加密金刚锁V3.00

标题：加密金刚锁V3.00注册算法----(上集） (7千字)
作者：crackjack[CCG]
时间：2001-11-9 1:42:39
链接：http://bbs.pediy.com

“加密金刚锁”的前身就是“fedt for windows”，是一款专业的文件加密解密工具。它适用于windows9x/me/nt/2000/XP 等操作平台。

这个软件的加密有一点过份，如果你暴破得不彻底的话，它会很不礼貌的说你的解密水平很差等等啦，我看到这些东西就他妈的反胃了，呵呵，所以破它是天经地义的啦。

工具：
trw2000
hview
w32dasm

破解:crackjack[CCG]

好，我们看看他是用什么样的保护方式，以至作者那么的嚣张。用fi245检查，发现它是用aspack V2.11加的壳，呵呵，这个壳是很温柔的呵，解它就随便在网上拉一个工具下来就可以解它了，我们今天要研究它的加密方法。这个软件采取动态注册的方法，如果输入的注册码不正确，注册按钮就不可用。破解这类软件一般用的中断是bpx hmemcpy，我们先输入名字，名字不小于4个字符，并且输入7个注册码，然后切换到TRW,下断点bpx hmemcpy，然后输入第八个字符，程序被中点了，如下：

:0041175B 8B4DFC mov ecx, dword ptr [ebp-04] <====返回到这里
:0041175E 85C9 test ecx, ecx
:00411760 7408 je 0041176A
:00411762 8B45FC mov eax, dword ptr [ebp-04]
:00411765 8B50FC mov edx, dword ptr [eax-04] <=====取注册用户名长度过
:00411768 EB02 jmp 0041176C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411760(C)
|
:0041176A 33D2 xor edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411768(U)
|
:0041176C 83FA04 cmp edx, 00000004 <=====比较用户名长度，如果小于4则注册失败
:00411775 33C0 xor eax, eax
:00411777 8945F8 mov dword ptr [ebp-08], eax
:0041177A 8D55F8 lea edx, dword ptr [ebp-08]
:0041177D FF45E4 inc [ebp-1C]
:00411780 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:00411786 E839B70400 call 0045CEC4
:0041178B 8B4DF8 mov ecx, dword ptr [ebp-08]
:0041178E 85C9 test ecx, ecx
:00411790 7408 je 0041179A
:00411792 8B45F8 mov eax, dword ptr [ebp-08]
:00411795 8B50FC mov edx, dword ptr [eax-04] <====取注册码长度
:00411798 EB02 jmp 0041179C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411790(C)
|
:0041179A 33D2 xor edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411798(U)
|
:0041179C 83FA08 cmp edx, 00000008 <====比较注册码长度,如果小于8则注册失败

然后按f10，来到下面的地方：

:004117D8 33C0 xor eax, eax
:004117DA 8D4DEC lea ecx, dword ptr [ebp-14]
:004117DD 8B12 mov edx, dword ptr [edx]
:004117DF 8945EC mov dword ptr [ebp-14], eax
:004117E2 A1446E4C00 mov eax, dword ptr [004C6E44]
:004117E7 FF45E4 inc [ebp-1C]
:004117EA 8B00 mov eax, dword ptr [eax]
:004117EC E8EFBDFFFF call 0040D5E0 <=====注册算法
:004117F1 8D55EC lea edx, dword ptr [ebp-14] <====真正的注册码地址
:004117F4 33C9 xor ecx, ecx
:004117F6 52 push edx
:004117F7 894DF4 mov dword ptr [ebp-0C], ecx

:0041176F 0F8CDD000000 jl 00411852

好，我们追进4117ec的CALL，看它的注册算法是怎么样的：

程序将用户名和机器码连接在一起做为注册码的运算常数，如用户名是linjie，机器码是3CG5A3D8,则运算码为linjie3CG5A3D8(0),注意,还要在运算码最后加一个0H

