您的位置:首页精文荟萃破解文章 → CCProxy 5.0 注册码算法分析

CCProxy 5.0 注册码算法分析

时间:2004/10/15 0:55:00来源:本站整理作者:蓝点我要评论(1)

 
=================================
inside Pandora's Box
CCProxy 5.0


CrAcKeD BY alphakk/iPB
=================================

这东西写得比较急,不对的地方请指出来:)不过注册机没问题,呵呵。
软件简介:CCProxy是一款用来架设代理服务器的软件,设置很方便,有详细的说明文档,软件本身也很小。
     5.0版未注册可供3用户试用28天。注册界面上的“序列号”实际上是用户名,本文用“用户名”。
     主算法为MD5。
=================================

.text:0040759C push ebp
.text:0040759D push esi
.text:0040759E push edx ; const char *
.text:0040759F push edx ; int
.text:004075A0 call sub_41CAD0 ; 算法CALL(第一轮)
.text:004075A5 mov edi, eax
.text:004075A7 or ecx, 0FFFFFFFFh
.text:004075AA xor eax, eax
.text:004075AC lea edx, [esp+181Ch+var_1804]
.text:004075B0 repne scasb
.text:004075B2 not ecx
.text:004075B4 sub edi, ecx
.text:004075B6 mov eax, ecx
.text:004075B8 mov esi, edi
.text:004075BA mov edi, edx
.text:004075BC shr ecx, 2
.text:004075BF repe movsd
.text:004075C1 mov ecx, eax
.text:004075C3 and ecx, 3
.text:004075C6 repe movsb
.text:004075C8 lea ecx, [esp+181Ch+var_1404]
.text:004075CF push ecx ; char *
.text:004075D0 call sub_421840
.text:004075D5 lea edx, [esp+1820h+var_1404]
.text:004075DC lea eax, [esp+1820h+var_1804]
.text:004075E0 push edx ; const char *
.text:004075E1 push eax ; int
.text:004075E2 call sub_41CAD0    ; 算法CALL(第二轮)
.text:004075E7 mov cl, byte_461350
.text:004075ED mov edx, eax
.text:004075EF mov [esp+1828h+var_1004], cl
.text:004075F6 mov ecx, 400h
.text:004075FB xor eax, eax
.text:004075FD lea edi, [esp+1828h+var_1003]
.text:00407604 repe stosd
.text:00407606 mov edi, edx
.text:00407608 or ecx, 0FFFFFFFFh
.text:0040760B repne scasb
.text:0040760D not ecx
.text:0040760F sub edi, ecx
.text:00407611 lea ebp, [esp+1828h+var_1004]
.text:00407618 mov edx, ecx
.text:0040761A mov esi, edi
.text:0040761C mov edi, ebp
.text:0040761E push offset aY ; int
.text:00407623 shr ecx, 2
.text:00407626 repe movsd
.text:00407628 mov ecx, edx
.text:0040762A lea eax, [esp+182Ch+var_1004]
.text:00407631 and ecx, 3
.text:00407634 push offset a__0 ; const char *
.text:00407639 repe movsb
.text:0040763B push eax ; const char *
.text:0040763C call sub_4211F0    ;对注册码的处理(转换字符'.'为'y')
.text:00407641 push offset aA_0 ; int
.text:00407646 lea ecx, [esp+1838h+var_1004]
.text:0040764D push offset asc_45D628 ; const char *
.text:00407652 push ecx ; const char *
.text:00407653 call sub_4211F0 ;对注册码的处理(转换字符'/'为'a')
.text:00407658 push offset aO ; int
.text:0040765D lea edx, [esp+1844h+var_1004]
.text:00407664 push offset asc_45D620 ; const char *
.text:00407669 push edx ; const char *
.text:0040766A call sub_4211F0 ;对注册码的处理(转换字符'$'为'o')
.text:0040766F add esp, 38h
.text:00407672 mov esi, ebx
.text:00407674 lea eax, [esp+1814h+var_1004]
.text:0040767B
.text:0040767B loc_40767B: ; CODE XREF: sub_407560+13Dj
.text:0040767B mov dl, [eax] ;真假注册码比较
.text:0040767D mov bl, [esi]
.text:0040767F mov cl, dl
.text:00407681 cmp dl, bl
.text:00407683 jnz short loc_4076B5

