Exported fn(): ?checkData@@YGHPAD0@Z - Ord:0001h
:10001320 81ECDC020000 sub esp, 000002DC :10001326 53 push ebx :10001327 55 push ebp :10001328 56 push esi :10001329 57 push edi :1000132A 8BBC24F0020000 mov edi, dword ptr [esp+000002F0] :10001331 83C9FF or ecx, FFFFFFFF :10001334 33C0 xor eax, eax :10001336 33DB xor ebx, ebx :10001338 F2 repnz :10001339 AE scasb :1000133A F7D1 not ecx :1000133C 2BF9 sub edi, ecx :1000133E 8D9424A8000000 lea edx, dword ptr [esp+000000A8] :10001345 8BC1 mov eax, ecx :10001347 8BF7 mov esi, edi :10001349 8BFA mov edi, edx :1000134B 895C241C mov dword ptr [esp+1C], ebx :1000134F C1E902 shr ecx, 02 :10001352 F3 repz :10001353 A5 movsd :10001354 8BC8 mov ecx, eax :10001356 895C2424 mov dword ptr [esp+24], ebx :1000135A 83E103 and ecx, 00000003 :1000135D BD05000000 mov ebp, 00000005 :10001362 F3 repz :10001363 A4 movsb :10001364 8D8C24A8000000 lea ecx, dword ptr [esp+000000A8] :1000136B 895C2420 mov dword ptr [esp+20], ebx :1000136F 51 push ecx :10001370 E8A11E0100 call 10013216 :10001375 83C404 add esp, 00000004 :10001378 53 push ebx
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h | :10001379 FF1530400110 Call dword ptr [10014030] :1000137F 3BC5 cmp eax, ebp=5 :10001381 8B8424A8000000 mov eax, dword ptr [esp+000000A8]=X4X3X2X1 :10001388 750F jne 10001399====>通常应该是不会等于的,也就跳 :1000138A 3C43 cmp al, 43=C :1000138C 7418 je 100013A6 :1000138E 80FC44 cmp ah, 44=D :10001391 0F8582040000 jne 10001819============>错误1 //======================>(应该不会出现此错误) :10001397 EB0D jmp 100013A6
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001388(C) | :10001399 3C43 cmp al, 43 :1000139B 7509 jne 100013A6 :1000139D 80FC44 cmp ah, 44 :100013A0 0F8473040000 je 10001819============>错误2 //======================>用户名为CD则错误
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:1000138C(C), :10001397(U), :1000139B(C) | :100013A6 A1308F0110 mov eax, dword ptr [10018F30] :100013AB 8D9424E8010000 lea edx, dword ptr [esp+000001E8] :100013B2 6804010000 push 00000104 :100013B7 52 push edx :100013B8 50 push eax
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h | :100013B9 FF152C400110 Call dword ptr [1001402C] :100013BF 85C0 test eax, eax :100013C1 0F8452040000 je 10001819============>错误3 //====================>装入模块错误 :100013C7 8D8C24E8010000 lea ecx, dword ptr [esp+000001E8] :100013CE 6A5C push 0000005C :100013D0 51 push ecx :100013D1 E89A9C0000 call 1000B070 :100013D6 8BF0 mov esi, eax :100013D8 83C408 add esp, 00000008 :100013DB 3BF3 cmp esi, ebx=0 :100013DD 0F8436040000 je 10001819============>错误4 //====================>装入模块文件名错误 :100013E3 46 inc esi :100013E4 56 push esi :100013E5 89742418 mov dword ptr [esp+18], esi :100013E9 E8281E0100 call 10013216 :100013EE 8DBC24AC000000 lea edi, dword ptr [esp+000000AC]=用户名 :100013F5 83C9FF or ecx, FFFFFFFF :100013F8 33C0 xor eax, eax :100013FA 83C404 add esp, 00000004 :100013FD F2 repnz :100013FE AE scasb :100013FF 8B9C24F4020000 mov ebx, dword ptr [esp+000002F4] :10001406 F7D1 not ecx :10001408 49 dec ecx :10001409 8BFB mov edi, ebx :1000140B 8BD1 mov edx, ecx :1000140D 83C9FF or ecx, FFFFFFFF :10001410 F2 repnz :10001411 AE scasb :10001412 F7D1 not ecx :10001414 49 dec ecx :10001415 83F918 cmp ecx, 00000018 :10001418 894C2418 mov dword ptr [esp+18], ecx :1000141C 0F82F7030000 