本帖最后由 pendan2001 于 2016-6-30 20:03 编辑
【文章标题】:Macromedia FLASH 4.0简体中文正式版序列号分析
【软件名称】: Macromedia FLASH 4.0简体中文正式版
【下载地址】: 自己找吧
【使用工具】: OD等
【操作平台】:Winxp
【软件介绍】: 一看就明白干什么的。
【 声 明】: 仅为算法研究,勿作它途。
这个现在都是古董了,很多年前写的,没什么技术含量,写得不好别笑我。当时没留截图,大家凑合着看吧。
00603FC0 . 837D 8C 00 cmp dword ptr [ebp-74], 0////这里下断点,F9运行后断在这里
00603FC4 . 74 39 je short 00603FFF
00603FC6 . 8B45 8C mov eax, dword ptr [ebp-74]
00603FC9 . 83B8 8C230000>cmp dword ptr [eax+238C], 0
00603FD0 . 74 07 je short 00603FD9
00603FD2 . 8BC8 mov ecx, eax
00603FD4 . E8 8777FFFF call 005FB760
00603FD9 > 8B45 8C mov eax, dword ptr [ebp-74]
00603FDC . 83B8 88230000>cmp dword ptr [eax+2388], 0
00603FE3 . 74 07 je short 00603FEC
00603FE5 . 8BC8 mov ecx, eax
00603FE7 . E8 147FFFFF call 005FBF00
00603FEC > 8B45 8C mov eax, dword ptr [ebp-74]
00603FEF . 83B8 94230000>cmp dword ptr [eax+2394], 0
00603FF6 . 74 07 je short 00603FFF
00603FF8 . 8BC8 mov ecx, eax
00603FFA . E8 617CFFFF call 005FBC60
00603FFF > 8B45 F0 mov eax, dword ptr [ebp-10]
00604002 . 05 CC010000 add eax, 1CC
00604007 . 8338 00 cmp dword ptr [eax], 0
0060400A . 75 0F jnz short 0060401B
0060400C . 6A 00 push 0 ; /Reserved = 0
0060400E . 6A 10 push 10 ; |Flags = APPCLASS_STANDARD|APPCMD_CLIENTONLY
00604010 . 68 B0306000 push 006030B0 ; |Callback = Flash.006030B0
00604015 . 50 push eax ; |pInstID
00604016 . E8 3182F5FF call <jmp.&USER32.DdeInitializeA> ; \DdeInitializeA
往上看,找个合适地方下断点
0060401E . E8 4D060000 call 00604670//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
00604023 . 85C0 test eax, eax
00604025 . 75 11 jnz short 00604038
00604670 $ 64:A1 0000000>mov eax, dword ptr fs:[0]
00604676 . 55 push ebp
00604677 . 8BEC mov ebp, esp
00604679 . 6A FF push -1
0060467B . 68 6C496000 push 0060496C
00604680 . 50 push eax
00604681 . 64:8925 00000>mov dword ptr fs:[0], esp
00604688 . 81EC EC010000 sub esp, 1EC
0060468E . 894D EC mov dword ptr [ebp-14], ecx
00604691 . 53 push ebx
00604692 . 56 push esi
00604693 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00604696 . 57 push edi
00604697 . 33DB xor ebx, ebx
00604699 . E8 A53DF6FF call 00568443
0060469E . 68 8A020000 push 28A
006046A3 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
006046A6 . 895D FC mov dword ptr [ebp-4], ebx
006046A9 . E8 5745F6FF call 00568C05
006046AE . 8B45 E4 mov eax, dword ptr [ebp-1C]
006046B1 . 68 C02E6E00 push 006E2EC0 ; ASCII "yes"
006046B6 . 50 push eax
006046B7 . E8 A471F4FF call 0054B860
006046BC . 83C4 08 add esp, 8
006046BF . 83F8 01 cmp eax, 1
006046C2 . 1BC0 sbb eax, eax
006046C4 . 8B4D EC mov ecx, dword ptr [ebp-14]
006046C7 . F7D8 neg eax
006046C9 . 53 push ebx
006046CA . 8945 DC mov dword ptr [ebp-24], eax
006046CD . 68 B42E6E00 push 006E2EB4 ; ASCII "Register"
006046D2 . 68 A42E6E00 push 006E2EA4 ; ASCII "Registration"
006046D7 . E8 E4FBFFFF call 006042C0
006046DC . 53 push ebx
006046DD . 8D4D E0 lea ecx, dword ptr [ebp-20]
006046E0 . 68 942E6E00 push 006E2E94 ; ASCII "Serial Number"
006046E5 . 8945 F0 mov dword ptr [ebp-10], eax
006046E8 . 68 A42E6E00 push 006E2EA4 ; ASCII "Registration"
006046ED . 51 push ecx
006046EE . 8B4D EC mov ecx, dword ptr [ebp-14]
006046F1 . E8 DAFCFFFF call 006043D0
006046F6 . B9 FFFFFFFF mov ecx, -1
006046FB . 2BC0 sub eax, eax
006046FD . C645 FC 01 mov byte ptr [ebp-4], 1
00604701 . 8B7D E0 mov edi, dword ptr [ebp-20]
00604704 . F2:AE repne scas byte ptr es:[edi]
00604706 . F7D1 not ecx
00604708 . 2BF9 sub edi, ecx
0060470A . 8BC1 mov eax, ecx
0060470C . C1E9 02 shr ecx, 2
0060470F . 8BF7 mov esi, edi
00604711 . 8DBD 08FEFFFF lea edi, dword ptr [ebp-1F8]
00604717 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00604719 . 8BC8 mov ecx, eax
0060471B . 83E1 03 and ecx, 3
0060471E . F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00604720 . 8D8D 08FEFFFF lea ecx, dword ptr [ebp-1F8]
00604726 . 51 push ecx
00604727 . E8 84FBFFFF call 006042B0
0060472C . 83C4 04 add esp, 4
0060472F . 8945 E8 mov dword ptr [ebp-18], eax
00604732 . 3BC3 cmp eax, ebx
00604734 . 0F85 4D010000 jnz 00604887
0060473A . 53 push ebx
0060473B . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
00604741 . E8 7AC4E5FF call 00460BC0
