CDRWin 4.0A BETA

标题：破解心得之CDRWin 4.0A BETA篇 (18千字)
作者：时空幻影
时间：2001-4-24 16:28:01
链接：http://bbs.pediy.com

破解心得之CDRWin 4.0A BETA篇

作者：时空幻影
时间：2001年4月20日
破解工具：W32DASM v8.93白金版汉化版、TRW2000 v1.23注册版

软件名称：CDRWin
发布公司：Golden Hawk Technology
最新版本：4.0A Beta
操作系统：Win9x/ME/NT4/2000
软件简介：CDRWin 是一套强力的特点极多的刻录软件，它可以：支持 AUDIO、CDROM (Mode1)、CDROM-XA (Mode2)、CD-I、混合型、多重扇区盘片；独有的 CUE SHEET 语言可以 100% 定制盘片的布局，避免其他刻录软件在不同 track 之间产生间隔的现象；强大的备份功能可以防止盘片上原有数据的损失；符合 ISO9660 磁盘控制标准；可以制作光盘启动盘；支持 Karaoke CD G 盘片（需要Sony CDW-900E, Panasonic 或 Yamaha 刻录机）；仅有的支持 Philips/Kodak/HP 家族刻录机 Disc-at-once 技术的软件；支持盘片的 UPC 码和 track 的 ISRC 码；支持“Kodak Disc Transporter”高速盘片复制技术。

由于该软件没有加壳，所以破解相对容易一些！！！呵呵，希望大家指出不足之处！！！
1.执行CDRWin 4.0A BETA，点击unlock图标，填入
name：shikonghuanying
company：Changsha
Unlock Key：12345-67890-09876-54321
Check Key：ABCDE-BCDEF-FEDCB-EDCBA（为什么要这样？待会儿再告知）
2.执行TRW2000，按ctrl+N激活它，用BPX HMEMCPY设置断点，再按F5继续.
3.点击Unlock，会被TRW2000拦下，输入BD *使断点暂时失效，再输入PMODULE跳入程序领空。
4.再按几下F10，会到以下所指的地方：

* Possible Reference to String Resource ID=00255: "Invalid disc count specified."
|
:0041DF43 6AFF push FFFFFFFF
:0041DF45 68D0664700 push 004766D0
:0041DF4A 64A100000000 mov eax, dword ptr fs:[00000000]
:0041DF50 50 push eax
:0041DF51 64892500000000 mov dword ptr fs:[00000000], esp
:0041DF58 83EC38 sub esp, 00000038
:0041DF5B A1F0A04A00 mov eax, dword ptr [004AA0F0]
:0041DF60 53 push ebx
:0041DF61 56 push esi
:0041DF62 57 push edi
:0041DF63 8965F0 mov dword ptr [ebp-10], esp
:0041DF66 8BF1 mov esi, ecx
:0041DF68 8945E0 mov dword ptr [ebp-20], eax
:0041DF6B C745FC00000000 mov [ebp-04], 00000000
:0041DF72 8945E4 mov dword ptr [ebp-1C], eax
:0041DF75 8945E8 mov dword ptr [ebp-18], eax
:0041DF78 8945EC mov dword ptr [ebp-14], eax
:0041DF7B 8B4E68 mov ecx, dword ptr [esi+68]
:0041DF7E 8D45E0 lea eax, dword ptr [ebp-20]
:0041DF81 BB03000000 mov ebx, 00000003
:0041DF86 50 push eax
:0041DF87 885DFC mov byte ptr [ebp-04], bl
:0041DF8A E81DC30400 call 0046A2AC
:0041DF8F 8D4DE4 lea ecx, dword ptr [ebp-1C]
:0041DF92 51 push ecx <--按F10会到这里，然后继续按F10
:0041DF93 8B4E6C mov ecx, dword ptr [esi+6C]
:0041DF96 E811C30400 call 0046A2AC
:0041DF9B 8B4E70 mov ecx, dword ptr [esi+70]
:0041DF9E 8D55E8 lea edx, dword ptr [ebp-18]
:0041DFA1 52 push edx
:0041DFA2 E805C30400 call 0046A2AC
:0041DFA7 8B4E74 mov ecx, dword ptr [esi+74]
:0041DFAA 8D45EC lea eax, dword ptr [ebp-14]
:0041DFAD 50 push eax
:0041DFAE E8F9C20400 call 0046A2AC
:0041DFB3 8D4DBC lea ecx, dword ptr [ebp-44]
:0041DFB6 8D55C0 lea edx, dword ptr [ebp-40]
:0041DFB9 51 push ecx
:0041DFBA 8D45C4 lea eax, dword ptr [ebp-3C]
:0041DFBD 52 push edx
:0041DFBE 8B55E8 mov edx, dword ptr [ebp-18]
:0041DFC1 8D4DC8 lea ecx, dword ptr [ebp-38]
:0041DFC4 50 push eax
:0041DFC5 51 push ecx

* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx" <--指明了Unlock Key的格式
|
:0041DFC6 68FC214A00 push 004A21FC
:0041DFCB 52 push edx
:0041DFCC E82C860300 call 004565FD <--检查是不是符合上面的格式，并把字符转为HEX
:0041DFD1 83C418 add esp, 00000018
:0041DFD4 83F804 cmp eax, 00000004
:0041DFD7 0F8597000000 jne 0041E074
:0041DFDD 8D45CC lea eax, dword ptr [ebp-34]
:0041DFE0 8D4DD0 lea ecx, dword ptr [ebp-30]
:0041DFE3 50 push eax
:0041DFE4 8D55D4 lea edx, dword ptr [ebp-2C]
:0041DFE7 51 push ecx
:0041DFE8 8B4DEC mov ecx, dword ptr [ebp-14]
:0041DFEB 8D45D8 lea eax, dword ptr [ebp-28]
:0041DFEE 52 push edx
:0041DFEF 50 push eax

* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx" <--指明了Check Key的格式
|
:0041DFF0 68FC214A00 push 004A21FC
:0041DFF5 51 push ecx
:0041DFF6 E802860300 call 004565FD <--检查是不是符合上面的格式，并把字符转为HEX
:0041DFFB 83C418 add esp, 00000018
:0041DFFE 83F804 cmp eax, 00000004
:0041E001 7571 jne 0041E074
:0041E003 8B4DE4 mov ecx, dword ptr [ebp-1C]
:0041E006 8845FC mov byte ptr [ebp-04], al
:0041E009 8D55CC lea edx, dword ptr [ebp-34]
:0041E00C 8D45BC lea eax, dword ptr [ebp-44]
:0041E00F 52 push edx
:0041E010 8B55E0 mov edx, dword ptr [ebp-20]
:0041E013 50 push eax
:0041E014 51 push ecx
:0041E015 52 push edx
:0041E016 E845630000 call 00424360 <--按F8进入
:0041E01B 83C410 add esp, 00000010
:0041E01E 895DFC mov dword ptr [ebp-04], ebx

下面为Unlock Key和Check Key比较的部分，假设Key的各部分为：
Unlock Key：12345-67890-09876-54321
^^^^^ ^^^^^ ^^^^^ ^^^^^
u1 u2 u3 u4

Check Key：ABCDE-BCDEF-FEDCB-EDCBA
^^^^^ ^^^^^ ^^^^^ ^^^^^
c1 c2 c3 c4

* Referenced by a CALL at Address:
|:0041E016
|
:00424360 8B4C2410 mov ecx, dword ptr [esp+10]
:00424364 53 push ebx
:00424365 55 push ebp
:00424366 56 push esi
:00424367 8B742418 mov esi, dword ptr [esp+18]
:0042436B 8B19 mov ebx, dword ptr [ecx] <--ebx=c4
:0042436D 57 push edi
:0042436E 8B3E mov edi, dword ptr [esi] <--edi=u4
:00424370 8B4604 mov eax, dword ptr [esi+04] <--eax=u3
:00424373 8BD7 mov edx, edi
:00424375 33D0 xor edx, eax
:00424377 3BDA cmp ebx, edx
:00424379 7525 jne 004243A0 <--这个和下面两个jne一定不能跳转
:0042437B 8B5608 mov edx, dword ptr [esi+08] <--edx=u2
:0042437E 8BDA mov ebx, edx
:00424380 33D8 xor ebx, eax
:00424382 8B4104 mov eax, dword ptr [ecx+04] <--eax=c3
:00424385 3BC3 cmp eax, ebx
:00424387 7517 jne 004243A0
:00424389 8B460C mov eax, dword ptr [esi+0C] <--eax=u1
:0042438C 8BD8 mov ebx, eax
:0042438E 33DA xor ebx, edx
:00424390 8B5108 mov edx, dword ptr [ecx+08] <--edx=c2
:00424393 3BD3 cmp edx, ebx
:00424395 7509 jne 004243A0
:00424397 8B510C mov edx, dword ptr [ecx+0C] <--edx=c1
:0042439A 33C7 xor eax, edi
:0042439C 3BD0 cmp edx, eax
:0042439E 7413 je 004243B3 <--这个则一定要跳转

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00424379(C), :00424387(C), :00424395(C)
|
:004243A0 6A00 push 00000000
:004243A2 6A00 push 00000000
:004243A4 6A00 push 00000000
:004243A6 6838FFFFFF push FFFFFF38
:004243AB E8F0360000 call 00427AA0 <--弹出注册失败窗口
:004243B0 83C410 add esp, 00000010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042439E(C)
|
:004243B3 8B6C2418 mov ebp, dword ptr [esp+18]
:004243B7 8B7C2414 mov edi, dword ptr [esp+14]
:004243BB 56 push esi
:004243BC 55 push ebp
:004243BD 57 push edi
:004243BE E8ED040000 call 004248B0 <--按F8进入
:004243C3 83C40C add esp, 0000000C
:004243C6 85C0 test eax, eax
:004243C8 7510 jne 004243DA
:004243CA 50 push eax
:004243CB 50 push eax
:004243CC 50 push eax
:004243CD 6837FFFFFF push FFFFFF37
:004243D2 E8C9360000 call 00427AA0 <--弹出注册失败窗口
:004243D7 83C410 add esp, 00000010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004243C8(C)
|
:004243DA 8B1E mov ebx, dword ptr [esi]
:004243DC C1EB10 shr ebx, 10
:004243DF 66335E04 xor bx, word ptr [esi+04]
:004243E3 81E3FFFF0000 and ebx, 0000FFFF
:004243E9 8D43F1 lea eax, dword ptr [ebx-0F]
:004243EC 3DBC040000 cmp eax, 000004BC
:004243F1 7E13 jle 00424406 <--这个一定要跳转
:004243F3 6A00 push 00000000
:004243F5 6A00 push 00000000
:004243F7 6A00 push 00000000
:004243F9 6834FFFFFF push FFFFFF34
:004243FE E89D360000 call 00427AA0 <--弹出注册失败窗口
:00424403 83C410 add esp, 00000010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004243F1(C)
|
:00424406 83C30F add ebx, 0000000F
:00424409 81FBBC040000 cmp ebx, 000004BC
:0042440F 7D13 jge 00424424 <--这个也一定要跳转
:00424411 6A00 push 00000000
:00424413 6A00 push 00000000
:00424415 6A00 push 00000000
:00424417 6835FFFFFF push FFFFFF35
:0042441C E87F360000 call 00427AA0 <--弹出注册失败窗口
:00424421 83C410 add esp, 00000010

