菜鸟学注册机编写之 “sha1”

1. 首先运行程序随便输入用户与注册码如下图所示:

2.将程序载入OD, 下MessageBoxA函数断点, F9运行程序, 程序运行后随便输入用户名与注册码,点"OK"后断下，F8一直走，就会看出如下的代码，我们在函数开头下好断点。(或者直接搜索字符串 "Thank you for registration!"，也能快速定位到这里)

 1 0041B190          55              push ebp
 2 0041B191          8BEC            mov ebp,esp
 3 0041B193          6A FF           push -0x1
 4 0041B195          68 9B555900     push dvdiphon.0059559B
 5 0041B19A          64:A1 00000000  mov eax,dword ptr fs:[0]
 6 0041B1A0          50              push eax
 7 0041B1A1          81EC 98010000   sub esp,0x198
 8 0041B1A7          A1 F8E66000     mov eax,dword ptr ds:[0x60E6F8]
 9 0041B1AC          33C5            xor eax,ebp
10 0041B1AE          8985 68FFFFFF   mov dword ptr ss:[ebp-0x98],eax
11 0041B1B4          50              push eax
12 0041B1B5          8D45 F4         lea eax,dword ptr ss:[ebp-0xC]
13 0041B1B8          64:A3 00000000  mov dword ptr fs:[0],eax
14 0041B1BE          898D 60FEFFFF   mov dword ptr ss:[ebp-0x1A0],ecx
15 0041B1C4          C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
16 0041B1CB          6A 00           push 0x0
17 0041B1CD          8D8D 6CFFFFFF   lea ecx,dword ptr ss:[ebp-0x94]
18 0041B1D3          E8 38B1FEFF     call dvdiphon.00406310
19 0041B1D8          C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
20 0041B1DF          8D8D 6CFFFFFF   lea ecx,dword ptr ss:[ebp-0x94]
21 0041B1E5          E8 04570400     call dvdiphon.004608EE
22 0041B1EA          8945 F0         mov dword ptr ss:[ebp-0x10],eax
23 0041B1ED          837D F0 01      cmp dword ptr ss:[ebp-0x10],0x1
24 0041B1F1          0F85 F6000000   jnz dvdiphon.0041B2ED
25 0041B1F7          8D8D 6CFFFFFF   lea ecx,dword ptr ss:[ebp-0x94]
26 0041B1FD          E8 9ED6FFFF     call dvdiphon.004188A0
27 0041B202          50              push eax
28 0041B203          8B8D 60FEFFFF   mov ecx,dword ptr ss:[ebp-0x1A0]
29 0041B209          81C1 CCDC0200   add ecx,0x2DCCC
30 0041B20F          E8 7C90FEFF     call dvdiphon.00404290
31 0041B214          8D8D 6CFFFFFF   lea ecx,dword ptr ss:[ebp-0x94]
32 0041B21A          E8 A1D6FFFF     call dvdiphon.004188C0
33 0041B21F          50              push eax
34 0041B220          8B8D 60FEFFFF   mov ecx,dword ptr ss:[ebp-0x1A0]
35 0041B226          81C1 D0DC0200   add ecx,0x2DCD0
36 0041B22C          E8 5F90FEFF     call dvdiphon.00404290
37 0041B231          8B8D 60FEFFFF   mov ecx,dword ptr ss:[ebp-0x1A0]
38 0041B237          81C1 D0DC0200   add ecx,0x2DCD0
39 0041B23D          E8 3E470200     call dvdiphon.0043F980                ; 注册码
40 0041B242          50              push eax
41 0041B243          8B8D 60FEFFFF   mov ecx,dword ptr ss:[ebp-0x1A0]
42 0041B249          81C1 CCDC0200   add ecx,0x2DCCC
43 0041B24F          E8 2C470200     call dvdiphon.0043F980                ; 用户名
44 0041B254          50              push eax
45 0041B255          E8 C6FCFFFF     call dvdiphon.0041AF20
46 0041B25A          83C4 08         add esp,0x8
47 0041B25D          8B85 60FEFFFF   mov eax,dword ptr ss:[ebp-0x1A0]
48 0041B263          C780 D4DC0200 0>mov dword ptr ds:[eax+0x2DCD4],0x1
49 0041B26D          68 00010000     push 0x100
50 0041B272          6A 00           push 0x0
51 0041B274          8D8D 64FEFFFF   lea ecx,dword ptr ss:[ebp-0x19C]
52 0041B27A          51              push ecx
53 0041B27B          E8 F00B1500     call dvdiphon.0056BE70
54 0041B280          83C4 0C         add esp,0xC
55 0041B283          B9 481E6200     mov ecx,dvdiphon.00621E48             ; tK^
56 0041B288          E8 63BBFFFF     call dvdiphon.00416DF0
57 0041B28D          8985 5CFEFFFF   mov dword ptr ss:[ebp-0x1A4],eax
58 0041B293          8B95 5CFEFFFF   mov edx,dword ptr ss:[ebp-0x1A4]
59 0041B299          8B02            mov eax,dword ptr ds:[edx]
60 0041B29B          8B8D 5CFEFFFF   mov ecx,dword ptr ss:[ebp-0x1A4]
61 0041B2A1          8B50 18         mov edx,dword ptr ds:[eax+0x18]
62 0041B2A4          FFD2            call edx
63 0041B2A6          8BC8            mov ecx,eax
64 0041B2A8          E8 E398FFFF     call dvdiphon.00414B90
65 0041B2AD          50              push eax
66 0041B2AE          68 988C5D00     push dvdiphon.005D8C98                ; Thank you for registration!\r\n%s will verify\r\nthe registration  
67 information after you restart it.
68 0041B2B3          68 FF000000     push 0xFF
69 0041B2B8          8D85 64FEFFFF   lea eax,dword ptr ss:[ebp-0x19C]
70 0041B2BE          50              push eax
71 0041B2BF          E8 A9FB1400     call dvdiphon.0056AE6D
72 0041B2C4          83C4 10         add esp,0x10
73 0041B2C7          6A 00           push 0x0
74 0041B2C9          8D8D 64FEFFFF   lea ecx,dword ptr ss:[ebp-0x19C]
75 0041B2CF          51              push ecx
76 0041B2D0          8B8D 60FEFFFF   mov ecx,dword ptr ss:[ebp-0x1A0]
77 0041B2D6          81C1 F8030000   add ecx,0x3F8
78 0041B2DC          8B95 60FEFFFF   mov edx,dword ptr ss:[ebp-0x1A0]
79 0041B2E2          8B82 F8030000   mov eax,dword ptr ds:[edx+0x3F8]
80 0041B2E8          8B50 28         mov edx,dword ptr ds:[eax+0x28]
81 0041B2EB          FFD2            call edx
82 0041B2ED          C745 FC FFFFFFF>mov dword ptr ss:[ebp-0x4],-0x1
83 0041B2F4          8D8D 6CFFFFFF   lea ecx,dword ptr ss:[ebp-0x94]
84 0041B2FA          E8 D1B0FEFF     call dvdiphon.004063D0
85 0041B2FF          8B4D F4         mov ecx,dword ptr ss:[ebp-0xC]
86 0041B302          64:890D 0000000>mov dword ptr fs:[0],ecx
87 0041B309          59              pop ecx
88 0041B30A          8B8D 68FFFFFF   mov ecx,dword ptr ss:[ebp-0x98]
89 0041B310          33CD            xor ecx,ebp
90 0041B312          E8 F4E31400     call dvdiphon.0056970B
91 0041B317          8BE5            mov esp,ebp
92 0041B319          5D              pop ebp
93 0041B31A          C3              retn

3. 重新加载程序，F9运行程序随便输入用户名与注册码。点击"OK"程序就会被断下。

获得用户名与注册码。

1 用户名 test
2 注册码 123456789abcdefghijklmnopqlstuvwxyztrwm
3 
4 0041B23D E8 3E470200 call dvdiphon.0043F980 ; 注册码
5 0041B242 50 push eax
6 0041B243 8B8D 60FEFFFF mov ecx,dword ptr ss:[ebp-0x1A0]
7 0041B249 81C1 CCDC0200 add ecx,0x2DCCC
8 0041B24F E8 2C470200 call dvdiphon.0043F980 ; 用户名

