp-20], eax
:0058F55F 51
push ecx
:0058F560
FF431C inc [ebx+1C]
*
Possible Reference to String Resource ID=00005: "Cannot Remove System Shell
Notification Icon"
|
:0058F563 B905000000
mov ecx, 00000005 <===取值的长度
:0058F568
8D4508 lea eax,
dword ptr [ebp+08]
:0058F56B BA0D000000
mov edx, 0000000D <===取值的起始位置
:0058F570 E8AFB80200
call 005BAE24 <===取出的值为cdefg
(关键1)
:0058F575 8D45E0
lea eax, dword ptr [ebp-20]
:0058F578 33D2
xor edx, edx
:0058F57A 50
push eax
:0058F57B
8955E4 mov dword
ptr [ebp-1C], edx
:0058F57E 8D4DE4
lea ecx, dword ptr [ebp-1C]
:0058F581 BA0A000000
mov edx, 0000000A <===取值的起始位置
:0058F586
51 push
ecx
:0058F587 B902000000 mov
ecx, 00000002 <===取值的长度
:0058F58C FF431C
inc [ebx+1C]
:0058F58F 8D4508
lea eax, dword ptr [ebp+08]
:0058F592
E88DB80200 call 005BAE24
<===取出的值为0a (关键2)
:0058F597 8D45E4
lea eax, dword ptr [ebp-1C]
:0058F59A
33D2 xor
edx, edx
:0058F59C 8955F8
mov dword ptr [ebp-08], edx
:0058F59F 8D4DF8
lea ecx, dword ptr [ebp-08]
:0058F5A2
FF431C inc [ebx+1C]
:0058F5A5
5A pop
edx
:0058F5A6 E88DB40200 call
005BAA38
<===将关键1和关键2的值合起来(0a在前,cdefg在后),为0acdefg(这样大家都可以看清软件对输入的注册码的取值情况)
:0058F5AB
FF4B1C dec [ebx+1C]
:0058F5AE
8D45E0 lea eax,
dword ptr [ebp-20]
:0058F5B1 BA02000000
mov edx, 00000002
:0058F5B6 E825B40200
call 005BA9E0
:0058F5BB FF4B1C
dec [ebx+1C]
:0058F5BE 8D45E4
lea eax, dword ptr [ebp-1C]
:0058F5C1
BA02000000 mov edx, 00000002
:0058F5C6
E815B40200 call 005BA9E0
:0058F5CB
66C743100800 mov [ebx+10], 0008
:0058F5D1
66C743104400 mov [ebx+10], 0044
:0058F5D7
8B45FC mov eax,
dword ptr [ebp-04]
:0058F5DA 33C9
xor ecx, ecx
:0058F5DC 50
push eax
:0058F5DD 8D45DC
lea eax, dword ptr [ebp-24]
:0058F5E0
894DDC mov dword
ptr [ebp-24], ecx
:0058F5E3 50
push eax
:0058F5E4 FF431C
inc [ebx+1C]
:0058F5E7 E8FCFAFFFF
call 0058F0E8
<===算出需要验证的注册码段,对于后面部分1234567890abcdefg而言,是用前9位变形为7位值,对应第10,11,13,14,15,16,17位的值,第12位无关
:0058F5EC
83C408 add esp,
00000008
:0058F5EF 8D45DC
lea eax, dword ptr [ebp-24] <===EAX里放了一个地址指针,指向4221943(前9位字符的变形结果)
:0058F5F2
8D55F8 lea edx,
dword ptr [ebp-08] <===EDX里放了一个地址指针,指向0acdefg(即第10、11、13~17位,不含第12位)
:0058F5F5 E8E2B40200
call 005BAADC
<===上面EAX和EDX所指向的两个字符串必须相等,返回值(AL)等于0,才能正确注册,到此我们就能推断出正确注册码是
KJAS100-12345678942b21943,如果还要研究算法,就向上看0058F5E7
:0058F5FA 50
push eax
<===将EAX的值压入堆栈,由下面可以得知,EAX必须为0
:0058F5FB FF4B1C
dec [ebx+1C]
:0058F5FE 8D45DC
lea eax, dword ptr
[ebp-24]
:0058F601 BA02000000 mov
edx, 00000002
:0058F606 E8D5B30200
call 005BA9E0<===这个CALL并不会改变堆栈顶的值
:0058F60B 59
pop ecx <===这里就要看堆栈顶的值了
