中华搜索宝注册算法分析
■、作者声明:初学破解,纯属技术交流,无其它目的。
■、工具:ollyDBg1.09,W32Dasm10。
■、基本知识:基础汇编知识,基本工具使用。
■、注册形式:反跟踪+机器码+密码
■、软件介绍:
中华搜索宝(CHINASSB) 2003c
软件大小: 616 KB
软件语言: 简体中文
软件类别:
国产软件 /搜索引擎
应用平台: Win9x/NT/2000/XP
界面预览: 无
加入时间: 2002-12-18
15:07:17
下载次数: 33673
推荐等级:
联 系
人: wfan99@163.net
开 发 商: http://www.chinassb.com/
软件介绍:
中华搜索宝CHINASSB是一款专业为中国人编写的互联网信息搜索工具.结合了传统搜索引擎的优点,采用多线程快速检索技术,准确查找各类网站、网页信息,从而让您提高了上网效率、节省了搜索时间、降低了上网费用。在使用上中华搜索宝CHINASSB,符合大众日常使用电脑习惯,操作简单而没有特殊的设置。对搜索到的网址,进行鼠标双击就可以通过浏览器进行浏览。而且还支持对搜索结果进行保存、编辑、管理等强大功能。因此,中华搜索宝CHINASSB是您上网找网站、查信息之宝
假设:
机器码:870889
邮箱:lordor820@sina.com
密码:abcdefghijabcdefghij
一查找出错信息
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00492A38(C)
|
:00492A62
A12C664900 mov eax, dword ptr
[0049662C]
:00492A67 80785C00
cmp byte ptr [eax+5C], 00
:00492A6B 752C
jne 00492A99
:00492A6D 8D45F8
lea eax, dword ptr [ebp-08]
*
Possible StringData Ref from Code Obj ->"无效的注册密码! "
|
:00492A70 BA0C2B4900
mov edx, 00492B0C
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004929A4(C)
|
:00492A0B
8B45FC mov eax,
dword ptr [ebp-04]
:00492A0E E8E55CF7FF
call 004086F8
:00492A13 8B55EC
mov edx, dword ptr [ebp-14]
:00492A16 8D45FC
lea eax, dword ptr [ebp-04]
:00492A19
E8AA12F7FF call 00403CC8
:00492A1E
8B45FC mov eax,
dword ptr [ebp-04]
:00492A21 E866FCFFFF
call 0049268C
:00492A26 8BD8
mov ebx, eax
:00492A28 A12C664900
mov eax, dword ptr [0049662C]
:00492A2D
88585C mov byte
ptr [eax+5C], bl
:00492A30 A12C664900
mov eax, dword ptr [0049662C]
:00492A35 80FB01
cmp bl, 01
:00492A38 7528
jne 00492A62=====
二动态分析
004929D4
|. 8B86 F4020000 MOV EAX,DWORD PTR DS:[ESI+2F4]
004929DA |.
E8 3DE1F9FF CALL ssb.00430B1C
; 取邮箱 ss
004929DF
|. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004929E2
|. A1 2C664900 MOV EAX,DWORD PTR DS:[49662C]
004929E7 |.
83C0 64 ADD EAX,64
004929EA |. E8 9512F7FF
CALL ssb.00403C84
004929EF |. 8D55 F0
LEA EDX,DWORD PTR SS:[EBP-10]
004929F2 |. 8B86 E0020000 MOV
EAX,DWORD PTR DS:[ESI+2E0]
004929F8 |. E8 1FE1F9FF CALL
ssb.00430B1C
; 取密码 ss
004929FD |. 8B45 F0
MOV EAX,DWORD PTR SS:[EBP-10]
00492A00 |. 8D55 FC
LEA EDX,DWORD PTR SS:[EBP-4]
00492A03 |. E8 C85EF7FF
CALL ssb.004088D0
; 取密码 ss
00492A08 |. 8D55 EC
LEA EDX,DWORD PTR SS:[EBP-14]
00492A0B |. 8B45 FC
MOV EAX,DWORD PTR SS:[EBP-4]
00492A0E |. E8
E55CF7FF CALL ssb.004086F8
; 密码小写变大写.004086
00492A13
|. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00492A16
|. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00492A19
|. E8 AA12F7FF CALL ssb.00403CC8
00492A1E |. 8B45
FC MOV EAX,DWORD PTR SS:[EBP-4]
00492A21 |.
E8 66FCFFFF CALL ssb.0049268C
; 关键call(2),进入0492
00492A26
8BD8 MOV EBX,EAX
00492A28
A1 2C664900 MOV EAX,DWORD PTR DS:[49662C]
00492A2D
8858 5C MOV BYTE PTR DS:[EAX+5C],BL
00492A30
A1 2C664900 MOV EAX,DWORD PTR DS:[49662C]
00492A35
|. 80FB 01 CMP BL,1
00492A38 |. 75 28
JNZ SHORT ssb.00492A62
; 密码检验,如不正确,出错.00492A62
00492A3A
|. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00492A3D
|. E8 7EF3FFFF CALL ssb.00491DC0
; 取机器码ssb.
00492A42
|. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
; 机器码870889,入eaxTR S
00492A45 |.
E8 0E61F7FF CALL ssb.00408B58
; 机器码转换为十六进制, eax=000D49E9
00492A4A
|. 8BD0 MOV EDX,EAX
;
转换为十六进制的机器码入edx
00492A4C |. B9 37010000 MOV ECX,137
; 137入ecx1
00492A51 |. 8B45 FC
MOV EAX,DWORD PTR SS:[EBP-4]
; 密码串入eaxDWOR
00492A54 |. E8 B7F5FFFF CALL ssb.00492010
;
关键call(2)
00492A59 |. 8B15 2C664900 MOV EDX,DWORD PTR DS:[49662C]
; ssb.004979B0
--------------------------------
关键call(1)
004926AD
|. 68 E1284900 PUSH ssb.004928E1
004926B2 |. 64:FF30
PUSH DWORD PTR FS:[EAX]
004926B5 |. 64:8920
MOV DWORD PTR FS:[EAX],ESP
004926B8 |. C645
FB 00 MOV BYTE PTR SS:[EBP-5],0
004926BC |. 8B45 FC
MOV EAX,DWORD PTR SS:[EBP-4]
004926BF |. E8 EC17F7FF
CALL ssb.00403EB0
; 取密码的长度
004926C4 |. 83F8
14 CMP EAX,14
; 密码的长度是否为20位
004926C7
|. 0F85 F1010000 JNZ ssb.004928BE
004926CD |. 8D45 F4
LEA EAX,DWORD PTR SS:[EBP-C]
004926D0 |. 8B55 FC
MOV EDX,DWORD PTR SS:[EBP-4]
004926D3 |. E8
F015F7FF CALL ssb.00403CC8
004926D8 |. E8 3B75F7FF
CALL ssb.00409C18
004926DD |. 83C4 F8 ADD
ESP,-8
; /
004926E0 |. DD1C24
FSTP QWORD PTR SS:[ESP]
; |Arg1 (8-byte)
004926E3 |. 9B
WAIT
;
|
004926E4 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
; |
004926E7 |. B8 FC284900
MOV EAX,ssb.004928FC
; |ASCII "hhnnss"
004926EC |. E8 6781F7FF
CALL ssb.0040A858
; \ssb.0040A858
004926F1 |. 8B45
E8 MOV EAX,DWORD PTR SS:[EBP-18]
004926F4 |.
E8 5F64F7FF CALL ssb.00408B58
004926F9 |. 8BF0
MOV ESI,EAX
004926FB |. BB 01000000 MOV
EBX,1
00492700 |> 83FE 0A /CMP ESI,0A
00492703
|. 7C 59 |JL SHORT ssb.0049275E
00492705
|. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]
00492708
|. E8 A317F7FF |CALL ssb.00403EB0
0049270D |. 85C0
|TEST EAX,EAX
0049270F |. 7E 2E
|JLE SHORT ssb.0049273F
00492711 |. E8 0275F7FF
|CALL ssb.00409C18
00492716 |. 83C4 F8
|ADD ESP,-8
; /
00492719 |. DD1C24
|FSTP QWORD PTR SS:[ESP]
; |Arg1 (8-byte)
0049271C |. 9B
|WAIT
;
|
0049271D |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C]
; |
00492720 |. B8 FC284900
|MOV EAX,ssb.004928FC
; |ASCII "hhnnss"
00492725 |. E8 2E81F7FF
|CALL ssb.0040A858
; \ssb.0040A858
0049272A |. 8B45 E4
|MOV EAX,DWORD PTR SS:[EBP-1C]
0049272D |. E8 2664F7FF
|CALL ssb.00408B58
00492732 |. 2BC6
|SUB EAX,ESI
00492734 |. 83F8 0A |CMP
EAX,0A
00492737 |. 0F8F 81010000 |JG ssb.004928BE
0049273D |.
EB 1F |JMP SHORT ssb.0049275E
0049273F |>
8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]
00492742 |.
E8 6917F7FF |CALL ssb.00403EB0
00492747 |. 3BD8
|CMP EBX,EAX
00492749 |. 7D 13
|JGE SHORT ssb.0049275E
0049274B |. 8D45 F0
|LEA EAX,DWORD PTR SS:[EBP-10]
0049274E |. 50
|PUSH EAX
0049274F |. B9 01000000
|MOV ECX,1
00492754 |. 8BD3
|MOV EDX,EBX
00492756 |. 8B45 F4 |MOV EAX,DWORD
PTR SS:[EBP-C]
00492759 |. E8 5A19F7FF |CALL ssb.004040B8
0049275E
|> 43 |INC EBX
0049275F
|. 81FB F5010000 |CMP EBX,1F5
00492765 |.^75 99
\JNZ SHORT ssb.00492700
; 上面是一段反跟踪代码,所以必须在下面下断才有效
00492767 |.
BB 01000000 MOV EBX,1
0049276C |> 8D45 E0
/LEA EAX,DWORD PTR SS:[EBP-20]
0049276F |. 50
|PUSH EAX
00492770 |. B9 01000000
|MOV ECX,1
00492775 |. 8BD3
|MOV EDX,EBX
00492777 |. 8B45 F4 |MOV EAX,DWORD
PTR SS:[EBP-C] ; 密码入eax
0049277A
|. E8 3919F7FF |CALL ssb.004040B8
0049277F |. 8B45
E0 |MOV EAX,DWORD PTR SS:[EBP-20]
00492782 |.
BA 0C294900 |MOV EDX,ssb.0049290C
; Z入edx
00492787 |. E8 3418F7FF
|CALL ssb.00403FC0
0049278C |. 0F87 2C010000 |JA ssb.004928BE
00492792
|. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]
00492795
|. 50 |PUSH EAX
00492796 |.
B9 01000000 |MOV ECX,1
0049279B |. 8BD3
|MOV EDX,EBX
0049279D |. 8B45 F4 |MOV
EAX,DWORD PTR SS:[EBP-C] ; 密码入eax
004927A0
|. E8 1319F7FF |CALL ssb.004040B8
004927A5 |. 8B45
DC |MOV EAX,DWORD PTR SS:[EBP-24]
004927A8 |.
BA 18294900 |MOV EDX,ssb.00492918
; A入edx
004927AD |. E8 0E18F7FF
|CALL ssb.00403FC0
004927B2 |. 0F82 06010000 |JB ssb.004928BE
004927B8
|. 43 |INC EBX
004927B9 |.
83FB 15 |CMP EBX,15
004927BC |.^75 AE
\JNZ SHORT ssb.0049276C
; 以上判断密码是否是A-Z间的字母
004927BE |.
8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004927C1 |.
8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
; 密码入edx
004927C4 |. E8 FF14F7FF
CALL ssb.00403CC8
; 取第5位
004927C9 |. 33FF
XOR EDI,EDI
004927CB |. BB 01000000
MOV EBX,1
004927D0 |> 8D45 EC /LEA
EAX,DWORD PTR SS:[EBP-14]
004927D3 |. 50
|PUSH EAX
004927D4 |. B9 01000000 |MOV ECX,1
004927D9
|. 8BD3 |MOV EDX,EBX
004927DB |.
8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
; 密码入eax
004927DE |. E8 D518F7FF
|CALL ssb.004040B8
; 取一位密码
004927E3 |. BA 24294900
|MOV EDX,ssb.00492924
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
004927E8
|. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
; 取得一位密码入eax
004927EB |. E8 AC19F7FF
|CALL ssb.0040419C
; 密码第N位在字符串中的位置
004927F0 |. 8BF0
|MOV ESI,EAX
; 位置数入esi
004927F2
|. 4E |DEC ESI
; 位置数减1,入esi
004927F3 |. 0FAFF3
|IMUL ESI,EBX
; 与第N位相乘,入esi
004927F6 |.
03FE |ADD EDI,ESI
; 结果相加
004927F8
|. 43 |INC EBX
004927F9 |.
83FB 14 |CMP EBX,14
004927FC |.^75 D2
\JNZ SHORT ssb.004927D0
; 以上总结:edi=0;edi=edi+(第N位密码在串中的位置数-1)*N
004927FE
|. 8BC7 MOV EAX,EDI
00492800 |.
B9 1A000000 MOV ECX,1A
00492805 |. 99
CDQ
00492806 |. F7F9
IDIV ECX
00492808 |. 42
INC EDX
; 取以上计算结果值的26的模并加1,入edx
00492809
|. 8BFA MOV EDI,EDX
;
edx入edi,edx=edi=F
0049280B |. 8D45 EC LEA
EAX,DWORD PTR SS:[EBP-14] ; 密码倒数第二位入eax
0049280E
|. 50 PUSH EAX
0049280F |.
B8 24294900 MOV EAX,ssb.00492924
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492814
|. B9 01000000 MOV ECX,1
00492819 |. 8BD7
MOV EDX,EDI
0049281B |. E8 9818F7FF CALL
ssb.004040B8
; 取串中第(模数值+1)位,将与密码最后一位比较
00492820 |. 8D45 D8
LEA EAX,DWORD PTR SS:[EBP-28]
00492823 |.
50 PUSH EAX
00492824 |. B9
01000000 MOV ECX,1
00492829 |. BA 14000000 MOV
EDX,14
0049282E |. 8B45 F0 MOV EAX,DWORD PTR
SS:[EBP-10] ; 密码入eax
00492831
|. E8 8218F7FF CALL ssb.004040B8
; 取密码第20位的1位值,得J
00492836
|. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00492839
|. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0049283C
|. E8 7F17F7FF CALL ssb.00403FC0
00492841
74 7B JE SHORT ssb.004928BE=====>⑴
; 上面与密码的最后一位比较
00492843 |. 33FF
XOR EDI,EDI
00492845 |. BB 01000000 MOV
EBX,1
0049284A |> 8D45 EC /LEA EAX,DWORD
PTR SS:[EBP-14] ; 取得的密码最后1位
0049284D
|. 50 |PUSH EAX
0049284E |.
B9 01000000 |MOV ECX,1
00492853 |. 8BD3
|MOV EDX,EBX
00492855 |. 8B45 F0 |MOV
EAX,DWORD PTR SS:[EBP-10] ; 密码串入eax
00492858
|. E8 5B18F7FF |CALL ssb.004040B8
; 取密码串的第N位
0049285D
|. BA 24294900 |MOV EDX,ssb.00492924
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492862
|. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
00492865
|. E8 3219F7FF |CALL ssb.0040419C
; 密码第N位在字符串中的位置
0049286A
|. 8BF0 |MOV ESI,EAX
;
位置数入esi
0049286C |. 4E
|DEC ESI
; 位置数减1,入esi
0049286D |.
03FE |ADD EDI,ESI
; 各位置数相加
0049286F
|. 43 |INC EBX
00492870 |.
83FB 13 |CMP EBX,13
00492873 |.^75 D5
\JNZ SHORT ssb.0049284A
; 密码中除了最后一位,其它参与运算
00492875 |.
8BC7 MOV EAX,EDI
00492877 |. B9 1A000000
MOV ECX,1A
0049287C |. 99
CDQ
0049287D |. F7F9 IDIV ECX
; 取26的模
0049287F |. 42
INC EDX
;
模数加1
00492880 |. 8BFA MOV EDI,EDX
00492882
|. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00492885
|. 50 PUSH EAX
00492886 |.
B8 24294900 MOV EAX,ssb.00492924
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
0049288B
|. B9 01000000 MOV ECX,1
00492890 |. 8BD7
MOV EDX,EDI
00492892 |. E8 2118F7FF CALL
ssb.004040B8
; 取串中第(模数值+1)位,将与密码倒数第2位比较
00492897 |. 8D45 D4
LEA EAX,DWORD PTR SS:[EBP-2C]
0049289A |.
50 PUSH EAX
0049289B |. B9
01000000 MOV ECX,1
004928A0 |. BA 13000000 MOV
EDX,13
004928A5 |. 8B45 F0 MOV EAX,DWORD PTR
SS:[EBP-10]
004928A8 |. E8 0B18F7FF CALL ssb.004040B8
;
取密码的倒数第2位
004928AD |. 8B55 D4 MOV EDX,DWORD
PTR SS:[EBP-2C]
004928B0 |. 8B45 EC MOV EAX,DWORD
PTR SS:[EBP-14]
004928B3 |. E8 0817F7FF CALL ssb.00403FC0
004928B8
74 04 JE SHORT ssb.004928BE========>⑵
004928BA
|. C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
; 以上都相等,[ebp-5]赋1
004928BE |>
33C0 XOR EAX,EAX
call(1)总结:
串:GFEDCBANMLKJIHTSRQPOZYXWVU
1、第一步
Y=0
for(int
i=1;i<21;i++)//共20位运算
{
密码第i位在串中的位置数X;
Y=Y+(X-1)*i;
}
Y=mode(Y,26);
Y=Y+1;
取在串中第Y位的字母与密码的最后1位比较;
2、第二步
Y=0;
for(int
i=1;i<20;i++)//共19位运算
{
密码第i位在串中的位置数X;
Y=Y+(X-1);
}
Y=mode(Y,26);
Y=Y+1;
取在串中第Y位的字母与密码的最后第2位比较;
--------------------------------
关键call(2)
00492020
|. 874D FC XCHG DWORD PTR SS:[EBP-4],ECX
00492023
|. 53 PUSH EBX
00492024 |.
56 PUSH ESI
00492025 |. 57
PUSH EDI
00492026 |. 894D F4
MOV DWORD PTR SS:[EBP-C],ECX
00492029 |. 8955
F8 MOV DWORD PTR SS:[EBP-8],EDX
0049202C |.
8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049202F |.
8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00492032 |.
E8 2D20F7FF CALL ssb.00404064
00492037 |. 33C0
XOR EAX,EAX
00492039 |. 55
PUSH EBP
0049203A |. 68 16264900 PUSH
ssb.00492616
0049203F |. 64:FF30 PUSH DWORD
PTR FS:[EAX]
00492042 |. 64:8920 MOV DWORD
PTR FS:[EAX],ESP
00492045 |. C645 F3 00 MOV BYTE PTR SS:[EBP-D],0
00492049
|. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049204C
|. E8 5F1EF7FF CALL ssb.00403EB0
00492051 |. 83F8
14 CMP EAX,14
;比较注册码是否为20位
00492054 |.
0F85 89050000 JNZ ssb.004925E3
0049205A |. 8D45 EC
LEA EAX,DWORD PTR SS:[EBP-14]
0049205D |. 8B55 FC
MOV EDX,DWORD PTR SS:[EBP-4]
00492060 |. E8 631CF7FF
CALL ssb.00403CC8
00492065 |. E8 AE7BF7FF CALL
ssb.00409C18
0049206A |. 83C4 F8 ADD ESP,-8
; /
0049206D |. DD1C24
FSTP QWORD PTR SS:[ESP]
; |Arg1 (8-byte)
00492070 |. 9B
WAIT
; |
00492071
|. 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
; |
00492074 |. B8 30264900
MOV EAX,ssb.00492630
; |ASCII "hhnnss"
00492079 |. E8 DA87F7FF
CALL ssb.0040A858
; \ssb.0040A858
0049207E |. 8B45
C4 MOV EAX,DWORD PTR SS:[EBP-3C]
00492081 |.
E8 D26AF7FF CALL ssb.00408B58
00492086 |. 8BF8
MOV EDI,EAX
00492088 |. BB 01000000 MOV
EBX,1
0049208D |> 83FF 0A /CMP EDI,0A
00492090
|. 7C 59 |JL SHORT ssb.004920EB
00492092
|. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
00492095
|. E8 161EF7FF |CALL ssb.00403EB0
0049209A |. 85C0
|TEST EAX,EAX
0049209C |. 7E 2E
|JLE SHORT ssb.004920CC
0049209E |. E8 757BF7FF
|CALL ssb.00409C18
004920A3 |. 83C4 F8
|ADD ESP,-8
; /
004920A6 |. DD1C24
|FSTP QWORD PTR SS:[ESP]
; |Arg1 (8-byte)
004920A9 |. 9B
|WAIT
;
|
004920AA |. 8D55 C0 |LEA EDX,DWORD PTR SS:[EBP-40]
; |
004920AD |. B8 30264900
|MOV EAX,ssb.00492630
; |ASCII "hhnnss"
004920B2 |. E8 A187F7FF
|CALL ssb.0040A858
; \ssb.0040A858
004920B7 |. 8B45 C0
|MOV EAX,DWORD PTR SS:[EBP-40]
004920BA |. E8 996AF7FF
|CALL ssb.00408B58
004920BF |. 2BC7
|SUB EAX,EDI
004920C1 |. 83F8 0A |CMP
EAX,0A
004920C4 |. 0F8F 19050000 |JG ssb.004925E3
004920CA |.
EB 1F |JMP SHORT ssb.004920EB
004920CC |>
8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
004920CF
|. E8 DC1DF7FF |CALL ssb.00403EB0
004920D4 |. 3BD8
|CMP EBX,EAX
004920D6 |. 7D 13
|JGE SHORT ssb.004920EB
004920D8 |. 8D45 E8
|LEA EAX,DWORD PTR SS:[EBP-18]
004920DB |.
50 |PUSH EAX
004920DC |. B9
01000000 |MOV ECX,1
004920E1 |. 8BD3
|MOV EDX,EBX
004920E3 |. 8B45 EC |MOV
EAX,DWORD PTR SS:[EBP-14]
004920E6 |. E8 CD1FF7FF |CALL
ssb.004040B8
004920EB |> 43
|INC EBX
004920EC |. 81FB F5010000 |CMP EBX,1F5
004920F2 |.^75
99 \JNZ SHORT ssb.0049208D
004920F4 |.
BB 01000000 MOV EBX,1
;以上为反跟踪代码
004920F9
|> 8D45 BC /LEA EAX,DWORD PTR SS:[EBP-44]
004920FC
|. 50 |PUSH EAX
004920FD |.
B9 01000000 |MOV ECX,1
00492102 |. 8BD3
|MOV EDX,EBX
00492104 |. 8B45 EC |MOV
EAX,DWORD PTR SS:[EBP-14] ; 密码入eax
00492107
|. E8 AC1FF7FF |CALL ssb.004040B8
0049210C |. 8B45
BC |MOV EAX,DWORD PTR SS:[EBP-44]
0049210F |.
BA 40264900 |MOV EDX,ssb.00492640
; Z入edx
00492114 |. E8 A71EF7FF
|CALL ssb.00403FC0
00492119 |. 0F87 C4040000 |JA ssb.004925E3
0049211F
|. 8D45 B8 |LEA EAX,DWORD PTR SS:[EBP-48]
00492122
|. 50 |PUSH EAX
00492123 |.
B9 01000000 |MOV ECX,1
00492128 |. 8BD3
|MOV EDX,EBX
0049212A |. 8B45 EC |MOV
EAX,DWORD PTR SS:[EBP-14] ; 密码入eax
0049212D
|. E8 861FF7FF |CALL ssb.004040B8
00492132 |. 8B45
B8 |MOV EAX,DWORD PTR SS:[EBP-48]
00492135 |.
BA 4C264900 |MOV EDX,ssb.0049264C
; A入edx
0049213A |. E8 811EF7FF
|CALL ssb.00403FC0
0049213F |. 0F82 9E040000 |JB ssb.004925E3
00492145
|. 43 |INC EBX
00492146 |.
83FB 15 |CMP EBX,15
00492149 |.^75 AE
\JNZ SHORT ssb.004920F9
; 以上为判断密码是否为大写字母
0049214B |.
8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0049214E |.
8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
; 密码入edx
00492151 |. E8 721BF7FF
CALL ssb.00403CC8
00492156 |. 33F6
XOR ESI,ESI
00492158 |. BB 01000000 MOV EBX,1
0049215D
|> 8D45 E4 /LEA EAX,DWORD PTR SS:[EBP-1C]
00492160
|. 50 |PUSH EAX
00492161 |.
B9 01000000 |MOV ECX,1
00492166 |. 8BD3
|MOV EDX,EBX
00492168 |. 8B45 E8 |MOV
EAX,DWORD PTR SS:[EBP-18]
0049216B |. E8 481FF7FF |CALL
ssb.004040B8
; 依次取密码各位
00492170 |. BA 58264900 |MOV
EDX,ssb.00492658
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492175 |.
8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
00492178
|. E8 1F20F7FF |CALL ssb.0040419C
; 密码位在串的位置数
0049217D
|. 8BF8 |MOV EDI,EAX
0049217F |.
4F |DEC EDI
; 位数减1
00492180 |. 0FAFFB |IMUL
EDI,EBX
00492183 |. 03F7 |ADD ESI,EDI
00492185
|. 43 |INC EBX
00492186 |.
83FB 14 |CMP EBX,14
00492189 |.^75 D2
\JNZ SHORT ssb.0049215D
0049218B |. 8BC6
MOV EAX,ESI
0049218D |. B9 1A000000
MOV ECX,1A
00492192 |. 99
CDQ
00492193 |. F7F9 IDIV ECX
; 取26的模数
00492195 |. 42
INC EDX
00492196 |. 8BF2
MOV ESI,EDX
00492198 |. 8D45 E4 LEA
EAX,DWORD PTR SS:[EBP-1C]
0049219B |. 50
PUSH EAX
0049219C |. B8 58264900 MOV EAX,ssb.00492658
; ASCII
"GFEDCBANMLKJIHTSRQPOZYXWVU"
004921A1 |. B9 01000000
MOV ECX,1
004921A6 |. 8BD6 MOV
EDX,ESI
004921A8 |. E8 0B1FF7FF CALL ssb.004040B8
;
取串中的一位
004921AD |. 8D45 B4 LEA EAX,DWORD
PTR SS:[EBP-4C]
004921B0 |. 50
PUSH EAX
004921B1 |. B9 01000000 MOV ECX,1
004921B6 |.
BA 14000000 MOV EDX,14
004921BB |. 8B45 E8
MOV EAX,DWORD PTR SS:[EBP-18]
; 密码入eax
004921BE |. E8 F51EF7FF CALL ssb.004040B8
;
取密码最后一位
004921C3 |. 8B55 B4 MOV EDX,DWORD
PTR SS:[EBP-4C]
004921C6 |. 8B45 E4 MOV EAX,DWORD
PTR SS:[EBP-1C]
004921C9 |. E8 F21DF7FF CALL ssb.00403FC0
;
比较是否相等
004921CE 0F84 0F040000 JE ssb.004925E3 ======>⑶
;与call(1)第一步同
004921D4 |.
33F6 XOR ESI,ESI
004921D6 |. BB 01000000
MOV EBX,1
004921DB |> 8D45 E4 /LEA
EAX,DWORD PTR SS:[EBP-1C]
004921DE |. 50
|PUSH EAX
004921DF |. B9 01000000 |MOV ECX,1
004921E4
|. 8BD3 |MOV EDX,EBX
004921E6 |.
8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004921E9
|. E8 CA1EF7FF |CALL ssb.004040B8
004921EE |. BA 58264900
|MOV EDX,ssb.00492658
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
004921F3
|. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
004921F6
|. E8 A11FF7FF |CALL ssb.0040419C
004921FB |. 8BF8
|MOV EDI,EAX
004921FD |. 4F
|DEC EDI
004921FE |. 03F7
|ADD ESI,EDI
00492200 |. 43
|INC EBX
00492201 |. 83FB 13
|CMP EBX,13
00492204 |.^75 D5 \JNZ
SHORT ssb.004921DB
00492206 |. 8BC6
MOV EAX,ESI
00492208 |. B9 1A000000 MOV ECX,1A
0049220D
|. 99 CDQ
0049220E |.
F7F9 IDIV ECX
00492210 |. 42
INC EDX
00492211 |. 8BF2
MOV ESI,EDX
00492213 |. 8D45 E4
LEA EAX,DWORD PTR SS:[EBP-1C]
00492216 |. 50
PUSH EAX
00492217 |. B8 58264900 MOV
EAX,ssb.00492658
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
0049221C |.
B9 01000000 MOV ECX,1
00492221 |. 8BD6
MOV EDX,ESI
00492223 |. E8 901EF7FF CALL ssb.004040B8
00492228
|. 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0049222B
|. 50 PUSH EAX
0049222C |.
B9 01000000 MOV ECX,1
00492231 |. BA 13000000 MOV
EDX,13
00492236 |. 8B45 E8 MOV EAX,DWORD PTR
SS:[EBP-18]
00492239 |. E8 7A1EF7FF CALL ssb.004040B8
0049223E
|. 8B55 B0 MOV EDX,DWORD PTR SS:[EBP-50]
00492241
|. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00492244
|. E8 771DF7FF CALL ssb.00403FC0
; 比较是否相等
00492249
0F84 94030000 JE ssb.004925E3======+======>⑷
与call(2)第二步相同
0049224F |. 8D45 E8
LEA EAX,DWORD PTR SS:[EBP-18]
00492252 |. 50
PUSH EAX
00492253 |. B9 12000000 MOV
ECX,12
00492258 |. BA 01000000 MOV EDX,1
0049225D |.
8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
; 密码入eax
00492260 |. E8 531EF7FF
CALL ssb.004040B8
; 从第1位开始,取18位
00492265 |.
8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00492268 |.
E8 C319F7FF CALL ssb.00403C30
0049226D |. BB 01000000
MOV EBX,1
00492272 |> 8D45 AC /LEA
EAX,DWORD PTR SS:[EBP-54]
00492275 |. 50
|PUSH EAX
00492276 |. BA 12000000 |MOV EDX,12
0049227B
|. 2BD3 |SUB EDX,EBX
0049227D |.
42 |INC EDX
0049227E |. B9
01000000 |MOV ECX,1
00492283 |. 8B45 E8
|MOV EAX,DWORD PTR SS:[EBP-18] ;
18位密码入eax
00492286 |. E8 2D1EF7FF |CALL ssb.004040B8
;
从最后一位开始,依次取1 位
0049228B |. 8B55 AC |MOV
EDX,DWORD PTR SS:[EBP-54]
0049228E |. 8D45 EC |LEA
EAX,DWORD PTR SS:[EBP-14]
00492291 |. E8 221CF7FF |CALL
ssb.00403EB8
00492296 |. 43
|INC EBX
00492297 |. 83FB 13 |CMP EBX,13
0049229A
|.^75 D6 \JNZ SHORT ssb.00492272
; 以上为把密码串反倒存放,如原来ABCDE,变为EDCBA
0049229C
|. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
; 密码18位入eax
0049229F |. 8B55
EC MOV EDX,DWORD PTR SS:[EBP-14]
; 反倒的18位入edx
004922A2 |. E8 211AF7FF
CALL ssb.00403CC8
004922A7 |. 8D45 EC LEA
EAX,DWORD PTR SS:[EBP-14]
004922AA |. E8 8119F7FF CALL ssb.00403C30
004922AF
|. BB 01000000 MOV EBX,1
004922B4 |> FF75 EC
/PUSH DWORD PTR SS:[EBP-14]
004922B7 |. 8D45 A8
|LEA EAX,DWORD PTR SS:[EBP-58]
004922BA |. 50
|PUSH EAX
004922BB |. B9 01000000
|MOV ECX,1
004922C0 |. 8BD3
|MOV EDX,EBX
004922C2 |. 8B45 E8 |MOV
EAX,DWORD PTR SS:[EBP-18] ; 反倒的18位密码入edx
004922C5
|. E8 EE1DF7FF |CALL ssb.004040B8
; 依次从第1 位开始取1位
004922CA
|. FF75 A8 |PUSH DWORD PTR SS:[EBP-58]
004922CD
|. 8D45 A4 |LEA EAX,DWORD PTR SS:[EBP-5C]
004922D0
|. 50 |PUSH EAX
004922D1 |.
8D53 09 |LEA EDX,DWORD PTR DS:[EBX+9]
004922D4 |.
B9 01000000 |MOV ECX,1
004922D9 |. 8B45 E8
|MOV EAX,DWORD PTR SS:[EBP-18]
; 反倒的18位密码入edx
004922DC |. E8 D71DF7FF |CALL ssb.004040B8
;
从第1位开始,取第ebx+9位
004922E1 |. FF75 A4 |PUSH
DWORD PTR SS:[EBP-5C]
004922E4 |. 8D45 EC |LEA
EAX,DWORD PTR SS:[EBP-14]
004922E7 |. BA 03000000 |MOV EDX,3
004922EC
|. E8 7F1CF7FF |CALL ssb.00403F70
; 反倒18位密码,把第EBX位反倒密码+第(ebx+9)位反倒密码,两位依次存放,当(ebx+9)>18时把反到密码第ebx位依次存放在在后面,最后会形成共27位的密码串
004922F1
|. 43 |INC EBX
004922F2 |.
83FB 13 |CMP EBX,13
; 共进行18次循环
004922F5
|.^75 BD \JNZ SHORT ssb.004922B4
004922F7
|. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004922FA
|. 50 PUSH EAX
004922FB |.
B9 0F000000 MOV ECX,0F
; F入ecx
00492300
|. BA 01000000 MOV EDX,1
00492305 |. 8B45 EC
MOV EAX,DWORD PTR SS:[EBP-14]
; 上面所得的27位密码,入eax
00492308 |. E8 AB1DF7FF
CALL ssb.004040B8
; 从第1位开始,共取15位,形成15位密码
0049230D |.
8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
; 反倒的18位密码入eax
00492310 |. E8 1B19F7FF
CALL ssb.00403C30
00492315 |. BB 01000000 MOV
EBX,1
0049231A |> 8D45 E4 /LEA EAX,DWORD
PTR SS:[EBP-1C]
0049231D |. 50
|PUSH EAX
0049231E |. 8D149B |LEA EDX,DWORD
PTR DS:[EBX+EBX*4]
00492321 |. 83EA 04 |SUB
EDX,4
00492324 |. B9 05000000 |MOV ECX,5
00492329 |.
8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
; 上面形成的15位密码,入eax
0049232C |. E8 871DF7FF
|CALL ssb.004040B8
; 从第(ebx+ebx*4)-4位开始,共取5位,形成5位密码
00492331
|. 33FF |XOR EDI,EDI
00492333 |.
BE 05000000 |MOV ESI,5
00492338 |> 8D45 A0
|/LEA EAX,DWORD PTR SS:[EBP-60]
0049233B |. 50
||PUSH EAX
0049233C |. B9 01000000
||MOV ECX,1
00492341 |. 8BD6
||MOV EDX,ESI
00492343 |. 8B45 E4 ||MOV EAX,DWORD
PTR SS:[EBP-1C] ; 上面形成的5位密码,入eax
00492346
|. E8 6D1DF7FF ||CALL ssb.004040B8
; 从第5位开始,取1位
0049234B
|. 8B45 A0 ||MOV EAX,DWORD PTR SS:[EBP-60]
0049234E
|. BA 58264900 ||MOV EDX,ssb.00492658
; ASCII "GFEDCBANMLKJIHTSRQPOZYXWVU"
00492353
|. E8 441EF7FF ||CALL ssb.0040419C
; 该位在串中的位置
00492358
|. 48 ||DEC EAX
; 位置数减1
00492359 |. 6BD7 1A
||IMUL EDX,EDI,1A
; edx=edi*1a
0049235C |. 03C2
||ADD EAX,EDX
; eax=eax+edx
0049235E
|. 8BF8 ||MOV EDI,EAX
;
edi=eax
00492360 |. 4E
||DEC ESI
00492361 |. 85F6 ||TEST
ESI,ESI
00492363 |.^75 D3
|\JNZ SHORT ssb.00492338
00492365 |. 8D55 E4
|LEA EDX,DWORD PTR SS:[EBP-1C] ;
上面形成的5位密码,入edx
00492368 |. 8BC7
|MOV EAX,EDI
0049236A |. E8 4967F7FF |CALL ssb.00408AB8
;
上面计算的edi值转换为十进制
0049236F |. 8B45 E4 |MOV
EAX,DWORD PTR SS:[EBP-1C]
00492372 |. E8 391BF7FF |CALL
ssb.00403EB0
; 取位数
00492377 |. BF 07000000 |MOV EDI,7
0049237C
|. 2BF8 |SUB EDI,EAX
0049237E |.
85FF |TEST EDI,EDI
00492380 |. 7E
13 |JLE SHORT ssb.00492395
00492382 |>
8D45 E4 |/LEA EAX,DWORD PTR SS:[EBP-1C]
00492385
|. 8B4D E4 ||MOV ECX,DWORD PTR SS:[EBP-1C]
00492388
|. BA 7C264900 ||MOV EDX,ssb.0049267C
; 0入edx
0049238D |.
E8 6A1BF7FF ||CALL ssb.00403EFC
00492392 |. 4F
||DEC EDI
00492393 |.^75 ED
|\JNZ SHORT ssb.00492382
; 十进制数如小于7位,则在前面插入0
00492395 |> 8D45
E8 |LEA EAX,DWORD PTR SS:[EBP-18]
00492398 |.
8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
0049239B
|. E8 181BF7FF |CALL ssb.00403EB8
; 生成的十进制数依次连起来,形成21位数字
004923A0
|. 43 |INC EBX
004923A1 |.
83FB 04 |CMP EBX,4
004923A4 |.^0F85 70FFFFFF
\JNZ ssb.0049231A
; 以上循环3次
004923AA |. 8D45 EC
LEA EAX,DWORD PTR SS:[EBP-14]
; 倒转的18位密码
004923AD |. 8B55 E8
MOV EDX,DWORD PTR SS:[EBP-18] ;
生成的21位数字,入edx
004923B0 |. E8 1319F7FF CALL ssb.00403CC8
004923B5
|. BB 01000000 MOV EBX,1
004923BA |. 8D75 C8
LEA ESI,DWORD PTR SS:[EBP-38]
004923BD |> 8D45
9C /LEA EAX,DWORD PTR SS:[EBP-64]
004923C0 |.
50 |PUSH EAX
004923C1 |. 8D145B
|LEA EDX,DWORD PTR DS:[EBX+EBX*2]
004923C4 |.
83EA 02 |SUB EDX,2
004923C7 |. B9 03000000
|MOV ECX,3
004923CC |. 8B45 EC |MOV
EAX,DWORD PTR SS:[EBP-14] ; 生成的21位数字,入eax
004923CF
|. E8 E41CF7FF |CALL ssb.004040B8
; 从第[(ebx+ebx*2)-2]位开始,取3位
004923D4
|. 8B45 9C |MOV EAX,DWORD PTR SS:[EBP-64]
004923D7
|. E8 7C67F7FF |CALL ssb.00408B58
; 3位数字,转换为十六进制
004923DC
|. 8906 |MOV DWORD PTR DS:[ESI],EAX
004923DE
|. 43 |INC EBX
004923DF |.
83C6 04 |ADD ESI,4
004923E2 |. 83FB 08
|CMP EBX,8
; 循环7次
004923E5
|.^75 D6 \JNZ SHORT ssb.004923BD
; 以上为把21位十进制数字,分成7段
004923E7
|. BB FAFFFFFF MOV EBX,-6
004923EC |. 8D45 E0
LEA EAX,DWORD PTR SS:[EBP-20]
004923EF |> 8B10
/MOV EDX,DWORD PTR DS:[EAX]
; 第(8-ebx)段入edx
004923F1 |. 3B50
FC |CMP EDX,DWORD PTR DS:[EAX-4]
; 第(8-ebx)段与第(8-ebx-1)段是否相等
004923F4 |.
7D 06 |JGE SHORT ssb.004923FC
; 如第(8-ebx)段比第(8-ebx-1)段小,则第(8-ebx)段+3e8
004923F6
|. 8100 E8030000 |ADD DWORD PTR DS:[EAX],3E8
; 如小,则第(8-ebx)段+3e8
004923FC |>
8B50 FC |MOV EDX,DWORD PTR DS:[EAX-4]
; 第(8-ebx)-1段入edx
004923FF |. 2910
|SUB DWORD PTR DS:[EAX],EDX
; 第(8-ebx)段-第6段
00492401 |. 83E8
04 |SUB EAX,4
00492404 |. 43
|INC EBX
00492405 |.^75 E8
\JNZ SHORT ssb.004923EF
; 循环7次,把以上分成7段,作相应变换7段
00492407 |.
8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
; 生成的21位数字,入eax
0049240A |. E8 2118F7FF
CALL ssb.00403C30
0049240F |. BB 07000000 MOV
EBX,7
00492414 |. 8D75 C8 LEA ESI,DWORD PTR
SS:[EBP-38]
00492417 |> 8D55 E8 /LEA EDX,DWORD
PTR SS:[EBP-18] ; 生成的21位数字,入edx
0049241A
|. 8B06 |MOV EAX,DWORD PTR DS:[ESI]
; 变换的第ebx段入eax
0049241C
|. E8 9766F7FF |CALL ssb.00408AB8
; 把十六进制数转换为十进制
00492421
|. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
; 十进制数入eax
00492424 |. E8 871AF7FF
|CALL ssb.00403EB0
; 取位数
00492429 |. BF 03000000
|MOV EDI,3
0049242E |. 2BF8
|SUB EDI,EAX
00492430 |. 85FF |TEST
EDI,EDI
00492432 |. 7E 13 |JLE SHORT
ssb.00492447
00492434 |> 8D45 E8 |/LEA
EAX,DWORD PTR SS:[EBP-18]
00492437 |. 8B4D E8 ||MOV
ECX,DWORD PTR SS:[EBP-18]
0049243A |. BA 7C264900 ||MOV
EDX,ssb.0049267C
; 0入edx
0049243F |. E8 B81AF7FF ||CALL ssb.00403EFC
00492444
|. 4F ||DEC EDI
00492445 |.^75
ED |\JNZ SHORT ssb.00492434
; 如果十进制数小于3位,则在前面插入0
00492447
|> 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
0049244A
|. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
0049244D
|. E8 661AF7FF |CALL ssb.00403EB8
; 7段依次形成21位,3*7=21
00492452
|. 83C6 04 |ADD ESI,4
00492455 |. 4B
|DEC EBX
00492456 |.^75 BF
\JNZ SHORT ssb.00492417
00492458 |.
BB 01000000 MOV EBX,1
0049245D |> 8D45 98
/LEA EAX,DWORD PTR SS:[EBP-68]
00492460 |. 50
|PUSH EAX
00492461 |. B9 01000000
|MOV ECX,1
00492466 |. 8BD3
|MOV EDX,EBX
00492468 |. 8B45 EC |MOV EAX,DWORD
PTR SS:[EBP-14] ; 形成21位十进制数入eax SS:
0049246B
|. E8 481CF7FF |CALL ssb.004040B8
; 从第ebx位开始,取1位数字0B8
00492470
|. 8B45 98 |MOV EAX,DWORD PTR SS:[EBP-68]
00492473
|. BA 88264900 |MOV EDX,ssb.00492688
; 9入edx
00492478 |.
E8 431BF7FF |CALL ssb.00403FC0
0049247D |. 0F87 60010000
|JA ssb.004925E3
00492483 |. 8D45 94 |LEA
EAX,DWORD PTR SS:[EBP-6C]
00492486 |. 50
|PUSH EAX
00492487 |. B9 01000000 |MOV ECX,1
0049248C
|. 8BD3 |MOV EDX,EBX
0049248E |.
8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
; 形成21位十进制数入eax
00492491 |. E8 221CF7FF
|CALL ssb.004040B8
00492496 |. 8B45 94
|MOV EAX,DWORD PTR SS:[EBP-6C] ;
0入eax
00492499 |. BA 7C264900 |MOV EDX,ssb.0049267C
0049249E
|. E8 1D1BF7FF |CALL ssb.00403FC0
004924A3 |. 0F82
3A010000 |JB ssb.004925E3
004924A9 |. 43
|INC EBX
004924AA |. 83FB 16 |CMP
EBX,16
; 循环21次BX,
004924AD |.^75 AE
\JNZ SHORT ssb.0049245D
; 以上为判断从形成21位十进制数是否为数字
004924AF
|. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004924B2
|. 50 PUSH EAX
004924B3 |.
8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
; 形成21位十进制数入eax
004924B6 |. E8 F519F7FF
CALL ssb.00403EB0
; 取位数
004924BB |. 8BC8
MOV ECX,EAX
004924BD |. BA 03000000
MOV EDX,3
004924C2 |. 8B45 EC MOV EAX,DWORD
PTR SS:[EBP-14] ; 形成21位十进制数入eax
004924C5
|. E8 EE1BF7FF CALL ssb.004040B8
; 从第3位开始,取21位,即取第3位开始的后面所有位,形成19位
004924CA
|. BE 01000000 MOV ESI,1
;esi=1
004924CF
|. BB 01000000 MOV EBX,1
004924D4 |> 8D45 90
/LEA EAX,DWORD PTR SS:[EBP-70]
004924D7 |. 50
|PUSH EAX
004924D8 |. B9 01000000
|MOV ECX,1
004924DD |. 8BD3
|MOV EDX,EBX
004924DF |. 8B45 E8 |MOV
EAX,DWORD PTR SS:[EBP-18] ; 形成19位数入eax
004924E2
|. E8 D11BF7FF |CALL ssb.004040B8
; 从第ebx开始取1位
004924E7
|. 8B45 90 |MOV EAX,DWORD PTR SS:[EBP-70]
004924EA
|. E8 6966F7FF |CALL ssb.00408B58
; 转换为十六进制,入eax
004924EF
|. 8BF8 |MOV EDI,EAX
;
edi=eax
004924F1 |. 85FF |TEST
EDI,EDI
004924F3 |. 74 03 |JE SHORT
ssb.004924F8
004924F5 |. 0FAFF7 |IMUL ESI,EDI
; esi=esi*edi,如数为0不参与运算
004924F8 |> 83FE 64
|CMP ESI,64
; esi是否小于64
004924FB
|. 7E 0C |JLE SHORT ssb.00492509
004924FD
|. 8BC6 |MOV EAX,ESI
004924FF |.
B9 64000000 |MOV ECX,64
00492504 |. 99
|CDQ
00492505 |. F7F9
|IDIV ECX
00492507 |. 8BF0
|MOV ESI,EAX
; 商入esi
00492509 |> 43
|INC EBX
0049250A |. 83FB 14
|CMP EBX,14
; 循环19次
0049250D
|.^75 C5 \JNZ SHORT ssb.004924D4
0049250F
|. 8BC6 MOV EAX,ESI
00492511 |.
B9 64000000 MOV ECX,64
00492516 |. 99
CDQ
00492517 |. F7F9
IDIV ECX
00492519 |. 8BF2 MOV
ESI,EDX
; 取esi的64模数,并入esi
0049251B |.
83FE 0A CMP ESI,0A
0049251E |. 7D 03
JGE SHORT ssb.00492523
; 如果esi小于0a,则esi=esi+0a
00492520
|. 83C6 0A ADD ESI,0A
00492523 |>
8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
00492526 |.
50 PUSH EAX
00492527 |. B9
02000000 MOV ECX,2
0049252C |. BA 01000000 MOV
EDX,1
00492531 |. 8B45 EC MOV EAX,DWORD PTR
SS:[EBP-14] ; 形成21位十进制数入eax
00492534
|. E8 7F1BF7FF CALL ssb.004040B8
; 从第1位开始,共取2位
00492539
|. 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
; 两位数入eax
0049253C |. E8
1766F7FF CALL ssb.00408B58
; 转换为十六进制,入eax
00492541
|. 3BF0 CMP ESI,EAX
;
比较esi与eax
00492543 0F84 9A000000 JE ssb.004925E3
==============>⑸ ; 不等,出错
00492549 |.
8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049254C |.
E8 DF16F7FF CALL ssb.00403C30
00492551 |. BB 01000000
MOV EBX,1
00492556 |> 8D45 88 /LEA
EAX,DWORD PTR SS:[EBP-78]
00492559 |. 50
|PUSH EAX
0049255A |. B9 01000000 |MOV ECX,1
0049255F
|. 8BD3 |MOV EDX,EBX
00492561 |.
8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
; 形成19位十进制数(形成21位十进制数去掉前两位)入eax
00492564 |.
E8 4F1BF7FF |CALL ssb.004040B8
; 从第ebx开始,取1位数
00492569
|. 8B45 88 |MOV EAX,DWORD PTR SS:[EBP-78]
0049256C
|. E8 E765F7FF |CALL ssb.00408B58
; 转换为十六进制,入eax
00492571
|. BF 09000000 |MOV EDI,9
; 9入edi
00492576
|. 2BF8 |SUB EDI,EAX
;
edi=edi-eax
00492578 |. 8D55 84 |LEA
EDX,DWORD PTR SS:[EBP-7C]
0049257B |. 8BC7
|MOV EAX,EDI
0049257D |. E8 3665F7FF |CALL ssb.00408AB8
;
转换为十六进制
00492582 |. 8B55 84 |MOV EDX,DWORD
PTR SS:[EBP-7C]
00492585 |. 8D45 EC |LEA EAX,DWORD
PTR SS:[EBP-14]
00492588 |. E8 2B19F7FF |CALL ssb.00403EB8
0049258D
|. 43 |INC EBX
0049258E |.
83FB 14 |CMP EBX,14
; 循环19次
00492591
|.^75 C3 \JNZ SHORT ssb.00492556
; 以上为依次用9减去各位,形成新19位串
00492593
|. 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
00492596
|. 50 PUSH EAX
00492597 |.
B9 03000000 MOV ECX,3
0049259C |. BA 03000000 MOV
EDX,3
004925A1 |. 8B45 EC MOV EAX,DWORD PTR
SS:[EBP-14] ; 形成新19位串,入eax
004925A4 |. E8 0F1BF7FF CALL ssb.004040B8
;
从第3位开始,取3位
004925A9 |. 8B45 80 MOV EAX,DWORD
PTR SS:[EBP-80]
004925AC |. E8 A765F7FF CALL ssb.00408B58
;
转换为十六进制,入eax
004925B1 |. 3B45 F4 CMP
EAX,DWORD PTR SS:[EBP-C] ; eax与[ebp-c]相比较,即与137比较
004925B4
74 2D JE SHORT ssb.004925E3 ============>⑹
; 不等出出错
004925B6 |. 8D85 7CFFFFFF LEA
EAX,DWORD PTR SS:[EBP-84]
004925BC |. 50
PUSH EAX
004925BD |. B9 06000000 MOV ECX,6
004925C2
|. BA 0E000000 MOV EDX,0E
004925C7 |. 8B45 EC
MOV EAX,DWORD PTR SS:[EBP-14]
; 形成新19位串入eax
004925CA |. E8 E91AF7FF CALL
ssb.004040B8
; 从第E位开始,取6位
004925CF |. 8B85 7CFFFFFF MOV
EAX,DWORD PTR SS:[EBP-84] ; 6位数据入eax
004925D5
|. E8 7E65F7FF CALL ssb.00408B58
; 转换为十六进制,入eax8B58
004925DA
|. 3B45 F8 CMP EAX,DWORD PTR SS:[EBP-8]
; eax与[ebp-8]比较,即与机器码相比较BP-8]
004925DD
74 04 JE SHORT ssb.004925E3 ============>⑺
; 不等,则出错
004925DF |. C645 F3 01
MOV BYTE PTR SS:[EBP-D],1
004925E3 |> 33C0
XOR EAX,EAX
call(2)总结:
串:GFEDCBANMLKJIHTSRQPOZYXWVU
密码串:abcdefghijabcdefghij
1、第一步
Y=0
for(int
i=1;i<21;i++)//共20位运算
{
密码第i位在串中的位置数X;
Y=Y+(X-1)*i;
}
Y=mode(Y,26);
Y=Y+1;
取在串中第Y位的字母与密码的最后1位比较;
2、第二步
Y=0;
for(int
i=1;i<20;i++)//共19位运算
{
密码第i位在串中的位置数X;
Y=Y+(X-1);
}
Y=mode(Y,26);
Y=Y+1;
取在串中第Y位的字母与密码的最后第2位比较;
3、第三步:伪C语言描述如下:
从密码串第1位开始,共取18位,形成串A;
//密码串:abcdefghijabcdefghij->abcdefghijabcdefgh(设为A)
上一步取得的18位密码串A反倒存放,设为串B;
//如abcdefghijabcdefgh->hgfedcbaj
ihgfedcba
//下面形成新串C,共27位
//把串B平分为B1(hgfedcbaj)和B2(ihgfedcba)两段
把B2串交叉插入B1串中,再在后面追加串B2,即形成串C:
//c串为:highfgefdecdbcabjaihgfedcba
从C串第1位开始,取15位,形成串D;
//D为highfgefdecdbca
依次从D串第1位、第6位、第11位开始,各取5位;
//设形成串,各设为串E,串F,串G:highf,gefde,cdbca
//上面三串各作下面运算:
int
tmp=0;
for(int i=5;i>0;i++)
{
int locate=f(E(i));
//串(E,F,G)从最高位开始,依次查找其在串(GFEDCBANMLKJIHTSRQPOZYXWVU)中的位置值;
locate=locate-1;
tmp=locate+tmp*26
}
if(tmp的位数小于7位)
在tmp数前面插入0;
三个串各自生成的7位tmp组成21位串H;
串H从第1位开始各取3位,共分成7串,设为I(1,2,3''''7);//7*3=21
从最后I7段开始,与前面1段,两相比较,如后1段比前1段小,则在后1段加上1000;//循环6次
从最后1段开始,如果其位数小于3位,则在前面插入0;
上面7段数依次追加,变换为21位J串;
从J串第3位开始,取后面所有位,形成19位串K;
int
tmp=1;
for(int i=1;i<20;i++)
{
if(串K第i位不等于0)
tmp=串K第i位*tmp;
if(tmp>100)
tmp=(int)(tmp/100);//取商
}
tmp=mode(tmp,100);
if(tmp<10)
tmp=tmp+10;
tmp与串J的前两位相比较;
用9与串K各位相减,形成串L;
串L从第3位开始取3位,与311比较;
从串L第14位开始取6位,即取串L的后面6位,与机器码比较;
反推:
1、机器码:870889->L串:x1x2x3x4x5x6x7x8x9x10x11x12x13x14x15x16x17x18x19,
x1x2-311-x6x7x8x9x10x11x12x13-870889->
2、串K:(9-x1)(9-x2)688(9-x6)(9-x7)(9-x8)(9-x9)(9-x10)(9-x11)(9-x12)(9-x13)-129110->
在前面加两位即为J串:Y1Y2(9-x1)(9-x2)688(9-x6)(9-x7)(9-x8)(9-x9)(9-x10)(9-x11)(9-x12)(9-x13)-129110
3、等式1:y1y2=串K非零各位依次相乘值(如果乘出数大于100取百位数继续与后面各非零数相乘,最后取十位及个位)
4、串J等分为7段,两相比较,处理,形成串H
5、串H分为3段,每段为7位
6、每段据串产生5位
......
三、破解:
验证过程又长又烦,眼睛都看直了。边用ollydbg动态跟踪代码,一边在ollydbg中注解代码,写得很乱。
爆破如下,因水平太差了,共砍了7刀,技术有待进一步提高。
在(1)致(7)处把jne改为je即可。
依次改为:
Patches
Address
Size State Old
new
Comment
004921CE 6.
Active JNZ ssb.004925E3
JE ssb.004925E3
00492249 6. Active
JNZ ssb.004925E3 JE ssb.004925E3
00492543
6. Active JNZ ssb.004925E3
JE ssb.004925E3
不等,出错
004925B4 2. Active JNZ SHORT
ssb.004925E3 JE SHORT ssb.004925E3
不等出出错
004925DD 2. Active JNZ SHORT ssb.004925E3
JE SHORT ssb.004925E3 不等,则出错
00492841
2. Active JNZ SHORT ssb.004928BE
JE SHORT ssb.004928BE
004928B8 2.
Active JNZ SHORT ssb.004928BE JE SHORT
ssb.004928BE
把以上由old的值改为new的值就会爆破了。
注册时随意输入20个字母的密码即可,与邮箱名无关。
cracked
by lordor
03.5.3