很明显,004417F8处的call就是算法函数
CODE:004417B8 ; =============== S U B R O U T I N E =======================================
; sub_4417B8 - name/serial check handler (IDA listing, 32-bit x86, Delphi string RTL).
; In:   eax = object pointer, kept in ebx; the controls at [ebx+2C4h] and [ebx+2C8h]
;       supply the name and serial text (presumably eax is the form instance - confirm).
; Flow: read Serial and Name, call sub_4416F8(eax = Name, edx = &var_8) to derive the
;       expected serial, compare it with the entered one via LStrCmp, show a message box.
; NOTE(review): the expected serial is derived locally from the name alone and compared
;       as a plain string, so the whole check can be reproduced outside the program.
; The SEH handler (loc_441860) and the final return target (loc_441867) are not shown.
CODE:004417B8
CODE:004417B8 ; Attributes: bp-based frame
CODE:004417B8
CODE:004417B8 sub_4417B8 proc near ; DATA XREF: CODE:0044169D↑o
CODE:004417B8
CODE:004417B8 Name = dword ptr -0Ch
CODE:004417B8 var_8 = dword ptr -8
CODE:004417B8 Serial = dword ptr -4
CODE:004417B8
CODE:004417B8 push ebp
CODE:004417B9 mov ebp, esp
CODE:004417BB push 0 ; zero-initialise the three string locals: Serial ([ebp-4]) ...
CODE:004417BD push 0 ; ... var_8 ([ebp-8]) ...
CODE:004417BF push 0 ; ... and Name ([ebp-0Ch])
CODE:004417C1 push ebx
CODE:004417C2 mov ebx, eax ; ebx = object pointer passed in eax
CODE:004417C4 xor eax, eax ; eax = 0, used as the fs:[0] offset below
CODE:004417C6 push ebp
CODE:004417C7 push offset loc_441860 ; SEH handler address (handler body not shown)
CODE:004417CC push dword ptr fs:[eax] ; save the previous SEH frame pointer
CODE:004417CF mov fs:[eax], esp ; install the new SEH frame
CODE:004417D2 lea edx, [ebp+Serial] ; edx = &Serial (receives the text)
CODE:004417D5 mov eax, [ebx+2C8h] ; control holding the serial
CODE:004417DB call @TControl@GetText ; TControl::GetText
CODE:004417E0 mov eax, [ebp+Serial]
CODE:004417E3 push eax ; keep the entered serial on the stack until the compare
CODE:004417E4 lea edx, [ebp+Name] ; edx = &Name (receives the text)
CODE:004417E7 mov eax, [ebx+2C4h] ; control holding the name
CODE:004417ED call @TControl@GetText ; TControl::GetText
CODE:004417F2 mov eax, [ebp+Name] ; eax = name string
CODE:004417F5 lea edx, [ebp+var_8] ; edx = &var_8, output for the computed serial
CODE:004417F8 call sub_4416F8 ; serial algorithm: var_8 = f(Name)
CODE:004417FD mov edx, [ebp+var_8] ; edx = computed serial
CODE:00441800 pop eax ; eax = entered serial (pushed at 004417E3)
CODE:00441801 call @@LStrCmp ; __linkproc__ LStrCmp
CODE:00441806 jnz short loc_441822 ; strings differ -> error message
CODE:00441808 push 40h ; uType (40h = MB_ICONINFORMATION)
CODE:0044180A mov ecx, offset dword_44186C ; lpCaption
CODE:0044180F mov edx, offset dword_441878 ; lpText
CODE:00441814 mov eax, ds:off_442C30 ; presumably a pointer to the global Application variable - confirm
CODE:00441819 mov eax, [eax]
CODE:0044181B call @TApplication@MessageBox ; TApplication::MessageBox
CODE:00441820 jmp short loc_44183A
CODE:00441822 ; ---------------------------------------------------------------------------
CODE:00441822
CODE:00441822 loc_441822: ; CODE XREF: sub_4417B8+4E↑j
CODE:00441822 push 10h ; uType (10h = MB_ICONERROR)
CODE:00441824 mov ecx, offset @Consts@_16652 ; @Consts@_16656
CODE:00441824 ; @Consts@_16646
CODE:00441829 mov edx, offset aWrongCode ; "Wrong Code"
CODE:0044182E mov eax, ds:off_442C30
CODE:00441833 mov eax, [eax]
CODE:00441835 call @TApplication@MessageBox ; TApplication::MessageBox
CODE:0044183A
CODE:0044183A loc_44183A: ; CODE XREF: sub_4417B8+68↑j
CODE:0044183A xor eax, eax
CODE:0044183C pop edx ; edx = previous SEH frame pointer saved at 004417CC
CODE:0044183D pop ecx ; discard the handler address
CODE:0044183E pop ecx ; discard the saved ebp
CODE:0044183F mov fs:[eax], edx ; unlink this function's SEH frame
CODE:00441842 push offset loc_441867 ; the retn below transfers to loc_441867 (not shown)
CODE:00441847
CODE:00441847 loc_441847: ; CODE XREF: sub_4417B8+AD↓j
CODE:00441847 lea eax, [ebp+Name] ; release the three string locals
CODE:0044184A call @@LStrClr ; __linkproc__ LStrClr
CODE:0044184F lea eax, [ebp+var_8]
CODE:00441852 call @@LStrClr ; __linkproc__ LStrClr
CODE:00441857 lea eax, [ebp+Serial]
CODE:0044185A call @@LStrClr ; __linkproc__ LStrClr
CODE:0044185F retn
————————————————————————————————————————————————————————
CODE:004416F8
CODE:004416F8 ; =============== S U B R O U T I N E =======================================
; sub_4416F8 - derives the expected serial string from a name.
; In:   eax = name string, edx = address of the output string (saved at [esp]).
; Work: two 32-bit accumulators (ebx, esi) start from fixed constants and are mixed
;       with every byte of the name; the four 16-bit halves are then formatted with
;       "%.4x-%.4x-%.4x-%.4x" through Format.
; Uses: ebx, esi, edi (saved and restored), 24h bytes of stack locals.
CODE:004416F8
CODE:004416F8
CODE:004416F8 sub_4416F8 proc near ; CODE XREF: sub_4417B8+40↓p
CODE:004416F8
CODE:004416F8 var_30 = dword ptr -30h
CODE:004416F8 var_2C = dword ptr -2Ch
CODE:004416F8 var_28 = byte ptr -28h
CODE:004416F8 var_24 = dword ptr -24h
CODE:004416F8 var_20 = byte ptr -20h
CODE:004416F8 var_1C = dword ptr -1Ch
CODE:004416F8 var_18 = byte ptr -18h
CODE:004416F8 var_14 = dword ptr -14h
CODE:004416F8 var_10 = byte ptr -10h
CODE:004416F8
CODE:004416F8 push ebx
CODE:004416F9 push esi
CODE:004416FA push edi
CODE:004416FB add esp, 0FFFFFFDCh ; esp -= 24h: reserve the local area
CODE:004416FE mov [esp+30h+var_30], edx ; save the caller's output pointer at [esp+0]
CODE:00441701 mov edi, eax ; edi=name
CODE:00441703 mov ebx, 49390305h ; initial value of accumulator ebx
CODE:00441708 mov esi, 48631220h ; initial value of accumulator esi
CODE:0044170D mov eax, edi
CODE:0044170F call @@LStrLen ; __linkproc__ LStrLen
CODE:00441714 test eax, eax
CODE:00441716 jle short loc_441746 ; name length <= 0: skip the loop
CODE:00441718 mov edx, 1 ; edx = 1-based character index, eax = characters left
CODE:0044171D
CODE:0044171D loc_44171D: ; CODE XREF: sub_4416F8+4C↓j
CODE:0044171D xor ecx, ecx
CODE:0044171F mov cl, [edi+edx-1] ; ecx = current name byte, zero-extended
CODE:00441723 xor ebx, ecx ; 49390371 (author's trace value; matches a first byte of 74h)
CODE:00441725 xor esi, ebx ; 015a1151 (author's trace value)
CODE:00441727 test bl, 1 ; is the low bit of ebx set?
CODE:0044172A jz short loc_44173B
CODE:0044172C sar ebx, 1 ; arithmetic shift; CF = the bit shifted out (1 on this path)
CODE:0044172E jns short loc_441733 ; non-negative result: no correction
CODE:00441730 adc ebx, 0 ; negative and odd: +1, i.e. signed halving rounded toward zero
CODE:00441733
CODE:00441733 loc_441733: ; CODE XREF: sub_4416F8+36↑j
CODE:00441733 xor ebx, 1200311h ; extra mixing constant, applied only when ebx was odd
CODE:00441739 jmp short loc_441742
CODE:0044173B ; ---------------------------------------------------------------------------
CODE:0044173B
CODE:0044173B loc_44173B: ; CODE XREF: sub_4416F8+32↑j
CODE:0044173B sar ebx, 1 ; even value: CF = 0 after the shift
CODE:0044173D jns short loc_441742
CODE:0044173F adc ebx, 0 ; adds CF = 0 here, so ebx is unchanged
CODE:00441742
CODE:00441742 loc_441742: ; CODE XREF: sub_4416F8+41↑j
CODE:00441742 ; sub_4416F8+45↑j
CODE:00441742 inc edx ; next character
CODE:00441743 dec eax ; one fewer character left
CODE:00441744 jnz short loc_44171D
CODE:00441746
CODE:00441746 loc_441746: ; CODE XREF: sub_4416F8+1E↑j
CODE:00441746 mov eax, [esp+30h+var_30] ; reload the saved output pointer
CODE:00441749 push eax ; passed on the stack to Format (presumably its result parameter - confirm)
CODE:0044174A mov eax, ebx ; the loop leaves two DWORDs, in ebx and esi
CODE:0044174C and eax, 0FFFFh
CODE:00441751 mov [esp+34h+var_2C], eax ; low 16 bits of ebx
CODE:00441755 mov [esp+34h+var_28], 0 ; type byte of the first argument record (presumably TVarRec.VType = vtInteger - confirm)
CODE:0044175A shr ebx, 10h
CODE:0044175D mov [esp+34h+var_24], ebx ; high 16 bits of ebx
CODE:00441761 mov [esp+34h+var_20], 0
CODE:00441766 mov eax, esi
CODE:00441768 and eax, 0FFFFh
CODE:0044176D mov [esp+34h+var_1C], eax ; low 16 bits of esi
CODE:00441771 mov [esp+34h+var_18], 0
CODE:00441776 shr esi, 10h
CODE:00441779 mov [esp+34h+var_14], esi ; high 16 bits of esi
CODE:0044177D mov [esp+34h+var_10], 0
CODE:00441782 lea edx, [esp+34h+var_2C] ; edx = start of the four 8-byte argument records
CODE:00441786 mov ecx, 3 ; presumably the highest index of the 4-element argument array
CODE:0044178B mov eax, offset a_4x_4x_4x_4x ; "%.4x-%.4x-%.4x-%.4x"
CODE:00441790 call @Format ; order: ebx low - ebx high - esi low - esi high
CODE:00441795 add esp, 24h ; release the local area
CODE:00441798 pop edi
CODE:00441799 pop esi
CODE:0044179A pop ebx
CODE:0044179B retn
CODE:0044179B sub_4416F8 endp
CODE:0044179B
CODE:0044179B ; ---------------------------------------------------------------------------
中间那串跳来跳去的算法可以直接拷出来用
以下是根据上面的算法计算注册码的程序
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
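/*
 * Portable C version of the per-character loop of sub_4416F8
 * (0044171D-00441744 in the listing) and of the 16-bit split that follows it.
 *
 * name  - NUL-terminated input; bytes are treated as unsigned, as the
 *         zero-extending `xor ecx, ecx / mov cl, [...]` pair does.
 * words - receives, in output order: ebx low, ebx high, esi low, esi high.
 *
 * The accumulators are masked to 32 bits so the result does not depend on
 * the width of unsigned int.
 */
static void derive_serial_words(const char *name, unsigned int words[4])
{
    unsigned int ebx = 0x49390305u;     /* mov ebx, 49390305h */
    unsigned int esi = 0x48631220u;     /* mov esi, 48631220h */
    const unsigned char *p;

    for (p = (const unsigned char *)name; *p != '\0'; ++p) {
        unsigned int odd;
        unsigned int sign;

        ebx ^= *p;                      /* xor ebx, ecx */
        esi ^= ebx;                     /* xor esi, ebx */

        odd  = ebx & 1u;                /* test bl, 1 (also the carry out of sar) */
        sign = ebx & 0x80000000u;

        /* sar ebx, 1: shift right and keep the sign bit. */
        ebx = ((ebx & 0xFFFFFFFFu) >> 1) | sign;

        /* jns / adc ebx, 0: a negative result gets the carry added back.
         * The carry is the bit shifted out, so only odd values change. */
        if (sign && odd)
            ebx = (ebx + 1u) & 0xFFFFFFFFu;

        if (odd)
            ebx ^= 0x01200311u;         /* xor ebx, 1200311h (odd path only) */
    }

    words[0] = ebx & 0xFFFFu;
    words[1] = (ebx >> 16) & 0xFFFFu;
    words[2] = esi & 0xFFFFu;
    words[3] = (esi >> 16) & 0xFFFFu;
}

/*
 * Reads a name from stdin and prints the serial derived from it as
 * XXXX-XXXX-XXXX-XXXX.
 *
 * Changes against the first version of this program:
 *  - gets() wrote an unbounded line into a 16-byte heap buffer; input is now
 *    read with fgets() into a fixed buffer, so longer lines are truncated
 *    instead of overflowing.
 *  - The loop was MSVC-only inline assembly split over several _asm blocks,
 *    relying on ebx/esi/edi keeping their values across compiled C code and
 *    on push/pop pairs spanning blocks. It is expressed in C here.
 *  - The author could not get the `call @@LStrLen` / `call @Format` lines to
 *    build inside the asm block; presumably because those are Delphi runtime
 *    symbols that a C build does not provide. strlen-style scanning and
 *    printf replace them.
 *
 * Returns 0 on success, 1 when no input could be read.
 */
int main()
{
    char name[256];
    unsigned int words[4];
    size_t len;

    printf("Name:");
    fflush(stdout);

    if (fgets(name, sizeof name, stdin) == NULL) {
        fprintf(stderr, "no input\n");
        return 1;
    }

    /* fgets keeps the line terminator, gets() did not: drop it. */
    len = strlen(name);
    if (len > 0 && name[len - 1] == '\n')
        name[len - 1] = '\0';

    derive_serial_words(name, words);

    printf("%04X-%04X-%04X-%04X", words[0], words[1], words[2], words[3]);
    return 0;
}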
如果要转载,请注明出处,虽然没多少字,但好歹也是原创的程序