===========================================================
进入  call sub_41CAD0 (为方便理解,只对第一轮进行详细说明)
===========================================================
.text:0041CAD0 ; int __cdecl sub_41CAD0(int,const char *)
.text:0041CAD0 sub_41CAD0 proc near ; CODE XREF: sub_407560+40p
.text:0041CAD0 ; sub_407560+82p
.text:0041CAD0
.text:0041CAD0 var_C8 = dword ptr -0C8h
.text:0041CAD0 var_C4 = dword ptr -0C4h
.text:0041CAD0 var_C0 = dword ptr -0C0h
.text:0041CAD0 var_BC = dword ptr -0BCh
.text:0041CAD0 var_B4 = dword ptr -0B4h
.text:0041CAD0 var_B0 = byte ptr -0B0h
.text:0041CAD0 var_58 = byte ptr -58h
.text:0041CAD0 arg_0 = dword ptr 4
.text:0041CAD0 arg_4 = dword ptr 8
.text:0041CAD0
.text:0041CAD0 sub esp, 0C8h
.text:0041CAD6 or ecx, 0FFFFFFFFh
.text:0041CAD9 xor eax, eax
.text:0041CADB mov edx, [esp+0C8h+arg_4]
.text:0041CAE2 push ebx
.text:0041CAE3 push ebp
.text:0041CAE4 push esi
.text:0041CAE5 push edi
.text:0041CAE6 mov edi, offset a1_3 ; "$1$"
.text:0041CAEB mov dword_46AEE8, edx
.text:0041CAF1 repne scasb
.text:0041CAF3 not ecx
.text:0041CAF5 dec ecx
.text:0041CAF6 push ecx ; size_t
.text:0041CAF7 push offset a1_3 ; const char *
.text:0041CAFC push edx ; const char *
.text:0041CAFD call _strncmp ;比较用户名与字符串"$1$"
.text:0041CB02 add esp, 0Ch
.text:0041CB05 test eax, eax
.text:0041CB07 jnz short loc_41CB26
.text:0041CB09 mov edi, offset a1_3 ; "$1$"
.text:0041CB0E or ecx, 0FFFFFFFFh
.text:0041CB11 repne scasb
.text:0041CB13 mov edx, dword_46AEE8
.text:0041CB19 not ecx
.text:0041CB1B dec ecx
.text:0041CB1C add edx, ecx
.text:0041CB1E mov dword_46AEE8, edx
.text:0041CB24 jmp short loc_41CB2C
.text:0041CB26 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0041CB26 //////////////////////////////////////////////////////////////////////
如果用户名长度不小于8字节,则取用户名前8个字节,否则取整个用户名
.text:0041CB26 loc_41CB26: ; CODE XREF: sub_41CAD0+37j
.text:0041CB26 mov edx, dword_46AEE8
.text:0041CB2C
.text:0041CB2C loc_41CB2C: ; CODE XREF: sub_41CAD0+54j
.text:0041CB2C mov eax, edx
.text:0041CB2E mov dword_46AEE4, eax
.text:0041CB33 mov cl, [edx]
.text:0041CB35 test cl, cl
.text:0041CB37 jz short loc_41CB51
.text:0041CB39
.text:0041CB39 loc_41CB39: ; CODE XREF: sub_41CAD0+7Fj
.text:0041CB39 cmp cl, 24h
.text:0041CB3C jz short loc_41CB51
.text:0041CB3E lea ecx, [edx+8]
.text:0041CB41 cmp eax, ecx
.text:0041CB43 jnb short loc_41CB51
.text:0041CB45 inc eax
.text:0041CB46 mov dword_46AEE4, eax
.text:0041CB4B mov cl, [eax]
.text:0041CB4D test cl, cl
.text:0041CB4F jnz short loc_41CB39
.text:0041CB51 ////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////
这一段是为整个算法的第二步作数据填充
.text:0041CB51 loc_41CB51: ; CODE XREF: sub_41CAD0+67j
.text:0041CB51 ; sub_41CAD0+6Cj ...
.text:0041CB51 sub eax, edx
.text:0041CB53 lea edx, [esp+0D8h+var_58]
.text:0041CB5A mov esi, eax
.text:0041CB5C push edx
.text:0041CB5D mov [esp+0DCh+var_B4], esi
.text:0041CB61 call sub_41CF80 ; 初始化MD5的四个参数
.text:0041CB66 mov ebp, [esp+0DCh+arg_0]
.text:0041CB6D or ecx, 0FFFFFFFFh
.text:0041CB70 mov edi, ebp
