【文章标题】: HexAssistant1.9算法分析
【文章作者】: fangawxs
【作者邮箱】: fangawxs@163.com
【软件名称】: HexAssistant1.9
【软件大小】: 2.34M
【下载地址】: 自己搜索下载
【加壳方式】: 无
【保护方式】: serial
【编写语言】: VC++
【使用工具】: 0D,IDA Pro5.0
【操作平台】: win32
【软件介绍】: HexAssistant is an Internet-ready 32-bit hex edi
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
运行软件,出现注册对话框,输入注册名:fangawxs,注册码:123456789123456789后,出现错误提示:Invalid User Name
or Registration Code!
反汇编很快就找到出错的地方:
.text:0041224D 50 push eax ; lpData;指向用户名
.text:0041224E B9 38 17 4E 00 mov ecx, offset unk_4E1738
.text:00412253 E8 5D E4 03 00 call sub_4506B5 ;关键call,进入
.text:00412258 85 C0 test eax, eax
.text:0041225A 74 0A jz short loc_412266
.text:0041225C 8B 4D E8 mov ecx, [ebp+var_18]
.text:0041225F E8 D8 CD 04 00 call ?OnOK@CDialog@@MAEXXZ ; CDialog::OnOK(void)
.text:00412264 EB 17 jmp short loc_41227D
.text:00412266 ; ---------------------------------------------------------------------------
.text:00412266
.text:00412266 loc_412266: ; CODE XREF: sub_4121D3+87j
.text:00412266 6A 00 push 0
.text:00412268 6A 01 push 1
.text:0041226A 68 3A F0 00 00 push 0F03Ah ; 出错(Invalid User Name
or Registration Code!
.text:0041226F 8B 55 E8 mov edx, [ebp-18h]
.text:00412272 52 push edx
.text:00412273 B9 88 16 4E 00 mov ecx, offset unk_4E1688
.text:00412278 E8 63 24 FF FF call sub_4046E0
.text:0041227D
.text:0041227D loc_41227D: ; CODE XREF: sub_4121D3+91j
.text:0041227D C6 45 FC 00 mov byte ptr [ebp+var_4], 0
.text:00412281 8D 4D F0 lea ecx, [ebp+var_10]
进入.text:00412253处的call sub_4506B5
.text:004506B5 55 push ebp ; *lpData="用户名"
.text:004506B5 ; *arg_4="注册码"
.text:004506B6 8B EC mov ebp, esp
.text:004506B8 81 EC 1C 01 00 00 sub esp, 11Ch
.text:004506BE 89 8D E4 FE FF FF mov [ebp+var_11C], ecx ; 一个指针,*ecx=004c7834
.text:004506C4 C6 45 B8 00 mov byte ptr [ebp+var_48], 0 ; var_48=0
.text:004506C8 33 C0 xor eax, eax ; set eax to zero
.text:004506CA 89 45 B9 mov [ebp+var_48+1], eax ; var_48+1=var_47
.text:004506CD 89 45 BD mov [ebp+var_43], eax
.text:004506D0 89 45 C1 mov [ebp+var_3F], eax
.text:004506D3 66 89 45 C5 mov [ebp+var_3B], ax
.text:004506D7 88 45 C7 mov [ebp+var_39], al
.text:004506DA C6 45 E0 00 mov byte ptr [ebp+var_20], 0
.text:004506DE 33 C9 xor ecx, ecx ; set ecx to zero
.text:004506E0 89 4D E1 mov [ebp+var_20+1], ecx ; var_20+1=var_1F
.text:004506E3 89 4D E5 mov [ebp+var_1B], ecx
.text:004506E6 89 4D E9 mov [ebp+var_17], ecx
.text:004506E9 66 89 4D ED mov [ebp+var_13], cx
.text:004506ED 88 4D EF mov [ebp+var_11], cl
.text:004506F0 C6 45 F0 00 mov byte ptr [ebp+var_10], 0
.text:004506F4 33 D2 xor edx, edx ; set edx=0
.text:004506F6 89 55 F1 mov [ebp+var_10+1], edx ; var_10+1=var_0F
.text:004506F9 89 55 F5 mov [ebp+var_B], edx
.text:004506FC 89 55 F9 mov [ebp+var_7], edx
.text:004506FF 66 89 55 FD mov [ebp+var_3], dx
.text:00450703 88 55 FF mov [ebp+var_1], dl
.text:00450706 C6 45 CC 00 mov byte ptr [ebp+var_34], 0
.text:0045070A 33 C0 xor eax, eax ; eax=0
.text:0045070C 89 45 CD mov [ebp+var_34+1], eax ; var_34+1=var_33
.text:0045070F 89 45 D1 mov [ebp+var_2F], eax
.text:00450712 89 45 D5 mov [ebp+var_2B], eax
.text:00450715 66 89 45 D9 mov [ebp+var_27], ax
.text:00450719 88 45 DB mov [ebp+var_25], al
.text:0045071C 8B 4D 08 mov ecx, [ebp+lpData]
.text:0045071F 51 push ecx ; char *
.text:00450720 E8 6B F0 00 00 call strlen
.text:00450725 83 C4 04 add esp, 4
.text:00450728 83 F8 10 cmp eax, 10h ; 用户名 > 10h?
