超级RM转换大师 V1.10算法简单分析
【文章标题】: 超级RM转换大师 V1.10算法简单分析
【文章作者】: evilangel
【软件名称】: 超级RM转换大师 V1.10
【下载地址】: 自己搜索下
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
通过下消息断点可以跟到关键地方,也可以通过DEDE的按钮事件来到这儿,这里就不分析如何找到这儿了,简单分析一下!
004C0128/.55 push ebp
004C0129|.8BEC mov ebp, esp
004C012B|.6A 00 push 0
004C012D|.6A 00 push 0
004C012F|.53 push ebx
004C0130|.8BD8 mov ebx, eax
004C0132|.33C0 xor eax, eax
004C0134|.55 push ebp
004C0135|.68 E8014C00 push 004C01E8
004C013A|.64:FF30 push dword ptr fs:[eax]
004C013D|.64:8920 mov fs:[eax], esp
004C0140|.8D55 FC lea edx, [ebp-4]
004C0143|.8B83 20030000 mov eax, [ebx+320]
004C0149|.E8 7E43FAFF call 004644CC
004C014E|.8B45 FC mov eax, [ebp-4] ;//获取用户名位数
004C0151|.E8 3E44F4FF call 00404594
004C0156|.85C0 test eax, eax ;//判断是否输入了用户名
004C0158|.75 29 jnz short 004C0183
004C015A|.6A 40 push 40
004C015C|.68 F4014C00 push 004C01F4 ;警告
004C0161|.68 FC014C00 push 004C01FC ;请输入用户名!
004C0166|.8BC3 mov eax, ebx
004C0168|.E8 47ABFAFF call 0046ACB4
004C016D|.50 push eax ; |hOwner
004C016E|.E8 216FF4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004C0173|.8B83 20030000 mov eax, [ebx+320]
004C0179|.8B10 mov edx, [eax]
004C017B|.FF92 C4000000 call [edx+C4]
004C0181|.EB 4A jmp short 004C01CD
004C0183|>8D55 F8 lea edx, [ebp-8]
004C0186|.8B83 24030000 mov eax, [ebx+324]
004C018C|.E8 3B43FAFF call 004644CC ;//获取注册码位数
004C0191|.8B45 F8 mov eax, [ebp-8]
004C0194|.E8 FB43F4FF call 00404594
004C0199|.85C0 test eax, eax ;//判断是否输入了注册码
004C019B|.75 29 jnz short 004C01C6
004C019D|.6A 40 push 40
004C019F|.68 F4014C00 push 004C01F4 ;警告
004C01A4|.68 0C024C00 push 004C020C ;请输入注册码!
004C01A9|.8BC3 mov eax, ebx
004C01AB|.E8 04ABFAFF call 0046ACB4
004C01B0|.50 push eax ; |hOwner
004C01B1|.E8 DE6EF4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004C01B6|.8B83 24030000 mov eax, [ebx+324]
004C01BC|.8B10 mov edx, [eax]
004C01BE|.FF92 C4000000 call [edx+C4]
004C01C4|.EB 07 jmp short 004C01CD
004C01C6|>8BC3 mov eax, ebx
004C01C8|.E8 47F9FFFF call 004BFB14 ;//关键call
004C01CD|>33C0 xor eax, eax
004C01CF|.5A pop edx
004C01D0|.59 pop ecx
004C01D1|.59 pop ecx
004C01D2|.64:8910 mov fs:[eax], edx
004C01D5|.68 EF014C00 push 004C01EF
004C01DA|>8D45 F8 lea eax, [ebp-8]
004C01DD|.BA 02000000 mov edx, 2
004C01E2|.E8 1141F4FF call 004042F8
004C01E7\.C3 retn
004C01E8 .^ E9 473AF4FF jmp 00403C34
