【破文标题】 System commander 8 算法分析
【破文作者】 daxia2002
【作者邮箱】 daxia2002@126.com
【使用工具】 Peid,Ollydbg,ida
【破解平台】 Win2000/XP
【软件名称】 system commander 8
【下载地址】 http://www.v-com.com
启动安装程序,输入用户名:“dx”、公司名:“ml”、注册码:第一栏是固定的灰色信息“SC8”,大概是system commander 8的简写;第二栏输入“111111”,字符长度6位,程序友好地给限制了;第三栏输入“2222222”,字符长度7位,程序也友好地给限制了;第四栏输入“3333”,字符长度4位,程序还是友好地给限制了。点击“下一步”按钮,提示“The serial number is incorrect. Please re-enter it.”,早在预料之中,嘿嘿。
好了,启动OllyDbg,选择“文件”->“附加”,在附加窗口里,选中窗口名为“System Commander”的进程,点击“附加”按钮,好了,OllyDbg已附加上了,中断在系统空间,在代码窗口右键->“查看”->“console”切换到程序空间,F9运行一下。
下断点bp MessageBoxA,重新输入伪注册码“SC8-111111-2222222-3333”,点击“下一步”,被OllyDbg断了下来,老办法,ALT+K打开调用堆栈窗口:
地址 堆栈 例程 / 参数 调用来自 Frame
0012E9B4 004461CF USER32.MessageBoxA console.004461C9 0012EAE8
0012E9B8 000C04CE hOwner = 000C04CE ('Customer Information',class='#32770',paren
0012E9BC 00A34170 Text = "The serial number is incorrect. Please re-enter it."
0012E9C0 00A32490 Title = "System Commander"
0012EAEC 00446220 Maybe console.00446117 console.0044621A 0012EAE8
0012EAF0 00A34170 Arg1 = 00A34170 ASCII "The serial number is incorrect. Please
0012EAF4 00000030 Arg2 = 00000030
0012EAF8 0000EF5F Arg3 = 0000EF5F
0012EB00 00446270 console.004461FE console.0044626B 0012EAFC
0012EB04 00A34170 Arg1 = 00A34170 ASCII "The serial number is incorrect. Please
0012EB08 00000030 Arg2 = 00000030
0012EB0C 0000EF5F Arg3 = 0000EF5F
0012EB28 0042211E console.00446236 console.00422119 0012EB24
0012EB2C 0000EF5F Arg1 = 0000EF5F
0012EB30 00000030 Arg2 = 00000030
// OllyDbg view (module "console", 32-bit x86) of the tail of the serial-number check.
// Two byte-wise string comparisons, each unrolled to two characters per pass, leave
// eax = 0 when the compared strings are equal. A match in either one jumps to 00422127;
// if both differ, execution falls through to the error-message call at 00422119.
// NOTE(review): the pointers in eax/esi for the first comparison are loaded before this excerpt.
0042207A > /8A10 mov dl,byte ptr ds:[eax] // dl = next byte of the string at eax
0042207C . |8A1E mov bl,byte ptr ds:[esi] // bl = next byte of the string at esi
0042207E . |8ACA mov cl,dl
00422080 . |3AD3 cmp dl,bl
00422082 . |75 1E jnz short console.004220A2 // bytes differ: leave the loop
00422084 . |84C9 test cl,cl
00422086 . |74 16 je short console.0042209E // terminating NUL reached: strings are equal
00422088 . |8A50 01 mov dl,byte ptr ds:[eax+1] // second byte of the pair
0042208B . |8A5E 01 mov bl,byte ptr ds:[esi+1]
0042208E . |8ACA mov cl,dl
00422090 . |3AD3 cmp dl,bl
00422092 . |75 0E jnz short console.004220A2
00422094 . |83C0 02 add eax,2
00422097 . |83C6 02 add esi,2
0042209A . |84C9 test cl,cl
0042209C .^\75 DC jnz short console.0042207A // not at the NUL yet: compare the next pair
0042209E > 33C0 xor eax,eax // equal: eax = 0
004220A0 . EB 05 jmp short console.004220A7
004220A2 > 1BC0 sbb eax,eax // mismatch: eax becomes -1 or 1 from the carry left by cmp dl,bl
004220A4 . 83D8 FF sbb eax,-1
004220A7 > 85C0 test eax,eax
004220A9 . 74 7C je short console.00422127 // first comparison matched
004220AB . 8D7424 70 lea esi,dword ptr ss:[esp+70] // second comparison: string at [esp+70]
004220AF . 8D4424 14 lea eax,dword ptr ss:[esp+14] // against the string at [esp+14]
004220B3 > 8A10 mov dl,byte ptr ds:[eax]
004220B5 . 8A1E mov bl,byte ptr ds:[esi]
004220B7 . 8ACA mov cl,dl
004220B9 . 3AD3 cmp dl,bl
004220BB . 75 1E jnz short console.004220DB
004220BD . 84C9 test cl,cl
004220BF . 74 16 je short console.004220D7
004220C1 . 8A50 01 mov dl,byte ptr ds:[eax+1]
004220C4 . 8A5E 01 mov bl,byte ptr ds:[esi+1]
004220C7 . 8ACA mov cl,dl
004220C9 . 3AD3 cmp dl,bl
004220CB . 75 0E jnz short console.004220DB
004220CD . 83C0 02 add eax,2
004220D0 . 83C6 02 add esi,2
004220D3 . 84C9 test cl,cl
004220D5 .^ 75 DC jnz short console.004220B3
004220D7 > 33C0 xor eax,eax
004220D9 . EB 05 jmp short console.004220E0
004220DB > 1BC0 sbb eax,eax
004220DD . 83D8 FF sbb eax,-1
004220E0 > 85C0 test eax,eax
