暴破FileTreePrinter 3.1.6.139
【破文标题】暴破FileTreePrinter 3.1.6.139
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】[email protected]
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-06-10
【软件名称】FileTreePrinter 3.1.6.139
【软件大小】268KB
【下载地址】https://www.chinapyg.com/viewthread.php?tid=5136
【加壳方式】无
【软件简介】File Tree Printer is used to export directory or CD/DVD listings to a text file.
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用PEID扫描,显示为:Microsoft Visual C++ 7.0,无壳。
2.试运行。输入注册信息后点OK按钮,弹出:"registration failed!"对话框。
3.伪注册算法。OD载入程序,右键--Ultra String Reference--Find ASCII,查找“registration failed!”,
找到后双击,来到:
00407662 .68 D0FE4>push FileTree.0042FED0 ;registration failed!
00407667 .E8 77100>call FileTree.004286E3
0040766C .5B pop ebx
向上查找,来到004073A3处F2下断,F9运行,输入注册信息:
==============================
User Name:hrbx
Registration COde:9876543210
==============================
点Register按钮,立即中断:
004073A3 .55 push ebp ;F2在此下断,中断后F8往下走
004073A4 .56 push esi
004073A5 .57 push edi
004073A6 .BF 01000000 mov edi,1
004073AB .57 push edi
004073AC .8BF1 mov esi,ecx
004073AE .E8 2AB20100 call FileTree.004225DD
004073B3 .8B46 70 mov eax,dword ptr ds: ;用户名"hrbx"
004073B6 .8B68 F4 mov ebp,dword ptr ds: ;用户名长度,ds:=4
004073B9 .83FD 02 cmp ebp,2 ;用户名长度与2比较
004073BC .7D 15 jge short FileTree.004073D3 ;大于等于则跳
004073BE .6A 00 push 0
004073C0 .6A 00 push 0
004073C2 .68 2CFF4200 push FileTree.0042FF2C ;please input correct user name!
004073C7 .E8 17130200 call FileTree.004286E3
004073CC .5F pop edi
004073CD .5E pop esi
004073CE .5D pop ebp
004073CF .83C4 0C add esp,0C
004073D2 .C3 retn
004073D3 >8B4E 74 mov ecx,dword ptr ds: ;假码"9876543210"
004073D6 .8379 F4 08 cmp dword ptr ds:,8 ;假码长度与8比较
004073DA .7D 15 jge short FileTree.004073F1 ;大于等于则跳
004073DC .6A 00 push 0
004073DE .6A 00 push 0
004073E0 .68 04FF4200 push FileTree.0042FF04 ;please input correct registration code!
004073E5 .E8 F9120200 call FileTree.004286E3
004073EA .5F pop edi
004073EB .5E pop esi
004073EC .5D pop ebp
004073ED .83C4 0C add esp,0C
004073F0 .C3 retn
004073F1 >8B46 70 mov eax,dword ptr ds: ;用户名"hrbx"
004073F4 .8B48 F4 mov ecx,dword ptr ds: ;用户名长度,ds:=4
004073F7 .85C9 test ecx,ecx
004073F9 .7D 0A jge short FileTree.00407405 ;用户名长度不为空则跳
004073FB .68 57000780 push 80070057
00407400 .E8 0B9CFFFF call FileTree.00401010
00407405 >8A10 mov dl,byte ptr ds:
00407407 .8B46 70 mov eax,dword ptr ds:
0040740A .3978 F4 cmp dword ptr ds:,edi
0040740D .7D 0A jge short FileTree.00407419
0040740F .68 57000780 push 80070057
00407414 .E8 F79BFFFF call FileTree.00401010
00407419 >8A40 01 mov al,byte ptr ds:
0040741C .884424 0E mov byte ptr ss:,al
00407420 .8B46 70 mov eax,dword ptr ds:
00407423 .8B48 F4 mov ecx,dword ptr ds:
00407426 .85C9 test ecx,ecx
00407428 .7D 0A jge short FileTree.00407434
0040742A .68 57000780 push 80070057
0040742F .E8 DC9BFFFF call FileTree.00401010
00407434 >8B4E 70 mov ecx,dword ptr ds: ;用户名"hrbx"
00407437 .53 push ebx
00407438 .8A18 mov bl,byte ptr ds:
0040743A .3979 F4 cmp dword ptr ds:,edi
0040743D .7D 0A jge short FileTree.00407449
0040743F .68 57000780 push 80070057
00407444 .E8 C79BFFFF call FileTree.00401010
00407449 >0FB6C2 movzx eax,dl ;用户名第1位字符的ASCII值,DL=0x68("h")
0040744C .83C8 45 or eax,45 ;EAX=EAX or 0x45
0040744F .99 cdq
00407450 .BF 0A000000 mov edi,0A ;EDI=0xA
00407455 .F7FF idiv edi ;EAX/EDI,商给EAX,余数给EDX
00407457 .0FB64424 12 movzx eax,byte ptr ss: ;用户名第2位字符的ASCII值,EAX=0x72("r")
0040745C .83C8 42 or eax,42 ;EAX=EAX or 0x42
0040745F .885424 16 mov byte ptr ss:,dl ;用户名第1位字符余数保存放ss:,记为N1
00407463 .99 cdq
00407464 .F7FF idiv edi ;EAX/EDI,商给EAX,余数给EDX
00407466 .0FB6C3 movzx eax,bl ;用户名第1位字符的ASCII值,DL=0x68("h")
00407469 .83C8 43 or eax,43 ;EAX=EAX or 0x43
0040746C .885424 12 mov byte ptr ss:,dl ;用户名第2位字符余数保存放ss:,记为N2
00407470 .99 cdq
00407471 .F7FF idiv edi ;EAX/EDI,商给EAX,余数给EDX
00407473 .0FB641 01 movzx eax,byte ptr ds: ;用户名第2位字符的ASCII值,EAX=0x72("r")
00407477 .83C8 44 or eax,44 ;EAX=EAX or 0x44
0040747A .8BCF mov ecx,edi ;ECX=EDI=0xA
0040747C .885424 17 mov byte ptr ss:,dl ;用户名第1位字符余数保存放ss:,记为N3
00407480 .99 cdq
00407481 .F7F9 idiv ecx ;EAX/ECX,商给EAX,余数给EDX
00407483 .33C0 xor eax,eax
00407485 .33C9 xor ecx,ecx
00407487 .85ED test ebp,ebp
00407489 .885424 18 mov byte ptr ss:,dl ;用户名第2位字符余数保存放ss:,记为N4
0040748D .7E 20 jle short FileTree.004074AF
0040748F .90 nop
00407490 >85C9 test ecx,ecx
00407492 .0F8C D2000000 jl FileTree.0040756A
00407498 .8B7E 70 mov edi,dword ptr ds: ;用户名"hrbx"
0040749B .3B4F F4 cmp ecx,dword ptr ds:
0040749E .0F8F C6000000 jg FileTree.0040756A
004074A4 .0FB6140F movzx edx,byte ptr ds:;依次取用户名每一个字符的ASCII值
004074A8 .03C2 add eax,edx ;ASCII值累加,和为0x1B4
004074AA .41 inc ecx
004074AB .3BCD cmp ecx,ebp
004074AD .^ 7C E1 jl short FileTree.00407490
