《棋隐》的注册算法
作者:ratarice
工具:TRW2000、W32DSM89
废话少说,过程如下:
* Possible Reference to Dialog: DialogID_00FB, CONTROL_ID:03F7, ""
|
:00401EFF 68F7030000 push 000003F7
:00401F04 8BCF
mov ecx, edi
:00401F06 E86F990300 call 0043B87A
:00401F0B 8D4C2418 lea
ecx, dword ptr [esp+18]
:00401F0F 51
push ecx
* Possible StringData Ref from Data Obj ->"p"
|
:00401F10 6838364700 push 00473638
:00401F15 E866150100 call 00413480
------------------->关键,要进入!
:00401F1A 6A00
push 00000000
:00401F1C 8BD8
mov ebx, eax -------------------->将eax的值给ebx
:00401F1E E81A430200 call 0042623D
:00401F23 6A00
push 00000000
:00401F25 8D7005
lea esi, dword ptr [eax+05]
:00401F28 E810430200 call 0042623D
:00401F2D 83C410
add esp, 00000010
:00401F30 3BF0
cmp esi, eax
:00401F32 7E0E
jle 00401F42
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F40(C)
|
:00401F34 6A00
push 00000000
:00401F36 E802430200 call 0042623D
:00401F3B 83C404
add esp, 00000004
:00401F3E 3BF0
cmp esi, eax
:00401F40 7FF2
jg 00401F34
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F32(C)
|
:00401F42 8B542414 mov
edx, dword ptr [esp+14]
:00401F46 52
push edx
:00401F47 FFD5
call ebp
:00401F49 A198454900 mov eax,
dword ptr [00494598]
:00401F4E 89442410 mov
dword ptr [esp+10], eax
:00401F52 85DB
test ebx, ebx ------------------------->关键比较,其实是比较eax(即00413480的返回值)
:00401F54 C744246000000000 mov [esp+60], 00000000
:00401F5C 7407
je 00401F65 --------------------------->关键跳转,不跳成功!
* Possible Reference to String Resource ID=00131: "Register was successful. Enjoy the game."
|
:00401F5E 6883000000 push 00000083
:00401F63 EB05
jmp 00401F6A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F5C(C)
|
* Possible Reference to String Resource ID=00132: "Invalid serial number. Please input correct serial number."
|
:00401F65 6884000000 push 00000084
***************************************************************************
* Referenced by a CALL at Addresses:
|:00401F15 , :00413A35
|
:00413480 8B542408 mov
edx, dword ptr [esp+08] ---->将假注册码地址给edx
:00413484 83EC2C
sub esp, 0000002C
:00413487 83C9FF
or ecx, FFFFFFFF
:0041348A 33C0
xor eax, eax
:0041348C 56
push esi
:0041348D 57
push edi
:0041348E 8BFA
mov edi, edx
:00413490 33F6
xor esi, esi
:00413492 F2
repnz
:00413493 AE
scasb
:00413494 F7D1
not ecx
:00413496 49
dec ecx ----------------------->计算注册码的长度
:00413497 83F913
cmp ecx, 00000013 ------------->注册码要19位
:0041349A 7555
jne 004134F1
:0041349C 8B02
mov eax, dword ptr [edx] ------
:0041349E 8B4A05
mov ecx, dword ptr [edx+05] |
:004134A1 89442408 mov
dword ptr [esp+08], eax | 将注册码的第5、10、15位去掉
:004134A5 8B420A
mov eax, dword ptr [edx+0A] | 构成新注册码,并将它的地址给
:004134A8 894C240C mov
dword ptr [esp+0C], ecx | edx
:004134AC 8B4A0F
mov ecx, dword ptr [edx+0F] |
:004134AF 89442410 mov
dword ptr [esp+10], eax |
:004134B3 8D542408 lea
edx, dword ptr [esp+08] |
:004134B7 8D44241C lea
eax, dword ptr [esp+1C] |
:004134BB 52
push edx
|
:004134BC 50
push eax
|
:004134BD 894C241C mov
dword ptr [esp+1C], ecx |
:004134C1 C644242000 mov [esp+20],
00 --------------
:004134C6 E8C5FEFFFF call 00413390
----------------->又是关键!
