• 标 题:十四位数仿真科学计算器 算法分析,各位大大都不屑于和这种东东周旋,我就在这里献丑了... (8千字)
  • 作 者:RoBa
  • 时 间:2003-10-19 16:31:11
  • 链 接:http://bbs.pediy.com

先用FrogICE隐藏一下,进去后可以来到下面:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA12A(C)
|
:004AA0F4 8D8558FFFFFF            lea eaxdword ptr [ebp+FFFFFF58]
:004AA0FA 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA100 8A5432FF                mov dlbyte ptr [edx+esi-01] <--EDX是软件给的序列号,依次取出来
:004AA104 E8ABA5F5FF              call 004046B4
:004AA109 8B8558FFFFFF            mov eaxdword ptr [ebp+FFFFFF58]
:004AA10F E8D4E9F5FF              call 00408AE8  <--把取出来的结果转成数值放在EAX
:004AA114 8B048520CA4A00          mov eaxdword ptr [4*eax+004ACA20]<--从4ACA20处按EAX来取数
:004AA11B 99                      cdq
:004AA11C 3345D8                  xor eaxdword ptr [ebp-28] <--[ebp-28]开始是假码的值,和取出来的数异或
:004AA11F 3355DC                  xor edxdword ptr [ebp-24]
:004AA122 8945D8                  mov dword ptr [ebp-28], eax <--把结果再放在[ebp-28]继续计算
:004AA125 8955DC                  mov dword ptr [ebp-24], edx
:004AA128 46                      inc esi      <--循环变量+1
:004AA129 4B                      dec ebx
:004AA12A 75C8                    jne 004AA0F4 <--循环计算(记为计算1)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA0ED(C)
|
:004AA12C 33F6                    xor esiesi
:004AA12E B920CA4A00              mov ecx, 004ACA20

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA15F(C)
|
:004AA133 8B01                    mov eaxdword ptr [ecx] <--从4ACA20处取数
:004AA135 99                      cdq
:004AA136 3345D8                  xor eaxdword ptr [ebp-28] <--和上面的计算结果异或
:004AA139 3355DC                  xor edxdword ptr [ebp-24]
:004AA13C 8945D8                  mov dword ptr [ebp-28], eax <--结果仍放在[EBP-28]
:004AA13F 8955DC                  mov dword ptr [ebp-24], edx
:004AA142 8B8100020000            mov eaxdword ptr [ecx+00000200] <--从4ACC20处取数
:004AA148 99                      cdq
:004AA149 3345D8                  xor eaxdword ptr [ebp-28] <--再异或
:004AA14C 3355DC                  xor edxdword ptr [ebp-24]
:004AA14F 8945D8                  mov dword ptr [ebp-28], eax <--仍放在[EBP-28]
:004AA152 8955DC                  mov dword ptr [ebp-24], edx
:004AA155 46                      inc esi           <--循环变量+1
:004AA156 83C104                  add ecx, 00000004 <--ECX+4,取数指针后移4个字节
:004AA159 81FE80000000            cmp esi, 00000080 <--取0x80次
:004AA15F 75D2                    jne 004AA133      <--循环(记为计算2)
:004AA161 DF6DD8                  fild qword ptr [ebp-28]
:004AA164 83C4F4                  add esp, FFFFFFF4
:004AA167 DB3C24                  fstp tbyte ptr [esp]
:004AA16A 9B                      wait
:004AA16B 8D8554FFFFFF            lea eaxdword ptr [ebp+FFFFFF54]
:004AA171 E8E6FEF5FF              call 0040A05C
:004AA176 8B9554FFFFFF            mov edxdword ptr [ebp+FFFFFF54]
:004AA17C B8C4ED4A00              mov eax, 004AEDC4
:004AA181 E8A2A3F5FF              call 00404528
:004AA186 BB08000000              mov ebx, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA1FB(C)
|
:004AA18B 8D45CC                  lea eaxdword ptr [ebp-34]
:004AA18E 50                      push eax
:004AA18F B901000000              mov ecx, 00000001
:004AA194 8BD3                    mov edxebx
:004AA196 A1C4ED4A00              mov eaxdword ptr [004AEDC4]
:004AA19B E844A8F5FF              call 004049E4
:004AA1A0 8D45A8                  lea eaxdword ptr [ebp-58]
:004AA1A3 50                      push eax
:004AA1A4 8D7B02                  lea edidword ptr [ebx+02]
:004AA1A7 8BD7                    mov edxedi
:004AA1A9 B901000000              mov ecx, 00000001
:004AA1AE A1C4ED4A00              mov eaxdword ptr [004AEDC4]
:004AA1B3 E82CA8F5FF              call 004049E4
:004AA1B8 B8C4ED4A00              mov eax, 004AEDC4
:004AA1BD B901000000              mov ecx, 00000001
:004AA1C2 8BD3                    mov edxebx
:004AA1C4 E85BA8F5FF              call 00404A24
:004AA1C9 BAC4ED4A00              mov edx, 004AEDC4
:004AA1CE 8BCB                    mov ecxebx
:004AA1D0 8B45A8                  mov eaxdword ptr [ebp-58]
:004AA1D3 E894A8F5FF              call 00404A6C
:004AA1D8 8BD7                    mov edxedi
:004AA1DA B8C4ED4A00              mov eax, 004AEDC4
:004AA1DF B901000000              mov ecx, 00000001
:004AA1E4 E83BA8F5FF              call 00404A24
:004AA1E9 8BCF                    mov ecxedi
:004AA1EB BAC4ED4A00              mov edx, 004AEDC4
:004AA1F0 8B45CC                  mov eaxdword ptr [ebp-34]
:004AA1F3 E874A8F5FF              call 00404A6C
:004AA1F8 4B                      dec ebx
:004AA1F9 85DB                    test ebxebx
:004AA1FB 758E                    jne 004AA18B <--又是一个循环计算,这里变态得很,每循环一次把计算结果的十位字符中的后两位向前移动一位,循环8次的结果是使最后两位插入到最前面,这就是最终结果了.
:004AA1FD 8D45B0                  lea eaxdword ptr [ebp-50]
:004AA200 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA206 E861A3F5FF              call 0040456C
:004AA20B 8B45FC                  mov eaxdword ptr [ebp-04]
:004AA20E E89D99FFFF              call 004A3BB0

内存中的一些数值: (没有贴全)
_____________________________________________

:004ACA20 70 50 30 10 96 30 07 77  pP0..0.w
:004ACA28 2C 61 0E EE BA 51 09 99  ,a...Q..
:004ACA30 19 C4 6D 07 8F F4 6B 70  ..m...kp
:004ACA38 35 A5 63 E9 A3 95 65 9E  5.c...e.
:004ACA40 32 88 DC 0E A4 E8 DC 79  2......y
:004ACA48 1E E9 D5 E0 88 D9 D2 97  ........

