
Algorithm Analysis of a CrackMe

Published: 2013-08-20 10:46   Source: web   Author: 一川
I will skip the unpacking: it is a compression packer, the ESP trick lands on the OEP straight away, and the target turns out to be a Delphi crackme.

Locate the place to break with DeDe, load the target in OllyDbg, set the breakpoint, enter a username and a dummy serial, then press F9 to run…

00456F00 /$ 55 PUSH EBP / breaks here
00456F01 |. 8BEC MOV EBP,ESP
00456F03 |. 83C4 A8 ADD ESP,-58
00456F06 |. 53 PUSH EBX
00456F07 |. 56 PUSH ESI
00456F08 |. 57 PUSH EDI
00456F09 |. 33C0 XOR EAX,EAX
00456F0B |. 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
00456F0E |. 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00456F11 |. 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
00456F14 |. 8945 AC MOV DWORD PTR SS:[EBP-54],EAX
00456F17 |. 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
00456F1A |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00456F1D |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00456F20 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00456F23 |. 33C0 XOR EAX,EAX
00456F25 |. 55 PUSH EBP
00456F26 |. 68 18734500 PUSH 576EC.00457318
00456F2B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00456F2E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00456F31 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00456F34 |. E8 FBC8FAFF CALL 576EC.00403834
00456F39 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00456F3C |. E8 F3C8FAFF CALL 576EC.00403834
00456F41 |. A1 34A84500 MOV EAX,DWORD PTR DS:[45A834]
00456F46 |. 05 F8020000 ADD EAX,2F8
00456F4B |. E8 E4C8FAFF CALL 576EC.00403834
00456F50 |. BB 01000000 MOV EBX,1
00456F55 |. BE 1B000000 MOV ESI,1B
00456F5A |. EB 21 JMP SHORT 576EC.00456F7D
00456F5C |> 8D55 D4 /LEA EDX,DWORD PTR SS:[EBP-2C]
00456F5F |. A1 34A84500 |MOV EAX,DWORD PTR DS:[45A834]
00456F64 |. 8B80 C4020000 |MOV EAX,DWORD PTR DS:[EAX+2C4]
00456F6A |. E8 B5DAFCFF |CALL 576EC.00424A24
00456F6F |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C]
00456F72 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]             / ASCII code of a username character
00456F77 |. 03F0 |ADD ESI,EAX
00456F79 |. 43 |INC EBX
00456F7A |. 0FAFF3 |IMUL ESI,EBX
00456F7D |> 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00456F80 |. A1 34A84500 |MOV EAX,DWORD PTR DS:[45A834]
00456F85 |. 8B80 C4020000 |MOV EAX,DWORD PTR DS:[EAX+2C4]
00456F8B |. E8 94DAFCFF |CALL 576EC.00424A24
00456F90 |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C]                     / username into EAX
00456F93 |. E8 18CBFAFF |CALL 576EC.00403AB0                           / username length
00456F98 |. 3BD8 |CMP EBX,EAX
00456F9A |.^ 7C C0 \JL SHORT 576EC.00456F5C

/ Loop; the result is recorded as A

This loop computes (ASCII code of the first username character + 0x1B) * 2, then (previous result + ASCII code of the second character) * 3, and so on; the last character of the username does not take part. The low 8 hex digits of the result are recorded as A.
The high 8 hex digits are not used and are ignored from here on; unless stated otherwise, every value below refers to the low 8 hex digits of the result.

00456F9C  |.  BF 1A000000   MOV EDI,1A
00456FA1  |.  BB 01000000   MOV EBX,1
00456FA6  |.  EB 1E         JMP SHORT 576EC.00456FC6
00456FA8  |>  8D55 D4       /LEA EDX,DWORD PTR SS:[EBP-2C]
00456FAB  |.  A1 34A84500   |MOV EAX,DWORD PTR DS:[45A834]
00456FB0  |.  8B80 D0020000 |MOV EAX,DWORD PTR DS:[EAX+2D0]
00456FB6  |.  E8 69DAFCFF   |CALL 576EC.00424A24
00456FBB  |.  8B45 D4       |MOV EAX,DWORD PTR SS:[EBP-2C]
00456FBE  |.  0FB64418 FF   |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
00456FC3  |.  03F8          |ADD EDI,EAX
00456FC5  |.  43            |INC EBX
00456FC6  |>  8D55 D4        LEA EDX,DWORD PTR SS:[EBP-2C]
00456FC9  |.  A1 34A84500   |MOV EAX,DWORD PTR DS:[45A834]
00456FCE  |.  8B80 D0020000 |MOV EAX,DWORD PTR DS:[EAX+2D0]
00456FD4  |.  E8 4BDAFCFF   |CALL 576EC.00424A24
00456FD9  |.  8B45 D4       |MOV EAX,DWORD PTR SS:[EBP-2C]           /  machine code into EAX
00456FDC  |.  E8 CFCAFAFF   |CALL 576EC.00403AB0
00456FE1  |.  3BD8          |CMP EBX,EAX
00456FE3  |.^ 7C C3         \JL SHORT 576EC.00456FA8                 /  loop, yields B
This loop computes 0x1A plus the sum of the ASCII codes of the machine code; the result is recorded as B.
00456FE5  |.  B9 01000000   MOV ECX,1                                /  ECX set to 1
00456FEA  |.  BB 01000000   MOV EBX,1                                /  EBX set to 1
00456FEF  |.  8BC7          MOV EAX,EDI
00456FF1  |.  F7EE          IMUL ESI                                 /  B*A; the low 8 hex digits of the result are recorded as C.
00456FF3  |.  99            CDQ
00456FF4  |.  8945 E8       MOV DWORD PTR SS:[EBP-18],EAX
00456FF7  |.  8955 EC       MOV DWORD PTR SS:[EBP-14],EDX
00456FFA  |.  8BC6          MOV EAX,ESI
00456FFC  |.  99            CDQ
00456FFD  |.  2345 E8       AND EAX,DWORD PTR SS:[EBP-18]            /  A AND C (bitwise); the result is recorded as D
00457000  |.  2355 EC       AND EDX,DWORD PTR SS:[EBP-14]
00457003  |.  8945 E8       MOV DWORD PTR SS:[EBP-18],EAX
00457006  |.  8955 EC       MOV DWORD PTR SS:[EBP-14],EDX
00457009  |.  81F9 93300000 CMP ECX,3093
0045700F  |.  7D 15         JGE SHORT 576EC.00457026
00457011  |>  83C1 16       /ADD ECX,16
00457014  |.  83E9 15       |SUB ECX,15
00457017  |.  43            |INC EBX
00457018  |.  83C1 04       |ADD ECX,4
0045701B  |.  83E9 03       |SUB ECX,3
0045701E  |.  81F9 93300000 |CMP ECX,3093
00457024  |.^ 7C EB         \JL SHORT 576EC.00457011
00457026  |>  81FB 4A180000 CMP EBX,184A
0045702C  |.  0F85 AE020000 JNZ 576EC.004572E0
00457032  |.  8BC7          MOV EAX,EDI                              /  B into EAX
00457034  |.  99            CDQ
00457035  |.  0345 E8       ADD EAX,DWORD PTR SS:[EBP-18]            /  D + B; the result is recorded as E
00457038  |.  1355 EC       ADC EDX,DWORD PTR SS:[EBP-14]
0045703B  |.  8945 E0       MOV DWORD PTR SS:[EBP-20],EAX
0045703E  |.  8955 E4       MOV DWORD PTR SS:[EBP-1C],EDX
00457041  |.  FF75 EC       PUSH DWORD PTR SS:[EBP-14]
00457044  |.  FF75 E8       PUSH DWORD PTR SS:[EBP-18]               /  push D
00457047  |.  8BC7          MOV EAX,EDI                              /  B into EAX
00457049  |.  99            CDQ
0045704A  |.  E8 E1E6FAFF   CALL 576EC.00405730                      ;  B multiplied by D; the result is recorded as F.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Stepping into the CALL above:
00405731    50              PUSH EAX
00405732    8B4424 10       MOV EAX,DWORD PTR SS:[ESP+10]
00405736    F72424          MUL DWORD PTR SS:[ESP]
00405739    8BC8            MOV ECX,EAX
0040573B    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
0040573F    F76424 0C       MUL DWORD PTR SS:[ESP+C]
00405743    03C8            ADD ECX,EAX
00405745    8B0424          MOV EAX,DWORD PTR SS:[ESP]               / B into EAX
00405748    F76424 0C       MUL DWORD PTR SS:[ESP+C]                 / B*D
0040574C    03D1            ADD EDX,ECX
0040574E    59              POP ECX
0040574F    59              POP ECX
00405750    C2 0800         RETN 8
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0045704F  |.  52            PUSH EDX
00457050  |.  50            PUSH EAX
00457051  |.  8BC6          MOV EAX,ESI                              /  A放入EAX
00457053  |.  99            CDQ
00457054  |.  E8 D7E6FAFF   CALL 576EC.00405730                      /  yields G and H
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
00405730    52              PUSH EDX
00405731    50              PUSH EAX
00405732    8B4424 10       MOV EAX,DWORD PTR SS:[ESP+10]
00405736    F72424          MUL DWORD PTR SS:[ESP]
00405739    8BC8            MOV ECX,EAX
0040573B    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
0040573F    F76424 0C       MUL DWORD PTR SS:[ESP+C]
00405743    03C8            ADD ECX,EAX
00405745    8B0424          MOV EAX,DWORD PTR SS:[ESP]               / A into EAX
00405748    F76424 0C       MUL DWORD PTR SS:[ESP+C]                 / A*D; the low 8 hex digits are recorded as G, the high 8 hex digits as H.
0040574C    03D1            ADD EDX,ECX
0040574E    59              POP ECX
0040574F    59              POP ECX
00405750    C2 0800         RETN 8
00405753    52              PUSH EDX
00405754    50              PUSH EAX
00405755    8B4424 10       MOV EAX,DWORD PTR SS:[ESP+10]
00405759    F72424          MUL DWORD PTR SS:[ESP]
0040575C    8BC8            MOV ECX,EAX
0040575E    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
00405762    F76424 0C       MUL DWORD PTR SS:[ESP+C]
00405766    03C8            ADD ECX,EAX
00405768    8B0424          MOV EAX,DWORD PTR SS:[ESP]
0040576B    F76424 0C       MUL DWORD PTR SS:[ESP+C]
0040576F    03D1            ADD EDX,ECX
00405771    59              POP ECX
00405772    59              POP ECX
00405773    C2 0800         RETN 8
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
 
00457059  |.  52            PUSH EDX                                 /  push H
0045705A  |.  50            PUSH EAX                                 /  push G
0045705B  |.  8BC6          MOV EAX,ESI                              /  A into EAX
0045705D  |.  99            CDQ
0045705E  |.  0B0424        OR EAX,DWORD PTR SS:[ESP]                /  A OR G (bitwise); the result is recorded as I.
00457061  |.  0B5424 04     OR EDX,DWORD PTR SS:[ESP+4]              /  G is still held in EDX
00457065  |.  83C4 08       ADD ESP,8
00457068  |.  8945 E0       MOV DWORD PTR SS:[EBP-20],EAX
0045706B  |.  8955 E4       MOV DWORD PTR SS:[EBP-1C],EDX
0045706E  |.  FF75 E4       PUSH DWORD PTR SS:[EBP-1C]
00457071  |.  FF75 E0       PUSH DWORD PTR SS:[EBP-20]
00457074  |.  8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
00457077  |.  E8 FC07FBFF   CALL 576EC.00407878                      /  The key CALL, and the most troublesome one: it produces the second column of the true serial; explained in detail further down~
0045707C  |.  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]             /  second column of the true serial into EAX
0045707F  |.  8A00          MOV AL,BYTE PTR DS:[EAX]
00457081  |.  3C 2D         CMP AL,2D
00457083  |.  75 17         JNZ SHORT 576EC.0045709C
00457085  |.  6A FF         PUSH -1
00457087  |.  6A FF         PUSH -1
00457089  |.  8B45 E0       MOV EAX,DWORD PTR SS:[EBP-20]
0045708C  |.  8B55 E4       MOV EDX,DWORD PTR SS:[EBP-1C]
0045708F  |.  E8 9CE6FAFF   CALL 576EC.00405730
00457094  |.  8945 D8       MOV DWORD PTR SS:[EBP-28],EAX
00457097  |.  8955 DC       MOV DWORD PTR SS:[EBP-24],EDX
0045709A  |.  EB 15         JMP SHORT 576EC.004570B1
0045709C  |>  6A 00         PUSH 0
0045709E  |.  6A 01         PUSH 1
004570A0  |.  8B45 E0       MOV EAX,DWORD PTR SS:[EBP-20]            /  I into EAX
004570A3  |.  8B55 E4       MOV EDX,DWORD PTR SS:[EBP-1C]            /  H into EDX
004570A6  |.  E8 85E6FAFF   CALL 576EC.00405730
004570AB  |.  8945 D8       MOV DWORD PTR SS:[EBP-28],EAX
004570AE  |.  8955 DC       MOV DWORD PTR SS:[EBP-24],EDX
004570B1  |>  8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
004570B4  |.  E8 7BC7FAFF   CALL 576EC.00403834
004570B9  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
004570BE  |.  05 F4020000   ADD EAX,2F4
004570C3  |.  E8 6CC7FAFF   CALL 576EC.00403834
004570C8  |.  FF75 DC       PUSH DWORD PTR SS:[EBP-24]
004570CB  |.  FF75 D8       PUSH DWORD PTR SS:[EBP-28]
004570CE  |.  8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
004570D1  |.  E8 A207FBFF   CALL 576EC.00407878                      /  second column of the true serial
004570D6  |.  8B45 D0       MOV EAX,DWORD PTR SS:[EBP-30]
004570D9  |.  E8 D2C9FAFF   CALL 576EC.00403AB0
004570DE  |.  8BD8          MOV EBX,EAX                              /  length of the second column of the true serial
004570E0  |.  8D4D F4       LEA ECX,DWORD PTR SS:[EBP-C]
004570E3  |.  BA 03000000   MOV EDX,3
004570E8  |.  8BC3          MOV EAX,EBX
004570EA  |.  E8 BD07FBFF   CALL 576EC.004078AC
004570EF  |.  FF75 DC       PUSH DWORD PTR SS:[EBP-24]
004570F2  |.  FF75 D8       PUSH DWORD PTR SS:[EBP-28]
004570F5  |.  8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
004570F8  |.  E8 7B07FBFF   CALL 576EC.00407878
004570FD  |.  8D45 CC       LEA EAX,DWORD PTR SS:[EBP-34]
00457100  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the second-column serial into EDX
00457103  |.  8A52 02       MOV DL,BYTE PTR DS:[EDX+2]               /  third character of the second column -1
00457106  |.  8850 01       MOV BYTE PTR DS:[EAX+1],DL
00457109  |.  C600 01       MOV BYTE PTR DS:[EAX],1
0045710C  |.  8D55 CC       LEA EDX,DWORD PTR SS:[EBP-34]
0045710F  |.  8D45 C8       LEA EAX,DWORD PTR SS:[EBP-38]
00457112  |.  E8 49B7FAFF   CALL 576EC.00402860
00457117  |.  8D45 C4       LEA EAX,DWORD PTR SS:[EBP-3C]
0045711A  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the second-column serial into EDX
0045711D  |.  8A12          MOV DL,BYTE PTR DS:[EDX]                 /  first character of the second column -2
0045711F  |.  8850 01       MOV BYTE PTR DS:[EAX+1],DL
00457122  |.  C600 01       MOV BYTE PTR DS:[EAX],1
00457125  |.  8D55 C4       LEA EDX,DWORD PTR SS:[EBP-3C]
00457128  |.  8D45 C8       LEA EAX,DWORD PTR SS:[EBP-38]
0045712B  |.  B1 02         MOV CL,2
0045712D  |.  E8 FEB6FAFF   CALL 576EC.00402830
00457132  |.  8D55 C8       LEA EDX,DWORD PTR SS:[EBP-38]
00457135  |.  8D45 C0       LEA EAX,DWORD PTR SS:[EBP-40]
00457138  |.  E8 23B7FAFF   CALL 576EC.00402860
0045713D  |.  8D45 C4       LEA EAX,DWORD PTR SS:[EBP-3C]
00457140  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the second-column serial into EDX
00457143  |.  8A52 01       MOV DL,BYTE PTR DS:[EDX+1]               /  second character of the second column -3
00457146  |.  8850 01       MOV BYTE PTR DS:[EAX+1],DL
00457149  |.  C600 01       MOV BYTE PTR DS:[EAX],1
0045714C  |.  8D55 C4       LEA EDX,DWORD PTR SS:[EBP-3C]
0045714F  |.  8D45 C0       LEA EAX,DWORD PTR SS:[EBP-40]
00457152  |.  B1 03         MOV CL,3
00457154  |.  E8 D7B6FAFF   CALL 576EC.00402830
00457159  |.  8D55 C0       LEA EDX,DWORD PTR SS:[EBP-40]
0045715C  |.  8D45 B8       LEA EAX,DWORD PTR SS:[EBP-48]
0045715F  |.  E8 FCB6FAFF   CALL 576EC.00402860
00457164  |.  8D45 C4       LEA EAX,DWORD PTR SS:[EBP-3C]
00457167  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the second-column serial into EDX
0045716A  |.  8A52 02       MOV DL,BYTE PTR DS:[EDX+2]               /  third character of the second column -4
0045716D  |.  8850 01       MOV BYTE PTR DS:[EAX+1],DL
00457170  |.  C600 01       MOV BYTE PTR DS:[EAX],1
00457173  |.  8D55 C4       LEA EDX,DWORD PTR SS:[EBP-3C]
00457176  |.  8D45 B8       LEA EAX,DWORD PTR SS:[EBP-48]
00457179  |.  B1 04         MOV CL,4
0045717B  |.  E8 B0B6FAFF   CALL 576EC.00402830
00457180  |.  8D55 B8       LEA EDX,DWORD PTR SS:[EBP-48]            /  the first four characters are done~
00457183  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
00457188  |.  05 F4020000   ADD EAX,2F4
0045718D  |.  E8 C2C8FAFF   CALL 576EC.00403A54
00457192  |.  8D55 D4       LEA EDX,DWORD PTR SS:[EBP-2C]
00457195  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
0045719A  |.  8B80 C4020000 MOV EAX,DWORD PTR DS:[EAX+2C4]
004571A0  |.  E8 7FD8FCFF   CALL 576EC.00424A24
004571A5  |.  8B45 D4       MOV EAX,DWORD PTR SS:[EBP-2C]            /  registration name into EAX
004571A8  |.  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-8]
004571AB  |.  E8 A003FBFF   CALL 576EC.00407550
004571B0  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
004571B5  |.  FFB0 F4020000 PUSH DWORD PTR DS:[EAX+2F4]
004571BB  |.  8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
004571BE  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  registration name in uppercase; its address into EDX
004571C1  |.  8A52 03       MOV DL,BYTE PTR DS:[EDX+3]               /  fourth character of the name -5
004571C4  |.  E8 0FC8FAFF   CALL 576EC.004039D8
004571C9  |.  FF75 D0       PUSH DWORD PTR SS:[EBP-30]
004571CC  |.  8D45 B4       LEA EAX,DWORD PTR SS:[EBP-4C]
004571CF  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  registration name in uppercase; its address into EDX
004571D2  |.  8A52 01       MOV DL,BYTE PTR DS:[EDX+1]               /  second character of the name -6
004571D5  |.  E8 FEC7FAFF   CALL 576EC.004039D8
004571DA  |.  FF75 B4       PUSH DWORD PTR SS:[EBP-4C]
004571DD  |.  8D45 B0       LEA EAX,DWORD PTR SS:[EBP-50]
004571E0  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  registration name in uppercase; its address into EDX
004571E3  |.  8A52 04       MOV DL,BYTE PTR DS:[EDX+4]               /  fifth character of the name -7
004571E6  |.  E8 EDC7FAFF   CALL 576EC.004039D8
004571EB  |.  FF75 B0       PUSH DWORD PTR SS:[EBP-50]
004571EE  |.  8D45 AC       LEA EAX,DWORD PTR SS:[EBP-54]
004571F1  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  registration name in uppercase; its address into EDX
004571F4  |.  8A12          MOV DL,BYTE PTR DS:[EDX]                 /  first character of the name -8
004571F6  |.  E8 DDC7FAFF   CALL 576EC.004039D8
004571FB  |.  FF75 AC       PUSH DWORD PTR SS:[EBP-54]
004571FE  |.  8D45 A8       LEA EAX,DWORD PTR SS:[EBP-58]
00457201  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  registration name in uppercase; its address into EDX
00457204  |.  8A52 02       MOV DL,BYTE PTR DS:[EDX+2]               /  third character of the name -9
00457207  |.  E8 CCC7FAFF   CALL 576EC.004039D8
0045720C  |.  FF75 A8       PUSH DWORD PTR SS:[EBP-58]
The characters marked -1, -2, ... -9 above make up the first column of the true serial.
0045720F  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
00457214  |.  05 F4020000   ADD EAX,2F4
00457219  |.  BA 06000000   MOV EDX,6
0045721E  |.  E8 4DC9FAFF   CALL 576EC.00403B70
00457223  |.  8D55 D4       LEA EDX,DWORD PTR SS:[EBP-2C]
00457226  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
0045722B  |.  8B80 C4020000 MOV EAX,DWORD PTR DS:[EAX+2C4]
00457231  |.  E8 EED7FCFF   CALL 576EC.00424A24
00457236  |.  8B45 D4       MOV EAX,DWORD PTR SS:[EBP-2C]            /  registration name back in lowercase
00457239  |.  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-8]
0045723C  |.  E8 4B03FBFF   CALL 576EC.0040758C
00457241  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
00457246  |.  FFB0 F4020000 PUSH DWORD PTR DS:[EAX+2F4]              /  the whole first column of the true serial is now present
0045724C  |.  68 34734500   PUSH 576EC.00457334                      /  -
00457251  |.  FF75 DC       PUSH DWORD PTR SS:[EBP-24]
00457254  |.  FF75 D8       PUSH DWORD PTR SS:[EBP-28]
00457257  |.  8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
0045725A  |.  E8 1906FBFF   CALL 576EC.00407878
0045725F  |.  FF75 D0       PUSH DWORD PTR SS:[EBP-30]               /  push the second column of the registration code
00457262  |.  68 34734500   PUSH 576EC.00457334                      /  -
00457267  |.  8D45 B4       LEA EAX,DWORD PTR SS:[EBP-4C]
0045726A  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the registration name into EDX
0045726D  |.  8A52 02       MOV DL,BYTE PTR DS:[EDX+2]               /  third character of the name -1
00457270  |.  E8 63C7FAFF   CALL 576EC.004039D8
00457275  |.  FF75 B4       PUSH DWORD PTR SS:[EBP-4C]
00457278  |.  8D45 B0       LEA EAX,DWORD PTR SS:[EBP-50]
0045727B  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the registration name into EDX
0045727E  |.  8A12          MOV DL,BYTE PTR DS:[EDX]                 /  first character of the name -2
00457280  |.  E8 53C7FAFF   CALL 576EC.004039D8
00457285  |.  FF75 B0       PUSH DWORD PTR SS:[EBP-50]
00457288  |.  8D45 AC       LEA EAX,DWORD PTR SS:[EBP-54]
0045728B  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the registration name into EDX
0045728E  |.  8A52 03       MOV DL,BYTE PTR DS:[EDX+3]               /  fourth character of the name -3
00457291  |.  E8 42C7FAFF   CALL 576EC.004039D8
00457296  |.  FF75 AC       PUSH DWORD PTR SS:[EBP-54]
00457299  |.  8D45 A8       LEA EAX,DWORD PTR SS:[EBP-58]
0045729C  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             /  address of the registration name into EDX
0045729F  |.  8A52 01       MOV DL,BYTE PTR DS:[EDX+1]               /  second character of the name -4
004572A2  |.  E8 31C7FAFF   CALL 576EC.004039D8
004572A7  |.  FF75 A8       PUSH DWORD PTR SS:[EBP-58]
004572AA  |.  FF75 F4       PUSH DWORD PTR SS:[EBP-C]                /  length of the second-column serial as a three-digit number -5
004572AD  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
004572B2  |.  05 F4020000   ADD EAX,2F4
004572B7  |.  BA 09000000   MOV EDX,9
004572BC  |.  E8 AFC8FAFF   CALL 576EC.00403B70
004572C1  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]
004572C6  |.  8B90 F4020000 MOV EDX,DWORD PTR DS:[EAX+2F4]
004572CC  |.  A1 34A84500   MOV EAX,DWORD PTR DS:[45A834]            /  everything computed above has now been concatenated~~
004572D1  |.  05 F8020000   ADD EAX,2F8
004572D6  |.  B9 40734500   MOV ECX,576EC.00457340                   /  Z8, a fixed value: the last two characters of the registration code, appended to the string above to form the complete true serial
004572DB  |.  E8 1CC8FAFF   CALL 576EC.00403AFC
004572E0  |>  33C0          XOR EAX,EAX
004572E2  |.  5A            POP EDX
004572E3  |.  59            POP ECX
004572E4  |.  59            POP ECX
004572E5  |.  64:8910       MOV DWORD PTR FS:[EAX],EDX
004572E8  |.  68 1F734500   PUSH 576EC.0045731F
004572ED  |>  8D45 A8       LEA EAX,DWORD PTR SS:[EBP-58]
004572F0  |.  BA 04000000   MOV EDX,4
004572F5  |.  E8 5EC5FAFF   CALL 576EC.00403858
004572FA  |.  8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
004572FD  |.  E8 32C5FAFF   CALL 576EC.00403834
00457302  |.  8D45 D4       LEA EAX,DWORD PTR SS:[EBP-2C]
00457305  |.  E8 2AC5FAFF   CALL 576EC.00403834
0045730A  |.  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
0045730D  |.  BA 02000000   MOV EDX,2
00457312  |.  E8 41C5FAFF   CALL 576EC.00403858
00457317  \.  C3            RETN
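The following Python model of the arithmetic in the listing above (the two loops, then the chain C, D, E, F, G/H and the I stored at [EBP-20]/[EBP-1C] before the CALL at 00457077) is an added example, not the author's code. It reproduces the register widths (32-bit IMUL, CDQ, the 64-bit product routine at 00405730) so each intermediate can be checked against EAX/EDX/ESI/EDI at the matching breakpoint; the username and machine code are constructed sample inputs, and where the comments and the code differ the model follows the code: the second 00405730 call at 00457054 receives the F pushed at 0045704F, so it multiplies A by F.

```python
# Python model of the serial arithmetic at 00456F50..0045706B.
# Added example, not the author's code. Register widths are modelled
# explicitly (32-bit IMUL, CDQ, 64-bit products) so every intermediate
# can be compared with the registers at the matching breakpoint.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def to_signed32(x: int) -> int:
    """Interpret the low 32 bits of x as a signed dword."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def to_signed64(x: int) -> int:
    """Interpret the low 64 bits of x as a signed qword (EDX:EAX)."""
    x &= MASK64
    return x - (1 << 64) if x & (1 << 63) else x


def cdq(eax: int) -> int:
    """EDX:EAX after CDQ: EAX sign-extended to 64 bits, as an unsigned qword."""
    return to_signed32(eax) & MASK64


def mul64(x: int, y: int) -> int:
    """Model of the routine at 00405730: the low 64 bits of a 64x64-bit product."""
    return (x * y) & MASK64


def compute_a(username: bytes, seed: int = 0x1B) -> int:
    """Loop at 00456F50..00456F9A.

    ESI starts at 0x1B and EBX at 1; while EBX < len(name):
    ESI += name[EBX-1]; EBX += 1; ESI *= EBX (32-bit IMUL).
    The last character is never added, as the author notes.
    """
    esi, ebx = seed, 1
    while ebx < len(username):
        esi = (esi + username[ebx - 1]) & MASK32
        ebx += 1
        esi = (esi * ebx) & MASK32
    return esi


def compute_b(machine_code: bytes, seed: int = 0x1A) -> int:
    """Loop at 00456F9C..00456FE3: EDI = 0x1A + sum of the machine-code bytes."""
    return (seed + sum(machine_code)) & MASK32


def trace_check_passes() -> bool:
    """Counting loop at 00457009..0045702C.

    ECX climbs from 1 by (+0x16 -0x15 +4 -3) = 2 per pass until it reaches
    0x3093 and EBX counts the passes; the JNZ to the exit at 004572E0 is
    taken only if EBX != 0x184A, which a normal run never produces.
    """
    ecx, ebx = 1, 1
    while ecx < 0x3093:
        ecx += 0x16 - 0x15 + 4 - 3
        ebx += 1
    return ebx == 0x184A


def chain(a: int, b: int) -> dict:
    """00456FEF..0045706B, using the author's letters for the intermediates."""
    # 00456FEF..00456FF6: EAX=B; IMUL ESI -> EDX:EAX = signed(B)*signed(A); C = low dword
    prod = (to_signed32(b) * to_signed32(a)) & MASK64
    c = prod & MASK32
    # 00456FFA..00457006: EAX=A; CDQ; AND both dwords with the product -> D (qword)
    d = cdq(a) & prod
    # 00457032..0045703E: EAX=B; CDQ; ADD/ADC D -> E (kept at [EBP-20], later overwritten by I)
    e = (cdq(b) + d) & MASK64
    # 00457041..0045704A: push D, EDX:EAX = B -> F = B*D via 00405730
    f = mul64(cdq(b), d)
    # 0045704F..00457054: F is pushed and the same routine multiplies it by A -> EDX:EAX = H:G
    gh = mul64(cdq(a), f)
    g, h = gh & MASK32, gh >> 32
    # 0045705B..00457061: EAX=A; CDQ; OR with the pushed G (low) and H (high) -> I
    i = cdq(a) | gh
    return {"A": a, "B": b, "C": c, "D": d, "E": e, "F": f, "G": g, "H": h, "I": i}


def intermediates(username: str, machine_code: str) -> dict:
    """Run the whole chain for ASCII inputs."""
    return chain(compute_a(username.encode("ascii")),
                 compute_b(machine_code.encode("ascii")))


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the article.
    for name, value in intermediates("abc", "12345").items():
        print(f"{name}: {value:#018x}  (signed {to_signed64(value)})")
    print("counting loop passes:", trace_check_passes())
```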
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The key CALL that produces the second column of the true serial:
00407878    55              PUSH EBP
00407879    8BEC            MOV EBP,ESP
0040787B    83C4 F8         ADD ESP,-8
0040787E    6A 00           PUSH 0
00407880    8D55 08         LEA EDX,DWORD PTR SS:[EBP+8]
00407883    8955 F8         MOV DWORD PTR SS:[EBP-8],EDX
00407886    C645 FC 10      MOV BYTE PTR SS:[EBP-4],10
0040788A    8D4D F8         LEA ECX,DWORD PTR SS:[EBP-8]
0040788D    BA A8784000     MOV EDX,576EC.004078A8
00407892    E8 6D0A0000     CALL 576EC.00408304                      / computes the registration code; key CALL-1, step in.
00407897    59              POP ECX
00407898    59              POP ECX
00407899    5D              POP EBP
0040789A    C2 0800         RETN 8
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Key CALL-1:
00408304    55              PUSH EBP
00408305    8BEC            MOV EBP,ESP
00408307    81C4 04F0FFFF   ADD ESP,-0FFC
0040830D    50              PUSH EAX
0040830E    83C4 F4         ADD ESP,-0C
00408311    53              PUSH EBX
00408312    56              PUSH ESI
00408313    894D F8         MOV DWORD PTR SS:[EBP-8],ECX
00408316    8955 FC         MOV DWORD PTR SS:[EBP-4],EDX
00408319    8BF0            MOV ESI,EAX
0040831B    BB 02100000     MOV EBX,1002
00408320    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
00408323    E8 88B7FFFF     CALL 576EC.00403AB0
00408328    8BD3            MOV EDX,EBX
0040832A    85D2            TEST EDX,EDX
0040832C    79 03           JNS SHORT 576EC.00408331
0040832E    83C2 03         ADD EDX,3
00408331    C1FA 02         SAR EDX,2
00408334    8BCB            MOV ECX,EBX
00408336    2BCA            SUB ECX,EDX
00408338    3BC1            CMP EAX,ECX
0040833A    7D 24           JGE SHORT 576EC.00408360
0040833C    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]             / (initial CPU selection)
0040833F    E8 6CB7FFFF     CALL 576EC.00403AB0                      / stepped through
00408344    50              PUSH EAX
00408345    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
00408348    50              PUSH EAX
00408349    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0040834C    50              PUSH EAX
0040834D    8B4D FC         MOV ECX,DWORD PTR SS:[EBP-4]
00408350    8BD3            MOV EDX,EBX
00408352    4A              DEC EDX
00408353    8D85 F6EFFFFF   LEA EAX,DWORD PTR SS:[EBP-100A]
00408359    E8 32FBFFFF     CALL 576EC.00407E90                      / key CALL-2, step in.
0040835E    EB 0C           JMP SHORT 576EC.0040836C
00408360    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
00408363    E8 48B7FFFF     CALL 576EC.00403AB0
00408368    8BD8            MOV EBX,EAX
0040836A    8BC3            MOV EAX,EBX
0040836C    8BD3            MOV EDX,EBX
0040836E    4A              DEC EDX
0040836F    3BC2            CMP EAX,EDX
00408371    7C 43           JL SHORT 576EC.004083B6
00408373    EB 30           JMP SHORT 576EC.004083A5
00408375    03DB            ADD EBX,EBX
00408377    8BC6            MOV EAX,ESI
00408379    E8 B6B4FFFF     CALL 576EC.00403834
0040837E    8BC6            MOV EAX,ESI
00408380    8BD3            MOV EDX,EBX
00408382    E8 FDB9FFFF     CALL 576EC.00403D84
00408387    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
0040838A    E8 21B7FFFF     CALL 576EC.00403AB0
0040838F    50              PUSH EAX
00408390    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
00408393    50              PUSH EAX
00408394    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00408397    50              PUSH EAX
00408398    8B4D FC         MOV ECX,DWORD PTR SS:[EBP-4]
0040839B    8BD3            MOV EDX,EBX
0040839D    4A              DEC EDX
0040839E    8B06            MOV EAX,DWORD PTR DS:[ESI]
004083A0    E8 EBFAFFFF     CALL 576EC.00407E90
004083A5    8BD3            MOV EDX,EBX
004083A7    4A              DEC EDX
004083A8    3BC2            CMP EAX,EDX
004083AA  ^ 7D C9           JGE SHORT 576EC.00408375
004083AC    8BD6            MOV EDX,ESI
004083AE    92              XCHG EAX,EDX
004083AF    E8 D0B9FFFF     CALL 576EC.00403D84
004083B4    EB 0E           JMP SHORT 576EC.004083C4
004083B6    8D95 F6EFFFFF   LEA EDX,DWORD PTR SS:[EBP-100A]
004083BE    91              XCHG EAX,ECX
004083BF    E8 54B5FFFF     CALL 576EC.00403918
004083C4    5E              POP ESI
004083C5    5B              POP EBX
004083C6    8BE5            MOV ESP,EBP
004083C8    5D              POP EBP
004083C9    C2 0400         RETN 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Key CALL-2:
00407E90    55              PUSH EBP
00407E91    8BEC            MOV EBP,ESP
00407E93    83C4 8C         ADD ESP,-74
00407E96    53              PUSH EBX
00407E97    33DB            XOR EBX,EBX
00407E99    895D F0         MOV DWORD PTR SS:[EBP-10],EBX
00407E9C    53              PUSH EBX
00407E9D    56              PUSH ESI
00407E9E    57              PUSH EDI
00407E9F    89C7            MOV EDI,EAX
00407EA1    89CE            MOV ESI,ECX
00407EA3    034D 10         ADD ECX,DWORD PTR SS:[EBP+10]
00407EA6    897D FC         MOV DWORD PTR SS:[EBP-4],EDI
00407EA9    31C0            XOR EAX,EAX
00407EAB    8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
00407EAE    8945 F4         MOV DWORD PTR SS:[EBP-C],EAX
00407EB1    8945 F0         MOV DWORD PTR SS:[EBP-10],EAX
00407EB4    09D2            OR EDX,EDX
00407EB6    74 0E           JE SHORT 576EC.00407EC6
00407EB8    39CE            CMP ESI,ECX
00407EBA    74 0A           JE SHORT 576EC.00407EC6
00407EBC    AC              LODS BYTE PTR DS:[ESI]
00407EBD    80F8 25         CMP AL,25
00407EC0    74 0E           JE SHORT 576EC.00407ED0
00407EC2    AA              STOS BYTE PTR ES:[EDI]
00407EC3    4A              DEC EDX
00407EC4  ^ 75 F2           JNZ SHORT 576EC.00407EB8
00407EC6    89F8            MOV EAX,EDI
00407EC8    2B45 FC         SUB EAX,DWORD PTR SS:[EBP-4]
00407ECB    E9 A8030000     JMP 576EC.00408278
00407ED0    39CE            CMP ESI,ECX
00407ED2  ^ 74 F2           JE SHORT 576EC.00407EC6
00407ED4    AC              LODS BYTE PTR DS:[ESI]
00407ED5    80F8 25         CMP AL,25
00407ED8  ^ 74 E8           JE SHORT 576EC.00407EC2
00407EDA    8D5E FE         LEA EBX,DWORD PTR DS:[ESI-2]
00407EDD    895D EC         MOV DWORD PTR SS:[EBP-14],EBX
00407EE0    8845 EB         MOV BYTE PTR SS:[EBP-15],AL
00407EE3    80F8 2D         CMP AL,2D
00407EE6    75 05           JNZ SHORT 576EC.00407EED
00407EE8    39CE            CMP ESI,ECX
00407EEA  ^ 74 DA           JE SHORT 576EC.00407EC6
00407EEC    AC              LODS BYTE PTR DS:[ESI]
00407EED    E8 80000000     CALL 576EC.00407F72
00407EF2    80F8 3A         CMP AL,3A
00407EF5    75 0A           JNZ SHORT 576EC.00407F01
00407EF7    895D F8         MOV DWORD PTR SS:[EBP-8],EBX
00407EFA    39CE            CMP ESI,ECX
00407EFC  ^ 74 C8           JE SHORT 576EC.00407EC6
00407EFE    AC              LODS BYTE PTR DS:[ESI]
00407EFF  ^ EB DF           JMP SHORT 576EC.00407EE0
00407F01    895D E4         MOV DWORD PTR SS:[EBP-1C],EBX
00407F04    BB FFFFFFFF     MOV EBX,-1
00407F09    80F8 2E         CMP AL,2E
00407F0C    75 0A           JNZ SHORT 576EC.00407F18
00407F0E    39CE            CMP ESI,ECX
00407F10  ^ 74 B4           JE SHORT 576EC.00407EC6
00407F12    AC              LODS BYTE PTR DS:[ESI]
00407F13    E8 5A000000     CALL 576EC.00407F72
00407F18    895D E0         MOV DWORD PTR SS:[EBP-20],EBX
00407F1B    8975 DC         MOV DWORD PTR SS:[EBP-24],ESI
00407F1E    51              PUSH ECX
00407F1F    52              PUSH EDX
00407F20    E8 96000000     CALL 576EC.00407FBB                      / key CALL-3, step in
00407F25    5A              POP EDX
00407F26    8B5D E4         MOV EBX,DWORD PTR SS:[EBP-1C]
00407F29    29CB            SUB EBX,ECX
00407F2B    73 02           JNB SHORT 576EC.00407F2F
00407F2D    31DB            XOR EBX,EBX
00407F2F    807D EB 2D      CMP BYTE PTR SS:[EBP-15],2D
00407F33    75 0A           JNZ SHORT 576EC.00407F3F
00407F35    29CA            SUB EDX,ECX
00407F37    73 04           JNB SHORT 576EC.00407F3D
00407F39    01D1            ADD ECX,EDX
00407F3B    31D2            XOR EDX,EDX
00407F3D    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00407F3F    87CB            XCHG EBX,ECX
00407F41    29CA            SUB EDX,ECX
00407F43    73 04           JNB SHORT 576EC.00407F49
00407F45    01D1            ADD ECX,EDX
00407F47    31D2            XOR EDX,EDX
00407F49    B0 20           MOV AL,20
00407F4B    F3:AA           REP STOS BYTE PTR ES:[EDI]
00407F4D    87CB            XCHG EBX,ECX
00407F4F    29CA            SUB EDX,ECX
00407F51    73 04           JNB SHORT 576EC.00407F57
00407F53    01D1            ADD ECX,EDX
00407F55    31D2            XOR EDX,EDX
00407F57    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00407F59    837D F4 00      CMP DWORD PTR SS:[EBP-C],0
00407F5D    74 0A           JE SHORT 576EC.00407F69
00407F5F    52              PUSH EDX
00407F60    8D45 F4         LEA EAX,DWORD PTR SS:[EBP-C]
00407F63    E8 1CFFFFFF     CALL 576EC.00407E84
00407F68    5A              POP EDX
00407F69    59              POP ECX
00407F6A    8B75 DC         MOV ESI,DWORD PTR SS:[EBP-24]
00407F6D  ^ E9 42FFFFFF     JMP 576EC.00407EB4
00407F72    31DB            XOR EBX,EBX
00407F74    80F8 2A         CMP AL,2A
00407F77    74 22           JE SHORT 576EC.00407F9B
00407F79    80F8 30         CMP AL,30
00407F7C    72 3C           JB SHORT 576EC.00407FBA
00407F7E    80F8 39         CMP AL,39
00407F81    77 37           JA SHORT 576EC.00407FBA
00407F83    6BDB 0A         IMUL EBX,EBX,0A
00407F86    80E8 30         SUB AL,30
00407F89    0FB6C0          MOVZX EAX,AL
00407F8C    01C3            ADD EBX,EAX
00407F8E    39CE            CMP ESI,ECX
00407F90    74 03           JE SHORT 576EC.00407F95
00407F92    AC              LODS BYTE PTR DS:[ESI]
00407F93  ^ EB E4           JMP SHORT 576EC.00407F79
00407F95    58              POP EAX
00407F96  ^ E9 2BFFFFFF     JMP 576EC.00407EC6
00407F9B    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
00407F9E    3B45 08         CMP EAX,DWORD PTR SS:[EBP+8]
00407FA1    77 12           JA SHORT 576EC.00407FB5
00407FA3    FF45 F8         INC DWORD PTR SS:[EBP-8]
00407FA6    8B5D 0C         MOV EBX,DWORD PTR SS:[EBP+C]
00407FA9    807CC3 04 00    CMP BYTE PTR DS:[EBX+EAX*8+4],0
00407FAE    8B1CC3          MOV EBX,DWORD PTR DS:[EBX+EAX*8]
00407FB1    74 02           JE SHORT 576EC.00407FB5
00407FB3    31DB            XOR EBX,EBX
00407FB5    39CE            CMP ESI,ECX
00407FB7  ^ 74 DC           JE SHORT 576EC.00407F95
00407FB9    AC              LODS BYTE PTR DS:[ESI]
00407FBA    C3              RETN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Key CALL-3:
00407FBB    24 DF           AND AL,0DF
00407FBD    88C1            MOV CL,AL
00407FBF    B8 01000000     MOV EAX,1
00407FC4    8B5D F8         MOV EBX,DWORD PTR SS:[EBP-8]
00407FC7    3B5D 08         CMP EBX,DWORD PTR SS:[EBP+8]
00407FCA    77 5C           JA SHORT 576EC.00408028
00407FCC    FF45 F8         INC DWORD PTR SS:[EBP-8]
00407FCF    8B75 0C         MOV ESI,DWORD PTR SS:[EBP+C]
00407FD2    8D34DE          LEA ESI,DWORD PTR DS:[ESI+EBX*8]
00407FD5    8B06            MOV EAX,DWORD PTR DS:[ESI]
00407FD7    0FB65E 04       MOVZX EBX,BYTE PTR DS:[ESI+4]
00407FDB    FF249D E27F4000 JMP DWORD PTR DS:[EBX*4+407FE2]
00407FE2    D6              SALC
00407FE3    8040 00 26      ADD BYTE PTR DS:[EAX],26
00407FE7    8040 00 3D      ADD BYTE PTR DS:[EAX],3D
00407FEB    8140 00 FB81400>ADD DWORD PTR DS:[EAX],576EC.004081FB
00407FF2    6D              INS DWORD PTR ES:[EDI],DX                / I/O command
00407FF3    8140 00 DD81400>ADD DWORD PTR DS:[EAX],576EC.004081DD
00407FFA    BD 81400026     MOV EBP,26004081
00407FFF    8040 00 26      ADD BYTE PTR DS:[EAX],26
00408003    8040 00 26      ADD BYTE PTR DS:[EAX],26
00408007    8040 00 7E      ADD BYTE PTR DS:[EAX],7E
0040800B    8140 00 A181400>ADD DWORD PTR DS:[EAX],576EC.004081A1
00408012    F781 40004C81 4>TEST DWORD PTR DS:[ECX+814C0040],8026004>
0040801C    40              INC EAX
0040801D    0085 8140003A   ADD BYTE PTR SS:[EBP+3A004081],AL
00408023    8040 00 31      ADD BYTE PTR DS:[EAX],31
00408027    C0E8 40         SHR AL,40                                / shift constant outside the range 1..31
0040802A    0200            ADD AL,BYTE PTR DS:[EAX]
0040802C    008B 55EC8B4D   ADD BYTE PTR DS:[EBX+4D8BEC55],CL
00408032    DC29            FSUBR QWORD PTR DS:[ECX]
00408034    D1E8            SHR EAX,1
00408036    DEFD            FDIVP ST(5),ST
00408038    FFFF            ???                                      / unknown command
0040803A    8D5D D0         LEA EBX,DWORD PTR SS:[EBP-30]
0040803D    8B10            MOV EDX,DWORD PTR DS:[EAX]               / I goes into EDX
0040803F    8913            MOV DWORD PTR DS:[EBX],EDX
00408041    8B50 04         MOV EDX,DWORD PTR DS:[EAX+4]
00408044    8953 04         MOV DWORD PTR DS:[EBX+4],EDX             / H goes into EDX
00408047    80F9 44         CMP CL,44
0040804A    74 11           JE SHORT 576EC.0040805D
0040804C    80F9 55         CMP CL,55
0040804F    74 2A           JE SHORT 576EC.0040807B
00408051    80F9 58         CMP CL,58
00408054  ^ 75 D0           JNZ SHORT 576EC.00408026
00408056    B9 10000000     MOV ECX,10
0040805B    EB 23           JMP SHORT 576EC.00408080
0040805D    F743 04 0000008>TEST DWORD PTR DS:[EBX+4],80000000
00408064    74 15           JE SHORT 576EC.0040807B
00408066    F71B            NEG DWORD PTR DS:[EBX]
00408068    8353 04 00      ADC DWORD PTR DS:[EBX+4],0
0040806C    F75B 04         NEG DWORD PTR DS:[EBX+4]
0040806F    E8 07000000     CALL 576EC.0040807B
00408074    B0 2D           MOV AL,2D
00408076    41              INC ECX
00408077    4E              DEC ESI
00408078    8806            MOV BYTE PTR DS:[ESI],AL
0040807A    C3              RETN
0040807B    B9 0A000000     MOV ECX,0A
00408080    8D75 AF         LEA ESI,DWORD PTR SS:[EBP-51]
00408083    51              PUSH ECX
00408084    6A 00           PUSH 0
00408086    51              PUSH ECX
00408087    8B03            MOV EAX,DWORD PTR DS:[EBX]
00408089    8B53 04         MOV EDX,DWORD PTR DS:[EBX+4]
0040808C    E8 84D8FFFF     CALL 576EC.00405915                      / key CALL-4, step into it
00408091    59              POP ECX
00408092    92              XCHG EAX,EDX
00408093    80C2 30         ADD DL,30
00408096    80FA 3A         CMP DL,3A
00408099    72 03           JB SHORT 576EC.0040809E
0040809B    80C2 07         ADD DL,7
0040809E    4E              DEC ESI
0040809F    8816            MOV BYTE PTR DS:[ESI],DL
004080A1    51              PUSH ECX
004080A2    6A 00           PUSH 0
004080A4    51              PUSH ECX
004080A5    8B03            MOV EAX,DWORD PTR DS:[EBX]
004080A7    8B53 04         MOV EDX,DWORD PTR DS:[EBX+4]
004080AA    E8 71D7FFFF     CALL 576EC.00405820                      / key CALL-5, step into it
004080AF    59              POP ECX
004080B0    8903            MOV DWORD PTR DS:[EBX],EAX
004080B2    8953 04         MOV DWORD PTR DS:[EBX+4],EDX
004080B5    09D0            OR EAX,EDX
004080B7  ^ 75 CA           JNZ SHORT 576EC.00408083

This loop starts its computation with H and I as the initial values. It is a loop containing key CALL-4 and key CALL-5: the number produced by key CALL-4 is stored in ASCII form, and concatenating those characters gives the second column of the real code. The loop exits when key CALL-5 yields EAX=EDX=0.

004080B9    8D4D AF         LEA ECX,DWORD PTR SS:[EBP-51]
004080BC    29F1            SUB ECX,ESI
004080BE    8B55 E0         MOV EDX,DWORD PTR SS:[EBP-20]
004080C1    83FA 10         CMP EDX,10
004080C4    72 01           JB SHORT 576EC.004080C7
004080C6    C3              RETN
004080C7    29CA            SUB EDX,ECX
004080C9    76 0A           JBE SHORT 576EC.004080D5
004080CB    01D1            ADD ECX,EDX
004080CD    B0 30           MOV AL,30
004080CF    4E              DEC ESI
004080D0    8806            MOV BYTE PTR DS:[ESI],AL
004080D2    4A              DEC EDX
004080D3  ^ 75 FA           JNZ SHORT 576EC.004080CF
004080D5    C3              RETN
004080D6    80F9 44         CMP CL,44
004080D9    74 15           JE SHORT 576EC.004080F0
004080DB    80F9 55         CMP CL,55
004080DE    74 22           JE SHORT 576EC.00408102
004080E0    80F9 58         CMP CL,58
004080E3  ^ 0F85 3DFFFFFF   JNZ 576EC.00408026
004080E9    B9 10000000     MOV ECX,10
004080EE    EB 17           JMP SHORT 576EC.00408107
004080F0    09C0            OR EAX,EAX
004080F2    79 0E           JNS SHORT 576EC.00408102
004080F4    F7D8            NEG EAX
004080F6    E8 07000000     CALL 576EC.00408102
004080FB    B0 2D           MOV AL,2D
004080FD    41              INC ECX
004080FE    4E              DEC ESI
004080FF    8806            MOV BYTE PTR DS:[ESI],AL
00408101    C3              RETN
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Key CALL-4:
00405915    55              PUSH EBP
00405916    53              PUSH EBX
00405917    56              PUSH ESI
00405918    57              PUSH EDI
00405919    8B5C24 14       MOV EBX,DWORD PTR SS:[ESP+14]
0040591D    8B4C24 18       MOV ECX,DWORD PTR SS:[ESP+18]
00405921    0BC9            OR ECX,ECX
00405923    75 08           JNZ SHORT 576EC.0040592D
00405925    0BD2            OR EDX,EDX
00405927    74 33           JE SHORT 576EC.0040595C
00405929    0BDB            OR EBX,EBX
0040592B    74 2F           JE SHORT 576EC.0040595C
0040592D    8BE9            MOV EBP,ECX
0040592F    B9 40000000     MOV ECX,40                               / loop 40 (hex) times
00405934    33FF            XOR EDI,EDI
00405936    33F6            XOR ESI,ESI                              / clear ESI to 0
00405938    D1E0            SHL EAX,1                                / shift left by one bit
0040593A    D1D2            RCL EDX,1                                / shift left by one bit
0040593C    D1D6            RCL ESI,1                                / rotate left by one bit through carry
0040593E    D1D7            RCL EDI,1
00405940    3BFD            CMP EDI,EBP
00405942    72 0B           JB SHORT 576EC.0040594F
00405944    77 04           JA SHORT 576EC.0040594A
00405946    3BF3            CMP ESI,EBX
00405948    72 05           JB SHORT 576EC.0040594F
0040594A    2BF3            SUB ESI,EBX
0040594C    1BFD            SBB EDI,EBP
0040594E    40              INC EAX
0040594F  ^ E2 E7           LOOPD SHORT 576EC.00405938

This loop has quite a few misleading spots; you won't see through it without looking carefully, and it is easy to get stuck here for a long time :(. To sum it up: EAX is first shifted left by one, then EDX is rotated left through carry, then ESI is rotated left through carry; then the value in ESI is compared to see whether it is greater than A. If not, the loop simply continues; if it is greater than A, A is subtracted from it, EAX is incremented by 1, and the loop continues. This repeats 40 (hex) times. Finally the value in ESI is moved into EAX, and that EAX is the return value of CALL-4. In short, just keep an eye on ESI; the rest has nothing to do with the algorithm and needn't concern you!

00405951    8BC6            MOV EAX,ESI
00405953    8BD7            MOV EDX,EDI
00405955    5F              POP EDI
00405956    5E              POP ESI
00405957    5B              POP EBX
00405958    5D              POP EBP
00405959    C2 0800         RETN 8
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Key CALL-5:
00405820    55              PUSH EBP
00405821    53              PUSH EBX
00405822    56              PUSH ESI
00405823    57              PUSH EDI
00405824    8B5C24 14       MOV EBX,DWORD PTR SS:[ESP+14]
00405828    8B4C24 18       MOV ECX,DWORD PTR SS:[ESP+18]
0040582C    0BC9            OR ECX,ECX
0040582E    75 08           JNZ SHORT 576EC.00405838
00405830    0BD2            OR EDX,EDX
00405832    74 2F           JE SHORT 576EC.00405863
00405834    0BDB            OR EBX,EBX
00405836    74 2B           JE SHORT 576EC.00405863
00405838    8BE9            MOV EBP,ECX
0040583A    B9 40000000     MOV ECX,40
0040583F    33FF            XOR EDI,EDI
00405841    33F6            XOR ESI,ESI
00405843    D1E0            SHL EAX,1
00405845    D1D2            RCL EDX,1
00405847    D1D6            RCL ESI,1
00405849    D1D7            RCL EDI,1
0040584B    3BFD            CMP EDI,EBP
0040584D    72 0B           JB SHORT 576EC.0040585A
0040584F    77 04           JA SHORT 576EC.00405855
00405851    3BF3            CMP ESI,EBX
00405853    72 05           JB SHORT 576EC.0040585A
00405855    2BF3            SUB ESI,EBX
00405857    1BFD            SBB EDI,EBP
00405859    40              INC EAX
0040585A  ^ E2 E7           LOOPD SHORT 576EC.00405843

Not much different from the previous loop, but this time the values to watch are those in EAX and EDX; the rest has nothing to do with the algorithm and needn't concern you. The value this routine computes is used in the next iteration and also decides whether the loop continues; the first time around, what it computes comes from the initial values H and I.
To sum up its method: EAX is first shifted left by one, then EDX is rotated left through carry, then ESI is rotated left through carry; then the value in ESI is compared to see whether it is greater than A. If not, the loop continues; if it is greater than A, A is subtracted, EAX is incremented by 1, and the loop continues, 40 (hex) times in total. Finally the values in EAX and EDX are returned for use in the next iteration; if EAX=EDX=0 the loop ends.

0040585C    5F              POP EDI
0040585D    5E              POP ESI
0040585E    5B              POP EBX
0040585F    5D              POP EBP
00405860    C2 0800         RETN 8
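The three routines above, reimplemented as an added Python model (not the crackme's code and not from the original post) so that the shift-subtract division loop and the digit loop can be checked against ordinary integer arithmetic; the H and I values in the demo are constructed placeholders, since the real ones are derived in the earlier part of the analysis.

```python
# Added model of the routines above (not the crackme's own code): div64() is the
# SHL/RCL/CMP/SUB/SBB/INC loop shared by key CALL-4 and CALL-5 (0x40 rounds of
# restoring division); cvt_int64() is the digit loop at 00408083..004080B7.
MASK32 = 0xFFFFFFFF


def div64(lo, hi, divisor):
    """Unsigned 64-bit division as the loop performs it.  Dividend arrives in
    EDX:EAX (hi:lo), divisor in EBP:EBX.  Returns (quotient, remainder):
    CALL-5 hands back the quotient in EDX:EAX, CALL-4 the remainder (EDI:ESI).
    The 32-bit fast path taken when EDX and ECX are both zero is not listed on
    the page and gives the same result, so it is not modelled."""
    eax, edx, esi, edi = lo, hi, 0, 0
    ebx, ebp = divisor & MASK32, divisor >> 32
    for _ in range(0x40):                       # MOV ECX,40 ... LOOPD
        # SHL EAX,1 / RCL EDX,1 / RCL ESI,1 / RCL EDI,1: one dividend bit
        # travels through the carry flag into the remainder pair EDI:ESI
        carry = eax >> 31
        eax = (eax << 1) & MASK32
        carry, edx = edx >> 31, ((edx << 1) | carry) & MASK32
        carry, esi = esi >> 31, ((esi << 1) | carry) & MASK32
        edi = ((edi << 1) | carry) & MASK32
        # CMP EDI,EBP / CMP ESI,EBX: subtract the divisor once it fits
        if (edi, esi) >= (ebp, ebx):
            rem = ((edi << 32) | esi) - ((ebp << 32) | ebx)   # SUB ESI,EBX / SBB EDI,EBP
            esi, edi = rem & MASK32, rem >> 32
            eax += 1                                  # INC EAX: bit 0 is free after SHL
    return (edx << 32) | eax, (edi << 32) | esi


def cvt_int64(value, radix):
    """Digit loop at 00408083: CL picks the radix (0x0A for D/U, 0x10 for X)."""
    lo, hi = value & MASK32, value >> 32
    digits = []
    while True:                                   # do-while: even 0 yields "0"
        _, rem = div64(lo, hi, radix)             # key CALL-4, then XCHG EAX,EDX
        dl = 0x30 + rem                           # ADD DL,30
        if dl >= 0x3A:                            # CMP DL,3A / JB
            dl += 7                               # ADD DL,7  -> 'A'..'F'
        digits.append(chr(dl))                    # DEC ESI / MOV [ESI],DL
        quot, _ = div64(lo, hi, radix)            # key CALL-5
        lo, hi = quot & MASK32, quot >> 32        # MOV [EBX],EAX / MOV [EBX+4],EDX
        if quot == 0:                             # OR EAX,EDX / JNZ 00408083
            return "".join(reversed(digits))      # buffer was filled backwards


if __name__ == "__main__":
    H, I = 0x01234567, 0x89ABCDEF                 # constructed placeholder values
    print(cvt_int64((H << 32) | I, 10), cvt_int64((H << 32) | I, 16))
```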
--------------------------------------------------------------------------------

Reprint notice: unless stated otherwise, the articles on this site are original; when reprinting please credit the source: 一川's Blog-XXbuG.Com. Thank you!