.text:00450728 ; 如果大于16位,就取前16位
.text:0045072B 76 14 jbe short loc_450741
.text:0045072D 6A 10 push 10h ; size_t
.text:0045072F 8B 55 08 mov edx, [ebp+lpData] ; src
.text:00450732 52 push edx ; void *
.text:00450733 8D 45 B8 lea eax, [ebp+var_48] ; dest
.text:00450736 50 push eax ; void *
.text:00450737 E8 60 F0 00 00 call memcpy ; copy src to dest
.text:0045073C 83 C4 0C add esp, 0Ch
.text:0045073F EB 1D jmp short loc_45075E
.text:00450741 ; ---------------------------------------------------------------------------
.text:00450741
.text:00450741 loc_450741: ; CODE XREF: sub_4506B5+76j
.text:00450741 8B 4D 08 mov ecx, [ebp+lpData]
.text:00450744 51 push ecx ; char *
.text:00450745 E8 46 F0 00 00 call strlen
.text:0045074A 83 C4 04 add esp, 4
.text:0045074D 50 push eax ; size_t
.text:0045074E 8B 55 08 mov edx, [ebp+lpData] ; src
.text:00450751 52 push edx ; void *
.text:00450752 8D 45 B8 lea eax, [ebp+var_48] ; dest
.text:00450755 50 push eax ; void *
.text:00450756 E8 41 F0 00 00 call memcpy
.text:0045075B 83 C4 0C add esp, 0Ch
.text:0045075E
.text:0045075E loc_45075E: ; CODE XREF: sub_4506B5+8Aj
.text:0045075E 8D 4D E0 lea ecx, [ebp+var_20]
.text:00450761 51 push ecx
.text:00450762 8D 55 B8 lea edx, [ebp+var_48] ; *var_48=用户名
.text:00450765 52 push edx
.text:00450766 B9 28 1C 4E 00 mov ecx, offset table1
.text:0045076B E8 EB F6 FE FF call sub_43FE5B ; 用户名的算法.
.text:0045076B ; 结果放在var_20处
.text:00450770 C6 45 DC 00 mov [ebp+var_24], 0
.text:00450774 33 C0 xor eax, eax
.text:00450776 66 89 45 DD mov [ebp-23h], ax
.text:0045077A C7 45 B4 00 00 00 00 mov [ebp+var_4C], 0
.text:00450781 EB 09 jmp short loc_45078C
.text:00450783 ; ---------------------------------------------------------------------------
.text:00450783
.text:00450783 loc_450783: ; CODE XREF: sub_4506B5+115j
.text:00450783 8B 4D B4 mov ecx, [ebp+var_4C]
.text:00450786 83 C1 01 add ecx, 1
.text:00450789 89 4D B4 mov [ebp+var_4C], ecx ; var_4C为计数器
.text:0045078C
.text:0045078C loc_45078C: ; CODE XREF: sub_4506B5+CCj
.text:0045078C 83 7D B4 10 cmp [ebp+var_4C], 10h
.text:00450790 7D 3A jge short loc_4507CC
.text:00450792 6A 02 push 2 ; size_t,复制为2个字节
.text:00450792 ; 循环16次,因此注册码要32个字节
.text:00450794 8B 55 B4 mov edx, [ebp+var_4C]
.text:00450797 8B 45 0C mov eax, [ebp+arg_4] ; arg_4指向注册码
.text:0045079A 8D 0C 50 lea ecx, [eax+edx*2] ; src
.text:0045079D 51 push ecx ; void *
.text:0045079E 8D 55 DC lea edx, [ebp+var_24] ; dest
.text:004507A1 52 push edx ; void *
.text:004507A2 E8 F5 EF 00 00 call memcpy ; 复制
.text:004507A7 83 C4 0C add esp, 0Ch
.text:004507AA 8D 45 C8 lea eax, [ebp+var_38]
.text:004507AD 50 push eax ; 存放地址
.text:004507AE 68 00 F9 4D 00 push offset asc_4DF900 ; 以16进制数输入%x
.text:004507B3 8D 4D DC lea ecx, [ebp+var_24]
.text:004507B6 51 push ecx ; char *
.text:004507B7 FF 15 94 0C 4C 00 call ds:sscanf
.text:004507BD 83 C4 0C add esp, 0Ch
.text:004507C0 8B 55 B4 mov edx, [ebp+var_4C]
.text:004507C3 8A 45 C8 mov al, byte ptr [ebp+var_38]
.text:004507C6 88 44 15 F0 mov byte ptr [ebp+edx+var_10], al ; 处理结果写到var_10处
.text:004507C6 ; 注册码的字符应该为0-F,共有32位
.text:004507CA EB B7 jmp short loc_450783
.text:004507CC ; ---------------------------------------------------------------------------
.text:004507CC
.text:004507CC loc_4507CC: ; CODE XREF: sub_4506B5+DBj
.text:004507CC 8D 4D CC lea ecx, [ebp+var_34]
.text:004507CF 51 push ecx
.text:004507D0 8D 55 F0 lea edx, [ebp+var_10]
.text:004507D3 52 push edx ; 注册码,为32位的十六进制数
.text:004507D4 B9 80 1B 4E 00 mov ecx, offset table
.text:004507D9 E8 99 06 FF FF call sub_440E77 ; 对注册码处理,注册码算法
.text:004507DE 6A 10 push 10h ; size_t
.text:004507E0 8D 45 CC lea eax, [ebp+var_34] ; var_34为字符串
.text:004507E3 50 push eax ; void *
.text:004507E4 8D 4D E0 lea ecx, [ebp+var_20] ; var_20为字符串
.text:004507E7 51 push ecx ; void *
.text:004507E8 E8 25 F3 00 00 call memcmp ; 比较两个字符串是否相等
.text:004507ED 83 C4 0C add esp, 0Ch ; 相等则注册成功!
