Spy Emergency 2005 注册算法

标题： Spy Emergency 2005 注册算法
作者：hunter_boy
时间：2005-10-28 23:30
链接：http://bbs.pediy.com/showthread.php?threadid=18003

Spy Emergency 2005

http://www.download.com/Spy-Emergency-2005/3000-8022_4-10450742.html?tag=lst-0-1

Spy Emergency 2005 is an antispyware software that quickly and
securely removes spyware and other Internet infections, including
spyware, adware, malware, home-page hijackers, remote administration
tools, dialers, and keyloggers.

Version 2.0.310 adds Spanish translation.

无壳食之有味(呵呵，没出息)

搜索字符参考就可以找到这里了，很敏感的提示

00410DA3   .  >call    SpyEmerg.004115F0             ;  [xp-sp2-x002]
00410DA8   .  >sub     esp, 0C
00410DAB   .  >test    eax, eax                      ; |
00410DAD   .  >mov     dword ptr ss:[esp+14], esp    ; |
00410DB1   .  >jnz     short SpyEmerg.00410DE8       ; | 这个判断让我不得不看上面的call  [xp-sp2-x002]
00410DB3   .  >mov     ecx, esp                      ; |
00410DB5   .  >push    SpyEmerg.004B9D78             ; |/Arg4 = 004B9D78 ASCII "Invalid serial number! Please enter correct
00410DBA   .  >push    SpyEmerg.004B9D68             ; ||Arg3 = 004B9D68 ASCII "DL_N_101_261"
00410DBF   .  >push    SpyEmerg.004B8940             ; ||Arg2 = 004B8940 ASCII "Language"
00410DC4   .  >push    ecx                           ; ||Arg1
00410DC5   .  >lea     ecx, dword ptr ds:[esi+650]   ; ||
00410DCB   .  >call    SpyEmerg.004026A0             ; |\SpyEmerg.004026A0
00410DD0   .  >lea     ecx, dword ptr ss:[esp+44]    ; |
00410DD4   .  >call    SpyEmerg.00410FC0             ; \SpyEmerg.00410FC0
00410DD9   .  >mov     byte ptr ss:[esp+344], 5
00410DE1   .  >push    0BE
00410DE6   .  >jmp     short SpyEmerg.00410E1B
00410DE8   >  >mov     edx, esp                      ; |
00410DEA   .  >push    SpyEmerg.004B9D20             ; |/Arg4 = 004B9D20 ASCII "Your version of Spy Emergency 2004 has been
00410DEF   .  >push    SpyEmerg.004B9D0C             ; ||Arg3 = 004B9D0C ASCII "DL_N_101_262"
00410DF4   .  >push    SpyEmerg.004B8940             ; ||Arg2 = 004B8940 ASCII "Language"
00410DF9   .  >push    edx                           ; ||Arg1
00410DFA   .  >lea     ecx, dword ptr ds:[esi+650]   ; ||
00410E00   .  >call    SpyEmerg.004026A0             ; |\SpyEmerg.004026A0
00410E05   .  >lea     ecx, dword ptr ss:[esp+44]    ; |
00410E09   .  >call    SpyEmerg.00410FC0             ; \SpyEmerg.00410FC0
00410E0E   .  >mov     byte ptr ss:[esp+344], 6
00410E16   .  >push    0C7
00410E1B   >  >lea     ecx, dword ptr ss:[esp+3C]