00604746 . 68 8C2E6E00 push 006E2E8C ; ASCII "FLW400-"
0060474B . 8D4D C8 lea ecx, dword ptr [ebp-38]
0060474E . C645 FC 02 mov byte ptr [ebp-4], 2
00604752 . E8 943FF6FF call 005686EB
00604757 . 899D 64FFFFFF mov dword ptr [ebp-9C], ebx
0060475D . 895D E8 mov dword ptr [ebp-18], ebx
00604760 > 83BD 64FFFFFF>cmp dword ptr [ebp-9C], 5
00604767 . 0F8D 0A010000 jge 00604877
0060476D . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
00604773 . E8 9847E2FF call 00428F10//跳出注册窗口,输入注册信息后,点“确定”后,继续往下
00604778 . 83F8 01 cmp eax, 1
0060477B . 74 0F je short 0060478C
0060477D . C785 64FFFFFF>mov dword ptr [ebp-9C], 5
00604787 . E9 DB000000 jmp 00604867
0060478C > 8B7D C8 mov edi, dword ptr [ebp-38]//(ASCII "FLW400-12345-67890-54321")
0060478F . B9 FFFFFFFF mov ecx, -1
00604794 . 2BC0 sub eax, eax
00604796 . F2:AE repne scas byte ptr es:[edi]
00604798 . F7D1 not ecx
0060479A . 2BF9 sub edi, ecx
0060479C . 8BC1 mov eax, ecx
0060479E . C1E9 02 shr ecx, 2
006047A1 . 8BF7 mov esi, edi
006047A3 . 8DBD 08FEFFFF lea edi, dword ptr [ebp-1F8]
006047A9 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
006047AB . 8BC8 mov ecx, eax
006047AD . 83E1 03 and ecx, 3
006047B0 . F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
006047B2 . 8D8D 08FEFFFF lea ecx, dword ptr [ebp-1F8]
006047B8 . 51 push ecx//(ASCII "FLW400-12345-67890-54321")
006047B9 . E8 F2FAFFFF call 006042B0//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
006047BE . 83C4 04 add esp, 4
006047C1 . 8945 E8 mov dword ptr [ebp-18], eax
006047C4 . 85C0 test eax, eax
006047C6 . 75 31 jnz short 006047F9//不跳就over了。
006047C8 . 8D4D F0 lea ecx, dword ptr [ebp-10]
006047CB . E8 733CF6FF call 00568443
006047D0 . 68 7F020000 push 27F
006047D5 . 8D4D F0 lea ecx, dword ptr [ebp-10]
006047D8 . C645 FC 03 mov byte ptr [ebp-4], 3
006047DC . E8 2444F6FF call 00568C05
006047E1 . 6A 00 push 0/////(ASCII "Required Information",LF,LF,"This Macromedia product cannot run without your name and serial number. ")
________________________________________________
; 006042B0 -- thin forwarding wrapper around 00454760 (OllyDbg listing, 32-bit x86, Intel syntax).
; In:   [esp+4] = the single stack argument; at the call site 006047B9 the caller passes
;       the address of its local copy of the entered serial string.
; Work: pushes a constant 0 and then that argument, calls 00454760, and removes the
;       two pushed dwords again.
; Out:  eax is returned exactly as 00454760 left it.
; Note: ends in a plain retn, so the argument of this wrapper is left for the caller to clean up.
006042B0 /$ 8B4424 04 mov eax, dword ptr [esp+4]
006042B4 |. 6A 00 push 0
006042B6 |. 50 push eax
006042B7 |. E8 A404E5FF call 00454760//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
006042BC |. 83C4 08 add esp, 8
006042BF \. C3 retn
........
0045478D |. 52 push edx//(ASCII "FLW400-12345-67890-54321")
0045478E |. E8 CD000000 call 00454860//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@
_________________________________
00454860 /$ 83EC 3C sub esp, 3C
00454863 |. B8 07000000 mov eax, 7
00454868 |. 884424 1C mov byte ptr [esp+1C], al
0045486C |. 53 push ebx
0045486D |. C64424 21 10 mov byte ptr [esp+21], 10
00454872 |. C64424 22 0F mov byte ptr [esp+22], 0F
00454877 |. C64424 23 16 mov byte ptr [esp+23], 16
0045487C |. 56 push esi
0045487D |. 57 push edi
0045487E |. C64424 2C 15 mov byte ptr [esp+2C], 15
00454883 |. C64424 2D 18 mov byte ptr [esp+2D], 18
00454888 |. C64424 2E 14 mov byte ptr [esp+2E], 14
0045488D |. BB 03000000 mov ebx, 3
00454892 |. B9 04000000 mov ecx, 4
00454897 |. 885C24 10 mov byte ptr [esp+10], bl
0045489B |. 884C24 14 mov byte ptr [esp+14], cl
0045489F |. C64424 2F 17 mov byte ptr [esp+2F], 17
004548A4 |. C64424 11 0B mov byte ptr [esp+11], 0B
004548A9 |. C64424 12 12 mov byte ptr [esp+12], 12
004548AE |. C64424 13 11 mov byte ptr [esp+13], 11
004548B3 |. 33D2 xor edx, edx
004548B5 |. 884424 40 mov byte ptr [esp+40], al
004548B9 |. C64424 15 09 mov byte ptr [esp+15], 9
004548BE |. C64424 16 0A mov byte ptr [esp+16], 0A
004548C3 |. 8D4424 41 lea eax, dword ptr [esp+41]
