[原创]Sweeet Dream 1.0 CrackMe算法分析-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]Sweeet Dream 1.0 CrackMe算法分析

发表于: 2006-8-27 07:31 5550

[原创]Sweeet Dream 1.0 CrackMe算法分析

网游难民

2006-8-27 07:31

5550

【文章标题】: Sweeet Dream 1.0 CrackMe算法分析
【文章作者】: 网游难民
【作者主页】: bbs.chinapyg.com
【软件名称】: Sweeet Dream 1.0 CrackMe
【软件大小】: 180 KB
【下载地址】: 本地下载
【加壳方式】: ASPACK2层，UPX1层
【保护方式】: ASPACK2层，UPX1层，注册码
【编写语言】: Borland Delphi 4.0 - 5.0
【使用工具】: PEID,OD
【操作平台】: win xp
【软件介绍】: 好麻烦的crackme,累死偶拉：）
【作者声明】: 菜鸟分析了下算法，如有失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  一。脱壳，ASPACK2层，UPX1层，三次ESP定律搞定，我就不细说了~
  二。用DEDE找到下断处，OD载入，下断，输入用户名注册码，F9运行~

  00456F00  /$  55          PUSH EBP                            ;断在这里~
  00456F01  |.  8BEC       MOV EBP,ESP
  00456F03  |.  83C4 A8    ADD ESP,-58
  00456F06  |.  53          PUSH EBX
  00456F07  |.  56          PUSH ESI
  00456F08  |.  57          PUSH EDI
  00456F09  |.  33C0       XOR EAX,EAX
  00456F0B  |.  8945 D0    MOV DWORD PTR SS:[EBP-30],EAX
  00456F0E  |.  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
  00456F11  |.  8945 B0    MOV DWORD PTR SS:[EBP-50],EAX
  00456F14  |.  8945 AC    MOV DWORD PTR SS:[EBP-54],EAX
  00456F17  |.  8945 A8    MOV DWORD PTR SS:[EBP-58],EAX
  00456F1A  |.  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
  00456F1D  |.  8945 F8    MOV DWORD PTR SS:[EBP-8],EAX
  00456F20  |.  8945 F4    MOV DWORD PTR SS:[EBP-C],EAX
  00456F23  |.  33C0       XOR EAX,EAX
  00456F25  |.  55          PUSH EBP
  00456F26  |.  68 18734500 PUSH 576EC.00457318
  00456F2B  |.  64:FF30    PUSH DWORD PTR FS:[EAX]
  00456F2E  |.  64:8920    MOV DWORD PTR FS:[EAX],ESP
  00456F31  |.  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
  00456F34  |.  E8 FBC8FAFF CALL 576EC.00403834
  00456F39  |.  8D45 F4    LEA EAX,DWORD PTR SS:[EBP-C]
  00456F3C  |.  E8 F3C8FAFF CALL 576EC.00403834
  00456F41  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  00456F46  |.  05 F8020000 ADD EAX,2F8
  00456F4B  |.  E8 E4C8FAFF CALL 576EC.00403834
  00456F50  |.  BB 01000000 MOV EBX,1
  00456F55  |.  BE 1B000000 MOV ESI,1B
  00456F5A  |.  EB 21       JMP SHORT 576EC.00456F7D
  00456F5C  |>  8D55 D4    /LEA EDX,DWORD PTR SS:[EBP-2C]
  00456F5F  |.  A1 34A84500 |MOV EAX,DWORD PTR DS:[45A834]
  00456F64  |.  8B80 C4020000 |MOV EAX,DWORD PTR DS:[EAX+2C4]
  00456F6A  |.  E8 B5DAFCFF |CALL 576EC.00424A24
  00456F6F  |.  8B45 D4    |MOV EAX,DWORD PTR SS:[EBP-2C]
  00456F72  |.  0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]    ;  用户名ASCII码
  00456F77  |.  03F0       |ADD ESI,EAX
  00456F79  |.  43          |INC EBX
  00456F7A  |.  0FAFF3       |IMUL ESI,EBX
  00456F7D  |>  8D55 D4       LEA EDX,DWORD PTR SS:[EBP-2C]
  00456F80  |.  A1 34A84500 |MOV EAX,DWORD PTR DS:[45A834]
  00456F85  |.  8B80 C4020000 |MOV EAX,DWORD PTR DS:[EAX+2C4]
  00456F8B  |.  E8 94DAFCFF |CALL 576EC.00424A24
  00456F90  |.  8B45 D4    |MOV EAX,DWORD PTR SS:[EBP-2C]          ;  用户名放入EAX
  00456F93  |.  E8 18CBFAFF |CALL 576EC.00403AB0                   ;  用户名位数
  00456F98  |.  3BD8       |CMP EBX,EAX
  00456F9A  |.^ 7C C0       \JL SHORT 576EC.00456F5C                ;  循环，把结果级为A
  这个循环取（用户名第一位ASCII码+1B）*2，然后取（上次计算的结果+用户名第二位ASCII玛）*3，依次类推，最后一为用户名没有参与运算，所的结果的低8位记为A。
  高8位没有用处，就不统计，下面的运算如果没有特别指名，都指结果的低8位。
  00456F9C  |.  BF 1A000000 MOV EDI,1A
  00456FA1  |.  BB 01000000 MOV EBX,1
  00456FA6  |.  EB 1E       JMP SHORT 576EC.00456FC6
  00456FA8  |>  8D55 D4    /LEA EDX,DWORD PTR SS:[EBP-2C]
  00456FAB  |.  A1 34A84500 |MOV EAX,DWORD PTR DS:[45A834]
  00456FB0  |.  8B80 D0020000 |MOV EAX,DWORD PTR DS:[EAX+2D0]
  00456FB6  |.  E8 69DAFCFF |CALL 576EC.00424A24
  00456FBB  |.  8B45 D4    |MOV EAX,DWORD PTR SS:[EBP-2C]
  00456FBE  |.  0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
  00456FC3  |.  03F8       |ADD EDI,EAX
  00456FC5  |.  43          |INC EBX
  00456FC6  |>  8D55 D4       LEA EDX,DWORD PTR SS:[EBP-2C]
  00456FC9  |.  A1 34A84500 |MOV EAX,DWORD PTR DS:[45A834]
  00456FCE  |.  8B80 D0020000 |MOV EAX,DWORD PTR DS:[EAX+2D0]
  00456FD4  |.  E8 4BDAFCFF |CALL 576EC.00424A24
  00456FD9  |.  8B45 D4    |MOV EAX,DWORD PTR SS:[EBP-2C]          ;  机器码放入EAX
  00456FDC  |.  E8 CFCAFAFF |CALL 576EC.00403AB0
  00456FE1  |.  3BD8       |CMP EBX,EAX
  00456FE3  |.^ 7C C3       \JL SHORT 576EC.00456FA8                ;  循环，得到B
  这个循环是1A+机器码的ASCII和，结果记为B
  00456FE5  |.  B9 01000000 MOV ECX,1                               ;  ECX置1
  00456FEA  |.  BB 01000000 MOV EBX,1                               ;  EBX置1
  00456FEF  |.  8BC7       MOV EAX,EDI
  00456FF1  |.  F7EE       IMUL ESI                               ;  B*A，低8位结果记为C。
  00456FF3  |.  99          CDQ
  00456FF4  |.  8945 E8    MOV DWORD PTR SS:[EBP-18],EAX
  00456FF7  |.  8955 EC    MOV DWORD PTR SS:[EBP-14],EDX
  00456FFA  |.  8BC6       MOV EAX,ESI
  00456FFC  |.  99          CDQ
  00456FFD  |.  2345 E8    AND EAX,DWORD PTR SS:[EBP-18]          ;  A与C逻辑与运算,结果记为D
  00457000  |.  2355 EC    AND EDX,DWORD PTR SS:[EBP-14]
  00457003  |.  8945 E8    MOV DWORD PTR SS:[EBP-18],EAX
  00457006  |.  8955 EC    MOV DWORD PTR SS:[EBP-14],EDX
  00457009  |.  81F9 93300000 CMP ECX,3093
  0045700F  |.  7D 15       JGE SHORT 576EC.00457026
  00457011  |>  83C1 16    /ADD ECX,16
  00457014  |.  83E9 15    |SUB ECX,15
  00457017  |.  43          |INC EBX
  00457018  |.  83C1 04    |ADD ECX,4
  0045701B  |.  83E9 03    |SUB ECX,3
  0045701E  |.  81F9 93300000 |CMP ECX,3093
  00457024  |.^ 7C EB       \JL SHORT 576EC.00457011
  00457026  |>  81FB 4A180000 CMP EBX,184A
  0045702C  |.  0F85 AE020000 JNZ 576EC.004572E0
  00457032  |.  8BC7       MOV EAX,EDI                            ;  B放入A中
  00457034  |.  99          CDQ
  00457035  |.  0345 E8    ADD EAX,DWORD PTR SS:[EBP-18]          ;  D与B相加，结果记为E
  00457038  |.  1355 EC    ADC EDX,DWORD PTR SS:[EBP-14]
  0045703B  |.  8945 E0    MOV DWORD PTR SS:[EBP-20],EAX
  0045703E  |.  8955 E4    MOV DWORD PTR SS:[EBP-1C],EDX
  00457041  |.  FF75 EC    PUSH DWORD PTR SS:[EBP-14]
  00457044  |.  FF75 E8    PUSH DWORD PTR SS:[EBP-18]             ;  D入栈
  00457047  |.  8BC7       MOV EAX,EDI                            ;  B放入EAX
  00457049  |.  99          CDQ
  0045704A  |.  E8 E1E6FAFF CALL 576EC.00405730                   ;  B与D想乘，结果记为F。
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  跟进上面CALL：
  00405731 50             PUSH EAX
  00405732 8B4424 10    MOV EAX,DWORD PTR SS:[ESP+10]
  00405736 F72424       MUL DWORD PTR SS:[ESP]
  00405739 8BC8          MOV ECX,EAX
  0040573B 8B4424 04    MOV EAX,DWORD PTR SS:[ESP+4]
  0040573F F76424 0C    MUL DWORD PTR SS:[ESP+C]
  00405743 03C8          ADD ECX,EAX
  00405745 8B0424       MOV EAX,DWORD PTR SS:[ESP]             ; B放入EAX
  00405748 F76424 0C    MUL DWORD PTR SS:[ESP+C]                ; B*D
  0040574C 03D1          ADD EDX,ECX
  0040574E 59             POP ECX
  0040574F 59             POP ECX
  00405750 C2 0800       RETN 8