===== [xp-sp2-x002]===================

004115F0   $  >push    ebp
004115F1   .  >mov     ebp, esp
004115F3   .  >push    -1
004115F5   .  >push    SpyEmerg.004B0368             ;  SE handler installation
004115FA   .  >mov     eax, dword ptr fs:[0]
00411600   .  >push    eax
00411601   .  >mov     dword ptr fs:[0], esp
00411608   .  >sub     esp, 68
0041160B   .  >push    ebx
0041160C   .  >push    esi
0041160D   .  >push    edi
0041160E   .  >mov     esi, ecx
00411610   .  >mov     dword ptr ss:[ebp-10], esp
00411613   .  >mov     dword ptr ss:[ebp-14], esi
00411616   .  >mov     dword ptr ss:[ebp-4], 0
0041161D   .  >lea     eax, dword ptr ss:[ebp-34]
00411620   .  >push    eax                           ; /Arg1
00411621   .  >mov     byte ptr ss:[ebp-4], 3        ; |
00411625   .  >call    SpyEmerg.0040E470             ; \SpyEmerg.0040E470
0041162A   .  >push    SpyEmerg.004B9EE4             ;  ASCII "\Infiltration\SpyEmergency.pfa"
0041162F   .  >lea     ecx, dword ptr ss:[ebp-34]
00411632   .  >mov     byte ptr ss:[ebp-4], 4
00411636   .  >call    SpyEmerg.00442BF0
0041163B   .  >lea     ecx, dword ptr ss:[ebp-28]
0041163E   .  >call    SpyEmerg.00401BB0
00411643   .  >mov     eax, dword ptr ss:[ebp-30]
00411646   .  >test    eax, eax
00411648   .  >mov     byte ptr ss:[ebp-4], 5
0041164C   .  >jnz     short SpyEmerg.00411653
0041164E   .  >mov     eax, SpyEmerg.004B8630
00411653   >  >push    eax                           ; /Arg1
00411654   .  >lea     ecx, dword ptr ss:[ebp-28]    ; |
00411657   .  >call    SpyEmerg.00401D40             ; \SpyEmerg.00401D40
0041165C   .  >or      edi, FFFFFFFF
0041165F   .  >push    edi
00411660   .  >push    SpyEmerg.004B9EC0             ;  ASCII "select * from infiltration_serial;"
00411665   .  >lea     ecx, dword ptr ss:[ebp-4C]
00411668   .  >call    SpyEmerg.00442D80
0041166D   .  >mov     eax, dword ptr ss:[ebp-48]
00411670   .  >test    eax, eax
00411672   .  >mov     byte ptr ss:[ebp-4], 6
00411676   .  >jnz     short SpyEmerg.0041167D
00411678   .  >mov     eax, SpyEmerg.004B8630
0041167D   >  >push    eax
0041167E   .  >lea     ecx, dword ptr ss:[ebp-74]
00411681   .  >push    ecx
00411682   .  >lea     ecx, dword ptr ss:[ebp-28]
00411685   .  >call    SpyEmerg.004021B0
0041168A   .  >mov     byte ptr ss:[ebp-4], 7
0041168E   .  >mov     bl, 8
00411690   >  >lea     ecx, dword ptr ss:[ebp-74]
00411693   .  >call    SpyEmerg.00402010
00411698   .  >test    al, al
0041169A   .  >jnz     SpyEmerg.00411721
004116A0   .  >push    SpyEmerg.004B8630
004116A5   .  >push    1
004116A7   .  >lea     ecx, dword ptr ss:[ebp-74]
004116AA   .  >call    SpyEmerg.00402330
004116AF   .  >push    edi
004116B0   .  >push    eax
004116B1   .  >lea     ecx, dword ptr ss:[ebp-40]
004116B4   .  >call    SpyEmerg.00442D80
004116B9   .  >lea     edx, dword ptr ss:[ebp+20]
004116BC   .  >push    edx
004116BD   .  >lea     ecx, dword ptr ss:[ebp-40]
004116C0   .  >mov     byte ptr ss:[ebp-4], bl
004116C3   .  >call    SpyEmerg.004421A0
004116C8   .  >test    eax, eax
004116CA   .  >je      short SpyEmerg.00411708
004116CC   .  >lea     ecx, dword ptr ss:[ebp-40]
004116CF   .  >mov     byte ptr ss:[ebp-4], 7
004116D3   .  >call    SpyEmerg.00442110
004116D8   .  >lea     ecx, dword ptr ss:[ebp-74]
004116DB   .  >mov     byte ptr ss:[ebp-4], 6
004116DF   .  >call    SpyEmerg.00401ED0
004116E4   .  >lea     ecx, dword ptr ss:[ebp-4C]
004116E7   .  >mov     byte ptr ss:[ebp-4], 5
004116EB   .  >call    SpyEmerg.00442110
004116F0   .  >lea     ecx, dword ptr ss:[ebp-28]
004116F3   .  >mov     byte ptr ss:[ebp-4], 4
004116F7   .  >call    SpyEmerg.00401D10
004116FC   .  >mov     byte ptr ss:[ebp-4], 3
00411700   .  >lea     ecx, dword ptr ss:[ebp-34]
00411703   .  >jmp     SpyEmerg.0041197C
00411708   >  >lea     ecx, dword ptr ss:[ebp-74]
0041170B   .  >call    SpyEmerg.00402020
00411710   .  >lea     ecx, dword ptr ss:[ebp-40]
00411713   .  >mov     byte ptr ss:[ebp-4], 7
00411717   .  >call    SpyEmerg.00442110
0041171C   .^ >jmp     SpyEmerg.00411690
00411721   >  >lea     ecx, dword ptr ss:[ebp-28]
00411724   .  >call    SpyEmerg.00401BD0
00411729   .  >lea     ecx, dword ptr ss:[ebp-74]
0041172C   .  >mov     byte ptr ss:[ebp-4], 6
00411730   .  >call    SpyEmerg.00401ED0
00411735   .  >lea     ecx, dword ptr ss:[ebp-4C]
00411738   .  >mov     byte ptr ss:[ebp-4], 5
0041173C   .  >call    SpyEmerg.00442110
00411741   .  >lea     ecx, dword ptr ss:[ebp-28]
00411744   .  >mov     byte ptr ss:[ebp-4], 4
00411748   .  >call    SpyEmerg.00401D10
0041174D   .  >lea     ecx, dword ptr ss:[ebp-34]
00411750   .  >mov     byte ptr ss:[ebp-4], 3
00411754   .  >call    SpyEmerg.00442110
00411759   .  >jmp     short SpyEmerg.00411767
0041175B   .  >mov     eax, SpyEmerg.00411761
00411760   .  >ret
00411761   .  >mov     esi, dword ptr ss:[ebp-14]
00411764   .  >or      edi, FFFFFFFF
00411767   >  >sub     esp, 0C
0041176A   .  >lea     eax, dword ptr ss:[ebp+14]
0041176D   .  >mov     ecx, esp
0041176F   .  >mov     dword ptr ss:[ebp-14], esp
00411772   .  >push    eax
00411773   .  >mov     dword ptr ss:[ebp-4], 2
0041177A   .  >call    SpyEmerg.004420E0
0041177F   .  >sub     esp, 0C
00411782   .  >lea     edx, dword ptr ss:[ebp+8]
00411785   .  >mov     ecx, esp
00411787   .  >mov     dword ptr ss:[ebp-18], esp
0041178A   .  >push    edx
0041178B   .  >mov     byte ptr ss:[ebp-4], 0A
0041178F   .  >call    SpyEmerg.004420E0
00411794   .  >lea     eax, dword ptr ss:[ebp-58]
00411797   .  >push    eax
00411798   .  >mov     byte ptr ss:[ebp-4], 2
0041179C   .  >call    SpyEmerg.004324A0             ; [xp-sp2-x006]
004117A1   .  >add     esp, 1C
004117A4   .  >lea     ecx, dword ptr ss:[ebp+20]
004117A7   .  >push    ecx
004117A8   .  >mov     bl, 0B
004117AA   .  >lea     ecx, dword ptr ss:[ebp-58]
004117AD   .  >mov     byte ptr ss:[ebp-4], bl
004117B0   .  >call    SpyEmerg.004421A0             ; [xp-sp2-x004]
004117B5   .  >test    eax, eax
004117B7   .  >je      SpyEmerg.00411975               这个call跳得很远，足以引起注意，如果不跳走，
004117BD   .  >sub     esp, 0C                         下面即是将用户信息写入注册表
004117C0   .  >lea     edx, dword ptr ss:[ebp+8]       所以我们一定要看上面的call啦,当然是看[xp-sp2-x004]
004117C3   .  >mov     ecx, esp
004117C5   .  >mov     dword ptr ss:[ebp-18], esp
004117C8   .  >push    edx
004117C9   .  >call    SpyEmerg.004420E0
004117CE   .  >sub     esp, 0C
004117D1   .  >mov     ecx, esp
004117D3   .  >mov     dword ptr ss:[ebp-14], esp
004117D6   .  >push    edi
004117D7   .  >push    SpyEmerg.004B9EAC             ;  ASCII "RegisteredUserName"
004117DC   .  >mov     byte ptr ss:[ebp-4], 0C
004117E0   .  >call    SpyEmerg.00442D80
004117E5   .  >mov     ecx, esi                      ; |
004117E7   .  >mov     byte ptr ss:[ebp-4], bl       ; |
004117EA   .  >call    SpyEmerg.004119C0             ; \SpyEmerg.004119C0

