【Title】: ABAQUS 6.7, an incomplete analysis
【Author】: fangawxs
【Author e-mail】: fangawxs@163.com
【Software】: ABAQUS 6.7
【Size】: 584 MB
【Download】: search for it yourself
【Packer】: none
【Protection】: FlexLM + Blowfish verification
【Tools】: IDA, OllyDbg, FlexLM SDK 10.8
【Details】
I can't write crack tutorials, so I have always lurked and never dared to post; by now I am a veteran lurker. Lately I happened to feel like playing with FlexLM, I had this software on hand, and the license floating around online happened to be missing one feature, so it made a good target.
After reading the write-ups of laoqian and the other masters I quickly found the key point, which shows how valuable the knowledge of those who came before is.
I used this method to locate the seeds:
Search for the instruction mov dword ptr [ebp-1BC], 3D4DA1D6
Set a breakpoint there, scroll up to the first call you find and set a breakpoint on it; that function returns seed1.
Scroll further up to the first je, change the je to jne, set a breakpoint,
then run again, and execution will reach the instruction mov dword ptr [ebp-1BC], 3D4DA1D6.
The key is the first call above it, then the first je above that; change that je to jne, because otherwise execution never reaches
mov dword ptr [ebp-1BC], 3D4DA1D6
Naturally, mov dword ptr [ebp-1C0], 3D4DA1D6 is seed2.
However, when I tried this method on other programs it did not seem to work, so perhaps I just happened to pick a soft target. Does anyone have a quick way of finding the seeds?
First, change the entry point of the vendor daemon abaquslm to int 3 so that it can be debugged with OllyDbg.
After loading, set breakpoints directly at 00422203 and 004223CB; seed1 and seed2 are found quickly.
.text:004221FE E8 1B 07 00 00 call sub_42291E
.text:00422203 83 C4 04 add esp, 4 ;eax=seed1
.text:00422206 89 85 44 FE FF FF mov [ebp+var_1BC], eax
.text:0042220C 8B 95 44 FE FF FF mov edx, [ebp+var_1BC]
.text:00422212 81 E2 FF 00 00 00 and edx, 0FFh
.text:00422218 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:0042221E 8A 08 mov cl, [eax]
.text:00422220 32 CA xor cl, dl
.text:00422222 8B 95 48 FE FF FF mov edx, [ebp+var_1B8]
.text:00422228 88 0A mov [edx], cl
.text:0042222A 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:00422230 83 C0 01 add eax, 1
.text:00422233 89 85 48 FE FF FF mov [ebp+var_1B8], eax
.text:00422239 81 BD 44 FE FF FF FF 00+ cmp [ebp+var_1BC], 0FFh
.text:00422243 7F 0C jg short loc_422251
.text:00422245 81 BD 44 FE FF FF 00 FF+ cmp [ebp+var_1BC], 0FFFFFF00h
.text:0042224F 7D 30 jge short loc_422281
.text:00422251
.text:00422251 loc_422251: ; CODE XREF: sub_421650+BF3j
.text:00422251 8B 8D 44 FE FF FF mov ecx, [ebp+var_1BC]
.text:00422257 C1 F9 08 sar ecx, 8
.text:0042225A 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00422260 8B 95 48 FE FF FF mov edx, [ebp+var_1B8]
.text:00422266 8A 02 mov al, [edx]
.text:00422268 32 C1 xor al, cl
.text:0042226A 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:00422270 88 01 mov [ecx], al
.text:00422272 8B 95 48 FE FF FF mov edx, [ebp+var_1B8]
.text:00422278 83 C2 01 add edx, 1
.text:0042227B 89 95 48 FE FF FF mov [ebp+var_1B8], edx
.text:00422281
.text:00422281 loc_422281: ; CODE XREF: sub_421650+BFFj
.text:00422281 81 BD 44 FE FF FF 00 7D+ cmp [ebp+var_1BC], 7D00h
.text:0042228B 7F 0C jg short loc_422299
.text:0042228D 81 BD 44 FE FF FF 00 83+ cmp [ebp+var_1BC], 0FFFF8300h
.text:00422297 7D 2F jge short loc_4222C8
.text:00422299
.text:00422299 loc_422299: ; CODE XREF: sub_421650+C3Bj
.text:00422299 8B 85 44 FE FF FF mov eax, [ebp+var_1BC]
.text:0042229F C1 F8 10 sar eax, 10h
.text:004222A2 25 FF 00 00 00 and eax, 0FFh
.text:004222A7 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:004222AD 8A 11 mov dl, [ecx]
.text:004222AF 32 D0 xor dl, al
.text:004222B1 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:004222B7 88 10 mov [eax], dl
.text:004222B9 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:004222BF 83 C1 01 add ecx, 1
.text:004222C2 89 8D 48 FE FF FF mov [ebp+var_1B8], ecx
.text:004222C8
.text:004222C8 loc_4222C8: ; CODE XREF: sub_421650+C47j
.text:004222C8 81 BD 44 FE FF FF 00 24+ cmp [ebp+var_1BC], 0F42400h
.text:004222D2 7F 0C jg short loc_4222E0
.text:004222D4 81 BD 44 FE FF FF 00 DC+ cmp [ebp+var_1BC], 0FF0BDC00h
.text:004222DE 7D 30 jge short loc_422310
.text:004222E0
.text:004222E0 loc_4222E0: ; CODE XREF: sub_421650+C82j
.text:004222E0 8B 95 44 FE FF FF mov edx, [ebp+var_1BC]
.text:004222E6 C1 FA 18 sar edx, 18h
.text:004222E9 81 E2 FF 00 00 00 and edx, 0FFh
.text:004222EF 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:004222F5 8A 08 mov cl, [eax]
.text:004222F7 32 CA xor cl, dl
.text:004222F9 8B 95 48 FE FF FF mov edx, [ebp+var_1B8]
.text:004222FF 88 0A mov [edx], cl
.text:00422301 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:00422307 83 C0 01 add eax, 1
.text:0042230A 89 85 48 FE FF FF mov [ebp+var_1B8], eax
.text:00422310
.text:00422310 loc_422310: ; CODE XREF: sub_421650+C8Ej
.text:00422310 C7 85 44 FE FF FF D6 A1+ mov [ebp+var_1BC], 3D4DA1D6h
.text:0042231A 8B 4D 08 mov ecx, [ebp+arg_0]
.text:0042231D 8B 91 98 01 00 00 mov edx, [ecx+198h]
.text:00422323 8B 82 DC 1C 00 00 mov eax, [edx+1CDCh]
.text:00422329 8B 4D F8 mov ecx, [ebp+var_8]
.text:0042232C C1 E1 04 shl ecx, 4
.text:0042232F 8B 94 0D B0 FE FF FF mov edx, [ebp+ecx+var_150]
.text:00422336 33 C9 xor ecx, ecx
.text:00422338 8A 8C 10 30 05 00 00 mov cl, [eax+edx+530h]
.text:0042233F 8B 55 14 mov edx, [ebp+arg_C]
.text:00422342 8B 42 08 mov eax, [edx+8]
.text:00422345 33 C1 xor eax, ecx
.text:00422347 8B 4D 08 mov ecx, [ebp+arg_0]
.text:0042234A 8B 91 98 01 00 00 mov edx, [ecx+198h]
.text:00422350 8B 8A DC 1C 00 00 mov ecx, [edx+1CDCh]
.text:00422356 8B 55 F8 mov edx, [ebp+var_8]
.text:00422359 C1 E2 04 shl edx, 4
.text:0042235C 8B 94 15 B4 FE FF FF mov edx, [ebp+edx+var_14C]
.text:00422363 33 DB xor ebx, ebx
.text:00422365 8A 9C 11 30 05 00 00 mov bl, [ecx+edx+530h]
.text:0042236C C1 E3 08 shl ebx, 8
.text:0042236F 33 C3 xor eax, ebx
.text:00422371 8B 4D 08 mov ecx, [ebp+arg_0]
.text:00422374 8B 91 98 01 00 00 mov edx, [ecx+198h]
.text:0042237A 8B 8A DC 1C 00 00 mov ecx, [edx+1CDCh]
.text:00422380 8B 55 F8 mov edx, [ebp+var_8]
.text:00422383 C1 E2 04 shl edx, 4
.text:00422386 8B 94 15 B8 FE FF FF mov edx, [ebp+edx+var_148]
.text:0042238D 33 DB xor ebx, ebx
.text:0042238F 8A 9C 11 30 05 00 00 mov bl, [ecx+edx+530h]
.text:00422396 C1 E3 10 shl ebx, 10h
.text:00422399 33 C3 xor eax, ebx
.text:0042239B 8B 4D 08 mov ecx, [ebp+arg_0]
.text:0042239E 8B 91 98 01 00 00 mov edx, [ecx+198h]
.text:004223A4 8B 8A DC 1C 00 00 mov ecx, [edx+1CDCh]
.text:004223AA 8B 55 F8 mov edx, [ebp+var_8]
.text:004223AD C1 E2 04 shl edx, 4
.text:004223B0 8B 94 15 BC FE FF FF mov edx, [ebp+edx+var_144]
.text:004223B7 33 DB xor ebx, ebx
.text:004223B9 8A 9C 11 30 05 00 00 mov bl, [ecx+edx+530h]
.text:004223C0 C1 E3 18 shl ebx, 18h
.text:004223C3 33 C3 xor eax, ebx
.text:004223C5 50 push eax
.text:004223C6 E8 53 05 00 00 call sub_42291E
.text:004223CB 83 C4 04 add esp, 4 ;eax=seed2
.text:004223CE 89 85 40 FE FF FF mov [ebp+var_1C0], eax
.text:004223D4 8B 85 40 FE FF FF mov eax, [ebp+var_1C0]
.text:004223DA 25 FF 00 00 00 and eax, 0FFh
.text:004223DF 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:004223E5 8A 11 mov dl, [ecx]
.text:004223E7 32 D0 xor dl, al
.text:004223E9 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:004223EF 88 10 mov [eax], dl
.text:004223F1 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:004223F7 83 C1 01 add ecx, 1
.text:004223FA 89 8D 48 FE FF FF mov [ebp+var_1B8], ecx
.text:00422400 81 BD 40 FE FF FF FF 00+ cmp [ebp+var_1C0], 0FFh
.text:0042240A 7F 0C jg short loc_422418
.text:0042240C 81 BD 40 FE FF FF 00 FF+ cmp [ebp+var_1C0], 0FFFFFF00h
.text:00422416 7D 30 jge short loc_422448
.text:00422418
.text:00422418 loc_422418: ; CODE XREF: sub_421650+DBAj
.text:00422418 8B 95 40 FE FF FF mov edx, [ebp+var_1C0]
.text:0042241E C1 FA 08 sar edx, 8
.text:00422421 81 E2 FF 00 00 00 and edx, 0FFh
.text:00422427 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:0042242D 8A 08 mov cl, [eax]
.text:0042242F 32 CA xor cl, dl
.text:00422431 8B 95 48 FE FF FF mov edx, [ebp+var_1B8]
.text:00422437 88 0A mov [edx], cl
.text:00422439 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:0042243F 83 C0 01 add eax, 1
.text:00422442 89 85 48 FE FF FF mov [ebp+var_1B8], eax
.text:00422448
.text:00422448 loc_422448: ; CODE XREF: sub_421650+DC6j
.text:00422448 81 BD 40 FE FF FF 00 7D+ cmp [ebp+var_1C0], 7D00h
.text:00422452 7F 0C jg short loc_422460
.text:00422454 81 BD 40 FE FF FF 00 83+ cmp [ebp+var_1C0], 0FFFF8300h
.text:0042245E 7D 30 jge short loc_422490
.text:00422460
.text:00422460 loc_422460: ; CODE XREF: sub_421650+E02j
.text:00422460 8B 8D 40 FE FF FF mov ecx, [ebp+var_1C0]
.text:00422466 C1 F9 10 sar ecx, 10h
.text:00422469 81 E1 FF 00 00 00 and ecx, 0FFh
.text:0042246F 8B 95 48 FE FF FF mov edx, [ebp+var_1B8]
.text:00422475 8A 02 mov al, [edx]
.text:00422477 32 C1 xor al, cl
.text:00422479 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:0042247F 88 01 mov [ecx], al
.text:00422481 8B 95 48 FE FF FF mov edx, [ebp+var_1B8]
.text:00422487 83 C2 01 add edx, 1
.text:0042248A 89 95 48 FE FF FF mov [ebp+var_1B8], edx
.text:00422490
.text:00422490 loc_422490: ; CODE XREF: sub_421650+E0Ej
.text:00422490 81 BD 40 FE FF FF 00 24+ cmp [ebp+var_1C0], 0F42400h
.text:0042249A 7F 0C jg short loc_4224A8
.text:0042249C 81 BD 40 FE FF FF 00 DC+ cmp [ebp+var_1C0], 0FF0BDC00h
.text:004224A6 7D 2F jge short loc_4224D7
.text:004224A8
.text:004224A8 loc_4224A8: ; CODE XREF: sub_421650+E4Aj
.text:004224A8 8B 85 40 FE FF FF mov eax, [ebp+var_1C0]
.text:004224AE C1 F8 18 sar eax, 18h
.text:004224B1 25 FF 00 00 00 and eax, 0FFh
.text:004224B6 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:004224BC 8A 11 mov dl, [ecx]
.text:004224BE 32 D0 xor dl, al
.text:004224C0 8B 85 48 FE FF FF mov eax, [ebp+var_1B8]
.text:004224C6 88 10 mov [eax], dl
.text:004224C8 8B 8D 48 FE FF FF mov ecx, [ebp+var_1B8]
.text:004224CE 83 C1 01 add ecx, 1
.text:004224D1 89 8D 48 FE FF FF mov [ebp+var_1B8], ecx
.text:004224D7
.text:004224D7 loc_4224D7: ; CODE XREF: sub_421650+E56j
.text:004224D7 C7 85 40 FE FF FF D6 A1+ mov [ebp+var_1C0], 3D4DA1D6h
So seed1=25f7e5b3 and seed2=1c8047d5. A license generated with the SDK passes the server-side check, but running the main program gives an error:
ABAQUS Error: Bad instruction reference (10128). Please contact your local ABAQU
S office.
ABAQUS Error: ABAQUS/CAE Kernel exited with an error.
请按任意键继续. . .
The versions circulating online solve this by patching the program, which I did not like, so I kept tracing to see how the main program performs its verification.
First, here is the format of the license file:
FEATURE cae ABAQUSLM 6.7 07-jul-2012 99 VENDOR_STRING=commercial \
vendor_info=XO5w4Afg20bJLyTtK!w54A ISSUER=AWXS \
ISSUED=03-jun-2006 NOTICE="TEAM AWXS" ck=222 SN=305419896 \
START=03-jun-2006 SIGN=636DADACCEA4
Using the cracked version found online as a reference, I quickly located the check in the file ABQcaeK. Since it is invoked by the main program, I again changed its entry byte to int 3 so that it could be debugged with OllyDbg. Based on the error message, set a breakpoint here:
.text:0040C3E5 83 C3 04 add ebx, 4
.text:0040C3E8
.text:0040C3E8 loc_40C3E8: ; CODE XREF: sub_40C2E0+E9j
.text:0040C3E8 ; sub_40C2E0+F3j ...
.text:0040C3E8 56 push esi
.text:0040C3E9 8B CF mov ecx, edi ;breakpoint
.text:0040C3EB E8 90 A1 FF FF call sub_406580 ;key point: the verification routine
.text:0040C3F0 3D D8 59 00 00 cmp eax, 59D8h
.text:0040C3F5 7D 02 jge short loc_40C3F9
.text:0040C3F7 03 D8 add ebx, eax
.text:0040C3F9
.text:0040C3F9 loc_40C3F9: ; CODE XREF: sub_40C2E0+115j
.text:0040C3F9 81 FB 10 27 00 00 cmp ebx, 2710h
.text:0040C3FF 7E 6F jle short loc_40C470
.text:0040C401 53 push ebx ;error path
.text:0040C402 8D 45 EC lea eax, [ebp+var_14]
.text:0040C405 68 F8 15 4C 00 push offset aAbaqusErrorB_0 ; "ABAQUS Error: Bad instruction reference"...
.text:0040C40A 50 push eax
.text:0040C40B E8 D0 8D FF FF call sub_4051E0
.text:0040C410 83 C4 0C add esp, 0Ch
.text:0040C413 8D 4D EC lea ecx, [ebp+var_14]
The call at .text:0040C3EB returns a value in eax, and that value is compared to decide whether verification passed.
Entering the call sub_406580 at .text:0040C3EB:
.text:00406580 55 push ebp
.text:00406581 8B EC mov ebp, esp
.text:00406583 6A FF push 0FFFFFFFFh
.text:00406585 68 76 E0 4B 00 push offset loc_4BE076
.text:0040658A 64 A1 00 00 00 00 mov eax, large fs:0
.text:00406590 50 push eax
.text:00406591 64 89 25 00 00 00 00 mov large fs:0, esp
.text:00406598 51 push ecx ; X3L
.text:00406599 B8 58 15 00 00 mov eax, 1558h
.text:0040659E E8 BD 6A 0B 00 call __alloca_probe
.text:004065A3 53 push ebx
.text:004065A4 56 push esi
.text:004065A5 57 push edi
.text:004065A6 89 65 F0 mov [ebp+var_10], esp
.text:004065A9 68 B7 1D C1 04 push 4C11DB7h ; wrong
.text:004065AE 8D 8D E4 FA FF FF lea ecx, [ebp+var_51C]
.text:004065B4 E8 37 F6 00 00 call ??0eli_Crc32@@QAE@I@Z ; eli_Crc32::eli_Crc32(uint)
.text:004065B4 ; initialises var_11c~var_51c
.text:004065B4 ; used when computing f(sign)
.text:004065B9 8B 75 08 mov esi, [ebp+arg_0] ; arg_0 points to the feature name
.text:004065BC 8D 86 48 02 00 00 lea eax, [esi+248h] ; make eax point to SIGN
.text:004065C2 50 push eax
.text:004065C3 8D 4D E8 lea ecx, [ebp+var_18]
.text:004065C6 E8 F5 F8 00 00 call ??0atr_StringBase@@IAE@PBD@Z ; atr_StringBase::atr_StringBase(char const *)
.text:004065CB 8D 4D E8 lea ecx, [ebp+var_18]
.text:004065CE 51 push ecx
.text:004065CF 8D 8D E4 FA FF FF lea ecx, [ebp+var_51C]
.text:004065D5 C7 45 FC 00 00 00 00 mov [ebp+var_4], 0
.text:004065DC E8 09 F6 00 00 call ?ProcessMessage@eli_Crc32@@QAEXABVcow_String@@@Z ;
.text:004065E1 8B 45 EC mov eax, [ebp+var_14] ;this computes over SIGN and returns a hex value f(sign), which is
.text:004065E4 83 CF FF or edi, 0FFFFFFFFh ;used later.
.text:004065E7 85 C0 test eax, eax
.text:004065E9 89 7D FC mov [ebp+var_4], edi
.text:004065EC 74 0F jz short loc_4065FD
.text:004065EE FF 08 dec dword ptr [eax]
.text:004065F0 83 38 00 cmp dword ptr [eax], 0
.text:004065F3 75 08 jnz short loc_4065FD
.text:004065F5 8D 4D E8 lea ecx, [ebp+var_18]
.text:004065F8 E8 BD F8 00 00 call atr_StringBase__Delete_void_
.text:004065FD
.text:004065FD loc_4065FD: ; CODE XREF: sub_406580+6Cj
.text:004065FD ; sub_406580+73j
.text:004065FD 8D 8D E4 FA FF FF lea ecx, [ebp+var_51C]
.text:00406603 E8 DC F5 00 00 call ?Done@eli_Crc32@@QAEIXZ ; eli_Crc32::Done(void)
.text:00406608 50 push eax ;f(sign)
.text:00406609 8D 95 EC FE FF FF lea edx, [ebp+var_114]
.text:0040660F 68 A0 16 4C 00 push offset aU_1 ; "%u"
.text:00406614 52 push edx ; char *
.text:00406615 FF 15 FC 04 4C 00 call ds:sprintf ; converts f(sign) to a decimal string
.text:0040661B 83 C4 0C add esp, 0Ch
.text:0040661E 8D 85 EC FE FF FF lea eax, [ebp+var_114] ;
.text:00406624 50 push eax
.text:00406625 8D 4D E0 lea ecx, [ebp+var_20]
.text:00406628 E8 93 F8 00 00 call ??0atr_StringBase@@IAE@PBD@Z ; atr_StringBase::atr_StringBase(char const *)
.text:0040662D C7 45 FC 01 00 00 00 mov [ebp+var_4], 1
.text:00406634 BB 0A 00 00 00 mov ebx, 0Ah
.text:00406639 8D A4 24 00 00 00 00 lea esp, [esp+0]
.text:00406640
.text:00406640 loc_406640: ; CODE XREF: sub_406580+E2j
.text:00406640 8B 45 E4 mov eax, [ebp+var_1C]
.text:00406643 85 C0 test eax, eax
.text:00406645 74 05 jz short loc_40664C
.text:00406647 39 58 08 cmp [eax+8], ebx ;is f(sign) a 10-character string?
.text:0040664A 7D 18 jge short loc_406664 ;if so, jump
.text:0040664C
.text:0040664C loc_40664C: ; CODE XREF: sub_406580+C5j
.text:0040664C 68 FF FF FF 7F push 7FFFFFFFh ;if f(sign) is not 10 characters long, append x until its length is 10
.text:00406651 6A 00 push 0
.text:00406653 6A 01 push 1
.text:00406655 68 A4 16 4C 00 push offset asc_4C16A4 ; "x"
.text:0040665A 8D 4D E0 lea ecx, [ebp+var_20]
.text:0040665D E8 82 F8 00 00 call ?append@atr_StringBase@@IAEAAV1@PBDHHH@Z ; atr_StringBase::append(char const *,int,int,int)
.text:00406662 EB DC jmp short loc_406640
.text:00406664 ; ---------------------------------------------------------------------------
.text:00406664
.text:00406664 loc_406664: ; CODE XREF: sub_406580+CAj
.text:00406664 8B 8E A4 02 00 00 mov ecx, [esi+2A4h] ; points to the vendor_info string
.text:0040666A 85 C9 test ecx, ecx
.text:0040666C 75 2A jnz short loc_406698
.text:0040666E FF 08 dec dword ptr [eax]
.text:00406670 83 38 00 cmp dword ptr [eax], 0
.text:00406673 89 7D FC mov [ebp+var_4], edi
.text:00406676 75 08 jnz short loc_406680
.text:00406678 8D 4D E0 lea ecx, [ebp+var_20]
.text:0040667B E8 3A F8 00 00 call atr_StringBase__Delete_void_
.text:00406680
.text:00406680 loc_406680: ; CODE XREF: sub_406580+F6j
.text:00406680 B8 08 00 00 00 mov eax, 8
.text:00406685 8B 4D F4 mov ecx, [ebp+var_C]
.text:00406688 64 89 0D 00 00 00 00 mov large fs:0, ecx
.text:0040668F 5F pop edi
.text:00406690 5E pop esi
.text:00406691 5B pop ebx
.text:00406692 8B E5 mov esp, ebp
.text:00406694 5D pop ebp
.text:00406695 C2 04 00 retn 4
.text:00406698 ; ---------------------------------------------------------------------------
.text:00406698
.text:00406698 loc_406698: ; CODE XREF: sub_406580+ECj
.text:00406698 51 push ecx ; points to the vendor_info string
.text:00406699 8D 4D C8 lea ecx, [ebp+var_38]
.text:0040669C E8 1F F8 00 00 call ??0atr_StringBase@@IAE@PBD@Z ; atr_StringBase::atr_StringBase(char const *)
.text:004066A1 68 A8 16 4C 00 push offset asc_4C16A8 ; " "
.text:004066A6 8D 4D C8 lea ecx, [ebp+var_38]
.text:004066A9 C6 45 FC 02 mov byte ptr [ebp+var_4], 2
.text:004066AD E8 4A F8 00 00 call ?Trim@atr_StringBase@@IAEAAV1@PBD@Z ; atr_StringBase::Trim(char const *)
.text:004066B2 8B 45 CC mov eax, [ebp+var_34]
.text:004066B5 85 C0 test eax, eax
.text:004066B7 74 08 jz short loc_4066C1
.text:004066B9 8B 48 08 mov ecx, [eax+8]
.text:004066BC 83 F9 16 cmp ecx, 16h ; is the vendor_info string at least 0x16 (22) characters long?
.text:004066BF 7D 48 jge short loc_406709
.text:004066C1
.text:004066C1 loc_4066C1: ; CODE XREF: sub_406580+137j
.text:004066C1 85 C0 test eax, eax
.text:004066C3 C6 45 FC 01 mov byte ptr [ebp+var_4], 1
.text:004066C7 74 0F jz short loc_4066D8
.text:004066C9 FF 08 dec dword ptr [eax]
.text:004066CB 83 38 00 cmp dword ptr [eax], 0
.text:004066CE 75 08 jnz short loc_4066D8
.text:004066D0 8D 4D C8 lea ecx, [ebp+var_38]
.text:004066D3 E8 E2 F7 00 00 call atr_StringBase__Delete_void_
.text:004066D8
.text:004066D8 loc_4066D8: ; CODE XREF: sub_406580+147j
.text:004066D8 ; sub_406580+14Ej
.text:004066D8 8B 45 E4 mov eax, [ebp+var_1C]
.text:004066DB 85 C0 test eax, eax
.text:004066DD 89 7D FC mov [ebp+var_4], edi
.text:004066E0 74 0F jz short loc_4066F1
.text:004066E2 FF 08 dec dword ptr [eax]
.text:004066E4 83 38 00 cmp dword ptr [eax], 0
.text:004066E7 75 08 jnz short loc_4066F1
.text:004066E9 8D 4D E0 lea ecx, [ebp+var_20]
.text:004066EC E8 C9 F7 00 00 call atr_StringBase__Delete_void_
.text:004066F1
.text:004066F1 loc_4066F1: ; CODE XREF: sub_406580+160j
.text:004066F1 ; sub_406580+167j
.text:004066F1 B8 10 00 00 00 mov eax, 10h
.text:004066F6 8B 4D F4 mov ecx, [ebp+var_C]
.text:004066F9 64 89 0D 00 00 00 00 mov large fs:0, ecx
.text:00406700 5F pop edi
.text:00406701 5E pop esi
.text:00406702 5B pop ebx
.text:00406703 8B E5 mov esp, ebp
.text:00406705 5D pop ebp
.text:00406706 C2 04 00 retn 4
.text:00406709 ; ---------------------------------------------------------------------------
.text:00406709
.text:00406709 loc_406709: ; CODE XREF: sub_406580+13Fj
.text:00406709 83 C1 EA add ecx, 0FFFFFFEAh
.text:0040670C 68 FF FF FF 7F push 7FFFFFFFh
.text:00406711 51 push ecx
.text:00406712 8D 4D B0 lea ecx, [ebp+var_50]
.text:00406715 51 push ecx
.text:00406716 8D 4D C8 lea ecx, [ebp+var_38]
.text:00406719 E8 A2 B8 FF FF call sub_401FC0
.text:0040671E 68 FF FF FF 7F push 7FFFFFFFh
.text:00406723 6A 00 push 0
.text:00406725 6A 02 push 2
.text:00406727 68 AC 16 4C 00 push offset asc_4C16AC ; "=="
.text:0040672C 8D 4D B0 lea ecx, [ebp+var_50]
.text:0040672F C6 45 FC 03 mov byte ptr [ebp+var_4], 3
.text:00406733 E8 AC F7 00 00 call ?append@atr_StringBase@@IAEAAV1@PBDHHH@Z ;append == to the vendor_info string
.text:00406738 68 D9 0A 00 00 push 0AD9h ;2777
.text:0040673D 8D 8D 70 FF FF FF lea ecx, [ebp+var_90]
.text:00406743 E8 90 F7 00 00 call atr_StringBase__atr_StringBase_int_ ; converts the hex number to the decimal string 2777
.text:00406748 8D 95 70 FF FF FF lea edx, [ebp+var_90]
.text:0040674E 52 push edx
.text:0040674F 6A 52 push 52h ; 82
.text:00406751 8D 8D 78 FF FF FF lea ecx, [ebp+var_88]
.text:00406757 C6 45 FC 04 mov byte ptr [ebp+var_4], 4
.text:0040675B E8 78 F7 00 00 call atr_StringBase__atr_StringBase_int_ ;82
.text:00406760 83 EC 08 sub esp, 8
.text:00406763 8B C4 mov eax, esp
.text:00406765 89 65 08 mov [ebp+arg_0], esp
.text:00406768 8D 8D 78 FF FF FF lea ecx, [ebp+var_88]
.text:0040676E 51 push ecx
.text:0040676F 6A 65 push 65h
.text:00406771 8D 8D 08 FF FF FF lea ecx, [ebp+var_F8]
.text:00406777 C6 45 FC 05 mov byte ptr [ebp+var_4], 5
.text:0040677B 89 45 D4 mov [ebp+var_2C], eax
.text:0040677E E8 55 F7 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406783 83 EC 08 sub esp, 8
.text:00406786 8B D4 mov edx, esp
.text:00406788 89 65 08 mov [ebp+arg_0], esp
.text:0040678B 8D 85 08 FF FF FF lea eax, [ebp+var_F8]
.text:00406791 50 push eax
.text:00406792 6A 54 push 54h
.text:00406794 8D 8D 38 FF FF FF lea ecx, [ebp+var_C8]
.text:0040679A C6 45 FC 06 mov byte ptr [ebp+var_4], 6
.text:0040679E 89 55 A4 mov [ebp+var_5C], edx
.text:004067A1 E8 32 F7 00 00 call atr_StringBase__atr_StringBase_int_ ;
.text:004067A6 83 EC 08 sub esp, 8
.text:004067A9 8B CC mov ecx, esp
.text:004067AB 89 65 08 mov [ebp+arg_0], esp
.text:004067AE 8D 95 38 FF FF FF lea edx, [ebp+var_C8]
.text:004067B4 52 push edx
.text:004067B5 89 4D A8 mov [ebp+var_58], ecx
.text:004067B8 6A 75 push 75h ; 117
.text:004067BA 8D 8D 00 FF FF FF lea ecx, [ebp+var_100]
.text:004067C0 C6 45 FC 07 mov byte ptr [ebp+var_4], 7
.text:004067C4 E8 0F F7 00 00 call atr_StringBase__atr_StringBase_int_
.text:004067C9 83 EC 08 sub esp, 8
.text:004067CC 8B C4 mov eax, esp
.text:004067CE 89 65 08 mov [ebp+arg_0], esp
.text:004067D1 8D 8D 00 FF FF FF lea ecx, [ebp+var_100]
.text:004067D7 51 push ecx
.text:004067D8 6A 70 push 70h ; 112
.text:004067DA 8D 8D 48 FF FF FF lea ecx, [ebp+var_B8]
.text:004067E0 C6 45 FC 08 mov byte ptr [ebp+var_4], 8
.text:004067E4 89 45 AC mov [ebp+var_54], eax
.text:004067E7 E8 EC F6 00 00 call atr_StringBase__atr_StringBase_int_
.text:004067EC 83 EC 08 sub esp, 8
.text:004067EF 8B D4 mov edx, esp
.text:004067F1 89 65 08 mov [ebp+arg_0], esp
.text:004067F4 8D 85 48 FF FF FF lea eax, [ebp+var_B8]
.text:004067FA 50 push eax
.text:004067FB 6A 4D push 4Dh ; 77
.text:004067FD 8D 8D 18 FF FF FF lea ecx, [ebp+var_E8]
.text:00406803 C6 45 FC 09 mov byte ptr [ebp+var_4], 9
.text:00406807 89 55 9C mov [ebp+var_64], edx
.text:0040680A E8 C9 F6 00 00 call atr_StringBase__atr_StringBase_int_
.text:0040680F 83 EC 08 sub esp, 8
.text:00406812 8B CC mov ecx, esp
.text:00406814 89 65 08 mov [ebp+arg_0], esp
.text:00406817 8D 95 18 FF FF FF lea edx, [ebp+var_E8]
.text:0040681D 52 push edx
.text:0040681E 89 4D 8C mov [ebp+var_74], ecx
.text:00406821 6A 4F push 4Fh ; 79
.text:00406823 8D 8D 58 FF FF FF lea ecx, [ebp+var_A8]
.text:00406829 88 5D FC mov byte ptr [ebp+var_4], bl
.text:0040682C E8 A7 F6 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406831 83 EC 08 sub esp, 8
.text:00406834 8B C4 mov eax, esp
.text:00406836 89 65 08 mov [ebp+arg_0], esp
.text:00406839 8D 8D 58 FF FF FF lea ecx, [ebp+var_A8]
.text:0040683F 51 push ecx
.text:00406840 6A 63 push 63h ; 99
.text:00406842 8D 4D 80 lea ecx, [ebp+var_80]
.text:00406845 C6 45 FC 0B mov byte ptr [ebp+var_4], 0Bh
.text:00406849 89 45 94 mov [ebp+var_6C], eax
.text:0040684C E8 87 F6 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406851 83 EC 08 sub esp, 8
.text:00406854 8B D4 mov edx, esp
.text:00406856 89 65 EC mov [ebp+var_14], esp
.text:00406859 8D 45 80 lea eax, [ebp+var_80]
.text:0040685C 50 push eax
.text:0040685D 68 89 01 00 00 push 189h ; 393
.text:00406862 8D 8D 68 FF FF FF lea ecx, [ebp+var_98]
.text:00406868 C6 45 FC 0C mov byte ptr [ebp+var_4], 0Ch
.text:0040686C 89 55 08 mov [ebp+arg_0], edx
.text:0040686F E8 64 F6 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406874 83 EC 08 sub esp, 8
.text:00406877 8B F4 mov esi, esp
.text:00406879 89 65 EC mov [ebp+var_14], esp
.text:0040687C 8D 8D 68 FF FF FF lea ecx, [ebp+var_98]
.text:00406882 51 push ecx
.text:00406883 6A 4B push 4Bh ; 75
.text:00406885 8D 8D 28 FF FF FF lea ecx, [ebp+var_D8]
.text:0040688B C6 45 FC 0D mov byte ptr [ebp+var_4], 0Dh
.text:0040688F E8 44 F6 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406894 83 EC 08 sub esp, 8
.text:00406897 8B FC mov edi, esp
.text:00406899 89 65 EC mov [ebp+var_14], esp
.text:0040689C 8D 95 28 FF FF FF lea edx, [ebp+var_D8]
.text:004068A2 52 push edx
.text:004068A3 6A 6F push 6Fh ; 111
.text:004068A5 8D 8D F8 FE FF FF lea ecx, [ebp+var_108]
.text:004068AB C6 45 FC 0E mov byte ptr [ebp+var_4], 0Eh
.text:004068AF E8 24 F6 00 00 call atr_StringBase__atr_StringBase_int_
.text:004068B4 83 EC 08 sub esp, 8
.text:004068B7 89 65 EC mov [ebp+var_14], esp
.text:004068BA 8B DC mov ebx, esp
.text:004068BC 8D 85 F8 FE FF FF lea eax, [ebp+var_108]
.text:004068C2 50 push eax
.text:004068C3 83 EC 08 sub esp, 8
.text:004068C6 89 65 EC mov [ebp+var_14], esp
.text:004068C9 8B CC mov ecx, esp
.text:004068CB 68 3C 01 00 00 push 13Ch ; 316
.text:004068D0 C6 45 FC 0F mov byte ptr [ebp+var_4], 0Fh
.text:004068D4 E8 FF F5 00 00 call atr_StringBase__atr_StringBase_int_
.text:004068D9 53 push ebx
.text:004068DA E8 F1 EC FF FF call sub_4055D0
.text:004068DF 83 C4 10 add esp, 10h
.text:004068E2 57 push edi
.text:004068E3 E8 E8 EC FF FF call sub_4055D0
.text:004068E8 83 C4 10 add esp, 10h
.text:004068EB 56 push esi
.text:004068EC E8 DF EC FF FF call sub_4055D0
.text:004068F1 8B 4D 08 mov ecx, [ebp+arg_0]
.text:004068F4 83 C4 10 add esp, 10h
.text:004068F7 51 push ecx
.text:004068F8 E8 D3 EC FF FF call sub_4055D0
.text:004068FD 8B 55 94 mov edx, [ebp+var_6C]
.text:00406900 83 C4 10 add esp, 10h
.text:00406903 52 push edx
.text:00406904 E8 C7 EC FF FF call sub_4055D0
.text:00406909 83 C4 10 add esp, 10h
.text:0040690C 8B 45 8C mov eax, [ebp+var_74]
.text:0040690F 50 push eax
.text:00406910 E8 BB EC FF FF call sub_4055D0
.text:00406915 8B 4D 9C mov ecx, [ebp+var_64]
.text:00406918 83 C4 10 add esp, 10h
.text:0040691B 51 push ecx
.text:0040691C E8 AF EC FF FF call sub_4055D0
.text:00406921 8B 55 AC mov edx, [ebp+var_54]
.text:00406924 83 C4 10 add esp, 10h
.text:00406927 52 push edx
.text:00406928 E8 A3 EC FF FF call sub_4055D0
.text:0040692D 8B 45 A8 mov eax, [ebp+var_58]
.text:00406930 83 C4 10 add esp, 10h
.text:00406933 50 push eax
.text:00406934 E8 97 EC FF FF call sub_4055D0
.text:00406939 8B 4D A4 mov ecx, [ebp+var_5C]
.text:0040693C 83 C4 10 add esp, 10h
.text:0040693F 51 push ecx
.text:00406940 E8 8B EC FF FF call sub_4055D0
.text:00406945 8B 55 D4 mov edx, [ebp+var_2C]
.text:00406948 83 C4 10 add esp, 10h
.text:0040694B 52 push edx
.text:0040694C E8 7F EC FF FF call sub_4055D0
.text:00406951 8D 45 C0 lea eax, [ebp+var_40]
.text:00406954 83 C4 10 add esp, 10h
.text:00406957 50 push eax
.text:00406958 E8 73 EC FF FF call sub_4055D0
.text:0040695D 83 C4 10 add esp, 10h
.text:00406960 8B 85 FC FE FF FF mov eax, [ebp+var_104]
.text:00406966 85 C0 test eax, eax ; the above concatenates into the string 3161117539399797711211784101822777
.text:00406968 C6 45 FC 1C mov byte ptr [ebp+var_4], 1Ch ;this string is used as blowfish key2
.text:0040696C 74 12 jz short loc_406980
.text:0040696E FF 08 dec dword ptr [eax]
.text:00406970 83 38 00 cmp dword ptr [eax], 0
.text:00406973 75 0B jnz short loc_406980
.text:00406975 8D 8D F8 FE FF FF lea ecx, [ebp+var_108]
.text:0040697B E8 3A F5 00 00 call atr_StringBase__Delete_void_
.text:00406980
.text:00406980 loc_406980: ; CODE XREF: sub_406580+3ECj
.text:00406980 ; sub_406580+3F3j
.text:00406980 8B 85 2C FF FF FF mov eax, [ebp+var_D4]
.text:00406986 85 C0 test eax, eax
.text:00406988 C6 45 FC 1B mov byte ptr [ebp+var_4], 1Bh
.text:0040698C 74 12 jz short loc_4069A0
.text:0040698E FF 08 dec dword ptr [eax]
.text:00406990 83 38 00 cmp dword ptr [eax], 0
.text:00406993 75 0B jnz short loc_4069A0
.text:00406995 8D 8D 28 FF FF FF lea ecx, [ebp+var_D8]
.text:0040699B E8 1A F5 00 00 call atr_StringBase__Delete_void_
.text:004069A0
.text:004069A0 loc_4069A0: ; CODE XREF: sub_406580+40Cj
.text:004069A0 ; sub_406580+413j
.text:004069A0 8B 85 6C FF FF FF mov eax, [ebp+var_94]
.text:004069A6 85 C0 test eax, eax
.text:004069A8 C6 45 FC 1A mov byte ptr [ebp+var_4], 1Ah
.text:004069AC 74 12 jz short loc_4069C0
.text:004069AE FF 08 dec dword ptr [eax]
.text:004069B0 83 38 00 cmp dword ptr [eax], 0
.text:004069B3 75 0B jnz short loc_4069C0
.text:004069B5 8D 8D 68 FF FF FF lea ecx, [ebp+var_98]
.text:004069BB E8 FA F4 00 00 call atr_StringBase__Delete_void_
.text:004069C0
.text:004069C0 loc_4069C0: ; CODE XREF: sub_406580+42Cj
.text:004069C0 ; sub_406580+433j
.text:004069C0 8B 45 84 mov eax, [ebp+var_7C]
.text:004069C3 85 C0 test eax, eax
.text:004069C5 C6 45 FC 19 mov byte ptr [ebp+var_4], 19h
.text:004069C9 74 0F jz short loc_4069DA
.text:004069CB FF 08 dec dword ptr [eax]
.text:004069CD 83 38 00 cmp dword ptr [eax], 0
.text:004069D0 75 08 jnz short loc_4069DA
.text:004069D2 8D 4D 80 lea ecx, [ebp+var_80]
.text:004069D5 E8 E0 F4 00 00 call atr_StringBase__Delete_void_
.text:004069DA
.text:004069DA loc_4069DA: ; CODE XREF: sub_406580+449j
.text:004069DA ; sub_406580+450j
.text:004069DA 8B 85 5C FF FF FF mov eax, [ebp+var_A4]
.text:004069E0 85 C0 test eax, eax
.text:004069E2 C6 45 FC 18 mov byte ptr [ebp+var_4], 18h
.text:004069E6 74 12 jz short loc_4069FA
.text:004069E8 FF 08 dec dword ptr [eax]
.text:004069EA 83 38 00 cmp dword ptr [eax], 0
.text:004069ED 75 0B jnz short loc_4069FA
.text:004069EF 8D 8D 58 FF FF FF lea ecx, [ebp+var_A8]
.text:004069F5 E8 C0 F4 00 00 call atr_StringBase__Delete_void_
.text:004069FA
.text:004069FA loc_4069FA: ; CODE XREF: sub_406580+466j
.text:004069FA ; sub_406580+46Dj
.text:004069FA 8B 85 1C FF FF FF mov eax, [ebp+var_E4]
.text:00406A00 85 C0 test eax, eax
.text:00406A02 C6 45 FC 17 mov byte ptr [ebp+var_4], 17h
.text:00406A06 74 12 jz short loc_406A1A
.text:00406A08 FF 08 dec dword ptr [eax]
.text:00406A0A 83 38 00 cmp dword ptr [eax], 0
.text:00406A0D 75 0B jnz short loc_406A1A
.text:00406A0F 8D 8D 18 FF FF FF lea ecx, [ebp+var_E8]
.text:00406A15 E8 A0 F4 00 00 call atr_StringBase__Delete_void_
.text:00406A1A
.text:00406A1A loc_406A1A: ; CODE XREF: sub_406580+486j
.text:00406A1A ; sub_406580+48Dj
.text:00406A1A 8B 85 4C FF FF FF mov eax, [ebp+var_B4]
.text:00406A20 85 C0 test eax, eax
.text:00406A22 C6 45 FC 16 mov byte ptr [ebp+var_4], 16h
.text:00406A26 74 12 jz short loc_406A3A
.text:00406A28 FF 08 dec dword ptr [eax]
.text:00406A2A 83 38 00 cmp dword ptr [eax], 0
.text:00406A2D 75 0B jnz short loc_406A3A
.text:00406A2F 8D 8D 48 FF FF FF lea ecx, [ebp+var_B8]
.text:00406A35 E8 80 F4 00 00 call atr_StringBase__Delete_void_
.text:00406A3A
.text:00406A3A loc_406A3A: ; CODE XREF: sub_406580+4A6j
.text:00406A3A ; sub_406580+4ADj
.text:00406A3A 8B 85 04 FF FF FF mov eax, [ebp+var_FC]
.text:00406A40 85 C0 test eax, eax
.text:00406A42 C6 45 FC 15 mov byte ptr [ebp+var_4], 15h
.text:00406A46 74 12 jz short loc_406A5A
.text:00406A48 FF 08 dec dword ptr [eax]
.text:00406A4A 83 38 00 cmp dword ptr [eax], 0
.text:00406A4D 75 0B jnz short loc_406A5A
.text:00406A4F 8D 8D 00 FF FF FF lea ecx, [ebp+var_100]
.text:00406A55 E8 60 F4 00 00 call atr_StringBase__Delete_void_
.text:00406A5A
.text:00406A5A loc_406A5A: ; CODE XREF: sub_406580+4C6j
.text:00406A5A ; sub_406580+4CDj
.text:00406A5A 8B 85 3C FF FF FF mov eax, [ebp+var_C4]
.text:00406A60 85 C0 test eax, eax
.text:00406A62 C6 45 FC 14 mov byte ptr [ebp+var_4], 14h
.text:00406A66 74 12 jz short loc_406A7A
.text:00406A68 FF 08 dec dword ptr [eax]
.text:00406A6A 83 38 00 cmp dword ptr [eax], 0
.text:00406A6D 75 0B jnz short loc_406A7A
.text:00406A6F 8D 8D 38 FF FF FF lea ecx, [ebp+var_C8]
.text:00406A75 E8 40 F4 00 00 call atr_StringBase__Delete_void_
.text:00406A7A
.text:00406A7A loc_406A7A: ; CODE XREF: sub_406580+4E6j
.text:00406A7A ; sub_406580+4EDj
.text:00406A7A 8B 85 0C FF FF FF mov eax, [ebp+var_F4]
.text:00406A80 85 C0 test eax, eax
.text:00406A82 C6 45 FC 13 mov byte ptr [ebp+var_4], 13h
.text:00406A86 74 12 jz short loc_406A9A
.text:00406A88 FF 08 dec dword ptr [eax]
.text:00406A8A 83 38 00 cmp dword ptr [eax], 0
.text:00406A8D 75 0B jnz short loc_406A9A
.text:00406A8F 8D 8D 08 FF FF FF lea ecx, [ebp+var_F8]
.text:00406A95 E8 20 F4 00 00 call atr_StringBase__Delete_void_
.text:00406A9A
.text:00406A9A loc_406A9A: ; CODE XREF: sub_406580+506j
.text:00406A9A ; sub_406580+50Dj
.text:00406A9A 8B 85 7C FF FF FF mov eax, [ebp+var_84]
.text:00406AA0 85 C0 test eax, eax
.text:00406AA2 C6 45 FC 12 mov byte ptr [ebp+var_4], 12h
.text:00406AA6 74 12 jz short loc_406ABA
.text:00406AA8 FF 08 dec dword ptr [eax]
.text:00406AAA 83 38 00 cmp dword ptr [eax], 0
.text:00406AAD 75 0B jnz short loc_406ABA
.text:00406AAF 8D 8D 78 FF FF FF lea ecx, [ebp+var_88]
.text:00406AB5 E8 00 F4 00 00 call atr_StringBase__Delete_void_
.text:00406ABA
.text:00406ABA loc_406ABA: ; CODE XREF: sub_406580+526j
.text:00406ABA ; sub_406580+52Dj
.text:00406ABA 8B 85 74 FF FF FF mov eax, [ebp+var_8C]
.text:00406AC0 85 C0 test eax, eax
.text:00406AC2 C6 45 FC 11 mov byte ptr [ebp+var_4], 11h
.text:00406AC6 74 12 jz short loc_406ADA ; 51
.text:00406AC8 FF 08 dec dword ptr [eax]
.text:00406ACA 83 38 00 cmp dword ptr [eax], 0
.text:00406ACD 75 0B jnz short loc_406ADA ; 51
.text:00406ACF 8D 8D 70 FF FF FF lea ecx, [ebp+var_90]
.text:00406AD5 E8 E0 F3 00 00 call atr_StringBase__Delete_void_
.text:00406ADA
.text:00406ADA loc_406ADA: ; CODE XREF: sub_406580+546j
.text:00406ADA ; sub_406580+54Dj
.text:00406ADA 6A 33 push 33h ; 51
.text:00406ADC 8D 8D 10 FF FF FF lea ecx, [ebp+var_F0]
.text:00406AE2 E8 F1 F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406AE7 8D 8D 10 FF FF FF lea ecx, [ebp+var_F0]
.text:00406AED 51 push ecx
.text:00406AEE 6A 08 push 8 ; 8
.text:00406AF0 8D 8D 20 FF FF FF lea ecx, [ebp+var_E0]
.text:00406AF6 C6 45 FC 1D mov byte ptr [ebp+var_4], 1Dh
.text:00406AFA E8 D9 F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406AFF 83 EC 08 sub esp, 8
.text:00406B02 8B D4 mov edx, esp
.text:00406B04 89 65 08 mov [ebp+arg_0], esp
.text:00406B07 8D 85 20 FF FF FF lea eax, [ebp+var_E0]
.text:00406B0D 50 push eax
.text:00406B0E 6A 12 push 12h ; 18
.text:00406B10 8D 8D 30 FF FF FF lea ecx, [ebp+var_D0]
.text:00406B16 C6 45 FC 1E mov byte ptr [ebp+var_4], 1Eh
.text:00406B1A 89 55 AC mov [ebp+var_54], edx
.text:00406B1D E8 B6 F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406B22 83 EC 08 sub esp, 8
.text:00406B25 8B CC mov ecx, esp
.text:00406B27 89 65 08 mov [ebp+arg_0], esp
.text:00406B2A 8D 95 30 FF FF FF lea edx, [ebp+var_D0]
.text:00406B30 52 push edx
.text:00406B31 89 4D A8 mov [ebp+var_58], ecx
.text:00406B34 6A 24 push 24h ; 36
.text:00406B36 8D 8D 40 FF FF FF lea ecx, [ebp+var_C0]
.text:00406B3C C6 45 FC 1F mov byte ptr [ebp+var_4], 1Fh
.text:00406B40 E8 93 F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406B45 83 EC 08 sub esp, 8
.text:00406B48 8B C4 mov eax, esp
.text:00406B4A 89 65 08 mov [ebp+arg_0], esp
.text:00406B4D 8D 8D 40 FF FF FF lea ecx, [ebp+var_C0]
.text:00406B53 51 push ecx
.text:00406B54 68 8E 00 00 00 push 8Eh ; 142
.text:00406B59 8D 8D 50 FF FF FF lea ecx, [ebp+var_B0]
.text:00406B5F C6 45 FC 20 mov byte ptr [ebp+var_4], 20h
.text:00406B63 89 45 A4 mov [ebp+var_5C], eax
.text:00406B66 E8 6D F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406B6B 83 EC 08 sub esp, 8
.text:00406B6E 8B D4 mov edx, esp
.text:00406B70 89 65 08 mov [ebp+arg_0], esp
.text:00406B73 8D 85 50 FF FF FF lea eax, [ebp+var_B0]
.text:00406B79 50 push eax
.text:00406B7A 6A 09 push 9 ; 9
.text:00406B7C 8D 8D 60 FF FF FF lea ecx, [ebp+var_A0]
.text:00406B82 C6 45 FC 21 mov byte ptr [ebp+var_4], 21h
.text:00406B86 89 55 D4 mov [ebp+var_2C], edx
.text:00406B89 E8 4A F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406B8E 83 EC 08 sub esp, 8
.text:00406B91 8B CC mov ecx, esp
.text:00406B93 89 65 EC mov [ebp+var_14], esp
.text:00406B96 8D 95 60 FF FF FF lea edx, [ebp+var_A0]
.text:00406B9C 52 push edx
.text:00406B9D 89 4D 08 mov [ebp+arg_0], ecx
.text:00406BA0 68 C8 00 00 00 push 0C8h ; 200
.text:00406BA5 8D 4D 90 lea ecx, [ebp+var_70]
.text:00406BA8 C6 45 FC 22 mov byte ptr [ebp+var_4], 22h
.text:00406BAC E8 27 F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406BB1 83 EC 08 sub esp, 8
.text:00406BB4 8B F4 mov esi, esp
.text:00406BB6 89 65 EC mov [ebp+var_14], esp
.text:00406BB9 8D 45 90 lea eax, [ebp+var_70]
.text:00406BBC 50 push eax
.text:00406BBD 6A 48 push 48h ; 72
.text:00406BBF 8D 4D 88 lea ecx, [ebp+var_78]
.text:00406BC2 C6 45 FC 23 mov byte ptr [ebp+var_4], 23h
.text:00406BC6 E8 0D F3 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406BCB 83 EC 08 sub esp, 8
.text:00406BCE C6 45 FC 24 mov byte ptr [ebp+var_4], 24h
.text:00406BD2 8B FC mov edi, esp
.text:00406BD4 89 65 EC mov [ebp+var_14], esp
.text:00406BD7 8D 4D 88 lea ecx, [ebp+var_78]
.text:00406BDA 51 push ecx
.text:00406BDB 6A 33 push 33h ; 51
.text:00406BDD 8D 4D 98 lea ecx, [ebp+var_68]
.text:00406BE0 E8 F3 F2 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406BE5 83 EC 08 sub esp, 8
.text:00406BE8 89 65 EC mov [ebp+var_14], esp
.text:00406BEB 8B DC mov ebx, esp
.text:00406BED 8D 55 98 lea edx, [ebp+var_68]
.text:00406BF0 52 push edx
.text:00406BF1 83 EC 08 sub esp, 8
.text:00406BF4 89 65 EC mov [ebp+var_14], esp
.text:00406BF7 8B CC mov ecx, esp
.text:00406BF9 6A 02 push 2 ; 2
.text:00406BFB C6 45 FC 25 mov byte ptr [ebp+var_4], 25h
.text:00406BFF E8 D4 F2 00 00 call atr_StringBase__atr_StringBase_int_
.text:00406C04 53 push ebx
.text:00406C05 E8 C6 E9 FF FF call sub_4055D0
.text:00406C0A 83 C4 10 add esp, 10h
.text:00406C0D 57 push edi
.text:00406C0E E8 BD E9 FF FF call sub_4055D0
.text:00406C13 83 C4 10 add esp, 10h
.text:00406C16 56 push esi
.text:00406C17 E8 B4 E9 FF FF call sub_4055D0
.text:00406C1C 8B 45 08 mov eax, [ebp+arg_0]
.text:00406C1F 83 C4 10 add esp, 10h
.text:00406C22 50 push eax
.text:00406C23 E8 A8 E9 FF FF call sub_4055D0
.text:00406C28 8B 4D D4 mov ecx, [ebp+var_2C]
.text:00406C2B 83 C4 10 add esp, 10h
.text:00406C2E 51 push ecx
.text:00406C2F E8 9C E9 FF FF call sub_4055D0
.text:00406C34 8B 55 A4 mov edx, [ebp+var_5C]
.text:00406C37 83 C4 10 add esp, 10h
.text:00406C3A 52 push edx
.text:00406C3B E8 90 E9 FF FF call sub_4055D0
.text:00406C40 8B 45 A8 mov eax, [ebp+var_58]
.text:00406C43 83 C4 10 add esp, 10h
.text:00406C46 50 push eax
.text:00406C47 E8 84 E9 FF FF call sub_4055D0
.text:00406C4C 8B 4D AC mov ecx, [ebp+var_54]
.text:00406C4F 83 C4 10 add esp, 10h
.text:00406C52 51 push ecx
.text:00406C53 E8 78 E9 FF FF call sub_4055D0
.text:00406C58 8D 55 B8 lea edx, [ebp+var_48]
.text:00406C5B 83 C4 10 add esp, 10h
.text:00406C5E 52 push edx
.text:00406C5F E8 6C E9 FF FF call sub_4055D0
.text:00406C64 83 C4 10 add esp, 10h
.text:00406C67 8B 45 9C mov eax, [ebp+var_64]
.text:00406C6A 33 FF xor edi, edi ;the pieces above are joined into the string "2517220091423618851"
.text:00406C6C 3B C7 cmp eax, edi ;this string is used as blowfish key1
.text:00406C6E C6 45 FC 2F mov byte ptr [ebp+var_4], 2Fh
.text:00406C72 74 0E jz short loc_406C82
.text:00406C74 FF 08 dec dword ptr [eax]
.text:00406C76 39 38 cmp [eax], edi
.text:00406C78 75 08 jnz short loc_406C82
.text:00406C7A 8D 4D 98 lea ecx, [ebp+var_68]
.text:00406C7D E8 38 F2 00 00 call atr_StringBase__Delete_void_
.text:00406C82
.text:00406C82 loc_406C82: ; CODE XREF: sub_406580+6F2j
.text:00406C82 ; sub_406580+6F8j
.text:00406C82 8B 45 8C mov eax, [ebp+var_74]
.text:00406C85 3B C7 cmp eax, edi
.text:00406C87 C6 45 FC 2E mov byte ptr [ebp+var_4], 2Eh
.text:00406C8B 74 0E jz short loc_406C9B
.text:00406C8D FF 08 dec dword ptr [eax]
.text:00406C8F 39 38 cmp [eax], edi
.text:00406C91 75 08 jnz short loc_406C9B
.text:00406C93 8D 4D 88 lea ecx, [ebp+var_78]
.text:00406C96 E8 1F F2 00 00 call atr_StringBase__Delete_void_
.text:00406C9B
.text:00406C9B loc_406C9B: ; CODE XREF: sub_406580+70Bj
.text:00406C9B ; sub_406580+711j
.text:00406C9B 8B 45 94 mov eax, [ebp+var_6C]
.text:00406C9E 3B C7 cmp eax, edi
.text:00406CA0 C6 45 FC 2D mov byte ptr [ebp+var_4], 2Dh
.text:00406CA4 74 0E jz short loc_406CB4
.text:00406CA6 FF 08 dec dword ptr [eax]
.text:00406CA8 39 38 cmp [eax], edi
.text:00406CAA 75 08 jnz short loc_406CB4
.text:00406CAC 8D 4D 90 lea ecx, [ebp+var_70]
.text:00406CAF E8 06 F2 00 00 call atr_StringBase__Delete_void_
.text:00406CB4
.text:00406CB4 loc_406CB4: ; CODE XREF: sub_406580+724j
.text:00406CB4 ; sub_406580+72Aj
.text:00406CB4 8B 85 64 FF FF FF mov eax, [ebp+var_9C]
.text:00406CBA 3B C7 cmp eax, edi
.text:00406CBC C6 45 FC 2C mov byte ptr [ebp+var_4], 2Ch
.text:00406CC0 74 11 jz short loc_406CD3
.text:00406CC2 FF 08 dec dword ptr [eax]
.text:00406CC4 39 38 cmp [eax], edi
.text:00406CC6 75 0B jnz short loc_406CD3
.text:00406CC8 8D 8D 60 FF FF FF lea ecx, [ebp+var_A0]
.text:00406CCE E8 E7 F1 00 00 call atr_StringBase__Delete_void_
.text:00406CD3
.text:00406CD3 loc_406CD3: ; CODE XREF: sub_406580+740j
.text:00406CD3 ; sub_406580+746j
.text:00406CD3 8B 85 54 FF FF FF mov eax, [ebp+var_AC]
.text:00406CD9 3B C7 cmp eax, edi
.text:00406CDB C6 45 FC 2B mov byte ptr [ebp+var_4], 2Bh
.text:00406CDF 74 11 jz short loc_406CF2
.text:00406CE1 FF 08 dec dword ptr [eax]
.text:00406CE3 39 38 cmp [eax], edi
.text:00406CE5 75 0B jnz short loc_406CF2
.text:00406CE7 8D 8D 50 FF FF FF lea ecx, [ebp+var_B0]
.text:00406CED E8 C8 F1 00 00 call atr_StringBase__Delete_void_
.text:00406CF2
.text:00406CF2 loc_406CF2: ; CODE XREF: sub_406580+75Fj
.text:00406CF2 ; sub_406580+765j
.text:00406CF2 8B 85 44 FF FF FF mov eax, [ebp+var_BC]
.text:00406CF8 3B C7 cmp eax, edi
.text:00406CFA C6 45 FC 2A mov byte ptr [ebp+var_4], 2Ah
.text:00406CFE 74 11 jz short loc_406D11
.text:00406D00 FF 08 dec dword ptr [eax]
.text:00406D02 39 38 cmp [eax], edi
.text:00406D04 75 0B jnz short loc_406D11
.text:00406D06 8D 8D 40 FF FF FF lea ecx, [ebp+var_C0]
.text:00406D0C E8 A9 F1 00 00 call atr_StringBase__Delete_void_
.text:00406D11
.text:00406D11 loc_406D11: ; CODE XREF: sub_406580+77Ej
.text:00406D11 ; sub_406580+784j
.text:00406D11 8B 85 34 FF FF FF mov eax, [ebp+var_CC]
.text:00406D17 3B C7 cmp eax, edi
.text:00406D19 C6 45 FC 29 mov byte ptr [ebp+var_4], 29h
.text:00406D1D 74 11 jz short loc_406D30
.text:00406D1F FF 08 dec dword ptr [eax]
.text:00406D21 39 38 cmp [eax], edi
.text:00406D23 75 0B jnz short loc_406D30
.text:00406D25 8D 8D 30 FF FF FF lea ecx, [ebp+var_D0]
.text:00406D2B E8 8A F1 00 00 call atr_StringBase__Delete_void_
.text:00406D30
.text:00406D30 loc_406D30: ; CODE XREF: sub_406580+79Dj
.text:00406D30 ; sub_406580+7A3j
.text:00406D30 8B 85 24 FF FF FF mov eax, [ebp+var_DC]
.text:00406D36 3B C7 cmp eax, edi
.text:00406D38 C6 45 FC 28 mov byte ptr [ebp+var_4], 28h
.text:00406D3C 74 11 jz short loc_406D4F
.text:00406D3E FF 08 dec dword ptr [eax]
.text:00406D40 39 38 cmp [eax], edi
.text:00406D42 75 0B jnz short loc_406D4F
.text:00406D44 8D 8D 20 FF FF FF lea ecx, [ebp+var_E0]
.text:00406D4A E8 6B F1 00 00 call atr_StringBase__Delete_void_
.text:00406D4F
.text:00406D4F loc_406D4F: ; CODE XREF: sub_406580+7BCj
.text:00406D4F ; sub_406580+7C2j
.text:00406D4F 8B 85 14 FF FF FF mov eax, [ebp+var_EC]
.text:00406D55 3B C7 cmp eax, edi
.text:00406D57 C6 45 FC 27 mov byte ptr [ebp+var_4], 27h
.text:00406D5B 74 11 jz short loc_406D6E
.text:00406D5D FF 08 dec dword ptr [eax]
.text:00406D5F 39 38 cmp [eax], edi
.text:00406D61 75 0B jnz short loc_406D6E
.text:00406D63 8D 8D 10 FF FF FF lea ecx, [ebp+var_F0]
.text:00406D69 E8 4C F1 00 00 call atr_StringBase__Delete_void_
.text:00406D6E
.text:00406D6E loc_406D6E: ; CODE XREF: sub_406580+7DBj
.text:00406D6E ; sub_406580+7E1j
.text:00406D6E 89 7D D8 mov [ebp+var_28], edi
.text:00406D71 89 7D DC mov [ebp+var_24], edi
.text:00406D74 8D 8D 9C EA FF FF lea ecx, [ebp+var_1564]
.text:00406D7A C6 45 FC 31 mov byte ptr [ebp+var_4], 31h
.text:00406D7E E8 B7 EF 00 00 call ??0uti_Blowfish@@QAE@XZ ;Blowfish initializes the pbox and sbox
.text:00406D83 6A 01 push 1
.text:00406D85 8D 45 B0 lea eax, [ebp+var_50]
.text:00406D88 50 push eax
.text:00406D89 8D 4D D0 lea ecx, [ebp+var_30]
.text:00406D8C 51 push ecx
.text:00406D8D C6 45 FC 32 mov byte ptr [ebp+var_4], 32h
.text:00406D91 E8 F8 EF 00 00 call ?utl_base64Decode@@YA?AVcow_String@@AAV1@_N@Z ;base64-decode the vendor_info string
.text:00406D96 83 C4 0C add esp, 0Ch ;in it the slash / is replaced by an exclamation mark !
.text:00406D99 8B 55 B8 mov edx, [ebp+var_48]
.text:00406D9C 83 EC 08 sub esp, 8
.text:00406D9F 8B C4 mov eax, esp
.text:00406DA1 89 10 mov [eax], edx
.text:00406DA3 8B 4D BC mov ecx, [ebp+var_44]
.text:00406DA6 89 48 04 mov [eax+4], ecx
.text:00406DA9 8B 45 BC mov eax, [ebp+var_44]
.text:00406DAC 3B C7 cmp eax, edi
.text:00406DAE C6 45 FC 33 mov byte ptr [ebp+var_4], 33h
.text:00406DB2 89 65 08 mov [ebp+arg_0], esp
.text:00406DB5 74 02 jz short loc_406DB9
.text:00406DB7 FF 00 inc dword ptr [eax]
.text:00406DB9
.text:00406DB9 loc_406DB9: ; CODE XREF: sub_406580+835j
.text:00406DB9 8D 8D 9C EA FF FF lea ecx, [ebp+var_1564] ;
.text:00406DB9 ; use the string 2517220091423618851 as the key to
.text:00406DBF E8 70 EF 00 00 call blowfish_init ; initialize key_pbox and key_sbox
.text:00406DC4 8B 55 D0 mov edx, [ebp+var_30] ; an address value also takes part in the computation
.text:00406DC7 83 EC 08 sub esp, 8
.text:00406DCA 8B C4 mov eax, esp
.text:00406DCC 89 10 mov [eax], edx
.text:00406DCE 8B 4D D4 mov ecx, [ebp+var_2C]
.text:00406DD1 89 48 04 mov [eax+4], ecx
.text:00406DD4 8B 45 D4 mov eax, [ebp+var_2C]
.text:00406DD7 3B C7 cmp eax, edi
.text:00406DD9 89 65 08 mov [ebp+arg_0], esp
.text:00406DDC 74 02 jz short loc_406DE0
.text:00406DDE FF 00 inc dword ptr [eax]
.text:00406DE0
.text:00406DE0 loc_406DE0: ; CODE XREF: sub_406580+85Cj
.text:00406DE0 8D 55 E8 lea edx, [ebp+var_18]
.text:00406DE3 52 push edx
.text:00406DE4 8D 8D 9C EA FF FF lea ecx, [ebp+var_1564]
.text:00406DEA E8 3F EF 00 00 call ?Decrypt@uti_Blowfish@@QAE?AVcow_String@@V2@@Z ;blowfish-decrypt the data produced by the BASE64 decoding above
.text:00406DEF 8B 4D C0 mov ecx, [ebp+var_40] ;before decrypting, this function swaps the byte order of the data,
.text:00406DF2 83 EC 08 sub esp, 8 ;and swaps the byte order again after decrypting.
.text:00406DF5 8B C4 mov eax, esp
.text:00406DF7 89 08 mov [eax], ecx
.text:00406DF9 8B 55 C4 mov edx, [ebp+var_3C]
.text:00406DFC 89 50 04 mov [eax+4], edx
.text:00406DFF 8B 45 C4 mov eax, [ebp+var_3C]
.text:00406E02 3B C7 cmp eax, edi
.text:00406E04 B3 34 mov bl, 34h
.text:00406E06 88 5D FC mov byte ptr [ebp+var_4], bl
.text:00406E09 89 65 08 mov [ebp+arg_0], esp
.text:00406E0C 74 02 jz short loc_406E10
.text:00406E0E FF 00 inc dword ptr [eax]
.text:00406E10
.text:00406E10 loc_406E10: ; CODE XREF: sub_406580+88Cj
.text:00406E10 8D 8D 9C EA FF FF lea ecx, [ebp+var_1564] ; use the string 3161117539399797711211784101822777 as the key
.text:00406E16 E8 19 EF 00 00 call blowfish_init ; to initialize key_pbox and key_sbox; an address value also takes
.text:00406E1B 8B 4D E8 mov ecx, [ebp+var_18] ; part in the computation
.text:00406E1E 83 EC 08 sub esp, 8
.text:00406E21 8B C4 mov eax, esp
.text:00406E23 89 08 mov [eax], ecx
.text:00406E25 8B 55 EC mov edx, [ebp+var_14]
.text:00406E28 89 50 04 mov [eax+4], edx
.text:00406E2B 8B 45 EC mov eax, [ebp+var_14]
.text:00406E2E 3B C7 cmp eax, edi
.text:00406E30 89 65 08 mov [ebp+arg_0], esp
.text:00406E33 74 02 jz short loc_406E37
.text:00406E35 FF 00 inc dword ptr [eax]
.text:00406E37
.text:00406E37 loc_406E37: ; CODE XREF: sub_406580+8B3j
.text:00406E37 8D 45 A0 lea eax, [ebp+var_60]
.text:00406E3A 50 push eax
.text:00406E3B 8D 8D 9C EA FF FF lea ecx, [ebp+var_1564] ; decrypt the result of the previous blowfish_de again; this yields a string of length 16
.text:00406E41 E8 E8 EE 00 00 call ?Decrypt@uti_Blowfish@@QAE?AVcow_String@@V2@@Z ; uti_Blowfish::Decrypt(cow_String)
.text:00406E46 8B F0 mov esi, eax
.text:00406E48 8B 46 04 mov eax, [esi+4]
.text:00406E4B 3B C7 cmp eax, edi
.text:00406E4D C6 45 FC 35 mov byte ptr [ebp+var_4], 35h
.text:00406E51 74 02 jz short loc_406E55
.text:00406E53 FF 00 inc dword ptr [eax]
.text:00406E55
.text:00406E55 loc_406E55: ; CODE XREF: sub_406580+8D1j
.text:00406E55 8B 45 DC mov eax, [ebp+var_24]
.text:00406E58 3B C7 cmp eax, edi
.text:00406E5A 74 0E jz short loc_406E6A
.text:00406E5C FF 08 dec dword ptr [eax]
.text:00406E5E 39 38 cmp [eax], edi
.text:00406E60 75 08 jnz short loc_406E6A
.text:00406E62 8D 4D D8 lea ecx, [ebp+var_28]
.text:00406E65 E8 50 F0 00 00 call atr_StringBase__Delete_void_
.text:00406E6A
.text:00406E6A loc_406E6A: ; CODE XREF: sub_406580+8DAj
.text:00406E6A ; sub_406580+8E0j
.text:00406E6A 8B 0E mov ecx, [esi]
.text:00406E6C 8B 45 A4 mov eax, [ebp+var_5C]
.text:00406E6F 3B C7 cmp eax, edi
.text:00406E71 89 4D D8 mov [ebp+var_28], ecx
.text:00406E74 8B 56 04 mov edx, [esi+4]
.text:00406E77 89 55 DC mov [ebp+var_24], edx
.text:00406E7A 88 5D FC mov byte ptr [ebp+var_4], bl
.text:00406E7D 74 0E jz short loc_406E8D
.text:00406E7F FF 08 dec dword ptr [eax]
.text:00406E81 39 38 cmp [eax], edi
.text:00406E83 75 08 jnz short loc_406E8D
.text:00406E85 8D 4D A0 lea ecx, [ebp+var_60]
.text:00406E88 E8 2D F0 00 00 call atr_StringBase__Delete_void_
.text:00406E8D
.text:00406E8D loc_406E8D: ; CODE XREF: sub_406580+8FDj
.text:00406E8D ; sub_406580+903j
.text:00406E8D 8B 45 EC mov eax, [ebp+var_14]
.text:00406E90 3B C7 cmp eax, edi
.text:00406E92 C6 45 FC 33 mov byte ptr [ebp+var_4], 33h
.text:00406E96 74 0E jz short loc_406EA6
.text:00406E98 FF 08 dec dword ptr [eax]
.text:00406E9A 39 38 cmp [eax], edi
.text:00406E9C 75 08 jnz short loc_406EA6
.text:00406E9E 8D 4D E8 lea ecx, [ebp+var_18]
.text:00406EA1 E8 14 F0 00 00 call atr_StringBase__Delete_void_
.text:00406EA6
.text:00406EA6 loc_406EA6: ; CODE XREF: sub_406580+916j
.text:00406EA6 ; sub_406580+91Cj
.text:00406EA6 8B 45 D4 mov eax, [ebp+var_2C]
.text:00406EA9 3B C7 cmp eax, edi
.text:00406EAB C6 45 FC 32 mov byte ptr [ebp+var_4], 32h
.text:00406EAF 74 0E jz short loc_406EBF
.text:00406EB1 FF 08 dec dword ptr [eax]
.text:00406EB3 39 38 cmp [eax], edi
.text:00406EB5 75 08 jnz short loc_406EBF
.text:00406EB7 8D 4D D0 lea ecx, [ebp+var_30]
.text:00406EBA E8 FB EF 00 00 call atr_StringBase__Delete_void_
.text:00406EBF
.text:00406EBF loc_406EBF: ; CODE XREF: sub_406580+92Fj
.text:00406EBF ; sub_406580+935j
.text:00406EBF 8D 8D 9C EA FF FF lea ecx, [ebp+var_1564]
.text:00406EC5 C6 45 FC 31 mov byte ptr [ebp+var_4], 31h ;
.text:00406EC9 E8 5A EE 00 00 call ??1uti_Blowfish@@QAE@XZ ; uti_Blowfish::~uti_Blowfish(void)
.text:00406ECE 8B 45 DC mov eax, [ebp+var_24]
.text:00406ED1 3B C7 cmp eax, edi
.text:00406ED3 C7 45 FC 30 00 00 00 mov [ebp+var_4], 30h
.text:00406EDA 74 0A jz short loc_406EE6
.text:00406EDC 83 78 08 10 cmp dword ptr [eax+8], 10h
.text:00406EE0 0F 84 AE 00 00 00 jz loc_406F94
.text:00406EE6
.text:00406EE6 loc_406EE6: ; CODE XREF: sub_406580+95Aj
.text:00406EE6 3B C7 cmp eax, edi
.text:00406EE8 C6 45 FC 27 mov byte ptr [ebp+var_4], 27h
.text:00406EEC 74 0E jz short loc_406EFC
.text:00406EEE FF 08 dec dword ptr [eax]
.text:00406EF0 39 38 cmp [eax], edi
.text:00406EF2 75 08 jnz short loc_406EFC
.text:00406EF4 8D 4D D8 lea ecx, [ebp+var_28]
.text:00406EF7 E8 BE EF 00 00 call atr_StringBase__Delete_void_
.text:00406EFC
.text:00406EFC loc_406EFC: ; CODE XREF: sub_406580+96Cj
.text:00406EFC ; sub_406580+972j
.text:00406EFC 8B 45 BC mov eax, [ebp+var_44]
.text:00406EFF 3B C7 cmp eax, edi
.text:00406F01 C6 45 FC 11 mov byte ptr [ebp+var_4], 11h
.text:00406F05 74 0E jz short loc_406F15
.text:00406F07 FF 08 dec dword ptr [eax]
.text:00406F09 39 38 cmp [eax], edi
.text:00406F0B 75 08 jnz short loc_406F15
.text:00406F0D 8D 4D B8 lea ecx, [ebp+var_48]
.text:00406F10 E8 A5 EF 00 00 call atr_StringBase__Delete_void_
.text:00406F15
.text:00406F15 loc_406F15: ; CODE XREF: sub_406580+985j
.text:00406F15 ; sub_406580+98Bj
.text:00406F15 8B 45 C4 mov eax, [ebp+var_3C]
.text:00406F18 3B C7 cmp eax, edi
.text:00406F1A C6 45 FC 03 mov byte ptr [ebp+var_4], 3
.text:00406F1E 74 0E jz short loc_406F2E
.text:00406F20 FF 08 dec dword ptr [eax]
.text:00406F22 39 38 cmp [eax], edi
.text:00406F24 75 08 jnz short loc_406F2E
.text:00406F26 8D 4D C0 lea ecx, [ebp+var_40]
.text:00406F29 E8 8C EF 00 00 call atr_StringBase__Delete_void_
.text:00406F2E
.text:00406F2E loc_406F2E: ; CODE XREF: sub_406580+99Ej
.text:00406F2E ; sub_406580+9A4j
.text:00406F2E 8B 45 B4 mov eax, [ebp+var_4C]
.text:00406F31 3B C7 cmp eax, edi
.text:00406F33 C6 45 FC 02 mov byte ptr [ebp+var_4], 2
.text:00406F37 74 0E jz short loc_406F47
.text:00406F39 FF 08 dec dword ptr [eax]
.text:00406F3B 39 38 cmp [eax], edi
.text:00406F3D 75 08 jnz short loc_406F47
.text:00406F3F 8D 4D B0 lea ecx, [ebp+var_50]
.text:00406F42 E8 73 EF 00 00 call atr_StringBase__Delete_void_
.text:00406F47
.text:00406F47 loc_406F47: ; CODE XREF: sub_406580+9B7j
.text:00406F47 ; sub_406580+9BDj
.text:00406F47 8B 45 CC mov eax, [ebp+var_34]
.text:00406F4A 3B C7 cmp eax, edi
.text:00406F4C C6 45 FC 01 mov byte ptr [ebp+var_4], 1
.text:00406F50 74 0E jz short loc_406F60
.text:00406F52 FF 08 dec dword ptr [eax]
.text:00406F54 39 38 cmp [eax], edi
.text:00406F56 75 08 jnz short loc_406F60
.text:00406F58 8D 4D C8 lea ecx, [ebp+var_38]
.text:00406F5B E8 5A EF 00 00 call atr_StringBase__Delete_void_
.text:00406F60
.text:00406F60 loc_406F60: ; CODE XREF: sub_406580+9D0j
.text:00406F60 ; sub_406580+9D6j
.text:00406F60 8B 45 E4 mov eax, [ebp+var_1C]
.text:00406F63 3B C7 cmp eax, edi
.text:00406F65 C7 45 FC FF FF FF FF mov [ebp+var_4], 0FFFFFFFFh
.text:00406F6C 74 0E jz short loc_406F7C
.text:00406F6E FF 08 dec dword ptr [eax]
.text:00406F70 39 38 cmp [eax], edi
.text:00406F72 75 08 jnz short loc_406F7C
.text:00406F74 8D 4D E0 lea ecx, [ebp+var_20]
.text:00406F77 E8 3E EF 00 00 call atr_StringBase__Delete_void_
.text:00406F7C
.text:00406F7C loc_406F7C: ; CODE XREF: sub_406580+9ECj
.text:00406F7C ; sub_406580+9F2j
.text:00406F7C B8 40 00 00 00 mov eax, 40h
.text:00406F81 8B 4D F4 mov ecx, [ebp+var_C]
.text:00406F84 64 89 0D 00 00 00 00 mov large fs:0, ecx
.text:00406F8B 5F pop edi
.text:00406F8C 5E pop esi
.text:00406F8D 5B pop ebx
.text:00406F8E 8B E5 mov esp, ebp
.text:00406F90 5D pop ebp
.text:00406F91 C2 04 00 retn 4
.text:00406F94 ; ---------------------------------------------------------------------------
.text:00406F94
.text:00406F94 loc_406F94: ; CODE XREF: sub_406580+960j
.text:00406F94 6A 0A push 0Ah
.text:00406F96 6A 02 push 2
.text:00406F98 8D 45 D0 lea eax, [ebp+var_30]
.text:00406F9B 50 push eax
.text:00406F9C 8D 4D D8 lea ecx, [ebp+var_28]
.text:00406F9F E8 1C B0 FF FF call sub_401FC0 ; drop the first two characters of the blowfish_de result, then
.text:00406F9F ; take the next 10 characters in order
.text:00406FA4 50 push eax
.text:00406FA5 8D 4D E0 lea ecx, [ebp+var_20]
.text:00406FA8 E8 B3 E4 FF FF call sub_405460
.text:00406FAD 85 C0 test eax, eax ; f(vendor_info)=f(sign)? if they are equal, verification passes
.text:00406FAF 8B 45 D4 mov eax, [ebp+var_2C]
.text:00406FB2 0F 95 C3 setnz bl ;
.text:00406FB5 3B C7 cmp eax, edi
.text:00406FB7 74 0E jz short loc_406FC7
.text:00406FB9 FF 08 dec dword ptr [eax]
.text:00406FBB 39 38 cmp [eax], edi
.text:00406FBD 75 08 jnz short loc_406FC7
.text:00406FBF 8D 4D D0 lea ecx, [ebp+var_30]
.text:00406FC2 E8 F3 EE 00 00 call atr_StringBase__Delete_void_
.text:00406FC7
.text:00406FC7 loc_406FC7: ; CODE XREF: sub_406580+A37j
.text:00406FC7 ; sub_406580+A3Dj
.text:00406FC7 84 DB test bl, bl ;
.text:00406FC9 0F 84 B1 00 00 00 jz loc_407080 ;
.text:00406FCF 8B 45 DC mov eax, [ebp+var_24]
.text:00406FD2 3B C7 cmp eax, edi
.text:00406FD4 C6 45 FC 27 mov byte ptr [ebp+var_4], 27h
.text:00406FD8 74 0E jz short loc_406FE8
.text:00406FDA FF 08 dec dword ptr [eax]
.text:00406FDC 39 38 cmp [eax], edi
.text:00406FDE 75 08 jnz short loc_406FE8
.text:00406FE0 8D 4D D8 lea ecx, [ebp+var_28]
.text:00406FE3 E8 D2 EE 00 00 call atr_StringBase__Delete_void_
.text:00406FE8
.text:00406FE8 loc_406FE8: ; CODE XREF: sub_406580+A58j
.text:00406FE8 ; sub_406580+A5Ej
.text:00406FE8 8B 45 BC mov eax, [ebp+var_44]
.text:00406FEB 3B C7 cmp eax, edi
.text:00406FED C6 45 FC 11 mov byte ptr [ebp+var_4], 11h
.text:00406FF1 74 0E jz short loc_407001
.text:00406FF3 FF 08 dec dword ptr [eax]
.text:00406FF5 39 38 cmp [eax], edi
.text:00406FF7 75 08 jnz short loc_407001
.text:00406FF9 8D 4D B8 lea ecx, [ebp+var_48]
.text:00406FFC E8 B9 EE 00 00 call atr_StringBase__Delete_void_
.text:00407001
.text:00407001 loc_407001: ; CODE XREF: sub_406580+A71j
.text:00407001 ; sub_406580+A77j
.text:00407001 8B 45 C4 mov eax, [ebp+var_3C]
.text:00407004 3B C7 cmp eax, edi
.text:00407006 C6 45 FC 03 mov byte ptr [ebp+var_4], 3
.text:0040700A 74 0E jz short loc_40701A
.text:0040700C FF 08 dec dword ptr [eax]
.text:0040700E 39 38 cmp [eax], edi
.text:00407010 75 08 jnz short loc_40701A
.text:00407012 8D 4D C0 lea ecx, [ebp+var_40]
.text:00407015 E8 A0 EE 00 00 call atr_StringBase__Delete_void_
.text:0040701A
.text:0040701A loc_40701A: ; CODE XREF: sub_406580+A8Aj
.text:0040701A ; sub_406580+A90j
.text:0040701A 8B 45 B4 mov eax, [ebp+var_4C]
.text:0040701D 3B C7 cmp eax, edi
.text:0040701F C6 45 FC 02 mov byte ptr [ebp+var_4], 2
.text:00407023 74 0E jz short loc_407033
.text:00407025 FF 08 dec dword ptr [eax]
.text:00407027 39 38 cmp [eax], edi
.text:00407029 75 08 jnz short loc_407033
.text:0040702B 8D 4D B0 lea ecx, [ebp+var_50]
.text:0040702E E8 87 EE 00 00 call atr_StringBase__Delete_void_
.text:00407033
.text:00407033 loc_407033: ; CODE XREF: sub_406580+AA3j
.text:00407033 ; sub_406580+AA9j
.text:00407033 8B 45 CC mov eax, [ebp+var_34]
.text:00407036 3B C7 cmp eax, edi
.text:00407038 C6 45 FC 01 mov byte ptr [ebp+var_4], 1
.text:0040703C 74 0E jz short loc_40704C
.text:0040703E FF 08 dec dword ptr [eax]
.text:00407040 39 38 cmp [eax], edi
.text:00407042 75 08 jnz short loc_40704C
.text:00407044 8D 4D C8 lea ecx, [ebp+var_38]
.text:00407047 E8 6E EE 00 00 call atr_StringBase__Delete_void_
.text:0040704C
.text:0040704C loc_40704C: ; CODE XREF: sub_406580+ABCj
.text:0040704C ; sub_406580+AC2j
.text:0040704C 8B 45 E4 mov eax, [ebp+var_1C]
.text:0040704F 3B C7 cmp eax, edi
.text:00407051 C7 45 FC FF FF FF FF mov [ebp+var_4], 0FFFFFFFFh
.text:00407058 74 0E jz short loc_407068
.text:0040705A FF 08 dec dword ptr [eax]
.text:0040705C 39 38 cmp [eax], edi
.text:0040705E 75 08 jnz short loc_407068
.text:00407060 8D 4D E0 lea ecx, [ebp+var_20]
.text:00407063 E8 52 EE 00 00 call atr_StringBase__Delete_void_
.text:00407068
.text:00407068 loc_407068: ; CODE XREF: sub_406580+AD8j
.text:00407068 ; sub_406580+ADEj
.text:00407068 B8 80 00 00 00 mov eax, 80h
.text:0040706D 8B 4D F4 mov ecx, [ebp+var_C]
.text:00407070 64 89 0D 00 00 00 00 mov large fs:0, ecx
.text:00407077 5F pop edi
.text:00407078 5E pop esi
.text:00407079 5B pop ebx
.text:0040707A 8B E5 mov esp, ebp
.text:0040707C 5D pop ebp
.text:0040707D C2 04 00 retn 4
--------------------------------------------------------------------------------
【Summary】
That completes the whole computation. The program's verification flow is:
1. Compute sign. The result is a numeric string of length 10; if it is shorter than 10 characters it is padded with x at the end. I did not study the algorithm closely and simply let the program compute it. Roughly, it passes the bytes of sign through some simple arithmetic, looks them up in the table built at .text:004065B4 call ??0eli_Crc32@@QAE@I@Z, and then combines the result with a simple XOR to obtain a value.
2. Base64-decode vendor_info.
3. Swap the byte order of the base64-decoded data,
i.e. 12345678h becomes 78563412h.
4. Decrypt the swapped data with blowfish_de_key1.
5. Decrypt the result of the previous blowfish_de_key1 step again with blowfish_de_key2.
6. Swap the byte order of the data.
7. Finally, drop the first two characters of the data, take the next 10 characters in order and compare them with the numeric string generated from sign. If they are equal, verification passes!
When writing the keygen, the key_pbox and key_sbox values present at the two blowfish_init calls can be grabbed from memory and blowfish_en called on them directly, so there is no need
to initialize the key boxes again.
Postscript: with this the work is finally complete, and it counts as a success. Finally, thanks to the friends on the forum for their support and encouragement!
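As an added example (my own code, not the author's keygen and not the daemon's code), the data-handling stages of the flow above in Python: steps 2, 3, 6 and 7 plus the padding rule of step 1 and the length-16 check visible in the listing. The two Blowfish stages are deliberately left out, because their key schedule mixes in an address value that the page does not disclose; the function names and the sample input are constructed.

```python
import base64

# Added example, not the author's code nor the daemon's: the data-handling
# stages of the verification flow described on this page (steps 2, 3, 6, 7 and
# the padding rule of step 1).  The two Blowfish stages are left out on purpose:
# their key schedule mixes in an address value that the page does not disclose,
# so they cannot be reproduced here.  Names and sample data are my own.

SIGN_LEN = 10          # length of the digit string derived from SIGN
PLAINTEXT_LEN = 16     # length the daemon requires after the second decrypt
                       # (cmp dword ptr [eax+8], 10h in the listing)


def decode_vendor_info(vendor_info: str) -> bytes:
    """Step 2: base64-decode VENDOR_INFO.

    The daemon uses a base64 variant in which '!' stands in for '/', so that
    substitution is undone first.  validate=True makes any other character
    outside the standard alphabet an error instead of being skipped silently.
    """
    return base64.b64decode(vendor_info.replace("!", "/"), validate=True)


def swap_dwords(data: bytes) -> bytes:
    """Steps 3 and 6: reverse the byte order inside every 4-byte word, so the
    bytes 12 34 56 78 become 78 56 34 12.  The function is its own inverse."""
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4, got %d" % len(data))
    return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))


def pad_sign_digits(digits: str) -> str:
    """Step 1 padding rule: the SIGN-derived digit string is 10 characters;
    a shorter one is padded on the right with 'x'."""
    if len(digits) > SIGN_LEN:
        raise ValueError("sign digit string longer than %d" % SIGN_LEN)
    return digits.ljust(SIGN_LEN, "x")


def compare_field(plaintext: str) -> str:
    """Step 7: drop the first two characters and take the next ten."""
    return plaintext[2:2 + SIGN_LEN]


def verify(plaintext: str, sign_digits: str) -> bool:
    """Final comparison.  Like the daemon, reject anything whose decrypted
    length is not exactly 16 before looking at the contents."""
    if len(plaintext) != PLAINTEXT_LEN:
        return False
    return compare_field(plaintext) == pad_sign_digits(sign_digits)


# Constructed sample input (not a real license): 16 bytes whose base64
# encoding contains '/', so the '!' substitution is exercised.
SAMPLE_RAW = bytes.fromhex("ffffff12345678001122334455667788")
SAMPLE_VENDOR_INFO = base64.b64encode(SAMPLE_RAW).decode().replace("/", "!")


def demo() -> bytes:
    """Run steps 2 and 3 on the sample: this is what would be handed to the
    first Blowfish decrypt.  Returns the swapped bytes."""
    raw = decode_vendor_info(SAMPLE_VENDOR_INFO)
    return swap_dwords(raw)


if __name__ == "__main__":
    print("vendor_info:", SAMPLE_VENDOR_INFO)
    print("swapped    :", demo().hex())
    print("verify     :", verify("QQ12345678xxZZZZ", "12345678"))
```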
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) technical forum. When reposting, please credit the author and keep the article intact. Thank you!
- Title: An incomplete analysis of ABAQUS 6.7 (Flexlm+blowfish verification)
- Author: fangawxs
- Date: 2007-07-24 09:21
- Link: http://bbs.pediy.com/showthread.php?t=48449