[MD5算法练习] Arial CD Ripper 1.9.8算法分析

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[MD5算法练习] Arial CD Ripper 1.9.8算法分析相关的知识,希望对你有一定的参考价值。

【破文标题】[MD5算法练习] Arial CD Ripper 1.9.8算法分析
【破文作者】静心学习
【作者邮箱】[email protected]
【作者主页】http://www.cnblogs.com/dacainiao/
【破解工具】OD, DEDE, IDA
【破解平台】xp sp3
【软件名称】Arial CD Ripper 1.9.8
【软件大小】1833KB
【原版下载】http://www.onlinedown.net/soft/31096.htm
【保护方式】无壳
【软件简介】一款界面友好的CD抓轨和音频格式转换工具,能够把CD批处理地转换成MP3,WAV,OGG,FLAC,APE等文件格式,你可以在不损失质量的前提下只转换一条音轨或者转换整个光盘,同时具有在不同的音频格式之间互相转换的功能。Arial CD Ripper得到了CDDB的支持,可以自动在CDDB上寻找CD的相关信息。支持ID3标签,可以灵活设定各种输出参数。
【破解声明】初学密码学,跟着看雪前辈们的脚步学习,错误之处敬请诸位前辈不吝赐教。
------------------------------------------------------------------------
【破解过程】软件使用Borland Delphi 6.0 - 7.0编写,无壳,使用DEDE可以很快地找到按钮事件,并设置断点。

输入试炼码:
jingxinxuexi
123456789

断了下来,很快就进入了算法call中:
0055BC3C >/. 55 PUSH EBP ; _TRegForm_BtnOKClick
0055BC3D |. 8BEC MOV EBP, ESP
0055BC3F |. 6A 00 PUSH 0x0
0055BC41 |. 6A 00 PUSH 0x0
0055BC43 |. 53 PUSH EBX
0055BC44 |. 8BD8 MOV EBX, EAX
0055BC46 |. 33C0 XOR EAX, EAX
0055BC48 |. 55 PUSH EBP
0055BC49 |. 68 1FBD5500 PUSH <Arial_CD.loc_55BD1F>
0055BC4E |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0055BC51 |. 64:8920 MOV DWORD PTR FS:[EAX], ESP
0055BC54 |. 8D55 FC LEA EDX, [LOCAL.1]
0055BC57 |. 8B83 1C030000 MOV EAX, DWORD PTR DS:[EBX+0x31C]
0055BC5D |. E8 5A4DF0FF CALL <Arial_CD.Controls::TControl::GetText(void)>
0055BC62 |. 8D55 F8 LEA EDX, [LOCAL.2]
0055BC65 |. 8B83 24030000 MOV EAX, DWORD PTR DS:[EBX+0x324]
0055BC6B |. E8 4C4DF0FF CALL <Arial_CD.Controls::TControl::GetText(void)>
0055BC70 |. A1 90305700 MOV EAX, DWORD PTR DS:[<off_573090>]
0055BC75 |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
0055BC77 |. 8B4D F8 MOV ECX, [LOCAL.2] ; //注册码
0055BC7A |. 8B55 FC MOV EDX, [LOCAL.1] ; //用户名
0055BC7D |. E8 5E3D0100 CALL <Arial_CD.sub_56F9E0> ; //算法call

F7跟进算法call:
0056F9E0 >/$ 55 PUSH EBP ; sub_56F9E0
0056F9E1 |. 8BEC MOV EBP, ESP
0056F9E3 |. 83C4 E4 ADD ESP, -0x1C
0056F9E6 |. 53 PUSH EBX
0056F9E7 |. 33DB XOR EBX, EBX
0056F9E9 |. 895D F4 MOV [LOCAL.3], EBX
0056F9EC |. 894D F8 MOV [LOCAL.2], ECX ; //保存注册码
0056F9EF |. 8955 FC MOV [LOCAL.1], EDX ; //保存用户名
0056F9F2 |. 8B45 FC MOV EAX, [LOCAL.1]
0056F9F5 |. E8 E257E9FF CALL <Arial_CD.System::__linkproc__ LStrAddRef(void *)>
0056F9FA |. 8B45 F8 MOV EAX, [LOCAL.2]
0056F9FD |. E8 DA57E9FF CALL <Arial_CD.System::__linkproc__ LStrAddRef(void *)>
0056FA02 |. 33C0 XOR EAX, EAX
0056FA04 |. 55 PUSH EBP
0056FA05 |. 68 52FA5600 PUSH <Arial_CD.loc_56FA52>
0056FA0A |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0056FA0D |. 64:8920 MOV DWORD PTR FS:[EAX], ESP
0056FA10 |. 33DB XOR EBX, EBX
0056FA12 |. 8D55 E4 LEA EDX, [LOCAL.7]
0056FA15 |. 8B45 FC MOV EAX, [LOCAL.1]
0056FA18 |. E8 E33CFEFF CALL <Arial_CD.sub_553700> ; //MD5
0056FA1D |. 8D45 E4 LEA EAX, [LOCAL.7]
0056FA20 |. 8D55 F4 LEA EDX, [LOCAL.3]
0056FA23 |. E8 4C3DFEFF CALL <Arial_CD.sub_553774>
0056FA28 |. 8B55 F4 MOV EDX, [LOCAL.3]
0056FA2B |. 8B45 F8 MOV EAX, [LOCAL.2]
0056FA2E |. E8 0557E9FF CALL <Arial_CD.System::__linkproc__ LStrCmp(void)>
0056FA33 |. 75 02 JNZ SHORT <Arial_CD.loc_56FA37>
0056FA35 |. B3 01 MOV BL, 0x1
0056FA37 >|> 33C0 XOR EAX, EAX ; loc_56FA37
0056FA39 |. 5A POP EDX
0056FA3A |. 59 POP ECX
0056FA3B |. 59 POP ECX
0056FA3C |. 64:8910 MOV DWORD PTR FS:[EAX], EDX
0056FA3F |. 68 59FA5600 PUSH <Arial_CD.loc_56FA59>
0056FA44 >|> 8D45 F4 LEA EAX, [LOCAL.3] ; loc_56FA44
0056FA47 |. BA 03000000 MOV EDX, 0x3
0056FA4C |. E8 FF52E9FF CALL <Arial_CD.System::__linkproc__ LStrArrayClr(void *,>
0056FA51 \\. C3 RETN

