某软件安装序列号算法分析之二
本帖最后由 pendan2001 于 2016-6-30 20:03 编辑
【文章标题】:Macromedia FLASH 4.0简体中文正式版序列号分析
【软件名称】: Macromedia FLASH 4.0简体中文正式版
【下载地址】: 自己找吧
【使用工具】: OD等
【操作平台】:Winxp
【软件介绍】: 一看就明白干什么的。
【 声 明】: 仅为算法研究,勿作它途。
这个现在都是古董了,很多年前写的,没什么技术含量,写的不好别笑我,当时没留截图,大家凑合着看吧。
00603FC0 .837D 8C 00 cmp dword ptr , 0////这里下断点,F9运行后断在这里
00603FC4 .74 39 je short 00603FFF
00603FC6 .8B45 8C mov eax, dword ptr
00603FC9 .83B8 8C230000>cmp dword ptr , 0
00603FD0 .74 07 je short 00603FD9
00603FD2 .8BC8 mov ecx, eax
00603FD4 .E8 8777FFFF call 005FB760
00603FD9 >8B45 8C mov eax, dword ptr
00603FDC .83B8 88230000>cmp dword ptr , 0
00603FE3 .74 07 je short 00603FEC
00603FE5 .8BC8 mov ecx, eax
00603FE7 .E8 147FFFFF call 005FBF00
00603FEC >8B45 8C mov eax, dword ptr
00603FEF .83B8 94230000>cmp dword ptr , 0
00603FF6 .74 07 je short 00603FFF
00603FF8 .8BC8 mov ecx, eax
00603FFA .E8 617CFFFF call 005FBC60
00603FFF >8B45 F0 mov eax, dword ptr
00604002 .05 CC010000 add eax, 1CC
00604007 .8338 00 cmp dword ptr , 0
0060400A .75 0F jnz short 0060401B
0060400C .6A 00 push 0 ; /Reserved = 0
0060400E .6A 10 push 10 ; |Flags = APPCLASS_STANDARD|APPCMD_CLIENTONLY
00604010 .68 B0306000 push 006030B0 ; |Callback = Flash.006030B0
00604015 .50 push eax ; |pInstID
00604016 .E8 3182F5FF call <jmp.&USER32.DdeInitializeA> ; \DdeInitializeA
往上看,找个合适地方下断点
0060401E .E8 4D060000 call 00604670//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
00604023 .85C0 test eax, eax
00604025 .75 11 jnz short 00604038
00604670 $64:A1 0000000>mov eax, dword ptr fs:
00604676 .55 push ebp
00604677 .8BEC mov ebp, esp
00604679 .6A FF push -1
0060467B .68 6C496000 push 0060496C
00604680 .50 push eax
00604681 .64:8925 00000>mov dword ptr fs:, esp
00604688 .81EC EC010000 sub esp, 1EC
0060468E .894D EC mov dword ptr , ecx
00604691 .53 push ebx
00604692 .56 push esi
00604693 .8D4D E4 lea ecx, dword ptr
00604696 .57 push edi
00604697 .33DB xor ebx, ebx
00604699 .E8 A53DF6FF call 00568443
0060469E .68 8A020000 push 28A
006046A3 .8D4D E4 lea ecx, dword ptr
006046A6 .895D FC mov dword ptr , ebx
006046A9 .E8 5745F6FF call 00568C05
006046AE .8B45 E4 mov eax, dword ptr
006046B1 .68 C02E6E00 push 006E2EC0 ;ASCII "yes"
006046B6 .50 push eax
006046B7 .E8 A471F4FF call 0054B860
006046BC .83C4 08 add esp, 8
006046BF .83F8 01 cmp eax, 1
006046C2 .1BC0 sbb eax, eax
006046C4 .8B4D EC mov ecx, dword ptr
006046C7 .F7D8 neg eax
006046C9 .53 push ebx
006046CA .8945 DC mov dword ptr , eax
006046CD .68 B42E6E00 push 006E2EB4 ;ASCII "Register"
006046D2 .68 A42E6E00 push 006E2EA4 ;ASCII "Registration"
006046D7 .E8 E4FBFFFF call 006042C0
006046DC .53 push ebx
006046DD .8D4D E0 lea ecx, dword ptr
006046E0 .68 942E6E00 push 006E2E94 ;ASCII "Serial Number"
006046E5 .8945 F0 mov dword ptr , eax
006046E8 .68 A42E6E00 push 006E2EA4 ;ASCII "Registration"
006046ED .51 push ecx
006046EE .8B4D EC mov ecx, dword ptr
006046F1 .E8 DAFCFFFF call 006043D0