:0058F60C
84C9 test
cl, cl <===CL必须等于0
:0058F60E 743F
je 0058F64F <===要想正确注册,这里必跳走
:0058F610
33C0 xor
eax, eax
:0058F612 BA02000000 mov
edx, 00000002
:0058F617 50
push eax
:0058F618 8D45F8
lea eax, dword ptr [ebp-08]
:0058F61B FF4B1C
dec [ebx+1C]
:0058F61E
E8BDB30200 call 005BA9E0
:0058F623
FF4B1C dec [ebx+1C]
:0058F626
8D45FC lea eax,
dword ptr [ebp-04]
:0058F629 BA02000000
mov edx, 00000002
:0058F62E E8ADB30200
call 005BA9E0
:0058F633 FF4B1C
dec [ebx+1C]
:0058F636 8D4508
lea eax, dword ptr [ebp+08]
:0058F639
BA02000000 mov edx, 00000002
:0058F63E
E89DB30200 call 005BA9E0
:0058F643
58 pop
eax
:0058F644 8B13
mov edx, dword ptr [ebx]
:0058F646 64891500000000
mov dword ptr fs:[00000000], edx
:0058F64D EB3D
jmp 0058F68C
<===从这里跳走,就等于OVER了。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F60E(C)
|
:0058F64F
B001 mov
al, 01 <===很关键的标志位赋值
:0058F651 BA02000000
mov edx, 00000002
:0058F656 50
push eax
:0058F657 8D45F8
lea eax, dword ptr
[ebp-08]
:0058F65A FF4B1C
dec [ebx+1C]
:0058F65D E87EB30200
call 005BA9E0
:0058F662 FF4B1C
dec [ebx+1C]
:0058F665 8D45FC
lea eax, dword ptr [ebp-04]
:0058F668
BA02000000 mov edx, 00000002
:0058F66D
E86EB30200 call 005BA9E0
:0058F672
FF4B1C dec [ebx+1C]
:0058F675
8D4508 lea eax,
dword ptr [ebp+08]
:0058F678 BA02000000
mov edx, 00000002
:0058F67D E85EB30200
call 005BA9E0
:0058F682 58
pop eax
:0058F683 8B13
mov edx, dword ptr
[ebx]
:0058F685 64891500000000 mov dword
ptr fs:[00000000], edx
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0058F482(U),
:0058F64D(U)
|
:0058F68C 5E
pop esi
:0058F68D 5B
pop ebx
:0058F68E 8BE5
mov esp, ebp
:0058F690
5D pop
ebp
:0058F691 C3
ret
-----------------------------------------------------------------------
4、算法说明:由于本人实力有限只能找出注册码,而没办法分析出算法,还请高手指点
a、类型是只对注册码进行验证,与用户名无关。KJAS100-1234567890a?cdefg(?为任意字符)
b、由后面部分的前9个字符,经过两次变形处理后,再与后面部分的第10,11,13,14,15,16,17位的值做比较,如果相等就注册成功,第12位无用。从软件保护的角度看,这种校验完全在本地完成,与用户名和机器无关,结果只体现为一个布尔返回值和一次条件跳转(0058C010处的test al, al),所以同一个注册码对所有用户都有效。
5、注册信息存放在注册表:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\zycascn]
"xbrmd110"=hex:cb,c9,cd,c7,ce,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"xbrun"=hex:b7,be,a4,bd,a3,b8,8f,a0,8e,8a,99,92,93,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"xbrrc"=hex:ca,c8,ce,cf,9c,cd,ca,c8,cf,ca,c8,c6,ca,ce,cc,d0,d1,cc,ce,d0,d1,c0,\
b4,ab,b6,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
以及文件reginfo.dat里,必须将这两处都删除,才能回到未注册状态。
6、我的注册信息:
newlaos[DFCG]
KJAS100-12345678942b21943