首先跟进0056FA18 |. E8 E33CFEFF CALL <Arial_CD.sub_553700>:
00553700 >/$ 55 PUSH EBP ; sub_553700
00553701 |. 8BEC MOV EBP, ESP
00553703 |. 83C4 A4 ADD ESP, -0x5C
00553706 |. 53 PUSH EBX
00553707 |. 8BDA MOV EBX, EDX
00553709 |. 8945 FC MOV [LOCAL.1], EAX
0055370C |. 8B45 FC MOV EAX, [LOCAL.1]
0055370F |. E8 C81AEBFF CALL <Arial_CD.System::__linkproc__ LStrAddRef(void *)>
00553714 |. 33C0 XOR EAX, EAX
00553716 |. 55 PUSH EBP
00553717 |. 68 66375500 PUSH <Arial_CD.loc_553766>
0055371C |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0055371F |. 64:8920 MOV DWORD PTR FS:[EAX], ESP
00553722 |. 8D45 A4 LEA EAX, [LOCAL.23]
00553725 |. E8 AEFEFFFF CALL <Arial_CD.sub_5535D8> ; //MD5_Init
0055372A |. 8B45 FC MOV EAX, [LOCAL.1]
0055372D |. E8 BA18EBFF CALL <Arial_CD.unknown_libname_90> ; //用户名长度
00553732 |. 50 PUSH EAX
00553733 |. 8B45 FC MOV EAX, [LOCAL.1]
00553736 |. E8 B11AEBFF CALL <Arial_CD.System::__linkproc__ LStrToPChar(System::AnsiString)>
0055373B |. 8BD0 MOV EDX, EAX
0055373D |. 8D45 A4 LEA EAX, [LOCAL.23]
00553740 |. 59 POP ECX
00553741 |. E8 C6FEFFFF CALL <Arial_CD.sub_55360C> ; //eax MD5的结构体, edx 用户名, ecx 用户名长度
00553746 |. 8BD3 MOV EDX, EBX
00553748 |. 8D45 A4 LEA EAX, [LOCAL.23]
0055374B |. E8 3CFFFFFF CALL <Arial_CD.sub_55368C> ; //eax MD5的结构体
00553750 |. 33C0 XOR EAX, EAX
00553752 |. 5A POP EDX
00553753 |. 59 POP ECX
00553754 |. 59 POP ECX
00553755 |. 64:8910 MOV DWORD PTR FS:[EAX], EDX
00553758 |. 68 6D375500 PUSH <Arial_CD.loc_55376D>
0055375D >|> 8D45 FC LEA EAX, [LOCAL.1] ; loc_55375D
00553760 |. E8 C715EBFF CALL <Arial_CD.System::__linkproc__ LStrClr(void *)>
00553765 \\. C3 RETN

可以看到CALL <Arial_CD.sub_5535D8> 中,像是MD5_Init初始化4个常量:
005535D8 >/$ C700 01234567 MOV DWORD PTR DS:[EAX], 0x67452301 ; sub_5535D8
005535DE |. C740 04 89ABC>MOV DWORD PTR DS:[EAX+0x4], 0xEFCDAB89
005535E5 |. C740 08 FEDCB>MOV DWORD PTR DS:[EAX+0x8], 0x98BADCFE
005535EC |. C740 0C 76543>MOV DWORD PTR DS:[EAX+0xC], 0x10325476 ; //初始化常量
005535F3 |. 33D2 XOR EDX, EDX
005535F5 |. 8950 10 MOV DWORD PTR DS:[EAX+0x10], EDX
005535F8 |. 33D2 XOR EDX, EDX
005535FA |. 8950 14 MOV DWORD PTR DS:[EAX+0x14], EDX ; //数据长度64位
005535FD |. 83C0 18 ADD EAX, 0x18
00553600 |. BA 40000000 MOV EDX, 0x40 ; //512数据的Buffer
00553605 |. E8 724BEBFF CALL <Arial_CD.Windows::ZeroMemory(void *,uint)>
0055360A \\. C3 RETN

初始化完成的内存数据:
0012F838 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 #Eg壂惋簶vT2
0012F848 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F858 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F868 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F878 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F888 00 00 00 00 00 00 00 00 ........

下面是关键算法call了,CALL <Arial_CD.sub_55360C>:
第一次没有进入MD5_Final函数,只是拷贝了数据到MD5的结构体中
0012F838 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 #Eg壂惋簶vT2
0012F848 60 00 00 00 00 00 00 00 6A 69 6E 67 78 69 6E 78 `.......jingxinx
0012F858 75 65 78 69 00 00 00 00 00 00 00 00 00 00 00 00 uexi............
0012F868 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F878 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F888 00 00 00 00 00 00 00 00 ........

此时还没有填充剩余数据,下面再进入CALL <Arial_CD.sub_55368C> :
0055368C >/$ 53 PUSH EBX ; sub_55368C
0055368D |. 56 PUSH ESI
0055368E |. 83C4 F8 ADD ESP, -0x8
00553691 |. 8BF2 MOV ESI, EDX
00553693 |. 8BD8 MOV EBX, EAX
00553695 |. 8BD4 MOV EDX, ESP
00553697 |. 8D43 10 LEA EAX, DWORD PTR DS:[EBX+0x10]
0055369A |. B9 02000000 MOV ECX, 0x2
0055369F |. E8 C8F7FFFF CALL <Arial_CD.sub_552E6C>
005536A4 |. 8B43 10 MOV EAX, DWORD PTR DS:[EBX+0x10]
005536A7 |. C1E8 03 SHR EAX, 0x3
005536AA |. 83E0 3F AND EAX, 0x3F
005536AD |. 83F8 38 CMP EAX, 0x38 ; //56
005536B0 |. 73 0B JNB SHORT <Arial_CD.loc_5536BD>
005536B2 |. BA 38000000 MOV EDX, 0x38
005536B7 |. 2BD0 SUB EDX, EAX
005536B9 |. 8BC2 MOV EAX, EDX
005536BB |. EB 09 JMP SHORT <Arial_CD.loc_5536C6>
005536BD >|> BA 78000000 MOV EDX, 0x78 ; loc_5536BD
005536C2 |. 2BD0 SUB EDX, EAX
005536C4 |. 8BC2 MOV EAX, EDX
005536C6 >|> BA 942D5700 MOV EDX, OFFSET <Arial_CD.unk_572D94> ; //填充位
005536CB |. 8BCB MOV ECX, EBX
005536CD |. 91 XCHG EAX, ECX
005536CE |. E8 39FFFFFF CALL <Arial_CD.sub_55360C> ; //填充剩余数据
005536D3 |. 8BD4 MOV EDX, ESP
005536D5 |. 8BC3 MOV EAX, EBX
005536D7 |. B9 08000000 MOV ECX, 0x8
005536DC |. E8 2BFFFFFF CALL <Arial_CD.sub_55360C> ; //开始计算MD5

填充完成数据:
0012F838 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 #Eg壂惋簶vT2
0012F848 C0 01 00 00 00 00 00 00 6A 69 6E 67 78 69 6E 78 ?......jingxinx
0012F858 75 65 78 69 80 00 00 00 00 00 00 00 00 00 00 00 uexi€...........
0012F868 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F878 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012F888 00 00 00 00 00 00 00 00 ........