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  0045704F  |.  52          PUSH EDX
  00457050  |.  50          PUSH EAX
  00457051  |.  8BC6       MOV EAX,ESI                            ;  A放入EAX
  00457053  |.  99          CDQ
  00457054  |.  E8 D7E6FAFF CALL 576EC.00405730                   ;  得到G，H
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  00405730 52             PUSH EDX
  00405731 50             PUSH EAX
  00405732 8B4424 10    MOV EAX,DWORD PTR SS:[ESP+10]
  00405736 F72424       MUL DWORD PTR SS:[ESP]
  00405739 8BC8          MOV ECX,EAX
  0040573B 8B4424 04    MOV EAX,DWORD PTR SS:[ESP+4]
  0040573F F76424 0C    MUL DWORD PTR SS:[ESP+C]
  00405743 03C8          ADD ECX,EAX
  00405745 8B0424       MOV EAX,DWORD PTR SS:[ESP]             ; A放入EAX
  00405748 F76424 0C    MUL DWORD PTR SS:[ESP+C]                ; A*D，低8位记为G，高8位记为H。
  0040574C 03D1          ADD EDX,ECX
  0040574E 59             POP ECX
  0040574F 59             POP ECX
  00405750 C2 0800       RETN 8
  00405753 52             PUSH EDX
  00405754 50             PUSH EAX
  00405755 8B4424 10    MOV EAX,DWORD PTR SS:[ESP+10]
  00405759 F72424       MUL DWORD PTR SS:[ESP]
  0040575C 8BC8          MOV ECX,EAX
  0040575E 8B4424 04    MOV EAX,DWORD PTR SS:[ESP+4]
  00405762 F76424 0C    MUL DWORD PTR SS:[ESP+C]
  00405766 03C8          ADD ECX,EAX
  00405768 8B0424       MOV EAX,DWORD PTR SS:[ESP]
  0040576B F76424 0C    MUL DWORD PTR SS:[ESP+C]
  0040576F 03D1          ADD EDX,ECX
  00405771 59             POP ECX
  00405772 59             POP ECX
  00405773 C2 0800       RETN 8

