2006-03-14, 08:10 PM | #1 |
SuperCHM2.2 registration crack algorithm analysis
【Title】SuperCHM2.2 registration crack algorithm analysis
【Author】gg1211[CZG][PYG][PCG]
【Platform】WinXp
【Author e-mail】QIBINLEI@YAHOO.COM.CN
【Tools】PEiD, OD
【Protection】machine code + user name + serial number
【Purpose】learning to crack a simple algorithm
【Statement】I am just a little bird who happened to pick up a few things and would like to share them with everyone :)
【Software】SuperCHM2.2
【Download】http://www.xmqm.com/ty/
【Software description】SuperCHM is a truly WYSIWYG CHM authoring tool with a built-in web page editor that is easy to use and full-featured, so you can produce CHM files without switching back and forth between several programs. SuperCHM has the following features:
Projects are saved and loaded in hhp format, which makes the software more broadly compatible.
Contents and index entries can point directly to anchors within a web page.
Powerful decompilation: the decompiled result is loaded directly in SuperCHM, which is easy and convenient.
SuperCHM supports the vast majority of CHM feature settings, so the CHM files you make stand out.
The built-in web page editor integrates DHTMLEDIT well; it is WYSIWYG and full-featured.
MDI design: several web pages can be edited at the same time.
Latest version: V2.2
System requirements: SuperCHM runs on Windows 98, Windows ME, Windows 2000 and Windows XP.

【Steps】
First check with PEiD: it reports Borland Delphi 6.0 - 7.0, not packed.
Run the program; the machine code is 101701111149. Enter the test values gg1211 and 123456789, and the error prompt "你的註冊碼不正確,請重新輸入" (your registration code is incorrect, please re-enter) appears.
Load it in OD, and from the error prompt scroll up to here and set a breakpoint:

0050FBD4 /. 55 push ebp \\I set the breakpoint here
0050FBD5 |. 8BEC mov ebp, esp
0050FBD7 |. 33C9 xor ecx, ecx
0050FBD9 |. 51 push ecx
0050FBDA |. 51 push ecx
0050FBDB |. 51 push ecx
0050FBDC |. 51 push ecx
0050FBDD |. 51 push ecx
0050FBDE |. 53 push ebx
0050FBDF |. 56 push esi
0050FBE0 |. 8BD8 mov ebx, eax \\machine code 101701111149 goes to edx
0050FBE2 |. 33C0 xor eax, eax
0050FBE4 |. 55 push ebp
0050FBE5 |. 68 F2FC5000 push 0050FCF2
0050FBEA |. 64:FF30 push dword ptr fs:[eax]
0050FBED |. 64:8920 mov fs:[eax], esp
0050FBF0 |. 8D4D FC lea ecx, [ebp-4]
0050FBF3 |. 8B93 1C030000 mov edx, [ebx+31C]
0050FBF9 |. 8BC3 mov eax, ebx
0050FBFB |. E8 BCFEFFFF call 0050FABC \\step into this call; it is a plaintext comparison
0050FC00 |. 8B45 FC mov eax, [ebp-4] \\the registration code appears here; a memory keygen
0050FC03 |. 50 push eax \\could be made here, but our goal is to learn the algorithm,
0050FC04 |. 8D55 F8 lea edx, [ebp-8] \\so we step in
0050FC07 |. 8B83 04030000 mov eax, [ebx+304]
0050FC0D |. E8 D6CEF6FF call 0047CAE8
0050FC12 |. 8B45 F8 mov eax, [ebp-8]
0050FC15 |. 5A pop edx
0050FC16 |. E8 7192EFFF call 00408E8C
0050FC1B |. 84C0 test al, al
0050FC1D |. 0F84 A2000000 je 0050FCC5
0050FC23 |. B2 01 mov dl, 1
0050FC25 |. A1 DC2D4400 mov eax, [442DDC]
0050FC2A |. E8 AD32F3FF call 00442EDC
0050FC2F |. 8BF0 mov esi, eax
0050FC31 |. BA 01000080 mov edx, 80000001
0050FC36 |. 8BC6 mov eax, esi
0050FC38 |. E8 7B33F3FF call 00442FB8
0050FC3D |. B1 01 mov cl, 1
0050FC3F |. BA 08FD5000 mov edx, 0050FD08 ; software\superchm
0050FC44 |. 8BC6 mov eax, esi
0050FC46 |. E8 D533F3FF call 00443020
0050FC4B |. 8D55 F4 lea edx, [ebp-C]
0050FC4E |. 8B83 14030000 mov eax, [ebx+314]
0050FC54 |. E8 8FCEF6FF call 0047CAE8
0050FC59 |. 8B4D F4 mov ecx, [ebp-C]
0050FC5C |. BA 24FD5000 mov edx, 0050FD24 ; regname
0050FC61 |. 8BC6 mov eax, esi
0050FC63 |. E8 EC38F3FF call 00443554
0050FC68 |. 8D55 F0 lea edx, [ebp-10]
0050FC6B |. 8B83 04030000 mov eax, [ebx+304]
0050FC71 |. E8 72CEF6FF call 0047CAE8
0050FC76 |. 8B4D F0 mov ecx, [ebp-10]
0050FC79 |. BA 34FD5000 mov edx, 0050FD34 ; regkey
0050FC7E |. 8BC6 mov eax, esi
0050FC80 |. E8 CF38F3FF call 00443554
0050FC85 |. 8BC6 mov eax, esi
0050FC87 |. E8 FC32F3FF call 00442F88
0050FC8C |. 8BC6 mov eax, esi
0050FC8E |. E8 E93CEFFF call 0040397C
0050FC93 |. 8D55 EC lea edx, [ebp-14]
0050FC96 |. 8B83 04030000 mov eax, [ebx+304]
0050FC9C |. E8 47CEF6FF call 0047CAE8
0050FCA1 |. 8B55 EC mov edx, [ebp-14]
0050FCA4 |. 8D83 20030000 lea eax, [ebx+320]
0050FCAA |. E8 714BEFFF call 00404820
0050FCAF |. B8 44FD5000 mov eax, 0050FD44 ; 非常感謝您註冊本軟體!您的註冊成功了。
0050FCB4 |. E8 1F93F2FF call 00438FD8
0050FCB9 |. A1 44125B00 mov eax, [5B1244]
0050FCBE |. E8 49A0F8FF call 00499D0C
0050FCC3 |. EB 0A jmp short 0050FCCF
0050FCC5 |> B8 74FD5000 mov eax, 0050FD74 ; 您的註冊碼不正確,請重新輸入。

Stepping in brings us here:

0050FABC /$ 55 push ebp
0050FABD |. 8BEC mov ebp, esp
0050FABF |. 6A 00 push 0
0050FAC1 |. 6A 00 push 0
0050FAC3 |. 6A 00 push 0
0050FAC5 |. 6A 00 push 0
0050FAC7 |. 6A 00 push 0
0050FAC9 |. 53 push ebx
0050FACA |. 8BD9 mov ebx, ecx
0050FACC |. 8955 FC mov [ebp-4], edx
0050FACF |. 8B45 FC mov eax, [ebp-4]
0050FAD2 |. E8 A551EFFF call 00404C7C
0050FAD7 |. 33C0 xor eax, eax
0050FAD9 |. 55 push ebp
0050FADA |. 68 A1FB5000 push 0050FBA1
0050FADF |. 64:FF30 push dword ptr fs:[eax]
0050FAE2 |. 64:8920 mov fs:[eax], esp
0050FAE5 |. 8D4D F8 lea ecx, [ebp-8]
0050FAE8 |. BA 04000000 mov edx, 4
0050FAED |. 8B45 FC mov eax, [ebp-4]
0050FAF0 |. E8 6BF9F2FF call 0043F460
0050FAF5 |. 8B45 F8 mov eax, [ebp-8] \\take the first four digits of the machine code
0050FAF8 |. E8 CF98EFFF call 004093CC \\step into 004093CC
0050FAFD |. 8D4D F4 lea ecx, [ebp-C]
0050FB00 |. BA 04000000 mov edx, 4
0050FB05 |. E8 9A98EFFF call 004093A4
0050FB0A |. 8D45 F8 lea eax, [ebp-8]
0050FB0D |. 50 push eax
0050FB0E |. B9 04000000 mov ecx, 4
0050FB13 |. BA 05000000 mov edx, 5
0050FB18 |. 8B45 FC mov eax, [ebp-4]
0050FB1B |. E8 34FAF2FF call 0043F554
0050FB20 |. 8B45 F8 mov eax, [ebp-8]
0050FB23 |. E8 A498EFFF call 004093CC
0050FB28 |. 05 3E080000 add eax, 83E
0050FB2D |. 8D4D F0 lea ecx, [ebp-10]
0050FB30 |. BA 05000000 mov edx, 5
0050FB35 |. E8 6A98EFFF call 004093A4
0050FB3A |. 8D4D F8 lea ecx, [ebp-8]
0050FB3D |. BA 04000000 mov edx, 4
0050FB42 |. 8B45 FC mov eax, [ebp-4]
0050FB45 |. E8 86F9F2FF call 0043F4D0
0050FB4A |. 8B45 F8 mov eax, [ebp-8]
0050FB4D |. E8 7A98EFFF call 004093CC
0050FB52 |. 83C0 6E add eax, 6E
0050FB55 |. 8D4D EC lea ecx, [ebp-14]
0050FB58 |. BA 04000000 mov edx, 4
0050FB5D |. E8 4298EFFF call 004093A4
0050FB62 |. 68 B8FB5000 push 0050FBB8 ; t
0050FB67 |. FF75 F4 push dword ptr [ebp-C]
0050FB6A |. 68 C4FB5000 push 0050FBC4 ; -y
0050FB6F |. FF75 F0 push dword ptr [ebp-10]
0050FB72 |. 68 D0FB5000 push 0050FBD0 ; -
0050FB77 |. FF75 EC push dword ptr [ebp-14]
0050FB7A |. 8BC3 mov eax, ebx
0050FB7C |. BA 06000000 mov edx, 6
0050FB81 |. E8 C64FEFFF call 00404B4C
0050FB86 |. 33C0 xor eax, eax
0050FB88 |. 5A pop edx
0050FB89 |. 59 pop ecx
0050FB8A |. 59 pop ecx
0050FB8B |. 64:8910 mov fs:[eax], edx
0050FB8E |. 68 A8FB5000 push 0050FBA8
0050FB93 |> 8D45 EC lea eax, [ebp-14]
0050FB96 |. BA 05000000 mov edx, 5
0050FB9B |. E8 504CEFFF call 004047F0
0050FBA0 \. C3 retn

Stepping in brings us here:

004093CC /$ 53 push ebx
004093CD |. 56 push esi
004093CE |. 83C4 F4 add esp, -0C
004093D1 |. 8BD8 mov ebx, eax
004093D3 |. 8BD4 mov edx, esp
004093D5 |. 8BC3 mov eax, ebx
004093D7 |. E8 609FFFFF call 0040333C \\step in
004093DC |. 8BF0 mov esi, eax
004093DE |. 833C24 00 cmp dword ptr [esp], 0
004093E2 |. 74 19 je short 004093FD
004093E4 |. 895C24 04 mov [esp+4], ebx
004093E8 |. C64424 08 0B mov byte ptr [esp+8], 0B
004093ED |. 8D5424 04 lea edx, [esp+4]
004093F1 |. A1 D0EC5A00 mov eax, [5AECD0]
004093F6 |. 33C9 xor ecx, ecx
004093F8 |. E8 CBF8FFFF call 00408CC8
004093FD |> 8BC6 mov eax, esi
004093FF |. 83C4 0C add esp, 0C
00409402 |. 5E pop esi
00409403 |. 5B pop ebx
00409404 \. C3 retn

And arrive here:

0040333C /$ 53 push ebx
0040333D |. 56 push esi
0040333E |. 57 push edi
0040333F |. 89C6 mov esi, eax
00403341 |. 50 push eax
00403342 |. 85C0 test eax, eax
00403344 |. 74 6C je short 004033B2
00403346 |. 31C0 xor eax, eax
00403348 |. 31DB xor ebx, ebx
0040334A |. BF CCCCCC0C mov edi, 0CCCCCCC
0040334F |> 8A1E /mov bl, [esi]
00403351 |. 46 |inc esi
00403352 |. 80FB 20 |cmp bl, 20 \\is it a space?
00403355 |.^ 74 F8 \je short 0040334F
00403357 |. B5 00 mov ch, 0
00403359 |. 80FB 2D cmp bl, 2D \\is it -?
0040335C |. 74 62 je short 004033C0
0040335E |. 80FB 2B cmp bl, 2B \\is it +?
00403361 |. 74 5F je short 004033C2
00403363 |> 80FB 24 cmp bl, 24 \\is it $?
00403366 |. 74 5F je short 004033C7
00403368 |. 80FB 78 cmp bl, 78 \\is it x?
0040336B |. 74 5A je short 004033C7
0040336D |. 80FB 58 cmp bl, 58 \\is it X?
00403370 |. 74 55 je short 004033C7
00403372 |. 80FB 30 cmp bl, 30 \\is it 0?
00403375 |. 75 13 jnz short 0040338A
00403377 |. 8A1E mov bl, [esi] ; Case 30 ('0') of switch 00403363
00403379 |. 46 inc esi
0040337A |. 80FB 78 cmp bl, 78
0040337D |. 74 48 je short 004033C7
0040337F |. 80FB 58 cmp bl, 58
00403382 |. 74 43 je short 004033C7
00403384 |. 84DB test bl, bl
00403386 |. 74 20 je short 004033A8
00403388 |. EB 04 jmp short 0040338E
0040338A |> 84DB test bl, bl
0040338C |. 74 2D je short 004033BB
0040338E |> 80EB 30 /sub bl, 30 \\this part is very important: this loop performs
00403391 |. 80FB 09 |cmp bl, 9 \\the most important computation,
00403394 |. 77 25 |ja short 004033BB \\looping digit by digit over the value of each of
00403396 |. 39F8 |cmp eax, edi \\the three four-digit machine-code segments
00403398 |. 77 21 |ja short 004033BB
0040339A |. 8D0480 |lea eax, [eax+eax*4]
0040339D |. 01C0 |add eax, eax
0040339F |. 01D8 |add eax, ebx \\the resulting value is stored in eax
004033A1 |. 8A1E |mov bl, [esi]
004033A3 |. 46 |inc esi
004033A4 |. 84DB |test bl, bl
004033A6 |.^ 75 E6 \jnz short 0040338E
004033A8 |> FECD dec ch
004033AA |. 74 09 je short 004033B5
004033AC |. 85C0 test eax, eax
004033AE |. 7D 54 jge short 00403404
004033B0 |. EB 09 jmp short 004033BB
004033B2 |> 46 inc esi
004033B3 |. EB 06 jmp short 004033BB
004033B5 |> F7D8 neg eax
004033B7 |. 7E 4B jle short 00403404
004033B9 |. 78 49 js short 00403404
004033BB |> 5B pop ebx ; Default case of switch 004033DB
004033BC |. 29DE sub esi, ebx
004033BE |. EB 47 jmp short 00403407
004033C0 |> FEC5 inc ch
004033C2 |> 8A1E mov bl, [esi]
004033C4 |. 46 inc esi
004033C5 |.^ EB 9C jmp short 00403363
004033C7 |> BF FFFFFF0F mov edi, 0FFFFFFF ; Cases 24 ('$'),58 ('X'),78 ('x') of switch 00403363
004033CC |. 8A1E mov bl, [esi]
004033CE |. 46 inc esi
004033CF |. 84DB test bl, bl
004033D1 |.^ 74 DF je short 004033B2
004033D3 |> 80FB 61 /cmp bl, 61
004033D6 |. 72 03 |jb short 004033DB
004033D8 |. 80EB 20 |sub bl, 20
004033DB |> 80EB 30 |sub bl, 30 ; Switch (cases 30..46)
004033DE |. 80FB 09 |cmp bl, 9
004033E1 |. 76 0B |jbe short 004033EE
004033E3 |. 80EB 11 |sub bl, 11
004033E6 |. 80FB 05 |cmp bl, 5
004033E9 |.^ 77 D0 |ja short 004033BB
004033EB |. 80C3 0A |add bl, 0A ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 004033DB
004033EE |> 39F8 |cmp eax, edi ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 004033DB
004033F0 |.^ 77 C9 |ja short 004033BB
004033F2 |. C1E0 04 |shl eax, 4
004033F5 |. 01D8 |add eax, ebx
004033F7 |. 8A1E |mov bl, [esi]
004033F9 |. 46 |inc esi
004033FA |. 84DB |test bl, bl
004033FC |.^ 75 D5 \jnz short 004033D3
004033FE |. FECD dec ch
00403400 |. 75 02 jnz short 00403404
00403402 |. F7D8 neg eax
00403404 |> 59 pop ecx
00403405 |. 31F6 xor esi, esi
00403407 |> 8932 mov [edx], esi
00403409 |. 5F pop edi
0040340A |. 5E pop esi
0040340B |. 5B pop ebx
0040340C \. C3 retn

Never mind, this one is really hard to write up, with so many calls in use. I will just summarize the algorithm and give the algorithm keygen I wrote. I have only just started learning VB programming and jumped in without even reading a book, so the program is really badly written; experts, please give me a pointer or two.

Dim jiqima As String

Private Sub Form_Load()
End Sub

Private Sub Label4_Click()
    End
End Sub

Public Sub Label5_Click()
    jiqima = Text1.Text
    If Len(jiqima) <> 12 Then
        e = MsgBox("錯誤!請輸入本機機註冊時顯示的12位機器碼!", 0, "錯誤提示")
        GoTo kk
    End If
    ' Split the 12-digit machine code into three 4-digit segments
    a = Left(jiqima, 4)
    temp = Right(jiqima, 8)
    b = Left(temp, 4)
    c = Right(temp, 4)
    ' Segment 1: decimal digits to a number, then to hex, padded to 4 characters
    For i = 1 To 4
        eax1 = eax1 * &HA
        ebx1 = Val(Mid(a, i, 1))
        eax1 = eax1 + ebx1
    Next i
    eax1 = Hex(eax1)
    d = Len(eax1)
    Select Case d
        Case 1
            eax1 = "000" + eax1
        Case 2
            eax1 = "00" + eax1
        Case 3
            eax1 = "0" + eax1
        Case 4
            ex1 = "eax1"
    End Select
    ' Segment 2: same conversion plus &H83E, padded to 5 characters
    For i = 1 To 4
        eax2 = eax2 * &HA
        ebx2 = Val(Mid(b, i, 1))
        eax2 = eax2 + ebx2
    Next i
    eax2 = Hex(eax2 + &H83E)
    e = Len(eax2)
    Select Case e
        Case 1
            eax2 = "0000" + eax2
        Case 2
            eax2 = "000" + eax2
        Case 3
            eax2 = "00" + eax2
        Case 4
            eax2 = "0" + eax2
        Case 4
            eax2 = "eax2"
    End Select
    ' Segment 3: same conversion plus &H6E, padded to 4 characters
    For i = 1 To 4
        eax3 = eax3 * &HA
        ebx3 = Val(Mid(c, i, 1))
        eax3 = eax3 + ebx3
    Next i
    eax3 = Hex(eax3 + &H6E)
    f = Len(eax3)
    Select Case f
        Case 1
            eax3 = "000" + eax3
        Case 2
            eax3 = "00" + eax3
        Case 3
            eax3 = "0" + eax3
        Case 4
            ex3 = "eax3"
    End Select
    Text2.Text = "T" + eax1 + "-" + "Y" + eax2 + "-" + eax3
kk:
End Sub
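The routine at 0040333C in the listing above is a string-to-integer parser with a sign flag, a hex branch and an overflow guard. The following C rendering is an added example, not part of the original post; it is one reading of the disassembly, not the vendor's or the runtime's source. The names val_long, acc, limit and code are assumptions chosen for readability.

```c
#include <stdint.h>
#include <stdio.h>
/* C reading of the routine at 0040333C (names are assumptions, not symbols from
   the binary). *code is 0 on success, else the 1-based offset where parsing stopped. */
int32_t val_long(const char *s, int *code)
{
    const unsigned char *p = (const unsigned char *)s;
    uint32_t acc = 0, limit = 0x0CCCCCCC;    /* edi: acc above this cannot take *10 */
    unsigned c, neg = 0, hex = 0;
    if (!s) { *code = 1; return 0; }
    do { c = *p++; } while (c == ' ');       /* 0040334F: skip leading spaces */
    if (c == '-') { neg = 1; c = *p++; }     /* 004033C0: ch = 1 marks a negative */
    else if (c == '+') { c = *p++; }
    if (c == '$' || c == 'x' || c == 'X') hex = 1;
    else if (c == '0') {
        c = *p++;
        if (c == 'x' || c == 'X') hex = 1;
        else if (c == 0) { *code = 0; return 0; }   /* the string was just "0" */
    } else if (c == 0) goto fail;            /* nothing to parse */
    if (hex) {                               /* 004033C7: hexadecimal branch */
        limit = 0x0FFFFFFF;
        if ((c = *p++) == 0) { p++; goto fail; }
        do {
            if (c >= 'a') c -= 0x20;         /* fold to upper case */
            c = (c - '0') & 0xFF;            /* 8-bit wrap, as in bl */
            if (c > 9) { c = (c - 0x11) & 0xFF; if (c > 5) goto fail; c += 10; }
            if (acc > limit) goto fail;
            acc = (acc << 4) + c;
        } while ((c = *p++) != 0);
    } else {                                 /* 0040338E: decimal loop */
        do {
            c = (c - '0') & 0xFF;
            if (c > 9 || acc > limit) goto fail;
            acc = acc * 10 + c;              /* lea eax,[eax+eax*4]; add eax,eax; add eax,ebx */
        } while ((c = *p++) != 0);
        if (acc > (neg ? 0x80000000u : 0x7FFFFFFFu)) goto fail;  /* signed 32-bit range */
    }
    *code = 0;
    return (int32_t)(neg ? 0u - acc : acc);
fail:
    *code = (int)(p - (const unsigned char *)s);
    return (int32_t)acc;
}

int main(void) {
    int code;
    int32_t v = val_long("1017", &code);     /* first four digits of the page's machine code */
    printf("%d 0x%X code=%d\n", (int)v, (unsigned)v, code);
    return 0;
}
```

The constant 0CCCCCCC loaded into edi is the largest accumulator value that can still be multiplied by ten without leaving the 32-bit range, which is why the loop compares eax against it before each multiply.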