姓名:llh001
电邮:[email protected]
密码:kgryyj4exu0m
截图:
汗,上边的邮件多了一个@,再来,信息如下图:
wang
[email protected]
jbv6m86b8ut6
算法不会啊 /:002
我的-----KEY
count: pyg
E-MAIL: [email protected]
SN: whha2rk45sfq
噢耶!
终于把算法流程搞出来了....
简单分析下吧........
邮箱名:[email protected]
注册码:1234567890
0040C810/$81EC 1C080000 sub esp, 81C ;在这下断,输入数据后点注册即可断下.
0040C816|.53 push ebx
0040C817|.55 push ebp
0040C818|.8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>;USER32.GetDlgItemTextW
.......省略N行
0040C836|.FFD5 call ebp ; \GetDlgItemTextW(取邮箱名)
0040C838|.8D9424 240400>lea edx, dword ptr ;邮箱名地址---》EDX
0040C83F|.52 push edx ; 邮箱名地址压栈
0040C840|.FF15 44814100 call dword ptr [<&MSVCRT.wcslen>] ; \wcslen(取邮箱名长度)
0040C846|.83C4 04 add esp, 4
0040C849|.83F8 04 cmp eax, 4 ;如果邮箱名长度不小于4就跳走
0040C84C 7D 1A jge short 0040C868
.......省略N行
0040C868|>56 push esi ;跳向这.
.......省略N行
0040C877|.E8 849BFFFF call 00406400 ;算法CALL,F7进入
.......省略N行
0040C892|.FFD5 call ebp ;取假码
0040C894|.66:837C24 2C >cmp word ptr , 0 ;判断假码是否为空
0040C89A|.8D7424 2C lea esi, dword ptr ;假码地址--》ESI
0040C89E|.8D7C24 2C lea edi, dword ptr ;假码地址--》EDI
0040C8A2|.74 48 je short 0040C8EC ;为空则跳
0040C8A4|.66:833E 00 cmp word ptr , 0 ;;判断ESI地址的值是否为空
0040C8A8|.8B2D 88814100 mov ebp, dword ptr [<&MSVCRT.iswspac>;msvcrt.iswspace
0040C8AE|.74 36 je short 0040C8E6 ;为空则跳
.......省略N行
0040C8E6|>8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>;USER32.GetDlgItemTextW
0040C8EC|>8D5424 10 lea edx, dword ptr
0040C8F0|.52 push edx ; /String2=真码
0040C8F1|.8D4424 30 lea eax, dword ptr ;
0040C8F5|.50 push eax ; |String1=假码
0040C8F6|.66:C707 0000mov word ptr , 0 ; |
0040C8FB|.FF15 E0804100 call dword ptr [<&KERNEL32.lstrcmpiW>>; \lstrcmpiW 比较。
0040C901|.85C0 test eax, eax ;相等则EAX=0。
.......省略N行
0040C905|.74 1A je short 0040C921 ;eax=0就跳向正确的地方
0040C877|.E8 849BFFFF call 00406400 ;算法CALL F7进入
00406400/$55 push ebp
......省略N行
0040647B|>53 push ebx ; /s
0040647C|.C607 00 mov byte ptr , 0 ; |;将字符串中的大写转成小写
0040647F|.FF15 68814100 call dword ptr [<&MSVCRT._strlwr>] ; \_strlwr
......省略N行
00406491|.51 push ecx ;邮箱名长度压栈
00406492|.53 push ebx ;邮箱名压栈
00406493|.E8 58FCFFFF call 004060F0 ;关键CALL,F7进入
我们现在F7进入上面的那个关键CALL.
