某进销存解码分析
原帖见 https://www.chinapyg.com/viewthread.php?tid=43456&page=1&extra=# ,偶然见到此帖,并分析了下。我们直接进入主题。
;-----------------------------------------------------------------------
; 004D9610: confirm-button handler of the registration dialog (name not
; shown; the author marks it as the place to break).
; Target: x86-32, MSVC, MFC 4.2 DEBUG DLLs -- MFC42D/MSVCRTD imports,
; _chkesp calls and the 0xCC local fill all mean a debug build was shipped.
; In:    ecx = this (MFC thiscall), saved at [ebp-10]
; Out:   nothing returned. Side effects: message boxes, a registry write
;        under HKLM, two fields written into a global object (+0xF0, +0xDC).
; Clobb: eax, ecx, edx, flags (ebx/esi/edi are saved by the prologue)
; Frame: 0x278 bytes of locals below the 3-dword SEH record [ebp-C]..[ebp-4]
; NOTE(review): the forum markup stripped every bracketed memory operand,
; so "dword ptr ," stands for "dword ptr [ebp+disp]", "fs:[0]" or "es:[edi]".
; The displacement is recoverable from the opcode bytes on the left, e.g.
; 894D F0 = mov [ebp-10], ecx ; 8985 C4FDFFFF = mov [ebp-23C], eax.
; Security-relevant observations (code untouched):
;   * The LSTATUS of RegCreateKeyExA / RegSetValueExA is stored at [ebp-124]
;     (004D9736, 004D978D) but never tested: a failed write still reports
;     "registration successful".
;   * The entered string is strcpy'd into a fixed stack buffer at [ebp-22C]
;     (004D9752) with no length check; whether the edit control bounds its
;     length is not visible here -- TODO confirm.
;   * RegSetValueExA gets cbData = strlen(buf), i.e. without the terminating
;     NUL that REG_SZ data is documented to include.
;   * License state is persisted under HKLM with KEY_ALL_ACCESS (typically
;     needs administrative rights) in a key whose name mimics a Microsoft
;     component -- obscurity, not protection.
;-----------------------------------------------------------------------
004D9610/> \55 push ebp ; --> author: break here (standard MSVC frame prologue)
004D9611|.8BEC mov ebp, esp
004D9613|.6A FF push -1 ; SEH record: initial EH state -1 (no live C++ temporary yet)
004D9615|.68 AC1C4F00 push 004F1CAC ;肛sy (OllyDbg's garbled text guess for the bytes at 004F1CAC); SE handler install (MSVC C++ EH frame handler)
004D961A|.64:A1 0000000>mov eax, dword ptr fs: ; eax = fs:[0], current SEH chain head
004D9620|.50 push eax ; saved chain head -> [ebp-C]
004D9621|.64:8925 00000>mov dword ptr fs:, esp ; fs:[0] = esp: link this frame into the SEH chain
004D9628|.81EC 78020000 sub esp, 278 ; 0x278 bytes of locals
004D962E|.53 push ebx ; callee-saved registers
004D962F|.56 push esi
004D9630|.57 push edi
004D9631|.51 push ecx ; keep this (ecx) across the rep stos below
004D9632|.8DBD 7CFDFFFF lea edi, dword ptr ; edi = [ebp-284] (8DBD 7CFDFFFF): bottom of the local area
004D9638|.B9 9E000000 mov ecx, 9E ; 0x9E dwords = 0x278 bytes, the whole local area
004D963D|.B8 CCCCCCCC mov eax, CCCCCCCC ; 0xCC fill: MSVC debug-build "uninitialized stack" marker