006046F6 .B9 FFFFFFFF mov ecx, -1
006046FB .2BC0 sub eax, eax
006046FD .C645 FC 01 mov byte ptr , 1
00604701 .8B7D E0 mov edi, dword ptr
00604704 .F2:AE repne scas byte ptr es:
00604706 .F7D1 not ecx
00604708 .2BF9 sub edi, ecx
0060470A .8BC1 mov eax, ecx
0060470C .C1E9 02 shr ecx, 2
0060470F .8BF7 mov esi, edi
00604711 .8DBD 08FEFFFF lea edi, dword ptr
00604717 .F3:A5 rep movs dword ptr es:, dword ptr
00604719 .8BC8 mov ecx, eax
0060471B .83E1 03 and ecx, 3
0060471E .F3:A4 rep movs byte ptr es:, byte ptr
00604720 .8D8D 08FEFFFF lea ecx, dword ptr
00604726 .51 push ecx
00604727 .E8 84FBFFFF call 006042B0
0060472C .83C4 04 add esp, 4
0060472F .8945 E8 mov dword ptr , eax
00604732 .3BC3 cmp eax, ebx
00604734 .0F85 4D010000 jnz 00604887
0060473A .53 push ebx
0060473B .8D8D 68FFFFFF lea ecx, dword ptr
00604741 .E8 7AC4E5FF call 00460BC0
00604746 .68 8C2E6E00 push 006E2E8C ;ASCII "FLW400-"
0060474B .8D4D C8 lea ecx, dword ptr
0060474E .C645 FC 02 mov byte ptr , 2
00604752 .E8 943FF6FF call 005686EB
00604757 .899D 64FFFFFF mov dword ptr , ebx
0060475D .895D E8 mov dword ptr , ebx
00604760 >83BD 64FFFFFF>cmp dword ptr , 5
00604767 .0F8D 0A010000 jge 00604877
0060476D .8D8D 68FFFFFF lea ecx, dword ptr
00604773 .E8 9847E2FF call 00428F10//跳出注册窗口,输入注册信息后,点“确定”后,继续往下
00604778 .83F8 01 cmp eax, 1
0060477B .74 0F je short 0060478C
0060477D .C785 64FFFFFF>mov dword ptr , 5
00604787 .E9 DB000000 jmp 00604867
0060478C >8B7D C8 mov edi, dword ptr //(ASCII "FLW400-12345-67890-54321")
0060478F .B9 FFFFFFFF mov ecx, -1
00604794 .2BC0 sub eax, eax
00604796 .F2:AE repne scas byte ptr es:
00604798 .F7D1 not ecx
0060479A .2BF9 sub edi, ecx
0060479C .8BC1 mov eax, ecx
0060479E .C1E9 02 shr ecx, 2
006047A1 .8BF7 mov esi, edi
006047A3 .8DBD 08FEFFFF lea edi, dword ptr
006047A9 .F3:A5 rep movs dword ptr es:, dword ptr
006047AB .8BC8 mov ecx, eax
006047AD .83E1 03 and ecx, 3
006047B0 .F3:A4 rep movs byte ptr es:, byte ptr
006047B2 .8D8D 08FEFFFF lea ecx, dword ptr
006047B8 .51 push ecx//(ASCII "FLW400-12345-67890-54321")
006047B9 .E8 F2FAFFFF call 006042B0//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
006047BE .83C4 04 add esp, 4
006047C1 .8945 E8 mov dword ptr , eax
006047C4 .85C0 test eax, eax
006047C6 .75 31 jnz short 006047F9//不跳就over了。
006047C8 .8D4D F0 lea ecx, dword ptr
006047CB .E8 733CF6FF call 00568443
006047D0 .68 7F020000 push 27F
006047D5 .8D4D F0 lea ecx, dword ptr
006047D8 .C645 FC 03 mov byte ptr , 3
006047DC .E8 2444F6FF call 00568C05
006047E1 .6A 00 push 0/////(ASCII "Required Information",LF,LF,"This Macromedia product cannot run without your name and serial number. ")
________________________________________________
006042B0/$8B4424 04 mov eax, dword ptr
006042B4|.6A 00 push 0
006042B6|.50 push eax
006042B7|.E8 A404E5FF call 00454760//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
006042BC|.83C4 08 add esp, 8
006042BF\.C3 retn
........
