某工程软件注册算法简单分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

某工程软件注册算法简单分析

发表于: 2005-5-4 04:03 4469

某工程软件注册算法简单分析

ikki

2005-5-4 04:03

4469

软件采用机器码->注册码方式注册。
1,根据机器码计算出32个hex数值,形式为:
7801 xxxx xxxx xxxx xxxx xxxx xxxxxxxx
第5-24位由机器码通过查表等计算得到，具体如下:

00520DD9 >  8B88 9C160000    mov ecx,dword ptr ds:[eax+169C]             ; loc_520DD9
00520DDF 8B5C24 04       mov ebx,dword ptr ss:[esp+4]
00520DE3 0FB73459          movzx esi,word ptr ds:[ecx+ebx*2]
00520DE7 8B88 90160000    mov ecx,dword ptr ds:[eax+1690]
00520DED 8B5C24 04       mov ebx,dword ptr ss:[esp+4]
00520DF1 0FB63C19          movzx edi,byte ptr ds:[ecx+ebx]
00520DF5 FF4424 04       inc dword ptr ss:[esp+4]
00520DF9 85F6             test esi,esi
00520DFB 0F85 AD000000    jnz <SDQD.loc_520EAE>
00520E01 0FB75CBA 02       movzx ebx,word ptr ds:[edx+edi*4+2]          ; 查表(edx=5ccaea)

