*** WordV3.9算法分析
【文章标题】: *** WordV3.9算法分析【文章作者】: yzs&yzslly
【软件名称】: BatchDoc for WordV3.9
【下载地址】: 自己搜索下载
【保护方式】: 注册码
【编写语言】: vb
【使用工具】: OD
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
输入试炼码:123-456,点注册中断在
0043CA80 > \55 push ebp
0043CA81 .8BEC mov ebp,esp
0043CA83 .83EC 0C sub esp,0C
0043CA86 .68 061E4000push ;SE 句柄安装
。。。省略往下
0043CB38 .52 push edx ;压入注册码
0043CB39 .68 60114100push BatchDoc.00411160 ;-
0043CB3E .53 push ebx
0043CB3F .FF15 7811400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaInStr
0043CB45 .8BC8 mov ecx,eax
0043CB47 .FF15 D010400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaI2I4
0043CB4D .8D4D DC lea ecx,dword ptr ss:
0043CB50 .8945 E8 mov dword ptr ss:,eax
0043CB53 .FF15 FC11400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeStr
0043CB59 .8D4D D4 lea ecx,dword ptr ss:
0043CB5C .FF15 F811400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeObj
0043CB62 .8B06 mov eax,dword ptr ds:
0043CB64 .56 push esi
0043CB65 .FF90 0803000>call dword ptr ds:
0043CB6B .8D4D D4 lea ecx,dword ptr ss:
0043CB6E .50 push eax
0043CB6F .51 push ecx
0043CB70 .FFD7 call edi
0043CB72 .8BD8 mov ebx,eax
0043CB74 .8D45 DC lea eax,dword ptr ss:
0043CB77 .50 push eax
0043CB78 .53 push ebx
0043CB79 .8B13 mov edx,dword ptr ds:
0043CB7B .FF92 A000000>call dword ptr ds:
0043CB81 .85C0 test eax,eax
0043CB83 .DBE2 fclex
0043CB85 .7D 12 jge short BatchDoc.0043CB99
0043CB87 .68 A0000000push 0A0
0043CB8C .68 58064100push BatchDoc.00410658
0043CB91 .53 push ebx
0043CB92 .50 push eax
0043CB93 .FF15 5C10400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaHresultCheckObj
0043CB99 >8B4D DC mov ecx,dword ptr ss:
0043CB9C .51 push ecx
0043CB9D .FF15 2810400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaLenBstr
0043CBA3 .33DB xor ebx,ebx
0043CBA5 .83F8 03 cmp eax,3 ;注册码长度大于3
0043CBA8 .0F9FC3 setg bl
0043CBAB .F7DB neg ebx
0043CBAD .33D2 xor edx,edx
0043CBAF .66:837D E8 0>cmp word ptr ss:,1
0043CBB4 .8D4D DC lea ecx,dword ptr ss:
0043CBB7 .0F9FC2 setg dl
0043CBBA .F7DA neg edx
0043CBBC .23DA and ebx,edx
0043CBBE .FF15 FC11400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeStr
0043CBC4 .8D4D D4 lea ecx,dword ptr ss:
0043CBC7 .FF15 F811400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeObj
0043CBCD .66:85DB test bx,bx
0043CBD0 .0F84 0104000>je BatchDoc.0043CFD7 ;判断注册码是否有“-”号,长度大于3
///////////////////////////////////////////////////////////////////////////////////////////////////
0043CBD6 .8B06 mov eax,dword ptr ds:
0043CBD8 .56 push esi
0043CBD9 .FF90 0803000>call dword ptr ds:
0043CBDF .8D4D D4 lea ecx,dword ptr ss:
0043CBE2 .50 push eax
0043CBE3 .51 push ecx
0043CBE4 .FFD7 call edi
0043CBE6 .8BD8 mov ebx,eax
0043CBE8 .8D45 DC lea eax,dword ptr ss:
0043CBEB .50 push eax
0043CBEC .53 push ebx
0043CBED .8B13 mov edx,dword ptr ds:
0043CBEF .FF92 A000000>call dword ptr ds:
0043CBF5 .85C0 test eax,eax
0043CBF7 .DBE2 fclex
0043CBF9 .7D 12 jge short BatchDoc.0043CC0D
0043CBFB .68 A0000000push 0A0
0043CC00 .68 58064100push BatchDoc.00410658
0043CC05 .53 push ebx
0043CC06 .50 push eax
0043CC07 .FF15 5C10400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaHresultCheckObj
0043CC0D >66:8B4D E8 mov cx,word ptr ss:
0043CC11 .8B45 DC mov eax,dword ptr ss:
0043CC14 .66:83E9 01 sub cx,1
0043CC18 .8945 C4 mov dword ptr ss:,eax
0043CC1B .0F80 0606000>jo BatchDoc.0043D227
0043CC21 .0FBFD1 movsx edx,cx
0043CC24 .8D45 BC lea eax,dword ptr ss:
0043CC27 .52 push edx ; /Arg3
0043CC28 .8D4D AC lea ecx,dword ptr ss: ; |
0043CC2B .50 push eax ; |Arg2
0043CC2C .51 push ecx ; |Arg1
0043CC2D .C745 DC 0000>mov dword ptr ss:,0 ; |
0043CC34 .C745 BC 0800>mov dword ptr ss:,8 ; |
0043CC3B .FF15 CC11400>call dword ptr ds:[<&MSVBVM60.#61>; \rtcLeftCharVar
0043CC41 .8D55 AC lea edx,dword ptr ss:
0043CC44 .52 push edx
0043CC45 .FF15 2410400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaStrVarMove
0043CC4B .8B1D D411400>mov ebx,dword ptr ds:[<&MSVBVM60.>;MSVBVM60.__vbaStrMove
0043CC51 .8BD0 mov edx,eax
0043CC53 .8D4D E4 lea ecx,dword ptr ss:
0043CC56 .FFD3 call ebx ;<&MSVBVM60.__vbaStrMove>
0043CC58 .8D4D D4 lea ecx,dword ptr ss:
0043CC5B .FF15 F811400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeObj
0043CC61 .8D45 AC lea eax,dword ptr ss:
0043CC64 .8D4D BC lea ecx,dword ptr ss:
0043CC67 .50 push eax
0043CC68 .51 push ecx
0043CC69 .6A 02 push 2
0043CC6B .FF15 2C10400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeVarList
0043CC71 .8B16 mov edx,dword ptr ds:
0043CC73 .83C4 0C add esp,0C
0043CC76 .56 push esi
0043CC77 .FF92 0803000>call dword ptr ds:
0043CC7D .50 push eax
0043CC7E .8D45 D4 lea eax,dword ptr ss:
0043CC81 .50 push eax
0043CC82 .FFD7 call edi
0043CC84 .8B08 mov ecx,dword ptr ds:
0043CC86 .8D55 DC lea edx,dword ptr ss:
0043CC89 .52 push edx
0043CC8A .50 push eax
0043CC8B .8985 58FFFFF>mov dword ptr ss:,eax
0043CC91 .FF91 A000000>call dword ptr ds:
0043CC97 .85C0 test eax,eax
0043CC99 .DBE2 fclex
0043CC9B .7D 18 jge short BatchDoc.0043CCB5
0043CC9D .8B8D 58FFFFF>mov ecx,dword ptr ss:
0043CCA3 .68 A0000000push 0A0
0043CCA8 .68 58064100push BatchDoc.00410658
0043CCAD .51 push ecx
0043CCAE .50 push eax