:004ACC20 20 83 B8 ED B6 B3 BF 9A   .......
:004ACC28 0C E2 B6 03 9A D2 B1 74  .......t
:004ACC30 39 47 D6 EA AF 77 D2 9D  9G...w..
:004ACC38 15 26 DB 04 83 16 DC 73  .&.....s
:004ACC40 12 0B 63 E3 84 3B 64 94  ..c..;d.
:004ACC48 3E 6A 6D 0D A8 5A 6A 7A  >jm..Zjz
:004ACC50 0B CF 0E E4 9D FF 09 93  ........
:004ACC58 27 AE 00 0A B1 9E 07 7D  '......}
:004ACC60 44 93 0F F0 D2 A3 08 87  D.......
_____________________________________________

下面是比较过程,大概作者觉得这样写比较隐蔽,我怎么觉得更明显了 :),反正一看到这里我就知道程序想干什么了...

:004AA30A 8B45B0                  mov eaxdword ptr [ebp-50] 
:004AA30D 8A4002                  mov albyte ptr [eax+02]
:004AA310 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA316 3A4202                  cmp albyte ptr [edx+02]
:004AA319 0F85E5030000            jne 004AA704
:004AA31F 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA322 8A00                    mov albyte ptr [eax]
:004AA324 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA32A 3A02                    cmp albyte ptr [edx]
:004AA32C 0F85D2030000            jne 004AA704
:004AA332 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA335 8A4004                  mov albyte ptr [eax+04]
:004AA338 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA33E 3A4204                  cmp albyte ptr [edx+04]
:004AA341 0F85BD030000            jne 004AA704
:004AA347 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA34A 8A4006                  mov albyte ptr [eax+06]
:004AA34D 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA353 3A4206                  cmp albyte ptr [edx+06]
:004AA356 0F85A8030000            jne 004AA704
:004AA35C 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA35F 8A4003                  mov albyte ptr [eax+03]
:004AA362 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA368 3A4203                  cmp albyte ptr [edx+03]
:004AA36B 0F8593030000            jne 004AA704
:004AA371 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA374 8A4005                  mov albyte ptr [eax+05]
:004AA377 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA37D 3A4205                  cmp albyte ptr [edx+05]
:004AA380 0F857E030000            jne 004AA704
:004AA386 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA389 8A4001                  mov albyte ptr [eax+01]
:004AA38C 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA392 3A4201                  cmp albyte ptr [edx+01]
:004AA395 0F8569030000            jne 004AA704
:004AA39B 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA39E 8A4007                  mov albyte ptr [eax+07]
:004AA3A1 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA3A7 3A4207                  cmp albyte ptr [edx+07]
:004AA3AA 0F8580010000            jne 004AA530

写注册机的算法是,把软件给的机器码前两位移到最后,然后是计算2处异或80次,再把结果按机器码每位的数字取出不同的数再异或10次(计算1),结果就是注册码了.那80次的计算太烦了,我根据结果求出来实际上是与229898081异或,高手写个注册机吧..

软件中有许多乱七八糟的计算,好像是迷惑人的,因为没有仔细分析,失误之处还请各位大大指出.


--------------------------------------------------------------------------------

标 题:一个计算器的算法,前几天有人贴过简单的分析,这几天终于有时间了,当作复习就拿来作了一下! (14千字)
发信人:PowerBoy 
时 间:2003-11-03 17:48:16
详细信息:


*******科学计算器 1.8+
机器码:2654328163-->9E35D563
注册码:123456789

软件的算法用到了CRC32的变形TABLE(其中有很多元素不同),算法好像是作者在CRC32的基础上修改的.
不过,个人认为他的修改根本没有起到提高算法难度的作用,反倒把算法难度降低了很多(把算法变成了
一个简单的查表算法)!!!不过和以前的版本相比已经有很大的进步了,希望作者多分析一下CRC32算法,
真正理解这个算法之后再作修改!开始以为是CRC32算法,等分析了才发现....(不说废话了,开始分析!)

输入注册码:123456789
怎么来到这里的我就不再多说了,之前已经有人作了简单的分析了!
:004AA0EF BE01000000              mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA12A(C)                                                        //第1段计算(暂时叫CRC32_1)
|
:004AA0F4 8D8558FFFFFF            lea eaxdword ptr [ebp+FFFFFF58]  //计算1开始
:004AA0FA 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA100 8A5432FF                mov dlbyte ptr [edx+esi-01]      //DL开始按位取机器码 
:004AA104 E8ABA5F5FF              call 004046B4
:004AA109 8B8558FFFFFF            mov eaxdword ptr [ebp+FFFFFF58]
:004AA10F E8D4E9F5FF              call 00408AE8                      //TEMP:=STRTOINT(MN[A])
:004AA114 8B048520CA4A00          mov eaxdword ptr [4*eax+004ACA20]//取CRC32_TABLE[TEMP]
:004AA11B 99                      cdq                  //用机器码的每位作为索引取CRC32_TABLE
:004AA11C 3345D8                  xor eaxdword ptr [ebp-28]//EAX=EAX XOR SN(把SN作为初始值进行异或)
:004AA11F 3355DC                  xor edxdword ptr [ebp-24]
:004AA122 8945D8                  mov dword ptr [ebp-28], eax
:004AA125 8955DC                  mov dword ptr [ebp-24], edx
:004AA128 46                      inc esi
:004AA129 4B                      dec ebx
:004AA12A 75C8                    jne 004AA0F4         //聪明的大家一定会想到上面的计算,CRC32_TABLE只能用到前10个元素

