刚接触这个软件的朋友同样会发现注册有点小难度。相比微信绑定QQ账号即可一键登入,陌陌的重新注册难住了不少陌友,也影响了大家的使用兴趣。基于这个原因,小编就把自己注册的过程整理了出来。
===================Open Cracking Group======================== = = MouseStar V3.01注册算法分析 = = ssljx/OCG = http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi = ===================Open Cracking Group======================== :0047A051 E81E24FBFF call 0042C474 :0047A056 8B45E4 mov eax, dword ptr [ebp-1C] :0047A059 8D55F8 lea edx, dword ptr [ebp-08] :0047A05C E843DEF8FF call 00407EA4 :0047A061 8D4DFC lea ecx, dword ptr [ebp-04] :0047A064 8B55F8 mov edx, dword ptr [ebp-08] :0047A067 8BC3 mov eax, ebx :0047A069 E87EFEFFFF call 00479EEC去掉注册名最后空格 :00479F24 8B45E4 mov eax, dword ptr [ebp-1C] :00479F27 8D55E8 lea edx, dword ptr [ebp-18] :00479F2A E865DDF8FF call 00407C94======>将注册名全部转换成大写字母 :00479F2F 8B55E8 mov edx, dword ptr [ebp-18] :00479F32 8D45F8 lea eax, dword ptr [ebp-08] * Possible StringData Ref from Code Obj ->"delphi" | :00479F35 B9A89F4700 mov ecx, 00479FA8 :00479F3A E8E59DF8FF call 00403D24======>大写的注册名+'delphi' :00479F3F 8D45F4 lea eax, dword ptr [ebp-0C] * Possible StringData Ref from Code Obj ->"MagicUtils" | :00479F42 BAB89F4700 mov edx, 00479FB8 :00479F47 E8A49BF8FF call 00403AF0 :00479F4C 8D45F0 lea eax, dword ptr [ebp-10] * Possible StringData Ref from Code Obj ->"zhiyuan" | :00479F4F BACC9F4700 mov edx, 00479FCC :00479F54 E8979BF8FF call 00403AF0 :00479F59 8D45EC lea eax, dword ptr [ebp-14] * Possible StringData Ref from Code Obj ->"3.0" | :00479F5C BADC9F4700 mov edx, 00479FDC :00479F61 E88A9BF8FF call 00403AF0 :00479F66 8B45EC mov eax, dword ptr [ebp-14]==>'3.0' :00479F69 50 push eax :00479F6A 53 push ebx :00479F6B 8B4DF0 mov ecx, dword ptr [ebp-10]==>'zhiyuan' :00479F6E 8B55F4 mov edx, dword ptr [ebp-0C]==>'MagicUtils' :00479F71 8B45F8 mov eax, dword ptr [ebp-08]==>UpperCase(Name)+'delphi' :00479F74 E883A7FFFF call 004746FC======>进行计算 ===============================SUB 004746FC=========================== :004746FC 55 push ebp : : :00474751 50 push eax :00474752 8D45EC lea eax, dword ptr [ebp-14] :00474755 50 push eax :00474756 8B4DF4 mov ecx, dword ptr 
[ebp-0C] :00474759 8B55F8 mov edx, dword ptr [ebp-08] :0047475C 8B45FC mov eax, dword ptr [ebp-04] :0047475F E880FDFFFF call 004744E4==>产生后面十位字符串 ================================SUB 004744E4======================================= :004744E4 55 push ebp :004744E5 8BEC mov ebp, esp :004744E7 83C4E8 add esp, FFFFFFE8 :: :: :00474522 689F454700 push 0047459F :00474527 64FF30 push dword ptr fs:[eax] :0047452A 648920 mov dword ptr fs:[eax], esp :0047452D 33D2 xor edx, edx :0047452F 8B450C mov eax, dword ptr [ebp+0C] :00474532 E8993BF9FF call 004080D0 :00474537 8BD0 mov edx, eax :00474539 8D4DF0 lea ecx, dword ptr [ebp-10] :0047453C B8B0454700 mov eax, 004745B0 :00474541 E86E000000 call 004745B4 :00474546 8B45F4 mov eax, dword ptr [ebp-0C] :00474549 E84EF9F8FF call 00403E9C :0047454E 8D4DEC lea ecx, dword ptr [ebp-14]//'zhiyuan' :00474551 33D2 xor edx, edx :00474553 E85C000000 call 004745B4 ========================SUB 004745B4================================= :004745B4 55 push ebp :004745B5 8BEC mov ebp, esp :004745B7 83C4EC add esp, FFFFFFEC :004745BA 53 push ebx :004745BB 56 push esi :004745BC 57 push edi :004745BD 33DB xor ebx, ebx :004745BF 895DEC mov dword ptr [ebp-14], ebx :004745C2 895DF0 mov dword ptr [ebp-10], ebx :004745C5 894DF8 mov dword ptr [ebp-08], ecx :004745C8 8BF2 mov esi, edx :004745CA 8945FC mov dword ptr [ebp-04], eax :004745CD 33C0 xor eax, eax :004745CF 55 push ebp :004745D0 68EE464700 push 004746EE :004745D5 64FF30 push dword ptr fs:[eax] :004745D8 648920 mov dword ptr fs:[eax], esp :004745DB 8D45F0 lea eax, dword ptr [ebp-10] :004745DE 8B55FC mov edx, dword ptr [ebp-04] :004745E1 E82AF6F8FF call 00403C10 :004745E6 8B45F0 mov eax, dword ptr [ebp-10] :004745E9 E8EAF6F8FF call 00403CD8 :004745EE 8BD8 mov ebx, eax :004745F0 85DB test ebx, ebx :004745F2 7513 jne 00474607 :004745F4 8935F8E94700 mov dword ptr [0047E9F8], esi :004745FA 6BC664 imul eax, esi, 00000064 :004745FD A3FCE94700 mov dword ptr [0047E9FC], eax :00474602 E9CC000000 jmp 004746D3 * 
Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004745F2(C) | :00474607 8B45F8 mov eax, dword ptr [ebp-08] :0047460A E849F4F8FF call 00403A58 :0047460F 8BFB mov edi, ebx :00474611 4F dec edi :00474612 85FF test edi, edi :00474614 0F8CB9000000 jl 004746D3 :0047461A 47 inc edi :0047461B 33F6 xor esi, esi =============================================================================== * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004746CD(C) | :0047461D 8B45FC mov eax, dword ptr [ebp-04] :00474620 8A0430 mov al, byte ptr [eax+esi] :00474623 3C20 cmp al, 20---------\ :00474625 0F82A0000000 jb 004746CB 规定了注册名的范围 :0047462B 3C7E cmp al, 7E :0047462D 0F8798000000 ja 004746CB--------/ :00474633 8B15F8E94700 mov edx, dword ptr [0047E9F8] :00474639 81E2FFFFFF1F and edx, 1FFFFFFF :0047463F 8B0DF8E94700 mov ecx, dword ptr [0047E9F8] :00474645 C1E91D shr ecx, 1D :00474648 83E131 and ecx, 00000031 :0047464B 33D1 xor edx, ecx :0047464D 8915F8E94700 mov dword ptr [0047E9F8], edx :00474653 8845F7 mov byte ptr [ebp-09], al :00474656 A1F8E94700 mov eax, dword ptr [0047E9F8] :0047465B B95F000000 mov ecx, 0000005F :00474660 99 cdq :00474661 F7F9 idiv ecx :00474663 33D2 xor edx, edx :00474665 8A55F7 mov dl, byte ptr [ebp-09] :00474668 83EA20 sub edx, 00000020 :0047466B 2BC2 sub eax, edx :0047466D E832FEFFFF call 004744A4 :00474672 8BD8 mov ebx, eax :00474674 80C320 add bl, 20 :00474677 FF05FCE94700 inc dword ptr [0047E9FC] :0047467D 813DFCE9470079510000 cmp dword ptr [0047E9FC], 00005179 :00474687 7C07 jl 00474690 :00474689 33C0 xor eax, eax :0047468B A3FCE94700 mov dword ptr [0047E9FC], eax * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00474687(C) | :00474690 8A45F7 mov al, byte ptr [ebp-09] :00474693 32C3 xor al, bl :00474695 25FF000000 and eax, 000000FF :0047469A 8B15F8E94700 mov edx, dword ptr [0047E9F8] :004746A0 0315F8E94700 add edx, dword ptr [0047E9F8] :004746A6 03C2 add eax, edx :004746A8 0305FCE94700 add eax, 
