菜鸟学习算法，破解Xilisoft DVD to PSP Converter

wzwgp · 发表于 2006-7-4 01:00:31

【软件名称】Xilisoft DVD to PSP Converter 4.0.52.0616
【下载地址】http://www.onlinedown.net/soft/46397.htm
【运行环境】Win9x/Me/NT/2000/XP/2003
【软件类别】国外软件/共享版/视频工具
【保护方式】用户名、注册码、MD5
【作者声明】初学Crack，只是感兴趣，消遣业余时间，错误之处敬请诸位前辈不吝赐教。
【调试环境】Winxp、OllyDBD、PEiD
【软件信息】可以帮你把DVD影片，转换成在PSP上可播放的MP4影片文件或是MP3音乐文件。

一、算法跟踪

PEiD检查：Microsoft Visual C++ 7.0 Method2 [调试]，注册验证过程是主程序调用安装目录里的UILib71.dll文件来完成。
OD 载入程序查找字串参考，没找到关键信息。输入用户名:wzwgp　假码:123456789223456789323456789423456789123　
有“注册码不正确”提示。下断：BP MessageBoxA，在77D5050B处断下。　

77D5050B >  8BFF          MOV EDI,EDI                            ; dvdrip.00458328
77D5050D 55             PUSH EBP
77D5050E 8BEC          MOV EBP,ESP
77D50510 833D 1C04D777 0>CMP DWORD PTR DS:[77D7041C],0
77D50517 74 24          JE SHORT USER32.77D5053D
77D50519 64:A1 18000000  MOV EAX,DWORD PTR FS:[18]
77D5051F 6A 00          PUSH 0

取消断点，Alt+F9返回到1001B778处，向上在1001B720处下断。

1001B720 >/$  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]                ;  下断
1001B726  |.  6A FF       PUSH -1
1001B728  |.  68 02630210 PUSH UILib71.10026302
1001B72D  |.  50          PUSH EAX
1001B72E  |.  64:8925 00000>MOV DWORD PTR FS:[0],ESP
1001B735  |.  83EC 08    SUB ESP,8
1001B738  |.  56          PUSH ESI
1001B739  |.  8BF1       MOV ESI,ECX
1001B73B  |.  E8 D0F4FFFF CALL UILib71.?SaveRegInfo@ImRegDlg@@IAEX>;  用户名、加密注册码写入注册表
1001B740  |.  E8 BBF8FFFF CALL UILib71.?IsValidRegInfo@ImRegDlg@@S>;  还原注册表信息，验证注册码
1001B745  |.  85C0       TEST EAX,EAX                            ;  EAX=0 注册失败
1001B747  |.  75 49       JNZ SHORT UILib71.1001B792             ;  跳注册成功
1001B749  |.  8B0D CC040410 MOV ECX,DWORD PTR DS:[100404CC]
1001B74F  |.  68 442F0000 PUSH 2F44
1001B754  |.  8D4424 08    LEA EAX,DWORD PTR SS:[ESP+8]
1001B758  |.  50          PUSH EAX
1001B759  |.  E8 F217FFFF CALL UILib71.?GetString@ImLanguage@@QBE?>
1001B75E  |.  6A 00       PUSH 0
1001B760  |.  6A 30       PUSH 30
1001B762  |.  8BC8       MOV ECX,EAX
1001B764  |.  C74424 1C 000>MOV DWORD PTR SS:[ESP+1C],0
1001B76C  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#876>]
1001B772  |.  50          PUSH EAX
1001B773  |.  E8 4C820000 CALL <JMP.&MFC71.#1123>                ;  注册失败提示
1001B778  |.  8D4C24 04    LEA ECX,DWORD PTR SS:[ESP+4]
1001B77C  |.  FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#578>]
1001B782  |.  5E          POP ESI
1001B783  |.  8B4C24 08    MOV ECX,DWORD PTR SS:[ESP+8]
1001B787  |.  64:890D 00000>MOV DWORD PTR FS:[0],ECX
1001B78E  |.  83C4 14    ADD ESP,14
1001B791  |.  C3          RETN
1001B792  |>  8D8E A4030000 LEA ECX,DWORD PTR DS:[ESI+3A4]
1001B798  |.  FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#3934>]  ;  MFC71.7C1501A3
1001B79E  |.  84C0       TEST AL,AL
1001B7A0  |.  75 41       JNZ SHORT UILib71.1001B7E3
1001B7A2  |.  68 452F0000 PUSH 2F45
1001B7A7  |.  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
1001B7AB  |.  51          PUSH ECX
1001B7AC  |.  8B0D CC040410 MOV ECX,DWORD PTR DS:[100404CC]
1001B7B2  |.  E8 9917FFFF CALL UILib71.?GetString@ImLanguage@@QBE?>
1001B7B7  |.  6A 00       PUSH 0
1001B7B9  |.  6A 30       PUSH 30
1001B7BB  |.  8BC8       MOV ECX,EAX
1001B7BD  |.  C74424 1C 010>MOV DWORD PTR SS:[ESP+1C],1
1001B7C5  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#876>] ;  注册成功提示
1001B7CB  |.  50          PUSH EAX
1001B7CC  |.  E8 F3810000 CALL <JMP.&MFC71.#1123>

1001B73B 处是将用户名写入注册表，用户名、注册码与常数通过xor shr or 运算加密注册码写入注册表，
　　　　与注册码的产生无关(仅验证注册码时还原注册码)，因此略过。

1001B740 处F7进入，(还原注册表信息，验证注册码)

