My girlfriend wants to study Chinese language and literature, so she asked me to help her find a Chinese dictionary program. After a long search I found Xinhua Dictionary V2007 build 05.15, which meets her requirements. However, after downloading and installing it I found that it has to be registered, otherwise some functions are restricted. The registration fee is 30 yuan, which is not much, but I simply don't want to pay for it (I am an "iron rooster" who won't part with a single feather, haha), so here is what follows.
Let's get started. In the installation directory, xhzd.exe is the main program. Checking it with PEiD gives ASPack 2.12 -> Alexey Solodovnikov, a compression packer that is easy to remove with the ESP trick or with a tool. Here I use an unpacking tool that works well on common compression packers; I am sharing it with you as well, as shown in Figure 1. The unpacked file is automatically named new_xhzd.exe. Checking it again with PEiD shows the programming language is Borland Delphi 6.0-7.0.
Figure 1
I usually like to use the universal breakpoint plugin in OD (OllyDbg), so I load the program directly in OD with the plugin active. Enter 327 in the verification code box (the verification code can only be a number) and 123567 in the registration code box. After you click "Register" the breakpoint hits; return from system code back to the program's own code and you land at 00544536. The code is as follows.
00544536. 8B85 A8FEFFFF mov eax, dword ptr ss: [EBP-158]
0054453C. 50 PUSH EAX
0054453D. 8D95 A0FEFFFF lea edx, dword ptr ss: [EBP-160]
00544543. 8B45 fc mov eax, dword ptr ss: [EBP-4]
00544546. 8B80 74040000 mov eax, dword ptr ds: [EAX + 474]
0054454C. E8 CB30F0FF CALL New_xhzd.0044761C
; Obtain the verification code
00544551. 8B85 A0FEFFFF mov eax, dword ptr ss: [EBP-160]
00544557. E8 6052ECFF call New_xhzd.004097BC
; Convert the verification code string to an integer (OD shows it in hex)
0054455C. 05 83030000 add eax, 383; verification plus 383
00544561. 8D95 A4FEFFFF lea edx, dword ptr ss: [EBP-15C]
00544567. E8 9CFEFFFF call New_xhzd.00544408
; Key CALL, step into it with F7
0054456C. 8B95 A4FEFFFF mov edx, dword ptr ss: [EBP-15C]
00544572. 58 POP EAX
00544573. E8 740AECFF call New_xhzd.00404FEC
; The entered (fake) registration code is compared with the value computed in CALL 00544408
00544578. 0F85 48010000 JNZ New_xhzd.005446C6
; Jump to failure if not equal
As you can see from the comments above, the program's algorithm flow is very clear. Call the verification code user. Before entering CALL 00544408, user = user + 383 (hex). Now press F7 to step into 00544408 and look at the code.
00544425 |. 81F3 F1250B00 xor ebx, 0B25F1
; User = user xor 0B25F1
0054442B |. 8BC3 mov eax, EBX
0054442D |. 33D2 xor edx, EDX
0054442F |. 52 PUSH EDX
00544430 |. 50 PUSH EAX
00544431 |. 8D45 fc lea eax, dword ptr ss: [EBP-4]
00544434 |. E8 4F53ECFF CALL New_xhzd.00409788
; Convert user to a decimal string
00544439 |. 8B45 fc mov eax, dword ptr ss: [EBP-4]
0054443C |. 0FB600 movzx eax, byte ptr ds: [EAX]
0054443F |. 8B55 fc mov edx, dword ptr ss: [EBP-4]
00544442 |. 0FB652 01 movzx edx, byte ptr ds: [EDX + 1]
00544446 |. 03C2 add eax, EDX
; Add the first user and the second user digit = k1
00544448 |. B9 05000000 mov ecx, 5
0054444D |. 99 CDQ
0054444E |. F7F9 IDIV ECX
00544450 |. 80C2 34 add dl, 34
; (K1 mod 5) + 34 = sn1
00544453 |. 8855 F8 mov byte ptr ss: [EBP-8], DL
00544456 |. 8B45 fc mov eax, dword ptr ss: [EBP-4]
00544459 |. 0FB640 02 movzx eax, byte ptr ds: [EAX + 2]
0054445D |. 8B55 fc mov edx, dword ptr ss: [EBP-4]
00544460 |. 0FB652 03 movzx edx, byte ptr ds: [EDX + 3]
00544464 |. 03C2 add eax, EDX
; Add the third and fourth digits of user ([EAX+2] and [EDX+3]) = k2
00544466 |. B9 05000000 mov ecx, 5
0054446B |. 99 CDQ
0054446C |. F7F9 IDIV ECX
0054446E |. 8BDA mov ebx, EDX
00544470 |. 80C3 33 add bl, 33
; (K2 mod 5) + 33 = sn2
00544473 |. 885D F9 mov byte ptr ss: [EBP-7], BL
00544476 |. 8D45 F4 lea eax, dword ptr ss: [EBP-C]
00544479 |. 8A55 F8 mov dl, byte ptr ss: [EBP-8]
0054447C |. E8 4F09ECFF CALL New_xhzd.00404DD0
00544481 |. 8B45 F4 mov eax, dword ptr ss: [EBP-C]
00544484 |. 8D55 fc lea edx, dword ptr ss: [EBP-4]
00544487 |. B9 1B000000 mov ecx, 1B
0054448C |. E8 F70CECFF CALL New_xhzd.00405188
00544491 |. 8D45 F0 lea eax, dword ptr ss: [EBP-10]
00544494 |. 8BD3 mov edx, EBX
00544496 |. E8 3509ECFF call New_xhzd.00404DD0
0054449B |. 8B45 F0 mov eax, dword ptr ss: [EBP-10]
0054449E |. 8D55 fc lea edx, dword ptr ss: [EBP-4]
005444A1 |. B9 19000000 mov ecx, 19
005444A6 |. E8 DD0CECFF CALL New_xhzd.00405188
; Concatenate user, sn1, sn2: the result is the registration code
005444AB |. 8BC6 mov eax, ESI
005444AD |. 8B55 fc mov edx, dword ptr ss: [EBP-4]
005444B0 |. E8 8F07ECFF CALL New_xhzd.00404C44
From my comments above everyone can see that this algorithm is very simple, so I will give the keygen directly. It is written in VB; the code is as follows.
Private Sub Command1_Click()
    Dim User1 As Long, I As Long, K As String, K1 As String
    ' Verification code typed by the user (numeric only)
    User1 = CLng(Text1.Text)
    ' user = (user + 383h) xor 0B25F1h, then used as a decimal string
    I = (User1 + &H383) Xor &HB25F1
    ' sn1 = ((digit1 + digit2) mod 5) + 34h, digits taken as ASCII bytes
    K = Chr((Asc(Mid(I, 1, 1)) + Asc(Mid(I, 2, 1))) Mod 5 + &H34)
    ' sn2 = ((digit3 + digit4) mod 5) + 33h
    K1 = Chr((Asc(Mid(I, 3, 1)) + Asc(Mid(I, 4, 1))) Mod 5 + &H33)
    ' Registration code = user & sn1 & sn2
    Text2.Text = I & K & K1
End Sub
Now that the analysis is complete, compile the keygen and generate a registration code, see Figure 2. The generated registration code registers successfully.
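The check routine reconstructed in Python from the listing above, as an added example that is neither the author's VB keygen nor the program's own code (function names are mine). It makes the weakness explicit: the expected registration code is a pure function of the user-typed verification code with no secret involved, so anyone with the disassembly can compute it.

```python
# Reconstruction of the check at 00544536 / 00544408 (added example; names are mine).
# Constants and steps are taken from the listing: StrToInt, add 383h, xor 0B25F1h,
# IntToStr, digit sums mod 5 plus 34h / 33h, concatenation, string compare.

def expected_code(verification: str) -> str:
    """Return the registration code the program expects for a verification code."""
    if not verification.isdigit():
        raise ValueError("verification code must be numeric (StrToInt at 004097BC)")
    user = (int(verification) + 0x383) ^ 0xB25F1      # add eax,383 ; xor ebx,0B25F1
    digits = str(user)                                # IntToStr at 00544434
    if len(digits) < 4:
        # The listing reads four bytes of the string unconditionally; a shorter
        # string would read past it, so treat that as an undefined input here.
        raise ValueError("decimal form of user is shorter than four digits")
    # Each digit is used as its ASCII byte (movzx ... byte ptr), not its value.
    k1 = ord(digits[0]) + ord(digits[1])
    k2 = ord(digits[2]) + ord(digits[3])
    sn1 = chr(k1 % 5 + 0x34)                          # idiv ecx ; add dl,34
    sn2 = chr(k2 % 5 + 0x33)                          # idiv ecx ; add bl,33
    return digits + sn1 + sn2                         # concatenation via 00405188

def check_registration(verification: str, registration: str) -> bool:
    """What the JNZ at 00544578 decides: exact string match registers, else fail."""
    return registration == expected_code(verification)

if __name__ == "__main__":
    # Constructed sample: the verification code 327 used in the article.
    print(expected_code("327"))
    print(check_registration("327", "123567"))        # the fake code from the article
```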