4.加密注册码

 1 0041B0C4    83C4 0C         add esp,0xC
 2 0041B0C7    8D8D 54FFFFFF   lea ecx,dword ptr ss:[ebp-0xAC]
 3 0041B0CD    898D 50FFFFFF   mov dword ptr ss:[ebp-0xB0],ecx
 4 0041B0D3    8B95 50FFFFFF   mov edx,dword ptr ss:[ebp-0xB0]
 5 0041B0D9    0FBE02          movsx eax,byte ptr ds:[edx]
 6 0041B0DC    85C0            test eax,eax
 7 0041B0DE    74 25           je short dvdiphon.0041B105
 8 0041B0E0    8B8D 50FFFFFF   mov ecx,dword ptr ss:[ebp-0xB0]          ; 加密注册码
 9 0041B0E6    0FBE11          movsx edx,byte ptr ds:[ecx]
10 0041B0E9    83EA 19         sub edx,0x19                             ; 减0x19
11 0041B0EC    8B85 50FFFFFF   mov eax,dword ptr ss:[ebp-0xB0]
12 0041B0F2    8810            mov byte ptr ds:[eax],dl                 ; 存放减后的值
13 0041B0F4    8B8D 50FFFFFF   mov ecx,dword ptr ss:[ebp-0xB0]
14 0041B0FA    83C1 01         add ecx,0x1
15 0041B0FD    898D 50FFFFFF   mov dword ptr ss:[ebp-0xB0],ecx
16 0041B103  ^ EB CE           jmp short dvdiphon.0041B0D3
17 0041B105    33D2            xor edx,edx
18 0041B107  ^ 75 BE           jnz short dvdiphon.0041B0C7
19 0041B109    B9 481E6200     mov ecx,dvdiphon.00621E48                ; tK^
20 
21 加密前
22 123456789abcdefghijklmnopqlstuvwxyztrwm
23 
24 加密后的值
25 
26 18 19 1A 1B 1C 1D 1E 1F 20 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 53 5A 5B 5C 5D 5E
27 5F 60 61 5B 59 5E 54

5.将上面加密后的注册码写入注册表中(CLSID\{D2D219BC-BCE8-4249-8636-DE8BEFCD28C3}\ProgID)提示重启。

1 0012F8B0   004402B9  /CALL 到 RegSetValueExA 来自 dvdiphon.004402B3
2 0012F8B4   00000166  |hKey = 0x166
3 0012F8B8   00F979F8  |ValueName = "1"
4 0012F8BC   00000000  |Reserved = 0x0
5 0012F8C0   00000003  |ValueType = REG_BINARY
6 0012F8C4   0012F920  |Buffer = 0012F920
7 0012F8C8   00000027  \BufSize = 27 (39.)

6.明显的重启验证型式的,我们下好操作注册表的api函数，重启软件F9运行

打开存放加密后注册码的注册表键值

 1 0012FA34   0044005F  /CALL 到 RegCreateKeyExA 来自 dvdiphon.00440059
 2 0012FA38   80000000  |hKey = HKEY_CLASSES_ROOT
 3 0012FA3C   00E67300  |Subkey = "CLSID\{D2D219BC-BCE8-4249-8636-DE8BEFCD28C3}\ProgID"
 4 0012FA40   00000000  |Reserved = 0x0
 5 0012FA44   00000000  |Class = NULL
 6 0012FA48   00000000  |Options = REG_OPTION_NON_VOLATILE
 7 0012FA4C   0002003F  |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_CREATE_LINK|20000
 8 0012FA50   00000000  |pSecurity = NULL
 9 0012FA54   0012FB94  |pHandle = 0012FB94
10 0012FA58   0012FA68  \pDisposition = 0012FA68

查找CLSID\{D2D219BC-BCE8-4249-8636-DE8BEFCD28C3}\ProgID中的"1"是否存在

1 0012FA5C   00440309  /CALL 到 RegQueryValueExA 来自 dvdiphon.00440303
2 0012FA60   000000A6  |hKey = 0xA6
3 0012FA64   00E67350  |ValueName = "1"
4 0012FA68   00000000  |Reserved = NULL
5 0012FA6C   0012FA8C  |pValueType = 0012FA8C
6 0012FA70   00000000  |Buffer = NULL
7 0012FA74   0012FA88  \pBufSize = 0012FA88

获取"1"中的值 (加密后的注册码)

1 0012FA5C   0044035D  /CALL 到 RegQueryValueExA 来自 dvdiphon.00440357
2 0012FA60   000000A6  |hKey = 0xA6
3 0012FA64   00E67350  |ValueName = "1"
4 0012FA68   00000000  |Reserved = NULL
5 0012FA6C   00000000  |pValueType = NULL
6 0012FA70   00E67360  |Buffer = 00E67360
7 0012FA74   0012FA88  \pBufSize = 0012FA88

获取的的值
18 19 1A 1B 1C 1D 1E 1F 20 17 18 19 1A 1B 1C 1D 1E 1F 20 17 18 19 1A 1B 1C 1D 1E 1F 20 17 18 19
1A 1B 1C 1D 1E 1F 20

7.解密从注册表读取出来的注册码

 1 00417F2D   /0F84 70020000         je dvdiphon.004181A3
 2 00417F33   |C785 6CFFFFFF 0000000>mov dword ptr ss:[ebp-0x94],0x0
 3 00417F3D   |8D4D 84               lea ecx,dword ptr ss:[ebp-0x7C]
 4 00417F40   |898D B0FEFFFF         mov dword ptr ss:[ebp-0x150],ecx
 5 00417F46   |8B95 B0FEFFFF         mov edx,dword ptr ss:[ebp-0x150]
 6 00417F4C   |0FBE02                movsx eax,byte ptr ds:[edx]
 7 00417F4F   |85C0                  test eax,eax        ;判断是否为空
 8 00417F51   |74 25                 je short dvdiphon.00417F78
 9 00417F53   |8B8D B0FEFFFF         mov ecx,dword ptr ss:[ebp-0x150]
10 00417F59   |0FBE11                movsx edx,byte ptr ds:[ecx]              ; 获得加密后的注册码1字节
11 00417F5C   |83C2 19               add edx,0x19                             ; 解密注册码(加上0x19)
12 00417F5F   |8B85 B0FEFFFF         mov eax,dword ptr ss:[ebp-0x150]
13 00417F65   |8810                  mov byte ptr ds:[eax],dl                 ; 存放
14 00417F67   |8B8D B0FEFFFF         mov ecx,dword ptr ss:[ebp-0x150]
15 00417F6D   |83C1 01               add ecx,0x1
16 00417F70   |898D B0FEFFFF         mov dword ptr ss:[ebp-0x150],ecx
17 00417F76  ^|EB CE                 jmp short dvdiphon.00417F46
18 00417F78   |33D2                  xor edx,edx                              ; 完成
19 00417F7A  ^|75 C1                 jnz short dvdiphon.00417F3D

解密后

31 32 33 34 35 36 37 38 39 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 6C 73 74 75 76 77
78 79 7A 74 72 77 6D

8.将解密后的注册码分组,(其中第1组参与注册码计算,第2组为真实的注册码)

1 00418079              E8 B2FAFFFF                             call dvdiphon.00417B30                   ; 将长度为0x27的注册码 分成2组
具体算法如下:

