豪杰超级解霸3000[英雄版]算法分析
2007-07-24 16:45:26 来源:WEB开发网核心提示:看见有朋友分析了一下XXXXX3000英雄版的注册码的比较过程的分析,就想也分析一下,豪杰超级解霸3000[英雄版]算法分析,写出它的注册码的生成的算法过程,也写了一个注册机,所用工具:TRW2000,W32DASMReferenced by a CALL at Addresses::00401C93, :00401E
看见有朋友分析了一下XXXXX3000英雄版的注册码的比较过程的分析,就想也分析一下,写出它的注册码的生成的算法过程,也写了一个注册机。
所用工具:TRW2000,W32DASM
Referenced by a CALL at Addresses:
:00401C93 , :00401EF9
:00402840 83EC20 sub esp, 00000020
:00402843 56 push esi
:00402844 57 push edi
:00402845 B908000000 mov ecx, 00000008
:0040284A 33C0 xor eax, eax
:0040284C 8D7C2408 lea edi, dWord ptr [esp+08]<----存入第一组注册码的局部变量,以下记为reg1,是一个DWORD类型,也可以看成4个字符形式。
:00402850 F3 repz
:00402851 AB stosd
:00402852 8B44242C mov eax, dword ptr [esp+2C] <----得到用户名的地址
:00402856 50 push eax <----将用户名作为参数传入
:00402857 E8B4010000 call 00402A10 <----此CALL(记为CALL 1)内将用户名进行变化后在EAX以长整数返回,按F8进入.
:0040285C 83C404 add esp, 00000004
:0040285F 89442408 mov dword ptr [esp+08], eax <----将返回的值放入reg1中
:00402863 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402888(C)
:00402865 0FBE443408 movsx eax, byte ptr [esp+esi+08]
:0040286A 83F841 cmp eax, 00000041
:0040286D 7C08 jl 00402877
:0040286F 83F85A cmp eax, 0000005A
:00402872 7F03 jg 00402877
:00402874 83C020 add eax, 00000020 <---- 如果是大写的,则变为小写。
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:0040286D(C), :00402872(C)
:00402877 50 push eax
:00402878 E863020000 call 00402AE0 <---- 将EAX 转化为一个字符。(记为CALL 3)
:0040287D 83C404 add esp, 00000004
:00402880 88443408 mov byte ptr [esp+esi+08], <----保存这个字符到reg1中。
:00402884 46 inc esi
:00402885 83FE04 cmp esi, 00000004
:00402888 7CDB jl 00402865 <----是否完成第一组
:0040288A 8B7C2430 mov edi, dword ptr [esp+30]
:0040288E 8D4C2408 lea ecx, dword ptr [esp+08]
:00402892 8BF7 mov esi, edi
:00402894 33D2 xor edx, edx
:00402896 2BF1 sub esi, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004028BC(C)
:00402898 8D4C1408 lea ecx, dword ptr [esp+edx+08]
:0040289C 0FBE040E movsx eax, byte ptr [esi+ecx]
:004028A0 83F841 cmp eax, 00000041
:004028A3 7C08 jl 004028AD
:004028A5 83F85A cmp eax, 0000005A
:004028A8 7F03 jg 004028AD
:004028AA 83C020 add eax, 00000020
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:004028A3(C), :004028A8(C)
:004028AD 0FBE09 movsx ecx, byte ptr [ecx]
:004028B0 3BC1 cmp eax, ecx <----比较第一组注册码
:004028B2 0F8520010000 jne 004029D8
:004028B8 42 inc edx
:004028B9 83FA04 cmp edx, 00000004
:004028BC 7CDA jl 00402898
:004028BE 8B442408 mov eax, dword ptr [esp+08]
:004028C2 8D1480 lea edx, dword ptr [eax+4*eax]
:004028C5 8D0450 lea eax, dword ptr [eax+2*edx]
:004028C8 03C0 add eax, eax
:004028CA 33F6 xor esi, esi
:004028CC 8944240C mov dword ptr [esp+0C], eax <----将reg1的值进行第二次变化.放入第二个地址中,以下记为reg2, reg2 = reg1 *22;
:00402922 8BD0 mov edx, eax
:00402924 33D1 xor edx, ecx
:00402926 8D0440 lea eax, dword ptr [eax+2*eax]
:00402929 83C208 add edx, 00000008
:0040292C 0FAFD1 imul edx, ecx
:0040292F 03D0 add edx, eax
:00402931 33F6 xor esi, esi
:00402933 89542410 mov dword ptr [esp+10], edx <----将用户名转化的值进行第三次变化记为 reg3 = reg2*3 + ((reg2 ^ reg1)+8)*reg1;
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040294D(C)
:00402937 0FBE4C3410 movsx ecx, byte ptr [esp+esi+10]
:0040293C 51 push ecx
:0040293D E89E010000 call 00402AE0 <----转化成第三组注册码
:00402942 83C404 add esp, 00000004
:00402945 88443410 mov byte ptr [esp+esi+10], al
:00402949 46 inc esi