0043CCAF .FF15 5C10400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaHresultCheckObj
0043CCB5 >8B16 mov edx,dword ptr ds:
0043CCB7 .56 push esi
0043CCB8 .FF92 0803000>call dword ptr ds:
0043CCBE .50 push eax
0043CCBF .8D45 D0 lea eax,dword ptr ss:
0043CCC2 .50 push eax
0043CCC3 .FFD7 call edi
0043CCC5 .8BF8 mov edi,eax
0043CCC7 .8D55 D8 lea edx,dword ptr ss:
0043CCCA .52 push edx
0043CCCB .57 push edi
0043CCCC .8B0F mov ecx,dword ptr ds:
0043CCCE .FF91 A000000>call dword ptr ds:
0043CCD4 .85C0 test eax,eax
0043CCD6 .DBE2 fclex
0043CCD8 .7D 12 jge short BatchDoc.0043CCEC
0043CCDA .68 A0000000push 0A0
0043CCDF .68 58064100push BatchDoc.00410658
0043CCE4 .57 push edi
0043CCE5 .50 push eax
0043CCE6 .FF15 5C10400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaHresultCheckObj
0043CCEC >8B45 DC mov eax,dword ptr ss:
0043CCEF .C745 DC 0000>mov dword ptr ss:,0
0043CCF6 .8945 C4 mov dword ptr ss:,eax
0043CCF9 .8B45 D8 mov eax,dword ptr ss:
0043CCFC .50 push eax
0043CCFD .C745 BC 0800>mov dword ptr ss:,8
0043CD04 .FF15 2810400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaLenBstr
0043CD0A .0FBF4D E8 movsx ecx,word ptr ss:
0043CD0E .2BC1 sub eax,ecx
0043CD10 .8D55 BC lea edx,dword ptr ss:
0043CD13 .0F80 0E05000>jo BatchDoc.0043D227
0043CD19 .50 push eax ; /Arg3
0043CD1A .8D45 AC lea eax,dword ptr ss: ; |
0043CD1D .52 push edx ; |Arg2
0043CD1E .50 push eax ; |Arg1
0043CD1F .FF15 E011400>call dword ptr ds:[<&MSVBVM60.#61>; \rtcRightCharVar
0043CD25 .8D4D AC lea ecx,dword ptr ss:
0043CD28 .51 push ecx
0043CD29 .FF15 2410400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaStrVarMove
//////////////////////////////////////////////////////////////////////////////////////////////
上面这段代码是对输入的注册码按“-”进行分离
/////////////////////////////////////////////////////////////////////////////////////////////
0043CD2F .8BD0 mov edx,eax
0043CD31 .8D4D E0 lea ecx,dword ptr ss:
0043CD34 .FFD3 call ebx
0043CD36 .8D4D D8 lea ecx,dword ptr ss:
0043CD39 .FF15 FC11400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeStr
0043CD3F .8D55 D0 lea edx,dword ptr ss:
0043CD42 .8D45 D4 lea eax,dword ptr ss:
0043CD45 .52 push edx
0043CD46 .50 push eax
0043CD47 .6A 02 push 2
0043CD49 .FF15 3810400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeObjList
0043CD4F .8D4D AC lea ecx,dword ptr ss:
0043CD52 .8D55 BC lea edx,dword ptr ss:
0043CD55 .51 push ecx
0043CD56 .52 push edx
0043CD57 .6A 02 push 2
0043CD59 .FF15 2C10400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeVarList
0043CD5F .8B45 E0 mov eax,dword ptr ss:
0043CD62 .83C4 18 add esp,18
0043CD65 .8D4D E4 lea ecx,dword ptr ss:
0043CD68 .50 push eax
0043CD69 .51 push ecx
0043CD6A .E8 31F9FFFFcall BatchDoc.0043C6A0 ;关键算法
0043CD6F .8BD0 mov edx,eax
0043CD71 .8D4D DC lea ecx,dword ptr ss:
0043CD74 .FFD3 call ebx
0043CD76 .50 push eax
0043CD77 .FF15 C410400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaStrCmp
0043CD7D .8BF8 mov edi,eax
0043CD7F .8D4D DC lea ecx,dword ptr ss:
0043CD82 .F7DF neg edi
0043CD84 .1BFF sbb edi,edi
0043CD86 .47 inc edi
0043CD87 .F7DF neg edi
0043CD89 .FF15 FC11400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeStr
0043CD8F .66:85FF test di,di
0043CD92 .0F84 4702000>je BatchDoc.0043CFDF ;跳OVER
跟进上面的关键算法来到
0043C6A0 $55 push ebp
0043C6A1 .8BEC mov ebp,esp
0043C6A3 .83EC 0C sub esp,0C
0043C6A6 .68 061E4000push ;SE 句柄安装
0043C6AB .64:A1 000000>mov eax,dword ptr fs:
。。。省略往下
0043C6EF .85C0 test eax,eax ;左边字符长度,后面循环用
0043C6F1 .0F84 2003000>je BatchDoc.0043CA17
。。。省略往下
0043C85F > \8B51 0C mov edx,dword ptr ds:
0043C862 .8BC3 mov eax,ebx
0043C864 .33DB xor ebx,ebx
0043C866 .8A1C02 mov bl,byte ptr ds: ;把倒数第二位的ASC码送入bl
0043C869 .8BF3 mov esi,ebx ;把bl的值送至esi,记为c
。。。省略往下
0043C8B0 .8A1C02 mov bl,byte ptr ds: ;左边每个字符的ASC
0043C8B3 .8B55 D0 mov edx,dword ptr ss: ;第一次为最后一位的ASC码,后为b值
0043C8B6 .23DA and ebx,edx ;和最后一位ASC码或b值做and运算,记为a
0043C8B8 .85C9 test ecx,ecx
0043C8BA .74 22 je short BatchDoc.0043C8DE
0043C8BC .66:8339 01 cmp word ptr ds:,1
0043C8C0 .75 1C jnz short BatchDoc.0043C8DE
0043C8C2 .8B7D 84 mov edi,dword ptr ss:
0043C8C5 .8B51 14 mov edx,dword ptr ds:
0043C8C8 .8B41 10 mov eax,dword ptr ds:
0043C8CB .2BFA sub edi,edx
0043C8CD .3BF8 cmp edi,eax
0043C8CF .72 09 jb short BatchDoc.0043C8DA
0043C8D1 .FF15 C010400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaGenerateBoundsError
0043C8D7 .8B4D D8 mov ecx,dword ptr ss:
0043C8DA >8BC7 mov eax,edi
0043C8DC .EB 05 jmp short BatchDoc.0043C8E3
0043C8DE >FFD7 call edi
0043C8E0 .8B4D D8 mov ecx,dword ptr ss:
0043C8E3 >8B49 0C mov ecx,dword ptr ds:
0043C8E6 .33D2 xor edx,edx
0043C8E8 .8A1401 mov dl,byte ptr ds: ;每个字符的ASC码
0043C8EB .8BFA mov edi,edx
0043C8ED .0BFE or edi,esi ;与c做OR运算,记作b
0043C8EF .81FB 8000000>cmp ebx,80
0043C8F5 .7E 0F jle short BatchDoc.0043C906
0043C8F7 .B8 00010000mov eax,100
0043C8FC .2BC3 sub eax,ebx
0043C8FE .0F80 7501000>jo BatchDoc.0043CA79
0043C904 .8BD8 mov ebx,eax
0043C906 >81FF 8000000>cmp edi,80 ;b>80
0043C90C .7E 0F jle short BatchDoc.0043C91D
0043C90E .B9 00010000mov ecx,100
0043C913 .2BCF sub ecx,edi ;100-b
0043C915 .0F80 5E01000>jo BatchDoc.0043CA79
0043C91B .8BF9 mov edi,ecx ;b=100-b
