• 标 题：平安全息万年历1.0.4算法分析
• 作 者：chn-boy
• 时 间：2000-12-2 9:27:39
• 链 接：http://bbs.pediy.com

Name： 66745923  &szlig; 由软件自动给出，不用填写
Code： 32194876
CTRL+D启用SoftICE4.05，下中断bpx hmemcpy，F5

s 30:0 l -1 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7

1）bpx 76380632 do “d ebx->8”  &szlig; 该中断为最后注册码比较处，ebx->8

2）bpx 7628bcd do “d ebp->8”  &szlig;该中断点其实就是bpx rtcmidbstr的外延
rtcmidbstr函数的功能就是用以从一个Table表中得到一个数据，入口参数为：
esp+4为Table表的地址偏移，esp+8为从距表多大偏移处得到数据，ecx中存放

1）第一个字符串：取出Name中奇数位四个数字6 7 5 2，逐一查表，合并得到

2）第二个字符串：将Name中偶数位和Code中奇数位取出，合并在一起，根据

A2 9E —— 0            FA 89 —— 1            6A 70 —— 2
28 72 —— 3            1F 65 —— 4            66 59 —— 5
80 7F —— 6            C4 6B —— 7            C1 5F —— 8
2E 9B —— 9

C4 6B FA 89 28 72 A2 9E-2E 9B 6A 70 C1 5F FA 89  .k..(r....jp._..
C4 6B C1 5F A2 9E 80 7F-C4 6B 80 7F 80 7F C4 6B  .k._....k...k
FA 89 2E 9B 28 72 28 72-66 59 28 72 C1 5F 28 72  ....(r(rfY(r._(r
FA 89 1F 65 6A 70 2E 9B-C4 6B A2 9E 28 72 FA 89  ...ejp...k..(r..
A2 9E C1 5F 1F 65 6A 70-6A 70 80 7F C1 5F 2E 9B  ..._.ejpjp.._..
28 72 C4 6B 66 59 C4 6B-80 7F 1F 65 28 72 C4 6B  (r.kfY.k..e(r.k
6A 70 FA 89 A2 9E 66 59-2E 9B FA 89 C4 6B FA 89  jp....fY.....k..
80 7F C4 6B C1 5F 28 72-C4 6B 6A 70 C1 5F 1F 65  ..k._(r.kjp._.e
2E 9B 66 59 66 59 80 7F-80 7F C4 6B 2E 9B FA 89  ..fYfY...k....
C4 6B 80 7F 66 59 A2 9E-1F 65 28 72 66 59 FA 89  .k.fY...e(rfY..
2E 9B 6A 70 6A 70 A2 9E-2E 9B 6A 70 66 59 C4 6B  ..jpjp....jpfY.k
A2 9E 1F 65 28 72 66 59-C1 5F FA 89 C1 5F FA 89  ...e(rfY._..._..
66 59 66 59 FA 89

注册机随后附上。

*_^        *_^        *_^

#include <stdio.h>
#include <ctype.h>
#define STR_LEN 8

unsigned char Table1[] = { 0xA2,0x9E,0xFA,0x89,0x6A,0x70,0x28,0x72,0x1F,
0x65,0x66,0x59,0x80,0x7F,0xC4,0x6B,0xC1,0x5F,
0x2E,0x9B };

unsigned char Table2[] = { 0xC4,0x6B,0xFA,0x89,0x28,0x72,0xA2,0x9E,0x2E,
0x9B,0x6A,0x70,0xC1,0x5F,0xFA,0x89,0xC4,0x6B,
0xC1,0x5F,0xA2,0x9E,0x80,0x7F,0xC4,0x6B,0x80,
0x7F,0x80,0x7F,0xC4,0x6B,0xFA,0x89,0x2E,0x9B,
0x28,0x72,0x28,0x72,0x66,0x59,0x28,0x72,0xC1,
0x5F,0x28,0x72,0xFA,0x89,0x1F,0x65,0x6A,0x70,
0x2E,0x9B,0xC4,0x6B,0xA2,0x9E,0x28,0x72,0xFA,
0x89,0xA2,0x9E,0xC1,0x5F,0x1F,0x65,0x6A,0x70,
0x6A,0x70,0x80,0x7F,0xC1,0x5F,0x2E,0x9B,0x28,
0x72,0xC4,0x6B,0x66,0x59,0xC4,0x6B,0x80,0x7F,
0x1F,0x65,0x28,0x72,0xC4,0x6B,0x6A,0x70,0xFA,
0x89,0xA2,0x9E,0x66,0x59,0x2E,0x9B,0xFA,0x89,
0xC4,0x6B,0xFA,0x89,0x80,0x7F,0xC4,0x6B,0xC1,
0x5F,0x28,0x72,0xC4,0x6B,0x6A,0x70,0xC1,0x5F,
0x1F,0x65,0x2E,0x9B,0x66,0x59,0x66,0x59,0x80,
0x7F,0x80,0x7F,0xC4,0x6B,0x2E,0x9B,0xFA,0x89,
0xC4,0x6B,0x80,0x7F,0x66,0x59,0xA2,0x9E,0x1F,
0x65,0x28,0x72,0x66,0x59,0xFA,0x89,0x2E,0x9B,
0x6A,0x70,0x6A,0x70,0xA2,0x9E,0x2E,0x9B,0x6A,
0x70,0x66,0x59,0xC4,0x6B,0xA2,0x9E,0x1F,0x65,
0x28,0x72,0x66,0x59,0xC1,0x5F,0xFA,0x89,0xC1,
0x5F,0xFA,0x89,0x66,0x59,0x66,0x59,0xFA,0x89,
'\0' };

unsigned char buf_str[] = "**";
unsigned char Number_str[STR_LEN+1];
unsigned char Code_str[] = "0*0*0*0*";
char *pstr,*pt;
int pos=0,k=0;

void main() {
scanf("%s",Number_str);
if(strlen(Number_str)>=STR_LEN){
pstr = Number_str;
pt = Table2;
while(k<STR_LEN){
buf_str[0] = Table1[(*(pstr+k)-0x30)*2];
buf_str[1] = Table1[(*(pstr+k)-0x30)*2+1];
pos = (*(pstr+k+1)-0x30)*10*2;
Code_str[k] = ((int)strstr(pt+pos,buf_str)-(int)pt-pos)/2+1+0x30;
k += 2;
}
printf("\nYour Code is: %s  [ * -- any digital ]",Code_str);
}else {
printf("Enter Number error.");
}
}