《恒特画王》的注册算法分析(浮点运算)
【破文标题】《恒特画王》的注册算法分析(浮点运算)
【破文作者】水中花
【作者邮箱】
【作者主页】
【破解工具】
【破解平台】
【软件名称】恒特画王
【软件大小】
【原版下载】上网自己搜索
【保护方式】sn
【软件简介】
恒特画王正式版集名片、画像、配发、试衣、美容、婚纱、叠加背景、大字标语、广告、原子印章、证卡设计真正的十
大功能,只用一种软件,即可开展多种业务,除了一般画像软件的画像及婚纱业务外,还可以开展名片、标语广告等,
含制作向导及模板,即使电脑初学者也能在一天内掌握使用方法。
【破解声明】纯为学习
------------------------------------------------------------------------
【破解过程】
下断在此处:
0041526B/$55 push ebp
0041526C|.8BEC mov ebp, esp
0041526E|.6A FF push -1
00415270|.68 728D4A00 push dnhx.004A8D72 ;SE 处理程序安装
00415275|.64:A1 0000000>mov eax, dword ptr fs:
0041527B|.50 push eax
0041527C|.64:8925 00000>mov dword ptr fs:, esp
00415283|.81EC EC010000 sub esp, 1EC
00415289|.898D 1CFEFFFF mov dword ptr , ecx
0041528F|.6A 00 push 0 ; /Arg1 = 00000000
00415291|.8D4D 90 lea ecx, dword ptr ; |
00415294|.E8 07360400 call dnhx.004588A0 ; \dnhx.004588A0
00415299|.C745 FC 00000>mov dword ptr , 0
004152A0|.8D4D 90 lea ecx, dword ptr
004152A3|.E8 1BED0600 call dnhx.00483FC3
004152A8|.8D45 EC lea eax, dword ptr ;密码
004152AB|.50 push eax
004152AC|.8D4D F0 lea ecx, dword ptr
004152AF|.E8 FA2D0700 call dnhx.004880AE ;是否有输入密码
004152B4|.C645 FC 01 mov byte ptr , 1
004152B8|.8D8D 2CFEFFFF lea ecx, dword ptr
004152BE|.51 push ecx ; /Arg1
004152BF|.8B8D 1CFEFFFF mov ecx, dword ptr ; |
004152C5|.E8 C8DEFFFF call dnhx.00413192 ; \关键处,跟进
004152CA|.8985 18FEFFFF mov dword ptr , eax 真码地址
004152D0|.8B95 18FEFFFF mov edx, dword ptr
004152D6|.8995 14FEFFFF mov dword ptr , edx
004152DC|.C645 FC 02 mov byte ptr , 2
004152E0|.8B85 14FEFFFF mov eax, dword ptr
004152E6|.50 push eax ; /Arg2
004152E7|.8D4D F0 lea ecx, dword ptr ; |
004152EA|.51 push ecx ; |Arg1
004152EB|.E8 60090000 call dnhx.00415C50 真假码比较
004152F0|.25 FF000000 and eax, 0FF
004152F5|.85C0 test eax, eax
004152F7|.74 52 je short dnhx.0041534B
004152F9|.68 C0A64C00 push dnhx.004CA6C0 ; /无光盘
004152FE|.8D55 F0 lea edx, dword ptr ; |
00415301|.52 push edx ; |Arg1
00415302|.E8 2987FFFF call dnhx.0040DA30 ; \dnhx.0040DA30
00415307|.8885 28FEFFFF mov byte ptr , al
0041530D|.8B85 28FEFFFF mov eax, dword ptr
00415313|.25 FF000000 and eax, 0FF
00415318|.85C0 test eax, eax
0041531A|.74 2F je short dnhx.0041534B
0041531C|.8D4D F0 lea ecx, dword ptr
0041531F|.E8 ACDAFEFF call dnhx.00402DD0
00415324|.F7D8 neg eax
00415326|.1BC0 sbb eax, eax
00415328|.40 inc eax
00415329|.8885 24FEFFFF mov byte ptr , al
0041532F|.8B8D 24FEFFFF mov ecx, dword ptr
00415335|.81E1 FF000000 and ecx, 0FF
0041533B|.85C9 test ecx, ecx