jb 10001819============>错误5 //====================>CODE长度检测,>=$15($18-length(SP6)) :10001422 7639 jbe 1000145D :10001424 8D7B18 lea edi, dword ptr [ebx+18] :10001427 83C9FF or ecx, FFFFFFFF :1000142A F2 repnz :1000142B AE scasb :1000142C F7D1 not ecx :1000142E 2BF9 sub edi, ecx :10001430 8D9C24A8000000 lea ebx, dword ptr [esp+000000A8] :10001437 8BF7 mov esi, edi :10001439 8BFB mov edi, ebx :1000143B 8BD9 mov ebx, ecx :1000143D 83C9FF or ecx, FFFFFFFF :10001440 F2 repnz :10001441 AE scasb :10001442 8BCB mov ecx, ebx :10001444 4F dec edi :10001445 C1E902 shr ecx, 02 :10001448 F3 repz :10001449 A5 movsd :1000144A 8BCB mov ecx, ebx :1000144C C744241818000000 mov [esp+18], 00000018 :10001454 83E103 and ecx, 00000003 :10001457 F3 repz :10001458 A4 movsb 
:10001459 8B742414 mov esi, dword ptr [esp+14]
余下的字符串连接到用户名后面 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001422(C) | :1000145D 83FA20 cmp edx, 00000020====>用户名长度 :10001460 7330 jnb 10001492 :10001462 8BFE mov edi, esi :10001464 83C9FF or ecx, FFFFFFFF :10001467 33C0 xor eax, eax :10001469 8D9424A8000000 lea edx, dword ptr [esp+000000A8] :10001470 F2 repnz :10001471 AE scasb :10001472 F7D1 not ecx :10001474 2BF9 sub edi, ecx :10001476 8BF7 mov esi, edi :10001478 8BD9 mov ebx, ecx :1000147A 8BFA mov edi, edx :1000147C 83C9FF or ecx, FFFFFFFF :1000147F F2 repnz :10001480 AE scasb :10001481 8BCB mov ecx, ebx :10001483 4F dec edi :10001484 C1E902 shr ecx, 02 :10001487 F3 repz :10001488 A5 movsd :10001489 8BCB mov ecx, ebx :1000148B 83E103 and ecx, 00000003 :1000148E F3 repz :1000148F A4 movsb :10001490 EB0B jmp 1000149D====>用户名连接DIKEN+余下的注册码+'SRCH32_D.DLL'
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001460(C) | :10001492 8D84149C000000 lea eax, dword ptr [esp+edx+0000009C] :10001499 89442414 mov dword ptr [esp+14], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001490(U) | :1000149D B907000000 mov ecx, 00000007 :100014A2 B84D4D4D4D mov eax, 4D4D4D4D :100014A7 8D7C2448 lea edi, dword ptr [esp+48] :100014AB F3 repz :100014AC AB stosd :100014AD 66AB stosw :100014AF AA stosb :100014B0 B81F000000 mov eax, 0000001F :100014B5 B14D mov cl, 4D
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:100014BC(C) | :100014B7 48 dec eax :100014B8 884C2429 mov byte ptr [esp+29], cl :100014BC 75F9 jne 100014B7 :100014BE 8B7C2418 mov edi, dword ptr [esp+18]=注册码长度 :100014C2 33DB xor ebx, ebx :100014C4 85FF test edi, edi :100014C6 C644244700 mov [esp+47], 00 :100014CB C644246700 mov [esp+67], 00 :100014D0 0F868F000000 jbe 10001565
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000155F(C) | :100014D6 8BB424F4020000 mov esi, dword ptr [esp+000002F4]=Code :100014DD 0FBE0C33 movsx ecx, byte ptr [ebx+esi] :100014E1 51 push ecx ===ODBG==00DE14E1 51 PUSH ECX :100014E2 E85F9B0000 call 1000B046==>转为数字? :100014E7 83C404 add esp, 00000004 :100014EA 85C0 test eax, eax :100014EC 7512 jne 10001500 :100014EE 8B442424 mov eax, dword ptr [esp+24] :100014F2 8A1433 mov dl, byte ptr [ebx+esi] :100014F5 88540428 mov byte ptr [esp+eax+28], dl :100014F9 40 inc eax :100014FA 89442424 mov dword ptr [esp+24], eax :100014FE EB5C jmp 1000155C
