[Repost] reywen's crackme2 [Easy]
Posted: 2005-5-12 12:41 4812
Analysis of reywen's crackme2
【Author】 winndy[FCG][PYG]
【Author's e-mail】 CNwinndy@hotmail.com
【Tools】 PEID v0.93, OllyDbg v1.10 (fly's modified build), fsg2.0dumper
【Platform】 WinXP SP2
【Target】 reywen's crackme2
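【Language】 masm32
【Disclaimer】 For Study, For Fun.
Yesterday I finished PYG's crackme....
While browsing crackmes.de I saw this one. Kreet had already solved it, and I wanted to have a go myself, so.....
【Protection】 fsg2.0, junk instructions, non-standard MD5, brute force
【Cracking process】 Checking the packer with PEID shows fsg2.0; unpack it with fsg2.0dumper.
Searched for strings: nothing!
bpx GetDlgItemTextA, and also set one on USER32.GetDlgItem; execution breaks at the location below.
After stepping over call <jmp.&user32.GetDlgItemTextA> with F8, use F7 for everything that follows.
Going step by step, you will find that much of the code is useless. With a little care, a single pass with F7 is enough to uncover the algorithm.
The password I entered was: 12345678901234567890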
code:
004018F8 . E8 F9010000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
004018FD . 51 push ecx
004018FE . EB 01 jmp short dump.00401901
00401900 69 db 69 ; CHAR 'i'
00401901 > EB 02 jmp short dump.00401905
00401903 CD db CD
00401904 20 db 20 ; CHAR ' '
00401905 > 6A 15 push 15
00401907 . 59 pop ecx
00401908 . E8 01000000 call dump.0040190E
0040190D . 5A pop edx
0040190E $ 76 03 jbe short dump.00401913
00401910 . C1F1 00 sal ecx,0
00401913 > EB 01 jmp short dump.00401916
00401915 . 5A pop edx
00401916 > 49 dec ecx
00401917 .^ 75 F5 jnz short dump.0040190E
00401919 . 59 pop ecx
0040191A . E3 01 jecxz short dump.0040191D
0040191C . 59 pop ecx
0040191D > EB 01 jmp short dump.00401920
0040191F 69 db 69 ; CHAR 'i'
00401920 > EB 07 jmp short dump.00401929
00401922 5A db 5A ; CHAR 'Z'
00401923 DB db DB
00401924 > 83C4 04 add esp,4
00401927 . EB 08 jmp short dump.00401931
00401929 > E8 01000000 call dump.0040192F
0040192E . 5A pop edx
0040192F $^ EB F3 jmp short dump.00401924
00401931 > 83F8 08 cmp eax,8 ;compare the serial length; it must not be less than 8
00401934 . 0F82 83010000 jb dump.00401ABD
0040193A . 51 push ecx
0040193B . EB 01 jmp short dump.0040193E
0040193D 69 db 69 ; CHAR 'i'
0040193E > EB 02 jmp short dump.00401942
00401940 CD db CD
00401941 20 db 20 ; CHAR ' '
00401942 > 6A 0C push 0C
00401944 . 59 pop ecx ;this instruction and the one above amount to mov ecx,0c
00401945 . E8 01000000 call dump.0040194B
0040194A . 5A pop edx
0040194B $ 76 03 jbe short dump.00401950 ;jumps if the serial length equals 8
0040194D . C1F1 00 sal ecx,0
00401950 > EB 01 jmp short dump.00401953
00401952 . 5A pop edx ;never executed
00401953 > 49 dec ecx ;
00401954 .^ 75 F5 jnz short dump.0040194B
00401956 . 59 pop ecx ;0040194A
00401957 . E3 01 jecxz short dump.0040195A
00401959 . 59 pop ecx
0040195A > EB 01 jmp short dump.0040195D
0040195C 69 db 69 ; CHAR 'i'
0040195D > EB 07 jmp short dump.00401966
0040195F 5A db 5A ; CHAR 'Z'
00401960 DB db DB
00401961 > 83C4 04 add esp,4
00401964 . EB 08 jmp short dump.0040196E
00401966 > E8 01000000 call dump.0040196C
0040196B . 5A pop edx
0040196C $^ EB F3 jmp short dump.00401961
0040196E > A3 B4304000 mov dword ptr ds:[4030B4],eax ;save the username length
00401973 . EB 07 jmp short dump.0040197C
00401975 5A db 5A ; CHAR 'Z'
00401976 DB db DB
00401977 > 83C4 04 add esp,4
0040197A . EB 08 jmp short dump.00401984
0040197C > E8 01000000 call dump.00401982
00401981 . 5A pop edx
00401982 $^ EB F3 jmp short dump.00401977
00401984 > 8BC8 mov ecx,eax
00401986 . 51 push ecx
00401987 . EB 01 jmp short dump.0040198A
00401989 69 db 69 ; CHAR 'i'
0040198A > EB 02 jmp short dump.0040198E
0040198C CD db CD
0040198D 20 db 20 ; CHAR ' '
0040198E > 6A 1A push 1A
00401990 . 59 pop ecx ;mov ecx 1A
00401991 . E8 01000000 call dump.00401997
00401996 . 5A pop edx
00401997 $ 76 03 jbe short dump.0040199C
00401999 . C1F1 00 sal ecx,0
0040199C > EB 01 jmp short dump.0040199F
0040199E . 5A pop edx
0040199F > 49 dec ecx
004019A0 .^ 75 F5 jnz short dump.00401997
004019A2 . 59 pop ecx
004019A3 . E3 01 jecxz short dump.004019A6
004019A5 . 59 pop ecx ;ecx=00000014
004019A6 > EB 01 jmp short dump.004019A9
004019A8 69 db 69 ; CHAR 'i'
004019A9 > EB 07 jmp short dump.004019B2
004019AB 5A db 5A ; CHAR 'Z'
004019AC DB db DB
004019AD > 83C4 04 add esp,4
004019B0 . EB 08 jmp short dump.004019BA
004019B2 > E8 01000000 call dump.004019B8
004019B7 . 5A pop edx
004019B8 $^ EB F3 jmp short dump.004019AD
004019BA > BE 50304000 mov esi,dump.00403050 ; esi 00403050 ASCII "12345678901234567890"
004019BF . 51 push ecx
004019C0 . EB 01 jmp short dump.004019C3
004019C2 69 db 69 ; CHAR 'i'
004019C3 > EB 02 jmp short dump.004019C7
004019C5 CD db CD
004019C6 20 db 20 ; CHAR ' '
004019C7 > 6A 1A push 1A
004019C9 . 59 pop ecx
004019CA . E8 01000000 call dump.004019D0
004019CF . 5A pop edx
004019D0 $ 76 03 jbe short dump.004019D5
004019D2 . C1F1 00 sal ecx,0
004019D5 > EB 01 jmp short dump.004019D8
004019D7 . 5A pop edx
004019D8 > 49 dec ecx
004019D9 .^ 75 F5 jnz short dump.004019D0
004019DB . 59 pop ecx ;0040194F
004019DC . E3 01 jecxz short dump.004019DF
004019DE . 59 pop ecx ;0014
004019DF > EB 01 jmp short dump.004019E2
004019E1 69 db 69 ; CHAR 'i'
004019E2 > 8B1E mov ebx,dword ptr ds:[esi] ;34333231
004019E4 . 035E 04 add ebx,dword ptr ds:[esi+4] ;34333231+38373635=6C6A6866
004019E7 > 81EB 9A020000 sub ebx,29A
004019ED . 81C3 78320400 add ebx,43278
004019F3 . 81EB 4CB30000 sub ebx,0B34C ;43278-29A-0B34C =37C92
004019F9 . 46 inc esi
004019FA .^ E2 EB loopd short dump.004019E7 ;ecx=14 is the initial counter value
//final result: ebx=6CB023CE
004019FC . B9 DC304000 mov ecx,dump.004030DC
00401A01 . EB 07 jmp short dump.00401A0A
00401A03 5A db 5A ; CHAR 'Z'
00401A04 DB db DB
00401A05 > 83C4 04 add esp,4
00401A08 . EB 08 jmp short dump.00401A12
00401A0A > E8 01000000 call dump.00401A10
00401A0F . 5A pop edx
00401A10 $^ EB F3 jmp short dump.00401A05
00401A12 > 52 push edx ;EDX 7C92EB94 ntdll.KiFastSystemCallRet
00401A13 . BA DC304000 mov edx,dump.004030DC
00401A18 . 891A mov dword ptr ds:[edx],ebx ;store the computed result at 004030DC
00401A1A . 5A pop edx
00401A1B . 6A 20 push 20
00401A1D . 68 DC304000 push dump.004030DC
00401A22 . 68 BC304000 push dump.004030BC
00401A27 . E8 D4F5FFFF call dump.00401000 ;non-standard MD5 routine, see below
//004030BC 27 F7 0D DA 68 7D E1 F3
//004030C4 9F 0C 59 33 2D C2 A9 69
//004030CC 00 00 00 00 00 00 00 00
//004030D4 00 00 00 00 00 00 00 00
//004030DC CE 23 B0 6C
00401A2C . B9 04000000 mov ecx,4
00401A31 . BA BC304000 mov edx,dump.004030BC ;MD5 result
00401A36 > 2B1A sub ebx,dword ptr ds:[edx] ;ebx=6CB023CE
00401A38 . 81EB E8030000 sub ebx,3E8
00401A3E . 83C2 04 add edx,4
00401A41 .^ E2 F3 loopd short dump.00401A36
//finally ebx=01BDD0D3
00401A43 . 51 push ecx
00401A44 . EB 01 jmp short dump.00401A47
00401A46 69 db 69 ; CHAR 'i'
00401A47 > EB 02 jmp short dump.00401A4B
00401A49 CD db CD
00401A4A 20 db 20 ; CHAR ' '
00401A4B > 6A 1A push 1A
00401A4D . 59 pop ecx ;mov ecx ,1A
00401A4E . E8 01000000 call dump.00401A54
00401A53 . 5A pop edx
00401A54 $ 76 03 jbe short dump.00401A59
00401A56 . C1F1 00 sal ecx,0
00401A59 > EB 01 jmp short dump.00401A5C
00401A5B . 5A pop edx
00401A5C > 49 dec ecx
00401A5D .^ 75 F5 jnz short dump.00401A54
00401A5F . 59 pop ecx
00401A60 . E3 01 jecxz short dump.00401A63
00401A62 . 59 pop ecx
00401A63 > EB 01 jmp short dump.00401A66
00401A65 69 db 69 ; CHAR 'i'
00401A66 > 81EB E6D699CE sub ebx,CE99D6E6 ;*************
00401A6C . 74 25 je short dump.00401A93 ;if equal, OK
00401A6E . EB 4D jmp short dump.00401ABD
00401A70 . 51 push ecx
00401A71 . EB 01 jmp short dump.00401A74
00401A73 69 db 69 ; CHAR 'i'
00401A74 > EB 02 jmp short dump.00401A78
00401A76 CD db CD
00401A77 20 db 20 ; CHAR ' '
00401A78 > 6A 1A push 1A
00401A7A . 59 pop ecx
00401A7B . E8 01000000 call dump.00401A81
00401A80 . 5A pop edx
00401A81 $ 76 03 jbe short dump.00401A86
00401A83 . C1F1 00 sal ecx,0
00401A86 > EB 01 jmp short dump.00401A89
00401A88 . 5A pop edx
00401A89 > 49 dec ecx
00401A8A .^ 75 F5 jnz short dump.00401A81
00401A8C . 59 pop ecx
00401A8D . E3 01 jecxz short dump.00401A90
00401A8F . 59 pop ecx
00401A90 > EB 01 jmp short dump.00401A93
00401A92 69 db 69 ; CHAR 'i'
00401A93 > BA 19304000 mov edx,dump.00403019 ; ASCII "y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk` icogb mac"
00401A98 . 8B1A mov ebx,dword ptr ds:[edx]
00401A9A . 80FB 77 cmp bl,77
00401A9D . 74 0A je short dump.00401AA9
00401A9F . B9 31000000 mov ecx,31
00401AA4 . E8 1D000000 call dump.00401AC6
00401AA9 > 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401AAB . 68 0F304000 push dump.0040300F ; |Title = "[G.o.o.D]"
00401AB0 . 68 19304000 push dump.00403019 ; |Text = "y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk` icogb mac"
00401AB5 . FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
00401AB8 . E8 45000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401ABD > EB 00 jmp short dump.00401ABF
00401ABF > 61 popad
00401AC0 . 33C0 xor eax,eax
00401AC2 . C9 leave
00401AC3 . C2 1000 retn 10
00401AC6 /$ 4A dec edx
00401AC7 |> 42 inc edx
00401AC8 |. 8A02 mov al,byte ptr ds:[edx]
00401ACA |. 34 0E xor al,0E
00401ACC |. 8802 mov byte ptr ds:[edx],al
00401ACE |.^ E2 F7 loopd short dump.00401AC7
00401AD0 \. C3 retn
//The code above decodes the message that is displayed
// Ciphertext: "y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk` icogb mac"
// Plaintext: "w0w you make this ;D... mail me: reywen.gmail.com"
00401AD1 /$ 4A dec edx
00401AD2 |. B9 20000000 mov ecx,20
00401AD7 |> 42 inc edx
00401AD8 |. C602 00 mov byte ptr ds:[edx],0
00401ADB |.^ E2 FA loopd short dump.00401AD7
00401ADD \. C3 retn
=================================
MD5 routine
00401000 /$ 60 pushad
00401001 |. 8B7424 24 mov esi,dword ptr ss:[esp+24]
00401005 |. C706 01234567 mov dword ptr ds:[esi],67452301
0040100B |. C746 04 89ABC>mov dword ptr ds:[esi+4],EFCDAB89
00401012 |. C746 08 FEDCB>mov dword ptr ds:[esi+8],98BADCFE
00401019 |. C746 0C 76543>mov dword ptr ds:[esi+C],10325476
00401020 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C]
00401024 |. 50 push eax
00401025 |. 33D2 xor edx,edx
00401027 |. B9 40000000 mov ecx,40
0040102C |. F7F1 div ecx
0040102E |. 40 inc eax
0040102F |. 5A pop edx
00401030 |. 83EC 40 sub esp,40
00401033 |. 8BDC mov ebx,esp
00401035 |. 8B7424 68 mov esi,dword ptr ss:[esp+68]
00401039 |. 92 xchg eax,edx
0040103A |> 8BFB /mov edi,ebx
0040103C |. 4A |dec edx
0040103D |. 75 41 |jnz short dump.00401080
0040103F |. 85C0 |test eax,eax
00401041 |. 78 06 |js short dump.00401049
00401043 |. C60418 80 |mov byte ptr ds:[eax+ebx],80
00401047 |. EB 03 |jmp short dump.0040104C
00401049 |> 33C0 |xor eax,eax
0040104B |. 48 |dec eax
0040104C |> B9 40000000 |mov ecx,40
00401051 |. 2BC8 |sub ecx,eax
00401053 |. 03F8 |add edi,eax
00401055 |. 50 |push eax
00401056 |. 33C0 |xor eax,eax
00401058 |. 47 |inc edi
00401059 |. 49 |dec ecx
0040105A |. F3:AA |rep stos byte ptr es:[edi]
0040105C |. 58 |pop eax
0040105D |. 85C0 |test eax,eax
0040105F |. 78 05 |js short dump.00401066
00401061 |. 83F8 38 |cmp eax,38
00401064 |. 73 19 |jnb short dump.0040107F
00401066 |> 50 |push eax
00401067 |. 8B4424 70 |mov eax,dword ptr ss:[esp+70]
0040106B |. 52 |push edx
0040106C |. 33D2 |xor edx,edx
0040106E |. B9 08000000 |mov ecx,8
00401073 |. F7E1 |mul ecx
00401075 |. 8943 38 |mov dword ptr ds:[ebx+38],eax
00401078 |. 8953 3C |mov dword ptr ds:[ebx+3C],edx
0040107B |. 5A |pop edx
0040107C |. 58 |pop eax
0040107D |. EB 01 |jmp short dump.00401080
0040107F |> 42 |inc edx
00401080 |> 85C0 |test eax,eax
00401082 |. 78 07 |js short dump.0040108B
00401084 |. 83F8 40 |cmp eax,40
00401087 |. 73 08 |jnb short dump.00401091
00401089 |. EB 02 |jmp short dump.0040108D
0040108B |> 33C0 |xor eax,eax
0040108D |> 8BC8 |mov ecx,eax
0040108F |. EB 05 |jmp short dump.00401096
00401091 |> B9 40000000 |mov ecx,40
00401096 |> 8BFB |mov edi,ebx
00401098 |. F3:A4 |rep movs byte ptr es:[edi],byte ptr ds:[esi]
//d edi
//0012F9BC CE 23 B0 6C 00 00 00 00
//0012F9C4 00 00 00 00 00 00 00 00
//0012F9CC 00 00 00 00 00 00 00 00
//0012F9D4 00 00 00 00 00 00 00 00
//0012F9DC 80 00 00 00 00 00 00 00
//0012F9E4 00 00 00 00 00 00 00 00
//0012F9EC 00 00 00 00 00 00 00 00
//0012F9F4 00 01 00 00 00 00 00 00
//Judging from the padding, this is a non-standard MD5
0040109A |. 50 |push eax
0040109B |. 52 |push edx
0040109C |. 53 |push ebx
0040109D |. 56 |push esi
0040109E |. 8D7424 10 |lea esi,dword ptr ss:[esp+10]
004010A2 |. 8B7C24 74 |mov edi,dword ptr ss:[esp+74]
004010A6 |. 57 |push edi
004010A7 |. 8B07 |mov eax,dword ptr ds:[edi]
004010A9 |. 8B5F 04 |mov ebx,dword ptr ds:[edi+4]
004010AC |. 8B4F 08 |mov ecx,dword ptr ds:[edi+8]
004010AF |. 8B57 0C |mov edx,dword ptr ds:[edi+C]
004010B2 |. 8BFB |mov edi,ebx
004010B4 |. 8BEB |mov ebp,ebx
004010B6 |. 23F9 |and edi,ecx
004010B8 |. F7D5 |not ebp
004010BA |. 23EA |and ebp,edx
004010BC |. 0BFD |or edi,ebp
004010BE |. 8D8407 24A46A>|lea eax,dword ptr ds:[edi+eax+D76AA424]
004010C5 |. 0306 |add eax,dword ptr ds:[esi]
004010C7 |. C1C0 07 |rol eax,7
004010CA |. 03C3 |add eax,ebx
004010CC |. 8BF8 |mov edi,eax
004010CE |. 8BE8 |mov ebp,eax
004010D0 |. 23FB |and edi,ebx
004010D2 |. F7D5 |not ebp
004010D4 |. 23E9 |and ebp,ecx
004010D6 |. 0BFD |or edi,ebp
004010D8 |. 8D9417 14B7C7>|lea edx,dword ptr ds:[edi+edx+E8C7B714]
004010DF |. 0356 04 |add edx,dword ptr ds:[esi+4]
004010E2 |. C1C2 0C |rol edx,0C
004010E5 |. 03D0 |add edx,eax
004010E7 |. 8BFA |mov edi,edx
004010E9 |. 8BEA |mov ebp,edx
004010EB |. 23F8 |and edi,eax
004010ED |. F7D5 |not ebp
004010EF |. 23EB |and ebp,ebx
004010F1 |. 0BFD |or edi,ebp
004010F3 |. 8D8C0F DB7020>|lea ecx,dword ptr ds:[edi+ecx+242070DB]
004010FA |. 034E 08 |add ecx,dword ptr ds:[esi+8]
004010FD |. C1C1 11 |rol ecx,11
00401100 |. 03CA |add ecx,edx
00401102 |. 8BF9 |mov edi,ecx
00401104 |. 8BE9 |mov ebp,ecx
00401106 |. 23FA |and edi,edx
00401108 |. F7D5 |not ebp
0040110A |. 23E8 |and ebp,eax
0040110C |. 0BFD |or edi,ebp
0040110E |. 8D9C1F EECEBD>|lea ebx,dword ptr ds:[edi+ebx+C1BDCEEE]
00401115 |. 035E 0C |add ebx,dword ptr ds:[esi+C]
00401118 |. C1C3 16 |rol ebx,16
0040111B |. 03D9 |add ebx,ecx
0040111D |. 8BFB |mov edi,ebx
0040111F |. 8BEB |mov ebp,ebx
00401121 |. 23F9 |and edi,ecx
00401123 |. F7D5 |not ebp
00401125 |. 23EA |and ebp,edx
00401127 |. 0BFD |or edi,ebp
00401129 |. 8D8407 AF0F7C>|lea eax,dword ptr ds:[edi+eax+F57C0FAF]
00401130 |. 0346 10 |add eax,dword ptr ds:[esi+10]
00401133 |. C1C0 07 |rol eax,7
00401136 |. 03C3 |add eax,ebx
00401138 |. 8BF8 |mov edi,eax
0040113A |. 8BE8 |mov ebp,eax
0040113C |. 23FB |and edi,ebx
0040113E |. F7D5 |not ebp
00401140 |. 23E9 |and ebp,ecx
00401142 |. 0BFD |or edi,ebp
00401144 |. 8D9417 2AC687>|lea edx,dword ptr ds:[edi+edx+4787C62A]
0040114B |. 0356 14 |add edx,dword ptr ds:[esi+14]
0040114E |. C1C2 0C |rol edx,0C
00401151 |. 03D0 |add edx,eax
00401153 |. 8BFA |mov edi,edx
00401155 |. 8BEA |mov ebp,edx
00401157 |. 23F8 |and edi,eax
00401159 |. F7D5 |not ebp
0040115B |. 23EB |and ebp,ebx
0040115D |. 0BFD |or edi,ebp
0040115F |. 8D8C0F 134630>|lea ecx,dword ptr ds:[edi+ecx+A8304613]
00401166 |. 034E 18 |add ecx,dword ptr ds:[esi+18]
00401169 |. C1C1 11 |rol ecx,11
0040116C |. 03CA |add ecx,edx
0040116E |. 8BF9 |mov edi,ecx
00401170 |. 8BE9 |mov ebp,ecx
00401172 |. 23FA |and edi,edx
00401174 |. F7D5 |not ebp
00401176 |. 23E8 |and ebp,eax
00401178 |. 0BFD |or edi,ebp
0040117A |. 8D9C1F 019546>|lea ebx,dword ptr ds:[edi+ebx+FD469501]
00401181 |. 035E 1C |add ebx,dword ptr ds:[esi+1C]
00401184 |. C1C3 16 |rol ebx,16
00401187 |. 03D9 |add ebx,ecx
00401189 |. 8BFB |mov edi,ebx
0040118B |. 8BEB |mov ebp,ebx
0040118D |. 23F9 |and edi,ecx
0040118F |. F7D5 |not ebp
00401191 |. 23EA |and ebp,edx
00401193 |. 0BFD |or edi,ebp
00401195 |. 8D8407 D89880>|lea eax,dword ptr ds:[edi+eax+698098D8]
0040119C |. 0346 20 |add eax,dword ptr ds:[esi+20]
0040119F |. C1C0 07 |rol eax,7
004011A2 |. 03C3 |add eax,ebx
004011A4 |. 8BF8 |mov edi,eax
004011A6 |. 8BE8 |mov ebp,eax
004011A8 |. 23FB |and edi,ebx
004011AA |. F7D5 |not ebp
004011AC |. 23E9 |and ebp,ecx
004011AE |. 0BFD |or edi,ebp
004011B0 |. 8D9417 AFF744>|lea edx,dword ptr ds:[edi+edx+8B44F7AF]
004011B7 |. 0356 24 |add edx,dword ptr ds:[esi+24]
004011BA |. C1C2 0C |rol edx,0C
004011BD |. 03D0 |add edx,eax
004011BF |. 8BFA |mov edi,edx
004011C1 |. 8BEA |mov ebp,edx
004011C3 |. 23F8 |and edi,eax
004011C5 |. F7D5 |not ebp
004011C7 |. 23EB |and ebp,ebx
004011C9 |. 0BFD |or edi,ebp
004011CB |. 8D8C0F B15BFF>|lea ecx,dword ptr ds:[edi+ecx+FFFF5BB1]
004011D2 |. 034E 28 |add ecx,dword ptr ds:[esi+28]
004011D5 |. C1C1 11 |rol ecx,11
004011D8 |. 03CA |add ecx,edx
004011DA |. 8BF9 |mov edi,ecx
004011DC |. 8BE9 |mov ebp,ecx
004011DE |. 23FA |and edi,edx
004011E0 |. F7D5 |not ebp
004011E2 |. 23E8 |and ebp,eax
004011E4 |. 0BFD |or edi,ebp
004011E6 |. 8D9C1F BED75C>|lea ebx,dword ptr ds:[edi+ebx+895CD7BE]
004011ED |. 035E 2C |add ebx,dword ptr ds:[esi+2C]
004011F0 |. C1C3 16 |rol ebx,16
004011F3 |. 03D9 |add ebx,ecx
004011F5 |. 8BFB |mov edi,ebx
004011F7 |. 8BEB |mov ebp,ebx
004011F9 |. 23F9 |and edi,ecx
004011FB |. F7D5 |not ebp
004011FD |. 23EA |and ebp,edx
004011FF |. 0BFD |or edi,ebp
00401201 |. 8D8407 221190>|lea eax,dword ptr ds:[edi+eax+6B901122]
00401208 |. 0346 30 |add eax,dword ptr ds:[esi+30]
0040120B |. C1C0 07 |rol eax,7
0040120E |. 03C3 |add eax,ebx
00401210 |. 8BF8 |mov edi,eax
00401212 |. 8BE8 |mov ebp,eax
00401214 |. 23FB |and edi,ebx
00401216 |. F7D5 |not ebp
00401218 |. 23E9 |and ebp,ecx
0040121A |. 0BFD |or edi,ebp
0040121C |. 8D9417 937198>|lea edx,dword ptr ds:[edi+edx+FD987193]
00401223 |. 0356 34 |add edx,dword ptr ds:[esi+34]
00401226 |. C1C2 0C |rol edx,0C
00401229 |. 03D0 |add edx,eax
0040122B |. 8BFA |mov edi,edx
0040122D |. 8BEA |mov ebp,edx
0040122F |. 23F8 |and edi,eax
00401231 |. F7D5 |not ebp
00401233 |. 23EB |and ebp,ebx
00401235 |. 0BFD |or edi,ebp
00401237 |. 8D8C0F 8E4379>|lea ecx,dword ptr ds:[edi+ecx+A679438E]
0040123E |. 034E 38 |add ecx,dword ptr ds:[esi+38]
00401241 |. C1C1 11 |rol ecx,11
00401244 |. 03CA |add ecx,edx
00401246 |. 8BF9 |mov edi,ecx
00401248 |. 8BE9 |mov ebp,ecx
0040124A |. 23FA |and edi,edx
0040124C |. F7D5 |not ebp
0040124E |. 23E8 |and ebp,eax
00401250 |. 0BFD |or edi,ebp
00401252 |. 8D9C1F 2D08B4>|lea ebx,dword ptr ds:[edi+ebx+49B4082D]
00401259 |. 035E 3C |add ebx,dword ptr ds:[esi+3C]
0040125C |. C1C3 16 |rol ebx,16
0040125F |. 03D9 |add ebx,ecx
00401261 |. 8BFA |mov edi,edx
00401263 |. 8BEA |mov ebp,edx
00401265 |. 23FB |and edi,ebx
00401267 |. F7D5 |not ebp
00401269 |. 23E9 |and ebp,ecx
0040126B |. 0BFD |or edi,ebp
0040126D |. 8D8407 14251E>|lea eax,dword ptr ds:[edi+eax+F61E2514]
00401274 |. 0346 04 |add eax,dword ptr ds:[esi+4]
00401277 |. C1C0 05 |rol eax,5
0040127A |. 03C3 |add eax,ebx
0040127C |. 8BF9 |mov edi,ecx
0040127E |. 8BE9 |mov ebp,ecx
00401280 |. 23F8 |and edi,eax
00401282 |. F7D5 |not ebp
00401284 |. 23EB |and ebp,ebx
00401286 |. 0BFD |or edi,ebp
00401288 |. 8D9417 40B340>|lea edx,dword ptr ds:[edi+edx+C040B340]
0040128F |. 0356 18 |add edx,dword ptr ds:[esi+18]
00401292 |. C1C2 09 |rol edx,9
00401295 |. 03D0 |add edx,eax
00401297 |. 8BFB |mov edi,ebx
00401299 |. 8BEB |mov ebp,ebx
0040129B |. 23FA |and edi,edx
0040129D |. F7D5 |not ebp
0040129F |. 23E8 |and ebp,eax
004012A1 |. 0BFD |or edi,ebp
004012A3 |. 8D8C0F 515A5E>|lea ecx,dword ptr ds:[edi+ecx+265E5A51]
004012AA |. 034E 2C |add ecx,dword ptr ds:[esi+2C]
004012AD |. C1C1 0E |rol ecx,0E
004012B0 |. 03CA |add ecx,edx
004012B2 |. 8BF8 |mov edi,eax
004012B4 |. 8BE8 |mov ebp,eax
004012B6 |. 23F9 |and edi,ecx
004012B8 |. F7D5 |not ebp
004012BA |. 23EA |and ebp,edx
004012BC |. 0BFD |or edi,ebp
004012BE |. 8D9C1F AAC7B6>|lea ebx,dword ptr ds:[edi+ebx+E9B6C7AA]
004012C5 |. 031E |add ebx,dword ptr ds:[esi]
004012C7 |. C1C3 14 |rol ebx,14
004012CA |. 03D9 |add ebx,ecx
004012CC |. 8BFA |mov edi,edx
004012CE |. 8BEA |mov ebp,edx
004012D0 |. 23FB |and edi,ebx
004012D2 |. F7D5 |not ebp
004012D4 |. 23E9 |and ebp,ecx
004012D6 |. 0BFD |or edi,ebp
004012D8 |. 8D8407 52102F>|lea eax,dword ptr ds:[edi+eax+D62F1052]
004012DF |. 0346 14 |add eax,dword ptr ds:[esi+14]
004012E2 |. C1C0 05 |rol eax,5
004012E5 |. 03C3 |add eax,ebx
004012E7 |. 8BF9 |mov edi,ecx
004012E9 |. 8BE9 |mov ebp,ecx
004012EB |. 23F8 |and edi,eax
004012ED |. F7D5 |not ebp
004012EF |. 23EB |and ebp,ebx
004012F1 |. 0BFD |or edi,ebp
004012F3 |. 8D9417 531444>|lea edx,dword ptr ds:[edi+edx+2441453]
004012FA |. 0356 28 |add edx,dword ptr ds:[esi+28]
004012FD |. C1C2 09 |rol edx,9
00401300 |. 03D0 |add edx,eax
00401302 |. 8BFB |mov edi,ebx
00401304 |. 8BEB |mov ebp,ebx
00401306 |. 23FA |and edi,edx
00401308 |. F7D5 |not ebp
0040130A |. 23E8 |and ebp,eax
0040130C |. 0BFD |or edi,ebp
0040130E |. 8D8C0F 81E6A1>|lea ecx,dword ptr ds:[edi+ecx+D8A1E681]
00401315 |. 034E 3C |add ecx,dword ptr ds:[esi+3C]
00401318 |. C1C1 0E |rol ecx,0E
0040131B |. 03CA |add ecx,edx
0040131D |. 8BF8 |mov edi,eax
0040131F |. 8BE8 |mov ebp,eax
00401321 |. 23F9 |and edi,ecx
00401323 |. F7D5 |not ebp
00401325 |. 23EA |and ebp,edx
00401327 |. 0BFD |or edi,ebp
00401329 |. 8D9C1F C8FBD3>|lea ebx,dword ptr ds:[edi+ebx+E7D3FBC8]
00401330 |. 035E 10 |add ebx,dword ptr ds:[esi+10]
00401333 |. C1C3 14 |rol ebx,14
00401336 |. 03D9 |add ebx,ecx
00401338 |. 8BFA |mov edi,edx
0040133A |. 8BEA |mov ebp,edx
0040133C |. 23FB |and edi,ebx
0040133E |. F7D5 |not ebp
00401340 |. 23E9 |and ebp,ecx
00401342 |. 0BFD |or edi,ebp
00401344 |. 8D8407 E6CDE1>|lea eax,dword ptr ds:[edi+eax+21E1CDE6]
0040134B |. 0346 24 |add eax,dword ptr ds:[esi+24]
0040134E |. C1C0 05 |rol eax,5
00401351 |. 03C3 |add eax,ebx
00401353 |. 8BF9 |mov edi,ecx
00401355 |. 8BE9 |mov ebp,ecx
00401357 |. 23F8 |and edi,eax
00401359 |. F7D5 |not ebp
0040135B |. 23EB |and ebp,ebx
0040135D |. 0BFD |or edi,ebp
0040135F |. 8D9417 D60737>|lea edx,dword ptr ds:[edi+edx+C33707D6]
00401366 |. 0356 38 |add edx,dword ptr ds:[esi+38]
00401369 |. C1C2 09 |rol edx,9
0040136C |. 03D0 |add edx,eax
0040136E |. 8BFB |mov edi,ebx
00401370 |. 8BEB |mov ebp,ebx
00401372 |. 23FA |and edi,edx
00401374 |. F7D5 |not ebp
00401376 |. 23E8 |and ebp,eax
00401378 |. 0BFD |or edi,ebp
0040137A |. 8D8C0F 870DD5>|lea ecx,dword ptr ds:[edi+ecx+F4D50D87]
00401381 |. 034E 0C |add ecx,dword ptr ds:[esi+C]
00401384 |. C1C1 0E |rol ecx,0E
00401387 |. 03CA |add ecx,edx
00401389 |. 8BF8 |mov edi,eax
0040138B |. 8BE8 |mov ebp,eax
0040138D |. 23F9 |and edi,ecx
0040138F |. F7D5 |not ebp
00401391 |. 23EA |and ebp,edx
00401393 |. 0BFD |or edi,ebp
00401395 |. 8D9C1F ED145A>|lea ebx,dword ptr ds:[edi+ebx+455A14ED]
0040139C |. 035E 20 |add ebx,dword ptr ds:[esi+20]
0040139F |. C1C3 14 |rol ebx,14
004013A2 |. 03D9 |add ebx,ecx
004013A4 |. 8BFA |mov edi,edx
004013A6 |. 8BEA |mov ebp,edx
004013A8 |. 23FB |and edi,ebx
004013AA |. F7D5 |not ebp
004013AC |. 23E9 |and ebp,ecx
004013AE |. 0BFD |or edi,ebp
004013B0 |. 8D8407 02E9E3>|lea eax,dword ptr ds:[edi+eax+A9E3E902]
004013B7 |. 0346 34 |add eax,dword ptr ds:[esi+34]
004013BA |. C1C0 05 |rol eax,5
004013BD |. 03C3 |add eax,ebx
004013BF |. 8BF9 |mov edi,ecx
004013C1 |. 8BE9 |mov ebp,ecx
004013C3 |. 23F8 |and edi,eax
004013C5 |. F7D5 |not ebp
004013C7 |. 23EB |and ebp,ebx
004013C9 |. 0BFD |or edi,ebp
004013CB |. 8D9417 F8A3EF>|lea edx,dword ptr ds:[edi+edx+FCEFA3F8]
004013D2 |. 0356 08 |add edx,dword ptr ds:[esi+8]
004013D5 |. C1C2 09 |rol edx,9
004013D8 |. 03D0 |add edx,eax
004013DA |. 8BFB |mov edi,ebx
004013DC |. 8BEB |mov ebp,ebx
004013DE |. 23FA |and edi,edx
004013E0 |. F7D5 |not ebp
004013E2 |. 23E8 |and ebp,eax
004013E4 |. 0BFD |or edi,ebp
004013E6 |. 8D8C0F D9026F>|lea ecx,dword ptr ds:[edi+ecx+676F02D9]
004013ED |. 034E 1C |add ecx,dword ptr ds:[esi+1C]
004013F0 |. C1C1 0E |rol ecx,0E
004013F3 |. 03CA |add ecx,edx
004013F5 |. 8BF8 |mov edi,eax
004013F7 |. 8BE8 |mov ebp,eax
004013F9 |. 23F9 |and edi,ecx
004013FB |. F7D5 |not ebp
004013FD |. 23EA |and ebp,edx
004013FF |. 0BFD |or edi,ebp
00401401 |. 8D9C1F 844C2A>|lea ebx,dword ptr ds:[edi+ebx+8D2A4C84]
00401408 |. 035E 30 |add ebx,dword ptr ds:[esi+30]
0040140B |. C1C3 14 |rol ebx,14
0040140E |. 03D9 |add ebx,ecx
00401410 |. 8BEB |mov ebp,ebx
00401412 |. 33E9 |xor ebp,ecx
00401414 |. 33EA |xor ebp,edx
00401416 |. 8D8405 4239FA>|lea eax,dword ptr ss:[ebp+eax+FFFA3942]
0040141D |. 0346 14 |add eax,dword ptr ds:[esi+14]
00401420 |. C1C0 04 |rol eax,4
00401423 |. 03C3 |add eax,ebx
00401425 |. 8BE8 |mov ebp,eax
00401427 |. 33EB |xor ebp,ebx
00401429 |. 33E9 |xor ebp,ecx
0040142B |. 8D9415 81F671>|lea edx,dword ptr ss:[ebp+edx+8771F681]
00401432 |. 0356 20 |add edx,dword ptr ds:[esi+20]
00401435 |. C1C2 0B |rol edx,0B
00401438 |. 03D0 |add edx,eax
0040143A |. 8BEA |mov ebp,edx
0040143C |. 33E8 |xor ebp,eax
0040143E |. 33EB |xor ebp,ebx
00401440 |. 8D8C0D 22619D>|lea ecx,dword ptr ss:[ebp+ecx+6D9D6122]
00401447 |. 034E 2C |add ecx,dword ptr ds:[esi+2C]
0040144A |. C1C1 10 |rol ecx,10
0040144D |. 03CA |add ecx,edx
0040144F |. 8BE9 |mov ebp,ecx
00401451 |. 33EA |xor ebp,edx
00401453 |. 33E8 |xor ebp,eax
00401455 |. 8D9C1D 0C38E5>|lea ebx,dword ptr ss:[ebp+ebx+FDE5380C]
0040145C |. 035E 38 |add ebx,dword ptr ds:[esi+38]
0040145F |. C1C3 17 |rol ebx,17
00401462 |. 03D9 |add ebx,ecx
00401464 |. 8BEB |mov ebp,ebx
00401466 |. 33E9 |xor ebp,ecx
00401468 |. 33EA |xor ebp,edx
0040146A |. 8D8405 44EABE>|lea eax,dword ptr ss:[ebp+eax+A4BEEA44]
00401471 |. 0346 04 |add eax,dword ptr ds:[esi+4]
00401474 |. C1C0 04 |rol eax,4
00401477 |. 03C3 |add eax,ebx
00401479 |. 8BE8 |mov ebp,eax
0040147B |. 33EB |xor ebp,ebx
0040147D |. 33E9 |xor ebp,ecx
0040147F |. 8D9415 A9CFDE>|lea edx,dword ptr ss:[ebp+edx+4BDECFA9]
00401486 |. 0356 10 |add edx,dword ptr ds:[esi+10]
00401489 |. C1C2 0B |rol edx,0B
0040148C |. 03D0 |add edx,eax
0040148E |. 8BEA |mov ebp,edx
00401490 |. 33E8 |xor ebp,eax
00401492 |. 33EB |xor ebp,ebx
00401494 |. 8D8C0D 644BBB>|lea ecx,dword ptr ss:[ebp+ecx+F6BB4B64]
0040149B |. 034E 1C |add ecx,dword ptr ds:[esi+1C]
0040149E |. C1C1 10 |rol ecx,10
004014A1 |. 03CA |add ecx,edx
004014A3 |. 8BE9 |mov ebp,ecx
004014A5 |. 33EA |xor ebp,edx
004014A7 |. 33E8 |xor ebp,eax
004014A9 |. 8D9C1D 7BBCBF>|lea ebx,dword ptr ss:[ebp+ebx+BEBFBC7B]
004014B0 |. 035E 28 |add ebx,dword ptr ds:[esi+28]
004014B3 |. C1C3 17 |rol ebx,17
004014B6 |. 03D9 |add ebx,ecx
004014B8 |. 8BEB |mov ebp,ebx
004014BA |. 33E9 |xor ebp,ecx
004014BC |. 33EA |xor ebp,edx
004014BE |. 8D8405 C67E9B>|lea eax,dword ptr ss:[ebp+eax+289B7EC6]
004014C5 |. 0346 34 |add eax,dword ptr ds:[esi+34]
004014C8 |. C1C0 04 |rol eax,4
004014CB |. 03C3 |add eax,ebx
004014CD |. 8BE8 |mov ebp,eax
004014CF |. 33EB |xor ebp,ebx
004014D1 |. 33E9 |xor ebp,ecx
004014D3 |. 8D9415 FA27A1>|lea edx,dword ptr ss:[ebp+edx+EAA127FA]
004014DA |. 0316 |add edx,dword ptr ds:[esi]
004014DC |. C1C2 0B |rol edx,0B
004014DF |. 03D0 |add edx,eax
004014E1 |. 8BEA |mov ebp,edx
004014E3 |. 33E8 |xor ebp,eax
004014E5 |. 33EB |xor ebp,ebx
004014E7 |. 8D8C0D 8530EF>|lea ecx,dword ptr ss:[ebp+ecx+D4EF3085]
004014EE |. 034E 0C |add ecx,dword ptr ds:[esi+C]
004014F1 |. C1C1 10 |rol ecx,10
004014F4 |. 03CA |add ecx,edx
004014F6 |. 8BE9 |mov ebp,ecx
004014F8 |. 33EA |xor ebp,edx
004014FA |. 33E8 |xor ebp,eax
004014FC |. 8D9C1D 051D88>|lea ebx,dword ptr ss:[ebp+ebx+4881D05]
00401503 |. 035E 18 |add ebx,dword ptr ds:[esi+18]
00401506 |. C1C3 17 |rol ebx,17
00401509 |. 03D9 |add ebx,ecx
0040150B |. 8BEB |mov ebp,ebx
0040150D |. 33E9 |xor ebp,ecx
0040150F |. 33EA |xor ebp,edx
00401511 |. 8D8405 32D0D4>|lea eax,dword ptr ss:[ebp+eax+D9D4D032]
00401518 |. 0346 24 |add eax,dword ptr ds:[esi+24]
0040151B |. C1C0 04 |rol eax,4
0040151E |. 03C3 |add eax,ebx
00401520 |. 8BE8 |mov ebp,eax
00401522 |. 33EB |xor ebp,ebx
00401524 |. 33E9 |xor ebp,ecx
00401526 |. 8D9415 E599DB>|lea edx,dword ptr ss:[ebp+edx+E6DB99E5]
0040152D |. 0356 30 |add edx,dword ptr ds:[esi+30]
00401530 |. C1C2 0B |rol edx,0B
00401533 |. 03D0 |add edx,eax
00401535 |. 8BEA |mov ebp,edx
00401537 |. 33E8 |xor ebp,eax
00401539 |. 33EB |xor ebp,ebx
0040153B |. 8D8C0D F87CA2>|lea ecx,dword ptr ss:[ebp+ecx+1FA27CF8]
00401542 |. 034E 3C |add ecx,dword ptr ds:[esi+3C]
00401545 |. C1C1 10 |rol ecx,10
00401548 |. 03CA |add ecx,edx
0040154A |. 8BE9 |mov ebp,ecx
0040154C |. 33EA |xor ebp,edx
0040154E |. 33E8 |xor ebp,eax
00401550 |. 8D9C1D 6556AC>|lea ebx,dword ptr ss:[ebp+ebx+C4AC5665]
00401557 |. 035E 08 |add ebx,dword ptr ds:[esi+8]
0040155A |. C1C3 17 |rol ebx,17
0040155D |. 03D9 |add ebx,ecx
0040155F |. 8BEA |mov ebp,edx
00401561 |. F7D5 |not ebp
00401563 |. 0BEB |or ebp,ebx
00401565 |. 33E9 |xor ebp,ecx
00401567 |. 8D8405 442229>|lea eax,dword ptr ss:[ebp+eax+F4292244]
0040156E |. 0306 |add eax,dword ptr ds:[esi]
00401570 |. C1C0 06 |rol eax,6
00401573 |. 03C3 |add eax,ebx
00401575 |. 8BE9 |mov ebp,ecx
00401577 |. F7D5 |not ebp
00401579 |. 0BE8 |or ebp,eax
0040157B |. 33EB |xor ebp,ebx
0040157D |. 8D9415 B2FF2A>|lea edx,dword ptr ss:[ebp+edx+432AFFB2]
00401584 |. 0356 1C |add edx,dword ptr ds:[esi+1C]
00401587 |. C1C2 0A |rol edx,0A
0040158A |. 03D0 |add edx,eax
0040158C |. 8BEB |mov ebp,ebx
0040158E |. F7D5 |not ebp
00401590 |. 0BEA |or ebp,edx
00401592 |. 33E8 |xor ebp,eax
00401594 |. 8D8C0D A72394>|lea ecx,dword ptr ss:[ebp+ecx+AB9423A7]
0040159B |. 034E 38 |add ecx,dword ptr ds:[esi+38]
0040159E |. C1C1 0F |rol ecx,0F
004015A1 |. 03CA |add ecx,edx
004015A3 |. 8BE8 |mov ebp,eax
004015A5 |. F7D5 |not ebp
004015A7 |. 0BE9 |or ebp,ecx
004015A9 |. 33EA |xor ebp,edx
004015AB |. 8D9C1D 39A093>|lea ebx,dword ptr ss:[ebp+ebx+FC93A039]
004015B2 |. 035E 14 |add ebx,dword ptr ds:[esi+14]
004015B5 |. C1C3 15 |rol ebx,15
004015B8 |. 03D9 |add ebx,ecx
004015BA |. 8BEA |mov ebp,edx
004015BC |. F7D5 |not ebp
004015BE |. 0BEB |or ebp,ebx
004015C0 |. 33E9 |xor ebp,ecx
004015C2 |. 8D8405 C3595B>|lea eax,dword ptr ss:[ebp+eax+655B59C3]
004015C9 |. 0346 30 |add eax,dword ptr ds:[esi+30]
004015CC |. C1C0 06 |rol eax,6
004015CF |. 03C3 |add eax,ebx
004015D1 |. 8BE9 |mov ebp,ecx
004015D3 |. F7D5 |not ebp
004015D5 |. 0BE8 |or ebp,eax
004015D7 |. 33EB |xor ebp,ebx
004015D9 |. 8D9415 92CC0C>|lea edx,dword ptr ss:[ebp+edx+8F0CCC92]
004015E0 |. 0356 0C |add edx,dword ptr ds:[esi+C]
004015E3 |. C1C2 0A |rol edx,0A
004015E6 |. 03D0 |add edx,eax
004015E8 |. 8BEB |mov ebp,ebx
004015EA |. F7D5 |not ebp
004015EC |. 0BEA |or ebp,edx
004015EE |. 33E8 |xor ebp,eax
004015F0 |. 8D8C0D 7DF4EF>|lea ecx,dword ptr ss:[ebp+ecx+FFEFF47D]
004015F7 |. 034E 28 |add ecx,dword ptr ds:[esi+28]
004015FA |. C1C1 0F |rol ecx,0F
004015FD |. 03CA |add ecx,edx
004015FF |. 8BE8 |mov ebp,eax
00401601 |. F7D5 |not ebp
00401603 |. 0BE9 |or ebp,ecx
00401605 |. 33EA |xor ebp,edx
00401607 |. 8D9C1D D15D84>|lea ebx,dword ptr ss:[ebp+ebx+85845DD1]
0040160E |. 035E 04 |add ebx,dword ptr ds:[esi+4]
00401611 |. C1C3 15 |rol ebx,15
00401614 |. 03D9 |add ebx,ecx
00401616 |. 8BEA |mov ebp,edx
00401618 |. F7D5 |not ebp
0040161A |. 0BEB |or ebp,ebx
0040161C |. 33E9 |xor ebp,ecx
0040161E |. 8D8405 4F7EA8>|lea eax,dword ptr ss:[ebp+eax+6FA87E4F]
00401625 |. 0346 20 |add eax,dword ptr ds:[esi+20]
00401628 |. C1C0 06 |rol eax,6
0040162B |. 03C3 |add eax,ebx
0040162D |. 8BE9 |mov ebp,ecx
0040162F |. F7D5 |not ebp
00401631 |. 0BE8 |or ebp,eax
00401633 |. 33EB |xor ebp,ebx
00401635 |. 8D9415 E2E62C>|lea edx,dword ptr ss:[ebp+edx+FE2CE6E2]
0040163C |. 0356 3C |add edx,dword ptr ds:[esi+3C]
0040163F |. C1C2 0A |rol edx,0A
00401642 |. 03D0 |add edx,eax
00401644 |. 8BEB |mov ebp,ebx
00401646 |. F7D5 |not ebp
00401648 |. 0BEA |or ebp,edx
0040164A |. 33E8 |xor ebp,eax
0040164C |. 8D8C0D 144301>|lea ecx,dword ptr ss:[ebp+ecx+A3014314]
00401653 |. 034E 18 |add ecx,dword ptr ds:[esi+18]
00401656 |. C1C1 0F |rol ecx,0F
00401659 |. 03CA |add ecx,edx
0040165B |. 8BE8 |mov ebp,eax
0040165D |. F7D5 |not ebp
0040165F |. 0BE9 |or ebp,ecx
00401661 |. 33EA |xor ebp,edx
00401663 |. 8D9C1D A11108>|lea ebx,dword ptr ss:[ebp+ebx+4E0811A1]
0040166A |. 035E 34 |add ebx,dword ptr ds:[esi+34]
0040166D |. C1C3 15 |rol ebx,15
00401670 |. 03D9 |add ebx,ecx
00401672 |. 8BEA |mov ebp,edx
00401674 |. F7D5 |not ebp
00401676 |. 0BEB |or ebp,ebx
00401678 |. 33E9 |xor ebp,ecx
0040167A |. 8D8405 827E53>|lea eax,dword ptr ss:[ebp+eax+F7537E82]
00401681 |. 0346 10 |add eax,dword ptr ds:[esi+10]
00401684 |. C1C0 06 |rol eax,6
00401687 |. 03C3 |add eax,ebx
00401689 |. 8BE9 |mov ebp,ecx
0040168B |. F7D5 |not ebp
0040168D |. 0BE8 |or ebp,eax
0040168F |. 33EB |xor ebp,ebx
00401691 |. 8D9415 35F23A>|lea edx,dword ptr ss:[ebp+edx+BD3AF235]
00401698 |. 0356 2C |add edx,dword ptr ds:[esi+2C]
0040169B |. C1C2 0A |rol edx,0A
0040169E |. 03D0 |add edx,eax
004016A0 |. 8BEB |mov ebp,ebx
004016A2 |. F7D5 |not ebp
004016A4 |. 0BEA |or ebp,edx
004016A6 |. 33E8 |xor ebp,eax
004016A8 |. 8D8C0D BBD2D7>|lea ecx,dword ptr ss:[ebp+ecx+2AD7D2BB]
004016AF |. 034E 08 |add ecx,dword ptr ds:[esi+8]
004016B2 |. C1C1 0F |rol ecx,0F
004016B5 |. 03CA |add ecx,edx
004016B7 |. 8BE8 |mov ebp,eax
004016B9 |. F7D5 |not ebp
004016BB |. 0BE9 |or ebp,ecx
004016BD |. 33EA |xor ebp,edx
004016BF |. 8D9C1D 94D386>|lea ebx,dword ptr ss:[ebp+ebx+EB86D394]
004016C6 |. 035E 24 |add ebx,dword ptr ds:[esi+24]
004016C9 |. C1C3 15 |rol ebx,15
004016CC |. 03D9 |add ebx,ecx
004016CE |. 5F |pop edi
004016CF |. 0107 |add dword ptr ds:[edi],eax
004016D1 |. 015F 04 |add dword ptr ds:[edi+4],ebx
004016D4 |. 014F 08 |add dword ptr ds:[edi+8],ecx
004016D7 |. 0157 0C |add dword ptr ds:[edi+C],edx
004016DA |. 5E |pop esi
004016DB |. 5B |pop ebx
004016DC |. 5A |pop edx
004016DD |. 58 |pop eax
004016DE |. 83E8 40 |sub eax,40
004016E1 |. 85D2 |test edx,edx
004016E3 |.^ 0F85 51F9FFFF \jnz dump.0040103A
004016E9 |. 83C4 40 add esp,40
004016EC |. 61 popad
004016ED \. C2 0C00 retn 0C
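End of the MD5 routine
======================================================
【Algorithm summary】
To summarize the algorithm: the password entered must be at least eight characters long; call it pass.
The ASCII codes of every four characters form one word. The first word and the second word are added together, then Length(pass)*37C92 is added, giving sum1; sum1+Len(pass)*37C92=sum.
The non-standard MD5 routine is then called to obtain MD5Hash, 32 bytes, forming 4 words; the sum of these four words is subtracted from sum, and then 4*3E8 is subtracted,
giving sum2. If sum2=CE99D6E6, the password is correct.
Reversing: CE99D6E6+4*3E8=CE99E686
do
MD5Hash=MD5(sum)
while(sum!=MD5Hash(1)+MD5Hash(2)+MD5Hash(3)+MD5Hash(4)+CE99E686)
Once sum is found, a keygen can be written.
I had meant to write something to brute-force sum myself, but deleting by hand all the addresses in front of the MD5 listing was just too tedious,
so I went and looked at Kreet's solve instead. Kreet did a nice job!! Awesome!
【Greetings】 看雪 (Kanxue) forum, FCG forum, DFCG forum, etc.
【Completed】 2005.05.12, 12:16, weather: overcast, Guangzhou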
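The check summarized above, reimplemented in Python as an added example (not code from the original post or from Kreet's solution). The overridden round constants are the ones in the listing's `lea` instructions that differ from the RFC 1321 table; the function names are illustrative, and the code assumes RFC 1321 padding (which matches the buffer dump in the listing) and that the 28 bytes following the sum at 004030DC are zero.

```python
import math
import struct

MASK = 0xFFFFFFFF

# Step constants read from the listing's lea instructions, keyed by step
# index 0..63, at the positions where they differ from RFC 1321.
CRACKME_K = {
    0: 0xD76AA424, 1: 0xE8C7B714, 15: 0x49B4082D, 16: 0xF61E2514,
    20: 0xD62F1052, 28: 0xA9E3E902, 31: 0x8D2A4C84, 38: 0xF6BB4B64,
    39: 0xBEBFBC7B, 44: 0xD9D4D032, 49: 0x432AFFB2, 57: 0xFE2CE6E2,
    63: 0xEB86D394,
}
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
          [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)

# Net effect of one pass of the loop at 004019E7 (sub 29A, add 43278, sub 0B34C).
STEP = (0x43278 - 0x29A - 0xB34C) & MASK
TARGET = 0xCE99D6E6  # constant compared at 00401A66

# Values recorded in the listing for the traced password.
TRACE_PASSWORD = b"12345678901234567890"
TRACE_DIGEST = bytes.fromhex("27F70DDA687DE1F39F0C59332DC2A969")


def rol(x, n):
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_with_constants(msg, overrides=None):
    """MD5 per RFC 1321, with selected step constants replaced."""
    k = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
    for index, value in (overrides or {}).items():
        k[index] = value
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    padded += struct.pack("<Q", (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        m = struct.unpack_from("<16I", padded, off)
        a, b, c, d = state
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | (~d & MASK)), (7 * i) % 16
            f = (f + a + k[i] + m[g]) & MASK
            a, d, c, b = d, c, b, (b + rol(f, SHIFTS[i])) & MASK
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def serial_sum(password):
    """First dword + second dword + len * 37C92, truncated to 32 bits."""
    if len(password) < 8:
        raise ValueError("the crackme rejects passwords shorter than 8")
    w1, w2 = struct.unpack_from("<II", password)
    return (w1 + w2 + len(password) * STEP) & MASK


def crackme_digest(total):
    """Hash the 32-byte buffer at 004030DC: the sum, then zeros (assumed)."""
    block = struct.pack("<I", total).ljust(32, b"\x00")
    return md5_with_constants(block, CRACKME_K)


def residual(total, digest):
    """Loop at 00401A36: subtract each digest dword and 3E8, four times."""
    for word in struct.unpack("<4I", digest):
        total = (total - word - 0x3E8) & MASK
    return total


def check(password):
    """True when the value left in ebx equals the constant CE99D6E6."""
    total = serial_sum(password)
    return residual(total, crackme_digest(total)) == TARGET


if __name__ == "__main__":
    s = serial_sum(TRACE_PASSWORD)
    print(f"sum      = {s:08X}")
    print(f"digest   = {crackme_digest(s).hex().upper()}")
    print(f"residual = {residual(s, crackme_digest(s)):08X}")
    print(f"accepted = {check(TRACE_PASSWORD)}")
```

Run against the traced password, the intermediate values can be compared with the `ebx` values and the dump at 004030BC noted in the listing.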
004016B9 |. F7D5 |not ebp
004016BB |. 0BE9 |or ebp,ecx
004016BD |. 33EA |xor ebp,edx
004016BF |. 8D9C1D 94D386>|lea ebx,dword ptr ss:[ebp+ebx+EB86D394]
004016C6 |. 035E 24 |add ebx,dword ptr ds:[esi+24]
004016C9 |. C1C3 15 |rol ebx,15
004016CC |. 03D9 |add ebx,ecx
004016CE |. 5F |pop edi
004016CF |. 0107 |add dword ptr ds:[edi],eax
004016D1 |. 015F 04 |add dword ptr ds:[edi+4],ebx
004016D4 |. 014F 08 |add dword ptr ds:[edi+8],ecx
004016D7 |. 0157 0C |add dword ptr ds:[edi+C],edx
004016DA |. 5E |pop esi
004016DB |. 5B |pop ebx
004016DC |. 5A |pop edx
004016DD |. 58 |pop eax
004016DE |. 83E8 40 |sub eax,40
004016E1 |. 85D2 |test edx,edx
004016E3 |.^ 0F85 51F9FFFF \jnz dump.0040103A
004016E9 |. 83C4 40 add esp,40
004016EC |. 61 popad
004016ED \. C2 0C00 retn 0C
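End of the MD5 routine
======================================================
【Algorithm summary】
To summarize the algorithm: the entered password must be at least eight characters long; call it pass.
Every four ASCII characters form one word. The first word and the second word are added together, plus Length(pass)*37C92, giving sum1; then sum1+Len(pass)*37C92=sum.
Next the non-standard MD5 routine is called, producing MD5Hash, 32 bytes, which form 4 words. The sum of these four words is subtracted from sum, and then 4*3E8 is subtracted as well,
giving sum2. If sum2=CE99D6E6, the password is correct.
Working backwards: CE99D6E6+4*3E8=CE99E686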
do
MD5Hash=MD5(sum)
while(sum!=MD5Hash(1)+MD5Hash(2)+MD5Hash(3)+MD5Hash(4)+CE99E686)
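Once sum has been found, a keygen can be written.
I originally wanted to write my own tool to brute-force sum, but stripping the addresses in front of the MD5 listing by hand was too exhausting,
so I went and looked at Kreet's solve instead. Kreet did a nice job!! Awesome!
【Greetings】 the Kanxue (看雪) forum, the FCG forum, the DFCG forum, and others
【Completed】 2005.05.12, 12:16; weather: overcast; Guangzhou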
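The additive constants in the listing can be compared with the standard MD5 table to see where this "non-standard MD5" departs from RFC 1321. The following is an added example, not part of the original post: it takes the lea lines of the last 15 steps, transcribed from the listing above, and reports every constant that differs from floor(2^32 * |sin(i)|). It assumes, from the [esi+1C] operand and rol 0A of the first of those lines, that they are steps 50 to 64 of the standard round-4 order; the names LISTING, LEA, standard_t and diff_constants are hypothetical.

```python
import math
import re

# lea lines of the last 15 MD5 steps, transcribed from the listing above
# (hex bytes and OllyDbg markers dropped; addresses and constants unchanged).
LISTING = """
0040157D lea edx,dword ptr ss:[ebp+edx+432AFFB2]
00401594 lea ecx,dword ptr ss:[ebp+ecx+AB9423A7]
004015AB lea ebx,dword ptr ss:[ebp+ebx+FC93A039]
004015C2 lea eax,dword ptr ss:[ebp+eax+655B59C3]
004015D9 lea edx,dword ptr ss:[ebp+edx+8F0CCC92]
004015F0 lea ecx,dword ptr ss:[ebp+ecx+FFEFF47D]
00401607 lea ebx,dword ptr ss:[ebp+ebx+85845DD1]
0040161E lea eax,dword ptr ss:[ebp+eax+6FA87E4F]
00401635 lea edx,dword ptr ss:[ebp+edx+FE2CE6E2]
0040164C lea ecx,dword ptr ss:[ebp+ecx+A3014314]
00401663 lea ebx,dword ptr ss:[ebp+ebx+4E0811A1]
0040167A lea eax,dword ptr ss:[ebp+eax+F7537E82]
00401691 lea edx,dword ptr ss:[ebp+edx+BD3AF235]
004016A8 lea ecx,dword ptr ss:[ebp+ecx+2AD7D2BB]
004016BF lea ebx,dword ptr ss:[ebp+ebx+EB86D394]
"""

# Captures the instruction address and the 32-bit displacement of each lea.
LEA = re.compile(
    r"^([0-9A-F]{8}) lea \w+,dword ptr ss:\[ebp\+\w+\+([0-9A-F]{8})\]$", re.M)

def standard_t(i):
    """RFC 1321 additive constant T[i] = floor(2^32 * |sin(i)|), i = 1..64."""
    return int(abs(math.sin(i)) * 2**32) & 0xFFFFFFFF

def diff_constants(listing, first_step):
    """Return (step, address, found, expected) for each constant that differs.

    first_step is the assumed MD5 step number of the first lea in the listing.
    """
    out = []
    for step, (addr, hexval) in enumerate(LEA.findall(listing), first_step):
        found, expected = int(hexval, 16), standard_t(step)
        if found != expected:
            out.append((step, addr, found, expected))
    return out

if __name__ == "__main__":
    for step, addr, found, expected in diff_constants(LISTING, 50):
        print(f"step {step} @ {addr}: {found:08X} (standard {expected:08X})")
```

On this excerpt it reports steps 50, 58 and 64; the other twelve constants match the standard table.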