【小游戏】简单的软件练手（9楼、15楼已给出算法分析）

junren2ys · 发表于 2008-9-11 07:47:00

下载试一下。不过。。。。估计俺的能力还不够/:011

llh001 · 发表于 2008-9-11 08:30:37

我的信息如下：

姓名：llh001
电邮：llh001@PYG.COM
密码：kgryyj4exu0m

截图：

汗，上边的邮件多了一个@，再来，信息如下图：

[ 本帖最后由 llh001 于 2008-9-11 09:49 编辑 ]

168493044 · 发表于 2008-9-11 10:04:22

wang
wang@PYG.com
jbv6m86b8ut6
算法不会啊 /:002

[ 本帖最后由 168493044 于 2008-9-11 10:12 编辑 ]

backgreen · 发表于 2008-9-11 10:37:09

count: pyg

E-MAIL: greenbluede@126.com

SN: whha2rk45sfq

噢耶！

hflywolf · 发表于 2008-9-11 18:25:41

/:L /:L /:L
   终于把算法流程搞出来了....
   简单分析下吧........
   邮箱名:hflywolf@pyg.com
   注册码:1234567890

0040C810 /$ 81EC 1C080000 sub esp, 81C ;在这下断,输入数据后点注册即可断下.
0040C816 |. 53 push ebx
0040C817 |. 55 push ebp
0040C818 |. 8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>; USER32.GetDlgItemTextW
.......省略N行
0040C836 |. FFD5 call ebp ; \GetDlgItemTextW(取邮箱名)
0040C838 |. 8D9424 240400>lea edx, dword ptr [esp+424] ;邮箱名地址---》EDX
0040C83F |. 52 push edx ; 邮箱名地址压栈
0040C840 |. FF15 44814100 call dword ptr [<&MSVCRT.wcslen>] ; \wcslen(取邮箱名长度)
0040C846 |. 83C4 04 add esp, 4
0040C849 |. 83F8 04 cmp eax, 4 ;如果邮箱名长度不小于4就跳走
0040C84C 7D 1A jge short 0040C868
.......省略N行
0040C868 |> 56 push esi ;跳向这.
.......省略N行
0040C877 |. E8 849BFFFF call 00406400 ;算法CALL,F7进入
.......省略N行
0040C892 |. FFD5 call ebp ;取假码
0040C894 |. 66:837C24 2C >cmp word ptr [esp+2C], 0 ;判断假码是否为空
0040C89A |. 8D7424 2C lea esi, dword ptr [esp+2C] ;假码地址--》ESI
0040C89E |. 8D7C24 2C lea edi, dword ptr [esp+2C] ;假码地址--》EDI
0040C8A2 |. 74 48 je short 0040C8EC ;为空则跳
0040C8A4 |. 66:833E 00 cmp word ptr [esi], 0 ;;判断ESI地址的值是否为空
0040C8A8 |. 8B2D 88814100 mov ebp, dword ptr [<&MSVCRT.iswspac>; msvcrt.iswspace
0040C8AE |. 74 36 je short 0040C8E6 ;为空则跳
.......省略N行
0040C8E6 |> 8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>; USER32.GetDlgItemTextW
0040C8EC |> 8D5424 10 lea edx, dword ptr [esp+10]
0040C8F0 |. 52 push edx ; /String2=真码
0040C8F1 |. 8D4424 30 lea eax, dword ptr [esp+30] ;
0040C8F5 |. 50 push eax ; |String1=假码
0040C8F6 |. 66:C707 0000 mov word ptr [edi], 0 ; |
0040C8FB |. FF15 E0804100 call dword ptr [<&KERNEL32.lstrcmpiW>>; \lstrcmpiW 比较。
0040C901 |. 85C0 test eax, eax ;相等则EAX=0。
.......省略N行
0040C905 |. 74 1A je short 0040C921 ;eax=0就跳向正确的地方

复制代码

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0040C877 |. E8 849BFFFF call 00406400 ;算法CALL F7进入
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00406400 /$ 55 push ebp
......省略N行
0040647B |> 53 push ebx ; /s
0040647C |. C607 00 mov byte ptr [edi], 0 ; |；将字符串中的大写转成小写
0040647F |. FF15 68814100 call dword ptr [<&MSVCRT._strlwr>] ; \_strlwr
......省略N行
00406491 |. 51 push ecx ;邮箱名长度压栈
00406492 |. 53 push ebx ;邮箱名压栈
00406493 |. E8 58FCFFFF call 004060F0 ;关键CALL，F7进入