进入005536DC |. E8 2BFFFFFF CALL <Arial_CD.sub_55360C> ; //开始计算MD5
这次会进入到MD5_Final中,标准MD5 00553654 |. E8 4FF8FFFF CALL <Arial_CD.sub_552EA8> ; //MD5_Final, eax = 数据缓冲区首地址
00552EA8 >/$ 53 PUSH EBX ; sub_552EA8
00552EA9 |. 56 PUSH ESI
00552EAA |. 57 PUSH EDI
00552EAB |. 55 PUSH EBP
00552EAC |. 83C4 A8 ADD ESP, -0x58
00552EAF |. 895424 04 MOV DWORD PTR SS:[ESP+0x4], EDX
00552EB3 |. 890424 MOV DWORD PTR SS:[ESP], EAX
00552EB6 |. 8D5C24 08 LEA EBX, DWORD PTR SS:[ESP+0x8]
00552EBA |. 8D7424 0C LEA ESI, DWORD PTR SS:[ESP+0xC]
00552EBE |. 8D7C24 10 LEA EDI, DWORD PTR SS:[ESP+0x10]
00552EC2 |. 8D6C24 14 LEA EBP, DWORD PTR SS:[ESP+0x14]
00552EC6 |. 8D5424 18 LEA EDX, DWORD PTR SS:[ESP+0x18]
00552ECA |. B9 40000000 MOV ECX, 0x40
00552ECF |. 8B0424 MOV EAX, DWORD PTR SS:[ESP]
00552ED2 |. E8 5DFFFFFF CALL <Arial_CD.sub_552E34>
00552ED7 |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
00552EDB |. 8B00 MOV EAX, DWORD PTR DS:[EAX] ; //a
00552EDD |. 8903 MOV DWORD PTR DS:[EBX], EAX
00552EDF |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
00552EE3 |. 8B40 04 MOV EAX, DWORD PTR DS:[EAX+0x4] ; //b
00552EE6 |. 8906 MOV DWORD PTR DS:[ESI], EAX
00552EE8 |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
00552EEC |. 8B40 08 MOV EAX, DWORD PTR DS:[EAX+0x8] ; //c
00552EEF |. 8907 MOV DWORD PTR DS:[EDI], EAX
00552EF1 |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
00552EF5 |. 8B40 0C MOV EAX, DWORD PTR DS:[EAX+0xC] ; //d
00552EF8 |. 8945 00 MOV DWORD PTR SS:[EBP], EAX
00552EFB |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00552EFE |. 50 PUSH EAX ; //d
00552EFF |. 8B4424 1C MOV EAX, DWORD PTR SS:[ESP+0x1C] ; //数据512位
00552F03 |. 50 PUSH EAX
00552F04 |. 6A 07 PUSH 0x7
00552F06 |. 68 78A46AD7 PUSH 0xD76AA478
00552F0B |. 8BC3 MOV EAX, EBX
00552F0D |. 8B0F MOV ECX, DWORD PTR DS:[EDI] ; //c
00552F0F |. 8B16 MOV EDX, DWORD PTR DS:[ESI] ; //b
00552F11 |. E8 4EFEFFFF CALL <Arial_CD.sub_552D64>
00552F16 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00552F18 |. 50 PUSH EAX
00552F19 |. 8B4424 20 MOV EAX, DWORD PTR SS:[ESP+0x20]
00552F1D |. 50 PUSH EAX
00552F1E |. 6A 0C PUSH 0xC
00552F20 |. 68 56B7C7E8 PUSH 0xE8C7B756
00552F25 |. 8BC5 MOV EAX, EBP
00552F27 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00552F29 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00552F2B |. E8 34FEFFFF CALL <Arial_CD.sub_552D64>
00552F30 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00552F32 |. 50 PUSH EAX
00552F33 |. 8B4424 24 MOV EAX, DWORD PTR SS:[ESP+0x24]
00552F37 |. 50 PUSH EAX
00552F38 |. 6A 11 PUSH 0x11
00552F3A |. 68 DB702024 PUSH 0x242070DB
00552F3F |. 8BC7 MOV EAX, EDI
00552F41 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00552F43 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
00552F46 |. E8 19FEFFFF CALL <Arial_CD.sub_552D64>
00552F4B |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00552F4D |. 50 PUSH EAX
00552F4E |. 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+0x28]
00552F52 |. 50 PUSH EAX
00552F53 |. 6A 16 PUSH 0x16
00552F55 |. 68 EECEBDC1 PUSH 0xC1BDCEEE
00552F5A |. 8BC6 MOV EAX, ESI
00552F5C |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
00552F5F |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
00552F61 |. E8 FEFDFFFF CALL <Arial_CD.sub_552D64>
00552F66 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00552F69 |. 50 PUSH EAX
00552F6A |. 8B4424 2C MOV EAX, DWORD PTR SS:[ESP+0x2C]
00552F6E |. 50 PUSH EAX
00552F6F |. 6A 07 PUSH 0x7
00552F71 |. 68 AF0F7CF5 PUSH 0xF57C0FAF
00552F76 |. 8BC3 MOV EAX, EBX
00552F78 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00552F7A |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00552F7C |. E8 E3FDFFFF CALL <Arial_CD.sub_552D64>
00552F81 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00552F83 |. 50 PUSH EAX
00552F84 |. 8B4424 30 MOV EAX, DWORD PTR SS:[ESP+0x30]
00552F88 |. 50 PUSH EAX
00552F89 |. 6A 0C PUSH 0xC
00552F8B |. 68 2AC68747 PUSH 0x4787C62A
00552F90 |. 8BC5 MOV EAX, EBP
00552F92 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00552F94 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00552F96 |. E8 C9FDFFFF CALL <Arial_CD.sub_552D64>
00552F9B |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00552F9D |. 50 PUSH EAX
00552F9E |. 8B4424 34 MOV EAX, DWORD PTR SS:[ESP+0x34]
00552FA2 |. 50 PUSH EAX
00552FA3 |. 6A 11 PUSH 0x11
00552FA5 |. 68 134630A8 PUSH 0xA8304613
00552FAA |. 8BC7 MOV EAX, EDI
00552FAC |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00552FAE |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
00552FB1 |. E8 AEFDFFFF CALL <Arial_CD.sub_552D64>
00552FB6 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00552FB8 |. 50 PUSH EAX
00552FB9 |. 8B4424 38 MOV EAX, DWORD PTR SS:[ESP+0x38]
00552FBD |. 50 PUSH EAX
00552FBE |. 6A 16 PUSH 0x16
00552FC0 |. 68 019546FD PUSH 0xFD469501
00552FC5 |. 8BC6 MOV EAX, ESI
00552FC7 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
00552FCA |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
00552FCC |. E8 93FDFFFF CALL <Arial_CD.sub_552D64>
00552FD1 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00552FD4 |. 50 PUSH EAX
00552FD5 |. 8B4424 3C MOV EAX, DWORD PTR SS:[ESP+0x3C]
00552FD9 |. 50 PUSH EAX
00552FDA |. 6A 07 PUSH 0x7
00552FDC |. 68 D8988069 PUSH 0x698098D8
00552FE1 |. 8BC3 MOV EAX, EBX
00552FE3 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00552FE5 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00552FE7 |. E8 78FDFFFF CALL <Arial_CD.sub_552D64>
00552FEC |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00552FEE |. 50 PUSH EAX
00552FEF |. 8B4424 40 MOV EAX, DWORD PTR SS:[ESP+0x40]
00552FF3 |. 50 PUSH EAX
00552FF4 |. 6A 0C PUSH 0xC
00552FF6 |. 68 AFF7448B PUSH 0x8B44F7AF
00552FFB |. 8BC5 MOV EAX, EBP
00552FFD |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00552FFF |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00553001 |. E8 5EFDFFFF CALL <Arial_CD.sub_552D64>
00553006 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00553008 |. 50 PUSH EAX
00553009 |. 8B4424 44 MOV EAX, DWORD PTR SS:[ESP+0x44]
0055300D |. 50 PUSH EAX
0055300E |. 6A 11 PUSH 0x11
00553010 |. 68 B15BFFFF PUSH 0xFFFF5BB1
00553015 |. 8BC7 MOV EAX, EDI
00553017 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00553019 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
0055301C |. E8 43FDFFFF CALL <Arial_CD.sub_552D64>
00553021 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00553023 |. 50 PUSH EAX
00553024 |. 8B4424 48 MOV EAX, DWORD PTR SS:[ESP+0x48]
00553028 |. 50 PUSH EAX
00553029 |. 6A 16 PUSH 0x16
0055302B |. 68 BED75C89 PUSH 0x895CD7BE
00553030 |. 8BC6 MOV EAX, ESI
00553032 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
00553035 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
00553037 |. E8 28FDFFFF CALL <Arial_CD.sub_552D64>
0055303C |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
0055303F |. 50 PUSH EAX
00553040 |. 8B4424 4C MOV EAX, DWORD PTR SS:[ESP+0x4C]
00553044 |. 50 PUSH EAX
00553045 |. 6A 07 PUSH 0x7
00553047 |. 68 2211906B PUSH 0x6B901122
0055304C |. 8BC3 MOV EAX, EBX
0055304E |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00553050 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00553052 |. E8 0DFDFFFF CALL <Arial_CD.sub_552D64>
00553057 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00553059 |. 50 PUSH EAX
0055305A |. 8B4424 50 MOV EAX, DWORD PTR SS:[ESP+0x50]
0055305E |. 50 PUSH EAX
0055305F |. 6A 0C PUSH 0xC
00553061 |. 68 937198FD PUSH 0xFD987193
00553066 |. 8BC5 MOV EAX, EBP
00553068 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
0055306A |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
