[Original] Ashampoo Burning Studio v9.21 Algorithm Analysis by: 樊盟 2010.2.7
Posted: 2010-2-7 14:31
Ashampoo Burning Studio v9.21
Download: http://www.crsky.com/soft/4449.html
About the software:
A CD/DVD burning tool. Features include:
* create MP3 CDs/DVDs
* burn movies to DVD/VCD/SVCD
* create and burn CD/DVD image files
* save and load project files
* erase CD-RW/DVD+RW/DVD-RW
* add files by drag and drop from Explorer
* supports 255-character DVD file names and 64-character CD file names
* sets the burn speed and other options automatically
* burns WAV, MP3, FLAC, WMA and Ogg Vorbis files to audio CD directly, without any plug-ins
* copies all kinds of CDs/DVDs conveniently
* over 1500 CD and DVD burners supported
* and more.
Enter arbitrary registration info and click "Register"; an error box pops up: "请输入有效的密钥" (Please enter a valid key).
Use the F12 pause method and trace back to find the program's key point:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0047DF6B > $ E8 FA730000      call 0048536A                    ; // after loading the program it stops here!
0047DF70 .^ E9 17FEFFFF      jmp 0047DD8C
0047DF75 /$ 55               push ebp
0047DF76 |. 8BEC             mov ebp, esp
0047DF78 |. 56               push esi
0047DF79 |. 8B75 14          mov esi, dword ptr [ebp+14]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Press F9 to run, enter the trial registration info 123456789012345678901234567890 and click Register; the error box pops up. Do not click OK yet: press F12, then Alt+K:
调用堆栈: 主线程
地址     堆栈     函数过程 / 参数                      调用来自              结构
00F3D200 77D19418 包含ntdll.KiFastSystemCallRet       USER32.77D19416       00F3D234
00F3D204 77D2770A USER32.WaitMessage                  USER32.77D27705       00F3D234
00F3D238 77D249C4 USER32.77D2757B                     USER32.77D249BF       00F3D234
00F3D260 77D3A956 USER32.77D2490E                     USER32.77D3A951       00F3D25C
00F3D520 77D3A2BC USER32.SoftModalMessageBox          USER32.77D3A2B7       00F3D51C
00F3D670 77D663FD USER32.77D3A147                     USER32.77D663F8       00F3D66C
00F3D6C8 77D50853 USER32.MessageBoxTimeoutW           USER32.77D5084E       00F3D6C4
00F3D6E8 77D66579 USER32.MessageBoxExW                USER32.77D66574       00F3D6E4
00F3D6EC 00BB057A hOwner = 00BB057A ('注册 Ashampoo
00F3D6F0 01C96CF8 Text = "请输入有效的密钥"
00F3D6F4 01BD4C98 Title = "Ashampoo Burning Studio 9
00F3D6F8 00000030 Style = MB_OK|MB_ICONEXCLAMATION|M
00F3D6FC 00000000 LanguageID = 0 (LANG_NEUTRAL)
00F3D704 004640A9 USER32.MessageBoxW                  burnings.004640A3     00F3D700   // double-click to follow!
00F3D708 00BB057A hOwner = 00BB057A ('注册 Ashampoo
00F3D70C 01C96CF8 Text = "请输入有效的密钥"
00F3D710 01BD4C98 Title = "Ashampoo Burning Studio 9
00F3D714 00000030 Style = MB_OK|MB_ICONEXCLAMATION|M
00F3D750 004642F3 ? burnings.00464061                 burnings.004642EE     00F3D74C
00F3D994 00464377 ? burnings.004641D7                 burnings.00464372     00F3D7F0
00F3D9A8 00440BD0 burnings.00464334                   burnings.00440BCB     00F3D9CC
00F3D9C0 00465FA6 包含burnings.00440BD0               burnings.00465FA3     00F3D9CC
00F3D9D0 004661B3 burnings.00465F63                   burnings.004661AE     00F3D9CC
00F3DA00 0046519C burnings.0046609B                   burnings.00465197     00F3D9FC
00F3DA24 0046BD45 burnings.00465181                   burnings.0046BD42     00F3DA20
00F3DA74 0046C74C 可能 burnings.0046BCB5              burnings.0046C746     00F3DA70
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00464061 /$ 6A 14            push 14                          ; // set a breakpoint here, run, and click Register again
00464063 |. 68 384D4E00      push 004E4D38                    ; // once it breaks, look at the stack hint
00464068 |. E8 E7DD0100      call 00481E54
0046406D |. 33DB             xor ebx, ebx
0046406F |. 895D E0          mov dword ptr [ebp-20], ebx
00464072 |. 8D45 E0          lea eax, dword ptr [ebp-20]
00464075 |. 50               push eax
00464076 |. E8 EFE5FFFF      call 0046266A
0046407B |. FFB0 80000000    push dword ptr [eax+80]
00464081 |. E8 E3DDFFFF      call 00461E69
00464086 |. 8945 DC          mov dword ptr [ebp-24], eax
00464089 |. 895D E4          mov dword ptr [ebp-1C], ebx
0046408C |. 3BC3             cmp eax, ebx
0046408E |. 75 04            jnz short 00464094
00464090 |. 33C0             xor eax, eax
00464092 |. EB 27            jmp short 004640BB
00464094 |> 895D FC          mov dword ptr [ebp-4], ebx
00464097 |. FF75 14          push dword ptr [ebp+14]          ; /Style
0046409A |. FF75 10          push dword ptr [ebp+10]          ; |Title
0046409D |. FF75 0C          push dword ptr [ebp+C]           ; |Text
004640A0 |. FF75 08          push dword ptr [ebp+8]           ; |hOwner
004640A3 |. FF15 80854B00    call dword ptr [<&USER32.MessageB> ; \MessageBoxW
004640A9 |. 8945 E4          mov dword ptr [ebp-1C], eax      ; // followed to here
004640AC |. C745 FC FEFFF>   mov dword ptr [ebp-4], -2
004640B3 |. E8 0B000000      call 004640C3
004640B8 |. 8B45 E4          mov eax, dword ptr [ebp-1C]
004640BB |> E8 D9DD0100      call 00481E99
004640C0 \. C3               retn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stack hint:
00F3D750 004642F3 返回到 burnings.004642F3 来自 burnings.00464061   // remove the breakpoint, right-click this line and choose Follow in Disassembler!