经过上面的计算:123456789-->$09864527

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA0ED(C)
|
:004AA12C 33F6                    xor esiesi
:004AA12E B920CA4A00              mov ecx, 004ACA20

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA15F(C)                                                      //第2段计算(CRC32_2)
|
:004AA133 8B01                    mov eaxdword ptr [ecx]        //EAX=EAX XOR CRC_TABLE[A]
:004AA135 99                      cdq
:004AA136 3345D8                  xor eaxdword ptr [ebp-28]
:004AA139 3355DC                  xor edxdword ptr [ebp-24]
:004AA13C 8945D8                  mov dword ptr [ebp-28], eax
:004AA13F 8955DC                  mov dword ptr [ebp-24], edx
:004AA142 8B8100020000            mov eaxdword ptr [ecx+00000200]//EAX=EAX XOR CRC_TABLE[128+A]
:004AA148 99                      cdq
:004AA149 3345D8                  xor eaxdword ptr [ebp-28]
:004AA14C 3355DC                  xor edxdword ptr [ebp-24]
:004AA14F 8945D8                  mov dword ptr [ebp-28], eax
:004AA152 8955DC                  mov dword ptr [ebp-24], edx
:004AA155 46                      inc esi
:004AA156 83C104                  add ecx, 00000004
:004AA159 81FE80000000            cmp esi, 00000080
:004AA15F 75D2                    jne 004AA133                     //这里是把CRC32_TABLE所有的元素进行异或
                                                                   //所以就相当于和一个数异或这个值就是$DB3F761

经过上面的计算$09864527-->$0435B246

下面的数据就是内存中的表,和标准的CRC32_TABLE有很多的不同,可能是作者有意改变的!
004ACA20  70 50 30 10 96 30 07 77  pP0?w0
004ACA28  2C 61 0E EE BA 51 09 99  ,a詈Q.
004ACB30  89 85 B1 71 1F B5 B6 06  墔眖刀 B1
004ACB38  A5 E4 BF 9F 33 D4 B8 E8  ヤ繜3愿
004ACA40  32 88 DC 0E A4 E8 DC 79  2堒よ躽 DC
004ACA48  1E E9 D5 E0 88 D9 D2 97  檎鄨僖
....
004ACD78  E1 77 B0 6F 77 47 B7 18  醱皁wG? B0
004ACD80  E6 5A 08 88 70 6A 0F FF  鎆坧j08
004ACD88  CA 3B 06 66 5C 0B 01 12  ?f\ 6
004ACD90  FF 9E 65 8F 69 AE 63 F8  瀍廼甤
CRC_TABLE[0]=$10305070其实还有很多的变化的!

