[原创]首钢环星排队机系统算法简单分析
发表于: 2007-10-8 02:31 6334
【文章标题】: 首钢环星排队机系统算法简单分析
【文章作者】: 网络断魂
【作者邮箱】: raojianbo@tom.com
【软件名称】: 首钢环星排队机系统
【软件大小】: 11.7M
【下载地址】: 无
【加壳方式】: 无壳,注册码保护
【编写语言】: Microsoft Visual C++ 6.0
【操作平台】: XP-SP2
【破解工具】: PEID,OD,PYG密码学工具
第一次做算法分析，属于半猜半分析，大侠们不要见笑哦。
语音动画下载地址：http://bbs.chinapyg.com/viewthread.php?tid=20037&extra=page%3D1 （没有上传权限，转个贴）
用PEID查壳,Microsoft Visual C++ 6.0
软件未注册则提示"您使用的是测试版……"
下消息断点,断在下面:
0040518F . E8 4E9E0000 call <jmp.&MFC42.#800>
00405194 > 8B86 24010000 mov eax, dword ptr [esi+124]
0040519A . 85C0 test eax, eax
0040519C . 0F85 D9000000 jnz 0040527B
004051A2 . 8A0D C8CB4100 mov cl, byte ptr [41CBC8]
004051A8 . 33C0 xor eax, eax
004051AA . 888C24 280100>mov byte ptr [esp+128], cl
004051B1 . B9 18000000 mov ecx, 18
004051B6 . 8DBC24 290100>lea edi, dword ptr [esp+129]
004051BD . 8D9424 280100>lea edx, dword ptr [esp+128]
004051C4 . F3:AB rep stos dword ptr es:[edi]
004051C6 . 6A 64 push 64
004051C8 . 52 push edx
004051C9 . 66:AB stos word ptr es:[edi]
004051CB . 68 ECC24100 push 0041C2EC ; queue_bank
004051D0 . 68 D0C24100 push 0041C2D0 ; software\brief\serializeno
004051D5 . 68 02000080 push 80000002
004051DA . AA stos byte ptr es:[edi]
004051DB . E8 40870000 call 0040D920 ; //取假码
004051E0 . 83C4 14 add esp, 14
004051E3 . 8D8424 280100>lea eax, dword ptr [esp+128]
004051EA . 8D4C24 24 lea ecx, dword ptr [esp+24] ; //长度+1入ECX
004051EE . 50 push eax ; //假码入栈
004051EF . E8 189E0000 call <jmp.&MFC42.#537>
004051F4 . 8D4C24 24 lea ecx, dword ptr [esp+24]
004051F8 . C68424 940100>mov byte ptr [esp+194], 3A
00405200 . 51 push ecx
00405201 . E8 CA820000 call 0040D4D0 ; //算法CALL
00405206 . 83C4 04 add esp, 4
00405209 . 8D4C24 24 lea ecx, dword ptr [esp+24]
0040520D . 8BF8 mov edi, eax
0040520F . C68424 940100>mov byte ptr [esp+194], 0B
00405217 . E8 C69D0000 call <jmp.&MFC42.#800>
0040521C . 8BC7 mov eax, edi
0040521E . 83E8 00 sub eax, 0
00405221 . 74 58 je short 0040527B ; //跳往正确
00405223 . 83E8 02 sub eax, 2
00405226 . 74 53 je short 0040527B ; //跳往正确,不跳则死
00405228 . 8D4C24 34 lea ecx, dword ptr [esp+34]
0040522C . E8 C39D0000 call <jmp.&MFC42.#540>
00405231 . 6A 6D push 6D
00405233 . 8D4C24 38 lea ecx, dword ptr [esp+38]
00405237 . C68424 980100>mov byte ptr [esp+198], 3B
0040523F . E8 DE9F0000 call <jmp.&MFC42.#4160>
00405244 . 8D4C24 24 lea ecx, dword ptr [esp+24]
00405248 . E8 A79D0000 call <jmp.&MFC42.#540>
0040524D . 6A 6E push 6E
0040524F . 8D4C24 28 lea ecx, dword ptr [esp+28]
00405253 . C68424 980100>mov byte ptr [esp+198], 3C
0040525B . E8 C29F0000 call <jmp.&MFC42.#4160>
00405260 . 8B5424 24 mov edx, dword ptr [esp+24]
00405264 . 8B4424 34 mov eax, dword ptr [esp+34]
00405268 . 6A 00 push 0
0040526A . 52 push edx
0040526B . 50 push eax
0040526C . 8BCE mov ecx, esi
0040526E . E8 CFA00000 call <jmp.&MFC42.#4224> ; //提示测试版!