0055306C |. E8 F3FCFFFF CALL <Arial_CD.sub_552D64>
00553071 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00553073 |. 50 PUSH EAX
00553074 |. 8B4424 54 MOV EAX, DWORD PTR SS:[ESP+0x54]
00553078 |. 50 PUSH EAX
00553079 |. 6A 11 PUSH 0x11
0055307B |. 68 8E4379A6 PUSH 0xA679438E
00553080 |. 8BC7 MOV EAX, EDI
00553082 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00553084 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
00553087 |. E8 D8FCFFFF CALL <Arial_CD.sub_552D64>
0055308C |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
0055308E |. 50 PUSH EAX
0055308F |. 8B4424 58 MOV EAX, DWORD PTR SS:[ESP+0x58]
00553093 |. 50 PUSH EAX
00553094 |. 6A 16 PUSH 0x16
00553096 |. 68 2108B449 PUSH 0x49B40821
0055309B |. 8BC6 MOV EAX, ESI
0055309D |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
005530A0 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
005530A2 |. E8 BDFCFFFF CALL <Arial_CD.sub_552D64>
005530A7 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
005530AA |. 50 PUSH EAX
005530AB |. 8B4424 20 MOV EAX, DWORD PTR SS:[ESP+0x20]
005530AF |. 50 PUSH EAX
005530B0 |. 6A 05 PUSH 0x5
005530B2 |. 68 62251EF6 PUSH 0xF61E2562
005530B7 |. 8BC3 MOV EAX, EBX
005530B9 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
005530BB |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
005530BD |. E8 D6FCFFFF CALL <Arial_CD.sub_552D98>
005530C2 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
005530C4 |. 50 PUSH EAX
005530C5 |. 8B4424 34 MOV EAX, DWORD PTR SS:[ESP+0x34]
005530C9 |. 50 PUSH EAX
005530CA |. 6A 09 PUSH 0x9
005530CC |. 68 40B340C0 PUSH 0xC040B340
005530D1 |. 8BC5 MOV EAX, EBP
005530D3 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
005530D5 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
005530D7 |. E8 BCFCFFFF CALL <Arial_CD.sub_552D98>
005530DC |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
005530DE |. 50 PUSH EAX
005530DF |. 8B4424 48 MOV EAX, DWORD PTR SS:[ESP+0x48]
005530E3 |. 50 PUSH EAX
005530E4 |. 6A 0E PUSH 0xE
005530E6 |. 68 515A5E26 PUSH 0x265E5A51
005530EB |. 8BC7 MOV EAX, EDI
005530ED |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
005530EF |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
005530F2 |. E8 A1FCFFFF CALL <Arial_CD.sub_552D98>
005530F7 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
005530F9 |. 50 PUSH EAX
005530FA |. 8B4424 1C MOV EAX, DWORD PTR SS:[ESP+0x1C]
005530FE |. 50 PUSH EAX
005530FF |. 6A 14 PUSH 0x14
00553101 |. 68 AAC7B6E9 PUSH 0xE9B6C7AA
00553106 |. 8BC6 MOV EAX, ESI
00553108 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
0055310B |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
0055310D |. E8 86FCFFFF CALL <Arial_CD.sub_552D98>
00553112 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00553115 |. 50 PUSH EAX
00553116 |. 8B4424 30 MOV EAX, DWORD PTR SS:[ESP+0x30]
0055311A |. 50 PUSH EAX
0055311B |. 6A 05 PUSH 0x5
0055311D |. 68 5D102FD6 PUSH 0xD62F105D
00553122 |. 8BC3 MOV EAX, EBX
00553124 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00553126 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00553128 |. E8 6BFCFFFF CALL <Arial_CD.sub_552D98>
0055312D |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
0055312F |. 50 PUSH EAX
00553130 |. 8B4424 44 MOV EAX, DWORD PTR SS:[ESP+0x44]
00553134 |. 50 PUSH EAX
00553135 |. 6A 09 PUSH 0x9
00553137 |. 68 53144402 PUSH 0x2441453
0055313C |. 8BC5 MOV EAX, EBP
0055313E |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00553140 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00553142 |. E8 51FCFFFF CALL <Arial_CD.sub_552D98>
00553147 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00553149 |. 50 PUSH EAX
0055314A |. 8B4424 58 MOV EAX, DWORD PTR SS:[ESP+0x58]
0055314E |. 50 PUSH EAX
0055314F |. 6A 0E PUSH 0xE
00553151 |. 68 81E6A1D8 PUSH 0xD8A1E681
00553156 |. 8BC7 MOV EAX, EDI
00553158 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
0055315A |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
0055315D |. E8 36FCFFFF CALL <Arial_CD.sub_552D98>
00553162 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00553164 |. 50 PUSH EAX
00553165 |. 8B4424 2C MOV EAX, DWORD PTR SS:[ESP+0x2C]
00553169 |. 50 PUSH EAX
0055316A |. 6A 14 PUSH 0x14
0055316C |. 68 C8FBD3E7 PUSH 0xE7D3FBC8
00553171 |. 8BC6 MOV EAX, ESI
00553173 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
00553176 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
00553178 |. E8 1BFCFFFF CALL <Arial_CD.sub_552D98>
0055317D |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00553180 |. 50 PUSH EAX
00553181 |. 8B4424 40 MOV EAX, DWORD PTR SS:[ESP+0x40]
00553185 |. 50 PUSH EAX
00553186 |. 6A 05 PUSH 0x5
00553188 |. 68 E6CDE121 PUSH 0x21E1CDE6
0055318D |. 8BC3 MOV EAX, EBX
0055318F |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00553191 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00553193 |. E8 00FCFFFF CALL <Arial_CD.sub_552D98>
00553198 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
0055319A |. 50 PUSH EAX
0055319B |. 8B4424 54 MOV EAX, DWORD PTR SS:[ESP+0x54]
0055319F |. 50 PUSH EAX
005531A0 |. 6A 09 PUSH 0x9
005531A2 |. 68 D60737C3 PUSH 0xC33707D6
005531A7 |. 8BC5 MOV EAX, EBP
005531A9 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
005531AB |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
005531AD |. E8 E6FBFFFF CALL <Arial_CD.sub_552D98>
005531B2 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
005531B4 |. 50 PUSH EAX
005531B5 |. 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+0x28]
005531B9 |. 50 PUSH EAX
005531BA |. 6A 0E PUSH 0xE
005531BC |. 68 870DD5F4 PUSH 0xF4D50D87
005531C1 |. 8BC7 MOV EAX, EDI
005531C3 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
005531C5 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
005531C8 |. E8 CBFBFFFF CALL <Arial_CD.sub_552D98>
005531CD |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
005531CF |. 50 PUSH EAX
005531D0 |. 8B4424 3C MOV EAX, DWORD PTR SS:[ESP+0x3C]
005531D4 |. 50 PUSH EAX
005531D5 |. 6A 14 PUSH 0x14
005531D7 |. 68 ED145A45 PUSH 0x455A14ED
005531DC |. 8BC6 MOV EAX, ESI
005531DE |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
005531E1 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
005531E3 |. E8 B0FBFFFF CALL <Arial_CD.sub_552D98>
005531E8 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
005531EB |. 50 PUSH EAX
005531EC |. 8B4424 50 MOV EAX, DWORD PTR SS:[ESP+0x50]
005531F0 |. 50 PUSH EAX
005531F1 |. 6A 05 PUSH 0x5
005531F3 |. 68 05E9E3A9 PUSH 0xA9E3E905
005531F8 |. 8BC3 MOV EAX, EBX
005531FA |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
005531FC |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
005531FE |. E8 95FBFFFF CALL <Arial_CD.sub_552D98>
00553203 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00553205 |. 50 PUSH EAX
00553206 |. 8B4424 24 MOV EAX, DWORD PTR SS:[ESP+0x24]
0055320A |. 50 PUSH EAX
0055320B |. 6A 09 PUSH 0x9
0055320D |. 68 F8A3EFFC PUSH 0xFCEFA3F8
00553212 |. 8BC5 MOV EAX, EBP
00553214 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00553216 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00553218 |. E8 7BFBFFFF CALL <Arial_CD.sub_552D98>
0055321D |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
0055321F |. 50 PUSH EAX
00553220 |. 8B4424 38 MOV EAX, DWORD PTR SS:[ESP+0x38]
00553224 |. 50 PUSH EAX
00553225 |. 6A 0E PUSH 0xE
00553227 |. 68 D9026F67 PUSH 0x676F02D9
0055322C |. 8BC7 MOV EAX, EDI
0055322E |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00553230 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
00553233 |. E8 60FBFFFF CALL <Arial_CD.sub_552D98>
00553238 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
