**********.exe註冊碼演算法分析--高手莫笑 (31千字)
=================================
inside Pandora's Box
*******
CrAcKeD BY alphakk/iPB
=================================
這東西寫得比較急,不對之處請指出來,不過序號產生器沒問題,呵呵
軟體簡介:******是一款用來架設代理伺服器的軟體,設定很方便,有詳細的說明文件,軟體本身也很小。
5.0版未註冊時可供3個使用者試用28天。註冊介面上的“序列號”實際上是使用者名稱,本文一律稱之為“使用者名稱”。
主演算法為MD5。
=================================
.text:0040759C
push ebp
.text:0040759D
push esi
.text:0040759E
push edx
; const char *
.text:0040759F
push edx
; int
.text:004075A0
call sub_41CAD0 ; 演算法CALL(第一輪)
.text:004075A5 mov
edi, eax
.text:004075A7
or ecx, 0FFFFFFFFh
.text:004075AA
xor eax, eax
.text:004075AC
lea edx, [esp+181Ch+var_1804]
.text:004075B0 repne
scasb
.text:004075B2
not ecx
.text:004075B4
sub edi, ecx
.text:004075B6
mov eax, ecx
.text:004075B8
mov esi, edi
.text:004075BA mov
edi, edx
.text:004075BC
shr ecx, 2
.text:004075BF
repe movsd
.text:004075C1
mov ecx, eax
.text:004075C3
and ecx, 3
.text:004075C6 repe movsb
.text:004075C8 lea
ecx, [esp+181Ch+var_1404]
.text:004075CF
push ecx
; char *
.text:004075D0
call sub_421840
.text:004075D5
lea edx, [esp+1820h+var_1404]
.text:004075DC
lea eax, [esp+1820h+var_1804]
.text:004075E0 push
edx ; const char *
.text:004075E1
push eax
; int
.text:004075E2
call sub_41CAD0 ; 演算法CALL(第二輪)
.text:004075E7 mov
cl, byte_461350
.text:004075ED
mov edx, eax
.text:004075EF
mov [esp+1828h+var_1004], cl
.text:004075F6 mov
ecx, 400h
.text:004075FB
xor eax, eax
.text:004075FD
lea edi, [esp+1828h+var_1003]
.text:00407604 repe
stosd
.text:00407606
mov edi, edx
.text:00407608
or ecx, 0FFFFFFFFh
.text:0040760B
repne scasb
.text:0040760D
not ecx
.text:0040760F
sub edi, ecx
.text:00407611 lea
ebp, [esp+1828h+var_1004]
.text:00407618
mov edx, ecx
.text:0040761A
mov esi, edi
.text:0040761C mov
edi, ebp
.text:0040761E
push offset aY ; int
.text:00407623
shr ecx, 2
.text:00407626 repe movsd
.text:00407628 mov
ecx, edx
.text:0040762A
lea eax, [esp+182Ch+var_1004]
.text:00407631
and ecx, 3
.text:00407634
push offset a__0
; const char *
.text:00407639
repe movsb
.text:0040763B
push eax
; const char *
.text:0040763C
call sub_4211F0 ;對註冊碼的處理(轉換字元'.'為'y')
.text:00407641
push offset aA_0
; int
.text:00407646
lea ecx, [esp+1838h+var_1004]
.text:0040764D
push offset asc_45D628
; const char *
.text:00407652
push ecx ; const
char *
.text:00407653
call sub_4211F0 ;對註冊碼的處理(轉換字元'/'為'a')
.text:00407658
push offset aO
; int
.text:0040765D
lea edx, [esp+1844h+var_1004]
.text:00407664
push offset asc_45D620
; const char *
.text:00407669
push edx ; const
char *
.text:0040766A
call sub_4211F0 ;對註冊碼的處理(轉換字元'$'為'o')
.text:0040766F
add esp, 38h
.text:00407672 mov
esi, ebx
.text:00407674
lea eax, [esp+1814h+var_1004]
.text:0040767B
.text:0040767B
loc_40767B:
; CODE XREF: sub_407560+13Dj
.text:0040767B
mov dl, [eax]
;真假註冊碼比較
.text:0040767D
mov bl, [esi]
.text:0040767F
mov cl, dl
.text:00407681
cmp dl, bl
.text:00407683 jnz
short loc_4076B5
===========================================================
進入 call sub_41CAD0 (為方便理解,只對第一輪進行詳細說明)
===========================================================
; ---------------------------------------------------------------------------
; sub_41CAD0 - string-derivation routine; the CODE XREF lines below show two
; call sites in sub_407560 (+40 and +82).