复制代码

我们现在F7进入上面的那个关键CALL.
00406493 |. E8 58FCFFFF call 004060F0 ；关键CALL，F7进入

004060F0 /$ 83EC 08 sub esp, 8
.......省略N行
00406125 |> 83F9 01 cmp ecx, 1 ;ECX-1
00406128 |. 57 push edi
00406129 |. B8 D311EC47 mov eax, 47EC11D3 ;固定常数47EC11D3--->EAX
0040612E |. BA 507C923F mov edx, 3F927C50 ;固定常数3F927C50 -->EDX
00406133 |. 7E 1A jle short 0040614F ;ECX-1如果<=0就跳
00406135 |. 8D79 FF lea edi, dword ptr [ecx-1] ;edi=1
hflywolf@pyg.com
68666C79 776F6C66 40707967 2E636F6D
00406138 |> /8B4E 04 /mov ecx, dword ptr [esi+4] ;flow(ASCALL值666C6F77)---> ECX
0040613B |. |51 |push ecx ;ECX压入堆栈
0040613C |. |8B0E |mov ecx, dword ptr [esi] ;ylfh(ASCALL值796C6668)---> ECX
0040613E |. |51 |push ecx ;ECX压入堆栈
0040613F |. |52 |push edx ;3F927C50压入堆栈
00406140 |. |50 |push eax ;47EC11D3压入堆栈
00406141 |. |E8 8A000000 |call 004061D0 ;关键CALL F7进入(eax=A4306ECE,edx=126D93811)
00406146 |. |83C4 10 |add esp, 10
00406149 |. |83C6 08 |add esi, 8
0040614C |. |4F |dec edi
0040614D |.^\75 E9 \jnz short 00406138
.............
00406175 |. 8B4C24 14 mov ecx, dword ptr [esp+14] ;ecx=6D6F632E
00406179 |. 51 push ecx ;6D6F632E压栈
0040617A |. 8B4C24 14 mov ecx, dword ptr [esp+14] ;ecx=67797040
0040617E |. 51 push ecx ;67797040压栈
0040617F |. 52 push edx ;126D93811压栈
00406180 |. 50 push eax ;A4306ECE压栈
00406181 |. E8 4A000000 call 004061D0 ;关键CALL (eax=6A1B4395,edx=C744BEOF)
00406186 |. 8B6C24 30 mov ebp, dword ptr [esp+30] ;邮箱名长度到EBP
0040618A |. 83C4 10 add esp, 10
0040618D |> 55 push ebp ;邮箱名长度压栈
0040618E |. 53 push ebx ;邮箱名压栈
0040618F |. 52 push edx ;C744BEOF压栈
00406190 |. 50 push eax ;6A1B4395压栈
00406191 |. E8 0A010000 call 004062A0 ;关键CALL,F7进入(eax=6A1B4395,edx=C744BEOF)
00406196 |. 8BF2 mov esi, edx ;返回这里.esi=4F119BDB
00406198 |. 8BF8 mov edi, eax ;EDI=2E63C942
0040619A |. 8BCE mov ecx, esi ;ECX=4F119BDB
0040619C |. 81E1 000000F0 and ecx, F0000000 ;ECX=4F119BDB AND F0000000 =40000000
004061A2 |. 33C0 xor eax, eax ;EAX=0
004061A4 |. 83C4 10 add esp, 10 ;ESP=12E944
004061A7 |. 0BC1 or eax, ecx ;EAX=0 OR 40000000 = 40000000
004061A9 |. 75 0F jnz short 004061BA ;上面OR不相等就跳
......省N行
004061BA |> 8BC7 mov eax, edi ;跳到这里.eax=2E63C942
004061BD |. 8BD6 mov edx, esi ;edx=4F119BDB
......省N行
004061C5 \. C3 retn ;返回406498