0041533D|.74 0C je short dnhx.0041534B
0041533F|.C785 10FEFFFF>mov dword ptr , 1
00415349|.EB 0A jmp short dnhx.00415355
0041534B|>C785 10FEFFFF>mov dword ptr , 0
00415355|>8A95 10FEFFFF mov dl, byte ptr
0041535B|.8895 30FEFFFF mov byte ptr , dl
00415361|.C645 FC 01 mov byte ptr , 1
00415365|.8D8D 2CFEFFFF lea ecx, dword ptr
0041536B|.E8 C92F0700 call dnhx.00488339 比较处
00415370|.8B85 30FEFFFF mov eax, dword ptr
00415376|.25 FF000000 and eax, 0FF
0041537B|.85C0 test eax, eax
0041537D|.0F84 2B010000 je dnhx.004154AE 为0跳向错误处
00415383|.6A 00 push 0
00415385|.68 C8A64C00 push dnhx.004CA6C8 ;密码正确
0041538A|.68 D4A64C00 push dnhx.004CA6D4 ;谢谢支持使用恒特软件产品!
0041538F|.8B8D 1CFEFFFF mov ecx, dword ptr
00415395|.E8 690C0700 call dnhx.00486003
0041539A|.68 04010000 push 104 ; /BufSize = 104 (260.)
0041539F|.8D8D 78FEFFFF lea ecx, dword ptr ; |
004153A5|.51 push ecx ; |Buffer
004153A6|.FF15 B4F24A00 call dword ptr [<&KERNEL32.GetS>; \GetSystemDirectoryA
004153AC|.8D95 78FEFFFF lea edx, dword ptr
004153B2|.52 push edx
004153B3|.8D8D 7CFFFFFF lea ecx, dword ptr
004153B9|.E8 E92F0700 call dnhx.004883A7
004153BE|.C645 FC 03 mov byte ptr , 3
004153C2|.68 F0A64C00 push dnhx.004CA6F0 ;\configa.hps
004153C7|.8D8D 7CFFFFFF lea ecx, dword ptr
004153CD|.E8 43330700 call dnhx.00488715
004153D2|.8D85 20FEFFFF lea eax, dword ptr
004153D8|.50 push eax ; /Arg1
004153D9|.8B8D 1CFEFFFF mov ecx, dword ptr ; |
004153DF|.E8 AEDDFFFF call dnhx.00413192 ; \dnhx.00413192
004153E4|.8985 0CFEFFFF mov dword ptr , eax
004153EA|.8B8D 0CFEFFFF mov ecx, dword ptr
004153F0|.898D 08FEFFFF mov dword ptr , ecx
004153F6|.C645 FC 04 mov byte ptr , 4
004153FA|.8B95 08FEFFFF mov edx, dword ptr
00415400|.52 push edx
00415401|.8D4D F0 lea ecx, dword ptr
00415404|.E8 69300700 call dnhx.00488472
00415409|.C645 FC 03 mov byte ptr , 3
0041540D|.8D8D 20FEFFFF lea ecx, dword ptr
00415413|.E8 212F0700 call dnhx.00488339
00415418|.8D4D 80 lea ecx, dword ptr
0041541B|.E8 AF350700 call dnhx.004889CF
00415420|.C645 FC 05 mov byte ptr , 5
00415424|.6A 00 push 0
00415426|.68 01100000 push 1001
0041542B|.8D8D 7CFFFFFF lea ecx, dword ptr
00415431|.E8 DAD9FEFF call dnhx.00402E10
00415436|.50 push eax ; |Arg1
00415437|.8D4D 80 lea ecx, dword ptr ; |
0041543A|.E8 42370700 call dnhx.00488B81 ; \dnhx.00488B81
0041543F|.85C0 test eax, eax
00415441|.74 4E je short dnhx.00415491
00415443|.6A 00 push 0
00415445|.68 00100000 push 1000
0041544A|.6A 00 push 0
0041544C|.8D45 80 lea eax, dword ptr
