苍鹰象棋1.0 注册算法分析
发表于: 2004-5-16 11:42 10815

苍鹰象棋1.0 注册算法分析

【破文作者】 simonzh2000[US]

【使用工具】 Ollydbg1.10B, UnPECompact, PEid0.92

【破解平台】 Win2000SP4 English

【软件名称】 苍鹰象棋 1.0 

【软件简介】 象棋苍鹰软件是中国大陆大连金星工作室生产的一款人工智能软件。本程序的特点是功能多,棋力强,集人机对弈和打谱软件于一身,是学习象棋,提高象棋水平的好帮手。
           本程式的联众对弈功能是采用了联众外挂软件的方式实现的,即使联众的内部协议改变了,本系统也能正常运行。

【软件主页】 [url]http://www.cangying.com[/url]

【加壳方式】 PECompact, 用UNPECompact脱壳即可
	   
【作者声明】 本软件用了 机器码 + Keyfile 的注册方式. MFC 程序.
           注册机是我去年写的, 但一直没有公布, 现在苍鹰象棋 2.0 快推出了, 公布本文对作者影响不大吧.
           本笔记只用于学习交流, 初学Crack,只是感兴趣技术,没有其他目的, 如有不妥之处, 希望作者谅解.


【破解之旅】

程序启动后查找 Keyfile (程序目录下的 goshawk.dat), 如没有找到则弹出一个对话框, 显示机器码, 要求用户提供 Keyfile 位置.

OD 出场,   对 MFC42.#4710_?OnInitDialog@CDialog@@UAEHXZ  下断, F9, 


00408CD0   .  81EC 84030000 SUB ESP,384                                                        ;  // InitDialog
00408CD6   .  53            PUSH EBX
00408CD7   .  55            PUSH EBP
00408CD8   .  56            PUSH ESI
00408CD9   .  57            PUSH EDI
00408CDA   .  8BD9          MOV EBX,ECX
00408CDC   .  E8 1B780200   CALL <JMP.&MFC42.#4710_?OnInitDialog@CDialog@@UAEHXZ>
00408CE1   .  6A 00         PUSH 0                                                             ; /Arg2 = 00000000
00408CE3   .  53            PUSH EBX                                                           ; |Arg1
00408CE4   .  8D4B 60       LEA ECX,DWORD PTR DS:[EBX+60]                                      ; |
00408CE7   .  E8 34220100   CALL chess.0041AF20                                                ; \chess.0041AF20
00408CEC   .  8D4424 74     LEA EAX,DWORD PTR SS:[ESP+74]
00408CF0   .  50            PUSH EAX
00408CF1   .  E8 6A200200   CALL chess.0042AD60                                                ;  //取程序路径
00408CF6   .  BF ECF44300   MOV EDI,chess.0043F4EC                                             ;  ASCII "\buy.html"

...

00408D64   .  8D4C24 10     LEA ECX,DWORD PTR SS:[ESP+10]
00408D68   .  51            PUSH ECX
00408D69   .  E8 12680000   CALL chess.0040F580                                                ;  //计算机器码, 我们就不跟了, F8
00408D6E   .  83C4 04       ADD ESP,4
00408D71   .  8D5424 10     LEA EDX,DWORD PTR SS:[ESP+10]
00408D75   .  8D8B 00020000 LEA ECX,DWORD PTR DS:[EBX+200]
00408D7B   .  52            PUSH EDX
00408D7C   .  E8 4B770200   CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
00408D81   .  6A 00         PUSH 0
00408D83   .  8BCB          MOV ECX,EBX
00408D85   .  E8 6C770200   CALL <JMP.&MFC42.#6334_?UpdateData@CWnd@@QAEHH@Z>
00408D8A   .  BF D0084400   MOV EDI,chess.004408D0
00408D8F   .  83C9 FF       OR ECX,FFFFFFFF
00408D92   .  33C0          XOR EAX,EAX
00408D94   .  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]
00408D96   .  F7D1          NOT ECX
00408D98   .  2BF9          SUB EDI,ECX
00408D9A   .  8BC1          MOV EAX,ECX
00408D9C   .  8BF7          MOV ESI,EDI
00408D9E   .  BF 9C684D00   MOV EDI,chess.004D689C
00408DA3   .  C1E9 02       SHR ECX,2
00408DA6   .  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00408DA8   .  8BC8          MOV ECX,EAX
00408DAA   .  83E1 03       AND ECX,3
00408DAD   .  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00408DAF   .  8BCB          MOV ECX,EBX
00408DB1   .  E8 4A040000   CALL chess.00409200                                                ;  //检查注册文件, F7 跟进
00408DB6   .  5F            POP EDI
00408DB7   .  5E            POP ESI
00408DB8   .  5D            POP EBP
00408DB9   .  B8 01000000   MOV EAX,1
00408DBE   .  5B            POP EBX
00408DBF   .  81C4 84030000 ADD ESP,384
00408DC5   .  C3            RETN






; 00409200 — validate "<exe dir>\goshawk.dat" against the machine code held in the dialog's CString at this+0x200.
; Returns 1 (after CDialog::OnOK) when the file checks out, 0 otherwise. The file layout this routine checks:
;   [0..9]    "GHKFORREG" + NUL          [10..13] little-endian payload length N, must be < 0x400
;   [14..14+N) payload: N bytes; after bitwise NOT of every byte and reversing the run it must equal the machine code
; Only these 14+N bytes are validated here; the rest of the (>= 3090-byte) file is not inspected by this routine.
; NOTE(review): the "cipher" is an unkeyed NOT + reverse of the machine code that the program itself displays, so
; anyone who sees the machine code can forge a valid file — no secret and no signature is involved anywhere below.
00409200   $  55            PUSH EBP
00409201   .  8BEC          MOV EBP,ESP
00409203   .  6A FF         PUSH -1
00409205   .  68 C8184300   PUSH chess.004318C8                                                ;  SE handler installation (C++ EH frame; the funclet at 409416 appears to be its handler — confirm)
0040920A   .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00409210   .  50            PUSH EAX
00409211   .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00409218   .  81EC 4C070000 SUB ESP,74C                                                        ;  locals: [EBP-758] path (0x320 bytes), [EBP-438] payload (0x400 bytes), [EBP-38] header (10 bytes), [EBP-20] CFile
0040921E   .  8B81 00020000 MOV EAX,DWORD PTR DS:[ECX+200]                                     ;  m_machineCode: the CString at this+0x200 (assigned in OnInitDialog at 408D7C)
00409224   .  894D D8       MOV DWORD PTR SS:[EBP-28],ECX                                      ;  save `this` (the dialog)
00409227   .  81C1 00020000 ADD ECX,200
0040922D   .  53            PUSH EBX
0040922E   .  8B40 F8       MOV EAX,DWORD PTR DS:[EAX-8]                                       ;  its length — presumably MFC42's CString header, kept 8 bytes before the text
00409231   .  56            PUSH ESI
00409232   .  57            PUSH EDI
00409233   .  8965 F0       MOV DWORD PTR SS:[EBP-10],ESP
00409236   .  50            PUSH EAX
00409237   .  E8 FA710200   CALL <JMP.&MFC42.#2915_?GetBuffer@CString@@QAEPADH@Z>              ;  GetBuffer(len): writable char* to the machine-code text (20 chars in the author's run)
0040923C   .  8D8D A8F8FFFF LEA ECX,DWORD PTR SS:[EBP-758]
00409242   .  8945 D4       MOV DWORD PTR SS:[EBP-2C],EAX                                      ;  keep the machine-code pointer for the compare at 40938B
00409245   .  51            PUSH ECX
00409246   .  E8 151B0200   CALL chess.0042AD60                                                ;  fill [EBP-758] with the program's directory (author's note; body not shown here)
0040924B   .  BF 14F54300   MOV EDI,chess.0043F514                                             ;  ASCII "\goshawk.dat"
00409250   .  83C9 FF       OR ECX,FFFFFFFF
00409253   .  33C0          XOR EAX,EAX
00409255   .  83C4 04       ADD ESP,4
00409258   .  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]                                       ;  inlined strlen("\goshawk.dat") ...
0040925A   .  F7D1          NOT ECX                                                            ;  ... ECX = length including the NUL
0040925C   .  2BF9          SUB EDI,ECX                                                        ;  EDI back to the start of the literal
0040925E   .  8D95 A8F8FFFF LEA EDX,DWORD PTR SS:[EBP-758]
00409264   .  8BF7          MOV ESI,EDI
00409266   .  8BD9          MOV EBX,ECX
00409268   .  8BFA          MOV EDI,EDX
0040926A   .  83C9 FF       OR ECX,FFFFFFFF
0040926D   .  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]                                       ;  find the NUL at the end of the directory string
0040926F   .  8BCB          MOV ECX,EBX
00409271   .  4F            DEC EDI                                                            ;  EDI -> that NUL; the copy below overwrites it (inlined strcat)
00409272   .  C1E9 02       SHR ECX,2
00409275   .  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]                     ;  append "\goshawk.dat" (dwords first ...
00409277   .  8BCB          MOV ECX,EBX
00409279   .  83E1 03       AND ECX,3
0040927C   .  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]                       ;  ... then the remaining bytes); no bound on the destination beyond the 0x320-byte local
0040927E   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00409281   .  E8 FA720200   CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>                            ;  CFile file;  (at [EBP-20])
00409286   .  33DB          XOR EBX,EBX                                                        ;  EBX = 0 for the rest of the routine (zero / NUL operand below)
00409288   .  8D85 A8F8FFFF LEA EAX,DWORD PTR SS:[EBP-758]
0040928E   .  53            PUSH EBX                                                           ;  pError = NULL
0040928F   .  53            PUSH EBX                                                           ;  nOpenFlags = 0 (read-only in MFC's CFile)
00409290   .  50            PUSH EAX                                                           ;  lpszFileName = "<exe dir>\goshawk.dat"
00409291   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00409294   .  895D FC       MOV DWORD PTR SS:[EBP-4],EBX                                       ;  EH state 0: the CFile object now needs destroying on unwind
00409297   .  E8 DE720200   CALL <JMP.&MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z> ;  file.Open(path, 0, NULL) — the registration file "goshawk.dat"
0040929C   .  85C0          TEST EAX,EAX
0040929E   .  0F84 88010000 JE chess.0040942C                                                  ;  open failed -> return 0; the caller then shows the key-file dialog (handler at 408F80 below)
                                                                                               