.text:004507F0 85 C0 test eax, eax
.text:004507F2 0F 85 E5 00 00 00 jnz loc_4508DD
.text:004507F8 8D 95 E8 FE FF FF lea edx, [ebp+hKey]
.text:004507FE 52 push edx ; phkResult
.text:004507FF 68 3F 00 0F 00 push 0F003Fh ; samDesired
.text:00450804 6A 00 push 0 ; ulOptions
.text:00450806 68 04 F9 4D 00 push offset SubKey ; "SOFTWARE\\Microsoft\\sabdu"
.text:0045080B 68 02 00 00 80 push 80000002h ; hKey
.text:00450810 FF 15 08 00 4C 00 call ds:RegOpenKeyExA
.text:00450816 85 C0 test eax, eax
.text:00450818 74 31 jz short loc_45084B
.text:0045081A 6A 00 push 0 ; lpdwDisposition
.text:0045081C 8D 85 E8 FE FF FF lea eax, [ebp+hKey]
.text:00450822 50 push eax ; phkResult
.text:00450823 6A 00 push 0 ; lpSecurityAttributes
.text:00450825 68 3F 00 0F 00 push 0F003Fh ; samDesired
.text:0045082A 6A 00 push 0 ; dwOptions
.text:0045082C 6A 00 push 0 ; lpClass
.text:0045082E 6A 00 push 0 ; Reserved
.text:00450830 68 20 F9 4D 00 push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\sabdu"
.text:00450835 68 02 00 00 80 push 80000002h ; hKey
.text:0045083A FF 15 04 00 4C 00 call ds:RegCreateKeyExA
.text:00450840 85 C0 test eax, eax
.text:00450842 74 07 jz short loc_45084B
.text:00450844 33 C0 xor eax, eax
.text:00450846 E9 94 00 00 00 jmp loc_4508DF
.text:0045084B ; ---------------------------------------------------------------------------
.text:0045084B
.text:0045084B loc_45084B: ; CODE XREF: sub_4506B5+163j
.text:0045084B ; sub_4506B5+18Dj
.text:0045084B 8B 4D 08 mov ecx, [ebp+lpData] ; 写注册表
.text:0045084E 51 push ecx ; char *
.text:0045084F E8 3C EF 00 00 call strlen
.text:00450854 83 C4 04 add esp, 4
.text:00450857 83 C0 01 add eax, 1
.text:0045085A 50 push eax ; cbData
.text:0045085B 8B 55 08 mov edx, [ebp+lpData]
.text:0045085E 52 push edx ; lpData
.text:0045085F 6A 01 push 1 ; dwType
.text:00450861 6A 00 push 0 ; Reserved
.text:00450863 68 3C F9 4D 00 push offset ValueName ; "name"
.text:00450868 8B 85 E8 FE FF FF mov eax, [ebp+hKey]
.text:0045086E 50 push eax ; hKey
.text:0045086F FF 15 18 00 4C 00 call ds:RegSetValueExA
.text:00450875 85 C0 test eax, eax
.text:00450877 74 11 jz short loc_45088A
.text:00450879 8B 8D E8 FE FF FF mov ecx, [ebp+hKey]
.text:0045087F 51 push ecx ; hKey
.text:00450880 FF 15 00 00 4C 00 call ds:RegCloseKey
.text:00450886 33 C0 xor eax, eax
.text:00450888 EB 55 jmp short loc_4508DF
.text:0045088A ; ---------------------------------------------------------------------------
.text:0045088A
.text:0045088A loc_45088A: ; CODE XREF: sub_4506B5+1C2j
.text:0045088A 8B 55 0C mov edx, [ebp+arg_4] ; 写注册表
.text:0045088D 52 push edx ; char *
.text:0045088E E8 FD EE 00 00 call strlen
.text:00450893 83 C4 04 add esp, 4
.text:00450896 83 C0 01 add eax, 1
.text:00450899 50 push eax ; cbData
.text:0045089A 8B 45 0C mov eax, [ebp+arg_4]
.text:0045089D 50 push eax ; lpData
.text:0045089E 6A 01 push 1 ; dwType
.text:004508A0 6A 00 push 0 ; Reserved
.text:004508A2 68 44 F9 4D 00 push offset aCode ; "code"
.text:004508A7 8B 8D E8 FE FF FF mov ecx, [ebp+hKey]
.text:004508AD 51 push ecx ; hKey
.text:004508AE FF 15 18 00 4C 00 call ds:RegSetValueExA
.text:004508B4 85 C0 test eax, eax
.text:004508B6 74 11 jz short loc_4508C9
.text:004508B8 8B 95 E8 FE FF FF mov edx, [ebp+hKey]
.text:004508BE 52 push edx ; hKey
.text:004508BF FF 15 00 00 4C 00 call ds:RegCloseKey
.text:004508C5 33 C0 xor eax, eax
.text:004508C7 EB 16 jmp short loc_4508DF
.text:004508C9 ; ---------------------------------------------------------------------------
.text:004508C9
.text:004508C9 loc_4508C9: ; CODE XREF: sub_4506B5+201j
.text:004508C9 8B 85 E8 FE FF FF mov eax, [ebp+hKey]
.text:004508CF 50 push eax ; hKey
.text:004508D0 FF 15 00 00 4C 00 call ds:RegCloseKey
.text:004508D6 B8 01 00 00 00 mov eax, 1
.text:004508DB EB 02 jmp short loc_4508DF
.text:004508DD ; ---------------------------------------------------------------------------
.text:004508DD
.text:004508DD loc_4508DD: ; CODE XREF: sub_4506B5+13Dj
.text:004508DD 33 C0 xor eax, eax
.text:004508DF
.text:004508DF loc_4508DF: ; CODE XREF: sub_4506B5+191j
.text:004508DF ; sub_4506B5+1D3j ...
