文章作者:KuNgBiM
信息来源:看雪论坛
【破文标题】:Multi desktop V3.00 注册算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:
gb_1227@163.com
【软件名称】:Multi desktop V3.00
【软件大小】:528 KB
【软件语言】:英文
【软件类别】:国外软件 / 共享版 / 桌面工具
【整理时间】:2005-10-27
【开 发 商】:
http://www.8848soft.com/
【下载地址】:
http://www.8848soft.com/d1/multidesktop_setup.exe
【软件简介】:Multi Desktop 是一个非常不错的虚拟桌面管理软件!支持4个虚拟桌面;支持为各个虚拟桌面建立自己的图标、名字、壁纸,通过拖放操作将窗口在虚拟桌面之间移动;支持使用快捷键在虚拟桌面之间切换;支持为虚拟桌面选择壁纸风格。
【保护方式】:注册码 + 启动NAG + 15天试用限制
【编译语言】:Microsoft Visual C++ 6.0
【调试环境】:WinXP、PEiD、Ollydbg
【破解日期】:2005-10-29
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
侦测:用PEiD查壳,无壳,Microsoft Visual C++ 6.0 编译。
试探:运行主程序注册,输入试炼码,确认!程序提示:"Registration failed, please check the code and try again!"
下药:Ollydbg载入主程序,命令下断:bpx MessageBoxA,回车,F9运行,输入试炼信息:
************* 试炼信息 **************
Registered name:KuNgBiM
Registered code:1111-2222-3333-4444
*************************************
0041CB34 51 push ecx
0041CB35 FF15 2CD34200 call dword ptr ds:[<&USER32.MessageBoxA>] ; 这里中断,Alt+F9返回!
0041CB3B 5E pop esi
0041CB3C C2 0C00 retn 0C
........
返回到:
00409E60 64:A1 00000000 mov eax,dword ptr fs:[0] ; 这里F2下断!Ctrl+F2重新加载程序!
00409E66 6A FF push -1
00409E68 68 68BD4200 push MultiDes.0042BD68
00409E6D 50 push eax
00409E6E 64:8925 0000000>mov dword ptr fs:[0],esp
00409E75 83EC 14 sub esp,14
00409E78 53 push ebx
00409E79 55 push ebp
00409E7A 56 push esi
00409E7B 8BF1 mov esi,ecx
00409E7D 57 push edi
00409E7E 8B86 70010000 mov eax,dword ptr ds:[esi+170]
00409E84 83F8 02 cmp eax,2
00409E87 0F8F E8010000 jg MultiDes.0040A075
00409E8D 40 inc eax
00409E8E 6A 01 push 1
00409E90 8986 70010000 mov dword ptr ds:[esi+170],eax
00409E96 E8 A2350100 call MultiDes.0041D43D
00409E9B 8D86 60010000 lea eax,dword ptr ds:[esi+160]
00409EA1 8DBE 5C010000 lea edi,dword ptr ds:[esi+15C]
00409EA7 50 push eax
00409EA8 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00409EAC 57 push edi
00409EAD 51 push ecx
00409EAE E8 154D0100 call MultiDes.0041EBC8
00409EB3 8D96 64010000 lea edx,dword ptr ds:[esi+164]
00409EB9 33DB xor ebx,ebx
00409EBB 52 push edx
00409EBC 50 push eax
00409EBD 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00409EC1 895C24 34 mov dword ptr ss:[esp+34],ebx
00409EC5 50 push eax
00409EC6 E8 FD4C0100 call MultiDes.0041EBC8
00409ECB 8D8E 68010000 lea ecx,dword ptr ds:[esi+168]
00409ED1 8D5424 10 lea edx,dword ptr ss:[esp+10]
00409ED5 51 push ecx
00409ED6 50 push eax
00409ED7 52 push edx
00409ED8 C64424 38 01 mov byte ptr ss:[esp+38],1
00409EDD E8 E64C0100 call MultiDes.0041EBC8
00409EE2 50 push eax
00409EE3 8BCF mov ecx,edi
00409EE5 C64424 30 02 mov byte ptr ss:[esp+30],2
00409EEA E8 E34B0100 call MultiDes.0041EAD2
00409EEF 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00409EF3 C64424 2C 01 mov byte ptr ss:[esp+2C],1
00409EF8 E8 E84A0100 call MultiDes.0041E9E5