;
; Prototype (as recovered by the disassembler):
;   int __cdecl sub_41CAD0(int, const char *)
; In:    arg_0 = pointer to a NUL-terminated string (typed int, but it is
;                scanned with repne scasb below); kept in ebp
;        arg_4 = pointer to a NUL-terminated string; a leading "$1$" is
;                skipped and at most 8 following bytes are used (the scan
;                stops at NUL or '$')
; Out:   eax   = offset unk_46AE6C, a fixed buffer holding
;                "$1$" + short string + "$" + text written by sub_41D9B0
; Saves: ebx, ebp, esi, edi are pushed on entry and popped on exit
; Stack: 0C8h bytes of locals; caller removes the arguments (__cdecl)
;
; Locals as used in this listing:
;   var_58          context passed to sub_41CF80/sub_41CFB0 ("context A")
;   var_B0          second such context ("context B")
;   var_C8..var_BC  16-byte output buffer of sub_41D0A0
;   var_B4          length of the short string taken from arg_4
;
; Helper bodies are not part of this listing; their roles are the ones the
; author assigns to them: sub_41CF80 = MD5 init, sub_41CFB0 = MD5 update
; (context, data, length), sub_41D0A0 = MD5 final (output, context),
; sub_41D9B0 (destination, value, count) = conversion to printable text.
;
; NOTE(review): the routine keeps state in fixed-address variables
; (dword_46AEE8, dword_46AEE4, dword_46AE68, unk_46AE6C) and returns the
; address of one of them, so each call overwrites the previous result.
; NOTE(review): as far as this listing shows, the output depends only on the
; two argument strings and constants; no key or secret input is visible here,
; which is what makes the check reproducible outside the program. A licence
; verified with an asymmetric signature would not have that property.
; ---------------------------------------------------------------------------
.text:0041CAD0 ; int __cdecl sub_41CAD0(int,const char *)
.text:0041CAD0
sub_41CAD0 proc near
; CODE XREF: sub_407560+40p
.text:0041CAD0
; sub_407560+82p
.text:0041CAD0
.text:0041CAD0
var_C8 = dword ptr -0C8h
.text:0041CAD0
var_C4 = dword ptr -0C4h
.text:0041CAD0
var_C0 = dword ptr -0C0h
.text:0041CAD0
var_BC = dword ptr -0BCh
.text:0041CAD0
var_B4 = dword ptr -0B4h
.text:0041CAD0
var_B0 = byte ptr -0B0h
.text:0041CAD0
var_58 = byte ptr -58h
.text:0041CAD0 arg_0
= dword ptr 4
.text:0041CAD0 arg_4
= dword ptr 8
.text:0041CAD0
.text:0041CAD0
sub esp, 0C8h
; ecx = -1 / eax = 0 / repne scasb / not ecx / dec ecx is an inlined strlen;
; the same sequence recurs throughout this routine.
.text:0041CAD6 or
ecx, 0FFFFFFFFh
.text:0041CAD9
xor eax, eax
.text:0041CADB
mov edx, [esp+0C8h+arg_4]
.text:0041CAE2 push
ebx
.text:0041CAE3
push ebp
.text:0041CAE4
push esi
.text:0041CAE5
push edi
.text:0041CAE6
mov edi, offset
a1_3 ; "$1$"
.text:0041CAEB
mov dword_46AEE8, edx
.text:0041CAF1
repne scasb
.text:0041CAF3
not ecx
.text:0041CAF5
dec ecx
.text:0041CAF6
push ecx
; size_t
.text:0041CAF7
push offset a1_3 ; const
char *
.text:0041CAFC
push edx ; const char *
.text:0041CAFD call
_strncmp ;compare the user name with the string "$1$"
.text:0041CB02
add esp, 0Ch
.text:0041CB05 test
eax, eax
.text:0041CB07
jnz short loc_41CB26
; arg_4 starts with "$1$": advance dword_46AEE8 past that prefix
.text:0041CB09
mov edi, offset a1_3 ; "$1$"
.text:0041CB0E or
ecx, 0FFFFFFFFh
.text:0041CB11
repne scasb
.text:0041CB13
mov edx, dword_46AEE8
.text:0041CB19
not ecx
.text:0041CB1B
dec ecx
.text:0041CB1C
add edx, ecx
.text:0041CB1E mov
dword_46AEE8, edx
.text:0041CB24
jmp short loc_41CB2C
.text:0041CB26 ; ---------------------------------------------------------------------------
.text:0041CB26 //////////////////////////////////////////////////////////////////////
如果使用者名稱長度不小於8位元組,則取使用者名稱前8個位元組,否則取整個使用者名稱
; (author's note above: if the user name is at least 8 bytes long its first
; 8 bytes are taken, otherwise the whole user name)
; The scan below also stops at a '$' byte (cmp cl, 24h), not only at NUL or
; after 8 bytes.
