[Cracked by] invisible [BCG]
[Tools] PEiD, OllyDbg (OD)
[Cracking platform] Windows XP SP2
[Software name] Tray Commander v2.3
[Software website] http://www.ardamax.com
[Software Overview]
Tray Commander is a tray launcher that lets you gain quick access to your most frequently used applications
and system commands via a customizable menu. Not only can you open applications and files, but also
launch screen savers, shut down or reboot your computer, and much more, all from the system tray!
[Software size] 912kb
[Packer] ACProtect V1.3X - 1.4X DLL -> Risco *
[Statement] I am a newbie. I have had a few chance experiences and would like to share them with you :)
--------------------------------------------------------------------------------
[Cracking content]
1. PEiD identifies the packer as "ACProtect V1.3X - 1.4X DLL -> Risco *". We debug the packed program directly instead of unpacking it first.
2. Load it in OllyDbg. Use the IsDebuggerPresent plug-in to hide the debugger flag, then run with F9.
Set a breakpoint on GetWindowTextA so that every call to it breaks, then enter the following data in the registration dialog:
Registration Name: abcde
Registration Key: 123456789
The program breaks at 431749; remove the breakpoint. Single-step with F8 until execution returns to the caller.
Look at the register window: the previous call (Call 431725) fetched the Name we entered. It is followed by an identical call,
which presumably fetches the Key. Single-step with F8 to 41b7ad; the register window now shows the Key we typed, which
confirms the guess.
The code that follows checks whether the Name and Key are empty. Run to 41b7fa with F4.
Single-step with F8 to 41b838, where the Name and Key we entered are pushed onto the stack. Step into the call with F7.
3. At 40464 two strings are on the stack: one is the Key we typed, the other looks like the real
registration code. This confirms the guess.
4. Set a breakpoint at the earlier call at 404b52 and submit the registration again. It breaks at 404b52; step into the call with F7.
The disassembly of this call is pasted below:
00403190 /$ push ecx; TC.00489190
00403191 |. push ebx
00403192 |. push esi
00403193 |. push edi
00403194 |. mov edi, dword ptr ds: [<& KERNEL32.lstrlenA>]; kernel32.lstrlenA
0040319A |. push TC.0046AF88;/String = "5391026E7F829842"
0040319F |. call edi; lstrlenA
004031A1 |. mov esi, eax; eax = 0x10
004031A3 |. mov eax, dword ptr ss: [esp + 14]
004031A7 |. push eax;/String
004031A8 |. mov dword ptr ss: [esp + 10], esi; |
004031AC |. call edi; lstrlenA
004031AE |. mov ebx, eax
004031B0 |. test ebx, ebx
004031B2 |. jnz short TC.004031C1
004031B4 |. mov ecx, dword ptr ss: [esp + 18]
004031B8 |. pop edi
004031B9 |. pop esi
004031BA |. mov byte ptr ds: [ecx], al
004031BC |. pop ebx
004031BD |. pop ecx
004031BE |. retn 8
004031C1 |> mov edi, dword ptr ss: [esp + 18]
004031C5 |. push TC.0046AF88;/String2 = "5391026E7F829842"
004031CA |. push edi; | String1
004031CB |. call dword ptr ds: [<& KERNEL32.lstrcpyA>]; lstrcpyA
004031D1 |. cmp ebx, esi
004031D3 |. jle short TC.004031DD
004031D5 |. mov eax, ebx
004031D7 |. mov dword ptr ss: [esp + 18], eax
004031DB |. jmp short TC.004031E3
004031DD |> mov eax, esi
004031DF |. mov dword ptr ss: [esp + 18], esi
004031E3 |> xor ecx, ecx; ecx = index
004031E5 |. test eax, eax
004031E7 |. jle short TC.00403226
004031E9 |. push ebp
004031EA |. jmp short TC.004031F4
004031EC | lea esp, dword ptr ss: [esp]
004031F0 |> mov esi, dword ptr ss: [esp + 10]; esi <= len of STR
004031F4 |> mov eax, ecx
004031F6 |. cdq
004031F7 |. idiv esi; 0x10; len of STR
004031F9 |. mov eax, ecx; store index; edx!
004031FB |. mov ebp, 19
00403200 |. add ecx, 1; index ++
00403203 |. mov esi, edx; esi <= edx!
00403205 |. cdq
00403206 |. idiv ebx
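As an added illustration, not code from the write-up or from the program's author, the following C reconstructs the part of the routine at 00403190 that the listing actually shows: the two stdcall arguments implied by retn 8, the lstrlenA results in esi and ebx, the empty-key early exit, the lstrcpyA of the 16-character constant into the output buffer, the loop bound max(len(key), 16) and the two index reductions (index % 16 and index % len(key)). The argument names key and out, the function names, and the wrapper buffer are assumptions; the listing is cut off after idiv ebx, so the loop body does nothing beyond computing those two positions, and the load of 0x19 into ebp is only noted. One point worth taking from the visible code alone: the loop bound can exceed the 17 bytes that lstrcpyA wrote, so whatever the cut-off body writes to the buffer must be sized by the caller for the longer of the two strings.

```c
#include <stdio.h>
#include <string.h>

/* Constant pushed at 0040319A and 004031C5 in the listing; lstrlenA returns 0x10. */
static const char STR[] = "5391026E7F829842";

/* 004031F4..004031F7: eax = index; cdq; idiv esi (esi = 16) -> edx = index % 16 */
int pos_in_str(int index)
{
    return index % (int)strlen(STR);
}

/* 00403205..00403206: eax = index; cdq; idiv ebx (ebx = key length) -> edx = index % key_len */
int pos_in_key(int index, int key_len)
{
    return index % key_len;
}

/*
 * sub_00403190, reconstructed only as far as the listing shows (assumed names).
 * retn 8 -> two stack arguments cleaned by the callee:
 *   first  arg ([esp+14] at 004031A3, [esp+4] at entry): the Key typed by the user
 *   second arg ([esp+18] at 004031B4, [esp+8] at entry): output buffer
 * Returns the loop bound (number of iterations), or -1 on the empty-key early exit.
 */
int keycheck_prefix(const char *key, char *out)
{
    int str_len = (int)strlen(STR);   /* esi after 004031A1 */
    int key_len = (int)strlen(key);   /* ebx after 004031AE */

    /* 004031B0..004031BE: empty key -> store al (which is 0 here) to out[0] and return */
    if (key_len == 0) {
        out[0] = '\0';
        return -1;
    }

    /* 004031C1..004031CB: lstrcpyA(out, STR); the buffer starts as the constant */
    strcpy(out, STR);

    /* 004031D1..004031DF: bound = key_len > str_len ? key_len : str_len */
    int bound = key_len > str_len ? key_len : str_len;

    /* 004031E3..00403206: loop skeleton. On the first pass esi still holds 16
     * (the jmp at 004031EA skips the reload at 004031F0); later passes reload it
     * from the stack slot because 00403203 overwrote esi with edx. ebp is loaded
     * with 0x19 at 004031FB, but what the routine does with ebp, edx and out[]
     * after 'idiv ebx' is not on the page, so the body stops here. */
    for (int index = 0; index < bound; index++) {
        int in_str = pos_in_str(index);          /* edx at 004031F9, then esi */
        int in_key = pos_in_key(index, key_len); /* edx after 00403206 */
        (void)in_str;
        (void)in_key;
    }
    return bound;
}

/* Wrapper with a static buffer (assumed, for inspection); sized for keys up to 63 chars. */
static char g_out[64];
int run_check(const char *key)
{
    return keycheck_prefix(key, g_out);
}

int main(void)
{
    const char *key = "123456789";   /* the trial Key from the write-up */
    int bound = run_check(key);
    printf("key=\"%s\"  bound=%d  out=\"%s\"\n", key, bound, g_out);
    for (int i = 0; i < bound; i++)
        printf("  i=%2d  i%%16=%2d  i%%len(key)=%d\n",
               i, pos_in_str(i), pos_in_key(i, (int)strlen(key)));
    return 0;
}
```

Running it with the trial key shows the buffer still holding the constant after the copy and sixteen iterations whose index pairs wrap around the nine-character key, which is the state the debugger shows at the point where the listing ends.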