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=

  00457059  |.  52          PUSH EDX                               ;  H入栈
  0045705A  |.  50          PUSH EAX                               ;  G入栈
  0045705B  |.  8BC6       MOV EAX,ESI                            ;  A放入EAX
  0045705D  |.  99          CDQ
  0045705E  |.  0B0424       OR EAX,DWORD PTR SS:[ESP]             ;  A与G逻辑或运算，结果记为I。
  00457061  |.  0B5424 04    OR EDX,DWORD PTR SS:[ESP+4]             ;  G还保存在EDX中
  00457065  |.  83C4 08    ADD ESP,8
  00457068  |.  8945 E0    MOV DWORD PTR SS:[EBP-20],EAX
  0045706B  |.  8955 E4    MOV DWORD PTR SS:[EBP-1C],EDX
  0045706E  |.  FF75 E4    PUSH DWORD PTR SS:[EBP-1C]
  00457071  |.  FF75 E0    PUSH DWORD PTR SS:[EBP-20]
  00457074  |.  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
  00457077  |.  E8 FC07FBFF CALL 576EC.00407878                   ;  最关键，也是最麻烦的CALL，这里将得出真码的第二列，在后面详细解释~
  0045707C  |.  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]          ;  第二列真码放入EAX
  0045707F  |.  8A00       MOV AL,BYTE PTR DS:[EAX]
  00457081  |.  3C 2D       CMP AL,2D
  00457083  |.  75 17       JNZ SHORT 576EC.0045709C
  00457085  |.  6A FF       PUSH -1
  00457087  |.  6A FF       PUSH -1
  00457089  |.  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
  0045708C  |.  8B55 E4    MOV EDX,DWORD PTR SS:[EBP-1C]
  0045708F  |.  E8 9CE6FAFF CALL 576EC.00405730
  00457094  |.  8945 D8    MOV DWORD PTR SS:[EBP-28],EAX
  00457097  |.  8955 DC    MOV DWORD PTR SS:[EBP-24],EDX
  0045709A  |.  EB 15       JMP SHORT 576EC.004570B1
  0045709C  |>  6A 00       PUSH 0
  0045709E  |.  6A 01       PUSH 1
  004570A0  |.  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]          ;  I放入EAX
  004570A3  |.  8B55 E4    MOV EDX,DWORD PTR SS:[EBP-1C]          ;  H放入EDX
  004570A6  |.  E8 85E6FAFF CALL 576EC.00405730
  004570AB  |.  8945 D8    MOV DWORD PTR SS:[EBP-28],EAX
  004570AE  |.  8955 DC    MOV DWORD PTR SS:[EBP-24],EDX
  004570B1  |>  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
  004570B4  |.  E8 7BC7FAFF CALL 576EC.00403834
  004570B9  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  004570BE  |.  05 F4020000 ADD EAX,2F4
  004570C3  |.  E8 6CC7FAFF CALL 576EC.00403834
  004570C8  |.  FF75 DC    PUSH DWORD PTR SS:[EBP-24]
  004570CB  |.  FF75 D8    PUSH DWORD PTR SS:[EBP-28]
  004570CE  |.  8D45 D0    LEA EAX,DWORD PTR SS:[EBP-30]
  004570D1  |.  E8 A207FBFF CALL 576EC.00407878                   ;  第二列真码
  004570D6  |.  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
  004570D9  |.  E8 D2C9FAFF CALL 576EC.00403AB0
  004570DE  |.  8BD8       MOV EBX,EAX                            ;  求出第二列真码长度
  004570E0  |.  8D4D F4    LEA ECX,DWORD PTR SS:[EBP-C]
  004570E3  |.  BA 03000000 MOV EDX,3
  004570E8  |.  8BC3       MOV EAX,EBX
  004570EA  |.  E8 BD07FBFF CALL 576EC.004078AC
  004570EF  |.  FF75 DC    PUSH DWORD PTR SS:[EBP-24]
  004570F2  |.  FF75 D8    PUSH DWORD PTR SS:[EBP-28]
  004570F5  |.  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
  004570F8  |.  E8 7B07FBFF CALL 576EC.00407878
  004570FD  |.  8D45 CC    LEA EAX,DWORD PTR SS:[EBP-34]
  00457100  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  第二列真码首地址放入EDX
  00457103  |.  8A52 02    MOV DL,BYTE PTR DS:[EDX+2]             ;  第二列真码第三位-1
  00457106  |.  8850 01    MOV BYTE PTR DS:[EAX+1],DL
  00457109  |.  C600 01    MOV BYTE PTR DS:[EAX],1
  0045710C  |.  8D55 CC    LEA EDX,DWORD PTR SS:[EBP-34]
  0045710F  |.  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
  00457112  |.  E8 49B7FAFF CALL 576EC.00402860
  00457117  |.  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
  0045711A  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  第二列真码首地址放入EDX
  0045711D  |.  8A12       MOV DL,BYTE PTR DS:[EDX]                ;  第二列真码第一位-2
  0045711F  |.  8850 01    MOV BYTE PTR DS:[EAX+1],DL
  00457122  |.  C600 01    MOV BYTE PTR DS:[EAX],1
  00457125  |.  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
  00457128  |.  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
  0045712B  |.  B1 02       MOV CL,2
  0045712D  |.  E8 FEB6FAFF CALL 576EC.00402830
  00457132  |.  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
  00457135  |.  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
  00457138  |.  E8 23B7FAFF CALL 576EC.00402860
  0045713D  |.  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
  00457140  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;第二列真码首地址放入EDX
  00457143  |.  8A52 01    MOV DL,BYTE PTR DS:[EDX+1]             ;第二列真码第二位-3
  00457146  |.  8850 01    MOV BYTE PTR DS:[EAX+1],DL
  00457149  |.  C600 01    MOV BYTE PTR DS:[EAX],1
  0045714C  |.  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
  0045714F  |.  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
  00457152  |.  B1 03       MOV CL,3
  00457154  |.  E8 D7B6FAFF CALL 576EC.00402830
  00457159  |.  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
  0045715C  |.  8D45 B8    LEA EAX,DWORD PTR SS:[EBP-48]
  0045715F  |.  E8 FCB6FAFF CALL 576EC.00402860
  00457164  |.  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
  00457167  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  第二列真码首地址放入EDX
  0045716A  |.  8A52 02    MOV DL,BYTE PTR DS:[EDX+2]             ;  第二列真码第三位-4
  0045716D  |.  8850 01    MOV BYTE PTR DS:[EAX+1],DL
  00457170  |.  C600 01    MOV BYTE PTR DS:[EAX],1
  00457173  |.  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
  00457176  |.  8D45 B8    LEA EAX,DWORD PTR SS:[EBP-48]
  00457179  |.  B1 04       MOV CL,4
  0045717B  |.  E8 B0B6FAFF CALL 576EC.00402830
  00457180  |.  8D55 B8    LEA EDX,DWORD PTR SS:[EBP-48]          ;  前四位出来了~
  00457183  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  00457188  |.  05 F4020000 ADD EAX,2F4
  0045718D  |.  E8 C2C8FAFF CALL 576EC.00403A54
  00457192  |.  8D55 D4    LEA EDX,DWORD PTR SS:[EBP-2C]
  00457195  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  0045719A  |.  8B80 C4020000 MOV EAX,DWORD PTR DS:[EAX+2C4]
  004571A0  |.  E8 7FD8FCFF CALL 576EC.00424A24
  004571A5  |.  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]          ;  注册名放入EAX
  004571A8  |.  8D55 F8    LEA EDX,DWORD PTR SS:[EBP-8]