.text:0041CB26 loc_41CB26:
; CODE XREF: sub_41CAD0+37j
.text:0041CB26 mov
edx, dword_46AEE8
.text:0041CB2C
.text:0041CB2C loc_41CB2C:
; CODE XREF: sub_41CAD0+54j
.text:0041CB2C
mov eax, edx
.text:0041CB2E
mov dword_46AEE4,
eax
.text:0041CB33
mov cl, [edx]
.text:0041CB35
test cl, cl
.text:0041CB37
jz short loc_41CB51
.text:0041CB39
.text:0041CB39 loc_41CB39:
; CODE XREF:
sub_41CAD0+7Fj
.text:0041CB39
cmp cl, 24h
.text:0041CB3C
jz short loc_41CB51
.text:0041CB3E
lea ecx, [edx+8]
.text:0041CB41 cmp
eax, ecx
.text:0041CB43
jnb short loc_41CB51
.text:0041CB45
inc eax
.text:0041CB46
mov dword_46AEE4,
eax
.text:0041CB4B
mov cl, [eax]
.text:0041CB4D
test cl, cl
.text:0041CB4F
jnz short loc_41CB39
.text:0041CB51 ////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////
這一段是為整個演算法的第二步作資料填充
; (author's note above: this section feeds the data used by step 2 of the
; algorithm)
; eax - edx = number of bytes scanned; kept in esi and in var_B4
.text:0041CB51 loc_41CB51:
; CODE XREF:
sub_41CAD0+67j
.text:0041CB51
; sub_41CAD0+6Cj ...
.text:0041CB51
sub eax, edx
.text:0041CB53
lea edx, [esp+0D8h+var_58]
.text:0041CB5A mov
esi, eax
.text:0041CB5C
push edx
.text:0041CB5D
mov [esp+0DCh+var_B4], esi
.text:0041CB61
call sub_41CF80
; initialise the four MD5 state variables
.text:0041CB66
mov ebp, [esp+0DCh+arg_0]
.text:0041CB6D
or ecx, 0FFFFFFFFh
.text:0041CB70 mov
edi, ebp
.text:0041CB72
xor eax, eax
.text:0041CB74
repne scasb
.text:0041CB76
not ecx
.text:0041CB78
dec ecx
.text:0041CB79
lea eax, [esp+0DCh+var_58]
.text:0041CB80 push
ecx
.text:0041CB81
push ebp
.text:0041CB82
push eax
.text:0041CB83
call sub_41CFB0
;Update( BYTE* Input(user name),ULONG nInputLen(user-name length) )
.text:0041CB88
mov edi, offset a1_3 ;
"$1$"
.text:0041CB8D
or ecx, 0FFFFFFFFh
.text:0041CB90
xor eax, eax
.text:0041CB92
repne scasb
.text:0041CB94
not ecx
.text:0041CB96
dec ecx
.text:0041CB97
push ecx
.text:0041CB98
lea ecx, [esp+0ECh+var_58]
.text:0041CB9F push
offset a1_3 ; "$1$"
.text:0041CBA4
push ecx
.text:0041CBA5
call sub_41CFB0
;Update( BYTE* Input("$1$"),ULONG nInputLen (3))
.text:0041CBAA
mov edx, dword_46AEE8
.text:0041CBB0 push
esi
.text:0041CBB1
lea eax, [esp+0F8h+var_58]
.text:0041CBB8
push edx
.text:0041CBB9
push eax
.text:0041CBBA
call sub_41CFB0
; Update( BYTE* Input(first 8 bytes of the user name, or the whole name if it is shorter than 8 bytes),ULONG nInputLen
)
/////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////
演算法第一步:
; (author's heading above: "algorithm step 1") - a second context, var_B0,
; is initialised and fed here while var_58 stays open.