                                                                                               ;  everything from here on runs only once the file is open
004092A4   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
004092A7   .  C645 FC 01    MOV BYTE PTR SS:[EBP-4],1                                          ;  EH state 1: file is open, Close() it on unwind
004092AB   .  E8 C4720200   CALL <JMP.&MFC42.#3318_?GetLength@CFile@@UBEKXZ>
004092B0   .  3D 120C0000   CMP EAX,0C12                                                       ;  file must be >= 0xC12 = 3090 bytes
004092B5   .  0F82 69010000 JB chess.00409424                                                  ;  shorter -> close the file and fail
004092BB   .  8D4D C8       LEA ECX,DWORD PTR SS:[EBP-38]
004092BE   .  6A 0A         PUSH 0A
004092C0   .  51            PUSH ECX
004092C1   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
004092C4   .  E8 A5720200   CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z>                    ;  Read(hdr, 10): the 10-byte magic header
004092C9   .  BE 48F54300   MOV ESI,chess.0043F548                                             ;  ASCII "GHKFORREG"
004092CE   .  8D45 C8       LEA EAX,DWORD PTR SS:[EBP-38]
004092D1   >  8A10          MOV DL,BYTE PTR DS:[EAX]                                           ;  inlined strcmp(hdr, "GHKFORREG"), two bytes per iteration
004092D3   .  8ACA          MOV CL,DL
004092D5   .  3A16          CMP DL,BYTE PTR DS:[ESI]
004092D7   .  75 1C         JNZ SHORT chess.004092F5                                           ;  mismatch
004092D9   .  3ACB          CMP CL,BL                                                          ;  both NUL -> equal (the literal's own NUL bounds the scan)
004092DB   .  74 14         JE SHORT chess.004092F1
004092DD   .  8A50 01       MOV DL,BYTE PTR DS:[EAX+1]
004092E0   .  8ACA          MOV CL,DL
004092E2   .  3A56 01       CMP DL,BYTE PTR DS:[ESI+1]
004092E5   .  75 0E         JNZ SHORT chess.004092F5
004092E7   .  83C0 02       ADD EAX,2
004092EA   .  83C6 02       ADD ESI,2
004092ED   .  3ACB          CMP CL,BL
004092EF   .^ 75 E0         JNZ SHORT chess.004092D1                                           ;  ===== end of header compare =====
004092F1   >  33C0          XOR EAX,EAX                                                        ;  equal -> 0
004092F3   .  EB 05         JMP SHORT chess.004092FA
004092F5   >  1BC0          SBB EAX,EAX                                                        ;  differ -> -1 / +1 (sign of the difference)
004092F7   .  83D8 FF       SBB EAX,-1
004092FA   >  3BC3          CMP EAX,EBX
004092FC   .  0F85 22010000 JNZ chess.00409424                                                 ;  wrong magic -> close the file and fail
00409302   .  8D45 DC       LEA EAX,DWORD PTR SS:[EBP-24]
00409305   .  6A 04         PUSH 4
00409307   .  50            PUSH EAX
00409308   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
0040930B   .  895D DC       MOV DWORD PTR SS:[EBP-24],EBX                                      ;  len = 0 before the read, so a short Read cannot leave stack garbage in it
0040930E   .  E8 5B720200   CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z>                    ;  Read(&len, 4): little-endian payload length
00409313   .  8B45 DC       MOV EAX,DWORD PTR SS:[EBP-24]
00409316   .  3D 00040000   CMP EAX,400                                                        ;  unsigned compare: len must be < 0x400 (1024)
0040931B   .  0F83 03010000 JNB chess.00409424                                                 ;  this bound is what keeps the Read below and the NUL store inside the 0x400-byte buffer at [EBP-438]
00409321   .  8D8D C8FBFFFF LEA ECX,DWORD PTR SS:[EBP-438]
00409327   .  50            PUSH EAX
00409328   .  51            PUSH ECX
00409329   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
0040932C   .  E8 3D720200   CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z>                    ;  Read(buf, len): the obfuscated payload (the author saw it at stack 10AE6C)
00409331   .  8B75 DC       MOV ESI,DWORD PTR SS:[EBP-24]                                      ;  ESI = len
00409334   .  33C0          XOR EAX,EAX
00409336   .  889C35 C8FBFF>MOV BYTE PTR SS:[EBP+ESI-438],BL                                   ;  buf[len] = 0 (len <= 0x3FF, so this stays inside the buffer)
0040933D   >  3BC6          CMP EAX,ESI
0040933F   .  7D 16         JGE SHORT chess.00409357                                           ;  for (i = 0; i < len; i++)
00409341   .  8A8C05 C8FBFF>MOV CL,BYTE PTR SS:[EBP+EAX-438]
00409348   .  80CA FF       OR DL,0FF
0040934B   .  2AD1          SUB DL,CL                                                          ;      0xFF - b == ~b
0040934D   .  889405 C8FBFF>MOV BYTE PTR SS:[EBP+EAX-438],DL                                   ;      buf[i] = ~buf[i]
00409354   .  40            INC EAX
00409355   .^ EB E6         JMP SHORT chess.0040933D                                           ;  ===== end of NOT loop =====
00409357   >  33C9          XOR ECX,ECX                                                        ;  i = 0
00409359   >  8BC6          MOV EAX,ESI
0040935B   .  99            CDQ
0040935C   .  2BC2          SUB EAX,EDX
0040935E   .  D1F8          SAR EAX,1                                                          ;  EAX = len / 2 (signed division, recomputed every iteration)
00409360   .  3BC8          CMP ECX,EAX
00409362   .  7D 27         JGE SHORT chess.0040938B                                           ;  for (i = 0; i < len/2; i++)
00409364   .  8BC6          MOV EAX,ESI
00409366   .  8A940D C8FBFF>MOV DL,BYTE PTR SS:[EBP+ECX-438]                                   ;      DL = buf[i]
0040936D   .  2BC1          SUB EAX,ECX
0040936F   .  41            INC ECX
00409370   .  8A9C05 C7FBFF>MOV BL,BYTE PTR SS:[EBP+EAX-439]                                   ;      BL = buf[len-1-i]
00409377   .  8D8405 C7FBFF>LEA EAX,DWORD PTR SS:[EBP+EAX-439]                                 ;      EAX = &buf[len-1-i]
0040937E   .  889C0D C7FBFF>MOV BYTE PTR SS:[EBP+ECX-439],BL                                   ;      buf[i] = BL (ECX was already incremented, hence the -439)
00409385   .  33DB          XOR EBX,EBX                                                        ;      restore EBX = 0
00409387   .  8810          MOV BYTE PTR DS:[EAX],DL                                           ;      buf[len-1-i] = DL
00409389   .^ EB CE         JMP SHORT chess.00409359                                           ;  ===== reverse in place =====
0040938B   >  8B75 D4       MOV ESI,DWORD PTR SS:[EBP-2C]                                      ;  ESI = machine-code text; compare the decoded payload against it
0040938E   .  8D85 C8FBFFFF LEA EAX,DWORD PTR SS:[EBP-438]
00409394   >  8A10          MOV DL,BYTE PTR DS:[EAX]                                           ;  inlined strcmp(buf, machineCode)
00409396   .  8ACA          MOV CL,DL
00409398   .  3A16          CMP DL,BYTE PTR DS:[ESI]
0040939A   .  75 1C         JNZ SHORT chess.004093B8
0040939C   .  3ACB          CMP CL,BL                                                          ;  stops at the first NUL: payload bytes after it are never looked at
0040939E   .  74 14         JE SHORT chess.004093B4
004093A0   .  8A50 01       MOV DL,BYTE PTR DS:[EAX+1]
004093A3   .  8ACA          MOV CL,DL
004093A5   .  3A56 01       CMP DL,BYTE PTR DS:[ESI+1]
004093A8   .  75 0E         JNZ SHORT chess.004093B8
004093AA   .  83C0 02       ADD EAX,2
004093AD   .  83C6 02       ADD ESI,2
004093B0   .  3ACB          CMP CL,BL
004093B2   .^ 75 E0         JNZ SHORT chess.00409394                                           ;  ===== end of machine-code compare =====
004093B4   >  33C0          XOR EAX,EAX
004093B6   .  EB 05         JMP SHORT chess.004093BD
004093B8   >  1BC0          SBB EAX,EAX
004093BA   .  83D8 FF       SBB EAX,-1
004093BD   >  3BC3          CMP EAX,EBX
004093BF   .  75 63         JNZ SHORT chess.00409424                                           ;  mismatch -> close the file and fail
004093C1   .  BF 6CF54300   MOV EDI,chess.0043F56C                                             ;  ASCII "NOTABCDE"
004093C6   .  83C9 FF       OR ECX,FFFFFFFF
004093C9   .  33C0          XOR EAX,EAX
004093CB   .  895D FC       MOV DWORD PTR SS:[EBP-4],EBX                                       ;  EH state back to 0 (only the CFile object left to destroy)
004093CE   .  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]
004093D0   .  F7D1          NOT ECX                                                            ;  strlen("NOTABCDE") + NUL = 9
004093D2   .  2BF9          SUB EDI,ECX
004093D4   .  8BC1          MOV EAX,ECX
004093D6   .  8BF7          MOV ESI,EDI
004093D8   .  BF 9C684D00   MOV EDI,chess.004D689C                                             ;  global string at 4D689C (OnInitDialog filled it from 4408D0 at 408D8A); presumably the "registered" marker — confirm
004093DD   .  C1E9 02       SHR ECX,2                                                          ;  ECX / 4 dwords ...
004093E0   .  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]                     ;  inlined strcpy(g_4D689C, "NOTABCDE") ...
004093E2   .  8BC8          MOV ECX,EAX
004093E4   .  83E1 03       AND ECX,3
004093E7   .  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]                       ;  ... then the remaining bytes
004093E9   .  8B4D D8       MOV ECX,DWORD PTR SS:[EBP-28]                                      ;  this
004093EC   .  E8 23710200   CALL <JMP.&MFC42.#4853_?OnOK@CDialog@@MAEXXZ>                      ;  OnOK(): all checks passed; per the author the key-file dialog is no longer shown
004093F1   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
004093F4   .  C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
004093FB   .  E8 56710200   CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>                            ;  ~CFile()
00409400   .  B8 01000000   MOV EAX,1                                                          ;  return 1 (registered)
00409405   .  8B4D F4       MOV ECX,DWORD PTR SS:[EBP-C]
00409408   .  64:890D 00000>MOV DWORD PTR FS:[0],ECX                                           ;  pop the SEH frame
0040940F   .  5F            POP EDI
00409410   .  5E            POP ESI
00409411   .  5B            POP EBX
00409412   .  8BE5          MOV ESP,EBP
00409414   .  5D            POP EBP
00409415   .  C3            RETN
00409416   .  8B4D D8       MOV ECX,DWORD PTR SS:[EBP-28]                                      ;  not reached by normal flow: looks like the EH catch funclet (returns its continuation address in EAX) — confirm
00409419   .  E8 3C700200   CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>                  ;  on an exception: OnCancel() ...
0040941E   .  B8 2C944000   MOV EAX,chess.0040942C                                             ;  ... then resume at the failure epilogue below
00409423   .  C3            RETN
00409424   >  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]                                      ;  failure while the file is open:
00409427   .  E8 3C710200   CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>                       ;  file.Close()
0040942C   >  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]                                      ;  failure epilogue: destroy the CFile and return 0
0040942F   .  C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00409436   .  E8 1B710200   CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>                            ;  ~CFile()
0040943B   .  8B4D F4       MOV ECX,DWORD PTR SS:[EBP-C]
0040943E   .  5F            POP EDI
0040943F   .  5E            POP ESI
00409440   .  33C0          XOR EAX,EAX                                                        ;  return 0 (not registered)
00409442   .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00409449   .  5B            POP EBX
0040944A   .  8BE5          MOV ESP,EBP
0040944C   .  5D            POP EBP
0040944D   .  C3            RETN




