
Full-series cost/benefit analysis: HotkeyMaster algorithm analysis

South Bay: algorithm analysis for the whole product line



Software homepage: http://www.southbaypc.com/
Products: AutoConnect, FolderView, Hot Corners, PrinterExpress, SuperCleaner, SysDate...
Target: SuperCleaner
Tools: trw2000...

The program is written in VC and is not packed. Load SuperCleaner.exe in trw2000. The program starts and complains that it is unregistered and can only be used for 30 days; ignore that and click Enter Registration. In the registration dialog enter LeNgHoSt[DFCG] as the name and 78787878 as the code, press Ctrl+N to bring up trw2000, set bpx hmemcpy, F5 back to the program and click OK. The program is intercepted; bc *, then pmodule, and we land here:

************************************************************
:00412007 FFD7                    call edi                          ---- read the user name
:00412009 8D542408                lea edx, dword ptr [esp+08]
:0041200D 6800010000              push 00000100
:00412012 52                      push edx
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03FC, ""
                                  |
:00412013 68FC030000              push 000003FC
:00412018 56                      push esi
:00412019 FFD7                    call edi                          ---- read the registration code
:0041201B 8D442408                lea eax, dword ptr [esp+08]       ---- eax = buffer with the entered code
:0041201F 8D8C2408010000          lea ecx, dword ptr [esp+00000108] ---- ecx = buffer with the user name
:00412026 50                      push eax                          ---- push the code
:00412027 51                      push ecx                          ---- push the name
:00412028 E8B3050000              call 004125E0                     ---- key call, see below
:0041202D 83C408                  add esp, 00000008
:00412030 85C0                    test eax, eax                     ---- 0 = bad code
:00412032 5F                      pop edi
:00412033 7443                    je 00412078                       ---- jump = not registered
:00412035 8D542404                lea edx, dword ptr [esp+04]
:00412039 8D842404010000          lea eax, dword ptr [esp+00000104]
:00412040 52                      push edx
:00412041 50                      push eax
******************************************************************

Continuing from 00412028 above, the key call:
**************************
:004125E0 81EC00010000            sub esp, 00000100                 ---- 100h-byte buffer for the real code
:004125E6 A080964200              mov al, byte ptr [00429680]
:004125EB 56                      push esi
:004125EC 57                      push edi
:004125ED 88442408                mov byte ptr [esp+08], al
* Possible Reference to String Resource ID=00063: "The location you specified does not contain a Netscape 4 pro"
                                  |
:004125F1 B93F000000              mov ecx, 0000003F                 ---- (the resource reference above is a W32Dasm false positive on the immediate 3Fh; this is just rep stos clearing the buffer)
:004125F6 33C0                    xor eax, eax
:004125F8 8D7C2409                lea edi, dword ptr [esp+09]
:004125FC 8B94240C010000          mov edx, dword ptr [esp+0000010C]
:00412603 F3                      repz
:00412604 AB                      stosd
:00412605 66AB                    stosw
:00412607 8D4C2408                lea ecx, dword ptr [esp+08]
:0041260B 33F6                    xor esi, esi
:0041260D 51                      push ecx                          ---- buffer that receives the real code
:0041260E 52                      push edx                          ---- user name
:0041260F AA                      stosb
:00412610 E8AB000000              call 004126C0                     ---- compute the real code, analysed below
:00412615 8B8C2418010000          mov ecx, dword ptr [esp+00000118] ---- the entered (fake) code
:0041261C 8D442410                lea eax, dword ptr [esp+10]       ---- the real code
:00412620 50                      push eax                          ---- push real code
:00412621 51                      push ecx                          ---- push fake code
:00412622 E869FFFFFF              call 00412590                     ---- compare real and fake code
:00412627 83C410                  add esp, 00000010
:0041262A 85C0                    test eax, eax
* Possible Reference to String Resource ID=00001: "Registered to: %s"
                                  |
:0041262C B801000000              mov eax, 00000001                 ---- assume success
:00412631 7502                    jne 00412635                      ---- compare returned non-zero: match, return 1
:00412633 8BC6                    mov eax, esi                      ---- otherwise return esi = 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412631(C)
:00412635 5F                      pop edi
:00412636 5E                      pop esi
:00412637 81C400010000            add esp, 00000100
:0041263D C3                      ret
************************************************************

Note that 00412590 returns non-zero on a match (the je/jne logic above is the reverse of strcmp semantics), so the whole check reduces to: recompute the real code from the name, compare, return 1 or 0.

Continuing from 00412610 above, computing the real code:
****************************
:004126C0 81EC00010000            sub esp, 00000100
:004126C6 A080964200              mov al, byte ptr [00429680]
:004126CB 53                      push ebx
:004126CC 55                      push ebp
:004126CD 56                      push esi
:004126CE 57                      push edi
:004126CF 88442410                mov byte ptr [esp+10], al
* Possible Reference to String Resource ID=00063: "The location you specified does not contain a Netscape 4 pro"
                                  |
:004126D3 B93F000000              mov ecx, 0000003F                 ---- clear a local 100h-byte buffer (same false positive as above)
:004126D8 33C0                    xor eax, eax
:004126DA 8D7C2411                lea edi, dword ptr [esp+11]
:004126DE F3                      repz
:004126DF AB                      stosd
:004126E0 66AB                    stosw
:004126E2 AA                      stosb
:004126E3 8BBC2414010000          mov edi, dword ptr [esp+00000114] ---- edi = user name
:004126EA 57                      push edi
* Reference To: KERNEL32.lstrlenA, Ord:03AEh
                                  |
:004126EB FF1538024200            Call dword ptr [00420238]         ---- length of the user name
:004126F1 8BF0                    mov esi, eax                      ---- esi = name length
:004126F3 33C9                    xor ecx, ecx                      ---- ecx = accumulator, cleared
:004126F5 33C0                    xor eax, eax                      ---- eax = index, starts at 0
:004126F7 85F6                    test esi, esi                     ---- empty name?
:004126F9 7E13                    jle 0041270E
:004126FB 8B1530664200            mov edx, dword ptr [00426630]     ---- edx = 26h
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041270C(C)
:00412701 0FBE1C38                movsx ebx, byte ptr [eax+edi]     ---- ebx = ASCII of name[eax], sign-extended
:00412705 03DA                    add ebx, edx                      ---- ebx = ebx + edx
:00412707 03CB                    add ecx, ebx                      ---- ecx = ecx + ebx
:00412709 40                      inc eax                           ---- next character
:0041270A 3BC6                    cmp eax, esi                      ---- all characters done?
:0041270C 7CF3                    jl 00412701                       ---- loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004126F9(C)
:0041270E 8B9C2418010000          mov ebx, dword ptr [esp+00000118] ---- ebx = output buffer from the caller
:00412715 51                      push ecx
* Possible StringData Ref from Data Obj ->"%ld-"
                                  |
:00412716 6844664200              push 00426644
:0041271B 53                      push ebx
* Reference To: USER32.wsprintfA, Ord:02D6h
                                  |
:0041271C FF151C034200            Call dword ptr [0042031C]         ---- format ecx as decimal with a trailing "-" into the buffer at ebx
:00412722 83C40C                  add esp, 0000000C                 ---- part 1 of 4 done
:00412725 33C9                    xor ecx, ecx                      ---- accumulator cleared
:00412727 33C0                    xor eax, eax                      ---- index from 0
:00412729 85F6                    test esi, esi                     ---- empty name?
:0041272B 7E14                    jle 00412741
:0041272D 8B1534664200            mov edx, dword ptr [00426634]     ---- edx = 34h
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041273F(C)
:00412733 0FBE2C38                movsx ebp, byte ptr [eax+edi]     ---- ebp = ASCII of name[eax]
:00412737 0FAFEA                  imul ebp, edx                     ---- ebp = ebp * edx
:0041273A 03CD                    add ecx, ebp                      ---- ecx = ecx + ebp
:0041273C 40                      inc eax
:0041273D 3BC6                    cmp eax, esi
:0041273F 7CF2                    jl 00412733                       ---- loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041272B(C)
:00412741 51                      push ecx
:00412742 8D4C2414                lea ecx, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"%ld-"
                                  |
:00412746 6844664200              push 00426644
:0041274B 51                      push ecx
* Reference To: USER32.wsprintfA, Ord:02D6h
                                  |
:0041274C FF151C034200            Call dword ptr [0042031C]         ---- part 2 as decimal text into the local buffer
:00412752 83C40C                  add esp, 0000000C
:00412755 8D542410                lea edx, dword ptr [esp+10]       ---- edx = part 2
:00412759 52                      push edx                          ---- part 2
:0041275A 53                      push ebx                          ---- part 1
* Reference To: KERNEL32.lstrcatA, Ord:039Fh
                                  |
:0041275B FF1520024200            Call dword ptr [00420220]         ---- append; the "-" separators come from the format strings
:00412761 33C9                    xor ecx, ecx                      ---- accumulator cleared
:00412763 33C0                    xor eax, eax                      ---- index from 0
:00412765 85F6                    test esi, esi                     ---- empty name?
:00412767 7E13                    jle 0041277C
:00412769 8B1538664200            mov edx, dword ptr [00426638]     ---- edx = 0Ch
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041277A(C)
:0041276F 0FBE2C38                movsx ebp, byte ptr [eax+edi]     ---- ebp = ASCII of name[eax]
:00412773 03EA                    add ebp, edx                      ---- ebp = ebp + edx
:00412775 03CD                    add ecx, ebp                      ---- ecx = ecx + ebp
:00412777 40                      inc eax
:00412778 3BC6                    cmp eax, esi
:0041277A 7CF3                    jl 0041276F                       ---- loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412767(C)
:0041277C 51                      push ecx
:0041277D 8D442414                lea eax, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"%ld-"
                                  |
:00412781 6844664200              push 00426644
:00412786 50                      push eax
* Reference To: USER32.wsprintfA, Ord:02D6h
                                  |
:00412787 FF151C034200            Call dword ptr [0042031C]
:0041278D 83C40C                  add esp, 0000000C
:00412790 8D4C2410                lea ecx, dword ptr [esp+10]       ---- ecx = part 3 as decimal text
:00412794 51                      push ecx
:00412795 53                      push ebx
* Reference To: KERNEL32.lstrcatA, Ord:039Fh
                                  |
:00412796 FF1520024200            Call dword ptr [00420220]         ---- buffer now holds parts 1-3
:0041279C 33C9                    xor ecx, ecx                      ---- accumulator cleared
:0041279E 33C0                    xor eax, eax                      ---- index from 0
:004127A0 85F6                    test esi, esi                     ---- empty name?
:004127A2 7E14                    jle 004127B8
:004127A4 8B153C664200            mov edx, dword ptr [0042663C]     ---- edx = 0Eh
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127B6(C)
:004127AA 0FBE2C38                movsx ebp, byte ptr [eax+edi]     ---- ebp = ASCII of name[eax]
:004127AE 0FAFEA                  imul ebp, edx                     ---- ebp = ebp * edx
:004127B1 03CD                    add ecx, ebp                      ---- ecx = ecx + ebp
:004127B3 40                      inc eax
:004127B4 3BC6                    cmp eax, esi
:004127B6 7CF2                    jl 004127AA                       ---- loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127A2(C)
:004127B8 51                      push ecx
:004127B9 8D542414                lea edx, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"%ld"
                                  |
:004127BD 6840664200              push 00426640                     ---- last part: no trailing "-"
:004127C2 52                      push edx
* Reference To: USER32.wsprintfA, Ord:02D6h
                                  |
:004127C3 FF151C034200            Call dword ptr [0042031C]
:004127C9 83C40C                  add esp, 0000000C
:004127CC 8D442410                lea eax, dword ptr [esp+10]       ---- eax = part 4 as decimal text
:004127D0 50                      push eax
:004127D1 53                      push ebx
* Reference To: KERNEL32.lstrcatA, Ord:039Fh
                                  |
:004127D2 FF1520024200            Call dword ptr [00420220]         ---- all 4 parts joined into the full code, XXXX-XXXX-XXXX-XXXX
:004127D8 5F                      pop edi
:004127D9 5E                      pop esi
:004127DA 5D                      pop ebp
:004127DB 5B                      pop ebx
:004127DC 81C400010000            add esp, 00000100
:004127E2 C3                      ret
************************************************************

Algorithm summary (the other South Bay products use essentially the same algorithm; see the keygen below):
*********
name: LeNgHoSt[DFCG]
Part 1: add 26h to the ASCII value of every character of name and sum the results: 6C4h = 1732 decimal
Part 2: multiply the ASCII value of every character by 34h and sum: F3C0h = 62400 decimal
Part 3: add 0Ch to every character and sum: 558h = 1368 decimal
Part 4: multiply every character by 0Eh and sum: 41A0h = 16800 decimal
Joined: sn = 1732-62400-1368-16800

Because the loops are plain sums, part 1 is (sum of ASCII values) + 26h * length, part 2 is 34h * (sum of ASCII values), and so on; with the ASCII sum of LeNgHoSt[DFCG] being 1200 and its length 14, the four values above check out. Bytes are loaded with movsx, so a byte of 80h or above counts as a negative value.
***************************************************************

Part of the VC6 keygen source (covers the whole South Bay series)
*******************
// m_name is the user name, name_len its length, m_sn the serial

void CKEYDlg::Reg()
{
    int i, name_len, name_x, name;
    long sn1, sn2, sn3, sn4;
    name_len = m_name.GetLength();
    switch (m_soft) {
    case 0: // AutoConnect
        // code1:
        sn1 = 0;
        for (i = 0; i

(the keygen source breaks off at this point in the page)
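The routine at 004126C0 and the check at 004125E0, rewritten in C as an added worked example. This is not the article's VC6 keygen (which is cut off above) and not South Bay's code. The four constants are the values the listing reads from 00426630..0042663C; the body of the comparison routine 00412590 is not shown on the page, so an exact string comparison is assumed; the sb_* function names are mine.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Per-part constants, as read from 00426630..0042663C in the listing. */
#define SB_K1 0x26   /* part 1: sum of (byte + 26h) */
#define SB_K2 0x34   /* part 2: sum of (byte * 34h) */
#define SB_K3 0x0C   /* part 3: sum of (byte + 0Ch) */
#define SB_K4 0x0E   /* part 4: sum of (byte * 0Eh) */

/* The loops at 00412701 and 0041276F: accumulate (name[i] + k) over the name.
 * movsx sign-extends each byte, so the cast through signed char keeps bytes
 * >= 0x80 negative, exactly as the 32-bit register arithmetic does. */
static int32_t sb_sum_add(const char *name, int32_t k)
{
    int32_t acc = 0;
    for (size_t i = 0; name[i] != '\0'; i++)
        acc += (int32_t)(signed char)name[i] + k;
    return acc;
}

/* The loops at 00412733 and 004127AA: accumulate (name[i] * k) over the name. */
static int32_t sb_sum_mul(const char *name, int32_t k)
{
    int32_t acc = 0;
    for (size_t i = 0; name[i] != '\0'; i++)
        acc += (int32_t)(signed char)name[i] * k;
    return acc;
}

/* Equivalent of 004126C0. The original emits each part with wsprintfA("%ld-")
 * and glues them with lstrcatA; one format call gives the same text.
 * Returns out for convenience. */
char *sb_make_serial(const char *name, char *out, size_t outlen)
{
    snprintf(out, outlen, "%" PRId32 "-%" PRId32 "-%" PRId32 "-%" PRId32,
             sb_sum_add(name, SB_K1), sb_sum_mul(name, SB_K2),
             sb_sum_add(name, SB_K3), sb_sum_mul(name, SB_K4));
    return out;
}

/* Equivalent of 004125E0: recompute the real code from the name and compare
 * it with what the user typed. The listing returns 1 on a match and 0 on a
 * mismatch (mov eax,1 / jne ; mov eax,esi with esi == 0). The comparison
 * routine 00412590 is not on the page; an exact string compare is assumed. */
int sb_check_serial(const char *name, const char *entered)
{
    char real[256];               /* the 100h-byte stack buffer in the listing */
    sb_make_serial(name, real, sizeof real);
    return strcmp(real, entered) == 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* With no argument, use the name from the article. */
    const char *name = argc > 1 ? argv[1] : "LeNgHoSt[DFCG]";
    char sn[256];
    printf("%s -> %s\n", name, sb_make_serial(name, sn, sizeof sn));
    return 0;
}
```

Run it with the name as the only argument; with no argument it prints 1732-62400-1368-16800 for LeNgHoSt[DFCG]. Two things the listing makes obvious once written this way: the add loops reduce to (byte sum) + length * k and the multiply loops to k * (byte sum), so the serial depends only on the byte sum and the length of the name, any permutation of a name ("ab" and "ba") yields the same serial, and none of the four fields carries a checksum. And because the check recomputes the real serial from the name inside the same process, the keygen is simply the validation routine run forward.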