004548C7 |. 885C24 34 mov byte ptr [esp+34], bl
004548CB |. C64424 17 0C mov byte ptr [esp+17], 0C
004548D0 |. C64424 18 0E mov byte ptr [esp+18], 0E
004548D5 |. 8910 mov dword ptr [eax], edx
004548D7 |. 884C24 38 mov byte ptr [esp+38], cl
004548DB |. 66:8950 04 mov word ptr [eax+4], dx
004548DF |. 8B7424 4C mov esi, dword ptr [esp+4C]
004548E3 |. 8BFE mov edi, esi
004548E5 |. B9 FFFFFFFF mov ecx, -1
004548EA |. 8850 06 mov byte ptr [eax+6], dl
004548ED |. 895424 39 mov dword ptr [esp+39], edx
004548F1 |. 8D4424 35 lea eax, dword ptr [esp+35]
004548F5 |. 66:8910 mov word ptr [eax], dx
004548F8 |. 8850 02 mov byte ptr [eax+2], dl
004548FB |. 2BC0 sub eax, eax
004548FD |. F2:AE repne scas byte ptr es:[edi]
004548FF |. F7D1 not ecx
00454901 |. 49 dec ecx
00454902 |. 83F9 18 cmp ecx, 18//序列号是否是24位
00454905 |. 0F85 AC010000 jnz 00454AB7
0045490B |. 807E 06 2D cmp byte ptr [esi+6], 2D//第7位是否是“-”
0045490F |. 0F85 A2010000 jnz 00454AB7
00454915 |. 807E 0C 2D cmp byte ptr [esi+C], 2D//第13位是否是“-”
00454919 |. 0F85 98010000 jnz 00454AB7
0045491F |. 807E 12 2D cmp byte ptr [esi+12], 2D//第19位是否是“-”
00454923 |. 0F85 8E010000 jnz 00454AB7
00454929 |. 66:B9 0100 mov cx, 1
0045492D |> 0FBFC1 /movsx eax, cx
00454930 |. 66:41 |inc cx
00454932 |. 0FBE5404 28 |movsx edx, byte ptr [esp+eax+28]
00454937 |. 66:83F9 07 |cmp cx, 7
0045493B |. 8A5432 FF |mov dl, byte ptr [edx+esi-1]//依次取序列号第16位8,第15位7,第22位3,第21位4,第24位1,第20位5,第23位2,即8734152
0045493F |. 885404 3F |mov byte ptr [esp+eax+3F], dl
00454943 |.^ 7E E8 \jle short 0045492D
00454945 |. 66:B9 0100 mov cx, 1
00454949 |> 0FBFC1 /movsx eax, cx
0045494C |. 66:41 |inc cx
0045494E |. 0FBE5404 10 |movsx edx, byte ptr [esp+eax+10]
00454953 |. 66:83F9 03 |cmp cx, 3
00454957 |. 8A5432 FF |mov dl, byte ptr [edx+esi-1]//依次取序列号第11位4,第18位0,第17位9,即409
0045495B |. 885404 33 |mov byte ptr [esp+eax+33], dl
0045495F |.^ 7E E8 \jle short 00454949
00454961 |. 66:B9 0100 mov cx, 1
00454965 |> 0FBFC1 /movsx eax, cx
00454968 |. 66:41 |inc cx
0045496A |. 0FBE5404 14 |movsx edx, byte ptr [esp+eax+14]
0045496F |. 66:83F9 04 |cmp cx, 4
00454973 |. 8A5432 FF |mov dl, byte ptr [edx+esi-1]//依次取序列号第9位2,第10位3,第12位5,第14位6,即2356,16进制值为934
00454977 |. 885404 37 |mov byte ptr [esp+eax+37], dl
0045497B |.^ 7E E8 \jle short 00454965
0045497D |. 8D4424 20 lea eax, dword ptr [esp+20]
00454981 |. 8D4C24 40 lea ecx, dword ptr [esp+40]
00454985 |. 50 push eax
00454986 |. 68 A8F96D00 push 006DF9A8
0045498B |. 51 push ecx//ecx=0013F96C, (ASCII "8734152")
0045498C |. E8 0F510F00 call 00549AA0
00454991 |. 8D4C24 30 lea ecx, dword ptr [esp+30]
00454995 |. 8D5424 40 lea edx, dword ptr [esp+40]
00454999 |. 83C4 0C add esp, 0C
0045499C |. 51 push ecx
0045499D |. 68 A8F96D00 push 006DF9A8
004549A2 |. 52 push edx//edx=0013F960, (ASCII "409")
004549A3 |. E8 F8500F00 call 00549AA0
004549A8 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
004549AC |. 8D5424 44 lea edx, dword ptr [esp+44]
004549B0 |. 83C4 0C add esp, 0C
004549B3 |. 8D7E 03 lea edi, dword ptr [esi+3]
004549B6 |. 51 push ecx
004549B7 |. 68 A8F96D00 push 006DF9A8
004549BC |. 52 push edx//edx=0013F964, (ASCII "2356")
004549BD |. E8 DE500F00 call 00549AA0
004549C2 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
004549C6 |. 83C4 0C add esp, 0C
004549C9 |. 33DB xor ebx, ebx
004549CB |. 6A 03 push 3
004549CD |. 57 push edi
004549CE |. 51 push ecx
004549CF |. E8 FC7E0F00 call 0054C8D0
004549D4 |. 8D4424 3C lea eax, dword ptr [esp+3C]
004549D8 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
004549DC |. 885C24 2B mov byte ptr [esp+2B], bl
004549E0 |. 83C4 0C add esp, 0C
004549E3 |. 50 push eax
004549E4 |. 68 A8F96D00 push 006DF9A8
004549E9 |. 51 push ecx//ecx=0013F948, (ASCII "400")
004549EA |. E8 B1500F00 call 00549AA0
004549EF |. 8D4C24 28 lea ecx, dword ptr [esp+28]
004549F3 |. 83C4 0C add esp, 0C
004549F6 |. 6A 02 push 2
004549F8 |. 57 push edi
004549F9 |. 51 push ecx//ecx=0013F948, (ASCII "400")
004549FA |. E8 D17E0F00 call 0054C8D0
004549FF |. 8D4C24 34 lea ecx, dword ptr [esp+34]
00454A03 |. 8D5424 28 lea edx, dword ptr [esp+28]
00454A07 |. 885C24 2A mov byte ptr [esp+2A], bl
