- UID
- 32678
注册时间2007-8-2
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
【文章标题】: A1档案管理系统算法简单分析(高手飞过)
【文章作者】: 网络断魂
【软件名称】: A1档案管理系统
【下载地址】: http://www.cometgroup.com.cn
【加壳方式】: ASPACK
【保护方式】: 机器码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD PEID PYG密码学综合工具
【操作平台】: winxp2
【作者声明】: 菜鸟学习算法,失误之处请多指教!
1、查壳:ASPack 2.12 -> Alexey Solodovnikov
2、用脱壳机或ESP定律脱壳修复后:Borland Delphi 6.0 - 7.0
3、进入软件后点“注册授权”,输入假码1111111111,提示“注册号码不正确,请重新输入!”
4、根据消息断点及字符串,找到注册算法函数,
003844A3 8B45 08 mov eax, dword ptr [ebp+8] ; //送机器码
003844A6 50 push eax
003844A7 8D45 F8 lea eax, dword ptr [ebp-8]
003844AA 50 push eax
003844AB E8 B8F8FFFF call 00383D68 ; //关键算法,跟进第一层,
003844B0 8B55 F8 mov edx, dword ptr [ebp-8] ; //送真码,
003844B3 8B45 0C mov eax, dword ptr [ebp+C] ; //送假码,此处做注册机!
003844B6 E8 ADFCFEFF call 00374168
003844AB E8 B8F8FFFF call 00383D68跟进后来到:
00383D68 55 push ebp
00383D69 8BEC mov ebp, esp
00383D6B B9 0D000000 mov ecx, 0D ; //13
00383D70 6A 00 push 0
00383D72 6A 00 push 0
00383D74 49 dec ecx
00383D75 ^ 75 F9 jnz short 00383D70
00383D77 51 push ecx
00383D78 53 push ebx
00383D79 8B5D 08 mov ebx, dword ptr [ebp+8]
00383D7C 8B45 0C mov eax, dword ptr [ebp+C] ; //送机器码
00383D7F E8 8804FFFF call 0037420C ; // EDX=3
00383D84 33C0 xor eax, eax
00383D86 55 push ebp
00383D87 68 BB403800 push 003840BB
00383D8C 64:FF30 push dword ptr fs:[eax]
00383D8F 64:8920 mov dword ptr fs:[eax], esp
00383D92 8BC3 mov eax, ebx
00383D94 E8 E7FFFEFF call 00373D80
00383D99 8D4D FC lea ecx, dword ptr [ebp-4]
00383D9C 8B15 8C573800 mov edx, dword ptr [38578C] ; //“SalaKey2005” 常量
00383DA2 8B45 0C mov eax, dword ptr [ebp+C] ; //送机器码
00383DA5 E8 D2F4FFFF call 0038327C ; //计算得出一串字符串,(跟进第二层)
00383DAA 8B45 FC mov eax, dword ptr [ebp-4] ; //送计算后的一串字符串,
00383DAD E8 6A02FFFF call 0037401C ; //计算上面字符串长度
00383DB2 83F8 20 cmp eax, 20 ; //长度与20(32)比较,
00383DB5 0F8E FC000000 jle 00383EB7 ; //小于或等于则跳走
00383DBB 8D45 F8 lea eax, dword ptr [ebp-8]
00383DBE 50 push eax
00383DBF B9 02000000 mov ecx, 2 ; //取2位,
00383DC4 BA 01000000 mov edx, 1 ; //从第1位开始取
00383DC9 8B45 FC mov eax, dword ptr [ebp-4] ; //送加密后的字符串
00383DCC E8 AB04FFFF call 0037427C ; //取字符
00383DD1 FF75 F8 push dword ptr [ebp-8] ; //储存取值结果给016ADAC8
00383DD4 8D45 F4 lea eax, dword ptr [ebp-C]
00383DD7 50 push eax
00383DD8 B9 02000000 mov ecx, 2 ; //取2位,
00383DDD BA 07000000 mov edx, 7 ; //从第7位开始取
00383DE2 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383DE5 E8 9204FFFF call 0037427C ; //取字符
00383DEA FF75 F4 push dword ptr [ebp-C] ; //储存取值结果给016ADAC8
00383DED 8D45 F0 lea eax, dword ptr [ebp-10]
00383DF0 50 push eax
00383DF1 B9 01000000 mov ecx, 1 ; //取1位
00383DF6 BA 11000000 mov edx, 11 ; //从第17位开始取
00383DFB 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383DFE E8 7904FFFF call 0037427C ; //取字符
00383E03 FF75 F0 push dword ptr [ebp-10] ; //保存结果
00383E06 68 D4403800 push 003840D4 ; //以上5位做为第一段注册码!