0045478D|.52 push edx//(ASCII "FLW400-12345-67890-54321")
0045478E|.E8 CD000000 call 00454860//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
_________________________________
00454860/$83EC 3C sub esp, 3C
00454863|.B8 07000000 mov eax, 7
00454868|.884424 1C mov byte ptr , al
0045486C|.53 push ebx
0045486D|.C64424 21 10mov byte ptr , 10
00454872|.C64424 22 0Fmov byte ptr , 0F
00454877|.C64424 23 16mov byte ptr , 16
0045487C|.56 push esi
0045487D|.57 push edi
0045487E|.C64424 2C 15mov byte ptr , 15
00454883|.C64424 2D 18mov byte ptr , 18
00454888|.C64424 2E 14mov byte ptr , 14
0045488D|.BB 03000000 mov ebx, 3
00454892|.B9 04000000 mov ecx, 4
00454897|.885C24 10 mov byte ptr , bl
0045489B|.884C24 14 mov byte ptr , cl
0045489F|.C64424 2F 17mov byte ptr , 17
004548A4|.C64424 11 0Bmov byte ptr , 0B
004548A9|.C64424 12 12mov byte ptr , 12
004548AE|.C64424 13 11mov byte ptr , 11
004548B3|.33D2 xor edx, edx
004548B5|.884424 40 mov byte ptr , al
004548B9|.C64424 15 09mov byte ptr , 9
004548BE|.C64424 16 0Amov byte ptr , 0A
004548C3|.8D4424 41 lea eax, dword ptr
004548C7|.885C24 34 mov byte ptr , bl
004548CB|.C64424 17 0Cmov byte ptr , 0C
004548D0|.C64424 18 0Emov byte ptr , 0E
004548D5|.8910 mov dword ptr , edx
004548D7|.884C24 38 mov byte ptr , cl
004548DB|.66:8950 04 mov word ptr , dx
004548DF|.8B7424 4C mov esi, dword ptr
004548E3|.8BFE mov edi, esi
004548E5|.B9 FFFFFFFF mov ecx, -1
004548EA|.8850 06 mov byte ptr , dl
004548ED|.895424 39 mov dword ptr , edx
004548F1|.8D4424 35 lea eax, dword ptr
004548F5|.66:8910 mov word ptr , dx
004548F8|.8850 02 mov byte ptr , dl
004548FB|.2BC0 sub eax, eax
004548FD|.F2:AE repne scas byte ptr es:
004548FF|.F7D1 not ecx
00454901|.49 dec ecx
00454902|.83F9 18 cmp ecx, 18//序列号是否是24位
00454905|.0F85 AC010000 jnz 00454AB7
0045490B|.807E 06 2D cmp byte ptr , 2D//第7位是否是“-”
0045490F|.0F85 A2010000 jnz 00454AB7
00454915|.807E 0C 2D cmp byte ptr , 2D//第13位是否是“-”
00454919|.0F85 98010000 jnz 00454AB7
0045491F|.807E 12 2D cmp byte ptr , 2D//第19位是否是“-”
00454923|.0F85 8E010000 jnz 00454AB7
00454929|.66:B9 0100 mov cx, 1
0045492D|>0FBFC1 /movsx eax, cx
00454930|.66:41 |inc cx
00454932|.0FBE5404 28 |movsx edx, byte ptr
00454937|.66:83F9 07 |cmp cx, 7
0045493B|.8A5432 FF |mov dl, byte ptr //依次取序列号第16位8,第15位7,第22位3,第21位4,第24位1,第20位5,第23位2,即8734152
0045493F|.885404 3F |mov byte ptr , dl
00454943|.^ 7E E8 \jle short 0045492D
00454945|.66:B9 0100 mov cx, 1
00454949|>0FBFC1 /movsx eax, cx
0045494C|.66:41 |inc cx
0045494E|.0FBE5404 10 |movsx edx, byte ptr
00454953|.66:83F9 03 |cmp cx, 3
00454957|.8A5432 FF |mov dl, byte ptr //依次取序列号第11位4,第18位0,第17位9,即409
0045495B|.885404 33 |mov byte ptr , dl
0045495F|.^ 7E E8 \jle short 00454949
00454961|.66:B9 0100 mov cx, 1
00454965|>0FBFC1 /movsx eax, cx
00454968|.66:41 |inc cx
0045496A|.0FBE5404 14 |movsx edx, byte ptr
0045496F|.66:83F9 04 |cmp cx, 4
00454973|.8A5432 FF |mov dl, byte ptr //依次取序列号第9位2,第10位3,第12位5,第14位6,即2356,16进制值为934
00454977|.885404 37 |mov byte ptr , dl
0045497B|.^ 7E E8 \jle short 00454965
0045497D|.8D4424 20 lea eax, dword ptr
00454981|.8D4C24 40 lea ecx, dword ptr
00454985|.50 push eax
00454986|.68 A8F96D00 push 006DF9A8
0045498B|.51 push ecx//ecx=0013F96C, (ASCII "8734152")
0045498C|.E8 0F510F00 call 00549AA0
00454991|.8D4C24 30 lea ecx, dword ptr
00454995|.8D5424 40 lea edx, dword ptr
