[Original] Ashampoo Burning Studio v9.21 algorithm analysis  by: 樊盟  2010.2.7
Posted: 2010-2-7 14:31


Ashampoo Burning Studio v9.21
Download: http://www.crsky.com/soft/4449.html
Description:
CD/DVD burning tool. Features include: * create MP3 CDs/DVDs * burn movies to DVD/VCD/SVCD * create and burn CD/DVD image files * save and load project files * erase CD-RW/DVD+RW/DVD-RW * add files by drag and drop from Explorer * 255-character DVD file names and 64-character CD file names * burning speed and other options set automatically * burns WAV, MP3, FLAC, WMA and Ogg Vorbis files straight to audio CD with no plug-ins * convenient copying of all kinds of CD/DVD * more than 1500 CD and DVD burners supported * and more.
Type in arbitrary registration info and click "Register": an error box pops up reading "请输入有效的密钥" (Please enter a valid key).
Use the F12 pause method (pause while the message box is still up, then walk back up the call stack) to find the key location in the program:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0047DF6B > $  E8 FA730000   call    0048536A                     ;  // stops here once the program is loaded
0047DF70   .^ E9 17FEFFFF   jmp     0047DD8C
0047DF75  /$  55            push    ebp
0047DF76  |.  8BEC          mov     ebp, esp
0047DF78  |.  56            push    esi
0047DF79  |.  8B75 14       mov     esi, dword ptr [ebp+14]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Press F9 to run, enter the trial registration info 123456789012345678901234567890 and click Register. When the error box pops up, do not click OK: press F12 to pause, then Alt+K:
Call stack:    main thread
Address    Stack      Procedure / arguments                Called from                   Frame
00F3D200   77D19418   Includes ntdll.KiFastSystemCallRet   USER32.77D19416               00F3D234
00F3D204   77D2770A   USER32.WaitMessage                    USER32.77D27705               00F3D234
00F3D238   77D249C4   USER32.77D2757B                       USER32.77D249BF               00F3D234
00F3D260   77D3A956   USER32.77D2490E                       USER32.77D3A951               00F3D25C
00F3D520   77D3A2BC   USER32.SoftModalMessageBox            USER32.77D3A2B7               00F3D51C
00F3D670   77D663FD   USER32.77D3A147                       USER32.77D663F8               00F3D66C
00F3D6C8   77D50853   USER32.MessageBoxTimeoutW             USER32.77D5084E               00F3D6C4
00F3D6E8   77D66579   USER32.MessageBoxExW                  USER32.77D66574               00F3D6E4
00F3D6EC   00BB057A     hOwner = 00BB057A ('Register Ashampoo
00F3D6F0   01C96CF8     Text = "请输入有效的密钥" (Please enter a valid key)
00F3D6F4   01BD4C98     Title = "Ashampoo Burning Studio 9
00F3D6F8   00000030     Style = MB_OK|MB_ICONEXCLAMATION|M
00F3D6FC   00000000     LanguageID = 0 (LANG_NEUTRAL)
00F3D704   004640A9   USER32.MessageBoxW                    burnings.004640A3             00F3D700        // double-click to follow!
00F3D708   00BB057A     hOwner = 00BB057A ('Register Ashampoo
00F3D70C   01C96CF8     Text = "请输入有效的密钥" (Please enter a valid key)
00F3D710   01BD4C98     Title = "Ashampoo Burning Studio 9
00F3D714   00000030     Style = MB_OK|MB_ICONEXCLAMATION|M
00F3D750   004642F3   ? burnings.00464061                   burnings.004642EE             00F3D74C
00F3D994   00464377   ? burnings.004641D7                   burnings.00464372             00F3D7F0
00F3D9A8   00440BD0   burnings.00464334                     burnings.00440BCB             00F3D9CC
00F3D9C0   00465FA6   Includes burnings.00440BD0            burnings.00465FA3             00F3D9CC
00F3D9D0   004661B3   burnings.00465F63                     burnings.004661AE             00F3D9CC
00F3DA00   0046519C   burnings.0046609B                     burnings.00465197             00F3D9FC
00F3DA24   0046BD45   burnings.00465181                     burnings.0046BD42             00F3DA20
00F3DA74   0046C74C   Maybe burnings.0046BCB5               burnings.0046C746             00F3DA70
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00464061  /$  6A 14         push    14                           ;  // set a breakpoint here, run, and click Register again
00464063  |.  68 384D4E00   push    004E4D38                     ;  // once it breaks, look at the stack hint
00464068  |.  E8 E7DD0100   call    00481E54
0046406D  |.  33DB          xor     ebx, ebx
0046406F  |.  895D E0       mov     dword ptr [ebp-20], ebx
00464072  |.  8D45 E0       lea     eax, dword ptr [ebp-20]
00464075  |.  50            push    eax
00464076  |.  E8 EFE5FFFF   call    0046266A
0046407B  |.  FFB0 80000000 push    dword ptr [eax+80]
00464081  |.  E8 E3DDFFFF   call    00461E69
00464086  |.  8945 DC       mov     dword ptr [ebp-24], eax
00464089  |.  895D E4       mov     dword ptr [ebp-1C], ebx
0046408C  |.  3BC3          cmp     eax, ebx
0046408E  |.  75 04         jnz     short 00464094
00464090  |.  33C0          xor     eax, eax
00464092  |.  EB 27         jmp     short 004640BB
00464094  |>  895D FC       mov     dword ptr [ebp-4], ebx
00464097  |.  FF75 14       push    dword ptr [ebp+14]           ; /Style
0046409A  |.  FF75 10       push    dword ptr [ebp+10]           ; |Title
0046409D  |.  FF75 0C       push    dword ptr [ebp+C]            ; |Text
004640A0  |.  FF75 08       push    dword ptr [ebp+8]            ; |hOwner
004640A3  |.  FF15 80854B00 call    dword ptr [<&USER32.MessageB>; \MessageBoxW
004640A9  |.  8945 E4       mov     dword ptr [ebp-1C], eax      ;  // followed to here
004640AC  |.  C745 FC FEFFF>mov     dword ptr [ebp-4], -2
004640B3  |.  E8 0B000000   call    004640C3
004640B8  |.  8B45 E4       mov     eax, dword ptr [ebp-1C]
004640BB  |>  E8 D9DD0100   call    00481E99
004640C0  \.  C3            retn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stack hint:
00F3D750   004642F3  RETURN to burnings.004642F3 from burnings.00464061  // remove the breakpoint, right-click this line and choose "Follow in Disassembler"
00F3D754   00BB057A
00F3D758   01C96CF8
00F3D75C   01BD4C98  UNICODE "Ashampoo Burning Studio 9"
00F3D760   00000030
00F3D764   00F3E2C0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
004641D7  /$  55            push    ebp                          ;  // set a breakpoint here, run, and click Register again
004641D8  |.  8DAC24 60FEFF>lea     ebp, dword ptr [esp-1A0]     ;  // once it breaks, look at the stack hint
004641DF  |.  81EC 20020000 sub     esp, 220
004641E5  |.  A1 442D4F00   mov     eax, dword ptr [4F2D44]
004641EA  |.  33C5          xor     eax, ebp
…………………………………………………………………………………………………………
004642E8  |.  FF75 80       push    dword ptr [ebp-80]
004642EB  |.  FF75 84       push    dword ptr [ebp-7C]
004642EE  |.  E8 6EFDFFFF   call    00464061
004642F3  |.  83C4 10       add     esp, 10                      ;  // followed to here
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stack hint:
00F3D994   00464377  RETURN to burnings.00464377 from burnings.004641D7  // remove the breakpoint, right-click this line and choose "Follow in Disassembler"
00F3D998   004F6668  burnings.004F6668
00F3D99C   01C96CF8
00F3D9A0   00000030
00F3D9A4   00000000
00F3D9A8   00440BD0  RETURN to burnings.00440BD0 from burnings.00464334
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00464365   .  FF7424 0C     push    dword ptr [esp+C]            ;  // set a breakpoint here, run, and click Register again
00464369   .  FF7424 0C     push    dword ptr [esp+C]            ;  // once it breaks, look at the stack hint
0046436D   .  FF7424 0C     push    dword ptr [esp+C]
00464371   .  51            push    ecx
00464372   .  E8 60FEFFFF   call    004641D7
00464377   .  83C4 10       add     esp, 10                      ;  // followed to here
0046437A   .  C2 0C00       retn    0C
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stack hint:
00F3D9A8   00440BD0  RETURN to burnings.00440BD0 from burnings.00464334  // remove the breakpoint, right-click this line and choose "Follow in Disassembler"
00F3D9AC   01C96CF8
00F3D9B0   00000030
00F3D9B4   00000000
00F3D9B8   00F3E150
00F3D9BC   004C9B34  burnings.004C9B34
00F3D9C0   00465FA6  RETURN to burnings.00465FA6
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00440B90   .  56            push    esi                           ;  // traced back to here; the analysis starts at this point
00440B91   .  57            push    edi
00440B92   .  6A 01         push    1
00440B94   .  8BF1          mov     esi, ecx
00440B96   .  E8 3B990200   call    0046A4D6
00440B9B   .  E8 CA1A0200   call    0046266A
00440BA0   .  8B40 04       mov     eax, dword ptr [eax+4]
00440BA3   .  6A 00         push    0
00440BA5   .  8DBE 70010000 lea     edi, dword ptr [esi+170]
00440BAB   .  57            push    edi
00440BAC   .  8BC8          mov     ecx, eax
00440BAE   .  E8 6DDAFFFF   call    0043E620                      ;  // key CALL!!!
00440BB3   .  84C0          test    al, al
00440BB5   .  75 1C         jnz     short 00440BD3                ;  // key jump!!!
00440BB7   .  6A 00         push    0
00440BB9   .  6A 30         push    30
00440BBB   .  68 C0634C00   push    004C63C0                      ;  Please enter a valid code
00440BC0   .  68 88634C00   push    004C6388                      ;  CRegisterDlg.EnterValidCode
00440BC5   .  E8 C6AAFFFF   call    0043B690
00440BCA   .  50            push    eax
00440BCB   .  E8 64370200   call    00464334
00440BD0   .  5F            pop     edi                           ;  // followed to here
00440BD1   .  5E            pop     esi
00440BD2   .  C3            retn
00440BD3   >  80BE 78010000>cmp     byte ptr [esi+178], 0
00440BDA   .  74 30         je      short 00440C0C
00440BDC   .  E8 891A0200   call    0046266A
00440BE1   .  8B40 04       mov     eax, dword ptr [eax+4]
00440BE4   .  57            push    edi
00440BE5   .  8BC8          mov     ecx, eax
00440BE7   .  E8 84DEFFFF   call    0043EA70
00440BEC   .  84C0          test    al, al
00440BEE   .  75 1C         jnz     short 00440C0C
00440BF0   .  6A 00         push    0
00440BF2   .  6A 30         push    30
00440BF4   .  68 48634C00   push    004C6348                      ;  Full version key code required!
00440BF9   .  68 0C634C00   push    004C630C                      ;  CRegisterDlg.CodeOk
00440BFE   .  E8 8DAAFFFF   call    0043B690
00440C03   .  50            push    eax
00440C04   .  E8 2B370200   call    00464334
00440C09   .  5F            pop     edi
00440C0A   .  5E            pop     esi
00440C0B   .  C3            retn
00440C0C   >  6A 00         push    0
00440C0E   .  6A 40         push    40
00440C10   .  68 C0624C00   push    004C62C0                      ;  The key code was accepted. Thank you!
00440C15   .  68 94624C00   push    004C6294                      ;  CRegisterDlg.CodeOk
00440C1A   .  E8 71AAFFFF   call    0043B690
00440C1F   .  50            push    eax
00440C20   .  E8 0F370200   call    00464334
00440C25   .  5F            pop     edi
00440C26   .  8BCE          mov     ecx, esi
00440C28   .  5E            pop     esi
00440C29   .  E9 4C440200   jmp     0046507A
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆ step in and continue the analysis ☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0043E620  /$  6A FF         push    -1                               ;  // once inside, keep tracing downward
0043E622  |.  68 A0DF4A00   push    004ADFA0
0043E627  |.  64:A1 0000000>mov     eax, dword ptr fs:[0]
0043E62D  |.  50            push    eax
0043E62E  |.  83EC 1C       sub     esp, 1C
0043E631  |.  A1 442D4F00   mov     eax, dword ptr [4F2D44]
0043E636  |.  33C4          xor     eax, esp
0043E638  |.  894424 18     mov     dword ptr [esp+18], eax
0043E63C  |.  53            push    ebx
0043E63D  |.  55            push    ebp
0043E63E  |.  56            push    esi
0043E63F  |.  57            push    edi
0043E640  |.  A1 442D4F00   mov     eax, dword ptr [4F2D44]
0043E645  |.  33C4          xor     eax, esp
0043E647  |.  50            push    eax
0043E648  |.  8D4424 30     lea     eax, dword ptr [esp+30]
0043E64C  |.  64:A3 0000000>mov     dword ptr fs:[0], eax
0043E652  |.  8B4424 40     mov     eax, dword ptr [esp+40]
0043E656  |.  8B00          mov     eax, dword ptr [eax]
0043E658  |.  8B5C24 44     mov     ebx, dword ptr [esp+44]
0043E65C  |.  83E8 10       sub     eax, 10
0043E65F  |.  50            push    eax
0043E660  |.  8BE9          mov     ebp, ecx
0043E662  |.  E8 E935FCFF   call    00401C50
0043E667  |.  8D70 10       lea     esi, dword ptr [eax+10]
0043E66A  |.  83C4 04       add     esp, 4
0043E66D  |.  897424 18     mov     dword ptr [esp+18], esi
0043E671  |.  83BD EC000000>cmp     dword ptr [ebp+EC], 1
0043E678  |.  C74424 38 000>mov     dword ptr [esp+38], 0
0043E680  |.  0F85 4D020000 jnz     0043E8D3                         ;  *** I suspect the block below is also some kind of algorithm, but I don't know how to make this jump not taken
……………………………………………………………………………………☆ irrelevant code in between omitted ☆……………………………………………………………………………………
0043E976  |.  E8 45080600   call    0049F1C0                         ;  // the algorithm CALL; step in and continue the analysis!
0043E97B  |.  83C4 14       add     esp, 14
0043E97E  |.  84C0          test    al, al
0043E980  |.  0F84 95000000 je      0043EA1B
0043E986  |>  56            push    esi                              ;  //123456-890ABC-EFGHIJ
0043E987  |.  E8 B7300200   call    00461A43
0043E98C  |.  83C4 04       add     esp, 4
0043E98F  |.  8D4424 24     lea     eax, dword ptr [esp+24]          ;  // the first four characters of the trial code: 1234
0043E993  |.  50            push    eax
0043E994  |.  8D4C24 18     lea     ecx, dword ptr [esp+18]
0043E998  |.  33F6          xor     esi, esi
0043E99A  |.  E8 815DFCFF   call    00404720
0043E99F  |.  8B4C24 14     mov     ecx, dword ptr [esp+14]          ;  // the first four characters of the trial code: 1234
0043E9A3  |.  8BAD B4000000 mov     ebp, dword ptr [ebp+B4]          ;  //BRS9
0043E9A9  |.  51            push    ecx
0043E9AA  |.  55            push    ebp
0043E9AB  |.  E8 9BF80300   call    0047E24B                         ;  // string compare: the first four characters of the code must be BRS9
0043E9B0  |.  83C4 08       add     esp, 8
0043E9B3  |.  85C0          test    eax, eax
0043E9B5  |.  8B4424 14     mov     eax, dword ptr [esp+14]
0043E9B9  |.  75 44         jnz     short 0043E9FF                   ;  // conditional jump
0043E9BB  |.  83C0 F0       add     eax, -10
0043E9BE  |.  8D50 0C       lea     edx, dword ptr [eax+C]
0043E9C1  |.  83C9 FF       or      ecx, FFFFFFFF
0043E9C4  |.  F0:0FC10A     lock xadd dword ptr [edx], ecx
0043E9C8  |.  49            dec     ecx
0043E9C9  |.  85C9          test    ecx, ecx
0043E9CB  |.  7F 0A         jg      short 0043E9D7
0043E9CD  |.  8B08          mov     ecx, dword ptr [eax]
0043E9CF  |.  8B11          mov     edx, dword ptr [ecx]
0043E9D1  |.  50            push    eax
0043E9D2  |.  8B42 04       mov     eax, dword ptr [edx+4]
0043E9D5  |.  FFD0          call    eax
0043E9D7  |>  83C7 F0       add     edi, -10                         ;  BRS956-789032-CDE54H
0043E9DA  |.  C74424 38 FFF>mov     dword ptr [esp+38], -1
0043E9E2  |.  8D4F 0C       lea     ecx, dword ptr [edi+C]
0043E9E5  |.  83CA FF       or      edx, FFFFFFFF
0043E9E8  |.  F0:0FC111     lock xadd dword ptr [ecx], edx
0043E9EC  |.  4A            dec     edx
0043E9ED  |.  85D2          test    edx, edx
0043E9EF  |.  7F 0A         jg      short 0043E9FB
0043E9F1  |.  8B0F          mov     ecx, dword ptr [edi]
0043E9F3  |.  8B01          mov     eax, dword ptr [ecx]
0043E9F5  |.  8B50 04       mov     edx, dword ptr [eax+4]
0043E9F8  |.  57            push    edi
0043E9F9  |.  FFD2          call    edx
0043E9FB  |>  B0 01         mov     al, 1
0043E9FD  |.  EB 4B         jmp     short 0043EA4A
0043E9FF  |>  83C0 F0       add     eax, -10
0043EA02  |.  8D48 0C       lea     ecx, dword ptr [eax+C]
0043EA05  |.  83CA FF       or      edx, FFFFFFFF
0043EA08  |.  F0:0FC111     lock xadd dword ptr [ecx], edx
0043EA0C  |.  4A            dec     edx
0043EA0D  |.  85D2          test    edx, edx
0043EA0F  |.  7F 0A         jg      short 0043EA1B
0043EA11  |.  8B08          mov     ecx, dword ptr [eax]
0043EA13  |.  8B11          mov     edx, dword ptr [ecx]
0043EA15  |.  50            push    eax
0043EA16  |.  8B42 04       mov     eax, dword ptr [edx+4]
0043EA19  |.  FFD0          call    eax
0043EA1B  |>  56            push    esi
0043EA1C  |.  E8 22300200   call    00461A43
0043EA21  |.  83C7 F0       add     edi, -10
0043EA24  |.  83C4 04       add     esp, 4
0043EA27  |.  C74424 38 FFF>mov     dword ptr [esp+38], -1
0043EA2F  |.  8D4F 0C       lea     ecx, dword ptr [edi+C]
0043EA32  |.  83CA FF       or      edx, FFFFFFFF
0043EA35  |.  F0:0FC111     lock xadd dword ptr [ecx], edx
0043EA39  |.  4A            dec     edx
0043EA3A  |.  85D2          test    edx, edx
0043EA3C  |.  7F 0A         jg      short 0043EA48
0043EA3E  |.  8B0F          mov     ecx, dword ptr [edi]
0043EA40  |.  57            push    edi
0043EA41  |>  8B01          mov     eax, dword ptr [ecx]
0043EA43  |.  8B50 04       mov     edx, dword ptr [eax+4]
0043EA46  |.  FFD2          call    edx
0043EA48  |>  32C0          xor     al, al                           ;  al cleared to 0
0043EA4A  |>  8B4C24 30     mov     ecx, dword ptr [esp+30]
0043EA4E  |.  64:890D 00000>mov     dword ptr fs:[0], ecx
0043EA55  |.  59            pop     ecx
0043EA56  |.  5F            pop     edi
0043EA57  |.  5E            pop     esi
0043EA58  |.  5D            pop     ebp
0043EA59  |.  5B            pop     ebx
0043EA5A  |.  8B4C24 18     mov     ecx, dword ptr [esp+18]
0043EA5E  |.  33CC          xor     ecx, esp
0043EA60  |.  E8 E6F50300   call    0047E04B
0043EA65  |.  83C4 28       add     esp, 28
0043EA68  \.  C2 0800       retn    8
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆ step in and continue the analysis ☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F1C0  /$  83EC 58       sub     esp, 58                       ;  // after stepping in you land here; continue the analysis
0049F1C3  |.  A1 442D4F00   mov     eax, dword ptr [4F2D44]
0049F1C8  |.  33C4          xor     eax, esp
0049F1CA  |.  894424 54     mov     dword ptr [esp+54], eax
0049F1CE  |.  8B4424 64     mov     eax, dword ptr [esp+64]
0049F1D2  |.  8B5424 6C     mov     edx, dword ptr [esp+6C]
0049F1D6  |.  8B4C24 68     mov     ecx, dword ptr [esp+68]
0049F1DA  |.  53            push    ebx
0049F1DB  |.  56            push    esi                           ;  // trial code
0049F1DC  |.  8B7424 64     mov     esi, dword ptr [esp+64]
0049F1E0  |.  894424 14     mov     dword ptr [esp+14], eax
0049F1E4  |.  8BC6          mov     eax, esi
0049F1E6  |.  57            push    edi
0049F1E7  |.  8B7C24 6C     mov     edi, dword ptr [esp+6C]       ;  // .$tf>wse453R754/&%!))8<>d9e12bb stored into edi
0049F1EB  |.  895424 14     mov     dword ptr [esp+14], edx
0049F1EF  |.  894C24 1C     mov     dword ptr [esp+1C], ecx
0049F1F3  |.  8D50 01       lea     edx, dword ptr [eax+1]
0049F1F6  |.  33DB          xor     ebx, ebx
0049F1F8  |>  8A08          /mov     cl, byte ptr [eax]
0049F1FA  |.  83C0 01       |add     eax, 1
0049F1FD  |.  3ACB          |cmp     cl, bl
0049F1FF  |.^ 75 F7         \jnz     short 0049F1F8               ;  // counts the length of the trial code
0049F201  |.  2BC2          sub     eax, edx                      ;  // eax-edx = EAX, the length of the trial code
0049F203  |.  83F8 14       cmp     eax, 14                       ;  // compare eax with 14h: the code must be 20 characters long
0049F206  |.  74 14         je      short 0049F21C                ;  // conditional jump
0049F208  |>  5F            pop     edi
0049F209  |.  5E            pop     esi
0049F20A  |.  32C0          xor     al, al
0049F20C  |.  5B            pop     ebx
0049F20D  |.  8B4C24 54     mov     ecx, dword ptr [esp+54]
0049F211  |.  33CC          xor     ecx, esp
0049F213  |.  E8 33EEFDFF   call    0047E04B
0049F218  |.  83C4 58       add     esp, 58
0049F21B  |.  C3            retn
0049F21C  |>  B0 2D         mov     al, 2D                        ;  // al = 2D, '-'
0049F21E  |.  3846 06       cmp     byte ptr [esi+6], al          ;  // compare the 7th character of the code with 2D: the 7th character must be '-'
0049F221  |.^ 75 E5         jnz     short 0049F208                ;  // conditional jump
0049F223  |.  3846 0D       cmp     byte ptr [esi+D], al          ;  // compare the 14th character of the code with 2D: the 14th character must be '-'
0049F226  |.^ 75 E0         jnz     short 0049F208                ;  // conditional jump
0049F228  |.  55            push    ebp
0049F229  |.  6A 04         push    4
0049F22B  |.  8D4424 38     lea     eax, dword ptr [esp+38]
0049F22F  |.  56            push    esi                           ;  123456-890ABC-EFGHIJ
0049F230  |.  50            push    eax
0049F231  |.  E8 0A3C0000   call    004A2E40
0049F236  |.  6A 01         push    1
0049F238  |.  8D6E 04       lea     ebp, dword ptr [esi+4]        ;  56-890ABC-EFGHIJ
0049F23B  |.  8D4C24 20     lea     ecx, dword ptr [esp+20]
0049F23F  |.  55            push    ebp                           ;  56-890ABC-EFGHIJ
0049F240  |.  51            push    ecx
0049F241  |.  E8 FA3B0000   call    004A2E40                      ;  // copies out the 5th character of the code, '5'; the remainder is 6-890ABC-EFGHIJ
0049F246  |.  6A 01         push    1
0049F248  |.  8D56 05       lea     edx, dword ptr [esi+5]        ;  6-890ABC-EFGHIJ
0049F24B  |.  52            push    edx                           ;  6-890ABC-EFGHIJ
0049F24C  |.  8D4424 4C     lea     eax, dword ptr [esp+4C]
0049F250  |.  50            push    eax
0049F251  |.  E8 EA3B0000   call    004A2E40                      ;  // each time you step in it copies the leading character(s) from the pointer passed; the remainder is 890ABC-EFGHIJ
0049F256  |.  6A 02         push    2
0049F258  |.  8D4E 07       lea     ecx, dword ptr [esi+7]        ;  890ABC-EFGHIJ
0049F25B  |.  51            push    ecx                           ;  890ABC-EFGHIJ
0049F25C  |.  8D5424 40     lea     edx, dword ptr [esp+40]       ;  6-890ABC-EFGHIJ
0049F260  |.  52            push    edx
0049F261  |.  E8 DA3B0000   call    004A2E40                      ;  // copies out the 8th-9th characters of the code, 89
0049F266  |.  6A 02         push    2                             ;  // two characters, 89
0049F268  |.  8D46 09       lea     eax, dword ptr [esi+9]        ;  0ABC-EFGHIJ
0049F26B  |.  50            push    eax                           ;  0ABC-EFGHIJ
0049F26C  |.  8D4C24 65     lea     ecx, dword ptr [esp+65]
0049F270  |.  51            push    ecx
0049F271  |.  E8 CA3B0000   call    004A2E40                      ;  // copies out the 10th-11th characters of the code, 0A
0049F276  |.  6A 02         push    2                             ;  // two characters, 0A
0049F278  |.  8D56 0B       lea     edx, dword ptr [esi+B]        ;  BC-EFGHIJ
0049F27B  |.  52            push    edx                           ;  BC-EFGHIJ
0049F27C  |.  8D4424 68     lea     eax, dword ptr [esp+68]       ;  0A
0049F280  |.  50            push    eax
0049F281  |.  E8 BA3B0000   call    004A2E40
0049F286  |.  83C4 48       add     esp, 48                       ;  //34-EFG78J
0049F289  |.  6A 03         push    3
0049F28B  |.  8D4E 0E       lea     ecx, dword ptr [esi+E]        ;  EFGHIJ
0049F28E  |.  51            push    ecx                           ;  EFGHIJ
0049F28F  |.  8D5424 37     lea     edx, dword ptr [esp+37]       ;  BC-EFGHIJ
0049F293  |.  52            push    edx
0049F294  |.  E8 A73B0000   call    004A2E40                      ;  // copies out the 15th-17th characters of the code
0049F299  |.  6A 02         push    2
0049F29B  |.  8D46 11       lea     eax, dword ptr [esi+11]       ;  //HIJ
0049F29E  |.  50            push    eax
0049F29F  |.  8D4C24 3A     lea     ecx, dword ptr [esp+3A]
0049F2A3  |.  51            push    ecx
0049F2A4  |.  E8 973B0000   call    004A2E40
0049F2A9  |.  6A 01         push    1
0049F2AB  |.  8D56 13       lea     edx, dword ptr [esi+13]
0049F2AE  |.  52            push    edx
0049F2AF  |.  8D4424 52     lea     eax, dword ptr [esp+52]
0049F2B3  |.  50            push    eax
0049F2B4  |.  E8 873B0000   call    004A2E40
0049F2B9  |.  6A 07         push    7
0049F2BB  |.  8D4C24 54     lea     ecx, dword ptr [esp+54]
0049F2BF  |.  51            push    ecx
0049F2C0  |.  8D5424 70     lea     edx, dword ptr [esp+70]
0049F2C4  |.  52            push    edx
0049F2C5  |.  885C24 68     mov     byte ptr [esp+68], bl
0049F2C9  |.  885C24 41     mov     byte ptr [esp+41], bl         ;  // 60AEFGJ|1234, i.e. 6 + 0A + EFG + J + | + 1234
0049F2CD  |.  885C24 58     mov     byte ptr [esp+58], bl
0049F2D1  |.  885C24 63     mov     byte ptr [esp+63], bl         ;  7C ('|')
0049F2D5  |.  885C24 46     mov     byte ptr [esp+46], bl         ;  60AEFGJ
0049F2D9  |.  E8 623B0000   call    004A2E40                      ;  60AEFGJ
0049F2DE  |.  6A 01         push    1
0049F2E0  |.  8D4424 44     lea     eax, dword ptr [esp+44]
0049F2E4  |.  50            push    eax
0049F2E5  |.  8D8C24 830000>lea     ecx, dword ptr [esp+83]
0049F2EC  |.  51            push    ecx
0049F2ED  |.  E8 4E3B0000   call    004A2E40
0049F2F2  |.  6A 02         push    2
0049F2F4  |.  8D5424 54     lea     edx, dword ptr [esp+54]       ;  89
0049F2F8  |.  52            push    edx
0049F2F9  |.  8D8424 900000>lea     eax, dword ptr [esp+90]
0049F300  |.  50            push    eax
0049F301  |.  E8 3A3B0000   call    004A2E40
0049F306  |.  83C4 48       add     esp, 48
0049F309  |.  6A 04         push    4
0049F30B  |.  8D4C24 38     lea     ecx, dword ptr [esp+38]       ;  1234
0049F30F  |.  51            push    ecx                           ;  1234
0049F310  |.  8D5424 56     lea     edx, dword ptr [esp+56]       ;  89
0049F314  |.  52            push    edx
0049F315  |.  E8 263B0000   call    004A2E40
0049F31A  |.  57            push    edi                           ;  ".$tf>wse453R754/&%!))8<>d9e12bb"
0049F31B  |.  8D4424 54     lea     eax, dword ptr [esp+54]
0049F31F  |.  6A 0E         push    0E
0049F321  |.  50            push    eax
0049F322  |.  E8 99020000   call    0049F5C0
0049F327  |.  57            push    edi                           ;  ".$tf>wse453R754/&%!))8<>d9e12bb"
0049F328  |.  8D4C24 60     lea     ecx, dword ptr [esp+60]
0049F32C  |.  6A 0E         push    0E
0049F32E  |.  51            push    ecx
0049F32F  |.  E8 FC010000   call    0049F530                      ;  // computes the true code; the computed value is 3478
0049F334  |.  50            push    eax
0049F335  |.  8D5424 64     lea     edx, dword ptr [esp+64]
0049F339  |.  68 24F14C00   push    004CF124                      ;  %04x
0049F33E  |.  52            push    edx
0049F33F  |.  E8 AA14FEFF   call    004807EE
0049F344  |.  83C4 30       add     esp, 30                       ;  // 3478; the value obtained here differs every time, and differs again once the first four characters are changed!
0049F347  |.  8D4C24 24     lea     ecx, dword ptr [esp+24]       ;  // BCHI: characters 12-13 of the trial code are BC, characters 18-19 are HI
0049F34B  |.  8D4424 3C     lea     eax, dword ptr [esp+3C]       ;  // 3478 loaded into eax
0049F34F  |.  90            nop                                   ;  (initial cpu selection)
0049F350  |>  8A10          /mov     dl, byte ptr [eax]
0049F352  |.  3A11          |cmp     dl, byte ptr [ecx]           ;  // compare the 1st characters for equality; on the second pass, the 3rd characters
0049F354  |.  75 1A         |jnz     short 0049F370               ;  // conditional jump
0049F356  |.  3AD3          |cmp     dl, bl
0049F358  |.  74 12         |je      short 0049F36C
0049F35A  |.  8A50 01       |mov     dl, byte ptr [eax+1]
0049F35D  |.  3A51 01       |cmp     dl, byte ptr [ecx+1]         ;  // compare the 2nd characters for equality; on the second pass, the 4th characters
0049F360  |.  75 0E         |jnz     short 0049F370               ;  // conditional jump
0049F362  |.  83C0 02       |add     eax, 2
0049F365  |.  83C1 02       |add     ecx, 2
0049F368  |.  3AD3          |cmp     dl, bl
0049F36A  |.^ 75 E4         \jnz     short 0049F350               ;  // loop checking that all four characters match
0049F36C  |>  33C0          xor     eax, eax
0049F36E  |.  EB 05         jmp     short 0049F375
0049F370  |>  1BC0          sbb     eax, eax
0049F372  |.  83D8 FF       sbb     eax, -1
0049F375  |>  3BC3          cmp     eax, ebx
0049F377  |.  75 5A         jnz     short 0049F3D3
0049F379  |.  8B7C24 1C     mov     edi, dword ptr [esp+1C]       ;  .$tf>wse453R754/&%!))8<>d9e12bb
0049F37D  |.  3BFB          cmp     edi, ebx
0049F37F  |.  74 0F         je      short 0049F390
0049F381  |.  6A 04         push    4
0049F383  |.  56            push    esi                           ;  123456-789054-CDEC7H
0049F384  |.  57            push    edi
0049F385  |.  E8 B63A0000   call    004A2E40
0049F38A  |.  83C4 0C       add     esp, 0C
0049F38D  |.  885F 04       mov     byte ptr [edi+4], bl
0049F390  |>  8B7424 20     mov     esi, dword ptr [esp+20]
0049F394  |.  3BF3          cmp     esi, ebx
0049F396  |.  74 0F         je      short 0049F3A7
0049F398  |.  6A 01         push    1
0049F39A  |.  55            push    ebp                           ;  56-789054-CDEC7HIJ
0049F39B  |.  56            push    esi
0049F39C  |.  E8 9F3A0000   call    004A2E40
0049F3A1  |.  83C4 0C       add     esp, 0C
0049F3A4  |.  885E 01       mov     byte ptr [esi+1], bl
0049F3A7  |>  8B7424 18     mov     esi, dword ptr [esp+18]
0049F3AB  |.  3BF3          cmp     esi, ebx
0049F3AD  |.  74 0F         je      short 0049F3BE
0049F3AF  |.  8D4424 14     lea     eax, dword ptr [esp+14]
0049F3B3  |.  50            push    eax
0049F3B4  |.  E8 A772FFFF   call    00496660
0049F3B9  |.  83C4 04       add     esp, 4
0049F3BC  |.  8906          mov     dword ptr [esi], eax
0049F3BE  |>  5D            pop     ebp
0049F3BF  |.  5F            pop     edi
0049F3C0  |.  5E            pop     esi
0049F3C1  |.  B0 01         mov     al, 1                             ; // al = 1, registration succeeds!
0049F3C3  |.  5B            pop     ebx
0049F3C4  |.  8B4C24 54     mov     ecx, dword ptr [esp+54]
0049F3C8  |.  33CC          xor     ecx, esp
0049F3CA  |.  E8 7CECFDFF   call    0047E04B
0049F3CF  |.  83C4 58       add     esp, 58
0049F3D2  |.  C3            retn
0049F3D3  |>  8B4C24 64     mov     ecx, dword ptr [esp+64]
0049F3D7  |.  5D            pop     ebp
0049F3D8  |.  5F            pop     edi
0049F3D9  |.  5E            pop     esi
0049F3DA  |.  5B            pop     ebx
0049F3DB  |.  33CC          xor     ecx, esp
0049F3DD  |.  32C0          xor     al, al                            ; // al cleared, registration fails!
0049F3DF  |.  E8 67ECFDFF   call    0047E04B 
0049F3E4  |.  83C4 58       add     esp, 58
0049F3E7  \.  C3            retn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆ step in and continue the analysis ☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F530  /$  8B5424 0C     mov     edx, dword ptr [esp+C]        ;  // ".$tf>wse453R754/&%!))8<>d9e12bb" stored into edx
0049F534  |.  8BC2          mov     eax, edx
0049F536  |.  56            push    esi
0049F537  |.  8D70 01       lea     esi, dword ptr [eax+1]
0049F53A  |.  8D9B 00000000 lea     ebx, dword ptr [ebx]
0049F540  |>  8A08          /mov     cl, byte ptr [eax]           ;  // walk the string one byte at a time (strlen)
0049F542  |.  83C0 01       |add     eax, 1                       ;  // eax+1, next byte
0049F545  |.  84C9          |test    cl, cl
0049F547  |.^ 75 F7         \jnz     short 0049F540               ;  // leave the loop at the terminating NUL
0049F549  |.  2BC6          sub     eax, esi                      ;  // eax-esi: the string length
0049F54B  |.  83F8 03       cmp     eax, 3                        ;  // compare eax with 3
0049F54E  |.  73 04         jnb     short 0049F554                ;  // conditional jump: a string shorter than 3 bytes gives eax = 0
0049F550  |.  33C0          xor     eax, eax
0049F552  |.  EB 1B         jmp     short 0049F56F
0049F554  |>  0FBE42 01     movsx   eax, byte ptr [edx+1]         ;  // '$' (24) into eax
0049F558  |.  0FBE0A        movsx   ecx, byte ptr [edx]           ;  // '.' (2E) into ecx
0049F55B  |.  0FBE52 02     movsx   edx, byte ptr [edx+2]         ;  // 't' (74) into edx
0049F55F  |.  C1E0 04       shl     eax, 4                        ;  // eax shifted left by 4 = 00000240
0049F562  |.  0BC1          or      eax, ecx                      ;  // eax OR ecx = 0000026E
0049F564  |.  C1E0 10       shl     eax, 10                       ;  // eax shifted left by 10h = 026E0000
0049F567  |.  0BC2          or      eax, edx                      ;  // eax OR edx = 026E0074
0049F569  |.  03C0          add     eax, eax                      ;  // eax+eax = 04DC00E8
0049F56B  |.  03C0          add     eax, eax                      ;  // eax+eax = 09B801D0
0049F56D  |.  03C0          add     eax, eax                      ;  // eax+eax = 137003A0
0049F56F  |>  8B4C24 0C     mov     ecx, dword ptr [esp+C]        ;  // 0000000E into ecx
0049F573  |.  8B5424 08     mov     edx, dword ptr [esp+8]        ;  // 00F3D934 into edx
0049F577  |.  51            push    ecx                           ;  // push ecx
0049F578  |.  52            push    edx                           ;  // push edx
0049F579  |.  50            push    eax                           ;  // push eax
0049F57A  |.  E8 71FEFFFF   call    0049F3F0                      ;  // step in to continue the analysis; return value: EAX=82890BDE
0049F57F  |.  8BC8          mov     ecx, eax                      ;  // eax into ecx
0049F581  |.  C1E8 09       shr     eax, 9                        ;  // eax shifted right by 9 = 00414485
0049F584  |.  25 00F87F00   and     eax, 7FF800                   ;  // eax AND 7FF800 = 414000
0049F589  |.  8BD1          mov     edx, ecx                      ;  // ecx into edx
0049F58B  |.  81E2 80070000 and     edx, 780                      ;  // edx AND 780 = 00000380
0049F591  |.  0BC2          or      eax, edx                      ;  // eax OR edx = 00414380
0049F593  |.  8BD1          mov     edx, ecx                      ;  // ecx into edx
0049F595  |.  8BF1          mov     esi, ecx                      ;  // ecx into esi
0049F597  |.  C1EA 0B       shr     edx, 0B                       ;  // edx shifted right by 0Bh = 105121
0049F59A  |.  83E6 7F       and     esi, 7F                       ;  // esi AND 7F = 0000005E
0049F59D  |.  C1E6 09       shl     esi, 9                        ;  // esi shifted left by 9 = 0000BC00
0049F5A0  |.  81E2 FF010000 and     edx, 1FF                      ;  // edx AND 1FF = 00000121
0049F5A6  |.  C1E8 07       shr     eax, 7                        ;  // eax shifted right by 7 = 00008287
0049F5A9  |.  0BD6          or      edx, esi                      ;  // edx OR esi = 0000BD21
0049F5AB  |.  0FB7C9        movzx   ecx, cx                       ;  // ecx = 00000BDE
0049F5AE  |.  83C4 0C       add     esp, 0C                       ;  // 00F3D8B8+0C = 00F3D8C4
0049F5B1  |.  33C2          xor     eax, edx                      ;  // eax XOR edx = 00003FA6
0049F5B3  |.  33C1          xor     eax, ecx                      ;  // eax XOR ecx = 00003478
0049F5B5  |.  5E            pop     esi
0049F5B6  \.  C3            retn                                  ;  //eax的值为3478
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆跟进去继续分析☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F3F0  /$  56            push    esi                           ;  burnings.004B8DF1
0049F3F1  |.  8B7424 0C     mov     esi, dword ptr [esp+C]        ;  esi=00F3F8F0: 2nd argument, pointer to the bytes to hash
0049F3F5  |.  57            push    edi
0049F3F6  |.  8B7C24 0C     mov     edi, dword ptr [esp+C]        ;  edi=137003A0: 1st argument, the seed
0049F3FA  |.  0FB7CF        movzx   ecx, di                       ;  ecx=000003A0: low half of the seed, the running "a" sum
0049F3FD  |.  C1EF 10       shr     edi, 10                       ;  137003A0 >> 16 = 00001370: high half of the seed, the running "b" sum
0049F400  |.  85F6          test    esi, esi                      ;  NULL buffer?
0049F402  |.  75 06         jnz     short 0049F40A
0049F404  |.  5F            pop     edi
0049F405  |.  8D46 01       lea     eax, dword ptr [esi+1]        ;  yes: return 1
0049F408  |.  5E            pop     esi
0049F409  |.  C3            retn
0049F40A  |>  53            push    ebx
0049F40B  |.  8B5C24 18     mov     ebx, dword ptr [esp+18]       ;  3rd argument, the length 0E, into ebx
0049F40F  |.  85DB          test    ebx, ebx
0049F411  |.  0F86 05010000 jbe     0049F51C                      ;  zero length: return the seed unchanged
0049F417  |.  55            push    ebp
0049F418  |.  EB 06         jmp     short 0049F420
0049F41A  |   8D9B 00000000 lea     ebx, dword ptr [ebx]          ;  alignment padding
0049F420  |>  81FB B0150000 /cmp     ebx, 15B0                    ;  block loop: at most 15B0 (5552) bytes are summed between two reductions
0049F426  |.  8BC3          |mov     eax, ebx                     ;  0E into eax: size of this block
0049F428  |.  72 05         |jb      short 0049F42F
0049F42A  |.  B8 B0150000   |mov     eax, 15B0
0049F42F  |>  2BD8          |sub     ebx, eax                     ;  ebx-eax=0: bytes left after this block
0049F431  |.  83F8 10       |cmp     eax, 10                      ;  fewer than 16 bytes in the block?
0049F434  |.  0F8C A1000000 |jl      0049F4DB                     ;  yes: skip the unrolled loop
0049F43A  |.  8BD0          |mov     edx, eax
0049F43C  |.  C1EA 04       |shr     edx, 4                       ;  edx = number of 16-byte groups
0049F43F  |.  8BEA          |mov     ebp, edx
0049F441  |.  F7DD          |neg     ebp
0049F443  |.  C1E5 04       |shl     ebp, 4
0049F446  |.  03C5          |add     eax, ebp                     ;  eax = bytes left over after the 16-byte groups
0049F448  |.  EB 06         |jmp     short 0049F450
0049F44A  |   8D9B 00000000 |lea     ebx, dword ptr [ebx]         ;  alignment padding
0049F450  |>  0FB62E        |/movzx   ebp, byte ptr [esi]         ;  16-way unrolled loop: for every byte, a += byte (ecx) and then b += a (edi)
0049F453  |.  03CD          ||add     ecx, ebp
0049F455  |.  0FB66E 01     ||movzx   ebp, byte ptr [esi+1]
0049F459  |.  03F9          ||add     edi, ecx
0049F45B  |.  03CD          ||add     ecx, ebp
0049F45D  |.  0FB66E 02     ||movzx   ebp, byte ptr [esi+2]
0049F461  |.  03F9          ||add     edi, ecx
0049F463  |.  03CD          ||add     ecx, ebp
0049F465  |.  0FB66E 03     ||movzx   ebp, byte ptr [esi+3]
0049F469  |.  03F9          ||add     edi, ecx
0049F46B  |.  03CD          ||add     ecx, ebp
0049F46D  |.  0FB66E 04     ||movzx   ebp, byte ptr [esi+4]
0049F471  |.  03F9          ||add     edi, ecx
0049F473  |.  03CD          ||add     ecx, ebp
0049F475  |.  0FB66E 05     ||movzx   ebp, byte ptr [esi+5]
0049F479  |.  03F9          ||add     edi, ecx
0049F47B  |.  03CD          ||add     ecx, ebp
0049F47D  |.  0FB66E 06     ||movzx   ebp, byte ptr [esi+6]
0049F481  |.  03F9          ||add     edi, ecx
0049F483  |.  03CD          ||add     ecx, ebp
0049F485  |.  0FB66E 07     ||movzx   ebp, byte ptr [esi+7]
0049F489  |.  03F9          ||add     edi, ecx
0049F48B  |.  03CD          ||add     ecx, ebp
0049F48D  |.  0FB66E 08     ||movzx   ebp, byte ptr [esi+8]
0049F491  |.  03F9          ||add     edi, ecx
0049F493  |.  03CD          ||add     ecx, ebp
0049F495  |.  0FB66E 09     ||movzx   ebp, byte ptr [esi+9]
0049F499  |.  03F9          ||add     edi, ecx
0049F49B  |.  03CD          ||add     ecx, ebp
0049F49D  |.  0FB66E 0A     ||movzx   ebp, byte ptr [esi+A]
0049F4A1  |.  03F9          ||add     edi, ecx
0049F4A3  |.  03CD          ||add     ecx, ebp
0049F4A5  |.  0FB66E 0B     ||movzx   ebp, byte ptr [esi+B]
0049F4A9  |.  03F9          ||add     edi, ecx
0049F4AB  |.  03CD          ||add     ecx, ebp
0049F4AD  |.  0FB66E 0C     ||movzx   ebp, byte ptr [esi+C]
0049F4B1  |.  03F9          ||add     edi, ecx
0049F4B3  |.  03CD          ||add     ecx, ebp
0049F4B5  |.  0FB66E 0D     ||movzx   ebp, byte ptr [esi+D]
0049F4B9  |.  03F9          ||add     edi, ecx
0049F4BB  |.  03CD          ||add     ecx, ebp
0049F4BD  |.  0FB66E 0E     ||movzx   ebp, byte ptr [esi+E]
0049F4C1  |.  03F9          ||add     edi, ecx
0049F4C3  |.  03CD          ||add     ecx, ebp
0049F4C5  |.  0FB66E 0F     ||movzx   ebp, byte ptr [esi+F]
0049F4C9  |.  03F9          ||add     edi, ecx
0049F4CB  |.  03CD          ||add     ecx, ebp
0049F4CD  |.  03F9          ||add     edi, ecx
0049F4CF  |.  83C6 10       ||add     esi, 10                     ;  next 16 bytes
0049F4D2  |.  83EA 01       ||sub     edx, 1
0049F4D5  |.^ 0F85 75FFFFFF |\jnz     0049F450
0049F4DB  |>  85C0          |test    eax, eax                     ;  any leftover bytes?
0049F4DD  |.  74 10         |je      short 0049F4EF
0049F4DF  |.  90            |nop
0049F4E0  |>  0FB616        |/movzx   edx, byte ptr [esi]         ;  byte loop over the leftovers (here all 14 bytes); EDX takes 6A,BE,49,EA,A3,4B,B8,6D,F0,6E,92,BF,45,DC in turn
0049F4E3  |.  03CA          ||add     ecx, edx                    ;  a += byte: 3A0+6A=40A, 4C8, 511, 5FB, 69E, 6E9, 7A1, 80E, 8FE, 96C, 9FE, ABD, B02, BDE
0049F4E5  |.  83C6 01       ||add     esi, 1                      ;  advance to the next byte: F3F8F0+1=F3F8F1, F3F8F2 ... 00F3F8FE
0049F4E8  |.  03F9          ||add     edi, ecx                    ;  b += a: 1370+40A=177A, 1C42, 2153, 274E, 2DEC, 34D5, 3C76, 4484, 4D82, 56EE, 60EC, 6BA9, 76AB, 8289
0049F4EA  |.  83E8 01       ||sub     eax, 1                      ;  EAX-1: loop counter, the loop runs 14 times
0049F4ED  |.^ 75 F1         |\jnz     short 0049F4E0              ;  loop; on exit eax=0, edi=00008289
0049F4EF  |>  B8 71800780   |mov     eax, 80078071                ;  80078071 into eax: fixed-point reciprocal used to divide by FFF1 (65521)
0049F4F4  |.  F7E1          |mul     ecx                          ;  EDX:EAX = 80078071*00000BDE = 000005EF:59063CFE
0049F4F6  |.  C1EA 0F       |shr     edx, 0F                      ;  000005EF >> 15 = 0, i.e. ecx / FFF1
0049F4F9  |.  69D2 0F00FFFF |imul    edx, edx, FFFF000F           ;  quotient * -FFF1 = 0
0049F4FF  |.  03CA          |add     ecx, edx                     ;  ecx = a mod FFF1 = 00000BDE
0049F501  |.  B8 71800780   |mov     eax, 80078071
0049F506  |.  F7E7          |mul     edi                          ;  EDX:EAX = 80078071*00008289 = 00004148:533D1E79
0049F508  |.  C1EA 0F       |shr     edx, 0F                      ;  00004148 >> 15 = 0, i.e. edi / FFF1
0049F50B  |.  69D2 0F00FFFF |imul    edx, edx, FFFF000F           ;  quotient * -FFF1 = 0
0049F511  |.  03FA          |add     edi, edx                     ;  edi = b mod FFF1 = 00008289
0049F513  |.  85DB          |test    ebx, ebx                     ;  more blocks left?
0049F515  |.^ 0F87 05FFFFFF \ja      0049F420
0049F51B  |.  5D            pop     ebp
0049F51C  |>  8BC7          mov     eax, edi                      ;  eax=00008289
0049F51E  |.  5B            pop     ebx
0049F51F  |.  C1E0 10       shl     eax, 10                       ;  00008289 << 16 = 82890000
0049F522  |.  5F            pop     edi
0049F523  |.  0BC1          or      eax, ecx                      ;  82890000 | 00000BDE = 82890BDE
0049F525  |.  5E            pop     esi
0049F526  \.  C3            retn                                  ;  returns EAX = 82890BDE
This routine is zlib's adler32(adler, buf, len): ecx and edi are the Adler "a" and "b" sums, 15B0 (5552) is zlib's NMAX block size, the 16-way unrolled loop is its DO16 macro, and the mul 80078071 / shr edx,0F / imul edx,FFFF000F sequence is the compiler's strength-reduced modulo 65521 (FFF1). The only difference from a plain Adler-32 is the start value: instead of 1 the caller passes the seed 137003A0 built from ".$t".
Trial key entered: 123456789012345678901234567890
First trim the trial key to 20 characters and, to make the algorithm easier to follow, use a different character in every position: 1234567890ABCDEFGHIJ. Then adjust it again to 123456-890ABC-EFGHIJ,
and once more to BRS956-890ABC-EFGHIJ.
Working registration key after the analysis: BRS956-890A34-EFG78J; the success message reads "The registration key is valid. Thank you!"

Algorithm summary:
1. The key must be 20 characters long.
2. Characters 7 and 14 must be '-', so the key has the form XXXXXX-XXXXXX-XXXXXX (three groups of six).
3. The first four characters must be BRS9.
4. Of the string ".$tf>wse453R754/&%!))8<>d9e12bb" only the first three characters ".$t" (hex: . → 2E, $ → 24, t → 74) take part in the computation, which produces characters 12-13 and 18-19 of the genuine key to be compared with the trial key. With the trial key above the routine returns 3478, and the working key indeed carries 34 at positions 12-13 and 78 at positions 18-19.
5. All of the analysis has now been written out step by step, but with my limited ability I still cannot express the algorithm as a concise "formula"; I am still working on it. I simply have not analysed enough yet; once I have done more, perhaps my write-ups will read better. Make do with this for now, and I hope the experts with some spare time can give a few pointers so this rookie can learn too ^_^
6. The registration information is stored in the registry; the path is too long, so I will not paste it.
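The two routines traced above can be written out as a short program. What follows is an added example of my own, not code from the post or from Ashampoo: it re-implements the seed construction at 0049F554, the hash at 0049F3F0 and the 16-bit fold at 0049F57F, and reproduces the values observed in the debugger (seed 137003A0, hash 82890BDE, check value 3478). Because the hash is zlib's adler32() with the seed as start value, the example cross-checks itself against Python's zlib.adler32 and also handles inputs longer than the 5552-byte NMAX block, which the 14-byte trace never exercises. The 14 hashed bytes are copied from the trace exactly as observed; how the program derives them from the key characters is not shown on the page, so the example does not attempt that. The placement of the four hex digits into key positions 12-13 and 18-19 is an assumption drawn from comparing the working key with the trial key.

```python
"""Re-implementation of the serial-check hash traced in the OllyDbg listing.
Added example, not code from the post or from Ashampoo."""
import zlib
from typing import Optional

MOD_ADLER = 65521   # 0xFFF1: the divisor behind "mul 80078071 / shr edx,0F" at 0049F4EF
NMAX = 5552         # 0x15B0: the block limit compared against ebx at 0049F420

# Constructed from the page: the first three characters of ".$tf>wse453R754/&%!))8<>d9e12bb"
CONST_PREFIX = b".$t"

# Constructed from the page: the 14 bytes the byte loop at 0049F4E0 consumed.
# How the program derives them from the key characters is not shown on the page.
OBSERVED_BUF = bytes([0x6A, 0xBE, 0x49, 0xEA, 0xA3, 0x4B, 0xB8, 0x6D,
                      0xF0, 0x6E, 0x92, 0xBF, 0x45, 0xDC])


def _movsx(b: int) -> int:
    """Sign-extend one byte the way movsx does (no effect on ASCII, kept for fidelity)."""
    return b - 0x100 if b & 0x80 else b


def seed_from_prefix(s: bytes) -> int:
    """0049F54B..0049F56D: a string shorter than 3 gives seed 0; otherwise pack
    (s[1] << 4) | s[0], shift that up 16 bits, OR in s[2], then triple add eax,eax (*8)."""
    if len(s) < 3:
        return 0
    c0, c1, c2 = (_movsx(x) for x in s[:3])
    v = ((c1 << 4) | c0) & 0xFFFFFFFF
    v = ((v << 16) | c2) & 0xFFFFFFFF
    return (v << 3) & 0xFFFFFFFF


def adler32_seeded(seed: int, data: Optional[bytes]) -> int:
    """0049F3F0: zlib's adler32(adler, buf, len) with the caller's seed as start value.
    ecx holds "a" (low 16 bits of the seed), edi holds "b" (high 16 bits)."""
    if data is None:               # test esi,esi -> lea eax,[esi+1]: NULL buffer returns 1
        return 1
    a = seed & 0xFFFF
    b = (seed >> 16) & 0xFFFF
    if not data:                   # jbe 0049F51C: zero length returns the seed unchanged
        return ((b << 16) | a) & 0xFFFFFFFF
    pos, remaining = 0, len(data)
    while remaining:
        n = min(remaining, NMAX)   # cmp ebx,15B0: largest block whose sums cannot overflow 32 bits
        remaining -= n
        # The 16-way unrolled loop at 0049F450 and the byte loop at 0049F4E0 do the same work:
        for byte in data[pos:pos + n]:
            a += byte              # add ecx, ebp / add ecx, edx
            b += a                 # add edi, ecx
        pos += n
        a %= MOD_ADLER             # mul 80078071 / shr edx,0F / imul edx,FFFF000F / add
        b %= MOD_ADLER
    return ((b << 16) | a) & 0xFFFFFFFF


def fold16(h: int) -> int:
    """0049F57F..0049F5B3: fold the 32-bit hash into 16 bits with shifts, masks and XOR."""
    hi = (((h >> 9) & 0x7FF800) | (h & 0x780)) >> 7
    mid = ((h >> 11) & 0x1FF) | ((h & 0x7F) << 9)
    lo = h & 0xFFFF                # movzx ecx, cx
    return (hi ^ mid ^ lo) & 0xFFFF


def check_value(prefix: bytes, buf: bytes) -> int:
    """The whole pipeline as the caller at 0049F545 runs it."""
    return fold16(adler32_seeded(seed_from_prefix(prefix), buf))


def matches_zlib(seed: int, buf: bytes) -> bool:
    """Cross-check the hand-written hash against the real zlib adler32 with the same start value."""
    return adler32_seeded(seed, buf) == zlib.adler32(buf, seed)


def place_check_digits(skeleton: str, value: int) -> str:
    """Assumption drawn from the page's working key BRS956-890A34-EFG78J versus the trial key
    BRS956-890ABC-EFGHIJ: the check value is written as four hex digits, the first pair at
    positions 12-13 and the second pair at 18-19 (1-based) of a XXXXXX-XXXXXX-XXXXXX key."""
    if len(skeleton) != 20 or skeleton[6] != "-" or skeleton[13] != "-":
        raise ValueError("key must be 20 chars with '-' at positions 7 and 14")
    digits = f"{value:04X}"
    k = list(skeleton)
    k[11:13] = digits[:2]
    k[17:19] = digits[2:]
    return "".join(k)


if __name__ == "__main__":
    seed = seed_from_prefix(CONST_PREFIX)
    h = adler32_seeded(seed, OBSERVED_BUF)
    print(f"seed={seed:08X} hash={h:08X} check={fold16(h):04X}")
    print(place_check_digits("BRS956-890ABC-EFGHIJ", fold16(h)))
```

Running it prints seed=137003A0 hash=82890BDE check=3478 and then BRS956-890A34-EFG78J, matching the trace and the working key. Everything that happens before the hash, namely how the 14 bytes are produced from the other key characters and whether the BRS9 prefix check and the dash positions feed into that buffer, still has to be recovered from the part of the listing that precedes this section.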


Since the pasted code is rather long, I am attaching my OD analysis notes; I hope friends who are interested will study it together!
Ashampoo Burning Studio v9.21算法分析.rar

The article is very long, so I tidied it up with the code plugin; I hope it is a little easier on the eyes for everyone ^_^ :D:


Latest replies (3)
#2  2010-2-7 16:18
Haven't seen an algorithm analysis on the forum in a long while; came over to savor one again, heh.
#3  2010-2-15 18:12
Excellent! Something to learn from!
#4  2010-2-15 18:58
Downloading it to study. Happy New Year.