  1 00417B30                 55                                 push ebp
  2 00417B31                 8BEC                               mov ebp,esp
  3 00417B33                 83EC 10                            sub esp,0x10
  4 00417B36                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0
  5 00417B3D                 C745 F8 00000000                   mov dword ptr ss:[ebp-0x8],0x0
  6 00417B44                 C745 F0 00000000                   mov dword ptr ss:[ebp-0x10],0x0
  7 00417B4B                 C745 F4 00000000                   mov dword ptr ss:[ebp-0xC],0x0
  8 00417B52                 837D 0C 27                         cmp dword ptr ss:[ebp+0xC],0x27     ;判断注册码长度是否为0x27
  9 00417B56                 74 07                              je short dvdiphon.00417B5F
 10 00417B58                 33C0                               xor eax,eax
 11 00417B5A                 E9 E8020000                        jmp dvdiphon.00417E47
 12 00417B5F                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0
 13 00417B66                 EB 1B                              jmp short dvdiphon.00417B83
 14 00417B68                 8B45 FC                            mov eax,dword ptr ss:[ebp-0x4]
 15 00417B6B                 83C0 01                            add eax,0x1                                      ; 计数加1
 16 00417B6E                 8945 FC                            mov dword ptr ss:[ebp-0x4],eax
 17 00417B71                 8B4D F8                            mov ecx,dword ptr ss:[ebp-0x8]
 18 00417B74                 83C1 01                            add ecx,0x1                                      ; 计数加1
 19 00417B77                 894D F8                            mov dword ptr ss:[ebp-0x8],ecx
 20 00417B7A                 8B55 F0                            mov edx,dword ptr ss:[ebp-0x10]
 21 00417B7D                 83C2 01                            add edx,0x1                                      ; 计数加1
 22 00417B80                 8955 F0                            mov dword ptr ss:[ebp-0x10],edx
 23 00417B83                 837D FC 03                         cmp dword ptr ss:[ebp-0x4],0x3                   ; 判断计数是否大于等于3
 24 00417B87                 7D 12                              jge short dvdiphon.00417B9B
 25 00417B89                 8B45 10                            mov eax,dword ptr ss:[ebp+0x10]                  ; 存放第1组注册码首地址
 26 00417B8C                 0345 F0                            add eax,dword ptr ss:[ebp-0x10]                  ; 存放第1组注册码首地址加上计数
 27 00417B8F                 8B4D 08                            mov ecx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
 28 00417B92                 034D F8                            add ecx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
 29 00417B95                 8A11                               mov dl,byte ptr ds:[ecx]                         ; 取注册码
 30 00417B97                 8810                               mov byte ptr ds:[eax],dl                         ; 存放
 31 00417B99               ^ EB CD                              jmp short dvdiphon.00417B68
 32 00417B9B                 8B45 F8                            mov eax,dword ptr ss:[ebp-0x8]                   ; 取计数值
 33 00417B9E                 83C0 01                            add eax,0x1                                      ; 计数加1
 34 00417BA1                 8945 F8                            mov dword ptr ss:[ebp-0x8],eax
 35 00417BA4                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
 36 00417BAB                 EB 1B                              jmp short dvdiphon.00417BC8
 37 00417BAD                 8B4D FC                            mov ecx,dword ptr ss:[ebp-0x4]
 38 00417BB0                 83C1 01                            add ecx,0x1                                      ; 计数加1
 39 00417BB3                 894D FC                            mov dword ptr ss:[ebp-0x4],ecx
 40 00417BB6                 8B55 F8                            mov edx,dword ptr ss:[ebp-0x8]
 41 00417BB9                 83C2 01                            add edx,0x1                                      ; 计数加1
 42 00417BBC                 8955 F8                            mov dword ptr ss:[ebp-0x8],edx
 43 00417BBF                 8B45 F4                            mov eax,dword ptr ss:[ebp-0xC]
 44 00417BC2                 83C0 01                            add eax,0x1                                      ; 计数加1
 45 00417BC5                 8945 F4                            mov dword ptr ss:[ebp-0xC],eax
 46 00417BC8                 837D FC 03                         cmp dword ptr ss:[ebp-0x4],0x3                   ; 判断计数是否大于等于3
 47 00417BCC                 7D 12                              jge short dvdiphon.00417BE0
 48 00417BCE                 8B4D 18                            mov ecx,dword ptr ss:[ebp+0x18]                  ; 存放第2组注册码首地址
 49 00417BD1                 034D F4                            add ecx,dword ptr ss:[ebp-0xC]                   ; 存放第2组注册码首地址加上计数
 50 00417BD4                 8B55 08                            mov edx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
 51 00417BD7                 0355 F8                            add edx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
 52 00417BDA                 8A02                               mov al,byte ptr ds:[edx]                         ; 取注册码
 53 00417BDC                 8801                               mov byte ptr ds:[ecx],al                         ; 存放
 54 00417BDE               ^ EB CD                              jmp short dvdiphon.00417BAD
 55 00417BE0                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
 56 00417BE7                 EB 1B                              jmp short dvdiphon.00417C04
 57 00417BE9                 8B4D FC                            mov ecx,dword ptr ss:[ebp-0x4]
 58 00417BEC                 83C1 01                            add ecx,0x1                                      ; 计数加1
 59 00417BEF                 894D FC                            mov dword ptr ss:[ebp-0x4],ecx
 60 00417BF2                 8B55 F8                            mov edx,dword ptr ss:[ebp-0x8]
 61 00417BF5                 83C2 01                            add edx,0x1                                      ; 计数加1
 62 00417BF8                 8955 F8                            mov dword ptr ss:[ebp-0x8],edx
 63 00417BFB                 8B45 F0                            mov eax,dword ptr ss:[ebp-0x10]
 64 00417BFE                 83C0 01                            add eax,0x1                                      ; 计数加1
 65 00417C01                 8945 F0                            mov dword ptr ss:[ebp-0x10],eax
 66 00417C04                 837D FC 02                         cmp dword ptr ss:[ebp-0x4],0x2                   ; 判断计数是否大于等于3
 67 00417C08                 7D 12                              jge short dvdiphon.00417C1C
 68 00417C0A                 8B4D 10                            mov ecx,dword ptr ss:[ebp+0x10]                  ; 存放第1组注册码首地址
 69 00417C0D                 034D F0                            add ecx,dword ptr ss:[ebp-0x10]                  ; 存放第1组注册码首地址加上计数
 70 00417C10                 8B55 08                            mov edx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
 71 00417C13                 0355 F8                            add edx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
 72 00417C16                 8A02                               mov al,byte ptr ds:[edx]                         ; 取注册码
 73 00417C18                 8801                               mov byte ptr ds:[ecx],al                         ; 存放
 74 00417C1A               ^ EB CD                              jmp short dvdiphon.00417BE9
 75 00417C1C                 8B4D F8                            mov ecx,dword ptr ss:[ebp-0x8]                   ; 取计数值
 76 00417C1F                 83C1 01                            add ecx,0x1                                      ; 计数值加1
 77 00417C22                 894D F8                            mov dword ptr ss:[ebp-0x8],ecx
 78 00417C25                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
 79 00417C2C                 EB 1B                              jmp short dvdiphon.00417C49
 80 00417C2E                 8B55 FC                            mov edx,dword ptr ss:[ebp-0x4]
 81 00417C31                 83C2 01                            add edx,0x1                                      ; 计数值加1
 82 00417C34                 8955 FC                            mov dword ptr ss:[ebp-0x4],edx
 83 00417C37                 8B45 F8                            mov eax,dword ptr ss:[ebp-0x8]
 84 00417C3A                 83C0 01                            add eax,0x1                                      ; 计数值加1
 85 00417C3D                 8945 F8                            mov dword ptr ss:[ebp-0x8],eax
 86 00417C40                 8B4D F4                            mov ecx,dword ptr ss:[ebp-0xC]
 87 00417C43                 83C1 01                            add ecx,0x1                                      ; 计数值加1
 88 00417C46                 894D F4                            mov dword ptr ss:[ebp-0xC],ecx
 89 00417C49                 837D FC 03                         cmp dword ptr ss:[ebp-0x4],0x3                   ; 判断计数是否大于等于3
 90 00417C4D                 7D 12                              jge short dvdiphon.00417C61
 91 00417C4F                 8B55 18                            mov edx,dword ptr ss:[ebp+0x18]                  ; 存放第2组注册码首地址
 92 00417C52                 0355 F4                            add edx,dword ptr ss:[ebp-0xC]                   ; 存放第2组注册码首地址加上计数
 93 00417C55                 8B45 08                            mov eax,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
 94 00417C58                 0345 F8                            add eax,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
 95 00417C5B                 8A08                               mov cl,byte ptr ds:[eax]                         ; 取注册码
 96 00417C5D                 880A                               mov byte ptr ds:[edx],cl                         ; 存放
 97 00417C5F               ^ EB CD                              jmp short dvdiphon.00417C2E
 98 00417C61                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
 99 00417C68                 EB 1B                              jmp short dvdiphon.00417C85
100 00417C6A                 8B55 FC                            mov edx,dword ptr ss:[ebp-0x4]
101 00417C6D                 83C2 01                            add edx,0x1                                      ; 计数值加1
102 00417C70                 8955 FC                            mov dword ptr ss:[ebp-0x4],edx
103 00417C73                 8B45 F8                            mov eax,dword ptr ss:[ebp-0x8]
104 00417C76                 83C0 01                            add eax,0x1                                      ; 计数值加1
105 00417C79                 8945 F8                            mov dword ptr ss:[ebp-0x8],eax
106 00417C7C                 8B4D F0                            mov ecx,dword ptr ss:[ebp-0x10]
107 00417C7F                 83C1 01                            add ecx,0x1                                      ; 计数值加1
108 00417C82                 894D F0                            mov dword ptr ss:[ebp-0x10],ecx
109 00417C85                 837D FC 02                         cmp dword ptr ss:[ebp-0x4],0x2                   ; 判断计数是否大于等于2
110 00417C89                 7D 12                              jge short dvdiphon.00417C9D
111 00417C8B                 8B55 10                            mov edx,dword ptr ss:[ebp+0x10]                  ; 存放第1组注册码首地址
112 00417C8E                 0355 F0                            add edx,dword ptr ss:[ebp-0x10]                  ; 存放第1组注册码首地址加上计数
113 00417C91                 8B45 08                            mov eax,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
114 00417C94                 0345 F8                            add eax,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
115 00417C97                 8A08                               mov cl,byte ptr ds:[eax]                         ; 取注册码
116 00417C99                 880A                               mov byte ptr ds:[edx],cl                         ; 存放
117 00417C9B               ^ EB CD                              jmp short dvdiphon.00417C6A
118 00417C9D                 8B55 F8                            mov edx,dword ptr ss:[ebp-0x8]                   ; 取计数值
119 00417CA0                 83C2 01                            add edx,0x1                                      ; 计数值加1
120 00417CA3                 8955 F8                            mov dword ptr ss:[ebp-0x8],edx
121 00417CA6                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
122 00417CAD                 EB 1B                              jmp short dvdiphon.00417CCA
123 00417CAF                 8B45 FC                            mov eax,dword ptr ss:[ebp-0x4]
124 00417CB2                 83C0 01                            add eax,0x1                                      ; 计数值加1
125 00417CB5                 8945 FC                            mov dword ptr ss:[ebp-0x4],eax
126 00417CB8                 8B4D F8                            mov ecx,dword ptr ss:[ebp-0x8]
127 00417CBB                 83C1 01                            add ecx,0x1                                      ; 计数值加1
128 00417CBE                 894D F8                            mov dword ptr ss:[ebp-0x8],ecx
129 00417CC1                 8B55 F4                            mov edx,dword ptr ss:[ebp-0xC]
130 00417CC4                 83C2 01                            add edx,0x1                                      ; 计数值加1
131 00417CC7                 8955 F4                            mov dword ptr ss:[ebp-0xC],edx
132 00417CCA                 837D FC 03                         cmp dword ptr ss:[ebp-0x4],0x3                   ; 判断计数是否大于等于3