00405273 . 6A 00 push 0 ; /status = 0
00405275 . FF15 74354100 call dword ptr [<&MSVCRT.exit>] ; \exit
0040527B > 8D8E D8000000 lea ecx, dword ptr [esi+D8]
00405281 . 51 push ecx
00405282 . 8D8E F4030000 lea ecx, dword ptr [esi+3F4]
00405288 . FF15 78364100 call dword ptr [<&ext.CPrintContent::>; ext.CPrintContent::LoadIni
0040528E . 85C0 test eax, eax
00405290 . 74 0B je short 0040529D
跟进算法CALL:
;-----------------------------------------------------------------------
; sub_0040D4D0  --  registration-code check (OllyDbg listing, MSVC6 + MFC42)
; C-equivalent:  int __cdecl check_code(CString *code)
; In:    [esp+6C] (after the prologue below) = pointer to the CString
;        holding the code entered by the user; edi keeps a copy.
; Out:   eax =  0 : first 32 chars match the hash of the "zdbit_ok_!!@3" string
;        eax =  2 : first 32 chars match the hash of the "zdbit_no_@@39" string
;                   and sub_0040B8C0 returned 0
;        eax =  1 : same match, but sub_0040B8C0 returned non-zero
;        eax = -1 : length != 0x28 (40) or neither hash matches
;        (the caller at 0040521E..00405226 on this page accepts 0 and 2)
; Stack: MSVC SEH frame (fs:[0] chain) + 0x4C locals + ebx/ebp/esi/edi.
;        All [esp+N] offsets in the comments are as seen after the four
;        pushes.  byte [esp+64] is written with increasing small values as
;        CString temporaries are constructed and with -1 before every retn,
;        which is the MSVC EH unwind-state slot pattern.
; MFC42 ordinals (well-known exports): #537 CString(const char*),
;        #540 CString(), #800 ~CString, #4129 Left, #4278 Mid, #5710 Right,
;        #922 operator+(CString,CString), #924 operator+(CString,const char*),
;        #939 operator+=, #2818 Format.  #551 and #3811 are inferred from
;        their argument patterns (see inline) -- TODO confirm against the
;        MFC42 export table.
; Helpers not shown on this page: 0040D3F0 (fills a CString the author
;        describes as the machine id), 0040AAB0 (the author identifies it
;        as MD5; the output consumed here is 16 bytes), 0040B8C0.
; NOTE(review): this is a local, unkeyed check -- the two constant strings
;        mixed into the hash are plain .data, the hash itself is unkeyed, and
;        the verdict is a small integer the caller branches on.  Licensing
;        code that must withstand this kind of analysis verifies a signature
;        with an embedded public key instead, so nothing contained in the
;        shipped binary is sufficient to produce an accepted code.
;-----------------------------------------------------------------------
0040D4D0 /$ 64:A1 0000000>mov eax, dword ptr fs:[0] ; SEH prologue: eax = current handler record
0040D4D6 |. 6A FF push -1 ; EH state = -1 (nothing to unwind yet)
0040D4D8 |. 68 301E4100 push 00411E30 ; EH handler thunk (OllyDbg renders the symbol garbled here)
0040D4DD |. 50 push eax ; previous record -> [esp+5C] after the pushes below
0040D4DE |. 64:8925 00000>mov dword ptr fs:[0], esp ; install the frame
0040D4E5 |. 83EC 4C sub esp, 4C ; locals: CString temporaries + two 16-byte digests
0040D4E8 |. 53 push ebx
0040D4E9 |. 55 push ebp
0040D4EA |. 56 push esi
0040D4EB |. 57 push edi
0040D4EC |. 8B7C24 6C mov edi, dword ptr [esp+6C] ; edi = CString *code (arg1)
0040D4F0 |. 8B07 mov eax, dword ptr [edi] ; eax = code->m_pchData (the character buffer)
0040D4F2 |. 8378 F8 28 cmp dword ptr [eax-8], 28 ; CStringData::nDataLength == 0x28 (40 chars)?
