圣诞闲来无聊,拿个缘分测试软件测试了自己与女孩子的缘分,结果竟然有98分,评语是“千年等一回”,真的有这么神吗?于是产生了看看它计算过程的冲动。
软件名称:缘分测试
下载地址:http://www.skycn.net/soft/21402.html 天空软件的东西,可以放心的。
调试工具:OD
开工。首先用OD插件Ultra String Reference查找“千年等一回”,在
0040195A push 200401.00429068 “千年等一回”
在该过程的起始处401780下断,开始调试。
; ---------------------------------------------------------------------------
; OllyDbg listing (Intel syntax, x86-32) of the score handler at 00401780.
; thiscall: ecx = this (the MFC dialog object), kept in esi.
; Members read from `this` (offsets as used below):
;   [esi+60] CString first name ("boy")   [esi+64] CString second name ("girl")
;   [esi+68] CString result text          [esi+20] HWND (passed to InvalidateRect)
; MFC42 ordinals are reached through import thunks; the identities given below
; (#6334 CWnd::UpdateData, #540/#800 CString ctor/dtor, #860 CString::operator=,
; #2818 CString::Format, #4224 CWnd::MessageBoxA) are inferred from usage —
; confirm against the MFC42 export table.
; Frame after the four pushes: [esp+10] local CString (verdict text),
; [esp+14] boy-name byte sum, [esp+18] girl-name byte sum,
; [esp+1C] previous fs:[0], [esp+24] EH state index.
; Register roles: ebx = girl sum, later score; edi = boy sum, later &_mbscmp,
; later rank; ebp = current byte; eax = loop index / compare result.
; ---------------------------------------------------------------------------
00401780 push -1 ; MSVC EH frame: EH state index starts at -1 (no live locals)
00401782 push 200401.00420E18 ; EH handler record
00401787 mov eax,dword ptr fs:[0] ; previous SEH registration record
0040178D push eax ; becomes [esp+1C] once the four register pushes are done
0040178E mov dword ptr fs:[0],esp ; link this frame into the SEH chain
00401795 sub esp,0C ; three dword locals
00401798 push ebx ; save callee-saved registers
00401799 push ebp
0040179A push esi
0040179B push edi
0040179C mov esi,ecx ; esi = this
0040179E push 1 ; argument 1 (TRUE): presumably UpdateData(TRUE) — read controls into members
004017A0 call <jmp.&MFC42.#6334> ; MFC42 #6334, presumably CWnd::UpdateData
004017A5 mov edx,dword ptr ds:[esi+60] ; edx = boy name buffer (CString data pointer)
004017A8 xor edi,edi ; edi = boy sum = 0
004017AA xor ebx,ebx ; ebx = girl sum = 0
004017AC xor eax,eax ; eax = byte index = 0
004017AE mov ecx,dword ptr ds:[edx-8] ; ecx = string length (stored just before the buffer)
004017B1 mov dword ptr ss:[esp+14],edi ; [esp+14] = 0: boy sum for the empty case
004017B5 test ecx,ecx
004017B7 mov dword ptr ss:[esp+18],ebx ; [esp+18] = 0: girl sum for the empty case
004017BB jle short 200401.004017CC ; length <= 0: skip the loop
004017BD movsx ebp,byte ptr ds:[edx+eax] ; boy name byte, SIGN-extended: bytes >= 0x80 (e.g. GBK text) count as negative
004017C1 add edi,ebp ; running sum A
004017C3 inc eax ; next byte
004017C4 cmp eax,ecx
004017C6 jl short 200401.004017BD ; loop while index < length (signed compare)
004017C8 mov dword ptr ss:[esp+14],edi ; [esp+14] = A = sum of boy name bytes
004017CC mov ecx,dword ptr ds:[esi+64] ; ecx = girl name buffer
004017CF xor eax,eax ; index = 0
004017D1 mov edi,dword ptr ds:[ecx-8] ; edi = girl name length
004017D4 test edi,edi
004017D6 jle short 200401.004017E7 ; length <= 0: skip the loop
004017D8 movsx ebp,byte ptr ds:[ecx+eax] ; girl name byte, sign-extended as above
004017DC add ebx,ebp ; running sum B
004017DE inc eax
004017DF cmp eax,edi
004017E1 jl short 200401.004017D8 ; loop while index < length
004017E3 mov dword ptr ss:[esp+18],ebx ; [esp+18] = B = sum of girl name bytes
004017E7 mov edi,dword ptr ds:[<&MSVCRT._mbscmp>] ; edi = &_mbscmp, reused for every string compare below
004017ED push 200401.004297E4 ; string at 4297E4 (contents not in this listing; the branch suggests "" — confirm)
004017F2 push edx ; boy name