复制代码

---------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:(时间关系,就不管语法了.凑合着看吧)
EmailStr1=邮箱名
EmailLen1=邮箱名长度
sub_4060F0(EmailStr1,EmailLen1)
{

ebp = EmailLen1;
ecx = ebp+7;
ecx = ecx shr 3;
esi = (邮箱名的地址);
eax=固定常数47EC11D3;
edx=固定常数3F927C50;
if (ecx-1>0)
   { edi = ecx-1;
   for(i=1;i<=edi;i++)
   {
      NUM1=邮箱名第1+(i-1)*8位到第i*8位字符逆序后的前4位字符的ASCALL值;
      NUM2=邮箱名第1+(i-1)*8位到第i*8位字符逆序后的后4位字符的ASCALL值;
      //不足8位补0。
      sub_4061DO(eax,edx,NUM2,NUM1);//返回edx=126D93811,eax=A4306ECE.
      esi = esi+8;//邮箱名截取前i*8字符以后的地址。
   }
   }
   ecx=邮箱名地址;
   ecx = ecx - esi;
   ecx = ecx + (邮箱名长度）;
   edi = edi xor edi;
   if (ecx-edi>0)
      {
      tNUM1 =邮箱名第1+(i-1)*8位到第i*8位位字符逆序后的前4位字符的ASCALL值;
      tNUM2 =邮箱名第1+(i-1)*8位到第i*8位位字符逆序后的后4位字符的ASCALL值;
      sub_4061DO(tNUM1,tNUM2,edx,eax);//返回edx=C744BE0F,eax=6A1B4395.
      ebp=邮箱名长度;
      ebx = 邮箱名地址

      }
   sub_4062A0(ebp,ebx,edx,eax);//返edx=4F119BDB,eax=2E63C942
   esi = edx;
   edx = eax;
   ecx = esi;
   ecx = ecx and F0000000;
   eax = eax xor eax;
   eax = eax or ecx;
   if(eax=0)
   {
      sub_4063C0(esi,edi);//返回
      eax = eax shl 1C;
      esi = esi or eax;
   }
   eax = edi;
   edx = esi;
   retn edx/eax;
}
--------------------------------------------------------------------------------------------
   继续F7跟进00406141处的CALL(由于多处调用这个CALL,时间关系,我就把这CALL的功能简单的描绘一下)
   00406141  |. |E8 8A000000 |call 004061D0                ;关键CALL F7进入

04061D0 /$ 8B4424 10 mov eax, dword ptr [esp+10] ;flow(ASCALL值666C6F77)---> EAX
004061D4 |. 8B4C24 0C mov ecx, dword ptr [esp+C] ;ylfh(ASCALL值796C6668)---> ECX
004061D8 |. 53 push ebx ;12e96c压栈(存的是邮箱名)
004061D9 |. 55 push ebp ;邮箱名长度压栈（这里是9）
004061DA |. 56 push esi ;12e96c压栈(存的是邮箱名)
004061DB |. 57 push edi ;1压栈
004061DC |. 50 push eax ;EAX压入堆栈
004061DD |. 51 push ecx ;ECX压入堆栈
004061DE |. E8 3D000000 call 00406220 ;关键CALL F7跟入(eax==CC5956CA,edx=C7B4AAF2)
004061E3 |. 8B7424 20 mov esi, dword ptr [esp+20] ;返回这.esi=3F927C50
004061E7 |. 8B7C24 1C mov edi, dword ptr [esp+1C] ;edi=47EC11D3
004061EB |. 83C4 08 add esp, 898
004061EE |. 56 push esi ;ESI压栈
004061EF |. 57 push edi ;EDI入栈
004061F0 |. 52 push edx ;FFFFFFFFC7B4AAF2压栈
004061F1 |. 50 push eax ;FFFFFFFFCC5956CA压栈
004061F2 |. E8 69000100 call 00416260 ;关键CALL F7跟入(eax==649DF27E,edx=DEED263E)
004061F7 |. 8BEA mov ebp, edx ;ebp=DEED263E
004061F9 |. 33D2 xor edx, edx ;edx=0
004061FB |. 6A 01 push 1 ;1压栈
004061FD |. 52 push edx ;0压栈
004061FE |. 8BD8 mov ebx, eax ;ebx=eax=649DF27E
00406200 |. 52 push edx ;0压栈
00406201 |. 03DE add ebx, esi ;649DF27E+3F927C50=A4306ECE(ebx)
00406203 |. 57 push edi ;47EC11D3压
00406204 |. 13EA adc ebp, edx ;DEED263E+0=ebp
00406206 |. E8 55000100 call 00416260 ;关键CALL F7跟入(eax=0,edx=47EC11D3)
0040620B |. 03D8 add ebx, eax ;返回这里.ebx=A4306ECE
0040620D |. 5F pop edi ;1出栈
0040620E |. 13EA adc ebp, edx ;DEED263E+47EC11D3=126D93811(ebp)
00406210 |. 5E pop esi ;邮箱名出栈
00406211 |. 8BD5 mov edx, ebp ;edx=126D93811
00406213 |. 5D pop ebp ;邮箱名长度出栈
00406214 |. 8BC3 mov eax, ebx ;eax=ebx=A4306ECE
00406216 |. 5B pop ebx ;邮箱名出栈
00406217 \. C3 retn ;返回406146