显示对话框后, 我们选中作者给我们的一个文件, 比如 key.dat,   下断 MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z ,  点注册,

; 00408F80 — handler behind the "register" button of the key-file dialog (the author breaks on CFile::Open after pressing it).
; Opens the user-chosen file ([this+0x1FC]; "key.dat" in the author's run), applies the same checks as 409200
; (size >= 3090, "GHKFORREG" header, length < 0x400, NOT + reverse == machine code), and on success copies the
; whole file to "<exe dir>\goshawk.dat" and re-runs 409200 on the copy. Failures report through 42F080 (a message
; routine, judging by its use) and then CDialog::OnCancel.
; NOTE(review): only the first 14+N bytes are checked before the copy. Everything after them — most of the file,
; which the listing at 415400 below goes on to read from offset 0x412 — lands in the program directory unverified.
00408F80  /.  55            PUSH EBP
00408F81  |.  8BEC          MOV EBP,ESP
00408F83  |.  6A FF         PUSH -1
00408F85  |.  68 A8184300   PUSH chess.004318A8                                                ;  SE handler installation (C++ EH frame; the funclet at 4091D9 appears to be its handler — confirm)
00408F8A  |.  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00408F90  |.  50            PUSH EAX
00408F91  |.  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00408F98  |.  81EC 48070000 SUB ESP,748                                                        ;  locals: [EBP-754] goshawk path (0x320 bytes), [EBP-434] payload (0x400 bytes), [EBP-34] header (10 bytes), [EBP-20] CFile
00408F9E  |.  53            PUSH EBX
00408F9F  |.  56            PUSH ESI
00408FA0  |.  57            PUSH EDI
00408FA1  |.  8BD9          MOV EBX,ECX                                                        ;  EBX = this (the dialog)
00408FA3  |.  8965 F0       MOV DWORD PTR SS:[EBP-10],ESP
00408FA6  |.  6A 01         PUSH 1
00408FA8  |.  895D D8       MOV DWORD PTR SS:[EBP-28],EBX                                      ;  saved copy of `this` (reloaded into EBX at 409104 after BL is clobbered)
00408FAB  |.  E8 46750200   CALL <JMP.&MFC42.#6334_?UpdateData@CWnd@@QAEHH@Z>                  ;  UpdateData(TRUE): pull the control values (incl. the chosen file path) into members
00408FB0  |.  8B83 00020000 MOV EAX,DWORD PTR DS:[EBX+200]                                     ;  m_machineCode (CString at +0x200)
00408FB6  |.  8D8B 00020000 LEA ECX,DWORD PTR DS:[EBX+200]
00408FBC  |.  8B40 F8       MOV EAX,DWORD PTR DS:[EAX-8]                                       ;  its length — presumably MFC42's CString header, kept 8 bytes before the text
00408FBF  |.  50            PUSH EAX
00408FC0  |.  E8 71740200   CALL <JMP.&MFC42.#2915_?GetBuffer@CString@@QAEPADH@Z>              ;  GetBuffer(len)
00408FC5  |.  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00408FC8  |.  8BF0          MOV ESI,EAX                                                        ;  ESI = machine-code text
00408FCA  |.  E8 B1750200   CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>                            ;  CFile file;
00408FCF  |.  8B83 FC010000 MOV EAX,DWORD PTR DS:[EBX+1FC]                                     ;  [this+0x1FC]: the user-supplied key-file path
00408FD5  |.  6A 00         PUSH 0                                                             ;  pError = NULL
00408FD7  |.  6A 00         PUSH 0                                                             ;  nOpenFlags = 0 (read-only in MFC's CFile)
00408FD9  |.  50            PUSH EAX
00408FDA  |.  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00408FDD  |.  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0                                         ;  EH state 0: CFile constructed
00408FE4  |.  E8 91750200   CALL <JMP.&MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z> ;  file.Open(keyPath, 0, NULL)  ("Key.dat" in the author's run)
00408FE9  |.  85C0          TEST EAX,EAX
00408FEB  |.  75 35         JNZ SHORT chess.00409022                                           ;  opened -> validate
00408FED  |.  50            PUSH EAX                                                           ;  arg 2 = 0
00408FEE  |.  68 54F54300   PUSH chess.0043F554                                                ;  arg 1 = message text at 43F554
00408FF3  |>  E8 88600200   CALL chess.0042F080                                                ;  report the failure (also the target of the CopyFileA-failed jump at 4091C8)
00408FF8  |.  83C4 08       ADD ESP,8
00408FFB  |>  8BCB          MOV ECX,EBX
00408FFD  |.  E8 58740200   CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>                  ;  OnCancel(): every failure path ends up here
00409002  |>  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]                                      ;  common epilogue
00409005  |.  C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0040900C  |.  E8 45750200   CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>                            ;  ~CFile()
00409011  |.  8B4D F4       MOV ECX,DWORD PTR SS:[EBP-C]
00409014  |.  5F            POP EDI
00409015  |.  5E            POP ESI
00409016  |.  64:890D 00000>MOV DWORD PTR FS:[0],ECX                                           ;  pop the SEH frame
0040901D  |.  5B            POP EBX
0040901E  |.  8BE5          MOV ESP,EBP
00409020  |.  5D            POP EBP
00409021  |.  C3            RETN
00409022  |>  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00409025  |.  C645 FC 01    MOV BYTE PTR SS:[EBP-4],1                                          ;  EH state 1: file is open
00409029  |.  E8 46750200   CALL <JMP.&MFC42.#3318_?GetLength@CFile@@UBEKXZ>                   ;  file size check
0040902E  |.  3D 120C0000   CMP EAX,0C12                                                       ;  must be >= 0xC12 = 3090 bytes (not "> 3090": JB rejects only smaller sizes)
00409033  |.  0F82 05010000 JB chess.0040913E                                                  ;  too short -> message, close, cancel
00409039  |.  8D4D CC       LEA ECX,DWORD PTR SS:[EBP-34]
0040903C  |.  6A 0A         PUSH 0A
0040903E  |.  51            PUSH ECX
0040903F  |.  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
00409042  |.  E8 27750200   CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z>                    ;  Read(hdr, 10): the 10-byte file header
00409047  |.  BF 48F54300   MOV EDI,chess.0043F548                                             ;  ASCII "GHKFORREG"
0040904C  |.  8D45 CC       LEA EAX,DWORD PTR SS:[EBP-34]
0040904F  |>  8A10          /MOV DL,BYTE PTR DS:[EAX]                                          ;  inlined strcmp(hdr, "GHKFORREG"): header must be exactly "GHKFORREG",0
00409051  |.  8ACA          |MOV CL,DL
00409053  |.  3A17          |CMP DL,BYTE PTR DS:[EDI]
00409055  |.  75 1C         |JNZ SHORT chess.00409073
00409057  |.  84C9          |TEST CL,CL
00409059  |.  74 14         |JE SHORT chess.0040906F
0040905B  |.  8A50 01       |MOV DL,BYTE PTR DS:[EAX+1]
0040905E  |.  8ACA          |MOV CL,DL
00409060  |.  3A57 01       |CMP DL,BYTE PTR DS:[EDI+1]
00409063  |.  75 0E         |JNZ SHORT chess.00409073
00409065  |.  83C0 02       |ADD EAX,2
00409068  |.  83C7 02       |ADD EDI,2
0040906B  |.  84C9          |TEST CL,CL
0040906D  |.^ 75 E0         \JNZ SHORT chess.0040904F
0040906F  |>  33C0          XOR EAX,EAX                                                        ;  equal -> 0
00409071  |.  EB 05         JMP SHORT chess.00409078
00409073  |>  1BC0          SBB EAX,EAX
00409075  |.  83D8 FF       SBB EAX,-1
00409078  |>  85C0          TEST EAX,EAX
0040907A  |.  0F85 BE000000 JNZ chess.0040913E                                                 ;  wrong magic -> message, close, cancel
00409080  |.  8945 DC       MOV DWORD PTR SS:[EBP-24],EAX                                      ;  len = 0 before the read (EAX is 0 here)
00409083  |.  8D45 DC       LEA EAX,DWORD PTR SS:[EBP-24]
00409086  |.  6A 04         PUSH 4
00409088  |.  50            PUSH EAX
00409089  |.  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
0040908C  |.  E8 DD740200   CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z>                    ;  Read(&len, 4): payload length
00409091  |.  8B45 DC       MOV EAX,DWORD PTR SS:[EBP-24]
00409094  |.  3D 00040000   CMP EAX,400                                                        ;  unsigned compare: len must be < 0x400 (1024)
00409099  |.  0F83 AE000000 JNB chess.0040914D                                                 ;  keeps the Read and the NUL store inside the 0x400-byte buffer at [EBP-434]; this path closes + cancels without a message
0040909F  |.  8D8D CCFBFFFF LEA ECX,DWORD PTR SS:[EBP-434]
004090A5  |.  50            PUSH EAX
004090A6  |.  51            PUSH ECX
004090A7  |.  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]                                      ;  Read(buf, len) ...
004090AA  |.  E8 BF740200   CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z>                    ;  ... the payload (the author saw it at stack 0010AF48)
004090AF  |.  8B7D DC       MOV EDI,DWORD PTR SS:[EBP-24]                                      ;  EDI = len
004090B2  |.  33C0          XOR EAX,EAX
004090B4  |.  C6843D CCFBFF>MOV BYTE PTR SS:[EBP+EDI-434],0                                    ;  buf[len] = 0
