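Analysis of the registration algorithm of 中華搜尋寶 (CHINASSB) 2003c
■ Author's statement: I am a beginner at cracking; this is purely a technical exchange with no other purpose.
■ Tools: OllyDbg 1.09, W32Dasm 10.
■ Prerequisites: basic assembly knowledge and basic tool usage.
■ Registration scheme: anti-tracing + machine code + password
■ About the software:
中華搜尋寶 (CHINASSB) 2003c
Size: 616 KB
Language: Simplified Chinese
Category: domestic software / search engine
Platform: Win9x/NT/2000/XP
Screenshot: none
Date added: 2002-12-18 15:07:17
Downloads: 33673
Rating:
Contact: wfan99@163.net
Developer: http://www.chinassb.com/
Description:
CHINASSB is an Internet information search tool written specifically for Chinese users. It combines the strengths of traditional search engines and uses fast multi-threaded retrieval to find web sites and web pages accurately, which improves your online efficiency, saves search time and reduces connection costs. CHINASSB follows everyday computer usage habits: it is simple to operate and needs no special configuration. Double-clicking a found URL opens it in the browser. It also supports saving, editing and managing search results. CHINASSB is therefore a valuable tool for finding web sites and information online.
Assumptions:
Machine code: 870889
E-mail: lordor820@sina.com
Password: abcdefghijabcdefghij
1. Locating the error message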
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00492A38(C)
|
:00492A62 A12C664900              mov eax, dword ptr [0049662C]
:00492A67 80785C00                cmp byte ptr [eax+5C], 00
:00492A6B 752C                    jne 00492A99
:00492A6D 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"無效的註冊密碼! "
                                  |
:00492A70 BA0C2B4900              mov edx, 00492B0C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004929A4(C)
|
:00492A0B 8B45FC                  mov eax, dword ptr [ebp-04]
:00492A0E E8E55CF7FF              call 004086F8
:00492A13 8B55EC                  mov edx, dword ptr [ebp-14]
:00492A16 8D45FC                  lea eax, dword ptr [ebp-04]
:00492A19 E8AA12F7FF              call 00403CC8
:00492A1E 8B45FC                  mov eax, dword ptr [ebp-04]
:00492A21 E866FCFFFF              call 0049268C
:00492A26 8BD8                    mov ebx, eax
:00492A28 A12C664900              mov eax, dword ptr [0049662C]
:00492A2D 88585C                  mov byte ptr [eax+5C], bl
:00492A30 A12C664900              mov eax, dword ptr [0049662C]
:00492A35 80FB01                  cmp bl, 01
:00492A38 7528                    jne 00492A62=====
2. Dynamic analysis
004929D4  |. 8B86 F4020000  MOV EAX,DWORD PTR DS:[ESI+2F4]
004929DA  |. E8 3DE1F9FF    CALL ssb.00430B1C  ; get the e-mail address
004929DF  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
004929E2  |. A1 2C664900    MOV EAX,DWORD PTR DS:[49662C]
004929E7  |. 83C0 64        ADD EAX,64
004929EA  |. E8 9512F7FF    CALL ssb.00403C84
004929EF  |. 8D55 F0        LEA EDX,DWORD PTR SS:[EBP-10]
004929F2  |. 8B86 E0020000  MOV EAX,DWORD PTR DS:[ESI+2E0]
004929F8  |. E8 1FE1F9FF    CALL ssb.00430B1C  ; get the password
004929FD  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
00492A00  |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
00492A03  |. E8 C85EF7FF    CALL ssb.004088D0  ; get the password
00492A08  |. 8D55 EC        LEA EDX,DWORD PTR SS:[EBP-14]
00492A0B  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00492A0E  |. E8 E55CF7FF    CALL ssb.004086F8  ; convert lower-case password letters to upper case
00492A13  |. 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-14]
00492A16  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
00492A19  |. E8 AA12F7FF    CALL ssb.00403CC8
00492A1E  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00492A21  |. E8 66FCFFFF    CALL ssb.0049268C  ; key call (1), step into it
00492A26     8BD8           MOV EBX,EAX
00492A28     A1 2C664900    MOV EAX,DWORD PTR DS:[49662C]
00492A2D     8858 5C        MOV BYTE PTR DS:[EAX+5C],BL
00492A30     A1 2C664900    MOV EAX,DWORD PTR DS:[49662C]
00492A35  |. 80FB 01        CMP BL,1
00492A38  |. 75 28          JNZ SHORT ssb.00492A62  ; password check; error if it is not correct
00492A3A  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
00492A3D  |. E8 7EF3FFFF    CALL ssb.00491DC0  ; get the machine code
00492A42  |. 8B45 E8        MOV EAX,DWORD PTR SS:[EBP-18]  ; machine code 870889 into eax
00492A45  |. E8 0E61F7FF    CALL ssb.00408B58  ; machine code converted to hex, eax=000D49E9
00492A4A  |. 8BD0           MOV EDX,EAX  ; machine code (as hex) into edx
00492A4C  |. B9 37010000    MOV ECX,137  ; 137 into ecx
00492A51  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]  ; password string into eax
00492A54  |. E8 B7F5FFFF    CALL ssb.00492010  ; key call (2)
00492A59  |. 8B15 2C664900  MOV EDX,DWORD PTR DS:[49662C]  ; ssb.004979B0
--------------------------------
Key call (1)
004926AD  |. 68 E1284900    PUSH ssb.004928E1
004926B2  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
004926B5  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
004926B8  |. C645 FB 00     MOV BYTE PTR SS:[EBP-5],0
004926BC  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
004926BF  |. E8 EC17F7FF    CALL ssb.00403EB0  ; get the password length
004926C4  |. 83F8 14        CMP EAX,14  ; is the password 20 characters long?
004926C7  |. 0F85 F1010000  JNZ ssb.004928BE
004926CD  |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
004926D0  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]
004926D3  |. E8 F015F7FF    CALL ssb.00403CC8
004926D8  |. E8 3B75F7FF    CALL ssb.00409C18
004926DD  |. 83C4 F8        ADD ESP,-8  ; /
004926E0  |. DD1C24         FSTP QWORD PTR SS:[ESP]  ; |Arg1 (8-byte)
004926E3  |. 9B             WAIT  ; |
004926E4  |. 8D55 E8        LEA EDX,DWORD PTR SS:[EBP-18]  ; |
004926E7  |. B8 FC284900    MOV EAX,ssb.004928FC  ; |ASCII "hhnnss"
004926EC  |. E8 6781F7FF    CALL ssb.0040A858  ; \ssb.0040A858
004926F1  |. 8B45 E8        MOV EAX,DWORD PTR SS:[EBP-18]
004926F4  |. E8 5F64F7FF    CALL ssb.00408B58
004926F9  |. 8BF0           MOV ESI,EAX
004926FB  |. BB 01000000    MOV EBX,1
00492700  |> 83FE 0A        /CMP ESI,0A
00492703  |. 7C 59          |JL SHORT ssb.0049275E
00492705  |. 8B45 F4        |MOV EAX,DWORD PTR SS:[EBP-C]
00492708  |. E8 A317F7FF    |CALL ssb.00403EB0
0049270D  |. 85C0           |TEST EAX,EAX
0049270F  |. 7E 2E          |JLE SHORT ssb.0049273F
00492711  |. E8 0275F7FF    |CALL ssb.00409C18
00492716  |. 83C4 F8        |ADD ESP,-8  ; /
00492719  |. DD1C24         |FSTP QWORD PTR SS:[ESP]  ; |Arg1 (8-byte)
0049271C  |. 9B             |WAIT  ; |
0049271D  |. 8D55 E4        |LEA EDX,DWORD PTR SS:[EBP-1C]  ; |
00492720  |. B8 FC284900    |MOV EAX,ssb.004928FC  ; |ASCII "hhnnss"
00492725  |. E8 2E81F7FF    |CALL ssb.0040A858  ; \ssb.0040A858
0049272A  |. 8B45 E4        |MOV EAX,DWORD PTR SS:[EBP-1C]
0049272D  |. E8 2664F7FF    |CALL ssb.00408B58
00492732  |. 2BC6           |SUB EAX,ESI
00492734  |. 83F8 0A        |CMP EAX,0A
00492737  |. 0F8F 81010000  |JG ssb.004928BE
0049273D  |. EB 1F          |JMP SHORT ssb.0049275E
0049273F  |> 8B45 F4        |MOV EAX,DWORD PTR SS:[EBP-C]
00492742  |. E8 6917F7FF    |CALL ssb.00403EB0
00492747  |. 3BD8           |CMP EBX,EAX
00492749  |. 7D 13          |JGE SHORT ssb.0049275E
0049274B  |. 8D45 F0        |LEA EAX,DWORD PTR SS:[EBP-10]
0049274E  |. 50             |PUSH EAX
0049274F  |. B9 01000000    |MOV ECX,1
00492754  |. 8BD3           |MOV EDX,EBX
00492756  |. 8B45 F4        |MOV EAX,DWORD PTR SS:[EBP-C]
00492759  |. E8 5A19F7FF    |CALL ssb.004040B8
0049275E  |> 43             |INC EBX
0049275F  |. 81FB F5010000  |CMP EBX,1F5
00492765  |.^75 99          \JNZ SHORT ssb.00492700  ; the block above is anti-tracing code, so a breakpoint is only effective when set below it
00492767  |. BB 01000000    MOV EBX,1
0049276C  |> 8D45 E0        /LEA EAX,DWORD PTR SS:[EBP-20]
0049276F  |. 50             |PUSH EAX
00492770  |. B9 01000000    |MOV ECX,1
00492775  |. 8BD3           |MOV EDX,EBX
00492777  |. 8B45 F4        |MOV EAX,DWORD PTR SS:[EBP-C]  ; password into eax
0049277A  |. E8 3919F7FF    |CALL ssb.004040B8
0049277F  |. 8B45 E0        |MOV EAX,DWORD PTR SS:[EBP-20]
00492782  |. BA 0C294900    |MOV EDX,ssb.0049290C  ; Z into edx
00492787  |. E8 3418F7FF    |CALL ssb.00403FC0
0049278C  |. 0F87 2C010000  |JA ssb.004928BE
00492792  |. 8D45 DC        |LEA EAX,DWORD PTR SS:[EBP-24]
00492795  |. 50             |PUSH EAX
00492796  |. B9 01000000    |MOV ECX,1
0049279B  |. 8BD3           |MOV EDX,EBX
0049279D  |. 8B45 F4        |MOV EAX,DWORD PTR SS:[EBP-C]  ; password into eax
004927A0  |. E8 1319F7FF    |CALL ssb.004040B8
004927A5  |. 8B45 DC        |MOV EAX,DWORD PTR SS:[EBP-24]
004927A8  |. BA 18294900    |MOV EDX,ssb.00492918  ; A into edx
004927AD  |. E8 0E18F7FF    |CALL ssb.00403FC0
004927B2  |. 0F82 06010000  |JB ssb.004928BE
004927B8  |. 43             |INC EBX
004927B9  |. 83FB 15        |CMP EBX,15
004927BC  |.^75 AE          \JNZ SHORT ssb.0049276C  ; the loop above checks that every password character is a letter between A and Z
004927BE  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
004927C1  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]  ; password into edx
004927C4  |. E8 FF14F7FF    CALL ssb.00403CC8  ; take the 5th character
004927C9  |. 33FF           XOR EDI,EDI
004927CB  |. BB 01000000    MOV EBX,1
004927D0  |> 8D45 EC        /LEA EAX,DWORD PTR SS:[EBP-14]
004927D3  |. 50             |PUSH EAX
004927D4  |. B9 01000000    |MOV ECX,1
004927D9  |. 8BD3           |MOV EDX,EBX
004927DB  |. 8B45 F0        |MOV EAX,DWORD PTR SS:[EBP-10]  ; password into eax
004927DE  |. E8 D518F7FF    |CALL ssb.004040B8  ; take one password character
004927E3  |. BA 24294900    |MOV EDX,ssb.00492924  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
004927E8  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]  ; the character just taken, into eax
004927EB  |. E8 AC19F7FF    |CALL ssb.0040419C  ; position of the Nth password character in the string
004927F0  |. 8BF0           |MOV ESI,EAX  ; position into esi
004927F2  |. 4E             |DEC ESI  ; position minus 1, into esi
004927F3  |. 0FAFF3         |IMUL ESI,EBX  ; multiplied by N, into esi
004927F6  |. 03FE           |ADD EDI,ESI  ; results are summed
004927F8  |. 43             |INC EBX
004927F9  |. 83FB 14        |CMP EBX,14
004927FC  |.^75 D2          \JNZ SHORT ssb.004927D0  ; summary of the loop: edi=0; edi=edi+(position of the Nth password character in the string - 1)*N
004927FE  |. 8BC7           MOV EAX,EDI
00492800  |. B9 1A000000    MOV ECX,1A
00492805  |. 99             CDQ
00492806  |. F7F9           IDIV ECX
00492808  |. 42             INC EDX  ; take the result above modulo 26 and add 1, into edx
00492809  |. 8BFA           MOV EDI,EDX  ; edx into edi, edx=edi=F
0049280B  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]  ; second-to-last password character into eax
0049280E  |. 50             PUSH EAX
0049280F  |. B8 24294900    MOV EAX,ssb.00492924  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492814  |. B9 01000000    MOV ECX,1
00492819  |. 8BD7           MOV EDX,EDI
0049281B  |. E8 9818F7FF    CALL ssb.004040B8  ; take character (modulus + 1) of the string, to be compared with the last password character
00492820  |. 8D45 D8        LEA EAX,DWORD PTR SS:[EBP-28]
00492823  |. 50             PUSH EAX
00492824  |. B9 01000000    MOV ECX,1
00492829  |. BA 14000000    MOV EDX,14
0049282E  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]  ; password into eax
00492831  |. E8 8218F7FF    CALL ssb.004040B8  ; take 1 character at position 20 of the password, giving J
00492836  |. 8B55 D8        MOV EDX,DWORD PTR SS:[EBP-28]
00492839  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]
0049283C  |. E8 7F17F7FF    CALL ssb.00403FC0
00492841     74 7B          JE SHORT ssb.004928BE=====>⑴  ; the code above compares with the last password character
00492843  |. 33FF           XOR EDI,EDI
00492845  |. BB 01000000    MOV EBX,1
0049284A  |> 8D45 EC        /LEA EAX,DWORD PTR SS:[EBP-14]  ; the last password character obtained
0049284D  |. 50             |PUSH EAX
0049284E  |. B9 01000000    |MOV ECX,1
00492853  |. 8BD3           |MOV EDX,EBX
00492855  |. 8B45 F0        |MOV EAX,DWORD PTR SS:[EBP-10]  ; password string into eax
00492858  |. E8 5B18F7FF    |CALL ssb.004040B8  ; take the Nth character of the password string
0049285D  |. BA 24294900    |MOV EDX,ssb.00492924  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492862  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]
00492865  |. E8 3219F7FF    |CALL ssb.0040419C  ; position of the Nth password character in the string
0049286A  |. 8BF0           |MOV ESI,EAX  ; position into esi
0049286C  |. 4E             |DEC ESI  ; position minus 1, into esi
0049286D  |. 03FE           |ADD EDI,ESI  ; the positions are summed
0049286F  |. 43             |INC EBX
00492870  |. 83FB 13        |CMP EBX,13
00492873  |.^75 D5          \JNZ SHORT ssb.0049284A  ; every password character except the last one takes part in the calculation
00492875  |. 8BC7           MOV EAX,EDI
00492877  |. B9 1A000000    MOV ECX,1A
0049287C  |. 99             CDQ
0049287D  |. F7F9           IDIV ECX  ; modulo 26
0049287F  |. 42             INC EDX  ; modulus plus 1
00492880  |. 8BFA           MOV EDI,EDX
00492882  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
00492885  |. 50             PUSH EAX
00492886  |. B8 24294900    MOV EAX,ssb.00492924  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
0049288B  |. B9 01000000    MOV ECX,1
00492890  |. 8BD7           MOV EDX,EDI
00492892  |. E8 2118F7FF    CALL ssb.004040B8  ; take character (modulus + 1) of the string, to be compared with the second-to-last password character
00492897  |. 8D45 D4        LEA EAX,DWORD PTR SS:[EBP-2C]
0049289A  |. 50             PUSH EAX
0049289B  |. B9 01000000    MOV ECX,1
004928A0  |. BA 13000000    MOV EDX,13
004928A5  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
004928A8  |. E8 0B18F7FF    CALL ssb.004040B8  ; take the second-to-last password character
004928AD  |. 8B55 D4        MOV EDX,DWORD PTR SS:[EBP-2C]
004928B0  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]
004928B3  |. E8 0817F7FF    CALL ssb.00403FC0
004928B8     74 04          JE SHORT ssb.004928BE========>⑵
004928BA  |. C645 FB 01     MOV BYTE PTR SS:[EBP-5],1  ; everything above matched, [ebp-5] is set to 1
004928BE  |> 33C0           XOR EAX,EAX
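Summary of call(1):
String: GFEDCBANMLKJIHTSRQPOZYXWVU
1. Step one
Y=0;
for(int i=1;i<21;i++) // 20 characters take part
{
    X = position of the i-th password character in the string;
    Y=Y+(X-1)*i;
}
Y=mode(Y,26);
Y=Y+1;
Take the Y-th letter of the string and compare it with the last character of the password;
2. Step two
Y=0;
for(int i=1;i<20;i++) // 19 characters take part
{
    X = position of the i-th password character in the string;
    Y=Y+(X-1);
}
Y=mode(Y,26);
Y=Y+1;
Take the Y-th letter of the string and compare it with the second-to-last character of the password;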
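
The anti-tracing loop at 00492700-00492765 (repeated at 0049208D-004920F2 in call(2)) reads a clock value formatted with "hhnnss" before the loop and again inside it, and leaves through the failure path when the difference exceeds 0A. The following is an added example, not code from the original article or from the program: it models that comparison in C beside a variant that compares real elapsed seconds, to show where the packed-integer comparison misjudges elapsed time. It assumes that 00409C18 returns the current time and that 0040A858 and 00408B58 format it with "hhnnss" and convert the text to an integer; all function names are hypothetical.

```c
#include <stdio.h>

/* Pack a time of day the way an "hhnnss" format string followed by a
 * string-to-integer conversion would: 12:00:55 -> 120055.
 * Assumed reading of the listing; the article only labels the block
 * "anti-tracing code". */
int pack_hhnnss(int h, int m, int s)
{
    return h * 10000 + m * 100 + s;
}

/* The comparison as it appears in the listing (the listing repeats it
 * while EBX counts from 1 up to 1F5h).
 * Returns 1 when execution continues, 0 when the failure path is taken. */
int listing_check(int start, int now)
{
    if (start < 10)              /* CMP ESI,0A / JL: comparison skipped */
        return 1;
    return (now - start) <= 10;  /* SUB EAX,ESI / CMP EAX,0A / JG fail  */
}

/* Convert a packed hhnnss value back to seconds since midnight. */
int to_seconds(int packed)
{
    return (packed / 10000) * 3600 + (packed / 100 % 100) * 60 + packed % 100;
}

/* Variant that compares real elapsed seconds and handles the midnight
 * wrap. Production code would read a monotonic clock instead of the
 * wall-clock time of day; time of day is kept here so that both checks
 * see the same inputs. */
int elapsed_check(int start, int now, int limit_s)
{
    int d = to_seconds(now) - to_seconds(start);
    if (d < 0)
        d += 24 * 3600;
    return d <= limit_s;
}

struct sample {
    const char *what;
    int start;
    int now;
};

int main(void)
{
    /* Constructed sample timestamps, not taken from the article. */
    struct sample s[] = {
        { "3 s, same minute",
          pack_hhnnss(12, 0, 5),   pack_hhnnss(12, 0, 8)  },
        { "7 s across a minute rollover",
          pack_hhnnss(12, 0, 55),  pack_hhnnss(12, 1, 2)  },
        { "40 s, same minute",
          pack_hhnnss(12, 0, 5),   pack_hhnnss(12, 0, 45) },
        { "602 s across midnight",
          pack_hhnnss(23, 59, 58), pack_hhnnss(0, 10, 0)  },
        { "295 s, start value below 10",
          pack_hhnnss(0, 0, 5),    pack_hhnnss(0, 5, 0)   },
    };
    size_t i;

    printf("%-32s %-8s %-8s\n", "case", "listing", "elapsed");
    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-32s %-8s %-8s\n", s[i].what,
               listing_check(s[i].start, s[i].now) ? "pass" : "fail",
               elapsed_check(s[i].start, s[i].now, 10) ? "pass" : "fail");
    return 0;
}
```

The second row is a false alarm for an untraced run (7 seconds read as a difference of 47), while the last two rows show long delays that the packed comparison does not register.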
--------------------------------
Key call (2)
00492020  |. 874D FC        XCHG DWORD PTR SS:[EBP-4],ECX
00492023  |. 53             PUSH EBX
00492024  |. 56             PUSH ESI
00492025  |. 57             PUSH EDI
00492026  |. 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
00492029  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
0049202C  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
0049202F  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00492032  |. E8 2D20F7FF    CALL ssb.00404064
00492037  |. 33C0           XOR EAX,EAX
00492039  |. 55             PUSH EBP
0049203A  |. 68 16264900    PUSH ssb.00492616
0049203F  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
00492042  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
00492045  |. C645 F3 00     MOV BYTE PTR SS:[EBP-D],0
00492049  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
0049204C  |. E8 5F1EF7FF    CALL ssb.00403EB0
00492051  |. 83F8 14        CMP EAX,14  ; is the registration code 20 characters long?
00492054  |. 0F85 89050000  JNZ ssb.004925E3
0049205A  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
0049205D  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]
00492060  |. E8 631CF7FF    CALL ssb.00403CC8
00492065  |. E8 AE7BF7FF    CALL ssb.00409C18
0049206A  |. 83C4 F8        ADD ESP,-8  ; /
0049206D  |. DD1C24         FSTP QWORD PTR SS:[ESP]  ; |Arg1 (8-byte)
00492070  |. 9B             WAIT  ; |
00492071  |. 8D55 C4        LEA EDX,DWORD PTR SS:[EBP-3C]  ; |
00492074  |. B8 30264900    MOV EAX,ssb.00492630  ; |ASCII "hhnnss"
00492079  |. E8 DA87F7FF    CALL ssb.0040A858  ; \ssb.0040A858
0049207E  |. 8B45 C4        MOV EAX,DWORD PTR SS:[EBP-3C]
00492081  |. E8 D26AF7FF    CALL ssb.00408B58
00492086  |. 8BF8           MOV EDI,EAX
00492088  |. BB 01000000    MOV EBX,1
0049208D  |> 83FF 0A        /CMP EDI,0A
00492090  |. 7C 59          |JL SHORT ssb.004920EB
00492092  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]
00492095  |. E8 161EF7FF    |CALL ssb.00403EB0
0049209A  |. 85C0           |TEST EAX,EAX
0049209C  |. 7E 2E          |JLE SHORT ssb.004920CC
0049209E  |. E8 757BF7FF    |CALL ssb.00409C18
004920A3  |. 83C4 F8        |ADD ESP,-8  ; /
004920A6  |. DD1C24         |FSTP QWORD PTR SS:[ESP]  ; |Arg1 (8-byte)
004920A9  |. 9B             |WAIT  ; |
004920AA  |. 8D55 C0        |LEA EDX,DWORD PTR SS:[EBP-40]  ; |
004920AD  |. B8 30264900    |MOV EAX,ssb.00492630  ; |ASCII "hhnnss"
004920B2  |. E8 A187F7FF    |CALL ssb.0040A858  ; \ssb.0040A858
004920B7  |. 8B45 C0        |MOV EAX,DWORD PTR SS:[EBP-40]
004920BA  |. E8 996AF7FF    |CALL ssb.00408B58
004920BF  |. 2BC7           |SUB EAX,EDI
004920C1  |. 83F8 0A        |CMP EAX,0A
004920C4  |. 0F8F 19050000  |JG ssb.004925E3
004920CA  |. EB 1F          |JMP SHORT ssb.004920EB
004920CC  |> 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]
004920CF  |. E8 DC1DF7FF    |CALL ssb.00403EB0
004920D4  |. 3BD8           |CMP EBX,EAX
004920D6  |. 7D 13          |JGE SHORT ssb.004920EB
004920D8  |. 8D45 E8        |LEA EAX,DWORD PTR SS:[EBP-18]
004920DB  |. 50             |PUSH EAX
004920DC  |. B9 01000000    |MOV ECX,1
004920E1  |. 8BD3           |MOV EDX,EBX
004920E3  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]
004920E6  |. E8 CD1FF7FF    |CALL ssb.004040B8
004920EB  |> 43             |INC EBX
004920EC  |. 81FB F5010000  |CMP EBX,1F5
004920F2  |.^75 99          \JNZ SHORT ssb.0049208D
004920F4  |. BB 01000000    MOV EBX,1  ; the code above is anti-tracing code
004920F9  |> 8D45 BC        /LEA EAX,DWORD PTR SS:[EBP-44]
004920FC  |. 50             |PUSH EAX
004920FD  |. B9 01000000    |MOV ECX,1
00492102  |. 8BD3           |MOV EDX,EBX
00492104  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]  ; password into eax
00492107  |. E8 AC1FF7FF    |CALL ssb.004040B8
0049210C  |. 8B45 BC        |MOV EAX,DWORD PTR SS:[EBP-44]
0049210F  |. BA 40264900    |MOV EDX,ssb.00492640  ; Z into edx
00492114  |. E8 A71EF7FF    |CALL ssb.00403FC0
00492119  |. 0F87 C4040000  |JA ssb.004925E3
0049211F  |. 8D45 B8        |LEA EAX,DWORD PTR SS:[EBP-48]
00492122  |. 50             |PUSH EAX
00492123  |. B9 01000000    |MOV ECX,1
00492128  |. 8BD3           |MOV EDX,EBX
0049212A  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]  ; password into eax
0049212D  |. E8 861FF7FF    |CALL ssb.004040B8
00492132  |. 8B45 B8        |MOV EAX,DWORD PTR SS:[EBP-48]
00492135  |. BA 4C264900    |MOV EDX,ssb.0049264C  ; A into edx
0049213A  |. E8 811EF7FF    |CALL ssb.00403FC0
0049213F  |. 0F82 9E040000  |JB ssb.004925E3
00492145  |. 43             |INC EBX
00492146  |. 83FB 15        |CMP EBX,15
00492149  |.^75 AE          \JNZ SHORT ssb.004920F9  ; the loop above checks that the password consists of upper-case letters
0049214B  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
0049214E  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]  ; password into edx
00492151  |. E8 721BF7FF    CALL ssb.00403CC8
00492156  |. 33F6           XOR ESI,ESI
00492158  |. BB 01000000    MOV EBX,1
0049215D  |> 8D45 E4        /LEA EAX,DWORD PTR SS:[EBP-1C]
00492160  |. 50             |PUSH EAX
00492161  |. B9 01000000    |MOV ECX,1
00492166  |. 8BD3           |MOV EDX,EBX
00492168  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]
0049216B  |. E8 481FF7FF    |CALL ssb.004040B8  ; take the password characters one by one
00492170  |. BA 58264900    |MOV EDX,ssb.00492658  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492175  |. 8B45 E4        |MOV EAX,DWORD PTR SS:[EBP-1C]
00492178  |. E8 1F20F7FF    |CALL ssb.0040419C  ; position of the password character in the string
0049217D  |. 8BF8           |MOV EDI,EAX
0049217F  |. 4F             |DEC EDI  ; position minus 1
00492180  |. 0FAFFB         |IMUL EDI,EBX
00492183  |. 03F7           |ADD ESI,EDI
00492185  |. 43             |INC EBX
00492186  |. 83FB 14        |CMP EBX,14
00492189  |.^75 D2          \JNZ SHORT ssb.0049215D
0049218B  |. 8BC6           MOV EAX,ESI
0049218D  |. B9 1A000000    MOV ECX,1A
00492192  |. 99             CDQ
00492193  |. F7F9           IDIV ECX  ; modulo 26
00492195  |. 42             INC EDX
00492196  |. 8BF2           MOV ESI,EDX
00492198  |. 8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]
0049219B  |. 50             PUSH EAX
0049219C  |. B8 58264900    MOV EAX,ssb.00492658  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
004921A1  |. B9 01000000    MOV ECX,1
004921A6  |. 8BD6           MOV EDX,ESI
004921A8  |. E8 0B1FF7FF    CALL ssb.004040B8  ; take one character of the string
004921AD  |. 8D45 B4        LEA EAX,DWORD PTR SS:[EBP-4C]
004921B0  |. 50             PUSH EAX
004921B1  |. B9 01000000    MOV ECX,1
004921B6  |. BA 14000000    MOV EDX,14
004921BB  |. 8B45 E8        MOV EAX,DWORD PTR SS:[EBP-18]  ; password into eax
004921BE  |. E8 F51EF7FF    CALL ssb.004040B8  ; take the last password character
004921C3  |. 8B55 B4        MOV EDX,DWORD PTR SS:[EBP-4C]
004921C6  |. 8B45 E4        MOV EAX,DWORD PTR SS:[EBP-1C]
004921C9  |. E8 F21DF7FF    CALL ssb.00403FC0  ; compare for equality
004921CE     0F84 0F040000  JE ssb.004925E3 ======>⑶  ; same as step one of call(1)
004921D4  |. 33F6           XOR ESI,ESI
004921D6  |. BB 01000000    MOV EBX,1
004921DB  |> 8D45 E4        /LEA EAX,DWORD PTR SS:[EBP-1C]
004921DE  |. 50             |PUSH EAX
004921DF  |. B9 01000000    |MOV ECX,1
004921E4  |. 8BD3           |MOV EDX,EBX
004921E6  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]
004921E9  |. E8 CA1EF7FF    |CALL ssb.004040B8
004921EE  |. BA 58264900    |MOV EDX,ssb.00492658  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
004921F3  |. 8B45 E4        |MOV EAX,DWORD PTR SS:[EBP-1C]
004921F6  |. E8 A11FF7FF    |CALL ssb.0040419C
004921FB  |. 8BF8           |MOV EDI,EAX
004921FD  |. 4F             |DEC EDI
004921FE  |. 03F7           |ADD ESI,EDI
00492200  |. 43             |INC EBX
00492201  |. 83FB 13        |CMP EBX,13
00492204  |.^75 D5          \JNZ SHORT ssb.004921DB
00492206  |. 8BC6           MOV EAX,ESI
00492208  |. B9 1A000000    MOV ECX,1A
0049220D  |. 99             CDQ
0049220E  |. F7F9           IDIV ECX
00492210  |. 42             INC EDX
00492211  |. 8BF2           MOV ESI,EDX
00492213  |. 8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]
00492216  |. 50             PUSH EAX
00492217  |. B8 58264900    MOV EAX,ssb.00492658  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
0049221C  |. B9 01000000    MOV ECX,1
00492221  |. 8BD6           MOV EDX,ESI
00492223  |. E8 901EF7FF    CALL ssb.004040B8
00492228  |. 8D45 B0        LEA EAX,DWORD PTR SS:[EBP-50]
0049222B  |. 50             PUSH EAX
0049222C  |. B9 01000000    MOV ECX,1
00492231  |. BA 13000000    MOV EDX,13
00492236  |. 8B45 E8        MOV EAX,DWORD PTR SS:[EBP-18]
00492239  |. E8 7A1EF7FF    CALL ssb.004040B8
0049223E  |. 8B55 B0        MOV EDX,DWORD PTR SS:[EBP-50]
00492241  |. 8B45 E4        MOV EAX,DWORD PTR SS:[EBP-1C]
00492244  |. E8 771DF7FF    CALL ssb.00403FC0  ; compare for equality
00492249     0F84 94030000  JE ssb.004925E3======+======>⑷  ; same as step two of call(2)
0049224F  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
00492252  |. 50             PUSH EAX
00492253  |. B9 12000000    MOV ECX,12
00492258  |. BA 01000000    MOV EDX,1
0049225D  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]  ; password into eax
00492260  |. E8 531EF7FF    CALL ssb.004040B8  ; starting at position 1, take 18 characters
00492265  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
00492268  |. E8 C319F7FF    CALL ssb.00403C30
0049226D  |. BB 01000000    MOV EBX,1
00492272  |> 8D45 AC        /LEA EAX,DWORD PTR SS:[EBP-54]
00492275  |. 50             |PUSH EAX
00492276  |. BA 12000000    |MOV EDX,12
0049227B  |. 2BD3           |SUB EDX,EBX
0049227D  |. 42             |INC EDX
0049227E  |. B9 01000000    |MOV ECX,1
00492283  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]  ; 18-character password into eax
00492286  |. E8 2D1EF7FF    |CALL ssb.004040B8  ; starting from the last character, take 1 character at a time
0049228B  |. 8B55 AC        |MOV EDX,DWORD PTR SS:[EBP-54]
0049228E  |. 8D45 EC        |LEA EAX,DWORD PTR SS:[EBP-14]
00492291  |. E8 221CF7FF    |CALL ssb.00403EB8
00492296  |. 43             |INC EBX
00492297  |. 83FB 13        |CMP EBX,13
0049229A  |.^75 D6          \JNZ SHORT ssb.00492272  ; the loop above stores the password string reversed, e.g. ABCDE becomes EDCBA
0049229C  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]  ; 18-character password into eax
0049229F  |. 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-14]  ; the reversed 18 characters into edx
004922A2  |. E8 211AF7FF    CALL ssb.00403CC8
004922A7  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
004922AA  |. E8 8119F7FF    CALL ssb.00403C30
004922AF  |. BB 01000000    MOV EBX,1
004922B4  |> FF75 EC        /PUSH DWORD PTR SS:[EBP-14]
004922B7  |. 8D45 A8        |LEA EAX,DWORD PTR SS:[EBP-58]
004922BA  |. 50             |PUSH EAX
004922BB  |. B9 01000000    |MOV ECX,1
004922C0  |. 8BD3           |MOV EDX,EBX
004922C2  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]  ; reversed 18-character password into edx
004922C5  |. E8 EE1DF7FF    |CALL ssb.004040B8  ; starting at position 1, take 1 character at a time
004922CA  |. FF75 A8        |PUSH DWORD PTR SS:[EBP-58]
004922CD  |. 8D45 A4        |LEA EAX,DWORD PTR SS:[EBP-5C]
004922D0  |. 50             |PUSH EAX
004922D1  |. 8D53 09        |LEA EDX,DWORD PTR DS:[EBX+9]
004922D4  |. B9 01000000    |MOV ECX,1
004922D9  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]  ; reversed 18-character password into edx
004922DC  |. E8 D71DF7FF    |CALL ssb.004040B8  ; counting from position 1, take character ebx+9
004922E1  |. FF75 A4        |PUSH DWORD PTR SS:[EBP-5C]
004922E4  |. 8D45 EC        |LEA EAX,DWORD PTR SS:[EBP-14]
004922E7  |. BA 03000000    |MOV EDX,3
004922EC  |. E8 7F1CF7FF    |CALL ssb.00403F70  ; from the reversed 18-character password, character EBX and character (ebx+9) are stored one after the other; when (ebx+9)>18 only character ebx is appended at the end; the result is a 27-character string
004922F1  |. 43             |INC EBX
004922F2  |. 83FB 13        |CMP EBX,13  ; 18 iterations in total
004922F5  |.^75 BD          \JNZ SHORT ssb.004922B4
004922F7  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
004922FA  |. 50             PUSH EAX
004922FB  |. B9 0F000000    MOV ECX,0F  ; F into ecx
00492300  |. BA 01000000    MOV EDX,1
00492305  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]  ; the 27-character string obtained above, into eax
00492308  |. E8 AB1DF7FF    CALL ssb.004040B8  ; starting at position 1, take 15 characters, forming a 15-character string
0049230D  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]  ; reversed 18-character password into eax
00492310  |. E8 1B19F7FF    CALL ssb.00403C30
00492315  |. BB 01000000    MOV EBX,1
0049231A  |> 8D45 E4        /LEA EAX,DWORD PTR SS:[EBP-1C]
0049231D  |. 50             |PUSH EAX
0049231E  |. 8D149B         |LEA EDX,DWORD PTR DS:[EBX+EBX*4]
00492321  |. 83EA 04        |SUB EDX,4
00492324  |. B9 05000000    |MOV ECX,5
00492329  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]  ; the 15-character string formed above, into eax
0049232C  |. E8 871DF7FF    |CALL ssb.004040B8  ; starting at position (ebx+ebx*4)-4, take 5 characters, forming a 5-character string
00492331  |. 33FF           |XOR EDI,EDI
00492333  |. BE 05000000    |MOV ESI,5
00492338  |> 8D45 A0        |/LEA EAX,DWORD PTR SS:[EBP-60]
0049233B  |. 50             ||PUSH EAX
0049233C  |. B9 01000000    ||MOV ECX,1
00492341  |. 8BD6           ||MOV EDX,ESI
00492343  |. 8B45 E4        ||MOV EAX,DWORD PTR SS:[EBP-1C]  ; the 5-character string formed above, into eax
00492346  |. E8 6D1DF7FF    ||CALL ssb.004040B8  ; starting from position 5, take 1 character
0049234B  |. 8B45 A0        ||MOV EAX,DWORD PTR SS:[EBP-60]
0049234E  |. BA 58264900    ||MOV EDX,ssb.00492658  ; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492353  |. E8 441EF7FF    ||CALL ssb.0040419C  ; position of that character in the string
00492358  |. 48             ||DEC EAX  ; position minus 1
00492359  |. 6BD7 1A        ||IMUL EDX,EDI,1A  ; edx=edi*1a
0049235C  |. 03C2           ||ADD EAX,EDX  ; eax=eax+edx
0049235E  |. 8BF8           ||MOV EDI,EAX  ; edi=eax
00492360  |. 4E             ||DEC ESI
00492361  |. 85F6           ||TEST ESI,ESI
00492363  |.^75 D3          |\JNZ SHORT ssb.00492338
00492365  |. 8D55 E4        |LEA EDX,DWORD PTR SS:[EBP-1C]  ; the 5-character string formed above, into edx
00492368  |. 8BC7           |MOV EAX,EDI
0049236A  |. E8 4967F7FF    |CALL ssb.00408AB8  ; the edi value computed above is converted to decimal
0049236F  |. 8B45 E4        |MOV EAX,DWORD PTR SS:[EBP-1C]
00492372  |. E8 391BF7FF    |CALL ssb.00403EB0  ; get the number of digits
00492377  |. BF 07000000    |MOV EDI,7
0049237C  |. 2BF8           |SUB EDI,EAX
0049237E  |. 85FF           |TEST EDI,EDI
00492380  |. 7E 13          |JLE SHORT ssb.00492395
00492382  |> 8D45 E4        |/LEA EAX,DWORD PTR SS:[EBP-1C]
00492385  |. 8B4D E4        ||MOV ECX,DWORD PTR SS:[EBP-1C]
00492388  |. BA 7C264900    ||MOV EDX,ssb.0049267C  ; 0 into edx
0049238D  |. E8 6A1BF7FF    ||CALL ssb.00403EFC
00492392  |. 4F             ||DEC EDI
00492393  |.^75 ED          |\JNZ SHORT ssb.00492382  ; if the decimal number has fewer than 7 digits, zeros are inserted in front
00492395  |> 8D45 E8        |LEA EAX,DWORD PTR SS:[EBP-18]
00492398  |. 8B55 E4        |MOV EDX,DWORD PTR SS:[EBP-1C]
0049239B  |. E8 181BF7FF    |CALL ssb.00403EB8  ; the generated decimal numbers are concatenated in order, forming a 21-digit number
004923A0  |. 43             |INC EBX
004923A1  |. 83FB 04        |CMP EBX,4
004923A4  |.^0F85 70FFFFFF  \JNZ ssb.0049231A  ; the loop above runs 3 times
004923AA  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]  ; the reversed 18-character password
004923AD  |. 8B55 E8        MOV EDX,DWORD PTR SS:[EBP-18]  ; the generated 21-digit number, into edx
004923B0  |. E8 1319F7FF    CALL ssb.00403CC8
004923B5  |. BB 01000000    MOV EBX,1
004923BA  |. 8D75 C8        LEA ESI,DWORD PTR SS:[EBP-38]
004923BD  |> 8D45 9C        /LEA EAX,DWORD PTR SS:[EBP-64]
004923C0  |. 50             |PUSH EAX
004923C1  |. 8D145B         |LEA EDX,DWORD PTR DS:[EBX+EBX*2]
004923C4  |. 83EA 02        |SUB EDX,2
004923C7  |. B9 03000000    |MOV ECX,3
004923CC  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]  ; the generated 21-digit number, into eax
004923CF  |. E8 E41CF7FF    |CALL ssb.004040B8  ; starting at position [(ebx+ebx*2)-2], take 3 digits
004923D4  |. 8B45 9C        |MOV EAX,DWORD PTR SS:[EBP-64]
004923D7  |. E8 7C67F7FF    |CALL ssb.00408B58  ; the 3 digits, converted to hex
004923DC  |. 8906           |MOV DWORD PTR DS:[ESI],EAX
004923DE  |. 43             |INC EBX
004923DF  |. 83C6 04        |ADD ESI,4
004923E2  |. 83FB 08        |CMP EBX,8  ; 7 iterations
004923E5  |.^75 D6          \JNZ SHORT ssb.004923BD  ; the loop above splits the 21-digit decimal number into 7 segments
004923E7  |. BB FAFFFFFF    MOV EBX,-6
004923EC  |. 8D45 E0        LEA EAX,DWORD PTR SS:[EBP-20]
004923EF  |> 8B10           /MOV EDX,DWORD PTR DS:[EAX]  ; segment (8-ebx) into edx
004923F1  |. 3B50 FC        |CMP EDX,DWORD PTR DS:[EAX-4]  ; is segment (8-ebx) equal to segment (8-ebx-1)?
004923F4  |. 7D 06          |JGE SHORT ssb.004923FC  ; if segment (8-ebx) is smaller than segment (8-ebx-1), add 3e8 to segment (8-ebx)
004923F6  |. 8100 E8030000  |ADD DWORD PTR DS:[EAX],3E8  ; if smaller, add 3e8 to segment (8-ebx)
004923FC  |> 8B50 FC        |MOV EDX,DWORD PTR DS:[EAX-4]  ; segment (8-ebx)-1 into edx
004923FF  |. 2910           |SUB DWORD PTR DS:[EAX],EDX  ; segment (8-ebx) minus segment 6
00492401  |. 83E8 04        |SUB EAX,4
00492404  |. 43             |INC EBX
00492405  |.^75 E8          \JNZ SHORT ssb.004923EF  ; 7 iterations; the 7 segments above are transformed accordingly
00492407  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]  ; the generated 21-digit number, into eax
0049240A  |. E8 2118F7FF    CALL ssb.00403C30
0049240F  |. BB 07000000    MOV EBX,7
00492414  |. 8D75 C8        LEA ESI,DWORD PTR SS:[EBP-38]
00492417  |> 8D55 E8        /LEA EDX,DWORD PTR SS:[EBP-18]  ; the generated 21-digit number, into edx
0049241A  |. 8B06           |MOV EAX,DWORD PTR DS:[ESI]  ; transformed segment ebx into eax
0049241C  |. E8 9766F7FF    |CALL ssb.00408AB8  ; convert the hex number to decimal
00492421  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]  ; decimal number into eax
00492424  |. E8 871AF7FF    |CALL ssb.00403EB0  ; get the number of digits
00492429  |. BF 03000000    |MOV EDI,3
0049242E  |. 2BF8           |SUB EDI,EAX
00492430  |. 85FF           |TEST EDI,EDI
00492432  |. 7E 13          |JLE SHORT ssb.00492447
00492434  |> 8D45 E8        |/LEA EAX,DWORD PTR SS:[EBP-18]
00492437  |. 8B4D E8        ||MOV ECX,DWORD PTR SS:[EBP-18]
0049243A  |. BA 7C264900    ||MOV EDX,ssb.0049267C  ; 0 into edx
0049243F  |. E8 B81AF7FF    ||CALL ssb.00403EFC
00492444  |. 4F             ||DEC EDI
00492445  |.^75 ED          |\JNZ SHORT ssb.00492434  ; if the decimal number has fewer than 3 digits, zeros are inserted in front
00492447  |> 8D45 EC        |LEA EAX,DWORD PTR SS:[EBP-14]
0049244A  |. 8B55 E8        |MOV EDX,DWORD PTR SS:[EBP-18]
0049244D  |. E8 661AF7FF    |CALL ssb.00403EB8  ; the 7 segments are joined in order into 21 digits, 3*7=21
00492452  |. 83C6 04        |ADD ESI,4
00492455  |. 4B             |DEC EBX
00492456  |.^75 BF          \JNZ SHORT ssb.00492417
00492458  |. BB 01000000    MOV EBX,1
0049245D  |> 8D45 98        /LEA EAX,DWORD PTR SS:[EBP-68]
00492460  |. 50             |PUSH EAX
00492461  |. B9 01000000    |MOV ECX,1
00492466  |. 8BD3           |MOV EDX,EBX
00492468  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]  ; the resulting 21-digit decimal number into eax
0049246B  |. E8 481CF7FF    |CALL ssb.004040B8  ; starting at position ebx, take 1 digit
00492470  |. 8B45 98        |MOV EAX,DWORD PTR SS:[EBP-68]
00492473  |. BA 88264900    |MOV EDX,ssb.00492688  ; 9 into edx
00492478  |. E8 431BF7FF    |CALL ssb.00403FC0
0049247D  |. 0F87 60010000  |JA ssb.004925E3
00492483  |. 8D45 94        |LEA EAX,DWORD PTR SS:[EBP-6C]
00492486  |. 50             |PUSH EAX
00492487  |. B9 01000000    |MOV ECX,1
0049248C  |. 8BD3           |MOV EDX,EBX
0049248E  |. 8B45 EC        |MOV EAX,DWORD PTR SS:[EBP-14]  ; the resulting 21-digit decimal number into eax
00492491  |. E8 221CF7FF    |CALL ssb.004040B8
00492496  |. 8B45 94        |MOV EAX,DWORD PTR SS:[EBP-6C]  ; 0 into eax
00492499  |. BA 7C264900    |MOV EDX,ssb.0049267C
0049249E  |. E8 1D1BF7FF    |CALL ssb.00403FC0
004924A3  |. 0F82 3A010000  |JB ssb.004925E3
004924A9  |. 43             |INC EBX
004924AA  |. 83FB 16        |CMP EBX,16  ; 21 iterations
004924AD  |.^75 AE          \JNZ SHORT ssb.0049245D  ; the loop above checks that every character of the resulting 21-digit decimal string is a digit
004924AF  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
004924B2  |. 50             PUSH EAX
004924B3  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]  ; the resulting 21-digit decimal number into eax
004924B6  |. E8 F519F7FF    CALL ssb.00403EB0  ; get the number of digits
004924BB  |. 8BC8           MOV ECX,EAX
004924BD  |. BA 03000000    MOV EDX,3
004924C2  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]  ; the resulting 21-digit decimal number into eax
004924C5  |. E8 EE1BF7FF    CALL ssb.004040B8  ; starting at position 3, take 21 digits, i.e. everything from position 3 onwards, forming 19 digits
004924CA  |. BE 01000000    MOV ESI,1  ; esi=1
004924CF  |. BB 01000000    MOV EBX,1
004924D4  |> 8D45 90        /LEA EAX,DWORD PTR SS:[EBP-70]
004924D7  |. 50             |PUSH EAX
004924D8  |. B9 01000000    |MOV ECX,1
004924DD  |. 8BD3           |MOV EDX,EBX
004924DF  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]  ; the resulting 19-digit number into eax
004924E2  |. E8 D11BF7FF    |CALL ssb.004040B8  ; starting at position ebx, take 1 digit
004924E7  |. 8B45 90        |MOV EAX,DWORD PTR SS:[EBP-70]
004924EA  |. E8 6966F7FF    |CALL ssb.00408B58  ; converted to hex, into eax
004924EF  |. 8BF8           |MOV EDI,EAX  ; edi=eax
004924F1  |. 85FF           |TEST EDI,EDI
004924F3  |. 74 03          |JE SHORT ssb.004924F8
004924F5  |. 0FAFF7         |IMUL ESI,EDI  ; esi=esi*edi; a digit of 0 does not take part
004924F8  |> 83FE 64        |CMP ESI,64  ; is esi less than 64?
004924FB  |. 7E 0C          |JLE SHORT ssb.00492509
004924FD  |. 8BC6           |MOV EAX,ESI
004924FF  |. B9 64000000    |MOV ECX,64
00492504  |. 99             |CDQ
00492505  |. F7F9           |IDIV ECX
00492507  |. 8BF0           |MOV ESI,EAX  ; quotient into esi
00492509  |> 43             |INC EBX
0049250A  |. 83FB 14        |CMP EBX,14  ; 19 iterations
0049250D  |.^75 C5          \JNZ SHORT ssb.004924D4
0049250F  |. 8BC6           MOV EAX,ESI
00492511  |. B9 64000000    MOV ECX,64
00492516  |. 99             CDQ
00492517  |. F7F9           IDIV ECX
00492519  |. 8BF2           MOV ESI,EDX  ; esi modulo 64, stored back in esi
0049251B  |. 83FE 0A        CMP ESI,0A
0049251E  |. 7D 03          JGE SHORT ssb.00492523  ; if esi is less than 0a, esi=esi+0a
00492520  |. 83C6 0A        ADD ESI,0A
00492523  |> 8D45 8C        LEA EAX,DWORD PTR SS:[EBP-74]
00492526  |. 50             PUSH EAX
00492527  |. B9 02000000    MOV ECX,2
0049252C  |. BA 01000000    MOV EDX,1
00492531  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]  ; the resulting 21-digit decimal number into eax
00492534  |. E8 7F1BF7FF    CALL ssb.004040B8  ; starting at position 1, take 2 digits
00492539  |. 8B45 8C        MOV EAX,DWORD PTR SS:[EBP-74]  ; the two digits into eax
0049253C  |. E8 1766F7FF    CALL ssb.00408B58  ; converted to hex, into eax
00492541  |. 3BF0           CMP ESI,EAX  ; compare esi with eax
00492543     0F84 9A000000  JE ssb.004925E3 ==============>⑸  ; if not equal, error
00492549  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
0049254C  |. E8 DF16F7FF    CALL ssb.00403C30
00492551  |. BB 01000000    MOV EBX,1
00492556  |> 8D45 88        /LEA EAX,DWORD PTR SS:[EBP-78]
00492559  |. 50             |PUSH EAX
0049255A  |. B9 01000000    |MOV ECX,1
0049255F  |. 8BD3           |MOV EDX,EBX
00492561  |. 8B45 E8        |MOV EAX,DWORD PTR SS:[EBP-18]  ; the 19-digit decimal number (the 21-digit number without its first two digits) into eax
00492564  |. E8 4F1BF7FF    |CALL ssb.004040B8  ; starting at position ebx, take 1 digit
00492569  |. 8B45 88        |MOV EAX,DWORD PTR SS:[EBP-78]
0049256C  |. E8 E765F7FF    |CALL ssb.00408B58  ; converted to hex, into eax
00492571  |. BF 09000000    |MOV EDI,9  ; 9 into edi
00492576  |. 2BF8           |SUB EDI,EAX  ; edi=edi-eax
00492578  |. 8D55 84        |LEA EDX,DWORD PTR SS:[EBP-7C]
0049257B  |. 8BC7           |MOV EAX,EDI
0049257D  |. E8 3665F7FF    |CALL ssb.00408AB8  ; converted to hex
00492582  |. 8B55 84        |MOV EDX,DWORD PTR SS:[EBP-7C]
00492585  |. 8D45 EC        |LEA EAX,DWORD PTR SS:[EBP-14]
00492588  |. E8 2B19F7FF    |CALL ssb.00403EB8
0049258D  |. 43             |INC EBX
0049258E  |. 83FB 14        |CMP EBX,14  ; 19 iterations
00492591  |.^75 C3          \JNZ SHORT ssb.00492556  ; the loop above subtracts each digit from 9 in turn, forming a new 19-digit string
00492593  |. 8D45 80        LEA EAX,DWORD PTR SS:[EBP-80]
00492596  |. 50             PUSH EAX
00492597  |. B9 03000000    MOV ECX,3
0049259C  |. BA 03000000    MOV EDX,3
004925A1  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]  ; the new 19-digit string, into eax
004925A4  |. E8 0F1BF7FF    CALL ssb.004040B8  ; starting at position 3, take 3 digits
004925A9  |. 8B45 80        MOV EAX,DWORD PTR SS:[EBP-80]
004925AC  |. E8 A765F7FF    CALL ssb.00408B58  ; converted to hex, into eax
004925B1  |. 3B45 F4        CMP EAX,DWORD PTR SS:[EBP-C]  ; eax compared with [ebp-c], i.e. with 137
004925B4     74 2D          JE SHORT ssb.004925E3 ============>⑹  ; if not equal, error
004925B6  |. 8D85 7CFFFFFF  LEA EAX,DWORD PTR SS:[EBP-84]
004925BC  |. 50             PUSH EAX
004925BD  |. B9 06000000    MOV ECX,6
004925C2  |. BA 0E000000    MOV EDX,0E
004925C7  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]  ; the new 19-digit string, into eax
004925CA  |. E8 E91AF7FF    CALL ssb.004040B8  ; starting at position E, take 6 digits
004925CF  |. 8B85 7CFFFFFF  MOV EAX,DWORD PTR SS:[EBP-84]  ; the 6 digits into eax
004925D5  |. E8 7E65F7FF    CALL ssb.00408B58  ; converted to hex, into eax
004925DA  |. 3B45 F8        CMP EAX,DWORD PTR SS:[EBP-8]  ; eax compared with [ebp-8], i.e. with the machine code
004925DD     74 04          JE SHORT ssb.004925E3 ============>⑺  ; if not equal, error
004925DF  |. C645 F3 01     MOV BYTE PTR SS:[EBP-D],1
004925E3  |> 33C0           XOR EAX,EAX
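Summary of call(2):
String: GFEDCBANMLKJIHTSRQPOZYXWVU
Password string: abcdefghijabcdefghij
1. Step one
Y=0;
for(int i=1;i<21;i++) // 20 characters take part
{
    X = position of the i-th password character in the string;
    Y=Y+(X-1)*i;
}
Y=mode(Y,26);
Y=Y+1;
Take the Y-th letter of the string and compare it with the last character of the password;
2. Step two
Y=0;
for(int i=1;i<20;i++) // 19 characters take part
{
    X = position of the i-th password character in the string;
    Y=Y+(X-1);
}
Y=mode(Y,26);
Y=Y+1;
Take the Y-th letter of the string and compare it with the second-to-last character of the password;
3. Step three, described in pseudo-C as follows:
Starting at position 1 of the password string, take 18 characters, forming string A;
// password string: abcdefghijabcdefghij -> abcdefghijabcdefgh (call it A)
Reverse the 18-character string A from the previous step and call the result string B;
// e.g. abcdefghijabcdefgh -> hgfedcbaj ihgfedcba
// next, a new string C of 27 characters is formed
// split string B evenly into two halves, B1 (hgfedcbaj) and B2 (ihgfedcba)
Interleave string B2 into string B1, then append string B2 at the end, forming string C:
// string C is: highfgefdecdbcabjaihgfedcba
Starting at position 1 of string C, take 15 characters, forming string D;
// D is highfgefdecdbca
Starting at positions 1, 6 and 11 of string D, take 5 characters each;
// call the resulting strings E, F and G: highf, gefde, cdbca
// each of the three strings goes through the following calculation:
int tmp=0;
for(int i=5;i>0;i--)
{
    int locate=f(E(i));
    // for each string (E, F, G), starting from the highest position, look up the character's position in the string (GFEDCBANMLKJIHTSRQPOZYXWVU);
    locate=locate-1;
    tmp=locate+tmp*26;
}
if(tmp has fewer than 7 digits)
    insert 0 in front of tmp;
The 7-digit tmp values generated by the three strings make up the 21-digit string H;
Take string H 3 digits at a time from position 1, giving 7 strings, I(1,2,3...7); // 7*3=21
Starting from the last segment I7, compare each segment with the one before it; if the later segment is smaller than the earlier one, add 1000 to the later segment; // loops 6 times
Starting from the last segment, if a segment has fewer than 3 digits, insert 0 in front;
Append the 7 segments in order, giving the 21-digit string J;
Starting at position 3 of string J, take all remaining digits, forming the 19-digit string K;
int tmp=1;
for(int i=1;i<20;i++)
{
    if(digit i of string K is not 0)
        tmp = digit i of string K * tmp;
    if(tmp>100)
        tmp=(int)(tmp/100); // take the quotient
}
tmp=mode(tmp,100);
if(tmp<10)
    tmp=tmp+10;
Compare tmp with the first two digits of string J;
Subtract each digit of string K from 9, forming string L;
Take 3 digits of string L starting at position 3 and compare them with 311;
Take 6 digits of string L starting at position 14, i.e. the last 6 digits of string L, and compare them with the machine code;
Working backwards:
1. Machine code: 870889 -> string L: x1x2x3x4x5x6x7x8x9x10x11x12x13x14x15x16x17x18x19,
x1x2-311-x6x7x8x9x10x11x12x13-870889->
2. String K: (9-x1)(9-x2)688(9-x6)(9-x7)(9-x8)(9-x9)(9-x10)(9-x11)(9-x12)(9-x13)-129110->
Adding two digits in front gives string J: Y1Y2(9-x1)(9-x2)688(9-x6)(9-x7)(9-x8)(9-x9)(9-x10)(9-x11)(9-x12)(9-x13)-129110
3. Equation 1: y1y2 = the product of the non-zero digits of string K, multiplied in order (if the product exceeds 100, take the hundreds part and continue multiplying with the following non-zero digits; at the end take the tens and units digits)
4. String J is divided into 7 equal segments, which are compared pairwise and processed, forming string H
5. String H is divided into 3 segments of 7 digits each
6. Each segment yields 5 characters according to the string
......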
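3. Cracking:
The verification routine is long and tedious; my eyes glazed over. I traced the code dynamically in OllyDbg while annotating it in OllyDbg at the same time, so the notes are messy.
The patch is as follows. Because my skills are still poor, it took 7 cuts in total; my technique needs further improvement.
At (1) through (7), changing jne to je is enough.
Change them in turn as follows:
Patches
Address   Size  State   Old                     New                    Comment
004921CE  6.    Active  JNZ ssb.004925E3        JE ssb.004925E3
00492249  6.    Active  JNZ ssb.004925E3        JE ssb.004925E3
00492543  6.    Active  JNZ ssb.004925E3        JE ssb.004925E3        if not equal, error
004925B4  2.    Active  JNZ SHORT ssb.004925E3  JE SHORT ssb.004925E3  if not equal, error
004925DD  2.    Active  JNZ SHORT ssb.004925E3  JE SHORT ssb.004925E3  if not equal, error
00492841  2.    Active  JNZ SHORT ssb.004928BE  JE SHORT ssb.004928BE
004928B8  2.    Active  JNZ SHORT ssb.004928BE  JE SHORT ssb.004928BE
Changing the values above from old to new completes the patch.
When registering, enter any 20-letter password; it is independent of the e-mail name.
cracked by lordor
03.5.3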