zen-rfkg.asm

破解很多程序的序列号算法程序

	 mov	 [esp+290h+var_280], ebx
	 fild	 [esp+290h+var_280]
	 fmul	 [esp+edx*4+290h+var_228]
	 call	 ftol
	 mov	 edx, [esp+290h+arg_0]
	 add	 eax, ebx
	 add	 ebp, eax
	 inc	 esi
	 cmp	 esi, edi
	 jl	 short loc_4442BD
loc_4442EC:
	 xor	 ebx, ebx
	 test	 edi, edi
	 mov	 [esp+290h+var_280], ebx
	 jle	 loc_44437B
	 mov	 edi, 1
	 mov	 esi, edx
	 sub	 edi, edx
loc_444303:
	 mov	 edx, [esp+290h+var_280]
	 and	 edx, 80000001h
	 jns	 short loc_444314
	 dec	 edx
	 or	 edx, 0FFFFFFFEh
	 inc	 edx
loc_444314:
	 jnz	 short loc_44433D
	 movsx	 eax, byte ptr [esi]
	 mov	 [esp+290h+var_27C], eax
	 lea	 eax, [edi+esi]
	 cdq
	 fild	 [esp+290h+var_27C]
	 mov	 ecx, 0Ah
	 idiv	 ecx
	 fmul	 [esp+edx*4+290h+var_228]
	 call	 ftol
	 add	 eax, [esp+290h+var_27C]
	 add	 ebx, eax
	 jmp	 short loc_444362
loc_44433D:
	 movsx	 edx, byte ptr [esi]
	 lea	 eax, [edi+esi]
	 mov	 [esp+290h+var_27C], edx
	 cdq
	 fild	 [esp+290h+var_27C]
	 mov	 ecx, 0Ah
	 idiv	 ecx
	 fmul	 [esp+edx*4+290h+var_228]
	 call	 ftol
	 add	 eax, [esp+290h+var_27C]
	 sub	 ebx, eax
loc_444362:
	 mov	 eax, [esp+290h+var_280]
	 mov	 ecx, [esp+290h+var_274]
	 inc	 eax
	 inc	 esi
	 cmp	 eax, ecx
	 mov	 [esp+290h+var_280], eax
	 jl	 short loc_444303
	 mov	 edx, [esp+290h+arg_0]
loc_44437B:
	 mov	 edi, [esp+290h+arg_4]
	 or	 ecx, 0FFFFFFFFh
	 xor	 eax, eax
	 xor	 esi, esi
	 repne scasb
	 not	 ecx
	 dec	 ecx
	 xor	 edi, edi
	 cmp	 ecx, edi
	 mov	 [esp+290h+var_274], ecx
	 jle	 short loc_4443E3
	 sub	 edx, [esp+290h+arg_4]
	 mov	 [esp+290h+var_280], edx
loc_4443A3:
	 mov	 edx, [esp+290h+arg_4]
	 mov	 eax, esi
	 mov	 ecx, 0Ah
	 lea	 edi, [esi+edx]
	 cdq
	 idiv	 ecx
	 mov	 eax, [esp+290h+var_280]
	 movsx	 ecx, byte ptr [eax+edi]
	 mov	 [esp+290h+var_27C], ecx
	 fild	 [esp+290h+var_27C]
	 fmul	 [esp+edx*4+290h+var_228]
	 call	 ftol
	 movsx	 edx, byte ptr [edi]
	 add	 edx, ebp
	 inc	 esi
	 lea	 ebp, [edx+eax]
	 mov	 eax, [esp+290h+var_274]
	 cmp	 esi, eax
	 jl	 short loc_4443A3
	 xor	 edi, edi
loc_4443E3:
	 cmp	 ebx, edi
	 jge	 short loc_4443E9
	 neg	 ebx
loc_4443E9:
	 xor	 ebx, ebp
	 imul	 ebx, ebp
	 mov	 esi, ebx
	 cmp	 esi, edi
	 jz	 end_keygen
	 mov	 dword ptr [esp+290h+var_260], esi
	 mov	 dword ptr [esp+290h+var_260+4], edi
	 fild	 [esp+290h+var_260]
	 fcomp	 ds:dbl_1e9
	 fnstsw	 ax
	 test	 ah, 41h
	 jnz	 short loc_44443C
loc_444411:
	 mov	 eax, 0CCCCCCCDh
	 mov	 dword ptr [esp+290h+var_270+4], 0
	 mul	 esi
	 shr	 edx, 3
	 mov	 esi, edx
	 mov	 dword ptr [esp+290h+var_270], esi
	 fild	 [esp+290h+var_270]
	 fcomp	 ds:dbl_1e9
	 fnstsw	 ax
	 test	 ah, 41h
	 jz	 short loc_444411
	 xor	 edi, edi
loc_44443C:
	 mov	 dword ptr [esp+290h+var_268], esi
	 mov	 dword ptr [esp+290h+var_268+4], edi
	 fild	 [esp+290h+var_268]
	 fcomp	 ds:dbl_1e8
	 fnstsw	 ax
	 test	 ah, 1
	 jz	 short loc_444473
loc_444455:
	 lea	 esi, [esi+esi*4]
	 mov	 dword ptr [esp+290h+var_258+4], edi
	 shl	 esi, 1
	 mov	 dword ptr [esp+290h+var_258], esi
	 fild	 [esp+290h+var_258]
	 fcomp	 ds:dbl_1e8
	 fnstsw	 ax
	 test	 ah, 1
	 jnz	 short loc_444455
loc_444473:
	 push	 esi
	 lea	 eax, [esp+294h+var_200]
         push    offset uppercase_hex_format            ; "%X"
         push    eax
         call    _wsprintfA                             ; _sprintf
	 lea	 edi, [esp+29Ch+var_200]
	 or	 ecx, 0FFFFFFFFh
	 xor	 eax, eax
	 add	 esp, 0Ch
	 repne scasb
	 not	 ecx
	 dec	 ecx
	 xor	 edx, edx
	 test	 ecx, ecx
	 jle	 short loc_4444AF
loc_4444A0:
	 movsx	 edi, [esp+edx+290h+var_200]
	 add	 eax, edi
	 inc	 edx
	 cmp	 edx, ecx
	 jl	 short loc_4444A0
loc_4444AF:
	 xor	 eax, ebp
	 push	 esi
	 imul	 eax, ebp
	 push	 eax
	 lea	 ecx, [esp+298h+var_100]
         push    offset decimal_hex_format              ; "%d-%X"
         push    ecx
         call    _wsprintfA                             ; _sprintf

