Hidden Carema　v2.27算法分析

鹭影依凌 · 发表于 2007-12-17 02:36:37

【破解作者】鹭影依凌
【作者邮箱】 [email][email protected][/email]
【使用工具】 ODv1.10
【破解平台】 Win9x/NT/2000/XP
【软件简介】可以同时监控局域网里的50台电脑，并且能够对电脑显示器上的画面进行截屏
【加壳方式】 UPX
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
--------------------------------------------------------------------------------
【破解内容】

->试练码<-
UserName:luying10
E-mail:[email protected]
Quanty:256
Key:9876543210abcdef

标志：wrong key!

PEiD查壳:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
ESP定律搞定，不用修复就可以正常运行

OllyDbg超级字符串定位
在段首00419127下断,运行程序，程序被断下(未出现注册窗口)，Ｆ８继续
在地址00419184处弹出注册窗口，重新填入注册信息

程序没有马上继续正常判断，先闪了一小会儿，然后才停在00419189处

分析如下：

;=================================================================|
00419127 B8 2D634500    mov    eax, 0045632D                ; //开始
0041912C E8 2F5E0100    call 0042EF60
00419131 81EC 20010000 sub    esp, 120
00419137 A1 34244700    mov    eax, dword ptr [472434]
0041913C 3345 04       xor    eax, dword ptr [ebp+4]
0041913F 53             push ebx
00419140 56             push esi
00419141 57             push edi
00419142 8BF1          mov    esi, ecx
00419144 33DB          xor    ebx, ebx
00419146 33FF          xor    edi, edi
00419148 8965 F0       mov    dword ptr [ebp-10], esp
0041914B 47             inc    edi
0041914C 53             push ebx
0041914D 8D8E 54240100 lea    ecx, dword ptr [esi+12454]
00419153 8945 EC       mov    dword ptr [ebp-14], eax
00419156 8975 94       mov    dword ptr [ebp-6C], esi
00419159 895D FC       mov    dword ptr [ebp-4], ebx
0041915C 89BE 002E0100 mov    dword ptr [esi+12E00], edi
00419162 E8 A9470200    call 0043D910
00419167 8BCE          mov    ecx, esi
00419169 E8 32F7FEFF    call 004088A0
0041916E 53             push ebx
0041916F 8D8D D4FEFFFF lea    ecx, dword ptr [ebp-12C]
00419175 E8 978C0000    call 00421E11
0041917A 8D8D D4FEFFFF lea    ecx, dword ptr [ebp-12C]
00419180 C645 FC 01    mov    byte ptr [ebp-4], 1
00419184 E8 84430200    call 0043D50D                   ; //弹出注册对话框
00419189 3BC7          cmp    eax, edi                   ; 未填入注册信息则跳走
0041918B 0F85 B4030000 jnz    00419545                   ; //跳转(未实现)
;---------------------------<密码地址初始化为零>------------------|
00419191 8D86 18240100 lea    eax, dword ptr [esi+12418] ; 载入数量的地址
00419197 50             push eax
00419198 8D86 14240100 lea    eax, dword ptr [esi+12414] ; 载入序列号地址
0041919E 50             push eax
0041919F 8D86 10240100 lea    eax, dword ptr [esi+12410] ; 加载:{用数量+邮箱}的地址
004191A5 50             push eax
004191A6 8D86 0C240100 lea    eax, dword ptr [esi+1240C] ; 加载:{用户名+数量}地址
004191AC 50             push eax
004191AD 8D8D D4FEFFFF lea    ecx, dword ptr [ebp-12C]
004191B3 E8 528A0000    call 00421C0A
004191B8 68 4C974500    push 0045974C
004191BD 8D4D A0       lea    ecx, dword ptr [ebp-60]    ; (ASCII " s8")
004191C0 E8 6E8BFEFF    call 00401D33
004191C5 C645 FC 02    mov    byte ptr [ebp-4], 2
004191C9 895D E8       mov    dword ptr [ebp-18], ebx
004191CC 33C0          xor    eax, eax                   ; EAX置零
.
004191CE 83F8 20       cmp    eax, 20                      ;
004191D1 7D 15          jge    short 004191E8             ; //跳出循环体
004191D3 806405 C4 00 and    byte ptr [ebp+eax-3C], 0    ; 0012FB2C - 0012FB4B
004191D8 806405 A4 00 and    byte ptr [ebp+eax-5C], 0    ; 0012FB0C - 0012FB2B
004191DD 80A405 64FFFFFF>and    byte ptr [ebp+eax-9C], 0    ; 0012FACC - 0012FAEB
004191E5 40             inc    eax                         ; EAX++
004191E6  ^ EB E6          jmp    short 004191CE             ; //循环(20H)次
;-----------|
004191E8 33C0          xor    eax, eax                   ; EAX置零
004191EA 83F8 10       cmp    eax, 10
004191ED 7D 08          jge    short 004191F7
004191EF 806405 84 00 and    byte ptr [ebp+eax-7C], 0    ; 数据清零(2)
004191F4 40             inc    eax                         ;
004191F5  ^ EB F3          jmp    short 004191EA             ;  //循环(10H次)
;-----------------------------------------------------------------|
004191F7 8DBE 0C240100 lea    edi, dword ptr [esi+1240C]
004191FD 57             push edi
004191FE 8D4D 9C       lea    ecx, dword ptr [ebp-64]    ; //

