- UID
- 6880
注册时间2006-1-12
阅读权限30
最后登录1970-1-1
龙战于野
TA的每日心情 | 开心
2018-2-26 08:32 |
|---|
签到天数: 19 天 [LV.4]偶尔看看III
|
【破解软件】Hootech MP3 to SWF Converter 2.4.841
【软件语言】英文
【软件类别】国外软件/共享版/视频工具
【运行环境】Win9x/Me/NT/2000/XP/2003
【保护方式】注册码
【作者声明】初学Crack,只是感兴趣,消遣业余时间,错误之处敬请诸位前辈不吝赐教。
【编写语言】Microsoft Visual C++ 6.0
【调试工具】OllyDBD
【下载地址】http://www.onlinedown.net/soft/51005.htm
【软件信息】是一个 MP3/WAV 文件转换软件。它可以转换 MP3/WAV 文件为 SWF 文件。支持下列功能:支持以多种质量转换大体积的 MP3/WAV
文件为小体积的 SWF 文件;支持直接录音并转换为 SWF 文件;生成的流式 SWF 文件可以在线直接播放,无需等待下载完成;支持生成带控制
栏的 SWF 文件并内建多种美观的按钮;支持拖放操作,批量转换,转换快速且易于使用。
一、算法跟踪
根据注册框提示信息,很容易找到下面;
0040B106 . 6A FF PUSH -1
0040B108 . 68 088A4700 PUSH MP32SWF.00478A08
0040B10D . 50 PUSH EAX
0040B10E . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0040B115 . 53 PUSH EBX
0040B116 . 56 PUSH ESI
0040B117 . 57 PUSH EDI
0040B118 . 8BF1 MOV ESI,ECX
0040B11A . E8 2C980600 CALL MP32SWF.0047494B
0040B11F . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0040B122 . E8 4CF30500 CALL MP32SWF.0046A473
0040B127 . 6A 01 PUSH 1
0040B129 . 8BCE MOV ECX,ESI
0040B12B . C74424 18 00000000 MOV DWORD PTR SS:[ESP+18],0
0040B133 . E8 EDDC0500 CALL MP32SWF.00468E25
0040B138 . 8D7E 5C LEA EDI,DWORD PTR DS:[ESI+5C] ; [ESI+5C]用户名地址
0040B13B . 8BCF MOV ECX,EDI
0040B13D . E8 0F900500 CALL MP32SWF.00464151
0040B142 . 8BCF MOV ECX,EDI
0040B144 . E8 BC8F0500 CALL MP32SWF.00464105
0040B149 . 8D5E 60 LEA EBX,DWORD PTR DS:[ESI+60] ; [ESI+60]假码地址
0040B14C . 8BCB MOV ECX,EBX
0040B14E . E8 FE8F0500 CALL MP32SWF.00464151
0040B153 . 8BCB MOV ECX,EBX
0040B155 . E8 AB8F0500 CALL MP32SWF.00464105
0040B15A . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0040B15C . 8B48 F8 MOV ECX,DWORD PTR DS:[EAX-8]
0040B15F . 85C9 TEST ECX,ECX ; 是否输入用户名
0040B161 . 75 0E JNZ SHORT MP32SWF.0040B171
0040B163 . 6A 30 PUSH 30
0040B165 . 68 00D34700 PUSH MP32SWF.0047D300 ; mp3 to swf converter
0040B16A . 68 18D34700 PUSH MP32SWF.0047D318 ; please enter your name.
0040B16F . EB 3B JMP SHORT MP32SWF.0040B1AC
0040B171 > 8B1B MOV EBX,DWORD PTR DS:[EBX]
0040B173 . 8D4E 64 LEA ECX,DWORD PTR DS:[ESI+64]
0040B176 . 51 PUSH ECX
0040B177 . 53 PUSH EBX
0040B178 . E8 43710100 CALL MP32SWF.004222C0 ; 关键Call
0040B17D . 83C4 08 ADD ESP,8
0040B180 . 85C0 TEST EAX,EAX ; EAX=1注册成功
0040B182 . 74 1C JE SHORT MP32SWF.0040B1A0 ; 跳注册失败
0040B184 . 6A 40 PUSH 40
0040B186 . 68 00D34700 PUSH MP32SWF.0047D300 ; mp3 to swf converter
0040B18B . 68 30D34700 PUSH MP32SWF.0047D330 ; register successfully. thank you for your support.
0040B190 . 8BCE MOV ECX,ESI
0040B192 . E8 98D40500 CALL MP32SWF.0046862F
0040B197 . 8BCE MOV ECX,ESI
0040B199 . E8 C5FD0500 CALL MP32SWF.0046AF63
0040B19E . EB 13 JMP SHORT MP32SWF.0040B1B3
0040B1A0 > 6A 10 PUSH 10
0040B1A2 . 68 00D34700 PUSH MP32SWF.0047D300 ; mp3 to swf converter
0040B1A7 . 68 64D34700 PUSH MP32SWF.0047D364 ; invalid registration code.\nplease check that you entered
exact information.\n\nif you have any problem with your registration code,\nplease contact <[email protected]>.
