A Newbie's Introduction to Cracking: Algorithm Analysis

[Software name]: Pascal Analyzer 3.0
[Software size]: 3M
[Software intro]: Visited its website the other day; the thing has been bumped to 3.2.
[Software limitations]:
[Cracking statement]: I'm a beginner at cracking, doing this purely out of interest, with no other purpose. Masters, please correct my mistakes!
[Cracking tools]: windows2003, flyodbg, peid

———————————————————————————————————————————
[Cracking process]:

To live up to the kind attention of the masters, I've been cramming ASM lately, hoping to finally understand the algorithms that used to leave me dizzy; several colleagues exclaimed "not bad, not bad, the kid is learning English now". It got me itching, so I dug a program out of a corner of my hard disk, installed it and had a look: a Pascal language analyzer (downloaded a while back when I wanted to learn Delphi). Checked it with peid and, hey, no packer at all. If you don't go to hell, who will? I picked up my sharp blade OD and attacked it furiously; a few hours later I was lost again. Nothing for it but to cram ASM once more (if I don't go to hell, who will?~~~~~.......). When I picked up the knife again, OD felt a good deal sharper...... Thanks to the author of OD, thanks to the seniors who improved OD........ thanks to God for my good luck.... and thanks to everyone for watching and supporting!

Enough chatter; here is the detailed process, for fellow newbies to study and improve together:
Try registering (name: scxtb; company: www.pediy.com, please forgive me, brother Kanxue, a newbie with no school of his own borrowing the name; key: 7878). An error appears: wrong key (7878). So there are two approaches: 1. search for "wrong key"; 2. break on messagebox. 1. search for "wrong key": failed!
2. set a breakpoint: bp messageboxA; after it breaks, ctrl+F9 to return:
004B63A3   |.  50        push eax                              ; |Text
004B63A4   |.  53        push ebx                              ; |hOwner
004B63A5   |.  E8 5E37F5>call <jmp.&user32.MessageBoxA>        ; \MessageBoxA
004B63AA   |.  5F        pop edi                               ;  0006E83C     <<<----- returns here!
004B63AB   |.  5E        pop esi

<<<<<<<<<<<<<<<<<<< Things I covered in my previous crack write-up are kept brief here. >>>>>>>>>>>>>>>>>>>>>>
Looking upward, there's no cmp and no jmp, so we have to return one level up. Click the first instruction of this call (at 004B6384): it says there are 7 call sites. Check the stack to see where we came from.

004B6384   /$  55        push ebp      <<<----- called from many places
004B6385   |.  8BEC      mov ebp,esp
004B6387   |.  53        push ebx

The 7 call sites:
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Local Calls from 004B893B, 004B898F, 004B8A36, 0061F114, 0063267A, 00637D53, 00637D94
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

The stack contains:
\\\\\\\\\\\\\\\\\\ stack contents \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
......
0006E674   004B8A3B   RETURN to PAL.004B8A3B from PAL.004B6384
……
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

The call nearest the return address is 004B8A36, so ctrl+G, enter 004B8A36, and we land here:

004B8A06   |.  8B55 D0       mov edx,dword ptr ss:[ebp-30]            ; |
004B8A09   |.  8D83 1C030000 lea eax,dword ptr ds:[ebx+31C]           ; |
004B8A0F   |.  59            pop ecx                                  ; |
004B8A10   |.  E8 A3F8FFFF   call PAL.004B82B8                        ; \PAL.004B82B8  <<<---- key call 1!
004B8A15   |.  84C0          test al,al
004B8A17   |.  74 09         je short PAL.004B8A22                    ;1. jumps off the building here! if only it didn't
004B8A19   |.  C683 2C030000>mov byte ptr ds:[ebx+32C],1
004B8A20   |.  EB 21         jmp short PAL.004B8A43                   ;2. this one never jumps off the building
004B8A22   |>  68 10200100   push 12010
004B8A27   |.  8BC3          mov eax,ebx
004B8A29   |.  E8 9EB8FBFF   call PAL.004742CC
004B8A2E   |.  B9 E48A4B00   mov ecx,PAL.004B8AE4                     ; |ASCII "Error"
004B8A33   |.  8B55 FC       mov edx,dword ptr ss:[ebp-4]             ; |
004B8A36   |.  E8 49D9FFFF   call PAL.004B6384                        ; \PAL.004B6384
004B8A3B   |.  33C0          xor eax,eax                              ;it has to return here, so the call above must be skipped!
004B8A3D   |.  8983 4C020000 mov dword ptr ds:[ebx+24C],eax
004B8A43   |>  33C0          xor eax,eax
004B8A45   |.  5A            pop edx
004B8A46   |.  59            pop ecx
004B8A47   |.  59            pop ecx
Clearly the call at 004B8A10 is the key call: its return value in AL decides whether we jump off the building. Let's go inside:

004B82B8   /$  55             push ebp
004B82B9   |.  8BEC           mov ebp,esp
004B82BB   |.  83C4 F8        add esp,-8
004B82BE   |.  53             push ebx
004B82BF   |.  56             push esi
004B82C0   |.  57             push edi
004B82C1   |.  8BF1           mov esi,ecx
004B82C3   |.  8BDA           mov ebx,edx
004B82C5   |.  8945 FC        mov [local.1],eax
004B82C8   |.  8B7D 14        mov edi,[arg.4]
004B82CB   |.  C645 FB 00     mov byte ptr ss:[ebp-5],0             ;<<----- 1
004B82CF   |.  B8 80616400    mov eax,PAL.00646180
004B82D4   |.  8BD3           mov edx,ebx
004B82D6   |.  E8 1DD2F4FF    call PAL.004054F8
004B82DB   |.  B8 84616400    mov eax,PAL.00646184
004B82E0   |.  8BD6           mov edx,esi
004B82E2   |.  E8 11D2F4FF    call PAL.004054F8
004B82E7   |.  B8 88616400    mov eax,PAL.00646188
004B82EC   |.  8BD7           mov edx,edi
004B82EE   |.  E8 05D2F4FF    call PAL.004054F8
004B82F3   |.  8B45 0C        mov eax,[arg.2]
004B82F6   |.  50             push eax
004B82F7   |.  8B45 08        mov eax,[arg.1]
004B82FA   |.  50             push eax
004B82FB   |.  8B45 FC        mov eax,[local.1]
004B82FE   |.  8B4D 10        mov ecx,[arg.3]
004B8301   |.  33D2           xor edx,edx
004B8303   |.  E8 C0F9FFFF    call PAL.004B7CC8                    ;<<----- key call 2!
004B8308   |.  84C0           test al,al
004B830A   |.  74 17          je short PAL.004B8323
004B830C   |.  C645 FB 01     mov byte ptr ss:[ebp-5],1            ;<<----- 2
004B8310   |.  8B45 10        mov eax,[arg.3]
004B8313   |.  50             push eax
004B8314   |.  8B45 0C        mov eax,[arg.2]
004B8317   |.  50             push eax
004B8318   |.  8BCF           mov ecx,edi
004B831A   |.  8BD6           mov edx,esi
004B831C   |.  8BC3           mov eax,ebx
004B831E   |.  E8 E5FDFFFF    call PAL.004B8108
004B8323   |>  8A45 FB        mov al,byte ptr ss:[ebp-5]          ;<<----- 3
004B8326   |.  5F             pop edi
004B8327   |.  5E             pop esi
004B8328   |.  5B             pop ebx
004B8329   |.  59             pop ecx
004B832A   |.  59             pop ecx
004B832B   |.  5D             pop ebp
004B832C   \.  C2 1000        retn 10

Looking over this call (key 1), I found another key call (key 2): its value determines the return result of key 1, so we have to go in again. I couldn't see anything promising, so I just F8'd my way through, jumping every cliff I met, groping in the dark until suddenly everything lit up; truly a bright village beyond the dark willows:
004B7EF4    .  E8 8FD0FEFF    call PAL.004A4F88               ;  key call 3!
004B7EF9    .  85C0           test eax,eax
004B7EFB    .  74 33          je short PAL.004B7F30
004B7EFD    .  8D55 90        lea edx,dword ptr ss:[ebp-70]
004B7F00    .  B8 F07F4B00    mov eax,PAL.004B7FF0
004B7F05    .  E8 0A010000    call PAL.004B8014
004B7F0A    .  FF75 90        push dword ptr ss:[ebp-70]      ;  stopped here!
004B7F0D    .  68 04804B00    push PAL.004B8004               ;  ASCII " ("

\\\\\\\\\\\ at 4B7F0A \\\\\\\\\\\\\\\\\\\\\\\\\\\
stack ss:[0006E5D0]=01EEE5D8, (ASCII "Wrong key")
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

I'd gone straight for "wrong key" with my knife and failed, yet here it came running out on its own! Stopping to analyze, it's clear that 004B7EF4 is the key call. Going inside we find the following code:
004A4F88   /$  57                push edi
004A4F89   |.  56                push esi
004A4F8A   |.  89C6              mov esi,eax
004A4F8C   |.  89D7              mov edi,edx
004A4F8E   |.  31C0              xor eax,eax
004A4F90   |.  09C9              or ecx,ecx
004A4F92   |.  74 0A             je short PAL.004A4F9E
004A4F94   |.  F3:A6             repe cmps byte ptr es:[edi],byte ptr ds:[esi] <<<--------- plaintext comparison (learned after tracing it n times)!
004A4F96   |.  74 06             je short PAL.004A4F9E
004A4F98   |.  40                inc eax
004A4F99   |.  77 03             ja short PAL.004A4F9E
004A4F9B   |.  83C8 FF           or eax,FFFFFFFF
004A4F9E   |>  5E                pop esi
004A4F9F   |.  5F                pop edi
004A4FA0   \.  C3                retn

There's no call in here and no way to jump out; looking closely, only 004A4F94 is suspicious (I was badly fooled here; I don't know how many times I traced it, and still..... in short: newbie!). Let's look at memory at this point:

\\\\\\\\\\\\\ **at 004A4F94** \\\\\\\\\\\\\\\\\\
ecx=00000008 (decimal 8.)
ds:[esi]=stack [0006E62B]=00
es:[edi]=stack [0006E633]=AC
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Clearly ecx is the counter for an 8-iteration loop, and this is the first cmp. What is "00" being compared with "AC"? The encrypted registration code against the fake code is the prime suspect! In the data window, ctrl+G to 0006E62B; see the data area below:

\\\\\\\\\\\\\\\\\\ data area at 004A4F94 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
0006E62B  00 00 00 00 00 00 00 00 AC 88 89 D3 9A D9 71 48  ……..瑘売氋qH
0006E63B  01 7C 86 20 01 64 E6 06 00 08 83 4B 00 BC E6 06   |? d?. 僈.兼
0006E64B  00 48 1D 06 01 3C E8 06 00 F0 44 46 00 60 83 20  .H   <?.餌F.`?
0006E65B  01 F0 44 46 00 7C 86 20 01 C0 E6 06 00 15 8A 4B   餌F.|? 梨 . 奒
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

The reason I was fooled is that there's no data here. Even if it weren't a plaintext comparison, my fake code should still have been placed here in some transformed form, shouldn't it? Ruthless! I forget which master said that cracking needs good luck; after n tries God gave me good luck (hence the thanks to God). I thought: isn't this exactly "AC8889D39AD97148" being compared against "0000000000000000"? I changed the key to "AC8889D39AD97148" and tried it; you can't imagine how happy I was...... Compare the same data area:
After changing the key to "AC8889D39AD97148" (compare with the dump above):

\\\\\\\\\\\\\\\\\ data area at 004A4F94 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
0006E62B  AC 88 89 D3 9A D9 71 48 AC 88 89 D3 9A D9 71 48  瑘売氋qH瑘売氋qH
0006E63B  01 7C 86 20 01 64 E6 06 00 08 83 4B 00 BC E6 06   |? d?. 僈.兼
0006E64B  00 48 1D 06 01 3C E8 06 00 F0 44 46 00 60 83 20  .H   <?.餌F.`?
0006E65B  01 F0 44 46 00 7C 86 20 01 C0 E6 06 00 15 8A 4B   餌F.|? 梨 . 奒
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Once registered successfully I lost the chance to keep analyzing the algorithm, so I had to uninstall and start over. If the author had encrypted the true code before comparing it, I might still have nothing!

My registration info:
name:scxtb
C.O.:www.pediy.com
key :AC8889D39AD97148

[Algorithm analysis]:

By tracing the two memory writes to 0006E62B and 0006E63C (F8 over each call and watch which one writes memory), I arrived at the following code:

004B7EC9    .  8B55 9C           mov edx,dword ptr ss:[ebp-64]
004B7ECC    .  8D4D F3           lea ecx,dword ptr ss:[ebp-D]
004B7ECF    .  8D45 D4           lea eax,dword ptr ss:[ebp-2C]
004B7ED2    .  E8 71C5FDFF       call PAL.00494448                    <<<-------- writes 0006E633 here!
004B7ED7    .  8D55 EB           lea edx,dword ptr ss:[ebp-15]
004B7EDA    .  B9 08000000       mov ecx,8
004B7EDF    .  A1 88616400       mov eax,dword ptr ds:[646188]
004B7EE4    .  E8 AF98FDFF       call PAL.00491798                    <<<-------- writes 0006E62B here!
call PAL.00494448:

0049437E   |.  8B4424 04         mov eax,dword ptr ss:[esp+4]
00494382   |.  8B5424 10         mov edx,dword ptr ss:[esp+10]
00494386   |.  8910              mov dword ptr ds:[eax],edx             <<<-------- writes 0006E633 here!
00494388   |.  8B4424 04         mov eax,dword ptr ss:[esp+4]
0049438C   |.  8B5424 0C         mov edx,dword ptr ss:[esp+C]
00494390   |.  8950 04           mov dword ptr ds:[eax+4],edx           <<<-------- writes 0006E637 here!
00494393   |.  83C4 18           add esp,18

………..
0049448C   |.  8BD8              mov ebx,eax
0049448E   |.  83FB 01           cmp ebx,1
00494491   |.  7C 1F             jl short PAL.004944B2
00494493   |>  8B45 FC           /mov eax,[local.1]                          ;EAX=SCXTB;WWW.PEDIY.COM
00494496   |.  8A4418 FF         |mov al,byte ptr ds:[eax+ebx-1]             ;starting from the last character, pass each one to al;
0049449A   |.  3C 7F             |cmp al,7F                                  ;al>127?
0049449C   |.  76 0F             |jbe short PAL.004944AD
0049449E   |.  8D45 FC           |lea eax,[local.1]
004944A1   |.  B9 01000000       |mov ecx,1
004944A6   |.  8BD3              |mov edx,ebx
004944A8   |.  E8 5715F7FF       |call PAL.00405A04
004944AD   |>  4B                |dec ebx
004944AE   |.  85DB              |test ebx,ebx
004944B0   |.^ 75 E1             \jnz short PAL.00494493
004944B2   |>  8D55 F8           lea edx,[local.2]
004944B5   |.  8B45 FC           mov eax,[local.1]
004944B8   |.  E8 939EF7FF       call PAL.0040E350                           ;uppercase, joined with ';'
004944BD   |.  8B45 F8           mov eax,[local.2]                           ;eax=SCXTB;WWW.PEDIY.COM
004944C0   |.  E8 0FFFFFFF       call PAL.004943D4                           ;key: encrypt the string
004944C5   |.  8946 04           mov dword ptr ds:[esi+4],eax                ;the transformed (encrypted) string goes to [0006e65f]
004944C8   |.  8BD6              mov edx,esi                                 ;edx=d9f6 does this value never change?
004944CA   |.  8BC7              mov eax,edi                                 ;eax=E11C1456 does this value never change either?
004944CC   |.  B1 01             mov cl,1                                    ;
004944CE   |.  E8 D9FDFFFF       call PAL.004942AC                           ;key: compute the true code from the encrypted string
004944D3   |.  33C0              xor eax,eax
004944D5   |.  5A                pop edx
…………

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\   Registration code algorithm:
\  1. join user name and company with ";"     : a = username + ; + company;
\  2. convert to uppercase                     : A=f(a);
\  3. encrypt A                                : B=f(A);
\  4. compute registration code C from B       : C=f(B,d9f6,E11C1456,1);
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

call PAL.00491798:
0049185E   |.  8D55 F0       |lea edx,dword ptr ss:[ebp-10]
00491861   |.  E8 EE24F7FF   |call PAL.00403D54
00491866   |.  8807          |mov byte ptr ds:[edi],al                  <<<--------- writes 0006E62B!
00491868   |.  837D F0 00    |cmp dword ptr ss:[ebp-10],0
0049186C   |.  75 09         |jnz short PAL.00491877
Entry parameters of call PAL.00491798:

………..
004B7ED7    .  8D55 EB           lea edx,dword ptr ss:[ebp-15]
004B7EDA    .  B9 08000000       mov ecx,8                                   ;the fake code must be 8 bytes, i.e. the registration code needs 16 characters
004B7EDF    .  A1 88616400       mov eax,dword ptr ds:[646188]               ;
004B7EE4    .  E8 AF98FDFF       call PAL.00491798                           ;check the fake code
004B7EE9    .  8D55 F3           lea edx,dword ptr ss:[ebp-D]

********************************************************************
From the call at 004B7EE4 you can see the fake code must be 8 bytes, i.e. the registration code needs 16 characters. If the fake code has fewer than 16 characters it fails (nothing is written at 0006E62B) without any prompt, and there is no comparison with the fake code, only a compare against 0. Only when the fake code has 16 characters does memory hold a true-code vs fake-code comparison.

004A4F94   |.  F3:A6             repe cmps byte ptr es:[edi],byte ptr ds:[esi] <<<--------- plaintext comparison!

The author's protection elsewhere is fairly good, yet here a plaintext comparison is used, so even a newbie like me could crack it. What a pity!
********************************************************************
String encryption algorithm (3. encrypt A), call PAL.0049439C:

0049439C   /$  53               push ebx
0049439D   |.  56               push esi
0049439E   |.  33C9             xor ecx,ecx                 ;ecx will hold the result; clear it
004943A0   |.  8BDA             mov ebx,edx
004943A2   |.  4B               dec ebx
004943A3   |.  85DB             test ebx,ebx
004943A5   |.  7C 25            jl short PAL.004943CC       ;if no user name and registration code were entered, jump!
004943A7   |.  43               inc ebx                     ;counter+1
004943A8   |>  C1E1 04          /shl ecx,4                  ;shift the previous result left 4 bits (*2^4=16?)
004943AB   |.  33D2             |xor edx,edx                ;clear edx; edx is the temporary result of each step
004943AD   |.  8A10             |mov dl,byte ptr ds:[eax]   ;string characters (starting from the first) go to dl one at a time
004943AF   |.  03CA             |add ecx,edx                ;add this character to ecx
004943B1   |.  8BD1             |mov edx,ecx                ;
004943B3   |.  81E2 000000F0    |and edx,F0000000           ;clear the low 7 hex digits of the result, keeping only the top nibble
004943B9   |.  85D2             |test edx,edx               ;
004943BB   |.  74 07            |je short PAL.004943C4      ;if edx=0 go straight to the not, otherwise compute first and then not
004943BD   |.  8BF2             |mov esi,edx                ;the computation is:
004943BF   |.  C1EE 18          |shr esi,18                 ;first shift the result right by 18h bits (divide by 2^24=16777216?)
004943C2   |.  33CE             |xor ecx,esi                ;then xor the values before and after the shift
004943C4   |>  F7D2             |not edx                    ;invert edx
004943C6   |.  23CA             |and ecx,edx                ;and the inverted value with the xor result
004943C8   |.  40               |inc eax                    ;point to the next character
004943C9   |.  4B               |dec ebx                    ;counter-1
004943CA   |.^ 75 DC            \jnz short PAL.004943A8     ;loop if not finished
004943CC   |>  8BC1              mov eax,ecx                ;return the result in eax
004943CE   |.  5E                pop esi
004943CF   |.  5B                pop ebx
004943D0   \.  C3                retn
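The shl 4 / and F0000000 / shr 18h / xor / and-not pattern above is the textbook PJW (ELF) string hash, so the routine can be recognized rather than traced. Below is an added C reimplementation (not the program's own code) covering steps 1 to 3: it joins name and company with ';', drops any byte above 7Fh (the call at 004944A8 is assumed here to be Delphi's Delete(S, i, 1)), uppercases, and hashes; for the name and company from the page it reproduces the value 03AF96FD seen at 004942CB.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step 3 as disassembled at 0049439C: the PJW/ELF string hash.
 * ecx = running hash, eax = current character, ebx = remaining length. */
uint32_t elf_hash(const char *s, size_t len)
{
    uint32_t h = 0;                           /* xor ecx,ecx */
    for (size_t i = 0; i < len; i++) {
        h = (h << 4) + (uint8_t)s[i];         /* shl ecx,4 ; add ecx,edx */
        uint32_t g = h & 0xF0000000u;         /* and edx,F0000000 */
        if (g)
            h ^= g >> 24;                     /* shr esi,18 ; xor ecx,esi */
        h &= ~g;                              /* not edx ; and ecx,edx */
    }
    return h;                                 /* mov eax,ecx */
}

/* Steps 1-2 as observed at 00494493-004944B8: name + ';' + company, bytes
 * above 7Fh removed (assumption: the call at 004944A8 is Delete(S, i, 1)),
 * then uppercased. Returns the length written, or 0 if out is too small. */
size_t build_id(const char *name, const char *company, char *out, size_t cap)
{
    const char *parts[3] = { name, ";", company };
    size_t n = 0;
    for (int p = 0; p < 3; p++) {
        for (const char *c = parts[p]; *c; c++) {
            if ((uint8_t)*c > 0x7F)           /* cmp al,7F ; jbe keeps it */
                continue;
            if (n + 1 >= cap)
                return 0;
            out[n++] = (char)toupper((unsigned char)*c);
        }
    }
    out[n] = '\0';
    return n;
}

/* Hash of the uppercased "NAME;COMPANY" string (the value at 004942CB). */
uint32_t id_hash(const char *name, const char *company)
{
    char buf[256];
    size_t n = build_id(name, company, buf, sizeof buf);
    return elf_hash(buf, n);
}

int main(void)
{
    char buf[256];
    build_id("scxtb", "www.pediy.com", buf, sizeof buf);
    printf("%s -> %08X\n", buf, id_hash("scxtb", "www.pediy.com"));
    return 0;
}
```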

Registration code algorithm (4. compute registration code C from B):
call PAL.004942AC:

004942AC   /$  53                push ebx
004942AD   |.  56                push esi
004942AE   |.  57                push edi
004942AF   |.  83C4 E8           add esp,-18
004942B2   |.  884C24 08         mov byte ptr ss:[esp+8],cl              ;[006e590]=01
004942B6   |.  895424 04         mov dword ptr ss:[esp+4],edx            ;ss:[0006E58C]=0006E65B
004942BA   |.  890424            mov dword ptr ss:[esp],eax              ;ss:[esp]=0006E63C
004942BD   |.  8B4424 04         mov eax,dword ptr ss:[esp+4]            ;eax=0006E65B
004942C1   |.  8B00              mov eax,dword ptr ds:[eax]              ;eax=0000D9F6
004942C3   |.  894424 0C         mov dword ptr ss:[esp+C],eax            ;ss:[0006E594]=0000D9F6
004942C7   |.  8B4424 04         mov eax,dword ptr ss:[esp+4]            ;eax=0006E65B
004942CB   |.  8B40 04           mov eax,dword ptr ds:[eax+4]            ;eax=03AF96FD
004942CE   |.  894424 10         mov dword ptr ss:[esp+10],eax           ;ss:[0006E598]=03AF96FD
004942D2   |.  C74424 14 0400000>mov dword ptr ss:[esp+14],4             ;counter, loop 4 times
004942DA   |.  BE 14B46300       mov esi,PAL.0063B414                    ;
004942DF   |>  8B5424 0C         /mov edx,dword ptr ss:[esp+C]           ;previous result A; d9f6 on the first pass
004942E3   |.  33C0              |xor eax,eax                            ;
004942E5   |.  8A4424 08         |mov al,byte ptr ss:[esp+8]             ;al=01
004942E9   |.  8BD8              |mov ebx,eax                            ;
004942EB   |.  03DB              |add ebx,ebx                            ;
004942ED   |.  8D1C5B            |lea ebx,dword ptr ds:[ebx+ebx*2]       ;
004942F0   |.  8B04DE            |mov eax,dword ptr ds:[esi+ebx*8]       ;
004942F3   |.  8B0C24            |mov ecx,dword ptr ss:[esp]             ;
004942F6   |.  8B0C81            |mov ecx,dword ptr ds:[ecx+eax*4]       ;ecx=04D3661E
004942F9   |.  8B44DE 04         |mov eax,dword ptr ds:[esi+ebx*8+>      ;
004942FD   |.  8B3C24            |mov edi,dword ptr ss:[esp]             ;
00494300   |.  8B0487            |mov eax,dword ptr ds:[edi+eax*4]       ;eax=D705870F
00494303   |.  8B5CDE 08         |mov ebx,dword ptr ds:[esi+ebx*8+>      ;
00494307   |.  8B3C24            |mov edi,dword ptr ss:[esp]             ;
0049430A   |.  8B1C9F            |mov ebx,dword ptr ds:[edi+ebx*4]       ;ebx=E11C1456
0049430D   |.  03D3              |add edx,ebx                            ;add the two constants: A+D=E11CEE4C
0049430F   |.  03DA              |add ebx,edx                            ;A+D*2
00494311   |.  8BFA              |mov edi,edx                            ;edi=E11CEE4C
00494313   |.  C1EF 07           |shr edi,7                              ;(A+D)/(2^7)
00494316   |.  33D7              |xor edx,edi                            ;xor (A+D)
00494318   |.  03CA              |add ecx,edx                            ;+B
0049431A   |.  03D1              |add edx,ecx                            ;+[(A+D)/(2^7) xor (A+D)]
0049431C   |.  8BF9              |mov edi,ecx                            ;
0049431E   |.  C1E7 0D           |shl edi,0D                             ;*2^14
00494321   |.  33CF              |xor ecx,edi                            ;
00494323   |.  03C1              |add eax,ecx                            ;
00494325   |.  03C8              |add ecx,eax                            ;
00494327   |.  8BF8              |mov edi,eax                            ;
00494329   |.  C1EF 11           |shr edi,11                             ;……..
0049432C   |.  33C7              |xor eax,edi                            ;
0049432E   |.  03D8              |add ebx,eax                            ;
00494330   |.  03C3              |add eax,ebx                            ;
00494332   |.  8BFB              |mov edi,ebx                            ;
00494334   |.  C1E7 09           |shl edi,9                              ;
00494337   |.  33DF              |xor ebx,edi                            ;
00494339   |.  03D3              |add edx,ebx                            ;……..
0049433B   |.  03DA              |add ebx,edx                            ;
0049433D   |.  8BFA              |mov edi,edx                            ;
0049433F   |.  C1EF 03           |shr edi,3                              ;
00494342   |.  33D7              |xor edx,edi                            ;
00494344   |.  03CA              |add ecx,edx                            ;
00494346   |.  8BD1              |mov edx,ecx                            ;………
00494348   |.  C1E2 07           |shl edx,7                              ;
0049434B   |.  33CA              |xor ecx,edx                            ;
0049434D   |.  03C1              |add eax,ecx                            ;
0049434F   |.  8BD3              |mov edx,ebx                            ;
00494351   |.  C1EA 0F           |shr edx,0F                             ;
00494354   |.  33C2              |xor eax,edx                            ;……..
00494356   |.  03D8              |add ebx,eax                            ;
00494358   |.  8BC3              |mov eax,ebx                            ;
0049435A   |.  C1E0 0B           |shl eax,0B                             ;
0049435D   |.  33D8              |xor ebx,eax                            ;
0049435F   |.  8B4424 10         |mov eax,dword ptr ss:[esp+10]          ;
00494363   |.  33C3              |xor eax,ebx                            ;A={Q xor …}
00494365   |.  8B5424 0C         |mov edx,dword ptr ss:[esp+C]           ;
00494369   |.  895424 10         |mov dword ptr ss:[esp+10],edx          ;
0049436D   |.  894424 0C         |mov dword ptr ss:[esp+C],eax           ;
00494371   |.  83C6 0C           |add esi,0C                             ;
00494374   |.  FF4C24 14         |dec dword ptr ss:[esp+14]              ;
00494378   |.^ 0F85 61FFFFFF     \jnz PAL.004942DF                       ;
0049437E   |.  8B4424 04         mov eax,dword ptr ss:[esp+4]
00494382   |.  8B5424 10         mov edx,dword ptr ss:[esp+10]
00494386   |.  8910              mov dword ptr ds:[eax],edx
00494388   |.  8B4424 04         mov eax,dword ptr ss:[esp+4]
0049438C   |.  8B5424 0C         mov edx,dword ptr ss:[esp+C]
00494390   |.  8950 04           mov dword ptr ds:[eax+4],edx
00494393   |.  83C4 18           add esp,18
00494396   |.  5F                pop edi
00494397   |.  5E                pop esi
00494398   |.  5B                pop ebx
00494399   \.  C3                retn

Let the four constants taking part in the computation and the encrypted string be:
A=D6F9; (in round two, A is the result of round one)
B=04D36614;
C=D705870F;
D=E11C1456;
Q=the encrypted string; these are the 5 numbers of the first round.

Which gives the formula:
A={Q xor {(((((e/2^17 xor e)+A+D*2)+(((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))/2^15 xor ((((((((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2))/2^3 xor (((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))+(e*2+C))*2^7) xor (((((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2))/2^3 xor (((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))+(e*2+C)))+((e/2^17 xor e)+A+D*2)))+((e/2^17 xor e)+A+D*2)+(((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))*2^11 xor (((((e/2^17 xor e)+A+D*2)+(((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))/2^15 xor ((((((((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2))/2^3 xor (((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))+(e*2+C))*2^7) xor (((((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2))/2^3 xor (((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))+(e*2+C)))+((e/2^17 xor e)+A+D*2)))+((e/2^17 xor e)+A+D*2)+(((e/2^17 xor e)+A+D*2)*2^9 xor ((e/2^17 xor e)+A+D*2)))}}

where:
e={(((((A+D)/2^7) xor (A+D))+B)*2^14) xor ((((A+D)/2^7) xor (A+D))+B)}

Result of round one: A=B6739DD0;
The 5 numbers of round two:
A=B6739DD0;
B=9C60408B;
C=E11C1456;
D=D705870F;
Result of round two: A=AAB54D56;

The 5 numbers of round three:
A=AAB54D56;
B=D705870F;
C=9C60408B;
D=04D36614;
Result of round three: A=D38988AC;

The 5 numbers of round four:
A=D38988AC;
B=E11C1456;
C=04D36614;
D=9C60408B;
Result of round four: A=4871D99A;

The results of rounds three and four together are the registration code.