004D9642|.F3:AB rep stos dword ptr es: ; fill es:[edi] upwards
004D9644|.59 pop ecx ; restore this
004D9645|.894D F0 mov dword ptr , ecx ; [ebp-10] = this
004D9648|.6A 01 push 1
004D964A|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D964D|.E8 CA040000 call <jmp.&MFC42D.#5056> ; MFC42D ordinal 5056, one arg (1), ecx = this; name not resolved here -- presumably pulls the dialog fields into members; TODO confirm
004D9652|.8B45 F0 mov eax, dword ptr ; eax = this
004D9655|.05 94040000 add eax, 494 ; eax = &this->member at +0x494 (4-byte, CString-sized)
004D965A|.50 push eax
004D965B|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D965E|.81C1 90040000 add ecx, 490 ; ecx = &this->member at +0x490 (4-byte, CString-sized)
004D9664|.51 push ecx ; this slot becomes the by-value argument below
004D9665|.8BD4 mov edx, esp ; edx = address of the slot just pushed
004D9667|.89A5 CCFDFFFF mov dword ptr , esp ; [ebp-234] = esp (89A5 CCFDFFFF)
004D966D|.51 push ecx
004D966E|.8BCA mov ecx, edx ; this = the stack slot
004D9670|.E8 DB030000 call <jmp.&MFC42D.#485> ; MFC42D ordinal 485 on the slot with &member(+0x490) as arg -- looks like copy-construction of a by-value temporary; TODO confirm
004D9675|.8985 C4FDFFFF mov dword ptr , eax ; [ebp-23C] = eax (8985 C4FDFFFF)
004D967B|.8D85 C8FDFFFF lea eax, dword ptr ; eax = [ebp-238] (8D85 C8FDFFFF): presumably the hidden return slot
004D9681|.50 push eax
004D9682|.E8 B77CF2FF call 0040133E ;算法处 -- author: "the algorithm"; thunk to 004BA790 (second listing)
004D9687|.83C4 08 add esp, 8 ; cdecl cleanup of 2 dwords: return-slot pointer + by-value temporary
004D968A|.8985 C0FDFFFF mov dword ptr , eax ; [ebp-240] = eax (pointer returned by the call)
004D9690|.8B8D C0FDFFFF mov ecx, dword ptr ; ecx = [ebp-240]
004D9696|.898D BCFDFFFF mov dword ptr , ecx ; [ebp-244] = ecx (same pointer, copied)
004D969C|.C745 FC 00000>mov dword ptr , 0 ; [ebp-4] = 0: EH state 0, the temporary at [ebp-238] is now live
004D96A3|.8B95 BCFDFFFF mov edx, dword ptr ; edx = [ebp-244]
004D96A9|.52 push edx
004D96AA|.E8 7B080000 call <jmp.&MFC42D.#823> ; MFC42D ordinal 823 with the returned object as its single arg; al = verdict used below -- the author reads it as the code comparison; TODO confirm
004D96AF|.8885 D0FDFFFF mov byte ptr , al ; [ebp-230] = verdict byte (8885 D0FDFFFF)
004D96B5|.C745 FC FFFFF>mov dword ptr , -1 ; [ebp-4] = -1: temporary about to be destroyed
004D96BC|.8D8D C8FDFFFF lea ecx, dword ptr ; ecx = [ebp-238]
004D96C2|.E8 5F030000 call <jmp.&MFC42D.#684> ; MFC42D ordinal 684 on the temporary -- presumably its destructor
004D96C7|.8B85 D0FDFFFF mov eax, dword ptr ; eax = [ebp-230]
004D96CD|.25 FF000000 and eax, 0FF ; isolate the verdict byte
004D96D2|.85C0 test eax, eax
004D96D4|.74 19 je short 004D96EF ; 0 -> accepted path (registry write below); nonzero -> error box
004D96D6|.6A 30 push 30 ; 0x30 = MB_OK | MB_ICONEXCLAMATION
004D96D8|.68 C8415800 push 005841C8 ;告警 -- caption: "Warning"
004D96DD|.68 B4415800 push 005841B4 ;注册码输入有误! -- text: "Registration code entered incorrectly!"