复制代码

-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_4061DO(tEAX,tEDX,NUM2,NUM1)
  {
EmailStr1=邮箱名;
EmailLen1=邮箱名长度;
tEsi = 邮箱名;
tEdi = 1;
NUM1=邮箱名前8位字符逆序后的前四位字符的ASCALL值;
NUM2=邮箱名前8位字符逆序后的后四位字符的ASCALL值;
sub_406220(EmailStr1,EmailLen1,tEsi,tEdi,NUM2,NUM1);//返回edx,eax.
bSum1 = tEDX;
bSum2 = tEAX;
bSum3 = edx;
bSum4 = eax;
sub_416262(bSum1,bSum2,bSum3,bSum4); //返回edx,eax.
bSum5 = edx;
edx = edx xor edx
bSum1 = 1;
bSum2 = edx;
bSum6 = eax;
bSum3 = edx;
bSum6 = bSum6 + tEDX;
bSum4 = tEAX;
adc bSum5,edx;
sub_416262(bSum1,bSum2,bSum3,bSum4); //返回edx,eax.
bSum6 = bSum6 + eax;
adc bSum5,edx;
edx = bSum5;
eax = bSum6;
RETN edx/eax;
}
-------------------------------------------------------------------------------------------
   再继续F7跟入4061DE处的CALL(一样也是多处调用)
   004061DE  |.  E8 3D000000 call 00406220                   ;关键CALL F7跟入

00406220 /$ 8B4424 04 mov eax, dword ptr [esp+4] ;ylfh(ASCALL值796C6668)---> EAX
00406224 |. 8BC8 mov ecx, eax ;EAX---->ECX(即ECX=796C6668)
00406226 |. 56 push esi ;12e96c压栈(存的是邮箱名)
00406227 |. 8B7424 0C mov esi, dword ptr [esp+C] ;flow(ASCALL值666C6F77)----> ESI=666C6F77
0040622B |. 81E1 00000080 and ecx, 80000000 ;796C6668 AND 80000000 = ECX(00000000)
00406231 |. 57 push edi ;1压栈
00406232 |. 894C24 0C mov dword ptr [esp+C], ecx ;ecx--->[esp+c](12e918)
00406236 |. 8D0400 lea eax, dword ptr [eax+eax] ;eax=eax*2(796C6668*2=F2D8CCD0)
00406239 |. 74 03 je short 0040623E ;跳转实现
0040623B |. 83C8 01 or eax, 1
0040623E |> 8BCE mov ecx, esi ;666C6F77--->ecx
00406240 |. 83E1 01 and ecx, 1 ;ecx and 1(即ecx=1)
00406243 |. D1EE shr esi, 1 ;666C6F77 shr 1(即ESI = 333637BB)
00406245 |. 85C9 test ecx, ecx
00406247 |. 74 06 je short 0040624F ;跳转不实现
00406249 |. 81CE 00000080 or esi, 80000000 ;333637BB OR 80000000 = B33637BB(esi)
0040624F |> 8BC8 mov ecx, eax ;F2D8CCD0-->ecx
00406251 |. 81E1 00010000 and ecx, 100 ;F2D8CCD0 and 100 (ecx =0)
00406257 |. 25 FFFEFFFF and eax, FFFFFEFF ;F2D8CCD0 and FFFFFEFF (eax = F2D8CCD0)
0040625C |. F7C6 00000002 test esi, 2000000
00406262 |. 74 05 je short 00406269 ;跳转不实现
00406264 |. 0D 00010000 or eax, 100 ;F2D8CCD0 or 100 (eax = F2D8CDD0)
00406269 |> 81E6 FFFFFFFD and esi, FDFFFFFF ;B33637BB and FDFFFFFF (esi =B13637BB)
0040626F |. 85C9 test ecx, ecx
00406271 |. 74 06 je short 00406279 ;跳转实现
00406273 |. 81CE 00000002 or esi, 2000000
00406279 |> 6A 01 push 1 ;1入栈
0040627B |. 6A 00 push 0 ;0入栈
0040627D |. 6A 00 push 0 ;0入栈
0040627F |. 50 push eax ;F2D8CDD0入栈
00406280 |. E8 DBFF0000 call 00416260 ;关键CALL F7跟入
00406285 |. 8BC8 mov ecx, eax ;返回到此.ecx=0
00406287 |. 8BFA mov edi, edx ;edi=F2D8CDD0
00406289 |. B8 858E8F7D mov eax, 7D8F8E85 ;eax=7D8F8E85
0040628E |. 2BC1 sub eax, ecx ;eax-0=7D8F8E85
00406290 |. BA C3788DBA mov edx, BA8D78C3 ;edx=BA8D78C3
00406295 |. 1BD7 sbb edx, edi ;BA8D78C3-F2D8CDD0=FFFFFFFFC7B4AAF3(edx)
00406297 |. 33C9 xor ecx, ecx ;ecx=0
00406299 |. 2BC6 sub eax, esi ;7D8F8E85-B13637BB=FFFFFFFFCC5956CA(eax)
0040629B |. 5F pop edi ;1出栈
0040629C |. 1BD1 sbb edx, ecx ;FFFFFFFFC7B4AAF3-1=FFFFFFFFC7B4AAF2(edx)
0040629E |. 5E pop esi ;邮箱名出栈
0040629F \. C3 retn ;返回4061e3

