Registration algorithm analysis of tengxing's CrackMe v1.1
2006-4-15 14:08 5308


Tools: ODbyDYK v1.10[12.25], IDA Pro v4.8.0.847

The detailed analysis is in the disassembly below; the results come first, and the keygen is given at the end.
Input requirements for the registration info:
The username must be 4 to 15 characters long and consist only of letters 'A'-'Z', 'a'-'z'.
The serial may contain only digits '0'-'9' and letters 'A'-'Z', 'a'-'z'.

Serial generation algorithm:
The results of a forward pass over the username characters, a pass over the reversed username, and a forward pass over the sorted username are concatenated in that order; the total length should be 3 times the username length, and any intermediate result that is not a valid character is skipped.
For example, with the username abcdefg, the reversed form is gfedcba, and sorting by ASCII value in ascending order gives abcdefg.
The raw result is `_^]\[Zea]YUQM[ZYXWVU (21 characters); the actual serial is ZeaYUQMZYXWVU.

First pass:
x=(name_len*3-(i+1)*2-0x14+name[i])&0xff;
Second pass:
x=(name_len*3-(i+1)*3-0x14+name[i])&0xff; <-- here name is the reversed username
Third pass:
x=((name_len-3)*(name_len-3)-(i+1)*2-0x14+name[i])&0xff; <-- here name is the username sorted in ascending ASCII order

CODE:00459EF0 ; =============== S U B R O U T I N E =======================================
CODE:00459EF0
CODE:00459EF0 ; Attributes: bp-based frame
CODE:00459EF0
CODE:00459EF0 sub_459EF0 proc near ; DATA XREF: CODE:00459DB8o
CODE:00459EF0
CODE:00459EF0 var_64 = dword ptr -64h
CODE:00459EF0 var_44 = dword ptr -44h
CODE:00459EF0 var_24 = dword ptr -24h
CODE:00459EF0 var_1D = byte ptr -1Dh
CODE:00459EF0 var_1C = dword ptr -1Ch
CODE:00459EF0 var_18 = dword ptr -18h
CODE:00459EF0 var_14 = dword ptr -14h
CODE:00459EF0 var_10 = dword ptr -10h
CODE:00459EF0 var_C = dword ptr -0Ch
CODE:00459EF0 var_8 = dword ptr -8
CODE:00459EF0 var_4 = dword ptr -4
CODE:00459EF0
CODE:00459EF0 push ebp
CODE:00459EF1 mov ebp, esp
CODE:00459EF3 add esp, 0FFFFFF9Ch
CODE:00459EF6 push ebx
CODE:00459EF7 push esi
CODE:00459EF8 push edi
CODE:00459EF9 xor ecx, ecx
CODE:00459EFB mov [ebp+var_4], ecx
CODE:00459EFE mov [ebp+var_8], ecx
CODE:00459F01 mov [ebp+var_C], ecx
CODE:00459F04 mov [ebp+var_10], ecx
CODE:00459F07 mov [ebp+var_24], ecx
CODE:00459F0A mov edi, eax
CODE:00459F0C xor eax, eax
CODE:00459F0E push ebp
CODE:00459F0F push offset loc_45A419
CODE:00459F14 push dword ptr fs:[eax]
CODE:00459F17 mov fs:[eax], esp
CODE:00459F1A push edi
CODE:00459F1B mov esi, offset dword_45A428
CODE:00459F20 lea edi, [ebp+var_44]
CODE:00459F23 mov ecx, 8
CODE:00459F28 rep movsd
CODE:00459F2A pop edi
CODE:00459F2B push edi
CODE:00459F2C mov esi, offset dword_45A448
CODE:00459F31 lea edi, [ebp+var_64]
CODE:00459F34 mov ecx, 8
CODE:00459F39 rep movsd
CODE:00459F3B pop edi
CODE:00459F3C lea edx, [ebp+var_4] <-- name
CODE:00459F3F mov eax, [edi+2F8h]
CODE:00459F45 call @TControl@GetText$qqrv ; TControl::GetText(void)
CODE:00459F4A mov eax, [ebp+var_4]
CODE:00459F4D call @System@_16823 ; System::_16823
CODE:00459F52 mov [ebp+var_18], eax <--- len(name)
CODE:00459F55 cmp [ebp+var_18], 4
CODE:00459F59 jl loc_45A3F0
CODE:00459F5F cmp [ebp+var_18], 0Fh
CODE:00459F63 jg loc_45A3F0 0xF>=len_name>=4
CODE:00459F69 mov ebx, [ebp+var_18]
CODE:00459F6C test ebx, ebx
CODE:00459F6E jle short loc_459F9F
CODE:00459F70 mov esi, 1
CODE:00459F75
CODE:00459F75 loc_459F75: ; CODE XREF: sub_459EF0+ADj
CODE:00459F75 mov eax, [ebp+var_4]
CODE:00459F78 dec esi
CODE:00459F79 test eax, eax
CODE:00459F7B jz short loc_459F82
CODE:00459F7D cmp esi, [eax-4]
CODE:00459F80 jb short loc_459F87
CODE:00459F82
CODE:00459F82 loc_459F82: ; CODE XREF: sub_459EF0+8Bj
CODE:00459F82 call sub_403044
CODE:00459F87
CODE:00459F87 loc_459F87: ; CODE XREF: sub_459EF0+90j
CODE:00459F87 inc esi
CODE:00459F88 mov al, [eax+esi-1]
CODE:00459F8C and eax, 0FFh
CODE:00459F91 bt [ebp+var_44], eax <-- tests whether the character is a digit or a letter; a dedicated 256-bit lookup table is built for this check
CODE:00459F95 jnb loc_45A3F0 <-- if not, bail out
CODE:00459F9B inc esi
CODE:00459F9C dec ebx
CODE:00459F9D jnz short loc_459F75
CODE:00459F9F
CODE:00459F9F loc_459F9F: ; CODE XREF: sub_459EF0+7Ej
CODE:00459F9F mov esi, 1
CODE:00459FA4
CODE:00459FA4 loc_459FA4: ; CODE XREF: sub_459EF0+DEj
CODE:00459FA4 mov eax, [ebp+var_4]
CODE:00459FA7 dec esi
CODE:00459FA8 test eax, eax
CODE:00459FAA jz short loc_459FB1
CODE:00459FAC cmp esi, [eax-4]
CODE:00459FAF jb short loc_459FB6
CODE:00459FB1
CODE:00459FB1 loc_459FB1: ; CODE XREF: sub_459EF0+BAj
CODE:00459FB1 call sub_403044
CODE:00459FB6
CODE:00459FB6 loc_459FB6: ; CODE XREF: sub_459EF0+BFj
CODE:00459FB6 inc esi
CODE:00459FB7 mov al, [eax+esi-1]
CODE:00459FBB and eax, 0FFh
CODE:00459FC0 bt [ebp+var_64], eax <--- checks whether the entered username characters are letters
CODE:00459FC4 jnb loc_45A3F0
CODE:00459FCA inc esi
CODE:00459FCB cmp esi, 4
CODE:00459FCE jnz short loc_459FA4
CODE:00459FD0 lea edx, [ebp+var_8]
CODE:00459FD3 mov eax, [edi+2FCh]
CODE:00459FD9 call @TControl@GetText$qqrv ; TControl::GetText(void)
CODE:00459FDE mov eax, [ebp+var_8]
CODE:00459FE1 call @System@_16823 ; System::_16823
CODE:00459FE6 mov [ebp+var_1C], eax
CODE:00459FE9 cmp [ebp+var_8], 0
CODE:00459FED jz loc_45A3F0
CODE:00459FF3 mov eax, [ebp+var_8]
CODE:00459FF6 call @System@_16823 ; System::_16823
CODE:00459FFB mov ebx, eax
CODE:00459FFD test ebx, ebx
CODE:00459FFF jle short loc_45A030
CODE:0045A001 mov esi, 1
CODE:0045A006
CODE:0045A006 loc_45A006: ; CODE XREF: sub_459EF0+13Ej
CODE:0045A006 mov eax, [ebp+var_8]
CODE:0045A009 dec esi
CODE:0045A00A test eax, eax
CODE:0045A00C jz short loc_45A013
CODE:0045A00E cmp esi, [eax-4]
CODE:0045A011 jb short loc_45A018
CODE:0045A013
CODE:0045A013 loc_45A013: ; CODE XREF: sub_459EF0+11Cj
CODE:0045A013 call sub_403044
CODE:0045A018
CODE:0045A018 loc_45A018: ; CODE XREF: sub_459EF0+121j
CODE:0045A018 inc esi
CODE:0045A019 mov al, [eax+esi-1]
CODE:0045A01D and eax, 0FFh
CODE:0045A022 bt [ebp+var_44], eax <-- if the serial contains an invalid character, bail out
CODE:0045A026 jnb loc_45A3F0
CODE:0045A02C inc esi
CODE:0045A02D dec ebx
CODE:0045A02E jnz short loc_45A006
CODE:0045A030
CODE:0045A030 loc_45A030: ; CODE XREF: sub_459EF0+10Fj
CODE:0045A030 mov [ebp+var_14], 1
CODE:0045A037 mov ebx, [ebp+var_18]
CODE:0045A03A test ebx, ebx
CODE:0045A03C jle loc_45A0DD
CODE:0045A042 mov esi, 1
CODE:0045A047
CODE:0045A047 loc_45A047: ; CODE XREF: sub_459EF0+1E7j
CODE:0045A047 imul edx, [ebp+var_18], 3 <--- edx=name_len*3 (var_18 = len(name))
CODE:0045A04B jno short loc_45A052
CODE:0045A04D call sub_40304C
CODE:0045A052
CODE:0045A052 loc_45A052: ; CODE XREF: sub_459EF0+15Bj
CODE:0045A052 imul eax, esi, 2 <--- eax=esi*2
CODE:0045A055 jno short loc_45A05C
CODE:0045A057 call sub_40304C
CODE:0045A05C
CODE:0045A05C loc_45A05C: ; CODE XREF: sub_459EF0+165j
CODE:0045A05C sub edx, eax <--- edx=edx-eax
CODE:0045A05E jno short loc_45A065
CODE:0045A060 call sub_40304C
CODE:0045A065
CODE:0045A065 loc_45A065: ; CODE XREF: sub_459EF0+16Ej
CODE:0045A065 sub edx, 14h <--- edx=edx-0x14
CODE:0045A068 jno short loc_45A06F
CODE:0045A06A call sub_40304C
CODE:0045A06F
CODE:0045A06F loc_45A06F: ; CODE XREF: sub_459EF0+178j
CODE:0045A06F mov eax, [ebp+var_4] <--- name
CODE:0045A072 dec esi
CODE:0045A073 test eax, eax
CODE:0045A075 jz short loc_45A07C
CODE:0045A077 cmp esi, [eax-4] <--- string range check: esi < len_name
CODE:0045A07A jb short loc_45A081
CODE:0045A07C
CODE:0045A07C loc_45A07C: ; CODE XREF: sub_459EF0+185j
CODE:0045A07C call sub_403044
CODE:0045A081
CODE:0045A081 loc_45A081: ; CODE XREF: sub_459EF0+18Aj
CODE:0045A081 inc esi
CODE:0045A082 movzx eax, byte ptr [eax+esi-1]
CODE:0045A087 add eax, edx <---- eax=name[esi]+edx
CODE:0045A089 jno short loc_45A090
CODE:0045A08B call sub_40304C
CODE:0045A090
CODE:0045A090 loc_45A090: ; CODE XREF: sub_459EF0+199j
CODE:0045A090 mov edx, eax <------ edx=eax=name[esi]+edx
CODE:0045A092 and edx, 0FFh <------- edx=edx & 0xff
CODE:0045A098 bt [ebp+var_44], edx
CODE:0045A09C jnb short loc_45A0D5 <--- if the computed result is not a valid character, skip it and move on to the next username character
CODE:0045A09E mov edx, [ebp+var_14]
CODE:0045A0A1 cmp edx, [ebp+var_1C]
CODE:0045A0A4 jg loc_45A3F0
CODE:0045A0AA mov edx, [ebp+var_14]
CODE:0045A0AD mov ecx, [ebp+var_8] <--- serial
CODE:0045A0B0 dec edx
CODE:0045A0B1 test ecx, ecx
CODE:0045A0B3 jz short loc_45A0BA
CODE:0045A0B5 cmp edx, [ecx-4]
CODE:0045A0B8 jb short loc_45A0BF
CODE:0045A0BA
CODE:0045A0BA loc_45A0BA: ; CODE XREF: sub_459EF0+1C3j
CODE:0045A0BA call sub_403044
CODE:0045A0BF
CODE:0045A0BF loc_45A0BF: ; CODE XREF: sub_459EF0+1C8j
CODE:0045A0BF inc edx
CODE:0045A0C0 cmp al, [ecx+edx-1] ? al==serial[edx]
CODE:0045A0C4 jnz loc_45A3F0 jump if not equal: registration fails
CODE:0045A0CA add [ebp+var_14], 1
CODE:0045A0CE jno short loc_45A0D5
CODE:0045A0D0 call sub_40304C
CODE:0045A0D5
CODE:0045A0D5 loc_45A0D5: ; CODE XREF: sub_459EF0+1ACj
CODE:0045A0D5 ; sub_459EF0+1DEj
CODE:0045A0D5 inc esi
CODE:0045A0D6 dec ebx
CODE:0045A0D7 jnz loc_45A047 <---- loop, with the username length as the iteration count
CODE:0045A0DD
CODE:0045A0DD loc_45A0DD: ; CODE XREF: sub_459EF0+14Cj
CODE:0045A0DD mov eax, [ebp+var_4]
CODE:0045A0E0 call @System@@LStrToPChar$qqrv ; System::__linkproc__ LStrToPChar(void)
CODE:0045A0E5 lea edx, [ebp+var_C]
CODE:0045A0E8 call sub_459E38
CODE:0045A0ED mov ebx, [ebp+var_18]
CODE:0045A0F0 test ebx, ebx
CODE:0045A0F2 jle loc_45A193
CODE:0045A0F8 mov esi, 1
CODE:0045A0FD <-- the username is reversed and the computation above is repeated; only CODE:0045A108 differs slightly
CODE:0045A0FD loc_45A0FD: ; CODE XREF: sub_459EF0+29Dj
CODE:0045A0FD imul edx, [ebp+var_18], 3
CODE:0045A101 jno short loc_45A108
CODE:0045A103 call sub_40304C
CODE:0045A108
CODE:0045A108 loc_45A108: ; CODE XREF: sub_459EF0+211j
CODE:0045A108 imul eax, esi, 3 <--- eax=esi*3; this is the only difference from the loop above, all other operations are identical
CODE:0045A10B jno short loc_45A112
CODE:0045A10D call sub_40304C
CODE:0045A112
CODE:0045A112 loc_45A112: ; CODE XREF: sub_459EF0+21Bj
CODE:0045A112 sub edx, eax
CODE:0045A114 jno short loc_45A11B
CODE:0045A116 call sub_40304C
CODE:0045A11B
CODE:0045A11B loc_45A11B: ; CODE XREF: sub_459EF0+224j
CODE:0045A11B sub edx, 14h
CODE:0045A11E jno short loc_45A125
CODE:0045A120 call sub_40304C
CODE:0045A125
CODE:0045A125 loc_45A125: ; CODE XREF: sub_459EF0+22Ej
CODE:0045A125 mov eax, [ebp+var_C]
CODE:0045A128 dec esi
CODE:0045A129 test eax, eax
CODE:0045A12B jz short loc_45A132
CODE:0045A12D cmp esi, [eax-4]
CODE:0045A130 jb short loc_45A137
CODE:0045A132
CODE:0045A132 loc_45A132: ; CODE XREF: sub_459EF0+23Bj
CODE:0045A132 call sub_403044
CODE:0045A137
CODE:0045A137 loc_45A137: ; CODE XREF: sub_459EF0+240j
CODE:0045A137 inc esi
CODE:0045A138 movzx eax, byte ptr [eax+esi-1]
CODE:0045A13D add eax, edx
CODE:0045A13F jno short loc_45A146
CODE:0045A141 call sub_40304C
CODE:0045A146
CODE:0045A146 loc_45A146: ; CODE XREF: sub_459EF0+24Fj
CODE:0045A146 mov edx, eax
CODE:0045A148 and edx, 0FFh
CODE:0045A14E bt [ebp+var_44], edx
CODE:0045A152 jnb short loc_45A18B
CODE:0045A154 mov edx, [ebp+var_14]
CODE:0045A157 cmp edx, [ebp+var_1C]
CODE:0045A15A jg loc_45A3F0
CODE:0045A160 mov edx, [ebp+var_14]
CODE:0045A163 mov ecx, [ebp+var_8]
CODE:0045A166 dec edx
CODE:0045A167 test ecx, ecx
CODE:0045A169 jz short loc_45A170
CODE:0045A16B cmp edx, [ecx-4]
CODE:0045A16E jb short loc_45A175
CODE:0045A170
CODE:0045A170 loc_45A170: ; CODE XREF: sub_459EF0+279j
CODE:0045A170 call sub_403044
CODE:0045A175
CODE:0045A175 loc_45A175: ; CODE XREF: sub_459EF0+27Ej
CODE:0045A175 inc edx
CODE:0045A176 cmp al, [ecx+edx-1]
CODE:0045A17A jnz loc_45A3F0
CODE:0045A180 add [ebp+var_14], 1
CODE:0045A184 jno short loc_45A18B
CODE:0045A186 call sub_40304C
CODE:0045A18B
CODE:0045A18B loc_45A18B: ; CODE XREF: sub_459EF0+262j
CODE:0045A18B ; sub_459EF0+294j
CODE:0045A18B inc esi
CODE:0045A18C dec ebx
CODE:0045A18D jnz loc_45A0FD
CODE:0045A193
CODE:0045A193 loc_45A193: ; CODE XREF: sub_459EF0+202j
CODE:0045A193 mov eax, [ebp+var_C]
CODE:0045A196 call @System@_16823 ; System::_16823
CODE:0045A19B add eax, 1
CODE:0045A19E jno short loc_45A1A5
CODE:0045A1A0 call sub_40304C
CODE:0045A1A5
CODE:0045A1A5 loc_45A1A5: ; CODE XREF: sub_459EF0+2AEj
CODE:0045A1A5 push eax
CODE:0045A1A6 lea eax, [ebp+var_24]
CODE:0045A1A9 mov ecx, 1
CODE:0045A1AE mov edx, off_459ECC
CODE:0045A1B4 call unknown_libname_25 ; Borland Visual Component Library & Packages
CODE:0045A1B9 add esp, 4
CODE:0045A1BC mov ebx, [ebp+var_18]
CODE:0045A1BF test ebx, ebx
CODE:0045A1C1 jle short loc_45A1F7
CODE:0045A1C3 mov esi, 1
CODE:0045A1C8
CODE:0045A1C8 loc_45A1C8: ; CODE XREF: sub_459EF0+305j
CODE:0045A1C8 mov eax, [ebp+var_4]
CODE:0045A1CB dec esi
CODE:0045A1CC test eax, eax
CODE:0045A1CE jz short loc_45A1D5
CODE:0045A1D0 cmp esi, [eax-4]
CODE:0045A1D3 jb short loc_45A1DA
CODE:0045A1D5
CODE:0045A1D5 loc_45A1D5: ; CODE XREF: sub_459EF0+2DEj
CODE:0045A1D5 call sub_403044
CODE:0045A1DA
CODE:0045A1DA loc_45A1DA: ; CODE XREF: sub_459EF0+2E3j
CODE:0045A1DA inc esi
CODE:0045A1DB mov al, [eax+esi-1]
CODE:0045A1DF mov edx, [ebp+var_24]
CODE:0045A1E2 test edx, edx
CODE:0045A1E4 jz short loc_45A1EB
CODE:0045A1E6 cmp esi, [edx-4]
CODE:0045A1E9 jb short loc_45A1F0
CODE:0045A1EB
CODE:0045A1EB loc_45A1EB: ; CODE XREF: sub_459EF0+2F4j
CODE:0045A1EB call sub_403044
CODE:0045A1F0
CODE:0045A1F0 loc_45A1F0: ; CODE XREF: sub_459EF0+2F9j
CODE:0045A1F0 mov [edx+esi], al
CODE:0045A1F3 inc esi
CODE:0045A1F4 dec ebx
CODE:0045A1F5 jnz short loc_45A1C8
CODE:0045A1F7
CODE:0045A1F7 loc_45A1F7: ; CODE XREF: sub_459EF0+2D1j
CODE:0045A1F7 mov esi, 1
CODE:0045A1FC
CODE:0045A1FC loc_45A1FC: ; CODE XREF: sub_459EF0+3F9j
CODE:0045A1FC mov [ebp+var_1D], 1
CODE:0045A200 mov ebx, [ebp+var_18]
CODE:0045A203 sub ebx, esi
CODE:0045A205 jno short loc_45A20C
CODE:0045A207 call sub_40304C
CODE:0045A20C
CODE:0045A20C loc_45A20C: ; CODE XREF: sub_459EF0+315j
CODE:0045A20C test ebx, ebx
CODE:0045A20E jle loc_45A2DB
CODE:0045A214 mov eax, 1
CODE:0045A219
CODE:0045A219 loc_45A219: ; CODE XREF: sub_459EF0+3E5j
CODE:0045A219 mov edx, [ebp+var_24]
CODE:0045A21C test edx, edx
CODE:0045A21E jz short loc_45A225
CODE:0045A220 cmp eax, [edx-4]
CODE:0045A223 jb short loc_45A22A
CODE:0045A225
CODE:0045A225 loc_45A225: ; CODE XREF: sub_459EF0+32Ej
CODE:0045A225 call sub_403044
CODE:0045A22A
CODE:0045A22A loc_45A22A: ; CODE XREF: sub_459EF0+333j
CODE:0045A22A mov dl, [edx+eax]
CODE:0045A22D mov ecx, eax
CODE:0045A22F add ecx, 1
CODE:0045A232 jno short loc_45A239
CODE:0045A234 call sub_40304C
CODE:0045A239
CODE:0045A239 loc_45A239: ; CODE XREF: sub_459EF0+342j
CODE:0045A239 mov edi, [ebp+var_24]
CODE:0045A23C test edi, edi
CODE:0045A23E jz short loc_45A245
CODE:0045A240 cmp ecx, [edi-4]
CODE:0045A243 jb short loc_45A24A
CODE:0045A245
CODE:0045A245 loc_45A245: ; CODE XREF: sub_459EF0+34Ej
CODE:0045A245 call sub_403044
CODE:0045A24A
CODE:0045A24A loc_45A24A: ; CODE XREF: sub_459EF0+353j
CODE:0045A24A cmp dl, [edi+ecx]
CODE:0045A24D jbe loc_45A2D3
CODE:0045A253 mov edx, eax
CODE:0045A255 add edx, 1
CODE:0045A258 jno short loc_45A25F
CODE:0045A25A call sub_40304C
CODE:0045A25F
CODE:0045A25F loc_45A25F: ; CODE XREF: sub_459EF0+368j
CODE:0045A25F mov ecx, [ebp+var_24]
CODE:0045A262 test ecx, ecx
CODE:0045A264 jz short loc_45A26B
CODE:0045A266 cmp edx, [ecx-4]
CODE:0045A269 jb short loc_45A270
CODE:0045A26B
CODE:0045A26B loc_45A26B: ; CODE XREF: sub_459EF0+374j
CODE:0045A26B call sub_403044
CODE:0045A270
CODE:0045A270 loc_45A270: ; CODE XREF: sub_459EF0+379j
CODE:0045A270 movzx edx, byte ptr [ecx+edx]
CODE:0045A274 mov ecx, [ebp+var_24]
CODE:0045A277 test ecx, ecx
CODE:0045A279 jz short loc_45A280
CODE:0045A27B cmp eax, [ecx-4]
CODE:0045A27E jb short loc_45A285
CODE:0045A280
CODE:0045A280 loc_45A280: ; CODE XREF: sub_459EF0+389j
CODE:0045A280 call sub_403044
CODE:0045A285
CODE:0045A285 loc_45A285: ; CODE XREF: sub_459EF0+38Ej
CODE:0045A285 mov cl, [ecx+eax]
CODE:0045A288 push ecx
CODE:0045A289 mov ecx, eax
CODE:0045A28B add ecx, 1
CODE:0045A28E jno short loc_45A295
CODE:0045A290 call sub_40304C
CODE:0045A295
CODE:0045A295 loc_45A295: ; CODE XREF: sub_459EF0+39Ej
CODE:0045A295 mov edi, [ebp+var_24]
CODE:0045A298 test edi, edi
CODE:0045A29A jz short loc_45A2A1
CODE:0045A29C cmp ecx, [edi-4]
CODE:0045A29F jb short loc_45A2A6
CODE:0045A2A1
CODE:0045A2A1 loc_45A2A1: ; CODE XREF: sub_459EF0+3AAj
CODE:0045A2A1 call sub_403044
CODE:0045A2A6
CODE:0045A2A6 loc_45A2A6: ; CODE XREF: sub_459EF0+3AFj
CODE:0045A2A6 add edi, ecx
CODE:0045A2A8 pop ecx
CODE:0045A2A9 mov [edi], cl
CODE:0045A2AB mov ecx, [ebp+var_24]
CODE:0045A2AE test ecx, ecx
CODE:0045A2B0 jz short loc_45A2B7
CODE:0045A2B2 cmp eax, [ecx-4]
CODE:0045A2B5 jb short loc_45A2BC
CODE:0045A2B7
CODE:0045A2B7 loc_45A2B7: ; CODE XREF: sub_459EF0+3C0j
CODE:0045A2B7 call sub_403044
CODE:0045A2BC
CODE:0045A2BC loc_45A2BC: ; CODE XREF: sub_459EF0+3C5j
CODE:0045A2BC add ecx, eax
CODE:0045A2BE push ecx
CODE:0045A2BF cmp edx, 0FFh
CODE:0045A2C5 jbe short loc_45A2CC
CODE:0045A2C7 call sub_403044
CODE:0045A2CC
CODE:0045A2CC loc_45A2CC: ; CODE XREF: sub_459EF0+3D5j
CODE:0045A2CC pop ecx
CODE:0045A2CD mov [ecx], dl
CODE:0045A2CF mov [ebp+var_1D], 0
CODE:0045A2D3
CODE:0045A2D3 loc_45A2D3: ; CODE XREF: sub_459EF0+35Dj
CODE:0045A2D3 inc eax
CODE:0045A2D4 dec ebx
CODE:0045A2D5 jnz loc_45A219
CODE:0045A2DB
CODE:0045A2DB loc_45A2DB: ; CODE XREF: sub_459EF0+31Ej
CODE:0045A2DB add esi, 1
CODE:0045A2DE jno short loc_45A2E5
CODE:0045A2E0 call sub_40304C
CODE:0045A2E5
CODE:0045A2E5 loc_45A2E5: ; CODE XREF: sub_459EF0+3EEj
CODE:0045A2E5 cmp [ebp+var_1D], 0
CODE:0045A2E9 jz loc_45A1FC
CODE:0045A2EF lea eax, [ebp+var_10]
CODE:0045A2F2 mov edx, [ebp+var_18]
CODE:0045A2F5 call sub_4044A8
CODE:0045A2FA mov ebx, [ebp+var_18]
CODE:0045A2FD test ebx, ebx
CODE:0045A2FF jle short loc_45A33A
CODE:0045A301 mov esi, 1
CODE:0045A306
CODE:0045A306 loc_45A306: ; CODE XREF: sub_459EF0+448j
CODE:0045A306 lea eax, [ebp+var_10]
CODE:0045A309 call sub_404374
CODE:0045A30E dec esi
CODE:0045A30F test eax, eax
CODE:0045A311 jz short loc_45A318
CODE:0045A313 cmp esi, [eax-4]
CODE:0045A316 jb short loc_45A31D
CODE:0045A318
CODE:0045A318 loc_45A318: ; CODE XREF: sub_459EF0+421j
CODE:0045A318 call sub_403044
CODE:0045A31D
CODE:0045A31D loc_45A31D: ; CODE XREF: sub_459EF0+426j
CODE:0045A31D inc esi
CODE:0045A31E mov edx, [ebp+var_24]
CODE:0045A321 test edx, edx
CODE:0045A323 jz short loc_45A32A
CODE:0045A325 cmp esi, [edx-4]
CODE:0045A328 jb short loc_45A32F
CODE:0045A32A
CODE:0045A32A loc_45A32A: ; CODE XREF: sub_459EF0+433j
CODE:0045A32A call sub_403044
CODE:0045A32F
CODE:0045A32F loc_45A32F: ; CODE XREF: sub_459EF0+438j
CODE:0045A32F mov dl, [edx+esi]
CODE:0045A332 mov [eax+esi-1], dl
CODE:0045A336 inc esi
CODE:0045A337 dec ebx
CODE:0045A338 jnz short loc_45A306
CODE:0045A33A
CODE:0045A33A loc_45A33A: ; CODE XREF: sub_459EF0+40Fj
CODE:0045A33A mov ebx, [ebp+var_18]
CODE:0045A33D test ebx, ebx <---- loop counter for the next part
CODE:0045A33F jle loc_45A3E6
CODE:0045A345 mov esi, 1
CODE:0045A34A
CODE:0045A34A loc_45A34A: ; CODE XREF: sub_459EF0+4F0j
CODE:0045A34A mov eax, [ebp+var_18]
CODE:0045A34D sub eax, 3 <-- eax = name_len-3
CODE:0045A350 jno short loc_45A357
CODE:0045A352 call sub_40304C
CODE:0045A357
CODE:0045A357 loc_45A357: ; CODE XREF: sub_459EF0+460j
CODE:0045A357 mov edx, eax
CODE:0045A359 imul edx, eax <--- edx=eax*eax
CODE:0045A35C jno short loc_45A363
CODE:0045A35E call sub_40304C
CODE:0045A363
CODE:0045A363 loc_45A363: ; CODE XREF: sub_459EF0+46Cj
CODE:0045A363 imul eax, esi, 2 <--- eax= esi*2
CODE:0045A366 jno short loc_45A36D
CODE:0045A368 call sub_40304C
CODE:0045A36D
CODE:0045A36D loc_45A36D: ; CODE XREF: sub_459EF0+476j
CODE:0045A36D sub edx, eax <-- edx=edx-esi*2
CODE:0045A36F jno short loc_45A376
CODE:0045A371 call sub_40304C
CODE:0045A376
CODE:0045A376 loc_45A376: ; CODE XREF: sub_459EF0+47Fj
CODE:0045A376 sub edx, 14h <-- edx= edx -0x14
CODE:0045A379 jno short loc_45A380
CODE:0045A37B call sub_40304C
CODE:0045A380
CODE:0045A380 loc_45A380: ; CODE XREF: sub_459EF0+489j
CODE:0045A380 mov eax, [ebp+var_10]
CODE:0045A383 dec esi
CODE:0045A384 test eax, eax
CODE:0045A386 jz short loc_45A38D
CODE:0045A388 cmp esi, [eax-4]
CODE:0045A38B jb short loc_45A392
CODE:0045A38D
CODE:0045A38D loc_45A38D: ; CODE XREF: sub_459EF0+496j
CODE:0045A38D call sub_403044
CODE:0045A392
CODE:0045A392 loc_45A392: ; CODE XREF: sub_459EF0+49Bj
CODE:0045A392 inc esi
CODE:0045A393 movzx eax, byte ptr [eax+esi-1]
CODE:0045A398 add eax, edx <-- eax=edx+name[esi] <--- name has been sorted into ascending ASCII order
CODE:0045A39A jno short loc_45A3A1
CODE:0045A39C call sub_40304C
CODE:0045A3A1
CODE:0045A3A1 loc_45A3A1: ; CODE XREF: sub_459EF0+4AAj
CODE:0045A3A1 mov edx, eax
CODE:0045A3A3 and edx, 0FFh
CODE:0045A3A9 bt [ebp+var_44], edx
CODE:0045A3AD jnb short loc_45A3DE
CODE:0045A3AF mov edx, [ebp+var_14]
CODE:0045A3B2 cmp edx, [ebp+var_1C]
CODE:0045A3B5 jg short loc_45A3F0
CODE:0045A3B7 mov edx, [ebp+var_14]
CODE:0045A3BA mov ecx, [ebp+var_8]
CODE:0045A3BD dec edx
CODE:0045A3BE test ecx, ecx
CODE:0045A3C0 jz short loc_45A3C7
CODE:0045A3C2 cmp edx, [ecx-4]
CODE:0045A3C5 jb short loc_45A3CC
CODE:0045A3C7
CODE:0045A3C7 loc_45A3C7: ; CODE XREF: sub_459EF0+4D0j
CODE:0045A3C7 call sub_403044
CODE:0045A3CC
CODE:0045A3CC loc_45A3CC: ; CODE XREF: sub_459EF0+4D5j
CODE:0045A3CC inc edx
CODE:0045A3CD cmp al, [ecx+edx-1] <---- keep comparing against the serial
CODE:0045A3D1 jnz short loc_45A3F0
CODE:0045A3D3 add [ebp+var_14], 1
CODE:0045A3D7 jno short loc_45A3DE
CODE:0045A3D9 call sub_40304C
CODE:0045A3DE
CODE:0045A3DE loc_45A3DE: ; CODE XREF: sub_459EF0+4BDj
CODE:0045A3DE ; sub_459EF0+4E7j
CODE:0045A3DE inc esi
CODE:0045A3DF dec ebx
CODE:0045A3E0 jnz loc_45A34A
CODE:0045A3E6
CODE:0045A3E6 loc_45A3E6: ; CODE XREF: sub_459EF0+44Fj <---- the entered serial passed every check: registration succeeds
CODE:0045A3E6 mov eax, offset _str________________.Text
CODE:0045A3EB call @Dialogs@ShowMessage$qqrx17System@AnsiString ; Dialogs::ShowMessage(System::AnsiString)
CODE:0045A3F0
CODE:0045A3F0 loc_45A3F0: ; CODE XREF: sub_459EF0+69j
CODE:0045A3F0 ; sub_459EF0+73j ...
CODE:0045A3F0 xor eax, eax
CODE:0045A3F2 pop edx
CODE:0045A3F3 pop ecx
CODE:0045A3F4 pop ecx
CODE:0045A3F5 mov fs:[eax], edx
CODE:0045A3F8 push offset loc_45A420
CODE:0045A3FD
CODE:0045A3FD loc_45A3FD: ; CODE XREF: sub_459EF0+52Ej
CODE:0045A3FD lea eax, [ebp+var_24]
CODE:0045A400 mov edx, off_459ECC
CODE:0045A406 call sub_404E48
CODE:0045A40B lea eax, [ebp+var_10]
CODE:0045A40E mov edx, 4
CODE:0045A413 call @System@@LStrArrayClr$qqrv ; System::__linkproc__ LStrArrayClr(void)
CODE:0045A418 retn

Below is the keygen: serial is the correct serial and sero is the raw result of the computation over the username, so the two can be compared.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char name[20];
    strcpy(name, "abcdefg");
    char serial[60], sero[60];  /* serial: valid characters only; sero: every raw result */
    int name_len;
    name_len = strlen(name);
    int i, sc, so, j, tmp;
    int x;
    sc = 0;
    so = 0;
    /* pass 1: forward over the username */
    for (i = 0; i < name_len; i++)
    {
        x = (name_len*3 - (i+1)*2 - 0x14 + name[i]) & 0xff;
        if ((x >= 'a' && x <= 'z') || (x >= 'A' && x <= 'Z') || (x >= '0' && x <= '9'))
            serial[sc++] = x;
        sero[so++] = x;
    }
    /* pass 2: over the reversed username, with *3 instead of *2 */
    for (i = 0; i < name_len; i++)
    {
        x = (name_len*3 - (i+1)*3 - 0x14 + name[name_len-1-i]) & 0xff;
        if ((x >= 'a' && x <= 'z') || (x >= 'A' && x <= 'Z') || (x >= '0' && x <= '9'))
            serial[sc++] = x;
        sero[so++] = x;
    }
    /* bubble sort the username into ascending ASCII order */
    for (i = 0; i < name_len; i++)
        for (j = 0; j < name_len-i-1; j++)
            if (name[j] > name[j+1])
            {
                tmp = name[j+1];
                name[j+1] = name[j];
                name[j] = tmp;
            }
    /* pass 3: forward over the sorted username */
    for (i = 0; i < name_len; i++)
    {
        x = ((name_len-3)*(name_len-3) - (i+1)*2 - 0x14 + name[i]) & 0xff;
        if ((x >= 'a' && x <= 'z') || (x >= 'A' && x <= 'Z') || (x >= '0' && x <= '9'))
            serial[sc++] = x;
        sero[so++] = x;
    }

    serial[sc] = '\0';
    sero[so] = '\0';
    printf("raw result: %s\nserial:     %s\n", sero, serial);
    return 0;
}
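As an added example (not part of the original post), here is a C re-implementation of the check routine sub_459EF0 as read from the disassembly above: it rebuilds the 256-bit lookup tables the binary tests with bt and walks the serial the same way var_14 does, so a keygen result can be verified against the original rules. It assumes the table at dword_45A428 accepts letters and digits and the one at dword_45A448 accepts letters, as the analysis above identifies.

```c
#include <string.h>

/* 256-bit lookup table laid out like the 32-byte block that
 * `bt [ebp+var_44], eax` indexes: bit n set <=> byte value n is accepted.
 * Rebuilt here from the character classes the analysis identifies (assumption). */
typedef struct { unsigned char bits[32]; } bitmap256;

static void bitmap_set(bitmap256 *bm, int c) {
    bm->bits[c >> 3] |= (unsigned char)(1u << (c & 7));
}
static int bitmap_test(const bitmap256 *bm, int c) {   /* bt + jnb */
    return (bm->bits[(c & 0xff) >> 3] >> (c & 7)) & 1;
}
static void build_tables(bitmap256 *alnum, bitmap256 *alpha) {
    memset(alnum, 0, sizeof *alnum);
    memset(alpha, 0, sizeof *alpha);
    for (int c = 'a'; c <= 'z'; c++) { bitmap_set(alnum, c); bitmap_set(alpha, c); }
    for (int c = 'A'; c <= 'Z'; c++) { bitmap_set(alnum, c); bitmap_set(alpha, c); }
    for (int c = '0'; c <= '9'; c++) bitmap_set(alnum, c);
}

/* One pass (loc_45A047 / loc_45A0FD / loc_45A34A): compute x for each character,
 * skip results that are not valid serial characters, and require every valid one
 * to equal the next unconsumed serial character. */
static int check_pass(const unsigned char *s, int len, int base, int step,
                      const char *serial, int slen, int *pos, const bitmap256 *ok)
{
    for (int i = 0; i < len; i++) {
        int x = (base - (i + 1) * step + s[i]) & 0xff;
        if (!bitmap_test(ok, x)) continue;                   /* jnb loc_45A0D5 */
        if (*pos > slen) return 0;                            /* cmp edx,[ebp+var_1C]; jg */
        if (x != (unsigned char)serial[*pos - 1]) return 0;   /* cmp al,[ecx+edx-1]; jnz */
        (*pos)++;                                             /* add [ebp+var_14],1 */
    }
    return 1;
}

/* Returns 1 where sub_459EF0 would reach loc_45A3E6 (the success dialog). */
int check_serial(const char *name, const char *serial)
{
    bitmap256 alnum, alpha;
    build_tables(&alnum, &alpha);
    int len = (int)strlen(name), slen = (int)strlen(serial);
    if (len < 4 || len > 15 || slen == 0) return 0;
    for (int i = 0; i < len; i++)
        if (!bitmap_test(&alnum, (unsigned char)name[i])) return 0;
    for (int i = 0; i < 3; i++)     /* the loop at loc_459FA4 only runs esi = 1..3 */
        if (!bitmap_test(&alpha, (unsigned char)name[i])) return 0;
    for (int i = 0; i < slen; i++)
        if (!bitmap_test(&alnum, (unsigned char)serial[i])) return 0;

    unsigned char fwd[16], rev[16], sorted[16];
    memcpy(fwd, name, (size_t)len);
    for (int i = 0; i < len; i++) rev[i] = fwd[len - 1 - i];
    memcpy(sorted, fwd, (size_t)len);
    for (int i = 0; i < len; i++)   /* bubble sort into ascending ASCII order */
        for (int j = 0; j + 1 < len - i; j++)
            if (sorted[j] > sorted[j + 1]) {
                unsigned char t = sorted[j]; sorted[j] = sorted[j + 1]; sorted[j + 1] = t;
            }

    int pos = 1;   /* [ebp+var_14]: 1-based index of the next serial character */
    if (!check_pass(fwd, len, len * 3 - 0x14, 2, serial, slen, &pos, &alnum)) return 0;
    if (!check_pass(rev, len, len * 3 - 0x14, 3, serial, slen, &pos, &alnum)) return 0;
    if (!check_pass(sorted, len, (len - 3) * (len - 3) - 0x14, 2, serial, slen, &pos, &alnum)) return 0;
    /* As in the disassembly, nothing verifies that pos - 1 == slen, so extra
     * trailing serial characters are silently accepted. */
    return 1;
}
```

check_serial("abcdefg", "ZeaYUQMZYXWVU") returns 1, matching the worked example above, while a serial that is too short or has one wrong character returns 0.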

Latest replies (1)
lnn1123 13 2006-4-15 15:17
good! study