00409EFD 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00409F01 885C24 2C mov byte ptr ss:[esp+2C],bl
00409F05 E8 DB4A0100 call MultiDes.0041E9E5
00409F0A 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00409F0E C74424 2C FFFFF>mov dword ptr ss:[esp+2C],-1
00409F16 E8 CA4A0100 call MultiDes.0041E9E5
00409F1B 68 90C54300 push MultiDes.0043C590
00409F20 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00409F24 E8 2A4B0100 call MultiDes.0041EA53
00409F29 8DAE 58010000 lea ebp,dword ptr ds:[esi+158]
00409F2F 8D4424 18 lea eax,dword ptr ss:[esp+18]
00409F33 BB 03000000 mov ebx,3
00409F38 55 push ebp
00409F39 50 push eax
00409F3A B9 88C64300 mov ecx,MultiDes.0043C688
00409F3F 895C24 34 mov dword ptr ss:[esp+34],ebx
00409F43 E8 D8F4FFFF call MultiDes.00409420 ; ★用户名检测CALL★F7跟进
00409F48 50 push eax
00409F49 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00409F4D C64424 30 04 mov byte ptr ss:[esp+30],4
00409F52 E8 7B4B0100 call MultiDes.0041EAD2
00409F57 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00409F5B 885C24 2C mov byte ptr ss:[esp+2C],bl
00409F5F E8 814A0100 call MultiDes.0041E9E5 ; 取用户名前2位转为大写后与“wfeewwf3deda”相连
00409F64 8B4424 10 mov eax,dword ptr ss:[esp+10] ; ASCII "KUwfeewwf3deda"
00409F68 8B48 F8 mov ecx,dword ptr ds:[eax-8] ; 得到组合后的计算名长度,ds:[009138C8]=0000000E
00409F6B 51 push ecx ; ecx=0000000E,(14位)
00409F6C 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00409F70 50 push eax ; 计算名压栈,ASCII "KUwfeewwf3deda"
00409F71 51 push ecx
00409F72 E8 59C9FFFF call MultiDes.004068D0 ; ★重要CALL★F7跟进
00409F77 83C4 0C add esp,0C
00409F7A 50 push eax
00409F7B 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00409F7F C64424 30 05 mov byte ptr ss:[esp+30],5
00409F84 E8 494B0100 call MultiDes.0041EAD2
00409F89 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00409F8D 885C24 2C mov byte ptr ss:[esp+2C],bl
00409F91 E8 4F4A0100 call MultiDes.0041E9E5
00409F96 8D5424 1C lea edx,dword ptr ss:[esp+1C]
00409F9A 6A 10 push 10
00409F9C 52 push edx
00409F9D 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00409FA1 E8 4CE00000 call MultiDes.00417FF2
00409FA6 50 push eax
00409FA7 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00409FAB C64424 30 06 mov byte ptr ss:[esp+30],6
00409FB0 E8 1D4B0100 call MultiDes.0041EAD2
00409FB5 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00409FB9 885C24 2C mov byte ptr ss:[esp+2C],bl
00409FBD E8 234A0100 call MultiDes.0041E9E5 ; 获得用户输入的假注册码
00409FC2 8B07 mov eax,dword ptr ds:[edi]
00409FC4 50 push eax ; 假码压栈,ASCII "1111222233334444"
00409FC5 8B4424 14 mov eax,dword ptr ss:[esp+14] ; 取出真注册码,准备与假码比较!
00409FC9 50 push eax ; 真码压栈,ASCII "687fcda714009cf4"
00409FCA E8 653E0000 call MultiDes.0040DE34 ; ★真假码经典比较CALL★
00409FCF 83C4 08 add esp,8
00409FD2 85C0 test eax,eax
00409FD4 75 53 jnz short MultiDes.0040A029 ; 若不相等,跳走则Game Over!
