Analysis of fonge's crackme 10.4
Let's first look at a piece someone else wrote.
Author: 刘涛涛 [email protected]
URL: http://liutaotao.com/nqby.txt
1. Generally speaking, encryption means packing
We often wonder: how should an executable be encrypted so that it is secure?
The usual method is packing. A packer works by encrypting and transforming the executable's code and data and storing them as data. The entry code of the generated file is
anti-tracing code prepared by the packer. After a long run of anti-tracing code it restores the original executable's code and data sections, then jumps to the original entry point and carries on running. The drawback is that no matter
how strong your encryption is or how clever the anti-tracing code is, as soon as it runs everything is restored in memory. Dump the memory image, disassemble it, and everything is laid bare. There are even tools that save a
dumped memory image directly as an executable. At that point the encryption has failed completely.
Everyone knows that simple packing is not secure. We usually call the simple packing described above a "compression packer".
So today's packers all do some extra work on top of the "compression packer" described above, for example:
* Preventing memory from being dumped. This is actually impossible to achieve, because Windows is not a secure operating system; how could you possibly keep memory from being dumped? There was a packer I tried to
dump in several ways without success, but in the end I still found a way to dump it. Only then did I marvel at how many ways there are to dump; it really is impossible to guard against them all.
* Modifying the file's entry code. Most software is built with one of a few common compilers. If the packer knows which compiler you used (which is easy), it destroys the entry code and replaces it with another
piece of code that does something similar. That makes the correct entry point harder to find in the dumped code, and the chance of saving it directly as an EXE drops considerably. But it can still be disassembled.
* Some packers also support encrypting one or a few key functions, and some even use a virtual machine. But they can only encrypt a small number of key functions, not all of them, and they place many
requirements on those functions. That is easy to imagine: a function written in assembly without a ret might not even have a findable end address, so how could it be encrypted?
******
Although packers can use all of the techniques above to prevent tracing, analysis and restoration, in my view they still have not escaped the central idea of the "shell". The techniques above are merely small interludes within the "shell" premise. It is still not secure.
2. The idea of twisted compilation
An analogy. Packer protection is like having a treasure on your desk and, to protect it, putting a ring of barbed wire around the outside of your house. As soon as someone gets through the barbed wire and into your house, they see the treasure on the desk at a glance. That is of course not secure.
The idea of encrypting key functions is like this: besides the barbed wire outside, I also put the treasure in a safe. If someone gets through the barbed wire and into the house, they see the safe at a glance. The safe may not be
opened easily, but what if they carry the safe off and analyse it at leisure? That is not secure enough either.
The most secure arrangement is that someone gets into the house and finds nothing at all. Having no target is what gives people the biggest headache.
What inspiration does this piece give you on the subject of encryption?
Let's chat about it first! Admittedly, as far as encryption goes, packing does resist cracking to a certain degree!
No matter how strong your encryption is or how clever the anti-tracing code is, as soon as it runs everything is restored in memory.
The program has to run exactly like the original, so of course the original code must eventually appear in memory,
and today's packers have code-stealing techniques, but so what? It all ends up in memory anyway and can never escape its fate of being dumped.
What we need to do now is raise the original program's resistance to decryption!
An analogy. Packer protection is like having a treasure on your desk and, to protect it, putting a ring of barbed wire around the outside of your house. As soon as someone gets through the barbed wire and into your house, they see the treasure on the desk at a glance. That is of course not secure.
First, we need to guard against patching!
However complete and refined the encryption algorithm is, what good is it? Getting patched out is not a good thing!
The idea of encrypting key functions is like this: besides the barbed wire outside, I also put the treasure in a safe. If someone gets through the barbed wire and into the house, they see the safe at a glance. The safe may not be
opened easily, but what if they carry the safe off and analyse it at leisure? That is not secure enough either.
But anti-patching is not the way to encryption either:
once the encrypted section is dumped and taken away to be analysed at leisure, the result is easy to imagine!
The most secure arrangement is that someone gets into the house and finds nothing at all. Having no target is what gives people the biggest headache.
The result of that, of course, is that the whole house has to be searched before there is any chance of finding what one wants.
For example,
you don't have a computer and you come to my house to find one,
I've taken it apart
and put the pieces in different places,
but all of them inside this house,
so you have to find every single part,
but I've been extra cautious:
I took a diode off the mainboard and tucked it into the bristles of a toothbrush.
You find everything except that one diode, and it still won't run,
right?
Without enough care, or without luck, you simply can't finish.
Then the question comes up again: however well it is hidden, it can't escape a one hundred percent search.
That is no longer a problem.
A one hundred percent reverse would be more work than studying hard and writing something of the same kind yourself.
So
perversely hidden information is the real way to resist decryption,
crackme10.4 has basically built in this thinking and started testing the water! HOHO, well said..., learning...
Posting the complete reverse of crackme10.4
This one was put up on 看雪 to be cracked,
but nobody managed it,
so I had to reverse it myself.
If you crack it by reversing it completely, solving it is of course no trouble at all,
so that is exactly what I did, reversed it completely,
and so the key parts were dumped out very easily;
since I have the source it is of course far more convenient for me than for others,
but even without source, if you decide to reverse it completely, it is an easy thing too!
It is just a matter of understanding what a few assembly instructions mean.
00455E88 .50 push eax
00455E89 .A1 C45E4500 mov eax, dword ptr
00455E8E .25 FF000000 and eax, 0FF ;test whether the first byte of the button click handler is CC
00455E93 .3C CC cmp al, 0CC
00455E95 .74 0A je short 00455EA1
00455E97 .C705 5F644500>mov dword ptr , 4
00455EA1 >58 pop eax
00455EA2 .C3 retn
00455EA3 90 nop
00455EA4 .53 push ebx
00455EA5 .8BD8 mov ebx, eax
00455EA7 .33D2 xor edx, edx
00455EA9 .8B83 04030000 mov eax, dword ptr [ebx+304]
00455EAF .E8 C8EDFDFF call 00434C7C
00455EB4 .33D2 xor edx, edx
00455EB6 .8B83 08030000 mov eax, dword ptr [ebx+308]
00455EBC .E8 BBEDFDFF call 00434C7C
00455EC1 .5B pop ebx
00455EC2 .C3 retn
00455EC3 90 nop
00455EC4 .558BECB9 dd B9EC8B55
00455EC8 17 db 17
00455EC9 00 db 00
00455ECA 00 db 00
00455ECB 00 db 00
00455ECC >6A 00 push 0
00455ECE .6A 00 push 0
00455ED0 .49 dec ecx
00455ED1 .^ 75 F9 jnz short 00455ECC
00455ED3 .53 push ebx
00455ED4 .56 push esi
00455ED5 .57 push edi
00455ED6 .8955 FC mov dword ptr [ebp-4], edx
00455ED9 .8BD8 mov ebx, eax
00455EDB .33C0 xor eax, eax
00455EDD .55 push ebp
00455EDE .68 156D4500 push 00456D15
00455EE3 .64:FF30 push dword ptr fs:[eax]
00455EE6 .64:8920 mov dword ptr fs:[eax], esp ;a huge try begins, Delphi structure!
00455EE9 .33FF xor edi, edi
00455EEB .33C0 xor eax, eax
00455EED .8945 B0 mov dword ptr [ebp-50], eax
00455EF0 .33C0 xor eax, eax
00455EF2 .8945 C4 mov dword ptr [ebp-3C], eax
00455EF5 .33C0 xor eax, eax
00455EF7 .8945 C0 mov dword ptr [ebp-40], eax
00455EFA .33C0 xor eax, eax
00455EFC .8945 BC mov dword ptr [ebp-44], eax
00455EFF .33C0 xor eax, eax
00455F01 .8945 B8 mov dword ptr [ebp-48], eax
00455F04 .33C0 xor eax, eax
00455F06 .8945 B4 mov dword ptr [ebp-4C], eax
00455F09 .33C0 xor eax, eax
00455F0B .8945 E8 mov dword ptr [ebp-18], eax
00455F0E .C745 AC 01000>mov dword ptr [ebp-54], 1
00455F15 .C745 A8 01000>mov dword ptr [ebp-58], 1
00455F1C .8D55 9C lea edx, dword ptr [ebp-64]
00455F1F .8B83 04030000 mov eax, dword ptr [ebx+304]
00455F25 .E8 22EDFDFF call 00434C4C
00455F2A .8D55 98 lea edx, dword ptr [ebp-68]
00455F2D .8B83 08030000 mov eax, dword ptr [ebx+308]
00455F33 .E8 14EDFDFF call 00434C4C
00455F38 .8D45 88 lea eax, dword ptr [ebp-78]
00455F3B .BA 2C6D4500 mov edx, 00456D2C ;abcdefghijklmnopqrstuvwxyz
00455F40 .E8 DBDFFAFF call 00403F20
00455F45 .C685 7BFFFFFF>mov byte ptr [ebp-85], 1
00455F4C .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
00455F52 .8B55 88 mov edx, dword ptr [ebp-78] ;edx = the string 'a-z'
00455F55 .8A52 16 mov dl, byte ptr [edx+16] ;points at character 16h, 'w'
00455F58 .8850 01 mov byte ptr [eax+1], dl
00455F5B .C600 01 mov byte ptr [eax], 1
00455F5E .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00455F64 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00455F6A .E8 C9CAFAFF call 00402A38 ;counter +1
00455F6F .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00455F75 .8B55 88 mov edx, dword ptr [ebp-78] ;edx = the string 'a-z'
00455F78 .8A52 11 mov dl, byte ptr [edx+11] ;points at character 11h, 'r'
00455F7B .8850 01 mov byte ptr [eax+1], dl
00455F7E .C600 01 mov byte ptr [eax], 1
00455F81 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00455F87 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00455F8D .B1 02 mov cl, 2
00455F8F .E8 74CAFAFF call 00402A08 ;step over this call and you can see its result: it is used for concatenation!
00455F94 .8D95 6CFFFFFF lea edx, dword ptr [ebp-94] ;edx = 'wr', the concatenated result!
00455F9A .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00455FA0 .E8 93CAFAFF call 00402A38 ;counter +1
00455FA5 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00455FAB .8B55 88 mov edx, dword ptr [ebp-78]
00455FAE .8A52 0E mov dl, byte ptr [edx+E] ;points at character Eh, 'o'
00455FB1 .8850 01 mov byte ptr [eax+1], dl
00455FB4 .C600 01 mov byte ptr [eax], 1
00455FB7 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00455FBD .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00455FC3 .B1 03 mov cl, 3
00455FC5 .E8 3ECAFAFF call 00402A08 ;concatenated into 'wro'
00455FCA .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00455FD0 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00455FD6 .E8 5DCAFAFF call 00402A38
00455FDB .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00455FE1 .8B55 88 mov edx, dword ptr [ebp-78]
00455FE4 .8A52 0D mov dl, byte ptr [edx+D]
00455FE7 .8850 01 mov byte ptr [eax+1], dl
00455FEA .C600 01 mov byte ptr [eax], 1
00455FED .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00455FF3 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00455FF9 .B1 04 mov cl, 4
00455FFB .E8 08CAFAFF call 00402A08
00456000 .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00456006 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
0045600C .E8 27CAFAFF call 00402A38
00456011 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456017 .8B55 88 mov edx, dword ptr [ebp-78]
0045601A .8A52 06 mov dl, byte ptr [edx+6]
0045601D .8850 01 mov byte ptr [eax+1], dl
00456020 .C600 01 mov byte ptr [eax], 1
00456023 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456029 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
0045602F .B1 05 mov cl, 5
00456031 .E8 D2C9FAFF call 00402A08 ;it keeps appending like this up to here, and out comes the string 'wrong'!
00456036 .8D95 54FFFFFF lea edx, dword ptr [ebp-AC] ;(initial cpu selection)
0045603C .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456042 .E8 A5E0FAFF call 004040EC
00456047 .8B45 98 mov eax, dword ptr [ebp-68] ;points at the entered serial
0045604A .E8 F9E0FAFF call 00404148 ;get length
0045604F .83F8 05 cmp eax, 5
00456052 .0F8C 8F0C0000 jl 00456CE7 ;jump away if less!
00456058 .FF45 E8 inc dword ptr [ebp-18]
0045605B .8B45 9C mov eax, dword ptr [ebp-64] ;points at the user name
0045605E .E8 E5E0FAFF call 00404148 ;seen this call above, it gets the length
00456063 .83F8 06 cmp eax, 6 ;decimal 6
00456066 .0F8C 06040000 jl 00456472 ;jump away if less! //// this piece of code seems odd to me; if it were me I would use
0045606C .FF45 E8 inc dword ptr [ebp-18] ; //// cmp eax,6
0045606F .8B45 9C mov eax, dword ptr [ebp-64] ;points at the user name //// jl 00456472
00456072 .E8 D1E0FAFF call 00404148 ;get length //// cmp eax,0a
00456077 .83F8 0A cmp eax, 0A ;decimal 10 //// jg 00456472
0045607A .0F8F F2030000 jg 00456472 ;jump away if greater! You can tell 456472 is not a good place.
00456080 .FF45 E8 inc dword ptr [ebp-18] ;this value was incremented once above, and here it is incremented again!
00456083 .8B45 9C mov eax, dword ptr [ebp-64]
00456086 .E8 BDE0FAFF call 00404148 ;the get-length call again; no wonder so many people don't want to solve this thing!
0045608B .85C0 test eax, eax
0045608D .7E 70 jle short 004560FF
0045608F .8985 74FFFFFF mov dword ptr [ebp-8C], eax
00456095 .C745 F8 01000>mov dword ptr [ebp-8], 1
0045609C >8B45 9C mov eax, dword ptr [ebp-64]
0045609F .E8 A4E0FAFF call 00404148 ;get length again!
004560A4 .8BD8 mov ebx, eax
004560A6 .85DB test ebx, ebx
004560A8 .7E 2B jle short 004560D5
004560AA .BE 01000000 mov esi, 1 ;this resets ESI to 1
004560AF >8B45 9C mov eax, dword ptr [ebp-64] ;the changing value is assigned to eax and takes part in the inner loop's computation!
004560B2 .E8 91E0FAFF call 00404148 ;get length again, used in the computation! An inner loop!
004560B7 .2B45 F8 sub eax, dword ptr [ebp-8] ;this is a counter too, see 45609c and 4560f4
004560BA .8B55 9C mov edx, dword ptr [ebp-64]
004560BD .0FB64402 FF movzx eax, byte ptr [edx+eax-1];from how EAX changes in the outer loop, plus the result seen here, this takes the user name's ASCII values in reverse order
004560C2 .8B55 9C mov edx, dword ptr [ebp-64] ;here you can see it takes the ASCII value of one user name character
004560C5 .0FB65432 FF movzx edx, byte ptr [edx+esi-1]
004560CA .F7EA imul edx ;eax*edx; within this inner loop the EAX multiplicand does not change!
004560CC .C1E8 06 shr eax, 6 ;shift eax right by 6 bits
004560CF .03F8 add edi, eax ;EDI waits here for their computation; once it is done, it is accumulated here
004560D1 .46 inc esi ;count! increment
004560D2 .4B dec ebx ;decrement used for the computation
004560D3 .^ 75 DA jnz short 004560AF ;so in this inner loop the result is accumulated in edi, computed from one fixed eax value against the ASCII value of each user name character in turn!
004560D5 >017D B0 add dword ptr [ebp-50], edi ;EDI's value gets added to it, and here it becomes the master accumulator!
004560D8 .8D95 50FFFFFF lea edx, dword ptr [ebp-B0]
004560DE .8B45 B0 mov eax, dword ptr [ebp-50]
004560E1 .E8 461CFBFF call 00407D2C ;from the return value you can tell this converts hex to decimal
004560E6 .8B95 50FFFFFF mov edx, dword ptr [ebp-B0]
004560EC .8D45 90 lea eax, dword ptr [ebp-70]
004560EF .E8 5CE0FAFF call 00404150 ;stores the results one after another
004560F4 .FF45 F8 inc dword ptr [ebp-8] ;counter; finally understood that it is a counter! increment
004560F7 .FF8D 74FFFFFF dec dword ptr [ebp-8C] ;decrement
004560FD .^ 75 9D jnz short 0045609C ;the outer loop body!
004560FF >8B45 90 mov eax, dword ptr [ebp-70] ;what is stored is the final result of this round of computation!
00456102 .E8 41E0FAFF call 00404148 ;get length
00456107 .85C0 test eax, eax
00456109 .7E 6F jle short 0045617A
0045610B .8985 74FFFFFF mov dword ptr [ebp-8C], eax
00456111 .BF 01000000 mov edi, 1
00456116 >8B45 90 mov eax, dword ptr [ebp-70] ;the section below is the same as above, except for the data it works on! Here you can see a result just computed above!
00456119 .E8 2AE0FAFF call 00404148 ;get length
0045611E .8BD8 mov ebx, eax
00456120 .85DB test ebx, ebx
00456122 .7E 2B jle short 0045614F ;exit the loop!
00456124 .BE 01000000 mov esi, 1
00456129 >8B45 90 mov eax, dword ptr [ebp-70]
0045612C .E8 17E0FAFF call 00404148 ;get length
00456131 .2BC7 sub eax, edi
00456133 .8B55 90 mov edx, dword ptr [ebp-70]
00456136 .0FB64402 FF movzx eax, byte ptr [edx+eax-1]
0045613B .8B55 90 mov edx, dword ptr [ebp-70]
0045613E .0FB65432 FF movzx edx, byte ptr [edx+esi-1]
00456143 .F7EA imul edx
00456145 .C1E8 06 shr eax, 6
00456148 .0145 CC add dword ptr [ebp-34], eax
0045614B .46 inc esi
0045614C .4B dec ebx
0045614D .^ 75 DA jnz short 00456129 ;the same thing as the inner loop above!
0045614F >8B45 CC mov eax, dword ptr [ebp-34]
00456152 .0145 C4 add dword ptr [ebp-3C], eax
00456155 .8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
0045615B .8B45 C4 mov eax, dword ptr [ebp-3C]
0045615E .E8 C91BFBFF call 00407D2C ;hex to decimal
00456163 .8B95 4CFFFFFF mov edx, dword ptr [ebp-B4]
00456169 .8D45 94 lea eax, dword ptr [ebp-6C] ;holds the computed value!
0045616C .E8 DFDFFAFF call 00404150 ;same call as above, same structure!
00456171 .47 inc edi
00456172 .FF8D 74FFFFFF dec dword ptr [ebp-8C]
00456178 .^ 75 9C jnz short 00456116 ;same as the outer loop above!
0045617A >C745 D8 01000>mov dword ptr [ebp-28], 1
00456181 >837D D8 05 cmp dword ptr [ebp-28], 5 ;you can tell this is a variable, so keep watching how it changes!
00456185 .7D 1E jge short 004561A5 ;greater than 5? then jump!
00456187 .8B45 90 mov eax, dword ptr [ebp-70]
0045618A .8B55 D8 mov edx, dword ptr [ebp-28] ;edx = the variable
0045618D .8A5C10 FF mov bl, byte ptr [eax+edx-1] ;take the first round's result, the ASCII at the position given by the variable
00456191 .8B45 98 mov eax, dword ptr [ebp-68] ;the entered serial
00456194 .8B55 D8 mov edx, dword ptr [ebp-28]
00456197 .8A4410 FF mov al, byte ptr [eax+edx-1] ;the ASCII at the corresponding position of the entered serial
0045619B .32D8 xor bl, al ;XOR the two values
0045619D .81E3 FF000000 and ebx, 0FF ;EBX = bl, I suppose!
004561A3 .EB 40 jmp short 004561E5 ;this is the first rather magical jump; there are more below
004561A5 >837D D8 08 cmp dword ptr [ebp-28], 8 ;the variable
004561A9 .7E 1E jle short 004561C9 ;less than 8? then jump!
004561AB .8B45 94 mov eax, dword ptr [ebp-6C] ;points at the result computed by the second outer loop!
004561AE .8B55 D8 mov edx, dword ptr [ebp-28]
004561B1 .8A5C10 FF mov bl, byte ptr [eax+edx-1] ;the character of the second round's result!
004561B5 .8B45 98 mov eax, dword ptr [ebp-68]
004561B8 .8B55 D8 mov edx, dword ptr [ebp-28]
004561BB .8A4410 FF mov al, byte ptr [eax+edx-1] ;the corresponding character of the serial!
004561BF .32D8 xor bl, al
004561C1 .81E3 FF000000 and ebx, 0FF ;ebx = the XOR of the two ASCII values
004561C7 .EB 1C jmp short 004561E5 ;this is the second one
004561C9 >8B45 90 mov eax, dword ptr [ebp-70] ;by here the cases greater than 8 and less than 5 were already handled above; what remains is handled here.
004561CC .8B55 D8 mov edx, dword ptr [ebp-28]
004561CF .8A5C10 FF mov bl, byte ptr [eax+edx-1] ;these lines are the same as the code before the jumps above; this round takes the values,
004561D3 .8B45 98 mov eax, dword ptr [ebp-68]
004561D6 .8B55 D8 mov edx, dword ptr [ebp-28]
004561D9 .8A4410 FF mov al, byte ptr [eax+edx-1]
004561DD .32D8 xor bl, al
004561DF .81E3 FF000000 and ebx, 0FF ;ebx = the XOR of the two ASCII values
004561E5 >33C0 xor eax, eax ;many jumps land here, which shows this spot is rather special!
004561E7 .55 push ebp
004561E8 .68 65624500 push 00456265 ;if you trace into the try, watch this! Set a breakpoint at 00456265 first! Otherwise, once you end up inside the system, finding the way out is hard!
004561ED .64:FF30 push dword ptr fs:[eax]
004561F0 .64:8920 mov dword ptr fs:[eax], esp ;the try structure!
004561F3 .8B45 98 mov eax, dword ptr [ebp-68]
004561F6 .E8 4DDFFAFF call 00404148 ;get length,
004561FB .99 cdq
004561FC .F7FB idiv ebx ;eax/ebx, and this ebx is the XOR of the value computed above with the corresponding serial character,
004561FE .8945 AC mov dword ptr [ebp-54], eax ;a value comes out here and is stored from EAX, meaning idiv ebx was valid! Later I realised this is there to provoke an exception
00456201 .837D D8 04 cmp dword ptr [ebp-28], 4 ;less than or equal to 4: go back and continue the loop!
00456205 .7E 54 jle short 0045625B
00456207 .837D D8 09 cmp dword ptr [ebp-28], 9 ;greater than or equal to 9: go back and continue the loop!
0045620B .7D 4E jge short 0045625B
0045620D .33F6 xor esi, esi ;clear esi to 0
0045620F .8D45 8C lea eax, dword ptr [ebp-74]
00456212 .E8 71DCFAFF call 00403E88 ;step into it and you see it clears the string; the code is short and easy to follow; the first line points at the address in EAX, and the EAX address points at
00456217 .BB 05000000 mov ebx, 5 ;initialise EBX,
0045621C >8B45 90 mov eax, dword ptr [ebp-70]
0045621F .0FB64418 FF movzx eax, byte ptr [eax+ebx-1];the ASCII at position ebx of the pointed-to string
00456224 .BA 0D000000 mov edx, 0D
00456229 .2BD3 sub edx, ebx ;0Dh-ebx, stored into edx
0045622B .8B4D 90 mov ecx, dword ptr [ebp-70]
0045622E .0FB65411 FF movzx edx, byte ptr [ecx+edx-1];the ASCII at position edx of the pointed-to string
00456233 .F7EA imul edx ;multiply the two values taken above
00456235 .03F0 add esi, eax ;accumulate the result into esi
00456237 .8D95 48FFFFFF lea edx, dword ptr [ebp-B8] ;so the numeric value turns into a string
0045623D .8BC6 mov eax, esi
0045623F .E8 E81AFBFF call 00407D2C ;hex to decimal
00456244 .8B95 48FFFFFF mov edx, dword ptr [ebp-B8]
0045624A .8D45 8C lea eax, dword ptr [ebp-74]
0045624D .E8 FEDEFAFF call 00404150 ;seen this call before; stores the results one after another in
00456252 .43 inc ebx ;ebx counter increments!
00456253 .83FB 09 cmp ebx, 9 ;less than 9: jump back and loop!
00456256 .^ 75 C4 jnz short 0045621C
00456258 .FF45 BC inc dword ptr [ebp-44] ;counter, increment
0045625B >33C0 xor eax, eax
0045625D .5A pop edx
0045625E .59 pop ecx
0045625F .59 pop ecx
00456260 .64:8910 mov dword ptr fs:[eax], edx
00456263 .EB 19 jmp short 0045627E
00456265 .^ E9 9AD4FAFF jmp 00403704 ;this is the breakpoint to set when tracing the try; single-step from here onward!
0045626A 01 db 01 ;I can say outright that it is this address + 0Dh; if you don't believe me, trace it! You will find that after that push it is popped into ecx, then the value at ecx+9 is popped into ebx, and finally JMP
0045626B 00 db 00
0045626C 00 db 00
0045626D 00 db 00
0045626E .04704000 dd fonge's_.00407004
00456272 .76624500 dd fonge's_.00456276
00456276 .FF45 C0 inc dword ptr [ebp-40] ;incremented by 1 when a divide-by-zero exception occurs
00456279 .E8 C2D6FAFF call 00403940 ;step over it; one of the call structures inside the try, not studied here!
0045627E >FF45 D8 inc dword ptr [ebp-28] ;incremented here too!
00456281 .837D D8 11 cmp dword ptr [ebp-28], 11 ;anything below 11h jumps back and loops; one huge loop, with a try
00456285 .^ 0F85 F6FEFFFF jnz 00456181
0045628B .C745 C8 01000>mov dword ptr [ebp-38], 1 ;clearly an important variable
00456292 >33DB xor ebx, ebx ;clear ebx to 0
00456294 .837D C8 05 cmp dword ptr [ebp-38], 5 ;jump away if greater than or equal to 5
00456298 .7D 50 jge short 004562EA
0045629A .837D C8 03 cmp dword ptr [ebp-38], 3 ;jump away if greater than or equal to 3
0045629E .7D 25 jge short 004562C5
004562A0 .8B45 C8 mov eax, dword ptr [ebp-38] ;the variable into eax
004562A3 .83C0 10 add eax, 10 ;+10h
004562A6 .8B55 90 mov edx, dword ptr [ebp-70] ;into edx!
004562A9 .8A4402 FF mov al, byte ptr [edx+eax-1] ;al = position eax of the pointed-to string, and eax here is exactly the variable + 10h
004562AD .8B55 C8 mov edx, dword ptr [ebp-38]
004562B0 .83C2 10 add edx, 10 ;exactly the same as above
004562B3 .8B4D 98 mov ecx, dword ptr [ebp-68] ;points at the entered serial
004562B6 .8A5411 FF mov dl, byte ptr [ecx+edx-1]
004562BA .32C2 xor al, dl ;XOR the two values
004562BC .25 FF000000 and eax, 0FF ;eax=al
004562C1 .03D8 add ebx, eax ;ebx accumulates; cleared above, accumulated here, pointless!
004562C3 .EB 7E jmp short 00456343 ;jumps to some place
004562C5 >8B45 C8 mov eax, dword ptr [ebp-38] ;arrives here when greater than or equal to 3
004562C8 .83C0 10 add eax, 10
004562CB .8B55 94 mov edx, dword ptr [ebp-6C] ;points at the second outer loop's result, nothing more to say
004562CE .8A4402 FF mov al, byte ptr [edx+eax-1] ;position eax of it, eax=
004562D2 .8B55 C8 mov edx, dword ptr [ebp-38]
004562D5 .83C2 10 add edx, 10
004562D8 .8B4D 98 mov ecx, dword ptr [ebp-68] ;points at the entered code
004562DB .8A5411 FF mov dl, byte ptr [ecx+edx-1] ;I really don't want to explain these again, there were too many above!
004562DF .32C2 xor al, dl
004562E1 .25 FF000000 and eax, 0FF ;eax=al
004562E6 .03D8 add ebx, eax
004562E8 .EB 59 jmp short 00456343 ;like above, jumps to the same place
004562EA >837D C8 09 cmp dword ptr [ebp-38], 9 ;greater than or equal to 5, and if also greater than or equal to 9, jump away again
004562EE .7D 31 jge short 00456321 ;equivalent to the computation for 5-8!
004562F0 .8B45 8C mov eax, dword ptr [ebp-74] ;see the result at 45624A
004562F3 .E8 50DEFAFF call 00404148 ;get length
004562F8 .83F8 04 cmp eax, 4
004562FB .7E 46 jle short 00456343 ;jump if less than or equal to 4
004562FD .8B45 8C mov eax, dword ptr [ebp-74]
00456300 .8B55 C8 mov edx, dword ptr [ebp-38] ;points at a variable
00456303 .8A5C10 FB mov bl, byte ptr [eax+edx-5] ;here edx-5 is the variable again, so this points at the corresponding position
00456307 .8B45 C8 mov eax, dword ptr [ebp-38] ;bl = position edx-5 of the pointed-to string
0045630A .83C0 10 add eax, 10
0045630D .8B55 98 mov edx, dword ptr [ebp-68]
00456310 .8A4402 FF mov al, byte ptr [edx+eax-1] ;not explaining these sections again, too many of the same structure before
00456314 .32D8 xor bl, al
00456316 .81E3 FF000000 and ebx, 0FF
0045631C .FF45 B8 inc dword ptr [ebp-48] ;a variable is incremented here, worth noting
0045631F .EB 22 jmp short 00456343 ;the third jump to the same place!
00456321 >8B45 C8 mov eax, dword ptr [ebp-38] ;9 and above are handled here
00456324 .83C0 10 add eax, 10
00456327 .8B55 98 mov edx, dword ptr [ebp-68]
0045632A .8A5C02 FF mov bl, byte ptr [edx+eax-1] ;these lines need no more explanation
0045632E .8B45 C8 mov eax, dword ptr [ebp-38] ;too many
00456331 .83C0 0A add eax, 0A
00456334 .8B55 94 mov edx, dword ptr [ebp-6C]
00456337 .8A4402 FF mov al, byte ptr [edx+eax-1]
0045633B .32D8 xor bl, al
0045633D .81E3 FF000000 and ebx, 0FF ;ebx=bl
00456343 >33C0 xor eax, eax ;clear eax to 0
00456345 .55 push ebp
00456346 .68 38644500 push 00456438 ;the try begins; watch this value when tracing the try, and watch it even if you don't, because this value + Dh points at the exception handler
0045634B .64:FF30 push dword ptr fs:[eax]
0045634E .64:8920 mov dword ptr fs:[eax], esp
00456351 .8B45 98 mov eax, dword ptr [ebp-68]
00456354 .E8 EFDDFAFF call 00404148 ;its length comes out here
00456359 .99 cdq
0045635A .F7FB idiv ebx ;divide again by the ebx value from all the loop branches above
0045635C .8945 AC mov dword ptr [ebp-54], eax ;store EAX, meaning idiv ebx was valid!
0045635F .837D C8 08 cmp dword ptr [ebp-38], 8 ;jump away if less than or equal to 8
00456363 .0F8E C5000000 jle 0045642E
00456369 .8B45 98 mov eax, dword ptr [ebp-68]
0045636C .8A58 18 mov bl, byte ptr [eax+18] ;points at position 18h of the entered code
0045636F .80F3 22 xor bl, 22
00456372 .81E3 FF000000 and ebx, 0FF ;ebx=bl xor 22h
00456378 .8B45 98 mov eax, dword ptr [ebp-68]
0045637B .8A40 19 mov al, byte ptr [eax+19] ;position 19h
0045637E .34 3B xor al, 3B
00456380 .8BF0 mov esi, eax
00456382 .81E6 FF000000 and esi, 0FF ;esi=al xor 3bh
00456388 .8B45 98 mov eax, dword ptr [ebp-68] ;position 1ah
0045638B .8A40 1A mov al, byte ptr [eax+1A]
0045638E .34 3E xor al, 3E
00456390 .8BF8 mov edi, eax
00456392 .81E7 FF000000 and edi, 0FF ;edi=al xor 3eh
00456398 .8D85 70FFFFFF lea eax, dword ptr [ebp-90] ;what comes back is an address
0045639E .8B55 88 mov edx, dword ptr [ebp-78] ;points at the string 'a-z'
004563A1 .8A541A FF mov dl, byte ptr [edx+ebx-1] ;ebx is the value from 456372
004563A5 .8850 01 mov byte ptr [eax+1], dl ;the corresponding character is stored
004563A8 .C600 01 mov byte ptr [eax], 1 ;set to 1
004563AB .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
004563B1 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004563B7 .E8 7CC6FAFF call 00402A38 ;used to concatenate ASCII characters, seen it before!
004563BC .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004563C2 .8B55 88 mov edx, dword ptr [ebp-78] ;check the stack to see what it is, no need to say
004563C5 .8A5432 FF mov dl, byte ptr [edx+esi-1]
004563C9 .8850 01 mov byte ptr [eax+1], dl
004563CC .C600 01 mov byte ptr [eax], 1
004563CF .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004563D5 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004563DB .B1 02 mov cl, 2
004563DD .E8 26C6FAFF call 00402A08 ;concatenate
004563E2 .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
004563E8 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004563EE .E8 45C6FAFF call 00402A38
004563F3 .8D85 68FFFFFF lea eax, dword ptr [ebp-98] ;seeing 2A38 and 2A08 you know it is for building the code
004563F9 .8B55 88 mov edx, dword ptr [ebp-78]
004563FC .8A543A FF mov dl, byte ptr [edx+edi-1]
00456400 .8850 01 mov byte ptr [eax+1], dl
00456403 .C600 01 mov byte ptr [eax], 1
00456406 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0045640C .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456412 .B1 03 mov cl, 3
00456414 .E8 EFC5FAFF call 00402A08 ;concatenate
00456419 .8D95 64FFFFFF lea edx, dword ptr [ebp-9C] ;the final result from above
0045641F .8D45 84 lea eax, dword ptr [ebp-7C]
00456422 .E8 C5DCFAFF call 004040EC ;4040EC also appeared above; in short, it is used for concatenation
00456427 .C685 7BFFFFFF>mov byte ptr [ebp-85], 2 ;set to 2,
0045642E >33C0 xor eax, eax
00456430 .5A pop edx
00456431 .59 pop ecx
00456432 .59 pop ecx
00456433 .64:8910 mov dword ptr fs:[eax], edx
00456436 .EB 19 jmp short 00456451
00456438 .^ E9 C7D2FAFF jmp 00403704
0045643D 01 db 01
0045643E 00 db 00
0045643F 00 db 00
00456440 00 db 00
00456441 .04704000 dd fonge's_.00407004
00456445 .49644500 dd fonge's_.00456449
00456449 .FF45 B4 inc dword ptr [ebp-4C] ;this is the exception handling, remember it
0045644C .E8 EFD4FAFF call 00403940
00456451 >FF45 C8 inc dword ptr [ebp-38] ;loop counter
00456454 .837D C8 0C cmp dword ptr [ebp-38], 0C ;compare value
00456458 .^ 0F85 34FEFFFF jnz 00456292
0045645E .EB 12 jmp short 00456472 ;a jump, related to creating the file!
00456460 00 db 00
00456461 00 db 00
00456462 00 db 00
00456463 00 db 00
00456464 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
0045646A .8B55 84 mov edx, dword ptr [ebp-7C]
0045646D .E8 AEDAFAFF call 00403F20 ;make the one location equal the value at the other
00456472 >837D C0 0C cmp dword ptr [ebp-40], 0C ;the comparisons begin,
00456476 .0F8D 02010000 jge 0045657E
0045647C .8D85 70FFFFFF lea eax, dword ptr [ebp-90] ;same as 454F4X above, already analysed; it builds a 'wrong'
00456482 .8B55 88 mov edx, dword ptr [ebp-78]
00456485 .8A52 16 mov dl, byte ptr [edx+16]
00456488 .8850 01 mov byte ptr [eax+1], dl
0045648B .C600 01 mov byte ptr [eax], 1
0045648E .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00456494 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
0045649A .E8 99C5FAFF call 00402A38
0045649F .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004564A5 .8B55 88 mov edx, dword ptr [ebp-78]
004564A8 .8A52 11 mov dl, byte ptr [edx+11]
004564AB .8850 01 mov byte ptr [eax+1], dl
004564AE .C600 01 mov byte ptr [eax], 1
004564B1 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004564B7 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004564BD .B1 02 mov cl, 2
004564BF .E8 44C5FAFF call 00402A08
004564C4 .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
004564CA .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004564D0 .E8 63C5FAFF call 00402A38
004564D5 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004564DB .8B55 88 mov edx, dword ptr [ebp-78]
004564DE .8A52 0E mov dl, byte ptr [edx+E]
004564E1 .8850 01 mov byte ptr [eax+1], dl
004564E4 .C600 01 mov byte ptr [eax], 1
004564E7 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004564ED .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004564F3 .B1 03 mov cl, 3
004564F5 .E8 0EC5FAFF call 00402A08
004564FA .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00456500 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456506 .E8 2DC5FAFF call 00402A38
0045650B .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456511 .8B55 88 mov edx, dword ptr [ebp-78]
00456514 .8A52 0D mov dl, byte ptr [edx+D]
00456517 .8850 01 mov byte ptr [eax+1], dl
0045651A .C600 01 mov byte ptr [eax], 1
0045651D .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456523 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456529 .B1 04 mov cl, 4
0045652B .E8 D8C4FAFF call 00402A08
00456530 .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00456536 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
0045653C .E8 F7C4FAFF call 00402A38
00456541 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456547 .8B55 88 mov edx, dword ptr [ebp-78]
0045654A .8A52 06 mov dl, byte ptr [edx+6]
0045654D .8850 01 mov byte ptr [eax+1], dl
00456550 .C600 01 mov byte ptr [eax], 1
00456553 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456559 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
0045655F .B1 05 mov cl, 5
00456561 .E8 A2C4FAFF call 00402A08
00456566 .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
0045656C .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456572 .E8 75DBFAFF call 004040EC ;up to here; there are many more below
00456577 .C685 7BFFFFFF>mov byte ptr [ebp-85], 1 ;set to 1, note this
0045657E >837D C0 10 cmp dword ptr [ebp-40], 10 ;still comparing
00456582 .0F8E 02010000 jle 0045668A
00456588 .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
0045658E .8B55 88 mov edx, dword ptr [ebp-78]
00456591 .8A52 16 mov dl, byte ptr [edx+16]
00456594 .8850 01 mov byte ptr [eax+1], dl
00456597 .C600 01 mov byte ptr [eax], 1
0045659A .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
004565A0 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004565A6 .E8 8DC4FAFF call 00402A38
004565AB .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004565B1 .8B55 88 mov edx, dword ptr [ebp-78]
004565B4 .8A52 11 mov dl, byte ptr [edx+11]
004565B7 .8850 01 mov byte ptr [eax+1], dl
004565BA .C600 01 mov byte ptr [eax], 1
004565BD .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004565C3 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004565C9 .B1 02 mov cl, 2
004565CB .E8 38C4FAFF call 00402A08
004565D0 .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
004565D6 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004565DC .E8 57C4FAFF call 00402A38
004565E1 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004565E7 .8B55 88 mov edx, dword ptr [ebp-78]
004565EA .8A52 0E mov dl, byte ptr [edx+E]
004565ED .8850 01 mov byte ptr [eax+1], dl
004565F0 .C600 01 mov byte ptr [eax], 1
004565F3 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004565F9 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004565FF .B1 03 mov cl, 3
00456601 .E8 02C4FAFF call 00402A08
00456606 .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
0045660C .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456612 .E8 21C4FAFF call 00402A38
00456617 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
0045661D .8B55 88 mov edx, dword ptr [ebp-78]
00456620 .8A52 0D mov dl, byte ptr [edx+D]
00456623 .8850 01 mov byte ptr [eax+1], dl
00456626 .C600 01 mov byte ptr [eax], 1
00456629 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0045662F .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456635 .B1 04 mov cl, 4
00456637 .E8 CCC3FAFF call 00402A08
0045663C .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00456642 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456648 .E8 EBC3FAFF call 00402A38
0045664D .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456653 .8B55 88 mov edx, dword ptr [ebp-78]
00456656 .8A52 06 mov dl, byte ptr [edx+6]
00456659 .8850 01 mov byte ptr [eax+1], dl
0045665C .C600 01 mov byte ptr [eax], 1
0045665F .8D95 68FFFFFF lea edx, dword ptr [ebp-98] ;same code as the section above
00456665 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
0045666B .B1 05 mov cl, 5
0045666D .E8 96C3FAFF call 00402A08
00456672 .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00456678 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
0045667E .E8 69DAFAFF call 004040EC
00456683 .C685 7BFFFFFF>mov byte ptr [ebp-85], 1
0045668A >837D BC 01 cmp dword ptr [ebp-44], 1 ;this time it is the value of that one
0045668E .0F8D 02010000 jge 00456796
00456694 .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
0045669A .8B55 88 mov edx, dword ptr [ebp-78]
0045669D .8A52 16 mov dl, byte ptr [edx+16]
004566A0 .8850 01 mov byte ptr [eax+1], dl
004566A3 .C600 01 mov byte ptr [eax], 1
004566A6 .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
004566AC .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004566B2 .E8 81C3FAFF call 00402A38
004566B7 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004566BD .8B55 88 mov edx, dword ptr [ebp-78]
004566C0 .8A52 11 mov dl, byte ptr [edx+11]
004566C3 .8850 01 mov byte ptr [eax+1], dl
004566C6 .C600 01 mov byte ptr [eax], 1
004566C9 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004566CF .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004566D5 .B1 02 mov cl, 2
004566D7 .E8 2CC3FAFF call 00402A08
004566DC .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
004566E2 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004566E8 .E8 4BC3FAFF call 00402A38
004566ED .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004566F3 .8B55 88 mov edx, dword ptr [ebp-78]
004566F6 .8A52 0E mov dl, byte ptr [edx+E]
004566F9 .8850 01 mov byte ptr [eax+1], dl
004566FC .C600 01 mov byte ptr [eax], 1
004566FF .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456705 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
0045670B .B1 03 mov cl, 3
0045670D .E8 F6C2FAFF call 00402A08
00456712 .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00456718 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
0045671E .E8 15C3FAFF call 00402A38
00456723 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456729 .8B55 88 mov edx, dword ptr [ebp-78] ;same as above
0045672C .8A52 0D mov dl, byte ptr [edx+D]
0045672F .8850 01 mov byte ptr [eax+1], dl
00456732 .C600 01 mov byte ptr [eax], 1
00456735 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0045673B .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456741 .B1 04 mov cl, 4
00456743 .E8 C0C2FAFF call 00402A08
00456748 .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
0045674E .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456754 .E8 DFC2FAFF call 00402A38
00456759 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
0045675F .8B55 88 mov edx, dword ptr [ebp-78]
00456762 .8A52 06 mov dl, byte ptr [edx+6]
00456765 .8850 01 mov byte ptr [eax+1], dl
00456768 .C600 01 mov byte ptr [eax], 1
0045676B .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456771 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456777 .B1 05 mov cl, 5
00456779 .E8 8AC2FAFF call 00402A08
0045677E .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00456784 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
0045678A .E8 5DD9FAFF call 004040EC
0045678F .C685 7BFFFFFF>mov byte ptr [ebp-85], 1
00456796 >837D BC 04 cmp dword ptr [ebp-44], 4 ;still
0045679A .0F8E 02010000 jle 004568A2
004567A0 .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
004567A6 .8B55 88 mov edx, dword ptr [ebp-78]
004567A9 .8A52 16 mov dl, byte ptr [edx+16]
004567AC .8850 01 mov byte ptr [eax+1], dl
004567AF .C600 01 mov byte ptr [eax], 1
004567B2 .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
004567B8 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004567BE .E8 75C2FAFF call 00402A38
004567C3 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004567C9 .8B55 88 mov edx, dword ptr [ebp-78]
004567CC .8A52 11 mov dl, byte ptr [edx+11]
004567CF .8850 01 mov byte ptr [eax+1], dl
004567D2 .C600 01 mov byte ptr [eax], 1
004567D5 .8D95 68FFFFFF lea edx, dword ptr [ebp-98] ;still the same as above; tracing this is killing me. Heh~
004567DB .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004567E1 .B1 02 mov cl, 2
004567E3 .E8 20C2FAFF call 00402A08
004567E8 .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
004567EE .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004567F4 .E8 3FC2FAFF call 00402A38
004567F9 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004567FF .8B55 88 mov edx, dword ptr [ebp-78]
00456802 .8A52 0E mov dl, byte ptr [edx+E]
00456805 .8850 01 mov byte ptr [eax+1], dl
00456808 .C600 01 mov byte ptr [eax], 1
0045680B .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456811 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456817 .B1 03 mov cl, 3
00456819 .E8 EAC1FAFF call 00402A08
0045681E .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00456824 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
0045682A .E8 09C2FAFF call 00402A38
0045682F .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456835 .8B55 88 mov edx, dword ptr [ebp-78]
00456838 .8A52 0D mov dl, byte ptr [edx+D]
0045683B .8850 01 mov byte ptr [eax+1], dl
0045683E .C600 01 mov byte ptr [eax], 1
00456841 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456847 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
0045684D .B1 04 mov cl, 4
0045684F .E8 B4C1FAFF call 00402A08
00456854 .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
0045685A .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456860 .E8 D3C1FAFF call 00402A38
00456865 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
0045686B .8B55 88 mov edx, dword ptr [ebp-78]
0045686E .8A52 06 mov dl, byte ptr [edx+6]
00456871 .8850 01 mov byte ptr [eax+1], dl
00456874 .C600 01 mov byte ptr [eax], 1
00456877 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0045687D .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456883 .B1 05 mov cl, 5
00456885 .E8 7EC1FAFF call 00402A08
0045688A .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00456890 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456896 .E8 51D8FAFF call 004040EC
0045689B .C685 7BFFFFFF>mov byte ptr [ebp-85], 1 ; tt := mtError (TMsgDlgType value 1)
004568A2 >837D B8 03 cmp dword ptr [ebp-48], 3 ; here: the `if ad3<3` filter from cz1; the error string below is only built when it fires
004568A6 .0F8D 02010000 jge 004569AE
004568AC .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
004568B2 .8B55 88 mov edx, dword ptr [ebp-78]
004568B5 .8A52 16 mov dl, byte ptr [edx+16] ; if [ebp-78] is the `at` string, offset 16h = 'w'; this block spells "wrong" (16h,11h,0Eh,0Dh,06h) one character at a time, so no literal appears in the binary
004568B8 .8850 01 mov byte ptr [eax+1], dl
004568BB .C600 01 mov byte ptr [eax], 1
004568BE .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
004568C4 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004568CA .E8 69C1FAFF call 00402A38
004568CF .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004568D5 .8B55 88 mov edx, dword ptr [ebp-78]
004568D8 .8A52 11 mov dl, byte ptr [edx+11]
004568DB .8850 01 mov byte ptr [eax+1], dl ; same as above, identical,
004568DE .C600 01 mov byte ptr [eax], 1
004568E1 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004568E7 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004568ED .B1 02 mov cl, 2
004568EF .E8 14C1FAFF call 00402A08
004568F4 .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
004568FA .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456900 .E8 33C1FAFF call 00402A38
00456905 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
0045690B .8B55 88 mov edx, dword ptr [ebp-78]
0045690E .8A52 0E mov dl, byte ptr [edx+E]
00456911 .8850 01 mov byte ptr [eax+1], dl
00456914 .C600 01 mov byte ptr [eax], 1
00456917 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0045691D .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456923 .B1 03 mov cl, 3
00456925 .E8 DEC0FAFF call 00402A08
0045692A .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00456930 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456936 .E8 FDC0FAFF call 00402A38
0045693B .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456941 .8B55 88 mov edx, dword ptr [ebp-78]
00456944 .8A52 0D mov dl, byte ptr [edx+D]
00456947 .8850 01 mov byte ptr [eax+1], dl
0045694A .C600 01 mov byte ptr [eax], 1
0045694D .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456953 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456959 .B1 04 mov cl, 4
0045695B .E8 A8C0FAFF call 00402A08
00456960 .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00456966 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
0045696C .E8 C7C0FAFF call 00402A38
00456971 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456977 .8B55 88 mov edx, dword ptr [ebp-78]
0045697A .8A52 06 mov dl, byte ptr [edx+6]
0045697D .8850 01 mov byte ptr [eax+1], dl
00456980 .C600 01 mov byte ptr [eax], 1
00456983 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456989 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
0045698F .B1 05 mov cl, 5
00456991 .E8 72C0FAFF call 00402A08
00456996 .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
0045699C .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
004569A2 .E8 45D7FAFF call 004040EC
004569A7 .C685 7BFFFFFF>mov byte ptr [ebp-85], 1
004569AE >837D B4 08 cmp dword ptr [ebp-4C], 8 ; and here it starts again: the `if ad4<8` filter,
004569B2 .0F8D 02010000 jge 00456ABA
004569B8 .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
004569BE .8B55 88 mov edx, dword ptr [ebp-78]
004569C1 .8A52 16 mov dl, byte ptr [edx+16]
004569C4 .8850 01 mov byte ptr [eax+1], dl
004569C7 .C600 01 mov byte ptr [eax], 1
004569CA .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
004569D0 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94] ; same as above, identical,
004569D6 .E8 5DC0FAFF call 00402A38
004569DB .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004569E1 .8B55 88 mov edx, dword ptr [ebp-78]
004569E4 .8A52 11 mov dl, byte ptr [edx+11]
004569E7 .8850 01 mov byte ptr [eax+1], dl
004569EA .C600 01 mov byte ptr [eax], 1
004569ED .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004569F3 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004569F9 .B1 02 mov cl, 2
004569FB .E8 08C0FAFF call 00402A08
00456A00 .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00456A06 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456A0C .E8 27C0FAFF call 00402A38
00456A11 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456A17 .8B55 88 mov edx, dword ptr [ebp-78]
00456A1A .8A52 0E mov dl, byte ptr [edx+E]
00456A1D .8850 01 mov byte ptr [eax+1], dl
00456A20 .C600 01 mov byte ptr [eax], 1
00456A23 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456A29 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456A2F .B1 03 mov cl, 3
00456A31 .E8 D2BFFAFF call 00402A08
00456A36 .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00456A3C .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456A42 .E8 F1BFFAFF call 00402A38
00456A47 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456A4D .8B55 88 mov edx, dword ptr [ebp-78]
00456A50 .8A52 0D mov dl, byte ptr [edx+D]
00456A53 .8850 01 mov byte ptr [eax+1], dl
00456A56 .C600 01 mov byte ptr [eax], 1
00456A59 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456A5F .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456A65 .B1 04 mov cl, 4
00456A67 .E8 9CBFFAFF call 00402A08
00456A6C .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00456A72 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456A78 .E8 BBBFFAFF call 00402A38
00456A7D .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456A83 .8B55 88 mov edx, dword ptr [ebp-78]
00456A86 .8A52 06 mov dl, byte ptr [edx+6]
00456A89 .8850 01 mov byte ptr [eax+1], dl
00456A8C .C600 01 mov byte ptr [eax], 1
00456A8F .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456A95 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456A9B .B1 05 mov cl, 5
00456A9D .E8 66BFFAFF call 00402A08
00456AA2 .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00456AA8 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456AAE .E8 39D6FAFF call 004040EC
00456AB3 .C685 7BFFFFFF>mov byte ptr [ebp-85], 1
00456ABA >837D E8 02 cmp dword ptr [ebp-18], 2 ; the `if m<2` filter (username shorter than 6)
00456ABE .0F8D 07010000 jge 00456BCB
00456AC4 .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
00456ACA .8B55 88 mov edx, dword ptr [ebp-78]
00456ACD .8A52 12 mov dl, byte ptr [edx+12] ; offsets 12h,07h,0Eh,11h,13h into the alphabet spell "short"
00456AD0 .8850 01 mov byte ptr [eax+1], dl
00456AD3 .C600 01 mov byte ptr [eax], 1
00456AD6 .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00456ADC .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00456AE2 .E8 51BFFAFF call 00402A38
00456AE7 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456AED .8B55 88 mov edx, dword ptr [ebp-78]
00456AF0 .8A52 07 mov dl, byte ptr [edx+7]
00456AF3 .8850 01 mov byte ptr [eax+1], dl ; same as above, identical,
00456AF6 .C600 01 mov byte ptr [eax], 1
00456AF9 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456AFF .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00456B05 .B1 02 mov cl, 2
00456B07 .E8 FCBEFAFF call 00402A08
00456B0C .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00456B12 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456B18 .E8 1BBFFAFF call 00402A38
00456B1D .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456B23 .8B55 88 mov edx, dword ptr [ebp-78]
00456B26 .8A52 0E mov dl, byte ptr [edx+E]
00456B29 .8850 01 mov byte ptr [eax+1], dl
00456B2C .C600 01 mov byte ptr [eax], 1
00456B2F .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456B35 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456B3B .B1 03 mov cl, 3
00456B3D .E8 C6BEFAFF call 00402A08
00456B42 .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00456B48 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456B4E .E8 E5BEFAFF call 00402A38
00456B53 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456B59 .8B55 88 mov edx, dword ptr [ebp-78]
00456B5C .8A52 11 mov dl, byte ptr [edx+11]
00456B5F .8850 01 mov byte ptr [eax+1], dl
00456B62 .C600 01 mov byte ptr [eax], 1
00456B65 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456B6B .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456B71 .B1 04 mov cl, 4
00456B73 .E8 90BEFAFF call 00402A08
00456B78 .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00456B7E .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456B84 .E8 AFBEFAFF call 00402A38
00456B89 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456B8F .8B55 88 mov edx, dword ptr [ebp-78]
00456B92 .8A52 13 mov dl, byte ptr [edx+13]
00456B95 .8850 01 mov byte ptr [eax+1], dl
00456B98 .C600 01 mov byte ptr [eax], 1
00456B9B .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456BA1 .8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00456BA7 .B1 05 mov cl, 5
00456BA9 .E8 5ABEFAFF call 00402A08
00456BAE .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00456BB4 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456BBA .E8 2DD5FAFF call 004040EC
00456BBF .C685 7BFFFFFF>mov byte ptr [ebp-85], 1
00456BC6 .E9 D6000000 jmp 00456CA1
00456BCB >837D E8 03 cmp dword ptr [ebp-18], 3 ; still going: the `if m<3` filter (username longer than 10)
00456BCF .0F8D CC000000 jge 00456CA1
00456BD5 .8D85 70FFFFFF lea eax, dword ptr [ebp-90]
00456BDB .8B55 88 mov edx, dword ptr [ebp-78]
00456BDE .8A52 0B mov dl, byte ptr [edx+B] ; offsets 0Bh,0Eh,0Dh,06h into the alphabet spell "long"
00456BE1 .8850 01 mov byte ptr [eax+1], dl
00456BE4 .C600 01 mov byte ptr [eax], 1
00456BE7 .8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00456BED .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00456BF3 .E8 40BEFAFF call 00402A38
00456BF8 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456BFE .8B55 88 mov edx, dword ptr [ebp-78]
00456C01 .8A52 0E mov dl, byte ptr [edx+E]
00456C04 .8850 01 mov byte ptr [eax+1], dl ; same as above, identical,
00456C07 .C600 01 mov byte ptr [eax], 1
00456C0A .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456C10 .8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00456C16 .B1 02 mov cl, 2
00456C18 .E8 EBBDFAFF call 00402A08
00456C1D .8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00456C23 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456C29 .E8 0ABEFAFF call 00402A38
00456C2E .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456C34 .8B55 88 mov edx, dword ptr [ebp-78]
00456C37 .8A52 0D mov dl, byte ptr [edx+D]
00456C3A .8850 01 mov byte ptr [eax+1], dl
00456C3D .C600 01 mov byte ptr [eax], 1
00456C40 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456C46 .8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00456C4C .B1 03 mov cl, 3
00456C4E .E8 B5BDFAFF call 00402A08
00456C53 .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00456C59 .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456C5F .E8 D4BDFAFF call 00402A38
00456C64 .8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00456C6A .8B55 88 mov edx, dword ptr [ebp-78]
00456C6D .8A52 06 mov dl, byte ptr [edx+6]
00456C70 .8850 01 mov byte ptr [eax+1], dl
00456C73 .C600 01 mov byte ptr [eax], 1
00456C76 .8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00456C7C .8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00456C82 .B1 04 mov cl, 4
00456C84 .E8 7FBDFAFF call 00402A08
00456C89 .8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00456C8F .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456C95 .E8 52D4FAFF call 004040EC ; this address is written over and over ([ebp-84] is wr)
00456C9A .C685 7BFFFFFF>mov byte ptr [ebp-85], 1
00456CA1 >837D AC 14 cmp dword ptr [ebp-54], 14 ; a value: tr1 > 20 (14h) selects '~'
00456CA5 .7E 10 jle short 00456CB7
00456CA7 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456CAD .BA 506D4500 mov edx, 00456D50 ;~
00456CB2 .E8 69D2FAFF call 00403F20 ;:='~'
00456CB7 >837D A8 14 cmp dword ptr [ebp-58], 14 ; a value: tr2 > 20 selects '|'
00456CBB .7E 10 jle short 00456CCD
00456CBD .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456CC3 .BA 5C6D4500 mov edx, 00456D5C ;|
00456CC8 .E8 53D2FAFF call 00403F20 ;:='|'
00456CCD >6A 00 push 0 ; /Arg1 = 00000000
00456CCF .66:8B0D 606D4>mov cx, word ptr ; |
00456CD6 .8A95 7BFFFFFF mov dl, byte ptr [ebp-85] ; |tt is used here, so scroll back to see how it changes,
00456CDC .8B85 7CFFFFFF mov eax, dword ptr [ebp-84] ; |wr is used here; finally the last stop: the messageDlg(wr, tt, ..., 0) call from the source.
00456CE2 .E8 6D06FDFF call 00427354 ; \fonge's_.00427354
00456CE7 >33C0 xor eax, eax
00456CE9 .5A pop edx
00456CEA .59 pop ecx
00456CEB .59 pop ecx
00456CEC .64:8910 mov dword ptr fs:[eax], edx ; end of the giant try block
00456CEF .68 1C6D4500 push 00456D1C
00456CF4 >8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
00456CFA .BA 03000000 mov edx, 3
00456CFF .E8 A8D1FAFF call 00403EAC
00456D04 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456D0A .BA 09000000 mov edx, 9
00456D0F .E8 98D1FAFF call 00403EAC
00456D14 .C3 retn
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
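Added example, not part of the thread and not fonge's code: none of the error-path blocks above references a string literal. Each one builds wr one character at a time by loading a byte at a fixed displacement from the pointer in [ebp-78] and appending it. If that pointer is the `at` string from the source ('abcdefghijklmnopqrstuvwxyz', an assumption made here), the displacements 16h,11h,0Eh,0Dh,06h spell "wrong", 12h,07h,0Eh,11h,13h spell "short" and 0Bh,0Eh,0Dh,06h spell "long", which is why a string search of the binary finds nothing. The script below recovers such words from an OllyDbg listing; the excerpt it parses is constructed from the relevant lines of the listing above, and the names and regexes are the example's own.

```python
import re

AT = "abcdefghijklmnopqrstuvwxyz"   # the `at` string from the posted source

# Constructed excerpt: only the lines from the listing above that matter,
# one group per error message. Olly prints displacements in hex without a suffix.
SAMPLE_LISTING = """\
004568B5 .8A52 16 mov dl, byte ptr [edx+16]
004568D8 .8A52 11 mov dl, byte ptr [edx+11]
0045690E .8A52 0E mov dl, byte ptr [edx+E]
00456944 .8A52 0D mov dl, byte ptr [edx+D]
0045697A .8A52 06 mov dl, byte ptr [edx+6]
0045699C .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
004569A2 .E8 45D7FAFF call 004040EC
00456ACD .8A52 12 mov dl, byte ptr [edx+12]
00456AF0 .8A52 07 mov dl, byte ptr [edx+7]
00456B26 .8A52 0E mov dl, byte ptr [edx+E]
00456B5C .8A52 11 mov dl, byte ptr [edx+11]
00456B92 .8A52 13 mov dl, byte ptr [edx+13]
00456BB4 .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456BBA .E8 2DD5FAFF call 004040EC
00456BDE .8A52 0B mov dl, byte ptr [edx+B]
00456C01 .8A52 0E mov dl, byte ptr [edx+E]
00456C37 .8A52 0D mov dl, byte ptr [edx+D]
00456C6D .8A52 06 mov dl, byte ptr [edx+6]
00456C8F .8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00456C95 .E8 52D4FAFF call 004040EC
"""

# A one-character ShortString is built from the byte at at[off] ...
CHAR_LOAD = re.compile(r"mov dl, byte ptr \[edx\+([0-9A-Fa-f]+)\]")
# ... and the assembled string is finally stored into wr ([ebp-84]).
STORE_WR = re.compile(r"lea eax, dword ptr \[ebp-84\]")


def offsets_to_word(offsets, table=AT):
    """Map 0-based displacements into the alphabet string to a word."""
    return "".join(table[o] for o in offsets)


def word_to_offsets(word, table=AT):
    """Inverse: the displacements the compiler emits for each character."""
    return [table.index(c) for c in word]


def decode_hidden_strings(listing, table=AT):
    """Walk an OllyDbg listing, collect the byte loads that build the
    one-character strings, and emit a word each time wr is written."""
    words, pending = [], []
    for line in listing.splitlines():
        m = CHAR_LOAD.search(line)
        if m:
            pending.append(int(m.group(1), 16))
        elif STORE_WR.search(line) and pending:
            words.append(offsets_to_word(pending, table))
            pending = []
    return words


if __name__ == "__main__":
    for w in decode_hidden_strings(SAMPLE_LISTING):
        print(w, [hex(o) for o in word_to_offsets(w)])
```

The same idea works for any table: point `table` at whatever constant string the binary keeps (a charset, a format string, a resource) and the displacements decode themselves. The lesson for the defender side is the mirror image: a string that is never materialised in the image still has to be materialised in a register or on the stack, so the decoding cost for the analyst is one regex, not a cryptanalysis.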
How's that~
Not bad, eh! Makes me dizzy just looking at it... :$ I also feel it's like screen-flooding, heh~
Still,
it proves at least one thing:
verbose protection code is a headache too ;) I want to analyse it afterwards;
with the source code it is easier.
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, ExtCtrls, StdCtrls;
type
TForm1 = class(TForm)
GroupBox1: TGroupBox;
GroupBox2: TGroupBox;
GroupBox3: TGroupBox;
Edit1: TEdit;
Edit2: TEdit;
Label1: TLabel;
Button1: TButton;
Button2: TButton;
Panel1: TPanel;
Label2: TLabel;
Label3: TLabel;
Label4: TLabel;
GroupBox4: TGroupBox;
Label5: TLabel;
Label6: TLabel;
Label7: TLabel;
procedure Panel1Click(Sender: TObject);
procedure FormCreate(Sender: TObject);
procedure Button2Click(Sender: TObject);
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
procedure TForm1.Panel1Click(Sender: TObject);
begin
messageDlg('Actually, every boy originally wanted to be a good man, faithful in love.'+#13+#13+
'Actually, every boy originally looked at a girl''s face, not her chest.'+#13+#13+
'Actually, every boy originally never told dirty jokes.'+#13+#13+
'Actually, every boy originally longed to love one person for ever.'+#13+#13+
'It is just that no girl loves a boy like that;'+#13+#13+
'they think such a boy is too naive, too stiff, no fun at all.'+#13+#13+
'So the boy begins to change,'+#13+#13+
'into the kind girls like: a wicked smile at the corner of his mouth, cynical or witty;'+#13+#13+
'he learns to say sweet nothings instead of what he really means, learns to fake concern,'+#13+#13+
'learns to give a girl little trinkets to please her, learns how to pursue and how to hold on to love.'+#13+#13+
'Or he sees through it all, plays the field, and becomes the kind of man women hate.'+#13+#13+
'They can capture a girl''s heart easily,'+#13+#13+
'but they also weep in the dark of night with a cigarette between their lips.'+#13+#13+
'When there was love in their hearts there was no girl; once there is a girl, the feeling of love is gone for good.'+#13+#13+
'When they hear a woman complain that there is not a single good man in the world,'+#13+#13+
'they no longer try to be a good man; they just smile and walk on by.'+#13+#13+
'A promise is only another way of telling a lie, is it not?'+#13+#13+
'Actually... every boy changes because of a girl...'+#13+#13+
'So when a boy changes...'+#13+#13+
'the girl should bear some of the responsibility...',
mtInformation,,0)
end;
procedure TForm1.FormCreate(Sender: TObject);
begin
asm
mov eax,eax /// reserve space!
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
mov eax,eax
end;
end; /// in the final build the padding above is replaced by the code below: it checks whether the first byte of button1Click is CC (an int3 software breakpoint),
/// and only when no breakpoint is found does it enable the success path. Note what it does not cover: it inspects one byte, once, during FormCreate,
/// so a hardware breakpoint, a breakpoint on any later instruction of button1Click, or one set after the form has been created goes unnoticed.
00455E88 .50 push eax
00455E89 .A1 C45E4500 mov eax, dword ptr [455EC4] ; first dword of button1Click (operand decoded from the opcode bytes A1 C45E4500)
00455E8E .25 FF000000 and eax, 0FF
00455E93 .3C CC cmp al, 0CC
00455E95 .74 0A je short 00455EA1 ; breakpoint present: leave the shipped goto cz1 alone
00455E97 .C705 5F644500>mov dword ptr [45645F], 4 /// no breakpoint: rewrite the jmp displacement to 4 (skip the two mov eax,eax), turning goto cz1 into goto cz0
00455EA1 >58 pop eax
procedure TForm1.Button2Click(Sender: TObject);
begin
edit1.text:='';
edit2.Text:='';
end;
procedure TForm1.button1Click(Sender: TObject);
var
i,i1,i2,i3,i4,j,m,m1,m2,m3,n1,n2,n3,d1,d2,d3,b,b0,b1,j1,j2,
j3,b2,b3,ad0,ad1,ad2,ad3,ad4,ad,tr1,tr2,sum1,sum2:integer;
name,input,sn0,sn1,sn2,at,sh,ss,wr:string;
tt:TMsgDlgType;
label
cz1,cz0; /// classic jumps, used like a call!
begin
b:=0;
b2:=0;
b3:=0;
ad:=0;
ad0:=0;
ad1:=0;
ad2:=0;
ad3:=0;
ad4:=0;
d1:=0;
d2:=0;
d3:=0;
m:=0;
tr1:=1;
tr2:=1;
name:=edit1.text;
input:=edit2.text;
at:='abcdefghijklmnopqrstuvwxyz';
tt:=mtError; /// initialisation!
wr:=at+at+at+at+at;
if length(input)<5 then exit;
m:=m+1;
if length(name)<6 then goto cz1;
m:=m+1;
if length(name)>10 then goto cz1; /// basics: the serial must be at least 5 characters long and the username 6 to 10!
m:=m+1;
for i:=1 to length(name) do
begin
for j:=1 to length(name) do b:=b+ord(name)*ord(name) shr 6;
ad:=ad+b;
sn1:=sn1+inttostr(ad); /// the result of round one is sn1!
end;
for j1:=1 to length(sn1) do
begin
for j2:=1 to length(sn1) do b0:=b0+ord(sn1)*ord(sn1) shr 6;
ad0:=ad0+b0;
sn0:=sn0+inttostr(ad0); /// the result of round two is sn0!
end;
for n1:=1 to 16 do
begin
b1:=0;
if n1<5 then
begin
b1:=ord(sn1) xor ord(input);
end
else
begin /// positions 1-4 (4 chars) are compared in order and must match; ad1 counts the matches!
if n1>8 then
begin /// positions 9-16 are compared in order and must match!
b1:=ord(sn0) xor ord(input);
end
else
begin
b1:=ord(sn1) xor ord(input); /// positions 5-8 (4 chars) are compared in order, but at least one of them must fail!
end;
end;
try
begin
tr1:=length(input) div b1;
if n1>4 then
begin
if n1<9 then
begin
b3:=0;
sn2:='';
for i1:=5 to 8 do
begin
b3:=b3+ord(sn1)*ord(sn1); /// on a failed comparison in this second group, compute sn2, which is needed below!
sn2:=sn2+inttostr(b3);
end;
ad2:=ad2+1; /// ad2 must end up between 1 and 4!
end;
end;
end;
except
on eDivByZero do
ad1:=ad1+1; /// ad1 must end up in 12..16 (the cz1 filter range); used later!
end;
end; /// end of the first loop; sn1 is what takes part in it!
for j3:=1 to 11 do
begin
b2:=0;
if j3<5 then /// serial positions 17-20! the reference values come from different stages of the computation!
begin
if j3<3 then b2:=b2+(ord(sn1) xor ord(input)) else b2:=b2+
(ord(sn0) xor ord(input));
end
else
begin
if j3<9 then /// serial positions 21-24!
begin
if length(sn2)>4 then
begin
b2:=ord(sn2) xor ord(input);
ad3:=ad3+1; /// ad3 must be greater than 3!
end;
end
else
begin
b2:=ord(input) xor ord(sn0); /// must fail at least once!
end;
end;
try
begin
tr1:=length(input) div b2;
if j3>8 then
begin
d1:=ord(input) xor 34;
d2:=ord(input) xor 59;
d3:=ord(input) xor 62 ;
sh:=at+at+at;
tt:=mtInformation;
end;
end;
except
on eDivByZero do
ad4:=ad4+1; /// ad4 must be greater than 7
end;
end;
goto cz0;
asm
mov eax,eax
mov eax,eax /// space! after the build this jump is changed into goto cz1
end;
cz0:
begin
wr:=sh /// only when every condition holds is there a chance of the success dialog!
end;
cz1:
begin
if ad1<12 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad1>16 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad2<1 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad2>4 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad3<3 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad4<8 then
begin
wr:=at+at+at+at+at; /// flag filtering: one slip and it is all over!
tt:=mtError;
end;
if m<2 then
begin
wr:=at+at+at+at+at; /// these two filter on the username length!
tt:=mtError;
end
else
begin
if m<3 then
begin
wr:=at+at+at+at;
tt:=mtError;
end;
end;
if tr1>20 then wr:='~'; /// keeps tr1 live so Delphi does not optimise the try..except away!
if tr2>20 then wr:='|';
messageDlg(wr,tt,,0) ; /// show the dialog!
exit;
end;
end;
end.

This protection has no strong cipher, no fancy anti-debugging and no bizarre structures;
its strength lies mainly in how the pieces of the check interlock, each step guarding the next.
The whole routine changes direction through exception handling, so how do we tell whether a turn was right or wrong?
By flags, of course.
We trace the flags backwards, one step at a time:
Look here first
messageDlg(wr,tt,,0) ;
The WR and TT in it.
Keep going up to find the flags that affect WR and TT:
We find a fairly big block
cz1:
begin
if ad1<12 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad1>16 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad2<1 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad2>4 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad3<3 then
begin
wr:=at+at+at+at+at;
tt:=mtError;
end;
if ad4<8 then
begin
wr:=at+at+at+at+at; /// flag filtering: one slip and it is all over!
tt:=mtError;
end;
if m<2 then
begin
wr:=at+at+at+at+at; /// these two filter on the username length!
tt:=mtError;
end
else
begin
if m<3 then
begin
wr:=at+at+at+at;
tt:=mtError;
And of course there are two more pieces hidden inside it
try
begin
tr1:=length(input) div b2;
if j3>8 then
begin
d1:=ord(input) xor 34;
d2:=ord(input) xor 59;
d3:=ord(input) xor 62 ;
sh:=at+at+at;
tt:=mtInformation;
end;
end;
except
on eDivByZero do
ad4:=ad4+1; /// ad4 must be greater than 7
end;
end;
cz0:
begin
wr:=sh /// only when every condition holds is there a chance of the success dialog!
end;
If we now look further back,
I don't want to look any more:
it all goes into the code itself,
heh~
Of course, all of this was analysed while looking at the source;
with only the disassembly to go on, the trouble involved is easy to imagine,
that is, a complete analysis.
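Added example, an editor's reconstruction in Python rather than fonge's code or anything posted in the thread: the posted source lost its string subscripts when it was extracted (`ord(name)` was `ord(name[...])`), so every index below, the choice to start the uninitialised round-two accumulator b0 at 0, and the position map of the second loop (serial positions 17-27 against sn1, sn0 and sn2) are assumptions made to fit the comments, and a real keygen would have to confirm them in the debugger. What the model does reproduce faithfully is the mechanism the post describes: `length(input) div (a xor b)` raises EDivByZero exactly when the two characters match, the handlers count matches into ad1 and ad4, the cz1 filters gate on those counts, and the success message is reachable only through a mismatch in the last three positions. keygen() builds a serial that passes under these assumptions; a serial that matches every position fails, which is the trap the flag ranges set.

```python
# Editor's model of fonge's check; every string index is an assumption (see lead-in).
AT = "abcdefghijklmnopqrstuvwxyz"   # the `at` string from the posted source

def mix(s):
    """Assumed sn1/sn0 round: running sums of (ord(s[i])*ord(s[j])) shr 6 appended
    as decimal text. Delphi never initialises b0 for round two; 0 is assumed."""
    b, ad, out = 0, 0, ""
    for i in range(len(s)):
        for j in range(len(s)):
            b += (ord(s[i]) * ord(s[j])) >> 6
        ad += b
        out += str(ad)
    return out

def derive(name):
    """sn1 from the name, sn0 from sn1."""
    sn1 = mix(name)
    return sn1, mix(sn1)

def sn2_of(sn1):
    """sn2 from sn1[5..8] (Pascal 1-based); the original builds it only on a
    mismatch in serial positions 5..8."""
    b3, out = 0, ""
    for i1 in range(4, 8):
        b3 += ord(sn1[i1]) * ord(sn1[i1])
        out += str(b3)
    return out

def equal_by_divzero(a, b, n):
    """The trick: `n div (ord(a) xor ord(b))` raises only when the characters are
    identical, so equality is observed inside the except handler."""
    try:
        n // (ord(a) ^ ord(b))
        return False
    except ZeroDivisionError:
        return True

def check(name, serial):
    """Flag logic of button1Click; returns (success, flags)."""
    flags = {"m": 0, "ad1": 0, "ad2": 0, "ad3": 0, "ad4": 0, "tr1": 1}
    if len(serial) < 5:
        return False, flags            # `exit`: no dialog at all
    if len(serial) < 27:
        return False, flags            # original reads past the string; reject instead
    m = 1                              # m counts the length checks passed
    if len(name) >= 6:
        m = 2
        if len(name) <= 10:
            m = 3
    flags["m"] = m
    success = False
    if m == 3:                         # otherwise `goto cz1` skips both loops
        sn1, sn0 = derive(name)
        sn2, n = "", len(serial)
        for p in range(16):            # first loop, n1 = p + 1
            ref = sn1[p] if p < 8 else sn0[p]
            if equal_by_divzero(ref, serial[p], n):
                flags["ad1"] += 1      # EDivByZero handler
            else:
                flags["tr1"] = n // (ord(ref) ^ ord(serial[p]))
                if 4 <= p < 8:         # mismatch inside positions 5..8
                    flags["ad2"] += 1
                    sn2 = sn2_of(sn1)
        for q in range(11):            # second loop, j3 = q + 1, serial[17..27]
            if q < 2:
                ref = sn1[q]
            elif q < 4:
                ref = sn0[q]
            elif q < 8:
                if len(sn2) <= 4:      # b2 stays 0: a forced EDivByZero
                    flags["ad4"] += 1
                    continue
                ref = sn2[q - 4]
                flags["ad3"] += 1
            else:
                ref = sn0[q]
            if equal_by_divzero(ref, serial[16 + q], n):
                flags["ad4"] += 1
            else:
                flags["tr1"] = n // (ord(ref) ^ ord(serial[16 + q]))
                if q >= 8:
                    success = True     # only path to sh := at+at+at, tt := mtInformation
    # cz0 sets wr := sh, then the cz1 filters overwrite it on any failed flag
    wr = AT * 3 if success else ""
    tt = "mtInformation" if success else "mtError"
    if (not 12 <= flags["ad1"] <= 16 or not 1 <= flags["ad2"] <= 4
            or flags["ad3"] < 3 or flags["ad4"] < 8 or m < 3):
        wr, tt = AT * 5, "mtError"
    if flags["tr1"] > 20:
        wr = "~"
    return tt == "mtInformation" and wr == AT * 3, flags

def keygen(name):
    """Passing serial under the assumed map: exact characters everywhere except one
    forced mismatch in 5..8 (ad2 >= 1) and one in 25..27 (the success path)."""
    sn1, sn0 = derive(name)
    sn2 = sn2_of(sn1)
    s = list(sn1[:8] + sn0[8:16] + sn1[:2] + sn0[2:4] + sn2[:4] + sn0[8:11])
    for pos in (4, 25):
        s[pos] = chr(ord(s[pos]) ^ 0x40)   # xor 0x40 keeps n div b2 well under 21
    return "".join(s)
```

Run it as `check("abcdef", keygen("abcdef"))` with the constructed name "abcdef": the flags come out ad1 = 15, ad2 = 1, ad3 = 4, ad4 = 10 and the check passes, while the all-matching serial fails on ad2 = 0 and never reaches the success path. The mismatch characters are chosen with xor 0x40 so that `length(input) div b2` stays small; a mismatch whose xor is 1 with a long serial would trip the `tr1 > 20` trap and replace the message with '~'.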
And only recently did I realise that verbose code is also a form of anti-cracking :lol: Sorting out this thread made me dizzy; fonge, go and look at how I organised it in 《飘云阁论坛07版破解基础教》. If anything needs changing, say so soon. Today I read through fonge's source for the first time and still can't fully take it in.
In a word, fonge has a gift for protection! Worshipping...