WinASO Registry Optimizer Version 3.2算法分析--第一次分析出算法

unpack · 发表于 2008-3-18 20:55:11

【文章标题】: WinASO Registry Optimizer Version 3.2算法分析
【文章作者】: unpack
【软件名称】: WinASO Registry Optimizer Version 3.2
【下载地址】: 自己搜索下载
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0 [Overlay]
【使用工具】: PEiD，OD
【操作平台】: Windows XP
【软件介绍】: WinASO Registry Optimizer scans the Windows registry and finds incorrect or obsolete information in the registry. By fixing these obsolete information in Windows registry, your system will run faster and error free.

【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
  【破解内容】
  首先，在飘云阁看到了老鸟的一篇文章
  https://www.chinapyg.com/viewthr ... &extra=page%3D1
  然后下了去下载软件，已经有这个最新版本了！
  于是试着破解，用了几个小时，有了菜鸟我的第一次分析出算法！
  只在于交流，不要散布注册码，否则后果自负！
  --------------------------------------------------------------
  **************************************************************
  一、用PEiD对这个软件查壳，为 Borland Delphi 6.0 - 7.0 [Overlay]
  **************************************************************
  二、运行程序，进行注册，输入错误的注册信息进行检测，提示信息
  "Sorry,that is an invalid license key.Please ensure you have entered the license key exactly as provided."
  **************************************************************
  三、运行OD，按F9运行，然后注册，输入假注册码（我的为5555-4444-3333-2222-1111），然后插件-->API断点设置工具-->常用断点设置-->勾选MessageBoxA和MessageBoxExA，然后点Register（注册）
  四、程序中断下来，F8单步走，弹出注册失败对话框，点确定，再接着F8跟踪，来到到领空（还是有点不完全理解领空），往上，找到

0056A38C /. 55 push ebp

复制代码

然后下断，按F9运行，再点 “注册”  中断下来，进行下面的分析！
  **************************************************************
  【详细过程】