004C01ED .^ EB EB jmp short 004C01DA
004C01EF .5B pop ebx
004C01F0 .59 pop ecx
004C01F1 .59 pop ecx
004C01F2 .5D pop ebp
004C01F3 .C3 retn
关键call进入后来到
004BFB14 $55 push ebp
004BFB15 .8BEC mov ebp, esp
004BFB17 .33C9 xor ecx, ecx
004BFB19 .51 push ecx
004BFB1A .51 push ecx
004BFB1B .51 push ecx
004BFB1C .51 push ecx
004BFB1D .51 push ecx
004BFB1E .53 push ebx
004BFB1F .56 push esi
004BFB20 .57 push edi
004BFB21 .8945 FC mov [ebp-4], eax
004BFB24 .33C0 xor eax, eax
004BFB26 .55 push ebp
004BFB27 .68 65FC4B00 push 004BFC65
004BFB2C .64:FF30 push dword ptr fs:[eax]
004BFB2F .64:8920 mov fs:[eax], esp
004BFB32 .8B45 FC mov eax, [ebp-4]
004BFB35 .E8 92020000 call 004BFDCC ;//关键call
004BFB3A .84C0 test al, al
004BFB3C .0F84 DB000000 je 004BFC1D ;//跳向注册失败
004BFB42 .33C0 xor eax, eax
004BFB44 .55 push ebp
004BFB45 .68 01FC4B00 push 004BFC01
004BFB4A .64:FF30 push dword ptr fs:[eax]
004BFB4D .64:8920 mov fs:[eax], esp
004BFB50 .B2 01 mov dl, 1
004BFB52 .A1 00B84300 mov eax, [43B800]
004BFB57 .E8 A4BDF7FF call 0043B900
004BFB5C .8BD8 mov ebx, eax
004BFB5E .BA 02000080 mov edx, 80000002
004BFB63 .8BC3 mov eax, ebx
004BFB65 .E8 36BEF7FF call 0043B9A0
004BFB6A .B1 01 mov cl, 1
004BFB6C .BA 7CFC4B00 mov edx, 004BFC7C ;software\zy\conver
004BFB71 .8BC3 mov eax, ebx ;//注册信息保存位置,带有重启验证
004BFB73 .E8 8CBEF7FF call 0043BA04
004BFB78 .8D55 F4 lea edx, [ebp-C]
004BFB7B .8B45 FC mov eax, [ebp-4]
004BFB7E .8B80 20030000 mov eax, [eax+320]
004BFB84 .E8 4349FAFF call 004644CC
004BFB89 .8B45 F4 mov eax, [ebp-C]
004BFB8C .8D55 F8 lea edx, [ebp-8]
004BFB8F .E8 F08BF4FF call 00408784
004BFB94 .8B4D F8 mov ecx, [ebp-8]
004BFB97 .BA 98FC4B00 mov edx, 004BFC98 ;name
004BFB9C .8BC3 mov eax, ebx
004BFB9E .E8 FDBFF7FF call 0043BBA0
004BFBA3 .8D55 EC lea edx, [ebp-14]
004BFBA6 .8B45 FC mov eax, [ebp-4]
004BFBA9 .8B80 24030000 mov eax, [eax+324]
004BFBAF .E8 1849FAFF call 004644CC
004BFBB4 .8B45 EC mov eax, [ebp-14]
004BFBB7 .8D55 F0 lea edx, [ebp-10]
004BFBBA .E8 C58BF4FF call 00408784
004BFBBF .8B4D F0 mov ecx, [ebp-10]
004BFBC2 .BA A8FC4B00 mov edx, 004BFCA8 ;pass
004BFBC7 .8BC3 mov eax, ebx
004BFBC9 .E8 D2BFF7FF call 0043BBA0
004BFBCE .8BC3 mov eax, ebx
004BFBD0 .E8 CB38F4FF call 004034A0
004BFBD5 .6A 40 push 40
004BFBD7 .68 B0FC4B00 push 004BFCB0 ;软件注册
004BFBDC .68 BCFC4B00 push 004BFCBC ;注册成功, 下次启动本软件将解除所有限制功能!
