2003-12-12, 01:37 PM   #1
psac
**********.exe registration code algorithm analysis -- experts, please don't laugh

=================================
inside Pandora's Box
*******

CrAcKeD BY alphakk/iPB
=================================
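I wrote this in a bit of a hurry, so please point out anything that is wrong; the keygen works fine, though, heh.

Software overview: ****** is a program for setting up a proxy server. It is easy to configure, comes with detailed documentation, and the program itself is small.
     Unregistered, version 5.0 allows a 28-day trial for 3 users. The "serial number" in the registration dialog is actually the user name; this article calls it the "user name".
     The main algorithm is MD5.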
=================================

.text:0040759C push ebp
.text:0040759D push esi
.text:0040759E push edx ; const char *
.text:0040759F push edx ; int
.text:004075A0 call sub_41CAD0 ; algorithm CALL (first round)
.text:004075A5 mov edi, eax
.text:004075A7 or ecx, 0FFFFFFFFh
.text:004075AA xor eax, eax
.text:004075AC lea edx, [esp+181Ch+var_1804]
.text:004075B0 repne scasb
.text:004075B2 not ecx
.text:004075B4 sub edi, ecx
.text:004075B6 mov eax, ecx
.text:004075B8 mov esi, edi
.text:004075BA mov edi, edx
.text:004075BC shr ecx, 2
.text:004075BF repe movsd
.text:004075C1 mov ecx, eax
.text:004075C3 and ecx, 3
.text:004075C6 repe movsb
.text:004075C8 lea ecx, [esp+181Ch+var_1404]
.text:004075CF push ecx ; char *
.text:004075D0 call sub_421840
.text:004075D5 lea edx, [esp+1820h+var_1404]
.text:004075DC lea eax, [esp+1820h+var_1804]
.text:004075E0 push edx ; const char *
.text:004075E1 push eax ; int
.text:004075E2 call sub_41CAD0 ; algorithm CALL (second round)
.text:004075E7 mov cl, byte_461350
.text:004075ED mov edx, eax
.text:004075EF mov [esp+1828h+var_1004], cl
.text:004075F6 mov ecx, 400h
.text:004075FB xor eax, eax
.text:004075FD lea edi, [esp+1828h+var_1003]
.text:00407604 repe stosd
.text:00407606 mov edi, edx
.text:00407608 or ecx, 0FFFFFFFFh
.text:0040760B repne scasb
.text:0040760D not ecx
.text:0040760F sub edi, ecx
.text:00407611 lea ebp, [esp+1828h+var_1004]
.text:00407618 mov edx, ecx
.text:0040761A mov esi, edi
.text:0040761C mov edi, ebp
.text:0040761E push offset aY ; int
.text:00407623 shr ecx, 2
.text:00407626 repe movsd
.text:00407628 mov ecx, edx
.text:0040762A lea eax, [esp+182Ch+var_1004]
.text:00407631 and ecx, 3
.text:00407634 push offset a__0 ; const char *
.text:00407639 repe movsb
.text:0040763B push eax ; const char *
.text:0040763C call sub_4211F0 ; post-process the registration code (replace '.' with 'y')
.text:00407641 push offset aA_0 ; int
.text:00407646 lea ecx, [esp+1838h+var_1004]
.text:0040764D push offset asc_45D628 ; const char *
.text:00407652 push ecx ; const char *
.text:00407653 call sub_4211F0 ; post-process the registration code (replace '/' with 'a')
.text:00407658 push offset aO ; int
.text:0040765D lea edx, [esp+1844h+var_1004]
.text:00407664 push offset asc_45D620 ; const char *
.text:00407669 push edx ; const char *
.text:0040766A call sub_4211F0 ; post-process the registration code (replace '$' with 'o')
.text:0040766F add esp, 38h
.text:00407672 mov esi, ebx
.text:00407674 lea eax, [esp+1814h+var_1004]
.text:0040767B
.text:0040767B loc_40767B: ; CODE XREF: sub_407560+13Dj
.text:0040767B mov dl, [eax] ; compare the real and the fake registration codes
.text:0040767D mov bl, [esi]
.text:0040767F mov cl, dl
.text:00407681 cmp dl, bl
.text:00407683 jnz short loc_4076B5


===========================================================
Stepping into call sub_41CAD0 (for clarity, only the first round is explained in detail)
===========================================================
.text:0041CAD0 ; int __cdecl sub_41CAD0(int,const char *)
.text:0041CAD0 sub_41CAD0 proc near ; CODE XREF: sub_407560+40p
.text:0041CAD0 ; sub_407560+82p
.text:0041CAD0
.text:0041CAD0 var_C8 = dword ptr -0C8h
.text:0041CAD0 var_C4 = dword ptr -0C4h
.text:0041CAD0 var_C0 = dword ptr -0C0h
.text:0041CAD0 var_BC = dword ptr -0BCh
.text:0041CAD0 var_B4 = dword ptr -0B4h
.text:0041CAD0 var_B0 = byte ptr -0B0h
.text:0041CAD0 var_58 = byte ptr -58h
.text:0041CAD0 arg_0 = dword ptr 4
.text:0041CAD0 arg_4 = dword ptr 8
.text:0041CAD0
.text:0041CAD0 sub esp, 0C8h
.text:0041CAD6 or ecx, 0FFFFFFFFh
.text:0041CAD9 xor eax, eax
.text:0041CADB mov edx, [esp+0C8h+arg_4]
.text:0041CAE2 push ebx
.text:0041CAE3 push ebp
.text:0041CAE4 push esi
.text:0041CAE5 push edi
.text:0041CAE6 mov edi, offset a1_3 ; "$1$"
.text:0041CAEB mov dword_46AEE8, edx
.text:0041CAF1 repne scasb
.text:0041CAF3 not ecx
.text:0041CAF5 dec ecx
.text:0041CAF6 push ecx ; size_t
.text:0041CAF7 push offset a1_3 ; const char *
.text:0041CAFC push edx ; const char *
.text:0041CAFD call _strncmp ; compare the user name with the string "$1$"
.text:0041CB02 add esp, 0Ch
.text:0041CB05 test eax, eax
.text:0041CB07 jnz short loc_41CB26
.text:0041CB09 mov edi, offset a1_3 ; "$1$"
.text:0041CB0E or ecx, 0FFFFFFFFh
.text:0041CB11 repne scasb
.text:0041CB13 mov edx, dword_46AEE8
.text:0041CB19 not ecx
.text:0041CB1B dec ecx
.text:0041CB1C add edx, ecx
.text:0041CB1E mov dword_46AEE8, edx
.text:0041CB24 jmp short loc_41CB2C
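.text:0041CB26 ; ---------------------------------------------------------------------------
.text:0041CB26 //////////////////////////////////////////////////////////////////////
If the user name is at least 8 characters long, take its first 8 characters; otherwise take the whole user name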
.text:0041CB26 loc_41CB26: ; CODE XREF: sub_41CAD0+37j
.text:0041CB26 mov edx, dword_46AEE8
.text:0041CB2C
.text:0041CB2C loc_41CB2C: ; CODE XREF: sub_41CAD0+54j
.text:0041CB2C mov eax, edx
.text:0041CB2E mov dword_46AEE4, eax
.text:0041CB33 mov cl, [edx]
.text:0041CB35 test cl, cl
.text:0041CB37 jz short loc_41CB51
.text:0041CB39
.text:0041CB39 loc_41CB39: ; CODE XREF: sub_41CAD0+7Fj
.text:0041CB39 cmp cl, 24h
.text:0041CB3C jz short loc_41CB51
.text:0041CB3E lea ecx, [edx+8]
.text:0041CB41 cmp eax, ecx
.text:0041CB43 jnb short loc_41CB51
.text:0041CB45 inc eax
.text:0041CB46 mov dword_46AEE4, eax
.text:0041CB4B mov cl, [eax]
.text:0041CB4D test cl, cl
.text:0041CB4F jnz short loc_41CB39
.text:0041CB51 ////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////
This section feeds in the data for step two of the overall algorithm
.text:0041CB51 loc_41CB51: ; CODE XREF: sub_41CAD0+67j
.text:0041CB51 ; sub_41CAD0+6Cj ...
.text:0041CB51 sub eax, edx
.text:0041CB53 lea edx, [esp+0D8h+var_58]
.text:0041CB5A mov esi, eax
.text:0041CB5C push edx
.text:0041CB5D mov [esp+0DCh+var_B4], esi
.text:0041CB61 call sub_41CF80 ; initialize the four MD5 parameters
.text:0041CB66 mov ebp, [esp+0DCh+arg_0]
.text:0041CB6D or ecx, 0FFFFFFFFh
.text:0041CB70 mov edi, ebp
.text:0041CB72 xor eax, eax
.text:0041CB74 repne scasb
.text:0041CB76 not ecx
.text:0041CB78 dec ecx
.text:0041CB79 lea eax, [esp+0DCh+var_58]
.text:0041CB80 push ecx
.text:0041CB81 push ebp
.text:0041CB82 push eax
.text:0041CB83 call sub_41CFB0 ; Update( BYTE* Input (user name), ULONG nInputLen (user name length) )
.text:0041CB88 mov edi, offset a1_3 ; "$1$"
.text:0041CB8D or ecx, 0FFFFFFFFh
.text:0041CB90 xor eax, eax
.text:0041CB92 repne scasb
.text:0041CB94 not ecx
.text:0041CB96 dec ecx
.text:0041CB97 push ecx
.text:0041CB98 lea ecx, [esp+0ECh+var_58]
.text:0041CB9F push offset a1_3 ; "$1$"
.text:0041CBA4 push ecx
.text:0041CBA5 call sub_41CFB0 ;Update( BYTE* Input("$1$"),ULONG nInputLen (3))
.text:0041CBAA mov edx, dword_46AEE8
.text:0041CBB0 push esi
.text:0041CBB1 lea eax, [esp+0F8h+var_58]
.text:0041CBB8 push edx
.text:0041CBB9 push eax
.text:0041CBBA call sub_41CFB0 ; Update( BYTE* Input (first 8 characters of the user name, or the whole user name if it is shorter than 8 characters), ULONG nInputLen )
/////////////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////////////
Algorithm step one:
.text:0041CBBF lea ecx, [esp+100h+var_B0]
.text:0041CBC3 push ecx
.text:0041CBC4 call sub_41CF80 ; initialize the four MD5 parameters
.text:0041CBC9 mov edi, ebp
.text:0041CBCB or ecx, 0FFFFFFFFh
.text:0041CBCE xor eax, eax
.text:0041CBD0 lea edx, [esp+104h+var_B0]
.text:0041CBD4 repne scasb
.text:0041CBD6 not ecx
.text:0041CBD8 dec ecx
.text:0041CBD9 push ecx
.text:0041CBDA push ebp
.text:0041CBDB push edx
.text:0041CBDC call sub_41CFB0 ; Update( user name, user name length )
.text:0041CBE1 mov eax, dword_46AEE8
.text:0041CBE6 push esi
.text:0041CBE7 lea ecx, [esp+114h+var_B0]
.text:0041CBEB push eax
.text:0041CBEC push ecx
.text:0041CBED call sub_41CFB0 ; Update( user name (first 8 characters, or the whole user name if it is shorter than 8 characters), ULONG nInputLen )
.text:0041CBF2 mov edi, ebp
.text:0041CBF4 or ecx, 0FFFFFFFFh
.text:0041CBF7 xor eax, eax
.text:0041CBF9 add esp, 44h
.text:0041CBFC repne scasb
.text:0041CBFE not ecx
.text:0041CC00 dec ecx
.text:0041CC01 lea edx, [esp+0D8h+var_B0]
.text:0041CC05 push ecx
.text:0041CC06 push ebp
.text:0041CC07 push edx
.text:0041CC08 call sub_41CFB0 ; Update( user name, user name length )
.text:0041CC0D lea eax, [esp+0E4h+var_B0]
.text:0041CC11 lea ecx, [esp+0E4h+var_C8]
.text:0041CC15 push eax
.text:0041CC16 push ecx
.text:0041CC17 call sub_41D0A0 ; MD5 transform: call the result Result1[16]
.text:0041CC1C mov edi, ebp
.text:0041CC1E or ecx, 0FFFFFFFFh
.text:0041CC21 xor eax, eax
.text:0041CC23 add esp, 14h
.text:0041CC26 repne scasb
.text:0041CC28 not ecx
.text:0041CC2A dec ecx
.text:0041CC2B mov esi, ecx
.text:0041CC2D test esi, esi
.text:0041CC2F jle short loc_41CC5A
.text:0041CC31
.text:0041CC31 loc_41CC31: ; CODE XREF: sub_41CAD0+188j
.text:0041CC31 cmp esi, 10h ; user name length > 16?
.text:0041CC34 mov eax, 10h
.text:0041CC39 jg short loc_41CC3D
.text:0041CC3B mov eax, esi
.text:0041CC3D
.text:0041CC3D loc_41CC3D: ; CODE XREF: sub_41CAD0+169j
.text:0041CC3D push eax
.text:0041CC3E lea edx, [esp+0DCh+var_C8]
.text:0041CC42 lea eax, [esp+0DCh+var_58]
.text:0041CC49 push edx
.text:0041CC4A push eax
.text:0041CC4B call sub_41CFB0 ;Update(Result1,EAX)
.text:0041CC50 sub esi, 10h
.text:0041CC53 add esp, 0Ch
.text:0041CC56 test esi, esi ;ESI>0?
.text:0041CC58 jg short loc_41CC31
.text:0041CC5A
.text:0041CC5A loc_41CC5A: ; CODE XREF: sub_41CAD0+15Fj
.text:0041CC5A xor ecx, ecx
.text:0041CC5C mov edi, ebp
.text:0041CC5E mov [esp+0D8h+var_C8], ecx
.text:0041CC62 xor eax, eax
.text:0041CC64 mov [esp+0D8h+var_C4], ecx
.text:0041CC68 mov [esp+0D8h+var_C0], ecx
.text:0041CC6C mov [esp+0D8h+var_BC], ecx
.text:0041CC70 or ecx, 0FFFFFFFFh
.text:0041CC73 repne scasb
.text:0041CC75 not ecx
.text:0041CC77 dec ecx
.text:0041CC78 mov ebx, ecx ; user name length -> EBX
.text:0041CC7A jz short loc_41CCA7
.text:0041CC7C
.text:0041CC7C loc_41CC7C: ; CODE XREF: sub_41CAD0+1D5j
.text:0041CC7C test bl, 1 ; is it even?
.text:0041CC7F push 1
.text:0041CC81 jz short loc_41CC92 ; jump if so
.text:0041CC83 lea edx, [esp+0DCh+var_C8]
.text:0041CC87 lea eax, [esp+0DCh+var_58]
.text:0041CC8E push edx
.text:0041CC8F push eax
.text:0041CC90 jmp short loc_41CC9B
.text:0041CC92 ; ---------------------------------------------------------------------------
.text:0041CC92
.text:0041CC92 loc_41CC92: ; CODE XREF: sub_41CAD0+1B1j
.text:0041CC92 lea ecx, [esp+0DCh+var_58]
.text:0041CC99 push ebp
.text:0041CC9A push ecx
.text:0041CC9B
.text:0041CC9B loc_41CC9B: ; CODE XREF: sub_41CAD0+1C0j
.text:0041CC9B call sub_41CFB0 ; if the user name length is even, Update(first character of the user name, 1); otherwise Update("" (empty string), 1)
.text:0041CCA0 add esp, 0Ch
.text:0041CCA3 sar ebx, 1
.text:0041CCA5 jnz short loc_41CC7C
.text:0041CCA7
.text:0041CCA7 loc_41CCA7: ; CODE XREF: sub_41CAD0+1AAj
.text:0041CCA7 mov edi, offset a1_3 ; "$1$"
.text:0041CCAC or ecx, 0FFFFFFFFh
.text:0041CCAF xor eax, eax
.text:0041CCB1 repne scasb
.text:0041CCB3 not ecx
.text:0041CCB5 sub edi, ecx
.text:0041CCB7 mov eax, [esp+0D8h+var_B4]
.text:0041CCBB mov edx, ecx
.text:0041CCBD mov esi, edi
.text:0041CCBF mov edi, offset unk_46AE6C
.text:0041CCC4 push eax ; size_t
.text:0041CCC5 shr ecx, 2
.text:0041CCC8 repe movsd
.text:0041CCCA mov ecx, edx
.text:0041CCCC and ecx, 3
.text:0041CCCF repe movsb
.text:0041CCD1 mov ecx, dword_46AEE8
.text:0041CCD7 push ecx ; const char *
.text:0041CCD8 push offset unk_46AE6C ; char *
.text:0041CCDD call _strncat
.text:0041CCE2 mov edi, offset asc_45D620 ; "$"
.text:0041CCE7 or ecx, 0FFFFFFFFh
.text:0041CCEA xor eax, eax
.text:0041CCEC repne scasb
.text:0041CCEE not ecx
.text:0041CCF0 sub edi, ecx
.text:0041CCF2 mov esi, edi
.text:0041CCF4 mov edx, ecx
.text:0041CCF6 mov edi, offset unk_46AE6C
.text:0041CCFB or ecx, 0FFFFFFFFh
.text:0041CCFE repne scasb
.text:0041CD00 mov ecx, edx
.text:0041CD02 dec edi
.text:0041CD03 shr ecx, 2
.text:0041CD06 repe movsd
.text:0041CD08 mov ecx, edx
.text:0041CD0A lea eax, [esp+0E4h+var_58]
.text:0041CD11 and ecx, 3
.text:0041CD14 push eax
.text:0041CD15 repe movsb
.text:0041CD17 lea ecx, [esp+0E8h+var_C8]
.text:0041CD1B push ecx
.text:0041CD1C call sub_41D0A0 ; MD5 transform: call the result Result2[16]
.text:0041CD21 add esp, 14h
Algorithm step two complete
/////////////////////////////////////////////////////////////////////

////////////////////////////////////////////////////////////////////
Algorithm step three:
.text:0041CD24 xor esi, esi ; clear the counter
.text:0041CD26
.text:0041CD26 loc_41CD26: ; CODE XREF: sub_41CAD0+328j
.text:0041CD26 lea edx, [esp+0D8h+var_B0]
.text:0041CD2A push edx
.text:0041CD2B call sub_41CF80 ; MD5 initialization
.text:0041CD30 mov ebx, esi
.text:0041CD32 add esp, 4
.text:0041CD35 and ebx, 1
.text:0041CD38 jz short loc_41CD4F
.text:0041CD3A mov edi, ebp
.text:0041CD3C or ecx, 0FFFFFFFFh
.text:0041CD3F xor eax, eax
.text:0041CD41 repne scasb
.text:0041CD43 not ecx
.text:0041CD45 dec ecx
.text:0041CD46 lea eax, [esp+0D8h+var_B0]
.text:0041CD4A push ecx
.text:0041CD4B push ebp
.text:0041CD4C push eax
.text:0041CD4D jmp short loc_41CD5B ; Update(Result2,16)
.text:0041CD4F ; ---------------------------------------------------------------------------
.text:0041CD4F
.text:0041CD4F loc_41CD4F: ; CODE XREF: sub_41CAD0+268j
.text:0041CD4F lea ecx, [esp+0D8h+var_C8]
.text:0041CD53 push 10h
.text:0041CD55 lea edx, [esp+0DCh+var_B0]
.text:0041CD59 push ecx
.text:0041CD5A push edx
.text:0041CD5B
.text:0041CD5B loc_41CD5B: ; CODE XREF: sub_41CAD0+27Dj
.text:0041CD5B call sub_41CFB0 ; Update(Result2,16)
.text:0041CD60 mov eax, esi
.text:0041CD62 mov ecx, 3
.text:0041CD67 cdq
.text:0041CD68 idiv ecx
.text:0041CD6A add esp, 0Ch
.text:0041CD6D test edx, edx
.text:0041CD6F jz short loc_41CD89 ; jump if the remainder is zero
.text:0041CD71 mov edx, [esp+0D8h+var_B4]
.text:0041CD75 mov eax, dword_46AEE8
.text:0041CD7A push edx
.text:0041CD7B lea ecx, [esp+0DCh+var_B0]
.text:0041CD7F push eax
.text:0041CD80 push ecx
.text:0041CD81 call sub_41CFB0 ; Update( user name (first 8 characters, or the whole user name if it is shorter than 8 characters), ULONG nInputLen )
.text:0041CD86 add esp, 0Ch
.text:0041CD89
.text:0041CD89 loc_41CD89: ; CODE XREF: sub_41CAD0+29Fj
.text:0041CD89 mov eax, esi
.text:0041CD8B mov ecx, 7
.text:0041CD90 cdq
.text:0041CD91 idiv ecx
.text:0041CD93 test edx, edx
.text:0041CD95 jz short loc_41CDB2 ; jump if the remainder is zero
.text:0041CD97 mov edi, ebp
.text:0041CD99 or ecx, 0FFFFFFFFh
.text:0041CD9C xor eax, eax
.text:0041CD9E lea edx, [esp+0D8h+var_B0]
.text:0041CDA2 repne scasb
.text:0041CDA4 not ecx
.text:0041CDA6 dec ecx
.text:0041CDA7 push ecx
.text:0041CDA8 push ebp
.text:0041CDA9 push edx
.text:0041CDAA call sub_41CFB0 ; Update( user name, user name length )
.text:0041CDAF add esp, 0Ch
.text:0041CDB2
.text:0041CDB2 loc_41CDB2: ; CODE XREF: sub_41CAD0+2C5j
.text:0041CDB2 test ebx, ebx
.text:0041CDB4 jz short loc_41CDC4
.text:0041CDB6 lea eax, [esp+0D8h+var_C8]
.text:0041CDBA push 10h
.text:0041CDBC lea ecx, [esp+0DCh+var_B0]
.text:0041CDC0 push eax
.text:0041CDC1 push ecx
.text:0041CDC2 jmp short loc_41CDD7
.text:0041CDC4 ; ---------------------------------------------------------------------------
.text:0041CDC4
.text:0041CDC4 loc_41CDC4: ; CODE XREF: sub_41CAD0+2E4j
.text:0041CDC4 mov edi, ebp
.text:0041CDC6 or ecx, 0FFFFFFFFh
.text:0041CDC9 xor eax, eax
.text:0041CDCB lea edx, [esp+0D8h+var_B0]
.text:0041CDCF repne scasb
.text:0041CDD1 not ecx
.text:0041CDD3 dec ecx
.text:0041CDD4 push ecx
.text:0041CDD5 push ebp
.text:0041CDD6 push edx
.text:0041CDD7
.text:0041CDD7 loc_41CDD7: ; CODE XREF: sub_41CAD0+2F2j
.text:0041CDD7 call sub_41CFB0 ; Update(Result2,16) / Update(user name, user name length)
.text:0041CDDC add esp, 0Ch
.text:0041CDDF lea eax, [esp+0D8h+var_B0]
.text:0041CDE3 lea ecx, [esp+0D8h+var_C8]
.text:0041CDE7 push eax
.text:0041CDE8 push ecx
.text:0041CDE9 call sub_41D0A0 ; MD5 transform: call the result Result3[16]; this result is the Result2[16] of the next loop iteration
.text:0041CDEE add esp, 8
.text:0041CDF1 inc esi
.text:0041CDF2 cmp esi, 3E8h
.text:0041CDF8 jl loc_41CD26
Algorithm step three complete
///////////////////////////////////////////////////////////////////////

///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
Algorithm step four: convert the result of step three into a regular printable string, 22 characters long
The conversion table is: "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
.text:0041CDFE mov edi, offset unk_46AE6C
.text:0041CE03 or ecx, 0FFFFFFFFh
.text:0041CE06 xor eax, eax
.text:0041CE08 xor edx, edx
.text:0041CE0A mov dh, byte ptr [esp+0D8h+var_C8]
.text:0041CE0E push 4
.text:0041CE10 repne scasb
.text:0041CE12 mov eax, [esp+0DCh+var_C4+2]
.text:0041CE16 and eax, 0FFh
.text:0041CE1B or edx, eax
.text:0041CE1D mov eax, [esp+0DCh+var_BC]
.text:0041CE21 not ecx
.text:0041CE23 shl edx, 8
.text:0041CE26 and eax, 0FFh
.text:0041CE2B dec ecx
.text:0041CE2C or edx, eax
.text:0041CE2E add ecx, offset unk_46AE6C
.text:0041CE34 push edx
.text:0041CE35 push ecx
.text:0041CE36 mov dword_46AE68, ecx
.text:0041CE3C call sub_41D9B0
.text:0041CE41 mov ecx, [esp+0E4h+var_C8+1]
.text:0041CE45 mov edx, [esp+0E4h+var_C4+3]
.text:0041CE49 mov eax, dword_46AE68
.text:0041CE4E and ecx, 0FFh
.text:0041CE54 shl ecx, 8
.text:0041CE57 and edx, 0FFh
.text:0041CE5D add eax, 4
.text:0041CE60 or ecx, edx
.text:0041CE62 mov edx, [esp+0E4h+var_BC+1]
.text:0041CE66 shl ecx, 8
.text:0041CE69 and edx, 0FFh
.text:0041CE6F push 4
.text:0041CE71 or ecx, edx
.text:0041CE73 mov dword_46AE68, eax
.text:0041CE78 push ecx
.text:0041CE79 push eax
.text:0041CE7A call sub_41D9B0
.text:0041CE7F mov ecx, [esp+0F0h+var_C8+2]
.text:0041CE83 mov edx, [esp+0F0h+var_C0]
.text:0041CE87 mov eax, dword_46AE68
.text:0041CE8C and ecx, 0FFh
.text:0041CE92 shl ecx, 8
.text:0041CE95 and edx, 0FFh
.text:0041CE9B add eax, 4
.text:0041CE9E or ecx, edx
.text:0041CEA0 mov edx, [esp+0F0h+var_BC+2]
.text:0041CEA4 shl ecx, 8
.text:0041CEA7 and edx, 0FFh
.text:0041CEAD push 4
.text:0041CEAF or ecx, edx
.text:0041CEB1 mov dword_46AE68, eax
.text:0041CEB6 push ecx
.text:0041CEB7 push eax
.text:0041CEB8 call sub_41D9B0
.text:0041CEBD mov ecx, [esp+0FCh+var_C8+3]
.text:0041CEC1 mov edx, [esp+0FCh+var_C0+1]
.text:0041CEC5 mov eax, dword_46AE68
.text:0041CECA and ecx, 0FFh
.text:0041CED0 shl ecx, 8
.text:0041CED3 and edx, 0FFh
.text:0041CED9 add eax, 4
.text:0041CEDC or ecx, edx
.text:0041CEDE mov edx, [esp+0FCh+var_BC+3]
.text:0041CEE2 shl ecx, 8
.text:0041CEE5 and edx, 0FFh
.text:0041CEEB push 4
.text:0041CEED or ecx, edx
.text:0041CEEF mov dword_46AE68, eax
.text:0041CEF4 push ecx
.text:0041CEF5 push eax
.text:0041CEF6 call sub_41D9B0
.text:0041CEFB mov ecx, [esp+108h+var_C4]
.text:0041CEFF mov eax, dword_46AE68
.text:0041CF04 mov edx, [esp+108h+var_C0+2]
.text:0041CF08 and ecx, 0FFh
.text:0041CF0E add eax, 4
.text:0041CF11 push 4
.text:0041CF13 shl ecx, 8
.text:0041CF16 mov dword_46AE68, eax
.text:0041CF1B and edx, 0FFh
.text:0041CF21 or ecx, edx
.text:0041CF23 mov edx, [esp+10Ch+var_C4+1]
.text:0041CF27 shl ecx, 8
.text:0041CF2A and edx, 0FFh
.text:0041CF30 or ecx, edx
.text:0041CF32 push ecx
.text:0041CF33 push eax
.text:0041CF34 call sub_41D9B0
.text:0041CF39 mov ecx, [esp+114h+var_C0+3]
.text:0041CF3D mov eax, dword_46AE68
.text:0041CF42 and ecx, 0FFh
.text:0041CF48 add eax, 4
.text:0041CF4B push 2
.text:0041CF4D push ecx
.text:0041CF4E push eax
.text:0041CF4F mov dword_46AE68, eax
.text:0041CF54 call sub_41D9B0
.text:0041CF59 mov eax, dword_46AE68
.text:0041CF5E add esp, 48h
.text:0041CF61 add eax, 2
.text:0041CF64 pop edi
.text:0041CF65 mov dword_46AE68, eax
.text:0041CF6A pop esi
.text:0041CF6B mov byte ptr [eax], 0
.text:0041CF6E pop ebp
.text:0041CF6F mov eax, offset unk_46AE6C
Algorithm step four complete; the result is Result4[22]
//////////////////////////////////////////////////////////////////////
.text:0041CF74 pop ebx
.text:0041CF75 add esp, 0C8h
.text:0041CF7B retn
.text:0041CF7B sub_41CAD0 endp
.text:0041CF7B
.text:0041CF7B ; ---------------------------------------------------------------------------
/////////////////////////////////////////////////////////////////////////////////
=================================================================================


/////////////////////////////////////////////////////////////////////////////////
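Step five: concatenate: "$1$" + user name (first 8 characters, or the whole user name if it is shorter than 8 characters) + "$" + Result4[22]
Call the result Result5

Result5 is fed into the next round
.text:004075E2 call sub_41CAD0 ; algorithm CALL (second round)
This round uses the "feature code" from the registration dialog; call the result Result6
Concatenate: "$1$" + first 8 characters of the feature code + "$" + Result6

After .text:00407634
Final result conversion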

===================================================================
Analysis complete :)

=================================
inside Pandora's Box
**********


CrAcKeD BY alphakk/iPB
=================================