00406493|.E8 58FCFFFF call 004060F0 ;关键CALL,F7进入
004060F0/$83EC 08 sub esp, 8
.......省略N行
00406125|>83F9 01 cmp ecx, 1 ;ECX-1
00406128|.57 push edi
00406129|.B8 D311EC47 mov eax, 47EC11D3 ;固定常数47EC11D3--->EAX
0040612E|.BA 507C923F mov edx, 3F927C50 ;固定常数3F927C50 -->EDX
00406133|.7E 1A jle short 0040614F ;ECX-1如果<=0就跳
00406135|.8D79 FF lea edi, dword ptr ;edi=1
[email protected]
68666C79 776F6C66 40707967 2E636F6D
00406138|> /8B4E 04 /mov ecx, dword ptr ;flow(ASCII值666C6F77)---> ECX
0040613B|. |51 |push ecx ;ECX压入堆栈
0040613C|. |8B0E |mov ecx, dword ptr ;ylfh(ASCII值796C6668)---> ECX
0040613E|. |51 |push ecx ;ECX压入堆栈
0040613F|. |52 |push edx ;3F927C50压入堆栈
00406140|. |50 |push eax ;47EC11D3压入堆栈
00406141|. |E8 8A000000 |call 004061D0 ;关键CALL F7进入(eax=A4306ECE,edx=126D93811)
00406146|. |83C4 10 |add esp, 10
00406149|. |83C6 08 |add esi, 8
0040614C|. |4F |dec edi
0040614D|.^\75 E9 \jnz short 00406138
.............
00406175|.8B4C24 14 mov ecx, dword ptr ;ecx=6D6F632E
00406179|.51 push ecx ;6D6F632E压栈
0040617A|.8B4C24 14 mov ecx, dword ptr ;ecx=67797040
0040617E|.51 push ecx ;67797040压栈
0040617F|.52 push edx ;126D93811压栈
00406180|.50 push eax ;A4306ECE压栈
00406181|.E8 4A000000 call 004061D0 ;关键CALL (eax=6A1B4395,edx=C744BEOF)
00406186|.8B6C24 30 mov ebp, dword ptr ;邮箱名长度到EBP
0040618A|.83C4 10 add esp, 10
0040618D|>55 push ebp ;邮箱名长度压栈
0040618E|.53 push ebx ;邮箱名压栈
0040618F|.52 push edx ;C744BEOF压栈
00406190|.50 push eax ;6A1B4395压栈
00406191|.E8 0A010000 call 004062A0 ;关键CALL,F7进入(eax=6A1B4395,edx=C744BEOF)
00406196|.8BF2 mov esi, edx ;返回这里.esi=4F119BDB
00406198|.8BF8 mov edi, eax ;EDI=2E63C942
0040619A|.8BCE mov ecx, esi ;ECX=4F119BDB
0040619C|.81E1 000000F0 and ecx, F0000000 ;ECX=4F119BDB AND F0000000 =40000000
004061A2|.33C0 xor eax, eax ;EAX=0
004061A4|.83C4 10 add esp, 10 ;ESP=12E944
004061A7|.0BC1 or eax, ecx ;EAX=0 OR 40000000 = 40000000
004061A9|.75 0F jnz short 004061BA ;上面OR不相等就跳
......省N行
004061BA|>8BC7 mov eax, edi ;跳到这里.eax=2E63C942
004061BD|.8BD6 mov edx, esi ;edx=4F119BDB
......省N行
004061C5\.C3 retn ;返回406498
---------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:(时间关系,就不管语法了.凑合着看吧)
EmailStr1=邮箱名
EmailLen1=邮箱名长度
sub_4060F0(EmailStr1,EmailLen1)
{
ebp = EmailLen1;
ecx = ebp+7;
ecx = ecx shr 3;
esi = (邮箱名的地址);
eax=固定常数47EC11D3;
edx=固定常数3F927C50;
if (ecx-1>0)
{ edi = ecx-1;
for(i=1;i<=edi;i++)
{
NUM1=邮箱名第1+(i-1)*8位到第i*8位字符逆序后的前4位字符的ASCII值;
NUM2=邮箱名第1+(i-1)*8位到第i*8位字符逆序后的后4位字符的ASCII值;
//不足8位补0。
sub_4061DO(eax,edx,NUM2,NUM1);//返回edx=126D93811,eax=A4306ECE.
