00408370 /$ 64:A1 0000000>mov eax,dword ptr fs:[0]
00408376 |. 6A FF push -0x1
00408378 |. 68 D8564500 push FolderPr.004556D8
0040837D |. 50 push eax
0040837E |. 64:8925 00000>mov dword ptr fs:[0],esp
00408385 |. 83EC 70 sub esp,0x70
00408388 |. 53 push ebx
00408389 |. 55 push ebp
0040838A |. 56 push esi ; FolderPr.0046A2A0
0040838B |. 8BB1 2C010000 mov esi,dword ptr ds:[ecx+0x12C]
00408391 |. 57 push edi ; FolderPr.0046A364
00408392 |. 8B4E F8 mov ecx,dword ptr ds:[esi-0x8]
00408395 |. 83F9 14 cmp ecx,0x14 ; 判断机器码是否为0x14位
00408398 |. 7E 05 jle
short
FolderPr.0040839F
0040839A |. B9 14000000 mov ecx,0x14
0040839F |> 33C0 xor eax,eax
004083A1 |. 85C9 test ecx,ecx ; FolderPr.0046A2A0
004083A3 |. 7E 11 jle
short
FolderPr.004083B6
004083A5 |> 8A1406 /mov dl,byte ptr ds:[esi+eax]
004083A8 |. 885404 14 |mov byte ptr ss:[esp+eax+0x14],dl ; 将机器码保存在临时变量里
004083AC |. 40 |inc eax
004083AD |. 3BC1 |cmp eax,ecx ; FolderPr.0046A2A0
004083AF |.^ 7C F4 \jl
short
FolderPr.004083A5
004083B1 |. 83F8 14 cmp eax,0x14
004083B4 |. 7D 0F jge
short
FolderPr.004083C5
004083B6 |> 8AC8 /mov cl,al
004083B8 |. 80C1 41 |add cl,0x41
004083BB |. 884C04 14 |mov byte ptr ss:[esp+eax+0x14],cl
004083BF |. 40 |inc eax
004083C0 |. 83F8 14 |cmp eax,0x14
004083C3 |.^ 7C F1 \jl
short
FolderPr.004083B6
004083C5 |> 8D5424 28 lea edx,dword ptr ss:[esp+0x28]
004083C9 |. 52 push edx
004083CA |. E8 716F0000 call FolderPr.0040F340 ; 初始化MD5
============================================================================================
0040F340处代码如下:
0040F340 /$ 8B4424 04 mov eax,dword ptr ss:[esp+0x4] ; FolderPr.0046A3D8
0040F344 |. 33C9 xor ecx,ecx ; FolderPr.0046A2A0
0040F346 |. 8948 14 mov dword ptr ds:[eax+0x14],ecx ; FolderPr.0046A2A0
0040F349 |. 8948 10 mov dword ptr ds:[eax+0x10],ecx ; FolderPr.0046A2A0
0040F34C |. C700 01234567 mov dword ptr ds:[eax],0x67452301
0040F352 |. C740 04 89ABC>mov dword ptr ds:[eax+0x4],0xEFCDAB89
0040F359 |. C740 08 FEDCB>mov dword ptr ds:[eax+0x8],0x98BADCFE
0040F360 |. C740 0C 76543>mov dword ptr ds:[eax+0xC],0x10325476
0040F367 \. C3 retn
var
int
h0 := 0x67452301
var
int
h1 := 0xEFCDAB89
var
int
h2 := 0x98BADCFE
var
int
h3 := 0x10325476
============================================================================================
004083CF |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
004083D3 |. 6A 14 push 0x14
004083D5 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
004083D9 |. 50 push eax