133 00417CCE                 7D 12                              jge short dvdiphon.00417CE2
134 00417CD0                 8B45 18                            mov eax,dword ptr ss:[ebp+0x18]                  ; 存放第2组注册码首地址
135 00417CD3                 0345 F4                            add eax,dword ptr ss:[ebp-0xC]                   ; 存放第2组注册码首地址加上计数
136 00417CD6                 8B4D 08                            mov ecx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
137 00417CD9                 034D F8                            add ecx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
138 00417CDC                 8A11                               mov dl,byte ptr ds:[ecx]                         ; 取注册码
139 00417CDE                 8810                               mov byte ptr ds:[eax],dl                         ; 存放
140 00417CE0               ^ EB CD                              jmp short dvdiphon.00417CAF
141 00417CE2                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
142 00417CE9                 EB 1B                              jmp short dvdiphon.00417D06
143 00417CEB                 8B45 FC                            mov eax,dword ptr ss:[ebp-0x4]
144 00417CEE                 83C0 01                            add eax,0x1                                      ; 计数值加1
145 00417CF1                 8945 FC                            mov dword ptr ss:[ebp-0x4],eax
146 00417CF4                 8B4D F8                            mov ecx,dword ptr ss:[ebp-0x8]
147 00417CF7                 83C1 01                            add ecx,0x1                                      ; 计数值加1
148 00417CFA                 894D F8                            mov dword ptr ss:[ebp-0x8],ecx
149 00417CFD                 8B55 F0                            mov edx,dword ptr ss:[ebp-0x10]
150 00417D00                 83C2 01                            add edx,0x1                                      ; 计数值加1
151 00417D03                 8955 F0                            mov dword ptr ss:[ebp-0x10],edx
152 00417D06                 837D FC 02                         cmp dword ptr ss:[ebp-0x4],0x2                   ; 判断计数是否大于等于2
153 00417D0A                 7D 12                              jge short dvdiphon.00417D1E
154 00417D0C                 8B45 10                            mov eax,dword ptr ss:[ebp+0x10]                  ; 存放第1组注册码首地址
155 00417D0F                 0345 F0                            add eax,dword ptr ss:[ebp-0x10]                  ; 存放第1组注册码首地址加上计数
156 00417D12                 8B4D 08                            mov ecx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
157 00417D15                 034D F8                            add ecx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
158 00417D18                 8A11                               mov dl,byte ptr ds:[ecx]                         ; 取注册码
159 00417D1A                 8810                               mov byte ptr ds:[eax],dl                         ; 存放
160 00417D1C               ^ EB CD                              jmp short dvdiphon.00417CEB
161 00417D1E                 8B45 F8                            mov eax,dword ptr ss:[ebp-0x8]                   ; 取计数值
162 00417D21                 83C0 01                            add eax,0x1                                      ; 计数加1
163 00417D24                 8945 F8                            mov dword ptr ss:[ebp-0x8],eax
164 00417D27                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
165 00417D2E                 EB 1B                              jmp short dvdiphon.00417D4B
166 00417D30                 8B4D FC                            mov ecx,dword ptr ss:[ebp-0x4]
167 00417D33                 83C1 01                            add ecx,0x1                                      ; 计数加1
168 00417D36                 894D FC                            mov dword ptr ss:[ebp-0x4],ecx
169 00417D39                 8B55 F8                            mov edx,dword ptr ss:[ebp-0x8]
170 00417D3C                 83C2 01                            add edx,0x1                                      ; 计数加1
171 00417D3F                 8955 F8                            mov dword ptr ss:[ebp-0x8],edx
172 00417D42                 8B45 F4                            mov eax,dword ptr ss:[ebp-0xC]
173 00417D45                 83C0 01                            add eax,0x1                                      ; 计数加1
174 00417D48                 8945 F4                            mov dword ptr ss:[ebp-0xC],eax
175 00417D4B                 837D FC 03                         cmp dword ptr ss:[ebp-0x4],0x3                   ; 判断计数是否大于等于3
176 00417D4F                 7D 12                              jge short dvdiphon.00417D63
177 00417D51                 8B4D 18                            mov ecx,dword ptr ss:[ebp+0x18]                  ; 存放第2组注册码首地址
178 00417D54                 034D F4                            add ecx,dword ptr ss:[ebp-0xC]                   ; 存放第2组注册码首地址加上计数
179 00417D57                 8B55 08                            mov edx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
180 00417D5A                 0355 F8                            add edx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
181 00417D5D                 8A02                               mov al,byte ptr ds:[edx]                         ; 取注册码
182 00417D5F                 8801                               mov byte ptr ds:[ecx],al                         ; 存放
183 00417D61               ^ EB CD                              jmp short dvdiphon.00417D30
184 00417D63                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
185 00417D6A                 EB 1B                              jmp short dvdiphon.00417D87
186 00417D6C                 8B4D FC                            mov ecx,dword ptr ss:[ebp-0x4]
187 00417D6F                 83C1 01                            add ecx,0x1                                      ; 计数加1
188 00417D72                 894D FC                            mov dword ptr ss:[ebp-0x4],ecx
189 00417D75                 8B55 F8                            mov edx,dword ptr ss:[ebp-0x8]
190 00417D78                 83C2 01                            add edx,0x1                                      ; 计数加1
191 00417D7B                 8955 F8                            mov dword ptr ss:[ebp-0x8],edx
192 00417D7E                 8B45 F0                            mov eax,dword ptr ss:[ebp-0x10]
193 00417D81                 83C0 01                            add eax,0x1                                      ; 计数加1
194 00417D84                 8945 F0                            mov dword ptr ss:[ebp-0x10],eax
195 00417D87                 837D FC 02                         cmp dword ptr ss:[ebp-0x4],0x2                   ; 判断计数是否大于等于2
196 00417D8B                 7D 12                              jge short dvdiphon.00417D9F
197 00417D8D                 8B4D 10                            mov ecx,dword ptr ss:[ebp+0x10]                  ; 存放第1组注册码首地址
198 00417D90                 034D F0                            add ecx,dword ptr ss:[ebp-0x10]                  ; 存放第1组注册码首地址加上计数
199 00417D93                 8B55 08                            mov edx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
200 00417D96                 0355 F8                            add edx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
201 00417D99                 8A02                               mov al,byte ptr ds:[edx]                         ; 取注册码
202 00417D9B                 8801                               mov byte ptr ds:[ecx],al                         ; 存放
203 00417D9D               ^ EB CD                              jmp short dvdiphon.00417D6C
204 00417D9F                 8B4D F8                            mov ecx,dword ptr ss:[ebp-0x8]                   ; 取计数值
205 00417DA2                 83C1 01                            add ecx,0x1                                      ; 计数加1
206 00417DA5                 894D F8                            mov dword ptr ss:[ebp-0x8],ecx
207 00417DA8                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
208 00417DAF                 EB 1B                              jmp short dvdiphon.00417DCC
209 00417DB1                 8B55 FC                            mov edx,dword ptr ss:[ebp-0x4]
210 00417DB4                 83C2 01                            add edx,0x1                                      ; 计数加1
211 00417DB7                 8955 FC                            mov dword ptr ss:[ebp-0x4],edx
212 00417DBA                 8B45 F8                            mov eax,dword ptr ss:[ebp-0x8]
213 00417DBD                 83C0 01                            add eax,0x1                                      ; 计数加1
214 00417DC0                 8945 F8                            mov dword ptr ss:[ebp-0x8],eax
215 00417DC3                 8B4D F4                            mov ecx,dword ptr ss:[ebp-0xC]
216 00417DC6                 83C1 01                            add ecx,0x1                                      ; 计数加1
217 00417DC9                 894D F4                            mov dword ptr ss:[ebp-0xC],ecx
218 00417DCC                 837D FC 05                         cmp dword ptr ss:[ebp-0x4],0x5                   ; 判断计数是否大于等于5
219 00417DD0                 7D 12                              jge short dvdiphon.00417DE4
220 00417DD2                 8B55 18                            mov edx,dword ptr ss:[ebp+0x18]                  ; 存放第2组注册码首地址
221 00417DD5                 0355 F4                            add edx,dword ptr ss:[ebp-0xC]                   ; 存放第2组注册码首地址加上计数
222 00417DD8                 8B45 08                            mov eax,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
223 00417DDB                 0345 F8                            add eax,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
224 00417DDE                 8A08                               mov cl,byte ptr ds:[eax]                         ; 取注册码
225 00417DE0                 880A                               mov byte ptr ds:[edx],cl                         ; 存放
226 00417DE2               ^ EB CD                              jmp short dvdiphon.00417DB1
227 00417DE4                 8B55 F8                            mov edx,dword ptr ss:[ebp-0x8]                   ; 取计数值
228 00417DE7                 83C2 01                            add edx,0x1                                      ; 计数值加1
229 00417DEA                 8955 F8                            mov dword ptr ss:[ebp-0x8],edx
230 00417DED                 C745 FC 00000000                   mov dword ptr ss:[ebp-0x4],0x0                   ; 计数清0
231 00417DF4                 EB 1B                              jmp short dvdiphon.00417E11
232 00417DF6                 8B45 FC                            mov eax,dword ptr ss:[ebp-0x4]
233 00417DF9                 83C0 01                            add eax,0x1                                      ; 计数加1
234 00417DFC                 8945 FC                            mov dword ptr ss:[ebp-0x4],eax
235 00417DFF                 8B4D F8                            mov ecx,dword ptr ss:[ebp-0x8]
236 00417E02                 83C1 01                            add ecx,0x1                                      ; 计数加1
237 00417E05                 894D F8                            mov dword ptr ss:[ebp-0x8],ecx
238 00417E08                 8B55 F4                            mov edx,dword ptr ss:[ebp-0xC]
239 00417E0B                 83C2 01                            add edx,0x1                                      ; 计数加1
240 00417E0E                 8955 F4                            mov dword ptr ss:[ebp-0xC],edx
241 00417E11                 837D FC 05                         cmp dword ptr ss:[ebp-0x4],0x5                   ; 判断计数是否大于等于5
242 00417E15                 7D 12                              jge short dvdiphon.00417E29
243 00417E17                 8B45 18                            mov eax,dword ptr ss:[ebp+0x18]                  ; 存放第2组注册码首地址
244 00417E1A                 0345 F4                            add eax,dword ptr ss:[ebp-0xC]                   ; 存放第2组注册码首地址加上计数
245 00417E1D                 8B4D 08                            mov ecx,dword ptr ss:[ebp+0x8]                   ; 注册码首地址
246 00417E20                 034D F8                            add ecx,dword ptr ss:[ebp-0x8]                   ; 注册码首地址加上计数
247 00417E23                 8A11                               mov dl,byte ptr ds:[ecx]                         ; 取注册码
248 00417E25                 8810                               mov byte ptr ds:[eax],dl                         ; 存放
249 00417E27               ^ EB CD                              jmp short dvdiphon.00417DF6
250 00417E29                 8B45 F8                            mov eax,dword ptr ss:[ebp-0x8]                   ; 取计数值
251 00417E2C                 83C0 01                            add eax,0x1                                      ; 计数值加1
252 00417E2F                 8945 F8                            mov dword ptr ss:[ebp-0x8],eax
253 00417E32                 8B4D 14                            mov ecx,dword ptr ss:[ebp+0x14]
254 00417E35                 8B55 F0                            mov edx,dword ptr ss:[ebp-0x10]
255 00417E38                 8911                               mov dword ptr ds:[ecx],edx                       ; 第1组注册码长度 0xB
256 00417E3A                 8B45 1C                            mov eax,dword ptr ss:[ebp+0x1C]
257 00417E3D                 8B4D F4                            mov ecx,dword ptr ss:[ebp-0xC]
258 00417E40                 8908                               mov dword ptr ds:[eax],ecx                       ; 第2组注册码长度 0x16
259 00417E42                 B8 01000000                        mov eax,0x1
260 00417E47                 8BE5                               mov esp,ebp
261 00417E49                 5D                                 pop ebp
262 00417E4A                 C3                                 retn