  004571AB  |.  E8 A003FBFF CALL 576EC.00407550
  004571B0  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  004571B5  |.  FFB0 F4020000 PUSH DWORD PTR DS:[EAX+2F4]
  004571BB  |.  8D45 D0    LEA EAX,DWORD PTR SS:[EBP-30]
  004571BE  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名字母大写，首地址放入EDX
  004571C1  |.  8A52 03    MOV DL,BYTE PTR DS:[EDX+3]             ;  注册名第四位-5
  004571C4  |.  E8 0FC8FAFF CALL 576EC.004039D8
  004571C9  |.  FF75 D0    PUSH DWORD PTR SS:[EBP-30]
  004571CC  |.  8D45 B4    LEA EAX,DWORD PTR SS:[EBP-4C]
  004571CF  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名字母大写，首地址放入EDX
  004571D2  |.  8A52 01    MOV DL,BYTE PTR DS:[EDX+1]             ;  注册名第二位-6
  004571D5  |.  E8 FEC7FAFF CALL 576EC.004039D8
  004571DA  |.  FF75 B4    PUSH DWORD PTR SS:[EBP-4C]
  004571DD  |.  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
  004571E0  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名字母大写，首地址放入EDX
  004571E3  |.  8A52 04    MOV DL,BYTE PTR DS:[EDX+4]             ;  注册名第五位-7
  004571E6  |.  E8 EDC7FAFF CALL 576EC.004039D8
  004571EB  |.  FF75 B0    PUSH DWORD PTR SS:[EBP-50]
  004571EE  |.  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
  004571F1  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名字母大写，首地址放入EDX
  004571F4  |.  8A12       MOV DL,BYTE PTR DS:[EDX]                ;  注册名第一位-8
  004571F6  |.  E8 DDC7FAFF CALL 576EC.004039D8
  004571FB  |.  FF75 AC    PUSH DWORD PTR SS:[EBP-54]
  004571FE  |.  8D45 A8    LEA EAX,DWORD PTR SS:[EBP-58]
  00457201  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名字母大写，首地址放入EDX
  00457204  |.  8A52 02    MOV DL,BYTE PTR DS:[EDX+2]             ;  注册名第三位-9
  前面标-1.-2....-9取的几个数构成真码的第一列。
  00457207  |.  E8 CCC7FAFF CALL 576EC.004039D8
  0045720C  |.  FF75 A8    PUSH DWORD PTR SS:[EBP-58]
  0045720F  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  00457214  |.  05 F4020000 ADD EAX,2F4
  00457219  |.  BA 06000000 MOV EDX,6
  0045721E  |.  E8 4DC9FAFF CALL 576EC.00403B70
  00457223  |.  8D55 D4    LEA EDX,DWORD PTR SS:[EBP-2C]
  00457226  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  0045722B  |.  8B80 C4020000 MOV EAX,DWORD PTR DS:[EAX+2C4]
  00457231  |.  E8 EED7FCFF CALL 576EC.00424A24
  00457236  |.  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]          ;  注册名恢复小写
  00457239  |.  8D55 F8    LEA EDX,DWORD PTR SS:[EBP-8]
  0045723C  |.  E8 4B03FBFF CALL 576EC.0040758C
  00457241  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  00457246  |.  FFB0 F4020000 PUSH DWORD PTR DS:[EAX+2F4]             ;  第一列真码全部出现
  0045724C  |.  68 34734500 PUSH 576EC.00457334                   ;  -
  00457251  |.  FF75 DC    PUSH DWORD PTR SS:[EBP-24]
  00457254  |.  FF75 D8    PUSH DWORD PTR SS:[EBP-28]
  00457257  |.  8D45 D0    LEA EAX,DWORD PTR SS:[EBP-30]
  0045725A  |.  E8 1906FBFF CALL 576EC.00407878
  0045725F  |.  FF75 D0    PUSH DWORD PTR SS:[EBP-30]             ;  第二列注册码入栈
  00457262  |.  68 34734500 PUSH 576EC.00457334                   ;  -
  00457267  |.  8D45 B4    LEA EAX,DWORD PTR SS:[EBP-4C]
  0045726A  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名首地址放入EDX
  0045726D  |.  8A52 02    MOV DL,BYTE PTR DS:[EDX+2]             ;  注册名第三位-1
  00457270  |.  E8 63C7FAFF CALL 576EC.004039D8
  00457275  |.  FF75 B4    PUSH DWORD PTR SS:[EBP-4C]
  00457278  |.  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
  0045727B  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名首地址放入EDX
  0045727E  |.  8A12       MOV DL,BYTE PTR DS:[EDX]                ;  注册名第一位-2
  00457280  |.  E8 53C7FAFF CALL 576EC.004039D8
  00457285  |.  FF75 B0    PUSH DWORD PTR SS:[EBP-50]
  00457288  |.  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
  0045728B  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名首地址放入EDX
  0045728E  |.  8A52 03    MOV DL,BYTE PTR DS:[EDX+3]             ;  注册名第四位-3
  00457291  |.  E8 42C7FAFF CALL 576EC.004039D8
  00457296  |.  FF75 AC    PUSH DWORD PTR SS:[EBP-54]
  00457299  |.  8D45 A8    LEA EAX,DWORD PTR SS:[EBP-58]
  0045729C  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]          ;  注册名首地址放入EDX
  0045729F  |.  8A52 01    MOV DL,BYTE PTR DS:[EDX+1]             ;  注册名第二位-4
  004572A2  |.  E8 31C7FAFF CALL 576EC.004039D8
  004572A7  |.  FF75 A8    PUSH DWORD PTR SS:[EBP-58]
  004572AA  |.  FF75 F4    PUSH DWORD PTR SS:[EBP-C]             ;  取三位数的第二列真码长度-5
  004572AD  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  004572B2  |.  05 F4020000 ADD EAX,2F4
  004572B7  |.  BA 09000000 MOV EDX,9
  004572BC  |.  E8 AFC8FAFF CALL 576EC.00403B70
  004572C1  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
  004572C6  |.  8B90 F4020000 MOV EDX,DWORD PTR DS:[EAX+2F4]
  004572CC  |.  A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]          ;  前面所求的已经连接起来了~~
  004572D1  |.  05 F8020000 ADD EAX,2F8
  004572D6  |.  B9 40734500 MOV ECX,576EC.00457340                ;  Z8，固定值，注册码的最后两位，和上面的数连起来构成全部真码
  004572DB  |.  E8 1CC8FAFF CALL 576EC.00403AFC
  004572E0  |>  33C0       XOR EAX,EAX
  004572E2  |.  5A          POP EDX
  004572E3  |.  59          POP ECX
  004572E4  |.  59          POP ECX
  004572E5  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
  004572E8  |.  68 1F734500 PUSH 576EC.0045731F
  004572ED  |>  8D45 A8    LEA EAX,DWORD PTR SS:[EBP-58]
  004572F0  |.  BA 04000000 MOV EDX,4
  004572F5  |.  E8 5EC5FAFF CALL 576EC.00403858
  004572FA  |.  8D45 D0    LEA EAX,DWORD PTR SS:[EBP-30]
  004572FD  |.  E8 32C5FAFF CALL 576EC.00403834
  00457302  |.  8D45 D4    LEA EAX,DWORD PTR SS:[EBP-2C]
  00457305  |.  E8 2AC5FAFF CALL 576EC.00403834
  0045730A  |.  8D45 F4    LEA EAX,DWORD PTR SS:[EBP-C]
  0045730D  |.  BA 02000000 MOV EDX,2
  00457312  |.  E8 41C5FAFF CALL 576EC.00403858
  00457317  \.  C3          RETN
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  求第二列真码的关键CALL：
  00407878 55             PUSH EBP
  00407879 8BEC          MOV EBP,ESP
  0040787B 83C4 F8       ADD ESP,-8
  0040787E 6A 00          PUSH 0
  00407880 8D55 08       LEA EDX,DWORD PTR SS:[EBP+8]
  00407883 8955 F8       MOV DWORD PTR SS:[EBP-8],EDX
  00407886 C645 FC 10    MOV BYTE PTR SS:[EBP-4],10
  0040788A 8D4D F8       LEA ECX,DWORD PTR SS:[EBP-8]