00454999|.83C4 0C add esp, 0C
0045499C|.51 push ecx
0045499D|.68 A8F96D00 push 006DF9A8
004549A2|.52 push edx//edx=0013F960, (ASCII "409")
004549A3|.E8 F8500F00 call 00549AA0
004549A8|.8D4C24 20 lea ecx, dword ptr
004549AC|.8D5424 44 lea edx, dword ptr
004549B0|.83C4 0C add esp, 0C
004549B3|.8D7E 03 lea edi, dword ptr
004549B6|.51 push ecx
004549B7|.68 A8F96D00 push 006DF9A8
004549BC|.52 push edx//edx=0013F964, (ASCII "2356")
004549BD|.E8 DE500F00 call 00549AA0
004549C2|.8D4C24 28 lea ecx, dword ptr
004549C6|.83C4 0C add esp, 0C
004549C9|.33DB xor ebx, ebx
004549CB|.6A 03 push 3
004549CD|.57 push edi
004549CE|.51 push ecx
004549CF|.E8 FC7E0F00 call 0054C8D0
004549D4|.8D4424 3C lea eax, dword ptr
004549D8|.8D4C24 28 lea ecx, dword ptr
004549DC|.885C24 2B mov byte ptr , bl
004549E0|.83C4 0C add esp, 0C
004549E3|.50 push eax
004549E4|.68 A8F96D00 push 006DF9A8
004549E9|.51 push ecx//ecx=0013F948, (ASCII "400")
004549EA|.E8 B1500F00 call 00549AA0
004549EF|.8D4C24 28 lea ecx, dword ptr
004549F3|.83C4 0C add esp, 0C
004549F6|.6A 02 push 2
004549F8|.57 push edi
004549F9|.51 push ecx//ecx=0013F948, (ASCII "400")
004549FA|.E8 D17E0F00 call 0054C8D0
004549FF|.8D4C24 34 lea ecx, dword ptr
00454A03|.8D5424 28 lea edx, dword ptr
00454A07|.885C24 2A mov byte ptr , bl
00454A0B|.83C4 0C add esp, 0C
00454A0E|.51 push ecx
00454A0F|.68 A8F96D00 push 006DF9A8
00454A14|.52 push edx//ecx=0013F948, (ASCII "40")
00454A15|.E8 86500F00 call 00549AA0
00454A1A|.8D5424 1A lea edx, dword ptr
00454A1E|.83C4 0C add esp, 0C
00454A21|.8D4E 07 lea ecx, dword ptr
00454A24|.6A 01 push 1
00454A26|.51 push ecx
00454A27|.52 push edx
00454A28|.E8 A37E0F00 call 0054C8D0
00454A2D|.8D4C24 1C lea ecx, dword ptr
00454A31|.885C24 1B mov byte ptr , bl
00454A35|.83C4 0C add esp, 0C
00454A38|.51 push ecx
00454A39|.8D5424 12 lea edx, dword ptr
00454A3D|.68 A8F96D00 push 006DF9A8
00454A42|.52 push edx
00454A43|.E8 58500F00 call 00549AA0
00454A48|.8B4C24 3C mov ecx, dword ptr
00454A4C|.8B5424 30 mov edx, dword ptr
00454A50|.8B4424 1C mov eax, dword ptr
00454A54|.83C4 0C add esp, 0C
00454A57|.51 push ecx//将400转化为16进制190
00454A58|.52 push edx//将409转化为16进制199
00454A59|.8B4C24 28 mov ecx, dword ptr
00454A5D|.50 push eax
00454A5E|.51 push ecx//将8734152转化为16进制8545C8
00454A5F|.E8 BC000000 call 00454B20//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@算法核心
___________________________________________
00454B20/$83EC 24 sub esp, 24
00454B23|.B9 A0860100 mov ecx, 186A0 //固定值186A0
00454B28|.53 push ebx
00454B29|.56 push esi
00454B2A|.8B7424 30 mov esi, dword ptr
00454B2E|.57 push edi
00454B2F|.55 push ebp
00454B30|.8BC6 mov eax, esi
00454B32|.BB 0A000000 mov ebx, 0A //固定值0A
00454B37|.8B7C24 40 mov edi, dword ptr
00454B3B|.99 cdq
00454B3C|.F7F9 idiv ecx //8545C8 除 186A0=57+8568
00454B3E|.894424 28 mov dword ptr , eax
00454B42|.8BC7 mov eax, edi
00454B44|.99 cdq
00454B45|.F7FB idiv ebx //199 除 0A=28+9
00454B47|.8BC8 mov ecx, eax
00454B49|.BB 64000000 mov ebx, 64 //固定值64
00454B4E|.8BC6 mov eax, esi
00454B50|.BD 0A000000 mov ebp, 0A //固定值0A
00454B55|.99 cdq
00454B56|.F7FB idiv ebx //8545C8 除 64=1552D+34
00454B58|.BB E8030000 mov ebx, 3E8 //固定值3E8
00454B5D|.894424 20 mov dword ptr , eax
00454B61|.8BC6 mov eax, esi
00454B63|.99 cdq
00454B64|.F7FD idiv ebp //8545C8 除0A=D53C7+2
00454B66|.BD 10270000 mov ebp, 2710 //固定值2710