00454A0B |. 83C4 0C add esp, 0C
00454A0E |. 51 push ecx
00454A0F |. 68 A8F96D00 push 006DF9A8
00454A14 |. 52 push edx//ecx=0013F948, (ASCII "40")
00454A15 |. E8 86500F00 call 00549AA0
00454A1A |. 8D5424 1A lea edx, dword ptr [esp+1A]
00454A1E |. 83C4 0C add esp, 0C
00454A21 |. 8D4E 07 lea ecx, dword ptr [esi+7]
00454A24 |. 6A 01 push 1
00454A26 |. 51 push ecx
00454A27 |. 52 push edx
00454A28 |. E8 A37E0F00 call 0054C8D0
00454A2D |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00454A31 |. 885C24 1B mov byte ptr [esp+1B], bl
00454A35 |. 83C4 0C add esp, 0C
00454A38 |. 51 push ecx
00454A39 |. 8D5424 12 lea edx, dword ptr [esp+12]
00454A3D |. 68 A8F96D00 push 006DF9A8
00454A42 |. 52 push edx
00454A43 |. E8 58500F00 call 00549AA0
00454A48 |. 8B4C24 3C mov ecx, dword ptr [esp+3C]
00454A4C |. 8B5424 30 mov edx, dword ptr [esp+30]
00454A50 |. 8B4424 1C mov eax, dword ptr [esp+1C]
00454A54 |. 83C4 0C add esp, 0C
00454A57 |. 51 push ecx//将400转化为16进制190
00454A58 |. 52 push edx//将409转化为16进制199
00454A59 |. 8B4C24 28 mov ecx, dword ptr [esp+28]
00454A5D |. 50 push eax
00454A5E |. 51 push ecx//将8734152转化为16进制8545C8
00454A5F |. E8 BC000000 call 00454B20//@@@@@@@@@@@@@@@@ F7 @@@@@@@@@@@@@@@@算法核心
___________________________________________
; 00454B20 -- check-value routine; the author marks the call at 00454A5F as the core of the algorithm.
; Listing: OllyDbg, 32-bit x86, Intel syntax. All numbers in the trailing // comments are
; hexadecimal values from the author's debugging session with the sample serial; they are
; trace values, not properties of the code.
; In (stack, plain retn so nothing is popped here):
;   arg1 = [entry esp+4]  -> esi
;   arg2 = [entry esp+8]  -> read as [esp+3C] once the four registers are pushed
;   arg3 = [entry esp+C]  -> edi
;   arg4 = [entry esp+10] -> ebx (until ebx is reused at 00454BD6)
; Work: signed divisions of the arguments by powers of ten fill the locals, then four
;   weighted sums of those quotients and the arguments are each reduced modulo 0A.
;   The four remainders are folded into ebx as decimal digits (x5 then x2 = x10 per step).
; Out:  eax = r1*1000 + r2*100 + r3*10 + r4, where r1..r4 are the four remainders in order.
; Regs: ebx, esi, edi, ebp are saved on entry and restored before retn; 24h bytes of locals.
; Review note: per the caller's annotations every argument is derived from the serial itself,
;   and every other operand here is an immediate, so the check contains no secret value --
;   anyone who can read this routine can recompute its result.
00454B20 /$ 83EC 24 sub esp, 24 //reserve 24h bytes of locals
00454B23 |. B9 A0860100 mov ecx, 186A0 //constant 186A0 (100000 decimal)
00454B28 |. 53 push ebx
00454B29 |. 56 push esi
00454B2A |. 8B7424 30 mov esi, dword ptr [esp+30] //esi = arg1
00454B2E |. 57 push edi
00454B2F |. 55 push ebp
00454B30 |. 8BC6 mov eax, esi
00454B32 |. BB 0A000000 mov ebx, 0A //constant 0A (10 decimal)
00454B37 |. 8B7C24 40 mov edi, dword ptr [esp+40] //edi = arg3
00454B3B |. 99 cdq
00454B3C |. F7F9 idiv ecx //8545C8 / 186A0 = 57, remainder 8568
00454B3E |. 894424 28 mov dword ptr [esp+28], eax //[esp+28] = arg1 / 100000
00454B42 |. 8BC7 mov eax, edi
00454B44 |. 99 cdq
00454B45 |. F7FB idiv ebx //199 / 0A = 28, remainder 9
00454B47 |. 8BC8 mov ecx, eax //ecx = arg3 / 10
00454B49 |. BB 64000000 mov ebx, 64 //constant 64 (100 decimal)
00454B4E |. 8BC6 mov eax, esi
00454B50 |. BD 0A000000 mov ebp, 0A //constant 0A (10 decimal)
00454B55 |. 99 cdq
00454B56 |. F7FB idiv ebx //8545C8 / 64 = 1552D, remainder 34
00454B58 |. BB E8030000 mov ebx, 3E8 //constant 3E8 (1000 decimal)
00454B5D |. 894424 20 mov dword ptr [esp+20], eax //[esp+20] = arg1 / 100
00454B61 |. 8BC6 mov eax, esi
00454B63 |. 99 cdq
00454B64 |. F7FD idiv ebp //8545C8 / 0A = D53C7, remainder 2
00454B66 |. BD 10270000 mov ebp, 2710 //constant 2710 (10000 decimal)
00454B6B |. 894424 10 mov dword ptr [esp+10], eax //[esp+10] = arg1 / 10
00454B6F |. 8BC6 mov eax, esi //EAX=8545C8
00454B71 |. 99 cdq
00454B72 |. F7FB idiv ebx //8545C8 / 3E8 = 221E, remainder 98
00454B74 |. 8B5C24 44 mov ebx, dword ptr [esp+44] //ebx = arg4
