【Write-up title】 System Commander 8 algorithm analysis
【Author】 daxia2002
【Author e-mail】 daxia2002@126.com
【Tools used】 PEiD, OllyDbg, IDA
【Platform】 Win2000/XP
【Software name】 System Commander 8
【Download address】
http://www.v-com.com
【Software description】 Features: System Commander provides a number of unique capabilities:
OS Wizard determines the best configuration for a new OS and prepares your system for the new OS.
Management of over 100 different operating systems in primary and logical partitions, the ability to boot from CDs, floppy drives A and B, or through specific master boot records. Management of up to 32 different FAT/FAT32 compatible operating systems in a single primary partition, including different DOS versions, Windows 95/98/Me, Windows NT/2000/XP/2003, and OS/2.
Optional security protection against unauthorized system use prevents hard disk access and booting from floppy disks.
Automatically saves and maintains system files and critical configuration files for each OS such as CONFIG.SYS, AUTOEXEC.BAT, BOOT.INI, and others.
Boot sector virus protection checks for infections on every boot with instant replacement of the infected boot sector and system files.
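【Software size】 9.53MB
【Protection】 None.
【Purpose】 To study the software's algorithm
【Statement】 I am just a beginner who has picked up a few insights and would like to share them with everyone :)
【Content】
Launch the installer and enter user name "dx", company name "ml", and a serial number: the first field is fixed, greyed-out text "SC8", presumably short for System Commander 8; in the second field enter "111111" (the program helpfully limits the length to 6 characters); in the third enter "2222222" (likewise limited to 7 characters); in the fourth enter "3333" (again limited to 4 characters). Click the "Next" button and the message "The Serila is incorrect.please reenter it." appears, just as expected, heh.
Now start OllyDbg and choose "File" -> "Attach". In the attach window select the process whose window name is "System Commander" and click the "Attach" button. OllyDbg is now attached and has paused in system space; right-click in the code window -> "View" -> "console" to switch to the program's own code, then press F9 to run.
Set a breakpoint with bp MessageBoxA, re-enter the fake serial "SC8-111111-2222222-3333" and click "Next". OllyDbg breaks; as usual, press ALT+K to open the call stack window:
Call stack
Address Stack Procedure / arguments Called from Frame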
0012E9B4 004461CF USER32.MessageBoxA console.004461C9 0012EAE8
0012E9B8 000C04CE hOwner = 000C04CE ('Customer Information',class='#32770',paren
0012E9BC 00A34170 Text = "The serial number is incorrect. Please re-enter it."
0012E9C0 00A32490 Title = "System Commander"
0012E9C4 00000030 Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0012EAEC 00446220 Maybe console.00446117 console.0044621A 0012EAE8
0012EAF0 00A34170 Arg1 = 00A34170 ASCII "The serial number is incorrect. Please
0012EAF4 00000030 Arg2 = 00000030
0012EAF8 0000EF5F Arg3 = 0000EF5F
0012EB00 00446270 console.004461FE console.0044626B 0012EAFC
0012EB04 00A34170 Arg1 = 00A34170 ASCII "The serial number is incorrect. Please
0012EB08 00000030 Arg2 = 00000030
0012EB0C 0000EF5F Arg3 = 0000EF5F
0012EB28 0042211E console.00446236 console.00422119 0012EB24
0012EB2C 0000EF5F Arg1 = 0000EF5F
0012EB30 00000030 Arg2 = 00000030
0012EB34 FFFFFFFF Arg3 = FFFFFFFF
The call stack conveniently shows that the call came from console.00422119; double-click to jump to 00422119:
0042207A > /8A10 mov dl,byte ptr ds:[eax]
0042207C . |8A1E mov bl,byte ptr ds:[esi]
0042207E . |8ACA mov cl,dl
00422080 . |3AD3 cmp dl,bl
00422082 . |75 1E jnz short console.004220A2
00422084 . |84C9 test cl,cl
00422086 . |74 16 je short console.0042209E
00422088 . |8A50 01 mov dl,byte ptr ds:[eax+1]
0042208B . |8A5E 01 mov bl,byte ptr ds:[esi+1]
0042208E . |8ACA mov cl,dl
00422090 . |3AD3 cmp dl,bl
00422092 . |75 0E jnz short console.004220A2
00422094 . |83C0 02 add eax,2
00422097 . |83C6 02 add esi,2
0042209A . |84C9 test cl,cl
0042209C .^\75 DC jnz short console.0042207A
0042209E > 33C0 xor eax,eax
004220A0 . EB 05 jmp short console.004220A7
004220A2 > 1BC0 sbb eax,eax
004220A4 . 83D8 FF sbb eax,-1
004220A7 > 85C0 test eax,eax
004220A9 . 74 7C je short console.00422127
004220AB . 8D7424 70 lea esi,dword ptr ss:[esp+70]
004220AF . 8D4424 14 lea eax,dword ptr ss:[esp+14]
004220B3 > 8A10 mov dl,byte ptr ds:[eax]
004220B5 . 8A1E mov bl,byte ptr ds:[esi]
004220B7 . 8ACA mov cl,dl
004220B9 . 3AD3 cmp dl,bl
004220BB . 75 1E jnz short console.004220DB
004220BD . 84C9 test cl,cl
004220BF . 74 16 je short console.004220D7
004220C1 . 8A50 01 mov dl,byte ptr ds:[eax+1]
004220C4 . 8A5E 01 mov bl,byte ptr ds:[esi+1]
004220C7 . 8ACA mov cl,dl
004220C9 . 3AD3 cmp dl,bl
004220CB . 75 0E jnz short console.004220DB
004220CD . 83C0 02 add eax,2
004220D0 . 83C6 02 add esi,2
004220D3 . 84C9 test cl,cl
004220D5 .^ 75 DC jnz short console.004220B3
004220D7 > 33C0 xor eax,eax
004220D9 . EB 05 jmp short console.004220E0
004220DB > 1BC0 sbb eax,eax
004220DD . 83D8 FF sbb eax,-1
004220E0 > 85C0 test eax,eax
004220E2 . 74 43 je short console.00422127
004220E4 . 8B7424 20 mov esi,dword ptr ss:[esp+20]
004220E8 . 68 60C44600 push console.0046C460
004220ED . 8BCE mov ecx,esi
004220EF . E8 6CD30100 call console.0043F460
004220F4 . 8B4C24 28 mov ecx,dword ptr ss:[esp+28]
004220F8 . 68 60C44600 push console.0046C460
004220FD . E8 5ED30100 call console.0043F460
00422102 . 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
00422106 . 68 60C44600 push console.0046C460
0042210B . E8 50D30100 call console.0043F460
00422110 . 6A FF push -1
00422112 . 6A 30 push 30
00422114 . 68 5FEF0000 push 0EF5F
00422119 . E8 18410200 call console.00446236 //we land here; looking upward, it is easy to see that the check is made at 004220E0, so the program can be patched there.
0042211E . 8BCE mov ecx,esi
00422120 . E8 8AD40100 call console.0043F5AF
00422125 . EB 2C jmp short console.00422153
We unpack the installer directly with WinRAR and let IDA analyze the program console.exe, then jump to the start of the procedure above, 00421dc0:
.text:00421DC0 6A FF push 0FFFFFFFFh
.text:00421DC2 68 C6 37 45 00 push offset loc_4537C6
.text:00421DC7 64 A1 00 00 00 00 mov eax, large fs:0
.text:00421DCD 50 push eax
.text:00421DCE 64 89 25 00 00 00+mov large fs:0, esp
.text:00421DD5 81 EC 90 00 00 00 sub esp, 90h
.text:00421DDB A1 00 8F 46 00 mov eax, off_468F00
.text:00421DE0 53 push ebx
.text:00421DE1 55 push ebp
.text:00421DE2 56 push esi
.text:00421DE3 8B E9 mov ebp, ecx
.text:00421DE5 89 44 24 10 mov [esp+10h], eax
.text:00421DE9 C7 84 24 A4 00 00+mov dword ptr [esp+0A4h], 0
.text:00421DF4 89 44 24 0C mov [esp+0Ch], eax
.text:00421DF8 C6 84 24 A4 00 00+mov byte ptr [esp+0A4h], 1
.text:00421E00 E8 A9 BE 02 00 call ?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ ; AfxGetModuleState(void)
.text:00421E05 8B 58 04 mov ebx, [eax+4]
.text:00421E08 6A 01 push 1
.text:00421E0A 8B CD mov ecx, ebp
.text:00421E0C E8 1B CA 01 00 call sub_43E82C
.text:00421E11 8D 44 24 10 lea eax, [esp+10h]
.text:00421E15 8B CD mov ecx, ebp
.text:00421E17 50 push eax
.text:00421E18 68 FA 03 00 00 push 3FAh
.text:00421E1D E8 93 B3 01 00 call sub_43D1B5 //get the entered user name
.text:00421E22 8D 4C 24 0C lea ecx, [esp+0Ch]
.text:00421E26 51 push ecx
.text:00421E27 68 FB 03 00 00 push 3FBh
.text:00421E2C 8B CD mov ecx, ebp
.text:00421E2E E8 82 B3 01 00 call sub_43D1B5 //get the entered company name
.text:00421E33 8B 54 24 10 mov edx, [esp+10h]
.text:00421E37 68 60 C4 46 00 push offset ValueName
.text:00421E3C 52 push edx
.text:00421E3D E8 37 95 00 00 call __mbscmp //check whether the entered user name is empty
.text:00421E42 83 C4 08 add esp, 8
.text:00421E45 85 C0 test eax, eax
.text:00421E47 75 15 jnz short loc_421E5E //not empty: jump to 421E5E and continue
.text:00421E49 6A FF push 0FFFFFFFFh
.text:00421E4B 6A 30 push 30h
.text:00421E4D 68 62 EF 00 00 push 0EF62h
.text:00421E52 E8 DF 43 02 00 call sub_446236
.text:00421E57 68 FA 03 00 00 push 3FAh
.text:00421E5C EB 29 jmp short loc_421E87
.text:00421E5E ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00421E5E
.text:00421E5E loc_421E5E: ; CODE XREF: .text:00421E47j
.text:00421E5E 8B 54 24 0C mov edx, [esp+0Ch]
.text:00421E62 68 60 C4 46 00 push offset ValueName
.text:00421E67 52 push edx
.text:00421E68 E8 0C 95 00 00 call __mbscmp //check whether the entered company name is empty
.text:00421E6D 83 C4 08 add esp, 8
.text:00421E70 85 C0 test eax, eax
.text:00421E72 75 31 jnz short loc_421EA5 //not empty: jump to 421EA5 and continue
.text:00421E74 6A FF push 0FFFFFFFFh
.text:00421E76 6A 30 push 30h
.text:00421E78 68 60 EF 00 00 push 0EF60h
.text:00421E7D E8 B4 43 02 00 call sub_446236
.text:00421E82 68 FB 03 00 00 push 3FBh
.text:00421E87
.text:00421E87 loc_421E87: ; CODE XREF: .text:00421E5Cj
.text:00421E87 8B CD mov ecx, ebp
.text:00421E89 E8 4A D4 01 00 call sub_43F2D8
.text:00421E8E 8B 40 1C mov eax, [eax+1Ch]
.text:00421E91 8B 4D 1C mov ecx, [ebp+1Ch]
.text:00421E94 6A 01 push 1
.text:00421E96 50 push eax
.text:00421E97 6A 28 push 28h
.text:00421E99 51 push ecx
.text:00421E9A FF 15 C4 55 45 00 call ds:SendMessageA
.text:00421EA0 E9 AE 02 00 00 jmp loc_422153
.text:00421EA5 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00421EA5
.text:00421EA5 loc_421EA5: ; CODE XREF: .text:00421E72j
.text:00421EA5 57 push edi
.text:00421EA6 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421EAA 6A 1E push 1Eh
.text:00421EAC 52 push edx //memory address for storing the first serial field, "SC8"
.text:00421EAD 8D 8D FC 00 00 00 lea ecx, [ebp+0FCh]
.text:00421EB3 E8 CF D5 01 00 call sub_43F487 //get the contents of the first serial field, here "SC8"
.text:00421EB8 8D 44 24 5C lea eax, [esp+5Ch]
.text:00421EBC 8D 8D 38 01 00 00 lea ecx, [ebp+138h]
.text:00421EC2 6A 0A push 0Ah
.text:00421EC4 50 push eax //memory address for storing the second serial field, "111111"
.text:00421EC5 89 4C 24 2C mov [esp+2Ch], ecx
.text:00421EC9 E8 B9 D5 01 00 call sub_43F487 //get the contents of the second serial field, here "111111"
.text:00421ECE 8D 54 24 68 lea edx, [esp+68h]
.text:00421ED2 8D 8D 74 01 00 00 lea ecx, [ebp+174h]
.text:00421ED8 6A 0A push 0Ah
.text:00421EDA 52 push edx //memory address for storing the third serial field, "2222222"
.text:00421EDB 89 4C 24 34 mov [esp+34h], ecx
.text:00421EDF E8 A3 D5 01 00 call sub_43F487 //get the contents of the third serial field, here "2222222"
.text:00421EE4 8D 44 24 18 lea eax, [esp+18h]
.text:00421EE8 8D 8D C0 00 00 00 lea ecx, [ebp+0C0h]
.text:00421EEE 6A 0A push 0Ah
.text:00421EF0 50 push eax //memory address for storing the fourth serial field, "3333"
.text:00421EF1 89 4C 24 30 mov [esp+30h], ecx
.text:00421EF5 E8 8D D5 01 00 call sub_43F487 //get the contents of the fourth serial field, here "3333"
.text:00421EFA 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421EFD BF 38 86 46 00 mov edi, offset asc_468638 ; "-"
.text:00421F02 33 C0 xor eax, eax
.text:00421F04 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F08 F2 AE repne scasb
.text:00421F0A F7 D1 not ecx
.text:00421F0C 2B F9 sub edi, ecx
.text:00421F0E 8B F7 mov esi, edi
.text:00421F10 8B FA mov edi, edx
.text:00421F12 8B D1 mov edx, ecx
.text:00421F14 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F17 F2 AE repne scasb
.text:00421F19 8B CA mov ecx, edx
.text:00421F1B 4F dec edi
.text:00421F1C C1 E9 02 shr ecx, 2
.text:00421F1F F3 A5 rep movsd
.text:00421F21 8B CA mov ecx, edx
.text:00421F23 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F27 83 E1 03 and ecx, 3
.text:00421F2A F3 A4 rep movsb
.text:00421F2C 8D 7C 24 5C lea edi, [esp+5Ch]
.text:00421F30 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F33 F2 AE repne scasb
.text:00421F35 F7 D1 not ecx
.text:00421F37 2B F9 sub edi, ecx
.text:00421F39 8B F7 mov esi, edi
.text:00421F3B 8B FA mov edi, edx
.text:00421F3D 8B D1 mov edx, ecx
.text:00421F3F 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F42 F2 AE repne scasb
.text:00421F44 8B CA mov ecx, edx
.text:00421F46 4F dec edi
.text:00421F47 C1 E9 02 shr ecx, 2
.text:00421F4A F3 A5 rep movsd
.text:00421F4C 8B CA mov ecx, edx
.text:00421F4E 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F52 83 E1 03 and ecx, 3
.text:00421F55 F3 A4 rep movsb
.text:00421F57 BF 38 86 46 00 mov edi, offset asc_468638 ; "-"
.text:00421F5C 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F5F F2 AE repne scasb
.text:00421F61 F7 D1 not ecx
.text:00421F63 2B F9 sub edi, ecx
.text:00421F65 8B F7 mov esi, edi
.text:00421F67 8B FA mov edi, edx
.text:00421F69 8B D1 mov edx, ecx
.text:00421F6B 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F6E F2 AE repne scasb
.text:00421F70 8B CA mov ecx, edx
.text:00421F72 4F dec edi
.text:00421F73 C1 E9 02 shr ecx, 2
.text:00421F76 F3 A5 rep movsd
.text:00421F78 8B CA mov ecx, edx
.text:00421F7A 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F7E 83 E1 03 and ecx, 3
.text:00421F81 F3 A4 rep movsb
.text:00421F83 8D 7C 24 68 lea edi, [esp+68h]
.text:00421F87 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F8A F2 AE repne scasb
.text:00421F8C F7 D1 not ecx
.text:00421F8E 2B F9 sub edi, ecx
.text:00421F90 8B F7 mov esi, edi
.text:00421F92 8B FA mov edi, edx
.text:00421F94 8B D1 mov edx, ecx
.text:00421F96 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F99 F2 AE repne scasb
.text:00421F9B 8B CA mov ecx, edx
.text:00421F9D 4F dec edi
.text:00421F9E C1 E9 02 shr ecx, 2
.text:00421FA1 F3 A5 rep movsd
.text:00421FA3 8B CA mov ecx, edx
.text:00421FA5 8D 94 24 80 00 00+lea edx, [esp+80h]
.text:00421FAC 83 E1 03 and ecx, 3
.text:00421FAF F3 A4 rep movsb
.text:00421FB1 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421FB4 8D 7C 24 3C lea edi, [esp+3Ch]
.text:00421FB8 F2 AE repne scasb
.text:00421FBA F7 D1 not ecx
.text:00421FBC 2B F9 sub edi, ecx
.text:00421FBE 8B C1 mov eax, ecx
.text:00421FC0 8B F7 mov esi, edi
.text:00421FC2 C1 E9 02 shr ecx, 2
.text:00421FC5 8B FA mov edi, edx
.text:00421FC7 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421FCB F3 A5 rep movsd
.text:00421FCD 8B C8 mov ecx, eax
.text:00421FCF 33 C0 xor eax, eax
.text:00421FD1 83 E1 03 and ecx, 3
.text:00421FD4 F3 A4 rep movsb
.text:00421FD6 BF 38 86 46 00 mov edi, offset asc_468638 ; "-"
.text:00421FDB 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421FDE F2 AE repne scasb
.text:00421FE0 F7 D1 not ecx
.text:00421FE2 2B F9 sub edi, ecx
.text:00421FE4 8B F7 mov esi, edi
.text:00421FE6 8B FA mov edi, edx
.text:00421FE8 8B D1 mov edx, ecx
.text:00421FEA 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421FED F2 AE repne scasb
.text:00421FEF 8B CA mov ecx, edx
.text:00421FF1 4F dec edi
.text:00421FF2 C1 E9 02 shr ecx, 2
.text:00421FF5 F3 A5 rep movsd
.text:00421FF7 8B CA mov ecx, edx
.text:00421FF9 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421FFD 83 E1 03 and ecx, 3
.text:00422000 F3 A4 rep movsb
.text:00422002 8D 7C 24 18 lea edi, [esp+18h]
.text:00422006 83 C9 FF or ecx, 0FFFFFFFFh
.text:00422009 F2 AE repne scasb
.text:0042200B F7 D1 not ecx
.text:0042200D 2B F9 sub edi, ecx
.text:0042200F 8B F7 mov esi, edi
.text:00422011 8B FA mov edi, edx
.text:00422013 8B D1 mov edx, ecx
.text:00422015 83 C9 FF or ecx, 0FFFFFFFFh
.text:00422018 F2 AE repne scasb
.text:0042201A 8B CA mov ecx, edx
.text:0042201C 4F dec edi
.text:0042201D C1 E9 02 shr ecx, 2
.text:00422020 F3 A5 rep movsd
.text:00422022 8B CA mov ecx, edx
.text:00422024 8D 44 24 74 lea eax, [esp+74h]
.text:00422028 83 E1 03 and ecx, 3
.text:0042202B 50 push eax
.text:0042202C F3 A4 rep movsb
//the code above concatenates serial fields 1, 2 and 3 into "SC8-111111-2222222"
.text:0042202E 8D 4C 24 34 lea ecx, [esp+34h]
.text:00422032 8D 94 24 84 00 00+lea edx, [esp+84h] //edx points to "SC8-111111-2222222"
.text:00422039 51 push ecx
.text:0042203A 52 push edx
.text:0042203B 8B CD mov ecx, ebp
.text:0042203D E8 9E FC FF FF call sub_421CE0 //the key call; step into it
{
sub_421CE0 proc near ; CODE XREF: .text:0042203Dp
.text:00421CE0
.text:00421CE0 var_48= byte ptr -48h
.text:00421CE0 var_18= dword ptr -18h
.text:00421CE0 arg_0= dword ptr 4
.text:00421CE0 arg_4= dword ptr 8
.text:00421CE0 arg_8= dword ptr 0Ch
.text:00421CE0
.text:00421CE0 83 EC 18 sub esp, 18h
.text:00421CE3 B9 06 00 00 00 mov ecx, 6
.text:00421CE8 53 push ebx
.text:00421CE9 8B 5C 24 20 mov ebx, [esp+1Ch+arg_0] //ebx points to the input argument "SC8-111111-2222222"
.text:00421CED 56 push esi
.text:00421CEE 57 push edi
.text:00421CEF BE 20 86 46 00 mov esi, offset aRhtlmwyaefXjpk ; "RHTLMWYAEF XJPKCG"
//esi points to the string table "RHTLMWYAEF XJPKCG"
.text:00421CF4 8D 7C 24 0C lea edi, [esp+24h+var_18]
.text:00421CF8 F3 A5 rep movsd
.text:00421CFA 53 push ebx ; char * //push ebx, which points to "SC8-111111-2222222", onto the stack
.text:00421CFB E8 21 82 01 00 call __strupr //convert "SC8-111111-2222222" to upper case
.text:00421D00 8B FB mov edi, ebx
.text:00421D02 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421D05 33 C0 xor eax, eax
.text:00421D07 83 C4 04 add esp, 4
.text:00421D0A F2 AE repne scasb
.text:00421D0C F7 D1 not ecx
.text:00421D0E 49 dec ecx
.text:00421D0F BE 01 00 00 00 mov esi, 1 //esi=1
.text:00421D14 8B F9 mov edi, ecx //edi = length of "SC8-111111-2222222"
.text:00421D16 0F 84 8F 00 00 00 jz loc_421DAB
.text:00421D1C 33 D2 xor edx, edx
.text:00421D1E 85 FF test edi, edi
.text:00421D20 7E 2F jle short loc_421D51 //if the length is 0, skip the loop
.text:00421D22 55 push ebp
.text:00421D23
.text:00421D23 loc_421D23: ; CODE XREF: sub_421CE0+6Ej
.text:00421D23 8A 03 mov al, [ebx] //al = the i-th character that ebx points to
.text:00421D25 8B CA mov ecx, edx //ecx = edx (0 on the first pass)
.text:00421D27 81 E1 07 00 00 80 and ecx, 80000007h //ecx=ecx and 80000007h
.text:00421D2D 79 05 jns short loc_421D34 //if ecx is non-negative, jump to loc_421D34
.text:00421D2F 49 dec ecx //otherwise ecx--
.text:00421D30 83 C9 F8 or ecx, 0FFFFFFF8h //ecx=ecx or 0FFFFFFF8h
.text:00421D33 41 inc ecx //ecx++
.text:00421D34
.text:00421D34 loc_421D34: ; CODE XREF: sub_421CE0+4Dj
.text:00421D34 66 0F BE E8 movsx bp, al //bp=al
.text:00421D38 D3 E5 shl ebp, cl //ebp = ebp shifted left by cl bits
.text:00421D3A 33 F5 xor esi, ebp //esi=esi xor ebp
.text:00421D3C A8 01 test al, 1
.text:00421D3E 74 04 jz short loc_421D44 //if (al and 1) is 0, jump to loc_421D44
.text:00421D40 03 F6 add esi, esi //otherwise esi=esi+esi
.text:00421D42 EB 06 jmp short loc_421D4A
.text:00421D44 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00421D44
.text:00421D44 loc_421D44: ; CODE XREF: sub_421CE0+5Ej
.text:00421D44 81 F6 AD DE 00 00 xor esi, 0DEADh //esi=esi xor 0DEADh
.text:00421D4A
.text:00421D4A loc_421D4A: ; CODE XREF: sub_421CE0+62j
.text:00421D4A 43 inc ebx //ebx++
.text:00421D4B 42 inc edx //edx++
.text:00421D4C 3B D7 cmp edx, edi //compare edx with edi (the length of "SC8-111111-2222222")
.text:00421D4E 7C D3 jl short loc_421D23 //if less, continue the loop
.text:00421D50 5D pop ebp
.text:00421D51
.text:00421D51 loc_421D51: ; CODE XREF: sub_421CE0+40j
.text:00421D51 8B 7C 24 2C mov edi, [esp+24h+arg_4]
.text:00421D55 81 E6 FF FF 00 00 and esi, 0FFFFh //esi=esi and 0FFFFh (esi holds the intermediate result of the loop above)
.text:00421D5B 56 push esi //push esi onto the stack
.text:00421D5C 68 18 86 46 00 push offset a04x ; "%04X"
.text:00421D61 57 push edi
.text:00421D62 E8 8D 8C 00 00 call _sprintf //format esi as a 4-digit hexadecimal string, stored at [edi]="AFE3"
.text:00421D67 83 C4 0C add esp, 0Ch
.text:00421D6A 81 F6 D1 BA 00 00 xor esi, 0BAD1h //esi=esi xor 0BAD1h
.text:00421D70 56 push esi //push esi onto the stack
.text:00421D71 8B 74 24 34 mov esi, [esp+28h+arg_8]
.text:00421D75 68 18 86 46 00 push offset a04x ; "%04X"
.text:00421D7A 56 push esi
.text:00421D7B E8 74 8C 00 00 call _sprintf //format esi as a 4-digit hexadecimal string, stored at [esi]="1532"
.text:00421D80 83 C4 0C add esp, 0Ch
.text:00421D83 33 C0 xor eax, eax //eax=0
.text:00421D85
.text:00421D85 loc_421D85: ; CODE XREF: sub_421CE0+B5j
.text:00421D85 0F BE 0C 38 movsx ecx, byte ptr [eax+edi] //ecx = the i-th character of [edi]
.text:00421D89 40 inc eax //eax++
.text:00421D8A 8A 54 0C DC mov dl, [esp+ecx+24h+var_48] //fetch the corresponding character from the string table "RHTLMWYAEF XJPKCG"
.text:00421D8E 83 F8 04 cmp eax, 4 //check whether processing is finished
.text:00421D91 88 54 38 FF mov [eax+edi-1], dl //store the fetched character back
.text:00421D95 7C EE jl short loc_421D85 //loop; when finished, [edi]="XGCL"
.text:00421D97 33 C0 xor eax, eax
.text:00421D99
.text:00421D99 loc_421D99: ; CODE XREF: sub_421CE0+C9j
.text:00421D99 0F BE 0C 30 movsx ecx, byte ptr [eax+esi] //ecx = the i-th character of [esi]
.text:00421D9D 40 inc eax
.text:00421D9E 8A 54 0C DC mov dl, [esp+ecx+24h+var_48] //fetch the corresponding character from the string table "RHTLMWYAEF XJPKCG"
.text:00421DA2 83 F8 04 cmp eax, 4 //check whether processing is finished
.text:00421DA5 88 54 30 FF mov [eax+esi-1], dl //store the fetched character back
.text:00421DA9 7C EE jl short loc_421D99 //loop; when finished, [esi]="HWLT"
.text:00421DAB
.text:00421DAB loc_421DAB: ; CODE XREF: sub_421CE0+36j
.text:00421DAB 5F pop edi
.text:00421DAC 5E pop esi
.text:00421DAD 5B pop ebx
.text:00421DAE 83 C4 18 add esp, 18h
.text:00421DB1 C2 0C 00 retn 0Ch
.text:00421DB1 sub_421CE0 endp
}
.text:00422042 8B 83 39 01 00 00 mov eax, [ebx+139h]
.text:00422048 85 C0 test eax, eax
.text:0042204A 74 25 jz short loc_422071
.text:0042204C 8D 7C 24 30 lea edi, [esp+30h]
.text:00422050 83 C9 FF or ecx, 0FFFFFFFFh
.text:00422053 33 C0 xor eax, eax
.text:00422055 8D 54 24 18 lea edx, [esp+18h]
.text:00422059 F2 AE repne scasb
.text:0042205B F7 D1 not ecx
.text:0042205D 2B F9 sub edi, ecx
.text:0042205F 8B C1 mov eax, ecx
.text:00422061 8B F7 mov esi, edi
.text:00422063 8B FA mov edi, edx
.text:00422065 C1 E9 02 shr ecx, 2
.text:00422068 F3 A5 rep movsd
.text:0042206A 8B C8 mov ecx, eax
.text:0042206C 83 E1 03 and ecx, 3
.text:0042206F F3 A4 rep movsb
.text:00422071
.text:00422071 loc_422071: ; CODE XREF: .text:0042204Aj
.text:00422071 8D 74 24 30 lea esi, [esp+30h] //esi points to "XGCL"
.text:00422075 8D 44 24 18 lea eax, [esp+18h] //eax points to "3333"
.text:00422079 5F pop edi
.text:0042207A
.text:0042207A loc_42207A: ; CODE XREF: .text:0042209Cj
.text:0042207A 8A 10 mov dl, [eax] //dl = 1st character of "3333"
.text:0042207C 8A 1E mov bl, [esi] //bl = 1st character of "XGCL"
.text:0042207E 8A CA mov cl, dl //cl=dl
.text:00422080 3A D3 cmp dl, bl //compare dl with bl
.text:00422082 75 1E jnz short loc_4220A2 //not equal: stop
.text:00422084 84 C9 test cl, cl //test whether cl is 0
.text:00422086 74 16 jz short loc_42209E //if 0, stop
.text:00422088 8A 50 01 mov dl, [eax+1] //dl = 2nd character of "3333"
.text:0042208B 8A 5E 01 mov bl, [esi+1] //bl = 2nd character of "XGCL"
.text:0042208E 8A CA mov cl, dl
.text:00422090 3A D3 cmp dl, bl //compare dl with bl
.text:00422092 75 0E jnz short loc_4220A2
.text:00422094 83 C0 02 add eax, 2
.text:00422097 83 C6 02 add esi, 2
.text:0042209A 84 C9 test cl, cl //test whether cl is 0
.text:0042209C 75 DC jnz short loc_42207A //if not 0, jump back and compare the next 2 characters
.text:0042209E
.text:0042209E loc_42209E: ; CODE XREF: .text:00422086j
.text:0042209E 33 C0 xor eax, eax //when everything is equal, execution arrives here from 00422086; eax=0
.text:004220A0 EB 05 jmp short loc_4220A7
.text:004220A2 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:004220A2
.text:004220A2 loc_4220A2: ; CODE XREF: .text:00422082j
.text:004220A2 ; .text:00422092j
.text:004220A2 1B C0 sbb eax, eax
.text:004220A4 83 D8 FF sbb eax, 0FFFFFFFFh
.text:004220A7
.text:004220A7 loc_4220A7: ; CODE XREF: .text:004220A0j
.text:004220A7 85 C0 test eax, eax
.text:004220A9 74 7C jz short loc_422127 //jump to loc_422127
.text:004220AB 8D 74 24 70 lea esi, [esp+70h]
.text:004220AF 8D 44 24 14 lea eax, [esp+14h]
.text:004220B3
.text:004220B3 loc_4220B3: ; CODE XREF: .text:004220D5j
.text:004220B3 8A 10 mov dl, [eax]
.text:004220B5 8A 1E mov bl, [esi]
.text:004220B7 8A CA mov cl, dl
.text:004220B9 3A D3 cmp dl, bl
.text:004220BB 75 1E jnz short loc_4220DB
.text:004220BD 84 C9 test cl, cl
.text:004220BF 74 16 jz short loc_4220D7
.text:004220C1 8A 50 01 mov dl, [eax+1]
.text:004220C4 8A 5E 01 mov bl, [esi+1]
.text:004220C7 8A CA mov cl, dl
.text:004220C9 3A D3 cmp dl, bl
.text:004220CB 75 0E jnz short loc_4220DB
.text:004220CD 83 C0 02 add eax, 2
.text:004220D0 83 C6 02 add esi, 2
.text:004220D3 84 C9 test cl, cl
.text:004220D5 75 DC jnz short loc_4220B3
.text:004220D7
.text:004220D7 loc_4220D7: ; CODE XREF: .text:004220BFj
.text:004220D7 33 C0 xor eax, eax
.text:004220D9 EB 05 jmp short loc_4220E0
.text:004220DB ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:004220DB
.text:004220DB loc_4220DB: ; CODE XREF: .text:004220BBj
.text:004220DB ; .text:004220CBj
.text:004220DB 1B C0 sbb eax, eax
.text:004220DD 83 D8 FF sbb eax, 0FFFFFFFFh
.text:004220E0
.text:004220E0 loc_4220E0: ; CODE XREF: .text:004220D9j
.text:004220E0 85 C0 test eax, eax
.text:004220E2 74 43 jz short loc_422127
.text:004220E4 8B 74 24 20 mov esi, [esp+20h]
.text:004220E8 68 60 C4 46 00 push offset ValueName
.text:004220ED 8B CE mov ecx, esi
.text:004220EF E8 6C D3 01 00 call sub_43F460
.text:004220F4 8B 4C 24 28 mov ecx, [esp+28h]
.text:004220F8 68 60 C4 46 00 push offset ValueName
.text:004220FD E8 5E D3 01 00 call sub_43F460
.text:00422102 8B 4C 24 24 mov ecx, [esp+24h]
.text:00422106 68 60 C4 46 00 push offset ValueName
.text:0042210B E8 50 D3 01 00 call sub_43F460
.text:00422110 6A FF push 0FFFFFFFFh
.text:00422112 6A 30 push 30h
.text:00422114 68 5F EF 00 00 push 0EF5Fh
.text:00422119 E8 18 41 02 00 call sub_446236
.text:0042211E 8B CE mov ecx, esi
.text:00422120 E8 8A D4 01 00 call sub_43F5AF
.text:00422125 EB 2C jmp short loc_422153
.text:00422127 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00422127
.text:00422127 loc_422127: ; CODE XREF: .text:004220A9j
.text:00422127 ; .text:004220E2j
.text:00422127 8D 44 24 7C lea eax, [esp+7Ch]
.text:0042212B 8D 8D B4 00 00 00 lea ecx, [ebp+0B4h]
.text:00422131 50 push eax
.text:00422132 E8 AC E6 01 00 call ??4CString@@QAEABV0@PBD@Z ; CString::operator=(char const *)
.text:00422137 8D 4C 24 14 lea ecx, [esp+14h]
.text:0042213B 51 push ecx
.text:0042213C 8D 8D B8 00 00 00 lea ecx, [ebp+0B8h]
.text:00422142 E8 9C E6 01 00 call ??4CString@@QAEABV0@PBD@Z ; CString::operator=(char const *)
.text:00422147 68 1F 04 00 00 push 41Fh
.text:0042214C 8B CD mov ecx, ebp
.text:0042214E E8 3B E0 01 00 call sub_44018E
.text:00422153
.text:00422153 loc_422153: ; CODE XREF: .text:00421EA0j
.text:00422153 ; .text:00422125j
.text:00422153 8D 4C 24 0C lea ecx, [esp+0Ch]
.text:00422157 C6 84 24 A4 00 00+mov byte ptr [esp+0A4h], 0
.text:0042215F E8 42 E5 01 00 call sub_4406A6
.text:00422164 8D 4C 24 10 lea ecx, [esp+10h]
.text:00422168 C7 84 24 A4 00 00+mov dword ptr [esp+0A4h], 0FFFFFFFFh
.text:00422173 E8 2E E5 01 00 call sub_4406A6
.text:00422178 8B 8C 24 9C 00 00+mov ecx, [esp+9Ch]
.text:0042217F 5E pop esi
.text:00422180 5D pop ebp
.text:00422181 5B pop ebx
.text:00422182 64 89 0D 00 00 00+mov large fs:0, ecx
.text:00422189 81 C4 9C 00 00 00 add esp, 9Ch
.text:0042218F C3 retn
I won't write a keygen; one working serial is "SC8-111111-2222222-XGCL".
Writing this up was tiring; thank you for patiently reading to the end.
daxia2002, 2004-7-17