=======[xp-sp2-x004]=============================================================

004421A0  /$  8>mov     eax, dword ptr ss:[esp+4]
004421A4  |.  3>cmp     eax, ecx
004421A6  |.  7>je      short SpyEmerg.004421C9
004421A8  |.  8>mov     ecx, dword ptr ds:[ecx+4]
004421AB  |.  8>test    ecx, ecx
004421AD  |.  7>je      short SpyEmerg.004421C4
004421AF  |.  8>mov     eax, dword ptr ds:[eax+4]
004421B2  |.  8>test    eax, eax
004421B4  |.  7>je      short SpyEmerg.004421C4
004421B6  |.  5>push    eax
004421B7  |.  5>push    ecx
004421B8  |.  E>call    SpyEmerg.0049E689
004421BD  |.  8>add     esp, 8
004421C0  |.  8>test    eax, eax  ==1==
004421C2  |.  7>je      short SpyEmerg.004421C9
004421C4  |>  3>xor     eax, eax  ==2==
004421C6  |.  C>ret     4
004421C9  |>  B>mov     eax, 1    ==3==  三步曲，最常见的标志位设置，说明信息已经处理完毕
004421CE  \.  C>ret     4                所以我们要看此同一层的上一个call [xp-sp2-x006]

=======[xp-sp2-x006]================================================================