	 lea	 eax, [esp+2A0h+var_100]		; contains correct serial

         push    edi                                    ; we need to copy the right key to a
         push    esi                                    ;  convenient location
         push    ecx
         mov     esi, eax                               ; source
         mov     edi, offset Serial                     ; destination
         mov     ecx, 30                                ; length of serial, 30 should be enough...
         rep     movsb                                  ; and copy the string
         pop     ecx
         pop     esi
         pop     edi

	 add	 esp, 10h				; fixup stack pointer
                                                                                                         
	 mov	 eax, [esp+290h+var_278]        	; we wanna generate SITE license                         
	 inc	 eax                                                                                     
	 cmp	 eax, 5                         	; 5 = SITE, 4 = PLATINUM, 3 = GOLD, 2 = STANDARD, 1 = EDU
	 mov	 [esp+290h+var_278], eax
	 jle	 loc_444282

end_keygen:
	 pop	 edi
	 pop	 esi
	 pop	 ebp
	 pop	 ebx
	 add	 esp, 280h
	 retn

KeyGen	 endp


; ############### SUBROUTINE #######################################
ftol             proc near

  var_C          =      qword   ptr -0Ch
  var_4          =      word    ptr -4
  var_2          =      word    ptr -2

         push    ebp
         mov     ebp, esp
         add     esp, 0FFFFFFF4h
         fstcw   [ebp+var_2]
         wait
         mov     ax, [ebp+var_2]
         or      ah, 0Ch
         mov     [ebp+var_4], ax
         fldcw   [ebp+var_4]
         fistp   [ebp+var_C]
         fldcw   [ebp+var_2]
         mov     eax, dword ptr [ebp+var_C]
         mov     edx, dword ptr [ebp+var_C+4]
         leave
         retn

ftol             endp



code_end:

end          code_begin