004083DA |. 51 push ecx ; FolderPr.0046A2A0
004083DB |. E8 906F0000 call FolderPr.0040F370
004083E0 |. 8D5424 38 lea edx,dword ptr ss:[esp+0x38]
004083E4 |. 8D4424 20 lea eax,dword ptr ss:[esp+0x20]
004083E8 |. 52 push edx
004083E9 |. 50 push eax
004083EA |. E8 F17E0000 call FolderPr.004102E0 ; 将机器码进行MD5加密
004083EF |. 83C4 18 add esp,0x18
004083F2 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+0x10] ; ecx=经MD5加密过的密码
004083F6 |. 33F6 xor esi,esi ; FolderPr.0046A2A0
004083F8 |. 8A01 mov al,byte ptr ds:[ecx] ; MD5加密后的密码第一位给机器码的第一位
004083FA |. 884424 14 mov byte ptr ss:[esp+0x14],al
004083FE |. 8A41 04 mov al,byte ptr ds:[ecx+0x4] ; MD5加密后的密码第五位给机器码的第五位
00408401 |. 884424 18 mov byte ptr ss:[esp+0x18],al
00408405 |. 8A41 06 mov al,byte ptr ds:[ecx+0x6] ; MD5加密后的密码第七位给机器码的第七位
00408408 |. 884424 1A mov byte ptr ss:[esp+0x1A],al
0040840C |. 8A51 0C mov dl,byte ptr ds:[ecx+0xC] ; MD5加密后的密码第十三位给机器码的第十三位
0040840F |. 885424 20 mov byte ptr ss:[esp+0x20],dl
00408413 |> 8A4434 14 /mov al,byte ptr ss:[esp+esi+0x14] ; 依次取经过处理后的机器码给al
00408417 |. 3C 30 |cmp al,0x30
00408419 |. 7C 0C |jl
short
FolderPr.00408427
0040841B |. 3C 39 |cmp al,0x39
0040841D |. 7F 08 |jg
short
FolderPr.00408427
0040841F |. B2 69 |mov dl,0x69 ; 当al在0x30和0x39之间时,0x69-al
00408421 |. 2AD0 |sub dl,al
00408423 |. 885434 14 |mov byte ptr ss:[esp+esi+0x14],dl ; 保存dl
00408427 |> 3C 41 |cmp al,0x41
00408429 |. 7C 0C |jl
short
FolderPr.00408437
0040842B |. 3C 5A |cmp al,0x5A
0040842D |. 7F 08 |jg
short
FolderPr.00408437
0040842F |. B2 9B |mov dl,0x9B ; 当al在0x41和0x5A之时间,0x9B-al
00408431 |. 2AD0 |sub dl,al
00408433 |. 885434 14 |mov byte ptr ss:[esp+esi+0x14],dl ; 保存dl
00408437 |> 3C 61 |cmp al,0x61
00408439 |. 7C 0C |jl
short
FolderPr.00408447
0040843B |. 3C 7A |cmp al,0x7A
0040843D |. 7F 08 |jg
short
FolderPr.00408447
0040843F |. B2 DB |mov dl,0xDB ; 当al在0x61和0x7A之时间,0xDB-al
00408441 |. 2AD0 |sub dl,al
00408443 |. 885434 14 |mov byte ptr ss:[esp+esi+0x14],dl ; 保存dl
00408447 |> 46 |inc esi ; FolderPr.0046A2A0
00408448 |. 83FE 14 |cmp esi,0x14
0040844B |.^ 7C C6 \jl
short
FolderPr.00408413
0040844D |. 8A5424 21 mov dl,byte ptr ss:[esp+0x21] ; 相互换位
00408451 |. 8A4424 15 mov al,byte ptr ss:[esp+0x15]
00408455 |. 885424 15 mov byte ptr ss:[esp+0x15],dl
00408459 |. 8A5424 1E mov dl,byte ptr ss:[esp+0x1E]
0040845D |. 884424 21 mov byte ptr ss:[esp+0x21],al
00408461 |. 8A4424 17 mov al,byte ptr ss:[esp+0x17]