0040B1AC > 8BCE MOV ECX,ESI
0040B178 处进入关键Call
004222C0 /$ 83EC 60 SUB ESP,60
004222C3 |. 56 PUSH ESI
004222C4 |. 8B7424 68 MOV ESI,DWORD PTR SS:[ESP+68] ; [ESP+68]假码地址
004222C8 |. 56 PUSH ESI ; /String
004222C9 |. FF15 E8C14700 CALL NEAR DWORD PTR DS:[<&KERNE>; \lstrlenA
004222CF |. 83F8 40 CMP EAX,40 ; 比较假码长度
004222D2 |. 74 07 JE SHORT MP32SWF.004222DB
004222D4 |. 33C0 XOR EAX,EAX
004222D6 |. 5E POP ESI
004222D7 |. 83C4 60 ADD ESP,60
004222DA |. C3 RETN
004222DB |> 53 PUSH EBX
004222DC |. 55 PUSH EBP
004222DD |. 8B2D 54C34700 MOV EBP,DWORD PTR DS:[<&KERNEL3>; kernel32.lstrcpynA
004222E3 |. 57 PUSH EDI
004222E4 |. 8D7C24 10 LEA EDI,DWORD PTR SS:[ESP+10]
004222E8 |. BB 08000000 MOV EBX,8
004222ED |> 6A 09 PUSH 9
004222EF |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
004222F3 |. 56 PUSH ESI
004222F4 |. 50 PUSH EAX
004222F5 |. FFD5 CALL NEAR EBP
004222F7 |. 57 PUSH EDI
004222F8 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
004222FC |. 68 40A24900 PUSH MP32SWF.0049A240 ; %x
00422301 |. 51 PUSH ECX
00422302 |. 83C6 08 ADD ESI,8
00422305 |. E8 6F160300 CALL MP32SWF.00453979
0042230A |. 83C4 0C ADD ESP,0C
0042230D |. 83C7 04 ADD EDI,4
00422310 |. 4B DEC EBX
00422311 |.^ 75 DA JNZ SHORT MP32SWF.004222ED ; 将假码分成8组,设为(s1…s8)
00422313 |. 8B7C24 78 MOV EDI,DWORD PTR SS:[ESP+78]
00422317 |. B9 08000000 MOV ECX,8
0042231C |. 8D7424 10 LEA ESI,DWORD PTR SS:[ESP+10]
00422320 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
00422324 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWO>
00422326 |. 52 PUSH EDX
00422327 |. E8 14000000 CALL MP32SWF.00422340 ; F7进入算法Call
0042232C |. 83C4 04 ADD ESP,4
0042232F |. 5F POP EDI
00422330 |. 5D POP EBP
00422331 |. 5B POP EBX
00422332 |. 5E POP ESI
00422333 |. 83C4 60 ADD ESP,60
00422336 \. C3 RETN
00422327 处 F7进入算法Call
下面代码中有四处判断运算结果,如果符合条件将注册成功。排除三处迷惑人的判断,可以忽略许多迷惑人的运算代码。
00422340 /$ 81EC B0000000 SUB ESP,0B0
00422346 |. 53 PUSH EBX
00422347 |. 55 PUSH EBP
00422348 |. 56 PUSH ESI
00422349 |. 8BB424 C0000000 MOV ESI,DWORD PTR SS:[ESP+C0]
00422350 |. 57 PUSH EDI
00422351 |. C74424 3C 00000000 MOV DWORD PTR SS:[ESP+3C],0
00422359 |. 8B7E 1C MOV EDI,DWORD PTR DS:[ESI+1C] ; [ESI+1C]=s8
0042235C |. 8B56 14 MOV EDX,DWORD PTR DS:[ESI+14] ; [ESI+14]=s6
0042235F |. 8BC2 MOV EAX,EDX
00422361 |. 8BCF MOV ECX,EDI
00422363 |. 25 AFFEABAF AND EAX,AFABFEAF
00422368 |. 81E1 50015450 AND ECX,50540150
0042236E |. 0FAFC1 IMUL EAX,ECX
00422371 |. 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10] ; [ESI+10]=s5
00422374 |. 8B5E 04 MOV EBX,DWORD PTR DS:[ESI+4] ; [ESI+4]=s2
00422377 |. 894424 40 MOV DWORD PTR SS:[ESP+40],EAX
0042237B |. 8BC3 MOV EAX,EBX
0042237D |. 8BE9 MOV EBP,ECX
0042237F |. 25 594C8EA9 AND EAX,A98E4C59
00422384 |. 81E5 A6B37156 AND EBP,5671B3A6
0042238A |. C74424 64 00000000 MOV DWORD PTR SS:[ESP+64],0
00422392 |. 0FAFC5 IMUL EAX,EBP
00422395 |. 894424 58 MOV DWORD PTR SS:[ESP+58],EAX
