Subject: [HC] ZIP98Plus v3.0
Date: Sat, 25 Apr 1998 20:10:00 +0800
From: chengnet
To: post@hc.ml.org

ZIP98Plus v3.0 (http://www.zip98.base.org)

When I first started on this program I couldn't crack it at all. I recently picked it up again, studied it some more, and finally saw the trick. Here it is for everyone's reference!

Name : Registered
Key  : 077E6161

Name : KYMCO
Key  : 47582E39

-----------------------------------------
Set the breakpoint with BPX HMEMCPY

. . .
0137:0046083F  LEA   EDX,[EBP-04]
0137:00460842  MOV   EAX,[EBX+00000200]
0137:00460848  CALL  0041E3B4
0137:0046084D  MOV   EAX,[EBP-04]
0137:00460850  PUSH  EAX
0137:00460851  LEA   EDX,[EBP-08]
0137:00460854  MOV   EAX,[EBX+000001FC]
0137:0046085A  CALL  0041E3B4
0137:0046085F  MOV   EDX,[EBP-08]
0137:00460862  MOV   EAX,ESI
0137:00460864  POP   ECX
0137:00460865  CALL  0045FEEC                 ; registration code compare (trace into)
0137:0046086A  TEST  AL,AL
0137:0046086C  JZ    0046088C                 ; if taken, registration fails
0137:0046086E  MOV   EAX,[EBX+0000021C]
0137:00460874  CALL  0045FF70                 ; shows the "registration succeeded" dialog
0137:00460879  MOV   DWORD PTR [EBX+00000218],00000001
0137:00460883  MOV   EAX,EBX
0137:00460885  CALL  0042BE5C
0137:0046088A  JMP   004608A1
0137:0046088C  PUSH  00
0137:0046088E  MOV   CX,[004608CC]
0137:00460895  MOV   DL,01
0137:00460897  MOV   EAX,004608D8
0137:0046089C  CALL  0043CA58                 ; shows the "registration failed" dialog
0137:004608A1  XOR   EAX,EAX
0137:004608A3  POP   EDX
0137:004608A4  POP   ECX
0137:004608A5  POP   ECX
0137:004608A6  MOV   FS:[EAX],EDX
0137:004608A9  PUSH  004608C3
0137:004608AE  LEA   EAX,[EBP-08]
0137:004608B1  MOV   EDX,00000002
0137:004608B6  CALL  00403AE8
0137:004608BB  RET
. . .
0137:0045FEEC  PUSH  EBX                      ; <------------
0137:0045FEED  PUSH  ESI
0137:0045FEEE  PUSH  EDI
0137:0045FEEF  MOV   EDI,ECX
0137:0045FEF1  MOV   ESI,EDX
0137:0045FEF3  MOV   EBX,EAX
0137:0045FEF5  MOV   AL,[EBX+25]
0137:0045FEF8  CALL  0045A1A0
0137:0045FEFD  MOV   ECX,EDI
0137:0045FEFF  MOV   EDX,ESI
0137:0045FF01  MOV   EAX,[EBX+40]
0137:0045FF04  CALL  0045D690                 ; trace into
0137:0045FF09  POP   EDI
0137:0045FF0A  POP   ESI
0137:0045FF0B  POP   EBX
0137:0045FF0C  RET
. . .

0137:0045D690  PUSH  EBP                      ; <------------
0137:0045D691  MOV   EBP,ESP
0137:0045D693  ADD   ESP,FFFFFBEC
0137:0045D699  PUSH  EBX
0137:0045D69A  PUSH  ESI
0137:0045D69B  PUSH  EDI
0137:0045D69C  XOR   EBX,EBX
0137:0045D69E  MOV   [EBP-14],EBX
0137:0045D6A1  MOV   [EBP-08],EBX
0137:0045D6A4  MOV   EDI,ECX
0137:0045D6A6  MOV   [EBP-04],EDX
0137:0045D6A9  MOV   ESI,EAX
0137:0045D6AB  XOR   EAX,EAX
0137:0045D6AD  PUSH  EBP
0137:0045D6AE  PUSH  0045D8AB
0137:0045D6B3  PUSH  DWORD PTR FS:[EAX]
0137:0045D6B6  MOV   FS:[EAX],ESP
0137:0045D6B9  XOR   EBX,EBX
0137:0045D6BB  CALL  0045A1BC
0137:0045D6C0  TEST  AL,AL
0137:0045D6C2  JZ    0045D6CE
0137:0045D6C4  LEA   EAX,[EBP-08]
0137:0045D6C7  CALL  0045A6C4
0137:0045D6CC  JMP   0045D6D6
0137:0045D6CE  LEA   EAX,[EBP-08]
0137:0045D6D1  CALL  00403AC4
0137:0045D6D6  PUSH  EDI
0137:0045D6D7  MOV   ECX,[EBP-08]
0137:0045D6DA  MOV   EDX,[EBP-04]
0137:0045D6DD  MOV   EAX,ESI
0137:0045D6DF  CALL  0045CFEC                 ; registration code compare (trace into)
0137:0045D6E4  TEST  AL,AL
0137:0045D6E6  JZ    0045D88D                 ; if taken, registration fails
0137:0045D6EC  PUSH  EDI
0137:0045D6ED  LEA   EAX,[EBP-09]
0137:0045D6F0  PUSH  EAX
0137:0045D6F1  LEA   EAX,[EBP-10]
. . .

0137:0045CFEC  PUSH  EBP                      ; <------------
0137:0045CFED  MOV   EBP,ESP
0137:0045CFEF  ADD   ESP,FFFFFA94
0137:0045CFF5  PUSH  EBX
0137:0045CFF6  PUSH  ESI
0137:0045CFF7  PUSH  EDI
0137:0045CFF8  XOR   EBX,EBX
0137:0045CFFA  MOV   [EBP-04],EBX
0137:0045CFFD  MOV   EDI,ECX
0137:0045CFFF  MOV   ESI,EDX
0137:0045D001  MOV   EBX,EAX
0137:0045D003  XOR   EAX,EAX
0137:0045D005  PUSH  EBP
0137:0045D006  PUSH  0045D239
0137:0045D00B  PUSH  DWORD PTR FS:[EAX]
0137:0045D00E  MOV   FS:[EAX],ESP
0137:0045D011  LEA   EAX,[EBP-0248]
0137:0045D017  MOV   EDX,[EBP+08]
0137:0045D01A  MOV   ECX,000000FF
0137:0045D01F  CALL  00403D1C
0137:0045D024  LEA   EAX,[EBP-0248]
0137:0045D02A  LEA   EDX,[EBP-0148]
0137:0045D030  CALL  0045B1E8
0137:0045D035  LEA   EDX,[EBP-0148]
0137:0045D03B  LEA   EAX,[EBP-04]
0137:0045D03E  CALL  00403CE4
0137:0045D043  CALL  0045A108
0137:0045D048  CMP   AL,01
0137:0045D04A  JA    0045D0F2
0137:0045D050  LEA   EAX,[EBP-0248]
0137:0045D056  MOV   EDX,[EBP-04]
0137:0045D059  MOV   ECX,000000FF
0137:0045D05E  CALL  00403D1C
0137:0045D063  LEA   EAX,[EBP-0248]
0137:0045D069  LEA   EDX,[EBP-0148]
0137:0045D06F  CALL  0045B0E4
0137:0045D074  LEA   EAX,[EBP-0148]
0137:0045D07A  PUSH  EAX
0137:0045D07B  PUSH  01
0137:0045D07D  PUSH  00
0137:0045D07F  LEA   EAX,[EBP-0248]
0137:0045D085  PUSH  EAX
0137:0045D086  LEA   EAX,[EBP-0348]
0137:0045D08C  MOV   EDX,EDI
0137:0045D08E  MOV   ECX,000000FF
0137:0045D093  CALL  00403D1C
0137:0045D098  LEA   EAX,[EBP-0348]
0137:0045D09E  PUSH  EAX
0137:0045D09F  LEA   EAX,[EBP+FFFFFBB8]
0137:0045D0A5  MOV   EDX,ESI
0137:0045D0A7  MOV   ECX,000000FF
0137:0045D0AC  CALL  00403D1C
0137:0045D0B1  LEA   EAX,[EBP+FFFFFBB8]
0137:0045D0B7  PUSH  EAX
0137:0045D0B8  LEA   EAX,[EBP+FFFFFAB8]
0137:0045D0BE  MOV   EDX,EBX
0137:0045D0C0  MOV   ECX,000000FF
0137:0045D0C5  CALL  00403D1C
0137:0045D0CA  LEA   EAX,[EBP+FFFFFAB8]
0137:0045D0D0  POP   EDX
0137:0045D0D1  POP   ECX
0137:0045D0D2  CALL  0045B888                 ; probably computes the registration code
0137:0045D0D7  LEA   EDX,[EBP-0248]           ; D EDX shows the registration code (8 characters long)
0137:0045D0DD  POP   EAX
0137:0045D0DE  XOR   ECX,ECX
0137:0045D0E0  MOV   CL,[EAX]
0137:0045D0E2  INC   ECX
0137:0045D0E3  CALL  00402C0C                 ; the real registration code compare (trace into)
0137:0045D0E8  SETZ  AL
0137:0045D0EB  MOV   EBX,EAX
0137:0045D0ED  JMP   0045D223
0137:0045D0F2  LEA   EAX,[EBP-0248]
0137:0045D0F8  MOV   EDX,[EBP-04]
0137:0045D0FB  MOV   ECX,000000FF
0137:0045D100  CALL  00403D1C
. . .

0137:00402C0A  MOV   EAX,EAX                  ; <------------
0137:00402C0C  PUSH  EBX
0137:00402C0D  PUSH  ESI
0137:00402C0E  PUSH  ECX
0137:00402C0F  MOV   ESI,ECX
0137:00402C11  SHR   ESI,02
0137:00402C14  JZ    00402C3C
0137:00402C16  MOV   ECX,[EAX]                ; the registration code the USER typed in
0137:00402C18  MOV   EBX,[EDX]                ; the real registration code
0137:00402C1A  CMP   ECX,EBX                  ; compares the length byte and the first 3 characters
0137:00402C1C  JNZ   00402C63
0137:00402C1E  DEC   ESI
0137:00402C1F  JZ    00402C36
0137:00402C21  MOV   ECX,[EAX+04]
0137:00402C24  MOV   EBX,[EDX+04]
0137:00402C27  CMP   ECX,EBX                  ; compares characters 4 to 7
0137:00402C29  JNZ   00402C63
0137:00402C2B  ADD   EAX,08
0137:00402C2E  ADD   EDX,08
0137:00402C31  DEC   ESI
0137:00402C32  JNZ   00402C16
0137:00402C34  JMP   00402C3C
0137:00402C36  ADD   EAX,04
0137:00402C39  ADD   EDX,04
0137:00402C3C  POP   ESI
0137:00402C3D  AND   ESI,03
0137:00402C40  JZ    00402C78
0137:00402C42  MOV   CL,[EAX]
0137:00402C44  CMP   CL,[EDX]                 ; compares character 8
0137:00402C46  JNZ   00402C78
0137:00402C48  DEC   ESI
0137:00402C49  JZ    00402C5E
0137:00402C4B  MOV   CL,[EAX+01]
0137:00402C4E  CMP   CL,[EDX+01]
0137:00402C51  JNZ   00402C78
0137:00402C53  DEC   ESI
0137:00402C54  JZ    00402C5E
0137:00402C56  MOV   CL,[EAX+02]
0137:00402C59  CMP   CL,[EDX+02]
0137:00402C5C  JNZ   00402C78
0137:00402C5E  XOR   EAX,EAX
0137:00402C60  POP   ESI
0137:00402C61  POP   EBX
0137:00402C62  RET
. . .

The CMP ECX,EBX at 0137:00402C1A above gets hit many times during the comparison (it loops), but only when D ECX shows the S/N the USER typed in does D EBX show the real registration code (press F5 a few more times and you'll see it)..........

--
To unsubscribe, mailto:req@hc.ml.org with "unsubscribe hc" in the body. Thanks.
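The comparison routine the post traces into at 00402C0C, rebuilt in C as an added example (this is not code from ZIP98Plus or from the post; the key-generation routine at 0045B888 is not reconstructed here, so the "computed" serial is simply passed in). It operates on Borland ShortStrings (length byte followed by the text), which is why the call site at 0045D0E0-0045D0E2 passes the user string's length byte plus one as the byte count, and why the first dword compare covers the length and the first three characters, the second covers characters 4 to 7, and the trailing byte compare covers character 8. The listing does not show the mismatch exits at 00402C63 and 00402C78; treating them as "not equal" is an assumption consistent with the SETZ AL that follows the call at 0045D0E8. The names below (make_shortstr, cmp_like_402c0c, serial_first_mismatch, serial_matches) and the sample inputs are mine; the two serials come from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build a Borland/Delphi ShortString: byte 0 is the length, bytes 1..n the text.
 * The call site (MOV CL,[EAX]; INC ECX) passes "length byte + 1" as the byte
 * count, so the length byte itself takes part in the comparison. */
static void make_shortstr(uint8_t out[256], const char *s)
{
    size_t n = strlen(s);
    if (n > 255)
        n = 255;
    out[0] = (uint8_t)n;
    memcpy(out + 1, s, n);
}

/* Reimplementation of 00402C0C as it appears in the listing:
 *   count >> 2 dwords compared with CMP ECX,EBX (the listing unrolls this two
 *   dwords per iteration, which changes nothing observable), then count & 3
 *   trailing bytes compared one at a time with CMP CL,[EDX].
 * Returns the index of the first differing byte, or -1 when all `count` bytes
 * match (the XOR EAX,EAX exit that SETZ AL at 0045D0E8 turns into AL=1).
 * Assumption: the unseen exits at 00402C63/00402C78 mean "not equal". */
static int cmp_like_402c0c(const uint8_t *a, const uint8_t *b, uint32_t count)
{
    uint32_t i = 0;
    for (uint32_t dwords = count >> 2; dwords != 0; dwords--, i += 4) {
        uint32_t x, y;
        memcpy(&x, a + i, 4);           /* MOV ECX,[EAX]  (typed serial)     */
        memcpy(&y, b + i, 4);           /* MOV EBX,[EDX]  (computed serial)  */
        if (x != y) {                   /* CMP ECX,EBX / JNZ 00402C63        */
            for (int k = 0; k < 4; k++)
                if (a[i + k] != b[i + k])
                    return (int)(i + k);
        }
    }
    for (uint32_t k = 0; k < (count & 3); k++, i++) {
        if (a[i] != b[i])               /* MOV CL,[EAX] / CMP CL,[EDX]       */
            return (int)i;
    }
    return -1;
}

/* Mirrors the call at 0045D0E3: EAX -> serial the user typed, EDX -> serial the
 * program computed, ECX = user length + 1. Returns -1 on a match, otherwise the
 * first differing byte index (0 = length byte, n = the n-th character). */
static int serial_first_mismatch(const char *typed, const char *computed)
{
    uint8_t u[256], c[256];
    make_shortstr(u, typed);
    make_shortstr(c, computed);
    return cmp_like_402c0c(u, c, (uint32_t)u[0] + 1);
}

static int serial_matches(const char *typed, const char *computed)
{
    return serial_first_mismatch(typed, computed) == -1;
}

int main(void)
{
    /* Constructed inputs: the KYMCO key from the post, plus one typo in each
     * region the listing's comments single out (length+chars 1-3, chars 4-7, char 8). */
    const char *real = "47582E39";
    const char *tries[] = { "47582E39", "47582E3", "57582E39", "4758XE39", "47582E38" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int idx = serial_first_mismatch(tries[i], real);
        if (idx < 0)
            printf("%-9s -> match\n", tries[i]);
        else
            printf("%-9s -> differs at byte %d (%s)\n", tries[i], idx,
                   idx == 0 ? "length byte" : idx <= 3 ? "first dword"
                                            : idx <= 7 ? "second dword" : "tail byte");
    }
    return 0;
}
```

Two things worth noting when sitting on the breakpoint in SoftICE. First, at 00402C16 and 00402C18 ECX and EBX hold the first four bytes of each string, not pointers to them; the pointers are EAX (what was typed) and EDX (what the program computed), so `D EDX` at that point dumps the whole computed serial, which is what the annotation at 0045D0D7 relies on. Second, the routine bails out at the first differing dword or byte, so a breakpoint on CMP ECX,EBX fires for every caller of this comparator and, for the call that matters, only once unless the length byte and first three characters already agree; that is why the post says to keep pressing F5 until the typed serial is the one in ECX.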