00454B6B|.894424 10 mov dword ptr , eax
00454B6F|.8BC6 mov eax, esi //EAX=8545C8
00454B71|.99 cdq
00454B72|.F7FB idiv ebx //8545C8 除3E8=221E+98
00454B74|.8B5C24 44 mov ebx, dword ptr
00454B78|.894424 24 mov dword ptr , eax
00454B7C|.8BC6 mov eax, esi //EAX=8545C8
00454B7E|.99 cdq
00454B7F|.F7FD idiv ebp //8545C8 除2710=369+1038
00454B81|.BD 64000000 mov ebp, 64
00454B86|.894424 14 mov dword ptr , eax
00454B8A|.8BC3 mov eax, ebx //EAX=190
00454B8C|.99 cdq
00454B8D|.F7FD idiv ebp //190 除 64=4
00454B8F|.894424 1C mov dword ptr , eax
00454B93|.8BC7 mov eax, edi //EDI=199
00454B95|.99 cdq
00454B96|.F7FD idiv ebp //199除 64=4+9
00454B98|.BD 40420F00 mov ebp, 0F4240 //固定值F4240
00454B9D|.894424 2C mov dword ptr , eax
00454BA1|.8BC6 mov eax, esi //ESI=8545C8
00454BA3|.99 cdq
00454BA4|.F7FD idiv ebp //8545C8 除F4240=8+B33C8
00454BA6|.BD 0A000000 mov ebp, 0A //固定值A
00454BAB|.894424 18 mov dword ptr , eax
00454BAF|.8BC3 mov eax, ebx //EBX=190
00454BB1|.99 cdq
00454BB2|.F7FD idiv ebp //190除A=28
00454BB4|.8BE8 mov ebp, eax
00454BB6|.8B5424 3C mov edx, dword ptr
00454BBA|.035424 28 add edx, dword ptr //1+57=58
00454BBE|.03D1 add edx, ecx //58+28=80
00454BC0|.8D1452 lea edx, dword ptr //80*3=180
00454BC3|.035424 10 add edx, dword ptr //180+D53C7=D5547
00454BC7|.8B4424 24 mov eax, dword ptr
00454BCB|.035424 20 add edx, dword ptr ///D5547+1552D=EAA74
00454BCF|.03C7 add eax, edi //221E+199=23B7
00454BD1|.8D1452 lea edx, dword ptr //EAA74*3=2BFF5C
00454BD4|.2BD0 sub edx, eax ///2BFF5C-23B7=2BDBA5
00454BD6|.BB 0A000000 mov ebx, 0A //固定值0A
00454BDB|.8D14C2 lea edx, dword ptr //2BDBA5+23B7*8=2CF95D
00454BDE|.03D6 add edx, esi ///2CF95D+8545C8=B23F25
00454BE0|.035424 14 add edx, dword ptr //B23F25+369=B2428E
00454BE4|.035424 1C add edx, dword ptr ///B2428E+4=B24292
00454BE8|.035424 2C add edx, dword ptr //B24292+4=B24296
00454BEC|.035424 18 add edx, dword ptr //B24296+8=B2429E
00454BF0|.8D042A lea eax, dword ptr //B2429E+28=B242C6
00454BF3|.99 cdq
00454BF4|.F7FB idiv ebx //B242C6除A=11D37A+2
00454BF6|.8D1C92 lea ebx, dword ptr //余数2*5=A
00454BF9|.8D147F lea edx, dword ptr //199*3=4CB
00454BFC|.035424 18 add edx, dword ptr //4CB+8=4D3
00454C00|.8B4424 10 mov eax, dword ptr //EAX=D53C7
00454C04|.035424 24 add edx, dword ptr //4D3+221E=26F1
00454C08|.03D1 add edx, ecx //26F1+28=2719
00454C0A|.8D1452 lea edx, dword ptr //2719*3=754B
00454C0D|.2B5424 10 sub edx, dword ptr //754B-D53C7=FFF32184
00454C11|.8D14C2 lea edx, dword ptr //FFF32184+D53C7*8=5DBFBC
00454C14|.035424 3C add edx, dword ptr //5DBFBC+1=5DBFBD
00454C18|.03D6 add edx, esi //5DBFBD+8545C8=E30585
00454C1A|.035424 14 add edx, dword ptr //E30585+369=E308EE
00454C1E|.035424 20 add edx, dword ptr //E308EE+1552D=E45E1B
00454C22|.035424 28 add edx, dword ptr //E45E1B+57=E45E72
00454C26|.035424 1C add edx, dword ptr //E45E72+4=E45E76
00454C2A|.035424 2C add edx, dword ptr //E45E76+4=E45E7A
00454C2E|.C74424 30 0A0>mov dword ptr , 0A
00454C36|.8D042A lea eax, dword ptr //E45E7A+28=E45EA2
00454C39|.99 cdq
00454C3A|.F77C24 30 idiv dword ptr //E45EA2 除A=16D643+4
00454C3E|.8D0449 lea eax, dword ptr //28*3=78
00454C41|.8D1C5A lea ebx, dword ptr //余数4+A*2=18
00454C44|.034424 2C add eax, dword ptr //78+4=7C
00454C48|.8B5424 18 mov edx, dword ptr
00454C4C|.8D1C9B lea ebx, dword ptr //18*5=78
00454C4F|.034424 20 add eax, dword ptr //7C+1552D=155A9