00422399 |. 8BC3 MOV EAX,EBX
0042239B |. 33C7 XOR EAX,EDI ; s2^s8
0042239D |. 8BEF MOV EBP,EDI
0042239F |. 25 58244948 AND EAX,48492458 ; EAX=(s2^s8)&48492458
004223A4 |. 81E5 37422398 AND EBP,98234237
004223AA |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX ; 保存(s2^s8)&48492458
004223AE |. 33C7 XOR EAX,EDI ; EAX=((s2^s8)&48492458)^s8
004223B0 |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX ; 保存EAX
004223B4 |. 8BC3 MOV EAX,EBX
004223B6 |. 33C2 XOR EAX,EDX
004223B8 |. 8BD3 MOV EDX,EBX
004223BA |. 25 AFFADB76 AND EAX,76DBFAAF
004223BF |. 81E2 50015450 AND EDX,50540150
004223C5 |. 33C3 XOR EAX,EBX
004223C7 |. 898424 B8000000 MOV DWORD PTR SS:[ESP+B8],EAX
004223CE |. 8BC7 MOV EAX,EDI
004223D0 |. F7D0 NOT EAX
004223D2 |. 25 A7DBB6B7 AND EAX,B7B6DBA7
004223D7 |. 0BC2 OR EAX,EDX
004223D9 |. 8B56 18 MOV EDX,DWORD PTR DS:[ESI+18] ; [ESI+18]=s7
004223DC |. 894424 70 MOV DWORD PTR SS:[ESP+70],EAX ;
004223E0 |. 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] ; [ESI+C]=s4
004223E3 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
004223E7 |. 33C2 XOR EAX,EDX ; EAX=s4^s7
004223E9 |. 25 A6B37156 AND EAX,5671B3A6 ; EAX=(s4^s7)&5671B3A6
004223EE |. 895424 10 MOV DWORD PTR SS:[ESP+10],EDX
004223F2 |. 33C2 XOR EAX,EDX ; EAX=((s4^s7)&5671B3A6)^s7
004223F4 |. 33D2 XOR EDX,EDX ; EDX清零
004223F6 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; 保存((s4^s7)&5671B3A6)^s7
004223FA |. 894424 20 MOV DWORD PTR SS:[ESP+20],EAX
004223FE |. 69C0 73853409 IMUL EAX,EAX,9348573
00422404 |. 25 87A93434 AND EAX,3434A987
00422409 |. 81E2 9823FEAD AND EDX,ADFE2398
0042240F |. 894424 30 MOV DWORD PTR SS:[ESP+30],EAX
00422413 |. 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8] ; [ESI+8]=s3
00422416 |. 895424 34 MOV DWORD PTR SS:[ESP+34],EDX ; EDX=0
0042241A |. 8BD0 MOV EDX,EAX
0042241C |. 33D1 XOR EDX,ECX ; EDX=s3^s5
0042241E |. 81E2 AFFADB76 AND EDX,76DBFAAF ; EDX=(s3^s5)&76DBFAAF
00422424 |. 33D1 XOR EDX,ECX ; EDX=((s3^s5)&76DBFAAF)^s5
00422426 |. 895424 24 MOV DWORD PTR SS:[ESP+24],EDX ; 保存((s3^s5)&76DBFAAF)^s5
0042242A |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; [ESI]=s1
0042242C |. 81E2 E93A8290 AND EDX,90823AE9
00422432 |. 0FAFD5 IMUL EDX,EBP
00422435 |. 895424 38 MOV DWORD PTR SS:[ESP+38],EDX
00422439 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
0042243D |. 8BEF MOV EBP,EDI
0042243F |. 81E2 58244948 AND EDX,48492458
00422445 |. 81E5 A7DBB6B7 AND EBP,B7B6DBA7
0042244B |. 0FAFD5 IMUL EDX,EBP
0042244E |. 8B6E 14 MOV EBP,DWORD PTR DS:[ESI+14] ; [ESI+14]=s6
00422451 |. 895424 60 MOV DWORD PTR SS:[ESP+60],EDX
00422455 |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; [ESI]=s1
00422457 |. 33D5 XOR EDX,EBP ; EDX=s1^s6
00422459 |. 8B2E MOV EBP,DWORD PTR DS:[ESI]
0042245B |. 81E2 50015450 AND EDX,50540150 ; EDX=(s1^s6)&50540150
00422461 |. 33D5 XOR EDX,EBP ; EDX=((s1^s6)&50540150)^s1
