[Article Title]: Analysis of the algorithm of the Delphi control ImageEn2.26
[Author]: 8713007
[Software name]: ImageEn2.26
[Software size]: 12 M
[]: Search and download by yourself
[Shelling method]: No shell
[Protection method]: serial number
[Programming language]: Delphi
[Tools]: W32dsm8.93+, OD
[Operating platform]: Windows XP
[Software introduction]: a very good image control that can achieve a variety of image operations
[Author's statement]: I am only interested and have no other purpose. For errors, please enlighten us!
--------------------------------------------------------------------------------
[Detailed process]
ImageEn2.26 is a very good piece of software. After installation, run setup.exe in the installation directory, select "I have the serial Number", and enter
username SDlingying and serial number 12345678901234. Click Next and "Invalid Serial Number" is displayed. Disassemble the program with W32dsm8.93+,
search for that string, and find it referenced at 00447B09. Load the program in OD and set a breakpoint above it, at 00447A7B. Press F9 to run, check "I have the serial Number", fill in
username SDlingying and serial number 12345678901234, and click Next. The program breaks at the breakpoint:
00447A7B. 8B45 FC mov eax, [ebp-4]; execution breaks here
00447A7E. 8B80 E4020000 mov eax, [eax + 2E4]
00447A84. 8B10 mov edx, [eax]
00447A86. FF92 B4000000 call [edx + B4]; setup.00420F5C
00447A8C. 84C0 test al, al
00447A8E. 0F84 84000000 je 00447B18
00447A94. 8D55 E0 lea edx, [ebp-20]
00447A97. 8B45 FC mov eax, [ebp-4]
00447A9A. 8B80 DC020000 mov eax, [eax + 2DC]
00447AA0. E8 C3E2FDFF call 00425D68; get the user name
00447AA5. 837D E0 00 cmp dword ptr [ebp-20], 0; check whether the user name is empty
00447AA9. 74 6D je short 00447B18
00447AAB. 6A 12 push 12; push 12 onto the stack
00447AAD. 68 73010000 push 173; push 173 onto the stack
00447AB2. 8D55 DC lea edx, [ebp-24]
00447AB5. 8B45 FC mov eax, [ebp-4]
00447AB8. 8B80 DC020000 mov eax, [eax + 2DC]
00447ABE. E8 A5E2FDFF call 00425D68; get the username length into eax
00447AC3. 8B45 DC mov eax, [ebp-24]; |
00447AC6. 8D55 E5 lea edx, [ebp-1B]; | address of [ebp-1B] into edx, here 0013F40D
00447AC9. B9 12000000 mov ecx, 12; | 12 into ecx
00447ACE. E8 89040000 call 00447F5C; key call, step into it with F7
00447AD3. C645 F7 00 mov byte ptr [ebp-9], 0
00447AD7. 8D55 D8 lea edx, [ebp-28]
00447ADA. 8B45 FC mov eax, [ebp-4]
00447ADD. 8B80 E0020000 mov eax, [eax + 2E0]
00447AE3. E8 80E2FDFF call 00425D68
00447AE8. 8B45 D8 mov eax, [ebp-28]
00447AEB. E8 64C3FBFF call 00403E54
00447AF0. 8BD0 mov edx, eax
00447AF2. 8D45 E5 lea eax, [ebp-1B]
00447AF5. E8 220AFCFF call 0040851C
00447AFA. 85C0 test eax, eax
00447AFC. 74 1A je short 00447B18; modify it here
00447AFE. 6A 00 push 0;/Arg1 = 00000000
00447B00. 66: 8B0D A87C4> mov cx, [447CA8]; |
00447B07. 33D2 xor edx, edx; |
00447B09. B8 B47C4400 mov eax, 00447CB4; | ASCII "Invalid serial number"
00447B0E. E8 C9E4FFFF call 00445FDC; setup.00445FDC
00447B13. E9 52010000 jmp 00447C6A
//////////////////////////////////////// Step into the call with F7 and arrive here
00447F5C /$ 55 push ebp
00447F5D |. 8BEC mov ebp, esp
00447F5F |. 83C4 F4 add esp,-0C
00447F62 |. 53 push ebx
00447F63 |. 56 push esi