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:100014EC(C) | :10001500 F6C301 test bl, 01=========>奇数偶数位 :10001503 7512 jne 10001517 :10001505 8B442424 mov eax, dword ptr [esp+24] :10001509 8A0C33 mov cl, byte ptr [ebx+esi] :1000150C 884C0428 mov byte ptr [esp+eax+28], cl :10001510 40 inc eax :10001511 89442424 mov dword ptr [esp+24], eax :10001515 EB45 jmp 1000155C
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001503(C) | :10001517 8A1433 mov dl, byte ptr [ebx+esi] :1000151A 88542C48 mov byte ptr [esp+ebp+48], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:10001539(U), :10001548(U), :1000154B(U) | :1000151E 0FBE442C48 movsx eax, byte ptr [esp+ebp+48] :10001523 50 push eax :10001524 E81D9B0000 call 1000B046 :10001529 83C404 add esp, 00000004 :1000152C 85C0 test eax, eax :1000152E 741D je 1000154D :10001530 8B442420 mov eax, dword ptr [esp+20] :10001534 85C0 test eax, eax :10001536 7403 je 1000153B :10001538 45 inc ebp :10001539 EBE3 jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001536(C) | :1000153B 85DB test ebx, ebx :1000153D 750B jne 1000154A :1000153F C744242001000000 mov [esp+20], 00000001 :10001547 45 inc ebp :10001548 EBD4 jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000153D(C) | :1000154A 4D dec ebp :1000154B EBD1 jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000152E(C) | :1000154D 8B442420 mov eax, dword ptr [esp+20] :10001551 33C9 xor ecx, ecx :10001553 85C0 test eax, eax :10001555 0F94C1 sete cl :10001558 894C2420 mov dword ptr [esp+20], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:100014FE(U), :10001515(U) | :1000155C 43 inc ebx :1000155D 3BDF cmp ebx, edi :1000155F 0F8271FFFFFF jb 100014D6
用户名会去掉前后空格。注册码+'SP6'分割成前后两部分:
NameXor的串就是奇数串
Name的累加和
NameXOR的异或 NameXOR mod $7FFFFFFF===>转为字符串 xor $67C2D76C=
Code2==>数字,只取一定范围内的 Code1:=Code1+Name2
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:100014D0(C) | :10001565 8D7C2448 lea edi, dword ptr [esp+48] :10001569 83C9FF or ecx, FFFFFFFF :1000156C 33C0 xor eax, eax :1000156E C6442C4800 mov [esp+ebp+48], 00 :10001573 F2 repnz :10001574 AE scasb :10001575 8B542424 mov edx, dword ptr [esp+24] :10001579 F7D1 not ecx :1000157B 49 dec ecx :1000157C C644142800 mov [esp+edx+28], 00 :10001581 83E1FE and ecx, FFFFFFFE :10001584 83F90A cmp ecx, 0000000A :10001587 0F828C020000 jb 10001819============>错误6 //====================>转换后的串2长度 :1000158D 8D442448 lea eax, dword ptr [esp+48] :10001591 50 push eax :10001592 E8A49A0000 call 1000B03B==>串2转为数字32bits有效 :10001597 8B7C2418 mov edi, dword ptr [esp+18] :1000159B 8BD8 mov ebx, eax :1000159D A1388F0110 mov eax, dword ptr [10018F38] :100015A2 83C9FF or ecx, FFFFFFFF :100015A5 33D8 xor ebx, eax :100015A7 33C0 xor eax, eax :100015A9 83C404 add esp, 00000004 :100015AC 8D542428 lea edx, dword ptr [esp+28] :100015B0 F2 repnz :100015B1 AE scasb :100015B2 F7D1 not ecx :100015B4 2BF9 sub edi, ecx :100015B6 8BF7 mov esi, edi :100015B8 8BE9 mov ebp, ecx :100015BA 8BFA mov edi, edx :100015BC 83C9FF or ecx, FFFFFFFF :100015BF F2 repnz :100015C0 AE scasb :100015C1 8BCD mov ecx, ebp :100015C3 4F dec edi :100015C4 C1E902 shr ecx, 02 :100015C7 F3 repz :100015C8 A5 movsd :100015C9 8BCD mov ecx, ebp :100015CB 83E103 and ecx, 00000003 :100015CE F3 repz :100015CF A4 movsb :100015D0 8DBC24A8000000 lea edi, dword ptr [esp+000000A8] ========================>串1+DLL名 :100015D7 83C9FF or ecx, FFFFFFFF :100015DA F2 repnz :100015DB AE scasb :100015DC F7D1 not ecx :100015DE 49 dec ecx :100015DF 8D7C2428 lea edi, dword ptr [esp+28] :100015E3 8BD1 mov edx, ecx :100015E5 83C9FF or ecx, FFFFFFFF :100015E8 F2 repnz :100015E9 AE scasb :100015EA F7D1 not ecx :100015EC 49 dec ecx :100015ED 83FA20 cmp edx, 00000020 :100015F0 894C2418 mov dword ptr [esp+18], ecx :100015F4 0F821F020000 jb 10001819============>错误7 