00422463 |. 895424 7C MOV DWORD PTR SS:[ESP+7C],EDX ; 保存((s1^s6)&50540150)^s1
00422467 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10] ; [ESP+10]=s7
0042246B |. 8BE8 MOV EBP,EAX
0042246D |. 25 A7DBB6B7 AND EAX,B7B6DBA7
00422472 |. 81E1 594C8EA9 AND ECX,A98E4C59
00422478 |. 0FAFC1 IMUL EAX,ECX
0042247B |. 33EA XOR EBP,EDX
0042247D |. 894424 48 MOV DWORD PTR SS:[ESP+48],EAX
00422481 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00422485 |. 81E5 A6B37156 AND EBP,5671B3A6
0042248B |. 33EA XOR EBP,EDX
0042248D |. 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18] ; [ESP+18]=(s2^s8)&48492458
00422491 |. 68 98720000 PUSH 7298
00422496 |. 68 988776A8 PUSH A8768798
0042249B |. 33D3 XOR EDX,EBX ; EDX=(s2^s8)&48492458^s2
0042249D |. 6A 00 PUSH 0
0042249F |. 50 PUSH EAX
004224A0 |. 895424 28 MOV DWORD PTR SS:[ESP+28],EDX ; 保存((s2^s8)&48492458)^s2
004224A4 |. E8 27100300 CALL MP32SWF.004534D0
004224A9 |. 8B4C24 30 MOV ECX,DWORD PTR SS:[ESP+30]
004224AD |. 23C1 AND EAX,ECX
004224AF |. 8B4C24 34 MOV ECX,DWORD PTR SS:[ESP+34] ; [ESP+34]=0
004224B3 |. 23D1 AND EDX,ECX
004224B5 |. 3D 80A628C4 CMP EAX,C428A680 ; 迷惑人的比较
004224BA |. 75 3E JNZ SHORT MP32SWF.004224FA
004224BC |. 81FA 723AE792 CMP EDX,92E73A72 ; EDX永远等于0
004224C2 |. 75 36 JNZ SHORT MP32SWF.004224FA
004224C4 |. 8B5C24 1C MOV EBX,DWORD PTR SS:[ESP+1C]
004224C8 |. 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18]
004224CC |. 33ED XOR EBP,EBP
004224CE |. 33C0 XOR EAX,EAX
004224D0 |. 899C24 90000000 MOV DWORD PTR SS:[ESP+90],EBX
004224D7 |. 89AC24 94000000 MOV DWORD PTR SS:[ESP+94],EBP
004224DE |. 23DF AND EBX,EDI
004224E0 |. 23E8 AND EBP,EAX
004224E2 |. 81F3 46838419 XOR EBX,19848346
004224E8 |. 898424 8C000000 MOV DWORD PTR SS:[ESP+8C],EAX
004224EF |. 81F5 35716887 XOR EBP,87687135
004224F5 |. E9 92010000 JMP MP32SWF.0042268C
004224FA |> 0FAFAC24 B8000000 IMUL EBP,DWORD PTR SS:[ESP+B8]
00422502 |. 8B5424 40 MOV EDX,DWORD PTR SS:[ESP+40]
00422506 |. 8BC5 MOV EAX,EBP
00422508 |. 33ED XOR EBP,EBP
0042250A |. 33C9 XOR ECX,ECX ; ECX清零
0042250C |. 3BC2 CMP EAX,EDX ; 迷惑人的比较
0042250E |. 75 57 JNZ SHORT MP32SWF.00422567
00422510 |. 33C0 XOR EAX,EAX
00422512 |. 3BC8 CMP ECX,EAX
00422514 |. 75 51 JNZ SHORT MP32SWF.00422567
00422516 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0042251A |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0042251E |. 25 A6B37156 AND EAX,5671B3A6
00422523 |. 81E1 50015450 AND ECX,50540150
00422529 |. 81E7 58244948 AND EDI,48492458
0042252F |. 81E3 AFFEABAF AND EBX,AFABFEAF
00422535 |. 0BC1 OR EAX,ECX
00422537 |. 0BFB OR EDI,EBX
00422539 |. 8BD8 MOV EBX,EAX
0042253B |. 33D2 XOR EDX,EDX
0042253D |. 89AC24 94000000 MOV DWORD PTR SS:[ESP+94],EBP
00422544 |. 33DF XOR EBX,EDI
00422546 |. 33EA XOR EBP,EDX
00422548 |. 81F3 858F0019 XOR EBX,19008F85
0042254E |. 899424 8C000000 MOV DWORD PTR SS:[ESP+8C],EDX
00422555 |. 898424 90000000 MOV DWORD PTR SS:[ESP+90],EAX