esi = esi+8;//邮箱名截取前i*8字符以后的地址。
}
}
ecx=邮箱名地址;
ecx = ecx - esi;
ecx = ecx + (邮箱名长度);
edi = edi xor edi;
if (ecx-edi>0)
{
tNUM1 =邮箱名第1+(i-1)*8位到第i*8位字符逆序后的前4位字符的ASCII值;
tNUM2 =邮箱名第1+(i-1)*8位到第i*8位字符逆序后的后4位字符的ASCII值;
sub_4061DO(tNUM1,tNUM2,edx,eax);//返回edx=C744BE0F,eax=6A1B4395.
ebp=邮箱名长度;
ebx = 邮箱名地址
}
sub_4062A0(ebp,ebx,edx,eax);//返edx=4F119BDB,eax=2E63C942
esi = edx;
edx = eax;
ecx = esi;
ecx = ecx and F0000000;
eax = eax xor eax;
eax = eax or ecx;
if(eax=0)
{
sub_4063C0(esi,edi);//返回
eax = eax shl 1C;
esi = esi or eax;
}
eax = edi;
edx = esi;
retn edx/eax;
}
--------------------------------------------------------------------------------------------
继续F7跟进00406141处的CALL(由于多处调用这个CALL,时间关系,我就把这CALL的功能简单的描绘一下)
00406141|. |E8 8A000000 |call 004061D0 ;关键CALL F7进入
004061D0/$8B4424 10 mov eax, dword ptr ;flow(ASCII值666C6F77)---> EAX
004061D4|.8B4C24 0C mov ecx, dword ptr ;ylfh(ASCII值796C6668)---> ECX
004061D8|.53 push ebx ;12e96c压栈(存的是邮箱名)
004061D9|.55 push ebp ;邮箱名长度压栈(这里是9)
004061DA|.56 push esi ;12e96c压栈(存的是邮箱名)
004061DB|.57 push edi ;1压栈
004061DC|.50 push eax ;EAX压入堆栈
004061DD|.51 push ecx ;ECX压入堆栈
004061DE|.E8 3D000000 call 00406220 ;关键CALL F7跟入(eax==CC5956CA,edx=C7B4AAF2)
004061E3|.8B7424 20 mov esi, dword ptr ;返回这.esi=3F927C50
004061E7|.8B7C24 1C mov edi, dword ptr ;edi=47EC11D3
004061EB|.83C4 08 add esp, 898
004061EE|.56 push esi ;ESI压栈
004061EF|.57 push edi ;EDI入栈
004061F0|.52 push edx ;FFFFFFFFC7B4AAF2压栈
004061F1|.50 push eax ;FFFFFFFFCC5956CA压栈
004061F2|.E8 69000100 call 00416260 ;关键CALL F7跟入(eax==649DF27E,edx=DEED263E)
004061F7|.8BEA mov ebp, edx ;ebp=DEED263E
004061F9|.33D2 xor edx, edx ;edx=0
004061FB|.6A 01 push 1 ;1压栈
004061FD|.52 push edx ;0压栈
004061FE|.8BD8 mov ebx, eax ;ebx=eax=649DF27E
00406200|.52 push edx ;0压栈
00406201|.03DE add ebx, esi ;649DF27E+3F927C50=A4306ECE(ebx)
00406203|.57 push edi ;47EC11D3压
00406204|.13EA adc ebp, edx ;DEED263E+0=ebp
00406206|.E8 55000100 call 00416260 ;关键CALL F7跟入(eax=0,edx=47EC11D3)
0040620B|.03D8 add ebx, eax ;返回这里.ebx=A4306ECE
0040620D|.5F pop edi ;1出栈
0040620E|.13EA adc ebp, edx ;DEED263E+47EC11D3=126D93811(ebp)
00406210|.5E pop esi ;邮箱名出栈
00406211|.8BD5 mov edx, ebp ;edx=126D93811
00406213|.5D pop ebp ;邮箱名长度出栈
00406214|.8BC3 mov eax, ebx ;eax=ebx=A4306ECE
00406216|.5B pop ebx ;邮箱名出栈
00406217\.C3 retn ;返回406146
-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_4061DO(tEAX,tEDX,NUM2,NUM1)
{
EmailStr1=邮箱名;
EmailLen1=邮箱名长度;
tEsi = 邮箱名;
tEdi = 1;
NUM1=邮箱名前8位字符逆序后的前四位字符的ASCII值;
NUM2=邮箱名前8位字符逆序后的后四位字符的ASCII值;
sub_406220(EmailStr1,EmailLen1,tEsi,tEdi,NUM2,NUM1);//返回edx,eax.