:004AA161 DF6DD8                  fild qword ptr [ebp-28]          //上面计算所得的值装入浮点寄存器
:004AA164 83C4F4                  add esp, FFFFFFF4
:004AA167 DB3C24                  fstp tbyte ptr [esp]             //假计算,没有用途
:004AA16A 9B                      wait
:004AA16B 8D8554FFFFFF            lea eaxdword ptr [ebp+FFFFFF54]
:004AA171 E8E6FEF5FF              call 0040A05C
:004AA176 8B9554FFFFFF            mov edxdword ptr [ebp+FFFFFF54]//EDX=上面所得的数值
:004AA17C B8C4ED4A00              mov eax, 004AEDC4
:004AA181 E8A2A3F5FF              call 00404528
:004AA186 BB08000000              mov ebx, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA1FB(C)                           //计算3(最后2位到最前面)
|
:004AA18B 8D45CC                  lea eaxdword ptr [ebp-34]
:004AA18E 50                      push eax
:004AA18F B901000000              mov ecx, 00000001
:004AA194 8BD3                    mov edxebx
:004AA196 A1C4ED4A00              mov eaxdword ptr [004AEDC4]
:004AA19B E844A8F5FF              call 004049E4
:004AA1A0 8D45A8                  lea eaxdword ptr [ebp-58]
:004AA1A3 50                      push eax
:004AA1A4 8D7B02                  lea edidword ptr [ebx+02]
:004AA1A7 8BD7                    mov edxedi
:004AA1A9 B901000000              mov ecx, 00000001
:004AA1AE A1C4ED4A00              mov eaxdword ptr [004AEDC4]
:004AA1B3 E82CA8F5FF              call 004049E4
:004AA1B8 B8C4ED4A00              mov eax, 004AEDC4
:004AA1BD B901000000              mov ecx, 00000001
:004AA1C2 8BD3                    mov edxebx
:004AA1C4 E85BA8F5FF              call 00404A24
:004AA1C9 BAC4ED4A00              mov edx, 004AEDC4
:004AA1CE 8BCB                    mov ecxebx
:004AA1D0 8B45A8                  mov eaxdword ptr [ebp-58]
:004AA1D3 E894A8F5FF              call 00404A6C
:004AA1D8 8BD7                    mov edxedi
:004AA1DA B8C4ED4A00              mov eax, 004AEDC4
:004AA1DF B901000000              mov ecx, 00000001
:004AA1E4 E83BA8F5FF              call 00404A24
:004AA1E9 8BCF                    mov ecxedi
:004AA1EB BAC4ED4A00              mov edx, 004AEDC4
:004AA1F0 8B45CC                  mov eaxdword ptr [ebp-34]
:004AA1F3 E874A8F5FF              call 00404A6C
:004AA1F8 4B                      dec ebx
:004AA1F9 85DB                    test ebxebx
:004AA1FB 758E                    jne 004AA18B  //循环移位(最后2位到最前面)
   70627910-->10706279(当然是把上面的数值先变成十进制然后再移位)
////////////////////之后的一段计算没有用途,迷惑跟踪的CRACKER!///////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
:004AA1FD 8D45B0                  lea eaxdword ptr [ebp-50]
:004AA200 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA206 E861A3F5FF              call 0040456C
:004AA20B 8B45FC                  mov eaxdword ptr [ebp-04]
:004AA20E E89D99FFFF              call 004A3BB0
:004AA213 DD45D0                  fld qword ptr [ebp-30]
:004AA216 D9E1                    fabs
:004AA218 D8C8                    fmul st(0), st(0)
:004AA21A DBBD48FFFFFF            fstp tbyte ptr [ebp+FFFFFF48]
:004AA220 9B                      wait
:004AA221 DD45D0                  fld qword ptr [ebp-30]
:004AA224 D9E1                    fabs
:004AA226 D8C8                    fmul st(0), st(0)
:004AA228 DBAD48FFFFFF            fld tbyte ptr [ebp+FFFFFF48]
:004AA22E DEC1                    faddp st(1), st(0)
:004AA230 D9FA                    fsqrt
:004AA232 DD5DD0                  fstp qword ptr [ebp-30]
:004AA235 9B                      wait
:004AA236 6A00                    push 00000000
:004AA238 6A06                    push 00000006
:004AA23A 6A00                    push 00000000
:004AA23C 68A9A52513              push 1325A5A9
:004AA241 8B45D8                  mov eaxdword ptr [ebp-28]
:004AA244 8B55DC                  mov edxdword ptr [ebp-24]
:004AA247 0FACD001                shrd eaxedx, 01
:004AA24B D1EA                    shr edx, 1
:004AA24D E862B2F5FF              call 004054B4
:004AA252 E839B2F5FF              call 00405490
:004AA257 81F0640AB302            xor eax, 02B30A64
:004AA25D 81F200000000            xor edx, 00000000
:004AA263 52                      push edx
:004AA264 50                      push eax
:004AA265 A1FCED4A00              mov eaxdword ptr [004AEDFC]
:004AA26A 33D2                    xor edxedx
:004AA26C 3B542404                cmp edxdword ptr [esp+04]
:004AA270 7503                    jne 004AA275
:004AA272 3B0424                  cmp eaxdword ptr [esp]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA270(C)
|
:004AA275 5A                      pop edx
:004AA276 58                      pop eax
:004AA277 0F844B020000            je 004AA4C8
:004AA27D 8B45D8                  mov eaxdword ptr [ebp-28]
:004AA280 8B55DC                  mov edxdword ptr [ebp-24]
:004AA283 81F0A32F1A02            xor eax, 021A2FA3
:004AA289 81F200000000            xor edx, 00000000
:004AA28F 81F0A7CDB004            xor eax, 04B0CDA7
:004AA295 81F200000000            xor edx, 00000000
:004AA29B 0DA00A8002              or eax, 02800AA0
:004AA2A0 83FA00                  cmp edx, 00000000
:004AA2A3 7509                    jne 004AA2AE
:004AA2A5 83F800                  cmp eax, 00000000
:004AA2A8 0F8482020000            je 004AA530

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA2A3(C)
|
:004AA2AE A1FCED4A00              mov eaxdword ptr [004AEDFC]
:004AA2B3 3506BC0D02              xor eax, 020DBC06
:004AA2B8 35630AB302              xor eax, 02B30A63
:004AA2BD 33D2                    xor edxedx
:004AA2BF 3B55E4                  cmp edxdword ptr [ebp-1C]
:004AA2C2 7509                    jne 004AA2CD
:004AA2C4 3B45E0                  cmp eaxdword ptr [ebp-20]
:004AA2C7 0F84C7FBFFFF            je 004A9E94

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA2C2(C)
|
:004AA2CD A1FCED4A00              mov eaxdword ptr [004AEDFC]
:004AA2D2 3559600500              xor eax, 00056059
:004AA2D7 33D2                    xor edxedx
:004AA2D9 52                      push edx
:004AA2DA 50                      push eax
:004AA2DB 8B45D8                  mov eaxdword ptr [ebp-28]
:004AA2DE 8B55DC                  mov edxdword ptr [ebp-24]
:004AA2E1 81F0F25F3400            xor eax, 00345FF2
:004AA2E7 81F200000000            xor edx, 00000000
:004AA2ED 81F0640AB302            xor eax, 02B30A64
:004AA2F3 81F200000000            xor edx, 00000000
:004AA2F9 3B542404                cmp edxdword ptr [esp+04]
:004AA2FD 7503                    jne 004AA302
:004AA2FF 3B0424                  cmp eaxdword ptr [esp]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA2FD(C)
|
:004AA302 5A                      pop edx
:004AA303 58                      pop eax
:004AA304 0F84D0010000            je 004AA4DA