0042255C |. 81F5 66EC6827 XOR EBP,2768EC66
00422562 |. E9 25010000 JMP MP32SWF.0042268C
00422567 |> 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18] ; [ESP+18]=(s2^s8)&48492458
0042256B |. 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20] ; [ESP+20]=((s4^s7)&5671B3A6)^s7
0042256F |. 33CA XOR ECX,EDX
00422571 |. F7C1 472383AE TEST ECX,AE832347
00422577 |. 0F84 C1000000 JE MP32SWF.0042263E
0042257D |. 33FF XOR EDI,EDI ; EDI清零
0042257F |. 89AC24 8C000000 MOV DWORD PTR SS:[ESP+8C],EBP ; EBP=0
00422586 |. 89AC24 90000000 MOV DWORD PTR SS:[ESP+90],EBP
0042258D |. 89AC24 94000000 MOV DWORD PTR SS:[ESP+94],EBP
00422594 |. 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
00422598 |. 8D5E 18 LEA EBX,DWORD PTR DS:[ESI+18]
0042259B |. C74424 14 07000000 MOV DWORD PTR SS:[ESP+14],7
004225A3 |> 8B5424 10 /MOV EDX,DWORD PTR SS:[ESP+10] ; [ESP+10]=s7..s1
004225A7 |. 8B0B |MOV ECX,DWORD PTR DS:[EBX] ; [EBX]=s1..s7
004225A9 |. F7D1 |NOT ECX
004225AB |. 8B02 |MOV EAX,DWORD PTR DS:[EDX]
004225AD |. 8BD1 |MOV EDX,ECX
004225AF |. 8BE8 |MOV EBP,EAX
004225B1 |. 81E2 58244948 |AND EDX,48492458
004225B7 |. 81E5 AFFEABAF |AND EBP,AFABFEAF
004225BD |. 0FAFD5 |IMUL EDX,EBP
004225C0 |. 8BAC24 8C000000 |MOV EBP,DWORD PTR SS:[ESP+8C]
004225C7 |. 03FA |ADD EDI,EDX
004225C9 |. BA 00000000 |MOV EDX,0
004225CE |. 13EA |ADC EBP,EDX
004225D0 |. 25 A6B37156 |AND EAX,5671B3A6
004225D5 |. 81E1 50015450 |AND ECX,50540150
004225DB |. 89AC24 8C000000 |MOV DWORD PTR SS:[ESP+8C],EBP
004225E2 |. 0FAFC1 |IMUL EAX,ECX
004225E5 |. 8B8C24 90000000 |MOV ECX,DWORD PTR SS:[ESP+90]
004225EC |. 8BAC24 94000000 |MOV EBP,DWORD PTR SS:[ESP+94]
004225F3 |. 03C8 |ADD ECX,EAX
004225F5 |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
004225F9 |. 898C24 90000000 |MOV DWORD PTR SS:[ESP+90],ECX
00422600 |. 8B4C24 10 |MOV ECX,DWORD PTR SS:[ESP+10]
00422604 |. 13EA |ADC EBP,EDX
00422606 |. 83EB 04 |SUB EBX,4
00422609 |. 83C1 04 |ADD ECX,4
0042260C |. 48 |DEC EAX
0042260D |. 89AC24 94000000 |MOV DWORD PTR SS:[ESP+94],EBP
00422614 |. 894C24 10 |MOV DWORD PTR SS:[ESP+10],ECX
00422618 |. 894424 14 |MOV DWORD PTR SS:[ESP+14],EAX
0042261C |.^ 75 85 \JNZ SHORT MP32SWF.004225A3 ; 此循环得到00422833处比较不相等
0042261E |. 8B9C24 90000000 MOV EBX,DWORD PTR SS:[ESP+90]
00422625 |. 8B9424 8C000000 MOV EDX,DWORD PTR SS:[ESP+8C]
0042262C |. 23DF AND EBX,EDI
0042262E |. 23EA AND EBP,EDX
00422630 |. 81F3 4A98AE68 XOR EBX,68AE984A
00422636 |. 81F5 19974835 XOR EBP,35489719
0042263C |. EB 4E JMP SHORT MP32SWF.0042268C
0042263E |> 55 PUSH EBP
0042263F |. E8 B9030300 CALL MP32SWF.004529FD
00422644 |. 83C4 04 ADD ESP,4
00422647 |. 8BF8 MOV EDI,EAX
00422649 |. E8 8D030300 CALL MP32SWF.004529DB
0042264E |. 0FAFF8 IMUL EDI,EAX
00422651 |. FF15 3CC34700 CALL NEAR DWORD PTR DS:[<&KERNEL>
00422657 |. 0FAFF8 IMUL EDI,EAX
0042265A |. 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