0040D4F6 |. 0F85 05040000 jnz 0040D901 ; wrong length -> return -1
0040D4FC |. 8D4C24 6C lea ecx, dword ptr [esp+6C] ; hidden return slot; reuses the arg slot (edi still holds the pointer)
0040D500 |. 6A 08 push 8
0040D502 |. 51 push ecx
0040D503 |. 8BCF mov ecx, edi ; this = code
0040D505 |. E8 F81E0000 call <jmp.&MFC42.#5710> ; [esp+6C] = code->Right(8): trailing 8 chars, "A" in the author's summary
0040D50A |. 8D5424 20 lea edx, dword ptr [esp+20]
0040D50E |. 6A 04 push 4
0040D510 |. 52 push edx
0040D511 |. 8D4C24 74 lea ecx, dword ptr [esp+74] ; this = the Right(8) temporary
0040D515 |. C74424 6C 000>mov dword ptr [esp+6C], 0 ; EH state = 0
0040D51D |. E8 021B0000 call <jmp.&MFC42.#4129> ; [esp+20] = A.Left(4)
0040D522 |. 8B00 mov eax, dword ptr [eax] ; char* of the 4-char substring
0040D524 |. 8B35 68354100 mov esi, dword ptr [<&MSVCRT.atoi>] ; esi = atoi, reused for the three conversions below
0040D52A |. 50 push eax ; /s
0040D52B |. FFD6 call esi ; \atoi(A[0..3]) -- parses the leading decimal digits
0040D52D |. 83C4 04 add esp, 4
0040D530 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0040D534 |. 8BE8 mov ebp, eax ; ebp = atoi(A[0..3])
0040D536 |. E8 A71A0000 call <jmp.&MFC42.#800> ; destroy the Left(4) temporary
0040D53B |. 6A 02 push 2
0040D53D |. 8D4424 24 lea eax, dword ptr [esp+24]
0040D541 |. 6A 04 push 4
0040D543 |. 50 push eax
0040D544 |. 8D4C24 78 lea ecx, dword ptr [esp+78] ; this = A
0040D548 |. E8 CD1E0000 call <jmp.&MFC42.#4278> ; [esp+20] = A.Mid(4, 2)
0040D54D |. 8B00 mov eax, dword ptr [eax] ; char* of the 2-char substring
0040D54F |. 50 push eax
0040D550 |. FFD6 call esi ; atoi(A[4..5])
0040D552 |. 83C4 04 add esp, 4
0040D555 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0040D559 |. 8BD8 mov ebx, eax ; ebx = atoi(A[4..5])
0040D55B |. E8 821A0000 call <jmp.&MFC42.#800> ; destroy the temporary
0040D560 |. 6A 02 push 2
0040D562 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0040D566 |. 6A 06 push 6
0040D568 |. 51 push ecx
0040D569 |. 8D4C24 78 lea ecx, dword ptr [esp+78] ; this = A
0040D56D |. E8 A81E0000 call <jmp.&MFC42.#4278> ; [esp+20] = A.Mid(6, 2)
0040D572 |. 8B00 mov eax, dword ptr [eax] ; char* of the last 2 chars
0040D574 |. 50 push eax
0040D575 |. FFD6 call esi ; atoi(A[6..7])
0040D577 |. 83C4 04 add esp, 4
0040D57A |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0040D57E |. 8BF0 mov esi, eax ; esi = atoi(A[6..7]); the atoi pointer is no longer needed
0040D580 |. E8 5D1A0000 call <jmp.&MFC42.#800> ; destroy the temporary
0040D585 |. 6A FF push -1 ; 7-int constructor: (ebp, ebx, esi, 0, 0, 0, -1)
0040D587 |. 6A 00 push 0 ; matches CTime(year, month, day, hour, min, sec, nDST=-1),
0040D589 |. 6A 00 push 0 ; i.e. A would be read as YYYYMMDD -- TODO confirm #551
0040D58B |. 6A 00 push 0
0040D58D |. 56 push esi ; day   (A[6..7])