00409FD6 83CB FF or ebx,FFFFFFFF
00409FD9 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00409FDD 895C24 2C mov dword ptr ss:[esp+2C],ebx
00409FE1 E8 FF490100 call MultiDes.0041E9E5
00409FE6 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00409FEA 51 push ecx
00409FEB B9 88C64300 mov ecx,MultiDes.0043C688
00409FF0 E8 BBF5FFFF call MultiDes.004095B0
00409FF5 8B00 mov eax,dword ptr ds:[eax]
00409FF7 6A 40 push 40
00409FF9 50 push eax
00409FFA 68 9C874300 push MultiDes.0043879C ; ASCII "Registration finished, thank for your registration!"
00409FFF 8BCE mov ecx,esi
0040A001 C74424 38 07000>mov dword ptr ss:[esp+38],7
0040A009 E8 FF2A0100 call MultiDes.0041CB0D
0040A00E 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040A012 895C24 2C mov dword ptr ss:[esp+2C],ebx
0040A016 E8 CA490100 call MultiDes.0041E9E5
0040A01B 57 push edi
0040A01C 55 push ebp
0040A01D B9 88C64300 mov ecx,MultiDes.0043C688
0040A022 E8 99F2FFFF call MultiDes.004092C0
0040A027 EB 45 jmp short MultiDes.0040A06E
0040A029 83CF FF or edi,FFFFFFFF
0040A02C 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040A030 897C24 2C mov dword ptr ss:[esp+2C],edi
0040A034 E8 AC490100 call MultiDes.0041E9E5
0040A039 8D5424 20 lea edx,dword ptr ss:[esp+20]
0040A03D B9 88C64300 mov ecx,MultiDes.0043C688
0040A042 52 push edx
0040A043 E8 68F5FFFF call MultiDes.004095B0
0040A048 8B00 mov eax,dword ptr ds:[eax]
0040A04A 6A 10 push 10
0040A04C 50 push eax
0040A04D 68 60874300 push MultiDes.00438760 ; ASCII "Registration failed, please check the code and try again!"
0040A052 8BCE mov ecx,esi
0040A054 C74424 38 08000>mov dword ptr ss:[esp+38],8
0040A05C E8 AC2A0100 call MultiDes.0041CB0D
0040A061 8D4C24 20 lea ecx,dword ptr ss:[esp+20] ; 返回到这里,向上找到可以处下断!
0040A065 897C24 2C mov dword ptr ss:[esp+2C],edi
0040A069 E8 77490100 call MultiDes.0041E9E5
0040A06E 8BCE mov ecx,esi
0040A070 E8 500D0100 call MultiDes.0041ADC5
0040A075 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
0040A079 5F pop edi
0040A07A 5E pop esi
0040A07B 5D pop ebp
0040A07C 5B pop ebx
0040A07D 64:890D 0000000>mov dword ptr fs:[0],ecx
0040A084 83C4 20 add esp,20
0040A087 C3 retn ; 返回程序界面
........
========================= 跟进 00409F43 E8 D8F4FFFF call MultiDes.00409420 =========================
00409420 6A FF push -1 ; 跟进来到这里
00409422 68 8FBB4200 push MultiDes.0042BB8F
00409427 64:A1 00000000 mov eax,dword ptr fs:[0]
0040942D 50 push eax
0040942E 64:8925 0000000>mov dword ptr fs:[0],esp
00409435 83EC 0C sub esp,0C
00409438 8B4424 20 mov eax,dword ptr ss:[esp+20]
0040943C 53 push ebx
0040943D 56 push esi
0040943E 50 push eax
0040943F 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00409443 C74424 14 00000>mov dword ptr ss:[esp+14],0
0040944B E8 0A530100 call MultiDes.0041E75A
00409450 BB 01000000 mov ebx,1
00409455 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00409459 895C24 1C mov dword ptr ss:[esp+1C],ebx
0040945D E8 EDEF0000 call MultiDes.0041844F ; 取用户名
00409462 8D4C24 28 lea ecx,dword ptr ss:[esp+28] ; ASCII "KuNgBiM"
00409466 E8 98EF0000 call MultiDes.00418403
0040946B 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040946F E8 125A0100 call MultiDes.0041EE86 ; 用户名所有字符由小写转为大写
00409474 6A 42 push 42 ; ASCII "KUNGBIM"
00409476 6A 2E push 2E