00F3D754 00BB057A
00F3D758 01C96CF8
00F3D75C 01BD4C98 UNICODE "Ashampoo Burning Studio 9"
00F3D760 00000030
00F3D764 00F3E2C0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
004641D7 /$ 55               push ebp                         ; // set a breakpoint here, run, and click Register again
004641D8 |. 8DAC24 60FEFF>   lea ebp, dword ptr [esp-1A0]     ; // once it breaks, look at the stack hint
004641DF |. 81EC 20020000    sub esp, 220
004641E5 |. A1 442D4F00      mov eax, dword ptr [4F2D44]
004641EA |. 33C5             xor eax, ebp
…………………………………………………………………………………………………………
004642E8 |. FF75 80          push dword ptr [ebp-80]
004642EB |. FF75 84          push dword ptr [ebp-7C]
004642EE |. E8 6EFDFFFF      call 00464061
004642F3 |. 83C4 10          add esp, 10                      ; // followed to here
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stack hint:
00F3D994 00464377 返回到 burnings.00464377 来自 burnings.004641D7   // remove the breakpoint, right-click this line and choose Follow in Disassembler!
00F3D998 004F6668 burnings.004F6668
00F3D99C 01C96CF8
00F3D9A0 00000030
00F3D9A4 00000000
00F3D9A8 00440BD0 返回到 burnings.00440BD0 来自 burnings.00464334
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00464365 .  FF7424 0C        push dword ptr [esp+C]           ; // set a breakpoint here, run, and click Register again
00464369 .  FF7424 0C        push dword ptr [esp+C]           ; // once it breaks, look at the stack hint
0046436D .  FF7424 0C        push dword ptr [esp+C]
00464371 .  51               push ecx
00464372 .  E8 60FEFFFF      call 004641D7
00464377 .  83C4 10          add esp, 10                      ; // followed to here
0046437A .  C2 0C00          retn 0C
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stack hint:
00F3D9A8 00440BD0 返回到 burnings.00440BD0 来自 burnings.00464334   // remove the breakpoint, right-click this line and choose Follow in Disassembler!
00F3D9AC 01C96CF8
00F3D9B0 00000030
00F3D9B4 00000000
00F3D9B8 00F3E150
00F3D9BC 004C9B34 burnings.004C9B34
00F3D9C0 00465FA6 返回到 burnings.00465FA6
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00440B90 .  56               push esi                         ; // traced back to here; the analysis starts from this point
00440B91 .  57               push edi
00440B92 .  6A 01            push 1
00440B94 .  8BF1             mov esi, ecx
00440B96 .  E8 3B990200      call 0046A4D6
00440B9B .  E8 CA1A0200      call 0046266A
00440BA0 .  8B40 04          mov eax, dword ptr [eax+4]
00440BA3 .  6A 00            push 0
00440BA5 .  8DBE 70010000    lea edi, dword ptr [esi+170]
00440BAB .  57               push edi
00440BAC .  8BC8             mov ecx, eax
00440BAE .  E8 6DDAFFFF      call 0043E620                    ; // key CALL!!!
00440BB3 .  84C0             test al, al
00440BB5 .  75 1C            jnz short 00440BD3               ; // key jump!!!
00440BB7 .  6A 00            push 0
00440BB9 .  6A 30            push 30
00440BBB .  68 C0634C00      push 004C63C0                    ; Please enter a valid code
00440BC0 .  68 88634C00      push 004C6388                    ; CRegisterDlg.EnterValidCode
00440BC5 .  E8 C6AAFFFF      call 0043B690
00440BCA .  50               push eax
00440BCB .  E8 64370200      call 00464334
00440BD0 .  5F               pop edi                          ; // followed to here
00440BD1 .  5E               pop esi
00440BD2 .  C3               retn
00440BD3 >  80BE 78010000>   cmp byte ptr [esi+178], 0
00440BDA .  74 30            je short 00440C0C
00440BDC .  E8 891A0200      call 0046266A
00440BE1 .  8B40 04          mov eax, dword ptr [eax+4]
00440BE4 .  57               push edi
00440BE5 .  8BC8             mov ecx, eax
00440BE7 .  E8 84DEFFFF      call 0043EA70
00440BEC .  84C0             test al, al
00440BEE .  75 1C            jnz short 00440C0C
00440BF0 .  6A 00            push 0
00440BF2 .  6A 30            push 30
00440BF4 .  68 48634C00      push 004C6348                    ; Full version key code required!
00440BF9 .  68 0C634C00      push 004C630C                    ; CRegisterDlg.CodeOk
00440BFE .  E8 8DAAFFFF      call 0043B690
00440C03 .  50               push eax
00440C04 .  E8 2B370200      call 00464334
00440C09 .  5F               pop edi
00440C0A .  5E               pop esi
00440C0B .  C3               retn
00440C0C >  6A 00            push 0
00440C0E .  6A 40            push 40
00440C10 .  68 C0624C00      push 004C62C0                    ; The key code was accepted. Thank you!
00440C15 .  68 94624C00      push 004C6294                    ; CRegisterDlg.CodeOk
00440C1A .  E8 71AAFFFF      call 0043B690
00440C1F .  50               push eax
00440C20 .  E8 0F370200      call 00464334
00440C25 .  5F               pop edi
00440C26 .  8BCE             mov ecx, esi
00440C28 .  5E               pop esi
00440C29 .  E9 4C440200      jmp 0046507A
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆ Step in and continue the analysis ☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0043E620 /$ 6A FF            push -1                          ; // after stepping in, keep tracing downward
0043E622 |. 68 A0DF4A00      push 004ADFA0
0043E627 |. 64:A1 0000000>   mov eax, dword ptr fs:[0]
0043E62D |. 50               push eax
0043E62E |. 83EC 1C          sub esp, 1C
0043E631 |. A1 442D4F00      mov eax, dword ptr [4F2D44]
0043E636 |. 33C4             xor eax, esp
0043E638 |. 894424 18        mov dword ptr [esp+18], eax
0043E63C |. 53               push ebx
0043E63D |. 55               push ebp
0043E63E |. 56               push esi
0043E63F |. 57               push edi
0043E640 |. A1 442D4F00      mov eax, dword ptr [4F2D44]
0043E645 |. 33C4             xor eax, esp
0043E647 |. 50               push eax
0043E648 |. 8D4424 30        lea eax, dword ptr [esp+30]
0043E64C |. 64:A3 0000000>   mov dword ptr fs:[0], eax
0043E652 |. 8B4424 40        mov eax, dword ptr [esp+40]
0043E656 |. 8B00             mov eax, dword ptr [eax]
0043E658 |. 8B5C24 44        mov ebx, dword ptr [esp+44]
0043E65C |. 83E8 10          sub eax, 10
0043E65F |. 50               push eax
0043E660 |. 8BE9             mov ebp, ecx
0043E662 |. E8 E935FCFF      call 00401C50
0043E667 |. 8D70 10          lea esi, dword ptr [eax+10]
0043E66A |. 83C4 04          add esp, 4
0043E66D |. 897424 18        mov dword ptr [esp+18], esi
0043E671 |. 83BD EC000000>   cmp dword ptr [ebp+EC], 1
0043E678 |. C74424 38 000>   mov dword ptr [esp+38], 0
0043E680 |. 0F85 4D020000    jnz 0043E8D3                     ; *** the section below also looks like a second algorithm, but I don't know how to keep this from jumping
……………………………………………………☆ unneeded code in between omitted ☆……………………………………………………
0043E976 |. E8 45080600      call 0049F1C0                    ; // algorithm CALL, step in and continue the analysis!
