某国外报表软件 Version 5.00 Release Notes
限制:授权限制,启动XLRregister.exe检查注册。
点Options菜单里的Enter key
出错后弹出对话框,可以看出先检查是否有”-”,然后分别检查前面和后面的字符串。
序列号的格式是:xxxxx-yyyyyy,其中xxxxx格式是数字,并且大于10000,小于100000。
lock是:361534-500-66538648
首先处理最后几位
66538648 → 3F74C98(变为16进制数)
98->cl
And ecx,ff → ecx=98
Mov dl,ah → dl=4c
分析算法:
00401346 . FFD6 call esi ; /atol
00401348 . 83C4 04 add esp,4
0040134B . 3D 10270000 cmp eax,2710 ; 序列号"-"之前的大于10001
00401350 . 0F8E 15030000 jle XLRregis.0040166B ; 跳转就失败
00401356 . 3D A0860100 cmp eax, 186A0 ; 序列号"-"之前的小于100000
0040135B . 0F8D 0A030000 jge XLRregis.0040166B ; 跳转就失败
00401361 . 8B55 68 mov edx,dword ptr ss:[ebp+68] ; ascii:500
00401364 . 83C2 58 add edx,58
00401367 . 52 push edx ; id最后数字:66538648
00401368 . FFD6 call esi ; 66538648->变为整数放在eax里0x 03f 74c98
0040136A . 8AC8 mov cl,al
0040136C . 33D2 xor edx,edx
0040136E . 81E1 FF000000 and ecx,0FF
00401374 . 8AD4 mov dl,ah
00401376 . 894424 14 mov dword ptr ss:[esp+14],eax ; 变量14存放: 3f 74c98
0040137A . 66: 894C24 18 mov word ptr ss:[esp+18],cx ; 98
0040137F . 66:895424 1A mov word ptr ss:[esp+ 1A],dx ; 004c
00401384 . 33C0 xor eax,eax
00401386 . 8A4424 16 mov al,byte ptr ss:[esp+16] ; F7,猜测是 3f 74c98中的
0040138A . 33C9 xor ecx,ecx
0040138C . 8A 4C24 17 mov cl,byte ptr ss:[esp+17] ; 03 猜测是 3f 74c98中的03
00401390 . 8D5424 24 lea edx,dword ptr ss:[esp+24] ; 我输入的key后面几位 100000
00401394 . 52 push edx
00401395 . 66:894424 20 mov word ptr ss:[esp+20],ax ; f7
0040139A . 66: 894C24 22 mov word ptr ss:[esp+22],cx ; 03
0040139F . FFD6 call esi ; 得到值:100000-> 186a0
004013A1 . 8B 4C24 1C mov ecx,dword ptr ss:[esp+ 1C] ; 004c0098, lock拆开的, 4c98-> 004c0098
004013A5 . 8B5424 20 mov edx,dword ptr ss:[esp+20] ; 03f7-> 000300f7
004013A9 . 8BD8 mov ebx,eax ; 我输入的key: 186a0
004013AB . 8B4424 22 mov eax,dword ptr ss:[esp+22] ; ??? usp10.74b30003
004013AF . 25 FFFF0000 and eax,0FFFF ; 0003
004013B4 . 81E1 FFFF0000 and ecx,0FFFF ; 0098
004013BA . 03C1 add eax,ecx
004013BC . 81E2 FFFF0000 and edx,0FFFF ; edx= 000300f7
004013C2 . C1E0 08 shl eax,8 ; 009d移位
004013C5 . 03C2 add eax,edx ; eax=9b00,edx=f7
004013C7 . 8B5424 1E mov edx,dword ptr ss:[esp+1E]; 00f 7004c
004013CB . 8BC8 mov ecx,eax ; 9Bf7
004013CD . 81E2 FFFF0000 and edx,0FFFF ; 00f 7004c-> 004c
004013D3 . C1E1 08 shl ecx,8
004013D6 . 2BC8 sub ecx,eax ; 9bf700-9bf7
004013D8 . 8B4424 18 mov eax,dword ptr ss:[esp+18]
004013DC . 03C1 add eax,ecx ; eax= 03f 74c98,ecx=009b5b09
004013DE . 83C4 08 add esp,8
004013E1 . 03D0 add edx,eax
004013E3 . 8BC3 mov eax,ebx ; 我输入的key
004013E5 . 81E2 FFFF0001 and edx,100FFFF
004013EB . 25 FFFF00FF and eax,FF00FFFF
004013F0 . 81CA 00000002 or edx,2000000
004013F6 . 33D0 xor edx,eax
004013F8 . 74 1E je short XLRregis.00401418
004013FA . 6A 10 push 10
004013FC . 68 98714000 push XLRregis.00407198 ; ASCII "Invalid Key"
00401401 . 68 68714000 push XLRregis.00407168 ; ASCII "Entry after '-' is Invalid"