分组后为:
0012FAD8 31 32 33 38 39 65 66 6B 6C 71 6C 00 00 00 00 00 12389efklql.....
0012FAE8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3B 00 ..............;.
0012FAF8 35 36 37 62 63 64 68 69 6A 6E 6F 70 74 75 76 77 567bcdhijnoptuvw
0012FB08 78 7A 74 72 77 6D xztrwm

//-分组后与原始对照
123456789abcdefghijklmnopqlstuvwxyztrwm
123 89 ef kl ql
567 bcd hij nop tuvwx ztrwm

9.计算sha1值

常量数据 0x20
CD 25 BA 43 73 ED 72 80 EF 82 B1 41 10 B1 71 81 25 CC BB B4 CC CC B7 B8 37 92 92 9B 98 AA 96 97

第1组注册码
0012FAD8 31 32 33 38 39 65 66 6B 6C 71 6C "12389efklql"

0x20字节的常量与0x36 xor 长度为0x40

 1 00417727              8B95 70EFFFFF                mov edx,dword ptr ss:[ebp-0x1090]
 2 0041772D              83C2 01                      add edx,0x1
 3 00417730              8995 70EFFFFF                mov dword ptr ss:[ebp-0x1090],edx
 4 00417736              83BD 70EFFFFF 40             cmp dword ptr ss:[ebp-0x1090],0x40
 5 0041773D              7D 26                        jge short dvdiphon.00417765
 6 0041773F              8B85 70EFFFFF                mov eax,dword ptr ss:[ebp-0x1090]
 7 00417745              0FB68C05 30EFFFFF            movzx ecx,byte ptr ss:[ebp+eax-0x10D0]
 8 0041774D              0FB695 76EFFFFF              movzx edx,byte ptr ss:[ebp-0x108A]
 9 00417754              33CA                         xor ecx,edx                              ; 常量与0x36 xor
10 00417756              8B85 70EFFFFF                mov eax,dword ptr ss:[ebp-0x1090]
11 0041775C              888C05 D0EDFFFF              mov byte ptr ss:[ebp+eax-0x1230],cl      ; 存放xor后的值
12 00417763            ^ EB C2                        jmp short dvdiphon.00417727
13 00417765              C785 70EFFFFF 00000000       mov dword ptr ss:[ebp-0x1090],0x0

结果为
FB 13 8C 75 45 DB 44 B6 D9 B4 87 77 26 87 47 B7 13 FA 8D 82 FA FA 81 8E 01 A4 A4 AD AE 9C A0 A1
36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36

拷贝第1组注册码与xor后的数据组合在一起
0012E9E0 FB 13 8C 75 45 DB 44 B6 D9 B4 87 77 26 87 47 B7 ?寀E跠顿磭w&嘒
0012E9F0 13 FA 8D 82 FA FA 81 8E 01 A4 A4 AD AE 9C A0 A1 鷯傶鷣?い湢
0012EA00 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
0012EA10 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
0012EA20 31 32 33 38 39 65 66 6B 6C 71 6C 12389efklql

计算组合后数据sha1值

1 004177FA              FF95 CCEDFFFF                call dword ptr ss:[ebp-0x1234]        ; sha1算法 (计算组合后的数据0x4b长度)

该函数有如下常量特征, 应当是sha1算法

 1 00417048    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
 2 0041704B    0355 0C         add edx,dword ptr ss:[ebp+0xC]
 3 0041704E    C602 80         mov byte ptr ds:[edx],0x80
 4 00417051    8B85 0CEEFFFF   mov eax,dword ptr ss:[ebp-0x11F4]
 5 00417057    25 FF000000     and eax,0xFF
 6 0041705C    8B8D 14EEFFFF   mov ecx,dword ptr ss:[ebp-0x11EC]
 7 00417062    C1E1 06         shl ecx,0x6
 8 00417065    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
 9 00417068    88440A FF       mov byte ptr ds:[edx+ecx-0x1],al
10 0041706C    8B85 0CEEFFFF   mov eax,dword ptr ss:[ebp-0x11F4]
11 00417072    C1E8 08         shr eax,0x8
12 00417075    25 FF000000     and eax,0xFF
13 0041707A    8B8D 14EEFFFF   mov ecx,dword ptr ss:[ebp-0x11EC]
14 00417080    C1E1 06         shl ecx,0x6
15 00417083    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
16 00417086    88440A FE       mov byte ptr ds:[edx+ecx-0x2],al
17 0041708A    8B85 0CEEFFFF   mov eax,dword ptr ss:[ebp-0x11F4]
18 00417090    C1E8 10         shr eax,0x10
19 00417093    25 FF000000     and eax,0xFF
20 00417098    8B8D 14EEFFFF   mov ecx,dword ptr ss:[ebp-0x11EC]
21 0041709E    C1E1 06         shl ecx,0x6
22 004170A1    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
23 004170A4    88440A FD       mov byte ptr ds:[edx+ecx-0x3],al
24 004170A8    8B85 0CEEFFFF   mov eax,dword ptr ss:[ebp-0x11F4]
25 004170AE    C1E8 18         shr eax,0x18
26 004170B1    25 FF000000     and eax,0xFF
27 004170B6    8B8D 14EEFFFF   mov ecx,dword ptr ss:[ebp-0x11EC]
28 004170BC    C1E1 06         shl ecx,0x6
29 004170BF    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
30 004170C2    88440A FC       mov byte ptr ds:[edx+ecx-0x4],al
31 004170C6    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x67452301
32 004170D0    C785 B0FEFFFF 8>mov dword ptr ss:[ebp-0x150],0xEFCDAB89
33 004170DA    C785 B4FEFFFF F>mov dword ptr ss:[ebp-0x14C],0x98BADCFE
34 004170E4    C785 B8FEFFFF 7>mov dword ptr ss:[ebp-0x148],0x10325476
35 004170EE    C785 BCFEFFFF F>mov dword ptr ss:[ebp-0x144],0xC3D2E1F0
36 004170F8    C785 A0FEFFFF 0>mov dword ptr ss:[ebp-0x160],0x0
37 00417102    EB 0F           jmp short dvdiphon.00417113