0043E97B |. 83C4 14          add esp, 14
0043E97E |. 84C0             test al, al
0043E980 |. 0F84 95000000    je 0043EA1B
0043E986 |> 56               push esi                         ; // 123456-890ABC-EFGHIJ
0043E987 |. E8 B7300200      call 00461A43
0043E98C |. 83C4 04          add esp, 4
0043E98F |. 8D4424 24        lea eax, dword ptr [esp+24]      ; // take the first four characters of the trial code: 1234
0043E993 |. 50               push eax
0043E994 |. 8D4C24 18        lea ecx, dword ptr [esp+18]
0043E998 |. 33F6             xor esi, esi
0043E99A |. E8 815DFCFF      call 00404720
0043E99F |. 8B4C24 14        mov ecx, dword ptr [esp+14]      ; // first four characters of the trial code: 1234
0043E9A3 |. 8BAD B4000000    mov ebp, dword ptr [ebp+B4]      ; // BRS9
0043E9A9 |. 51               push ecx
0043E9AA |. 55               push ebp
0043E9AB |. E8 9BF80300      call 0047E24B                    ; // string compare: the first four characters of the key must be BRS9
0043E9B0 |. 83C4 08          add esp, 8
0043E9B3 |. 85C0             test eax, eax
0043E9B5 |. 8B4424 14        mov eax, dword ptr [esp+14]
0043E9B9 |. 75 44            jnz short 0043E9FF               ; // conditional jump
0043E9BB |. 83C0 F0          add eax, -10
0043E9BE |. 8D50 0C          lea edx, dword ptr [eax+C]
0043E9C1 |. 83C9 FF          or ecx, FFFFFFFF
0043E9C4 |. F0:0FC10A        lock xadd dword ptr [edx], ecx
0043E9C8 |. 49               dec ecx
0043E9C9 |. 85C9             test ecx, ecx
0043E9CB |. 7F 0A            jg short 0043E9D7
0043E9CD |. 8B08             mov ecx, dword ptr [eax]
0043E9CF |. 8B11             mov edx, dword ptr [ecx]
0043E9D1 |. 50               push eax
0043E9D2 |. 8B42 04          mov eax, dword ptr [edx+4]
0043E9D5 |. FFD0             call eax
0043E9D7 |> 83C7 F0          add edi, -10                     ; BRS956-789032-CDE54H
0043E9DA |. C74424 38 FFF>   mov dword ptr [esp+38], -1
0043E9E2 |. 8D4F 0C          lea ecx, dword ptr [edi+C]
0043E9E5 |. 83CA FF          or edx, FFFFFFFF
0043E9E8 |. F0:0FC111        lock xadd dword ptr [ecx], edx
0043E9EC |. 4A               dec edx
0043E9ED |. 85D2             test edx, edx
0043E9EF |. 7F 0A            jg short 0043E9FB
0043E9F1 |. 8B0F             mov ecx, dword ptr [edi]
0043E9F3 |. 8B01             mov eax, dword ptr [ecx]
0043E9F5 |. 8B50 04          mov edx, dword ptr [eax+4]
0043E9F8 |. 57               push edi
0043E9F9 |. FFD2             call edx
0043E9FB |> B0 01            mov al, 1
0043E9FD |. EB 4B            jmp short 0043EA4A
0043E9FF |> 83C0 F0          add eax, -10
0043EA02 |. 8D48 0C          lea ecx, dword ptr [eax+C]
0043EA05 |. 83CA FF          or edx, FFFFFFFF
0043EA08 |. F0:0FC111        lock xadd dword ptr [ecx], edx
0043EA0C |. 4A               dec edx
0043EA0D |. 85D2             test edx, edx
0043EA0F |. 7F 0A            jg short 0043EA1B
0043EA11 |. 8B08             mov ecx, dword ptr [eax]
0043EA13 |. 8B11             mov edx, dword ptr [ecx]
0043EA15 |. 50               push eax
0043EA16 |. 8B42 04          mov eax, dword ptr [edx+4]
0043EA19 |. FFD0             call eax
0043EA1B |> 56               push esi
0043EA1C |. E8 22300200      call 00461A43
0043EA21 |. 83C7 F0          add edi, -10
0043EA24 |. 83C4 04          add esp, 4
0043EA27 |. C74424 38 FFF>   mov dword ptr [esp+38], -1
0043EA2F |. 8D4F 0C          lea ecx, dword ptr [edi+C]
0043EA32 |. 83CA FF          or edx, FFFFFFFF
0043EA35 |. F0:0FC111        lock xadd dword ptr [ecx], edx
0043EA39 |. 4A               dec edx
0043EA3A |. 85D2             test edx, edx
0043EA3C |. 7F 0A            jg short 0043EA48
0043EA3E |. 8B0F             mov ecx, dword ptr [edi]
0043EA40 |. 57               push edi
0043EA41 |> 8B01             mov eax, dword ptr [ecx]
0043EA43 |. 8B50 04          mov edx, dword ptr [eax+4]
0043EA46 |. FFD2             call edx
0043EA48 |> 32C0             xor al, al                       ; al cleared (return 0)
0043EA4A |> 8B4C24 30        mov ecx, dword ptr [esp+30]
0043EA4E |. 64:890D 00000>   mov dword ptr fs:[0], ecx
0043EA55 |. 59               pop ecx
0043EA56 |. 5F               pop edi
0043EA57 |. 5E               pop esi
0043EA58 |. 5D               pop ebp
0043EA59 |. 5B               pop ebx
0043EA5A |. 8B4C24 18        mov ecx, dword ptr [esp+18]
0043EA5E |. 33CC             xor ecx, esp
0043EA60 |. E8 E6F50300      call 0047E04B