0056A38C /. 55 push ebp
0056A38D |. 8BEC mov ebp, esp
0056A38F |. B9 0E000000 mov ecx, 0E ; 0E=14
0056A394 |> 6A 00 /push 0
0056A396 |. 6A 00 |push 0
0056A398 |. 49 |dec ecx
0056A399 ^ 75 F9 \jnz short 0056A394 ; 循环十四次
0056A39B 51 push ecx
0056A39C 53 push ebx
0056A39D 56 push esi
0056A39E 57 push edi
0056A39F 8BD8 mov ebx, eax
0056A3A1 33C0 xor eax, eax
0056A3A3 55 push ebp
0056A3A4 68 E4A95600 push 0056A9E4
0056A3A9 64:FF30 push dword ptr fs:[eax]
0056A3AC 64:8920 mov fs:[eax], esp
0056A3AF 8D45 FC lea eax, [ebp-4]
0056A3B2 8B15 84055A00 mov edx, [5A0584] ; RegOpt.005A55E0
0056A3B8 8B92 70080000 mov edx, [edx+870]
0056A3BE E8 6DAEE9FF call 00405230
0056A3C3 8D55 F4 lea edx, [ebp-C]
0056A3C6 8B83 A4030000 mov eax, [ebx+3A4]
0056A3CC E8 4BC9EEFF call 00456D1C
0056A3D1 8B45 F4 mov eax, [ebp-C] ; 把第一个框的注册码赋给eax！
0056A3D4 E8 9B45F6FF call 004CE974
0056A3D9 84C0 test al, al ; 比较第一个注册框是否为空，如果不是数字也定为空
0056A3DB 75 2E jnz short 0056A40B ; 不为空的话跳转
0056A3DD 6A 40 push 40
0056A3DF A1 84055A00 mov eax, [5A0584]
0056A3E4 8B80 6C080000 mov eax, [eax+86C]
0056A3EA E8 6DB2E9FF call 0040565C
0056A3EF 50 push eax
0056A3F0 8B45 FC mov eax, [ebp-4]
0056A3F3 E8 64B2E9FF call 0040565C
0056A3F8 50 push eax
0056A3F9 8BC3 mov eax, ebx
0056A3FB E8 1C44EFFF call 0045E81C
0056A400 50 push eax ; |hOwner
0056A401 E8 36DFE9FF call <jmp.&user32.MessageBoxA> ; \弹出注册失败对话框！
0056A406 E9 6D050000 jmp 0056A978
0056A40B 8D55 F0 lea edx, [ebp-10]
0056A40E 8B83 A8030000 mov eax, [ebx+3A8]
0056A414 E8 03C9EEFF call 00456D1C
0056A419 8B45 F0 mov eax, [ebp-10] ; 把第二个框的注册码赋给eax！
0056A41C E8 5345F6FF call 004CE974
0056A421 84C0 test al, al ; 比较第二个注册框是否为空，且不是数字也定为空处理
0056A423 75 2E jnz short 0056A453 ; 不为空的话跳转
0056A425 6A 40 push 40
0056A427 A1 84055A00 mov eax, [5A0584]
0056A42C 8B80 6C080000 mov eax, [eax+86C]
0056A432 E8 25B2E9FF call 0040565C
0056A437 50 push eax
0056A438 8B45 FC mov eax, [ebp-4]
0056A43B E8 1CB2E9FF call 0040565C
0056A440 50 push eax
0056A441 8BC3 mov eax, ebx
0056A443 E8 D443EFFF call 0045E81C
0056A448 50 push eax ; |hOwner
0056A449 E8 EEDEE9FF call <jmp.&user32.MessageBoxA> ; \弹出注册失败对话框！
0056A44E E9 25050000 jmp 0056A978
0056A453 8D55 EC lea edx, [ebp-14]
0056A456 8B83 AC030000 mov eax, [ebx+3AC]
0056A45C E8 BBC8EEFF call 00456D1C
0056A461 8B45 EC mov eax, [ebp-14] ; 把第三个框的注册码赋给eax！
0056A464 E8 0B45F6FF call 004CE974
0056A469 84C0 test al, al ; 比较第三个注册框是否为空，且同上
0056A46B 75 2E jnz short 0056A49B ; 不为空的话跳转
0056A46D 6A 40 push 40
0056A46F A1 84055A00 mov eax, [5A0584]
0056A474 8B80 6C080000 mov eax, [eax+86C]
0056A47A E8 DDB1E9FF call 0040565C
0056A47F 50 push eax
0056A480 8B45 FC mov eax, [ebp-4]
0056A483 E8 D4B1E9FF call 0040565C
0056A488 50 push eax
