Analysis on Registration Algorithm of lianzhong landlords card recorder V2.36

"Software name": lianzhong landlords card recorder V2.36
"Software size": 642 KB
': Http://www.skycn.com/soft/1436.html
"Software introduction": This product can be used in a landlord game with one or two cards. It can automatically record the cards that have been issued, the remaining cards, and the remaining number of cards, after the user registers, the user can view the base card (when the second sub-card is used) without the landlord. The software interface is beautiful and easy to use.
"Protection Method": Registration Code Protection
"Statement of cracking": I am only interested in Crack. If you make any mistakes, please enlighten me!
"Cracking tool": flyODBG. V1.10 Gbit/s, Chinese Version 2, PeID 0.93, ASPackDie v1.41.HH
"Cracking Process 』:

I. Shell check, shelling + anti-debugging Removal

PeID 0.93, shell check, ASPack 2.12-> Alexey Solodovnikov, old shell, tool handoffs are very convenient, I am a lazy, with ASPackDie v1.41.HH done, by default saved as Unpacked. eXe, OD loading, F9 running, dizzy, flyODBG is automatically disabled, there is Anti-Bebug, get it done, re-run OD, command line breakpoint bp TerminateProcess, F9 run, the OD is interrupted:
7C801E16 k> 8BFF mov edi, edi; Unpacked.0045A7E0
7C801E18 55 push ebp
7C801E19 8BEC mov ebp, esp
7C801E1B 837D 08 00 cmp dword ptr ss: [ebp + 8], 0
7C801E1F 75 09 jnz short kernel32.7C801E2A

Stack prompt:

0012FDE4 0045ABA0/CALL to TerminateProcess from Unpacked.0045AB9B // Source
0012FDE8 000000A4 | hProcess = 000000A4 (window)
0012 FDEC 00000000 ExitCode = 0

Ctrl + G: 0045AB9B

0045AB7D. BA D8AB4500 mov edx, Unpacked.0045ABD8; ASCII "EXPLORER. EXE"
0045AB82. E8 219 CFAFF call Unpacked.004047A8
0045AB87. 74 1D je short Unpacked.0045ABA6; change to JMP to release Anti-Debug
0045AB89. 56 push esi;/ProcessId
0045AB8A. 6A 00 push 0; | Inheritable = FALSE
0045AB8C. 68 FF0F1F00 push 1F0FFF; | Access = PROCESS_ALL_ACCESS
0045AB91. E8 86 BEFAFF call <jmp. & kernel32.OpenProcess>; OpenProcess
0045AB96. 8BD8 mov ebx, eax
0045AB98. 6A 00 push 0;/ExitCode = 0
0045AB9A. 53 push ebx; | hProcess
0045AB9B. E8 CCBEFAFF call <jmp. & kernel32.TerminateProcess>; TerminateProcess here
0045ABA0. 53 push ebx;/hObject
0045ABA1. E8 16 BDFAFF call <jmp. & kernel32.CloseHandle>; CloseHandle

The original method is to find the parent path. modify it to jmpor change the flyodbg.exe file name to EXPLORER. EXE to remove Anti-Debug;

Ii. Registration Verification Algorithm Analysis

After shelling, it is detected that it is Borland Delphi 6.0-7.0. It is easy to run. Dede finds the Registration button and the event address 0045A570 is disconnected. Run F9, enter the trial code 1234567890, and click "register". The OD is interrupted:
0045A570 <>/. 55 push ebp; <-TForm2 @ BRegClick
0045A571 |. 8BEC mov ebp, esp
0045A573 |. 6A 00 push 0
0045A575 |. 53 push ebx
0045A576 |. 8BD8 mov ebx, eax
0045A578 |. 33C0 xor eax, eax
0045A57A |. 55 push ebp
0045A57B |. 68 06A64500 push <Unpacked.-> System. @ HandleFinally;>
0045A580 |. 64: FF30 push dword ptr fs: [eax]
0045A583 |. 64: 8920 mov dword ptr fs: [eax], esp
0045A586 <> |. 8B83 04030000 mov eax, dword ptr ds: [ebx + 304]; * RCode: N..
0045A58C |. 8B10 mov edx, dword ptr ds: [eax]
0045A58E |. FF52 50