0043EA65 |. 83C4 28          add esp, 28
0043EA68 \. C2 0800          retn 8
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆ Step in and continue the analysis ☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F1C0 /$ 83EC 58          sub esp, 58                      ; // after stepping in we land here; continue the analysis
0049F1C3 |. A1 442D4F00      mov eax, dword ptr [4F2D44]
0049F1C8 |. 33C4             xor eax, esp
0049F1CA |. 894424 54        mov dword ptr [esp+54], eax
0049F1CE |. 8B4424 64        mov eax, dword ptr [esp+64]
0049F1D2 |. 8B5424 6C        mov edx, dword ptr [esp+6C]
0049F1D6 |. 8B4C24 68        mov ecx, dword ptr [esp+68]
0049F1DA |. 53               push ebx
0049F1DB |. 56               push esi                         ; // trial code
0049F1DC |. 8B7424 64        mov esi, dword ptr [esp+64]
0049F1E0 |. 894424 14        mov dword ptr [esp+14], eax
0049F1E4 |. 8BC6             mov eax, esi
0049F1E6 |. 57               push edi
0049F1E7 |. 8B7C24 6C        mov edi, dword ptr [esp+6C]      ; // .$tf>wse453R754/&%!))8<>d9e12bb stored in edi
0049F1EB |. 895424 14        mov dword ptr [esp+14], edx
0049F1EF |. 894C24 1C        mov dword ptr [esp+1C], ecx
0049F1F3 |. 8D50 01          lea edx, dword ptr [eax+1]
0049F1F6 |. 33DB             xor ebx, ebx
0049F1F8 |> 8A08             /mov cl, byte ptr [eax]
0049F1FA |. 83C0 01          |add eax, 1
0049F1FD |. 3ACB             |cmp cl, bl
0049F1FF |.^ 75 F7           \jnz short 0049F1F8              ; // count the length of the trial code
0049F201 |. 2BC2             sub eax, edx                     ; // eax-edx -> eax, the length of the trial code
0049F203 |. 83F8 14          cmp eax, 14                      ; // compare eax with 14h: the key must be 20 characters
0049F206 |. 74 14            je short 0049F21C                ; // conditional jump
0049F208 |> 5F               pop edi
0049F209 |. 5E               pop esi
0049F20A |. 32C0             xor al, al
0049F20C |. 5B               pop ebx
0049F20D |. 8B4C24 54        mov ecx, dword ptr [esp+54]
0049F211 |. 33CC             xor ecx, esp
0049F213 |. E8 33EEFDFF      call 0047E04B
0049F218 |. 83C4 58          add esp, 58
0049F21B |. C3               retn
0049F21C |> B0 2D            mov al, 2D                       ; // al = 2Dh, '-'
0049F21E |. 3846 06          cmp byte ptr [esi+6], al         ; // compare the 7th character of the key with 2Dh: the 7th character must be '-'
0049F221 |.^ 75 E5           jnz short 0049F208               ; // conditional jump
0049F223 |. 3846 0D          cmp byte ptr [esi+D], al         ; // compare the 14th character of the key with 2Dh: the 14th character must be '-'
0049F226 |.^ 75 E0           jnz short 0049F208               ; // conditional jump
0049F228 |. 55               push ebp
0049F229 |. 6A 04            push 4
0049F22B |. 8D4424 38        lea eax, dword ptr [esp+38]
0049F22F |. 56               push esi                         ; 123456-890ABC-EFGHIJ
0049F230 |. 50               push eax
0049F231 |. E8 0A3C0000      call 004A2E40
0049F236 |. 6A 01            push 1
0049F238 |. 8D6E 04          lea ebp, dword ptr [esi+4]       ; 56-890ABC-EFGHIJ
0049F23B |. 8D4C24 20        lea ecx, dword ptr [esp+20]
0049F23F |. 55               push ebp                         ; 56-890ABC-EFGHIJ
0049F240 |. 51               push ecx
0049F241 |. E8 FA3B0000      call 004A2E40                    ; // extracts the 5th character of the key, '5'; the string becomes 6-890ABC-EFGHIJ
0049F246 |. 6A 01            push 1
0049F248 |. 8D56 05          lea edx, dword ptr [esi+5]       ; 6-890ABC-EFGHIJ
0049F24B |. 52               push edx                         ; 6-890ABC-EFGHIJ
0049F24C |. 8D4424 4C        lea eax, dword ptr [esp+4C]
0049F250 |. 50               push eax
0049F251 |. E8 EA3B0000      call 004A2E40                    ; // each call extracts the leading character(s); the string becomes 890ABC-EFGHIJ
0049F256 |. 6A 02            push 2
0049F258 |. 8D4E 07          lea ecx, dword ptr [esi+7]       ; 890ABC-EFGHIJ
0049F25B |. 51               push ecx                         ; 890ABC-EFGHIJ
0049F25C |. 8D5424 40        lea edx, dword ptr [esp+40]      ; 6-890ABC-EFGHIJ
0049F260 |. 52               push edx
0049F261 |. E8 DA3B0000      call 004A2E40                    ; // extracts characters 8-9 of the key: 89
0049F266 |. 6A 02            push 2                           ; // two characters, 89