0056A489 8BC3 mov eax, ebx
0056A48B E8 8C43EFFF call 0045E81C
0056A490 50 push eax ; |hOwner
0056A491 E8 A6DEE9FF call <jmp.&user32.MessageBoxA> ; \弹出注册失败对话框！
0056A496 E9 DD040000 jmp 0056A978
0056A49B 8D55 E8 lea edx, [ebp-18]
0056A49E 8B83 B0030000 mov eax, [ebx+3B0]
0056A4A4 E8 73C8EEFF call 00456D1C
0056A4A9 8B45 E8 mov eax, [ebp-18] ; 把第四个框的注册码赋给eax！
0056A4AC E8 C344F6FF call 004CE974
0056A4B1 84C0 test al, al ; 比较第四个注册框是否为空，且同上
0056A4B3 75 2E jnz short 0056A4E3 ; 不为空的话跳转
0056A4B5 6A 40 push 40
0056A4B7 A1 84055A00 mov eax, [5A0584]
0056A4BC 8B80 6C080000 mov eax, [eax+86C]
0056A4C2 E8 95B1E9FF call 0040565C
0056A4C7 50 push eax
0056A4C8 8B45 FC mov eax, [ebp-4]
0056A4CB E8 8CB1E9FF call 0040565C
0056A4D0 50 push eax
0056A4D1 8BC3 mov eax, ebx
0056A4D3 E8 4443EFFF call 0045E81C
0056A4D8 50 push eax ; |hOwner
0056A4D9 E8 5EDEE9FF call <jmp.&user32.MessageBoxA> ; \弹出注册失败对话框！
0056A4DE E9 95040000 jmp 0056A978
0056A4E3 8D55 E4 lea edx, [ebp-1C]
0056A4E6 8B83 B4030000 mov eax, [ebx+3B4]
0056A4EC E8 2BC8EEFF call 00456D1C
0056A4F1 8B45 E4 mov eax, [ebp-1C] ; 把第五个框的注册码赋给eax！
0056A4F4 E8 7B44F6FF call 004CE974
0056A4F9 84C0 test al, al ; 比较第五个注册框是否为空，且同上
0056A4FB 75 2E jnz short 0056A52B ; 不为空的话跳转
0056A4FD 6A 40 push 40
0056A4FF A1 84055A00 mov eax, [5A0584]
0056A504 8B80 6C080000 mov eax, [eax+86C]
0056A50A E8 4DB1E9FF call 0040565C
0056A50F 50 push eax
0056A510 8B45 FC mov eax, [ebp-4]
0056A513 E8 44B1E9FF call 0040565C
0056A518 50 push eax
0056A519 8BC3 mov eax, ebx
0056A51B E8 FC42EFFF call 0045E81C
0056A520 50 push eax ; |hOwner
0056A521 E8 16DEE9FF call <jmp.&user32.MessageBoxA> ; \弹出注册失败对话框！
0056A526 E9 4D040000 jmp 0056A978
0056A52B 8D55 E0 lea edx, [ebp-20]
0056A52E 8B83 A4030000 mov eax, [ebx+3A4]
0056A534 E8 E3C7EEFF call 00456D1C
0056A539 8B45 E0 mov eax, [ebp-20] ; 将注册码第一个框的注册码给eax
0056A53C 8945 DC mov [ebp-24], eax
0056A53F 8B45 DC mov eax, [ebp-24]
0056A542 85C0 test eax, eax
0056A544 74 05 je short 0056A54B
0056A546 83E8 04 sub eax, 4
0056A549 8B00 mov eax, [eax]
0056A54B 83F8 04 cmp eax, 4 ; 将eax与4比较
0056A54E 74 2E je short 0056A57E ; 判断第一个框注册码是否是四位
0056A550 6A 40 push 40
0056A552 A1 84055A00 mov eax, [5A0584]
0056A557 8B80 6C080000 mov eax, [eax+86C]
0056A55D E8 FAB0E9FF call 0040565C
0056A562 50 push eax
0056A563 8B45 FC mov eax, [ebp-4]
0056A566 E8 F1B0E9FF call 0040565C
0056A56B 50 push eax
0056A56C 8BC3 mov eax, ebx
0056A56E E8 A942EFFF call 0045E81C
0056A573 50 push eax ; |hOwner
0056A574 E8 C3DDE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框
0056A579 E9 FA030000 jmp 0056A978
0056A57E 8D55 D8 lea edx, [ebp-28]
0056A581 8B83 A8030000 mov eax, [ebx+3A8]
0056A587 E8 90C7EEFF call 00456D1C