.text:004508DF 8B E5 mov esp, ebp
.text:004508E1 5D pop ebp
.text:004508E2 C2 08 00 retn 8
.text:004508E2 sub_4506B5 endp
在上面的可知用户名如果超过16位,就只取前面的16位,注册码为32位,而且字符为0-F,不能为其它的字符,是作为一个整数
输进去的.
从上面可以看出注册的算法为:
if F(name)=G(serial)
注册成功;
因此重点是G(serial)的逆函数
进入.text:004507D9处的call sub_440E77
为了表达方便,把代码中处理注册码的分割为小段,不同的处理方式为一大段
.text:00440E77 55 push ebp ; 对注册码处理
.text:00440E77 ; arg_0为注册码处理后的数据,共16个字节
.text:00440E77 ; arg_4为结果存放地址
.text:00440E77 ; 设注册码=s1s2s3s4
.text:00440E78 8B EC mov ebp, esp
.text:00440E7A 83 EC 20 sub esp, 20h
.text:00440E7D 89 4D E0 mov [ebp+var_20], ecx ; ecx这一个地址,指向一个table
.text:00440E80 8B 45 08 mov eax, [ebp+arg_0]
.text:00440E83 8B 08 mov ecx, [eax]
.text:00440E85 8B 55 E0 mov edx, [ebp+var_20]
.text:00440E88 03 8A 94 00 00 00 add ecx, [edx+94h]
.text:00440E8E 89 4D EC mov [ebp+var_14], ecx ; 第一个双字:var_14,s1=s1+table[94h]
.text:00440E91 8B 45 08 mov eax, [ebp+arg_0]
.text:00440E94 8B 48 04 mov ecx, [eax+4]
.text:00440E97 8B 55 E0 mov edx, [ebp+var_20]
.text:00440E9A 03 8A 98 00 00 00 add ecx, [edx+98h]
.text:00440EA0 89 4D F0 mov [ebp+var_10], ecx ; 第二个双字:var_10,s2=s2+table[98h]
.text:00440EA3 8B 45 08 mov eax, [ebp+arg_0]
.text:00440EA6 8B 48 08 mov ecx, [eax+8]
.text:00440EA9 8B 55 E0 mov edx, [ebp+var_20]
.text:00440EAC 03 8A 9C 00 00 00 add ecx, [edx+9Ch]
.text:00440EB2 89 4D F4 mov [ebp+var_C], ecx ; 第三个双字:var_C,s3=s3+table[9Ch]
.text:00440EB5 8B 45 08 mov eax, [ebp+arg_0]
.text:00440EB8 8B 48 0C mov ecx, [eax+0Ch]
.text:00440EBB 8B 55 E0 mov edx, [ebp+var_20]
.text:00440EBE 03 8A A0 00 00 00 add ecx, [edx+0A0h]
.text:00440EC4 89 4D FC mov [ebp+var_4], ecx ; 第四个双字:var_4,s4=s4+table[0A0h]
=================================================================== ; _________________
上面的的逆算法为: ; 上面为一段
; __________________
s1=s1-table[94h]
s2=s2-table[98h]
s3=s3-table[9Ch]
s4=s4-table[0A0h]
===================================================================
.text:00440EC4
.text:00440EC4
.text:00440EC4
.text:00440EC4 ;
.text:00440EC4 ;
.text:00440EC7 8B 45 FC mov eax, [ebp+var_4] ; s4
.text:00440ECA C1 C8 08 ror eax, 8
.text:00440ECD 89 45 F8 mov [ebp+var_8], eax ; var_8=tmp=(ror s4,8)
.text:00440ED0 8B 4D FC mov ecx, [ebp+var_4]
.text:00440ED3 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00440ED9 8B 55 F4 mov edx, [ebp+var_C]
.text:00440EDC 33 14 8D BC ED 4D 00 xor edx, table_1[ecx*4]
.text:00440EE3 89 55 F4 mov [ebp+var_C], edx ; s3=s3^(table_1[(s4&0FFh)*4])
.text:00440EE6 8B 45 F8 mov eax, [ebp+var_8]
.text:00440EE9 25 FF 00 00 00 and eax, 0FFh
.text:00440EEE 8B 4D F4 mov ecx, [ebp+var_C]
.text:00440EF1 03 0C 85 BC F1 4D 00 add ecx, table_2[eax*4]
.text:00440EF8 89 4D F4 mov [ebp+var_C], ecx ; s3=s3+table_2[(tmp&0FFh)*4]
.text:00440EFB 8B 55 FC mov edx, [ebp+var_4]
.text:00440EFE C1 CA 10 ror edx, 10h
.text:00440F01 89 55 F8 mov [ebp+var_8], edx ; var_8=tmp=(ror s4,10h)
.text:00440F04 8B 45 FC mov eax, [ebp+var_4]
.text:00440F07 C1 C8 18 ror eax, 18h
.text:00440F0A 89 45 FC mov [ebp+var_4], eax ; s4=(ror s4,18h)
.text:00440F0D 8B 4D F8 mov ecx, [ebp+var_8]
.text:00440F10 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00440F16 8B 55 F0 mov edx, [ebp+var_10]
.text:00440F19 03 14 8D BC ED 4D 00 add edx, table_1[ecx*4]
.text:00440F20 89 55 F0 mov [ebp+var_10], edx ; s2=s2+table_1[(tmp&0FFh)*4]
.text:00440F23 8B 45 FC mov eax, [ebp+var_4]
.text:00440F26 25 FF 00 00 00 and eax, 0FFh
.text:00440F2B 8B 4D EC mov ecx, [ebp+var_14]