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D69A(U)
|
:0040D6A1 021C01 add bl, byte ptr [ecx+eax] <=====累加运算码，取结果的一个字节(total)
:0040D6A4 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D68E(U)
|
:0040D6A5 8B55F8 mov edx, dword ptr [ebp-08]
:0040D6A8 85D2 test edx, edx
:0040D6AA 7408 je 0040D6B4
:0040D6AC 8B55F8 mov edx, dword ptr [ebp-08]
:0040D6AF 8B4AFC mov ecx, dword ptr [edx-04]
:0040D6B2 EB02 jmp 0040D6B6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6AA(C)
|
:0040D6B4 33C9 xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6B2(U)
|
:0040D6B6 3BC1 cmp eax, ecx
:0040D6B8 7CD6 jl 0040D690
:0040D6BA 8B45F8 mov eax, dword ptr [ebp-08] <====取运算码地址
。
。
。
:0040D6CB 8B45A4 mov eax, dword ptr [ebp-5C] <====取运算码地址
:0040D6CE 8A0C02 mov cl, byte ptr [edx+eax] <====取运算码第N位
:0040D6D1 8BC6 mov eax, esi <====运算码的位置
:0040D6D3 02C8 add cl, al <====cl=运算码ASCII值+运算码位置(fx1)
:0040D6D5 8BD6 mov edx, esi <====运算码位置
:0040D6D7 02DA add bl, dl <====累加总数(total)+运算码(fx2)位置
:0040D6D9 32CB xor cl, bl <=====cl(fx)=fx1 xor fx2
:0040D6DB 8B45F8 mov eax, dword ptr [ebp-08]
:0040D6DE 85C0 test eax, eax
:0040D6E0 7408 je 0040D6EA
:0040D6E2 8B55F8 mov edx, dword ptr [ebp-08]
:0040D6E5 8B42FC mov eax, dword ptr [edx-04]
:0040D6E8 EB02 jmp 0040D6EC
.
.
.
:0040D702 8A0402 mov al, byte ptr [edx+eax] <====取运算码的最后一位
:0040D705 8BD6 mov edx, esi <=====要计算的注册码位置regcode(第一位注册码是0,第二位是1,其它的类推)
:0040D707 02C2 add al, dl <=====运算码+运算码位置
:0040D709 8BD6 mov edx, esi
:0040D70B 0FAFD6 imul edx, esi <=====regcode*regcode
:0040D70E 02C2 add al, dl <=====(运算码+运算码位置)+(regcode*regcode)
:0040D710 8B55A0 mov edx, dword ptr [ebp-60] <=====循环变量
:0040D713 0FAF55A0 imul edx, dword ptr [ebp-60] <=====循环变量*循环变量
:0040D717 2AC2 sub al, dl <=====相减(fy)
:0040D719 8B55F8 mov edx, dword ptr [ebp-08]
:0040D71C 85D2 test edx, edx
:0040D71E 7408 je 0040D728
:0040D720 8B55F8 mov edx, dword ptr [ebp-08]
:0040D723 8B52FC mov edx, dword ptr [edx-04]
:0040D726 EB02 jmp 0040D72A
.
.
.
:0040D72A 66C745C82000 mov [ebp-38], 0020
:0040D730 2AC2 sub al, dl <====fy-0E(运算码长度)
:0040D732 8D55F0 lea edx, dword ptr [ebp-10]
:0040D735 32C8 xor cl, al <====fx xor (fy-0E)结果作为第一个注册码运算函数的参数
:0040D737 33C0 xor eax, eax
:0040D739 8945F0 mov dword ptr [ebp-10], eax
:0040D73C 8BD9 mov ebx, ecx
:0040D73E FF45D4 inc [ebp-2C]
:0040D741 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D744 E887FCFFFF call 0040D3D0
:0040D749 8B4DF0 mov ecx, dword ptr [ebp-10]
:0040D74C 85C9 test ecx, ecx
:0040D74E 7405 je 0040D755
:0040D750 8B4DF0 mov ecx, dword ptr [ebp-10]
:0040D753 EB05 jmp 0040D75A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D74E(C)
|
:0040D755 B90A7F4B00 mov ecx, 004B7F0A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D753(U)
|
:0040D75A 8BD3 mov edx, ebx
:0040D75C 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D75F E81CE0FFFF call 0040B780 <====第一个注册码运算函数

(未完待续)
:0040D764 8B55A0 mov edx, dword ptr [ebp-60]