复制代码

-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_406220(EmailStr1,EmailLen1,tEsi,tEdi,NUM2,NUM1)
{
   tNum1 = NUM2;
   tNum2 = NUM1;
   tNum1 = tNum1 and 80000000;
   NUM2  = NUM2 * 2;
   tNum2 = tNum2 and 1
   NUM1  = NUM1 shr 1;
   if (tNum2!=0)
      NUM1  = NUM1 or 80000000;
      tNum2 = NUM2;
      tNum2 = tNum2 and 100
      NUM2  = NUM2 and FFFFFEFF
      if (NUM1!=0)
         NUM2  = NUM2 or 100
         NUM1  = NUM1 and FDFFFFFF
         if (tNum2!=0)
            NUM1 = NUM1 or 20000000
            CALL 416260;
         else
            CALL 416260;
      else
         NUM1  = NUM1 and FDFFFFFF
         if (tNum2!=0)
            NUM1 = NUM1 or 20000000
            CALL 416260;
         else
            CALL 416260;
   else
      tNum2 = NUM2;
      tNum2 = tNum2 and 100
      NUM2  = NUM2 and FFFFFEFF
      if (NUM1!=0)
         NUM2  = NUM2 or 100
         NUM1  = NUM1 and FDFFFFFF
         if (tNum2!=0)
            NUM1 = NUM1 or 20000000
            CALL 416260;
         else
            CALL 416260;
      else
         NUM1  = NUM1 and FDFFFFFF
         if (tNum2!=0)
            NUM1 = NUM1 or 20000000
            CALL 416260;
         else
            CALL 416260;
   tNum2 = tSum1;
   tNum3 = tSum3;
   NUM2  = 7D8F8E85;
   NUM2  = NUM2 - tNum2;
   tNum4 = BA8D78C3;
   sbb tNum4,tNum3;
   tNum2 = tNum2 xor tNum2;
   sub NUM2,NUM1;
   sbb tNum4,tNum2;
   retn edx/eax;
}
-------------------------------------------------------------------------------------------
   继续F7跟入00406280的CALL(也是多处调用)
   00406280  |.  E8 DBFF0000 call 00416260                   ;关键CALL  F7跟入

00416260 /$ 8B4424 08 mov eax, dword ptr [esp+8] ;esp+8--->eax
00416264 |. 8B4C24 10 mov ecx, dword ptr [esp+10] ;esp+10--->ecx
00416268 |. 0BC8 or ecx, eax ;esp+10 or esp+8--->ecx
0041626A |. 8B4C24 0C mov ecx, dword ptr [esp+C] ;esp+c--->ecx
0041626E |. 75 09 jnz short 00416279 ;上面OR运算不相等变跳
00416279 |> 53 push ebx ;跳到这里。邮箱名压栈
0041627A |. F7E1 mul ecx ;ecx * eax (高16位放在EDX中,低16位放EAX中)
0041627C |. 8BD8 mov ebx, eax ;eax--->ebx(0)
0041627E |. 8B4424 08 mov eax, dword ptr [esp+8] ;eax=F2D8CDD0
00416282 |. F76424 14 mul dword ptr [esp+14] ;1*F2D8CDD0=eax
00416286 |. 03D8 add ebx, eax ;ebx=F2D8CDD0
00416288 |. 8B4424 08 mov eax, dword ptr [esp+8] ;eax=F2D8CDD0
0041628C |. F7E1 mul ecx ;0*F2D8CDD0=eax
0041628E |. 03D3 add edx, ebx ;edx=F2D8CDD0
00416290 |. 5B pop ebx ;邮箱名出栈
00416291 \. C2 1000 retn 10 ;返回406285