0043C91D >8B45 C4 mov eax,dword ptr ss:
0043C920 .85C0 test eax,eax
0043C922 .74 22 je short BatchDoc.0043C946
0043C924 .66:8338 01 cmp word ptr ds:,1
0043C928 .75 1C jnz short BatchDoc.0043C946
0043C92A .8B4D 84 mov ecx,dword ptr ss:
0043C92D .8B50 14 mov edx,dword ptr ds:
0043C930 .2BCA sub ecx,edx
0043C932 .8BF1 mov esi,ecx
0043C934 .8B48 10 mov ecx,dword ptr ds:
0043C937 .3BF1 cmp esi,ecx
0043C939 .72 06 jb short BatchDoc.0043C941
0043C93B .FF15 C010400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaGenerateBoundsError
0043C941 >8975 80 mov dword ptr ss:,esi
0043C944 .EB 09 jmp short BatchDoc.0043C94F
0043C946 >FF15 C010400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaGenerateBoundsError
0043C94C .8945 80 mov dword ptr ss:,eax
0043C94F >68 981D4100push BatchDoc.00411D98 ; /a
0043C954 .FF15 3C10400>call dword ptr ds:[<&MSVBVM60.#51>; \rtcAnsiValueBstr
0043C95A .0FBFC8 movsx ecx,ax ;这里得到字符“A”的asc值41
0043C95D .8BC7 mov eax,edi
0043C95F .BE 34000000mov esi,34
0043C964 .0FAFC3 imul eax,ebx ;a*b
0043C967 .0F80 0C01000>jo BatchDoc.0043CA79
0043C96D .99 cdq
0043C96E .F7FE idiv esi ;a*b/34,余值入edx
0043C970 .03CA add ecx,edx ;edx+41,也就是余值加上41,记S
0043C972 .0F80 0101000>jo BatchDoc.0043CA79
0043C978 .FF15 1411400>call dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaUI1I4
0043C97E .8B55 C4 mov edx,dword ptr ss:
0043C981 .8BF7 mov esi,edi ;将b值移送esi
0043C983 .03F3 add esi,ebx ;b=a+b
0043C985 .8B5D C8 mov ebx,dword ptr ss:
0043C988 .8B4A 0C mov ecx,dword ptr ds:
0043C98B .8B55 80 mov edx,dword ptr ss:
0043C98E .0F80 E500000>jo BatchDoc.0043CA79
0043C994 .880411 mov byte ptr ds:,al ;将S转换成字符就是注册码
0043C997 .B8 01000000mov eax,1
0043C99C .81E6 FF00000>and esi,0FF
0043C9A2 .66:0345 E8 add ax,word ptr ss: ;a=b(b为没加a前的值)
0043C9A6 .897D D0 mov dword ptr ss:,edi
0043C9A9 .8B7D DC mov edi,dword ptr ss:
0043C9AC .0F80 C700000>jo BatchDoc.0043CA79
0043C9B2 .8945 E8 mov dword ptr ss:,eax
0043C9B5 .^ E9 EFFDFFFFjmp BatchDoc.0043C7A9 ;下个循环
--------------------------------------------------------------------------------
【经验总结】
1、注册码必须有“-”号,长度大于3
2、这给个源码,不然说还真不好写
l=左边注册码的长度
a = Asc(Mid(Text1.Text, l, 1))
b = Asc(Mid(Text1.Text, l - 1, 1))
zc = ""
For i = 1 To l
s = Mid(Text1.Text, i, 1)
a = a And Asc(s)
b = b Or Asc(s)
If b > 128 Then
b = 256 - b
End If
k = ((a * b) Mod 52) + 65
zc = zc + Chr(k)
c = b
b = a + b
a = c
Next
这样就可算出注册码的右边
3、如果注册码的右边字符=计算所得的字符,注册成功
4、可以有N组注册码,呵呵
--------------------------------------------------------------------------------
【版权声明】: 转载请注明作者并保持文章的完整, 谢谢!
2006年12月08日 下午 12:50:05
页:
[1]