标题：加密金刚锁V3.00注册算法----(中集） (9千字)
作者：crackjack[CCG]
时间：2001-11-9 15:44:49

续

我们假设运算函数为f1(x),机器码为N0,N1,N2,N3,N4,N5,N6,N7，相应的机器码位置为：LNx（x=0

to 7),实际用到运算的机器码只有N0,N1,N3,N4,N5:
-----------------------------------------------
:0040B785 8BF1 mov esi, ecx
:0040B787 881424 mov byte ptr [esp], dl
:0040B78A 33DB xor ebx, ebx
:0040B78C 56 push esi
:0040B78D E8A6720800 call 00492A38 <=====取机器码长度L(8)
:0040B792 59 pop ecx
:0040B793 8BF8 mov edi, eax
:0040B795 D1EF shr edi, 1 <=====右移一位
:0040B797 56 push esi

:0040B7A3 8A141E mov dl, byte ptr [esi+ebx] <====取机器码N0
:0040B7A6 59 pop ecx
:0040B7A7 02C2 add al, dl
:0040B7A9 8BD7 mov edx, edi
:0040B7AB 0FAFD7 imul edx, edi <====(L shr 1)*(L shr 1)
:0040B7AE 8A0C24 mov cl, byte ptr [esp] <====取函数参数x
:0040B7B1 43 inc ebx <====EBX=EBX=1
:0040B7B2 32C1 xor al, cl <====N0 xor X
:0040B7B4 8A0C3E mov cl, byte ptr [esi+edi] <=====取N4
:0040B7B7 02D1 add dl, cl <=====N4+(L shr 1)*(L shr 1)
:0040B7B9 8A0C2E mov cl, byte ptr [esi+ebp] <=====取N1
:0040B7BC 32C2 xor al, dl <=====(N0 xor X) xor (N4+(L shr 1)*(L

shr 1))
:0040B7BE 8BD5 mov edx, ebp
:0040B7C0 0FAFD5 imul edx, ebp <====L*L
:0040B7C3 02D1 add dl, cl
:0040B7C5 4D dec ebp
:0040B7C6 4F dec edi
:0040B7C7 32C2 xor al, dl <====从这里整理出公式：R1=(((N0 xor X)

xor ((L shr 1)*(L shr 1)+N4)) xor L*L
:0040B7C9 4F dec edi
:0040B7CA 4D dec ebp
:0040B7CB 4D dec ebp
:0040B7CC 4F dec edi
:0040B7CD 880424 mov byte ptr [esp], al <===保存R1，作为下一个数的计

算的参数
-------------------------------------------------

:0040B7FB 8BC3 mov eax, ebx <====EAX=LN3
:0040B7FD 8A0C24 mov cl, byte ptr [esp] <====取R1
:0040B800 F7EB imul ebx <=====LN3*LN3
:0040B802 8A141E mov dl, byte ptr [esi+ebx] <=====取N3
:0040B805 43 inc ebx
:0040B806 02C2 add al, dl <=====N3+LN3*LN3
:0040B808 8BD7 mov edx, edi <=====LN1
:0040B80A 0FAFD7 imul edx, edi <=====LN1*LN1
:0040B80D 32C1 xor al, cl <=====R1 xor (N3+LN3*LN3)
:0040B80F 8A0C3E mov cl, byte ptr [esi+edi] <=====取N1
:0040B812 02D1 add dl, cl <=====N1+LN1*LN1
:0040B814 8A0C2E mov cl, byte ptr [esi+ebp] <=====取N5
:0040B817 32C2 xor al, dl <====(R1 xor (N3+LN3*LN3)) xor

(N1+LN1*LN1)
:0040B819 8BD5 mov edx, ebp <====LN5
:0040B81B 0FAFD5 imul edx, ebp <====LN5*LN5
:0040B81E 02D1 add dl, cl <====LN5*LN5+N5
:0040B820 4D dec ebp
:0040B821 4F dec edi
:0040B822 32C2 xor al, dl <====整理出公式:R2=((R1 xor