0055323A |. 50 PUSH EAX
0055323B |. 8B4424 4C MOV EAX, DWORD PTR SS:[ESP+0x4C]
0055323F |. 50 PUSH EAX
00553240 |. 6A 14 PUSH 0x14
00553242 |. 68 8A4C2A8D PUSH 0x8D2A4C8A
00553247 |. 8BC6 MOV EAX, ESI
00553249 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
0055324C |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
0055324E |. E8 45FBFFFF CALL <Arial_CD.sub_552D98>
00553253 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00553256 |. 50 PUSH EAX
00553257 |. 8B4424 30 MOV EAX, DWORD PTR SS:[ESP+0x30]
0055325B |. 50 PUSH EAX
0055325C |. 6A 04 PUSH 0x4
0055325E |. 68 4239FAFF PUSH 0xFFFA3942
00553263 |. 8BC3 MOV EAX, EBX
00553265 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00553267 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00553269 |. E8 5EFBFFFF CALL <Arial_CD.sub_552DCC>
0055326E |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00553270 |. 50 PUSH EAX
00553271 |. 8B4424 3C MOV EAX, DWORD PTR SS:[ESP+0x3C]
00553275 |. 50 PUSH EAX
00553276 |. 6A 0B PUSH 0xB
00553278 |. 68 81F67187 PUSH 0x8771F681
0055327D |. 8BC5 MOV EAX, EBP
0055327F |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00553281 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00553283 |. E8 44FBFFFF CALL <Arial_CD.sub_552DCC>
00553288 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
0055328A |. 50 PUSH EAX
0055328B |. 8B4424 48 MOV EAX, DWORD PTR SS:[ESP+0x48]
0055328F |. 50 PUSH EAX
00553290 |. 6A 10 PUSH 0x10
00553292 |. 68 22619D6D PUSH 0x6D9D6122
00553297 |. 8BC7 MOV EAX, EDI
00553299 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
0055329B |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
0055329E |. E8 29FBFFFF CALL <Arial_CD.sub_552DCC>
005532A3 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
005532A5 |. 50 PUSH EAX
005532A6 |. 8B4424 54 MOV EAX, DWORD PTR SS:[ESP+0x54]
005532AA |. 50 PUSH EAX
005532AB |. 6A 17 PUSH 0x17
005532AD |. 68 0C38E5FD PUSH 0xFDE5380C
005532B2 |. 8BC6 MOV EAX, ESI
005532B4 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
005532B7 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
005532B9 |. E8 0EFBFFFF CALL <Arial_CD.sub_552DCC>
005532BE |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
005532C1 |. 50 PUSH EAX
005532C2 |. 8B4424 20 MOV EAX, DWORD PTR SS:[ESP+0x20]
005532C6 |. 50 PUSH EAX
005532C7 |. 6A 04 PUSH 0x4
005532C9 |. 68 44EABEA4 PUSH 0xA4BEEA44
005532CE |. 8BC3 MOV EAX, EBX
005532D0 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
005532D2 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
005532D4 |. E8 F3FAFFFF CALL <Arial_CD.sub_552DCC>
005532D9 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
005532DB |. 50 PUSH EAX
005532DC |. 8B4424 2C MOV EAX, DWORD PTR SS:[ESP+0x2C]
005532E0 |. 50 PUSH EAX
005532E1 |. 6A 0B PUSH 0xB
005532E3 |. 68 A9CFDE4B PUSH 0x4BDECFA9
005532E8 |. 8BC5 MOV EAX, EBP
005532EA |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
005532EC |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
005532EE |. E8 D9FAFFFF CALL <Arial_CD.sub_552DCC>
005532F3 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
005532F5 |. 50 PUSH EAX
005532F6 |. 8B4424 38 MOV EAX, DWORD PTR SS:[ESP+0x38]
005532FA |. 50 PUSH EAX
005532FB |. 6A 10 PUSH 0x10
005532FD |. 68 604BBBF6 PUSH 0xF6BB4B60
00553302 |. 8BC7 MOV EAX, EDI
00553304 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00553306 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
00553309 |. E8 BEFAFFFF CALL <Arial_CD.sub_552DCC>
0055330E |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00553310 |. 50 PUSH EAX
00553311 |. 8B4424 44 MOV EAX, DWORD PTR SS:[ESP+0x44]
00553315 |. 50 PUSH EAX
00553316 |. 6A 17 PUSH 0x17
00553318 |. 68 70BCBFBE PUSH 0xBEBFBC70
0055331D |. 8BC6 MOV EAX, ESI
0055331F |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
00553322 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
00553324 |. E8 A3FAFFFF CALL <Arial_CD.sub_552DCC>
00553329 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
0055332C |. 50 PUSH EAX
0055332D |. 8B4424 50 MOV EAX, DWORD PTR SS:[ESP+0x50]
00553331 |. 50 PUSH EAX
00553332 |. 6A 04 PUSH 0x4
00553334 |. 68 C67E9B28 PUSH 0x289B7EC6
00553339 |. 8BC3 MOV EAX, EBX
0055333B |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
0055333D |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
0055333F |. E8 88FAFFFF CALL <Arial_CD.sub_552DCC>
00553344 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00553346 |. 50 PUSH EAX
00553347 |. 8B4424 1C MOV EAX, DWORD PTR SS:[ESP+0x1C]
0055334B |. 50 PUSH EAX
0055334C |. 6A 0B PUSH 0xB
0055334E |. 68 FA27A1EA PUSH 0xEAA127FA
00553353 |. 8BC5 MOV EAX, EBP
00553355 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00553357 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00553359 |. E8 6EFAFFFF CALL <Arial_CD.sub_552DCC>
0055335E |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00553360 |. 50 PUSH EAX
00553361 |. 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+0x28]
00553365 |. 50 PUSH EAX
00553366 |. 6A 10 PUSH 0x10
00553368 |. 68 8530EFD4 PUSH 0xD4EF3085
0055336D |. 8BC7 MOV EAX, EDI
0055336F |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00553371 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
00553374 |. E8 53FAFFFF CALL <Arial_CD.sub_552DCC>
00553379 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
0055337B |. 50 PUSH EAX
0055337C |. 8B4424 34 MOV EAX, DWORD PTR SS:[ESP+0x34]
00553380 |. 50 PUSH EAX
00553381 |. 6A 17 PUSH 0x17
00553383 |. 68 051D8804 PUSH 0x4881D05
00553388 |. 8BC6 MOV EAX, ESI
0055338A |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
0055338D |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
0055338F |. E8 38FAFFFF CALL <Arial_CD.sub_552DCC>
00553394 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00553397 |. 50 PUSH EAX
00553398 |. 8B4424 40 MOV EAX, DWORD PTR SS:[ESP+0x40]
0055339C |. 50 PUSH EAX
0055339D |. 6A 04 PUSH 0x4
0055339F |. 68 39D0D4D9 PUSH 0xD9D4D039
005533A4 |. 8BC3 MOV EAX, EBX
005533A6 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
005533A8 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
005533AA |. E8 1DFAFFFF CALL <Arial_CD.sub_552DCC>
005533AF |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
005533B1 |. 50 PUSH EAX
005533B2 |. 8B4424 4C MOV EAX, DWORD PTR SS:[ESP+0x4C]
005533B6 |. 50 PUSH EAX
005533B7 |. 6A 0B PUSH 0xB
005533B9 |. 68 E599DBE6 PUSH 0xE6DB99E5
005533BE |. 8BC5 MOV EAX, EBP
005533C0 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
005533C2 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
005533C4 |. E8 03FAFFFF CALL <Arial_CD.sub_552DCC>
005533C9 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
005533CB |. 50 PUSH EAX
005533CC |. 8B4424 58 MOV EAX, DWORD PTR SS:[ESP+0x58]
005533D0 |. 50 PUSH EAX
005533D1 |. 6A 10 PUSH 0x10
005533D3 |. 68 F87CA21F PUSH 0x1FA27CF8
005533D8 |. 8BC7 MOV EAX, EDI
005533DA |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
005533DC |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
005533DF |. E8 E8F9FFFF CALL <Arial_CD.sub_552DCC>
005533E4 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
005533E6 |. 50 PUSH EAX
005533E7 |. 8B4424 24 MOV EAX, DWORD PTR SS:[ESP+0x24]
005533EB |. 50 PUSH EAX
005533EC |. 6A 17 PUSH 0x17
005533EE |. 68 6556ACC4 PUSH 0xC4AC5665
005533F3 |. 8BC6 MOV EAX, ESI
005533F5 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
005533F8 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
005533FA |. E8 CDF9FFFF CALL <Arial_CD.sub_552DCC>
005533FF |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00553402 |. 50 PUSH EAX
00553403 |. 8B4424 1C MOV EAX, DWORD PTR SS:[ESP+0x1C]
00553407 |. 50 PUSH EAX