00454C53|.03C5 add eax, ebp //155A9+28=155D1
00454C55|.035424 24 add edx, dword ptr // 8+221E=2226
00454C59|.8D0440 lea eax, dword ptr //155D1*3=40173
00454C5C|.2BC2 sub eax, edx //40173-2226=3DF4D
00454C5E|.8D04D0 lea eax, dword ptr //3DF4D+2226*8=4F07D
00454C61|.C74424 30 0A0>mov dword ptr , 0A
00454C69|.034424 3C add eax, dword ptr //4F07D+1=4F07E
00454C6D|.03C6 add eax, esi //4F07E+8545C8=8A3646
00454C6F|.034424 14 add eax, dword ptr //8A3646+369=8A39AF
00454C73|.034424 28 add eax, dword ptr //8A39AF+57=8A3A06
00454C77|.034424 10 add eax, dword ptr //8A3A06+D53C7=978DCD
00454C7B|.03EE add ebp, esi //28+8545C8=8545F0
00454C7D|.034424 1C add eax, dword ptr //978DCD+4=978DD1
00454C81|.03C7 add eax, edi //978DD1+199=978F6A
00454C83|.99 cdq
00454C84|.F77C24 30 idiv dword ptr //978F6A除A=F27F1
00454C88|.8D1C5A lea ebx, dword ptr //0+78*2=F0
00454C8B|.8D1C9B lea ebx, dword ptr //F0*5=4B0
00454C8E|.8D546D 00 lea edx, dword ptr //8545F0*3=18FD1D0
00454C92|.035424 10 add edx, dword ptr //18FD1D0+D53C7=19D2597
00454C96|.8B4424 1C mov eax, dword ptr
00454C9A|.035424 14 add edx, dword ptr //19D2597+369=19D2900
00454C9E|.034424 20 add eax, dword ptr //1552D+4=15531
00454CA2|.035424 18 add edx, dword ptr //19D2900+8=19D2908
00454CA6|.03C1 add eax, ecx //15531+28=15559
00454CA8|.8D1452 lea edx, dword ptr //19D2908*3=4D77B18
00454CAB|.B9 0A000000 mov ecx, 0A
00454CB0|.2BD0 sub edx, eax //4D77B18-15559=4D625BF
00454CB2|.8D14C2 lea edx, dword ptr //4D625BF+15559*8=4E0D087
00454CB5|.035424 3C add edx, dword ptr //4E0D087+1=4E0D088
00454CB9|.035424 24 add edx, dword ptr //4E0D088+221E=4E0F2A6
00454CBD|.035424 28 add edx, dword ptr //4E0F2A6+57=4E0F2FD
00454CC1|.035424 2C add edx, dword ptr //4E0F2FD+4=4E0F301
00454CC5|.5D pop ebp
00454CC6|.8D043A lea eax, dword ptr //4E0F301+199=4E0F49A
00454CC9|.5F pop edi
00454CCA|.99 cdq
00454CCB|.F7F9 idiv ecx//4E0F49A除A=7CE542+6
00454CCD|.5E pop esi
00454CCE|.8D045A lea eax, dword ptr //余数6+4B0*2=966
00454CD1|.5B pop ebx
00454CD2|.83C4 24 add esp, 24
00454CD5\.C3 retn
上面是不是觉得我很傻啊:loveliness:呵呵,那时候不懂加密算法,编程也差。真是一步一步走来的。
_________________________________________________________________________________________________
00454A64|.816C24 30 1C4>sub dword ptr , 0B491C //8545C8-固定值B491C=79FCAC
00454A6C|.836C24 34 1Bsub dword ptr , 1B //199-固定值1B=17E
00454A71|.83C4 10 add esp, 10
00454A74|.395C24 10 cmp dword ptr , ebx
00454A78|.7C 3D jl short 00454AB7
00454A7A|.837C24 10 09cmp dword ptr , 9
00454A7F|.7F 36 jg short 00454AB7
00454A81|.395C24 30 cmp dword ptr , ebx//比较190是否小于0
00454A85|.7C 30 jl short 00454AB7
00454A87|.817C24 30 E70>cmp dword ptr , 3E7//比较190是否大于3E7
00454A8F|.7F 26 jg short 00454AB7
00454A91|.395C24 20 cmp dword ptr , ebx//比较79FCAC是否小于0
00454A95|.7C 20 jl short 00454AB7
00454A97|.817C24 20 405>cmp dword ptr , 895440//79FCAC是否大于895440
00454A9F|.7F 16 jg short 00454AB7
00454AA1|.395C24 24 cmp dword ptr , ebx//17E是否小于0
00454AA5|.7C 10 jl short 00454AB7
00454AA7|.817C24 24 840>cmp dword ptr , 384///17E是否大于384
00454AAF|.7F 06 jg short 00454AB7
00454AB1|.394424 14 cmp dword ptr , eax//966是否等于934(第9,10,12,14位2356的16进制值)
因此假序列号应改为FLW400-12440-67890-54321
00454AB5|.74 09 je short 00454AC0//不等于就over
00454AB7|>33C0 xor eax, eax
00454AB9|.5F pop edi
00454ABA|.5E pop esi
00454ABB|.5B pop ebx
00454ABC|.83C4 3C add esp, 3C
00454ABF|.C3 retn
.......
