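【Title】: A rare and exceptionally difficult big-number algorithm: analysis of the registration algorithm of the multilingual edition of Registry Winner (VB keygen source)
【Author】: suredwang
【Author e-mail】: suredwang@126.com
【Software】: Registry Winner
【Size】: 3242KB
【Download】: http://www.onlinedown.net/soft/84289.htm
【Packer】: none
【Protection】: registration code
【Language】: Microsoft Visual C++ 6.0 [Overlay]
【Tools】: OD
【Platform】: XP-SP3
【Software description】 Registry Winner is a first-class registry error cleaner and system performance optimizer, available in dozens of mainstream languages for users of different languages. It not only repairs common computer errors but also optimizes system performance as far as possible. With use, more and more errors pile up in the system, making it slow and unstable; in severe cases the system hangs or crashes. Registry Winner is a world-class system cleaning and optimization tool. From the name it looks like just a registry maintenance tool, but it is in fact an all-round system maintenance tool whose functions include registry cleaning, privacy cleaning, junk file cleaning, file shredding, startup item management, program uninstallation, system optimization, service optimization and memory optimization, as well as IE repair, Windows management and many other powerful features. Registry Winner uses the most advanced technology to scan the system registry in a dozen or so seconds and give the most comprehensive diagnosis. It provides a professional, efficient solution that brings your computer close to perfect working order. By using Registry Winner, your system not only stays stable, but you also avoid expensive hardware upgrades.
【Author's statement】: Just out of interest, no other purpose. Please point out any mistakes! Experts may pass by, and those without patience need not read on either: the process is long and complicated, with interleaved loops running tens of thousands of times. It is pure grunt work with no technical content.
--------------------------------------------------------------------------------
【Detailed process】
The registration algorithm of this software is the most complex and difficult big-number algorithm I have ever encountered. It runs through tens of thousands of loop iterations and covers big-number addition, subtraction, multiplication and division, with carries on addition and borrows on subtraction. If a carry or borrow is wrong anywhere, the result is completely different; as the saying goes, "a miss by a hair's breadth ends up a thousand miles off". So the algorithm cannot be inverted at all, and the only option is to brute-force the key. Patching is also hard: there are as many as several hundred patch points (not counted), and they permeate every step of the repair process, so one can imagine the amount of work a complete patch would take. No wonder the software has no packer or other protection, yet is sold in dozens of languages; its strength and confidence are evidently out of the ordinary. Many registration codes posted online do not work, and even the patched and portable editions are incomplete and cannot be used normally.

While debugging I found the jumps getting more and more complex and the hidden checks more and more numerous; it is pure grunt work. I gave up at one point, but it kept bothering me. Giving up halfway is a bad habit when learning, and we can't go soft on foreign software in particular, heh, so I traced and organized it again. The keygen still does not work, though. Because VB cannot call ASM, the big numbers have to go through multiple conversions, which slows it down below what brute-forcing needs, so I switched to Delphi. My time and skill are limited: Delphi can call ASM without big-number conversion, but I am too much of a novice, ran into problems with the data in the Delphi calls, and never got it working. It would be best if some Delphi expert could help write the keygen. For now I am sharing my notes; anyone interested can trace along and try.

First, the packer detector PEiD shows no packer; the program is written in Microsoft Visual C++ 6.0 [Overlay]. Loading it in OD and searching for registration-related strings finds nothing. Since clicking the Register button pops up an error dialog, I set a dialog breakpoint, BP MessageBoxA; after clicking Register it breaks, and scrolling up leads here:

00454254 /$ 55 push ebp ; set a breakpoint here, then register again; execution breaks here
00454255 |. 8BEC mov ebp, esp
00454257 |. 6A FF push -1
00454259 |. 68 A6A75800 push 0058A7A6 ; SE handler installation
0045425E |. 64:A1 0000000>mov eax, dword ptr fs:[0]
00454264 |. 50 push eax
00454265 |. 64:8925 00000>mov dword ptr fs:[0], esp
0045426C |. 81EC A0020000 sub esp, 2A0
00454272 |. 898D 78FDFFFF mov dword ptr [ebp-288], ecx
00454278 |. A1 9C7C5E00 mov eax, dword ptr [5E7C9C]
0045427D |. 8945 F0 mov dword ptr [ebp-10], eax
00454280 |. 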
C745 FC 00000>mov dword ptr [ebp-4], 0
00454287 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0045428A |. 51 push ecx
0045428B |. 8B8D 78FDFFFF mov ecx, dword ptr [ebp-288]
00454291 |. 81C1 E00B0000 add ecx, 0BE0
00454297 |. E8 00BB1100 call 0056FD9C
0045429C |. 8B55 F0 mov edx, dword ptr [ebp-10]
0045429F |. 8B42 F8 mov eax, dword ptr [edx-8]
004542A2 |. 8985 88FDFFFF mov dword ptr [ebp-278], eax
004542A8 |. 83BD 88FDFFFF>cmp dword ptr [ebp-278], 0 ; registration code length must not be 0
004542AF |. 0F84 DC020000 je 00454591
004542B5 |. 68 08020000 push 208 ; /BufSize = 208 (520.)
004542BA |. 8D8D E8FDFFFF lea ecx, dword ptr [ebp-218] ; |
004542C0 |. 51 push ecx ; |PathBuffer
004542C1 |. 6A 00 push 0 ; |hModule = NULL
004542C3 |. FF15 B4E45900 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameW
004542C9 |. 8D95 E8FDFFFF lea edx, dword ptr [ebp-218]
004542CF |. 52 push edx
004542D0 |. 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004542D6 |. E8 AB9C1100 call 0056DF86
004542DB |. C645 FC 01 mov byte ptr [ebp-4], 1
004542DF |. 6A 5C push 5C
004542E1 |. 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004542E7 |. E8 5A701100 call 0056B346
004542EC |. 8985 D8FDFFFF mov dword ptr [ebp-228], eax
004542F2 |. 8B85 D8FDFFFF mov eax, dword ptr [ebp-228]
004542F8 |. 83C0 01 add eax, 1
004542FB |. 50 push eax
004542FC |. 8D8D E0FDFFFF lea ecx, dword ptr [ebp-220]
00454302 |. 51 push ecx
00454303 |. 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
00454309 |. E8 C06F1100 call 0056B2CE
0045430E |. C645 FC 02 mov byte ptr [ebp-4], 2
00454312 |. E8 4FBF1200 call 00580266
00454317 |. 8B50 04 mov edx, dword ptr [eax+4]
0045431A |. 8995 DCFDFFFF mov dword ptr [ebp-224], edx
00454320 |. 51 push ecx
00454321 |. 8BCC mov ecx, esp
00454323 |. 89A5 9CFDFFFF mov dword ptr [ebp-264], esp
00454329 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0045432C |. 50 push eax
0045432D |. E8 4D991100 call 0056DC7F
00454332 |. 8985 74FDFFFF mov dword ptr [ebp-28C], eax
00454338 |. 8B8D DCFDFFFF mov ecx, dword ptr [ebp-224]
0045433E |. 
E8 ED500700 call 004C9430 ; main key algorithm CALL; step in with F7
00454343 |. 8985 70FDFFFF mov dword ptr [ebp-290], eax
00454349 |. 83BD 70FDFFFF>cmp dword ptr [ebp-290], 1
00454350 0F85 C7010000 jnz 0045451D ; jumps away if the check fails; one patch point
00454356 |. 8D8D BCFDFFFF lea ecx, dword ptr [ebp-244]
0045435C |. E8 18F51100 call 00573879
00454361 |. C645 FC 03 mov byte ptr [ebp-4], 3
00454365 |. 8D8D A8FDFFFF lea ecx, dword ptr [ebp-258]
0045436B |. E8 86F01100 call 005733F6
00454370 |. C645 FC 04 mov byte ptr [ebp-4], 4
00454374 |. 8D8D B8FDFFFF lea ecx, dword ptr [ebp-248]
0045437A |. 898D 84FDFFFF mov dword ptr [ebp-27C], ecx
00454380 |. 8B95 84FDFFFF mov edx, dword ptr [ebp-27C]
00454386 |. A1 9C7C5E00 mov eax, dword ptr [5E7C9C]
0045438B |. 8902 mov dword ptr [edx], eax
0045438D |. C645 FC 05 mov byte ptr [ebp-4], 5
00454391 |. C785 A8FDFFFF>mov dword ptr [ebp-258], 005ACDF4
0045439B |. C785 B0FDFFFF>mov dword ptr [ebp-250], 0
004543A5 |. C785 B4FDFFFF>mov dword ptr [ebp-24C], -1
004543AF |. 6A 00 push 0
004543B1 |. 8D8D B8FDFFFF lea ecx, dword ptr [ebp-248]
004543B7 |. E8 ED9C1100 call 0056E0A9 ; creates the file
004543BC |. C645 FC 06 mov byte ptr [ebp-4], 6
004543C0 |. 68 08635D00 push 005D6308 ; r -----005D6308=005D6308 (UNICODE "reg.ini")
004543C5 |. 8D8D E0FDFFFF lea ecx, dword ptr [ebp-220]
004543CB |. 51 push ecx
004543CC |. 8D95 98FDFFFF lea edx, dword ptr [ebp-268]
004543D2 |. 52 push edx
004543D3 |. E8 DF9D1100 call 0056E1B7
004543D8 |. 8985 6CFDFFFF mov dword ptr [ebp-294], eax
004543DE |. 8B85 6CFDFFFF mov eax, dword ptr [ebp-294]
004543E4 |. 8985 80FDFFFF mov dword ptr [ebp-280], eax
004543EA |. C645 FC 07 mov byte ptr [ebp-4], 7
004543EE |. 8B8D 80FDFFFF mov ecx, dword ptr [ebp-280]
004543F4 |. 8B11 mov edx, dword ptr [ecx]
004543F6 |. 8995 7CFDFFFF mov dword ptr [ebp-284], edx
004543FC |. 8D85 A8FDFFFF lea eax, dword ptr [ebp-258]
00454402 |. 50 push eax
00454403 |. 68 01100000 push 1001
00454408 |. 8B8D 7CFDFFFF mov ecx, dword ptr [ebp-284]
0045440E |. 51 push ecx
0045440F |. 
8D8D BCFDFFFF lea ecx, dword ptr [ebp-244]
00454415 |. E8 6DF51100 call 00573987
0045441A |. C645 FC 06 mov byte ptr [ebp-4], 6
0045441E |. 8D8D 98FDFFFF lea ecx, dword ptr [ebp-268]
00454424 |. E8 E99A1100 call 0056DF12
00454429 |. 8B55 F0 mov edx, dword ptr [ebp-10]
0045442C |. 52 push edx
0045442D |. 8D8D BCFDFFFF lea ecx, dword ptr [ebp-244]
00454433 |. E8 C2F61100 call 00573AFA ; on successful registration the real code is written to REG.INI
00454438 |. 8D8D BCFDFFFF lea ecx, dword ptr [ebp-244]
0045443E |. E8 7CF81100 call 00573CBF
00454443 |. 51 push ecx
00454444 |. 8BCC mov ecx, esp
00454446 |. 89A5 94FDFFFF mov dword ptr [ebp-26C], esp
0045444C |. 68 18635D00 push 005D6318 ; m -----005D6318=005D6318 (UNICODE "M_THANK_REGISTER")
00454451 |. E8 309B1100 call 0056DF86 ; success dialog
00454456 |. 8985 68FDFFFF mov dword ptr [ebp-298], eax
0045445C |. 8D85 D0FDFFFF lea eax, dword ptr [ebp-230]
00454462 |. 50 push eax
00454463 |. 8B8D DCFDFFFF mov ecx, dword ptr [ebp-224]
00454469 |. E8 E9770700 call 004CBC57
0045446E |. 8985 64FDFFFF mov dword ptr [ebp-29C], eax
00454474 |. C645 FC 08 mov byte ptr [ebp-4], 8
00454478 |. 6A 00 push 0
0045447A |. 6A 40 push 40
0045447C |. 8B8D D0FDFFFF mov ecx, dword ptr [ebp-230]
00454482 |. 51 push ecx
00454483 |. E8 3D241200 call 005768C5
00454488 |. 8B95 78FDFFFF mov edx, dword ptr [ebp-288]
0045448E |. 8B42 1C mov eax, dword ptr [edx+1C]
00454491 |. 50 push eax ; /hWnd
00454492 |. FF15 B0E85900 call dword ptr [<&USER32.GetParent>] ; \GetParent
00454498 |. 50 push eax
00454499 |. E8 3EAF1100 call 0056F3DC
0045449E |. 8985 D4FDFFFF mov dword ptr [ebp-22C], eax
004544A4 |. 6A 00 push 0
004544A6 |. 8B8D D4FDFFFF mov ecx, dword ptr [ebp-22C]
004544AC |. 81C1 E0B40200 add ecx, 2B4E0
004544B2 |. E8 DBDD1100 call 00572292
004544B7 |. 68 94C75E00 push 005EC794
004544BC |. 8B8D D4FDFFFF mov ecx, dword ptr [ebp-22C]
004544C2 |. 81C1 E0B40200 add ecx, 2B4E0
004544C8 |. E8 A9DC1100 call 00572176
004544CD |. 6A 00 push 0
004544CF |. 6A 0A push 0A
004544D1 |. 
8B8D D4FDFFFF mov ecx, dword ptr [ebp-22C]
004544D7 |. E8 44140800 call 004D5920
004544DC |. C645 FC 06 mov byte ptr [ebp-4], 6
004544E0 |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230]
004544E6 |. E8 279A1100 call 0056DF12
004544EB |. C645 FC 03 mov byte ptr [ebp-4], 3
004544EF |. C785 A8FDFFFF>mov dword ptr [ebp-258], 005ACDF4
004544F9 |. C645 FC 09 mov byte ptr [ebp-4], 9
004544FD |. 8D8D B8FDFFFF lea ecx, dword ptr [ebp-248]
00454503 |. E8 0A9A1100 call 0056DF12
00454508 |. C645 FC 03 mov byte ptr [ebp-4], 3
0045450C |. C645 FC 02 mov byte ptr [ebp-4], 2
00454510 |. 8D8D BCFDFFFF lea ecx, dword ptr [ebp-244]
00454516 |. E8 29F41100 call 00573944
0045451B |. EB 54 jmp short 00454571
0045451D |> 51 push ecx
0045451E |. 8BCC mov ecx, esp
00454520 |. 89A5 90FDFFFF mov dword ptr [ebp-270], esp
00454526 |. 68 3C635D00 push 005D633C ; m ----005D633C=005D633C (UNICODE "M_WRONGNUMBER")
0045452B |. E8 569A1100 call 0056DF86 ; failure dialog
00454530 |. 8985 60FDFFFF mov dword ptr [ebp-2A0], eax
00454536 |. 8D8D A4FDFFFF lea ecx, dword ptr [ebp-25C]
0045453C |. 51 push ecx
0045453D |. 8B8D DCFDFFFF mov ecx, dword ptr [ebp-224]
00454543 |. E8 0F770700 call 004CBC57
00454548 |. 8985 5CFDFFFF mov dword ptr [ebp-2A4], eax
0045454E |. C645 FC 0A mov byte ptr [ebp-4], 0A
00454552 |. 6A 00 push 0
00454554 |. 6A 30 push 30
00454556 |. 8B95 A4FDFFFF mov edx, dword ptr [ebp-25C]
0045455C |. 52 push edx
0045455D |. E8 63231200 call 005768C5
00454562 |. C645 FC 02 mov byte ptr [ebp-4], 2
00454566 |. 8D8D A4FDFFFF lea ecx, dword ptr [ebp-25C]
0045456C |. E8 A1991100 call 0056DF12
00454571 |> C645 FC 01 mov byte ptr [ebp-4], 1
00454575 |. 8D8D E0FDFFFF lea ecx, dword ptr [ebp-220]
0045457B |. E8 92991100 call 0056DF12
00454580 |. C645 FC 00 mov byte ptr [ebp-4], 0
00454584 |. 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
0045458A |. E8 83991100 call 0056DF12
0045458F |. EB 57 jmp short 004545E8
00454591 |> 51 push ecx
00454592 |. 8BCC mov ecx, esp ; reached when the registration code is empty
00454594 |. 
89A5 8CFDFFFF mov dword ptr [ebp-274], esp
0045459A |. 68 58635D00 push 005D6358 ; m ---005D6358=005D6358 (UNICODE "M_INPUTSERIAL")
0045459F |. E8 E2991100 call 0056DF86
004545A4 |. 8985 58FDFFFF mov dword ptr [ebp-2A8], eax
004545AA |. 8D85 A0FDFFFF lea eax, dword ptr [ebp-260]
004545B0 |. 50 push eax
004545B1 |. 8B8D 78FDFFFF mov ecx, dword ptr [ebp-288]
004545B7 |. 8B49 64 mov ecx, dword ptr [ecx+64]
004545BA |. E8 98760700 call 004CBC57
004545BF |. 8985 54FDFFFF mov dword ptr [ebp-2AC], eax
004545C5 |. C645 FC 0B mov byte ptr [ebp-4], 0B
004545C9 |. 6A 00 push 0
004545CB |. 6A 30 push 30
004545CD |. 8B95 A0FDFFFF mov edx, dword ptr [ebp-260]
004545D3 |. 52 push edx
004545D4 |. E8 EC221200 call 005768C5
004545D9 |. C645 FC 00 mov byte ptr [ebp-4], 0
004545DD |. 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004545E3 |. E8 2A991100 call 0056DF12
004545E8 |> C745 FC FFFFF>mov dword ptr [ebp-4], -1
004545EF |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004545F2 |. E8 1B991100 call 0056DF12
004545F7 |. 8B4D F4 mov ecx, dword ptr [ebp-C]
004545FA |. 64:890D 00000>mov dword ptr fs:[0], ecx
00454601 |. 8BE5 mov esp, ebp
00454603 |. 5D pop ebp
00454604 \. C3 retn

Stepping into the main algorithm CALL 004C9430:

004C9430 /$ 55 push ebp
004C9431 |. 8BEC mov ebp, esp
004C9433 |. 6A FF push -1
004C9435 |. 68 5A6D5900 push 00596D5A ; SE handler installation
004C943A |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004C9440 |. 50 push eax
004C9441 |. 64:8925 00000>mov dword ptr fs:[0], esp
004C9448 |. 81EC 98060000 sub esp, 698
004C944E |. 56 push esi
004C944F |. 57 push edi
004C9450 |. 898D B4F9FFFF mov dword ptr [ebp-64C], ecx
004C9456 |. C745 FC 00000>mov dword ptr [ebp-4], 0
004C945D |. A1 9C7C5E00 mov eax, dword ptr [5E7C9C]
004C9462 |. 8985 24FBFFFF mov dword ptr [ebp-4DC], eax
004C9468 |. C645 FC 01 mov byte ptr [ebp-4], 1
004C946C |. 68 782A5E00 push 005E2A78 ; 9 a fixed string appears here; tested on several computers, the string is fixed but incomplete; 28 more characters appear later, presumably the result of a computation on the short string
004C9471 |. 68 7C2B5E00 push 005E2B7C ; %
004C9476 |. 8D8D 24FBFFFF lea ecx, dword ptr [ebp-4DC]
004C947C |. 
51 push ecx
004C947D |. E8 5A220A00 call 0056B6DC
004C9482 |. 83C4 0C add esp, 0C
004C9485 |. 68 08020000 push 208 ; /BufSize = 208 (520.)
004C948A |. 8D95 14FDFFFF lea edx, dword ptr [ebp-2EC] ; |
004C9490 |. 52 push edx ; |PathBuffer
004C9491 |. 6A 00 push 0 ; |hModule = NULL
004C9493 |. FF15 B4E45900 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameW
004C9499 |. 8D85 14FDFFFF lea eax, dword ptr [ebp-2EC]
004C949F |. 50 push eax
004C94A0 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C94A6 |. E8 DB4A0A00 call 0056DF86
004C94AB |. C645 FC 02 mov byte ptr [ebp-4], 2
004C94AF |. 6A 5C push 5C
004C94B1 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C94B7 |. E8 8A1E0A00 call 0056B346
004C94BC |. 8985 28FBFFFF mov dword ptr [ebp-4D8], eax
004C94C2 |. 8B8D 28FBFFFF mov ecx, dword ptr [ebp-4D8]
004C94C8 |. 83C1 01 add ecx, 1
004C94CB |. 51 push ecx
004C94CC |. 8D95 60FCFFFF lea edx, dword ptr [ebp-3A0]
004C94D2 |. 52 push edx
004C94D3 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C94D9 |. E8 F01D0A00 call 0056B2CE
004C94DE |. C645 FC 03 mov byte ptr [ebp-4], 3
004C94E2 |. A1 9C7C5E00 mov eax, dword ptr [5E7C9C]
004C94E7 |. 8945 BC mov dword ptr [ebp-44], eax
004C94EA |. C645 FC 04 mov byte ptr [ebp-4], 4
004C94EE |. 8B0D 9C7C5E00 mov ecx, dword ptr [5E7C9C] ; Registry.005E7CB0
004C94F4 |. 898D 1CFFFFFF mov dword ptr [ebp-E4], ecx
004C94FA |. C645 FC 05 mov byte ptr [ebp-4], 5
004C94FE |. 68 ACD45E00 push 005ED4AC
004C9503 |. 8B55 08 mov edx, dword ptr [ebp+8] ; fetch the fake code
004C9506 |. 52 push edx
004C9507 |. E8 59F20800 call 00558765 ; check whether it was already registered last time
004C950C |. 83C4 08 add esp, 8
004C950F |. 8985 F0F9FFFF mov dword ptr [ebp-610], eax
004C9515 |. 33C0 xor eax, eax
004C9517 |. 83BD F0F9FFFF>cmp dword ptr [ebp-610], 0
004C951E |. 0F94C0 sete al
004C9521 |. 25 FF000000 and eax, 0FF
004C9526 |. 85C0 test eax, eax
004C9528 |. 0F84 18020000 je 004C9746 ; if never registered, jump away to register
004C952E |. 68 842B5E00 push 005E2B84 ; r ---005E2B84=005E2B84 (UNICODE "reg.ini")
004C9533 |. 
8D8D 60FCFFFF lea ecx, dword ptr [ebp-3A0]
004C9539 |. 51 push ecx ; --- if registration succeeded before, execution comes here; after re-verification succeeds, REG.INI is created
004C953A |. 8D95 F0FAFFFF lea edx, dword ptr [ebp-510]
004C9540 |. 52 push edx
004C9541 |. E8 714C0A00 call 0056E1B7
004C9546 |. 8985 ECF9FFFF mov dword ptr [ebp-614], eax
004C954C |. 8B85 ECF9FFFF mov eax, dword ptr [ebp-614]
004C9552 |. 8B08 mov ecx, dword ptr [eax]
004C9554 |. 898D E8F9FFFF mov dword ptr [ebp-618], ecx
004C955A |. 8B95 E8F9FFFF mov edx, dword ptr [ebp-618]
004C9560 |. 52 push edx ; /Path
004C9561 |. FF15 34E55900 call dword ptr [<&SHLWAPI.PathFileExi>; \PathFileExistsW
004C9567 |. F7D8 neg eax
004C9569 |. 1BC0 sbb eax, eax
004C956B |. 40 inc eax
004C956C |. 8885 F4FAFFFF mov byte ptr [ebp-50C], al
004C9572 |. 8D8D F0FAFFFF lea ecx, dword ptr [ebp-510]
004C9578 |. E8 95490A00 call 0056DF12
004C957D |. 8B85 F4FAFFFF mov eax, dword ptr [ebp-50C]
004C9583 |. 25 FF000000 and eax, 0FF
004C9588 |. 85C0 test eax, eax
004C958A |. 74 6C je short 004C95F8
004C958C |. C785 ECFAFFFF>mov dword ptr [ebp-514], 0
004C9596 |. C645 FC 04 mov byte ptr [ebp-4], 4
004C959A |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C95A0 |. E8 6D490A00 call 0056DF12
004C95A5 |. C645 FC 03 mov byte ptr [ebp-4], 3
004C95A9 |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C95AC |. E8 61490A00 call 0056DF12
004C95B1 |. C645 FC 02 mov byte ptr [ebp-4], 2
004C95B5 |. 8D8D 60FCFFFF lea ecx, dword ptr [ebp-3A0]
004C95BB |. E8 52490A00 call 0056DF12
004C95C0 |. C645 FC 01 mov byte ptr [ebp-4], 1
004C95C4 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C95CA |. E8 43490A00 call 0056DF12
004C95CF |. C645 FC 00 mov byte ptr [ebp-4], 0
004C95D3 |. 8D8D 24FBFFFF lea ecx, dword ptr [ebp-4DC]
004C95D9 |. E8 34490A00 call 0056DF12
004C95DE |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004C95E5 |. 8D4D 08 lea ecx, dword ptr [ebp+8]
004C95E8 |. E8 25490A00 call 0056DF12
004C95ED |. 8B85 ECFAFFFF mov eax, dword ptr [ebp-514]
004C95F3 |. 
E9 C00E0000 jmp 004CA4B8
004C95F8 |> 8D8D 0CFBFFFF lea ecx, dword ptr [ebp-4F4]
004C95FE |. E8 76A20A00 call 00573879
004C9603 |. C645 FC 06 mov byte ptr [ebp-4], 6
004C9607 |. 8D8D F8FAFFFF lea ecx, dword ptr [ebp-508]
004C960D |. E8 E49D0A00 call 005733F6
004C9612 |. C645 FC 07 mov byte ptr [ebp-4], 7
004C9616 |. 8D8D 08FBFFFF lea ecx, dword ptr [ebp-4F8]
004C961C |. 898D E4F9FFFF mov dword ptr [ebp-61C], ecx
004C9622 |. 8B95 E4F9FFFF mov edx, dword ptr [ebp-61C]
004C9628 |. A1 9C7C5E00 mov eax, dword ptr [5E7C9C]
004C962D |. 8902 mov dword ptr [edx], eax
004C962F |. C645 FC 08 mov byte ptr [ebp-4], 8
004C9633 |. C785 F8FAFFFF>mov dword ptr [ebp-508], 005ACDF4
004C963D |. C785 00FBFFFF>mov dword ptr [ebp-500], 0
004C9647 |. C785 04FBFFFF>mov dword ptr [ebp-4FC], -1
004C9651 |. 6A 00 push 0
004C9653 |. 8D8D 08FBFFFF lea ecx, dword ptr [ebp-4F8]
004C9659 |. E8 4B4A0A00 call 0056E0A9
004C965E |. C645 FC 09 mov byte ptr [ebp-4], 9
004C9662 |. 68 942B5E00 push 005E2B94 ; UNICODE "reg.ini"
004C9667 |. 8D8D 60FCFFFF lea ecx, dword ptr [ebp-3A0]
004C966D |. 51 push ecx
004C966E |. 8D95 E8FAFFFF lea edx, dword ptr [ebp-518]
004C9674 |. 52 push edx
004C9675 |. E8 3D4B0A00 call 0056E1B7
004C967A |. 8985 B0F9FFFF mov dword ptr [ebp-650], eax
004C9680 |. 8B85 B0F9FFFF mov eax, dword ptr [ebp-650]
004C9686 |. 8985 E0F9FFFF mov dword ptr [ebp-620], eax
004C968C |. C645 FC 0A mov byte ptr [ebp-4], 0A
004C9690 |. 8B8D E0F9FFFF mov ecx, dword ptr [ebp-620]
004C9696 |. 8B11 mov edx, dword ptr [ecx]
004C9698 |. 8995 DCF9FFFF mov dword ptr [ebp-624], edx
004C969E |. 8D85 F8FAFFFF lea eax, dword ptr [ebp-508]
004C96A4 |. 50 push eax
004C96A5 |. 6A 00 push 0
004C96A7 |. 8B8D DCF9FFFF mov ecx, dword ptr [ebp-624]
004C96AD |. 51 push ecx
004C96AE |. 8D8D 0CFBFFFF lea ecx, dword ptr [ebp-4F4]
004C96B4 |. E8 CEA20A00 call 00573987
004C96B9 |. C645 FC 09 mov byte ptr [ebp-4], 9
004C96BD |. 8D8D E8FAFFFF lea ecx, dword ptr [ebp-518]
004C96C3 |. 
E8 4A480A00 call 0056DF12
004C96C8 |> 8D95 1CFFFFFF /lea edx, dword ptr [ebp-E4]
004C96CE |. 52 |push edx
004C96CF |. 8D8D 0CFBFFFF |lea ecx, dword ptr [ebp-4F4]
004C96D5 |. E8 92A40A00 |call 00573B6C
004C96DA |. 85C0 |test eax, eax
004C96DC |. 74 11 |je short 004C96EF
004C96DE |. 8D85 1CFFFFFF |lea eax, dword ptr [ebp-E4]
004C96E4 |. 50 |push eax
004C96E5 |. 8D4D BC |lea ecx, dword ptr [ebp-44]
004C96E8 |. E8 524C0A00 |call 0056E33F
004C96ED |.^ EB D9 \jmp short 004C96C8
004C96EF |> 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C96F5 |. 51 push ecx
004C96F6 |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C96F9 |. E8 414C0A00 call 0056E33F
004C96FE |. 8D8D 0CFBFFFF lea ecx, dword ptr [ebp-4F4]
004C9704 |. E8 B6A50A00 call 00573CBF
004C9709 |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C970F |. E8 86470A00 call 0056DE9A
004C9714 |. C645 FC 06 mov byte ptr [ebp-4], 6
004C9718 |. C785 F8FAFFFF>mov dword ptr [ebp-508], 005ACDF4
004C9722 |. C645 FC 0B mov byte ptr [ebp-4], 0B
004C9726 |. 8D8D 08FBFFFF lea ecx, dword ptr [ebp-4F8]
004C972C |. E8 E1470A00 call 0056DF12
004C9731 |. C645 FC 06 mov byte ptr [ebp-4], 6
004C9735 |. C645 FC 05 mov byte ptr [ebp-4], 5
004C9739 |. 8D8D 0CFBFFFF lea ecx, dword ptr [ebp-4F4]
004C973F |. E8 00A20A00 call 00573944
004C9744 |. EB 0C jmp short 004C9752
004C9746 |> 8D55 08 lea edx, dword ptr [ebp+8] ; first-time registration arrives here
004C9749 |. 52 push edx
004C974A |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C974D |. E8 07490A00 call 0056E059
004C9752 |> 8D4D BC lea ecx, dword ptr [ebp-44]
004C9755 |. E8 19210A00 call 0056B873
004C975A |. 8D4D BC lea ecx, dword ptr [ebp-44] ; fake code
004C975D |. E8 20200A00 call 0056B782
004C9762 |. 68 B0D45E00 push 005ED4B0
004C9767 |. 68 A42B5E00 push 005E2BA4 ; \n
004C976C |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C976F |. E8 B4180A00 call 0056B028
004C9774 |. 68 B4D45E00 push 005ED4B4
004C9779 |. 68 A82B5E00 push 005E2BA8 ; \n
004C977E |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C9781 |. E8 A2180A00 call 0056B028
004C9786 |. 
68 B8D45E00 push 005ED4B8
004C978B |. 68 AC2B5E00 push 005E2BAC ; \
004C9790 |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C9793 |. E8 90180A00 call 0056B028 ; compute the registration code length
004C9798 |. 8B45 BC mov eax, dword ptr [ebp-44]
004C979B |. 8B48 F8 mov ecx, dword ptr [eax-8]
004C979E |. 898D D8F9FFFF mov dword ptr [ebp-628], ecx
004C97A4 |. 83BD D8F9FFFF>cmp dword ptr [ebp-628], 78 ; registration code length must be greater than or equal to 78H
004C97AB |. 7C 18 jl short 004C97C5
004C97AD |. 8B55 BC mov edx, dword ptr [ebp-44]
004C97B0 |. 8B42 F8 mov eax, dword ptr [edx-8]
004C97B3 |. 8985 D4F9FFFF mov dword ptr [ebp-62C], eax
004C97B9 |. 81BD D4F9FFFF>cmp dword ptr [ebp-62C], 82 ; registration code length less than or equal to 82H
004C97C3 |. 7E 6C jle short 004C9831 ; otherwise no jump, registration fails
004C97C5 |> C785 E4FAFFFF>mov dword ptr [ebp-51C], 0
004C97CF |. C645 FC 04 mov byte ptr [ebp-4], 4
004C97D3 |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C97D9 |. E8 34470A00 call 0056DF12
004C97DE |. C645 FC 03 mov byte ptr [ebp-4], 3
004C97E2 |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C97E5 |. E8 28470A00 call 0056DF12
004C97EA |. C645 FC 02 mov byte ptr [ebp-4], 2
004C97EE |. 8D8D 60FCFFFF lea ecx, dword ptr [ebp-3A0]
004C97F4 |. E8 19470A00 call 0056DF12
004C97F9 |. C645 FC 01 mov byte ptr [ebp-4], 1
004C97FD |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9803 |. E8 0A470A00 call 0056DF12
004C9808 |. C645 FC 00 mov byte ptr [ebp-4], 0
004C980C |. 8D8D 24FBFFFF lea ecx, dword ptr [ebp-4DC]
004C9812 |. E8 FB460A00 call 0056DF12
004C9817 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004C981E |. 8D4D 08 lea ecx, dword ptr [ebp+8]
004C9821 |. E8 EC460A00 call 0056DF12
004C9826 |. 8B85 E4FAFFFF mov eax, dword ptr [ebp-51C]
004C982C |. E9 870C0000 jmp 004CA4B8
004C9831 |> 68 B42B5E00 push 005E2BB4 ; 1---005E2BB4=005E2BB4 (UNICODE "116AB")
004C9836 |. 8D8D 64FCFFFF lea ecx, dword ptr [ebp-39C] ; another fixed string appears
004C983C |. E8 45470A00 call 0056DF86
004C9841 |. C645 FC 0C mov byte ptr [ebp-4], 0C
004C9845 |. 8B0D 9C7C5E00 mov ecx, dword ptr [5E7C9C] ; Registry.005E7CB0
004C984B |. 
898D 20FBFFFF mov dword ptr [ebp-4E0], ecx
004C9851 |. C645 FC 0D mov byte ptr [ebp-4], 0D
004C9855 |. 8D8D 2CFBFFFF lea ecx, dword ptr [ebp-4D4]
004C985B |. E8 D086F3FF call 00401F30 ; obtain storage space
004C9860 |. C645 FC 0E mov byte ptr [ebp-4], 0E
004C9864 |. 8D8D 84FCFFFF lea ecx, dword ptr [ebp-37C]
004C986A |. E8 C186F3FF call 00401F30
004C986F |. C645 FC 0F mov byte ptr [ebp-4], 0F
004C9873 |. 8D8D C0FBFFFF lea ecx, dword ptr [ebp-440]
004C9879 |. E8 B286F3FF call 00401F30
004C987E |. C645 FC 10 mov byte ptr [ebp-4], 10
004C9882 |. 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0]
004C9888 |. E8 A386F3FF call 00401F30
004C988D |. C645 FC 11 mov byte ptr [ebp-4], 11
004C9891 |. 6A 10 push 10
004C9893 |. 8D95 24FBFFFF lea edx, dword ptr [ebp-4DC]
004C9899 |. 52 push edx
004C989A |. 8D8D 2CFBFFFF lea ecx, dword ptr [ebp-4D4]
004C98A0 |. E8 229DF3FF call 004035C7 ; convert to hexadecimal characters
004C98A5 |. 6A 10 push 10
004C98A7 |. 8D85 64FCFFFF lea eax, dword ptr [ebp-39C]
004C98AD |. 50 push eax
004C98AE |. 8D8D 84FCFFFF lea ecx, dword ptr [ebp-37C]
004C98B4 |. E8 0E9DF3FF call 004035C7 ; fixed string "116AB" converted to hexadecimal characters
004C98B9 |. 6A 10 push 10
004C98BB |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C98BE |. 51 push ecx
004C98BF |. 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0]
004C98C5 |. E8 FD9CF3FF call 004035C7 ; fake code converted to hexadecimal characters, so the fake code must consist of characters between 0 and F
004C98CA |. 8D95 2CFBFFFF lea edx, dword ptr [ebp-4D4]
004C98D0 |. 52 push edx
004C98D1 |. 8D85 84FCFFFF lea eax, dword ptr [ebp-37C]
004C98D7 |. 50 push eax
004C98D8 |. 8D8D 54FAFFFF lea ecx, dword ptr [ebp-5AC]
004C98DE |. 51 push ecx
004C98DF |. 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0]
004C98E5 |. E8 0DA5F3FF call 00403DF7 ; key algorithm CALL; step in with F7
004C98EA |. 8985 ACF9FFFF mov dword ptr [ebp-654], eax
004C98F0 |. 8BB5 ACF9FFFF mov esi, dword ptr [ebp-654]
004C98F6 |. B9 24000000 mov ecx, 24
004C98FB |. 8DBD C0FBFFFF lea edi, dword ptr [ebp-440]
004C9901 |. F3:A5 rep movs dword ptr es:[edi], dword p>
004C9903 |. 8D8D 54FAFFFF lea ecx, dword ptr [ebp-5AC]
004C9909 |. 
E8 6386F3FF call 00401F71
004C990E |. 6A 10 push 10
004C9910 |. 8D95 20FBFFFF lea edx, dword ptr [ebp-4E0]
004C9916 |. 52 push edx
004C9917 |. 8D8D C0FBFFFF lea ecx, dword ptr [ebp-440]
004C991D |. E8 109FF3FF call 00403832 ; process the key algorithm CALL's result and join it into a string
004C9922 |. 8B85 20FBFFFF mov eax, dword ptr [ebp-4E0]
004C9928 |. 8B48 F8 mov ecx, dword ptr [eax-8] ; first check of whether the registration code is correct
004C992B |. 898D D0F9FFFF mov dword ptr [ebp-630], ecx
004C9931 |. 8B95 D0F9FFFF mov edx, dword ptr [ebp-630]
004C9937 |. 81E2 01000080 and edx, 80000001 ; AND the low bit with 1
004C993D |. 79 05 jns short 004C9944
004C993F |. 4A dec edx
004C9940 |. 83CA FE or edx, FFFFFFFE
004C9943 |. 42 inc edx
004C9944 |> 83FA 01 cmp edx, 1 ; i.e. the low bit of the length of the result computed above must be 0 to pass
004C9947 |. 0F85 C6000000 jnz 004C9A13 ; no jump means failure
004C994D |. C785 50FAFFFF>mov dword ptr [ebp-5B0], 0
004C9957 |. C645 FC 10 mov byte ptr [ebp-4], 10
004C995B |. 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0]
004C9961 |. E8 0B86F3FF call 00401F71
........................... (many lines omitted here)
004C9A0E |. E9 A50A0000 jmp 004CA4B8
004C9A13 |> 51 push ecx
004C9A14 |. 8BCC mov ecx, esp
004C9A16 |. 89A5 4CFAFFFF mov dword ptr [ebp-5B4], esp
004C9A1C |. 8D85 20FBFFFF lea eax, dword ptr [ebp-4E0]
004C9A22 |. 50 push eax
004C9A23 |. E8 57420A00 call 0056DC7F ; lock in the result computed above
004C9A28 |. 8985 A8F9FFFF mov dword ptr [ebp-658], eax
004C9A2E |. 8D8D 48FAFFFF lea ecx, dword ptr [ebp-5B8]
004C9A34 |. 51 push ecx
004C9A35 |. 8B8D B4F9FFFF mov ecx, dword ptr [ebp-64C]
004C9A3B |. E8 80680000 call 004D02C0 ; process the result above two bytes at a time, reverse the order, and convert it to a string as ASCII codes
004C9A40 |. 8985 A4F9FFFF mov dword ptr [ebp-65C], eax
004C9A46 |. 8B95 A4F9FFFF mov edx, dword ptr [ebp-65C]
004C9A4C |. 8995 A0F9FFFF mov dword ptr [ebp-660], edx
004C9A52 |. C645 FC 12 mov byte ptr [ebp-4], 12
004C9A56 |. 8B85 A0F9FFFF mov eax, dword ptr [ebp-660]
004C9A5C |. 50 push eax
004C9A5D |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C9A63 |. E8 F1450A00 call 0056E059
004C9A68 |. C645 FC 11 mov byte ptr [ebp-4], 11
004C9A6C |. 
8D8D 48FAFFFF lea ecx, dword ptr [ebp-5B8]
004C9A72 |. E8 9B440A00 call 0056DF12
004C9A77 |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C9A7D |. 51 push ecx
004C9A7E |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9A84 |. E8 D0450A00 call 0056E059
004C9A89 |. 6A 02 push 2
004C9A8B |. 8D95 44FAFFFF lea edx, dword ptr [ebp-5BC]
004C9A91 |. 52 push edx
004C9A92 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9A98 |. E8 31180A00 call 0056B2CE
004C9A9D |. 8985 9CF9FFFF mov dword ptr [ebp-664], eax
004C9AA3 |. 8B85 9CF9FFFF mov eax, dword ptr [ebp-664]
004C9AA9 |. 8985 98F9FFFF mov dword ptr [ebp-668], eax
004C9AAF |. C645 FC 13 mov byte ptr [ebp-4], 13
004C9AB3 |. 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
004C9AB9 |. 51 push ecx
004C9ABA |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9AC0 |. E8 94450A00 call 0056E059
004C9AC5 |. C645 FC 11 mov byte ptr [ebp-4], 11
004C9AC9 |. 8D8D 44FAFFFF lea ecx, dword ptr [ebp-5BC]
004C9ACF |. E8 3E440A00 call 0056DF12
004C9AD4 |. 68 C02B5E00 push 005E2BC0 ; the first two values of the result, converted to characters, must be RW
004C9AD9 |. 8B95 78FCFFFF mov edx, dword ptr [ebp-388]
004C9ADF |. 52 push edx
004C9AE0 |. E8 80EC0800 call 00558765 ; comparison CALL
004C9AE5 |. 83C4 08 add esp, 8
004C9AE8 |. 8985 CCF9FFFF mov dword ptr [ebp-634], eax
004C9AEE |. 33C0 xor eax, eax
004C9AF0 |. 83BD CCF9FFFF>cmp dword ptr [ebp-634], 0 ; compare the EAX value from the comparison with 0
004C9AF7 |. 0F95C0 setne al ; if not equal to 0, AL is set to 1
004C9AFA |. 25 FF000000 and eax, 0FF
004C9AFF |. 85C0 test eax, eax
004C9B01 0F84 D6000000 je 004C9BDD ; should be the key jump; no jump means failure
004C9B07 |. 8B8D B4F9FFFF mov ecx, dword ptr [ebp-64C]
004C9B0D |. C781 14010000>mov dword ptr [ecx+114], 0
004C9B17 |. C785 40FAFFFF>mov dword ptr [ebp-5C0], 0
004C9B21 |. C645 FC 10 mov byte ptr [ebp-4], 10
004C9B25 |. 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0]
004C9B2B |. E8 4184F3FF call 00401F71
004C9B30 |. C645 FC 0F mov byte ptr [ebp-4], 0F
004C9B34 |. 8D8D C0FBFFFF lea ecx, dword ptr [ebp-440]
004C9B3A |. E8 3284F3FF call 00401F71
004C9B3F |. 
C645 FC 0E mov byte ptr [ebp-4], 0E
004C9B43 |. 8D8D 84FCFFFF lea ecx, dword ptr [ebp-37C]
004C9B49 |. E8 2384F3FF call 00401F71
004C9B4E |. C645 FC 0D mov byte ptr [ebp-4], 0D
004C9B52 |. 8D8D 2CFBFFFF lea ecx, dword ptr [ebp-4D4]
004C9B58 |. E8 1484F3FF call 00401F71
004C9B5D |. C645 FC 0C mov byte ptr [ebp-4], 0C
004C9B61 |. 8D8D 20FBFFFF lea ecx, dword ptr [ebp-4E0]
004C9B67 |. E8 A6430A00 call 0056DF12
004C9B6C |. C645 FC 05 mov byte ptr [ebp-4], 5
004C9B70 |. 8D8D 64FCFFFF lea ecx, dword ptr [ebp-39C]
004C9B76 |. E8 97430A00 call 0056DF12
004C9B7B |. C645 FC 04 mov byte ptr [ebp-4], 4
004C9B7F |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C9B85 |. E8 88430A00 call 0056DF12
004C9B8A |. C645 FC 03 mov byte ptr [ebp-4], 3
004C9B8E |. 8D4D BC lea ecx, dword ptr [ebp-44]
004C9B91 |. E8 7C430A00 call 0056DF12
004C9B96 |. C645 FC 02 mov byte ptr [ebp-4], 2
004C9B9A |. 8D8D 60FCFFFF lea ecx, dword ptr [ebp-3A0]
004C9BA0 |. E8 6D430A00 call 0056DF12
004C9BA5 |. C645 FC 01 mov byte ptr [ebp-4], 1
004C9BA9 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9BAF |. E8 5E430A00 call 0056DF12
004C9BB4 |. C645 FC 00 mov byte ptr [ebp-4], 0
004C9BB8 |. 8D8D 24FBFFFF lea ecx, dword ptr [ebp-4DC]
004C9BBE |. E8 4F430A00 call 0056DF12
004C9BC3 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004C9BCA |. 8D4D 08 lea ecx, dword ptr [ebp+8]
004C9BCD |. E8 40430A00 call 0056DF12
004C9BD2 |. 8B85 40FAFFFF mov eax, dword ptr [ebp-5C0]
004C9BD8 |. E9 DB080000 jmp 004CA4B8
004C9BDD |> C785 6CFCFFFF>mov dword ptr [ebp-394], 0 ; if the comparison is equal, jump here and continue
004C9BE7 |. C785 68FCFFFF>mov dword ptr [ebp-398], 0
004C9BF1 |. C785 70FCFFFF>mov dword ptr [ebp-390], 0
004C9BFB |. 8D95 1CFFFFFF lea edx, dword ptr [ebp-E4]
004C9C01 |. 52 push edx
004C9C02 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9C08 |. E8 4C440A00 call 0056E059 ; take characters 4--7 of the string
004C9C0D |. 6A 04 push 4
004C9C0F |. 6A 03 push 3
004C9C11 |. 8D85 3CFAFFFF lea eax, dword ptr [ebp-5C4]
004C9C17 |. 50 push eax
004C9C18 |. 
8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9C1E |. E8 99150A00 call 0056B1BC
004C9C23 |. 8985 94F9FFFF mov dword ptr [ebp-66C], eax
004C9C29 |. 8B8D 94F9FFFF mov ecx, dword ptr [ebp-66C]
004C9C2F |. 898D 90F9FFFF mov dword ptr [ebp-670], ecx
004C9C35 |. C645 FC 14 mov byte ptr [ebp-4], 14
004C9C39 |. 8B95 90F9FFFF mov edx, dword ptr [ebp-670]
004C9C3F |. 52 push edx
004C9C40 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9C46 |. E8 0E440A00 call 0056E059 ; take characters 9--10 of the string
004C9C4B |. C645 FC 11 mov byte ptr [ebp-4], 11
004C9C4F |. 8D8D 3CFAFFFF lea ecx, dword ptr [ebp-5C4]
004C9C55 |. E8 B8420A00 call 0056DF12
004C9C5A |. 8B85 78FCFFFF mov eax, dword ptr [ebp-388]
004C9C60 |. 50 push eax
004C9C61 |. E8 98E30800 call 00557FFE
004C9C66 |. 83C4 04 add esp, 4
004C9C69 |. 8985 6CFCFFFF mov dword ptr [ebp-394], eax
004C9C6F |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004C9C75 |. 51 push ecx
004C9C76 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9C7C |. E8 D8430A00 call 0056E059 ; take characters 12--13 of the string
004C9C81 |. 6A 02 push 2
004C9C83 |. 6A 08 push 8
004C9C85 |. 8D95 38FAFFFF lea edx, dword ptr [ebp-5C8]
004C9C8B |. 52 push edx
004C9C8C |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9C92 |. E8 25150A00 call 0056B1BC
004C9C97 |. 8985 8CF9FFFF mov dword ptr [ebp-674], eax
004C9C9D |. 8B85 8CF9FFFF mov eax, dword ptr [ebp-674]
004C9CA3 |. 8985 88F9FFFF mov dword ptr [ebp-678], eax
004C9CA9 |. C645 FC 15 mov byte ptr [ebp-4], 15
004C9CAD |. 8B8D 88F9FFFF mov ecx, dword ptr [ebp-678]
004C9CB3 |. 51 push ecx
004C9CB4 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9CBA |. E8 9A430A00 call 0056E059 ; take the string
004C9CBF |. C645 FC 11 mov byte ptr [ebp-4], 11
004C9CC3 |. 8D8D 38FAFFFF lea ecx, dword ptr [ebp-5C8]
004C9CC9 |. E8 44420A00 call 0056DF12
004C9CCE |. 8B95 78FCFFFF mov edx, dword ptr [ebp-388]
004C9CD4 |. 52 push edx
004C9CD5 |. E8 24E30800 call 00557FFE
004C9CDA |. 83C4 04 add esp, 4
004C9CDD |. 8985 68FCFFFF mov dword ptr [ebp-398], eax
004C9CE3 |. 
8D85 1CFFFFFF lea eax, dword ptr [ebp-E4]
004C9CE9 |. 50 push eax
004C9CEA |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9CF0 |. E8 64430A00 call 0056E059 ; take the string
004C9CF5 |. 6A 02 push 2
004C9CF7 |. 6A 0B push 0B
004C9CF9 |. 8D8D 34FAFFFF lea ecx, dword ptr [ebp-5CC]
004C9CFF |. 51 push ecx
004C9D00 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9D06 |. E8 B1140A00 call 0056B1BC
004C9D0B |. 8985 84F9FFFF mov dword ptr [ebp-67C], eax
004C9D11 |. 8B95 84F9FFFF mov edx, dword ptr [ebp-67C]
004C9D17 |. 8995 80F9FFFF mov dword ptr [ebp-680], edx
004C9D1D |. C645 FC 16 mov byte ptr [ebp-4], 16
004C9D21 |. 8B85 80F9FFFF mov eax, dword ptr [ebp-680]
004C9D27 |. 50 push eax
004C9D28 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388]
004C9D2E |. E8 26430A00 call 0056E059 ; take the string
004C9D33 |. C645 FC 11 mov byte ptr [ebp-4], 11
004C9D37 |. 8D8D 34FAFFFF lea ecx, dword ptr [ebp-5CC]
004C9D3D |. E8 D0410A00 call 0056DF12
004C9D42 |. 8B8D 78FCFFFF mov ecx, dword ptr [ebp-388]
004C9D48 |. 51 push ecx
004C9D49 |. E8 B0E20800 call 00557FFE
004C9D4E |. 83C4 04 add esp, 4
004C9D51 |. 8985 70FCFFFF mov dword ptr [ebp-390], eax
004C9D57 |. 6A FF push -1
004C9D59 |. 6A 00 push 0
004C9D5B |. 6A 00 push 0
004C9D5D |. 6A 00 push 0
004C9D5F |. 8B95 70FCFFFF mov edx, dword ptr [ebp-390]
004C9D65 |. 52 push edx
004C9D66 |. 8B85 68FCFFFF mov eax, dword ptr [ebp-398]
004C9D6C |. 50 push eax
004C9D6D |. 8B8D 6CFCFFFF mov ecx, dword ptr [ebp-394]
004C9D73 |. 51 push ecx
004C9D74 |. 8D8D 7CFCFFFF lea ecx, dword ptr [ebp-384]
004C9D7A |. E8 2C1C0A00 call 0056B9AB
004C9D7F |. C745 B4 00000>mov dword ptr [ebp-4C], 0
004C9D86 |. 6A 34 push 34
004C9D88 |. 6A 00 push 0
004C9D8A |. 8D55 C0 lea edx, dword ptr [ebp-40]
004C9D8D |. 52 push edx
004C9D8E |. E8 8DDD0800 call 00557B20
004C9D93 |. 83C4 0C add esp, 0C
004C9D96 |. 68 08020000 push 208 ; /BufSize = 208 (520.)
004C9D9B |. 8D85 14FDFFFF lea eax, dword ptr [ebp-2EC] ; |
004C9DA1 |. 50 push eax ; |PathBuffer
004C9DA2 |. 
6A 00 push 0 ; |hModule = NULL 004C9DA4 |. FF15 B4E45900 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameW 004C9DAA |. 6A 00 push 0 ; /hTemplateFile = NULL 004C9DAC |. 6A 27 push 27 ; |Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE 004C9DAE |. 6A 03 push 3 ; |Mode = OPEN_EXISTING 004C9DB0 |. 6A 00 push 0 ; |pSecurity = NULL 004C9DB2 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ 004C9DB4 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ 004C9DB9 |. 8D8D 14FDFFFF lea ecx, dword ptr [ebp-2EC] ; | 004C9DBF |. 51 push ecx ; |FileName 004C9DC0 |. FF15 B8E45900 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileW 004C9DC6 |. 8985 BCFBFFFF mov dword ptr [ebp-444], eax 004C9DCC |. 83BD BCFBFFFF>cmp dword ptr [ebp-444], -1 004C9DD3 |. 0F85 C6000000 jnz 004C9E9F 004C9DD9 |. C785 30FAFFFF>mov dword ptr [ebp-5D0], 0 004C9DE3 |. C645 FC 10 mov byte ptr [ebp-4], 10 004C9DE7 |. 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0] 004C9DED |. E8 7F81F3FF call 00401F71 004C9DF2 |. C645 FC 0F mov byte ptr [ebp-4], 0F 004C9DF6 |. 8D8D C0FBFFFF lea ecx, dword ptr [ebp-440] 004C9DFC |. E8 7081F3FF call 00401F71 004C9E01 |. C645 FC 0E mov byte ptr [ebp-4], 0E 004C9E05 |. 8D8D 84FCFFFF lea ecx, dword ptr [ebp-37C] 004C9E0B |. E8 6181F3FF call 00401F71 004C9E10 |. C645 FC 0D mov byte ptr [ebp-4], 0D 004C9E14 |. 8D8D 2CFBFFFF lea ecx, dword ptr [ebp-4D4] 004C9E1A |. E8 5281F3FF call 00401F71 004C9E1F |. C645 FC 0C mov byte ptr [ebp-4], 0C 004C9E23 |. 8D8D 20FBFFFF lea ecx, dword ptr [ebp-4E0] 004C9E29 |. E8 E4400A00 call 0056DF12 004C9E2E |. C645 FC 05 mov byte ptr [ebp-4], 5 004C9E32 |. 8D8D 64FCFFFF lea ecx, dword ptr [ebp-39C] 004C9E38 |. E8 D5400A00 call 0056DF12 004C9E3D |. C645 FC 04 mov byte ptr [ebp-4], 4 004C9E41 |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4] 004C9E47 |. E8 C6400A00 call 0056DF12 004C9E4C |. C645 FC 03 mov byte ptr [ebp-4], 3 004C9E50 |. 8D4D BC lea ecx, dword ptr [ebp-44] 004C9E53 |. E8 BA400A00 call 0056DF12 004C9E58 |. 
C645 FC 02 mov byte ptr [ebp-4], 2 004C9E5C |. 8D8D 60FCFFFF lea ecx, dword ptr [ebp-3A0] 004C9E62 |. E8 AB400A00 call 0056DF12 004C9E67 |. C645 FC 01 mov byte ptr [ebp-4], 1 004C9E6B |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388] 004C9E71 |. E8 9C400A00 call 0056DF12 004C9E76 |. C645 FC 00 mov byte ptr [ebp-4], 0 004C9E7A |. 8D8D 24FBFFFF lea ecx, dword ptr [ebp-4DC] 004C9E80 |. E8 8D400A00 call 0056DF12 004C9E85 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1 004C9E8C |. 8D4D 08 lea ecx, dword ptr [ebp+8] 004C9E8F |. E8 7E400A00 call 0056DF12 004C9E94 |. 8B85 30FAFFFF mov eax, dword ptr [ebp-5D0] 004C9E9A |. E9 19060000 jmp 004CA4B8 004C9E9F |> 8D55 C0 lea edx, dword ptr [ebp-40] 004C9EA2 |. 52 push edx ; /pFileInformation 004C9EA3 |. 8B85 BCFBFFFF mov eax, dword ptr [ebp-444] ; | 004C9EA9 |. 50 push eax ; |hFile 004C9EAA |. FF15 80E45900 call dword ptr [<&KERNEL32.GetFileInf>; \GetFileInformationByHandle 004C9EB0 |. 8985 54FCFFFF mov dword ptr [ebp-3AC], eax 004C9EB6 |. 8B8D BCFBFFFF mov ecx, dword ptr [ebp-444] 004C9EBC |. 51 push ecx ; /hObject 004C9EBD |. FF15 C0E45900 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle 004C9EC3 |. 8D55 C4 lea edx, dword ptr [ebp-3C] 004C9EC6 |. 8955 B4 mov dword ptr [ebp-4C], edx 004C9EC9 |. 837D B4 00 cmp dword ptr [ebp-4C], 0 004C9ECD |. 74 22 je short 004C9EF1 004C9ECF |. 6A FF push -1 004C9ED1 |. 8B45 B4 mov eax, dword ptr [ebp-4C] 004C9ED4 |. 50 push eax 004C9ED5 |. 8D8D 2CFAFFFF lea ecx, dword ptr [ebp-5D4] 004C9EDB |. E8 631B0A00 call 0056BA43 004C9EE0 |. 8985 C8F9FFFF mov dword ptr [ebp-638], eax 004C9EE6 |. 8B8D C8F9FFFF mov ecx, dword ptr [ebp-638] 004C9EEC |. 8B11 mov edx, dword ptr [ecx] 004C9EEE |. 8955 B0 mov dword ptr [ebp-50], edx 004C9EF1 |> 68 C82B5E00 push 005E2BC8 ; % 004C9EF6 |. 8D85 28FAFFFF lea eax, dword ptr [ebp-5D8] 004C9EFC |. 50 push eax 004C9EFD |. 8D4D B0 lea ecx, dword ptr [ebp-50] 004C9F00 |. E8 231C0A00 call 0056BB28 ; 可能是规定注册时间格式 004C9F05 |. 8985 7CF9FFFF mov dword ptr [ebp-684], eax 004C9F0B |. 
8B8D 7CF9FFFF mov ecx, dword ptr [ebp-684] 004C9F11 |. 898D 78F9FFFF mov dword ptr [ebp-688], ecx 004C9F17 |. C645 FC 17 mov byte ptr [ebp-4], 17 004C9F1B |. 8B95 78F9FFFF mov edx, dword ptr [ebp-688] 004C9F21 |. 52 push edx 004C9F22 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388] 004C9F28 |. E8 2C410A00 call 0056E059 004C9F2D |. C645 FC 11 mov byte ptr [ebp-4], 11 004C9F31 |. 8D8D 28FAFFFF lea ecx, dword ptr [ebp-5D8] 004C9F37 |. E8 D63F0A00 call 0056DF12 004C9F3C |. 8D45 B8 lea eax, dword ptr [ebp-48] 004C9F3F |. 50 push eax 004C9F40 |. E8 4A1B0A00 call 0056BA8F 004C9F45 |. 51 push ecx 004C9F46 |. 8BCC mov ecx, esp 004C9F48 |. 89A5 24FAFFFF mov dword ptr [ebp-5DC], esp 004C9F4E |. 898D C4F9FFFF mov dword ptr [ebp-63C], ecx 004C9F54 |. 8B95 C4F9FFFF mov edx, dword ptr [ebp-63C] 004C9F5A |. 8B45 B8 mov eax, dword ptr [ebp-48] 004C9F5D |. 8902 mov dword ptr [edx], eax 004C9F5F |. 8D8D 20FAFFFF lea ecx, dword ptr [ebp-5E0] 004C9F65 |. 51 push ecx 004C9F66 |. 8D4D B0 lea ecx, dword ptr [ebp-50] 004C9F69 |. E8 F27AF7FF call 00441A60 ; 用以上结果计算出新结果,作用不清楚 004C9F6E |. 8985 74F9FFFF mov dword ptr [ebp-68C], eax 004C9F74 |. 8B95 74F9FFFF mov edx, dword ptr [ebp-68C] 004C9F7A |. 8B02 mov eax, dword ptr [edx] 004C9F7C |. 8985 50FCFFFF mov dword ptr [ebp-3B0], eax 004C9F82 |. 8B85 50FCFFFF mov eax, dword ptr [ebp-3B0] 004C9F88 |. 99 cdq 004C9F89 |. B9 80510100 mov ecx, 15180 004C9F8E |. F7F9 idiv ecx 004C9F90 |. 85C0 test eax, eax 004C9F92 |. 0F8E D6000000 jle 004CA06E 004C9F98 |. 8B95 B4F9FFFF mov edx, dword ptr [ebp-64C] 004C9F9E |. C782 14010000>mov dword ptr [edx+114], 0 004C9FA8 |. C785 1CFAFFFF>mov dword ptr [ebp-5E4], 0 004C9FB2 |. C645 FC 10 mov byte ptr [ebp-4], 10 004C9FB6 |. 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0] 004C9FBC |. E8 B07FF3FF call 00401F71 004C9FC1 |. C645 FC 0F mov byte ptr [ebp-4], 0F 004C9FC5 |. 8D8D C0FBFFFF lea ecx, dword ptr [ebp-440] 004C9FCB |. E8 A17FF3FF call 00401F71 004C9FD0 |. C645 FC 0E mov byte ptr [ebp-4], 0E 004C9FD4 |. 
8D8D 84FCFFFF lea ecx, dword ptr [ebp-37C] 004C9FDA |. E8 927FF3FF call 00401F71 004C9FDF |. C645 FC 0D mov byte ptr [ebp-4], 0D 004C9FE3 |. 8D8D 2CFBFFFF lea ecx, dword ptr [ebp-4D4] 004C9FE9 |. E8 837FF3FF call 00401F71 004C9FEE |. C645 FC 0C mov byte ptr [ebp-4], 0C 004C9FF2 |. 8D8D 20FBFFFF lea ecx, dword ptr [ebp-4E0] 004C9FF8 |. E8 153F0A00 call 0056DF12 ;下面这几个CALL应该是储存上面所有运算出字符串的结果,写入RWJunk.dll文件中 004C9FFD |. C645 FC 05 mov byte ptr [ebp-4], 5 004CA001 |. 8D8D 64FCFFFF lea ecx, dword ptr [ebp-39C] 004CA007 |. E8 063F0A00 call 0056DF12 ...............................算了,还是省略掉吧,代码太多看着就头晕哦,呵呵 004CA438 |. E8 347BF3FF call 00401F71 004CA43D |. C645 FC 0C mov byte ptr [ebp-4], 0C 004CA441 |. 8D8D 20FBFFFF lea ecx, dword ptr [ebp-4E0] 004CA447 |. E8 C63A0A00 call 0056DF12 ; 下面这几个CALL应该是储存上面所有运算出字符串的结果 004CA44C |. C645 FC 05 mov byte ptr [ebp-4], 5 004CA450 |. 8D8D 64FCFFFF lea ecx, dword ptr [ebp-39C] 004CA456 |. E8 B73A0A00 call 0056DF12 004CA45B |. C645 FC 04 mov byte ptr [ebp-4], 4 004CA45F |. 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4] 004CA465 |. E8 A83A0A00 call 0056DF12 004CA46A |. C645 FC 03 mov byte ptr [ebp-4], 3 004CA46E |. 8D4D BC lea ecx, dword ptr [ebp-44] 004CA471 |. E8 9C3A0A00 call 0056DF12 004CA476 |. C645 FC 02 mov byte ptr [ebp-4], 2 004CA47A |. 8D8D 60FCFFFF lea ecx, dword ptr [ebp-3A0] 004CA480 |. E8 8D3A0A00 call 0056DF12 004CA485 |. C645 FC 01 mov byte ptr [ebp-4], 1 004CA489 |. 8D8D 78FCFFFF lea ecx, dword ptr [ebp-388] 004CA48F |. E8 7E3A0A00 call 0056DF12 004CA494 |. C645 FC 00 mov byte ptr [ebp-4], 0 004CA498 |. 8D8D 24FBFFFF lea ecx, dword ptr [ebp-4DC] 004CA49E |. E8 6F3A0A00 call 0056DF12 004CA4A3 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1 004CA4AA |. 8D4D 08 lea ecx, dword ptr [ebp+8] 004CA4AD |. E8 603A0A00 call 0056DF12 004CA4B2 |. 8B85 F4F9FFFF mov eax, dword ptr [ebp-60C] 004CA4B8 |> 8B4D F4 mov ecx, dword ptr [ebp-C] 004CA4BB |. 64:890D 00000>mov dword ptr fs:[0], ecx 004CA4C2 |. 5F pop edi 004CA4C3 |. 5E pop esi 004CA4C4 |. 
8BE5 mov esp, ebp
004CA4C6 |. 5D pop ebp
004CA4C7 \. C2 0400 retn 4

Key algorithm CALL 00403DF7, stepped into with F7

00403DF7 /$ 55 push ebp
00403DF8 |. 8BEC mov ebp, esp
00403DFA |. 6A FF push -1
00403DFC |. 68 83475800 push 00584783 ; SE handler installation
00403E01 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
00403E07 |. 50 push eax
00403E08 |. 64:8925 00000>mov dword ptr fs:[0], esp
00403E0F |. 81EC 2C070000 sub esp, 72C
00403E15 |. 56 push esi
00403E16 |. 57 push edi
00403E17 |. 898D 18F9FFFF mov dword ptr [ebp-6E8], ecx
00403E1D |. C785 1CF9FFFF>mov dword ptr [ebp-6E4], 0
00403E27 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
00403E2D |. E8 FEE0FFFF call 00401F30 ; set up the storage address
00403E32 |. C745 FC 01000>mov dword ptr [ebp-4], 1
00403E39 |. 8D8D D0FEFFFF lea ecx, dword ptr [ebp-130]
00403E3F |. E8 ECE0FFFF call 00401F30
00403E44 |. C645 FC 02 mov byte ptr [ebp-4], 2
00403E48 |. 8B45 0C mov eax, dword ptr [ebp+C]
00403E4B |. 8B08 mov ecx, dword ptr [eax]
00403E4D |. C1E1 05 shl ecx, 5
00403E50 |. 83E9 20 sub ecx, 20
00403E53 |. 898D C8FEFFFF mov dword ptr [ebp-138], ecx
00403E59 |. 8B55 0C mov edx, dword ptr [ebp+C]
00403E5C |. 8B02 mov eax, dword ptr [edx]
00403E5E |. 8B4D 0C mov ecx, dword ptr [ebp+C]
00403E61 |. 8B1481 mov edx, dword ptr [ecx+eax*4]
00403E64 |. 8995 C4FEFFFF mov dword ptr [ebp-13C], edx
00403E6A |> 83BD C4FEFFFF>/cmp dword ptr [ebp-13C], 0
00403E71 |. 74 1F |je short 00403E92
00403E73 |. 8B85 C4FEFFFF |mov eax, dword ptr [ebp-13C] ; this small loop counts how many times "116AB" is shifted right by one bit
00403E79 |. D1E8 |shr eax, 1 ; gives the power of 2 (number of halvings) of the short string
00403E7B |. 8985 C4FEFFFF |mov dword ptr [ebp-13C], eax
00403E81 |. 8B8D C8FEFFFF |mov ecx, dword ptr [ebp-138]
00403E87 |. 83C1 01 |add ecx, 1
00403E8A |. 898D C8FEFFFF |mov dword ptr [ebp-138], ecx
00403E90 |.^ EB D8 \jmp short 00403E6A
00403E92 |> 8B95 18F9FFFF mov edx, dword ptr [ebp-6E8] ; the power obtained is 11
00403E98 |. 52 push edx
00403E99 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
00403E9F |. E8 65E1FFFF call 00402009 ; storage address
00403EA4 |. 8B85 C8FEFFFF mov eax, dword ptr [ebp-138]
00403EAA |.
83E8 02 sub eax, 2
00403EAD |. 8985 60FFFFFF mov dword ptr [ebp-A0], eax
00403EB3 |. EB 0F jmp short 00403EC4
00403EB5 |> 8B8D 60FFFFFF /mov ecx, dword ptr [ebp-A0]
00403EBB |. 83E9 01 |sub ecx, 1
00403EBE |. 898D 60FFFFFF |mov dword ptr [ebp-A0], ecx
00403EC4 |> 83BD 60FFFFFF> cmp dword ptr [ebp-A0], 0 ; loop over the short string starts
00403ECB |. 0F8C 81040000 |jl 00404352 ; first loop section starts
00403ED1 |. 8B95 64FFFFFF |mov edx, dword ptr [ebp-9C]
00403ED7 |. 8B8495 64FFFF>|mov eax, dword ptr [ebp+edx*4-9C]
00403EDE |. 50 |push eax
00403EDF |. 8D8D 30FEFFFF |lea ecx, dword ptr [ebp-1D0]
00403EE5 |. 51 |push ecx
00403EE6 |. 8D8D 64FFFFFF |lea ecx, dword ptr [ebp-9C]
00403EEC |. E8 90EBFFFF |call 00402A81 ; algorithm A CALL: multiplies the 8-digit values, then adds the 16-digit results front to back
00403EF1 |. 8985 14F9FFFF |mov dword ptr [ebp-6EC], eax
00403EF7 |. 8B95 14F9FFFF |mov edx, dword ptr [ebp-6EC]
00403EFD |. 8995 10F9FFFF |mov dword ptr [ebp-6F0], edx
00403F03 |. C645 FC 03 |mov byte ptr [ebp-4], 3
00403F07 |. 8B85 10F9FFFF |mov eax, dword ptr [ebp-6F0]
00403F0D |. 50 |push eax
00403F0E |. 8D8D D0FEFFFF |lea ecx, dword ptr [ebp-130]
00403F14 |. E8 F0E0FFFF |call 00402009
00403F19 |. C645 FC 02 |mov byte ptr [ebp-4], 2
00403F1D |. 8D8D 30FEFFFF |lea ecx, dword ptr [ebp-1D0]
00403F23 |. E8 49E0FFFF |call 00401F71
00403F28 |. 8B4D 10 |mov ecx, dword ptr [ebp+10]
00403F2B |. 51 |push ecx
00403F2C |. 8D95 A0FDFFFF |lea edx, dword ptr [ebp-260]
00403F32 |. 52 |push edx
00403F33 |. 8D8D D0FEFFFF |lea ecx, dword ptr [ebp-130]
00403F39 |. E8 8CF2FFFF |call 004031CA ; algorithm B CALL: takes a quotient, then multiplies, adds and subtracts
00403F3E |. 8985 0CF9FFFF |mov dword ptr [ebp-6F4], eax
00403F44 |. 8B85 0CF9FFFF |mov eax, dword ptr [ebp-6F4]
00403F4A |. 8985 08F9FFFF |mov dword ptr [ebp-6F8], eax
00403F50 |. C645 FC 04 |mov byte ptr [ebp-4], 4
00403F54 |. 8B8D 08F9FFFF |mov ecx, dword ptr [ebp-6F8]
00403F5A |. 51 |push ecx
00403F5B |. 8D8D D0FEFFFF |lea ecx, dword ptr [ebp-130]
00403F61 |. E8 A3E0FFFF |call 00402009
00403F66 |. C645 FC 02 |mov byte ptr [ebp-4], 2
00403F6A |.
8D8D A0FDFFFF |lea ecx, dword ptr [ebp-260] 00403F70 |. E8 FCDFFFFF |call 00401F71 00403F75 |. C785 C0FEFFFF>|mov dword ptr [ebp-140], 1 00403F7F |. EB 0F |jmp short 00403F90 00403F81 |> 8B95 C0FEFFFF |/mov edx, dword ptr [ebp-140] 00403F87 |. 83C2 01 ||add edx, 1 00403F8A |. 8995 C0FEFFFF ||mov dword ptr [ebp-140], edx 00403F90 |> 8B85 C0FEFFFF | mov eax, dword ptr [ebp-140] 00403F96 |. 3B85 64FFFFFF ||cmp eax, dword ptr [ebp-9C] ; 第二段循环M2开始,循环10H 00403F9C |. 0F83 48010000 ||jnb 004040EA 00403FA2 |. 8B8D D0FEFFFF ||mov ecx, dword ptr [ebp-130] 00403FA8 |. 898D CCFEFFFF ||mov dword ptr [ebp-134], ecx 00403FAE |. EB 0F ||jmp short 00403FBF 00403FB0 |> 8B95 CCFEFFFF ||/mov edx, dword ptr [ebp-134] 00403FB6 |. 83EA 01 |||sub edx, 1 00403FB9 |. 8995 CCFEFFFF |||mov dword ptr [ebp-134], edx 00403FBF |> 83BD CCFEFFFF>|| cmp dword ptr [ebp-134], 0 00403FC6 |. 7E 1C |||jle short 00403FE4 00403FC8 |. 8B85 CCFEFFFF |||mov eax, dword ptr [ebp-134] 00403FCE |. 8B8D CCFEFFFF |||mov ecx, dword ptr [ebp-134] 00403FD4 |. 8B948D D0FEFF>|||mov edx, dword ptr [ebp+ecx*4-130>; 上面循环运算出的结果全部储存起来 00403FDB |. 899485 D4FEFF>|||mov dword ptr [ebp+eax*4-12C], ed> 00403FE2 |.^ EB CC ||\jmp short 00403FB0 00403FE4 |> C785 D4FEFFFF>||mov dword ptr [ebp-12C], 0 00403FEE |. 8B85 D0FEFFFF ||mov eax, dword ptr [ebp-130] 00403FF4 |. 83C0 01 ||add eax, 1 00403FF7 |. 8985 D0FEFFFF ||mov dword ptr [ebp-130], eax 00403FFD |. 8B8D 64FFFFFF ||mov ecx, dword ptr [ebp-9C] 00404003 |. 2B8D C0FEFFFF ||sub ecx, dword ptr [ebp-140] 00404009 |. 8B948D 64FFFF>||mov edx, dword ptr [ebp+ecx*4-9C] 00404010 |. 52 ||push edx 00404011 |. 8D85 10FDFFFF ||lea eax, dword ptr [ebp-2F0] 00404017 |. 50 ||push eax 00404018 |. 8D8D 64FFFFFF ||lea ecx, dword ptr [ebp-9C] 0040401E |. E8 5EEAFFFF ||call 00402A81 ; 第二段循环M2重复第一算法A(赋值不一样) 00404023 |. 8985 04F9FFFF ||mov dword ptr [ebp-6FC], eax 00404029 |. 8B8D 04F9FFFF ||mov ecx, dword ptr [ebp-6FC] 0040402F |. 898D 00F9FFFF ||mov dword ptr [ebp-700], ecx 00404035 |. 
C645 FC 05 ||mov byte ptr [ebp-4], 5 00404039 |. 8B95 00F9FFFF ||mov edx, dword ptr [ebp-700] 0040403F |. 52 ||push edx 00404040 |. 8D85 80FCFFFF ||lea eax, dword ptr [ebp-380] 00404046 |. 50 ||push eax 00404047 |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 0040404D |. E8 80E0FFFF ||call 004020D2 ; 对上面计算结果保存 00404052 |. 8985 FCF8FFFF ||mov dword ptr [ebp-704], eax 00404058 |. 8B8D FCF8FFFF ||mov ecx, dword ptr [ebp-704] 0040405E |. 898D F8F8FFFF ||mov dword ptr [ebp-708], ecx 00404064 |. C645 FC 06 ||mov byte ptr [ebp-4], 6 00404068 |. 8B95 F8F8FFFF ||mov edx, dword ptr [ebp-708] 0040406E |. 52 ||push edx 0040406F |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 00404075 |. E8 8FDFFFFF ||call 00402009 0040407A |. C645 FC 05 ||mov byte ptr [ebp-4], 5 0040407E |. 8D8D 80FCFFFF ||lea ecx, dword ptr [ebp-380] 00404084 |. E8 E8DEFFFF ||call 00401F71 00404089 |. C645 FC 02 ||mov byte ptr [ebp-4], 2 0040408D |. 8D8D 10FDFFFF ||lea ecx, dword ptr [ebp-2F0] 00404093 |. E8 D9DEFFFF ||call 00401F71 00404098 |. 8B45 10 ||mov eax, dword ptr [ebp+10] 0040409B |. 50 ||push eax 0040409C |. 8D8D F0FBFFFF ||lea ecx, dword ptr [ebp-410] 004040A2 |. 51 ||push ecx 004040A3 |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 004040A9 |. E8 1CF1FFFF ||call 004031CA ; M2 结合上面结果的算法B (赋值不一样) 004040AE |. 8985 F4F8FFFF ||mov dword ptr [ebp-70C], eax 004040B4 |. 8B95 F4F8FFFF ||mov edx, dword ptr [ebp-70C] 004040BA |. 8995 F0F8FFFF ||mov dword ptr [ebp-710], edx 004040C0 |. C645 FC 07 ||mov byte ptr [ebp-4], 7 004040C4 |. 8B85 F0F8FFFF ||mov eax, dword ptr [ebp-710] 004040CA |. 50 ||push eax 004040CB |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 004040D1 |. E8 33DFFFFF ||call 00402009 004040D6 |. C645 FC 02 ||mov byte ptr [ebp-4], 2 004040DA |. 8D8D F0FBFFFF ||lea ecx, dword ptr [ebp-410] 004040E0 |. E8 8CDEFFFF ||call 00401F71 004040E5 |.^ E9 97FEFFFF |\jmp 00403F81 004040EA |> 8D8D D0FEFFFF |lea ecx, dword ptr [ebp-130] 004040F0 |. 51 |push ecx 004040F1 |. 
8D8D 64FFFFFF |lea ecx, dword ptr [ebp-9C]
004040F7 |. E8 0DDFFFFF |call 00402009
004040FC |. 8B95 60FFFFFF |mov edx, dword ptr [ebp-A0]
00404102 |. C1FA 05 |sar edx, 5
00404105 |. 8B8D 60FFFFFF |mov ecx, dword ptr [ebp-A0]
0040410B |. 83E1 1F |and ecx, 1F
0040410E |. 8B45 0C |mov eax, dword ptr [ebp+C]
00404111 |. 8B5490 04 |mov edx, dword ptr [eax+edx*4+4] ; fetch the short fixed string
00404115 |. D3EA |shr edx, cl ; shift right by the power-of-2 bit position computed above
00404117 |. 83E2 01 |and edx, 1 ; AND with 1; decides which big-loop path is taken
0040411A |. 85D2 |test edx, edx
0040411C |. 0F84 2B020000 |je 0040434D ; jump taken goes to loop M, not taken goes to loop N
00404122 |. 8B85 64FFFFFF |mov eax, dword ptr [ebp-9C]
00404128 |. 8B8C85 64FFFF>|mov ecx, dword ptr [ebp+eax*4-9C]
0040412F |. 51 |push ecx
00404130 |. 8D95 60FBFFFF |lea edx, dword ptr [ebp-4A0]
00404136 |. 52 |push edx
00404137 |. 8B8D 18F9FFFF |mov ecx, dword ptr [ebp-6E8]
0040413D |. E8 3FE9FFFF |call 00402A81 ; second loop type N: algorithm A
00404142 |. 8985 ECF8FFFF |mov dword ptr [ebp-714], eax
00404148 |. 8B85 ECF8FFFF |mov eax, dword ptr [ebp-714]
0040414E |. 8985 E8F8FFFF |mov dword ptr [ebp-718], eax
00404154 |. C645 FC 08 |mov byte ptr [ebp-4], 8
00404158 |. 8B8D E8F8FFFF |mov ecx, dword ptr [ebp-718]
0040415E |. 51 |push ecx
0040415F |. 8D8D D0FEFFFF |lea ecx, dword ptr [ebp-130]
00404165 |. E8 9FDEFFFF |call 00402009
0040416A |. C645 FC 02 |mov byte ptr [ebp-4], 2
0040416E |. 8D8D 60FBFFFF |lea ecx, dword ptr [ebp-4A0]
00404174 |. E8 F8DDFFFF |call 00401F71
00404179 |. 8B55 10 |mov edx, dword ptr [ebp+10]
0040417C |. 52 |push edx
0040417D |. 8D85 D0FAFFFF |lea eax, dword ptr [ebp-530]
00404183 |. 50 |push eax
00404184 |. 8D8D D0FEFFFF |lea ecx, dword ptr [ebp-130]
0040418A |. E8 3BF0FFFF |call 004031CA ; second loop type N: algorithm B
0040418F |. 8985 E4F8FFFF |mov dword ptr [ebp-71C], eax
00404195 |. 8B8D E4F8FFFF |mov ecx, dword ptr [ebp-71C]
0040419B |. 898D E0F8FFFF |mov dword ptr [ebp-720], ecx
004041A1 |. C645 FC 09 |mov byte ptr [ebp-4], 9
004041A5 |. 8B95 E0F8FFFF |mov edx, dword ptr [ebp-720]
004041AB |. 52 |push edx
004041AC |.
8D8D D0FEFFFF |lea ecx, dword ptr [ebp-130] 004041B2 |. E8 52DEFFFF |call 00402009 004041B7 |. C645 FC 02 |mov byte ptr [ebp-4], 2 004041BB |. 8D8D D0FAFFFF |lea ecx, dword ptr [ebp-530] 004041C1 |. E8 ABDDFFFF |call 00401F71 004041C6 |. C785 C0FEFFFF>|mov dword ptr [ebp-140], 1 004041D0 |. EB 0F |jmp short 004041E1 004041D2 |> 8B85 C0FEFFFF |/mov eax, dword ptr [ebp-140] 004041D8 |. 83C0 01 ||add eax, 1 004041DB |. 8985 C0FEFFFF ||mov dword ptr [ebp-140], eax 004041E1 |> 8B8D C0FEFFFF | mov ecx, dword ptr [ebp-140] 004041E7 |. 3B8D 64FFFFFF ||cmp ecx, dword ptr [ebp-9C] ; 第二种循环N第二段循环M2的开始 004041ED |. 0F83 48010000 ||jnb 0040433B 004041F3 |. 8B95 D0FEFFFF ||mov edx, dword ptr [ebp-130] 004041F9 |. 8995 CCFEFFFF ||mov dword ptr [ebp-134], edx 004041FF |. EB 0F ||jmp short 00404210 00404201 |> 8B85 CCFEFFFF ||/mov eax, dword ptr [ebp-134] 00404207 |. 83E8 01 |||sub eax, 1 0040420A |. 8985 CCFEFFFF |||mov dword ptr [ebp-134], eax 00404210 |> 83BD CCFEFFFF>|| cmp dword ptr [ebp-134], 0 00404217 |. 7E 1C |||jle short 00404235 00404219 |. 8B8D CCFEFFFF |||mov ecx, dword ptr [ebp-134] 0040421F |. 8B95 CCFEFFFF |||mov edx, dword ptr [ebp-134] 00404225 |. 8B8495 D0FEFF>|||mov eax, dword ptr [ebp+edx*4-130> 0040422C |. 89848D D4FEFF>|||mov dword ptr [ebp+ecx*4-12C], ea> 00404233 |.^ EB CC ||\jmp short 00404201 00404235 |> C785 D4FEFFFF>||mov dword ptr [ebp-12C], 0 0040423F |. 8B8D D0FEFFFF ||mov ecx, dword ptr [ebp-130] 00404245 |. 83C1 01 ||add ecx, 1 00404248 |. 898D D0FEFFFF ||mov dword ptr [ebp-130], ecx 0040424E |. 8B95 64FFFFFF ||mov edx, dword ptr [ebp-9C] 00404254 |. 2B95 C0FEFFFF ||sub edx, dword ptr [ebp-140] 0040425A |. 8B8495 64FFFF>||mov eax, dword ptr [ebp+edx*4-9C] 00404261 |. 50 ||push eax 00404262 |. 8D8D 40FAFFFF ||lea ecx, dword ptr [ebp-5C0] 00404268 |. 51 ||push ecx 00404269 |. 8B8D 18F9FFFF ||mov ecx, dword ptr [ebp-6E8] 0040426F |. E8 0DE8FFFF ||call 00402A81 ; 算法A 00404274 |. 8985 DCF8FFFF ||mov dword ptr [ebp-724], eax 0040427A |. 
8B95 DCF8FFFF ||mov edx, dword ptr [ebp-724] 00404280 |. 8995 D8F8FFFF ||mov dword ptr [ebp-728], edx 00404286 |. C645 FC 0A ||mov byte ptr [ebp-4], 0A 0040428A |. 8B85 D8F8FFFF ||mov eax, dword ptr [ebp-728] 00404290 |. 50 ||push eax 00404291 |. 8D8D B0F9FFFF ||lea ecx, dword ptr [ebp-650] 00404297 |. 51 ||push ecx 00404298 |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 0040429E |. E8 2FDEFFFF ||call 004020D2 004042A3 |. 8985 D4F8FFFF ||mov dword ptr [ebp-72C], eax 004042A9 |. 8B95 D4F8FFFF ||mov edx, dword ptr [ebp-72C] 004042AF |. 8995 D0F8FFFF ||mov dword ptr [ebp-730], edx 004042B5 |. C645 FC 0B ||mov byte ptr [ebp-4], 0B 004042B9 |. 8B85 D0F8FFFF ||mov eax, dword ptr [ebp-730] 004042BF |. 50 ||push eax 004042C0 |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 004042C6 |. E8 3EDDFFFF ||call 00402009 004042CB |. C645 FC 0A ||mov byte ptr [ebp-4], 0A 004042CF |. 8D8D B0F9FFFF ||lea ecx, dword ptr [ebp-650] 004042D5 |. E8 97DCFFFF ||call 00401F71 004042DA |. C645 FC 02 ||mov byte ptr [ebp-4], 2 004042DE |. 8D8D 40FAFFFF ||lea ecx, dword ptr [ebp-5C0] 004042E4 |. E8 88DCFFFF ||call 00401F71 004042E9 |. 8B4D 10 ||mov ecx, dword ptr [ebp+10] 004042EC |. 51 ||push ecx 004042ED |. 8D95 20F9FFFF ||lea edx, dword ptr [ebp-6E0] 004042F3 |. 52 ||push edx 004042F4 |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 004042FA |. E8 CBEEFFFF ||call 004031CA '算法B 004042FF |. 8985 CCF8FFFF ||mov dword ptr [ebp-734], eax 00404305 |. 8B85 CCF8FFFF ||mov eax, dword ptr [ebp-734] 0040430B |. 8985 C8F8FFFF ||mov dword ptr [ebp-738], eax 00404311 |. C645 FC 0C ||mov byte ptr [ebp-4], 0C 00404315 |. 8B8D C8F8FFFF ||mov ecx, dword ptr [ebp-738] 0040431B |. 51 ||push ecx 0040431C |. 8D8D D0FEFFFF ||lea ecx, dword ptr [ebp-130] 00404322 |. E8 E2DCFFFF ||call 00402009 00404327 |. C645 FC 02 ||mov byte ptr [ebp-4], 2 0040432B |. 8D8D 20F9FFFF ||lea ecx, dword ptr [ebp-6E0] 00404331 |. 
E8 3BDCFFFF ||call 00401F71
00404336 |.^ E9 97FEFFFF |\jmp 004041D2
0040433B |> 8D95 D0FEFFFF |lea edx, dword ptr [ebp-130]
00404341 |. 52 |push edx
00404342 |. 8D8D 64FFFFFF |lea ecx, dword ptr [ebp-9C]
00404348 |. E8 BCDCFFFF |call 00402009
0040434D |>^ E9 63FBFFFF \jmp 00403EB5 ; continue looping
00404352 |> B9 24000000 mov ecx, 24 ; all loops finished, execution lands here
00404357 |. 8DB5 64FFFFFF lea esi, dword ptr [ebp-9C]
0040435D |. 8B7D 08 mov edi, dword ptr [ebp+8]
00404360 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00404362 |. 8B85 1CF9FFFF mov eax, dword ptr [ebp-6E4]
00404368 |. 0C 01 or al, 1
0040436A |. 8985 1CF9FFFF mov dword ptr [ebp-6E4], eax
00404370 |. C645 FC 01 mov byte ptr [ebp-4], 1
00404374 |. 8D8D D0FEFFFF lea ecx, dword ptr [ebp-130]
0040437A |. E8 F2DBFFFF call 00401F71
0040437F |. C645 FC 00 mov byte ptr [ebp-4], 0
00404383 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
00404389 |. E8 E3DBFFFF call 00401F71
0040438E |. 8B45 08 mov eax, dword ptr [ebp+8]
00404391 |. 8B4D F4 mov ecx, dword ptr [ebp-C]
00404394 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0040439B |. 5F pop edi
0040439C |. 5E pop esi
0040439D |. 8BE5 mov esp, ebp
0040439F |. 5D pop ebp
004043A0 \. C2 0C00 retn 0C

The algorithm CALLs used in the inner loops above are listed below, one by one.

Algorithm A

00402A81 /$ 55 push ebp
00402A82 |. 8BEC mov ebp, esp
00402A84 |. 6A FF push -1
00402A86 |. 68 BA445800 push 005844BA ; SE handler installation
00402A8B |. 64:A1 0000000>mov eax, dword ptr fs:[0]
00402A91 |. 50 push eax
00402A92 |. 64:8925 00000>mov dword ptr fs:[0], esp
00402A99 |. 81EC A8000000 sub esp, 0A8
00402A9F |. 56 push esi
00402AA0 |. 57 push edi
00402AA1 |. 898D 4CFFFFFF mov dword ptr [ebp-B4], ecx
00402AA7 |. C785 50FFFFFF>mov dword ptr [ebp-B0], 0
00402AB1 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
00402AB7 |. E8 74F4FFFF call 00401F30 ; storage space
00402ABC |. C745 FC 01000>mov dword ptr [ebp-4], 1
00402AC3 |. C785 54FFFFFF>mov dword ptr [ebp-AC], 0
00402ACD |. 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
00402AD3 |. 50 push eax
00402AD4 |.
8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
00402ADA |. E8 2AF5FFFF call 00402009
00402ADF |. C785 60FFFFFF>mov dword ptr [ebp-A0], 0
00402AE9 |. EB 0F jmp short 00402AFA
00402AEB |> 8B8D 60FFFFFF /mov ecx, dword ptr [ebp-A0] ; algorithm loop
00402AF1 |. 83C1 01 |add ecx, 1 ; counter plus 1
00402AF4 |. 898D 60FFFFFF |mov dword ptr [ebp-A0], ecx
00402AFA |> 8B95 4CFFFFFF mov edx, dword ptr [ebp-B4]
00402B00 |. 8B85 60FFFFFF |mov eax, dword ptr [ebp-A0]
00402B06 |. 3B02 |cmp eax, dword ptr [edx] ; loops 10H times
00402B08 |. 0F83 84000000 |jnb 00402B92
00402B0E |. 8B8D 60FFFFFF |mov ecx, dword ptr [ebp-A0]
00402B14 |. 8B95 4CFFFFFF |mov edx, dword ptr [ebp-B4]
00402B1A |. 8B448A 04 |mov eax, dword ptr [edx+ecx*4+4] ; fetch the last 8 digits of the fake serial
00402B1E |. 33C9 |xor ecx, ecx
00402B20 |. 8985 58FFFFFF |mov dword ptr [ebp-A8], eax
00402B26 |. 898D 5CFFFFFF |mov dword ptr [ebp-A4], ecx
00402B2C |. 8B55 0C |mov edx, dword ptr [ebp+C]
00402B2F |. 33C0 |xor eax, eax
00402B31 |. 50 |push eax
00402B32 |. 52 |push edx
00402B33 |. 8B8D 5CFFFFFF |mov ecx, dword ptr [ebp-A4]
00402B39 |. 51 |push ecx
00402B3A |. 8B95 58FFFFFF |mov edx, dword ptr [ebp-A8] ; last 8 digits of the fake serial moved into a register for the calculation
00402B40 |. 52 |push edx
00402B41 |. E8 AA551500 |call 005580F0 ; CALL that multiplies two 8-digit values, step into with F7
00402B46 |. 8B8D 54FFFFFF |mov ecx, dword ptr [ebp-AC]
00402B4C |. 33F6 |xor esi, esi
00402B4E |. 03C1 |add eax, ecx ; add the previous high 8 digits to the current low 8 digits
00402B50 |. 13D6 |adc edx, esi ; add the carry
00402B52 |. 8985 58FFFFFF |mov dword ptr [ebp-A8], eax ; store the two halves of the result
00402B58 |. 8995 5CFFFFFF |mov dword ptr [ebp-A4], edx
00402B5E |. 8B95 58FFFFFF |mov edx, dword ptr [ebp-A8]
00402B64 |. 8B85 60FFFFFF |mov eax, dword ptr [ebp-A0]
00402B6A |. 899485 68FFFF>|mov dword ptr [ebp+eax*4-98], edx ; move the result into its slot
00402B71 |. B9 20000000 |mov ecx, 20
00402B76 |. 8B85 58FFFFFF |mov eax, dword ptr [ebp-A8]
00402B7C |. 8B95 5CFFFFFF |mov edx, dword ptr [ebp-A4]
00402B82 |. E8 49551500 |call 005580D0
00402B87 |.
8985 54FFFFFF |mov dword ptr [ebp-AC], eax
00402B8D |.^ E9 59FFFFFF \jmp 00402AEB ; continue looping
00402B92 |> 83BD 54FFFFFF>cmp dword ptr [ebp-AC], 0
00402B99 |. 74 22 je short 00402BBD
00402B9B |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
00402BA1 |. 83C1 01 add ecx, 1 ; total loop count plus 1 = 11H
00402BA4 |. 898D 64FFFFFF mov dword ptr [ebp-9C], ecx
00402BAA |. 8B95 64FFFFFF mov edx, dword ptr [ebp-9C]
00402BB0 |. 8B85 54FFFFFF mov eax, dword ptr [ebp-AC]
00402BB6 |. 898495 64FFFF>mov dword ptr [ebp+edx*4-9C], eax
00402BBD |> B9 24000000 mov ecx, 24
00402BC2 |. 8DB5 64FFFFFF lea esi, dword ptr [ebp-9C]
00402BC8 |. 8B7D 08 mov edi, dword ptr [ebp+8]
00402BCB |. F3:A5 rep movs dword ptr es:[edi], dword p>
00402BCD |. 8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
00402BD3 |. 83C9 01 or ecx, 1
00402BD6 |. 898D 50FFFFFF mov dword ptr [ebp-B0], ecx
00402BDC |. C645 FC 00 mov byte ptr [ebp-4], 0
00402BE0 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
00402BE6 |. E8 86F3FFFF call 00401F71
00402BEB |. 8B45 08 mov eax, dword ptr [ebp+8]
00402BEE |. 8B4D F4 mov ecx, dword ptr [ebp-C]
00402BF1 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00402BF8 |. 5F pop edi
00402BF9 |. 5E pop esi
00402BFA |. 8BE5 mov esp, ebp
00402BFC |. 5D pop ebp
00402BFD \. C2 0800 retn 8

CALL that multiplies two 8-digit values, stepped into with F7

005580F0 /$ 8B4424 08 mov eax, dword ptr [esp+8]
005580F4 |. 8B4C24 10 mov ecx, dword ptr [esp+10]
005580F8 |. 0BC8 or ecx, eax
005580FA |. 8B4C24 0C mov ecx, dword ptr [esp+C] ; the first 8 digits of the fake serial
005580FE |. 75 09 jnz short 00558109 ; taken only when the OR above is non-zero; not taken here
00558100 |. 8B4424 04 mov eax, dword ptr [esp+4]
00558104 |. F7E1 mul ecx ; multiplied by the last 8 digits of the fake serial; the 16-digit result is left in EAX and EDX
00558106 |. C2 1000 retn 10
00558109 |> 53 push ebx
0055810A |. F7E1 mul ecx
0055810C |. 8BD8 mov ebx, eax
0055810E |. 8B4424 08 mov eax, dword ptr [esp+8]
00558112 |. F76424 14 mul dword ptr [esp+14]
00558116 |. 03D8 add ebx, eax
00558118 |. 8B4424 08 mov eax, dword ptr [esp+8]
0055811C |. F7E1 mul ecx
0055811E |. 03D3 add edx, ebx
00558120 |. 5B pop ebx
00558121 \.
C2 1000 retn 10

Algorithm B

004031CA /$ 55 push ebp
004031CB |. 8BEC mov ebp, esp
004031CD |. 6A FF push -1
004031CF |. 68 C2455800 push 005845C2 ; SE handler installation
004031D4 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004031DA |. 50 push eax
004031DB |. 64:8925 00000>mov dword ptr fs:[0], esp
004031E2 |. 81EC 0C030000 sub esp, 30C
004031E8 |. 56 push esi
004031E9 |. 57 push edi
004031EA |. 898D 00FDFFFF mov dword ptr [ebp-300], ecx
004031F0 |. C785 04FDFFFF>mov dword ptr [ebp-2FC], 0
004031FA |. 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
00403200 |. E8 2BEDFFFF call 00401F30
00403205 |. C745 FC 01000>mov dword ptr [ebp-4], 1
0040320C |. 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00403212 |. E8 19EDFFFF call 00401F30
00403217 |. C645 FC 02 mov byte ptr [ebp-4], 2
0040321B |. C785 C0FEFFFF>mov dword ptr [ebp-140], 0
00403225 |. 8B85 00FDFFFF mov eax, dword ptr [ebp-300]
0040322B |. 50 push eax
0040322C |. 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
00403232 |. E8 D2EDFFFF call 00402009
00403237 |> 8B4D 0C /mov ecx, dword ptr [ebp+C]
0040323A |. 51 |push ecx
0040323B |. 8D8D 5CFFFFFF |lea ecx, dword ptr [ebp-A4]
00403241 |. E8 36EDFFFF |call 00401F7C ; loop-count comparison
00403246 |. 85C0 |test eax, eax
00403248 |. 0F8C 90020000 |jl 004034DE
0040324E |. 8B95 5CFFFFFF |mov edx, dword ptr [ebp-A4]
00403254 |. 8B8495 5CFFFF>|mov eax, dword ptr [ebp+edx*4-A4]
0040325B |. 33C9 |xor ecx, ecx
0040325D |. 8945 EC |mov dword ptr [ebp-14], eax ; first 8 digits of the last group fetched for comparison
00403260 |. 894D F0 |mov dword ptr [ebp-10], ecx
00403263 |. 8B55 0C |mov edx, dword ptr [ebp+C]
00403266 |. 8B02 |mov eax, dword ptr [edx]
00403268 |. 8B4D 0C |mov ecx, dword ptr [ebp+C]
0040326B |. 8B1481 |mov edx, dword ptr [ecx+eax*4] ; fetch the first 8 digits of the fixed string
0040326E |. 33C0 |xor eax, eax
00403270 |. 8995 B8FEFFFF |mov dword ptr [ebp-148], edx
00403276 |. 8985 BCFEFFFF |mov dword ptr [ebp-144], eax
0040327C |. 8B4D 0C |mov ecx, dword ptr [ebp+C]
0040327F |. 8B95 5CFFFFFF |mov edx, dword ptr [ebp-A4]
00403285 |. 2B11 |sub edx, dword ptr [ecx] ; subtract the counts
00403287 |.
8995 C4FEFFFF |mov dword ptr [ebp-13C], edx
0040328D |. 8B45 EC |mov eax, dword ptr [ebp-14]
00403290 |. 3B85 B8FEFFFF |cmp eax, dword ptr [ebp-148] ; if equal, do not jump away
00403296 |. 75 66 |jnz short 004032FE
00403298 |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
0040329B |. 3B8D BCFEFFFF |cmp ecx, dword ptr [ebp-144]
004032A1 |. 75 5B |jnz short 004032FE
004032A3 |. 83BD C4FEFFFF>|cmp dword ptr [ebp-13C], 0
004032AA |. 75 52 |jnz short 004032FE
004032AC |. 8B55 0C |mov edx, dword ptr [ebp+C]
004032AF |. 52 |push edx
004032B0 |. 8D85 28FEFFFF |lea eax, dword ptr [ebp-1D8]
004032B6 |. 50 |push eax
004032B7 |. 8D8D 5CFFFFFF |lea ecx, dword ptr [ebp-A4]
004032BD |. E8 DBF0FFFF |call 0040239D ; if the last eight digits of the result equal the first eight digits of the fixed string, call the subtraction routine
004032C2 |. 8985 FCFCFFFF |mov dword ptr [ebp-304], eax
004032C8 |. 8B8D FCFCFFFF |mov ecx, dword ptr [ebp-304]
004032CE |. 898D F8FCFFFF |mov dword ptr [ebp-308], ecx
004032D4 |. C645 FC 03 |mov byte ptr [ebp-4], 3
004032D8 |. 8B95 F8FCFFFF |mov edx, dword ptr [ebp-308]
004032DE |. 52 |push edx
004032DF |. 8D8D 5CFFFFFF |lea ecx, dword ptr [ebp-A4]
004032E5 |. E8 1FEDFFFF |call 00402009
004032EA |. C645 FC 02 |mov byte ptr [ebp-4], 2
004032EE |. 8D8D 28FEFFFF |lea ecx, dword ptr [ebp-1D8]
004032F4 |. E8 78ECFFFF |call 00401F71
004032F9 |. E9 E0010000 |jmp 004034DE
004032FE |> 8B45 F0 |mov eax, dword ptr [ebp-10]
00403301 |. 3B85 BCFEFFFF |cmp eax, dword ptr [ebp-144]
00403307 |. 77 4E |ja short 00403357
00403309 |. 72 0B |jb short 00403316
0040330B |. 8B4D EC |mov ecx, dword ptr [ebp-14]
0040330E |. 3B8D B8FEFFFF |cmp ecx, dword ptr [ebp-148]
00403314 |. 77 41 |ja short 00403357
00403316 |> 83BD C4FEFFFF>|cmp dword ptr [ebp-13C], 0
0040331D |. 74 38 |je short 00403357
0040331F |. 8B95 C4FEFFFF |mov edx, dword ptr [ebp-13C]
00403325 |. 83EA 01 |sub edx, 1
00403328 |. 8995 C4FEFFFF |mov dword ptr [ebp-13C], edx
0040332E |. B9 20000000 |mov ecx, 20
00403333 |. 8B45 EC |mov eax, dword ptr [ebp-14]
00403336 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00403339 |. E8 624E1500 |call 005581A0
0040333E |. 8B8D 5CFFFFFF |mov ecx, dword ptr [ebp-A4]
00403344 |. 8B8C8D 58FFFF>|mov ecx, dword ptr [ebp+ecx*4-A8]
0040334B |. 33F6 |xor esi, esi
0040334D |. 03C1 |add eax, ecx
0040334F |. 13D6 |adc edx, esi
00403351 |. 8945 EC |mov dword ptr [ebp-14], eax
00403354 |. 8955 F0 |mov dword ptr [ebp-10], edx
00403357 |> 8B95 B8FEFFFF |mov edx, dword ptr [ebp-148]
0040335D |. 83C2 01 |add edx, 1 ; first eight digits of the fixed string plus 1
00403360 |. 8B85 BCFEFFFF |mov eax, dword ptr [ebp-144]
00403366 |. 83D0 00 |adc eax, 0
00403369 |. 50 |push eax
0040336A |. 52 |push edx
0040336B |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
0040336E |. 51 |push ecx
0040336F |. 8B55 EC |mov edx, dword ptr [ebp-14]
00403372 |. 52 |push edx
00403373 |. E8 B84D1500 |call 00558130 ; quotient algorithm CALL, step in with F7
00403378 |. 8945 EC |mov dword ptr [ebp-14], eax
0040337B |. 8955 F0 |mov dword ptr [ebp-10], edx
0040337E |. 8B45 F0 |mov eax, dword ptr [ebp-10]
00403381 |. 50 |push eax
00403382 |. 8B4D EC |mov ecx, dword ptr [ebp-14]
00403385 |. 51 |push ecx
00403386 |. 8D8D C8FEFFFF |lea ecx, dword ptr [ebp-138]
0040338C |. E8 C1ECFFFF |call 00402052
00403391 |. 8D95 C8FEFFFF |lea edx, dword ptr [ebp-138]
00403397 |. 52 |push edx
00403398 |. 8D85 98FDFFFF |lea eax, dword ptr [ebp-268]
0040339E |. 50 |push eax
0040339F |. 8B4D 0C |mov ecx, dword ptr [ebp+C]
004033A2 |. E8 0EF4FFFF |call 004027B5 ; CALL that computes with the quotient above, step in with F7
004033A7 |. 8985 F4FCFFFF |mov dword ptr [ebp-30C], eax
004033AD |. 8B8D F4FCFFFF |mov ecx, dword ptr [ebp-30C]
004033B3 |. 898D F0FCFFFF |mov dword ptr [ebp-310], ecx
004033B9 |. C645 FC 04 |mov byte ptr [ebp-4], 4
004033BD |. 8B95 F0FCFFFF |mov edx, dword ptr [ebp-310]
004033C3 |. 52 |push edx
004033C4 |. 8D8D C8FEFFFF |lea ecx, dword ptr [ebp-138]
004033CA |. E8 3AECFFFF |call 00402009
004033CF |. C645 FC 02 |mov byte ptr [ebp-4], 2
004033D3 |. 8D8D 98FDFFFF |lea ecx, dword ptr [ebp-268]
004033D9 |. E8 93EBFFFF |call 00401F71
004033DE |. 83BD C4FEFFFF>|cmp dword ptr [ebp-13C], 0 ; check whether the flag is 0
004033E5 |. 0F84 9E000000 |je 00403489 ; jump to the computation below
004033EB |. 8B85 C8FEFFFF |mov eax, dword ptr [ebp-138]
004033F1 |. 0385 C4FEFFFF |add eax, dword ptr [ebp-13C]
004033F7 |. 8985 C8FEFFFF |mov dword ptr [ebp-138], eax
004033FD |. 8B8D C8FEFFFF |mov ecx, dword ptr [ebp-138]
00403403 |. 83E9 01 |sub ecx, 1
00403406 |. 898D 58FFFFFF |mov dword ptr [ebp-A8], ecx
0040340C |. EB 0F |jmp short 0040341D
0040340E |> 8B95 58FFFFFF |/mov edx, dword ptr [ebp-A8]
00403414 |. 83EA 01 ||sub edx, 1
00403417 |. 8995 58FFFFFF ||mov dword ptr [ebp-A8], edx
0040341D |> 8B85 58FFFFFF | mov eax, dword ptr [ebp-A8]
00403423 |. 3B85 C4FEFFFF ||cmp eax, dword ptr [ebp-13C]
00403429 |. 72 22 ||jb short 0040344D
0040342B |. 8B8D 58FFFFFF ||mov ecx, dword ptr [ebp-A8]
00403431 |. 2B8D C4FEFFFF ||sub ecx, dword ptr [ebp-13C]
00403437 |. 8B95 58FFFFFF ||mov edx, dword ptr [ebp-A8]
0040343D |. 8B848D CCFEFF>||mov eax, dword ptr [ebp+ecx*4-134]
00403444 |. 898495 CCFEFF>||mov dword ptr [ebp+edx*4-134], eax
0040344B |.^ EB C1 |\jmp short 0040340E
0040344D |> C785 58FFFFFF>|mov dword ptr [ebp-A8], 0
00403457 |. EB 0F |jmp short 00403468
00403459 |> 8B8D 58FFFFFF |/mov ecx, dword ptr [ebp-A8]
0040345F |. 83C1 01 ||add ecx, 1
00403462 |. 898D 58FFFFFF ||mov dword ptr [ebp-A8], ecx
00403468 |> 8B95 58FFFFFF | mov edx, dword ptr [ebp-A8]
0040346E |. 3B95 C4FEFFFF ||cmp edx, dword ptr [ebp-13C]
00403474 |. 73 13 ||jnb short 00403489
00403476 |. 8B85 58FFFFFF ||mov eax, dword ptr [ebp-A8]
0040347C |. C78485 CCFEFF>||mov dword ptr [ebp+eax*4-134], 0
00403487 |.^ EB D0 |\jmp short 00403459
00403489 |> 8D8D C8FEFFFF |lea ecx, dword ptr [ebp-138]
0040348F |. 51 |push ecx
00403490 |. 8D95 08FDFFFF |lea edx, dword ptr [ebp-2F8]
00403496 |. 52 |push edx
00403497 |. 8D8D 5CFFFFFF |lea ecx, dword ptr [ebp-A4]
0040349D |. E8 FBEEFFFF |call 0040239D ; the final subtraction step of each loop iteration, step in with F7
004034A2 |. 8985 ECFCFFFF |mov dword ptr [ebp-314], eax
004034A8 |. 8B85 ECFCFFFF |mov eax, dword ptr [ebp-314]
004034AE |. 8985 E8FCFFFF |mov dword ptr [ebp-318], eax
004034B4 |. C645 FC 05 |mov byte ptr [ebp-4], 5
004034B8 |. 8B8D E8FCFFFF |mov ecx, dword ptr [ebp-318]
004034BE |. 51 |push ecx
004034BF |. 8D8D 5CFFFFFF |lea ecx, dword ptr [ebp-A4]
004034C5 |. E8 3FEBFFFF |call 00402009
004034CA |. C645 FC 02 |mov byte ptr [ebp-4], 2
004034CE |. 8D8D 08FDFFFF |lea ecx, dword ptr [ebp-2F8]
004034D4 |. E8 98EAFFFF |call 00401F71
004034D9 |.^ E9 59FDFFFF \jmp 00403237
004034DE |> B9 24000000 mov ecx, 24
004034E3 |. 8DB5 5CFFFFFF lea esi, dword ptr [ebp-A4]
004034E9 |. 8B7D 08 mov edi, dword ptr [ebp+8]
004034EC |. F3:A5 rep movs dword ptr es:[edi], dword p>
004034EE |. 8B95 04FDFFFF mov edx, dword ptr [ebp-2FC]
004034F4 |. 83CA 01 or edx, 1
004034F7 |. 8995 04FDFFFF mov dword ptr [ebp-2FC], edx
004034FD |. C645 FC 01 mov byte ptr [ebp-4], 1
00403501 |. 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00403507 |. E8 65EAFFFF call 00401F71
0040350C |. C645 FC 00 mov byte ptr [ebp-4], 0
00403510 |. 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
00403516 |. E8 56EAFFFF call 00401F71
0040351B |. 8B45 08 mov eax, dword ptr [ebp+8]
0040351E |. 8B4D F4 mov ecx, dword ptr [ebp-C]
00403521 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00403528 |. 5F pop edi
00403529 |. 5E pop esi
0040352A |. 8BE5 mov esp, ebp
0040352C |. 5D pop ebp ; 01651FEC
0040352D \. C2 0800 retn 8

Quotient algorithm CALL, stepped into with F7:

00558130 /$ 53 push ebx
00558131 |. 56 push esi
00558132 |. 8B4424 18 mov eax, dword ptr [esp+18]
00558136 |. 0BC0 or eax, eax ; if the OR result is non-zero, jump out
00558138 |. 75 18 jnz short 00558152
0055813A |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; first eight digits of the fixed string plus 1: "9F17F275"
0055813E |. 8B4424 10 mov eax, dword ptr [esp+10] ; second-to-last eight-digit group of the computed result
00558142 |. 33D2 xor edx, edx
00558144 |. F7F1 div ecx
00558146 |. 8BD8 mov ebx, eax
00558148 |. 8B4424 0C mov eax, dword ptr [esp+C] ; last eight-digit group of the computed result
0055814C |. F7F1 div ecx ; the two together form a sixteen-digit dividend, divided by 9F17F275 to get the quotient
0055814E |. 8BD3 mov edx, ebx
00558150 |. EB 41 jmp short 00558193
00558152 |> 8BC8 mov ecx, eax
00558154 |. 8B5C24 14 mov ebx, dword ptr [esp+14]
00558158 |. 8B5424 10 mov edx, dword ptr [esp+10]
0055815C |. 8B4424 0C mov eax, dword ptr [esp+C]
00558160 |> D1E9 /shr ecx, 1
00558162 |. D1DB |rcr ebx, 1
00558164 |. D1EA |shr edx, 1
00558166 |. D1D8 |rcr eax, 1
00558168 |. 0BC9 |or ecx, ecx
0055816A |.^ 75 F4 \jnz short 00558160
0055816C |. F7F3 div ebx
0055816E |. 8BF0 mov esi, eax
00558170 |. F76424 18 mul dword ptr [esp+18]
00558174 |. 8BC8 mov ecx, eax
00558176 |. 8B4424 14 mov eax, dword ptr [esp+14]
0055817A |. F7E6 mul esi
0055817C |. 03D1 add edx, ecx
0055817E |. 72 0E jb short 0055818E
00558180 |. 3B5424 10 cmp edx, dword ptr [esp+10]
00558184 |. 77 08 ja short 0055818E
00558186 |. 72 07 jb short 0055818F
00558188 |. 3B4424 0C cmp eax, dword ptr [esp+C]
0055818C |. 76 01 jbe short 0055818F
0055818E |> 4E dec esi
0055818F |> 33D2 xor edx, edx
00558191 |. 8BC6 mov eax, esi
00558193 |> 5E pop esi
00558194 |. 5B pop ebx
00558195 \. C2 1000 retn 10

CALL that computes with the quotient above, stepped into with F7:

004027B5 /$ 55 push ebp
004027B6 |. 8BEC mov ebp, esp
004027B8 |. 6A FF push -1
004027BA |. 68 8A445800 push 0058448A ; SE handler installation
004027BF |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004027C5 |. 50 push eax
004027C6 |. 64:8925 00000>mov dword ptr fs:[0], esp
004027CD |. 81EC B8000000 sub esp, 0B8
004027D3 |. 56 push esi
004027D4 |. 57 push edi
004027D5 |. 898D 3CFFFFFF mov dword ptr [ebp-C4], ecx
004027DB |. C785 40FFFFFF>mov dword ptr [ebp-C0], 0
004027E5 |. 8B45 0C mov eax, dword ptr [ebp+C]
004027E8 |. 8338 01 cmp dword ptr [eax], 1 ; check whether the flag value at this address is 1
004027EB |. 75 2D jnz short 0040281A ; not 1: jump away
004027ED |. 8B4D 0C mov ecx, dword ptr [ebp+C]
004027F0 |. 8B51 04 mov edx, dword ptr [ecx+4]
004027F3 |. 52 push edx
004027F4 |. 8B45 08 mov eax, dword ptr [ebp+8]
004027F7 |. 50 push eax
004027F8 |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
004027FE |. E8 7E020000 call 00402A81 ; the quotient computed above enters the calculation, same as Algorithm A
00402803 |. 8B8D 40FFFFFF mov ecx, dword ptr [ebp-C0]
00402809 |. 83C9 01 or ecx, 1
0040280C |. 898D 40FFFFFF mov dword ptr [ebp-C0], ecx
00402812 |. 8B45 08 mov eax, dword ptr [ebp+8]
00402815 |. E9 55020000 jmp 00402A6F ; computation finished, jump out
0040281A |> 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
00402820 |. E8 0BF7FFFF call 00401F30 ; part of the code below is not used and has been omitted
00402825 |. C785 4CFFFFFF>mov dword ptr [ebp-B4], 0
0040282F |. C785 50FFFFFF>mov dword ptr [ebp-B0], 0
00402839 |. C785 44FFFFFF>mov dword ptr [ebp-BC], 0
00402843 |. C785 48FFFFFF>mov dword ptr [ebp-B8], 0
0040284D |. 8B95 3CFFFFFF mov edx, dword ptr [ebp-C4]
00402853 |. 8B02 mov eax, dword ptr [edx]
....................................(a section of code omitted)
00402A61 |. 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
00402A67 |. E8 05F5FFFF call 00401F71
00402A6C |. 8B45 08 mov eax, dword ptr [ebp+8]
00402A6F |> 8B4D F4 mov ecx, dword ptr [ebp-C]
00402A72 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00402A79 |. 5F pop edi
00402A7A |. 5E pop esi
00402A7B |. 8BE5 mov esp, ebp
00402A7D |. 5D pop ebp
00402A7E \. C2 0800 retn 8

CALL for the final subtraction step of each loop iteration, stepped into with F7:

0040239D /$ 55 push ebp
0040239E |. 8BEC mov ebp, esp
004023A0 |. 6A FF push -1
004023A2 |. 68 36445800 push 00584436 ; SE handler installation
004023A7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004023AD |. 50 push eax
004023AE |. 64:8925 00000>mov dword ptr fs:[0], esp
004023B5 |. 81EC A8000000 sub esp, 0A8
004023BB |. 56 push esi
004023BC |. 57 push edi
004023BD |. 898D 4CFFFFFF mov dword ptr [ebp-B4], ecx
004023C3 |. C785 50FFFFFF>mov dword ptr [ebp-B0], 0
004023CD |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
004023D3 |. E8 58FBFFFF call 00401F30
004023D8 |. C745 FC 01000>mov dword ptr [ebp-4], 1
004023DF |. 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
004023E5 |. 50 push eax
004023E6 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
004023EC |. E8 18FCFFFF call 00402009
004023F1 |. 8B4D 0C mov ecx, dword ptr [ebp+C]
004023F4 |. 51 push ecx
004023F5 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
004023FB |. E8 7CFBFFFF call 00401F7C
00402400 |. 85C0 test eax, eax
00402402 |. 7F 45 jg short 00402449
00402404 |. 6A 00 push 0
00402406 |. 6A 00 push 0
00402408 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
0040240E |. E8 3FFCFFFF call 00402052
00402413 |. B9 24000000 mov ecx, 24
00402418 |. 8DB5 64FFFFFF lea esi, dword ptr [ebp-9C]
0040241E |. 8B7D 08 mov edi, dword ptr [ebp+8]
00402421 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00402423 |. 8B95 50FFFFFF mov edx, dword ptr [ebp-B0]
00402429 |. 83CA 01 or edx, 1
0040242C |. 8995 50FFFFFF mov dword ptr [ebp-B0], edx
00402432 |. C645 FC 00 mov byte ptr [ebp-4], 0
00402436 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
0040243C |. E8 30FBFFFF call 00401F71
00402441 |. 8B45 08 mov eax, dword ptr [ebp+8]
00402444 |. E9 79010000 jmp 004025C2
00402449 |> C785 5CFFFFFF>mov dword ptr [ebp-A4], 0
00402453 |. C785 60FFFFFF>mov dword ptr [ebp-A0], 0
0040245D |. EB 0F jmp short 0040246E
0040245F |> 8B85 60FFFFFF /mov eax, dword ptr [ebp-A0]
00402465 |. 83C0 01 |add eax, 1
00402468 |. 8985 60FFFFFF |mov dword ptr [ebp-A0], eax
0040246E |> 8B8D 4CFFFFFF mov ecx, dword ptr [ebp-B4]
00402474 |. 8B95 60FFFFFF |mov edx, dword ptr [ebp-A0]
0040247A |. 3B11 |cmp edx, dword ptr [ecx] ; loop count 11h
0040247C |. 0F83 EE000000 |jnb 00402570
00402482 |. 8B85 60FFFFFF |mov eax, dword ptr [ebp-A0]
00402488 |. 8B8D 4CFFFFFF |mov ecx, dword ptr [ebp-B4]
0040248E |. 8B95 60FFFFFF |mov edx, dword ptr [ebp-A0]
00402494 |. 8B75 0C |mov esi, dword ptr [ebp+C]
00402497 |. 8B4481 04 |mov eax, dword ptr [ecx+eax*4+4] ; fetch the result computed by loop A
0040249B |. 3B4496 04 |cmp eax, dword ptr [esi+edx*4+4] ; fetch the result computed from the quotient and compare magnitudes
0040249F 77 28 ja short 004024C9 ; if greater, jump to the subtraction, which also subtracts the borrow
004024A1 |. 8B8D 60FFFFFF |mov ecx, dword ptr [ebp-A0]
004024A7 |. 8B95 4CFFFFFF |mov edx, dword ptr [ebp-B4]
004024AD |. 8B85 60FFFFFF |mov eax, dword ptr [ebp-A0]
004024B3 |. 8B75 0C |mov esi, dword ptr [ebp+C]
004024B6 |. 8B4C8A 04 |mov ecx, dword ptr [edx+ecx*4+4] ; compare for the next number whether there is a borrow
004024BA |. 3B4C86 04 |cmp ecx, dword ptr [esi+eax*4+4]
004024BE |. 75 45 |jnz short 00402505
004024C0 |. 83BD 5CFFFFFF>|cmp dword ptr [ebp-A4], 0
004024C7 |. 75 3C |jnz short 00402505
004024C9 |> 8B95 60FFFFFF |mov edx, dword ptr [ebp-A0]
004024CF |. 8B85 4CFFFFFF |mov eax, dword ptr [ebp-B4]
004024D5 |. 8B4C90 04 |mov ecx, dword ptr [eax+edx*4+4]
004024D9 |. 2B8D 5CFFFFFF |sub ecx, dword ptr [ebp-A4]
004024DF |. 8B95 60FFFFFF |mov edx, dword ptr [ebp-A0]
004024E5 |. 8B45 0C |mov eax, dword ptr [ebp+C]
004024E8 |. 2B4C90 04 |sub ecx, dword ptr [eax+edx*4+4] ; subtract the results
004024EC |. 8B95 60FFFFFF |mov edx, dword ptr [ebp-A0]
004024F2 |. 898C95 68FFFF>|mov dword ptr [ebp+edx*4-98], ecx ; store the result
004024F9 |. C785 5CFFFFFF>|mov dword ptr [ebp-A4], 0
00402503 |. EB 66 |jmp short 0040256B
00402505 |> 8B85 60FFFFFF |mov eax, dword ptr [ebp-A0]
0040250B |. 8B8D 4CFFFFFF |mov ecx, dword ptr [ebp-B4]
00402511 |. 8B5481 04 |mov edx, dword ptr [ecx+eax*4+4]
00402515 |. 33C0 |xor eax, eax
00402517 |. 83C2 00 |add edx, 0
0040251A |. 83D0 01 |adc eax, 1 ; carry plus 1
0040251D |. 8995 54FFFFFF |mov dword ptr [ebp-AC], edx
00402523 |. 8985 58FFFFFF |mov dword ptr [ebp-A8], eax
00402529 |. 8B8D 5CFFFFFF |mov ecx, dword ptr [ebp-A4]
0040252F |. 33D2 |xor edx, edx
00402531 |. 8B85 54FFFFFF |mov eax, dword ptr [ebp-AC]
00402537 |. 2BC1 |sub eax, ecx
00402539 |. 8B8D 58FFFFFF |mov ecx, dword ptr [ebp-A8]
0040253F |. 1BCA |sbb ecx, edx
00402541 |. 8B95 60FFFFFF |mov edx, dword ptr [ebp-A0]
00402547 |. 8B75 0C |mov esi, dword ptr [ebp+C]
0040254A |. 8B5496 04 |mov edx, dword ptr [esi+edx*4+4]
0040254E |. 33F6 |xor esi, esi
00402550 |. 2BC2 |sub eax, edx ; subtract the results
00402552 |. 1BCE |sbb ecx, esi ; subtract the borrow
00402554 |. 8B8D 60FFFFFF |mov ecx, dword ptr [ebp-A0]
0040255A |. 89848D 68FFFF>|mov dword ptr [ebp+ecx*4-98], eax
00402561 |. C785 5CFFFFFF>|mov dword ptr [ebp-A4], 1
0040256B |>^ E9 EFFEFFFF \jmp 0040245F ; continue the loop
00402570 |> 8B95 64FFFFFF /mov edx, dword ptr [ebp-9C]
00402576 |. 83BC95 64FFFF>|cmp dword ptr [ebp+edx*4-9C], 0
0040257E |. 75 11 |jnz short 00402591
00402580 |. 8B85 64FFFFFF |mov eax, dword ptr [ebp-9C]
00402586 |. 83E8 01 |sub eax, 1
00402589 |. 8985 64FFFFFF |mov dword ptr [ebp-9C], eax
0040258F |.^ EB DF \jmp short 00402570
00402591 |> B9 24000000 mov ecx, 24
00402596 |. 8DB5 64FFFFFF lea esi, dword ptr [ebp-9C]
0040259C |. 8B7D 08 mov edi, dword ptr [ebp+8]
0040259F |. F3:A5 rep movs dword ptr es:[edi], dword p>
004025A1 |. 8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
004025A7 |. 83C9 01 or ecx, 1
004025AA |. 898D 50FFFFFF mov dword ptr [ebp-B0], ecx
004025B0 |. C645 FC 00 mov byte ptr [ebp-4], 0
004025B4 |. 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
004025BA |. E8 B2F9FFFF call 00401F71
004025BF |. 8B45 08 mov eax, dword ptr [ebp+8]
004025C2 |> 8B4D F4 mov ecx, dword ptr [ebp-C]
004025C5 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004025CC |. 5F pop edi
004025CD |. 5E pop esi
004025CE |. 8BE5 mov esp, ebp
004025D0 |. 5D pop ebp
004025D1 \. C2 0800 retn 8

For those who want to patch, see below: every string-verification comparison uses this CALL, and the call sites all look alike, so anyone who wants to patch can use search to find all the patch points.

004FB436 |. E8 2AD30500 call 00558765
004FB43B |. 83C4 08 add esp, 8
004FB43E |. 8985 D0F7FFFF mov dword ptr [ebp-830], eax
004FB444 |. 33D2 xor edx, edx
004FB446 |. 83BD D0F7FFFF>cmp dword ptr [ebp-830], 0
004FB44D |. 0F94C2 sete dl
004FB450 |. 81E2 FF000000 and edx, 0FF
004FB456 |. 85D2 test edx, edx
004FB458 |. 74 42 je short 004FB49C

Stepping in: it cannot be patched inside this routine, because strings for other functions are also verified here, and patching it causes errors.

00558765 /$ 8B5424 04 mov edx, dword ptr [esp+4]
00558769 |. 56 push esi
0055876A |. 8B7424 0C mov esi, dword ptr [esp+C]
0055876E |. 57 push edi
0055876F |. 66:8B0E mov cx, word ptr [esi]
00558772 |> 0FB702 /movzx eax, word ptr [edx]
00558775 |. 0FB7F9 |movzx edi, cx
00558778 |. 2BC7 |sub eax, edi
0055877A 75 0E jnz short 0055878A
0055877C |. 66:85C9 |test cx, cx
0055877F |. 74 09 |je short 0055878A
00558781 |. 42 |inc edx
00558782 |. 42 |inc edx
00558783 |. 46 |inc esi
00558784 |. 46 |inc esi
00558785 |. 66:8B0E |mov cx, word ptr [esi]
00558788 |.^ EB E8 \jmp short 00558772
0055878A |> 5F pop edi
0055878B |. 5E pop esi
0055878C |. 85C0 test eax, eax
0055878E |. 7D 04 jge short 00558794
00558790 |. 83C8 FF or eax, FFFFFFFF
00558793 |. C3 retn
00558794 |> 7E 03 jle short 00558799
00558796 |. 6A 01 push 1
00558798 |. 58 pop eax
00558799 \> C3 retn

Algorithm summary

This software uses an algorithm on astronomically large numbers, so writing the keygen in a high-level language is hard: a single loop takes more than twenty seconds, which makes brute-forcing a serial very difficult. Calling ASM from DELPHI should be much simpler and considerably faster. Now for the algorithm in detail (note that everything below is in hexadecimal):

The calculation uses two fixed string constants:
116AB, called U
9F17F274FE7C95F89ADB8238CC24B60428F4C292EF4E22403729AFB78E46180957876B2D88363B2B7502A5B43187A44518D46A61D72B94188E4FF4B67CF5C811, called V

The registration code must be 78h to 82h digits long; I use only 80h digits, with characters between 0 and F. Testing on several computers shows that it does not depend on the machine ID, and the fixed strings do not change either.

First loop stage, M1

1. First part, Algorithm A: take the first eight-digit group of the registration code and multiply it by each eight-digit group in turn, starting from the last one, which gives sixteen sixteen-digit numbers. Add the high eight digits of each sixteen-digit number to the low eight digits of the next one (a carry must be added into the next group's calculation). This gives sixteen numbers, which are finally normalized into eight-digit strings for use in the calculations below.

2. Second part, Algorithm B

B1. Choosing the dividend for the quotient: compare the last group X computed above with "9F17F275". If X is larger, use X as the dividend and divide by "9F17F275" to get the quotient Y; multiply Y by each eight-digit group of the fixed string V, starting from its last eight digits, processing as in Algorithm A, and save the result as W. If X is smaller, take the last sixteen-digit number computed by Algorithm A, use its last eight digits and first eight digits as a new sixteen-digit dividend, and divide by "9F17F275" to get the quotient Z; multiply Z by each eight-digit group of V, starting from its last eight digits, processing as in Algorithm A, and save the result.

B2. The results of Algorithm B and of Algorithm A are subtracted group by group (a borrow must be carried into the next group's calculation).

B3. Check whether the dividend is longer than 8 digits. If it is, go straight to the second loop stage. If it is 8 digits or fewer, combine the last eight digits of W from B1 with the last eight digits of the B2 result into a sixteen-digit dividend, divide by "9F17F275" to get the quotient, do the same operations as in the X-smaller case of B1, and then apply B2 to the result. That ends the first loop stage.

Second loop stage, M2 (F iterations this time)

1. Take the last eight digits of the previous loop's result and multiply by each eight-digit group of the registration code, starting from its last eight digits, processing as in Algorithm A.
2. Add the result above, group by group, to the final result of the first loop stage (this is where it differs from the first loop stage).
3. Apply the same operations as Algorithm B above.
4. Finally, compare the last eight-digit group of the result above with 9F17F274. Note that when they are equal, the eight-digit groups of the fixed string V, starting from its last eight digits, must also be subtracted from the corresponding groups of the result, starting from its last eight digits.

The final result, with the order of its eight-digit groups reversed, is called R and is the input to the next round. These two loop stages together are called M, and the stages themselves M1 and M2. (In the software there are actually two large loops, M and N, but the second one, N, is similar to M and differs only in its inputs, so I describe it through the input rules below.)

How the inputs differ between loops:

Case 1: when the small string U, shifted right by F in turn and ANDed with 1, gives 0, run the M loop. In this second round, Algorithm A in M1 multiplies the first eight digits of R by each group of the registration code, starting from its last eight digits; M2 takes its inputs the same way.

Case 2: when the small string U, shifted right by F in turn and ANDed with 1, gives 1, run the N loop. In its first round, Algorithm A in M1 multiplies the first eight digits of R by each group of R, starting from its last eight digits; M2 takes its inputs the same way, and the loop is run twice in succession.

Termination: keep looping this way until the right-shift count for U is 0 and the result ANDed with 1 is 1; once that N loop completes, the process ends.

The overall result is L. The last digit of L's length must be 0, and its first six digits must be 525741 (that is, RWA). A registration code SN that satisfies this brings up the registration-success dialog and displays "Registered".

However, hidden checks run when the repair function is used, and the repair fails. Tracing shows that the result L must also satisfy the following conditions: digits 15 and 16 are 4C (L), and digits 21 and 22 are 49 (I), i.e.
525741########4C####49#########..... (the last digit of the length must be 0)

An SN that meets the conditions above is a genuine code. On success, a REG.INI registration file is created in the installation folder; deleting it returns the program to the trial version.
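The quotient routine at 00558130 has the shape of the helper a 32-bit compiler emits for unsigned 64-bit division: one path for a divisor that fits in 32 bits, and a shift, estimate and correct path otherwise. The C below is an added illustration, not code from the original post or from the program; it follows that control flow with 32-bit steps, and div64_by_parts and count_mismatches are names chosen here.

```c
#include <stdint.h>

/* Added illustration: unsigned 64/64 division built from 32-bit steps,
   following the control flow of the routine at 00558130. Argument order
   matches the stack slots [esp+C], [esp+10], [esp+14], [esp+18]. */
uint64_t div64_by_parts(uint32_t dvd_lo, uint32_t dvd_hi,
                        uint32_t dvs_lo, uint32_t dvs_hi)
{
    if (dvs_hi == 0) {                     /* or eax, eax / jnz not taken */
        if (dvs_lo == 0) return 0;         /* the x86 div would fault here */
        uint32_t q_hi = dvd_hi / dvs_lo;   /* first div: high quotient word */
        uint64_t rest = ((uint64_t)(dvd_hi % dvs_lo) << 32) | dvd_lo;
        return ((uint64_t)q_hi << 32) | (uint32_t)(rest / dvs_lo);
    }
    /* shr/rcr loop: shift both operands until the divisor fits 32 bits */
    uint32_t c = dvs_hi, b = dvs_lo, d = dvd_hi, a = dvd_lo;
    do {
        b = (b >> 1) | (c << 31);  c >>= 1;
        a = (a >> 1) | (d << 31);  d >>= 1;
    } while (c != 0);
    /* div ebx: the estimate is either exact or one too large */
    uint32_t q = (uint32_t)((((uint64_t)d << 32) | a) / b);
    /* multiply back (mul, mul, add) and compare with the dividend */
    uint32_t cross = q * dvs_hi;           /* always fits in 32 bits */
    uint64_t low = (uint64_t)dvs_lo * q;
    uint32_t p_lo = (uint32_t)low;
    uint32_t p_hi = (uint32_t)(low >> 32) + cross;
    if (p_hi < cross                       /* jb: carry out of the add */
        || p_hi > dvd_hi
        || (p_hi == dvd_hi && p_lo > dvd_lo))
        q--;                               /* dec esi */
    return q;                              /* xor edx, edx: high word is 0 */
}

/* Constructed check: compare with native 64-bit division on pseudo-random
   operands (xorshift64; the seed is arbitrary). Returns the mismatch count. */
int count_mismatches(int rounds)
{
    uint64_t s = 0x9E3779B97F4A7C15ULL;
    int bad = 0;
    for (int i = 0; i < rounds; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        uint64_t n = s;
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        uint64_t dv = s >> (i % 48);       /* vary the divisor width */
        if (dv == 0) continue;
        uint64_t got = div64_by_parts((uint32_t)n, (uint32_t)(n >> 32),
                                      (uint32_t)dv, (uint32_t)(dv >> 32));
        if (got != n / dv) bad++;
    }
    return bad;
}
```

With the divisor 9F17F275 from the listing the high word is zero, so only the first path runs there.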
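The keygen source written in VB is too long, so it is in the attachment; if the algorithm as I described it above is unclear, refer to the source (the loops are complex and easy to mix up). To stress: the keygen works in theory, but brute-forcing a serial takes too long, so it is unsatisfactory and for reference only! When I have time I will rewrite it with inline ASM and post it; anyone interested is welcome to contribute one!

For now, here is one usable registration code (independent of the machine ID):
67C46F5829C4500AFD10BE352C690101B3EC2B4F3AAAFF2A582BFAC99FF93A1328AD56C97F460995723C145FB02673AE3E6DB9DFDE5CC833E9ABC01E23F2571E

Running this registration code through the loops above gives the following final result, which meets the requirements, so registration succeeds:
525741313935314C31324933304B3939414144333038353231414145434F524539344531344441384431413434373934 (60h digits)
As characters: RWA1951L12I30K99AAD308521AAECORE94E14DA8D1A44794

--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the Kanxue (看雪) technical forum. When reposting, please credit the author and keep the article intact. Thank you!
March 25, 2012 13:58:31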