00409478 8D4C24 30 lea ecx,dword ptr ss:[esp+30] ; 转换完毕后,重新赋值给ecx
0040947C E8 34EB0000 call MultiDes.00417FB5
00409481 6A 42 push 42
00409483 6A 20 push 20
00409485 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00409489 E8 27EB0000 call MultiDes.00417FB5
0040948E 8B4C24 28 mov ecx,dword ptr ss:[esp+28] ; 取转换后的用户名,ASCII "KUNGBIM"
00409492 8B41 F8 mov eax,dword ptr ds:[ecx-8] ; 取用户名长度,ds:[009139B8]=00000007
00409495 83F8 02 cmp eax,2 ; 用户名长度与2比较
00409498 7E 4C jle short MultiDes.004094E6 ; 若用户名长度小于或等于2就跳向自定义用户名
0040949A 8D5424 0C lea edx,dword ptr ss:[esp+C]
0040949E 6A 02 push 2 ; (取用户名个数)2入栈
004094A0 52 push edx
004094A1 8D4C24 30 lea ecx,dword ptr ss:[esp+30] ; 取前2位转换后的用户名,ASCII "KUNGBIM"
004094A5 E8 48EB0000 call MultiDes.00417FF2 ; 取固定字符串
004094AA 68 44844300 push MultiDes.00438444 ; ASCII "wfeewwf3deda"
004094AF 50 push eax
004094B0 8D4424 10 lea eax,dword ptr ss:[esp+10]
004094B4 C64424 24 02 mov byte ptr ss:[esp+24],2
004094B9 50 push eax
004094BA E8 6F570100 call MultiDes.0041EC2E
004094BF 50 push eax
004094C0 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004094C4 C64424 20 03 mov byte ptr ss:[esp+20],3
004094C9 E8 04560100 call MultiDes.0041EAD2
004094CE 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
004094D2 C64424 1C 02 mov byte ptr ss:[esp+1C],2
004094D7 E8 09550100 call MultiDes.0041E9E5
004094DC 885C24 1C mov byte ptr ss:[esp+1C],bl
004094E0 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
004094E4 EB 58 jmp short MultiDes.0040953E
004094E6 68 40844300 push MultiDes.00438440 ; 程序自定义用户名为“AA”来计算,ASCII "AA"
004094EB 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004094EF E8 81580100 call MultiDes.0041ED75
004094F4 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
004094F8 6A 02 push 2
004094FA 51 push ecx
004094FB 8D4C24 30 lea ecx,dword ptr ss:[esp+30] ; 取自定义用户名,ASCII "AA"
004094FF E8 EEEA0000 call MultiDes.00417FF2 ; 取固定字符串
00409504 68 44844300 push MultiDes.00438444 ; ASCII "wfeewwf3deda"
00409509 8D5424 10 lea edx,dword ptr ss:[esp+10]
0040950D 50 push eax
0040950E 52 push edx
0040950F C64424 28 04 mov byte ptr ss:[esp+28],4
00409514 E8 15570100 call MultiDes.0041EC2E
00409519 50 push eax
0040951A 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040951E C64424 20 05 mov byte ptr ss:[esp+20],5
00409523 E8 AA550100 call MultiDes.0041EAD2
00409528 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040952C C64424 1C 04 mov byte ptr ss:[esp+1C],4
00409531 E8 AF540100 call MultiDes.0041E9E5
00409536 885C24 1C mov byte ptr ss:[esp+1C],bl
0040953A 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040953E E8 A2540100 call MultiDes.0041E9E5
00409543 8B7424 24 mov esi,dword ptr ss:[esp+24]
00409547 8D4424 28 lea eax,dword ptr ss:[esp+28]
0040954B 50 push eax
0040954C 8BCE mov ecx,esi
0040954E E8 07520100 call MultiDes.0041E75A
00409553 895C24 10 mov dword ptr ss:[esp+10],ebx
00409557 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040955B C64424 1C 00 mov byte ptr ss:[esp+1C],0
00409560 E8 80540100 call MultiDes.0041E9E5
00409565 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
00409569 8BC6 mov eax,esi
0040956B 5E pop esi
0040956C 5B pop ebx
0040956D 64:890D 0000000>mov dword ptr fs:[0],ecx
00409574 83C4 18 add esp,18
00409577 C2 0800 retn 8
........
