- This one belongs to the absolute-beginner (cainiao) level
A PDF cutting program. It is not packed, and a wrong registration code produces the typical error message box. I'll skip how I got there and go straight to the algorithm. The comparison is reached by setting a breakpoint at the start of this function:

0040E5CC /.  55              push ebp                         ; start of function
0040E5CD |.  8BEC            mov ebp, esp
0040E5CF |.  83C4 BC         add esp, -44
0040E5D2 |.  53              push ebx
0040E5D3 |.  56              push esi
0040E5D4 |.  8BD8            mov ebx, eax
0040E5D6 |.  BE D3CE6600     mov esi, 0066CED3
0040E5DB |.  B8 E0D06600     mov eax, 0066D0E0
0040E5E0 |.  E8 5F3D2300     call 00642344
0040E5E5 |.  66:C745 E0 14>  mov word ptr [ebp-20], 14
0040E5EB |.  33D2            xor edx, edx
0040E5ED |.  8955 FC         mov dword ptr [ebp-4], edx
0040E5F0 |.  8D55 FC         lea edx, dword ptr [ebp-4]
0040E5F3 |.  FF45 EC         inc dword ptr [ebp-14]
0040E5F6 |.  8B83 18030000   mov eax, dword ptr [ebx+318]
0040E5FC |.  E8 47B21D00     call 005E9848
0040E601 |.  66:C745 E0 08>  mov word ptr [ebp-20], 8
0040E607 |.  837D FC 00      cmp dword ptr [ebp-4], 0
0040E60B |.  74 05           je short 0040E612
0040E60D |.  8B55 FC         mov edx, dword ptr [ebp-4]       ; edx = the entered (fake) code
0040E610 |.  EB 03           jmp short 0040E615
0040E612 |>  8D56 1D         lea edx, dword ptr [esi+1D]
0040E615 |>  8BC3            mov eax, ebx
0040E617     E8 40040000     call 0040EA5C                    ; key call
0040E61C     84C0            test al, al
0040E61E     75 67           jnz short 0040E687
0040E620     66:C745 E0 20>  mov word ptr [ebp-20], 20
0040E626     8D56 1E         lea edx, dword ptr [esi+1E]
0040E629     8D45 F8         lea eax, dword ptr [ebp-8]
0040E62C     E8 97352400     call 00651BC8
0040E631 |.  FF45 EC         inc dword ptr [ebp-14]
0040E634 |.  8B10            mov edx, dword ptr [eax]
0040E636 |.  8B83 20030000   mov eax, dword ptr [ebx+320]
0040E63C |.  E8 37B21D00     call 005E9878
0040E641 |.  FF4D EC         dec dword ptr [ebp-14]
0040E644 |.  8D45 F8         lea eax, dword ptr [ebp-8]
0040E647 |.  BA 02000000     mov edx, 2
0040E64C |.  E8 D7362400     call 00651D28
0040E651 |.  6A 10           push 10
0040E653 |.  8D4E 5F         lea ecx, dword ptr [esi+5F]
0040E656 |.  51              push ecx
0040E657 |.  8D46 2C         lea eax, dword ptr [esi+2C]
0040E65A |.  50              push eax
0040E65B |.  8BC3            mov eax, ebx
0040E65D |.  E8 FA181E00     call 005EFF5C
0040E662 |.  50              push eax                         ; |hOwner
0040E663 |.  E8 08762500     call <jmp.&USER32.MessageBoxA>   ; \error prompt dialog box
0040E668 |.  FF4D EC         dec dword ptr [ebp-14]
0040E66B |.  8D45 FC         lea eax, dword ptr [ebp-4]
0040E66E |.  BA 02000000     mov edx, 2
0040E673 |.  E8 B0362400     call 00651D28
0040E678 |.  8B4D D0         mov ecx, dword ptr [ebp-30]
0040E67B |.  64:890D 00000>  mov dword ptr fs:[0], ecx
0040E682 |.  E9 9F000000     jmp 0040E726

Following the key call from above, call 0040EA5C:

0040EA5C /$  53              push ebx
0040EA5D |.  56              push esi
0040EA5E |.  57              push edi
0040EA5F |.  8BDA            mov ebx, edx
0040EA61 |.  85DB            test ebx, ebx                    ; edx = fake code, ebx = fake code
0040EA63 |.  74 0C           je short 0040EA71
0040EA65 |.  53              push ebx
0040EA66 |.  E8 01342300     call 00641E6C                    ; should be the call that returns the length of the input string
0040EA6B |.  59              pop ecx
0040EA6C |.  83F8 10         cmp eax, 10                      ; eax = string length
0040EA6F |.  74 04           je short 0040EA75                ; jump only when the length is 16 characters
0040EA71 |>  33C0            xor eax, eax
0040EA73 |.  EB 2F           jmp short 0040EAA4
0040EA75 |>  0FBE73 02       movsx esi, byte ptr [ebx+2]      ; ASCII of the 3rd character of the fake code, sign-extended; esi = 00000033
0040EA79 |.  8BC6            mov eax, esi                     ; eax = 00000033, esi = 00000033
0040EA7B |.  0FBE7B 08       movsx edi, byte ptr [ebx+8]      ; 9th character of the fake code; edi = 00000039
0040EA7F |.  03C7            add eax, edi                     ; eax = 3rd ASCII + 9th ASCII
0040EA81 |.  3D 9B000000     cmp eax, 9B                      ; 3rd ASCII + 9th ASCII must equal 9B
0040EA86 |.  75 1A           jnz short 0040EAA2               ; (highlighted) otherwise the error is displayed
0040EA88 |.  8BCE            mov ecx, esi                     ; esi = 00000033, ecx = 00000033
0040EA8A |.  2BCF            sub ecx, edi                     ; ecx = 00000033, edi = 00000039; after execution ecx = FFFFFFFA
0040EA8C |.  8BC1            mov eax, ecx                     ; after execution eax = FFFFFFFA
0040EA8E |.  99              cdq                              ; after execution edx = FFFFFFFF
0040EA8F |.  33C2            xor eax, edx                     ; after execution eax = 00000005
0040EA91 |.  2BC2            sub eax, edx                     ; eax = 00000005, edx = FFFFFFFF; after execution eax = 00000006
0040EA93 |.  83C0 41         add eax, 41                      ; eax = 00000006; after the addition eax = 00000047
0040EA96 |.  0FBE53 05       movsx edx, byte ptr [ebx+5]      ; 6th character; edx = 00000036
0040EA9A |.  3BC2            cmp eax, edx                     ; compare eax with edx
0040EA9C |.  75 04           jnz short 0040EAA2               ; (highlighted) jump to error
0040EA9E |.  B0 01           mov al, 1                        ; after execution eax = 00000001
0040EAA0 |.  EB 02           jmp short 0040EAA4
0040EAA2 |>  33C0            xor eax, eax
0040EAA4 |>  5F              pop edi
0040EAA5 |.  5E              pop esi
0040EAA6 |.  5B              pop ebx
0040EAA7 \.  C3              retn

I think the comments make this clear enough. In the key routine above, changing every highlighted jump to its opposite cracks the check. Some people may think that modifying

0040E61C     84C0            test al, al
0040E61E     75 67           jnz short 0040E687

would also do, but if this call is used for verification elsewhere as well, that may not work.

The registration code must be 16 characters long. ASCII of the 3rd character plus ASCII of the 9th character = 0x9B. 3rd character minus 9th character = XX; XX xor 0xFFFF = YY; YY minus 0xFFFF = ZZ; ZZ plus 0x41 = P. If the ASCII value of the 6th character equals P, the registration code is correct.

I originally wanted to write a keygen in VB, but unfortunately my skills are too poor, and after more than half a day I had to give up. Please forgive anything that is wrong here.
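The routine at 0040EA5C restated in C, as an added example that is not the program's source and not the author's code, together with a count of how many printable-ASCII combinations of the three inspected characters it accepts. The function names and the 'A' filler used for the uninspected positions are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* C restatement of the check traced above; returns 1 on pass, 0 on fail. */
int check_key(const char *key)
{
    if (key == NULL || strlen(key) != 16)   /* test ebx,ebx / cmp eax,10 */
        return 0;
    int c3 = (signed char)key[2];           /* movsx esi, byte ptr [ebx+2] */
    int c9 = (signed char)key[8];           /* movsx edi, byte ptr [ebx+8] */
    if (c3 + c9 != 0x9B)                    /* cmp eax, 9B */
        return 0;
    int c6 = (signed char)key[5];           /* movsx edx, byte ptr [ebx+5] */
    /* cdq / xor eax,edx / sub eax,edx is the branch-free abs() idiom */
    return abs(c3 - c9) + 0x41 == c6;       /* add eax,41 / cmp eax,edx */
}

/* Try every printable-ASCII value in the three inspected positions and
   count how many combinations pass. The other 13 positions hold a
   constructed filler ('A'); the routine never reads them. */
unsigned count_accepted(void)
{
    char key[17];
    unsigned n = 0;

    memset(key, 'A', 16);
    key[16] = '\0';
    for (int a = 0x20; a <= 0x7E; a++)
        for (int b = 0x20; b <= 0x7E; b++)
            for (int c = 0x20; c <= 0x7E; c++) {
                key[2] = (char)a;
                key[8] = (char)b;
                key[5] = (char)c;
                n += (unsigned)check_key(key);
            }
    return n;
}

int main(void)
{
    printf("accepted: %u of %u combinations of the 3 checked characters\n",
           count_accepted(), 95u * 95u * 95u);
    printf("characters never inspected: %d of 16\n", 16 - 3);
    return 0;
}
```

Only three of the sixteen characters influence the result and nothing binds the code to a user or machine, which is why a licence check is better built on verifying a digital signature over the licence data than on arithmetic of this kind.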