dword ptr [0047E9FC] :004746AE A3F8E94700 mov dword ptr [0047E9F8], eax :004746B3 8D45EC lea eax, dword ptr [ebp-14] :004746B6 8BD3 mov edx, ebx :004746B8 E843F5F8FF call 00403C00 :004746BD 8B55EC mov edx, dword ptr [ebp-14] :004746C0 8B45F8 mov eax, dword ptr [ebp-08] :004746C3 E818F6F8FF call 00403CE0//将ebx转化为字符,而产生字符串 :004746C8 8B45F8 mov eax, dword ptr [ebp-08] * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:00474625(C), :0047462D(C) | :004746CB 46 inc esi :004746CC 4F dec edi :004746CD 0F854AFFFFFF jne 0047461D ========================================================================= Buf:=BBuf;====>[0047E9F8] temp:=ttmp;===>[0047E9FC] Lencode:=length(STrCode); for index:=1 to Lencode do begin if (ord(STrCode[index])< $7e) and (ord(STrCode[index]) > $20) then begin edx:=buf and $1fffffff; ecx:=(Buf shr $1d) and $31; edx:=edx xor ecx; Buf:=edx; eax:=Buf div $5f; eax:=eax-(ord(STrCode[index])-$20); eax:=CHAG(eax); ebx:=eax+$20; temp:=temp+1; if index >= $5179 then temp:=0; eax:=(ord(STrCode[index]) xor ebx ) and $000000ff; eax:=eax+2*Buf; eax:=eax+temp; Buf:=eax; STrpcode:=STrpcode+chr(ebx); end; end; 这个过程主要计算[0047E9F8],返回[0047E9F8],[0047E9FC]作为下次调用的参数。注意:上面的伪代码有两处与反汇编不一致——汇编中 cmp al, 20 / jb 与 cmp al, 7E / ja 只跳过小于 $20 或大于 $7E 的字符,即处理范围是 $20 <= 字符 <= $7E(含边界),而伪代码写成了严格的 > $20、< $7E;另外 cmp dword ptr [0047E9FC], 00005179 比较的是 temp 而不是 index,对应的应是 if temp >= $5179 then temp:=0。伪代码中的 CHAG 对应 call 004744A4,其函数体此处未列出。 ============================================================================ :: :: :004746E0 8D45EC lea eax, dword ptr [ebp-14] :004746E3 BA02000000 mov edx, 00000002 :004746E8 E88FF3F8FF call 00403A7C :004746ED C3 ret ============================END 004745B4===================================== :00474558 8B45FC mov eax, dword ptr [ebp-04] :0047455B E83CF9F8FF call 00403E9C :00474560 8D4DE8 lea ecx, dword ptr [ebp-18]//UpperCase(Name)+'delphi' :00474563 33D2 xor edx, edx :00474565 E84A000000 call 004745B4 :0047456A 8B45F8 mov eax, dword ptr [ebp-08] :0047456D E82AF9F8FF call 00403E9C :00474572 8B4D08 mov ecx, dword ptr [ebp+08]//'MagicUtils' ===========================================================================
这次调用产生的字符串将接到UpperCase(Name)+'delphi'+'MagicUtils'+'zhiyuan'+'3.0'后面,作为计算CRC32(不标准)的strName(从下面的代码看,ebx 以 0 为初值(xor ebx, ebx),循环结束后直接 mov eax, ebx 取结果,没有标准 CRC32 的 $FFFFFFFF 初值和最终取反;码表 [0047D5D0] 的内容此处未列出) =========================================================================== :00474575 33D2 xor edx, edx :00474577 E838000000 call 004745B4 :0047457C 33C0 xor eax, eax :0047457E 5A pop edx ==========================END 004744E4======================================= :00474764 FF75EC push [ebp-14] :00474767 8D45F0 lea eax, dword ptr [ebp-10] :0047476A BA05000000 mov edx, 00000005 :0047476F E824F6F8FF call 00403D98 :00474774 8B5508 mov edx, dword ptr [ebp+08] :00474777 8B45F0 mov eax, dword ptr [ebp-10] :0047477A E831000000 call 004747B0====>计算CRC32(不标准) ========================SUB 004747B0(CRC32)================================== :004747B0 55 push ebp :004747B1 8BEC mov ebp, esp :004747B3 83C4F4 add esp, FFFFFFF4 :004747B6 53 push ebx :004747B7 56 push esi :004747B8 33C9 xor ecx, ecx :004747BA 894DF4 mov dword ptr [ebp-0C], ecx :004747BD 8955F8 mov dword ptr [ebp-08], edx :004747C0 8945FC mov dword ptr [ebp-04], eax :004747C3 8B45FC mov eax, dword ptr [ebp-04] :004747C6 E8C1F6F8FF call 00403E8C :004747CB 