004074AF >8B4E 74 mov ecx,dword ptr ds: ;假码"9876543210"
004074B2 .8B51 F4 mov edx,dword ptr ds:
004074B5 .85D2 test edx,edx
004074B7 .7D 0A jge short FileTree.004074C3
004074B9 .68 57000780 push 80070057
004074BE .E8 4D9BFFFF call FileTree.00401010
004074C3 >8A11 mov dl,byte ptr ds:
004074C5 .8B4E 74 mov ecx,dword ptr ds:
004074C8 .8379 F4 01 cmp dword ptr ds:,1
004074CC 885424 19 mov byte ptr ss:,dl ;假码第1位字符'9'放入ss:
004074D0 .7D 0A jge short FileTree.004074DC
004074D2 .68 57000780 push 80070057
004074D7 .E8 349BFFFF call FileTree.00401010
004074DC >8A49 01 mov cl,byte ptr ds:
004074DF .8B7E 74 mov edi,dword ptr ds:
004074E2 .884C24 13 mov byte ptr ss:,cl ;假码第2位字符'8'放入ss:
004074E6 .837F F4 02 cmp dword ptr ds:,2
004074EA .7D 0A jge short FileTree.004074F6
004074EC .68 57000780 push 80070057
004074F1 .E8 1A9BFFFF call FileTree.00401010
004074F6 >8A4F 02 mov cl,byte ptr ds:
004074F9 .8B7E 74 mov edi,dword ptr ds:
004074FC .884C24 14 mov byte ptr ss:,cl ;假码第3位字符'7'放入ss:
00407500 .837F F4 03 cmp dword ptr ds:,3
00407504 .7D 0A jge short FileTree.00407510
00407506 .68 57000780 push 80070057
0040750B .E8 009BFFFF call FileTree.00401010
00407510 >8A4F 03 mov cl,byte ptr ds:
00407513 .8B7E 74 mov edi,dword ptr ds:
00407516 .884C24 15 mov byte ptr ss:,cl ;假码第4位字符'6'放入ss:
0040751A .837F F4 04 cmp dword ptr ds:,4
0040751E .7D 0A jge short FileTree.0040752A
00407520 .68 57000780 push 80070057
00407525 .E8 E69AFFFF call FileTree.00401010
0040752A >8A4F 04 mov cl,byte ptr ds: ;假码第5位字符'5'给CL
0040752D .8B7E 74 mov edi,dword ptr ds:
00407530 .837F F4 05 cmp dword ptr ds:,5
00407534 .7D 0A jge short FileTree.00407540
00407536 .68 57000780 push 80070057
0040753B .E8 D09AFFFF call FileTree.00401010
00407540 >8A5F 05 mov bl,byte ptr ds:
00407543 .8B7E 74 mov edi,dword ptr ds:
00407546 .885C24 1A mov byte ptr ss:,bl ;假码第6位字符'4'放入ss:
0040754A .837F F4 06 cmp dword ptr ds:,6
0040754E .7D 0A jge short FileTree.0040755A
00407550 .68 57000780 push 80070057
00407555 .E8 B69AFFFF call FileTree.00401010
0040755A >8A5F 06 mov bl,byte ptr ds:
0040755D .8B7E 74 mov edi,dword ptr ds:
00407560 .885C24 1B mov byte ptr ss:,bl ;假码第7位字符'3'放入ss:
00407564 .837F F4 07 cmp dword ptr ds:,7
00407568 .7D 0A jge short FileTree.00407574
0040756A >68 57000780 push 80070057
0040756F .E8 9C9AFFFF call FileTree.00401010
00407574 >8A5F 07 mov bl,byte ptr ds: ;假码"9876543210"
00407577 .0FB67C24 16 movzx edi,byte ptr ss: ;取出用户名第1位字符运算保存的余数N1
0040757C .0FB6D2 movzx edx,dl ;假码第1位字符的ASCII值,DL=0x39('9')
0040757F .83EA 30 sub edx,30
00407582 .3BFA cmp edi,edx
00407584 .75 48 jnz short FileTree.004075CE ;不相等则跳
00407586 .0FB65424 13 movzx edx,byte ptr ss: ;假码第2位字符的ASCII值,EDX=0x38('8')
0040758B .0FB67C24 12 movzx edi,byte ptr ss: ;取出用户名第2位字符运算保存的余数N2
00407590 .83EA 30 sub edx,30
00407593 .3BFA cmp edi,edx
00407595 .75 37 jnz short FileTree.004075CE ;不相等则跳
00407597 .0FB65424 14 movzx edx,byte ptr ss: ;假码第3位字符的ASCII值,EDX=0x37('7')
0040759C .0FB67C24 17 movzx edi,byte ptr ss: ;取出用户名第1位字符运算保存的余数N3
004075A1 .83EA 30 sub edx,30
004075A4 .3BFA cmp edi,edx
004075A6 .75 26 jnz short FileTree.004075CE ;不相等则跳
004075A8 .0FB65424 15 movzx edx,byte ptr ss: ;假码第4位字符的ASCII值,EDX=0x36('6')
004075AD .0FB67C24 18 movzx edi,byte ptr ss: ;取出用户名第2位字符运算保存的余数N4
004075B2 .83EA 30 sub edx,30
004075B5 .3BFA cmp edi,edx
004075B7 .75 15 jnz short FileTree.004075CE ;不相等则跳
004075B9 .99 cdq
004075BA .BF 0A000000 mov edi,0A
004075BF .F7FF idiv edi
004075C1 .0FB6C2 movzx eax,dl
004075C4 .0FB6D1 movzx edx,cl
004075C7 .83EA 30 sub edx,30
004075CA .3BC2 cmp eax,edx
004075CC .74 3A je short FileTree.00407608
004075CE >807C24 19 38cmp byte ptr ss:,38 ;比较注册码第1位是否为0x38('8')
004075D3 .0F85 85000000 jnz FileTree.0040765E ;不等则Over
004075D9 .807C24 13 33cmp byte ptr ss:,33 ;比较注册码第2位是否为0x33('3')
004075DE .75 7E jnz short FileTree.0040765E ;不等则Over
004075E0 .807C24 14 39cmp byte ptr ss:,39 ;比较注册码第3位是否为0x39('9')
004075E5 .75 77 jnz short FileTree.0040765E ;不等则Over
004075E7 .8A5424 15 mov dl,byte ptr ss: ;注册码第4位0x36('6')
004075EB .B0 31 mov al,31 ;AL=0x31
004075ED .3AD0 cmp dl,al ;比较注册码第4位是否为0x31('1')
004075EF .75 6D jnz short FileTree.0040765E ;不等则Over
004075F1 .80F9 33 cmp cl,33 ;比较注册码第5位是否为0x33('3')
004075F4 .75 68 jnz short FileTree.0040765E ;不等则Over
004075F6 .384424 1A cmp byte ptr ss:,al ;比较注册码第6位是否为0x31('1')
004075FA .75 62 jnz short FileTree.0040765E ;不等则Over
004075FC .807C24 1B 34cmp byte ptr ss:,34 ;比较注册码第7位是否为0x34('4')
00407601 .75 5B jnz short FileTree.0040765E ;不等则Over
00407603 .80FB 36 cmp bl,36 ;比较注册码第8位是否为0x31('6')
00407606 .75 56 jnz short FileTree.0040765E ;不等则Over
00407608 >6A 00 push 0
0040760A .6A 00 push 0
0040760C .68 E8FE4200 push FileTree.0042FEE8 ;registration has succeeded!