005CCAEA  08 00 8C 00 08 00 4C 00 08 00 CC 00 08 00 2C 00  .?.L..?.,.
005CCAFA  08 00 AC 00 08 00 6C 00 08 00 EC 00 08 00 1C 00  .?.l..?..
005CCB0A  08 00 9C 00 08 00 5C 00 08 00 DC 00 08 00 3C 00  .?.\..?.<.
005CCB1A  08 00 BC 00 08 00 7C 00 08 00 FC 00 08 00 02 00  .?.|..?..
005CCB2A  08 00 82 00 08 00 42 00 08 00 C2 00 08 00 22 00  .?.B..?.".
005CCB3A  08 00 A2 00 08 00 62 00 08 00 E2 00 08 00 12 00  .?.b..?..
005CCB4A  08 00 92 00 08 00 52 00 08 00 D2 00 08 00 32 00  .?.R..?.2.
005CCB5A  08 00 B2 00 08 00 72 00 08 00 F2 00 08 00 0A 00  .?.r..?...
005CCB6A  08 00 8A 00 08 00 4A 00 08 00 CA 00 08 00 2A 00  .?.J..?.*.
005CCB7A  08 00 AA 00 08 00 6A 00 08 00 EA 00 08 00 1A 00  .?.j..?..
005CCB8A  08 00 9A 00 08 00 5A 00 08 00 DA 00 08 00 3A 00  .?.Z..?.:.
005CCB9A  08 00 BA 00 08 00 7A 00 08 00 FA 00 08 00 06 00  .?.z..?..
005CCBAA  08 00 86 00 08 00 46 00 08 00 C6 00 08 00 26 00  .?.F..?.&.
005CCBBA  08 00 A6 00 08 00 66 00 08 00 E6 00 08 00 16 00  .?.f..?..
005CCBCA  08 00 96 00 08 00 56 00 08 00 D6 00 08 00 36 00  .?.V..?.6.
005CCBDA  08 00 B6 00 08 00 76 00 08 00 F6 00 08 00 0E 00  .?.v..?..
005CCBEA  08 00 8E 00 08 00 4E 00 08 00 CE 00 08 00 2E 00  .?.N..?...
005CCBFA  08 00 AE 00 08 00 6E 00 08 00 EE 00 08 00 1E 00  .?.n..?..
005CCC0A  08 00 9E 00 08 00 5E 00 08 00 DE 00 08 00 3E 00  .?.^..?.>.
005CCC1A  08 00 BE 00 08 00 7E 00 08 00 FE 00 08 00 01 00  .?.~..?..
005CCC2A  08 00 81 00 08 00 41 00 08 00 C1 00 08 00 21 00  .?.A..?.!.
005CCC3A  08 00 A1 00 08 00 61 00 08 00 E1 00 08 00 11 00  .?.a..?..
005CCC4A  08 00 91 00 08 00 51 00 08 00 D1 00 08 00 31 00  .?.Q..?.1.
005CCC5A  08 00 B1 00 08 00 71 00 08 00 F1 00 08 00 09 00  .?.q..?...
005CCC6A  08 00 89 00 08 00 49 00 08 00 C9 00 08 00 29 00  .?.I..?.).
005CCC7A  08 00 A9 00 08 00 69 00 08 00 E9 00 08 00 19 00  .?.i..?..
005CCC8A  08 00 99 00 08 00 59 00 08 00 D9 00 08 00 39 00  .?.Y..?.9.
005CCC9A  08 00 B9 00 08 00 79 00 08 00 F9 00 08 00 05 00  .?.y..?..
005CCCAA  08 00 85 00 08 00 45 00 08 00 C5 00 08 00 25 00  .?.E..?.%.
005CCCBA  08 00 A5 00 08 00 65 00 08 00 E5 00 08 00 15 00  .?.e..?..
005CCCCA  08 00 95 00 08 00 55 00 08 00 D5 00 08 00 35 00  .?.U..?.5.
005CCCDA  08 00 B5 00 08 00 75 00 08 00 F5 00 08 00 0D 00  .?.u..?...
005CCCEA  08 00 8D 00 08 00 4D 00 08 00 CD 00 08 00 2D 00  .?.M..?.-.
005CCCFA  08 00 AD 00 08 00 6D 00 08 00 ED 00 08 00 1D 00  .?.m..?..
005CCD0A  08 00 9D 00 08 00 5D 00 08 00 DD 00 08 00 3D 00  .?.]..?.=.
005CCD1A  08 00 BD 00 08 00 7D 00 08 00 FD 00 08 00 13 00  .?.}..?..
005CCD2A  09 00 13 01 09 00 93 00 09 00 93 01 09 00 53 00  ....?..?..S.
005CCD3A  09 00 53 01 09 00 D3 00 09 00 D3 01 09 00 33 00  ..S..?..?..3.
005CCD4A  09 00 33 01 09 00 B3 00 09 00 B3 01 09 00 73 00  ..3..?..?..s.
005CCD5A  09 00 73 01 09 00 F3 00 09 00 F3 01 09 00 0B 00  ..s..?..?...
005CCD6A  09 00 0B 01 09 00 8B 00 09 00 8B 01 09 00 4B 00  ....?..?..K.
005CCD7A  09 00 4B 01 09 00 CB 00 09 00 CB 01 09 00 2B 00  ..K..?..?..+.
005CCD8A  09 00 2B 01 09 00 AB 00 09 00 AB 01 09 00 6B 00  ..+..?..?..k.
005CCD9A  09 00 6B 01 09 00 EB 00 09 00 EB 01 09 00 1B 00  ..k..?..?...
005CCDAA  09 00 1B 01 09 00 9B 00 09 00 9B 01 09 00 5B 00  ....?..?..[.
005CCDBA  09 00 5B 01 09 00 DB 00 09 00 DB 01 09 00 3B 00  ..[..?..?..;.
005CCDCA  09 00 3B 01 09 00 BB 00 09 00 BB 01 09 00 7B 00  ..;..?..?..{.
005CCDDA  09 00 7B 01 09 00 FB 00 09 00 FB 01 09 00 07 00  ..{..?..?...
005CCDEA  09 00 07 01 09 00 87 00 09 00 87 01 09 00 47 00  ....?..?..G.
005CCDFA  09 00 47 01 09 00 C7 00 09 00 C7 01 09 00 27 00  ..G..?..?..'.
005CCE0A  09 00 27 01 09 00 A7 00 09 00 A7 01 09 00 67 00  ..'..?..?..g.
005CCE1A  09 00 67 01 09 00 E7 00 09 00 E7 01 09 00 17 00  ..g..?..?...
005CCE2A  09 00 17 01 09 00 97 00 09 00 97 01 09 00 57 00  ....?..?..W.
005CCE3A  09 00 57 01 09 00 D7 00 09 00 D7 01 09 00 37 00  ..W..?..?..7.
005CCE4A  09 00 37 01 09 00 B7 00 09 00 B7 01 09 00 77 00  ..7..?..?..w.
005CCE5A  09 00 77 01 09 00 F7 00 09 00 F7 01 09 00 0F 00  ..w..?..?...
005CCE6A  09 00 0F 01 09 00 8F 00 09 00 8F 01 09 00 4F 00  ....?..?..O.
005CCE7A  09 00 4F 01 09 00 CF 00 09 00 CF 01 09 00 2F 00  ..O..?..?../.
005CCE8A  09 00 2F 01 09 00 AF 00 09 00 AF 01 09 00 6F 00  ../..?..?..o.
005CCE9A  09 00 6F 01 09 00 EF 00 09 00 EF 01 09 00 1F 00  ..o..?..?...
005CCEAA  09 00 1F 01 09 00 9F 00 09 00 9F 01 09 00 5F 00  ....?..?.._.
005CCEBA  09 00 5F 01 09 00 DF 00 09 00 DF 01 09 00 3F 00  .._..?..?..?.
005CCECA  09 00 3F 01 09 00 BF 00 09 00 BF 01 09 00 7F 00  ..?..?..?...
005CCEDA  09 00 7F 01 09 00 FF 00 09 00 FF 01 09          ....?..?.