///////////////////////////////////正式的比较/////////////////////////////////////////////
:004AA30A 8B45B0                  mov eaxdword ptr [ebp-50]    //EAX=移位之后的值(10706279)
:004AA30D 8A4002                  mov albyte ptr [eax+02]      //取第3位
:004AA310 8B15C4ED4A00            mov edxdword ptr [004AEDC4]  //EDX=机器码(2654328163)
:004AA316 3A4202                  cmp albyte ptr [edx+02]  //第3位比较
:004AA319 0F85E5030000            jne 004AA704
:004AA31F 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA322 8A00                    mov albyte ptr [eax]  //取第1位
:004AA324 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA32A 3A02                    cmp albyte ptr [edx]  //第1位比较
:004AA32C 0F85D2030000            jne 004AA704
:004AA332 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA335 8A4004                  mov albyte ptr [eax+04]
:004AA338 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA33E 3A4204                  cmp albyte ptr [edx+04]      //第5位比较
:004AA341 0F85BD030000            jne 004AA704
:004AA347 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA34A 8A4006                  mov albyte ptr [eax+06]
:004AA34D 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA353 3A4206                  cmp albyte ptr [edx+06]  //第7位比较
:004AA356 0F85A8030000            jne 004AA704
:004AA35C 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA35F 8A4003                  mov albyte ptr [eax+03]
:004AA362 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA368 3A4203                  cmp albyte ptr [edx+03]  //第4位比较
:004AA36B 0F8593030000            jne 004AA704
:004AA371 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA374 8A4005                  mov albyte ptr [eax+05]
:004AA377 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA37D 3A4205                  cmp albyte ptr [edx+05]  //第6位比较
:004AA380 0F857E030000            jne 004AA704
:004AA386 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA389 8A4001                  mov albyte ptr [eax+01]
:004AA38C 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA392 3A4201                  cmp albyte ptr [edx+01]  //第2位比较
:004AA395 0F8569030000            jne 004AA704
:004AA39B 8B45B0                  mov eaxdword ptr [ebp-50]
:004AA39E 8A4007                  mov albyte ptr [eax+07]
:004AA3A1 8B15C4ED4A00            mov edxdword ptr [004AEDC4]
:004AA3A7 3A4207                  cmp albyte ptr [edx+07]  //第8位比较
:004AA3AA 0F8580010000            jne 004AA530
//这里说明参与比较的机器码只有前8位,在求逆的时候用得着;
:004AA3B0 A1FCED4A00              mov eaxdword ptr [004AEDFC]
:004AA3B5 35BD44F001              xor eax, 01F044BD
:004AA3BA 83C00E                  add eax, 0000000E
:004AA3BD 33D2                    xor edxedx
:004AA3BF 52                      push edx
:004AA3C0 50                      push eax
:004AA3C1 8B45D8                  mov eaxdword ptr [ebp-28]
:004AA3C4 8B55DC                  mov edxdword ptr [ebp-24]
:004AA3C7 81F0C430C302            xor eax, 02C330C4
:004AA3CD 81F200000000            xor edx, 00000000
:004AA3D3 81F0A32F1A02            xor eax, 021A2FA3
:004AA3D9 81F200000000            xor edx, 00000000
:004AA3DF 3B542404                cmp edxdword ptr [esp+04]
:004AA3E3 7503                    jne 004AA3E8
:004AA3E5 3B0424                  cmp eaxdword ptr [esp]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA3E3(C)
|
:004AA3E8 5A                      pop edx
:004AA3E9 58                      pop eax
:004AA3EA 0F8414030000            je 004AA704
:004AA3F0 B201                    mov dl, 01
:004AA3F2 A12C354700              mov eaxdword ptr [0047352C]
:004AA3F7 E83092FCFF              call 0047362C
:004AA3FC 8945F8                  mov dword ptr [ebp-08], eax
:004AA3FF BA02000080              mov edx, 80000002
:004AA404 8B45F8                  mov eaxdword ptr [ebp-08]
:004AA407 E8C092FCFF              call 004736CC
:004AA40C 33C9                    xor ecxecx
                                                              //对要保存在注册表里的数据进行变形
* Possible StringData Ref from Code Obj ->"\Software\Microsoft\Active Setup\Installed "
                                        ->"Components"
                                  |
:004AA40E BAC8A84A00              mov edx, 004AA8C8
:004AA413 8B45F8                  mov eaxdword ptr [ebp-08]
:004AA416 E81593FCFF              call 00473730
:004AA41B 8D9544FFFFFF            lea edxdword ptr [ebp+FFFFFF44]
:004AA421 8B45FC                  mov eaxdword ptr [ebp-04]
:004AA424 8B8088040000            mov eaxdword ptr [eax+00000488]
:004AA42A E8992AF9FF              call 0043CEC8
:004AA42F 8B8D44FFFFFF            mov ecxdword ptr [ebp+FFFFFF44]

* Possible StringData Ref from Code Obj ->"Version"
                                  |
:004AA435 BA08A94A00              mov edx, 004AA908
:004AA43A 8B45F8                  mov eaxdword ptr [ebp-08]
:004AA43D E88A94FCFF              call 004738CC
:004AA442 8B45F8                  mov eaxdword ptr [ebp-08]
:004AA445 E85292FCFF              call 0047369C
........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA576(C)
|
:004AA581 A1FCED4A00              mov eaxdword ptr [004AEDFC]
:004AA586 35B05B4500              xor eax, 00455BB0
:004AA58B 33D2                    xor edxedx
:004AA58D 52                      push edx
:004AA58E 50                      push eax
:004AA58F 8B45E0                  mov eaxdword ptr [ebp-20]
:004AA592 8B55E4                  mov edxdword ptr [ebp-1C]
:004AA595 81F0800A0000            xor eax, 00000A80
:004AA59B 81F200000000            xor edx, 00000000
:004AA5A1 0DA4600A02              or eax, 020A60A4
:004AA5A6 81F0CA880A00            xor eax, 000A88CA
:004AA5AC 81F200000000            xor edx, 00000000
:004AA5B2 3B542404                cmp edxdword ptr [esp+04]
:004AA5B6 7503                    jne 004AA5BB
:004AA5B8 3B0424                  cmp eaxdword ptr [esp]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA5B6(C)
|
:004AA5BB 5A                      pop edx
:004AA5BC 58                      pop eax
:004AA5BD 0F84D1F8FFFF            je 004A9E94
:004AA5C3 8D45C8                  lea eaxdword ptr [ebp-38]

* Possible StringData Ref from Code Obj ->"对不起!您的注册码不正确,请与作者联系以获取正确"
                                        ->"注册码!"