1001B000 >/$  6A FF       PUSH -1
1001B002  |.  68 BF620210 PUSH UILib71.100262BF             ;  SE 处理程序安装
1001B007  |.  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
1001B00D  |.  50          PUSH EAX
1001B00E  |.  64:8925 00000>MOV DWORD PTR FS:[0],ESP
1001B015  |.  81EC A4000000 SUB ESP,0A4
1001B01B  |.  A1 70010410 MOV EAX,DWORD PTR DS:[10040170]
1001B020  |.  53          PUSH EBX
1001B021  |.  56          PUSH ESI
1001B022  |.  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
1001B026  |.  898424 A80000>MOV DWORD PTR SS:[ESP+A8],EAX
1001B02D  |.  FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;  MFC71.7C173199
1001B033  |.  8D4C24 18    LEA ECX,DWORD PTR SS:[ESP+18]
1001B037  |.  C78424 B40000>MOV DWORD PTR SS:[ESP+B4],0
1001B042  |.  FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;  MFC71.7C173199
1001B048  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B04C  |.  FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;  MFC71.7C173199
1001B052  |.  8B0D D0040410 MOV ECX,DWORD PTR DS:[100404D0]    ;  UILib71.?g_pref@@3VImAppPref@@A
1001B058  |.  8D4424 20    LEA EAX,DWORD PTR SS:[ESP+20]
1001B05C  |.  50          PUSH EAX
1001B05D  |.  C68424 B80000>MOV BYTE PTR SS:[ESP+B8],2
1001B065  |.  E8 F6A6FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B06A  |.  8BC8       MOV ECX,EAX
1001B06C  |.  83C1 2C    ADD ECX,2C
1001B06F  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;  读注册表信息
1001B075  |.  50          PUSH EAX                         ; |Subkey
1001B076  |.  68 01000080 PUSH 80000001                      ; |hKey = HKEY_CURRENT_USER
1001B07B  |.  FF15 04700210 CALL NEAR DWORD PTR DS:[<&ADVAPI32.>; \RegCreateKeyA
1001B081  |.  85C0       TEST EAX,EAX
1001B083  |.  0F85 B1000000 JNZ UILib71.1001B13A
1001B089  |.  8D4C24 08    LEA ECX,DWORD PTR SS:[ESP+8]
1001B08D  |.  51          PUSH ECX
1001B08E  |.  68 00020000 PUSH 200
1001B093  |.  8D4C24 18    LEA ECX,DWORD PTR SS:[ESP+18]
1001B097  |.  C74424 10 000>MOV DWORD PTR SS:[ESP+10],200
1001B09F  |.  FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>;  MFC71.7C15102A
1001B0A5  |.  8B5424 24    MOV EDX,DWORD PTR SS:[ESP+24]    ; |
1001B0A9  |.  8B35 10700210 MOV ESI,DWORD PTR DS:[<&ADVAPI32.Re>; |ADVAPI32.RegQueryValueExA
1001B0AF  |.  50          PUSH EAX                         ; |Buffer
1001B0B0  |.  6A 00       PUSH 0                            ; |pValueType = NULL
1001B0B2  |.  6A 00       PUSH 0                            ; |Reserved = NULL
1001B0B4  |.  68 3C810210 PUSH UILib71.1002813C             ; |name
1001B0B9  |.  52          PUSH EDX                         ; |hKey
1001B0BA  |.  FFD6       CALL NEAR ESI                      ; \RegQueryValueExA
1001B0BC  |.  6A FF       PUSH -1
1001B0BE  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B0C2  |.  FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>;  取用户名长度
1001B0C8  |.  8D4424 08    LEA EAX,DWORD PTR SS:[ESP+8]
1001B0CC  |.  50          PUSH EAX
1001B0CD  |.  68 00020000 PUSH 200
1001B0D2  |.  8D4C24 20    LEA ECX,DWORD PTR SS:[ESP+20]
1001B0D6  |.  C74424 10 000>MOV DWORD PTR SS:[ESP+10],200
1001B0DE  |.  FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B0E4  |.  8B4C24 24    MOV ECX,DWORD PTR SS:[ESP+24]
1001B0E8  |.  50          PUSH EAX
1001B0E9  |.  6A 00       PUSH 0
1001B0EB  |.  6A 00       PUSH 0
1001B0ED  |.  68 30E10210 PUSH UILib71.1002E130
1001B0F2  |.  51          PUSH ECX
1001B0F3  |.  FFD6       CALL NEAR ESI
1001B0F5  |.  6A FF       PUSH -1
1001B0F7  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B0FB  |.  FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>
1001B101  |.  8D5424 08    LEA EDX,DWORD PTR SS:[ESP+8]
1001B105  |.  52          PUSH EDX
1001B106  |.  68 00020000 PUSH 200
1001B10B  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B10F  |.  C74424 10 000>MOV DWORD PTR SS:[ESP+10],200
1001B117  |.  FF15 40720210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B11D  |.  50          PUSH EAX
1001B11E  |.  8B4424 28    MOV EAX,DWORD PTR SS:[ESP+28]
1001B122  |.  6A 00       PUSH 0
1001B124  |.  6A 00       PUSH 0
1001B126  |.  68 38E10210 PUSH UILib71.1002E138
1001B12B  |.  50          PUSH EAX
1001B12C  |.  FFD6       CALL NEAR ESI                      ;  取保存在注册表中的计算结果
1001B12E  |.  6A FF       PUSH -1
1001B130  |.  8D4C24 18    LEA ECX,DWORD PTR SS:[ESP+18]
1001B134  |.  FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>
1001B13A  |>  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B13E  |.  FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B144  |.  84C0       TEST AL,AL
1001B146  |.  0F85 8E000000 JNZ UILib71.1001B1DA
1001B14C  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B150  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B156  |.  50          PUSH EAX
1001B157  |.  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
1001B15B  |.  51          PUSH ECX
1001B15C  |.  E8 CFF3FFFF CALL UILib71.?Hex2StringA@ImRegDlg@>
1001B161  |.  83C4 08    ADD ESP,8
1001B164  |.  B3 03       MOV BL,3
1001B166  |.  8D4C24 34    LEA ECX,DWORD PTR SS:[ESP+34]
1001B16A  |.  889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B171  |.  E8 DA700000 CALL UILib71.10022250             ;  处理常数(加密注册码写入注册表用)
1001B176  |.  8D4C24 08    LEA ECX,DWORD PTR SS:[ESP+8]
1001B17A  |.  C68424 B40000>MOV BYTE PTR SS:[ESP+B4],4
1001B182  |.  FF15 78750210 CALL NEAR DWORD PTR DS:[<&MFC71.#24>
1001B188  |.  50          PUSH EAX
1001B189  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B18D  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B193  |.  50          PUSH EAX
1001B194  |.  8D4C24 3C    LEA ECX,DWORD PTR SS:[ESP+3C]
1001B198  |.  E8 C3750000 CALL UILib71.10022760             ;  还原(解密)保存在注册表中的假码
1001B19D  |.  6A FF       PUSH -1
1001B19F  |.  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
1001B1A3  |.  FF15 3C720210 CALL NEAR DWORD PTR DS:[<&MFC71.#54>;  取假码位数
1001B1A9  |.  8D5424 08    LEA EDX,DWORD PTR SS:[ESP+8]
1001B1AD  |.  52          PUSH EDX
1001B1AE  |.  8D4C24 18    LEA ECX,DWORD PTR SS:[ESP+18]
1001B1B2  |.  FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>
1001B1B8  |.  8D4C24 34    LEA ECX,DWORD PTR SS:[ESP+34]
1001B1BC  |.  889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B1C3  |.  E8 F8700000 CALL UILib71.100222C0
1001B1C8  |.  8D4C24 08    LEA ECX,DWORD PTR SS:[ESP+8]
1001B1CC  |.  C68424 B40000>MOV BYTE PTR SS:[ESP+B4],2
1001B1D4  |.  FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B1DA  |>  6A 14       PUSH 14
1001B1DC  |.  8D4424 0C    LEA EAX,DWORD PTR SS:[ESP+C]
1001B1E0  |.  50          PUSH EAX
1001B1E1  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B1E5  |.  FF15 8C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B1EB  |.  50          PUSH EAX
1001B1EC  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B1F0  |.  C68424 B80000>MOV BYTE PTR SS:[ESP+B8],5
1001B1F8  |.  FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>;  取假码前20位地址