00383E0B 8D45 EC lea eax, dword ptr [ebp-14]
00383E0E 50 push eax
00383E0F B9 01000000 mov ecx, 1 ; //取1位
00383E14 BA 12000000 mov edx, 12 ; //从第18位开始取
00383E19 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383E1C E8 5B04FFFF call 0037427C ; //取字符
00383E21 FF75 EC push dword ptr [ebp-14] ; //存结果 到01697340中
00383E24 8D45 E8 lea eax, dword ptr [ebp-18]
00383E27 50 push eax
00383E28 B9 02000000 mov ecx, 2 ; //取2位
00383E2D BA 17000000 mov edx, 17 ; //从第23位开始取
00383E32 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383E35 E8 4204FFFF call 0037427C ; //取字符
00383E3A FF75 E8 push dword ptr [ebp-18] ; //存结果到016A9CF4中
00383E3D 8D45 E4 lea eax, dword ptr [ebp-1C]
00383E40 50 push eax
00383E41 B9 02000000 mov ecx, 2 ; //取2位
00383E46 BA 1D000000 mov edx, 1D ; //从第29位开始取
00383E4B 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383E4E E8 2904FFFF call 0037427C ; //取字符
00383E53 FF75 E4 push dword ptr [ebp-1C] ; //存结果到016A9CF4中
00383E56 68 D4403800 push 003840D4 ; //以上5位作为第二段注册码
00383E5B 8D45 E0 lea eax, dword ptr [ebp-20]
00383E5E 50 push eax
00383E5F B9 02000000 mov ecx, 2 ; //取2位
00383E64 BA 23000000 mov edx, 23 ; //从第35位开始取
00383E69 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383E6C E8 0B04FFFF call 0037427C ; //取字符
00383E71 FF75 E0 push dword ptr [ebp-20] ; //存结果
00383E74 8D45 DC lea eax, dword ptr [ebp-24]
00383E77 50 push eax
00383E78 B9 02000000 mov ecx, 2 ; //取2位
00383E7D BA 29000000 mov edx, 29 ; //从第41位开始取
00383E82 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383E85 E8 F203FFFF call 0037427C ; //取字符
00383E8A FF75 DC push dword ptr [ebp-24] ; //存结果 016B6CA0中
00383E8D 8D45 D8 lea eax, dword ptr [ebp-28]
00383E90 50 push eax
00383E91 B9 01000000 mov ecx, 1 ; //取第1位
00383E96 BA 2F000000 mov edx, 2F ; //从第47位开始取
00383E9B 8B45 FC mov eax, dword ptr [ebp-4] ; //送字符串
00383E9E E8 D903FFFF call 0037427C ; //取字符
00383EA3 FF75 D8 push dword ptr [ebp-28] ; //存结果
00383EA6 8BC3 mov eax, ebx
00383EA8 BA 0B000000 mov edx, 0B
00383EAD E8 2A02FFFF call 003740DC
00383EB2 E9 E1010000 jmp 00384098
00383EB7 8B45 FC mov eax, dword ptr [ebp-4] ; //若加密后字符串小于或等于32位,则跳来此处
00383EBA E8 5D01FFFF call 0037401C ; //再次计算字符串长度
00383EBF 83F8 10 cmp eax, 10 ; //与16比较
00383EC2 0F8E FC000000 jle 00383FC4 ; //小于或等于16位则跳走
00383EC8 8D45 D4 lea eax, dword ptr [ebp-2C]
00383ECB 50 push eax
00383ECC B9 02000000 mov ecx, 2 ; //取2位,
00383ED1 BA 01000000 mov edx, 1 ; 从第1位开始取
00383ED6 8B45 FC mov eax, dword ptr [ebp-4]
00383ED9 E8 9E03FFFF call 0037427C
00383EDE FF75 D4 push dword ptr [ebp-2C]
00383EE1 8D45 D0 lea eax, dword ptr [ebp-30]
00383EE4 50 push eax
00383EE5 B9 02000000 mov ecx, 2 ; //取2位
00383EEA BA 05000000 mov edx, 5 ; 从第5位开始取
00383EEF 8B45 FC mov eax, dword ptr [ebp-4]
00383EF2 E8 8503FFFF call 0037427C
00383EF7 FF75 D0 push dword ptr [ebp-30]
00383EFA 8D45 CC lea eax, dword ptr [ebp-34]
00383EFD 50 push eax
00383EFE B9 01000000 mov ecx, 1 ; //取1位,