00401406 . 8BCD mov ecx,ebp
00401408 . E8 0D2E0000 call <jmp.&MFC42.#4224>
0040140D . 5F pop edi
0040140E . 5E pop esi
0040140F . 5D pop ebp
00401410 . 5B pop ebx
00401411 . 81C 4 F4010000 add esp, 1F4
00401417 . C3 retn
写出注册机:
// Body of the key generator written against the check disassembled above.
// The enclosing procedure header (presumably a button-click handler on a
// form with edtLock, edtKey and sbar) is not shown on this page.
// The lock text is split at its last '-', the trailing segment is parsed as
// an integer and pushed through the same byte-mixing arithmetic the target
// performs at 004013A1-004013F0; the leading segment only has to fall in the
// numeric range the target checks at 0040134B-0040135B, so it is drawn at
// random. From a defensive standpoint this shows the weakness of the scheme:
// the check is a fixed, invertible function of the lock with no secret beyond
// constants embedded in the executable and no signature to verify, which is
// why it can be re-implemented from the disassembly at all.
var
lock: Integer;            // trailing lock segment as an integer (0x03F74C98 in the trace above)
tmp,tmp2,tmp3: integer;   // scratch values for the mixing steps; tmp3 is declared but never used
str1: string;             // trailing segment text, later reused for the generated leading segment
idx: integer;             // position of the last '-' in edtLock.Text
begin
sbar.SimpleText := '';    // clear any previous status message
edtKey.Text := '';
idx := LastDelimiter('-',edtLock.Text);   // the target also insists on a '-' (see L4 of the notes)
if idx<=0 then
begin
sbar.SimpleText := 'lock非法!缺少-';      // "lock invalid: missing '-'"
exit;
end;
str1 := Copy(edtLock.Text,idx+1,Length(edtLock.Text)-idx);   // everything after the last '-'
if not tryStrToInt(str1,lock) then
begin
sbar.SimpleText := 'lock非法!';          // "lock invalid"
exit;
end;
// Byte mixing, mirroring 004013AF-004013E1 on the four bytes of lock
// (b0 = bits 0-7, b1 = bits 8-15, b2 = bits 16-23, b3 = bits 24-31).
tmp := lock and $ff;      // b0
tmp2 := lock shr 24;      // b3
//tmp2 := lock and $ff;
tmp := tmp + tmp2;        // b0 + b3
tmp := tmp shl 8;
tmp2 := lock shr 16;
tmp2 := tmp2 and $ff;     // b2
tmp := tmp+tmp2;          // ((b0 + b3) shl 8) + b2
tmp2 := tmp shl 8;
tmp := tmp2-tmp;          // (x shl 8) - x, i.e. x * 255
tmp := lock+tmp;
tmp2 := lock shr 8;
tmp2 := tmp2 and $FF;     // b1
tmp := tmp + tmp2;
tmp := tmp and $100ffff;  // keep bits 0-15 and bit 24, as the target does at 004013E5
tmp := tmp or $2000000;   // set bit 25, as at 004013F0
// Leading segment: the target only range-checks it, so any value in range
// is accepted; there is no binding between the two halves of the key.
Randomize;
str1 := IntToStr(Random(89999)+10000);
edtKey.Text := str1+ '-'+ IntToStr(tmp);
end;