========================>用户名长度>=$20的时候,Name+余串 ========================>否则Name+余串+'' ========================>DLL为12 ========================>串1的长必须>=20 ========================>重新输入假注册码40字节长 :100015FA 85D2 test edx, edx :100015FC 7617 jbe 10001615
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001613(C) | :100015FE 0FBE8C04A8000000 movsx ecx, byte ptr [esp+eax+000000A8] DIKEN5678901234567890SP6SRCH32_D.DLL
:10001606 8B7C241C mov edi, dword ptr [esp+1C] :1000160A 03F9 add edi, ecx :1000160C 40 inc eax :1000160D 3BC2 cmp eax, edx :1000160F 897C241C mov dword ptr [esp+1C], edi====>累加结果 :10001613 72E9 jb 100015FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:100015FC(C) | :10001615 8BFA mov edi, edx :10001617 83E703 and edi, 00000003 是否为4的倍数 :1000161A 7420 je 1000163C=======>是则转 :1000161C 33F6 xor esi, esi :1000161E 33C9 xor ecx, ecx :10001620 33C0 xor eax, eax :10001622 85FF test edi, edi :10001624 7622 jbe 10001648
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001638(C) | :10001626 0FBEAC04A8000000 movsx ebp, byte ptr [esp+eax+000000A8]====>Name串 :1000162E D3E5 shl ebp, cl :10001630 83C108 add ecx, 00000008 :10001633 0BF5 or esi, ebp :10001635 40 inc eax :10001636 3BC7 cmp eax, edi :10001638 72EC jb 10001626 :1000163A EB0C jmp 10001648
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000161A(C) | :1000163C 8BB424A8000000 mov esi, dword ptr [esp+000000A8] :10001643 B804000000 mov eax, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:10001624(C), :1000163A(U) | :10001648 3BC2 cmp eax, edx :1000164A 7310 jnb 1000165C
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000165A(C) | :1000164C 8BAC04A8000000 mov ebp, dword ptr [esp+eax+000000A8] :10001653 83C004 add eax, 00000004 :10001656 33F5 xor esi, ebp=========>ESI的值261B0109(我的) :10001658 3BC2 cmp eax, edx :1000165A 72F0 jb 1000164C
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000164A(C) | :1000165C 8B542418 mov edx, dword ptr [esp+18] :10001660 83E203 and edx, 00000003 :10001663 741D je 10001682 :10001665 33ED xor ebp, ebp :10001667 33C9 xor ecx, ecx :10001669 33C0 xor eax, eax :1000166B 85D2 test edx, edx :1000166D 761C jbe 1000168B
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000167E(C) | :1000166F 0FBE7C0428 movsx edi, byte ptr [esp+eax+28]===>Code串1+用户名余串 :10001674 D3E7 shl edi, cl :10001676 83C108 add ecx, 00000008 :10001679 0BEF or ebp, edi :1000167B 40 inc eax :1000167C 3BC2 cmp eax, edx :1000167E 72EF jb 1000166F :10001680 EB09 jmp 1000168B
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001663(C) | :10001682 8B6C2428 mov ebp, dword ptr [esp+28]=======>串1 :10001686 B804000000 mov eax, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:1000166D(C), :10001680(U) | :1000168B 8B4C2418 mov ecx, dword ptr [esp+18] :1000168F 3BC1 cmp eax, ecx :10001691 730D jnb 100016A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:1000169E(C) | :10001693 8B540428 mov edx, dword ptr [esp+eax+28] :10001697 83C004 add eax, 00000004 :1000169A 33EA xor ebp, edx============>结果63382C54(我的) :1000169C 3BC1 cmp eax, ecx :1000169E 72F3 jb 10001693