004324A0  /$  6>push    -1
004324A2  |.  6>push    SpyEmerg.004B4CD0             ;  SE handler installation
004324A7  |.  6>mov     eax, dword ptr fs:[0]
004324AD  |.  5>push    eax
004324AE  |.  6>mov     dword ptr fs:[0], esp
004324B5  |.  8>sub     esp, 0E8
004324BB  |.  5>push    esi
004324BC  |.  C>mov     dword ptr ss:[esp+20], 0
004324C4  |.  6>push    38
004324C6  |.  8>lea     eax, dword ptr ss:[esp+104]
004324CD  |.  5>push    eax
004324CE  |.  8>lea     ecx, dword ptr ss:[esp+AC]
004324D5  |.  5>push    ecx
004324D6  |.  C>mov     dword ptr ss:[esp+100], 2
004324E1  |.  E>call    SpyEmerg.00432420
004324E6  |.  6>push    62
004324E8  |.  5>push    eax
004324E9  |.  8>lea     edx, dword ptr ss:[esp+88]
004324F0  |.  5>push    edx
004324F1  |.  C>mov     byte ptr ss:[esp+10C], 3
004324F9  |.  E>call    SpyEmerg.00432420
004324FE  |.  6>push    33
00432500  |.  5>push    eax
00432501  |.  8>lea     eax, dword ptr ss:[esp+AC]
00432508  |.  5>push    eax
00432509  |.  C>mov     byte ptr ss:[esp+118], 4
00432511  |.  E>call    SpyEmerg.00432420
00432516  |.  6>push    7A
00432518  |.  5>push    eax
00432519  |.  8>lea     ecx, dword ptr ss:[esp+E8]
00432520  |.  5>push    ecx
00432521  |.  C>mov     byte ptr ss:[esp+124], 5
00432529  |.  E>call    SpyEmerg.00432420
0043252E  |.  6>push    6F
00432530  |.  5>push    eax
00432531  |.  8>lea     edx, dword ptr ss:[esp+68]
00432535  |.  5>push    edx
00432536  |.  C>mov     byte ptr ss:[esp+130], 6
0043253E  |.  E>call    SpyEmerg.00432420
00432543  |.  8>add     esp, 3C
00432546  |.  8>lea     ecx, dword ptr ss:[esp+BC]
0043254D  |.  C>mov     byte ptr ss:[esp+F4], 0B
00432555  |.  E>call    SpyEmerg.00442110
0043255A  |.  8>lea     ecx, dword ptr ss:[esp+8C]
00432561  |.  C>mov     byte ptr ss:[esp+F4], 0A
00432569  |.  E>call    SpyEmerg.00442110
0043256E  |.  8>lea     ecx, dword ptr ss:[esp+74]
00432572  |.  C>mov     byte ptr ss:[esp+F4], 9
0043257A  |.  E>call    SpyEmerg.00442110
0043257F  |.  8>lea     ecx, dword ptr ss:[esp+A4]
00432586  |.  C>mov     byte ptr ss:[esp+F4], 8
0043258E  |.  E>call    SpyEmerg.00442110
00432593  |.  8>mov     eax, dword ptr ss:[esp+34]
/////////////停在这里看堆栈//////////////////////////////////////
//Stack ss:[0011A138]=00D2AEEC, (ASCII "HUNTER-BOY8b3zo")
//eax=00000001
//////////////////////////////////////////////////////////////
00432597  |.  8>test    eax, eax                        用户名+8b3zo
00432599  |.  7>je      short SpyEmerg.004325A0
0043259B  |.  8>mov     ecx, dword ptr ds:[eax-8]
0043259E  |.  E>jmp     short SpyEmerg.004325A7
004325A0  |>  3>xor     ecx, ecx
004325A2  |.  B>mov     eax, SpyEmerg.004B8630
004325A7  |>  6>push    0                             ; /Arg4 = 00000000
004325A9  |.  6>push    SpyEmerg.004B8630             ; |Arg3 = 004B8630
004325AE  |.  5>push    ecx                           ; |Arg2
004325AF  |.  5>push    eax                           ; |Arg1
004325B0  |.  E>call    SpyEmerg.00432040             ; \SpyEmerg.00432040  [xp-sp2-x008]
004325B5  |.  8>mov     eax, dword ptr ss:[esp+44]      通过字典对字符串处理，看[xp-sp2-x008]
//////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A138]=00D2AEEC   地址
//eax=0000000F   长度
//转存中跟随，获得
//00D2AEEC  C6 F6 5C 7A 9A 68 5B D6 E4 5C EB 5B 96 8F 8C 00  砌\z歨[咒\隱枏?
//C6F65C7A9A685BD6E45CEB5B968F8C  (hex) (00是终结符)
//////////////////////////////////////////////////////////////
004325B9  |.  8>add     esp, 10
004325BC  |.  8>test    eax, eax
004325BE  |.  7>jnz     short SpyEmerg.004325C5
004325C0  |.  B>mov     eax, SpyEmerg.004B8630
004325C5  |>  6>push    -1
004325C7  |.  5>push    eax
004325C8  |.  E>call    SpyEmerg.00403410              ; [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
//hex string  C6F65C7A9A685BD6E45CEB5B968F8C
//md5 hash    3ce3e64f4ef7f65d023666760273e0b9
////////////////////////////////////////////////////////////////////
004325CD  |.  8>add     esp, 4
004325D0  |.  5>push    eax
004325D1  |.  8>lea     ecx, dword ptr ss:[esp+70]
004325D5  |.  E>call    SpyEmerg.00442D80
004325DA  |.  6>push    63
004325DC  |.  8>lea     eax, dword ptr ss:[esp+110]
004325E3  |.  5>push    eax
004325E4  |.  8>lea     ecx, dword ptr ss:[esp+B8]
004325EB  |.  5>push    ecx
004325EC  |.  C>mov     byte ptr ss:[esp+100], 0C
004325F4  |.  E>call    SpyEmerg.00432420
004325F9  |.  6>push    36
004325FB  |.  5>push    eax
004325FC  |.  8>lea     edx, dword ptr ss:[esp+AC]
00432603  |.  5>push    edx
00432604  |.  C>mov     byte ptr ss:[esp+10C], 0D
0043260C  |.  E>call    SpyEmerg.00432420
00432611  |.  6>push    65
00432613  |.  5>push    eax
00432614  |.  8>lea     eax, dword ptr ss:[esp+A0]
0043261B  |.  5>push    eax
0043261C  |.  C>mov     byte ptr ss:[esp+118], 0E
00432624  |.  E>call    SpyEmerg.00432420
00432629  |.  6>push    74
0043262B  |.  5>push    eax
0043262C  |.  8>lea     ecx, dword ptr ss:[esp+100]
00432633  |.  5>push    ecx
00432634  |.  C>mov     byte ptr ss:[esp+124], 0F
0043263C  |.  E>call    SpyEmerg.00432420
00432641  |.  6>push    65
00432643  |.  5>push    eax
00432644  |.  8>lea     edx, dword ptr ss:[esp+5C]
00432648  |.  5>push    edx
00432649  |.  C>mov     byte ptr ss:[esp+130], 10
00432651  |.  E>call    SpyEmerg.00432420
00432656  |.  8>add     esp, 3C
00432659  |.  8>lea     ecx, dword ptr ss:[esp+D4]
00432660  |.  C>mov     byte ptr ss:[esp+F4], 15
00432668  |.  E>call    SpyEmerg.00442110
0043266D  |.  8>lea     ecx, dword ptr ss:[esp+80]
00432674  |.  C>mov     byte ptr ss:[esp+F4], 14
0043267C  |.  E>call    SpyEmerg.00442110
00432681  |.  8>lea     ecx, dword ptr ss:[esp+98]
00432688  |.  C>mov     byte ptr ss:[esp+F4], 13
00432690  |.  E>call    SpyEmerg.00442110
00432695  |.  8>lea     ecx, dword ptr ss:[esp+B0]