.text:0041CBBF
lea ecx, [esp+100h+var_B0]
.text:0041CBC3
push ecx
.text:0041CBC4
call sub_41CF80
; initialise the four MD5 state variables
.text:0041CBC9
mov edi, ebp
.text:0041CBCB
or ecx, 0FFFFFFFFh
.text:0041CBCE xor
eax, eax
.text:0041CBD0
lea edx, [esp+104h+var_B0]
.text:0041CBD4
repne scasb
.text:0041CBD6
not ecx
.text:0041CBD8
dec ecx
.text:0041CBD9
push ecx
.text:0041CBDA
push ebp
.text:0041CBDB
push edx
.text:0041CBDC
call sub_41CFB0
; Update( user name, user-name length)
.text:0041CBE1
mov eax, dword_46AEE8
.text:0041CBE6
push esi
.text:0041CBE7
lea ecx, [esp+114h+var_B0]
.text:0041CBEB push
eax
.text:0041CBEC
push ecx
.text:0041CBED
call sub_41CFB0 ;Update(
使用者名稱(前8位元組,如果使用者名稱長度小於8位元組,則用整個使用者名稱),ULONG nInputLen )
; (the line above reads: first 8 bytes of the user name, or the whole name
; if it is shorter than 8 bytes)
.text:0041CBF2
mov edi, ebp
.text:0041CBF4
or ecx, 0FFFFFFFFh
.text:0041CBF7 xor
eax, eax
; 44h = 17 dwords: the arguments of the seven helper calls made since the
; strncmp clean-up are removed in one step
.text:0041CBF9
add esp, 44h
.text:0041CBFC
repne scasb
.text:0041CBFE
not ecx
.text:0041CC00
dec ecx
.text:0041CC01
lea edx, [esp+0D8h+var_B0]
.text:0041CC05 push
ecx
.text:0041CC06
push ebp
.text:0041CC07
push edx
.text:0041CC08
call sub_41CFB0
; Update( user name, user-name length)
.text:0041CC0D
lea eax, [esp+0E4h+var_B0]
.text:0041CC11
lea ecx, [esp+0E4h+var_C8]
.text:0041CC15 push
eax
.text:0041CC16
push ecx
.text:0041CC17
call sub_41D0A0 ;MD5 transform: call the result Result1[16]
.text:0041CC1C mov
edi, ebp
.text:0041CC1E
or ecx, 0FFFFFFFFh
.text:0041CC21
xor eax, eax
.text:0041CC23
add esp, 14h
.text:0041CC26 repne scasb
.text:0041CC28 not
ecx
.text:0041CC2A
dec ecx
.text:0041CC2B
mov esi, ecx
.text:0041CC2D
test esi, esi
.text:0041CC2F
jle short loc_41CC5A
; Loop: esi = bytes still to add; each pass feeds min(esi, 16) bytes of
; var_C8 into context var_58, then subtracts 16.
.text:0041CC31
.text:0041CC31 loc_41CC31:
; CODE XREF:
sub_41CAD0+188j
.text:0041CC31
cmp esi, 10h ;user-name length > 16?
.text:0041CC34
mov eax, 10h
.text:0041CC39 jg
short loc_41CC3D
.text:0041CC3B
mov eax, esi
.text:0041CC3D
.text:0041CC3D loc_41CC3D:
; CODE XREF: sub_41CAD0+169j
.text:0041CC3D
push eax
.text:0041CC3E
lea edx, [esp+0DCh+var_C8]
.text:0041CC42 lea
eax, [esp+0DCh+var_58]
.text:0041CC49
push edx
.text:0041CC4A
push eax
.text:0041CC4B
call sub_41CFB0
;Update(Result1,EAX)
.text:0041CC50
sub esi, 10h
.text:0041CC53
add esp, 0Ch
.text:0041CC56 test
esi, esi ;ESI>0?
.text:0041CC58
jg short loc_41CC31
; The 16 bytes var_C8..var_BC are cleared here, so var_C8 supplies a zero
; byte in the loop that follows.
.text:0041CC5A
.text:0041CC5A loc_41CC5A:
; CODE XREF:
sub_41CAD0+15Fj
.text:0041CC5A
xor ecx, ecx
.text:0041CC5C
mov edi, ebp
.text:0041CC5E
mov [esp+0D8h+var_C8],
ecx
.text:0041CC62
xor eax, eax
.text:0041CC64
mov [esp+0D8h+var_C4], ecx
.text:0041CC68
mov [esp+0D8h+var_C0],
ecx
.text:0041CC6C
mov [esp+0D8h+var_BC], ecx
.text:0041CC70
or ecx, 0FFFFFFFFh
.text:0041CC73 repne scasb
.text:0041CC75 not
ecx
.text:0041CC77
dec ecx
.text:0041CC78
mov ebx, ecx ;user-name length -> EBX
; mov does not change the flags: the jz below still tests the result of the
; dec, i.e. it skips the loop when the length is 0
.text:0041CC7A jz
short loc_41CCA7
; Loop: one pass per bit of EBX (sar ebx, 1 at the bottom), not a single
; even/odd test of the length.