004090BC  |>  3BC7          /CMP EAX,EDI                                                       ;  for (i = 0; i < len; i++)
004090BE  |.  7D 16         |JGE SHORT chess.004090D6
004090C0  |.  8A8C05 CCFBFF>|MOV CL,BYTE PTR SS:[EBP+EAX-434]                                  ;      CL = buf[i]
004090C7  |.  80CA FF       |OR DL,0FF
004090CA  |.  2AD1          |SUB DL,CL                                                         ;      0xFF - buf[i]
004090CC  |.  889405 CCFBFF>|MOV BYTE PTR SS:[EBP+EAX-434],DL                                  ;      == ~buf[i]: every bit inverted
004090D3  |.  40            |INC EAX
004090D4  |.^ EB E6         \JMP SHORT chess.004090BC
004090D6  |>  33C9          XOR ECX,ECX                                                        ;  i = 0
004090D8  |>  8BC7          /MOV EAX,EDI                                                       ;  EAX = len
004090DA  |.  99            |CDQ                                                               ;  sign-extend EAX into EDX:EAX
004090DB  |.  2BC2          |SUB EAX,EDX                                                       ;  (rounds a negative len toward zero)
004090DD  |.  D1F8          |SAR EAX,1                                                         ;  EAX = len / 2
004090DF  |.  3BC8          |CMP ECX,EAX
004090E1  |.  7D 28         |JGE SHORT chess.0040910B                                          ;  for (i = 0; i < len/2; i++)
004090E3  |.  8BC7          |MOV EAX,EDI
004090E5  |.  8A940D CCFBFF>|MOV DL,BYTE PTR SS:[EBP+ECX-434]                                  ;      DL = buf[i]            (from the front)
004090EC  |.  2BC1          |SUB EAX,ECX
004090EE  |.  41            |INC ECX
004090EF  |.  8A9C05 CBFBFF>|MOV BL,BYTE PTR SS:[EBP+EAX-435]                                  ;      BL = buf[len-1-i]      (from the back; clobbers the low byte of EBX = this)
004090F6  |.  8D8405 CBFBFF>|LEA EAX,DWORD PTR SS:[EBP+EAX-435]
004090FD  |.  889C0D CBFBFF>|MOV BYTE PTR SS:[EBP+ECX-435],BL                                  ;      buf[i] = BL            (back moves to the front)
00409104  |.  8B5D D8       |MOV EBX,DWORD PTR SS:[EBP-28]                                     ;      EBX = this again
00409107  |.  8810          |MOV BYTE PTR DS:[EAX],DL                                          ;      buf[len-1-i] = DL      (front moves to the back)
00409109  |.^ EB CD         \JMP SHORT chess.004090D8
0040910B  |>  8D85 CCFBFFFF LEA EAX,DWORD PTR SS:[EBP-434]                                     ;  decoded payload vs the machine code in ESI
00409111  |>  8A10          /MOV DL,BYTE PTR DS:[EAX]                                          ;  inlined strcmp(buf, machineCode); stops at the first NUL, so trailing payload bytes are not checked
00409113  |.  8ACA          |MOV CL,DL
00409115  |.  3A16          |CMP DL,BYTE PTR DS:[ESI]
00409117  |.  75 1C         |JNZ SHORT chess.00409135
00409119  |.  84C9          |TEST CL,CL
0040911B  |.  74 14         |JE SHORT chess.00409131
0040911D  |.  8A50 01       |MOV DL,BYTE PTR DS:[EAX+1]
00409120  |.  8ACA          |MOV CL,DL
00409122  |.  3A56 01       |CMP DL,BYTE PTR DS:[ESI+1]
00409125  |.  75 0E         |JNZ SHORT chess.00409135
00409127  |.  83C0 02       |ADD EAX,2
0040912A  |.  83C6 02       |ADD ESI,2
0040912D  |.  84C9          |TEST CL,CL
0040912F  |.^ 75 E0         \JNZ SHORT chess.00409111
00409131  |>  33C0          XOR EAX,EAX                                                        ;  equal -> 0 (only a correct key reaches this)
00409133  |.  EB 05         JMP SHORT chess.0040913A
00409135  |>  1BC0          SBB EAX,EAX
00409137  |.  83D8 FF       SBB EAX,-1
0040913A  |>  85C0          TEST EAX,EAX
0040913C  |.  74 1C         JE SHORT chess.0040915A                                            ;  match -> install the file
0040913E  |>  6A 00         PUSH 0                                                             ;  too short / wrong magic / mismatch: message at 43F524 ...
00409140  |.  68 24F54300   PUSH chess.0043F524
00409145  |.  E8 365F0200   CALL chess.0042F080
0040914A  |.  83C4 08       ADD ESP,8
0040914D  |>  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]                                      ;  ... (the len >= 0x400 case joins here, with no message)
00409150  |.  E8 13740200   CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>                       ;  file.Close()
00409155  |.^ E9 A1FEFFFF   JMP chess.00408FFB                                                 ;  -> OnCancel + epilogue
0040915A  |>  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]                                      ;  key accepted
0040915D  |.  E8 06740200   CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>                       ;  file.Close() (key.dat)
00409162  |.  8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00409168  |.  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0                                         ;  EH state 0
0040916F  |.  50            PUSH EAX
00409170  |.  E8 EB1B0200   CALL chess.0042AD60                                                ;  program directory -> [EBP-754] (author's note; body not shown here)
00409175  |.  BF 14F54300   MOV EDI,chess.0043F514                                             ;  ASCII "\goshawk.dat"
0040917A  |.  83C9 FF       OR ECX,FFFFFFFF
0040917D  |.  33C0          XOR EAX,EAX
0040917F  |.  83C4 04       ADD ESP,4
00409182  |.  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]                                       ;  inlined strlen of the literal (incl. NUL) ...
00409184  |.  F7D1          NOT ECX
00409186  |.  2BF9          SUB EDI,ECX
00409188  |.  8D95 ACF8FFFF LEA EDX,DWORD PTR SS:[EBP-754]
0040918E  |.  8BF7          MOV ESI,EDI
00409190  |.  8BFA          MOV EDI,EDX
00409192  |.  8BD1          MOV EDX,ECX                                                        ;  EDX = literal length
00409194  |.  83C9 FF       OR ECX,FFFFFFFF
00409197  |.  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]                                       ;  ... find the directory string's NUL ...
00409199  |.  8BCA          MOV ECX,EDX
0040919B  |.  4F            DEC EDI
0040919C  |.  C1E9 02       SHR ECX,2
0040919F  |.  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]                     ;  ... and append it: full path "<exe dir>\goshawk.dat" (inlined strcat)
004091A1  |.  8B83 FC010000 MOV EAX,DWORD PTR DS:[EBX+1FC]                                     ;  source = the user's key-file path
004091A7  |.  8BCA          MOV ECX,EDX
004091A9  |.  83E1 03       AND ECX,3
004091AC  |.  6A 00         PUSH 0                                                             ; /FailIfExists = FALSE: an existing goshawk.dat is overwritten
004091AE  |.  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]                       ; |(tail bytes of the strcat, interleaved by the compiler)
004091B0  |.  8D8D ACF8FFFF LEA ECX,DWORD PTR SS:[EBP-754]                                     ; |
004091B6  |.  51            PUSH ECX                                                           ; |NewFileName = "<exe dir>\goshawk.dat"
004091B7  |.  50            PUSH EAX                                                           ; |ExistingFileName = the key file chosen by the user
004091B8  |.  FF15 64404300 CALL DWORD PTR DS:[<&KERNEL32.CopyFileA>]                          ; \CopyFileA — copies the whole file, including the bytes never validated above
004091BE  |.  85C0          TEST EAX,EAX
004091C0  |.  75 0B         JNZ SHORT chess.004091CD                                           ;  nonzero -> copy succeeded
004091C2  |.  50            PUSH EAX                                                           ;  copy failed: arg 2 = 0 ...
004091C3  |.  68 04F54300   PUSH chess.0043F504                                                ;  ... message at 43F504 ...
004091C8  |.^ E9 26FEFFFF   JMP chess.00408FF3                                                 ;  ... report, OnCancel, epilogue
004091CD  |>  8BCB          MOV ECX,EBX                                                        ;  this
004091CF  |.  E8 2C000000   CALL chess.00409200                                                ;  re-validate from goshawk.dat (409200 above): it calls OnOK itself on success; a 0 result is not acted on here
004091D4  \.^ E9 29FEFFFF   JMP chess.00409002                                                 ;  -> epilogue; from now on startup finds goshawk.dat directly
004091D9   .  8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]                                      ;  not reached by normal flow: looks like the EH catch funclet for this routine — confirm
004091DC   .  E8 87730200   CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>                       ;  on an exception: Close() ...
004091E1   .  6A 00         PUSH 0
004091E3   .  68 04F54300   PUSH chess.0043F504                                                ;  ... the same message as the copy-failure case ...
004091E8   .  E8 935E0200   CALL chess.0042F080
004091ED   .  8B4D D8       MOV ECX,DWORD PTR SS:[EBP-28]
004091F0   .  83C4 08       ADD ESP,8
004091F3   .  E8 62720200   CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>                  ;  ... OnCancel() ...
004091F8   .  B8 02904000   MOV EAX,chess.00409002                                             ;  ... and resume at the common epilogue
004091FD   .  C3            RETN

