图像大师 IV 注册码算法分析(2)

....关键call,F8跟入到这里....

004014D0 83EC 54 SUB ESP,54
004014D3 55 PUSH EBP
004014D4 56 PUSH ESI
004014D5 8BE9 MOV EBP,ECX
004014D7 57 PUSH EDI
004014D8 B9 07000000 MOV ECX,7
004014DD 33C0 XOR EAX,EAX
004014DF 8D7C24 40 LEA EDI,DWORD PTR SS:[ESP+40]
004014E3 F3:AB REP STOS DWORD PTR ES:[EDI]
004014E5 66:AB STOS WORD PTR ES:[EDI]
004014E7 B9 07000000 MOV ECX,7
004014EC 33C0 XOR EAX,EAX
004014EE 8D7C24 20 LEA EDI,DWORD PTR SS:[ESP+20]
004014F2 F3:AB REP STOS DWORD PTR ES:[EDI]
004014F4 66:AB STOS WORD PTR ES:[EDI]
004014F6 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
004014FA 50 PUSH EAX
004014FB 68 6CC04100 PUSH 0041C06C
00401500 68 02000080 PUSH 80000002
00401505 FF15 04904100 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>;
0040150B 8B35 00904100 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegQuer>
00401511 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
00401515 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
00401519 51 PUSH ECX
0040151A 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
0040151E 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00401522 52 PUSH EDX
00401523 50 PUSH EAX
00401524 6A 00 PUSH 0
00401526 BF 1E000000 MOV EDI,1E
0040152B 68 60C04100 PUSH 0041C060
00401530 51 PUSH ECX
00401531 C74424 28 0300>MOV DWORD PTR SS:[ESP+28],3
00401539 897C24 24 MOV DWORD PTR SS:[ESP+24],EDI
0040153D FFD6 CALL ESI
0040153F 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
00401543 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
00401547 52 PUSH EDX
00401548 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
0040154C 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00401550 50 PUSH EAX
00401551 51 PUSH ECX
00401552 6A 00 PUSH 0
00401554 68 50C04100 PUSH 0041C050
00401559 52 PUSH EDX
0040155A C74424 28 0300>MOV DWORD PTR SS:[ESP+28],3
00401562 897C24 24 MOV DWORD PTR SS:[ESP+24],EDI
00401566 FFD6 CALL ESI
00401568 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0040156C 50 PUSH EAX
0040156D FF15 14904100 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>;
00401573 8D7C24 40 LEA EDI,DWORD PTR SS:[ESP+40]取用户名
00401577 83C9 FF OR ECX,FFFFFFFF
0040157A 33C0 XOR EAX,EAX
0040157C F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0040157E F7D1 NOT ECX
00401580 49 DEC ECX
00401581 74 7C JE SHORT 004015FF 标志位ZF为1跳转
00401583 8A4C24 25 MOV CL,BYTE PTR SS:[ESP+25]
00401587 B0 2D MOV AL,2D
00401589 3AC8 CMP CL,AL 比较是否是字符"-"
0040158B 75 72 JNZ SHORT 004015FF
0040158D 384424 2B CMP BYTE PTR SS:[ESP+2B],AL
00401591 75 6C JNZ SHORT 004015FF],AL
00401593 384424 31 CMP BYTE PTR SS:[ESP+31],AL
00401597 75 66 JNZ SHORT 004015FF],AL
00401599 384424 37 CMP BYTE PTR SS:[ESP+37],AL
0040159D 75 60 JNZ SHORT 004015FF],AL 从上面我们可以看出来注册码形式为
0040159F 33FF XOR EDI,EDI xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
004015A1 8D7424 22 LEA ESI,DWORD PTR SS:[ESP+22] 从第3位开始取xxx-xxxxx-xxxxx-xxxxx-xxxxx
004015A5 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
004015A9 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
004015AD 51 PUSH ECX
004015AE 57 PUSH EDI
004015AF 52 PUSH EDX
004015B0 8BCD MOV ECX,EBP
004015B2 E8 59000000 CALL 00401610 这是关键CALL-1
004015B7 8A46 FE MOV AL,BYTE PTR DS:[ESI-2]
004015BA 8A4C24 18 MOV CL,BYTE PTR SS:[ESP+18]
004015BE 3AC1 CMP AL,CL 比较每组注册码第一位
004015C0 75 3D JNZ SHORT 004015FF 不对就死
004015C2 8A4E FF MOV CL,BYTE PTR DS:[ESI-1]
004015C5 8A4424 19 MOV AL,BYTE PTR SS:[ESP+19]
004015C9 3AC8 CMP CL,AL 比较每组注册码第二位
004015CB 75 32 JNZ SHORT 004015FF 不对就死
004015CD 8A16 MOV DL,BYTE PTR DS:[ESI]
004015CF 8A4424 1A MOV AL,BYTE PTR SS:[ESP+1A]
004015D3 3AD0 CMP DL,AL 比较每组注册码第三位
004015D5 75 28 JNZ SHORT 004015FF 不对就死
004015D7 8A46 01 MOV AL,BYTE PTR DS:[ESI+1]
004015DA 8A4C24 1B MOV CL,BYTE PTR SS:[ESP+1B]
004015DE 3AC1 CMP AL,CL 比较每组注册码第四位
004015E0 75 1D JNZ SHORT 004015FF 不对就死
004015E2 8A4E 02 MOV CL,BYTE PTR DS:[ESI+2]
004015E5 8A4424 1C MOV AL,BYTE PTR SS:[ESP+1C]
004015E9 3AC8 CMP CL,AL 比较每组注册码第五位
004015EB 75 12 JNZ SHORT 004015FF 不对就死
004015ED 47 INC EDI
004015EE 83C6 06 ADD ESI,6 真码地址加6(包括"-")
004015F1 83FF 05 CMP EDI,5
004015F4 7C AF JL SHORT 004015A5 这个循环判断5组序列号,每次一组5个一位一位比!
004015F6 5F POP EDI
004015F7 5E POP ESI
004015F8 B0 01 MOV AL,1
004015FA 5D POP EBP
004015FB 83C4 54 ADD ESP,54
004015FE C3 RETN
004015FF 5F POP EDI
00401600 5E POP ESI
00401601 32C0 XOR AL,AL
00401603 5D POP EBP