.text:0041CC7C
.text:0041CC7C loc_41CC7C:
; CODE XREF: sub_41CAD0+1D5j
.text:0041CC7C
test bl, 1
;is the low bit of EBX clear (even)?
.text:0041CC7F
push 1
.text:0041CC81
jz short loc_41CC92 ;jump if so
.text:0041CC83
lea edx, [esp+0DCh+var_C8]
.text:0041CC87 lea
eax, [esp+0DCh+var_58]
.text:0041CC8E
push edx
.text:0041CC8F
push eax
.text:0041CC90
jmp short loc_41CC9B
.text:0041CC92 ; ---------------------------------------------------------------------------
.text:0041CC92
.text:0041CC92 loc_41CC92:
; CODE XREF: sub_41CAD0+1B1j
.text:0041CC92 lea
ecx, [esp+0DCh+var_58]
.text:0041CC99
push ebp
.text:0041CC9A
push ecx
.text:0041CC9B
.text:0041CC9B loc_41CC9B:
; CODE XREF: sub_41CAD0+1C0j
.text:0041CC9B call
sub_41CFB0 ;low bit clear: Update(first byte of the user name,1); low bit set: Update(one zero byte from the cleared var_C8,1)
.text:0041CCA0 add
esp, 0Ch
.text:0041CCA3
sar ebx, 1
.text:0041CCA5
jnz short loc_41CC7C
; Build the output prefix in unk_46AE6C: inlined copy of "$1$" (with its
; terminator), strncat of var_B4 bytes from dword_46AEE8, then an inlined
; append of "$".
.text:0041CCA7
.text:0041CCA7 loc_41CCA7:
; CODE XREF: sub_41CAD0+1AAj
.text:0041CCA7 mov
edi, offset a1_3 ; "$1$"
.text:0041CCAC
or ecx, 0FFFFFFFFh
.text:0041CCAF
xor eax, eax
.text:0041CCB1 repne scasb
.text:0041CCB3 not
ecx
.text:0041CCB5
sub edi, ecx
.text:0041CCB7
mov eax, [esp+0D8h+var_B4]
.text:0041CCBB
mov edx, ecx
.text:0041CCBD mov
esi, edi
.text:0041CCBF
mov edi, offset unk_46AE6C
.text:0041CCC4
push eax
; size_t
.text:0041CCC5
shr ecx, 2
.text:0041CCC8
repe movsd
.text:0041CCCA
mov ecx, edx
.text:0041CCCC and
ecx, 3
.text:0041CCCF
repe movsb
.text:0041CCD1
mov ecx, dword_46AEE8
.text:0041CCD7
push ecx
; const char *
.text:0041CCD8
push offset unk_46AE6C ; char *
.text:0041CCDD call
_strncat
.text:0041CCE2
mov edi, offset asc_45D620 ; "$"
.text:0041CCE7
or ecx, 0FFFFFFFFh
.text:0041CCEA xor
eax, eax
.text:0041CCEC
repne scasb
.text:0041CCEE
not ecx
.text:0041CCF0
sub edi, ecx
.text:0041CCF2
mov esi, edi
.text:0041CCF4 mov
edx, ecx
.text:0041CCF6
mov edi, offset unk_46AE6C
.text:0041CCFB
or ecx, 0FFFFFFFFh
.text:0041CCFE repne
scasb
.text:0041CD00
mov ecx, edx
.text:0041CD02
dec edi
.text:0041CD03
shr ecx, 2
.text:0041CD06
repe movsd
.text:0041CD08
mov ecx, edx
.text:0041CD0A lea
eax, [esp+0E4h+var_58]
.text:0041CD11
and ecx, 3
.text:0041CD14
push eax
.text:0041CD15
repe movsb
.text:0041CD17
lea ecx, [esp+0E8h+var_C8]
.text:0041CD1B push
ecx
.text:0041CD1C
call sub_41D0A0 ;MD5 transform: call the result Result2[16]
.text:0041CD21 add
esp, 14h
演算法第二步完成
/////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////
演算法第三步:
; (author's notes above: "algorithm step 2 complete" / "algorithm step 3")
; Loop with esi counting from 0 up to 3E8h (exclusive). Each pass restarts
; context var_B0, feeds it in an order chosen by esi & 1, esi mod 3 and
; esi mod 7, and writes the new 16-byte result back to var_C8.