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001691(C) | :100016A0 8D542468 lea edx, dword ptr [esp+68] :100016A4 6A0A push 0000000A :100016A6 52 push edx :100016A7 8BC6 mov eax, esi :100016A9 33D2 xor edx, edx :100016AB B9FFFFFF7F mov ecx, 7FFFFFFF :100016B0 F7F1 div ecx :100016B2 33EB xor ebp, ebx==========>ebp :100016B4 52 push edx===> :100016B5 E805100100 call 100126BF=======> EAX=960575048 ECX=75048 :100016BA 8B5C2428 mov ebx, dword ptr [esp+28] :100016BE 8B3D388F0110 mov edi, dword ptr [10018F38] :100016C4 8D9424B4010000 lea edx, dword ptr [esp+000001B4] :100016CB 6A0A push 0000000A :100016CD 52 push edx :100016CE 53 push ebx=================>累加和 :100016CF 33F7 xor esi, edi==========>esi :100016D1 E8E90F0100 call 100126BF EAX=12159 ECX=159 取后3个 :100016D6 8DBC2480000000 lea edi, dword ptr [esp+00000080] :100016DD 83C9FF or ecx, FFFFFFFF :100016E0 33C0 xor eax, eax :100016E2 83C418 add esp, 00000018 :100016E5 F2 repnz :100016E6 AE scasb :100016E7 F7D1 not ecx :100016E9 49 dec ecx :100016EA 8DBC24A8010000 lea edi, dword ptr [esp+000001A8] :100016F1 894C2420 mov dword ptr [esp+20], ecx :100016F5 83C9FF or ecx, FFFFFFFF :100016F8 F2 repnz :100016F9 AE scasb :100016FA F7D1 not ecx :100016FC 49 dec ecx :100016FD 8BC3 mov eax, ebx==========>累加和 :100016FF 894C2418 mov dword ptr [esp+18], ecx :10001703 33D2 xor edx, edx :10001705 B905000000 mov ecx, 00000005 :1000170A F7F1 div ecx :1000170C 85D2 test edx, edx :1000170E 8954241C mov dword ptr [esp+1C], edx :10001712 7504 jne 10001718========是5的倍数则=0否则=5 :10001714 894C241C mov dword ptr [esp+1C], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001712(C) | :10001718 33DB xor ebx, ebx :1000171A 33FF xor edi, edi :1000171C 3BF5 cmp esi, ebp :1000171E C644241400 mov [esp+14], 00 :10001723 0F85F0000000 jne 10001819============>错误8 ==================================================================== 00DE171A ==================================================================== [这段循环检测条件] 共14次检测 这儿使用的是ODBG中的代码,因为我分析使用的 ==================================================================== ==================================================================== * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:100017FA(C), :10001802(U) |
00DE1729 8A443C 68 MOV AL,BYTE PTR SS:[ESP+EDI+68] 00DE172D 8A4C24 1C MOV CL,BYTE PTR SS:[ESP+1C]=5NameAdd的和 00DE1731 02C1 ADD AL,CL 00DE1733 0FBED0 MOVSX EDX,AL 00DE1736 52 PUSH EDX 00DE1737 884424 16 MOV BYTE PTR SS:[ESP+16],AL========== 00DE173B E8 06990000 CALL Srch32_d.00DEB046 + 00DE1740 83C4 04 ADD ESP,4 +===>同一位置 00DE1743 85C0 TEST EAX,EAX + 00DE1745 75 05 JNZ SHORT Srch32_d.00DE174C========== 00DE1747 804424 12 F7 ADD BYTE PTR SS:[ESP+12],F7 00DE174C 8A4424 12 MOV AL,BYTE PTR SS:[ESP+12] 00DE1750 8A4C1C 28 MOV CL,BYTE PTR SS:[ESP+EBX+28]===>奇数位值的串 00DE1754 3AC1 CMP AL,CL 00DE1756 0F85 BD000000 JNZ Srch32_d.00DE1819============>错误9 00DE175C 43 INC EBX 00DE175D 83FB 0E CMP EBX,E 00DE1760 0F83 A1000000 JNB Srch32_d.00DE1807=====================>正确1 00DE1766 0FBE4C1C 28 MOVSX ECX,BYTE PTR SS:[ESP+EBX+28] 00DE176B 51 PUSH ECX 00DE176C E8 D5980000 CALL Srch32_d.00DEB046 00DE1771 83C4 04 ADD ESP,4 