0049F268 |. 8D46 09          lea eax, dword ptr [esi+9]       ; 0ABC-EFGHIJ
0049F26B |. 50               push eax                         ; 0ABC-EFGHIJ
0049F26C |. 8D4C24 65        lea ecx, dword ptr [esp+65]
0049F270 |. 51               push ecx
0049F271 |. E8 CA3B0000      call 004A2E40                    ; // extracts characters 10-11 of the key: 0A
0049F276 |. 6A 02            push 2                           ; // two characters, 0A
0049F278 |. 8D56 0B          lea edx, dword ptr [esi+B]       ; BC-EFGHIJ
0049F27B |. 52               push edx                         ; BC-EFGHIJ
0049F27C |. 8D4424 68        lea eax, dword ptr [esp+68]      ; 0A
0049F280 |. 50               push eax
0049F281 |. E8 BA3B0000      call 004A2E40
0049F286 |. 83C4 48          add esp, 48                      ; // 34-EFG78J
0049F289 |. 6A 03            push 3
0049F28B |. 8D4E 0E          lea ecx, dword ptr [esi+E]       ; EFGHIJ
0049F28E |. 51               push ecx                         ; EFGHIJ
0049F28F |. 8D5424 37        lea edx, dword ptr [esp+37]      ; BC-EFGHIJ
0049F293 |. 52               push edx
0049F294 |. E8 A73B0000      call 004A2E40                    ; // extracts characters 15-17 of the key
0049F299 |. 6A 02            push 2
0049F29B |. 8D46 11          lea eax, dword ptr [esi+11]      ; // HIJ
0049F29E |. 50               push eax
0049F29F |. 8D4C24 3A        lea ecx, dword ptr [esp+3A]
0049F2A3 |. 51               push ecx
0049F2A4 |. E8 973B0000      call 004A2E40
0049F2A9 |. 6A 01            push 1
0049F2AB |. 8D56 13          lea edx, dword ptr [esi+13]
0049F2AE |. 52               push edx
0049F2AF |. 8D4424 52        lea eax, dword ptr [esp+52]
0049F2B3 |. 50               push eax
0049F2B4 |. E8 873B0000      call 004A2E40
0049F2B9 |. 6A 07            push 7
0049F2BB |. 8D4C24 54        lea ecx, dword ptr [esp+54]
0049F2BF |. 51               push ecx
0049F2C0 |. 8D5424 70        lea edx, dword ptr [esp+70]
0049F2C4 |. 52               push edx
0049F2C5 |. 885C24 68        mov byte ptr [esp+68], bl
0049F2C9 |. 885C24 41        mov byte ptr [esp+41], bl        ; // 60AEFGJ|1234, i.e. 6+0A+EFG+J+|+1234
0049F2CD |. 885C24 58        mov byte ptr [esp+58], bl
0049F2D1 |. 885C24 63        mov byte ptr [esp+63], bl        ; 7C ('|')
0049F2D5 |. 885C24 46        mov byte ptr [esp+46], bl        ; 60AEFGJ
0049F2D9 |. E8 623B0000      call 004A2E40                    ; 60AEFGJ
0049F2DE |. 6A 01            push 1
0049F2E0 |. 8D4424 44        lea eax, dword ptr [esp+44]
0049F2E4 |. 50               push eax
0049F2E5 |. 8D8C24 830000>   lea ecx, dword ptr [esp+83]
0049F2EC |. 51               push ecx
0049F2ED |. E8 4E3B0000      call 004A2E40
0049F2F2 |. 6A 02            push 2
0049F2F4 |. 8D5424 54        lea edx, dword ptr [esp+54]      ; 89
0049F2F8 |. 52               push edx
0049F2F9 |. 8D8424 900000>   lea eax, dword ptr [esp+90]
0049F300 |. 50               push eax
0049F301 |. E8 3A3B0000      call 004A2E40
0049F306 |. 83C4 48          add esp, 48
0049F309 |. 6A 04            push 4
0049F30B |. 8D4C24 38        lea ecx, dword ptr [esp+38]      ; 1234
0049F30F |. 51               push ecx                         ; 1234
0049F310 |. 8D5424 56        lea edx, dword ptr [esp+56]      ; 89
0049F314 |. 52               push edx
0049F315 |. E8 263B0000      call 004A2E40
0049F31A |. 57               push edi                         ; ".$tf>wse453R754/&%!))8<>d9e12bb"
0049F31B |. 8D4424 54        lea eax, dword ptr [esp+54]
0049F31F |. 6A 0E            push 0E
0049F321 |. 50               push eax
0049F322 |. E8 99020000      call 0049F5C0
0049F327 |. 57               push edi                         ; ".$tf>wse453R754/&%!))8<>d9e12bb"
0049F328 |. 8D4C24 60        lea ecx, dword ptr [esp+60]
0049F32C |. 6A 0E            push 0E
0049F32E |. 51               push ecx
0049F32F |. E8 FC010000      call 0049F530                    ; // computes the real code; the computed value is 3478
0049F334 |. 50               push eax
0049F335 |. 8D5424 64        lea edx, dword ptr [esp+64]
0049F339 |. 68 24F14C00      push 004CF124                    ; %04x
0049F33E |. 52               push edx
0049F33F |. E8 AA14FEFF      call 004807EE
0049F344 |. 83C4 30          add esp, 30                      ; // 3478; the value obtained here differs every time, and changes again once the first four characters are changed!