0040D58E |. 53 push ebx ; month (A[4..5])
0040D58F |. 55 push ebp ; year  (A[0..3])
0040D590 |. 8D4C24 4C lea ecx, dword ptr [esp+4C] ; this = 4-byte object at [esp+30]
0040D594 |. E8 A11C0000 call <jmp.&MFC42.#551>
0040D599 |. 8B28 mov ebp, dword ptr [eax] ; ebp = the constructed 32-bit value (a time_t if #551 is CTime)
0040D59B |. 8D5424 1C lea edx, dword ptr [esp+1C]
0040D59F |. 6A 20 push 20
0040D5A1 |. 52 push edx
0040D5A2 |. 8BCF mov ecx, edi ; this = code
0040D5A4 |. E8 7B1A0000 call <jmp.&MFC42.#4129> ; [esp+1C] = code->Left(0x20): the first 32 chars
0040D5A9 |. 8D4424 18 lea eax, dword ptr [esp+18]
0040D5AD |. C64424 64 01 mov byte ptr [esp+64], 1 ; EH state = 1
0040D5B2 |. 50 push eax
0040D5B3 |. E8 38FEFFFF call 0040D3F0 ; fills the CString at [esp+18]; body not shown (author: machine id from the disk)
0040D5B8 |. 83C4 04 add esp, 4
0040D5BB |. 8D4C24 6C lea ecx, dword ptr [esp+6C] ; A
0040D5BF |. 8D5424 18 lea edx, dword ptr [esp+18] ; machine id
0040D5C3 |. 51 push ecx
0040D5C4 |. 8D4424 30 lea eax, dword ptr [esp+30] ; result slot [esp+2C]
0040D5C8 |. 52 push edx
0040D5C9 |. 50 push eax
0040D5CA |. C64424 70 02 mov byte ptr [esp+70], 2 ; EH state = 2
0040D5CF |. E8 EA1C0000 call <jmp.&MFC42.#922> ; [esp+2C] = machine + A
0040D5D4 |. 68 ECCA4100 push 0041CAEC ; "zdbit_ok_!!@3" -- constant from .data
0040D5D9 |. C64424 68 03 mov byte ptr [esp+68], 3 ; EH state = 3
0040D5DE |. 50 push eax ; machine + A
0040D5DF |. 8D4C24 30 lea ecx, dword ptr [esp+30] ; result slot [esp+28]
0040D5E3 |. 51 push ecx
0040D5E4 |. E8 2F1A0000 call <jmp.&MFC42.#924> ; [esp+28] = machine + A + "zdbit_ok_!!@3"   ("B_ok")
0040D5E9 |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
0040D5ED |. C64424 64 05 mov byte ptr [esp+64], 5 ; EH state = 5
0040D5F2 |. E8 EB190000 call <jmp.&MFC42.#800> ; destroy machine + A
0040D5F7 |. 8D5424 6C lea edx, dword ptr [esp+6C] ; A
0040D5FB |. 8D4424 18 lea eax, dword ptr [esp+18] ; machine id
0040D5FF |. 52 push edx
0040D600 |. 8D4C24 34 lea ecx, dword ptr [esp+34] ; result slot [esp+30]
0040D604 |. 50 push eax
0040D605 |. 51 push ecx
0040D606 |. E8 B31C0000 call <jmp.&MFC42.#922> ; [esp+30] = machine + A (built a second time)
0040D60B |. 68 DCCA4100 push 0041CADC ; "zdbit_no_@@39" -- second constant from .data
0040D610 |. 8D5424 28 lea edx, dword ptr [esp+28] ; result slot [esp+24]
0040D614 |. 50 push eax
0040D615 |. 52 push edx
0040D616 |. C64424 70 06 mov byte ptr [esp+70], 6 ; EH state = 6
0040D61B |. E8 F8190000 call <jmp.&MFC42.#924> ; [esp+24] = machine + A + "zdbit_no_@@39"   ("B_no")
0040D620 |. 8D4C24 30 lea ecx, dword ptr [esp+30]
0040D624 |. C64424 64 08 mov byte ptr [esp+64], 8 ; EH state = 8
0040D629 |. E8 B4190000 call <jmp.&MFC42.#800> ; destroy the second machine + A