0043269C  |.  C>mov     byte ptr ss:[esp+F4], 12
004326A4  |.  E>call    SpyEmerg.00442110
004326A9  |.  8>mov     eax, dword ptr ss:[esp+28]
/////////////停在这里看堆栈//////////////////////////////////////
//Stack ss:[0011A12C]=00D355D4, (ASCII "draw.dragon@msn.comc6ete")
//eax=00000001
//////////////////////////////////////////////////////////////////
004326AD  |.  8>test    eax, eax                        邮件地址+c6ete
004326AF  |.  7>je      short SpyEmerg.004326B6
004326B1  |.  8>mov     ecx, dword ptr ds:[eax-8]
004326B4  |.  E>jmp     short SpyEmerg.004326BD
004326B6  |>  3>xor     ecx, ecx
004326B8  |.  B>mov     eax, SpyEmerg.004B8630
004326BD  |>  6>push    0                             ; /Arg4 = 00000000
004326BF  |.  6>push    SpyEmerg.004B8630             ; |Arg3 = 004B8630
004326C4  |.  5>push    ecx                           ; |Arg2
004326C5  |.  5>push    eax                           ; |Arg1
004326C6  |.  E>call    SpyEmerg.00432040             ; \SpyEmerg.00432040  [xp-sp2-x008]
004326CB  |.  8>mov     eax, dword ptr ss:[esp+38]    通过字典对字符串处理，看[xp-sp2-x008]
/////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A12C]=00D355D4  地址
//eax=00000018  长度
//转存中跟随，获得
//00D355D4  EA D1 73 59 F1 5E 04 F5 CC 6A BD 79 C8 86 8D 71  暄sY馸跆j統葐峲
//00D355E4  B8 85 E6 D3 25 EB F5 E1 00                       竻嬗%膈?瓠?瓠
//EAD17359F15E04F5CC6ABD79C8868D71B885E6D325EBF5E1   (hex) (00是终结符)
/////////////////////////////////////////////////////////////////
004326CF  |.  8>add     esp, 10
004326D2  |.  8>test    eax, eax
004326D4  |.  7>jnz     short SpyEmerg.004326DB
004326D6  |.  B>mov     eax, SpyEmerg.004B8630
004326DB  |>  6>push    -1
004326DD  |.  5>push    eax
004326DE  |.  E>call    SpyEmerg.00403410             ; [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
//hex string EAD17359F15E04F5CC6ABD79C8868D71B885E6D325EBF5E1
//md5 hash   05861f2f698e5125a8c5fca2dc6532d2
////////////////////////////////////////////////////////////////
004326E3  |.  8>add     esp, 4
004326E6  |.  5>push    eax
004326E7  |.  8>lea     ecx, dword ptr ss:[esp+44]
004326EB  |.  E>call    SpyEmerg.00442D80
004326F0  |.  6>push    -1
004326F2  |.  6>push    SpyEmerg.004B8630
004326F7  |.  8>lea     ecx, dword ptr ss:[esp+18]
004326FB  |.  C>mov     byte ptr ss:[esp+FC], 16
00432703  |.  E>call    SpyEmerg.00442D80
00432708  |.  6>push    36CEC                         ; /Arg1 = 00036CEC
0043270D  |.  8>lea     ecx, dword ptr ss:[esp+14]    ; |
00432711  |.  C>mov     byte ptr ss:[esp+F8], 17      ; |
00432719  |.  E>call    SpyEmerg.00443090             ; \SpyEmerg.00443090
0043271E  |.  6>push    1F6                           ; /Arg1 = 000001F6
00432723  |.  8>lea     ecx, dword ptr ss:[esp+14]    ; |
00432727  |.  E>call    SpyEmerg.00443090             ; \SpyEmerg.00443090
//////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A118]=00D6B144, (ASCII "224492502")
//eax=0011A114
//对push进去的两个值做运算，这样应该就是一个固定值了吧
//运算循环除A将余数连接"224492"+"502"
//////////////////////////////////////////////////////////////
0043272C  |.  8>mov     eax, dword ptr ss:[esp+14]
00432730  |.  8>test    eax, eax
00432732  |.  7>je      short SpyEmerg.00432739
00432734  |.  8>mov     ecx, dword ptr ds:[eax-8]
00432737  |.  E>jmp     short SpyEmerg.00432740
00432739  |>  3>xor     ecx, ecx
0043273B  |.  B>mov     eax, SpyEmerg.004B8630
00432740  |>  6>push    0                             ; /Arg4 = 00000000
00432742  |.  6>push    SpyEmerg.004B8630             ; |Arg3 = 004B8630
00432747  |.  5>push    ecx                           ; |Arg2
00432748  |.  5>push    eax                           ; |Arg1
00432749  |.  E>call    SpyEmerg.00432040             ; \SpyEmerg.00432040  [xp-sp2-x008]
0043274E  |.  8>mov     eax, dword ptr ss:[esp+24]     通过字典对字符串处理，看[xp-sp2-x008]
/////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A118]=00D6B144
//eax=00000009
//00D6B144  BC 91 26 1A E6 08 43 A4 99 00                    紤&?C..瓠
//BC91261AE60843A499  (hex)
//////////////////////////////////////////////////////////////////
00432752  |.  8>add     esp, 10
00432755  |.  8>test    eax, eax
00432757  |.  7>jnz     short SpyEmerg.0043275E
00432759  |.  B>mov     eax, SpyEmerg.004B8630
0043275E  |>  6>push    -1
00432760  |.  5>push    eax
00432761  |.  E>call    SpyEmerg.00403410              ; [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
//hex string  BC91261AE60843A499
//md5 hash    87b5a586aa0d78fbb23c5d48a4fce316
//////////////////////////////////////////////////////////////////
00432766  |.  8>add     esp, 4
00432769  |.  5>push    eax
0043276A  |.  8>lea     ecx, dword ptr ss:[esp+50]
0043276E  |.  E>call    SpyEmerg.00442D80
00432773  |.  8>sub     esp, 0C
00432776  |.  8>lea     eax, dword ptr ss:[esp+54]
0043277A  |.  8>mov     ecx, esp
0043277C  |.  8>mov     dword ptr ss:[esp+64], esp
00432780  |.  5>push    eax
00432781  |.  C>mov     byte ptr ss:[esp+104], 18
00432789  |.  E>call    SpyEmerg.004420E0
0043278E  |.  6>push    SpyEmerg.004B8FE8
00432793  |.  8>sub     esp, 0C
00432796  |.  8>mov     dword ptr ss:[esp+38], esp
0043279A  |.  8>mov     esi, esp
0043279C  |.  8>sub     esp, 0C
0043279F  |.  8>lea     edx, dword ptr ss:[esp+64]
004327A3  |.  8>mov     ecx, esp
004327A5  |.  8>mov     dword ptr ss:[esp+44], esp
004327A9  |.  5>push    edx
004327AA  |.  C>mov     byte ptr ss:[esp+120], 19
004327B2  |.  E>call    SpyEmerg.004420E0
004327B7  |.  6>push    SpyEmerg.004B8FE8
004327BC  |.  8>sub     esp, 0C
004327BF  |.  8>lea     eax, dword ptr ss:[esp+A0]
004327C6  |.  8>mov     ecx, esp
004327C8  |.  8>mov     dword ptr ss:[esp+8C], esp
004327CF  |.  5>push    eax
004327D0  |.  C>mov     byte ptr ss:[esp+130], 1A
