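The software registers using a machine code -> registration code scheme.
1. From the machine code, compute 32 hex digits of the form:
7801 xxxx xxxx xxxx xxxx xxxx xxxxxxxx
Digits 5-24 are computed from the machine code by table lookups and similar operations, as follows: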
00520DD9 > 8B88 9C160000 mov ecx,dword ptr ds:[eax+169C] ; loc_520DD9
00520DDF 8B5C24 04 mov ebx,dword ptr ss:[esp+4]
00520DE3 0FB73459 movzx esi,word ptr ds:[ecx+ebx*2]
00520DE7 8B88 90160000 mov ecx,dword ptr ds:[eax+1690]
00520DED 8B5C24 04 mov ebx,dword ptr ss:[esp+4]
00520DF1 0FB63C19 movzx edi,byte ptr ds:[ecx+ebx]
00520DF5 FF4424 04 inc dword ptr ss:[esp+4]
00520DF9 85F6 test esi,esi
00520DFB 0F85 AD000000 jnz <SDQD.loc_520EAE>
00520E01 0FB75CBA 02 movzx ebx,word ptr ds:[edx+edi*4+2] ; table lookup (edx=5ccaea)
00520E06 B9 10000000 mov ecx,10
00520E0B 2BCB sub ecx,ebx
00520E0D 3B88 B4160000 cmp ecx,dword ptr ds:[eax+16B4] ; used to determine whether 2 digits of the machine code have been computed
00520E13 7D 7A jge short <SDQD.loc_520E8F>
00520E15 0FB734BA movzx esi,word ptr ds:[edx+edi*4]
00520E19 8BFE mov edi,esi
00520E1B 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4]
00520E21 8BEF mov ebp,edi
00520E23 83EB 10 sub ebx,10
00520E26 66:D3E5 shl bp,cl
00520E29 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520E30 0FB7F7 movzx esi,di
00520E33 8B48 14 mov ecx,dword ptr ds:[eax+14]
00520E36 FF40 14 inc dword ptr ds:[eax+14]
00520E39 8B68 08 mov ebp,dword ptr ds:[eax+8]
00520E3C 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
00520E40 51 push ecx
00520E41 5D pop ebp
00520E42 8A88 B0160000 mov cl,byte ptr ds:[eax+16B0]
00520E48 80E1 FF and cl,0FF
00520E4B 884D 00 mov byte ptr ss:[ebp],cl ; write the high-order part of the computed result
00520E4E 8B48 14 mov ecx,dword ptr ds:[eax+14]
00520E51 FF40 14 inc dword ptr ds:[eax+14]
00520E54 8B68 08 mov ebp,dword ptr ds:[eax+8]
00520E57 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
00520E5B 51 push ecx
00520E5C 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
00520E63 5D pop ebp
00520E64 C1F9 08 sar ecx,8
00520E67 884D 00 mov byte ptr ss:[ebp],cl ; write the low-order part of the computed result
00520E6A B9 10000000 mov ecx,10
00520E6F 2B88 B4160000 sub ecx,dword ptr ds:[eax+16B4] ;
00520E75 D3FE sar esi,cl
00520E77 66:89B0 B0160000 mov word ptr ds:[eax+16B0],si
00520E7E 0398 B4160000 add ebx,dword ptr ds:[eax+16B4]
00520E84 8998 B4160000 mov dword ptr ds:[eax+16B4],ebx
00520E8A E9 22030000 jmp <SDQD.loc_5211B1>
00520E8F > 66:8B34BA mov si,word ptr ds:[edx+edi*4] ; table lookup
00520E93 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4] ; ds:[eax+16B4] is initially 3
00520E99 66:D3E6 shl si,cl
00520E9C 66:09B0 B0160000 or word ptr ds:[eax+16B0],si
00520EA3 0198 B4160000 add dword ptr ds:[eax+16B4],ebx
00520EA9 E9 03030000 jmp <SDQD.loc_5211B1>
00520EAE > 33DB xor ebx,ebx ; loc_520EAE
00520EB0 8A9F 1BD35C00 mov bl,byte ptr ds:[edi+5CD31B]
00520EB6 0FB78C9A 06040000 movzx ecx,word ptr ds:[edx+ebx*4+406]
00520EBE 894C24 08 mov dword ptr ss:[esp+8],ecx
00520EC2 B9 10000000 mov ecx,10
00520EC7 2B4C24 08 sub ecx,dword ptr ss:[esp+8]
00520ECB 3B88 B4160000 cmp ecx,dword ptr ds:[eax+16B4]
00520ED1 0F8D 86000000 jge <SDQD.loc_520F5D>
00520ED7 0FB78C9A 04040000 movzx ecx,word ptr ds:[edx+ebx*4+404]
00520EDF 894C24 0C mov dword ptr ss:[esp+C],ecx
00520EE3 66:8B6C24 0C mov bp,word ptr ss:[esp+C]
00520EE8 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4]
00520EEE 66:D3E5 shl bp,cl
00520EF1 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520EF8 8B48 14 mov ecx,dword ptr ds:[eax+14]
00520EFB FF40 14 inc dword ptr ds:[eax+14]
00520EFE 8B68 08 mov ebp,dword ptr ds:[eax+8]
00520F01 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
00520F05 51 push ecx
00520F06 5D pop ebp
00520F07 8A88 B0160000 mov cl,byte ptr ds:[eax+16B0]
00520F0D 80E1 FF and cl,0FF
00520F10 884D 00 mov byte ptr ss:[ebp],cl
00520F13 8B48 14 mov ecx,dword ptr ds:[eax+14]
00520F16 FF40 14 inc dword ptr ds:[eax+14]
00520F19 8B68 08 mov ebp,dword ptr ds:[eax+8]
00520F1C 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
00520F20 51 push ecx
00520F21 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
00520F28 5D pop ebp
00520F29 C1F9 08 sar ecx,8
00520F2C 884D 00 mov byte ptr ss:[ebp],cl
00520F2F B9 10000000 mov ecx,10
00520F34 0FB76C24 0C movzx ebp,word ptr ss:[esp+C]
00520F39 2B88 B4160000 sub ecx,dword ptr ds:[eax+16B4]
00520F3F D3FD sar ebp,cl
00520F41 66:89A8 B0160000 mov word ptr ds:[eax+16B0],bp
00520F48 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
00520F4C 83E9 10 sub ecx,10
00520F4F 0388 B4160000 add ecx,dword ptr ds:[eax+16B4]
00520F55 8988 B4160000 mov dword ptr ds:[eax+16B4],ecx
00520F5B EB 22 jmp short <SDQD.loc_520F7F>
00520F5D > 66:8BAC9A 04040000 mov bp,word ptr ds:[edx+ebx*4+404] ; loc_520F5D
00520F65 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4]
00520F6B 66:D3E5 shl bp,cl
00520F6E 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520F75 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
00520F79 0188 B4160000 add dword ptr ds:[eax+16B4],ecx
00520F7F > 8B0C9D B0C95C00 mov ecx,dword ptr ds:[ebx*4+5CC9B0] ; loc_520F7F
00520F86 85C9 test ecx,ecx
00520F88 0F84 9F000000 je <SDQD.loc_52102D>
00520F8E 2B3C9D E0CF5C00 sub edi,dword ptr ds:[ebx*4+5CCFE0]
00520F95 8BD9 mov ebx,ecx
00520F97 B9 10000000 mov ecx,10
00520F9C 2BCB sub ecx,ebx
00520F9E 3B88 B4160000 cmp ecx,dword ptr ds:[eax+16B4]
00520FA4 7D 71 jge short <SDQD.loc_521017>
00520FA6 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4]
00520FAC 8BEF mov ebp,edi
00520FAE 66:D3E5 shl bp,cl
00520FB1 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00520FB8 8B48 14 mov ecx,dword ptr ds:[eax+14]
00520FBB FF40 14 inc dword ptr ds:[eax+14]
00520FBE 8B68 08 mov ebp,dword ptr ds:[eax+8]
00520FC1 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
00520FC5 51 push ecx
00520FC6 8A88 B0160000 mov cl,byte ptr ds:[eax+16B0]
00520FCC 80E1 FF and cl,0FF
00520FCF 5D pop ebp
00520FD0 884D 00 mov byte ptr ss:[ebp],cl
00520FD3 8B48 14 mov ecx,dword ptr ds:[eax+14]
00520FD6 FF40 14 inc dword ptr ds:[eax+14]
00520FD9 8B68 08 mov ebp,dword ptr ds:[eax+8]
00520FDC 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
00520FE0 51 push ecx
00520FE1 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
00520FE8 C1F9 08 sar ecx,8
00520FEB 5D pop ebp
00520FEC 884D 00 mov byte ptr ss:[ebp],cl
00520FEF B9 10000000 mov ecx,10
00520FF4 2B88 B4160000 sub ecx,dword ptr ds:[eax+16B4]
00520FFA 0FB7FF movzx edi,di
00520FFD D3FF sar edi,cl
00520FFF 66:89B8 B0160000 mov word ptr ds:[eax+16B0],di
00521006 83EB 10 sub ebx,10
00521009 0398 B4160000 add ebx,dword ptr ds:[eax+16B4]
0052100F 8998 B4160000 mov dword ptr ds:[eax+16B4],ebx
00521015 EB 16 jmp short <SDQD.loc_52102D>
00521017 > 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4] ; loc_521017
0052101D 66:D3E7 shl di,cl
00521020 66:09B8 B0160000 or word ptr ds:[eax+16B0],di
00521027 0198 B4160000 add dword ptr ds:[eax+16B4],ebx
0052102D > 4E dec esi ; loc_52102D
0052102E 81FE 00010000 cmp esi,100
00521034 73 08 jnb short <SDQD.loc_52103E>
00521036 8A9E 1BD15C00 mov bl,byte ptr ds:[esi+5CD11B]
0052103C EB 0B jmp short <SDQD.loc_521049>
0052103E > 8BCE mov ecx,esi ; loc_52103E
00521040 C1E9 07 shr ecx,7
00521043 8A99 1BD25C00 mov bl,byte ptr ds:[ecx+5CD21B]
00521049 > 81E3 FF000000 and ebx,0FF ; loc_521049
0052104F 8B0C24 mov ecx,dword ptr ss:[esp]
00521052 0FB77C99 02 movzx edi,word ptr ds:[ecx+ebx*4+2]
00521057 B9 10000000 mov ecx,10
0052105C 2BCF sub ecx,edi
0052105E 3B88 B4160000 cmp ecx,dword ptr ds:[eax+16B4]
00521064 0F8D 81000000 jge <SDQD.loc_5210EB>
0052106A 8B0C24 mov ecx,dword ptr ss:[esp]
0052106D 83EF 10 sub edi,10
00521070 0FB70C99 movzx ecx,word ptr ds:[ecx+ebx*4]
00521074 894C24 10 mov dword ptr ss:[esp+10],ecx
00521078 66:8B6C24 10 mov bp,word ptr ss:[esp+10]
0052107D 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4]
00521083 66:D3E5 shl bp,cl
00521086 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
0052108D 8B48 14 mov ecx,dword ptr ds:[eax+14]
00521090 FF40 14 inc dword ptr ds:[eax+14]
00521093 8B68 08 mov ebp,dword ptr ds:[eax+8]
00521096 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
0052109A 51 push ecx
0052109B 5D pop ebp
0052109C 8A88 B0160000 mov cl,byte ptr ds:[eax+16B0]
005210A2 80E1 FF and cl,0FF
005210A5 884D 00 mov byte ptr ss:[ebp],cl
005210A8 8B48 14 mov ecx,dword ptr ds:[eax+14]
005210AB FF40 14 inc dword ptr ds:[eax+14]
005210AE 8B68 08 mov ebp,dword ptr ds:[eax+8]
005210B1 8D4C0D 00 lea ecx,dword ptr ss:[ebp+ecx]
005210B5 51 push ecx
005210B6 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
005210BD 5D pop ebp
005210BE C1F9 08 sar ecx,8
005210C1 884D 00 mov byte ptr ss:[ebp],cl
005210C4 B9 10000000 mov ecx,10
005210C9 0FB76C24 10 movzx ebp,word ptr ss:[esp+10]
005210CE 2B88 B4160000 sub ecx,dword ptr ds:[eax+16B4]
005210D4 D3FD sar ebp,cl
005210D6 66:89A8 B0160000 mov word ptr ds:[eax+16B0],bp
005210DD 03B8 B4160000 add edi,dword ptr ds:[eax+16B4]
005210E3 89B8 B4160000 mov dword ptr ds:[eax+16B4],edi
005210E9 EB 1E jmp short <SDQD.loc_521109>
005210EB > 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4] ; loc_5210EB
005210F1 8B2C24 mov ebp,dword ptr ss:[esp]
005210F4 66:8B6C9D 00 mov bp,word ptr ss:[ebp+ebx*4]
005210F9 66:D3E5 shl bp,cl
005210FC 66:09A8 B0160000 or word ptr ds:[eax+16B0],bp
00521103 01B8 B4160000 add dword ptr ds:[eax+16B4],edi
00521109 > 8B0C9D 24CA5C00 mov ecx,dword ptr ds:[ebx*4+5CCA24] ; loc_521109
00521110 85C9 test ecx,ecx
00521112 0F84 99000000 je <SDQD.loc_5211B1>
00521118 2B349D 54D05C00 sub esi,dword ptr ds:[ebx*4+5CD054]
0052111F 8BD9 mov ebx,ecx
00521121 B9 10000000 mov ecx,10
00521126 2BCB sub ecx,ebx
00521128 8BB8 B4160000 mov edi,dword ptr ds:[eax+16B4]
0052112E 3BCF cmp ecx,edi
00521130 7D 69 jge short <SDQD.loc_52119B>
00521132 8BCF mov ecx,edi
00521134 8BFE mov edi,esi
00521136 66:D3E7 shl di,cl
00521139 66:09B8 B0160000 or word ptr ds:[eax+16B0],di
00521140 8B48 14 mov ecx,dword ptr ds:[eax+14]
00521143 FF40 14 inc dword ptr ds:[eax+14]
00521146 8B78 08 mov edi,dword ptr ds:[eax+8]
00521149 8D0C0F lea ecx,dword ptr ds:[edi+ecx]
0052114C 51 push ecx
0052114D 8A88 B0160000 mov cl,byte ptr ds:[eax+16B0]
00521153 80E1 FF and cl,0FF
00521156 5F pop edi
00521157 880F mov byte ptr ds:[edi],cl
00521159 8B48 14 mov ecx,dword ptr ds:[eax+14]
0052115C FF40 14 inc dword ptr ds:[eax+14]
0052115F 8B78 08 mov edi,dword ptr ds:[eax+8]
00521162 8D0C0F lea ecx,dword ptr ds:[edi+ecx]
00521165 51 push ecx
00521166 0FB788 B0160000 movzx ecx,word ptr ds:[eax+16B0]
0052116D C1F9 08 sar ecx,8
00521170 5F pop edi
00521171 880F mov byte ptr ds:[edi],cl
00521173 B9 10000000 mov ecx,10
00521178 2B88 B4160000 sub ecx,dword ptr ds:[eax+16B4]
0052117E 0FB7F6 movzx esi,si
00521181 D3FE sar esi,cl
00521183 66:89B0 B0160000 mov word ptr ds:[eax+16B0],si
0052118A 83EB 10 sub ebx,10
0052118D 0398 B4160000 add ebx,dword ptr ds:[eax+16B4]
00521193 8998 B4160000 mov dword ptr ds:[eax+16B4],ebx
00521199 EB 16 jmp short <SDQD.loc_5211B1>
0052119B > 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4] ; loc_52119B
005211A1 66:D3E6 shl si,cl
005211A4 66:09B0 B0160000 or word ptr ds:[eax+16B0],si
005211AB 0198 B4160000 add dword ptr ds:[eax+16B4],ebx
005211B1 > 8B4C24 04 mov ecx,dword ptr ss:[esp+4] ; loc_5211B1
005211B5 3B88 98160000 cmp ecx,dword ptr ds:[eax+1698] ; loop counter
005211BB ^ 0F82 18FCFFFF jb <SDQD.loc_520DD9>
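Each pass of this loop processes 2 digits of the machine code and yields one dword value as the result of that pass; an 8-digit machine code therefore yields
4 dword values, i.e. digits 5-20. There is a lot of code, but the computation is not complicated.
0052124B > 66:8BB2 00040000 mov si,word ptr ds:[edx+400] ; this value is determined by the result of the last calculation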
00521252 8B88 B4160000 mov ecx,dword ptr ds:[eax+16B4]
00521258 66:D3E6 shl si,cl
0052125B 66:09B0 B0160000 or word ptr ds:[eax+16B0],si ; digits 21-24.
00521573 > 33D2 xor edx,edx ; // compute the last 8 characters
00521575 8A16 mov dl,byte ptr ds:[esi] ; // just an ASCII sum plus an AND operation, very simple
00521577 03DA add ebx,edx
00521579 46 inc esi
0052157A 03FB add edi,ebx
0052157C 48 dec eax
0052157D ^ 75 F4 jnz short <SDQD.loc_521573>
0052157F > B9 F1FF0000 mov ecx,0FFF1 ; loc_52157F
00521584 8BC3 mov eax,ebx
00521586 33D2 xor edx,edx
00521588 F7F1 div ecx
0052158A 89D3 mov ebx,edx
0052158C B9 F1FF0000 mov ecx,0FFF1
00521591 8BC7 mov eax,edi
00521593 33D2 xor edx,edx
00521595 F7F1 div ecx
00521597 89D7 mov edi,edx
00521599 85ED test ebp,ebp
0052159B ^ 0F87 14FFFFFF ja <SDQD.loc_5214B5>
005215A1 > 8BC7 mov eax,edi ; loc_5215A1
005215A3 C1E0 10 shl eax,10
005215A6 0BC3 or eax,ebx
005215A8 > 5D pop ebp ; loc_5215A8
005215A9 5F pop edi
005215AA 5E pop esi
005215AB 5B pop ebx
005215AC C3 retn
Concatenating the results above in order gives a 32-digit hex string (using machine code 85FCF180 as the example):
7801B33075737633B4300000087901D6
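The loop at 00521573 can be identified from its constant: 0FFF1 is 65521, the modulus used by Adler-32. The following is an added example, not code from the original post, that re-implements the listing in Python and compares it with zlib's checksums on the machine code 85FCF180; the seed a=1, b=0 and the chunk size NMAX are assumptions, since neither is visible in the excerpt.

```python
import zlib

MOD = 0xFFF1   # 65521, loaded by `mov ecx,0FFF1` at 0052157F and 0052158C
NMAX = 5552    # zlib's chunk size between reductions (assumption: not in the excerpt)


def checksum_from_listing(data: bytes, a: int = 1, b: int = 0) -> int:
    """Re-implementation of the routine at 00521573..005215A6.

    a corresponds to ebx and b to edi. The seed (a=1, b=0) is assumed;
    it is the standard Adler-32 seed and reproduces the page's value.
    """
    pos = 0
    while pos < len(data):
        chunk = data[pos:pos + NMAX]
        pos += len(chunk)
        for byte in chunk:                 # inner loop: no reduction yet
            a = (a + byte) & 0xFFFFFFFF    # add ebx,edx
            b = (b + a) & 0xFFFFFFFF       # add edi,ebx
        # Reduction is deferred to the end of the chunk; NMAX is small
        # enough that neither 32-bit register can wrap before this point.
        a %= MOD                           # div ecx / mov ebx,edx
        b %= MOD                           # div ecx / mov edi,edx
    return (b << 16) | a                   # shl eax,10 / or eax,ebx


def identify(data: bytes) -> str:
    """Name the routine by comparing its output with known library checksums."""
    got = checksum_from_listing(data)
    candidates = {"adler32": zlib.adler32(data), "crc32": zlib.crc32(data)}
    for name, value in candidates.items():
        if value == got:
            return name
    return "unknown"


if __name__ == "__main__":
    sample = b"85FCF180"  # the machine code used as the example on this page
    print(format(checksum_from_listing(sample), "08X"), identify(sample))
```

The result for the sample equals the last 8 digits of the 32-digit string above.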
2. Use the RIPEMD-128 hash algorithm to derive data that is used later:
0052EAFD 8B45 FC mov eax,dword ptr ss:[ebp-4]
0052EB00 8D50 18 lea edx,dword ptr ds:[eax+18]
0052EB03 8B45 FC mov eax,dword ptr ss:[ebp-4]
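0052EB06 8B08 mov ecx,dword ptr ds:[eax] ; text:qd // (this string is probably a region abbreviation; fixed)
0052EB08 FF51 34 call dword ptr ds:[ecx+34] ; ripemd-128(qd) // the ripemd function is called here;
0052EB0B 8B45 FC mov eax,dword ptr ss:[ebp-4] ; step into it if you are interested
Hashing the string 'qd' gives:
aa29237be9f07377962eca6c64d85a35
This is saved as the encryption key for the Rijndael-128 step that follows.
Initialization...
Generate the subkeys...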
0052C31F 8B45 FC mov eax,dword ptr ss:[ebp-4]
0052C322 8B50 30 mov edx,dword ptr ds:[eax+30] ; textbuffer
0052C325 8B45 FC mov eax,dword ptr ss:[ebp-4]
0052C328 8B08 mov ecx,dword ptr ds:[eax]
0052C32A FF51 2C call dword ptr ds:[ecx+2C] ; rijndael_cipher
0052C32D EB 14 jmp short <SDQD.loc_52C343>
Using the key (hex:aa29237be9f07377962eca6c64d85a35)
to encrypt hex:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
gives:
hex:886179173C19D0EF7A670734D64DAF2B
0052C94F 8B45 FC mov eax,dword ptr ss:[ebp-4]
0052C952 8B48 24 mov ecx,dword ptr ds:[eax+24]
0052C955 8B45 FC mov eax,dword ptr ss:[ebp-4]
0052C958 8B50 34 mov edx,dword ptr ds:[eax+34] ; [edx]:886179173C19D0EF7A670734D64DAF2B
0052C95B 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; [eax]:7801B33075737633B4300000087901D6
0052C95E E8 BDECFFFF call <SDQD.@Decutil@XORBuffers$qqrpvt1it1> ; bitwise XOR of the two 32-digit hex strings
Result:
hex:F060CA27496AA6DCCE570734DE34AEFD
0052C963 8B55 EC mov edx,dword ptr ss:[ebp-14] ; textbuffer
0052C966 8B45 FC mov eax,dword ptr ss:[ebp-4]
0052C969 8B08 mov ecx,dword ptr ds:[eax]
0052C96B FF51 2C call dword ptr ds:[ecx+2C] ; rijndael_cipher
0052C96E 8B45 FC mov eax,dword ptr ss:[ebp-4]
Using the key (hex:aa29237be9f07377962eca6c64d85a35)
to encrypt hex:F060CA27496AA6DCCE570734DE34AEFD
gives:
hex:B679451F194B692085F038D7092789C0
3. Character conversion, which yields the registration code
hex->str:
0052AB9C 0FB600 movzx eax,byte ptr ds:[eax] ; [eax]:
00D1D91C 41 41 43 53 10 00 00 00 08 00 00 00 38 02 0F 00 AACS........8...
00D1D92C 01 00 01 01 00 00 00 00 B6 79 45 1F 19 4B 69 20 .........yE..Ki
00D1D93C 85 F0 38 D7 09 27 89 C0 ..8..'..
0052AB9F C1E8 04 shr eax,4
0052ABA2 8B55 EC mov edx,dword ptr ss:[ebp-14]
0052ABA5 8A0402 mov al,byte ptr ds:[edx+eax]
0052ABA8 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0052ABAB 8802 mov byte ptr ds:[edx],al
0052ABAD 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0052ABB0 8A00 mov al,byte ptr ds:[eax]
0052ABB2 24 0F and al,0F
0052ABB4 25 FF000000 and eax,0FF
0052ABB9 8B55 EC mov edx,dword ptr ss:[ebp-14]
0052ABBC 8A0402 mov al,byte ptr ds:[edx+eax]
0052ABBF 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0052ABC2 8842 01 mov byte ptr ds:[edx+1],al
0052ABC5 8345 F0 02 add dword ptr ss:[ebp-10],2
0052ABC9 FF45 F8 inc dword ptr ss:[ebp-8]
0052ABCC FF4D F4 dec dword ptr ss:[ebp-C]
0052ABCF 837D F4 00 cmp dword ptr ss:[ebp-C],0
0052ABD3 ^ 7F C4 jg short <SDQD.loc_52AB99>
0052ABD5 > 8BE5 mov esp,ebp ; loc_52ABD5
0052ABD7 5D pop ebp
0052ABD8 C2 0400 retn 4
This code simply converts the 80 hex digits in memory pointed to by eax into a string:
00D1D91C 41 41 43 53 10 00 00 00 08 00 00 00 38 02 0F 00 AACS........8...
00D1D92C 01 00 01 01 00 00 00 00 B6 79 45 1F 19 4B 69 20 .........yE..Ki
00D1D93C 85 F0 38 D7 09 27 89 C0 ..8..'..
Conversion result:
41414353100000000800000038020F00
0100010100000000B679451F194B6920
85F038D7092789C0
005AEEB4 8D4D EC lea ecx,dword ptr ss:[ebp-14]
005AEEB7 BA 08000000 mov edx,8
005AEEBC 8B45 FC mov eax,dword ptr ss:[ebp-4]
005AEEBF > E8 786FE9FF call <SDQD.sub_445E3C> ; take the last 8 characters of the conversion result; this is the correct registration code
005AEEC4 8B45 EC mov eax,dword ptr ss:[ebp-14]
005AEEC7 50 push eax
005AEEC8 8D55 E8 lea edx,dword ptr ss:[ebp-18]
005AEECB > 8B86 FC020000 mov eax,dword ptr ds:[esi+2FC]
005AEED1 > E8 6AE3E9FF call <SDQD.sub_44D240>
005AEED6 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; the registration code that was entered
005AEED9 58 pop eax ; the correct registration code
005AEEDA > E8 E55FE5FF call <SDQD.sub_404EC4> ; compare
005AEEDF 0F85 04010000 jnz <SDQD.loc_5AEFE9>
Example:
Machine code:
85FCF180
Registration code:
092789C0
Program download:
http://www.dxd37az.com.cn/rjxz/sdqd.exe