00454B78 |. 894424 24 mov dword ptr [esp+24], eax //[esp+24] = arg1 / 1000
00454B7C |. 8BC6 mov eax, esi //EAX=8545C8
00454B7E |. 99 cdq
00454B7F |. F7FD idiv ebp //8545C8 / 2710 = 369, remainder 1038
00454B81 |. BD 64000000 mov ebp, 64 //constant 64 (100 decimal)
00454B86 |. 894424 14 mov dword ptr [esp+14], eax //[esp+14] = arg1 / 10000
00454B8A |. 8BC3 mov eax, ebx //EAX=190
00454B8C |. 99 cdq
00454B8D |. F7FD idiv ebp //190 / 64 = 4
00454B8F |. 894424 1C mov dword ptr [esp+1C], eax //[esp+1C] = arg4 / 100
00454B93 |. 8BC7 mov eax, edi //EDI=199
00454B95 |. 99 cdq
00454B96 |. F7FD idiv ebp //199 / 64 = 4, remainder 9
00454B98 |. BD 40420F00 mov ebp, 0F4240 //constant F4240 (1000000 decimal)
00454B9D |. 894424 2C mov dword ptr [esp+2C], eax //[esp+2C] = arg3 / 100
00454BA1 |. 8BC6 mov eax, esi //ESI=8545C8
00454BA3 |. 99 cdq
00454BA4 |. F7FD idiv ebp //8545C8 / F4240 = 8, remainder B33C8
00454BA6 |. BD 0A000000 mov ebp, 0A //constant 0A (10 decimal)
00454BAB |. 894424 18 mov dword ptr [esp+18], eax //[esp+18] = arg1 / 1000000
00454BAF |. 8BC3 mov eax, ebx //EBX=190
00454BB1 |. 99 cdq
00454BB2 |. F7FD idiv ebp //190 / 0A = 28
00454BB4 |. 8BE8 mov ebp, eax //ebp = arg4 / 10
00454BB6 |. 8B5424 3C mov edx, dword ptr [esp+3C] //edx = arg2; first weighted sum starts here
00454BBA |. 035424 28 add edx, dword ptr [esp+28]//1+57=58
00454BBE |. 03D1 add edx, ecx //58+28=80
00454BC0 |. 8D1452 lea edx, dword ptr [edx+edx*2]//80*3=180
00454BC3 |. 035424 10 add edx, dword ptr [esp+10]//180+D53C7=D5547
00454BC7 |. 8B4424 24 mov eax, dword ptr [esp+24]
00454BCB |. 035424 20 add edx, dword ptr [esp+20]///D5547+1552D=EAA74
00454BCF |. 03C7 add eax, edi //221E+199=23B7
00454BD1 |. 8D1452 lea edx, dword ptr [edx+edx*2]//EAA74*3=2BFF5C
00454BD4 |. 2BD0 sub edx, eax ///2BFF5C-23B7=2BDBA5
00454BD6 |. BB 0A000000 mov ebx, 0A //constant 0A (10 decimal); ebx no longer holds arg4
00454BDB |. 8D14C2 lea edx, dword ptr [edx+eax*8]//2BDBA5+23B7*8=2CF95D
00454BDE |. 03D6 add edx, esi ///2CF95D+8545C8=B23F25
00454BE0 |. 035424 14 add edx, dword ptr [esp+14] //B23F25+369=B2428E
00454BE4 |. 035424 1C add edx, dword ptr [esp+1C] ///B2428E+4=B24292
00454BE8 |. 035424 2C add edx, dword ptr [esp+2C] //B24292+4=B24296
00454BEC |. 035424 18 add edx, dword ptr [esp+18] //B24296+8=B2429E
00454BF0 |. 8D042A lea eax, dword ptr [edx+ebp] //B2429E+28=B242C6
00454BF3 |. 99 cdq
00454BF4 |. F7FB idiv ebx //B242C6 / 0A = 11D37A, remainder 2 (r1)
00454BF6 |. 8D1C92 lea ebx, dword ptr [edx+edx*4] //remainder 2 * 5 = A
00454BF9 |. 8D147F lea edx, dword ptr [edi+edi*2] //199*3=4CB; second weighted sum starts here
00454BFC |. 035424 18 add edx, dword ptr [esp+18] //4CB+8=4D3
00454C00 |. 8B4424 10 mov eax, dword ptr [esp+10] //EAX=D53C7
00454C04 |. 035424 24 add edx, dword ptr [esp+24] //4D3+221E=26F1
00454C08 |. 03D1 add edx, ecx //26F1+28=2719
00454C0A |. 8D1452 lea edx, dword ptr [edx+edx*2] //2719*3=754B
00454C0D |. 2B5424 10 sub edx, dword ptr [esp+10] //754B-D53C7=FFF32184
00454C11 |. 8D14C2 lea edx, dword ptr [edx+eax*8] //FFF32184+D53C7*8=5DBFBC
00454C14 |. 035424 3C add edx, dword ptr [esp+3C] //5DBFBC+1=5DBFBD
00454C18 |. 03D6 add edx, esi //5DBFBD+8545C8=E30585
00454C1A |. 035424 14 add edx, dword ptr [esp+14] //E30585+369=E308EE
00454C1E |. 035424 20 add edx, dword ptr [esp+20] //E308EE+1552D=E45E1B
00454C22 |. 035424 28 add edx, dword ptr [esp+28] //E45E1B+57=E45E72
00454C26 |. 035424 1C add edx, dword ptr [esp+1C] //E45E72+4=E45E76
00454C2A |. 035424 2C add edx, dword ptr [esp+2C] //E45E76+4=E45E7A
00454C2E |. C74424 30 0A0>mov dword ptr [esp+30], 0A //scratch local = divisor 0A (10 decimal)
00454C36 |. 8D042A lea eax, dword ptr [edx+ebp] //E45E7A+28=E45EA2
00454C39 |. 99 cdq
00454C3A |. F77C24 30 idiv dword ptr [esp+30] //E45EA2 / 0A = 16D643, remainder 4 (r2)
00454C3E |. 8D0449 lea eax, dword ptr [ecx+ecx*2] //28*3=78; third weighted sum starts here
00454C41 |. 8D1C5A lea ebx, dword ptr [edx+ebx*2] //remainder 4 + A*2 = 18
00454C44 |. 034424 2C add eax, dword ptr [esp+2C] //78+4=7C
00454C48 |. 8B5424 18 mov edx, dword ptr [esp+18]
00454C4C |. 8D1C9B lea ebx, dword ptr [ebx+ebx*4] //18*5=78
