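Analysis of the Hootech MP3 to SWF Converter registration algorithm
[Target software] Hootech MP3 to SWF Converter 2.4.841
[Software language] English
[Category] Foreign software / shareware / video tools
[Platform] Win9x/Me/NT/2000/XP/2003
[Protection] Registration code
[Author's statement] I am new to cracking; I do this only out of interest and to pass my spare time. I would be grateful if the more experienced would point out any mistakes.
[Written in] Microsoft Visual C++ 6.0
[Debugger] OllyDBG
[Download] http://www.onlinedown.net/soft/51005.htm
[Software description] An MP3/WAV file conversion tool. It converts MP3/WAV files to SWF files. It supports the following features: converting large MP3/WAV files into small SWF files at a range of quality levels; recording audio directly and converting it to an SWF file; the generated streaming SWF files can be played directly online without waiting for the download to finish; generating SWF files with a control bar, with a variety of attractive built-in buttons; drag and drop, batch conversion, fast conversion and ease of use.
I. Tracing the algorithm
From the message shown by the registration dialog, it is easy to locate the following: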
0040B106 .6A FF PUSH -1
0040B108 .68 088A4700 PUSH MP32SWF.00478A08
0040B10D .50 PUSH EAX
0040B10E .64:8925 00000000 MOV DWORD PTR FS:,ESP
0040B115 .53 PUSH EBX
0040B116 .56 PUSH ESI
0040B117 .57 PUSH EDI
0040B118 .8BF1 MOV ESI,ECX
0040B11A .E8 2C980600 CALL MP32SWF.0047494B
0040B11F .8B48 04 MOV ECX,DWORD PTR DS:
0040B122 .E8 4CF30500 CALL MP32SWF.0046A473
0040B127 .6A 01 PUSH 1
0040B129 .8BCE MOV ECX,ESI
0040B12B .C74424 18 00000000 MOV DWORD PTR SS:,0
0040B133 .E8 EDDC0500 CALL MP32SWF.00468E25
0040B138 .8D7E 5C LEA EDI,DWORD PTR DS: ;address of the user name
0040B13B .8BCF MOV ECX,EDI
0040B13D .E8 0F900500 CALL MP32SWF.00464151
0040B142 .8BCF MOV ECX,EDI
0040B144 .E8 BC8F0500 CALL MP32SWF.00464105
0040B149 .8D5E 60 LEA EBX,DWORD PTR DS: ;address of the entered (fake) code
0040B14C .8BCB MOV ECX,EBX
0040B14E .E8 FE8F0500 CALL MP32SWF.00464151
0040B153 .8BCB MOV ECX,EBX
0040B155 .E8 AB8F0500 CALL MP32SWF.00464105
0040B15A .8B07 MOV EAX,DWORD PTR DS:
0040B15C .8B48 F8 MOV ECX,DWORD PTR DS:
0040B15F .85C9 TEST ECX,ECX ;was a user name entered?
0040B161 .75 0E JNZ SHORT MP32SWF.0040B171
0040B163 .6A 30 PUSH 30
0040B165 .68 00D34700 PUSH MP32SWF.0047D300 ;mp3 to swf converter
0040B16A .68 18D34700 PUSH MP32SWF.0047D318 ;please enter your name.
0040B16F .EB 3B JMP SHORT MP32SWF.0040B1AC
0040B171 >8B1B MOV EBX,DWORD PTR DS:
0040B173 .8D4E 64 LEA ECX,DWORD PTR DS:
0040B176 .51 PUSH ECX
0040B177 .53 PUSH EBX
0040B178 .E8 43710100 CALL MP32SWF.004222C0 ;key call
0040B17D .83C4 08 ADD ESP,8
0040B180 .85C0 TEST EAX,EAX ;EAX=1 means registration succeeded
0040B182 .74 1C JE SHORT MP32SWF.0040B1A0 ;jumps to registration failure
0040B184 .6A 40 PUSH 40
0040B186 .68 00D34700 PUSH MP32SWF.0047D300 ;mp3 to swf converter
0040B18B .68 30D34700 PUSH MP32SWF.0047D330 ;register successfully. thank you for your support.
0040B190 .8BCE MOV ECX,ESI
0040B192 .E8 98D40500 CALL MP32SWF.0046862F
0040B197 .8BCE MOV ECX,ESI
0040B199 .E8 C5FD0500 CALL MP32SWF.0046AF63
0040B19E .EB 13 JMP SHORT MP32SWF.0040B1B3
0040B1A0 >6A 10 PUSH 10
0040B1A2 .68 00D34700 PUSH MP32SWF.0047D300 ;mp3 to swf converter
0040B1A7 .68 64D34700 PUSH MP32SWF.0047D364 ;invalid registration code.\nplease check that you entered
exact information.\n\nif you have any problem with your registration code,\nplease contact <[email protected]>.
0040B1AC >8BCE MOV ECX,ESI
At 0040B178, step into the key call:
004222C0/$83EC 60 SUB ESP,60
004222C3|.56 PUSH ESI
004222C4|.8B7424 68 MOV ESI,DWORD PTR SS: ;address of the entered (fake) code
004222C8|.56 PUSH ESI ; /String
004222C9|.FF15 E8C14700 CALL NEAR DWORD PTR DS:[<&KERNE>; \lstrlenA
004222CF|.83F8 40 CMP EAX,40 ;compare the length of the entered code
004222D2|.74 07 JE SHORT MP32SWF.004222DB
004222D4|.33C0 XOR EAX,EAX
004222D6|.5E POP ESI
004222D7|.83C4 60 ADD ESP,60
004222DA|.C3 RETN
004222DB|>53 PUSH EBX
004222DC|.55 PUSH EBP
004222DD|.8B2D 54C34700 MOV EBP,DWORD PTR DS:[<&KERNEL3>;kernel32.lstrcpynA
004222E3|.57 PUSH EDI
004222E4|.8D7C24 10 LEA EDI,DWORD PTR SS:
004222E8|.BB 08000000 MOV EBX,8
004222ED|>6A 09 PUSH 9
004222EF|.8D4424 34 LEA EAX,DWORD PTR SS:
004222F3|.56 PUSH ESI
004222F4|.50 PUSH EAX
004222F5|.FFD5 CALL NEAR EBP
004222F7|.57 PUSH EDI
004222F8|.8D4C24 34 LEA ECX,DWORD PTR SS:
004222FC|.68 40A24900 PUSH MP32SWF.0049A240 ;%x
00422301|.51 PUSH ECX
00422302|.83C6 08 ADD ESI,8
00422305|.E8 6F160300 CALL MP32SWF.00453979
0042230A|.83C4 0C ADD ESP,0C
0042230D|.83C7 04 ADD EDI,4
00422310|.4B DEC EBX
00422311|.^ 75 DA JNZ SHORT MP32SWF.004222ED ;split the entered code into 8 groups, call them (s1…s8)
00422313|.8B7C24 78 MOV EDI,DWORD PTR SS:
00422317|.B9 08000000 MOV ECX,8
0042231C|.8D7424 10 LEA ESI,DWORD PTR SS:
00422320|.8D5424 10 LEA EDX,DWORD PTR SS:
00422324|.F3:A5 REP MOVS DWORD PTR ES:,DWO>
00422326|.52 PUSH EDX
00422327|.E8 14000000 CALL MP32SWF.00422340 ;F7 to step into the algorithm call
0042232C|.83C4 04 ADD ESP,4
0042232F|.5F POP EDI
00422330|.5D POP EBP
00422331|.5B POP EBX
00422332|.5E POP ESI
00422333|.83C4 60 ADD ESP,60
00422336\.C3 RETN
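At 00422327, press F7 to step into the algorithm call.
The code below tests the computed results in four places; if the conditions are met, registration succeeds. Once the three decoy checks are ruled out, much of the decoy computation can be ignored.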
00422340/$81EC B0000000 SUB ESP,0B0
00422346|.53 PUSH EBX
00422347|.55 PUSH EBP
00422348|.56 PUSH ESI
00422349|.8BB424 C0000000 MOV ESI,DWORD PTR SS:
00422350|.57 PUSH EDI
00422351|.C74424 3C 00000000 MOV DWORD PTR SS:,0
00422359|.8B7E 1C MOV EDI,DWORD PTR DS: ;=s8
0042235C|.8B56 14 MOV EDX,DWORD PTR DS: ;=s6
0042235F|.8BC2 MOV EAX,EDX
00422361|.8BCF MOV ECX,EDI
00422363|.25 AFFEABAF AND EAX,AFABFEAF
00422368|.81E1 50015450 AND ECX,50540150
0042236E|.0FAFC1 IMUL EAX,ECX
00422371|.8B4E 10 MOV ECX,DWORD PTR DS: ;=s5
00422374|.8B5E 04 MOV EBX,DWORD PTR DS: ;=s2
00422377|.894424 40 MOV DWORD PTR SS:,EAX
0042237B|.8BC3 MOV EAX,EBX
0042237D|.8BE9 MOV EBP,ECX
0042237F|.25 594C8EA9 AND EAX,A98E4C59
00422384|.81E5 A6B37156 AND EBP,5671B3A6
0042238A|.C74424 64 00000000 MOV DWORD PTR SS:,0
00422392|.0FAFC5 IMUL EAX,EBP
00422395|.894424 58 MOV DWORD PTR SS:,EAX
00422399|.8BC3 MOV EAX,EBX
0042239B|.33C7 XOR EAX,EDI ;s2^s8
0042239D|.8BEF MOV EBP,EDI
0042239F|.25 58244948 AND EAX,48492458 ;EAX=(s2^s8)&48492458
004223A4|.81E5 37422398 AND EBP,98234237
004223AA|.894424 18 MOV DWORD PTR SS:,EAX ;save (s2^s8)&48492458
004223AE|.33C7 XOR EAX,EDI ;EAX=((s2^s8)&48492458)^s8
004223B0|.894424 28 MOV DWORD PTR SS:,EAX ;save EAX
004223B4|.8BC3 MOV EAX,EBX
004223B6|.33C2 XOR EAX,EDX
004223B8|.8BD3 MOV EDX,EBX
004223BA|.25 AFFADB76 AND EAX,76DBFAAF
004223BF|.81E2 50015450 AND EDX,50540150
004223C5|.33C3 XOR EAX,EBX
004223C7|.898424 B8000000 MOV DWORD PTR SS:,EAX
004223CE|.8BC7 MOV EAX,EDI
004223D0|.F7D0 NOT EAX
004223D2|.25 A7DBB6B7 AND EAX,B7B6DBA7
004223D7|.0BC2 OR EAX,EDX
004223D9|.8B56 18 MOV EDX,DWORD PTR DS: ;=s7
004223DC|.894424 70 MOV DWORD PTR SS:,EAX ;
004223E0|.8B46 0C MOV EAX,DWORD PTR DS: ;=s4
004223E3|.894424 14 MOV DWORD PTR SS:,EAX
004223E7|.33C2 XOR EAX,EDX ;EAX=s4^s7
004223E9|.25 A6B37156 AND EAX,5671B3A6 ;EAX=(s4^s7)&5671B3A6
004223EE|.895424 10 MOV DWORD PTR SS:,EDX
004223F2|.33C2 XOR EAX,EDX ;EAX=((s4^s7)&5671B3A6)^s7
004223F4|.33D2 XOR EDX,EDX ;clear EDX
004223F6|.894424 1C MOV DWORD PTR SS:,EAX ;save ((s4^s7)&5671B3A6)^s7
004223FA|.894424 20 MOV DWORD PTR SS:,EAX
004223FE|.69C0 73853409 IMUL EAX,EAX,9348573
00422404|.25 87A93434 AND EAX,3434A987
00422409|.81E2 9823FEAD AND EDX,ADFE2398
0042240F|.894424 30 MOV DWORD PTR SS:,EAX
00422413|.8B46 08 MOV EAX,DWORD PTR DS: ;=s3
00422416|.895424 34 MOV DWORD PTR SS:,EDX ;EDX=0
0042241A|.8BD0 MOV EDX,EAX
0042241C|.33D1 XOR EDX,ECX ;EDX=s3^s5
0042241E|.81E2 AFFADB76 AND EDX,76DBFAAF ;EDX=(s3^s5)&76DBFAAF
00422424|.33D1 XOR EDX,ECX ;EDX=((s3^s5)&76DBFAAF)^s5
00422426|.895424 24 MOV DWORD PTR SS:,EDX ;save ((s3^s5)&76DBFAAF)^s5
0042242A|.8B16 MOV EDX,DWORD PTR DS: ;=s1
0042242C|.81E2 E93A8290 AND EDX,90823AE9
00422432|.0FAFD5 IMUL EDX,EBP
00422435|.895424 38 MOV DWORD PTR SS:,EDX
00422439|.8B5424 10 MOV EDX,DWORD PTR SS:
0042243D|.8BEF MOV EBP,EDI
0042243F|.81E2 58244948 AND EDX,48492458
00422445|.81E5 A7DBB6B7 AND EBP,B7B6DBA7
0042244B|.0FAFD5 IMUL EDX,EBP
0042244E|.8B6E 14 MOV EBP,DWORD PTR DS: ;=s6
00422451|.895424 60 MOV DWORD PTR SS:,EDX
00422455|.8B16 MOV EDX,DWORD PTR DS: ;=s1
00422457|.33D5 XOR EDX,EBP ;EDX=s1^s6
00422459|.8B2E MOV EBP,DWORD PTR DS:
0042245B|.81E2 50015450 AND EDX,50540150 ;EDX=(s1^s6)&50540150
00422461|.33D5 XOR EDX,EBP ;EDX=((s1^s6)&50540150)^s1
00422463|.895424 7C MOV DWORD PTR SS:,EDX ;save ((s1^s6)&50540150)^s1
00422467|.8B5424 10 MOV EDX,DWORD PTR SS: ;=s7
0042246B|.8BE8 MOV EBP,EAX
0042246D|.25 A7DBB6B7 AND EAX,B7B6DBA7
00422472|.81E1 594C8EA9 AND ECX,A98E4C59
00422478|.0FAFC1 IMUL EAX,ECX
0042247B|.33EA XOR EBP,EDX
0042247D|.894424 48 MOV DWORD PTR SS:,EAX
00422481|.8B4424 14 MOV EAX,DWORD PTR SS:
00422485|.81E5 A6B37156 AND EBP,5671B3A6
0042248B|.33EA XOR EBP,EDX
0042248D|.8B5424 18 MOV EDX,DWORD PTR SS: ;=(s2^s8)&48492458
00422491|.68 98720000 PUSH 7298
00422496|.68 988776A8 PUSH A8768798
0042249B|.33D3 XOR EDX,EBX ;EDX=(s2^s8)&48492458^s2
0042249D|.6A 00 PUSH 0
0042249F|.50 PUSH EAX
004224A0|.895424 28 MOV DWORD PTR SS:,EDX ;save ((s2^s8)&48492458)^s2
004224A4|.E8 27100300 CALL MP32SWF.004534D0
004224A9|.8B4C24 30 MOV ECX,DWORD PTR SS:
004224AD|.23C1 AND EAX,ECX
004224AF|.8B4C24 34 MOV ECX,DWORD PTR SS: ;=0
004224B3|.23D1 AND EDX,ECX
004224B5|.3D 80A628C4 CMP EAX,C428A680 ;decoy comparison
004224BA|.75 3E JNZ SHORT MP32SWF.004224FA
004224BC|.81FA 723AE792 CMP EDX,92E73A72 ;EDX is always 0
004224C2|.75 36 JNZ SHORT MP32SWF.004224FA
004224C4|.8B5C24 1C MOV EBX,DWORD PTR SS:
004224C8|.8B7C24 18 MOV EDI,DWORD PTR SS:
004224CC|.33ED XOR EBP,EBP
004224CE|.33C0 XOR EAX,EAX
004224D0|.899C24 90000000 MOV DWORD PTR SS:,EBX
004224D7|.89AC24 94000000 MOV DWORD PTR SS:,EBP
004224DE|.23DF AND EBX,EDI
004224E0|.23E8 AND EBP,EAX
004224E2|.81F3 46838419 XOR EBX,19848346
004224E8|.898424 8C000000 MOV DWORD PTR SS:,EAX
004224EF|.81F5 35716887 XOR EBP,87687135
004224F5|.E9 92010000 JMP MP32SWF.0042268C
004224FA|>0FAFAC24 B8000000IMUL EBP,DWORD PTR SS:
00422502|.8B5424 40 MOV EDX,DWORD PTR SS:
00422506|.8BC5 MOV EAX,EBP
00422508|.33ED XOR EBP,EBP
0042250A|.33C9 XOR ECX,ECX ;clear ECX
0042250C|.3BC2 CMP EAX,EDX ;decoy comparison
0042250E|.75 57 JNZ SHORT MP32SWF.00422567
00422510|.33C0 XOR EAX,EAX
00422512|.3BC8 CMP ECX,EAX
00422514|.75 51 JNZ SHORT MP32SWF.00422567
00422516|.8B4424 14 MOV EAX,DWORD PTR SS:
0042251A|.8B4C24 10 MOV ECX,DWORD PTR SS:
0042251E|.25 A6B37156 AND EAX,5671B3A6
00422523|.81E1 50015450 AND ECX,50540150
00422529|.81E7 58244948 AND EDI,48492458
0042252F|.81E3 AFFEABAF AND EBX,AFABFEAF
00422535|.0BC1 OR EAX,ECX
00422537|.0BFB OR EDI,EBX
00422539|.8BD8 MOV EBX,EAX
0042253B|.33D2 XOR EDX,EDX
0042253D|.89AC24 94000000 MOV DWORD PTR SS:,EBP
00422544|.33DF XOR EBX,EDI
00422546|.33EA XOR EBP,EDX
00422548|.81F3 858F0019 XOR EBX,19008F85
0042254E|.899424 8C000000 MOV DWORD PTR SS:,EDX
00422555|.898424 90000000 MOV DWORD PTR SS:,EAX
0042255C|.81F5 66EC6827 XOR EBP,2768EC66
00422562|.E9 25010000 JMP MP32SWF.0042268C
00422567|>8B4C24 18 MOV ECX,DWORD PTR SS: ;=(s2^s8)&48492458
0042256B|.8B5424 20 MOV EDX,DWORD PTR SS: ;=((s4^s7)&5671B3A6)^s7
0042256F|.33CA XOR ECX,EDX
00422571|.F7C1 472383AE TEST ECX,AE832347
00422577|.0F84 C1000000 JE MP32SWF.0042263E
0042257D|.33FF XOR EDI,EDI ;clear EDI
0042257F|.89AC24 8C000000 MOV DWORD PTR SS:,EBP ;EBP=0
00422586|.89AC24 90000000 MOV DWORD PTR SS:,EBP
0042258D|.89AC24 94000000 MOV DWORD PTR SS:,EBP
00422594|.897424 10 MOV DWORD PTR SS:,ESI
00422598|.8D5E 18 LEA EBX,DWORD PTR DS:
0042259B|.C74424 14 07000000 MOV DWORD PTR SS:,7
004225A3|>8B5424 10 /MOV EDX,DWORD PTR SS: ; =s7..s1
004225A7|.8B0B |MOV ECX,DWORD PTR DS: ; =s1..s7
004225A9|.F7D1 |NOT ECX
004225AB|.8B02 |MOV EAX,DWORD PTR DS:
004225AD|.8BD1 |MOV EDX,ECX
004225AF|.8BE8 |MOV EBP,EAX
004225B1|.81E2 58244948 |AND EDX,48492458
004225B7|.81E5 AFFEABAF |AND EBP,AFABFEAF
004225BD|.0FAFD5 |IMUL EDX,EBP
004225C0|.8BAC24 8C000000 |MOV EBP,DWORD PTR SS:
004225C7|.03FA |ADD EDI,EDX
004225C9|.BA 00000000 |MOV EDX,0
004225CE|.13EA |ADC EBP,EDX
004225D0|.25 A6B37156 |AND EAX,5671B3A6
004225D5|.81E1 50015450 |AND ECX,50540150
004225DB|.89AC24 8C000000 |MOV DWORD PTR SS:,EBP
004225E2|.0FAFC1 |IMUL EAX,ECX
004225E5|.8B8C24 90000000 |MOV ECX,DWORD PTR SS:
004225EC|.8BAC24 94000000 |MOV EBP,DWORD PTR SS:
004225F3|.03C8 |ADD ECX,EAX
004225F5|.8B4424 14 |MOV EAX,DWORD PTR SS:
004225F9|.898C24 90000000 |MOV DWORD PTR SS:,ECX
00422600|.8B4C24 10 |MOV ECX,DWORD PTR SS:
00422604|.13EA |ADC EBP,EDX
00422606|.83EB 04 |SUB EBX,4
00422609|.83C1 04 |ADD ECX,4
0042260C|.48 |DEC EAX
0042260D|.89AC24 94000000 |MOV DWORD PTR SS:,EBP
00422614|.894C24 10 |MOV DWORD PTR SS:,ECX
00422618|.894424 14 |MOV DWORD PTR SS:,EAX
0042261C|.^ 75 85 \JNZ SHORT MP32SWF.004225A3 ; this loop makes the comparison at 00422833 come out unequal
0042261E|.8B9C24 90000000 MOV EBX,DWORD PTR SS:
00422625|.8B9424 8C000000 MOV EDX,DWORD PTR SS:
0042262C|.23DF AND EBX,EDI
0042262E|.23EA AND EBP,EDX
00422630|.81F3 4A98AE68 XOR EBX,68AE984A
00422636|.81F5 19974835 XOR EBP,35489719
0042263C|.EB 4E JMP SHORT MP32SWF.0042268C
0042263E|>55 PUSH EBP
0042263F|.E8 B9030300 CALL MP32SWF.004529FD
00422644|.83C4 04 ADD ESP,4
00422647|.8BF8 MOV EDI,EAX
00422649|.E8 8D030300 CALL MP32SWF.004529DB
0042264E|.0FAFF8 IMUL EDI,EAX
00422651|.FF15 3CC34700 CALL NEAR DWORD PTR DS:[<&KERNEL>
00422657|.0FAFF8 IMUL EDI,EAX
0042265A|.8B4E 04 MOV ECX,DWORD PTR DS:
0042265D|.33C0 XOR EAX,EAX
0042265F|.50 PUSH EAX
00422660|.57 PUSH EDI
00422661|.55 PUSH EBP
00422662|.51 PUSH ECX
00422663|.898424 9C000000 MOV DWORD PTR SS:,EAX
0042266A|.E8 610E0300 CALL MP32SWF.004534D0
0042266F|.898424 90000000 MOV DWORD PTR SS:,EAX
00422676|.8BD8 MOV EBX,EAX
00422678|.8B8424 8C000000 MOV EAX,DWORD PTR SS:
0042267F|.8BEA MOV EBP,EDX
00422681|.33DF XOR EBX,EDI
00422683|.899424 94000000 MOV DWORD PTR SS:,EDX
0042268A|.33E8 XOR EBP,EAX
0042268C|>8B4E 14 MOV ECX,DWORD PTR DS: ;=s6
0042268F|.8B16 MOV EDX,DWORD PTR DS: ;=s1
00422691|.8BC1 MOV EAX,ECX
00422693|.6A 00 PUSH 0
00422695|.33C2 XOR EAX,EDX ;EAX=s6^s1
00422697|.8B56 08 MOV EDX,DWORD PTR DS: ;=s3
0042269A|.25 50015450 AND EAX,50540150 ;EAX=(s6^s1)&50540150
0042269F|.33C1 XOR EAX,ECX ;EAX=((s6^s1)&50540150)^s6
004226A1|.8B4C24 24 MOV ECX,DWORD PTR SS: ;=((s4^s7)&5671B3A6)^s7
004226A5|.81F1 44894865 XOR ECX,65488944
004226AB|.894424 6C MOV DWORD PTR SS:,EAX ;[+68]
004226AF|.894C24 24 MOV DWORD PTR SS:,ECX ;save (((s4^s7)&5671B3A6)^s7)^65488944
004226B3|.8B4E 18 MOV ECX,DWORD PTR DS: ;=s7
004226B6|.F7D1 NOT ECX
004226B8|.8B7424 28 MOV ESI,DWORD PTR SS: ;[+24]=((s3^s5)&76DBFAAF)^s5
004226BC|.8BC1 MOV EAX,ECX
004226BE|.33C2 XOR EAX,EDX
004226C0|.81F6 00541612 XOR ESI,12165400 ;ESI=((s3^s5)&76DBFAAF)^s5^12165400
004226C6|.25 A6B37156 AND EAX,5671B3A6
004226CB|.33C1 XOR EAX,ECX
004226CD|.894424 78 MOV DWORD PTR SS:,EAX
004226D1|.E8 27030300 CALL MP32SWF.004529FD
004226D6|.83C4 04 ADD ESP,4
004226D9|.E8 FD020300 CALL MP32SWF.004529DB
004226DE|.FF15 3CC34700 CALL NEAR DWORD PTR DS:[<&KERNEL>
004226E4|.8B5424 20 MOV EDX,DWORD PTR SS: ;=(((s4^s7)&5671B3A6)^s7)^65488944
004226E8|.8B4424 28 MOV EAX,DWORD PTR SS: ;=((s2^s8)&48492458)^s8
004226EC|.8B4C24 7C MOV ECX,DWORD PTR SS: ;=((s1^s6)&50540150)^s1
004226F0|.33D0 XOR EDX,EAX
004226F2|.81F1 2C5484AE XOR ECX,AE84542C ;ECX=(((s1^s6)&50540150)^s1)^AE84542C
004226F8|.81FA 20817E89 CMP EDX,897E8120 ;key comparison (1)
004226FE|.0F85 95000000 JNZ MP32SWF.00422799 ;must not jump here
00422704|.8B4424 68 MOV EAX,DWORD PTR SS: ;=((s6^s1)&50540150)^s6
00422708|.33C6 XOR EAX,ESI ;ESI=((s3^s5)&76DBFAAF)^s5^12165400
0042270A|.3D 65C494E8 CMP EAX,E894C465 ;key comparison (2)
0042270F|.74 49 JE SHORT MP32SWF.0042275A ;must jump here
00422711|.8B4424 60 MOV EAX,DWORD PTR SS:
00422715|.8B7C24 48 MOV EDI,DWORD PTR SS:
00422719|.8B4C24 64 MOV ECX,DWORD PTR SS:
0042271D|.8B6C24 58 MOV EBP,DWORD PTR SS:
00422721|.F7D0 NOT EAX
00422723|.23C7 AND EAX,EDI
00422725|.33D2 XOR EDX,EDX ;EDX=0
00422727|.F7D1 NOT ECX
00422729|.33C5 XOR EAX,EBP
0042272B|.23CA AND ECX,EDX ;ECX=0
0042272D|.F7D0 NOT EAX
0042272F|.33CA XOR ECX,EDX ;ECX=0 xor 0=0
00422731|.3D 2802C042 CMP EAX,42C00228 ;decoy comparison
00422736|.F7D1 NOT ECX
00422738|.0F85 14010000 JNZ MP32SWF.00422852
0042273E|.81F9 8AE96598 CMP ECX,9865E98A ;ECX=0
00422744|.0F85 08010000 JNZ MP32SWF.00422852
0042274A|.5F POP EDI
0042274B|.5E POP ESI
0042274C|.5D POP EBP
0042274D|.B8 01000000 MOV EAX,1
00422752|.5B POP EBX
00422753|.81C4 B0000000 ADD ESP,0B0
00422759|.C3 RETN ;this return is never reached
0042275A|>B8 F1F0F0F0 MOV EAX,F0F0F0F1
0042275F|.F7E1 MUL ECX ; ECX=(((s1^s6)&50540150)^s1)^AE84542C
00422761|.C1EA 04 SHR EDX,4
00422764|.B8 4FECC44E MOV EAX,4EC4EC4F
00422769|.8BFA MOV EDI,EDX
0042276B|.F7E1 MUL ECX
0042276D|.0FAFFE IMUL EDI,ESI ;ESI=((s3^s5)&76DBFAAF)^s5^12165400)
00422770|.8B4424 20 MOV EAX,DWORD PTR SS: ;=((s4^s7)&5671B3A6)^s7
00422774|.8B4C24 18 MOV ECX,DWORD PTR SS: ;=(s2^s8)&48492458
00422778|.C1EA 02 SHR EDX,2
0042277B|.0FAFF0 IMUL ESI,EAX
0042277E|.0FAFD0 IMUL EDX,EAX
00422781|.03FA ADD EDI,EDX
00422783|.33C0 XOR EAX,EAX
00422785|.03FE ADD EDI,ESI
00422787|.F7D7 NOT EDI
00422789|.3BF9 CMP EDI,ECX ;key comparison (3)
0042278B|.5F POP EDI
0042278C|.5E POP ESI
0042278D|.5D POP EBP
0042278E|.0F94C0 SETE AL
00422791|.5B POP EBX
00422792|.81C4 B0000000 ADD ESP,0B0
00422798|.C3 RETN ;only a return from here with the condition met gives a successful registration
00422799|>8B4424 38 MOV EAX,DWORD PTR SS:
0042279D|.8B5424 40 MOV EDX,DWORD PTR SS:
004227A1|.33C2 XOR EAX,EDX
004227A3|.8B5424 3C MOV EDX,DWORD PTR SS: ;=0
004227A7|.C74424 44 00000000 MOV DWORD PTR SS:,0
004227AF|.335424 44 XOR EDX,DWORD PTR SS:
004227B3|.3D E8005A5F CMP EAX,5F5A00E8 ;decoy comparison
004227B8|.75 5C JNZ SHORT MP32SWF.00422816
004227BA|.81FA E48954A6 CMP EDX,A65489E4 ;EDX=0
004227C0|.75 54 JNZ SHORT MP32SWF.00422816
004227C2|.B8 25499224 MOV EAX,24924925
004227C7|.F7E1 MUL ECX
004227C9|.8BC1 MOV EAX,ECX
004227CB|.2BC2 SUB EAX,EDX
004227CD|.D1E8 SHR EAX,1
004227CF|.03C2 ADD EAX,EDX
004227D1|.C1E8 02 SHR EAX,2
004227D4|.8BF8 MOV EDI,EAX
004227D6|.B8 CB6B28AF MOV EAX,AF286BCB
004227DB|.F7E1 MUL ECX
004227DD|.0FAFFE IMUL EDI,ESI
004227E0|.2BCA SUB ECX,EDX
004227E2|.8B4424 74 MOV EAX,DWORD PTR SS:
004227E6|.D1E9 SHR ECX,1
004227E8|.0FAF4424 70 IMUL EAX,DWORD PTR SS:
004227ED|.03CA ADD ECX,EDX
004227EF|.C1E9 04 SHR ECX,4
004227F2|.0FAF4C24 20 IMUL ECX,DWORD PTR SS:
004227F7|.03F9 ADD EDI,ECX
004227F9|.8B8C24 B8000000 MOV ECX,DWORD PTR SS:
00422800|.03F8 ADD EDI,EAX
00422802|.33C0 XOR EAX,EAX
00422804|.F7D7 NOT EDI
00422806|.3BF9 CMP EDI,ECX
00422808|.5F POP EDI
00422809|.5E POP ESI
0042280A|.5D POP EBP
0042280B|.0F94C0 SETE AL
0042280E|.5B POP EBX
0042280F|.81C4 B0000000 ADD ESP,0B0
00422815|.C3 RETN ;this return is never reached
00422816|>8B8424 90000000 MOV EAX,DWORD PTR SS:
0042281D|.8B8C24 94000000 MOV ECX,DWORD PTR SS:
00422824|.8B9424 8C000000 MOV EDX,DWORD PTR SS:
0042282B|.23C7 AND EAX,EDI
0042282D|.23CA AND ECX,EDX
0042282F|.33C3 XOR EAX,EBX
00422831|.33CD XOR ECX,EBP
00422833|.3D 4F79AE48 CMP EAX,48AE794F ;EAX is always 68AE984A
00422838|.75 18 JNZ SHORT MP32SWF.00422852
0042283A|.81F9 34023784 CMP ECX,84370234
00422840|.75 10 JNZ SHORT MP32SWF.00422852
00422842|.5F POP EDI
00422843|.5E POP ESI
00422844|.5D POP EBP
00422845|.B8 01000000 MOV EAX,1
0042284A|.5B POP EBX
0042284B|.81C4 B0000000 ADD ESP,0B0
00422851|.C3 RETN ;this return is never reached
00422852|>5F POP EDI
00422853|.5E POP ESI
00422854|.5D POP EBP
00422855|.33C0 XOR EAX,EAX
00422857|.5B POP EBX
00422858|.81C4 B0000000 ADD ESP,0B0
0042285E\.C3 RETN ;returning here means registration failed
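II. Summary of the algorithm
1. From the analysis above, to return successfully from 00422798 it is enough to satisfy the following three equations at the same time.
Key comparison (1)
The check at 004226F8, CMP EDX,897E8120, requires EDX==897E8120
That is: ((((s4^s7)&5671B3A6)^s7)^65488944) ^ (((s2^s8)&48492458)^s8)==897E8120
Key comparison (2)
The check at 0042270A, CMP EAX,E894C465, requires EAX==E894C465
That is: ((s6^s1)&50540150)^s6 ^ ((s3^s5)&76DBFAAF)^s5^12165400==897E8120
Key comparison (3)
The check at 00422789, CMP EDI,ECX, requires EDI==ECX
Value of EDI: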
(1) F0F0F0F1 * ((((s1^s6)&50540150)^s1)^AE84542C)
The high-order part of the product, logically shifted right by 4; call it x
(2) 4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C)
The high-order part of the product, logically shifted right by 2; call it y
(3) x * ((s3^s5)&76DBFAAF)^s5^12165400)
(4) y * (4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C))
(5) ((s3^s5)&76DBFAAF)^s5^12165400) * (4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C))
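(6) the bitwise NOT of the sum (3)+(4)+(5)
Value of ECX: (s2^s8)&48492458
That is: (s2^s8)&48492458==(6)
2. The expressions above look somewhat complicated; a quick way to get a usable registration code is to simply transform them into: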
(1) (s2^s8)&48492458^s2==FFFFFFFF
(2) ((s2^s8)&48492458)^s8)==897E8120
(3) (((s4^s7)&5671B3A6)^s7)^65488944==0
(4) ((s1^s6)&50540150)^s1^AE84542C==0
(5) ((s3^s5)&76DBFAAF)^s5^12165400==0
(6) ((s6^s1)&50540150)^s6==E894C465
Find the s1~s8 that satisfy these equations.
From (4) and (6):
((s1^s6)&50540150)^s1==AE84542C
((s6^s1)&50540150)^s6==E894C465
we get:
s1=EE94546C
s6=A884C425
From (3):
((s4^s7)&5671B3A6)^s7==65488944
we get:
s7=65488944
s4=CCC6C51D
From (5):
((s3^s5)&76DBFAAF)^s5==12165400
we get:
s5=12165400
s3=9B325150
From (1) and (2):
(s2^s8)&48492458^s2==FFFFFFFF
((s2^s8)&48492458)^s8)==897E8120
we get:
s2=BFFEDBA7
s8=C97FA578
3. The user name is unrelated to the registration code
One usable set of registration details:
Name:wzwgp
Registration Code:EE94546CBFFEDBA79B325150CCC6C51D12165400A884C42565488944C97FA578
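Registration information is stored in: HKEY_CURRENT_USER\Software\Hoo Technologies\MP32SWF
Happy Spring Festival to everyone!

Really awesome... I got dizzy looking at it, so I just made a patch :L
Thanks for the hard work. I'll read it carefully.
I can't follow it... :L
Unfortunately, after registering successfully, the software still asks for registration when it is restarted.
Studying the algorithm.
Originally posted by 30903861 on 2007-3-23 10:56:
Unfortunately, after registering successfully, the software still asks for registration when it is restarted.
/:02 /:02
I read it twice and still didn't understand it.... /:10
The original poster's algorithm analysis is really impressive /:good
Maybe there is another check after a restart...
I can't tell... it seems I know too little of the basics! /:L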