========================= 跟进 00409F72 E8 59C9FFFF call MultiDes.004068D0 =========================
004068D0 6A FF push -1 ; 跟进来到这里
004068D2 68 F8B54200 push MultiDes.0042B5F8
004068D7 64:A1 00000000 mov eax,dword ptr fs:[0] ; 取出计算名,ASCII "KUwfeewwf3deda"
004068DD 50 push eax
004068DE 64:8925 0000000>mov dword ptr fs:[0],esp
004068E5 83EC 60 sub esp,60
004068E8 56 push esi
004068E9 8B7424 7C mov esi,dword ptr ss:[esp+7C] ; 得到计算名位数
004068ED 57 push edi
004068EE 8B7C24 7C mov edi,dword ptr ss:[esp+7C] ; 得到计算名
004068F2 6A 00 push 0
004068F4 56 push esi ; esi=0000000E(14位)
004068F5 57 push edi ; edi=009138D0, (ASCII "KUwfeewwf3deda")
004068F6 C74424 14 00000>mov dword ptr ss:[esp+14],0
004068FE E8 9E1B0100 call MultiDes.004184A1
00406903 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00406907 E8 A40A0000 call MultiDes.004073B0 ; ★调用MD5标准算法常数★F7跟进
0040690C 56 push esi
0040690D 57 push edi
0040690E 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00406912 C74424 78 00000>mov dword ptr ss:[esp+78],0
0040691A E8 810C0000 call MultiDes.004075A0 ; ★调用MD5标准算法机制★F7跟进
0040691F 8B7424 78 mov esi,dword ptr ss:[esp+78]
00406923 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00406927 56 push esi
00406928 E8 130B0000 call MultiDes.00407440 ; ★使用MD5标准算法,转换计算名★
0040692D 8B4C24 68 mov ecx,dword ptr ss:[esp+68]
00406931 8BC6 mov eax,esi
00406933 5F pop edi
00406934 5E pop esi
00406935 64:890D 0000000>mov dword ptr fs:[0],ecx
0040693C 83C4 6C add esp,6C
0040693F C3 retn
........
========================= 跟进 00406907 E8 A40A0000 call MultiDes.004073B0 =========================
004073B0 8BD1 mov edx,ecx ; 下面是MD5算法的标准常数
004073B2 57 push edi
004073B3 B9 10000000 mov ecx,10
004073B8 33C0 xor eax,eax
004073BA 8D7A 04 lea edi,dword ptr ds:[edx+4]
004073BD C702 78DE4200 mov dword ptr ds:[edx],MultiDes.0042DE78
004073C3 F3:AB rep stos dword ptr es:[edi]
004073C5 8942 48 mov dword ptr ds:[edx+48],eax
004073C8 8942 44 mov dword ptr ds:[edx+44],eax
004073CB C742 4C 0123456>mov dword ptr ds:[edx+4C],67452301
004073D2 C742 50 89ABCDE>mov dword ptr ds:[edx+50],EFCDAB89
004073D9 C742 54 FEDCBA9>mov dword ptr ds:[edx+54],98BADCFE
004073E0 C742 58 7654321>mov dword ptr ds:[edx+58],10325476
004073E7 8BC2 mov eax,edx
004073E9 5F pop edi
004073EA C3 retn
........