00520E06 B9 10000000       mov ecx,10
00520E0B 2BCB             sub ecx,ebx
00520E0D 3B88 B4160000    cmp ecx,dword ptr ds:[eax+16B4]             ;起判断是否计算了2位机器码的作用
00520E13 7D 7A             jge short <SDQD.loc_520E8F>
00520E15 0FB734BA          movzx esi,word ptr ds:[edx+edi*4]
00520E19 8BFE             mov edi,esi
00520E1B 8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]
00520E21 8BEF             mov ebp,edi
00520E23 83EB 10          sub ebx,10
00520E26 66:D3E5          shl bp,cl
00520E29 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520E30 0FB7F7          movzx esi,di
00520E33 8B48 14          mov ecx,dword ptr ds:[eax+14]
00520E36 FF40 14          inc dword ptr ds:[eax+14]
00520E39 8B68 08          mov ebp,dword ptr ds:[eax+8]
00520E3C 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
00520E40 51                push ecx
00520E41 5D                pop ebp
00520E42 8A88 B0160000    mov cl,byte ptr ds:[eax+16B0]
00520E48 80E1 FF          and cl,0FF
00520E4B 884D 00          mov byte ptr ss:[ebp],cl                   ；写入计算结果的高位
00520E4E 8B48 14          mov ecx,dword ptr ds:[eax+14]
00520E51 FF40 14          inc dword ptr ds:[eax+14]
00520E54 8B68 08          mov ebp,dword ptr ds:[eax+8]
00520E57 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
00520E5B 51                push ecx
00520E5C 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
00520E63 5D                pop ebp
00520E64 C1F9 08          sar ecx,8
00520E67 884D 00          mov byte ptr ss:[ebp],cl                   ；写入计算结果的低位
00520E6A B9 10000000       mov ecx,10
00520E6F 2B88 B4160000    sub ecx,dword ptr ds:[eax+16B4]             ;
00520E75 D3FE             sar esi,cl
00520E77 66:89B0 B0160000 mov word ptr ds:[eax+16B0],si
00520E7E 0398 B4160000    add ebx,dword ptr ds:[eax+16B4]
00520E84 8998 B4160000    mov dword ptr ds:[eax+16B4],ebx
00520E8A E9 22030000       jmp <SDQD.loc_5211B1>
00520E8F >  66:8B34BA       mov si,word ptr ds:[edx+edi*4]             ; 查表
00520E93 8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]             ;ds:[eax+16B4]初始值为3
00520E99 66:D3E6          shl si,cl
00520E9C 66:09B0 B0160000 or word ptr ds:[eax+16B0],si
00520EA3 0198 B4160000    add dword ptr ds:[eax+16B4],ebx
00520EA9 E9 03030000       jmp <SDQD.loc_5211B1>
00520EAE >  33DB             xor ebx,ebx                                  ; loc_520EAE
00520EB0 8A9F 1BD35C00    mov bl,byte ptr ds:[edi+5CD31B]
00520EB6 0FB78C9A 06040000  movzx ecx,word ptr ds:[edx+ebx*4+406]
00520EBE 894C24 08       mov dword ptr ss:[esp+8],ecx
00520EC2 B9 10000000       mov ecx,10
00520EC7 2B4C24 08       sub ecx,dword ptr ss:[esp+8]
00520ECB 3B88 B4160000    cmp ecx,dword ptr ds:[eax+16B4]
00520ED1 0F8D 86000000    jge <SDQD.loc_520F5D>
00520ED7 0FB78C9A 04040000  movzx ecx,word ptr ds:[edx+ebx*4+404]
00520EDF 894C24 0C       mov dword ptr ss:[esp+C],ecx
00520EE3 66:8B6C24 0C    mov bp,word ptr ss:[esp+C]
00520EE8 8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]
00520EEE 66:D3E5          shl bp,cl
00520EF1 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520EF8 8B48 14          mov ecx,dword ptr ds:[eax+14]
00520EFB FF40 14          inc dword ptr ds:[eax+14]
00520EFE 8B68 08          mov ebp,dword ptr ds:[eax+8]
00520F01 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
00520F05 51                push ecx
00520F06 5D                pop ebp
00520F07 8A88 B0160000    mov cl,byte ptr ds:[eax+16B0]
00520F0D 80E1 FF          and cl,0FF
00520F10 884D 00          mov byte ptr ss:[ebp],cl
00520F13 8B48 14          mov ecx,dword ptr ds:[eax+14]
00520F16 FF40 14          inc dword ptr ds:[eax+14]
00520F19 8B68 08          mov ebp,dword ptr ds:[eax+8]
00520F1C 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
00520F20 51                push ecx
00520F21 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
00520F28 5D                pop ebp
00520F29 C1F9 08          sar ecx,8
00520F2C 884D 00          mov byte ptr ss:[ebp],cl
00520F2F B9 10000000       mov ecx,10
00520F34 0FB76C24 0C       movzx ebp,word ptr ss:[esp+C]
00520F39 2B88 B4160000    sub ecx,dword ptr ds:[eax+16B4]
00520F3F D3FD             sar ebp,cl