.text:0041CB72 xor eax, eax
.text:0041CB74 repne scasb
.text:0041CB76 not ecx
.text:0041CB78 dec ecx
.text:0041CB79 lea eax, [esp+0DCh+var_58]
.text:0041CB80 push ecx
.text:0041CB81 push ebp
.text:0041CB82 push eax
.text:0041CB83 call sub_41CFB0 ;Update( BYTE* Input(用户名),ULONG nInputLen(用户名长度) )
.text:0041CB88 mov edi, offset a1_3 ; "$1$"
.text:0041CB or ecx, 0FFFFFFFFh
.text:0041CB90 xor eax, eax
.text:0041CB92 repne scasb
.text:0041CB94 not ecx
.text:0041CB96 dec ecx
.text:0041CB97 push ecx
.text:0041CB98 lea ecx, [esp+0ECh+var_58]
.text:0041CB9F push offset a1_3 ; "$1$"
.text:0041CBA4 push ecx
.text:0041CBA5 call sub_41CFB0 ;Update( BYTE* Input("$1$"),ULONG nInputLen (3))
.text:0041CBAA mov edx, dword_46AEE8
.text:0041CBB0 push esi
.text:0041CBB1 lea eax, [esp+0F8h+var_58]
.text:0041CBB8 push edx
.text:0041CBB9 push eax
.text:0041CBBA call sub_41CFB0 ; Update( BYTE* Input(用户名前8字节,如果用户名长度小于8字节,则用整个用户名),ULONG nInputLen )
/////////////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////////////
算法第一步:
.text:0041CBBF lea ecx, [esp+100h+var_B0]
.text:0041CBC3 push ecx
.text:0041CBC4 call sub_41CF80 ; 初始化MD5的四个参数
.text:0041CBC9 mov edi, ebp
.text:0041CBCB or ecx, 0FFFFFFFFh
.text:0041CBCE xor eax, eax
.text:0041CBD0 lea edx, [esp+104h+var_B0]
.text:0041CBD4 repne scasb
.text:0041CBD6 not ecx
.text:0041CBD8 dec ecx
.text:0041CBD9 push ecx
.text:0041CBDA push ebp
.text:0041CBDB push edx
.text:0041CBDC call sub_41CFB0 ; Update( 用户名,用户名长度)
.text:0041CBE1 mov eax, dword_46AEE8
.text:0041CBE6 push esi
.text:0041CBE7 lea ecx, [esp+114h+var_B0]
.text:0041CBEB push eax
.text:0041CBEC push ecx
.text:0041CBED call sub_41CFB0 ;Update( 用户名(前8字节,如果用户名长度小于8字节,则用整个用户名),ULONG nInputLen )
.text:0041CBF2 mov edi, ebp
.text:0041CBF4 or ecx, 0FFFFFFFFh
.text:0041CBF7 xor eax, eax
.text:0041CBF9 add esp, 44h
.text:0041CBFC repne scasb
.text:0041CBFE not ecx
.text:0041CC00 dec ecx
.text:0041CC01 lea edx, [esp+0D8h+var_B0]
.text:0041CC05 push ecx
.text:0041CC06 push ebp
.text:0041CC07 push edx
.text:0041CC08 call sub_41CFB0 ; Update( 用户名,用户名长度)
.text:0041CC0D lea eax, [esp+0E4h+var_B0]
.text:0041CC11 lea ecx, [esp+0E4h+var_C8]
.text:0041CC15 push eax
.text:0041CC16 push ecx
.text:0041CC17 call sub_41D0A0 ;MD5变换:设结果为Result1[16]
.text:0041CC1C mov edi, ebp
.text:0041CC1E or ecx, 0FFFFFFFFh
.text:0041CC21 xor eax, eax
.text:0041CC23 add esp, 14h
.text:0041CC26 repne scasb
.text:0041CC28 not ecx
.text:0041CC2A dec ecx
.text:0041CC2B mov esi, ecx
.text:0041CC2D test esi, esi
.text:0041CC2F jle short loc_41CC5A
.text:0041CC31
.text:0041CC31 loc_41CC31: ; CODE XREF: sub_41CAD0+188j
.text:0041CC31 cmp esi, 10h     ;用户名长度>16?
.text:0041CC34 mov eax, 10h
.text:0041CC39 jg short loc_41CC3D
.text:0041CC3B mov eax, esi
.text:0041CC3D
.text:0041CC3D loc_41CC3D: ; CODE XREF: sub_41CAD0+169j
.text:0041CC3D push eax
.text:0041CC3E lea edx, [esp+0DCh+var_C8]
.text:0041CC42 lea eax, [esp+0DCh+var_58]
.text:0041CC49 push edx
.text:0041CC4A push eax