....F8跟进关键call-1......

00401614 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
00401618 03D0 ADD EDX,EAX
0040161A 83EC 0C SUB ESP,0C
0040161D B9 01000000 MOV ECX,1 ECX=1
00401622 8A02 MOV AL,BYTE PTR DS:[EDX] 逐位取用户名ASCII码
00401624 84C0 TEST AL,AL
00401626 74 0E JE SHORT 00401636 不为空继续
00401628 0FBEC0 MOVSX EAX,AL 移到 eax
0040162B 0FAFC8 IMUL ECX,EAX 逐位取用户名ASCII乘ECX的值放回ECX
0040162E 8A42 01 MOV AL,BYTE PTR DS:[EDX+1] 用户名位置加一,(就是后移一位)
00401631 42 INC EDX 计数器加1
00401632 84C0 TEST AL,AL 是否取完
00401634 75 F2 JNZ SHORT 00401628 未完继续
00401636 56 PUSH ESI
00401637 8B7424 1C MOV ESI,DWORD PTR SS:[ESP+1C]
0040163B 8BC6 MOV EAX,ESI
0040163D 33D2 XOR EDX,EDX
0040163F 6A 24 PUSH 24
00401641 8910 MOV DWORD PTR DS:[EAX],EDX
00401643 66:8950 04 MOV WORD PTR DS:[EAX+4],DX
00401647 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0040164B 52 PUSH EDX
0040164C 51 PUSH ECX
0040164D E8 3D680100 CALL 00417E8F 算法CALL-1
00401652 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00401656 50 PUSH EAX
00401657 68 7CC04100 PUSH 0041C07C
0040165C 56 PUSH ESI
0040165D E8 59C70000 CALL 0040DDBB
00401662 83C4 18 ADD ESP,18
00401665 33C9 XOR ECX,ECX
00401667 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]
0040166A 3C 61 CMP AL,61 是否小于$61
0040166C 7C 0B JL SHORT 00401679 是就跳走
0040166E 3C 7A CMP AL,7A 是否大于$7A
00401670 7F 07 JG SHORT 00401679 是就跳走
00401672 2C 20 SUB AL,20 在$61-7A中间就减$20, (小写字母变为大写字母)
00401674 880431 MOV BYTE PTR DS:[ECX+ESI],AL 放回去
00401677 EB 08 JMP SHORT 00401681
00401679 84C0 TEST AL,AL
0040167B 75 04 JNZ SHORT 00401681
0040167D C60431 30 MOV BYTE PTR DS:[ECX+ESI],30 如果不够5位的加$30,(就是补"0")
00401681 41 INC ECX
00401682 83F9 05 CMP ECX,5
00401685 7C E0 JL SHORT 00401667 字母转成大写,少于5个的序列号组用"0"添满,多的减去
00401687 5E POP ESI -------->这里可以看见每次返回的5位注册码
00401688 83C4 0C ADD ESP,0C
0040168B C2 0C00 RETN 0C

..... F8跟入算法CALL-1 .....

