可以找到是明码比较的
一步步跟就能找到算法
程序可以用unaspack脱壳,虽然不能再正常使用,但是研究算法过程已经够了。
程序入口点在:
004CEB48 55 PUSH EBP
跟踪过程就不写了,很长的一段要慢慢过,因为写在INI里面的信息太多了
最后到这里:
:004BB2C0 8B95E8FAFFFF mov edx, dword ptr [ebp+FFFFFAE8];edx="80368332833078277730"
:004BB2C6 8D8DECFAFFFF lea ecx, dword ptr [ebp+FFFFFAEC]
:004BB2CC 8B45F0 mov eax, dword ptr [ebp-10];eax="SMARTSL"
:004BB2CF E8FC7EFEFF call 004A31D0;<----计算过程在内
:004BB2D4 8B85ECFAFFFF mov eax, dword ptr [ebp+FFFFFAEC]
:004BB2DA 8D95F0FAFFFF lea edx, dword ptr [ebp+FFFFFAF0];此时eax就是正确注册码
:004BB2E0 E8BB93FEFF call 004A46A0
其中我的用户ID是"80368332833078277730",用户名是"SMARTSL",它是根据C盘的序列号计算出来的,怎么算的我没看。然后进去call 004A31D0:
* Referenced by a CALL at Address:
|:004BB2CF
|
:004A31D0 55 push ebp
:004A31D1 8BEC mov ebp, esp
:004A31D3 51 push ecx
:004A31D4 B96C000000 mov ecx, 0000006C
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A31DE?
|
:004A31D9 6A00 push 00000000
:004A31DB 6A00 push 00000000
:004A31DD 49 dec ecx
:004A31DE 75F9 jne 004A31D9
:004A31E0 874DFC xchg dword ptr [ebp-04], ecx
:004A31E3 53 push ebx
:004A31E4 56 push esi
:004A31E5 57 push edi
:004A31E6 894DF4 mov dword ptr [ebp-0C], ecx
:004A31E9 8955F8 mov dword ptr [ebp-08], edx
:004A31EC 8945FC mov dword ptr [ebp-04], eax
:004A31EF 8B45FC mov eax, dword ptr [ebp-04]
:004A31F2 E8C10EF6FF call 004040B8
:004A31F7 8B45F8 mov eax, dword ptr [ebp-08]
:004A31FA E8B90EF6FF call 004040B8
:004A31FF 33C0 xor eax, eax
:004A3201 55 push ebp
:004A3202 6830354A00 push 004A3530
:004A3207 64FF30 push dword ptr fs:[eax]
:004A320A 648920 mov dword ptr fs:[eax], esp
:004A320D 8B45F4 mov eax, dword ptr [ebp-0C]
:004A3210 E86F0AF6FF call 00403C84
:004A3215 E965010000 jmp 004A337F
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A338C?
|
:004A321A 33DB xor ebx, ebx
:004A321C 8B45FC mov eax, dword ptr [ebp-04];eax="SMARSL"
:004A321F E8E00CF6FF call 00403F04;求长度
:004A3224 8BF8 mov edi, eax;eax=7
:004A3226 85FF test edi, edi
:004A3228 7E13 jle 004A323D
:004A322A BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A323B?
|
:004A322F 8B45FC mov eax, dword ptr [ebp-04]
:004A3232 0FB64430FF movzx eax, byte ptr [eax+esi-01]
:004A3237 03D8 add ebx, eax
:004A3239 46 inc esi
:004A323A 4F dec edi
:004A323B 75F2 jne 004A322F;循环求各位累加和
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A3228?