00454AD6|.8B4C24 24 mov ecx, dword ptr ///ECX=17E
00454ADA|.8908 mov dword ptr , ecx
00454ADC|>8B4424 58 mov eax, dword ptr
00454AE0|.85C0 test eax, eax
00454AE2|.74 06 je short 00454AEA
00454AE4|.8B4C24 10 mov ecx, dword ptr
00454AE8|.8908 mov dword ptr , ecx
00454AEA|>8B4424 54 mov eax, dword ptr
00454AEE|.85C0 test eax, eax
00454AF0|.74 06 je short 00454AF8
00454AF2|.8B4C24 30 mov ecx, dword ptr //ECX=190
00454AF6|.8908 mov dword ptr , ecx
00454AF8|>8B7C24 50 mov edi, dword ptr
00454AFC|.85FF test edi, edi
00454AFE|.74 10 je short 00454B10
..
返回到00454793
_________________________
00454793|.83C4 18 add esp, 18
00454796|.85C0 test eax, eax
00454798|.0F84 B3000000 je 00454851
0045479E|.8D4424 18 lea eax, dword ptr
004547A2|.8D4C24 14 lea ecx, dword ptr
004547A6|.50 push eax
004547A7|.51 push ecx
004547A8|.E8 33050000 call 00454CE0
004547AD|.83C4 08 add esp, 8
004547B0|.33D2 xor edx, edx
004547B2|.33C0 xor eax, eax
004547B4|.397424 14 cmp dword ptr , esi////ESI=5
004547B8|.7E 2F jle short 004547E9
004547BA|.8B4C24 18 mov ecx, dword ptr ;Flash.0067A0D0
004547BE|>8B7C24 1C /mov edi, dword ptr //EDI=17E
004547C2|.3939 |cmp dword ptr , edi //比较273,278,27A,275,275是否等于17E
004547C4|.74 0C |je short 004547D2//不等就over了
004547C6|.83C1 14 |add ecx, 14
004547C9|.40 |inc eax
004547CA|.3B4424 14 |cmp eax, dword ptr //循环5次比较
004547CE|.^ 7C EE \jl short 004547BE
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
根据比较的4个值构造出4个对应的第11,18,17位
273+1B=28E,10进制为654,即第11,18,17位为654
275+1B=290,10进制为656,即第11,18,17位为656
278+1B=293,10进制为659,即第11,18,17位为659
27A+1B=295,10进制为661,即第11,18,17位为661
由此兼顾00454AB1处最后的运算结果必须相等的话,
第9,10,12,14位有4组合适的数字,分别是
4668,8480,9113,2222
即安装序列号有4个
FLW400-14666-87845-54321
FLW400-18468-07865-54321
FLW400-19161-37895-54321
FLW400-12262-27816-54321
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
004547D0|.EB 17 jmp short 004547E9
004547D2|>C1E0 02 shl eax, 2
004547D5|.BA 01000000 mov edx, 1
004547DA|.8D0C80 lea ecx, dword ptr
004547DD|.034C24 18 add ecx, dword ptr
004547E1|.8B41 0C mov eax, dword ptr
004547E4|.8B49 10 mov ecx, dword ptr
004547E7|.EB 08 jmp short 004547F1
004547E9|>8B4424 0C mov eax, dword ptr
004547ED|.8B4C24 0C mov ecx, dword ptr
004547F1|>85D2 test edx, edx
004547F3|.74 5C je short 00454851
004547F5|.8D7C24 0C lea edi, dword ptr
004547F9|>8A10 /mov dl, byte ptr
004547FB|.3A17 |cmp dl, byte ptr
004547FD|.75 1A |jnz short 00454819
004547FF|.0AD2 |or dl, dl
00454801|.74 12 |je short 00454815
00454803|.8A50 01 |mov dl, byte ptr
00454806|.3A57 01 |cmp dl, byte ptr
00454809|.75 0E |jnz short 00454819
0045480B|.83C0 02 |add eax, 2
0045480E|.83C7 02 |add edi, 2
00454811|.0AD2 |or dl, dl
00454813|.^ 75 E4 \jnz short 004547F9
00454815|>33C0 xor eax, eax
00454817|.EB 05 jmp short 0045481E
00454819|>1BC0 sbb eax, eax
0045481B|.83D8 FF sbb eax, -1
0045481E|>85C0 test eax, eax
00454820|.75 2F jnz short 00454851
00454822|.837C24 34 00cmp dword ptr , 0
00454827|.75 07 jnz short 00454830
00454829|.837C24 20 08cmp dword ptr , 8
0045482E|.74 21 je short 00454851
00454830|>BF F6FFFFFF mov edi, -0A
00454835|.8B4424 24 mov eax, dword ptr
00454839|.99 cdq
0045483A|.F7FF idiv edi
0045483C|.8BF8 mov edi, eax
0045483E|.BB F6FFFFFF mov ebx, -0A
00454843|.8BC1 mov eax, ecx
00454845|.99 cdq
00454846|.F7FB idiv ebx