004327D8  |.  E>call    SpyEmerg.004420E0
004327DD  |.  8>lea     ecx, dword ptr ss:[esp+118]
004327E4  |.  5>push    ecx
004327E5  |.  E>call    SpyEmerg.0040D1F0
004327EA  |.  8>add     esp, 14
004327ED  |.  5>push    eax
004327EE  |.  5>push    esi
004327EF  |.  C>mov     byte ptr ss:[esp+124], 1C
004327F7  |.  E>call    SpyEmerg.0040D160
004327FC  |.  8>lea     edx, dword ptr ss:[esp+F8]
00432803  |.  8>add     esp, 14
00432806  |.  5>push    edx
00432807  |.  E>call    SpyEmerg.0040D1F0
0043280C  |.  8>add     esp, 14
0043280F  |.  5>push    eax
00432810  |.  8>lea     eax, dword ptr ss:[esp+14]
00432814  |.  5>push    eax
00432815  |.  C>mov     byte ptr ss:[esp+108], 1F
0043281D  |.  E>call    SpyEmerg.0040D160
00432822  |.  8>add     esp, 14
00432825  |.  8>lea     ecx, dword ptr ss:[esp+C8]
0043282C  |.  C>mov     byte ptr ss:[esp+F4], 22
00432834  |.  E>call    SpyEmerg.00442110
00432839  |.  8>lea     ecx, dword ptr ss:[esp+E0]
00432840  |.  C>mov     byte ptr ss:[esp+F4], 21
00432848  |.  E>call    SpyEmerg.00442110
0043284D  |.  8>mov     eax, dword ptr ss:[esp+8]
//////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A10C]=00D070BC, (ASCII "3ce3e64f4ef7f65d023666760273e0b9-05861f2f698e5125a8c5fca2dc6532d2
//-87b5a586aa0d78fbb23c5d48a4fce316")
//eax=00000001          将三个hash值联起来作为text string
/////////////////////////////////////////////////////////////////
00432851  |.  8>test    eax, eax
00432853  |.  7>jnz     short SpyEmerg.0043285A
00432855  |.  B>mov     eax, SpyEmerg.004B8630
0043285A  |>  6>push    -1
0043285C  |.  5>push    eax
0043285D  |.  E>call    SpyEmerg.00403410             ;  [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
// text string 3ce3e64f4ef7f65d023666760273e0b9-05861f2f698e5125a8c5fca2dc6532d2-87b5a586aa0d78fbb23c5d48a4fce316
// md5 hash    f9c67d47ef264d325acda0f89f8a118b
/////////////////////////////////////////////////////////////////////////
00432862  |.  8>add     esp, 4
00432865  |.  5>push    eax
00432866  |.  8>lea     ecx, dword ptr ss:[esp+64]
0043286A  |.  E>call    SpyEmerg.00442D80
0043286F  |.  8>lea     ecx, dword ptr ss:[esp+5C]
00432873  |.  5>push    ecx
00432874  |.  8>lea     ecx, dword ptr ss:[esp+8]
00432878  |.  C>mov     byte ptr ss:[esp+F8], 23
00432880  |.  E>call    SpyEmerg.00442210
00432885  |.  8>mov     eax, dword ptr ss:[esp+8]
00432889  |.  8>test    eax, eax
0043288B  |.  7>je      short SpyEmerg.004328DB
0043288D  |.  8>mov     ecx, dword ptr ds:[eax-8]
00432890  |.  8>cmp     ecx, 8
00432893  |.  7>jl      short SpyEmerg.004328A7
00432895  |.  6>push    7
00432897  |.  8>lea     ecx, dword ptr ss:[esp+8]
0043289B  |.  E>call    SpyEmerg.00441FD0
004328A0  |.  C>mov     byte ptr ds:[eax], 2D
004328A3  |.  8>mov     eax, dword ptr ss:[esp+8]
004328A7  |>  8>test    eax, eax
004328A9  |.  7>je      short SpyEmerg.004328DB
004328AB  |.  8>cmp     dword ptr ds:[eax-8], 10
004328AF  |.  7>jl      short SpyEmerg.004328C3
004328B1  |.  6>push    0F
004328B3  |.  8>lea     ecx, dword ptr ss:[esp+8]
004328B7  |.  E>call    SpyEmerg.00441FD0
004328BC  |.  C>mov     byte ptr ds:[eax], 2D
004328BF  |.  8>mov     eax, dword ptr ss:[esp+8]
004328C3  |>  8>test    eax, eax
004328C5  |.  7>je      short SpyEmerg.004328DB
004328C7  |.  8>cmp     dword ptr ds:[eax-8], 18
004328CB  |.  7>jl      short SpyEmerg.004328DB
004328CD  |.  6>push    17
004328CF  |.  8>lea     ecx, dword ptr ss:[esp+8]
004328D3  |.  E>call    SpyEmerg.00441FD0
004328D8  |.  C>mov     byte ptr ds:[eax], 2D
004328DB  |>  8>lea     ecx, dword ptr ss:[esp+4]
004328DF  |.  E>call    SpyEmerg.00442750
004328E4  |.  8>mov     esi, dword ptr ss:[esp+FC]
004328EB  |.  8>lea     edx, dword ptr ss:[esp+4]
004328EF  |.  5>push    edx
004328F0  |.  8>mov     ecx, esi
//////////////停在这里看堆栈////////////////////////////////////
//F9C67D4-EF264D3-5ACDA0F-9F8A118B
//将hash值转大写，每7位用"-"替换下一个字符
//Serial key! enjoy it !
///////////////////////////////////////////////////////////////
004328F2  |.  E>call    SpyEmerg.004420E0
004328F7  |.  8>lea     ecx, dword ptr ss:[esp+5C]
004328FB  |.  C>mov     dword ptr ss:[esp+20], 1
00432903  |.  C>mov     byte ptr ss:[esp+F4], 21
0043290B  |.  E>call    SpyEmerg.00442110
00432910  |.  8>lea     ecx, dword ptr ss:[esp+4]
00432914  |.  C>mov     byte ptr ss:[esp+F4], 18
0043291C  |.  E>call    SpyEmerg.00442110
00432921  |.  8>lea     ecx, dword ptr ss:[esp+48]
00432925  |.  C>mov     byte ptr ss:[esp+F4], 17
0043292D  |.  E>call    SpyEmerg.00442110
00432932  |.  8>lea     ecx, dword ptr ss:[esp+10]
00432936  |.  C>mov     byte ptr ss:[esp+F4], 16
0043293E  |.  E>call    SpyEmerg.00442110
00432943  |.  8>lea     ecx, dword ptr ss:[esp+3C]
00432947  |.  C>mov     byte ptr ss:[esp+F4], 12
0043294F  |.  E>call    SpyEmerg.00442110
00432954  |.  8>lea     ecx, dword ptr ss:[esp+24]
00432958  |.  C>mov     byte ptr ss:[esp+F4], 0C
00432960  |.  E>call    SpyEmerg.00442110
00432965  |.  8>lea     ecx, dword ptr ss:[esp+68]
00432969  |.  C>mov     byte ptr ss:[esp+F4], 8
00432971  |.  E>call    SpyEmerg.00442110
00432976  |.  8>lea     ecx, dword ptr ss:[esp+30]
0043297A  |.  C>mov     byte ptr ss:[esp+F4], 2
00432982  |.  E>call    SpyEmerg.00442110
00432987  |.  8>lea     ecx, dword ptr ss:[esp+100]
0043298E  |.  C>mov     byte ptr ss:[esp+F4], 1
00432996  |.  E>call    SpyEmerg.00442110
0043299B  |.  8>lea     ecx, dword ptr ss:[esp+10C]
004329A2  |.  C>mov     byte ptr ss:[esp+F4], 0
004329AA  |.  E>call    SpyEmerg.00442110
004329AF  |.  8>mov     ecx, dword ptr ss:[esp+EC]
004329B6  |.  8>mov     eax, esi
004329B8  |.  6>mov     dword ptr fs:[0], ecx
004329BF  |.  5>pop     esi
004329C0  |.  8>add     esp, 0F4
004329C6  \.  C>ret