1001B1FE  |.  8D4C24 08    LEA ECX,DWORD PTR SS:[ESP+8]
1001B202  |.  C68424 B40000>MOV BYTE PTR SS:[ESP+B4],2
1001B20A  |.  FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B210  |.  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
1001B214  |.  FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B21A  |.  84C0       TEST AL,AL
1001B21C  |.  0F85 D3030000 JNZ UILib71.1001B5F5
1001B222  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B226  |.  FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B22C  |.  84C0       TEST AL,AL
1001B22E  |.  0F85 C1030000 JNZ UILib71.1001B5F5
1001B234  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B238  |.  FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>;  取假码位数
1001B23E  |.  83F8 27    CMP EAX,27                         ;  注册码位数＝27
1001B241  |.  0F85 AE030000 JNZ UILib71.1001B5F5
1001B247  |.  8D4C24 18    LEA ECX,DWORD PTR SS:[ESP+18]    ;  [ESP+18]=假码前20位地址
1001B24B  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B251  |.  8B0D D0040410 MOV ECX,DWORD PTR DS:[100404D0]    ;  UILib71.?g_pref@@3VImAppPref@@A
1001B257  |.  E8 04A5FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B25C  |.  83C0 38    ADD EAX,38
1001B25F  |.  50          PUSH EAX
1001B260  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]    ;  [ESP+14]用户名地址
1001B264  |.  FF15 70770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>;  EAX= "Xilisoftdvdtopspconverter4"
1001B26A  |.  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
1001B26E  |.  FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>;  MFC71.7C173199
1001B274  |.  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
1001B278  |.  C68424 B40000>MOV BYTE PTR SS:[ESP+B4],6
1001B280  |.  33F6       XOR ESI,ESI
1001B282  |.  FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>;  取"Xilisoftdvdtopspconverter4"长度
1001B288  |.  85C0       TEST EAX,EAX
1001B28A  |.  7E 5C       JLE SHORT UILib71.1001B2E8
1001B28C  |.  8D6424 00    LEA ESP,DWORD PTR SS:[ESP]
1001B290  |>  8BCE       /MOV ECX,ESI
1001B292  |.  81E1 01000080 |AND ECX,80000001
1001B298  |.  79 05       |JNS SHORT UILib71.1001B29F
1001B29A  |.  49          |DEC ECX
1001B29B  |.  83C9 FE    |OR ECX,FFFFFFFE
1001B29E  |.  41          |INC ECX
1001B29F  |>  75 38       |JNZ SHORT UILib71.1001B2D9
1001B2A1  |.  56          |PUSH ESI
1001B2A2  |.  8D4C24 14    |LEA ECX,DWORD PTR SS:[ESP+14]    ;  [ESP+14]=ASCII "Xilisoftdvdtopspconverter4"
1001B2A6  |.  FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>;  AL=58(X)取[ESP+14]中的奇数位Ascii码
1001B2AC  |.  8D4C24 0C    |LEA ECX,DWORD PTR SS:[ESP+C]
1001B2B0  |.  50          |PUSH EAX
1001B2B1  |.  FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;  保存58(X)
1001B2B7  |.  8D46 01    |LEA EAX,DWORD PTR DS:[ESI+1]    ;  [ESI+1]=已取到第几位字符+1
1001B2BA  |.  99          |CDQ
1001B2BB  |.  B9 FF000000 |MOV ECX,0FF
1001B2C0  |.  F7F9       |IDIV ECX
1001B2C2  |.  84D2       |TEST DL,DL
1001B2C4  |.  885424 08    |MOV BYTE PTR SS:[ESP+8],DL       ;  DL=01、03(偶数位)
1001B2C8  |.  74 0F       |JE SHORT UILib71.1001B2D9
1001B2CA  |.  8B5424 08    |MOV EDX,DWORD PTR SS:[ESP+8]
1001B2CE  |.  52          |PUSH EDX
1001B2CF  |.  8D4C24 10    |LEA ECX,DWORD PTR SS:[ESP+10]
1001B2D3  |.  FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;  保存DL
1001B2D9  |>  8D4C24 10    |LEA ECX,DWORD PTR SS:[ESP+10]
1001B2DD  |.  46          |INC ESI                         ;  ESI 计数器
1001B2DE  |.  FF15 C8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#2>;  MFC71.7C146AB0
1001B2E4  |.  3BF0       |CMP ESI,EAX                      ;  EAX=1A(字符串长度)
1001B2E6  |.^ 7C A8       \JL SHORT UILib71.1001B290
1001B2E8  |>  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
1001B2EC  |.  33F6       XOR ESI,ESI
1001B2EE  |.  FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>;  MFC71.7C146AB0
1001B2F4  |.  85C0       TEST EAX,EAX
1001B2F6  |.  7E 5F       JLE SHORT UILib71.1001B357
1001B2F8  |.  EB 06       JMP SHORT UILib71.1001B300
1001B2FA  | 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
1001B300  |>  8BC6       /MOV EAX,ESI
1001B302  |.  25 01000080 |AND EAX,80000001
1001B307  |.  79 05       |JNS SHORT UILib71.1001B30E
1001B309  |.  48          |DEC EAX
1001B30A  |.  83C8 FE    |OR EAX,FFFFFFFE
1001B30D  |.  40          |INC EAX
1001B30E  |>  74 38       |JE SHORT UILib71.1001B348
1001B310  |.  56          |PUSH ESI
1001B311  |.  8D4C24 14    |LEA ECX,DWORD PTR SS:[ESP+14]    ;  [ESP+14]=ASCII "Xilisoftdvdtopspconverter4"
1001B315  |.  FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>;  AL=58(i)取[ESP+14]中的偶数位Ascii码
1001B31B  |.  8D4C24 0C    |LEA ECX,DWORD PTR SS:[ESP+C]
1001B31F  |.  50          |PUSH EAX
1001B320  |.  FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;  保存58(i)
1001B326  |.  8D46 01    |LEA EAX,DWORD PTR DS:[ESI+1]    ;  [ESI+1]=已取到第几位字符+1
1001B329  |.  99          |CDQ
1001B32A  |.  B9 FF000000 |MOV ECX,0FF
1001B32F  |.  F7F9       |IDIV ECX
1001B331  |.  84D2       |TEST DL,DL
1001B333  |.  885424 08    |MOV BYTE PTR SS:[ESP+8],DL       ;  DL=2、4
1001B337  |.  74 0F       |JE SHORT UILib71.1001B348
1001B339  |.  8B5424 08    |MOV EDX,DWORD PTR SS:[ESP+8]
1001B33D  |.  52          |PUSH EDX
1001B33E  |.  8D4C24 10    |LEA ECX,DWORD PTR SS:[ESP+10]
1001B342  |.  FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;  保存DL
1001B348  |>  8D4C24 10    |LEA ECX,DWORD PTR SS:[ESP+10]
1001B34C  |.  46          |INC ESI                         ;  ESI 计数器
1001B34D  |.  FF15 C8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#2>;  MFC71.7C146AB0
1001B353  |.  3BF0       |CMP ESI,EAX
1001B355  |.^ 7C A9       \JL SHORT UILib71.1001B300       ;  EAX=1A(字符串长度)
1001B357  |>  8D4C24 24    LEA ECX,DWORD PTR SS:[ESP+24]
1001B35B  |.  FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B361  |.  6A 01       PUSH 1
1001B363  |.  8D4424 28    LEA EAX,DWORD PTR SS:[ESP+28]
1001B367  |.  68 50E10210 PUSH UILib71.1002E150
1001B36C  |.  50          PUSH EAX
1001B36D  |.  C68424 C00000>MOV BYTE PTR SS:[ESP+C0],7
1001B375  |.  FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B37B  |.  83C4 0C    ADD ESP,0C
1001B37E  |.  8D4C24 24    LEA ECX,DWORD PTR SS:[ESP+24]
1001B382  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>
1001B388  |.  50          PUSH EAX
1001B389  |.  6A 00       PUSH 0
1001B38B  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B38F  |.  FF15 84750210 CALL NEAR DWORD PTR DS:[<&MFC71.#38>;  字符串头部加上1
1001B395  |.  8D4C24 28    LEA ECX,DWORD PTR SS:[ESP+28]
1001B399  |.  FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B39F  |.  8D4C24 2C    LEA ECX,DWORD PTR SS:[ESP+2C]
1001B3A3  |.  FF15 D4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#31>
1001B3A9  |.  6A 00       PUSH 0
1001B3AB  |.  8D4C24 2C    LEA ECX,DWORD PTR SS:[ESP+2C]
1001B3AF  |.  68 50E10210 PUSH UILib71.1002E150
1001B3B4  |.  B3 09       MOV BL,9
1001B3B6  |.  51          PUSH ECX