复制代码

-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_416260(sum1,sum2,sum3,sum4)
{
tSum1 = sum3;
tSum2 = sum1;
tSum2 = tSum2 or tSum1;
tSum2 = sum2;
mul tSum2,tSum1;
tSum3 = edx;
tSum1 = eax;
tSum4 = tSum1;
tSum1 = sum4;
mul dword ptr [esp+14],tSum1;
tSum3 = edx;
tSum1 = eax;
add tSum4,tSum1;
mul tSum2,tSum1;
add tSum3,tSum4;
retn tSum3/tSum1;
}
-------------------------------------------------------------------------------------------

再继续跟进
00406191 |. E8 0A010000 call 004062A0 ;关键CALL,F7进入

004062A0 /$ 8B5424 10 mov edx, dword ptr [esp+10] ;
....................................
00406300 |. 8B4424 14 mov eax, dword ptr [esp+14] ;eax=6D6F632E
00406304 |. 8B4C24 10 mov ecx, dword ptr [esp+10] ;ecx=67797040
00406308 |. 50 push eax ;6D6F632E压栈
00406309 |. 51 push ecx ;67797040压栈
0040630A |. E8 61000000 call 00406370 ;关键CALL,将字符串逆序输出ASCALL值
0040630F |. 52 push edx ;40707967压栈
00406310 |. 8B5424 2C mov edx, dword ptr [esp+2C] ;edx=C744BEOF
00406314 |. 50 push eax ;2E636F6D压栈
00406315 |. 8B4424 2C mov eax, dword ptr [esp+2C] ;eax=C7E38780
00406319 |. 52 push edx ;C744BEOF压栈
0040631A |. 50 push eax ;6A1B4395压栈
0040631B |. E8 B0FEFFFF call 004061D0 ;关键CALL,F7(eax=AA75349,edx=60CFF171)
00406320 |. 83C4 18 add esp, 18
00406323 |. 8BF0 mov esi, eax ;ESI=AA75349
00406325 |. 8BFA mov edi, edx ;EDI=60CFF171
00406327 |. 83EB 08 sub ebx, 8
0040632A |. EB 08 jmp short 00406334
0040632C |> 8B7C24 20 mov edi, dword ptr [esp+20]
00406330 |. 8B7424 1C mov esi, dword ptr [esp+1C]
00406334 |> 3BEB cmp ebp, ebx ;EBP-EBX
00406336 |. 77 23 ja short 0040635B ;高于则跳
00406338 |> 8B4B 04 /mov ecx, dword ptr [ebx+4] ;ecx=666C6F77
0040633B |. 8B13 |mov edx, dword ptr [ebx] ;edx=796C6668
0040633D |. 51 |push ecx ;666C6F77(压栈)
0040633E |. 52 |push edx ;796C6668(压栈)
0040633F |. E8 2C000000 |call 00406370 ;关键CALL,F7进入(eax=776F6C66,ed=68666C79)
00406344 |. 52 |push edx ;68666C79压栈
00406345 |. 50 |push eax ;776F6C66压栈
00406346 |. 57 |push edi ;60CFF171压栈
00406347 |. 56 |push esi ;AA75349压栈
00406348 |. E8 83FEFFFF |call 004061D0 ;关键CALL F7(eax=2E63C942,edx=4F119BDB)
0040634D |. 83EB 08 |sub ebx, 8 ;EBX=12E964
00406350 |. 83C4 18 |add esp, 18 ;ESP=12E918
00406353 |. 3BDD |cmp ebx, ebp ;EBX-EBP(12E964-12E96C)
00406355 |. 8BF0 |mov esi, eax ;ESI=2E63C942
00406357 |. 8BFA |mov edi, edx ;EDI=4F119BDB
00406359 |.^ 73 DD \jnb short 00406338 ;不低于就跳
0040635B |> 8BD7 mov edx, edi ;edx=4F119BDB
0040635E |. 8BC6 mov eax, esi ;eax=2E63C942
00406366 \. C3 retn ;返回406196