bSum1 = tEDX;
bSum2 = tEAX;
bSum3 = edx;
bSum4 = eax;
sub_416262(bSum1,bSum2,bSum3,bSum4); //返回edx,eax.
bSum5 = edx;
edx = edx xor edx
bSum1 = 1;
bSum2 = edx;
bSum6 = eax;
bSum3 = edx;
bSum6 = bSum6 + tEDX;
bSum4 = tEAX;
adc bSum5,edx;
sub_416262(bSum1,bSum2,bSum3,bSum4); //返回edx,eax.
bSum6 = bSum6 + eax;
adc bSum5,edx;
edx = bSum5;
eax = bSum6;
RETN edx/eax;
}
-------------------------------------------------------------------------------------------
再继续F7跟入4061DE处的CALL(一样也是多处调用)
004061DE|.E8 3D000000 call 00406220 ;关键CALL F7跟入
00406220/$8B4424 04 mov eax, dword ptr ;ylfh(ASCII值796C6668)---> EAX
00406224|.8BC8 mov ecx, eax ;EAX---->ECX(即ECX=796C6668)
00406226|.56 push esi ;12e96c压栈(存的是邮箱名)
00406227|.8B7424 0C mov esi, dword ptr ;flow(ASCII值666C6F77)----> ESI=666C6F77
0040622B|.81E1 00000080 and ecx, 80000000 ;796C6668 AND 80000000 = ECX(00000000)
00406231|.57 push edi ;1压栈
00406232|.894C24 0C mov dword ptr , ecx ;ecx--->(12e918)
00406236|.8D0400 lea eax, dword ptr ;eax=eax*2(796C6668*2=F2D8CCD0)
00406239|.74 03 je short 0040623E ;跳转实现
0040623B|.83C8 01 or eax, 1
0040623E|>8BCE mov ecx, esi ;666C6F77--->ecx
00406240|.83E1 01 and ecx, 1 ;ecx and 1(即ecx=1)
00406243|.D1EE shr esi, 1 ;666C6F77 shr 1(即ESI = 333637BB)
00406245|.85C9 test ecx, ecx
00406247|.74 06 je short 0040624F ;跳转不实现
00406249|.81CE 00000080 or esi, 80000000 ;333637BB OR 80000000 = B33637BB(esi)
0040624F|>8BC8 mov ecx, eax ;F2D8CCD0-->ecx
00406251|.81E1 00010000 and ecx, 100 ;F2D8CCD0 and 100 (ecx =0)
00406257|.25 FFFEFFFF and eax, FFFFFEFF ;F2D8CCD0 and FFFFFEFF (eax = F2D8CCD0)
0040625C|.F7C6 00000002 test esi, 2000000
00406262|.74 05 je short 00406269 ;跳转不实现
00406264|.0D 00010000 or eax, 100 ;F2D8CCD0 or 100 (eax = F2D8CDD0)
00406269|>81E6 FFFFFFFD and esi, FDFFFFFF ;B33637BB and FDFFFFFF (esi =B13637BB)
0040626F|.85C9 test ecx, ecx
00406271|.74 06 je short 00406279 ;跳转实现
00406273|.81CE 00000002 or esi, 2000000
00406279|>6A 01 push 1 ;1入栈
0040627B|.6A 00 push 0 ;0入栈
0040627D|.6A 00 push 0 ;0入栈
0040627F|.50 push eax ;F2D8CDD0入栈
00406280|.E8 DBFF0000 call 00416260 ;关键CALLF7跟入
00406285|.8BC8 mov ecx, eax ;返回到此.ecx=0
00406287|.8BFA mov edi, edx ;edi=F2D8CDD0
00406289|.B8 858E8F7D mov eax, 7D8F8E85 ;eax=7D8F8E85
0040628E|.2BC1 sub eax, ecx ;eax-0=7D8F8E85
00406290|.BA C3788DBA mov edx, BA8D78C3 ;edx=BA8D78C3
00406295|.1BD7 sbb edx, edi ;BA8D78C3-F2D8CDD0=FFFFFFFFC7B4AAF3(edx)
00406297|.33C9 xor ecx, ecx ;ecx=0