(N3+LN3*LN3)) xor (N1+LN1*LN1)) xor (LN5*LN5+N5)
:0040B824 4F dec edi
:0040B825 4D dec ebp
:0040B826 4D dec ebp
:0040B827 4F dec edi
:0040B828 880424 mov byte ptr [esp], al <====保存R2
----------------------------------------------
:0040B84C 33C0 xor eax, eax
:0040B84E 8A1424 mov dl, byte ptr [esp] <====取R2
:0040B851 8A0424 mov al, byte ptr [esp] <====取R2
:0040B854 8BFE mov edi, esi
:0040B856 C1E202 shl edx, 02 <===
:0040B859 C1F806 sar eax, 06 <===
:0040B85C 0AC2 or al, dl <===整理出公式:R3=(R2 shl 2) or (R2 sar

6)
:0040B85E 33DB xor ebx, ebx
:0040B860 880424 mov byte ptr [esp], al <===保存R3
:0040B863 EB0B jmp 0040B870
----------------------------------------------
下面是前四位机器码运算:
:0040B865 8A17 mov dl, byte ptr [edi] <====取N0
:0040B867 8BC3 mov eax, ebx <====LN0
:0040B869 02C2 add al, dl <====N0+LN0
:0040B86B 43 inc ebx
:0040B86C 300424 xor byte ptr [esp], al <====循环xor,结果为R4
:0040B86F 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B863(U)
|
:0040B870 56 push esi
:0040B871 E8C2710800 call 00492A38
:0040B876 D1E8 shr eax, 1
:0040B878 59 pop ecx
:0040B879 3BD8 cmp ebx, eax
:0040B87B 72E8 jb 0040B865
:0040B87D 8A0424 mov al, byte ptr [esp] <====取R4
:0040B880 C1E006 shl eax, 06 <====
:0040B883 33D2 xor edx, edx
:0040B885 8A1424 mov dl, byte ptr [esp]
:0040B888 C1FA02 sar edx, 02
:0040B88B 0AC2 or al, dl <==== 整理出公式:R5=(R4 shl 6) or (R4

sar 2)
:0040B88D 880424 mov byte ptr [esp], al <====保存R5
:0040B890 56 push esi
:0040B891 E8A2710800 call 00492A38
:0040B896 59 pop ecx
:0040B897 8BD8 mov ebx, eax
:0040B899 D1EB shr ebx, 1
:0040B89B 8D3C1E lea edi, dword ptr [esi+ebx]
:0040B89E EB0D jmp 0040B8AD
-------------------------------------------------
下面是后四位运算:
:0040B8A0 8BC3 mov eax, ebx <====LN5
:0040B8A2 F7EB imul ebx <====LN5*LN5
:0040B8A4 8A17 mov dl, byte ptr [edi] <====取R5
:0040B8A6 43 inc ebx
:0040B8A7 02C2 add al, dl
:0040B8A9 300424 xor byte ptr [esp], al <===循环xor,结果为R6
:0040B8AC 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B89E(U)
|
:0040B8AD 56 push esi
:0040B8AE E885710800 call 00492A38
:0040B8B3 59 pop ecx
:0040B8B4 3BD8 cmp ebx, eax
:0040B8B6 72E8 jb 0040B8A0
:0040B8B8 33C0 xor eax, eax
:0040B8BA 8A0424 mov al, byte ptr [esp] <====取R6
:0040B8BD C1F806 sar eax, 06 <=====
:0040B8C0 8A1424 mov dl, byte ptr [esp]
:0040B8C3 C1E202 shl edx, 02 <=====
:0040B8C6 0AC2 or al, dl <=====整理出公式:R7=(R6 sar 6) or (R6

shl 2)
:0040B8C8 880424 mov byte ptr [esp], al <====保存R7,同时作为函数的返

回值
:0040B8CB 8A0424 mov al, byte ptr [esp] <====取结果R7
:0040B8CE 5A pop edx
:0040B8CF 5D pop ebp
:0040B8D0 5F pop edi
:0040B8D1 5E pop esi
:0040B8D2 5B pop ebx
:0040B8D3 C3 ret
------------------------------------------
下面是函数返回后的代码:
:0040D764 8B55A0 mov edx, dword ptr [ebp-60] <===取运算码位置LNX
:0040D767 8A4DA0 mov cl, byte ptr [ebp-60] <===取循环变量
:0040D76A 0FAFD6 imul edx, esi <===相乘
:0040D76D 02C2 add al, dl <===R7+LNX*J
:0040D76F 8BD6 mov edx, esi
:0040D771 2AC1 sub al, cl <===R7+LNX*J-J
:0040D773 32C2 xor al, dl <===(R7+LNX*J-J) xor