;---------------------------<(用于计算的)密码表初始化>------------|
00419201 C645 C4 2B    mov    byte ptr [ebp-3C], 2B
00419205 C645 A4 59    mov    byte ptr [ebp-5C], 59
00419209 C645 C5 2D    mov    byte ptr [ebp-3B], 2D
0041920D C645 A5 77    mov    byte ptr [ebp-5B], 77
00419211 C645 C6 26    mov    byte ptr [ebp-3A], 26
00419215 C645 A6 82    mov    byte ptr [ebp-5A], 82
00419219 C645 C7 EA    mov    byte ptr [ebp-39], 0EA
0041921D C645 A7 75    mov    byte ptr [ebp-59], 75
00419221 C645 C8 5A    mov    byte ptr [ebp-38], 5A
00419225 C645 A8 3B    mov    byte ptr [ebp-58], 3B
00419229 C645 C9 56    mov    byte ptr [ebp-37], 56
0041922D C645 A9 59    mov    byte ptr [ebp-57], 59
00419231 C645 CA 22    mov    byte ptr [ebp-36], 22
00419235 C645 AA 47    mov    byte ptr [ebp-56], 47
00419239 C645 CB 5D    mov    byte ptr [ebp-35], 5D
0041923D C645 AB 58    mov    byte ptr [ebp-55], 58
00419241 C645 CC 4B    mov    byte ptr [ebp-34], 4B
00419245 C645 AC 9E    mov    byte ptr [ebp-54], 9E
00419249 C645 CD CB    mov    byte ptr [ebp-33], 0CB
0041924D C645 AD 3B    mov    byte ptr [ebp-53], 3B
00419251 C645 CE 40    mov    byte ptr [ebp-32], 40
00419255 C645 AE 8B    mov    byte ptr [ebp-52], 8B
00419259 C645 CF 9A    mov    byte ptr [ebp-31], 9A
0041925D C645 AF 94    mov    byte ptr [ebp-51], 94
00419261 C645 D0 23    mov    byte ptr [ebp-30], 23
00419265 C645 B0 BF    mov    byte ptr [ebp-50], 0BF
00419269 C645 D1 A4    mov    byte ptr [ebp-2F], 0A4
0041926D C645 B1 93    mov    byte ptr [ebp-4F], 93
00419271 C645 D2 61    mov    byte ptr [ebp-2E], 61
00419275 C645 B2 B2    mov    byte ptr [ebp-4E], 0B2
00419279 C645 D3 AB    mov    byte ptr [ebp-2D], 0AB
0041927D C645 B3 7F    mov    byte ptr [ebp-4D], 7F
00419281 C645 D4 ED    mov    byte ptr [ebp-2C], 0ED
00419285 C645 B4 B2    mov    byte ptr [ebp-4C], 0B2
00419289 C645 D5 94    mov    byte ptr [ebp-2B], 94
0041928D C645 B5 B7    mov    byte ptr [ebp-4B], 0B7
00419291 C645 D6 83    mov    byte ptr [ebp-2A], 83
00419295 C645 B6 3B    mov    byte ptr [ebp-4A], 3B
00419299 C645 D7 1F    mov    byte ptr [ebp-29], 1F
0041929D C645 B7 B9    mov    byte ptr [ebp-49], 0B9
004192A1 C645 D8 DB    mov    byte ptr [ebp-28], 0DB
004192A5 C645 B8 8F    mov    byte ptr [ebp-48], 8F
004192A9 C645 D9 8B    mov    byte ptr [ebp-27], 8B
004192AD C645 B9 53    mov    byte ptr [ebp-47], 53
004192B1 C645 DA 19    mov    byte ptr [ebp-26], 19
004192B5 C645 BA 70    mov    byte ptr [ebp-46], 70
004192B9 C645 DB D8    mov    byte ptr [ebp-25], 0D8
004192BD C645 BB 5F    mov    byte ptr [ebp-45], 5F
004192C1 C645 DC C4    mov    byte ptr [ebp-24], 0C4