0049F347 |. 8D4C24 24        lea ecx, dword ptr [esp+24]      ; // BCHI: characters 12-13 of the trial code are BC, characters 18-19 are HI
0049F34B |. 8D4424 3C        lea eax, dword ptr [esp+3C]      ; // 3478 stored in eax
0049F34F |. 90               nop                              ; (initial cpu selection)
0049F350 |> 8A10             /mov dl, byte ptr [eax]
0049F352 |. 3A11             |cmp dl, byte ptr [ecx]          ; // first character: compare for equality; on the second pass this compares the third character
0049F354 |. 75 1A            |jnz short 0049F370              ; // conditional jump
0049F356 |. 3AD3             |cmp dl, bl
0049F358 |. 74 12            |je short 0049F36C
0049F35A |. 8A50 01          |mov dl, byte ptr [eax+1]
0049F35D |. 3A51 01          |cmp dl, byte ptr [ecx+1]        ; // second character: compare for equality; on the second pass this compares the fourth character
0049F360 |. 75 0E            |jnz short 0049F370              ; // conditional jump
0049F362 |. 83C0 02          |add eax, 2
0049F365 |. 83C1 02          |add ecx, 2
0049F368 |. 3AD3             |cmp dl, bl
0049F36A |.^ 75 E4           \jnz short 0049F350              ; // loop checking all four characters for equality
0049F36C |> 33C0             xor eax, eax
0049F36E |. EB 05            jmp short 0049F375
0049F370 |> 1BC0             sbb eax, eax
0049F372 |. 83D8 FF          sbb eax, -1
0049F375 |> 3BC3             cmp eax, ebx
0049F377 |. 75 5A            jnz short 0049F3D3
0049F379 |. 8B7C24 1C        mov edi, dword ptr [esp+1C]      ; .$tf>wse453R754/&%!))8<>d9e12bb
0049F37D |. 3BFB             cmp edi, ebx
0049F37F |. 74 0F            je short 0049F390
0049F381 |. 6A 04            push 4
0049F383 |. 56               push esi                         ; 123456-789054-CDEC7H
0049F384 |. 57               push edi
0049F385 |. E8 B63A0000      call 004A2E40
0049F38A |. 83C4 0C          add esp, 0C
0049F38D |. 885F 04          mov byte ptr [edi+4], bl
0049F390 |> 8B7424 20        mov esi, dword ptr [esp+20]
0049F394 |. 3BF3             cmp esi, ebx
0049F396 |. 74 0F            je short 0049F3A7
0049F398 |. 6A 01            push 1
0049F39A |. 55               push ebp                         ; 56-789054-CDEC7HIJ
0049F39B |. 56               push esi
0049F39C |. E8 9F3A0000      call 004A2E40
0049F3A1 |. 83C4 0C          add esp, 0C
0049F3A4 |. 885E 01          mov byte ptr [esi+1], bl
0049F3A7 |> 8B7424 18        mov esi, dword ptr [esp+18]
0049F3AB |. 3BF3             cmp esi, ebx
0049F3AD |. 74 0F            je short 0049F3BE
0049F3AF |. 8D4424 14        lea eax, dword ptr [esp+14]
0049F3B3 |. 50               push eax
0049F3B4 |. E8 A772FFFF      call 00496660
0049F3B9 |. 83C4 04          add esp, 4
0049F3BC |. 8906             mov dword ptr [esi], eax
0049F3BE |> 5D               pop ebp
0049F3BF |. 5F               pop edi
0049F3C0 |. 5E               pop esi
0049F3C1 |. B0 01            mov al, 1                        ; // al set to 1: registration succeeds!
0049F3C3 |. 5B               pop ebx
0049F3C4 |. 8B4C24 54        mov ecx, dword ptr [esp+54]
0049F3C8 |. 33CC             xor ecx, esp
0049F3CA |. E8 7CECFDFF      call 0047E04B
0049F3CF |. 83C4 58          add esp, 58
0049F3D2 |. C3               retn
0049F3D3 |> 8B4C24 64        mov ecx, dword ptr [esp+64]
0049F3D7 |. 5D               pop ebp
0049F3D8 |. 5F               pop edi
0049F3D9 |. 5E               pop esi
0049F3DA |. 5B               pop ebx
0049F3DB |. 33CC             xor ecx, esp
0049F3DD |. 32C0             xor al, al                       ; // al cleared: registration fails!
0049F3DF |. E8 67ECFDFF      call 0047E04B
0049F3E4 |. 83C4 58          add esp, 58
0049F3E7 \. C3               retn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆ Step in and continue the analysis ☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F530 /$ 8B5424 0C        mov edx, dword ptr [esp+C]       ; // ".$tf>wse453R754/&%!))8<>d9e12bb" stored in edx
0049F534 |. 8BC2             mov eax, edx
0049F536 |. 56               push esi
0049F537 |. 8D70 01          lea esi, dword ptr [eax+1]
0049F53A |. 8D9B 00000000    lea ebx, dword ptr [ebx]
0049F540 |> 8A08             /mov cl, byte ptr [eax]          ; // walk the string one character at a time
0049F542 |. 83C0 01          |add eax, 1                      ; // eax+1, next character
0049F545 |. 84C9             |test cl, cl
0049F547 |.^ 75 F7           \jnz short 0049F540              ; // leave the loop once the whole string has been read
0049F549 |. 2BC6             sub eax, esi                     ; // eax-esi
0049F54B |. 83F8 03          cmp eax, 3                       ; // compare eax with 3
0049F54E |. 73 04            jnb short 0049F554               ; // conditional jump
0049F550 |. 33C0             xor eax, eax
0049F552 |. EB 1B            jmp short 0049F56F
0049F554 |> 0FBE42 01        movsx eax, byte ptr [edx+1]      ; // '$' (24h) into eax
0049F558 |. 0FBE0A           movsx ecx, byte ptr [edx]        ; // '.' (2Eh) into ecx
0049F55B |. 0FBE52 02        movsx edx, byte ptr [edx+2]      ; // 't' (74h) into edx
0049F55F |. C1E0 04          shl eax, 4                       ; // eax shifted left 4 = 00000240
0049F562 |. 0BC1             or eax, ecx                      ; // eax OR ecx = 0000026E
0049F564 |. C1E0 10          shl eax, 10                      ; // eax shifted left 10h = 026E0000
0049F567 |. 0BC2             or eax, edx                      ; // eax OR edx = 026E0074
0049F569 |. 03C0             add eax, eax                     ; // eax+eax = 04DC00E8
0049F56B |. 03C0             add eax, eax                     ; // eax+eax = 09B801D0