LNX,结果作为第二个函数的参数
:0040D775 BA02000000 mov edx, 00000002
:0040D77A FF4DD4 dec [ebp-2C]
:0040D77D 8BD8 mov ebx, eax
:0040D77F 8D45F0 lea eax, dword ptr [ebp-10]
:0040D782 E8F9370900 call 004A0F80
:0040D787 66C745C82C00 mov [ebp-38], 002C
:0040D78D 33C0 xor eax, eax
:0040D78F 8945EC mov dword ptr [ebp-14], eax
:0040D792 8D55EC lea edx, dword ptr [ebp-14]
:0040D795 FF45D4 inc [ebp-2C]
:0040D798 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D79B E830FCFFFF call 0040D3D0
:0040D7A0 8B4DEC mov ecx, dword ptr [ebp-14]
:0040D7A3 85C9 test ecx, ecx
:0040D7A5 7405 je 0040D7AC
:0040D7A7 8B4DEC mov ecx, dword ptr [ebp-14]
:0040D7AA EB05 jmp 0040D7B1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D7A5(C)
|
:0040D7AC B90B7F4B00 mov ecx, 004B7F0B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D7AA(U)
|
:0040D7B1 8BD3 mov edx, ebx <====取参数
:0040D7B3 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D7B6 E819E1FFFF call 0040B8D4 <====第二个运算函数

(未完待续)