0040D62E |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040D632 |. E8 BD190000 call <jmp.&MFC42.#540> ; [esp+14] = CString()  -> will hold hex(hash(B_ok))
0040D637 |. B3 09 mov bl, 9 ; bl = 9 is reused as the EH state value on several later paths
0040D639 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0040D63D |. 885C24 64 mov byte ptr [esp+64], bl ; EH state = 9
0040D641 |. E8 AE190000 call <jmp.&MFC42.#540> ; [esp+10] = CString()  -> will hold hex(hash(B_no))
0040D646 |. 8D4424 28 lea eax, dword ptr [esp+28] ; B_ok
0040D64A |. 8D4C24 3C lea ecx, dword ptr [esp+3C] ; 16-byte output buffer
0040D64E |. 50 push eax
0040D64F |. 51 push ecx
0040D650 |. C64424 6C 0A mov byte ptr [esp+6C], 0A ; EH state = 0A
0040D655 |. E8 56D4FFFF call 0040AAB0 ; hash(B_ok) -> [esp+3C..4B]  (author: MD5; body not shown)
0040D65A |. 8D5424 2C lea edx, dword ptr [esp+2C] ; B_no
0040D65E |. 8D4424 54 lea eax, dword ptr [esp+54] ; 16-byte output buffer [esp+4C] before the pushes
0040D662 |. 52 push edx
0040D663 |. 50 push eax
0040D664 |. E8 47D4FFFF call 0040AAB0 ; hash(B_no) -> [esp+4C..5B]
0040D669 |. 83C4 10 add esp, 10 ; pop both calls' arguments
0040D66C |. 33F6 xor esi, esi ; esi = byte index, 0..15
0040D66E |> 8D4C24 20 /lea ecx, dword ptr [esp+20] ; loop: render both digests as 32 hex chars each
0040D672 |. E8 7D190000 |call <jmp.&MFC42.#540> ; [esp+20] = CString() scratch
0040D677 |. 33C9 |xor ecx, ecx
0040D679 |. 8D5424 20 |lea edx, dword ptr [esp+20]
0040D67D |. 8A4C34 3C |mov cl, byte ptr [esp+esi+3C] ; cl = hash(B_ok)[esi]
0040D681 |. C64424 64 0B |mov byte ptr [esp+64], 0B ; EH state = 0B
0040D686 |. 51 |push ecx
0040D687 |. 68 D4CA4100 |push 0041CAD4 ; %02x
0040D68C |. 52 |push edx
0040D68D |. E8 4E1B0000 |call <jmp.&MFC42.#2818> ; scratch.Format("%02x", byte)
0040D692 |. 83C4 0C |add esp, 0C
0040D695 |. 8D4424 20 |lea eax, dword ptr [esp+20]
0040D699 |. 8D4C24 14 |lea ecx, dword ptr [esp+14]
0040D69D |. 50 |push eax
0040D69E |. E8 E31D0000 |call <jmp.&MFC42.#939> ; hex_ok += scratch
0040D6A3 |. 33C9 |xor ecx, ecx
0040D6A5 |. 8D5424 20 |lea edx, dword ptr [esp+20]
0040D6A9 |. 8A4C34 4C |mov cl, byte ptr [esp+esi+4C] ; cl = hash(B_no)[esi]
0040D6AD |. 51 |push ecx
0040D6AE |. 68 D4CA4100 |push 0041CAD4 ; %02x
0040D6B3 |. 52 |push edx
0040D6B4 |. E8 271B0000 |call <jmp.&MFC42.#2818> ; scratch.Format("%02x", byte)  (overwrites, does not append)
0040D6B9 |. 83C4 0C |add esp, 0C
0040D6BC |. 8D4424 20 |lea eax, dword ptr [esp+20]
0040D6C0 |. 8D4C24 10 |lea ecx, dword ptr [esp+10]
0040D6C4 |. 50 |push eax
0040D6C5 |. E8 BC1D0000 |call <jmp.&MFC42.#939> ; hex_no += scratch
0040D6CA |. 8D4C24 20 |lea ecx, dword ptr [esp+20]
0040D6CE |. C64424 64 0A |mov byte ptr [esp+64], 0A ; EH state back to 0A
0040D6D3 |. E8 0A190000 |call <jmp.&MFC42.#800> ; destroy scratch
0040D6D8 |. 46 |inc esi
0040D6D9 |. 83FE 10 |cmp esi, 10