1001B3B7  |.  889C24 C00000>MOV BYTE PTR SS:[ESP+C0],BL
1001B3BE  |.  FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B3C4  |.  6A 00       PUSH 0
1001B3C6  |.  8D5424 3C    LEA EDX,DWORD PTR SS:[ESP+3C]
1001B3CA  |.  68 50E10210 PUSH UILib71.1002E150
1001B3CF  |.  52          PUSH EDX
1001B3D0  |.  FF15 D8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#23>
1001B3D6  |.  8D4424 44    LEA EAX,DWORD PTR SS:[ESP+44]
1001B3DA  |.  50          PUSH EAX
1001B3DB  |.  8D4C24 44    LEA ECX,DWORD PTR SS:[ESP+44]
1001B3DF  |.  51          PUSH ECX
1001B3E0  |.  8D5424 28    LEA EDX,DWORD PTR SS:[ESP+28]
1001B3E4  |.  52          PUSH EDX
1001B3E5  |.  E8 E66DFEFF CALL UILib71.100021D0
1001B3EA  |.  83C4 24    ADD ESP,24
1001B3ED  |.  50          PUSH EAX
1001B3EE  |.  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
1001B3F2  |.  C68424 B80000>MOV BYTE PTR SS:[ESP+B8],0A
1001B3FA  |.  FF15 80770210 CALL NEAR DWORD PTR DS:[<&MFC71.#90>;  字符串尾部加上00
1001B400  |.  8D4C24 08    LEA ECX,DWORD PTR SS:[ESP+8]
1001B404  |.  889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B40B  |.  FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>
1001B411  |.  8D4424 18    LEA EAX,DWORD PTR SS:[ESP+18]
1001B415  |.  50          PUSH EAX
1001B416  |.  8D4C24 20    LEA ECX,DWORD PTR SS:[ESP+20]
1001B41A  |.  FF15 E4770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>
1001B420  |.  B3 0B       MOV BL,0B
1001B422  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B426  |.  889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B42D  |.  FF15 80750210 CALL NEAR DWORD PTR DS:[<&MFC71.#40>;  [取假码前20位]
1001B433  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B437  |.  FF15 5C740210 CALL NEAR DWORD PTR DS:[<&MFC71.#61>
1001B43D  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B441  |.  FF15 58740210 CALL NEAR DWORD PTR DS:[<&MFC71.#61>
1001B447  |.  8D4C24 1C    LEA ECX,DWORD PTR SS:[ESP+1C]
1001B44B  |.  FF15 7C770210 CALL NEAR DWORD PTR DS:[<&MFC71.#39>
1001B451  |.  84C0       TEST AL,AL
1001B453  |.  74 0F       JE SHORT UILib71.1001B464
1001B455  |.  68 44E10210 PUSH UILib71.1002E144
1001B45A  |.  8D4C24 20    LEA ECX,DWORD PTR SS:[ESP+20]
1001B45E  |.  FF15 78770210 CALL NEAR DWORD PTR DS:[<&MFC71.#78>
1001B464  |>  8B0D D0040410 MOV ECX,DWORD PTR DS:[100404D0]    ;  UILib71.?g_pref@@3VImAppPref@@A
1001B46A  |.  E8 F1A2FEFF CALL UILib71.?GetAppInfo@ImAppPref@>
1001B46F  |.  83C0 38    ADD EAX,38
1001B472  |.  50          PUSH EAX
1001B473  |.  8D4C24 20    LEA ECX,DWORD PTR SS:[ESP+20]
1001B477  |.  51          PUSH ECX
1001B478  |.  8D5424 10    LEA EDX,DWORD PTR SS:[ESP+10]
1001B47C  |.  52          PUSH EDX
1001B47D  |.  E8 4E6DFEFF CALL UILib71.100021D0             ;  假码前20位与固定字符连接
1001B482  |.  83C4 0C    ADD ESP,0C
1001B485  |.  50          PUSH EAX
1001B486  |.  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
1001B48A  |.  C68424 B80000>MOV BYTE PTR SS:[ESP+B8],0C
1001B492  |.  FF15 80770210 CALL NEAR DWORD PTR DS:[<&MFC71.#90>;  最后连接成101位长的字符串
1001B498  |.  8D4C24 08    LEA ECX,DWORD PTR SS:[ESP+8]
1001B49C  |.  889C24 B40000>MOV BYTE PTR SS:[ESP+B4],BL
1001B4A3  |.  FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>;  MFC71.7C1771B1
1001B4A9  |.  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
1001B4AD  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;  MFC71.7C158BCD
1001B4B3  |.  50          PUSH EAX
1001B4B4  |.  8D4C24 70    LEA ECX,DWORD PTR SS:[ESP+70]
1001B4B8  |.  E8 03740000 CALL UILib71.100228C0             ;  进入MD5加密运算
1001B4BD  |.  8D4C24 6C    LEA ECX,DWORD PTR SS:[ESP+6C]
1001B4C1  |.  C68424 B40000>MOV BYTE PTR SS:[ESP+B4],0D
1001B4C9  |.  E8 32730000 CALL UILib71.10022800             ;  EAX=(d96d58a51ae3c1f181c821811c8b751b)
1001B4CE  |.  50          PUSH EAX                         ;  加密数据入栈
1001B4CF  |.  8D4C24 34    LEA ECX,DWORD PTR SS:[ESP+34]
1001B4D3  |.  FF15 DC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#30>;  EAX=加密数据地址
1001B4D9  |.  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
1001B4DD  |.  C68424 B40000>MOV BYTE PTR SS:[ESP+B4],0E
1001B4E5  |.  FF15 D0730210 CALL NEAR DWORD PTR DS:[<&MFC71.#21>
1001B4EB  |.  33F6       XOR ESI,ESI
1001B4ED  |.  8D49 00    LEA ECX,DWORD PTR DS:[ECX]
1001B4F0  |>  56          /PUSH ESI
1001B4F1  |.  8D4C24 34    |LEA ECX,DWORD PTR SS:[ESP+34]
1001B4F5  |.  FF15 B8770210 |CALL NEAR DWORD PTR DS:[<&MFC71.#8>;  取计算结果奇数位Ascii码
1001B4FB  |.  8D4C24 0C    |LEA ECX,DWORD PTR SS:[ESP+C]
1001B4FF  |.  50          |PUSH EAX
1001B500  |.  FF15 6C750210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;  连接取出的Ascii码
1001B506  |.  8BC6       |MOV EAX,ESI
1001B508  |.  D1E8       |SHR EAX,1
1001B50A  |.  40          |INC EAX
1001B50B  |.  25 03000080 |AND EAX,80000003                ;  计算是否要加“-”
1001B510  |.  79 05       |JNS SHORT UILib71.1001B517
1001B512  |.  48          |DEC EAX
1001B513  |.  83C8 FC    |OR EAX,FFFFFFFC
1001B516  |.  40          |INC EAX
1001B517  |>  75 0F       |JNZ SHORT UILib71.1001B528
1001B519  |.  68 40E10210 |PUSH UILib71.1002E140             ;  “-”地址入栈
1001B51E  |.  8D4C24 10    |LEA ECX,DWORD PTR SS:[ESP+10]
1001B522  |.  FF15 C4730210 |CALL NEAR DWORD PTR DS:[<&MFC71.#9>;  取满4位加“-”连接
1001B528  |>  83C6 02    |ADD ESI,2
1001B52B  |.  83FE 20    |CMP ESI,20
1001B52E  |.^ 7C C0       \JL SHORT UILib71.1001B4F0
1001B530  |.  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
1001B534  |.  FF15 80750210 CALL NEAR DWORD PTR DS:[<&MFC71.#40>;  转成大写
1001B53A  |.  6A 01       PUSH 1
1001B53C  |.  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
1001B540  |.  FF15 C8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#29>
1001B546  |.  48          DEC EAX
1001B547  |.  50          PUSH EAX
1001B548  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B54C  |.  FF15 7C750210 CALL NEAR DWORD PTR DS:[<&MFC71.#19>;  去掉尾部“－”
1001B552  |.  8D4C24 18    LEA ECX,DWORD PTR SS:[ESP+18]
1001B556  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;  假码前20位
1001B55C  |.  50          PUSH EAX
1001B55D  |.  6A 00       PUSH 0
1001B55F  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B563  |.  FF15 84750210 CALL NEAR DWORD PTR DS:[<&MFC71.#38>;  假码前20位与计算结果连接
1001B569  |.  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
1001B56D  |.  FF15 CC770210 CALL NEAR DWORD PTR DS:[<&MFC71.#87>;  MFC71.7C158BCD
1001B573  |.  50          PUSH EAX                         ;  EAX=假码地址
1001B574  |.  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]    ;  [ESP+10]=计算结果地址
1001B578  |.  FF15 4C740210 CALL NEAR DWORD PTR DS:[<&MFC71.#14>;  验证注册码
1001B57E  |.  F7D8       NEG EAX                            ;  EAX=1注册验证失败
1001B580    1AC0       SBB AL,AL                         ;  爆破点(xor al,al)
1001B582  |.  FEC0       INC AL
1001B584  |.  8D4C24 30    LEA ECX,DWORD PTR SS:[ESP+30]
1001B588  |.  0FB6F0       MOVZX ESI,AL
1001B58B  |.  FF15 E8770210 CALL NEAR DWORD PTR DS:[<&MFC71.#57>;  MFC71.7C1771B1