.text:0041CC4B call sub_41CFB0 ;Update(Result1,EAX)
.text:0041CC50 sub esi, 10h
.text:0041CC53 add esp, 0Ch
.text:0041CC56 test esi, esi ;ESI>0?
.text:0041CC58 jg short loc_41CC31
.text:0041CC5A
.text:0041CC5A loc_41CC5A: ; CODE XREF: sub_41CAD0+15Fj
.text:0041CC5A xor ecx, ecx
.text:0041CC5C mov edi, ebp
.text:0041CC5E mov [esp+0D8h+var_C8], ecx
.text:0041CC62 xor eax, eax
.text:0041CC64 mov [esp+0D8h+var_C4], ecx
.text:0041CC68 mov [esp+0D8h+var_C0], ecx
.text:0041CC6C mov [esp+0D8h+var_BC], ecx
.text:0041CC70 or ecx, 0FFFFFFFFh
.text:0041CC73 repne scasb
.text:0041CC75 not ecx
.text:0041CC77 dec ecx
.text:0041CC78 mov ebx, ecx ;用户名长度->EBX
.text:0041CC7A jz short loc_41CCA7
.text:0041CC7C
.text:0041CC7C loc_41CC7C: ; CODE XREF: sub_41CAD0+1D5j
.text:0041CC7C test bl, 1 ;为偶数?
.text:0041CC7F push 1
.text:0041CC81 jz short loc_41CC92   ;是则跳
.text:0041CC83 lea edx, [esp+0DCh+var_C8]
.text:0041CC87 lea eax, [esp+0DCh+var_58]
.text:0041CC8E push edx
.text:0041CC8F push eax
.text:0041CC90 jmp short loc_41CC9B
.text:0041CC92 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0041CC92
.text:0041CC92 loc_41CC92: ; CODE XREF: sub_41CAD0+1B1j
.text:0041CC92 lea ecx, [esp+0DCh+var_58]
.text:0041CC99 push ebp
.text:0041CC9A push ecx
.text:0041CC9B
.text:0041CC9B loc_41CC9B: ; CODE XREF: sub_41CAD0+1C0j
.text:0041CC9B call sub_41CFB0 ;用户名长度为偶数则Update(用户名第1个字节,1)否则Update(""(空串),1)
.text:0041CCA0 add esp, 0Ch
.text:0041CCA3 sar ebx, 1
.text:0041CCA5 jnz short loc_41CC7C
.text:0041CCA7
.text:0041CCA7 loc_41CCA7: ; CODE XREF: sub_41CAD0+1AAj
.text:0041CCA7 mov edi, offset a1_3 ; "$1$"
.text:0041CCAC or ecx, 0FFFFFFFFh
.text:0041CCAF xor eax, eax
.text:0041CCB1 repne scasb
.text:0041CCB3 not ecx
.text:0041CCB5 sub edi, ecx
.text:0041CCB7 mov eax, [esp+0D8h+var_B4]
.text:0041CCBB mov edx, ecx
.text:0041CCBD mov esi, edi
.text:0041CCBF mov edi, offset unk_46AE6C
.text:0041CCC4 push eax ; size_t
.text:0041CCC5 shr ecx, 2
.text:0041CCC8 repe movsd
.text:0041CCCA mov ecx, edx
.text:0041CCCC and ecx, 3
.text:0041CCCF repe movsb
.text:0041CCD1 mov ecx, dword_46AEE8
.text:0041CCD7 push ecx ; const char *
.text:0041CCD8 push offset unk_46AE6C ; char *
.text:0041CCDD call _strncat
.text:0041CCE2 mov edi, offset asc_45D620 ; "$"
.text:0041CCE7 or ecx, 0FFFFFFFFh
.text:0041CCEA xor eax, eax
.text:0041CCEC repne scasb
.text:0041CCEE not ecx
.text:0041CCF0 sub edi, ecx
.text:0041CCF2 mov esi, edi
.text:0041CCF4 mov edx, ecx
.text:0041CCF6 mov edi, offset unk_46AE6C
.text:0041CCFB or ecx, 0FFFFFFFFh
.text:0041CCFE repne scasb
.text:0041CD00 mov ecx, edx
.text:0041CD02 dec edi
.text:0041CD03 shr ecx, 2
.text:0041CD06 repe movsd
.text:0041CD08 mov ecx, edx
.text:0041CD0A lea eax, [esp+0E4h+var_58]
.text:0041CD11 and ecx, 3
.text:0041CD14 push eax
.text:0041CD15 repe movsb
.text:0041CD17 lea ecx, [esp+0E8h+var_C8]
.text:0041CD1B push ecx
.text:0041CD1C call sub_41D0A0 ;MD5变换,设结果为Result2[16]
.text:0041CD21 add esp, 14h
算法第二步完成
/////////////////////////////////////////////////////////////////////