00553408 |. 6A 06 PUSH 0x6
0055340A |. 68 442229F4 PUSH 0xF4292244
0055340F |. 8BC3 MOV EAX, EBX
00553411 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00553413 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00553415 |. E8 E6F9FFFF CALL <Arial_CD.sub_552E00>
0055341A |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
0055341C |. 50 PUSH EAX
0055341D |. 8B4424 38 MOV EAX, DWORD PTR SS:[ESP+0x38]
00553421 |. 50 PUSH EAX
00553422 |. 6A 0A PUSH 0xA
00553424 |. 68 97FF2A43 PUSH 0x432AFF97
00553429 |. 8BC5 MOV EAX, EBP
0055342B |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
0055342D |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
0055342F |. E8 CCF9FFFF CALL <Arial_CD.sub_552E00>
00553434 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00553436 |. 50 PUSH EAX
00553437 |. 8B4424 54 MOV EAX, DWORD PTR SS:[ESP+0x54]
0055343B |. 50 PUSH EAX
0055343C |. 6A 0F PUSH 0xF
0055343E |. 68 A72394AB PUSH 0xAB9423A7
00553443 |. 8BC7 MOV EAX, EDI
00553445 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00553447 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
0055344A |. E8 B1F9FFFF CALL <Arial_CD.sub_552E00>
0055344F |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00553451 |. 50 PUSH EAX
00553452 |. 8B4424 30 MOV EAX, DWORD PTR SS:[ESP+0x30]
00553456 |. 50 PUSH EAX
00553457 |. 6A 15 PUSH 0x15
00553459 |. 68 39A093FC PUSH 0xFC93A039
0055345E |. 8BC6 MOV EAX, ESI
00553460 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
00553463 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
00553465 |. E8 96F9FFFF CALL <Arial_CD.sub_552E00>
0055346A |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
0055346D |. 50 PUSH EAX
0055346E |. 8B4424 4C MOV EAX, DWORD PTR SS:[ESP+0x4C]
00553472 |. 50 PUSH EAX
00553473 |. 6A 06 PUSH 0x6
00553475 |. 68 C3595B65 PUSH 0x655B59C3
0055347A |. 8BC3 MOV EAX, EBX
0055347C |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
0055347E |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00553480 |. E8 7BF9FFFF CALL <Arial_CD.sub_552E00>
00553485 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
00553487 |. 50 PUSH EAX
00553488 |. 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+0x28]
0055348C |. 50 PUSH EAX
0055348D |. 6A 0A PUSH 0xA
0055348F |. 68 92CC0C8F PUSH 0x8F0CCC92
00553494 |. 8BC5 MOV EAX, EBP
00553496 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00553498 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
0055349A |. E8 61F9FFFF CALL <Arial_CD.sub_552E00>
0055349F |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
005534A1 |. 50 PUSH EAX
005534A2 |. 8B4424 44 MOV EAX, DWORD PTR SS:[ESP+0x44]
005534A6 |. 50 PUSH EAX
005534A7 |. 6A 0F PUSH 0xF
005534A9 |. 68 7DF4EFFF PUSH 0xFFEFF47D
005534AE |. 8BC7 MOV EAX, EDI
005534B0 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
005534B2 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
005534B5 |. E8 46F9FFFF CALL <Arial_CD.sub_552E00>
005534BA |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
005534BC |. 50 PUSH EAX
005534BD |. 8B4424 20 MOV EAX, DWORD PTR SS:[ESP+0x20]
005534C1 |. 50 PUSH EAX
005534C2 |. 6A 15 PUSH 0x15
005534C4 |. 68 D15D8485 PUSH 0x85845DD1
005534C9 |. 8BC6 MOV EAX, ESI
005534CB |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
005534CE |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
005534D0 |. E8 2BF9FFFF CALL <Arial_CD.sub_552E00>
005534D5 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
005534D8 |. 50 PUSH EAX
005534D9 |. 8B4424 3C MOV EAX, DWORD PTR SS:[ESP+0x3C]
005534DD |. 50 PUSH EAX
005534DE |. 6A 06 PUSH 0x6
005534E0 |. 68 4F7EA86F PUSH 0x6FA87E4F
005534E5 |. 8BC3 MOV EAX, EBX
005534E7 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
005534E9 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
005534EB |. E8 10F9FFFF CALL <Arial_CD.sub_552E00>
005534F0 |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
005534F2 |. 50 PUSH EAX
005534F3 |. 8B4424 58 MOV EAX, DWORD PTR SS:[ESP+0x58]
005534F7 |. 50 PUSH EAX
005534F8 |. 6A 0A PUSH 0xA
005534FA |. 68 E0E62CFE PUSH 0xFE2CE6E0
005534FF |. 8BC5 MOV EAX, EBP
00553501 |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
00553503 |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00553505 |. E8 F6F8FFFF CALL <Arial_CD.sub_552E00>
0055350A |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
0055350C |. 50 PUSH EAX
0055350D |. 8B4424 34 MOV EAX, DWORD PTR SS:[ESP+0x34]
00553511 |. 50 PUSH EAX
00553512 |. 6A 0F PUSH 0xF
00553514 |. 68 144301A3 PUSH 0xA3014314
00553519 |. 8BC7 MOV EAX, EDI
0055351B |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
0055351D |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
00553520 |. E8 DBF8FFFF CALL <Arial_CD.sub_552E00>
00553525 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00553527 |. 50 PUSH EAX
00553528 |. 8B4424 50 MOV EAX, DWORD PTR SS:[ESP+0x50]
0055352C |. 50 PUSH EAX
0055352D |. 6A 15 PUSH 0x15
0055352F |. 68 A111084E PUSH 0x4E0811A1
00553534 |. 8BC6 MOV EAX, ESI
00553536 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
00553539 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
0055353B |. E8 C0F8FFFF CALL <Arial_CD.sub_552E00>
00553540 |. 8B45 00 MOV EAX, DWORD PTR SS:[EBP]
00553543 |. 50 PUSH EAX
00553544 |. 8B4424 2C MOV EAX, DWORD PTR SS:[ESP+0x2C]
00553548 |. 50 PUSH EAX
00553549 |. 6A 06 PUSH 0x6
0055354B |. 68 827E53F7 PUSH 0xF7537E82
00553550 |. 8BC3 MOV EAX, EBX
00553552 |. 8B0F MOV ECX, DWORD PTR DS:[EDI]
00553554 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
00553556 |. E8 A5F8FFFF CALL <Arial_CD.sub_552E00>
0055355B |. 8B07 MOV EAX, DWORD PTR DS:[EDI]
0055355D |. 50 PUSH EAX
0055355E |. 8B4424 48 MOV EAX, DWORD PTR SS:[ESP+0x48]
00553562 |. 50 PUSH EAX
00553563 |. 6A 0A PUSH 0xA
00553565 |. 68 35F23ABD PUSH 0xBD3AF235
0055356A |. 8BC5 MOV EAX, EBP
0055356C |. 8B0E MOV ECX, DWORD PTR DS:[ESI]
0055356E |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
00553570 |. E8 8BF8FFFF CALL <Arial_CD.sub_552E00>
00553575 |. 8B06 MOV EAX, DWORD PTR DS:[ESI]
00553577 |. 50 PUSH EAX
00553578 |. 8B4424 24 MOV EAX, DWORD PTR SS:[ESP+0x24]
0055357C |. 50 PUSH EAX
0055357D |. 6A 0F PUSH 0xF
0055357F |. 68 BBD2D72A PUSH 0x2AD7D2BB
00553584 |. 8BC7 MOV EAX, EDI
00553586 |. 8B0B MOV ECX, DWORD PTR DS:[EBX]
00553588 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
0055358B |. E8 70F8FFFF CALL <Arial_CD.sub_552E00>
00553590 |. 8B03 MOV EAX, DWORD PTR DS:[EBX]
00553592 |. 50 PUSH EAX
00553593 |. 8B4424 40 MOV EAX, DWORD PTR SS:[ESP+0x40]
00553597 |. 50 PUSH EAX
00553598 |. 6A 15 PUSH 0x15
0055359A |. 68 91D386EB PUSH 0xEB86D391
0055359F |. 8BC6 MOV EAX, ESI
005535A1 |. 8B4D 00 MOV ECX, DWORD PTR SS:[EBP]
005535A4 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
005535A6 |. E8 55F8FFFF CALL <Arial_CD.sub_552E00>
005535AB |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
005535AF |. 8B13 MOV EDX, DWORD PTR DS:[EBX]
005535B1 |. 0110 ADD DWORD PTR DS:[EAX], EDX ; //更新4个常量A, B, C, D
005535B3 |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
005535B7 |. 8B16 MOV EDX, DWORD PTR DS:[ESI]
005535B9 |. 0150 04 ADD DWORD PTR DS:[EAX+0x4], EDX
005535BC |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
005535C0 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
005535C2 |. 0150 08 ADD DWORD PTR DS:[EAX+0x8], EDX
005535C5 |. 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+0x4]
005535C9 |. 8B55 00 MOV EDX, DWORD PTR SS:[EBP]
005535CC |. 0150 0C ADD DWORD PTR DS:[EAX+0xC], EDX
005535CF |. 83C4 58 ADD ESP, 0x58
005535D2 |. 5D POP EBP
005535D3 |. 5F POP EDI
005535D4 |. 5E POP ESI
005535D5 |. 5B POP EBX
005535D6 \\. C3 RETN