二、算法小结

1. 字符串连接

1.1 软件名称奇数位与奇数连接
Xilisoftdvdtopspconverter4 --->  Xlsfddoscnetr  ---> X1l3s5f7d9dbodsfc11n13e15t17r19
                              135 …… 151719
(58 01 6C 03 73 05 66 07 64 09 64 0B 6F 0D 73 0F 63 11 6E 13 65 15 74 17 72 19)

1.2 软件名称偶数位与偶数连接
Xilisoftdvdtopspconverter4 --->  iiotvtppovre4 ---> i2i4o6t8vAtCpEp10o12v14r16e1841A
                              246 …… 16181A
(69 02 69 04 6F 06 74 08 76 0A 74 0C 70 0E 70 10 6F 12 76 14 72 16 65 18 34 1A)

1.3 头部加1尾部加00
1 + X1l3s5f7d9dbodsfc11n13e15t17r19 + i2i4o6t8vAtCpEp10o12v14r16e1841A + 00
         ------->
1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A00

1.4 假码前20位与软件名称连接
12345678922345678932 + Xilisoftdvdtopspconverter4
　　　　　　------->
12345678922345678932Xilisoftdvdtopspconverter4

1.5 形成最后字符串(1.3 + 1.4)
1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A0012345678922345678932Xilisoftdvdtopspconverter4
(31 58 01 6C 03 73 05 66 07 64 09 64 0B 6F 0D 73 0F 63 11 6E 13 65 15 74 17 72 19 69 02 69 04 6F 06 74 08 76 0A 74 0C