:0040294A 83FE04 cmp esi, 00000004
:0040294D 7CE8 jl 00402937
:0040294F 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402970(C)
:00402951 0FBE440F0A movsx eax, byte ptr [edi+ecx+0A]
:00402956 83F841 cmp eax, 00000041
:00402959 7C08 jl 00402963
:0040295B 83F85A cmp eax, 0000005A
:0040295E 7F03 jg 00402963
:00402960 83C020 add eax, 00000020
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:00402959(C), :0040295E(C)
:00402963 0FBE540C10 movsx edx, byte ptr [esp+ecx+10]
:00402968 3BC2 cmp eax, edx <----比较第三组注册码
:0040296A 756C jne 004029D8
:0040296C 41 inc ecx
:0040296D 83F904 cmp ecx, 00000004
:00402970 7CDF jl 00402951
:00402972 8B4C240C mov ecx, dword ptr [esp+0C]
:00402976 8B442408 mov eax, dword ptr [esp+08]
:0040297A 0FAFC8 imul ecx, eax
:0040297D 83C106 add ecx, 00000006
:00402980 8D1480 lea edx, dword ptr [eax+4*eax]
:00402983 0FAF4C2410 imul ecx, dword ptr [esp+10]
:00402988 03CA add ecx, edx
:0040298A 33F6 xor esi, esi
:0040298C 894C2414 mov dword ptr [esp+14], ecx <----将用户名转化的值进行第四次变化.记为 reg4 = reg1*5 + ((reg2 * reg1)+6)*reg3;
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004029A6(C)
:00402990 0FBE443414 movsx eax, byte ptr [esp+esi+14]
:00402995 50 push eax
:00402996 E845010000 call 00402AE0 <----转化出第4组注册码
:0040299B 83C404 add esp, 00000004
:0040299E 88443414 mov byte ptr [esp+esi+14], al
:004029A2 46 inc esi
:004029A3 83FE04 cmp esi, 00000004
:004029A6 7CE8 jl 00402990
:004029A8 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004029C9(C)
:004029AA 0FBE440F0F movsx eax, byte ptr [edi+ecx+0F]
:004029AF 83F841 cmp eax, 00000041
:004029B2 7C08 jl 004029BC
:004029B4 83F85A cmp eax, 0000005A
:004029B7 7F03 jg 004029BC
:004029B9 83C020 add eax, 00000020
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:004029B2(C), :004029B7(C)
:004029BC 0FBE540C14 movsx edx, byte ptr [esp+ecx+14]
:004029C1 3BC2 cmp eax, edx <----比较第四组注册码
:004029C3 7513 jne 004029D8
:004029C5 41 inc ecx
:004029C6 83F904 cmp ecx, 00000004
:004029C9 7CDF jl 004029AA
:004029CB 5F pop edi
* Possible Reference to String Resource ID=00001: "Register SUCcess"
:004029CC B801000000 mov eax, 00000001
:004029D1 5E pop esi
:004029D2 83C420 add esp, 00000020
:004029D5 C20800 ret 0008
-----------------以下是进入CALL 1后的内容---------------------------
00402A10 81EC00020000 sub esp, 00000200
:00402A16 B980000000 mov ecx, 00000080
:00402A1B 33C0 xor eax, eax
:00402A1D 53 push ebx
:00402A1E 55 push ebp
:00402A1F 56 push esi
:00402A20 8BB42410020000 mov esi, dword ptr [esp+00000210]
:00402A27 57 push edi
:00402A28 8D7C2410 lea edi, dword ptr [esp+10]
:00402A2C F3 repz
:00402A2D AB stosd
:00402A2E 56 push esi
:00402A2F 33ED xor ebp, ebp
* Reference To: KERNEL32.lstrlenA, Ord:0308h
:00402A31 FF1590704000 Call dword ptr [00407090] <----取用户名长度
:00402A37 8BD8 mov ebx, eax
:00402A39 81FB00020000 cmp ebx, 00000200 <----比较用户名是否超过512字符
:00402A3F 7612 jbe 00402A53
:00402A41 B980000000 mov ecx, 00000080
:00402A46 8D7C2410 lea edi, dword ptr [esp+10]
:00402A4A BB00020000 mov ebx, 00000200
:00402A4F F3 repz
:00402A50 A5 movsd
:00402A51 EB0C jmp 00402A5F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402A3F(C)
:00402A53 8D442410 lea eax, dword ptr [esp+10]
:00402A57 56 push esi
:00402A58 50 push eax
* Reference To: KERNEL32.lstrcpyA, Ord:0302h
:00402A59 FF1528704000 Call dword ptr [00407028] <----将用户名复制到另一地址(以下记作地址1).