////////////////////////////////////////////////////////////////////
算法第三步:
.text:0041CD24 xor esi, esi ; 计数器清零
.text:0041CD26
.text:0041CD26 loc_41CD26: ; CODE XREF: sub_41CAD0+328j
.text:0041CD26 lea edx, [esp+0D8h+var_B0]
.text:0041CD2A push edx
.text:0041CD2B call sub_41CF80 ;MD5初始化
.text:0041CD30 mov ebx, esi
.text:0041CD32 add esp, 4
.text:0041CD35 and ebx, 1
.text:0041CD38 jz short loc_41CD4F
.text:0041CD3A mov edi, ebp
.text:0041CD3C or ecx, 0FFFFFFFFh
.text:0041CD3F xor eax, eax
.text:0041CD41 repne scasb
.text:0041CD43 not ecx
.text:0041CD45 dec ecx
.text:0041CD46 lea eax, [esp+0D8h+var_B0]
.text:0041CD4A push ecx
.text:0041CD4B push ebp
.text:0041CD4C push eax
.text:0041CD4D jmp short loc_41CD5B ; Update(Result2,16)
.text:0041CD4F ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0041CD4F
.text:0041CD4F loc_41CD4F: ; CODE XREF: sub_41CAD0+268j
.text:0041CD4F lea ecx, [esp+0D8h+var_C8]
.text:0041CD53 push 10h
.text:0041CD55 lea edx, [esp+0DCh+var_B0]
.text:0041CD59 push ecx
.text:0041CD5A push edx
.text:0041CD5B
.text:0041CD5B loc_41CD5B: ; CODE XREF: sub_41CAD0+27Dj
.text:0041CD5B call sub_41CFB0 ; Update(Result2,16)
.text:0041CD60 mov eax, esi
.text:0041CD62 mov ecx, 3
.text:0041CD67 cdq
.text:0041CD68 idiv ecx
.text:0041CD6A add esp, 0Ch
.text:0041CD6D test edx, edx
.text:0041CD6F jz short loc_41CD89 ; 余数为零则跳
.text:0041CD71 mov edx, [esp+0D8h+var_B4]
.text:0041CD75 mov eax, dword_46AEE8
.text:0041CD7A push edx
.text:0041CD7B lea ecx, [esp+0DCh+var_B0]
.text:0041CD7F push eax
.text:0041CD80 push ecx
.text:0041CD81 call sub_41CFB0 ; Update( 用户名(前8字节,如果用户名长度小于8字节,则用整个用户名),ULONG nInputLen )
.text:0041CD86 add esp, 0Ch
.text:0041CD89
.text:0041CD89 loc_41CD89: ; CODE XREF: sub_41CAD0+29Fj
.text:0041CD89 mov eax, esi
.text:0041CD8B mov ecx, 7
.text:0041CD90 cdq
.text:0041CD91 idiv ecx
.text:0041CD93 test edx, edx
.text:0041CD95 jz short loc_41CDB2 ; 余数为零则跳
.text:0041CD97 mov edi, ebp
.text:0041CD99 or ecx, 0FFFFFFFFh
.text:0041CD9C xor eax, eax
.text:0041CD9E lea edx, [esp+0D8h+var_B0]
.text:0041CDA2 repne scasb
.text:0041CDA4 not ecx
.text:0041CDA6 dec ecx
.text:0041CDA7 push ecx
.text:0041CDA8 push ebp
.text:0041CDA9 push edx
.text:0041CDAA call sub_41CFB0 ;Update(用户名,用户名长度)
.text:0041CDAF add esp, 0Ch
.text:0041CDB2
.text:0041CDB2 loc_41CDB2: ; CODE XREF: sub_41CAD0+2C5j
.text:0041CDB2 test ebx, ebx
.text:0041CDB4 jz short loc_41CDC4
.text:0041CDB6 lea eax, [esp+0D8h+var_C8]
.text:0041CDBA push 10h
.text:0041CDBC lea ecx, [esp+0DCh+var_B0]
.text:0041CDC0 push eax
.text:0041CDC1 push ecx
.text:0041CDC2 jmp short loc_41CDD7
.text:0041CDC4 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0041CDC4
.text:0041CDC4 loc_41CDC4: ; CODE XREF: sub_41CAD0+2E4j
.text:0041CDC4 mov edi, ebp
.text:0041CDC6 or ecx, 0FFFFFFFFh
.text:0041CDC9 xor eax, eax
.text:0041CDCB lea edx, [esp+0D8h+var_B0]
.text:0041CDCF repne scasb
.text:0041CDD1 not ecx
.text:0041CDD3 dec ecx
.text:0041CDD4 push ecx
.text:0041CDD5 push ebp
.text:0041CDD6 push edx
.text:0041CDD7
.text:0041CDD7 loc_41CDD7: ; CODE XREF: sub_41CAD0+2F2j
.text:0041CDD7 call sub_41CFB0 ;Update(Result2,16)/Update(用户名,用户长度)
.text:0041CDDC add esp, 0Ch
.text:0041CDDF lea eax, [esp+0D8h+var_B0]
.text:0041CDE3 lea ecx, [esp+0D8h+var_C8]
.text:0041CDE7 push eax
.text:0041CDE8 push ecx
.text:0041CDE9 call sub_41D0A0 ;MD5变换,设结果为Result3[16],此结果即是下一次循环中的Result2[16]
.text:0041CDEE add esp, 8
.text:0041CDF1 inc esi
.text:0041CDF2 cmp esi, 3E8h
.text:0041CDF8 jl loc_41CD26
算法第三步完成
///////////////////////////////////////////////////////////////////////