0040D6DC |.^ 7C 90 \jl short 0040D66E ; 16 iterations (signed compare, harmless for 0..16)
0040D6DE |. 8B4C24 1C mov ecx, dword ptr [esp+1C] ; s2 = first 32 chars of the entered code
0040D6E2 |. 8B5424 14 mov edx, dword ptr [esp+14] ; s1 = hex(hash(B_ok))
0040D6E6 |. 8B35 7C354100 mov esi, dword ptr [<&MSVCRT._mbscmp>; MSVCRT._mbscmp
0040D6EC |. 51 push ecx ; /s2
0040D6ED |. 52 push edx ; |s1
0040D6EE |. FFD6 call esi ; \_mbscmp(s1, s2) -- plain (non-constant-time) string compare
0040D6F0 |. 83C4 08 add esp, 8
0040D6F3 |. 85C0 test eax, eax
0040D6F5 |. 75 79 jnz short 0040D770 ; no match -> try the "no" variant
0040D6F7 |. 8D4C24 10 lea ecx, dword ptr [esp+10] ; matched "ok": tear down every CString, then return 0
0040D6FB |. 885C24 64 mov byte ptr [esp+64], bl
0040D6FF |. E8 DE180000 call <jmp.&MFC42.#800> ; ~hex_no
0040D704 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040D708 |. C64424 64 08 mov byte ptr [esp+64], 8
0040D70D |. E8 D0180000 call <jmp.&MFC42.#800> ; ~hex_ok
0040D712 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0040D716 |. C64424 64 05 mov byte ptr [esp+64], 5
0040D71B |. E8 C2180000 call <jmp.&MFC42.#800> ; ~B_no
0040D720 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0040D724 |. C64424 64 02 mov byte ptr [esp+64], 2
0040D729 |. E8 B4180000 call <jmp.&MFC42.#800> ; ~B_ok
0040D72E |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0040D732 |. C64424 64 01 mov byte ptr [esp+64], 1
0040D737 |. E8 A6180000 call <jmp.&MFC42.#800> ; ~machine id
0040D73C |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0040D740 |. C64424 64 00 mov byte ptr [esp+64], 0
0040D745 |. E8 98180000 call <jmp.&MFC42.#800> ; ~first32
0040D74A |. 8D4C24 6C lea ecx, dword ptr [esp+6C]
0040D74E |. C74424 64 FFF>mov dword ptr [esp+64], -1 ; EH state = -1: nothing left to unwind
0040D756 |. E8 87180000 call <jmp.&MFC42.#800> ; ~A
0040D75B |. 33C0 xor eax, eax ; return 0
0040D75D |. 8B4C24 5C mov ecx, dword ptr [esp+5C] ; saved previous fs:[0]
0040D761 |. 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH frame
0040D768 |. 5F pop edi
0040D769 |. 5E pop esi
0040D76A |. 5D pop ebp
0040D76B |. 5B pop ebx
0040D76C |. 83C4 58 add esp, 58 ; 0x4C locals + the 3 SEH dwords
0040D76F |. C3 retn
0040D770 |> 8D4424 20 lea eax, dword ptr [esp+20] ; hidden return slot for a static call with no `this`
0040D774 |. 50 push eax
0040D775 |. E8 EE190000 call <jmp.&MFC42.#3811> ; shape matches CTime::GetCurrentTime() -- TODO confirm #3811
0040D77A |. 8B08 mov ecx, dword ptr [eax] ; ecx = the returned 32-bit value
0040D77C |. 8B5424 1C mov edx, dword ptr [esp+1C] ; s2 = first 32 chars of the entered code
0040D780 |. 8B4424 10 mov eax, dword ptr [esp+10] ; s1 = hex(hash(B_no))
0040D784 |. 52 push edx
0040D785 |. 50 push eax
0040D786 |. 894C24 3C mov dword ptr [esp+3C], ecx ; park the #3811 value at [esp+34] across the call