复制代码

-------------------------------------------------------------------------------------------
用代码简单说一下以上函数的功能:
sub_4062A0(tebp,tebx,tedx,teax)
{
edx=(邮箱名长度);
eax = edx+7;
eax = eax shr 3;
ebp = 邮箱名地址;
ebx = ebp+eax*8-8;
ecx = 邮箱名地址;
ecx = ecx-ebx;
ecx = ecx+edx;
eax = eax xor eax;
if (ecx-eax>0)
   {
   eax =邮箱名第1+(i-1)*8位到第i*8位位字符逆序后的前4位字符的ASCALL值;
   ecx =邮箱名第1+(i-1)*8位到第i*8位位字符逆序后的后4位字符的ASCALL值;
   sub_406370(eax,ecx) //返回EAX对应的字符串逆序后的ASCALL值,edx对应的字符串逆序后的ASCALL值
   lNum1 = tedx;
   lNum2 = teax;
   sub_4061DO(edx,eax,lNum1,lNum2)//返回edx=60CFF171,eax=AA75349.
   esi = eax;
   edi = edx;
   ebx = ebx-8//邮箱名地址。
   }
else
   {
   edi = tedx;
   esi = teax;
   }
if(ebp-ebx<=0)
   {
      i=1
      do
      {
         edx = 邮箱名第1+(i-1)*4位到第i*4位字符的ASCALL值；
         eax = 邮箱名第1+i*4位到第(i+1)*4位字符的ASCALL值；
         sub_4061D0(edx,eax,edi,esi)；//返回edx=4F119BDB,eax=2E63C942
         ebx = ebx-8;
         esi = eax;
         edi = edx;
      }
      while(ebx-ebp>=0)
      {
         i= i+1;
      }
   }
edx = edi;
eax = esi;
retn edx/eax;
}
-------------------------------------------------------------------------------------------
  以上的分析就是call 004060F0的内容了.
  此时返回的值为
  eax=B2E63C942
  edx=4F119BDB
[/code]
00406498  |.  8BDA       mov    ebx, edx                      ;返回这里.ebx=4F119BDB
0040649A  |.  6A 21       push 21                            ;21入栈
0040649C  |.  8D55 B0    lea    edx, dword ptr [ebp-50]       ;edx=12e984
0040649F  |.  52          push edx                            ;12e984入栈
004064A0  |.  8BF8       mov    edi, eax                      ;edi=2E63C942
004064A2  |.  53          push ebx                            ;4F119BDB入栈
004064A3  |.  57          push edi                            ;2E63C942入栈
004064A4  |.  FF15 64814100 call dword ptr [<&MSVCRT._ui64tow>] ;将整数转换成ASCALL值
[/code]

我们F7跟进004064A4的CALL...
004064A4  |.  FF15 64814100 call dword ptr [<&MSVCRT._ui64tow>] ;将整数转换成ASCALL值

77BEC4C1 > 8BFF mov edi, edi ;edi=2E63C942
77BEC4C3 55 push ebp ;ebp入栈
77BEC4C4 8BEC mov ebp, esp ;ebp=esp
77BEC4C6 8B45 10 mov eax, dword ptr [ebp+10] ;eax=
77BEC4C9 6A 00 push 0 ;0入栈
77BEC4CB FF75 14 push dword ptr [ebp+14] ;21入栈
77BEC4CE FF75 0C push dword ptr [ebp+C] ;4F119BDB入栈
77BEC4D1 FF75 08 push dword ptr [ebp+8] ;2E63C942入栈
77BEC4D4 E8 33FFFFFF call 77BEC40C ;关键CALL进入
77BEC4D9 8B45 10 mov eax, dword ptr [ebp+10]
77BEC4DC 5D pop ebp
77BEC4DD C3 retn

复制代码

-------------------------------------------------------------------------------
上在的CALL大概意思就是
sub_ui64tow(0,21,eax,ebx)
{  //eax=B2E63C942
//edx=4F119BDB
while(eax=0 || ebx=0)
{
   tmp1 = edx;
   tmp2 = eax;
   eax = edx;
   eax = eax / 21;
   ebx = eax;
   eax = tmp2;
   eax = eax / 21;
   esi = eax;
   edx = tmp2;
   edx = edx % 21;
   eax = ebx;
   eax = eax * 21;
   ecx = eax;
   eax = esi;
   eax = eax * 21;
   edx = edx + ecx
   eax = eax -tmp1;
   sbb edx,tmp2; edx =
   neg edx; //edx按位求反再加上CF标志位值
   neg eax; //eax按位求反再加上CF标志位值
   sbb edx,0;
   ecx = edx;
   edx = ebx;
   ebx = ecx;
   ecx = eax;
   eax = esi;
   if(ecx-9<=0)
      {ecx = ecx+30;
      CodeStr = CodeStr & itoa(ecx)}
   else
      {
      ecx = ecx+57
      CodeStr = CodeStr & itoa(ecx)
      }
   }