00DE1774 85C0 TEST EAX,EAX 00DE1776 75 0A JNZ SHORT Srch32_d.00DE1782 00DE1778 43 INC EBX 00DE1779 83FB 0E CMP EBX,E 00DE177C 0F83 85000000 JNB Srch32_d.00DE1807=====================>正确2 00DE1782 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+20]=====>NameXor串长度 00DE1786 47 INC EDI 00DE1787 3BFE CMP EDI,ESI 00DE1789 72 02 JB SHORT Srch32_d.00DE178D 00DE178B 33FF XOR EDI,EDI 00DE178D 8BC7 MOV EAX,EDI 00DE178F 33D2 XOR EDX,EDX 00DE1791 F77424 18 DIV DWORD PTR SS:[ESP+18]=========>Name串累加和串长度 00DE1795 8A4C3C 68 MOV CL,BYTE PTR SS:[ESP+EDI+68] 00DE1799 8A4424 14 MOV AL,BYTE PTR SS:[ESP+14]=========+ 00DE179D 6A 0A PUSH A + 00DE179F 8A9414 AC010000 MOV DL,BYTE PTR SS:[ESP+EDX+1AC]=========>Name串累加和串 00DE17A6 32D1 XOR DL,CL + 00DE17A8 B9 0A000000 MOV ECX,A + 00DE17AD 02C2 ADD AL,DL + 00DE17AF 884424 18 MOV BYTE PTR SS:[ESP+18],AL=========+===>同一个地址 00DE17B3 8D4424 16 LEA EAX,DWORD PTR SS:[ESP+16] + 00DE17B7 50 PUSH EAX + 00DE17B8 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]=======+ 00DE17BC 25 FF000000 AND EAX,FF 00DE17C1 99 CDQ 00DE17C2 F7F9 IDIV ECX 00DE17C4 52 PUSH EDX 00DE17C5 E8 
F50E0100 CALL Srch32_d.00DF26BF====>得到字符['0'..'9'] 00DE17CA 8A5424 1E MOV DL,BYTE PTR SS:[ESP+1E]=========> 00DE17CE 8A441C 34 MOV AL,BYTE PTR SS:[ESP+EBX+34]========>奇数位置串 00DE17D2 83C4 0C ADD ESP,C 00DE17D5 3AD0 CMP DL,AL 00DE17D7 75 40 JNZ SHORT Srch32_d.00DE1819============>错误10 00DE17D9 43 INC EBX 00DE17DA 83FB 0E CMP EBX,E 00DE17DD 73 28 JNB SHORT Srch32_d.00DE1807=====================>正确3 00DE17DF 0FBE441C 28 MOVSX EAX,BYTE PTR SS:[ESP+EBX+28]====>奇数位置串 00DE17E4 50 PUSH EAX 00DE17E5 E8 5C980000 CALL Srch32_d.00DEB046 00DE17EA 83C4 04 ADD ESP,4 00DE17ED 85C0 TEST EAX,EAX 00DE17EF 75 06 JNZ SHORT Srch32_d.00DE17F7 00DE17F1 43 INC EBX 00DE17F2 83FB 0E CMP EBX,E 00DE17F5 73 10 JNB SHORT Srch32_d.00DE1807=====================>正确4 00DE17F7 47 INC EDI 00DE17F8 3BFE CMP EDI,ESI 00DE17FA 0F82 29FFFFFF JB Srch32_d.00DE1729 00DE1800 33FF XOR EDI,EDI 00DE1802 E9 22FFFFFF JMP Srch32_d.00DE1729 =========================================================================== 主要循环过程结束 =========================================================================== * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:10001760(C), :1000177C(C), :100017DD(C), :100017F5(C) | :10001807 5F pop edi :10001808 5E pop esi :10001809 5D pop ebp :1000180A B801000000 mov eax, 00000001 :1000180F 5B pop ebx :10001810 81C4DC020000 add esp, 000002DC :10001816 C20800 ret 0008
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:10001391(C), :100013A0(C), :100013C1(C), :100013DD(C), :1000141C(C) |:10001587(C), :100015F4(C), :10001723(C), :10001756(C), :100017D7(C) | :10001819 5F pop edi :1000181A 5E pop esi :1000181B 5D pop ebp :1000181C 33C0 xor eax, eax :1000181E 5B pop ebx :1000181F 81C4DC020000 add esp, 000002DC :10001825 C20800 ret 0008 ================================================================= = =虽然没找到正确的Code,但可以给大家一个可以通过前面检测的Code =但我觉得,应该主要分析后面的14次比较,算法还原,还在思考中 =Name:DiKeN/OCG =Code:8891933687692150361075Open Cracking Group = =======================Open Cracking Group======================= = = Search32-PRO v6.05注册算法分析 = DiKeN/OCG = = http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi ====================Open Cracking Group==========================