004017F3 call edi ; _mbscmp(boy, s4297E4); 0 means equal
004017F5 add esp,8
004017F8 test eax,eax
004017FA je 200401.0040198C ; boy name matches (presumably empty): leave without scoring
00401800 mov eax,dword ptr ds:[esi+64]
00401803 push 200401.004297E4
00401808 push eax ; girl name
00401809 call edi ; _mbscmp(girl, s4297E4)
0040180B add esp,8
0040180E test eax,eax
00401810 je 200401.0040198C ; girl name matches (presumably empty): leave without scoring
00401816 fild dword ptr ss:[esp+14] ; st0 = A (author's run: -167)
0040181A fadd qword ptr ds:[4228D8] ; st0 += 3.76793 (double constant at 4228D8)
00401820 fimul dword ptr ss:[esp+18] ; st0 *= B (author's run: -182)
00401824 fsin ; st0 = sin(st0), in [-1, 1]
00401826 fadd qword ptr ds:[4228D0] ; st0 += 1.0 -> [0, 2]
0040182C fmul qword ptr ds:[4228C8] ; st0 *= 50.0 -> [0, 100]
00401832 call <jmp.&MSVCRT._ftol> ; eax = (int)st0, truncated toward zero; pops st0
00401837 mov ebx,eax ; ebx = score, 0..100
00401839 mov eax,dword ptr ds:[esi+60]
0040183C push 200401.00429248 ; ASCII "Romeo"
00401841 push eax ; boy name
00401842 call edi ; boy == "Romeo"? (_mbscmp is case-sensitive, hence the lowercase pass below)
00401844 add esp,8
00401847 test eax,eax
00401849 jnz short 200401.00401864 ; no: try the lowercase pair
0040184B mov eax,dword ptr ds:[esi+64]
0040184E push 200401.00429240 ; ASCII "Julia"
00401853 push eax ; girl name
00401854 call edi ; girl == "Julia"?
00401856 add esp,8
00401859 test eax,eax
0040185B jnz short 200401.00401864
0040185D mov ebx,64 ; Romeo + Julia: score = 0x64 = 100
00401862 jmp short 200401.004018B8
00401864 mov eax,dword ptr ds:[esi+60]
00401867 push 200401.00429238 ; ASCII "romeo"
0040186C push eax ; boy name
0040186D call edi ; boy == "romeo"?
0040186F add esp,8
00401872 test eax,eax
00401874 jnz short 200401.0040188F ; no: try the Chinese pair
00401876 mov eax,dword ptr ds:[esi+64]
00401879 push 200401.00429230 ; ASCII "julia"
0040187E push eax ; girl name
0040187F call edi ; girl == "julia"?
00401881 add esp,8
00401884 test eax,eax
00401886 jnz short 200401.0040188F
00401888 mov ebx,64 ; romeo + julia: score = 100
0040188D jmp short 200401.004018B8
0040188F mov eax,dword ptr ds:[esi+60]
00401892 push 200401.00429228 ; string "梁山伯" (Liang Shanbo)
00401897 push eax ; boy name
00401898 call edi ; boy == "梁山伯"?
0040189A add esp,8
0040189D test eax,eax
0040189F jnz short 200401.004018B8 ; no: keep the computed score
004018A1 mov eax,dword ptr ds:[esi+64]
004018A4 push 200401.00429220 ; string "祝英台" (Zhu Yingtai)
004018A9 push eax ; girl name
004018AA call edi ; girl == "祝英台"?
004018AC add esp,8
004018AF test eax,eax
004018B1 jnz short 200401.004018B8
004018B3 mov ebx,63 ; 梁山伯 + 祝英台: score = 0x63 = 99
004018B8 push ebx ; score (vararg)
004018B9 lea eax,dword ptr ds:[esi+68] ; &result CString
004018BC push 200401.0042921C ; format string (constant, not user-controlled)
004018C1 push eax ; this, passed on the stack (cdecl varargs)
004018C2 call <jmp.&MFC42.#2818> ; presumably CString::Format(fmt, score)
004018C7 add esp,0C ; caller cleans the three arguments
004018CA mov ecx,esi ; this
004018CC push 0 ; argument 0 (FALSE): presumably UpdateData(FALSE) — push members back to controls
004018CE call <jmp.&MFC42.#6334>
004018D3 mov ecx,dword ptr ds:[esi+20] ; HWND
004018D6 push 1 ; bErase = TRUE
004018D8 push 0 ; lpRect = NULL (whole client area)
004018DA push ecx ; hWnd
004018DB call dword ptr ds:[<&USER32.InvalidateRect>] ; \InvalidateRect
004018E1 lea ecx,dword ptr ds:[ebx+5] ; ecx = score + 5 (rank computation starts here)
004018E4 mov eax,66666667 ; compiler idiom for signed division by 10: 0x66666667 = ceil(2^34 / 10)
004018E9 imul ecx ; edx:eax = (score + 5) * 0x66666667
004018EB sar edx,2 ; edx = product >> 34 (high dword already supplies >> 32)