========================= 跟进 0040691A E8 810C0000 call MultiDes.004075A0 =========================
004075A0 53 push ebx ; 以下是MD5算法的标准变换运算机制
004075A1 8BD9 mov ebx,ecx
004075A3 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
004075A7 55 push ebp
004075A8 8B53 44 mov edx,dword ptr ds:[ebx+44]
004075AB 56 push esi
004075AC 8BC2 mov eax,edx
004075AE 8D34CD 00000000 lea esi,dword ptr ds:[ecx*8]
004075B5 C1E8 03 shr eax,3
004075B8 8D14CA lea edx,dword ptr ds:[edx+ecx*8]
004075BB 83E0 3F and eax,3F
004075BE 3BD6 cmp edx,esi
004075C0 57 push edi
004075C1 8953 44 mov dword ptr ds:[ebx+44],edx
004075C4 73 03 jnb short MultiDes.004075C9
004075C6 FF43 48 inc dword ptr ds:[ebx+48]
004075C9 8B7B 48 mov edi,dword ptr ds:[ebx+48]
004075CC 8BD1 mov edx,ecx
004075CE BD 40000000 mov ebp,40
004075D3 C1EA 1D shr edx,1D
004075D6 2BE8 sub ebp,eax
004075D8 03FA add edi,edx
004075DA 3BCD cmp ecx,ebp
004075DC 897B 48 mov dword ptr ds:[ebx+48],edi
004075DF 72 52 jb short MultiDes.00407633
004075E1 8B7424 14 mov esi,dword ptr ss:[esp+14]
004075E5 8BCD mov ecx,ebp
004075E7 8D7C18 04 lea edi,dword ptr ds:[eax+ebx+4]
004075EB 8BC1 mov eax,ecx
004075ED C1E9 02 shr ecx,2
004075F0 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
004075F2 8BC8 mov ecx,eax
004075F4 83E1 03 and ecx,3
004075F7 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
004075F9 8D4B 04 lea ecx,dword ptr ds:[ebx+4]
004075FC 51 push ecx
004075FD 8BCB mov ecx,ebx
004075FF E8 8CF3FFFF call MultiDes.00406990
00407604 8BFD mov edi,ebp
00407606 8D75 3F lea esi,dword ptr ss:[ebp+3F]
00407609 8B6C24 18 mov ebp,dword ptr ss:[esp+18]
0040760D 3BF5 cmp esi,ebp
0040760F 73 1A jnb short MultiDes.0040762B
00407611 8B5424 14 mov edx,dword ptr ss:[esp+14]
00407615 8BCB mov ecx,ebx
00407617 8D4432 C1 lea eax,dword ptr ds:[edx+esi-3F]
0040761B 50 push eax
0040761C E8 6FF3FFFF call MultiDes.00406990
00407621 83C6 40 add esi,40
00407624 83C7 40 add edi,40
00407627 3BF5 cmp esi,ebp
00407629 ^ 72 E6 jb short MultiDes.00407611
0040762B 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0040762F 33C0 xor eax,eax
00407631 EB 02 jmp short MultiDes.00407635
00407633 33FF xor edi,edi
00407635 8B5424 14 mov edx,dword ptr ss:[esp+14]
00407639 2BCF sub ecx,edi
0040763B 8D3417 lea esi,dword ptr ds:[edi+edx]
0040763E 8D7C18 04 lea edi,dword ptr ds:[eax+ebx+4]
00407642 8BC1 mov eax,ecx
00407644 C1E9 02 shr ecx,2
00407647 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
00407649 8BC8 mov ecx,eax
0040764B 83E1 03 and ecx,3
0040764E F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
00407650 5F pop edi
00407651 5E pop esi
00407652 5D pop ebp
00407653 5B pop ebx
00407654 C2 0800 retn 8
........
-------------------------------------------------------------------------------------------------------------------------
【算法总结】:
注册验证非常简单:
1、注册码固定为16位。
2、用户名位数小于或等于2位,则调用程序固定用户名“AA”来作为用户名。
3、把用户名所有字符由小写转为大写,结果记为N1。
4、N1前两位与固定字符串“wfeewwf3deda”连接组合成计算名,结果记为N2。
5、将N2进行标准MD5运算转换,结果记为KEY1。
6、取KEY1前16位转换为小写输出,则为注册码,结果记为KEY2。
【完美爆破点】:
00409FD4 75 53 jnz short MultiDes.0040A029 ; nop掉!
-------------------------------------------------------------------------------------------------------------------------
【注册机】:
注册机我就不写了,很简单的。。。
【注册信息】:
Registered name:KuNgBiM
Registered code:687f-cda7-1400-9cf4