0042265D |. 33C0 XOR EAX,EAX
0042265F |. 50 PUSH EAX
00422660 |. 57 PUSH EDI
00422661 |. 55 PUSH EBP
00422662 |. 51 PUSH ECX
00422663 |. 898424 9C000000 MOV DWORD PTR SS:[ESP+9C],EAX
0042266A |. E8 610E0300 CALL MP32SWF.004534D0
0042266F |. 898424 90000000 MOV DWORD PTR SS:[ESP+90],EAX
00422676 |. 8BD8 MOV EBX,EAX
00422678 |. 8B8424 8C000000 MOV EAX,DWORD PTR SS:[ESP+8C]
0042267F |. 8BEA MOV EBP,EDX
00422681 |. 33DF XOR EBX,EDI
00422683 |. 899424 94000000 MOV DWORD PTR SS:[ESP+94],EDX
0042268A |. 33E8 XOR EBP,EAX
0042268C |> 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14] ; [ESI+14]=s6
0042268F |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; [ESI]=s1
00422691 |. 8BC1 MOV EAX,ECX
00422693 |. 6A 00 PUSH 0
00422695 |. 33C2 XOR EAX,EDX ; EAX=s6^s1
00422697 |. 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8] ; [ESI+8]=s3
0042269A |. 25 50015450 AND EAX,50540150 ; EAX=(s6^s1)&50540150
0042269F |. 33C1 XOR EAX,ECX ; EAX=((s6^s1)&50540150)^s6
004226A1 |. 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24] ; [ESP+24]=((s4^s7)&5671B3A6)^s7
004226A5 |. 81F1 44894865 XOR ECX,65488944
004226AB |. 894424 6C MOV DWORD PTR SS:[ESP+6C],EAX ; [+68]
004226AF |. 894C24 24 MOV DWORD PTR SS:[ESP+24],ECX ; 保存(((s4^s7)&5671B3A6)^s7)^65488944
004226B3 |. 8B4E 18 MOV ECX,DWORD PTR DS:[ESI+18] ; [ESI+18]=s7
004226B6 |. F7D1 NOT ECX
004226B8 |. 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28] ; [+24]=((s3^s5)&76DBFAAF)^s5
004226BC |. 8BC1 MOV EAX,ECX
004226BE |. 33C2 XOR EAX,EDX
004226C0 |. 81F6 00541612 XOR ESI,12165400 ; ESI=((s3^s5)&76DBFAAF)^s5^12165400
004226C6 |. 25 A6B37156 AND EAX,5671B3A6
004226CB |. 33C1 XOR EAX,ECX
004226CD |. 894424 78 MOV DWORD PTR SS:[ESP+78],EAX
004226D1 |. E8 27030300 CALL MP32SWF.004529FD
004226D6 |. 83C4 04 ADD ESP,4
004226D9 |. E8 FD020300 CALL MP32SWF.004529DB
004226DE |. FF15 3CC34700 CALL NEAR DWORD PTR DS:[<&KERNEL>
004226E4 |. 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20] ; [ESP+20]=(((s4^s7)&5671B3A6)^s7)^65488944
004226E8 |. 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+28] ; [ESP+28]=((s2^s8)&48492458)^s8
004226EC |. 8B4C24 7C MOV ECX,DWORD PTR SS:[ESP+7C] ; [ESP+7C]=((s1^s6)&50540150)^s1
004226F0 |. 33D0 XOR EDX,EAX
004226F2 |. 81F1 2C5484AE XOR ECX,AE84542C ; ECX=(((s1^s6)&50540150)^s1)^AE84542C
004226F8 |. 81FA 20817E89 CMP EDX,897E8120 ; 关键比较(1)
004226FE |. 0F85 95000000 JNZ MP32SWF.00422799 ; 此处不能跳
00422704 |. 8B4424 68 MOV EAX,DWORD PTR SS:[ESP+68] ; [ESP+68]=((s6^s1)&50540150)^s6
00422708 |. 33C6 XOR EAX,ESI ; ESI=((s3^s5)&76DBFAAF)^s5^12165400
0042270A |. 3D 65C494E8 CMP EAX,E894C465 ; 关键比较(2)
0042270F |. 74 49 JE SHORT MP32SWF.0042275A ; 此处要跳
00422711 |. 8B4424 60 MOV EAX,DWORD PTR SS:[ESP+60]
00422715 |. 8B7C24 48 MOV EDI,DWORD PTR SS:[ESP+48]
00422719 |. 8B4C24 64 MOV ECX,DWORD PTR SS:[ESP+64]
0042271D |. 8B6C24 58 MOV EBP,DWORD PTR SS:[ESP+58]