0041544F|.50 push eax
00415450|.8D8D 34FEFFFF lea ecx, dword ptr
00415456|.E8 8C760700 call dnhx.0048CAE7
0041545B|.C645 FC 06 mov byte ptr , 6
0041545F|.8D4D F0 lea ecx, dword ptr
00415462|.51 push ecx ; /Arg2
00415463|.8D95 34FEFFFF lea edx, dword ptr ; |
00415469|.52 push edx ; |Arg1
0041546A|.E8 4D740700 call dnhx.0048C8BC ; \dnhx.0048C8BC
0041546F|.8D8D 34FEFFFF lea ecx, dword ptr
00415475|.E8 D1770700 call dnhx.0048CC4B
0041547A|.8D4D 80 lea ecx, dword ptr
0041547D|.E8 1A390700 call dnhx.00488D9C
00415482|.C645 FC 05 mov byte ptr , 5
00415486|.8D8D 34FEFFFF lea ecx, dword ptr
0041548C|.E8 32770700 call dnhx.0048CBC3
00415491|>C645 FC 03 mov byte ptr , 3
00415495|.8D4D 80 lea ecx, dword ptr
00415498|.E8 27360700 call dnhx.00488AC4
0041549D|.C645 FC 01 mov byte ptr , 1
004154A1|.8D8D 7CFFFFFF lea ecx, dword ptr
004154A7|.E8 8D2E0700 call dnhx.00488339
004154AC|.EB 17 jmp short dnhx.004154C5
004154AE|>6A 00 push 0
004154B0|.68 00A74C00 push dnhx.004CA700 ;密码错误!
004154B5|.68 0CA74C00 push dnhx.004CA70C
004154BA|.8B8D 1CFEFFFF mov ecx, dword ptr
004154C0|.E8 3E0B0700 call dnhx.00486003
004154C5|>C645 FC 00 mov byte ptr , 0
004154C9|.8D4D F0 lea ecx, dword ptr
004154CC|.E8 682E0700 call dnhx.00488339
004154D1|.C745 FC FFFFF>mov dword ptr , -1
004154D8|.8D4D 90 lea ecx, dword ptr
004154DB|.E8 B0070000 call dnhx.00415C90
004154E0|.8B4D F4 mov ecx, dword ptr
004154E3|.64:890D 00000>mov dword ptr fs:, ecx
004154EA|.8BE5 mov esp, ebp
004154EC|.5D pop ebp
004154ED\.C3 retn
关键处:
00413192/$55 push ebp
00413193|.8BEC mov ebp, esp
00413195|.6A FF push -1
00413197|.68 BB894A00 push dnhx.004A89BB ;SE 处理程序安装
0041319C|.64:A1 0000000>mov eax, dword ptr fs:
004131A2|.50 push eax
004131A3|.64:8925 00000>mov dword ptr fs:, esp
004131AA|.83EC 20 sub esp, 20
004131AD|.894D E4 mov dword ptr , ecx
004131B0|.C745 E8 00000>mov dword ptr , 0
004131B7|.51 push ecx
004131B8|.8BCC mov ecx, esp
004131BA|.8965 F0 mov dword ptr , esp
004131BD|.68 70A24C00 push dnhx.004CA270 ;固定值:23345107
004131C2|.E8 E0510700 call dnhx.004883A7
004131C7|.8945 E0 mov dword ptr , eax ; |固定值
004131CA|.8B45 E0 mov eax, dword ptr ; |
004131CD|.8945 DC mov dword ptr , eax ; |
004131D0|.C745 FC 00000>mov dword ptr , 0 ; |
004131D7|.51 push ecx ; |Arg2
004131D8|.8BCC mov ecx, esp ; |
004131DA|.8965 EC mov dword ptr , esp ; |
004131DD|.51 push ecx ; |/Arg1
004131DE|.8B4D E4 mov ecx, dword ptr ; ||
004131E1|.E8 1F030000 call dnhx.00413505 ; |\由硬盘的序列号进行计算获取机器码