00406299|.2BC6 sub eax, esi ;7D8F8E85-B13637BB=FFFFFFFFCC5956CA(eax)
0040629B|.5F pop edi ;1出栈
0040629C|.1BD1 sbb edx, ecx ;FFFFFFFFC7B4AAF3-1=FFFFFFFFC7B4AAF2(edx)
0040629E|.5E pop esi ;邮箱名出栈
0040629F\.C3 retn ;返回4061e3
-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_406220(EmailStr1,EmailLen1,tEsi,tEdi,NUM2,NUM1)
{
tNum1 = NUM2;
tNum2 = NUM1;
tNum1 = tNum1 and 80000000;
NUM2= NUM2 * 2;
tNum2 = tNum2 and 1
NUM1= NUM1 shr 1;
if (tNum2!=0)
NUM1= NUM1 or 80000000;
tNum2 = NUM2;
tNum2 = tNum2 and 100
NUM2= NUM2 and FFFFFEFF
if (NUM1!=0)
NUM2= NUM2 or 100
NUM1= NUM1 and FDFFFFFF
if (tNum2!=0)
NUM1 = NUM1 or 20000000
CALL 416260;
else
CALL 416260;
else
NUM1= NUM1 and FDFFFFFF
if (tNum2!=0)
NUM1 = NUM1 or 20000000
CALL 416260;
else
CALL 416260;
else
tNum2 = NUM2;
tNum2 = tNum2 and 100
NUM2= NUM2 and FFFFFEFF
if (NUM1!=0)
NUM2= NUM2 or 100
NUM1= NUM1 and FDFFFFFF
if (tNum2!=0)
NUM1 = NUM1 or 20000000
CALL 416260;
else
CALL 416260;
else
NUM1= NUM1 and FDFFFFFF
if (tNum2!=0)
NUM1 = NUM1 or 20000000
CALL 416260;
else
CALL 416260;
tNum2 = tSum1;
tNum3 = tSum3;
NUM2= 7D8F8E85;
NUM2= NUM2 - tNum2;
tNum4 = BA8D78C3;
sbb tNum4,tNum3;
tNum2 = tNum2 xor tNum2;
sub NUM2,NUM1;
sbb tNum4,tNum2;
retn edx/eax;
}
-------------------------------------------------------------------------------------------
继续F7跟入00406280的CALL(也是多处调用)
00406280|.E8 DBFF0000 call 00416260 ;关键CALL F7跟入
00416260/$8B4424 08 mov eax, dword ptr ;esp+8--->eax
00416264|.8B4C24 10 mov ecx, dword ptr ;esp+10--->ecx
00416268|.0BC8 or ecx, eax ;esp+10 or esp+8--->ecx
0041626A|.8B4C24 0C mov ecx, dword ptr ;esp+c--->ecx
0041626E|.75 09 jnz short 00416279 ;上面OR运算不相等变跳
00416279|>53 push ebx ;跳到这里。邮箱名压栈
0041627A|.F7E1 mul ecx ;ecx * eax (高16位放在EDX中,低16位放EAX中)
0041627C|.8BD8 mov ebx, eax ;eax--->ebx(0)
0041627E|.8B4424 08 mov eax, dword ptr ;eax=F2D8CDD0
00416282|.F76424 14 mul dword ptr ;1*F2D8CDD0=eax
00416286|.03D8 add ebx, eax ;ebx=F2D8CDD0
00416288|.8B4424 08 mov eax, dword ptr ;eax=F2D8CDD0
0041628C|.F7E1 mul ecx ;0*F2D8CDD0=eax
0041628E|.03D3 add edx, ebx ;edx=F2D8CDD0
00416290|.5B pop ebx ;邮箱名出栈
00416291\.C2 1000 retn 10 ;返回406285
-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_416260(sum1,sum2,sum3,sum4)
{
tSum1 = sum3;
tSum2 = sum1;
tSum2 = tSum2 or tSum1;
tSum2 = sum2;
mul tSum2,tSum1;
tSum3 = edx;
tSum1 = eax;
tSum4 = tSum1;
tSum1 = sum4;
mul dword ptr ,tSum1;
tSum3 = edx;
tSum1 = eax;
add tSum4,tSum1;
mul tSum2,tSum1;
add tSum3,tSum4;
retn tSum3/tSum1;