第一次四轮运算完,数据位:
0012F838 0F 3D F5 B8 96 F1 32 42 04 54 40 85 FE 5C 39 70 =醺栺2B[email protected]咡\\9p

由于没有下一个512位的数据,所以就运算完成了。
然后对生成的16字节ABCD数据处理:
00553774 >/$ 55 PUSH EBP ; sub_553774
00553775 |. 8BEC MOV EBP, ESP
00553777 |. 83C4 E8 ADD ESP, -0x18
0055377A |. 53 PUSH EBX
0055377B |. 56 PUSH ESI
0055377C |. 57 PUSH EDI
0055377D |. 33C9 XOR ECX, ECX
0055377F |. 894D EC MOV [LOCAL.5], ECX
00553782 |. 894D E8 MOV [LOCAL.6], ECX
00553785 |. 8BF0 MOV ESI, EAX
00553787 |. 8D7D F0 LEA EDI, [LOCAL.4]
0055378A |. A5 MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0055378B |. A5 MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0055378C |. A5 MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0055378D |. A5 MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0055378E |. 8BFA MOV EDI, EDX
00553790 |. 33C0 XOR EAX, EAX
00553792 |. 55 PUSH EBP
00553793 |. 68 0F385500 PUSH <Arial_CD.loc_55380F>
00553798 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0055379B |. 64:8920 MOV DWORD PTR FS:[EAX], ESP
0055379E |. 8BC7 MOV EAX, EDI
005537A0 |. E8 8715EBFF CALL <Arial_CD.System::__linkproc__ LStrClr(void *)>
005537A5 |. B3 10 MOV BL, 0x10
005537A7 |. 8D75 F0 LEA ESI, [LOCAL.4]
005537AA >|> FF37 /PUSH DWORD PTR DS:[EDI] ; loc_5537AA
005537AC |. 8D45 EC |LEA EAX, [LOCAL.5]
005537AF |. 33D2 |XOR EDX, EDX
005537B1 |. 8A16 |MOV DL, BYTE PTR DS:[ESI]
005537B3 |. C1EA 04 |SHR EDX, 0x4
005537B6 |. 83E2 0F |AND EDX, 0xF
005537B9 |. 8A92 D42D5700 |MOV DL, BYTE PTR DS:[EDX+<byte_572DD4>] ; //查表
005537BF |. E8 5017EBFF |CALL <Arial_CD.unknown_libname_85>
005537C4 |. FF75 EC |PUSH [LOCAL.5]
005537C7 |. 8D45 E8 |LEA EAX, [LOCAL.6]
005537CA |. 8A16 |MOV DL, BYTE PTR DS:[ESI]
005537CC |. 80E2 0F |AND DL, 0xF
005537CF |. 81E2 FF000000 |AND EDX, 0xFF
005537D5 |. 8A92 D42D5700 |MOV DL, BYTE PTR DS:[EDX+<byte_572DD4>] ; //查表
005537DB |. E8 3417EBFF |CALL <Arial_CD.unknown_libname_85>
005537E0 |. FF75 E8 |PUSH [LOCAL.6]
005537E3 |. 8BC7 |MOV EAX, EDI
005537E5 |. BA 03000000 |MOV EDX, 0x3
005537EA |. E8 BD18EBFF |CALL <Arial_CD.System::__linkproc__ LStrCatN(void)>
005537EF |. 46 |INC ESI
005537F0 |. FECB |DEC BL
005537F2 |.^ 75 B6 \\JNZ SHORT <Arial_CD.loc_5537AA>
005537F4 |. 33C0 XOR EAX, EAX
005537F6 |. 5A POP EDX
005537F7 |. 59 POP ECX
005537F8 |. 59 POP ECX
005537F9 |. 64:8910 MOV DWORD PTR FS:[EAX], EDX
005537FC |. 68 16385500 PUSH <Arial_CD.loc_553816>
00553801 >|> 8D45 E8 LEA EAX, [LOCAL.6] ; loc_553801
00553804 |. BA 02000000 MOV EDX, 0x2
00553809 |. E8 4215EBFF CALL <Arial_CD.System::__linkproc__ LStrArrayClr(void *,int)>
0055380E \\. C3 RETN