结果为
23 91 90 CD 1D C6 63 3E 3F 81 EA 9E 9D 24 4A C4 99 03 9E B0

再次将常量值与0x5c xor 长度0x40

常量数据 0x20
CD 25 BA 43 73 ED 72 80 EF 82 B1 41 10 B1 71 81 25 CC BB B4 CC CC B7 B8 37 92 92 9B 98 AA 96 97

1 0041782D              0FB68415 30EFFFFF            movzx eax,byte ptr ss:[ebp+edx-0x10D0]                  ; 取常量
2 00417835              0FB68D 77EFFFFF              movzx ecx,byte ptr ss:[ebp-0x1089]                      ; 0x5c
3 0041783C              33C1                         xor eax,ecx                                             ; xor
4 0041783E              8B95 70EFFFFF                mov edx,dword ptr ss:[ebp-0x1090]
5 00417844              888415 10EEFFFF              mov byte ptr ss:[ebp+edx-0x11F0],al                     ; 存放
6 0041784B            ^ EB C2                        jmp short dvdiphon.0041780F

xor后的结果与上面计算的sha1值组合在一起
0012E8C0 91 79 E6 1F 2F B1 2E DC B3 DE ED 1D 4C ED 2D DD 憏?/?艹揄L?
0012E8D0 79 90 E7 E8 90 90 EB E4 6B CE CE C7 C4 F6 CA CB y愮钀愲鋕挝悄鍪
0012E8E0 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C \\\\\\\\\\\\\\\\
0012E8F0 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C \\\\\\\\\\\\\\\\
0012E900 23 91 90 CD 1D C6 63 3E 3F 81 EA 9E 9D 24 4A C4 #憪?芻>?侁灊$J
0012E910 99 03 9E B0

对组合在一起的数据进行sha1计算长度为0x54

1 004178CB    8B55 1C         mov edx,dword ptr ss:[ebp+0x1C]
2 004178CE    52              push edx
3 004178CF    8B85 54EEFFFF   mov eax,dword ptr ss:[ebp-0x11AC]
4 004178D5    83C0 14         add eax,0x14
5 004178D8    50              push eax
6 004178D9    8D8D 58EEFFFF   lea ecx,dword ptr ss:[ebp-0x11A8]
7 004178DF    51              push ecx
8 004178E0    FF95 CCEDFFFF   call dword ptr ss:[ebp-0x1234]           ; sha1算法

结果为
68 51 1C E5 09 94 70 95 53 97 82 C9 E7 3F 0F 8D C8 C6 CD 93

10. 根据反回的sha1值来查找字符

字符表
00613B78 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 ABCDEFGHIJKLMNOP
00613B88 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 QRSTUVWXYZabcdef
00613B98 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
00613BA8 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F wxyz0123456789+/

1 004180AD    83C4 14         add esp,0x14
2 004180B0    8D85 3CFFFFFF   lea eax,dword ptr ss:[ebp-0xC4]
3 004180B6    50              push eax
4 004180B7    6A 14           push 0x14                                ; 长度
5 004180B9    8D8D 28FFFFFF   lea ecx,dword ptr ss:[ebp-0xD8]
6 004180BF    51              push ecx                                 ; sha1值
7 004180C0    E8 6BF8FFFF     call dvdiphon.00417930                   ; 查找字符串算法(取sha值的每3个字节做为一个整数进行运算做为字符表的下标值)

具体算法如下

  1 00417930    55              push ebp
  2 00417931    8BEC            mov ebp,esp
  3 00417933    83EC 24         sub esp,0x24
  4 00417936    8B45 10         mov eax,dword ptr ss:[ebp+0x10]
  5 00417939    8945 F4         mov dword ptr ss:[ebp-0xC],eax
  6 0041793C    8B4D F4         mov ecx,dword ptr ss:[ebp-0xC]
  7 0041793F    894D FC         mov dword ptr ss:[ebp-0x4],ecx
  8 00417942    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
  9 00417945    8955 F0         mov dword ptr ss:[ebp-0x10],edx
 10 00417948    C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0
 11 0041794F    C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0
 12 00417956    8B45 F8         mov eax,dword ptr ss:[ebp-0x8]
 13 00417959    3B45 0C         cmp eax,dword ptr ss:[ebp+0xC]
 14 0041795C    0F8D EF000000   jge dvdiphon.00417A51                    ; 判断是否结束
 15 00417962    8B4D F0         mov ecx,dword ptr ss:[ebp-0x10]
 16 00417965    034D F8         add ecx,dword ptr ss:[ebp-0x8]
 17 00417968    0FB611          movzx edx,byte ptr ds:[ecx]
 18 0041796B    8955 EC         mov dword ptr ss:[ebp-0x14],edx
 19 0041796E    8B45 F8         mov eax,dword ptr ss:[ebp-0x8]
 20 00417971    83C0 01         add eax,0x1
 21 00417974    8945 F8         mov dword ptr ss:[ebp-0x8],eax
 22 00417977    8B4D EC         mov ecx,dword ptr ss:[ebp-0x14]
 23 0041797A    C1E1 08         shl ecx,0x8                              ; 第1字节左移8位
 24 0041797D    894D EC         mov dword ptr ss:[ebp-0x14],ecx
 25 00417980    8B55 F8         mov edx,dword ptr ss:[ebp-0x8]
 26 00417983    3B55 0C         cmp edx,dword ptr ss:[ebp+0xC]
 27 00417986    7D 0F           jge short dvdiphon.00417997
 28 00417988    8B45 F0         mov eax,dword ptr ss:[ebp-0x10]
 29 0041798B    0345 F8         add eax,dword ptr ss:[ebp-0x8]
 30 0041798E    0FB608          movzx ecx,byte ptr ds:[eax]
 31 00417991    034D EC         add ecx,dword ptr ss:[ebp-0x14]          ; 第2字节加上前面左移8位后的值
 32 00417994    894D EC         mov dword ptr ss:[ebp-0x14],ecx          ; 存放
 33 00417997    8B55 F8         mov edx,dword ptr ss:[ebp-0x8]
 34 0041799A    83C2 01         add edx,0x1
 35 0041799D    8955 F8         mov dword ptr ss:[ebp-0x8],edx
 36 004179A0    8B45 EC         mov eax,dword ptr ss:[ebp-0x14]
 37 004179A3    C1E0 08         shl eax,0x8                              ; 左移8位
 38 004179A6    8945 EC         mov dword ptr ss:[ebp-0x14],eax
 39 004179A9    8B4D F8         mov ecx,dword ptr ss:[ebp-0x8]
 40 004179AC    3B4D 0C         cmp ecx,dword ptr ss:[ebp+0xC]
 41 004179AF    7D 0F           jge short dvdiphon.004179C0
 42 004179B1    8B55 F0         mov edx,dword ptr ss:[ebp-0x10]
 43 004179B4    0355 F8         add edx,dword ptr ss:[ebp-0x8]
 44 004179B7    0FB602          movzx eax,byte ptr ds:[edx]
 45 004179BA    0345 EC         add eax,dword ptr ss:[ebp-0x14]          ; 第3字节加上前面左移8位后的值
 46 004179BD    8945 EC         mov dword ptr ss:[ebp-0x14],eax
 47 004179C0    8B4D F8         mov ecx,dword ptr ss:[ebp-0x8]
 48 004179C3    83C1 01         add ecx,0x1
 49 004179C6    894D F8         mov dword ptr ss:[ebp-0x8],ecx
 50 004179C9    8B55 EC         mov edx,dword ptr ss:[ebp-0x14]
 51 004179CC    81E2 0000FC00   and edx,0xFC0000                         ; 将上面计算得到的整数值进逻辑运算
 52 004179D2    C1FA 12         sar edx,0x12                             ; 算术右移0x12 (逻辑运算后的值做为下标取字符)
 53 004179D5    8B45 FC         mov eax,dword ptr ss:[ebp-0x4]
 54 004179D8    8A8A 783B6100   mov cl,byte ptr ds:[edx+0x613B78]        ; ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
 55 004179DE    8808            mov byte ptr ds:[eax],cl                 ; 存放查找到的字符
 56 004179E0    8B55 EC         mov edx,dword ptr ss:[ebp-0x14]
 57 004179E3    81E2 00F00300   and edx,0x3F000
 58 004179E9    C1FA 0C         sar edx,0xC
 59 004179EC    8B45 FC         mov eax,dword ptr ss:[ebp-0x4]
 60 004179EF    8A8A 783B6100   mov cl,byte ptr ds:[edx+0x613B78]        ; ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
 61 004179F5    8848 01         mov byte ptr ds:[eax+0x1],cl             ; 存放查找到的字符
 62 004179F8    8B55 EC         mov edx,dword ptr ss:[ebp-0x14]
 63 004179FB    81E2 C00F0000   and edx,0xFC0
 64 00417A01    C1FA 06         sar edx,0x6
 65 00417A04    8B45 FC         mov eax,dword ptr ss:[ebp-0x4]
 66 00417A07    8A8A 783B6100   mov cl,byte ptr ds:[edx+0x613B78]        ; ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
 67 00417A0D    8848 02         mov byte ptr ds:[eax+0x2],cl             ; 存放查找到的字符
 68 00417A10    8B55 EC         mov edx,dword ptr ss:[ebp-0x14]
 69 00417A13    83E2 3F         and edx,0x3F
 70 00417A16    8B45 FC         mov eax,dword ptr ss:[ebp-0x4]
 71 00417A19    8A8A 783B6100   mov cl,byte ptr ds:[edx+0x613B78]        ; ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
 72 00417A1F    8848 03         mov byte ptr ds:[eax+0x3],cl             ; 存放查找到的字符
 73 00417A22    8B55 F8         mov edx,dword ptr ss:[ebp-0x8]
 74 00417A25    3B55 0C         cmp edx,dword ptr ss:[ebp+0xC]
 75 00417A28    7E 07           jle short dvdiphon.00417A31
 76 00417A2A    8B45 FC         mov eax,dword ptr ss:[ebp-0x4]
 77 00417A2D    C640 03 3D      mov byte ptr ds:[eax+0x3],0x3D
 78 00417A31    8B4D 0C         mov ecx,dword ptr ss:[ebp+0xC]
 79 00417A34    83C1 01         add ecx,0x1
 80 00417A37    394D F8         cmp dword ptr ss:[ebp-0x8],ecx
 81 00417A3A    7E 07           jle short dvdiphon.00417A43
 82 00417A3C    8B55 FC         mov edx,dword ptr ss:[ebp-0x4]
 83 00417A3F    C642 02 3D      mov byte ptr ds:[edx+0x2],0x3D
 84 00417A43    8B45 FC         mov eax,dword ptr ss:[ebp-0x4]
 85 00417A46    83C0 04         add eax,0x4
 86 00417A49    8945 FC         mov dword ptr ss:[ebp-0x4],eax
 87 00417A4C  ^ E9 05FFFFFF     jmp dvdiphon.00417956
 88 00417A51    8B4D FC         mov ecx,dword ptr ss:[ebp-0x4]           ; 结束
 89 00417A54    C601 00         mov byte ptr ds:[ecx],0x0
 90 00417A57    8B55 F4         mov edx,dword ptr ss:[ebp-0xC]
 91 00417A5A    8955 E8         mov dword ptr ss:[ebp-0x18],edx
 92 00417A5D    8B45 E8         mov eax,dword ptr ss:[ebp-0x18]
 93 00417A60    83C0 01         add eax,0x1
 94 00417A63    8945 E4         mov dword ptr ss:[ebp-0x1C],eax
 95 00417A66    8B4D E8         mov ecx,dword ptr ss:[ebp-0x18]
 96 00417A69    8A11            mov dl,byte ptr ds:[ecx]
 97 00417A6B    8855 E3         mov byte ptr ss:[ebp-0x1D],dl
 98 00417A6E    8345 E8 01      add dword ptr ss:[ebp-0x18],0x1
 99 00417A72    807D E3 00      cmp byte ptr ss:[ebp-0x1D],0x0
100 00417A76  ^ 75 EE           jnz short dvdiphon.00417A66
101 00417A78    8B45 E8         mov eax,dword ptr ss:[ebp-0x18]
102 00417A7B    2B45 E4         sub eax,dword ptr ss:[ebp-0x1C]
103 00417A7E    8945 DC         mov dword ptr ss:[ebp-0x24],eax
104 00417A81    8B45 DC         mov eax,dword ptr ss:[ebp-0x24]
105 00417A84    8BE5            mov esp,ebp
106 00417A86    5D              pop ebp

