[Original] riijj CrackMe11 Algorithm Analysis
2007-1-17 23:24 6117

【Title】: riijj CrackMe11 Algorithm Analysis
【Author】: hawking
【Author's e-mail】: rich_hawking@hotmail.com
【Software】: riijj crackme service pack 2 (second revised edition)
【Size】: 52K
【Download】: http://bbs.pediy.com/attachment.php?s=&attachmentid=4074
【Packer】: none
【Language】: Microsoft Visual C++ 6.0
【Tools】: OD
【Platform】: Win2000 SP4
【Author's note】: Written purely out of interest, with no other purpose. Corrections of any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed Process】
  This CrackMe contains some anti-debugging tricks; if you simply open it in OD and start debugging, it will not run. 绫濑遥 (http://bbs.pediy.com/showthread.php?s=&threadid=38125) and Ryosuke have already analysed the anti-debugging part very clearly, so I won't repeat it here.
  
  Trial input:
  hawking
  12345678901234567890
  
00401710   .  8B4424 08     mov     eax, dword ptr [esp+8]
00401714   .  3D 10010000   cmp     eax, 110
00401719   .  75 1C         jnz     short 00401737
0040171B   .  8B4424 04     mov     eax, dword ptr [esp+4]
0040171F   .  68 E8030000   push    3E8                              ; /ControlID = 3E8 (1000.)
00401724   .  50            push    eax                              ; |hWnd
00401725   .  FF15 14A14000 call    dword ptr [<&USER32.GetDlgItem>] ; \GetDlgItem
0040172B   .  50            push    eax                              ; /hWnd
0040172C   .  FF15 18A14000 call    dword ptr [<&USER32.SetFocus>]   ; \SetFocus
00401732   >  33C0          xor     eax, eax
00401734   .  C2 1000       retn    10
00401737   >  3D 11010000   cmp     eax, 111
0040173C   .^ 75 F4         jnz     short 00401732
0040173E   .  66:817C24 0C >cmp     word ptr [esp+C], 3EA            ;  Register Button Handle
00401745   .^ 75 EB         jnz     short 00401732
00401747   .  56            push    esi
00401748   .  8B7424 14     mov     esi, dword ptr [esp+14]
0040174C   .  57            push    edi
0040174D   .  8B3D 1CA14000 mov     edi, dword ptr [<&USER32.EnableW>;  USER32.EnableWindow
00401753   .  6A 00         push    0                                ; /Enable = FALSE
00401755   .  56            push    esi                              ; |hWnd
00401756   .  FFD7          call    edi                              ; \EnableWindow
00401758   .  E8 F3040000   call    00401C50                         ;  get name and key string
0040175D   .  6A 01         push    1
0040175F   .  56            push    esi
00401760   .  FFD7          call    edi
00401762   .  5F            pop     edi
00401763   .  33C0          xor     eax, eax
00401765   .  5E            pop     esi
00401766   .  C2 1000       retn    10
  

  For details on how to locate a button's click handler, see http://bbs.pediy.com/showthread.php?s=&threadid=20078 and CCDebuger's introductory OD tutorial series.
  Here the program merely calls 00401C50 to fetch the contents of the name and key edit boxes and copy them into memory the author allocated earlier with VirtualAlloc, and then returns; it performs no computation or check on name and key at this point. So how does the program verify our input?
  If you have looked at riijj's earlier CrackMe3 (http://bbs.pediy.com/showthread.php?threadid=8155), the situation here is quite similar: the program only collects the user's input here and sets the relevant flag, and a timer then repeatedly runs the computation and verification on that data in the background.
  
00401B46  |.  A1 CCDD4000   mov     eax, dword ptr [40DDCC]
00401B4B  |.  68 101B4000   push    00401B10                         ; /Timerproc = riijjcm1.00401B10
00401B50  |.  68 F4010000   push    1F4                              ; |Timeout = 500. ms
00401B55  |.  6A 01         push    1                                ; |TimerID = 1
00401B57  |.  50            push    eax                              ; |hWnd => 00130752 ('Riijj crackme 11 - 20070115',class='myWindowClass')
00401B58  |.  FF15 E0A04000 call    dword ptr [<&USER32.SetTimer>]   ; \SetTimer
00401B5E  |.  C705 D4DD4000>mov     dword ptr [40DDD4], 0
00401B68  |.  C3            retn
  

  
00401880  /$  81EC 9C000000 sub     esp, 9C
00401886  |.  B0 E9         mov     al, 0E9
00401888  |.  C64424 02 B6  mov     byte ptr [esp+2], 0B6
0040188D  |.  884424 03     mov     byte ptr [esp+3], al
00401891  |.  884424 01     mov     byte ptr [esp+1], al
00401895  |.  A1 D4DD4000   mov     eax, dword ptr [40DDD4]
0040189A  |.  C64424 00 BF  mov     byte ptr [esp], 0BF
0040189F  |.  85C0          test    eax, eax
004018A1  |.  0F85 F0000000 jnz     00401997
004018A7  |.  8D4424 02     lea     eax, dword ptr [esp+2]
004018AB  |.  56            push    esi
004018AC  |.  50            push    eax
004018AD  |.  C705 D4DD4000>mov     dword ptr [40DDD4], 1
004018B7  |.  E8 D4FEFFFF   call    00401790
004018BC  |.  8D4C24 08     lea     ecx, dword ptr [esp+8]
004018C0  |.  51            push    ecx
004018C1  |.  E8 CAFEFFFF   call    00401790
004018C6  |.  A1 D8DD4000   mov     eax, dword ptr [40DDD8]
004018CB  |.  8D5424 0E     lea     edx, dword ptr [esp+E]
004018CF  |.  52            push    edx
004018D0  |.  50            push    eax
004018D1  |.  E8 6AFFFFFF   call    00401840
004018D6  |.  8B15 DCDD4000 mov     edx, dword ptr [40DDDC]
004018DC  |.  8D4C24 14     lea     ecx, dword ptr [esp+14]
004018E0  |.  51            push    ecx
004018E1  |.  52            push    edx
004018E2  |.  8BF0          mov     esi, eax
004018E4  |.  E8 57FFFFFF   call    00401840
004018E9  |.  83C4 18       add     esp, 18
004018EC  |.  8BD0          mov     edx, eax
004018EE  |.  85F6          test    esi, esi
004018F0  |.  74 67         je      short 00401959
004018F2  |.  85D2          test    edx, edx
004018F4  |.  74 63         je      short 00401959
004018F6  |.  53            push    ebx
004018F7  |.  57            push    edi
004018F8  |.  8D7E 02       lea     edi, dword ptr [esi+2]
004018FB  |.  83C9 FF       or      ecx, FFFFFFFF
004018FE  |.  33C0          xor     eax, eax
00401900  |.  8D5C24 10     lea     ebx, dword ptr [esp+10]
00401904  |.  F2:AE         repne   scas byte ptr es:[edi]
00401906  |.  F7D1          not     ecx
00401908  |.  2BF9          sub     edi, ecx
0040190A  |.  8BC1          mov     eax, ecx
0040190C  |.  8BF7          mov     esi, edi
0040190E  |.  8BFB          mov     edi, ebx
00401910  |.  C1E9 02       shr     ecx, 2
00401913  |.  F3:A5         rep     movs dword ptr es:[edi], dword p>
00401915  |.  8BC8          mov     ecx, eax
00401917  |.  33C0          xor     eax, eax
00401919  |.  83E1 03       and     ecx, 3
0040191C  |.  F3:A4         rep     movs byte ptr es:[edi], byte ptr>
0040191E  |.  8D7A 02       lea     edi, dword ptr [edx+2]
00401921  |.  83C9 FF       or      ecx, FFFFFFFF
00401924  |.  F2:AE         repne   scas byte ptr es:[edi]
00401926  |.  F7D1          not     ecx
00401928  |.  2BF9          sub     edi, ecx
0040192A  |.  8D5424 44     lea     edx, dword ptr [esp+44]
0040192E  |.  8BC1          mov     eax, ecx
00401930  |.  8BF7          mov     esi, edi
00401932  |.  8BFA          mov     edi, edx
00401934  |.  C1E9 02       shr     ecx, 2
00401937  |.  F3:A5         rep     movs dword ptr es:[edi], dword p>
00401939  |.  8BC8          mov     ecx, eax
0040193B  |.  83E1 03       and     ecx, 3
0040193E  |.  F3:A4         rep     movs byte ptr es:[edi], byte ptr>
00401940  |.  E8 DB010000   call    00401B20
00401945  |.  8D4C24 44     lea     ecx, dword ptr [esp+44]
00401949  |.  8D5424 10     lea     edx, dword ptr [esp+10]
0040194D  |.  51            push    ecx
0040194E  |.  52            push    edx
0040194F  |.  E8 9CF7FFFF   call    004010F0                         ; key call, F7 to step into
00401954  |.  83C4 08       add     esp, 8
00401957  |.  5F            pop     edi
00401958  |.  5B            pop     ebx
00401959  |>  E8 72050000   call    00401ED0
0040195E  |.  99            cdq
0040195F  |.  B9 84030000   mov     ecx, 384
00401964  |.  F7F9          idiv    ecx
00401966  |.  0315 C8DD4000 add     edx, dword ptr [40DDC8]
0040196C  |.  8915 D8DD4000 mov     dword ptr [40DDD8], edx
00401972  |.  E8 59050000   call    00401ED0
00401977  |.  99            cdq
00401978  |.  B9 84030000   mov     ecx, 384
0040197D  |.  C705 D4DD4000>mov     dword ptr [40DDD4], 0
00401987  |.  F7F9          idiv    ecx
00401989  |.  A1 E4DD4000   mov     eax, dword ptr [40DDE4]
0040198E  |.  5E            pop     esi
0040198F  |.  03D0          add     edx, eax
00401991  |.  8915 DCDD4000 mov     dword ptr [40DDDC], edx
00401997  |>  81C4 9C000000 add     esp, 9C
0040199D  \.  C3            retn
  
004010F0  /$  83EC 0C       sub     esp, 0C
004010F3  |.  8B5424 10     mov     edx, dword ptr [esp+10]
004010F7  |.  56            push    esi
004010F8  |.  57            push    edi
004010F9  |.  8BFA          mov     edi, edx
004010FB  |.  83C9 FF       or      ecx, FFFFFFFF
004010FE  |.  33C0          xor     eax, eax
00401100  |.  F2:AE         repne   scas byte ptr es:[edi]
00401102  |.  F7D1          not     ecx
00401104  |.  49            dec     ecx
00401105  |.  8BF1          mov     esi, ecx
00401107  |.  33C9          xor     ecx, ecx
00401109  |.  85F6          test    esi, esi
0040110B  |.  897424 10     mov     dword ptr [esp+10], esi
0040110F  |.  7E 18         jle     short 00401129
00401111  |>  8A0411        /mov     al, byte ptr [ecx+edx]
00401114  |.  3C 20         |cmp     al, 20
00401116  |.  0F8C AA000000 |jl      004011C6
0040111C  |.  3C 7E         |cmp     al, 7E
0040111E  |.  0F8F A2000000 |jg      004011C6
00401124  |.  41            |inc     ecx
00401125  |.  3BCE          |cmp     ecx, esi
00401127  |.^ 7C E8         \jl      short 00401111                  ; name must consist of printable characters
00401129  |>  53            push    ebx
0040112A  |.  55            push    ebp
0040112B  |.  8B6C24 24     mov     ebp, dword ptr [esp+24]
0040112F  |.  83C9 FF       or      ecx, FFFFFFFF
00401132  |.  8BFD          mov     edi, ebp
00401134  |.  33C0          xor     eax, eax
00401136  |.  F2:AE         repne   scas byte ptr es:[edi]
00401138  |.  F7D1          not     ecx
0040113A  |.  49            dec     ecx
0040113B  |.  6A 20         push    20
0040113D  |.  8BD9          mov     ebx, ecx
0040113F  |.  E8 D00C0000   call    00401E14
00401144  |.  83C4 04       add     esp, 4
00401147  |.  8BF8          mov     edi, eax
00401149  |.  33F6          xor     esi, esi
0040114B  |.  897C24 10     mov     dword ptr [esp+10], edi
0040114F  |.  85DB          test    ebx, ebx
00401151  |.  7E 28         jle     short 0040117B
00401153  |>  8D4424 24     /lea     eax, dword ptr [esp+24]
00401157  |.  8D0C2E        |lea     ecx, dword ptr [esi+ebp]
0040115A  |.  50            |push    eax
0040115B  |.  68 94B04000   |push    0040B094                        ;  ASCII "%2X"
00401160  |.  51            |push    ecx
00401161  |.  E8 7A0C0000   |call    00401DE0
00401166  |.  8A5424 30     |mov     dl, byte ptr [esp+30]
0040116A  |.  83C4 0C       |add     esp, 0C
0040116D  |.  8817          |mov     byte ptr [edi], dl
0040116F  |.  83C6 02       |add     esi, 2
00401172  |.  47            |inc     edi
00401173  |.  3BF3          |cmp     esi, ebx
00401175  |.^ 7C DC         \jl      short 00401153                  ; the key we entered is parsed as a hex string; call the result X for now
00401177  |.  8B7C24 10     mov     edi, dword ptr [esp+10]
0040117B  |>  DD05 48A14000 fld     qword ptr [40A148]               ; st(1) = 1.00000000
00401181  |.  8B4C24 18     mov     ecx, dword ptr [esp+18]
00401185  |.  33C0          xor     eax, eax
00401187  |.  DD5424 10     fst     qword ptr [esp+10]
0040118B  |.  5D            pop     ebp
0040118C  |.  5B            pop     ebx
0040118D  |.  85C9          test    ecx, ecx                         ; length of name
0040118F  |.  7E 3B         jle     short 004011CC
00401191  |>  8B5424 18     /mov     edx, dword ptr [esp+18]         ; name
00401195  |.  40            |inc     eax                             ; i++
00401196  |.  3BC1          |cmp     eax, ecx                        ; i < length of name?
00401198  |.  0FBE5410 FF   |movsx   edx, byte ptr [eax+edx-1]       ; name[i]
0040119D  |.  895424 10     |mov     dword ptr [esp+10], edx         ; st(0) = name[i]
004011A1  |.  DB4424 10     |fild    dword ptr [esp+10]
004011A5  |.  DEC1          |faddp   st(1), st                       ; st(1) = st(1) + st(0)
004011A7  |.  DC0D 40A14000 |fmul    qword ptr [40A140]              ; st(1) = st(1) * 1.20000000
004011AD  |.^ 7C E2         \jl      short 00401191                  ; the final result is one parameter of the final check; call it Y for now
004011AF  |.  DD5C24 08     fstp    qword ptr [esp+8]
004011B3  |>  8B4424 0C     mov     eax, dword ptr [esp+C]
004011B7  |.  8B4C24 08     mov     ecx, dword ptr [esp+8]
004011BB  |.  57            push    edi                              ; address of X
004011BC  |.  50            push    eax                              ; high dword of Y
004011BD  |.  51            push    ecx                              ; low dword of Y
004011BE  |.  E8 1D010000   call    004012E0                         ; key call, F7 to step into
004011C3  |.  83C4 0C       add     esp, 0C
004011C6  |>  5F            pop     edi
004011C7  |.  5E            pop     esi
004011C8  |.  83C4 0C       add     esp, 0C
004011CB  |.  C3            retn
004011CC  |>  DDD8          fstp    st
004011CE  \.^ EB E3         jmp     short 004011B3
  
004012E0  /$  51            push    ecx
004012E1  |.  53            push    ebx
004012E2  |.  55            push    ebp
004012E3  |.  56            push    esi
004012E4  |.  8B7424 1C     mov     esi, dword ptr [esp+1C]
004012E8  |.  57            push    edi
004012E9  |.  33ED          xor     ebp, ebp
004012EB  |.  DD46 08       fld     qword ptr [esi+8]                ; each 8 bytes of X take part in the computation as one double; this is X2
004012EE  |.  DC0D 00A24000 fmul    qword ptr [40A200]               ; X2 * 37
004012F4  |.  DD06          fld     qword ptr [esi]
004012F6  |.  DC0D F8A14000 fmul    qword ptr [40A1F8]               ; X1 * 112
004012FC  |.  83EC 08       sub     esp, 8
004012FF  |.  33FF          xor     edi, edi
00401301  |.  33DB          xor     ebx, ebx
00401303  |.  896C24 18     mov     dword ptr [esp+18], ebp
00401307  |.  DEC1          faddp   st(1), st
00401309  |.  DD4424 20     fld     qword ptr [esp+20]
0040130D  |.  DC0D F0A14000 fmul    qword ptr [40A1F0]               ; Y * 7
00401313  |.  DEC1          faddp   st(1), st
00401315  |.  DD46 18       fld     qword ptr [esi+18]
00401318  |.  DC0D 38A14000 fmul    qword ptr [40A138]               ; X4 * 5
0040131E  |.  DEC1          faddp   st(1), st
00401320  |.  DD46 10       fld     qword ptr [esi+10]
00401323  |.  DC0D E8A14000 fmul    qword ptr [40A1E8]               ; X3 * 60
00401329  |.  DEC1          faddp   st(1), st
0040132B  |.  DC25 E0A14000 fsub    qword ptr [40A1E0]               ; 100
00401331  |.  DD1C24        fstp    qword ptr [esp]                  ; Result = X2*37+X1*112+Y*7+X4*5+X3*60-100
00401334  |.  E8 C7FCFFFF   call    00401000                         ; returns 1 if the check succeeds
00401339  |.  83C4 08       add     esp, 8
0040133C  |.  85C0          test    eax, eax
0040133E  |.  74 05         je      short 00401345
00401340  |.  BF 01000000   mov     edi, 1                           ; set the flag on success
00401345  |>  DD46 08       fld     qword ptr [esi+8]
00401348  |.  DC0D D8A14000 fmul    qword ptr [40A1D8]               ; X2 * 39
0040134E  |.  DD06          fld     qword ptr [esi]
00401350  |.  DC0D D0A14000 fmul    qword ptr [40A1D0]               ; X1 * 67
00401356  |.  83EC 08       sub     esp, 8
00401359  |.  DEC1          faddp   st(1), st
0040135B  |.  DD4424 20     fld     qword ptr [esp+20]
0040135F  |.  DC0D C8A14000 fmul    qword ptr [40A1C8]               ; Y * 12
00401365  |.  DEC1          faddp   st(1), st
00401367  |.  DD46 18       fld     qword ptr [esi+18]
0040136A  |.  DC0D C0A14000 fmul    qword ptr [40A1C0]               ; X4 * 50
  00401370  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  00401372  |.  DD46 10       [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+10]
  00401375  |.  DC0D B8A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A1B8]                              [color=#008000];X3 * 30[/color]
  0040137B  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  0040137D  |.  DC25 B0A14000 [color=#0000D0]fsub[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A1B0]                              [color=#008000];80[/color]
  00401383  |.  DD1C24        [color=#0000D0]fstp[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]]                                 [color=#008000];Result = X2*39+X1*67+Y*12+X4*50+X3*30-80[/color]
  00401386  |.  E8 75FCFFFF   [color=#0000D0]call[/color]    00401000
  0040138B  |.  83C4 08       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 8
  0040138E  |.  85C0          [color=#0000D0]test[/color]    [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401390  |.  74 05         [color=#0000D0]je[/color]      short 00401397
  00401392  |.  BB 01000000   [color=#0000D0]mov[/color]     [color=#FF0000]ebx[/color], 1                                          [color=#008000];成功则置标志[/color]
  00401397  |>  DD46 08       [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+8]
  0040139A  |.  DC0D A8A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A1A8]
  004013A0  |.  DD06          [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]]
  004013A2  |.  DC0D A0A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A1A0]
  004013A8  |.  83EC 08       [color=#0000D0]sub[/color]     [color=#FF0000]esp[/color], 8
  004013AB  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  004013AD  |.  DD4424 20     [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+20]
  004013B1  |.  DC0D 98A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A198]
  004013B7  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  004013B9  |.  DD46 18       [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+18]
  004013BC  |.  DC0D 90A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A190]
  004013C2  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  004013C4  |.  DD46 10       [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+10]
  004013C7  |.  DC0D 88A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A188]
  004013CD  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  004013CF  |.  DC25 80A14000 [color=#0000D0]fsub[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A180]
  004013D5  |.  DD1C24        [color=#0000D0]fstp[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]]                                 [color=#008000];Result = X2*54+X1*72+Y*15+X4*28+X3*33-92[/color]
  004013D8  |.  E8 23FCFFFF   [color=#0000D0]call[/color]    00401000
  004013DD  |.  83C4 08       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 8
  004013E0  |.  85C0          [color=#0000D0]test[/color]    [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  004013E2  |.  74 05         [color=#0000D0]je[/color]      short 004013E9
  004013E4  |.  BD 01000000   [color=#0000D0]mov[/color]     [color=#FF0000]ebp[/color], 1                                          [color=#008000];成功则置标志[/color]
  004013E9  |>  DD46 08       [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+8]
  004013EC  |.  DC0D E8A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A1E8]
  004013F2  |.  DD06          [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]]
  004013F4  |.  DC0D B0A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A1B0]
  004013FA  |.  83EC 08       [color=#0000D0]sub[/color]     [color=#FF0000]esp[/color], 8
  004013FD  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  004013FF  |.  DD4424 20     [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+20]
  00401403  |.  DC0D 78A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A178]
  00401409  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  0040140B  |.  DD46 18       [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+18]
  0040140E  |.  DC0D 70A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A170]
  00401414  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  00401416  |.  DD46 10       [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+10]
  00401419  |.  DC0D 68A14000 [color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A168]
  0040141F  |.  DEC1          [color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
  00401421  |.  DC25 60A14000 [color=#0000D0]fsub[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A160]
  00401427  |.  DD1C24        [color=#0000D0]fstp[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]]                                 [color=#008000];Result = X2*60+X1*80+Y*21+X4*20+X3*42-105[/color]
  0040142A  |.  E8 D1FBFFFF   [color=#0000D0]call[/color]    00401000
  0040142F  |.  83C4 08       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 8
  00401432  |.  85C0          [color=#0000D0]test[/color]    [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401434  |.  B8 01000000   [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], 1                                          [color=#008000];成功则置标志[/color]
  00401439  |.  75 04         [color=#0000D0]jnz[/color]     short 0040143F
  0040143B  |.  8B4424 10     [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
  0040143F  |>  85FF          [color=#0000D0]test[/color]    [color=#FF0000]edi[/color], [color=#FF0000]edi[/color]
  00401441  |.  74 11         [color=#0000D0]je[/color]      short 00401454
  00401443  |.  85DB          [color=#0000D0]test[/color]    [color=#FF0000]ebx[/color], [color=#FF0000]ebx[/color]
  00401445  |.  74 0D         [color=#0000D0]je[/color]      short 00401454
  00401447  |.  85ED          [color=#0000D0]test[/color]    [color=#FF0000]ebp[/color], [color=#FF0000]ebp[/color]
  00401449  |.  74 09         [color=#0000D0]je[/color]      short 00401454
  0040144B  |.  85C0          [color=#0000D0]test[/color]    [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  0040144D  |.  74 05         [color=#0000D0]je[/color]      short 00401454
  0040144F  |.  E8 DCFBFFFF   [color=#0000D0]call[/color]    00401030                                          [color=#008000];这个Call显示注册成功信息[/color]
  00401454  |>  5F            [color=#0000D0]pop[/color]     [color=#FF0000]edi[/color]
  00401455  |.  5E            [color=#0000D0]pop[/color]     [color=#FF0000]esi[/color]
  00401456  |.  5D            [color=#0000D0]pop[/color]     [color=#FF0000]ebp[/color]
  00401457  |.  5B            [color=#0000D0]pop[/color]     [color=#FF0000]ebx[/color]
  00401458  |.  59            [color=#0000D0]pop[/color]     [color=#FF0000]ecx[/color]
  00401459  \.  C3            [color=#0000D0]retn[/color]
  
  00401000  /$  DD4424 04     [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+4]                                  [color=#008000];Result[/color]
  00401004  |.  DC1D 38A14000 [color=#0000D0]fcomp[/color]   [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A138]                                 [color=#008000];5.00000000[/color]
  0040100A  |.  DFE0          [color=#0000D0]fstsw[/color]   [color=#FF0000]ax[/color]
  0040100C  |.  F6C4 01       [color=#0000D0]test[/color]    [color=#FF0000]ah[/color], 1
  0040100F  |.  74 17         [color=#0000D0]je[/color]      short 00401028                                      [color=#008000];如果Result<5.00000000则return 1[/color]
  00401011  |.  DD4424 04     [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+4]                                   [color=#008000];Result[/color]
  00401015  |.  DC1D 30A14000 [color=#0000D0]fcomp[/color]   [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A130]                                  [color=#008000];-5.00000000[/color]
  0040101B  |.  DFE0          [color=#0000D0]fstsw[/color]   [color=#FF0000]ax[/color]
  0040101D  |.  F6C4 41       [color=#0000D0]test[/color]    [color=#FF0000]ah[/color], 41
  00401020  |.  75 06         [color=#0000D0]jnz[/color]     short 00401028                                       [color=#008000];如果Result>-5.00000000则return 1[/color]
  00401022  |.  B8 01000000   [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], 1
  00401027  |.  C3            [color=#0000D0]retn[/color]
  00401028  |>  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  0040102A  \.  C3            [color=#0000D0]retn[/color]
  

That completes the trace of the whole algorithm. The program derives Y from the name the user entered and X1, X2, X3, X4 from the key; registration succeeds only if all four of the following inequalities hold:

-5 < X2*37+X1*112+Y*7+X4*5+X3*60-100 < 5
-5 < X2*39+X1*67+Y*12+X4*50+X3*30-80 < 5
-5 < X2*54+X1*72+Y*15+X4*28+X3*33-92 < 5
-5 < X2*60+X1*80+Y*21+X4*20+X3*42-105 < 5

Since the user name is whatever we type in, Y is known here; solving the four equations simultaneously with our own Y substituted gives the value of each X. In theory there are infinitely many solutions for the X's, so one user name corresponds to many registration codes, and only the first 64 characters of the code have any effect.
Here is a set of working registration codes:

haw
008BD375CC1C7440217B1EA657D468C02F4268FF726580C084FA2BA733C851C0
hawking
B850BEFC46DA9140B68FCB818B1F86C084E702195B269DC0A21C10126DAA6FC0

As for a keygen, I don't know how to program a solver for the system and couldn't manage it; I'd be grateful if someone could show the way.
  
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!

                                                       17 January 2007, 23:27:58

Latest replies (7)

riijj 2007-1-18 00:17  #2
Very clear.
warshon 2007-1-18 08:41  #3
Solving the inequalities directly is a bit of a hassle; here is another way to look at it: start from the second condition, Result<5. First solve the system with each Result=5 for a set of roots fk1, fk2, fk3, fk4, then add a suitably small floating-point number to one or several of those roots and the inequalities are satisfied.

btw: there are many algorithms for solving a system of linear equations; I used Gaussian elimination with partial (column) pivoting.

The attachment contains the key part of the keygen code.
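As an added example (not hawking's code and not warshon's attachment), the Python below does what the two posts above describe: it solves the four linear constraints recovered from the disassembly for X1..X4 given a known Y, using Gaussian elimination with partial pivoting as warshon suggests, and re-checks each candidate with a mirror of the comparison routine at 00401000. The routines that derive Y from the name and X1..X4 from the 64-character key are outside this section, so Y is taken as an already-computed input (the sample value is constructed) and the output is the four doubles, not a key string; the ROWS table is assembled from the ";Result = ..." comments in the listing.

```python
from typing import List, Sequence, Tuple

# Coefficient table built from the ";Result = ..." comments in the listing.
# Row layout: (cX1, cX2, cX3, cX4, cY, const), so that
#   Result = cX1*X1 + cX2*X2 + cX3*X3 + cX4*X4 + cY*Y - const
ROWS: List[Tuple[int, int, int, int, int, int]] = [
    (112, 37, 60, 5, 7, 100),   # 00401331: X2*37+X1*112+Y*7+X4*5+X3*60-100
    (67, 39, 30, 50, 12, 80),   # 00401383: X2*39+X1*67+Y*12+X4*50+X3*30-80
    (72, 54, 33, 28, 15, 92),   # 004013D5: X2*54+X1*72+Y*15+X4*28+X3*33-92
    (80, 60, 42, 20, 21, 105),  # 00401427: X2*60+X1*80+Y*21+X4*20+X3*42-105
]


def result(row: Sequence[int], x: Sequence[float], y: float) -> float:
    """Evaluate one Result expression for candidate X1..X4 and known Y."""
    c1, c2, c3, c4, cy, k = row
    return c1 * x[0] + c2 * x[1] + c3 * x[2] + c4 * x[3] + cy * y - k


def check(r: float) -> int:
    """Mirror of sub_401000.

    fcomp 5.0 ; test ah,1   -> C0 is set only when r < 5.0, else return 0
    fcomp -5.0; test ah,41  -> C0|C3 set when r <= -5.0, then return 0
    Anything left satisfies -5 < r < 5 and returns 1.  (A NaN sets all
    condition bits and therefore also ends in return 0, as in the binary.)
    """
    if not (r < 5.0):
        return 0
    if r <= -5.0:
        return 0
    return 1


def solve_gauss(a: Sequence[Sequence[float]], b: Sequence[float]) -> List[float]:
    """Solve a*x = b by Gaussian elimination with partial (column) pivoting."""
    n = len(b)
    m = [list(map(float, row)) + [float(rhs)] for row, rhs in zip(a, b)]
    for col in range(n):
        # pick the largest remaining entry in this column as pivot (stability)
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular coefficient matrix")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):  # back substitution
        s = m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))
        x[r] = s / m[r][r]
    return x


def solve_for_x(y: float, target: float = 0.0) -> List[float]:
    """Choose X1..X4 so that every Result equals `target`.

    target=0 puts the solution in the middle of the (-5, 5) window, so
    floating-point rounding cannot push it across either bound.
    """
    a = [row[:4] for row in ROWS]
    b = [row[5] + target - row[4] * y for row in ROWS]
    return solve_gauss(a, b)


def verify(x: Sequence[float], y: float) -> bool:
    """Run all four checks exactly as the binary does (every flag must be set)."""
    return all(check(result(row, x, y)) == 1 for row in ROWS)


if __name__ == "__main__":
    y_sample = 1234.5  # constructed; the real Y comes from the name routine not shown here
    xs = solve_for_x(y_sample)
    for i, xv in enumerate(xs, 1):
        print(f"X{i} = {xv:.6f}")
    print("all four checks pass:", verify(xs, y_sample))
```

Solving with Result=0 rather than Result=5 and nudging, as warshon describes, avoids the edge where a root rounds onto the boundary and the strict comparison in 00401000 rejects it; the `target` argument lets you place the solution anywhere inside the window (or outside it, to confirm the check fails).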
beyondhkm 2007-1-18 09:10  #4
Ugh, it's written in such detail and I still can't follow it; this is painful.
hawking 2007-1-18 10:44  #5
I wrote this article mainly because I had never dealt with floating-point instructions before and took the chance to learn them.
I know little about data structures and algorithms, a complete layman; warshon, could you publish the keygen code you wrote so we can learn from it?
warshon 2007-1-18 12:06  #6
Originally posted by hawking:
I wrote this article mainly because I had never dealt with floating-point instructions before and took the chance to learn them.
I know little about data structures and algorithms, a complete layman; warshon, could you publish the keygen code you wrote so we can learn from it?

See the code in post #3. +U
hawking 2007-1-18 12:34  #7
Thanks, studying it.
dewar 2007-2-6 19:21  #8
Very clear, props to the OP!