关于非明码对比的追码算法求助

隐藏英雄

遇到一款软件，我已经爆破了，但是想追码，追了好久感觉有点无力，这个软件首先会对注册码逐个字符进行验证，中途只要一个字符错误就直接报码长度错误了。期中真实的注册码与电脑的时间，输入的用户名等各种因素进行取值，作为真码的一部分
我对算法又不太懂。看看哪位帮我，给我大概的方法，谢谢了
分析过程如下

[Asm] 纯文本查看 复制代码

1001C90A    55              push ebp                                 ; 这里开始对注册码进行计算和比对
1001C90B    8BEC            mov ebp,esp
1001C90D    6A FF           push -0x1
1001C90F    68 C1980410     push KeyPro.100498C1
1001C914    64:A1 00000000  mov eax,dword ptr fs:[0]
1001C91A    50              push eax
1001C91B    64:8925 0000000>mov dword ptr fs:[0],esp
1001C922    83EC 70         sub esp,0x70
1001C925    894D C4         mov dword ptr ss:[ebp-0x3C],ecx
1001C928    6A 01           push 0x1
1001C92A    8B4D C4         mov ecx,dword ptr ss:[ebp-0x3C]
1001C92D    E8 9A8D0200     call <jmp.&MFC42.#6334>                  ; 取了用户名
1001C932    8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
1001C935    E8 528B0200     call <jmp.&MFC42.#540>
1001C93A    C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
1001C941    8B45 C4         mov eax,dword ptr ss:[ebp-0x3C]
1001C944    83C0 74         add eax,0x74
1001C947    50              push eax
1001C948    8B4D C4         mov ecx,dword ptr ss:[ebp-0x3C]
1001C94B    83C1 70         add ecx,0x70
1001C94E    51              push ecx
1001C94F    8B55 C4         mov edx,dword ptr ss:[ebp-0x3C]
1001C952    83C2 6C         add edx,0x6C
1001C955    52              push edx                                 ; KeyPro.1001C90A
1001C956    8B45 C4         mov eax,dword ptr ss:[ebp-0x3C]
1001C959    83C0 68         add eax,0x68
1001C95C    50              push eax
1001C95D    8D4D E4         lea ecx,dword ptr ss:[ebp-0x1C]
1001C960    51              push ecx
1001C961    E8 928B0200     call <jmp.&MFC42.#922>                   ; 取时间和注册码
1001C966    8945 C0         mov dword ptr ss:[ebp-0x40],eax
1001C969    8B55 C0         mov edx,dword ptr ss:[ebp-0x40]
1001C96C    8955 BC         mov dword ptr ss:[ebp-0x44],edx          ; KeyPro.1001C90A
1001C96F    C645 FC 01      mov byte ptr ss:[ebp-0x4],0x1
1001C973    8B45 BC         mov eax,dword ptr ss:[ebp-0x44]
1001C976    50              push eax
1001C977    8D4D E0         lea ecx,dword ptr ss:[ebp-0x20]
1001C97A    51              push ecx
1001C97B    E8 788B0200     call <jmp.&MFC42.#922>                   ; 码长度已经报错
1001C980    8945 B8         mov dword ptr ss:[ebp-0x48],eax
1001C983    8B55 B8         mov edx,dword ptr ss:[ebp-0x48]
1001C986    8955 B4         mov dword ptr ss:[ebp-0x4C],edx          ; KeyPro.1001C90A
1001C989    C645 FC 02      mov byte ptr ss:[ebp-0x4],0x2
1001C98D    8B45 B4         mov eax,dword ptr ss:[ebp-0x4C]
1001C990    50              push eax
1001C991    8D4D DC         lea ecx,dword ptr ss:[ebp-0x24]
1001C994    51              push ecx
1001C995    E8 5E8B0200     call <jmp.&MFC42.#922>
1001C99A    8945 B0         mov dword ptr ss:[ebp-0x50],eax
1001C99D    8B55 B0         mov edx,dword ptr ss:[ebp-0x50]
1001C9A0    8955 AC         mov dword ptr ss:[ebp-0x54],edx          ; KeyPro.1001C90A
1001C9A3    C645 FC 03      mov byte ptr ss:[ebp-0x4],0x3