004131E6|.8945 D8 mov dword ptr , eax ; |机器码
004131E9|.8B55 08 mov edx, dword ptr ; |
004131EC|.52 push edx ; |Arg1
004131ED|.8B4D E4 mov ecx, dword ptr ; |
004131F0|.C745 FC FFFFF>mov dword ptr , -1 ; |
004131F7|.E8 A2040000 call dnhx.0041369E ; \算法处,跟进
004131FC|.8945 D4 mov dword ptr , eax
004131FF|.8B45 E8 mov eax, dword ptr
00413202|.0C 01 or al, 1
00413204|.8945 E8 mov dword ptr , eax
00413207|.8B45 08 mov eax, dword ptr
0041320A|.8B4D F4 mov ecx, dword ptr
0041320D|.64:890D 00000>mov dword ptr fs:, ecx
00413214|.8BE5 mov esp, ebp
00413216|.5D pop ebp
00413217\.C2 0400 retn 4
算法处,跟进:
0041369E/$55 push ebp
0041369F|.8BEC mov ebp, esp
004136A1|.6A FF push -1
004136A3|.68 E18A4A00 push dnhx.004A8AE1 ;SE 处理程序安装
004136A8|.64:A1 0000000>mov eax, dword ptr fs:
004136AE|.50 push eax
004136AF|.64:8925 00000>mov dword ptr fs:, esp
004136B6|.83EC 50 sub esp, 50
004136B9|.894D B8 mov dword ptr , ecx
004136BC|.C745 BC 00000>mov dword ptr , 0
004136C3|.C745 FC 02000>mov dword ptr , 2
004136CA|.68 B4A24C00 push dnhx.004CA2B4 ; /固定值:23345107
004136CF|.8D45 10 lea eax, dword ptr ; |
004136D2|.50 push eax ; |Arg1
004136D3|.E8 58A3FFFF call dnhx.0040DA30 ; \dnhx.0040DA30
004136D8|.25 FF000000 and eax, 0FF
004136DD|.85C0 test eax, eax
004136DF|.74 36 je short dnhx.00413717
004136E1|.68 A0014D00 push dnhx.004D01A0
004136E6|.8B4D 08 mov ecx, dword ptr
004136E9|.E8 B94C0700 call dnhx.004883A7
004136EE|.8B4D BC mov ecx, dword ptr
004136F1|.83C9 01 or ecx, 1
004136F4|.894D BC mov dword ptr , ecx
004136F7|.C645 FC 01 mov byte ptr , 1
004136FB|.8D4D 0C lea ecx, dword ptr
004136FE|.E8 364C0700 call dnhx.00488339
00413703|.C645 FC 00 mov byte ptr , 0
00413707|.8D4D 10 lea ecx, dword ptr
0041370A|.E8 2A4C0700 call dnhx.00488339
0041370F|.8B45 08 mov eax, dword ptr
00413712|.E9 96010000 jmp dnhx.004138AD
00413717|>8D4D E4 lea ecx, dword ptr ;69
0041371A|.E8 91F6FEFF call dnhx.00402DB0
0041371F|.C645 FC 03 mov byte ptr , 3
00413723|.8D4D DC lea ecx, dword ptr
00413726|.E8 85F6FEFF call dnhx.00402DB0
0041372B|.C645 FC 04 mov byte ptr , 4
0041372F|.8D4D D0 lea ecx, dword ptr
00413732|.E8 79F6FEFF call dnhx.00402DB0
00413737|.C645 FC 05 mov byte ptr , 5
0041373B|.8D4D 0C lea ecx, dword ptr
0041373E|.E8 9DA2FFFF call dnhx.0040D9E0
00413743|.83F8 08 cmp eax, 8
00413746|.7E 33 jle short dnhx.0041377B
00413748|.6A 08 push 8
0041374A|.8D55 C4 lea edx, dword ptr
0041374D|.52 push edx
0041374E|.8D4D 0C lea ecx, dword ptr
00413751|.E8 79D30600 call dnhx.00480ACF ;获取序列号的后8位
00413756|.8945 B4 mov dword ptr , eax ;序列号的后8位保存在中
00413759|.8B45 B4 mov eax, dword ptr
0041375C|.8945 B0 mov dword ptr , eax
0041375F|.C645 FC 06 mov byte ptr , 6
00413763|.8B4D B0 mov ecx, dword ptr
00413766|.51 push ecx
00413767|.8D4D 0C lea ecx, dword ptr
0041376A|.E8 034D0700 call dnhx.00488472
0041376F|.C645 FC 05 mov byte ptr , 5
00413773|.8D4D C4 lea ecx, dword ptr
00413776|.E8 BE4B0700 call dnhx.00488339
0041377B|>8D4D 0C lea ecx, dword ptr
0041377E|.E8 8DF6FEFF call dnhx.00402E10
00413783|.50 push eax
00413784|.E8 CD070600 call dnhx.00473F56
00413789|.83C4 04 add esp, 4
0041378C|.8945 D8 mov dword ptr , eax
0041378F|.8B55 D8 mov edx, dword ptr
00413792|.81C2 2990CC01 add edx, 1CC9029 ;序列号后8位 add 1CC9029,所得值设为A
00413798|.8955 D8 mov dword ptr , edx ;保存在
0041379B|.6A 0A push 0A ; /Arg3 = 0000000A
0041379D|.8D45 E8 lea eax, dword ptr ; |
004137A0|.50 push eax ; |Arg2
004137A1|.8B4D D8 mov ecx, dword ptr ; |
004137A4|.51 push ecx ; |Arg1
004137A5|.E8 9B050600 call dnhx.00473D45 ; \将A转化为十进制,设为B
004137AA|.83C4 0C add esp, 0C
004137AD|.50 push eax
004137AE|.8D4D DC lea ecx, dword ptr
004137B1|.E8 0C4D0700 call dnhx.004884C2
004137B6|.C745 D4 00000>mov dword ptr , 0
004137BD|.EB 09 jmp short dnhx.004137C8
004137BF|>8B55 D4 /mov edx, dword ptr
004137C2|.83C2 01 |add edx, 1
004137C5|.8955 D4 |mov dword ptr , edx
004137C8|>8D4D DC lea ecx, dword ptr ;B
004137CB|.E8 10A2FFFF |call dnhx.0040D9E0 ;获取B的长度
004137D0|.3945 D4 |cmp dword ptr , eax ;eax为B值的长度
004137D3|.7D 44 |jge short dnhx.00413819 ;下面开始循环取B,进行运算
004137D5|.8B45 D4 |mov eax, dword ptr
004137D8|.50 |push eax ; /Arg1
004137D9|.8D4D DC |lea ecx, dword ptr ; |B
004137DC|.E8 5FD7FFFF |call dnhx.00410F40 ; \取B的字符
004137E1|.8845 CC |mov byte ptr , al ;B的字符的ASC值
004137E4|.0FBE4D CC |movsx ecx, byte ptr
004137E8|.894D AC |mov dword ptr , ecx
004137EB|.DB45 AC |fild dword ptr ;装入整数到
004137EE|.DC0D E0074B00 |fmul qword ptr ;乘上一个实数,*
(值为1.5),设为C1
004137F4|.E8 37010600 |call dnhx.00473930 ;跟进一
004137F9|.8945 C8 |mov dword ptr , eax ;浮点运算后所得值设为D
004137FC|.6A 0A |push 0A ; /Arg3 = 0000000A
004137FE|.8D55 E0 |lea edx, dword ptr ; |
00413801|.52 |push edx ; |Arg2
00413802|.8B45 C8 |mov eax, dword ptr ; |
00413805|.50 |push eax ; |Arg1
00413806|.E8 3A050600 |call dnhx.00473D45 ; \跟进二
0041380B|.83C4 0C |add esp, 0C
0041380E|.50 |push eax
0041380F|.8D4D D0 |lea ecx, dword ptr ;地址
00413812|.E8 FE4E0700 |call dnhx.00488715 ;将E值存入栈中