在那个call 00427AA0按F8进入后来到以下：

* Referenced by a CALL at Addresses:
|:004242D8 , :004243BE
|
:004248B0 8B44240C mov eax, dword ptr [esp+0C]
:004248B4 8B542404 mov edx, dword ptr [esp+04]
:004248B8 53 push ebx
:004248B9 55 push ebp
:004248BA 8B18 mov ebx, dword ptr [eax] <--ebx=54321
:004248BC 57 push edi
:004248BD 8BFA mov edi, edx
:004248BF 83C9FF or ecx, FFFFFFFF
:004248C2 33C0 xor eax, eax
:004248C4 F2 repnz
:004248C5 AE scasb
:004248C6 F7D1 not ecx
:004248C8 49 dec ecx
:004248C9 83F906 cmp ecx, 00000006 <--检查name的长度是否大于等于6，
:004248CC 726B jb 00424939 name的长度应该>=6
:004248CE 8B6C2414 mov ebp, dword ptr [esp+14]
:004248D2 83C9FF or ecx, FFFFFFFF
:004248D5 8BFD mov edi, ebp
:004248D7 F2 repnz
:004248D8 AE scasb
:004248D9 F7D1 not ecx
:004248DB 49 dec ecx
:004248DC 83F906 cmp ecx, 00000006 <--检查company的长度是否大于等于6,
:004248DF 7258 jb 00424939 company的长度应该>=6
:004248E1 F7C3FFFF0000 test ebx, 0000FFFF
:004248E7 7450 je 00424939
:004248E9 F7C30000FFFF test ebx, FFFF0000
:004248EF 7448 je 00424939
:004248F1 56 push esi
:004248F2 6A02 push 00000002
:004248F4 52 push edx
:004248F5 E846000000 call 00424940 <--按F8进入
:004248FA 6A02 push 00000002
:004248FC 55 push ebp
:004248FD 8BF0 mov esi, eax
:004248FF E83C000000 call 00424940 <--按F8进入
:00424904 8BC8 mov ecx, eax
:00424906 8BD0 mov edx, eax
:00424908 81E10000FF00 and ecx, 00FF0000
:0042490E 83C410 add esp, 00000010
:00424911 C1EA10 shr edx, 10
:00424914 0BCA or ecx, edx
:00424916 8BD0 mov edx, eax
:00424918 81E200FF0000 and edx, 0000FF00
:0042491E C1E010 shl eax, 10
:00424921 0BD0 or edx, eax
:00424923 33C0 xor eax, eax
:00424925 C1E908 shr ecx, 08
:00424928 C1E208 shl edx, 08
:0042492B 0BCA or ecx, edx
:0042492D 33CE xor ecx, esi
:0042492F 5E pop esi
:00424930 3BCB cmp ecx, ebx
:00424932 5F pop edi
:00424933 5D pop ebp
:00424934 5B pop ebx
:00424935 0F94C0 sete al
:00424938 C3 ret

第一个call 00424940是把name进行计算，第二个call 00424940是把company进行计算。

* Referenced by a CALL at Addresses:
|:004248F5 , :004248FF
|
:00424940 8B442408 mov eax, dword ptr [esp+08]
:00424944 56 push esi
:00424945 48 dec eax
:00424946 740E je 00424956
:00424948 48 dec eax
:00424949 7404 je 0042494F <--在这里一般都会跳转，而且应该要跳转
:0042494B 33C0 xor eax, eax
:0042494D 5E pop esi
:0042494E C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424949(C)
|
:0042494F BEA0804A00 mov esi, 004A80A0
:00424954 EB05 jmp 0042495B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424946(C)
|
:00424956 BE60804A00 mov esi, 004A8060

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424954(U)
|
:0042495B 8B542408 mov edx, dword ptr [esp+08]
:0042495F 57 push edi
:00424960 8BFA mov edi, edx
:00424962 83C9FF or ecx, FFFFFFFF
:00424965 33C0 xor eax, eax
:00424967 6A00 push 00000000
:00424969 F2 repnz
:0042496A AE scasb
:0042496B F7D1 not ecx
:0042496D 49 dec ecx
:0042496E 51 push ecx
:0042496F 52 push edx
:00424970 56 push esi
:00424971 E8DA2E0200 call 00447850 <--按F8进入
:00424976 83C410 add esp, 00000010
:00424979 5F pop edi
:0042497A 5E pop esi
:0042497B C3 ret

进入后的这一段代码比较重要，对求出注册码的u4部分起关键作用。

   进入后的这一段代码比较重要，对求出注册码的u4部分起关键作用。

* Referenced by a CALL at Addresses:
|:0042463C   , :004247FE   , :00424971   , :0042508B   , :00447F8D   
|
:00447850 8B442410                mov eax, dword ptr [esp+10]
:00447854 8B542408                mov edx, dword ptr [esp+08]
:00447858 57                      push edi
:00447859 8B7C2410                mov edi, dword ptr [esp+10]
:0044785D 6685FF                  test di, di
:00447860 743E                    je 004478A0
:00447862 53                      push ebx
:00447863 55                      push ebp
:00447864 56                      push esi
:00447865 8B742414                mov esi, dword ptr [esp+14]
:00447869 81E7FFFF0000            and edi, 0000FFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044789B(C)
|
:0044786F 33C9                    xor ecx, ecx
:00447871 8BE8                    mov ebp, eax
:00447873 8A0A                    mov cl, byte ptr [edx]      <--edx为存放name或company的内存地址
:00447875 42                      inc edx
:00447876 8BD9                    mov ebx, ecx
:00447878 33D8                    xor ebx, eax
:0044787A 83E30F                  and ebx, 0000000F
:0044787D C1ED04                  shr ebp, 04
:00447880 8B049E                  mov eax, dword ptr [esi+4*ebx]     <--esi为存放密码表的内存地址
:00447883 33C5                    xor eax, ebp
:00447885 C1E904                  shr ecx, 04
:00447888 8BD8                    mov ebx, eax
:0044788A 83E10F                  and ecx, 0000000F
:0044788D 83E30F                  and ebx, 0000000F
:00447890 33CB                    xor ecx, ebx
:00447892 C1E804                  shr eax, 04
:00447895 8B0C8E                  mov ecx, dword ptr [esi+4*ecx]
:00447898 33C1                    xor eax, ecx
:0044789A 4F                      dec edi
:0044789B 75D2                    jne 0044786F
:0044789D 5E                      pop esi
:0044789E 5D                      pop ebp
:0044789F 5B                      pop ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00447860(C)
|
:004478A0 5F                      pop edi
:004478A1 C3                      ret

密码表：
     0x00000000     0x1C3E887E     0x387D10FC     0x24439882
     0x70FA21F8     0x6CC4A986     0x48873104     0x54B9B97A
     0xE1F443F0     0xFDCACB8E     0xD989530C     0xC5B7DB72
     0x910E6208     0x8D30EA76     0xA97372F4     0xB54DFA8A

    到这里，相信大家应该对其注册算法比较清楚了，自己写一下注册机，提高一下自己的编程能力。

我的注册码为：
          name：时空幻影
       company：湖南长沙
    Unlock Key：3520A324-303B8C46-1810AD6E-A9D27FF5
     Check Key：9CF2DCD1-051B2F62-282B2128-B1C2D29B