00454C4F |. 034424 20 add eax, dword ptr [esp+20] //7C+1552D=155A9
00454C53 |. 03C5 add eax, ebp //155A9+28=155D1
00454C55 |. 035424 24 add edx, dword ptr [esp+24]// 8+221E=2226
00454C59 |. 8D0440 lea eax, dword ptr [eax+eax*2]//155D1*3=40173
00454C5C |. 2BC2 sub eax, edx //40173-2226=3DF4D
00454C5E |. 8D04D0 lea eax, dword ptr [eax+edx*8]//3DF4D+2226*8=4F07D
00454C61 |. C74424 30 0A0>mov dword ptr [esp+30], 0A //scratch local = divisor 0A again
00454C69 |. 034424 3C add eax, dword ptr [esp+3C]//4F07D+1=4F07E
00454C6D |. 03C6 add eax, esi //4F07E+8545C8=8A3646
00454C6F |. 034424 14 add eax, dword ptr [esp+14] //8A3646+369=8A39AF
00454C73 |. 034424 28 add eax, dword ptr [esp+28] //8A39AF+57=8A3A06
00454C77 |. 034424 10 add eax, dword ptr [esp+10] //8A3A06+D53C7=978DCD
00454C7B |. 03EE add ebp, esi //28+8545C8=8545F0
00454C7D |. 034424 1C add eax, dword ptr [esp+1C]//978DCD+4=978DD1
00454C81 |. 03C7 add eax, edi //978DD1+199=978F6A
00454C83 |. 99 cdq
00454C84 |. F77C24 30 idiv dword ptr [esp+30]//978F6A / 0A = F27F1, remainder 0 (r3)
00454C88 |. 8D1C5A lea ebx, dword ptr [edx+ebx*2]//0+78*2=F0
00454C8B |. 8D1C9B lea ebx, dword ptr [ebx+ebx*4]//F0*5=4B0
00454C8E |. 8D546D 00 lea edx, dword ptr [ebp+ebp*2]//8545F0*3=18FD1D0; fourth weighted sum starts here
00454C92 |. 035424 10 add edx, dword ptr [esp+10]//18FD1D0+D53C7=19D2597
00454C96 |. 8B4424 1C mov eax, dword ptr [esp+1C]
00454C9A |. 035424 14 add edx, dword ptr [esp+14]//19D2597+369=19D2900
00454C9E |. 034424 20 add eax, dword ptr [esp+20]//1552D+4=15531
00454CA2 |. 035424 18 add edx, dword ptr [esp+18]//19D2900+8=19D2908
00454CA6 |. 03C1 add eax, ecx //15531+28=15559
00454CA8 |. 8D1452 lea edx, dword ptr [edx+edx*2]//19D2908*3=4D77B18
00454CAB |. B9 0A000000 mov ecx, 0A //divisor 0A (10 decimal); ecx no longer holds arg3 / 10
00454CB0 |. 2BD0 sub edx, eax //4D77B18-15559=4D625BF
00454CB2 |. 8D14C2 lea edx, dword ptr [edx+eax*8]//4D625BF+15559*8=4E0D087
00454CB5 |. 035424 3C add edx, dword ptr [esp+3C]//4E0D087+1=4E0D088
00454CB9 |. 035424 24 add edx, dword ptr [esp+24]//4E0D088+221E=4E0F2A6
00454CBD |. 035424 28 add edx, dword ptr [esp+28]//4E0F2A6+57=4E0F2FD
00454CC1 |. 035424 2C add edx, dword ptr [esp+2C]//4E0F2FD+4=4E0F301
00454CC5 |. 5D pop ebp
00454CC6 |. 8D043A lea eax, dword ptr [edx+edi]//4E0F301+199=4E0F49A
00454CC9 |. 5F pop edi
00454CCA |. 99 cdq
00454CCB |. F7F9 idiv ecx//4E0F49A / 0A = 7CE542, remainder 6 (r4)
00454CCD |. 5E pop esi
00454CCE |. 8D045A lea eax, dword ptr [edx+ebx*2]//remainder 6 + 4B0*2 = 966; this is the return value
00454CD1 |. 5B pop ebx
00454CD2 |. 83C4 24 add esp, 24 //release the locals
00454CD5 \. C3 retn
上面是不是觉得我很傻啊呵呵,那时候不懂加密算法,编程也差。真是一步一步走来的。
_________________________________________________________________________________________________
00454A64 |. 816C24 30 1C4>sub dword ptr [esp+30], 0B491C //8545C8-固定值B491C=79FCAC
00454A6C |. 836C24 34 1B sub dword ptr [esp+34], 1B //199-固定值1B=17E
00454A71 |. 83C4 10 add esp, 10
00454A74 |. 395C24 10 cmp dword ptr [esp+10], ebx
00454A78 |. 7C 3D jl short 00454AB7
00454A7A |. 837C24 10 09 cmp dword ptr [esp+10], 9
00454A7F |. 7F 36 jg short 00454AB7
00454A81 |. 395C24 30 cmp dword ptr [esp+30], ebx//比较190是否小于0
00454A85 |. 7C 30 jl short 00454AB7
00454A87 |. 817C24 30 E70>cmp dword ptr [esp+30], 3E7//比较190是否大于3E7
00454A8F |. 7F 26 jg short 00454AB7
00454A91 |. 395C24 20 cmp dword ptr [esp+20], ebx//比较79FCAC是否小于0
00454A95 |. 7C 20 jl short 00454AB7
00454A97 |. 817C24 20 405>cmp dword ptr [esp+20], 895440//79FCAC是否大于895440
00454A9F |. 7F 16 jg short 00454AB7
00454AA1 |. 395C24 24 cmp dword ptr [esp+24], ebx//17E是否小于0
00454AA5 |. 7C 10 jl short 00454AB7
00454AA7 |. 817C24 24 840>cmp dword ptr [esp+24], 384///17E是否大于384
00454AAF |. 7F 06 jg short 00454AB7
00454AB1 |. 394424 14 cmp dword ptr [esp+14], eax//966是否等于934(第9,10,12,14位2356的16进制值)
因此假序列号应改为FLW400-12440-67890-54321
00454AB5 |. 74 09 je short 00454AC0//不等于就over
00454AB7 |> 33C0 xor eax, eax
00454AB9 |. 5F pop edi
00454ABA |. 5E pop esi
00454ABB |. 5B pop ebx
00454ABC |. 83C4 3C add esp, 3C
00454ABF |. C3 retn
.......