00383F03 BA 0B000000 mov edx, 0B ; //从第11位开始取
00383F08 8B45 FC mov eax, dword ptr [ebp-4]
00383F0B E8 6C03FFFF call 0037427C
00383F10 FF75 CC push dword ptr [ebp-34]
00383F13 68 D4403800 push 003840D4
00383F18 8D45 C8 lea eax, dword ptr [ebp-38]
00383F1B 50 push eax
00383F1C B9 01000000 mov ecx, 1 ; //取1位
00383F21 BA 0C000000 mov edx, 0C ; //从第12位开始取
00383F26 8B45 FC mov eax, dword ptr [ebp-4]
00383F29 E8 4E03FFFF call 0037427C
00383F2E FF75 C8 push dword ptr [ebp-38]
00383F31 8D45 C4 lea eax, dword ptr [ebp-3C]
00383F34 50 push eax
00383F35 B9 02000000 mov ecx, 2 ; //取2位,
00383F3A BA 0F000000 mov edx, 0F ; //从第15位开始取
00383F3F 8B45 FC mov eax, dword ptr [ebp-4]
00383F42 E8 3503FFFF call 0037427C
00383F47 FF75 C4 push dword ptr [ebp-3C]
00383F4A 8D45 C0 lea eax, dword ptr [ebp-40]
00383F4D 50 push eax
00383F4E B9 02000000 mov ecx, 2 ; //取2位,
00383F53 BA 13000000 mov edx, 13 ; //从第19位开始取
00383F58 8B45 FC mov eax, dword ptr [ebp-4]
00383F5B E8 1C03FFFF call 0037427C
00383F60 FF75 C0 push dword ptr [ebp-40]
00383F63 68 D4403800 push 003840D4
00383F68 8D45 BC lea eax, dword ptr [ebp-44]
00383F6B 50 push eax
00383F6C B9 02000000 mov ecx, 2 ; //取2位,
00383F71 BA 17000000 mov edx, 17 ; //从第23位开始取
00383F76 8B45 FC mov eax, dword ptr [ebp-4]
00383F79 E8 FE02FFFF call 0037427C
00383F7E FF75 BC push dword ptr [ebp-44]
00383F81 8D45 B8 lea eax, dword ptr [ebp-48]
00383F84 50 push eax
00383F85 B9 02000000 mov ecx, 2 ; //取2位,
00383F8A BA 1B000000 mov edx, 1B ; //从第27位开始取
00383F8F 8B45 FC mov eax, dword ptr [ebp-4]
00383F92 E8 E502FFFF call 0037427C
00383F97 FF75 B8 push dword ptr [ebp-48]
00383F9A 8D45 B4 lea eax, dword ptr [ebp-4C]
00383F9D 50 push eax
00383F9E B9 01000000 mov ecx, 1 ; //取1位
00383FA3 BA 1F000000 mov edx, 1F ; //从第31位开始取
00383FA8 8B45 FC mov eax, dword ptr [ebp-4]
00383FAB E8 CC02FFFF call 0037427C
00383FB0 FF75 B4 push dword ptr [ebp-4C]
00383FB3 8BC3 mov eax, ebx
00383FB5 BA 0B000000 mov edx, 0B
00383FBA E8 1D01FFFF call 003740DC
00383FBF E9 D4000000 jmp 00384098
00383FC4 8D45 B0 lea eax, dword ptr [ebp-50] ; //若加密后的字符串小于或等于16位则跳来此处
00383FC7 50 push eax
00383FC8 B9 01000000 mov ecx, 1 ; //取1位
00383FCD BA 01000000 mov edx, 1 ; //从第1位开始取
00383FD2 8B45 FC mov eax, dword ptr [ebp-4]
00383FD5 E8 A202FFFF call 0037427C
00383FDA FF75 B0 push dword ptr [ebp-50]
00383FDD 8D45 AC lea eax, dword ptr [ebp-54]
00383FE0 50 push eax
00383FE1 B9 01000000 mov ecx, 1 ; //取1位
00383FE6 BA 03000000 mov edx, 3 ; //从第3位开始取(隔1位取1位,类推下去,取到15位)
00383FEB 8B45 FC mov eax, dword ptr [ebp-4]
00383FEE E8 8902FFFF call 0037427C
00383FF3 FF75 AC push dword ptr [ebp-54]
00383FF6 8D45 A8 lea eax, dword ptr [ebp-58]
00383FF9 50 push eax
00383FFA B9 01000000 mov ecx, 1 ; //1
00383FFF BA 05000000 mov edx, 5 ; //5
00384004 8B45 FC mov eax, dword ptr [ebp-4]
00384007 E8 7002FFFF call 0037427C
0038400C FF75 A8 push dword ptr [ebp-58]
0038400F 8D45 A4 lea eax, dword ptr [ebp-5C]
00384012 50 push eax