标题：加密金刚锁V3.00注册算法----(下集) (13千字)
作者：crackjack[CCG]
时间：2001-11-9 17:52:42

第二个运算函数f2(Y):
-------------------------------------------------
:0040B8F4 89442404 mov dword ptr [esp+04], eax
:0040B8F8 8A0424 mov al, byte ptr [esp] <===取参数
:0040B8FB C1E006 shl eax, 06 <====
:0040B8FE 33D2 xor edx, edx
:0040B900 8A1424 mov dl, byte ptr [esp] <===取参数
:0040B903 C1FA02 sar edx, 02 <====
:0040B906 0AC2 or al, dl <====整理出公式：R8=(Y shl 6) or (x sar 2)
:0040B908 880424 mov byte ptr [esp], al <====保存R8
:0040B90B 56 push esi
:0040B90C E827710800 call 00492A38
:0040B911 59 pop ecx
:0040B912 8BD8 mov ebx, eax
:0040B914 D1EB shr ebx, 1
:0040B916 8D041E lea eax, dword ptr [esi+ebx]
:0040B919 89442408 mov dword ptr [esp+08], eax
:0040B91D EB15 jmp 0040B934
-------------------------------------------------
下面是机器码后四位的运算:
:0040B91F 8BD3 mov edx, ebx <=====取LNX(x=4 to 7)
:0040B921 8B4C2408 mov ecx, dword ptr [esp+08]
:0040B925 0FAFD3 imul edx, ebx <=====LNX*LNX
:0040B928 8A01 mov al, byte ptr [ecx] <=====取N4--N7
:0040B92A 43 inc ebx
:0040B92B 02D0 add dl, al <=====Nx+LNX
:0040B92D 301424 xor byte ptr [esp], dl <=====循环xor ,结果为R9
:0040B930 FF442408 inc [esp+08]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B91D(U)
|
:0040B934 56 push esi
:0040B935 E8FE700800 call 00492A38
:0040B93A 59 pop ecx
:0040B93B 3BD8 cmp ebx, eax
:0040B93D 72E0 jb 0040B91F
:0040B93F 33C0 xor eax, eax
:0040B941 8A1424 mov dl, byte ptr [esp] <====取R9
:0040B944 8A0424 mov al, byte ptr [esp] <====取R9
:0040B947 C1E202 shl edx, 02 <====
:0040B94A C1F806 sar eax, 06 <====
:0040B94D 0AC2 or al, dl <====整理出公式:R10=(R9 shl 2) or (R9 sar 6)
:0040B94F 33DB xor ebx, ebx
:0040B951 880424 mov byte ptr [esp], al <====保存R10
:0040B954 8BC6 mov eax, esi
:0040B956 8944240C mov dword ptr [esp+0C], eax
:0040B95A EB12 jmp 0040B96E
-----------------------------------------------
下面是机器码前四位的运算:
:0040B95C 8BD3 mov edx, ebx <=====取LNX(x=0 to 3)
:0040B95E 8B4C240C mov ecx, dword ptr [esp+0C]
:0040B962 8A01 mov al, byte ptr [ecx] <=====取N0--N3
:0040B964 02D0 add dl, al <=====LNX+NX
:0040B966 301424 xor byte ptr [esp], dl <====循环xor ,结果为R11
:0040B969 43 inc ebx
:0040B96A FF44240C inc [esp+0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B95A(U)
|
:0040B96E 56 push esi
:0040B96F E8C4700800 call 00492A38
:0040B974 D1E8 shr eax, 1
:0040B976 59 pop ecx
:0040B977 3BD8 cmp ebx, eax
:0040B979 72E1 jb 0040B95C
:0040B97B 8BCF mov ecx, edi
:0040B97D 33D2 xor edx, edx
:0040B97F 0FAFCF imul ecx, edi
:0040B982 8A1424 mov dl, byte ptr [esp] <====取R11
:0040B985 8A0424 mov al, byte ptr [esp] <====取R11
:0040B988 C1FA02 sar edx, 02 <====
:0040B98B C1E006 shl eax, 06 <====
:0040B98E 0AC2 or al, dl <====整理出公式:R12=(R11 sar 2) or (R11 shl 6)
:0040B990 880424 mov byte ptr [esp], al <====保存R12
---------------------------------------------------
:0040B993 8A043E mov al, byte ptr [esi+edi] <====取N0
:0040B996 8A1424 mov dl, byte ptr [esp] <====取R12
:0040B999 02C8 add cl, al <====LN0+N0
:0040B99B 8BC5 mov eax, ebp
:0040B99D 32CA xor cl, dl <=====(LN0+N0) xor R12
:0040B99F 47 inc edi
:0040B9A0 F7ED imul ebp <====LN4*LN4
:0040B9A2 8A142E mov dl, byte ptr [esi+ebp] <====取N4
:0040B9A5 4D dec ebp
:0040B9A6 02C2 add al, dl <====N4+LN4*LN4
:0040B9A8 4D dec ebp
:0040B9A9 32C8 xor cl, al <====((LN0+N0) xor R12) xor (N4+LN4*LN4)
:0040B9AB 8B442404 mov eax, dword ptr [esp+04]
:0040B9AF F76C2404 imul [esp+04] <=====L*L
:0040B9B3 8B542404 mov edx, dword ptr [esp+04]
:0040B9B7 4D dec ebp
:0040B9B8 47 inc edi
:0040B9B9 8A1C16 mov bl, byte ptr [esi+edx]
:0040B9BC 02C3 add al, bl
:0040B9BE 32C8 xor cl, al <====(((LN0+N0) xor R12) xor (N4+LN4*LN4)) xor (L*L),结果为R13
:0040B9C0 880C24 mov byte ptr [esp], cl <====保存R13
----------------------------------------------------
:0040B9FF 8BD7 mov edx, edi <====LN3
:0040BA01 8A0C3E mov cl, byte ptr [esi+edi] <====取N3
:0040BA04 0FAFD7 imul edx, edi <====LN3*LN3
:0040BA07 02D1 add dl, cl <====N3+LN3*LN3
:0040BA09 8BCD mov ecx, ebp <====LN1
:0040BA0B 0FAFCD imul ecx, ebp <====LN1*LN1
:0040BA0E 8A0424 mov al, byte ptr [esp] <====取R13
:0040BA11 47 inc edi
:0040BA12 32D0 xor dl, al <====R13 xor (N3+LN3*LN3)
:0040BA14 8A042E mov al, byte ptr [esi+ebp] <====取N1
:0040BA17 02C8 add cl, al <====N1+LN1*LN1
:0040BA19 8B442404 mov eax, dword ptr [esp+04] <====取LN5
:0040BA1D 32D1 xor dl, cl <=====(R13 xor (N3+LN3*LN3)) xor (N1+LN1*LN1)
:0040BA1F 8B4C2404 mov ecx, dword ptr [esp+04]
:0040BA23 0FAF4C2404 imul ecx, dword ptr [esp+04] <====LN5*LN5
:0040BA28 8A1C06 mov bl, byte ptr [esi+eax] <====取N5
:0040BA2B 4D dec ebp
:0040BA2C 02CB add cl, bl <====N5+LN5*LN5
:0040BA2E 4D dec ebp
:0040BA2F 32D1 xor dl, cl <====[(R13 xor (N3+LN3*LN3)) xor (N1+LN1*LN1)] xor (N5+LN5*LN5)
:0040BA31 4D dec ebp
:0040BA32 881424 mov byte ptr [esp], dl <=====保存R14,同时这个数也做为函数的返回值
:0040BA35 47 inc edi
----------------------------------------------------
下面是函数返回后的代码:

:0040D7BB 8A55A0 mov dl, byte ptr [ebp-60] <====取循环变量J
:0040D7BE 0480 add al, 80 <====R14+80
:0040D7C0 2AC2 sub al, dl <====R14+80-J
:0040D7C2 8B55A0 mov edx, dword ptr [ebp-60] <====取循环变量J
:0040D7C5 0FAFD6 imul edx, esi <====J*LNX
:0040D7C8 8BCE mov ecx, esi
:0040D7CA 02CA add cl, dl <====J*LNX+LNX
:0040D7CC BA02000000 mov edx, 00000002
:0040D7D1 32C1 xor al, cl <====(R14+80-J) xor (J*LNX+LNX),结果作为下一个函数调用的参数
:0040D7D3 FF4DD4 dec [ebp-2C]
:0040D7D6 8BD8 mov ebx, eax
:0040D7D8 8D45EC lea eax, dword ptr [ebp-14]
:0040D7DB E8A0370900 call 004A0F80
:0040D7E0 66C745C83800 mov [ebp-38], 0038
:0040D7E6 33C0 xor eax, eax
:0040D7E8 8945E8 mov dword ptr [ebp-18], eax
:0040D7EB 8D55E8 lea edx, dword ptr [ebp-18]
:0040D7EE FF45D4 inc [ebp-2C]
:0040D7F1 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D7F4 E8D7FBFFFF call 0040D3D0
:0040D7F9 8B4DE8 mov ecx, dword ptr [ebp-18]
:0040D7FC 85C9 test ecx, ecx
:0040D7FE 7405 je 0040D805
:0040D800 8B4DE8 mov ecx, dword ptr [ebp-18]
:0040D803 EB05 jmp 0040D80A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D7FE(C)
|
:0040D805 B90C7F4B00 mov ecx, 004B7F0C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D803(U)
|
:0040D80A 8BD3 mov edx, ebx <====取参数
:0040D80C 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D80F E86CDFFFFF call 0040B780 <====第二次调用函数f1(X)
:0040D814 8B55A0 mov edx, dword ptr [ebp-60] <====取循环次数J
:0040D817 8BCE mov ecx, esi
:0040D819 0FAF55A0 imul edx, dword ptr [ebp-60] <====J*J
:0040D81D 02C2 add al, dl <=============f1+J*J
:0040D81F 8BD6 mov edx, esi <=============LNX
:0040D821 2AC1 sub al, cl <=============(f1+J*J)-LNX
:0040D823 32C2 xor al, dl <=============((f1+J*J)-LNX) xor LNX,结果作为下一个函数的参数
:0040D825 BA02000000 mov edx, 00000002
:0040D82A FF4DD4 dec [ebp-2C]
:0040D82D 8BD8 mov ebx, eax
:0040D82F 8D45E8 lea eax, dword ptr [ebp-18]
:0040D832 E849370900 call 004A0F80
:0040D837 66C745C84400 mov [ebp-38], 0044
:0040D83D 33C0 xor eax, eax
:0040D83F 8945E4 mov dword ptr [ebp-1C], eax
:0040D842 8D55E4 lea edx, dword ptr [ebp-1C]
:0040D845 FF45D4 inc [ebp-2C]
:0040D848 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D84B E880FBFFFF call 0040D3D0
:0040D850 8B4DE4 mov ecx, dword ptr [ebp-1C]
:0040D853 85C9 test ecx, ecx
:0040D855 7405 je 0040D85C
:0040D857 8B4DE4 mov ecx, dword ptr [ebp-1C]
:0040D85A EB05 jmp 0040D861
----------------------------------------------
:0040D861 8BD3 mov edx, ebx <====取参数
:0040D863 8B45B4 mov eax, dword ptr [ebp-4C]