00520F41 66:89A8 B0160000 mov word ptr ds:[eax+16B0],bp
00520F48 8B4C24 08       mov ecx,dword ptr ss:[esp+8]
00520F4C 83E9 10          sub ecx,10
00520F4F 0388 B4160000    add ecx,dword ptr ds:[eax+16B4]
00520F55 8988 B4160000    mov dword ptr ds:[eax+16B4],ecx
00520F5B EB 22             jmp short <SDQD.loc_520F7F>
00520F5D >  66:8BAC9A 04040000 mov bp,word ptr ds:[edx+ebx*4+404]          ; loc_520F5D
00520F65 8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]
00520F6B 66:D3E5          shl bp,cl
00520F6E 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520F75 8B4C24 08       mov ecx,dword ptr ss:[esp+8]
00520F79 0188 B4160000    add dword ptr ds:[eax+16B4],ecx
00520F7F >  8B0C9D B0C95C00 mov ecx,dword ptr ds:[ebx*4+5CC9B0]          ; loc_520F7F
00520F86 85C9             test ecx,ecx
00520F88 0F84 9F000000    je <SDQD.loc_52102D>
00520F8E 2B3C9D E0CF5C00 sub edi,dword ptr ds:[ebx*4+5CCFE0]
00520F95 8BD9             mov ebx,ecx
00520F97 B9 10000000       mov ecx,10
00520F9C 2BCB             sub ecx,ebx
00520F9E 3B88 B4160000    cmp ecx,dword ptr ds:[eax+16B4]
00520FA4 7D 71             jge short <SDQD.loc_521017>
00520FA6 8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]
00520FAC 8BEF             mov ebp,edi
00520FAE 66:D3E5          shl bp,cl
00520FB1 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520FB8 8B48 14          mov ecx,dword ptr ds:[eax+14]
00520FBB FF40 14          inc dword ptr ds:[eax+14]
00520FBE 8B68 08          mov ebp,dword ptr ds:[eax+8]
00520FC1 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
00520FC5 51                push ecx
00520FC6 8A88 B0160000    mov cl,byte ptr ds:[eax+16B0]
00520FCC 80E1 FF          and cl,0FF
00520FCF 5D                pop ebp
00520FD0 884D 00          mov byte ptr ss:[ebp],cl
00520FD3 8B48 14          mov ecx,dword ptr ds:[eax+14]
00520FD6 FF40 14          inc dword ptr ds:[eax+14]
00520FD9 8B68 08          mov ebp,dword ptr ds:[eax+8]
00520FDC 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
00520FE0 51                push ecx
00520FE1 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
00520FE8 C1F9 08          sar ecx,8
00520FEB 5D                pop ebp
00520FEC 884D 00          mov byte ptr ss:[ebp],cl
00520FEF B9 10000000       mov ecx,10
00520FF4 2B88 B4160000    sub ecx,dword ptr ds:[eax+16B4]
00520FFA 0FB7FF          movzx edi,di
00520FFD D3FF             sar edi,cl
00520FFF 66:89B8 B0160000 mov word ptr ds:[eax+16B0],di
00521006 83EB 10          sub ebx,10
00521009 0398 B4160000    add ebx,dword ptr ds:[eax+16B4]
0052100F 8998 B4160000    mov dword ptr ds:[eax+16B4],ebx
00521015 EB 16             jmp short <SDQD.loc_52102D>
00521017 >  8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]             ; loc_521017
0052101D 66:D3E7          shl di,cl
00521020 66:09B8 B0160000 or word ptr ds:[eax+16B0],di
00521027 0198 B4160000    add dword ptr ds:[eax+16B4],ebx
0052102D >  4E                dec esi                                     ; loc_52102D
0052102E 81FE 00010000    cmp esi,100
00521034 73 08             jnb short <SDQD.loc_52103E>
00521036 8A9E 1BD15C00    mov bl,byte ptr ds:[esi+5CD11B]
0052103C EB 0B             jmp short <SDQD.loc_521049>
0052103E >  8BCE             mov ecx,esi                                  ; loc_52103E
00521040 C1E9 07          shr ecx,7
00521043 8A99 1BD25C00    mov bl,byte ptr ds:[ecx+5CD21B]
00521049 >  81E3 FF000000    and ebx,0FF                                  ; loc_521049
0052104F 8B0C24          mov ecx,dword ptr ss:[esp]
00521052 0FB77C99 02       movzx edi,word ptr ds:[ecx+ebx*4+2]
00521057 B9 10000000       mov ecx,10
0052105C 2BCF             sub ecx,edi
0052105E 3B88 B4160000    cmp ecx,dword ptr ds:[eax+16B4]
00521064 0F8D 81000000    jge <SDQD.loc_5210EB>
0052106A 8B0C24          mov ecx,dword ptr ss:[esp]
0052106D 83EF 10          sub edi,10
00521070 0FB70C99          movzx ecx,word ptr ds:[ecx+ebx*4]
00521074 894C24 10       mov dword ptr ss:[esp+10],ecx
00521078 66:8B6C24 10    mov bp,word ptr ss:[esp+10]
0052107D 8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]
00521083 66:D3E5          shl bp,cl
00521086 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