0049F56D |. 03C0             add eax, eax                     ; // eax+eax = 137003A0
0049F56F |> 8B4C24 0C        mov ecx, dword ptr [esp+C]       ; // 0000000E into ecx
0049F573 |. 8B5424 08        mov edx, dword ptr [esp+8]       ; // 00F3D934 into edx
0049F577 |. 51               push ecx                         ; // push ecx
0049F578 |. 52               push edx                         ; // push edx
0049F579 |. 50               push eax                         ; // push eax
0049F57A |. E8 71FEFFFF      call 0049F3F0                    ; // step in and continue the analysis; return value EAX=82890BDE
0049F57F |. 8BC8             mov ecx, eax                     ; // eax into ecx
0049F581 |. C1E8 09          shr eax, 9                       ; // eax shifted right 9 = 00414485
0049F584 |. 25 00F87F00      and eax, 7FF800                  ; // eax AND 7FF800 = 414000
0049F589 |. 8BD1             mov edx, ecx                     ; // ecx into edx
0049F58B |. 81E2 80070000    and edx, 780                     ; // edx AND 780 = 00000380
0049F591 |. 0BC2             or eax, edx                      ; // eax OR edx = 00414380
0049F593 |. 8BD1             mov edx, ecx                     ; // ecx into edx
0049F595 |. 8BF1             mov esi, ecx                     ; // ecx into esi
0049F597 |. C1EA 0B          shr edx, 0B                      ; // edx shifted right 0Bh = 105121
0049F59A |. 83E6 7F          and esi, 7F                      ; // esi AND 7F = 0000005E
0049F59D |. C1E6 09          shl esi, 9                       ; // esi shifted left 9 = 0000BC00
0049F5A0 |. 81E2 FF010000    and edx, 1FF                     ; // edx AND 1FF = 00000121
0049F5A6 |. C1E8 07          shr eax, 7                       ; // eax shifted right 7 = 00008287
0049F5A9 |. 0BD6             or edx, esi                      ; // edx OR esi = 0000BD21
0049F5AB |. 0FB7C9           movzx ecx, cx                    ; // ecx = 00000BDE
0049F5AE |. 83C4 0C          add esp, 0C                      ; // 00F3D8B8+0C = 00F3D8C4
0049F5B1 |. 33C2             xor eax, edx                     ; // eax XOR edx = 00003FA6
0049F5B3 |. 33C1             xor eax, ecx                     ; // eax XOR ecx = 00003478
0049F5B5 |. 5E               pop esi
0049F5B6 \. C3               retn                             ; // eax is 3478
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆ Step in and continue the analysis ☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F3F0 /$ 56               push esi                         ; burnings.004B8DF1
0049F3F1 |. 8B7424 0C        mov esi, dword ptr [esp+C]       ; esi=00F3F8F0
0049F3F5 |. 57               push edi
0049F3F6 |. 8B7C24 0C        mov edi, dword ptr [esp+C]       ; edi=137003A0
0049F3FA |. 0FB7CF           movzx ecx, di                    ; ecx=000003A0
0049F3FD |. C1EF 10          shr edi, 10                      ; shr 137003A0,10 = 00001370
0049F400 |. 85F6             test esi, esi
0049F402 |. 75 06            jnz short 0049F40A
0049F404 |. 5F               pop edi
0049F405 |. 8D46 01          lea eax, dword ptr [esi+1]
0049F408 |. 5E               pop esi
0049F409 |. C3               retn
0049F40A |> 53               push ebx
0049F40B |. 8B5C24 18        mov ebx, dword ptr [esp+18]      ; // 0E into ebx
0049F40F |. 85DB             test ebx, ebx
0049F411 |. 0F86 05010000    jbe 0049F51C
0049F417 |. 55               push ebp
0049F418 |. EB 06            jmp short 0049F420
0049F41A |  8D9B 00000000    lea ebx, dword ptr [ebx]
0049F420 |> 81FB B0150000    /cmp ebx, 15B0
0049F426 |. 8BC3             |mov eax, ebx                    ; // 0E into eax
0049F428 |. 72 05            |jb short 0049F42F
0049F42A |. B8 B0150000      |mov eax, 15B0
0049F42F |> 2BD8             |sub ebx, eax                    ; // ebx-eax = 0
0049F431 |. 83F8 10          |cmp eax, 10                     ; // compare eax with 10h
0049F434 |. 0F8C A1000000    |jl 0049F4DB
0049F43A |. 8BD0             |mov edx, eax
0049F43C |. C1EA 04          |shr edx, 4
0049F43F |. 8BEA             |mov ebp, edx
0049F441 |. F7DD             |neg ebp
0049F443 |. C1E5 04          |shl ebp, 4
0049F446 |. 03C5             |add eax, ebp
0049F448 |. EB 06            |jmp short 0049F450
0049F44A |  8D9B 00000000    |lea ebx, dword ptr [ebx]
0049F450 |> 0FB62E           |/movzx ebp, byte ptr [esi]
0049F453 |. 03CD             ||add ecx, ebp
0049F455 |. 0FB66E 01        ||movzx ebp, byte ptr [esi+1]
0049F459 |. 03F9             ||add edi, ecx
0049F45B |. 03CD             ||add ecx, ebp
0049F45D |. 0FB66E 02        ||movzx ebp, byte ptr [esi+2]
0049F461 |. 03F9             ||add edi, ecx
0049F463 |. 03CD             ||add ecx, ebp
0049F465 |. 0FB66E 03        ||movzx ebp, byte ptr [esi+3]
0049F469 |. 03F9             ||add edi, ecx
0049F46B |. 03CD             ||add ecx, ebp
0049F46D |. 0FB66E 04        ||movzx ebp, byte ptr [esi+4]
0049F471 |. 03F9             ||add edi, ecx
0049F473 |. 03CD             ||add ecx, ebp
0049F475 |. 0FB66E 05        ||movzx ebp, byte ptr [esi+5]
0049F479 |. 03F9             ||add edi, ecx
0049F47B |. 03CD             ||add ecx, ebp
0049F47D |. 0FB66E 06        ||movzx ebp, byte ptr [esi+6]
0049F481 |. 03F9             ||add edi, ecx
0049F483 |. 03CD             ||add ecx, ebp
0049F485 |. 0FB66E 07        ||movzx ebp, byte ptr [esi+7]
0049F489 |. 03F9             ||add edi, ecx
0049F48B |. 03CD             ||add ecx, ebp
0049F48D |. 0FB66E 08        ||movzx ebp, byte ptr [esi+8]
0049F491 |. 03F9             ||add edi, ecx
0049F493 |. 03CD             ||add ecx, ebp
0049F495 |. 0FB66E 09        ||movzx ebp, byte ptr [esi+9]
0049F499 |. 03F9             ||add edi, ecx
0049F49B |. 03CD             ||add ecx, ebp