004220E2 . 74 43 je short console.00422127 // second comparison matched
004220E4 . 8B7424 20 mov esi,dword ptr ss:[esp+20]
004220E8 . 68 60C44600 push console.0046C460
004220ED . 8BCE mov ecx,esi
004220EF . E8 6CD30100 call console.0043F460
004220F4 . 8B4C24 28 mov ecx,dword ptr ss:[esp+28]
004220F8 . 68 60C44600 push console.0046C460
004220FD . E8 5ED30100 call console.0043F460
00422102 . 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
00422106 . 68 60C44600 push console.0046C460
0042210B . E8 50D30100 call console.0043F460
00422110 . 6A FF push -1
00422112 . 6A 30 push 30
00422114 . 68 5FEF0000 push 0EF5F
00422119 . E8 18410200 call console.00446236 // the call stack leads back to here; looking upward, the decision is made at 004220E0, which the author identifies as the branch that could be patched
0042211E . 8BCE mov ecx,esi
00422120 . E8 8AD40100 call console.0043F5AF
00422125 . EB 2C jmp short console.00422153
// IDA listing of the dialog handler that validates the registration page (first part,
// up to the call into sub_421CE0). ecx on entry is kept in ebp and passed as ecx to the
// member-style calls below. Visible steps: read the user-name and company fields, reject
// empty ones, read the four serial fields into stack buffers, join them with "-" using
// inlined string copies, then call sub_421CE0 on the text of the first three fields.
// NOTE(review): the inlined copies carry no length checks of their own; they depend on
// the limits passed to sub_43F487 (1Eh / 0Ah, presumably maximum lengths) and on the
// dialog's field-length limits described in the text - confirm the buffer sizes.
.text:00421DC0 6A FF push 0FFFFFFFFh
.text:00421DC2 68 C6 37 45 00 push offset loc_4537C6
.text:00421DC7 64 A1 00 00 00 00 mov eax, large fs:0
.text:00421DCD 50 push eax
.text:00421DCE 64 89 25 00 00 00+mov large fs:0, esp // link a new exception-handler record at fs:0
.text:00421DD5 81 EC 90 00 00 00 sub esp, 90h
.text:00421DDB A1 00 8F 46 00 mov eax, off_468F00
.text:00421DE0 53 push ebx
.text:00421DE1 55 push ebp
.text:00421DE2 56 push esi
.text:00421DE3 8B E9 mov ebp, ecx // ebp = ecx from the caller (presumably the dialog object)
.text:00421DE5 89 44 24 10 mov [esp+10h], eax // local at [esp+10h] receives the user name below
.text:00421DE9 C7 84 24 A4 00 00+mov dword ptr [esp+0A4h], 0
.text:00421DF4 89 44 24 0C mov [esp+0Ch], eax // local at [esp+0Ch] receives the company name below
.text:00421DF8 C6 84 24 A4 00 00+mov byte ptr [esp+0A4h], 1
.text:00421E00 E8 A9 BE 02 00 call ?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ ; AfxGetModuleState(void)
.text:00421E05 8B 58 04 mov ebx, [eax+4]
.text:00421E08 6A 01 push 1
.text:00421E0A 8B CD mov ecx, ebp
.text:00421E0C E8 1B CA 01 00 call sub_43E82C
.text:00421E11 8D 44 24 10 lea eax, [esp+10h]
.text:00421E15 8B CD mov ecx, ebp
.text:00421E17 50 push eax
.text:00421E18 68 FA 03 00 00 push 3FAh
.text:00421E1D E8 93 B3 01 00 call sub_43D1B5 // fetches the entered user name (control id 3FAh)
.text:00421E22 8D 4C 24 0C lea ecx, [esp+0Ch]
.text:00421E26 51 push ecx
.text:00421E27 68 FB 03 00 00 push 3FBh
.text:00421E2C 8B CD mov ecx, ebp
.text:00421E2E E8 82 B3 01 00 call sub_43D1B5 // fetches the entered company name (control id 3FBh)
.text:00421E33 8B 54 24 10 mov edx, [esp+10h]
.text:00421E37 68 60 C4 46 00 push offset ValueName
.text:00421E3C 52 push edx
.text:00421E3D E8 37 95 00 00 call __mbscmp // checks whether the entered user name is empty (ValueName is presumably the empty string)
.text:00421E42 83 C4 08 add esp, 8
.text:00421E45 85 C0 test eax, eax
.text:00421E47 75 15 jnz short loc_421E5E // not empty: continue at 421E5E
.text:00421E49 6A FF push 0FFFFFFFFh
.text:00421E4B 6A 30 push 30h
.text:00421E4D 68 62 EF 00 00 push 0EF62h
.text:00421E52 E8 DF 43 02 00 call sub_446236 // message helper, same routine as the serial error with a different id (0EF62h)
.text:00421E57 68 FA 03 00 00 push 3FAh
.text:00421E5C EB 29 jmp short loc_421E87
.text:00421E5E ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00421E5E loc_421E5E: ; CODE XREF: .text:00421E47j
.text:00421E5E 8B 54 24 0C mov edx, [esp+0Ch]
.text:00421E62 68 60 C4 46 00 push offset ValueName
.text:00421E67 52 push edx
.text:00421E68 E8 0C 95 00 00 call __mbscmp // checks whether the entered company name is empty
.text:00421E6D 83 C4 08 add esp, 8
.text:00421E70 85 C0 test eax, eax
.text:00421E72 75 31 jnz short loc_421EA5 // not empty: continue at 421EA5
.text:00421E74 6A FF push 0FFFFFFFFh
.text:00421E76 6A 30 push 30h
.text:00421E78 68 60 EF 00 00 push 0EF60h
.text:00421E7D E8 B4 43 02 00 call sub_446236
.text:00421E82 68 FB 03 00 00 push 3FBh
.text:00421E87 loc_421E87: ; CODE XREF: .text:00421E5Cj
.text:00421E87 8B CD mov ecx, ebp
.text:00421E89 E8 4A D4 01 00 call sub_43F2D8 // called with the id of the empty field (3FAh or 3FBh) pushed above
.text:00421E8E 8B 40 1C mov eax, [eax+1Ch]
.text:00421E91 8B 4D 1C mov ecx, [ebp+1Ch]
.text:00421E94 6A 01 push 1
.text:00421E96 50 push eax
.text:00421E97 6A 28 push 28h
.text:00421E99 51 push ecx
.text:00421E9A FF 15 C4 55 45 00 call ds:SendMessageA // message 28h (WM_NEXTDLGCTL) with lParam 1; presumably moves focus to that field
.text:00421EA0 E9 AE 02 00 00 jmp loc_422153
.text:00421EA5 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00421EA5 loc_421EA5: ; CODE XREF: .text:00421E72j
.text:00421EA5 57 push edi
.text:00421EA6 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421EAA 6A 1E push 1Eh
.text:00421EAC 52 push edx // address of the buffer for serial field 1 ("SC8")
.text:00421EAD 8D 8D FC 00 00 00 lea ecx, [ebp+0FCh]
.text:00421EB3 E8 CF D5 01 00 call sub_43F487 // reads serial field 1; here "SC8"
.text:00421EB8 8D 44 24 5C lea eax, [esp+5Ch]
.text:00421EBC 8D 8D 38 01 00 00 lea ecx, [ebp+138h]
.text:00421EC2 6A 0A push 0Ah
.text:00421EC4 50 push eax // address of the buffer for serial field 2 ("111111")
.text:00421EC5 89 4C 24 2C mov [esp+2Ch], ecx // remember the field-2 object for the error path
.text:00421EC9 E8 B9 D5 01 00 call sub_43F487 // reads serial field 2; here "111111"
.text:00421ECE 8D 54 24 68 lea edx, [esp+68h]
.text:00421ED2 8D 8D 74 01 00 00 lea ecx, [ebp+174h]
.text:00421ED8 6A 0A push 0Ah
.text:00421EDA 52 push edx // address of the buffer for serial field 3 ("2222222")
.text:00421EDB 89 4C 24 34 mov [esp+34h], ecx // remember the field-3 object
.text:00421EDF E8 A3 D5 01 00 call sub_43F487 // reads serial field 3; here "2222222"
.text:00421EE4 8D 44 24 18 lea eax, [esp+18h]
.text:00421EE8 8D 8D C0 00 00 00 lea ecx, [ebp+0C0h]
.text:00421EEE 6A 0A push 0Ah
.text:00421EF0 50 push eax // address of the buffer for serial field 4 ("3333")
.text:00421EF1 89 4C 24 30 mov [esp+30h], ecx // remember the field-4 object
.text:00421EF5 E8 8D D5 01 00 call sub_43F487 // reads serial field 4; here "3333"
// inlined string append: "-" is appended to the field-1 buffer at [esp+3Ch]
.text:00421EFA 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421EFD BF 38 86 46 00 mov edi, offset asc_468638 ; "-"
.text:00421F02 33 C0 xor eax, eax
.text:00421F04 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F08 F2 AE repne scasb // scan the source for its NUL
.text:00421F0A F7 D1 not ecx // ecx = source length including the NUL
.text:00421F0C 2B F9 sub edi, ecx
.text:00421F0E 8B F7 mov esi, edi // esi = start of the source
.text:00421F10 8B FA mov edi, edx
.text:00421F12 8B D1 mov edx, ecx
.text:00421F14 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F17 F2 AE repne scasb // scan the destination for its NUL
.text:00421F19 8B CA mov ecx, edx
.text:00421F1B 4F dec edi // edi = destination's NUL, where the copy starts
.text:00421F1C C1 E9 02 shr ecx, 2
.text:00421F1F F3 A5 rep movsd // copy whole dwords
.text:00421F21 8B CA mov ecx, edx
.text:00421F23 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F27 83 E1 03 and ecx, 3
.text:00421F2A F3 A4 rep movsb // copy the remaining 0-3 bytes
// inlined string append: field 2 ([esp+5Ch]) is appended to [esp+3Ch]
.text:00421F2C 8D 7C 24 5C lea edi, [esp+5Ch]
.text:00421F30 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F33 F2 AE repne scasb
.text:00421F35 F7 D1 not ecx
.text:00421F37 2B F9 sub edi, ecx
.text:00421F39 8B F7 mov esi, edi
.text:00421F3B 8B FA mov edi, edx
.text:00421F3D 8B D1 mov edx, ecx
.text:00421F3F 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F42 F2 AE repne scasb
.text:00421F44 8B CA mov ecx, edx
.text:00421F46 4F dec edi
.text:00421F47 C1 E9 02 shr ecx, 2
.text:00421F4A F3 A5 rep movsd
.text:00421F4C 8B CA mov ecx, edx
.text:00421F4E 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F52 83 E1 03 and ecx, 3
.text:00421F55 F3 A4 rep movsb
// inlined string append: "-" is appended to [esp+3Ch]
.text:00421F57 BF 38 86 46 00 mov edi, offset asc_468638 ; "-"
.text:00421F5C 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F5F F2 AE repne scasb
.text:00421F61 F7 D1 not ecx
.text:00421F63 2B F9 sub edi, ecx
.text:00421F65 8B F7 mov esi, edi
.text:00421F67 8B FA mov edi, edx
.text:00421F69 8B D1 mov edx, ecx
.text:00421F6B 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F6E F2 AE repne scasb
.text:00421F70 8B CA mov ecx, edx
.text:00421F72 4F dec edi
.text:00421F73 C1 E9 02 shr ecx, 2
.text:00421F76 F3 A5 rep movsd
.text:00421F78 8B CA mov ecx, edx
.text:00421F7A 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421F7E 83 E1 03 and ecx, 3
.text:00421F81 F3 A4 rep movsb
// inlined string append: field 3 ([esp+68h]) is appended to [esp+3Ch]
.text:00421F83 8D 7C 24 68 lea edi, [esp+68h]
.text:00421F87 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F8A F2 AE repne scasb
.text:00421F8C F7 D1 not ecx
.text:00421F8E 2B F9 sub edi, ecx
.text:00421F90 8B F7 mov esi, edi
.text:00421F92 8B FA mov edi, edx
.text:00421F94 8B D1 mov edx, ecx
.text:00421F96 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421F99 F2 AE repne scasb
.text:00421F9B 8B CA mov ecx, edx
.text:00421F9D 4F dec edi
.text:00421F9E C1 E9 02 shr ecx, 2
.text:00421FA1 F3 A5 rep movsd
.text:00421FA3 8B CA mov ecx, edx
.text:00421FA5 8D 94 24 80 00 00+lea edx, [esp+80h]
.text:00421FAC 83 E1 03 and ecx, 3
.text:00421FAF F3 A4 rep movsb
// inlined string copy: the first three fields joined so far ([esp+3Ch]) are copied to [esp+80h]
.text:00421FB1 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421FB4 8D 7C 24 3C lea edi, [esp+3Ch]
.text:00421FB8 F2 AE repne scasb
.text:00421FBA F7 D1 not ecx
.text:00421FBC 2B F9 sub edi, ecx
.text:00421FBE 8B C1 mov eax, ecx
.text:00421FC0 8B F7 mov esi, edi
.text:00421FC2 C1 E9 02 shr ecx, 2
.text:00421FC5 8B FA mov edi, edx
.text:00421FC7 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421FCB F3 A5 rep movsd
.text:00421FCD 8B C8 mov ecx, eax
.text:00421FCF 33 C0 xor eax, eax
.text:00421FD1 83 E1 03 and ecx, 3
.text:00421FD4 F3 A4 rep movsb
// inlined string append: "-" is appended to [esp+3Ch]
.text:00421FD6 BF 38 86 46 00 mov edi, offset asc_468638 ; "-"
.text:00421FDB 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421FDE F2 AE repne scasb
.text:00421FE0 F7 D1 not ecx
.text:00421FE2 2B F9 sub edi, ecx
.text:00421FE4 8B F7 mov esi, edi
.text:00421FE6 8B FA mov edi, edx
.text:00421FE8 8B D1 mov edx, ecx
.text:00421FEA 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421FED F2 AE repne scasb
.text:00421FEF 8B CA mov ecx, edx
.text:00421FF1 4F dec edi
.text:00421FF2 C1 E9 02 shr ecx, 2
.text:00421FF5 F3 A5 rep movsd
.text:00421FF7 8B CA mov ecx, edx
.text:00421FF9 8D 54 24 3C lea edx, [esp+3Ch]
.text:00421FFD 83 E1 03 and ecx, 3
.text:00422000 F3 A4 rep movsb
// inlined string append: field 4 ([esp+18h]) is appended to [esp+3Ch]; the argument
// pushes for sub_421CE0 are interleaved with the end of this copy
.text:00422002 8D 7C 24 18 lea edi, [esp+18h]
.text:00422006 83 C9 FF or ecx, 0FFFFFFFFh
.text:00422009 F2 AE repne scasb
.text:0042200B F7 D1 not ecx
.text:0042200D 2B F9 sub edi, ecx
.text:0042200F 8B F7 mov esi, edi
.text:00422011 8B FA mov edi, edx
.text:00422013 8B D1 mov edx, ecx
.text:00422015 83 C9 FF or ecx, 0FFFFFFFFh
.text:00422018 F2 AE repne scasb
.text:0042201A 8B CA mov ecx, edx
.text:0042201C 4F dec edi
.text:0042201D C1 E9 02 shr ecx, 2
.text:00422020 F3 A5 rep movsd
.text:00422022 8B CA mov ecx, edx
.text:00422024 8D 44 24 74 lea eax, [esp+74h]
.text:00422028 83 E1 03 and ecx, 3
.text:0042202B 50 push eax // third argument: output buffer at [esp+74h]
.text:0042202C F3 A4 rep movsb
.text:0042202E 8D 4C 24 34 lea ecx, [esp+34h] // second argument: output buffer ([esp+30h] before the push above)
.text:00422032 8D 94 24 84 00 00+lea edx, [esp+84h] // edx -> "SC8-111111-2222222" (the copy made at [esp+80h] before the push)
.text:00422039 51 push ecx
.text:0042203A 52 push edx
.text:0042203B 8B CD mov ecx, ebp
.text:0042203D E8 9E FC FF FF call sub_421CE0 // the key call; the listing steps into it
// sub_421CE0(arg_0 = text, arg_4 = out1, arg_8 = out2); three stack arguments, removed
// by the callee (retn 0Ch).
// Uppercases the text in place, folds its characters into a 16-bit value (seed 1,
// constants 0DEADh and 0BAD1h), prints that value and the value XOR 0BAD1h as four hex
// digits each into out1 and out2, then replaces every hex digit through a lookup table.
// If the text is empty nothing is written to out1/out2.
// The result is an unkeyed 16-bit function of the visible serial text with every
// constant embedded in the binary, so it behaves like a typo checksum and carries no
// secret; authenticity would need a signature verified against a vendor public key.
// NOTE(review): the table copy moves 6 dwords (24 bytes) while the literal as printed
// shows 17 characters; the run of spaces was probably collapsed by the page rendering -
// confirm against the binary.
sub_421CE0 proc near ; CODE XREF: .text:0042203Dp
.text:00421CE0 var_48= byte ptr -48h
.text:00421CE0 var_18= dword ptr -18h
.text:00421CE0 arg_0= dword ptr 4
.text:00421CE0 arg_4= dword ptr 8
.text:00421CE0 arg_8= dword ptr 0Ch
.text:00421CE0 83 EC 18 sub esp, 18h
.text:00421CE3 B9 06 00 00 00 mov ecx, 6 // dword count for the table copy below
.text:00421CE8 53 push ebx
.text:00421CE9 8B 5C 24 20 mov ebx, [esp+1Ch+arg_0] // ebx -> the input text "SC8-111111-2222222"
.text:00421CED 56 push esi
.text:00421CEE 57 push edi
.text:00421CEF BE 20 86 46 00 mov esi, offset aRhtlmwyaefXjpk ; "RHTLMWYAEF XJPKCG"
.text:00421CF4 8D 7C 24 0C lea edi, [esp+24h+var_18]
.text:00421CF8 F3 A5 rep movsd // copy the lookup table into the 18h-byte local area
.text:00421CFA 53 push ebx ; char * // push the pointer to "SC8-111111-2222222"
.text:00421CFB E8 21 82 01 00 call __strupr // convert "SC8-111111-2222222" to upper case in place
.text:00421D00 8B FB mov edi, ebx
.text:00421D02 83 C9 FF or ecx, 0FFFFFFFFh
.text:00421D05 33 C0 xor eax, eax
.text:00421D07 83 C4 04 add esp, 4
.text:00421D0A F2 AE repne scasb // inlined strlen
.text:00421D0C F7 D1 not ecx
.text:00421D0E 49 dec ecx // ecx = length of the text
.text:00421D0F BE 01 00 00 00 mov esi, 1 // esi = 1, the initial accumulator
.text:00421D14 8B F9 mov edi, ecx // edi = length of "SC8-111111-2222222"
.text:00421D16 0F 84 8F 00 00 00 jz loc_421DAB // flags still come from dec ecx: empty text goes straight to the epilogue
.text:00421D1C 33 D2 xor edx, edx // edx = character index
.text:00421D1E 85 FF test edi, edi
.text:00421D20 7E 2F jle short loc_421D51 // length <= 0 skips the loop (length 0 was already handled by the jz above)
.text:00421D22 55 push ebp // ebp is used as scratch inside the loop
.text:00421D23 loc_421D23: ; CODE XREF: sub_421CE0+6Ej
.text:00421D23 8A 03 mov al, [ebx] // al = current character
.text:00421D25 8B CA mov ecx, edx // ecx = edx (0 on the first pass)
.text:00421D27 81 E1 07 00 00 80 and ecx, 80000007h // ecx = ecx and 80000007h; with the fix-up below this yields the index modulo 8
.text:00421D2D 79 05 jns short loc_421D34 // sign clear (ecx >= 0): skip the fix-up
.text:00421D2F 49 dec ecx // otherwise ecx--
.text:00421D30 83 C9 F8 or ecx, 0FFFFFFF8h // ecx = ecx or 0FFFFFFF8h
.text:00421D33 41 inc ecx // ecx++
.text:00421D34 loc_421D34: ; CODE XREF: sub_421CE0+4Dj
.text:00421D34 66 0F BE E8 movsx bp, al // bp = sign-extended al; only the low 16 bits of ebp are written
.text:00421D38 D3 E5 shl ebp, cl // ebp shifted left by cl bits
.text:00421D3A 33 F5 xor esi, ebp // esi = esi xor ebp
.text:00421D3C A8 01 test al, 1
.text:00421D3E 74 04 jz short loc_421D44 // low bit of the character clear: go to loc_421D44
.text:00421D40 03 F6 add esi, esi // low bit set: esi = esi + esi
.text:00421D42 EB 06 jmp short loc_421D4A
.text:00421D44 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00421D44 loc_421D44: ; CODE XREF: sub_421CE0+5Ej
.text:00421D44 81 F6 AD DE 00 00 xor esi, 0DEADh // esi = esi xor 0DEADh
.text:00421D4A loc_421D4A: ; CODE XREF: sub_421CE0+62j
.text:00421D4A 43 inc ebx // next character
.text:00421D4B 42 inc edx // next index
.text:00421D4C 3B D7 cmp edx, edi // compare edx (index) with edi (length of the text)
.text:00421D4E 7C D3 jl short loc_421D23 // index < length: keep looping
.text:00421D50 5D pop ebp
.text:00421D51 loc_421D51: ; CODE XREF: sub_421CE0+40j
.text:00421D51 8B 7C 24 2C mov edi, [esp+24h+arg_4] // edi = first output buffer
.text:00421D55 81 E6 FF FF 00 00 and esi, 0FFFFh // keep the low 16 bits of the accumulator from the loop above
.text:00421D5B 56 push esi // push esi
.text:00421D5C 68 18 86 46 00 push offset a04x ; "%04X"
.text:00421D61 57 push edi
.text:00421D62 E8 8D 8C 00 00 call _sprintf // format esi as 4 hex digits into [edi]; "AFE3" in the author's run
.text:00421D67 83 C4 0C add esp, 0Ch
.text:00421D6A 81 F6 D1 BA 00 00 xor esi, 0BAD1h // esi = esi xor 0BAD1h
.text:00421D70 56 push esi // push esi
.text:00421D71 8B 74 24 34 mov esi, [esp+28h+arg_8] // esi = second output buffer
.text:00421D75 68 18 86 46 00 push offset a04x ; "%04X"
.text:00421D7A 56 push esi
.text:00421D7B E8 74 8C 00 00 call _sprintf // format the xor-ed value as 4 hex digits into [esi]; "1532" in the author's run
.text:00421D80 83 C4 0C add esp, 0Ch
.text:00421D83 33 C0 xor eax, eax // eax = 0
.text:00421D85 loc_421D85: ; CODE XREF: sub_421CE0+B5j
.text:00421D85 0F BE 0C 38 movsx ecx, byte ptr [eax+edi] // ecx = i-th character of [edi]
.text:00421D89 40 inc eax // eax++
.text:00421D8A 8A 54 0C DC mov dl, [esp+ecx+24h+var_48] // fetch the table entry for that character (the -24h displacement offsets the character code into the table copied above)
.text:00421D8E 83 F8 04 cmp eax, 4 // all four characters done?
.text:00421D91 88 54 38 FF mov [eax+edi-1], dl // store the table character back in place
.text:00421D95 7C EE jl short loc_421D85 // loop; afterwards [edi] = "XGCL" in the author's run
.text:00421D97 33 C0 xor eax, eax
.text:00421D99 loc_421D99: ; CODE XREF: sub_421CE0+C9j
.text:00421D99 0F BE 0C 30 movsx ecx, byte ptr [eax+esi] // ecx = i-th character of [esi]
.text:00421D9D 40 inc eax
.text:00421D9E 8A 54 0C DC mov dl, [esp+ecx+24h+var_48] // fetch the table entry for that character
.text:00421DA2 83 F8 04 cmp eax, 4 // all four characters done?
.text:00421DA5 88 54 30 FF mov [eax+esi-1], dl // store the table character back in place
.text:00421DA9 7C EE jl short loc_421D99 // loop; afterwards [esi] = "HWLT" in the author's run
.text:00421DAB loc_421DAB: ; CODE XREF: sub_421CE0+36j
.text:00421DAB 5F pop edi
.text:00421DAC 5E pop esi
.text:00421DAD 5B pop ebx
.text:00421DAE 83 C4 18 add esp, 18h
.text:00421DB1 C2 0C 00 retn 0Ch // callee removes the three stack arguments
.text:00421DB1 sub_421CE0 endp
// Continuation of the dialog handler after sub_421CE0 returns. The entered fourth field
// is compared byte by byte with each of the two strings sub_421CE0 produced. A match
// with either one jumps to loc_422127, which stores two strings in the object and calls
// sub_44018E; otherwise three fields are reset, the error message is shown, and control
// joins the common cleanup at loc_422153.