.text:0041CD24
xor esi, esi ; clear the loop counter
.text:0041CD26
.text:0041CD26 loc_41CD26:
; CODE XREF: sub_41CAD0+328j
.text:0041CD26 lea
edx, [esp+0D8h+var_B0]
.text:0041CD2A
push edx
.text:0041CD2B
call sub_41CF80
;MD5 init
.text:0041CD30
mov ebx, esi
.text:0041CD32
add esp, 4
.text:0041CD35
and ebx, 1
.text:0041CD38
jz short
loc_41CD4F
.text:0041CD3A
mov edi, ebp
.text:0041CD3C
or ecx, 0FFFFFFFFh
.text:0041CD3F
xor eax, eax
.text:0041CD41 repne scasb
.text:0041CD43 not
ecx
.text:0041CD45
dec ecx
.text:0041CD46
lea eax, [esp+0D8h+var_B0]
.text:0041CD4A
push ecx
.text:0041CD4B
push ebp
.text:0041CD4C
push eax
.text:0041CD4D
jmp short loc_41CD5B
; NOTE(review): on this path (counter odd) the arguments pushed above are var_B0, ebp and strlen(ebp), i.e. Update(user name, user-name length); Update(Result2,16) is the other path
.text:0041CD4F ; ---------------------------------------------------------------------------
.text:0041CD4F
.text:0041CD4F loc_41CD4F:
; CODE XREF:
sub_41CAD0+268j
.text:0041CD4F
lea ecx, [esp+0D8h+var_C8]
.text:0041CD53
push 10h
.text:0041CD55
lea edx, [esp+0DCh+var_B0]
.text:0041CD59 push
ecx
.text:0041CD5A
push edx
; Both paths meet at the call below; the annotation that follows it matches
; only the path through loc_41CD4F (counter even).
.text:0041CD5B
.text:0041CD5B loc_41CD5B:
; CODE XREF: sub_41CAD0+27Dj
.text:0041CD5B
call sub_41CFB0 ;
Update(Result2,16)
.text:0041CD60
mov eax, esi
.text:0041CD62
mov ecx, 3
.text:0041CD67
cdq
.text:0041CD68
idiv ecx
.text:0041CD6A
add esp, 0Ch
.text:0041CD6D test
edx, edx
.text:0041CD6F
jz short loc_41CD89 ; jump if the remainder is zero
.text:0041CD71
mov edx, [esp+0D8h+var_B4]
.text:0041CD75 mov
eax, dword_46AEE8
.text:0041CD7A
push edx
.text:0041CD7B
lea ecx, [esp+0DCh+var_B0]
.text:0041CD7F push
eax
.text:0041CD80
push ecx
.text:0041CD81
call sub_41CFB0 ; Update(
使用者名稱(前8位元組,如果使用者名稱長度小於8位元組,則用整個使用者名稱),ULONG nInputLen )
; (the line above reads: first 8 bytes of the user name, or the whole name
; if it is shorter than 8 bytes)
.text:0041CD86
add esp, 0Ch
.text:0041CD89
.text:0041CD89 loc_41CD89:
; CODE XREF: sub_41CAD0+29Fj
.text:0041CD89 mov
eax, esi
.text:0041CD8B
mov ecx, 7
.text:0041CD90
cdq
.text:0041CD91
idiv ecx
.text:0041CD93
test edx, edx
.text:0041CD95
jz short
loc_41CDB2 ; jump if the remainder is zero
.text:0041CD97
mov edi, ebp
.text:0041CD99
or ecx, 0FFFFFFFFh
.text:0041CD9C xor
eax, eax
.text:0041CD9E
lea edx, [esp+0D8h+var_B0]
.text:0041CDA2
repne scasb
.text:0041CDA4
not ecx
.text:0041CDA6
dec ecx
.text:0041CDA7
push ecx
.text:0041CDA8
push ebp
.text:0041CDA9
push edx
.text:0041CDAA
call sub_41CFB0
;Update(user name, user-name length)
.text:0041CDAF
add esp, 0Ch
; ebx still holds esi & 1 from the top of the pass: non-zero pushes
; (var_B0, var_C8, 10h), zero pushes (var_B0, ebp, strlen(ebp)).