00408465 |. 885424 17 mov byte ptr ss:[esp+0x17],dl
00408469 |. 8A5424 20 mov dl,byte ptr ss:[esp+0x20]
0040846D |. 8BAC24 900000>mov ebp,dword ptr ss:[esp+0x90]
00408474 |. 884424 1E mov byte ptr ss:[esp+0x1E],al
00408478 |. 8A4424 19 mov al,byte ptr ss:[esp+0x19]
0040847C |. 885424 19 mov byte ptr ss:[esp+0x19],dl
00408480 |. 8A5424 22 mov dl,byte ptr ss:[esp+0x22]
00408484 |. 884424 20 mov byte ptr ss:[esp+0x20],al
00408488 |. 8A4424 1B mov al,byte ptr ss:[esp+0x1B]
0040848C |. 885424 1B mov byte ptr ss:[esp+0x1B],dl
00408490 |. 8A5424 1C mov dl,byte ptr ss:[esp+0x1C]
00408494 |. 884424 1C mov byte ptr ss:[esp+0x1C],al
00408498 |. 885424 22 mov byte ptr ss:[esp+0x22],dl
0040849C |. 8BC5 mov eax,ebp
0040849E |. 8D5424 14 lea edx,dword ptr ss:[esp+0x14] ; edx=经过换位后的密码
004084A2 |. 33F6 xor esi,esi ; FolderPr.0046A2A0
004084A4 |. 2BC2 sub eax,edx
004084A6 |> 8D7C34 14 /lea edi,dword ptr ss:[esp+esi+0x14]
004084AA |. 33DB |xor ebx,ebx
004084AC |. 0FBE1438 |movsx edx,byte ptr ds:[eax+edi]
004084B0 |. 8A1F |mov bl,byte ptr ds:[edi]
004084B2 |. 3BD3 |cmp edx,ebx
004084B4 0F85 B8000000 |jnz FolderPr.00408572 ; 输入的注册码和密码比较,不等就跳
004084BA |. 46 |inc esi ; FolderPr.0046A2A0
004084BB |. 83FE 10 |cmp esi,0x10 ; 这里只比较0x10位
004084BE |.^ 7C E6 \jl
short
FolderPr.004084A6
004084C0 |. 8A41 1F mov al,byte ptr ds:[ecx+0x1F] ; MD5码的第0x1F位
004084C3 |. A2 F4664600 mov byte ptr ds:[0x4666F4],al ; 为真码的第0x11位
004084C8 |. 8A51 0F mov dl,byte ptr ds:[ecx+0xF] ; MD5码的第0xF位
004084CB |. 8815 F5664600 mov byte ptr ds:[0x4666F5],dl ; 为真码的第0x12位
004084D1 |. 8A59 07 mov bl,byte ptr ds:[ecx+0x7] ; MD5码的第0x7位
004084D4 |. 881D 5C694600 mov byte ptr ds:[0x46695C],bl ; 为真码的第0x13位
004084DA |. 8A49 03 mov cl,byte ptr ds:[ecx+0x3] ; MD5码的第0x3位
004084DD |. 3C 61 cmp al,0x61
004084DF |. 880D 5D694600 mov byte ptr ds:[0x46695D],cl ; 为真码的第0x14位
004084E5 |. 72 0B jb
short
FolderPr.004084F2
004084E7 |. 3C 7A cmp al,0x7A
004084E9 |. 77 07 ja
short
FolderPr.004084F2
004084EB |. 2C 20 sub al,0x20 ; 如果真码的第0x11位们于0x61和0x7A之间,刚减去0x20,然后再保存
004084ED |. A2 F4664600 mov byte ptr ds:[0x4666F4],al ; %&
004084F2 |> 80FA 61 cmp dl,0x61
004084F5 |. 72 0E jb
short
FolderPr.00408505
004084F7 |. 80FA 7A cmp dl,0x7A
004084FA |. 77 09 ja
short
FolderPr.00408505
004084FC |. 80EA 20 sub dl,0x20 ; 如果真码的第0x12位们于0x61和0x7A之间,刚减去0x20,然后再保存
004084FF |. 8815 F5664600 mov byte ptr ds:[0x4666F5],dl ; &
00408505 |> 80FB 61 cmp bl,0x61
00408508 |. 72 0E jb
short
FolderPr.00408518