.text:00440F2E 33 0C 85 BC F1 4D 00 xor ecx, table_2[eax*4]
.text:00440F35 89 4D EC mov [ebp+var_14], ecx ; s1=s1^table_2[(s4&0FFh)*4]
===================================================================
上面的的逆算法为:
s1=s1^table_2[(s4&0FFh)*4]
s4=(rol s4,18h)
var_8=tmp=(ror s4,8)
s3=s3-table_2[(tmp&0FFh)*4]
s3=s3^table_1[(s4&0FFh)*4]
var_8=tmp=(ror s4,10h)
s2=s2-table_1[(tmp&0FFh)*4]
把上面的代码按上面的顺序改一下,加法变为减法,右移变为左移,就是逆算法了
====================================================================
.text:00440F35 ; __________________________
.text:00440F38 8B 55 FC mov edx, [ebp+var_4] ; s4
.text:00440F3B 03 55 EC add edx, [ebp+var_14]
.text:00440F3E 89 55 FC mov [ebp+var_4], edx ; s4=s4+s1
.text:00440F41 8B 45 F4 mov eax, [ebp+var_C]
.text:00440F44 C1 C8 08 ror eax, 8
.text:00440F47 89 45 F8 mov [ebp+var_8], eax ; var_8=tmp=(ror s3,8)
.text:00440F4A 8B 4D F4 mov ecx, [ebp+var_C]
.text:00440F4D 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00440F53 8B 55 F0 mov edx, [ebp+var_10]
.text:00440F56 33 14 8D BC ED 4D 00 xor edx, table_1[ecx*4]
.text:00440F5D 89 55 F0 mov [ebp+var_10], edx ; s2=s2^table_1[(s3&0FFh)*4]
.text:00440F60 8B 45 F8 mov eax, [ebp+var_8]
.text:00440F63 25 FF 00 00 00 and eax, 0FFh
.text:00440F68 8B 4D F0 mov ecx, [ebp+var_10]
.text:00440F6B 03 0C 85 BC F1 4D 00 add ecx, table_2[eax*4]
.text:00440F72 89 4D F0 mov [ebp+var_10], ecx ; s2=s2+table_2[(tmp&0FFh)*4]
.text:00440F75 8B 55 F4 mov edx, [ebp+var_C]
.text:00440F78 C1 CA 10 ror edx, 10h
.text:00440F7B 89 55 F8 mov [ebp+var_8], edx ; var_8=tmp=(ror s3,10h)
.text:00440F7E 8B 45 F4 mov eax, [ebp+var_C]
.text:00440F81 C1 C8 18 ror eax, 18h
.text:00440F84 89 45 F4 mov [ebp+var_C], eax ; s3=(ror s3,18h)
.text:00440F87 8B 4D F8 mov ecx, [ebp+var_8]
.text:00440F8A 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00440F90 8B 55 EC mov edx, [ebp+var_14]
.text:00440F93 03 14 8D BC ED 4D 00 add edx, table_1[ecx*4]
.text:00440F9A 89 55 EC mov [ebp+var_14], edx ; s1=s1+table_1[(tmp&0FFh)*4]
.text:00440F9D 8B 45 F4 mov eax, [ebp+var_C]
.text:00440FA0 25 FF 00 00 00 and eax, 0FFh
.text:00440FA5 8B 4D FC mov ecx, [ebp+var_4]
.text:00440FA8 33 0C 85 BC F1 4D 00 xor ecx, table_2[eax*4]
.text:00440FAF 89 4D FC mov [ebp+var_4], ecx ; s4=s4^table_2[(s3&0FFh)*4]
============================================================================
上面的的逆算法为:
s4=s4^table_2[(s3&0FFh)*4]
s3=(rol s3,18h)
var_8=tmp=(ror s3,8)
s2=s2^table_1[(s3&0FFh)*4]
s2=s2-table_2[(tmp&0FFh)*4]
var_8=tmp=(ror s3,10h)
s1=s1-table_1[(tmp&0FFh)*4]
s4=s4-s1
====================================================================
.text:00440FB2 8B 55 F4 mov edx, [ebp+var_C] ; s3
.text:00440FB5 03 55 F0 add edx, [ebp+var_10]
.text:00440FB8 89 55 F4 mov [ebp+var_C], edx ; s3=s3+s2
.text:00440FBB 8B 45 F0 mov eax, [ebp+var_10]
.text:00440FBE C1 C8 08 ror eax, 8
.text:00440FC1 89 45 F8 mov [ebp+var_8], eax ; var_8=tmp=(ror s2,8)
.text:00440FC4 8B 4D F0 mov ecx, [ebp+var_10]
.text:00440FC7 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00440FCD 8B 55 EC mov edx, [ebp+var_14]
.text:00440FD0 33 14 8D BC ED 4D 00 xor edx, table_1[ecx*4]
.text:00440FD7 89 55 EC mov [ebp+var_14], edx ; s1=s1^table_1[(s2&0FFh)*4]
.text:00440FDA 8B 45 F8 mov eax, [ebp+var_8]
.text:00440FDD 25 FF 00 00 00 and eax, 0FFh
.text:00440FE2 8B 4D EC mov ecx, [ebp+var_14]
.text:00440FE5 03 0C 85 BC F1 4D 00 add ecx, table_2[eax*4]
