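Hex Comparison 1.82 Algorithm Analysis
This post was last edited by 老万 on 2010-6-2 20:35
[Target program] Hex Comparison 1.82
[Download URL] http://exeicon.com/hex-comparison/
[Purpose] A few of my own notes, shared with everyone
[Analysis]
1. Packer check with PEiD: ASPack 2.001 -> Alexey Solodovnikov
2. Unpacking: unpack with the ESP-law method, fix imports with ImportREC (OEP: 00001450, RVA: 00881304, size: D44); after unpacking it shows: Borland C++ 1999
3. Find the button event with DeDe: 0040D28C
4. Analyze the algorithm
Enter the registration info, Email: [email protected], registration code: 1234567890, and go straight to the key part:
0040D28C/.55 PUSH EBP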
0040D28D|.8BEC MOV EBP,ESP
0040D28F|.81C4 64FFFFFF ADD ESP,-9C
0040D295|.8995 74FFFFFF MOV DWORD PTR SS:,EDX
0040D29B|.8985 78FFFFFF MOV DWORD PTR SS:,EAX
0040D2A1|.B8 9C1B4D00 MOV EAX,dumped_.004D1B9C
0040D2A6|.E8 193E0B00 CALL dumped_.004C10C4
0040D2AB|.8B15 C0924D00 MOV EDX,DWORD PTR DS:
0040D2B1|.8A8A CC040000 MOV CL,BYTE PTR DS:
0040D2B7|.84C9 TEST CL,CL
0040D2B9|.0F85 7B060000 JNZ dumped_.0040D93A
0040D2BF|.66:C745 8C 08>MOV WORD PTR SS:,8
0040D2C5|.8D45 FC LEA EAX,DWORD PTR SS:
0040D2C8|.E8 4B46FFFF CALL dumped_.00401918
0040D2CD|.8BD0 MOV EDX,EAX
0040D2CF|.FF45 98 INC DWORD PTR SS:
0040D2D2|.8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0040D2D8|.8B81 F0020000 MOV EAX,DWORD PTR DS:
0040D2DE|.E8 E18C0600 CALL dumped_.00475FC4 ;get email length
0040D2E3|.8D55 FC LEA EDX,DWORD PTR SS:
0040D2E6|.FF32 PUSH DWORD PTR DS: ;email address
0040D2E8|.8D45 F8 LEA EAX,DWORD PTR SS:
0040D2EB|.E8 2846FFFF CALL dumped_.00401918
0040D2F0|.8BD0 MOV EDX,EAX
0040D2F2|.FF45 98 INC DWORD PTR SS:
0040D2F5|.58 POP EAX ;email
0040D2F6|.E8 15E90900 CALL dumped_.004ABC10
0040D2FB|.8D55 F8 LEA EDX,DWORD PTR SS:
0040D2FE|.8B12 MOV EDX,DWORD PTR DS:
0040D300|.8B85 78FFFFFF MOV EAX,DWORD PTR SS:
0040D306|.8B80 F0020000 MOV EAX,DWORD PTR DS:
0040D30C|.E8 E38C0600 CALL dumped_.00475FF4
0040D311|.FF4D 98 DEC DWORD PTR SS:
0040D314|.8D45 F8 LEA EAX,DWORD PTR SS:
0040D317|.BA 02000000 MOV EDX,2
0040D31C|.E8 CBDE0B00 CALL dumped_.004CB1EC
0040D321|.FF4D 98 DEC DWORD PTR SS:
0040D324|.8D45 FC LEA EAX,DWORD PTR SS:
0040D327|.BA 02000000 MOV EDX,2
0040D32C|.E8 BBDE0B00 CALL dumped_.004CB1EC
0040D331|.66:C745 8C 14>MOV WORD PTR SS:,14
0040D337|.8D45 F4 LEA EAX,DWORD PTR SS:
0040D33A|.E8 D945FFFF CALL dumped_.00401918
0040D33F|.8BD0 MOV EDX,EAX
0040D341|.FF45 98 INC DWORD PTR SS:
0040D344|.8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0040D34A|.8B81 FC020000 MOV EAX,DWORD PTR DS:
0040D350|.E8 6F8C0600 CALL dumped_.00475FC4
0040D355|.8D55 F4 LEA EDX,DWORD PTR SS:
0040D358|.FF32 PUSH DWORD PTR DS: ;fake registration code
0040D35A|.8D45 F0 LEA EAX,DWORD PTR SS:
0040D35D|.E8 B645FFFF CALL dumped_.00401918
0040D362|.8BD0 MOV EDX,EAX
0040D364|.FF45 98 INC DWORD PTR SS:
0040D367|.58 POP EAX
0040D368|.E8 A3E80900 CALL dumped_.004ABC10
0040D36D|.8D55 F0 LEA EDX,DWORD PTR SS:
0040D370|.8B12 MOV EDX,DWORD PTR DS:
0040D372|.8B85 78FFFFFF MOV EAX,DWORD PTR SS:
0040D378|.8B80 FC020000 MOV EAX,DWORD PTR DS:
0040D37E|.E8 718C0600 CALL dumped_.00475FF4
0040D383|.FF4D 98 DEC DWORD PTR SS:
0040D386|.8D45 F0 LEA EAX,DWORD PTR SS:
0040D389|.BA 02000000 MOV EDX,2
0040D38E|.E8 59DE0B00 CALL dumped_.004CB1EC
0040D393|.FF4D 98 DEC DWORD PTR SS:
0040D396|.8D45 F4 LEA EAX,DWORD PTR SS:
0040D399|.BA 02000000 MOV EDX,2
0040D39E|.E8 49DE0B00 CALL dumped_.004CB1EC
0040D3A3|.66:C745 8C 20>MOV WORD PTR SS:,20
0040D3A9|.8D45 EC LEA EAX,DWORD PTR SS:
0040D3AC|.E8 6745FFFF CALL dumped_.00401918
0040D3B1|.8BD0 MOV EDX,EAX
0040D3B3|.FF45 98 INC DWORD PTR SS:
0040D3B6|.8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0040D3BC|.8B81 F0020000 MOV EAX,DWORD PTR DS:
0040D3C2|.E8 FD8B0600 CALL dumped_.00475FC4
0040D3C7|.8D45 EC LEA EAX,DWORD PTR SS:
0040D3CA|.E8 7945FFFF CALL dumped_.00401948
0040D3CF|.83F8 03 CMP EAX,3 ;compare email length with 3
0040D3D2|.7C 6D JL SHORT dumped_.0040D441
0040D3D4|.8D45 E8 LEA EAX,DWORD PTR SS:
0040D3D7|.E8 3C45FFFF CALL dumped_.00401918
0040D3DC|.8BD0 MOV EDX,EAX
0040D3DE|.FF45 98 INC DWORD PTR SS:
0040D3E1|.8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0040D3E7|.8B81 F0020000 MOV EAX,DWORD PTR DS:
0040D3ED|.E8 D28B0600 CALL dumped_.00475FC4
0040D3F2|.8D55 E8 LEA EDX,DWORD PTR SS:
0040D3F5|.52 PUSH EDX
0040D3F6|.BA 0E104D00 MOV EDX,dumped_.004D100E
0040D3FB|.8D45 E4 LEA EAX,DWORD PTR SS:
0040D3FE|.E8 89DC0B00 CALL dumped_.004CB08C
0040D403|.FF45 98 INC DWORD PTR SS:
0040D406|.8D55 E4 LEA EDX,DWORD PTR SS:
0040D409|.58 POP EAX
0040D40A|.E8 F1DF0B00 CALL dumped_.004CB400
0040D40F|.85C0 TEST EAX,EAX
0040D411|.0F94C1 SETE CL
0040D414|.83E1 01 AND ECX,1
0040D417|.51 PUSH ECX
0040D418|.FF4D 98 DEC DWORD PTR SS:
0040D41B|.8D45 E4 LEA EAX,DWORD PTR SS:
0040D41E|.BA 02000000 MOV EDX,2
0040D423|.E8 C4DD0B00 CALL dumped_.004CB1EC
0040D428|.FF4D 98 DEC DWORD PTR SS: ; |
0040D42B|.8D45 E8 LEA EAX,DWORD PTR SS: ; |
0040D42E|.BA 02000000 MOV EDX,2 ; |
0040D433|.E8 B4DD0B00 CALL dumped_.004CB1EC ; \dumped_.004CB1EC
0040D438|.59 POP ECX
0040D439|.85C9 TEST ECX,ECX
0040D43B|.75 04 JNZ SHORT dumped_.0040D441
0040D43D|.33C0 XOR EAX,EAX
0040D43F|.EB 05 JMP SHORT dumped_.0040D446
0040D441|>B8 01000000 MOV EAX,1
0040D446|>50 PUSH EAX ; /Arg1
0040D447|.FF4D 98 DEC DWORD PTR SS: ; |
0040D44A|.8D45 EC LEA EAX,DWORD PTR SS: ; |
0040D44D|.BA 02000000 MOV EDX,2 ; |
0040D452|.E8 95DD0B00 CALL dumped_.004CB1EC ; \dumped_.004CB1EC
0040D457|.59 POP ECX
0040D458|.84C9 TEST CL,CL
0040D45A|.74 3F JE SHORT dumped_.0040D49B
0040D45C|.66:C745 8C 2C>MOV WORD PTR SS:,2C
0040D462|.BA 10104D00 MOV EDX,dumped_.004D1010 ;ASCII "Please input your Email address!"
0040D467|.8D45 E0 LEA EAX,DWORD PTR SS:
0040D46A|.E8 1DDC0B00 CALL dumped_.004CB08C
0040D46F|.FF45 98 INC DWORD PTR SS:
0040D472|.8B00 MOV EAX,DWORD PTR DS:
0040D474|.E8 B72E0600 CALL dumped_.00470330
0040D479|.FF4D 98 DEC DWORD PTR SS:
0040D47C|.8D45 E0 LEA EAX,DWORD PTR SS:
0040D47F|.BA 02000000 MOV EDX,2
0040D484|.E8 63DD0B00 CALL dumped_.004CB1EC
0040D489|.8B8D 7CFFFFFF MOV ECX,DWORD PTR SS:
0040D48F|.64:890D 00000>MOV DWORD PTR FS:,ECX
0040D496|.E9 B7040000 JMP dumped_.0040D952
0040D49B|>66:C745 8C 44>MOV WORD PTR SS:,44
0040D4A1|.8D45 D8 LEA EAX,DWORD PTR SS:
0040D4A4|.E8 6F44FFFF CALL dumped_.00401918
0040D4A9|.8BD0 MOV EDX,EAX
0040D4AB|.FF45 98 INC DWORD PTR SS:
0040D4AE|.8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0040D4B4|.8B81 F0020000 MOV EAX,DWORD PTR DS:
0040D4BA|.E8 058B0600 CALL dumped_.00475FC4
0040D4BF|.8D55 D8 LEA EDX,DWORD PTR SS:
0040D4C2|.52 PUSH EDX
0040D4C3|.8D45 DC LEA EAX,DWORD PTR SS:
0040D4C6|.E8 4D44FFFF CALL dumped_.00401918
0040D4CB|.8BD0 MOV EDX,EAX
0040D4CD|.FF45 98 INC DWORD PTR SS:
0040D4D0|.58 POP EAX
0040D4D1|.E8 4EDF0B00 CALL dumped_.004CB424
0040D4D6|.FF4D 98 DEC DWORD PTR SS:
0040D4D9|.8D45 D8 LEA EAX,DWORD PTR SS:
0040D4DC|.BA 02000000 MOV EDX,2
0040D4E1|.E8 06DD0B00 CALL dumped_.004CB1EC
0040D4E6|.66:C745 8C 38>MOV WORD PTR SS:,38
0040D4EC|.8D45 DC LEA EAX,DWORD PTR SS:
0040D4EF|.E8 5444FFFF CALL dumped_.00401948 ;convert email from lowercase to uppercase
0040D4F4|.8985 70FFFFFF MOV DWORD PTR SS:,EAX
0040D4FA|.8B95 70FFFFFF MOV EDX,DWORD PTR SS:
0040D500|.42 INC EDX
0040D501|.52 PUSH EDX ; /Arg1
0040D502|.E8 152C0B00 CALL dumped_.004C011C ; \dumped_.004C011C
0040D507|.59 POP ECX
0040D508|.8985 6CFFFFFF MOV DWORD PTR SS:,EAX
0040D50E|.8D45 DC LEA EAX,DWORD PTR SS:
0040D511|.E8 5644FFFF CALL dumped_.0040196C
0040D516|.50 PUSH EAX ; /Arg2
0040D517|.FFB5 6CFFFFFF PUSH DWORD PTR SS: ; |Arg1
0040D51D|.E8 36390B00 CALL dumped_.004C0E58 ; \dumped_.004C0E58
0040D522|.83C4 08 ADD ESP,8
0040D525|.33D2 XOR EDX,EDX
0040D527|.8995 68FFFFFF MOV DWORD PTR SS:,EDX
0040D52D|.8B8D 68FFFFFF MOV ECX,DWORD PTR SS:
0040D533|.8B85 70FFFFFF MOV EAX,DWORD PTR SS:
0040D539|.3BC8 CMP ECX,EAX
0040D53B|.7D 3B JGE SHORT dumped_.0040D578
0040D53D|>8B95 6CFFFFFF /MOV EDX,DWORD PTR SS: ;load email into EDX
0040D543|.8B8D 68FFFFFF |MOV ECX,DWORD PTR SS:
0040D549|.0FBE040A |MOVSX EAX,BYTE PTR DS: ;load the ASCII codes of the email into EAX one by one
0040D54D|.83F8 2E |CMP EAX,2E ;check whether it is "."
0040D550|.75 10 |JNZ SHORT dumped_.0040D562
0040D552|.8B95 6CFFFFFF |MOV EDX,DWORD PTR SS:
0040D558|.8B8D 68FFFFFF |MOV ECX,DWORD PTR SS:
0040D55E|.C6040A 40 |MOV BYTE PTR DS:,40 ;if it is ".", replace "." with "@"
0040D562|>FF85 68FFFFFF |INC DWORD PTR SS:
0040D568|.8B85 68FFFFFF |MOV EAX,DWORD PTR SS:
0040D56E|.8B95 70FFFFFF |MOV EDX,DWORD PTR SS:
0040D574|.3BC2 |CMP EAX,EDX
0040D576|.^ 7C C5 \JL SHORT dumped_.0040D53D
0040D578|>66:C745 8C 50>MOV WORD PTR SS:,50
0040D57E|.8D45 D4 LEA EAX,DWORD PTR SS:
0040D581|.8B95 6CFFFFFF MOV EDX,DWORD PTR SS:
0040D587|.E8 00DB0B00 CALL dumped_.004CB08C
0040D58C|.8BD0 MOV EDX,EAX
0040D58E|.FF45 98 INC DWORD PTR SS:
0040D591|.8D45 DC LEA EAX,DWORD PTR SS:
0040D594|.E8 83DC0B00 CALL dumped_.004CB21C
0040D599|.FF4D 98 DEC DWORD PTR SS:
0040D59C|.8D45 D4 LEA EAX,DWORD PTR SS:
0040D59F|.BA 02000000 MOV EDX,2
0040D5A4|.E8 43DC0B00 CALL dumped_.004CB1EC
0040D5A9|.66:C745 8C 5C>MOV WORD PTR SS:,5C
0040D5AF|.8D45 D0 LEA EAX,DWORD PTR SS:
0040D5B2|.E8 6143FFFF CALL dumped_.00401918
0040D5B7|.8BD0 MOV EDX,EAX
0040D5B9|.FF45 98 INC DWORD PTR SS:
0040D5BC|.8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0040D5C2|.8B81 FC020000 MOV EAX,DWORD PTR DS:
0040D5C8|.E8 F7890600 CALL dumped_.00475FC4
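0040D5CD|.8D45 D0 LEA EAX,DWORD PTR SS: ;fake registration code
0040D5D0|.8D55 DC LEA EDX,DWORD PTR SS: ;transformed email address
0040D5D3|.E8 28DE0B00 CALL dumped_.004CB400 ;check whether the leading part of the registration code is the transformed email address; if not, show the invalid registration code error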
0040D5D8|.85C0 TEST EAX,EAX
0040D5DA|.0F94C1 SETE CL
0040D5DD|.83E1 01 AND ECX,1
0040D5E0|.51 PUSH ECX ; /Arg1
0040D5E1|.FF4D 98 DEC DWORD PTR SS: ; |
0040D5E4|.8D45 D0 LEA EAX,DWORD PTR SS: ; |
0040D5E7|.BA 02000000 MOV EDX,2 ; |
0040D5EC|.E8 FBDB0B00 CALL dumped_.004CB1EC ; \dumped_.004CB1EC
0040D5F1|.59 POP ECX
0040D5F2|.84C9 TEST CL,CL
0040D5F4|.74 4F JE SHORT dumped_.0040D645
0040D5F6|.66:C745 8C 68>MOV WORD PTR SS:,68
0040D5FC|.BA 31104D00 MOV EDX,dumped_.004D1031 ;ASCII "Your registration code is invalid! Please confirm you have gotten the lastest version."
0040D601|.8D45 CC LEA EAX,DWORD PTR SS:
Adjust the registration info, Email: [email protected], registration code: LAOWAN@163@COM123456789012345678901234567890,
and continue:
0040D684|.E8 3B890600 CALL dumped_.00475FC4
0040D689|.8D55 C8 LEA EDX,DWORD PTR SS:
0040D68C|.FF32 PUSH DWORD PTR DS: ; /fake registration code
0040D68E|.E8 09DFFFFF CALL dumped_.0040B59C ; \algorithm, step in with F7
0040D693|.59 POP ECX
0040D694|.8B0D C0924D00 MOV ECX,DWORD PTR DS:
0040D69A|.8881 CC040000 MOV BYTE PTR DS:,AL
0040D6A0|.FF4D 98 DEC DWORD PTR SS:
0040D6A3|.8D45 C8 LEA EAX,DWORD PTR SS:
0040D6A6|.BA 02000000 MOV EDX,2
0040D6AB|.E8 3CDB0B00 CALL dumped_.004CB1EC
0040D6B0|.8B0D C0924D00 MOV ECX,DWORD PTR DS:
0040D6B6|.8A81 CC040000 MOV AL,BYTE PTR DS:
0040D6BC|.84C0 TEST AL,AL
0040D6BE|.0F84 47020000 JE dumped_.0040D90B ;key jump
0040D6C4|.66:C745 8C 80>MOV WORD PTR SS:,80
0040D6CA|.8D45 C4 LEA EAX,DWORD PTR SS:
0040D6CD|.E8 4642FFFF CALL dumped_.00401918
0040D6D2|.8BD0 MOV EDX,EAX
0040D6D4|.FF45 98 INC DWORD PTR SS:
0040D6D7|.8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0040D6DD|.8B81 FC020000 MOV EAX,DWORD PTR DS:
0040D6E3|.E8 DC880600 CALL dumped_.00475FC4
0040D6E8|.8D55 C4 LEA EDX,DWORD PTR SS:
0040D6EB|.8B85 78FFFFFF MOV EAX,DWORD PTR SS:
0040D6F1|.05 18030000 ADD EAX,318
0040D6F6|.E8 21DB0B00 CALL dumped_.004CB21C
0040D6FB|.FF4D 98 DEC DWORD PTR SS:
0040D6FE|.8D45 C4 LEA EAX,DWORD PTR SS:
0040D701|.BA 02000000 MOV EDX,2
0040D706|.E8 E1DA0B00 CALL dumped_.004CB1EC
0040D70B|.8B85 78FFFFFF MOV EAX,DWORD PTR SS:
0040D711|.05 18030000 ADD EAX,318
0040D716|.E8 5142FFFF CALL dumped_.0040196C
0040D71B|.0FBE50 17 MOVSX EDX,BYTE PTR DS: ; check whether the 4th character of the registration code is a digit
0040D71F|.83FA 30 CMP EDX,30
0040D722|.7C 19 JL SHORT dumped_.0040D73D
0040D724|.8B85 78FFFFFF MOV EAX,DWORD PTR SS:
0040D72A|.05 18030000 ADD EAX,318
0040D72F|.E8 3842FFFF CALL dumped_.0040196C
0040D734|.0FBE50 17 MOVSX EDX,BYTE PTR DS:
0040D738|.83FA 39 CMP EDX,39
0040D73B|.7E 0D JLE SHORT dumped_.0040D74A
0040D73D|>8B0D C0924D00 MOV ECX,DWORD PTR DS:
0040D743|.C681 CC040000>MOV BYTE PTR DS:,0
0040D74A|>B2 01 MOV DL,1
0040D74C|.A1 64904A00 MOV EAX,DWORD PTR DS:
0040D751|.E8 0EBA0900 CALL dumped_.004A9164
0040D756|.8985 64FFFFFF MOV DWORD PTR SS:,EAX
0040D75C|.BA 01000080 MOV EDX,80000001
0040D761|.8B85 64FFFFFF MOV EAX,DWORD PTR SS:
0040D767|.E8 94D80B00 CALL dumped_.004CB000
0040D76C|.8B0D C0924D00 MOV ECX,DWORD PTR DS:
0040D772|.8A81 CC040000 MOV AL,BYTE PTR DS:
0040D778|.84C0 TEST AL,AL
0040D77A|.0F84 15010000 JE dumped_.0040D895
0040D780|.66:C745 8C 8C>MOV WORD PTR SS:,8C
0040D786|.BA 88104D00 MOV EDX,dumped_.004D1088 ;ASCII "Software\ExeIcon\HexCmp"
0040D78B|.8D45 C0 LEA EAX,DWORD PTR SS:
0040D78E|.E8 F9D80B00 CALL dumped_.004CB08C
Step into 0040D68E CALL dumped_.0040B59C:
0040B59C/$55 PUSH EBP
0040B59D|.8BEC MOV EBP,ESP
0040B59F|.81C4 74FFFFFF ADD ESP,-8C
0040B5A5|.56 PUSH ESI
0040B5A6|.57 PUSH EDI
0040B5A7|.B8 8C114D00 MOV EAX,dumped_.004D118C
0040B5AC|.E8 135B0B00 CALL dumped_.004C10C4
0040B5B1|.C745 F8 01000>MOV DWORD PTR SS:,1
0040B5B8|.8D55 08 LEA EDX,DWORD PTR SS:
0040B5BB|.8D45 08 LEA EAX,DWORD PTR SS:
0040B5BE|.E8 01FB0B00 CALL dumped_.004CB0C4
0040B5C3|.FF45 F8 INC DWORD PTR SS:
0040B5C6|.66:C745 EC 08>MOV WORD PTR SS:,8
0040B5CC|.C645 DB 00 MOV BYTE PTR SS:,0
0040B5D0|.8D45 08 LEA EAX,DWORD PTR SS:
0040B5D3|.E8 7063FFFF CALL dumped_.00401948
0040B5D8|.83F8 2C CMP EAX,2C ;check whether the registration code length is 44
0040B5DB|.7E 0D JLE SHORT dumped_.0040B5EA
0040B5DD|.8D45 08 LEA EAX,DWORD PTR SS:
0040B5E0|.BA 2C000000 MOV EDX,2C
0040B5E5|.E8 F6FD0B00 CALL dumped_.004CB3E0
0040B5EA|>8D45 08 LEA EAX,DWORD PTR SS:
0040B5ED|.E8 5663FFFF CALL dumped_.00401948
0040B5F2|.83F8 2C CMP EAX,2C ;check whether the registration code length is 44; if not, jump to the error
0040B5F5|.0F85 49020000 JNZ dumped_.0040B844
0040B5FB|.BE 840C4D00 MOV ESI,dumped_.004D0C84 ;string "1z1h+2a0n-0g8y*9a1n|", denoted S1
0040B600|.8D7D 88 LEA EDI,DWORD PTR SS:
0040B603|.B9 05000000 MOV ECX,5
0040B608|.F3:A5 REP MOVS DWORD PTR ES:,DWORD PTR DS>
0040B60A|.A4 MOVS BYTE PTR ES:,BYTE PTR DS:
0040B60B|.8D45 08 LEA EAX,DWORD PTR SS:
0040B60E|.E8 5963FFFF CALL dumped_.0040196C
0040B613|.0FBE50 28 MOVSX EDX,BYTE PTR DS:
0040B617|.83FA 48 CMP EDX,48 ;check whether the 41st character of the registration code is H
0040B61A|.74 23 JE SHORT dumped_.0040B63F
0040B61C|.33C0 XOR EAX,EAX
0040B61E|.50 PUSH EAX
0040B61F|.FF4D F8 DEC DWORD PTR SS:
0040B622|.8D45 08 LEA EAX,DWORD PTR SS:
0040B625|.BA 02000000 MOV EDX,2
0040B62A|.E8 BDFB0B00 CALL dumped_.004CB1EC
0040B62F|.58 POP EAX
0040B630|.8B55 DC MOV EDX,DWORD PTR SS:
0040B633|.64:8915 00000>MOV DWORD PTR FS:,EDX
0040B63A|.E9 24020000 JMP dumped_.0040B863
0040B63F|>8D45 08 LEA EAX,DWORD PTR SS:
0040B642|.E8 2563FFFF CALL dumped_.0040196C
0040B647|.0FBE50 29 MOVSX EDX,BYTE PTR DS:
0040B64B|.83FA 46 CMP EDX,46 ;check whether the 42nd character of the registration code is F
0040B64E|.74 23 JE SHORT dumped_.0040B673
0040B650|.33C0 XOR EAX,EAX
0040B652|.50 PUSH EAX
0040B653|.FF4D F8 DEC DWORD PTR SS:
0040B656|.8D45 08 LEA EAX,DWORD PTR SS:
0040B659|.BA 02000000 MOV EDX,2
0040B65E|.E8 89FB0B00 CALL dumped_.004CB1EC
0040B663|.58 POP EAX
0040B664|.8B55 DC MOV EDX,DWORD PTR SS:
0040B667|.64:8915 00000>MOV DWORD PTR FS:,EDX
0040B66E|.E9 F0010000 JMP dumped_.0040B863
0040B673|>8D45 08 LEA EAX,DWORD PTR SS:
0040B676|.E8 F162FFFF CALL dumped_.0040196C
0040B67B|.0FBE50 2A MOVSX EDX,BYTE PTR DS:
0040B67F|.83FA 43 CMP EDX,43 ;check whether the 43rd character of the registration code is C
0040B682|.74 23 JE SHORT dumped_.0040B6A7
0040B684|.33C0 XOR EAX,EAX
0040B686|.50 PUSH EAX
0040B687|.FF4D F8 DEC DWORD PTR SS:
0040B68A|.8D45 08 LEA EAX,DWORD PTR SS:
0040B68D|.BA 02000000 MOV EDX,2
0040B692|.E8 55FB0B00 CALL dumped_.004CB1EC
0040B697|.58 POP EAX
0040B698|.8B55 DC MOV EDX,DWORD PTR SS:
0040B69B|.64:8915 00000>MOV DWORD PTR FS:,EDX
0040B6A2|.E9 BC010000 JMP dumped_.0040B863
0040B6A7|>8D45 08 LEA EAX,DWORD PTR SS:
0040B6AA|.E8 BD62FFFF CALL dumped_.0040196C
0040B6AF|.0FBE50 2B MOVSX EDX,BYTE PTR DS:
0040B6B3|.83FA 31 CMP EDX,31 ;check whether the 44th character of the registration code is 1
0040B6B6|.74 23 JE SHORT dumped_.0040B6DB
0040B6B8|.33C0 XOR EAX,EAX
0040B6BA|.50 PUSH EAX
0040B6BB|.FF4D F8 DEC DWORD PTR SS:
0040B6BE|.8D45 08 LEA EAX,DWORD PTR SS:
0040B6C1|.BA 02000000 MOV EDX,2
0040B6C6|.E8 21FB0B00 CALL dumped_.004CB1EC
0040B6CB|.58 POP EAX
0040B6CC|.8B55 DC MOV EDX,DWORD PTR SS:
0040B6CF|.64:8915 00000>MOV DWORD PTR FS:,EDX
0040B6D6|.E9 88010000 JMP dumped_.0040B863
0040B6DB|>8D45 08 LEA EAX,DWORD PTR SS:
0040B6DE|.E8 8962FFFF CALL dumped_.0040196C
0040B6E3|.50 PUSH EAX ; /Arg2
0040B6E4|.8D55 A0 LEA EDX,DWORD PTR SS: ; |
0040B6E7|.52 PUSH EDX ; |Arg1
0040B6E8|.E8 6B570B00 CALL dumped_.004C0E58 ; \dumped_.004C0E58
0040B6ED|.83C4 08 ADD ESP,8
0040B6F0|.0FBE4D A1 MOVSX ECX,BYTE PTR SS:
0040B6F4|.83F9 30 CMP ECX,30 ;check whether the 2nd character of the registration code is 0
0040B6F7|.0F85 47010000 JNZ dumped_.0040B844
0040B6FD|.C645 A1 23 MOV BYTE PTR SS:,23 ;replace the 2nd character of the registration code with #
0040B701|.C645 DB 01 MOV BYTE PTR SS:,1 ;variable b1=1
0040B705|.C745 D4 02000>MOV DWORD PTR SS:,2 ;variable b2=2
0040B70C|>8B45 D4 /MOV EAX,DWORD PTR SS: ;EAX=1
0040B70F|.0FBE5405 88 |MOVSX EDX,BYTE PTR SS: ;3rd character of string S1
0040B714|.8B4D D4 |MOV ECX,DWORD PTR SS: ;ECX=2
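0040B717|.0FBE440D 9F |MOVSX EAX,BYTE PTR SS: ;2nd character of the registration code after replacement, #
0040B71C|.03D0 |ADD EDX,EAX ;add the ASCII values of the 3rd character of S1 and the 2nd character of the registration code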
0040B71E|.8B4D D4 |MOV ECX,DWORD PTR SS:
0040B721|.0FBE440D A0 |MOVSX EAX,BYTE PTR SS: ;ASCII value of the 3rd character of the registration code
0040B726|.33D0 |XOR EDX,EAX ;XOR
0040B728|.8B4D D4 |MOV ECX,DWORD PTR SS:
0040B72B|.0FBE440D 88 |MOVSX EAX,BYTE PTR SS: ;3rd character of string S1
0040B730|.33D0 |XOR EDX,EAX ;XOR
0040B732|.52 |PUSH EDX ; /Arg1
0040B733|.E8 747BFFFF |CALL dumped_.004032AC ; \dumped_.004032AC
0040B738|.59 |POP ECX
0040B739|.B9 1A000000 |MOV ECX,1A ;ECX=1A
0040B73E|.99 |CDQ
0040B73F|.F7F9 |IDIV ECX ;divide
0040B741|.83C2 41 |ADD EDX,41 ;add 41 to the remainder
0040B744|.8B45 D4 |MOV EAX,DWORD PTR SS:
0040B747|.0FBE4C05 A9 |MOVSX ECX,BYTE PTR SS:
0040B74C|.3BD1 |CMP EDX,ECX ;compare with the 12th character of the registration code
0040B74E 74 06 JE SHORT dumped_.0040B756
0040B750|.C645 DB 00 |MOV BYTE PTR SS:,0
0040B754|.EB 0B |JMP SHORT dumped_.0040B761
0040B756|>FF45 D4 |INC DWORD PTR SS:
0040B759|.8B55 D4 |MOV EDX,DWORD PTR SS:
0040B75C|.83FA 0A |CMP EDX,0A ;compare with 10
0040B75F|.^ 7C AB \JL SHORT dumped_.0040B70C
0040B761|>8A45 DB MOV AL,BYTE PTR SS:
0040B764|.84C0 TEST AL,AL
0040B766|.0F84 CB000000 JE dumped_.0040B837
0040B76C|.C745 D0 18000>MOV DWORD PTR SS:,18
0040B773|.66:C745 EC 08>MOV WORD PTR SS:,8
0040B779|.8B55 D0 MOV EDX,DWORD PTR SS:
0040B77C|.83FA 28 CMP EDX,28
0040B77F|.7D 4D JGE SHORT dumped_.0040B7CE
0040B781|>8B4D D0 /MOV ECX,DWORD PTR SS:
0040B784|.0FBE440D 89 |MOVSX EAX,BYTE PTR SS: ;2nd character of the transformed registration code
0040B789|.B9 06000000 |MOV ECX,6 ;ECX=6
0040B78E|.99 |CDQ
0040B78F|.F7F9 |IDIV ECX ;divide
0040B791|.8BCA |MOV ECX,EDX ;move the remainder into ECX
0040B793|.8B45 D0 |MOV EAX,DWORD PTR SS: ;EAX=24
0040B796|.0FBE5405 8A |MOVSX EDX,BYTE PTR SS: ;ASCII value of the 3rd character of the transformed registration code
0040B79B|.D3E2 |SHL EDX,CL ;shift left by the remainder
0040B79D|.8B45 D0 |MOV EAX,DWORD PTR SS:
0040B7A0|.0FBE4C05 8B |MOVSX ECX,BYTE PTR SS: ;ASCII value of the 4th character of the transformed registration code
0040B7A5|.0BD1 |OR EDX,ECX ;OR
0040B7A7|.52 |PUSH EDX ; /Arg1
0040B7A8|.E8 FF7AFFFF |CALL dumped_.004032AC ; \dumped_.004032AC
0040B7AD|.59 |POP ECX
0040B7AE|.B9 1A000000 |MOV ECX,1A ;ECX=1A
0040B7B3|.99 |CDQ
0040B7B4|.F7F9 |IDIV ECX ;divide
0040B7B6|.80C2 61 |ADD DL,61 ;add 61 to the remainder
0040B7B9|.8B45 D0 |MOV EAX,DWORD PTR SS:
0040B7BC|.889405 5CFFFF>|MOV BYTE PTR SS:,DL ;store the character
0040B7C3|.FF45 D0 |INC DWORD PTR SS: ;variable++
0040B7C6|.8B55 D0 |MOV EDX,DWORD PTR SS:
0040B7C9|.83FA 28 |CMP EDX,28
0040B7CC|.^ 7C B3 \JL SHORT dumped_.0040B781 ;computes the new string S2; in my case it is "rqxlhhplmiiamqbt"
0040B7CE|>C645 84 5A MOV BYTE PTR SS:,5A
0040B7D2|.C645 85 59 MOV BYTE PTR SS:,59
0040B7D6|.C745 CC 18000>MOV DWORD PTR SS:,18
0040B7DD|.66:C745 EC 08>MOV WORD PTR SS:,8
0040B7E3|.8B45 CC MOV EAX,DWORD PTR SS:
0040B7E6|.83F8 28 CMP EAX,28
0040B7E9|.7D 4C JGE SHORT dumped_.0040B837
0040B7EB|>8B55 CC /MOV EDX,DWORD PTR SS: ;EDX =24
0040B7EE|.0FBE8C15 5CFF>|MOVSX ECX,BYTE PTR SS: ;1st character of string S2
0040B7F6|.C1E1 04 |SHL ECX,4 ;shift left by 4 bits
0040B7F9|.8B45 CC |MOV EAX,DWORD PTR SS:
0040B7FC|.0FBE9405 5DFF>|MOVSX EDX,BYTE PTR SS: ;2nd character of string S2
0040B804|.D1FA |SAR EDX,1 ;shift right by 1 bit
0040B806|.33CA |XOR ECX,EDX ;XOR
0040B808|.51 |PUSH ECX ; /Arg1
0040B809|.E8 9E7AFFFF |CALL dumped_.004032AC ; \dumped_.004032AC
0040B80E|.59 |POP ECX
0040B80F|.B9 1A000000 |MOV ECX,1A ;ECX=1A
0040B814|.99 |CDQ
0040B815|.F7F9 |IDIV ECX ;divide
0040B817|.83C2 41 |ADD EDX,41 ;add 41 to the remainder
0040B81A|.8B45 CC |MOV EAX,DWORD PTR SS:
0040B81D|.0FBE4405 A0 |MOVSX EAX,BYTE PTR SS:
0040B822|.3BD0 |CMP EDX,EAX ;compare the result computed above with the 25th character of the registration code
0040B824 74 06 JE SHORT dumped_.0040B82C
0040B826|.C645 DB 00 |MOV BYTE PTR SS:,0
0040B82A|.EB 0B |JMP SHORT dumped_.0040B837
0040B82C|>FF45 CC |INC DWORD PTR SS:
0040B82F|.8B55 CC |MOV EDX,DWORD PTR SS:
0040B832|.83FA 28 |CMP EDX,28
0040B835|.^ 7C B4 \JL SHORT dumped_.0040B7EB
0040B837|>0FBE4D AA MOVSX ECX,BYTE PTR SS:
0040B83B|.83F9 59 CMP ECX,59 ;check whether the 11th character of the registration code is Y
0040B83E|.74 04 JE SHORT dumped_.0040B844
0040B840|.C645 DB 00 MOV BYTE PTR SS:,0 ;modifying this spot allows a patch crack
0040B844|>8A45 DB MOV AL,BYTE PTR SS: ;flag
0040B847|.50 PUSH EAX
0040B848|.FF4D F8 DEC DWORD PTR SS:
0040B84B|.8D45 08 LEA EAX,DWORD PTR SS:
0040B84E|.BA 02000000 MOV EDX,2
0040B853|.E8 94F90B00 CALL dumped_.004CB1EC
0040B858|.58 POP EAX
0040B859|.8B55 DC MOV EDX,DWORD PTR SS:
0040B85C|.64:8915 00000>MOV DWORD PTR FS:,EDX
0040B863|>5F POP EDI
0040B864|.5E POP ESI
0040B865|.8BE5 MOV ESP,EBP
0040B867|.5D POP EBP
0040B868\.C3 RETN
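I'll leave one working set of registration data:
Email address: [email protected]
Registration code: L0@163@COMYLHNBZDOC01234WQYMAEAOWKGOAFCDHFC1
1. The registration code is 44 characters long.
2. The email address must not be longer than 10 characters, because the first 10 characters of the registration code should contain the email address in uppercase, with "." changed to "@".
3. The last 4 characters of the registration code must be HFC1, and the 24th character must be a digit.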
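4. As for characters 12 to 19 and 25 to 40 of the registration code, the algorithm is complex and my programming is not good enough, so I cannot summarize it in words; I hope an expert can fill this in.

Learning from 老万.

This post was last edited by zaas on 2010-6-2 20:41
This algorithm looks so familiar... I suspect there is a hidden check.

Quote from zaas, posted 2010-6-2 20:40: This algorithm looks so familiar... I suspect there is a hidden check.
It looks a lot like the patched one you wrote. The characters that never show up in a comparison are probably verified somewhere else; that's just my guess.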