0056A58C 8B45 D8 mov eax, [ebp-28] ; 将注册码第二个注册框的注册码给eax
0056A58F 8945 DC mov [ebp-24], eax
0056A592 8B45 DC mov eax, [ebp-24]
0056A595 85C0 test eax, eax
0056A597 74 05 je short 0056A59E
0056A599 83E8 04 sub eax, 4
0056A59C 8B00 mov eax, [eax]
0056A59E 83F8 04 cmp eax, 4 ; 与4比较
0056A5A1 74 2E je short 0056A5D1 ; 判断第二个注册框的注册码是否是四位
0056A5A3 6A 40 push 40
0056A5A5 A1 84055A00 mov eax, [5A0584]
0056A5AA 8B80 6C080000 mov eax, [eax+86C]
0056A5B0 E8 A7B0E9FF call 0040565C
0056A5B5 50 push eax
0056A5B6 8B45 FC mov eax, [ebp-4]
0056A5B9 E8 9EB0E9FF call 0040565C
0056A5BE 50 push eax
0056A5BF 8BC3 mov eax, ebx
0056A5C1 E8 5642EFFF call 0045E81C
0056A5C6 50 push eax ; |hOwner
0056A5C7 E8 70DDE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框！
0056A5CC E9 A7030000 jmp 0056A978
0056A5D1 8D55 D4 lea edx, [ebp-2C]
0056A5D4 8B83 AC030000 mov eax, [ebx+3AC]
0056A5DA E8 3DC7EEFF call 00456D1C
0056A5DF 8B45 D4 mov eax, [ebp-2C] ; 将注册码第三个注册框的注册码给eax
0056A5E2 8945 DC mov [ebp-24], eax
0056A5E5 8B45 DC mov eax, [ebp-24]
0056A5E8 85C0 test eax, eax
0056A5EA 74 05 je short 0056A5F1
0056A5EC 83E8 04 sub eax, 4
0056A5EF 8B00 mov eax, [eax]
0056A5F1 83F8 04 cmp eax, 4 ; 与4比较
0056A5F4 74 2E je short 0056A624 ; 判断第三个注册框的注册码是否为四位
0056A5F6 6A 40 push 40
0056A5F8 A1 84055A00 mov eax, [5A0584]
0056A5FD 8B80 6C080000 mov eax, [eax+86C]
0056A603 E8 54B0E9FF call 0040565C
0056A608 50 push eax
0056A609 8B45 FC mov eax, [ebp-4]
0056A60C E8 4BB0E9FF call 0040565C
0056A611 50 push eax
0056A612 8BC3 mov eax, ebx
0056A614 E8 0342EFFF call 0045E81C
0056A619 50 push eax ; |hOwner
0056A61A E8 1DDDE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框！
0056A61F E9 54030000 jmp 0056A978
0056A624 8D55 D0 lea edx, [ebp-30]
0056A627 8B83 B0030000 mov eax, [ebx+3B0]
0056A62D E8 EAC6EEFF call 00456D1C
0056A632 8B45 D0 mov eax, [ebp-30] ; 将注册码第四个注册框的注册码给eax
0056A635 8945 DC mov [ebp-24], eax
0056A638 8B45 DC mov eax, [ebp-24]
0056A63B 85C0 test eax, eax
0056A63D 74 05 je short 0056A644
0056A63F 83E8 04 sub eax, 4
0056A642 8B00 mov eax, [eax]
0056A644 83F8 04 cmp eax, 4 ; 与4比较
0056A647 74 2E je short 0056A677 ; 判断第四个注册框的注册码是否为四位
0056A649 6A 40 push 40
0056A64B A1 84055A00 mov eax, [5A0584]
0056A650 8B80 6C080000 mov eax, [eax+86C]
0056A656 E8 01B0E9FF call 0040565C
0056A65B 50 push eax
0056A65C 8B45 FC mov eax, [ebp-4]
0056A65F E8 F8AFE9FF call 0040565C
0056A664 50 push eax
0056A665 8BC3 mov eax, ebx
0056A667 E8 B041EFFF call 0045E81C
0056A66C 50 push eax ; |hOwner
0056A66D E8 CADCE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框
0056A672 E9 01030000 jmp 0056A978
0056A677 8D55 CC lea edx, [ebp-34]
0056A67A 8B83 B4030000 mov eax, [ebx+3B4]
0056A680 E8 97C6EEFF call 00456D1C