00407611 .E8 CD100200 call FileTree.004286E3
00407616 .8B7E 70 mov edi,dword ptr ds:
00407619 .E8 8A1E0200 call FileTree.004294A8
0040761E .8B40 04 mov eax,dword ptr ds:
00407621 .57 push edi
00407622 .68 F4FD4200 push FileTree.0042FDF4 ; username
00407627 .68 ECFD4200 push FileTree.0042FDEC ; option
0040762C .8BC8 mov ecx,eax
0040762E .E8 100E0200 call FileTree.00428443 ; 将用户名写入注册表
00407633 .8B7E 74 mov edi,dword ptr ds:
00407636 .E8 6D1E0200 call FileTree.004294A8
0040763B .8B40 04 mov eax,dword ptr ds:
0040763E .57 push edi
0040763F .68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00407644 .68 ECFD4200 push FileTree.0042FDEC ; option
00407649 .8BC8 mov ecx,eax
0040764B .E8 F30D0200 call FileTree.00428443 ; 将注册码写入注册表
00407650 .5B pop ebx
00407651 .5F pop edi
00407652 .8BCE mov ecx,esi
00407654 .5E pop esi
00407655 .5D pop ebp
00407656 .83C4 0C add esp,0C
00407659 .E9 9B8F0100 jmp FileTree.004205F9
0040765E >6A 00 push 0
00407660 .6A 00 push 0
00407662 .68 D0FE4200 push FileTree.0042FED0 ;registration failed!
00407667 .E8 77100200 call FileTree.004286E3
0040766C .5B pop ebx
0040766D .5F pop edi
0040766E .5E pop esi
0040766F .5D pop ebp
00407670 .83C4 0C add esp,0C
00407673 .C3 retn
将用户名及由用户名运算所得的注册码或者固定码"83913146"输入注册,弹出注册成功提示:"registration has succeeded!"。
同时,程序将注册信息保存入注册表中。但是当程序弹出主界面时,注册表中的信息又被清空了!
4.暴破解之。先在注册表中伪造一份注册信息:
"username"="hrbx"
"registration_code"="9876543210"
Ctrl+F2重新载入程序,右键--Ultra String Reference--Find ASCII,查找“username”,找到后全部F2下断,F9运行程序,
00406670 6A FF push -1
00406672 68 4CDB4200 push FileTree.0042DB4C ;入口地址
00406677 |.64:A1 00000000 mov eax,dword ptr fs:
0040667D |.50 push eax
0040667E |.64:8925 00000000mov dword ptr fs:,esp
00406685 |.81EC 04010000 sub esp,104
0040668B |.53 push ebx
0040668C |.56 push esi
0040668D |.57 push edi
0040668E |.8BD9 mov ebx,ecx
00406690 |.6A 00 push 0
00406692 |.895C24 20 mov dword ptr ss:,ebx
00406696 |.E8 76BC0000 call FileTree.00412311
0040669B |.83C4 04 add esp,4
0040669E |.8BF8 mov edi,eax
004066A0 |.8BF2 mov esi,edx
004066A2 |.E8 012E0200 call FileTree.004294A8
004066A7 |.8B40 04 mov eax,dword ptr ds:
004066AA |.8B88 A4000000 mov ecx,dword ptr ds:
004066B0 |.8B80 A8000000 mov eax,dword ptr ds:
004066B6 |.83C1 05 add ecx,5
004066B9 |.83D0 00 adc eax,0
004066BC |.3BC6 cmp eax,esi
004066BE |.7F 20 jg short FileTree.004066E0
004066C0 |.7C 04 jl short FileTree.004066C6
004066C2 |.3BCF cmp ecx,edi
004066C4 |.73 1A jnb short FileTree.004066E0
004066C6 |>5F pop edi
004066C7 |.5E pop esi
004066C8 |.33C0 xor eax,eax
004066CA |.5B pop ebx
004066CB |.8B8C24 04010000 mov ecx,dword ptr ss:
004066D2 |.64:890D 00000000mov dword ptr fs:,ecx
004066D9 |.81C4 10010000 add esp,110
004066DF |.C3 retn
004066E0 |>E8 C32D0200 call FileTree.004294A8
004066E5 |.8B40 04 mov eax,dword ptr ds:
004066E8 |.68 65F64200 push FileTree.0042F665
004066ED |.68 F4FD4200 push FileTree.0042FDF4 ;username,F9运行后中断在此,
004066F2 |.68 ECFD4200 push FileTree.0042FDEC ;option
004066F7 |.8D4C24 24 lea ecx,dword ptr ss:
004066FB |.51 push ecx
004066FC |.8BC8 mov ecx,eax
004066FE |.E8 7F2F0200 call FileTree.00429682
00406703 |.8DB3 84000000 lea esi,dword ptr ds:
00406709 |.50 push eax
0040670A |.8BCE mov ecx,esi
0040670C |.C78424 1C010000 0>mov dword ptr ss:,0
00406717 |.E8 64ADFFFF call FileTree.00401480
0040671C |.8B4424 18 mov eax,dword ptr ss: ;用户名"hrbx"
00406720 |.83C0 F0 add eax,-10
00406723 |.C78424 18010000 F>mov dword ptr ss:,-1
0040672E |.8D50 0C lea edx,dword ptr ds:
00406731 |.83C9 FF or ecx,FFFFFFFF
00406734 |.F0:0FC10A lock xadd dword ptr ds:,ecx
00406738 |.49 dec ecx
00406739 |.85C9 test ecx,ecx
0040673B |.7F 08 jg short FileTree.00406745
0040673D |.8B08 mov ecx,dword ptr ds:
0040673F |.8B11 mov edx,dword ptr ds:
00406741 |.50 push eax
00406742 |.FF52 04 call dword ptr ds:
00406745 |>55 push ebp
00406746 |.E8 5D2D0200 call FileTree.004294A8
0040674B |.8B40 04 mov eax,dword ptr ds:
0040674E |.68 65F64200 push FileTree.0042F665
00406753 |.68 D8FD4200 push FileTree.0042FDD8 ;registration_code
00406758 |.68 ECFD4200 push FileTree.0042FDEC ;option
0040675D |.8D4C24 28 lea ecx,dword ptr ss:
00406761 |.51 push ecx
00406762 |.8BC8 mov ecx,eax
00406764 |.E8 192F0200 call FileTree.00429682