11.将查找到的字符中小写字母转换成大写并判断是否有字符 '/' '+', 如果有就替换成替换成 'O' 'E'

 1 004180C8    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x0
 2 004180D2    EB 0F           jmp short dvdiphon.004180E3
 3 004180D4    8B95 ACFEFFFF   mov edx,dword ptr ss:[ebp-0x154]         ; 转换成大写
 4 004180DA    83C2 01         add edx,0x1
 5 004180DD    8995 ACFEFFFF   mov dword ptr ss:[ebp-0x154],edx
 6 004180E3    83BD ACFEFFFF 1>cmp dword ptr ss:[ebp-0x154],0x16
 7 004180EA    0F8D 8F000000   jge dvdiphon.0041817F
 8 004180F0    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
 9 004180F6    0FBE8C05 3CFFFF>movsx ecx,byte ptr ss:[ebp+eax-0xC4]
10 004180FE    83F9 61         cmp ecx,0x61
11 00418101    7C 33           jl short dvdiphon.00418136
12 00418103    8B95 ACFEFFFF   mov edx,dword ptr ss:[ebp-0x154]
13 00418109    0FBE8415 3CFFFF>movsx eax,byte ptr ss:[ebp+edx-0xC4]
14 00418111    83F8 7A         cmp eax,0x7A
15 00418114    7F 20           jg short dvdiphon.00418136
16 00418116    8B8D ACFEFFFF   mov ecx,dword ptr ss:[ebp-0x154]
17 0041811C    0FBE940D 3CFFFF>movsx edx,byte ptr ss:[ebp+ecx-0xC4]
18 00418124    83EA 20         sub edx,0x20
19 00418127    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
20 0041812D    889405 3CFFFFFF mov byte ptr ss:[ebp+eax-0xC4],dl
21 00418134    EB 44           jmp short dvdiphon.0041817A
22 00418136    8B8D ACFEFFFF   mov ecx,dword ptr ss:[ebp-0x154]
23 0041813C    0FBE940D 3CFFFF>movsx edx,byte ptr ss:[ebp+ecx-0xC4]
24 00418144    83FA 2B         cmp edx,0x2B                             ; 是否为 '+'
25 00418147    75 10           jnz short dvdiphon.00418159
26 00418149    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
27 0041814F    C68405 3CFFFFFF>mov byte ptr ss:[ebp+eax-0xC4],0x45      ; 替换成 'E'
28 00418157    EB 21           jmp short dvdiphon.0041817A
29 00418159    8B8D ACFEFFFF   mov ecx,dword ptr ss:[ebp-0x154]
30 0041815F    0FBE940D 3CFFFF>movsx edx,byte ptr ss:[ebp+ecx-0xC4]
31 00418167    83FA 2F         cmp edx,0x2F                             ; 是否为 '/'
32 0041816A    75 0E           jnz short dvdiphon.0041817A
33 0041816C    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
34 00418172    C68405 3CFFFFFF>mov byte ptr ss:[ebp+eax-0xC4],0x4F      ; 替换成 'O'
35 0041817A  ^ E9 55FFFFFF     jmp dvdiphon.004180D4

12.比较注册码是否相同, 长度为0x16

 1 0041817F    6A 16           push 0x16
 2 00418181    8D8D DCFEFFFF   lea ecx,dword ptr ss:[ebp-0x124]
 3 00418187    51              push ecx
 4 00418188    8D95 3CFFFFFF   lea edx,dword ptr ss:[ebp-0xC4]
 5 0041818E    52              push edx
 6 0041818F    E8 3CF9FFFF     call dvdiphon.00417AD0                   ; 判断注册码是否相同(输入的注册码分组后第2组注册码与计算出来的进行比较0x16字
 7 
 8 节)
 9 00418194    83C4 0C         add esp,0xC
10 00418197    F7D8            neg eax
11 00418199    1BC0            sbb eax,eax
12 0041819B    83C0 01         add eax,0x1
13 0041819E    A3 D81B6200     mov dword ptr ds:[0x621BD8],eax          ; 注册码相同则给全局变量值为1,否则为0
14 004181A3    8B85 6CFFFFFF   mov eax,dword ptr ss:[ebp-0x94]
15 004181A9    8985 A0FEFFFF   mov dword ptr ss:[ebp-0x160],eax
16 004181AF    C745 FC FFFFFFF>mov dword ptr ss:[ebp-0x4],-0x1
17 004181B6    8D8D 70FFFFFF   lea ecx,dword ptr ss:[ebp-0x90]
18 004181BC    E8 3F7D0200     call dvdiphon.0043FF00

13.分析总结

a) 将用户输入的注册码加密(减0x19)写入注册表(CLSID\{D2D219BC-BCE8-4249-8636-DE8BEFCD28C3}\ProgID)，提示重启软件。
b) 重启软件时从注册表中读取注册码将其解密(加上0x19)，并将解密后的注册码分成2组。
c) 用第1组注册码参与sha1计算得到sha1值
d) 根据sha1值查找字符。
e) 比较查找到的字符是否与第2组注册码相同, 相同则注册成功，否则失败。