}
-------------------------------------------------------------------------------------------
再继续跟进
00406191|.E8 0A010000 call 004062A0 ;关键CALL,F7进入
004062A0/$8B5424 10 mov edx, dword ptr ;
....................................
00406300|.8B4424 14 mov eax, dword ptr ;eax=6D6F632E
00406304|.8B4C24 10 mov ecx, dword ptr ;ecx=67797040
00406308|.50 push eax ;6D6F632E压栈
00406309|.51 push ecx ;67797040压栈
0040630A|.E8 61000000 call 00406370 ;关键CALL,将字符串逆序输出ASCII值
0040630F|.52 push edx ;40707967压栈
00406310|.8B5424 2C mov edx, dword ptr ;edx=C744BEOF
00406314|.50 push eax ;2E636F6D压栈
00406315|.8B4424 2C mov eax, dword ptr ;eax=C7E38780
00406319|.52 push edx ;C744BEOF压栈
0040631A|.50 push eax ;6A1B4395压栈
0040631B|.E8 B0FEFFFF call 004061D0 ;关键CALL,F7(eax=AA75349,edx=60CFF171)
00406320|.83C4 18 add esp, 18
00406323|.8BF0 mov esi, eax ;ESI=AA75349
00406325|.8BFA mov edi, edx ;EDI=60CFF171
00406327|.83EB 08 sub ebx, 8
0040632A|.EB 08 jmp short 00406334
0040632C|>8B7C24 20 mov edi, dword ptr
00406330|.8B7424 1C mov esi, dword ptr
00406334|>3BEB cmp ebp, ebx ;EBP-EBX
00406336|.77 23 ja short 0040635B ;高于则跳
00406338|>8B4B 04 /mov ecx, dword ptr ;ecx=666C6F77
0040633B|.8B13 |mov edx, dword ptr ;edx=796C6668
0040633D|.51 |push ecx ;666C6F77(压栈)
0040633E|.52 |push edx ;796C6668(压栈)
0040633F|.E8 2C000000 |call 00406370 ;关键CALL,F7进入(eax=776F6C66,edx=68666C79)
00406344|.52 |push edx ;68666C79压栈
00406345|.50 |push eax ;776F6C66压栈
00406346|.57 |push edi ;60CFF171压栈
00406347|.56 |push esi ;AA75349压栈
00406348|.E8 83FEFFFF |call 004061D0 ;关键CALL F7(eax=2E63C942,edx=4F119BDB)
0040634D|.83EB 08 |sub ebx, 8 ;EBX=12E964
00406350|.83C4 18 |add esp, 18 ;ESP=12E918
00406353|.3BDD |cmp ebx, ebp ;EBX-EBP(12E964-12E96C)
00406355|.8BF0 |mov esi, eax ;ESI=2E63C942
00406357|.8BFA |mov edi, edx ;EDI=4F119BDB
00406359|.^ 73 DD \jnb short 00406338 ;不低于就跳
0040635B|>8BD7 mov edx, edi ;edx=4F119BDB
0040635E|.8BC6 mov eax, esi ;eax=2E63C942
00406366\.C3 retn ;返回406196
-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_4062A0(tebp,tebx,tedx,teax)
{
edx=(邮箱名长度);
eax = edx+7;
eax = eax shr 3;
ebp = 邮箱名地址;
ebx = ebp+eax*8-8;
ecx = 邮箱名地址;
ecx = ecx-ebx;
ecx = ecx+edx;
eax = eax xor eax;
if (ecx-eax>0)
{
eax =邮箱名第1+(i-1)*8位到第i*8位字符逆序后的前4位字符的ASCII值;
ecx =邮箱名第1+(i-1)*8位到第i*8位字符逆序后的后4位字符的ASCII值;
sub_406370(eax,ecx) //返回EAX对应的字符串逆序后的ASCII值,edx对应的字符串逆序后的ASCII值
lNum1 = tedx;
lNum2 = teax;
sub_4061DO(edx,eax,lNum1,lNum2)//返回edx=60CFF171,eax=AA75349.
