Simple analysis of the 驱动精灵2005 (Driver Genius 2005) algorithm (for beginners)
【Title】Simple analysis of the 驱动精灵2005 algorithm
【Author】surge
【Author email】[email protected]
【Author homepage】www.chinapyg.com
【Tools】OllyDbg, IDA
【Platform】XP SP2
【Software name】驱动精灵2005 Simplified Chinese Professional Edition, Version 3.11 (Build 2600)
【Original download】http://www.softreg.com.cn/shareware_view.asp?id=/2D69A406-6C14-4F9A-997A-C220DFF50EF3/
【Protection】Serial number, plaintext comparison.
【Software description】Provides driver backup, restore, install, removal and online update functions.
------------------------------------------------------------------------
Generate a MAP file with IDA, load the program in OD, and use the loadmap plugin to load the generated MAP file.
The key location is as follows:
You can see that it tests for a number of sensitive usernames, so the author evidently knows something about cracking groups and certain crackers.
0049DA1C .55 push ebp
0049DA1D .8BEC mov ebp, esp
0049DA1F .B9 14000000 mov ecx, 14
0049DA24 >6A 00 push 0
0049DA26 .6A 00 push 0
0049DA28 .49 dec ecx
0049DA29 .^ 75 F9 jnz short 0049DA24
0049DA2B .53 push ebx
0049DA2C .56 push esi
0049DA2D .57 push edi
0049DA2E .8945 FC mov dword ptr ss:, eax
0049DA31 .33C0 xor eax, eax
0049DA33 .55 push ebp
0049DA34 .68 23E14900 push 0049E123
0049DA39 .64:FF30 push dword ptr fs:
0049DA3C .64:8920 mov dword ptr fs:, esp
0049DA3F .8D55 E4 lea edx, dword ptr ss:
0049DA42 .8B45 FC mov eax, dword ptr ss:
0049DA45 .8B80 00030000 mov eax, dword ptr ds:
0049DA4B .E8 4C5BFAFF call <@TControl@GetText$qqrv> ;get the username
0049DA50 .8B45 E4 mov eax, dword ptr ss:
0049DA53 .E8 2074F6FF call <@System@_16823> ;compute the length
0049DA58 .05 AE080000 add eax, 8AE ;username length plus 0x8AE (2222 decimal); this result is used below
0049DA5D .8D55 E8 lea edx, dword ptr ss:
0049DA60 .E8 87B9F6FF call <@Sysutils@IntToStr$qqri>
0049DA65 .8D55 E0 lea edx, dword ptr ss:
0049DA68 .8B45 FC mov eax, dword ptr ss:
0049DA6B .8B80 00030000 mov eax, dword ptr ds:
0049DA71 .E8 265BFAFF call <@TControl@GetText$qqrv>
0049DA76 .8B45 E0 mov eax, dword ptr ss:
0049DA79 .BA 3CE14900 mov edx, 0049E13C ;distinct
0049DA7E .E8 3975F6FF call <@System@@LStrCmp$qqrv>
0049DA83 .0F84 BF050000 je 0049E048
0049DA89 .8D55 DC lea edx, dword ptr ss:
0049DA8C .8B45 FC mov eax, dword ptr ss:
0049DA8F .8B80 00030000 mov eax, dword ptr ds:
0049DA95 .E8 025BFAFF call <@TControl@GetText$qqrv>
0049DA9A .8B45 DC mov eax, dword ptr ss:
0049DA9D .BA 50E14900 mov edx, 0049E150 ;team insane
0049DAA2 .E8 1575F6FF call <@System@@LStrCmp$qqrv>
0049DAA7 .0F84 9B050000 je 0049E048
0049DAAD .8D55 D8 lea edx, dword ptr ss:
0049DAB0 .8B45 FC mov eax, dword ptr ss:
0049DAB3 .8B80 00030000 mov eax, dword ptr ds:
0049DAB9 .E8 DE5AFAFF call <@TControl@GetText$qqrv>
0049DABE .8B45 D8 mov eax, dword ptr ss:
0049DAC1 .BA 64E14900 mov edx, 0049E164 ;tnt!2000
0049DAC6 .E8 F174F6FF call <@System@@LStrCmp$qqrv>
0049DACB .0F84 77050000 je 0049E048
0049DAD1 .8D55 D4 lea edx, dword ptr ss:
0049DAD4 .8B45 FC mov eax, dword ptr ss:
0049DAD7 .8B80 00030000 mov eax, dword ptr ds:
0049DADD .E8 BA5AFAFF call <@TControl@GetText$qqrv>
0049DAE2 .8B45 D4 mov eax, dword ptr ss:
0049DAE5 .BA 78E14900 mov edx, 0049E178 ;-=demian/tnt!=-
0049DAEA .E8 CD74F6FF call <@System@@LStrCmp$qqrv>
0049DAEF .0F84 53050000 je 0049E048
0049DAF5 .8D55 D0 lea edx, dword ptr ss:
0049DAF8 .8B45 FC mov eax, dword ptr ss:
0049DAFB .8B80 00030000 mov eax, dword ptr ds:
0049DB01 .E8 965AFAFF call <@TControl@GetText$qqrv>
0049DB06 .8B45 D0 mov eax, dword ptr ss:
0049DB09 .BA 90E14900 mov edx, 0049E190 ;-=demian/tnt!=-
0049DB0E .E8 A974F6FF call <@System@@LStrCmp$qqrv>
0049DB13 .0F84 2F050000 je 0049E048
0049DB19 .8D55 CC lea edx, dword ptr ss:
0049DB1C .8B45 FC mov eax, dword ptr ss:
0049DB1F .8B80 00030000 mov eax, dword ptr ds:
0049DB25 .E8 725AFAFF call <@TControl@GetText$qqrv>
0049DB2A .8B45 CC mov eax, dword ptr ss:
0049DB2D .BA ACE14900 mov edx, 0049E1AC ;北极熊
0049DB32 .E8 8574F6FF call <@System@@LStrCmp$qqrv>
0049DB37 .0F84 0B050000 je 0049E048
0049DB3D .8D55 C8 lea edx, dword ptr ss:
0049DB40 .8B45 FC mov eax, dword ptr ss:
0049DB43 .8B80 00030000 mov eax, dword ptr ds:
0049DB49 .E8 4E5AFAFF call <@TControl@GetText$qqrv>
0049DB4E .8B45 C8 mov eax, dword ptr ss:
0049DB51 .BA BCE14900 mov edx, 0049E1BC ;tsrh team
0049DB56 .E8 6174F6FF call <@System@@LStrCmp$qqrv>
0049DB5B .0F84 E7040000 je 0049E048
0049DB61 .8D55 C4 lea edx, dword ptr ss:
0049DB64 .8B45 FC mov eax, dword ptr ss:
0049DB67 .8B80 00030000 mov eax, dword ptr ds:
0049DB6D .E8 2A5AFAFF call <@TControl@GetText$qqrv>
0049DB72 .8B45 C4 mov eax, dword ptr ss:
0049DB75 .BA D0E14900 mov edx, 0049E1D0 ;ttdown
0049DB7A .E8 3D74F6FF call <@System@@LStrCmp$qqrv>
0049DB7F .0F84 C3040000 je 0049E048
0049DB85 .8D55 C0 lea edx, dword ptr ss:
0049DB88 .8B45 FC mov eax, dword ptr ss:
0049DB8B .8B80 00030000 mov eax, dword ptr ds:
0049DB91 .E8 065AFAFF call <@TControl@GetText$qqrv>
0049DB96 .8B45 C0 mov eax, dword ptr ss:
0049DB99 .BA E0E14900 mov edx, 0049E1E0 ;tmg
0049DB9E .E8 1974F6FF call <@System@@LStrCmp$qqrv>
0049DBA3 .0F84 9F040000 je 0049E048
0049DBA9 .8D55 BC lea edx, dword ptr ss:
0049DBAC .8B45 FC mov eax, dword ptr ss:
0049DBAF .8B80 00030000 mov eax, dword ptr ds:
0049DBB5 .E8 E259FAFF call <@TControl@GetText$qqrv>
0049DBBA .8B45 BC mov eax, dword ptr ss:
0049DBBD .BA ECE14900 mov edx, 0049E1EC ;gory
0049DBC2 .E8 F573F6FF call <@System@@LStrCmp$qqrv>
0049DBC7 .0F84 7B040000 je 0049E048
0049DBCD .8D55 B8 lea edx, dword ptr ss:
0049DBD0 .8B45 FC mov eax, dword ptr ss:
0049DBD3 .8B80 00030000 mov eax, dword ptr ds:
0049DBD9 .E8 BE59FAFF call <@TControl@GetText$qqrv>
0049DBDE .8B45 B8 mov eax, dword ptr ss:
0049DBE1 .BA FCE14900 mov edx, 0049E1FC ;masterpower
0049DBE6 .E8 D173F6FF call <@System@@LStrCmp$qqrv>
0049DBEB .0F84 57040000 je 0049E048
0049DBF1 .8D55 B4 lea edx, dword ptr ss:
0049DBF4 .8B45 FC mov eax, dword ptr ss:
0049DBF7 .8B80 00030000 mov eax, dword ptr ds:
0049DBFD .E8 9A59FAFF call <@TControl@GetText$qqrv>
0049DC02 .8B45 B4 mov eax, dword ptr ss:
0049DC05 .BA 10E24900 mov edx, 0049E210 ;snd team
0049DC0A .E8 AD73F6FF call <@System@@LStrCmp$qqrv>
0049DC0F .0F84 33040000 je 0049E048
0049DC15 .8D55 B0 lea edx, dword ptr ss:
0049DC18 .8B45 FC mov eax, dword ptr ss:
0049DC1B .8B80 00030000 mov eax, dword ptr ds:
0049DC21 .E8 7659FAFF call <@TControl@GetText$qqrv>
0049DC26 .8B55 B0 mov edx, dword ptr ss:
0049DC29 .B8 24E24900 mov eax, 0049E224 ;fff
0049DC2E .E8 8175F6FF call <@System@@LStrPos$qqrv>
0049DC33 .85C0 test eax, eax
0049DC35 .0F8F 0D040000 jg 0049E048
0049DC3B .8D55 AC lea edx, dword ptr ss:
0049DC3E .8B45 FC mov eax, dword ptr ss:
0049DC41 .8B80 00030000 mov eax, dword ptr ds:
0049DC47 .E8 5059FAFF call <@TControl@GetText$qqrv>
0049DC4C .8B55 AC mov edx, dword ptr ss:
0049DC4F .B8 30E24900 mov eax, 0049E230 ;cluster
0049DC54 .E8 5B75F6FF call <@System@@LStrPos$qqrv>
0049DC59 .85C0 test eax, eax
0049DC5B .0F8F E7030000 jg 0049E048
0049DC61 .8D55 A8 lea edx, dword ptr ss:
0049DC64 .8B45 FC mov eax, dword ptr ss:
0049DC67 .8B80 00030000 mov eax, dword ptr ds:
0049DC6D .E8 2A59FAFF call <@TControl@GetText$qqrv>
0049DC72 .8B55 A8 mov edx, dword ptr ss:
0049DC75 .B8 40E24900 mov eax, 0049E240 ;.com
0049DC7A .E8 3575F6FF call <@System@@LStrPos$qqrv>
0049DC7F .85C0 test eax, eax
0049DC81 .0F8F C1030000 jg 0049E048
0049DC87 .8D55 A4 lea edx, dword ptr ss:
0049DC8A .8B45 FC mov eax, dword ptr ss:
0049DC8D .8B80 00030000 mov eax, dword ptr ds:
0049DC93 .E8 0459FAFF call <@TControl@GetText$qqrv>
0049DC98 .8B55 A4 mov edx, dword ptr ss:
0049DC9B .B8 50E24900 mov eax, 0049E250 ;rth77
0049DCA0 .E8 0F75F6FF call <@System@@LStrPos$qqrv>
0049DCA5 .85C0 test eax, eax
0049DCA7 .0F8F 9B030000 jg 0049E048
0049DCAD .8D55 9C lea edx, dword ptr ss:
0049DCB0 .8B45 FC mov eax, dword ptr ss:
0049DCB3 .8B80 00030000 mov eax, dword ptr ds:
0049DCB9 .E8 DE58FAFF call <@TControl@GetText$qqrv>
0049DCBE .8B45 9C mov eax, dword ptr ss:
0049DCC1 .8D55 A0 lea edx, dword ptr ss:
0049DCC4 .E8 BFB2F6FF call 00408F88
0049DCC9 .8B55 A0 mov edx, dword ptr ss:
0049DCCC .B8 60E24900 mov eax, 0049E260 ;team
0049DCD1 .E8 DE74F6FF call <@System@@LStrPos$qqrv>
0049DCD6 .85C0 test eax, eax
0049DCD8 .0F8F 6A030000 jg 0049E048
0049DCDE .8D55 98 lea edx, dword ptr ss:
0049DCE1 .8B45 FC mov eax, dword ptr ss:
0049DCE4 .8B80 00030000 mov eax, dword ptr ds:
0049DCEA .E8 AD58FAFF call <@TControl@GetText$qqrv>
0049DCEF .8B55 98 mov edx, dword ptr ss:
0049DCF2 .B8 70E24900 mov eax, 0049E270 ;destroy
0049DCF7 .E8 B874F6FF call <@System@@LStrPos$qqrv>
0049DCFC .85C0 test eax, eax
0049DCFE .0F8F 44030000 jg 0049E048
0049DD04 .8D55 94 lea edx, dword ptr ss:
0049DD07 .8B45 FC mov eax, dword ptr ss:
0049DD0A .8B80 00030000 mov eax, dword ptr ds:
0049DD10 .E8 8758FAFF call <@TControl@GetText$qqrv>
0049DD15 .8B55 94 mov edx, dword ptr ss:
0049DD18 .B8 80E24900 mov eax, 0049E280 ;registered
0049DD1D .E8 9274F6FF call <@System@@LStrPos$qqrv>
0049DD22 .85C0 test eax, eax
0049DD24 .0F8F 1E030000 jg 0049E048
0049DD2A .8D55 90 lea edx, dword ptr ss:
0049DD2D .8B45 FC mov eax, dword ptr ss:
0049DD30 .8B80 00030000 mov eax, dword ptr ds:
0049DD36 .E8 6158FAFF call <@TControl@GetText$qqrv>
0049DD3B .8B55 90 mov edx, dword ptr ss:
0049DD3E .B8 94E24900 mov eax, 0049E294 ;orion
0049DD43 .E8 6C74F6FF call <@System@@LStrPos$qqrv>
0049DD48 .85C0 test eax, eax
0049DD4A .0F8F F8020000 jg 0049E048
0049DD50 .8D55 8C lea edx, dword ptr ss:
0049DD53 .8B45 FC mov eax, dword ptr ss:
0049DD56 .8B80 00030000 mov eax, dword ptr ds:
0049DD5C .E8 3B58FAFF call <@TControl@GetText$qqrv>
0049DD61 .8B55 8C mov edx, dword ptr ss:
0049DD64 .B8 70E24900 mov eax, 0049E270 ;destroy
0049DD69 .E8 4674F6FF call <@System@@LStrPos$qqrv>
0049DD6E .85C0 test eax, eax
0049DD70 .0F8F D2020000 jg 0049E048
0049DD76 .8D55 88 lea edx, dword ptr ss:
0049DD79 .8B45 FC mov eax, dword ptr ss:
0049DD7C .8B80 00030000 mov eax, dword ptr ds:
0049DD82 .E8 1558FAFF call <@TControl@GetText$qqrv>
0049DD87 .8B45 88 mov eax, dword ptr ss:
0049DD8A .BA A4E24900 mov edx, 0049E2A4 ;sponge uk
0049DD8F .E8 2872F6FF call <@System@@LStrCmp$qqrv>
0049DD94 .0F84 AE020000 je 0049E048
0049DD9A .8D55 84 lea edx, dword ptr ss:
0049DD9D .8B45 FC mov eax, dword ptr ss:
0049DDA0 .8B80 00030000 mov eax, dword ptr ds:
0049DDA6 .E8 F157FAFF call <@TControl@GetText$qqrv>
0049DDAB .8B45 84 mov eax, dword ptr ss:
0049DDAE .BA B8E24900 mov edx, 0049E2B8 ;sponge uk
0049DDB3 .E8 0472F6FF call <@System@@LStrCmp$qqrv>
0049DDB8 .0F84 8A020000 je 0049E048
0049DDBE .8D55 80 lea edx, dword ptr ss:
0049DDC1 .8B45 FC mov eax, dword ptr ss:
0049DDC4 .8B80 00030000 mov eax, dword ptr ds:
0049DDCA .E8 CD57FAFF call <@TControl@GetText$qqrv>
0049DDCF .8B45 80 mov eax, dword ptr ss:
0049DDD2 .BA CCE24900 mov edx, 0049E2CC ;scf
0049DDD7 .E8 E071F6FF call <@System@@LStrCmp$qqrv>
0049DDDC .0F84 66020000 je 0049E048
0049DDE2 .8D95 7CFFFFFF lea edx, dword ptr ss:
0049DDE8 .8B45 FC mov eax, dword ptr ss:
0049DDEB .8B80 00030000 mov eax, dword ptr ds:
0049DDF1 .E8 A657FAFF call <@TControl@GetText$qqrv>
0049DDF6 .8B85 7CFFFFFF mov eax, dword ptr ss:
0049DDFC .BA D8E24900 mov edx, 0049E2D8 ;nokedli
0049DE01 .E8 B671F6FF call <@System@@LStrCmp$qqrv>
0049DE06 .0F84 3C020000 je 0049E048
0049DE0C .68 F0E24900 push 0049E2F0 ;w
0049DE11 .8B45 FC mov eax, dword ptr ss:
0049DE14 .FFB0 40030000 push dword ptr ds: ;dw
0049DE1A .68 FCE24900 push 0049E2FC ;22
0049DE1F .FF75 E8 push dword ptr ss: ;2232 (username length plus 2222)
0049DE22 .68 08E34900 push 0049E308 ;-
0049DE27 .8D95 74FFFFFF lea edx, dword ptr ss:
0049DE2D .8B45 FC mov eax, dword ptr ss:
0049DE30 .8B80 00030000 mov eax, dword ptr ds:
0049DE36 .E8 6157FAFF call <@TControl@GetText$qqrv> ;get the username string
0049DE3B .8B85 74FFFFFF mov eax, dword ptr ss:
0049DE41 .8D95 78FFFFFF lea edx, dword ptr ss:
0049DE47 .E8 30FBFFFF call 0049D97C ;convert to ASCII hex values
0049DE4C .FFB5 78FFFFFF push dword ptr ss: ;push the conversion result
0049DE52 .8D45 EC lea eax, dword ptr ss:
0049DE55 .BA 06000000 mov edx, 6
0049DE5A .E8 D970F6FF call 00404F38 ;concatenate the strings into the address eax points to
0049DE5F .8D45 E8 lea eax, dword ptr ss:
0049DE62 .BA 14E34900 mov edx, 0049E314 ;\system32\spool\drivers\w32x86\2\riched20.dll setactiveeditcontrolfont, arial, 30
0049DE67 .E8 EC6DF6FF call <@System@@LStrLAsg$qqrv>
0049DE6C .8D95 70FFFFFF lea edx, dword ptr ss:
0049DE72 .8B45 FC mov eax, dword ptr ss:
0049DE75 .8B80 04030000 mov eax, dword ptr ds:
0049DE7B .E8 1C57FAFF call <@TControl@GetText$qqrv> ;get the entered registration code
0049DE80 .8B95 70FFFFFF mov edx, dword ptr ss: ;fake code (the entered one)
0049DE86 .8B45 EC mov eax, dword ptr ss: ;real code (in plaintext!)
0049DE89 .E8 2673F6FF call <@System@@LStrPos$qqrv> ;compare the computed code with the entered code (LStrPos is a substring search, not an equality test)
0049DE8E .85C0 test eax, eax
0049DE90 .0F84 B2010000 je 0049E048 ;if this jump is taken, registration fails
0049DE96 .8B45 FC mov eax, dword ptr ss:
0049DE99 .8B80 04030000 mov eax, dword ptr ds:
0049DE9F .33D2 xor edx, edx
0049DEA1 .E8 2657FAFF call <@Controls@TControl@SetText$qqrx17System@AnsiStr>
0049DEA6 .8D45 EC lea eax, dword ptr ss:
0049DEA9 .E8 126DF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049DEAE .6A 00 push 0
0049DEB0 .68 68E34900 push 0049E368 ;registration success!
0049DEB5 .68 80E34900 push <Text> ; thank you for your support.\nwe will work even harder and\nnotify you future releases.
0049DEBA .8B45 FC mov eax, dword ptr ss:
0049DEBD .E8 7EBEFAFF call <@Controls@TWinControl@GetHandle$qqrv>
0049DEC2 .50 push eax ; |hOwner
0049DEC3 .E8 849CF6FF call <MessageBoxA> ; \registration-success prompt
0049DEC8 .8B45 FC mov eax, dword ptr ss:
0049DECB .C680 45030000>mov byte ptr ds:, 0
0049DED2 .B2 01 mov dl, 1
0049DED4 .A1 485B4600 mov eax, dword ptr ds:
0049DED9 .E8 6A7DFCFF call <@Registry@TRegistry@$bctr$qqrv>
0049DEDE .8945 F8 mov dword ptr ss:, eax
0049DEE1 .33C0 xor eax, eax
0049DEE3 .55 push ebp
0049DEE4 .68 FDDF4900 push 0049DFFD
0049DEE9 .64:FF30 push dword ptr fs:
0049DEEC .64:8920 mov dword ptr fs:, esp
0049DEEF .BA 01000080 mov edx, 80000001
0049DEF4 .8B45 F8 mov eax, dword ptr ss:
0049DEF7 .E8 EC7DFCFF call <@Registry@TRegistry@SetRootKey$qqrui>
0049DEFC .B1 01 mov cl, 1
0049DEFE .BA E0E34900 mov edx, 0049E3E0 ;\software\microsoft\windows\currentversion\ipsec
0049DF03 .8B45 F8 mov eax, dword ptr ss:
0049DF06 .E8 457EFCFF call <@Registry@TRegistry@OpenKey$qqrx17System@AnsiSt>
0049DF0B .84C0 test al, al
0049DF0D .74 0C je short 0049DF1B
0049DF0F .33C0 xor eax, eax
0049DF11 .8945 F0 mov dword ptr ss:, eax
0049DF14 .C745 F4 00000>mov dword ptr ss:, 400E0000
0049DF1B >33C0 xor eax, eax
0049DF1D .55 push ebp
0049DF1E .68 7EDF4900 push 0049DF7E
0049DF23 .64:FF30 push dword ptr fs:
0049DF26 .64:8920 mov dword ptr fs:, esp
0049DF29 .FF75 F4 push dword ptr ss: ; /Arg2
0049DF2C .FF75 F0 push dword ptr ss: ; |Arg1
0049DF2F .8D85 6CFFFFFF lea eax, dword ptr ss: ; |
0049DF35 .E8 26DEF6FF call 0040BD60 ; \MyDriver.0040BD60
0049DF3A .8B8D 6CFFFFFF mov ecx, dword ptr ss:
0049DF40 .BA 1CE44900 mov edx, 0049E41C ;riscx86
0049DF45 .8B45 F8 mov eax, dword ptr ss:
0049DF48 .E8 4782FCFF call 00466194
0049DF4D .8D95 68FFFFFF lea edx, dword ptr ss:
0049DF53 .8B45 FC mov eax, dword ptr ss:
0049DF56 .8B80 00030000 mov eax, dword ptr ds:
0049DF5C .E8 3B56FAFF call <@TControl@GetText$qqrv>
0049DF61 .8B8D 68FFFFFF mov ecx, dword ptr ss:
0049DF67 .BA 2CE44900 mov edx, 0049E42C ;username
0049DF6C .8B45 F8 mov eax, dword ptr ss:
0049DF6F .E8 2082FCFF call 00466194
0049DF74 .33C0 xor eax, eax
0049DF76 .5A pop edx
0049DF77 .59 pop ecx
0049DF78 .59 pop ecx
0049DF79 .64:8910 mov dword ptr fs:, edx
0049DF7C .EB 61 jmp short 0049DFDF
0049DF7E .^ E9 5964F6FF jmp 004043DC
0049DF83 01 db 01
0049DF84 00 db 00
0049DF85 00 db 00
0049DF86 00 db 00
0049DF87 E85A4600 dd MyDriver.00465AE8
0049DF8B 8FDF4900 dd MyDriver.0049DF8F
0049DF8F .FF75 F4 push dword ptr ss: ; /Arg2
0049DF92 .FF75 F0 push dword ptr ss: ; |Arg1
0049DF95 .8D85 64FFFFFF lea eax, dword ptr ss: ; |
0049DF9B .E8 C0DDF6FF call 0040BD60 ; \MyDriver.0040BD60
0049DFA0 .8B8D 64FFFFFF mov ecx, dword ptr ss:
0049DFA6 .BA 1CE44900 mov edx, 0049E41C ;riscx86
0049DFAB .8B45 F8 mov eax, dword ptr ss:
0049DFAE .E8 E181FCFF call 00466194
0049DFB3 .8D95 60FFFFFF lea edx, dword ptr ss:
0049DFB9 .8B45 FC mov eax, dword ptr ss:
0049DFBC .8B80 00030000 mov eax, dword ptr ds:
0049DFC2 .E8 D555FAFF call <@TControl@GetText$qqrv>
0049DFC7 .8B8D 60FFFFFF mov ecx, dword ptr ss:
0049DFCD .BA 2CE44900 mov edx, 0049E42C ;username
0049DFD2 .8B45 F8 mov eax, dword ptr ss:
0049DFD5 .E8 BA81FCFF call 00466194
0049DFDA .E8 3966F6FF call <@@DoneExcept$qqrv>
0049DFDF >8B45 F8 mov eax, dword ptr ss:
0049DFE2 .E8 D17CFCFF call 00465CB8
0049DFE7 .33C0 xor eax, eax
0049DFE9 .5A pop edx
0049DFEA .59 pop ecx
0049DFEB .59 pop ecx
0049DFEC .64:8910 mov dword ptr fs:, edx
0049DFEF .68 04E04900 push 0049E004
0049DFF4 >8B45 F8 mov eax, dword ptr ss:
0049DFF7 .E8 D45DF6FF call 00403DD0
0049DFFC .C3 retn
0049DFFD .^ E9 6265F6FF jmp <@System@@HandleFinally$qqrv>
0049E002 .^ EB F0 jmp short 0049DFF4
0049E004 .8B45 FC mov eax, dword ptr ss:
0049E007 .8B80 04030000 mov eax, dword ptr ds:
0049E00D .33D2 xor edx, edx
0049E00F .E8 B855FAFF call <@Controls@TControl@SetText$qqrx17System@AnsiStr>
0049E014 .8D45 EC lea eax, dword ptr ss:
0049E017 .E8 A46BF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049E01C .8B45 FC mov eax, dword ptr ss:
0049E01F .8B80 00030000 mov eax, dword ptr ds:
0049E025 .33D2 xor edx, edx
0049E027 .E8 A055FAFF call <@Controls@TControl@SetText$qqrx17System@AnsiStr>
0049E02C .8B45 FC mov eax, dword ptr ss:
0049E02F .C680 44030000>mov byte ptr ds:, 0
0049E036 .8B45 FC mov eax, dword ptr ss:
0049E039 .8B80 24030000 mov eax, dword ptr ds:
0049E03F .B2 01 mov dl, 1
0049E041 .E8 06C1F9FF call <unknown_libname_202>
0049E046 .EB 54 jmp short 0049E09C
0049E048 >8B45 FC mov eax, dword ptr ss:
0049E04B .8B80 04030000 mov eax, dword ptr ds:
0049E051 .33D2 xor edx, edx
0049E053 .E8 7455FAFF call <@Controls@TControl@SetText$qqrx17System@AnsiStr>
0049E058 .8B45 FC mov eax, dword ptr ss:
0049E05B .8B80 00030000 mov eax, dword ptr ds:
0049E061 .33D2 xor edx, edx
0049E063 .E8 6455FAFF call <@Controls@TControl@SetText$qqrx17System@AnsiStr>
0049E068 .8D45 EC lea eax, dword ptr ss:
0049E06B .BA 03000000 mov edx, 3
0049E070 .E8 8771F6FF call 004051FC
0049E075 .8D45 EC lea eax, dword ptr ss:
0049E078 .BA 40E44900 mov edx, 0049E440 ;$%^
0049E07D .E8 D66BF6FF call <@System@@LStrLAsg$qqrv>
0049E082 .6A 00 push 0
0049E084 .68 44E44900 push 0049E444 ;invalid registration code
0049E089 .68 60E44900 push 0049E460 ;please make sure the registration\ncode and the registration name are\ncorrect.
0049E08E .8B45 FC mov eax, dword ptr ss:
0049E091 .E8 AABCFAFF call <@Controls@TWinControl@GetHandle$qqrv>
0049E096 .50 push eax ; |hOwner
0049E097 .E8 B09AF6FF call <MessageBoxA> ; \MessageBoxA
0049E09C >33C0 xor eax, eax
0049E09E .5A pop edx
0049E09F .59 pop ecx
0049E0A0 .59 pop ecx
0049E0A1 .64:8910 mov dword ptr fs:, edx
0049E0A4 .68 2DE14900 push 0049E12D
0049E0A9 >8D85 60FFFFFF lea eax, dword ptr ss:
0049E0AF .E8 0C6BF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049E0B4 .8D85 64FFFFFF lea eax, dword ptr ss:
0049E0BA .E8 016BF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049E0BF .8D85 68FFFFFF lea eax, dword ptr ss:
0049E0C5 .E8 F66AF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049E0CA .8D85 6CFFFFFF lea eax, dword ptr ss:
0049E0D0 .E8 EB6AF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049E0D5 .8D85 70FFFFFF lea eax, dword ptr ss:
0049E0DB .BA 02000000 mov edx, 2
0049E0E0 .E8 FF6AF6FF call <@System@@LStrArrayClr$qqrv>
0049E0E5 .8D85 78FFFFFF lea eax, dword ptr ss:
0049E0EB .E8 D06AF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049E0F0 .8D85 7CFFFFFF lea eax, dword ptr ss:
0049E0F6 .BA 09000000 mov edx, 9
0049E0FB .E8 E46AF6FF call <@System@@LStrArrayClr$qqrv>
0049E100 .8D45 A0 lea eax, dword ptr ss:
0049E103 .E8 B86AF6FF call <@System@@LStrClr$qqrr17System@AnsiString>
0049E108 .8D45 A4 lea eax, dword ptr ss:
0049E10B .BA 11000000 mov edx, 11
0049E110 .E8 CF6AF6FF call <@System@@LStrArrayClr$qqrv>
0049E115 .8D45 E8 lea eax, dword ptr ss:
0049E118 .BA 02000000 mov edx, 2
0049E11D .E8 C26AF6FF call <@System@@LStrArrayClr$qqrv>
0049E122 .C3 retn
0049E123 .^ E9 3C64F6FF jmp <@System@@HandleFinally$qqrv>
0049E128 .^ E9 7CFFFFFF jmp 0049E0A9
0049E12D .5F pop edi
0049E12E .5E pop esi
0049E12F .5B pop ebx
0049E130 .8BE5 mov esp, ebp
0049E132 .5D pop ebp
0049E133 .C3 retn
------------------------------------------------------------------------
The registration code is made up of the following four parts:
WDW22
2222 plus the username length
-
the ASCII values of the username as a hex string
My registration info:
surge
WDW222232-73757267655B5059475D
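As an added example (not code from the original post or from the program's author), here is a Python model of the check as the listing above reconstructs it. It is here to show why a "plaintext comparison" scheme is weak: the expected code is a pure function of the username with nothing secret, and the final LStrPos compare accepts any entered string that merely contains the expected code. Assumptions: the routine at 0049D97C emits uppercase hex, AnsiString bytes use the GBK code page, and the unnamed helper at 00408F88 before the "team" test is treated as a plain substring check.

```python
# Model of the registration check reconstructed from the disassembly.
# Added example; assumptions are marked in the comments.

# Names rejected outright (LStrCmp equal -> fail), as listed in the disassembly.
EXACT_BLACKLIST = {
    "distinct", "team insane", "tnt!2000", "-=demian/tnt!=-", "北极熊",
    "tsrh team", "ttdown", "tmg", "gory", "masterpower", "snd team",
    "sponge uk", "scf", "nokedli",
}
# Substrings rejected (LStrPos > 0 -> fail).
SUBSTRING_BLACKLIST = (
    "fff", "cluster", ".com", "rth77", "team", "destroy", "registered", "orion",
)


def expected_code(name: str) -> str:
    """Rebuild the string the binary concatenates from six parts (call 00404F38)."""
    raw = name.encode("gbk")                 # assumption: AnsiString bytes are GBK
    num = len(raw) + 0x8AE                   # IntToStr(Length(name) + 2222)
    hexpart = raw.hex().upper()              # assumption: 0049D97C emits uppercase hex
    return "W" + "DW" + "22" + str(num) + "-" + hexpart


def name_blacklisted(name: str) -> bool:
    """The series of LStrCmp / LStrPos tests at the top of the routine."""
    if name in EXACT_BLACKLIST:
        return True
    # assumption: the 00408F88 helper before the "team" test does not change the match
    return any(s in name for s in SUBSTRING_BLACKLIST)


def check_registration(name: str, entered: str) -> bool:
    """Mirror of the decision at 0049DE89: blacklist, then Pos(real, entered) > 0."""
    if name_blacklisted(name):
        return False
    # Weakness: the entered code only has to *contain* the computed code.
    return expected_code(name) in entered
```

Because nothing in `expected_code` depends on a secret, anyone who can read the binary can reproduce the check; the substring compare additionally means padded or prefixed input still passes.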
After a successful registration the registration information is stored in the registry (under the ipsec key shown in the listing).
The software has other checks as well (probably network-based), because after it is opened a few times it prompts for registration again, but my skill is limited, and lately things at work
and in life have been bothering me so much that I could not settle down to look for them.
------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article complete. Thank you!
Forgot to mention: the software is packed with UPX. After unpacking it is a Delphi program.

yyjpcx (posted 2006-1-27 21:42): Why analyze with IDA first? Why OD?

Quoting yyjpcx (posted 2006-1-27 21:42): Why analyze with IDA first? Why OD?
It's like this: IDA can recognize a large number of library functions, so after generating the MAP file you can tell what some calls do in the debugger just from their names, which saves a lot of thought. I have been rather restless lately.

Quoting yyjpcx (posted 2006-1-27 21:42): Why analyze with IDA first? Why OD?
Many experts like to use this method now; I am going to try it too.

I haven't tried this method myself; it sounds very good! Learned something new. good