00454AD6 |. 8B4C24 24 mov ecx, dword ptr [esp+24] ///ECX=17E
00454ADA |. 8908 mov dword ptr [eax], ecx
00454ADC |> 8B4424 58 mov eax, dword ptr [esp+58]
00454AE0 |. 85C0 test eax, eax
00454AE2 |. 74 06 je short 00454AEA
00454AE4 |. 8B4C24 10 mov ecx, dword ptr [esp+10]
00454AE8 |. 8908 mov dword ptr [eax], ecx
00454AEA |> 8B4424 54 mov eax, dword ptr [esp+54]
00454AEE |. 85C0 test eax, eax
00454AF0 |. 74 06 je short 00454AF8
00454AF2 |. 8B4C24 30 mov ecx, dword ptr [esp+30] //ECX=190
00454AF6 |. 8908 mov dword ptr [eax], ecx
00454AF8 |> 8B7C24 50 mov edi, dword ptr [esp+50]
00454AFC |. 85FF test edi, edi
00454AFE |. 74 10 je short 00454B10
..
返回到00454793
_________________________
00454793 |. 83C4 18 add esp, 18
00454796 |. 85C0 test eax, eax
00454798 |. 0F84 B3000000 je 00454851
0045479E |. 8D4424 18 lea eax, dword ptr [esp+18]
004547A2 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
004547A6 |. 50 push eax
004547A7 |. 51 push ecx
004547A8 |. E8 33050000 call 00454CE0
004547AD |. 83C4 08 add esp, 8
004547B0 |. 33D2 xor edx, edx
004547B2 |. 33C0 xor eax, eax
004547B4 |. 397424 14 cmp dword ptr [esp+14], esi////ESI=5
004547B8 |. 7E 2F jle short 004547E9
004547BA |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; Flash.0067A0D0
004547BE |> 8B7C24 1C /mov edi, dword ptr [esp+1C] //EDI=17E
004547C2 |. 3939 |cmp dword ptr [ecx], edi //比较273,278,27A,275,275是否等于17E
004547C4 |. 74 0C |je short 004547D2//不等就over了
004547C6 |. 83C1 14 |add ecx, 14
004547C9 |. 40 |inc eax
004547CA |. 3B4424 14 |cmp eax, dword ptr [esp+14]//循环5次比较
004547CE |.^ 7C EE \jl short 004547BE
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
根据比较的4个值构造出4个对应的第11,18,17位
273+1B=28E,10进制为654,即第11,18,17位为654
275+1B=290,10进制为656,即第11,18,17位为656
278+1B=293,10进制为659,即第11,18,17位为659
27A+1B=295,10进制为661,即第11,18,17位为661
由此兼顾00454AB1处最后的运算结果必须相等的话,
第9,10,12,14位有4组合适的数字,分别是
4668,8480,9113,2222
即安装序列号有4个
FLW400-14666-87845-54321
FLW400-18468-07865-54321
FLW400-19161-37895-54321
FLW400-12262-27816-54321
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
004547D0 |. EB 17 jmp short 004547E9
004547D2 |> C1E0 02 shl eax, 2
004547D5 |. BA 01000000 mov edx, 1
004547DA |. 8D0C80 lea ecx, dword ptr [eax+eax*4]
004547DD |. 034C24 18 add ecx, dword ptr [esp+18]
004547E1 |. 8B41 0C mov eax, dword ptr [ecx+C]
004547E4 |. 8B49 10 mov ecx, dword ptr [ecx+10]
004547E7 |. EB 08 jmp short 004547F1
004547E9 |> 8B4424 0C mov eax, dword ptr [esp+C]
004547ED |. 8B4C24 0C mov ecx, dword ptr [esp+C]
004547F1 |> 85D2 test edx, edx
004547F3 |. 74 5C je short 00454851
004547F5 |. 8D7C24 0C lea edi, dword ptr [esp+C]
004547F9 |> 8A10 /mov dl, byte ptr [eax]
004547FB |. 3A17 |cmp dl, byte ptr [edi]
004547FD |. 75 1A |jnz short 00454819
004547FF |. 0AD2 |or dl, dl
00454801 |. 74 12 |je short 00454815
00454803 |. 8A50 01 |mov dl, byte ptr [eax+1]
00454806 |. 3A57 01 |cmp dl, byte ptr [edi+1]
00454809 |. 75 0E |jnz short 00454819
0045480B |. 83C0 02 |add eax, 2
0045480E |. 83C7 02 |add edi, 2
00454811 |. 0AD2 |or dl, dl
00454813 |.^ 75 E4 \jnz short 004547F9
00454815 |> 33C0 xor eax, eax
00454817 |. EB 05 jmp short 0045481E
00454819 |> 1BC0 sbb eax, eax
0045481B |. 83D8 FF sbb eax, -1
0045481E |> 85C0 test eax, eax
00454820 |. 75 2F jnz short 00454851
00454822 |. 837C24 34 00 cmp dword ptr [esp+34], 0
00454827 |. 75 07 jnz short 00454830
00454829 |. 837C24 20 08 cmp dword ptr [esp+20], 8
0045482E |. 74 21 je short 00454851
00454830 |> BF F6FFFFFF mov edi, -0A
00454835 |. 8B4424 24 mov eax, dword ptr [esp+24]
00454839 |. 99 cdq
0045483A |. F7FF idiv edi