00413817|.^ EB A6 \jmp short dnhx.004137BF
00413819|>8D4D D0 lea ecx, dword ptr ;上面计算所得串E
0041381C|.E8 BFA1FFFF call dnhx.0040D9E0
00413821|.83F8 08 cmp eax, 8
00413824|.7E 33 jle short dnhx.00413859
00413826|.6A 08 push 8
00413828|.8D4D C0 lea ecx, dword ptr
0041382B|.51 push ecx
0041382C|.8D4D D0 lea ecx, dword ptr
0041382F|.E8 9BD20600 call dnhx.00480ACF ;取E串的后8位,即为注册码(密码)
00413834|.8945 A8 mov dword ptr , eax
00413837|.8B55 A8 mov edx, dword ptr
0041383A|.8955 A4 mov dword ptr , edx
0041383D|.C645 FC 07 mov byte ptr , 7
00413841|.8B45 A4 mov eax, dword ptr
00413844|.50 push eax
00413845|.8D4D D0 lea ecx, dword ptr
00413848|.E8 254C0700 call dnhx.00488472
0041384D|.C645 FC 05 mov byte ptr , 5
00413851|.8D4D C0 lea ecx, dword ptr
00413854|.E8 E04A0700 call dnhx.00488339
00413859|>8D4D D0 lea ecx, dword ptr
0041385C|.51 push ecx
0041385D|.8B4D 08 mov ecx, dword ptr
00413860|.E8 49480700 call dnhx.004880AE
00413865|.8B55 BC mov edx, dword ptr
00413868|.83CA 01 or edx, 1
0041386B|.8955 BC mov dword ptr , edx
0041386E|.C645 FC 04 mov byte ptr , 4
00413872|.8D4D D0 lea ecx, dword ptr
00413875|.E8 BF4A0700 call dnhx.00488339
0041387A|.C645 FC 03 mov byte ptr , 3
0041387E|.8D4D DC lea ecx, dword ptr
00413881|.E8 B34A0700 call dnhx.00488339
00413886|.C645 FC 02 mov byte ptr , 2
0041388A|.8D4D E4 lea ecx, dword ptr
0041388D|.E8 A74A0700 call dnhx.00488339
00413892|.C645 FC 01 mov byte ptr , 1
00413896|.8D4D 0C lea ecx, dword ptr
00413899|.E8 9B4A0700 call dnhx.00488339
0041389E|.C645 FC 00 mov byte ptr , 0
004138A2|.8D4D 10 lea ecx, dword ptr
004138A5|.E8 8F4A0700 call dnhx.00488339
004138AA|.8B45 08 mov eax, dword ptr
004138AD|>8B4D F4 mov ecx, dword ptr
004138B0|.64:890D 00000>mov dword ptr fs:, ecx
004138B7|.8BE5 mov esp, ebp
004138B9|.5D pop ebp
004138BA\.C2 0C00 retn 0C
跟进一处:
00473930/$55 push ebp
00473931|.8BEC mov ebp, esp
00473933|.83C4 F4 add esp, -0C
00473936|.9B wait
00473937|.D97D FE fstcw word ptr ;将FPU的控制字保存到dest
0047393A|.9B wait
0047393B|.66:8B45 FE mov ax, word ptr
0047393F|.80CC 0C or ah, 0C
00473942|.66:8945 FC mov word ptr , ax
00473946|.D96D FC fldcw word ptr ;从src装入FPU的控制字
00473949|.DF7D F4 fistp qword ptr ;dest <- st(0),目的操作数->浮点寄存器
,然后再执行一次出栈操作
0047394C|.D96D FE fldcw word ptr ;从源操作数装入FPU的控制字
0047394F|.8B45 F4 mov eax, dword ptr
00473952|.8B55 F8 mov edx, dword ptr
00473955|.C9 leave
00473956\.C3 retn
跟进二处:
00473D45/$55 push ebp
00473D46|.8BEC mov ebp, esp
00473D48|.837D 10 0A cmp dword ptr , 0A