004018EE mov eax,edx
004018F0 lea ecx,dword ptr ss:[esp+10] ; this = local CString for the ctor below; lea does not touch flags
004018F4 shr eax,1F ; eax = sign bit of the quotient
004018F7 add edx,eax ; correct toward zero for negatives -> edx = (score + 5) / 10
004018F9 mov edi,edx ; edi = rank 0..10: 0-4 -> 0, 5-14 -> 1, ..., 95-100 -> 10 (score rounded to nearest ten)
004018FB call <jmp.&MFC42.#540> ; presumably CString::CString() on [esp+10]
00401900 cmp edi,0A ; bounds check for the 11-entry jump table (cases 0..A)
00401903 mov dword ptr ss:[esp+24],0 ; EH state 0: the local CString is now live
0040190B ja short 200401.00401968 ; unsigned compare, so a rank above 10 (or a negative one) takes the default case
0040190D jmp dword ptr ds:[edi*4+4019A0] ; dispatch through the table at 4019A0
00401914 push 200401.00429204 ; Case 0 of switch 00401900: verdict string
00401919 jmp short 200401.0040195F
0040191B push 200401.004291F0 ; Case 1 of switch 00401900
00401920 jmp short 200401.0040195F
00401922 push 200401.004291D8 ; Case 2 of switch 00401900
00401927 jmp short 200401.0040195F
00401929 push 200401.004291C0 ; Case 3 of switch 00401900
0040192E jmp short 200401.0040195F
00401930 push 200401.00429178 ; Case 4 of switch 00401900
00401935 jmp short 200401.0040195F
00401937 push 200401.00429150 ; Case 5 of switch 00401900
0040193C jmp short 200401.0040195F
0040193E push 200401.00429110 ; Case 6 of switch 00401900
00401943 jmp short 200401.0040195F
00401945 push 200401.004290E0 ; Case 7 of switch 00401900
0040194A jmp short 200401.0040195F
0040194C push 200401.004290B0 ; Case 8 of switch 00401900
00401951 jmp short 200401.0040195F
00401953 push 200401.00429078 ; Case 9 of switch 00401900
00401958 jmp short 200401.0040195F
0040195A push 200401.00429068 ; Case A of switch 00401900: "千年等一回", the top verdict (score 95..100)
0040195F lea ecx,dword ptr ss:[esp+14] ; same local CString — one push has moved esp since 004018F0
00401963 call <jmp.&MFC42.#860> ; presumably CString::operator=(const char*)
00401968 mov ecx,dword ptr ss:[esp+10] ; verdict buffer pointer; the default case arrives with the empty string
0040196C push 0 ; nType = 0 (plain OK box)
0040196E push 200401.0042905C ; caption
00401973 push ecx ; text
00401974 mov ecx,esi ; this
00401976 call <jmp.&MFC42.#4224> ; presumably CWnd::MessageBoxA(text, caption, 0)
0040197B lea ecx,dword ptr ss:[esp+10] ; this = local CString
0040197F mov dword ptr ss:[esp+24],-1 ; EH state back to -1 before the destructor
00401987 call <jmp.&MFC42.#800> ; presumably CString::~CString
0040198C mov ecx,dword ptr ss:[esp+1C] ; previous SEH registration (common exit, also reached from the empty-name checks)
00401990 pop edi ; restore callee-saved registers
00401991 pop esi
00401992 pop ebp
00401993 pop ebx
00401994 mov dword ptr fs:[0],ecx ; unlink this frame from the SEH chain
0040199B add esp,18 ; locals (0C) + EH record / saved fs:[0] (0C)
0040199E retn ; thiscall with no stack arguments
0040199F nop
004019A0 dd 200401.00401914 ; Switch table used at 0040190D: rank -> verdict case (11 entries)
004019A4 dd 200401.0040191B
004019A8 dd 200401.00401922
004019AC dd 200401.00401929
004019B0 dd 200401.00401930
004019B4 dd 200401.00401937
004019B8 dd 200401.0040193E
004019BC dd 200401.00401945
004019C0 dd 200401.0040194C
004019C4 dd 200401.00401953
004019C8 dd 200401.0040195A
004019CC nop ; padding
004019CD nop
004019CE nop
004019CF nop
004019D0 jmp 200401.00401780 ; thunk to the handler above (the breakpoint target from the writeup)
总结:其实软件是取男孩名字的每个字节相加,结果为A;女孩名字的每个字节相加,结果为B,
{Sin[(A+3.76793)*B]+1}*50 经 _ftol 截断取整即为最终分数(取正弦后加1再乘50是为了保证结果在0-100之间;A、B 是按有符号字节累加的,所以含 GBK 汉字的名字会得到负的和)
然后按 (分数+5)/10 取整得到等级(相当于把分数四舍五入到十位;11个等级,对应0-A),不同等级有不同评语。
想哄女孩子的赶紧拿去玩玩吧。