00384013 B9 01000000 mov ecx, 1 ; //1
00384018 BA 07000000 mov edx, 7 ; //7
0038401D 8B45 FC mov eax, dword ptr [ebp-4]
00384020 E8 5702FFFF call 0037427C
00384025 FF75 A4 push dword ptr [ebp-5C]
00384028 8D45 A0 lea eax, dword ptr [ebp-60]
0038402B 50 push eax
0038402C B9 01000000 mov ecx, 1 ; //1
00384031 BA 09000000 mov edx, 9 ; //9
00384036 8B45 FC mov eax, dword ptr [ebp-4]
00384039 E8 3E02FFFF call 0037427C
0038403E FF75 A0 push dword ptr [ebp-60]
00384041 8D45 9C lea eax, dword ptr [ebp-64]
00384044 50 push eax
00384045 B9 01000000 mov ecx, 1 ; //1
0038404A BA 0B000000 mov edx, 0B ; //11
0038404F 8B45 FC mov eax, dword ptr [ebp-4]
00384052 E8 2502FFFF call 0037427C
00384057 FF75 9C push dword ptr [ebp-64]
0038405A 8D45 98 lea eax, dword ptr [ebp-68]
0038405D 50 push eax
0038405E B9 01000000 mov ecx, 1 ; //1
00384063 BA 0D000000 mov edx, 0D ; //13
00384068 8B45 FC mov eax, dword ptr [ebp-4]
0038406B E8 0C02FFFF call 0037427C
00384070 FF75 98 push dword ptr [ebp-68]
00384073 8D45 94 lea eax, dword ptr [ebp-6C]
00384076 50 push eax
00384077 B9 01000000 mov ecx, 1 ; //1
0038407C BA 0F000000 mov edx, 0F ; //15
00384081 8B45 FC mov eax, dword ptr [ebp-4]
00384084 E8 F301FFFF call 0037427C
00384089 FF75 94 push dword ptr [ebp-6C]
0038408C 8BC3 mov eax, ebx
0038408E BA 08000000 mov edx, 8
00384093 E8 4400FFFF call 003740DC
00384098 33C0 xor eax, eax
0038409A 5A pop edx
0038409B 59 pop ecx
0038409C 59 pop ecx
0038409D 64:8910 mov dword ptr fs:[eax], edx
003840A0 68 C2403800 push 003840C2
003840A5 8D45 94 lea eax, dword ptr [ebp-6C]
003840A8 BA 1B000000 mov edx, 1B
003840AD E8 F2FCFEFF call 00373DA4
003840B2 8D45 0C lea eax, dword ptr [ebp+C]
003840B5 E8 C6FCFEFF call 00373D80
003840BA C3 retn
003840BB ^ E9 38F6FEFF jmp 003736F8
003840C0 ^ EB E3 jmp short 003840A5
003840C2 5B pop ebx
003840C3 8BE5 mov esp, ebp
003840C5 5D pop ebp
003840C6 C2 0800 retn 8
00383DA5 E8 D2F4FFFF call 0038327C ; //计算得出一串字符串,(跟进第二层)跟进后来到:
0038327C 55 push ebp
0038327D 8BEC mov ebp, esp
0038327F 83C4 E4 add esp, -1C
00383282 53 push ebx
00383283 56 push esi
00383284 57 push edi
00383285 33DB xor ebx, ebx
00383287 895D F4 mov dword ptr [ebp-C], ebx
0038328A 895D F0 mov dword ptr [ebp-10], ebx
0038328D 895D EC mov dword ptr [ebp-14], ebx
00383290 8BF9 mov edi, ecx
00383292 8955 F8 mov dword ptr [ebp-8], edx
00383295 8945 FC mov dword ptr [ebp-4], eax
00383298 8B45 FC mov eax, dword ptr [ebp-4]
0038329B E8 6C0FFFFF call 0037420C
003832A0 8B45 F8 mov eax, dword ptr [ebp-8]
003832A3 E8 640FFFFF call 0037420C
003832A8 33C0 xor eax, eax
003832AA 55 push ebp
003832AB 68 4E333800 push 0038334E
003832B0 64:FF30 push dword ptr fs:[eax]
003832B3 64:8920 mov dword ptr fs:[eax], esp
003832B6 8D4D F0 lea ecx, dword ptr [ebp-10]
003832B9 8B55 F8 mov edx, dword ptr [ebp-8] ; //送常量
003832BC 8B45 FC mov eax, dword ptr [ebp-4] ; //送机器码
003832BF E8 40FCFFFF call 00382F04 ; //跟进此CALL,第三层
003832C4 8D45 F4 lea eax, dword ptr [ebp-C]
003832C7 E8 B40AFFFF call 00373D80
003832CC 8B45 F0 mov eax, dword ptr [ebp-10]
003832CF E8 480DFFFF call 0037401C
003832D4 8BD8 mov ebx, eax
003832D6 4B dec ebx
003832D7 85DB test ebx, ebx
003832D9 7C 4E jl short 00383329
003832DB 43 inc ebx
003832DC 33F6 xor esi, esi
003832DE 8D45 EC lea eax, dword ptr [ebp-14]
003832E1 50 push eax
003832E2 8B45 F0 mov eax, dword ptr [ebp-10]
003832E5 0FB60430 movzx eax, byte ptr [eax+esi]
003832E9 8945 E4 mov dword ptr [ebp-1C], eax
003832EC C645 E8 00 mov byte ptr [ebp-18], 0
003832F0 8D55 E4 lea edx, dword ptr [ebp-1C]
003832F3 33C9 xor ecx, ecx
003832F5 B8 64333800 mov eax, 00383364 ; ASCII "%x"
003832FA E8 B547FFFF call 00377AB4
003832FF 8B45 EC mov eax, dword ptr [ebp-14]
00383302 E8 150DFFFF call 0037401C
00383307 48 dec eax
00383308 75 10 jnz short 0038331A
0038330A 8D45 EC lea eax, dword ptr [ebp-14]
0038330D 8B4D EC mov ecx, dword ptr [ebp-14]
00383310 BA 70333800 mov edx, 00383370
00383315 E8 4E0DFFFF call 00374068
0038331A 8D45 F4 lea eax, dword ptr [ebp-C]
0038331D 8B55 EC mov edx, dword ptr [ebp-14]
00383320 E8 FF0CFFFF call 00374024
00383325 46 inc esi
00383326 4B dec ebx
00383327 ^ 75 B5 jnz short 003832DE ; //循环取加密后的值
00383329 8BC7 mov eax, edi
0038332B 8B55 F4 mov edx, dword ptr [ebp-C]
0038332E E8 A10AFFFF call 00373DD4
00383333 33C0 xor eax, eax
00383335 5A pop edx
00383336 59 pop ecx
00383337 59 pop ecx
00383338 64:8910 mov dword ptr fs:[eax], edx
0038333B 68 55333800 push 00383355
00383340 8D45 EC lea eax, dword ptr [ebp-14]
00383343 BA 05000000 mov edx, 5
00383348 E8 570AFFFF call 00373DA4
0038334D C3 retn
003832BF E8 40FCFFFF call 00382F04 ; //跟进此CALL,第三层,跟进后来到:
00382F04 55 push ebp
00382F05 8BEC mov ebp, esp
00382F07 83C4 CC add esp, -34
00382F0A 53 push ebx
00382F0B 56 push esi
00382F0C 33DB xor ebx, ebx
00382F0E 895D CC mov dword ptr [ebp-34], ebx
00382F11 895D D8 mov dword ptr [ebp-28], ebx
00382F14 894D F4 mov dword ptr [ebp-C], ecx
00382F17 8955 F8 mov dword ptr [ebp-8], edx ; //送常量
00382F1A 8945 FC mov dword ptr [ebp-4], eax ; //送机器码
00382F1D 8B45 FC mov eax, dword ptr [ebp-4]
00382F20 E8 E712FFFF call 0037420C
00382F25 8B45 F8 mov eax, dword ptr [ebp-8]
00382F28 E8 DF12FFFF call 0037420C
00382F2D 33C0 xor eax, eax
00382F2F 55 push ebp
00382F30 68 A1303800 push 003830A1
00382F35 64:FF30 push dword ptr fs:[eax]
00382F38 64:8920 mov dword ptr fs:[eax], esp
00382F3B 8B45 FC mov eax, dword ptr [ebp-4] ; //送机器码
00382F3E E8 D910FFFF call 0037401C ; //计算长度
00382F43 85C0 test eax, eax ; //是否为空
00382F45 7E 28 jle short 00382F6F
00382F47 8B45 FC mov eax, dword ptr [ebp-4] ; //送机器码
00382F4A E8 CD10FFFF call 0037401C ; //计算长度
00382F4F 8B55 FC mov edx, dword ptr [ebp-4]
00382F52 807C02 FF 00 cmp byte ptr [edx+eax-1], 0 ; //机器码最后一位是否为0
00382F57 75 16 jnz short 00382F6F
00382F59 B9 B8303800 mov ecx, 003830B8 ; ASCII "Error: the last char is NULL char."
00382F5E B2 01 mov dl, 1
00382F60 A1 4C613700 mov eax, dword ptr [37614C]
00382F65 E8 1A74FFFF call 0037A384
00382F6A E8 C107FFFF call 00373730
00382F6F 8B45 F8 mov eax, dword ptr [ebp-8] ; //送常量
00382F72 E8 A510FFFF call 0037401C ; //计算长度
00382F77 83F8 08 cmp eax, 8 ; //长度与8比较
00382F7A 7D 2B jge short 00382FA7 ; //大于或等于转移
00382F7C EB 0D jmp short 00382F8B
00382F7E 8D45 F8 lea eax, dword ptr [ebp-8]
00382F81 BA E4303800 mov edx, 003830E4
00382F86 E8 9910FFFF call 00374024
00382F8B 8B45 F8 mov eax, dword ptr [ebp-8] ; //小于8位则转到此处
00382F8E E8 8910FFFF call 0037401C
00382F93 83F8 08 cmp eax, 8
00382F96 ^ 7C E6 jl short 00382F7E
00382F98 EB 0D jmp short 00382FA7
00382F9A 8D45 FC lea eax, dword ptr [ebp-4]
00382F9D BA E4303800 mov edx, 003830E4
00382FA2 E8 7D10FFFF call 00374024
00382FA7 8B45 FC mov eax, dword ptr [ebp-4] ; //常量KEY的长度大于或等于8位则转到此处,送机器码
00382FAA E8 6D10FFFF call 0037401C ; //取机器码长度
00382FAF 25 07000080 and eax, 80000007 ; //长度跟80000007作“与”运算
00382FB4 79 05 jns short 00382FBB ; //JNS 符号位为 "0" 时转移
00382FB6 48 dec eax
00382FB7 83C8 F8 or eax, FFFFFFF8
00382FBA 40 inc eax
00382FBB 85C0 test eax, eax ; //EAX是否为0
00382FBD ^ 75 DB jnz short 00382F9A ; //不为0则跳
00382FBF 33DB xor ebx, ebx
00382FC1 8D45 DC lea eax, dword ptr [ebp-24]
00382FC4 8B55 F8 mov edx, dword ptr [ebp-8] ; //送常量
00382FC7 8A141A mov dl, byte ptr [edx+ebx]
00382FCA 8810 mov byte ptr [eax], dl
00382FCC 43 inc ebx
00382FCD 40 inc eax
00382FCE 83FB 08 cmp ebx, 8
00382FD1 ^ 75 F1 jnz short 00382FC4 ; //循环取常量的前8位,作为KEY
00382FD3 6A 0F push 0F
00382FD5 B9 80683800 mov ecx, 00386880
00382FDA 8D45 DC lea eax, dword ptr [ebp-24]
00382FDD BA 07000000 mov edx, 7
00382FE2 E8 EDFAFFFF call 00382AD4
00382FE7 8D45 D8 lea eax, dword ptr [ebp-28]
00382FEA E8 910DFFFF call 00373D80
00382FEF 8B45 FC mov eax, dword ptr [ebp-4]
00382FF2 E8 2510FFFF call 0037401C
00382FF7 85C0 test eax, eax
00382FF9 79 03 jns short 00382FFE
00382FFB 83C0 07 add eax, 7
00382FFE C1F8 03 sar eax, 3
00383001 48 dec eax
00383002 85C0 test eax, eax
00383004 7C 65 jl short 0038306B
00383006 40 inc eax
00383007 8945 D0 mov dword ptr [ebp-30], eax
0038300A C745 D4 0000000>mov dword ptr [ebp-2C], 0
00383011 33DB xor ebx, ebx
00383013 8D45 EC lea eax, dword ptr [ebp-14]
00383016 8B55 D4 mov edx, dword ptr [ebp-2C]
00383019 C1E2 03 shl edx, 3
0038301C 03D3 add edx, ebx
0038301E 8B4D FC mov ecx, dword ptr [ebp-4]
00383021 8A1411 mov dl, byte ptr [ecx+edx]
00383024 8810 mov byte ptr [eax], dl
00383026 43 inc ebx
00383027 40 inc eax
00383028 83FB 08 cmp ebx, 8
0038302B ^ 75 E9 jnz short 00383016 ; //循环取机器码8位进行DES标准加密
0038302D 8D45 E4 lea eax, dword ptr [ebp-1C]
00383030 50 push eax
00383031 6A 07 push 7
00383033 8D55 EC lea edx, dword ptr [ebp-14]
00383036 B9 07000000 mov ecx, 7
0038303B 33C0 xor eax, eax
0038303D E8 EAFCFFFF call 00382D2C
00383042 BB 08000000 mov ebx, 8
00383047 8D75 E4 lea esi, dword ptr [ebp-1C]
0038304A 8D45 CC lea eax, dword ptr [ebp-34]
0038304D 8A16 mov dl, byte ptr [esi]
0038304F E8 140FFFFF call 00373F68
00383054 8B55 CC mov edx, dword ptr [ebp-34]
00383057 8D45 D8 lea eax, dword ptr [ebp-28]
0038305A E8 C50FFFFF call 00374024
0038305F 46 inc esi
00383060 4B dec ebx
00383061 ^ 75 E7 jnz short 0038304A
00383063 FF45 D4 inc dword ptr [ebp-2C]
00383066 FF4D D0 dec dword ptr [ebp-30]
00383069 ^ 75 A6 jnz short 00383011
0038306B 8B45 F4 mov eax, dword ptr [ebp-C]
0038306E 8B55 D8 mov edx, dword ptr [ebp-28]
00383071 E8 5E0DFFFF call 00373DD4
00383076 33C0 xor eax, eax
00383078 5A pop edx
00383079 59 pop ecx
0038307A 59 pop ecx
0038307B 64:8910 mov dword ptr fs:[eax], edx
0038307E 68 A8303800 push 003830A8
00383083 8D45 CC lea eax, dword ptr [ebp-34]
00383086 E8 F50CFFFF call 00373D80
0038308B 8D45 D8 lea eax, dword ptr [ebp-28]
0038308E E8 ED0CFFFF call 00373D80
00383093 8D45 F8 lea eax, dword ptr [ebp-8]
00383096 BA 02000000 mov edx, 2
0038309B E8 040DFFFF call 00373DA4
003830A0 C3 retn
003830A1 ^ E9 5206FFFF jmp 003736F8
003830A6 ^ EB DB jmp short 00383083
003830A8 5E pop esi
003830A9 5B pop ebx
003830AA 8BE5 mov esp, ebp
003830AC 5D pop ebp
003830AD C3 retn
算法总结:
1、以SalaKey2005的前8位“SalaKey2”作为密钥KEY,对机器码(含中间的“-”)进行DES标准加密,每次加密8位,
2、加密后的字符串跟32,16比较(DES算法的结果长度都是16的倍数),
3、若加密后的字符串大于32位,则取第1、2、7、8、17位作为注册码第一段,第18、23、24、29、30位作为注册码第二段,第35、 36、41、42、47位作为注册码第三段,
4、若加密后的字符串小于等于32位且大于16位,则取第1、2、5、6、11位作为注册码第一段,第12、15、16、19、20作为注册码第 二段,第23、24、27、28、31作为注册码第三段,
5、若加密后的字符串小于等于16位,则取1、3、5、7、9、11、13、15作为注册码; |
评分
-
查看全部评分
|
IP卡
发表于 2007-10-24 16:17:48
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2007-10-24 19:32:10
楼主