00406769 |.8DBB 88000000 lea edi,dword ptr ds:
0040676F |.BD 01000000 mov ebp,1
00406774 |.50 push eax
00406775 |.8BCF mov ecx,edi
00406777 |.89AC24 20010000 mov dword ptr ss:,ebp
0040677E |.E8 FDACFFFF call FileTree.00401480
00406783 |.8B4424 1C mov eax,dword ptr ss: ;假码"9876543210"
00406787 |.83C0 F0 add eax,-10
0040678A |.C78424 1C010000 F>mov dword ptr ss:,-1
00406795 |.8D50 0C lea edx,dword ptr ds:
00406798 |.83C9 FF or ecx,FFFFFFFF
0040679B |.F0:0FC10A lock xadd dword ptr ds:,ecx
0040679F |.49 dec ecx
004067A0 |.85C9 test ecx,ecx
004067A2 |.7F 08 jg short FileTree.004067AC
004067A4 |.8B08 mov ecx,dword ptr ds:
004067A6 |.8B11 mov edx,dword ptr ds:
004067A8 |.50 push eax
004067A9 |.FF52 04 call dword ptr ds:
004067AC |>8B06 mov eax,dword ptr ds: ;用户名"hrbx"
004067AE |.8B40 F4 mov eax,dword ptr ds:
004067B1 |.3BC5 cmp eax,ebp
004067B3 |.894424 1C mov dword ptr ss:,eax
004067B7 0F8E F3020000 jle FileTree.00406AB0 ;用户名为空则Over
004067BD |.8B0F mov ecx,dword ptr ds: ;假码"9876543210"
004067BF |.3969 F4 cmp dword ptr ds:,ebp
004067C2 0F8E E8020000 jle FileTree.00406AB0 ;假码为空则Over
004067C8 |.8B06 mov eax,dword ptr ds:
004067CA |.8B48 F4 mov ecx,dword ptr ds:
004067CD |.85C9 test ecx,ecx
004067CF |.7D 0A jge short FileTree.004067DB
004067D1 |.68 57000780 push 80070057
004067D6 |.E8 35A8FFFF call FileTree.00401010
004067DB |>8A10 mov dl,byte ptr ds:
004067DD |.8B06 mov eax,dword ptr ds:
004067DF |.3968 F4 cmp dword ptr ds:,ebp
004067E2 7D 0A jge short FileTree.004067EE
004067E4 |.68 57000780 push 80070057
004067E9 |.E8 22A8FFFF call FileTree.00401010
004067EE |>8A40 01 mov al,byte ptr ds:
004067F1 |.884424 12 mov byte ptr ss:,al
004067F5 |.8B06 mov eax,dword ptr ds:
004067F7 |.8B48 F4 mov ecx,dword ptr ds:
004067FA |.85C9 test ecx,ecx
004067FC |.7D 0A jge short FileTree.00406808
004067FE |.68 57000780 push 80070057
00406803 |.E8 08A8FFFF call FileTree.00401010
00406808 |>8B0E mov ecx,dword ptr ds: ;用户名"hrbx"
0040680A |.8A18 mov bl,byte ptr ds:
0040680C |.3969 F4 cmp dword ptr ds:,ebp
0040680F 7D 0A jge short FileTree.0040681B
00406811 |.68 57000780 push 80070057
00406816 |.E8 F5A7FFFF call FileTree.00401010 ; 以下对用户名进行运算,与"Register"按钮过程相同,分析略
0040681B |>0FB6C2 movzx eax,dl ; 用户名第1位字符的ASCII值,DL=0x68("h")
0040681E |.83C8 45 or eax,45 ; EAX=EAX or 0x45
00406821 |.99 cdq
00406822 |.BD 0A000000 mov ebp,0A
00406827 |.F7FD idiv ebp
00406829 |.0FB64424 12 movzx eax,byte ptr ss:
0040682E |.83C8 42 or eax,42
00406831 |.885424 1A mov byte ptr ss:,dl
00406835 |.99 cdq
00406836 |.F7FD idiv ebp
00406838 |.0FB6C3 movzx eax,bl
0040683B |.83C8 43 or eax,43
0040683E |.8BDD mov ebx,ebp
00406840 |.885424 12 mov byte ptr ss:,dl
00406844 |.99 cdq
00406845 |.F7FB idiv ebx
00406847 |.0FB641 01 movzx eax,byte ptr ds:
0040684B |.83C8 44 or eax,44
0040684E |.8BCD mov ecx,ebp
00406850 |.885424 19 mov byte ptr ss:,dl
00406854 |.99 cdq
00406855 |.F7F9 idiv ecx
00406857 |.33C0 xor eax,eax
00406859 |.33C9 xor ecx,ecx
0040685B |.885424 18 mov byte ptr ss:,dl
0040685F |.8B5424 1C mov edx,dword ptr ss:
00406863 |.85D2 test edx,edx
00406865 |.7E 23 jle short FileTree.0040688A
00406867 |>85C9 /test ecx,ecx
00406869 |.0F8C D8000000 |jl FileTree.00406947
0040686F |.8B16 |mov edx,dword ptr ds:
00406871 |.3B4A F4 |cmp ecx,dword ptr ds:
00406874 |.0F8F CD000000 |jg FileTree.00406947
0040687A |.0FB6140A |movzx edx,byte ptr ds:
0040687E |.03C2 |add eax,edx
00406880 |.8B16 |mov edx,dword ptr ds:
00406882 |.8B5A F4 |mov ebx,dword ptr ds:
00406885 |.41 |inc ecx
00406886 |.3BCB |cmp ecx,ebx
00406888 |.^ 7C DD \jl short FileTree.00406867
0040688A |>99 cdq
0040688B |.B9 0A000000 mov ecx,0A
00406890 |.F7F9 idiv ecx
00406892 |.8B07 mov eax,dword ptr ds:
00406894 |.8B48 F4 mov ecx,dword ptr ds:
00406897 |.85C9 test ecx,ecx
00406899 |.885424 15 mov byte ptr ss:,dl
0040689D |.7D 0A jge short FileTree.004068A9
0040689F |.68 57000780 push 80070057
004068A4 |.E8 67A7FFFF call FileTree.00401010
004068A9 |>8A18 mov bl,byte ptr ds:
004068AB |.8B0F mov ecx,dword ptr ds:
004068AD |.8379 F4 01 cmp dword ptr ds:,1
004068B1 |.885C24 1B mov byte ptr ss:,bl
004068B5 |.7D 0A jge short FileTree.004068C1
004068B7 |.68 57000780 push 80070057
004068BC E8 4FA7FFFF call FileTree.00401010