:004134CB 83C408
add esp, 00000008
:004134CE 85C0
test eax, eax
:004134D0 741F
je 004134F1
:004134D2 8D4C2422 lea
ecx, dword ptr [esp+22]
:004134D6 51
push ecx
:004134D7 E8C82E0100 call 004263A4
:004134DC 8B54243C mov
edx, dword ptr [esp+3C]
:004134E0 83C404
add esp, 00000004
:004134E3 3DA0860100 cmp eax,
000186A0
:004134E8 8902
mov dword ptr [edx], eax
:004134EA B801000000 mov eax,
00000001
:004134EF 7D02
jge 004134F3
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041349A(C), :004134D0(C)
|
:004134F1 8BC6
mov eax, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004134EF(C)
|
:004134F3 5F
pop edi
:004134F4 5E
pop esi
:004134F5 83C42C
add esp, 0000002C
:004134F8 C3
ret
*****************************************************************************
* Referenced by a CALL at Address:
|:004134C6
|
:00413390 8B4C2408 mov
ecx, dword ptr [esp+08]
:00413394 83EC28
sub esp, 00000028
:00413397 33C0
xor eax, eax
:00413399 81E96C394700 sub ecx, 0047396C
:0041339F 53
push ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004133B6(C)
|
:004133A0 0FBE906C394700 movsx edx, byte ptr
[eax+0047396C] -----
:004133A7 8A9C016C394700 mov bl, byte ptr
[ecx+eax+0047396C] | 按照作者定的顺序
:004133AE 40
inc eax
| 排序:
:004133AF 83F810
cmp eax, 00000010
| 2837A9F061BD4C5E
:004133B2 885C1404 mov
byte ptr [esp+edx+04], bl |
:004133B6 7CE8
jl 004133A0 ----------------------------
:004133B8 55
push ebp
:004133B9 56
push esi
:004133BA 8D44240C lea
eax, dword ptr [esp+0C]
:004133BE 57
push edi
:004133BF 8D4C2424 lea
ecx, dword ptr [esp+24]
:004133C3 50
push eax
:004133C4 51
push ecx
:004133C5 C644242800 mov [esp+28],
00
:004133CA E821FFFFFF call 004132F0
-------------------------->又是关键,还要追入!
:004133CF 8B7C2444 mov
edi, dword ptr [esp+44]
:004133D3 8D6C242C lea
ebp, dword ptr [esp+2C]
:004133D7 83C408
add esp, 00000008
:004133DA 2BEF
sub ebp, edi
:004133DC 8D7701
lea esi, dword ptr [edi+01]
:004133DF BB0B000000 mov ebx,
0000000B ---------------------->ebx=B
:004133E4 89742440 mov
dword ptr [esp+40], esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041341B(C)
|
:004133E8 0FBE042E movsx eax, byte ptr [esi+ebp] ---------->先符号扩展,再将注册码的第二位传送给eax
:004133EC 83F85A
cmp eax, 0000005A ---------------------->比较eax和5A
:004133EF 7F17
jg 00413408 ---------------------------->大于就跳
:004133F1 B95A000000 mov ecx,
0000005A ---------------------->不大于(<=5A)就ecx=5A
:004133F6 2BC8
sub ecx, eax --------------------------->ecx=ecx-eax
:004133F8 B856555555 mov eax,
55555556 ---------------------->eax=55555556
:004133FD F7E9
imul ecx ------------------------------->edx:eax=eax*ecx(有符号乘,高32位在edx)
:004133FF 8BC2
mov eax, edx --------------------------->eax=edx
:00413401 C1EA1F
shr edx, 1F ---------------------------->edx逻辑右移1F
:00413404 03C2
add eax, edx --------------------------->eax=eax+edx
:00413406 EB0D
jmp 00413415 --------------------------->跳走
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004133EF(C)
|
:00413408 83F865
cmp eax, 00000065 ---------------------->比较eax和65
:0041340B 7C08
jl 00413415 ---------------------------->小于就跳走
:0041340D 83C09B
add eax, FFFFFF9B ---------------------->否则eax=eax+FFFFFF9B
:00413410 99
cdq ------------------------------------>双字扩展(把EAX的符号位扩展到EDX中去)