.text:00440FEC 89 4D EC mov [ebp+var_14], ecx ; s1=s1+table_2[(tmp&0FFh)*4]
.text:00440FEF 8B 55 F0 mov edx, [ebp+var_10]
.text:00440FF2 C1 CA 10 ror edx, 10h
.text:00440FF5 89 55 F8 mov [ebp+var_8], edx ; var_8=tmp=(ror s2,10h)
.text:00440FF8 8B 45 F0 mov eax, [ebp+var_10]
.text:00440FFB C1 C8 18 ror eax, 18h
.text:00440FFE 89 45 F0 mov [ebp+var_10], eax ; s2=(ror s2,18h)
.text:00441001 8B 4D F8 mov ecx, [ebp+var_8]
.text:00441004 81 E1 FF 00 00 00 and ecx, 0FFh
.text:0044100A 8B 55 FC mov edx, [ebp+var_4]
.text:0044100D 03 14 8D BC ED 4D 00 add edx, table_1[ecx*4]
.text:00441014 89 55 FC mov [ebp+var_4], edx ; s4=s4+table_1[(tmp&0FFh)*4]
.text:00441017 8B 45 F0 mov eax, [ebp+var_10]
.text:0044101A 25 FF 00 00 00 and eax, 0FFh
.text:0044101F 8B 4D F4 mov ecx, [ebp+var_C]
.text:00441022 33 0C 85 BC F1 4D 00 xor ecx, table_2[eax*4]
.text:00441029 89 4D F4 mov [ebp+var_C], ecx ; s3=s3^table_2[(s2&0FFh)*4]
======================================================================
上面的的逆算法为:
s3=s3^table_2[(s2&0FFh)*4]
s2=(rol s2,18h)
var_8=tmp=(ror s2,8)
s1=s1^table_1[(s2&0FFh)*4]
s1=s1-table_2[(tmp&0FFh)*4]
var_8=tmp=(ror s2,10h)
s4=s4-table_1[(tmp&0FFh)*4]
s3=s3-s2
====================================================================
.text:0044102C 8B 55 EC mov edx, [ebp+var_14] ; s1
.text:0044102F C1 CA 08 ror edx, 8
.text:00441032 89 55 F8 mov [ebp+var_8], edx ; var_8=tmp=(ror s1,8)
.text:00441035 8B 45 EC mov eax, [ebp+var_14]
.text:00441038 25 FF 00 00 00 and eax, 0FFh
.text:0044103D 8B 4D FC mov ecx, [ebp+var_4]
.text:00441040 33 0C 85 BC ED 4D 00 xor ecx, table_1[eax*4]
.text:00441047 89 4D FC mov [ebp+var_4], ecx ; s4=s4^table_1[(s1&0FFh)*4]
.text:0044104A 8B 55 F8 mov edx, [ebp+var_8]
.text:0044104D 81 E2 FF 00 00 00 and edx, 0FFh
.text:00441053 8B 45 FC mov eax, [ebp+var_4]
.text:00441056 03 04 95 BC F1 4D 00 add eax, table_2[edx*4]
.text:0044105D 89 45 FC mov [ebp+var_4], eax ; s4=s4+table_2[(tmp&0FFh)*4]
.text:00441060 8B 4D EC mov ecx, [ebp+var_14]
.text:00441063 C1 C9 10 ror ecx, 10h
.text:00441066 89 4D F8 mov [ebp+var_8], ecx ; var_8=tmp=(ror s1,10h)
.text:00441069 8B 55 EC mov edx, [ebp+var_14]
.text:0044106C C1 CA 18 ror edx, 18h
.text:0044106F 89 55 EC mov [ebp+var_14], edx ; s1=(ror s1,18h)
.text:00441072 8B 45 F8 mov eax, [ebp+var_8]
.text:00441075 25 FF 00 00 00 and eax, 0FFh
.text:0044107A 8B 4D F4 mov ecx, [ebp+var_C]
.text:0044107D 03 0C 85 BC ED 4D 00 add ecx, table_1[eax*4]
.text:00441084 89 4D F4 mov [ebp+var_C], ecx ; s3=s3+table_1[(tmp&0FFh)*4]
.text:00441087 8B 55 EC mov edx, [ebp+var_14]
.text:0044108A 81 E2 FF 00 00 00 and edx, 0FFh
.text:00441090 8B 45 F0 mov eax, [ebp+var_10]
.text:00441093 33 04 95 BC F1 4D 00 xor eax, table_2[edx*4]
.text:0044109A 89 45 F0 mov [ebp+var_10], eax ; s2=s2^table_2[(s1&0FFh)*4]
===================================================================
上面的的逆算法为:
s2=s2^table_2[(s1&0FFh)*4]
s1=(rol s1,18h)
var_8=tmp=(ror s1,8)
s4=s4^table_1[(s1&0FFh)*4]
s4=s4-table_2[(tmp&0FFh)*4]
var_8=tmp=(ror s1,10h)
s3=s3-table_1[(tmp&0FFh)*4]
====================================================================
.text:0044109A ; ___________________________
.text:0044109A ; 重复一次上面的操作
.text:0044109A ; ___________________________
.text:0044109D 8B 4D FC mov ecx, [ebp+var_4] ; s4
.text:004410A0 C1 C9 08 ror ecx, 8
.text:004410A3 89 4D F8 mov [ebp+var_8], ecx ; var_8=tmp=(ror s4,8)
.text:004410A6 8B 55 FC mov edx, [ebp+var_4]
.text:004410A9 81 E2 FF 00 00 00 and edx, 0FFh
