* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402AAF(C)
|
:00402A95 8B5CB410 mov ebx, dword ptr [esp+4*esi+10] <----取出第一次处理后用户名的4位。
:00402A99 8BC6 mov eax, esi
:00402A9B 83E01F and eax, 0000001F
:00402A9E 03EB add ebp, ebx <----将处理的结果进行累加。
:00402AA0 50 push eax
:00402AA1 55 push ebp
:00402AA2 E819000000 call 00402AC0 <----此CALL内比较简单,是将EBP的值通过CF进行循环移位EAX次。
:00402AA7 83C408 add esp, 00000008
:00402AAA 46 inc esi
:00402AAB 3BF7 cmp esi, edi
:00402AAD 8BE8 mov ebp, eax <----是否处理完
:00402AAF 7CE4 jl 00402A95
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402A93(C)
|
:00402AB1 5F pop edi
:00402AB2 8BC5 mov eax, ebp <----将最后累加的值放入EAX后返回。
:00402AB4 5E pop esi
:00402AB5 5D pop ebp
:00402AB6 5B pop ebx
:00402AB7 81C400020000 add esp, 00000200
:00402ABD C3 ret
-----------------------------------------------------------------------------
-----------------CALL 2 分析--------------------------------------
-----------------------------------------------------------------
:004029F0 55 push ebp
:004029F1 8BEC mov ebp, esp
:004029F3 53 push ebx
:004029F4 8A4508 mov al, byte ptr [ebp+08] <----取第一个参数,即上面ECX的值
:004029F7 8A5D0C mov bl, byte ptr [ebp+0C] <----取第二个参数,即上面DL的值
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402A04(C)
|
:004029FA F6C3C3 test bl, C3 <----将BL与C3进行逻辑与,按结果中1的个数的奇偶性设置PF(TEST同时将CF清0)
:004029FD 7A01 jpe 00402A00 <----1的个数为偶数(PF=1)则跳转,跳过STC;为奇数则不跳,执行STC
:004029FF F9 stc <----将CF置1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004029FD(C)
|
:00402A00 D0DB rcr bl, 1 <----通过CF进行向右位移
:00402A02 FEC8 dec al
:00402A04 75F4 jne 004029FA <----循环,直到AL为0
:00402A06 885D0C mov byte ptr [ebp+0C], bl
:00402A09 8A450C mov al, byte ptr [ebp+0C] <----将结果放入AL中返回
:00402A0C 5B pop ebx
:00402A0D 5D pop ebp
:00402A0E C3 ret
-------------------------------------------------------------------
----------------此CALL结束-----------------------------------------
进入CALL 3--------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
:00402AE0 8B442404 mov eax, dword ptr [esp+04] <----取出参数到EAX
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402B02(U), :00402B13(U), :00402B2E(U)
|
:00402AE4 83E07F and eax, 0000007F
:00402AE7 83F841 cmp eax, 00000041
:00402AEA 7C07 jl 00402AF3
:00402AEC 83F85A cmp eax, 0000005A
:00402AEF 7F02 jg 00402AF3
:00402AF1 0C20 or al, 20 <----如果是大写,则转为小写
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402AEA(C), :00402AEF(C)
|
:00402AF3 83F86F cmp eax, 0000006F <----如果是o,再继续
:00402AF6 750C jne 00402B04
:00402AF8 B890000000 mov eax, 00000090
:00402AFD 83F00E xor eax, 0000000E
:00402B00 0C31 or al, 31
:00402B02 EBE0 jmp 00402AE4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402AF6(C)
|
:00402B04 83F830 cmp eax, 00000030 <----如果是0,再继续
:00402B07 750C jne 00402B15
:00402B09 B8CF000000 mov eax, 000000CF
:00402B0E 83F00E xor eax, 0000000E
:00402B11 0C31 or al, 31
:00402B13 EBCF jmp 00402AE4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402B07(C)
|
:00402B15 83F861 cmp eax, 00000061
:00402B18 7C05 jl 00402B1F
:00402B1A 83F87A cmp eax, 0000007A
:00402B1D 7E11 jle 00402B30 <----如果是小写字母,则返回
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402B18(C)
|
:00402B1F 83F831 cmp eax, 00000031
:00402B22 7C05 jl 00402B29
:00402B24 83F839 cmp eax, 00000039
:00402B27 7E07 jle 00402B30 <----如果是数字(1-9),则返回
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402B22(C)
|
:00402B29 83F00E xor eax, 0000000E
:00402B2C 0C31 or al, 31
:00402B2E EBB4 jmp 00402AE4 <----再继续处理.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402B1D(C), :00402B27(C)
|
:00402B30 C3 ret
---------------------------------------------------------------
---------------------------------------------------------------
---------------------------------------------------------------
注册算法
1.将用户名转化为DWORD值;
2.将DWORD值的4个字节依次转化为字符形式,得到第一组注册码
3.再进行3次变化,依次得到后面3组注册码.
-----------------VC++ 6.0 通过------------------
// Dialog OK handler: reads m_name, derives four 4-character groups from it and
// writes them, joined by "-", into m_regcode.
// Every step below is a fixed transform of the name with no secret input, so
// the output is fully determined by the name alone.
// NOTE(review): this copy of the listing is damaged. Two loop headers are
// truncated and the `®` sequences look like an extraction artifact (presumably
// a mis-decoded HTML entity), so the function does not compile as shown.
// Confirm against the original listing.
void CHero3000Dlg::OnOK()
{
char name[512];
unsigned char code1[5];
unsigned char code2[5];
unsigned char code3[5];
unsigned char code4[5];
int namelen;