.text:0041CDB2
.text:0041CDB2
loc_41CDB2:
; CODE XREF: sub_41CAD0+2C5j
.text:0041CDB2
test ebx, ebx
.text:0041CDB4 jz
short loc_41CDC4
.text:0041CDB6
lea eax, [esp+0D8h+var_C8]
.text:0041CDBA
push 10h
.text:0041CDBC
lea ecx, [esp+0DCh+var_B0]
.text:0041CDC0 push
eax
.text:0041CDC1
push ecx
.text:0041CDC2
jmp short loc_41CDD7
.text:0041CDC4 ; ---------------------------------------------------------------------------
.text:0041CDC4
.text:0041CDC4 loc_41CDC4:
; CODE XREF:
sub_41CAD0+2E4j
.text:0041CDC4
mov edi, ebp
.text:0041CDC6
or ecx, 0FFFFFFFFh
.text:0041CDC9 xor
eax, eax
.text:0041CDCB
lea edx, [esp+0D8h+var_B0]
.text:0041CDCF
repne scasb
.text:0041CDD1
not ecx
.text:0041CDD3
dec ecx
.text:0041CDD4
push ecx
.text:0041CDD5
push ebp
.text:0041CDD6
push edx
.text:0041CDD7
.text:0041CDD7 loc_41CDD7:
; CODE XREF: sub_41CAD0+2F2j
.text:0041CDD7 call
sub_41CFB0 ;Update(Result2,16) / Update(user name, user-name length)
.text:0041CDDC add
esp, 0Ch
.text:0041CDDF
lea eax, [esp+0D8h+var_B0]
.text:0041CDE3
lea ecx, [esp+0D8h+var_C8]
.text:0041CDE7 push
eax
.text:0041CDE8
push ecx
.text:0041CDE9
call sub_41D0A0 ;MD5 transform: call the result Result3[16]; it serves as Result2[16] in the next pass of the loop
.text:0041CDEE add
esp, 8
.text:0041CDF1
inc esi
.text:0041CDF2
cmp esi, 3E8h
.text:0041CDF8
jl loc_41CD26
演算法第三步完成
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
演算法第四步:將第三步結果轉換為規則的可見字串,長度變為22位元組
變換表為:"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
; (author's notes above: "step 3 complete"; "step 4: convert the result of
; step 3 into a regular printable string of 22 bytes"; "conversion table:"
; followed by the 64-character table)
; Six calls to sub_41D9B0(destination, value, count) follow. The first five
; pass a value assembled from three bytes of var_C8..var_BC with count 4,
; the last passes a single byte with count 2. dword_46AE68 is the write
; position: it starts at the end of the string already in unk_46AE6C and is
; advanced by 4 before each later call.
.text:0041CDFE mov
edi, offset unk_46AE6C
.text:0041CE03
or ecx, 0FFFFFFFFh
.text:0041CE06
xor eax, eax
.text:0041CE08 xor
edx, edx
.text:0041CE0A
mov dh, byte ptr [esp+0D8h+var_C8]
.text:0041CE0E
push 4
.text:0041CE10
repne scasb
.text:0041CE12
mov eax, [esp+0DCh+var_C4+2]
.text:0041CE16 and
eax, 0FFh
.text:0041CE1B
or edx, eax
.text:0041CE1D
mov eax, [esp+0DCh+var_BC]
.text:0041CE21 not
ecx
.text:0041CE23
shl edx, 8
.text:0041CE26
and eax, 0FFh
.text:0041CE2B
dec ecx
.text:0041CE2C
or edx, eax
.text:0041CE2E add
ecx, offset unk_46AE6C
.text:0041CE34
push edx
.text:0041CE35
push ecx
.text:0041CE36
mov dword_46AE68,
ecx
.text:0041CE3C
call sub_41D9B0
.text:0041CE41
mov ecx, [esp+0E4h+var_C8+1]
.text:0041CE45
mov edx, [esp+0E4h+var_C4+3]
.text:0041CE49 mov
eax, dword_46AE68
.text:0041CE4E
and ecx, 0FFh
.text:0041CE54
shl ecx, 8
.text:0041CE57
and edx, 0FFh
.text:0041CE5D add
eax, 4
.text:0041CE60
or ecx, edx
.text:0041CE62
mov edx, [esp+0E4h+var_BC+1]
.text:0041CE66 shl
ecx, 8
.text:0041CE69
and edx, 0FFh
.text:0041CE6F
push 4
.text:0041CE71
or ecx, edx
.text:0041CE73 mov
dword_46AE68, eax
.text:0041CE78
push ecx
.text:0041CE79
push eax
.text:0041CE7A
call sub_41D9B0
.text:0041CE7F mov
ecx, [esp+0F0h+var_C8+2]
.text:0041CE83