///////////////////////////////////////////////////////////////////////
算法第四步:将第三步结果转换为规则的可见字符串,长度变为22字节
变换表为:"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
.text:0041CDFE mov edi, offset unk_46AE6C
.text:0041CE03 or ecx, 0FFFFFFFFh
.text:0041CE06 xor eax, eax
.text:0041CE08 xor edx, edx
.text:0041CE0A mov dh, byte ptr [esp+0D8h+var_C8]
.text:0041CE0E push 4
.text:0041CE10 repne scasb
.text:0041CE12 mov eax, [esp+0DCh+var_C4+2]
.text:0041CE16 and eax, 0FFh
.text:0041CE1B or edx, eax
.text:0041CE1D mov eax, [esp+0DCh+var_BC]
.text:0041CE21 not ecx
.text:0041CE23 shl edx, 8
.text:0041CE26 and eax, 0FFh
.text:0041CE2B dec ecx
.text:0041CE2C or edx, eax
.text:0041CE2E add ecx, offset unk_46AE6C
.text:0041CE34 push edx
.text:0041CE35 push ecx
.text:0041CE36 mov dword_46AE68, ecx
.text:0041CE3C call sub_41D9B0
.text:0041CE41 mov ecx, [esp+0E4h+var_C8+1]
.text:0041CE45 mov edx, [esp+0E4h+var_C4+3]
.text:0041CE49 mov eax, dword_46AE68
.text:0041CE4E and ecx, 0FFh
.text:0041CE54 shl ecx, 8
.text:0041CE57 and edx, 0FFh
.text:0041CE5D add eax, 4
.text:0041CE60 or ecx, edx
.text:0041CE62 mov edx, [esp+0E4h+var_BC+1]
.text:0041CE66 shl ecx, 8
.text:0041CE69 and edx, 0FFh
.text:0041CE6F push 4
.text:0041CE71 or ecx, edx
.text:0041CE73 mov dword_46AE68, eax
.text:0041CE78 push ecx
.text:0041CE79 push eax
.text:0041CE7A call sub_41D9B0
.text:0041CE7F mov ecx, [esp+0F0h+var_C8+2]
.text:0041CE83 mov edx, [esp+0F0h+var_C0]
.text:0041CE87 mov eax, dword_46AE68
.text:0041CE8C and ecx, 0FFh
.text:0041CE92 shl ecx, 8
.text:0041CE95 and edx, 0FFh
.text:0041CE9B add eax, 4
.text:0041CE9E or ecx, edx
.text:0041CEA0 mov edx, [esp+0F0h+var_BC+2]
.text:0041CEA4 shl ecx, 8
.text:0041CEA7 and edx, 0FFh
.text:0041CEAD push 4
.text:0041CEAF or ecx, edx
.text:0041CEB1 mov dword_46AE68, eax
.text:0041CEB6 push ecx
.text:0041CEB7 push eax
.text:0041CEB8 call sub_41D9B0
.text:0041CEBD mov ecx, [esp+0FCh+var_C8+3]
.text:0041CEC1 mov edx, [esp+0FCh+var_C0+1]
.text:0041CEC5 mov eax, dword_46AE68
.text:0041CECA and ecx, 0FFh
.text:0041CED0 shl ecx, 8
.text:0041CED3 and edx, 0FFh
.text:0041CED9 add eax, 4
.text:0041CEDC or ecx, edx
.text:0041CEDE mov edx, [esp+0FCh+var_BC+3]
.text:0041CEE2 shl ecx, 8
.text:0041CEE5 and edx, 0FFh
.text:0041CEEB push 4
.text:0041CEED or ecx, edx