  0040788D BA A8784000    MOV EDX,576EC.004078A8                ; %d
  00407892 E8 6D0A0000    CALL 576EC.00408304                   ; 求出注册码，关键CALL-1，跟进。
  00407897 59             POP ECX
  00407898 59             POP ECX
  00407899 5D             POP EBP
  0040789A C2 0800       RETN 8
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  关键CALL-1：
  00408304 55             PUSH EBP
  00408305 8BEC          MOV EBP,ESP
  00408307 81C4 04F0FFFF ADD ESP,-0FFC
  0040830D 50             PUSH EAX
  0040830E 83C4 F4       ADD ESP,-0C
  00408311 53             PUSH EBX
  00408312 56             PUSH ESI
  00408313 894D F8       MOV DWORD PTR SS:[EBP-8],ECX
  00408316 8955 FC       MOV DWORD PTR SS:[EBP-4],EDX
  00408319 8BF0          MOV ESI,EAX
  0040831B BB 02100000    MOV EBX,1002
  00408320 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
  00408323 E8 88B7FFFF    CALL 576EC.00403AB0
  00408328 8BD3          MOV EDX,EBX
  0040832A 85D2          TEST EDX,EDX
  0040832C 79 03          JNS SHORT 576EC.00408331
  0040832E 83C2 03       ADD EDX,3
  00408331 C1FA 02       SAR EDX,2
  00408334 8BCB          MOV ECX,EBX
  00408336 2BCA          SUB ECX,EDX
  00408338 3BC1          CMP EAX,ECX
  0040833A 7D 24          JGE SHORT 576EC.00408360
  0040833C 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]          ; (初始 cpu 选择)
  0040833F E8 6CB7FFFF    CALL 576EC.00403AB0                   ; 进过
  00408344 50             PUSH EAX
  00408345 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
  00408348 50             PUSH EAX
  00408349 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
  0040834C 50             PUSH EAX
  0040834D 8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
  00408350 8BD3          MOV EDX,EBX
  00408352 4A             DEC EDX
  00408353 8D85 F6EFFFFF LEA EAX,DWORD PTR SS:[EBP-100A]
  00408359 E8 32FBFFFF    CALL 576EC.00407E90                   ; 关键CALL-2，跟进。
  0040835E EB 0C          JMP SHORT 576EC.0040836C
  00408360 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
  00408363 E8 48B7FFFF    CALL 576EC.00403AB0
  00408368 8BD8          MOV EBX,EAX
  0040836A 8BC3          MOV EAX,EBX
  0040836C 8BD3          MOV EDX,EBX
  0040836E 4A             DEC EDX
  0040836F 3BC2          CMP EAX,EDX
  00408371 7C 43          JL SHORT 576EC.004083B6
  00408373 EB 30          JMP SHORT 576EC.004083A5
  00408375 03DB          ADD EBX,EBX
  00408377 8BC6          MOV EAX,ESI
  00408379 E8 B6B4FFFF    CALL 576EC.00403834
  0040837E 8BC6          MOV EAX,ESI
  00408380 8BD3          MOV EDX,EBX
  00408382 E8 FDB9FFFF    CALL 576EC.00403D84
  00408387 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
  0040838A E8 21B7FFFF    CALL 576EC.00403AB0
  0040838F 50             PUSH EAX
  00408390 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
  00408393 50             PUSH EAX
  00408394 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
  00408397 50             PUSH EAX
  00408398 8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
  0040839B 8BD3          MOV EDX,EBX
  0040839D 4A             DEC EDX
  0040839E 8B06          MOV EAX,DWORD PTR DS:[ESI]
  004083A0 E8 EBFAFFFF    CALL 576EC.00407E90
  004083A5 8BD3          MOV EDX,EBX
  004083A7 4A             DEC EDX
  004083A8 3BC2          CMP EAX,EDX
  004083AA  ^ 7D C9          JGE SHORT 576EC.00408375
  004083AC 8BD6          MOV EDX,ESI
  004083AE 92             XCHG EAX,EDX
  004083AF E8 D0B9FFFF    CALL 576EC.00403D84
  004083B4 EB 0E          JMP SHORT 576EC.004083C4
  004083B6 8D95 F6EFFFFF LEA EDX,DWORD PTR SS:[EBP-100A]
  004083BE 91             XCHG EAX,ECX
  004083BF E8 54B5FFFF    CALL 576EC.00403918
  004083C4 5E             POP ESI
  004083C5 5B             POP EBX
  004083C6 8BE5          MOV ESP,EBP
  004083C8 5D             POP EBP
  004083C9 C2 0400       RETN 4
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  关键CALL-2：
  00407E90 55             PUSH EBP
  00407E91 8BEC          MOV EBP,ESP
  00407E93 83C4 8C       ADD ESP,-74
  00407E96 53             PUSH EBX
  00407E97 33DB          XOR EBX,EBX
  00407E99 895D F0       MOV DWORD PTR SS:[EBP-10],EBX
  00407E9C 53             PUSH EBX
  00407E9D 56             PUSH ESI
  00407E9E 57             PUSH EDI
  00407E9F 89C7          MOV EDI,EAX
  00407EA1 89CE          MOV ESI,ECX
  00407EA3 034D 10       ADD ECX,DWORD PTR SS:[EBP+10]
  00407EA6 897D FC       MOV DWORD PTR SS:[EBP-4],EDI
  00407EA9 31C0          XOR EAX,EAX
  00407EAB 8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
  00407EAE 8945 F4       MOV DWORD PTR SS:[EBP-C],EAX
  00407EB1 8945 F0       MOV DWORD PTR SS:[EBP-10],EAX
  00407EB4 09D2          OR EDX,EDX
  00407EB6 74 0E          JE SHORT 576EC.00407EC6
  00407EB8 39CE          CMP ESI,ECX
  00407EBA 74 0A          JE SHORT 576EC.00407EC6
  00407EBC AC             LODS BYTE PTR DS:[ESI]
  00407EBD 80F8 25       CMP AL,25
  00407EC0 74 0E          JE SHORT 576EC.00407ED0
  00407EC2 AA             STOS BYTE PTR ES:[EDI]
  00407EC3 4A             DEC EDX
  00407EC4  ^ 75 F2          JNZ SHORT 576EC.00407EB8
  00407EC6 89F8          MOV EAX,EDI
  00407EC8 2B45 FC       SUB EAX,DWORD PTR SS:[EBP-4]
  00407ECB E9 A8030000    JMP 576EC.00408278
  00407ED0 39CE          CMP ESI,ECX
  00407ED2  ^ 74 F2          JE SHORT 576EC.00407EC6
  00407ED4 AC             LODS BYTE PTR DS:[ESI]
  00407ED5 80F8 25       CMP AL,25
  00407ED8  ^ 74 E8          JE SHORT 576EC.00407EC2
  00407EDA 8D5E FE       LEA EBX,DWORD PTR DS:[ESI-2]
  00407EDD 895D EC       MOV DWORD PTR SS:[EBP-14],EBX
  00407EE0 8845 EB       MOV BYTE PTR SS:[EBP-15],AL
  00407EE3 80F8 2D       CMP AL,2D
  00407EE6 75 05          JNZ SHORT 576EC.00407EED
  00407EE8 39CE          CMP ESI,ECX
  00407EEA  ^ 74 DA          JE SHORT 576EC.00407EC6
  00407EEC AC             LODS BYTE PTR DS:[ESI]
  00407EED E8 80000000    CALL 576EC.00407F72
  00407EF2 80F8 3A       CMP AL,3A
  00407EF5 75 0A          JNZ SHORT 576EC.00407F01
  00407EF7 895D F8       MOV DWORD PTR SS:[EBP-8],EBX
  00407EFA 39CE          CMP ESI,ECX
  00407EFC  ^ 74 C8          JE SHORT 576EC.00407EC6
  00407EFE AC             LODS BYTE PTR DS:[ESI]
  00407EFF  ^ EB DF          JMP SHORT 576EC.00407EE0
  00407F01 895D E4       MOV DWORD PTR SS:[EBP-1C],EBX
