=====================================================
; OllyDbg disassembly window, 32-bit x86 (Intel syntax), MFC42-based application.
; Loop body of the serial-derivation routine, 00401C27-00401C6C.
; Register roles as far as this window shows (the setup code is above it):
;   esi  = loop index i
;   ebp  = loop bound (compared with esi at 00401C6A)
;   edi  = base of the output byte buffer (the XOR result is stored through [esi+edi])
;   eax  = dword from [esp+18h]; added to (esi+edi) to fetch the first source byte,
;          so it presumably holds the first source string expressed as an offset
;          from the output buffer -- confirm in the preceding code
;   [esp+48h], [esp+44h] = pointers to the second and third source byte strings
; Per iteration: out[i] = s1[i] ^ s3[i] ^ s2[i]; the signed value of that byte is then
; formatted with "%d" and appended to an accumulator CString.
; Security note: this is an unkeyed XOR of three byte streams whose inputs (a fixed
; string, the machine ID and the user name) are all available on the client, so it
; offers no cryptographic protection as a licence check; a robust scheme would verify
; a signature or keyed MAC over the machine ID and user name instead of recomputing a
; reversible function locally.
00401C27 |> 8B4424 18 /mov eax, dword ptr [esp+18] ; loop top (target of the jl below): eax = [esp+18h], base/offset for the first source byte (used at 00401C3C)
00401C2B |> 8B4C24 48 mov ecx, dword ptr [esp+48] ; also marked as a jump target, apparently entered from outside this window; ecx = source string 2
00401C2F |. 8A140E |mov dl, byte ptr [esi+ecx] ; dl = s2[i]
00401C32 |. 8B4C24 44 |mov ecx, dword ptr [esp+44] ; ecx = source string 3
00401C36 |. 8A1C0E |mov bl, byte ptr [esi+ecx] ; bl = s3[i]
00401C39 |. 8D0C3E |lea ecx, dword ptr [esi+edi] ; ecx = &out[i] (address arithmetic only; flags untouched)
00401C3C |. 8A0408 |mov al, byte ptr [eax+ecx] ; al = s1[i]: byte at eax + esi + edi (the worked example below shows successive bytes of a fixed string)
00401C3F |. 32C3 |xor al, bl ; al ^= s3[i]
00401C41 |. 32C2 |xor al, dl ; al ^= s2[i]  -> al = s1[i] ^ s3[i] ^ s2[i]
00401C43 |. 0FBED0 |movsx edx, al ; edx = (int)(signed char)al; a byte >= 80h becomes a negative number in the "%d" text
00401C46 |. 8801 |mov byte ptr [ecx], al ; out[i] = raw XOR byte
00401C48 |. 52 |push edx ; vararg for Format: the signed byte value
00401C49 |. 8D4424 18 |lea eax, dword ptr [esp+18] ; eax = &tmpStr (stack local; esp already moved by the push above)
00401C4D |. 68 34504C00 |push 004C5034 ; ASCII "%d" -- format string
00401C52 |. 50 |push eax ; this = &tmpStr
00401C53 |. E8 A0730900 |call <jmp.&MFC42.#2818> ; CString::Format(&tmpStr, "%d", edx)
00401C58 |. 83C4 0C |add esp, 0C ; caller pops the 3 dwords (cdecl varargs)
00401C5B |. 8D4C24 14 |lea ecx, dword ptr [esp+14] ; ecx = &tmpStr (same slot as at 00401C49)
00401C5F |. 51 |push ecx ; arg = &tmpStr
00401C60 |. 8D4C24 14 |lea ecx, dword ptr [esp+14] ; ecx = this = &resultStr (a different local; esp moved by the push)
00401C64 |. E8 9B730900 |call <jmp.&MFC42.#939> ; presumably CString::operator+=(const CString&): resultStr += tmpStr -- confirm the ordinal
00401C69 |. 46 |inc esi ; i++
00401C6A |. 3BF5 |cmp esi, ebp ; compare i with the loop bound
00401C6C |.^ 7C B9 \jl short 00401C27 ; loop while i < bound (signed compare)
举例:
al 依次取自字符串 VisualTB10 的各字节 (应该是固定的字符串,每台电脑上都是一样的)
bl 依次取自 1209359162 的各字节 (这是我电脑的 MACHINE ID)
dl 依次取自 zucc_bug 的各字节 (我输入的用户名)
以下是正确的注册码
29 46 32 47 13 59 24 20
//以下是计算序列号的过程:
xor al, bl ; al = 56('V') xor bl=31('1') -> al = 67
xor al, dl ; al = 67 xor dl=7A('z') -> al = 1D = 29
——————————————————————————————————————————————
xor al, bl ; al = 69('i') xor bl=32('2') -> al = 5B
xor al, dl ; al = 5B xor dl=75('u') -> al = 2E = 46
——————————————————————————————————————————————
xor al, bl ; al = 73('s') xor bl=30('0') -> al = 43
xor al, dl ; al = 43 xor dl=63('c') -> al = 20 = 32
xor al, bl ; al = 75('u') xor bl=39('9') -> al = 4C
xor al, dl ; al = 4C xor dl=63('c') -> al = 2F = 47
......................