70 0E 70 10 6F 12 76 14 72 16 65 18 34 1A 30 30 31 32 33 34 35 36 37 38 39 32 32 33 34 35 36 37 38 39 33 32 58 69 6C

69 73 6F 66 74 64 76 64 74 6F 70 73 70 63 6F 6E 76 65 72 74 65 72 34)

2. MD5加密字符串

2.1 标准MD5加密字符串前64位
(1X1l3s5f7d9dbodsfc11n13e15t17r19i2i4o6t8vAtCpEp10o12v14r16e1841A00123456789)
得到：(F22B9292)(A1300D51)(66297222)(DF3639B7)

2.2 将2.1得到的4个数字作为MD5常数加密字符串后37位
(22345678932Xilisoftdvdtopspconverter4)
得到：94289881fc09a399b914279409095be1

2.3 取出2.2数字中的奇数位
94289881fc09a399b914279409095be1 ----> 9298f0a9b129005e ----> 9298-F0A9-B129-005E

3 假码前20位与2.3的结果连接得到注册码
注册码＝12345678922345678932 + 9298-F0A9-B129-005E
      ---->
      123456789223456789329298-F0A9-B129-005E

4 注册码位数必须是39位(27H)

注册信息保存在:HKEY_CURRENT_USER\Software\Xilisoft\DVD to PSP Converter 4\RegInfo

黑夜彩虹 · 发表于 2006-7-4 08:05:15

向老大学习~~~

ZHOU2X · 发表于 2006-7-4 09:08:02

学习，收藏！！支持！！！！
算法学习好题材！！

浮云思音 · 发表于 2006-7-4 09:38:54

唉,这个如果是菜鸟学的算法,那我对学算法的信心不大

看了这个算法,一个字,晕~~~~

寒湖鹤影 · 发表于 2006-7-4 14:58:26

学习，楼主真有耐性，向楼主学习

bfqyygy · 发表于 2006-7-4 15:53:29

好文章..莱鸟先学习了一下!

野猫III · 发表于 2006-7-4 20:31:18

原帖由 浮云思音 于 2006-7-4 09:38 发表
唉,这个如果是菜鸟学的算法,那我对学算法的信心不大

看了这个算法,一个字,晕~~~~

MD5?也一个字～～～晕！

快雪时晴 · 发表于 2006-7-4 22:17:54

原帖由 wzwgp 于 2006-7-4 01:00 发表
【软件名称】Xilisoft DVD to PSP Converter 4.0.52.0616
【下载地址】http://www.onlinedown.net/soft/46397.htm
【运行环境】Win9x/Me/NT/2000/XP/2003
【软件类别】国外软件/共享版/视频工具
【保护方式 ...

2.2 将2.1得到的4个数字作为MD5常数加密字符串后37位
(22345678932Xilisoftdvdtopspconverter4)
得到：94289881fc09a399b914279409095be1

兄台辛苦了

另外请问有无可以自定义常数的MD5计算工具
（我指现成的，要编就算了：-），懒得动手）

wzwgp · 发表于 2006-7-5 01:23:40

原帖由 快雪时晴 于 2006-7-4 22:17 发表

兄台辛苦了

另外请问有无可以自定义常数的MD5计算工具
（我指现成的，要编就算了：-），懒得动手）

感谢版主鼓励。不好意思，我没有自定义常数的MD5计算工具。

wzwgp · 发表于 2006-7-5 06:50:00

原帖由 野猫III 于 2006-7-4 20:31 发表

MD5?也一个字～～～晕！

猫兄不好意思，现贴上第一次MD5的代码，主要是太长了，显得累赘。

1001B4B8 处F7进入MD5加密运算

100228C0  /$  8B4424 04    MOV EAX,DWORD PTR SS:[ESP+4]
100228C4  |.  56          PUSH ESI
100228C5  |.  8BF1       MOV ESI,ECX
100228C7  |.  C706 0CF20210 MOV DWORD PTR DS:[ESI],UILib71.1002F20C
100228CD  |.  8946 38    MOV DWORD PTR DS:[ESI+38],EAX
100228D0  |.  C646 35 00 MOV BYTE PTR DS:[ESI+35],0
100228D4  |.  E8 37FFFFFF CALL UILib71.10022810                   ;  MD5加密
100228D9  |.  8846 04    MOV BYTE PTR DS:[ESI+4],AL
100228DC  |.  8BC6       MOV EAX,ESI
100228DE  |.  5E          POP ESI
100228DF  \.  C2 0400    RETN 4

100228D4 处F7进入MD5加密

10022810  /$  83EC 5C    SUB ESP,5C                            ;  本地调用来自 100228D4
10022813  |.  A1 70010410 MOV EAX,DWORD PTR DS:[10040170]
10022818  |.  53          PUSH EBX
10022819  |.  55          PUSH EBP
1002281A  |.  56          PUSH ESI
1002281B  |.  894424 64    MOV DWORD PTR SS:[ESP+64],EAX
1002281F  |.  57          PUSH EDI
10022820  |.  8D4424 10    LEA EAX,DWORD PTR SS:[ESP+10]
10022824  |.  50          PUSH EAX
10022825  |.  8BF9       MOV EDI,ECX
10022827  |.  E8 C4000000 CALL UILib71.100228F0                   ;  初始化MD5变量
1002282C  |.  8B4F 38    MOV ECX,DWORD PTR DS:[EDI+38]
1002282F  |.  8BC1       MOV EAX,ECX
10022831  |.  83C4 04    ADD ESP,4
10022834  |.  8D70 01    LEA ESI,DWORD PTR DS:[EAX+1]
10022837  |>  8A10       /MOV DL,BYTE PTR DS:[EAX]
10022839  |.  40          |INC EAX
1002283A  |.  84D2       |TEST DL,DL
1002283C  |.^ 75 F9       \JNZ SHORT UILib71.10022837
1002283E  |.  2BC6       SUB EAX,ESI                            ;  计算字符串位数＝65(H) 101(D)
10022840  |.  50          PUSH EAX
10022841  |.  51          PUSH ECX
10022842  |.  8D4C24 18    LEA ECX,DWORD PTR SS:[ESP+18]
10022846  |.  51          PUSH ECX
10022847  |.  E8 B4090000 CALL UILib71.10023200                   ;  MD5加密字符串前64位
1002284C  |.  8D5424 1C    LEA EDX,DWORD PTR SS:[ESP+1C]
10022850  |.  52          PUSH EDX
10022851  |.  8D5F 05    LEA EBX,DWORD PTR DS:[EDI+5]
10022854  |.  53          PUSH EBX
10022855  |.  E8 660A0000 CALL UILib71.100232C0                   ;  MD5常数加密字符串后37位
1002285A  |.  8B2D A8780210 MOV EBP,DWORD PTR DS:[<&MSVCR71.sprintf>>
10022860  |.  83C4 14    ADD ESP,14
10022863  |.  33F6       XOR ESI,ESI
10022865  |.  83C7 15    ADD EDI,15
10022868  |.  EB 06       JMP SHORT UILib71.10022870
1002286A  | 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
10022870  |>  0FB60433    /MOVZX EAX,BYTE PTR DS:[EBX+ESI]
10022874  |.  50          |PUSH EAX
10022875  |.  68 10F20210 |PUSH UILib71.1002F210                ;  %02x
1002287A  |.  57          |PUSH EDI
1002287B  |.  FFD5       |CALL NEAR EBP
1002287D  |.  83C4 0C    |ADD ESP,0C
10022880  |.  83C7 02    |ADD EDI,2
10022883  |.  46          |INC ESI
10022884  |.  83FE 10    |CMP ESI,10
10022887  |.^ 7C E7       \JL SHORT UILib71.10022870
10022889  |.  8B4C24 68    MOV ECX,DWORD PTR SS:[ESP+68]
1002288D  |.  5F          POP EDI
1002288E  |.  5E          POP ESI
1002288F  |.  5D          POP EBP
10022890  |.  B0 01       MOV AL,1
10022892  |.  5B          POP EBX
10022893  |.  E8 5D140000 CALL UILib71.10023CF5
10022898  |.  83C4 5C    ADD ESP,5C
1002289B  \.  C3          RETN