.text:004410AF 8B 45 F4 mov eax, [ebp+var_C]
.text:004410B2 33 04 95 BC ED 4D 00 xor eax, table_1[edx*4]
.text:004410B9 89 45 F4 mov [ebp+var_C], eax ; s3=s3^table_1[(s4&0FFh)*4]
.text:004410BC 8B 4D F8 mov ecx, [ebp+var_8]
.text:004410BF 81 E1 FF 00 00 00 and ecx, 0FFh
.text:004410C5 8B 55 F4 mov edx, [ebp+var_C]
.text:004410C8 03 14 8D BC F1 4D 00 add edx, table_2[ecx*4]
.text:004410CF 89 55 F4 mov [ebp+var_C], edx ; s3=s3+table_2[(tmp&0FFh)*4]
.text:004410D2 8B 45 FC mov eax, [ebp+var_4]
.text:004410D5 C1 C8 10 ror eax, 10h
.text:004410D8 89 45 F8 mov [ebp+var_8], eax ; var_8=tmp=(ror s4,10h)
.text:004410DB 8B 4D FC mov ecx, [ebp+var_4]
.text:004410DE C1 C9 18 ror ecx, 18h
.text:004410E1 89 4D FC mov [ebp+var_4], ecx ; s4=(ror s4,18h)
.text:004410E4 8B 55 F8 mov edx, [ebp+var_8]
.text:004410E7 81 E2 FF 00 00 00 and edx, 0FFh
.text:004410ED 8B 45 F0 mov eax, [ebp+var_10]
.text:004410F0 03 04 95 BC ED 4D 00 add eax, table_1[edx*4]
.text:004410F7 89 45 F0 mov [ebp+var_10], eax ; s2=s2+table_1[(tmp&0FFh)*4]
.text:004410FA 8B 4D FC mov ecx, [ebp+var_4]
.text:004410FD 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00441103 8B 55 EC mov edx, [ebp+var_14]
.text:00441106 33 14 8D BC F1 4D 00 xor edx, table_2[ecx*4]
.text:0044110D 89 55 EC mov [ebp+var_14], edx ; s1=s1^table_2[(s4&0FFh)*4]
.text:0044110D ;
.text:0044110D ;
.text:0044110D ;
.text:0044110D ; __________________________
.text:00441110 8B 45 FC mov eax, [ebp+var_4] ; s4
.text:00441113 03 45 EC add eax, [ebp+var_14]
.text:00441116 89 45 FC mov [ebp+var_4], eax ; s4=s4+s1
.text:00441119 8B 4D F4 mov ecx, [ebp+var_C]
.text:0044111C C1 C9 08 ror ecx, 8
.text:0044111F 89 4D F8 mov [ebp+var_8], ecx ; var_8=tmp=(ror s3,8)
.text:00441122 8B 55 F4 mov edx, [ebp+var_C]
.text:00441125 81 E2 FF 00 00 00 and edx, 0FFh
.text:0044112B 8B 45 F0 mov eax, [ebp+var_10]
.text:0044112E 33 04 95 BC ED 4D 00 xor eax, table_1[edx*4]
.text:00441135 89 45 F0 mov [ebp+var_10], eax ; s2=s2^table_1[(s3&0FFh)*4]
.text:00441138 8B 4D F8 mov ecx, [ebp+var_8]
.text:0044113B 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00441141 8B 55 F0 mov edx, [ebp+var_10]
.text:00441144 03 14 8D BC F1 4D 00 add edx, table_2[ecx*4]
.text:0044114B 89 55 F0 mov [ebp+var_10], edx ; s2=s2+table_2[(tmp&0FFh)*4]
.text:0044114E 8B 45 F4 mov eax, [ebp+var_C]
.text:00441151 C1 C8 10 ror eax, 10h
.text:00441154 89 45 F8 mov [ebp+var_8], eax ; var_8=tmp=(ror s3,10h)
.text:00441157 8B 4D F4 mov ecx, [ebp+var_C]
.text:0044115A C1 C9 18 ror ecx, 18h
.text:0044115D 89 4D F4 mov [ebp+var_C], ecx ; s3=(ror s3,18h)
.text:00441160 8B 55 F8 mov edx, [ebp+var_8]
.text:00441163 81 E2 FF 00 00 00 and edx, 0FFh
.text:00441169 8B 45 EC mov eax, [ebp+var_14]
.text:0044116C 03 04 95 BC ED 4D 00 add eax, table_1[edx*4]
.text:00441173 89 45 EC mov [ebp+var_14], eax ; s1=s1+table_1[(tmp&0FFh)*4]
.text:00441176 8B 4D F4 mov ecx, [ebp+var_C]
.text:00441179 81 E1 FF 00 00 00 and ecx, 0FFh
.text:0044117F 8B 55 FC mov edx, [ebp+var_4]
.text:00441182 33 14 8D BC F1 4D 00 xor edx, table_2[ecx*4]
.text:00441189 89 55 FC mov [ebp+var_4], edx ; s4=s4^table_2[(s3&0FFh)*4]
.text:00441189 ;
.text:00441189 ;
.text:00441189 ;
.text:00441189 ; ___________________________
.text:0044118C 8B 45 F4 mov eax, [ebp+var_C] ; s3
.text:0044118F 03 45 F0 add eax, [ebp+var_10]
.text:00441192 89 45 F4 mov [ebp+var_C], eax ; s3=s3+s2
.text:00441195 8B 4D F0 mov ecx, [ebp+var_10]