// The whole decision is a local string comparison against a value the program computes
// itself; nothing visible here ties the result to a secret held outside the binary.
.text:00422042 8B 83 39 01 00 00 mov eax, [ebx+139h] // NOTE(review): ebx was last loaded at 00421E05 in this listing; the meaning of this field is not visible here
.text:00422048 85 C0 test eax, eax
.text:0042204A 74 25 jz short loc_422071 // zero: skip the inlined string copy below
.text:0042204C 8D 7C 24 30 lea edi, [esp+30h] // source: string at [esp+30h]
.text:00422050 83 C9 FF or ecx, 0FFFFFFFFh
.text:00422053 33 C0 xor eax, eax
.text:00422055 8D 54 24 18 lea edx, [esp+18h] // destination: buffer at [esp+18h]
.text:00422059 F2 AE repne scasb
.text:0042205B F7 D1 not ecx
.text:0042205D 2B F9 sub edi, ecx
.text:0042205F 8B C1 mov eax, ecx
.text:00422061 8B F7 mov esi, edi
.text:00422063 8B FA mov edi, edx
.text:00422065 C1 E9 02 shr ecx, 2
.text:00422068 F3 A5 rep movsd
.text:0042206A 8B C8 mov ecx, eax
.text:0042206C 83 E1 03 and ecx, 3
.text:0042206F F3 A4 rep movsb
.text:00422071 loc_422071: ; CODE XREF: .text:0042204Aj
.text:00422071 8D 74 24 30 lea esi, [esp+30h] // esi -> "XGCL" (first string produced by sub_421CE0)
.text:00422075 8D 44 24 18 lea eax, [esp+18h] // eax -> "3333" (entered field 4)
.text:00422079 5F pop edi // from here on every esp-relative offset is 4 lower than above
.text:0042207A loc_42207A: ; CODE XREF: .text:0042209Cj
.text:0042207A 8A 10 mov dl, [eax] // dl = next character of "3333" (first of the pair)
.text:0042207C 8A 1E mov bl, [esi] // bl = next character of "XGCL" (first of the pair)
.text:0042207E 8A CA mov cl, dl // cl = dl
.text:00422080 3A D3 cmp dl, bl // compare dl with bl
.text:00422082 75 1E jnz short loc_4220A2 // different: leave the loop
.text:00422084 84 C9 test cl, cl // is cl zero?
.text:00422086 74 16 jz short loc_42209E // zero (end of string): leave the loop
.text:00422088 8A 50 01 mov dl, [eax+1] // dl = second character of the pair from "3333"
.text:0042208B 8A 5E 01 mov bl, [esi+1] // bl = second character of the pair from "XGCL"
.text:0042208E 8A CA mov cl, dl
.text:00422090 3A D3 cmp dl, bl // compare dl with bl
.text:00422092 75 0E jnz short loc_4220A2
.text:00422094 83 C0 02 add eax, 2
.text:00422097 83 C6 02 add esi, 2
.text:0042209A 84 C9 test cl, cl 测试cl是否为0 // the annotation before this marker has no comment marker of its own; it reads "test whether cl is 0"
.text:0042209C 75 DC jnz short loc_42207A // non-zero: go back and compare the next two characters
.text:0042209E loc_42209E: ; CODE XREF: .text:00422086j
.text:0042209E 33 C0 xor eax, eax // all characters equal: reached from 00422086, eax = 0
.text:004220A0 EB 05 jmp short loc_4220A7
.text:004220A2 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:004220A2 loc_4220A2: ; CODE XREF: .text:00422082j
.text:004220A2 ; .text:00422092j
.text:004220A2 1B C0 sbb eax, eax // mismatch: eax becomes -1 or 1 from the carry left by cmp dl, bl
.text:004220A4 83 D8 FF sbb eax, 0FFFFFFFFh
.text:004220A7 loc_4220A7: ; CODE XREF: .text:004220A0j
.text:004220A7 85 C0 test eax, eax
.text:004220A9 74 7C jz short loc_422127 // eax == 0 (match): jump to loc_422127
.text:004220AB 8D 74 24 70 lea esi, [esp+70h] // second string produced by sub_421CE0 ([esp+74h] before the pop edi)
.text:004220AF 8D 44 24 14 lea eax, [esp+14h] // entered field 4 again ([esp+18h] before the pop edi)
.text:004220B3 loc_4220B3: ; CODE XREF: .text:004220D5j
.text:004220B3 8A 10 mov dl, [eax]
.text:004220B5 8A 1E mov bl, [esi]
.text:004220B7 8A CA mov cl, dl
.text:004220B9 3A D3 cmp dl, bl
.text:004220BB 75 1E jnz short loc_4220DB
.text:004220BD 84 C9 test cl, cl
.text:004220BF 74 16 jz short loc_4220D7