0052108D 8B48 14          mov ecx,dword ptr ds:[eax+14]
00521090 FF40 14          inc dword ptr ds:[eax+14]
00521093 8B68 08          mov ebp,dword ptr ds:[eax+8]
00521096 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
0052109A 51                push ecx
0052109B 5D                pop ebp
0052109C 8A88 B0160000    mov cl,byte ptr ds:[eax+16B0]
005210A2 80E1 FF          and cl,0FF
005210A5 884D 00          mov byte ptr ss:[ebp],cl
005210A8 8B48 14          mov ecx,dword ptr ds:[eax+14]
005210AB FF40 14          inc dword ptr ds:[eax+14]
005210AE 8B68 08          mov ebp,dword ptr ds:[eax+8]
005210B1 8D4C0D 00       lea ecx,dword ptr ss:[ebp+ecx]
005210B5 51                push ecx
005210B6 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
005210BD 5D                pop ebp
005210BE C1F9 08          sar ecx,8
005210C1 884D 00          mov byte ptr ss:[ebp],cl
005210C4 B9 10000000       mov ecx,10
005210C9 0FB76C24 10       movzx ebp,word ptr ss:[esp+10]
005210CE 2B88 B4160000    sub ecx,dword ptr ds:[eax+16B4]
005210D4 D3FD             sar ebp,cl
005210D6 66:89A8 B0160000 mov word ptr ds:[eax+16B0],bp
005210DD 03B8 B4160000    add edi,dword ptr ds:[eax+16B4]
005210E3 89B8 B4160000    mov dword ptr ds:[eax+16B4],edi
005210E9 EB 1E             jmp short <SDQD.loc_521109>
005210EB >  8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]             ; loc_5210EB
005210F1 8B2C24          mov ebp,dword ptr ss:[esp]
005210F4 66:8B6C9D 00    mov bp,word ptr ss:[ebp+ebx*4]
005210F9 66:D3E5          shl bp,cl
005210FC 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00521103 01B8 B4160000    add dword ptr ds:[eax+16B4],edi
00521109 >  8B0C9D 24CA5C00 mov ecx,dword ptr ds:[ebx*4+5CCA24]          ; loc_521109
00521110 85C9             test ecx,ecx
00521112 0F84 99000000    je <SDQD.loc_5211B1>
00521118 2B349D 54D05C00 sub esi,dword ptr ds:[ebx*4+5CD054]
0052111F 8BD9             mov ebx,ecx
00521121 B9 10000000       mov ecx,10
00521126 2BCB             sub ecx,ebx
00521128 8BB8 B4160000    mov edi,dword ptr ds:[eax+16B4]
0052112E 3BCF             cmp ecx,edi
00521130 7D 69             jge short <SDQD.loc_52119B>
00521132 8BCF             mov ecx,edi
00521134 8BFE             mov edi,esi
00521136 66:D3E7          shl di,cl
00521139 66:09B8 B0160000 or word ptr ds:[eax+16B0],di
00521140 8B48 14          mov ecx,dword ptr ds:[eax+14]
00521143 FF40 14          inc dword ptr ds:[eax+14]
00521146 8B78 08          mov edi,dword ptr ds:[eax+8]
00521149 8D0C0F          lea ecx,dword ptr ds:[edi+ecx]
0052114C 51                push ecx
0052114D 8A88 B0160000    mov cl,byte ptr ds:[eax+16B0]
00521153 80E1 FF          and cl,0FF
00521156 5F                pop edi
00521157 880F             mov byte ptr ds:[edi],cl
00521159 8B48 14          mov ecx,dword ptr ds:[eax+14]
0052115C FF40 14          inc dword ptr ds:[eax+14]
0052115F 8B78 08          mov edi,dword ptr ds:[eax+8]
00521162 8D0C0F          lea ecx,dword ptr ds:[edi+ecx]
00521165 51                push ecx
00521166 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
0052116D C1F9 08          sar ecx,8
00521170 5F                pop edi
00521171 880F             mov byte ptr ds:[edi],cl
00521173 B9 10000000       mov ecx,10
00521178 2B88 B4160000    sub ecx,dword ptr ds:[eax+16B4]
0052117E 0FB7F6          movzx esi,si
00521181 D3FE             sar esi,cl
00521183 66:89B0 B0160000 mov word ptr ds:[eax+16B0],si
0052118A 83EB 10          sub ebx,10
0052118D 0398 B4160000    add ebx,dword ptr ds:[eax+16B4]
00521193 8998 B4160000    mov dword ptr ds:[eax+16B4],ebx
00521199 EB 16             jmp short <SDQD.loc_5211B1>
0052119B >  8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]             ; loc_52119B
005211A1 66:D3E6          shl si,cl
005211A4 66:09B0 B0160000 or word ptr ds:[eax+16B0],si
005211AB 0198 B4160000    add dword ptr ds:[eax+16B4],ebx
005211B1 >  8B4C24 04       mov ecx,dword ptr ss:[esp+4]                ; loc_5211B1
005211B5 3B88 98160000    cmp ecx,dword ptr ds:[eax+1698]             ; 循环记数
005211BB  ^ 0F82 18FCFFFF    jb <SDQD.loc_520DD9>
这个循环依次计算2位机器码得到一个dword值，为此次计算的结果,8位的机器码，得到
4组dword值,即5-20位.代码比较多，但计算并不复杂.

