下载:http://newhua.infosail.com/down/protectz.exe
* Referenced by a CALL at Address:
|:0048926F
|
:00488F8C 55
push ebp
:00488F8D 8BEC
mov ebp, esp
:00488F8F 83C4B0
add esp, FFFFFFB0
:00488F92 33D2
xor edx, edx
:00488F94 8955B0
mov dword ptr [ebp-50], edx
:00488F97 8955B4
mov dword ptr [ebp-4C], edx
:00488F9A 8955B8
mov dword ptr [ebp-48],
edx
:00488F9D 8955BC
mov dword ptr [ebp-44], edx
:00488FA0 8955C8
mov dword ptr [ebp-38], edx
:00488FA3
8955C4 mov dword
ptr [ebp-3C], edx
:00488FA6 8945FC
mov dword ptr [ebp-04], eax
:00488FA9 33C0
xor eax, eax
:00488FAB
55
push ebp
:00488FAC 6898914800
push 00489198
:00488FB1 64FF30
push dword ptr fs:[eax]
:00488FB4 648920
mov dword ptr fs:[eax], esp
:00488FB7
8D55C8 lea edx,
dword ptr [ebp-38]
:00488FBA 8B45FC
mov eax, dword ptr [ebp-04]
:00488FBD 8B8004030000
mov eax, dword ptr [eax+00000304]
:00488FC3
E8687EFAFF call 00430E30<---------------------------------读取注册码
:00488FC8 8B45C8
mov eax, dword ptr [ebp-38]
:00488FCB 50
push eax
:00488FCC 8D55C4
lea edx, dword ptr [ebp-3C]
:00488FCF 8B45FC
mov eax, dword ptr [ebp-04]
:00488FD2 8B8000030000
mov eax, dword ptr [eax+00000300]
:00488FD8 E8537EFAFF
call 00430E30<---------------------------------读取用户名
:00488FDD 8B45C4
mov eax, dword ptr [ebp-3C]
:00488FE0 5A
pop edx
:00488FE1 E8AEF9FFFF
call 00488994<-----------------(1)-------------比较核心,跟入
:00488FE6 85C0
test eax, eax
:00488FE8 0F8482010000
je 00489170
================================================================================================
* Referenced by a CALL at Address:<------------------------call (1)
|:00488FE1
|
:00488994 55
push ebp
:00488995 8BEC
mov ebp, esp
:00488997 B905000000
mov ecx, 00000005
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004889A1(C)
|
:0048899C 6A00
push 00000000
:0048899E 6A00
push 00000000
:004889A0 49
dec ecx
:004889A1
75F9 jne
0048899C
:004889A3 51
push ecx
:004889A4 8955F8
mov dword ptr [ebp-08], edx<-------------注册码
:004889A7 8945FC
mov dword ptr [ebp-04], eax<-------------用户名
:004889AA 8B45FC
mov eax, dword ptr [ebp-04]
:004889AD E86AB6F7FF call 0040401C
:004889B2 8B45F8
mov eax, dword ptr [ebp-08]
:004889B5 E862B6F7FF
call 0040401C
:004889BA 33C0
xor eax, eax
:004889BC 55
push ebp
:004889BD 68AE8B4800 push
00488BAE
:004889C2 64FF30
push dword ptr fs:[eax]
:004889C5 648920
mov dword ptr fs:[eax], esp
:004889C8
33C0 xor
eax, eax
:004889CA 8945F4
mov dword ptr [ebp-0C], eax
:004889CD 8D45F0
lea eax, dword ptr [ebp-10]
:004889D0
8B55F8 mov edx,
dword ptr [ebp-08]
:004889D3 E8A8B2F7FF
call 00403C80
:004889D8 8B55F0
mov edx, dword ptr [ebp-10]
:004889DB B8C48B4800
mov eax, 00488BC4
:004889E0 E86FB7F7FF
call 00404154<--------------------------注册码中'-'的位置
:004889E5 8845EB
mov byte ptr [ebp-15], al<--------------在第9位
:004889E8 807DEB00
cmp byte ptr [ebp-15], 00
:004889EC 0F8687010000 jbe 00488B79<---------------------------没有'-'就完了
:004889F2 33D2
xor edx, edx
:004889F4 8A55EB
mov dl, byte ptr [ebp-15]
:004889F7 8D45F0
lea eax, dword ptr [ebp-10]
:004889FA B901000000 mov ecx,
00000001
:004889FF E8ACB6F7FF
call 004040B0<--------------------------去掉注册码中的'-'
:00488A04 8B45F0
mov eax, dword ptr [ebp-10]
:00488A07 E85CB4F7FF call
00403E68<--------------------------计算注册码的长度
:00488A0C 83F810
cmp eax, 00000010<----------------------不包括'-',要16位
:00488A0F 0F8564010000 jne 00488B79<---------------------------不然就完蛋
:00488A15 8D45EC
lea eax, dword ptr [ebp-14]
:00488A18 E8CBB1F7FF
call 00403BE8
:00488A1D C645EB01
mov [ebp-15], 01
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00488A60(C)
|
:00488A21 8D45E0
lea eax, dword ptr [ebp-20]
:00488A24 50
push eax
:00488A25 33C0
xor eax, eax
:00488A27
8A45EB mov al, byte
ptr [ebp-15]
:00488A2A 8BD0
mov edx, eax
:00488A2C 03D2
add edx, edx
:00488A2E 4A
dec edx
:00488A2F B902000000 mov
ecx, 00000002
:00488A34 8B45F0
mov eax, dword ptr [ebp-10]<-----------去掉'-'后,的注册码
:00488A37
E834B6F7FF call 00404070<-------------------------取前两位
:00488A3C 8B45E0
mov eax, dword ptr [ebp-20]
:00488A3F E870FDFFFF
call 004887B4<-------------------------转换成16进制并放在al中
:00488A44 8BD0
mov edx, eax<--------------------------"12"==>0x12
:00488A46 8D45E4
lea eax, dword ptr [ebp-1C]
:00488A49 E842B3F7FF call
00403D90
:00488A4E 8B55E4
mov edx, dword ptr [ebp-1C]
:00488A51 8D45EC
lea eax, dword ptr [ebp-14]
:00488A54
E817B4F7FF call 00403E70
:00488A59 FE45EB
inc [ebp-15]
:00488A5C 807DEB09
cmp byte ptr [ebp-15], 09
:00488A60 75BF
jne 00488A21<--------------------------循环8次
:00488A62 8D45F0
lea eax, dword ptr [ebp-10]
:00488A65 E87EB1F7FF
call 00403BE8
:00488A6A 8B45EC
mov eax, dword ptr [ebp-14]
:00488A6D
E8F6B3F7FF call 00403E68
:00488A72 84C0
test al, al
:00488A74 7636
jbe 00488AAC
:00488A76 8845EA
mov byte ptr [ebp-16], al
:00488A79 C645EB01
mov [ebp-15], 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488AAA(C)
|
:00488A7D 8D45DC
lea eax, dword ptr [ebp-24]
:00488A80 33D2
xor edx, edx
:00488A82 8A55EB
mov dl, byte ptr [ebp-15]
:00488A85 8B4DEC
mov ecx, dword ptr [ebp-14]
:00488A88 8A5411FF
mov dl, byte ptr [ecx+edx-01]
:00488A8C 8A4DEB
mov cl, byte ptr [ebp-15]
:00488A8F 80C134
add cl, 34
12 xor (1+34)==0x27
:00488A92 32D1
xor dl, cl
34 xor (2+34)==0x02
:00488A94 E8F7B2F7FF call
00403D90
56 xor (3+34)==0x61
:00488A99 8B55DC
mov edx, dword ptr [ebp-24]
78 xor (4+34)==0x40
:00488A9C 8D45F0
lea eax, dword ptr [ebp-10]
87 xor (5+34)==0xbe
:00488A9F E8CCB3F7FF
call 00403E70
65 xor (6+34)==0x5f
:00488AA4 FE45EB
inc [ebp-15]
43 xor (7+34)==0x78
:00488AA7 FE4DEA
dec [ebp-16]<----------------------- 21 xor (8+34)==0x1d
:00488AAA 75D1
jne 00488A7D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488A74(C)
|
:00488AAC 8D45EC
lea eax, dword ptr [ebp-14]
:00488AAF 50
push eax
:00488AB0
B9BB000000 mov ecx, 000000BB
:00488AB5 BA07000000 mov edx,
00000007
:00488ABA 8B45F0
mov eax, dword ptr [ebp-10]<-----------27 02 61 40 be 5f 78 1d
:00488ABD E8AEFDFFFF call
00488870<--------------(1.1)------计算出8位的用户名,跟入
:00488AC2 8D45F0
lea eax, dword ptr [ebp-10]
:00488AC5 E81EB1F7FF call
00403BE8
:00488ACA 8B45FC
mov eax, dword ptr [ebp-04]<-----------输入的用户名
:00488ACD
E896B3F7FF call 00403E68<-------------------------计算长度
:00488AD2 84C0
test al, al
:00488AD4 764C
jbe 00488B22
:00488AD6 8845EA
mov byte ptr [ebp-16], al
:00488AD9
C645EB01 mov [ebp-15],
01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488B20(C)
|
:00488ADD 33C0
xor eax, eax
:00488ADF 8A45EB
mov al, byte ptr [ebp-15]
:00488AE2 8B55FC
mov edx, dword ptr [ebp-04]
:00488AE5 807C02FF20
cmp byte ptr [edx+eax-01], 20<---------是否小于0x20
:00488AEA
762E jbe
00488B1A
:00488AEC 33C0
xor eax, eax
:00488AEE 8A45EB
mov al, byte ptr [ebp-15]
:00488AF1 8B55FC
mov edx, dword ptr [ebp-04]
:00488AF4 807C02FF7B cmp
byte ptr [edx+eax-01], 7B<---------是否大于0x7b
:00488AF9 731F
jnb 00488B1A
:00488AFB
8D45D8 lea eax,
dword ptr [ebp-28]
:00488AFE 33D2
xor edx, edx
:00488B00 8A55EB
mov dl, byte ptr [ebp-15]
:00488B03
8B4DFC mov ecx,
dword ptr [ebp-04]
:00488B06 8A5411FF
mov dl, byte ptr [ecx+edx-01]
:00488B0A E881B2F7FF
call 00403D90
:00488B0F 8B55D8
mov edx, dword ptr [ebp-28]
:00488B12 8D45F0
lea eax, dword ptr [ebp-10]
:00488B15 E856B3F7FF
call 00403E70
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00488AEA(C), :00488AF9(C)
|
:00488B1A FE45EB
inc [ebp-15]
:00488B1D FE4DEA
dec [ebp-16]
:00488B20 75BB
jne 00488ADD
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00488AD4(C)
|
:00488B22 8D55D4
lea edx, dword ptr [ebp-2C]
:00488B25 8B45F0
mov eax, dword ptr [ebp-10]
:00488B28 E8D3FAF7FF
call 00408600<------------------------转换成大写字母
:00488B2D
8B55D4 mov edx,
dword ptr [ebp-2C]
:00488B30 8D45F0
lea eax, dword ptr [ebp-10]
:00488B33 E848B1F7FF
call 00403C80
:00488B38 8B45F0
mov eax, dword ptr [ebp-10]
:00488B3B E828B3F7FF call
00403E68
:00488B40 83F808
cmp eax, 00000008<-------------------要大于8个字
:00488B43 7E0D
jle 00488B52
:00488B45 8D45F0
lea eax, dword ptr [ebp-10]
:00488B48 BA08000000
mov edx, 00000008
:00488B4D E84AB6F7FF
call 0040419C<-----------------------取前8个字
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488B43(C)
|
:00488B52 8B45F0
mov eax, dword ptr [ebp-10]
:00488B55 E80EB3F7FF
call 00403E68
:00488B5A 8BD0
mov edx, eax
:00488B5C 8D45EC
lea eax, dword ptr [ebp-14]
:00488B5F E838B6F7FF
call 0040419C
:00488B64 8B45EC
mov eax, dword ptr [ebp-14]
:00488B67
8B55F0 mov edx,
dword ptr [ebp-10]
:00488B6A E809B4F7FF
call 00403F78<--------------------输入的用户名和
:00488B6F 0F94C0
sete al
由注册码算出的用户名比较
:00488B72 F6D8
neg al
:00488B74 1BC0
sbb eax, eax
:00488B76 8945F4
mov dword ptr [ebp-0C], eax<----------此处让eax==1则注册成功
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004889EC(C), :00488A0F(C)
|
:00488B79 33C0
xor eax, eax
:00488B7B 5A
pop edx
:00488B7C 59
pop ecx
:00488B7D 59
pop ecx
:00488B7E 648910
mov dword ptr fs:[eax], edx
:00488B81 68B58B4800 push 00488BB5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488BB3(U)
|
:00488B86 8D45D4
lea eax, dword ptr [ebp-2C]
:00488B89 BA05000000
mov edx, 00000005
:00488B8E E879B0F7FF
call 00403C0C
:00488B93 8D45EC
lea eax, dword ptr [ebp-14]
:00488B96 BA02000000 mov
edx, 00000002
:00488B9B E86CB0F7FF
call 00403C0C
:00488BA0 8D45F8
lea eax, dword ptr [ebp-08]
:00488BA3 BA02000000
mov edx, 00000002
:00488BA8 E85FB0F7FF
call 00403C0C
:00488BAD C3
ret
================================================================================================
* Referenced by a CALL at Address:<----------------------------call (1.1)
|:00488ABD
|
:00488870 55
push ebp
:00488871 8BEC
mov ebp, esp
:00488873
83C4D4 add esp,
FFFFFFD4
:00488876 53
push ebx
:00488877 33DB
xor ebx, ebx
:00488879 895DD4
mov dword ptr [ebp-2C], ebx
:0048887C 895DEC
mov dword ptr [ebp-14], ebx
:0048887F 894DF4
mov dword ptr [ebp-0C], ecx
:00488882 8955F8
mov dword ptr [ebp-08],
edx
:00488885 8945FC
mov dword ptr [ebp-04], eax
:00488888 8B45FC
mov eax, dword ptr [ebp-04]
:0048888B
E88CB7F7FF call 0040401C
:00488890 33C0
xor eax, eax
:00488892 55
push ebp
:00488893 6884894800
push 00488984
:00488898 64FF30
push dword ptr fs:[eax]
:0048889B
648920 mov dword
ptr fs:[eax], esp
:0048889E 8B45FC
mov eax, dword ptr [ebp-04]
:004888A1 E8C2B5F7FF
call 00403E68
:004888A6 8845F1
mov byte ptr [ebp-0F],
al
:004888A9 807DF108
cmp byte ptr [ebp-0F], 08
:004888AD 7604
jbe 004888B3
:004888AF C645F108
mov [ebp-0F], 08
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004888AD(C)
|
:004888B3 8D45EC
lea eax, dword ptr [ebp-14]
:004888B6 E82DB3F7FF
call 00403BE8
:004888BB 8A45F1
mov al, byte ptr [ebp-0F]
:004888BE
84C0 test
al, al
:004888C0 0F868D000000 jbe
00488953
:004888C6 8845DF
mov byte ptr [ebp-21], al
:004888C9 C645F201
mov [ebp-0E], 01
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:0048894D(C)
|
:004888CD 33C0
xor eax, eax
:004888CF 8A45F2
mov al, byte ptr [ebp-0E]
:004888D2 8B55FC
mov edx, dword ptr [ebp-04]
:004888D5 8A4402FF mov
al, byte ptr [edx+eax-01]
:004888D9 8845F3
mov byte ptr [ebp-0D], al
:004888DC C745E401000000
mov [ebp-1C], 00000001
:004888E3 33C0
xor eax, eax
:004888E5
8A45F3 mov al, byte
ptr [ebp-0D]
:004888E8 8945E8
mov dword ptr [ebp-18], eax
:004888EB 8B45F8
mov eax, dword ptr [ebp-08]
:004888EE
85C0 test
eax, eax
:004888F0 763A
jbe 0048892C
:004888F2 8945D8
mov dword ptr [ebp-28], eax
:004888F5 C745E001000000
mov [ebp-20], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048892A(C)
|
:004888FC 8B45E4 mov eax, dword ptr [ebp-1C]<----------0x1
:004888FF F76DE8 imul [ebp-18]<------------------------0x1*0x27==0x27
:00488902 8945E4 mov dword ptr [ebp-1C], eax<----------0xbb
:00488905 8B45F4 mov eax, dword ptr [ebp-0C]<----------0xbb
:00488908 F76DF4 imul [ebp-0C]<------------------------0xbb*0xbb==0x8899
:0048890B 3B45E4 cmp eax, dword ptr [ebp-1C]<----------0x27 < 0x8899 ?
:0048890E 7314 jnb 00488924<-------------------------再乘
:00488910 8B45F4 mov eax, dword ptr [ebp-0C]<----------0xbb
:00488913 F76DF4 imul [ebp-0C]<------------------------0x8899
:00488916 50 push eax
:00488917 8B45E4 mov eax, dword ptr [ebp-1C]
:0048891A 5A pop edx
:0048891B 8BCA mov ecx, edx
:0048891D 33D2 xor edx, edx
:0048891F F7F1 div ecx<------------------------------(0x1*0x27*0x27*0x27)%0x8899==0x5f1e
:00488921 8955E4 mov dword ptr [ebp-1C], edx<----------0x5f1e
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048890E(C)
|
:00488924 FF45E0 inc [ebp-20]
:00488927 FF4DD8 dec [ebp-28]<-------------------------乘7次
:0048892A 75D0 jne 004888FC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004888F0(C)
|
:0048892C 8B45E4 mov eax, dword ptr [ebp-1C]<----------最后的结果0x68f6
:0048892F 33D2 xor edx, edx
:00488931 F775F4 div [ebp-0C]<-------------------------0x68f6%0xbb==0x81
:00488934 8D45D4 lea eax, dword ptr [ebp-2C]<----------用户名的第一个字的ASCII值
:00488937 E854B4F7FF call 00403D90 要等于0x81
:0048893C 8B55D4 mov edx, dword ptr [ebp-2C]
:0048893F 8D45EC lea eax, dword ptr [ebp-14]
:00488942 E829B5F7FF call 00403E70
:00488947 FE45F2 inc [ebp-0E]
:0048894A FE4DDF dec [ebp-21]<-------------------------循环计算8个字
:0048894D 0F857AFFFFFF jne 004888CD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004888C0(C)
|
:00488953 8B4508 mov eax, dword ptr [ebp+08]
:00488956 8B55EC mov edx, dword ptr [ebp-14]
:00488959 E8DEB2F7FF call 00403C3C
:0048895E 33C0 xor eax, eax
:00488960 5A pop edx
:00488961 59 pop ecx
:00488962 59 pop ecx
:00488963 648910 mov dword ptr fs:[eax], edx
:00488966 688B894800 push 0048898B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488989(U)
|
:0048896B 8D45D4 lea eax, dword ptr [ebp-2C]
:0048896E E875B2F7FF call 00403BE8
:00488973 8D45EC lea eax, dword ptr [ebp-14]
:00488976 E86DB2F7FF call 00403BE8
:0048897B 8D45FC lea eax, dword ptr [ebp-04]
:0048897E E865B2F7FF call 00403BE8
:00488983 C3 ret
===============================================================================================
算法总结:
用户名:lancelot[CCG]的前8个字转换成大写LANCELOT==0x4c 0x41 0x4e 0x43 0x45 0x4c 0x4f 0x54
注册码:i0 i1 i2 i3 i4 i5 i6 i7 - i8 i9 ia ib ic id ie if
则: 0x4c xor 0x35==0x79, 0x41 xor 0x36==0x77, 0x4e xor 0x37==0x79, 0x43 xor 0x38==0x7b
0x45 xor 0x39==0x7c, 0x4c xor 0x3a==0x76, 0x4f xor 0x3b==0x74, 0x54 xor 0x3c==0x68
假设:已知0xi是一个两位的16进制数
(1) 1*0xi==0xi
(2) 如果 0xi*0xi>=0x8899 则取余--(0xi*0xi)%0x8899,余数参与下面计算
否则用0xi*0xi参与下面计算
(3) 如果 ((2)的结果*0xi)>=0x8899 则取余--((2)的结果*0xi)%0x8899,余数参与下面计算
否则用((2)的结果*0xi)参与下面计算,以下同
(4) 同上
(5) 同上
(6) 同上
(7) 同上
(8) 最后取余--(7)的结果%0xbb==A
例:(1) 1*0x27==0x27
(2) 0x27*0x27==0x5f1 < 0x8899
(3) 0x05f1*0x27==0xe7b7 >0x8899 取余 0xe7b7%0x8899==0x5f1e
(4) 0x5f1e*0x27==0xe7d92>0x8899 取余 0xe7d92%0x8899==0x156f
(5) 0x156f*0x27==0x343e9>0x8899 取余 0x343e9%0x8899==0x1053
(6) 0x1053*0x27==0x27ca5>0x8899 取余 0x27ca5%0x8899==0x5a41
(7) 0x5a41*0x27==0xdbfe7>0x8899 取余 0xdbfe7%0x8899==0x68f6
(8) 最后 0x68f6%0xbb==0x81
让 A 依次等于用户名的前8个字与0x35~0x3c异或后的值,逆运算求出0xi,即为注册码。
感谢hying的帮助,唯小弟愚钝,求逆运算,无果... ...
只好编个小程序穷举它:
#include <stdio.h>
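/*
 * Exhaustive search over candidate values, as described in the write-up:
 * for each of the first eight name bytes, find a j whose seven-step
 * multiply/reduce chain (modulus 34969 == 0x8899, final modulus
 * 187 == 0xbb) equals that byte, then print j XOR (53 + i) in hex.
 *
 * Changes from the original listing:
 *   - gets() is replaced by a bounded fgets(); gets() writes past the
 *     30-byte buffer on any longer input line and was removed from C11.
 *   - the buffer is zero-initialised, so the fixed eight-position loop
 *     reads defined zero bytes (not stack garbage) for a short name.
 *   - main returns int, as the C standard requires.
 * The search itself and every output string are unchanged.
 */
int main(void)
{
    int A = 1;
    char username[30] = {0};

    printf("Please enter your username(in capitals): ");
    if (fgets(username, sizeof username, stdin) != NULL)
    {
        /* Drop the line terminator and anything after it, keeping the
           tail of the buffer zeroed. */
        int cut = 0;
        for (int n = 0; n < (int)sizeof username; n++)
        {
            if (username[n] == '\n' || username[n] == '\r') cut = 1;
            if (cut) username[n] = '\0';
        }
    }

    printf("your register code is: ");
    for (int i = 0; i < 8; i++)
    {
        for (int j = 1; j < 4095; j++)
        {
            /* Seven multiply steps; reduce only once the product reaches
               the modulus. A < 34969 and j < 4095, so A*j fits in int. */
            for (int k = 0; k < 7; k++)
            {
                if (A * j >= 34969) A = (A * j) % 34969;
                else A = A * j;
            }
            if (A >= 187) A = A % 187;

            if (A == username[i])
            {
                if (i == 4) printf(" - ");      /* separator before the fifth value */
                printf("%x ", j ^ (53 + i));
                A = 1;
                break;
            }
            else A = 1;                         /* reset the accumulator for the next j */
        }
    }
    printf("\n");
    return 0;
}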
=================================================================================================
用户名:lancelot[CCG]
注册码:15b80f7b-b01a9659
,;~;,
/\_
( /
(() //)
| \\ ,,;;'\
__ _( )m=(lancelot(================--------
/' ' '()/~' '.(, |
,;( )|| | ~
,;' \ /-(.;, ) 兰斯洛特[CCG][FCG]
) / ) /
// || 2001.09.25
)_\ )_\
========================================================