0056A685 8B45 CC mov eax, [ebp-34] ; 将注册码第五个注册框的注册码给eax
0056A688 8945 DC mov [ebp-24], eax
0056A68B 8B45 DC mov eax, [ebp-24]
0056A68E 85C0 test eax, eax
0056A690 74 05 je short 0056A697
0056A692 83E8 04 sub eax, 4
0056A695 8B00 mov eax, [eax]
0056A697 83F8 04 cmp eax, 4 ; 与4比较
0056A69A 74 2E je short 0056A6CA ; 判断第五个注册框的注册码是否未四位！
0056A69C 6A 40 push 40
0056A69E A1 84055A00 mov eax, [5A0584]
0056A6A3 8B80 6C080000 mov eax, [eax+86C]
0056A6A9 E8 AEAFE9FF call 0040565C
0056A6AE 50 push eax
0056A6AF 8B45 FC mov eax, [ebp-4]
0056A6B2 E8 A5AFE9FF call 0040565C
0056A6B7 50 push eax
0056A6B8 8BC3 mov eax, ebx
0056A6BA E8 5D41EFFF call 0045E81C
0056A6BF 50 push eax ; |hOwner
0056A6C0 E8 77DCE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框
0056A6C5 E9 AE020000 jmp 0056A978
0056A6CA 8D55 C8 lea edx, [ebp-38]
0056A6CD 8B83 A4030000 mov eax, [ebx+3A4]
0056A6D3 E8 44C6EEFF call 00456D1C
0056A6D8 8B45 C8 mov eax, [ebp-38] ; 将第一个注册框的注册码给eax
0056A6DB E8 D4F7E9FF call 00409EB4
0056A6E0 8BF0 mov esi, eax ; 将eax赋给esi（其中5555为十六进制的15B3）
0056A6E2 8D55 C4 lea edx, [ebp-3C]
0056A6E5 8B83 A8030000 mov eax, [ebx+3A8]
0056A6EB E8 2CC6EEFF call 00456D1C
0056A6F0 8B45 C4 mov eax, [ebp-3C] ; 将第二个注册框的注册码给eax
0056A6F3 E8 BCF7E9FF call 00409EB4
0056A6F8 8BF8 mov edi, eax ; 将eax赋给edi（4444为十六进制的115C）
0056A6FA 8D55 C0 lea edx, [ebp-40]
0056A6FD 8B83 AC030000 mov eax, [ebx+3AC]
0056A703 E8 14C6EEFF call 00456D1C
0056A708 8B45 C0 mov eax, [ebp-40] ; 将第三个注册框的注册码（3333）给eax
0056A70B E8 A4F7E9FF call 00409EB4
0056A710 8945 F8 mov [ebp-8], eax
0056A713 0FAFF7 imul esi, edi ; esi*edi=esi
0056A716 81EE 2B060000 sub esi, 62B ; esi-62B=esi（62B为十进制的1579）
0056A71C 81FE 10270000 cmp esi, 2710 ; esi与2710比较（十进制为10000）
0056A722 7D 2E jge short 0056A752 ; 大于等于则跳转
0056A724 6A 40 push 40
0056A726 A1 84055A00 mov eax, [5A0584]
0056A72B 8B80 6C080000 mov eax, [eax+86C]
0056A731 E8 26AFE9FF call 0040565C
0056A736 50 push eax
0056A737 8B45 FC mov eax, [ebp-4]
0056A73A E8 1DAFE9FF call 0040565C
0056A73F 50 push eax
0056A740 8BC3 mov eax, ebx
0056A742 E8 D540EFFF call 0045E81C
0056A747 50 push eax ; |hOwner
0056A748 E8 EFDBE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框
0056A74D E9 26020000 jmp 0056A978
0056A752 8D55 B8 lea edx, [ebp-48]
0056A755 8BC6 mov eax, esi ; esi*edi-62B=esi赋给eax（算的十六进制为178A929）
0056A757 E8 1CF6E9FF call 00409D78 ; 178A929就是十进制的24684841
0056A75C 8B45 B8 mov eax, [ebp-48] ; 算的第四位的注册码为24684841
0056A75F 8D4D BC lea ecx, [ebp-44]
0056A762 BA 04000000 mov edx, 4 ; 将4赋给edx
0056A767 E8 24DDEDFF call 00448490
0056A76C 8B45 BC mov eax, [ebp-44] ; 取第四位注册码的后四位即4841
0056A76F 50 push eax ; eax压栈
0056A770 8D55 B4 lea edx, [ebp-4C]
0056A773 8B83 B0030000 mov eax, [ebx+3B0]
0056A779 E8 9EC5EEFF call 00456D1C
