2188查看
1回复

[转贴] 某软件算法分析-比较Easy^_

主题	好友	4976 积分

论坛元老

发消息

发表于 2010-2-5 18:48:05 |显示全部楼层

00500234 55             PUSH EBP                               ; 按钮事件
00500235 8BEC          MOV EBP,ESP
00500237 B9 49000000    MOV ECX,49
0050023C 6A 00          PUSH 0
0050023E 6A 00          PUSH 0
00500240 49             DEC ECX
00500241  ^ 75 F9          JNZ SHORT 0050023C
00500243 51             PUSH ECX
00500244 53             PUSH EBX
00500245 56             PUSH ESI
00500246 57             PUSH EDI
00500247 8BF2          MOV ESI,EDX
00500249 8BD8          MOV EBX,EAX
0050024B 33C0          XOR EAX,EAX
0050024D 55             PUSH EBP
0050024E 68 97065000    PUSH 00500697
00500253 64:FF30       PUSH DWORD PTR FS:[EAX]
00500256 64:8920       MOV DWORD PTR FS:[EAX],ESP
00500259 8B46 08       MOV EAX,DWORD PTR DS:[ESI+8]
0050025C BA B0065000    MOV EDX,005006B0                      ; ASCII "fdkfwefrweirjodfdsf_434"
00500261 E8 964DF0FF    CALL 00404FFC
00500266 0F85 AA030000 JNZ 00500616
0050026C 8D95 20FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E0]
00500272 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00500278 E8 ABE3F5FF    CALL 0045E628                         ; 获取假码
0050027D 83BD 20FEFFFF 0>CMP DWORD PTR SS:[EBP-1E0],0
00500284 0F84 8C030000 JE 00500616                            ; 注册码为空？
0050028A 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]
00500290 50             PUSH EAX
00500291 8D95 18FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E8]
00500297 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
0050029D E8 86E3F5FF    CALL 0045E628
005002A2 8B85 18FEFFFF MOV EAX,DWORD PTR SS:[EBP-1E8]
005002A8 B9 02000000    MOV ECX,2
005002AD BA 01000000    MOV EDX,1
005002B2 E8 594EF0FF    CALL 00405110
005002B7 8B85 1CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1E4]
005002BD BA D0065000    MOV EDX,005006D0                      ; ASCII "36"
005002C2 E8 354DF0FF    CALL 00404FFC                         ; 假码头两位与 36 比较，不等完蛋
005002C7 0F85 49030000 JNZ 00500616
005002CD 8D95 10FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F0]
005002D3 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
005002D9 E8 4AE3F5FF    CALL 0045E628
005002DE 8B85 10FEFFFF MOV EAX,DWORD PTR SS:[EBP-1F0]
005002E4 8D8D 14FEFFFF LEA ECX,DWORD PTR SS:[EBP-1EC]
005002EA BA 02000000    MOV EDX,2
005002EF E8 18F4FFFF    CALL 004FF70C
005002F4 8B85 14FEFFFF MOV EAX,DWORD PTR SS:[EBP-1EC]
005002FA BA DC065000    MOV EDX,005006DC                      ; ASCII "94"
005002FF E8 F84CF0FF    CALL 00404FFC                         ; 假码最后两位与94比较，不等完蛋
00500304 0F85 0C030000 JNZ 00500616
0050030A 8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]
0050030D 50             PUSH EAX
0050030E 8D95 0CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1F4]
00500314 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
0050031A E8 09E3F5FF    CALL 0045E628
0050031F 8B85 0CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1F4]
00500325 B9 20000000    MOV ECX,20
0050032A BA 03000000    MOV EDX,3
0050032F E8 DC4DF0FF    CALL 00405110                         ; 从第三位起取假码32位
00500334 8D95 08FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F8]
0050033A 8BC3          MOV EAX,EBX
0050033C E8 33FEFFFF    CALL 00500174                         ; 关键call
00500341 8B95 08FEFFFF MOV EDX,DWORD PTR SS:[EBP-1F8]          ; 真码中间部分出现
00500347 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]          ; 上面取的32位
0050034A E8 AD4CF0FF    CALL 00404FFC                         ; 比较，不等则完蛋
0050034F 0F85 C1020000 JNZ 00500616
00500355 8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
00500358 E8 E7FAFFFF    CALL 004FFE44
0050035D 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]          ; 机器码
00500360 E8 4B4BF0FF    CALL 00404EB0
注册总结：很简单，程序首先比较注册码前两位（必须为36），然后比较最后两位（必须为94），最终比较中间的32位；其中中间的32位是关键，机器码每位循环运算得到一字符串，然后MD5加密下，与中间的32位比较。

给个VB的注册机源码：

Private Sub Command1_Click()
Dim Length As Integer
Dim I As Integer
Dim str As String
Dim sun As String
Dim jieguo As String

Length = Len(Trim(Text1.Text))
For I = 1 To Length
str = Mid(Trim(Text1.Text), I, 1)
sun = Asc(str)
sun = Hex(sun + 537)  '我把原来程序中的4步并作一步了
jieguo = jieguo & sun
Next I
Text2.Text = "36" & MD5(jieguo) & "94"
End Sub

使用道具举报