004D96E2|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D96E5|.E8 56040000 call <jmp.&MFC42D.#3517> ; 3-arg (text, caption, type) with ecx = this: MessageBox-style
004D96EA|.E9 14010000 jmp 004D9803 ; to the epilogue
004D96EF|>C785 E4FEFFFF>mov dword ptr , 104 ; [ebp-11C] = 0x104 (C785 E4FEFFFF); not read again within this listing
004D96F9|.C785 E0FEFFFF>mov dword ptr , 0057BE18 ;software\microsoft\dataaccess\rootbinder\xls -- [ebp-120] = subkey string; the name mimics a Microsoft data-access component
004D9703|.8BF4 mov esi, esp ; esp snapshot for the _chkesp check after the stdcall
004D9705|.8D8D D8FEFFFF lea ecx, dword ptr ; ecx = [ebp-128]
004D970B|.51 push ecx ; /pDisposition
004D970C|.8D55 EC lea edx, dword ptr ; | edx = [ebp-14]
004D970F|.52 push edx ; |pHandle
004D9710|.6A 00 push 0 ; |pSecurity = NULL
004D9712|.68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS -- far broader than the KEY_SET_VALUE this code needs
004D9717|.6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
004D9719|.6A 00 push 0 ; |Class = NULL
004D971B|.6A 00 push 0 ; |Reserved = 0
004D971D|.8B85 E0FEFFFF mov eax, dword ptr ; | eax = [ebp-120]
004D9723|.50 push eax ; |Subkey
004D9724|.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE -- machine-wide key; writing here typically needs elevation
004D9729|.FF15 18B55900 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
004D972F|.3BF4 cmp esi, esp ; debug-build check that the stdcall callee cleaned the stack
004D9731|.E8 BA120000 call <jmp.&MSVCRTD._chkesp>
004D9736|.8985 DCFEFFFF mov dword ptr , eax ; [ebp-124] = LSTATUS -- stored but never tested
004D973C|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D973F|.81C1 94040000 add ecx, 494 ; ecx = &this->member at +0x494
004D9745|.E8 12030000 call <jmp.&MFC42D.#880> ; MFC42D ordinal 880 -> eax = C-string pointer used as strcpy source; presumably the entered code
004D974A|.50 push eax ; /src
004D974B|.8D8D D4FDFFFF lea ecx, dword ptr ; | ecx = [ebp-22C] (8D8D D4FDFFFF): fixed stack buffer
004D9751|.51 push ecx ; |dest
004D9752|.E8 E5150000 call <jmp.&MSVCRTD.strcpy> ; \strcpy -- unbounded copy of user input into the stack buffer; no length check visible
004D9757|.83C4 08 add esp, 8
004D975A|.8D95 D4FDFFFF lea edx, dword ptr ; edx = [ebp-22C]
004D9760|.52 push edx ; /s
004D9761|.E8 D0150000 call <jmp.&MSVCRTD.strlen> ; \strlen
004D9766|.83C4 04 add esp, 4
004D9769|.8BF4 mov esi, esp ; esp snapshot for _chkesp
004D976B|.50 push eax ; /BufSize = strlen(buf): REG_SZ data is documented to include the terminating NUL, so this is one byte short
004D976C|.8D85 D4FDFFFF lea eax, dword ptr ; | eax = [ebp-22C]
004D9772|.50 push eax ; |Buffer
004D9773|.6A 01 push 1 ; |ValueType = REG_SZ
004D9775|.6A 00 push 0 ; |Reserved = 0
004D9777|.68 0CBE5700 push 0057BE0C ;xls -- value name "xls"
004D977C|.8B4D EC mov ecx, dword ptr ; | ecx = [ebp-14], handle from RegCreateKeyExA
004D977F|.51 push ecx ; |hKey
004D9780|.FF15 1CB55900 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA
004D9786|.3BF4 cmp esi, esp
004D9788|.E8 63120000 call <jmp.&MSVCRTD._chkesp>
004D978D|.8985 DCFEFFFF mov dword ptr , eax ; [ebp-124] = LSTATUS, again never tested before the success message
004D9793|.8BF4 mov esi, esp
004D9795|.8B55 EC mov edx, dword ptr ; edx = [ebp-14]
004D9798|.52 push edx ; /hKey
004D9799|.FF15 14B55900 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
004D979F|.3BF4 cmp esi, esp
004D97A1|.E8 4A120000 call <jmp.&MSVCRTD._chkesp>
004D97A6|.6A 30 push 30 ; MB_OK | MB_ICONEXCLAMATION
004D97A8|.68 AC415800 push 005841AC ;注册 -- caption: "Register"
004D97AD|.68 94415800 push 00584194 ;注册成功,欢迎使用! -- text: "Registration successful, welcome!" (shown regardless of the registry results above)
004D97B2|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D97B5|.E8 86030000 call <jmp.&MFC42D.#3517> ; MessageBox-style, as above
004D97BA|.68 6C415800 push 0058416C ;软件已经注册,欢迎使用! -- text: "Software is already registered, welcome!"