.text:0041CEEF mov dword_46AE68, eax
.text:0041CEF4 push ecx
.text:0041CEF5 push eax
.text:0041CEF6 call sub_41D9B0
.text:0041CEFB mov ecx, [esp+108h+var_C4]
.text:0041CEFF mov eax, dword_46AE68
.text:0041CF04 mov edx, [esp+108h+var_C0+2]
.text:0041CF08 and ecx, 0FFh
.text:0041CF0E add eax, 4
.text:0041CF11 push 4
.text:0041CF13 shl ecx, 8
.text:0041CF16 mov dword_46AE68, eax
.text:0041CF1B and edx, 0FFh
.text:0041CF21 or ecx, edx
.text:0041CF23 mov edx, [esp+10Ch+var_C4+1]
.text:0041CF27 shl ecx, 8
.text:0041CF2A and edx, 0FFh
.text:0041CF30 or ecx, edx
.text:0041CF32 push ecx
.text:0041CF33 push eax
.text:0041CF34 call sub_41D9B0
.text:0041CF39 mov ecx, [esp+114h+var_C0+3]
.text:0041CF3D mov eax, dword_46AE68
.text:0041CF42 and ecx, 0FFh
.text:0041CF48 add eax, 4
.text:0041CF4B push 2
.text:0041CF4D push ecx
.text:0041CF4E push eax
.text:0041CF4F mov dword_46AE68, eax
.text:0041CF54 call sub_41D9B0
.text:0041CF59 mov eax, dword_46AE68
.text:0041CF5E add esp, 48h
.text:0041CF61 add eax, 2
.text:0041CF64 pop edi
.text:0041CF65 mov dword_46AE68, eax
.text:0041CF6A pop esi
.text:0041CF6B mov byte ptr [eax], 0
.text:0041CF6E pop ebp
.text:0041CF6F mov eax, offset unk_46AE6C
算法第四步完成,结果为Result4[22]
//////////////////////////////////////////////////////////////////////
.text:0041CF74 pop ebx
.text:0041CF75 add esp, 0C8h
.text:0041CF7B retn
.text:0041CF7B sub_41CAD0 endp
.text:0041CF7B
.text:0041CF7B ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
/////////////////////////////////////////////////////////////////////////////////
=================================================================================

/////////////////////////////////////////////////////////////////////////////////
第五步:连接:"$1$"+用户名(前8个字节,用户名长度小于8个字节则用整个用户名)+"$"+Result4[22]
设结果为Result5

Result5参加下一轮运算
.text:004075E2 call sub_41CAD0    ; 算法CALL(第二轮)
这一轮用到了注册界面中的"特征码”,设结果为Result6
连接:"$1$+特征码前8个字节+"$"+Result6

.text:00407634 之后
最终结果转换

===================================================================
分析完成


    
    
     
    
    
     

相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么

文章评论
发表评论

热门文章 去除winrar注册框方法

最新文章 比特币病毒怎么破解 比去除winrar注册框方法 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据

人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程