【破文标题】我酷单词连连看1.00(DES+Base64)
【破文作者】风间仁
【作者邮箱】fenjianzhun@gmail.com
【破解工具】OD
【软件名称】我酷单词连连看
【原版下载】自己搜索下载
【保护方式】序列号
【软件简介】软件采用热门休闲游戏连连看的方式记忆英文单词。只要用户点击选取显示有英文单词及其相应释
义的图案,游戏自动消去这对图案。游戏包括四种模式:混合模式、分离模式、释义选择模式及单词选择模式,
用户可以根据自身情况,选择喜欢的游戏模式。
【破解声明】只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------
【破解过程】此软件网上已经有内存注册机,偶只拿来练手,学习一下其注册算法!
新手发贴,大侠别笑话偶就行了。
合法注册信息:
注册名:fenjianren
注册码:0VY3-QM7E-UPGU-Y4E4
00414560 /$ 6A FF push -1 ; 下面是关键注册部分
00414562 |. 68 848A4200 push Wordllk.00428A84 ; SE 句柄安装
00414567 |. 64:A1 00000>mov eax,dword ptr fs:[0]
0041456D |. 50 push eax
0041456E |. 64:8925 000>mov dword ptr fs:[0],esp
00414575 |. 81EC 900100>sub esp,190
0041457B |. 53 push ebx
0041457C |. 55 push ebp
0041457D |. 56 push esi
0041457E |. 57 push edi
0041457F |. C74424 38 0>mov dword ptr ss:[esp+38],0
00414587 |. A1 D8844300 mov eax,dword ptr ds:[4384D8]
0041458C |. 8B0D DC8443>mov ecx,dword ptr ds:[4384DC]
00414592 |. 8A15 E08443>mov dl,byte ptr ds:[4384E0]
00414598 |. 8B35 44BA42>mov esi,dword ptr ds:[<&MSVCRT.strncpy>] ; msvcrt.strncpy
0041459E |. 894424 18 mov dword ptr ss:[esp+18],eax
004145A2 |. 33C0 xor eax,eax
004145A4 |. 894C24 1C mov dword ptr ss:[esp+1C],ecx
004145A8 |. 8B8C24 B401>mov ecx,dword ptr ss:[esp+1B4]
004145AF |. 885424 20 mov byte ptr ss:[esp+20],dl
004145B3 |. 894424 24 mov dword ptr ss:[esp+24],eax
004145B7 |. 6A 08 push 8 ; /maxlen = 8
004145B9 |. 8D5424 28 lea edx,dword ptr ss:[esp+28] ; |
004145BD |. 894424 2C mov dword ptr ss:[esp+2C],eax ; |
004145C1 |. 51 push ecx ; |src
004145C2 |. 52 push edx ; |dest
004145C3 |. C78424 B401>mov dword ptr ss:[esp+1B4],1 ; |
004145CE |. 884424 38 mov byte ptr ss:[esp+38],al ; |
004145D2 |. FFD6 call esi ; \strncpy 复制8位用户名
004145D4 |. 8B8424 C001>mov eax,dword ptr ss:[esp+1C0]
004145DB |. 6A 08 push 8 ; /maxlen = 8
004145DD |. 8D8C24 8400>lea ecx,dword ptr ss:[esp+84] ; |
004145E4 |. 50 push eax ; |src
004145E5 |. 51 push ecx ; |dest
004145E6 |. FFD6 call esi ; \strncpy 复制8位用户名
004145E8 |. 83C4 18 add esp,18
004145EB |. 33C0 xor eax,eax ; i=0
004145ED |. 8D4C24 7C lea ecx,dword ptr ss:[esp+7C]
004145F1 |> 8A11 /mov dl,byte ptr ds:[ecx] ; 取name[8-i]
004145F3 |. 885404 24 |mov byte ptr ss:[esp+eax+24],dl ; 移动用户名
004145F7 |. 40 |inc eax ; i++
004145F8 |. 49 |dec ecx
004145F9 |. 83F8 08 |cmp eax,8
004145FC |.^ 7C F3 \jl short Wordllk.004145F1
004145FE |. 33C0 xor eax,eax
00414600 |> 8A4C04 24 /mov cl,byte ptr ss:[esp+eax+24] ; 依次取倒序后的用户名每1位
(8位)
00414604 |. 8A5C04 18 |mov bl,byte ptr ss:[esp+eax+18] ; 依次取串"12345678"的每1位
00414608 |. 02D9 |add bl,cl ; 相加
0041460A |. 885C04 18 |mov byte ptr ss:[esp+eax+18],bl
0041460E |. 40 |inc eax
0041460F |. 83F8 08 |cmp eax,8
00414612 |.^ 7C EC \jl short Wordllk.00414600
地址[esp+eax+18]处的内容为:
0013F964 31 A4 A1 95 9E A0 A5 9D;这就是DES的8字节密钥
00414614 |. 8B0D CC8443>mov ecx,dword ptr ds:[4384CC] ; ecx=34333231
0041461A |. 8B15 C48443>mov edx,dword ptr ds:[4384C4] ; edx=64636261
00414620 |. A1 C8844300 mov eax,dword ptr ds:[4384C8] ; eax=68676665
00414625 |. 894C24 48 mov dword ptr ss:[esp+48],ecx
00414629 |. 895424 40 mov dword ptr ss:[esp+40],edx
0041462D |. 8B15 D08443>mov edx,dword ptr ds:[4384D0] ; edx=38373635
00414633 |. 894424 44 mov dword ptr ss:[esp+44],eax
00414637 |. A0 D4844300 mov al,byte ptr ds:[4384D4]
0041463C |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00414640 |. 6A 00 push 0
00414642 |. 51 push ecx
00414643 |. 895424 54 mov dword ptr ss:[esp+54],edx
地址[esp+40]的内容为:
0013F98C 61 62 63 64 65 66 67 68 31 32 33 34 35 36 37 38 abcdefgh12345678
00414647 |. 884424 58 mov byte ptr ss:[esp+58],al
0041464B |. E8 80E3FEFF call Wordllk.004029D0 ; 对密钥的处理
00414650 |. 8D9424 8800>lea edx,dword ptr ss:[esp+88]
00414657 |. 8D4424 48 lea eax,dword ptr ss:[esp+48]
0041465B |. 52 push edx ; 返回地址13F9CC
0041465C |. 50 push eax ; "abcdefgh"
0041465D |. E8 6EE5FEFF call Wordllk.00402BD0 ; DES加密
0013F9CC D1 5C B7 A8 CE C4 BA 98
00414662 |. 8D8C24 9800>lea ecx,dword ptr ss:[esp+98]
00414669 |. 8D5424 58 lea edx,dword ptr ss:[esp+58] ; ASCII "12345678"
0041466D |. 51 push ecx ; 返回地址13F9D4
0041466E |. 52 push edx ; 要加密的串"12345678"
0041466F |. E8 5CE5FEFF call Wordllk.00402BD0 ; DES加密
0013F9D4 2E 63 87 B8 9F 5B 2E C5 .c嚫焄.?..
00414674 |. B9 10000000 mov ecx,10
00414679 |. BE 80844300 mov esi,Wordllk.00438480 ; ASCII
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
0041467E |. 8DBC24 7401>lea edi,dword ptr ss:[esp+174]
00414685 |. 83C4 18 add esp,18
00414688 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
0041468A |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
0041468B |. B9 10000000 mov ecx,10
00414690 |. BE 80844300 mov esi,Wordllk.00438480 ; ASCII
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
00414695 |. 8DBC24 D400>lea edi,dword ptr ss:[esp+D4]
0041469C |. 8D9C24 8000>lea ebx,dword ptr ss:[esp+80]
004146A3 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
004146A5 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
004146A6 |. B9 10000000 mov ecx,10
004146AB |. BE 80844300 mov esi,Wordllk.00438480 ; ASCII
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
004146B0 |. 8DBC24 1801>lea edi,dword ptr ss:[esp+118]
004146B7 |. 8D6C24 54 lea ebp,dword ptr ss:[esp+54]
004146BB |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
004146BD |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
004146BE |. B9 10000000 mov ecx,10
004146C3 |. BE 80844300 mov esi,Wordllk.00438480 ; ASCII
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
004146C8 |. 8DBC24 9000>lea edi,dword ptr ss:[esp+90]
004146CF |. C74424 10 0>mov dword ptr ss:[esp+10],5
004146D7 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
004146D9 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
004146DA |> 8B03 /mov eax,dword ptr ds:[ebx] ; 取DES加密后的串“裓法文簶.c嚫焄.”
004146DC |. 8BC8 |mov ecx,eax ; 下面是对加密后的串进行Base64变换
004146DE |. C1E9 02 |shr ecx,2
004146E1 |. 83E1 3F |and ecx,3F
004146E4 |. 7C 0E |jl short Wordllk.004146F4
004146E6 |. 83F9 40 |cmp ecx,40
004146E9 |. 7D 09 |jge short Wordllk.004146F4
004146EB |. 8A8C0C 5C01>|mov cl,byte ptr ss:[esp+ecx+15C]
004146F2 |. EB 02 |jmp short Wordllk.004146F6
004146F4 |> B1 3D |mov cl,3D
004146F6 |> 0FBEF1 |movsx esi,cl
004146F9 |. 8BC8 |mov ecx,eax
004146FB |. 8BD0 |mov edx,eax
004146FD |. C1E9 0C |shr ecx,0C
00414700 |. 83E2 03 |and edx,3
00414703 |. 83E1 0F |and ecx,0F
00414706 |. C1E2 04 |shl edx,4
00414709 |. 0BCA |or ecx,edx
0041470B |. 7C 0E |jl short Wordllk.0041471B
0041470D |. 83F9 40 |cmp ecx,40
00414710 |. 7D 09 |jge short Wordllk.0041471B
00414712 |. 8A8C0C D400>|mov cl,byte ptr ss:[esp+ecx+D4]
00414719 |. EB 02 |jmp short Wordllk.0041471D
0041471B |> B1 3D |mov cl,3D
0041471D |> 0FBED1 |movsx edx,cl
00414720 |. 8BC8 |mov ecx,eax
00414722 |. 8BF8 |mov edi,eax
00414724 |. C1E9 08 |shr ecx,8
00414727 |. 83E1 0F |and ecx,0F
0041472A |. C1EF 16 |shr edi,16
0041472D |. C1E1 02 |shl ecx,2
00414730 |. 83E7 03 |and edi,3
00414733 |. 0BCF |or ecx,edi
00414735 |. 7C 0E |jl short Wordllk.00414745
00414737 |. 83F9 40 |cmp ecx,40
0041473A |. 7D 09 |jge short Wordllk.00414745
0041473C |. 8A8C0C 1801>|mov cl,byte ptr ss:[esp+ecx+118]
00414743 |. EB 02 |jmp short Wordllk.00414747
00414745 |> B1 3D |mov cl,3D
00414747 |> C1E8 10 |shr eax,10
0041474A |. 83E0 3F |and eax,3F
0041474D |. 0FBEC9 |movsx ecx,cl
00414750 |. 7C 0E |jl short Wordllk.00414760
00414752 |. 83F8 40 |cmp eax,40
00414755 |. 7D 09 |jge short Wordllk.00414760
00414757 |. 8A8404 9000>|mov al,byte ptr ss:[esp+eax+90]
0041475E |. EB 02 |jmp short Wordllk.00414762
00414760 |> B0 3D |mov al,3D
00414762 |> 0FBEC0 |movsx eax,al
00414765 |. C1E0 08 |shl eax,8
00414768 |. 0BC1 |or eax,ecx
0041476A |. 83C5 04 |add ebp,4
0041476D |. C1E0 08 |shl eax,8
00414770 |. 0BC2 |or eax,edx
00414772 |. 83C3 03 |add ebx,3
00414775 |. C1E0 08 |shl eax,8
00414778 |. 0BC6 |or eax,esi
0041477A |. 8945 FC |mov dword ptr ss:[ebp-4],eax
0041477D |. 8B4424 10 |mov eax,dword ptr ss:[esp+10]
00414781 |. 48 |dec eax
00414782 |. 894424 10 |mov dword ptr ss:[esp+10],eax
00414786 |.^ 0F85 4EFFFF>\jnz Wordllk.004146DA
0041478C |. 8A03 mov al,byte ptr ds:[ebx]
0041478E |. B9 10000000 mov ecx,10
00414793 |. BE 80844300 mov esi,Wordllk.00438480 ; ASCII
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
00414798 |. 8DBC24 9000>lea edi,dword ptr ss:[esp+90]
0041479F |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
004147A1 |. C74424 10 0>mov dword ptr ss:[esp+10],0
004147A9 |. 884424 10 mov byte ptr ss:[esp+10],al
004147AD |. 8B5424 10 mov edx,dword ptr ss:[esp+10]
004147B1 |. 8BC2 mov eax,edx
004147B3 |. C1E8 02 shr eax,2
004147B6 |. 83E0 3F and eax,3F
004147B9 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
004147BA |. 7C 0E jl short Wordllk.004147CA
004147BC |. 83F8 40 cmp eax,40
004147BF |. 7D 09 jge short Wordllk.004147CA
004147C1 |. 8A8404 9000>mov al,byte ptr ss:[esp+eax+90]
004147C8 |. EB 02 jmp short Wordllk.004147CC
004147CA |> B0 3D mov al,3D
004147CC |> B9 10000000 mov ecx,10
004147D1 |. BE 80844300 mov esi,Wordllk.00438480 ; ASCII
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
004147D6 |. 8DBC24 9000>lea edi,dword ptr ss:[esp+90]
004147DD |. 8845 00 mov byte ptr ss:[ebp],al
004147E0 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
004147E2 |. 8BC2 mov eax,edx
004147E4 |. 83E2 03 and edx,3
004147E7 |. C1E8 0C shr eax,0C
004147EA |. 83E0 0F and eax,0F
004147ED |. C1E2 04 shl edx,4
004147F0 |. 0BC2 or eax,edx
004147F2 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
004147F3 |. 7C 0E jl short Wordllk.00414803
004147F5 |. 83F8 40 cmp eax,40
004147F8 |. 7D 09 jge short Wordllk.00414803
004147FA |. 8A8404 9000>mov al,byte ptr ss:[esp+eax+90]
00414801 |. EB 02 jmp short Wordllk.00414805
00414803 |> B0 3D mov al,3D
00414805 |> 8845 01 mov byte ptr ss:[ebp+1],al
00414808 |. C645 02 3D mov byte ptr ss:[ebp+2],3D
0041480C |. C645 03 3D mov byte ptr ss:[ebp+3],3D
00414810 |. 83C5 04 add ebp,4
00414813 |. 8D7C24 54 lea edi,dword ptr ss:[esp+54] ; Base64结
果"0Vy3qM7EupguY4e4n1suxQ=="
00414817 |. 83C9 FF or ecx,FFFFFFFF
0041481A |. 33C0 xor eax,eax
0041481C |. C645 00 00 mov byte ptr ss:[ebp],0
00414820 |. F2:AE repne scas byte ptr es:[edi]
00414822 |. F7D1 not ecx
00414824 |. 49 dec ecx
00414825 |. 85C9 test ecx,ecx ; ecx=24
00414827 |. 7E 29 jle short Wordllk.00414852 ; 依次取Base64变换后的每1位
00414829 |> 807C04 54 2>/cmp byte ptr ss:[esp+eax+54],2F ; 如果是/
0041482E |. 75 05 |jnz short Wordllk.00414835
00414830 |. C64404 54 3>|mov byte ptr ss:[esp+eax+54],31 ; 替换为'1'
00414835 |> 807C04 54 2>|cmp byte ptr ss:[esp+eax+54],2B ; 如果是+
0041483A |. 75 05 |jnz short Wordllk.00414841
0041483C |. C64404 54 3>|mov byte ptr ss:[esp+eax+54],32 ; 替换为'2'
00414841 |> 807C04 54 3>|cmp byte ptr ss:[esp+eax+54],3D ; 如果是=
00414846 |. 75 05 |jnz short Wordllk.0041484D
00414848 |. C64404 54 0>|mov byte ptr ss:[esp+eax+54],0 ; 替换为0
0041484D |> 40 |inc eax
0041484E |. 3BC1 |cmp eax,ecx
00414850 |.^ 7C D7 \jl short Wordllk.00414829
00414852 |> 8D4C24 54 lea ecx,dword ptr ss:[esp+54] ; ASCII
"0Vy3qM7EupguY4e4n1suxQ"
00414856 |. 51 push ecx ; /s
00414857 |. FF15 B0B942>call dword ptr ds:[<&MSVCRT._strupr>] ; \_strupr 转换为大写
0041485D |. 83C4 04 add esp,4
00414860 |. 8D5424 54 lea edx,dword ptr ss:[esp+54] ; ASCII
"0VY3QM7EUPGUY4E4N1SUXQ"
00414864 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00414868 |. 52 push edx
00414869 |. E8 600D0100 call <jmp.&MFC42.#537>
0041486E |. 6A 10 push 10
00414870 |. 8D4424 14 lea eax,dword ptr ss:[esp+14]
00414874 |. B3 02 mov bl,2
00414876 |. 6A 00 push 0
00414878 |. 50 push eax
00414879 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0041487D |. 889C24 B401>mov byte ptr ss:[esp+1B4],bl
00414884 |. E8 6F0D0100 call <jmp.&MFC42.#4278>
00414889 |. 50 push eax
0041488A |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0041488E |. C68424 AC01>mov byte ptr ss:[esp+1AC],3
00414896 |. E8 570D0100 call <jmp.&MFC42.#858>
0041489B |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0041489F |. 889C24 A801>mov byte ptr ss:[esp+1A8],bl
004148A6 |. E8 ED0C0100 call <jmp.&MFC42.#800>
004148AB |. 6A 04 push 4 ;取4位
004148AD |. 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
004148B1 |. 6A 0C push 0C ;从第12位开始取
004148B3 |. 51 push ecx ;返回地址
004148B4 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
004148B8 |. E8 3B0D0100 call <jmp.&MFC42.#4278>
004148BD |. 8BF0 mov esi,eax
004148BF |. 6A 04 push 4 ;取4位
004148C1 |. 8D5424 40 lea edx,dword ptr ss:[esp+40]
004148C5 |. 6A 08 push 8 ;从第8位开始取
004148C7 |. 52 push edx ;返回地址
004148C8 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
004148CC |. C68424 B401>mov byte ptr ss:[esp+1B4],4
004148D4 |. E8 1F0D0100 call <jmp.&MFC42.#4278>
004148D9 |. 8BF8 mov edi,eax
004148DB |. 6A 04 push 4 ;取4位
004148DD |. 8D4424 34 lea eax,dword ptr ss:[esp+34]
004148E1 |. 6A 04 push 4 ;从第4位开始取
004148E3 |. 50 push eax ;返回地址
004148E4 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
004148E8 |. C68424 B401>mov byte ptr ss:[esp+1B4],5
004148F0 |. E8 030D0100 call <jmp.&MFC42.#4278>
004148F5 |. 8BE8 mov ebp,eax
004148F7 |. 6A 04 push 4 ;取4位
004148F9 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004148FD |. 6A 00 push 0 ;从第0位开始取
004148FF |. 51 push ecx ;返回地址
00414900 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00414904 |. C68424 B401>mov byte ptr ss:[esp+1B4],6
0041490C |. E8 E70C0100 call <jmp.&MFC42.#4278>
00414911 |. 8B16 mov edx,dword ptr ds:[esi] ; EDX="Y4E4"
00414913 |. 8B0F mov ecx,dword ptr ds:[edi] ; ECX="UPGU"
00414915 |. 8B00 mov eax,dword ptr ds:[eax] ; EAX="0VY3"
00414917 |. 52 push edx ; edx入栈
00414918 |. 8B55 00 mov edx,dword ptr ss:[ebp] ; edx="QM7E"
0041491B |. 51 push ecx
0041491C |. 52 push edx
0041491D |. 50 push eax
0041491E |. 8D8C24 C401>lea ecx,dword ptr ss:[esp+1C4]
00414925 |. 68 74844300 push Wordllk.00438474 ; ASCII "%s-%s-%s-%s"
0041492A |. 51 push ecx ; 返回值地址
0041492B |. C68424 C001>mov byte ptr ss:[esp+1C0],7
00414933 |. E8 7E0C0100 call <jmp.&MFC42.#2818> ; 格式化字符串
00414938 |. 83C4 18 add esp,18 ; ecx="0VY3-QM7E-UPGU-Y4E4"
0041493B |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0041493F |. C68424 A801>mov byte ptr ss:[esp+1A8],6
下面是0041464B |. E8 80E3FEFF call Wordllk.004029D0
其实下面就是对DES密钥的处理,偶比较笨,一开始没看出来,所以就跟了一遍,看来得多学习才行啊,呵呵
; ---------------------------------------------------------------------
; Wordllk.004029D0 -- expands an 8-byte key into 16 pairs of 32-bit round values.
; Listing is OllyDbg output (address | bytes | instruction), 32-bit x86.
; In:    [esp+4] at entry = pointer to the 8 key bytes (loaded into esi below)
;        [esp+8] at entry = 16-bit mode word: 1 stores the rounds in reverse
;                           order, any other value in forward order
;                           (the caller at 0041464B pushes 0)
; Out:   32 dwords built at [esp+84] (two per round), passed to 00402B00
; Stack: 0F4h bytes of locals; ebx/ebp/esi/edi are saved and restored
; Locals: [esp+10] reverse index, [esp+14] 56 rotated flags,
;         [esp+4C] 56 selected key-bit flags, [esp+84] round values
; NOTE(review): 56 selected bits, two rotating 28-entry halves and 2 x 24
; selected bits per round are consistent with the DES key schedule
; (PC-1 / rotate / PC-2). The table contents are not shown on this page,
; so the table roles named below are presumed -- confirm against the data.
; ---------------------------------------------------------------------
004029D0 /$ 81EC F40000>sub esp,0F4 ; reserve 0F4h bytes of locals
004029D6 |. 33C9 xor ecx,ecx ; j = 0
004029D8 |. 53 push ebx
004029D9 |. 55 push ebp
004029DA |. 56 push esi
004029DB |. 8BB424 0401>mov esi,dword ptr ss:[esp+104] ; esi = first argument (pointer to the key bytes)
004029E2 |. 57 push edi
004029E3 |> 33C0 /xor eax,eax
004029E5 |. 8A81 107443>|mov al,byte ptr ds:[ecx+437410] ; al = table_437410[j], a bit number (presumably PC-1)
004029EB |. 8BD0 |mov edx,eax
004029ED |. 83E0 07 |and eax,7 ; eax = bit position inside the byte, 0..7
004029F0 |. C1FA 03 |sar edx,3 ; edx = byte index (0..7 provided the table entries are below 64)
004029F3 |. 8A1C45 A073>|mov bl,byte ptr ds:[eax*2+4373A0] ; bl = low byte of 16-bit entry eax of table_4373A0, used as a bit mask
004029FA |. 8A1432 |mov dl,byte ptr ds:[edx+esi] ; dl = key[edx] (a byte of the caller's key, not a constant table)
004029FD |. 84D3 |test bl,dl
004029FF |. 0F95C0 |setne al ; al = 1 if the selected key bit is set, else 0
00402A02 |. 88440C 4C |mov byte ptr ss:[esp+ecx+4C],al ; bits[j] = al (one byte per bit, at esp+4C)
00402A06 |. 41 |inc ecx
00402A07 |. 83F9 38 |cmp ecx,38 ; 38h = 56 selected bits
00402A0A |.^ 7C D7 \jl short Wordllk.004029E3
00402A0C |. B8 1E000000 mov eax,1E ; reverse-order index starts at 1Eh (30)
00402A11 |. 33D2 xor edx,edx ; round = 0
00402A13 |. 894424 10 mov dword ptr ss:[esp+10],eax ; [esp+10] = reverse index, stepped by -2 each round
00402A17 |> 66:83BC24 0>/cmp word ptr ss:[esp+10C],1 ; second argument (mode word) == 1 ?
00402A20 |. 74 03 |je short Wordllk.00402A25 ; yes: keep eax = reverse index
00402A22 |. 8D0412 |lea eax,dword ptr ds:[edx+edx] ; no: eax = 2*round (forward order)
00402A25 |> 8DBC84 8800>|lea edi,dword ptr ss:[esp+eax*4+88] ; edi -> second dword of this round's pair
00402A2C |. 8DAC84 8400>|lea ebp,dword ptr ss:[esp+eax*4+84] ; ebp -> first dword of this round's pair
00402A33 |. 33C0 |xor eax,eax ; k = 0
00402A35 |. 33C9 |xor ecx,ecx
00402A37 |. 8A8A 487443>|mov cl,byte ptr ds:[edx+437448] ; cl = table_437448[round], the rotation offset for this round
00402A3D |. C707 000000>|mov dword ptr ds:[edi],0 ; clear both output dwords before OR-ing bits in
00402A43 |. C745 00 000>|mov dword ptr ss:[ebp],0
00402A4A |. 8BF1 |mov esi,ecx ; keep the offset for the second half
00402A4C |> 83F9 1C |/cmp ecx,1C ; first half: rotated[k] = bits[(k+offset) mod 28], k = 0..27
00402A4F |. 7D 06 ||jge short Wordllk.00402A57
00402A51 |. 8A5C0C 4C ||mov bl,byte ptr ss:[esp+ecx+4C] ; no wrap: bits[ecx]
00402A55 |. EB 04 ||jmp short Wordllk.00402A5B
00402A57 |> 8A5C0C 30 ||mov bl,byte ptr ss:[esp+ecx+30] ; wrap: 30h = 4Ch - 1Ch, i.e. bits[ecx-28]
00402A5B |> 885C04 14 ||mov byte ptr ss:[esp+eax+14],bl ; rotated[k] = bl (array at esp+14)
00402A5F |. 40 ||inc eax
00402A60 |. 41 ||inc ecx
00402A61 |. 83F8 1C ||cmp eax,1C
00402A64 |.^ 7C E6 |\jl short Wordllk.00402A4C
00402A66 |. B8 1C000000 |mov eax,1C ; second half: k = 28..55
00402A6B |. 8D4E 1C |lea ecx,dword ptr ds:[esi+1C] ; source index = offset + 28
00402A6E |> 83F9 38 |/cmp ecx,38
00402A71 |. 7D 06 ||jge short Wordllk.00402A79
00402A73 |. 8A5C0C 4C ||mov bl,byte ptr ss:[esp+ecx+4C] ; no wrap: bits[ecx]
00402A77 |. EB 04 ||jmp short Wordllk.00402A7D
00402A79 |> 8A5C0C 30 ||mov bl,byte ptr ss:[esp+ecx+30] ; wrap inside the second half: bits[ecx-28]
00402A7D |> 885C04 14 ||mov byte ptr ss:[esp+eax+14],bl
00402A81 |. 40 ||inc eax
00402A82 |. 41 ||inc ecx
00402A83 |. 83F8 38 ||cmp eax,38
00402A86 |.^ 7C E6 |\jl short Wordllk.00402A6E
00402A88 |. 33C0 |xor eax,eax ; k = 0
00402A8A |> 33C9 |/xor ecx,ecx
00402A8C |. 8A88 587443>||mov cl,byte ptr ds:[eax+437458] ; cl = table_437458[k], index into rotated[] (presumably PC-2, entries 0..23)
00402A92 |. 8A5C0C 14 ||mov bl,byte ptr ss:[esp+ecx+14]
00402A96 |. 84DB ||test bl,bl
00402A98 |. 74 0F ||je short Wordllk.00402AA9 ; bit clear: leave the first dword unchanged
00402A9A |. 8B0C85 B073>||mov ecx,dword ptr ds:[eax*4+4373B0] ; ecx = dword mask table_4373B0[k]
00402AA1 |. 8B75 00 ||mov esi,dword ptr ss:[ebp]
00402AA4 |. 0BF1 ||or esi,ecx
00402AA6 |. 8975 00 ||mov dword ptr ss:[ebp],esi ; first dword |= mask
00402AA9 |> 33C9 ||xor ecx,ecx
00402AAB |. 8A88 707443>||mov cl,byte ptr ds:[eax+437470] ; 437470 = 437458 + 18h: the next 24 entries of the same table
00402AB1 |. 8A5C0C 14 ||mov bl,byte ptr ss:[esp+ecx+14]
00402AB5 |. 84DB ||test bl,bl
00402AB7 |. 74 0D ||je short Wordllk.00402AC6 ; bit clear: leave the second dword unchanged
00402AB9 |. 8B0C85 B073>||mov ecx,dword ptr ds:[eax*4+4373B0] ; same mask table, same index k
00402AC0 |. 8B37 ||mov esi,dword ptr ds:[edi]
00402AC2 |. 0BF1 ||or esi,ecx
00402AC4 |. 8937 ||mov dword ptr ds:[edi],esi ; second dword |= mask
00402AC6 |> 40 ||inc eax
00402AC7 |. 83F8 18 ||cmp eax,18 ; 18h = 24 selections per dword
00402ACA |.^ 7C BE |\jl short Wordllk.00402A8A
00402ACC |. 8B4424 10 |mov eax,dword ptr ss:[esp+10] ; reload the reverse index
00402AD0 |. 42 |inc edx ; round++
00402AD1 |. 83E8 02 |sub eax,2
00402AD4 |. 83F8 FE |cmp eax,-2
00402AD7 |. 894424 10 |mov dword ptr ss:[esp+10],eax
00402ADB |.^ 0F8F 36FFFF>\jg Wordllk.00402A17 ; index runs 1Eh,1Ch,...,0 => 16 rounds
00402AE1 |. 8D9424 8400>lea edx,dword ptr ss:[esp+84] ; edx -> the 32 dwords built above
00402AE8 |. 52 push edx
00402AE9 |. E8 12000000 call Wordllk.00402B00 ; receives the array; its body is not shown on this page
00402AEE |. 83C4 04 add esp,4 ; caller cleans up the one argument
00402AF1 |. 5F pop edi
00402AF2 |. 5E pop esi
00402AF3 |. 5D pop ebp
00402AF4 |. 5B pop ebx
00402AF5 |. 81C4 F40000>add esp,0F4
00402AFB \. C3 retn
------------------------------------------------------------------------
【破解总结】算法不难,偶比较笨,就用C来解释吧
1.
/* Step 1: derive the 8-byte DES key from the user name (mirrors the two loops at 004145F1 and 00414600). */
/* name holds the first 8 characters of the user name (strncpy with maxlen 8); name[8] is the terminator 0. */
unsigned char name[9]="fenjianr",temp[8],str[9]="12345678";
int i;
for (i=0;i<8;i++) {
temp[i]=name[8-i]; /* reversed read: i=0 picks name[8] (0), so name[0] is never read */
temp[i]+=str[i]; /* byte-wise add of the constant string; wraps modulo 256 (unsigned char) */
}
2. 得出来的8字节temp的Hex形式为:31A4A1959EA0A59D,作为DES密钥,
对“abcdefgh12345678”按8字节分组分两次做DES加密,得到串1="裓法文簶.c嚫焄."(二进制密文按GBK显示的结果),其Hex形式为
D15CB7A8CEC4BA982E6387B89F5B2EC5
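3. Base64Encode(串1)=0Vy3qM7EupguY4e4n1suxQ==,转换为大写并取前16位,每4位一组用'-'连接即可
从设计角度看,整个校验都在客户端完成:DES密钥只由用户名和固定串"12345678"推导,明文与编码表也是程序内的常量,所以注册码与用户名的对应关系可以完全离线还原;要避免这一点,需改用基于非对称签名的许可证校验或服务端验证。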
------------------------------------------------------------------------
【版权声明】本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢! 2007年4月6日