004068C1 |>8B37 mov esi,dword ptr ds:
004068C3 |.8B6E F4 mov ebp,dword ptr ds:
004068C6 |.83FD 02 cmp ebp,2
004068C9 |.8A51 01 mov dl,byte ptr ds:
004068CC |.885424 13 mov byte ptr ss:,dl
004068D0 |.7D 0A jge short FileTree.004068DC
004068D2 |.68 57000780 push 80070057
004068D7 E8 34A7FFFF call FileTree.00401010
004068DC |>8A46 02 mov al,byte ptr ds:
004068DF |.8B37 mov esi,dword ptr ds:
004068E1 |.884424 14 mov byte ptr ss:,al
004068E5 |.837E F4 03 cmp dword ptr ds:,3
004068E9 |.7D 0A jge short FileTree.004068F5
004068EB |.68 57000780 push 80070057
004068F0 |.E8 1BA7FFFF call FileTree.00401010
004068F5 |>8A56 03 mov dl,byte ptr ds:
004068F8 |.8B37 mov esi,dword ptr ds:
004068FA |.837E F4 04 cmp dword ptr ds:,4
004068FE |.7D 0A jge short FileTree.0040690A
00406900 |.68 57000780 push 80070057
00406905 |.E8 06A7FFFF call FileTree.00401010
0040690A |>8A4E 04 mov cl,byte ptr ds:
0040690D |.8B37 mov esi,dword ptr ds:
0040690F |.837E F4 05 cmp dword ptr ds:,5
00406913 |.7D 0A jge short FileTree.0040691F
00406915 |.68 57000780 push 80070057
0040691A |.E8 F1A6FFFF call FileTree.00401010
0040691F |>8A46 05 mov al,byte ptr ds:
00406922 |.8B37 mov esi,dword ptr ds:
00406924 |.884424 16 mov byte ptr ss:,al
00406928 |.837E F4 06 cmp dword ptr ds:,6
0040692C |.7D 0A jge short FileTree.00406938
0040692E |.68 57000780 push 80070057
00406933 |.E8 D8A6FFFF call FileTree.00401010
00406938 |>8A46 06 mov al,byte ptr ds:
0040693B |.8B3F mov edi,dword ptr ds:
0040693D |.884424 17 mov byte ptr ss:,al
00406941 |.837F F4 07 cmp dword ptr ds:,7
00406945 |.7D 0A jge short FileTree.00406951
00406947 |>68 57000780 push 80070057
0040694C |.E8 BFA6FFFF call FileTree.00401010
00406951 |>8A47 07 mov al,byte ptr ds:
00406954 |.0FB67C24 1A movzx edi,byte ptr ss:
00406959 |.0FB6F3 movzx esi,bl
0040695C |.83EE 30 sub esi,30
0040695F |.3BFE cmp edi,esi
00406961 |.75 44 jnz short FileTree.004069A7
00406963 |.0FB67424 13 movzx esi,byte ptr ss:
00406968 |.0FB67C24 12 movzx edi,byte ptr ss:
0040696D |.83EE 30 sub esi,30
00406970 |.3BFE cmp edi,esi
00406972 |.75 2F jnz short FileTree.004069A3
00406974 |.0FB67424 14 movzx esi,byte ptr ss:
00406979 |.0FB67C24 19 movzx edi,byte ptr ss:
0040697E |.83EE 30 sub esi,30
00406981 |.3BFE cmp edi,esi
00406983 |.75 1E jnz short FileTree.004069A3
00406985 |.0FB67C24 18 movzx edi,byte ptr ss:
0040698A |.0FB6F2 movzx esi,dl
0040698D |.83EE 30 sub esi,30
00406990 |.3BFE cmp edi,esi
00406992 |.75 0F jnz short FileTree.004069A3
00406994 |.0FB67C24 15 movzx edi,byte ptr ss:
00406999 |.0FB6F1 movzx esi,cl
0040699C |.83EE 30 sub esi,30
0040699F |.3BFE cmp edi,esi
004069A1 |.74 32 je short FileTree.004069D5
004069A3 |>8A5C24 1B mov bl,byte ptr ss:
004069A7 |>80FB 38 cmp bl,38
004069AA |.75 78 jnz short FileTree.00406A24
004069AC |.807C24 13 33 cmp byte ptr ss:,33
004069B1 |.75 71 jnz short FileTree.00406A24
004069B3 |.807C24 14 39 cmp byte ptr ss:,39
004069B8 |.75 6A jnz short FileTree.00406A24
004069BA |.80FA 31 cmp dl,31
004069BD |.75 65 jnz short FileTree.00406A24
004069BF |.80F9 33 cmp cl,33
004069C2 |.75 60 jnz short FileTree.00406A24
004069C4 |.385424 16 cmp byte ptr ss:,dl
004069C8 |.75 5A jnz short FileTree.00406A24
004069CA |.807C24 17 34 cmp byte ptr ss:,34
004069CF |.75 53 jnz short FileTree.00406A24
004069D1 |.3C 36 cmp al,36
004069D3 |.75 4F jnz short FileTree.00406A24
004069D5 |>8B4C24 20 mov ecx,dword ptr ss:
004069D9 |.C781 8C000000 010>mov dword ptr ds:,1
004069E3 |.E8 C02A0200 call FileTree.004294A8
004069E8 |.8B40 04 mov eax,dword ptr ds:
004069EB |.68 65F64200 push FileTree.0042F665
004069F0 |.68 F4FD4200 push FileTree.0042FDF4 ; username,
004069F5 |.68 ECFD4200 push FileTree.0042FDEC ; option
004069FA |.8BC8 mov ecx,eax
004069FC |.E8 421A0200 call FileTree.00428443 ; 删除注册表中的用户名数据
00406A01 |.E8 A22A0200 call FileTree.004294A8
00406A06 |.8B40 04 mov eax,dword ptr ds:
00406A09 |.68 65F64200 push FileTree.0042F665
00406A0E |.68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00406A13 |.68 ECFD4200 push FileTree.0042FDEC ; option
00406A18 |.8BC8 mov ecx,eax
00406A1A |.E8 241A0200 call FileTree.00428443 ; 删除注册表中的注册码数据
00406A1F |.E9 AE010000 jmp FileTree.00406BD2
00406A24 6A 00 push 0 ;注册码都不符合上面运算则跳到这里