0052124B >  66:8BB2 00040000 mov si,word ptr ds:[edx+400]                ; 这个值最后一次计算的结果决定
00521252 8B88 B4160000    mov ecx,dword ptr ds:[eax+16B4]
00521258 66:D3E6          shl si,cl
0052125B 66:09B0 B0160000 or word ptr ds:[eax+16B0],si                ;第21-24位.

00521573 >  33D2             xor edx,edx                                  ; //计算最后8个字符
00521575 8A16             mov dl,byte ptr ds:[esi]                   ; //就是计算ascii和和and操作，很简单
00521577 03DA             add ebx,edx
00521579 46                inc esi
0052157A 03FB             add edi,ebx
0052157C 48                dec eax
0052157D  ^ 75 F4             jnz short <SDQD.loc_521573>
0052157F >  B9 F1FF0000       mov ecx,0FFF1                               ; loc_52157F
00521584 8BC3             mov eax,ebx
00521586 33D2             xor edx,edx
00521588 F7F1             div ecx
0052158A 89D3             mov ebx,edx
0052158C B9 F1FF0000       mov ecx,0FFF1
00521591 8BC7             mov eax,edi
00521593 33D2             xor edx,edx
00521595 F7F1             div ecx
00521597 89D7             mov edi,edx
00521599 85ED             test ebp,ebp
0052159B  ^ 0F87 14FFFFFF    ja <SDQD.loc_5214B5>
005215A1 >  8BC7             mov eax,edi                                  ; loc_5215A1
005215A3 C1E0 10          shl eax,10
005215A6 0BC3             or eax,ebx
005215A8 >  5D                pop ebp                                     ; loc_5215A8
005215A9 5F                pop edi
005215AA 5E                pop esi
005215AB 5B                pop ebx
005215AC C3                retn