:00413411 2BC2
sub eax, edx --------------------------->eax=eax-edx
:00413413 D1F8
sar eax, 1 ----------------------------->eax算术右移1
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413406(U), :0041340B(C)
|
:00413415 0430
add al, 30 ----------------------------->al=al+30
:00413417 8806
mov byte ptr [esi], al ----------------->al给[esi]
:00413419 46
inc esi -------------------------------->esi加一
:0041341A 4B
dec ebx -------------------------------->ebx减一
:0041341B 75CB
jne 004133E8 --------------------------->循环;即得新注册码
:0041341D 8A5C2424 mov
bl, byte ptr [esp+24]
:00413421 C6470C00 mov
[edi+0C], 00
:00413425 881F
mov byte ptr [edi], bl ----------------->将注册码的第一位补到新注册码的前面
:00413427 33C0
xor eax, eax ---------------------------
:00413429 B901000000 mov ecx, 00000001 |
| 将新注册码累乘(循环: eax = eax*ecx + [edi+ecx], ecx从1到B),
| 值给eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041343B(C)
|
:0041342E 0FBE1439 movsx
edx, byte ptr [ecx+edi] |
:00413432 0FAFC1
imul eax, ecx
|
:00413435 03C2
add eax, edx
|
:00413437 41
inc ecx
|
:00413438 83F90C
cmp ecx, 0000000C
|
:0041343B 7CF1
jl 0041342E ----------------------------
:0041343D 5F
pop edi
:0041343E 5E
pop esi
:0041343F 85C0
test eax, eax -------------------------->检查eax
:00413441 5D
pop ebp
:00413442 7D02
jge 00413446 --------------------------->eax非负(>=0)就跳到00413446
:00413444 F7D8
neg eax -------------------------------->eax为负时取负,使其变为正数(即取绝对值)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413442(C)
|
:00413446 99
cdq ------------------------------------>双字扩展
:00413447 B91A000000 mov ecx,
0000001A ---------------------->ecx=1A
:0041344C F7F9
idiv ecx ------------------------------->eax=eax/ecx(商),edx=eax mod ecx(余数,下面要用)
:0041344E 0FBEC3
movsx eax, bl -------------------------->把bl符号扩展后送入eax
:00413451 5B
pop ebx
:00413452 83C241
add edx, 00000041 ---------------------->edx=edx+41
:00413455 3BC2
cmp eax, edx --------------------------->比较eax和edx
:00413457 7512
jne 0041346B --------------------------->不相等就完蛋
:00413459 8B4C2430 mov
ecx, dword ptr [esp+30] ------------>将新注册码的第一位地址给ecx
:0041345D 803932
cmp byte ptr [ecx], 32 ----------------->比较[ecx]处的字节和32
:00413460 7509
jne 0041346B --------------------------->不相等就完蛋
:00413462 B801000000 mov eax,
00000001
:00413467 83C428
add esp, 00000028
:0041346A C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413457(C), :00413460(C)
|
:0041346B 33C0
xor eax, eax
:0041346D 83C428
add esp, 00000028
:00413470 C3
ret
***********************************************************************************
* Referenced by a CALL at Addresses:
|:0040808A , :004133CA
|
:004132F0 56
push esi
:004132F1 8B74240C mov
esi, dword ptr [esp+0C]
:004132F5 57
push edi
:004132F6 8BFE
mov edi, esi
:004132F8 83C9FF
or ecx, FFFFFFFF
:004132FB 33C0
xor eax, eax
:004132FD F2
repnz
:004132FE AE
scasb
:004132FF F7D1
not ecx
:00413301 49
dec ecx
:00413302 F6C103
test cl, 03
:00413305 7403
je 0041330A
:00413307 5F
pop edi
:00413308 5E
pop esi
:00413309 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413305(C)
|
:0041330A 8A06
mov al, byte ptr [esi] ------------->依次取注册码到al
:0041330C 84C0
test al, al ------------------------>检查是否是零
:0041330E 7467
je 00413377 ------------------------>是就完蛋!