========[xp-sp2-x008]=============================================================================

00432040  /$  5>push    ebp
00432041  |.  8>mov     ebp, esp
00432043  |.  8>and     esp, FFFFFFF8
00432046  |.  8>sub     esp, 214
0043204C  |.  B>mov     al, 41
0043204E  |.  5>push    ebx
0043204F  |.  A>mov     byte ptr ds:[4E0FA0], al
00432054  |.  A>mov     byte ptr ds:[4E0FA1], al
00432059  |.  B>mov     al, 31
0043205B  |.  5>push    esi
0043205C  |.  A>mov     byte ptr ds:[4E0FA5], al
00432061  |.  A>mov     byte ptr ds:[4E0FA8], al
00432066  |.  5>push    edi
00432067  |.  C>mov     byte ptr ds:[4E0FA2], 37
0043206E  |.  C>mov     byte ptr ds:[4E0FA3], 39
00432075  |.  C>mov     byte ptr ds:[4E0FA4], 65
0043207C  |.  C>mov     byte ptr ds:[4E0FA6], 30
00432083  |.  C>mov     byte ptr ds:[4E0FA7], 64
0043208A  |.  C>mov     byte ptr ds:[4E0FA9], 35
00432091  |.  C>mov     byte ptr ds:[4E0FAA], 6C
00432098  |.  C>mov     byte ptr ds:[4E0FAB], 36
0043209F  |.  C>mov     byte ptr ds:[4E0FAC], 6F
004320A6  |.  C>mov     byte ptr ds:[4E0FAD], 32
004320AD  |.  C>mov     byte ptr ds:[4E0FAE], 74
004320B4  |.  C>mov     byte ptr ds:[4E0FAF], 38
004320BB  |.  3>xor     eax, eax                          ;
004320BD  |.  8>lea     ecx, dword ptr ds:[ecx]
004320C0  |>  8>/mov     cl, byte ptr ds:[eax+4E0FA0]
004320C6  |.  8>|xor     cl, 0A4
004320C9  |.  8>|mov     byte ptr ds:[eax+4E0F90], cl     ;
004320CF  |.  4>|inc     eax
004320D0  |.  8>|cmp     eax, 10
004320D3  |.^ 7>\jb      short SpyEmerg.004320C0
004320D5  |.  3>xor     eax, eax                          ;
004320D7  |.  B>mov     ecx, 40
004320DC  |.  8>lea     edi, dword ptr ss:[esp+10]
004320E0  |.  F>rep     stosd
004320E2  |.  A>stosb
004320E3  |.  3>xor     eax, eax
004320E5  |.  B>mov     ecx, 40
004320EA  |.  8>lea     edi, dword ptr ss:[esp+118]
004320F1  |.  F>rep     stosd
004320F3  |.  A>stosb
004320F4  |.  3>xor     eax, eax
004320F6  |>  8>/mov     byte ptr ss:[esp+eax+10], al
004320FA  |.  4>|inc     eax
004320FB  |.  3>|cmp     eax, 100
00432100  |.^ 7>\jb      short SpyEmerg.004320F6
00432102  |.  8>mov     edi, dword ptr ss:[ebp+14]
00432105  |.  3>xor     eax, eax
00432107  |.  3>xor     ecx, ecx
00432109  |.  8>test    edi, edi
0043210B  |.  7>je      short SpyEmerg.00432130
0043210D  |.  8>mov     esi, dword ptr ss:[ebp+10]
00432110  |>  3>/cmp     eax, edi
00432112  |.  7>|jnz     short SpyEmerg.00432116
00432114  |.  3>|xor     eax, eax
00432116  |>  8>|mov     dl, byte ptr ds:[eax+esi]
00432119  |.  4>|inc     eax
0043211A  |.  8>|mov     byte ptr ss:[esp+ecx+118], dl
00432121  |.  4>|inc     ecx
00432122  |.  8>|cmp     ecx, 100
00432128  |.^ 7>\jb      short SpyEmerg.00432110
0043212A  |.  E>jmp     short SpyEmerg.0043214E
0043212C  |   8>lea     esp, dword ptr ss:[esp]
00432130  |>  8>/cmp     eax, 10
00432133  |.  7>|jnz     short SpyEmerg.00432137
00432135  |.  3>|xor     eax, eax
00432137  |>  8>|mov     dl, byte ptr ds:[eax+4E0F90]
0043213D  |.  4>|inc     eax
0043213E  |.  8>|mov     byte ptr ss:[esp+ecx+118], dl
00432145  |.  4>|inc     ecx
00432146  |.  8>|cmp     ecx, 100
0043214C  |.^ 7>\jb      short SpyEmerg.00432130
0043214E  |>  3>xor     esi, esi
00432150  |.  3>xor     eax, eax
00432152  |>  8>/mov     cl, byte ptr ss:[esp+eax+10]
00432156  |.  3>|xor     edx, edx
00432158  |.  8>|mov     dl, byte ptr ss:[esp+eax+118]
0043215F  |.  3>|xor     ebx, ebx
00432161  |.  8>|mov     bl, cl
00432163  |.  8>|add     eax, 4
00432166  |.  0>|add     ebx, esi
00432168  |.  0>|add     edx, ebx
0043216A  |.  8>|and     edx, 0FF
00432170  |.  8>|mov     esi, edx
00432172  |.  8>|mov     dl, byte ptr ss:[esp+esi+10]
00432176  |.  8>|mov     byte ptr ss:[esp+eax+C], dl
0043217A  |.  8>|mov     byte ptr ss:[esp+esi+10], cl
0043217E  |.  8>|mov     cl, byte ptr ss:[esp+eax+D]
00432182  |.  3>|xor     edx, edx
00432184  |.  8>|mov     dl, byte ptr ss:[esp+eax+115]
0043218B  |.  3>|xor     ebx, ebx
0043218D  |.  8>|mov     bl, cl
0043218F  |.  0>|add     ebx, esi
00432191  |.  0>|add     edx, ebx
00432193  |.  8>|and     edx, 0FF
00432199  |.  8>|mov     esi, edx
0043219B  |.  8>|mov     dl, byte ptr ss:[esp+esi+10]
0043219F  |.  8>|mov     byte ptr ss:[esp+eax+D], dl
004321A3  |.  8>|mov     byte ptr ss:[esp+esi+10], cl
004321A7  |.  8>|mov     cl, byte ptr ss:[esp+eax+E]
004321AB  |.  3>|xor     edx, edx
004321AD  |.  8>|mov     dl, byte ptr ss:[esp+eax+116]