00406A26 |.8D4C24 28 lea ecx,dword ptr ss:
00406A2A |.E8 510C0000 call FileTree.00407680 ;关键CALL-1,F7进入
00406A2F |.8D4C24 24 lea ecx,dword ptr ss:
00406A33 |.C78424 1C010000 0>mov dword ptr ss:,2
00406A3E |.E8 E3A10100 call FileTree.00420C26 ;关键CALL-2,F7进入
00406A43 |.83F8 01 cmp eax,1
00406A46 |.75 5F jnz short FileTree.00406AA7
00406A48 |.8B5424 20 mov edx,dword ptr ss:
00406A4C |.8982 8C000000 mov dword ptr ds:,eax
00406A52 |.E8 512A0200 call FileTree.004294A8
00406A57 |.8B40 04 mov eax,dword ptr ds:
00406A5A |.68 65F64200 push FileTree.0042F665
00406A5F |.68 F4FD4200 push FileTree.0042FDF4 ; username
00406A64 |.68 ECFD4200 push FileTree.0042FDEC ; option
00406A69 |.8BC8 mov ecx,eax
00406A6B |.E8 D3190200 call FileTree.00428443
00406A70 |.E8 332A0200 call FileTree.004294A8
00406A75 |.8B40 04 mov eax,dword ptr ds:
00406A78 |.68 65F64200 push FileTree.0042F665
00406A7D |.68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00406A82 |.68 ECFD4200 push FileTree.0042FDEC ; option
00406A87 |.8BC8 mov ecx,eax
00406A89 |.E8 B5190200 call FileTree.00428443
00406A8E |.8D4C24 24 lea ecx,dword ptr ss:
00406A92 |.C78424 1C010000 F>mov dword ptr ss:,-1
00406A9D |.E8 9EFAFFFF call FileTree.00406540
00406AA2 |.E9 2B010000 jmp FileTree.00406BD2
00406AA7 |>8D4C24 24 lea ecx,dword ptr ss:
00406AAB |.E9 90000000 jmp FileTree.00406B40
00406AB0 |>6A 00 push 0
00406AB2 |.8D8C24 A0000000 lea ecx,dword ptr ss:
00406AB9 |.E8 C20B0000 call FileTree.00407680
00406ABE |.8D8C24 9C000000 lea ecx,dword ptr ss:
00406AC5 |.C78424 1C010000 0>mov dword ptr ss:,3
00406AD0 |.E8 51A10100 call FileTree.00420C26
00406AD5 |.3BC5 cmp eax,ebp
00406AD7 |.75 60 jnz short FileTree.00406B39
00406AD9 |.89AB 8C000000 mov dword ptr ds:,ebp
00406ADF |.E8 C4290200 call FileTree.004294A8
00406AE4 |.8B40 04 mov eax,dword ptr ds:
00406AE7 |.68 65F64200 push FileTree.0042F665
00406AEC |.68 F4FD4200 push FileTree.0042FDF4
00406AF1 |.68 ECFD4200 push FileTree.0042FDEC
00406AF6 |.8BC8 mov ecx,eax
00406AF8 |.E8 46190200 call FileTree.00428443
00406AFD |.E8 A6290200 call FileTree.004294A8
00406B02 |.8B40 04 mov eax,dword ptr ds:
00406B05 |.68 65F64200 push FileTree.0042F665
00406B0A |.68 D8FD4200 push FileTree.0042FDD8
00406B0F |.68 ECFD4200 push FileTree.0042FDEC
00406B14 |.8BC8 mov ecx,eax
00406B16 |.E8 28190200 call FileTree.00428443
00406B1B |.8D8C24 9C000000 lea ecx,dword ptr ss:
00406B22 |.C78424 1C010000 F>mov dword ptr ss:,-1
00406B2D |.E8 0EFAFFFF call FileTree.00406540
00406B32 |.8BC5 mov eax,ebp
00406B34 |.E9 9E000000 jmp FileTree.00406BD7
00406B39 |>8D8C24 9C000000 lea ecx,dword ptr ss:
00406B40 |>C78424 1C010000 F>mov dword ptr ss:,-1
00406B4B |.E8 F0F9FFFF call FileTree.00406540
00406B50 |.6A 00 push 0
00406B52 |.E8 BAB70000 call FileTree.00412311
00406B57 |.83C4 04 add esp,4
00406B5A |.8BF0 mov esi,eax
00406B5C |.8BDA mov ebx,edx
00406B5E |.E8 45290200 call FileTree.004294A8
00406B63 |.8B40 04 mov eax,dword ptr ds:
00406B66 |.56 push esi
00406B67 |.68 D4FD4200 push FileTree.0042FDD4 ;t
00406B6C |.68 CCFD4200 push FileTree.0042FDCC ;setup
00406B71 |.8BC8 mov ecx,eax
00406B73 |.E8 A12A0200 call FileTree.00429619
00406B78 |.99 cdq
00406B79 |.8BF8 mov edi,eax
00406B7B |.3BFE cmp edi,esi ;检查注册表中是否有"setup"项
00406B7D |.8BEA mov ebp,edx
00406B7F |.75 1E jnz short FileTree.00406B9F ;有则跳
00406B81 |.3BEB cmp ebp,ebx
00406B83 |.75 1A jnz short FileTree.00406B9F ;有则跳
00406B85 |.E8 1E290200 call FileTree.004294A8
00406B8A |.8B40 04 mov eax,dword ptr ds:
00406B8D |.56 push esi ; /Arg3
00406B8E |.68 D4FD4200 push FileTree.0042FDD4 ; |t
00406B93 |.68 CCFD4200 push FileTree.0042FDCC ; |setup
00406B98 |.8BC8 mov ecx,eax ; |
00406B9A |.E8 22180200 call FileTree.004283C1 ; \FileTree.004283C1
00406B9F |>8BCF mov ecx,edi
00406BA1 |.81C1 008D2700 add ecx,278D00
00406BA7 |.8BC5 mov eax,ebp
00406BA9 |.83D0 00 adc eax,0
00406BAC |.3BC3 cmp eax,ebx ;比较软件是否已到30天试用期
00406BAE 7F 18 jg short FileTree.00406BC8
00406BB0 |.7C 04 jl short FileTree.00406BB6
00406BB2 |.3BCE cmp ecx,esi
00406BB4 |.73 12 jnb short FileTree.00406BC8
00406BB6 |>6A 00 push 0
00406BB8 |.6A 00 push 0
00406BBA |.68 98FD4200 push FileTree.0042FD98 ;this trial version has expired! please register.