//////////////////////////////////////////////////////////////////////////////////////////
下面是机器码生成的过程,有兴趣的人看一下!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A9F79(C)
|
:004A9F32 8D5E63                  lea ebxdword ptr [esi+63]
:004A9F35 8D8568FFFFFF            lea eaxdword ptr [ebp+FFFFFF68]
:004A9F3B 8BD3                    mov edxebx
:004A9F3D E872A7F5FF              call 004046B4
:004A9F42 8B9568FFFFFF            mov edxdword ptr [ebp+FFFFFF68]
:004A9F48 8D45AC                  lea eaxdword ptr [ebp-54]
:004A9F4B B9ACA84A00              mov ecx, 004AA8AC
:004A9F50 E883A8F5FF              call 004047D8
:004A9F55 8B45AC                  mov eaxdword ptr [ebp-54]
:004A9F58 E827AAF5FF              call 00404984
:004A9F5D 50                      push eax

* Reference To: kernel32.GetDriveTypeA, Ord:0000h
                                  |
:004A9F5E E879CBF5FF              Call 00406ADC
:004A9F63 8BD8                    mov ebxeax
:004A9F65 83FB03                  cmp ebx, 00000003
:004A9F68 7511                    jne 004A9F7B
:004A9F6A 8D45A8                  lea eaxdword ptr [ebp-58]
:004A9F6D 8B55AC                  mov edxdword ptr [ebp-54]
:004A9F70 E8F7A5F5FF              call 0040456C
:004A9F75 46                      inc esi
:004A9F76 83FE1C                  cmp esi, 0000001C
:004A9F79 75B7                    jne 004A9F32

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A9F68(C)
|

* Possible StringData Ref from Code Obj ->"a:\"
                                  |
:004A9F7B 68B0A84A00              push 004AA8B0

* Reference To: kernel32.GetDriveTypeA, Ord:0000h
                                  |
:004A9F80 E857CBF5FF              Call 00406ADC
:004A9F85 8BD8                    mov ebxeax
:004A9F87 83FB02                  cmp ebx, 00000002
:004A9F8A 750D                    jne 004A9F99
:004A9F8C 8D45B0                  lea eaxdword ptr [ebp-50]
:004A9F8F BABCA84A00              mov edx, 004AA8BC
:004A9F94 E8FBA7F5FF              call 00404794

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A9F8A(C)
|
:004A9F99 8D4598                  lea eaxdword ptr [ebp-68]
:004A9F9C 50                      push eax
:004A9F9D 8D459C                  lea eaxdword ptr [ebp-64]
:004A9FA0 50                      push eax
:004A9FA1 8D45A0                  lea eaxdword ptr [ebp-60]
:004A9FA4 50                      push eax
:004A9FA5 8D45A4                  lea eaxdword ptr [ebp-5C]
:004A9FA8 50                      push eax
:004A9FA9 8B45A8                  mov eaxdword ptr [ebp-58]
:004A9FAC E8D3A9F5FF              call 00404984
:004A9FB1 50                      push eax

* Reference To: kernel32.GetDiskFreeSpaceA, Ord:0000h
                                  |
:004A9FB2 E815CBF5FF              Call 00406ACC
:004A9FB7 8B4598                  mov eaxdword ptr [ebp-68]
:004A9FBA F76DA4                  imul [ebp-5C]
:004A9FBD F76DA0                  imul [ebp-60]
:004A9FC0 C1E80A                  shr eax, 0A
:004A9FC3 C1E80A                  shr eax, 0A
:004A9FC6 89459C                  mov dword ptr [ebp-64], eax
:004A9FC9 8B459C                  mov eaxdword ptr [ebp-64]
:004A9FCC 33D2                    xor edxedx
:004A9FCE 52                      push edx
:004A9FCF 50                      push eax
:004A9FD0 8D8564FFFFFF            lea eaxdword ptr [ebp+FFFFFF64]
:004A9FD6 E899EAF5FF              call 00408A74
:004A9FDB 8B9564FFFFFF            mov edxdword ptr [ebp+FFFFFF64]
:004A9FE1 8D45B0                  lea eaxdword ptr [ebp-50]
:004A9FE4 E8ABA7F5FF              call 00404794
:004A9FE9 8D9560FFFFFF            lea edxdword ptr [ebp+FFFFFF60]
:004A9FEF 8B45FC                  mov eaxdword ptr [ebp-04]
:004A9FF2 8B8088040000            mov eaxdword ptr [eax+00000488]
:004A9FF8 E8CB2EF9FF              call 0043CEC8
:004A9FFD 8B8560FFFFFF            mov eaxdword ptr [ebp+FFFFFF60]
:004AA003 E8DC00F6FF              call 0040A0E4
:004AA008 DB7DE8                  fstp tbyte ptr [ebp-18]
:004AA00B 9B                      wait
:004AA00C DB6DE8                  fld tbyte ptr [ebp-18]
:004AA00F E8408BF5FF              call 00402B54
:004AA014 8945D8                  mov dword ptr [ebp-28], eax
:004AA017 8955DC                  mov dword ptr [ebp-24], edx
:004AA01A A1FCED4A00              mov eaxdword ptr [004AEDFC]
:004AA01F 35C0400818              xor eax, 180840C0
:004AA024 0D24080300              or eax, 00030824
:004AA029 0DA32F1A02              or eax, 021A2FA3
:004AA02E 3564082100              xor eax, 00210864
:004AA033 0D60A00900              or eax, 0009A060              
:004AA038 33D2                    xor edxedx
:004AA03A 8945E0                  mov dword ptr [ebp-20], eax
:004AA03D 8955E4                  mov dword ptr [ebp-1C], edx
:004AA040 8B45D8                  mov eaxdword ptr [ebp-28]   
:004AA043 8B55DC                  mov edxdword ptr [ebp-24]
:004AA046 81F0640AB302            xor eax, 02B30A64
:004AA04C 81F200000000            xor edx, 00000000
:004AA052 81F026924700            xor eax, 00479226
:004AA058 81F200000000            xor edx, 00000000
:004AA05E 0DA1240000              or eax, 000024A1
:004AA063 81F083720000            xor eax, 00007283
:004AA069 81F200000000            xor edx, 00000000
:004AA06F 3B55E4                  cmp edxdword ptr [ebp-1C]
:004AA072 7547                    jne 004AA0BB
:004AA074 3B45E0                  cmp eaxdword ptr [ebp-20]
:004AA077 7542                    jne 004AA0BB               

