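【Title】: atani V3.71 algorithm analysis
【Author】: OCNZHAO[OCN]
【Author email】: ocnzhao@163.com
【Software name】: atani V3.71
【Software size】: 1.2M
【Download】: 华军软件园 (Huajun Software Park)
【Packer】: None
【Protection】: Serial number
【Tools used】: OD, PEID V0.94
【Software description】: Animated GIF creation software; making an animation takes only five steps. You can use
【Author's statement】: This is purely out of interest, with no other purpose. Please point out any mistakes!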
--------------------------------------------------------------------------------
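【Detailed process】
Locating the key registration code is fairly simple, so we mainly look at the algorithm. The algorithm is not very complicated; experts can skip this. I had intended to write a keygen, but after a few attempts
found it was beyond my ability, so I will add one once I have learned C. I traced through the code roughly, and most of the comments were added afterwards.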
00456808 /. 55 push ebp
00456809 |. 8BEC mov ebp, esp
0045680B |. 83C4 8C add esp, -74
0045680E |. 53 push ebx
0045680F |. 56 push esi
00456810 |. 57 push edi
00456811 |. 8BF0 mov esi, eax
00456813 |. B8 387D5F00 mov eax, 005F7D38
00456818 |. E8 6F381700 call 005CA08C
0045681D |. 66:C745 B4 0800 mov word ptr [ebp-4C], 8
00456823 |. 8B15 383E6200 mov edx, [623E38] ; atani.00624A20
00456829 |. 8B0A mov ecx, [edx]
0045682B |. B2 01 mov dl, 1
0045682D |. A1 E4A66000 mov eax, [60A6E4]
00456832 |. E8 A50B0800 call 004D73DC
00456837 |. 8BD8 mov ebx, eax
00456839 |. 895D FC mov [ebp-4], ebx
0045683C |. 8BC3 mov eax, ebx
0045683E |. FF45 C0 inc dword ptr [ebp-40]
00456841 |. 66:C745 B4 1400 mov word ptr [ebp-4C], 14
00456847 |. 8B10 mov edx, [eax]
00456849 |. FF92 D8000000 call [edx+D8]
0045684F |. 48 dec eax
00456850 |. 0F85 68030000 jnz 00456BBE
00456856 |. 68 3B1B5F00 push 005F1B3B ; /EventName = ""
0045685B |. 6A 00 push 0 ; |InitiallySignaled = FALSE
0045685D |. 6A 01 push 1 ; |ManualReset = TRUE
0045685F |. 6A 00 push 0 ; |pSecurity = NULL
00456861 |. E8 BA291900 call <jmp.&KERNEL32.CreateEve>; \CreateEventA
00456866 |. 8BF8 mov edi, eax
00456868 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms
0045686D |. 57 push edi ; |hObject
0045686E |. E8 4D2C1900 call <jmp.&KERNEL32.WaitForSi>; \WaitForSingleObject
00456873 |. 3D 02010000 cmp eax, 102
00456878 |. 0F85 40030000 jnz 00456BBE
0045687E |. 33D2 xor edx, edx
00456880 |. 8B86 CC040000 mov eax, [esi+4CC]
00456886 |. E8 F9BC1000 call 00562584
0045688B |. 56 push esi ; /Arg1
0045688C |. E8 EB030000 call 00456C7C ; step into this CALL ***************************
00456891 |. 59 pop ecx ; 010A2E20
00456892 |. 84C0 test al, al ; see the message below: if EAX returns 0, registration fails
00456894 75 52 jnz short 004568E8 ; if the jump is not taken, registration fails
00456896 |. 6A 00 push 0
00456898 |. BA 3C1B5F00 mov edx, 005F1B3C ; ASCII "Your registration code is wrong. Restart the program and repeat the registration once again."
0045689D |. 66:C745 B4 2000 mov word ptr [ebp-4C], 20
004568A3 |. 8D45 F8 lea eax, [ebp-8]
004568A6 |. E8 45E31700 call 005D4BF0
004568AB |. FF45 C0 inc dword ptr [ebp-40]
004568AE |. 8B08 mov ecx, [eax]
00456DF8 /$ 55 push ebp
00456DF9 |. 8BEC mov ebp, esp
00456DFB |. 81C4 58FEFFFF add esp, -1A8
00456E01 |. B8 64815F00 mov eax, 005F8164
00456E06 |. 53 push ebx
00456E07 |. 56 push esi
00456E08 |. 57 push edi
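00456E09 |. E8 7E321700 call 005CA08C ; the constants below are stored one after another; values are picked from them according to the serial
00456E0E |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8 ; each serial digit selects the matching entry, e.g. 0 selects the first one, 0x87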
00456E17 |. BA 451C5F00 mov edx, 005F1C45 ; ASCII "87"
00456E1C |. 8D85 70FFFFFF lea eax, [ebp-90]
00456E22 |. E8 C9DD1700 call 005D4BF0
00456E27 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456E2D |. BA 481C5F00 mov edx, 005F1C48 ; ASCII "74"
00456E32 |. 8D85 74FFFFFF lea eax, [ebp-8C]
00456E38 |. E8 B3DD1700 call 005D4BF0
00456E3D |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456E43 |. BA 4B1C5F00 mov edx, 005F1C4B ; ASCII "90"
00456E48 |. 8D85 78FFFFFF lea eax, [ebp-88]
00456E4E |. E8 9DDD1700 call 005D4BF0
00456E53 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456E59 |. BA 4E1C5F00 mov edx, 005F1C4E ; ASCII "39"
00456E5E |. 8D85 7CFFFFFF lea eax, [ebp-84]
00456E64 |. E8 87DD1700 call 005D4BF0
00456E69 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456E6F |. BA 511C5F00 mov edx, 005F1C51 ; ASCII "64"
00456E74 |. 8D45 80 lea eax, [ebp-80]
00456E77 |. E8 74DD1700 call 005D4BF0
00456E7C |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456E82 |. BA 541C5F00 mov edx, 005F1C54 ; ASCII "53"
00456E87 |. 8D45 84 lea eax, [ebp-7C]
00456E8A |. E8 61DD1700 call 005D4BF0
00456E8F |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456E95 |. BA 571C5F00 mov edx, 005F1C57 ; ASCII "97"
00456E9A |. 8D45 88 lea eax, [ebp-78]
00456E9D |. E8 4EDD1700 call 005D4BF0
00456EA2 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456EA8 |. BA 5A1C5F00 mov edx, 005F1C5A ; ASCII "99"
00456EAD |. 8D45 8C lea eax, [ebp-74]
00456EB0 |. E8 3BDD1700 call 005D4BF0
00456EB5 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456EBB |. BA 5D1C5F00 mov edx, 005F1C5D ; ASCII "56"
00456EC0 |. 8D45 90 lea eax, [ebp-70]
00456EC3 |. E8 28DD1700 call 005D4BF0
00456EC8 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456ECE |. BA 601C5F00 mov edx, 005F1C60 ; ASCII "72"
00456ED3 |. 8D45 94 lea eax, [ebp-6C]
00456ED6 |. E8 15DD1700 call 005D4BF0
00456EDB |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456EE1 |. BA 631C5F00 mov edx, 005F1C63 ; ASCII "30"
00456EE6 |. 8D45 98 lea eax, [ebp-68]
00456EE9 |. E8 02DD1700 call 005D4BF0
00456EEE |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456EF4 |. BA 661C5F00 mov edx, 005F1C66 ; ASCII "24"
00456EF9 |. 8D45 9C lea eax, [ebp-64]
00456EFC |. E8 EFDC1700 call 005D4BF0
00456F01 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F07 |. BA 691C5F00 mov edx, 005F1C69 ; ASCII "41"
00456F0C |. 8D45 A0 lea eax, [ebp-60]
00456F0F |. E8 DCDC1700 call 005D4BF0
00456F14 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F1A |. BA 6C1C5F00 mov edx, 005F1C6C ; ASCII "15"
00456F1F |. 8D45 A4 lea eax, [ebp-5C]
00456F22 |. E8 C9DC1700 call 005D4BF0
00456F27 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F2D |. BA 6F1C5F00 mov edx, 005F1C6F ; ASCII "69"
00456F32 |. 8D45 A8 lea eax, [ebp-58]
00456F35 |. E8 B6DC1700 call 005D4BF0
00456F3A |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F40 |. BA 721C5F00 mov edx, 005F1C72 ; ASCII "92"
00456F45 |. 8D45 AC lea eax, [ebp-54]
00456F48 |. E8 A3DC1700 call 005D4BF0
00456F4D |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F53 |. BA 751C5F00 mov edx, 005F1C75 ; ASCII "85"
00456F58 |. 8D45 B0 lea eax, [ebp-50]
00456F5B |. E8 90DC1700 call 005D4BF0
00456F60 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F66 |. BA 781C5F00 mov edx, 005F1C78 ; ASCII "98"
00456F6B |. 8D45 B4 lea eax, [ebp-4C]
00456F6E |. E8 7DDC1700 call 005D4BF0
00456F73 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F79 |. BA 7B1C5F00 mov edx, 005F1C7B ; ASCII "55"
00456F7E |. 8D45 B8 lea eax, [ebp-48]
00456F81 |. E8 6ADC1700 call 005D4BF0
00456F86 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F8C |. BA 7E1C5F00 mov edx, 005F1C7E ; ASCII "19"
00456F91 |. 8D45 BC lea eax, [ebp-44]
00456F94 |. E8 57DC1700 call 005D4BF0
00456F99 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456F9F |. BA 811C5F00 mov edx, 005F1C81 ; ASCII "57"
00456FA4 |. 8D45 C0 lea eax, [ebp-40]
00456FA7 |. E8 44DC1700 call 005D4BF0
00456FAC |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456FB2 |. BA 841C5F00 mov edx, 005F1C84 ; ASCII "23"
00456FB7 |. 8D45 C4 lea eax, [ebp-3C]
00456FBA |. E8 31DC1700 call 005D4BF0
00456FBF |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456FC5 |. BA 871C5F00 mov edx, 005F1C87 ; ASCII "32"
00456FCA |. 8D45 C8 lea eax, [ebp-38]
00456FCD |. E8 1EDC1700 call 005D4BF0
00456FD2 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456FD8 |. BA 8A1C5F00 mov edx, 005F1C8A ; ASCII "21"
00456FDD |. 8D45 CC lea eax, [ebp-34]
00456FE0 |. E8 0BDC1700 call 005D4BF0
00456FE5 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456FEB |. BA 8D1C5F00 mov edx, 005F1C8D ; ASCII "27"
00456FF0 |. 8D45 D0 lea eax, [ebp-30]
00456FF3 |. E8 F8DB1700 call 005D4BF0
00456FF8 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00456FFE |. BA 901C5F00 mov edx, 005F1C90 ; ASCII "35"
00457003 |. 8D45 D4 lea eax, [ebp-2C]
00457006 |. E8 E5DB1700 call 005D4BF0
0045700B |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457011 |. BA 931C5F00 mov edx, 005F1C93 ; ASCII "44"
00457016 |. 8D45 D8 lea eax, [ebp-28]
00457019 |. E8 D2DB1700 call 005D4BF0
0045701E |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457024 |. BA 961C5F00 mov edx, 005F1C96 ; ASCII "42"
00457029 |. 8D45 DC lea eax, [ebp-24]
0045702C |. E8 BFDB1700 call 005D4BF0
00457031 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457037 |. BA 991C5F00 mov edx, 005F1C99 ; ASCII "14"
0045703C |. 8D45 E0 lea eax, [ebp-20]
0045703F |. E8 ACDB1700 call 005D4BF0
00457044 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
0045704A |. BA 9C1C5F00 mov edx, 005F1C9C ; ASCII "11"
0045704F |. 8D45 E4 lea eax, [ebp-1C]
00457052 |. E8 99DB1700 call 005D4BF0
00457057 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
0045705D |. BA 9F1C5F00 mov edx, 005F1C9F ; ASCII "43"
00457062 |. 8D45 E8 lea eax, [ebp-18]
00457065 |. E8 86DB1700 call 005D4BF0
0045706A |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457070 |. BA A21C5F00 mov edx, 005F1CA2 ; ASCII "80"
00457075 |. 8D45 EC lea eax, [ebp-14]
00457078 |. E8 73DB1700 call 005D4BF0
0045707D |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457083 |. BA A51C5F00 mov edx, 005F1CA5 ; ASCII "84"
00457088 |. 8D45 F0 lea eax, [ebp-10]
0045708B |. E8 60DB1700 call 005D4BF0
00457090 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457096 |. BA A81C5F00 mov edx, 005F1CA8 ; ASCII "33"
0045709B |. 8D45 F4 lea eax, [ebp-C]
0045709E |. E8 4DDB1700 call 005D4BF0
004570A3 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
004570A9 |. BA AB1C5F00 mov edx, 005F1CAB ; ASCII "25"
004570AE |. 8D45 F8 lea eax, [ebp-8]
004570B1 |. E8 3ADB1700 call 005D4BF0
004570B6 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
004570BC |. BA AE1C5F00 mov edx, 005F1CAE ; ASCII "10"
004570C1 |. 8D45 FC lea eax, [ebp-4]
004570C4 |. E8 27DB1700 call 005D4BF0
004570C9 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
004570CF |. BE C0055F00 mov esi, 005F05C0
004570D4 |. 8DBD E8FEFFFF lea edi, [ebp-118]
004570DA |. B9 09000000 mov ecx, 9
004570DF |. F3:A5 rep movs dword ptr es:[edi],>
004570E1 |. BE E4055F00 mov esi, 005F05E4
004570E6 |. 8DBD 58FEFFFF lea edi, [ebp-1A8]
004570EC |. B9 24000000 mov ecx, 24
004570F1 |. F3:A5 rep movs dword ptr es:[edi],>
004570F3 |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 14
004570FC |. 33C0 xor eax, eax
004570FE |. 8985 6CFFFFFF mov [ebp-94], eax
00457104 |. 8D95 6CFFFFFF lea edx, [ebp-94]
0045710A |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457110 |. 8B45 10 mov eax, [ebp+10]
00457113 |. E8 A0E01700 call 005D51B8
00457118 |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8
00457121 |. 33D2 xor edx, edx
00457123 |. 33C9 xor ecx, ecx
00457125 |. 8995 18FFFFFF mov [ebp-E8], edx
0045712B |. 898D 14FFFFFF mov [ebp-EC], ecx
00457131 |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 20
0045713A |. BA B11C5F00 mov edx, 005F1CB1
0045713F |. 8D85 68FFFFFF lea eax, [ebp-98]
00457145 |. E8 A6DA1700 call 005D4BF0
0045714A |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457150 |. BA B21C5F00 mov edx, 005F1CB2
00457155 |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8
0045715E |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 2C
00457167 |. 8D85 64FFFFFF lea eax, [ebp-9C]
0045716D |. E8 7EDA1700 call 005D4BF0
00457172 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457178 |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8
00457181 |. C785 10FFFFFF 010>mov dword ptr [ebp-F0], 1
0045718B |. E9 85000000 jmp 00457215 ; jump
00457190 |> 66:C785 2CFFFFFF >/mov word ptr [ebp-D4], 8 ; start processing the serial
00457199 |. 8D85 58FEFFFF |lea eax, [ebp-1A8]
0045719F |. 33F6 |xor esi, esi ; clear ESI, the inner-loop counter
004571A1 |. 8985 0CFFFFFF |mov [ebp-F4], eax
004571A7 |. 8DBD E8FEFFFF |lea edi, [ebp-118]
004571AD |> 8B9D 10FFFFFF |/mov ebx, [ebp-F0] ; the small inner loop
004571B3 |. 53 ||push ebx ; /Arg2
004571B4 |. 8D85 6CFFFFFF ||lea eax, [ebp-94] ; |
004571BA |. 50 ||push eax ; |Arg1
004571BB |. E8 ACD91700 ||call 005D4B6C ; \atani.005D4B6C
004571C0 |. 83C4 08 ||add esp, 8
004571C3 |. 8D85 6CFFFFFF ||lea eax, [ebp-94]
004571C9 |. E8 E2DE1700 ||call 005D50B0 ; fetch the second segment of the serial
004571CE |. 039D 6CFFFFFF ||add ebx, [ebp-94]
004571D4 |. 4B ||dec ebx
004571D5 |. 8A13 ||mov dl, [ebx]
004571D7 |. 3A17 ||cmp dl, [edi] ; keep incrementing the counter until it equals SN_I
004571D9 |. 75 26 ||jnz short 00457201 ; not equal, jump
004571DB |. 8BD6 ||mov edx, esi
004571DD |. C1E2 02 ||shl edx, 2 ; edx*4
004571E0 |. 8D85 70FFFFFF ||lea eax, [ebp-90]
004571E6 |. 03D0 ||add edx, eax
004571E8 |. 8D85 64FFFFFF ||lea eax, [ebp-9C]
004571EE |. E8 21DD1700 ||call 005D4F14 ; fetch the matching number from the table given above; for 1 take 0x74, and so on
004571F3 |. 8B95 0CFFFFFF ||mov edx, [ebp-F4] ; the other table, denoted T1[i]
004571F9 |. 8B0A ||mov ecx, [edx]
004571FB |. 018D 18FFFFFF ||add [ebp-E8], ecx ; add up the table values looked up for the serial digits
00457201 |> 8385 0CFFFFFF 04 ||add dword ptr [ebp-F4], 4 ; +4
00457208 |. 46 ||inc esi ; ESI + 1
00457209 |. 47 ||inc edi ; EDI + 1
0045720A |. 83FE 24 ||cmp esi, 24 ; loop condition: ESI < 0x24
0045720D |.^ 7C 9E |\jl short 004571AD ; inner loop
0045720F |. FF85 10FFFFFF |inc dword ptr [ebp-F0] ; counter + 1
00457215 |> 83BD 6CFFFFFF 00 cmp dword ptr [ebp-94], 0 ; check the second segment of the serial
0045721C |. 74 0B |je short 00457229 ; jump if it is 0
0045721E |. 8B85 6CFFFFFF |mov eax, [ebp-94]
00457224 |. 8B50 FC |mov edx, [eax-4] ; length of the second segment of the serial
00457227 |. EB 02 |jmp short 0045722B
00457229 |> 33D2 |xor edx, edx
0045722B |> 3B95 10FFFFFF |cmp edx, [ebp-F0] ; loop condition: [EBP-F0] < SN_1
00457231 |.^ 0F8D 59FFFFFF \jge 00457190 ; jump back and keep computing
00457237 |. 83BD 64FFFFFF 00 cmp dword ptr [ebp-9C], 0 ; [EBP-9C] holds the table lookup result; when the second segment is 1111 the result is 0x74747474
0045723E |. 74 0B je short 0045724B
00457240 |. 8B85 64FFFFFF mov eax, [ebp-9C]
00457246 |. 8B58 FC mov ebx, [eax-4]
00457249 |. EB 02 jmp short 0045724D
0045724B |> 33DB xor ebx, ebx
0045724D |> 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8
00457256 |. 83FB 08 cmp ebx, 8 ; first digit greater than 4
00457259 |. 7E 46 jle short 004572A1 ; jump not taken
0045725B |. 83FB 12 cmp ebx, 12 ; if the first digit is greater than 6
0045725E |. 7F 41 jg short 004572A1 ; jump
00457260 |. 83EB 08 sub ebx, 8 ;
00457263 |. 8D85 64FFFFFF lea eax, [ebp-9C]
00457269 |. 8BCB mov ecx, ebx
0045726B |. BA 01000000 mov edx, 1 ; EDX=1
00457270 |. E8 4FDE1700 call 005D50C4 ; take a substring, starting from the 2nd position
00457275 |. 8BD0 mov edx, eax
00457277 |. 8D85 64FFFFFF lea eax, [ebp-9C]
0045727D |. E8 7EDC1700 call 005D4F00
00457282 |. 8B85 64FFFFFF mov eax, [ebp-9C]
00457288 |. E8 AB5A1600 call 005BCD38 ; convert to hexadecimal
0045728D |. 83C3 07 add ebx, 7 ; EBX = EBX + 7, EBX = 9
00457290 |. 99 cdq ; sign-extend
00457291 |. F7FB idiv ebx ; /EBX
00457293 |. 0385 18FFFFFF add eax, [ebp-E8] ; /EBX+(T1[2]++T1[SN_1+1])
00457299 |. 8985 14FFFFFF mov [ebp-EC], eax ; save
0045729F |. EB 49 jmp short 004572EA ; computation done, jump
004572A1 |> 83FB 04 cmp ebx, 4 ; computation when the first serial digit is < 8
004572A4 |. 7C 44 jl short 004572EA
004572A6 |. 83FB 08 cmp ebx, 8
004572A9 |. 7F 3F jg short 004572EA
004572AB |. 83EB 04 sub ebx, 4
004572AE |. 8D85 64FFFFFF lea eax, [ebp-9C]
004572B4 |. 8BCB mov ecx, ebx
004572B6 |. BA 01000000 mov edx, 1
004572BB |. E8 04DE1700 call 005D50C4
004572C0 |. 8BD0 mov edx, eax
004572C2 |. 8D85 64FFFFFF lea eax, [ebp-9C]
004572C8 |. E8 33DC1700 call 005D4F00 ; take the last four characters
004572CD |. 8B85 64FFFFFF mov eax, [ebp-9C] ;
004572D3 |. E8 605A1600 call 005BCD38 ; convert to hexadecimal
004572D8 |. 83C3 02 add ebx, 2 ; EBX holds the first serial digit + 2
004572DB |. 99 cdq ; sign-extend, then divide
004572DC |. F7FB idiv ebx ; S/6
004572DE |. 0385 18FFFFFF add eax, [ebp-E8] ; S/6 + the sum of the T1 lookups
004572E4 |. 8985 14FFFFFF mov [ebp-EC], eax
004572EA |> 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 38
004572F3 |. 8D85 60FFFFFF lea eax, [ebp-A0] ;
004572F9 |. 8B95 14FFFFFF mov edx, [ebp-EC]
004572FF |. E8 50DA1700 call 005D4D54 ; convert the result computed above to decimal
---------------------------------
A section of code is omitted here
---------------------------------
00457399 |> 83BD 60FFFFFF 00 cmp dword ptr [ebp-A0], 0
004573A0 |. 74 0B |je short 004573AD
004573A2 |. 8B8D 60FFFFFF |mov ecx, [ebp-A0]
004573A8 |. 8B41 FC |mov eax, [ecx-4]
004573AB |. EB 02 |jmp short 004573AF
004573AD |> 33C0 |xor eax, eax
004573AF |> 83F8 09 |cmp eax, 9
004573B2 |.^ 0F8C 60FFFFFF \jl 00457318
004573B8 |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 50
004573C1 |. BA B51C5F00 mov edx, 005F1CB5
004573C6 |. 8D85 54FFFFFF lea eax, [ebp-AC]
004573CC |. E8 1FD81700 call 005D4BF0
004573D1 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
004573D7 |. 8D95 54FFFFFF lea edx, [ebp-AC]
004573DD |. 8D85 68FFFFFF lea eax, [ebp-98]
004573E3 |. E8 18DB1700 call 005D4F00
004573E8 |. FF8D 38FFFFFF dec dword ptr [ebp-C8]
004573EE |. 8D85 54FFFFFF lea eax, [ebp-AC]
004573F4 |. BA 02000000 mov edx, 2
004573F9 |. E8 D2DA1700 call 005D4ED0
004573FE |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8
00457407 |. BB 01000000 mov ebx, 1
0045740C |> 66:C785 2CFFFFFF >/mov word ptr [ebp-D4], 68
00457415 |. 33C0 |xor eax, eax
00457417 |. 8D95 50FFFFFF |lea edx, [ebp-B0]
0045741D |. 8985 50FFFFFF |mov [ebp-B0], eax
00457423 |. 52 |push edx ; /Arg1
00457424 |. FF85 38FFFFFF |inc dword ptr [ebp-C8] ; |
0045742A |. 8BD3 |mov edx, ebx ; |
0045742C |. 8D85 60FFFFFF |lea eax, [ebp-A0] ; |
00457432 |. B9 02000000 |mov ecx, 2 ; |
00457437 |. E8 04DE1700 |call 005D5240 ; \atani.005D5240
0045743C |. 8D85 50FFFFFF |lea eax, [ebp-B0] ; split the result computed above into groups of two digits
00457442 |. E8 DDDE1700 |call 005D5324 ; convert to hexadecimal
00457447 |. 8BF0 |mov esi, eax
00457449 |. FF8D 38FFFFFF |dec dword ptr [ebp-C8]
0045744F |. 8D85 50FFFFFF |lea eax, [ebp-B0]
00457455 |. BA 02000000 |mov edx, 2
0045745A |. E8 71DA1700 |call 005D4ED0
0045745F |. 66:C785 2CFFFFFF >|mov word ptr [ebp-D4], 5C
00457468 |. 83FE 24 |cmp esi, 24 ; compare with 0x24
0045746B 0F8D 84000000 jge 004574F5 ; if ESI is greater than 0x24, jump to the code below
00457471 |. 66:C785 2CFFFFFF >|mov word ptr [ebp-D4], 74
0045747A |. 8A9435 E8FEFFFF |mov dl, [ebp+esi-118] ; table lookup
00457481 |. 8D85 4CFFFFFF |lea eax, [ebp-B4] ; the table is 0123456789ABCDEFGHIJKLMNOPQRSTUVWXY
00457487 |. E8 34D81700 |call 005D4CC0
0045748C |. FF85 38FFFFFF |inc dword ptr [ebp-C8]
00457492 |. 8BD0 |mov edx, eax
00457494 |. 33C0 |xor eax, eax
00457496 |. 8D8D 48FFFFFF |lea ecx, [ebp-B8]
0045749C |. 8985 48FFFFFF |mov [ebp-B8], eax
004574A2 |. 8D85 68FFFFFF |lea eax, [ebp-98]
004574A8 |. FF85 38FFFFFF |inc dword ptr [ebp-C8]
004574AE |. E8 75DA1700 |call 005D4F28
004574B3 |. 8D95 48FFFFFF |lea edx, [ebp-B8]
004574B9 |. 8D85 68FFFFFF |lea eax, [ebp-98]
004574BF |. E8 3CDA1700 |call 005D4F00
004574C4 |. FF8D 38FFFFFF |dec dword ptr [ebp-C8]
004574CA |. 8D85 48FFFFFF |lea eax, [ebp-B8]
004574D0 |. BA 02000000 |mov edx, 2
004574D5 |. E8 F6D91700 |call 005D4ED0
004574DA |. FF8D 38FFFFFF |dec dword ptr [ebp-C8]
004574E0 |. 8D85 4CFFFFFF |lea eax, [ebp-B4]
004574E6 |. BA 02000000 |mov edx, 2
004574EB |. E8 E0D91700 |call 005D4ED0
004574F0 |. E9 92000000 |jmp 00457587
004574F5 |> 66:C785 2CFFFFFF >|mov word ptr [ebp-D4], 80
004574FE |. 33C9 |xor ecx, ecx
00457500 |. 8D85 44FFFFFF |lea eax, [ebp-BC]
00457506 |. 898D 44FFFFFF |mov [ebp-BC], ecx
0045750C |. 50 |push eax ; /Arg1
0045750D |. FF85 38FFFFFF |inc dword ptr [ebp-C8] ; |
00457513 |. 8D85 60FFFFFF |lea eax, [ebp-A0] ; |
00457519 |. B9 01000000 |mov ecx, 1 ; |
0045751E |. 8BD3 |mov edx, ebx ; |
00457520 |. E8 1BDD1700 |call 005D5240 ; \atani.005D5240
00457525 |. 8D95 44FFFFFF |lea edx, [ebp-BC]
0045752B |. 33C0 |xor eax, eax
0045752D |. 8985 40FFFFFF |mov [ebp-C0], eax
00457533 |. 8D8D 40FFFFFF |lea ecx, [ebp-C0]
00457539 |. FF85 38FFFFFF |inc dword ptr [ebp-C8]
0045753F |. 8D85 68FFFFFF |lea eax, [ebp-98]
00457545 |. E8 DED91700 |call 005D4F28
0045754A |. 8D95 40FFFFFF |lea edx, [ebp-C0]
00457550 |. 8D85 68FFFFFF |lea eax, [ebp-98]
00457556 |. E8 A5D91700 |call 005D4F00
0045755B |. FF8D 38FFFFFF |dec dword ptr [ebp-C8]
00457561 |. 8D85 40FFFFFF |lea eax, [ebp-C0]
00457567 |. BA 02000000 |mov edx, 2
0045756C |. E8 5FD91700 |call 005D4ED0
00457571 |. FF8D 38FFFFFF |dec dword ptr [ebp-C8]
00457577 |. 8D85 44FFFFFF |lea eax, [ebp-BC]
0045757D |. BA 02000000 |mov edx, 2
00457582 |. E8 49D91700 |call 005D4ED0
00457587 |> 66:C785 2CFFFFFF >|mov word ptr [ebp-D4], 8
00457590 |. 83C3 02 |add ebx, 2 ; EBX increases by 2 each iteration
00457593 |. 83FB 09 |cmp ebx, 9 ; continue while less than 9, so the table is consulted 4 times
00457596 |.^ 0F8C 70FEFFFF \jl 0045740C ; < 9, jump back and keep computing
0045759C |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8C
004575A5 |. 8D95 68FFFFFF lea edx, [ebp-98]
004575AB |. 8B45 08 mov eax, [ebp+8]
004575AE |. E8 4DD91700 call 005D4F00
004575B3 |. 8B45 08 mov eax, [ebp+8]
004575B6 |. BA 02000000 mov edx, 2
004575BB |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 98
004575C4 |. 50 push eax
004575C5 |. 8D85 60FFFFFF lea eax, [ebp-A0]
004575CB |. FF8D 38FFFFFF dec dword ptr [ebp-C8]
004575D1 |. E8 FAD81700 call 005D4ED0
004575D6 |. FF8D 38FFFFFF dec dword ptr [ebp-C8]
004575DC |. 8D85 64FFFFFF lea eax, [ebp-9C]
004575E2 |. BA 02000000 mov edx, 2
004575E7 |. E8 E4D81700 call 005D4ED0
004575EC |. FF8D 38FFFFFF dec dword ptr [ebp-C8]
004575F2 |. 8D85 68FFFFFF lea eax, [ebp-98]
004575F8 |. BA 02000000 mov edx, 2
004575FD |. E8 CED81700 call 005D4ED0
00457602 |. FF8D 38FFFFFF dec dword ptr [ebp-C8]
00457608 |. 8D85 6CFFFFFF lea eax, [ebp-94]
0045760E |. BA 02000000 mov edx, 2
00457613 |. E8 B8D81700 call 005D4ED0
00457618 |. 8385 38FFFFFF DC add dword ptr [ebp-C8], -24
0045761F |. 68 D04E5D00 push 005D4ED0 ; /Arg5 = 005D4ED0
00457624 |. 6A 03 push 3 ; |Arg4 = 00000003
00457626 |. 6A 24 push 24 ; |Arg3 = 00000024
00457628 |. 6A 04 push 4 ; |Arg2 = 00000004
0045762A |. 8D8D 70FFFFFF lea ecx, [ebp-90] ; |
00457630 |. 51 push ecx ; |Arg1
00457631 |. E8 36FE1600 call 005C746C ; \atani.005C746C
00457636 |. 83C4 14 add esp, 14
00457639 |. 58 pop eax
0045763A |. 66:C785 2CFFFFFF >mov word ptr [ebp-D4], 8C
00457643 |. FF85 38FFFFFF inc dword ptr [ebp-C8]
00457649 |. 8B95 1CFFFFFF mov edx, [ebp-E4]
0045764F |. 64:8915 00000000 mov fs:[0], edx
00457656 |. 5F pop edi
00457657 |. 5E pop esi
00457658 |. 5B pop ebx
00457659 |. 8BE5 mov esp, ebp
0045765B |. 5D pop ebp
0045765C \. C3 retn
--------------------------------------------------------------------------------
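【Summary】
Algorithm summary:
(1) The program uses three tables, denoted T1, T2 and T3.
T1[] = {0x3233C1C, 0x2568005, 0x534C840, 0x5E2635B,
0x16E3B35, 0x20C0463, 0x295FE40, 0x33ED42E,
0x4FBF23F, 0x245E91D};
T2[] = {0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x50,
0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59};
T3[] = {0x87, 0x74, 0x90, 0x39, 0x64, 0x53, 0x97, 0x99, 0x56, 0x72, 0x30, 0x24,
0x41, 0x15, 0x69, 0x92, 0x85, 0x98, 0x55, 0x19, 0x57, 0x23, 0x32, 0x21, 0x27,
0x35, 0x44, 0x42, 0x14, 0x11, 0x43, 0x80, 0x84, 0x33, 0x25, 0x10};
(2) The serial can be split into three segments: the first segment is one digit, the second depends on the first, and the third is computed from the second.
(3) The first digit of the serial must be greater than or equal to 4;
(4) The value of the first digit is the number of following serial digits that are taken;
Example: if the first digit is 5, the next 5 digits are taken, say 12345
(5) Looking up the second segment of the serial in table T1 gives 0x3233C1C, 0x2568005, 0x534C840, 0x5E2635B,
0x16E3B35; looking it up in table T3 gives 0x87, 0x74, 0x90, 0x39, 0x64;
(6) The T3 lookup results are combined into one number, 0x8774903964
The rest of the computation depends on the first digit:
(7) If the first digit is 4, take the last two digits of the second segment, divide by 6, add the quotient to the sum of the T1 lookup results, and convert to decimal;
(8) If it is 5, take digits 2-5 of the T3 lookup result, convert to hexadecimal, divide by 9, add the quotient to the sum of the T1 lookup results, and convert to decimal;
(9) In all other cases, convert directly to decimal;
(10) From the decimal results above, two digits are taken at a time, looping 4 times; if the value taken is greater than 0x24, its quotient by 10 is used; if it is less than 0x24, it is used as an index into table T2
Note: 0x24 is decimal 36, which is exactly the size of T2.
(11) Combining the three segments above gives the serial
Working serials: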
40004IPQI
500005P464
512345T375
--------------------------------------------------------------------------------
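【Copyright】: This article was originally published on the Kanxue technical forum (看雪技术论坛). Please credit the author and keep the article intact when reposting. Thank you!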
2006年05月10日 23:17:58