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402A51(U)
:00402A5F 8BC3 mov eax, ebx
:00402A61 99 cdq
:00402A62 83E203 and edx, 00000003
:00402A65 03C2 add eax, edx
:00402A67 8BF8 mov edi, eax
:00402A69 C1FF02 sar edi, 02 <----EDI为用户名长度除4后取整
:00402A6C F6C303 test bl, 03
:00402A6F 7401 je 00402A72
:00402A71 47 inc edi <----如果有余数,再加1,该值用于第二次变化的循环变量.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402A6F(C)
:00402A72 33C9 xor ecx, ecx
:00402A74 85DB test ebx, ebx
:00402A76 7E17 jle 00402A8F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402A8D(C)
:00402A78 8A540C10 mov dl, byte ptr [esp+ecx+10] <----取出地址1中用户名的一位.
:00402A7C 52 push edx
:00402A7D 51 push ecx <----压入两个参数,ECX为循环变量,第一次时是0;
:00402A7E E86DFFFFFF call 004029F0 <----此CALL(记为CALL 2)将取出的字符进行变化,按F8可进入分析;
:00402A83 83C408 add esp, 00000008
:00402A86 88440C10 mov byte ptr [esp+ecx+10], al <----将处理后的字符再次写入
:00402A8A 41 inc ecx
:00402A8B 3BCB cmp ecx, ebx <----是否将用户名的第一位都处理了.
:00402A8D 7CE9 jl 00402A78 <----没有处理完就继续.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402A76(C)
:00402A8F 33F6 xor esi, esi
:00402A91 85FF test edi, edi
:00402A93 7E1C jle 00402AB1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402AAF(C)
:00402A95 8B5CB410 mov ebx, dword ptr [esp+4*esi+10] <----取出第一次处理后用户名的4位。
:00402A99 8BC6 mov eax, esi
:00402A9B 83E01F and eax, 0000001F
:00402A9E 03EB add ebp, ebx <----将处理的结果进行累加。
:00402AA0 50 push eax
:00402AA1 55 push ebp
:00402AA2 E819000000 call 00402AC0 <----此CALL内比较简单,是将EBP的值通过CF进行循环移位EAX次。
:00402AA7 83C408 add esp, 00000008
:00402AAA 46 inc esi
:00402AAB 3BF7 cmp esi, edi
:00402AAD 8BE8 mov ebp, eax <----是否处理完
:00402AAF 7CE4 jl 00402A95
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00402A93(C)
:00402AB1 5F pop edi
:00402AB2 8BC5 mov eax, ebp <----将最后累加的值放入EAX后返回。
:00402AB4 5E pop esi
:00402AB5 5D pop ebp
:00402AB6 5B pop ebx
:00402AB7 81C400020000 add esp, 00000200
:00402ABD C3 ret
-----------------------------------------------------------------------------
中查找“豪杰超级解霸3000[英雄版]算法分析”更多相关内容
中查找“豪杰超级解霸3000[英雄版]算法分析”更多相关内容更多精彩
赞助商链接