标题：破解心得之CDRWin 4.0A BETA篇（续） (24千字)
作者：时空幻影
时间：2001-4-24 16:29:18

破解心得之CDRWin 4.0A BETA篇（续）

作者：时空幻影
时间：2001年4月20日
破解工具：W32DASM v8.93白金版汉化版、TRW2000 v1.23注册版

软件名称：CDRWin
发布公司：Golden Hawk Technology
最新版本：4.0A Beta
操作系统：Win9x/ME/NT4/2000
软件简介：CDRWin 是一套强力的特点极多的刻录软件，它可以：支持 AUDIO、CDROM (Mode1)、CDROM-XA (Mode2)、CD-I、混合型、多重扇区盘片；独有的 CUE SHEET 语言可以 100% 定制盘片的布局，避免其他刻录软件在不同 track 之间产生间隔的现象；强大的备份功能可以防止盘片上原有数据的损失；符合 ISO9660 磁盘控制标准；可以制作光盘启动盘；支持 Karaoke CD G 盘片（需要Sony CDW-900E, Panasonic 或 Yamaha 刻录机）；仅有的支持 Philips/Kodak/HP 家族刻录机 Disc-at-once 技术的软件；支持盘片的 UPC 码和 track 的 ISRC 码；支持“Kodak Disc Transporter”高速盘片复制技术。

但是我高兴的太早了，输入后的确注册成功，然而在退出软件重新运行时，弹出了一个窗口，大意是说我是通过非法手段注册的（气死我了，我的注册机已经写好了，看来我又要重新写了！55555……）。继续祭出我们的两大法宝TRW2000和W32DASM搞定它。
在上一节这么一段代码如下：
* Referenced by a CALL at Addresses:
|:004242D8 , :004243BE <==这里有两个调用该CALL的地址，其中:004243BE是上一节用过的，那么剩下的
| 就应该是启动时用到的
:004248B0 8B44240C mov eax, dword ptr [esp+0C]
:004248B4 8B542404 mov edx, dword ptr [esp+04]
:004248B8 53 push ebx
:004248B9 55 push ebp
:004248BA 8B18 mov ebx, dword ptr [eax] <--ebx=54321
:004248BC 57 push edi
:004248BD 8BFA mov edi, edx
:004248BF 83C9FF or ecx, FFFFFFFF
:004248C2 33C0 xor eax, eax
:004248C4 F2 repnz
:004248C5 AE scasb
:004248C6 F7D1 not ecx
:004248C8 49 dec ecx
:004248C9 83F906 cmp ecx, 00000006 <--检查name的长度是否大于等于6，
:004248CC 726B jb 00424939 name的长度应该>=6
:004248CE 8B6C2414 mov ebp, dword ptr [esp+14]
:004248D2 83C9FF or ecx, FFFFFFFF
:004248D5 8BFD mov edi, ebp
:004248D7 F2 repnz
:004248D8 AE scasb
:004248D9 F7D1 not ecx
:004248DB 49 dec ecx
:004248DC 83F906 cmp ecx, 00000006 <--检查company的长度是否大于等于6,
:004248DF 7258 jb 00424939 company的长度应该>=6
:004248E1 F7C3FFFF0000 test ebx, 0000FFFF
:004248E7 7450 je 00424939
:004248E9 F7C30000FFFF test ebx, FFFF0000
:004248EF 7448 je 00424939
:004248F1 56 push esi
:004248F2 6A02 push 00000002
:004248F4 52 push edx
:004248F5 E846000000 call 00424940 <--按F8进入
:004248FA 6A02 push 00000002
:004248FC 55 push ebp
:004248FD 8BF0 mov esi, eax
:004248FF E83C000000 call 00424940 <--按F8进入
:00424904 8BC8 mov ecx, eax
:00424906 8BD0 mov edx, eax
:00424908 81E10000FF00 and ecx, 00FF0000
:0042490E 83C410 add esp, 00000010
:00424911 C1EA10 shr edx, 10
:00424914 0BCA or ecx, edx
:00424916 8BD0 mov edx, eax
:00424918 81E200FF0000 and edx, 0000FF00
:0042491E C1E010 shl eax, 10
:00424921 0BD0 or edx, eax
:00424923 33C0 xor eax, eax
:00424925 C1E908 shr ecx, 08
:00424928 C1E208 shl edx, 08
:0042492B 0BCA or ecx, edx
:0042492D 33CE xor ecx, esi
:0042492F 5E pop esi
:00424930 3BCB cmp ecx, ebx
:00424932 5F pop edi
:00424933 5D pop ebp
:00424934 5B pop ebx
:00424935 0F94C0 sete al
:00424938 C3 ret

因此用TRW2000载入它后设置断点BPX 004242D8，按F5继续执行，程序会被拦下，然后按F10单步执行。

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042416A(C)
|
:004242C9 6820DD4A00 push 004ADD20
:004242CE 68F0DB4A00 push 004ADBF0
:004242D3 68B0DB4A00 push 004ADBB0
:004242D8 E8D3050000 call 004248B0 <--程序会在这里被拦下，然后按F10单步执行
:004242DD 83C40C add esp, 0000000C
:004242E0 85C0 test eax, eax
:004242E2 7510 jne 004242F4 <--会跳转
:004242E4 50 push eax
:004242E5 50 push eax
:004242E6 50 push eax
:004242E7 6836FFFFFF push FFFFFF36
:004242EC E8AF370000 call 00427AA0
:004242F1 83C410 add esp, 00000010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004242E2(C)
|
:004242F4 A124DD4A00 mov eax, dword ptr [004ADD24]
:004242F9 56 push esi
:004242FA 8B3520DD4A00 mov esi, dword ptr [004ADD20]
:00424300 C1EE10 shr esi, 10
:00424303 33F0 xor esi, eax
:00424305 81E6FFFF0000 and esi, 0000FFFF
:0042430B 8D46F1 lea eax, dword ptr [esi-0F]
:0042430E 3DBC040000 cmp eax, 000004BC
:00424313 7E13 jle 00424328 <--会跳转
:00424315 6A00 push 00000000
:00424317 6A00 push 00000000
:00424319 6A00 push 00000000
:0042431B 6834FFFFFF push FFFFFF34
:00424320 E87B370000 call 00427AA0
:00424325 83C410 add esp, 00000010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424313(C)
|
:00424328 83C60F add esi, 0000000F
:0042432B 81FEBC040000 cmp esi, 000004BC
:00424331 5E pop esi
:00424332 7D13 jge 00424347 <--会跳转
:00424334 6A00 push 00000000
:00424336 6A00 push 00000000
:00424338 6A00 push 00000000
:0042433A 6835FFFFFF push FFFFFF35
:0042433F E85C370000 call 00427AA0
:00424344 83C410 add esp, 00000010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424332(C)
|
:00424347 6820DD4A00 push 004ADD20
:0042434C E89F060000 call 004249F0 <--在这里按F8进入
:00424351 83C404 add esp, 00000004
:00424354 C705ECDE4A0001000000 mov dword ptr [004ADEEC], 00000001

进入后会到这里：

* Referenced by a CALL at Addresses:
|:0042434C , :00424425
|
:004249F0 81EC50020000 sub esp, 00000250
:004249F6 53 push ebx
:004249F7 B9947BECBE mov ecx, BEEC7B94 <--BEEC7B94和下一个的6962423E均为u4的黑名单
:004249FC B83E426269 mov eax, 6962423E
:00424A01 56 push esi
:00424A02 57 push edi
:00424A03 C7442414F219749C mov [esp+14], 9C7419F2 <--9C7419F2和以下的也是黑名单
:00424A0B C7442418026BCB74 mov [esp+18], 74CB6B02
:00424A13 C744241C6BE1237B mov [esp+1C], 7B23E16B
:00424A1B C744242087F1202E mov [esp+20], 2E20F187
:00424A23 C7442424E3BD575B mov [esp+24], 5B57BDE3
:00424A2B C7442428CB5E95FF mov [esp+28], FF955ECB
:00424A33 C744242C0F362704 mov [esp+2C], 0427360F
:00424A3B C7442430991AD3FC mov [esp+30], FCD31A99
:00424A43 C74424341F907CFA mov [esp+34], FA7C901F
:00424A4B C74424383096C30F mov [esp+38], 0FC39630
:00424A53 C744243C8876E44A mov [esp+3C], 4AE47688
:00424A5B C7442440207B6B77 mov [esp+40], 776B7B20
:00424A63 C7442444379F82C6 mov [esp+44], C6829F37
:00424A6B C7442448BD9B4A53 mov [esp+48], 534A9BBD
:00424A73 C744244C6E4AD346 mov [esp+4C], 46D34A6E
:00424A7B C74424508F31A8A7 mov [esp+50], A7A8318F
:00424A83 C7442454B6FF065E mov [esp+54], 5E06FFB6
:00424A8B C74424581040B78F mov [esp+58], 8FB74010
:00424A93 C744245C9B0083D9 mov [esp+5C], D983009B
:00424A9B C7442460F77F1105 mov [esp+60], 05117FF7
:00424AA3 C74424641889E956 mov [esp+64], 56E98918
:00424AAB C744246865F557DA mov [esp+68], DA57F565
:00424AB3 C744246CA340DE10 mov [esp+6C], 10DE40A3
:00424ABB C74424706D611D09 mov [esp+70], 091D616D
:00424AC3 C744247440F1DECF mov [esp+74], CFDEF140
:00424ACB C7442478C0CB2B0A mov [esp+78], 0A2BCBC0
:00424AD3 C744247CB437E178 mov [esp+7C], 78E137B4
:00424ADB C784248000000086B1D7CC mov dword ptr [esp+00000080], CCD7B186
:00424AE6 C78424840000002B400C9A mov dword ptr [esp+00000084], 9A0C402B
:00424AF1 C7842488000000CF24DEBE mov dword ptr [esp+00000088], BEDE24CF
:00424AFC C784248C0000004C0464E4 mov dword ptr [esp+0000008C], E464044C
:00424B07 C78424900000009F3DCD1C mov dword ptr [esp+00000090], 1CCD3D9F
:00424B12 C7842494000000C4F3FC0C mov dword ptr [esp+00000094], 0CFCF3C4
:00424B1D C78424980000005B6632E8 mov dword ptr [esp+00000098], E832665B
:00424B28 C784249C0000009573EABD mov dword ptr [esp+0000009C], BDEA7395
:00424B33 C78424A0000000AE960F86 mov dword ptr [esp+000000A0], 860F96AE
:00424B3E C78424A4000000EA0DE039 mov dword ptr [esp+000000A4], 39E00DEA
:00424B49 C78424A8000000702C89D2 mov dword ptr [esp+000000A8], D2892C70
:00424B54 C78424AC0000003B07435E mov dword ptr [esp+000000AC], 5E43073B
:00424B5F C78424B000000010925172 mov dword ptr [esp+000000B0], 72519210
:00424B6A C78424B4000000C856D743 mov dword ptr [esp+000000B4], 43D756C8
:00424B75 C78424B80000003BD6A585 mov dword ptr [esp+000000B8], 85A5D63B
:00424B80 898C24BC000000 mov dword ptr [esp+000000BC], ecx
:00424B87 898424C0000000 mov dword ptr [esp+000000C0], eax
:00424B8E C78424C4000000BCF1F1C4 mov dword ptr [esp+000000C4], C4F1F1BC
:00424B99 C78424C8000000B210BD6F mov dword ptr [esp+000000C8], 6FBD10B2
:00424BA4 C78424CC0000007150FCF2 mov dword ptr [esp+000000CC], F2FC5071
:00424BAF C78424D0000000A1AA5BF8 mov dword ptr [esp+000000D0], F85BAAA1
:00424BBA C78424D400000089E541A2 mov dword ptr [esp+000000D4], A241E589
:00424BC5 C78424D8000000E48ECBDD mov dword ptr [esp+000000D8], DDCB8EE4
:00424BD0 C78424DC000000F629A74C mov dword ptr [esp+000000DC], 4CA729F6
:00424BDB C78424E0000000115A059C mov dword ptr [esp+000000E0], 9C055A11
:00424BE6 C78424E400000086A0B24A mov dword ptr [esp+000000E4], 4AB2A086
:00424BF1 C78424E80000008FA4D3E3 mov dword ptr [esp+000000E8], E3D3A48F
:00424BFC C78424EC00000096878DCC mov dword ptr [esp+000000EC], CC8D8796
:00424C07 C78424F0000000B0F80B64 mov dword ptr [esp+000000F0], 640BF8B0
:00424C12 C78424F4000000FEDE03F4 mov dword ptr [esp+000000F4], F403DEFE
:00424C1D C78424F80000004EEA5B65 mov dword ptr [esp+000000F8], 655BEA4E
:00424C28 C78424FC000000791A49AE mov dword ptr [esp+000000FC], AE491A79
:00424C33 C7842400010000CA0708EE mov dword ptr [esp+00000100], EE0807CA
:00424C3E C78424040100004AC3A72E mov dword ptr [esp+00000104], 2EA7C34A
:00424C49 C784240801000077D0E14F mov dword ptr [esp+00000108], 4FE1D077
:00424C54 C784240C0100009C2FA21A mov dword ptr [esp+0000010C], 1AA22F9C
:00424C5F C7842410010000A19D120D mov dword ptr [esp+00000110], 0D129DA1
:00424C6A C7842414010000F5E9DAA3 mov dword ptr [esp+00000114], A3DAE9F5
:00424C75 C784241801000060571A3C mov dword ptr [esp+00000118], 3C1A5760
:00424C80 C784241C0100001AE50B72 mov dword ptr [esp+0000011C], 720BE51A
:00424C8B C7842420010000F4FFADF0 mov dword ptr [esp+00000120], F0ADFFF4
:00424C96 C78424240100004D955A7F mov dword ptr [esp+00000124], 7F5A954D
:00424CA1 C784242801000027E4CADF mov dword ptr [esp+00000128], DFCAE427
:00424CAC C784242C010000D4F3A51C mov dword ptr [esp+0000012C], 1CA5F3D4
:00424CB7 C78424300100003EADE8D6 mov dword ptr [esp+00000130], D6E8AD3E
:00424CC2 C78424340100002CB7896E mov dword ptr [esp+00000134], 6E89B72C
:00424CCD C78424380100000C22B146 mov dword ptr [esp+00000138], 46B1220C
:00424CD8 C784243C0100004C30F574 mov dword ptr [esp+0000013C], 74F5304C
:00424CE3 C7842440010000E46A51A9 mov dword ptr [esp+00000140], A9516AE4
:00424CEE 8BB42460020000 mov esi, dword ptr [esp+00000260]
:00424CF5 898C242C020000 mov dword ptr [esp+0000022C], ecx
:00424CFC 89842430020000 mov dword ptr [esp+00000230], eax
:00424D03 33FF xor edi, edi
:00424D05 8B16 mov edx, dword ptr [esi]
:00424D07 C78424440100000007F858 mov dword ptr [esp+00000144], 58F80700
:00424D12 C78424480100007A2E6396 mov dword ptr [esp+00000148], 96632E7A
:00424D1D C784244C010000ED92EA4C mov dword ptr [esp+0000014C], 4CEA92ED
:00424D28 C7842450010000A3747F7A mov dword ptr [esp+00000150], 7A7F74A3
:00424D33 C7842454010000D4E5B9BC mov dword ptr [esp+00000154], BCB9E5D4
:00424D3E C7842458010000ED132F38 mov dword ptr [esp+00000158], 382F13ED
:00424D49 C784245C010000708F3F52 mov dword ptr [esp+0000015C], 523F8F70
:00424D54 C78424600100003C09796F mov dword ptr [esp+00000160], 6F79093C
:00424D5F C7842464010000C26B3CEB mov dword ptr [esp+00000164], EB3C6BC2
:00424D6A C7842468010000B85CD5BC mov dword ptr [esp+00000168], BCD55CB8
:00424D75 C784246C01000033D74E1B mov dword ptr [esp+0000016C], 1B4ED733
:00424D80 C7842470010000D9BB22F1 mov dword ptr [esp+00000170], F122BBD9
:00424D8B C78424740100004E80F4C7 mov dword ptr [esp+00000174], C7F4804E
:00424D96 C78424780100006ADA3DFD mov dword ptr [esp+00000178], FD3DDA6A
:00424DA1 C784247C010000BB6B47F9 mov dword ptr [esp+0000017C], F9476BBB
:00424DAC C7842480010000563242A5 mov dword ptr [esp+00000180], A5423256
:00424DB7 C78424840100002F33ADEC mov dword ptr [esp+00000184], ECAD332F
:00424DC2 C784248801000015635500 mov dword ptr [esp+00000188], 00556315
:00424DCD C784248C010000279EA928 mov dword ptr [esp+0000018C], 28A99E27
:00424DD8 C7842490010000C3D7A0D9 mov dword ptr [esp+00000190], D9A0D7C3
:00424DE3 C78424940100006EAF16C0 mov dword ptr [esp+00000194], C016AF6E
:00424DEE C784249801000053A1ACB6 mov dword ptr [esp+00000198], B6ACA153
:00424DF9 C784249C010000F311FF1B mov dword ptr [esp+0000019C], 1BFF11F3
:00424E04 C78424A00100007FFA4A11 mov dword ptr [esp+000001A0], 114AFA7F
:00424E0F C78424A40100002680190E mov dword ptr [esp+000001A4], 0E198026
:00424E1A C78424A801000009990021 mov dword ptr [esp+000001A8], 21009909
:00424E25 C78424AC010000D1A8A14D mov dword ptr [esp+000001AC], 4DA1A8D1
:00424E30 C78424B0010000ED000012 mov dword ptr [esp+000001B0], 120000ED
:00424E3B C78424B40100006A274114 mov dword ptr [esp+000001B4], 1441276A
:00424E46 C78424B8010000182975CE mov dword ptr [esp+000001B8], CE752918
:00424E51 C78424BC010000DC9DF7D8 mov dword ptr [esp+000001BC], D8F79DDC
:00424E5C C78424C00100009938A35C mov dword ptr [esp+000001C0], 5CA33899
:00424E67 C78424C4010000F2C0A635 mov dword ptr [esp+000001C4], 35A6C0F2
:00424E72 C78424C80100003BA6FC5D mov dword ptr [esp+000001C8], 5DFCA63B
:00424E7D C78424CC010000616CF549 mov dword ptr [esp+000001CC], 49F56C61
:00424E88 C78424D0010000F5D34ADD mov dword ptr [esp+000001D0], DD4AD3F5
:00424E93 C78424D4010000F9F39E77 mov dword ptr [esp+000001D4], 779EF3F9
:00424E9E C78424D801000093A56641 mov dword ptr [esp+000001D8], 4166A593
:00424EA9 C78424DC010000FBB547C8 mov dword ptr [esp+000001DC], C847B5FB
:00424EB4 C78424E0010000996E1682 mov dword ptr [esp+000001E0], 82166E99
:00424EBF C78424E4010000C1483A70 mov dword ptr [esp+000001E4], 703A48C1
:00424ECA C78424E8010000B05B00BF mov dword ptr [esp+000001E8], BF005BB0
:00424ED5 C78424EC0100008AE26E87 mov dword ptr [esp+000001EC], 876EE28A
:00424EE0 C78424F0010000FDC18C7D mov dword ptr [esp+000001F0], 7D8CC1FD
:00424EEB C78424F4010000E1C1329B mov dword ptr [esp+000001F4], 9B32C1E1
:00424EF6 C78424F8010000C5CEDF41 mov dword ptr [esp+000001F8], 41DFCEC5
:00424F01 C78424FC010000858A0B0F mov dword ptr [esp+000001FC], 0F0B8A85
:00424F0C C7842400020000A8F7B49B mov dword ptr [esp+00000200], 9BB4F7A8
:00424F17 C78424040200006F9BA29A mov dword ptr [esp+00000204], 9AA29B6F
:00424F22 C7842408020000DDCF7D82 mov dword ptr [esp+00000208], 827DCFDD
:00424F2D C784240C020000810829FE mov dword ptr [esp+0000020C], FE290881
:00424F38 C7842410020000D344D0EB mov dword ptr [esp+00000210], EBD044D3
:00424F43 C784241402000045621FF7 mov dword ptr [esp+00000214], F71F6245
:00424F4E C784241802000081DB5AF0 mov dword ptr [esp+00000218], F05ADB81
:00424F59 C784241C02000011E4F0AB mov dword ptr [esp+0000021C], ABF0E411
:00424F64 C7842420020000DFD567EB mov dword ptr [esp+00000220], EB67D5DF
:00424F6F C78424240200006F404C30 mov dword ptr [esp+00000224], 304C406F
:00424F7A C78424280200001941279A mov dword ptr [esp+00000228], 9A274119
:00424F85 C7842434020000C50A9410 mov dword ptr [esp+00000234], 10940AC5
:00424F90 C7842438020000FD37B872 mov dword ptr [esp+00000238], 72B837FD
:00424F9B C784243C0200008BE00FAE mov dword ptr [esp+0000023C], AE0FE08B
:00424FA6 C784244002000058050368 mov dword ptr [esp+00000240], 68030558
:00424FB1 C7842444020000F6F6D1C8 mov dword ptr [esp+00000244], C8D1F6F6
:00424FBC C7842448020000E41606BD mov dword ptr [esp+00000248], BD0616E4
:00424FC7 C784244C0200005B5FC673 mov dword ptr [esp+0000024C], 73C65F5B
:00424FD2 C78424500200006288114A mov dword ptr [esp+00000250], 4A118862
:00424FDD C7842454020000FA38D8DA mov dword ptr [esp+00000254], DAD838FA
:00424FE8 C7842458020000445C278A mov dword ptr [esp+00000258], 8A275C4

:00424FF3 C744240C6A1A9E5C mov [esp+0C], 5C9E1A6A
:00424FFB C7442410144043EF mov [esp+10], EF434014
:00425003 33C9 xor ecx, ecx
:00425005 8D442418 lea eax, dword ptr [esp+18]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042501C(C)
|
:00425009 8B18 mov ebx, dword ptr [eax]
:0042500B 81F390AD34B8 xor ebx, B834AD90
:00425011 3BD3 cmp edx, ebx
:00425013 7434 je 00425049
:00425015 83C008 add eax, 00000008
:00425018 41 inc ecx
:00425019 83F949 cmp ecx, 00000049
:0042501C 7CEB jl 00425009
:0042501E 33C9 xor ecx, ecx
:00425020 8D442410 lea eax, dword ptr [esp+10]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425037(C)
|
:00425024 8B30 mov esi, dword ptr [eax]
:00425026 81F690AD34B8 xor esi, B834AD90
:0042502C 3BD6 cmp edx, esi
:0042502E 740F je 0042503F
:00425030 83C008 add eax, 00000008
:00425033 41 inc ecx
:00425034 83F901 cmp ecx, 00000001
:00425037 7CEB jl 00425024
:00425039 893D30514A00 mov dword ptr [004A5130], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042502E(C)
|
:0042503F 5F pop edi
:00425040 5E pop esi
:00425041 5B pop ebx
:00425042 81C450020000 add esp, 00000250
:00425048 C3 ret

呵呵！这些黑名单还真不少啊，希望你的不会在此之列！继续按F10经过两个ret后会来到如下地方：

* Possible StringData Ref from Data Obj ->"CDRWIN.DAT"
|
:004034E6 68CC124A00 push 004A12CC
:004034EB C645FC01 mov [ebp-04], 01
:004034EF E83C0C0200 call 00424130
:004034F4 83C40C add esp, 0000000C <--来到这里
:004034F7 895DFC mov dword ptr [ebp-04], ebx
:004034FA E8711B0200 call 00425070 <--按F8进入
:004034FF 85C0 test eax, eax
:00403501 7542 jne 00403545 <--一定要跳转，否则就弹出了那讨厌的窗口
:00403503 53 push ebx
:00403504 8D4D88 lea ecx, dword ptr [ebp-78]
:00403507 E834F60000 call 00412B40
:0040350C 8D4D88 lea ecx, dword ptr [ebp-78]
:0040350F C645FC03 mov [ebp-04], 03
:00403513 E8CA5A0600 call 00468FE2
:00403518 8D4D88 lea ecx, dword ptr [ebp-78]
:0040351B 885DFC mov byte ptr [ebp-04], bl
:0040351E E800570600 call 00468C23
:00403523 8D4DEC lea ecx, dword ptr [ebp-14]
:00403526 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:0040352D E811970600 call 0046CC43
:00403532 33C0 xor eax, eax
:00403534 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00403537 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040353E 5F pop edi
:0040353F 5E pop esi
:00403540 5B pop ebx
:00403541 8BE5 mov esp, ebp
:00403543 5D pop ebp
:00403544 C3 ret

按F8进入会来到如下地方：

* Referenced by a CALL at Address:
|:004034FA
|
:00425070 51 push ecx
:00425071 A120DD4A00 mov eax, dword ptr [004ADD20]
:00425076 6A00 push 00000000
:00425078 8D4C2404 lea ecx, dword ptr [esp+04]
:0042507C 6A04 push 00000004
:0042507E 83C064 add eax, 00000064
:00425081 51 push ecx
:00425082 68E07F4A00 push 004A7FE0
:00425087 89442410 mov dword ptr [esp+10], eax
:0042508B E8C0270200 call 00447850 <--按F8进入
:00425090 C1E810 shr eax, 10
:00425093 33D2 xor edx, edx
:00425095 66390526DD4A00 cmp word ptr [004ADD26], ax
:0042509C 0F94C2 sete dl
:0042509F 8BC2 mov eax, edx
:004250A1 83C414 add esp, 00000014
:004250A4 C3 ret