0045483C |. 8BF8 mov edi, eax
0045483E |. BB F6FFFFFF mov ebx, -0A
00454843 |. 8BC1 mov eax, ecx
00454845 |. 99 cdq
00454846 |. F7FB idiv ebx
00454848 |. 3BF8 cmp edi, eax
0045484A |. 75 05 jnz short 00454851
0045484C |. BE 01000000 mov esi, 1
00454851 |> 8BC6 mov eax, esi
00454853 |. 5F pop edi
00454854 |. 5E pop esi
00454855 |. 5B pop ebx
00454856 |. 83C4 20 add esp, 20
00454859 \. C3 retn
_________________________________________________
006047BE . 83C4 04 add esp, 4
006047C1 . 8945 E8 mov dword ptr [ebp-18], eax
006047C4 . 85C0 test eax, eax
006047C6 . 75 31 jnz short 006047F9
006047C8 . 8D4D F0 lea ecx, dword ptr [ebp-10]
006047CB . E8 733CF6FF call 00568443
006047D0 . 68 7F020000 push 27F
006047D5 . 8D4D F0 lea ecx, dword ptr [ebp-10]
006047D8 . C645 FC 03 mov byte ptr [ebp-4], 3
006047DC . E8 2444F6FF call 00568C05
006047E1 . 6A 00 push 0
006047E3 . 8B45 F0 mov eax, dword ptr [ebp-10]
006047E6 . 6A 30 push 30
006047E8 . 50 push eax
006047E9 . E8 5408F7FF call 00575042
006047EE . C645 FC 02 mov byte ptr [ebp-4], 2
006047F2 . E8 E0000000 call 006048D7
006047F7 . EB 6E jmp short 00604867
006047F9 > 8B45 C8 mov eax, dword ptr [ebp-38]
006047FC . 8B4D EC mov ecx, dword ptr [ebp-14]
006047FF . 50 push eax
00604800 . 68 942E6E00 push 006E2E94 ; ASCII "Serial Number"
00604805 . 68 A42E6E00 push 006E2EA4 ; ASCII "Registration"
0060480A . E8 C1FDFFFF call 006045D0
0060480F . 8B45 CC mov eax, dword ptr [ebp-34]
00604812 . 8B4D EC mov ecx, dword ptr [ebp-14]
00604815 . 50 push eax
00604816 . 68 802E6E00 push 006E2E80 ; ASCII "First Name"
0060481B . 68 A42E6E00 push 006E2EA4 ; ASCII "Registration"
00604820 . E8 ABFDFFFF call 006045D0
00604825 . 8B45 D0 mov eax, dword ptr [ebp-30]
00604828 . 8B4D EC mov ecx, dword ptr [ebp-14]
0060482B . 50 push eax
0060482C . 68 742E6E00 push 006E2E74 ; ASCII "Last Name"
00604831 . 68 A42E6E00 push 006E2EA4 ; ASCII "Registration"
00604836 . E8 95FDFFFF call 006045D0
0060483B . 8B45 D4 mov eax, dword ptr [ebp-2C]
0060483E . 8B4D EC mov ecx, dword ptr [ebp-14]
00604841 . 50 push eax
00604842 . 68 682E6E00 push 006E2E68 ; ASCII "Middle Name"
00604847 . 68 A42E6E00 push 006E2EA4 ; ASCII "Registration"
0060484C . E8 7FFDFFFF call 006045D0
00604851 . 8B45 D8 mov eax, dword ptr [ebp-28]
00604854 . 8B4D EC mov ecx, dword ptr [ebp-14]
00604857 . 50 push eax
00604858 . 68 582E6E00 push 006E2E58 ; ASCII "Organization"
0060485D . 68 A42E6E00 push 006E2EA4 ; ASCII "Registration"
00604862 . E8 69FDFFFF call 006045D0
00604867 > FF85 64FFFFFF inc dword ptr [ebp-9C]
0060486D . 837D E8 00 cmp dword ptr [ebp-18], 0
00604871 .^ 0F84 E9FEFFFF je 00604760
00604877 > C745 F0 00000>mov dword ptr [ebp-10], 0
0060487E . C645 FC 01 mov byte ptr [ebp-4], 1
00604882 . E8 58000000 call 006048DF
00604887 > 837D E8 00 cmp dword ptr [ebp-18], 0
0060488B . 0F84 AA000000 je 0060493B
00604891 . 837D F0 00 cmp dword ptr [ebp-10], 0
00604895 . 0F8C A0000000 jl 0060493B
0060489B . 837D DC 00 cmp dword ptr [ebp-24], 0
0060489F . 0F84 96000000 je 0060493B
006048A5 . 837D F0 00 cmp dword ptr [ebp-10], 0
006048A9 . 75 77 jnz short 00604922
006048AB . 6A 00 push 0
006048AD . 8D8D 08FFFFFF lea ecx, dword ptr [ebp-F8]
006048B3 . E8 88C5E5FF call 00460E40
006048B8 . C645 FC 04 mov byte ptr [ebp-4], 4
006048BC . 8D8D 08FFFFFF lea ecx, dword ptr [ebp-F8]
006048C2 . E8 4946E2FF call 00428F10
006048C7 . 3D E9010000 cmp eax, 1E9 ; Switch (cases 1..1E9)
006048CC . 75 1C jnz short 006048EA
归纳起来正确的安装序列号是:
FLW400-14666-87845-54321
FLW400-18468-07865-54321
FLW400-19161-37895-54321
FLW400-12262-27816-54321