00422721 |. F7D0 NOT EAX
00422723 |. 23C7 AND EAX,EDI
00422725 |. 33D2 XOR EDX,EDX ; EDX=0
00422727 |. F7D1 NOT ECX
00422729 |. 33C5 XOR EAX,EBP
0042272B |. 23CA AND ECX,EDX ; ECX=0
0042272D |. F7D0 NOT EAX
0042272F |. 33CA XOR ECX,EDX ; ECX=0 xor 0=0
00422731 |. 3D 2802C042 CMP EAX,42C00228 ; 迷惑人的比较
00422736 |. F7D1 NOT ECX
00422738 |. 0F85 14010000 JNZ MP32SWF.00422852
0042273E |. 81F9 8AE96598 CMP ECX,9865E98A ; ECX=0
00422744 |. 0F85 08010000 JNZ MP32SWF.00422852
0042274A |. 5F POP EDI
0042274B |. 5E POP ESI
0042274C |. 5D POP EBP
0042274D |. B8 01000000 MOV EAX,1
00422752 |. 5B POP EBX
00422753 |. 81C4 B0000000 ADD ESP,0B0
00422759 |. C3 RETN ; 此处回不了家
0042275A |> B8 F1F0F0F0 MOV EAX,F0F0F0F1
0042275F |. F7E1 MUL ECX ; ECX=(((s1^s6)&50540150)^s1)^AE84542C
00422761 |. C1EA 04 SHR EDX,4
00422764 |. B8 4FECC44E MOV EAX,4EC4EC4F
00422769 |. 8BFA MOV EDI,EDX
0042276B |. F7E1 MUL ECX
0042276D |. 0FAFFE IMUL EDI,ESI ; ESI=((s3^s5)&76DBFAAF)^s5^12165400)
00422770 |. 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ; [ESP+20]=((s4^s7)&5671B3A6)^s7
00422774 |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18] ; [ESP+18]=(s2^s8)&48492458
00422778 |. C1EA 02 SHR EDX,2
0042277B |. 0FAFF0 IMUL ESI,EAX
0042277E |. 0FAFD0 IMUL EDX,EAX
00422781 |. 03FA ADD EDI,EDX
00422783 |. 33C0 XOR EAX,EAX
00422785 |. 03FE ADD EDI,ESI
00422787 |. F7D7 NOT EDI
00422789 |. 3BF9 CMP EDI,ECX ; 关键比较(3)
0042278B |. 5F POP EDI
0042278C |. 5E POP ESI
0042278D |. 5D POP EBP
0042278E |. 0F94C0 SETE AL
00422791 |. 5B POP EBX
00422792 |. 81C4 B0000000 ADD ESP,0B0
00422798 |. C3 RETN ; 只有此处满足条件返回才能注册成功
00422799 |> 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
0042279D |. 8B5424 40 MOV EDX,DWORD PTR SS:[ESP+40]
004227A1 |. 33C2 XOR EAX,EDX
004227A3 |. 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C] ; [ESP+3C]=0
004227A7 |. C74424 44 00000000 MOV DWORD PTR SS:[ESP+44],0
004227AF |. 335424 44 XOR EDX,DWORD PTR SS:[ESP+44]
004227B3 |. 3D E8005A5F CMP EAX,5F5A00E8 ; 迷惑人的比较
004227B8 |. 75 5C JNZ SHORT MP32SWF.00422816
004227BA |. 81FA E48954A6 CMP EDX,A65489E4 ; EDX=0
004227C0 |. 75 54 JNZ SHORT MP32SWF.00422816
004227C2 |. B8 25499224 MOV EAX,24924925
004227C7 |. F7E1 MUL ECX
004227C9 |. 8BC1 MOV EAX,ECX
004227CB |. 2BC2 SUB EAX,EDX
004227CD |. D1E8 SHR EAX,1
004227CF |. 03C2 ADD EAX,EDX
004227D1 |. C1E8 02 SHR EAX,2
004227D4 |. 8BF8 MOV EDI,EAX
004227D6 |. B8 CB6B28AF MOV EAX,AF286BCB
004227DB |. F7E1 MUL ECX
004227DD |. 0FAFFE IMUL EDI,ESI
004227E0 |. 2BCA SUB ECX,EDX
004227E2 |. 8B4424 74 MOV EAX,DWORD PTR SS:[ESP+74]
004227E6 |. D1E9 SHR ECX,1
004227E8 |. 0FAF4424 70 IMUL EAX,DWORD PTR SS:[ESP+70]
004227ED |. 03CA ADD ECX,EDX
004227EF |. C1E9 04 SHR ECX,4
004227F2 |. 0FAF4C24 20 IMUL ECX,DWORD PTR SS:[ESP+20]
004227F7 |. 03F9 ADD EDI,ECX
004227F9 |. 8B8C24 B8000000 MOV ECX,DWORD PTR SS:[ESP+B8]
00422800 |. 03F8 ADD EDI,EAX
00422802 |. 33C0 XOR EAX,EAX