1001C9A7    8B45 AC         mov eax,dword ptr ss:[ebp-0x54]          ; mfc42.66F4DBBC
1001C9AA    50              push eax
1001C9AB    8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
1001C9AE    E8 F78A0200     call <jmp.&MFC42.#858>                   ; 取了完整注册码
1001C9B3    C645 FC 02      mov byte ptr ss:[ebp-0x4],0x2
1001C9B7    8D4D DC         lea ecx,dword ptr ss:[ebp-0x24]
1001C9BA    E8 C78A0200     call <jmp.&MFC42.#800>
1001C9BF    C645 FC 01      mov byte ptr ss:[ebp-0x4],0x1
1001C9C3    8D4D E0         lea ecx,dword ptr ss:[ebp-0x20]
1001C9C6    E8 BB8A0200     call <jmp.&MFC42.#800>                   ; 这里给了一个P
1001C9CB    C645 FC 00      mov byte ptr ss:[ebp-0x4],0x0
1001C9CF    8D4D E4         lea ecx,dword ptr ss:[ebp-0x1C]
1001C9D2    E8 AF8A0200     call <jmp.&MFC42.#800>                   ; 这里也是一个P
1001C9D7    51              push ecx
1001C9D8    8BCC            mov ecx,esp
1001C9DA    8965 D8         mov dword ptr ss:[ebp-0x28],esp
1001C9DD    8D55 E8         lea edx,dword ptr ss:[ebp-0x18]
1001C9E0    52              push edx                                 ; KeyPro.1001C90A
1001C9E1    E8 E28A0200     call <jmp.&MFC42.#535>
1001C9E6    8945 A8         mov dword ptr ss:[ebp-0x58],eax
1001C9E9    6A 00           push 0x0
1001C9EB    E8 33EFFEFF     call KeyPro.1000B923
1001C9F0    83C4 08         add esp,0x8
1001C9F3    8945 A4         mov dword ptr ss:[ebp-0x5C],eax
1001C9F6    8B45 A4         mov eax,dword ptr ss:[ebp-0x5C]
1001C9F9    8945 EC         mov dword ptr ss:[ebp-0x14],eax
1001C9FC    837D EC 01      cmp dword ptr ss:[ebp-0x14],0x1
1001CA00    74 4F           je short KeyPro.1001CA51                 ; 关键跳转
1001CA02    6A 00           push 0x0
1001CA04    6A 00           push 0x0
1001CA06    8B4D EC         mov ecx,dword ptr ss:[ebp-0x14]
1001CA09    51              push ecx
1001CA0A    8D55 D4         lea edx,dword ptr ss:[ebp-0x2C]
1001CA0D    52              push edx                                 ; KeyPro.1001C90A
1001CA0E    E8 762C0000     call KeyPro.1001F689                     ; 这里进去给到长度报错模块
1001CA13    83C4 08         add esp,0x8
1001CA16    8945 A0         mov dword ptr ss:[ebp-0x60],eax
1001CA19    8B45 A0         mov eax,dword ptr ss:[ebp-0x60]          ; mfc42.66F4DBA0
1001CA1C    8945 9C         mov dword ptr ss:[ebp-0x64],eax
1001CA1F    C645 FC 04      mov byte ptr ss:[ebp-0x4],0x4
1001CA23    8B4D 9C         mov ecx,dword ptr ss:[ebp-0x64]
1001CA26    E8 9583FEFF     call KeyPro.10004DC0
1001CA2B    50              push eax
1001CA2C    E8 E58A0200     call <jmp.&MFC42.#1200>                  ; 长度不正确
1001CA31    C645 FC 00      mov byte ptr ss:[ebp-0x4],0x0
1001CA35    8D4D D4         lea ecx,dword ptr ss:[ebp-0x2C]
1001CA38    E8 498A0200     call <jmp.&MFC42.#800>
1001CA3D    C745 FC FFFFFFF>mov dword ptr ss:[ebp-0x4],-0x1
1001CA44    8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]

以上是我的分析部分内容，不知道是否违规，违规的话请版主删除，别关我小黑屋，我后期重新附上更详细的分析过程进行提问，谢谢了
下面附上软件 欢迎大家踊跃测试。

https://wwot.lanzouw.com/i22q90ijkdyf

无闻无问

搞算法用ida，f5…

隐藏英雄

有大佬下载看看嘛