:0040D866 E869E0FFFF call 0040B8D4 <====第二次调用函数f2(Y)
:0040D86B 8A55A0 mov dl, byte ptr [ebp-60] <====取循环次数J
:0040D86E 0480 add al, 80 <=====f2+80
:0040D870 2AC2 sub al, dl <=====f2+80-J
:0040D872 8BD6 mov edx, esi <=====LNX
:0040D874 0FAFD6 imul edx, esi <=====LNX*LNX
:0040D877 8A4DA0 mov cl, byte ptr [ebp-60] <=====取循环次数J
:0040D87A 02CA add cl, dl <=====J+LNX*LNX
:0040D87C BA02000000 mov edx, 00000002
:0040D881 32C1 xor al, cl <====(f2+80-J) xor (J+LNX*LNX),结果为最终的运算结果
:0040D883 FF4DD4 dec [ebp-2C]
:0040D886 8BD8 mov ebx, eax
:0040D888 8D45E4 lea eax, dword ptr [ebp-1C]
:0040D88B E8F0360900 call 004A0F80
:0040D890 33C0 xor eax, eax
:0040D892 8AC3 mov al, bl
:0040D894 50 push eax
:0040D895 E8AE9E0800 call 00497748 <=====判断运算结果是不是大写字母
:0040D89A 59 pop ecx
:0040D89B 85C0 test eax, eax
:0040D89D 7416 je 0040D8B5 <=====如果不是,则循环变量J=J+1,继续运算,直到结果为合法的注册码为止
:0040D89F 8BFB mov edi, ebx
:0040D8A1 81E7FF000000 and edi, 000000FF
:0040D8A7 57 push edi
:0040D8A8 E83BBC0800 call 004994E8
:0040D8AD 59 pop ecx
:0040D8AE 8B559C mov edx, dword ptr [ebp-64]
:0040D8B1 8802 mov byte ptr [edx], al
:0040D8B3 EB08 jmp 0040D8BD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D89D(C)
|
:0040D8B5 FF45A0 inc [ebp-60]
:0040D8B8 E9B9FDFFFF jmp 0040D676
-----------------------------------------------
|
:0040D8CE 8B55A4 mov edx, dword ptr [ebp-5C]
:0040D8D1 3BC2 cmp eax, edx
:0040D8D3 7505 jne 0040D8DA
:0040D8D5 33C9 xor ecx, ecx
:0040D8D7 894DA4 mov dword ptr [ebp-5C], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D8D3(C)
|
:0040D8DA FF4598 inc [ebp-68]
:0040D8DD 46 inc esi
:0040D8DE FF45A4 inc [ebp-5C]
:0040D8E1 83FE08 cmp esi, 00000008 <=====运算出所有的注册码了吗?
:0040D8E4 0F8C7FFDFFFF jl 0040D669 <=====如果没有,则继续运算

哗,好长啊,写得手都累了,呵呵,想不到一个小小的软件的注册算法有那么长啊.不过总的来说它的注册算法并不复杂,只是不断的调用函数来运算罢了.

标题：加密算法的补充 (885字)
作者：crackjack[CCG]
时间：2001-11-10 20:14:41

补充：

由于我的疏忽，忘记把小写字母的注册码转换成大写字母的代码贴出来了：
-----------------------------------------
:0040D890 33C0 xor eax, eax
:0040D892 8AC3 mov al, bl
:0040D894 50 push eax
:0040D895 E8AE9E0800 call 00497748 <=====判断运算结果是不是大写字母或者小

写字母
:0040D89A 59 pop ecx
:0040D89B 85C0 test eax, eax
------------------------------------------

:0040D8A1 81E7FF000000 and edi, 000000FF
:0040D8A7 57 push edi
:0040D8A8 E83BBC0800 call 004994E8 <====将小写字母转换成大写字母
:0040D8AD 59 pop ecx
:0040D8AE 8B559C mov edx, dword ptr [ebp-64]
:0040D8B1 8802 mov byte ptr [edx], al
:0040D8B3 EB08 jmp 0040D8BD