Chapter 7 - Looking for Software Registration Codes
Let's find the software's real registration code!
Looking for a software registration code is like playing hide-and-seek with your kitten: simple and fun, although you may not feel that way yet.
OK, let's start.
I don't know whether you understood the principle I explained earlier; if you didn't, I'll say it once more.
The software generates a registration code from the username or machine code you entered and compares it with the registration code you typed in. If the two are identical, the code you entered is correct and the software completes the registration. If not, heh, of course registration fails.
OK, so now you know that the software has a step that compares two registration codes; that is the key. If the software you are dealing with is a basic one, this will be a very happy thing.
The software first calculates the correct registration code and then compares it with the one you entered. In other words, the correct registration code is calculated by the software itself! Hey, isn't that exactly what you are searching for? Although law and morality do not allow us to search for it, ...
Let me say it again: although today's software is much better than it used to be, this kind of plaintext comparison is still very common. So-called plaintext comparison means the software first calculates the correct registration code, puts it somewhere in memory (or under your living-room sofa), then fetches the registration code you entered and compares the two. Oh, I get it: find that comparison, see where the software put the registration code in memory, go and look at that memory, and done!
Which form of it is the most common (and the tastiest)? Let me explain the simplest one once more:
MOV EAX, [...]    ; the operand is a memory address, or the address held in another register (MOV EAX, reg)
MOV EDX, [...]    ; the two addresses are usually loaded by instructions like these; this one can also be POP EDX
CALL 00??????     ; the key CALL
JZ/JNZ or JE/JNE  ; the key jump
The first instruction, MOV EAX, [...], loads a memory address (or the address held in another register) into EAX. The second does the same, loading a memory address (or the address held in another register) into EDX. What are these two instructions for? Hey hey...
They load the addresses of the two registration codes, the true one and the false one: one of EAX and EDX holds the memory address of the correct registration code, the other holds the memory address of the code you entered. The software loads these two registers before comparing the codes, and then the key CALL appears. Inside this key CALL the software fetches the two registration codes from the addresses in the two registers and compares them; right after it comes the key jump, which branches according to the comparison result from the CALL above...
You should already see what to do! Right: we just find the software's key CALL, then look at the memory addresses at the key CALL to find the correct registration code, and all of this can be done with a debugger. In a sense, if you can repair your own microwave oven, you can certainly use a debugger. In the debugger, single-step up to the key CALL, then use D EAX and D EDX to view the two registration codes stored at the two addresses. If one of them is what you just entered, the other one is the correct code.
And what about the so-called memory keygen? I won't say much here: it automatically breaks at the corresponding place when the software checks the registration and displays the value in the corresponding memory; of course, it has to be configured... Tools of this kind include CrackCode2000 and the keygen writer Keymake; for specific usage, see the software's online help ^_^ Our remaining question is how to find this key CALL; basically, you can use the method I told you above. Very simple.
But just as the windows in your house can always be cleaned while ours never get wiped (hmm! heavy stuff), as with everything, some software's key CALL will be harder to find; with the right method, though, you will still find it just fine...
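To make the difference concrete, here is an added example (not code from the tutorial or from any of the programs it examines) that models the plaintext-comparison pattern described above beside a verifier that never computes the correct code. The derivation function derive_code, the check functions, the toy RSA constants (the textbook 61*53 pair, insecure by design) and the memory list that stands in for what D EAX / D EDX would show are all invented for this illustration.

```python
"""Plaintext-comparison registration check beside a signature-based one.

Added example, not code from the tutorial or from any of the programs it
examines. The derivation function, the toy RSA constants and the `memory`
list are all invented for illustration.
"""
import hashlib
import hmac

# ---- 1. The pattern the tutorial describes: compute, then compare ---------

def derive_code(name: str) -> str:
    """Hypothetical vendor algorithm: 8 hex characters derived from the name."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:8]

def check_plaintext(name: str, entered: str, memory: list) -> bool:
    """The 'key CALL' pattern: the correct code is computed first, so at the
    moment of the compare both strings sit in process memory. `memory`
    stands in for what D EAX / D EDX would show in the debugger."""
    correct = derive_code(name)
    memory.append(("expected", correct))   # the buffer D EDX would dump
    memory.append(("entered", entered))    # the buffer D EAX would dump
    return hmac.compare_digest(correct.encode(), entered.encode())

# ---- 2. A verifier that never computes the correct code ------------------
# Toy RSA parameters (textbook 61*53 example); real products use >=2048-bit
# keys and a proper signature scheme. Only N and E would ship in the binary.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, vendor side only

def name_digest(name: str) -> int:
    """Hash the name into the (toy) RSA message space."""
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % N

def vendor_sign(name: str) -> str:
    """Vendor-side keygen: the registration code is a signature over the name."""
    return format(pow(name_digest(name), D, N), "04x")

def check_signature(name: str, entered: str, memory: list) -> bool:
    """Verifier: undo the signature with the public exponent and compare it to
    the hash of the name. Nothing in memory at the compare is a usable code,
    and without D the program cannot produce one."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 <= sig < N:
        return False
    recovered = pow(sig, E, N)
    expected = name_digest(name)
    memory.append(("recovered", recovered))
    memory.append(("expected_hash", expected))
    return recovered == expected

def leaked_code(memory: list):
    """What a memory dump at the compare reveals: the expected code, if any."""
    for label, value in memory:
        if label == "expected":
            return value
    return None

if __name__ == "__main__":
    name, wrong = "Suunb[ccg]", "19870219"     # the tutorial's test inputs
    mem = []
    print("plaintext check:", check_plaintext(name, wrong, mem),
          "| dump reveals:", leaked_code(mem))
    mem = []
    print("signature check:", check_signature(name, wrong, mem),
          "| dump reveals:", leaked_code(mem))
    print("signed code verifies:", check_signature(name, vendor_sign(name), []))
```

Run it as a script: with the plaintext check the dump at the compare contains the expected code, exactly what the D EDX step above reads out; with the signature check it contains two hashes and no code. Reducing the hash modulo a 12-bit N is only to keep the arithmetic readable; a real verifier would use a vetted signature library with full-size keys.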
Let's play, let's play:
First of all, we get our hands on the CHINAZIP software again ^_^
It is already our old friend, so no introduction is needed.
OK, install it first (heh, I just like talking nonsense, you don't have to say anything ^_^), then Help -> Register, enter Name: Suunb[ccg], Code: 19870219.
Then I invite our old friend TRW2000. Set the breakpoint bpx hmemcpy, press F5 to return to the program, and click OK:
KERNEL!HMEMCPY
0147:9E62  PUSH BP
0147:9E63  MOV BP,SP
0147:9E65  PUSH DS
0147:9E66  PUSH EDI
0147:9E68  PUSH ESI
0147:9E6A  CLD
0147:9E6B  MOV ECX,[BP+06]
0147:9E6F  JCXZ 9EE9
... N lines omitted ...
Type BC * to clear the breakpoints, then PMODULE to jump directly to the program's own code:
0167:00436D13  MOV [EBX+0C],EAX
0167:00436D16  MOV EAX,[EBX]
0167:00436D18  CMP EAX,BYTE 0C
0167:00436D1B  JNZ 00436D38
0167:00436D1D  MOV EDX,[EBX+08]
0167:00436D20  PUSH EDX
0167:00436D21  MOV ECX,[EBX+04]
0167:00436D24  MOV EDX,EAX
0167:00436D26  MOV EAX,ESI
0167:00436D28  CALL 00432B24
... N lines omitted ...
Pressing F12 8 times brings up the error message; so on the second run we press F12 7 times and then switch to F10, and after 16 presses of F10 it errors again. OK, here we go: this time we press F10 using the method I described before: when we are within five or six presses of the count that produced the error last time, slow down. Around the 10th press, heh, I see the jump at 004F4DEC and the key CALL just above it; press F10 until we reach 004F4DE7 (the key CALL). With that instruction about to execute, D EDX shows the real registration code and D EAX shows the 19870219 I just had you enter:
0167:004F4DC4  MOV EAX,[EBP-08]      <- after 7 x F12 and 1 x F10 we are here (at this point [EBP-08] holds the entered registration code 19870219)
0167:004F4DC7  PUSH EAX              <- push EAX onto the stack
0167:004F4DC8  LEA EDX,[EBP-10]
0167:004F4DCB  MOV EAX,[EBX+02E0]
0167:004F4DD1  CALL 00432F24         <- this CALL fetches the username the user entered; it is really an API function, heh, follow it if you are curious
0167:004F4DD6  MOV EDX,[EBP-10]      <- load the username into EDX
0167:004F4DD9  LEA ECX,[EBP-0C]
0167:004F4DDC  MOV EAX,EBX
0167:004F4DDE  CALL 004F4FAC         <- this CALL calculates the true registration code
0167:004F4DE3  MOV EDX,[EBP-0C]      <- the calculated true registration code is placed in EDX; once we are at the next instruction, D EDX shows it
0167:004F4DE6  POP EAX               <- pop the previously pushed entered registration code off the stack
0167:004F4DE7  CALL 0040411C         <- this CALL compares the two registration codes, the culprit!
0167:004F4DEC  JNZ 004F4E64          <- not equal, jump; patchers change 75 to 74 or EB (90 works too, of course)
0167:004F4DEE  MOV DL,01
0167:004F4DF0  MOV EAX,[00452558]
0167:004F4DF5  CALL 00452658
0167:004F4DFA  MOV [EBP-04],EAX
0167:004F4DFD  XOR EAX,EAX
0167:004F4DFF  PUSH EBP
0167:004F4E00  PUSH DWORD 004F4E5D
0167:004F4E05  PUSH DWORD [FS:EAX]
0167:004F4E08  MOV [FS:EAX],ESP
0167:004F4E0B  MOV CL,01
0167:004F4E0D  MOV EDX,004F4EA8
0167:004F4E12  MOV EAX,[EBP-04]
0167:004F4E15  CALL 0045283C
0167:004F4E1A  MOV ECX,004F4ECC
0167:004F4E1F  MOV EDX,004F4EF4
0167:004F4E24  MOV EAX,[EBP-04]
0167:004F4E27  CALL 00452C80
0167:004F4E2C  MOV EAX,004F4F00
0167:004F4E31  CALL 00458B8C
0167:004F4E36  MOV EAX,[0050306C]
0167:004F4E3B  MOV EAX,[EAX]
0167:004F4E3D  MOV EDX,004F4F24
0167:004F4E42  CALL 00432F54
0167:004F4E47  XOR EAX,EAX
0167:004F4E49  POP EDX
0167:004F4E4A  POP ECX
0167:004F4E4B  POP ECX
0167:004F4E4C  MOV [FS:EAX],EDX
0167:004F4E4F  PUSH DWORD 004F4E6E
0167:004F4E54  MOV EAX,[EBP-04]
0167:004F4E57  CALL 004030C4
0167:004F4E5C  RET
0167:004F4E5D  JMP 00403824
0167:004F4E62  JMP SHORT 004F4E54
0167:004F4E64  MOV EAX,004F4F48      <- target of the jump at 0167:004F4DEC above, game over!
0167:004F4E69  CALL 00458B8C
0167:004F4E6E  XOR EAX,EAX
Summary:
Name: Suunb[ccg]
Code: sccg5296
In fact you can simply set BPX 004F4DE6 in TRW2000; once it breaks, the true registration code can be viewed.
Also attached, the CrackCode2000 configuration (Crackcode.ini):
[Options]
CommandLine = Chinazip.exe
Mode = 2
First_Break_Address = 4f4de7
First_Break_Address_Code = E8
First_Break_Address_Code_Lenth = 5
Second_Break_Address = 404123
Second_Break_Address_Code_Lenth = 2
Save_Code_Address = EDX
Oh, isn't that simple? I told you it wasn't hard.
I wonder whether you noticed that the key CALL in the software above was still very easy to find; I believe you could have found it with W32DASM, so why not use it? Why bother with the debugger for such relatively simple software?
Here is how to find a key CALL with W32DASM:
[Software name] E Family Variable Desktop
[Version] 4.0
[File size] 1316KB
[Platform] Win9X/ME/NT/2000
[Description] Provides 25 ways of changing your desktop to give it a new look. Simple to operate, effortless to learn. Supports a variety of popular Internet image formats. Packs wallpaper files for easy storage and forwarding, and unpacks wallpaper packages to restore the image files.
Heh, I'm too lazy to tease my kitten, so let's use the software from the 2001 Computer Newspaper subscriber CD (I didn't buy the 2002 one).
Install it first (heh, used to it yet? why don't you say something? ^_^). Run the software: it automatically generates the corresponding machine code and waits at the registration code field. Enter the registration code 19870219, click OK, and bang!
Check with FI: the software was compiled with Delphi and has no packer.
Open the executable with W32DASM, go to Refs -> String Data References, and near the bottom you will see "Registration code incorrect, please contact the author".
Double-click it: it is referenced only once, at 00488E97. Next to "Registration code incorrect, please contact the author" in the string reference dialog is "Thank you for supporting domestic software, I wish you good luck" (I'm embarrassed to say it).
Double-click that one: again only one reference, at 00488DF7:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488DCD(U)
|
:00488DD9 8B45FC                  mov eax, dword ptr [ebp-04]
:00488DDC 8B8020040000            mov eax, dword ptr [eax+00000420]
:00488DE2 35280BB61E              xor eax, 1EB60B28
:00488DE7 3B45F8                  cmp eax, dword ptr [ebp-08]      <- key comparison; ? EAX shows the software's correct registration code
:00488DEA 0F85A0000000            jne 00488E90                     <- key jump: not equal, jump!
:00488DF0 6A40                    push 00000040

* Possible StringData Ref from Code Obj ->"Registration successful"
|
:00488DF2 68D48E4800              push 00488ED4

* Possible StringData Ref from Code Obj ->"Thank you for supporting domestic software, I wish you good luck!"
|
:00488DF7 68E08E4800              push 00488EE0                    <- double-clicking the string reference lands on this line; looking up, the first jump is the key jump, and above the key jump is the key comparison
:00488DFC 8B45FC                  mov eax, dword ptr [ebp-04]
:00488DFF E81CD2FBFF              call 00446020
:00488E04 50                      push eax
... N lines omitted ...
Looking up, there is a jump at 00488DEA: if not equal, it jumps to 00488E90. Jump! Remember the error dialog at 00488E97! The culprit!
One more line up, at 00488DE7: CMP EAX, DWORD PTR [EBP-08] is the key comparison. ? EAX shows the software's correct registration code.
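The targets W32DASM prints after a jump or CALL (and the ones OllyDbg prints in the WinZip listings later in this chapter) are derived from the opcode bytes: next instruction address plus a sign-extended displacement. The following added example (not part of the tutorial) recomputes them from the bytes shown in the listings, which is a quick way to check a listing whose target column has been garbled. The sample rows are copied from this chapter's listings; the function names and the SAMPLES table are constructed for the demonstration.

```python
"""Recompute relative jump/CALL targets from the bytes in a listing.

Added example, not part of the tutorial. The sample lines are copied from
the W32DASM and OllyDbg listings in this chapter; everything else (function
names, the SAMPLES table) is constructed for this demonstration.
"""
import struct

# Condition-code suffixes for Jcc, indexed by the low nibble of the opcode.
# (OllyDbg prints JE/JNZ synonyms for some of these; the target is the same.)
CC = ["o", "no", "b", "ae", "e", "ne", "be", "a",
      "s", "ns", "p", "np", "l", "ge", "le", "g"]

def decode_branch(addr: int, code: bytes):
    """Decode a relative CALL/JMP/Jcc located at `addr`.

    Returns (mnemonic, target, length). The target is the address of the
    next instruction plus the sign-extended displacement, which is exactly
    the number W32DASM and OllyDbg print after the mnemonic."""
    if not code:
        raise ValueError("empty")
    op = code[0]
    if op in (0xE8, 0xE9):                       # CALL rel32 / JMP rel32
        mnem, start, width = ("call" if op == 0xE8 else "jmp"), 1, 4
    elif op == 0xEB:                             # JMP SHORT rel8
        mnem, start, width = "jmp short", 1, 1
    elif 0x70 <= op <= 0x7F:                     # Jcc SHORT rel8
        mnem, start, width = "j" + CC[op - 0x70] + " short", 1, 1
    elif op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:
        mnem, start, width = "j" + CC[code[1] - 0x80], 2, 4   # Jcc rel32
    else:
        raise ValueError(f"not a relative branch: {code[:2].hex()}")
    length = start + width
    if len(code) < length:
        raise ValueError("truncated instruction bytes")
    disp = struct.unpack("<b" if width == 1 else "<i", code[start:length])[0]
    target = (addr + length + disp) & 0xFFFFFFFF
    return mnem, target, length

def resolve(addr_hex: str, bytes_hex: str) -> str:
    """Listing-style output, e.g. 'jne 00488E90', from an address and bytes."""
    mnem, target, _ = decode_branch(int(addr_hex, 16),
                                    bytes.fromhex(bytes_hex.replace(" ", "")))
    return f"{mnem} {target:08X}"

# (address, opcode bytes, target printed in the listing), copied from the chapter
SAMPLES = [
    ("00488DEA", "0F85 A0000000", "00488E90"),   # W32DASM: the key jump (jne)
    ("0040BD96", "74 5F",         "0040BDF7"),   # OllyDbg: je short
    ("0040BDA1", "E8 31F9FFFF",   "0040B6D7"),   # OllyDbg: the key CALL
    ("0040B711", "72 11",         "0040B724"),   # jb short inside the key CALL
    ("0040B7F1", "E9 F5000000",   "0040B8EB"),   # jmp rel32
    ("0040B844", "0F85 8A000000", "0040B8D4"),   # jnz rel32 after the compare
]

def check_samples(samples=SAMPLES) -> dict:
    """Map each sample address to whether the recomputed target matches."""
    return {addr: resolve(addr, raw).endswith(expected)
            for addr, raw, expected in samples}

if __name__ == "__main__":
    for addr, raw, expected in SAMPLES:
        print(addr, raw.ljust(14), "->", resolve(addr, raw), "expected", expected)
```

Note the negative displacement in the key CALL row: E8 31F9FFFF at 0040BDA1 encodes -0x6CF from 0040BDA6, which lands on 0040B6D7, the routine the chapter later walks through.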
Summary:
Run the software, enter 19870219 as the registration code, open TRW2000, set the breakpoint BPX 00488DE7, click Register, and it breaks. Type ? EAX to get the software's correct registration code.
Machine code: 533226313
Registration code: 25061473
Writing a keygen for the software with the keygen writer:
Click Other -> Alternative Keygen (F8), enter EPAPER.EXE as the software name, and for the registration code choose register EAX, decimal.
Add a breakpoint: break address 00488DE7, break count 1, first byte 3B, instruction length 3.
Generate the keygen and that's it, everything OK!
Hey, doesn't looking for a software's registration code feel more and more like playing with a child? Unfortunately, there is no childhood-sweetheart kind of partner...
OK, let's talk about a somewhat famous piece of software, WinZip 8.1; I believe everyone has used it. Anyway, I prefer RAR, but these past few days...
If you have never heard of it, here is an introduction.
[Software name] WinZip
[Version] 8.1 Beta 2
[File size] 1757KB
[Platform] Win9X/ME/NT/2000
[Description] A powerful and easy-to-use compression utility supporting ZIP, CAB, TAR, GZIP, MIME and many other compressed file formats. Its hallmark is tight drag-and-drop integration with Windows Explorer, so you can compress without leaving Explorer.
Don't tell me; the source is still a Computer Newspaper 2001 CD set.
The reason I chose it is that I think it is about as good as the other two (they really are alike ^_^), and it gives you a chance to feel the charm of OllyDbg compared with a few other debuggers.
The reason I mention OllyDbg is that it is a very great debugger... I strongly recommend that you play with it more... (is the MP3 nice? ^_^)
Let's go: first, of course, install it (flash left, flash right), then load it with OllyDbg. The interface is divided into four panes: the upper left is the disassembly of the software, the upper right is where the registers live, the lower left is the memory dump, and the lower right shows the stack.
Set a breakpoint: press Alt+F4, then select User32, then right-click -> Search for -> Name in current module, find GetDlgItemTextA in that big heap of functions, and press F2 to set the breakpoint. Then it just reports the error without ever breaking; fun, isn't it? (sob... big brother, I was wrong, I won't dare again...)
Oh, I don't know why: the program clearly uses this function, yet it doesn't break. Actually I'm not very familiar with OllyDbg (mainly, I hate it). It looks like we have to use our universal breakpoint. Enter the registration name Suunb[CCG] and the registration code 19870219, then in TRW2000 BPX HMEMCPY; after it breaks, PMODULE returns to the program, then F12 until the error; it seems all the stuff is here... So we use TRW2000 to return to the program's first instruction and write down its address, 0040BD5F. Sob... the instructions below clearly call GetDlgItemTextA, so why didn't OllyDbg break?
Never mind. Note that address, load the program in OllyDbg again, find 0040BD5F in the disassembly window and press F2 to set a breakpoint there (it turns red), then press F9 to run the program, enter the registration name Suunb[CCG] and the registration code 19870219, and OllyDbg breaks here:
0040BD5F  |.  57             PUSH EDI
0040BD60  |.  E8 F34A0500    CALL WinZip32.00460858
0040BD65  |.  57             PUSH EDI                                ; /Arg1
0040BD66  |.  E8 164B0500    CALL WinZip32.00460881                  ; \WinZip32.00460881
0040BD6B  |.  59             POP ECX
0040BD6C  |.  BE 1CCA4C00    MOV ESI,WinZip32.004CCA1C
0040BD71  |.  59             POP ECX
0040BD72  |.  6A 0B          PUSH 0B                                 ; /Count = B (11.)
0040BD74  |.  56             PUSH ESI                                ; |Buffer => WinZip32.004CCA1C
0040BD75  |.  68 810C0000    PUSH 0C81                               ; |ControlID = C81 (3201.)
0040BD7A  |.  53             PUSH EBX                                ; |hWnd
0040BD7B  |.  FF15 F4C54A00  CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
0040BD81  |.  56             PUSH ESI
0040BD82  |.  E8 D14A0500    CALL WinZip32.00460858
0040BD87  |.  56             PUSH ESI
0040BD88  |.  E8 F44A0500    CALL WinZip32.00460881
0040BD8D  |.  803D F0C94C00>CMP BYTE PTR DS:[4CC9F0],0
0040BD94  |.  59             POP ECX
0040BD95  |.  59             POP ECX
0040BD96  |.  74 5F          JE SHORT WinZip32.0040BDF7
0040BD98  |.  803D 1CCA4C00>CMP BYTE PTR DS:[4CCA1C],0
0040BD9F  |.  74 56          JE SHORT WinZip32.0040BDF7
0040BDA1  |.  E8 31F9FFFF    CALL WinZip32.0040B6D7                  <- the key CALL
0040BDA6  |.  84C0           TEST AL,AL                              <- test the result of the comparison done inside the key CALL
0040BDA8  |.  74 4D          JE SHORT WinZip32.0040BDF7              <- if it jumps, no play!
0040BDAA  |.  57             PUSH EDI
0040BDAB  |.  68 08DE4B00    PUSH WinZip32.004BDE08                  ; ASCII "Name"
0040BDB0  |.  FF35 1CC74A00  PUSH DWORD PTR DS:[4AC71C]              ; WinZip32.004BDDEC
0040BDB6  |.  E8 8AFA0400    CALL WinZip32.0045B845
0040BDBB  |.  56             PUSH ESI
0040BDBC  |.  68 C8EB4B00    PUSH WinZip32.004BEBC8                  ; ASCII "SN"
0040BDC1  |.  FF35 1CC74A00  PUSH DWORD PTR DS:[4AC71C]              ; WinZip32.004BDDEC
0040BDC7  |.  E8 79FA0400    CALL WinZip32.0045B845
0040BDCC  |.  FF35 18C74A00  PUSH DWORD PTR DS:[4AC718]              ; |Arg4 = 004BDDF4 ASCII "WinZip32.ini"
0040BDD2  |.  6A 00          PUSH 0                                  ; |Arg3 = 00000000
0040BDD4  |.  6A 00          PUSH 0                                  ; |Arg2 = 00000000
0040BDD6  |.  68 14DE4B00    PUSH WinZip32.004BDE14                  ; |Arg1 = 004BDE14 ASCII "RRS"
0040BDDB  |.  E8 4CFA0400    CALL WinZip32.0045B82C                  ; \WinZip32.0045B82C
0040BDE0  |.  A1 A8914C00    MOV EAX,DWORD PTR DS:[4C91A8]
0040BDE5  |.  83C4 28        ADD ESP,28
0040BDE8  |.  85C0           TEST EAX,EAX
0040BDEA  |.  74 07          JE SHORT WinZip32.0040BDF3
0040BDEC  |.  50             PUSH EAX                                ; /hObject => 000013F4 (font)
0040BDED  |.  FF15 80C04A00  CALL DWORD PTR DS:[<&GDI32.DeleteObject>]; \DeleteObject
0040BDF3  |>  6A 01          PUSH 1
0040BDF5  |.  EB 30          JMP SHORT WinZip32.0040BE27
0040BDF7  |>  E8 C3020000    CALL WinZip32.0040C0BF
0040BDFC  |.  68 8E020000    PUSH 28E
0040BE01  |.  E8 61470500    CALL WinZip32.00460567
0040BE06  |.  50             PUSH EAX                                ; |Arg3
0040BE07  |.  53             PUSH EBX                                ; |Arg2
0040BE08  |.  6A 3D          PUSH 3D                                 ; |Arg1 = 0000003D
0040BE0A  |.  E8 C8050400    CALL WinZip32.0044C3D7                  ; \WinZip32.0044C3D7
After OllyDbg breaks, we can single-step with F8 just as with TRW2000 (this debugger is like me, it doesn't like F4 ^_^). After 32 presses of F8 the program reports the error. On the second run, press F8 again but look closely this time; you can spot the key CALL at 0040BDA1 at a glance, and when we follow it we will see the correct registration code.
What are you waiting for? Let's go in...
After following it with F7 you will be dazzled: PUSH and POP everywhere, which one is it? Now you know why I had you use OllyDbg (I was going to use TRW2000 on this occasion too, but changed my mind at the last minute ^_^). OllyDbg's biggest advantage is that you can see the values in the registers; in particular, when you step with F8, a small pane below the disassembly shows the values of the registers used by the current instruction! After 76 presses of F8 you can see the correct registration code at 0040B803; heh, mine is 71C20EDC. Then step a few more times; cool?
I also found something interesting: in WinZip 8.1 one registration name can have two registration codes. Heh, I don't know whether there is a special code for special users. When the program finishes the comparison and finds the code you entered is incorrect, it calculates another registration code and compares again; hey, my second registration code is 25170288.
Following the code inside the key CALL:
0040B6D7  /$  55             PUSH EBP
0040B6D8  |.  8BEC           MOV EBP,ESP
0040B6DA  |.  81EC 0C020000  SUB ESP,20C
0040B6E0  |.  8065 FF 00     AND BYTE PTR SS:[EBP-1],0
0040B6E4  |.  803D F0C94C00>CMP BYTE PTR DS:[4CC9F0],0
0040B6EB  |.  53             PUSH EBX
0040B6EC  |.  56             PUSH ESI
0040B6ED  |.  57             PUSH EDI
0040B6EE  |.  0F84 FB000000  JE WinZip32.0040B7EF
0040B6F4  |.  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0040B6F7  |.  50             PUSH EAX
0040B6F8  |.  68 C0E84B00    PUSH WinZip32.004BE8C0
0040B6FD  |.  E8 DE61FFFF    CALL WinZip32.004018E0
0040B702  |.  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0040B705  |.  50             PUSH EAX
0040B706  |.  E8 F57C0800    CALL WinZip32.00493400
0040B70B  |.  83C4 0C        ADD ESP,0C
0040B70E  |.  83F8 14        CMP EAX,14
0040B711  |.  72 11          JB SHORT WinZip32.0040B724
0040B713  |.  BF 20C74A00    MOV EDI,WinZip32.004AC720               ; ASCII "Auth.c"
0040B718  |.  6A 21          PUSH 21
0040B71A  |.  57             PUSH EDI
0040B71B  |.  E8 86F60000    CALL WinZip32.0041ADA6
0040B720  |.  59             POP ECX
0040B721  |.  59             POP ECX
0040B722  |.  EB 05          JMP SHORT WinZip32.0040B729
0040B724  |>  BF 20C74A00    MOV EDI,WinZip32.004AC720               ; ASCII "Auth.c"
0040B729  |>  8D85 F4FDFFFF  LEA EAX,DWORD PTR SS:[EBP-20C]
0040B72F  |.  BB F0C94C00    MOV EBX,WinZip32.004CC9F0               ; ASCII "Suunb[CCG]"
0040B734  |.  50             PUSH EAX
0040B735  |.  53             PUSH EBX
0040B736  |.  E8 50030000    CALL WinZip32.0040BA8B
0040B73B  |.  8D85 F4FDFFFF  LEA EAX,DWORD PTR SS:[EBP-20C]
0040B741  |.  50             PUSH EAX
0040B742  |.  E8 B97C0800    CALL WinZip32.00493400
0040B747  |.  BE C8000000    MOV ESI,0C8
0040B74C  |.  83C4 0C        ADD ESP,0C
0040B74F  |.  3BC6           CMP EAX,ESI
0040B751  |.  72 0A          JB SHORT WinZip32.0040B75D
0040B753  |.  6A 23          PUSH 23
0040B755  |.  57             PUSH EDI
0040B756  |.  E8 4BF60000    CALL WinZip32.0041ADA6
0040B75B  |.  59             POP ECX
0040B75C  |.  59             POP ECX
0040B75D  |>  8D85 F4FDFFFF  LEA EAX,DWORD PTR SS:[EBP-20C]
0040B763  |.  50             PUSH EAX
0040B764  |.  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0040B767  |.  50             PUSH EAX
0040B768  |.  E8 03300900    CALL WinZip32.0049E770
0040B76D  |.  59             POP ECX
0040B76E  |.  85C0           TEST EAX,EAX
0040B770  |.  59             POP ECX
0040B771  |.  75 04          JNZ SHORT WinZip32.0040B777
0040B773  |.  C645 FF 01     MOV BYTE PTR SS:[EBP-1],1
0040B777  |>  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0040B77A  |.  50             PUSH EAX
0040B77B  |.  68 D0E84B00    PUSH WinZip32.004BE8D0
0040B780  |.  E8 5B61FFFF    CALL WinZip32.004018E0
0040B785  |.  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0040B788  |.  50             PUSH EAX
0040B789  |.  E8 727C0800    CALL WinZip32.00493400
0040B78E  |.  83C4 0C        ADD ESP,0C
0040B791  |.  83F8 14        CMP EAX,14
0040B794  |.  72 0A          JB SHORT WinZip32.0040B7A0
0040B796  |.  6A 27          PUSH 27
0040B798  |.  57             PUSH EDI
0040B799  |.  E8 08F60000    CALL WinZip32.0041ADA6
0040B79E  |.  59             POP ECX
0040B79F  |.  59             POP ECX
0040B7A0  |>  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0040B7A3  |.  50             PUSH EAX
0040B7A4  |.  53             PUSH EBX
0040B7A5  |.  E8 C62F0900    CALL WinZip32.0049E770
0040B7AA  |.  59             POP ECX
0040B7AB  |.  85C0           TEST EAX,EAX
0040B7AD  |.  59             POP ECX
0040B7AE  |.  75 0E          JNZ SHORT WinZip32.0040B7BE
0040B7B0  |.  FF15 F0C14A00  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
0040B7B6  |.  A8 01          TEST AL,1
0040B7B8  |.  74 04          JE SHORT WinZip32.0040B7BE
0040B7BA  |.  C645 FF 01     MOV BYTE PTR SS:[EBP-1],1
0040B7BE  |>  6A 14          PUSH 14
0040B7C0  |.  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0040B7C3  |.  6A 00          PUSH 0
0040B7C5  |.  50             PUSH EAX
0040B7C6  |.  E8 75820800    CALL WinZip32.00493A40
0040B7CB  |.  56             PUSH ESI
0040B7CC  |.  8D85 F4FDFFFF  LEA EAX,DWORD PTR SS:[EBP-20C]
0040B7D2  |.  6A 00          PUSH 0
0040B7D4  |.  50             PUSH EAX
0040B7D5  |.  E8 66820800    CALL WinZip32.00493A40
0040B7DA  |.  83C4 18        ADD ESP,18
0040B7DD  |.  807D FF 00     CMP BYTE PTR SS:[EBP-1],0
0040B7E1  |.  74 13          JE SHORT WinZip32.0040B7F6
0040B7E3  |.  E8 D7080000    CALL WinZip32.0040C0BF
0040B7E8  |.  8025 EDBF4C00>AND BYTE PTR DS:[4CBFED],0
0040B7EF  |>  32C0           XOR AL,AL
0040B7F1  |.  E9 F5000000    JMP WinZip32.0040B8EB
0040B7F6  |>  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]
0040B7FC  |.  50             PUSH EAX
0040B7FD  |.  53             PUSH EBX
0040B7FE  |.  E8 ED000000    CALL WinZip32.0040B8F0                  <- takes part in computing the software's correct registration code
0040B803  |.  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]          <- the software's correct registration code is seen here for the first time
0040B809  |.  50             PUSH EAX
0040B80A  |.  E8 F17B0800    CALL WinZip32.00493400
0040B80F  |.  BE 2C010000    MOV ESI,12C
0040B814  |.  83C4 0C        ADD ESP,0C
0040B817  |.  3BC6           CMP EAX,ESI
0040B819  |.  72 0A          JB SHORT WinZip32.0040B825
0040B81B  |.  6A 39          PUSH 39
0040B81D  |.  57             PUSH EDI
0040B81E  |.  E8 83F50000    CALL WinZip32.0041ADA6
0040B823  |.  59             POP ECX
0040B824  |.  59             POP ECX
0040B825  |>  BF 1CCA4C00    MOV EDI,WinZip32.004CCA1C               ; ASCII "19870219"  <- the wrong registration code just entered is loaded into EDI
0040B82A  |.  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]          <- EAX gets the address holding the correct registration code
0040B830  |.  57             PUSH EDI                                <- the registration code entered by the user is pushed
0040B831  |.  50             PUSH EAX                                <- the correct registration code calculated by the software
0040B832  |.  E8 392F0900    CALL WinZip32.0049E770                  <- key CALL, compares against the code entered by the user
0040B837  |.  F7D8           NEG EAX
0040B839  |.  1AC0           SBB AL,AL
0040B83B  |.  59             POP ECX
0040B83C  |.  FEC0           INC AL
0040B83E  |.  59             POP ECX
0040B83F  |.  A2 EDBF4C00    MOV BYTE PTR DS:[4CBFED],AL
0040B844  |.  0F85 8A000000  JNZ WinZip32.0040B8D4
0040B84A  |.  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]
0040B850  |.  50             PUSH EAX
0040B851  |.  53             PUSH EBX
0040B852  |.  E8 33010000    CALL WinZip32.0040B98A                  <- takes part in computing the software's second registration code
0040B857  |.  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]          <- at this point the software has computed the other registration code
0040B85D  |.  50             PUSH EAX
0040B85E  |.  E8 9D7B0800    CALL WinZip32.00493400
0040B863  |.  83C4 0C        ADD ESP,0C
0040B866  |.  3BC6           CMP EAX,ESI
0040B868  |.  72 0E          JB SHORT WinZip32.0040B878
0040B86A  |.  6A 3E          PUSH 3E
0040B86C  |.  68 20C74A00    PUSH WinZip32.004AC720                  ; ASCII "Auth.c"
0040B871  |.  E8 30F50000    CALL WinZip32.0041ADA6
0040B876  |.  59             POP ECX
0040B877  |.  59             POP ECX
0040B878  |>  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]          <- the second registration code calculated by the software is loaded into EAX
0040B87E  |.  57             PUSH EDI                                <- the registration code entered by the user is pushed
0040B87F  |.  50             PUSH EAX                                <- the second registration code calculated by the software
0040B880  |.  E8 EB2E0900    CALL WinZip32.0049E770                  <- the other key CALL, compares against the second generated registration code
0040B885  |.  F7D8           NEG EAX
0040B887  |.  1AC0           SBB AL,AL
0040B889  |.  59             POP ECX
0040B88A  |.  FEC0           INC AL
0040B88C  |.  59             POP ECX
0040B88D  |.  A2 EDBF4C00    MOV BYTE PTR DS:[4CBFED],AL
0040B892  |.  75 40          JNZ SHORT WinZip32.0040B8D4
0040B894  |.  8D85 C0FEFFFF  LEA EAX,DWORD PTR SS:[EBP-140]
0040B89A  |.  6A 04          PUSH 4
0040B89C  |.  50             PUSH EAX
0040B89D  |.  57             PUSH EDI
0040B89E  |.  E8 DD690900    CALL WinZip32.004A2280
0040B8A3  |.  83C4 0C        ADD ESP,0C
0040B8A6  |.  85C0           TEST EAX,EAX
0040B8A8  |.  75 23          JNZ SHORT WinZip32.0040B8CD
0040B8AA  |.  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]
0040B8B0  |.  6A 04          PUSH 4
0040B8B2  |.  50             PUSH EAX
0040B8B3  |.  68 20CA4C00    PUSH WinZip32.004CCA20                  ; ASCII "0219"
0040B8B8  |.  E8 C3690900    CALL WinZip32.004A2280
0040B8BD  |.  83C4 0C        ADD ESP,0C
0040B8C0  |.  85C0           TEST EAX,EAX
0040B8C2  |.  75 09          JNZ SHORT WinZip32.0040B8CD
0040B8C4  |.  C605 EDBF4C00>MOV BYTE PTR DS:[4CBFED],1
0040B8CB  |.  EB 07          JMP SHORT WinZip32.0040B8D4
0040B8CD  |>  8025 EDBF4C00>AND BYTE PTR DS:[4CBFED],0
0040B8D4  |>  56             PUSH ESI
0040B8D5  |.  8D85 BCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-144]
0040B8DB  |.  6A 00          PUSH 0
0040B8DD  |.  50             PUSH EAX
0040B8DE  |.  E8 5D810800    CALL WinZip32.00493A40
0040B8E3  |.  A0 EDBF4C00    MOV AL,BYTE PTR DS:[4CBFED]
0040B8E8  |.  83C4 0C        ADD ESP,0C
0040B8EB  |>  5F             POP EDI
0040B8EC  |.  5E             POP ESI
0040B8ED  |.  5B             POP EBX
0040B8EE  |.  C9             LEAVE
0040B8EF  \.  C3             RETN
Summary:
Name: Suunb[CCG]
Registration code: 71C20EDC or 25170288
Actually, if you sit there with a cup of tea and think it over, you will see that it is not hard at all, just a little bit of a hassle.
That's it for this chapter; I'm very sleepy now...
Finally: there is still plenty of software out there using the plaintext comparison method, so if you want to find one or two programs to practice on, it is very easy.
I also intended to cover software that does not use plaintext comparison in this chapter, but then realized that if a code can be found without plaintext comparison, that really comes down to the algorithm, so... next chapter, when we analyze the software's registration algorithms...