00422804 |. F7D7 NOT EDI
00422806 |. 3BF9 CMP EDI,ECX
00422808 |. 5F POP EDI
00422809 |. 5E POP ESI
0042280A |. 5D POP EBP
0042280B |. 0F94C0 SETE AL
0042280E |. 5B POP EBX
0042280F |. 81C4 B0000000 ADD ESP,0B0
00422815 |. C3 RETN ; 此处回不了家
00422816 |> 8B8424 90000000 MOV EAX,DWORD PTR SS:[ESP+90]
0042281D |. 8B8C24 94000000 MOV ECX,DWORD PTR SS:[ESP+94]
00422824 |. 8B9424 8C000000 MOV EDX,DWORD PTR SS:[ESP+8C]
0042282B |. 23C7 AND EAX,EDI
0042282D |. 23CA AND ECX,EDX
0042282F |. 33C3 XOR EAX,EBX
00422831 |. 33CD XOR ECX,EBP
00422833 |. 3D 4F79AE48 CMP EAX,48AE794F ; EAX永远等于68AE984A
00422838 |. 75 18 JNZ SHORT MP32SWF.00422852
0042283A |. 81F9 34023784 CMP ECX,84370234
00422840 |. 75 10 JNZ SHORT MP32SWF.00422852
00422842 |. 5F POP EDI
00422843 |. 5E POP ESI
00422844 |. 5D POP EBP
00422845 |. B8 01000000 MOV EAX,1
0042284A |. 5B POP EBX
0042284B |. 81C4 B0000000 ADD ESP,0B0
00422851 |. C3 RETN ; 此处回不了家
00422852 |> 5F POP EDI
00422853 |. 5E POP ESI
00422854 |. 5D POP EBP
00422855 |. 33C0 XOR EAX,EAX
00422857 |. 5B POP EBX
00422858 |. 81C4 B0000000 ADD ESP,0B0
0042285E \. C3 RETN ; 此处返回注册失败
二、算法小结
1.根据上面的分析,要从 00422798 处成功返回,只要同时满足下面三个等式。
关键比较(1)
004226F8 处判断 CMP EDX,897E8120 此处要满足 EDX==897E8120
即: ((((s4^s7)&5671B3A6)^s7)^65488944) ^ (((s2^s8)&48492458)^s8)==897E8120
关键比较(2)
0042270A 处判断 CMP EAX,E894C465 此处要满足 EAX==E894C465
即: ((s6^s1)&50540150)^s6 ^ ((s3^s5)&76DBFAAF)^s5^12165400==897E8120
关键比较(3)
00422789 处判断 CMP EDI,ECX 此处要满足 EDI==ECX
EDI的值:
(1) F0F0F0F1 * ((((s1^s6)&50540150)^s1)^AE84542C)
积的高位逻辑右移4,设为x
(2) 4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C)
积的高位逻辑右移2,设为y
(3) x * ((s3^s5)&76DBFAAF)^s5^12165400)
(4) y * (4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C))
(5) ((s3^s5)&76DBFAAF)^s5^12165400) * (4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C))
(6) (3)+(4)+(5) 和取反
ECX的值:(s2^s8)&48492458
即: (s2^s8)&48492458==(6)
2. 上面算式看着有些复杂,快速得到可用注册码的方法是将上面算式简单变换为:
(1) (s2^s8)&48492458^s2==FFFFFFFF
(2) ((s2^s8)&48492458)^s8)==897E8120
(3) (((s4^s7)&5671B3A6)^s7)^65488944==0
(4) ((s1^s6)&50540150)^s1^AE84542C==0
(5) ((s3^s5)&76DBFAAF)^s5^12165400==0
(6) ((s6^s1)&50540150)^s6==E894C465
找出满足等式的s1~s8
根据:(4) (6)
((s1^s6)&50540150)^s1==AE84542C
((s6^s1)&50540150)^s6==E894C465
得到:
s1=EE94546C
s6=A884C425
根据:(3)
((s4^s7)&5671B3A6)^s7==65488944
得到:
s7=65488944
s4=CCC6C51D
根据:(5)
((s3^s5)&76DBFAAF)^s5==12165400
得到:
s5=12165400
s3=9B325150
根据:(1) (2)
(s2^s8)&48492458^s2==FFFFFFFF
((s2^s8)&48492458)^s8)==897E8120
得到:
s2=BFFEDBA7
s8=C97FA578
3.用户名与注册码无关
一组可用的注册码
Name:wzwgp
Registration Code:EE94546CBFFEDBA79B325150CCC6C51D12165400A884C42565488944C97FA578
注册信息保存在:HKEY_CURRENT_USER\Software\Hoo Technologies\MP32SWF
顺祝大家新春快乐! |
|
IP卡
发表于 2007-2-18 11:20:16
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2007-2-18 12:43:32
发表于 2007-2-20 20:05:00
发表于 2007-3-23 16:18:57
发表于 2007-3-24 02:04:36
发表于 2009-8-14 01:35:30