10022847 处F7进入MD5加密字符串前64位

10023200  /$  53          PUSH EBX
10023201  |.  8B5C24 10    MOV EBX,DWORD PTR SS:[ESP+10]
10023205  |.  55          PUSH EBP                               ;  EBX=65
10023206  |.  56          PUSH ESI
10023207  |.  8B7424 10    MOV ESI,DWORD PTR SS:[ESP+10]          ;  [ESP+10]MD5常数地址
1002320B  |.  8B46 10    MOV EAX,DWORD PTR DS:[ESI+10]
1002320E  |.  8BC8       MOV ECX,EAX
10023210  |.  C1E9 03    SHR ECX,3
10023213  |.  8D04D8       LEA EAX,DWORD PTR DS:[EAX+EBX*8]
10023216  |.  8D14DD 000000>LEA EDX,DWORD PTR DS:[EBX*8]
1002321D  |.  83E1 3F    AND ECX,3F
10023220  |.  3BC2       CMP EAX,EDX
10023222  |.  57          PUSH EDI
10023223  |.  8946 10    MOV DWORD PTR DS:[ESI+10],EAX
10023226  |.  73 03       JNB SHORT UILib71.1002322B
10023228  |.  FF46 14    INC DWORD PTR DS:[ESI+14]
1002322B  |>  8B7E 14    MOV EDI,DWORD PTR DS:[ESI+14]
1002322E  |.  8BC3       MOV EAX,EBX
10023230  |.  C1E8 1D    SHR EAX,1D
10023233  |.  03F8       ADD EDI,EAX
10023235  |.  897E 14    MOV DWORD PTR DS:[ESI+14],EDI
10023238  |.  BF 40000000 MOV EDI,40
1002323D  |.  2BF9       SUB EDI,ECX
1002323F  |.  3BDF       CMP EBX,EDI
10023241  |.  72 50       JB SHORT UILib71.10023293
10023243  |.  33C0       XOR EAX,EAX
10023245  |.  85FF       TEST EDI,EDI
10023247  |.  76 16       JBE SHORT UILib71.1002325F
10023249  |.  8D6C31 18    LEA EBP,DWORD PTR DS:[ECX+ESI+18]
1002324D  |.  8D49 00    LEA ECX,DWORD PTR DS:[ECX]
10023250  |>  8B4C24 18    /MOV ECX,DWORD PTR SS:[ESP+18]
10023254  |.  8A1408       |MOV DL,BYTE PTR DS:[EAX+ECX]
10023257  |.  881428       |MOV BYTE PTR DS:[EAX+EBP],DL
1002325A  |.  40          |INC EAX
1002325B  |.  3BC7       |CMP EAX,EDI
1002325D  |.^ 72 F1       \JB SHORT UILib71.10023250             ;  字符串移入堆栈
1002325F  |>  8D4E 18    LEA ECX,DWORD PTR DS:[ESI+18]
10023262  |.  56          PUSH ESI
10023263  |.  E8 B8F6FFFF CALL UILib71.10022920                   ;  MD5
10023268  |.  8BEF       MOV EBP,EDI
1002326A  |.  83C7 3F    ADD EDI,3F
1002326D  |.  83C4 04    ADD ESP,4
10023270  |.  3BFB       CMP EDI,EBX
10023272  |.  73 1B       JNB SHORT UILib71.1002328F
10023274  |>  8B4424 18    /MOV EAX,DWORD PTR SS:[ESP+18]
10023278  |.  8D4C38 C1    |LEA ECX,DWORD PTR DS:[EAX+EDI-3F]
1002327C  |.  56          |PUSH ESI
1002327D  |.  E8 9EF6FFFF |CALL UILib71.10022920
10023282  |.  83C7 40    |ADD EDI,40
10023285  |.  83C4 04    |ADD ESP,4
10023288  |.  83C5 40    |ADD EBP,40
1002328B  |.  3BFB       |CMP EDI,EBX
1002328D  |.^ 72 E5       \JB SHORT UILib71.10023274
1002328F  |>  33C9       XOR ECX,ECX
10023291  |.  EB 02       JMP SHORT UILib71.10023295
10023293  |>  33ED       XOR EBP,EBP
10023295  |>  33C0       XOR EAX,EAX
10023297  |.  2BDD       SUB EBX,EBP
10023299  |.  8BFB       MOV EDI,EBX
1002329B  |.  74 15       JE SHORT UILib71.100232B2
1002329D  |.  8B5424 18    MOV EDX,DWORD PTR SS:[ESP+18]
100232A1  |.  03D5       ADD EDX,EBP                            ;  EDX=22345678932Xilisoftdvdtopspconverter4
100232A3  |.  8D7431 18    LEA ESI,DWORD PTR DS:[ECX+ESI+18]
100232A7  |>  8A0C02       /MOV CL,BYTE PTR DS:[EDX+EAX]
100232AA  |.  880C06       |MOV BYTE PTR DS:[ESI+EAX],CL
100232AD  |.  40          |INC EAX
100232AE  |.  3BC7       |CMP EAX,EDI
100232B0  |.^ 72 F5       \JB SHORT UILib71.100232A7
100232B2  |>  5F          POP EDI
100232B3  |.  5E          POP ESI
100232B4  |.  5D          POP EBP
100232B5  |.  5B          POP EBX
100232B6  \.  C3          RETN