依次连接上面的结果得到一个32位的hex串(以机器码:85FCF180为例子):
7801B33075737633B4300000087901D6

2,通过hash算法ripemd-128得到以后用到的数据:

0052EAFD 8B45 FC          mov eax,dword ptr ss:[ebp-4]
0052EB00 8D50 18          lea edx,dword ptr ds:[eax+18]
0052EB03 8B45 FC          mov eax,dword ptr ss:[ebp-4]
0052EB06 8B08             mov ecx,dword ptr ds:[eax]                   ; text:qd //(这个字符串估计是地区缩写，固定)
0052EB08 FF51 34          call dword ptr ds:[ecx+34]                   ; ripemd-128(qd)//调用ripemd函数了,
0052EB0B 8B45 FC          mov eax,dword ptr ss:[ebp-4]                ; 有兴趣可以跟进去看

对字符串'qd'进行计算，得到结果:
aa29237be9f07377962eca6c64d85a35
保存做后面的rijndael-128的加密密钥.

初始化...
生成子密钥...

0052C31F 8B45 FC          mov eax,dword ptr ss:[ebp-4]
0052C322 8B50 30          mov edx,dword ptr ds:[eax+30]                ; textbuffer
0052C325 8B45 FC          mov eax,dword ptr ss:[ebp-4]
0052C328 8B08             mov ecx,dword ptr ds:[eax]
0052C32A FF51 2C          call dword ptr ds:[ecx+2C]                   ; rijndael_cipher
0052C32D EB 14             jmp short <SDQD.loc_52C343>

以密钥(hex:aa29237be9f07377962eca6c64d85a35)
对hex:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF加密，
得到:
hex:886179173C19D0EF7A670734D64DAF2B

0052C94F 8B45 FC          mov eax,dword ptr ss:[ebp-4]
0052C952 8B48 24          mov ecx,dword ptr ds:[eax+24]
0052C955 8B45 FC          mov eax,dword ptr ss:[ebp-4]
0052C958 8B50 34          mov edx,dword ptr ds:[eax+34]                ;
[edx]:886179173C19D0EF7A670734D64DAF2B
0052C95B 8B45 F0          mov eax,dword ptr ss:[ebp-10]                ;
[eax]:7801B33075737633B4300000087901D6
0052C95E E8 BDECFFFF       call <SDQD.@Decutil@XORBuffers$qqrpvt1it1> ;按位异或两个32位hex串

结果为:
hex:F060CA27496AA6DCCE570734DE34AEFD?

0052C963 8B55 EC          mov edx,dword ptr ss:[ebp-14]                ; textbuffer
0052C966 8B45 FC          mov eax,dword ptr ss:[ebp-4]
0052C969 8B08             mov ecx,dword ptr ds:[eax]
0052C96B FF51 2C          call dword ptr ds:[ecx+2C]                   ; rijndael_cipher
0052C96E 8B45 FC          mov eax,dword ptr ss:[ebp-4]

以密钥(hex:aa29237be9f07377962eca6c64d85a35)
对hex:F060CA27496AA6DCCE570734DE34AEFD加密，
得到:
hex:B679451F194B692085F038D7092789C0

3,字符转换，得到注册码
hex->str:
0052AB9C 0FB600          movzx eax,byte ptr ds:[eax]                ;

[eax]:
00D1D91C  41 41 43 53 10 00 00 00 08 00 00 00 38 02 0F 00  AACS......8.
00D1D92C  01 00 01 01 00 00 00 00 B6 79 45 1F 19 4B 69 20  .....儿EKi
00D1D93C  85 F0 38 D7 09 27 89 C0                         ?8?'?...