00473D4C|.75 0C jnz short dnhx.00473D5A
00473D4E|.837D 08 00 cmp dword ptr , 0
00473D52|.7D 06 jge short dnhx.00473D5A
00473D54|.6A 01 push 1
00473D56|.6A 0A push 0A
00473D58|.EB 05 jmp short dnhx.00473D5F
00473D5A|>6A 00 push 0
00473D5C|.FF75 10 push dword ptr
00473D5F|>FF75 0C push dword ptr ; |Arg2
00473D62|.FF75 08 push dword ptr ; |Arg1
00473D65|.E8 08000000 call dnhx.00473D72 ; 在此进行计算,跟进三
00473D6A|.8B45 0C mov eax, dword ptr E值
00473D6D|.83C4 10 add esp, 10
00473D70|.5D pop ebp
00473D71\.C3 retn
跟进三处:
00473D72/$55 push ebp
00473D73|.8BEC mov ebp, esp
00473D75|.837D 14 00 cmp dword ptr , 0
00473D79|.8B4D 0C mov ecx, dword ptr
00473D7C|.53 push ebx
00473D7D|.56 push esi
00473D7E|.57 push edi
00473D7F|.74 0B je short dnhx.00473D8C
00473D81|.8B75 08 mov esi, dword ptr
00473D84|.C601 2D mov byte ptr , 2D
00473D87|.41 inc ecx
00473D88|.F7DE neg esi
00473D8A|.EB 03 jmp short dnhx.00473D8F
00473D8C|>8B75 08 mov esi, dword ptr ;D值
00473D8F|>8BF9 mov edi, ecx
00473D91|>8BC6 /mov eax, esi
00473D93|.33D2 |xor edx, edx
00473D95|.F775 10 |div dword ptr ;D值 div 的值(值为A)
00473D98|.8BC6 |mov eax, esi
00473D9A|.8BDA |mov ebx, edx ;余数->ebx
00473D9C|.33D2 |xor edx, edx ;清0
00473D9E|.F775 10 |div dword ptr ;D值 div 的值(值为A)
00473DA1|.83FB 09 |cmp ebx, 9 ;比较余数是否大于9
00473DA4|.8BF0 |mov esi, eax ;商存入esi中
00473DA6|.76 05 |jbe short dnhx.00473DAD ;小于9跳
00473DA8|.80C3 57 |add bl, 57
00473DAB|.EB 03 |jmp short dnhx.00473DB0
00473DAD|>80C3 30 |add bl, 30 ;余数+30,化为数字
00473DB0|>8819 |mov byte ptr , bl ;放在
00473DB2|.41 |inc ecx
00473DB3|.85F6 |test esi, esi
00473DB5|.^ 77 DA \ja short dnhx.00473D91 ;再用商进行div运算操作
00473DB7|.8021 00 and byte ptr , 0
00473DBA|.49 dec ecx
00473DBB|>8A17 mov dl, byte ptr ;这边是将刚才所得的两位数进行倒置,设为E
00473DBD|.8A01 mov al, byte ptr
00473DBF|.8811 mov byte ptr , dl
00473DC1|.8807 mov byte ptr , al
00473DC3|.49 dec ecx
00473DC4|.47 inc edi
00473DC5|.3BF9 cmp edi, ecx
00473DC7|.^ 72 F2 jb short dnhx.00473DBB
00473DC9|.5F pop edi
00473DCA|.5E pop esi
00473DCB|.5B pop ebx
00473DCC|.5D pop ebp
00473DCD\.C3 retn
------------------------------------------------------------------------
【破解总结】
该软件的注册算法大致如下:
1、取硬盘序列进行运算产生序列号
2、取序列号的后8位的ASC值进行浮点运算
3、ASC值进行浮点运算后,进行div求余运算
4、将求余所得的串,截取后8位即为注册码
------------------------------------------------------------------------
【版权声明】
[ 本帖最后由 水中花 于 2007-4-29 13:40 编辑 ] 看不懂,有难度, 有难度:lol: 又是算法的文章 虽然不能完全看懂 但我有信心....... 先顶起,然后慢慢品味. 分析的不错,有助于学习浮点运算的算法分析,学习! 有点技术含量啊/:QQ3 又是算法的文章 虽然不能完全看懂 但我有信心.......
页:
[1]