00406BBF |.E8 1F1B0200 call FileTree.004286E3
00406BC4 |.33C0 xor eax,eax
00406BC6 |.EB 0F jmp short FileTree.00406BD7
00406BC8 |>3BDD cmp ebx,ebp
00406BCA |.7F 06 jg short FileTree.00406BD2
00406BCC |.^ 7C E8 jl short FileTree.00406BB6
00406BCE |.3BF7 cmp esi,edi
00406BD0 |.^ 72 E4 jb short FileTree.00406BB6
00406BD2 B8 01000000 mov eax,1 ;将标志位EAX置为1,暴破关键点
00406BD7 |>8B8C24 14010000 mov ecx,dword ptr ss:
00406BDE |.5D pop ebp
00406BDF |.5F pop edi
00406BE0 |.5E pop esi
00406BE1 |.5B pop ebx
00406BE2 |.64:890D 00000000mov dword ptr fs:,ecx
00406BE9 |.81C4 10010000 add esp,110
00406BEF \.C3 retn
F7进入00406A2A处的关键CALL-1,来到:
00407680 /$6A FF push -1
00407682 |.68 3EDC4200 push FileTree.0042DC3E ;SE 句柄安装
00407687 |.64:A1 00000000 mov eax,dword ptr fs:
0040768D |.50 push eax
0040768E |.64:8925 00000000mov dword ptr fs:,esp
00407695 |.51 push ecx
00407696 |.8B4424 14 mov eax,dword ptr ss:
0040769A |.55 push ebp
0040769B |.56 push esi
0040769C |.57 push edi
0040769D |.50 push eax
0040769E |.8BF1 mov esi,ecx
004076A0 |.68 82000000 push 82 ;常数,0x82,下个CALL中要用到
004076A5 |.897424 14 mov dword ptr ss:,esi
004076A9 |.E8 EC8E0100 call FileTree.0042059A
004076AE |.C74424 18 0000000>mov dword ptr ss:,0
004076B6 |.C706 50FF4200 mov dword ptr ds:,FileTree.004>
004076BC |.8D7E 70 lea edi,dword ptr ds:
004076BF |.E8 41980100 call FileTree.00420F05
004076C4 |.8B10 mov edx,dword ptr ds:
004076C6 |.8BC8 mov ecx,eax
004076C8 |.FF52 0C call dword ptr ds:
004076CB |.83C0 10 add eax,10
004076CE |.8907 mov dword ptr ds:,eax
004076D0 |.C64424 18 01 mov byte ptr ss:,1
004076D5 |.8D6E 74 lea ebp,dword ptr ds:
004076D8 |.E8 28980100 call FileTree.00420F05
004076DD |.8B10 mov edx,dword ptr ds:
004076DF |.8BC8 mov ecx,eax
004076E1 |.FF52 0C call dword ptr ds:
004076E4 |.83C0 10 add eax,10
004076E7 |.8945 00 mov dword ptr ss:,eax
004076EA |.C64424 18 02 mov byte ptr ss:,2
004076EF |.E8 B41D0200 call FileTree.004294A8
004076F4 |.8B40 04 mov eax,dword ptr ds:
004076F7 |.68 65F64200 push FileTree.0042F665
004076FC |.68 F4FD4200 push FileTree.0042FDF4 ;username
00407701 |.68 ECFD4200 push FileTree.0042FDEC ;option
00407706 |.8D4C24 2C lea ecx,dword ptr ss:
0040770A |.51 push ecx
0040770B |.8BC8 mov ecx,eax
0040770D |.E8 701F0200 call FileTree.00429682
00407712 |.50 push eax
00407713 |.8BCF mov ecx,edi
00407715 |.C64424 1C 03 mov byte ptr ss:,3
0040771A |.E8 619DFFFF call FileTree.00401480
0040771F |.8B4424 20 mov eax,dword ptr ss: ;用户名"hrbx"
00407723 |.83C0 F0 add eax,-10
00407726 |.C64424 18 02 mov byte ptr ss:,2
0040772B |.8D50 0C lea edx,dword ptr ds:
0040772E |.83C9 FF or ecx,FFFFFFFF
00407731 |.F0:0FC10A lock xadd dword ptr ds:,ecx
00407735 |.49 dec ecx
00407736 |.85C9 test ecx,ecx
00407738 |.7F 08 jg short FileTree.00407742
0040773A |.8B08 mov ecx,dword ptr ds:
0040773C |.8B11 mov edx,dword ptr ds:
0040773E |.50 push eax
0040773F |.FF52 04 call dword ptr ds:
00407742 |>E8 611D0200 call FileTree.004294A8
00407747 |.8B40 04 mov eax,dword ptr ds:
0040774A |.68 65F64200 push FileTree.0042F665
0040774F |.68 D8FD4200 push FileTree.0042FDD8 ;registration_code
00407754 |.68 ECFD4200 push FileTree.0042FDEC ;option
00407759 |.8D4C24 2C lea ecx,dword ptr ss:
0040775D |.51 push ecx
0040775E |.8BC8 mov ecx,eax
00407760 |.E8 1D1F0200 call FileTree.00429682
00407765 |.50 push eax
00407766 |.8BCD mov ecx,ebp
00407768 |.C64424 1C 04 mov byte ptr ss:,4
0040776D |.E8 0E9DFFFF call FileTree.00401480
00407772 |.8B4424 20 mov eax,dword ptr ss: ;假码"9876543210"
00407776 |.83C0 F0 add eax,-10
00407779 |.C64424 18 02 mov byte ptr ss:,2
0040777E |.8D50 0C lea edx,dword ptr ds:
00407781 |.83C9 FF or ecx,FFFFFFFF
00407784 |.F0:0FC10A lock xadd dword ptr ds:,ecx
00407788 |.49 dec ecx
00407789 |.85C9 test ecx,ecx
0040778B |.7F 08 jg short FileTree.00407795
0040778D |.8B08 mov ecx,dword ptr ds:
0040778F |.8B11 mov edx,dword ptr ds:
00407791 |.50 push eax
00407792 |.FF52 04 call dword ptr ds:
00407795 |>8B4C24 10 mov ecx,dword ptr ss:
00407799 |.5F pop edi
0040779A |.8BC6 mov eax,esi
0040779C |.5E pop esi
0040779D |.5D pop ebp
0040779E |.64:890D 00000000mov dword ptr fs:,ecx
004077A5 |.83C4 10 add esp,10
004077A8 \.C2 0400 retn 4
F7进入00406A3E处的关键CALL-2,来到:
00420C26 $B8 E0DC4200 mov eax,FileTree.0042DCE0
00420C2B .E8 C02BFFFF call FileTree.004137F0
00420C30 .83EC 18 sub esp,18
00420C33 .53 push ebx
00420C34 .56 push esi
00420C35 .8BF1 mov esi,ecx
00420C37 .8B46 58 mov eax,dword ptr ds:
00420C3A .8B5E 5C mov ebx,dword ptr ds:
00420C3D .57 push edi
00420C3E .8965 F0 mov dword ptr ss:,esp
00420C41 .8975 E4 mov dword ptr ss:,esi
00420C44 .8945 E8 mov dword ptr ss:,eax
00420C47 .E8 5C880000 call FileTree.004294A8
00420C4C 837E 54 00 cmp dword ptr ds:,0 ;ds:=82,上个CALL中的常数0x82
00420C50 8B78 0C mov edi,dword ptr ds:
00420C53 74 1F je short FileTree.00420C74 ;不跳则Over
00420C55 .E8 4E880000 call FileTree.004294A8