.text:004220C1 8A 50 01 mov dl, [eax+1]
.text:004220C4 8A 5E 01 mov bl, [esi+1]
.text:004220C7 8A CA mov cl, dl
.text:004220C9 3A D3 cmp dl, bl
.text:004220CB 75 0E jnz short loc_4220DB
.text:004220CD 83 C0 02 add eax, 2
.text:004220D0 83 C6 02 add esi, 2
.text:004220D3 84 C9 test cl, cl
.text:004220D5 75 DC jnz short loc_4220B3
.text:004220D7 loc_4220D7: ; CODE XREF: .text:004220BFj
.text:004220D7 33 C0 xor eax, eax
.text:004220D9 EB 05 jmp short loc_4220E0
.text:004220DB ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:004220DB loc_4220DB: ; CODE XREF: .text:004220BBj
.text:004220DB ; .text:004220CBj
.text:004220DB 1B C0 sbb eax, eax
.text:004220DD 83 D8 FF sbb eax, 0FFFFFFFFh
.text:004220E0 loc_4220E0: ; CODE XREF: .text:004220D9j
.text:004220E0 85 C0 test eax, eax
.text:004220E2 74 43 jz short loc_422127 // second comparison matched
// neither string matched: reset the three editable serial fields and report the error
.text:004220E4 8B 74 24 20 mov esi, [esp+20h] // field-2 object saved at 00421EC5
.text:004220E8 68 60 C4 46 00 push offset ValueName
.text:004220ED 8B CE mov ecx, esi
.text:004220EF E8 6C D3 01 00 call sub_43F460 // presumably sets the field text to ValueName - confirm
.text:004220F4 8B 4C 24 28 mov ecx, [esp+28h] // field-3 object saved at 00421EDB
.text:004220F8 68 60 C4 46 00 push offset ValueName
.text:004220FD E8 5E D3 01 00 call sub_43F460
.text:00422102 8B 4C 24 24 mov ecx, [esp+24h] // field-4 object saved at 00421EF1
.text:00422106 68 60 C4 46 00 push offset ValueName
.text:0042210B E8 50 D3 01 00 call sub_43F460
.text:00422110 6A FF push 0FFFFFFFFh
.text:00422112 6A 30 push 30h
.text:00422114 68 5F EF 00 00 push 0EF5Fh
.text:00422119 E8 18 41 02 00 call sub_446236 // the call seen in the call stack; it ends in MessageBoxA with the "serial number is incorrect" text
.text:0042211E 8B CE mov ecx, esi
.text:00422120 E8 8A D4 01 00 call sub_43F5AF // called on the field-2 object; purpose not visible here
.text:00422125 EB 2C jmp short loc_422153
.text:00422127 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:00422127 loc_422127: ; CODE XREF: .text:004220A9j
.text:00422127 ; .text:004220E2j
.text:00422127 8D 44 24 7C lea eax, [esp+7Ch] // the joined first three fields ([esp+80h] before the pop edi)
.text:0042212B 8D 8D B4 00 00 00 lea ecx, [ebp+0B4h]
.text:00422131 50 push eax
.text:00422132 E8 AC E6 01 00 call ??4CString@@QAEABV0@PBD@Z ; CString::operator=(char const *)
.text:00422137 8D 4C 24 14 lea ecx, [esp+14h] // entered field 4
.text:0042213B 51 push ecx
.text:0042213C 8D 8D B8 00 00 00 lea ecx, [ebp+0B8h]
.text:00422142 E8 9C E6 01 00 call ??4CString@@QAEABV0@PBD@Z ; CString::operator=(char const *)
.text:00422147 68 1F 04 00 00 push 41Fh
.text:0042214C 8B CD mov ecx, ebp
.text:0042214E E8 3B E0 01 00 call sub_44018E
// common exit: sub_4406A6 is called on the two locals initialised at the top of the
// function (presumably their destructors), then the exception-handler chain is restored
.text:00422153 loc_422153: ; CODE XREF: .text:00421EA0j
.text:00422153 ; .text:00422125j
.text:00422153 8D 4C 24 0C lea ecx, [esp+0Ch]
.text:00422157 C6 84 24 A4 00 00+mov byte ptr [esp+0A4h], 0
.text:0042215F E8 42 E5 01 00 call sub_4406A6
.text:00422164 8D 4C 24 10 lea ecx, [esp+10h]
.text:00422168 C7 84 24 A4 00 00+mov dword ptr [esp+0A4h], 0FFFFFFFFh
.text:00422173 E8 2E E5 01 00 call sub_4406A6
.text:00422178 8B 8C 24 9C 00 00+mov ecx, [esp+9Ch]
.text:0042217F 5E pop esi
.text:00422180 5D pop ebp
.text:00422181 5B pop ebx
.text:00422182 64 89 0D 00 00 00+mov large fs:0, ecx // restore the previous exception-handler record
.text:00422189 81 C4 9C 00 00 00 add esp, 9Ch
.text:0042218F C3 retn
daxia2002 于2004-7-17