004D97BF|.68 4A040000 push 44A ; control id 0x44A
004D97C4|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D97C7|.E8 A4030000 call <jmp.&MFC42D.#4634> ; 2-arg (id, text) with ecx = this: SetDlgItemText-style; TODO confirm
004D97CC|.E8 61020000 call <jmp.&MFC42D.#1087> ; no-arg call returning an object pointer in eax (AfxGetApp-style getter? TODO confirm)
004D97D1|.C780 F0000000>mov dword ptr , 1 ; [eax+F0] = 1 (C780 F0000000): written only on the accepted path -- presumably the in-memory registered state
004D97DB|.E8 52020000 call <jmp.&MFC42D.#1087> ; same getter again
004D97E0|.C780 DC000000>mov dword ptr , 14 ; [eax+DC] = 0x14 (C780 DC000000); meaning not visible here
004D97EA|.68 88415800 push 00584188 ;欢迎使用 -- text: "Welcome"
004D97EF|.6A 02 push 2 ; control id 2 (IDCANCEL)
004D97F1|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D97F4|.E8 77030000 call <jmp.&MFC42D.#4634> ; SetDlgItemText-style, as above
004D97F9|.6A 01 push 1
004D97FB|.8B4D F0 mov ecx, dword ptr ; ecx = this
004D97FE|.E8 81040000 call <jmp.&MFC42D.#3309> ; single arg (1) with ecx = this: EndDialog(IDOK)-style; TODO confirm
004D9803|>8B4D F4 mov ecx, dword ptr ; ecx = [ebp-C], saved SEH chain head (both paths join here)
004D9806|.64:890D 00000>mov dword ptr fs:, ecx ; fs:[0] = ecx: unlink this frame from the SEH chain
004D980D|.5F pop edi
004D980E|.5E pop esi
004D9810|.5B pop ebx
004D9810|.81C4 84020000 add esp, 284 ; 0x278 locals + 3-dword SEH record
004D9816|.3BEC cmp ebp, esp ; debug-build frame consistency check
004D9818|.E8 D3110000 call <jmp.&MSVCRTD._chkesp>
004D981D|.8BE5 mov esp, ebp
004D981F|.5D pop ebp
004D9820\.C3 retn
++++++++++++++++004D9682|.E8 B77CF2FF call 0040133E+++++++++++++++++++++++
004BA790 > \55 push ebp ;——》这里才是关键代码处
004BA791 .8BEC mov ebp, esp
004BA793 .6A FF push -1
004BA795 .68 B2024F00 push 004F02B2 ;SE 处理程序安装
004BA79A .64:A1 0000000>mov eax, dword ptr fs:
004BA7A0 .50 push eax
004BA7A1 .64:8925 00000>mov dword ptr fs:, esp
004BA7A8 .83EC 5C sub esp, 5C
004BA7AB .53 push ebx
004BA7AC .56 push esi
004BA7AD .57 push edi
004BA7AE .8D7D 98 lea edi, dword ptr
004BA7B1 .B9 17000000 mov ecx, 17
004BA7B6 .B8 CCCCCCCC mov eax, CCCCCCCC
004BA7BB .F3:AB rep stos dword ptr es:
004BA7BD .C745 DC 00000>mov dword ptr , 0
004BA7C4 .C745 FC 01000>mov dword ptr , 1
004BA7CB .8D4D F0 lea ecx, dword ptr
004BA7CE .E8 9BF20100 call <jmp.&MFC42D.#492>
004BA7D3 .C645 FC 02 mov byte ptr , 2
004BA7D7 .8D45 0C lea eax, dword ptr
004BA7DA .50 push eax