:004AA079 8B45E0                  mov eaxdword ptr [ebp-20]
:004AA07C 8B55E4                  mov edxdword ptr [ebp-1C]
:004AA07F 81E0A32F1A02            and eax, 021A2FA3
:004AA085 33D2                    xor edxedx
:004AA087 0D6CF21100              or eax, 0011F26C
:004AA08C 81F013C92300            xor eax, 0023C913
:004AA092 81F200000000            xor edx, 00000000
:004AA098 0D640AB302              or eax, 02B30A64
:004AA09D 81F013C92300            xor eax, 0023C913
:004AA0A3 81F200000000            xor edx, 00000000
:004AA0A9 81F011980A00            xor eax, 000A9811
:004AA0AF 81F200000000            xor edx, 00000000
:004AA0B5 8945E0                  mov dword ptr [ebp-20], eax
:004AA0B8 8955E4                  mov dword ptr [ebp-1C], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AA072(C), :004AA077(C)
|
:004AA0BB 8D955CFFFFFF            lea edxdword ptr [ebp+FFFFFF5C]
:004AA0C1 8B45FC                  mov eaxdword ptr [ebp-04]
:004AA0C4 8B8024040000            mov eaxdword ptr [eax+00000424]
:004AA0CA E8F92DF9FF              call 0043CEC8//机器码长度
:004AA0CF 8B955CFFFFFF            mov edxdword ptr [ebp+FFFFFF5C]
:004AA0D5 B8C4ED4A00              mov eax, 004AEDC4
:004AA0DA E849A4F5FF              call 00404528
:004AA0DF A1C4ED4A00              mov eaxdword ptr [004AEDC4]
:004AA0E4 E8A3A6F5FF              call 0040478C
:004AA0E9 8BD8                    mov ebxeax
:004AA0EB 85DB                    test ebxebx
:004AA0ED 7E3D                    jle 004AA12C

算法模拟和注册机源码!
算法中用到的CRC32的TABLE中有很多的数据是改变之后的!不知道是不是作者故意的!

// Lookup table as the author transcribed it from the target's memory at 004ACA20
// (256 little-endian dwords). It resembles the standard reflected CRC-32 table
// (polynomial $EDB88320) but is not identical to it: entry 0 is $10305070 where
// the standard table has $00000000, and other entries differ as well (for
// example index 5 is $706BF48F where the standard table has $706AF48F).
// NOTE(review): the Pascal routines on this page only XOR whole entries of this
// table together; no CRC is actually computed with it, so the check built on it
// reduces to XOR with fixed masks and is linear and reversible.
const
  CRC_Table: array[0..255] of LongWord =
   ($10305070, $77073096, $EE0E612C, $990951BA, $076DC419, $706BF48F, $E963A535, $9E6595A3,
    $0EDC8832, $79DCE8A4, $E0D5E91E, $97D2D988, $09B64C2B, $7EB17CBD, $E7B82D07, $90BF1D91,
    $1DB71064, $6AB020F2, $F3B97148, $84BE41DE, $1ADAD47D, $6DDDE4EB, $F4D4B551, $83D385C7,
    $136C9856, $646BA8C0, $FD62F97A, $8A65C9EC, $14015C4F, $63066CD9, $FA0F3D63, $8D080DF5,
    $3B6E20C8, $4C69105E, $D56041E4, $A2677172, $3C03E4D1, $4B04D447, $D20D85FD, $A50AB56B,
    $35B5A8FA, $42B2986C, $DBBBC9D6, $ACBCF940, $32D86CE3, $45DF5C75, $DCD60DCF, $ABD13D59,
    $26D930AC, $51DE003A, $C8D75180, $BFD06116, $21B4F4B5, $56B3C423, $CFBA9599, $B8BDA50F,
    $2802B89E, $5F058808, $C60CD9B2, $B10BE924, $2F6F7C87, $58684C11, $C1611DAB, $B6662D3D,
    $76DC4190, $01DB7106, $98D220BC, $EFD5102A, $71B18589, $06B6B51F, $9FBFE4A5, $E8B8D433,
    $7807C9A2, $0F00F934, $9609A88E, $E10E9818, $7F6A0DBB, $086D3D2D, $91646C97, $E6635C01,
    $6B6B51F4, $1C6C6162, $856530D8, $F262004E, $6C0695ED, $1B01A57B, $8208F4C1, $F50FC457,
    $65B0D9C6, $12B7E950, $8BBEB8EA, $FCB9887C, $62DD1DDF, $15DA2D49, $8CD37CF3, $FBD44C65,
    $4DB26158, $3AB551CE, $A3BC0074, $D4BB30E2, $4ADFA541, $3DD895D7, $A4D1C46D, $D3D6F4FB,
    $4369E96A, $346ED9FC, $AD678846, $DA60B8D0, $44042D73, $33031DE5, $AA0A4C5F, $DD0D7CC9,
    $5005713C, $270241AA, $BE0B1010, $C90C2086, $5768B525, $206F85B3, $B966D409, $CE61E49F,
    $5EDEF90E, $29D9C998, $B0D09822, $C7D7A8B4, $59B33D17, $2EB40D81, $B7BD5C3B, $C0BA6CAD,
    $EDB88320, $9ABFB3B6, $03B6E20C, $74B1D29A, $EAD64739, $9DD277AF, $04DB2615, $73DC1683,
    $E3630B12, $94643B84, $0D6D6A3E, $7A6A5AA8, $E40ECF0B, $9309FF9D, $0A00AE27, $7D079EB1,
    $F00F9344, $8708A3D2, $1E01F268, $6906C2FE, $F762575D, $806567CB, $196C3671, $6E6B06E7,
    $FED41B76, $89D32BE0, $10DA7A5A, $67DD4ACC, $F9B9DF6F, $8EBEEFF9, $17B7BE43, $60B08ED5,
    $D6D6A3E8, $A1D1937E, $38D8C2C4, $4FDFF252, $D1BB67F1, $A6BC5767, $3FB506DD, $48B2364B,
    $D80D2BDA, $AF0A1B4C, $36034AF6, $41047A60, $DF60EFC3, $A867DF55, $316E8EEF, $4669BE79,
    $CB61B38C, $BC66831A, $256FD2A0, $5268E236, $CC0C7795, $BB0B4703, $220216B9, $5505262F,
    $C5BA3BBE, $B2BD0B28, $2BB45A92, $5CB36A04, $C2D7FFA7, $B5D0CF31, $2CD99E8B, $5BDEAE1D,
    $9B64C2B0, $EC63F226, $756AA39C, $026D930A, $9C0906A9, $EB0E363F, $72076785, $05005713,
    $95BF4A82, $E2B87A14, $7BB12BAE, $0CB61B38, $92D28E9B, $E5D5BE0D, $7CDCEFB7, $0BDBDF21,
    $86D3D2D4, $F1D4E242, $68DDB3F8, $1FDA836E, $81BE16CD, $F6B9265B, $6FB077E1, $18B74777,
    $88085AE6, $FF0F6A70, $66063BCA, $11010B5C, $8F659EFF, $F862AE69, $616BFFD3, $166CCF45,
    $A00AE278, $D70DD2EE, $4E048354, $3903B3C2, $A7672661, $D06016F7, $4969474D, $3E6E77DB,
    $AED16A4A, $D9D65ADC, $40DF0B66, $37D83BF0, $A9BCAE53, $DEBB9EC5, $47B2CF7F, $30B5FFE9,
    $BDBDF21C, $CABAC28A, $53B39330, $24B4A3A6, $BAD03605, $CDD70693, $54DE5729, $23D967BF,
    $B3667A2E, $C4614AB8, $5D681B02, $2A6F2B94, $B40BBE37, $C30C8EA1, $5A05DF1B, $2D02EF8D);
算法模拟:(只是按照软件算法进行还原的,没有作优化!)