|
:004A323D 8D95C0FCFFFF lea edx, dword ptr [ebp+FFFFFCC0]
:004A3243 8B45FC mov eax, dword ptr [ebp-04];eax="SMARTSL"
:004A3246 E855140000 call 004A46A0;<---重要
:004A324B 8B95C0FCFFFF mov edx, dword ptr[ebp+FFFFFCC0];edx="U01BUlRTTA=="
:004A3251 8D45FC lea eax, dword ptr [ebp-04]
:004A3254 E8C30AF6FF call 00403D1C
:004A3259 8B45FC mov eax, dword ptr [ebp-04]
:004A325C E8A30CF6FF call 00403F04
:004A3261 8BF0 mov esi, eax
:004A3263 83C31B add ebx, 0000001B
:004A3266 03F3 add esi, ebx
:004A3268 8B45F8 mov eax, dword ptr [ebp-08];"80368332833078277730"
:004A326B E8940CF6FF call 00403F04
:004A3270 03F0 add esi, eax;eax=0x14
:004A3272 89B5C4FCFFFF mov dword ptr [ebp+FFFFFCC4], esi
:004A3278 8B45FC mov eax, dword ptr [ebp-04]
:004A327B E8840CF6FF call 00403F04
:004A3280 8BF8 mov edi, eax
:004A3282 85FF test edi, edi;edi=下面的循环次数
:004A3284 0F8ECD000000 jle 004A3357
:004A328A BE01000000 mov esi, 00000001
:004A328F 8D9DC4FCFFFF lea ebx, dword ptr [ebp+FFFFFCC4]
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A3351?
|
:004A3295 8B45F8 mov eax, dword ptr [ebp-08];开始--------BEGIN
:004A3298 E8670CF6FF call 00403F04
:004A329D 3BF0 cmp esi, eax
:004A329F 7F2F jg 004A32D0;大于就跳
:004A32A1 8D85BCFCFFFF lea eax, dword ptr [ebp+FFFFFCBC]
:004A32A7 50 push eax
:004A32A8 8BCE mov ecx, esi
:004A32AA 8BD6 mov edx, esi
:004A32AC 8B45F8 mov eax, dword ptr [ebp-08]
:004A32AF E83CFDFFFF call 004A2FF0
:004A32B4 8B85BCFCFFFF mov eax, dword ptr [ebp+FFFFFCBC]
:004A32BA E8FD59F6FF call 00408CBC
:004A32BF 8B55FC mov edx, dword ptr [ebp-04];此时的eax=用户ID对应个位值
:004A32C2 0FB65432FF movzx edx, byte ptr [edx+esi-01];edx=取出用户名转换后的字串中第esi个字符的ascii值
:004A32C7 0313 add edx, dword ptr [ebx];[ebx]=前面的累加值
:004A32C9 03C2 add eax, edx
:004A32CB 894304 mov dword ptr [ebx+04], eax;eax=上面3者之和
:004A32CE EB0D jmp 004A32DD
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A329F?
|
:004A32D0 8B45FC mov eax, dword ptr [ebp-04];如果超过用户ID的长度就到这里
:004A32D3 0FB64430FF movzx eax, byte ptr [eax+esi-01]
:004A32D8 0303 add eax, dword ptr [ebx]
:004A32DA 894304 mov dword ptr [ebx+04], eax;eax=上面2者之和
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A32CE(U)
|
:004A32DD 8D55F0 lea edx, dword ptr [ebp-10]
:004A32E0 8B4304 mov eax, dword ptr [ebx+04]
:004A32E3 E8A459F6FF call 00408C8C
:004A32E8 8B45F0 mov eax, dword ptr [ebp-10];eax="702"运算结果
:004A32EB E8140CF6FF call 00403F04;求长度
:004A32F0 83F802 cmp eax, 00000002;no jump
:004A32F3 7E38 jle 004A332D
:004A32F5 8D85B8FCFFFF lea eax, dword ptr [ebp+FFFFFCB8]
:004A32FB 50 push eax
:004A32FC 8B45F0 mov eax, dword ptr [ebp-10]
:004A32FF E8000CF6FF call 00403F04
:004A3304 8BD0 mov edx, eax
:004A3306 4A dec edx
:004A3307 B9E8030000 mov ecx, 000003E8;0x3E8=1000
:004A330C 8B45F0 mov eax, dword ptr [ebp-10]
:004A330F E8DCFCFFFF call 004A2FF0
:004A3314 8B95B8FCFFFF mov edx, dword ptr [ebp+FFFFFCB8]
:004A331A 8D45F0 lea eax, dword ptr [ebp-10]
:004A331D E8FA09F6FF call 00403D1C
:004A3322 8B45F0 mov eax, dword ptr [ebp-10]
:004A3325 E89259F6FF call 00408CBC
:004A332A 894304 mov dword ptr [ebx+04], eax;eax为16进制数,保存
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A32F3?
