下载:http://newhua.ruyi.com/down/p2k270.exe
这个软件其实算法并不难,翻来覆去的用同一个call,作者只是报定了一个宗旨:烦死你!
呵呵,有兴趣的人自己看吧 ... ...
===============================================================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C446(C)
|
:0041C3BA 6A08
push 00000008
:0041C3BC 8D4C2420
lea ecx, dword ptr [esp+20]
:0041C3C0 55
push ebp
:0041C3C1 51
push ecx
:0041C3C2 8D4C2458
lea ecx, dword ptr [esp+58]
:0041C3C6
E82BCA0100 call 00438DF6<-----------------------------取用户名的前8位
:0041C3CB 50
push eax
:0041C3CC 8D4C2414
lea ecx, dword ptr [esp+14]
:0041C3D0 C644244005
mov [esp+40], 05
:0041C3D5 E8D6300200
call 0043F4B0
:0041C3DA 8D4C241C
lea ecx, dword ptr [esp+1C]
:0041C3DE 885C243C mov
byte ptr [esp+3C], bl
:0041C3E2 E8902F0200
call 0043F377
:0041C3E7 51
push ecx
:0041C3E8 8D542414
lea edx, dword ptr [esp+14]
:0041C3EC 8BCC
mov ecx, esp
:0041C3EE 89642430
mov dword ptr [esp+30], esp
:0041C3F2 52
push edx
:0041C3F3
E8F42C0200 call 0043F0EC
:0041C3F8 51
push ecx
:0041C3F9 8D442450
lea eax, dword ptr [esp+50]
:0041C3FD 8BCC
mov ecx, esp
:0041C3FF 89642438
mov dword ptr [esp+38], esp
:0041C403 50
push eax
:0041C404 C644244806
mov [esp+48], 06
:0041C409 E8DE2C0200
call 0043F0EC
:0041C40E 8D4C2428
lea ecx, dword ptr [esp+28]
:0041C412 885C2444
mov byte ptr [esp+44], bl
:0041C416 51
push ecx
:0041C417 8BCE
mov ecx, esi
:0041C419 E862FBFFFF
call 0041BF80<-------------(1)---------计算(由用户名前8位),算法详见下
:0041C41E 50
push eax<------------------------------call(1)的结果1943803359447161397
:0041C41F 8D4C2418
lea ecx, dword ptr [esp+18]
:0041C423 C644244007
mov [esp+40], 07
:0041C428 E862330200
call 0043F78F
:0041C42D 8D4C2420
lea ecx, dword ptr [esp+20]
:0041C431
885C243C mov byte ptr [esp+3C],
bl
:0041C435 E83D2F0200 call
0043F377
:0041C43A 8B442418
mov eax, dword ptr [esp+18]
:0041C43E 83C508
add ebp, 00000008
:0041C441 48
dec eax
:0041C442
89442418 mov dword ptr
[esp+18], eax
:0041C446 0F856EFFFFFF
jne 0041C3BA
:0041C44C 8B6C2424
mov ebp, dword ptr [esp+24]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0041C3AE(C)
|
:0041C450 8D14FD00000000
lea edx, dword ptr [8*edi+00000000]
:0041C457
55
push ebp
:0041C458 8D442428
lea eax, dword ptr [esp+28]
:0041C45C 52
push edx
:0041C45D 50
push eax
:0041C45E 8D4C2458
lea ecx, dword ptr [esp+58]
:0041C462 E88FC90100
call 00438DF6<-----------------------------取用户名的后5位
:0041C467 50
push eax
:0041C468 8D4C2414
lea ecx, dword ptr [esp+14]
:0041C46C C644244008
mov [esp+40], 08
:0041C471 E83A300200
call 0043F4B0
:0041C476 8D4C2424
lea ecx, dword ptr [esp+24]
:0041C47A 885C243C mov
byte ptr [esp+3C], bl
:0041C47E E8F42E0200
call 0043F377
:0041C483 51
push ecx
:0041C484 8D542414
lea edx, dword ptr [esp+14]
:0041C488 8BCC
mov ecx, esp
:0041C48A 89642434
mov dword ptr [esp+34], esp
:0041C48E 52
push edx
:0041C48F
E8582C0200 call 0043F0EC
:0041C494 51
push ecx
:0041C495 8D442450
lea eax, dword ptr [esp+50]
:0041C499 8BCC
mov ecx, esp
:0041C49B 89642434
mov dword ptr [esp+34], esp
:0041C49F 50
push eax
:0041C4A0 C644244809
mov [esp+48], 09
:0041C4A5 E8422C0200
call 0043F0EC
:0041C4AA 8D4C242C
lea ecx, dword ptr [esp+2C]
:0041C4AE 885C2444
mov byte ptr [esp+44], bl
:0041C4B2 51
push ecx
:0041C4B3 8BCE
mov ecx, esi
:0041C4B5 E8C6FAFFFF
call 0041BF80<-------------(2)---------计算(由用户名后5位),算法同call
(1)
:0041C4BA 50
push eax<------------------------------call(2)的结果1056146343234067490
:0041C4BB 8D4C2418
lea ecx, dword ptr [esp+18]
:0041C4BF C64424400A
mov [esp+40], 0A
:0041C4C4 E8C6320200
call 0043F78F<----------------------合并call(1)和call(2)的结果
:0041C4C9 8D4C2424
lea ecx, dword ptr [esp+24] 9438033594471613971056146343234067490
:0041C4CD 885C243C
mov byte ptr [esp+3C], bl
:0041C4D1 E8A12E0200
call 0043F377
:0041C4D6 51
push ecx
:0041C4D7 8D542418
lea edx, dword ptr [esp+18]
:0041C4DB 8BCC
mov ecx, esp
:0041C4DD 89642434
mov dword ptr [esp+34], esp
:0041C4E1 52
push edx
:0041C4E2
E8052C0200 call 0043F0EC
:0041C4E7 8B7C2448 mov
edi, dword ptr [esp+48]
:0041C4EB 8BCE
mov ecx, esi
:0041C4ED 57
push edi
:0041C4EE
E85DFDFFFF call 0041C250<-------------(3)------根据合并后的数计算出最终注册码
:0041C4F3 BB01000000 mov
ebx, 00000001
:0041C4F8 895C2428
mov dword ptr [esp+28], ebx
:0041C4FC 8D4C2414
lea ecx, dword ptr [esp+14]
:0041C500
C644243C03 mov [esp+3C], 03
:0041C505 E86D2E0200 call 0043F377
:0041C50A 8D4C2410
lea ecx, dword ptr [esp+10]
:0041C50E C644243C02
mov [esp+3C], 02
:0041C513 E85F2E0200
call 0043F377
:0041C518 8D4C2448
lea ecx, dword ptr [esp+48]
:0041C51C
885C243C mov byte ptr [esp+3C],
bl
:0041C520 E8522E0200 call
0043F377
:0041C525 8D4C244C
lea ecx, dword ptr [esp+4C]
:0041C529 C644243C00
mov [esp+3C], 00
:0041C52E E8442E0200
call 0043F377
:0041C533 8B4C2434
mov ecx, dword ptr [esp+34]
:0041C537 8BC7
mov eax, edi
:0041C539 5F
pop edi
:0041C53A 5E
pop esi
:0041C53B 5D
pop ebp
:0041C53C 64890D00000000 mov dword ptr
fs:[00000000], ecx
:0041C543 5B
pop ebx
:0041C544 83C430
add esp, 00000030
:0041C547
C20C00 ret 000C<---------------------------返回
==============================================================================================
* Referenced by a CALL at Addresses:<------------------------------------call
(1)(2)(3.1)
|:0041BE59 , :0041BEF5 , :0041C2D9 , :0041C419
, :0041C4B5
|:0041C83E
|
* Possible Reference
to Dialog: DialogID_01BF, CONTROL_ID:00FF, ""
|
:0041BF80 6AFF
push FFFFFFFF
:0041BF82 680FCE4500
push 0045CE0F
:0041BF87 64A100000000
mov eax, dword ptr fs:[00000000]
:0041BF8D 50
push eax
:0041BF8E 64892500000000 mov dword ptr
fs:[00000000], esp
:0041BF95 83EC38
sub esp, 00000038
:0041BF98 55
push ebp
:0041BF99 56
push esi
:0041BF9A 57
push edi
:0041BF9B 8BE9
mov ebp, ecx
:0041BF9D C744242C00000000
mov [esp+2C], 00000000
:0041BFA5 8D442458
lea eax, dword ptr [esp+58]<-----8430110010883617(固定数字)
... ... 略 ... ...
:0041C188 E873F9FFFF call
0041BB00<---------------------(1.1)(2.1)(3.1.1),跟入
:0041C18D 57
push edi<--------------------------447161397
:0041C18E 8D442418
lea eax, dword ptr [esp+18]
:0041C192 56
push esi<--------------------------1943803359
:0041C193 50
push eax
:0041C194 E80D340200
call 0043F5A6<---------------------合并
:0041C199 8B742454
mov esi, dword ptr [esp+54]
:0041C19D 8D4C2414 lea
ecx, dword ptr [esp+14]<-------合并后1943803359447161397
... ... 略 ... ...
:0041C247 C20C00
ret 000C
=================================================================================================
* Referenced by a CALL at Address:<---------------------------------call
(1.1)(2.1)(3.1.1)
|:0041C188
|
* Possible Reference
to Dialog: DialogID_01BF, CONTROL_ID:00FF, ""
|
:0041BB00 6AFF
push FFFFFFFF
:0041BB02 68B0CC4500
push 0045CCB0
:0041BB07 64A100000000
mov eax, dword ptr fs:[00000000]
:0041BB0D 50
push eax
:0041BB0E 64892500000000 mov dword ptr
fs:[00000000], esp
:0041BB15 83EC10
sub esp, 00000010
:0041BB18 53
push ebx
:0041BB19 55
push ebp
:0041BB1A 56
push esi
:0041BB1B 57
push edi
:0041BB1C 8BD9
mov ebx, ecx
:0041BB1E 51
push ecx
:0041BB1F 8D442434
lea eax, dword ptr [esp+34]<----------lanc
:0041BB23 8BCC
mov ecx, esp
:0041BB25
89642420 mov dword ptr
[esp+20], esp
:0041BB29 50
push eax
:0041BB2A C744243005000000
mov [esp+30], 00000005
:0041BB32 E8B5350200
call 0043F0EC
:0041BB37 8BCB
mov ecx, ebx
:0041BB39 E852010000
call 0041BC90<-----(1.1.1)(2.1.1)(3.1.1.1)-----0x40f3abfb,算法见下
:0041BB3E 51
push ecx
:0041BB3F 8D542438
lea edx, dword ptr [esp+38]<----------elot
:0041BB43
8BCC mov
ecx, esp
:0041BB45 89642420
mov dword ptr [esp+20], esp
:0041BB49 52
push edx
:0041BB4A 8BF0
mov esi, eax<-------------------------0x40f3abfb
:0041BB4C E89B350200 call
0043F0EC
:0041BB51 8BCB
mov ecx, ebx
:0041BB53 E838010000
call 0041BC90<------(1.1.2)(2.1.2)(3.1.1.2)----0x8a83570c,算法见下
:0041BB58 8BF8
mov edi, eax<-------------------------0x8a83570c
:0041BB5A 8B442438
mov eax, dword ptr [esp+38]<----------8430
:0041BB5E 50
push eax
:0041BB5F E855D50000
call 004290B9<------------------------转换成16进制,8430==0x20ee
:0041BB64 8B4C2440 mov
ecx, dword ptr [esp+40]<----------1100
:0041BB68 89442414
mov dword ptr [esp+14], eax
:0041BB6C
51
push ecx
:0041BB6D E847D50000
call 004290B9<------------------------转换成16进制,1100==0x44c
:0041BB72 8B542448
mov edx, dword ptr [esp+48]<----------1088
:0041BB76 8944241C
mov dword ptr [esp+1C], eax
:0041BB7A 52
push edx
:0041BB7B E839D50000
call 004290B9<------------------------转换成16进制,1088==0x440
:0041BB80 89442424
mov dword ptr [esp+24], eax
:0041BB84 8B442450
mov eax, dword ptr [esp+50]<----------3617
:0041BB88 50
push eax
:0041BB89 E82BD50000
call 004290B9<------------------------转换成16进制,3617==0xe21
:0041BB8E
83C410 add esp,
00000010
:0041BB91 8944241C
mov dword ptr [esp+1C], eax
:0041BB95 33C9
xor ecx, ecx
:0041BB97 BA20000000
mov edx, 00000020
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0041BBE1(C)
|
:0041BB9C 8B6C2410
mov ebp, dword ptr [esp+10]<----------0x20ee
:0041BBA0 8BC7
mov eax, edi<-------------------------0x8a83570c
:0041BBA2 C1E004
shl eax, 04<--------------------------0x8a83570c<<4==0xa83570c0
:0041BBA5 03C5
add eax, ebp<-------------------------0xa83570c0+0x20ee==0xa83591ae
:0041BBA7
8B6C2414 mov ebp, dword
ptr [esp+14]<----------0x44c
:0041BBAB 03C6
add eax, esi<-------------------------0xa83591ae+0x44c==0xe9293da9
:0041BBAD 8BF7
mov esi, edi
:0041BBAF C1EE05
shr esi, 05<--------------------------0x8a83570c>>5==0x4541ab8
:0041BBB2 81E94786C861 sub ecx,
61C88647<--------------------0x9e3779b9
:0041BBB8 03F5
add esi, ebp<-------------------------0x4541ab8+0x44c==0x4541f04
:0041BBBA 8B6C2418
mov ebp, dword ptr [esp+18]<----------0x440
:0041BBBE 33C6
xor eax, esi<-------------------------0xe9293da9^0x440
==0xed7d22ad
:0041BBC0 8D3439
lea esi, dword ptr [ecx+edi]<---------0x9e3779b9+0x8a83570c==0x28dab0c5
:0041BBC3 33F0
xor esi, eax<-------------------------0x28dab0c5^0xed7d22ad==0xc5c7f268
:0041BBC5 8BC6
mov eax, esi
:0041BBC7 C1E004
shl eax, 04<--------------------------0xc5c7f268<<4==0x5c7f2680
:0041BBCA 03C5
add eax, ebp<-------------------------0x5c7f2680+0x440==0x5c7f2ac0
:0041BBCC 8B6C241C mov
ebp, dword ptr [esp+1C]<----------0xe21
:0041BBD0 03C7
add eax, edi<-------------------------0x5c7f2ac0+0x8a83570c==0xe70281cc
:0041BBD2 8BFE
mov edi, esi
:0041BBD4 C1EF05
shr edi, 05<--------------------------0xc5c7f268>>5==0x62e3f93
:0041BBD7 03FD
add edi, ebp<-------------------------0x62e3f93+0xe21==0x62e4db4
:0041BBD9 33C7
xor eax, edi<-------------------------0xe70281cc^0x62e4db4==0xe12ccc78
:0041BBDB 8D3C31
lea edi, dword ptr [ecx+esi]<---------0x9e3779b9+0xc5c7f268==0x63ff6c21
:0041BBDE 33F8
xor edi, eax<-------------------------0xe12ccc78^0x63ff6c21==0x82d3a059
:0041BBE0 4A
dec edx<------------------------------0x20
:0041BBE1 75B9
jne 0041BB9C<-------------------------天啊,计算32次?!
:0041BBE3 8BC6
mov eax, esi
:0041BBE5 99
cdq
:0041BBE6 8BC8
mov ecx, eax<-------------------------0x73dc15df
:0041BBE8 8BC7
mov eax, edi<-------------------------0x1aa72435
:0041BBEA 33CA
xor ecx, edx<-------------------------0x73dc15df^0==0x73dc15df
:0041BBEC 2BCA
sub ecx, edx<-------------------------0x73dc15df-0==0x73dc15df
:0041BBEE 99
cdq
:0041BBEF 8BF0
mov esi, eax<-------------------------0x1aa72435
:0041BBF1 51
push ecx
:0041BBF2 8D4B04
lea ecx, dword ptr [ebx+04]
:0041BBF5 33F2
xor esi, edx
* Possible StringData Ref from Data Obj ->"%ld"
|
:0041BBF7 68F07B4700
push 00477BF0
:0041BBFC 51
push ecx
:0041BBFD 2BF2
sub esi, edx
:0041BBFF E824D70100
call 00439328<------------------------转换成10进制,0x73dc15df==1943803359
:0041BC04 83C40C
add esp, 0000000C
:0041BC07 83C308
add ebx, 00000008
:0041BC0A 56
push esi
* Possible
StringData Ref from Data Obj ->"%ld"
|
:0041BC0B 68F07B4700 push
00477BF0
:0041BC10 53
push ebx
:0041BC11 E812D70100
call 00439328<------------------------转换成10进制,0x1aa72435==447161397
... ... 略 ... ...
:0041BC82
C21800 ret 0018
========================================================
================================================================================================
* Referenced by a CALL at Addresses:<----------------------------call (1.1.1)(2.1.1)(3.1.1.2)
|:0041BB39 , :0041BB53
|
* Possible Reference to Dialog: DialogID_01BF, CONTROL_ID:00FF, ""
|
:0041BC90 6AFF push FFFFFFFF
:0041BC92 68D8CC4500 push 0045CCD8
:0041BC97 64A100000000 mov eax, dword ptr fs:[00000000]
:0041BC9D 50 push eax
:0041BC9E 64892500000000 mov dword ptr fs:[00000000], esp
:0041BCA5 83EC0C sub esp, 0000000C
:0041BCA8 53 push ebx
:0041BCA9 56 push esi
:0041BCAA A190814700 mov eax, dword ptr [00478190]
:0041BCAF 33F6 xor esi, esi
:0041BCB1 8974241C mov dword ptr [esp+1C], esi
:0041BCB5 8944240C mov dword ptr [esp+0C], eax
:0041BCB9 C644241C01 mov [esp+1C], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041BD21(C)
|
:0041BCBE 6A01 push 00000001
:0041BCC0 8D4C2414 lea ecx, dword ptr [esp+14]
:0041BCC4 56 push esi
:0041BCC5 51 push ecx
:0041BCC6 8D4C2430 lea ecx, dword ptr [esp+30]
:0041BCCA E827D10100 call 00438DF6
:0041BCCF 8B00 mov eax, dword ptr [eax]<---------------注册码第1位'l'==0x6c
:0041BCD1 8D4C2410 lea ecx, dword ptr [esp+10]
:0041BCD5 8A18 mov bl, byte ptr [eax]
:0041BCD7 E89B360200 call 0043F377
:0041BCDC 8B1590814700 mov edx, dword ptr [00478190]
:0041BCE2 89542408 mov dword ptr [esp+08], edx
:0041BCE6 0FBEC3 movsx eax, bl
:0041BCE9 50 push eax
:0041BCEA 8D4C240C lea ecx, dword ptr [esp+0C]
* Possible StringData Ref from Data Obj ->"%d"
|
:0041BCEE 6820784700 push 00477820
:0041BCF3 51 push ecx
:0041BCF4 C644242802 mov [esp+28], 02
:0041BCF9 E82AD60100 call 00439328<------------------------转换成10进制,0x6c==108
