AutoDWG DWG2DWF Converter v2.32 registration analysis
【Crack author】 lajue
【Author e-mail】 lajue@etang.com
【Tools used】 PEiD v0.92, OllyDbg v1.10 (聆风听雨 Chinese edition 2), W32Dasm v8.93 (Chinese edition)
【Platform】 WinXP SP2
【Software name】 AutoDWG DWG2DWF Converter v2.32
【Official website】 http://www.autodwg.com/DWG_DWF_Converter/
【Written in】 Microsoft Visual C++ 6.0
【Software description】 Converts CAD .dwg drawings to .dwf files without AutoCAD, with batch processing.
【Protection】 Registration code, 14-day trial limit
【Statement】 I am a beginner at cracking and do this only out of interest; mistakes are unavoidable, so corrections are welcome.
【Cracking process】 One day a colleague asked me whether there was a cracked version of this program. I searched the web and, surprisingly, found none! I had only just started learning to crack, so I decided to take a look. PEiD showed no packer; the program is written in Microsoft Visual C++ 6.0 (good, I know a little C++). Time to operate! ^_^
Open G2F.exe and click "Register". Enter any E-mail and the trial code 12345678901234567890123456 (26 digits; why 26 will become clear later), then click "Register". The error box "Register failed!" appears. Note that string, load the program into W32Dasm, choose "References" - "String Data References", find "Register failed!" and double-click it to arrive at the following address:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012D4(C)
|
:004012FE 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"AutodwgDwg2Dwf"
|
:00401300 6808598700 push 00875908
* Possible StringData Ref from Data Obj ->"Register failed!"
|
:00401305 6870588700 push 00875870
:0040130A 8BCE mov ecx, esi
Scroll up to address 004012D4:
* Reference To: MFC42.Ordinal:0685, Ord:0685h
|
:004012BF E83C182D00 Call 006D2B00
:004012C4 8B1B mov ebx, dword ptr [ebx] //get the fake trial code
:004012C6 8B3F mov edi, dword ptr [edi] //get the E-mail
:004012C8 53 push ebx
:004012C9 57 push edi
:004012CA E8D1DE0000 call 0040F1A0
:004012CF 83C408 add esp, 00000008
:004012D2 84C0 test al, al
:004012D4 7428 je 004012FE
So there is a comparison at 004012D4: if al=0 it jumps to the failure path, which makes the call at 004012CA the key call. Set a breakpoint on 004012CA in OllyDbg and press F7 to step into it:
0040F1A0 6A FF push -1
0040F1A2 68 206F7900 push G2F.00796F20
0040F1A7 64:A1 00000000 mov eax,dword ptr fs:[0]
0040F1AD 50 push eax
0040F1AE 64:8925 0000000>mov dword ptr fs:[0],esp
0040F1B5 83EC 08 sub esp,8
0040F1B8 53 push ebx
0040F1B9 56 push esi
0040F1BA 8B7424 24 mov esi,dword ptr ss:[esp+24]
0040F1BE 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0040F1C2 56 push esi
0040F1C3 B3 01 mov bl,1
0040F1C5 E8 863A2C00 call <jmp.&MFC42.#537_CString::CString>
0040F1CA 56 push esi
0040F1CB C74424 1C 00000>mov dword ptr ss:[esp+1C],0
0040F1D3 E8 C8010000 call G2F.0040F3A0
0040F1D8 83C4 04 add esp,4
0040F1DB 84C0 test al,al
0040F1DD 75 04 jnz short G2F.0040F1E3
0040F1DF 32DB xor bl,bl
0040F1E1 EB 6A jmp short G2F.0040F24D
0040F1E3 68 02000080 push 80000002
0040F1E8 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040F1EC E8 3F0A0000 call G2F.0040FC30
0040F1F1 68 24978700 push G2F.00879724 ; ASCII "SOFTWARE\AutoDwg\DWG_DWF_CONVER"
0040F1F6 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040F1FA 885C24 1C mov byte ptr ss:[esp+1C],bl
0040F1FE E8 BD0A0000 call G2F.0040FCC0
0040F203 85C0 test eax,eax
0040F205 74 0F je short G2F.0040F216
0040F207 56 push esi
0040F208 68 20978700 push G2F.00879720 ; ASCII "Key"
0040F20D 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040F211 E8 5A0B0000 call G2F.0040FD70
There is a call at 0040F1D3; if al is nonzero after it, the registry is accessed, presumably to store the registration code so the program can verify that it is registered after a restart. Step into call G2F.0040F3A0:
0040F3A0 64:A1 00000000 mov eax,dword ptr fs:[0]
0040F3A6 8B5424 04 mov edx,dword ptr ss:[esp+4]
0040F3AA 6A FF push -1
0040F3AC 68 786F7900 push G2F.00796F78
0040F3B1 50 push eax
0040F3B2 83C9 FF or ecx,FFFFFFFF
0040F3B5 64:8925 0000000>mov dword ptr fs:[0],esp
0040F3BC 83EC 08 sub esp,8
0040F3BF 33C0 xor eax,eax
0040F3C1 57 push edi
0040F3C2 8BFA mov edi,edx //get the trial code
0040F3C4 F2:AE repne scas byte ptr es:[edi]
0040F3C6 F7D1 not ecx
0040F3C8 49 dec ecx
0040F3C9 83F9 1A cmp ecx,1A //compute the length of the trial code; if it is not 1A (26 decimal), jump out
0040F3CC 0F85 C9000000 jnz G2F.0040F49B
0040F3D2 52 push edx
0040F3D3 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040F3D7 E8 74382C00 call <jmp.&MFC42.#537_CString::CString>
0040F3DC 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040F3E0 C74424 14 00000>mov dword ptr ss:[esp+14],0
0040F3E8 E8 F5362C00 call <jmp.&MFC42.#540_CString::CString>
0040F3ED 6A 00 push 0
0040F3EF 68 18598700 push G2F.00875918 //ASCII" "
0040F3F4 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040F3F8 C64424 1C 01 mov byte ptr ss:[esp+1C],1
0040F3FD E8 10372C00 call <jmp.&MFC42.#6877_CString::Replace> //if the trial code contains spaces they are replaced with 0 (is that what this means?)
0040F402 51 push ecx
0040F403 8D4424 08 lea eax,dword ptr ss:[esp+8]
0040F407 8BCC mov ecx,esp
0040F409 896424 0C mov dword ptr ss:[esp+C],esp
0040F40D 50 push eax
0040F40E E8 41372C00 call <jmp.&MFC42.#535_CString::CString> //reacquire the modified trial code
0040F413 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040F417 51 push ecx
0040F418 E8 53070000 call G2F.0040FB70 //another call; step in, the result is returned in eax
0040F41D 83C4 08 add esp,8
0040F420 50 push eax
0040F421 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040F425 C64424 18 02 mov byte ptr ss:[esp+18],2
0040F42A E8 19372C00 call <jmp.&MFC42.#858_CString::operator=>
0040F42F 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040F433 C64424 14 01 mov byte ptr ss:[esp+14],1
0040F438 E8 93362C00 call <jmp.&MFC42.#800_CString::~CString>
0040F43D 8B5424 1C mov edx,dword ptr ss:[esp+1C] ;get the result of the call at 0040F418
0040F441 68 58978700 push G2F.00879758 ; ASCII "&G#2f#"
0040F446 52 push edx
0040F447 FF15 18457D00 call dword ptr ds:[<&MSVCRT._mbscmp>] ; MSVCRT._mbscmp compares the result with ASCII "&G#2f#"; eax=0 if they are equal
0040F44D 83C4 08 add esp,8
0040F450 C64424 14 00 mov byte ptr ss:[esp+14],0
0040F455 85C0 test eax,eax
0040F457 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040F45B 75 28 jnz short G2F.0040F485 ;jump if nonzero
From the above, the result of the call at 0040F418 must equal ASCII "&G#2f#". Step into it:
0040FB70 6A FF push -1
0040FB72 68 57707900 push G2F.00797057
0040FB77 64:A1 00000000 mov eax,dword ptr fs:[0]
0040FB7D 50 push eax
0040FB7E 64:8925 0000000>mov dword ptr fs:[0],esp
0040FB85 83EC 0C sub esp,0C
0040FB88 56 push esi
0040FB89 33F6 xor esi,esi
0040FB8B 897424 0C mov dword ptr ss:[esp+C],esi
0040FB8F 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
0040FB93 C74424 18 01000>mov dword ptr ss:[esp+18],1
0040FB9B E8 422F2C00 call <jmp.&MFC42.#540_CString::CString>
0040FBA0 51 push ecx
0040FBA1 C64424 1C 02 mov byte ptr ss:[esp+1C],2
0040FBA6 8BCC mov ecx,esp
0040FBA8 896424 0C mov dword ptr ss:[esp+C],esp
0040FBAC 68 90978700 push G2F.00879790 ; ASCII "2r%e*RE$"
0040FBB1 E8 9A302C00 call <jmp.&MFC42.#537_CString::CString>
0040FBB6 8D4424 28 lea eax,dword ptr ss:[esp+28]
0040FBBA 50 push eax ;push the trial code
0040FBBB E8 F01AFFFF call G2F.004016B0 ;another call; step in
0040FBC0 83C4 08 add esp,8
0040FBC3 8B4C24 24 mov ecx,dword ptr ss:[esp+24] ;get the result of the call
0040FBC7 8A140E mov dl,byte ptr ds:[esi+ecx]
0040FBCA 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
0040FBCE 885424 08 mov byte ptr ss:[esp+8],dl
0040FBD2 8B4424 08 mov eax,dword ptr ss:[esp+8]
0040FBD6 50 push eax
0040FBD7 E8 8A2F2C00 call <jmp.&MFC42.#940_CString::operator+=>
0040FBDC 83C6 02 add esi,2
0040FBDF 83FE 0C cmp esi,0C
0040FBE2 ^ 7C DF jl short G2F.0040FBC3 ;takes characters 0, 2, 4, 6, 8 and 10 in turn (6 characters) and returns the result in eax
0040FBE4 8B7424 20 mov esi,dword ptr ss:[esp+20]
0040FBE8 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
0040FBEC 51 push ecx
0040FBED 8BCE mov ecx,esi
0040FBEF E8 602F2C00 call <jmp.&MFC42.#535_CString::CString>
0040FBF4 C74424 0C 01000>mov dword ptr ss:[esp+C],1
0040FBFC 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
0040FC00 C64424 18 01 mov byte ptr ss:[esp+18],1
0040FC05 E8 C62E2C00 call <jmp.&MFC42.#800_CString::~CString>
0040FC0A 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0040FC0E C64424 18 00 mov byte ptr ss:[esp+18],0
0040FC13 E8 B82E2C00 call <jmp.&MFC42.#800_CString::~CString>
0040FC18 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
0040FC1C 8BC6 mov eax,esi
0040FC1E 64:890D 0000000>mov dword ptr fs:[0],ecx
0040FC25 5E pop esi
0040FC26 83C4 18 add esp,18
0040FC29 C3 retn
Taking the trial code as the example, the call at 0040FBBB computes "BC 72 D9 EC AB 02 AA 97 6E EC 91 BC"; taking positions 0, 2, 4, 6, 8 and 10 gives "BC D9 AB AA 6E 91", which is then compared with ASCII "&G#2f#", i.e. with "26 47 23 32 66 23"; if they are equal, registration succeeds. So how does the call at 0040FBBB work? Step into call G2F.004016B0:
004016B0 6A FF push -1
004016B2 68 F84B7900 push G2F.00794BF8
004016B7 64:A1 00000000 mov eax,dword ptr fs:[0]
004016BD 50 push eax
004016BE 64:8925 0000000>mov dword ptr fs:[0],esp
004016C5 83EC 0C sub esp,0C
004016C8 53 push ebx
004016C9 55 push ebp
004016CA 56 push esi
004016CB 57 push edi
004016CC 33FF xor edi,edi
004016CE 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004016D2 897C24 24 mov dword ptr ss:[esp+24],edi
004016D6 E8 07142D00 call <jmp.&MFC42.#540_CString::CString>
004016DB 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004016DF C64424 24 01 mov byte ptr ss:[esp+24],1
004016E4 E8 F9132D00 call <jmp.&MFC42.#540_CString::CString>
004016E9 8B7424 2C mov esi,dword ptr ss:[esp+2C]
004016ED BB 02000000 mov ebx,2
004016F2 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004016F6 53 push ebx
004016F7 50 push eax
004016F8 8BCE mov ecx,esi ;get the trial code
004016FA 885C24 2C mov byte ptr ss:[esp+2C],bl
004016FE E8 7B142D00 call <jmp.&MFC42.#5710_CString::Right> ;take the rightmost 2 characters of the trial code, i.e. the last 2, "56"
00401703 50 push eax
00401704 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401708 C64424 28 03 mov byte ptr ss:[esp+28],3
0040170D E8 36142D00 call <jmp.&MFC42.#858_CString::operator=>
00401712 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401716 885C24 24 mov byte ptr ss:[esp+24],bl
0040171A E8 B1132D00 call <jmp.&MFC42.#800_CString::~CString>
0040171F 8B0E mov ecx,dword ptr ds:[esi]
00401721 8D5424 2C lea edx,dword ptr ss:[esp+2C]
00401725 8B41 F8 mov eax,dword ptr ds:[ecx-8] ;get the length of the trial code, 1A
00401728 8BCE mov ecx,esi ;get the trial code
0040172A 83C0 FE add eax,-2 ;eax=18 (24 decimal)
0040172D 50 push eax
0040172E 52 push edx
0040172F E8 44142D00 call <jmp.&MFC42.#4129_CString::Left> ;take the leftmost 24 characters of the trial code, i.e. the trial code without its last 2 characters
00401734 50 push eax
00401735 8BCE mov ecx,esi
00401737 C64424 28 04 mov byte ptr ss:[esp+28],4
0040173C E8 07142D00 call <jmp.&MFC42.#858_CString::operator=>
00401741 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401745 885C24 24 mov byte ptr ss:[esp+24],bl
00401749 E8 82132D00 call <jmp.&MFC42.#800_CString::~CString>
0040174E 8B4424 10 mov eax,dword ptr ss:[esp+10]
00401752 50 push eax
00401753 FF15 68457D00 call dword ptr ds:[<&MSVCRT.atoi>] ; MSVCRT.atoi converts the last 2 characters of the trial code to a number, 56, so eax=38H=56D
00401759 8D5424 34 lea edx,dword ptr ss:[esp+34]
0040175D 8BCC mov ecx,esp
0040175F 896424 30 mov dword ptr ss:[esp+30],esp
00401763 52 push edx
00401764 8BE8 mov ebp,eax ;ebp=eax=38H
00401766 E8 E9132D00 call <jmp.&MFC42.#535_CString::CString>
0040176B 56 push esi ;push the first 24 characters of the trial code
0040176C E8 2F030000 call G2F.00401AA0 ;another call; it transforms the first 24 characters of the trial code into "bc72d9ecab02aa976eec91bc"
00401771 83C4 08 add esp,8
00401774 8D442D 00 lea eax,dword ptr ss:[ebp+ebp] ;eax=2*ebp=70H
00401778 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040177C 50 push eax
0040177D 51 push ecx
0040177E 8BCE mov ecx,esi ;ecx points to "bc72d9ecab02aa976eec91bc"
00401780 E8 F3132D00 call <jmp.&MFC42.#4129_CString::Left> ;take the leftmost 70H characters of "bc72d9ecab02aa976eec91bc"; so the last 2 characters of the trial code must be digits, and greater than 12 (decimal)
00401785 50 push eax
00401786 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040178A C64424 28 05 mov byte ptr ss:[esp+28],5
0040178F E8 B4132D00 call <jmp.&MFC42.#858_CString::operator=>
00401794 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401798 885C24 24 mov byte ptr ss:[esp+24],bl
0040179C E8 2F132D00 call <jmp.&MFC42.#800_CString::~CString>
004017A1 8BCE mov ecx,esi
004017A3 E8 CA132D00 call <jmp.&MFC42.#2614_CString::Empty> ;this checks whether the last 2 characters of the trial code contain digits: if so there is no jump, otherwise it jumps; here it should not jump
004017A8 3BEF cmp ebp,edi
004017AA 7E 52 jle short G2F.004017FE
004017AC 53 push ebx
004017AD 8D5424 30 lea edx,dword ptr ss:[esp+30]
004017B1 57 push edi
004017B2 52 push edx
004017B3 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
004017B7 E8 B0132D00 call <jmp.&MFC42.#4278_CString::Mid>
004017BC 50 push eax
004017BD 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004017C1 C64424 28 06 mov byte ptr ss:[esp+28],6
004017C6 E8 7D132D00 call <jmp.&MFC42.#858_CString::operator=>
004017CB 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004017CF 885C24 24 mov byte ptr ss:[esp+24],bl
004017D3 E8 F8122D00 call <jmp.&MFC42.#800_CString::~CString>
004017D8 51 push ecx
004017D9 8D4424 14 lea eax,dword ptr ss:[esp+14]
004017DD 8BCC mov ecx,esp
004017DF 896424 1C mov dword ptr ss:[esp+1C],esp
004017E3 50 push eax
004017E4 E8 6B132D00 call <jmp.&MFC42.#535_CString::CString>
004017E9 E8 920B0000 call G2F.00402380
004017EE 83C4 04 add esp,4
004017F1 8BCE mov ecx,esi
004017F3 50 push eax
004017F4 E8 6D132D00 call <jmp.&MFC42.#940_CString::operator+=>
004017F9 03FB add edi,ebx
004017FB 4D dec ebp
004017FC ^ 75 AE jnz short G2F.004017AC ;converts "bc72d9ecab02aa976eec91bc" character by character to upper case "BC72D9ECAB02AA976EEC91BC"
004017FE 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401802 C64424 24 01 mov byte ptr ss:[esp+24],1
00401807 E8 C4122D00 call <jmp.&MFC42.#800_CString::~CString>
0040180C 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401810 C64424 24 00 mov byte ptr ss:[esp+24],0
00401815 E8 B6122D00 call <jmp.&MFC42.#800_CString::~CString>
0040181A 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
0040181E C74424 24 FFFFF>mov dword ptr ss:[esp+24],-1
00401826 E8 A5122D00 call <jmp.&MFC42.#800_CString::~CString>
0040182B 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
0040182F 5F pop edi
00401830 5E pop esi
00401831 5D pop ebp
00401832 64:890D 0000000>mov dword ptr fs:[0],ecx
00401839 5B pop ebx
0040183A 83C4 18 add esp,18
0040183D C3 retn
Now let's see how the call at 0040176C turns the first 24 characters of the trial code, "123456789012345678901234", into "bc72d9ecab02aa976eec91bc":
00401AA0 6A FF push -1
00401AA2 68 184D7900 push G2F.00794D18
00401AA7 64:A1 00000000 mov eax,dword ptr fs:[0]
00401AAD 50 push eax
00401AAE 64:8925 0000000>mov dword ptr fs:[0],esp
00401AB5 83EC 3C sub esp,3C
00401AB8 53 push ebx
00401AB9 56 push esi
00401ABA 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401ABE C74424 4C 00000>mov dword ptr ss:[esp+4C],0
00401AC6 E8 17102D00 call <jmp.&MFC42.#540_CString::CString>
00401ACB 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00401ACF C64424 4C 01 mov byte ptr ss:[esp+4C],1
00401AD4 E8 09102D00 call <jmp.&MFC42.#540_CString::CString>
00401AD9 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00401ADD C64424 4C 02 mov byte ptr ss:[esp+4C],2
00401AE2 E8 FB0F2D00 call <jmp.&MFC42.#540_CString::CString>
00401AE7 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00401AEB C64424 4C 03 mov byte ptr ss:[esp+4C],3
00401AF0 E8 ED0F2D00 call <jmp.&MFC42.#540_CString::CString>
00401AF5 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401AF9 C64424 4C 04 mov byte ptr ss:[esp+4C],4
00401AFE E8 DF0F2D00 call <jmp.&MFC42.#540_CString::CString>
00401B03 8B7424 54 mov esi,dword ptr ss:[esp+54]
00401B07 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401B0B 56 push esi
00401B0C C64424 50 05 mov byte ptr ss:[esp+50],5
00401B11 E8 3E102D00 call <jmp.&MFC42.#535_CString::CString>
00401B16 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401B1A C64424 4C 06 mov byte ptr ss:[esp+4C],6
00401B1F E8 BE0F2D00 call <jmp.&MFC42.#540_CString::CString>
00401B24 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401B28 C64424 4C 07 mov byte ptr ss:[esp+4C],7
00401B2D E8 B00F2D00 call <jmp.&MFC42.#540_CString::CString>
00401B32 8D4424 18 lea eax,dword ptr ss:[esp+18]
00401B36 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00401B3A 50 push eax
00401B3B 8D5424 24 lea edx,dword ptr ss:[esp+24]
00401B3F 51 push ecx
00401B40 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00401B44 52 push edx
00401B45 50 push eax
00401B46 51 push ecx
00401B47 8D5424 6C lea edx,dword ptr ss:[esp+6C]
00401B4B BB 08000000 mov ebx,8
00401B50 8BCC mov ecx,esp
00401B52 896424 68 mov dword ptr ss:[esp+68],esp
00401B56 52 push edx
00401B57 885C24 64 mov byte ptr ss:[esp+64],bl
00401B5B E8 F40F2D00 call <jmp.&MFC42.#535_CString::CString>
00401B60 E8 DBFCFFFF call G2F.00401840 ; after this call 4 strings are produced: ASCII"5243", ASCII"a524", ASCII"5652", ASCII"2722"
00401B65 83C4 14 add esp,14
00401B68 8BCE mov ecx,esi
00401B6A E8 03102D00 call <jmp.&MFC42.#2614_CString::Empty>
00401B6F 8B4424 10 mov eax,dword ptr ss:[esp+10]
00401B73 8B48 F8 mov ecx,dword ptr ds:[eax-8] ; get the length of the first 24 characters of the trial code
00401B76 85C9 test ecx,ecx
00401B78 0F84 5C020000 je G2F.00401DDA ; jump if 0; it should not jump here
00401B7E 8D4C24 54 lea ecx,dword ptr ss:[esp+54]
00401B82 53 push ebx
00401B83 51 push ecx
00401B84 8D4C24 18 lea ecx,dword ptr ss:[esp+18] ; first iteration: ECX points to the first 24 characters of the trial code, "123456789012345678901234"
00401B88 E8 EB0F2D00 call <jmp.&MFC42.#4129_CString::Left> ; take the leftmost 8, "12345678"
00401B8D 50 push eax
00401B8E 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00401B92 C64424 50 09 mov byte ptr ss:[esp+50],9
00401B97 E8 AC0F2D00 call <jmp.&MFC42.#858_CString::operator=>
00401B9C 8D4C24 54 lea ecx,dword ptr ss:[esp+54]
00401BA0 885C24 4C mov byte ptr ss:[esp+4C],bl
00401BA4 E8 270F2D00 call <jmp.&MFC42.#800_CString::~CString>
00401BA9 8B5424 10 mov edx,dword ptr ss:[esp+10]
00401BAD 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401BB1 8B42 F8 mov eax,dword ptr ds:[edx-8]
00401BB4 83C0 F8 add eax,-8
00401BB7 50 push eax
00401BB8 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00401BBC 50 push eax
00401BBD E8 BC0F2D00 call <jmp.&MFC42.#5710_CString::Right> ; first iteration: take the rightmost 16 of the first 24 characters, "9012345678901234"
00401BC2 50 push eax
00401BC3 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401BC7 C64424 50 0A mov byte ptr ss:[esp+50],0A
00401BCC E8 770F2D00 call <jmp.&MFC42.#858_CString::operator=>
00401BD1 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00401BD5 885C24 4C mov byte ptr ss:[esp+4C],bl
00401BD9 E8 F20E2D00 call <jmp.&MFC42.#800_CString::~CString>
00401BDE 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401BE2 6A 04 push 4
00401BE4 51 push ecx
00401BE5 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00401BE9 E8 8A0F2D00 call <jmp.&MFC42.#4129_CString::Left> ; take the leftmost 4 of "12345678", "1234"
00401BEE 50 push eax
00401BEF 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401BF3 C64424 50 0B mov byte ptr ss:[esp+50],0B
00401BF8 E8 4B0F2D00 call <jmp.&MFC42.#858_CString::operator=>
00401BFD 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401C01 885C24 4C mov byte ptr ss:[esp+4C],bl
00401C05 E8 C60E2D00 call <jmp.&MFC42.#800_CString::~CString>
00401C0A 8D5424 30 lea edx,dword ptr ss:[esp+30]
00401C0E 6A 04 push 4
00401C10 52 push edx
00401C11 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00401C15 E8 640F2D00 call <jmp.&MFC42.#5710_CString::Right> ; take the rightmost 4 of "12345678", "5678"
00401C1A 50 push eax
00401C1B 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401C1F C64424 50 0C mov byte ptr ss:[esp+50],0C
00401C24 E8 1F0F2D00 call <jmp.&MFC42.#858_CString::operator=>
00401C29 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00401C2D 885C24 4C mov byte ptr ss:[esp+4C],bl
00401C31 E8 9A0E2D00 call <jmp.&MFC42.#800_CString::~CString>
00401C36 51 push ecx
00401C37 8D4424 24 lea eax,dword ptr ss:[esp+24]
00401C3B 8BCC mov ecx,esp
00401C3D 896424 40 mov dword ptr ss:[esp+40],esp
00401C41 50 push eax
00401C42 E8 0D0F2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"5652"
00401C47 51 push ecx
00401C48 8D5424 2C lea edx,dword ptr ss:[esp+2C]
00401C4C 8BCC mov ecx,esp
00401C4E 896424 48 mov dword ptr ss:[esp+48],esp
00401C52 52 push edx
00401C53 C64424 58 0D mov byte ptr ss:[esp+58],0D
00401C58 E8 F70E2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"2722"
00401C5D 8D4424 10 lea eax,dword ptr ss:[esp+10] ; ASCII"5678"
00401C61 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; ASCII"1234"
00401C65 50 push eax
00401C66 51 push ecx
00401C67 885C24 5C mov byte ptr ss:[esp+5C],bl
00401C6B E8 00020000 call G2F.00401E70
00401C70 8D5424 18 lea edx,dword ptr ss:[esp+18] ; ASCII"9078"
00401C74 8D4424 1C lea eax,dword ptr ss:[esp+1C] ; ASCII"6fae"
00401C78 52 push edx
00401C79 50 push eax
00401C7A E8 61050000 call G2F.004021E0 ; afterwards we obtain ASCII"7890", ASCII"ae6f"
00401C7F 83C4 14 add esp,14
00401C82 8D5424 1C lea edx,dword ptr ss:[esp+1C]
00401C86 8BCC mov ecx,esp
00401C88 896424 44 mov dword ptr ss:[esp+44],esp
00401C8C 52 push edx
00401C8D E8 C20E2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"5243"
00401C92 51 push ecx
00401C93 8D4424 24 lea eax,dword ptr ss:[esp+24]
00401C97 8BCC mov ecx,esp
00401C99 896424 44 mov dword ptr ss:[esp+44],esp
00401C9D 50 push eax
00401C9E C64424 58 0E mov byte ptr ss:[esp+58],0E
00401CA3 E8 AC0E2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"a524"
00401CA8 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; ASCII"ae6f"
00401CAC 8D5424 14 lea edx,dword ptr ss:[esp+14] ; ASCII"7890"
00401CB0 51 push ecx
00401CB1 52 push edx
00401CB2 885C24 5C mov byte ptr ss:[esp+5C],bl
00401CB6 E8 B5010000 call G2F.00401E70
00401CBB 8D4424 18 lea eax,dword ptr ss:[esp+18] ; ASCII"d329"
00401CBF 8D4C24 1C lea ecx,dword ptr ss:[esp+1C] ; ASCII"2b03"
00401CC3 50 push eax
00401CC4 51 push ecx
00401CC5 E8 16050000 call G2F.004021E0 ; afterwards we obtain ASCII"29d3", ASCII"032b"
00401CCA 83C4 14 add esp,14
00401CCD 8D5424 20 lea edx,dword ptr ss:[esp+20]
00401CD1 8BCC mov ecx,esp
00401CD3 896424 44 mov dword ptr ss:[esp+44],esp
00401CD7 52 push edx
00401CD8 E8 770E2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"a524"
00401CDD 51 push ecx
00401CDE 8D4424 20 lea eax,dword ptr ss:[esp+20]
00401CE2 8BCC mov ecx,esp
00401CE4 896424 44 mov dword ptr ss:[esp+44],esp
00401CE8 50 push eax
00401CE9 C64424 58 0F mov byte ptr ss:[esp+58],0F
00401CEE E8 610E2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"5243"
00401CF3 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; ASCII"032b"
00401CF7 8D5424 14 lea edx,dword ptr ss:[esp+14] ; ASCII"29d3"
00401CFB 51 push ecx
00401CFC 52 push edx
00401CFD 885C24 5C mov byte ptr ss:[esp+5C],bl
00401D01 E8 6A010000 call G2F.00401E70
00401D06 8D4424 18 lea eax,dword ptr ss:[esp+18] ; ASCII"22ca"
00401D0A 8D4C24 1C lea ecx,dword ptr ss:[esp+1C] ; ASCII"7cbd"
00401D0E 50 push eax
00401D0F 51 push ecx
00401D10 E8 CB040000 call G2F.004021E0 ; afterwards we obtain ASCII"ca22", ASCII"bd7c"
00401D15 83C4 14 add esp,14
00401D18 8D5424 28 lea edx,dword ptr ss:[esp+28]
00401D1C 8BCC mov ecx,esp
00401D1E 896424 44 mov dword ptr ss:[esp+44],esp
00401D22 52 push edx
00401D23 E8 2C0E2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"2722"
00401D28 51 push ecx
00401D29 8D4424 28 lea eax,dword ptr ss:[esp+28]
00401D2D 8BCC mov ecx,esp
00401D2F 896424 44 mov dword ptr ss:[esp+44],esp
00401D33 50 push eax
00401D34 C64424 58 10 mov byte ptr ss:[esp+58],10
00401D39 E8 160E2D00 call <jmp.&MFC42.#535_CString::CString> ; get ASCII"5652"
00401D3E 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; ASCII"bd7c"
00401D42 8D5424 14 lea edx,dword ptr ss:[esp+14] ; ASCII"ca22"
00401D46 51 push ecx
00401D47 52 push edx
00401D48 885C24 5C mov byte ptr ss:[esp+5C],bl
00401D4C E8 1F010000 call G2F.00401E70
00401D51 83C4 10 add esp,10
00401D54 8D4424 0C lea eax,dword ptr ss:[esp+C] ; ASCII"d9ec"
00401D58 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; ASCII"12345678"
00401D5C 50 push eax
00401D5D E8 E60D2D00 call <jmp.&MFC42.#858_CString::operator=> ; get ASCII"d9ec"
00401D62 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401D66 51 push ecx
00401D67 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401D6B E8 D80D2D00 call <jmp.&MFC42.#858_CString::operator=>
00401D70 8D5424 14 lea edx,dword ptr ss:[esp+14] ; get ASCII"bc72"
00401D74 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401D78 52 push edx
00401D79 E8 CA0D2D00 call <jmp.&MFC42.#858_CString::operator=>
00401D7E 8D4424 0C lea eax,dword ptr ss:[esp+C] ; get ASCII"d9ec"
00401D82 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
00401D86 50 push eax
00401D87 56 push esi
00401D88 51 push ecx
00401D89 E8 C00D2D00 call <jmp.&MFC42.#922_operator+> ; gives ASCII"bc72"
00401D8E 8D5424 08 lea edx,dword ptr ss:[esp+8]
00401D92 C64424 4C 11 mov byte ptr ss:[esp+4C],11
00401D97 52 push edx
00401D98 50 push eax
00401D99 8D4424 3C lea eax,dword ptr ss:[esp+3C]
00401D9D 50 push eax
00401D9E E8 AB0D2D00 call <jmp.&MFC42.#922_operator+> ; gives ASCII"bc72d9ec"
00401DA3 50 push eax
00401DA4 8BCE mov ecx,esi
00401DA6 C64424 50 12 mov byte ptr ss:[esp+50],12
00401DAB E8 980D2D00 call <jmp.&MFC42.#858_CString::operator=>
00401DB0 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
00401DB4 C64424 4C 11 mov byte ptr ss:[esp+4C],11
00401DB9 E8 120D2D00 call <jmp.&MFC42.#800_CString::~CString>
00401DBE 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
00401DC2 885C24 4C mov byte ptr ss:[esp+4C],bl
00401DC6 E8 050D2D00 call <jmp.&MFC42.#800_CString::~CString>
00401DCB 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00401DCF 8B41 F8 mov eax,dword ptr ds:[ecx-8] ; eax=10H
00401DD2 85C0 test eax,eax
00401DD4 ^ 0F85 A4FDFFFF jnz G2F.00401B7E ; the loop runs 3 times in total
00401DDA 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401DDE C64424 4C 07 mov byte ptr ss:[esp+4C],7
00401DE3 E8 E80C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401DE8 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401DEC C64424 4C 06 mov byte ptr ss:[esp+4C],6
00401DF1 E8 DA0C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401DF6 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401DFA C64424 4C 05 mov byte ptr ss:[esp+4C],5
00401DFF E8 CC0C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401E04 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401E08 C64424 4C 04 mov byte ptr ss:[esp+4C],4
00401E0D E8 BE0C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401E12 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00401E16 C64424 4C 03 mov byte ptr ss:[esp+4C],3
00401E1B E8 B00C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401E20 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00401E24 C64424 4C 02 mov byte ptr ss:[esp+4C],2
00401E29 E8 A20C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401E2E 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00401E32 C64424 4C 01 mov byte ptr ss:[esp+4C],1
00401E37 E8 940C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401E3C 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401E40 C64424 4C 00 mov byte ptr ss:[esp+4C],0
00401E45 E8 860C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401E4A 8D4C24 58 lea ecx,dword ptr ss:[esp+58]
00401E4E C74424 4C FFFFF>mov dword ptr ss:[esp+4C],-1
00401E56 E8 750C2D00 call <jmp.&MFC42.#800_CString::~CString>
00401E5B 8B4C24 44 mov ecx,dword ptr ss:[esp+44]
00401E5F 5E pop esi
00401E60 64:890D 0000000>mov dword ptr fs:[0],ecx
00401E67 5B pop ebx
00401E68 83C4 48 add esp,48
00401E6B C3 retn
Now let's look at this routine. The call at 00401B60 produces 4 ASCII strings: "5243", "a524", "5652", "2722". Stepping into call G2F.00401E70 and call G2F.004021E0 (the code is long and has further sub-calls, so I won't go through all of it) and using the trial code as the example:
(I) First iteration: take the first 8 of the trial code's first 24 characters, "12345678", and split them into "1234" and "5678", called part ① and part ② of the trial code. The computation is:
(1) Add 0x5678 (part ②) and 0x2722 to get 0x7d9a, then XOR with 0x1234 (part ①) to get 0x6fae;
add 0x6fae and 0x5652 to get 0xc600, then XOR with 0x5678 (part ②) to get 0x9078.
call G2F.004021E0 turns 0x6fae and 0x9078 into 0xae6f and 0x7890.
(2) Add 0xae6f and 0xa524 to get 0x5393, then XOR with 0x7890 to get 0x2b03;
add 0x2b03 and 0x5243 to get 0x7d46, then XOR with 0xae6f to get 0xd329.
call G2F.004021E0 turns 0x2b03 and 0xd329 into 0x032b and 0x29d3.
(3) Add 0x032b and 0x5243 to get 0x556e, then XOR with 0x29d3 to get 0x7cbd;
add 0x7cbd and 0xa524 to get 0x21e1, then XOR with 0x032b to get 0x22ca.
call G2F.004021E0 turns 0x7cbd and 0x22ca into 0xbd7c and 0xca22.
(4) Add 0xbd7c and 0x5652 to get 0x13ce, then XOR with 0xca22 to get 0xd9ec;
add 0xd9ec and 0x2722 to get 0x010e, then XOR with 0xbd7c to get 0xbc72.
Finally 0xd9ec and 0xbc72 are joined to form 0xbc72d9ec.
(II) Second iteration: take the middle 8 of the trial code's first 24 characters, "90123456", and split them into "9012" and "3456", called part ③ and part ④ of the trial code. The computation is:
(1) Add 0x3456 (part ④) and 0x2722 to get 0x5b78, then XOR with 0x9012 (part ③) to get 0xcb6a;
add 0xcb6a and 0x5652 to get 0x21bc, then XOR with 0x3456 (part ④) to get 0x15ea.
call G2F.004021E0 turns 0xcb6a and 0x15ea into 0x6acb and 0xea15.
(2) Add 0x6acb and 0xa524 to get 0x0fef, then XOR with 0xea15 to get 0xe5fa;
add 0xe5fa and 0x5243 to get 0x383d, then XOR with 0x6acb to get 0x52f6.
call G2F.004021E0 turns 0xe5fa and 0x52f6 into 0xfae5 and 0xf652.
(3) Add 0xfae5 and 0x5243 to get 0x4d28, then XOR with 0xf652 to get 0xbb7a;
add 0xbb7a and 0xa524 to get 0x609e, then XOR with 0xfae5 to get 0x9a7b.
call G2F.004021E0 turns 0xbb7a and 0x9a7b into 0x7abb and 0x7b9a.
(4) Add 0x7abb and 0x5652 to get 0xd10d, then XOR with 0x7b9a to get 0xaa97;
add 0xaa97 and 0x2722 to get 0xd1b9, then XOR with 0x7abb to get 0xab02.
Finally 0xab02 and 0xaa97 are joined to form 0xab02aa97, which combined with the first iteration's result 0xbc72d9ec gives 0xbc72d9ecab02aa97.
(III) Third iteration: take the last 8 of the trial code's first 24 characters, "78901234", and split them into "7890" and "1234", called part ⑤ and part ⑥ of the trial code. The computation is:
(1) Add 0x1234 (part ⑥) and 0x2722 to get 0x3956, then XOR with 0x7890 (part ⑤) to get 0x41c6;
add 0x41c6 and 0x5652 to get 0x9818, then XOR with 0x1234 (part ⑥) to get 0x8a2c.
call G2F.004021E0 turns 0x41c6 and 0x8a2c into 0xc641 and 0x2c8a.
(2) Add 0xc641 and 0xa524 to get 0x6b65, then XOR with 0x2c8a to get 0x47ef;
add 0x47ef and 0x5243 to get 0x9a32, then XOR with 0xc641 to get 0x5c73.
call G2F.004021E0 turns 0x47ef and 0x5c73 into 0xef47 and 0x735c.
(3) Add 0xef47 and 0x5243 to get 0x418a, then XOR with 0x735c to get 0x32d6;
add 0x32d6 and 0xa524 to get 0xd7fa, then XOR with 0xef47 to get 0x38bd.
call G2F.004021E0 turns 0x32d6 and 0x38bd into 0xd632 and 0xbd38.
(4) Add 0xd632 and 0x5652 to get 0x2c84, then XOR with 0xbd38 to get 0x91bc;
add 0x91bc and 0x2722 to get 0xb8de, then XOR with 0xd632 to get 0x6eec.
Finally 0x91bc and 0x6eec are joined to form 0x6eec91bc, which combined with the results of the previous two iterations gives 0xbc72d9ecab02aa976eec91bc.
All the additions above discard the carry out of the top bit. When the trial code is converted to its numeric value, the digits 0-9 map to hex 0-9, a-f and A-F map to hex A-F, and any other letter maps to 0, before the addition or XOR is done. Those interested can step into each call and look for themselves, but there are several sub-calls inside and it made my head spin :( Now let's see how the call at 00401B60 obtains those 4 ASCII strings:
00401840 6A FF push -1
00401842 68 684C7900 push G2F.00794C68
00401847 64:A1 00000000 mov eax,dword ptr fs:[0]
0040184D 50 push eax
0040184E 64:8925 0000000>mov dword ptr fs:[0],esp
00401855 83EC 0C sub esp,0C
00401858 53 push ebx
00401859 56 push esi
0040185A 8D4424 24 lea eax,dword ptr ss:[esp+24]
0040185E 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401862 50 push eax
00401863 C74424 20 00000>mov dword ptr ss:[esp+20],0
0040186B E8 E4122D00 call <jmp.&MFC42.#535_CString::CString>
00401870 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401874 C64424 1C 01 mov byte ptr ss:[esp+1C],1
00401879 E8 64122D00 call <jmp.&MFC42.#540_CString::CString>
0040187E 8B4C24 24 mov ecx,dword ptr ss:[esp+24] ; get ASCII"2r%e*RE$"
00401882 B3 02 mov bl,2
00401884 885C24 1C mov byte ptr ss:[esp+1C],bl
00401888 8B41 F8 mov eax,dword ptr ds:[ecx-8] ; get the length of ASCII"2r%e*RE$"
0040188B 83F8 08 cmp eax,8
0040188E 7D 18 jge short G2F.004018A8 ; if it is >= 8, jump to 004018A8
00401890 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401894 51 push ecx
00401895 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00401899 E8 BC122D00 call <jmp.&MFC42.#939_CString::operator+=>
0040189E 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
004018A2 8379 F8 08 cmp dword ptr ds:[ecx-8],8
004018A6 ^ 7C E8 jl short G2F.00401890
004018A8 8379 F8 08 cmp dword ptr ds:[ecx-8],8
004018AC 7E 2C jle short G2F.004018DA ; if the length is <= 8, jump to 004018DA
004018AE 8D5424 10 lea edx,dword ptr ss:[esp+10]
004018B2 6A 08 push 8
004018B4 52 push edx
004018B5 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004018B9 E8 BA122D00 call <jmp.&MFC42.#4129_CString::Left>
004018BE 50 push eax
004018BF 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004018C3 C64424 20 03 mov byte ptr ss:[esp+20],3
004018C8 E8 7B122D00 call <jmp.&MFC42.#858_CString::operator=>
004018CD 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004018D1 885C24 1C mov byte ptr ss:[esp+1C],bl
004018D5 E8 F6112D00 call <jmp.&MFC42.#800_CString::~CString>
004018DA 33F6 xor esi,esi ; clear esi
004018DC 8B4424 24 mov eax,dword ptr ss:[esp+24] ; get ASCII"2r%e*RE$"
004018E0 0FBE0406 movsx eax,byte ptr ds:[esi+eax] ; get the ASCII code of the first character '2', 32H
004018E4 85C0 test eax,eax
004018E6 7D 05 jge short G2F.004018ED ; jump if >= 0
004018E8 05 00010000 add eax,100
004018ED 50 push eax
004018EE 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004018F2 68 58598700 push G2F.00875958 ; ASCII "%x"
004018F7 51 push ecx
004018F8 E8 2D122D00 call <jmp.&MFC42.#2818_CString::Format> ; format 32H as ASCII"32"
004018FD 83C4 0C add esp,0C
00401900 8D5424 0C lea edx,dword ptr ss:[esp+C]
00401904 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401908 52 push edx
00401909 E8 4C122D00 call <jmp.&MFC42.#939_CString::operator+=>
0040190E 46 inc esi
0040190F 83FE 08 cmp esi,8
00401912 ^ 7C C8 jl short G2F.004018DC ; runs 8 times, taking the ASCII codes of the string "2r%e*RE$" in turn to form "327225652a524524"
00401914 8D4424 10 lea eax,dword ptr ss:[esp+10]
00401918 6A 01 push 1
0040191A 50 push eax
0040191B 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040191F E8 54122D00 call <jmp.&MFC42.#4129_CString::Left> ; take the leftmost character of ASCII"327225652a524524", "3"
00401924 50 push eax
00401925 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401929 C64424 20 04 mov byte ptr ss:[esp+20],4
0040192E E8 15122D00 call <jmp.&MFC42.#858_CString::operator=>
00401933 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401937 885C24 1C mov byte ptr ss:[esp+1C],bl
0040193B E8 90112D00 call <jmp.&MFC42.#800_CString::~CString>
00401940 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401944 8D5424 08 lea edx,dword ptr ss:[esp+8]
00401948 51 push ecx
00401949 8D4424 14 lea eax,dword ptr ss:[esp+14]
0040194D 52 push edx
0040194E 50 push eax
0040194F E8 FA112D00 call <jmp.&MFC42.#922_operator+> ; append the "3" to ASCII"327225652a524524", giving ASCII"327225652a5245243"
00401954 50 push eax
00401955 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401959 C64424 20 05 mov byte ptr ss:[esp+20],5
0040195E E8 E5112D00 call <jmp.&MFC42.#858_CString::operator=>
00401963 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401967 885C24 1C mov byte ptr ss:[esp+1C],bl
0040196B E8 60112D00 call <jmp.&MFC42.#800_CString::~CString>
00401970 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
00401974 8D5424 10 lea edx,dword ptr ss:[esp+10] ; points to ASCII"327225652a5245243"
00401978 8B41 F8 mov eax,dword ptr ds:[ecx-8] ; eax=11H, the length of ASCII"327225652a5245243"
0040197B 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040197F 48 dec eax ; eax=10H
00401980 50 push eax
00401981 52 push edx
00401982 E8 F7112D00 call <jmp.&MFC42.#5710_CString::Right> ; take the rightmost 16 of ASCII"327225652a5245243", giving ASCII"27225652a5245243"
00401987 50 push eax
00401988 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040198C C64424 20 06 mov byte ptr ss:[esp+20],6
00401991 E8 B2112D00 call <jmp.&MFC42.#858_CString::operator=>
00401996 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040199A 885C24 1C mov byte ptr ss:[esp+1C],bl
0040199E E8 2D112D00 call <jmp.&MFC42.#800_CString::~CString>
004019A3 6A 04 push 4
004019A5 8D4424 14 lea eax,dword ptr ss:[esp+14]
004019A9 6A 00 push 0
004019AB 50 push eax
004019AC 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
004019B0 E8 B7112D00 call <jmp.&MFC42.#4278_CString::Mid> ; take the leftmost 4 characters of ASCII "27225652a5245243", giving ASCII "2722"
004019B5 8B4C24 28 mov ecx,dword ptr ss:[esp+28]
004019B9 50 push eax
004019BA C64424 20 07 mov byte ptr ss:[esp+20],7
004019BF E8 84112D00 call <jmp.&MFC42.#858_CString::operator=>
004019C4 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004019C8 885C24 1C mov byte ptr ss:[esp+1C],bl
004019CC E8 FF102D00 call <jmp.&MFC42.#800_CString::~CString>
004019D1 6A 04 push 4
004019D3 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004019D7 6A 04 push 4
004019D9 51 push ecx
004019DA 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
004019DE E8 89112D00 call <jmp.&MFC42.#4278_CString::Mid> ; take 4 characters from the middle of ASCII "27225652a5245243", giving ASCII "5652"
004019E3 8B4C24 2C mov ecx,dword ptr ss:[esp+2C]
004019E7 50 push eax
004019E8 C64424 20 08 mov byte ptr ss:[esp+20],8
004019ED E8 56112D00 call <jmp.&MFC42.#858_CString::operator=>
004019F2 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004019F6 885C24 1C mov byte ptr ss:[esp+1C],bl
004019FA E8 D1102D00 call <jmp.&MFC42.#800_CString::~CString>
004019FF 6A 04 push 4
00401A01 8D5424 2C lea edx,dword ptr ss:[esp+2C]
00401A05 6A 08 push 8
00401A07 52 push edx
00401A08 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00401A0C E8 5B112D00 call <jmp.&MFC42.#4278_CString::Mid> ; take the other 4 middle characters of ASCII "27225652a5245243", giving ASCII "a524"
00401A11 C64424 1C 09 mov byte ptr ss:[esp+1C],9
00401A16 50 push eax
00401A17 8B4C24 34 mov ecx,dword ptr ss:[esp+34]
00401A1B E8 28112D00 call <jmp.&MFC42.#858_CString::operator=>
00401A20 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00401A24 885C24 1C mov byte ptr ss:[esp+1C],bl
00401A28 E8 A3102D00 call <jmp.&MFC42.#800_CString::~CString>
00401A2D 6A 04 push 4
00401A2F 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00401A33 6A 0C push 0C
00401A35 50 push eax
00401A36 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00401A3A E8 2D112D00 call <jmp.&MFC42.#4278_CString::Mid> ; take the last 4 characters of ASCII "27225652a5245243", giving ASCII "5243"
00401A3F 8B4C24 34 mov ecx,dword ptr ss:[esp+34]
00401A43 50 push eax
00401A44 C64424 20 0A mov byte ptr ss:[esp+20],0A
00401A49 E8 FA102D00 call <jmp.&MFC42.#858_CString::operator=>
00401A4E 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00401A52 885C24 1C mov byte ptr ss:[esp+1C],bl
00401A56 E8 75102D00 call <jmp.&MFC42.#800_CString::~CString>
00401A5B 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401A5F C64424 1C 01 mov byte ptr ss:[esp+1C],1
00401A64 E8 67102D00 call <jmp.&MFC42.#800_CString::~CString>
00401A69 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401A6D C64424 1C 00 mov byte ptr ss:[esp+1C],0
00401A72 E8 59102D00 call <jmp.&MFC42.#800_CString::~CString>
00401A77 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401A7B C74424 1C FFFFF>mov dword ptr ss:[esp+1C],-1
00401A83 E8 48102D00 call <jmp.&MFC42.#800_CString::~CString>
00401A88 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
00401A8C 5E pop esi
00401A8D 5B pop ebx
00401A8E 64:890D 0000000>mov dword ptr fs:[0],ecx
00401A95 83C4 18 add esp,18
00401A98 C3 retn
As can be seen, this subroutine first obtains the string "2r%e*RE$", then takes the ASCII code of each character in turn to get "327225652a524524", then moves the leftmost character to the end, giving "327225652a5245243", then takes the rightmost 16 characters (i.e. drops the first one), giving "27225652a5245243", and finally splits that into the four parts "2722", "5652", "a524" and "5243".
That is the whole registration process of this program: the E-mail takes no part in the registration. After registration the registration code is saved in the Key value under HKEY_CURRENT_USER\SOFTWARE\AutoDwg\DWG_DWF_CONVER and HKEY_LOCAL_MACHINE\SOFTWARE\AutoDwg\DWG_DWF_CONVER in the registry.
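The point above, that the E-mail takes no part in the check, is the design flaw that makes this scheme weak: every copy of the program accepts the same code, so one code serves every user. The following Python is an added illustration written for this page, not code from the page or from AutoDWG. It contrasts a code derived from a constant embedded in the program (with a placeholder seed standing in for the program's own constant) against a code bound to the licensee's e-mail with an HMAC held by the vendor; the e-mail addresses, seed and secret are constructed placeholders.

```python
"""Constant-derived registration code versus an e-mail-bound one.

Added illustration for this analysis; all values below are constructed.
"""
import hashlib
import hmac

# Placeholder stand-in for a constant string baked into the binary.
EMBEDDED_SEED = b"placeholder-seed"
KEY_LEN = 26  # the trial codes on this page are 26 characters long


def constant_scheme_code(email: str) -> str:
    """Code derived from the embedded constant alone.

    The e-mail is accepted but, as in the analysed program, ignored.
    """
    digest = hashlib.sha256(EMBEDDED_SEED).hexdigest()
    return digest[:KEY_LEN].upper()


def constant_scheme_check(email: str, code: str) -> bool:
    """Client-side check of the constant-derived scheme."""
    return hmac.compare_digest(code, constant_scheme_code(email))


# Hardened variant: the vendor keeps SERVER_SECRET and issues codes bound
# to the buyer's e-mail. The secret must not ship inside the client.
SERVER_SECRET = b"placeholder-server-secret"


def bound_scheme_code(email: str) -> str:
    """Code issued by the vendor for one specific e-mail address."""
    normalised = email.strip().lower().encode()
    mac = hmac.new(SERVER_SECRET, normalised, hashlib.sha256)
    return mac.hexdigest()[:KEY_LEN].upper()


def bound_scheme_check(email: str, code: str) -> bool:
    """Vendor-side check: the code is only valid together with its e-mail."""
    return hmac.compare_digest(code, bound_scheme_code(email))


def demo() -> dict:
    """Compare both schemes for two constructed licensees."""
    alice, bob = "alice@example.com", "bob@example.com"
    a_const, b_const = constant_scheme_code(alice), constant_scheme_code(bob)
    a_bound, b_bound = bound_scheme_code(alice), bound_scheme_code(bob)
    return {
        # Same code for everyone, and Alice's code works for Bob.
        "constant_same_for_everyone": a_const == b_const,
        "constant_code_transfers": constant_scheme_check(bob, a_const),
        # Per-user codes; Alice's code is rejected for Bob but valid for her.
        "bound_differs_per_user": a_bound != b_bound,
        "bound_code_transfers": bound_scheme_check(bob, a_bound),
        "bound_own_code_valid": bound_scheme_check(alice, a_bound),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The HMAC variant only helps while the verifying secret stays with the vendor; if the client verifies the code itself, the secret can be read out of the binary exactly as the constant was read out here. A product that must verify offline should instead ship a public key and accept only codes carrying a signature, made with the vendor's private key, over the e-mail address.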
A working registration code: 47B56EE059B8619146256D5C56
I am only just starting to learn cracking and there is still a lot I do not understand, so mistakes and unclear explanations are inevitable; I hope the experts will not be stingy with their advice!!!
PS: while using it I found that this program does not support Chinese fonts when converting, and the save path does not accept Chinese characters either. My colleague said: "How did you crack this? How is anyone supposed to use it? Go and change it so it supports Chinese, hurry up!" I #¥%……※×