按F8进入会来到如下地方：

* Referenced by a CALL at Addresses:
|:0042463C , :004247FE , :00424971 , :0042508B , :00447F8D
|
:00447850 8B442410 mov eax, dword ptr [esp+10]
:00447854 8B542408 mov edx, dword ptr [esp+08]
:00447858 57 push edi
:00447859 8B7C2410 mov edi, dword ptr [esp+10]
:0044785D 6685FF test di, di
:00447860 743E je 004478A0
:00447862 53 push ebx
:00447863 55 push ebp
:00447864 56 push esi
:00447865 8B742414 mov esi, dword ptr [esp+14]
:00447869 81E7FFFF0000 and edi, 0000FFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044789B(C)
|
:0044786F 33C9 xor ecx, ecx
:00447871 8BE8 mov ebp, eax
:00447873 8A0A mov cl, byte ptr [edx] <--edx为存放u4+100的内存地址
:00447875 42 inc edx
:00447876 8BD9 mov ebx, ecx
:00447878 33D8 xor ebx, eax
:0044787A 83E30F and ebx, 0000000F
:0044787D C1ED04 shr ebp, 04
:00447880 8B049E mov eax, dword ptr [esi+4*ebx] <--esi为存放密码表的内存地址
:00447883 33C5 xor eax, ebp
:00447885 C1E904 shr ecx, 04
:00447888 8BD8 mov ebx, eax
:0044788A 83E10F and ecx, 0000000F
:0044788D 83E30F and ebx, 0000000F
:00447890 33CB xor ecx, ebx
:00447892 C1E804 shr eax, 04
:00447895 8B0C8E mov ecx, dword ptr [esi+4*ecx]
:00447898 33C1 xor eax, ecx
:0044789A 4F dec edi
:0044789B 75D2 jne 0044786F
:0044789D 5E pop esi
:0044789E 5D pop ebp
:0044789F 5B pop ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00447860(C)
|
:004478A0 5F pop edi
:004478A1 C3 ret

大家对上面这段代码是不是有点眼熟，是的。可惜是“代码依旧，密码已非”。这次我想大家应该能够编出正确的注册机了吧！

附：密码表2
00000000 1DB71064 3B6E20C8 26D930AC
76DC4190 6B6B51F4 4DB26158 5005713C
EDB88320 F00F9344 D6D6A3E8 CB61B38C
9B64C2B0 86D3D2D4 A00AE278 BDBDF21C

我的正确的注册码：
name：时空幻影
company：湖南长沙
Unlock Key：69684041-65AD2ED1-4B34AD7F-A9D27FF5
Check Key：C0BA3FB4-0CC56E90-2E9983AE-E2E6D28A

//---------------------------------------------------------------------------

#include <vcl.h>
#pragma hdrstop

#include "Unit1.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
//---------------------------------------------------------------------------
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}
//---------------------------------------------------------------------------

void __fastcall TForm1::Button1Click(TObject *Sender)
{
if (Edit1->Text.Length()<6||Edit2->Text.Length()<6)
{
Application->MessageBoxA("Name和Company字符数必须大于等于6","警告",MB_OK);
return;
}
AnsiString s1=Edit1->Text,s2=Edit2->Text,s3;
int passcode1[16]={0x00000000,0x1c3e887e,0x387d10fc,0x24439882,
0x70fa21f8,0x6cc4a986,0x48873104,0x54b9b97a,
0xe1f443f0,0xfdcacb8e,0xd989530c,0xc5b7db72,
0x910e6208,0x8d30ea76,0xa97372f4,0xb54dfa8a};
int passcode2[16]={0x00000000,0x1cb71064,0x3b6e20c8,0x26d930ac,
0x71dc4190,0x6b6b51f4,0x4db26158,0x5005713c,
0xedb88320,0xf00f9344,0xd6d6a3e8,0xcb61b38c,
0x9b64c2b0,0x86d3d2d4,0xa0cae278,0xbdbdf21c};
int u[4],c[4],t,t1,t2,t3,t4,i,sum=0,temp=0;
for (i=1;i<=Edit1->Text.Length();i++)
{
t=int(s1[i]);
if (t<0) t+=256;
t1=(t^temp)&0x0f;
t2=passcode1[t1]^((temp>>4)&0x0fffffff);
t3=(t>>4)&0x0f;
t4=t3^(t2&0x0f);
temp=((t2>>4)&0x0fffffff)^passcode1[t4];
}
sum=temp;
temp=0;
for (i=1;i<=Edit2->Text.Length();i++)
{
t=int(s2[i]);
if (t<0) t+=256;
t1=(t^temp)&0x0f;
t2=passcode1[t1]^((temp>>4)&0x0fffffff);
t3=(t>>4)&0x0f;
t4=t3^(t2&0x0f);
temp=((t2>>4)&0x0fffffff)^passcode1[t4];
}
temp=((temp>>0x18)&0xff)+((temp>>8)&0xff00)+((temp<<8)&0xff0000)+(temp<<0x18);
u[3]=sum^temp;
sum=u[3]+100;
temp=0;
for (i=1;i<=4;i++)
{
t=sum%0x100;
sum=sum>>8;
if (t<0) t+=256;
t1=(t^temp)&0x0f;
t2=passcode2[t1]^((temp>>4)&0x0fffffff);
t3=(t>>4)&0x0f;
t4=t3^(t2&0x0f);
temp=((t2>>4)&0x0fffffff)^passcode2[t4];
}
u[2]=(0x4bc^((u[3]>>0x10)&0xffff))+((temp>>0x10)<<0x10);
u[1]=u[2]*u[3];
u[0]=u[1]*u[2]*u[3];
c[0]=u[3]^u[0];
c[1]=u[0]^u[1];
c[2]=u[1]^u[2];
c[3]=u[2]^u[3];
Edit3->Text=IntToHex(u[0],8)+"-"+IntToHex(u[1],8)+"-"+IntToHex(u[2],8)+"-"+IntToHex(u[3],8);
Edit4->Text=IntToHex(c[0],8)+"-"+IntToHex(c[1],8)+"-"+IntToHex(c[2],8)+"-"+IntToHex(c[3],8);
}
//---------------------------------------------------------------------------