就这么简单, 取反再交换顺序? 也就是说, 把机器码倒序再逐字节取反, 前面加上 "GHKFORREG",0 文件头和 4 字节长度, 再把文件填充到 3090 字节以上, 就是一个能通过上面检查的 Keyfile, 整个过程没有任何密钥或签名.  NO,  当启用了联众自动下棋, 还有复杂的比较等你啊.




启动联众,  过一会, 再次中断在 MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z, 

00415400   .  6A FF         PUSH -1
00415402   .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00415408   .  68 AB2C4300   PUSH chess.00432CAB
0041540D   .  50            PUSH EAX
0041540E   .  B8 30100000   MOV EAX,1030
00415413   .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
0041541A   .  E8 21B60100   CALL chess.00430A40
0041541F   .  53            PUSH EBX
00415420   .  55            PUSH EBP
00415421   .  8BE9          MOV EBP,ECX
00415423   .  56            PUSH ESI
00415424   .  57            PUSH EDI
00415425   .  68 E8030000   PUSH 3E8                                                           ; /TimerID = 3E8 (1000.)
0041542A   .  8B45 20       MOV EAX,DWORD PTR SS:[EBP+20]                                      ; |
0041542D   .  50            PUSH EAX                                                           ; |hWnd
0041542E   .  FF15 50454300 CALL DWORD PTR DS:[<&USER32.KillTimer>]                            ; \KillTimer  //hehe
00415434   .  8D8C24 400400>LEA ECX,DWORD PTR SS:[ESP+440]
0041543B   .  51            PUSH ECX
0041543C   .  E8 3FA1FFFF   CALL chess.0040F580
00415441   .  8D9424 240100>LEA EDX,DWORD PTR SS:[ESP+124]
00415448   .  52            PUSH EDX
00415449   .  E8 12590100   CALL chess.0042AD60
0041544E   .  BF 14F54300   MOV EDI,chess.0043F514                                             ;  ASCII "\goshawk.dat"
00415453   .  83C9 FF       OR ECX,FFFFFFFF
00415456   .  33C0          XOR EAX,EAX
00415458   .  83C4 08       ADD ESP,8
0041545B   .  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]
0041545D   .  F7D1          NOT ECX
0041545F   .  2BF9          SUB EDI,ECX
00415461   .  8D9424 200100>LEA EDX,DWORD PTR SS:[ESP+120]
00415468   .  8BF7          MOV ESI,EDI
0041546A   .  8BD9          MOV EBX,ECX
0041546C   .  8BFA          MOV EDI,EDX
0041546E   .  83C9 FF       OR ECX,FFFFFFFF
00415471   .  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]
00415473   .  8BCB          MOV ECX,EBX
00415475   .  4F            DEC EDI
00415476   .  C1E9 02       SHR ECX,2
00415479   .  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0041547B   .  8BCB          MOV ECX,EBX
0041547D   .  83E1 03       AND ECX,3
00415480   .  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00415482   .  8D4C24 10     LEA ECX,DWORD PTR SS:[ESP+10]
00415486   .  E8 F5B00100   CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>
0041548B   .  6A 00         PUSH 0
0041548D   .  8D8424 240100>LEA EAX,DWORD PTR SS:[ESP+124]
00415494   .  6A 00         PUSH 0
00415496   .  50            PUSH EAX
00415497   .  8D4C24 1C     LEA ECX,DWORD PTR SS:[ESP+1C]
0041549B   .  C78424 541000>MOV DWORD PTR SS:[ESP+1054],0
004154A6   .  E8 CFB00100   CALL <JMP.&MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z> ;  //联众还要检查注册文件
004154AB   .  85C0          TEST EAX,EAX
004154AD   .  B3 6B         MOV BL,6B                                                         
004154AF   .  75 19         JNZ SHORT chess.004154CA
004154B1   .  C600 6F       MOV BYTE PTR DS:[EAX],6F
004154B4   .  B8 01000000   MOV EAX,1
004154B9   .  8BCD          MOV ECX,EBP
004154BB   .  8818          MOV BYTE PTR DS:[EAX],BL
004154BD   .  B8 02000000   MOV EAX,2
004154C2   .  C600 00       MOV BYTE PTR DS:[EAX],0
004154C5   .  E8 90AF0100   CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
004154CA   >  8D4C24 10     LEA ECX,DWORD PTR SS:[ESP+10]
004154CE   .  E8 A1B00100   CALL <JMP.&MFC42.#3318_?GetLength@CFile@@UBEKXZ>
004154D3   .  3D 120C0000   CMP EAX,0C12                                                       ;  //比较长度
004154D8   .  73 1B         JNB SHORT chess.004154F5
004154DA   .  33C0          XOR EAX,EAX
004154DC   .  8BCD          MOV ECX,EBP
004154DE   .  C600 6F       MOV BYTE PTR DS:[EAX],6F
004154E1   .  B8 01000000   MOV EAX,1
004154E6   .  8818          MOV BYTE PTR DS:[EAX],BL
004154E8   .  B8 02000000   MOV EAX,2
004154ED   .  C600 00       MOV BYTE PTR DS:[EAX],0
004154F0   .  E8 65AF0100   CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
004154F5   >  6A 00         PUSH 0
004154F7   .  68 12040000   PUSH 412
004154FC   .  8D4C24 18     LEA ECX,DWORD PTR SS:[ESP+18]
00415500   .  E8 CDB20100   CALL <JMP.&MFC42.#5773_?Seek@CFile@@UAEJJI@Z>                      ;  //文件指针移到 412h
00415505   .  8D8C24 400800>LEA ECX,DWORD PTR SS:[ESP+840]
0041550C   .  68 00040000   PUSH 400
00415511   .  51            PUSH ECX
00415512   .  8D4C24 18     LEA ECX,DWORD PTR SS:[ESP+18]                                      ;  //读 1024 字节
00415516   .  E8 53B00100   CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z>                    ;  //放到 10B96C
0041551B   .  8D8C24 400800>LEA ECX,DWORD PTR SS:[ESP+840]
00415522   .  B8 30024400   MOV EAX,chess.00440230                                             ;  //取其中最前面的 128 字节到 440230
                                                                                               ;  //密码表1
00415527   >  8BD1          MOV EDX,ECX
00415529   .  8BF0          MOV ESI,EAX
0041552B   .  83C0 10       ADD EAX,10
0041552E   .  83C1 10       ADD ECX,10
00415531   .  8B3A          MOV EDI,DWORD PTR DS:[EDX]
00415533   .  3D B0024400   CMP EAX,chess.004402B0
00415538   .  893E          MOV DWORD PTR DS:[ESI],EDI
0041553A   .  8B7A 04       MOV EDI,DWORD PTR DS:[EDX+4]
0041553D   .  897E 04       MOV DWORD PTR DS:[ESI+4],EDI
00415540   .  8B7A 08       MOV EDI,DWORD PTR DS:[EDX+8]
00415543   .  897E 08       MOV DWORD PTR DS:[ESI+8],EDI
00415546   .  8B52 0C       MOV EDX,DWORD PTR DS:[EDX+C]
00415549   .  8956 0C       MOV DWORD PTR DS:[ESI+C],EDX
0041554C   .^ 7C D9         JL SHORT chess.00415527                                            ;  //=================================
0041554E   .  B9 40000000   MOV ECX,40
00415553   .  8DB424 080900>LEA ESI,DWORD PTR SS:[ESP+908]
0041555A   .  8D7C24 20     LEA EDI,DWORD PTR SS:[ESP+20]
0041555E   .  8D4424 20     LEA EAX,DWORD PTR SS:[ESP+20]
00415562   .  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]                     ;  // 拷贝从第200个开始的 256 字节到 10B14C
00415564   .  8D8C24 400C00>LEA ECX,DWORD PTR SS:[ESP+C40]                                     ;  //也就是注册文件的 0x4DA 处, 密码表2
0041556B   .  50            PUSH EAX
0041556C   .  8D9424 380A00>LEA EDX,DWORD PTR SS:[ESP+A38]                                     ;  //从第 500 个开始的字符
00415573   .  51            PUSH ECX                                                           ;  //也就是注册文件的 0x606 处
00415574   .  52            PUSH EDX
00415575   .  E8 A6830000   CALL chess.0041D920                                                ;  //密文转换到明文, 关键算法, F7
0041557A   .  83C4 0C       ADD ESP,0C
0041557D   .  8DB424 400400>LEA ESI,DWORD PTR SS:[ESP+440]                                     ;  //机器码
00415584   .  8D8424 400C00>LEA EAX,DWORD PTR SS:[ESP+C40]                                     ;  //明文应该等于机器码