.text:00441198 C1 C9 08 ror ecx, 8
.text:0044119B 89 4D F8 mov [ebp+var_8], ecx ; var_8=tmp=(ror s2,8)
.text:0044119E 8B 55 F0 mov edx, [ebp+var_10]
.text:004411A1 81 E2 FF 00 00 00 and edx, 0FFh
.text:004411A7 8B 45 EC mov eax, [ebp+var_14]
.text:004411AA 33 04 95 BC ED 4D 00 xor eax, table_1[edx*4]
.text:004411B1 89 45 EC mov [ebp+var_14], eax ; s1=s1^table_1[(s2&0FFh)*4]
.text:004411B4 8B 4D F8 mov ecx, [ebp+var_8]
.text:004411B7 81 E1 FF 00 00 00 and ecx, 0FFh
.text:004411BD 8B 55 EC mov edx, [ebp+var_14]
.text:004411C0 03 14 8D BC F1 4D 00 add edx, table_2[ecx*4]
.text:004411C7 89 55 EC mov [ebp+var_14], edx ; s1=s1+table_2[(tmp&0FFh)*4]
.text:004411CA 8B 45 F0 mov eax, [ebp+var_10]
.text:004411CD C1 C8 10 ror eax, 10h
.text:004411D0 89 45 F8 mov [ebp+var_8], eax ; var_8=tmp=(ror s2,10h)
.text:004411D3 8B 4D F0 mov ecx, [ebp+var_10]
.text:004411D6 C1 C9 18 ror ecx, 18h
.text:004411D9 89 4D F0 mov [ebp+var_10], ecx ; s2=(ror s2,18h)
.text:004411DC 8B 55 F8 mov edx, [ebp+var_8]
.text:004411DF 81 E2 FF 00 00 00 and edx, 0FFh
.text:004411E5 8B 45 FC mov eax, [ebp+var_4]
.text:004411E8 03 04 95 BC ED 4D 00 add eax, table_1[edx*4]
.text:004411EF 89 45 FC mov [ebp+var_4], eax ; s4=s4+table_1[(tmp&0FFh)*4]
.text:004411F2 8B 4D F0 mov ecx, [ebp+var_10]
.text:004411F5 81 E1 FF 00 00 00 and ecx, 0FFh
.text:004411FB 8B 55 F4 mov edx, [ebp+var_C]
.text:004411FE 33 14 8D BC F1 4D 00 xor edx, table_2[ecx*4]
.text:00441205 89 55 F4 mov [ebp+var_C], edx ; s3=s3^table_2[(s2&0FFh)*4]
.text:00441205 ;
.text:00441205 ;
.text:00441205 ;
.text:00441205 ; _________________________
.text:00441208 8B 45 EC mov eax, [ebp+var_14] ; s1
.text:0044120B C1 C8 08 ror eax, 8
.text:0044120E 89 45 F8 mov [ebp+var_8], eax ; var_8=tmp=(ror s1,8)
.text:00441211 8B 4D EC mov ecx, [ebp+var_14]
.text:00441214 81 E1 FF 00 00 00 and ecx, 0FFh
.text:0044121A 8B 55 FC mov edx, [ebp+var_4]
.text:0044121D 33 14 8D BC ED 4D 00 xor edx, table_1[ecx*4]
.text:00441224 89 55 FC mov [ebp+var_4], edx ; s4=s1^table_1[(s1&0FFh)*4]
.text:00441227 8B 45 F8 mov eax, [ebp+var_8]
.text:0044122A 25 FF 00 00 00 and eax, 0FFh
.text:0044122F 8B 4D FC mov ecx, [ebp+var_4]
.text:00441232 03 0C 85 BC F1 4D 00 add ecx, table_2[eax*4]
.text:00441239 89 4D FC mov [ebp+var_4], ecx ; s4=s4+table_2[(tmp&0FFh)*4]
.text:0044123C 8B 55 EC mov edx, [ebp+var_14]
.text:0044123F C1 CA 10 ror edx, 10h
.text:00441242 89 55 F8 mov [ebp+var_8], edx ; var_8=tmp=(ror s1,10h)
.text:00441245 8B 45 EC mov eax, [ebp+var_14]
.text:00441248 C1 C8 18 ror eax, 18h
.text:0044124B 89 45 EC mov [ebp+var_14], eax ; s1=(ror s1,18h)
.text:0044124E 8B 4D F8 mov ecx, [ebp+var_8]
.text:00441251 81 E1 FF 00 00 00 and ecx, 0FFh
.text:00441257 8B 55 F4 mov edx, [ebp+var_C]
.text:0044125A 03 14 8D BC ED 4D 00 add edx, table_1[ecx*4]
.text:00441261 89 55 F4 mov [ebp+var_C], edx ; s3=s3+table_1[(tmp&0FFh)*4]
.text:00441264 8B 45 EC mov eax, [ebp+var_14]
.text:00441267 25 FF 00 00 00 and eax, 0FFh
.text:0044126C 8B 4D F0 mov ecx, [ebp+var_10]
.text:0044126F 33 0C 85 BC F1 4D 00 xor ecx, table_2[eax*4]
.text:00441276 89 4D F0 mov [ebp+var_10], ecx ; s2=s2^table_2[(s1&0FFh)*4]
.text:00441276 ;
.text:00441276 ; ______________________________
.text:00441276 ; 上面的为一大段
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 标 题: HexAssistant1.9注册码算法部分的分析
- 作 者:fangawxs
- 时 间:2007-08-14 12:54
- 链 接:http://bbs.pediy.com/showthread.php?t=49621