14. 算法分析明白，就开始写注册机。

  1 #include "stdafx.h"
  2 #include <stdio.h>
  3 #include <malloc.h>
  4 #include <stdlib.h>
  5 #include <time.h>
  6 #include <Windows.h>
  7 #include "sha1.h"
  8 
  9 //随机数
 10 int genrand(long num, char * outrand)
 11 {
 12     BYTE *dat = (BYTE *)malloc(num * sizeof(BYTE));
 13     BYTE *p = dat, i;
 14 
 15     if (0 == num)
 16     {
 17         return -1;
 18     }
 19 
 20     if (dat == NULL){
 21         printf("malloc error, memory not enough!\n");
 22         return -1;
 23     }
 24 
 25     srand( (unsigned int)time(0) );
 26     for (i = 0; i < num; i += 3){
 27 
 28         dat[i] = 'A'+ rand()%4;
 29         dat[i+1] = 'a'+rand()%4;
 30         dat[i+2] = '0'+rand()%10;
 31 
 32     }
 33 
 34     memcpy(outrand, dat, num);
 35     return 0;    
 36 }
 37 
 38 
 39 //根据sha1值获取字符
 40 void FindLicense(BYTE* sha1data, int len, char* outLicense)
 41 {
 42     unsigned long offset = 0;
 43     unsigned long temp = 0x0;
 44     char tempLong[3] = {0};
 45     char szTable[256] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 46     int index = 0;
 47 
 48     if (NULL == sha1data || 0 == len)
 49     {
 50         return;
 51     }
 52     
 53     for (int i=0; i<len; i+=3)
 54     {
 55 
 56         //取3位sha1值为一个整数
 57         for (int j=0; j<3; j++)
 58         {
 59             if (0 == j)
 60             {
 61                 temp = sha1data[i+j];
 62                 temp <<= 8;
 63                 offset = temp;
 64             }
 65             if (1 == j)
 66             {
 67                 temp = sha1data[i+j];
 68                 offset += temp;
 69             }
 70             if (2 == j)
 71             {
 72                 temp = sha1data[i+j];
 73                 offset <<=8;
 74                 offset += temp;
 75             }
 76         }
 77 
 78         temp = offset;
 79         temp &= 0xFC0000;
 80         temp >>= 0x12;
 81         outLicense[index] = szTable[temp];
 82         index++;
 83         temp = offset;
 84         temp &= 0x3F000;
 85         temp >>= 0xc;
 86         outLicense[index] = szTable[temp];
 87         index++;
 88         
 89         temp = offset;
 90         temp &= 0xFC0;
 91         temp >>= 0x6;
 92         outLicense[index] = szTable[temp];
 93         index++;
 94 
 95         temp = offset;
 96         temp &= 0x3F;
 97         outLicense[index] = szTable[temp];
 98         index++;
 99     }
100     outLicense[index] = '=';
101 
102 }
103 
104 void GenerateLicense(char* License,int Licenselen, char* randchar, int randlen, char* outLincenes)
105 {
106 
107     /*
108     //-分组后与原始对照
109     123456789abcdefghijklmnopqlstuvwxyztrwm
110     123    89    ef    kl    ql
111         567   bcd   hij   nop   tuvwx ztrwm
112 
113     1234 AFE89a C5Qefg MUCklm JVTqlsL4LJ5y Z8PJCjGzZM
114 
115     //--正确的注册码
116     1234AFE89aC5QefgMUCklmJVTqlsL4LJ5yZ8PJC
117     */
118     char randchartemp[5] = {0};
119     char randchartemp1[4] = {0};
120     char randchartemp2[4] = {0};
121     char randchartemp3[4] = {0};
122     char randchartemp4[4] = {0};
123 
124 
125     char Licensetemp[5] = {0};
126     char Licensetemp1[5] = {0};
127     char Licensetemp2[5] = {0};
128     char Licensetemp3[5] = {0};
129     char Licensetemp4[7] = {0};
130     char Licensetemp5[20] = {0};
131 
132     char stastr[256] = {0};
133 
134     if (NULL == License || 0 == Licenselen || NULL == randchar || 0 == randlen)
135     {
136         return;
137     }
138 
139     //-先将随机数分组
140     strncpy(randchartemp, randchar, 3);
141     randchartemp[3] = '8';
142     strncpy(randchartemp1, randchar+3, 2);
143     randchartemp1[2] = '8';
144 
145     strncpy(randchartemp2, randchar+5, 2);
146     randchartemp2[2] = '8';
147     strncpy(randchartemp3, randchar+7, 2);
148     randchartemp3[2] = '8';
149 
150     strncpy(randchartemp4, randchar+9, 2);
151     randchartemp4[2] = '8';
152 
153     //--注册码分组
154     strncpy(Licensetemp, License, 3);
155     strncpy(Licensetemp1, License+3, 3);
156     strncpy(Licensetemp2, License+6, 3);
157     strncpy(Licensetemp3, License+9, 3);
158     strncpy(Licensetemp4, License+12, 5);
159     Licensetemp4[5] = '8';
160     strncpy(Licensetemp5, License+17, Licenselen-17);
161 
162     //组合注册码
163     strncpy(stastr, randchartemp, 4);
164     strncpy(stastr+4, Licensetemp, 3);
165     strncpy(stastr+7, randchartemp1, 3);
166     strncpy(stastr+10, Licensetemp1, 3);
167     strncpy(stastr+13, randchartemp2, 3);
168     strncpy(stastr+16, Licensetemp2, 3);
169     strncpy(stastr+19, randchartemp3, 3);
170     strncpy(stastr+22, Licensetemp3, 3);
171     strncpy(stastr+25, randchartemp4, 3);
172     strncpy(stastr+28, Licensetemp4, 6);
173     strncpy(stastr+34, Licensetemp5, strlen(Licensetemp5));
174 
175     strncpy(outLincenes, stastr, 0x27);
176 }
177 int _tmain(int argc, _TCHAR* argv[])
178 {
179     //软件中的常量数据,参与计算注册码
180     const BYTE data[0x100] = {0xCD, 0x25, 0xBA, 0x43, 0x73, 0xED, 0x72, 0x80, 0xEF, 0x82, 0xB1, 0x41, 0x10, 0xB1, 0x71, 0x81,
181                              0x25, 0xCC, 0xBB, 0xB4, 0xCC, 0xCC, 0xB7, 0xB8, 0x37, 0x92, 0x92, 0x9B, 0x98, 0xAA, 
182 
183 0x96, 0x97};
184     BYTE XorData[0x100] = {0x00};
185     BYTE XorData1[0x100] = {0x00};
186     char randdata[16] = {0x31, 0x32, 0x33, 0x38, 0x39, 0x65, 0x66, 0x6B, 0x6C, 0x71, 0x6C};
187     char License[256] = {0};
188     char TempLicense[256] = {0};
189     int ret = 0;
190     int len = 0;
191     unsigned char sha1output[30] = {0x00};
192     unsigned char sha1output1[30] = {0x00};
193 
194 
195     ret = genrand(11,randdata);
196     if (-1 == ret)
197     {
198         printf("生成注册码出错!\n");
199         return -1;
200     }
201 
202     //软件中的常量数据与0x36 进行xor
203     for (int i=0; i <= 0x40; i++)
204     {
205         XorData[i] = data[i] ^ 0x36;
206         len = i;
207     }
208 
209     //将xor后的数据与随机数组合
210     memcpy(XorData+len, randdata, 11);
211 
212     //计算组合后数据的sha1值
213     sha1(XorData, len+11,sha1output);
214 
215     //软件中的常量数据与0x5c 进行xor
216     for (int i=0; i <= 0x40; i++)
217     {
218         XorData1[i] = data[i] ^ 0x5c;
219         len = i;
220     }
221 
222     //将上面计算出来的sha1值与XorData1数据组合
223     memcpy(XorData1+len, sha1output, 20);
224     //计算组合后数据的sha1值
225     sha1(XorData1, len+20,sha1output1);
226 
227     FindLicense(sha1output1, 20, TempLicense);
228 
229     //--将字符转换成大写,并将其中的字符'/'与'+'替换成 'O'与'E'
230     for (int n=0; n<strlen(TempLicense); n++)
231     {
232         //--判断大小写并转换成大写
233         if(TempLicense[n]>='a'&& TempLicense[n]<='z') 
234         {
235             TempLicense[n] -= 32;
236             continue;
237         }
238 
239         if (TempLicense[n] == '/')
240         {
241             TempLicense[n] = 'O';
242         }
243 
244         if (TempLicense[n] == '+')
245         {
246             TempLicense[n] = 'E';
247         }
248     }
249 
250     //--生成注册码
251     GenerateLicense(TempLicense, strlen(TempLicense), randdata, strlen(randdata), License);
252     printf("用户名注册时随便输入\n");
253     printf("注册码: %s\n",License);
254     getchar();
255     return 0;
256 }

15.测试注册机

16.输入用户名test 输入注册码码，成功注册

bin及src下载

http://yunpan.cn/cKqeUcp35e2i7 （提取码：97cc）

posted @ 2015-01-30 09:17 我是小三阅读(2012) 评论(0) 编辑收藏举报

刷新页面返回顶部

逆向与安全

菜鸟学注册机编写之 “sha1”

公告

逆向与安全

菜鸟 学注册机编写之 “sha1”

公告

菜鸟学注册机编写之 “sha1”