004192C5 C645 BC EB    mov    byte ptr [ebp-44], 0EB
004192C9 C645 DD 63    mov    byte ptr [ebp-23], 63
004192CD C645 BD 7B    mov    byte ptr [ebp-43], 7B
004192D1 C645 DE EB    mov    byte ptr [ebp-22], 0EB
004192D5 C645 BE 87    mov    byte ptr [ebp-42], 87
004192D9 C645 DF 95    mov    byte ptr [ebp-21], 95
004192DD C645 BF 05    mov    byte ptr [ebp-41], 5
004192E1 C645 E0 9D    mov    byte ptr [ebp-20], 9D
004192E5 C645 C0 96    mov    byte ptr [ebp-40], 96
004192E9 C645 E1 0E    mov    byte ptr [ebp-1F], 0E
004192ED C645 C1 03    mov    byte ptr [ebp-3F], 3
004192F1 C645 E2 73    mov    byte ptr [ebp-1E], 73
004192F5 C645 C2 5B    mov    byte ptr [ebp-3E], 5B
004192F9 C645 E3 C7    mov    byte ptr [ebp-1D], 0C7
004192FD C645 C3 9F    mov    byte ptr [ebp-3D], 9F
;-----------------------------------------------------------------|
00419301 E8 1F82FEFF    call 00401525                   ; //
00419306 8D86 10240100 lea    eax, dword ptr [esi+12410] ; 载入邮箱的地址
0041930C 50             push eax
0041930D 8D4D 98       lea    ecx, dword ptr [ebp-68]    ; themewnd
00419310 C645 FC 03    mov    byte ptr [ebp-4], 3
00419314 E8 0C82FEFF    call 00401525
00419319 8D9E 18240100 lea    ebx, dword ptr [esi+12418] ; 载入用户数量地址
0041931F 53             push ebx
00419320 8BCF          mov    ecx, edi
00419322 C645 FC 04    mov    byte ptr [ebp-4], 4
00419326 E8 A087FEFF    call 00401ACB                   ; ECX = ASCII "luying10256"
0041932B 8D86 10240100 lea    eax, dword ptr [esi+12410] ; 载入邮箱地址
00419331 50             push eax
00419332 8D45 E4       lea    eax, dword ptr [ebp-1C]
00419335 53             push ebx
00419336 50             push eax
00419337 E8 3985FEFF    call 00401875                   ; 堆栈窗口
0041933C 83C4 0C       add    esp, 0C                      ; (ASCII "[email protected]")
0041933F 50             push eax
00419340 8D8E 10240100 lea    ecx, dword ptr [esi+12410] ; 载入邮箱地址
00419346 C645 FC 05    mov    byte ptr [ebp-4], 5
0041934A E8 A784FEFF    call 004017F6
0041934F 8B4D E4       mov    ecx, dword ptr [ebp-1C]    ;  ECX = (ASCII "[email protected]")
00419352 83C1 F0       add    ecx, -10
00419355 C645 FC 04    mov    byte ptr [ebp-4], 4
00419359 E8 877EFEFF    call 004011E5
;---------------------------<对[ID-Num]进行"异或"加密运算>--------|
0041935E 33DB          xor    ebx, ebx                   ; EBX置零
00419360 33C0          xor    eax, eax                   ; EAX置零
.
00419362 8B0F          mov    ecx, dword ptr [edi]       ; (ASCII "luying10256")
00419364 3B41 F4       cmp    eax, dword ptr [ecx-C]
00419367 7D 10          jge    short 00419379             ; //跳出循环体
00419369 8A0C01       mov    cl, byte ptr [ecx+eax]       ; 字符串的第i个字符
0041936C 304C05 C4    xor    byte ptr [ebp+eax-3C], cl    ; [ebp+eax-3C] = [ebp+eax-3C] | cl
00419370 0FB6C9       movzx ecx, cl
00419373 014D E8       add    dword ptr [ebp-18], ecx    ; [ebp-18] = [ebp-18] + ECX
00419376 40             inc    eax                         ; EAX++
00419377  ^ EB E9          jmp    short 00419362             ; //循环20H次
;---------------------------<对[Num-Email]进行"异或"加密运算>-----|
00419379 33C0          xor    eax, eax
.
0041937B 8B8E 10240100 mov    ecx, dword ptr [esi+12410] ; (ASCII "[email protected]")
00419381 3B41 F4       cmp    eax, dword ptr [ecx-C]
00419384 7D 10          jge    short 00419396             ; //跳出循环体
00419386 8A0C01       mov    cl, byte ptr [ecx+eax]
00419389 304C05 A4    xor    byte ptr [ebp+eax-5C], cl    ; 上表
0041938D 0FB6C9       movzx ecx, cl
00419390 014D E8       add    dword ptr [ebp-18], ecx    ; [ebp-18] = [ebp-18] + ECX
00419393 40             inc    eax                         ; EAX++
00419394  ^ EB E5          jmp    short 0041937B             ; //循环20H次
;-----------------------------------------------------------------|
00419396 8B45 E8       mov    eax, dword ptr [ebp-18]    ; ss:[0012FB50]=00000979
00419399 6A 19          push 19
0041939B 33D2          xor    edx, edx                   ; EDX置零
0041939D 59             pop    ecx                         ; ECX = 19H
0041939E F7F1          div    ecx                         ; EDX = EAX % ECX
004193A0 8BFA          mov    edi, edx                   ; EDI = EDX
004193A2 83FF 03       cmp    edi, 3                      ;
004193A5 73 02          jnb    short 004193A9             ; <=3,则跳走
.
004193A7 51             push ecx                         ; ECX = 19H
004193A8 5F             pop    edi                         ; EDI = 19H
;---------------------------<对两组"异或"结果进行"异或"运算>------|
004193A9 33C0          xor    eax, eax                   ; EAX置零
.
004193AB 83F8 20       cmp    eax, 20                      ;
004193AE 7D 12          jge    short 004193C2             ; >= 20H,则跳出循环体
.
004193B0 8A4C05 A4    mov    cl, byte ptr [ebp+eax-5C]    ; cl = [ebp+eax-5C]
004193B4 324C05 C4    xor    cl, byte ptr [ebp+eax-3C]    ; cl = cl | [ebp+eax-5C]
004193B8 40             inc    eax                         ; EAX++
004193B9 888C05 63FFFFFF mov    byte ptr [ebp+eax-9D], cl    ; 保存结果:[ebp+eax-9D]
004193C0  ^ EB E9          jmp    short 004193AB             ; //循环(20H次)
;-----------------------------------------------------------------|
004193C2 33C9          xor    ecx, ecx
004193C4 83F9 10       cmp    ecx, 10
004193C7 7D 20          jge    short 004193E9             ; >=10H,跳出循环体

004193C9 0FB6940D 64FFFF>movzx edx, byte ptr [ebp+ecx-9C] ; EDX = [ebp+ecx-9C]
004193D1 0FB6840D 74FFFF>movzx eax, byte ptr [ebp+ecx-8C] ; EDX = [ebp+ecx-8C]
004193D9 33C2          xor    eax, edx                   ; EAX = EAX + EDX
004193DB 33D2          xor    edx, edx                   ; EDX = 0
004193DD F7F7          div    edi                         ; EDX = EAX % EDI
004193DF 80C2 41       add    dl, 41                      ; dl = dl + 41H
004193E2 88540D 84    mov    byte ptr [ebp+ecx-7C], dl    ; 保存结果:[ebp+ecx-7C]
004193E6 41             inc    ecx                         ; ECX++
004193E7  ^ EB DB          jmp    short 004193C4             ; //循环(10H次)
;---------------------------<从内存地址中取出注册码>--------------|
004193E9 33FF          xor    edi, edi
.
004193EB 83FF 10       cmp    edi, 10
004193EE 7D 30          jge    short 00419420
004193F0 33C0          xor    eax, eax
004193F2 8A443D 84    mov    al, byte ptr [ebp+edi-7C]    ; 堆栈 ss:[0012FAEC]=44 ('D')
004193F6 6A 01          push 1
004193F8 8D4D E4       lea    ecx, dword ptr [ebp-1C]
004193FB 50             push eax
004193FC E8 71EDFEFF    call 00408172
00419401 50             push eax
00419402 8D4D A0       lea    ecx, dword ptr [ebp-60]
00419405 C645 FC 06    mov    byte ptr [ebp-4], 6
00419409 E8 BD86FEFF    call 00401ACB
0041940E 8B4D E4       mov    ecx, dword ptr [ebp-1C]
00419411 83C1 F0       add    ecx, -10
00419414 C645 FC 04    mov    byte ptr [ebp-4], 4
00419418 E8 C87DFEFF    call 004011E5
0041941D 47             inc    edi
0041941E  ^ EB CB          jmp    short 004193EB             ;  //循环(10H次)
;---------------------------<真假码比较>--------------------------|
00419420 8D45 A0       lea    eax, dword ptr [ebp-60]    ;  加载真码地址
00419423 50             push eax
00419424 8D86 14240100 lea    eax, dword ptr [esi+12414] ; 加载假码地址
0041942A 50             push eax
0041942B E8 1CE1FEFF    call 0040754C                   ; |*|真假码比较
00419430 84C0          test al, al                      ; 测试标志位
00419432 59             pop    ecx
00419433 59             pop    ecx
00419434 0F84 CF000000 je    00419509                   ; //跳则挂
;---------------------------<提示:注册成功>-----------------------|
0041943A FFB6 18240100 push dword ptr [esi+12418]       ;  数量压栈
00419440 E8 C45E0100    call 0042F309                   ;  转化为10进制放入EAX中
00419445 59             pop    ecx
00419446 8BF8          mov    edi, eax                   ;  EDI = EAX
00419448 C786 00240100 0>mov    dword ptr [esi+12400], 1
00419452 8B86 B8000000 mov    eax, dword ptr [esi+B8]
00419458 3BC7          cmp    eax, edi
0041945A 7E 10          jle    short 0041946C
0041945C 48             dec    eax
0041945D 8BCE          mov    ecx, esi
0041945F 8986 04240100 mov    dword ptr [esi+12404], eax
00419465 E8 C8D7FFFF    call 00416C32
0041946A  ^ EB E6          jmp    short 00419452
0041946C 8D86 18240100 lea    eax, dword ptr [esi+12418]
00419472 50             push eax
00419473 8D45 E8       lea    eax, dword ptr [ebp-18]
00419476 68 F8C04500    push 0045C0F8                   ; oleansoft hidden camera 250x1 v2.27 manager & remote control - full version -
0041947B 50             push eax
0041947C 899E 00240100 mov    dword ptr [esi+12400], ebx
00419482 E8 DC84FEFF    call 00401963
00419487 83C4 0C       add    esp, 0C
0041948A 68 E4C04500    push 0045C0E4                   ;  employees pcs
0041948F 50             push eax
00419490 8D45 E4       lea    eax, dword ptr [ebp-1C]
00419493 50             push eax
00419494 C645 FC 07    mov    byte ptr [ebp-4], 7
00419498 E8 4884FEFF    call 004018E5
0041949D 83C4 0C       add    esp, 0C
004194A0 8B38          mov    edi, dword ptr [eax]
004194A2 C645 FC 08    mov    byte ptr [ebp-4], 8
004194A6 E8 DE5D0300    call 0044F289
004194AB 8B40 04       mov    eax, dword ptr [eax+4]
004194AE 8B48 1C       mov    ecx, dword ptr [eax+1C]
004194B1 57             push edi
004194B2 E8 DF430200    call 0043D896
004194B7 8B4D E4       mov    ecx, dword ptr [ebp-1C]
004194BA 83C1 F0       add    ecx, -10
004194BD E8 237DFEFF    call 004011E5
004194C2 8B4D E8       mov    ecx, dword ptr [ebp-18]
004194C5 83C1 F0       add    ecx, -10
004194C8 C645 FC 04    mov    byte ptr [ebp-4], 4
004194CC E8 147DFEFF    call 004011E5
004194D1 53             push ebx
004194D2 53             push ebx
004194D3 68 ACC04500    push 0045C0AC                   ; full version activation has been successfully finished
004194D8 E8 4AD40200    call 00446927                   ;  //提示注册成功
004194DD 53             push ebx
004194DE 8D8E 202B0100 lea    ecx, dword ptr [esi+12B20]
004194E4 E8 27440200    call 0043D910
004194E9 8D45 9C       lea    eax, dword ptr [ebp-64]
004194EC 8D8E 0C240100 lea    ecx, dword ptr [esi+1240C]
004194F2 50             push eax
004194F3 E8 FE82FEFF    call 004017F6
004194F8 8D45 98       lea    eax, dword ptr [ebp-68]
004194FB 8D8E 10240100 lea    ecx, dword ptr [esi+12410]
00419501 50             push eax
00419502 E8 EF82FEFF    call 004017F6
00419507 EB 12          jmp    short 0041951B
;---------------------------<提示:注册失败>-----------------------|
00419509 53             push ebx
0041950A 53             push ebx
0041950B 68 90C04500    push 0045C090                   ; wrong key! please try againfull version activation has been successfully finished
00419510 E8 12D40200    call 00446927                   ; //提示出错
00419515 33C0          xor    eax, eax
00419517 3BC3          cmp    eax, ebx
00419519 74 07          je    short 00419522
0041951B C746 54 2C83863>mov    dword ptr [esi+54], 3F86832C
00419522 8B4D 98       mov    ecx, dword ptr [ebp-68]    ; (ASCII "[email protected]")
00419525 83C1 F0       add    ecx, -10
00419528 E8 B87CFEFF    call 004011E5
0041952D 8B4D 9C       mov    ecx, dword ptr [ebp-64]    ; (ASCII "luying10")
00419530 83C1 F0       add    ecx, -10
00419533 E8 AD7CFEFF    call 004011E5
00419538 8B4D A0       mov    ecx, dword ptr [ebp-60]    ; (ASCII "DJIMFVELLEJALJNO")
0041953B 83C1 F0       add    ecx, -10
0041953E E8 A27CFEFF    call 004011E5
00419543 33DB          xor    ebx, ebx
00419545 8065 FC 00    and    byte ptr [ebp-4], 0
00419549 8D8D D4FEFFFF lea    ecx, dword ptr [ebp-12C]
0041954F 899E 002E0100 mov    dword ptr [esi+12E00], ebx
00419555 E8 DE840000    call 00421A38
0041955A 8B4D F4       mov    ecx, dword ptr [ebp-C]
0041955D 64:890D 0000000>mov    dword ptr fs:[0], ecx
00419564 8B4D EC       mov    ecx, dword ptr [ebp-14]
00419567 334D 04       xor    ecx, dword ptr [ebp+4]
0041956A E8 A74C0100    call 0042E216
0041956F 5F             pop    edi
00419570 5E             pop    esi
00419571 5B             pop    ebx
00419572 C9             leave
00419573 C3             retn                               ; //结束

--------------------------------------------------------------------------------
【破解总结】

算法如下：
1.[UserName-Quanty]和特定数值组array_A[32]进行异或运算,更新、保存到array_A[32]

[ebp-18] = 0;

int array_A[32] = {0x2B, 0x2D, 0x26, 0xEA, 0x5A, 0x56, 0x22, 0x5D, 0x4B, 0xCB, 0x40, 0x9A, 0x23, 0xA4, 0x61, 0xAB,
               0xED, 0x94, 0x83, 0x1F, 0xDB, 0x8B, 0x19, 0xD8, 0xC4, 0x63, 0xEB, 0x95, 0x9D, 0x0E, 0x73, 0xC7}

for(int i = 0, i < 32, i++)
{
if(i > UserName-Quanty.length)
   break;

array_A[i] = array_A[i] | UserName-Quanty(i);
sum = sum + UserName-Quanty(i)
}

2.[Quanty-Email]和特定数值array_B[32]进行异或运算,更新、保存到array_B[32]

int array_B[32] = {0x59, 0x77, 0x82, 0x75, 0x3B, 0x59, 0x47, 0x58, 0x9E, 0x3B, 0x8B, 0x94, 0xBF, 0x93, 0xB2, 0x7F,
               0xB2, 0xB7, 0x3B, 0xB9, 0x8F, 0x53, 0x70, 0x5F, 0xEB, 0x7B, 0x87, 0x05, 0x96, 0x03, 0x5B, 0x9F}

for(int i = 0, i < 32, i++)
{
if(i > Quanty-Email.length)
   break;

array_B[i] = array_B[i] | Quanty-Email(i);
sum = sum + Quanty-Email(i)
}

3.计算EDI

int EDI = sum % 0x19;
if(EDI < 3)
EDI = 0x19;

4.将两个异或值再次进行异或运算,得到一组为32个数值的序列array_C[32]

int array_C[32] = {};

for(int i = 0, i < 32, i++)
array_C[i] = array_B[i] | array_A[i];


5.将所得的异或值的上下两行进行第三次异或运算,得到一组为16个数值的序列array_D[16]

int array_D[16] = {};

for(int i = 0, i < 16, i++)
{
array_D[i] = array_C[i] | array_C[i+16];
array_D[i] = array_D[i] % EDI + 0x41;
}

6.所得值转化为字符串作为注册码

说明:
(1).用户名长度不足32位
对应的数值的异或值不变

(2).用户名长度超过32位
取前32位进行运算

注册信息保存在C:\WINDOWS下的hcreg212.ini文件中：

         ultrain[email][email protected][/email]FFECCEEFECDBFDDF256
emptyemptyemptyemptyemptyemptyemptyemptyemptyempty
Group 00Group 01Group 02Group 03Group 04Group 05Group 06Group 07Group 08Group 09
Group 10Group 11Group 12Group 13Group 14Group 15Group 16Group 17Group 18Group 19
Group 20Group 21Group 22Group 23Group 24
--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

wxq · 发表于 2007-12-17 08:29:03

支持一下。原版哪里下载的呀？GOOGLE里找不到咧

sufeiyu · 发表于 2007-12-17 09:18:23

写作开始学习算法了不错的文章

lvcaolhx · 发表于 2007-12-17 09:55:15

找到了一个免费的 v2.27
软件大小：1.59 MB
软件语言：简体中文
软件类型：国产软件 - 网络软件 - 远程监控
运行环境：Win9X/Win2000/WinXP/Win2003
授权方式：免费软件

http://down.4j365.com/soft/show.asp?id=1917

用google搜"可以同时监控局域网里的50台电脑"可找到

共享版：http://www.itzoom.cn/down/soft/15702.html

[ 本帖最后由 lvcaolhx 于 2007-12-17 10:02 编辑 ]

		自动登录	找回密码
密码			加入我们

[原创] Hidden Carema　v2.27算法分析

相关帖子

[原创] Hidden Carema v2.27算法分析

相关帖子

[原创] Hidden Carema　v2.27算法分析