Text/figure zjjtr
TrayIcon Pro is a system tray management tool that lets you launch your favourite programs and folders quickly and conveniently from the system tray. It is shareware and must be registered to unlock all of its functions. Below we analyse the registration algorithm of TrayIcon Pro V2.1.251.
Checking it with PEiD shows that the program is not packed and was written in Microsoft Visual C++ 5.0. Registering with arbitrary values produces an error message, as shown in figure 1.
Load it in OD and search for the ASCII text of the error message: nothing useful turns up, so we have to debug it dynamically. Run with F9 and enter the username zjtr and the registration code 12345678. Because the program is written in VC, my first breakpoint on MessageBoxA did not break; I then tried the universal breakpoint, and the program broke at 77D3352D. Our registration code also shows up in the registers, which looks promising. Remove the breakpoint with F2 and return to the program's own code with Alt+F9.
00421B42 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10] ; we return here
00421B45 |. 6A FF PUSH -1
00421B47 |. E8 13D5FFFF CALL trayicon.0041F05F
00421B4C |. EB 0B JMP SHORT trayicon.00421B59
This is where the call returns to; ignore it and keep pressing F8. After three RETs we are back at the original call site, at 408DEB. Scrolling upward from there until the first RET, the code just below that RET should be the start of the routine. Set a breakpoint with F2 at 408DBA and reload the program. After clicking "Register", the program breaks at 408DBA, and from there we single-step with F8.
00408DBA . B8 B07C4200 MOV EAX,trayicon.00427CB0
00408DBF . E8 4C2C0000 CALL trayicon.0040BA10
00408DC4 . 83EC 60 SUB ESP,60
00408DC7 . 56 PUSH ESI
00408DC8 . 8BF1 MOV ESI,ECX
00408DCA . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
00408DCD . E8 595D0100 CALL trayicon.0041EB2B
00408DD2 . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00408DD6 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00408DD9 . E8 4D5D0100 CALL trayicon.0041EB2B
00408DDE . 6A 01 PUSH 1
00408DE0 . 8BCE MOV ECX,ESI
00408DE2 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00408DE6 . E8 F84C0100 CALL trayicon.0041DAE3
; get the username and push it onto the stack
00408DEB . FF76 5C PUSH DWORD PTR DS:[ESI+5C]
; this is where we returned to; look upward from here
00408DEE . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00408DF1 . 50 PUSH EAX
00408DF2 . E8 49310000 CALL trayicon.0040BF40
00408DF7 . 59 POP ECX
00408DF8 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00408DFB . 59 POP ECX
00408DFC . FF76 60 PUSH DWORD PTR DS:[ESI+60]
; registration code pushed onto the stack
00408DFF . 50 PUSH EAX
00408E00 . E8 3B310000 CALL trayicon.0040BF40
00408E05 . 59 POP ECX
00408E06 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00408E09 . 59 POP ECX
00408E0A . 50 PUSH EAX
00408E0B . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00408E0E . 50 PUSH EAX
00408E0F . E8 D88DFFFF CALL trayicon.00401BEC
; key call, follow it with F7
00408E14 . 59 POP ECX
00408E15 . 85C0 TEST EAX,EAX
00408E17 . 59 POP ECX
00408E18 . 74 5D JE SHORT trayicon.00408E77
; EAX is the flag: 0 means registration failed. It could be patched here, but then the program would have to be registered every time it starts
00408E1A . 57 PUSH EDI
00408E1B . 53 PUSH EBX
00408E1C . E8 DACB0100 CALL trayicon.004259FB
00408E21 . FF76 5C PUSH DWORD PTR DS:[ESI+5C] ; /Arg3
00408E24 . 8B58 04 MOV EBX,DWORD PTR DS:[EAX+4] ; |
00408E27 . BF 1C414300 MOV EDI,trayicon.0043411C ; | Options
00408E2C . 8BCB MOV ECX,EBX ; |
00408E2E . 68 24414300 PUSH trayicon.00434124 ; | username
00408E33 . 57 PUSH EDI ; | Arg1 => 0043411C ASCII "Options"
00408E34 . E8 EE8B0100 CALL trayicon.00421A27 ; \trayicon.00421A27
00408E39 . FF76 60 PUSH DWORD PTR DS:[ESI+60] ; /Arg3
00408E3C . 8BCB MOV ECX,EBX ; |
00408E3E . 68 24444300 PUSH trayicon.00434424 ; | code
00408E43 . 57 PUSH EDI ; | Arg1
00408E44 . E8 DE8B0100 CALL trayicon.00421A27 ; \trayicon.00421A27
00408E49 . 8325 688D4300> AND DWORD PTR DS:[438D68],0
00408E50 . 68 C4494300 PUSH trayicon.004349C4 ; rtmsgtitle
00408E55 . 6A 40 PUSH 40
00408E57 . 68 BC494300 PUSH trayicon.004349BC ; rtmsg1
00408E5C . 68 788C4300 PUSH trayicon.00438C78
00408E61 . C705 D08D4300> MOV DWORD PTR DS:[438DD0],1
00408E6B . E8 2A090000 CALL trayicon.0040979A
00408E70 . 83C4 10 ADD ESP,10
00408E73 . 5B POP EBX
00408E74 . 5F POP EDI
00408E75 . EB 19 JMP SHORT trayicon.00408E90
00408E77 > 68 C4494300 PUSH trayicon.004349C4 ; rtmsgtitle
00408E7C . 6A 10 PUSH 10
00408E7E . 68 B4494300 PUSH trayicon.004349B4 ; rtmsg2
00408E83 . 68 788C4300 PUSH trayicon.00438C78
00408E88 . E8 0D090000 CALL trayicon.0040979A
00408E8D . 83C4 10 ADD ESP,10
00408E90 > 8BCE MOV ECX,ESI
00408E92 . E8 A9230100 CALL trayicon.0041B240 ; error location
00408E97 . 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
00408E9B . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00408E9E . E8 D35D0100 CALL trayicon.0041EC76
00408EA3 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00408EA7 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
00408EAA . E8 C75D0100 CALL trayicon.0041EC76
00408EAF . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00408EB2 . 5E POP ESI
00408EB3 . 64:890D 00000> MOV DWORD PTR FS:[0],ECX
00408EBA . C9 LEAVE
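Every CALL, JMP and Jcc target printed in these listings can be recomputed from its bytes, because x86 relative branches store a signed displacement measured from the end of the instruction. The helper below is an added example, not part of the original write-up: it decodes the rel8/rel32 forms and checks them against the addresses the listing shows, which is also how a garbled target (such as the CALL at 00408E1C) can be recovered.

```python
# Added example: decode the relative CALL/JMP/Jcc targets of an OllyDbg listing
# from the instruction address and the hex byte column, and compare them with
# the targets printed in the listing. Sample rows are copied from the listing above.

def branch_target(address: int, hexbytes: str) -> int:
    """Return the absolute target of the relative branch at `address`.

    `hexbytes` is the byte column, e.g. "E8 DACB0100". The displacement is
    little-endian, signed, and relative to the end of the instruction.
    """
    code = bytes.fromhex(hexbytes.replace(" ", ""))
    opcode = code[0]
    if opcode in (0xE8, 0xE9):                        # CALL rel32 / JMP rel32
        disp_bytes, length = code[1:5], 5
    elif opcode == 0xEB or 0x70 <= opcode <= 0x7F:    # JMP SHORT / Jcc rel8
        disp_bytes, length = code[1:2], 2
    elif opcode == 0x0F and 0x80 <= code[1] <= 0x8F:  # Jcc rel32 (two-byte opcode)
        disp_bytes, length = code[2:6], 6
    else:
        raise ValueError(f"not a relative branch: {hexbytes}")
    if len(code) < length:                            # ">" truncated byte columns
        raise ValueError(f"truncated bytes: {hexbytes}")
    disp = int.from_bytes(disp_bytes, "little", signed=True)
    return (address + length + disp) & 0xFFFFFFFF

def check_listing(rows):
    """For (address, bytes, printed_target) rows, return (address, computed, matches)."""
    results = []
    for addr, hexbytes, shown in rows:
        computed = branch_target(addr, hexbytes)
        results.append((addr, computed, computed == shown))
    return results

# Rows copied from the listings above (address, bytes, target as printed).
LISTING = [
    (0x00421B47, "E8 13D5FFFF", 0x0041F05F),    # CALL with a negative displacement
    (0x00421B4C, "EB 0B", 0x00421B59),          # JMP SHORT
    (0x00408E0F, "E8 D88DFFFF", 0x00401BEC),    # the key CALL into the check routine
    (0x00408E18, "74 5D", 0x00408E77),          # JE SHORT to the failure branch
    (0x00401C10, "0F84 EF000000", 0x00401D05),  # JE near, empty-username check
]

if __name__ == "__main__":
    for addr, target, ok in check_listing(LISTING):
        print(f"{addr:08X} -> {target:08X} {'ok' if ok else 'MISMATCH'}")
    # The printed target of the CALL at 00408E1C is garbled; its bytes give 004259FB.
    print(f"00408E1C -> {branch_target(0x00408E1C, 'E8 DACB0100'):08X}")
```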
So the program uses a flag for its registration state, which is why it cannot simply be patched; we have to keep analysing the algorithm. The call at 00408E0F is the key point, and EAX is the flag: if it is 0, registration fails. So we press F7 and step into the call at 00408E0F.
00401BEC /$ 55 PUSH EBP
00401BED |. 8BEC MOV EBP,ESP
00401BEF |. 81EC 14010000 SUB ESP,114
00401BF5 |. 53 PUSH EBX
00401BF6 |. 56 PUSH ESI
00401BF7 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; username pointer into ESI
00401BFA |. 57 PUSH EDI
00401BFB |. BF 508B4300 MOV EDI,trayicon.00438B50
00401C00 |. 33DB XOR EBX,EBX
00401C02 |. 57 PUSH EDI
00401C03 |. 56 PUSH ESI
00401C04 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00401C07 |. E8 742E0100 CALL trayicon.00414A80
00401C0C |. 59 POP ECX
00401C0D |. 85C0 TEST EAX,EAX ; is the username empty?
00401C0F |. 59 POP ECX
00401C10 |. 0F84 EF000000 JE trayicon.00401D05
00401C16 |. 57 PUSH EDI
00401C17 |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
00401C1A |. E8 612E0100 CALL trayicon.00414A80
00401C1F |. 59 POP ECX
00401C20 |. 85C0 TEST EAX,EAX ; is the registration code empty?
00401C22 |. 59 POP ECX
00401C23 |. 0F84 DC000000 JE trayicon.00401D05
00401C29 |. 56 PUSH ESI
00401C2A |. E8 91A00000 CALL trayicon.0040BCC0 ; convert the lowercase letters of the username to uppercase
00401C2F |. 59 POP ECX
00401C30 |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
00401C33 |. 56 PUSH ESI
00401C34 |. 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
00401C37 |.