吾爱破解 - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn


[Original] XXX Encryption Tool: Algorithm Analysis + Writing a Network Keygen

红绡枫叶 posted on 2015-1-11 00:09
This post was last edited by zjh16529 on 2019-6-6 21:48

Protected Folder is a piece of software I quite like; it makes protecting files very convenient. See the screenshot:

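Registration works by local validation followed by network validation, so the analysis is split into two parts. The program is compiled with Delphi 2009.
Part 1: Analysis of the local registration algorithm.

First, you need to understand how the Delphi compiler behaves: up to three arguments are passed in registers, and any more go on the stack, i.e.
delphi(eax,edx,ecx,stack...), with arguments passed in order from right to left! The register used for each argument position is fixed.
All symbol analysis was done with IDR; generating a map for OD to use is quite convenient. In IDR you can find the address of the registration button's event handler:
[Asm]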
005D0DB8 > .  55            push ebp                                     ;  UnitUserRegister_TFormUserRegister_Button_ActivateClick
005D0DB9   .  8BEC          mov ebp,esp
005D0DBB   .  B9 39000000   mov ecx,0x39
005D0DC0   >  6A 00         push 0x0
005D0DC2   .  6A 00         push 0x0
005D0DC4   .  49            dec ecx
005D0DC5   .^ 75 F9         jnz short Protecte.005D0DC0
005D0DC7   .  53            push ebx
005D0DC8   .  56            push esi
005D0DC9   .  57            push edi
005D0DCA   .  8985 0CFFFFFF mov dword ptr ss:[ebp-0xF4],eax
005D0DD0   .  8D85 10FFFFFF lea eax,dword ptr ss:[ebp-0xF0]
005D0DD6   .  8B15 D0C34500 mov edx,dword ptr ds:[0x45C3D0]              ;  Protecte.0045C3D4
005D0DDC   .  E8 8363E3FF   call <Protecte.System_@InitializeRecord>
005D0DE1   .  33C0          xor eax,eax
005D0DE3   .  55            push ebp
005D0DE4   .  68 DB1C5D00   push Protecte.005D1CDB
005D0DE9   .  64:FF30       push dword ptr fs:[eax]
005D0DEC   .  64:8920       mov dword ptr fs:[eax],esp
005D0DEF   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0DF5   .  8B80 A8030000 mov eax,dword ptr ds:[eax+0x3A8]
005D0DFB   .  33D2          xor edx,edx
005D0DFD   .  E8 6AF2F0FF   call <Protecte.TControl_SetVisible>
005D0E02   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E08   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0E0E   .  33D2          xor edx,edx
005D0E10   .  8B08          mov ecx,dword ptr ds:[eax]
005D0E12   .  FF51 64       call dword ptr ds:[ecx+0x64]
005D0E15   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E1B   .  8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0E21   .  8B80 A8010000 mov eax,dword ptr ds:[eax+0x1A8]
005D0E27   .  8B40 0C       mov eax,dword ptr ds:[eax+0xC]
005D0E2A   .  BA 58020000   mov edx,0x258
005D0E2F   .  E8 00CCFFFF   call <Protecte.TGIFImage_SetAnimationSpeed>
005D0E34   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E3A   .  8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0E40   .  B2 01         mov dl,0x1
005D0E42   .  E8 25F2F0FF   call <Protecte.TControl_SetVisible>
005D0E47   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E4D   .  8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0E53   .  8B80 A8010000 mov eax,dword ptr ds:[eax+0x1A8]
005D0E59   .  8B40 0C       mov eax,dword ptr ds:[eax+0xC]
005D0E5C   .  B2 01         mov dl,0x1
005D0E5E   .  E8 ADCBFFFF   call <Protecte.GIFImg_TGIFImage_SetAnimate>
005D0E63   .  A1 54075F00   mov eax,dword ptr ds:[0x5F0754]
005D0E68   .  8B00          mov eax,dword ptr ds:[eax]
005D0E6A   .  E8 BD0CF3FF   call <Protecte.Forms_TApplication_ProcessMes>
005D0E6F   .  8D95 00FFFFFF lea edx,dword ptr ss:[ebp-0x100]
005D0E75   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E7B   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0E81   .  E8 9EF2F0FF   call <Protecte.TControl_GetText> //IDR did a good job here; the label tells you this fetches the registration code
005D0E86   .  8B95 00FFFFFF mov edx,dword ptr ss:[ebp-0x100]
005D0E8C   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E92   .  E8 39180000   call <Protecte.regkeyValidate>  //so this is the really critical call. Step into it for analysis now. (I chose the name myself)
005D0E97   .  84C0          test al,al
005D0E99   .  0F85 D5000000 jnz Protecte.005D0F74  //if this jump is not taken, execution falls straight into the error message below
005D0E9F   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0EA5   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0EAB   .  B2 01         mov dl,0x1
005D0EAD   .  8B08          mov ecx,dword ptr ds:[eax]
005D0EAF   .  FF51 64       call dword ptr ds:[ecx+0x64]
005D0EB2   .  A1 54075F00   mov eax,dword ptr ds:[0x5F0754]
005D0EB7   .  8B00          mov eax,dword ptr ds:[eax]
005D0EB9   .  E8 6E0CF3FF   call <Protecte.Forms_TApplication_ProcessMes>
005D0EBE   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0EC4   .  8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0ECA   .  33D2          xor edx,edx
005D0ECC   .  E8 9BF1F0FF   call <Protecte.TControl_SetVisible>
005D0ED1   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0ED7   .  8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0EDD   .  8B80 A8010000 mov eax,dword ptr ds:[eax+0x1A8]
005D0EE3   .  8B40 0C       mov eax,dword ptr ds:[eax+0xC]
005D0EE6   .  33D2          xor edx,edx
005D0EE8   .  E8 23CBFFFF   call <Protecte.GIFImg_TGIFImage_SetAnimate>
005D0EED   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0EF3   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0EF9   .  BA E08A8A00   mov edx,0x8A8AE0
005D0EFE   .  E8 D9F3F0FF   call <Protecte.TControl_SetColor>
005D0F03   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F09   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0F0F   .  E8 C43BEDFF   call <Protecte.StdCtrls_TCustomEdit_SelectAl>
005D0F14   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F1A   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0F20   .  8B10          mov edx,dword ptr ds:[eax]
005D0F22   .  FF92 D8000000 call dword ptr ds:[edx+0xD8]
005D0F28   .  8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104]
005D0F2E   .  50            push eax
005D0F2F   .  A1 84055F00   mov eax,dword ptr ds:[0x5F0584]
005D0F34   .  8B00          mov eax,dword ptr ds:[eax]
005D0F36   .  B9 F81C5D00   mov ecx,<Protecte.aInvalidLicense>           ;  UNICODE "Invalid license code!Please retry."
005D0F3B   .  BA 4C1D5D00   mov edx,<Protecte.aInvalic>                  ;  UNICODE "invaLic" the error message is far too obvious....
005D0F40   .  E8 CBC6FBFF   call <Protecte.PLabelNote_sub_0058D610>
005D0F45   .  8B95 FCFEFFFF mov edx,dword ptr ss:[ebp-0x104]
005D0F4B   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F51   .  8B80 A8030000 mov eax,dword ptr ds:[eax+0x3A8]
005D0F57   .  E8 00F2F0FF   call <Protecte.Controls_TControl_SetText>
005D0F5C   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F62   .  8B80 A8030000 mov eax,dword ptr ds:[eax+0x3A8]
005D0F68   .  B2 01         mov dl,0x1
005D0F6A   .  E8 FDF0F0FF   call <Protecte.TControl_SetVisible>
005D0F6F   .  E9 200D0000   jmp Protecte.005D1C94
005D0F74   >  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4] 



Stepping into the key call 005D0E92 call <Protecte.regkeyValidate> for analysis:
[Asm]
005D26D0 >/$  55            push ebp                                     ;  regkeyValidate
005D26D1  |.  8BEC          mov ebp,esp
005D26D3  |.  B9 22000000   mov ecx,0x22
005D26D8  |>  6A 00         /push 0x0
005D26DA  |.  6A 00         |push 0x0
005D26DC  |.  49            |dec ecx
005D26DD  |.^ 75 F9         \jnz short Protecte.005D26D8
005D26DF  |.  51            push ecx
005D26E0  |.  53            push ebx
005D26E1  |.  8955 FC       mov [local.1],edx
005D26E4  |.  8B45 FC       mov eax,[local.1]
005D26E7  |.  E8 E83FE3FF   call <Protecte.j_System_@LStrAddRef>
005D26EC  |.  33C0          xor eax,eax
005D26EE  |.  55            push ebp
005D26EF  |.  68 112F5D00   push Protecte.005D2F11
005D26F4  |.  64:FF30       push dword ptr fs:[eax]
005D26F7  |.  64:8920       mov dword ptr fs:[eax],esp
005D26FA  |.  33DB          xor ebx,ebx
005D26FC  |.  8D55 E8       lea edx,[local.6]
005D26FF  |.  8B45 FC       mov eax,[local.1]
005D2702  |.  E8 BDA4E8FF   call <Protecte._Unit13_UpperCase> //convert the registration code to upper case
005D2707  |.  8B55 E8       mov edx,[local.6]
005D270A  |.  8D45 FC       lea eax,[local.1]
005D270D  |.  E8 2E40E3FF   call <Protecte.@UStrLAsg> //functions like this one come from string assignment (strings are all objects)
005D2712  |.  0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D2719  |.  50            push eax
005D271A  |.  8D45 E4       lea eax,[local.7]
005D271D  |.  50            push eax
005D271E  |.  B9 342F5D00   mov ecx,<Protecte.char_0>
005D2723  |.  BA 442F5D00   mov edx,<Protecte.char_O>//I have already labelled these here; very important arguments
005D2728  |.  8B45 FC       mov eax,[local.1]
005D272B  |.  E8 0C3FE9FF   call <Protecte.StringReplace> //from the arguments you can tell it replaces O with 0.
005D2730  |.  8B55 E4       mov edx,[local.7]
005D2733  |.  8D45 FC       lea eax,[local.1]
005D2736  |.  E8 0540E3FF   call <Protecte.@UStrLAsg>
005D273B  |.  0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D2742  |.  50            push eax
005D2743  |.  8D45 E0       lea eax,[local.8]
005D2746  |.  50            push eax
005D2747  |.  B9 542F5D00   mov ecx,<Protecte.char_1>
005D274C  |.  BA 642F5D00   mov edx,<Protecte.char_L>
005D2751  |.  8B45 FC       mov eax,[local.1]
005D2754  |.  E8 E33EE9FF   call <Protecte.StringReplace>//replace L with 1
005D2759  |.  8B55 E0       mov edx,[local.8]
005D275C  |.  8D45 FC       lea eax,[local.1]
005D275F  |.  E8 DC3FE3FF   call <Protecte.@UStrLAsg>
005D2764  |.  0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D276B  |.  50            push eax
005D276C  |.  8D45 DC       lea eax,[local.9]
005D276F  |.  50            push eax
005D2770  |.  33C9          xor ecx,ecx
005D2772  |.  BA 742F5D00   mov edx,<Protecte.char_space>
005D2777  |.  8B45 FC       mov eax,[local.1]
005D277A  |.  E8 BD3EE9FF   call <Protecte.StringReplace>//remove spaces
005D277F  |.  8B55 DC       mov edx,[local.9]
005D2782  |.  8D45 FC       lea eax,[local.1]
005D2785  |.  E8 B63FE3FF   call <Protecte.@UStrLAsg>
005D278A  |.  0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D2791  |.  50            push eax
005D2792  |.  8D45 D8       lea eax,[local.10]
005D2795  |.  50            push eax
005D2796  |.  33C9          xor ecx,ecx
005D2798  |.  BA 842F5D00   mov edx,<Protecte.wchar_0>
005D279D  |.  8B45 FC       mov eax,[local.1]
005D27A0  |.  E8 973EE9FF   call <Protecte.StringReplace> //remove wide-char 0....useless
005D27A5  |.  8B55 D8       mov edx,[local.10]
005D27A8  |.  8D45 FC       lea eax,[local.1]
005D27AB  |.  E8 903FE3FF   call <Protecte.@UStrLAsg>
005D27B0  |.  8B45 FC       mov eax,[local.1]
005D27B3  |.  85C0          test eax,eax
005D27B5  |.  74 16         je short Protecte.005D27CD
005D27B7  |.  8BD0          mov edx,eax
005D27B9  |.  83EA 0A       sub edx,0xA
005D27BC  |.  66:833A 02    cmp word ptr ds:[edx],0x2
005D27C0  |.  74 0B         je short Protecte.005D27CD
005D27C2  |.  8D45 FC       lea eax,[local.1]
005D27C5  |.  8B55 FC       mov edx,[local.1]
005D27C8  |.  E8 C331E3FF   call <Protecte.System_@InternalUStrFromLStr>
005D27CD  |>  85C0          test eax,eax
005D27CF  |.  74 05         je short Protecte.005D27D6
005D27D1  |.  83E8 04       sub eax,0x4
005D27D4  |.  8B00          mov eax,dword ptr ds:[eax]
005D27D6  |>  83F8 17       cmp eax,0x17 //check whether the string length is 23... including the "-"
005D27D9  |.  0F85 23060000 jnz Protecte.005D2E02 //if not, jump to xor eax,eax....obviously to make the return value zero
005D27DF  |.  8B45 FC       mov eax,[local.1]
005D27E2  |.  85C0          test eax,eax
005D27E4  |.  74 16         je short Protecte.005D27FC
005D27E6  |.  8BD0          mov edx,eax
005D27E8  |.  83EA 0A       sub edx,0xA
005D27EB  |.  66:833A 02    cmp word ptr ds:[edx],0x2 //these odd-looking comparisons check the string type
005D27EF  |.  74 0B         je short Protecte.005D27FC
005D27F1  |.  8D45 FC       lea eax,[local.1]
005D27F4  |.  8B55 FC       mov edx,[local.1]
005D27F7  |.  E8 9431E3FF   call <Protecte.System_@InternalUStrFromLStr>
005D27FC  |>  66:8378 0A 2D cmp word ptr ds:[eax+0xA],0x2D //check whether the 11th is "-"
005D2801  |.  74 04         je short Protecte.005D2807
005D2803  |.  B0 01         mov al,0x1
005D2805  |.  EB 25         jmp short Protecte.005D282C
005D2807  |>  8B45 FC       mov eax,[local.1]
005D280A  |.  85C0          test eax,eax
005D280C  |.  74 16         je short Protecte.005D2824
005D280E  |.  8BD0          mov edx,eax
005D2810  |.  83EA 0A       sub edx,0xA
005D2813  |.  66:833A 02    cmp word ptr ds:[edx],0x2
005D2817  |.  74 0B         je short Protecte.005D2824
005D2819  |.  8D45 FC       lea eax,[local.1]
005D281C  |.  8B55 FC       mov edx,[local.1]
005D281F  |.  E8 6C31E3FF   call <Protecte.System_@InternalUStrFromLStr>
005D2824  |>  66:8378 16 2D cmp word ptr ds:[eax+0x16],0x2D //check whether the 22nd is "-"
005D2829  |.  0F95C0        setne al
005D282C  |>  84C0          test al,al
005D282E  |.  74 04         je short Protecte.005D2834
005D2830  |.  B0 01         mov al,0x1
005D2832  |.  EB 25         jmp short Protecte.005D2859
005D2834  |>  8B45 FC       mov eax,[local.1]
005D2837  |.  85C0          test eax,eax
005D2839  |.  74 16         je short Protecte.005D2851
005D283B  |.  8BD0          mov edx,eax
005D283D  |.  83EA 0A       sub edx,0xA
005D2840  |.  66:833A 02    cmp word ptr ds:[edx],0x2
005D2844  |.  74 0B         je short Protecte.005D2851
005D2846  |.  8D45 FC       lea eax,[local.1]
005D2849  |.  8B55 FC       mov edx,[local.1]
005D284C  |.  E8 3F31E3FF   call <Protecte.System_@InternalUStrFromLStr>
005D2851  |>  66:8378 22 2D cmp word ptr ds:[eax+0x22],0x2D //
005D2856  |.  0F95C0        setne al
005D2859  |>  84C0          test al,al
005D285B  |.  0F85 A1050000 jnz Protecte.005D2E02
005D2861  |.  0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D2868  |.  50            push eax
005D2869  |.  8D45 D4       lea eax,[local.11]
005D286C  |.  50            push eax
005D286D  |.  33C9          xor ecx,ecx
005D286F  |.  BA 942F5D00   mov edx,<Protecte.char_2D>
005D2874  |.  8B45 FC       mov eax,[local.1]
005D2877  |.  E8 C03DE9FF   call <Protecte.StringReplace> //remove "-"
005D287C  |.  8B55 D4       mov edx,[local.11]
005D287F  |.  8D45 FC       lea eax,[local.1]
005D2882  |.  E8 B93EE3FF   call <Protecte.@UStrLAsg>
005D2887  |.  8B45 FC       mov eax,[local.1]
005D288A  |.  85C0          test eax,eax
005D288C  |.  74 16         je short Protecte.005D28A4
005D288E  |.  8BD0          mov edx,eax
005D2890  |.  83EA 0A       sub edx,0xA
005D2893  |.  66:833A 02    cmp word ptr ds:[edx],0x2
005D2897  |.  74 0B         je short Protecte.005D28A4
005D2899  |.  8D45 FC       lea eax,[local.1]
005D289C  |.  8B55 FC       mov edx,[local.1]
005D289F  |.  E8 EC30E3FF   call <Protecte.System_@InternalUStrFromLStr>
005D28A4  |>  85C0          test eax,eax
005D28A6  |.  74 05         je short Protecte.005D28AD
005D28A8  |.  83E8 04       sub eax,0x4
005D28AB  |.  8B00          mov eax,dword ptr ds:[eax]
005D28AD  |>  83F8 14       cmp eax,0x14
005D28B0  |.  0F85 4C050000 jnz Protecte.005D2E02
005D28B6  |.  B8 01000000   mov eax,0x1
005D28BB  |>  8B55 FC       /mov edx,[local.1]
005D28BE  |.  0FB75442 FE   |movzx edx,word ptr ds:[edx+eax*2-0x2]
005D28C3  |.  83C2 D0       |add edx,-0x30
005D28C6  |.  66:83EA 0A    |sub dx,0xA
005D28CA  |.  72 0D         |jb short Protecte.005D28D9
005D28CC  |.  83C2 F9       |add edx,-0x7
005D28CF  |.  66:83EA 06    |sub dx,0x6
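005D28D3  |.  0F83 29050000 |jnb Protecte.005D2E02 //this one again jumps to xor eax,eax
005D28D9  |>  40            |inc eax             //this small loop just checks whether each input character is below 0x3a
005D28DA  |.  83F8 15       |cmp eax,0x15       //or below 0x47....put plainly, the input range is 0-9,A-F (regardless of case)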
005D28DD  |.^ 75 DC         \jnz short Protecte.005D28BB
005D28DF  |.  8D45 CC       lea eax,[local.13]
005D28E2  |.  8B55 FC       mov edx,[local.1]
005D28E5  |.  E8 7E40E3FF   call <Protecte.System_@WStrFromUStr>
005D28EA  |.  8B45 CC       mov eax,[local.13]
005D28ED  |.  8D4D D0       lea ecx,[local.12]
005D28F0  |.  BA 04000000   mov edx,0x4
005D28F5  |.  E8 7A89E8FF   call <Protecte._Unit13_LeftStr> //take the left 4 characters of the registration code... they will be used later.
005D28FA  |.  8B55 D0       mov edx,[local.12]
005D28FD  |.  8D45 EC       lea eax,[local.5]
005D2900  |.  E8 4F40E3FF   call <Protecte.System_@UStrFromWStr>
005D2905  |.  8D45 C4       lea eax,[local.15]
005D2908  |.  8B55 FC       mov edx,[local.1]
005D290B  |.  E8 5840E3FF   call <Protecte.System_@WStrFromUStr>
005D2910  |.  8B45 C4       mov eax,[local.15]
005D2913  |.  8D4D C8       lea ecx,[local.14]
005D2916  |.  BA 10000000   mov edx,0x10
005D291B  |.  E8 7089E8FF   call <Protecte.RightStr> //take the right 16 characters of the registration code
005D2920  |.  8B55 C8       mov edx,[local.14]
005D2923  |.  8D45 FC       lea eax,[local.1]
005D2926  |.  E8 2940E3FF   call <Protecte.System_@UStrFromWStr>
005D292B  |.  8D45 BC       lea eax,[local.17]
005D292E  |.  8B55 FC       mov edx,[local.1]
005D2931  |.  E8 3240E3FF   call <Protecte.System_@WStrFromUStr>
005D2936  |.  8B45 BC       mov eax,[local.17]
005D2939  |.  8D4D C0       lea ecx,[local.16]
005D293C  |.  BA 05000000   mov edx,0x5
005D2941  |.  E8 2E89E8FF   call <Protecte._Unit13_LeftStr>//take the left 5 of the right 16 characters of the registration code
005D2946  |.  8B55 C0       mov edx,[local.16]
005D2949  |.  8D45 F0       lea eax,[local.4]
005D294C  |.  E8 0340E3FF   call <Protecte.System_@UStrFromWStr>
005D2951  |.  8D45 B4       lea eax,[local.19]
005D2954  |.  8B55 FC       mov edx,[local.1]
005D2957  |.  E8 0C40E3FF   call <Protecte.System_@WStrFromUStr>
005D295C  |.  8B45 B4       mov eax,[local.19]
005D295F  |.  8D4D B8       lea ecx,[local.18]
005D2962  |.  BA 0B000000   mov edx,0xB
005D2967  |.  E8 2489E8FF   call <Protecte.RightStr> //take the right 11 characters of the registration code
005D296C  |.  8B55 B8       mov edx,[local.18]
005D296F  |.  8D45 FC       lea eax,[local.1]
005D2972  |.  E8 DD3FE3FF   call <Protecte.System_@UStrFromWStr>
005D2977  |.  8D45 AC       lea eax,[local.21]
005D297A  |.  8B55 FC       mov edx,[local.1]
005D297D  |.  E8 E63FE3FF   call <Protecte.System_@WStrFromUStr>
005D2982  |.  8B45 AC       mov eax,[local.21]
005D2985  |.  8D4D B0       lea ecx,[local.20]
005D2988  |.  BA 04000000   mov edx,0x4
005D298D  |.  E8 E288E8FF   call <Protecte._Unit13_LeftStr>//take the left 4 of the right 11 characters of the registration code
005D2992  |.  8B55 B0       mov edx,[local.20]
005D2995  |.  8D45 F8       lea eax,[local.2]
005D2998  |.  E8 B73FE3FF   call <Protecte.System_@UStrFromWStr>
005D299D  |.  8D45 A4       lea eax,[local.23]
005D29A0  |.  8B55 FC       mov edx,[local.1]
005D29A3  |.  E8 C03FE3FF   call <Protecte.System_@WStrFromUStr>
005D29A8  |.  8B45 A4       mov eax,[local.23]
005D29AB  |.  8D4D A8       lea ecx,[local.22]
005D29AE  |.  BA 07000000   mov edx,0x7
005D29B3  |.  E8 D888E8FF   call <Protecte.RightStr>//take the right 7 characters of the registration code
005D29B8  |.  8B55 A8       mov edx,[local.22]
005D29BB  |.  8D45 FC       lea eax,[local.1]
005D29BE  |.  E8 913FE3FF   call <Protecte.System_@UStrFromWStr>
005D29C3  |.  8D45 9C       lea eax,[local.25]
005D29C6  |.  8B55 FC       mov edx,[local.1]
005D29C9  |.  E8 9A3FE3FF   call <Protecte.System_@WStrFromUStr>
005D29CE  |.  8B45 9C       mov eax,[local.25]
005D29D1  |.  8D4D A0       lea ecx,[local.24]
005D29D4  |.  BA 05000000   mov edx,0x5
005D29D9  |.  E8 9688E8FF   call <Protecte._Unit13_LeftStr>//take the left 5 of the right 7 characters of the registration code
005D29DE  |.  8B55 A0       mov edx,[local.24]
005D29E1  |.  8D45 F4       lea eax,[local.3]
005D29E4  |.  E8 6B3FE3FF   call <Protecte.System_@UStrFromWStr>
005D29E9  |.  8D45 94       lea eax,[local.27]
005D29EC  |.  8B55 FC       mov edx,[local.1]
005D29EF  |.  E8 743FE3FF   call <Protecte.System_@WStrFromUStr>
005D29F4  |.  8B45 94       mov eax,[local.27]
005D29F7  |.  8D4D 98       lea ecx,[local.26]
005D29FA  |.  BA 02000000   mov edx,0x2
005D29FF  |.  E8 8C88E8FF   call <Protecte.RightStr>//take the right 2 characters of the registration code
005D2A04  |.  8B55 98       mov edx,[local.26]
005D2A07  |.  8D45 FC       lea eax,[local.1]
005D2A0A  |.  E8 453FE3FF   call <Protecte.System_@UStrFromWStr>
005D2A0F  |.  8D85 7CFFFFFF lea eax,[local.33]
005D2A15  |.  8B55 EC       mov edx,[local.5]
005D2A18  |.  B9 00000000   mov ecx,0x0
005D2A1D  |.  E8 0E3FE3FF   call <Protecte.System_@LStrFromUStr>
005D2A22  |.  8B85 7CFFFFFF mov eax,[local.33]      //left 4 characters
005D2A28  |.  8D55 80       lea edx,[local.32]         
005D2A2B  |.  E8 A8B6FCFF   call <Protecte.calcMD5> //compute MD5... it took me a while of analysis to figure that out; I should have used Krypto Analyzer from the start
005D2A30  |.  8D45 80       lea eax,[local.32]
005D2A33  |.  8D55 90       lea edx,[local.28]
005D2A36  |.  E8 35B7FCFF   call <Protecte.MD5Hex2Ustr>//the MD5 result is hex values and has to be converted to a str... very simple to analyze, so I'll skip it
005D2A3B  |.  8B45 90       mov eax,[local.28]
005D2A3E  |.  50            push eax
005D2A3F  |.  8D85 60FFFFFF lea eax,[local.40]
005D2A45  |.  8B55 F8       mov edx,[local.2]
005D2A48  |.  B9 00000000   mov ecx,0x0
005D2A4D  |.  E8 DE3EE3FF   call <Protecte.System_@LStrFromUStr>
005D2A52  |.  8B85 60FFFFFF mov eax,[local.40]
005D2A58  |.  8D55 80       lea edx,[local.32]
005D2A5B  |.  E8 78B6FCFF   call <Protecte.calcMD5> //compute the MD5 of the left 4 of the right 11 characters
005D2A60  |.  8D45 80       lea eax,[local.32]
005D2A63  |.  8D95 64FFFFFF lea edx,[local.39]
005D2A69  |.  E8 02B7FCFF   call <Protecte.MD5Hex2Ustr>
005D2A6E  |.  8B85 64FFFFFF mov eax,[local.39]
005D2A74  |.  8D95 68FFFFFF lea edx,[local.38]
005D2A7A  |.  E8 45A1E8FF   call <Protecte._Unit13_UpperCase>
005D2A7F  |.  8B95 68FFFFFF mov edx,[local.38]
005D2A85  |.  8D85 6CFFFFFF lea eax,[local.37]
005D2A8B  |.  E8 D83EE3FF   call <Protecte.System_@WStrFromUStr>
005D2A90  |.  8B85 6CFFFFFF mov eax,[local.37]
005D2A96  |.  8D8D 70FFFFFF lea ecx,[local.36]
005D2A9C  |.  BA 04000000   mov edx,0x4
005D2AA1  |.  E8 EA87E8FF   call <Protecte.RightStr>
005D2AA6  |.  8B95 70FFFFFF mov edx,[local.36]
005D2AAC  |.  8D85 74FFFFFF lea eax,[local.35]
005D2AB2  |.  B9 00000000   mov ecx,0x0
005D2AB7  |.  E8 5C30E3FF   call <Protecte.System_@LStrFromWStr>
005D2ABC  |.  8B85 74FFFFFF mov eax,[local.35]
005D2AC2  |.  8D55 80       lea edx,[local.32]
005D2AC5  |.  E8 0EB6FCFF   call <Protecte.calcMD5>//compute the MD5 of the right 4 of the MD5 of the left 4 of the right 11 characters....getting a bit convoluted
005D2ACA  |.  8D45 80       lea eax,[local.32]
005D2ACD  |.  8D95 78FFFFFF lea edx,[local.34]
005D2AD3  |.  E8 98B6FCFF   call <Protecte.MD5Hex2Ustr>
005D2AD8  |.  8B95 78FFFFFF mov edx,[local.34]
005D2ADE  |.  58            pop eax
005D2ADF  |.  E8 1443E3FF   call <Protecte.j_@UStrCmp>//compare the MD5 values computed above... put another way: key[0-3]_md5, key[9-12]_md5_r4_md5
005D2AE4  |.  0F85 18030000 jnz Protecte.005D2E02
005D2AEA  |.  FF75 EC       push [local.5]
005D2AED  |.  FF75 F0       push [local.4]
005D2AF0  |.  FF75 F8       push [local.2]
005D2AF3  |.  FF75 F4       push [local.3]
005D2AF6  |.  FF75 FC       push [local.1]
005D2AF9  |.  8D45 FC       lea eax,[local.1]
005D2AFC  |.  BA 05000000   mov edx,0x5
005D2B01  |.  E8 4A41E3FF   call <Protecte.System_@UStrCatN>
005D2B06  |.  B8 01000000   mov eax,0x1
005D2B0B  |>  8B55 FC       /mov edx,[local.1]
005D2B0E  |.  0FB75442 FE   |movzx edx,word ptr ds:[edx+eax*2-0x2]
005D2B13  |.  83C2 D0       |add edx,-0x30
005D2B16  |.  66:83EA 0A    |sub dx,0xA
005D2B1A  |.  72 0D         |jb short Protecte.005D2B29
005D2B1C  |.  83C2 F9       |add edx,-0x7
005D2B1F  |.  66:83EA 09    |sub dx,0x9
005D2B23  |.  0F83 D9020000 |jnb Protecte.005D2E02
005D2B29  |>  40            |inc eax
005D2B2A  |.  83F8 15       |cmp eax,0x15 //this small loop is the same as the one above. It restricts the range
005D2B2D  |.^ 75 DC         \jnz short Protecte.005D2B0B
005D2B2F  |.  8D85 58FFFFFF lea eax,[local.42]
005D2B35  |.  8B55 FC       mov edx,[local.1]
005D2B38  |.  E8 2B3EE3FF   call <Protecte.System_@WStrFromUStr>
005D2B3D  |.  8B85 58FFFFFF mov eax,[local.42]
005D2B43  |.  8D8D 5CFFFFFF lea ecx,[local.41]
005D2B49  |.  BA 04000000   mov edx,0x4
005D2B4E  |.  E8 2187E8FF   call <Protecte._Unit13_LeftStr> //okay, extracting again: left 4 characters
005D2B53  |.  8B95 5CFFFFFF mov edx,[local.41]
005D2B59  |.  8D45 EC       lea eax,[local.5]
005D2B5C  |.  E8 F33DE3FF   call <Protecte.System_@UStrFromWStr>
005D2B61  |.  8D85 50FFFFFF lea eax,[local.44]
005D2B67  |.  8B55 FC       mov edx,[local.1]
005D2B6A  |.  E8 F93DE3FF   call <Protecte.System_@WStrFromUStr>
005D2B6F  |.  8B85 50FFFFFF mov eax,[local.44]
005D2B75  |.  8D8D 54FFFFFF lea ecx,[local.43]
005D2B7B  |.  BA 10000000   mov edx,0x10
005D2B80  |.  E8 0B87E8FF   call <Protecte.RightStr> //right 16 characters
005D2B85  |.  8B95 54FFFFFF mov edx,[local.43]
005D2B8B  |.  8D45 FC       lea eax,[local.1]
005D2B8E  |.  E8 C13DE3FF   call <Protecte.System_@UStrFromWStr>
005D2B93  |.  8D85 48FFFFFF lea eax,[local.46]
005D2B99  |.  8B55 FC       mov edx,[local.1]
005D2B9C  |.  E8 C73DE3FF   call <Protecte.System_@WStrFromUStr>
005D2BA1  |.  8B85 48FFFFFF mov eax,[local.46]
005D2BA7  |.  8D8D 4CFFFFFF lea ecx,[local.45]
005D2BAD  |.  BA 05000000   mov edx,0x5
005D2BB2  |.  E8 BD86E8FF   call <Protecte._Unit13_LeftStr> //left 5 of the right 16 characters
005D2BB7  |.  8B95 4CFFFFFF mov edx,[local.45]
005D2BBD  |.  8D45 F0       lea eax,[local.4]
005D2BC0  |.  E8 8F3DE3FF   call <Protecte.System_@UStrFromWStr>
005D2BC5  |.  8D85 40FFFFFF lea eax,[local.48]
005D2BCB  |.  8B55 FC       mov edx,[local.1]
005D2BCE  |.  E8 953DE3FF   call <Protecte.System_@WStrFromUStr>
005D2BD3  |.  8B85 40FFFFFF mov eax,[local.48]
005D2BD9  |.  8D8D 44FFFFFF lea ecx,[local.47]
005D2BDF  |.  BA 0B000000   mov edx,0xB
005D2BE4  |.  E8 A786E8FF   call <Protecte.RightStr> //right 11 characters
005D2BE9  |.  8B95 44FFFFFF mov edx,[local.47]
005D2BEF  |.  8D45 FC       lea eax,[local.1]
005D2BF2  |.  E8 5D3DE3FF   call <Protecte.System_@UStrFromWStr>
005D2BF7  |.  8D85 38FFFFFF lea eax,[local.50]
005D2BFD  |.  8B55 FC       mov edx,[local.1]
005D2C00  |.  E8 633DE3FF   call <Protecte.System_@WStrFromUStr>
005D2C05  |.  8B85 38FFFFFF mov eax,[local.50]
005D2C0B  |.  8D8D 3CFFFFFF lea ecx,[local.49]
005D2C11  |.  BA 04000000   mov edx,0x4
005D2C16  |.  E8 5986E8FF   call <Protecte._Unit13_LeftStr> //left 4 of the right 11 characters
005D2C1B  |.  8B95 3CFFFFFF mov edx,[local.49]
005D2C21  |.  8D45 F8       lea eax,[local.2]
005D2C24  |.  E8 2B3DE3FF   call <Protecte.System_@UStrFromWStr>
005D2C29  |.  8D85 30FFFFFF lea eax,[local.52]
005D2C2F  |.  8B55 FC       mov edx,[local.1]
005D2C32  |.  E8 313DE3FF   call <Protecte.System_@WStrFromUStr>
005D2C37  |.  8B85 30FFFFFF mov eax,[local.52]
005D2C3D  |.  8D8D 34FFFFFF lea ecx,[local.51]
005D2C43  |.  BA 07000000   mov edx,0x7
005D2C48  |.  E8 4386E8FF   call <Protecte.RightStr> //right 7 characters
005D2C4D  |.  8B95 34FFFFFF mov edx,[local.51]
005D2C53  |.  8D45 FC       lea eax,[local.1]
005D2C56  |.  E8 F93CE3FF   call <Protecte.System_@UStrFromWStr>
005D2C5B  |.  8D85 28FFFFFF lea eax,[local.54]
005D2C61  |.  8B55 FC       mov edx,[local.1]
005D2C64  |.  E8 FF3CE3FF   call <Protecte.System_@WStrFromUStr>
005D2C69  |.  8B85 28FFFFFF mov eax,[local.54]
005D2C6F  |.  8D8D 2CFFFFFF lea ecx,[local.53]
005D2C75  |.  BA 05000000   mov edx,0x5
005D2C7A  |.  E8 F585E8FF   call <Protecte._Unit13_LeftStr>//left 5 of the right 7 characters
005D2C7F  |.  8B95 2CFFFFFF mov edx,[local.53]
005D2C85  |.  8D45 F4       lea eax,[local.3]
005D2C88  |.  E8 C73CE3FF   call <Protecte.System_@UStrFromWStr>
005D2C8D  |.  8D85 20FFFFFF lea eax,[local.56]
005D2C93  |.  8B55 FC       mov edx,[local.1]
005D2C96  |.  E8 CD3CE3FF   call <Protecte.System_@WStrFromUStr>
005D2C9B  |.  8B85 20FFFFFF mov eax,[local.56]
005D2CA1  |.  8D8D 24FFFFFF lea ecx,[local.55]
005D2CA7  |.  BA 02000000   mov edx,0x2
005D2CAC  |.  E8 DF85E8FF   call <Protecte.RightStr> //right 2 characters
005D2CB1  |.  8B95 24FFFFFF mov edx,[local.55]
005D2CB7  |.  8D45 FC       lea eax,[local.1]
005D2CBA  |.  E8 953CE3FF   call <Protecte.System_@UStrFromWStr>
005D2CBF  |.  8D85 10FFFFFF lea eax,[local.60]
005D2CC5  |.  8B55 F0       mov edx,[local.4]
005D2CC8  |.  B9 00000000   mov ecx,0x0
005D2CCD  |.  E8 5E3CE3FF   call <Protecte.System_@LStrFromUStr>
005D2CD2  |.  8B85 10FFFFFF mov eax,[local.60]
005D2CD8  |.  8D55 80       lea edx,[local.32]
005D2CDB  |.  E8 F8B3FCFF   call <Protecte.calcMD5> //compute the MD5 of the left 5 of the right 16 characters
005D2CE0  |.  8D45 80       lea eax,[local.32]
005D2CE3  |.  8D95 14FFFFFF lea edx,[local.59]
005D2CE9  |.  E8 82B4FCFF   call <Protecte.MD5Hex2Ustr>
005D2CEE  |.  8B95 14FFFFFF mov edx,[local.59]
005D2CF4  |.  8D85 18FFFFFF lea eax,[local.58]
005D2CFA  |.  B9 00000000   mov ecx,0x0
005D2CFF  |.  E8 2C3CE3FF   call <Protecte.System_@LStrFromUStr>
005D2D04  |.  8B85 18FFFFFF mov eax,[local.58]
005D2D0A  |.  8D55 80       lea edx,[local.32]
005D2D0D  |.  E8 C6B3FCFF   call <Protecte.calcMD5>//compute the MD5 of the MD5 of the left 5 of the right 16 characters
005D2D12  |.  8D45 80       lea eax,[local.32]
005D2D15  |.  8D95 1CFFFFFF lea edx,[local.57]
005D2D1B  |.  E8 50B4FCFF   call <Protecte.MD5Hex2Ustr>
005D2D20  |.  8B85 1CFFFFFF mov eax,[local.57]
005D2D26  |.  50            push eax
005D2D27  |.  8D85 ECFEFFFF lea eax,[local.69]
005D2D2D  |.  8B55 F4       mov edx,[local.3]
005D2D30  |.  B9 00000000   mov ecx,0x0
005D2D35  |.  E8 F63BE3FF   call <Protecte.System_@LStrFromUStr>
005D2D3A  |.  8B85 ECFEFFFF mov eax,[local.69]
005D2D40  |.  8D55 80       lea edx,[local.32]
005D2D43  |.  E8 90B3FCFF   call <Protecte.calcMD5> //compute the MD5 of the left 5 of the right 7 characters
005D2D48  |.  8D45 80       lea eax,[local.32]
005D2D4B  |.  8D95 F0FEFFFF lea edx,[local.68]
005D2D51  |.  E8 1AB4FCFF   call <Protecte.MD5Hex2Ustr>
005D2D56  |.  8B85 F0FEFFFF mov eax,[local.68]
005D2D5C  |.  8D95 F4FEFFFF lea edx,[local.67]
005D2D62  |.  E8 5D9EE8FF   call <Protecte._Unit13_UpperCase>
005D2D67  |.  8B95 F4FEFFFF mov edx,[local.67]
005D2D6D  |.  8D85 F8FEFFFF lea eax,[local.66]
005D2D73  |.  E8 F03BE3FF   call <Protecte.System_@WStrFromUStr>
005D2D78  |.  8B85 F8FEFFFF mov eax,[local.66]
005D2D7E  |.  8D8D FCFEFFFF lea ecx,[local.65]
005D2D84  |.  BA 05000000   mov edx,0x5
005D2D89  |.  E8 E684E8FF   call <Protecte._Unit13_LeftStr>//take the left 5 of the MD5 of the left 5 of the right 7 characters
005D2D8E  |.  8B95 FCFEFFFF mov edx,[local.65]
005D2D94  |.  8D85 00FFFFFF lea eax,[local.64]
005D2D9A  |.  B9 00000000   mov ecx,0x0
005D2D9F  |.  E8 742DE3FF   call <Protecte.System_@LStrFromWStr>
005D2DA4  |.  8B85 00FFFFFF mov eax,[local.64]
005D2DAA  |.  8D55 80       lea edx,[local.32]
005D2DAD  |.  E8 26B3FCFF   call <Protecte.calcMD5>//compute the MD5 of the left 5 of the MD5 of the left 5 of the right 7 characters
005D2DB2  |.  8D45 80       lea eax,[local.32]
005D2DB5  |.  8D95 04FFFFFF lea edx,[local.63]
005D2DBB  |.  E8 B0B3FCFF   call <Protecte.MD5Hex2Ustr>
005D2DC0  |.  8B95 04FFFFFF mov edx,[local.63]
005D2DC6  |.  8D85 08FFFFFF lea eax,[local.62]
005D2DCC  |.  B9 00000000   mov ecx,0x0
005D2DD1  |.  E8 5A3BE3FF   call <Protecte.System_@LStrFromUStr>
005D2DD6  |.  8B85 08FFFFFF mov eax,[local.62]
005D2DDC  |.  8D55 80       lea edx,[local.32]
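005D2DDF  |.  E8 F4B2FCFF   call <Protecte.calcMD5> //compute the MD5 of the MD5 of the left 5 of the MD5 of the left 5 of the right 7 characters....even I get dizzy looking at it
005D2DE4  |.  8D45 80       lea eax,[local.32]          //simplified, that is key_r7_L5_md5_L5_md5_md5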
005D2DE7  |.  8D95 0CFFFFFF lea edx,[local.61]
005D2DED  |.  E8 7EB3FCFF   call <Protecte.MD5Hex2Ustr>
005D2DF2  |.  8B95 0CFFFFFF mov edx,[local.61]
005D2DF8  |.  58            pop eax
005D2DF9  |.  E8 FA3FE3FF   call <Protecte.j_@UStrCmp>//compare the MD5 values computed above, i.e. key[4-8]_MD5_MD5 against key[13-17]_MD5_L5_MD5_MD5
005D2DFE  |.  75 02         jnz short Protecte.005D2E02
005D2E00  |.  B3 01         mov bl,0x1
005D2E02  |>  33C0          xor eax,eax //if they are not equal, the return value is set to 0...
005D2E04  |.  5A            pop edx
005D2E05  |.  59            pop ecx
005D2E06  |.  59            pop ecx
005D2E07  |.  64:8910       mov dword ptr fs:[eax],edx
005D2E0A  |.  68 1B2F5D00   push Protecte.005D2F1B
005D2E0F  |>  8D85 ECFEFFFF lea eax,[local.69]
005D2E15  |.  E8 8A29E3FF   call <Protecte.System_@LStrClr>
005D2E1A  |.  8D85 F0FEFFFF lea eax,[local.68]
005D2E20  |.  BA 02000000   mov edx,0x2
005D2E25  |.  E8 BA38E3FF   call <Protecte.j_@LStrArrayClr>
005D2E2A  |.  8D85 F8FEFFFF lea eax,[local.66]
005D2E30  |.  BA 02000000   mov edx,0x2
005D2E35  |.  E8 6A34E3FF   call <Protecte.System_@WStrArrayClr>
005D2E3A  |.  8D85 00FFFFFF lea eax,[local.64]
005D2E40  |.  E8 5F29E3FF   call <Protecte.System_@LStrClr>
005D2E45  |.  8D85 04FFFFFF lea eax,[local.63]
005D2E4B  |.  E8 8C38E3FF   call <Protecte.j_System_@LStrClr>
005D2E50  |.  8D85 08FFFFFF lea eax,[local.62]
005D2E56  |.  E8 4929E3FF   call <Protecte.System_@LStrClr>
005D2E5B  |.  8D85 0CFFFFFF lea eax,[local.61]
005D2E61  |.  E8 7638E3FF   call <Protecte.j_System_@LStrClr>
005D2E66  |.  8D85 10FFFFFF lea eax,[local.60]
005D2E6C  |.  E8 3329E3FF   call <Protecte.System_@LStrClr>
005D2E71  |.  8D85 14FFFFFF lea eax,[local.59]
005D2E77  |.  E8 6038E3FF   call <Protecte.j_System_@LStrClr>
005D2E7C  |.  8D85 18FFFFFF lea eax,[local.58]
005D2E82  |.  E8 1D29E3FF   call <Protecte.System_@LStrClr>
005D2E87  |.  8D85 1CFFFFFF lea eax,[local.57]
005D2E8D  |.  E8 4A38E3FF   call <Protecte.j_System_@LStrClr>
005D2E92  |.  8D85 20FFFFFF lea eax,[local.56]
005D2E98  |.  BA 10000000   mov edx,0x10
005D2E9D  |.  E8 0234E3FF   call <Protecte.System_@WStrArrayClr>
005D2EA2  |.  8D85 60FFFFFF lea eax,[local.40]
005D2EA8  |.  E8 F728E3FF   call <Protecte.System_@LStrClr>
005D2EAD  |.  8D85 64FFFFFF lea eax,[local.39]
005D2EB3  |.  BA 02000000   mov edx,0x2
005D2EB8  |.  E8 2738E3FF   call <Protecte.j_@LStrArrayClr>
005D2EBD  |.  8D85 6CFFFFFF lea eax,[local.37]
005D2EC3  |.  BA 02000000   mov edx,0x2
005D2EC8  |.  E8 D733E3FF   call <Protecte.System_@WStrArrayClr>
005D2ECD  |.  8D85 74FFFFFF lea eax,[local.35]
005D2ED3  |.  E8 CC28E3FF   call <Protecte.System_@LStrClr>
005D2ED8  |.  8D85 78FFFFFF lea eax,[local.34]
005D2EDE  |.  E8 F937E3FF   call <Protecte.j_System_@LStrClr>
005D2EE3  |.  8D85 7CFFFFFF lea eax,[local.33]
005D2EE9  |.  E8 B628E3FF   call <Protecte.System_@LStrClr>
005D2EEE  |.  8D45 90       lea eax,[local.28]
005D2EF1  |.  E8 E637E3FF   call <Protecte.j_System_@LStrClr>
005D2EF6  |.  8D45 94       lea eax,[local.27]
005D2EF9  |.  BA 10000000   mov edx,0x10
005D2EFE  |.  E8 A133E3FF   call <Protecte.System_@WStrArrayClr>
005D2F03  |.  8D45 D4       lea eax,[local.11]
005D2F06  |.  BA 0B000000   mov edx,0xB
005D2F0B  |.  E8 D437E3FF   call <Protecte.j_@LStrArrayClr>
005D2F10  \.  C3            retn
005D2F11   .^ E9 B21EE3FF   jmp <Protecte.@HandleFinally>
005D2F16   .^ E9 F4FEFFFF   jmp Protecte.005D2E0F
005D2F1B   .  8BC3          mov eax,ebx // the return value is in ebx
005D2F1D   .  5B            pop ebx
005D2F1E   .  8BE5          mov esp,ebp
005D2F20   .  5D            pop ebp
005D2F21   .  C3            retn

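Putting the analysis above together, the requirements on the registration code are: characters in the range 0-9, A-F, and
key[0-3]_md5 == key[9-12]_md5_r4_md5
key[4-8]_MD5_MD5 == key[13-17]_MD5_L5_MD5_MD5
which obviously means key[0-3]=key[9-12]_md5_r4 and key[4-8]=key[13-17]_MD5_L5.

So this local registration algorithm is quite simple. I wrote a C++ version for reference:
[C++]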
class KeyMaker
{
public:

    KeyMaker::KeyMaker(const char* keyset="0123456789abcdeflo")
    {
        keyset_.assign(keyset);
        generator_ = nullptr;
        distribution_ = nullptr;
    }

    KeyMaker::~KeyMaker()
    {
    }
    std::string operator()()
    {
        if (distribution_ != nullptr)
            delete distribution_;
        if (generator_ != nullptr)
            delete generator_;
        distribution_ = new std::uniform_int_distribution<int>(0, keyset_.length() - 1);
        seed_ = std::chrono::system_clock::now().time_since_epoch().count();
        generator_ = new std::default_random_engine(seed_);
        makeKey();
        return rawkey_;
    }
private:
    void makeKey()
    {
        randomKey();
        kcer.prepare(key_[2]);
        kcer.prepare(key_[3]);
        kcer.upperStr(key_[2]);
        key_[0] = hasher(key_[2].c_str(), "md5");
        key_[0] = key_[0].substr(key_[0].length() - 4, 4);
        kcer.upperStr(key_[3]);
        key_[1] = hasher(key_[3].c_str(), "md5");
        key_[1] = key_[1].substr(0, 5);
        rawkey_.insert(0, key_[1]);
        rawkey_.insert(0, key_[0]);
        kcer.lowerStr(rawkey_);
        decorate();

    }
    char randomC()
    {
        return keyset_[(*distribution_)(*generator_)];
    }
    void randomKey()
    {
        for (int i = 0; i < 4; ++i)
        {
                key_[2] += randomC();
        }
        for (int i = 0; i < 5; ++i)
        {
            key_[3] += randomC();
        }
        key_[4] += randomC();
        key_[4] += randomC();
        rawkey_ = key_[2] + key_[3] + key_[4];
    }
    void decorate()
    {
        for (size_t i = 1; i < rawkey_.length()/5; i++)
        {
            rawkey_.insert(i * 5 + i - 1, "-");
        }
    }
private:
    std::string keyset_;
    std::string key_[5];
    std::string rawkey_;
    unsigned int seed_;
    std::default_random_engine *generator_;
    std::uniform_int_distribution<int> *distribution_;
    HASH hasher;
    KeyChecker kcer; // class that reproduces the software's algorithm
};


I also reconstructed the software's algorithm and wrote it as a class:
[C++]
class KeyChecker
{
public:
    KeyChecker::KeyChecker()
    {
    }
    KeyChecker::~KeyChecker()
    {
    }
    void upperStr(std::string &str)
    {
        for (size_t i = 0; i < str.length(); i++)
        {
            str[i] = toupper(str[i]);
        }

    }
    void lowerStr(std::string &str)
    {
        for (size_t i = 0; i < str.length(); i++)
        {
            str[i] = tolower(str[i]);
        }
    }
    bool operator()(const char* kstr)
    {
        std::string edata(kstr);
        prepare(edata);
        key[0] = edata.substr(0, 4);
        key[2] = edata.substr(9, 4);
        key[1] = edata.substr(4, 5);
        key[3] = edata.substr(13, 5);
        makeK1();
        makeK2();
        makeK3();
        makeK4();
        printKeys();
        return key[0] == key[2] && key[1] == key[3];
    }
    void prepare(std::string& str)
    {
        lowerStr(str);
        replaceKc(str, "-", "");
        replaceKc(str, "o", "0");
        replaceKc(str, "l", "1");
        replaceKc(str, " ", "");
    }
private:

    
    void replaceKc(std::string& str, std::string oldpat, std::string newpat)
    {
        while (str.find(oldpat) != std::string::npos)
        {
            str.replace(str.find(oldpat), oldpat.length(), newpat);
        }
    }
    void makeK1()
    {
        upperStr(key[0]);
        key[0] = hashfunc(key[0].c_str(), "md5");
    }
    void makeK2()
    {
        upperStr(key[1]);
        key[1] = hashfunc(key[1].c_str(), "md5");
        key[1] = hashfunc(key[1].c_str(), "md5");
    }
    void makeK3()
    {
        upperStr(key[2]);
        key[2] = hashfunc(key[2].c_str(), "md5");
        key[2] = key[2].substr(key[2].length() - 4, 4);
        upperStr(key[2]);
        key[2] = hashfunc(key[2].c_str(), "md5");
    }
    void makeK4()
    {
        upperStr(key[3]);
        key[3] = hashfunc(key[3].c_str(), "md5");
        key[3] = key[3].substr(0, 5);
        upperStr(key[3]);
        key[3] = hashfunc(key[3].c_str(), "md5");
        key[3] = hashfunc(key[3].c_str(), "md5");
    }
    void printKeys()
    {
        printf("%s == %s &&\n%s == %s\n", key[0].c_str(), key[2].c_str(), key[1].c_str(), key[3].c_str());
    }

private:
    HASH hashfunc; // class used to compute MD5; not released here
    std::string key[4];
};

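That completes the analysis of Part 1, the local validation algorithm.

Part 2: Analysis of the network validation logic.
After returning from call <Protecte.regkeyValidate>, if the local validation succeeded: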
005D0E92   .  E8 39180000   call <Protecte.regkeyValidate>
005D0E97   .  84C0          test al,al
005D0E99   .  0F85 D5000000 jnz Protecte.005D0F74 // jumps if local validation succeeded
005D0E9F   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
...............................
It jumps here:
[Asm]
005D0F74   > \8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F7A   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0F80   .  BA FFFFFF00   mov edx,0xFFFFFF
005D0F85   .  E8 52F3F0FF   call <Protecte.TControl_SetColor>
005D0F8A   .  8D85 24FFFFFF lea eax,dword ptr ss:[ebp-0xDC]
005D0F90   .  BA 681D5D00   mov edx,<Protecte.aMmDdYyyyHhMm_2>           ;  UNICODE "mm/dd/yyyy hh:mm:ss"
005D0F95   .  E8 A657E3FF   call <Protecte.@UStrLAsg>
005D0F9A   .  66:C785 18FFF>mov word ptr ss:[ebp-0xE8],0x2F
005D0FA3   .  66:C785 1AFFF>mov word ptr ss:[ebp-0xE6],0x3A
005D0FAC   .  8D55 F8       lea edx,dword ptr ss:[ebp-0x8]
005D0FAF   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0FB5   .  8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0FBB   .  E8 64F1F0FF   call <Protecte.TControl_GetText>
005D0FC0   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
005D0FC6   .  8B45 F8       mov eax,dword ptr ss:[ebp-0x8]
005D0FC9   .  E8 F6BBE8FF   call <Protecte._Unit13_UpperCase>
005D0FCE   .  8B95 F8FEFFFF mov edx,dword ptr ss:[ebp-0x108]
005D0FD4   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
005D0FD7   .  E8 6457E3FF   call <Protecte.@UStrLAsg>
005D0FDC   .  0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D0FE3   .  50            push eax
005D0FE4   .  8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-0x10C]
005D0FEA   .  50            push eax
005D0FEB   .  B9 A01D5D00   mov ecx,<Protecte.char_0_>
005D0FF0   .  BA B01D5D00   mov edx,<Protecte.char_O_>
005D0FF5   .  8B45 F8       mov eax,dword ptr ss:[ebp-0x8]
005D0FF8   .  E8 3F56E9FF   call <Protecte.StringReplace> // replace O with 0
005D0FFD   .  8B95 F4FEFFFF mov edx,dword ptr ss:[ebp-0x10C]
005D1003   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
005D1006   .  E8 3557E3FF   call <Protecte.@UStrLAsg>
005D100B   .  0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D1012   .  50            push eax
005D1013   .  8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-0x110]
005D1019   .  50            push eax
005D101A   .  B9 C01D5D00   mov ecx,<Protecte.char_1_>
005D101F   .  BA D01D5D00   mov edx,<Protecte.char_L_>
005D1024   .  8B45 F8       mov eax,dword ptr ss:[ebp-0x8]
005D1027   .  E8 1056E9FF   call <Protecte.StringReplace> // replace L with 1
005D102C   .  8B95 F0FEFFFF mov edx,dword ptr ss:[ebp-0x110]
005D1032   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
005D1035   .  E8 0657E3FF   call <Protecte.@UStrLAsg>
005D103A   .  0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D1041   .  50            push eax
005D1042   .  8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
005D1048   .  50            push eax
005D1049   .  33C9          xor ecx,ecx
005D104B   .  BA E01D5D00   mov edx,<Protecte.char_space_>
005D1050   .  8B45 F8       mov eax,dword ptr ss:[ebp-0x8]
005D1053   .  E8 E455E9FF   call <Protecte.StringReplace> // strip spaces
005D1058   .  8B95 ECFEFFFF mov edx,dword ptr ss:[ebp-0x114]
005D105E   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
005D1061   .  E8 DA56E3FF   call <Protecte.@UStrLAsg>
005D1066   .  0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D106D   .  50            push eax
005D106E   .  8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-0x118]
005D1074   .  50            push eax
005D1075   .  33C9          xor ecx,ecx
005D1077   .  BA F01D5D00   mov edx,<Protecte.wchar_0_>
005D107C   .  8B45 F8       mov eax,dword ptr ss:[ebp-0x8]
005D107F   .  E8 B855E9FF   call <Protecte.StringReplace>
005D1084   .  8B95 E8FEFFFF mov edx,dword ptr ss:[ebp-0x118]
005D108A   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
005D108D   .  E8 AE56E3FF   call <Protecte.@UStrLAsg>
005D1092   .  B8 CC965F00   mov eax,Protecte.005F96CC
005D1097   .  8B55 F8       mov edx,dword ptr ss:[ebp-0x8]
005D109A   .  E8 4D56E3FF   call <Protecte.@UStrAsg>
005D109F   .  B8 D0965F00   mov eax,Protecte.005F96D0
005D10A4   .  BA 001E5D00   mov edx,<Protecte.aNA>                       ;  UNICODE "N/A"
005D10A9   .  E8 3E56E3FF   call <Protecte.@UStrAsg>
005D10AE   .  B8 D4965F00   mov eax,Protecte.005F96D4
005D10B3   .  33D2          xor edx,edx
005D10B5   .  E8 3256E3FF   call <Protecte.@UStrAsg>
005D10BA   .  B8 DC965F00   mov eax,Protecte.005F96DC
005D10BF   .  BA 001E5D00   mov edx,<Protecte.aNA>                       ;  UNICODE "N/A"
005D10C4   .  E8 2356E3FF   call <Protecte.@UStrAsg>
005D10C9   .  B8 E0965F00   mov eax,Protecte.005F96E0
005D10CE   .  BA C01D5D00   mov edx,<Protecte.char_1_>
005D10D3   .  E8 1456E3FF   call <Protecte.@UStrAsg>
005D10D8   .  C605 E4965F00>mov byte ptr ds:[0x5F96E4],0x0
005D10DF   .  C605 D8965F00>mov byte ptr ds:[0x5F96D8],0x0
005D10E6   .  E8 F1FEE8FF   call <Protecte.Now> // get the current time
005D10EB   .  83C4 F8       add esp,-0x8                                 ; /
005D10EE   .  DD1C24        fstp qword ptr ss:[esp]                      ; |Arg1 (8-byte)
005D10F1   .  9B            wait                                         ; |
005D10F2   .  8D8D E4FEFFFF lea ecx,dword ptr ss:[ebp-0x11C]             ; |
005D10F8   .  8D95 10FFFFFF lea edx,dword ptr ss:[ebp-0xF0]              ; |
005D10FE   .  B8 681D5D00   mov eax,<Protecte.aMmDdYyyyHhMm_2>           ; |UNICODE "mm/dd/yyyy hh:mm:ss"
005D1103   .  E8 7019E9FF   call <Protecte.formatTime>                   ; \formatTime
005D1108   .  8B95 E4FEFFFF mov edx,dword ptr ss:[ebp-0x11C]
005D110E   .  B8 E8965F00   mov eax,Protecte.005F96E8
005D1113   .  E8 D455E3FF   call <Protecte.@UStrAsg>
005D1118   .  B8 EC965F00   mov eax,Protecte.005F96EC
005D111D   .  33D2          xor edx,edx
005D111F   .  E8 C855E3FF   call <Protecte.@UStrAsg>
005D1124   .  A1 54075F00   mov eax,dword ptr ds:[0x5F0754]
005D1129   .  8B00          mov eax,dword ptr ds:[eax]
005D112B   .  E8 FC09F3FF   call <Protecte.Forms_TApplication_ProcessMes>
005D1130   .  8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-0x120]
005D1136   .  E8 75ECFFFF   call <Protecte.getCPUIDStr> // this one is interesting: analysis shows it fetches part of the CPUID data
005D113B   .  8B85 E0FEFFFF mov eax,dword ptr ss:[ebp-0x120]
005D1141   .  8D55 F0       lea edx,dword ptr ss:[ebp-0x10]
005D1144   .  E8 6FC0E8FF   call <Protecte._Unit13_Trim>
005D1149   .  8D85 DCFEFFFF lea eax,dword ptr ss:[ebp-0x124]
005D114F   .  E8 4CF4FCFF   call <Protecte.ZLIBArchiveGlobals2_sub_005A0>
005D1154   .  8B85 DCFEFFFF mov eax,dword ptr ss:[ebp-0x124]
005D115A   .  8D55 EC       lea edx,dword ptr ss:[ebp-0x14]
005D115D   .  E8 56C0E8FF   call <Protecte._Unit13_Trim>
005D1162   .  837D F0 00    cmp dword ptr ss:[ebp-0x10],0x0
005D1166   .  75 0D         jnz short Protecte.005D1175
005D1168   .  8D45 F0       lea eax,dword ptr ss:[ebp-0x10]
005D116B   .  BA 141E5D00   mov edx,<Protecte.aNone_0>                   ;  UNICODE "None"
005D1170   .  E8 CB55E3FF   call <Protecte.@UStrLAsg>
005D1175   >  837D EC 00    cmp dword ptr ss:[ebp-0x14],0x0
005D1179   .  75 0D         jnz short Protecte.005D1188
005D117B   .  8D45 EC       lea eax,dword ptr ss:[ebp-0x14]
005D117E   .  BA 141E5D00   mov edx,<Protecte.aNone_0>                   ;  UNICODE "None"
005D1183   .  E8 B855E3FF   call <Protecte.@UStrLAsg>
005D1188   >  8D45 F4       lea eax,dword ptr ss:[ebp-0xC]
005D118B   .  8B4D F8       mov ecx,dword ptr ss:[ebp-0x8]
005D118E   .  BA 2C1E5D00   mov edx,<Protecte.aCode_0>                   ;  UNICODE "Code="
005D1193   .  E8 E859E3FF   call <Protecte.System_@UStrCat3>
005D1198   .  FF75 F4       push dword ptr ss:[ebp-0xC]
005D119B   .  68 441E5D00   push <Protecte.CPU>                          ;  UNICODE "&CPU="
005D11A0   .  FF75 F0       push dword ptr ss:[ebp-0x10]
005D11A3   .  68 5C1E5D00   push <Protecte.DISK>                         ;  UNICODE "&Disk=" // want to know where this comes from?
005D11A8   .  FF75 EC       push dword ptr ss:[ebp-0x14]
005D11AB   .  68 781E5D00   push <Protecte.Ver>                          ;  UNICODE "&Ver=100"
005D11B0   .  8D45 F4       lea eax,dword ptr ss:[ebp-0xC]
005D11B3   .  BA 06000000   mov edx,0x6
005D11B8   .  E8 935AE3FF   call <Protecte.System_@UStrCatN>
005D11BD   .  B2 01         mov dl,0x1
005D11BF   .  A1 88424700   mov eax,dword ptr ds:[0x474288]
005D11C4   .  E8 6F90EAFF   call <Protecte.Classes_TStringList_Create>
005D11C9   .  8985 08FFFFFF mov dword ptr ss:[ebp-0xF8],eax
005D11CF   .  8B55 F4       mov edx,dword ptr ss:[ebp-0xC]
005D11D2   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D11D8   .  E8 436FEAFF   call <Protecte.Classes_TStrings_Append>


The Disk value above is your hard disk's serial number. Where does it come from? I traced it briefly and found it inside
005D114F call <Protecte.ZLIBArchiveGlobals2_sub_005A0>, eventually arriving at the following:

[Asm]
005A013F   .  E8 1068E6FF   call <Protecte.System_@UStrFromWStr>
005A0144   .  8B55 B4       mov edx,dword ptr ss:[ebp-0x4C]
005A0147   .  B8 38045A00   mov eax,Protecte.005A0438                    ;  UNICODE "SELECT"
005A014C   .  E8 C76FE6FF   call <Protecte.Pos_0>
005A0151   .  48            dec eax
005A0152   .  75 23         jnz short Protecte.005A0177
005A0154   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
005A0157   .  E8 3488E6FF   call <Protecte.System_@IntfClear>
005A015C   .  50            push eax
005A015D   .  6A 00         push 0x0
005A015F   .  6A 10         push 0x10
005A0161   .  68 4C045A00   push Protecte.005A044C                       ;  UNICODE "WQL"
005A0166   .  53            push ebx
005A0167   .  8B45 FC       mov eax,dword ptr ss:[ebp-0x4]
005A016A   .  50            push eax
005A016B   .  8B00          mov eax,dword ptr ds:[eax]
005A016D   .  FF50 3C       call dword ptr ds:[eax+0x3C]
005A0170   .  E8 2B89E6FF   call <Protecte.System_@CheckAutoResult>
005A0175   .  EB 1C         jmp short Protecte.005A0193

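Ha, so it is queried with WQL (the query language of WMI). Windows ships with wbemtest.exe, a WQL test tool.
Running the query SELECT * FROM Win32_PhysicalMedia there shows the same result:
[Figure]

Continuing the analysis further down, we arrive at:
[Asm]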
005D1441   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D1447   .  8B80 98030000 mov eax,dword ptr ds:[eax+0x398]
005D144D   .  8B8D 08FFFFFF mov ecx,dword ptr ss:[ebp-0xF8]
005D1453   .  8B55 FC       mov edx,dword ptr ss:[ebp-0x4]
005D1456   .  E8 E59AF8FF   call <Protecte.IdHTTP_TIdCustomHTTP_Post> // POST the data; the address is http://pf.iobit.com/functions/check.php
005D145B   .  A1 54075F00   mov eax,dword ptr ds:[0x5F0754]
005D1460   .  8B00          mov eax,dword ptr ds:[eax]
005D1462   .  E8 C506F3FF   call <Protecte.Forms_TApplication_ProcessMessages>
005D1467   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D146D   .  8B10          mov edx,dword ptr ds:[eax]
005D146F   .  FF52 44       call dword ptr ds:[edx+0x44]
005D1472   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D1478   .  50            push eax
005D1479   .  8D95 B4FEFFFF lea edx,dword ptr ss:[ebp-0x14C]
005D147F   .  8B85 04FFFFFF mov eax,dword ptr ss:[ebp-0xFC]
005D1485   .  E8 7699EAFF   call <Protecte.Classes_TStringStream_GetDataString> // get the data returned by the server
005D148A   .  8B85 B4FEFFFF mov eax,dword ptr ss:[ebp-0x14C]
005D1490   .  E8 E352E3FF   call <Protecte.System_@UStrToPWChar>
005D1495   .  8BC8          mov ecx,eax
005D1497   .  BA 50205D00   mov edx,Protecte.005D2050
005D149C   .  B8 70205D00   mov eax,<Protecte.char_@>
005D14A1   .  E8 BA52EAFF   call <Protecte.ExtractStrings> // "unpack" the server data, which really just means splitting it, because the server returns data in the form XXX&XXX&XXX.
005D14A6   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D14AC   .  8B10          mov edx,dword ptr ds:[eax]
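005D14AE   .  FF52 14       call dword ptr ds:[edx+0x14] // this indirect call is Classes_TStringList_GetCount, i.e. the number of items obtained after splitting the data.
005D14B1   .  85C0          test eax,eax // there must be more than one item, otherwise the error prompt below is shown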
005D14B3   .  75 6A         jnz short Protecte.005D151F
005D14B5   .  6A 30         push 0x30
005D14B7   .  8D85 B0FEFFFF lea eax,dword ptr ss:[ebp-0x150]
005D14BD   .  50            push eax
005D14BE   .  A1 84055F00   mov eax,dword ptr ds:[0x5F0584]
005D14C3   .  8B00          mov eax,dword ptr ds:[eax]
005D14C5   .  B9 9C205D00   mov ecx,<Protecte.aActiveError>                        ;  UNICODE "Active Error"
005D14CA   .  BA C4205D00   mov edx,<Protecte.aAcerr>                              ;  UNICODE "acerr"
005D14CF   .  E8 3CC1FBFF   call <Protecte.PLabelNote_sub_0058D610>
005D14D4   .  8B85 B0FEFFFF mov eax,dword ptr ss:[ebp-0x150]
005D14DA   .  E8 9952E3FF   call <Protecte.System_@UStrToPWChar>
005D14DF   .  50            push eax
005D14E0   .  8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-0x154]
005D14E6   .  50            push eax
005D14E7   .  A1 84055F00   mov eax,dword ptr ds:[0x5F0584]
005D14EC   .  8B00          mov eax,dword ptr ds:[eax]
005D14EE   .  B9 DC205D00   mov ecx,<Protecte.aUnknownError>                       ;  UNICODE "Unknown Error!"
005D14F3   .  BA 08215D00   mov edx,<Protecte.aUnerr>                              ;  UNICODE "unerr"
005D14F8   .  E8 13C1FBFF   call <Protecte.PLabelNote_sub_0058D610>
005D14FD   .  8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-0x154]
005D1503   .  E8 7052E3FF   call <Protecte.System_@UStrToPWChar>
005D1508   .  50            push eax
005D1509   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D150F   .  E8 2475F1FF   call <Protecte.Controls_TWinControl_GetHandle>
005D1514   .  50            push eax                                               ; |hOwner
005D1515   .  E8 E28FE3FF   call <Protecte.MessageBoxW>                            ; \MessageBoxW
005D151A   .  E9 10060000   jmp Protecte.005D1B2F
005D151F   >  8D8D A8FEFFFF lea ecx,dword ptr ss:[ebp-0x158] // execution arrives here when the server returned more than one item
005D1525   .  33D2          xor edx,edx
005D1527   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D152D   .  8B18          mov ebx,dword ptr ds:[eax]
005D152F   .  FF53 0C       call dword ptr ds:[ebx+0xC] // this calls Classes_TStringList_Get; edx is the index of the item to fetch, here item 0
005D1532   .  8B85 A8FEFFFF mov eax,dword ptr ss:[ebp-0x158]
005D1538   .  BA A01D5D00   mov edx,<Protecte.char_0_>
005D153D   .  E8 B658E3FF   call <Protecte.j_@UStrCmp> // in other words, the response is only correct if its first item is 0.
005D1542   .  0F85 8D010000 jnz Protecte.005D16D5
005D1548   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D154E   .  8B10          mov edx,dword ptr ds:[eax]
005D1550   .  FF52 14       call dword ptr ds:[edx+0x14] // calls Classes_TStringList_GetCount, which returns the number of items
005D1553   .  83F8 05       cmp eax,0x5                     // must be 5 items
005D1556   .  0F85 79010000 jnz Protecte.005D16D5
005D155C   .  B8 CC965F00   mov eax,Protecte.005F96CC
005D1561   .  8B55 F8       mov edx,dword ptr ss:[ebp-0x8]
005D1564   .  E8 8351E3FF   call <Protecte.@UStrAsg>
005D1569   .  B8 D0965F00   mov eax,Protecte.005F96D0
005D156E   .  8B4D EC       mov ecx,dword ptr ss:[ebp-0x14]
005D1571   .  8B55 F0       mov edx,dword ptr ss:[ebp-0x10]
005D1574   .  E8 0756E3FF   call <Protecte.System_@UStrCat3>
005D1579   .  B8 D4965F00   mov eax,Protecte.005F96D4
005D157E   .  BA 20215D00   mov edx,<Protecte.aPro_0>                              ;  UNICODE "Pro"
005D1583   .  E8 6451E3FF   call <Protecte.@UStrAsg>
005D1588   .  8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-0x15C]

The data sent to the server, captured with Wireshark:
POST /functions/check.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Host: pf.iobit.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Code=22EAA-B9A86-4AC54-3FAAC&CPU=0003-06C3-BFEB-FBFF-7FFA-FBBF&Disk=J3390084J8V20D&Ver=100

Continuing the analysis:
[Asm]
005D158E   .  BA 01000000   mov edx,0x1
005D1593   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D1599   .  8B18          mov ebx,dword ptr ds:[eax]
005D159B   .  FF53 0C       call dword ptr ds:[ebx+0xC] // Classes_TStringList_Get; edx is the index of the item to fetch, here item 1
005D159E   .  8B95 A4FEFFFF mov edx,dword ptr ss:[ebp-0x15C]
005D15A4   .  B8 DC965F00   mov eax,Protecte.005F96DC
005D15A9   .  E8 3E51E3FF   call <Protecte.@UStrAsg>
005D15AE   .  8D8D A0FEFFFF lea ecx,dword ptr ss:[ebp-0x160]
005D15B4   .  BA 02000000   mov edx,0x2
005D15B9   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D15BF   .  8B18          mov ebx,dword ptr ds:[eax]
005D15C1   .  FF53 0C       call dword ptr ds:[ebx+0xC] // Classes_TStringList_Get; edx is the index of the item to fetch, here item 2
005D15C4   .  8B95 A0FEFFFF mov edx,dword ptr ss:[ebp-0x160]
005D15CA   .  B8 E0965F00   mov eax,Protecte.005F96E0
005D15CF   .  E8 1851E3FF   call <Protecte.@UStrAsg>
005D15D4   .  C605 E4965F00>mov byte ptr ds:[0x5F96E4],0x0
005D15DB   .  C605 D8965F00>mov byte ptr ds:[0x5F96D8],0x0
005D15E2   .  E8 F5F9E8FF   call <Protecte.Now>
005D15E7   .  83C4 F8       add esp,-0x8                                           ; /
005D15EA   .  DD1C24        fstp qword ptr ss:[esp]                                ; |Arg1 (8-byte)
005D15ED   .  9B            wait                                                   ; |
005D15EE   .  8D8D 9CFEFFFF lea ecx,dword ptr ss:[ebp-0x164]                       ; |
005D15F4   .  8D95 10FFFFFF lea edx,dword ptr ss:[ebp-0xF0]                        ; |
005D15FA   .  B8 681D5D00   mov eax,<Protecte.aMmDdYyyyHhMm_2>                     ; |UNICODE "mm/dd/yyyy hh:mm:ss"
005D15FF   .  E8 7414E9FF   call <Protecte.formatTime>                             ; \formatTime
005D1604   .  8B95 9CFEFFFF mov edx,dword ptr ss:[ebp-0x164]
005D160A   .  B8 E8965F00   mov eax,Protecte.005F96E8
005D160F   .  E8 D850E3FF   call <Protecte.@UStrAsg>
005D1614   .  8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-0x168]
005D161A   .  BA 04000000   mov edx,0x4
005D161F   .  8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D1625   .  8B18          mov ebx,dword ptr ds:[eax]
005D1627   .  FF53 0C       call dword ptr ds:[ebx+0xC] // Classes_TStringList_Get; edx is the index of the item to fetch, here item 4
005D162A   .  8B95 98FEFFFF mov edx,dword ptr ss:[ebp-0x168]
005D1630   .  B8 EC965F00   mov eax,Protecte.005F96EC
005D1635   .  E8 B250E3FF   call <Protecte.@UStrAsg>
005D163A   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D1640   .  E8 0B2B0000   call <Protecte.makeLicense> // analysis shows this stores the data returned by the server; that data gets validated, so it is important.
005D1645   .  6A 01         push 0x1
005D1647   .  6A 00         push 0x0
005D1649   .  68 0C050000   push 0x50C
005D164E   .  A1 30065F00   mov eax,dword ptr ds:[0x5F0630]
005D1653   .  8B00          mov eax,dword ptr ds:[eax]
005D1655   .  E8 DE73F1FF   call <Protecte.Controls_TWinControl_GetHandle>
005D165A   .  50            push eax                                               ; |hWnd
005D165B   .  E8 EC8EE3FF   call <Protecte.PostMessageW>                           ; \PostMessageW
005D1660   .  6A 40         push 0x40
005D1662   .  8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
005D1668   .  50            push eax
005D1669   .  A1 84055F00   mov eax,dword ptr ds:[0x5F0584]
005D166E   .  8B00          mov eax,dword ptr ds:[eax]
005D1670   .  B9 34215D00   mov ecx,<Protecte.aActivated>                          ;  UNICODE "Activated"
005D1675   .  BA 54215D00   mov edx,<Protecte.aActi>                               ;  UNICODE "acti"
005D167A   .  E8 91BFFBFF   call <Protecte.PLabelNote_sub_0058D610>
005D167F   .  8B85 94FEFFFF mov eax,dword ptr ss:[ebp-0x16C]
005D1685   .  E8 EE50E3FF   call <Protecte.System_@UStrToPWChar>
005D168A   .  50            push eax
005D168B   .  8D85 90FEFFFF lea eax,dword ptr ss:[ebp-0x170]
005D1691   .  50            push eax
005D1692   .  A1 84055F00   mov eax,dword ptr ds:[0x5F0584]
005D1697   .  8B00          mov eax,dword ptr ds:[eax]
005D1699   .  B9 6C215D00   mov ecx,<Protecte.aProtectedFol_7>                     ;  UNICODE "Protected Folder PRO activated successfully!"
005D169E   .  BA D4215D00   mov edx,<Protecte.aSuccess>                            ;  UNICODE "success"
005D16A3   .  E8 68BFFBFF   call <Protecte.PLabelNote_sub_0058D610>
005D16A8   .  8B85 90FEFFFF mov eax,dword ptr ss:[ebp-0x170]
005D16AE   .  E8 C550E3FF   call <Protecte.System_@UStrToPWChar>
005D16B3   .  50            push eax
005D16B4   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D16BA   .  E8 7973F1FF   call <Protecte.Controls_TWinControl_GetHandle>
005D16BF   .  50            push eax                                               ; |hOwner
005D16C0   .  E8 378EE3FF   call <Protecte.MessageBoxW>                            ; \MessageBoxW  reaching this point means success!
005D16C5   .  8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]


Let's look into call <Protecte.makeLicense>, which validates and stores the data returned by the server:
The key data-handling code can be found here:
[Asm]
005D4283   .  B9 94445D00   mov ecx,<Protecte.aCode_2>                             ;  UNICODE "Code"
005D4288   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D428D   .  8BC3          mov eax,ebx
005D428F   .  8B38          mov edi,dword ptr ds:[eax]
005D4291   .  FF57 04       call dword ptr ds:[edi+0x4]
005D4294   .  A1 D0965F00   mov eax,dword ptr ds:[0x5F96D0]
005D4299   .  50            push eax
005D429A   .  B9 C4445D00   mov ecx,<Protecte.aFingerprint_0>                      ;  UNICODE "FingerPrint"
005D429F   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D42A4   .  8BC3          mov eax,ebx
005D42A6   .  8B38          mov edi,dword ptr ds:[eax]
005D42A8   .  FF57 04       call dword ptr ds:[edi+0x4]
005D42AB   .  A1 D4965F00   mov eax,dword ptr ds:[0x5F96D4]
005D42B0   .  50            push eax
005D42B1   .  B9 E8445D00   mov ecx,<Protecte.aLicensetype_0>                      ;  UNICODE "LicenseType"
005D42B6   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D42BB   .  8BC3          mov eax,ebx
005D42BD   .  8B38          mov edi,dword ptr ds:[eax]
005D42BF   .  FF57 04       call dword ptr ds:[edi+0x4]
005D42C2   .  0FB605 D8965F>movzx eax,byte ptr ds:[0x5F96D8]
005D42C9   .  50            push eax
005D42CA   .  B9 0C455D00   mov ecx,<Protecte.aExpried_2>                          ;  UNICODE "Expried"
005D42CF   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D42D4   .  8BC3          mov eax,ebx
005D42D6   .  8B38          mov edi,dword ptr ds:[eax]
005D42D8   .  FF57 14       call dword ptr ds:[edi+0x14]
005D42DB   .  A1 E0965F00   mov eax,dword ptr ds:[0x5F96E0]
005D42E0   .  50            push eax
005D42E1   .  B9 28455D00   mov ecx,<Protecte.aSeat_0>                             ;  UNICODE "Seat"
005D42E6   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D42EB   .  8BC3          mov eax,ebx
005D42ED   .  8B38          mov edi,dword ptr ds:[eax]
005D42EF   .  FF57 04       call dword ptr ds:[edi+0x4]
005D42F2   .  A1 DC965F00   mov eax,dword ptr ds:[0x5F96DC]
005D42F7   .  50            push eax
005D42F8   .  B9 40455D00   mov ecx,<Protecte.aExpdate_0>                          ;  UNICODE "ExpDate"
005D42FD   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D4302   .  8BC3          mov eax,ebx
005D4304   .  8B38          mov edi,dword ptr ds:[eax]
005D4306   .  FF57 04       call dword ptr ds:[edi+0x4]
005D4309   .  A1 E8965F00   mov eax,dword ptr ds:[0x5F96E8]
005D430E   .  50            push eax
005D430F   .  B9 5C455D00   mov ecx,<Protecte.aLastvalidate_0>                     ;  UNICODE "LastValidate"
005D4314   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D4319   .  8BC3          mov eax,ebx
005D431B   .  8B38          mov edi,dword ptr ds:[eax]
005D431D   .  FF57 04       call dword ptr ds:[edi+0x4]
005D4320   .  0FB605 E4965F>movzx eax,byte ptr ds:[0x5F96E4]
005D4327   .  50            push eax
005D4328   .  B9 84455D00   mov ecx,<Protecte.aOverseat_2>                         ;  UNICODE "OverSeat"
005D432D   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D4332   .  8BC3          mov eax,ebx
005D4334   .  8B38          mov edi,dword ptr ds:[eax]
005D4336   .  FF57 14       call dword ptr ds:[edi+0x14]
005D4339   .  A1 EC965F00   mov eax,dword ptr ds:[0x5F96EC]
005D433E   .  50            push eax
005D433F   .  B9 A4455D00   mov ecx,<Protecte.aLastserverda_0>                     ;  UNICODE "LastServerDate"
005D4344   .  BA AC445D00   mov edx,<Protecte.aMain_2>                             ;  UNICODE "main"
005D4349   .  8BC3          mov eax,ebx


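The code above stores several items returned by the server. By writing a small server of my own,
I worked out that the final data returned by the server has the following meaning: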
--------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 09 Jan 2015 13:57:04 GMT
Server: Apache
Content-Length: 2
Connection: keep-alive

0&expiredate&seat&unknown&lastserverdate
---------------------------------------
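I did not work out what the fourth item is for; my guess is that it is used as a check value.
That basically completes the analysis. I wrote a simple network keygen that registers perfectly. (Before using it, pf.iobit.com has to be added to the hosts file.)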


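The keygen uses Boost's asio library. The code is messy and I'm too embarrassed to release the source, so here is a ready-made network keygen to download instead.

It may be incompatible with older OS versions.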


PFolderCalcKeygen.zip

170.69 KB

Complete keygen
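
Added example, not part of the original post and not the vendor's code: the activation reply analysed above is plain text over HTTP, and the client only checks that the first item is 0 and that there are five items, so nothing ties the reply to the real server or to the request that was sent. The Python sketch below shows a client-side check that binds the five-field reply to the request's code, hardware fingerprint and a fresh nonce. The function names, the nonce, the appended tag field and the demo key are assumptions, and HMAC stands in for the public-key signature a shipped client should verify.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption). HMAC keeps the example inside the standard
# library; a shipped client should verify a public-key signature instead, so
# that no signing secret is present in the binary.
DEMO_KEY = b"constructed-demo-key"

# status, expire date, seat, unknown, last server date (layout from the post)
FIELD_COUNT = 5


def canonical(code, fingerprint, nonce, fields):
    """Length-prefix every element so that field boundaries cannot be shifted."""
    out = b""
    for part in [code, fingerprint, nonce, *fields]:
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def make_tag(key, code, fingerprint, nonce, fields):
    """MAC over the request identity plus every reply field."""
    msg = canonical(code, fingerprint, nonce, fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def server_reply(code, fingerprint, nonce, fields, key=DEMO_KEY):
    """Hypothetical server side: the five fields plus an appended tag field."""
    return "&".join([*fields, make_tag(key, code, fingerprint, nonce, fields)])


def client_accepts(reply, code, fingerprint, nonce, key=DEMO_KEY):
    """Return the five fields if the reply is authentic for this request, else None."""
    parts = reply.strip().split("&")
    if len(parts) != FIELD_COUNT + 1:
        return None  # unsigned or malformed reply
    *fields, tag = parts
    expected = make_tag(key, code, fingerprint, nonce, fields)
    # Constant-time comparison, done on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), tag.encode("utf-8")):
        return None  # wrong sender, altered field, stale nonce or other machine
    if fields[0] != "0":
        return None  # authentic reply, but the server refused the activation
    return fields


def demo():
    """Run the check against constructed replies and report each outcome."""
    code = "AAAAA-BBBBB-CCCCC-DDDDD"                  # constructed placeholder
    fingerprint = "CPU-PLACEHOLDER|DISK-PLACEHOLDER"  # constructed placeholder
    nonce = secrets.token_hex(16)                     # fresh per request
    fields = ["0", "01/09/2016", "1", "x", "01/09/2015 13:57:04"]  # constructed
    good = server_reply(code, fingerprint, nonce, fields)
    tampered = good.replace("01/09/2016", "01/09/2099", 1)
    return {
        "authentic": client_accepts(good, code, fingerprint, nonce) == fields,
        "unsigned": client_accepts("&".join(fields), code, fingerprint, nonce) is None,
        "tampered": client_accepts(tampered, code, fingerprint, nonce) is None,
        "replayed": client_accepts(good, code, fingerprint, secrets.token_hex(16)) is None,
        "other_machine": client_accepts(good, code, "CPU-OTHER|DISK-OTHER", nonce) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

Transport security (HTTPS with certificate validation) is still needed on top of this; the tag only makes a reply useless outside the request it answers.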

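Recommended
Hmily posted on 2015-1-11 00:26
For Delphi, analysing with IDR [which replaces DeDe], exporting a map and then importing it into OD really does make the analysis very pleasant. Here is the link for everyone: http://www.52pojie.cn/thread-178147-1-1.html

http://down.52pojie.cn/Tools/Dis ... econstructor%29.rar
First reply
liguhe posted on 2015-1-11 00:22
3#
243205964 posted on 2015-1-11 00:26
5#
Ctrui posted on 2015-1-11 00:35
Bookmarked, thanks for sharing!
6#
bigharvest posted on 2015-1-11 00:37
Awesome. I still can't write algorithms, I'm ashamed.
7#
2223862765 posted on 2015-1-11 01:05
"Not a valid 32-bit application"; I'm on XP!
8#
NewType posted on 2015-1-11 06:29
Thanks, OP!
9#
wanttobeno posted on 2015-1-11 08:36
Simple and clear, thanks for sharing!
10#
逍遥子 posted on 2015-1-11 09:31
I can't follow it; never mind, I'll just reserve a spot in the thread.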