0056A77E 8B55 B4 mov edx, [ebp-4C] ; 第四个注册框的注册码给edx为1234
0056A781 58 pop eax
0056A782 E8 21AEE9FF call 004055A8
0056A787 74 2E je short 0056A7B7 ; 比较假码与真码，相等则跳
0056A789 6A 40 push 40
0056A78B A1 84055A00 mov eax, [5A0584]
0056A790 8B80 6C080000 mov eax, [eax+86C]
0056A796 E8 C1AEE9FF call 0040565C
0056A79B 50 push eax
0056A79C 8B45 FC mov eax, [ebp-4]
0056A79F E8 B8AEE9FF call 0040565C
0056A7A4 50 push eax
0056A7A5 8BC3 mov eax, ebx
0056A7A7 E8 7040EFFF call 0045E81C
0056A7AC 50 push eax ; |hOwner
0056A7AD E8 8ADBE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框
0056A7B2 E9 C1010000 jmp 0056A978
0056A7B7 8B75 F8 mov esi, [ebp-8] ; 将第三个对话框的注册码给esi（3333为十六进制的0D05）
0056A7BA 81C6 01020000 add esi, 201 ; esi+201（十进制为513）=F06
0056A7C0 0FAFF7 imul esi, edi ; esi*edi=esi(F06*115C=104CC28)
0056A7C3 81EE F50D0000 sub esi, 0DF5 ; esi-0DF5（十进制为3573）=esi(算的为104BE33)
0056A7C9 8D55 AC lea edx, [ebp-54]
0056A7CC 8BC6 mov eax, esi
0056A7CE E8 A5F5E9FF call 00409D78
0056A7D3 8B45 AC mov eax, [ebp-54] ; 算的注册码为十六进制104BE33等于十进制17088051
0056A7D6 8D4D B0 lea ecx, [ebp-50]
0056A7D9 BA 04000000 mov edx, 4 ; 将4赋给edx
0056A7DE E8 ADDCEDFF call 00448490
0056A7E3 8B45 B0 mov eax, [ebp-50] ; 将后四位给eax，即8051
0056A7E6 50 push eax
0056A7E7 8D55 A8 lea edx, [ebp-58]
0056A7EA 8B83 B4030000 mov eax, [ebx+3B4]
0056A7F0 E8 27C5EEFF call 00456D1C
0056A7F5 8B55 A8 mov edx, [ebp-58] ; 第五个对话框的假码给edx
0056A7F8 58 pop eax
0056A7F9 E8 AAADE9FF call 004055A8
0056A7FE 74 2E je short 0056A82E ; 真码假码比较
0056A800 6A 40 push 40
0056A802 A1 84055A00 mov eax, [5A0584]
0056A807 8B80 6C080000 mov eax, [eax+86C]
0056A80D E8 4AAEE9FF call 0040565C
0056A812 50 push eax
0056A813 8B45 FC mov eax, [ebp-4]
0056A816 E8 41AEE9FF call 0040565C
0056A81B 50 push eax
0056A81C 8BC3 mov eax, ebx
0056A81E E8 F93FEFFF call 0045E81C
0056A823 50 push eax ; |hOwner
0056A824 E8 13DBE9FF call <jmp.&user32.MessageBoxA> ; \注册失败对话框
0056A829 E9 4A010000 jmp 0056A978
0056A82E 8D55 A4 lea edx, [ebp-5C] 下面的代买好像是把注册码给注册表，并在同目录下生成一个注册信息文件。
0056A831 8B83 A4030000 mov eax, [ebx+3A4]
0056A837 E8 E0C4EEFF call 00456D1C
0056A83C FF75 A4 push dword ptr [ebp-5C]
0056A83F 8D55 A0 lea edx, [ebp-60]
0056A842 8B83 A8030000 mov eax, [ebx+3A8]
0056A848 E8 CFC4EEFF call 00456D1C
0056A84D FF75 A0 push dword ptr [ebp-60]
0056A850 8D55 9C lea edx, [ebp-64]
0056A853 8B83 AC030000 mov eax, [ebx+3AC]
0056A859 E8 BEC4EEFF call 00456D1C
0056A85E FF75 9C push dword ptr [ebp-64]
0056A861 8D55 98 lea edx, [ebp-68]
0056A864 8B83 B0030000 mov eax, [ebx+3B0]
0056A86A E8 ADC4EEFF call 00456D1C
0056A86F FF75 98 push dword ptr [ebp-68]
0056A872 8D55 94 lea edx, [ebp-6C]
0056A875 8B83 B4030000 mov eax, [ebx+3B4]
0056A87B E8 9CC4EEFF call 00456D1C
