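【Target software】Hootech MP3 to SWF Converter 2.4.841
【Software language】English
【Software category】Foreign software / shareware / video tools
【Platform】Win9x/Me/NT/2000/XP/2003
【Protection】Registration code
【Author's note】I am new to cracking and do it only out of interest, to pass my spare time. I would be grateful if more experienced readers pointed out any mistakes.
【Written in】Microsoft Visual C++ 6.0
【Debugger】OllyDbg
【Download】http://www.onlinedown.net/soft/51005.htm
【About the software】An MP3/WAV file converter that turns MP3/WAV files into SWF files. It supports the following: converting large MP3/WAV files into small SWF files at several quality levels; recording directly and converting the recording to SWF; generating streaming SWF files that play online without waiting for the download to finish; generating SWF files with a control bar and a choice of built-in buttons; drag and drop, batch conversion, fast conversion and ease of use.
I. Tracing the algorithm
The message text of the registration dialog leads straight to the code below: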
0040B106 . 6A FF PUSH -1
0040B108 . 68 088A4700 PUSH MP32SWF.00478A08
0040B10D . 50 PUSH EAX
0040B10E . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0040B115 . 53 PUSH EBX
0040B116 . 56 PUSH ESI
0040B117 . 57 PUSH EDI
0040B118 . 8BF1 MOV ESI,ECX
0040B11A . E8 2C980600 CALL MP32SWF.0047494B
0040B11F . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0040B122 . E8 4CF30500 CALL MP32SWF.0046A473
0040B127 . 6A 01 PUSH 1
0040B129 . 8BCE MOV ECX,ESI
0040B12B . C74424 18 00000000 MOV DWORD PTR SS:[ESP+18],0
0040B133 . E8 EDDC0500 CALL MP32SWF.00468E25
0040B138 . 8D7E 5C LEA EDI,DWORD PTR DS:[ESI+5C] ; [ESI+5C] = address of the user name
0040B13B . 8BCF MOV ECX,EDI
0040B13D . E8 0F900500 CALL MP32SWF.00464151
0040B142 . 8BCF MOV ECX,EDI
0040B144 . E8 BC8F0500 CALL MP32SWF.00464105
0040B149 . 8D5E 60 LEA EBX,DWORD PTR DS:[ESI+60] ; [ESI+60] = address of the entered (trial) code
0040B14C . 8BCB MOV ECX,EBX
0040B14E . E8 FE8F0500 CALL MP32SWF.00464151
0040B153 . 8BCB MOV ECX,EBX
0040B155 . E8 AB8F0500 CALL MP32SWF.00464105
0040B15A . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0040B15C . 8B48 F8 MOV ECX,DWORD PTR DS:[EAX-8]
0040B15F . 85C9 TEST ECX,ECX ; was a user name entered?
0040B161 . 75 0E JNZ SHORT MP32SWF.0040B171
0040B163 . 6A 30 PUSH 30
0040B165 . 68 00D34700 PUSH MP32SWF.0047D300 ; mp3 to swf converter
0040B16A . 68 18D34700 PUSH MP32SWF.0047D318 ; please enter your name.
0040B16F . EB 3B JMP SHORT MP32SWF.0040B1AC
0040B171 > 8B1B MOV EBX,DWORD PTR DS:[EBX]
0040B173 . 8D4E 64 LEA ECX,DWORD PTR DS:[ESI+64]
0040B176 . 51 PUSH ECX
0040B177 . 53 PUSH EBX
0040B178 . E8 43710100 CALL MP32SWF.004222C0 ; key call
0040B17D . 83C4 08 ADD ESP,8
0040B180 . 85C0 TEST EAX,EAX ; EAX=1 means registration succeeded
0040B182 . 74 1C JE SHORT MP32SWF.0040B1A0 ; jumps to registration failure
0040B184 . 6A 40 PUSH 40
0040B186 . 68 00D34700 PUSH MP32SWF.0047D300 ; mp3 to swf converter
0040B18B . 68 30D34700 PUSH MP32SWF.0047D330 ; register successfully. thank you for your support.
0040B190 . 8BCE MOV ECX,ESI
0040B192 . E8 98D40500 CALL MP32SWF.0046862F
0040B197 . 8BCE MOV ECX,ESI
0040B199 . E8 C5FD0500 CALL MP32SWF.0046AF63
0040B19E . EB 13 JMP SHORT MP32SWF.0040B1B3
0040B1A0 > 6A 10 PUSH 10
0040B1A2 . 68 00D34700 PUSH MP32SWF.0047D300 ; mp3 to swf converter
0040B1A7 . 68 64D34700 PUSH MP32SWF.0047D364 ; invalid registration code.\nplease check that you entered exact information.\n\nif you have any problem with your registration code,\nplease contact <sales@hootech.com>.
0040B1AC > 8BCE MOV ECX,ESI
Step into the key call at 0040B178:
004222C0 /$ 83EC 60 SUB ESP,60
004222C3 |. 56 PUSH ESI
004222C4 |. 8B7424 68 MOV ESI,DWORD PTR SS:[ESP+68] ; [ESP+68] = address of the entered code
004222C8 |. 56 PUSH ESI ; /String
004222C9 |. FF15 E8C14700 CALL NEAR DWORD PTR DS:[<&KERNE>; \lstrlenA
004222CF |. 83F8 40 CMP EAX,40 ; compare the length of the entered code
004222D2 |. 74 07 JE SHORT MP32SWF.004222DB
004222D4 |. 33C0 XOR EAX,EAX
004222D6 |. 5E POP ESI
004222D7 |. 83C4 60 ADD ESP,60
004222DA |. C3 RETN
004222DB |> 53 PUSH EBX
004222DC |. 55 PUSH EBP
004222DD |. 8B2D 54C34700 MOV EBP,DWORD PTR DS:[<&KERNEL3>; kernel32.lstrcpynA
004222E3 |. 57 PUSH EDI
004222E4 |. 8D7C24 10 LEA EDI,DWORD PTR SS:[ESP+10]
004222E8 |. BB 08000000 MOV EBX,8
004222ED |> 6A 09 PUSH 9
004222EF |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
004222F3 |. 56 PUSH ESI
004222F4 |. 50 PUSH EAX
004222F5 |. FFD5 CALL NEAR EBP
004222F7 |. 57 PUSH EDI
004222F8 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
004222FC |. 68 40A24900 PUSH MP32SWF.0049A240 ; %x
00422301 |. 51 PUSH ECX
00422302 |. 83C6 08 ADD ESI,8
00422305 |. E8 6F160300 CALL MP32SWF.00453979
0042230A |. 83C4 0C ADD ESP,0C
0042230D |. 83C7 04 ADD EDI,4
00422310 |. 4B DEC EBX
00422311 |.^ 75 DA JNZ SHORT MP32SWF.004222ED ; split the entered code into 8 groups, call them (s1…s8)
00422313 |. 8B7C24 78 MOV EDI,DWORD PTR SS:[ESP+78]
00422317 |. B9 08000000 MOV ECX,8
0042231C |. 8D7424 10 LEA ESI,DWORD PTR SS:[ESP+10]
00422320 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
00422324 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWO>
00422326 |. 52 PUSH EDX
00422327 |. E8 14000000 CALL MP32SWF.00422340 ; F7 to step into the algorithm call
0042232C |. 83C4 04 ADD ESP,4
0042232F |. 5F POP EDI
00422330 |. 5D POP EBP
00422331 |. 5B POP EBX
00422332 |. 5E POP ESI
00422333 |. 83C4 60 ADD ESP,60
00422336 \. C3 RETN
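At 00422327, press F7 to step into the algorithm call.
The code below tests its computed results in four places, and registration succeeds when the condition is met. Once the three decoy checks are ruled out, much of the decoy arithmetic can be ignored.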
00422340 /$ 81EC B0000000 SUB ESP,0B0
00422346 |. 53 PUSH EBX
00422347 |. 55 PUSH EBP
00422348 |. 56 PUSH ESI
00422349 |. 8BB424 C0000000 MOV ESI,DWORD PTR SS:[ESP+C0]
00422350 |. 57 PUSH EDI
00422351 |. C74424 3C 00000000 MOV DWORD PTR SS:[ESP+3C],0
00422359 |. 8B7E 1C MOV EDI,DWORD PTR DS:[ESI+1C] ; [ESI+1C]=s8
0042235C |. 8B56 14 MOV EDX,DWORD PTR DS:[ESI+14] ; [ESI+14]=s6
0042235F |. 8BC2 MOV EAX,EDX
00422361 |. 8BCF MOV ECX,EDI
00422363 |. 25 AFFEABAF AND EAX,AFABFEAF
00422368 |. 81E1 50015450 AND ECX,50540150
0042236E |. 0FAFC1 IMUL EAX,ECX
00422371 |. 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10] ; [ESI+10]=s5
00422374 |. 8B5E 04 MOV EBX,DWORD PTR DS:[ESI+4] ; [ESI+4]=s2
00422377 |. 894424 40 MOV DWORD PTR SS:[ESP+40],EAX
0042237B |. 8BC3 MOV EAX,EBX
0042237D |. 8BE9 MOV EBP,ECX
0042237F |. 25 594C8EA9 AND EAX,A98E4C59
00422384 |. 81E5 A6B37156 AND EBP,5671B3A6
0042238A |. C74424 64 00000000 MOV DWORD PTR SS:[ESP+64],0
00422392 |. 0FAFC5 IMUL EAX,EBP
00422395 |. 894424 58 MOV DWORD PTR SS:[ESP+58],EAX
00422399 |. 8BC3 MOV EAX,EBX
0042239B |. 33C7 XOR EAX,EDI ; s2^s8
0042239D |. 8BEF MOV EBP,EDI
0042239F |. 25 58244948 AND EAX,48492458 ; EAX=(s2^s8)&48492458
004223A4 |. 81E5 37422398 AND EBP,98234237
004223AA |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX ; save (s2^s8)&48492458
004223AE |. 33C7 XOR EAX,EDI ; EAX=((s2^s8)&48492458)^s8
004223B0 |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX ; save EAX
004223B4 |. 8BC3 MOV EAX,EBX
004223B6 |. 33C2 XOR EAX,EDX
004223B8 |. 8BD3 MOV EDX,EBX
004223BA |. 25 AFFADB76 AND EAX,76DBFAAF
004223BF |. 81E2 50015450 AND EDX,50540150
004223C5 |. 33C3 XOR EAX,EBX
004223C7 |. 898424 B8000000 MOV DWORD PTR SS:[ESP+B8],EAX
004223CE |. 8BC7 MOV EAX,EDI
004223D0 |. F7D0 NOT EAX
004223D2 |. 25 A7DBB6B7 AND EAX,B7B6DBA7
004223D7 |. 0BC2 OR EAX,EDX
004223D9 |. 8B56 18 MOV EDX,DWORD PTR DS:[ESI+18] ; [ESI+18]=s7
004223DC |. 894424 70 MOV DWORD PTR SS:[ESP+70],EAX ;
004223E0 |. 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] ; [ESI+C]=s4
004223E3 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
004223E7 |. 33C2 XOR EAX,EDX ; EAX=s4^s7
004223E9 |. 25 A6B37156 AND EAX,5671B3A6 ; EAX=(s4^s7)&5671B3A6
004223EE |. 895424 10 MOV DWORD PTR SS:[ESP+10],EDX
004223F2 |. 33C2 XOR EAX,EDX ; EAX=((s4^s7)&5671B3A6)^s7
004223F4 |. 33D2 XOR EDX,EDX ; clear EDX
004223F6 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; save ((s4^s7)&5671B3A6)^s7
004223FA |. 894424 20 MOV DWORD PTR SS:[ESP+20],EAX
004223FE |. 69C0 73853409 IMUL EAX,EAX,9348573
00422404 |. 25 87A93434 AND EAX,3434A987
00422409 |. 81E2 9823FEAD AND EDX,ADFE2398
0042240F |. 894424 30 MOV DWORD PTR SS:[ESP+30],EAX
00422413 |. 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8] ; [ESI+8]=s3
00422416 |. 895424 34 MOV DWORD PTR SS:[ESP+34],EDX ; EDX=0
0042241A |. 8BD0 MOV EDX,EAX
0042241C |. 33D1 XOR EDX,ECX ; EDX=s3^s5
0042241E |. 81E2 AFFADB76 AND EDX,76DBFAAF ; EDX=(s3^s5)&76DBFAAF
00422424 |. 33D1 XOR EDX,ECX ; EDX=((s3^s5)&76DBFAAF)^s5
00422426 |. 895424 24 MOV DWORD PTR SS:[ESP+24],EDX ; save ((s3^s5)&76DBFAAF)^s5
0042242A |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; [ESI]=s1
0042242C |. 81E2 E93A8290 AND EDX,90823AE9
00422432 |. 0FAFD5 IMUL EDX,EBP
00422435 |. 895424 38 MOV DWORD PTR SS:[ESP+38],EDX
00422439 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
0042243D |. 8BEF MOV EBP,EDI
0042243F |. 81E2 58244948 AND EDX,48492458
00422445 |. 81E5 A7DBB6B7 AND EBP,B7B6DBA7
0042244B |. 0FAFD5 IMUL EDX,EBP
0042244E |. 8B6E 14 MOV EBP,DWORD PTR DS:[ESI+14] ; [ESI+14]=s6
00422451 |. 895424 60 MOV DWORD PTR SS:[ESP+60],EDX
00422455 |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; [ESI]=s1
00422457 |. 33D5 XOR EDX,EBP ; EDX=s1^s6
00422459 |. 8B2E MOV EBP,DWORD PTR DS:[ESI]
0042245B |. 81E2 50015450 AND EDX,50540150 ; EDX=(s1^s6)&50540150
00422461 |. 33D5 XOR EDX,EBP ; EDX=((s1^s6)&50540150)^s1
00422463 |. 895424 7C MOV DWORD PTR SS:[ESP+7C],EDX ; save ((s1^s6)&50540150)^s1
00422467 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10] ; [ESP+10]=s7
0042246B |. 8BE8 MOV EBP,EAX
0042246D |. 25 A7DBB6B7 AND EAX,B7B6DBA7
00422472 |. 81E1 594C8EA9 AND ECX,A98E4C59
00422478 |. 0FAFC1 IMUL EAX,ECX
0042247B |. 33EA XOR EBP,EDX
0042247D |. 894424 48 MOV DWORD PTR SS:[ESP+48],EAX
00422481 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00422485 |. 81E5 A6B37156 AND EBP,5671B3A6
0042248B |. 33EA XOR EBP,EDX
0042248D |. 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18] ; [ESP+18]=(s2^s8)&48492458
00422491 |. 68 98720000 PUSH 7298
00422496 |. 68 988776A8 PUSH A8768798
0042249B |. 33D3 XOR EDX,EBX ; EDX=(s2^s8)&48492458^s2
0042249D |. 6A 00 PUSH 0
0042249F |. 50 PUSH EAX
004224A0 |. 895424 28 MOV DWORD PTR SS:[ESP+28],EDX ; save ((s2^s8)&48492458)^s2
004224A4 |. E8 27100300 CALL MP32SWF.004534D0
004224A9 |. 8B4C24 30 MOV ECX,DWORD PTR SS:[ESP+30]
004224AD |. 23C1 AND EAX,ECX
004224AF |. 8B4C24 34 MOV ECX,DWORD PTR SS:[ESP+34] ; [ESP+34]=0
004224B3 |. 23D1 AND EDX,ECX
004224B5 |. 3D 80A628C4 CMP EAX,C428A680 ; decoy comparison
004224BA |. 75 3E JNZ SHORT MP32SWF.004224FA
004224BC |. 81FA 723AE792 CMP EDX,92E73A72 ; EDX is always 0
004224C2 |. 75 36 JNZ SHORT MP32SWF.004224FA
004224C4 |. 8B5C24 1C MOV EBX,DWORD PTR SS:[ESP+1C]
004224C8 |. 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18]
004224CC |. 33ED XOR EBP,EBP
004224CE |. 33C0 XOR EAX,EAX
004224D0 |. 899C24 90000000 MOV DWORD PTR SS:[ESP+90],EBX
004224D7 |. 89AC24 94000000 MOV DWORD PTR SS:[ESP+94],EBP
004224DE |. 23DF AND EBX,EDI
004224E0 |. 23E8 AND EBP,EAX
004224E2 |. 81F3 46838419 XOR EBX,19848346
004224E8 |. 898424 8C000000 MOV DWORD PTR SS:[ESP+8C],EAX
004224EF |. 81F5 35716887 XOR EBP,87687135
004224F5 |. E9 92010000 JMP MP32SWF.0042268C
004224FA |> 0FAFAC24 B8000000 IMUL EBP,DWORD PTR SS:[ESP+B8]
00422502 |. 8B5424 40 MOV EDX,DWORD PTR SS:[ESP+40]
00422506 |. 8BC5 MOV EAX,EBP
00422508 |. 33ED XOR EBP,EBP
0042250A |. 33C9 XOR ECX,ECX ; clear ECX
0042250C |. 3BC2 CMP EAX,EDX ; decoy comparison
0042250E |. 75 57 JNZ SHORT MP32SWF.00422567
00422510 |. 33C0 XOR EAX,EAX
00422512 |. 3BC8 CMP ECX,EAX
00422514 |. 75 51 JNZ SHORT MP32SWF.00422567
00422516 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0042251A |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0042251E |. 25 A6B37156 AND EAX,5671B3A6
00422523 |. 81E1 50015450 AND ECX,50540150
00422529 |. 81E7 58244948 AND EDI,48492458
0042252F |. 81E3 AFFEABAF AND EBX,AFABFEAF
00422535 |. 0BC1 OR EAX,ECX
00422537 |. 0BFB OR EDI,EBX
00422539 |. 8BD8 MOV EBX,EAX
0042253B |. 33D2 XOR EDX,EDX
0042253D |. 89AC24 94000000 MOV DWORD PTR SS:[ESP+94],EBP
00422544 |. 33DF XOR EBX,EDI
00422546 |. 33EA XOR EBP,EDX
00422548 |. 81F3 858F0019 XOR EBX,19008F85
0042254E |. 899424 8C000000 MOV DWORD PTR SS:[ESP+8C],EDX
00422555 |. 898424 90000000 MOV DWORD PTR SS:[ESP+90],EAX
0042255C |. 81F5 66EC6827 XOR EBP,2768EC66
00422562 |. E9 25010000 JMP MP32SWF.0042268C
00422567 |> 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18] ; [ESP+18]=(s2^s8)&48492458
0042256B |. 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20] ; [ESP+20]=((s4^s7)&5671B3A6)^s7
0042256F |. 33CA XOR ECX,EDX
00422571 |. F7C1 472383AE TEST ECX,AE832347
00422577 |. 0F84 C1000000 JE MP32SWF.0042263E
0042257D |. 33FF XOR EDI,EDI ; clear EDI
0042257F |. 89AC24 8C000000 MOV DWORD PTR SS:[ESP+8C],EBP ; EBP=0
00422586 |. 89AC24 90000000 MOV DWORD PTR SS:[ESP+90],EBP
0042258D |. 89AC24 94000000 MOV DWORD PTR SS:[ESP+94],EBP
00422594 |. 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
00422598 |. 8D5E 18 LEA EBX,DWORD PTR DS:[ESI+18]
0042259B |. C74424 14 07000000 MOV DWORD PTR SS:[ESP+14],7
004225A3 |> 8B5424 10 /MOV EDX,DWORD PTR SS:[ESP+10] ; [ESP+10]=s7..s1
004225A7 |. 8B0B |MOV ECX,DWORD PTR DS:[EBX] ; [EBX]=s1..s7
004225A9 |. F7D1 |NOT ECX
004225AB |. 8B02 |MOV EAX,DWORD PTR DS:[EDX]
004225AD |. 8BD1 |MOV EDX,ECX
004225AF |. 8BE8 |MOV EBP,EAX
004225B1 |. 81E2 58244948 |AND EDX,48492458
004225B7 |. 81E5 AFFEABAF |AND EBP,AFABFEAF
004225BD |. 0FAFD5 |IMUL EDX,EBP
004225C0 |. 8BAC24 8C000000 |MOV EBP,DWORD PTR SS:[ESP+8C]
004225C7 |. 03FA |ADD EDI,EDX
004225C9 |. BA 00000000 |MOV EDX,0
004225CE |. 13EA |ADC EBP,EDX
004225D0 |. 25 A6B37156 |AND EAX,5671B3A6
004225D5 |. 81E1 50015450 |AND ECX,50540150
004225DB |. 89AC24 8C000000 |MOV DWORD PTR SS:[ESP+8C],EBP
004225E2 |. 0FAFC1 |IMUL EAX,ECX
004225E5 |. 8B8C24 90000000 |MOV ECX,DWORD PTR SS:[ESP+90]
004225EC |. 8BAC24 94000000 |MOV EBP,DWORD PTR SS:[ESP+94]
004225F3 |. 03C8 |ADD ECX,EAX
004225F5 |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
004225F9 |. 898C24 90000000 |MOV DWORD PTR SS:[ESP+90],ECX
00422600 |. 8B4C24 10 |MOV ECX,DWORD PTR SS:[ESP+10]
00422604 |. 13EA |ADC EBP,EDX
00422606 |. 83EB 04 |SUB EBX,4
00422609 |. 83C1 04 |ADD ECX,4
0042260C |. 48 |DEC EAX
0042260D |. 89AC24 94000000 |MOV DWORD PTR SS:[ESP+94],EBP
00422614 |. 894C24 10 |MOV DWORD PTR SS:[ESP+10],ECX
00422618 |. 894424 14 |MOV DWORD PTR SS:[ESP+14],EAX
0042261C |.^ 75 85 \JNZ SHORT MP32SWF.004225A3 ; this loop makes the comparison at 00422833 come out unequal
0042261E |. 8B9C24 90000000 MOV EBX,DWORD PTR SS:[ESP+90]
00422625 |. 8B9424 8C000000 MOV EDX,DWORD PTR SS:[ESP+8C]
0042262C |. 23DF AND EBX,EDI
0042262E |. 23EA AND EBP,EDX
00422630 |. 81F3 4A98AE68 XOR EBX,68AE984A
00422636 |. 81F5 19974835 XOR EBP,35489719
0042263C |. EB 4E JMP SHORT MP32SWF.0042268C
0042263E |> 55 PUSH EBP
0042263F |. E8 B9030300 CALL MP32SWF.004529FD
00422644 |. 83C4 04 ADD ESP,4
00422647 |. 8BF8 MOV EDI,EAX
00422649 |. E8 8D030300 CALL MP32SWF.004529DB
0042264E |. 0FAFF8 IMUL EDI,EAX
00422651 |. FF15 3CC34700 CALL NEAR DWORD PTR DS:[<&KERNEL>
00422657 |. 0FAFF8 IMUL EDI,EAX
0042265A |. 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
0042265D |. 33C0 XOR EAX,EAX
0042265F |. 50 PUSH EAX
00422660 |. 57 PUSH EDI
00422661 |. 55 PUSH EBP
00422662 |. 51 PUSH ECX
00422663 |. 898424 9C000000 MOV DWORD PTR SS:[ESP+9C],EAX
0042266A |. E8 610E0300 CALL MP32SWF.004534D0
0042266F |. 898424 90000000 MOV DWORD PTR SS:[ESP+90],EAX
00422676 |. 8BD8 MOV EBX,EAX
00422678 |. 8B8424 8C000000 MOV EAX,DWORD PTR SS:[ESP+8C]
0042267F |. 8BEA MOV EBP,EDX
00422681 |. 33DF XOR EBX,EDI
00422683 |. 899424 94000000 MOV DWORD PTR SS:[ESP+94],EDX
0042268A |. 33E8 XOR EBP,EAX
0042268C |> 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14] ; [ESI+14]=s6
0042268F |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; [ESI]=s1
00422691 |. 8BC1 MOV EAX,ECX
00422693 |. 6A 00 PUSH 0
00422695 |. 33C2 XOR EAX,EDX ; EAX=s6^s1
00422697 |. 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8] ; [ESI+8]=s3
0042269A |. 25 50015450 AND EAX,50540150 ; EAX=(s6^s1)&50540150
0042269F |. 33C1 XOR EAX,ECX ; EAX=((s6^s1)&50540150)^s6
004226A1 |. 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24] ; [ESP+24]=((s4^s7)&5671B3A6)^s7
004226A5 |. 81F1 44894865 XOR ECX,65488944
004226AB |. 894424 6C MOV DWORD PTR SS:[ESP+6C],EAX ; [+68]
004226AF |. 894C24 24 MOV DWORD PTR SS:[ESP+24],ECX ; save (((s4^s7)&5671B3A6)^s7)^65488944
004226B3 |. 8B4E 18 MOV ECX,DWORD PTR DS:[ESI+18] ; [ESI+18]=s7
004226B6 |. F7D1 NOT ECX
004226B8 |. 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28] ; [+24]=((s3^s5)&76DBFAAF)^s5
004226BC |. 8BC1 MOV EAX,ECX
004226BE |. 33C2 XOR EAX,EDX
004226C0 |. 81F6 00541612 XOR ESI,12165400 ; ESI=((s3^s5)&76DBFAAF)^s5^12165400
004226C6 |. 25 A6B37156 AND EAX,5671B3A6
004226CB |. 33C1 XOR EAX,ECX
004226CD |. 894424 78 MOV DWORD PTR SS:[ESP+78],EAX
004226D1 |. E8 27030300 CALL MP32SWF.004529FD
004226D6 |. 83C4 04 ADD ESP,4
004226D9 |. E8 FD020300 CALL MP32SWF.004529DB
004226DE |. FF15 3CC34700 CALL NEAR DWORD PTR DS:[<&KERNEL>
004226E4 |. 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20] ; [ESP+20]=(((s4^s7)&5671B3A6)^s7)^65488944
004226E8 |. 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+28] ; [ESP+28]=((s2^s8)&48492458)^s8
004226EC |. 8B4C24 7C MOV ECX,DWORD PTR SS:[ESP+7C] ; [ESP+7C]=((s1^s6)&50540150)^s1
004226F0 |. 33D0 XOR EDX,EAX
004226F2 |. 81F1 2C5484AE XOR ECX,AE84542C ; ECX=(((s1^s6)&50540150)^s1)^AE84542C
004226F8 |. 81FA 20817E89 CMP EDX,897E8120 ; key comparison (1)
004226FE |. 0F85 95000000 JNZ MP32SWF.00422799 ; must not jump here
00422704 |. 8B4424 68 MOV EAX,DWORD PTR SS:[ESP+68] ; [ESP+68]=((s6^s1)&50540150)^s6
00422708 |. 33C6 XOR EAX,ESI ; ESI=((s3^s5)&76DBFAAF)^s5^12165400
0042270A |. 3D 65C494E8 CMP EAX,E894C465 ; key comparison (2)
0042270F |. 74 49 JE SHORT MP32SWF.0042275A ; must jump here
00422711 |. 8B4424 60 MOV EAX,DWORD PTR SS:[ESP+60]
00422715 |. 8B7C24 48 MOV EDI,DWORD PTR SS:[ESP+48]
00422719 |. 8B4C24 64 MOV ECX,DWORD PTR SS:[ESP+64]
0042271D |. 8B6C24 58 MOV EBP,DWORD PTR SS:[ESP+58]
00422721 |. F7D0 NOT EAX
00422723 |. 23C7 AND EAX,EDI
00422725 |. 33D2 XOR EDX,EDX ; EDX=0
00422727 |. F7D1 NOT ECX
00422729 |. 33C5 XOR EAX,EBP
0042272B |. 23CA AND ECX,EDX ; ECX=0
0042272D |. F7D0 NOT EAX
0042272F |. 33CA XOR ECX,EDX ; ECX=0 xor 0=0
00422731 |. 3D 2802C042 CMP EAX,42C00228 ; decoy comparison
00422736 |. F7D1 NOT ECX
00422738 |. 0F85 14010000 JNZ MP32SWF.00422852
0042273E |. 81F9 8AE96598 CMP ECX,9865E98A ; ECX=0
00422744 |. 0F85 08010000 JNZ MP32SWF.00422852
0042274A |. 5F POP EDI
0042274B |. 5E POP ESI
0042274C |. 5D POP EBP
0042274D |. B8 01000000 MOV EAX,1
00422752 |. 5B POP EBX
00422753 |. 81C4 B0000000 ADD ESP,0B0
00422759 |. C3 RETN ; this return is never reached
0042275A |> B8 F1F0F0F0 MOV EAX,F0F0F0F1
0042275F |. F7E1 MUL ECX ; ECX=(((s1^s6)&50540150)^s1)^AE84542C
00422761 |. C1EA 04 SHR EDX,4
00422764 |. B8 4FECC44E MOV EAX,4EC4EC4F
00422769 |. 8BFA MOV EDI,EDX
0042276B |. F7E1 MUL ECX
0042276D |. 0FAFFE IMUL EDI,ESI ; ESI=((s3^s5)&76DBFAAF)^s5^12165400)
00422770 |. 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ; [ESP+20]=((s4^s7)&5671B3A6)^s7
00422774 |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18] ; [ESP+18]=(s2^s8)&48492458
00422778 |. C1EA 02 SHR EDX,2
0042277B |. 0FAFF0 IMUL ESI,EAX
0042277E |. 0FAFD0 IMUL EDX,EAX
00422781 |. 03FA ADD EDI,EDX
00422783 |. 33C0 XOR EAX,EAX
00422785 |. 03FE ADD EDI,ESI
00422787 |. F7D7 NOT EDI
00422789 |. 3BF9 CMP EDI,ECX ; key comparison (3)
0042278B |. 5F POP EDI
0042278C |. 5E POP ESI
0042278D |. 5D POP EBP
0042278E |. 0F94C0 SETE AL
00422791 |. 5B POP EBX
00422792 |. 81C4 B0000000 ADD ESP,0B0
00422798 |. C3 RETN ; only a return from here with the condition met gives a successful registration
00422799 |> 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
0042279D |. 8B5424 40 MOV EDX,DWORD PTR SS:[ESP+40]
004227A1 |. 33C2 XOR EAX,EDX
004227A3 |. 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C] ; [ESP+3C]=0
004227A7 |. C74424 44 00000000 MOV DWORD PTR SS:[ESP+44],0
004227AF |. 335424 44 XOR EDX,DWORD PTR SS:[ESP+44]
004227B3 |. 3D E8005A5F CMP EAX,5F5A00E8 ; decoy comparison
004227B8 |. 75 5C JNZ SHORT MP32SWF.00422816
004227BA |. 81FA E48954A6 CMP EDX,A65489E4 ; EDX=0
004227C0 |. 75 54 JNZ SHORT MP32SWF.00422816
004227C2 |. B8 25499224 MOV EAX,24924925
004227C7 |. F7E1 MUL ECX
004227C9 |. 8BC1 MOV EAX,ECX
004227CB |. 2BC2 SUB EAX,EDX
004227CD |. D1E8 SHR EAX,1
004227CF |. 03C2 ADD EAX,EDX
004227D1 |. C1E8 02 SHR EAX,2
004227D4 |. 8BF8 MOV EDI,EAX
004227D6 |. B8 CB6B28AF MOV EAX,AF286BCB
004227DB |. F7E1 MUL ECX
004227DD |. 0FAFFE IMUL EDI,ESI
004227E0 |. 2BCA SUB ECX,EDX
004227E2 |. 8B4424 74 MOV EAX,DWORD PTR SS:[ESP+74]
004227E6 |. D1E9 SHR ECX,1
004227E8 |. 0FAF4424 70 IMUL EAX,DWORD PTR SS:[ESP+70]
004227ED |. 03CA ADD ECX,EDX
004227EF |. C1E9 04 SHR ECX,4
004227F2 |. 0FAF4C24 20 IMUL ECX,DWORD PTR SS:[ESP+20]
004227F7 |. 03F9 ADD EDI,ECX
004227F9 |. 8B8C24 B8000000 MOV ECX,DWORD PTR SS:[ESP+B8]
00422800 |. 03F8 ADD EDI,EAX
00422802 |. 33C0 XOR EAX,EAX
00422804 |. F7D7 NOT EDI
00422806 |. 3BF9 CMP EDI,ECX
00422808 |. 5F POP EDI
00422809 |. 5E POP ESI
0042280A |. 5D POP EBP
0042280B |. 0F94C0 SETE AL
0042280E |. 5B POP EBX
0042280F |. 81C4 B0000000 ADD ESP,0B0
00422815 |. C3 RETN ; this return is never reached
00422816 |> 8B8424 90000000 MOV EAX,DWORD PTR SS:[ESP+90]
0042281D |. 8B8C24 94000000 MOV ECX,DWORD PTR SS:[ESP+94]
00422824 |. 8B9424 8C000000 MOV EDX,DWORD PTR SS:[ESP+8C]
0042282B |. 23C7 AND EAX,EDI
0042282D |. 23CA AND ECX,EDX
0042282F |. 33C3 XOR EAX,EBX
00422831 |. 33CD XOR ECX,EBP
00422833 |. 3D 4F79AE48 CMP EAX,48AE794F ; EAX is always 68AE984A
00422838 |. 75 18 JNZ SHORT MP32SWF.00422852
0042283A |. 81F9 34023784 CMP ECX,84370234
00422840 |. 75 10 JNZ SHORT MP32SWF.00422852
00422842 |. 5F POP EDI
00422843 |. 5E POP ESI
00422844 |. 5D POP EBP
00422845 |. B8 01000000 MOV EAX,1
0042284A |. 5B POP EBX
0042284B |. 81C4 B0000000 ADD ESP,0B0
00422851 |. C3 RETN ; this return is never reached
00422852 |> 5F POP EDI
00422853 |. 5E POP ESI
00422854 |. 5D POP EBP
00422855 |. 33C0 XOR EAX,EAX
00422857 |. 5B POP EBX
00422858 |. 81C4 B0000000 ADD ESP,0B0
0042285E \. C3 RETN ; returns registration failure here
II. Algorithm summary
1. From the analysis above, returning successfully from 00422798 only requires the following three equations to hold at the same time.
Key comparison (1)
The check at 004226F8, CMP EDX,897E8120, requires EDX==897E8120
That is: ((((s4^s7)&5671B3A6)^s7)^65488944) ^ (((s2^s8)&48492458)^s8)==897E8120
Key comparison (2)
The check at 0042270A, CMP EAX,E894C465, requires EAX==E894C465
That is: ((s6^s1)&50540150)^s6 ^ ((s3^s5)&76DBFAAF)^s5^12165400==897E8120
Key comparison (3)
The check at 00422789, CMP EDI,ECX, requires EDI==ECX
Value of EDI:
(1) F0F0F0F1 * ((((s1^s6)&50540150)^s1)^AE84542C)
the high dword of the product, logically shifted right by 4; call it x
(2) 4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C)
the high dword of the product, logically shifted right by 2; call it y
(3) x * ((s3^s5)&76DBFAAF)^s5^12165400)
(4) y * (4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C))
(5) ((s3^s5)&76DBFAAF)^s5^12165400) * (4EC4EC4F * ((((s1^s6)&50540150)^s1)^AE84542C))
(6) (3)+(4)+(5), then the sum is bitwise inverted
Value of ECX: (s2^s8)&48492458
That is: (s2^s8)&48492458==(6)
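The multiply-then-shift pairs in steps (1) and (2) are the compiler's strength-reduced form of unsigned division by a constant: F0F0F0F1 with SHR 4 is division by 17, 4EC4EC4F with SHR 2 is division by 13, and the longer MUL/SUB/SHR/ADD/SHR sequences at 004227C2 and 004227D6 are division by 7 and 19. The C below is an added example, not code from the original post; the function names are illustrative, and it replays each instruction sequence and compares it with plain division.

```c
#include <stdint.h>
#include <stdio.h>

/* EDX after MUL: high dword of the 32x32 -> 64-bit unsigned product. */
static uint32_t mul_hi(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a * b) >> 32);
}

/* 0042275A: MOV EAX,F0F0F0F1 / MUL ECX / SHR EDX,4 */
uint32_t seq_f0f0f0f1(uint32_t c) { return mul_hi(0xF0F0F0F1u, c) >> 4; }

/* 00422764: MOV EAX,4EC4EC4F / MUL ECX / SHR EDX,2 */
uint32_t seq_4ec4ec4f(uint32_t c) { return mul_hi(0x4EC4EC4Fu, c) >> 2; }

/* Long form, emitted when the full magic constant needs 33 bits:
   MUL / SUB c,EDX / SHR 1 / ADD EDX / SHR n */
static uint32_t seq_long(uint32_t magic, unsigned n, uint32_t c) {
    uint32_t t = mul_hi(magic, c);
    return (((c - t) >> 1) + t) >> n;
}

/* 004227C2: MOV EAX,24924925 ... SHR EAX,2 */
uint32_t seq_24924925(uint32_t c) { return seq_long(0x24924925u, 2, c); }

/* 004227D6: MOV EAX,AF286BCB ... SHR ECX,4 */
uint32_t seq_af286bcb(uint32_t c) { return seq_long(0xAF286BCBu, 4, c); }

/* Compare one sequence with c / d on edge values, on a sweep of the
   32-bit range, and on both sides of the nearest multiple of d. */
unsigned long count_mismatches(uint32_t (*seq)(uint32_t), uint32_t d) {
    static const uint32_t edges[] = {
        0u, 1u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFEu, 0xFFFFFFFFu
    };
    unsigned long bad = 0;
    size_t i;
    uint64_t v;

    for (i = 0; i < sizeof edges / sizeof edges[0]; i++)
        if (seq(edges[i]) != edges[i] / d) bad++;

    for (v = 0; v <= 0xFFFFFFFFu; v += 65521u) {
        uint32_t c = (uint32_t)v;
        uint32_t m = (c / d) * d;           /* multiple of d at or below c */
        if (seq(c) != c / d) bad++;
        if (seq(m) != m / d) bad++;
        if (m > 0 && seq(m - 1) != (m - 1) / d) bad++;
    }
    return bad;
}

int main(void) {
    printf("F0F0F0F1, SHR 4 vs /17: %lu mismatches\n", count_mismatches(seq_f0f0f0f1, 17));
    printf("4EC4EC4F, SHR 2 vs /13: %lu mismatches\n", count_mismatches(seq_4ec4ec4f, 13));
    printf("24924925, long  vs /7 : %lu mismatches\n", count_mismatches(seq_24924925, 7));
    printf("AF286BCB, long  vs /19: %lu mismatches\n", count_mismatches(seq_af286bcb, 19));
    return 0;
}
```

Recognising these constants lets x and y in the summary be read as c/17 and c/13, where c is the value held in ECX at 0042275F.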
2. The expressions above look somewhat complicated. A quick way to obtain a working registration code is to transform them simply into:
(1) (s2^s8)&48492458^s2==FFFFFFFF
(2) ((s2^s8)&48492458)^s8)==897E8120
(3) (((s4^s7)&5671B3A6)^s7)^65488944==0
(4) ((s1^s6)&50540150)^s1^AE84542C==0
(5) ((s3^s5)&76DBFAAF)^s5^12165400==0
(6) ((s6^s1)&50540150)^s6==E894C465
Find s1~s8 that satisfy these equations.
From (4) and (6):
((s1^s6)&50540150)^s1==AE84542C
((s6^s1)&50540150)^s6==E894C465
we get:
s1=EE94546C
s6=A884C425
From (3):
((s4^s7)&5671B3A6)^s7==65488944
we get:
s7=65488944
s4=CCC6C51D
From (5):
((s3^s5)&76DBFAAF)^s5==12165400
we get:
s5=12165400
s3=9B325150
From (1) and (2):
(s2^s8)&48492458^s2==FFFFFFFF
((s2^s8)&48492458)^s8)==897E8120
we get:
s2=BFFEDBA7
s8=C97FA578
3. The user name is unrelated to the registration code
One working set of registration details:
Name:wzwgp
Registration Code:EE94546CBFFEDBA79B325150CCC6C51D12165400A884C42565488944C97FA578
The registration information is stored at: HKEY_CURRENT_USER\Software\Hoo Technologies\MP32SWF
Happy Spring Festival to everyone!