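【Title】: Clever Boxman 2.50 Registration Algorithm Analysis
【Author】: KuNgBiM[DFCG]
【Author E-mail】: gb_1227@163.com
【Software Name】: Clever Boxman 2.50
【Software Size】: 823 KB
【Software Language】: English
【Software Category】: Foreign software / Shareware / Games & Entertainment
【Date Compiled】: 2005-11-06
【Download URL】: http://www.8848soft.com/d1/cleverboxman_setup.exe
【Software Description】: Clever Box Man V2.50 is a fun logic and strategy puzzle board game, it's a brain teaser featuring the clever porter Box Man, it has beautiful sceneries, orphan background music and sound. This game is very easy to operate but maybe very difficult to solve, it's really a great challenge to your brain! Fun for the whole family.
【Protection】: Registration code + startup nag screen + 15-day trial limit
【Compiler】: Microsoft Visual C++ 6.0
【Debugging Environment】: WinXP, PEiD, Ollydbg
【Crack Date】: 2005-11-06
【Purpose】: Studying algorithm analysis
【Author's Statement】: I am new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!
—————————————————————————————————
【Cracking Process】:
Detection: Checked with PEiD; no packer, compiled with Microsoft Visual C++ 6.0.
Probing: Run the main program and register with a trial code, then confirm. The program reports: "Registration Code Error!"
Treatment: Load the main program in Ollydbg, set a breakpoint from the command bar: bpx MessageBoxA, press Enter, press F9 to run, and enter the trial information:
******************* Trial Information ********************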
Registration Name:KuNgBiM
Enter your registered Code:1111-2222-3333-4444
*************************************************
00428233 53 push ebx
00428234 57 push edi
00428235 FF75 08 push dword ptr ss:[ebp+8]
00428238 FF75 F4 push dword ptr ss:[ebp-C]
0042823B FF15 D8644300 call dword ptr ds:[<&USER32.MessageBoxA>] ; breaks here; press Alt+F9 to return!
00428241 85F6 test esi,esi
00428243 8BF8 mov edi,eax
00428245 74 05 je short BoxMan.0042824C
........
Returned to:
0040DE00 64:A1 00000000 mov eax,dword ptr fs:[0] ; set a breakpoint here with F2! Ctrl+F2 to reload the program!
0040DE06 6A FF push -1
0040DE08 68 18484300 push BoxMan.00434818
0040DE0D 50 push eax
0040DE0E 64:8925 0000000>mov dword ptr fs:[0],esp
0040DE15 83EC 1C sub esp,1C
0040DE18 53 push ebx
0040DE19 56 push esi
0040DE1A 8BF1 mov esi,ecx
0040DE1C BB 01000000 mov ebx,1
0040DE21 57 push edi
0040DE22 8B86 34010000 mov eax,dword ptr ds:[esi+134]
0040DE28 3BC3 cmp eax,ebx
0040DE2A 0F8D BC010000 jge BoxMan.0040DFEC
0040DE30 55 push ebp
0040DE31 40 inc eax
0040DE32 53 push ebx
0040DE33 8986 34010000 mov dword ptr ds:[esi+134],eax
0040DE39 E8 74690100 call BoxMan.004247B2
0040DE3E 8D86 24010000 lea eax,dword ptr ds:[esi+124]
0040DE44 8DBE 20010000 lea edi,dword ptr ds:[esi+120]
0040DE4A 50 push eax
0040DE4B 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040DE4F 57 push edi
0040DE50 51 push ecx
0040DE51 E8 69400100 call BoxMan.00421EBF
0040DE56 8D96 28010000 lea edx,dword ptr ds:[esi+128]
0040DE5C C74424 34 00000>mov dword ptr ss:[esp+34],0
0040DE64 52 push edx
0040DE65 50 push eax
0040DE66 8D4424 20 lea eax,dword ptr ss:[esp+20]
0040DE6A 50 push eax
0040DE6B E8 4F400100 call BoxMan.00421EBF
0040DE70 8D8E 2C010000 lea ecx,dword ptr ds:[esi+12C]
0040DE76 8D5424 14 lea edx,dword ptr ss:[esp+14]
0040DE7A 51 push ecx
0040DE7B 50 push eax
0040DE7C 52 push edx
0040DE7D 885C24 40 mov byte ptr ss:[esp+40],bl
0040DE81 E8 39400100 call BoxMan.00421EBF
0040DE86 50 push eax
0040DE87 8BCF mov ecx,edi
0040DE89 C64424 38 02 mov byte ptr ss:[esp+38],2
0040DE8E E8 773F0100 call BoxMan.00421E0A
0040DE93 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040DE97 885C24 34 mov byte ptr ss:[esp+34],bl
0040DE9B E8 7D3E0100 call BoxMan.00421D1D
0040DEA0 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040DEA4 C64424 34 00 mov byte ptr ss:[esp+34],0
0040DEA9 E8 6F3E0100 call BoxMan.00421D1D
0040DEAE 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040DEB2 C74424 34 FFFFF>mov dword ptr ss:[esp+34],-1
0040DEBA E8 5E3E0100 call BoxMan.00421D1D
0040DEBF 68 885A4400 push BoxMan.00445A88
0040DEC4 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040DEC8 E8 BE3E0100 call BoxMan.00421D8B
0040DECD 8D86 1C010000 lea eax,dword ptr ds:[esi+11C]
0040DED3 BB 03000000 mov ebx,3
0040DED8 50 push eax
0040DED9 8D4424 24 lea eax,dword ptr ss:[esp+24]
0040DEDD 50 push eax
0040DEDE B9 88594400 mov ecx,BoxMan.00445988
0040DEE3 895C24 3C mov dword ptr ss:[esp+3C],ebx
0040DEE7 E8 74080000 call BoxMan.0040E760 ; ★ user name check CALL ★ F7 to step in
0040DEEC 50 push eax
0040DEED 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040DEF1 C64424 38 04 mov byte ptr ss:[esp+38],4
0040DEF6 E8 0F3F0100 call BoxMan.00421E0A
0040DEFB 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040DEFF 885C24 34 mov byte ptr ss:[esp+34],bl
0040DF03 E8 153E0100 call BoxMan.00421D1D ; the first 2 characters of the user name, uppercased, are concatenated with "asfwfawefaefawfawfaf"
0040DF08 8B4424 10 mov eax,dword ptr ss:[esp+10] ; ASCII "KUasfwfawefaefawfawfaf"
0040DF0C 8B48 F8 mov ecx,dword ptr ds:[eax-8] ; get the length of the combined computation name, ds:[00BEBD90]=00000016
0040DF0F 51 push ecx ; ecx=00000016 (22 characters)
0040DF10 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040DF14 50 push eax ; push the computation name, ASCII "KUasfwfawefaefawfawfaf"
0040DF15 51 push ecx
0040DF16 E8 65CFFFFF call BoxMan.0040AE80 ; ★ important CALL ★ F7 to step in
0040DF1B 83C4 0C add esp,0C
0040DF1E 50 push eax
0040DF1F 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040DF23 C64424 38 05 mov byte ptr ss:[esp+38],5
0040DF28 E8 DD3E0100 call BoxMan.00421E0A
0040DF2D 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0040DF31 885C24 34 mov byte ptr ss:[esp+34],bl
0040DF35 E8 E33D0100 call BoxMan.00421D1D
0040DF3A 8D5424 28 lea edx,dword ptr ss:[esp+28]
0040DF3E 6A 10 push 10
0040DF40 52 push edx
0040DF41 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040DF45 E8 01020100 call BoxMan.0041E14B
0040DF4A 50 push eax
0040DF4B 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040DF4F C64424 38 06 mov byte ptr ss:[esp+38],6
0040DF54 E8 B13E0100 call BoxMan.00421E0A
0040DF59 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040DF5D 885C24 34 mov byte ptr ss:[esp+34],bl
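0040DF61 E8 B73D0100 call BoxMan.00421D1D ; get the fake registration code entered by the user
0040DF66 8B2F mov ebp,dword ptr ds:[edi] ; load the fake code, ASCII "1111222233334444"
0040DF68 8B4424 10 mov eax,dword ptr ss:[esp+10] ; fetch the real registration code, ready to compare with the fake code! ASCII "89ecc085789cd0cc"
0040DF6C 8A10 mov dl,byte ptr ds:[eax] ; start the character-by-character comparison loop!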
0040DF6E 8A5D 00 mov bl,byte ptr ss:[ebp]
0040DF71 8ACA mov cl,dl
0040DF73 3AD3 cmp dl,bl
0040DF75 75 1E jnz short BoxMan.0040DF95 ; if not equal, stop comparing!
0040DF77 84C9 test cl,cl
0040DF79 74 16 je short BoxMan.0040DF91 ; if the comparison has finished, continue to the next step!
0040DF7B 8A50 01 mov dl,byte ptr ds:[eax+1]
0040DF7E 8A5D 01 mov bl,byte ptr ss:[ebp+1]
0040DF81 8ACA mov cl,dl
0040DF83 3AD3 cmp dl,bl
0040DF85 75 0E jnz short BoxMan.0040DF95 ; anti-patching: compare again, same principle as above!
0040DF87 83C0 02 add eax,2
0040DF8A 83C5 02 add ebp,2
0040DF8D 84C9 test cl,cl
0040DF8F ^ 75 DB jnz short BoxMan.0040DF6C ; back to the start of the loop
0040DF91 33C0 xor eax,eax ; zero the comparison value with xor!
0040DF93 EB 05 jmp short BoxMan.0040DF9A
0040DF95 1BC0 sbb eax,eax
0040DF97 83D8 FF sbb eax,-1
0040DF9A 85C0 test eax,eax
0040DF9C 5D pop ebp
0040DF9D C74424 30 FFFFF>mov dword ptr ss:[esp+30],-1 ; registration info is about to be written to the registry
0040DFA5 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; ASCII "\8848soft,inc.\Clever Boxman\MapNowInfo"
0040DFA9 75 27 jnz short BoxMan.0040DFD2 ; key comparison! If the jump is taken, it's Game Over!
0040DFAB E8 6D3D0100 call BoxMan.00421D1D
0040DFB0 6A 00 push 0
0040DFB2 6A 00 push 0
0040DFB4 68 901D4400 push BoxMan.00441D90 ; ASCII "Registration finished,thank for your registration!"
0040DFB9 E8 B2A20100 call BoxMan.00428270
0040DFBE 8D86 1C010000 lea eax,dword ptr ds:[esi+11C]
0040DFC4 57 push edi
0040DFC5 50 push eax
0040DFC6 B9 88594400 mov ecx,BoxMan.00445988
0040DFCB E8 A0050000 call BoxMan.0040E570
0040DFD0 EB 13 jmp short BoxMan.0040DFE5
0040DFD2 E8 463D0100 call BoxMan.00421D1D
0040DFD7 6A 00 push 0
0040DFD9 6A 00 push 0
0040DFDB 68 741D4400 push BoxMan.00441D74 ; ASCII "Registration Code Error!"
0040DFE0 E8 8BA20100 call BoxMan.00428270
0040DFE5 8BCE mov ecx,esi
0040DFE7 E8 E2290100 call BoxMan.004209CE ; returned here; look upward for a suitable place to set a breakpoint!
0040DFEC 8B4C24 28 mov ecx,dword ptr ss:[esp+28]
0040DFF0 5F pop edi
0040DFF1 5E pop esi
0040DFF2 5B pop ebx
0040DFF3 64:890D 0000000>mov dword ptr fs:[0],ecx
0040DFFA 83C4 28 add esp,28
0040DFFD C3 retn ; return to the program's running interface
........
========================= Stepping into 0040DEE7 E8 74080000 call BoxMan.0040E760 =========================
0040E760 6A FF push -1 ; stepping in lands here
0040E762 68 3F494300 push BoxMan.0043493F
0040E767 64:A1 00000000 mov eax,dword ptr fs:[0]
0040E76D 50 push eax
0040E76E 64:8925 0000000>mov dword ptr fs:[0],esp
0040E775 83EC 0C sub esp,0C
0040E778 8B4424 20 mov eax,dword ptr ss:[esp+20]
0040E77C 53 push ebx
0040E77D 56 push esi
0040E77E 50 push eax
0040E77F 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040E783 C74424 14 00000>mov dword ptr ss:[esp+14],0
0040E78B E8 02330100 call BoxMan.00421A92
0040E790 BB 01000000 mov ebx,1
0040E795 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040E799 895C24 1C mov dword ptr ss:[esp+1C],ebx
0040E79D E8 28FE0000 call BoxMan.0041E5CA ; get the user name
0040E7A2 8D4C24 28 lea ecx,dword ptr ss:[esp+28] ; ASCII "KuNgBiM"
0040E7A6 E8 D3FD0000 call BoxMan.0041E57E
0040E7AB 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040E7AF E8 C9390100 call BoxMan.0042217D ; convert all lowercase characters of the user name to uppercase
0040E7B4 6A 42 push 42 ; ASCII "KUNGBIM"
0040E7B6 6A 2E push 2E
0040E7B8 8D4C24 30 lea ecx,dword ptr ss:[esp+30] ; after the conversion, reload ecx
0040E7BC E8 D1F80000 call BoxMan.0041E092
0040E7C1 6A 42 push 42
0040E7C3 6A 20 push 20
0040E7C5 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
0040E7C9 E8 C4F80000 call BoxMan.0041E092 ; get the converted user name
0040E7CE 8B4C24 28 mov ecx,dword ptr ss:[esp+28] ; ASCII "KUNGBIM"
0040E7D2 8B41 F8 mov eax,dword ptr ds:[ecx-8] ; get the user name length, ds:[00BEBE80]=00000007
0040E7D5 83F8 02 cmp eax,2 ; compare the user name length with 2
0040E7D8 7E 4C jle short BoxMan.0040E826 ; if the length is less than or equal to 2, jump to the built-in user name
0040E7DA 8D5424 0C lea edx,dword ptr ss:[esp+C]
0040E7DE 6A 02 push 2 ; push 2 (number of user name characters to take)
0040E7E0 52 push edx
0040E7E1 8D4C24 30 lea ecx,dword ptr ss:[esp+30] ; take the first 2 characters of the converted user name, ASCII "KUNGBIM"
0040E7E5 E8 61F90000 call BoxMan.0041E14B ; fetch the fixed string
0040E7EA 68 EC1E4400 push BoxMan.00441EEC ; ASCII "asfwfawefaefawfawfaf"
0040E7EF 50 push eax
0040E7F0 8D4424 10 lea eax,dword ptr ss:[esp+10]
0040E7F4 C64424 24 02 mov byte ptr ss:[esp+24],2
0040E7F9 50 push eax
0040E7FA E8 26370100 call BoxMan.00421F25
0040E7FF 50 push eax
0040E800 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040E804 C64424 20 03 mov byte ptr ss:[esp+20],3
0040E809 E8 FC350100 call BoxMan.00421E0A
0040E80E 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040E812 C64424 1C 02 mov byte ptr ss:[esp+1C],2
0040E817 E8 01350100 call BoxMan.00421D1D
0040E81C 885C24 1C mov byte ptr ss:[esp+1C],bl
0040E820 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040E824 EB 58 jmp short BoxMan.0040E87E
0040E826 68 E81E4400 push BoxMan.00441EE8 ; the program uses its built-in user name "AA" for the calculation, ASCII "AA"
0040E82B 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040E82F E8 38380100 call BoxMan.0042206C
0040E834 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040E838 6A 02 push 2
0040E83A 51 push ecx
0040E83B 8D4C24 30 lea ecx,dword ptr ss:[esp+30] ; take the built-in user name, ASCII "AA"
0040E83F E8 07F90000 call BoxMan.0041E14B ; fetch the fixed string
0040E844 68 D01E4400 push BoxMan.00441ED0 ; ASCII "rfwefawefawefaefawefa"
0040E849 8D5424 10 lea edx,dword ptr ss:[esp+10]
0040E84D 50 push eax
0040E84E 52 push edx
0040E84F C64424 28 04 mov byte ptr ss:[esp+28],4
0040E854 E8 CC360100 call BoxMan.00421F25
0040E859 50 push eax
0040E85A 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040E85E C64424 20 05 mov byte ptr ss:[esp+20],5
0040E863 E8 A2350100 call BoxMan.00421E0A
0040E868 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040E86C C64424 1C 04 mov byte ptr ss:[esp+1C],4
0040E871 E8 A7340100 call BoxMan.00421D1D
0040E876 885C24 1C mov byte ptr ss:[esp+1C],bl
0040E87A 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040E87E E8 9A340100 call BoxMan.00421D1D
0040E883 8B7424 24 mov esi,dword ptr ss:[esp+24]
0040E887 8D4424 28 lea eax,dword ptr ss:[esp+28]
0040E88B 50 push eax
0040E88C 8BCE mov ecx,esi
0040E88E E8 FF310100 call BoxMan.00421A92
0040E893 895C24 10 mov dword ptr ss:[esp+10],ebx
0040E897 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040E89B C64424 1C 00 mov byte ptr ss:[esp+1C],0
0040E8A0 E8 78340100 call BoxMan.00421D1D
0040E8A5 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
0040E8A9 8BC6 mov eax,esi
0040E8AB 5E pop esi
0040E8AC 5B pop ebx
0040E8AD 64:890D 0000000>mov dword ptr fs:[0],ecx
0040E8B4 83C4 18 add esp,18
0040E8B7 C2 0800 retn 8 ; user name extraction and concatenation done; return
........
========================= Stepping into 0040DF16 E8 65CFFFFF call BoxMan.0040AE80 =========================
0040AE80 6A FF push -1 ; stepping in lands here
0040AE82 68 C8464300 push BoxMan.004346C8
0040AE87 64:A1 00000000 mov eax,dword ptr fs:[0] ; fetch the computation name, ASCII "KUasfwfawefaefawfawfaf"
0040AE8D 50 push eax
0040AE8E 64:8925 0000000>mov dword ptr fs:[0],esp
0040AE95 83EC 60 sub esp,60
0040AE98 56 push esi
0040AE99 8B7424 7C mov esi,dword ptr ss:[esp+7C] ; get the computation name length
0040AE9D 57 push edi
0040AE9E 8B7C24 7C mov edi,dword ptr ss:[esp+7C] ; get the computation name
0040AEA2 6A 00 push 0
0040AEA4 56 push esi ; esi=00000016 (22 characters)
0040AEA5 57 push edi ; edi=00BEBD98, (ASCII "KUasfwfawefaefawfawfaf")
0040AEA6 C74424 14 00000>mov dword ptr ss:[esp+14],0
0040AEAE E8 B93B0100 call BoxMan.0041EA6C
0040AEB3 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040AEB7 E8 A40A0000 call BoxMan.0040B960 ; ★ loads the standard MD5 constants ★ F7 to step in
0040AEBC 56 push esi
0040AEBD 57 push edi
0040AEBE 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040AEC2 C74424 78 00000>mov dword ptr ss:[esp+78],0
0040AECA E8 810C0000 call BoxMan.0040BB50 ; ★ calls the standard MD5 algorithm routine ★ F7 to step in
0040AECF 8B7424 78 mov esi,dword ptr ss:[esp+78]
0040AED3 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040AED7 56 push esi
0040AED8 E8 130B0000 call BoxMan.0040B9F0 ; ★ transforms the computation name with standard MD5 ★
0040AEDD 8B4C24 68 mov ecx,dword ptr ss:[esp+68]
0040AEE1 8BC6 mov eax,esi
0040AEE3 5F pop edi
0040AEE4 5E pop esi
0040AEE5 64:890D 0000000>mov dword ptr fs:[0],ecx
0040AEEC 83C4 6C add esp,6C
0040AEEF C3 retn ; calculation done; return to the program
........
========================= Stepping into 0040AEB7 E8 A40A0000 call BoxMan.0040B960 =========================
0040B960 8BD1 mov edx,ecx ; the standard MD5 constants follow
0040B962 57 push edi
0040B963 B9 10000000 mov ecx,10
0040B968 33C0 xor eax,eax
0040B96A 8D7A 04 lea edi,dword ptr ds:[edx+4]
0040B96D C702 88744300 mov dword ptr ds:[edx],BoxMan.00437488
0040B973 F3:AB rep stos dword ptr es:[edi]
0040B975 8942 48 mov dword ptr ds:[edx+48],eax
0040B978 8942 44 mov dword ptr ds:[edx+44],eax
0040B97B C742 4C 0123456>mov dword ptr ds:[edx+4C],67452301
0040B982 C742 50 89ABCDE>mov dword ptr ds:[edx+50],EFCDAB89
0040B989 C742 54 FEDCBA9>mov dword ptr ds:[edx+54],98BADCFE
0040B990 C742 58 7654321>mov dword ptr ds:[edx+58],10325476
0040B997 8BC2 mov eax,edx
0040B999 5F pop edi
0040B99A C3 retn
........
========================= Stepping into 0040AECA E8 810C0000 call BoxMan.0040BB50 =========================
0040BB50 53 push ebx ; the standard MD5 transform mechanism follows
0040BB51 8BD9 mov ebx,ecx
0040BB53 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
0040BB57 55 push ebp
0040BB58 8B53 44 mov edx,dword ptr ds:[ebx+44]
0040BB5B 56 push esi
0040BB5C 8BC2 mov eax,edx
0040BB5E 8D34CD 00000000 lea esi,dword ptr ds:[ecx*8]
0040BB65 C1E8 03 shr eax,3
0040BB68 8D14CA lea edx,dword ptr ds:[edx+ecx*8]
0040BB6B 83E0 3F and eax,3F
0040BB6E 3BD6 cmp edx,esi
0040BB70 57 push edi
0040BB71 8953 44 mov dword ptr ds:[ebx+44],edx
0040BB74 73 03 jnb short BoxMan.0040BB79
0040BB76 FF43 48 inc dword ptr ds:[ebx+48]
0040BB79 8B7B 48 mov edi,dword ptr ds:[ebx+48]
0040BB7C 8BD1 mov edx,ecx
0040BB7E BD 40000000 mov ebp,40
0040BB83 C1EA 1D shr edx,1D
0040BB86 2BE8 sub ebp,eax
0040BB88 03FA add edi,edx
0040BB8A 3BCD cmp ecx,ebp
0040BB8C 897B 48 mov dword ptr ds:[ebx+48],edi
0040BB8F 72 52 jb short BoxMan.0040BBE3
0040BB91 8B7424 14 mov esi,dword ptr ss:[esp+14]
0040BB95 8BCD mov ecx,ebp
0040BB97 8D7C18 04 lea edi,dword ptr ds:[eax+ebx+4]
0040BB9B 8BC1 mov eax,ecx
0040BB9D C1E9 02 shr ecx,2
0040BBA0 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040BBA2 8BC8 mov ecx,eax
0040BBA4 83E1 03 and ecx,3
0040BBA7 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0040BBA9 8D4B 04 lea ecx,dword ptr ds:[ebx+4]
0040BBAC 51 push ecx
0040BBAD 8BCB mov ecx,ebx
0040BBAF E8 8CF3FFFF call BoxMan.0040AF40
0040BBB4 8BFD mov edi,ebp
0040BBB6 8D75 3F lea esi,dword ptr ss:[ebp+3F]
0040BBB9 8B6C24 18 mov ebp,dword ptr ss:[esp+18]
0040BBBD 3BF5 cmp esi,ebp
0040BBBF 73 1A jnb short BoxMan.0040BBDB
0040BBC1 8B5424 14 mov edx,dword ptr ss:[esp+14]
0040BBC5 8BCB mov ecx,ebx
0040BBC7 8D4432 C1 lea eax,dword ptr ds:[edx+esi-3F]
0040BBCB 50 push eax
0040BBCC E8 6FF3FFFF call BoxMan.0040AF40
0040BBD1 83C6 40 add esi,40
0040BBD4 83C7 40 add edi,40
0040BBD7 3BF5 cmp esi,ebp
0040BBD9 ^ 72 E6 jb short BoxMan.0040BBC1
0040BBDB 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0040BBDF 33C0 xor eax,eax
0040BBE1 EB 02 jmp short BoxMan.0040BBE5
0040BBE3 33FF xor edi,edi
0040BBE5 8B5424 14 mov edx,dword ptr ss:[esp+14]
0040BBE9 2BCF sub ecx,edi
0040BBEB 8D3417 lea esi,dword ptr ds:[edi+edx]
0040BBEE 8D7C18 04 lea edi,dword ptr ds:[eax+ebx+4]
0040BBF2 8BC1 mov eax,ecx
0040BBF4 C1E9 02 shr ecx,2
0040BBF7 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040BBF9 8BC8 mov ecx,eax
0040BBFB 83E1 03 and ecx,3
0040BBFE F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0040BC00 5F pop edi
0040BC01 5E pop esi
0040BC02 5D pop ebp
0040BC03 5B pop ebx
0040BC04 C2 0800 retn 8
........
-------------------------------------------------------------------------------------------------------------------------
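【Algorithm Summary】:
The registration check is very simple:
1. The registration code is fixed at 16 characters.
2. Convert all lowercase characters of the user name to uppercase; call the result N1.
3. Concatenate the first two characters of N1 with the key "asfwfawefaefawfawfaf" to form the computation name; call the result N2.
(Note: if the user name is 2 characters or shorter, the program's fixed user name "AA" is used as the user name, and the key becomes: rfwefawefawefaefawefa)
5. Run the standard MD5 transform on N2; call the result KEY.
6. Take the first 16 characters of KEY, output in lowercase, as the registration code; call the result SN.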
-------------------------------------------------------------------------------------------------------------------------
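As a design contrast to the scheme summarised above, where the client derives the expected code itself from the name and an embedded string and leaves it readable in memory at 0040DF68, the following added example (not from the original post and not the software's code) sketches a license check in which the client only verifies a signature with public values. The function names, the name normalisation and the toy-sized RSA parameters are assumptions chosen so that it runs on the Python standard library alone; a real product would use a vetted library with Ed25519 or RSA-PSS.

```python
import hashlib

# Constructed demo key: two Mersenne primes give a ~150-bit modulus.
# Far too small for real use; it only keeps the example stdlib-only.
# P and Q stay with the vendor; the shipped client contains only N and E.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537


def _digest(name: str) -> int:
    """Hash the normalised licensee name to an integer below N.

    Unpadded hashing is a simplification of this sketch; production
    signature schemes add padding (for example RSA-PSS).
    """
    data = name.strip().upper().encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def vendor_issue(name: str) -> str:
    """Vendor side only: signing needs the private exponent."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return format(pow(_digest(name), d, N), "x")


def client_verify(name: str, code: str) -> bool:
    """Client side: checks a code using only the public N and E.

    The client never computes a valid code, so there is no correct
    value sitting in memory to read during the comparison.
    """
    try:
        sig = int(code.replace("-", ""), 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(name)


if __name__ == "__main__":
    code = vendor_issue("Example User")  # constructed sample licensee
    print(client_verify("Example User", code))   # valid pair
    print(client_verify("Other User", code))     # code bound to another name
```

Verification of this kind can still be bypassed by patching the branch that consumes its result, so it removes the ability to derive codes from the binary, not the need for integrity protection.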
【Keygen】:
The algorithm is already very clear, so I won't write a keygen; try it yourself, it's quite simple...
【Registration Information】:
Registration Name:KuNgBiM
Enter your registered Code:89ec-c085-789c-d0cc
--------------------------------------------------------------------------------------------
Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------------------------
Cracked By KuNgBiM[DFCG]
2005-11-06
03:23:33 AM