  00407F04 BB FFFFFFFF    MOV EBX,-1
  00407F09 80F8 2E       CMP AL,2E
  00407F0C 75 0A          JNZ SHORT 576EC.00407F18
  00407F0E 39CE          CMP ESI,ECX
  00407F10  ^ 74 B4          JE SHORT 576EC.00407EC6
  00407F12 AC             LODS BYTE PTR DS:[ESI]
  00407F13 E8 5A000000    CALL 576EC.00407F72
  00407F18 895D E0       MOV DWORD PTR SS:[EBP-20],EBX
  00407F1B 8975 DC       MOV DWORD PTR SS:[EBP-24],ESI
  00407F1E 51             PUSH ECX
  00407F1F 52             PUSH EDX
  00407F20 E8 96000000    CALL 576EC.00407FBB                   ; 关键CALL-3，跟进
  00407F25 5A             POP EDX
  00407F26 8B5D E4       MOV EBX,DWORD PTR SS:[EBP-1C]
  00407F29 29CB          SUB EBX,ECX
  00407F2B 73 02          JNB SHORT 576EC.00407F2F
  00407F2D 31DB          XOR EBX,EBX
  00407F2F 807D EB 2D    CMP BYTE PTR SS:[EBP-15],2D
  00407F33 75 0A          JNZ SHORT 576EC.00407F3F
  00407F35 29CA          SUB EDX,ECX
  00407F37 73 04          JNB SHORT 576EC.00407F3D
  00407F39 01D1          ADD ECX,EDX
  00407F3B 31D2          XOR EDX,EDX
  00407F3D F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
  00407F3F 87CB          XCHG EBX,ECX
  00407F41 29CA          SUB EDX,ECX
  00407F43 73 04          JNB SHORT 576EC.00407F49
  00407F45 01D1          ADD ECX,EDX
  00407F47 31D2          XOR EDX,EDX
  00407F49 B0 20          MOV AL,20
  00407F4B F3:AA          REP STOS BYTE PTR ES:[EDI]
  00407F4D 87CB          XCHG EBX,ECX
  00407F4F 29CA          SUB EDX,ECX
  00407F51 73 04          JNB SHORT 576EC.00407F57
  00407F53 01D1          ADD ECX,EDX
  00407F55 31D2          XOR EDX,EDX
  00407F57 F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
  00407F59 837D F4 00    CMP DWORD PTR SS:[EBP-C],0
  00407F5D 74 0A          JE SHORT 576EC.00407F69
  00407F5F 52             PUSH EDX
  00407F60 8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
  00407F63 E8 1CFFFFFF    CALL 576EC.00407E84
  00407F68 5A             POP EDX
  00407F69 59             POP ECX
  00407F6A 8B75 DC       MOV ESI,DWORD PTR SS:[EBP-24]
  00407F6D  ^ E9 42FFFFFF    JMP 576EC.00407EB4
  00407F72 31DB          XOR EBX,EBX
  00407F74 80F8 2A       CMP AL,2A
  00407F77 74 22          JE SHORT 576EC.00407F9B
  00407F79 80F8 30       CMP AL,30
  00407F7C 72 3C          JB SHORT 576EC.00407FBA
  00407F7E 80F8 39       CMP AL,39
  00407F81 77 37          JA SHORT 576EC.00407FBA
  00407F83 6BDB 0A       IMUL EBX,EBX,0A
  00407F86 80E8 30       SUB AL,30
  00407F89 0FB6C0       MOVZX EAX,AL
  00407F8C 01C3          ADD EBX,EAX
  00407F8E 39CE          CMP ESI,ECX
  00407F90 74 03          JE SHORT 576EC.00407F95
  00407F92 AC             LODS BYTE PTR DS:[ESI]
  00407F93  ^ EB E4          JMP SHORT 576EC.00407F79
  00407F95 58             POP EAX
  00407F96  ^ E9 2BFFFFFF    JMP 576EC.00407EC6
  00407F9B 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
  00407F9E 3B45 08       CMP EAX,DWORD PTR SS:[EBP+8]
  00407FA1 77 12          JA SHORT 576EC.00407FB5
  00407FA3 FF45 F8       INC DWORD PTR SS:[EBP-8]
  00407FA6 8B5D 0C       MOV EBX,DWORD PTR SS:[EBP+C]
  00407FA9 807CC3 04 00 CMP BYTE PTR DS:[EBX+EAX*8+4],0
  00407FAE 8B1CC3       MOV EBX,DWORD PTR DS:[EBX+EAX*8]
  00407FB1 74 02          JE SHORT 576EC.00407FB5
  00407FB3 31DB          XOR EBX,EBX
  00407FB5 39CE          CMP ESI,ECX
  00407FB7  ^ 74 DC          JE SHORT 576EC.00407F95
  00407FB9 AC             LODS BYTE PTR DS:[ESI]
  00407FBA C3             RETN
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  关键CALL-3：
  00407FBB 24 DF          AND AL,0DF
  00407FBD 88C1          MOV CL,AL
  00407FBF B8 01000000    MOV EAX,1
  00407FC4 8B5D F8       MOV EBX,DWORD PTR SS:[EBP-8]
  00407FC7 3B5D 08       CMP EBX,DWORD PTR SS:[EBP+8]
  00407FCA 77 5C          JA SHORT 576EC.00408028
  00407FCC FF45 F8       INC DWORD PTR SS:[EBP-8]
  00407FCF 8B75 0C       MOV ESI,DWORD PTR SS:[EBP+C]
  00407FD2 8D34DE       LEA ESI,DWORD PTR DS:[ESI+EBX*8]
  00407FD5 8B06          MOV EAX,DWORD PTR DS:[ESI]
  00407FD7 0FB65E 04    MOVZX EBX,BYTE PTR DS:[ESI+4]
  00407FDB FF249D E27F4000 JMP DWORD PTR DS:[EBX*4+407FE2]
  00407FE2 D6             SALC
  00407FE3 8040 00 26    ADD BYTE PTR DS:[EAX],26
  00407FE7 8040 00 3D    ADD BYTE PTR DS:[EAX],3D
  00407FEB 8140 00 FB81400>ADD DWORD PTR DS:[EAX],576EC.004081FB
  00407FF2 6D             INS DWORD PTR ES:[EDI],DX             ; I/O 命令
  00407FF3 8140 00 DD81400>ADD DWORD PTR DS:[EAX],576EC.004081DD
  00407FFA BD 81400026    MOV EBP,26004081
  00407FFF 8040 00 26    ADD BYTE PTR DS:[EAX],26
  00408003 8040 00 26    ADD BYTE PTR DS:[EAX],26
  00408007 8040 00 7E    ADD BYTE PTR DS:[EAX],7E
  0040800B 8140 00 A181400>ADD DWORD PTR DS:[EAX],576EC.004081A1
  00408012 F781 40004C81 4>TEST DWORD PTR DS:[ECX+814C0040],8026004>
  0040801C 40             INC EAX
  0040801D 0085 8140003A ADD BYTE PTR SS:[EBP+3A004081],AL
  00408023 8040 00 31    ADD BYTE PTR DS:[EAX],31
  00408027 C0E8 40       SHR AL,40                               ; 移位常量超出 1..31 的范围
  0040802A 0200          ADD AL,BYTE PTR DS:[EAX]
  0040802C 008B 55EC8B4D ADD BYTE PTR DS:[EBX+4D8BEC55],CL
  00408032 DC29          FSUBR QWORD PTR DS:[ECX]
  00408034 D1E8          SHR EAX,1
  00408036 DEFD          FDIVP ST(5),ST
  00408038 FFFF          ???                                     ; 未知命令
  0040803A 8D5D D0       LEA EBX,DWORD PTR SS:[EBP-30]
  0040803D 8B10          MOV EDX,DWORD PTR DS:[EAX]             ; I放入EDX
  0040803F 8913          MOV DWORD PTR DS:[EBX],EDX
  00408041 8B50 04       MOV EDX,DWORD PTR DS:[EAX+4]
  00408044 8953 04       MOV DWORD PTR DS:[EBX+4],EDX          ; H放入EDX
  00408047 80F9 44       CMP CL,44
  0040804A 74 11          JE SHORT 576EC.0040805D
  0040804C 80F9 55       CMP CL,55
  0040804F 74 2A          JE SHORT 576EC.0040807B
  00408051 80F9 58       CMP CL,58
  00408054  ^ 75 D0          JNZ SHORT 576EC.00408026
  00408056 B9 10000000    MOV ECX,10
  0040805B EB 23          JMP SHORT 576EC.00408080
  0040805D F743 04 0000008>TEST DWORD PTR DS:[EBX+4],80000000
  00408064 74 15          JE SHORT 576EC.0040807B
  00408066 F71B          NEG DWORD PTR DS:[EBX]
  00408068 8353 04 00    ADC DWORD PTR DS:[EBX+4],0
  0040806C F75B 04       NEG DWORD PTR DS:[EBX+4]