0167:00417E8F 55 PUSH EBP
0167:00417E90 8BEC MOV EBP,ESP
0167:00417E92 33C0 XOR EAX,EAX
0167:00417E94 837D100A CMP DWORD [EBP+10],BYTE +0A
0167:00417E98 7508 JNZ 00417EA2
0167:00417E9A 394508 CMP [EBP+08],EAX
0167:00417E9D 7D03 JNL 00417EA2
0167:00417E9F 6A01 PUSH BYTE +01
0167:00417EA1 58 POP EAX
0167:00417EA2 50 PUSH EAX
0167:00417EA3 FF7510 PUSH DWORD [EBP+10]
0167:00417EA6 FF750C PUSH DWORD [EBP+0C]
0167:00417EA9 FF7508 PUSH DWORD [EBP+08]
0167:00417EAC E882FFFFFF CALL 00417E33 算法CALL-2
0167:00417EB1 8B450C MOV EAX,[EBP+0C]
0167:00417EB4 83C410 ADD ESP,BYTE +10
0167:00417EB7 5D POP EBP

..... F8跟入算法CALL-2 .....

0167:00417E33 55 PUSH EBP
0167:00417E34 8BEC MOV EBP,ESP
0167:00417E36 837D1400 CMP DWORD [EBP+14],BYTE +00
0167:00417E3A 8B4D0C MOV ECX,[EBP+0C]
0167:00417E3D 53 PUSH EBX
0167:00417E3E 56 PUSH ESI
0167:00417E3F 57 PUSH EDI
0167:00417E40 740B JZ 00417E4D
0167:00417E42 8B7508 MOV ESI,[EBP+08]
0167:00417E45 C6012D MOV BYTE [ECX],2D
0167:00417E48 41 INC ECX
0167:00417E49 F7DE NEG ESI
0167:00417E4B EB03 JMP SHORT 00417E50
0167:00417E4D 8B7508 MOV ESI,[EBP+08]
0167:00417E50 8BF9 MOV EDI,ECX
0167:00417E52 8BC6 MOV EAX,ESI
0167:00417E54 33D2 XOR EDX,EDX
0167:00417E56 F77510 DIV DWORD [EBP+10] 除"$"(36)
0167:00417E59 8BC6 MOV EAX,ESI
0167:00417E5B 8BDA MOV EBX,EDX 余数到EBX
0167:00417E5D 33D2 XOR EDX,EDX EDX=0
0167:00417E5F F77510 DIV DWORD [EBP+10] 除"$"(36)
0167:00417E62 83FB09 CMP EBX,BYTE +09 ebx和9比较
0167:00417E65 8BF0 MOV ESI,EAX 除的结果到esi
0167:00417E67 7605 JNA 00417E6E 小于9就跳到417E6E
0167:00417E69 80C357 ADD BL,57 变为字母
0167:00417E6C EB03 JMP SHORT 00417E71
0167:00417E6E 80C330 ADD BL,30 变为数字
0167:00417E71 8819 MOV [ECX],BL 送到ecx
0167:00417E73 41 INC ECX
0167:00417E74 85F6 TEST ESI,ESI
0167:00417E76 77DA JA 00417E52 继续
0167:00417E78 802100 AND BYTE [ECX],00
0167:00417E7B 49 DEC ECX
0167:00417E7C 8A17 MOV DL,[EDI]
0167:00417E7E 8A01 MOV AL,[ECX]
0167:00417E80 8811 MOV [ECX],DL
0167:00417E82 8807 MOV [EDI],AL 上面这几句是把得到的结果前后置换
0167:00417E84 49 DEC ECX
0167:00417E85 47 INC EDI
0167:00417E86 3BF9 CMP EDI,ECX
0167:00417E88 72F2 JC 00417E7C
0167:00417E8A 5F POP EDI
0167:00417E8B 5E POP ESI
0167:00417E8C 5B POP EBX
0167:00417E8D 5D POP EBP

算法总结:
1,把用户名ASCII码逐位相乘,结果和"$"(36)逐次取余,一直循环到取完!先得到的在低位,然后转换成大写,不够的用"0"补全5位,
2.每次减少一个用户名字母,比如用户名:"jxtour"
第一组注册码用:jxtour计算
第二组注册码用:xtour计算
第三组注册码用:tour计算
第四组注册码用:our计算
第五组注册码用:ur计算

可以得到注册码如下:
用户名:jxtour
注册码:18HVG-1KPI4-2U8ZI-VQDI0-AAI00