0049F49D |. 0FB66E 0A        ||movzx ebp, byte ptr [esi+A]
0049F4A1 |. 03F9             ||add edi, ecx
0049F4A3 |. 03CD             ||add ecx, ebp
0049F4A5 |. 0FB66E 0B        ||movzx ebp, byte ptr [esi+B]
0049F4A9 |. 03F9             ||add edi, ecx
0049F4AB |. 03CD             ||add ecx, ebp
0049F4AD |. 0FB66E 0C        ||movzx ebp, byte ptr [esi+C]
0049F4B1 |. 03F9             ||add edi, ecx
0049F4B3 |. 03CD             ||add ecx, ebp
0049F4B5 |. 0FB66E 0D        ||movzx ebp, byte ptr [esi+D]
0049F4B9 |. 03F9             ||add edi, ecx
0049F4BB |. 03CD             ||add ecx, ebp
0049F4BD |. 0FB66E 0E        ||movzx ebp, byte ptr [esi+E]
0049F4C1 |. 03F9             ||add edi, ecx
0049F4C3 |. 03CD             ||add ecx, ebp
0049F4C5 |. 0FB66E 0F        ||movzx ebp, byte ptr [esi+F]
0049F4C9 |. 03F9             ||add edi, ecx
0049F4CB |. 03CD             ||add ecx, ebp
0049F4CD |. 03F9             ||add edi, ecx
0049F4CF |. 83C6 10          ||add esi, 10
0049F4D2 |. 83EA 01          ||sub edx, 1
0049F4D5 |.^ 0F85 75FFFFFF   |\jnz 0049F450
0049F4DB |> 85C0             |test eax, eax
0049F4DD |. 74 10            |je short 0049F4EF
0049F4DF |. 90               |nop
0049F4E0 |> 0FB616           |/movzx edx, byte ptr [esi]      ; the bytes at esi are fed in here one at a time: EDX=6A,BE,49,EA,A3,4B,B8,6D,F0,6E,92,BF,45,DC
0049F4E3 |. 03CA             ||add ecx, edx                   ; 3A0+6A=40A, 4C8, 511, 5FB, 69E, 6E9, 7A1, 80E, 8FE, 96C, 9FE, ABD, B02, BDE
0049F4E5 |. 83C6 01          ||add esi, 1                     ; each result feeds the next iteration ↑; F3F8F0+1=F3F8F1, F3F8F2 … 00F3F8FE
0049F4E8 |. 03F9             ||add edi, ecx                   ; 1370+40A=177A, 1C42, 2153, 274E, 2DEC, 34D5, 3C76, 4484, 4D82, 56EE, 60EC, 6BA9, 76AB, 8289
0049F4EA |. 83E8 01          ||sub eax, 1                     ; eax-1, loop counter: exits after 14 iterations
0049F4ED |.^ 75 F1           |\jnz short 0049F4E0             ; loop; on exit eax=0, edi=00008289
0049F4EF |> B8 71800780      |mov eax, 80078071               ; 80078071 into eax
0049F4F4 |. F7E1             |mul ecx                         ; mul eax,ecx = 80078071*00000BDE = 000005EF59063CFE; edx=000005EF, eax=59063CFE
0049F4F6 |. C1EA 0F          |shr edx, 0F                     ; shr 000005EF,0F = 00000000
0049F4F9 |. 69D2 0F00FFFF    |imul edx, edx, FFFF000F         ; imul 0,0,FFFF000F = 0
0049F4FF |. 03CA             |add ecx, edx                    ; add 00000BDE,0 = 00000BDE
0049F501 |. B8 71800780      |mov eax, 80078071               ; 80078071 into eax
0049F506 |. F7E7             |mul edi                         ; mul eax,edi = 80078071*00008289 = 00004148533D1E79; edx=00004148, eax=533D1E79
0049F508 |. C1EA 0F          |shr edx, 0F                     ; shr 00004148,0F = 00000000
0049F50B |. 69D2 0F00FFFF    |imul edx, edx, FFFF000F         ; imul 0,0,FFFF000F = 0
0049F511 |. 03FA             |add edi, edx                    ; add 00008289,00000000 = 00008289
0049F513 |. 85DB             |test ebx, ebx
0049F515 |.^ 0F87 05FFFFFF   \ja 0049F420
0049F51B |. 5D               pop ebp
0049F51C |> 8BC7             mov eax, edi                     ; eax=00008289
0049F51E |. 5B               pop ebx
0049F51F |. C1E0 10          shl eax, 10                      ; shl 00008289,10 = 82890000
0049F522 |. 5F               pop edi
0049F523 |. 0BC1             or eax, ecx                      ; or 82890000,00000BDE = 82890BDE
0049F525 |. 5E               pop esi
0049F526 \. C3               retn                             ; returns EAX = 82890BDE
; Editor's note (added, not part of the original notes): the routine at 0049F3F0 has the exact shape of zlib's adler32(adler, buf, len): it returns 1 for a NULL buffer, ecx and edi are the two 16-bit running sums seeded from the low and high halves of the first argument (137003A0), 15B0h = 5552 is zlib's NMAX, the 16-way unrolled body is its DO16 macro, and the mul 80078071h / shr 0Fh / imul FFFF000Fh sequence is the compiler's reduction modulo 65521 (FFFF000Fh = -65521). The result (edi<<16)|ecx is the standard Adler-32 layout.
Enter the trial code: 123456789012345678901234567890.
Adjust the trial code to 20 characters. To make the algorithm analysis easier, use a different character in every position; adjusted trial code: 1234567890ABCDEFGHIJ. Adjust it again: 123456-890ABC-EFGHIJ,
and again: BRS956-890ABC-EFGHIJ
Usable registration info after the analysis: BRS956-890A34-EFG78J; success message: 注册密钥有效.谢谢! (The key code was accepted. Thank you!)
Algorithm summary:
1. The key must be 20 characters;
2. The 7th and 14th characters must be '-', i.e. the key has the form XXXXXX-XXXXXX-XXXXXX;
3. The first four characters must be BRS9;
4. Of the string ".$tf>wse453R754/&%!))8<>d9e12bb" only the first three characters ".$t" are used, as their hex values ($→24, .→2E, t→74), in the computation that derives characters 12-13 and 18-19 of the real key from the trial code;
5. All of the algorithm analysis is now written out step by step, but my skill is limited and I can't yet express the algorithm as a concise "formula". I'm still working on it; I simply haven't analysed enough yet. After more practice maybe my write-ups will be more readable, so bear with this one. I hope experts with some time can give a few pointers so a newbie like me can learn ^_^
6. The software stores its registration info in the registry; the path is too long, so I won't paste it.
Since the pasted code is rather long, I am attaching my OD algorithm-analysis notes; I hope interested friends will study them together!
Ashampoo Burning Studio v9.21算法分析.rar
The article was too long, so I tidied it up with the code plugin; hope it is easier on the eyes for all of you ^_^:D: