【Software】: desktop software
【Download】: http://gamerstower.com/updates/
【Protection】: registration code
【Author's note】: I am a beginner at cracking and did this purely out of interest, for no other purpose. Corrections of any mistakes from the experts are welcome!
【Tools】: PEiD, DeDe, OllyDbg, W32DSM, FileMon
【Cracking process】:
No packer; PEiD identifies it as Borland Delphi 6.0-7.0.
Load it in OllyDbg:
004C4F20 >/$ 55 PUSH EBP ; stops here at the entry point; single-step a few instructions with F8 first
004C4F21 |. 8BEC MOV EBP,ESP
004C4F23 |. 83C4 E4 ADD ESP,-1C
004C4F26 |. 53 PUSH EBX
004C4F27 |. 33C0 XOR EAX,EAX
...
004C50B4 |. A1 40B74C00 MOV EAX,DWORD PTR DS:[4CB740] ; [4CB740]=4CA7C0
004C50B9 |. 8038 00 CMP BYTE PTR DS:[EAX],0 ; [4CA7C0]=1 -> the registration prompt appears
004C50BC |. 75 14 JNZ SHORT MUD2004.004C50D2
004C50BE |. A1 60B44C00 MOV EAX,DWORD PTR DS:[4CB460]
004C50C3 |. 8038 00 CMP BYTE PTR DS:[EAX],0
004C50C6 |. 74 2B JE SHORT MUD2004.004C50F3
004C50C8 |. A1 54B64C00 MOV EAX,DWORD PTR DS:[4CB654]
004C50CD |. 8038 00 CMP BYTE PTR DS:[EAX],0
004C50D0 |. 75 21 JNZ SHORT MUD2004.004C50F3
004C50D2 |> 6A 00 PUSH 0 ; /Arg1 = 00000000
004C50D4 |. 66:8B0D 50534>MOV CX,WORD PTR DS:[4C5350] ; |
004C50DB |. B2 03 MOV DL,3 ; |
004C50DD |. B8 5C534C00 MOV EAX,MUD2004.004C535C ; |ASCII "Do you want to register your copy Multi User Desktop 2004?"
004C50E2 |. E8 B1A2F7FF CALL MUD2004.0043F398 ; \MUD2004.0043F398
004C50E7 |. 83F8 06 CMP EAX,6
004C50EA |. 75 07 JNZ SHORT MUD2004.004C50F3
004C50EC |. C605 E4B14C00>MOV BYTE PTR DS:[4CB1E4],1
004C50F3 |> A1 54B64C00 MOV EAX,DWORD PTR DS:[4CB654] ; [4CB654]=4CA7D8
004C50F8 |. 8038 00 CMP BYTE PTR DS:[EAX],0 ; if [4CA7D8]=1 the activation prompt appears
004C50FB |. 74 21 JE SHORT MUD2004.004C511E
004C50FD |. 6A 00 PUSH 0 ; /Arg1 = 00000000
004C50FF |. 66:8B0D 50534>MOV CX,WORD PTR DS:[4C5350] ; |
004C5106 |. B2 03 MOV DL,3 ; |
004C5108 |. B8 A0534C00 MOV EAX,MUD2004.004C53A0 ; |ASCII "Do you want to activate your copy Multi User Desktop 2004?"
004C510D |. E8 86A2F7FF CALL MUD2004.0043F398 ; \MUD2004.0043F398
004C5112 |. 83F8 06 CMP EAX,6
004C5115 |. 75 07 JNZ SHORT MUD2004.004C511E
004C5117 |. C605 E8B14C00>MOV BYTE PTR DS:[4CB1E8],1
004C511E |> A1 B0B54C00 MOV EAX,DWORD PTR DS:[4CB5B0]
...
Findings so far:
[4CB740]=4CA7C0
[4CA7C0]=1 -> registration prompt appears
[4CB654]=4CA7D8
[4CA7D8]=1 -> activation prompt appears
Analysed with DeDe 3.50, combined with dynamic tracing in OllyDbg:
procedure TMD2004SettingsWnd.FormCreate(Sender : TObject);
004B9E34 /. 55 PUSH EBP
004B9E35 |. 8BEC MOV EBP,ESP
004B9E37 |. 33C9 XOR ECX,ECX
...
* Reference to: Unit_00491B98.Proc_004922CC
|
004B9EB4 |. E8 1384FDFF CALL MUD2004.004922CC ; important CALL: sets the license flags, needs careful tracing and analysis
004B9EB9 |. A1 40B74C00 MOV EAX,DWORD PTR DS:[4CB740] ; [4CB740]=4CA7C0
004B9EBE |. 8038 00 CMP BYTE PTR DS:[EAX],0 ; [4CA7C0]=01, need_register
004B9EC1 |. 75 18 JNZ SHORT MUD2004.004B9EDB
004B9EC3 |. A1 60B44C00 MOV EAX,DWORD PTR DS:[4CB460]
004B9EC8 |. 8038 00 CMP BYTE PTR DS:[EAX],0
004B9ECB |. 74 0A JE SHORT MUD2004.004B9ED7
004B9ECD |. A1 54B64C00 MOV EAX,DWORD PTR DS:[4CB654] ; [4CB654]=4CA7D8
004B9ED2 |. 8038 00 CMP BYTE PTR DS:[EAX],0 ; [4CA7D8]=01, need_activate
004B9ED5 |. 74 04 JE SHORT MUD2004.004B9EDB
004B9ED7 |> 33D2 XOR EDX,EDX
004B9ED9 |. EB 02 JMP SHORT MUD2004.004B9EDD
004B9EDB |> B2 01 MOV DL,1
* Reference to control TMD2004SettingsWnd.tsRegistration : TTabSheet
|
004B9EDD |> 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
* Reference to: ComCtrls.TTabSheet.SetTabVisible(TTabSheet;Boolean);
|
004B9EE3 |. E8 842DFEFF CALL MUD2004.0049CC6C
004B9EE8 |. 8B15 54B64C00 MOV EDX,DWORD PTR DS:[4CB654] ; MUD2004.004CA7D8
004B9EEE |. 8A12 MOV DL,BYTE PTR DS:[EDX]
* Reference to control TMD2004SettingsWnd.tsAct : TTabSheet
|
004B9EF0 |. 8B83 E8030000 MOV EAX,DWORD PTR DS:[EBX+3E8]
* Reference to: ComCtrls.TTabSheet.SetTabVisible(TTabSheet;Boolean);
|
004B9EF6 |. E8 712DFEFF CALL MUD2004.0049CC6C
004B9EFB |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
* Reference to: Unit_00484894.Proc_00484BA8
|
004B9EFE |. E8 A5ACFCFF CALL MUD2004.00484BA8
004B9F03 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
* Reference to control TMD2004SettingsWnd.eUser : TLabeledEdit
|
004B9F06 |. 8B83 C4030000 MOV EAX,DWORD PTR DS:[EBX+3C4]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
004B9F0C |. E8 63BEF8FF CALL MUD2004.00445D74
004B9F11 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B9F14 |. A1 F4B54C00 MOV EAX,DWORD PTR DS:[4CB5F4] ; [4CB5F4]=4CA7C8
004B9F19 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; [4CA7C8]=trial_period days
* Reference to: Unit_00407F88.Proc_00408F9C
|
004B9F1B |. E8 7CF0F4FF CALL MUD2004.00408F9C
004B9F20 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
* Possible String Reference to: ' days'
|
004B9F23 |. BA 94A14B00 MOV EDX,MUD2004.004BA194 ; ASCII " days"
* Reference to: System.@LStrCat;
|
004B9F28 |. E8 17ABF4FF CALL MUD2004.00404A44
004B9F2D |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
* Reference to control TMD2004SettingsWnd.lPeriod : TLabel
|
004B9F30 |. 8B83 B8030000 MOV EAX,DWORD PTR DS:[EBX+3B8]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
004B9F36 |. E8 39BEF8FF CALL MUD2004.00445D74
* Reference to pointer to GlobalVar_004CD2D4
|
004B9F3B |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004B9F3E |. A1 7CB74C00 MOV EAX,DWORD PTR DS:[4CB77C] ; [4CB77C] = 4CD2D4
004B9F43 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; [4CD2D4] = active_period days
...
004922CC /$ 55 PUSH EBP
004922CD |. 8BEC MOV EBP,ESP
004922CF |. E8 BCBEFDFF CALL MUD2004.0046E190 ; debugger detection
004922D4 |. 84C0 TEST AL,AL
004922D6 |. 75 42 JNZ SHORT MUD2004.0049231A ; debugger detected -> jump to 0049231A (forces a fresh-trial state)
004922D8 |. E8 83FBFFFF CALL MUD2004.00491E60 ; ******* the key logic is all in here (reads the .lic file and validates the code), trace and analyse carefully
004922DD |. 833D CCA74C00>CMP DWORD PTR DS:[4CA7CC],0 ; 0=trial version?
004922E4 |. 75 0E JNZ SHORT MUD2004.004922F4 ; No
004922E6 |. E8 EDF9FFFF CALL MUD2004.00491CD8
004922EB |. C605 D8A74C00>MOV BYTE PTR DS:[4CA7D8],0 ; 0 = do not show the activation prompt
004922F2 |. EB 4C JMP SHORT MUD2004.00492340
004922F4 |> C605 C0A74C00>MOV BYTE PTR DS:[4CA7C0],0 ; 0 = do not show the registration prompt
004922FB |. 803D D8A74C00>CMP BYTE PTR DS:[4CA7D8],0 ; need_activate?
00492302 |. 74 09 JE SHORT MUD2004.0049230D ;
00492304 |. 833D D4D24C00>CMP DWORD PTR DS:[4CD2D4],0 ; activate_period==0?
0049230B |. 74 04 JE SHORT MUD2004.00492311
0049230D |> 33C0 XOR EAX,EAX ; expired=0
0049230F |. EB 02 JMP SHORT MUD2004.00492313
00492311 |> B0 01 MOV AL,1 ; expired=1, license has expired
00492313 |> A2 C4A74C00 MOV BYTE PTR DS:[4CA7C4],AL ; expired
00492318 |. EB 26 JMP SHORT MUD2004.00492340
// debugger present: execution lands here
0049231A |> C605 C4A74C00>MOV BYTE PTR DS:[4CA7C4],0 ; not expired
00492321 |. C605 D8A74C00>MOV BYTE PTR DS:[4CA7D8],0 ; no activation needed
00492328 |. 33C0 XOR EAX,EAX
0049232A |. A3 CCA74C00 MOV DWORD PTR DS:[4CA7CC],EAX ; trial version
0049232F |. C605 C0A74C00>MOV BYTE PTR DS:[4CA7C0],1 ; need_register
00492336 |. C705 C8A74C00>MOV DWORD PTR DS:[4CA7C8],0E ; trial_period = 14 days
00492340 |> 803D C4A74C00>CMP BYTE PTR DS:[4CA7C4],0 ; expired?
00492347 |. 74 25 JE SHORT MUD2004.0049236E
00492349 |. 803D D8A74C00>CMP BYTE PTR DS:[4CA7D8],0 ; need_activate?
00492350 |. 75 1C JNZ SHORT MUD2004.0049236E
00492352 |. 33C0 XOR EAX,EAX
00492354 |. A3 CCA74C00 MOV DWORD PTR DS:[4CA7CC],EAX ; trial version
00492359 |. C605 D8A74C00>MOV BYTE PTR DS:[4CA7D8],0 ; no activate
00492360 |. C605 C0A74C00>MOV BYTE PTR DS:[4CA7C0],1 ; need_register
00492367 |. 33C0 XOR EAX,EAX
00492369 |. A3 C8A74C00 MOV DWORD PTR DS:[4CA7C8],EAX ; trial_period = 0 days
0049236E |> 5D POP EBP
0049236F \. C3 RETN
By changing the following values on the fly in OllyDbg, the meaning of each location is easy to work out:
dword [004CD2D4] activate_period (days left in the activation window)
byte [004CA7C0] 1 = need_register
byte [004CA7C4] 1 = expired
dword [004CA7C8] trial_period (days)
dword [004CA7CC] edition: 0 = trial, 1 = ST (Standard), 2 = PR (Professional), 3 = LT (Lite)
byte [004CA7D8] 1 = need_activate
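To check how these six flags interact without re-running the binary, here is the logic of 004922CC rewritten in Python. This is an added example, not code from the original writeup or from MUD2004. The debugger check at 0046E190 and the trial-expiry routine at 00491CD8 are not analysed on this page, so they are modelled as plain boolean inputs (an assumption). One practical point that falls straight out of the listing: when 0046E190 reports a debugger, 004922CC does not fail; it silently writes a fresh 14-day unregistered trial state, so flag values observed while single-stepping in OllyDbg are the anti-debug fallback rather than what a normal run produces, unless that call is patched or bypassed.

```python
"""License-state logic of MUD2004.004922CC rewritten in Python.
Added example, not code from the writeup or from the program. The debugger
check (0046E190) and the trial-expiry routine (00491CD8) are not analysed on
the page and are modelled as boolean inputs (assumption)."""
from dataclasses import dataclass, replace

TRIAL, STANDARD, PROFESSIONAL, LITE = 0, 1, 2, 3   # values of dword [004CA7CC]


@dataclass
class LicenseState:
    """The six globals the listing touches, as left by 00491E60 (.lic parsing)."""
    edition: int = TRIAL          # dword [004CA7CC]
    need_register: bool = True    # byte  [004CA7C0]
    expired: bool = False         # byte  [004CA7C4]
    trial_period: int = 14        # dword [004CA7C8]
    need_activate: bool = False   # byte  [004CA7D8]
    activate_period: int = 0      # dword [004CD2D4]


def check_license(from_lic: LicenseState, debugger_present: bool,
                  trial_expired: bool) -> LicenseState:
    """Apply the flag transitions of 004922CC to the state 00491E60 produced."""
    s = replace(from_lic)  # work on a copy
    if debugger_present:
        # 0049231A-00492336: no error, just a fresh unregistered 14-day trial
        s.expired = False
        s.need_activate = False
        s.edition = TRIAL
        s.need_register = True
        s.trial_period = 14
    elif s.edition == TRIAL:
        # 004922E6-004922F2: 00491CD8 decides expiry (modelled as input);
        # activation never applies to a trial
        s.expired = trial_expired
        s.need_activate = False
    else:
        # 004922F4-00492313: registered edition -> no registration prompt;
        # expired only when activation is pending and the window is at 0 days
        s.need_register = False
        s.expired = s.need_activate and s.activate_period == 0
    # 00492340-00492369: expired with no activation pending -> drop to a 0-day trial
    if s.expired and not s.need_activate:
        s.edition = TRIAL
        s.need_activate = False
        s.need_register = True
        s.trial_period = 0
    return s
```

Feeding the model the same values you would poke into [004CA7CC], [004CA7D8] and [004CD2D4] in OllyDbg reproduces the prompts seen at 004C50B4 and 004C50F3: a registered edition with need_activate=1 and activate_period=0 is the only combination that ends up both expired and still flagged for activation.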
To patch it here, change
004922E4 75 0E JNZ SHORT MUD2004.004922F4
to
004922E4 EB 0E JMP SHORT MUD2004.004922F4
(so the registered-edition branch is always taken). But the program has an integrity self-check, which would have to be defeated as well, so it is better to trace the registration code and analyse the algorithm instead.
FileMon shows that after the username and registration code are entered, the program reads and writes
C:\Documents and Settings\All Users\Application Data\Gamers Tower\Multi User Desktop 2004.lic
Open it in Notepad: the username is on line 1, the registration code on line 2.
// Start tracing
00491E60 $ 55 PUSH EBP
00491E61 . 8BEC MOV EBP,ESP
00491E63 . B9 42000000 MOV ECX,42
00491E68 > 6A 00 PUSH 0
00491E6A . 6A 00 PUSH 0
00491E6C . 49 DEC ECX
00491E6D .^ 75 F9 JNZ SHORT MUD2004.00491E68
00491E6F . 51 PUSH ECX
00491E70 . 33C0 XOR EAX,EAX
00491E72 . 55 PUSH EBP
00491E73 . 68 42224900 PUSH MUD2004.00492242
00491E78 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00491E7B . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00491E7E . 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
00491E84 . E8 9F8EFEFF CALL MUD2004.0047AD28
00491E89 . FFB5 24FEFFFF PUSH DWORD PTR SS:[EBP-1DC]
00491E8F . 68 58224900 PUSH MUD2004.00492258
00491E94 . 68 64224900 PUSH MUD2004.00492264 ; ASCII "Gamers Tower"
00491E99 . 68 58224900 PUSH MUD2004.00492258
00491E9E . 68 7C224900 PUSH MUD2004.0049227C ; ASCII "Multi User Desktop 2004"
00491EA3 . 68 9C224900 PUSH MUD2004.0049229C ; ASCII ".lic"
00491EA8 . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00491EAB . BA 06000000 MOV EDX,6
00491EB0 . E8 472CF7FF CALL MUD2004.00404AFC
00491EB5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; EAX=010A5A9C
010A5A9C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 C:\Documents and
010A5AAC 20 53 65 74 74 69 6E 67 73 5C 41 6C 6C 20 55 73 Settings\All Us
010A5ABC 65 72 73 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 ers\Application
010A5ACC 44 61 74 61 5C 47 61 6D 65 72 73 20 54 6F 77 65 Data\Gamers Towe
010A5ADC 72 5C 4D 75 6C 74 69 20 55 73 65 72 20 44 65 73 r\Multi User Des
010A5AEC 6B 74 6F 70 20 32 30 30 34 2E 6C 69 63 00 ktop 2004.lic.
00491EB8 . E8 9B74F7FF CALL MUD2004.00409358
00491EBD . 84C0 TEST AL,AL
00491EBF . 74 6E JE SHORT MUD2004.00491F2F
00491EC1 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00491EC4 . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00491ECA . E8 6D0FF7FF CALL MUD2004.00402E3C
00491ECF . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00491ED5 . E8 F20CF7FF CALL MUD2004.00402BCC
00491EDA . E8 250AF7FF CALL MUD2004.00402904
00491EDF . BA D4A74C00 MOV EDX,MUD2004.004CA7D4
00491EE4 . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00491EEA . E8 ED12F7FF CALL MUD2004.004031DC
00491EEF . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00491EF5 . E8 4E13F7FF CALL MUD2004.00403248
00491EFA . E8 050AF7FF CALL MUD2004.00402904
00491EFF . BA D0A74C00 MOV EDX,MUD2004.004CA7D0
00491F04 . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00491F0A . E8 CD12F7FF CALL MUD2004.004031DC
00491F0F . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00491F15 . E8 2E13F7FF CALL MUD2004.00403248
00491F1A . E8 E509F7FF CALL MUD2004.00402904
00491F1F . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00491F25 . E8 DA0FF7FF CALL MUD2004.00402F04
00491F2A . E8 D509F7FF CALL MUD2004.00402904
00491F2F > 33C0 XOR EAX,EAX
00491F31 . A3 CCA74C00 MOV DWORD PTR DS:[4CA7CC],EAX
00491F36 . 8B15 D0A74C00 MOV EDX,DWORD PTR DS:[4CA7D0] ; the entered RegisterCode (line 2 of the .lic)
00491F3C . A1 D4A74C00 MOV EAX,DWORD PTR DS:[4CA7D4] ; the entered UserName (line 1 of the .lic)
00491F41 . E8 76FBFFFF CALL MUD2004.00491ABC ; *** returns EAX == -1 on failure -> GAME OVER (falls through to the trial path at 00492037)
00491F46 . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00491F49 . 837D F4 FF CMP DWORD PTR SS:[EBP-C],-1
00491F4D . 0F8E E4000000 JLE MUD2004.00492037
00491F53 . 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]
00491F59 . 50 PUSH EAX
00491F5A . B9 02000000 MOV ECX,2
00491F5F . BA 06000000 MOV EDX,6
00491F64 . A1 D0A74C00 MOV EAX,DWORD PTR DS:[4CA7D0]
00491F69 . E8 262DF7FF CALL MUD2004.00404C94
00491F6E . 8B85 1CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1E4]
00491F74 . 8D95 20FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E0]
00491F7A . E8 E56CF7FF CALL MUD2004.00408C64
00491F7F . 8B85 20FEFFFF MOV EAX,DWORD PTR SS:[EBP-1E0]
00491F85 . BA AC224900 MOV EDX,MUD2004.004922AC ; ASCII "ST"
00491F8A . E8 F12BF7FF CALL MUD2004.00404B80
00491F8F . 75 0A JNZ SHORT MUD2004.00491F9B
00491F91 . C705 CCA74C00>MOV DWORD PTR DS:[4CA7CC],1 ; 1 = Standard Version
00491F9B > 8D85 14FEFFFF LEA EAX,DWORD PTR SS:[EBP-1EC]
00491FA1 . 50 PUSH EAX
00491FA2 . B9 02000000 MOV ECX,2
00491FA7 . BA 06000000 MOV EDX,6
00491FAC . A1 D0A74C00 MOV EAX,DWORD PTR DS:[4CA7D0]
00491FB1 . E8 DE2CF7FF CALL MUD2004.00404C94
00491FB6 . 8B85 14FEFFFF MOV EAX,DWORD PTR SS:[EBP-1EC]
00491FBC . 8D95 18FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E8]
00491FC2 . E8 9D6CF7FF CALL MUD2004.00408C64
00491FC7 . 8B85 18FEFFFF MOV EAX,DWORD PTR SS:[EBP-1E8]
00491FCD . BA B8224900 MOV EDX,MUD2004.004922B8 ; ASCII "PR"
00491FD2 . E8 A92BF7FF CALL MUD2004.00404B80
00491FD7 . /75 0A JNZ SHORT MUD2004.00491FE3
00491FD9 . |C705 CCA74C00>MOV DWORD PTR DS:[4CA7CC],2 ; 2 = Professional Version
00491FE3 > \8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
00491FE9 . 50 PUSH EAX
00491FEA . B9 02000000 MOV ECX,2
00491FEF . BA 06000000 MOV EDX,6
00491FF4 . A1 D0A74C00 MOV EAX,DWORD PTR DS:[4CA7D0]
00491FF9 . E8 962CF7FF CALL MUD2004.00404C94
00491FFE . 8B85 0CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1F4]
00492004 . 8D95 10FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F0]
0049200A . E8 556CF7FF CALL MUD2004.00408C64
0049200F . 8B85 10FEFFFF MOV EAX,DWORD PTR SS:[EBP-1F0]
00492015 . BA C4224900 MOV EDX,MUD2004.004922C4 ; ASCII "LT"
0049201A . E8 612BF7FF CALL MUD2004.00404B80
0049201F . 75 0A JNZ SHORT MUD2004.0049202B
00492021 . C705 CCA74C00>MOV DWORD PTR DS:[4CA7CC],3 ; 3 = LT version
0049202B > C605 D8A74C00>MOV BYTE PTR DS:[4CA7D8],0
00492032 . E9 C5010000 JMP MUD2004.004921FC
00492037 > 33C0 XOR EAX,EAX ;
00492039 . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; 0 = Trial Version
0049203C . 8B0D C8B54C00 MOV ECX,DWORD PTR DS:[4CB5C8] ; MUD2004.004CCC3C
00492042 . 8B09 MOV ECX,DWORD PTR DS:[ECX]
00492044 . B2 01 MOV DL,1
00492046 . A1 48A34800 MOV EAX,DWORD PTR DS:[48A348]
0049204B . E8 8C84FFFF CALL MUD2004.0048A4DC
00492050 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00492053 . A1 D0A74C00 MOV EAX,DWORD PTR DS:[4CA7D0]
00492058 . E8 DF29F7FF CALL MUD2004.00404A3C
0049205D . 83F8 07 CMP EAX,7
00492060 . 0F8E 96010000 JLE MUD2004.004921FC
00492066 . 33C0 XOR EAX,EAX
00492068 . 55 PUSH EBP
00492069 . 68 F2214900 PUSH MUD2004.004921F2
0049206E . 64:FF30 PUSH DWORD PTR FS:[EAX]
00492071 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00492074 . 6A 00 PUSH 0
00492076 . 6A 00 PUSH 0
00492078 . 8D85 08FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F8]
0049207E . 8B15 D4A74C00 MOV EDX,DWORD PTR DS:[4CA7D4]
00492084 . E8 772FF7FF CALL MUD2004.00405000
00492089 . 8B85 08FEFFFF MOV EAX,DWORD PTR SS:[EBP-1F8]
0049208F . 50 PUSH EAX
00492090 . 8D85 04FEFFFF LEA EAX,DWORD PTR SS:[EBP-1FC]
00492096 . 8B15 D0A74C00 MOV EDX,DWORD PTR DS:[4CA7D0]
0049209C . E8 5F2FF7FF CALL MUD2004.00405000
004920A1 . 8B95 04FEFFFF MOV EDX,DWORD PTR SS:[EBP-1FC]
004920A7 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004920AA . 59 POP ECX
004920AB . E8 2885FFFF CALL MUD2004.0048A5D8
004920B0 . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004920B3 . 33C0 XOR EAX,EAX
004920B5 . 5A POP EDX
004920B6 . 59 POP ECX
004920B7 . 59 POP ECX
004920B8 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004920BB . 68 FC214900 PUSH MUD2004.004921FC
004920C0 > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004920C3 . E8 CC18F7FF CALL MUD2004.00403994
004920C8 . 837D F4 FF CMP DWORD PTR SS:[EBP-C],-1
004920CC . 0F8E 1F010000 JLE MUD2004.004921F1
004920D2 . E8 898AF7FF CALL MUD2004.0040AB60
004920D7 . DB45 F4 FILD DWORD PTR SS:[EBP-C]
004920DA . DEE9 FSUBP ST(1),ST
004920DC . D825 C8224900 FSUB DWORD PTR DS:[4922C8]
004920E2 . E8 4D0AF7FF CALL MUD2004.00402B34
004920E7 . BA 1E000000 MOV EDX,1E
004920EC . 2BD0 SUB EDX,EAX
004920EE . 8915 D4D24C00 MOV DWORD PTR DS:[4CD2D4],EDX
004920F4 . 833D D4D24C00>CMP DWORD PTR DS:[4CD2D4],0
004920FB . 7C 09 JL SHORT MUD2004.00492106
004920FD . 833D D4D24C00>CMP DWORD PTR DS:[4CD2D4],1E
00492104 . 7E 07 JLE SHORT MUD2004.0049210D
00492106 > 33C0 XOR EAX,EAX
00492108 . A3 D4D24C00 MOV DWORD PTR DS:[4CD2D4],EAX
0049210D > E8 5AFCFFFF CALL MUD2004.00491D6C
00492112 . 34 01 XOR AL,1
00492114 . A2 D8A74C00 MOV BYTE PTR DS:[4CA7D8],AL
00492119 . 8D85 FCFDFFFF LEA EAX,DWORD PTR SS:[EBP-204]
0049211F . 50 PUSH EAX
00492120 . B9 02000000 MOV ECX,2
00492125 . BA 06000000 MOV EDX,6
0049212A . A1 D0A74C00 MOV EAX,DWORD PTR DS:[4CA7D0]
0049212F . E8 602BF7FF CALL MUD2004.00404C94
00492134 . 8B85 FCFDFFFF MOV EAX,DWORD PTR SS:[EBP-204]
0049213A . 8D95 00FEFFFF LEA EDX,DWORD PTR SS:[EBP-200]
00492140 . E8 1F6BF7FF CALL MUD2004.00408C64
00492145 . 8B85 00FEFFFF MOV EAX,DWORD PTR SS:[EBP-200]
0049214B . BA AC224900 MOV EDX,MUD2004.004922AC ; ASCII "ST"
00492150 . E8 2B2AF7FF CALL MUD2004.00404B80
00492155 . 75 0A JNZ SHORT MUD2004.00492161
00492157 . C705 CCA74C00>MOV DWORD PTR DS:[4CA7CC],1
00492161 > 8D85 F4FDFFFF LEA EAX,DWORD PTR SS:[EBP-20C]
00492167 . 50 PUSH EAX
00492168 . B9 02000000 MOV ECX,2
0049216D . BA 06000000 MOV EDX,6
00492172 . A1 D0A74C00 MOV EAX,DWORD PTR DS:[4CA7D0]
00492177 . E8 182BF7FF CALL MUD2004.00404C94
0049217C . 8B85 F4FDFFFF MOV EAX,DWORD PTR SS:[EBP-20C]
00492182 . 8D95 F8FDFFFF LEA EDX,DWORD PTR SS:[EBP-208]
00492188 . E8 D76AF7FF CALL MUD2004.00408C64
0049218D . 8B85 F8FDFFFF MOV EAX,DWORD PTR SS:[EBP-208]
00492193 . BA B8224900 MOV EDX,MUD2004.004922B8 ; ASCII "PR"
00492198 . E8 E329F7FF CALL MUD2004.00404B80
0049219D . 75 0A JNZ SHORT MUD2004.004921A9
0049219F . C705 CCA74C00>MOV DWORD PTR DS:[4CA7CC],2
004921A9 > 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
004921AF . 50 PUSH EAX
004921B0 . B9 02000000 MOV ECX,2
004921B5 . BA 06000000 MOV EDX,6
004921BA . A1 D0A74C00 MOV EAX,DWORD PTR DS:[4CA7D0]
004921BF . E8 D02AF7FF CALL MUD2004.00404C94
004921C4 . 8B85 ECFDFFFF MOV EAX,DWORD PTR SS:[EBP-214]
004921CA . 8D95 F0FDFFFF LEA EDX,DWORD PTR SS:[EBP-210]
004921D0 . E8 8F6AF7FF CALL MUD2004.00408C64
004921D5 . 8B85 F0FDFFFF MOV EAX,DWORD PTR SS:[EBP-210]
004921DB . BA C4224900 MOV EDX,MUD2004.004922C4 ; ASCII "LT"
004921E0 . E8 9B29F7FF CALL MUD2004.00404B80
004921E5 . 75 0A JNZ SHORT MUD2004.004921F1
004921E7 . C705 CCA74C00>MOV DWORD PTR DS:[4CA7CC],3
004921F1 > C3 RETN
004921F2 .^ E9 311FF7FF JMP MUD2004.00404128
004921F7 .^ E9 C4FEFFFF JMP MUD2004.004920C0
004921FC > 33C0 XOR EAX,EAX
004921FE . 5A POP EDX
004921FF . 59 POP ECX
00492200 . 59 POP ECX
00492201 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00492204 . 68 49224900 PUSH MUD2004.00492249
00492209 > 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0049220F . BA 06000000 MOV EDX,6
00492214 . E8 8F25F7FF CALL MUD2004.004047A8
00492219 . 8D85 04FEFFFF LEA EAX,DWORD PTR SS:[EBP-1FC]
0049221F . BA 02000000 MOV EDX,2
00492224 . E8 972CF7FF CALL MUD2004.00404EC0
00492229 . 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
0049222F . BA 07000000 MOV EDX,7
00492234 . E8 6F25F7FF CALL MUD2004.004047A8
00492239 . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0049223C . E8 4325F7FF CALL MUD2004.00404784
00492241 . C3 RETN
00492242 .^ E9 E11EF7FF JMP MUD2004.00404128
00492247 .^ EB C0 JMP SHORT MUD2004.00492209
00492249 . 8BE5 MOV ESP,EBP
0049224B . 5D POP EBP
0049224C . C3 RETN
00491ABC $ 55 PUSH EBP
00491ABD . 8BEC MOV EBP,ESP
00491ABF . 83C4 F0 ADD ESP,-10
00491AC2 . 53 PUSH EBX
00491AC3 . 56 PUSH ESI
00491AC4 . 57 PUSH EDI
00491AC5 . 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00491AC8 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00491ACB . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00491ACE . E8 5131F7FF CALL MUD2004.00404C24
00491AD3 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491AD6 . E8 4931F7FF CALL MUD2004.00404C24
00491ADB . 33C0 XOR EAX,EAX
00491ADD . 55 PUSH EBP
00491ADE . 68 4D1B4900 PUSH MUD2004.00491B4D
00491AE3 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00491AE6 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00491AE9 . 83CB FF OR EBX,FFFFFFFF
00491AEC . 33C0 XOR EAX,EAX
00491AEE . 55 PUSH EBP
00491AEF . 68 251B4900 PUSH MUD2004.00491B25
00491AF4 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00491AF7 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00491AFA . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00491AFD . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00491B00 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00491B03 . E8 9CFAFFFF CALL MUD2004.004915A4 ; *******************
00491B08 . 84C0 TEST AL,AL
00491B0A . 74 0F JE SHORT MUD2004.00491B1B
00491B0C . E8 7B90F7FF CALL MUD2004.0040AB8C
00491B11 . DC65 F0 FSUB QWORD PTR SS:[EBP-10]
00491B14 . E8 1B10F7FF CALL MUD2004.00402B34
00491B19 . 8BD8 MOV EBX,EAX
00491B1B > 33C0 XOR EAX,EAX
00491B1D . 5A POP EDX
00491B1E . 59 POP ECX
00491B1F . 59 POP ECX
00491B20 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00491B23 . EB 0D JMP SHORT MUD2004.00491B32
00491B25 .^ E9 4A23F7FF JMP MUD2004.00403E74
00491B2A . 83CB FF OR EBX,FFFFFFFF
00491B2D . E8 AA26F7FF CALL MUD2004.004041DC
00491B32 > 33C0 XOR EAX,EAX
00491B34 . 5A POP EDX
00491B35 . 59 POP ECX
00491B36 . 59 POP ECX
00491B37 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00491B3A . 68 541B4900 PUSH MUD2004.00491B54
00491B3F > 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00491B42 . BA 02000000 MOV EDX,2
00491B47 . E8 5C2CF7FF CALL MUD2004.004047A8
00491B4C . C3 RETN
00491B4D .^ E9 D625F7FF JMP MUD2004.00404128
00491B52 .^ EB EB JMP SHORT MUD2004.00491B3F
00491B54 . 8BC3 MOV EAX,EBX
00491B56 . 5F POP EDI
00491B57 . 5E POP ESI
00491B58 . 5B POP EBX
00491B59 . 8BE5 MOV ESP,EBP
00491B5B . 5D POP EBP
00491B5C . C3 RETN
00491B5D 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
00491B60 . 55 PUSH EBP
00491B61 . 8BEC MOV EBP,ESP
00491B63 . 33C0 XOR EAX,EAX
00491B65 . 55 PUSH EBP
00491B66 . 68 851B4900 PUSH MUD2004.00491B85
00491B6B . 64:FF30 PUSH DWORD PTR FS:[EAX]
00491B6E . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00491B71 . FF05 D0D24C00 INC DWORD PTR DS:[4CD2D0]
00491B77 . 33C0 XOR EAX,EAX
00491B79 . 5A POP EDX
00491B7A . 59 POP ECX
00491B7B . 59 POP ECX
00491B7C . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00491B7F . 68 8C1B4900 PUSH MUD2004.00491B8C
00491B84 > C3 RETN ; RET used as a jump to 00491B8C
00491B85 .^ E9 9E25F7FF JMP MUD2004.00404128
00491B8A .^ EB F8 JMP SHORT MUD2004.00491B84
00491B8C > 5D POP EBP
00491B8D . C3 RETN
00491B8E 8BC0 MOV EAX,EAX
00491B90 . 832D D0D24C00>SUB DWORD PTR DS:[4CD2D0],1
00491B97 . C3 RETN
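Before going through the listing of 004915A4 below, here is the structure of that check, together with the activation window computed in 00491E60 above, reconstructed in Python. This is an added example, not code from the writeup or from the program. Two helpers are not identified on this page and are replaced by labelled assumptions: 00491310 (called Sub_Crc32 in the annotations) is modelled with zlib's standard CRC-32, and 004913A0 / 00491508 (Sub1_IntToString and Sub1_StringToInt) as 8-digit hex, chosen only because 8 characters are extracted and compared. If the binary uses different variants the computed check string changes, but the field layout does not: a 7-character prefix, a number at positions 8..10, the check characters at 18,20,23,25,28,30,33,35 (read in that order and then reversed), and the date characters at 17,19,22,24,27,29,32,34. Which of the three bit fields cut at 004918E0-004918EB is year, month and day is the writeup's guess and is left as such. Note also that 00491E60 has two accepting paths: if 00491ABC returns a day count (>= 0) the edition is taken from characters 6..7 and need_activate is cleared; if it returns -1 and the code is longer than 7 characters, the alternative routine 0048A5D8 (not analysed here) is tried, and a non-negative result yields the 30-day activation window clamped at 004920F4-00492108.

```python
"""Reconstruction of the MUD2004 registration-code layout check (004915A4)
and the activation window in 00491E60. Added example; not code from the
writeup or from the program. crc32/int_to_str/str_to_int are assumptions."""
import zlib

# reg[1..7] -> String2 that is hashed in the check (both from the listing)
EDITIONS = {
    "MUD04PR": "Multi User Desktop 2004 Professional",
    "MUD04ST": "Multi User Desktop 2004 Standard",
    "MUD04LT": "Multi User Desktop 2004 Lite",
}
CHECK_POS = (18, 20, 23, 25, 28, 30, 33, 35)  # 1-based; concatenated, then reversed
DATE_POS = (17, 19, 22, 24, 27, 29, 32, 34)   # 1-based; String7 -> Num7


def crc32(s: str) -> int:
    """ASSUMPTION for 00491310 (Sub_Crc32): standard CRC-32 as in zlib."""
    return zlib.crc32(s.encode("latin-1")) & 0xFFFFFFFF


def int_to_str(n: int) -> str:
    """ASSUMPTION for 004913A0 (Sub1_IntToString): 8 upper-case hex digits."""
    return f"{n & 0xFFFFFFFF:08X}"


def str_to_int(s: str) -> int:
    """ASSUMPTION for 00491508 (Sub1_StringToInt): inverse of int_to_str."""
    return int(s, 16)


def pick(code: str, positions) -> str:
    """Copy(code, p, 1) for each p, concatenated (the PUSH/Copy chains)."""
    return "".join(code[p - 1] for p in positions)


def expected_check_string(username: str, string2: str, num1: int) -> str:
    """004916B5-004916FE: Num6 = Num1 + ((crc(rev(S2)) ^ crc(S2) ^ crc(str(Num1))) + crc(user))."""
    acc = crc32(string2[::-1]) ^ crc32(string2)       # Num2 ^ Num3
    acc ^= crc32(int_to_str(num1))                    # ^ Num4
    acc = (acc + crc32(username)) & 0xFFFFFFFF        # + Num5
    return int_to_str((num1 + acc) & 0xFFFFFFFF)      # String6


def split_date_fields(num7: int):
    """004918DE-004918EB: (low 7 bits, next 5 bits, upper 20 bits), passed to
    0049100C in EAX, EDX, ECX. Which one is year/month/day is not confirmed."""
    return num7 & 0x7F, (num7 >> 7) & 0x1F, num7 >> 12


def verify_code(username: str, code: str):
    """Mirror the early exits of 004915A4; returns (ok, detail)."""
    if len(code) < 35:                                # 004915EE
        return False, "length < 35"
    string2 = EDITIONS.get(code[:7])                  # 00491605-00491664
    if string2 is None:
        return False, "unknown prefix"
    try:
        num1 = int(code[7:10])                        # 00491669-00491695 (try/except)
    except ValueError:
        return False, "reg[8..10] not numeric"
    if pick(code, CHECK_POS)[::-1] != expected_check_string(username, string2, num1):
        return False, "check string mismatch"         # 004917F4 / 004917F9
    try:
        fields = split_date_fields(str_to_int(pick(code, DATE_POS)))
    except ValueError:
        return False, "date field not numeric"
    return True, fields


def activation_days_left(elapsed_days: int) -> int:
    """004920D2-00492108: 30 - trunc(Now - date); results outside 0..30 become 0.
    The float constant subtracted at 004920DC ([4922C8]) is not on the page and is ignored."""
    left = 30 - elapsed_days
    return left if 0 <= left <= 30 else 0
```

The order of early exits matters for black-box probing: a code of the wrong length or with an unknown prefix is rejected before any hashing, so timing or breakpoint hits at 00491310 only occur once those two structural checks pass.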
// Registration-code check
004915A4 $ 55 PUSH EBP
004915A5 . 8BEC MOV EBP,ESP
004915A7 . 51 PUSH ECX
004915A8 . B9 10000000 MOV ECX,10
004915AD > 6A 00 PUSH 0
004915AF . 6A 00 PUSH 0
004915B1 . 49 DEC ECX
004915B2 .^ 75 F9 JNZ SHORT MUD2004.004915AD
004915B4 . 51 PUSH ECX
004915B5 . 874D FC XCHG DWORD PTR SS:[EBP-4],ECX
004915B8 . 53 PUSH EBX
004915B9 . 56 PUSH ESI
004915BA . 57 PUSH EDI
004915BB . 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
004915BE . 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004915C1 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004915C4 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004915C7 . E8 5836F7FF CALL MUD2004.00404C24
004915CC . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004915CF . E8 5036F7FF CALL MUD2004.00404C24
004915D4 . 33C0 XOR EAX,EAX
004915D6 . 55 PUSH EBP
004915D7 . 68 F4194900 PUSH MUD2004.004919F4
004915DC . 64:FF30 PUSH DWORD PTR FS:[EAX]
004915DF . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004915E2 . C645 F3 00 MOV BYTE PTR SS:[EBP-D],0
004915E6 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004915E9 . E8 4E34F7FF CALL MUD2004.00404A3C
004915EE . 83F8 23 CMP EAX,23 ; registration code length < 35 ?
004915F1 . 0F8C D2030000 JL MUD2004.004919C9 ; shorter than 35 -> GAME OVER
004915F7 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004915FA . 50 PUSH EAX
004915FB . B9 07000000 MOV ECX,7
00491600 . BA 01000000 MOV EDX,1
00491605 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; String1 = reg[1..7], characters 1 to 7 of the registration code
00491608 . E8 8736F7FF CALL MUD2004.00404C94
0049160D . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00491610 . BA 101A4900 MOV EDX,MUD2004.00491A10 ; ASCII "MUD04PR"
00491615 . E8 6635F7FF CALL MUD2004.00404B80 ; is String1 == "MUD04PR" ?
0049161A . 75 0F JNZ SHORT MUD2004.0049162B
0049161C . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; yes: String2 =
0049161F . BA 201A4900 MOV EDX,MUD2004.00491A20 ; ASCII "Multi User Desktop 2004 Professional"
00491624 . E8 F331F7FF CALL MUD2004.0040481C
00491629 . EB 3E JMP SHORT MUD2004.00491669
0049162B > 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0049162E . BA 501A4900 MOV EDX,MUD2004.00491A50 ; ASCII "MUD04ST"
00491633 . E8 4835F7FF CALL MUD2004.00404B80 ; is String1 == "MUD04ST" ?
00491638 . 75 0F JNZ SHORT MUD2004.00491649
0049163A . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; yes: String2 =
0049163D . BA 601A4900 MOV EDX,MUD2004.00491A60 ; ASCII "Multi User Desktop 2004 Standard"
00491642 . E8 D531F7FF CALL MUD2004.0040481C
00491647 . EB 20 JMP SHORT MUD2004.00491669
00491649 > 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0049164C . BA 8C1A4900 MOV EDX,MUD2004.00491A8C ; ASCII "MUD04LT"
00491651 . E8 2A35F7FF CALL MUD2004.00404B80 ; is String1 == "MUD04LT" ?
00491656 . 0F85 6D030000 JNZ MUD2004.004919C9 ; none of the three prefixes matched -> GAME OVER
0049165C . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; yes: String2 =
0049165F . BA 9C1A4900 MOV EDX,MUD2004.00491A9C ; ASCII "Multi User Desktop 2004 Lite"
00491664 . E8 B331F7FF CALL MUD2004.0040481C
00491669 > 33C0 XOR EAX,EAX
0049166B . 55 PUSH EBP
0049166C . 68 A1164900 PUSH MUD2004.004916A1
00491671 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00491674 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00491677 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0049167A . 50 PUSH EAX
0049167B . B9 03000000 MOV ECX,3
00491680 . BA 08000000 MOV EDX,8
00491685 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491688 . E8 0736F7FF CALL MUD2004.00404C94
0049168D . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; String3=Reg[8...10]
00491690 . E8 A779F7FF CALL MUD2004.0040903C ; Num1=atoi(String3)
00491695 . 8BF0 MOV ESI,EAX ; => ESI
00491697 . 33C0 XOR EAX,EAX
00491699 . 5A POP EDX
0049169A . 59 POP ECX
0049169B . 59 POP ECX
0049169C . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049169F . EB 14 JMP SHORT MUD2004.004916B5
004916A1 .^ E9 CE27F7FF JMP MUD2004.00403E74
004916A6 . E8 312BF7FF CALL MUD2004.004041DC
004916AB . E9 19030000 JMP MUD2004.004919C9
004916B0 . E8 272BF7FF CALL MUD2004.004041DC
004916B5 > 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004916B8 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; String2
004916BB . E8 64E0FAFF CALL MUD2004.0043F724 ; Sub_StrReverse, i.e. "ABCDE" => "EDCBA"
004916C0 . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; String4 = Sub_StrReverse(String2)
004916C3 . E8 48FCFFFF CALL MUD2004.00491310 ; Num2 = Sub_Crc32(String4)
004916C8 . 8BD8 MOV EBX,EAX ; Num2 => EBX
004916CA . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; String2
004916CD . E8 3EFCFFFF CALL MUD2004.00491310 ; Num3 = Sub_Crc32(String2)
004916D2 . 33D8 XOR EBX,EAX ; Num3 XOR EBX => EBX
004916D4 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ; String5
004916D7 . 8BC6 MOV EAX,ESI
004916D9 . E8 C2FCFFFF CALL MUD2004.004913A0 ; Sub1_IntToString(Num1, String5)
004916DE . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; String5
004916E1 . E8 2AFCFFFF CALL MUD2004.00491310 ; Num4 = Sub_Crc32(String5)
004916E6 . 33D8 XOR EBX,EAX ; Num4 XOR EBX => EBX
004916E8 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; UserName
004916EB . E8 20FCFFFF CALL MUD2004.00491310 ; Num5 = Sub_Crc32(UserName)
004916F0 . 03D8 ADD EBX,EAX ; Num5 + EBX => EBX
004916F2 . 03F3 ADD ESI,EBX ; Num1 + EBX => ESI, Num6
004916F4 . 8BDE MOV EBX,ESI
004916F6 . 83E3 FF AND EBX,FFFFFFFF
004916F9 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18] ; String6
004916FC . 8BC3 MOV EAX,EBX ; Num6
004916FE . E8 9DFCFFFF CALL MUD2004.004913A0 ; Sub1_IntToString(Num6, String6)
00491703 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00491706 . 50 PUSH EAX
00491707 . B9 01000000 MOV ECX,1
0049170C . BA 12000000 MOV EDX,12
00491711 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491714 . E8 7B35F7FF CALL MUD2004.00404C94
00491719 . FF75 CC PUSH DWORD PTR SS:[EBP-34]
0049171C . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
0049171F . 50 PUSH EAX
00491720 . B9 01000000 MOV ECX,1
00491725 . BA 14000000 MOV EDX,14
0049172A . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049172D . E8 6235F7FF CALL MUD2004.00404C94
00491732 . FF75 C8 PUSH DWORD PTR SS:[EBP-38]
00491735 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00491738 . 50 PUSH EAX
00491739 . B9 01000000 MOV ECX,1
0049173E . BA 17000000 MOV EDX,17
00491743 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491746 . E8 4935F7FF CALL MUD2004.00404C94
0049174B . FF75 C4 PUSH DWORD PTR SS:[EBP-3C]
0049174E . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00491751 . 50 PUSH EAX
00491752 . B9 01000000 MOV ECX,1
00491757 . BA 19000000 MOV EDX,19
0049175C . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049175F . E8 3035F7FF CALL MUD2004.00404C94
00491764 . FF75 C0 PUSH DWORD PTR SS:[EBP-40]
00491767 . 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0049176A . 50 PUSH EAX
0049176B . B9 01000000 MOV ECX,1
00491770 . BA 1C000000 MOV EDX,1C
00491775 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491778 . E8 1735F7FF CALL MUD2004.00404C94
0049177D . FF75 BC PUSH DWORD PTR SS:[EBP-44]
00491780 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00491783 . 50 PUSH EAX
00491784 . B9 01000000 MOV ECX,1
00491789 . BA 1E000000 MOV EDX,1E
0049178E . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491791 . E8 FE34F7FF CALL MUD2004.00404C94
00491796 . FF75 B8 PUSH DWORD PTR SS:[EBP-48]
00491799 . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0049179C . 50 PUSH EAX
0049179D . B9 01000000 MOV ECX,1
004917A2 . BA 21000000 MOV EDX,21
004917A7 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004917AA . E8 E534F7FF CALL MUD2004.00404C94
004917AF . FF75 B4 PUSH DWORD PTR SS:[EBP-4C]
004917B2 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
004917B5 . 50 PUSH EAX
004917B6 . B9 01000000 MOV ECX,1
004917BB . BA 23000000 MOV EDX,23
004917C0 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004917C3 . E8 CC34F7FF CALL MUD2004.00404C94
004917C8 . FF75 B0 PUSH DWORD PTR SS:[EBP-50]
004917CB . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004917CE . BA 08000000 MOV EDX,8
004917D3 . E8 2433F7FF CALL MUD2004.00404AFC
004917D8 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004917DB . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004917DE . E8 41DFFAFF CALL MUD2004.0043F724
004917E3 . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
004917E6 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004917E9 . E8 2E30F7FF CALL MUD2004.0040481C
004917EE . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; Reg[35,33,30,28,25,23,20,18]
004917F1 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; String6
004917F4 . E8 8733F7FF CALL MUD2004.00404B80 ; ******* the comparison
004917F9 . 0F85 CA010000 JNZ MUD2004.004919C9 ; not equal -> GAME OVER
004917FF . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00491802 . 50 PUSH EAX
00491803 . B9 01000000 MOV ECX,1
00491808 . BA 11000000 MOV EDX,11
0049180D . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491810 . E8 7F34F7FF CALL MUD2004.00404C94
00491815 . FF75 A8 PUSH DWORD PTR SS:[EBP-58]
00491818 . 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
0049181B . 50 PUSH EAX
0049181C . B9 01000000 MOV ECX,1
00491821 . BA 13000000 MOV EDX,13
00491826 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491829 . E8 6634F7FF CALL MUD2004.00404C94
0049182E . FF75 A4 PUSH DWORD PTR SS:[EBP-5C]
00491831 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00491834 . 50 PUSH EAX
00491835 . B9 01000000 MOV ECX,1
0049183A . BA 16000000 MOV EDX,16
0049183F . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491842 . E8 4D34F7FF CALL MUD2004.00404C94
00491847 . FF75 A0 PUSH DWORD PTR SS:[EBP-60]
0049184A . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0049184D . 50 PUSH EAX
0049184E . B9 01000000 MOV ECX,1
00491853 . BA 18000000 MOV EDX,18
00491858 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049185B . E8 3434F7FF CALL MUD2004.00404C94
00491860 . FF75 9C PUSH DWORD PTR SS:[EBP-64]
00491863 . 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
00491866 . 50 PUSH EAX
00491867 . B9 01000000 MOV ECX,1
0049186C . BA 1B000000 MOV EDX,1B
00491871 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00491874 . E8 1B34F7FF CALL MUD2004.00404C94
00491879 . FF75 98 PUSH DWORD PTR SS:[EBP-68]
0049187C . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
0049187F . 50 PUSH EAX
00491880 . B9 01000000 MOV ECX,1
00491885 . BA 1D000000 MOV EDX,1D
0049188A . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049188D . E8 0234F7FF CALL MUD2004.00404C94
00491892 . FF75 94 PUSH DWORD PTR SS:[EBP-6C]
00491895 . 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00491898 . 50 PUSH EAX
00491899 . B9 01000000 MOV ECX,1
0049189E . BA 20000000 MOV EDX,20
004918A3 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004918A6 . E8 E933F7FF CALL MUD2004.00404C94
004918AB . FF75 90 PUSH DWORD PTR SS:[EBP-70]
004918AE . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
004918B1 . 50 PUSH EAX
004918B2 . B9 01000000 MOV ECX,1
004918B7 . BA 22000000 MOV EDX,22
004918BC . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004918BF . E8 D033F7FF CALL MUD2004.00404C94
004918C4 . FF75 8C PUSH DWORD PTR SS:[EBP-74]
004918C7 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004918CA . BA 08000000 MOV EDX,8
004918CF . E8 2832F7FF CALL MUD2004.00404AFC
004918D4 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; String7 = Reg[17,19,22,24,27,29,32,34]
004918D7 . E8 2CFCFFFF CALL MUD2004.00491508 ; Num7 = Sub1_StringToInt(String7)
004918DC . 8BD8 MOV EBX,EAX ;
004918DE . 8BF3 MOV ESI,EBX
004918E0 . 83E6 7F AND ESI,7F ; ESI = low 7 bits of Num7
004918E3 . 8BFB MOV EDI,EBX
004918E5 . C1EF 07 SHR EDI,7
004918E8 . 83E7 1F AND EDI,1F ; EDI = next 5 bits of Num7
004918EB . C1EB 0C SHR EBX,0C ; EBX = remaining upper 20 bits of Num7
004918EE . 6A 00 PUSH 0 ; /Arg4 = 00000000
004918F0 . 6A 00 PUSH 0 ; |Arg3 = 00000000
004918F2 . 6A 00 PUSH 0 ; |Arg2 = 00000000
004918F4 . 6A 00 PUSH 0 ; |Arg1 = 00000000
004918F6 . 8BCB MOV ECX,EBX ; |
004918F8 . 8BD7 MOV EDX,EDI ; |
004918FA . 8BC6 MOV EAX,ESI ; |
004918FC . E8 0BF7FFFF CALL MUD2004.0049100C ; Sub_DateTime(YY,MM,DD,hh,mm,ss,usec, &days)?
00491901 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00491904 . DD18 FSTP QWORD PTR DS:[EAX]
00491906 . 9B WAIT
00491907 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049190A . E8 752EF7FF CALL MUD2004.00404784
0049190F . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
00491912 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00491915 . E8 0ADEFAFF CALL MUD2004.0043F724
0049191A . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0049191D . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00491920 . E8 F72EF7FF CALL MUD2004.0040481C
00491925 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00491928 . E8 0F31F7FF CALL MUD2004.00404A3C
0049192D . 8BF0 MOV ESI,EAX
0049192F . 85F6 TEST ESI,ESI
00491931 . 7E 3D JLE SHORT MUD2004.00491970
00491933 . BB 01000000 MOV EBX,1
00491938 > FF75 EC PUSH DWORD PTR SS:[EBP-14]
0049193B . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0049193E . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
00491941 . 8A541A FF MOV DL,BYTE PTR DS:[EDX+EBX-1]
00491945 . E8 1A30F7FF CALL MUD2004.00404964
0049194A . FF75 84 PUSH DWORD PTR SS:[EBP-7C]
0049194D . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
00491950 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00491953 . 8A541A FF MOV DL,BYTE PTR DS:[EDX+EBX-1]
00491957 . E8 0830F7FF CALL MUD2004.00404964
0049195C . FF75 80 PUSH DWORD PTR SS:[EBP-80]
0049195F . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00491962 . BA 03000000 MOV EDX,3
00491967 . E8 9031F7FF CALL MUD2004.00404AFC
0049196C . 43 INC EBX
0049196D . 4E DEC ESI
0049196E .^ 75 C8 JNZ SHORT MUD2004.00491938
00491970 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00491973 . 50 PUSH EAX
00491974 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; String8=Reg[17-20,22-25,27-30,32-35]
00491977 . E8 00FBFFFF CALL MUD2004.0049147C ; Num8=Sub2_StringToInt(String8)
0049197C . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] ; String9
00491982 . E8 19FAFFFF CALL MUD2004.004913A0 ; Sub1_IntToString(Num8, String9)
00491987 . 8B85 7CFFFFFF MOV EAX,DWORD PTR SS:[EBP-84]
0049198D . B9 04000000 MOV ECX,4
00491992 . BA 05000000 MOV EDX,5
00491997 . E8 F832F7FF CALL MUD2004.00404C94 ; String10=String9[5...8]
0049199C . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88] ;
004919A2 . 50 PUSH EAX
004919A3 . B9 04000000 MOV ECX,4
004919A8 . BA 0C000000 MOV EDX,0C
004919AD . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004919B0 . E8 DF32F7FF CALL MUD2004.00404C94 ; String11=Reg[12...15]
004919B5 . 8B95 78FFFFFF MOV EDX,DWORD PTR SS:[EBP-88] ; String11
004919BB . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; String10
004919BE . E8 BD31F7FF CALL MUD2004.00404B80 ; ******* compare
004919C3 . 75 04 JNZ SHORT MUD2004.004919C9 ; different: GAME OVER
004919C5 . C645 F3 01 MOV BYTE PTR SS:[EBP-D],1 ; OK!!!
004919C9 > 33C0 XOR EAX,EAX
004919CB . 5A POP EDX
004919CC . 59 POP ECX
004919CD . 59 POP ECX
004919CE . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004919D1 . 68 FB194900 PUSH MUD2004.004919FB
004919D6 > 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
004919DC . BA 1E000000 MOV EDX,1E
004919E1 . E8 C22DF7FF CALL MUD2004.004047A8
004919E6 . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004919E9 . BA 02000000 MOV EDX,2
004919EE . E8 B52DF7FF CALL MUD2004.004047A8
004919F3 . C3 RETN
004919F4 .^ E9 2F27F7FF JMP MUD2004.00404128
004919F9 .^ EB DB JMP SHORT MUD2004.004919D6
004919FB . 8A45 F3 MOV AL,BYTE PTR SS:[EBP-D]
004919FE . 5F POP EDI
004919FF . 5E POP ESI
00491A00 . 5B POP EBX
00491A01 . 8BE5 MOV ESP,EBP
00491A03 . 5D POP EBP
00491A04 . C3 RETN
Registration-code analysis results:
Registration-code format:
AAAAAAABBB-EEEE-DCDC-DCDC-DCDC-DCDC
I won't give the actual keygen; I'll only explain some of the subroutines involved:
Sub_Crc32()
The CRC32 table the program uses is not the standard one: a few entries differ slightly from the standard table. I don't know whether that is a developer's mistake or deliberate.
While computing the CRC, the CRC value is taken as an absolute value at every step.
void Sub1_IntToString(long Num, char *format)
This subroutine converts a 32-bit number into a string of length 8.
It differs from the result of sprintf(format, "%08X", Num) in two ways:
1.) The absolute value of Num is taken first.
2.) Starting from the lowest bit, every 5 bits are converted into one character; if it were every 4 bits, the result would be identical to "%08X".
00000 - 01001 ==> '0' - '9'
01010 - 11111 ==> 'A' - 'V'
It looks like base 32?!
long Sub1_StringToInt(char *str)
Exactly the inverse of Sub1_IntToString above.
The program CALLs this subroutine in only one place, and the result must also be a valid year/month/day combination:
year: 1 ~ 9999
month: 1 ~ 12
day: 1 ~ days[month-1]
In a leap year
days[]={31,29,31,30,31,30,31,31,30,31,30,31}
otherwise
days[]={31,28,31,30,31,30,31,31,30,31,30,31}
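As an added example (not code from the write-up or from the program itself), the following C implements the 5-bits-per-character encoding described for Sub1_IntToString, its inverse Sub1_StringToInt, the 7/5/20-bit split the listing performs on the decoded number at 004918DE-004918EB, and the year/month/day validity check listed above. The function names follow the write-up; the absolute-value handling, the rejection of strings that do not decode, and the standard Gregorian leap-year rule are assumptions (the write-up only gives the two day tables). Which of the three bit fields is the year, the month and the day is left as the listing leaves it (its Sub_DateTime comment carries a question mark), so the date check is a separate function that takes the three components explicitly.

```c
/* Added example, not the write-up's or the program's own code: the
 * 5-bits-per-character encoding described for Sub1_IntToString, its
 * inverse Sub1_StringToInt, the 7/5/20-bit split performed on the decoded
 * number, and the year/month/day validity check. Absolute-value handling,
 * rejection of bad input and the Gregorian leap rule are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32 symbols, five bits each: 00000-01001 -> '0'-'9', 01010-11111 -> 'A'-'V'. */
static const char SYMBOLS[] = "0123456789ABCDEFGHIJKLMNOPQRSTUV";

/* |num| in unsigned arithmetic so that INT32_MIN does not overflow. */
uint32_t abs32(int32_t num)
{
    return num < 0 ? 0u - (uint32_t)num : (uint32_t)num;
}

/* Like sprintf("%08X") but with 5-bit digits: the lowest 5 bits of |num|
 * become the last character. out must have room for 8 chars plus NUL. */
void Sub1_IntToString(int32_t num, char out[9])
{
    uint32_t v = abs32(num);
    for (int i = 7; i >= 0; i--) {
        out[i] = SYMBOLS[v & 0x1F];
        v >>= 5;            /* 32 bits fill 6 full digits + 2 bits; out[0] is always '0' */
    }
    out[8] = '\0';
}

/* Inverse of Sub1_IntToString. Returns 1 and stores the value, or 0 when
 * str is not exactly 8 symbols from the alphabet or exceeds 32 bits. */
int Sub1_StringToInt(const char *str, uint32_t *out)
{
    if (strlen(str) != 8)
        return 0;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        const char *p = strchr(SYMBOLS, str[i]);
        if (p == NULL)
            return 0;
        v = (v << 5) | (uint64_t)(p - SYMBOLS);
    }
    if (v > UINT32_MAX)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* The three fields the listing extracts at 004918DE-004918EB:
 * ESI = low 7 bits, EDI = next 5 bits, EBX = remaining 20 bits. */
struct Fields { uint32_t low7, mid5, high20; };

struct Fields split_fields(uint32_t num)
{
    struct Fields f;
    f.low7   = num & 0x7F;
    f.mid5   = (num >> 7) & 0x1F;
    f.high20 = num >> 12;
    return f;
}

/* Standard Gregorian rule (assumed; the write-up only lists the day tables). */
static int is_leap(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* year 1..9999, month 1..12, day 1..days[month-1], 29 days in a leap-year February. */
int is_valid_date(int year, int month, int day)
{
    static const int days[12] = {31,28,31,30,31,30,31,31,30,31,30,31};
    if (year < 1 || year > 9999 || month < 1 || month > 12 || day < 1)
        return 0;
    int max_day = (month == 2 && is_leap(year)) ? 29 : days[month - 1];
    return day <= max_day;
}

/* Encode num, compare with expected, and check that decoding returns |num|. */
int encode_matches(int32_t num, const char *expected)
{
    char buf[9];
    uint32_t back = 0;
    Sub1_IntToString(num, buf);
    return strcmp(buf, expected) == 0
        && Sub1_StringToInt(buf, &back) && back == abs32(num);
}

int main(void)
{
    char buf[9];
    Sub1_IntToString(-12345, buf);                 /* "00000C1P" */
    struct Fields f = split_fields(abs32(-12345));
    printf("%s  low7=%u mid5=%u high20=%u\n", buf, f.low7, f.mid5, f.high20);
    printf("2004-02-29: %d  2003-02-29: %d\n",
           is_valid_date(2004, 2, 29), is_valid_date(2003, 2, 29));
    return 0;
}
```

The round trip shows why this encoding offers no protection on its own: it is a fixed, reversible 32-symbol alphabet, so the only constraint the decoder actually enforces is that the unpacked fields form a valid calendar date.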
#include <string.h>

/* Sub2_StringToInt: a reflected CRC-16 over the bytes of data
   (polynomial 0xA001, initial value 0xFFFF, no final XOR).
   The variable names mirror the registers in the disassembly. */
unsigned Sub2_StringToInt(const char *data)
{
    int i, j;
    int len = strlen(data); // 16 for the caller's String8
    unsigned EAX, EBX;
    EBX = 0xFFFF;
    for (i = 0; i < len; i++)
    {
        EAX = (unsigned char)data[i]; // unsigned byte, so bytes >= 0x80 are not sign-extended
        EBX ^= EAX;
        for (j = 0; j < 8; j++)
        {
            if ((EBX & 1) == 0) {
                EBX >>= 1;
            }
            else {
                EBX >>= 1;
                EBX ^= 0xA001;
            }
        }
    }
    return EBX;
}