// Author's Pascal model of the serial check traced in the disassembly above.
// It is a fragment (no enclosing procedure header) and, as written, does not
// match the disassembly in several places; see the NOTE(review) lines below.
VAR
A,EAX,TEMP:INTEGER;
MN,SN,STR:STRING;
BEGIN
MN:='2654328163';// my machine code
// NOTE(review): SN (the serial the user entered) is never assigned in this
// fragment before it is converted here.
EAX:=STRTOINT(SN);
// Pass 1 ("CRC32_1"): each character of the machine code is converted to a
// number and used as a table index; the selected entry is XORed into EAX.
FOR A:=1 TO LENGTH(MN) DO
BEGIN
  TEMP:=STRTOINT(MN[A]);
  EAX:=EAX XOR CRC_TABLE[TEMP];
END;
// Pass 2 ("CRC32_2"): XOR table entries into EAX.
// NOTE(review): "0 TO $80" is inclusive and iterates 129 times, whereas the
// disassembly loops until esi = 00000080, i.e. 128 times.
FOR A:=0 TO $80 DO
BEGIN
   EAX:=EAX XOR CRC_TABLE[A];
   // NOTE(review): in the disassembly 00000200 is a byte displacement from ecx,
   // which the author's own annotation reads as CRC_TABLE[128+A]; used as an
   // element index, $200+A lies outside array[0..255].
   EAX:=EAX XOR CRC_TABLE[$200+A];
END;
// Because every entry is XORed in, this is equivalent to XOR with one value;
// equivalent to EAX:=EAX XOR $DB3F761;
// Convert to decimal text, put the last two characters in front, keep the
// first 8 characters and compare them with the first 8 of the machine code.
STR:=INTTOSTR(EAX);
STR:=STR[LENGTH(STR)-1]+STR[LENGTH(STR)]+STR;
STR:=COPY(STR,1,8);
// NOTE(review): the two branches call differently spelled routines
// (SHOWMESSBOX / SHOWMESSAGEBOX); neither is defined on this page.
IF STR=COPY(MN,1,8) THEN SHOWMESSBOX('成功')
ELSE SHOWMESSAGEBOX('失败');
END;
//////////////////////////////////////////////////////////////////////
//算法求逆只是按照软件算法进行还原的没有作优化!
procedure TForm1.Button1Click(Sender: TObject);
// Button handler that runs the author's inverse of the modelled check: it reads
// the machine code from edit1 and writes the resulting number to edit2.
//
// Design note: every step being inverted is an XOR with a constant that is
// either fixed in the binary or selected by the machine code the program
// itself displays, so the check holds no secret. A licence check that verifies
// a signature against an embedded public key would not be invertible this way.
//
// NOTE(review): EAX is a signed INTEGER while CRC_Table holds LongWord values;
// the author notes below the listing that the result may come out negative.
// NOTE(review): the edit1 text is not validated; the code indexes MN[1], MN[2]
// and calls STRTOINT on each character. SN is declared but not used here.
VAR
A,EAX,TEMP:INTEGER;
MN,SN,STR:STRING;
BEGIN
MN:=edit1.Text;
//MN:='2654328163';

STR:=COPY(MN,1,8);       //STR:='26543281';
STR:=STR+MN[2]+MN[1];
STR:=COPY(STR,3,8);     // move the first 2 characters to the end
EAX:=STRTOINT(STR);        //EAX:=54328162;
EAX:=EAX XOR $DB3F761;     //CRC32_2
{FOR A:=0 TO $80 DO
BEGIN
   EAX:=EAX XOR CRC_TABLE[A];
   EAX:=EAX XOR CRC_TABLE[$200+A];
END; }
FOR A:=1 TO LENGTH(MN) DO  //CRC32_1
BEGIN
  TEMP:=STRTOINT(MN[A]);
  EAX:=EAX XOR CRC_TABLE[TEMP];
END;

edit2.Text:=INTTOSTR(EAX);
end;
//不过请大家注意的是这样产生的注册码可能为负数,所以输入注册码的时候一定要连负号一起输入!!!!
就写这么多了,没有很多的时间进行验证,如有错误请大家多多包涵!!