:0041BCFE 83C40C add esp, 0000000C
:0041BD01 8D542408 lea edx, dword ptr [esp+08]<----------108
:0041BD05 8D4C240C lea ecx, dword ptr [esp+0C]
:0041BD09 52 push edx
:0041BD0A E8803A0200 call 0043F78F
:0041BD0F 8D4C2408 lea ecx, dword ptr [esp+08]
:0041BD13 C644241C01 mov [esp+1C], 01
:0041BD18 E85A360200 call 0043F377
:0041BD1D 46 inc esi
:0041BD1E 83FE04 cmp esi, 00000004<-----------------循环计算,并把结果放在一起
:0041BD21 7C9B jl 0041BCBE<-----------------------1089711099
:0041BD23 8B44240C mov eax, dword ptr [esp+0C]
:0041BD27 50 push eax
:0041BD28 E88CD30000 call 004290B9<---------------------转换成16进制,1089711099==0x40f3abfb
:0041BD2D 83C404 add esp, 00000004
:0041BD30 8D4C240C lea ecx, dword ptr [esp+0C]
:0041BD34 8BF0 mov esi, eax<-----------------------0x40f3abfb
:0041BD36 C644241C00 mov [esp+1C], 00
:0041BD3B E837360200 call 0043F377
:0041BD40 8D4C2424 lea ecx, dword ptr [esp+24]
:0041BD44 C744241CFFFFFFFF mov [esp+1C], FFFFFFFF
:0041BD4C E826360200 call 0043F377
:0041BD51 8B4C2414 mov ecx, dword ptr [esp+14]
:0041BD55 8BC6 mov eax, esi
:0041BD57 5E pop esi
:0041BD58 5B pop ebx
:0041BD59 64890D00000000 mov dword ptr fs:[00000000], ecx
:0041BD60 83C418 add esp, 00000018
:0041BD63 C20400 ret 0004
================================================================================================
* Referenced by a CALL at Address:<-------------------------------------call (3)
|:0041C4EE
|
* Possible Reference to Dialog: DialogID_01BF, CONTROL_ID:00FF, ""
|
:0041C250 6AFF push FFFFFFFF
... ... 略 ... ...
:0041C2D3 57 push edi
:0041C2D4 C644243003 mov [esp+30], 03
:0041C2D9 E8A2FCFFFF call 0041BF80<-------------(3.1)--------又是它,算法同call(1)
:0041C2DE C744241001000000 mov [esp+10], 00000001 参数不同,而已
:0041C2E6 8D4C2408 lea ecx, dword ptr [esp+08]
:0041C2EA C644242402 mov [esp+24], 02
:0041C2EF E883300200 call 0043F377
:0041C2F4 8D4C240C lea ecx, dword ptr [esp+0C]
:0041C2F8 C644242401 mov [esp+24], 01
:0041C2FD E875300200 call 0043F377
:0041C302 8D4C2430 lea ecx, dword ptr [esp+30]
:0041C306 C644242400 mov [esp+24], 00
:0041C30B E867300200 call 0043F377
:0041C310 8B4C241C mov ecx, dword ptr [esp+1C]
:0041C314 8BC7 mov eax, edi
:0041C316 5F pop edi
:0041C317 64890D00000000 mov dword ptr fs:[00000000], ecx
:0041C31E 5E pop esi
:0041C31F 83C420 add esp, 00000020
:0041C322 C20800 ret 0008
====================================================================================================
用户名:lancelot[CCG]
注册码:299343965474195577
=================================================================================================
,;~;,
/\_
( /
(() //)
| \\ ,,;;'\
__ _( )m=(lancelot(================--------
/' ' '()/~' '.(, |
,;( )|| | ~
,;' \ /-(.;, ) 兰斯洛特[CCG][FCG]
) / ) /
// || 2001.09.24
)_\ )_\