Marine Aquarium v2.6 (Aquarium Screensaver) - Simple Analysis
It is a screensaver program: rename the extension from .SCR to .EXE, then load it into OD and you can debug it.
Ctrl+N, find GetDlgItemTextA, set breakpoints on all of its references, and the analysis leads to the code at the addresses below:
00427484|.6A 20 PUSH 20 ; /Count = 20 (32.)
00427486|.68 74CA4500 PUSH MA2_6.0045CA74 ; |Buffer = MA2_6.0045CA74
0042748B|.68 92000000 PUSH 92 ; |ControlID = 92 (146.)
00427490|.50 PUSH EAX ; |hWnd => 00080DEC (class='SereneDlgClass',parent=007100A2)
00427491|.894424 28 MOV DWORD PTR SS:[ESP+28],EAX ; |
00427495|.C605 88F64500>MOV BYTE PTR DS:[45F688],0 ; |
0042749C|.FF15 1CA34400 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>] ; \get the registration code
004274A2|.8A0D 74CA4500 MOV CL,BYTE PTR DS:[45CA74] ;first character into CL
004274A8|.B8 74CA4500 MOV EAX,MA2_6.0045CA74 ;input code into EAX
004274AD|.33F6 XOR ESI,ESI
004274AF|.8BD0 MOV EDX,EAX ;input code into EDX as well
004274B1|.84C9 TEST CL,CL ;was a registration code entered?
004274B3|.74 40 JE SHORT MA2_6.004274F5 ;empty, jump away
004274B5|>8038 30 /CMP BYTE PTR DS:[EAX],30 ;is the current character '0'?
004274B8|.75 03 |JNZ SHORT MA2_6.004274BD ;jump if not
004274BA|.C600 6F |MOV BYTE PTR DS:[EAX],6F ;6F is 'o'
004274BD|>8038 31 |CMP BYTE PTR DS:[EAX],31 ;is the current character '1'?
004274C0|.75 03 |JNZ SHORT MA2_6.004274C5 ;jump if not
004274C2|.C600 6C |MOV BYTE PTR DS:[EAX],6C ;6C is 'l'
004274C5|>8A08 |MOV CL,BYTE PTR DS:[EAX] ;current character into CL
004274C7|.80F9 61 |CMP CL,61 ;is it 'a'?
004274CA|.7C 05 |JL SHORT MA2_6.004274D1 ;jump if less
004274CC|.80F9 7A |CMP CL,7A ;is it 'z'?
004274CF|.7E 14 |JLE SHORT MA2_6.004274E5 ;jump if less or equal
004274D1|>80F9 41 |CMP CL,41 ;is it 'A'?
004274D4|.7C 05 |JL SHORT MA2_6.004274DB ;jump if less
004274D6|.80F9 5A |CMP CL,5A ;is it 'Z'?
004274D9|.7E 0A |JLE SHORT MA2_6.004274E5 ;jump if less or equal
004274DB|>80F9 32 |CMP CL,32 ;is it '2'?
004274DE|.7C 0D |JL SHORT MA2_6.004274ED ;jump if less
004274E0|.80F9 37 |CMP CL,37 ;is it '7'?
004274E3|.7F 08 |JG SHORT MA2_6.004274ED ;jump if greater
004274E5|>46 |INC ESI ;ESI is the counter, ESI++
004274E6|.3BD0 |CMP EDX,EAX
004274E8|.74 02 |JE SHORT MA2_6.004274EC
004274EA|.880A |MOV BYTE PTR DS:[EDX],CL
004274EC|>42 |INC EDX ;EDX++
004274ED|>8A48 01 |MOV CL,BYTE PTR DS:[EAX+1] ;next character into CL
004274F0|.40 |INC EAX ;EAX++
004274F1|.84C9 |TEST CL,CL ;all checked?
004274F3|.^ 75 C0 \JNZ SHORT MA2_6.004274B5 ;if not, keep looping
004274F5|>83FE 14 CMP ESI,14 ;were 20 characters entered?
004274F8|.C602 00 MOV BYTE PTR DS:[EDX],0
004274FB|.0F85 6C050000 JNZ MA2_6.00427A6D ;registration code shorter than 20 characters => OVER
00427501|.BF 74CA4500 MOV EDI,MA2_6.0045CA74 ;input code into EDI
00427506|.BA 88F54500 MOV EDX,MA2_6.0045F588 ;ASCII "1101010110"
0042750B|.8BEF MOV EBP,EDI ;input code into EBP
0042750D|.C74424 14 000>MOV DWORD PTR SS:[ESP+14],0
00427515|>8A07 /MOV AL,BYTE PTR DS:[EDI] ;current character into AL
00427517|.3C 61 |CMP AL,61 ;is it 'a'?
00427519|.72 08 |JB SHORT MA2_6.00427523 ;jump if below
0042751B|.3C 7A |CMP AL,7A ;is it 'z'?
0042751D|.77 04 |JA SHORT MA2_6.00427523 ;jump if above
0042751F|.2C 5B |SUB AL,5B ;current character - 5B
00427521|.EB 1E |JMP SHORT MA2_6.00427541
00427523|>3C 41 |CMP AL,41
00427525|.72 08 |JB SHORT MA2_6.0042752F
00427527|.3C 5A |CMP AL,5A
00427529|.77 04 |JA SHORT MA2_6.0042752F
0042752B|.2C 3B |SUB AL,3B
0042752D|.EB 12 |JMP SHORT MA2_6.00427541
0042752F|>3C 32 |CMP AL,32 ;Switch (cases 32..37)
00427531|.0F82 36050000 |JB MA2_6.00427A6D
00427537|.3C 37 |CMP AL,37
00427539|.0F87 2E050000 |JA MA2_6.00427A6D
0042753F|.2C 32 |SUB AL,32 ;Cases 32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7') of switch 0042752F
00427541|>B1 10 |MOV CL,10
00427543|.BE 05000000 |MOV ESI,5
00427548|>84C8 |/TEST AL,CL
0042754A|.0F95C3 ||SETNE BL
0042754D|.83C3 30 ||ADD EBX,30
00427550|.881A ||MOV BYTE PTR DS:[EDX],BL
00427552|.42 ||INC EDX
00427553|.D0E9 ||SHR CL,1
00427555|.4E ||DEC ESI
00427556|.^ 75 F0 |\JNZ SHORT MA2_6.00427548
00427558|.8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
0042755C|.40 |INC EAX
0042755D|.47 |INC EDI
0042755E|.83F8 14 |CMP EAX,14
00427561|.894424 14 |MOV DWORD PTR SS:[ESP+14],EAX
00427565|.^ 7C AE \JL SHORT MA2_6.00427515
00427567|.B9 05000000 MOV ECX,5
0042756C|>8A45 00 /MOV AL,BYTE PTR SS:[EBP] ;convert the first 5 characters to uppercase
0042756F|.3C 61 |CMP AL,61
00427571|.7C 06 |JL SHORT MA2_6.00427579
00427573|.3C 7A |CMP AL,7A
00427575|.7F 02 |JG SHORT MA2_6.00427579
00427577|.2C 20 |SUB AL,20
00427579|>8802 |MOV BYTE PTR DS:[EDX],AL
0042757B|.42 |INC EDX
0042757C|.45 |INC EBP
0042757D|.49 |DEC ECX
0042757E|.^ 75 EC \JNZ SHORT MA2_6.0042756C ;loop
00427580|.C602 00 MOV BYTE PTR DS:[EDX],0
00427583|.33DB XOR EBX,EBX
00427585|.33D2 XOR EDX,EDX
00427587|.BD 503F4500 MOV EBP,MA2_6.00453F50
0042758C|.33C9 XOR ECX,ECX
0042758E|.BF 01000000 MOV EDI,1
00427593|>8A81 ECF54500 /MOV AL,BYTE PTR DS:[ECX+45F5EC]
00427599|.85C9 |TEST ECX,ECX
0042759B|.75 0A |JNZ SHORT MA2_6.004275A7
0042759D|.3C 63 |CMP AL,63 ;is it 'c'?
0042759F|.74 3F |JE SHORT MA2_6.004275E0
004275A1|.3C 43 |CMP AL,43 ;is it 'C'?
004275A3|.75 3C |JNZ SHORT MA2_6.004275E1
004275A5|.EB 39 |JMP SHORT MA2_6.004275E0
004275A7|>83F9 02 |CMP ECX,2
004275AA|.75 0A |JNZ SHORT MA2_6.004275B6
004275AC|.3C 72 |CMP AL,72 ;is it 'r'?
004275AE|.74 30 |JE SHORT MA2_6.004275E0
004275B0|.3C 52 |CMP AL,52 ;is it 'R'?
004275B2|.75 2D |JNZ SHORT MA2_6.004275E1
004275B4|.EB 2A |JMP SHORT MA2_6.004275E0
004275B6|>83F9 04 |CMP ECX,4
004275B9|.75 0A |JNZ SHORT MA2_6.004275C5
004275BB|.3C 6B |CMP AL,6B ;is it 'k'?
004275BD|.74 21 |JE SHORT MA2_6.004275E0
004275BF|.3C 4B |CMP AL,4B ;is it 'K'?
004275C1|.75 1E |JNZ SHORT MA2_6.004275E1
004275C3|.EB 1B |JMP SHORT MA2_6.004275E0
004275C5|>3BCF |CMP ECX,EDI
004275C7|.75 0A |JNZ SHORT MA2_6.004275D3
004275C9|.3C 6F |CMP AL,6F ;is it 'o'?
004275CB|.74 13 |JE SHORT MA2_6.004275E0
004275CD|.3C 4F |CMP AL,4F ;is it 'O'?
004275CF|.75 10 |JNZ SHORT MA2_6.004275E1
004275D1|.EB 0D |JMP SHORT MA2_6.004275E0
004275D3|>83F9 03 |CMP ECX,3
004275D6|.75 09 |JNZ SHORT MA2_6.004275E1
004275D8|.3C 65 |CMP AL,65 ;is it 'e'?
004275DA|.74 04 |JE SHORT MA2_6.004275E0
004275DC|.3C 45 |CMP AL,45 ;is it 'E'?
004275DE|.75 01 |JNZ SHORT MA2_6.004275E1
004275E0|>42 |INC EDX
004275E1|>41 |INC ECX
004275E2|.83F9 05 |CMP ECX,5
004275E5|.^ 7C AC \JL SHORT MA2_6.00427593
004275E7|.83FA 05 CMP EDX,5
004275EA|.0F85 25010000 JNZ MA2_6.00427715 ;key jump: if it jumps, fail
At 004275EA it no longer matters whether the jump is taken or not. The analysis shows that the registration code is 20 characters: as long as the first 5 characters are COREK, the remaining 15 are arbitrary, but they must not be space characters, and registration succeeds.
Here is a registration code: COREKxxxxxxxxxxxxxxx
File download. Heh, nothing technical here, just posting to earn a few points.
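The check traced in the listing, re-expressed in Python so the three stages can be read without the jump targets. This is an added example, not code from the post or from the screensaver; the addresses in the comments refer to the OllyDbg listing above, while the function and buffer names are my own labels.

```python
# Added example: the registration check from the listing, re-expressed in Python.
# Addresses refer to the OllyDbg listing above; names are my own labels.

MAX_INPUT = 31  # GetDlgItemTextA is called with Count = 0x20, so at most 31 chars + NUL


def normalize(raw: str) -> str:
    """Loop at 004274B5..004274F3: '0' becomes 'o', '1' becomes 'l', then only
    a-z, A-Z and 2-7 are kept; everything else (spaces, 8, 9, punctuation) is
    dropped and the string is compacted in place (ESI counts the kept chars)."""
    kept = []
    for ch in raw[:MAX_INPUT]:
        if ch == "0":
            ch = "o"          # MOV BYTE PTR [EAX],6F
        elif ch == "1":
            ch = "l"          # MOV BYTE PTR [EAX],6C
        if "a" <= ch <= "z" or "A" <= ch <= "Z" or "2" <= ch <= "7":
            kept.append(ch)   # MOV BYTE PTR [EDX],CL ; INC EDX
    return "".join(kept)


def char_to_5bits(ch: str) -> str:
    """One iteration of the loop at 00427515: map the character to a 5-bit value
    ('2'..'7' -> 0..5, a-z and A-Z -> 6..31) and emit it MSB first as '0'/'1'
    characters, as the TEST AL,CL / SETNE BL loop does with CL starting at 0x10."""
    o = ord(ch)
    if 0x61 <= o <= 0x7A:
        value = o - 0x5B      # SUB AL,5B
    elif 0x41 <= o <= 0x5A:
        value = o - 0x3B      # SUB AL,3B
    elif 0x32 <= o <= 0x37:
        value = o - 0x32      # SUB AL,32
    else:
        raise ValueError("character outside the accepted alphabet")  # JB/JA to 00427A6D
    return "".join("1" if value & mask else "0" for mask in (0x10, 0x08, 0x04, 0x02, 0x01))


def key_to_bits(key: str) -> str:
    """The 100-character '0'/'1' string written at 0045F588 (20 chars x 5 bits)."""
    return "".join(char_to_5bits(ch) for ch in key)


def check_key(raw: str) -> bool:
    """Full check: length after normalisation (CMP ESI,14), bit expansion,
    uppercase copy of the first five characters (loop at 0042756C), and the
    position-by-position comparison against C,O,R,E,K at 00427593..004275EA."""
    key = normalize(raw)
    if len(key) != 20:
        return False                       # JNZ 00427A6D at 004274FB
    bits = key_to_bits(key)                # computed here, but never read by the compare below
    assert len(bits) == 100
    head = key[:5].upper()                 # SUB AL,20 applied to a-z only; key is ASCII here
    return head == "COREK"                 # EDX must reach 5 at 004275E7


if __name__ == "__main__":
    # Constructed sample inputs: the code from the post, a variant using the
    # '0' -> 'o' substitution, and one that is a character short.
    for candidate in ("COREK" + "x" * 15, "c0rek" + "x" * 15, "COREK" + "x" * 14):
        print(f"{candidate!r}: {check_key(candidate)}")
```

Two things the listing shows that are easier to see in this form: the 100-bit expansion is written to 0045F588 and then, within the code shown here, never consulted by the comparison loop, which is why only the five-character prefix decides the outcome; and because the first loop strips characters outside a-z, A-Z, 2-7 (after mapping 0 and 1) before counting, the length test is on kept characters, not typed ones.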
[ This post was last edited by RegKiller on 2006-12-31 18:51 ]
Brother, you are too modest. Learned something; happy new year!
Happy New Year's Day~~
Learned something~~
Still able to follow it.
Wahaha~! Learned something, nice article and a nice screensaver too. Happy New Year. :lol:
/:D Learned something, will download it and try it out.
Downloading the screensaver to try it; nice crack write-up, detailed analysis, learned something :)
Good analysis, learned something.
Nice software, and the OP's algorithm analysis is even better ;P