00454848|.3BF8 cmp edi, eax
0045484A|.75 05 jnz short 00454851
0045484C|.BE 01000000 mov esi, 1
00454851|>8BC6 mov eax, esi
00454853|.5F pop edi
00454854|.5E pop esi
00454855|.5B pop ebx
00454856|.83C4 20 add esp, 20
00454859\.C3 retn
_________________________________________________
006047BE .83C4 04 add esp, 4
006047C1 .8945 E8 mov dword ptr , eax
006047C4 .85C0 test eax, eax
006047C6 .75 31 jnz short 006047F9
006047C8 .8D4D F0 lea ecx, dword ptr
006047CB .E8 733CF6FF call 00568443
006047D0 .68 7F020000 push 27F
006047D5 .8D4D F0 lea ecx, dword ptr
006047D8 .C645 FC 03 mov byte ptr , 3
006047DC .E8 2444F6FF call 00568C05
006047E1 .6A 00 push 0
006047E3 .8B45 F0 mov eax, dword ptr
006047E6 .6A 30 push 30
006047E8 .50 push eax
006047E9 .E8 5408F7FF call 00575042
006047EE .C645 FC 02 mov byte ptr , 2
006047F2 .E8 E0000000 call 006048D7
006047F7 .EB 6E jmp short 00604867
006047F9 >8B45 C8 mov eax, dword ptr
006047FC .8B4D EC mov ecx, dword ptr
006047FF .50 push eax
00604800 .68 942E6E00 push 006E2E94 ;ASCII "Serial Number"
00604805 .68 A42E6E00 push 006E2EA4 ;ASCII "Registration"
0060480A .E8 C1FDFFFF call 006045D0
0060480F .8B45 CC mov eax, dword ptr
00604812 .8B4D EC mov ecx, dword ptr
00604815 .50 push eax
00604816 .68 802E6E00 push 006E2E80 ;ASCII "First Name"
0060481B .68 A42E6E00 push 006E2EA4 ;ASCII "Registration"
00604820 .E8 ABFDFFFF call 006045D0
00604825 .8B45 D0 mov eax, dword ptr
00604828 .8B4D EC mov ecx, dword ptr
0060482B .50 push eax
0060482C .68 742E6E00 push 006E2E74 ;ASCII "Last Name"
00604831 .68 A42E6E00 push 006E2EA4 ;ASCII "Registration"
00604836 .E8 95FDFFFF call 006045D0
0060483B .8B45 D4 mov eax, dword ptr
0060483E .8B4D EC mov ecx, dword ptr
00604841 .50 push eax
00604842 .68 682E6E00 push 006E2E68 ;ASCII "Middle Name"
00604847 .68 A42E6E00 push 006E2EA4 ;ASCII "Registration"
0060484C .E8 7FFDFFFF call 006045D0
00604851 .8B45 D8 mov eax, dword ptr
00604854 .8B4D EC mov ecx, dword ptr
00604857 .50 push eax
00604858 .68 582E6E00 push 006E2E58 ;ASCII "Organization"
0060485D .68 A42E6E00 push 006E2EA4 ;ASCII "Registration"
00604862 .E8 69FDFFFF call 006045D0
00604867 >FF85 64FFFFFF inc dword ptr
0060486D .837D E8 00 cmp dword ptr , 0
00604871 .^ 0F84 E9FEFFFF je 00604760
00604877 >C745 F0 00000>mov dword ptr , 0
0060487E .C645 FC 01 mov byte ptr , 1
00604882 .E8 58000000 call 006048DF
00604887 >837D E8 00 cmp dword ptr , 0
0060488B .0F84 AA000000 je 0060493B
00604891 .837D F0 00 cmp dword ptr , 0
00604895 .0F8C A0000000 jl 0060493B
0060489B .837D DC 00 cmp dword ptr , 0
0060489F .0F84 96000000 je 0060493B
006048A5 .837D F0 00 cmp dword ptr , 0
006048A9 .75 77 jnz short 00604922
006048AB .6A 00 push 0
006048AD .8D8D 08FFFFFF lea ecx, dword ptr
006048B3 .E8 88C5E5FF call 00460E40
006048B8 .C645 FC 04 mov byte ptr , 4
006048BC .8D8D 08FFFFFF lea ecx, dword ptr
006048C2 .E8 4946E2FF call 00428F10
006048C7 .3D E9010000 cmp eax, 1E9 ;Switch (cases 1..1E9)
006048CC .75 1C jnz short 006048EA
归纳起来正确的安装序列号是:
FLW400-14666-87845-54321
FLW400-18468-07865-54321
FLW400-19161-37895-54321
FLW400-12262-27816-54321
“【使用工具】: TRW2000等”不是OD?
另外文章中的代码段最好用代码框属性添加一下,这样看起来会比较舒服。 很佩服会用OD分析算法的大牛。。 thanks许鹏0101:loveliness: FLASH 4.0
{:1_921:}牛人 会跟算法就是厉害啊 完全不懂的路过,感觉楼主好厉害额 为何不用IDA。。。 很多年前还不会IDA,呵呵:loveliness: 6666666666666666666