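XX起名大师 v18.0 Algorithm Analysis
This post was last edited by ubuntu on 2019-6-6 19:01
周易起名大师 v18.0 Algorithm Analysis By: Sendige
I've been bored lately, so I picked algorithm analysis back up. I saw that many people on the 吾爱 forum had cracked 周易起名大师, but as of the time I am posting this analysis I had not seen a non-memory keygen appear, so I took it on, first as practice and second to exercise my programming and my thinking. I actually had the rough outline worked out a few days ago, but I got stuck at the step that generates a new decryption table: it kept producing the wrong result, and that one problem cost me a whole day. I only work on this in my spare time after work, so I don't have much time. Enough rambling. This is amateur work, so if you spot any mistakes, please point them out!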
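A packer check reports a C++ program. As everyone probably knows, this software is written in 易语言 (Easy Programming Language); even the icon is the 易语言 one, haha. I consider myself fairly familiar with 易语言, so I went straight for the 易语言 button-event pattern, which leads to a lot of useful information: FF 55 FC 5F 5E
After the breakpoint hits, what comes first is a pile of initialization (loading skins, strings and so on) that can be ignored. Go straight to this address:
0041AA31|.E8 10DF0000 call 周易起名.00428946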
0041AA36|.83C4 1C add esp,0x1C
0041AA39|.8B5D EC mov ebx,
0041AA3C|.83C3 08 add ebx,0x8
0041AA3F|.895D DC mov ,ebx ;周易起名.00493470
0041AA42|.68 04000080 push 0x80000004
0041AA47|.6A 00 push 0x0
0041AA49|.8B5D DC mov ebx,
0041AA4C|.8B03 mov eax,dword ptr ds:
0041AA4E|.85C0 test eax,eax
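This address retrieves the computer's hard-disk serial number and then takes the MD5 of it. My disk serial number here is "S2ATTJKG", which after MD5 is 24bee7b964f030e863811b7a89a87787. In fact, you can tell that MD5 is in use just from how the data is laid out; you recognise it once you have seen it enough times.
0041AAE5|.83C4 04 add esp,0x4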
0041AAE8|.8945 DC mov ,eax
0041AAEB|.68 A03C4D00 push 周易起名.004D3CA0 ;ASCII "\zc.fne"
0041AAF0|.FF75 DC push
0041AAF3|.B9 02000000 mov ecx,0x2
0041AAF8|.E8 206DFEFF call 周易起名.0040181D
0041AAFD|.83C4 08 add esp,0x8
0041AB00|.8945 D8 mov ,eax
0041AB03|.8B5D DC mov ebx,
0041AB06|.85DB test ebx,ebx
0041AB08|.74 09 je short 周易起名.0041AB13
0041AB0A|.53 push ebx
0041AB0B|.E8 18DE0000 call 周易起名.00428928
0041AB10|.83C4 04 add esp,0x4
0041AB13|>68 04000080 push 0x80000004
0041AB18|.6A 00 push 0x0
0041AB1A|.8B45 D8 mov eax,
0041AB1D|.85C0 test eax,eax
0041AB1F|.75 05 jnz short 周易起名.0041AB26
0041AB21|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
0041AB26|>50 push eax
0041AB27|.68 01000000 push 0x1
0041AB2C|.BB 00A94200 mov ebx,周易起名.0042A900
0041AB31|.E8 F8DD0000 call 周易起名.0042892E
0041AB36|.83C4 10 add esp,0x10
0041AB39|.8945 D4 mov ,eax
0041AB3C|.8B5D D8 mov ebx,
0041AB3F|.85DB test ebx,ebx
0041AB41|.74 09 je short 周易起名.0041AB4C
This checks whether the file zc.fne exists in the root directory; that file is used to store the registration code.
0041AB5D|.83C4 04 add esp,0x4
0041AB60|>58 pop eax
0041AB61|.8945 E8 mov ,eax
0041AB64|.6A FF push -0x1
0041AB66|.6A 08 push 0x8
0041AB68|.68 E1010116 push 0x160101E1
0041AB6D|.68 01000152 push 0x52010001
0041AB72|.E8 DBDD0000 call 周易起名.00428952
0041AB77|.83C4 10 add esp,0x10
0041AB7A|.8945 DC mov ,eax
0041AB7D|.68 A83C4D00 push 周易起名.004D3CA8 ;ASCII "sfsrerewfsddsfersdfdsfdserdfsht98765432"
0041AB82|.FF75 DC push
0041AB85|.B9 02000000 mov ecx,0x2
A fixed string is pushed: sfsrerewfsddsfersdfdsfdserdfsht98765432
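To make the algorithm easier to study, I won't analyze it at initialization. Instead, go to this screen and click the Register button; the code that runs is the same as the genuine-user check performed at initialization.
00401BBF/.55 push ebp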
00401BC0|.8BEC mov ebp,esp
00401BC2|.81EC 2C000000 sub esp,0x2C
00401BC8|.C745 FC 00000>mov ,0x0
00401BCF|.6A FF push -0x1
00401BD1|.6A 08 push 0x8
00401BD3|.68 2C0E0116 push 0x16010E2C
00401BD8|.68 01000152 push 0x52010001
00401BDD|.E8 706D0200 call 周易起名.00428952
00401BE2|.83C4 10 add esp,0x10 ;get the fake code
00401BE5|.8945 F8 mov ,eax
00401BE8|.6A 00 push 0x0
00401BEA|.6A 00 push 0x0
00401BEC|.6A 00 push 0x0
00401BEE|.68 04000080 push 0x80000004
00401BF3|.6A 00 push 0x0
00401BF5|.8B45 F8 mov eax,
00401BF8|.85C0 test eax,eax
00401BFA|.75 05 jnz short 周易起名.00401C01
00401BFC|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
00401C01|>50 push eax
00401C02|.68 02000000 push 0x2
00401C07|.B8 06000000 mov eax,0x6
00401C0C|.BB A0674900 mov ebx,周易起名.004967A0
00401C11|.E8 306D0200 call 周易起名.00428946
00401C16|.83C4 1C add esp,0x1C
00401C19|.8945 F4 mov ,eax
00401C1C|.8B5D F8 mov ebx,
00401C1F|.85DB test ebx,ebx
00401C21|.74 09 je short 周易起名.00401C2C
00401C23|.53 push ebx
00401C24|.E8 FF6C0200 call 周易起名.00428928
00401C29|.83C4 04 add esp,0x4
00401C2C|>8B45 F4 mov eax,
00401C2F|.50 push eax
00401C30|.8B5D FC mov ebx, ;周易起名.00401BBF
00401C33|.85DB test ebx,ebx
00401C35|.74 09 je short 周易起名.00401C40
00401C37|.53 push ebx
00401C38|.E8 EB6C0200 call 周易起名.00428928
00401C3D|.83C4 04 add esp,0x4
00401C40|>58 pop eax ;周易起名.004499E0
00401C41|.8945 FC mov ,eax
00401C44|.68 00000000 push 0x0
00401C49|.BB D08F4200 mov ebx,周易起名.00428FD0
00401C4E|.E8 DB6C0200 call 周易起名.0042892E
00401C53|.83C4 04 add esp,0x4
00401C56|.8945 F8 mov ,eax
00401C59|.68 A03C4D00 push 周易起名.004D3CA0 ;ASCII "\zc.fne"
00401C5E|.FF75 F8 push
00401C61|.B9 02000000 mov ecx,0x2
00401C66|.E8 B2FBFFFF call 周易起名.0040181D ;get the registration file path
00401C6B|.83C4 08 add esp,0x8
00401C6E|.8945 F4 mov ,eax
00401C71|.8B5D F8 mov ebx,
00401C74|.85DB test ebx,ebx
00401C76|.74 09 je short 周易起名.00401C81
00401C78|.53 push ebx
00401C79|.E8 AA6C0200 call 周易起名.00428928
00401C7E|.83C4 04 add esp,0x4
00401C81|>6A FF push -0x1
00401C83|.6A 08 push 0x8
00401C85|.68 2C0E0116 push 0x16010E2C
00401C8A|.68 01000152 push 0x52010001
00401C8F|.E8 BE6C0200 call 周易起名.00428952
00401C94|.83C4 10 add esp,0x10 ;get the fake code from the registration file
00401C97|.8945 F0 mov ,eax
00401C9A|.6A 00 push 0x0
00401C9C|.6A 00 push 0x0
00401C9E|.6A 00 push 0x0
00401CA0|.68 04000080 push 0x80000004
00401CA5|.6A 00 push 0x0
00401CA7|.8B45 F0 mov eax,
00401CAA|.85C0 test eax,eax
00401CAC|.75 05 jnz short 周易起名.00401CB3
00401CAE|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
00401CB3|>50 push eax
00401CB4|.68 02000000 push 0x2
00401CB9|.B8 06000000 mov eax,0x6
00401CBE|.BB A0674900 mov ebx,周易起名.004967A0
00401CC3|.E8 7E6C0200 call 周易起名.00428946
00401CC8|.83C4 1C add esp,0x1C ;fake code
00401CCB|.8945 EC mov ,eax
00401CCE|.8B5D F0 mov ebx,
00401CD1|.85DB test ebx,ebx
00401CD3|.74 09 je short 周易起名.00401CDE
00401CD5|.53 push ebx
00401CD6|.E8 4D6C0200 call 周易起名.00428928
00401CDB|.83C4 04 add esp,0x4
00401CDE|>68 04000080 push 0x80000004
00401CE3|.6A 00 push 0x0
00401CE5|.8B45 EC mov eax,
00401CE8|.85C0 test eax,eax
00401CEA|.75 05 jnz short 周易起名.00401CF1
00401CEC|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
00401CF1|>50 push eax
00401CF2|.68 01000000 push 0x1
00401CF7|.BB B0A04200 mov ebx,周易起名.0042A0B0
00401CFC|.E8 2D6C0200 call 周易起名.0042892E
00401D01|.83C4 10 add esp,0x10 ;convert the fake code to a byte array
00401D04|.8945 E8 mov ,eax
00401D07|.8B5D EC mov ebx,
00401D0A|.85DB test ebx,ebx
00401D0C|.74 09 je short 周易起名.00401D17
00401D0E|.53 push ebx
00401D0F|.E8 146C0200 call 周易起名.00428928
00401D14|.83C4 04 add esp,0x4
00401D17|>68 05000080 push 0x80000005
00401D1C|.6A 00 push 0x0
00401D1E|.8B45 E8 mov eax, ;周易起名.006658A8
00401D21|.85C0 test eax,eax
00401D23|.75 05 jnz short 周易起名.00401D2A
00401D25|.B8 2C3B4D00 mov eax,周易起名.004D3B2C
00401D2A|>50 push eax
00401D2B|.68 04000080 push 0x80000004
00401D30|.6A 00 push 0x0
00401D32|.8B45 F4 mov eax,
00401D35|.85C0 test eax,eax
00401D37|.75 05 jnz short 周易起名.00401D3E
00401D39|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
00401D3E|>50 push eax
00401D3F|.68 02000000 push 0x2
00401D44|.BB 70A94200 mov ebx,周易起名.0042A970
00401D49|.E8 E06B0200 call 周易起名.0042892E
00401D4E|.83C4 1C add esp,0x1C
00401D51|.8B5D F4 mov ebx,
00401D54|.85DB test ebx,ebx
00401D56|.74 09 je short 周易起名.00401D61
00401D58|.53 push ebx
00401D59|.E8 CA6B0200 call 周易起名.00428928
00401D5E|.83C4 04 add esp,0x4
00401D61|>8B5D E8 mov ebx, ;周易起名.006658A8
00401D64|.85DB test ebx,ebx
00401D66|.74 09 je short 周易起名.00401D71
00401D68|.53 push ebx
00401D69|.E8 BA6B0200 call 周易起名.00428928
00401D6E|.83C4 04 add esp,0x4
00401D71|>68 00000000 push 0x0
00401D76|.BB D08F4200 mov ebx,周易起名.00428FD0
00401D7B|.E8 AE6B0200 call 周易起名.0042892E
00401D80|.83C4 04 add esp,0x4
00401D83|.8945 F8 mov ,eax
00401D86|.68 A03C4D00 push 周易起名.004D3CA0 ;ASCII "\zc.fne"
00401D8B|.FF75 F8 push
00401D8E|.B9 02000000 mov ecx,0x2
00401D93|.E8 85FAFFFF call 周易起名.0040181D
00401D98|.83C4 08 add esp,0x8
00401D9B|.8945 F4 mov ,eax
00401D9E|.8B5D F8 mov ebx,
00401DA1|.85DB test ebx,ebx
00401DA3|.74 09 je short 周易起名.00401DAE
00401DA5|.53 push ebx
00401DA6|.E8 7D6B0200 call 周易起名.00428928
00401DAB|.83C4 04 add esp,0x4
00401DAE|>6A FF push -0x1
00401DB0|.6A 08 push 0x8
00401DB2|.68 2C0E0116 push 0x16010E2C
00401DB7|.68 01000152 push 0x52010001
00401DBC|.E8 916B0200 call 周易起名.00428952
00401DC1|.83C4 10 add esp,0x10 ;fake code
00401DC4|.8945 F0 mov ,eax
00401DC7|.6A 00 push 0x0
00401DC9|.6A 00 push 0x0
00401DCB|.6A 00 push 0x0
00401DCD|.68 04000080 push 0x80000004
00401DD2|.6A 00 push 0x0
00401DD4|.8B45 F0 mov eax,
00401DD7|.85C0 test eax,eax
00401DD9|.75 05 jnz short 周易起名.00401DE0
00401DDB|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
00401DE0|>50 push eax
00401DE1|.68 02000000 push 0x2
00401DE6|.B8 06000000 mov eax,0x6
00401DEB|.BB A0674900 mov ebx,周易起名.004967A0
00401DF0|.E8 516B0200 call 周易起名.00428946
00401DF5|.83C4 1C add esp,0x1C ;fake code
00401DF8|.8945 EC mov ,eax
00401DFB|.8B5D F0 mov ebx,
00401DFE|.85DB test ebx,ebx
00401E00|.74 09 je short 周易起名.00401E0B
00401E02|.53 push ebx
00401E03|.E8 206B0200 call 周易起名.00428928
00401E08|.83C4 04 add esp,0x4
00401E0B|>68 04000080 push 0x80000004
00401E10|.6A 00 push 0x0
00401E12|.8B45 EC mov eax,
00401E15|.85C0 test eax,eax
00401E17|.75 05 jnz short 周易起名.00401E1E
00401E19|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
00401E1E|>50 push eax
00401E1F|.68 01000000 push 0x1
00401E24|.BB B0A04200 mov ebx,周易起名.0042A0B0
00401E29|.E8 006B0200 call 周易起名.0042892E
00401E2E|.83C4 10 add esp,0x10
00401E31|.8945 E8 mov ,eax
00401E34|.8B5D EC mov ebx,
00401E37|.85DB test ebx,ebx
00401E39|.74 09 je short 周易起名.00401E44
00401E3B|.53 push ebx
00401E3C|.E8 E76A0200 call 周易起名.00428928
00401E41|.83C4 04 add esp,0x4
00401E44|>68 05000080 push 0x80000005
00401E49|.6A 00 push 0x0
00401E4B|.8B45 E8 mov eax, ;周易起名.006658A8
00401E4E|.85C0 test eax,eax
00401E50|.75 05 jnz short 周易起名.00401E57
00401E52|.B8 2C3B4D00 mov eax,周易起名.004D3B2C
00401E57|>50 push eax
00401E58|.68 04000080 push 0x80000004
00401E5D|.6A 00 push 0x0
00401E5F|.8B45 F4 mov eax,
00401E62|.85C0 test eax,eax
00401E64|.75 05 jnz short 周易起名.00401E6B
00401E66|.B8 2B3B4D00 mov eax,周易起名.004D3B2B
00401E6B|>50 push eax
00401E6C|.68 02000000 push 0x2
00401E71|.BB 70A94200 mov ebx,周易起名.0042A970
00401E76|.E8 B36A0200 call 周易起名.0042892E
00401E7B|.83C4 1C add esp,0x1C
00401E7E|.8B5D F4 mov ebx,
00401E81|.85DB test ebx,ebx
00401E83|.74 09 je short 周易起名.00401E8E
00401E85|.53 push ebx
00401E86|.E8 9D6A0200 call 周易起名.00428928
00401E8B|.83C4 04 add esp,0x4
00401E8E|>8B5D E8 mov ebx, ;周易起名.006658A8
00401E91|.85DB test ebx,ebx
00401E93|.74 09 je short 周易起名.00401E9E
00401E95|.53 push ebx
00401E96|.E8 8D6A0200 call 周易起名.00428928
00401E9B|.83C4 04 add esp,0x4
00401E9E|>6A FF push -0x1
00401EA0|.6A 08 push 0x8
00401EA2|.68 E1010116 push 0x160101E1
00401EA7|.68 01000152 push 0x52010001
00401EAC|.E8 A16A0200 call 周易起名.00428952
00401EB1|.83C4 10 add esp,0x10 ;24bee7b964f030e863811b7a89a87787 machine code
00401EB4|.8945 F8 mov ,eax
00401EB7|.68 A83C4D00 push 周易起名.004D3CA8 ;ASCII "sfsrerewfsddsfersdfdsfdserdfsht98765432"
00401EBC|.FF75 F8 push
00401EBF|.B9 02000000 mov ecx,0x2
00401EC4|.E8 54F9FFFF call 周易起名.0040181D ;concatenate
The machine code and the fixed string are concatenated; call the result mergestr = "24bee7b964f030e863811b7a89a87787sfsrerewfsddsfersdfdsfdserdfsht98765432"
00401F15|.83C4 04 add esp,0x4
00401F18|>C745 EC 00000>mov ,0x0
00401F1F|.6A 00 push 0x0
00401F21|.FF75 EC push
00401F24|.C745 E8 00000>mov ,0x0
00401F2B|.6A 00 push 0x0
00401F2D|.FF75 E8 push
00401F30|.8D45 F0 lea eax,
00401F33|.50 push eax
00401F34|.68 2C976500 push 周易起名.0065972C ;ASCII "炔&"
00401F39|.8B0424 mov eax,dword ptr ss:
00401F3C|.8B00 mov eax,dword ptr ds:
00401F3E|.8B00 mov eax,dword ptr ds:
00401F40|.FF50 18 call dword ptr ds: ;algorithm call
This is actually a standard MD5 function. Press F7 to step into this call at 00401F40:
00425BD9/.55 push ebp
00425BDA|.8BEC mov ebp,esp
00425BDC|.81EC 08000000 sub esp,0x8
00425BE2|.C745 FC 00000>mov ,0x0
00425BE9|.68 10000000 push 0x10
00425BEE|.68 03800000 push 0x8003
00425BF3|.FF75 0C push ;push mergestr
00425BF6|.FF75 08 push
00425BF9|.8B0424 mov eax,dword ptr ss: ;周易起名.00401F43
00425BFC|.8B00 mov eax,dword ptr ds: ;周易起名.004275BD
00425BFE|.8B00 mov eax,dword ptr ds: ;周易起名.004275BD
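00425C00|.FF50 14 call dword ptr ds: ;algorithm call
Keep pressing F7 to step into 00425C00. Inside, it makes a large number of API calls, all related to hash values, for example CryptCreateHash. Even if you have no idea what this call does, run until it returns and look at the final result: str_md5_1=6CB6BEFFD0F68B54D869F10D05D9AF04. This also looks very much like MD5; the program has simply converted the MD5 result to upper case, because the result of an MD5 computation in 易语言 is lower case.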
00401FA2|.83C4 10 add esp,0x10
00401FA5|.8945 DC mov ,eax
00401FA8|.6A 01 push 0x1
00401FAA|.8D45 DC lea eax,
00401FAD|.50 push eax
00401FAE|.6A 01 push 0x1
00401FB0|.8D45 E0 lea eax,
00401FB3|.50 push eax
00401FB4|.68 28976500 push 周易起名.00659728
00401FB9|.8B0424 mov eax,dword ptr ss:
00401FBC|.8B00 mov eax,dword ptr ds:
00401FBE|.8B00 mov eax,dword ptr ds:
00401FC0|.FF50 1C call dword ptr ds:
On to the next MD5. This time the machine code is run through MD5, and the result is recorded as str_md5_2=3980F8B260C71A86FAF4CF8CC74523A8
0041F07E|.83C4 04 add esp,0x4
0041F081|>C745 E8 00000>mov ,0x0
0041F088|.6A 00 push 0x0
0041F08A|.FF75 E8 push
0041F08D|.C745 E4 00000>mov ,0x0
0041F094|.6A 00 push 0x0
0041F096|.FF75 E4 push
0041F099|.FF75 0C push
0041F09C|.68 2C976500 push 周易起名.0065972C ;ASCII "炔&"
0041F0A1|.8B0424 mov eax,dword ptr ss: ;周易起名.0065972C
0041F0A4|.8B00 mov eax,dword ptr ds: ;周易起名.004275BD
0041F0A6|.8B00 mov eax,dword ptr ds: ;周易起名.004275BD
0041F0A8|.FF50 18 call dword ptr ds: ;周易起名.00425BD9
Same as above, another MD5 operation follows. str_md5_1 is run through MD5, giving str_md5_3=7648433C11EDF02CB490098B3D1E6664
0041F0AB|.8945 E0 mov ,eax ;7648433C11EDF02CB490098B3D1E6664
0041F0AE|.FF75 E0 push
0041F0B1|.FF75 EC push
0041F0B4|.B9 02000000 mov ecx,0x2
0041F0B9|.E8 5F27FEFF call 周易起名.0040181D ;concatenate
0041F0BE|.83C4 08 add esp,0x8
0041F0C1|.8945 DC mov ,eax
0041F0C4|.8B5D EC mov ebx,
0041F0C7|.85DB test ebx,ebx
A concatenation is performed: str_md5_2+str_md5_3=3980F8B260C71A86FAF4CF8CC74523A87648433C11EDF02CB490098B3D1E6664, recorded as str_md5_4
0041F12E|.83C4 04 add esp,0x4
0041F131|>58 pop eax ;002643A8
0041F132|.8945 FC mov ,eax
0041F135|.8D45 FC lea eax,
0041F138|.50 push eax
0041F139|.68 80976500 push 周易起名.00659780
0041F13E|.8B0424 mov eax,dword ptr ss:
0041F141|.8B00 mov eax,dword ptr ds:
0041F143|.8B00 mov eax,dword ptr ds:
0041F145|.FF50 08 call dword ptr ds: ;base64
0041F148|.8945 F8 mov ,eax ;Mzk4MEY4QjI2MEM3MUE4NkZBRjRDRjhDQzc0NTIzQTg3NjQ4NDMzQzExRURGMDJDQjQ5MDA5OEIzRDFFNjY2NA==
0041F14B|.68 04000080 push 0x80000004
0041F150|.6A 00 push 0x0
0041F152|.8B45 F8 mov eax,
0041F155|.85C0 test eax,eax
0041F157|.75 05 jnz short 周易起名.0041F15E
Analysis shows that this is Base64 encoding: str_md5_4 from above is Base64-encoded, giving Mzk4MEY4QjI2MEM3MUE4NkZBRjRDRjhDQzc0NTIzQTg3NjQ4NDMzQzExRURGMDJDQjQ5MDA5OEIzRDFFNjY2NA==, recorded as str_Base64
0041F195|.83C4 04 add esp,0x4
0041F198|>58 pop eax ;002F9D38
0041F199|.8945 FC mov ,eax
0041F19C|.FF75 0C push
0041F19F|.8D45 FC lea eax,
0041F1A2|.50 push eax
0041F1A3|.68 2C976500 push 周易起名.0065972C ;ASCII "炔&"
0041F1A8|.8B0424 mov eax,dword ptr ss:
0041F1AB|.8B00 mov eax,dword ptr ds:
0041F1AD|.8B00 mov eax,dword ptr ds:
0041F1AF|.FF50 10 call dword ptr ds:
0041F1B2|.8945 F8 mov ,eax
0041F1B5|.8B45 F8 mov eax,
0041F1B8|.50 push eax
0041F1B9|.8B5D FC mov ebx,
0041F1BC|.85DB test ebx,ebx
Now for the main point of this article. Press F7 to step into 0041F1AF|.FF50 10 call dword ptr ds:
00424BED|.B8 2C3B4D00 mov eax,周易起名.004D3B2C
00424BF2|>50 push eax ;周易起名.0050AE8D
00424BF3|.68 01000000 push 0x1
00424BF8|.BB B08F4200 mov ebx,周易起名.00428FB0
00424BFD|.E8 2C3D0000 call 周易起名.0042892E ;get the length of the str_Base64 data
00424C02|.83C4 10 add esp,0x10
00424C05|.8945 FC mov ,eax ;周易起名.0050AE8D
00424C08|.837D FC 01 cmp ,0x1
00424C0C|.0F8D 0A000000 jge 周易起名.00424C1C
00424C12|.B8 2C3B4D00 mov eax,周易起名.004D3B2C
00424C17|.E9 62080000 jmp 周易起名.0042547E
00424C1C|>68 05000080 push 0x80000005
00424C21|.6A 00 push 0x0
00424C23|.8B5D 10 mov ebx,
00424C26|.8B03 mov eax,dword ptr ds:
00424C28|.85C0 test eax,eax ;周易起名.0050AE8D
00424C2A|.75 05 jnz short 周易起名.00424C31
00424C2C|.B8 2C3B4D00 mov eax,周易起名.004D3B2C
00424C31|>50 push eax ;周易起名.0050AE8D
00424C32|.68 01000000 push 0x1
00424C37|.BB B08F4200 mov ebx,周易起名.00428FB0
00424C3C|.E8 ED3C0000 call 周易起名.0042892E ;get the length of str_md5_1, 32
00424C41|.83C4 10 add esp,0x10
00424C44|.8945 F8 mov ,eax ;周易起名.0050AE8D
00424C47|.68 01030080 push 0x80000301
00424C4C|.6A 00 push 0x0
00424C4E|.FF75 FC push ;58
00424C51|.68 01000000 push 0x1
00424C56|.BB F0A54200 mov ebx,周易起名.0042A5F0
00424C5B|.E8 CE3C0000 call 周易起名.0042892E ;create a buffer of size 58
00424C60|.83C4 10 add esp,0x10
00424C63|.8945 D4 mov ,eax ;周易起名.0050AE8D
00424C66|.8B45 D4 mov eax,
00424C69|.50 push eax ;周易起名.0050AE8D
00424C6A|.8B5D F4 mov ebx,
00424C6D|.85DB test ebx,ebx
Get the length of the str_Base64 data, len=58H, and create a buffer of size 58.
00424C85|> /41 /inc ecx
00424C86|. |51 |push ecx ;create the 0-FF data table
00424C87|. |53 |push ebx
00424C88|. |890B |mov dword ptr ds:,ecx
00424C8A|. |81F9 00010000 |cmp ecx,0x100
00424C90|. |0F8F 58000000 |jg 周易起名.00424CEE
00424C96|. |8B5D EC |mov ebx,
00424C99|. |E8 D3C3FDFF |call 周易起名.00401071
00424C9E|. |53 |push ebx
00424C9F|. |51 |push ecx
00424CA0|. |8B45 F0 |mov eax,
00424CA3|. |48 |dec eax
00424CA4|. |79 0D |jns short 周易起名.00424CB3
00424CA6|. |68 04000000 |push 0x4
00424CAB|. |E8 843C0000 |call 周易起名.00428934
00424CB0|. |83C4 04 |add esp,0x4
00424CB3|> |59 |pop ecx
00424CB4|. |5B |pop ebx
00424CB5|. |3BC1 |cmp eax,ecx
00424CB7|. |7C 0D |jl short 周易起名.00424CC6
00424CB9|. |68 01000000 |push 0x1
00424CBE|. |E8 713C0000 |call 周易起名.00428934
00424CC3|. |83C4 04 |add esp,0x4
00424CC6|> |03D8 |add ebx,eax
00424CC8|. |895D D4 |mov ,ebx
00424CCB|. |DB45 F0 |fild
00424CCE|. |DD5D CC |fstp qword ptr ss:
00424CD1|. |DD45 CC |fld qword ptr ss:
00424CD4|. |DC25 903B4D00 |fsub qword ptr ds:
00424CDA|. |DD5D C4 |fstp qword ptr ss:
00424CDD|. |DD45 C4 |fld qword ptr ss:
00424CE0|. |E8 A6CAFDFF |call 周易起名.0040178B
00424CE5|. |8B5D D4 |mov ebx,
00424CE8|. |8803 |mov byte ptr ds:,al
00424CEA|. |5B |pop ebx
00424CEB|. |59 |pop ecx
00424CEC|.^\EB 97 \jmp short 周易起名.00424C85
This loop creates the 0-FF data table, which is used later for indexing.
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F
60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F
A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF
C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF
E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF
00424CFB|.68 05000080 push 0x80000005
00424D00|.6A 00 push 0x0
00424D02|.8B5D 10 mov ebx,
00424D05|.8B03 mov eax,dword ptr ds: ;points to str_md5_1
00424D07|.85C0 test eax,eax
00424D09|.75 05 jnz short 周易起名.00424D10
00424D0B|.B8 2C3B4D00 mov eax,周易起名.004D3B2C
00424D10|>50 push eax
00424D11|.68 01000000 push 0x1
00424D16|.BB B0A04200 mov ebx,周易起名.0042A0B0
00424D1B|.E8 0E3C0000 call 周易起名.0042892E
00424D20|.83C4 10 add esp,0x10
00424D23|.8945 D4 mov ,eax
00424D26|.8B45 D4 mov eax,
00424D29|.50 push eax
00424D2A|.8B5D E8 mov ebx,
00424D2D|.85DB test ebx,ebx
00424D2F|.74 09 je short 周易起名.00424D3A
00424D31|.53 push ebx
00424D32|.E8 F13B0000 call 周易起名.00428928
00424D37|.83C4 04 add esp,0x4
00424D3A|>58 pop eax
00424D3B|.8945 E8 mov ,eax ;6CB6BEFFD0F68B54D869F10D05D9AF04 str_md5_1
00424D3E|.C745 E4 01000>mov ,0x1
00424D45|.33C9 xor ecx,ecx
00424D47|.8D45 F0 lea eax,
00424D4A|.8BD8 mov ebx,eax
00424D4C|> /41 /inc ecx
00424D4D|. |51 |push ecx
00424D4E|. |53 |push ebx ;take the length of str_md5_1, which is 32 here
00424D4F|. |890B |mov dword ptr ds:,ecx
00424D51|. |81F9 00010000 |cmp ecx,0x100 ;loop 256 times
00424D57|. |0F8F 91000000 |jg 周易起名.00424DEE
00424D5D|. |8B5D E0 |mov ebx,
00424D60|. |E8 0CC3FDFF |call 周易起名.00401071
00424D65|. |53 |push ebx
00424D66|. |51 |push ecx
00424D67|. |8B45 F0 |mov eax,
00424D6A|. |48 |dec eax
00424D6B|. |79 0D |jns short 周易起名.00424D7A
00424D6D|. |68 04000000 |push 0x4
00424D72|. |E8 BD3B0000 |call 周易起名.00428934
00424D77|. |83C4 04 |add esp,0x4
00424D7A|> |59 |pop ecx
00424D7B|. |5B |pop ebx
00424D7C|. |3BC1 |cmp eax,ecx
00424D7E|. |7C 0D |jl short 周易起名.00424D8D
00424D80|. |68 01000000 |push 0x1
00424D85|. |E8 AA3B0000 |call 周易起名.00428934
00424D8A|. |83C4 04 |add esp,0x4
00424D8D|> |03D8 |add ebx,eax
00424D8F|. |895D D4 |mov ,ebx
00424D92|. |8B5D E8 |mov ebx,
00424D95|. |E8 D7C2FDFF |call 周易起名.00401071
00424D9A|. |53 |push ebx
00424D9B|. |51 |push ecx
00424D9C|. |8B45 E4 |mov eax,
00424D9F|. |48 |dec eax
00424DA0|. |79 0D |jns short 周易起名.00424DAF
00424DA2|. |68 04000000 |push 0x4
00424DA7|. |E8 883B0000 |call 周易起名.00428934
00424DAC|. |83C4 04 |add esp,0x4
00424DAF|> |59 |pop ecx
00424DB0|. |5B |pop ebx
00424DB1|. |3BC1 |cmp eax,ecx
00424DB3|. |7C 0D |jl short 周易起名.00424DC2
00424DB5|. |68 01000000 |push 0x1
00424DBA|. |E8 753B0000 |call 周易起名.00428934
00424DBF|. |83C4 04 |add esp,0x4
00424DC2|> |03D8 |add ebx,eax
00424DC4|. |895D D0 |mov ,ebx ;the length is 32 here, so 256/32=8
00424DC7|. |8B5D D0 |mov ebx,
00424DCA|. |8A03 |mov al,byte ptr ds:
00424DCC|. |8B5D D4 |mov ebx,
00424DCF|. |8803 |mov byte ptr ds:,al ;i.e. str_md5_1 concatenated 8 times, recorded as Astr_md5_1
00424DD1|. |FF45 E4 |inc
00424DD4|. |8B45 F8 |mov eax,
00424DD7|. |3945 E4 |cmp ,eax
00424DDA|. |0F8E 07000000 |jle 周易起名.00424DE7
00424DE0|. |C745 E4 01000>|mov ,0x1
00424DE7|> |5B |pop ebx
00424DE8|. |59 |pop ecx
00424DE9|.^\E9 5EFFFFFF \jmp 周易起名.00424D4C
00424DEE|>83C4 08 add esp,0x8
Take the length of str_md5_1, which is 32 here, and loop 256 times. Since the length is 32, 256/32=8, i.e. str_md5_1 is concatenated 8 times and recorded as Astr_md5_1.
Astr_md5_1=6CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF04
Expressed in 易语言, this section computes how many times str_md5_1 has to be concatenated; here the computed count is 8.
00424DFD|.8BD8 mov ebx,eax
00424DFF|>41 /inc ecx
00424E00|.51 |push ecx ;generate a new encryption table
00424E01|.53 |push ebx
00424E02|.890B |mov dword ptr ds:,ecx
00424E04|.81F9 00010000 |cmp ecx,0x100
00424E0A|.0F8F F6010000 |jg 周易起名.00425006
00424E10|.8B5D EC |mov ebx, ;points to 0-FF
00424E13|.E8 59C2FDFF |call 周易起名.00401071
00424E18|.53 |push ebx
00424E19|.51 |push ecx
00424E1A|.8B45 F0 |mov eax, ;local.4=1
00424E1D|.48 |dec eax ;1-1
00424E1E|.79 0D |jns short 周易起名.00424E2D
00424E20|.68 04000000 |push 0x4
00424E25|.E8 0A3B0000 |call 周易起名.00428934
00424E2A|.83C4 04 |add esp,0x4
00424E2D|>59 |pop ecx
00424E2E|.5B |pop ebx
00424E2F|.3BC1 |cmp eax,ecx
00424E31|.7C 0D |jl short 周易起名.00424E40
00424E33|.68 01000000 |push 0x1
00424E38|.E8 F73A0000 |call 周易起名.00428934
00424E3D|.83C4 04 |add esp,0x4
00424E40|>03D8 |add ebx,eax ;points to 0-FF
00424E42|.895D D4 |mov ,ebx
00424E45|.8B5D E0 |mov ebx, ;points to Astr_md5_1
00424E48|.E8 24C2FDFF |call 周易起名.00401071
00424E4D|.53 |push ebx ;6CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF046CB6BEFFD0F68B54D869F10D05D9AF0
00424E4E|.51 |push ecx
00424E4F|.8B45 F0 |mov eax,
00424E52|.48 |dec eax ;1-1
00424E53|.79 0D |jns short 周易起名.00424E62
00424E55|.68 04000000 |push 0x4
00424E5A|.E8 D53A0000 |call 周易起名.00428934
00424E5F|.83C4 04 |add esp,0x4
00424E62|>59 |pop ecx
00424E63|.5B |pop ebx
00424E64|.3BC1 |cmp eax,ecx
00424E66|.7C 0D |jl short 周易起名.00424E75
00424E68|.68 01000000 |push 0x1
00424E6D|.E8 C23A0000 |call 周易起名.00428934
00424E72|.83C4 04 |add esp,0x4
00424E75|>03D8 |add ebx,eax ;points to Astr_md5_1
00424E77|.895D D0 |mov ,ebx
00424E7A|.DB45 E4 |fild ;0
00424E7D|.DD5D C8 |fstp qword ptr ss:
00424E80|.DD45 C8 |fld qword ptr ss:
00424E83|.8B5D D4 |mov ebx, ;points to 0-FF
00424E86|.8A03 |mov al,byte ptr ds:
00424E88|.25 FF000000 |and eax,0xFF
00424E8D|.8945 C0 |mov ,eax
00424E90|.DB45 C0 |fild
00424E93|.DD5D C0 |fstp qword ptr ss:
00424E96|.DC45 C0 |fadd qword ptr ss: ;local 16
00424E99|.8B5D D0 |mov ebx, ;points to Astr_md5_1
00424E9C|.8A03 |mov al,byte ptr ds:
00424E9E|.25 FF000000 |and eax,0xFF
00424EA3|.8945 B8 |mov ,eax ;36
00424EA6|.DB45 B8 |fild ;36
00424EA9|.DD5D B8 |fstp qword ptr ss: ;54
00424EAC|.DC45 B8 |fadd qword ptr ss: ;54+0
00424EAF|.DD5D B0 |fstp qword ptr ss:
00424EB2|.68 01030080 |push 0x80000301
00424EB7|.6A 00 |push 0x0
00424EB9|.68 FF000000 |push 0xFF
00424EBE|.DD45 B0 |fld qword ptr ss:
00424EC1|.E8 C5C8FDFF |call 周易起名.0040178B ;convert to hex: 54 in hex = 36
00424EC6|.68 01030080 |push 0x80000301
00424ECB|.6A 00 |push 0x0
00424ECD|.50 |push eax
00424ECE|.68 02000000 |push 0x2
00424ED3|.BB A08D4200 |mov ebx,周易起名.00428DA0
00424ED8|.E8 513A0000 |call 周易起名.0042892E
00424EDD|.83C4 1C |add esp,0x1C
00424EE0|.8945 E4 |mov ,eax ;36
00424EE3|.8B5D EC |mov ebx,
00424EE6|.E8 86C1FDFF |call 周易起名.00401071
00424EEB|.53 |push ebx
00424EEC|.51 |push ecx
00424EED|.8B45 F0 |mov eax,
00424EF0|.48 |dec eax ;local4-1
00424EF1|.79 0D |jns short 周易起名.00424F00
00424EF3|.68 04000000 |push 0x4
00424EF8|.E8 373A0000 |call 周易起名.00428934
00424EFD|.83C4 04 |add esp,0x4
00424F00|>59 |pop ecx
00424F01|.5B |pop ebx
00424F02|.3BC1 |cmp eax,ecx
00424F04|.7C 0D |jl short 周易起名.00424F13
00424F06|.68 01000000 |push 0x1
00424F0B|.E8 243A0000 |call 周易起名.00428934
00424F10|.83C4 04 |add esp,0x4
00424F13|>03D8 |add ebx,eax
00424F15|.895D D4 |mov ,ebx
00424F18|.8B5D D4 |mov ebx, ;points to 0-FF
00424F1B|.8A03 |mov al,byte ptr ds:
00424F1D|.8845 DC |mov byte ptr ss:,al ;local9
00424F20|.8B5D EC |mov ebx,
00424F23|.E8 49C1FDFF |call 周易起名.00401071
00424F28|.53 |push ebx
00424F29|.51 |push ecx
00424F2A|.8B45 F0 |mov eax,
00424F2D|.48 |dec eax
00424F2E|.79 0D |jns short 周易起名.00424F3D
00424F30|.68 04000000 |push 0x4
00424F35|.E8 FA390000 |call 周易起名.00428934
00424F3A|.83C4 04 |add esp,0x4
00424F3D|>59 |pop ecx
00424F3E|.5B |pop ebx
00424F3F|.3BC1 |cmp eax,ecx
00424F41|.7C 0D |jl short 周易起名.00424F50
00424F43|.68 01000000 |push 0x1
00424F48|.E8 E7390000 |call 周易起名.00428934
00424F4D|.83C4 04 |add esp,0x4
00424F50|>03D8 |add ebx,eax ;points to 0-FF
00424F52|.895D D4 |mov ,ebx
00424F55|.8B5D EC |mov ebx,
00424F58|.E8 14C1FDFF |call 周易起名.00401071
00424F5D|.53 |push ebx
00424F5E|.51 |push ecx
00424F5F|.DB45 E4 |fild ;36
00424F62|.DD5D CC |fstp qword ptr ss: ;54
00424F65|.DD45 CC |fld qword ptr ss:
00424F68|.DC05 903B4D00 |fadd qword ptr ds: ;54+1
00424F6E|.DD5D C4 |fstp qword ptr ss:
00424F71|.DD45 C4 |fld qword ptr ss:
00424F74|.E8 12C8FDFF |call 周易起名.0040178B ;55 in hex = 37
00424F79|.48 |dec eax ;37-1
00424F7A|.79 0D |jns short 周易起名.00424F89
00424F7C|.68 04000000 |push 0x4
00424F81|.E8 AE390000 |call 周易起名.00428934
00424F86|.83C4 04 |add esp,0x4
00424F89|>59 |pop ecx
00424F8A|.5B |pop ebx
00424F8B|.3BC1 |cmp eax,ecx
00424F8D|.7C 0D |jl short 周易起名.00424F9C
00424F8F|.68 01000000 |push 0x1
00424F94|.E8 9B390000 |call 周易起名.00428934
00424F99|.83C4 04 |add esp,0x4
00424F9C|>03D8 |add ebx,eax ;+36, points to 0-FF
00424F9E|.895D C0 |mov ,ebx ;points to entry 36 of 0-FF
00424FA1|.8B5D C0 |mov ebx,
00424FA4|.8A03 |mov al,byte ptr ds:
00424FA6|.8B5D D4 |mov ebx,
00424FA9|.8803 |mov byte ptr ds:,al ;36
00424FAB|.8B5D EC |mov ebx,
00424FAE|.E8 BEC0FDFF |call 周易起名.00401071
00424FB3|.53 |push ebx
00424FB4|.51 |push ecx
00424FB5|.DB45 E4 |fild
00424FB8|.DD5D D0 |fstp qword ptr ss: ;54
00424FBB|.DD45 D0 |fld qword ptr ss:
00424FBE|.DC05 903B4D00 |fadd qword ptr ds: ;54+1=55
00424FC4|.DD5D C8 |fstp qword ptr ss:
00424FC7|.DD45 C8 |fld qword ptr ss:
00424FCA|.E8 BCC7FDFF |call 周易起名.0040178B ;55 in hex = 37
00424FCF|.48 |dec eax ;37-1
00424FD0|.79 0D |jns short 周易起名.00424FDF
00424FD2|.68 04000000 |push 0x4
00424FD7|.E8 58390000 |call 周易起名.00428934
00424FDC|.83C4 04 |add esp,0x4
00424FDF|>59 |pop ecx
00424FE0|.5B |pop ebx
00424FE1|.3BC1 |cmp eax,ecx
00424FE3|.7C 0D |jl short 周易起名.00424FF2
00424FE5|.68 01000000 |push 0x1
00424FEA|.E8 45390000 |call 周易起名.00428934
00424FEF|.83C4 04 |add esp,0x4 ;points to 0-FF
00424FF2|>03D8 |add ebx,eax ;36+
00424FF4|.895D C4 |mov ,ebx
00424FF7|.8B45 DC |mov eax,
00424FFA|.8B5D C4 |mov ebx,
00424FFD|.8803 |mov byte ptr ds:,al
00424FFF|.5B |pop ebx
00425000|.59 |pop ecx
00425001|.^ E9 F9FDFFFF \jmp 周易起名.00424DFF
00425006|>83C4 08 add esp,0x8
00425009|>C745 F0 00000>mov ,0x0
This code is the core of the algorithm. I have simplified the process; it goes as follows.
Generate a new encryption table (built on top of the 0-FF table):
addr = address of the 0-FF table
addr2 = address of Astr_md5_1
local4 = 1, incremented by 1 each time
local4-1+addr = local11
local4-1+addr2 = local12
local7 = 0
and ,0xFF result goes to local16
local16 converted to decimal + local7 converted to decimal, result recorded as result
and ,0xff result goes to local18
local18 converted to decimal + result, result converted to hex goes to local7
local4-1+addr: take out the data stored there and give it to , i.e. local9
local4-1+addr goes to local11
local7+1 converted to hex: res
res-1+addr = local16, given to
 converted to decimal, +1, result converted to hex, -1 + addr, result goes to local15, given to
The final result is the following decryption table:
70 7A 42 E9 38 F4 6D 20 6C 1B E6 00 10 55 F2 4F A3 69 11 80 45 2B 66 6B 54 21 B5 18 AA 35 2F 43
13 57 37 4A F8 A6 34 3A 3F 44 09 5D 60 2A 64 AE 7D 8B F3 5F B7 94 58 06 02 A9 1C 90 D4 47 51 9D
B8 30 D5 7C BB DA A0 EA 76 EF 27 52 6F F6 31 CD 1F 72 F9 ED 05 CF 93 08 07 B1 F0 56 97 75 59 5E
62 E3 49 5C 4B D8 7F 8F 78 D0 48 1E 5A D3 39 67 9A 6E D9 24 22 0B 2D CC 89 29 D2 86 6A AB 7B D7
33 E4 9F E8 9B BD A1 A5 BF FF E7 A2 26 B3 A4 77 73 3D 40 CA 0F 23 14 9C C7 96 B0 32 DD EB 68 A7
FE E2 C6 8D DC B4 B2 53 2C 79 DE 4E CB BA C1 4C 36 7E 99 85 74 4D 71 81 65 1A 50 8A 0D 19 63 0A
5B C3 C8 C4 0C 0E A8 91 AF 1D EE 84 9E BC 61 C9 EC 2E D1 E0 FD 25 FB 03 92 15 17 16 82 3E E5 E1
41 C5 B9 46 83 DB F1 8E 04 F7 AC C0 8C 12 95 B6 DF F5 01 AD 87 3B 88 FC 3C CE 98 28 D6 FA BE C2
The block size is exactly 100H.
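The table-generation loop traced above (a 0-FF table, a running index updated with the table byte plus the key byte and masked with 0xFF, then a swap of two table entries) has the shape of the RC4 key-scheduling step. The sketch below is an added example, not code from the original post or from the program: it follows the listed steps literally and checks them against the textbook form, so the pattern is easier to recognise when it turns up in other disassembly. STR_MD5_1 is the value quoted in the post; the function names are hypothetical and the RC4 identification is an assumption drawn from the listing.

```python
from __future__ import annotations

# Added example: the table-building steps from the post, written out in Python.
# STR_MD5_1 is the value quoted in the post; all function names are hypothetical.
STR_MD5_1 = "6CB6BEFFD0F68B54D869F10D05D9AF04"


def expand_key(key: bytes, size: int = 256) -> bytes:
    """Repeat `key` cyclically until `size` bytes are filled (Astr_md5_1 in the post)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(key[i % len(key)] for i in range(size))


def build_table_as_described(key: bytes) -> list[int]:
    """Follow the post's steps: 0-FF table, then 256 index-and-swap rounds."""
    table = list(range(256))        # the 0-FF table
    expanded = expand_key(key)      # Astr_md5_1
    j = 0                           # local7 in the post, starts at 0
    for i in range(256):            # local4-1 in the post (the listing counts from 1)
        j = (j + table[i] + expanded[i]) & 0xFF
        saved = table[i]            # local9 in the post
        table[i] = table[j]
        table[j] = saved
    return table


def rc4_ksa(key: bytes) -> list[int]:
    """Textbook RC4 key scheduling, which indexes the key modulo its length."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def is_permutation(table: list[int]) -> bool:
    """A key-scheduled table only reorders 0..255; it never drops or repeats a value."""
    return sorted(table) == list(range(256))


def first_round(key: bytes) -> tuple[int, int]:
    """Return (j, table[0]) after round one, to compare with the post's trace comments."""
    table = list(range(256))
    j = (0 + table[0] + key[0]) & 0xFF
    table[0], table[j] = table[j], table[0]
    return j, table[0]


if __name__ == "__main__":
    key = STR_MD5_1.encode("ascii")
    table = build_table_as_described(key)
    print("matches textbook KSA:", table == rc4_ksa(key))
    print("first round (j, table[0]):", [hex(v) for v in first_round(key)])
```

Pre-expanding the key to 256 bytes, as the program does, is equivalent to indexing the key modulo its length, which is why the two functions agree for any non-empty key.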
00425022|.58 pop eax
00425023|>41 /inc ecx
00425024|.51 |push ecx
00425025|.53 |push ebx
00425026|.890B |mov dword ptr ds:,ecx
00425028|.50 |push eax ;loop over the length of the str_Base64 data, 58H
00425029|.3BC8 |cmp ecx,eax
0042502B|.0F8F 2B040000 |jg 周易起名.0042545C
00425031|.DB45 F0 |fild ;0
00425034|.DD5D D0 |fstp qword ptr ss:
00425037|.DD45 D0 |fld qword ptr ss:
0042503A|.DC05 903B4D00 |fadd qword ptr ds: ;0+1
00425040|.DD5D C8 |fstp qword ptr ss:
00425043|.68 01030080 |push 0x80000301
00425048|.6A 00 |push 0x0
0042504A|.68 FF000000 |push 0xFF
0042504F|.DD45 C8 |fld qword ptr ss:
00425052|.E8 34C7FDFF |call 周易起名.0040178B
00425057|.68 01030080 |push 0x80000301
0042505C|.6A 00 |push 0x0
0042505E|.50 |push eax
0042505F|.68 02000000 |push 0x2
00425064|.BB A08D4200 |mov ebx,周易起名.00428DA0
00425069|.E8 C0380000 |call 周易起名.0042892E ;and ,0xff
0042506E|.83C4 1C |add esp,0x1C
00425071|.8945 F0 |mov ,eax ;1
00425074|.8B5D EC |mov ebx,
00425077|.E8 F5BFFDFF |call 周易起名.00401071
0042507C|.53 |push ebx
0042507D|.51 |push ecx
0042507E|.DB45 F0 |fild
00425081|.DD5D D0 |fstp qword ptr ss:
00425084|.DD45 D0 |fld qword ptr ss:
00425087|.DC05 903B4D00 |fadd qword ptr ds:
0042508D|.DD5D C8 |fstp qword ptr ss:
00425090|.DD45 C8 |fld qword ptr ss:
00425093|.E8 F3C6FDFF |call 周易起名.0040178B
00425098|.48 |dec eax
00425099|.79 0D |jns short 周易起名.004250A8
0042509B|.68 04000000 |push 0x4
004250A0|.E8 8F380000 |call 周易起名.00428934
004250A5|.83C4 04 |add esp,0x4
004250A8|>59 |pop ecx
004250A9|.5B |pop ebx
004250AA|.3BC1 |cmp eax,ecx
004250AC|.7C 0D |jl short 周易起名.004250BB
004250AE|.68 01000000 |push 0x1
004250B3|.E8 7C380000 |call 周易起名.00428934
004250B8|.83C4 04 |add esp,0x4
004250BB|>03D8 |add ebx,eax
004250BD|.895D C4 |mov ,ebx
004250C0|.DB45 E4 |fild
004250C3|.DD5D BC |fstp qword ptr ss:
004250C6|.DD45 BC |fld qword ptr ss:
004250C9|.8B5D C4 |mov ebx,
004250CC|.8A03 |mov al,byte ptr ds:
004250CE|.25 FF000000 |and eax,0xFF
004250D3|.8945 B4 |mov ,eax
004250D6|.DB45 B4 |fild
004250D9|.DD5D B4 |fstp qword ptr ss:
004250DC|.DC45 B4 |fadd qword ptr ss:
004250DF|.DD5D AC |fstp qword ptr ss:
004250E2|.68 01030080 |push 0x80000301
004250E7|.6A 00 |push 0x0
004250E9|.68 FF000000 |push 0xFF
004250EE|.DD45 AC |fld qword ptr ss:
004250F1|.E8 95C6FDFF |call 周易起名.0040178B
004250F6|.68 01030080 |push 0x80000301
004250FB|.6A 00 |push 0x0
004250FD|.50 |push eax
004250FE|.68 02000000 |push 0x2
00425103|.BB A08D4200 |mov ebx,周易起名.00428DA0
00425108|.E8 21380000 |call 周易起名.0042892E ;and ,0xFF
0042510D|.83C4 1C |add esp,0x1C
00425110|.8945 E4 |mov ,eax
00425113|.8B5D EC |mov ebx,
00425116|.E8 56BFFDFF |call 周易起名.00401071
0042511B|.53 |push ebx
0042511C|.51 |push ecx
0042511D|.DB45 F0 |fild
00425120|.DD5D D0 |fstp qword ptr ss:
00425123|.DD45 D0 |fld qword ptr ss:
00425126|.DC05 903B4D00 |fadd qword ptr ds:
0042512C|.DD5D C8 |fstp qword ptr ss:
0042512F|.DD45 C8 |fld qword ptr ss:
00425132|.E8 54C6FDFF |call 周易起名.0040178B
00425137|.48 |dec eax
00425138|.79 0D |jns short 周易起名.00425147
0042513A|.68 04000000 |push 0x4
0042513F|.E8 F0370000 |call 周易起名.00428934
00425144|.83C4 04 |add esp,0x4
00425147|>59 |pop ecx
00425148|.5B |pop ebx
00425149|.3BC1 |cmp eax,ecx
0042514B|.7C 0D |jl short 周易起名.0042515A
0042514D|.68 01000000 |push 0x1
00425152|.E8 DD370000 |call 周易起名.00428934
00425157|.83C4 04 |add esp,0x4
0042515A|>03D8 |add ebx,eax
0042515C|.895D C4 |mov ,ebx
0042515F|.8B5D C4 |mov ebx,
00425162|.8A03 |mov al,byte ptr ds:
00425164|.8845 DC |mov byte ptr ss:,al ;local9
00425167|.8B5D EC |mov ebx,
0042516A|.E8 02BFFDFF |call 周易起名.00401071
0042516F|.53 |push ebx
00425170|.51 |push ecx
00425171|.DB45 F0 |fild
00425174|.DD5D D0 |fstp qword ptr ss:
00425177|.DD45 D0 |fld qword ptr ss:
0042517A|.DC05 903B4D00 |fadd qword ptr ds:
00425180|.DD5D C8 |fstp qword ptr ss:
00425183|.DD45 C8 |fld qword ptr ss:
00425186|.E8 00C6FDFF |call 周易起名.0040178B
0042518B|.48 |dec eax
0042518C|.79 0D |jns short 周易起名.0042519B
0042518E|.68 04000000 |push 0x4
00425193|.E8 9C370000 |call 周易起名.00428934
00425198|.83C4 04 |add esp,0x4
0042519B|>59 |pop ecx
0042519C|.5B |pop ebx
0042519D|.3BC1 |cmp eax,ecx
0042519F|.7C 0D |jl short 周易起名.004251AE
004251A1|.68 01000000 |push 0x1
004251A6|.E8 89370000 |call 周易起名.00428934
004251AB|.83C4 04 |add esp,0x4
004251AE|>03D8 |add ebx,eax
004251B0|.895D C4 |mov ,ebx
004251B3|.8B5D EC |mov ebx,
004251B6|.E8 B6BEFDFF |call 周易起名.00401071
004251BB|.53 |push ebx
004251BC|.51 |push ecx
004251BD|.DB45 E4 |fild
004251C0|.DD5D BC |fstp qword ptr ss:
004251C3|.DD45 BC |fld qword ptr ss:
004251C6|.DC05 903B4D00 |fadd qword ptr ds:
004251CC|.DD5D B4 |fstp qword ptr ss:
004251CF|.DD45 B4 |fld qword ptr ss:
004251D2|.E8 B4C5FDFF |call 周易起名.0040178B
004251D7|.48 |dec eax
004251D8|.79 0D |jns short 周易起名.004251E7
004251DA|.68 04000000 |push 0x4
004251DF|.E8 50370000 |call 周易起名.00428934
004251E4|.83C4 04 |add esp,0x4
004251E7|>59 |pop ecx
004251E8|.5B |pop ebx
004251E9|.3BC1 |cmp eax,ecx
004251EB|.7C 0D |jl short 周易起名.004251FA
004251ED|.68 01000000 |push 0x1
004251F2|.E8 3D370000 |call 周易起名.00428934
004251F7|.83C4 04 |add esp,0x4
004251FA|>03D8 |add ebx,eax
004251FC|.895D B0 |mov ,ebx
004251FF|.8B5D B0 |mov ebx,
00425202|.8A03 |mov al,byte ptr ds:
00425204|.8B5D C4 |mov ebx,
00425207|.8803 |mov byte ptr ds:,al
00425209|.8B5D EC |mov ebx,
0042520C|.E8 60BEFDFF |call 周易起名.00401071
00425211|.53 |push ebx
00425212|.51 |push ecx
00425213|.DB45 E4 |fild
00425216|.DD5D D0 |fstp qword ptr ss:
00425219|.DD45 D0 |fld qword ptr ss:
0042521C|.DC05 903B4D00 |fadd qword ptr ds:
00425222|.DD5D C8 |fstp qword ptr ss:
00425225|.DD45 C8 |fld qword ptr ss:
00425228|.E8 5EC5FDFF |call 周易起名.0040178B
0042522D|.48 |dec eax
0042522E|.79 0D |jns short 周易起名.0042523D
00425230|.68 04000000 |push 0x4
00425235|.E8 FA360000 |call 周易起名.00428934
0042523A|.83C4 04 |add esp,0x4
0042523D|>59 |pop ecx
0042523E|.5B |pop ebx
0042523F|.3BC1 |cmp eax,ecx
00425241|.7C 0D |jl short 周易起名.00425250
00425243|.68 01000000 |push 0x1
00425248|.E8 E7360000 |call 周易起名.00428934
0042524D|.83C4 04 |add esp,0x4
00425250|>03D8 |add ebx,eax
00425252|.895D C4 |mov ,ebx
00425255|.8B45 DC |mov eax,
00425258|.8B5D C4 |mov ebx,
0042525B|.8803 |mov byte ptr ds:,al
0042525D|.8B5D F4 |mov ebx,
00425260|.E8 0CBEFDFF |call 周易起名.00401071
00425265|.53 |push ebx
00425266|.51 |push ecx
00425267|.8B45 D8 |mov eax,
0042526A|.48 |dec eax
0042526B|.79 0D |jns short 周易起名.0042527A
0042526D|.68 04000000 |push 0x4
00425272|.E8 BD360000 |call 周易起名.00428934
00425277|.83C4 04 |add esp,0x4
0042527A|>59 |pop ecx
0042527B|.5B |pop ebx
0042527C|.3BC1 |cmp eax,ecx
0042527E|.7C 0D |jl short 周易起名.0042528D
00425280|.68 01000000 |push 0x1
00425285|.E8 AA360000 |call 周易起名.00428934
0042528A|.83C4 04 |add esp,0x4
0042528D|>03D8 |add ebx,eax
0042528F|.895D D4 |mov ,ebx
00425292|.8B5D 0C |mov ebx,
00425295|.8B1B |mov ebx,dword ptr ds: ;points to the base64 address
00425297|.E8 D5BDFDFF |call 周易起名.00401071 ;get the base64 length
0042529C|.53 |push ebx
0042529D|.51 |push ecx
0042529E|.8B45 D8 |mov eax,
004252A1|.48 |dec eax
004252A2|.79 0D |jns short 周易起名.004252B1
004252A4|.68 04000000 |push 0x4
004252A9|.E8 86360000 |call 周易起名.00428934
004252AE|.83C4 04 |add esp,0x4
004252B1|>59 |pop ecx
004252B2|.5B |pop ebx
004252B3|.3BC1 |cmp eax,ecx
004252B5|.7C 0D |jl short 周易起名.004252C4
004252B7|.68 01000000 |push 0x1
004252BC|.E8 73360000 |call 周易起名.00428934
004252C1|.83C4 04 |add esp,0x4
004252C4|>03D8 |add ebx,eax
004252C6|.895D D0 |mov ,ebx
004252C9|.8B5D EC |mov ebx,
004252CC|.E8 A0BDFDFF |call 周易起名.00401071
004252D1|.53 |push ebx
004252D2|.51 |push ecx
004252D3|.8B5D EC |mov ebx,
004252D6|.E8 96BDFDFF |call 周易起名.00401071
004252DB|.53 |push ebx
004252DC|.51 |push ecx
004252DD|.DB45 F0 |fild
004252E0|.DD5D C8 |fstp qword ptr ss:
004252E3|.DD45 C8 |fld qword ptr ss:
004252E6|.DC05 903B4D00 |fadd qword ptr ds:
004252EC|.DD5D C0 |fstp qword ptr ss:
004252EF|.DD45 C0 |fld qword ptr ss:
004252F2|.E8 94C4FDFF |call 周易起名.0040178B
004252F7|.48 |dec eax
004252F8|.79 0D |jns short 周易起名.00425307
004252FA|.68 04000000 |push 0x4
004252FF|.E8 30360000 |call 周易起名.00428934
00425304|.83C4 04 |add esp,0x4
00425307|>59 |pop ecx
00425308|.5B |pop ebx
00425309|.3BC1 |cmp eax,ecx
0042530B|.7C 0D |jl short 周易起名.0042531A
0042530D|.68 01000000 |push 0x1
00425312|.E8 1D360000 |call 周易起名.00428934
00425317|.83C4 04 |add esp,0x4
0042531A|>03D8 |add ebx,eax
0042531C|.895D BC |mov ,ebx ;2333333333
0042531F|.8B5D EC |mov ebx,
00425322|.E8 4ABDFDFF |call 周易起名.00401071
00425327|.53 |push ebx
00425328|.51 |push ecx
00425329|.DB45 E4 |fild
0042532C|.DD5D B4 |fstp qword ptr ss:
0042532F|.DD45 B4 |fld qword ptr ss:
00425332|.DC05 903B4D00 |fadd qword ptr ds:
00425338|.DD5D AC |fstp qword ptr ss:
0042533B|.DD45 AC |fld qword ptr ss:
0042533E|.E8 48C4FDFF |call 周易起名.0040178B
00425343|.48 |dec eax
00425344|.79 0D |jns short 周易起名.00425353
00425346|.68 04000000 |push 0x4
0042534B|.E8 E4350000 |call 周易起名.00428934
00425350|.83C4 04 |add esp,0x4
00425353|>59 |pop ecx
00425354|.5B |pop ebx
00425355|.3BC1 |cmp eax,ecx
00425357|.7C 0D |jl short 周易起名.00425366
00425359|.68 01000000 |push 0x1
0042535E|.E8 D1350000 |call 周易起名.00428934
00425363|.83C4 04 |add esp,0x4
00425366|>03D8 |add ebx,eax
00425368|.895D A8 |mov ,ebx
0042536B|.8B5D BC |mov ebx,
0042536E|.8A03 |mov al,byte ptr ds:
00425370|.25 FF000000 |and eax,0xFF
00425375|.8945 A0 |mov ,eax
00425378|.DB45 A0 |fild
0042537B|.DD5D A0 |fstp qword ptr ss:
0042537E|.DD45 A0 |fld qword ptr ss:
00425381|.8B5D A8 |mov ebx,
00425384|.8A03 |mov al,byte ptr ds:
00425386|.25 FF000000 |and eax,0xFF
0042538B|.8945 98 |mov ,eax
0042538E|.DB45 98 |fild
00425391|.DD5D 98 |fstp qword ptr ss:
00425394|.DC45 98 |fadd qword ptr ss:
00425397|.DD5D 90 |fstp qword ptr ss:
0042539A|.68 01030080 |push 0x80000301
0042539F|.6A 00 |push 0x0
004253A1|.68 FF000000 |push 0xFF
004253A6|.DD45 90 |fld qword ptr ss:
004253A9|.E8 DDC3FDFF |call 周易起名.0040178B
004253AE|.68 01030080 |push 0x80000301
004253B3|.6A 00 |push 0x0
004253B5|.50 |push eax
004253B6|.68 02000000 |push 0x2
004253BB|.BB A08D4200 |mov ebx,周易起名.00428DA0
004253C0|.E8 69350000 |call 周易起名.0042892E ;and ff
004253C5|.83C4 1C |add esp,0x1C
004253C8|.8945 84 |mov ,eax
004253CB|.DB45 84 |fild
004253CE|.DD5D 84 |fstp qword ptr ss:
004253D1|.DD45 84 |fld qword ptr ss:
004253D4|.DC05 903B4D00 |fadd qword ptr ds:
004253DA|.DD9D 7CFFFFFF |fstp qword ptr ss:
004253E0|.DD85 7CFFFFFF |fld qword ptr ss:
004253E6|.E8 A0C3FDFF |call 周易起名.0040178B
004253EB|.48 |dec eax
004253EC|.79 0D |jns short 周易起名.004253FB
004253EE|.68 04000000 |push 0x4
004253F3|.E8 3C350000 |call 周易起名.00428934
004253F8|.83C4 04 |add esp,0x4
004253FB|>59 |pop ecx
004253FC|.5B |pop ebx
004253FD|.3BC1 |cmp eax,ecx
004253FF|.7C 0D |jl short 周易起名.0042540E
00425401|.68 01000000 |push 0x1
00425406|.E8 29350000 |call 周易起名.00428934
0042540B|.83C4 04 |add esp,0x4
0042540E|>03D8 |add ebx,eax
00425410|.899D 78FFFFFF |mov ,ebx
00425416|.8B9D 78FFFFFF |mov ebx,
0042541C|.8A03 |mov al,byte ptr ds:
0042541E|.25 FF000000 |and eax,0xFF
00425423|.68 01030080 |push 0x80000301
00425428|.6A 00 |push 0x0
0042542A|.50 |push eax
0042542B|.8B5D D0 |mov ebx,
0042542E|.8A03 |mov al,byte ptr ds:
00425430|.25 FF000000 |and eax,0xFF
00425435|.68 01030080 |push 0x80000301
0042543A|.6A 00 |push 0x0
0042543C|.50 |push eax
0042543D|.68 02000000 |push 0x2
00425442|.BB E08D4200 |mov ebx,周易起名.00428DE0
00425447|.E8 E2340000 |call 周易起名.0042892E ;xor ,
0042544C|.83C4 1C |add esp,0x1C
0042544F|.8B5D D4 |mov ebx,
00425452|.8803 |mov byte ptr ds:,al
00425454|.58 |pop eax
00425455|.5B |pop ebx
00425456|.59 |pop ecx
00425457|.^ E9 C7FBFFFF \jmp 周易起名.00425023
0042545C|>83C4 0C add esp,0xC
addr points to the new address table
addrb points to the base64 address
Mzk4MEY4QjI2MEM3MUE4NkZBRjRDRjhDQzc0NTIzQTg3NjQ4NDMzQzExRURGMDJDQjQ5MDA5OEIzRDFFNjY2NA==
The loop count is the data length of str_Base64, i.e. 58H 88T
local4=0 incremented by 1
local4 convert to decimal +1, convert result to hex
and ,0xFF
local4+1-1+addr =local15
local7=0
convert to decimal
and ,255=local 19
local19 convert to decimal +local7, convert result to hex: res
and res,0xFF
local7=res
local4 convert to decimal +1, convert result to hex -1 + addr =local15, assigned to local9
local4 convert to decimal +1, convert result to hex -1 + addr =local15
local7 convert to decimal + 1, convert result to hex -1 + addr =local 20, assigned to
local7 convert to decimal + 1, convert result to hex -1 + addr =local15 to
local10=1 incremented by 1
local10-1+addt=local11
local10-1+addBase64=local12
local4 convert to decimal +1, convert result to hex -1 + addr=local17
local7 convert to decimal +1, convert result to hex -1 + addr=local22
and ,255 to
convert to decimal and ,255 to local26
local26 convert to decimal + local24, convert result to hex: res
and res,255 to local31 convert to decimal +1 -1 +addr = local34
and ,255 =res1
and ,255 =res2
xor res1,res2 to , pointing to a blank address
This yields
22B780197A2670C4D922B8069C015437EE18C463F4FBFC76650F33FC462E4034C5A4FD3B139C9B98BC76A21FE7946E5D06D2B846849FE9D4A7154AE0CA90D4CF3D895A93CD7009FCFE31552AA3A4BB869E6F840B4D6384A7
denoted str_long
0041F1F0|.83C4 10 add esp,0x10
0041F1F3|.8945 F8 mov ,eax
0041F1F6|.C745 F4 00000>mov ,0x0
0041F1FD|.6A 00 push 0x0
0041F1FF|.FF75 F4 push
0041F202|.C745 F0 00000>mov ,0x0
0041F209|.6A 00 push 0x0
0041F20B|.FF75 F0 push
0041F20E|.8D45 F8 lea eax,
0041F211|.50 push eax
0041F212|.68 2C976500 push 周易起名.0065972C ;ASCII "炔&"
0041F217|.8B0424 mov eax,dword ptr ss:
0041F21A|.8B00 mov eax,dword ptr ds:
0041F21C|.8B00 mov eax,dword ptr ds:
0041F21E|.FF50 18 call dword ptr ds: ;0071928F5F5B89A7A3E97CF3F9A8CEAE
This yields 0071928F5F5B89A7A3E97CF3F9A8CEAE, denoted str_md5_5
0041F231|.83C4 04 add esp,0x4
0041F234|>68 04000080 push 0x80000004
0041F239|.6A 00 push 0x0
0041F23B|.68 4D8A4D00 push 周易起名.004D8A4D ;ASCII "Super-EC"
0041F240|.68 01000000 push 0x1
0041F245|.BB B0A04200 mov ebx,周易起名.0042A0B0
0041F24A|.E8 DF960000 call 周易起名.0042892E
0041F24F|.83C4 10 add esp,0x10
0041F252|.8945 E8 mov ,eax
0041F255|.FF75 E8 push
0041F258|.8B5D 0C mov ebx,
0041F25B|.FF33 push dword ptr ds:
0041F25D|.B9 02000000 mov ecx,0x2
0041F262|.E8 C4EDFFFF call 周易起名.0041E02B
0041F267|.83C4 08 add esp,0x8
0041F26A|.8945 E4 mov ,eax
0041F26D|.8B5D E8 mov ebx,
0041F270|.85DB test ebx,ebx
str_md5_1 + “Super-EC”:
6CB6BEFFD0F68B54D869F10D05D9AF04Super-EC
00426185|.8D45 F4 lea eax,
00426188|.8BD8 mov ebx,eax ;周易起名.0050AE8D
0042618A|.58 pop eax ;周易起名.0041F294
0042618B|>41 /inc ecx ;each digit of 0071928F5F5B89A7A3E97CF3F9A8CEAE is padded with 0
0042618C|.51 |push ecx
0042618D|.53 |push ebx
0042618E|.890B |mov dword ptr ds:,ecx
00426190|.50 |push eax ;周易起名.0050AE8D
00426191|.3BC8 |cmp ecx,eax ;周易起名.0050AE8D
00426193|.0F8F 06010000 |jg 周易起名.0042629F
00426199|.8B5D F8 |mov ebx,
0042619C|.E8 D0AEFDFF |call 周易起名.00401071
004261A1|.53 |push ebx
004261A2|.51 |push ecx
004261A3|.8B45 F4 |mov eax,
004261A6|.48 |dec eax ;周易起名.0050AE8D
004261A7|.79 0D |jns short 周易起名.004261B6
004261A9|.68 04000000 |push 0x4
004261AE|.E8 81270000 |call 周易起名.00428934
004261B3|.83C4 04 |add esp,0x4
004261B6|>59 |pop ecx ;周易起名.0041F294
004261B7|.5B |pop ebx ;周易起名.0041F294
004261B8|.3BC1 |cmp eax,ecx
004261BA|.7C 0D |jl short 周易起名.004261C9
004261BC|.68 01000000 |push 0x1
004261C1|.E8 6E270000 |call 周易起名.00428934
004261C6|.83C4 04 |add esp,0x4
004261C9|>03D8 |add ebx,eax ;周易起名.0050AE8D
004261CB|.895D EC |mov ,ebx
004261CE|.8B5D F8 |mov ebx,
004261D1|.E8 9BAEFDFF |call 周易起名.00401071
004261D6|.53 |push ebx
004261D7|.51 |push ecx
004261D8|.8B45 F4 |mov eax,
004261DB|.48 |dec eax ;周易起名.0050AE8D
004261DC|.79 0D |jns short 周易起名.004261EB
004261DE|.68 04000000 |push 0x4
004261E3|.E8 4C270000 |call 周易起名.00428934
004261E8|.83C4 04 |add esp,0x4
004261EB|>59 |pop ecx ;周易起名.0041F294
004261EC|.5B |pop ebx ;周易起名.0041F294
004261ED|.3BC1 |cmp eax,ecx
004261EF|.7C 0D |jl short 周易起名.004261FE
004261F1|.68 01000000 |push 0x1
004261F6|.E8 39270000 |call 周易起名.00428934
004261FB|.83C4 04 |add esp,0x4
004261FE|>03D8 |add ebx,eax ;周易起名.0050AE8D
00426200|.895D E8 |mov ,ebx
00426203|.68 01010080 |push 0x80000101
00426208|.6A 00 |push 0x0
0042620A|.8B5D E8 |mov ebx,
0042620D|.8A03 |mov al,byte ptr ds:
0042620F|.50 |push eax ;周易起名.0050AE8D
00426210|.68 01000000 |push 0x1
00426215|.BB B0A04200 |mov ebx,周易起名.0042A0B0
0042621A|.E8 0F270000 |call 周易起名.0042892E
0042621F|.83C4 10 |add esp,0x10
00426222|.8945 E4 |mov ,eax ;周易起名.0050AE8D
00426225|.6A 00 |push 0x0
00426227|.6A 00 |push 0x0
00426229|.6A 00 |push 0x0
0042622B|.68 05000080 |push 0x80000005
00426230|.6A 00 |push 0x0
00426232|.8B45 E4 |mov eax,
00426235|.85C0 |test eax,eax ;周易起名.0050AE8D
00426237|.75 05 |jnz short 周易起名.0042623E
00426239|.B8 2C3B4D00 |mov eax,周易起名.004D3B2C
0042623E|>50 |push eax ;周易起名.0050AE8D
0042623F|.68 05000080 |push 0x80000005
00426244|.6A 00 |push 0x0
00426246|.8B45 FC |mov eax,
00426249|.85C0 |test eax,eax ;周易起名.0050AE8D
0042624B|.75 05 |jnz short 周易起名.00426252
0042624D|.B8 2C3B4D00 |mov eax,周易起名.004D3B2C
00426252|>50 |push eax ;周易起名.0050AE8D
00426253|.68 03000000 |push 0x3
00426258|.BB 00A54200 |mov ebx,周易起名.0042A500
0042625D|.E8 CC260000 |call 周易起名.0042892E
00426262|.83C4 28 |add esp,0x28
00426265|.8945 E0 |mov ,eax ;周易起名.0050AE8D
00426268|.8B5D E4 |mov ebx,
0042626B|.85DB |test ebx,ebx
0042626D|.74 09 |je short 周易起名.00426278
0042626F|.53 |push ebx
00426270|.E8 B3260000 |call 周易起名.00428928
00426275|.83C4 04 |add esp,0x4
00426278|>DB45 E0 |fild
0042627B|.DD5D D8 |fstp qword ptr ss:
0042627E|.DD45 D8 |fld qword ptr ss:
00426281|.DC25 903B4D00 |fsub qword ptr ds:
00426287|.DD5D D0 |fstp qword ptr ss:
0042628A|.DD45 D0 |fld qword ptr ss:
0042628D|.E8 F9B4FDFF |call 周易起名.0040178B
00426292|.8B5D EC |mov ebx,
00426295|.8803 |mov byte ptr ds:,al
00426297|.58 |pop eax ;周易起名.0041F294
00426298|.5B |pop ebx ;周易起名.0041F294
00426299|.59 |pop ecx ;周易起名.0041F294
0042629A|.^ E9 ECFEFFFF \jmp 周易起名.0042618B
0042629F|>83C4 0C add esp,0xC
004262A2|.68 05000080 push 0x80000005
Each digit of str_md5_5 is prefixed with a “0”:
0071928F5F5B89A7A3E97CF3F9A8CEAE
00 00 07 01 09 02 08 0F 05 0F 05 0B 08 09 0A 07 0A 03 0E 09 07 0C 0F 03 0F 09 0A 08 0C 0E 0A 0E
004262D3|> /41 /inc ecx
004262D4|. |51 |push ecx
004262D5|. |53 |push ebx
004262D6|. |890B |mov dword ptr ds:,ecx
004262D8|. |50 |push eax
004262D9|. |3BC8 |cmp ecx,eax
004262DB|. |0F8F 65010000 |jg 周易起名.00426446
004262E1|. |68 05000080 |push 0x80000005
004262E6|. |6A 00 |push 0x0
004262E8|. |8B45 F8 |mov eax,
004262EB|. |85C0 |test eax,eax
004262ED|. |75 05 |jnz short 周易起名.004262F4
004262EF|. |B8 2C3B4D00 |mov eax,周易起名.004D3B2C
004262F4|> |50 |push eax
004262F5|. |68 01000000 |push 0x1
004262FA|. |BB B08F4200 |mov ebx,周易起名.00428FB0
004262FF|. |E8 2A260000 |call 周易起名.0042892E ;get the md5 count; here it is 20
00426304|. |83C4 10 |add esp,0x10
00426307|. |33C9 |xor ecx,ecx
00426309|. |50 |push eax
0042630A|. |8D45 F4 |lea eax,
0042630D|. |8BD8 |mov ebx,eax
0042630F|. |58 |pop eax ;0032A930
00426310|> |41 |/inc ecx
00426311|. |51 ||push ecx
00426312|. |53 ||push ebx
00426313|. |890B ||mov dword ptr ds:,ecx
00426315|. |50 ||push eax
00426316|. |3BC8 ||cmp ecx,eax
00426318|. |0F8F 1D010000 ||jg 周易起名.0042643B
0042631E|. |8B5D F8 ||mov ebx,
00426321|. |E8 4BADFDFF ||call 周易起名.00401071
00426326|. |53 ||push ebx
00426327|. |51 ||push ecx
00426328|. |8B45 F4 ||mov eax,
0042632B|. |48 ||dec eax
0042632C|. |79 0D ||jns short 周易起名.0042633B
0042632E|. |68 04000000 ||push 0x4
00426333|. |E8 FC250000 ||call 周易起名.00428934
00426338|. |83C4 04 ||add esp,0x4
0042633B|> |59 ||pop ecx ;0032A930
0042633C|. |5B ||pop ebx ;0032A930
0042633D|. |3BC1 ||cmp eax,ecx
0042633F|. |7C 0D ||jl short 周易起名.0042634E
00426341|. |68 01000000 ||push 0x1
00426346|. |E8 E9250000 ||call 周易起名.00428934
0042634B|. |83C4 04 ||add esp,0x4
0042634E|> |03D8 ||add ebx,eax
00426350|. |895D EC ||mov ,ebx
00426353|. |8B5D F8 ||mov ebx,
00426356|. |E8 16ADFDFF ||call 周易起名.00401071
0042635B|. |53 ||push ebx
0042635C|. |51 ||push ecx
0042635D|. |8B45 F4 ||mov eax,
00426360|. |48 ||dec eax
00426361|. |79 0D ||jns short 周易起名.00426370
00426363|. |68 04000000 ||push 0x4
00426368|. |E8 C7250000 ||call 周易起名.00428934
0042636D|. |83C4 04 ||add esp,0x4
00426370|> |59 ||pop ecx ;0032A930
00426371|. |5B ||pop ebx ;0032A930
00426372|. |3BC1 ||cmp eax,ecx
00426374|. |7C 0D ||jl short 周易起名.00426383
00426376|. |68 01000000 ||push 0x1
0042637B|. |E8 B4250000 ||call 周易起名.00428934
00426380|. |83C4 04 ||add esp,0x4
00426383|> |03D8 ||add ebx,eax
00426385|. |895D E8 ||mov ,ebx
00426388|. |8B5D 10 ||mov ebx,
0042638B|. |8B1B ||mov ebx,dword ptr ds:
0042638D|. |E8 DFACFDFF ||call 周易起名.00401071
00426392|. |53 ||push ebx
00426393|. |51 ||push ecx
00426394|. |8B45 F0 ||mov eax,
00426397|. |48 ||dec eax
00426398|. |79 0D ||jns short 周易起名.004263A7
0042639A|. |68 04000000 ||push 0x4
0042639F|. |E8 90250000 ||call 周易起名.00428934
004263A4|. |83C4 04 ||add esp,0x4
004263A7|> |59 ||pop ecx ;0032A930
004263A8|. |5B ||pop ebx ;0032A930
004263A9|. |3BC1 ||cmp eax,ecx
004263AB|. |7C 0D ||jl short 周易起名.004263BA
004263AD|. |68 01000000 ||push 0x1
004263B2|. |E8 7D250000 ||call 周易起名.00428934
004263B7|. |83C4 04 ||add esp,0x4
004263BA|> |03D8 ||add ebx,eax
004263BC|. |895D E4 ||mov ,ebx
004263BF|. |8B5D E8 ||mov ebx,
004263C2|. |8A03 ||mov al,byte ptr ds:
004263C4|. |25 FF000000 ||and eax,0xFF
004263C9|. |8945 DC ||mov ,eax
004263CC|. |DB45 DC ||fild
004263CF|. |DD5D DC ||fstp qword ptr ss:
004263D2|. |DD45 DC ||fld qword ptr ss:
004263D5|. |8B5D E4 ||mov ebx,
004263D8|. |8A03 ||mov al,byte ptr ds:
004263DA|. |25 FF000000 ||and eax,0xFF
004263DF|. |8945 D4 ||mov ,eax
004263E2|. |DB45 D4 ||fild
004263E5|. |DD5D D4 ||fstp qword ptr ss:
004263E8|. |DC45 D4 ||fadd qword ptr ss:
004263EB|. |DC05 903B4D00 ||fadd qword ptr ds:
004263F1|. |DD5D CC ||fstp qword ptr ss:
004263F4|. |68 01060080 ||push 0x80000601
004263F9|. |68 00003040 ||push 0x40300000
004263FE|. |68 00000000 ||push 0x0
00426403|. |68 01060080 ||push 0x80000601
00426408|. |FF75 D0 ||push
0042640B|. |FF75 CC ||push ;ntdll.778C2DD0
0042640E|. |68 02000000 ||push 0x2
00426413|. |BB C08C4200 ||mov ebx,周易起名.00428CC0
00426418|. |E8 11250000 ||call 周易起名.0042892E ;modulo: divide the result above by 16 and take the remainder
0042641D|. |83C4 1C ||add esp,0x1C
00426420|. |8945 BC ||mov ,eax
00426423|. |8955 C0 ||mov ,edx
00426426|. |DD45 BC ||fld qword ptr ss:
00426429|. |E8 5DB3FDFF ||call 周易起名.0040178B ;convert the remainder to hex
0042642E|. |8B5D EC ||mov ebx,
00426431|. |8803 ||mov byte ptr ds:,al
00426433|. |58 ||pop eax ;0032A930
00426434|. |5B ||pop ebx ;0032A930
00426435|. |59 ||pop ecx ;0032A930
00426436|.^|E9 D5FEFFFF |\jmp 周易起名.00426310
0042643B|> |83C4 0C |add esp,0xC
0042643E|. |58 |pop eax ;0032A930
0042643F|. |5B |pop ebx ;0032A930
00426440|. |59 |pop ecx ;0032A930
00426441|.^\E9 8DFEFFFF \jmp 周易起名.004262D3
00426446|>83C4 0C add esp,0xC
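This is a nested (double) loop. If it is not analyzed carefully, it is easy to make mistakes when writing the keygen.
Outer loop count: the length of “6CB6BEFFD0F68B54D869F10D05D9AF04Super-EC” (str_md5_1 + “Super-EC”), which is 40 here.
Inner loop: the length of 6CB6BEFFD0F68B54D869F10D05D9AF04, which is 32.
md5_1_addr 6CB6BEFFD0F68B54D869F10D05D9AF04
local3=1
local3-1+addr=local5
local3-1+addr=local6
local4=1
local4-1+md5_1_addr=local7
and ,255 =local9
local9 convert to decimal and ,255 = local11
local11 convert to decimal +local9 + 1=res
res÷16, take the remainder
The remainder is stored at a blank address, which yields the final registration code
Note: local3 here only increments by 1 once the inner loop has been entered. After leaving the inner loop and returning to the outer loop it becomes 0, and it only starts incrementing again when the inner loop is re-entered. local4 increments by 1 only once per pass of the outer loop; otherwise it does not change during the loop. This is a fairly rough description; see my source code for the details.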
.版本 2
.支持库 spec

.局部变量 md5_1_addr, 文本型
.局部变量 lastmd5, 文本型
.局部变量 local3, 字节型
.局部变量 local4, 字节型
.局部变量 local6, 字节型
.局部变量 local7, 文本型
.局部变量 local9, 字节型
.局部变量 local11, 字节型
.局部变量 n, 整数型
.局部变量 local5, 文本型
.局部变量 m, 整数型
.局部变量 res, 字节型
.局部变量 result, 文本型
.局部变量 len1, 整数型
.局部变量 len2, 整数型

md5_1_addr = str_md5_1 + “Super-EC”
lastmd5 = str_md5_5
len1 = 取文本长度 (md5_1_addr)
len2 = 取文本长度 (lastmd5)

.计次循环首 (len1, n)
    local4 = n
    .计次循环首 (len2, m)
        .如果真 (m > len2)
            跳出循环 ()
        .如果真结束

        local3 = m
        local5 = 取文本中间 (lastmd5, local3, 1)
        local5 = 到文本 (进制_十六到十 (local5))
        local6 = 到字节 (local5)

        local7 = 取文本中间 (md5_1_addr, local4, 1)
        local7 = 取十六进制文本 (取字节集数据 (到字节集 (local7), 1, ))
        local7 = 到文本 (进制_十六到十 (local7))

        local9 = 位与 (local6, 255)
        local11 = 位与 (到字节 (local7), 255)

        res = local11 + local9 + 1
        res = res % 16

        result = result + 进制_十到十六 (res)
        .' 如果真 (取文本长度 (result) = 32)
        ' result = result + “|”
        .如果真结束
        ' 调试输出 (result)

    .计次循环尾 ()
    调试输出 (result)
    lastmd5 = result
    result = “”
.计次循环尾 ()

编辑框2.内容 = lastmd5
00426478|> /41 /inc ecx
00426479|. |51 |push ecx
0042647A|. |53 |push ebx
0042647B|. |890B |mov dword ptr ds:,ecx
0042647D|. |50 |push eax
0042647E|. |3BC8 |cmp ecx,eax
00426480|. |0F8F D5000000 |jg 周易起名.0042655B
00426486|. |8B5D F8 |mov ebx,
00426489|. |E8 E3ABFDFF |call 周易起名.00401071
0042648E|. |53 |push ebx
0042648F|. |51 |push ecx
00426490|. |8B45 F4 |mov eax,
00426493|. |48 |dec eax
00426494|. |79 0D |jns short 周易起名.004264A3
00426496|. |68 04000000 |push 0x4
0042649B|. |E8 94240000 |call 周易起名.00428934
004264A0|. |83C4 04 |add esp,0x4
004264A3|> |59 |pop ecx ;0032A930
004264A4|. |5B |pop ebx ;0032A930
004264A5|. |3BC1 |cmp eax,ecx
004264A7|. |7C 0D |jl short 周易起名.004264B6
004264A9|. |68 01000000 |push 0x1
004264AE|. |E8 81240000 |call 周易起名.00428934
004264B3|. |83C4 04 |add esp,0x4
004264B6|> |03D8 |add ebx,eax
004264B8|. |895D EC |mov ,ebx
004264BB|. |8B5D FC |mov ebx,
004264BE|. |E8 AEABFDFF |call 周易起名.00401071
004264C3|. |53 |push ebx
004264C4|. |51 |push ecx
004264C5|. |8B5D F8 |mov ebx,
004264C8|. |E8 A4ABFDFF |call 周易起名.00401071
004264CD|. |53 |push ebx
004264CE|. |51 |push ecx
004264CF|. |8B45 F4 |mov eax,
004264D2|. |48 |dec eax
004264D3|. |79 0D |jns short 周易起名.004264E2
004264D5|. |68 04000000 |push 0x4
004264DA|. |E8 55240000 |call 周易起名.00428934
004264DF|. |83C4 04 |add esp,0x4
004264E2|> |59 |pop ecx ;0032A930
004264E3|. |5B |pop ebx ;0032A930
004264E4|. |3BC1 |cmp eax,ecx
004264E6|. |7C 0D |jl short 周易起名.004264F5
004264E8|. |68 01000000 |push 0x1
004264ED|. |E8 42240000 |call 周易起名.00428934
004264F2|. |83C4 04 |add esp,0x4
004264F5|> |03D8 |add ebx,eax
004264F7|. |895D E8 |mov ,ebx
004264FA|. |8B5D E8 |mov ebx,
004264FD|. |8A03 |mov al,byte ptr ds:
004264FF|. |25 FF000000 |and eax,0xFF
00426504|. |8945 E0 |mov ,eax
00426507|. |DB45 E0 |fild
0042650A|. |DD5D E0 |fstp qword ptr ss:
0042650D|. |DD45 E0 |fld qword ptr ss:
00426510|. |DC05 903B4D00 |fadd qword ptr ds:
00426516|. |DD5D D8 |fstp qword ptr ss:
00426519|. |DD45 D8 |fld qword ptr ss:
0042651C|. |E8 6AB2FDFF |call 周易起名.0040178B
00426521|. |48 |dec eax
00426522|. |79 0D |jns short 周易起名.00426531
00426524|. |68 04000000 |push 0x4
00426529|. |E8 06240000 |call 周易起名.00428934
0042652E|. |83C4 04 |add esp,0x4
00426531|> |59 |pop ecx ;0032A930
00426532|. |5B |pop ebx ;0032A930
00426533|. |3BC1 |cmp eax,ecx
00426535|. |7C 0D |jl short 周易起名.00426544
00426537|. |68 01000000 |push 0x1
0042653C|. |E8 F3230000 |call 周易起名.00428934
00426541|. |83C4 04 |add esp,0x4
00426544|> |03D8 |add ebx,eax
00426546|. |895D D4 |mov ,ebx
00426549|. |8B5D D4 |mov ebx,
0042654C|. |8A03 |mov al,byte ptr ds:
0042654E|. |8B5D EC |mov ebx,
00426551|. |8803 |mov byte ptr ds:,al
00426553|. |58 |pop eax ;0032A930
00426554|. |5B |pop ebx ;0032A930
00426555|. |59 |pop ecx ;0032A930
00426556|.^\E9 1DFFFFFF \jmp 周易起名.00426478
0042655B|>83C4 0C add esp,0xC
0042655E|.68 05000080 push 0x80000005
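This piece of code is not really important; it just converts the result shown in hexadecimal into its ASCII representation. Final registration code: 66D7F8E5B5B1EF0D094FD2595F0E2404
This is the classic text-comparison signature of Easy Language (易语言).
Conclusion: at this point the whole algorithm has been analyzed, and all that remains is writing the keygen. If anything is unclear, you can refer to my Easy Language source code, which I will package up for everyone. Writing the analysis article really is more tiring than doing the analysis itself. That's all; thank you for reading this far!!
Software download link: https://share.weiyun.com/cc0b5d3db8955efc71842cf4f13e5ddc (updated)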
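The OP made this too complicated...
Watch ***'s tutorial
Step 1
First, of course, check the packer; it's Easy Language
Load the software in OD
Step 2
CTRL+G 401000
Step 3
CTRL+F test edx,3 and set a breakpoint here with F2
Step 4: run the software with F9, 8 times in a row
When the software pops up, enter a fake code, click Register, and return to OD
Run 5 more times and the real code appears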
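Editing this post was really exhausting
OP, that wasn't easy! Very helpful.
I actually read the whole thing
Nice, very detailed
Thanks for sharing, OP; good work
I don't understand it, but I'll bump it anyway
Thanks for the hard work, OP! Very conscientious.
I read it all carefully. To be honest I didn't understand most of it, but it is written in great detail. Nice.
Kudos to the OP; I looked through it without really understanding it, but it seems impressive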