esi = eax;
edi = edx;
ebx = ebx-8//邮箱名地址。
}
else
{
edi = tedx;
esi = teax;
}
if(ebp-ebx<=0)
{
i=1
do
{
edx = 邮箱名第1+(i-1)*4位到第i*4位字符的ASCII值;
eax = 邮箱名第1+i*4位到第(i+1)*4位字符的ASCII值;
sub_4061D0(edx,eax,edi,esi);//返回edx=4F119BDB,eax=2E63C942
ebx = ebx-8;
esi = eax;
edi = edx;
}
while(ebx-ebp>=0)
{
i= i+1;
}
}
edx = edi;
eax = esi;
retn edx/eax;
}
-------------------------------------------------------------------------------------------
以上的分析就是call 004060F0的内容了.
此时返回的值为
eax=B2E63C942
edx=4F119BDB
00406498|.8BDA mov ebx, edx ;返回这里.ebx=4F119BDB
0040649A|.6A 21 push 21 ;21入栈
0040649C|.8D55 B0 lea edx, dword ptr ;edx=12e984
0040649F|.52 push edx ;12e984入栈
004064A0|.8BF8 mov edi, eax ;edi=2E63C942
004064A2|.53 push ebx ;4F119BDB入栈
004064A3|.57 push edi ;2E63C942入栈
004064A4|.FF15 64814100 call dword ptr [<&MSVCRT._ui64tow>] ;将整数转换成ASCII值
我们F7跟进004064A4的CALL...
004064A4|.FF15 64814100 call dword ptr [<&MSVCRT._ui64tow>] ;将整数转换成ASCII值
77BEC4C1 >8BFF mov edi, edi ;edi=2E63C942
77BEC4C3 55 push ebp ;ebp入栈
77BEC4C4 8BEC mov ebp, esp ;ebp=esp
77BEC4C6 8B45 10 mov eax, dword ptr ;eax=
77BEC4C9 6A 00 push 0 ;0入栈
77BEC4CB FF75 14 push dword ptr ;21入栈
77BEC4CE FF75 0C push dword ptr ;4F119BDB入栈
77BEC4D1 FF75 08 push dword ptr ;2E63C942入栈
77BEC4D4 E8 33FFFFFF call 77BEC40C ;关键CALL进入
77BEC4D9 8B45 10 mov eax, dword ptr
77BEC4DC 5D pop ebp
77BEC4DD C3 retn
-------------------------------------------------------------------------------
上面的CALL大概意思就是
sub_ui64tow(0,21,eax,ebx)
{//eax=B2E63C942
//edx=4F119BDB
while(eax=0 || ebx=0)
{
tmp1 = edx;
tmp2 = eax;
eax = edx;
eax = eax / 21;
ebx = eax;
eax = tmp2;
eax = eax / 21;
esi = eax;
edx = tmp2;
edx = edx % 21;
eax = ebx;
eax = eax * 21;
ecx = eax;
eax = esi;
eax = eax * 21;
edx = edx + ecx
eax = eax -tmp1;
sbb edx,tmp2; edx =
neg edx; //edx按位求反再加上CF标志位值
neg eax; //eax按位求反再加上CF标志位值
sbb edx,0;
ecx = edx;
edx = ebx;
ebx = ecx;
ecx = eax;
eax = esi;
if(ecx-9<=0)
{ecx = ecx+30;
CodeStr = CodeStr & itoa(ecx)}
else
{
ecx = ecx+57
CodeStr = CodeStr & itoa(ecx)
}
}
例如:
eax=4F119BDB / 21 =26561D0
edx=B2E63C942 / 21 =56BD34A4
ecx =B2E63C942 % 21 = 1E
1E-9=15>0
1E+57=75(u)
经过以上循环.