0056A880 FF75 94 push dword ptr [ebp-6C]
0056A883 A1 CC115A00 mov eax, [5A11CC]
0056A888 BA 05000000 mov edx, 5
0056A88D E8 8AACE9FF call 0040551C
0056A892 B2 01 mov dl, 1
0056A894 A1 8CCC4200 mov eax, [42CC8C]
0056A899 E8 EE24ECFF call 0042CD8C
0056A89E 8BF0 mov esi, eax
0056A8A0 BA 02000080 mov edx, 80000002
0056A8A5 8BC6 mov eax, esi
0056A8A7 E8 8025ECFF call 0042CE2C
0056A8AC B1 01 mov cl, 1
0056A8AE BA FCA95600 mov edx, 0056A9FC ; ASCII "\SOFTWARE\WinASO\Registry Optimizer"
0056A8B3 8BC6 mov eax, esi
0056A8B5 E8 B626ECFF call 0042CF70
0056A8BA 84C0 test al, al
0056A8BC 74 14 je short 0056A8D2
0056A8BE |. 8B0D CC115A00 mov ecx, [5A11CC] ; RegOpt.005A62D8
0056A8C4 |. 8B09 mov ecx, [ecx]
0056A8C6 |. BA 28AA5600 mov edx, 0056AA28 ; ASCII "RegOptKey3.0"
0056A8CB |. 8BC6 mov eax, esi
0056A8CD |. E8 AA2DECFF call 0042D67C
0056A8D2 |> 8D55 8C lea edx, [ebp-74]
0056A8D5 |. A1 A40D5A00 mov eax, [5A0DA4]
0056A8DA |. 8B00 mov eax, [eax]
0056A8DC |. E8 83A9F0FF call 00475264
0056A8E1 |. 8B45 8C mov eax, [ebp-74]
0056A8E4 |. 8D55 90 lea edx, [ebp-70]
0056A8E7 |. E8 0CFDE9FF call 0040A5F8
0056A8EC |. 8D45 90 lea eax, [ebp-70]
0056A8EF |. BA 40AA5600 mov edx, 0056AA40 ; ASCII "regkey.ini"
0056A8F4 |. E8 6BABE9FF call 00405464
0056A8F9 |. 8B4D 90 mov ecx, [ebp-70]
0056A8FC |. B2 01 mov dl, 1
0056A8FE |. A1 BCAE4200 mov eax, [42AEBC]
0056A903 |. E8 6C06ECFF call 0042AF74
0056A908 |. 8BF0 mov esi, eax
0056A90A |. A1 CC115A00 mov eax, [5A11CC]
0056A90F |. 8B00 mov eax, [eax]
0056A911 |. 50 push eax
0056A912 |. B9 54AA5600 mov ecx, 0056AA54 ; ASCII "300"
0056A917 |. BA 60AA5600 mov edx, 0056AA60 ; ASCII "regkey"
0056A91C |. 8BC6 mov eax, esi
0056A91E |. 8B38 mov edi, [eax]
0056A920 |. FF57 04 call [edi+4]
0056A923 |. 8BC6 mov eax, esi
0056A925 |. E8 2E99E9FF call 00404258
0056A92A |. 6A 40 push 40
0056A92C |. A1 84055A00 mov eax, [5A0584]
0056A931 |. 8B80 6C080000 mov eax, [eax+86C]
0056A937 |. E8 20ADE9FF call 0040565C
0056A93C |. 50 push eax
0056A93D |. A1 84055A00 mov eax, [5A0584]
0056A942 |. 8B80 74080000 mov eax, [eax+874]
0056A948 |. E8 0FADE9FF call 0040565C
0056A94D |. 50 push eax
0056A94E |. 8BC3 mov eax, ebx
0056A950 |. E8 C73EEFFF call 0045E81C
0056A955 |. 50 push eax ; |hOwner
0056A956 |. E8 E1D9E9FF call <jmp.&user32.MessageBoxA> ; \注册成功弹框
0056A95B |. 8BC3 mov eax, ebx
0056A95D |. E8 DE63F0FF call 00470D40
0056A962 |. 6A 00 push 0 ; /lParam = 0
0056A964 |. 6A 00 push 0 ; |wParam = 0
0056A966 |. 68 78070000 push 778 ; |Message = MSG(778)
0056A96B |. A1 E00D5A00 mov eax, [5A0DE0] ; |
0056A970 |. 8B00 mov eax, [eax] ; |
0056A972 |. 50 push eax ; |hWnd
0056A973 |. E8 64DAE9FF call <jmp.&user32.SendMessageA> ; \SendMessageA

