C Programming: Cracking a Software Installation Wizard

Author: Hokkien
After reading so many issues of Hacker Defense, I have not yet seen a software installation wizard's registration being cracked, so today I will set a precedent. Screen Saver Construction Set 2.0 is a screen-saver program, and it feels quite good. Let's take it apart now.
Understanding the Software
A packer check shows that it was compiled with Borland C++ and is not packed. Run the installation wizard and the registration dialog shown in Figure 1 appears. It seems nothing can be installed without a registration code, so we have to be self-reliant. Load it in OllyDbg (OD) and look for useful strings; unfortunately there are none. No matter: set a breakpoint on the API function GetWindowTextA, and after some filtering you can locate the key code.

Figure 1

Algorithm Analysis
After the breakpoint hits, you can locate the following code and begin the analysis.
00405317 |. 51 push ecx ; the entered registration code
00405318 |. E8 CF590200 call 0042ACEC ; ScreenSa.0042ACEC (returns the string length)
0040531D |. 59 pop ecx
0040531E |. 83F8 11 cmp eax, 11 ; compare the length of the registration code with 17 (0x11), which includes the 3 "-"
00405321 74 07 je short 0040532A

From this we know that the registration code must be 17 characters long. After a good deal of tracing, the final form of the registration code turns out to be "XXXXX-XX-XXXXX-XX". Step over with F8 and you come to the following code.

00405373 |>/33C0/xor eax, eax
00405375 |. | 8A8435 08E3FF> | mov al, byte ptr [ebp + esi-1CF8]; Registration Name
0040537C |. | 50 | push eax;/Arg1
0040537D |. | E8 BEB30200 | call 00430740; converted to lowercase letters
00405382 |. | 59 | pop ecx
00405383 |. | 8BD6 | mov edx, esi
00405385 |. | 83E2 07 | and edx, 7
00405388 |. | 33C9 | xor ecx, ecx
0040538A |. | 8A8A 88504300 | mov cl, byte ptr [edx + 435088]; a table
00405390 |. | 33C1 | xor eax, ecx
00405392 |. | 0185 38 FFFFFF | add dword ptr [ebp-C8], eax
00405398 |. | 46 | inc esi
00405399 |> | 80BC35 08E3FF> cmp byte ptr [ebp + esi-1CF8], 0; Registration Name
004053A1 |. ^ 75 D0 jnz short 00405373
The loop above runs over the Registration Name. The table it reads contains: 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01. Summing up the processing of the Registration Name: each character (after lower-casing) is XORed with the table entry selected by its index (index & 7), and the results are added together. We will call this sum CN. Next, we come here:

004053A3 |. 8B85 38 FFFFFF mov eax, dword ptr [ebp-C8]; Is the above calculation of CN
004053A9 |. B9 64000000 mov ecx, 64
004053AE |. 99 cdq
004053AF |. F7F9 idiv ecx
004053B1 |. 8995 40 FFFFFF mov dword ptr [ebp-C0], edx; remainder
004053B7 |. 83BD 40 FFFFFF> cmp dword ptr [ebp-C0], 0
004053BE 75 06 jnz short 004053C6
004053C0 |. FF85 40 FFFFFF inc dword ptr [ebp-C0]
004053C6 |> 8D85 06E2FFFF lea eax, dword ptr [ebp-1DFA]
004053CC |. 50 push eax; registration code 2nd group
004053CD |. E8 5AB50200 call 0043092C ; routine that processes the 2nd group of the registration code
004053D2 |. 59 pop ecx
004053D3 |. 3B85 40 FFFFFF cmp eax, dword ptr [ebp-C0]
004053D9 74 08 je short 004053E3
Now we know what the Registration Name calculation is for: CN % 0x64 must equal Fun(2nd group of the registration code). So what does this Fun do with the 2nd group? Press F7 to step into 0043092C and we arrive here.

0043092C /$ 55 push ebp
0043092D |. 8BEC mov ebp, esp
0043092F |. 53 push ebx
00430930 |. 56 push esi
00430931 |. 8B55 08 mov edx, dword ptr [ebp+8]
00430934 |. 33C9 xor ecx, ecx
00430936 |> 8A02 /mov al, byte ptr [edx]
00430938 |. 42 |inc edx
00430939 |. 0FBED8 |movsx ebx, al
0043093C |. F683 DD204400> |test byte ptr [ebx+4420DD], 1
00430943 |.^75 F1 \jnz short 00430936
00430945 |. 3C 2B cmp al, 2B
00430947 |. 74 04 je short 0043094D
00430949 |. 3C 2D cmp al, 2D
0043094B |. 75 0F jnz short 0043095C
0043094D |> 3C 2D cmp al, 2D
0043094F |. 0F94C0 sete al
00430952 |. 83E0 01 and eax, 1
00430955 |. 8BF0 mov esi, eax
00430957 |. 8A02 mov al, byte ptr [edx]
00430959 |. 42 inc edx
0043095A |. EB 14 jmp short 00430970
0043095C |> 33F6 xor esi, esi
0043095E |. EB 10 jmp short 00430970 ; below is the key computation
00430960 |> 0FBEC0 /movsx eax, al
00430963 |. 03C9 |add ecx, ecx
00430965 |. 8D0C89 |lea ecx, dword ptr [ecx+ecx*4]
00430968 |. 03C8 |add ecx, eax
0043096A |. 8A02 |mov al, byte ptr [edx]
0043096C |. 83C1 D0 |add ecx, -30
0043096F |. 42 |inc edx
00430970 |> 3C 30 cmp al, 30
00430972 |. 7C 04 |jl short 00430978
00430974 |. 3C 39 |cmp al, 39
00430976 |.^7E E8 \jle short 00430960
00430978 |> 85F6 test esi, esi
0043097A |. 74 06 je short 00430982
0043097C |. 8BC1 mov eax, ecx
0043097E |. F7D8 neg eax
00430980 |. EB 02 jmp short 00430984
00430982 |> 8BC1 mov eax, ecx
00430984 |> 5E pop esi
00430985 |. 5B pop ebx
00430986 |. 5D pop ebp
00430987 |. C3 retn

The code above computes as follows; we explain it with "67". First "6" is converted to the number 6, then 6*10 = 60. Then 60 + ASC("7") = 60 + 47 = 107 = 0x47 is the final result. Press F8 and come here:

004053FC |>/8A8435 00E2FF>/mov al, byte ptr [ebp + esi-1E00]; 1st group registration code
00
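To make the routines analysed above concrete, here is an added C re-implementation, written for this page and not code from the article or from the program's author, of the name loop at 00405373, the mod-100 step at 004053A3, the routine at 0043092C, and the comparison at 004053D3 that ties them together. It assumes that the accumulator at [ebp-C8] starts at zero and that call 00430740 is a plain tolower, neither of which the listings show; reading the routine at 0043092C as the C runtime's atoi (whitespace skip via the ctype table at 4420DD, optional sign, then ecx = ecx*10 + ch - 0x30 per digit) is this editor's inference from the instruction sequence. The sample name and code groups in main are constructed, not values from the article.

```c
#include <ctype.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Table at 00435088 as the article lists it; indexed by (esi & 7). */
static const unsigned char k_table[8] = {
    0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
};

/* Loop 00405373-004053A1: for each byte of the registration name,
 * lower-case it (call 00430740, assumed to be tolower), XOR it with
 * k_table[i & 7] and add the result to the accumulator at [ebp-C8].
 * Assumption: the accumulator starts at zero (not shown in the listing). */
uint32_t reg_name_sum(const char *name)
{
    uint32_t sum = 0;
    for (size_t i = 0; name[i] != '\0'; i++) {
        uint32_t c = (uint32_t)tolower((unsigned char)name[i]);
        sum += c ^ k_table[i & 7];
    }
    return sum;
}

/* 004053A3-004053C0: cdq/idiv by 0x64 leaves the signed remainder CN % 100
 * in edx; a remainder of 0 is bumped to 1. */
int32_t expected_group2(uint32_t cn)
{
    int32_t r = (int32_t)cn % 100;   /* cdq ; idiv ecx (ecx = 0x64) */
    if (r == 0)
        r = 1;                        /* inc dword ptr [ebp-C0]      */
    return r;
}

/* Routine at 0043092C, transcribed instruction by instruction. The loop at
 * 00430936 skips characters whose ctype-table entry has bit 1 set (read
 * here as the whitespace class), 00430945-0043095C handles an optional
 * '+'/'-' into esi, and 00430960-00430976 accumulates decimal digits. */
int32_t rtl_atoi(const char *s)
{
    int32_t acc = 0;                     /* ecx */
    int neg;                             /* esi */

    while (isspace((unsigned char)*s))   /* test byte ptr [ebx+4420DD],1 */
        s++;
    if (*s == '+' || *s == '-') {        /* cmp al,2B / cmp al,2D        */
        neg = (*s == '-');               /* sete al ; and eax,1          */
        s++;
    } else {
        neg = 0;                         /* xor esi,esi                  */
    }
    while (*s >= '0' && *s <= '9') {     /* cmp al,30 / cmp al,39        */
        acc = acc + acc;                 /* add ecx,ecx                  */
        acc = acc + acc * 4;             /* lea ecx,[ecx+ecx*4] -> *10   */
        acc = acc + (unsigned char)*s;   /* add ecx,eax                  */
        acc = acc - 0x30;                /* add ecx,-30                  */
        s++;                             /* inc edx                      */
    }
    return neg ? -acc : acc;             /* test esi,esi ; neg eax       */
}

/* Comparison at 004053D3: the parsed 2nd group must equal CN % 100. */
int group2_matches(const char *name, const char *group2)
{
    return rtl_atoi(group2) == expected_group2(reg_name_sum(name));
}

int main(void)
{
    /* Constructed sample inputs, not values taken from the article. */
    const char *name = "ab";
    printf("CN(\"%s\") = %" PRIu32 ", CN %% 100 -> %" PRId32 "\n", name,
           reg_name_sum(name), expected_group2(reg_name_sum(name)));
    printf("rtl_atoi(\"67\") = %" PRId32 "\n", rtl_atoi("67"));
    printf("2nd group \"59\" for \"%s\": %s\n", name,
           group2_matches(name, "59") ? "match" : "mismatch");
    return 0;
}
```

The point worth taking from the transcription, from a defender's side, is how little the check protects: the 2nd group carries at most 100 distinct values, each derived from the public name by a few XORs and an addition with no secret anywhere, so one debugger session recovers the whole rule. A check that verifies a signature over the name with a key the client never holds, or that asks a server, does not degrade this way.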