0040D78A |. FFD6 call esi ; _mbscmp(s1, s2)
0040D78C |. 83C4 08 add esp, 8
0040D78F |. 85C0 test eax, eax
0040D791 |. 0F85 06010000 jnz 0040D89D ; neither variant matched -> return -1
0040D797 |. 51 push ecx ; reserves a 4-byte by-value argument slot (ecx is stale after the cdecl call; overwritten below)
0040D798 |. 8D4C24 38 lea ecx, dword ptr [esp+38] ; this = the parked #3811 value
0040D79C |. 8BC4 mov eax, esp
0040D79E |. 896424 3C mov dword ptr [esp+3C], esp
0040D7A2 |. 8928 mov dword ptr [eax], ebp ; argument = the value built from A by #551
0040D7A4 |. E8 17E1FFFF call 0040B8C0 ; body not shown; given the operands, presumably compares the two date values -- confirm
0040D7A9 |. 85C0 test eax, eax
0040D7AB |. 885C24 64 mov byte ptr [esp+64], bl ; mov/lea keep the flags from `test` alive for the je
0040D7AF |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0040D7B3 |. 74 74 je short 0040D829 ; 0040B8C0 == 0 -> return 2; otherwise fall through -> return 1
0040D7B5 |. E8 28180000 call <jmp.&MFC42.#800> ; ~hex_no  (same teardown sequence as the return-0 path)
0040D7BA |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040D7BE |. C64424 64 08 mov byte ptr [esp+64], 8
0040D7C3 |. E8 1A180000 call <jmp.&MFC42.#800> ; ~hex_ok
0040D7C8 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0040D7CC |. C64424 64 05 mov byte ptr [esp+64], 5
0040D7D1 |. E8 0C180000 call <jmp.&MFC42.#800> ; ~B_no
0040D7D6 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0040D7DA |. C64424 64 02 mov byte ptr [esp+64], 2
0040D7DF |. E8 FE170000 call <jmp.&MFC42.#800> ; ~B_ok
0040D7E4 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0040D7E8 |. C64424 64 01 mov byte ptr [esp+64], 1
0040D7ED |. E8 F0170000 call <jmp.&MFC42.#800> ; ~machine id
0040D7F2 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0040D7F6 |. C64424 64 00 mov byte ptr [esp+64], 0
0040D7FB |. E8 E2170000 call <jmp.&MFC42.#800> ; ~first32
0040D800 |. 8D4C24 6C lea ecx, dword ptr [esp+6C]
0040D804 |. C74424 64 FFF>mov dword ptr [esp+64], -1
0040D80C |. E8 D1170000 call <jmp.&MFC42.#800> ; ~A
0040D811 |. B8 01000000 mov eax, 1 ; return 1 ("no" variant matched, 0040B8C0 != 0)
0040D816 |. 8B4C24 5C mov ecx, dword ptr [esp+5C]
0040D81A |. 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH frame
0040D821 |. 5F pop edi
0040D822 |. 5E pop esi
0040D823 |. 5D pop ebp
0040D824 |. 5B pop ebx
0040D825 |. 83C4 58 add esp, 58
0040D828 |. C3 retn
0040D829 |> E8 B4170000 call <jmp.&MFC42.#800> ; ~hex_no  (ecx was set before the je; same teardown again)
0040D82E |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040D832 |. C64424 64 08 mov byte ptr [esp+64], 8
0040D837 |. E8 A6170000 call <jmp.&MFC42.#800> ; ~hex_ok
0040D83C |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0040D840 |. C64424 64 05 mov byte ptr [esp+64], 5