33C0 xor eax, eax :004747CD 55 push ebp :004747CE 684F484700 push 0047484F :004747D3 64FF30 push dword ptr fs:[eax] :004747D6 648920 mov dword ptr fs:[eax], esp :004747D9 33DB xor ebx, ebx :004747DB 8B45FC mov eax, dword ptr [ebp-04] :004747DE E8F5F4F8FF call 00403CD8 :004747E3 85C0 test eax, eax :004747E5 7E2C jle 00474813 :004747E7 BE01000000 mov esi, 00000001 ==============================CRC32=========================================== * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00474811(C) | :004747EC 8B55FC mov edx, dword ptr [ebp-04]=====>strName :004747EF 8A5432FF mov dl, byte ptr [edx+esi-01]===>dl:=ord(strName[esi])(edx 为字符串首地址,esi 从 1 开始计数) :004747F3 32D3 xor dl, bl======================>dl:=dl xor bl :004747F5 81E2FF000000 and edx, 000000FF===============>edx:=edx and $000000ff :004747FB 8B1495D0D54700 mov edx, dword ptr [4*edx+0047D5D0]==>码表数据固定[0-$FF] :00474802
C1EB08 shr ebx, 08=====================>ebx:=ebx shr 8 :00474805 81E3FFFFFF00 and ebx, 00FFFFFF===============>ebx:=ebx and $00ffffff; :0047480B 33D3 xor edx, ebx====================>edx:=edx xor ebx :0047480D 8BDA mov ebx, edx====================>ebx:=edx :0047480F 46 inc esi :00474810 48 dec eax :00474811 75D9 jne 004747EC ========================================================= 下面将刚才的结果(ebx)转化成小写字母输出!(mov eax, 00000008 之后的 call 00408054 看起来是按 8 位十六进制格式化,随后的 call 00407CD0 转小写;这两个函数体此处未列出,待确认) ========================================================= * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004747E5(C) | :00474813 8BC3 mov eax, ebx :00474815 33D2 xor edx, edx :00474817 52 push edx :00474818 50 push eax :00474819 8D55F4 lea edx, dword ptr [ebp-0C] :0047481C B808000000 mov eax, 00000008 :00474821 E82E38F9FF call 00408054 :00474826 8B45F4 mov eax, dword ptr [ebp-0C] :00474829 8B55F8 mov edx, dword ptr [ebp-08] :0047482C E89F34F9FF call 00407CD0 :00474831 33C0 xor eax, eax :00474833 5A pop edx ===========================END SUB 004747B0(CRC32)======================== :0047477F 33C0 xor eax, eax :00474781 5A pop edx :00474782 59 pop ecx :00474783 59 pop ecx :00474784 648910 mov dword ptr fs:[eax], edx :00474787 68A9474700 push 004747A9 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004747A7(U) | :0047478C 8D45EC lea eax, dword ptr [ebp-14] :0047478F BA05000000 mov edx, 00000005 :00474794 E8E3F2F8FF call 00403A7C :00474799 8D450C lea eax, dword ptr [ebp+0C] :0047479C E8B7F2F8FF call 00403A58 :004747A1 C3 ret =======================================END 004746FC============================== :00479F79 33C0 xor eax, eax :00479F7B 5A pop edx :00479F7C 59 pop ecx :00479F7D 59 pop ecx :00479F7E 648910 mov dword ptr fs:[eax], edx :00479F81 689B9F4700 push 00479F9B * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00479F99(U) | :00479F86 8D45E4 lea eax, dword ptr [ebp-1C] :00479F89 BA07000000 mov edx, 00000007 :00479F8E E8E99AF8FF call 00403A7C :00479F93 C3 ret
=================================END 00479EEC=================== :0047A06E 8D55E0 lea edx, dword ptr [ebp-20] :0047A071 8B833C030000 mov eax, dword ptr [ebx+0000033C] :0047A077 E8F823FBFF call 0042C474 :0047A07C 8B45E0 mov eax, dword ptr [ebp-20]