|
:004A332D 8D95B4FCFFFF lea edx, dword ptr [ebp+FFFFFCB4]
:004A3333 8B4304 mov eax, dword ptr [ebx+04]
:004A3336 E85159F6FF call 00408C8C
:004A333B 8B95B4FCFFFF mov edx, dword ptr [ebp+FFFFFCB4]
:004A3341 8B45F4 mov eax, dword ptr [ebp-0C]
:004A3344 E8C30BF6FF call 00403F0C
:004A3349 8B45F4 mov eax, dword ptr [ebp-0C]
:004A334C 46 inc esi
:004A334D 83C304 add ebx, 00000004
:004A3350 4F dec edi
:004A3351 0F853EFFFFFF jne 004A3295;跳回---------END
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A3284?
|
:004A3357 8B45F4 mov eax, dword ptr [ebp-0C]
:004A335A 8B00 mov eax, dword ptr [eax]
:004A335C E8A30BF6FF call 00403F04
:004A3361 8D95B0FCFFFF lea edx, dword ptr [ebp+FFFFFCB0]
:004A3367 E82059F6FF call 00408C8C
:004A336C 8B95B0FCFFFF mov edx, dword ptr [ebp+FFFFFCB0]
:004A3372 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004A3375 8B09 mov ecx, dword ptr [ecx]
:004A3377 8D45FC lea eax, dword ptr [ebp-04]
:004A337A E8D10BF6FF call 00403F50
* Referenced by a (U)nconditional or ?ondITional Jump at Address:
|:004A3215(U)
|
:004A337F 8B45F4 mov eax, dword ptr [ebp-0C]
:004A3382 8B00 mov eax, dword ptr [eax];eax="250274677863494197334"
:004A3384 E87B0BF6FF call 00403F04;求长度
:004A3389 83F815 cmp eax, 00000015;必须大于等于0x15=21
:004A338C 0F8C88FEFFFF jl 004A321A;否则跳回去
:004A3392 8D85ACFCFFFF lea eax, dword ptr [ebp+FFFFFCAC]
:004A3398 50 push eax
:004A3399 8B45F4 mov eax, dword ptr [ebp-0C]
:004A339C 8B00 mov eax, dword ptr [eax]
:004A339E E8610BF6FF call 00403F04
:004A33A3 50 push eax
:004A33A4 8B45F4 mov eax, dword ptr [ebp-0C]
:004A33A7 8B00 mov eax, dword ptr [eax]
:004A33A9 E8560BF6FF call 00403F04
:004A33AE 8BD0 mov edx, eax
:004A33B0 83EA13 sub edx, 00000013
:004A33B3 8B45F4 mov eax, dword ptr [ebp-0C]
:004A33B6 8B00 mov eax, dword ptr [eax]
:004A33B8 59 pop ecx
:004A33B9 E832FCFFFF call 004A2FF0
:004A33BE 8B95ACFCFFFF mov edx, dword ptr [ebp+FFFFFCAC]
:004A33C4 8B45F4 mov eax, dword ptr [ebp-0C]
:004A33C7 E80C09F6FF call 00403CD8
:004A33CC 33DB xor ebx, ebx
:004A33CE 8B45F8 mov eax, dword ptr [ebp-08]
:004A33D1 E82E0BF6FF call 00403F04
:004A33D6 8BF8 mov edi, eax
:004A33D8 85FF test edi, edi
:004A33DA 7E28 jle 004A3404
:004A33DC BE01000000 mov esi, 00000001 [1] [2] 下一页 |