mov edx, [esp+0F0h+var_C0]
.text:0041CE87
mov eax, dword_46AE68
.text:0041CE8C and
ecx, 0FFh
.text:0041CE92
shl ecx, 8
.text:0041CE95
and edx, 0FFh
.text:0041CE9B
add eax, 4
.text:0041CE9E or
ecx, edx
.text:0041CEA0
mov edx, [esp+0F0h+var_BC+2]
.text:0041CEA4
shl ecx, 8
.text:0041CEA7 and
edx, 0FFh
.text:0041CEAD
push 4
.text:0041CEAF
or ecx, edx
.text:0041CEB1
mov dword_46AE68,
eax
.text:0041CEB6
push ecx
.text:0041CEB7
push eax
.text:0041CEB8
call sub_41D9B0
.text:0041CEBD
mov ecx, [esp+0FCh+var_C8+3]
.text:0041CEC1 mov
edx, [esp+0FCh+var_C0+1]
.text:0041CEC5
mov eax, dword_46AE68
.text:0041CECA
and ecx, 0FFh
.text:0041CED0 shl
ecx, 8
.text:0041CED3
and edx, 0FFh
.text:0041CED9
add eax, 4
.text:0041CEDC
or ecx, edx
.text:0041CEDE mov
edx, [esp+0FCh+var_BC+3]
.text:0041CEE2
shl ecx, 8
.text:0041CEE5
and edx, 0FFh
.text:0041CEEB push
4
.text:0041CEED
or ecx, edx
.text:0041CEEF
mov dword_46AE68, eax
.text:0041CEF4
push ecx
.text:0041CEF5
push eax
.text:0041CEF6
call sub_41D9B0
.text:0041CEFB mov
ecx, [esp+108h+var_C4]
.text:0041CEFF
mov eax, dword_46AE68
.text:0041CF04
mov edx, [esp+108h+var_C0+2]
.text:0041CF08 and
ecx, 0FFh
.text:0041CF0E
add eax, 4
.text:0041CF11
push 4
.text:0041CF13
shl ecx, 8
.text:0041CF16 mov
dword_46AE68, eax
.text:0041CF1B
and edx, 0FFh
.text:0041CF21
or ecx, edx
.text:0041CF23 mov
edx, [esp+10Ch+var_C4+1]
.text:0041CF27
shl ecx, 8
.text:0041CF2A
and edx, 0FFh
.text:0041CF30 or
ecx, edx
.text:0041CF32
push ecx
.text:0041CF33
push eax
.text:0041CF34
call sub_41D9B0
.text:0041CF39
mov ecx, [esp+114h+var_C0+3]
.text:0041CF3D mov
eax, dword_46AE68
.text:0041CF42
and ecx, 0FFh
.text:0041CF48
add eax, 4
.text:0041CF4B
push 2
.text:0041CF4D
push ecx
.text:0041CF4E
push eax
.text:0041CF4F
mov dword_46AE68,
eax
.text:0041CF54
call sub_41D9B0
.text:0041CF59
mov eax, dword_46AE68
; 48h = 18 dwords: the arguments of the six sub_41D9B0 calls
.text:0041CF5E
add esp, 48h
.text:0041CF61 add
eax, 2
.text:0041CF64
pop edi
.text:0041CF65
mov dword_46AE68, eax
.text:0041CF6A
pop esi
; terminate the string at the final write position
.text:0041CF6B
mov byte ptr [eax],
0
.text:0041CF6E pop
ebp
; return value: address of the fixed output buffer
.text:0041CF6F
mov eax, offset unk_46AE6C
演算法第四步完成,結果為Result4[22]
//////////////////////////////////////////////////////////////////////
; (author's note above: "step 4 complete, the result is Result4[22]")
.text:0041CF74
pop ebx
.text:0041CF75
add esp, 0C8h
.text:0041CF7B retn
.text:0041CF7B sub_41CAD0 endp
.text:0041CF7B
.text:0041CF7B
; ---------------------------------------------------------------------------
/////////////////////////////////////////////////////////////////////////////////
=================================================================================
/////////////////////////////////////////////////////////////////////////////////
第五步:串接:"$1$"+使用者名稱(前8個位元組;使用者名稱長度小於8個位元組時則用整個使用者名稱)+"$"+Result4[22]
設結果為Result5
Result5參加下一輪運算
.text:004075E2
call sub_41CAD0 ; 演算法CALL(第二輪)
這一輪用到了註冊介面中的"特徵碼",設結果為Result6
串接:"$1$"+特徵碼前8個位元組+"$"+Result6
.text:00407634 之後
最終結果轉換
===================================================================
分析完成:)
=================================
inside Pandora's
Box
**********
CrAcKeD BY alphakk/iPB
=================================