0040D845 |. E8 98170000 call <jmp.&MFC42.#800> ; ~B_no
0040D84A |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0040D84E |. C64424 64 02 mov byte ptr [esp+64], 2
0040D853 |. E8 8A170000 call <jmp.&MFC42.#800> ; ~B_ok
0040D858 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0040D85C |. C64424 64 01 mov byte ptr [esp+64], 1
0040D861 |. E8 7C170000 call <jmp.&MFC42.#800> ; ~machine id
0040D866 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0040D86A |. C64424 64 00 mov byte ptr [esp+64], 0
0040D86F |. E8 6E170000 call <jmp.&MFC42.#800> ; ~first32
0040D874 |. 8D4C24 6C lea ecx, dword ptr [esp+6C]
0040D878 |. C74424 64 FFF>mov dword ptr [esp+64], -1
0040D880 |. E8 5D170000 call <jmp.&MFC42.#800> ; ~A
0040D885 |. B8 02000000 mov eax, 2 ; return 2 ("no" variant matched, 0040B8C0 == 0)
0040D88A |. 8B4C24 5C mov ecx, dword ptr [esp+5C]
0040D88E |. 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH frame
0040D895 |. 5F pop edi
0040D896 |. 5E pop esi
0040D897 |. 5D pop ebp
0040D898 |. 5B pop ebx
0040D899 |. 83C4 58 add esp, 58
0040D89C |. C3 retn
0040D89D |> 8D4C24 10 lea ecx, dword ptr [esp+10] ; no match: tear down, then fall into the -1 epilogue
0040D8A1 |. 885C24 64 mov byte ptr [esp+64], bl
0040D8A5 |. E8 38170000 call <jmp.&MFC42.#800> ; ~hex_no
0040D8AA |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040D8AE |. C64424 64 08 mov byte ptr [esp+64], 8
0040D8B3 |. E8 2A170000 call <jmp.&MFC42.#800> ; ~hex_ok
0040D8B8 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0040D8BC |. C64424 64 05 mov byte ptr [esp+64], 5
0040D8C1 |. E8 1C170000 call <jmp.&MFC42.#800> ; ~B_no
0040D8C6 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0040D8CA |. C64424 64 02 mov byte ptr [esp+64], 2
0040D8CF |. E8 0E170000 call <jmp.&MFC42.#800> ; ~B_ok
0040D8D4 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0040D8D8 |. C64424 64 01 mov byte ptr [esp+64], 1
0040D8DD |. E8 00170000 call <jmp.&MFC42.#800> ; ~machine id
0040D8E2 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0040D8E6 |. C64424 64 00 mov byte ptr [esp+64], 0
0040D8EB |. E8 F2160000 call <jmp.&MFC42.#800> ; ~first32
0040D8F0 |. 8D4C24 6C lea ecx, dword ptr [esp+6C]
0040D8F4 |. C74424 64 FFF>mov dword ptr [esp+64], -1
0040D8FC |. E8 E1160000 call <jmp.&MFC42.#800> ; ~A
0040D901 |> 8B4C24 5C mov ecx, dword ptr [esp+5C] ; shared -1 epilogue; the length-check jnz lands here with no temporaries constructed
0040D905 |. 5F pop edi
0040D906 |. 5E pop esi
0040D907 |. 5D pop ebp
0040D908 |. 83C8 FF or eax, FFFFFFFF ; return -1
0040D90B |. 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH frame
0040D912 |. 5B pop ebx
0040D913 |. 83C4 58 add esp, 58
0040D916 \. C3 retn
算法总结:
1、注册码后八位,记作A,
2、机器码(硬盘)+A+zdbit_ok_!!@3 连接成待加密字符串,记作B,
3、待加密字符串B经过MD5加密转换后输出32位字符串,记作C
4、C+A即为真正的注册码!