010Editor Cracked分析详文


010Editor的破解,做个记录

首先在OD中打开010Editor,然后搜索字符串"Invalid name",可以看到有字符串"Invalid name or password. Please enter your name and password exactly as given when you purchased 010 Editor (make sure no quotes are included)."

跟踪到汇编窗口中,向上查找头部开始处

015380E0   > \6A FF         push    -1

接下来一段是取用户名和密码,略过

再下来是验证过程:

// 开始校验0153846F   .  51            push    ecx01538470   .  8B0D CC4D8701 mov     ecx, dword ptr [1874DCC]01538476   .  E8 60A1E8FF   call    013C25DB0153847B   .  8B0D CC4D8701 mov     ecx, dword ptr [1874DCC]01538481   .  68 23400000   push    402301538486   .  6A 07         push    701538488   .  E8 7E11E9FF   call    013C960B    ;校验0153848D   .  8B0D CC4D8701 mov     ecx, dword ptr [1874DCC]01538493   .  68 23400000   push    402301538498   .  6A 07         push    70153849A   .  8BD8          mov     ebx, eax0153849C   .  E8 D807E9FF   call    013C8C79    ;校验push ecx,结构0018D43C  98 A6 7D 08 01 00 00 00 60 FF 89 08 10 A6 7D 08  槮}...`?0018D44C  70 F4 83 08 00 D5 18 00 32 4B 6C 01 01 00 00 00  p魞.?.2Kl...{    QString u"01234-4567-89ab-cdef-3456"    NUM 1    QString u"01"    QString u"01234-4567-89ab-cdef-3456"    QString u"deadash"}mov ecx,x00852BC8       00 18 26 6C 70 F4 83 08 88 A5 7D 08 50 72 81 08  .&lp魞垾}Pr?{    QString::shared_null    QString u"deadash"    QString u"01234-4567-89ab-cdef-3456"    QString u""}=========================================================================================013C25DB:0161E0AE   .  52            push    edx0161E0AF   .  8BCE          mov     ecx, esi0161E0B1   .  E8 C4AADAFF   call    013C8B7A// 转化字符串为 16进制值 保存到堆栈临时变量中esp -> 0018D3DC// 01234-4567-89ab-cdef-3456$+1C     > 67452301$+20     > EFCDAB890018D3F8<$+1C>     01 23 45 67 89 AB CD EF 34 56 18 00              #Eg壂惋4V.≡pass[10] = { 01 23 45 67 89 AB CD EF 34 56};0161E0DE   .  8A4424 1F     mov     al, byte ptr [esp+1F]    ;670161E0E2   .  8A5C24 21     mov     bl, byte ptr [esp+21]    ;AB// al = pass[3], bl = pass[5];BYTE bRet = 0;switch(al){case 0x9C:    L_EOEA:    break;case 0xFC:    break;case 0xAC:    break;default:    bRet = 0xE7    break;}------------------------------------------------------------------------------------------L_EOEA:([esp+1c] -> pass[0])0161E0EA   .  
8A5424 23     mov     dl, byte ptr [esp+23]                        ;  Case 9C of switch 0161E0E60161E0EE   .  325424 1D     xor     dl, byte ptr [esp+1D]0161E0F2   .  8A4C24 22     mov     cl, byte ptr [esp+22]0161E0F6   .  324C24 1C     xor     cl, byte ptr [esp+1C]0161E0FA   .  66:0FB6C2     movzx   ax, dl0161E0FE   .  884C24 18     mov     byte ptr [esp+18], cl// ax = p[7] ^ p[1] // t  = p[6] ^ p[0]    ; t-> [esp+18]0161E102   .  B9 00010000   mov     ecx, 1000161E107   .  66:0FAFC1     imul    ax, cx// ax *= 0x100;0161E10B   .  8AD3          mov     dl, bl    ; bl = pass[5]0161E10D   .  325424 1E     xor     dl, byte ptr [esp+1E]0161E111   .  66:0FB6CA     movzx   cx, dl0161E115   .  8B5424 18     mov     edx, dword ptr [esp+18]0161E119   .  66:03C1       add     ax, cx// ax += pass[5] ^ pass[2];0161E11C   .  52            push    edx        ;t0161E11D   .  0FB7F8        movzx   edi, ax    ;规避值 -> edi0161E120   .  E8 BA8BDAFF   call    013C6CDFL_6CDF: 0161C870   > \8A4424 04     mov     al, byte ptr [esp+4] 0161C874   .  34 18         xor     al, 18 0161C876   .  04 3D         add     al, 3D 0161C878   .  34 A7         xor     al, 0A7 0161C87A   .  C3            retn // return ((param ^ 0x18) + 0x3D) ^ 0xA7;//L_6CDF(t);0161E125   .  0FB6C0        movzx   eax, al0161E128   .  57            push    edi0161E129   .  8946 1C       mov     dword ptr [esi+1C], eax0161E12C   .  E8 3997DAFF   call    013C786A// save eax -> [esi+0x1c]L_C880: 0161C880   > \8B4424 04     mov     eax, dword ptr [esp+4] 0161C884   .  35 92780000   xor     eax, 7892 0161C889   .  05 304D0000   add     eax, 4D30 0161C88E   .  35 21340000   xor     eax, 3421 0161C893   .  0FB7C0        movzx   eax, ax 0161C896   .  99            cdq 0161C897   .  B9 0B000000   mov     ecx, 0B 0161C89C   .  F7F9          idiv    ecx 0161C89E   .  85D2          test    edx, edx 0161C8A0   .  74 02         je      short 0161C8A4 0161C8A2   .  
33C0          xor     eax, eax 0161C8A4   >  C3            retn //WORD k = (((param^0x7892+0x4D30)^0x3421)); // if(k % 0x0B !=0) return 0; // else return (k/0x0B);//L_C880(edi);0161E131   .  8B4E 1C       mov     ecx, dword ptr [esi+1C]0161E134   .  0FB7C0        movzx   eax, ax0161E137   .  83C4 08       add     esp, 80161E13A   .  8946 20       mov     dword ptr [esi+20], eax// 保存 -> [esi+0x20];// 取ecx<- [esi+0x1C];0161E13D   .  85C9          test    ecx, ecx0161E13F   .  0F84 3B010000 je      0161E2800161E145   .  85C0          test    eax, eax0161E147   .  0F84 33010000 je      0161E2800161E14D   .  3D E8030000   cmp     eax, 3E80161E152   .  0F87 28010000 ja      0161E280// if(ecx == 0 || eax ==0 || eax >0x3E8) return 0xE7;0161E158   .  83F9 02       cmp     ecx, 20161E15B   .  1BFF          sbb     edi, edi0161E15D   .  23F9          and     edi, ecx// (ecx<2.cf=1) (ecx>=2.cf=0) edi=0-cf. edi&=ecx// edi = ecx \  edi = 0 。对下面的调用有影响0161E23B   .  8B41 0C       mov     eax, dword ptr [ecx+C]    ; name="deadash"0161E23E   .  8B56 20       mov     edx, dword ptr [esi+20]    ; 上面保存的值 /0x0B,可能是点击次数0161E243   .  807C24 1F FC  cmp     byte ptr [esp+1F], 0FC// 比较 pass[3] == 0xFC============================================================================================0161E248   .  52            push    edx0161E249   .  0F95C1        setne   cl0161E24C   .  57            push    edi0161E24D   .  51            push    ecx0161E24E   .  50            push    eax0161E24F   .  E8 9846DAFF   call    013C28EC// 用户名处理堆栈$-10     > 0880EAC0  ASCII "deadash"    ;eax            // name$-C      > 00000001    ;cl = (pass[3]==0xFC)?0:1.        // param1$-8      > 00000000    ;edi    // 可能是版本            // param2$-4      > 00000001    ;edx    // 手工赋值为 1         // param30161C510   > /8A08          mov     cl, byte ptr [eax]0161C512   . |40            inc     eax0161C513   . |84C9          test    cl, cl0161C515   .^\75 F9         jnz     short 0161C5100161C51B   .  
894424 10     mov     dword ptr [esp+10], eax// strlen(name) -> 临时变量 [esp+10]0161C525   .  8B4424 24     mov     eax, dword ptr [esp+24]// eax <- param30161C52B   .  8BF8          mov     edi, eax0161C52D   .  C1E7 04       shl     edi, 40161C530   .  2BF8          sub     edi, eax            ; param3 << 4 - param3(param3 *15)0161C532   .  8B4424 28     mov     eax, dword ptr [esp+28]    ;param20161C536   .  8BF0          mov     esi, eax0161C538   .  C1E6 04       shl     esi, 40161C53B   .  895C24 14     mov     dword ptr [esp+14], ebx    ; ebx 固定00161C53F   .  895C24 10     mov     dword ptr [esp+10], ebx    0161C543   .  03F0          add     esi, eax            ;param2 << 4 + param2 (param2 *17)    LOOP:0161C545   > /8B4424 20     mov     eax, dword ptr [esp+20]    ;name,"deadash"0161C549   . |0FB60C03      movzx   ecx, byte ptr [ebx+eax]    ;eax ->&pName, ebx-> i(0)0161C54D   .  51            push    ecx                                          ; /c0161C54E   .  FF15 60908701 call    dword ptr [<&MSVCR90.toupper>]               ; \toupper// c = name[i].toupper;0161C557   .  837C24 24 00  cmp     dword ptr [esp+24], 0    ;param10161C55C   .  74 5B         je      short 0161C5B9if(param1 != 0)---> L_C55Eelse---> L_C5B9L_C55E:0161C55E   .  8B0C85 F0B586>mov     ecx, dword ptr [eax*4+186B5F0]    0161C565   .  8D50 0D       lea     edx, dword ptr [eax+D]        0161C568   .  81E2 FF000000 and     edx, 0FF                0161C56E   .  03CD          add     ecx, ebp                // ecx = p[c]+ ebp; -- ebp初始值为00161C570   .  330C95 F0B586>xor     ecx, dword ptr [edx*4+186B5F0]    // ecx ^= p[ BYTE(c+D)];0161C577   .  83C0 2F       add     eax, 2F0161C57A   .  25 FF000000   and     eax, 0FF0161C57F   .  0FAF0C85 F0B5>imul    ecx, dword ptr [eax*4+186B5F0]    // ecx *= p[ BYTE(c+0x2F)];0161C587   .  8BD6          mov     edx, esi                0161C589   .  81E2 FF000000 and     edx, 0FF0161C58F   .  
030C95 F0B586>add     ecx, dword ptr [edx*4+186B5F0]    // ecx += p[ BYTE(esi)]; -- esi有初始值0161C596   .  8B5424 10     mov     edx, dword ptr [esp+10]        // 初始值为00161C59A   .  8BC7          mov     eax, edi0161C59C   .  25 FF000000   and     eax, 0FF0161C5A1   .  030C85 F0B586>add     ecx, dword ptr [eax*4+186B5F0]    // ecx += p[ BYTE(edi)]; -- edi有初始值0161C5A8   .  81E2 FF000000 and     edx, 0FF0161C5AE   .  030C95 F0B586>add     ecx, dword ptr [edx*4+186B5F0]       // ecx += p[ BYTE(t1)]; --临时变量 [esp+10],初始00161C5B5   .  8BE9          mov     ebp, ecx                // ebp <- ecx ,保存值// k = (k + p[c]) ^ p[c+d] * p[c+2F] + p[esi]+ p[edi] + p[t1] ; L_c5b9:0161C5B9   > \8B1485 F0B586>mov     edx, dword ptr [eax*4+186B5F0]0161C5C0   .  8D48 3F       lea     ecx, dword ptr [eax+3F]0161C5C3   .  03D5          add     edx, ebp0161C5C5   .  83C0 17       add     eax, 170161C5C8   .  81E1 FF000000 and     ecx, 0FF0161C5CE   .  33148D F0B586>xor     edx, dword ptr [ecx*4+186B5F0]0161C5D5   .  25 FF000000   and     eax, 0FF0161C5DA   .  0FAF1485 F0B5>imul    edx, dword ptr [eax*4+186B5F0]0161C5E2   .  8BC6          mov     eax, esi0161C5E4   .  25 FF000000   and     eax, 0FF0161C5E9   .  031485 F0B586>add     edx, dword ptr [eax*4+186B5F0]0161C5F0   .  8B4424 14     mov     eax, dword ptr [esp+14]        // 临时变量 t2 初始00161C5F4   .  8BCF          mov     ecx, edi0161C5F6   .  81E1 FF000000 and     ecx, 0FF0161C5FC   .  03148D F0B586>add     edx, dword ptr [ecx*4+186B5F0]0161C603   .  25 FF000000   and     eax, 0FF0161C608   .  031485 F0B586>add     edx, dword ptr [eax*4+186B5F0]0161C60F   .  8BEA          mov     ebp, edx// k = (k + p[c]) ^ p[c+3f] *p[c+17] + p[esi] + p[edi] + p[t2] ;// 全部跳转 <循环判断>0161C611   > \834424 10 13  add     dword ptr [esp+10], 13    ; t1 += 130161C616   .  834424 14 07  add     dword ptr [esp+14], 7    ; t2 += 70161C61B   .  43            inc     ebx                ;i++0161C61C   .  83C6 09       add     esi, 9            ; esi += 90161C61F   .  
83C7 0D       add     edi, 0D            ; edi += 0x0d0161C622   .  3B5C24 18     cmp     ebx, dword ptr [esp+18]    ; i < len,goto loop0161C626   .^ 0F8C 19FFFFFF jl      0161C545// return ebp=============================================================================================================0161E257   .  384424 20     cmp     byte ptr [esp+20], al// 比较最低位 是否和 pass[4]相等 不等返回 0xE70161E28A   > \8BD0          mov     edx, eax0161E28C   .  C1EA 08       shr     edx, 8    0161E28F   .  3ADA          cmp     bl, dl    ; bl = pass[5]// 比较第二位 是否和 pass[5]相等 不等返回 0xE70161E2C0   > \8BC8          mov     ecx, eax0161E2C2   .  C1E9 10       shr     ecx, 100161E2C5   .  384C24 22     cmp     byte ptr [esp+22], cl0161E2C9   .^ 75 92         jnz     short 0161E25D// 比较第三位, 是否和 pass[6]相等 不等返回 0xE70161E2CB   .  8BD0          mov     edx, eax0161E2CD   .  C1EA 18       shr     edx, 180161E2D0   .  385424 23     cmp     byte ptr [esp+23], dl// 比较第四位 是否和 pass[7]相等 不等返回 0xE7002CE2DA   .  80F9 9C       cmp     cl, 9C                                 ;  Switch (cases 9C..FC)002CE2DD   .  75 4E         jnz     short 002CE32D全部相等 且 pass[3] == 0x9C,0xFC,0xAC:返回 0x2d返回 0xDB.

接下来把上面代码转换成伪代码,更便于我们分析

取 用户名 string name;取 密码char pass[10];BYTE type = pass[3];    // 注册码类型BYTE ret;         // 返回结果 返回 0x2D 即注册成功switch(type){case 0x9C:// 只关注这个        break;case 0xFC:case 0xAC:default:    ret = 0xE7;    break;}==========================================================// 使用了 0,1,2,3,5,6,7// 返回校验 使用了 4,5,6,7ax = pass[7] ^ pass[1];t = pass[6] ^ pass[0];ax *= 0x100;ax += pass[5] ^ pass[2];hash_1(byte param){return ((param ^0x18) + 0x3D) ^ 0xA7;}x = hash_1(t);hash_2(word param){word k = (((param^0x7892+0x4D30)^0x3421));if(k % 0x0b !=0) return 0;else return (k / 0x0b);}y = hash_2(ax);if(x ==0 || y==0 || y > 0x3e8) return 0xE7;dword check_name(string name,     // "deadash"  bool type,             // (type==0xFC)?false:true  int version,            // x<2?x:0  int number            // y,可能是人数);value = check_name("deadash",true,0,1);value[0-3]; ==pass[4],pass[5],pass[6],pass[7]相等返回 0x2D;================================================================dword check_name(string name,     // "deadash"  bool type,             // (type==0xFC)?false:true  int version,            // x<2?x:0  int number            // y,可能是人数){  esi = number * 15;  edi = version * 17;  dword ret = 0;  for(int i = 0; i < strlen(name); i++){    char k = toupper(name[i]);     // 转化为大写    if(type){      ret = (ret + p[k]) ^ p[k+d] * p[k+2F] + p[esi]+ p[edi] + p[t1] ;    }else{      ret = (ret + p[k]) ^ p[k+3f] *p[k+17] + p[esi] + p[edi] + p[t2] ;    }    t1 += 13; t2 += 7;    esi += 9; edi += 0x0D;  }}===================================================================加密数据 (p)0051B5F0  B8 44 CB 39 67 4F 75 23 11 72 01 5F DA 24 BB 3E  窪?gOu#r_??0051B600  C6 07 17 35 4B 77 F9 63 88 72 82 17 21 48 E7 0F  ?5Kw鵦坮?!H?0051B610  0F 67 5F 5B E8 5A 31 48 69 77 5B 78 47 15 7A 2B  g_[鑊1Hiw[xGz+0051B620  92 12 D1 38 32 1B A1 42 44 22 33 35 60 7B 43 77  ??2D"35`{Cw0051B630  10 3B AB 1E 00 00 81 53 AE 12 02 1D A8 77 03 6F  ;?..丼?╳o0051B640  92 30 C0 43 8E 0A 3C 2D BF 0C 95 62 FA 6F F0 30  ?繡?<-?昩鷒?0051B650  E0 10 F7 34 FB 17 
F4 28 95 2F 0D 35 5A 1D 36 5A  ?????.5Z6Z0051B660  0B 06 CC 15 CC 13 FD 0A CF 3B 60 28 6B 06 71 33  ????`(kq30051B670  E4 14 CD 30 67 3A 5D 17 13 6A D6 6D F9 09 34 2D  ??g:]j謒?4-0051B680  82 7B 1E 58 99 6B 52 76 88 51 8D 5C 71 79 85 2C  倇X檏Rv圦峔qy?0051B690  C0 1F F5 15 11 0D CC 68 5C 5E F5 49 64 43 5E 27  ??.蘦\^鮅dC^'0051B6A0  BC 0D 1E 2D E3 7C EE 4C 40 58 55 32 08 2E 2E 11  ?-銃頛@XU2..0051B6B0  5A 06 78 69 06 14 92 72 E7 78 45 31 B7 21 56 17  Zxi抮鐇E1?V0051B6C0  BF 1D 77 40 D6 38 C2 3F 8A 12 31 4A 6E 03 AD 2D  ?w@???1Jn?0051B6D0  D6 69 A0 41 92 01 40 25 67 46 DD 00 4F 1F FC 6A  謎燗?@%gF?O黬0051B6E0  CE 40 10 57 DF 66 FE 62 3E 4B DB 41 1F 23 82 35  蜙W遞>K跘#?0051B6F0  9A 07 F6 55 44 06 A7 1C D2 43 16 1B C9 28 72 3F  ?鯱D?褻?r?0051B700  70 10 14 5F AB 74 14 3E 6E 25 4B 44 D9 50 70 53  p_玹>n%KD貾pS0051B710  4B 09 42 0F E6 20 D8 2F 5E 2E 8B 77 02 6D 17 71  K.B??^.媤mq0051B720  69 7A EA 7F 28 46 B5 5B 71 6C BA 19 99 3A 76 39  iz?(F礫ql??v90051B730  CD 54 8D 17 88 6E 24 01 7E 53 13 33 17 2D 8E 2B  蚑?坣$~S3-?0051B740  BE 10 3D 2A 82 05 D1 59 DB 63 A1 37 9A 48 D6 30  ?=*?裏踓?欻?0051B750  46 5C 21 6A 76 7A 1C 0E E7 60 C7 1F 65 0C B8 79  F\!jvz鏯?e.竬0051B760  B4 59 F4 27 26 73 9A 79 82 17 BA 50 5C 6D 11 2A  碮?&s歽?篜\m*0051B770  1B 6E 86 63 3C 0E 92 3F 90 34 02 55 89 60 B5 55  n哻<??U塦礥0051B780  D1 1F 39 2C C2 35 80 2F 7A 2B FD 64 9A 75 E8 4C  ?9,?€/z+齞歶鐻0051B790  F0 04 85 51 A8 01 95 79 AD 2C 5B 3F 60 01 E6 38  ?匭?晊?[?`?0051B7A0  D8 41 76 63 42 2A 35 33 19 2C A2 51 51 58 5C 08  谹vcB*53,QX\0051B7B0  AB 17 29 03 C7 0A 77 2B B3 77 AC 30 07 19 EC 2B  ?)?w+硍??0051B7C0  D0 02 52 03 D3 33 A9 0F F3 5D 25 61 BF 06 AD 22  ?R??骫%a??0051B7D0  71 69 B8 58 E5 0D CA 5F 56 64 0D 70 DB 73 A9 56  qi竂?蔩Vd.p踫¬0051B7E0  FD 59 B7 5A E2 0B 0E 33 DD 0D 3C 5B 60 3C 5D 49  齓穁?3?<[`<]I0051B7F0  A6 59 BD 53 91 6D 5E 4C 8D 31 D9 49 79 50 3D 10  絊憁^L?買yP=0051B800  E3 42 CE 61 1D 12 D5 7E ED 60 E1 14 F2 4E 2D 21  鉈蝍諂韅?騈-!0051B810  F0 33 01 27 96 5A 43 62 8B 5E A7 1F BE 2F 09 6F  ?'朲Cb媈??.o0051B820  49 0D 00 4A 70 1C AE 
57 77 24 4E 00 72 7E 1E 56  I..Jp甒w$N.r~V0051B830  33 00 8C 46 02 24 CC 5D C6 7A 50 78 C7 24 AF 58  3.孎$蘛苲Px?疿0051B840  34 2D F6 0D 08 47 8A 35 11 1E FB 3C 1C 45 71 2B  4-?G??Eq+0051B850  95 52 A7 77 21 07 89 56 F3 75 EF 0F F1 24 0F 12  昍!塚髐??0051B860  E7 0A 99 01 52 44 9C 33 8E 5B A1 27 6D 27 A7 0B  ??RD?嶽?m'?0051B870  7B 1B DC 60 82 7F 4B 4F 07 70 DB 67 D9 57 4A 4F  {躟?KOp踘賅JO0051B880  E8 52 12 62 FC 2C 53 20 06 03 39 6A 23 04 80 18  鑂b?S 9j#€0051B890  8A 77 F3 19 F0 16 23 46 37 09 AE 56 5C 67 C2 43  妛??#F7.甐\g翪0051B8A0  FD 45 CA 65 F2 4F 60 0D CB 22 FD 0B 3B 64 FE 3A  鼸蔱騉`.??;d?0051B8B0  A6 7F F6 3B 79 35 62 44 F8 31 40 18 97 4F 17 32  ??y5bD?@桹20051B8C0  2A 09 6A 4C 61 02 B5 5F 74 01 65 01 F1 4A 63 33  *.jLa礯te馢c30051B8D0  F4 18 2D 71 69 71 99 6E FE 7A AB 5D E8 2E 2B 7C  ?-qiq檔玗?+|0051B8E0  B4 75 DB 6E B6 6F 83 5F D6 6D 2A 3C C2 05 2D 29  磚踤秓僟謒*<?-)0051B8F0  DB 44 22 05 4F 5F 9A 14 40 65 48 5D EA 15 1D 33  跠"O_?@eH]?30051B900  20 69 45 4F 9F 69 3A 48 05 0F 45 3B 6C 7C 20 3B   iEO焛:HE;l| ;0051B910  FE 70 9D 74 F6 61 74 41 F1 31 B0 62 7B 57 50 27  漷鯽tA?癰{WP'0051B920  33 15 13 29 08 38 8C 58 56 34 EF 1A EC 00 3C 0F  3)8孹V4??<0051B930  42 47 A7 7D 6C 7A 79 4B 87 32 BB 5E B8 58 65 78  BGlzyK?籢竂ex0051B940  F2 4F ED 00 1E 69 69 62 5F 25 A2 24 7E 1F C1 62  騉?iib_%?~羈0051B950  CD 7D 8A 2F FE 17 3B 64 B8 18 83 77 FE 60 3B 25  蛚??;d?僿;%0051B960  A3 63 BB 34 4F 21 03 5B F4 71 15 5F 9F 6E 31 1A  ?O![魆_焠10051B970  04 27 CF 7A 38 68 89 28 77 46 61 18 EB 69 F5 1B  '蟴8h?wFa雐?0051B980  C9 5E A8 0B 46 6B CA 6A 2A 42 43 1E 0E 5F 4D 51  蒦?Fk蔶*BC_MQ0051B990  8C 01 3E 41 E9 26 76 30 FA 1D ED 01 5A 6F F4 49  ?>A?v0??Zo鬒0051B9A0  2B 64 1B 46 F2 07 70 7D 57 26 65 13 C5 0B 16 6B  +dF?p}W&e?k0051B9B0  49 48 E0 65 1C 6E 52 1F B6 51 02 5A 69 3F D7 2B  IH鄀nR禥Zi??0051B9C0  CD 7A BF 2D 80 3E E6 51 0F 67 F2 5C 03 0A CD 21  蛕?€>鍽g騖.?0051B9D0  61 02 FF 5C 1E 06 AE 33 5F 34 B6 3B 75 4A 81 5D  a\?_4?uJ乚0051B9E0  F4 5D 7B 25 5B 2C 5C 0A 27 55 A4 16 45 39 F2 16  鬩{%[,\.'U?E9?
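最后,根据伪代码的分析,写出一个注册机。从上面的分析可以看到,校验端只是用用户名和程序内置的查表数据重新计算出同一个值,再与注册码中的字节逐一比较,其余字段也只经过可逆的异或/加减运算;从所见代码看,校验中没有用到任何只有发行方才持有的密钥(例如非对称签名),所以校验逻辑本身就足以反推出生成逻辑,这是此类纯本地校验方案的根本弱点。注册机关键代码如下所示: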
typedef unsigned char u_char;typedef unsigned int  u_int;typedef unsigned short u_short;u_int generate(const char *name,// 用户名u_char type,// 类型 固定 0x9Cu_char version,// 版本 -- version < 2?version:0, version必须大于7u_char number// 用户数 (1-200 个人 200以上 site license) );/************************************************************************//* 注册码结构                                                           *//************************************************************************/// pass[3] = 0x9C;// 版本 0x9C// pass[4] = gen & 0xFF; // 低位// pass[5] = gen >> 0x08 & 0xFF; // pass[6] = gen >> 0x10 & 0xFF;// pass[7] = gen >> 0x18 & 0xFF;/************************************************************************//* 校验许可人数                                                         *//************************************************************************///number = _check_number( (pass[7] ^x1) * 0x100 + (pass[5] ^x2) );u_short check_number(u_short number); // number >0 && < 1000;// pass[1] = (HIBYTE(chk) ^ pass[7]);// pass[2] = (LOBYTE(chk) ^ pass[5]);/************************************************************************//* 校验版本                                                             *//************************************************************************/u_char check_version(u_char version);// 必须大于等于 7// pass[0] = chk ^ pass[6];
/************************************************************************//* 关键数据                                                             *//************************************************************************/unsigned char data[1024] = {0xB8, 0x44, 0xCB, 0x39, 0x67, 0x4F, 0x75, 0x23, 0x11, 0x72, 0x01, 0x5F, 0xDA, 0x24, 0xBB, 0x3E, 0xC6, 0x07, 0x17, 0x35, 0x4B, 0x77, 0xF9, 0x63, 0x88, 0x72, 0x82, 0x17, 0x21, 0x48, 0xE7, 0x0F, 0x0F, 0x67, 0x5F, 0x5B, 0xE8, 0x5A, 0x31, 0x48, 0x69, 0x77, 0x5B, 0x78, 0x47, 0x15, 0x7A, 0x2B, 0x92, 0x12, 0xD1, 0x38, 0x32, 0x1B, 0xA1, 0x42, 0x44, 0x22, 0x33, 0x35, 0x60, 0x7B, 0x43, 0x77, 0x10, 0x3B, 0xAB, 0x1E, 0x00, 0x00, 0x81, 0x53, 0xAE, 0x12, 0x02, 0x1D, 0xA8, 0x77, 0x03, 0x6F, 0x92, 0x30, 0xC0, 0x43, 0x8E, 0x0A, 0x3C, 0x2D, 0xBF, 0x0C, 0x95, 0x62, 0xFA, 0x6F, 0xF0, 0x30, 0xE0, 0x10, 0xF7, 0x34, 0xFB, 0x17, 0xF4, 0x28, 0x95, 0x2F, 0x0D, 0x35, 0x5A, 0x1D, 0x36, 0x5A, 0x0B, 0x06, 0xCC, 0x15, 0xCC, 0x13, 0xFD, 0x0A, 0xCF, 0x3B, 0x60, 0x28, 0x6B, 0x06, 0x71, 0x33, 0xE4, 0x14, 0xCD, 0x30, 0x67, 0x3A, 0x5D, 0x17, 0x13, 0x6A, 0xD6, 0x6D, 0xF9, 0x09, 0x34, 0x2D, 0x82, 0x7B, 0x1E, 0x58, 0x99, 0x6B, 0x52, 0x76, 0x88, 0x51, 0x8D, 0x5C, 0x71, 0x79, 0x85, 0x2C, 0xC0, 0x1F, 0xF5, 0x15, 0x11, 0x0D, 0xCC, 0x68, 0x5C, 0x5E, 0xF5, 0x49, 0x64, 0x43, 0x5E, 0x27, 0xBC, 0x0D, 0x1E, 0x2D, 0xE3, 0x7C, 0xEE, 0x4C, 0x40, 0x58, 0x55, 0x32, 0x08, 0x2E, 0x2E, 0x11, 0x5A, 0x06, 0x78, 0x69, 0x06, 0x14, 0x92, 0x72, 0xE7, 0x78, 0x45, 0x31, 0xB7, 0x21, 0x56, 0x17, 0xBF, 0x1D, 0x77, 0x40, 0xD6, 0x38, 0xC2, 0x3F, 0x8A, 0x12, 0x31, 0x4A, 0x6E, 0x03, 0xAD, 0x2D, 0xD6, 0x69, 0xA0, 0x41, 0x92, 0x01, 0x40, 0x25, 0x67, 0x46, 0xDD, 0x00, 0x4F, 0x1F, 0xFC, 0x6A, 0xCE, 0x40, 0x10, 0x57, 0xDF, 0x66, 0xFE, 0x62, 0x3E, 0x4B, 0xDB, 0x41, 0x1F, 0x23, 0x82, 0x35, 0x9A, 0x07, 0xF6, 0x55, 0x44, 0x06, 0xA7, 0x1C, 0xD2, 0x43, 0x16, 0x1B, 0xC9, 0x28, 0x72, 0x3F, 0x70, 0x10, 0x14, 0x5F, 0xAB, 0x74, 0x14, 0x3E, 0x6E, 0x25, 0x4B, 0x44, 0xD9, 0x50, 0x70, 0x53, 0x4B, 0x09, 0x42, 0x0F, 
0xE6, 0x20, 0xD8, 0x2F, 0x5E, 0x2E, 0x8B, 0x77, 0x02, 0x6D, 0x17, 0x71, 0x69, 0x7A, 0xEA, 0x7F, 0x28, 0x46, 0xB5, 0x5B, 0x71, 0x6C, 0xBA, 0x19, 0x99, 0x3A, 0x76, 0x39, 0xCD, 0x54, 0x8D, 0x17, 0x88, 0x6E, 0x24, 0x01, 0x7E, 0x53, 0x13, 0x33, 0x17, 0x2D, 0x8E, 0x2B, 0xBE, 0x10, 0x3D, 0x2A, 0x82, 0x05, 0xD1, 0x59, 0xDB, 0x63, 0xA1, 0x37, 0x9A, 0x48, 0xD6, 0x30, 0x46, 0x5C, 0x21, 0x6A, 0x76, 0x7A, 0x1C, 0x0E, 0xE7, 0x60, 0xC7, 0x1F, 0x65, 0x0C, 0xB8, 0x79, 0xB4, 0x59, 0xF4, 0x27, 0x26, 0x73, 0x9A, 0x79, 0x82, 0x17, 0xBA, 0x50, 0x5C, 0x6D, 0x11, 0x2A, 0x1B, 0x6E, 0x86, 0x63, 0x3C, 0x0E, 0x92, 0x3F, 0x90, 0x34, 0x02, 0x55, 0x89, 0x60, 0xB5, 0x55, 0xD1, 0x1F, 0x39, 0x2C, 0xC2, 0x35, 0x80, 0x2F, 0x7A, 0x2B, 0xFD, 0x64, 0x9A, 0x75, 0xE8, 0x4C, 0xF0, 0x04, 0x85, 0x51, 0xA8, 0x01, 0x95, 0x79, 0xAD, 0x2C, 0x5B, 0x3F, 0x60, 0x01, 0xE6, 0x38, 0xD8, 0x41, 0x76, 0x63, 0x42, 0x2A, 0x35, 0x33, 0x19, 0x2C, 0xA2, 0x51, 0x51, 0x58, 0x5C, 0x08, 0xAB, 0x17, 0x29, 0x03, 0xC7, 0x0A, 0x77, 0x2B, 0xB3, 0x77, 0xAC, 0x30, 0x07, 0x19, 0xEC, 0x2B, 0xD0, 0x02, 0x52, 0x03, 0xD3, 0x33, 0xA9, 0x0F, 0xF3, 0x5D, 0x25, 0x61, 0xBF, 0x06, 0xAD, 0x22, 0x71, 0x69, 0xB8, 0x58, 0xE5, 0x0D, 0xCA, 0x5F, 0x56, 0x64, 0x0D, 0x70, 0xDB, 0x73, 0xA9, 0x56, 0xFD, 0x59, 0xB7, 0x5A, 0xE2, 0x0B, 0x0E, 0x33, 0xDD, 0x0D, 0x3C, 0x5B, 0x60, 0x3C, 0x5D, 0x49, 0xA6, 0x59, 0xBD, 0x53, 0x91, 0x6D, 0x5E, 0x4C, 0x8D, 0x31, 0xD9, 0x49, 0x79, 0x50, 0x3D, 0x10, 0xE3, 0x42, 0xCE, 0x61, 0x1D, 0x12, 0xD5, 0x7E, 0xED, 0x60, 0xE1, 0x14, 0xF2, 0x4E, 0x2D, 0x21, 0xF0, 0x33, 0x01, 0x27, 0x96, 0x5A, 0x43, 0x62, 0x8B, 0x5E, 0xA7, 0x1F, 0xBE, 0x2F, 0x09, 0x6F, 0x49, 0x0D, 0x00, 0x4A, 0x70, 0x1C, 0xAE, 0x57, 0x77, 0x24, 0x4E, 0x00, 0x72, 0x7E, 0x1E, 0x56, 0x33, 0x00, 0x8C, 0x46, 0x02, 0x24, 0xCC, 0x5D, 0xC6, 0x7A, 0x50, 0x78, 0xC7, 0x24, 0xAF, 0x58, 0x34, 0x2D, 0xF6, 0x0D, 0x08, 0x47, 0x8A, 0x35, 0x11, 0x1E, 0xFB, 0x3C, 0x1C, 0x45, 0x71, 0x2B, 0x95, 0x52, 0xA7, 0x77, 0x21, 0x07, 0x89, 0x56, 0xF3, 0x75, 0xEF, 0x0F, 0xF1, 0x24, 0x0F, 0x12, 0xE7, 
0x0A, 0x99, 0x01, 0x52, 0x44, 0x9C, 0x33, 0x8E, 0x5B, 0xA1, 0x27, 0x6D, 0x27, 0xA7, 0x0B, 0x7B, 0x1B, 0xDC, 0x60, 0x82, 0x7F, 0x4B, 0x4F, 0x07, 0x70, 0xDB, 0x67, 0xD9, 0x57, 0x4A, 0x4F, 0xE8, 0x52, 0x12, 0x62, 0xFC, 0x2C, 0x53, 0x20, 0x06, 0x03, 0x39, 0x6A, 0x23, 0x04, 0x80, 0x18, 0x8A, 0x77, 0xF3, 0x19, 0xF0, 0x16, 0x23, 0x46, 0x37, 0x09, 0xAE, 0x56, 0x5C, 0x67, 0xC2, 0x43, 0xFD, 0x45, 0xCA, 0x65, 0xF2, 0x4F, 0x60, 0x0D, 0xCB, 0x22, 0xFD, 0x0B, 0x3B, 0x64, 0xFE, 0x3A, 0xA6, 0x7F, 0xF6, 0x3B, 0x79, 0x35, 0x62, 0x44, 0xF8, 0x31, 0x40, 0x18, 0x97, 0x4F, 0x17, 0x32, 0x2A, 0x09, 0x6A, 0x4C, 0x61, 0x02, 0xB5, 0x5F, 0x74, 0x01, 0x65, 0x01, 0xF1, 0x4A, 0x63, 0x33, 0xF4, 0x18, 0x2D, 0x71, 0x69, 0x71, 0x99, 0x6E, 0xFE, 0x7A, 0xAB, 0x5D, 0xE8, 0x2E, 0x2B, 0x7C, 0xB4, 0x75, 0xDB, 0x6E, 0xB6, 0x6F, 0x83, 0x5F, 0xD6, 0x6D, 0x2A, 0x3C, 0xC2, 0x05, 0x2D, 0x29, 0xDB, 0x44, 0x22, 0x05, 0x4F, 0x5F, 0x9A, 0x14, 0x40, 0x65, 0x48, 0x5D, 0xEA, 0x15, 0x1D, 0x33, 0x20, 0x69, 0x45, 0x4F, 0x9F, 0x69, 0x3A, 0x48, 0x05, 0x0F, 0x45, 0x3B, 0x6C, 0x7C, 0x20, 0x3B, 0xFE, 0x70, 0x9D, 0x74, 0xF6, 0x61, 0x74, 0x41, 0xF1, 0x31, 0xB0, 0x62, 0x7B, 0x57, 0x50, 0x27, 0x33, 0x15, 0x13, 0x29, 0x08, 0x38, 0x8C, 0x58, 0x56, 0x34, 0xEF, 0x1A, 0xEC, 0x00, 0x3C, 0x0F, 0x42, 0x47, 0xA7, 0x7D, 0x6C, 0x7A, 0x79, 0x4B, 0x87, 0x32, 0xBB, 0x5E, 0xB8, 0x58, 0x65, 0x78, 0xF2, 0x4F, 0xED, 0x00, 0x1E, 0x69, 0x69, 0x62, 0x5F, 0x25, 0xA2, 0x24, 0x7E, 0x1F, 0xC1, 0x62, 0xCD, 0x7D, 0x8A, 0x2F, 0xFE, 0x17, 0x3B, 0x64, 0xB8, 0x18, 0x83, 0x77, 0xFE, 0x60, 0x3B, 0x25, 0xA3, 0x63, 0xBB, 0x34, 0x4F, 0x21, 0x03, 0x5B, 0xF4, 0x71, 0x15, 0x5F, 0x9F, 0x6E, 0x31, 0x1A, 0x04, 0x27, 0xCF, 0x7A, 0x38, 0x68, 0x89, 0x28, 0x77, 0x46, 0x61, 0x18, 0xEB, 0x69, 0xF5, 0x1B, 0xC9, 0x5E, 0xA8, 0x0B, 0x46, 0x6B, 0xCA, 0x6A, 0x2A, 0x42, 0x43, 0x1E, 0x0E, 0x5F, 0x4D, 0x51, 0x8C, 0x01, 0x3E, 0x41, 0xE9, 0x26, 0x76, 0x30, 0xFA, 0x1D, 0xED, 0x01, 0x5A, 0x6F, 0xF4, 0x49, 0x2B, 0x64, 0x1B, 0x46, 0xF2, 0x07, 0x70, 0x7D, 0x57, 0x26, 0x65, 0x13, 0xC5, 0x0B, 
0x16, 0x6B, 0x49, 0x48, 0xE0, 0x65, 0x1C, 0x6E, 0x52, 0x1F, 0xB6, 0x51, 0x02, 0x5A, 0x69, 0x3F, 0xD7, 0x2B, 0xCD, 0x7A, 0xBF, 0x2D, 0x80, 0x3E, 0xE6, 0x51, 0x0F, 0x67, 0xF2, 0x5C, 0x03, 0x0A, 0xCD, 0x21, 0x61, 0x02, 0xFF, 0x5C, 0x1E, 0x06, 0xAE, 0x33, 0x5F, 0x34, 0xB6, 0x3B, 0x75, 0x4A, 0x81, 0x5D, 0xF4, 0x5D, 0x7B, 0x25, 0x5B, 0x2C, 0x5C, 0x0A, 0x27, 0x55, 0xA4, 0x16, 0x45, 0x39, 0xF2, 0x16};/************************************************************************//* 生成注册码                                                           *//************************************************************************/u_int generate(const char *name,u_char type,u_char version,u_char number){version = version<2?version:0;u_char edi = number * 15;u_char esi = version *17;u_char t1 = 0,t2 = 0;DWORD *p = (DWORD *)data;unsigned int ret = 0;int len = strlen(name);for(int i = 0; i < len; i++){u_char k = toupper(name[i]);if(type != 0xFC ){ret = ( (ret + p[k]) ^ p[BYTE(k+ 0x0D)] ) * p[BYTE(k+ 0x2F)] + p[esi] + p[edi] + p[t1] ;}else {ret = ( (ret + p[k]) ^ p[BYTE(k+ 0x3F)] ) * p[BYTE(k+ 0x17)] + p[esi] + p[edi] + p[t2] ;}t1 += 0x13; t2 += 0x07;esi += 9; edi += 0x0D;}return ret;}// old functionu_char _check_number(u_short param){u_short k = (((param^0x7892+0x4D30)^0x3421));if( k % 0x0b != 0) return 0;// 不能整除else return (k / 0x0b);}u_short check_number(u_short number){return (((0xB * number// 0xB 的整数倍) ^ 0x3421) - 0x4D30 ) ^ 0x7892;}// old_functionu_char _check_version(u_char param){return ((param ^ 0x18)+ 0x3D) ^ 0xA7;}u_char check_version(u_char param){return (((param ^ 0xA7) - 0x3D) ^ 0x18);}