004BFBE1 .8B45 FC mov eax, [ebp-4]
004BFBE4 .E8 CBB0FAFF call 0046ACB4
004BFBE9 .50 push eax ; |hOwner
004BFBEA .E8 A574F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BFBEF .8B45 FC mov eax, [ebp-4]
004BFBF2 .E8 590FFCFF call 00480B50
004BFBF7 .33C0 xor eax, eax
004BFBF9 .5A pop edx
004BFBFA .59 pop ecx
004BFBFB .59 pop ecx
004BFBFC .64:8910 mov fs:[eax], edx
004BFBFF .EB 36 jmp short 004BFC37
004BFC01 .^ E9 7A3DF4FF jmp 00403980
004BFC06 .8B45 FC mov eax, [ebp-4]
004BFC09 .E8 420FFCFF call 00480B50
004BFC0E .8B45 FC mov eax, [ebp-4]
004BFC11 .E8 F6000000 call 004BFD0C
004BFC16 .E8 CD40F4FF call 00403CE8
004BFC1B .EB 1A jmp short 004BFC37
004BFC1D >6A 40 push 40
004BFC1F .68 B0FC4B00 push 004BFCB0 ;软件注册
004BFC24 .68 ECFC4B00 push 004BFCEC ;注册失败,请检查用户名与注册码!
004BFC29 .8B45 FC mov eax,
004BFC2C .E8 83B0FAFF call 0046ACB4
004BFC31 .50 push eax ; |hOwner
004BFC32 .E8 5D74F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BFC37 >33C0 xor eax, eax
接着进入这个关键call
004BFDCC/$55 push ebp
004BFDCD|.8BEC mov ebp, esp
004BFDCF|.B9 04000000 mov ecx, 4
004BFDD4|>6A 00 /push 0
004BFDD6|.6A 00 |push 0
004BFDD8|.49 |dec ecx
004BFDD9|.^ 75 F9 \jnz short 004BFDD4
004BFDDB|.51 push ecx
004BFDDC|.53 push ebx
004BFDDD|.56 push esi
004BFDDE|.8BF0 mov esi, eax
004BFDE0|.33C0 xor eax, eax
004BFDE2|.55 push ebp
004BFDE3|.68 E1FE4B00 push 004BFEE1
004BFDE8|.64:FF30 push dword ptr fs:[eax]
004BFDEB|.64:8920 mov fs:[eax], esp
004BFDEE|.8D55 F8 lea edx, [ebp-8]
004BFDF1|.8B86 24030000 mov eax, [esi+324]
004BFDF7|.E8 D046FAFF call 004644CC
004BFDFC|.8B45 F8 mov eax, [ebp-8] ;//假码
004BFDFF|.8D55 FC lea edx, [ebp-4]
004BFE02|.E8 7D89F4FF call 00408784
004BFE07|.8B45 FC mov eax, [ebp-4] ;//假码
004BFE0A|.50 push eax
004BFE0B|.8D55 EC lea edx, [ebp-14]
004BFE0E|.8B86 20030000 mov eax, [esi+320]
004BFE14|.E8 B346FAFF call 004644CC
004BFE19|.8B45 EC mov eax, [ebp-14] ;//用户名位数
004BFE1C|.8D55 F0 lea edx, [ebp-10]
004BFE1F|.E8 6089F4FF call 00408784
004BFE24|.8B55 F0 mov edx, [ebp-10]
004BFE27|.8D4D F4 lea ecx, [ebp-C]
004BFE2A|.8BC6 mov eax, esi
004BFE2C|.E8 03010000 call 004BFF34 ;//关键call
004BFE31|.8B55 F4 mov edx, [ebp-C] ;//得到真码
004BFE34|.58 pop eax
004BFE35|.E8 A648F4FF call 004046E0
