变速精灵XP1.01 algorithm analysis
Crack by 游上岸的鱼[DFCG][FCG][BCG]
:004036D3 C7476001000000 mov [edi+60], 00000001
:004036DA E8D1D9FFFF call 004010B0==》the algorithm CALL; press F8 to step into it.
:004036DF 8B8C242C040000 mov ecx, dword ptr [esp+0000042C]
:004036E6 83C404 add esp, 00000004
:004036E9 3BC1 cmp eax, ecx<<<<<<<the key comparison
:004036EB 0F8484010000 je 00403875
:004036F1 56 push esi
:004036F2 8D4C2410 lea ecx, dword ptr [esp+10]
:004036F6 C7476000000000 mov [edi+60], 00000000
My machine code is 762-272-1015-968.
:004010B0 55 push ebp
:004010B1 8BEC mov ebp, esp
:004010B3 56 push esi==》typing ? ESI shows 762968272, clearly a transformed form of the machine code; I won't track down exactly where it is produced. Call this transformed machine code SN1.
:004010B4 8B7508 mov esi, dword ptr [ebp+08]==》SN1, the argument at [ebp+08], is loaded into ESI
:004010B7 C1EE0A shr esi, 0A==》SN1 shifted right by 0A (10 decimal) bits = 745086; the result stays in ESI, call it SN2
:004010BA 8D05D0104000 lea eax, dword ptr [004010D0]
:004010C0 50 push eax
:004010C1 E8CAFFFFFF call 00401090
:004010C6 C3 ret
:004010C7 50 push eax
:004010C8 E8C3FFFFFF call 00401090
:004010CD CC int 03
:004010CE 90 nop
:004010CF 90 nop
:004010D0 C14D080F ror dword ptr [ebp+08], 0F==》SN1 rotated right by 0F (15 decimal) bits
:004010D4 8B4508 mov eax, dword ptr [ebp+08]==》the result is moved into EAX
:004010D7 33C9 xor ecx, ecx==》clear ECX; it serves as the counter for the loop below
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010EA(C)
|
:004010D9 8BD0 mov edx, eax==》the result is copied into EDX
:004010DB D3EA shr edx, cl==》shift right by CL bits (the counter value)
:004010DD 83E203 and edx, 00000003==》EDX = EDX AND 3
:004010E0 03D6 add edx, esi==》EDX = EDX + ESI (ESI = SN2)
:004010E2 D1E2 shl edx, 1==》shift EDX left by 1 bit
:004010E4 41 inc ecx==》increment the counter
:004010E5 8BF2 mov esi, edx==》the result is moved into ESI and becomes the new SN2
:004010E7 83F91F cmp ecx, 0000001F==》check whether the loop counter is still below 1F
:004010EA 7CED jl 004010D9==》if so, jump back and continue the loop
:004010EC 8BC6 mov eax, esi==》move the final result (the true registration code) into EAX as the return value
:004010EE 5E pop esi
:004010EF 5D pop ebp
:004010F0 C3 ret
Algorithm summary, using the computation of my own registration code as the example:
Machine code:
762-272-1015-968
① - ② - ③ - ④
Preprocessing:
1. Rearrange into the ①④② form: 762968272 = 2D79F8D0
2. Shift 2D79F8D0 right by 0A bits: B5E7E
3. Rotate 2D79F8D0 right by F bits: F1A05AF3
4. Then run the 15 rounds of shift-right (logical shift-right) computation.
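The routine above, re-implemented in C as an added worked example (this is not code from the original write-up or from the program being analysed). It rebuilds SN1 from the dash-separated machine code as the ①④② concatenation the summary describes, applies the shr 0A and ror 0F steps, and runs the loop with the bound the disassembly uses (cmp ecx, 1F, so shift counts 0 through 30). All function and variable names are my own; the machine code and intermediate values are the ones quoted in the write-up. How the program parses the serial the user types before the cmp eax, ecx at 004036E9 is not shown on the page, so compute_serial returns the raw 32-bit value and leaves the display format open. From a defender's point of view the point is that the expected serial is a fixed, cheap, deterministic function of a value visible to the user, so the check is only as strong as the secrecy of these few instructions.

```c
/* Added example: re-implementation of the registration-code routine at 004010B0
   as documented in the write-up above. Names are my own; the machine code and
   expected values come from the write-up. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Build SN1 from "g1-g2-g3-g4" by concatenating the groups as g1 g4 g2 (the
   write-up's ①④② form) and reading the result as decimal. Returns 0 on a
   malformed string. */
static uint32_t machine_code_to_sn1(const char *code)
{
    char g[4][8] = {{0}};
    char buf[32];

    if (sscanf(code, "%7[0-9]-%7[0-9]-%7[0-9]-%7[0-9]",
               g[0], g[1], g[2], g[3]) != 4)
        return 0;
    snprintf(buf, sizeof buf, "%s%s%s", g[0], g[3], g[1]);
    return (uint32_t)strtoul(buf, NULL, 10);
}

/* 32-bit rotate right, matching the x86 ror instruction. */
static uint32_t ror32(uint32_t x, unsigned n)
{
    n &= 31;
    return n ? (x >> n) | (x << (32 - n)) : x;
}

/* Mirrors the instructions from 004010B4 to 004010EC. */
static uint32_t compute_serial(uint32_t sn1)
{
    uint32_t esi = sn1 >> 10;        /* shr esi, 0A      -> SN2 */
    uint32_t eax = ror32(sn1, 15);   /* ror [ebp+08], 0F -> rotated SN1 */
    uint32_t ecx, edx;

    for (ecx = 0; ecx < 0x1F; ecx++) {   /* inc ecx / cmp ecx, 1F / jl */
        edx = eax;        /* mov edx, eax */
        edx >>= ecx;      /* shr edx, cl  */
        edx &= 3;         /* and edx, 3   */
        edx += esi;       /* add edx, esi */
        edx <<= 1;        /* shl edx, 1 (wraps at 32 bits, like the register) */
        esi = edx;        /* mov esi, edx */
    }
    return esi;           /* mov eax, esi */
}

int main(void)
{
    const char *code = "762-272-1015-968";   /* machine code from the write-up */
    uint32_t sn1 = machine_code_to_sn1(code);
    uint32_t serial = compute_serial(sn1);

    printf("SN1           = %08X\n", (unsigned)sn1);
    printf("SN2 (shr 0A)  = %X\n",   (unsigned)(sn1 >> 10));
    printf("SN1 ror 0F    = %08X\n", (unsigned)ror32(sn1, 15));
    printf("serial (EAX)  = %08X (%u decimal)\n", (unsigned)serial, (unsigned)serial);
    return 0;
}
```

Because every round doubles ESI modulo 2^32, only the lowest bit of SN2 survives the 31 rounds and the rest of the serial depends linearly on the bits of the rotated SN1. That is my own observation from the recurrence, not something the write-up states, and it is a concrete reason to build license checks on a server-signed token rather than on a client-side arithmetic transform that a debugger session fully exposes.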