004BA7DB .8D4D F0 lea ecx, dword ptr
004BA7DE .E8 4BF30100 call <jmp.&MFC42D.#734>
004BA7E3 .8D4D 0C lea ecx, dword ptr
004BA7E6 .E8 33F70100 call <jmp.&MFC42D.#2640>
004BA7EB .83E8 01 sub eax, 1
004BA7EE .8945 E8 mov dword ptr , eax
004BA7F1 .8D4D E4 lea ecx, dword ptr
004BA7F4 .E8 75F20100 call <jmp.&MFC42D.#492>
004BA7F9 .C645 FC 03 mov byte ptr , 3
004BA7FD .C745 E0 00000>mov dword ptr , 0
004BA804 .EB 09 jmp short 004BA80F
004BA806 >8B4D E0 mov ecx, dword ptr ;/ 计算注册码
004BA809 .83C1 01 add ecx, 1
004BA80C .894D E0 mov dword ptr , ecx
004BA80F >8D4D F0 lea ecx, dword ptr
004BA812 .E8 07F70100 call <jmp.&MFC42D.#2640>
004BA817 .3945 E0 cmp dword ptr , eax ;循环次数
004BA81A .7D 71 jge short 004BA88D
004BA81C .8B55 E0 mov edx, dword ptr
004BA81F .52 push edx
004BA820 .8D4D 0C lea ecx, dword ptr
004BA823 .E8 5AFF0100 call <jmp.&MFC42D.#850>
004BA828 .8845 EC mov byte ptr , al ;当前字符ASCII
004BA82B .8A45 EC mov al, byte ptr
004BA82E .0245 E0 add al, byte ptr ;+当前位-1
004BA831 .8845 EC mov byte ptr , al
004BA834 .0FBE4D EC movsx ecx, byte ptr
004BA838 .6BC9 07 imul ecx, ecx, 7 ;×7
004BA83B .884D EC mov byte ptr , cl
004BA83E .0FBE45 EC movsx eax, byte ptr ;如其值大于7F,则用FF-当前值参与下面的计算
004BA842 .99 cdq ;接上,如余数=0,则当前位注册码为“0”,否则为“-”
004BA843 .B9 0A000000 mov ecx, 0A
004BA848 .F7F9 idiv ecx ;除以10
004BA84A .52 push edx ;取余数作为注册码的一部分
004BA84B .68 D4915700 push 005791D4 ;ASCII "%d"
004BA850 .8D55 E4 lea edx, dword ptr
004BA853 .52 push edx
004BA854 .E8 69F20100 call <jmp.&MFC42D.#2168>
004BA859 .83C4 0C add esp, 0C
004BA85C .6A 00 push 0
004BA85E .8D4D E4 lea ecx, dword ptr
004BA861 .E8 1CFF0100 call <jmp.&MFC42D.#850>
004BA866 .8845 EC mov byte ptr , al
004BA869 .8A45 EC mov al, byte ptr
004BA86C .50 push eax
004BA86D .8B4D E8 mov ecx, dword ptr
004BA870 .894D D8 mov dword ptr , ecx
004BA873 .8B55 D8 mov edx, dword ptr
004BA876 .52 push edx
004BA877 .8B45 E8 mov eax, dword ptr
004BA87A .83E8 01 sub eax, 1
004BA87D .8945 E8 mov dword ptr , eax
004BA880 .8D4D F0 lea ecx, dword ptr
004BA883 .E8 F4FE0100 call <jmp.&MFC42D.#4525>
004BA888 .^ E9 79FFFFFF jmp 004BA806 ;\ 循环
004BA88D >8D4D F0 lea ecx, dword ptr
分析:
1、逐位倒取机器码的字符;
2、(当前位字符ASCII+1)×7/A,取余数为当前注册码位字符
如其值大于7F,且(其值-FF-1)除以A的余不为0,则当前的注册码位用“-”,如为0则用“0”为注册码字符。
3、顺序连接,就是注册码。
另外要说明的就是,机机算号里要输入校验码,如不正确,算的号当然也不对
要校验码的短信通知我 /:014 感谢lzq1973 看一下lzq1973的算法分析,学习一下。 原帖由 topstar 于 2009-3-6 17:35 发表 https://www.chinapyg.com/images/common/back.gif
感谢lzq1973,另外校验码是多少,望LZ告知!
就是当前时间
回复 6# lzq1973 的帖子
这个较难,先下来再学