004BFE3A|.75 50 jnz short 004BFE8C ;//注册码不对,就给ebx清零,再给eax
004BFE3C|.B3 01 mov bl, 1 ;//注册码对了,给BL为1,在给eax
下面有一句 Delphi 经典的赋值:
004BFEE8 .8BC3 mov eax, ebx
004BFEEA .5E pop esi
004BFEEB .5B pop ebx
004BFEEC .8BE5 mov esp, ebp
004BFEEE .5D pop ebp
004BFEEF .C3 retn
那么就是算法的地方了,接着进入这个关键call
004BFF34/$55 push ebp
004BFF35|.8BEC mov ebp, esp
004BFF37|.51 push ecx
004BFF38|.B9 04000000 mov ecx, 4
004BFF3D|>6A 00 /push 0
004BFF3F|.6A 00 |push 0
004BFF41|.49 |dec ecx
004BFF42|.^ 75 F9 \jnz short 004BFF3D
004BFF44|.51 push ecx
004BFF45|.874D FC xchg [ebp-4], ecx
004BFF48|.53 push ebx
004BFF49|.56 push esi
004BFF4A|.57 push edi
004BFF4B|.8BF9 mov edi, ecx
004BFF4D|.8955 FC mov [ebp-4], edx
004BFF50|.8B45 FC mov eax, [ebp-4] ;//用户名给eax
004BFF53|.E8 2C48F4FF call 00404784
004BFF58|.33C0 xor eax, eax
004BFF5A|.55 push ebp
004BFF5B|.68 F5004C00 push 004C00F5
004BFF60|.64:FF30 push dword ptr fs:[eax]
004BFF63|.64:8920 mov fs:[eax], esp
004BFF66|.8BC7 mov eax, edi
004BFF68|.E8 6743F4FF call 004042D4
004BFF6D|.8B45 FC mov eax, [ebp-4]
004BFF70|.E8 1F46F4FF call 00404594
004BFF75|.8BF0 mov esi, eax ;//得到用户名的位数
004BFF77|.85F6 test esi, esi
004BFF79|.7E 26 jle short 004BFFA1 ;//如果用户名位数小于等于0跳走
004BFF7B|.BB 01000000 mov ebx, 1 ;//ebx给1
004BFF80|>8D4D EC /lea ecx, [ebp-14]
004BFF83|.8B45 FC |mov eax, [ebp-4] ;//用户名给eax
004BFF86|.0FB64418 FF |movzx eax, byte ptr [eax+ebx-1] ;//依次取用户名每一位,转化为16进制,给eax
004BFF8B|.33D2 |xor edx, edx ;//edx清零
004BFF8D|.E8 6E8BF4FF |call 00408B00
004BFF92|.8B55 EC |mov edx, [ebp-14] ;//每一位的16进制给edx
004BFF95|.8D45 F8 |lea eax, [ebp-8]
004BFF98|.E8 FF45F4FF |call 0040459C
004BFF9D|.43 |inc ebx
004BFF9E|.4E |dec esi
004BFF9F|.^ 75 DF \jnz short 004BFF80
004BFFA1|>8B45 F8 mov eax, [ebp-8] ;//上面的循环,相当于将用户名转化为ASCII码,设为A
004BFFA4|.E8 EB45F4FF call 00404594
004BFFA9|.8BF0 mov esi, eax ;//得到的A的位数,也就是用户名位数的两倍
004BFFAB|.85F6 test esi, esi
004BFFAD|.7E 2C jle short 004BFFDB
004BFFAF|.BB 01000000 mov ebx, 1
004BFFB4|>8B45 F8 /mov eax, [ebp-8] ;//将A给eax
004BFFB7|.E8 D845F4FF |call 00404594 ;//得到A的长度,设为B
004BFFBC|.2BC3 |sub eax, ebx ;//B-1
004BFFBE|.8B55 F8 |mov edx, [ebp-8] ;//将A给edx
004BFFC1|.8A1402 |mov dl, [edx+eax] ;//取A的第B-1位,A的位数从第0位开始