:00413310 8B7C240C mov
edi, dword ptr [esp+0C]
:00413314 53
push ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041336A(C)
|
:00413315 50
push eax
:00413316 46
inc esi
:00413317 E894FFFFFF call 004132B0
----------------------->也需要追入!(是换算)
:0041331C 8AD8
mov bl, al -------------------------->al给bl
:0041331E 8A06
mov al, byte ptr [esi] -------------->下一个注册码给al
:00413320 50
push eax
:00413321 46
inc esi ----------------------------->esi加一
:00413322 E889FFFFFF call 004132B0
----------------------->换算
:00413327 8AC8
mov cl, al -------------------------->al给cl
:00413329 240F
and al, 0F -------------------------->al and 0f
:0041332B C0F904
sar cl, 04 -------------------------->cl算术右移4
:0041332E C0E302
shl bl, 02 -------------------------->bl逻辑左移2
:00413331 02CB
add cl, bl -------------------------->cl=cl+bl
:00413333 8AD8
mov bl, al -------------------------->al给bl
:00413335 880F
mov byte ptr [edi], cl -------------->cl给[edi]
:00413337 8A06
mov al, byte ptr [esi] -------------->取下一个注册码给al
:00413339 47
inc edi ----------------------------->edi加一
:0041333A 50
push eax
:0041333B 46
inc esi ----------------------------->esi加一
:0041333C E86FFFFFFF call 004132B0
----------------------->换算
:00413341 8AD0
mov dl, al -------------------------->al给dl
:00413343 2403
and al, 03 -------------------------->al and 3
:00413345 C0FA02
sar dl, 02 -------------------------->dl算术右移2
:00413348 C0E304
shl bl, 04 -------------------------->bl逻辑左移4
:0041334B 02D3
add dl, bl -------------------------->dl=dl+bl
:0041334D 8AD8
mov bl, al -------------------------->al给bl
:0041334F 8817
mov byte ptr [edi], dl -------------->dl给[edi]
:00413351 8A06
mov al, byte ptr [esi] -------------->取下一个注册码给al
:00413353 47
inc edi ----------------------------->edi加一
:00413354 50
push eax
:00413355 46
inc esi ----------------------------->esi加一
:00413356 E855FFFFFF call 004132B0
----------------------->换算
:0041335B C0E306
shl bl, 06 -------------------------->bl逻辑左移6
:0041335E 02C3
add al, bl -------------------------->al=al+bl
:00413360 83C410
add esp, 00000010
:00413363 8807
mov byte ptr [edi], al -------------->al给[edi]
:00413365 8A06
mov al, byte ptr [esi] -------------->取下一个注册码给al
:00413367 47
inc edi ----------------------------->edi加一
:00413368 84C0
test al, al ------------------------->检查是否取完
:0041336A 75A9
jne 00413315 ------------------------>没有取完,循环!
:0041336C 5B
pop ebx
:0041336D 8807
mov byte ptr [edi], al -------------->将最后一个给[edi]
:0041336F 5F
pop edi
:00413370 B801000000 mov eax,
00000001
:00413375 5E
pop esi
:00413376 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041330E(C)
|
:00413377 8B7C240C mov
edi, dword ptr [esp+0C]
:0041337B B801000000 mov eax,
00000001
:00413380 C60700
mov byte ptr [edi], 00
:00413383 5F
pop edi
:00413384 5E
pop esi
:00413385 C3
ret
************************************************************************
这个CALL作用是:如果注册码字符在41和5A之间,则该字符减41;
如果在61和7A之间,则减47;
如果在30和39之间,则加4;
否则(见004132D8处)字符等于2B时返回3E,不等于时返回3F。
* Referenced by a CALL at Addresses:
|:00413317 , :00413322 , :0041333C , :00413356
|
:004132B0 8A442404 mov
al, byte ptr [esp+04]
:004132B4 3C41
cmp al, 41
:004132B6 7C08
jl 004132C0
:004132B8 3C5A
cmp al, 5A
:004132BA 7F04
jg 004132C0
:004132BC 83E841
sub eax, 00000041
:004132BF C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004132B6(C), :004132BA(C)
|
:004132C0 3C61
cmp al, 61
:004132C2 7C08
jl 004132CC
:004132C4 3C7A
cmp al, 7A
:004132C6 7F04
jg 004132CC
:004132C8 83E847
sub eax, 00000047
:004132CB C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004132C2(C), :004132C6(C)
|
:004132CC 3C30
cmp al, 30
:004132CE 7C08
jl 004132D8
:004132D0 3C39
cmp al, 39
:004132D2 7F04
jg 004132D8
:004132D4 83C004
add eax, 00000004
:004132D7 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004132CE(C), :004132D2(C)
|
:004132D8 3C2B
cmp al, 2B
:004132DA 0F95C0
setne al
:004132DD 83C03E
add eax, 0000003E
:004132E0 C3
ret
由于本人的能力有限,做不出它的注册机,还请高人指点!!!!!
- 标 题:《棋隐》的注册算法 (19千字)
- 作 者:ratarice
- 时 间:2001-8-26 19:43:17
- 链 接:http://bbs.pediy.com