0040850A |. 80FB 7A cmp bl,0x7A
0040850D |. 77 09 ja
short
FolderPr.00408518
0040850F |. 80EB 20 sub bl,0x20 ; 如果真码的第0x13位们于0x61和0x7A之间,刚减去0x20,然后再保存
00408512 |. 881D 5C694600 mov byte ptr ds:[0x46695C],bl ; '(
00408518 |> 80F9 61 cmp cl,0x61
0040851B |. 72 0E jb
short
FolderPr.0040852B
0040851D |. 80F9 7A cmp cl,0x7A
00408520 |. 77 09 ja
short
FolderPr.0040852B
00408522 |. 80E9 20 sub cl,0x20 ; 如果真码的第0x14位们于0x61和0x7A之间,刚减去0x20,然后再保存
00408525 |. 880D 5D694600 mov byte ptr ds:[0x46695D],cl ; (
0040852B |> 0FBE45 10 movsx eax,byte ptr ss:[ebp+0x10]
0040852F |. 8B15 F4664600 mov edx,dword ptr ds:[0x4666F4] ; %&
00408535 |. 81E2 FF000000 and edx,0xFF
0040853B |. 3BD0 cmp edx,eax ; 比较第0x11位
0040853D |. 75 4B jnz
short
FolderPr.0040858A
0040853F |. 0FBE45 11 movsx eax,byte ptr ss:[ebp+0x11]
00408543 |. 33D2 xor edx,edx
00408545 |. 8A15 F5664600 mov dl,byte ptr ds:[0x4666F5] ; &
0040854B |. 3BD0 cmp edx,eax ; 比较第0x12位
0040854D |. 75 3B jnz
short
FolderPr.0040858A
0040854F |. 0FBE45 12 movsx eax,byte ptr ss:[ebp+0x12]
00408553 |. 33D2 xor edx,edx
00408555 |. 8A15 5C694600 mov dl,byte ptr ds:[0x46695C] ; '(
0040855B |. 3BD0 cmp edx,eax ; 比较第0x13位
0040855D |. 75 2B jnz
short
FolderPr.0040858A
0040855F |. 0FBE45 13 movsx eax,byte ptr ss:[ebp+0x13]
00408563 |. 33D2 xor edx,edx
00408565 |. 8AD1 mov dl,cl
00408567 |. 3BD0 cmp edx,eax ; 比较第0x14位
00408569 |. 75 1F jnz
short
FolderPr.0040858A
0040856B |. BE 01000000 mov esi,0x1 ; 验证通过,esi=1
00408570 |. EB 1A jmp
short
FolderPr.0040858C
00408572 |> 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
00408576 |. C78424 880000>mov dword ptr ss:[esp+0x88],-0x1
00408581 |. E8 A8D10000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
00408586 |. 33C0 xor eax,eax
00408588 |. EB 18 jmp
short
FolderPr.004085A2
0040858A |> 33F6 xor esi,esi ; FolderPr.0046A2A0
0040858C |> 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
00408590 |. C78424 880000>mov dword ptr ss:[esp+0x88],-0x1
0040859B |. E8 8ED10000 call <jmp.&MFC42.#??1CString@@QAE@XZ_800>
004085A0 |. 8BC6 mov eax,esi ; FolderPr.0046A2A0
004085A2 |> 8B8C24 800000>mov ecx,dword ptr ss:[esp+0x80]
004085A9 |. 5F pop edi ; FolderPr.00407BAC
004085AA |. 5E pop esi ; FolderPr.00407BAC
004085AB |. 5D pop ebp ; FolderPr.00407BAC
004085AC |. 5B pop ebx ; FolderPr.00407BAC
004085AD |. 64:890D 00000>mov dword ptr fs:[0],ecx ; FolderPr.0046A2A0
004085B4 |. 83C4 7C add esp,0x7C
004085B7 \. C2 0400 retn 0x4