  0040806F E8 07000000    CALL 576EC.0040807B
  00408074 B0 2D          MOV AL,2D
  00408076 41             INC ECX
  00408077 4E             DEC ESI
  00408078 8806          MOV BYTE PTR DS:[ESI],AL
  0040807A C3             RETN
  0040807B B9 0A000000    MOV ECX,0A
  00408080 8D75 AF       LEA ESI,DWORD PTR SS:[EBP-51]
  00408083 51             PUSH ECX
  00408084 6A 00          PUSH 0
  00408086 51             PUSH ECX
  00408087 8B03          MOV EAX,DWORD PTR DS:[EBX]
  00408089 8B53 04       MOV EDX,DWORD PTR DS:[EBX+4]
  0040808C E8 84D8FFFF    CALL 576EC.00405915                   ; 关键CALL-4，跟进
  00408091 59             POP ECX
  00408092 92             XCHG EAX,EDX
  00408093 80C2 30       ADD DL,30
  00408096 80FA 3A       CMP DL,3A
  00408099 72 03          JB SHORT 576EC.0040809E
  0040809B 80C2 07       ADD DL,7
  0040809E 4E             DEC ESI
  0040809F 8816          MOV BYTE PTR DS:[ESI],DL
  004080A1 51             PUSH ECX
  004080A2 6A 00          PUSH 0
  004080A4 51             PUSH ECX
  004080A5 8B03          MOV EAX,DWORD PTR DS:[EBX]
  004080A7 8B53 04       MOV EDX,DWORD PTR DS:[EBX+4]
  004080AA E8 71D7FFFF    CALL 576EC.00405820                   ; 关键CALL-5，跟进
  004080AF 59             POP ECX
  004080B0 8903          MOV DWORD PTR DS:[EBX],EAX
  004080B2 8953 04       MOV DWORD PTR DS:[EBX+4],EDX
  004080B5 09D0          OR EAX,EDX
  004080B7  ^ 75 CA          JNZ SHORT 576EC.00408083
  这个循环以H和I作为初值开始运算，是一个包括关键CALL-4和关键CALL-5的循环，把关键CALL-4中求出的数一ASCII码的形式保存，把这些数连起来就是第二列真码，当关键CALL-5中求出的EAX=EDX=0时退出循环。
  004080B9 8D4D AF       LEA ECX,DWORD PTR SS:[EBP-51]
  004080BC 29F1          SUB ECX,ESI
  004080BE 8B55 E0       MOV EDX,DWORD PTR SS:[EBP-20]
  004080C1 83FA 10       CMP EDX,10
  004080C4 72 01          JB SHORT 576EC.004080C7
  004080C6 C3             RETN
  004080C7 29CA          SUB EDX,ECX
  004080C9 76 0A          JBE SHORT 576EC.004080D5
  004080CB 01D1          ADD ECX,EDX
  004080CD B0 30          MOV AL,30
  004080CF 4E             DEC ESI
  004080D0 8806          MOV BYTE PTR DS:[ESI],AL
  004080D2 4A             DEC EDX
  004080D3  ^ 75 FA          JNZ SHORT 576EC.004080CF
  004080D5 C3             RETN
  004080D6 80F9 44       CMP CL,44
  004080D9 74 15          JE SHORT 576EC.004080F0
  004080DB 80F9 55       CMP CL,55
  004080DE 74 22          JE SHORT 576EC.00408102
  004080E0 80F9 58       CMP CL,58
  004080E3  ^ 0F85 3DFFFFFF JNZ 576EC.00408026
  004080E9 B9 10000000    MOV ECX,10
  004080EE EB 17          JMP SHORT 576EC.00408107
  004080F0 09C0          OR EAX,EAX
  004080F2 79 0E          JNS SHORT 576EC.00408102
  004080F4 F7D8          NEG EAX
  004080F6 E8 07000000    CALL 576EC.00408102
  004080FB B0 2D          MOV AL,2D
  004080FD 41             INC ECX
  004080FE 4E             DEC ESI
  004080FF 8806          MOV BYTE PTR DS:[ESI],AL
  00408101 C3             RETN
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++
  关键CALL-4：
  00405915 55             PUSH EBP
  00405916 53             PUSH EBX
  00405917 56             PUSH ESI
  00405918 57             PUSH EDI
  00405919 8B5C24 14    MOV EBX,DWORD PTR SS:[ESP+14]
  0040591D 8B4C24 18    MOV ECX,DWORD PTR SS:[ESP+18]
  00405921 0BC9          OR ECX,ECX
  00405923 75 08          JNZ SHORT 576EC.0040592D
  00405925 0BD2          OR EDX,EDX
  00405927 74 33          JE SHORT 576EC.0040595C
  00405929 0BDB          OR EBX,EBX
  0040592B 74 2F          JE SHORT 576EC.0040595C
  0040592D 8BE9          MOV EBP,ECX
  0040592F B9 40000000    MOV ECX,40                            ; 循环40次
  00405934 33FF          XOR EDI,EDI
  00405936 33F6          XOR ESI,ESI                            ; ESI清0
  00405938 D1E0          SHL EAX,1                               ;左移动一位
  0040593A D1D2          RCL EDX,1                               ; 左移动一位
  0040593C D1D6          RCL ESI,1                               ; 带进位左移动一位
  0040593E D1D7          RCL EDI,1
  00405940 3BFD          CMP EDI,EBP
  00405942 72 0B          JB SHORT 576EC.0040594F
  00405944 77 04          JA SHORT 576EC.0040594A
  00405946 3BF3          CMP ESI,EBX
  00405948 72 05          JB SHORT 576EC.0040594F
  0040594A 2BF3          SUB ESI,EBX
  0040594C 1BFD          SBB EDI,EBP
  0040594E 40             INC EAX
  0040594F  ^ E2 E7          LOOPD SHORT 576EC.00405938
  这个循环里迷惑人的地方比较多，不仔细看看不出来~~偶就在这里困了好久：（，总结下就是EAX先左移一位，然后EDX带进位左移一位，然后ESI再带进位左移一为，然后比较ESI中的值是否大于A，不大于就继续循环，如果大于A，就减去A，EAX+1再继续循环，一直循环40次。最后把ESI中的值给EAX，EAX就是CALL-4的返回值。总之，只要关注好ESI就好~其它和程序无关，不必在意
  00405951 8BC6          MOV EAX,ESI
  00405953 8BD7          MOV EDX,EDI
  00405955 5F             POP EDI
  00405956 5E             POP ESI
  00405957 5B             POP EBX
  00405958 5D             POP EBP
  00405959 C2 0800       RETN 8
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  关键CALL-5：
  00405820 55             PUSH EBP
  00405821 53             PUSH EBX
  00405822 56             PUSH ESI
  00405823 57             PUSH EDI
  00405824 8B5C24 14    MOV EBX,DWORD PTR SS:[ESP+14]
  00405828 8B4C24 18    MOV ECX,DWORD PTR SS:[ESP+18]
  0040582C 0BC9          OR ECX,ECX
  0040582E 75 08          JNZ SHORT 576EC.00405838
  00405830 0BD2          OR EDX,EDX
  00405832 74 2F          JE SHORT 576EC.00405863
  00405834 0BDB          OR EBX,EBX
  00405836 74 2B          JE SHORT 576EC.00405863
  00405838 8BE9          MOV EBP,ECX
  0040583A B9 40000000    MOV ECX,40
  0040583F 33FF          XOR EDI,EDI
  00405841 33F6          XOR ESI,ESI
  00405843 D1E0          SHL EAX,1
  00405845 D1D2          RCL EDX,1
  00405847 D1D6          RCL ESI,1
  00405849 D1D7          RCL EDI,1
  0040584B 3BFD          CMP EDI,EBP
  0040584D 72 0B          JB SHORT 576EC.0040585A
  0040584F 77 04          JA SHORT 576EC.00405855
  00405851 3BF3          CMP ESI,EBX
  00405853 72 05          JB SHORT 576EC.0040585A
  00405855 2BF3          SUB ESI,EBX
  00405857 1BFD          SBB EDI,EBP
  00405859 40             INC EAX
  0040585A  ^ E2 E7          LOOPD SHORT 576EC.00405843
  和上个循环没有太大区别，但这次要关注的是EAX和EDX中的值，其它和程序无关，不必在意，因为她计算出的值将用与下次循环，而且控制是否循环，它首次计算的就是初值H和I。
  总结下它运算的方法就是EAX先左移一位，然后EDX带进位左移一位，然后ESI再带进位左移一为，然后比较ESI中的值是否大于A，不大于就继续循环，如果大于A，就减去A，EAX+1再继续循环，一直循环40次。最后返回EAX和EDX中的值用做下次循环，如果EAX=EDX=0则结束循环