0041558B   >  8A10          MOV DL,BYTE PTR DS:[EAX]
0041558D   .  8ACA          MOV CL,DL
0041558F   .  3A16          CMP DL,BYTE PTR DS:[ESI]
00415591   .  75 1C         JNZ SHORT chess.004155AF
00415593   .  84C9          TEST CL,CL
00415595   .  74 14         JE SHORT chess.004155AB
00415597   .  8A50 01       MOV DL,BYTE PTR DS:[EAX+1]
0041559A   .  8ACA          MOV CL,DL
0041559C   .  3A56 01       CMP DL,BYTE PTR DS:[ESI+1]
0041559F   .  75 0E         JNZ SHORT chess.004155AF
004155A1   .  83C0 02       ADD EAX,2
004155A4   .  83C6 02       ADD ESI,2
004155A7   .  84C9          TEST CL,CL
004155A9   .^ 75 E0         JNZ SHORT chess.0041558B
004155AB   >  33C0          XOR EAX,EAX
004155AD   .  EB 05         JMP SHORT chess.004155B4
004155AF   >  1BC0          SBB EAX,EAX
004155B1   .  83D8 FF       SBB EAX,-1
004155B4   >  85C0          TEST EAX,EAX
004155B6   .  75 11         JNZ SHORT chess.004155C9
004155B8   .  C68424 400400>MOV BYTE PTR SS:[ESP+440],6F                                       ;  // o
004155C0   .  889C24 410400>MOV BYTE PTR SS:[ESP+441],BL                                       ;  // k
004155C7   .  EB 12         JMP SHORT chess.004155DB
004155C9   >  33C0          XOR EAX,EAX
004155CB   .  8BCD          MOV ECX,EBP
004155CD      88            DB 88
004155CE   .  1D 01000000   SBB EAX,1
004155D3   .  C600 6F       MOV BYTE PTR DS:[EAX],6F
004155D6   .  E8 7FAE0100   CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
004155DB   >  8D4C24 10     LEA ECX,DWORD PTR SS:[ESP+10]
004155DF   .  E8 84AF0100   CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>
004155E4   .  8BCD          MOV ECX,EBP
004155E6   .  E8 17AF0100   CALL <JMP.&MFC42.#2379_?Default@CWnd@@IAEJXZ>
004155EB   .  8D4C24 10     LEA ECX,DWORD PTR SS:[ESP+10]
004155EF   .  C78424 481000>MOV DWORD PTR SS:[ESP+1048],-1
004155FA   .  E8 57AF0100   CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>
004155FF   .  8B8C24 401000>MOV ECX,DWORD PTR SS:[ESP+1040]
00415606   .  5F            POP EDI
00415607   .  5E            POP ESI
00415608   .  5D            POP EBP
00415609   .  5B            POP EBX
0041560A   .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00415611   .  81C4 3C100000 ADD ESP,103C
00415617   .  C2 0400       RETN 4



; Decrypts the "ciphertext 2" record into the caller's output buffer.
; arg1 = record pointer (LEN dword, padded-length dword, then the ciphertext),
; arg2 = output buffer, arg3 = table 2.  Each 8-byte block is run through
; 0041D900 in a heap scratch buffer, then LEN bytes are copied back out and
; NUL-terminated.
0041D920  /$  53            PUSH EBX
0041D921  |.  55            PUSH EBP
0041D922  |.  56            PUSH ESI
0041D923  |.  57            PUSH EDI
0041D924  |.  68 00500000   PUSH 5000
0041D929  |.  E8 D22A0100   CALL <JMP.&MFC42.#823_??2@YAPAXI@Z>                                ;  // operator new(0x5000): scratch buffer for the decrypted blocks
0041D92E  |.  8BD8          MOV EBX,EAX                                                        ;  // EBX = scratch buffer
0041D930  |.  8B4424 18     MOV EAX,DWORD PTR SS:[ESP+18]                                      ;  // arg1: the record starting at the 500th byte of the read buffer (file offset 0x606)
0041D934  |.  8BFB          MOV EDI,EBX
0041D936  |.  83C4 04       ADD ESP,4
0041D939  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]                                         ;  // EDX = LEN (first dword of the record)
0041D93B  |.  8B68 04       MOV EBP,DWORD PTR DS:[EAX+4]                                       ;  // EBP = padded length (second dword, file offset 0x60A)
0041D93E  |.  83C0 04       ADD EAX,4
0041D941  |.  8BCD          MOV ECX,EBP
0041D943  |.  895424 14     MOV DWORD PTR SS:[ESP+14],EDX                                      ;  // LEN is parked in the (no longer needed) arg1 slot
0041D947  |.  8D70 04       LEA ESI,DWORD PTR DS:[EAX+4]                                       ;  // ESI = ciphertext bytes (record + 8, file offset 0x60E)
0041D94A  |.  8BC1          MOV EAX,ECX
0041D94C  |.  C1E9 02       SHR ECX,2
0041D94F  |.  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]                     ;  // copy EBP bytes of ciphertext into the scratch buffer, whole dwords first
0041D951  |.  8BC8          MOV ECX,EAX                                                        ;  // NOTE(review): EBP is read straight from the key file and is not checked against the 0x5000 allocation
0041D953  |.  83E1 03       AND ECX,3
0041D956  |.  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]                       ;  // ... then the remaining (EBP & 3) bytes (none when EBP is a multiple of 8, as the keygen writes it)
0041D958  |.  33F6          XOR ESI,ESI
0041D95A  |.  85ED          TEST EBP,EBP
0041D95C  |.  7E 1C         JLE SHORT chess.0041D97A                                           ;  // nothing to decrypt when the padded length is <= 0
0041D95E  |.  8B7C24 1C     MOV EDI,DWORD PTR SS:[ESP+1C]                                      ;  // arg3: table 2 (the 256 bytes copied from file offset 0x4DA)
0041D962  |>  8D0C1E        /LEA ECX,DWORD PTR DS:[ESI+EBX]                                    ;  // ECX = current 8-byte block inside the scratch buffer
0041D965  |.  57            |PUSH EDI
0041D966  |.  51            |PUSH ECX
0041D967  |.  E8 94FFFFFF   |CALL chess.0041D900                                               ;  // decrypt one 8-byte block in place with table 2 (F7 to follow)
0041D96C  |.  83C6 08       |ADD ESI,8
0041D96F  |.  83C4 08       |ADD ESP,8
0041D972  |.  3BF5          |CMP ESI,EBP
0041D974  |.^ 7C EC         \JL SHORT chess.0041D962                                           ;  // loop over blocks while ESI < padded length
0041D976  |.  8B5424 14     MOV EDX,DWORD PTR SS:[ESP+14]                                      ;  // EDX = LEN again
0041D97A  |>  8B4424 18     MOV EAX,DWORD PTR SS:[ESP+18]                                      ;  // arg2: output buffer (the caller compares it with the machine code)
0041D97E  |.  8BCA          MOV ECX,EDX
0041D980  |.  8BE9          MOV EBP,ECX
0041D982  |.  8BF3          MOV ESI,EBX
0041D984  |.  8BF8          MOV EDI,EAX
0041D986  |.  53            PUSH EBX
0041D987  |.  C1E9 02       SHR ECX,2
0041D98A  |.  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]                     ;  // copy LEN decrypted bytes from the scratch buffer to the output
0041D98C  |.  8BCD          MOV ECX,EBP
0041D98E  |.  83E1 03       AND ECX,3
0041D991  |.  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0041D993  |.  C60402 00     MOV BYTE PTR DS:[EDX+EAX],0                                        ;  // NUL-terminate the output
0041D997  |.  E8 702A0100   CALL <JMP.&MFC42.#825_??3@YAXPAX@Z>                                ;  // operator delete(scratch buffer)
0041D99C  |.  83C4 04       ADD ESP,4
0041D99F  |.  5F            POP EDI
0041D9A0  |.  5E            POP ESI
0041D9A1  |.  5D            POP EBP
0041D9A2  |.  5B            POP EBX
0041D9A3  \.  C3            RETN