004BFFC4|.8D45 E8 |lea eax, [ebp-18]
004BFFC7|.E8 F044F4FF |call 004044BC
004BFFCC|.8B55 E8 |mov edx, [ebp-18]
004BFFCF|.8D45 F4 |lea eax, [ebp-C]
004BFFD2|.E8 C545F4FF |call 0040459C
004BFFD7|.43 |inc ebx ;//ebx加1
004BFFD8|.4E |dec esi ;//esi减1
004BFFD9|.^ 75 D9 \jnz short 004BFFB4
004BFFDB|>8D45 F8 lea eax, [ebp-8] ;//这里相当于将A从最后一个数开始读,最后变成C
004BFFDE|.50 push eax
004BFFDF|.B9 04000000 mov ecx, 4
004BFFE4|.BA 01000000 mov edx, 1
004BFFE9|.8B45 F4 mov eax, [ebp-C]
004BFFEC|.E8 0348F4FF call 004047F4
004BFFF1|.8D45 F4 lea eax, [ebp-C]
004BFFF4|.50 push eax
004BFFF5|.B9 04000000 mov ecx, 4
004BFFFA|.BA 05000000 mov edx, 5
004BFFFF|.8B45 F4 mov eax, [ebp-C]
004C0002|.E8 ED47F4FF call 004047F4
004C0007|.8B45 F8 mov eax, [ebp-8] ;//取C的前四位
004C000A|.E8 8545F4FF call 00404594
004C000F|.83F8 04 cmp eax, 4 ;//如果不够四位,不跳进行计算
004C0012|.7D 2F jge short 004C0043
004C0014|.8B45 F8 mov eax, [ebp-8]
004C0017|.E8 7845F4FF call 00404594
004C001C|.8BD8 mov ebx, eax
004C001E|.83FB 03 cmp ebx, 3
004C0021|.7F 20 jg short 004C0043
004C0023|>8D4D E4 /lea ecx, [ebp-1C]
004C0026|.8BC3 |mov eax, ebx ;//位数给eax
004C0028|.C1E0 02 |shl eax, 2 ;//eax*4
004C002B|.33D2 |xor edx, edx
004C002D|.E8 CE8AF4FF |call 00408B00
004C0032|.8B55 E4 |mov edx, [ebp-1C]
004C0035|.8D45 F8 |lea eax, [ebp-8]
004C0038|.E8 5F45F4FF |call 0040459C
004C003D|.43 |inc ebx
004C003E|.83FB 04 |cmp ebx, 4
004C0041|.^ 75 E0 \jnz short 004C0023 ;//位数*4,给相应位上,构成新的第一个四位
004C0043|>8B45 F4 mov eax, [ebp-C] ;//再取四位
004C0046|.E8 4945F4FF call 00404594
004C004B|.83F8 04 cmp eax, 4
004C004E|.7D 2F jge short 004C007F
004C0050|.8B45 F4 mov eax, [ebp-C]
004C0053|.E8 3C45F4FF call 00404594
004C0058|.8BD8 mov ebx, eax ;//如果不够四位,计算剩下的位数
004C005A|.83FB 03 cmp ebx, 3
004C005D|.7F 20 jg short 004C007F
004C005F|>8D4D E0 /lea ecx, [ebp-20]
004C0062|.8BC3 |mov eax, ebx ;//位数给eax
004C0064|.C1E0 02 |shl eax, 2 ;//eax*4
004C0067|.33D2 |xor edx, edx
004C0069|.E8 928AF4FF |call 00408B00
004C006E|.8B55 E0 |mov edx, [ebp-20]
004C0071|.8D45 F4 |lea eax, [ebp-C]
004C0074|.E8 2345F4FF |call 0040459C
004C0079|.43 |inc ebx
004C007A|.83FB 04 |cmp ebx, 4
004C007D|.^ 75 E0 \jnz short 004C005F ;//位数*4,给相应位上,构成新的第二个四位