例如:
eax=4F119BDB / 21 =26561D0
edx=B2E63C942 / 21 =56BD34A4
ecx =B2E63C942 % 21 = 1E
1E-9=15>0
1E+57=75(u)
经过以上循环.
CodeStr = "3do0n4ka1wt5u"

-----------------------------------------------------------------------------------------------

004064AA |. 8D45 B0 lea eax, dword ptr [ebp-50]
004064AD |. 50 push eax
004064AE |. E8 6D000000 call 00406520 ;对字串前两位分析进行处理(谢谢nietsme
兄弟的指出错误)

复制代码

经过call 00406520 后
CodeStr = "do0n4ka1wt5u"

004064C2 |> 8BCA /mov ecx, edx
004064C4 |. 81E1 FFFF0000 |and ecx, 0FFFF
004064CA |. 83F9 69 |cmp ecx, 69 ; Switch (cases 69..6F)
004064CD |. 74 18 |je short 004064E7
004064CF |. 83F9 6C |cmp ecx, 6C
004064D2 |. 74 0C |je short 004064E0
004064D4 |. 83F9 6F |cmp ecx, 6F
004064D7 |. 75 13 |jnz short 004064EC
004064D9 |. BA 7A000000 |mov edx, 7A ; Case 6F ('o') of switch 004064CA
004064DE |. EB 0C |jmp short 004064EC
004064E0 |> BA 79000000 |mov edx, 79 ; Case 6C ('l') of switch 004064CA
004064E5 |. EB 05 |jmp short 004064EC
004064E7 |> BA 78000000 |mov edx, 78 ; Case 69 ('i') of switch 004064CA
004064EC |> 66:8916 |mov word ptr [esi], dx ; Default case of switch 004064CA
004064EF |. 66:8B56 02 |mov dx, word ptr [esi+2]
004064F3 |. 83C6 02 |add esi, 2
004064F6 |. 66:85D2 |test dx, dx
004064F9 |.^ 75 C7 \jnz short 004064C2
.....省略N行
00406516 \. C3 retn

复制代码

以上这段循环的意思如下:
   如果字符串的字符的ASCALL值等于69(i)就换成78(x)
   如果是6C(l)就换成79(y)
   如果是6F(o)就换成7A(z)
   例如:CodeStr = "do0n4ka1wt5u"
   第二位的字符为o(6F)所以要转换成z(7A)
   CodeStr = "dz0n4ka1wt5u"

所以注册码为"dz0n4ka1wt5u"

:loveliness: /:013 /:013 水平有限...只能成这样子了.好像有点烦琐...../:010 /:010 /:010

BTW:谢谢nietsme 兄指出错误之处...粗心了,应该再耐心一点点...

[ 本帖最后由 hflywolf 于 2008-9-12 01:45 编辑 ]

孤漂江湖狼 · 发表于 2008-9-11 18:30:02

楼上很强悍，学习了/:good

hflywolf · 发表于 2008-9-11 18:40:03

原帖由 孤漂江湖狼 于 2008-9-11 18:30 发表
楼上很强悍，学习了/:good

/:L /:L /:L

自已分析出来好明了的.没想将流程分析写出来却这么烦琐...
也不知道说的是否明了....
表达能力+文字功底太差....
只能凑合着看吧...

/:017 /:017 /:017

瀚海雄风 · 发表于 2008-9-11 20:10:05

强悍，我跟了好久都没结果。谢谢楼上！

nietsme · 发表于 2008-9-11 20:25:20

原帖由 hflywolf 于 2008-9-11 18:25 发表
/:L /:L /:L
   终于把算法流程搞出来了....
   简单分析下吧........
   邮箱名:hflywolf@pyg.com
   注册码:12345678900040C810  /$  81EC 1C080000 sub    esp, 81C             ;在这下断,输入 ...

这位好强悍，我搞了很久才搞出冰山一角，我要继续努力努力努力努力努力努力~~~

llh001 · 发表于 2008-9-11 20:34:56

还是15楼强，服了你了！看来学算法必须有点耐心。

		自动登录	找回密码
密码			加入我们

[讨论] 【小游戏】简单的软件练手（9楼、15楼已给出算法分析）

评分

我的-----KEY

评分

评分