复制代码

其中还有下面这些地方不懂，请高手指教！

0056A57E 8D55 D8 lea edx, [ebp-28]
0056A581 8B83 A8030000 mov eax, [ebx+3A8]
0056A587 E8 90C7EEFF call 00456D1C
0056A58C 8B45 D8 mov eax, [ebp-28] ; 将注册码第二个注册框的注册码给eax
0056A58F 8945 DC mov [ebp-24], eax
0056A592 8B45 DC mov eax, [ebp-24]
0056A595 85C0 test eax, eax
0056A597 74 05 je short 0056A59E
0056A599 83E8 04 sub eax, 4
0056A59C 8B00 mov eax, [eax]
0056A59E 83F8 04 cmp eax, 4 ; 与4比较
0056A5A1 74 2E je short 0056A5D1 ; 判断第二个注册框的注册码是否是四位

复制代码

中间的三个mov是用来干什么的没有很好地理解！
  感谢大家看完！
--------------------------------------------------------------------------------
【经验总结】
  算法总结：
  1、共五个注册框，其中每个框必须要四位，且必须为数字（0-9），也就是20位。
  2、第一个，第二个，第三个注册码只要求位数字就行，可以随便输入数字。
  3、我们假设第一个注册框的四位数设为A、第二个注册框的四位数字为B、第三个的为C、第四个的为D、第五个的为E，则先
  判断A*B-1579(十六进制为62B)，结果设等于X，即X=A*B-1579，然后将X与10000（十六进制为2710）比较，大于或等于就接
  着进行下一步，否者注册跳转失败。
  4、第四个和第五个是通过前三个注册框算的出来：第四个的注册框为第三步的X的后四位。
  5、第五个注册框的算法如下：(C+513(十六进制为201))*B-3573（即十六进制0DF5）结果设等于Y，即Y=(C+513)*B-3573,然
  后结果的后四位给第五个注册框。

  如果改为未注册版本的话，须删除注册表中注册信息，以及regkey.ini这个文件！
  ******************************************************************************
  【算法注册机】：
  不会做
  ******************************************************************************
  【注册码】
  用我开始注册的假码的到的注册码为：5555-4444-3333-4841-8051
  ******************************************************************************
  感谢论坛高手的破解算法文章，真的学到了很多！打算以后要好好打好基础，学会一些高级语言，和汇编语言！

--------------------------------------------------------------------------------
【版权声明】: 只是感兴趣；本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

                                                   2008年03月18日 20:44:3

[ 本帖最后由 unpack 于 2008-3-18 21:02 编辑 ]

unpack · 发表于 2008-3-18 21:03:58

沙发自己做了
等待高手的指点以及批评！/:014

binke · 发表于 2008-3-20 23:41:59

改天我做算法注册机。

[ 本帖最后由 binke 于 2008-3-21 00:18 编辑 ]

tianxj · 发表于 2008-3-21 18:18:20

向楼主致敬,向楼主学习

binke · 发表于 2008-3-25 23:59:41

注册机基本完成了，还有些小问题需要优化。。以前做好的已经在论坛上发了。但是那个算法并不完美，这个算法注册机已经完美了。向楼主学习。。。完美的算法注册机见附件。

[ 本帖最后由 binke 于 2008-4-2 15:37 编辑 ]

		自动登录	找回密码
密码			加入我们

[原创] WinASO Registry Optimizer Version 3.2算法分析--第一次分析出算法

相关帖子