004C007F|>8D45 F0 lea eax, [ebp-10]
004C0082|.BA 0C014C00 mov edx, 004C010C ;rmconv268d58k
004C0087|.E8 E042F4FF call 0040436C ;//这里进行的是将rmc换成大写
004C008C|.8D45 DC lea eax, [ebp-24] ;//变成RMConv268d58k
004C008F|.50 push eax
004C0090|.B9 04000000 mov ecx, 4
004C0095|.BA 01000000 mov edx, 1
004C009A|.8B45 F0 mov eax, [ebp-10]
004C009D|.E8 5247F4FF call 004047F4
004C00A2|.FF75 DC push dword ptr [ebp-24] ;//取RMConv268d58k前四位RMCo
004C00A5|.68 24014C00 push 004C0124 ;-
004C00AA|.FF75 F8 push dword ptr [ebp-8] ;//用-与C的前四位连起来
004C00AD|.8D45 D8 lea eax, [ebp-28]
004C00B0|.50 push eax
004C00B1|.B9 05000000 mov ecx, 5 ;//取5位
004C00B6|.BA 05000000 mov edx, 5 ;//从RMConv268d58k第5位开始取
004C00BB|.8B45 F0 mov eax, [ebp-10]
004C00BE|.E8 3147F4FF call 004047F4
004C00C3|.FF75 D8 push dword ptr [ebp-28] ;//得到是nv268
004C00C6|.68 24014C00 push 004C0124 ;-
004C00CB|.FF75 F4 push dword ptr [ebp-C] ;//再用-把C的第二个四位连接起来
004C00CE|.8BC7 mov eax, edi
004C00D0|.BA 06000000 mov edx, 6
004C00D5|.E8 7A45F4FF call 00404654 ;//得到完整的注册码
004C00DA|.33C0 xor eax, eax
004C00DC|.5A pop edx
004C00DD|.59 pop ecx
004C00DE|.59 pop ecx
004C00DF|.64:8910 mov fs:[eax], edx
004C00E2|.68 FC004C00 push 004C00FC
004C00E7|>8D45 D8 lea eax, [ebp-28]
004C00EA|.BA 0A000000 mov edx, 0A
004C00EF|.E8 0442F4FF call 004042F8
004C00F4\.C3 retn
004C00F5 .^ E9 3A3BF4FF jmp 00403C34
004C00FA .^ EB EB jmp short 004C00E7
004C00FC .5F pop edi
004C00FD .5E pop esi
004C00FE .5B pop ebx
004C00FF .8BE5 mov esp, ebp
004C0101 .5D pop ebp
004C0102 .C3 retn
--------------------------------------------------------------------------------
【算法总结】
1、将用户名转化成ASCII码,设为A,然后反向排列(即最后一位排到第一位,第一位就自然推到最后一位了),得到的设为C
2、固定码为:rmconv268d58k,将其转换成RMConv268d58k
3、组合注册码:RMCo-(C的前四位)nv268-(C的第二个四位)
4、如果用户名位数少于4位的话就要进行相应的计算,相应位上为位数*4,即如果用户名只有一位,那么生成的ASCII只有两位,那么第一个四位组成就是**8C,第二个四位就是048C了!
演示:
用户名大于等于四位时:
用户名:evilangel
ASCII(即A):6576696C616E67656C
那么C:C65676E616C6966756
所以注册码为:RMCo-C656nv268-76E6
用户名小于四位时:
用户名:e
ASCII(即A):65
C:56
注册码为:RMCo-568Cnv268-048C
说明:这个没什么技术含量,对算法有些不熟悉,有错误之处还望指出
--------------------------------------------------------------------------------
2009年03月25日 22:36:13 算法又见算法过两天写个文章叫《大牛是怎样炼成的》 算法又见算法 辛苦 辛苦 辛苦 辛苦 辛苦 辛苦 算法分析很详细,加精鼓励! 额 学习下前辈