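A beginner studies the algorithm: cracking Xilisoft DVD to PSP Converter
[Software name] Xilisoft DVD to PSP Converter 4.0.52.0616
[Download] http://www.onlinedown.net/soft/46397.htm
[Platform] Win9x/Me/NT/2000/XP/2003
[Category] Foreign software / shareware / video tools
[Protection] User name, registration code, MD5
[Author's note] I am new to cracking and do it only out of interest, to pass my spare time. I would be grateful if the more experienced members would point out any mistakes.
[Debugging environment] WinXP, OllyDbg, PEiD
[Software info] Converts DVD movies into MP4 video files or MP3 audio files that can be played on the PSP.
I. Tracing the algorithm
PEiD check: Microsoft Visual C++ 7.0 Method2 [Debug]. Registration is verified by the main program calling UILib71.dll in the installation directory.
Loaded the program in OD and searched the string references; no key information found. Entered user name: wzwgp, fake code: 123456789223456789323456789423456789123
A "registration code incorrect" prompt appears. Set a breakpoint: BP MessageBoxA; it breaks at 77D5050B.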
77D5050B >8BFF MOV EDI,EDI ; dvdrip.00458328
77D5050D 55 PUSH EBP
77D5050E 8BEC MOV EBP,ESP
77D50510 833D 1C04D777 0>CMP DWORD PTR DS:,0
77D50517 74 24 JE SHORT USER32.77D5053D
77D50519 64:A1 18000000MOV EAX,DWORD PTR FS:
77D5051F 6A 00 PUSH 0
Remove the breakpoint, press Alt+F9 to return to 1001B778, then set a breakpoint further up at 1001B720.
1001B720 >/$64:A1 0000000>MOV EAX,DWORD PTR FS: ;set breakpoint here
1001B726|.6A FF PUSH -1
1001B728|.68 02630210 PUSH UILib71.10026302
1001B72D|.50 PUSH EAX
1001B72E|.64:8925 00000>MOV DWORD PTR FS:,ESP
1001B735|.83EC 08 SUB ESP,8
1001B738|.56 PUSH ESI
1001B739|.8BF1 MOV ESI,ECX
1001B73B|.E8 D0F4FFFF CALL UILib71.?SaveRegInfo@ImRegDlg@@IAEX>;write user name and encrypted registration code to the registry
1001B740|.E8 BBF8FFFF CALL UILib71.?IsValidRegInfo@ImRegDlg@@S>;restore registry info, verify registration code
1001B745|.85C0 TEST EAX,EAX ;EAX=0 registration failed
1001B747|.75 49 JNZ SHORT UILib71.1001B792 ;jump to registration success
1001B749|.8B0D CC040410 MOV ECX,DWORD PTR DS:
1001B74F|.68 442F0000 PUSH 2F44
1001B754|.8D4424 08 LEA EAX,DWORD PTR SS:
1001B758|.50 PUSH EAX
1001B759|.E8 F217FFFF CALL UILib71.?GetString@ImLanguage@@QBE?>
1001B75E|.6A 00 PUSH 0
1001B760|.6A 30 PUSH 30
1001B762|.8BC8 MOV ECX,EAX
1001B764|.C74424 1C 000>MOV DWORD PTR SS:,0
1001B76C|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#876>]
1001B772|.50 PUSH EAX
1001B773|.E8 4C820000 CALL <JMP.&MFC71.#1123> ;registration-failed prompt
1001B778|.8D4C24 04 LEA ECX,DWORD PTR SS:
1001B77C|.FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#578>]
1001B782|.5E POP ESI
1001B783|.8B4C24 08 MOV ECX,DWORD PTR SS:
1001B787|.64:890D 00000>MOV DWORD PTR FS:,ECX
1001B78E|.83C4 14 ADD ESP,14
1001B791|.C3 RETN
1001B792|>8D8E A4030000 LEA ECX,DWORD PTR DS:
1001B798|.FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#3934>];MFC71.7C1501A3
1001B79E|.84C0 TEST AL,AL
1001B7A0|.75 41 JNZ SHORT UILib71.1001B7E3
1001B7A2|.68 452F0000 PUSH 2F45
1001B7A7|.8D4C24 0C LEA ECX,DWORD PTR SS:
1001B7AB|.51 PUSH ECX
1001B7AC|.8B0D CC040410 MOV ECX,DWORD PTR DS:
1001B7B2|.E8 9917FFFF CALL UILib71.?GetString@ImLanguage@@QBE?>
1001B7B7|.6A 00 PUSH 0
1001B7B9|.6A 30 PUSH 30
1001B7BB|.8BC8 MOV ECX,EAX
1001B7BD|.C74424 1C 010>MOV DWORD PTR SS:,1
1001B7C5|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#876>] ;registration-succeeded prompt
1001B7CB|.50 PUSH EAX
1001B7CC|.E8 F3810000 CALL <JMP.&MFC71.#1123>
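The call at 1001B73B writes the user name to the registry; the user name, the registration code and constants are combined through xor, shr and or operations to encrypt the registration code, which is then written to the registry.
This has nothing to do with how the registration code is generated (the registration code is only restored when it is verified), so it is skipped.
At 1001B740, press F7 to step in (restore registry info, verify registration code).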
1001B000 >/$6A FF PUSH -1
1001B002|.68 BF620210 PUSH UILib71.100262BF ;SE handler installation
1001B007|.64:A1 0000000>MOV EAX,DWORD PTR FS:
1001B00D|.50 PUSH EAX
1001B00E|.64:8925 00000>MOV DWORD PTR FS:,ESP
1001B015|.81EC A4000000 SUB ESP,0A4
1001B01B|.A1 70010410 MOV EAX,DWORD PTR DS:
1001B020|.53 PUSH EBX
1001B021|.56 PUSH ESI
1001B022|.8D4C24 10 LEA ECX,DWORD PTR SS:
1001B026|.898424 A80000>MOV DWORD PTR SS:,EAX
1001B02D|.FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;MFC71.7C173199
1001B033|.8D4C24 18 LEA ECX,DWORD PTR SS:
1001B037|.C78424 B40000>MOV DWORD PTR SS:,0
1001B042|.FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;MFC71.7C173199
1001B048|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B04C|.FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;MFC71.7C173199
1001B052|.8B0D D0040410 MOV ECX,DWORD PTR DS: ;UILib71.?g_pref@@3VImAppPref@@A
1001B058|.8D4424 20 LEA EAX,DWORD PTR SS:
1001B05C|.50 PUSH EAX
1001B05D|.C68424 B80000>MOV BYTE PTR SS:,2
1001B065|.E8 F6A6FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B06A|.8BC8 MOV ECX,EAX
1001B06C|.83C1 2C ADD ECX,2C
1001B06F|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;read registry info
1001B075|.50 PUSH EAX ; |Subkey
1001B076|.68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
1001B07B|.FF15 04700210 CALL NEAR DWORD PTR DS:[<&ADVAPI32.>; \RegCreateKeyA
1001B081|.85C0 TEST EAX,EAX
1001B083|.0F85 B1000000 JNZ UILib71.1001B13A
1001B089|.8D4C24 08 LEA ECX,DWORD PTR SS:
1001B08D|.51 PUSH ECX
1001B08E|.68 00020000 PUSH 200
1001B093|.8D4C24 18 LEA ECX,DWORD PTR SS:
1001B097|.C74424 10 000>MOV DWORD PTR SS:,200
1001B09F|.FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>;MFC71.7C15102A
1001B0A5|.8B5424 24 MOV EDX,DWORD PTR SS: ; |
1001B0A9|.8B35 10700210 MOV ESI,DWORD PTR DS:[<&ADVAPI32.Re>; |ADVAPI32.RegQueryValueExA
1001B0AF|.50 PUSH EAX ; |Buffer
1001B0B0|.6A 00 PUSH 0 ; |pValueType = NULL
1001B0B2|.6A 00 PUSH 0 ; |Reserved = NULL
1001B0B4|.68 3C810210 PUSH UILib71.1002813C ; |name
1001B0B9|.52 PUSH EDX ; |hKey
1001B0BA|.FFD6 CALL NEAR ESI ; \RegQueryValueExA
1001B0BC|.6A FF PUSH -1
1001B0BE|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B0C2|.FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>;get user name length
1001B0C8|.8D4424 08 LEA EAX,DWORD PTR SS:
1001B0CC|.50 PUSH EAX
1001B0CD|.68 00020000 PUSH 200
1001B0D2|.8D4C24 20 LEA ECX,DWORD PTR SS:
1001B0D6|.C74424 10 000>MOV DWORD PTR SS:,200
1001B0DE|.FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B0E4|.8B4C24 24 MOV ECX,DWORD PTR SS:
1001B0E8|.50 PUSH EAX
1001B0E9|.6A 00 PUSH 0
1001B0EB|.6A 00 PUSH 0
1001B0ED|.68 30E10210 PUSH UILib71.1002E130
1001B0F2|.51 PUSH ECX
1001B0F3|.FFD6 CALL NEAR ESI
1001B0F5|.6A FF PUSH -1
1001B0F7|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B0FB|.FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>
1001B101|.8D5424 08 LEA EDX,DWORD PTR SS:
1001B105|.52 PUSH EDX
1001B106|.68 00020000 PUSH 200
1001B10B|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B10F|.C74424 10 000>MOV DWORD PTR SS:,200
1001B117|.FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B11D|.50 PUSH EAX
1001B11E|.8B4424 28 MOV EAX,DWORD PTR SS:
1001B122|.6A 00 PUSH 0
1001B124|.6A 00 PUSH 0
1001B126|.68 38E10210 PUSH UILib71.1002E138
1001B12B|.50 PUSH EAX
1001B12C|.FFD6 CALL NEAR ESI ;fetch the computed result stored in the registry
1001B12E|.6A FF PUSH -1
1001B130|.8D4C24 18 LEA ECX,DWORD PTR SS:
1001B134|.FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>
1001B13A|>8D4C24 14 LEA ECX,DWORD PTR SS:
1001B13E|.FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B144|.84C0 TEST AL,AL
1001B146|.0F85 8E000000 JNZ UILib71.1001B1DA
1001B14C|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B150|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B156|.50 PUSH EAX
1001B157|.8D4C24 0C LEA ECX,DWORD PTR SS:
1001B15B|.51 PUSH ECX
1001B15C|.E8 CFF3FFFF CALL UILib71.?Hex2StringA@ImRegDlg@>
1001B161|.83C4 08 ADD ESP,8
1001B164|.B3 03 MOV BL,3
1001B166|.8D4C24 34 LEA ECX,DWORD PTR SS:
1001B16A|.889C24 B40000>MOV BYTE PTR SS:,BL
1001B171|.E8 DA700000 CALL UILib71.10022250 ;process constants (used to encrypt the registration code written to the registry)
1001B176|.8D4C24 08 LEA ECX,DWORD PTR SS:
1001B17A|.C68424 B40000>MOV BYTE PTR SS:,4
1001B182|.FF15 78750210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B188|.50 PUSH EAX
1001B189|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B18D|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B193|.50 PUSH EAX
1001B194|.8D4C24 3C LEA ECX,DWORD PTR SS:
1001B198|.E8 C3750000 CALL UILib71.10022760 ;restore (decrypt) the fake code stored in the registry
1001B19D|.6A FF PUSH -1
1001B19F|.8D4C24 0C LEA ECX,DWORD PTR SS:
1001B1A3|.FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>;get length of fake code
1001B1A9|.8D5424 08 LEA EDX,DWORD PTR SS:
1001B1AD|.52 PUSH EDX
1001B1AE|.8D4C24 18 LEA ECX,DWORD PTR SS:
1001B1B2|.FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>
1001B1B8|.8D4C24 34 LEA ECX,DWORD PTR SS:
1001B1BC|.889C24 B40000>MOV BYTE PTR SS:,BL
1001B1C3|.E8 F8700000 CALL UILib71.100222C0
1001B1C8|.8D4C24 08 LEA ECX,DWORD PTR SS:
1001B1CC|.C68424 B40000>MOV BYTE PTR SS:,2
1001B1D4|.FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B1DA|>6A 14 PUSH 14
1001B1DC|.8D4424 0C LEA EAX,DWORD PTR SS:
1001B1E0|.50 PUSH EAX
1001B1E1|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B1E5|.FF15 8C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B1EB|.50 PUSH EAX
1001B1EC|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B1F0|.C68424 B80000>MOV BYTE PTR SS:,5
1001B1F8|.FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>;get address of first 20 characters of fake code
1001B1FE|.8D4C24 08 LEA ECX,DWORD PTR SS:
1001B202|.C68424 B40000>MOV BYTE PTR SS:,2
1001B20A|.FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B210|.8D4C24 10 LEA ECX,DWORD PTR SS:
1001B214|.FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B21A|.84C0 TEST AL,AL
1001B21C|.0F85 D3030000 JNZ UILib71.1001B5F5
1001B222|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B226|.FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B22C|.84C0 TEST AL,AL
1001B22E|.0F85 C1030000 JNZ UILib71.1001B5F5
1001B234|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B238|.FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>;get length of fake code
1001B23E|.83F8 27 CMP EAX,27 ;registration code length = 27
1001B241|.0F85 AE030000 JNZ UILib71.1001B5F5
1001B247|.8D4C24 18 LEA ECX,DWORD PTR SS: ;= address of first 20 characters of fake code
1001B24B|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B251|.8B0D D0040410 MOV ECX,DWORD PTR DS: ;UILib71.?g_pref@@3VImAppPref@@A
1001B257|.E8 04A5FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B25C|.83C0 38 ADD EAX,38
1001B25F|.50 PUSH EAX
1001B260|.8D4C24 14 LEA ECX,DWORD PTR SS: ;address of user name
1001B264|.FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>;EAX= "Xilisoftdvdtopspconverter4"
1001B26A|.8D4C24 0C LEA ECX,DWORD PTR SS:
1001B26E|.FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;MFC71.7C173199
1001B274|.8D4C24 10 LEA ECX,DWORD PTR SS:
1001B278|.C68424 B40000>MOV BYTE PTR SS:,6
1001B280|.33F6 XOR ESI,ESI
1001B282|.FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>;get length of "Xilisoftdvdtopspconverter4"
1001B288|.85C0 TEST EAX,EAX
1001B28A|.7E 5C JLE SHORT UILib71.1001B2E8
1001B28C|.8D6424 00 LEA ESP,DWORD PTR SS:
1001B290|>8BCE /MOV ECX,ESI
1001B292|.81E1 01000080 |AND ECX,80000001
1001B298|.79 05 |JNS SHORT UILib71.1001B29F
1001B29A|.49 |DEC ECX
1001B29B|.83C9 FE |OR ECX,FFFFFFFE
1001B29E|.41 |INC ECX
1001B29F|>75 38 |JNZ SHORT UILib71.1001B2D9
1001B2A1|.56 |PUSH ESI
1001B2A2|.8D4C24 14 |LEA ECX,DWORD PTR SS: ;=ASCII "Xilisoftdvdtopspconverter4"
1001B2A6|.FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>;AL=58(X), take the ASCII code of the odd-position characters
1001B2AC|.8D4C24 0C |LEA ECX,DWORD PTR SS:
1001B2B0|.50 |PUSH EAX
1001B2B1|.FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;save 58(X)
1001B2B7|.8D46 01 |LEA EAX,DWORD PTR DS: ;= index of the character taken so far + 1
1001B2BA|.99 |CDQ
1001B2BB|.B9 FF000000 |MOV ECX,0FF
1001B2C0|.F7F9 |IDIV ECX
1001B2C2|.84D2 |TEST DL,DL
1001B2C4|.885424 08 |MOV BYTE PTR SS:,DL ;DL=01, 03 (even positions)
1001B2C8|.74 0F |JE SHORT UILib71.1001B2D9
1001B2CA|.8B5424 08 |MOV EDX,DWORD PTR SS:
1001B2CE|.52 |PUSH EDX
1001B2CF|.8D4C24 10 |LEA ECX,DWORD PTR SS:
1001B2D3|.FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;save DL
1001B2D9|>8D4C24 10 |LEA ECX,DWORD PTR SS:
1001B2DD|.46 |INC ESI ;ESI counter
1001B2DE|.FF15 C8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#2>;MFC71.7C146AB0
1001B2E4|.3BF0 |CMP ESI,EAX ;EAX=1A (string length)
1001B2E6|.^ 7C A8 \JL SHORT UILib71.1001B290
1001B2E8|>8D4C24 10 LEA ECX,DWORD PTR SS:
1001B2EC|.33F6 XOR ESI,ESI
1001B2EE|.FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>;MFC71.7C146AB0
1001B2F4|.85C0 TEST EAX,EAX
1001B2F6|.7E 5F JLE SHORT UILib71.1001B357
1001B2F8|.EB 06 JMP SHORT UILib71.1001B300
1001B2FA| 8D9B 00000000 LEA EBX,DWORD PTR DS:
1001B300|>8BC6 /MOV EAX,ESI
1001B302|.25 01000080 |AND EAX,80000001
1001B307|.79 05 |JNS SHORT UILib71.1001B30E
1001B309|.48 |DEC EAX
1001B30A|.83C8 FE |OR EAX,FFFFFFFE
1001B30D|.40 |INC EAX
1001B30E|>74 38 |JE SHORT UILib71.1001B348
1001B310|.56 |PUSH ESI
1001B311|.8D4C24 14 |LEA ECX,DWORD PTR SS: ;=ASCII "Xilisoftdvdtopspconverter4"
1001B315|.FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>;AL=58(i), take the ASCII code of the even-position characters
1001B31B|.8D4C24 0C |LEA ECX,DWORD PTR SS:
1001B31F|.50 |PUSH EAX
1001B320|.FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;save 58(i)
1001B326|.8D46 01 |LEA EAX,DWORD PTR DS: ;= index of the character taken so far + 1
1001B329|.99 |CDQ
1001B32A|.B9 FF000000 |MOV ECX,0FF
1001B32F|.F7F9 |IDIV ECX
1001B331|.84D2 |TEST DL,DL
1001B333|.885424 08 |MOV BYTE PTR SS:,DL ;DL=2, 4
1001B337|.74 0F |JE SHORT UILib71.1001B348
1001B339|.8B5424 08 |MOV EDX,DWORD PTR SS:
1001B33D|.52 |PUSH EDX
1001B33E|.8D4C24 10 |LEA ECX,DWORD PTR SS:
1001B342|.FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;save DL
1001B348|>8D4C24 10 |LEA ECX,DWORD PTR SS:
1001B34C|.46 |INC ESI ;ESI counter
1001B34D|.FF15 C8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#2>;MFC71.7C146AB0
1001B353|.3BF0 |CMP ESI,EAX
1001B355|.^ 7C A9 \JL SHORT UILib71.1001B300 ;EAX=1A (string length)
1001B357|>8D4C24 24 LEA ECX,DWORD PTR SS:
1001B35B|.FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B361|.6A 01 PUSH 1
1001B363|.8D4424 28 LEA EAX,DWORD PTR SS:
1001B367|.68 50E10210 PUSH UILib71.1002E150
1001B36C|.50 PUSH EAX
1001B36D|.C68424 C00000>MOV BYTE PTR SS:,7
1001B375|.FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B37B|.83C4 0C ADD ESP,0C
1001B37E|.8D4C24 24 LEA ECX,DWORD PTR SS:
1001B382|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B388|.50 PUSH EAX
1001B389|.6A 00 PUSH 0
1001B38B|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B38F|.FF15 84750210 CALL NEAR DWORD PTR DS:[<&MFC71.#38>;prepend 1 to the string
1001B395|.8D4C24 28 LEA ECX,DWORD PTR SS:
1001B399|.FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B39F|.8D4C24 2C LEA ECX,DWORD PTR SS:
1001B3A3|.FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B3A9|.6A 00 PUSH 0
1001B3AB|.8D4C24 2C LEA ECX,DWORD PTR SS:
1001B3AF|.68 50E10210 PUSH UILib71.1002E150
1001B3B4|.B3 09 MOV BL,9
1001B3B6|.51 PUSH ECX
1001B3B7|.889C24 C00000>MOV BYTE PTR SS:,BL
1001B3BE|.FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B3C4|.6A 00 PUSH 0
1001B3C6|.8D5424 3C LEA EDX,DWORD PTR SS:
1001B3CA|.68 50E10210 PUSH UILib71.1002E150
1001B3CF|.52 PUSH EDX
1001B3D0|.FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B3D6|.8D4424 44 LEA EAX,DWORD PTR SS:
1001B3DA|.50 PUSH EAX
1001B3DB|.8D4C24 44 LEA ECX,DWORD PTR SS:
1001B3DF|.51 PUSH ECX
1001B3E0|.8D5424 28 LEA EDX,DWORD PTR SS:
1001B3E4|.52 PUSH EDX
1001B3E5|.E8 E66DFEFF CALL UILib71.100021D0
1001B3EA|.83C4 24 ADD ESP,24
1001B3ED|.50 PUSH EAX
1001B3EE|.8D4C24 10 LEA ECX,DWORD PTR SS:
1001B3F2|.C68424 B80000>MOV BYTE PTR SS:,0A
1001B3FA|.FF15 80770210 CALL NEAR DWORD PTR DS:[<&MFC71.#90>;append 00 to the string
1001B400|.8D4C24 08 LEA ECX,DWORD PTR SS:
1001B404|.889C24 B40000>MOV BYTE PTR SS:,BL
1001B40B|.FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B411|.8D4424 18 LEA EAX,DWORD PTR SS:
1001B415|.50 PUSH EAX
1001B416|.8D4C24 20 LEA ECX,DWORD PTR SS:
1001B41A|.FF15 E4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>
1001B420|.B3 0B MOV BL,0B
1001B422|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B426|.889C24 B40000>MOV BYTE PTR SS:,BL
1001B42D|.FF15 80750210 CALL NEAR DWORD PTR DS:[<&MFC71.#40>;[take first 20 characters of fake code]
1001B433|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B437|.FF15 5C740210 CALL NEAR DWORD PTR DS:[<&MFC71.#61>
1001B43D|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B441|.FF15 58740210 CALL NEAR DWORD PTR DS:[<&MFC71.#61>
1001B447|.8D4C24 1C LEA ECX,DWORD PTR SS:
1001B44B|.FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B451|.84C0 TEST AL,AL
1001B453|.74 0F JE SHORT UILib71.1001B464
1001B455|.68 44E10210 PUSH UILib71.1002E144
1001B45A|.8D4C24 20 LEA ECX,DWORD PTR SS:
1001B45E|.FF15 78770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>
1001B464|>8B0D D0040410 MOV ECX,DWORD PTR DS: ;UILib71.?g_pref@@3VImAppPref@@A
1001B46A|.E8 F1A2FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B46F|.83C0 38 ADD EAX,38
1001B472|.50 PUSH EAX
1001B473|.8D4C24 20 LEA ECX,DWORD PTR SS:
1001B477|.51 PUSH ECX
1001B478|.8D5424 10 LEA EDX,DWORD PTR SS:
1001B47C|.52 PUSH EDX
1001B47D|.E8 4E6DFEFF CALL UILib71.100021D0 ;concatenate first 20 characters of fake code with the fixed string
1001B482|.83C4 0C ADD ESP,0C
1001B485|.50 PUSH EAX
1001B486|.8D4C24 10 LEA ECX,DWORD PTR SS:
1001B48A|.C68424 B80000>MOV BYTE PTR SS:,0C
1001B492|.FF15 80770210 CALL NEAR DWORD PTR DS:[<&MFC71.#90>;final concatenation into a 101-character string
1001B498|.8D4C24 08 LEA ECX,DWORD PTR SS:
1001B49C|.889C24 B40000>MOV BYTE PTR SS:,BL
1001B4A3|.FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>;MFC71.7C1771B1
1001B4A9|.8D4C24 0C LEA ECX,DWORD PTR SS:
1001B4AD|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;MFC71.7C158BCD
1001B4B3|.50 PUSH EAX
1001B4B4|.8D4C24 70 LEA ECX,DWORD PTR SS:
1001B4B8|.E8 03740000 CALL UILib71.100228C0 ;enter the MD5 encryption routine
1001B4BD|.8D4C24 6C LEA ECX,DWORD PTR SS:
1001B4C1|.C68424 B40000>MOV BYTE PTR SS:,0D
1001B4C9|.E8 32730000 CALL UILib71.10022800 ;EAX=(d96d58a51ae3c1f181c821811c8b751b)
1001B4CE|.50 PUSH EAX ;push encrypted data
1001B4CF|.8D4C24 34 LEA ECX,DWORD PTR SS:
1001B4D3|.FF15 DC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#30>;EAX = address of encrypted data
1001B4D9|.8D4C24 0C LEA ECX,DWORD PTR SS:
1001B4DD|.C68424 B40000>MOV BYTE PTR SS:,0E
1001B4E5|.FF15 D0730210 CALL NEAR DWORD PTR DS:[<&MFC71.#21>
1001B4EB|.33F6 XOR ESI,ESI
1001B4ED|.8D49 00 LEA ECX,DWORD PTR DS:
1001B4F0|>56 /PUSH ESI
1001B4F1|.8D4C24 34 |LEA ECX,DWORD PTR SS:
1001B4F5|.FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>;take the ASCII code of the odd-position characters of the computed result
1001B4FB|.8D4C24 0C |LEA ECX,DWORD PTR SS:
1001B4FF|.50 |PUSH EAX
1001B500|.FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;append the extracted ASCII code
1001B506|.8BC6 |MOV EAX,ESI
1001B508|.D1E8 |SHR EAX,1
1001B50A|.40 |INC EAX
1001B50B|.25 03000080 |AND EAX,80000003 ;compute whether a "-" must be added
1001B510|.79 05 |JNS SHORT UILib71.1001B517
1001B512|.48 |DEC EAX
1001B513|.83C8 FC |OR EAX,FFFFFFFC
1001B516|.40 |INC EAX
1001B517|>75 0F |JNZ SHORT UILib71.1001B528
1001B519|.68 40E10210 |PUSH UILib71.1002E140 ;push address of "-"
1001B51E|.8D4C24 10 |LEA ECX,DWORD PTR SS:
1001B522|.FF15 C4730210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;after every 4 characters, append "-"
1001B528|>83C6 02 |ADD ESI,2
1001B52B|.83FE 20 |CMP ESI,20
1001B52E|.^ 7C C0 \JL SHORT UILib71.1001B4F0
1001B530|.8D4C24 0C LEA ECX,DWORD PTR SS:
1001B534|.FF15 80750210 CALL NEAR DWORD PTR DS:[<&MFC71.#40>;convert to upper case
1001B53A|.6A 01 PUSH 1
1001B53C|.8D4C24 10 LEA ECX,DWORD PTR SS:
1001B540|.FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>
1001B546|.48 DEC EAX
1001B547|.50 PUSH EAX
1001B548|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B54C|.FF15 7C750210 CALL NEAR DWORD PTR DS:[<&MFC71.#19>;remove the trailing "-"
1001B552|.8D4C24 18 LEA ECX,DWORD PTR SS:
1001B556|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;first 20 characters of fake code
1001B55C|.50 PUSH EAX
1001B55D|.6A 00 PUSH 0
1001B55F|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B563|.FF15 84750210 CALL NEAR DWORD PTR DS:[<&MFC71.#38>;concatenate first 20 characters of fake code with the computed result
1001B569|.8D4C24 14 LEA ECX,DWORD PTR SS:
1001B56D|.FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;MFC71.7C158BCD
1001B573|.50 PUSH EAX ;EAX = address of fake code
1001B574|.8D4C24 10 LEA ECX,DWORD PTR SS: ;= address of computed result
1001B578|.FF15 4C740210 CALL NEAR DWORD PTR DS:[<&MFC71.#14>;verify registration code
1001B57E|.F7D8 NEG EAX ;EAX=1 registration verification failed
1001B580 1AC0 SBB AL,AL ;patch point (xor al,al)
1001B582|.FEC0 INC AL
1001B584|.8D4C24 30 LEA ECX,DWORD PTR SS:
1001B588|.0FB6F0 MOVZX ESI,AL
1001B58B|.FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>;MFC71.7C1771B1
II. Algorithm summary
1. String concatenation
1.1 Odd-position characters of the software name interleaved with odd numbers
Xilisoftdvdtopspconverter4 --->Xlsfddoscnetr---> X1l3s5f7d9dbodsfc11n13e15t17r19
135 …… 151719
(58 01 6C 03 73 05 66 07 64 09 64 0B 6F 0D 73 0F 63 11 6E 13 65 15 74 17 72 19)
1.2 Even-position characters of the software name interleaved with even numbers
Xilisoftdvdtopspconverter4 --->iiotvtppovre4 ---> i2i4o6t8vAtCpEp10o12v14r16e1841A
246 …… 16181A
(69 02 69 04 6F 06 74 08 76 0A 74 0C 70 0E 70 10 6F 12 76 14 72 16 65 18 34 1A)
1.3 Prepend 1 and append 00
1 + X1l3s5f7d9dbodsfc11n13e15t17r19 + i2i4o6t8vAtCpEp10o12v14r16e1841A + 00
------->
1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A00
1.4 Concatenate the first 20 characters of the fake code with the software name
12345678922345678932 + Xilisoftdvdtopspconverter4
------->
12345678922345678932Xilisoftdvdtopspconverter4
1.5 Form the final string (1.3 + 1.4)
1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A0012345678922345678932Xilisoftdvdtopspconverter4
(31 58 01 6C 03 73 05 66 07 64 09 64 0B 6F 0D 73 0F 63 11 6E 13 65 15 74 17 72 19 69 02 69 04 6F 06 74 08 76 0A 74 0C
70 0E 70 10 6F 12 76 14 72 16 65 18 34 1A 30 30 31 32 33 34 35 36 37 38 39 32 32 33 34 35 36 37 38 39 33 32 58 69 6C
69 73 6F 66 74 64 76 64 74 6F 70 73 70 63 6F 6E 76 65 72 74 65 72 34)
2. MD5-encrypt the string
2.1 Standard MD5 encryption of the first 64 characters of the string
(1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A00123456789)
Result: (F22B9292)(A1300D51)(66297222)(DF3639B7)
2.2 Use the 4 numbers obtained in 2.1 as the MD5 constants to encrypt the last 37 characters of the string
(22345678932Xilisoftdvdtopspconverter4)
Result: 94289881fc09a399b914279409095be1
2.3 Take the odd-position characters of the number from 2.2
94289881fc09a399b914279409095be1 ----> 9298f0a9b129005e ----> 9298-F0A9-B129-005E
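3 Concatenate the first 20 characters of the fake code with the result of 2.3 to obtain the registration code
Registration code = 12345678922345678932 + 9298-F0A9-B129-005E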
---->
123456789223456789329298-F0A9-B129-005E
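4 The registration code must be 39 characters long (27H)
The registration information is stored in: HKEY_CURRENT_USER\Software\Xilisoft\DVD to PSP Converter 4\RegInfo

Learning from the master~~~

Studying, bookmarked!! Support!!!!

Great material for studying algorithms!!

Sigh, if this is an algorithm for beginners to study, then I don't have much confidence in learning algorithms.
After reading this algorithm, one word: dizzy~~~~

Studying. The original poster really has patience; learning from the original poster.

Good article.. a newbie has studied it a bit first!

Originally posted by 浮云思音 on 2006-7-4 09:38
Sigh, if this is an algorithm for beginners to study, then I don't have much confidence in learning algorithms.
After reading this algorithm, one word: dizzy~~~~
MD5? Also one word~~~ dizzy!

Originally posted by wzwgp on 2006-7-4 01:00
[Software name] Xilisoft DVD to PSP Converter 4.0.52.0616
[Download] http://www.onlinedown.net/soft/46397.htm
[Platform] Win9x/Me/NT/2000/XP/2003
[Category] Foreign software / shareware / video tools
[Protection ...
2.2 Use the 4 numbers obtained in 2.1 as the MD5 constants to encrypt the last 37 characters of the string
(22345678932Xilisoftdvdtopspconverter4)
Result: 94289881fc09a399b914279409095be1
Thank you for the hard work.
Also, may I ask whether there is an MD5 calculation tool that allows custom constants?
(I mean a ready-made one; if I have to write it, forget it :-), too lazy to do it myself)

Originally posted by 快雪时晴 on 2006-7-4 22:17
Thank you for the hard work.
Also, may I ask whether there is an MD5 calculation tool that allows custom constants?
(I mean a ready-made one; if I have to write it, forget it :-), too lazy to do it myself)
Thanks to the moderator for the encouragement. Sorry, I don't have an MD5 calculation tool with custom constants.

Originally posted by 野猫III on 2006-7-4 20:31
MD5? Also one word~~~ dizzy!
Sorry, Brother Cat. I am now posting the code of the first MD5; I left it out mainly because it is too long and seemed cumbersome.
At 1001B4B8, press F7 to step into the MD5 encryption routine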
100228C0/$8B4424 04 MOV EAX,DWORD PTR SS:
100228C4|.56 PUSH ESI
100228C5|.8BF1 MOV ESI,ECX
100228C7|.C706 0CF20210 MOV DWORD PTR DS:,UILib71.1002F20C
100228CD|.8946 38 MOV DWORD PTR DS:,EAX
100228D0|.C646 35 00 MOV BYTE PTR DS:,0
100228D4|.E8 37FFFFFF CALL UILib71.10022810 ;MD5 encryption
100228D9|.8846 04 MOV BYTE PTR DS:,AL
100228DC|.8BC6 MOV EAX,ESI
100228DE|.5E POP ESI
100228DF\.C2 0400 RETN 4
At 100228D4, press F7 to step into the MD5 encryption
10022810/$83EC 5C SUB ESP,5C ;local call from 100228D4
10022813|.A1 70010410 MOV EAX,DWORD PTR DS:
10022818|.53 PUSH EBX
10022819|.55 PUSH EBP
1002281A|.56 PUSH ESI
1002281B|.894424 64 MOV DWORD PTR SS:,EAX
1002281F|.57 PUSH EDI
10022820|.8D4424 10 LEA EAX,DWORD PTR SS:
10022824|.50 PUSH EAX
10022825|.8BF9 MOV EDI,ECX
10022827|.E8 C4000000 CALL UILib71.100228F0 ;initialize MD5 variables
1002282C|.8B4F 38 MOV ECX,DWORD PTR DS:
1002282F|.8BC1 MOV EAX,ECX
10022831|.83C4 04 ADD ESP,4
10022834|.8D70 01 LEA ESI,DWORD PTR DS:
10022837|>8A10 /MOV DL,BYTE PTR DS:
10022839|.40 |INC EAX
1002283A|.84D2 |TEST DL,DL
1002283C|.^ 75 F9 \JNZ SHORT UILib71.10022837
1002283E|.2BC6 SUB EAX,ESI ;compute string length = 65 (hex), 101 (dec)
10022840|.50 PUSH EAX
10022841|.51 PUSH ECX
10022842|.8D4C24 18 LEA ECX,DWORD PTR SS:
10022846|.51 PUSH ECX
10022847|.E8 B4090000 CALL UILib71.10023200 ;MD5-encrypt the first 64 characters of the string
1002284C|.8D5424 1C LEA EDX,DWORD PTR SS:
10022850|.52 PUSH EDX
10022851|.8D5F 05 LEA EBX,DWORD PTR DS:
10022854|.53 PUSH EBX
10022855|.E8 660A0000 CALL UILib71.100232C0 ;MD5 constants encrypt the last 37 characters of the string
1002285A|.8B2D A8780210 MOV EBP,DWORD PTR DS:[<&MSVCR71.sprintf>>
10022860|.83C4 14 ADD ESP,14
10022863|.33F6 XOR ESI,ESI
10022865|.83C7 15 ADD EDI,15
10022868|.EB 06 JMP SHORT UILib71.10022870
1002286A| 8D9B 00000000 LEA EBX,DWORD PTR DS:
10022870|>0FB60433 /MOVZX EAX,BYTE PTR DS:
10022874|.50 |PUSH EAX
10022875|.68 10F20210 |PUSH UILib71.1002F210 ;%02x
1002287A|.57 |PUSH EDI
1002287B|.FFD5 |CALL NEAR EBP
1002287D|.83C4 0C |ADD ESP,0C
10022880|.83C7 02 |ADD EDI,2
10022883|.46 |INC ESI
10022884|.83FE 10 |CMP ESI,10
10022887|.^ 7C E7 \JL SHORT UILib71.10022870
10022889|.8B4C24 68 MOV ECX,DWORD PTR SS:
1002288D|.5F POP EDI
1002288E|.5E POP ESI
1002288F|.5D POP EBP
10022890|.B0 01 MOV AL,1
10022892|.5B POP EBX
10022893|.E8 5D140000 CALL UILib71.10023CF5
10022898|.83C4 5C ADD ESP,5C
1002289B\.C3 RETN
At 10022847, press F7 to step into the MD5 encryption of the first 64 characters of the string
10023200/$53 PUSH EBX
10023201|.8B5C24 10 MOV EBX,DWORD PTR SS:
10023205|.55 PUSH EBP ;EBX=65
10023206|.56 PUSH ESI
10023207|.8B7424 10 MOV ESI,DWORD PTR SS: ;address of MD5 constants
1002320B|.8B46 10 MOV EAX,DWORD PTR DS:
1002320E|.8BC8 MOV ECX,EAX
10023210|.C1E9 03 SHR ECX,3
10023213|.8D04D8 LEA EAX,DWORD PTR DS:
10023216|.8D14DD 000000>LEA EDX,DWORD PTR DS:
1002321D|.83E1 3F AND ECX,3F
10023220|.3BC2 CMP EAX,EDX
10023222|.57 PUSH EDI
10023223|.8946 10 MOV DWORD PTR DS:,EAX
10023226|.73 03 JNB SHORT UILib71.1002322B
10023228|.FF46 14 INC DWORD PTR DS:
1002322B|>8B7E 14 MOV EDI,DWORD PTR DS:
1002322E|.8BC3 MOV EAX,EBX
10023230|.C1E8 1D SHR EAX,1D
10023233|.03F8 ADD EDI,EAX
10023235|.897E 14 MOV DWORD PTR DS:,EDI
10023238|.BF 40000000 MOV EDI,40
1002323D|.2BF9 SUB EDI,ECX
1002323F|.3BDF CMP EBX,EDI
10023241|.72 50 JB SHORT UILib71.10023293
10023243|.33C0 XOR EAX,EAX
10023245|.85FF TEST EDI,EDI
10023247|.76 16 JBE SHORT UILib71.1002325F
10023249|.8D6C31 18 LEA EBP,DWORD PTR DS:
1002324D|.8D49 00 LEA ECX,DWORD PTR DS:
10023250|>8B4C24 18 /MOV ECX,DWORD PTR SS:
10023254|.8A1408 |MOV DL,BYTE PTR DS:
10023257|.881428 |MOV BYTE PTR DS:,DL
1002325A|.40 |INC EAX
1002325B|.3BC7 |CMP EAX,EDI
1002325D|.^ 72 F1 \JB SHORT UILib71.10023250 ;copy the string onto the stack
1002325F|>8D4E 18 LEA ECX,DWORD PTR DS:
10023262|.56 PUSH ESI
10023263|.E8 B8F6FFFF CALL UILib71.10022920 ;MD5
10023268|.8BEF MOV EBP,EDI
1002326A|.83C7 3F ADD EDI,3F
1002326D|.83C4 04 ADD ESP,4
10023270|.3BFB CMP EDI,EBX
10023272|.73 1B JNB SHORT UILib71.1002328F
10023274|>8B4424 18 /MOV EAX,DWORD PTR SS:
10023278|.8D4C38 C1 |LEA ECX,DWORD PTR DS:
1002327C|.56 |PUSH ESI
1002327D|.E8 9EF6FFFF |CALL UILib71.10022920
10023282|.83C7 40 |ADD EDI,40
10023285|.83C4 04 |ADD ESP,4
10023288|.83C5 40 |ADD EBP,40
1002328B|.3BFB |CMP EDI,EBX
1002328D|.^ 72 E5 \JB SHORT UILib71.10023274
1002328F|>33C9 XOR ECX,ECX
10023291|.EB 02 JMP SHORT UILib71.10023295
10023293|>33ED XOR EBP,EBP
10023295|>33C0 XOR EAX,EAX
10023297|.2BDD SUB EBX,EBP
10023299|.8BFB MOV EDI,EBX
1002329B|.74 15 JE SHORT UILib71.100232B2
1002329D|.8B5424 18 MOV EDX,DWORD PTR SS:
100232A1|.03D5 ADD EDX,EBP ;EDX=22345678932Xilisoftdvdtopspconverter4
100232A3|.8D7431 18 LEA ESI,DWORD PTR DS:
100232A7|>8A0C02 /MOV CL,BYTE PTR DS:
100232AA|.880C06 |MOV BYTE PTR DS:,CL
100232AD|.40 |INC EAX
100232AE|.3BC7 |CMP EAX,EDI
100232B0|.^ 72 F5 \JB SHORT UILib71.100232A7
100232B2|>5F POP EDI
100232B3|.5E POP ESI
100232B4|.5D POP EBP
100232B5|.5B POP EBX
100232B6\.C3 RETN
At 10023263, press F7 to step into MD5
10022920/$8B4424 04 MOV EAX,DWORD PTR SS:
10022924|.83EC 44 SUB ESP,44
10022927|.53 PUSH EBX
10022928|.55 PUSH EBP
10022929|.56 PUSH ESI
1002292A|.57 PUSH EDI
1002292B|.83C1 02 ADD ECX,2
1002292E|.8D7424 14 LEA ESI,DWORD PTR SS:
10022932|.BF 10000000 MOV EDI,10
10022937|>0FB659 FF MOVZX EBX,BYTE PTR DS:
1002293B|.33D2 XOR EDX,EDX
1002293D|.8A71 01 MOV DH,BYTE PTR DS:
10022940|.83C6 04 ADD ESI,4
10022943|.83C1 04 ADD ECX,4
10022946|.8A51 FC MOV DL,BYTE PTR DS:
10022949|.C1E2 08 SHL EDX,8
1002294C|.0BD3 OR EDX,EBX
1002294E|.0FB659 FA MOVZX EBX,BYTE PTR DS:
10022952|.C1E2 08 SHL EDX,8
10022955|.0BD3 OR EDX,EBX
10022957|.4F DEC EDI
10022958|.8956 FC MOV DWORD PTR DS:,EDX ;EDX=6C015831 (characters 1-4 of the string)
1002295B|.^ 75 DA JNZ SHORT UILib71.10022937
1002295D|.8B70 04 MOV ESI,DWORD PTR DS: ;=EFCDAB89 ------> B
10022960|.8B78 08 MOV EDI,DWORD PTR DS: ;=98BADCFE ------> C
10022963|.8B50 0C MOV EDX,DWORD PTR DS: ;=10325476 ------> D
10022966|.8B00 MOV EAX,DWORD PTR DS: ;=67452301 ------> A
10022968|.8B6C24 14 MOV EBP,DWORD PTR SS: ;=6C015831
1002296C|.8BDF MOV EBX,EDI
1002296E|.23DE AND EBX,ESI ;EBX=98BADCFE and B=88888888
10022970|.8BCE MOV ECX,ESI
10022972|.F7D1 NOT ECX ;ECX=B not =D
10022974|.23CA AND ECX,EDX ;ECX=D and D=10325476
10022976|.0BCB OR ECX,EBX ;ECX=D or 88888888=C
10022978|.03CD ADD ECX,EBP ;ECX=C add 6C015831=04BC352F
1002297A|.8D8C08 78A46A>LEA ECX,DWORD PTR DS:;=436BFCA8
10022981|.8B6C24 18 MOV EBP,DWORD PTR SS: ;=66057303 (characters 5-8 of the string)
10022985|.8BC1 MOV EAX,ECX
10022987|.C1E1 07 SHL ECX,7 ;ECX=436BFCA8 shl 7=B5FE5400
1002298A|.C1E8 19 SHR EAX,19 ;EAX=436BFCA8 shr 19=21
1002298D|.0BC1 OR EAX,ECX ;EAX=00000021 or B5FE5400=B5FE5421
1002298F|.03C6 ADD EAX,ESI ;EAX=B5FE5421 add B=A5CBFFAA
10022991|.8BC8 MOV ECX,EAX
10022993|.F7D1 NOT ECX ;ECX=A5CBFFAA not=5A340055
10022995|.23CF AND ECX,EDI ;ECX=5A340055 and C=18300054
10022997|.8BDE MOV EBX,ESI
10022999|.23D8 AND EBX,EAX ;EBX=EFCDAB89 and A5CBFFAA=A5C9AB88
1002299B|.0BCB OR ECX,EBX ;ECX=18300054 or A5C9AB88=BDF9ABDC
1002299D|.03CD ADD ECX,EBP ;ECX=BDF9ABDC add 66057303=23FF1EDF
1002299F|.8B6C24 1C MOV EBP,DWORD PTR SS: ;=64096407 (characters 9-12 of the string)
100229A3|.8D940A 56B7C7>LEA EDX,DWORD PTR DS:
--------------------------- middle part omitted ---------------------------------
100231C6|.8B7424 58 MOV ESI,DWORD PTR SS:
100231CA|.8B1E MOV EBX,DWORD PTR DS:
100231CC|.03C3 ADD EAX,EBX
100231CE|.8906 MOV DWORD PTR DS:,EAX ;EAX=F22B9292 --->1
100231D0|.8BC1 MOV EAX,ECX
100231D2|.8B5E 04 MOV EBX,DWORD PTR DS:
100231D5|.C1E0 15 SHL EAX,15
100231D8|.C1E9 0B SHR ECX,0B
100231DB|.0BC1 OR EAX,ECX
100231DD|.03C3 ADD EAX,EBX
100231DF|.03C7 ADD EAX,EDI
100231E1|.8946 04 MOV DWORD PTR DS:,EAX ;EAX=A1300D51 --->2
100231E4|.8B46 08 MOV EAX,DWORD PTR DS:
100231E7|.03C7 ADD EAX,EDI
100231E9|.8946 08 MOV DWORD PTR DS:,EAX ;EAX=66297222 --->3
100231EC|.8B46 0C MOV EAX,DWORD PTR DS:
100231EF|.5F POP EDI
100231F0|.03C2 ADD EAX,EDX
100231F2|.8946 0C MOV DWORD PTR DS:,EAX ;EAX=DF3639B7 --->4
100231F5|.5E POP ESI
100231F6|.5D POP EBP
100231F7|.5B POP EBX
100231F8|.83C4 44 ADD ESP,44
100231FB\.C3 RETN
1, 2, 3 and 4 are the constants for the second MD5 encryption.
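
Added example, not part of the original thread and not the vendor's code: in the scheme traced above, the last part of the registration code is computed only from the first 20 characters and strings that ship inside UILib71.dll, so the client itself contains everything needed to produce an accepted code. The Go sketch below shows the usual alternative, a licence signed with Ed25519 where the client holds only the public key. The product name, the seed and the token format (`base64url(user).base64url(signature)`) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed demo seed. A real vendor key is generated once, kept offline,
// and never shipped; only the public half is embedded in the client.
var demoSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

var b64 = base64.RawURLEncoding

// DemoKeys derives a deterministic key pair from the constructed seed.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signedBytes binds the licence to one product, so a token issued for one
// title cannot be replayed against another.
func signedBytes(product, user string) []byte {
	return []byte(product + "\x00" + user)
}

// IssueLicense runs on the vendor side only: it needs the private key.
func IssueLicense(priv ed25519.PrivateKey, product, user string) string {
	sig := ed25519.Sign(priv, signedBytes(product, user))
	return b64.EncodeToString([]byte(user)) + "." + b64.EncodeToString(sig)
}

// VerifyLicense runs in the client. Nothing it holds allows a new valid
// token to be computed, unlike a hash over constants stored in the binary.
func VerifyLicense(pub ed25519.PublicKey, product, token string) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", false
	}
	user, err := b64.DecodeString(parts[0])
	if err != nil || len(user) == 0 {
		return "", false
	}
	// The NUL separator must not appear inside the user name.
	if bytes.IndexByte(user, 0) >= 0 {
		return "", false
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", false
	}
	if !ed25519.Verify(pub, signedBytes(product, string(user)), sig) {
		return "", false
	}
	return string(user), true
}

func main() {
	pub, priv := DemoKeys()
	const product = "ExampleProduct4" // constructed product identifier

	token := IssueLicense(priv, product, "wzwgp")
	user, ok := VerifyLicense(pub, product, token)
	fmt.Printf("genuine token: user=%q ok=%v\n", user, ok)

	// Same signature with a different user name: rejected.
	forged := b64.EncodeToString([]byte("someone")) + token[strings.Index(token, "."):]
	_, ok = VerifyLicense(pub, product, forged)
	fmt.Printf("edited token:  ok=%v\n", ok)

	// Token replayed against another product: rejected.
	_, ok = VerifyLicense(pub, "OtherProduct", token)
	fmt.Printf("other product: ok=%v\n", ok)
}
```

A signature check removes the key-derivation weakness only. The comparison branch that the thread marks as a patch point still depends on integrity protection of the binary itself.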