MD5处理前: 0F3DF5B896F1324204544085FE5C3970
MD5处理后: 0f3df5b896f1324204544085fe5c3970
最后使用处理完的MD5值跟输入的注册码比较,相等返回1注册成功,否则返回0注册失败:
0056FA28 |. 8B55 F4 MOV EDX, [LOCAL.3] ; //md5值
0056FA2B |. 8B45 F8 MOV EAX, [LOCAL.2] ; //注册码
0056FA2E |. E8 0557E9FF CALL <Arial_CD.System::__linkproc__ LStrCmp(void)>
0056FA33 |. 75 02 JNZ SHORT <Arial_CD.loc_56FA37>
0056FA35 |. B3 01 MOV BL, 0x1 ; //否则返回1
0056FA37 >|> 33C0 XOR EAX, EAX ; //不相等返回0
0056FA39 |. 5A POP EDX
0056FA3A |. 59 POP ECX
0056FA3B |. 59 POP ECX
0056FA3C |. 64:8910 MOV DWORD PTR FS:[EAX], EDX
0056FA3F |. 68 59FA5600 PUSH <Arial_CD.loc_56FA59>
0056FA44 >|> 8D45 F4 LEA EAX, [LOCAL.3] ; loc_56FA44
0056FA47 |. BA 03000000 MOV EDX, 0x3
0056FA4C |. E8 FF52E9FF CALL <Arial_CD.System::__linkproc__ LStrArrayClr(void *,int)>
0056FA51 \\. C3 RETN
0056FA52 > .^ E9 194CE9FF JMP <Arial_CD.unknown_libname_74> ; loc_56FA52
0056FA57 .^ EB EB JMP SHORT <Arial_CD.loc_56FA44>
0056FA59 > . 8BC3 MOV EAX, EBX ; //这里返回值置1
0056FA5B . 5B POP EBX
0056FA5C . 8BE5 MOV ESP, EBP
0056FA5E . 5D POP EBP
0056FA5F . C3 RETN
------------------------------------------------------------------------
【破解总结】软件使用标准MD5算法计算输入的用户名,然后将其中的字母转成小写,最后跟输入的注册码作比较,如果相等则注册成功,否则注册失败。

所以可以使用标准的MD5算法注册机实现对该软件的注册。

软件的注册信息保存在注册表:HKEY_CURRENT_USER\\Software\\Arial CD Ripper username键值
以及根目录下的AudioConverter.ini,[general]保存着用户名的md5值
当程序启动时,会读取注册表中的用户名,再次计算MD5值与AudioConverter.ini中保存的MD5值做比较
相等直接为注册版,否则为非注册版。
------------------------------------------------------------------------
【版权声明】无

以上是关于[MD5算法练习] Arial CD Ripper 1.9.8算法分析的主要内容,如果未能解决你的问题,请参考以下文章

Linux 第23天: 练习和作业

超好用弱口令扫描工具John the Ripper 图解使用教程

MD5的学习与练习

JS加密算法练习

歌曲格式转换

python ghdb_ripper.py