0052AB9F C1E8 04          shr eax,4
0052ABA2 8B55 EC          mov edx,dword ptr ss:[ebp-14]
0052ABA5 8A0402          mov al,byte ptr ds:[edx+eax]
0052ABA8 8B55 F0          mov edx,dword ptr ss:[ebp-10]
0052ABAB 8802             mov byte ptr ds:[edx],al
0052ABAD 8B45 F8          mov eax,dword ptr ss:[ebp-8]
0052ABB0 8A00             mov al,byte ptr ds:[eax]
0052ABB2 24 0F             and al,0F
0052ABB4 25 FF000000       and eax,0FF
0052ABB9 8B55 EC          mov edx,dword ptr ss:[ebp-14]
0052ABBC 8A0402          mov al,byte ptr ds:[edx+eax]
0052ABBF 8B55 F0          mov edx,dword ptr ss:[ebp-10]
0052ABC2 8842 01          mov byte ptr ds:[edx+1],al
0052ABC5 8345 F0 02       add dword ptr ss:[ebp-10],2
0052ABC9 FF45 F8          inc dword ptr ss:[ebp-8]
0052ABCC FF4D F4          dec dword ptr ss:[ebp-C]
0052ABCF 837D F4 00       cmp dword ptr ss:[ebp-C],0
0052ABD3  ^ 7F C4             jg short <SDQD.loc_52AB99>
0052ABD5 >  8BE5             mov esp,ebp                                  ; loc_52ABD5
0052ABD7 5D                pop ebp
0052ABD8 C2 0400          retn 4

这段代码其实就是把内存中eax所指向的80位hex转换成字符串:
00D1D91C  41 41 43 53 10 00 00 00 08 00 00 00 38 02 0F 00  AACS......8.
00D1D92C  01 00 01 01 00 00 00 00 B6 79 45 1F 19 4B 69 20  .....儿EKi
00D1D93C  85 F0 38 D7 09 27 89 C0                         ?8?'?...

转换结果:
41414353100000000800000038020F00
0100010100000000B679451F194B6920
85F038D7092789C0

005AEEB4 8D4D EC          lea ecx,dword ptr ss:[ebp-14]
005AEEB7 BA 08000000       mov edx,8
005AEEBC 8B45 FC          mov eax,dword ptr ss:[ebp-4]
005AEEBF >  E8 786FE9FF       call <SDQD.sub_445E3C>             ;取转换结果的后8位，即为正确注册码
005AEEC4 8B45 EC          mov eax,dword ptr ss:[ebp-14]
005AEEC7 50                push eax
005AEEC8 8D55 E8          lea edx,dword ptr ss:[ebp-18]
005AEECB >  8B86 FC020000    mov eax,dword ptr ds:[esi+2FC]
005AEED1 >  E8 6AE3E9FF       call <SDQD.sub_44D240>
005AEED6 8B55 E8          mov edx,dword ptr ss:[ebp-18]       ;输入的注册码
005AEED9 58                pop eax                            ;正确注册码
005AEEDA >  E8 E55FE5FF       call <SDQD.sub_404EC4>             ;比较
005AEEDF 0F85 04010000    jnz <SDQD.loc_5AEFE9>

例子:
机器码:
85FCF180
注册码:
092789C0

程序下载：
http://www.dxd37az.com.cn/rjxz/sdqd.exe

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (3)
kkx2008 雪币： 107 活跃值： (54) 能力值： ( LV2，RANK：10 ) 在线值：发帖 44 回帖 377 粉丝 0 关注私信	kkx2008 2 楼沙发 2005-5-4 04:34 0
小剑雪币： 110 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 375 粉丝 1 关注私信	小剑 3 楼 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2005-5-4 10:34 0
Nada 雪币： 207 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 52 粉丝 0 关注私信	Nada 4 楼好长啊晕晕 2005-5-4 12:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

ikki

发帖

316

回帖

370

RANK

关注

私信

他的文章

[讨论][讨论]Hex-Rays 太邪恶了 9706

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
kkx2008 雪币： 107 活跃值： (54) 能力值： ( LV2，RANK：10 ) 在线值：发帖 44 回帖 377 粉丝 0 关注私信	kkx2008 2 楼沙发 2005-5-4 04:34 0
小剑雪币： 110 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 375 粉丝 1 关注私信	小剑 3 楼 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2005-5-4 10:34 0
Nada 雪币： 207 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 52 粉丝 0 关注私信	Nada 4 楼好长啊晕晕 2005-5-4 12:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复