10023263  处F7进入MD5

10022920  /$  8B4424 04    MOV EAX,DWORD PTR SS:[ESP+4]
10022924  |.  83EC 44    SUB ESP,44
10022927  |.  53          PUSH EBX
10022928  |.  55          PUSH EBP
10022929  |.  56          PUSH ESI
1002292A  |.  57          PUSH EDI
1002292B  |.  83C1 02    ADD ECX,2
1002292E  |.  8D7424 14    LEA ESI,DWORD PTR SS:[ESP+14]
10022932  |.  BF 10000000 MOV EDI,10
10022937  |>  0FB659 FF    MOVZX EBX,BYTE PTR DS:[ECX-1]
1002293B  |.  33D2       XOR EDX,EDX
1002293D  |.  8A71 01    MOV DH,BYTE PTR DS:[ECX+1]
10022940  |.  83C6 04    ADD ESI,4
10022943  |.  83C1 04    ADD ECX,4
10022946  |.  8A51 FC    MOV DL,BYTE PTR DS:[ECX-4]
10022949  |.  C1E2 08    SHL EDX,8
1002294C  |.  0BD3       OR EDX,EBX
1002294E  |.  0FB659 FA    MOVZX EBX,BYTE PTR DS:[ECX-6]
10022952  |.  C1E2 08    SHL EDX,8
10022955  |.  0BD3       OR EDX,EBX
10022957  |.  4F          DEC EDI
10022958  |.  8956 FC    MOV DWORD PTR DS:[ESI-4],EDX          ;  EDX=6C015831(字符串1-4)
1002295B  |.^ 75 DA       JNZ SHORT UILib71.10022937
1002295D  |.  8B70 04    MOV ESI,DWORD PTR DS:[EAX+4]          ;  [EAX+4]=EFCDAB89 ------> B
10022960  |.  8B78 08    MOV EDI,DWORD PTR DS:[EAX+8]          ;  [EAX+8]=98BADCFE ------> C
10022963  |.  8B50 0C    MOV EDX,DWORD PTR DS:[EAX+C]          ;  [EAX+C]=10325476 ------> D
10022966  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]             ;  [EAX]=67452301 ------> A
10022968  |.  8B6C24 14    MOV EBP,DWORD PTR SS:[ESP+14]          ;  [ESP+14]=6C015831
1002296C  |.  8BDF       MOV EBX,EDI
1002296E  |.  23DE       AND EBX,ESI                            ;  EBX=98BADCFE and B=88888888
10022970  |.  8BCE       MOV ECX,ESI
10022972  |.  F7D1       NOT ECX                               ;  ECX=B not =D
10022974  |.  23CA       AND ECX,EDX                            ;  ECX=D and D=10325476
10022976  |.  0BCB       OR ECX,EBX                            ;  ECX=D or 88888888=C
10022978  |.  03CD       ADD ECX,EBP                            ;  ECX=C add 6C015831=04BC352F
1002297A  |.  8D8C08 78A46A>LEA ECX,DWORD PTR DS:[EAX+ECX+D76AA478]  ;  [EAX+ECX+D76AA478]=436BFCA8
10022981  |.  8B6C24 18    MOV EBP,DWORD PTR SS:[ESP+18]          ;  [ESP+18]=66057303(字符串5-8)
10022985  |.  8BC1       MOV EAX,ECX
10022987  |.  C1E1 07    SHL ECX,7                               ;  ECX=436BFCA8 shl 7=B5FE5400
1002298A  |.  C1E8 19    SHR EAX,19                            ;  EAX=436BFCA8 shr 19=21
1002298D  |.  0BC1       OR EAX,ECX                            ;  EAX=00000021 or B5FE5400=B5FE5421
1002298F  |.  03C6       ADD EAX,ESI                            ;  EAX=B5FE5421 add B=A5CBFFAA
10022991  |.  8BC8       MOV ECX,EAX
10022993  |.  F7D1       NOT ECX                               ;  ECX=A5CBFFAA not=5A340055
10022995  |.  23CF       AND ECX,EDI                            ;  ECX=5A340055 and C=18300054
10022997  |.  8BDE       MOV EBX,ESI
10022999  |.  23D8       AND EBX,EAX                            ;  EBX=EFCDAB89 and A5CBFFAA=A5C9AB88
1002299B  |.  0BCB       OR ECX,EBX                            ;  ECX=18300054 or A5C9AB88=BDF9ABDC
1002299D  |.  03CD       ADD ECX,EBP                            ;  ECX=BDF9ABDC add 66057303=23FF1EDF
1002299F  |.  8B6C24 1C    MOV EBP,DWORD PTR SS:[ESP+1C]          ;  [ESP+1C]=64096407(字符串9-12)
100229A3  |.  8D940A 56B7C7>LEA EDX,DWORD PTR DS:[EDX+ECX+E8C7B756]
   ---------------------------中间省略---------------------------------
100231C6  |.  8B7424 58    MOV ESI,DWORD PTR SS:[ESP+58]
100231CA  |.  8B1E       MOV EBX,DWORD PTR DS:[ESI]
100231CC  |.  03C3       ADD EAX,EBX
100231CE  |.  8906       MOV DWORD PTR DS:[ESI],EAX             ;  EAX=F22B9292 --->1
100231D0  |.  8BC1       MOV EAX,ECX
100231D2  |.  8B5E 04    MOV EBX,DWORD PTR DS:[ESI+4]
100231D5  |.  C1E0 15    SHL EAX,15
100231D8  |.  C1E9 0B    SHR ECX,0B
100231DB  |.  0BC1       OR EAX,ECX
100231DD  |.  03C3       ADD EAX,EBX
100231DF  |.  03C7       ADD EAX,EDI
100231E1  |.  8946 04    MOV DWORD PTR DS:[ESI+4],EAX          ;  EAX=A1300D51 --->2
100231E4  |.  8B46 08    MOV EAX,DWORD PTR DS:[ESI+8]
100231E7  |.  03C7       ADD EAX,EDI
100231E9  |.  8946 08    MOV DWORD PTR DS:[ESI+8],EAX          ;  EAX=66297222 --->3
100231EC  |.  8B46 0C    MOV EAX,DWORD PTR DS:[ESI+C]
100231EF  |.  5F          POP EDI
100231F0  |.  03C2       ADD EAX,EDX
100231F2  |.  8946 0C    MOV DWORD PTR DS:[ESI+C],EAX          ;  EAX=DF3639B7 --->4
100231F5  |.  5E          POP ESI
100231F6  |.  5D          POP EBP
100231F7  |.  5B          POP EBX
100231F8  |.  83C4 44    ADD ESP,44
100231FB  \.  C3          RETN

1、2、3、4是第二次MD5加密的常数。

		自动登录	找回密码
密码			加入我们

菜鸟学习算法，破解Xilisoft DVD to PSP Converter

相关帖子