CodeStr = "3do0n4ka1wt5u"
-----------------------------------------------------------------------------------------------
004064AA|.8D45 B0 lea eax, dword ptr
004064AD|.50 push eax
004064AE|.E8 6D000000 call 00406520 ;对字串前两位分析进行处理(谢谢nietsme兄弟的指出错误)
经过call 00406520 后
CodeStr = "do0n4ka1wt5u"
004064C2|>8BCA /mov ecx, edx
004064C4|.81E1 FFFF0000 |and ecx, 0FFFF
004064CA|.83F9 69 |cmp ecx, 69 ;Switch (cases 69..6F)
004064CD|.74 18 |je short 004064E7
004064CF|.83F9 6C |cmp ecx, 6C
004064D2|.74 0C |je short 004064E0
004064D4|.83F9 6F |cmp ecx, 6F
004064D7|.75 13 |jnz short 004064EC
004064D9|.BA 7A000000 |mov edx, 7A ;Case 6F ('o') of switch 004064CA
004064DE|.EB 0C |jmp short 004064EC
004064E0|>BA 79000000 |mov edx, 79 ;Case 6C ('l') of switch 004064CA
004064E5|.EB 05 |jmp short 004064EC
004064E7|>BA 78000000 |mov edx, 78 ;Case 69 ('i') of switch 004064CA
004064EC|>66:8916 |mov word ptr , dx ;Default case of switch 004064CA
004064EF|.66:8B56 02 |mov dx, word ptr
004064F3|.83C6 02 |add esi, 2
004064F6|.66:85D2 |test dx, dx
004064F9|.^ 75 C7 \jnz short 004064C2
.....省略N行
00406516\.C3 retn
以上这段循环的意思如下:
如果字符串的字符的ASCALL值等于69(i)就换成78(x)
如果是6C(l)就换成79(y)
如果是6F(o)就换成7A(z)
例如:CodeStr = "do0n4ka1wt5u"
第二位的字符为o(6F)所以要转换成z(7A)
CodeStr = "dz0n4ka1wt5u"
所以注册码为"dz0n4ka1wt5u"
水平有限...只能成这样子了.好像有点烦琐.....
BTW:谢谢nietsme 兄指出错误之处...粗心了,应该再耐心一点点...
楼上很强悍,学习了
原帖由 孤漂江湖狼 于 2008-9-11 18:30 发表
楼上很强悍,学习了
自已分析出来好明了的.没想将流程分析写出来却这么烦琐...
也不知道说的是否明了....
表达能力+文字功底太差....
只能凑合着看吧...
强悍,我跟了好久都没结果。谢谢楼上!
原帖由 hflywolf 于 2008-9-11 18:25 发表
终于把算法流程搞出来了....
简单分析下吧........
邮箱名:[email protected]
注册码:12345678900040C810/$81EC 1C080000 sub esp, 81C ;在这下断,输入 ...
这位好强悍,我搞了很久才搞出冰山一角,我要继续努力努力努力努力努力努力~~~ 还是15楼强,服了你了!看来学算法必须有点耐心。