long reg1,reg2,reg3,reg4,temp;
int i,n;
// Pull the dialog control contents into the member variables.
this->UpdateData();
memset(name,0,512);
namelen = this->m_name.GetLength();
// NOTE(review): unbounded strcpy into a 512-byte stack buffer. No length check
// is visible in this function, so a name of 512 or more characters would
// overflow name[] unless the input is limited elsewhere.
strcpy(name,this->m_name);
// NOTE(review): loop header truncated in this copy (the text after "i" is missing).
for(i=0;i
{
// Per-character transform; the character's index is passed as the step count.
name[i] = change(i,name[i]);
}
// Number of 4-byte groups needed to cover the name, rounded up.
i = (namelen / 4);
if((namelen % 4)>0) i++;
reg1 = 0;
// NOTE(review): loop header truncated in this copy (the text after "n" is missing).
for(n=0;n{
// Add the n-th 4-byte group of the transformed name to the running sum,
// then rotate the sum right by n bits.
// Assumes sizeof(long) == 4, since exactly 4 bytes are copied into temp. TODO confirm.
memcpy(&temp,&name[n*4],4);
reg1 += temp;
_asm mov eax,reg1;
_asm mov ecx,n;
_asm ror eax,cl;
_asm mov reg1,eax;
}
// Group 1: the four bytes of reg1, each mapped through regtoa().
memcpy(code1,®1,4);
for(i=0;i<4;i++)
{
code1[i] = this->regtoa(code1[i]);
}
code1[4]=0; // first group finished
// The mapped bytes are copied back, so later groups derive from group 1 as displayed.
memcpy(®1,code1,4);
// NOTE(review): signed long arithmetic here and below likely overflows 32 bits;
// wraparound is undefined behaviour in standard C++.
reg2 = reg1 * 22;
// Group 2: each byte goes through change() with its index, then regtoa().
memcpy(code2,®2,4);
for(i=0;i<4;i++)
{
code2[i] = this->change(i,code2[i]);
code2[i] = this->regtoa(code2[i]);
}
code2[4] =0; // second group finished
memcpy(®2,code2,4);
// Group 3: mixes the mapped values of groups 1 and 2.
reg3 = reg2*3 + ((reg2 ^ reg1)+8)*reg1;
memcpy(code3,®3,4);
for(i=0;i<4;i++)
{
code3[i] = this->regtoa(code3[i]);
}
code3[4] =0; // third group finished
memcpy(®3,code3,4);
// Group 4: mixes the mapped values of groups 1, 2 and 3.
reg4 = reg1*5 + ((reg2 * reg1)+6)*reg3;
memcpy(code4,®4,4);
for(i=0;i<4;i++)
{
code4[i] = this->regtoa(code4[i]);
}
code4[4] =0; // fourth group finished
// Join the four groups with "-" and push the result back to the dialog controls.
this->m_regcode = code1;
this->m_regcode += "-";
this->m_regcode += code2;
this->m_regcode += "-";
this->m_regcode += code3;
this->m_regcode += "-";
this->m_regcode += code4;
this->UpdateData(false);
// CDialog::OnOK();
}
// Applies a one-bit shift-register step to `b` repeatedly and returns the result.
// Each step tests the parity of (b & 0xC3), then rotates b right by one bit
// through the carry flag, with carry set when that parity is odd.
// The step count is `a`, except that a == 0 wraps to 0xff after the first step,
// giving 256 steps in total. This matches the `dec al` / `jne` loop in the
// CALL 2 listing.
// NOTE(review): MSVC x86 inline assembly. The sequence depends on CF and PF
// surviving between consecutive _asm statements, and it writes bl.
char CHero3000Dlg::change(unsigned char a, char b)
{
do
{
_asm mov bl,b;
// TEST clears CF and sets PF from the low byte of the result.
_asm test bl,0xC3;
// Even parity: skip STC, so CF stays 0.
_asm jpe st0;
// Odd parity: CF = 1.
_asm stc;
st0:
// CF becomes the new top bit of bl.
_asm rcr bl,1;
_asm mov b,bl;
// Emulate the 8-bit wraparound of `dec al` when the count starts at 0.
if(a==0)
a=0xff;
else
a--;
}
while(a>0);
return b;
}
// Maps one byte onto a lowercase letter or a digit '1'..'9'.
// Each pass keeps the low 7 bits. The values 0x6f ('o') and 0x30 ('0') are
// replaced by a fixed seed and re-processed, uppercase letters are folded to
// lowercase, and any other value is scrambled with (x ^ 0x0e) | 0x31 and
// tried again.
unsigned char CHero3000Dlg::regtoa(unsigned char a)
{
	while (true)
	{
		a &= 0x7f;

		// 'o' and '0' never leave this function: swap in a seed and restart.
		if (a == 0x6f || a == 0x30)
		{
			const unsigned char seed = (a == 0x6f) ? 0x90 : 0xcf;
			a = (seed ^ 0x0e) | 0x31;
			continue;
		}

		// Fold uppercase to lowercase after the 'o' / '0' checks, as in the original.
		if (a >= 'A' && a <= 'Z')
		{
			a += 0x20;
		}

		const bool isLower = (a >= 'a' && a <= 'z');
		const bool isDigit = (a >= '1' && a <= '9');
		if (isLower || isDigit)
		{
			return a;
		}

		// Not acceptable yet: scramble and go round again.
		a = (a ^ 0x0e) | 0x31;
	}
}