; Decrypts one 8-byte block in place: arg1 = block, arg2 = table 2.
; Calls 0041D8B0(block, block + 4, table 2), i.e. the block is handled as
; two 32-bit halves.
0041D900  /$  8B4424 08     MOV EAX,DWORD PTR SS:[ESP+8]                                       ;  // arg2: table 2
0041D904  |.  50            PUSH EAX
0041D905  |.  8B4424 08     MOV EAX,DWORD PTR SS:[ESP+8]                                       ;  // arg1: the block (ESP moved by the push above)
0041D909  |.  8D48 04       LEA ECX,DWORD PTR DS:[EAX+4]                                       ;  // second half of the block
0041D90C  |.  51            PUSH ECX
0041D90D  |.  50            PUSH EAX
0041D90E  |.  E8 9DFFFFFF   CALL chess.0041D8B0                                                ;  // 0041D8B0(left half, right half, table 2) -- F7 to follow
0041D913  |.  83C4 0C       ADD ESP,0C
0041D916  \.  C3            RETN


; 32-round block decryption of one (left, right) pair of dwords.
; arg1 = left half, arg2 = right half, arg3 = table 2.  Per round:
; right ^= F(left + table2[table3[round]]), then the halves are swapped;
; one extra swap follows the loop.  F is 0041D7E0, the swap is 0041D890.
0041D8B0  /$  53            PUSH EBX
0041D8B1  |.  55            PUSH EBP
0041D8B2  |.  56            PUSH ESI
0041D8B3  |.  8B7424 14     MOV ESI,DWORD PTR SS:[ESP+14]                                      ;  // ESI = arg2: right half (block + 4)
0041D8B7  |.  57            PUSH EDI
0041D8B8  |.  8B7C24 14     MOV EDI,DWORD PTR SS:[ESP+14]                                      ;  // EDI = arg1: left half (block)
0041D8BC  |.  BB 2C034400   MOV EBX,chess.0044032C                                             ;  // EBX -> last entry of table 3 (round indices inside the EXE), walked downwards
0041D8C1  |.  BD 20000000   MOV EBP,20                                                         ;  // 32 rounds
0041D8C6  |>  8B03          MOV EAX,DWORD PTR DS:[EBX]                                         ;  // round index from table 3 (author's annotation: the sequence 0..7, 7..0, 7..0, 7..0)
0041D8C8  |.  8B4C24 1C     MOV ECX,DWORD PTR SS:[ESP+1C]                                      ;  // arg3: table 2
0041D8CC  |.  8B1481        MOV EDX,DWORD PTR DS:[ECX+EAX*4]                                   ;  // round key = table2[index] (a dword)
0041D8CF  |.  8B0F          MOV ECX,DWORD PTR DS:[EDI]                                         ;  // left half
0041D8D1  |.  03D1          ADD EDX,ECX                                                        ;  // left + round key
0041D8D3  |.  52            PUSH EDX
0041D8D4  |.  E8 07FFFFFF   CALL chess.0041D7E0                                                ;  // EAX = F(left + round key): nibble substitution through table 1 plus a rotate (F7 to follow)
0041D8D9  |.  8B16          MOV EDX,DWORD PTR DS:[ESI]
0041D8DB  |.  56            PUSH ESI
0041D8DC  |.  33D0          XOR EDX,EAX                                                        ;  // right half ^= F(...)
0041D8DE  |.  57            PUSH EDI
0041D8DF  |.  8916          MOV DWORD PTR DS:[ESI],EDX                                         ;  // store the new right half
0041D8E1  |.  E8 AAFFFFFF   CALL chess.0041D890                                                ;  // swap the two halves
0041D8E6  |.  83C4 0C       ADD ESP,0C
0041D8E9  |.  83EB 04       SUB EBX,4                                                          ;  // previous table 3 entry
0041D8EC  |.  4D            DEC EBP
0041D8ED  |.^ 75 D7         JNZ SHORT chess.0041D8C6                                           ;  // end of the 32-round loop
0041D8EF  |.  56            PUSH ESI
0041D8F0  |.  57            PUSH EDI
0041D8F1  |.  E8 9AFFFFFF   CALL chess.0041D890                                                ;  // one more swap after the loop
0041D8F6  |.  83C4 08       ADD ESP,8
0041D8F9  |.  5F            POP EDI
0041D8FA  |.  5E            POP ESI
0041D8FB  |.  5D            POP EBP
0041D8FC  |.  5B            POP EBX
0041D8FD  \.  C3            RETN



; Round function F.  Each of the 8 nibbles of the 32-bit argument is replaced
; through its own 16-byte sub-table of table 1 (nibble k uses the bytes at
; 440230 + 0x10*k; the 128 bytes at 440230 are copied in from the key file),
; the substituted nibbles are reassembled in their original positions, and
; the result is rotated left by 11 bits.  Returns the value in EAX.
0041D7E0  /$  8B4424 04     MOV EAX,DWORD PTR SS:[ESP+4]                                       ;  // EAX = input (left half + round key)
0041D7E4  |.  33D2          XOR EDX,EDX
0041D7E6  |.  8BC8          MOV ECX,EAX
0041D7E8  |.  53            PUSH EBX
0041D7E9  |.  C1E9 18       SHR ECX,18                                                         ;  // bits 24..27 (nibble 6)
0041D7EC  |.  83E1 0F       AND ECX,0F                                                         ;  // keep only the low nibble of the top byte
0041D7EF  |.  33DB          XOR EBX,EBX
0041D7F1  |.  8A91 90024400 MOV DL,BYTE PTR DS:[ECX+440290]                                    ;  // sub-table 6 of table 1 (table 1 starts at 440230)
0041D7F7  |.  8BCA          MOV ECX,EDX
0041D7F9  |.  8BD0          MOV EDX,EAX
0041D7FB  |.  C1EA 1C       SHR EDX,1C                                                         ;  // bits 28..31 (nibble 7)
0041D7FE  |.  8A9A A0024400 MOV BL,BYTE PTR DS:[EDX+4402A0]                                    ;  // sub-table 7
0041D804  |.  8BD0          MOV EDX,EAX
0041D806  |.  C1E3 04       SHL EBX,4
0041D809  |.  C1EA 14       SHR EDX,14                                                         ;  // bits 20..23 (nibble 5)
0041D80C  |.  0BCB          OR ECX,EBX                                                         ;  // ECX = [nibble 7][nibble 6]
0041D80E  |.  83E2 0F       AND EDX,0F
0041D811  |.  33DB          XOR EBX,EBX
0041D813  |.  8A9A 80024400 MOV BL,BYTE PTR DS:[EDX+440280]                                    ;  // sub-table 5
0041D819  |.  8BD0          MOV EDX,EAX
0041D81B  |.  C1E1 04       SHL ECX,4
0041D81E  |.  C1EA 10       SHR EDX,10                                                         ;  // bits 16..19 (nibble 4)
0041D821  |.  0BCB          OR ECX,EBX
0041D823  |.  83E2 0F       AND EDX,0F
0041D826  |.  33DB          XOR EBX,EBX
0041D828  |.  8A9A 70024400 MOV BL,BYTE PTR DS:[EDX+440270]                                    ;  // sub-table 4
0041D82E  |.  8BD0          MOV EDX,EAX
0041D830  |.  C1E1 04       SHL ECX,4
0041D833  |.  C1EA 0C       SHR EDX,0C                                                         ;  // bits 12..15 (nibble 3)
0041D836  |.  0BCB          OR ECX,EBX
0041D838  |.  83E2 0F       AND EDX,0F
0041D83B  |.  33DB          XOR EBX,EBX
0041D83D  |.  8A9A 60024400 MOV BL,BYTE PTR DS:[EDX+440260]                                    ;  // sub-table 3
0041D843  |.  8BD0          MOV EDX,EAX
0041D845  |.  C1E1 04       SHL ECX,4
0041D848  |.  C1EA 08       SHR EDX,8                                                          ;  // bits 8..11 (nibble 2)
0041D84B  |.  0BCB          OR ECX,EBX
0041D84D  |.  83E2 0F       AND EDX,0F
0041D850  |.  33DB          XOR EBX,EBX
0041D852  |.  8A9A 50024400 MOV BL,BYTE PTR DS:[EDX+440250]                                    ;  // sub-table 2
0041D858  |.  8BD0          MOV EDX,EAX
0041D85A  |.  C1E1 04       SHL ECX,4
0041D85D  |.  C1EA 04       SHR EDX,4                                                          ;  // bits 4..7 (nibble 1)
0041D860  |.  0BCB          OR ECX,EBX
0041D862  |.  83E2 0F       AND EDX,0F
0041D865  |.  33DB          XOR EBX,EBX
0041D867  |.  83E0 0F       AND EAX,0F                                                         ;  // bits 0..3 (nibble 0)
0041D86A  |.  8A9A 40024400 MOV BL,BYTE PTR DS:[EDX+440240]                                    ;  // sub-table 1
0041D870  |.  33D2          XOR EDX,EDX
0041D872  |.  8A90 30024400 MOV DL,BYTE PTR DS:[EAX+440230]                                    ;  // sub-table 0
0041D878  |.  C1E1 04       SHL ECX,4
0041D87B  |.  0BCB          OR ECX,EBX
0041D87D  |.  5B            POP EBX
0041D87E  |.  C1E1 04       SHL ECX,4
0041D881  |.  0BCA          OR ECX,EDX                                                         ;  // ECX = all 8 substituted nibbles, high to low
0041D883  |.  8BC1          MOV EAX,ECX
0041D885  |.  C1E8 15       SHR EAX,15
0041D888  |.  C1E1 0B       SHL ECX,0B
0041D88B  |.  0BC1          OR EAX,ECX                                                         ;  // rotate left by 11: the high 11 bits and the low 21 bits change places
0041D88D  \.  C3            RETN