004321B4  |.  3>|xor     ebx, ebx
004321B6  |.  8>|mov     bl, cl
004321B8  |.  0>|add     ebx, esi
004321BA  |.  0>|add     edx, ebx
004321BC  |.  8>|and     edx, 0FF
004321C2  |.  8>|mov     esi, edx
004321C4  |.  8>|mov     dl, byte ptr ss:[esp+esi+10]
004321C8  |.  8>|mov     byte ptr ss:[esp+eax+E], dl
004321CC  |.  8>|mov     byte ptr ss:[esp+esi+10], cl
004321D0  |.  8>|mov     cl, byte ptr ss:[esp+eax+F]
004321D4  |.  3>|xor     edx, edx
004321D6  |.  8>|mov     dl, byte ptr ss:[esp+eax+117]
004321DD  |.  3>|xor     ebx, ebx
004321DF  |.  8>|mov     bl, cl
004321E1  |.  0>|add     ebx, esi
004321E3  |.  0>|add     edx, ebx
004321E5  |.  8>|and     edx, 0FF
004321EB  |.  3>|cmp     eax, 100
004321F0  |.  8>|mov     esi, edx
004321F2  |.  8>|mov     dl, byte ptr ss:[esp+esi+10]
004321F6  |.  8>|mov     byte ptr ss:[esp+eax+F], dl
004321FA  |.  8>|mov     byte ptr ss:[esp+esi+10], cl
004321FE  |.^ 0>\jb      SpyEmerg.00432152
00432204  |.  8>mov     ecx, dword ptr ss:[ebp+C]
////////////////////////////////////////////////////////////////////
//生成字典，应该是固定的吧
//00119ED8 19 CB 60 C1 C5 5F 67 C0 5D 70 0D 4E 3D E0 58 69
//00119EE8 9B 15 06 55 F0 5A D2 1E 0B 3B E2 F2 2F 77 44 6B
//00119EF8 AC BB 05 84 37 F1 6A 22 87 EA B8 99 8D 53 51 76
//00119F08 20 2E 66 DB 79 9A 75 6F 28 42 E1 93 CF 31 40 F5
//00119F18 A2 36 FA 3F D5 88 41 C3 4F 18 68 ED 5C 03 08 61
//00119F28 D6 91 BC FE E8 34 17 7F C2 97 04 A6 BD 57 81 89
//00119F38 0E 7C 13 62 AF A0 39 F9 8A B5 B7 B4 EB EE F4 48
//00119F48 82 7B 95 09 6E 86 CD 1F DC 71 E6 83 D4 AD 8E 07
//00119F58 B0 B1 F6 DE 52 59 3A 3C 6D 92 0A CE 49 74 54 C8
//00119F68 94 2C 32 AE 33 BA FC FD 78 1C E3 2D 29 AA 56 5E
//00119F78 D8 27 96 A8 4A 16 BE 64 B2 26 25 02 D7 5B 43 23
//00119F88 12 6C 30 1D A5 73 F3 21 98 01 24 BF C9 EC CA DD
//00119F98 A1 C4 50 14 E5 8B 8C 4D 4C 10 F7 B3 A9 7A E9 FB
//00119FA8 CC B9 9C 72 E7 2B 7D D3 3E 47 11 A4 AB 2A DA 9E
//00119FB8 80 A7 D0 F8 65 46 63 0C 1A D1 B6 00 EF 35 FF 0F
//00119FC8 7E E4 8F 38 90 45 C6 85 1B A3 DF D9 9D C7 9F 4B
//00119FD8 00 EE 92 7C C8 6A 94 7C E5 E5 93 9D C1 95 94 C0
/////////////////////////////////////////////////////////////
00432207  |.  3>xor     edi, edi
00432209  |.  3>xor     esi, esi
0043220B  |.  3>xor     eax, eax
0043220D  |.  8>test    ecx, ecx
0043220F  |.  7>jbe     short SpyEmerg.0043225B
00432211  |.  8>mov     edx, dword ptr ss:[ebp+8]
00432214  |>  3>/xor     ebx, ebx
00432216  |.  4>|inc     esi
00432217  |.  8>|and     esi, 0FF
0043221D  |.  8>|mov     cl, byte ptr ss:[esp+esi+10]
00432221  |.  8>|mov     bl, cl
00432223  |.  0>|add     ebx, edi
00432225  |.  8>|and     ebx, 0FF
0043222B  |.  8>|mov     edi, ebx
0043222D  |.  8>|mov     bl, byte ptr ss:[esp+edi+10]
00432231  |.  8>|mov     byte ptr ss:[esp+esi+10], bl
00432235  |.  3>|xor     ebx, ebx
00432237  |.  8>|mov     byte ptr ss:[esp+edi+10], cl
0043223B  |.  8>|mov     bl, byte ptr ss:[esp+esi+10]
0043223F  |.  0>|add     ebx, ecx
00432241  |.  8>|and     ebx, 0FF
00432247  |.  8>|mov     cl, byte ptr ss:[esp+ebx+10]
0043224B  |.  8>|mov     bl, byte ptr ds:[eax+edx]
0043224E  |.  3>|xor     bl, cl
00432250  |.  8>|mov     ecx, dword ptr ss:[ebp+C]
00432253  |.  8>|mov     byte ptr ds:[eax+edx], bl
00432256  |.  4>|inc     eax
00432257  |.  3>|cmp     eax, ecx
00432259  |.^ 7>\jb      short SpyEmerg.00432214
/////////////////////////////////////////////////////////////
//通过字典和目标字符串做xor运算
//for (int i = 0; i < cs.length; i++)
// {
//  hs1 = (map.key[i + 1] + hs1) & 0xFF;
//  hs2 = (map.key[hs1] + map.key[i + 1]) & 0xFF;
//  int tmp = map.key[i + 1];
//  map.key[i + 1] = map.key[hs1];
//  map.key[hs1 & 0xFF] = tmp;
//  hs3 = map.key[hs2] ^ cs[i];
// }
////////////////////////////////////////////////////////////
0043225B  |>  5>pop     edi
0043225C  |.  5>pop     esi
0043225D  |.  5>pop     ebx
0043225E  |.  8>mov     esp, ebp
00432260  |.  5>pop     ebp
00432261  \.  C>ret

/////////////////////////////////////////////////////////////////////////////
Serial key = case(md5_text("md5_hex(dict(name+8b3zo))-md5_hex(dict(email+c6ete))-md5_hex(dict(224492502))"))

Build: 2.0.310.0
Name: HUNTER-BOY
Email: draw.dragon@msn.com
Serial key: F9C67D4-EF264D3-5ACDA0F-9F8A118B

附件中是一点java代码,由于自己的水平很菜，main时只能获得待md5的hex string 和 text string
的md5 hash，我自己是用论坛提供的HashCalc.exe获得hex string 的 md5 hash的，另外没有写字典的生成过程，
只是将字典直接拷贝进来了。工作太忙，好久没有写东西了，动手了才发现自己要学习的东西是多么的多呀

附件:java_code.rar