【标题】楚汉棋缘 v1.43 nag窗口的注册按钮的代码逆向
【作者】ForEver[CCG][RCT]
【工具】ida 4.6
【加壳】aspack2.12修改版
【算法】RSA
【感谢】xIkUg 帮助脱壳。这个壳我搞不定(~!@#$%^&*)
【正文】下面算法部分使用到了 RSA 算法,用的是 freelip 库。大致方法就是把用户名变换成一个verylong型数,然后再把注册码的每一组查表变换后形成一个加密数据。然后用RSA的公匙解密。得到另一个verylong型数,再和前面的比较。如果相同就会做些标记。注册信息保存在chess.dat里。
如果你还不太清楚RSA算法,就先看看前面的高手发的贴子吧。在看雪的精华里能找到几篇。或者也可以看看密码学的书。(不要扔鸡蛋给我。这个帖子已经够长了。再说老重复发相同的内容也不好吧。^_^)
下面进入正文,中间的代码是用VC表达的。(我还不会C++ builder,汗!)
.text:0043FCFC _TForm1_SpeedButton1Click proc near ; DATA XREF: .data:00505A9Fo
.text:0043FCFC
.text:0043FCFC var_1D8 = qword ptr -1D8h
.text:0043FCFC var_1C4 = qword ptr -1C4h
.text:0043FCFC var_1BC = qword ptr -1BCh
.text:0043FCFC var_1B4 = dword ptr -1B4h
.text:0043FCFC var_1B0 = dword ptr -1B0h
.text:0043FCFC var_1AC = dword ptr -1ACh
.text:0043FCFC s = dword ptr -160h
.text:0043FCFC var_14D = dword ptr -14Dh
.text:0043FCFC buffer = byte ptr -0E8h
.text:0043FCFC var_D4 = dword ptr -0D4h
.text:0043FCFC var_D0 = dword ptr -0D0h
.text:0043FCFC var_CC = dword ptr -0CCh
.text:0043FCFC var_C8 = dword ptr -0C8h
.text:0043FCFC var_C4 = dword ptr -0C4h
.text:0043FCFC var_C0 = dword ptr -0C0h
.text:0043FCFC var_B4 = dword ptr -0B4h
.text:0043FCFC var_B0 = dword ptr -0B0h
.text:0043FCFC var_AC = dword ptr -0ACh
.text:0043FCFC var_A8 = dword ptr -0A8h
.text:0043FCFC var_A4 = dword ptr -0A4h
.text:0043FCFC var_A0 = dword ptr -0A0h
.text:0043FCFC var_9C = dword ptr -9Ch
.text:0043FCFC var_98 = dword ptr -98h
.text:0043FCFC var_94 = word ptr -94h
.text:0043FCFC var_88 = dword ptr -88h
.text:0043FCFC var_80 = dword ptr -80h
.text:0043FCFC var_7C = dword ptr -7Ch
.text:0043FCFC var_78 = dword ptr -78h
.text:0043FCFC var_74 = dword ptr -74h
.text:0043FCFC var_70 = dword ptr -70h
.text:0043FCFC var_6C = dword ptr -6Ch
.text:0043FCFC var_68 = dword ptr -68h
.text:0043FCFC var_64 = dword ptr -64h
.text:0043FCFC var_60 = dword ptr -60h
.text:0043FCFC var_5C = dword ptr -5Ch
.text:0043FCFC var_58 = dword ptr -58h
.text:0043FCFC var_54 = dword ptr -54h
.text:0043FCFC var_50 = dword ptr -50h
.text:0043FCFC var_4C = dword ptr -4Ch
.text:0043FCFC var_48 = dword ptr -48h
.text:0043FCFC var_44 = dword ptr -44h
.text:0043FCFC var_40 = dword ptr -40h
.text:0043FCFC var_3C = dword ptr -3Ch
.text:0043FCFC var_38 = dword ptr -38h
.text:0043FCFC var_34 = dword ptr -34h
.text:0043FCFC var_30 = dword ptr -30h
.text:0043FCFC var_2C = dword ptr -2Ch
.text:0043FCFC var_28 = dword ptr -28h
.text:0043FCFC var_24 = dword ptr -24h
.text:0043FCFC var_20 = dword ptr -20h
.text:0043FCFC var_1C = dword ptr -1Ch
.text:0043FCFC var_18 = dword ptr -18h
.text:0043FCFC var_14 = dword ptr -14h
.text:0043FCFC var_10 = dword ptr -10h
.text:0043FCFC var_C = dword ptr -0Ch
.text:0043FCFC rcode = dword ptr -8
.text:0043FCFC var_4 = dword ptr -4
.text:0043FCFC
.text:0043FCFC push ebp
.text:0043FCFD mov ebp, esp
.text:0043FCFF add esp, 0FFFFFE3Ch
.text:0043FD05 push ebx
.text:0043FD06 push esi
.text:0043FD07 push edi
.text:0043FD08 mov [ebp+var_AC], edx
.text:0043FD0E mov [ebp+var_A8], eax
.text:0043FD14 xor eax, eax
.text:0043FD16 mov [ebp+var_9C], offset unk_505750
.text:0043FD20 mov [ebp+var_98], esp
.text:0043FD26 mov [ebp+var_A0], offset unk_4C62F7
.text:0043FD30 mov [ebp+var_94], 0
.text:0043FD39 mov [ebp+var_88], eax
.text:0043FD3F mov edx, large fs:0
.text:0043FD46 mov [ebp+var_A4], edx
.text:0043FD4C lea ecx, [ebp+var_A4]
.text:0043FD52 mov large fs:0, ecx
.text:0043FD59 mov [ebp+var_94], 14h
.text:0043FD62 mov edx, offset a1234567890abcd ; "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabc"...
.text:0043FD67 lea eax, [ebp+var_4] ****** var_4是一张表
.text:0043FD6A call tostring
.text:0043FD6F inc [ebp+var_88]
.text:0043FD75 xor ecx, ecx
.text:0043FD77 mov [ebp+var_94], 8
.text:0043FD80 mov [ebp+var_94], 20h
.text:0043FD89 mov [ebp+rcode], ecx
.text:0043FD8C xor eax, eax
.text:0043FD8E inc [ebp+var_88]
.text:0043FD94 xor edx, edx
.text:0043FD96 mov [ebp+var_94], 8
.text:0043FD9F mov [ebp+var_94], 2Ch
.text:0043FDA8 mov [ebp+var_C], eax ****** var_c = 0
.text:0043FDAB xor ecx, ecx
.text:0043FDAD inc [ebp+var_88]
.text:0043FDB3 lea eax, [ebp+s]
.text:0043FDB9 mov [ebp+var_94], 8
.text:0043FDC2 mov [ebp+var_94], 38h
.text:0043FDCB mov [ebp+var_10], edx ****** var_10 = 0
.text:0043FDCE xor edi, edi
.text:0043FDD0 inc [ebp+var_88]
.text:0043FDD6 mov [ebp+var_94], 8
.text:0043FDDF mov [ebp+var_94], 44h
.text:0043FDE8 mov [ebp+var_14], ecx ****** var_14 = 0
.text:0043FDEB inc [ebp+var_88]
.text:0043FDF1 xor esi, esi
.text:0043FDF3 mov [ebp+var_94], 8
.text:0043FDFC push 14h ; n
.text:0043FDFE push 0 ; c
.text:0043FE00 push eax ; s
.text:0043FE01 call _memset ****** memset(s,0,20);
.text:0043FE06 mov [ebp+var_94], 50h
.text:0043FE0F xor edx, edx
.text:0043FE11 add esp, 0Ch
.text:0043FE14 mov [ebp+var_2C], edx
.text:0043FE17 lea edx, [ebp+var_2C] ******* 用户名缓冲区
.text:0043FE1A inc [ebp+var_88]
.text:0043FE20 mov eax, [ebp+var_A8]
.text:0043FE26 mov eax, [eax+2E0h]
.text:0043FE2C call @TControl@GetText$qqrv ; TControl::GetText(void) 取用户名
.text:0043FE31 cmp [ebp+var_2C], 0
.text:0043FE35 jz short loc_43FE3C ****** 用户名为空则跳
.text:0043FE37 mov edx, [ebp+var_2C]
.text:0043FE3A jmp short loc_43FE41
.text:0043FE3C ; ---------------------------------------------------------------------------
.text:0043FE3C
.text:0043FE3C loc_43FE3C: ; CODE XREF: _TForm1_SpeedButton1Click+139j
.text:0043FE3C mov edx, offset unk_505431
.text:0043FE41
.text:0043FE41 loc_43FE41: ; CODE XREF: _TForm1_SpeedButton1Click+13Ej
.text:0043FE41 push esi
.text:0043FE42 push edi
.text:0043FE43 xor eax, eax
.text:0043FE45 mov edi, edx
.text:0043FE47 or ecx, 0FFFFFFFFh
.text:0043FE4A lea esi, [ebp+s] ******* 用户名拷贝到 s
.text:0043FE50 repne scasb
.text:0043FE52 not ecx
.text:0043FE54 sub edi, ecx
.text:0043FE56 mov edx, ecx
.text:0043FE58 xchg esi, edi
.text:0043FE5A shr ecx, 2
.text:0043FE5D mov eax, edi
.text:0043FE5F rep movsd
.text:0043FE61 mov ecx, edx
.text:0043FE63 mov edx, 2
.text:0043FE68 and ecx, 3
.text:0043FE6B lea eax, [ebp+var_2C] ****** 释放用户名缓冲区
.text:0043FE6E rep movsb
.text:0043FE70 pop edi
.text:0043FE71 pop esi
.text:0043FE72 dec [ebp+var_88]
.text:0043FE78 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0043FE7D lea ebx, [ebp+esi+s] ****** 指向用户名
.text:0043FE84
.text:0043FE84 loc_43FE84: ; CODE XREF: _TForm1_SpeedButton1Click+1A4j
.text:0043FE84 cmp byte ptr [ebx], 20h *******取一个字节,比较是否是空格
.text:0043FE87 jnz short loc_43FEA2
.text:0043FE89 mov esi, 1
.text:0043FE8E lea eax, [ebp+s+1]
.text:0043FE94
.text:0043FE94 loc_43FE94: ; CODE XREF: _TForm1_SpeedButton1Click+1A2j
.text:0043FE94 mov dl, [eax]
.text:0043FE96 inc esi
.text:0043FE97 mov [eax-1], dl ******如果是空格则整个向前移
.text:0043FE9A inc eax
.text:0043FE9B cmp esi, 14h ******取20位
.text:0043FE9E jl short loc_43FE94
.text:0043FEA0 jmp short loc_43FE84
.text:0043FEA2 ; ---------------------------------------------------------------------------
.text:0043FEA2
.text:0043FEA2 loc_43FEA2: ; CODE XREF: _TForm1_SpeedButton1Click+18Bj
.text:0043FEA2 mov esi, 13h
.text:0043FEA7 lea ebx, [ebp+var_14D]******指向第20位
.text:0043FEAD
.text:0043FEAD loc_43FEAD: ; CODE XREF: _TForm1_SpeedButton1Click+1C2j
.text:0043FEAD mov al, [ebx] *******取一个字节
.text:0043FEAF cmp al, 20h *******比较是不是空格
.text:0043FEB1 jz short loc_43FEB7
.text:0043FEB3 test al, al
.text:0043FEB5 jnz short loc_43FEC0
.text:0043FEB7
.text:0043FEB7 loc_43FEB7: ; CODE XREF: _TForm1_SpeedButton1Click+1B5j
.text:0043FEB7 mov byte ptr [ebx], 0 ******是空格则清零
.text:0043FEBA dec esi
.text:0043FEBB dec ebx
.text:0043FEBC test esi, esi
.text:0043FEBE jge short loc_43FEAD
=========================================================上面这段逆向如下:
/* Reconstruction of 0043FD62..0043FEBE: username normalisation.
 * var_4 : the digit table used for the registration code (60 characters; 'l' and 'o'
 *         are absent, so 'z' is index 59 = 0x3b).
 * var_c : the decimal string later fed to the RSA comparison (an AnsiString in the
 *         binary, null-initialised at 0043FDA8 and grown with operator+=).
 * name  : the 20-byte stack buffer `s`, zero-filled by memset(s,0,20) at 0043FE01. */
char var_4[] = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz";
char var_c[100];
char name[20];
memset(var_c,0,100);
memset(name,0,20);
/* NOTE(security): the binary copies strlen(username)+1 bytes into the 20-byte `s`
 * with no length check (repne scasb / rep movsd / rep movsb at 0043FE41..0043FE6E).
 * A long username overruns `s` and the locals above it; the SEH record installed
 * at fs:0 lives at ebp-0A4h, 188 bytes above `s`. Whether the edit control limits
 * the text length is not visible here, so treat this as a crash/overflow candidate
 * to confirm. */
strcpy(name,username);
/* Drop leading spaces: shift the buffer left one byte at a time (name[19] is never
 * cleared). If all 20 bytes are spaces name[0] never changes and the loop does not
 * terminate. */
while(name[0]==' ')
{
for(i=1;i<20;i++)
name[i-1] = name[i];
}
/* Strip trailing spaces and NULs from index 19 downwards; stop at the first other byte. */
i = 19;
do{
if(name[i] != ' ')
{
if(name[i] != 0)break;
}
name[i] = 0;
i--;
}while(i >= 0);
=========================================================
.text:0043FEC0
.text:0043FEC0 loc_43FEC0: ; CODE XREF: _TForm1_SpeedButton1Click+1B9j
.text:0043FEC0 xor esi, esi
.text:0043FEC2 lea ebx, [ebp+s] ******指向用户名
.text:0043FEC8
.text:0043FEC8 loc_43FEC8: ; CODE XREF: _TForm1_SpeedButton1Click+1E4j
.text:0043FEC8 xor eax, eax
.text:0043FECA lea ecx, [esi+1]
.text:0043FECD mov al, [ebx] ******取一个字节,设为x
.text:0043FECF inc ebx
.text:0043FED0 mov edx, eax
.text:0043FED2 inc esi
.text:0043FED3 imul edx, eax
.text:0043FED6 add edx, eax ****** x*x+x
.text:0043FED8 imul edx, ecx ****** 乘以 索引加1
.text:0043FEDB add edi, edx ****** 累加到edi
.text:0043FEDD cmp esi, 14h
.text:0043FEE0 jl short loc_43FEC8 ******没到20位继续循环
.text:0043FEE2 lea eax, [edi+5BA0h] ****** 结果加上0x5ba0
.text:0043FEE8 xor edx, edx
.text:0043FEEA mov [ebp+var_B4], eax ******保存结果
.text:0043FEF0 mov [ebp+var_B0], edx
.text:0043FEF6 cmp [ebp+var_B0], 0
.text:0043FEFD jnz short loc_43FF1B
.text:0043FEFF cmp [ebp+var_B4], 5C25Ch ****结果是否等于0x5c25c
.text:0043FF09 jnz short loc_43FF1B
.text:0043FF0B add [ebp+var_B4], 78h ****加上0x78
.text:0043FF12 adc [ebp+var_B0], 0
.text:0043FF19 jmp short loc_43FF3E
.text:0043FF1B ; ---------------------------------------------------------------------------
.text:0043FF1B
.text:0043FF1B loc_43FF1B: ; CODE XREF: _TForm1_SpeedButton1Click+201j
.text:0043FF1B ; _TForm1_SpeedButton1Click+20Dj
.text:0043FF1B cmp [ebp+var_B0], 0
.text:0043FF22 jnz short loc_43FF3E
.text:0043FF24 cmp [ebp+var_B4], 8C5BCh ******结果是否等于0x8c8bc
.text:0043FF2E jnz short loc_43FF3E
.text:0043FF30 add [ebp+var_B4], 64h ******加上0x64
.text:0043FF37 adc [ebp+var_B0], 0
.text:0043FF3E
.text:0043FF3E loc_43FF3E: ; CODE XREF: _TForm1_SpeedButton1Click+21Dj
.text:0043FF3E ; _TForm1_SpeedButton1Click+226j ...
.text:0043FF3E push [ebp+var_B0]
.text:0043FF44 push [ebp+var_B4]
.text:0043FF4A push offset off_505432 ****** "%ld"
.text:0043FF4F lea eax, [ebp+var_10] ******转换成十进制字符串
.text:0043FF52 push eax
.text:0043FF53 call @System@WideString@printf$qpxbe ; System::WideString::printf(wchar_t *,...)
=========================================================上面这段逆向如下:
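/*
 * Reconstruction of loc_43FEC0..0043FF53: the username hash that is later
 * compared against the RSA-decrypted registration value.
 *
 * name   : the 20-byte, space-trimmed username buffer `s`; bytes after the
 *          terminating NUL are zero from the memset and contribute 0.
 * var_10 : receives the hash rendered with "%ld" (WideString::printf).
 *
 * Each byte is loaded with `xor eax,eax / mov al,[ebx]`, i.e. zero-extended.
 * A high-bit byte (e.g. a GBK username) therefore counts as 0x80..0xFF, so the
 * reconstruction must not let a signed `char` turn it negative.
 */
static void name_hash_to_string(const char name[20], char *var_10)
{
    long sum = 0;
    int i;

    for (i = 0; i < 20; i++) {
        unsigned int x = (unsigned char)name[i];          /* zero-extended byte */
        sum += (long)((x * x + x) * (unsigned int)(i + 1)); /* (x*x + x) * (i+1) */
    }
    sum += 0x5ba0;

    /* Two hard-coded collision patches (0043FEFF and 0043FF24). The binary
     * compares a 64-bit value whose high half is always zero here. */
    if (sum == 0x5c25c)
        sum += 0x78;
    else if (sum == 0x8c5bc)
        sum += 0x64;

    sprintf(var_10, "%ld", sum);
}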
=========================================================
.text:0043FF58 add esp, 10h
.text:0043FF5B lea edx, [ebp+buffer]
.text:0043FF61 push 14h ; n
.text:0043FF63 push 0 ; c
.text:0043FF65 push edx ; s
.text:0043FF66 call _memset
.text:0043FF6B add esp, 0Ch
.text:0043FF6E lea ecx, [ebp+var_14C]
.text:0043FF74 push 64h ; n
.text:0043FF76 push 0 ; c
.text:0043FF78 push ecx ; s
.text:0043FF79 call _memset
.text:0043FF7E add esp, 0Ch
.text:0043FF81 cmp [ebp+var_10], 0
.text:0043FF85 jz short loc_43FF8C
.text:0043FF87 mov eax, [ebp+var_10] ******指向字符串
.text:0043FF8A jmp short loc_43FF91
.text:0043FF8C ; ---------------------------------------------------------------------------
.text:0043FF8C
.text:0043FF8C loc_43FF8C: ; CODE XREF: _TForm1_SpeedButton1Click+289j
.text:0043FF8C mov eax, offset unk_505436
.text:0043FF91
.text:0043FF91 loc_43FF91: ; CODE XREF: _TForm1_SpeedButton1Click+28Ej
.text:0043FF91 mov edi, eax
.text:0043FF93 xor eax, eax
.text:0043FF95 or ecx, 0FFFFFFFFh
.text:0043FF98 lea esi, [ebp+buffer] ******拷贝到 buffer
.text:0043FF9E repne scasb
.text:0043FFA0 not ecx
.text:0043FFA2 sub edi, ecx
.text:0043FFA4 mov edx, ecx
.text:0043FFA6 xchg esi, edi
.text:0043FFA8 shr ecx, 2
.text:0043FFAB mov eax, edi
.text:0043FFAD rep movsd
.text:0043FFAF mov ecx, edx
.text:0043FFB1 lea edx, [ebp+var_30] ******注册码缓冲区
.text:0043FFB4 and ecx, 3
.text:0043FFB7 rep movsb
=========================================================上面这段逆向如下:
/* Reconstruction of 0043FF58..0043FFB7. buffer is 20 bytes and var_14c 100 bytes
 * (the two memset sizes 14h / 64h). The copy of var_10 is again an unbounded
 * repne scasb / rep movs, but here the source is the "%ld" rendering of a 32-bit
 * value (at most 11 characters plus NUL), so it fits. */
memset(buffer,0,20);
memset(var_14c,0,100);
strcpy(buffer,var_10);
=========================================================
.text:0043FFB9 mov [ebp+var_94], 5Ch
.text:0043FFC2 xor eax, eax
.text:0043FFC4 mov [ebp+var_30], eax
.text:0043FFC7 inc [ebp+var_88]
.text:0043FFCD mov ecx, [ebp+var_A8]
.text:0043FFD3 mov eax, [ecx+2D4h]
.text:0043FFD9 call @TControl@GetText$qqrv ; TControl::GetText(void)
.text:0043FFDE lea edx, [ebp+var_30]
.text:0043FFE1 lea eax, [ebp+rcode] ****** 保存到这里
.text:0043FFE4 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:0043FFE9 dec [ebp+var_88]
.text:0043FFEF lea eax, [ebp+var_30] *****释放缓冲区
.text:0043FFF2 mov edx, 2
.text:0043FFF7 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0043FFFC
.text:0043FFFC loc_43FFFC: ; CODE XREF: _TForm1_SpeedButton1Click+34Fj
.text:0043FFFC ; DATA XREF: .text:00489A88o
.text:0043FFFC mov [ebp+var_94], 68h
.text:00440005 mov edx, offset unk_505437 ; ' '
.text:0044000A lea eax, [ebp+var_34] ****** var_34 = ' '
.text:0044000D call tostring
.text:00440012 inc [ebp+var_88]
.text:00440018 lea edx, [ebp+var_34]
.text:0044001B lea eax, [ebp+rcode]
.text:0044001E call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:00440023 mov edi, eax ****** 返回空格的位置
.text:00440025 dec [ebp+var_88]
.text:0044002B lea eax, [ebp+var_34]****** 释放 var_34
.text:0044002E mov edx, 2
.text:00440033 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440038 test edi, edi
.text:0044003A jz short loc_44004D ******没有空格则跳
.text:0044003C lea eax, [ebp+rcode]
.text:0044003F mov ecx, 1
.text:00440044 mov edx, edi ******删除掉空格
.text:00440046 call @System@AnsiString@Delete$qqrii ; System::AnsiString::Delete(int,int)
.text:0044004B jmp short loc_43FFFC ******循环
.text:0044004D ; ---------------------------------------------------------------------------
=========================================================上面这段逆向如下:
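/*
 * Reconstruction of loc_43FFFC..0044004B: remove every space from the
 * registration code, not only the leading ones.
 *
 * The loop calls AnsiString::Pos(" "), which returns the 1-based position of
 * the first space anywhere in the string, Delete()s that single character and
 * jumps back to loc_43FFFC until Pos() returns 0. So "AB C-D " becomes "ABC-D".
 *
 * rcode : NUL-terminated registration code, edited in place.
 */
static void strip_spaces(char *rcode)
{
    char *p;

    while ((p = strchr(rcode, ' ')) != NULL)      /* Pos(" ") != 0 */
        memmove(p, p + 1, strlen(p + 1) + 1);     /* Delete(pos, 1) */
}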
=========================================================
.text:0044004D
.text:0044004D loc_44004D: ; CODE XREF: _TForm1_SpeedButton1Click+33Ej
.text:0044004D lea edi, [ebp+var_1B0]
.text:00440053 mov esi, offset unk_5053A4 ;0
.text:00440058 mov ecx, 14h ****** 每组注册码最多20个字节
.text:0044005D mov edx, offset unk_505439 ;0
.text:00440062 rep movsd ****** memset(var_1b0,0,80);
.text:00440064 mov [ebp+var_94], 8
.text:0044006D mov [ebp+var_94], 74h
.text:00440076 lea eax, [ebp+var_18]
.text:00440079 call tostring
.text:0044007E inc [ebp+var_88]
.text:00440084 mov edx, offset unk_50543A ; '-'
.text:00440089 mov [ebp+var_94], 8
.text:00440092 mov [ebp+var_94], 80h
.text:0044009B lea eax, [ebp+var_38] '-'
.text:0044009E call tostring
.text:004400A3 inc [ebp+var_88]
.text:004400A9 lea edx, [ebp+var_38]
.text:004400AC lea eax, [ebp+rcode]
.text:004400AF call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:004400B4 mov edi, eax ******取第一个'-'的位置
.text:004400B6 dec [ebp+var_88]
.text:004400BC lea eax, [ebp+var_38]
.text:004400BF mov edx, 2
.text:004400C4 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:004400C9 mov [ebp+var_94], 8Ch
.text:004400D2 xor ecx, ecx
.text:004400D4 lea eax, [ebp+var_3C]
.text:004400D7 mov [ebp+var_3C], ecx
.text:004400DA push eax
.text:004400DB inc [ebp+var_88]
.text:004400E1 lea eax, [ebp+rcode] ****** AnsiString
.text:004400E4 lea ecx, [edi-1] ****** count 不包括'-'号
.text:004400E7 mov edx, 1 ****** index
.text:004400EC call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:004400F1 lea edx, [ebp+var_3C]
.text:004400F4 lea eax, [ebp+var_18] ; 取第一组注册码到这里
.text:004400F7 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:004400FC dec [ebp+var_88]
.text:00440102 lea eax, [ebp+var_3C]
.text:00440105 mov edx, 2
.text:0044010A call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0044010F lea eax, [ebp+rcode] ; 原字符串里删除第一组
.text:00440112 mov ecx, edi ***** count
.text:00440114 mov edx, 1 ***** index
.text:00440119 call @System@AnsiString@Delete$qqrii ; System::AnsiString::Delete(int,int)
.text:0044011E mov esi, 1
.text:00440123 lea ebx, [ebp+var_1B0]******这里是一张表,用来保存索引的
.text:00440129 cmp edi, esi
.text:0044012B jle short loc_440191 ;******第一组注册码为空则跳
.text:0044012D
.text:0044012D loc_44012D: ; CODE XREF: _TForm1_SpeedButton1Click+493j
.text:0044012D mov [ebp+var_94], 98h
.text:00440136 xor eax, eax
.text:00440138 lea edx, [ebp+var_40]
.text:0044013B mov [ebp+var_40], eax
.text:0044013E push edx
.text:0044013F inc [ebp+var_88]
.text:00440145 mov edx, esi ;index
.text:00440147 lea eax, [ebp+var_18] ;******指向第一组注册码
.text:0044014A mov ecx, 1 ;count
.text:0044014F call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:00440154 lea edx, [ebp+var_40]
.text:00440157 lea eax, [ebp+var_10] ;****** 取一个字符
.text:0044015A call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:0044015F dec [ebp+var_88]
.text:00440165 lea eax, [ebp+var_40]
.text:00440168 mov edx, 2
.text:0044016D call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440172 lea edx, [ebp+var_10]
.text:00440175 lea eax, [ebp+var_4]
.text:00440178 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:0044017D mov [ebp+var_94], 8 ; ******查表
.text:00440186 dec eax ; ******位置减1
.text:00440187 mov [ebx], eax ; ******保存索引
.text:00440189 inc esi
.text:0044018A add ebx, 4
.text:0044018D cmp edi, esi
.text:0044018F jg short loc_44012D
.text:00440191
.text:00440191 loc_440191: ; CODE XREF: _TForm1_SpeedButton1Click+42Fj
.text:00440191 lea esi, [edi-2]
.text:00440194 xor edx, edx
.text:00440196 mov [ebp+var_C0], edx
.text:0044019C test esi, esi
.text:0044019E lea ebx, [ebp+esi*4+var_1B0] ;****** 指向最后一个索引
.text:004401A5 jl short loc_44020F ;****** 表为空则跳
.text:004401A7
.text:004401A7 loc_4401A7: ; CODE XREF: _TForm1_SpeedButton1Click+511j
.text:004401A7 mov [ebp+var_1B4], esi ***** 表索引(以0开始算的)
.text:004401AD fild [ebp+var_1B4]
.text:004401B3 add esp, -8 ; y
.text:004401B6 fstp [esp+1D8h+var_1D8]
.text:004401B9 push 404D8000h
.text:004401BE push 0 ; 59
.text:004401C0 call _pow ; ****** 59的索引次方(59^3,59^2,59^1,59^0,...)
.text:004401C5 mov eax, [ebx] ; ****** 表中的数据
.text:004401C7 xor edx, edx
.text:004401C9 mov dword ptr [ebp+var_1BC], eax
.text:004401CF mov dword ptr [ebp+var_1BC+4], edx
.text:004401D5 fild [ebp+var_1BC]
.text:004401DB mov ecx, [ebp+var_C0]
.text:004401E1 add esp, 10h
.text:004401E4 xor eax, eax
.text:004401E6 mov dword ptr [ebp+var_1C4], ecx
.text:004401EC fmulp st(1), st ; ****** 相乘
.text:004401EE mov dword ptr [ebp+var_1C4+4], eax
.text:004401F4 fild [ebp+var_1C4]
.text:004401FA faddp st(1), st
.text:004401FC call @_ftol$qv ; _ftol(void)
.text:00440201 mov [ebp+var_C0], eax ; ****** 保存累加和
.text:00440207 dec esi
.text:00440208 add ebx, 0FFFFFFFCh ;****** 指向前一个数据
.text:0044020B test esi, esi
.text:0044020D jge short loc_4401A7
.text:0044020F
.text:0044020F loc_44020F: ; CODE XREF: _TForm1_SpeedButton1Click+4A9j
.text:0044020F mov edx, [ebp+var_C0] ******* 那个数据在这里
.text:00440215 lea ecx, [ebp+var_10]
.text:00440218 push edx
.text:00440219 push offset off_50543C ; %ld
.text:0044021E push ecx
.text:0044021F call @System@WideString@printf$qpxbe ; System::WideString::printf(wchar_t *,...)
.text:00440224 add esp, 0Ch
.text:00440227 lea edx, [ebp+var_10]
.text:0044022A lea eax, [ebp+var_C] ; ****** 转成十进制字符串连接
.text:0044022D call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
=========================================================上面这段逆向如下:
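/*
 * Reconstruction of loc_44004D..00440232: the first registration-code group.
 *
 * rcode : the space-stripped registration code; the first group and the '-'
 *         that ends it are deleted from it in place (AnsiString::Delete(1, pos)).
 * var_c : decimal string being built for the RSA comparison; the group's
 *         value is appended with "%ld".
 * var_4 : the 60-character digit table "1234567890A..Zabcdefghijkmnpqrstuvwxyz".
 *
 * Value = sum over the group of table_index(ch[i]) * 59^i: the first character
 * carries weight 59^0 and the last one the highest power. With no '-' in rcode
 * the group is empty, nothing is deleted and "0" is appended.
 */
static void decode_first_group(char *rcode, char *var_c, const char *var_4)
{
    char code[20];     /* group text (SubString(1, pos - 1)), zero-filled */
    int  icode[20];    /* table index of each character (Pos() - 1) */
    char tmp[20];
    long codesum = 0;
    int  codelen;      /* 1-based position of the '-' in rcode, 0 if none (edi) */
    const char *p;
    int  i;

    memset(code, 0, sizeof code);
    memset(icode, 0, sizeof icode);

    p = strchr(rcode, '-');
    codelen = (p == NULL) ? 0 : (int)(p - rcode) + 1;

    /* NOTE(security): `code` and `icode` hold 20 entries but both fills below
     * are bounded only by the distance to the '-'. The binary has the same
     * flaw: the loop at 0044012D stores one dword per character into the
     * 20-dword table at var_1B0, so a group longer than 20 characters writes
     * past it into the locals above. Kept as-is to stay faithful. */
    if (codelen > 1)
        memcpy(code, rcode, codelen - 1);
    if (codelen > 0)
        memmove(rcode, rcode + codelen, strlen(rcode + codelen) + 1);

    for (i = 1; i < codelen; i++) {
        p = strchr(var_4, code[i - 1]);
        /* Pos() returns 0 for a character that is not in the table, so the
         * stored index is -1; strchr() would return NULL instead. */
        icode[i - 1] = (p == NULL) ? -1 : (int)(p - var_4);
    }

    /* Fold from the highest index down in double, as the x87 code does; the
     * (long) cast stands for _ftol. var_C0 is a 32-bit slot in the binary, so
     * groups of 6+ characters (59^5 ~ 7.1e8) can overflow it. */
    for (i = codelen - 2; i >= 0; i--) {
        double w = 1.0;                 /* pow(59.0, i); exact in double here */
        int k;
        for (k = 0; k < i; k++)
            w *= 59.0;
        codesum = (long)(w * icode[i] + codesum);
    }

    sprintf(tmp, "%ld", codesum);
    strcat(var_c, tmp);
}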
=========================================================
.text:00440232 mov [ebp+var_94], 0A4h
.text:0044023B mov edx, offset unk_505440 ; 0
.text:00440240 lea eax, [ebp+var_1C] ****** 定义字符串变量
.text:00440243 call tostring
.text:00440248 inc [ebp+var_88]
.text:0044024E mov edx, offset unk_505441 ; ‘-’
.text:00440253 mov [ebp+var_94], 8
.text:0044025C mov [ebp+var_94], 0B0h
.text:00440265 lea eax, [ebp+var_44]
.text:00440268 call tostring
.text:0044026D inc [ebp+var_88]
.text:00440273 lea edx, [ebp+var_44]
.text:00440276 lea eax, [ebp+rcode] ****** 取第二个'-'的位置
.text:00440279 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:0044027E mov edi, eax ****** 保存在 edi
.text:00440280 dec [ebp+var_88]
.text:00440286 lea eax, [ebp+var_44]
.text:00440289 mov edx, 2
.text:0044028E call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440293 mov [ebp+var_94], 0BCh
.text:0044029C xor ecx, ecx
.text:0044029E lea eax, [ebp+var_48]
.text:004402A1 mov [ebp+var_48], ecx
.text:004402A4 push eax
.text:004402A5 inc [ebp+var_88]
.text:004402AB lea eax, [ebp+rcode]
.text:004402AE lea ecx, [edi-1] ****** 不包括 '-' 号
.text:004402B1 mov edx, 1
.text:004402B6 call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:004402BB lea edx, [ebp+var_48]
.text:004402BE lea eax, [ebp+var_1C] ****** 取第二组注册码
.text:004402C1 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:004402C6 dec [ebp+var_88]
.text:004402CC lea eax, [ebp+var_48]
.text:004402CF mov edx, 2
.text:004402D4 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:004402D9 lea eax, [ebp+rcode]
.text:004402DC mov ecx, edi
.text:004402DE mov edx, 1 ****** 总注册码里删除掉第二组注册码
.text:004402E3 call @System@AnsiString@Delete$qqrii ; System::AnsiString::Delete(int,int)
.text:004402E8 mov esi, 1
.text:004402ED lea ebx, [ebp+var_1B0]
.text:004402F3 cmp edi, esi
.text:004402F5 jle short loc_44035B ****** 第二组注册码为空则跳
.text:004402F7
.text:004402F7 loc_4402F7: ; CODE XREF: _TForm1_SpeedButton1Click+65Dj
.text:004402F7 mov [ebp+var_94], 0C8h
.text:00440300 xor eax, eax
.text:00440302 lea edx, [ebp+var_4C]
.text:00440305 mov [ebp+var_4C], eax
.text:00440308 push edx
.text:00440309 inc [ebp+var_88]
.text:0044030F mov edx, esi ; index
.text:00440311 lea eax, [ebp+var_1C]
.text:00440314 mov ecx, 1 ; count ******在第二组注册码里取一个字符
.text:00440319 call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:0044031E lea edx, [ebp+var_4C]
.text:00440321 lea eax, [ebp+var_10]
.text:00440324 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:00440329 dec [ebp+var_88]
.text:0044032F lea eax, [ebp+var_4C]
.text:00440332 mov edx, 2
.text:00440337 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0044033C lea edx, [ebp+var_10] ****** 字符
.text:0044033F lea eax, [ebp+var_4] ****** 表
.text:00440342 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:00440347 mov [ebp+var_94], 8
.text:00440350 dec eax ****** 查表,位置减 1
.text:00440351 mov [ebx], eax ****** 保存
.text:00440353 inc esi ****** index + 1
.text:00440354 add ebx, 4
.text:00440357 cmp edi, esi
.text:00440359 jg short loc_4402F7 ****** 没处理完则继续循环
.text:0044035B
.text:0044035B loc_44035B: ; CODE XREF: _TForm1_SpeedButton1Click+5F9j
.text:0044035B xor edx, edx
.text:0044035D mov [ebp+var_C0], edx
.text:00440363
.text:00440363 loc_440363: ; CODE XREF: _TForm1_SpeedButton1Click+6C7j
.text:00440363 cmp [ebp+var_1B0], 3Bh *****比较第一个索引是不是 0x3b
.text:0044036A jnz short loc_4403C5 ***** 不是则跳
.text:0044036C mov [ebp+var_94], 0D4h
.text:00440375 lea eax, [ebp+var_50]
.text:00440378 mov dl, 30h
.text:0044037A call unknown_libname_617
.text:0044037F inc [ebp+var_88]
.text:00440385 lea edx, [ebp+var_50] ; '0'
.text:00440388 lea eax, [ebp+var_C] ;连接到要处理的串
.text:0044038B call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
.text:00440390 dec [ebp+var_88]
.text:00440396 lea eax, [ebp+var_50]
.text:00440399 mov edx, 2
.text:0044039E call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:004403A3 mov [ebp+var_94], 8
.text:004403AC xor edx, edx
.text:004403AE lea eax, [ebp+var_1AC]
.text:004403B4
.text:004403B4 loc_4403B4: ; CODE XREF: _TForm1_SpeedButton1Click+6C4j
.text:004403B4 mov ecx, [eax] ****** 把后面的数据依次往前移动
.text:004403B6 mov [eax-4], ecx
.text:004403B9 inc edx
.text:004403BA add eax, 4
.text:004403BD cmp edx, 13h ****** 第二组注册码最长20位
.text:004403C0 jl short loc_4403B4
.text:004403C2 dec edi ****** 长度减1
.text:004403C3 jmp short loc_440363
.text:004403C5 ; ---------------------------------------------------------------------------
上面这段检查第二组注册码索引表的第一项是不是 0x3b(59):如果是,就在最终的串上追加一个 '0',然后把索引表前移一项(只有前 19 项被后一项覆盖,icode[19] 保持原值)、长度 edi 减 1,再回到 loc_440363 重新检查。也就是说,组首的 'z' 不参与后面的 59 进制运算,而是直接变成结果串里的前导 '0'。
从查表可以看出索引 59(从 0 开始数,表里没有 'l' 和 'o')对应的字符就是 'z'。注意这个循环只看 icode[0],而 icode[19] 永远不会被清掉:如果一组注册码恰好是 20 个 'z',icode[0] 会一直等于 0x3b,循环不会退出。
.text:004403C5
.text:004403C5 loc_4403C5: ; CODE XREF: _TForm1_SpeedButton1Click+66Ej
.text:004403C5 lea esi, [edi-2]
.text:004403C8 lea ebx, [ebp+esi*4+var_1B0] ****** 指向表最后一位
.text:004403CF test esi, esi
.text:004403D1 jl short loc_44043B ****** 表为空则跳
.text:004403D3
.text:004403D3 loc_4403D3: ; CODE XREF: _TForm1_SpeedButton1Click+73Dj
.text:004403D3 mov [ebp+var_1B4], esi ****** 表的索引
.text:004403D9 fild [ebp+var_1B4]
.text:004403DF add esp, 0FFFFFFF8h ; y
.text:004403E2 fstp [esp+1D8h+var_1D8]
.text:004403E5 push 404D8000h
.text:004403EA push 0 ; x
.text:004403EC call _pow ****** 59的索引次方
.text:004403F1 mov eax, [ebx]
.text:004403F3 xor edx, edx
.text:004403F5 mov dword ptr [ebp+var_1BC], eax
.text:004403FB mov dword ptr [ebp+var_1BC+4], edx
.text:00440401 fild [ebp+var_1BC] ****** 加载表数据
.text:00440407 mov ecx, [ebp+var_C0]
.text:0044040D add esp, 10h
.text:00440410 xor eax, eax
.text:00440412 mov dword ptr [ebp+var_1C4], ecx
.text:00440418 fmulp st(1), st ****** 相乘
.text:0044041A mov dword ptr [ebp+var_1C4+4], eax
.text:00440420 fild [ebp+var_1C4]
.text:00440426 faddp st(1), st ****** 累加
.text:00440428 call @_ftol$qv ; _ftol(void)
.text:0044042D mov [ebp+var_C0], eax ****** 保存结果
.text:00440433 dec esi
.text:00440434 add ebx, 0FFFFFFFCh
.text:00440437 test esi, esi
.text:00440439 jge short loc_4403D3
这段处理方法同上:从索引表的最后一项(位置 edi-2)倒着累加 59^索引 × 表项,即把索引表当成一个 59 进制数,第一个字符权重最低(59^0),最后一个字符权重最高。注意乘法和累加是在 double 上做的,结果经 _ftol 截断后存回 32 位的 var_C0;一组达到 6 个字符以上时(59^5 ≈ 7.1×10^8)就可能超出 32 位有符号范围,写 keygen 时要核对这种情况下二进制的实际行为。
.text:0044043B
.text:0044043B loc_44043B: ; CODE XREF: _TForm1_SpeedButton1Click+6D5j
.text:0044043B mov edx, [ebp+var_C0]
.text:00440441 lea ecx, [ebp+var_10]
.text:00440444 push edx
.text:00440445 push offset off_505443 ;"%ld"
.text:0044044A push ecx
.text:0044044B call @System@WideString@printf$qpxbe ; System::WideString::printf(wchar_t *,...)
.text:00440450 add esp, 0Ch
.text:00440453 lea edx, [ebp+var_10]
.text:00440456 lea eax, [ebp+var_C] ****** 连接到要处理的串
.text:00440459 call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
=========================================================上面这段逆向如下:
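/*
 * Reconstruction of 00440232..00440459: the second registration-code group.
 * Same extraction, table lookup and base-59 fold as the first group, plus the
 * leading-'z' rule at loc_440363.
 *
 * rcode : remaining registration code; the group and its '-' are removed in
 *         place (AnsiString::Delete(1, pos)).
 * var_c : decimal string being built; receives one '0' per leading 'z', then
 *         the group value rendered with "%ld".
 * var_4 : the 60-character digit table ('l' and 'o' absent, 'z' is index 0x3b).
 */
static void decode_second_group(char *rcode, char *var_c, const char *var_4)
{
    char code[20];     /* group text (SubString(1, pos - 1)), zero-filled */
    int  icode[20];    /* table index of each character (Pos() - 1) */
    char tmp[20];
    long codesum = 0;
    int  codelen;      /* 1-based position of the '-' in rcode, 0 if none (edi) */
    const char *p;
    int  i;

    memset(code, 0, sizeof code);
    memset(icode, 0, sizeof icode);

    p = strchr(rcode, '-');
    codelen = (p == NULL) ? 0 : (int)(p - rcode) + 1;

    /* NOTE(security): as for the first group, both fills are bounded by the
     * distance to the '-', not by the 20-entry tables; the binary's loop at
     * 004402F7 writes past the 20-dword table at var_1B0 for a longer group.
     * Kept as-is to stay faithful. */
    if (codelen > 1)
        memcpy(code, rcode, codelen - 1);
    if (codelen > 0)
        memmove(rcode, rcode + codelen, strlen(rcode + codelen) + 1);

    for (i = 1; i < codelen; i++) {
        p = strchr(var_4, code[i - 1]);
        /* Pos() returns 0 for a miss, so the stored index is -1. */
        icode[i - 1] = (p == NULL) ? -1 : (int)(p - var_4);
    }

    /* loc_440363: a leading 'z' (index 0x3b) is not a digit. Each one becomes a
     * literal '0' in var_c and is shifted out of the table. Only the first 19
     * slots move (icode[19] keeps its value), so a group of twenty 'z' leaves
     * icode[0] == 0x3b forever and this loop does not terminate. */
    while (icode[0] == 0x3b) {
        strcat(var_c, "0");
        for (i = 0; i < 19; i++)
            icode[i] = icode[i + 1];
        codelen--;
    }

    /* Fold from the highest index down in double, as the x87 code does; the
     * (long) cast stands for _ftol into the 32-bit var_C0. */
    for (i = codelen - 2; i >= 0; i--) {
        double w = 1.0;                 /* pow(59.0, i); exact in double here */
        int k;
        for (k = 0; k < i; k++)
            w *= 59.0;
        codesum = (long)(w * icode[i] + codesum);
    }

    sprintf(tmp, "%ld", codesum);
    strcat(var_c, tmp);
}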
=========================================================
.text:0044045E mov [ebp+var_94], 0E0h
.text:00440467 mov edx, offset unk_505447 ;'0'
.text:0044046C lea eax, [ebp+var_20]
.text:0044046F call tostring
.text:00440474 inc [ebp+var_88]
.text:0044047A mov edx, offset unk_505448 ;'-'
.text:0044047F mov [ebp+var_94], 8
.text:00440488 mov [ebp+var_94], 0ECh
.text:00440491 lea eax, [ebp+var_54]
.text:00440494 call tostring
.text:00440499 inc [ebp+var_88]
.text:0044049F lea edx, [ebp+var_54] ****** 找第三个'-'的位置
.text:004404A2 lea eax, [ebp+rcode]
.text:004404A5 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:004404AA mov edi, eax ****** 结果保存在这里
.text:004404AC dec [ebp+var_88]
.text:004404B2 lea eax, [ebp+var_54]
.text:004404B5 mov edx, 2
.text:004404BA call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:004404BF test edi, edi
.text:004404C1 jnz short loc_4404D4 ****** 结果不为0则跳(即至少有四组注册码)
.text:004404C3 cmp [ebp+rcode], 0 ****** 否则检查是否还有数据
.text:004404C7 jz short loc_4404D1 ****** 没有则跳
.text:004404C9 mov ecx, [ebp+rcode] ****** 如果有数据则说明只有三组注册码
.text:004404CC mov edi, [ecx-4] ****** 取长度
.text:004404CF jmp short loc_4404D3
.text:004404D1 ; ---------------------------------------------------------------------------
.text:004404D1
.text:004404D1 loc_4404D1: ; CODE XREF: _TForm1_SpeedButton1Click+7CBj
.text:004404D1 xor edi, edi
.text:004404D3
.text:004404D3 loc_4404D3: ; CODE XREF: _TForm1_SpeedButton1Click+7D3j
.text:004404D3 inc edi
.text:004404D4
.text:004404D4 loc_4404D4: ; CODE XREF: _TForm1_SpeedButton1Click+7C5j
.text:004404D4 mov [ebp+var_94], 0F8h
.text:004404DD xor eax, eax
.text:004404DF lea edx, [ebp+var_58]
.text:004404E2 mov [ebp+var_58], eax
.text:004404E5 push edx
.text:004404E6 inc [ebp+var_88]
.text:004404EC mov edx, 1
.text:004404F1 lea eax, [ebp+rcode]
.text:004404F4 lea ecx, [edi-1]
.text:004404F7 call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:004404FC lea edx, [ebp+var_58]
.text:004404FF lea eax, [ebp+var_20] ****** 取出第三组注册码
.text:00440502 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:00440507 dec [ebp+var_88]
.text:0044050D lea eax, [ebp+var_58]
.text:00440510 mov edx, 2
.text:00440515 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0044051A lea eax, [ebp+rcode]
.text:0044051D mov ecx, edi
.text:0044051F mov edx, 1 ****** 原串里删除第三组注册码
.text:00440524 call @System@AnsiString@Delete$qqrii ; System::AnsiString::Delete(int,int)
.text:00440529 mov esi, 1
.text:0044052E lea ebx, [ebp+var_1B0]
.text:00440534 cmp edi, esi
.text:00440536 jle short loc_44059C ****** 第三组注册码为空则跳
.text:00440538
.text:00440538 loc_440538: ; CODE XREF: _TForm1_SpeedButton1Click+89Ej
.text:00440538 mov [ebp+var_94], 104h
.text:00440541 xor eax, eax
.text:00440543 lea edx, [ebp+var_5C]
.text:00440546 mov [ebp+var_5C], eax
.text:00440549 push edx
.text:0044054A inc [ebp+var_88]
.text:00440550 mov edx, esi
.text:00440552 lea eax, [ebp+var_20] ****** 取第三组注册码的一个字符
.text:00440555 mov ecx, 1
.text:0044055A call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:0044055F lea edx, [ebp+var_5C]
.text:00440562 lea eax, [ebp+var_10]
.text:00440565 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:0044056A dec [ebp+var_88]
.text:00440570 lea eax, [ebp+var_5C]
.text:00440573 mov edx, 2
.text:00440578 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0044057D lea edx, [ebp+var_10]
.text:00440580 lea eax, [ebp+var_4] ****** 查表
.text:00440583 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:00440588 mov [ebp+var_94], 8
.text:00440591 dec eax ****** 结果减 1
.text:00440592 mov [ebx], eax ****** 保存结果
.text:00440594 inc esi
.text:00440595 add ebx, 4
.text:00440598 cmp edi, esi
.text:0044059A jg short loc_440538 ***** 没完则循环
.text:0044059C
.text:0044059C loc_44059C: ; CODE XREF: _TForm1_SpeedButton1Click+83Aj
.text:0044059C xor edx, edx
.text:0044059E mov [ebp+var_C0], edx
.text:004405A4
.text:004405A4 loc_4405A4: ; CODE XREF: _TForm1_SpeedButton1Click+908j
.text:004405A4 cmp [ebp+var_1B0], 3Bh ***** 比较第一个索引是不是0x3b(对应注册码字符为'z')
.text:004405AB jnz short loc_440606 ***** 不等则跳
.text:004405AD mov [ebp+var_94], 110h
.text:004405B6 lea eax, [ebp+var_60]
.text:004405B9 mov dl, 30h
.text:004405BB call unknown_libname_617
.text:004405C0 inc [ebp+var_88]
.text:004405C6 lea edx, [ebp+var_60]
.text:004405C9 lea eax, [ebp+var_C] ******是则在要处理的串上替换为 '0'
.text:004405CC call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
.text:004405D1 dec [ebp+var_88]
.text:004405D7 lea eax, [ebp+var_60]
.text:004405DA mov edx, 2
.text:004405DF call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:004405E4 mov [ebp+var_94], 8
.text:004405ED xor edx, edx
.text:004405EF lea eax, [ebp+var_1AC]
.text:004405F5
.text:004405F5 loc_4405F5: ; CODE XREF: _TForm1_SpeedButton1Click+905j
.text:004405F5 mov ecx, [eax] ****** 第三组注册码中删除掉第一个字符
.text:004405F7 mov [eax-4], ecx
.text:004405FA inc edx
.text:004405FB add eax, 4
.text:004405FE cmp edx, 13h ****** 最多20位
.text:00440601 jl short loc_4405F5
.text:00440603 dec edi ****** 第三组注册码长度减 1
.text:00440604 jmp short loc_4405A4
.text:00440606 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00440606
.text:00440606 loc_440606: ; CODE XREF: _TForm1_SpeedButton1Click+8AFj
.text:00440606 lea esi, [edi-2]
.text:00440609 lea ebx, [ebp+esi*4+var_1B0] ****** 指向表中最后一个
.text:00440610 test esi, esi
.text:00440612 jl short loc_44067C ****** 表为空则跳
.text:00440614
.text:00440614 loc_440614: ; CODE XREF: _TForm1_SpeedButton1Click+97Ej
.text:00440614 mov [ebp+var_1B4], esi
.text:0044061A fild [ebp+var_1B4]
.text:00440620 add esp, 0FFFFFFF8h ; y
.text:00440623 fstp [esp+1D8h+var_1D8]
.text:00440626 push 404D8000h
.text:0044062B push 0 ; x
.text:0044062D call _pow
.text:00440632 mov eax, [ebx]
.text:00440634 xor edx, edx
.text:00440636 mov dword ptr [ebp+var_1BC], eax
.text:0044063C mov dword ptr [ebp+var_1BC+4], edx
.text:00440642 fild [ebp+var_1BC]
.text:00440648 mov ecx, [ebp+var_C0]
.text:0044064E add esp, 10h
.text:00440651 xor eax, eax
.text:00440653 mov dword ptr [ebp+var_1C4], ecx
.text:00440659 fmulp st(1), st
.text:0044065B mov dword ptr [ebp+var_1C4+4], eax
.text:00440661 fild [ebp+var_1C4]
.text:00440667 faddp st(1), st
.text:00440669 call @_ftol$qv ; _ftol(void)
.text:0044066E mov [ebp+var_C0], eax
.text:00440674 dec esi
.text:00440675 add ebx, 0FFFFFFFCh
.text:00440678 test esi, esi
.text:0044067A jge short loc_440614
.text:0044067C
.text:0044067C loc_44067C: ; CODE XREF: _TForm1_SpeedButton1Click+916j
.text:0044067C mov edx, [ebp+var_C0]
.text:00440682 lea ecx, [ebp+var_10]
.text:00440685 push edx
.text:00440686 push offset off_50544A
.text:0044068B push ecx
.text:0044068C call @System@WideString@printf$qpxbe ; System::WideString::printf(wchar_t *,...)
.text:00440691 add esp, 0Ch
.text:00440694 lea edx, [ebp+var_10]
.text:00440697 lea eax, [ebp+var_C]
.text:0044069A call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
=========================================================上面这段逆向如下(补充一点:00440538 处的查表循环按这一组注册码的长度,每个字符往 var_1B0 起的表里写一个 dword,这张表到 var_160 为止只有 0x50 字节即 20 项,循环本身没有上限检查,一组超过 20 个字符就会越过表写到后面的栈变量上;编辑框有没有限制长度在这段代码里看不出来):
/* Group 3 of the registration code: C form of the disassembly above
 * (ending at 0044069A). Names follow the binary: code[] = this group's
 * characters, icode[] = their 0-based positions in the alphabet var_4,
 * var_c = the decimal text being assembled for all groups. Two slips in
 * the transcription are flagged inline rather than fixed, since this
 * fragment is meant to mirror the listing line for line. */
memset(code,0,20);
memset(icode,0,80);
p = strchr(rcode,'-');
if(p == NULL) // no '-' left: this group runs to the end of the string (the code has at most three groups)
{
if(rcode[0] != 0)
{
codelen = strlen(rcode) + 1;
}
else
codelen = 1;
}
else
codelen = p - rcode + 1; // 1-based position of the '-', as AnsiString::Pos() returns it
if(codelen > 0)
strncpy(code,rcode,codelen - 1); // copy the group (SubString(1, codelen-1) in the binary)
strcpy(rcode,rcode+codelen); // drop the group and its '-' (Delete(1, codelen)); NOTE(review): src and dst overlap, and with codelen == 1 on an empty string this reads past the terminator -- use memmove with a clamped length if you compile this
if(codelen > 1)
{
i = 1;
do{
p = strchr(var_4,code[i-1]); // NOTE(review): VCL Pos() returns 0 for a character not in the table, so the binary stores -1 below; strchr() returns NULL instead
icode[i-1] = p - var_4; // 0-based alphabet index (Pos() result minus 1, the dec eax at 00440591)
i ++;
}while(codelen > i);
}
codesum = 0;
while(icode[0] == 0x3b) // 0x3b == 59 == 'z', the last alphabet entry: a leading 'z' is a placeholder digit
{
strcat(var_c,'0'); // NOTE(review): must be the string "0" -- the binary appends a one-character AnsiString built from 0x30
i =0;
do{
icode[i] = icode[i+1]; // shift the table down one entry (19 moves; entry 19 is left in place)
i++;
}while(i < 19);
codelen --;
}
codelen -= 2; // index of the last digit (codelen counted the separator)
if(codelen >= 0)
{
do{
x1 = pow(59.0,codelen) * icode1[codelen]; // NOTE(review): icode1 is a slip for icode. Digit k weighs 59^k, so the FIRST character is the least significant digit
x1 = x1 + codesum;
codesum = _ftol(x1); // only eax (a dword) is stored at 0044066E, so the value is kept in 32 bits and long groups overflow
codelen --;
}while(codelen >= 0);
}
sprintf(tmp,"%ld",codesum); // the group's value as decimal text ...
strcat(var_c,tmp); // ... appended to the string later fed to the RSA step
=========================================================
.text:0044069F mov [ebp+var_94], 11Ch
.text:004406A8 mov edx, offset unk_50544E ; 0
.text:004406AD lea eax, [ebp+var_24]
.text:004406B0 call tostring
.text:004406B5 inc [ebp+var_88]
.text:004406BB mov edx, offset unk_50544F ; '-'
.text:004406C0 mov [ebp+var_94], 8
.text:004406C9 mov [ebp+var_94], 128h
.text:004406D2 lea eax, [ebp+var_64]
.text:004406D5 call tostring
.text:004406DA inc [ebp+var_88]
.text:004406E0 lea edx, [ebp+var_64]
.text:004406E3 lea eax, [ebp+rcode] ****** 查找第四个'-'的位置
.text:004406E6 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:004406EB mov edi, eax ****** 保存结果
.text:004406ED dec [ebp+var_88]
.text:004406F3 lea eax, [ebp+var_64]
.text:004406F6 mov edx, 2
.text:004406FB call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440700 test edi, edi ****** 结果不为0则跳走(说明至少有5组注册码)
.text:00440702 jnz short loc_440715
.text:00440704 cmp [ebp+rcode], 0 ****** 注册码串为空吗?
.text:00440708 jz short loc_440712 ****** 为空则跳走(只有3组)
.text:0044070A mov ecx, [ebp+rcode] ****** 不为空(有4组)
.text:0044070D mov edi, [ecx-4] ****** 则取长度
.text:00440710 jmp short loc_440714
.text:00440712 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00440712
.text:00440712 loc_440712: ; CODE XREF: _TForm1_SpeedButton1Click+A0Cj
.text:00440712 xor edi, edi
.text:00440714
.text:00440714 loc_440714: ; CODE XREF: _TForm1_SpeedButton1Click+A14j
.text:00440714 inc edi
.text:00440715
.text:00440715 loc_440715: ; CODE XREF: _TForm1_SpeedButton1Click+A06j
.text:00440715 mov [ebp+var_94], 134h
.text:0044071E xor eax, eax
.text:00440720 lea edx, [ebp+var_68]
.text:00440723 mov [ebp+var_68], eax
.text:00440726 push edx
.text:00440727 inc [ebp+var_88]
.text:0044072D mov edx, 1 ; index
.text:00440732 lea eax, [ebp+rcode] ; AnsiString
.text:00440735 lea ecx, [edi-1] ; count ******取出第四组注册码
.text:00440738 call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:0044073D lea edx, [ebp+var_68]
.text:00440740 lea eax, [ebp+var_24] ****** 保存在这里
.text:00440743 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:00440748 dec [ebp+var_88]
.text:0044074E lea eax, [ebp+var_68]
.text:00440751 mov edx, 2
.text:00440756 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0044075B lea eax, [ebp+rcode]
.text:0044075E mov ecx, edi ;count
.text:00440760 mov edx, 1 ;index ****** 原串里删除第四组注册码
.text:00440765 call @System@AnsiString@Delete$qqrii ; System::AnsiString::Delete(int,int)
.text:0044076A mov esi, 1
.text:0044076F lea ebx, [ebp+var_1B0]
.text:00440775 cmp edi, esi
.text:00440777 jle short loc_4407DD ******* 第四组注册码为空则跳走
.text:00440779
.text:00440779 loc_440779: ; CODE XREF: _TForm1_SpeedButton1Click+ADFj
.text:00440779 mov [ebp+var_94], 140h
.text:00440782 xor eax, eax
.text:00440784 lea edx, [ebp+var_6C]
.text:00440787 mov [ebp+var_6C], eax
.text:0044078A push edx
.text:0044078B inc [ebp+var_88]
.text:00440791 mov edx, esi ; index
.text:00440793 lea eax, [ebp+var_24]
.text:00440796 mov ecx, 1 ; count 取第四组注册码中的一个字符
.text:0044079B call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:004407A0 lea edx, [ebp+var_6C]
.text:004407A3 lea eax, [ebp+var_10]
.text:004407A6 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:004407AB dec [ebp+var_88]
.text:004407B1 lea eax, [ebp+var_6C]
.text:004407B4 mov edx, 2
.text:004407B9 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:004407BE lea edx, [ebp+var_10]
.text:004407C1 lea eax, [ebp+var_4] ******* 查表
.text:004407C4 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:004407C9 mov [ebp+var_94], 8
.text:004407D2 dec eax ******* 结果减 1
.text:004407D3 mov [ebx], eax ******* 保存结果
.text:004407D5 inc esi
.text:004407D6 add ebx, 4
.text:004407D9 cmp edi, esi
.text:004407DB jg short loc_440779 ******* 没完则继续循环
.text:004407DD
.text:004407DD loc_4407DD: ; CODE XREF: _TForm1_SpeedButton1Click+A7Bj
.text:004407DD xor edx, edx
.text:004407DF mov [ebp+var_C0], edx
.text:004407E5
.text:004407E5 loc_4407E5: ; CODE XREF: _TForm1_SpeedButton1Click+B49j
.text:004407E5 cmp [ebp+var_1B0], 3Bh ******* 比较表中第一项是不是0x3b ( 'z')
.text:004407EC jnz short loc_440847 ******* 不是则跳
.text:004407EE mov [ebp+var_94], 14Ch
.text:004407F7 lea eax, [ebp+var_70]
.text:004407FA mov dl, 30h
.text:004407FC call unknown_libname_617
.text:00440801 inc [ebp+var_88]
.text:00440807 lea edx, [ebp+var_70]
.text:0044080A lea eax, [ebp+var_C] ******* 是则在要处理的串上代替为'0'
.text:0044080D call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
.text:00440812 dec [ebp+var_88]
.text:00440818 lea eax, [ebp+var_70]
.text:0044081B mov edx, 2
.text:00440820 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440825 mov [ebp+var_94], 8
.text:0044082E xor edx, edx
.text:00440830 lea eax, [ebp+var_1AC]
.text:00440836
.text:00440836 loc_440836: ; CODE XREF: _TForm1_SpeedButton1Click+B46j
.text:00440836 mov ecx, [eax] ******后面的数据往前移
.text:00440838 mov [eax-4], ecx
.text:0044083B inc edx
.text:0044083C add eax, 4
.text:0044083F cmp edx, 13h ******最多20位
.text:00440842 jl short loc_440836
.text:00440844 dec edi ******长度减1
.text:00440845 jmp short loc_4407E5
.text:00440847 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00440847
.text:00440847 loc_440847: ; CODE XREF: _TForm1_SpeedButton1Click+AF0j
.text:00440847 lea esi, [edi-2]
.text:0044084A lea ebx, [ebp+esi*4+var_1B0] ****** 指向表中最后一项
.text:00440851 test esi, esi
.text:00440853 jl short loc_4408BD ****** 表为空则跳
.text:00440855
.text:00440855 loc_440855: ; CODE XREF: _TForm1_SpeedButton1Click+BBFj
.text:00440855 mov [ebp+var_1B4], esi
.text:0044085B fild [ebp+var_1B4]
.text:00440861 add esp, 0FFFFFFF8h ; y
.text:00440864 fstp [esp+1D8h+var_1D8]
.text:00440867 push 404D8000h
.text:0044086C push 0 ; x
.text:0044086E call _pow
.text:00440873 mov eax, [ebx]
.text:00440875 xor edx, edx
.text:00440877 mov dword ptr [ebp+var_1BC], eax
.text:0044087D mov dword ptr [ebp+var_1BC+4], edx
.text:00440883 fild [ebp+var_1BC]
.text:00440889 mov ecx, [ebp+var_C0]
.text:0044088F add esp, 10h
.text:00440892 xor eax, eax
.text:00440894 mov dword ptr [ebp+var_1C4], ecx
.text:0044089A fmulp st(1), st
.text:0044089C mov dword ptr [ebp+var_1C4+4], eax
.text:004408A2 fild [ebp+var_1C4]
.text:004408A8 faddp st(1), st
.text:004408AA call @_ftol$qv ; _ftol(void)
.text:004408AF mov [ebp+var_C0], eax
.text:004408B5 dec esi
.text:004408B6 add ebx, 0FFFFFFFCh
.text:004408B9 test esi, esi
.text:004408BB jge short loc_440855
.text:004408BD
.text:004408BD loc_4408BD: ; CODE XREF: _TForm1_SpeedButton1Click+B57j
.text:004408BD mov edx, [ebp+var_C0]
.text:004408C3 lea ecx, [ebp+var_10]
.text:004408C6 push edx
.text:004408C7 push offset off_505451
.text:004408CC push ecx
.text:004408CD call @System@WideString@printf$qpxbe ; System::WideString::printf(wchar_t *,...)
.text:004408D2 add esp, 0Ch
.text:004408D5 lea edx, [ebp+var_10]
.text:004408D8 lea eax, [ebp+var_C] *******结果连接到要处理的串上
.text:004408DB call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
=========================================================上面这段逆向如下:
/* Group 4 of the registration code: C form of the disassembly above
 * (ending at 004408DB), identical in shape to the group-3 step. Names
 * follow the binary: code[] = this group's characters, icode[] = their
 * 0-based positions in the alphabet var_4, var_c = the decimal text being
 * assembled for all groups. Transcription slips are flagged inline rather
 * than fixed so the fragment keeps mirroring the listing. */
memset(code,0,20);
memset(icode,0,80);
p = strchr(rcode,'-');
if(p == NULL) // no '-' left: this group runs to the end of the string (the code has at most four groups)
{
if(rcode[0] != 0)
{
codelen = strlen(rcode) + 1;
}
else
codelen = 1;
}
else
codelen = p - rcode + 1; // 1-based position of the '-', as AnsiString::Pos() returns it
if(codelen > 0)
strncpy(code,rcode,codelen - 1); // copy the group (SubString(1, codelen-1) in the binary)
strcpy(rcode,rcode+codelen); // drop the group and its '-' (Delete(1, codelen)); NOTE(review): src and dst overlap, and with codelen == 1 on an empty string this reads past the terminator -- use memmove with a clamped length if you compile this
if(codelen > 1)
{
i = 1;
do{
p = strchr(var_4,code[i-1]); // NOTE(review): VCL Pos() returns 0 for a character not in the table, so the binary stores -1 below; strchr() returns NULL instead
icode[i-1] = p - var_4; // 0-based alphabet index (Pos() result minus 1, the dec eax at 004407D2)
i ++;
}while(codelen > i);
}
codesum = 0;
while(icode[0] == 0x3b) // 0x3b == 59 == 'z', the last alphabet entry: a leading 'z' is a placeholder digit
{
strcat(var_c,'0'); // NOTE(review): must be the string "0" -- the binary appends a one-character AnsiString built from 0x30
i =0;
do{
icode[i] = icode[i+1]; // shift the table down one entry (19 moves; entry 19 is left in place)
i++;
}while(i < 19);
codelen --;
}
codelen -= 2; // index of the last digit (codelen counted the separator)
if(codelen >= 0)
{
do{
x1 = pow(59.0,codelen) * icode1[codelen]; // NOTE(review): icode1 is a slip for icode. Digit k weighs 59^k, so the FIRST character is the least significant digit
x1 = x1 + codesum;
codesum = _ftol(x1); // only eax (a dword) is stored at 004408AF, so the value is kept in 32 bits and long groups overflow
codelen --;
}while(codelen >= 0);
}
sprintf(tmp,"%ld",codesum); // the group's value as decimal text ...
strcat(var_c,tmp); // ... appended to the string later fed to the RSA step
=========================================================
.text:004408E0 mov [ebp+var_94], 158h
.text:004408E9 mov edx, offset unk_505455 ; 0
.text:004408EE lea eax, [ebp+var_28]
.text:004408F1 call tostring
.text:004408F6 inc [ebp+var_88]
.text:004408FC mov [ebp+var_94], 8
.text:00440905 cmp [ebp+rcode], 0 ****** 比较注册码串是否为空
.text:00440909 jz short loc_440913 ****** 为空则跳
.text:0044090B mov ecx, [ebp+rcode]
.text:0044090E mov edi, [ecx-4] ******否则取长度(可见最多5组)
.text:00440911 jmp short loc_440915
.text:00440913 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00440913
.text:00440913 loc_440913: ; CODE XREF: _TForm1_SpeedButton1Click+C0Dj
.text:00440913 xor edi, edi
.text:00440915
.text:00440915 loc_440915: ; CODE XREF: _TForm1_SpeedButton1Click+C15j
.text:00440915 mov [ebp+var_94], 164h
.text:0044091E xor eax, eax
.text:00440920 lea edx, [ebp+var_74]
.text:00440923 mov [ebp+var_74], eax
.text:00440926 push edx
.text:00440927 inc edi ******调整长度(为了统一处理^_^)
.text:00440928 mov edx, 1
.text:0044092D inc [ebp+var_88]
.text:00440933 lea eax, [ebp+rcode]
.text:00440936 lea ecx, [edi-1] ****** 取出第五组注册码
.text:00440939 call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:0044093E lea edx, [ebp+var_74]
.text:00440941 lea eax, [ebp+var_28] ****** 保存在这里
.text:00440944 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:00440949 dec [ebp+var_88]
.text:0044094F lea eax, [ebp+var_74]
.text:00440952 mov edx, 2
.text:00440957 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:0044095C lea eax, [ebp+rcode]
.text:0044095F mov ecx, edi
.text:00440961 mov edx, 1 ****** 原串里删除第五组注册码
.text:00440966 call @System@AnsiString@Delete$qqrii ; System::AnsiString::Delete(int,int)
.text:0044096B mov esi, 1
.text:00440970 lea ebx, [ebp+var_1B0]
.text:00440976 cmp edi, esi
.text:00440978 jle short loc_4409DE ****** 第五组注册码为空则跳
.text:0044097A
.text:0044097A loc_44097A: ; CODE XREF: _TForm1_SpeedButton1Click+CE0j
.text:0044097A mov [ebp+var_94], 170h
.text:00440983 xor eax, eax
.text:00440985 lea edx, [ebp+var_78]
.text:00440988 mov [ebp+var_78], eax
.text:0044098B push edx
.text:0044098C inc [ebp+var_88]
.text:00440992 mov edx, esi ; count
.text:00440994 lea eax, [ebp+var_28]
.text:00440997 mov ecx, 1 ; index ****** 取一个字符
.text:0044099C call @System@AnsiString@SubString$xqqrii ; System::AnsiString::SubString(int,int)
.text:004409A1 lea edx, [ebp+var_78]
.text:004409A4 lea eax, [ebp+var_10] ****** 保存在这里
.text:004409A7 call @System@AnsiString@$basg$qqrrx17System@AnsiString ; System::AnsiString::operator=(System::AnsiString &)
.text:004409AC dec [ebp+var_88]
.text:004409B2 lea eax, [ebp+var_78]
.text:004409B5 mov edx, 2
.text:004409BA call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:004409BF lea edx, [ebp+var_10]
.text:004409C2 lea eax, [ebp+var_4] ****** 查表
.text:004409C5 call @System@AnsiString@Pos$xqqrrx17System@AnsiString ; System::AnsiString::Pos(System::AnsiString &)
.text:004409CA mov [ebp+var_94], 8
.text:004409D3 dec eax ******结果减 1
.text:004409D4 mov [ebx], eax ******保存结果
.text:004409D6 inc esi
.text:004409D7 add ebx, 4
.text:004409DA cmp edi, esi
.text:004409DC jg short loc_44097A ******没完则继续
.text:004409DE
.text:004409DE loc_4409DE: ; CODE XREF: _TForm1_SpeedButton1Click+C7Cj
.text:004409DE xor edx, edx
.text:004409E0 mov [ebp+var_C0], edx
.text:004409E6
.text:004409E6 loc_4409E6: ; CODE XREF: _TForm1_SpeedButton1Click+D4Aj
.text:004409E6 cmp [ebp+var_1B0], 3Bh ******比较第一个字符是不是'z'
.text:004409ED jnz short loc_440A48
.text:004409EF mov [ebp+var_94], 17Ch
.text:004409F8 lea eax, [ebp+var_7C]
.text:004409FB mov dl, 30h
.text:004409FD call unknown_libname_617
.text:00440A02 inc [ebp+var_88]
.text:00440A08 lea edx, [ebp+var_7C]
.text:00440A0B lea eax, [ebp+var_C] ******是则在要处理的串上用'0'代替
.text:00440A0E call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
.text:00440A13 dec [ebp+var_88]
.text:00440A19 lea eax, [ebp+var_7C]
.text:00440A1C mov edx, 2
.text:00440A21 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440A26 mov [ebp+var_94], 8
.text:00440A2F xor edx, edx
.text:00440A31 lea eax, [ebp+var_1AC]
.text:00440A37
.text:00440A37 loc_440A37: ; CODE XREF: _TForm1_SpeedButton1Click+D47j
.text:00440A37 mov ecx, [eax] ******* 后面的数据往前移
.text:00440A39 mov [eax-4], ecx
.text:00440A3C inc edx
.text:00440A3D add eax, 4
.text:00440A40 cmp edx, 13h ******* 最多 20 位
.text:00440A43 jl short loc_440A37
.text:00440A45 dec edi ******* 长度减 1
.text:00440A46 jmp short loc_4409E6
.text:00440A48 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00440A48
.text:00440A48 loc_440A48: ; CODE XREF: _TForm1_SpeedButton1Click+CF1j
.text:00440A48 lea esi, [edi-2]
.text:00440A4B lea ebx, [ebp+esi*4+var_1B0] ****** 指向表中最后一项
.text:00440A52 test esi, esi
.text:00440A54 jl short loc_440ABE ****** 表为空则跳
.text:00440A56
.text:00440A56 loc_440A56: ; CODE XREF: _TForm1_SpeedButton1Click+DC0j
.text:00440A56 mov [ebp+var_1B4], esi
.text:00440A5C fild [ebp+var_1B4]
.text:00440A62 add esp, 0FFFFFFF8h ; y
.text:00440A65 fstp [esp+1D8h+var_1D8]
.text:00440A68 push 404D8000h
.text:00440A6D push 0 ; x
.text:00440A6F call _pow
.text:00440A74 mov eax, [ebx]
.text:00440A76 xor edx, edx
.text:00440A78 mov dword ptr [ebp+var_1BC], eax
.text:00440A7E mov dword ptr [ebp+var_1BC+4], edx
.text:00440A84 fild [ebp+var_1BC]
.text:00440A8A mov ecx, [ebp+var_C0]
.text:00440A90 add esp, 10h
.text:00440A93 xor eax, eax
.text:00440A95 mov dword ptr [ebp+var_1C4], ecx
.text:00440A9B fmulp st(1), st
.text:00440A9D mov dword ptr [ebp+var_1C4+4], eax
.text:00440AA3 fild [ebp+var_1C4]
.text:00440AA9 faddp st(1), st
.text:00440AAB call @_ftol$qv ; _ftol(void)
.text:00440AB0 mov [ebp+var_C0], eax
.text:00440AB6 dec esi
.text:00440AB7 add ebx, 0FFFFFFFCh
.text:00440ABA test esi, esi
.text:00440ABC jge short loc_440A56
.text:00440ABE
.text:00440ABE loc_440ABE: ; CODE XREF: _TForm1_SpeedButton1Click+D58j
.text:00440ABE mov edx, [ebp+var_C0]
.text:00440AC4 lea ecx, [ebp+var_10]
.text:00440AC7 push edx
.text:00440AC8 push offset off_505456
.text:00440ACD push ecx
.text:00440ACE call @System@WideString@printf$qpxbe ; System::WideString::printf(wchar_t *,...)
.text:00440AD3 add esp, 0Ch
.text:00440AD6 lea edx, [ebp+var_10]
.text:00440AD9 lea eax, [ebp+var_C] ******结果连接在这里
.text:00440ADC call @System@AnsiString@$brplu$qqrrx17System@AnsiString ; System::AnsiString::operator+=(System::AnsiString &)
=========================================================上面这段逆向如下:
/* Group 5 of the registration code: C form of the disassembly above
 * (ending at 00440ADC). There is no separator search any more -- whatever
 * is left of the string is the group, so a code has at most five groups.
 * Names follow the binary: code[] = this group's characters, icode[] =
 * their 0-based positions in the alphabet var_4, var_c = the decimal text
 * being assembled for all groups. Transcription slips are flagged inline. */
memset(code,0,20);
memset(icode,0,80);
if(rcode[0] == 0)codelen = 0;
else codelen = strlen(rcode);
codelen ++; // same convention as the earlier groups: length plus one, as if a '-' followed
if(codelen > 0)
strncpy(code,rcode,codelen - 1); // copy the group (SubString(1, codelen-1) in the binary)
strcpy(rcode,rcode+codelen); // drop the group (Delete(1, codelen)); NOTE(review): src and dst overlap, and with codelen == 1 on an empty string this reads past the terminator -- use memmove with a clamped length if you compile this
if(codelen > 1)
{
i = 1;
do{
p = strchr(var_4,code[i-1]); // NOTE(review): VCL Pos() returns 0 for a character not in the table, so the binary stores -1 below; strchr() returns NULL instead
icode[i-1] = p - var_4; // 0-based alphabet index (Pos() result minus 1, the dec eax at 004409D3)
i ++;
}while(codelen > i);
}
codesum = 0;
while(icode[0] == 0x3b) // 0x3b == 59 == 'z', the last alphabet entry: a leading 'z' is a placeholder digit
{
strcat(var_c,'0'); // NOTE(review): must be the string "0" -- the binary appends a one-character AnsiString built from 0x30
i =0;
do{
icode[i] = icode[i+1]; // shift the table down one entry (19 moves; entry 19 is left in place)
i++;
}while(i < 19);
codelen --;
}
codelen -= 2; // index of the last digit (codelen counted the virtual separator)
if(codelen >= 0)
{
do{
x1 = pow(59.0,codelen) * icode1[codelen]; // NOTE(review): icode1 is a slip for icode. Digit k weighs 59^k, so the FIRST character is the least significant digit
x1 = x1 + codesum;
codesum = _ftol(x1); // only eax (a dword) is stored at 00440AB0, so the value is kept in 32 bits and long groups overflow
codelen --;
}while(codelen >= 0);
}
sprintf(tmp,"%ld",codesum); // the group's value as decimal text ...
strcat(var_c,tmp); // ... appended to the string later fed to the RSA step
=========================================================
.text:00440AE1 cmp [ebp+var_C], 0 ******要处理的串是否为空
.text:00440AE5 jz short loc_440AEC
.text:00440AE7 mov ecx, [ebp+var_C]
.text:00440AEA jmp short loc_440AF1
.text:00440AEC ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00440AEC
.text:00440AEC loc_440AEC: ; CODE XREF: _TForm1_SpeedButton1Click+DE9j
.text:00440AEC mov ecx, offset unk_50545A
.text:00440AF1
.text:00440AF1 loc_440AF1: ; CODE XREF: _TForm1_SpeedButton1Click+DEEj
.text:00440AF1 mov edi, ecx *******在这里
.text:00440AF3 xor eax, eax
.text:00440AF5 or ecx, 0FFFFFFFFh
.text:00440AF8 lea esi, [ebp+var_14C] ****** 移到 var_14c
.text:00440AFE repne scasb
.text:00440B00 not ecx
.text:00440B02 sub edi, ecx
.text:00440B04 mov edx, ecx
.text:00440B06 xchg esi, edi
.text:00440B08 shr ecx, 2
.text:00440B0B mov eax, edi
.text:00440B0D rep movsd
.text:00440B0F mov ecx, edx
.text:00440B11 and ecx, 3
.text:00440B14 rep movsb
=========================================================下面这段与注册码校验无关,可以跳过:它把窗体对象偏移 2161h 处的注册标志字节清 0,再用 sub_4CD910(像是随机数函数,这里无法确认)的返回值 mod 32h 往偏移 0A46h 起填 5 个字节
.text:00440B16 mov eax, dword_50AAB4
.text:00440B1B mov edx, [eax]
.text:00440B1D mov byte ptr [edx+2161h], 0
.text:00440B24 mov [ebp+var_94], 8
.text:00440B2D xor ebx, ebx
.text:00440B2F
.text:00440B2F loc_440B2F: ; CODE XREF: _TForm1_SpeedButton1Click+E61j
.text:00440B2F call sub_4CD910
.text:00440B34 cdq
.text:00440B35 mov ecx, 32h
.text:00440B3A idiv ecx
.text:00440B3C lea eax, [ebx+ebx*4]
.text:00440B3F mov ecx, dword_50AAB4
.text:00440B45 lea eax, [ebx+eax*2]
.text:00440B48 mov ecx, [ecx]
.text:00440B4A shl eax, 3
.text:00440B4D sub eax, ebx
.text:00440B4F lea eax, [ebx+eax*4]
.text:00440B52 mov [ecx+eax*4+0A46h], dl
.text:00440B59 inc ebx
.text:00440B5A cmp ebx, 5
.text:00440B5D jl short loc_440B2F
=========================================================
.text:00440B5F xor eax, eax
.text:00440B61 xor edx, edx
.text:00440B63 mov [ebp+var_C4], eax
.text:00440B69 xor eax, eax
.text:00440B6B mov [ebp+var_94], 8
.text:00440B74 mov [ebp+var_C8], edx
.text:00440B7A xor edx, edx
.text:00440B7C mov [ebp+var_CC], eax
.text:00440B82 mov [ebp+var_D0], edx
.text:00440B88 xor ecx, ecx
.text:00440B8A lea eax, [ebp+var_C8]
.text:00440B90 mov [ebp+var_D4], ecx
.text:00440B96 push eax ; int
.text:00440B97 push offset a504337c07ebd_0 ; buffer
.text:00440B9C call zshread *********读入E
.text:00440BA1 add esp, 8
.text:00440BA4 lea edx, [ebp+var_CC]
.text:00440BAA push edx
.text:00440BAB lea ecx, [ebp+var_14C]
.text:00440BB1 push ecx
.text:00440BB2 call zsread *********读入数据
.text:00440BB7 add esp, 8
.text:00440BBA lea eax, [ebp+var_C4]
.text:00440BC0 push eax ; int
.text:00440BC1 push offset a1f3662faa8e2_0 ; buffer
.text:00440BC6 call zshread *********读入N
.text:00440BCB add esp, 8
.text:00440BCE lea edx, [ebp+var_D4]
.text:00440BD4 push edx
.text:00440BD5 mov ecx, [ebp+var_C4]
.text:00440BDB push ecx
.text:00440BDC mov eax, [ebp+var_C8]
.text:00440BE2 push eax
.text:00440BE3 mov edx, [ebp+var_CC]
.text:00440BE9 push edx
.text:00440BEA call zexpmod **********RSA解密
.text:00440BEF add esp, 10h
.text:00440BF2 lea ecx, [ebp+var_D0]
.text:00440BF8 push ecx ; int
.text:00440BF9 lea eax, [ebp+buffer]
.text:00440BFF push eax ; buffer
.text:00440C00 call zshread ***********读入用户名变换后的数据
.text:00440C05 add esp, 8
.text:00440C08 mov edx, [ebp+var_D4]
.text:00440C0E push edx
.text:00440C0F mov ecx, [ebp+var_D0]
.text:00440C15 push ecx
.text:00440C16 call sub_43C80C ************比较
.text:00440C1B add esp, 8
.text:00440C1E test eax, eax
.text:00440C20 jz short loc_440C30 ************相等则继续处理
.text:00440C22 mov [ebp+var_94], 8
.text:00440C2B jmp loc_440CF2
.text:00440C30 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00440C30
.text:00440C30 loc_440C30: ; CODE XREF: _TForm1_SpeedButton1Click+F24j
=========================================================下面这段不用理会:只是把局部变量 s 和 var_14D+1 这两个字符串复制到窗体对象偏移 2111h 和 212Ah 处,对比较结果没有影响
.text:00440C30 mov eax, dword_50AAB4
.text:00440C35 lea edi, [ebp+s]
.text:00440C3B mov edx, [eax]
.text:00440C3D xor eax, eax
.text:00440C3F add edx, 2111h
.text:00440C45 or ecx, 0FFFFFFFFh
.text:00440C48 repne scasb
.text:00440C4A not ecx
.text:00440C4C sub edi, ecx
.text:00440C4E mov esi, edx
.text:00440C50 xchg esi, edi
.text:00440C52 mov edx, ecx
.text:00440C54 mov eax, edi
.text:00440C56 shr ecx, 2
.text:00440C59 rep movsd
.text:00440C5B mov ecx, edx
.text:00440C5D and ecx, 3
.text:00440C60 rep movsb
.text:00440C62 mov eax, dword_50AAB4
.text:00440C67 lea edi, [ebp+var_14D+1]
.text:00440C6D mov edx, [eax]
.text:00440C6F xor eax, eax
.text:00440C71 add edx, 212Ah
.text:00440C77 or ecx, 0FFFFFFFFh
.text:00440C7A repne scasb
.text:00440C7C not ecx
.text:00440C7E sub edi, ecx
.text:00440C80 mov esi, edx
.text:00440C82 xchg esi, edi
.text:00440C84 mov edx, ecx
.text:00440C86 mov eax, edi
.text:00440C88 shr ecx, 2
.text:00440C8B rep movsd
.text:00440C8D mov ecx, edx
.text:00440C8F and ecx, 3
.text:00440C92 rep movsb
========================================================
.text:00440C94 mov eax, [ebp+var_D4]
.text:00440C9A push eax
.text:00440C9B mov edx, [ebp+var_D0]
.text:00440CA1 push edx
.text:00440CA2 call sub_43C80C ****************这里再比较一次(不放心? @##$$% ^_^)
.text:00440CA7 add esp, 8
=========================================================下面这段是第二次比较相等后的收尾,校验本身到上面就结束了:把窗体对象偏移 2161h 处的注册标志字节置 1,再用 sub_4CD910 返回值 mod 32h 加 65h('e') 往偏移 0A46h 起填 3 个字节
.text:00440CAA test eax, eax
.text:00440CAC jnz short loc_440CF2
.text:00440CAE mov ecx, dword_50AAB4
.text:00440CB4 mov eax, [ecx]
.text:00440CB6 mov byte ptr [eax+2161h], 1
.text:00440CBD xor ebx, ebx
.text:00440CBF
.text:00440CBF loc_440CBF: ; CODE XREF: _TForm1_SpeedButton1Click+FF4j
.text:00440CBF call sub_4CD910
.text:00440CC4 cdq
.text:00440CC5 mov ecx, 32h
.text:00440CCA idiv ecx
.text:00440CCC lea eax, [ebx+ebx*4]
.text:00440CCF add dl, 65h
.text:00440CD2 mov ecx, dword_50AAB4
.text:00440CD8 lea eax, [ebx+eax*2]
.text:00440CDB shl eax, 3
.text:00440CDE sub eax, ebx
.text:00440CE0 mov ecx, [ecx]
.text:00440CE2 lea eax, [ebx+eax*4]
.text:00440CE5 mov [ecx+eax*4+0A46h], dl
.text:00440CEC inc ebx
.text:00440CED cmp ebx, 3
.text:00440CF0 jl short loc_440CBF
=========================================================
.text:00440CF2
.text:00440CF2 loc_440CF2: ; CODE XREF: _TForm1_SpeedButton1Click+F2Fj
.text:00440CF2 ; _TForm1_SpeedButton1Click+FB0j
.text:00440CF2 mov [ebp+var_94], 188h
.text:00440CFB mov edx, offset aPVSgb ; "关闭程序重新启动完成注册!"
.text:00440D00 lea eax, [ebp+var_80]
.text:00440D03 call tostring
.text:00440D08 inc [ebp+var_88]
.text:00440D0E mov eax, [eax]
.text:00440D10 call @Dialogs@ShowMessage$qqrx17System@AnsiString ; Dialogs::ShowMessage(System::AnsiString)
.text:00440D15 dec [ebp+var_88]
.text:00440D1B lea eax, [ebp+var_80]
.text:00440D1E mov edx, 2
.text:00440D23 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440D28 mov ecx, dword_50AAB4
.text:00440D2E mov eax, [ecx]
.text:00440D30 call @Forms@TCustomForm@Close$qqrv ; Forms::TCustomForm::Close(void)
.text:00440D35 dec [ebp+var_88]
.text:00440D3B lea eax, [ebp+var_28]
.text:00440D3E mov edx, 2
.text:00440D43 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440D48 dec [ebp+var_88]
.text:00440D4E lea eax, [ebp+var_24]
.text:00440D51 mov edx, 2
.text:00440D56 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440D5B dec [ebp+var_88]
.text:00440D61 lea eax, [ebp+var_20]
.text:00440D64 mov edx, 2
.text:00440D69 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440D6E dec [ebp+var_88]
.text:00440D74 lea eax, [ebp+var_1C]
.text:00440D77 mov edx, 2
.text:00440D7C call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440D81 dec [ebp+var_88]
.text:00440D87 lea eax, [ebp+var_18]
.text:00440D8A mov edx, 2
.text:00440D8F call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440D94 dec [ebp+var_88]
.text:00440D9A lea eax, [ebp+var_14]
.text:00440D9D mov edx, 2
.text:00440DA2 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440DA7 dec [ebp+var_88]
.text:00440DAD lea eax, [ebp+var_10]
.text:00440DB0 mov edx, 2
.text:00440DB5 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440DBA dec [ebp+var_88]
.text:00440DC0 lea eax, [ebp+var_C]
.text:00440DC3 mov edx, 2
.text:00440DC8 call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440DCD dec [ebp+var_88]
.text:00440DD3 lea eax, [ebp+rcode]
.text:00440DD6 mov edx, 2
.text:00440DDB call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440DE0 dec [ebp+var_88]
.text:00440DE6 lea eax, [ebp+var_4]
.text:00440DE9 mov edx, 2
.text:00440DEE call @System@AnsiString@$bdtr$qqrv ; System::AnsiString::~AnsiString(void)
.text:00440DF3 mov ecx, [ebp+var_A4]
.text:00440DF9 mov large fs:0, ecx
.text:00440E00 pop edi
.text:00440E01 pop esi
.text:00440E02 pop ebx
.text:00440E03 mov esp, ebp
.text:00440E05 pop ebp
.text:00440E06 retn
.text:00440E06 _TForm1_SpeedButton1Click endp
////////////////////////////////////////////////////////////////////////////////////////////
整理一下,那个注册按钮的逆向如下。先说两点。一是强度:N 只有 36 个十六进制位(约 141 bit),E 是程序拿来验证的公钥指数,所以注册码实际上就是对用户名变换值做的 RSA 签名;这么小的模数远低于任何可接受的 RSA 密钥长度,用现成的整数分解工具就能分解出私钥,这才是该方案真正的薄弱点,外面那层 59 进制编码只是编码,不提供安全性。二是下面这份 C 代码有几处笔误要注意:strcat 的第二个参数应是字符串 "0" 而不是字符 '0'(程序里是把一个由 0x30 构造的 AnsiString 接上去),icode1 应为 icode,varylong 应为 verylong(freelip 的类型名),strcpy(rcode,rcode+codelen) 源和目的重叠、编译时应改用 memmove:
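/*
 * Consolidated reconstruction of TForm1::SpeedButton1Click (the "register"
 * button handler), tidied into one function plus three helpers. Local names
 * (var_4, var_c, var_10, var_14c, buffer, rcode, code, icode) are kept from
 * the disassembly so the two can be read side by side.
 *
 * Inputs: username - text of the name edit box
 *         regcode  - text of the registration-code edit box, up to five
 *                    groups separated by '-'
 *
 * Flow:
 *   1. name    -> 32-bit sum -> decimal text in var_10 / buffer
 *   2. regcode -> five groups, each read as a base-59 number (alphabet
 *                 var_4, FIRST character least significant, leading 'z'
 *                 = literal "0") -> decimal texts concatenated in var_c
 *   3. freelip: d = var_c ^ E mod N; registered iff d equals the value
 *               read from buffer
 *
 * Security notes (for assessing the scheme, not just the code):
 *   - N is 36 hex digits (about 141 bits) and E is the exponent the program
 *     verifies with, so a registration code is effectively an RSA signature
 *     over the name value. A modulus this small is far below any accepted
 *     RSA size and is within reach of freely available factoring tools; the
 *     private exponent, and with it a key generator, follows from the
 *     factors. The base-59 alphabet and the name sum are encoding, not
 *     security.
 *   - The binary's per-group lookup loop writes one dword per character into
 *     a 20-entry table with no visible bound, so a group longer than 20
 *     characters overruns the stack frame. This reconstruction clamps to
 *     GROUP_MAX; whether the edit control limits the length is not visible.
 *   - Only the compare result gates the registered flag, a single byte.
 *
 * Transcription fixes versus the original listing: strcat() takes "0", not
 * the char '0' (the binary appends an AnsiString built from 0x30); icode1 ->
 * icode; varylong -> verylong (freelip's type); the overlapping strcpy used
 * to drop a group is a memmove with a clamped length; a character outside
 * the alphabet yields -1 (VCL Pos() returns 0 and the binary subtracts 1)
 * instead of a NULL dereference; _ftol() is written as the (long) cast it
 * stands for; every local the code uses is declared.
 */
char N[] = "1F3662FAA8E266F962E0F02439186AC00561";
char E[] = "504337C07EBD946C1CB";
/* 60-character alphabet. 'l' and 'o' are absent from the lowercase run, so
 * 'z' is entry 59 (0x3b), the last one; a digit's value is its 0-based index. */
char var_4[] = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz";

/* freelip (LIP) entry points as the binary names them. zshread is the reader
 * used for the hex constants (freelip's own header spells it zhsread -- check
 * the library you link); zsread reads decimal; zexpmod(a, e, n, &r) computes
 * r = a^e mod n; zcompare returns 0 when equal. A verylong must be 0 before
 * its first use so the library allocates it. */
typedef long *verylong;
extern void zshread(char *str, verylong *a);
extern void zsread(char *str, verylong *a);
extern void zexpmod(verylong a, verylong e, verylong n, verylong *r);
extern long zcompare(verylong a, verylong b);

#define GROUP_MAX 20   /* entries in the binary's icode table (var_1B0..var_160) */

/* Step 1: strip blanks from the name and fold it into the 32-bit sum the
 * binary compares against. Writes the decimal text into out (>= 20 bytes). */
static void name_value(const char *username, char *out)
{
    char name[20];
    int i;
    int sum;

    memset(name,0,20);
    /* NOTE(review): the listing used an unbounded strcpy into name[20]; the
       sum below only reads name[0..19], so longer names are cut here. Confirm
       against the binary's own copy if names of 20+ bytes matter. */
    strncpy(name,username,19);

    /* drop leading blanks (name[19] is not re-cleared by the shift, as in the
       listing; an all-blank name never leaves this loop -- the binary's own
       handling of that case is not in this excerpt) */
    while(name[0]==' ')
    {
        for(i=1;i<20;i++)
            name[i-1] = name[i];
    }
    /* drop trailing blanks */
    i = 19;
    do{
        if(name[i] != ' ')
        {
            if(name[i] != 0)break;
        }
        name[i] = 0;
        i--;
    }while(i >= 0);

    /* NOTE(review): name[i] is a plain char. For bytes >= 0x80 (GBK names)
       the sign depends on how the binary loads the byte (movsx vs movzx),
       which is outside this excerpt -- verify before relying on it. */
    sum = 0;
    for(i=0;i<20;i++)
        sum += name[i]*(name[i]+1)*(i+1);
    sum += 0x5ba0;
    /* two specific sums are nudged; the reason is not visible here */
    if(sum == 0x5c25c)sum += 0x78;
    else if(sum == 0x8c5bc)sum += 0x64;
    sprintf(out,"%ld",(long)sum);
}

/* Cut the next group off the front of rcode into code[] (codelen-1
 * characters, clamped to GROUP_MAX) and remove codelen characters from
 * rcode, as AnsiString::SubString(1, codelen-1) / Delete(1, codelen) do in
 * the binary. Delete() past the end just empties the string. */
static void cut_group(char *rcode, char *code, int codelen)
{
    size_t left = strlen(rcode);
    size_t take;

    memset(code,0,GROUP_MAX + 1);
    if(codelen > 1)
    {
        take = (size_t)(codelen - 1);
        if(take > GROUP_MAX) take = GROUP_MAX;   /* the binary does not clamp */
        if(take > left) take = left;
        memcpy(code,rcode,take);
    }
    if(codelen > 0)
    {
        take = (size_t)codelen;
        if(take > left) take = left;
        memmove(rcode,rcode + take,left - take + 1);
    }
}

/* Decode one group: look every character up in var_4 (0-based index, -1 if
 * absent), turn leading 'z' digits into literal "0"s when strip_z is set,
 * then read what is left as a base-59 number with the FIRST character as the
 * least significant digit and append it to var_c in decimal. strip_z is 0
 * for the first group, whose unrolled copy in the listing has no 'z' loop. */
static void append_group(const char *code, int codelen, int strip_z, char *var_c)
{
    int icode[GROUP_MAX];
    int i;
    int n;
    const char *p;
    double x1;
    long codesum;
    char tmp[24];

    memset(icode,0,sizeof icode);
    n = codelen - 1;
    if(n > GROUP_MAX) n = GROUP_MAX;   /* see the overrun note in the header */
    for(i = 0; i < n; i++)
    {
        p = strchr(var_4,code[i]);
        icode[i] = (p != NULL) ? (int)(p - var_4) : -1;
    }

    codesum = 0;
    if(strip_z)
    {
        /* 0x3b == 59 == 'z', the last alphabet entry: a leading 'z' stands
           for a literal "0" in the decimal text and is dropped from the digits */
        while(icode[0] == 0x3b)
        {
            strcat(var_c,"0");
            for(i = 0; i < GROUP_MAX - 1; i++)
                icode[i] = icode[i+1];
            /* the binary leaves entry 19 in place, which never terminates on
               twenty 'z's; clearing it is the only deviation here */
            icode[GROUP_MAX - 1] = 0;
            codelen --;
        }
    }

    /* codelen counted the separator, so codelen-2 is the last digit's index;
       digit k is weighted 59^k, i.e. the group is little-endian in base 59 */
    i = codelen - 2;
    if(i > GROUP_MAX - 1) i = GROUP_MAX - 1;
    while(i >= 0)
    {
        x1 = pow(59.0,i) * icode[i];
        x1 = x1 + codesum;
        /* _ftol in the binary; only a dword is stored, so the value lives in
           32 bits and groups of six or more characters (59^6 > 2^31) overflow */
        codesum = (long)x1;
        i --;
    }
    sprintf(tmp,"%ld",codesum);
    strcat(var_c,tmp);
}

/* Entry point: the button handler. username and regcode are the two edit
 * boxes; the binary reads them into AnsiStrings before the code shown in
 * the listing (outside this excerpt). */
void TForm1_SpeedButton1Click(const char *username, const char *regcode)
{
    char var_c[100];        /* decimal text of all groups */
    char var_10[20];        /* decimal text of the name sum */
    char buffer[20];        /* copy of var_10, fed to zshread */
    char var_14c[100];      /* copy of var_c, fed to zsread (as the binary does) */
    char rcode[100];
    char code[GROUP_MAX + 1];
    char *p;
    int codelen;
    int i, len;
    verylong a = 0, b = 0, c = 0, d = 0, e = 0;
    char szT[] = "关闭程序重新启动完成注册!";
    char szC[] = "楚汉棋缘 v1.43";

    memset(var_c,0,100);
    name_value(username,var_10);
    memset(buffer,0,20);
    memset(var_14c,0,100);
    strcpy(buffer,var_10);

    /* registration code: drop leading blanks */
    memset(rcode,0,sizeof rcode);
    strncpy(rcode,regcode,sizeof rcode - 1);
    while(rcode[0] == ' ')
    {
        len = (int)strlen(rcode);
        for(i = 1; i < len; i++)
            rcode[i-1] = rcode[i];
        rcode[len-1] = 0;
    }

    /* group 1: up to the first '-' (empty if there is none); no 'z' loop */
    p = strchr(rcode,'-');
    codelen = (p == NULL) ? 0 : (int)(p - rcode) + 1;
    cut_group(rcode,code,codelen);
    append_group(code,codelen,0,var_c);

    /* group 2: same cut rule, with the 'z' loop */
    p = strchr(rcode,'-');
    codelen = (p == NULL) ? 0 : (int)(p - rcode) + 1;
    cut_group(rcode,code,codelen);
    append_group(code,codelen,1,var_c);

    /* groups 3 and 4: when no '-' is left the rest of the string is the
       group, so a code may stop after three or four groups */
    p = strchr(rcode,'-');
    codelen = (p == NULL) ? (int)strlen(rcode) + 1 : (int)(p - rcode) + 1;
    cut_group(rcode,code,codelen);
    append_group(code,codelen,1,var_c);

    p = strchr(rcode,'-');
    codelen = (p == NULL) ? (int)strlen(rcode) + 1 : (int)(p - rcode) + 1;
    cut_group(rcode,code,codelen);
    append_group(code,codelen,1,var_c);

    /* group 5: whatever is left, no separator search */
    codelen = (int)strlen(rcode) + 1;
    cut_group(rcode,code,codelen);
    append_group(code,codelen,1,var_c);

    /* step 3: the RSA check. Note the asymmetry kept from the binary: var_c
       is parsed with zsread, while buffer (also decimal digits) goes through
       zshread, the reader used for the hex constants -- keep it when writing
       a key generator, and confirm which reader the binary's zshread is. */
    strcpy(var_14c,var_c);
    zshread(E,&a);
    zsread(var_14c,&b);
    zshread(N,&c);
    zexpmod(b,a,c,&d);      /* d = code ^ E mod N */
    zshread(buffer,&e);
    if(zcompare(d,e) == 0)
    {
        /* registered: the binary repeats the compare once more, then sets a
           flag byte in the form object to 1 and writes three filler bytes */
    }
    /* both paths: the message box, then the form is closed */
#ifdef _WIN32
    MessageBox(0,szT,szC,MB_OK);
#else
    (void)szC;
    puts(szT);
#endif
}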
////////////////////////////////////////////////////////////////////////////////////////////
[完]