; Swaps the two dwords pointed to by arg1 and arg2 (the left and right
; halves of the block being decrypted).
0041D890  /$  8B5424 04     MOV EDX,DWORD PTR SS:[ESP+4]                                       ;  // arg1: left half
0041D894  |.  8B4424 08     MOV EAX,DWORD PTR SS:[ESP+8]                                       ;  // arg2: right half
0041D898  |.  56            PUSH ESI
0041D899  |.  8B32          MOV ESI,DWORD PTR DS:[EDX]                                         ;  // first 4 bytes
0041D89B  |.  8B08          MOV ECX,DWORD PTR DS:[EAX]                                         ;  // last 4 bytes
0041D89D  |.  8930          MOV DWORD PTR DS:[EAX],ESI
0041D89F  |.  890A          MOV DWORD PTR DS:[EDX],ECX
0041D8A1  |.  5E            POP ESI
0041D8A2  \.  C3            RETN


累死了,  给出注册机代码 ,  各位慢慢看吧.


#include <stdio.h>
#include <string.h>
#include <fstream.h>

/*
	注册文件格式:

	1.  "GHKFORREG",0                  10 字节

	2.  密文1 的长度 LEN < 0x400         4 字节

	3.  密文1  encrypted[LEN]           LEN 个字节
	    对应的明文 decrypted[LEN] = machine[LEN]
	    对机器码每一字节取反, 再交换前后顺序即得到密文1

	4.  0000...                        LEN+14 - 0x411

	5.  第二次检查   从 0x412 到 0x811    共 0x400 字节

	    密码表1    0x412 - 0x491        128 字节
	    密码表2    0x4DA - 0x5D9        256 字节
	    密码表3    在苍鹰象棋 EXE 程序中   0, 1,..., 7, 7,6,..0, 7,...0, 7,...,0
	    密文2      0x606 - 0x609        机器码长度 LEN                 4 字节
	               0x60A - 0x60D        (LEN/8 + (LEN%8 >0)) * 8      4 字节
	               0x60E - 0x60E+LEN    机器码密文                     LEN 个字节

	6.  0000...                        0x812 - 0xC11
*/

// Encrypts one 8-byte block (*m1 = first dword, *m2 = second dword) in place.
// This is the exact inverse of the 32-round routine at 0041D8B0 with an
// all-zero table 2 (round key 0) and an identity table 1: that routine does
// "right ^= rot11(left); swap" 32 times and then swaps once more, so the
// inverse starts with a swap and then repeats "swap; right ^= rot11(left)".
void encrypt(unsigned *m1, unsigned *m2)
{
	// initial swap: mirrors the trailing swap of the decryption
	unsigned left = *m2;
	unsigned right = *m1;

	for (int round = 0; round < 32; round++)
	{
		// undo one decryption round: swap the halves back, then XOR the
		// rotated left half into the right half (XOR is its own inverse)
		unsigned t = left;
		left = right;
		right = t;

		right ^= (left >> 21) | (left << 11);   // rotate left by 11 bits
	}

	*m1 = left;
	*m2 = right;
}

// Writes the key file for the machine code typed on stdin, laying the bytes
// out exactly as the two checks traced above expect (see the format comment
// at the top of the file).  All multi-byte fields are written in native
// (little-endian) byte order, which is what the checks read back.
// NOTE(review): gets() has no bound -- a line longer than 31 characters
// overflows machine[]; fgets(machine, sizeof machine, stdin) would be the
// bounded equivalent (it keeps the newline, which would then need stripping).
// NOTE(review): `regfile.~fstream()` below is an explicit destructor call,
// and the object is destroyed again automatically at the closing brace;
// regfile.close() is what was meant.
void main(void)
{	
	char null=0;

	char machine[32]="";
	char regfileName[40]="C:\\";
    
	printf("输入机器码:");
	
	gets(machine);
	machine[31]=0;
	
    strcat(regfileName, machine);
	strcat(regfileName, ".DAT");

	printf("\n注册文件是 %s\n", regfileName);

	fstream regfile(regfileName, ios::out | ios::binary);
    
	// file header: "GHKFORREG" plus its NUL, 10 bytes
	regfile.write("GHKFORREG", 10);
	
	// length of ciphertext 1 (4 bytes)
	int length=strlen(machine);
	regfile.write((char*)&length, sizeof(int));
 	
	// ciphertext 1: the machine code byte-inverted and written back to front
	// (machine[] is restored after each byte so it can be reused below)
	for (int i=length-1; i>=0; i--)
	{
		machine[i] = ~machine[i];
		regfile.write(&machine[i], 1);
		machine[i] = ~machine[i];
    }
	
	// zero padding up to offset 0x412 (i is still in scope here because of the
	// old for-loop scoping rule this code was built with)
	for (i=length+14; i<0x412; i++)
		regfile.write(&null, 1);
	
	// table 1: the simplest choice -- eight 16-byte sub-tables that each map a
	// nibble to itself (0..0x0F repeated), so the round function only rotates
	char temp=0;
	for (i=0x412; i<0x492; i++)
	{
		regfile.write(&temp, 1);
		temp++;
		temp %= 0x10;
	}
	
	// zero padding
	for (i=0x492; i<0x4DA; i++)
        regfile.write(&null, 1);

   	// table 2: all zeros, so every round key is 0 whatever table 3 selects.
	// (The checker reads its substitution table and round keys from the key
	// file itself, which is why the file's author gets to pick them.)
	for (i=0x4DA; i<0x5DA; i++)
        regfile.write(&null, 1);

	// zero padding
	for (i=0x5DA; i<0x606; i++)
        regfile.write(&null, 1);
	
	// length of the machine code (4 bytes at 0x606)
	regfile.write((char*)&length, 4);
	
	// ciphertext 2 length, rounded up to a multiple of 8 (4 bytes at 0x60A)
	length = (length/8 + (length%8>0))*8;
	regfile.write((char*)&length, 4);

	// ciphertext 2: encrypt machine[] in place, 8 bytes per block; the bytes
	// past the NUL are zero because machine[] was initialised to ""
	for (i=0; i<length; i+=8)
		encrypt( (unsigned*)&machine[i], (unsigned*)&machine[i+4]);
	
	regfile.write(machine,length);
	
	// zero padding up to the 0xC12 bytes the length check requires
	for (i=0x60E+length; i<0xC12; i++)
		regfile.write(&null, 1);

	regfile.~fstream();
	
	getchar();
}




最新回复 (7)
zdd
2
好,非常好!
2004-5-16 12:15
3
支持算法分析的文章!!
拜读中
2004-5-16 14:43
4
学习中……支持
2004-5-16 16:38
5
支持:D
2004-5-16 20:57
6
呵呵,学习!:D
2004-5-16 20:59
7
支持!现在发笔记的兄弟不太多啦
2004-5-17 00:31
8
用keyfile还用这么原始的算法 :D :D
2004-5-17 10:16