  0040585C 5F             POP EDI
  0040585D 5E             POP ESI
  0040585E 5B             POP EBX
  0040585F 5D             POP EBP
  00405860 C2 0800       RETN 8
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

--------------------------------------------------------------------------------
【经验总结】
  用户名要大于5位~计算过程如下：
  1.取（用户名第一位ASCII码+1B）*2，然后取（上次计算的结果+用户名第二位ASCII玛）*3，依次类推，最后一为用户名没
  有参与运算，所的结果的低8位记为A
  2.1A+机器码的ASCII和，结果记为B
  3.B*A，低8位结果记为C。
  4.A与C逻辑与运算,结果记为D
  5.D与B相加，结果记为E
  6. B与D想乘，结果记为F。
  7.A*D，低8位记为G，高8位记为H。
  8.经过关键CALL，求出注册码第二列。破文中有详细说明。
  9.分别去第二列注册码和用户名中的字符作为第一列和第三列部分注册码，第三列再加上三位数的第二列真码长度加Z8构成
  第三列注册吗；
  一组可用的注册吗：
  goqq2008z
  6286QO2GQ-286394810309017384-qgqo012Z8

--------------------------------------------------------------------------------
【版权声明】: 本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

上传的附件：

sweeet dream 1.0 crackme.rar （175.75kb，10次下载）

收藏・0

免费・7

支持

最新回复 (3)
网游难民雪币： 309 活跃值： (15) 能力值： ( LV9，RANK：610 ) 在线值：发帖 20 回帖 181 粉丝 1 关注私信	网游难民 15 2 楼郁闷中，今天看了下，少写了个地方，Ｂ的求出也是最后一位机器码不参加运算的～关键ＣＡＬＬ－３没有说清楚，是循环中求出的值倒排组成第二列注册码 2006-8-28 18:59 0
周子歆雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 16 粉丝 0 关注私信	周子歆 3 楼网游难民兄弟，我想向你请教两个问题，问题一：我的softice装了，为什么不能加载程序调试呀？该如何配置？问题二：TRW2000有没有可以运行在Windows XP系列的版本吗？我非常喜欢TRW2000,可惜我手头上的只能在Windows ME/Windows 98下运行。谢谢... 2006-9-2 13:27 0
KAN 雪币： 263 活跃值： (10) 能力值： ( LV9，RANK：250 ) 在线值：发帖 11 回帖 589 粉丝 0 关注私信	KAN 6 4 楼一。脱壳，ASPACK2层，UPX1层，三次ESP定律搞定，我就不细说了~ 有些初学者想按步跟下去，可能就在这步卡了比如我 2006-9-2 18:23 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

网游难民

发帖

181

回帖

610

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
网游难民雪币： 309 活跃值： (15) 能力值： ( LV9，RANK：610 ) 在线值：发帖 20 回帖 181 粉丝 1 关注私信	网游难民 15 2 楼郁闷中，今天看了下，少写了个地方，Ｂ的求出也是最后一位机器码不参加运算的～关键ＣＡＬＬ－３没有说清楚，是循环中求出的值倒排组成第二列注册码 2006-8-28 18:59 0
周子歆雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 16 粉丝 0 关注私信	周子歆 3 楼网游难民兄弟，我想向你请教两个问题，问题一：我的softice装了，为什么不能加载程序调试呀？该如何配置？问题二：TRW2000有没有可以运行在Windows XP系列的版本吗？我非常喜欢TRW2000,可惜我手头上的只能在Windows ME/Windows 98下运行。谢谢... 2006-9-2 13:27 0
KAN 雪币： 263 活跃值： (10) 能力值： ( LV9，RANK：250 ) 在线值：发帖 11 回帖 589 粉丝 0 关注私信	KAN 6 4 楼一。脱壳，ASPACK2层，UPX1层，三次ESP定律搞定，我就不细说了~ 有些初学者想按步跟下去，可能就在这步卡了比如我 2006-9-2 18:23 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复