00420C5A .8B78 0C mov edi,dword ptr ds:
00420C5D .6A 05 push 5 ; /ResourceType = RT_DIALOG
00420C5F .FF76 54 push dword ptr ds: ; |ResourceName
00420C62 .57 push edi ; |hModule
00420C63 .FF15 98F24200 call dword ptr ds:[<&KERNEL32.FindResourceA>]; \FindResourceA
00420C69 .50 push eax ; /hResource
00420C6A .57 push edi ; |hModule
00420C6B .FF15 9CF24200 call dword ptr ds:[<&KERNEL32.LoadResource>] ; \LoadResource
00420C71 .8945 E8 mov dword ptr ss:,eax
00420C74 >837D E8 00 cmp dword ptr ss:,0
00420C78 .74 0B je short FileTree.00420C85
00420C7A .FF75 E8 push dword ptr ss: ; /nHandles
00420C7D .FF15 A0F24200 call dword ptr ds:[<&KERNEL32.LockResource>] ; \SetHandleCount
00420C83 .8BD8 mov ebx,eax
00420C85 >85DB test ebx,ebx
00420C87 .75 08 jnz short FileTree.00420C91
00420C89 .83C8 FF or eax,FFFFFFFF
00420C8C .E9 03010000 jmp FileTree.00420D94
00420C91 >8BCE mov ecx,esi
00420C93 .E8 CEFAFFFF call FileTree.00420766
00420C98 .8945 EC mov dword ptr ss:,eax
00420C9B .E8 94210000 call FileTree.00422E34
00420CA0 .8365 E0 00 and dword ptr ss:,0
00420CA4 .837D EC 00 cmp dword ptr ss:,0
00420CA8 .74 2A je short FileTree.00420CD4
00420CAA .FF15 F0F44200 call dword ptr ds:[<&USER32.GetDesktopWindow>] ; [GetDesktopWindow
00420CB0 .3945 EC cmp dword ptr ss:,eax
00420CB3 .74 1F je short FileTree.00420CD4
00420CB5 .FF75 EC push dword ptr ss: ; /hWnd
00420CB8 .FF15 D0F44200 call dword ptr ds:[<&USER32.IsWindowEnabled>]; \IsWindowEnabled
00420CBE .85C0 test eax,eax
00420CC0 .74 12 je short FileTree.00420CD4
00420CC2 6A 00 push 0
00420CC4 .FF75 EC push dword ptr ss: ; |hWnd
00420CC7 .FF15 44F44200 call dword ptr ds:[<&USER32.EnableWindow>] ; \EnableWindow
00420CCD .C745 E0 01000000mov dword ptr ss:,1
00420CD4 >8365 FC 00 and dword ptr ss:,0
00420CD8 .56 push esi
00420CD9 .E8 A1330000 call FileTree.0042407F
00420CDE .FF75 EC push dword ptr ss:
00420CE1 .E8 A6200000 call FileTree.00422D8C
00420CE6 .57 push edi
00420CE7 .50 push eax
00420CE8 .53 push ebx
00420CE9 .8BCE mov ecx,esi
00420CEB .E8 29FDFFFF call FileTree.00420A19
00420CF0 .33DB xor ebx,ebx
00420CF2 .3BC3 cmp eax,ebx
00420CF4 74 52 je short FileTree.00420D48
00420CF6 .F646 38 10 test byte ptr ds:,10
00420CFA .74 1A je short FileTree.00420D16
00420CFC .6A 04 push 4
00420CFE .5F pop edi
00420CFF .8BCE mov ecx,esi
00420D01 .E8 BC040000 call FileTree.004211C2
00420D06 .F6C4 01 test ah,1
00420D09 .74 03 je short FileTree.00420D0E
00420D0B .6A 05 push 5
00420D0D .5F pop edi
00420D0E >57 push edi ; /Arg1
00420D0F .8BCE mov ecx,esi ; |
00420D11 .E8 1A1B0000 call FileTree.00422830 ; \FileTree.00422830
00420D16 >395E 1C cmp dword ptr ds:,ebx
00420D19 .74 2D je short FileTree.00420D48
00420D1B .68 97000000 push 97 ; /Arg6 = 00000097
00420D20 .53 push ebx ; |Arg5
00420D21 .53 push ebx ; |Arg4
00420D22 .53 push ebx ; |Arg3
00420D23 .53 push ebx ; |Arg2
00420D24 .53 push ebx ; |Arg1
00420D25 .8BCE mov ecx,esi ; |
00420D27 .E8 70060000 call FileTree.0042139C ; \FileTree.0042139C
00420D2C .EB 1A jmp short FileTree.00420D48
00420D2E .8B4D DC mov ecx,dword ptr ss:
00420D31 .E8 3D010000 call FileTree.00420E73
00420D36 .8B45 E4 mov eax,dword ptr ss:
00420D39 .8348 40 FF or dword ptr ds:,FFFFFFFF
00420D3D .B8 430D4200 mov eax,FileTree.00420D43
00420D42 .C3 retn
00420D43 .8B75 E4 mov esi,dword ptr ss:
00420D46 .33DB xor ebx,ebx
00420D48 >834D FC FF or dword ptr ss:,FFFFFFFF
00420D4C .395D E0 cmp dword ptr ss:,ebx
00420D4F .74 0B je short FileTree.00420D5C
00420D51 .6A 01 push 1 ; /Enable = TRUE
00420D53 .FF75 EC push dword ptr ss: ; |hWnd
00420D56 .FF15 44F44200 call dword ptr ds:[<&USER32.EnableWindow>] ; \EnableWindow
00420D5C >395D EC cmp dword ptr ss:,ebx
00420D5F .74 14 je short FileTree.00420D75
00420D61 .FF15 ECF44200 call dword ptr ds:[<&USER32.GetActiveWindow>]; [GetActiveWindow
00420D67 .3B46 1C cmp eax,dword ptr ds:
00420D6A .75 09 jnz short FileTree.00420D75
00420D6C .FF75 EC push dword ptr ss: ; /hWnd
00420D6F .FF15 E8F44200 call dword ptr ds:[<&USER32.SetActiveWindow>]; \SetActiveWindow
00420D75 >8B06 mov eax,dword ptr ds:
00420D77 .8BCE mov ecx,esi
00420D79 .FF50 60 call dword ptr ds:
00420D7C .8BCE mov ecx,esi
00420D7E .E8 1DFAFFFF call FileTree.004207A0
00420D83 .395E 54 cmp dword ptr ds:,ebx
00420D86 .74 09 je short FileTree.00420D91
00420D88 .FF75 E8 push dword ptr ss: ; /hResource
00420D8B .FF15 64F24200 call dword ptr ds:[<&KERNEL32.FreeResource>] ; \FreeResource
00420D91 >8B46 40 mov eax,dword ptr ds:
00420D94 >8B4D F4 mov ecx,dword ptr ss:
00420D97 .5F pop edi
00420D98 .5E pop esi
00420D99 .64:890D 00000000mov dword ptr fs:,ecx
00420DA0 .5B pop ebx
00420DA1 .C9 leave
00420DA2 .C3 retn
-----------------------------------------------------------------------------------------------
【破解总结】
1.程序注册时取用户名进行运算或者固定码"83913146",与注册码进行比较,相等则弹出注册成功提示:"registration has succeeded!"
并将注册信息信息保存入注册表中。但是当程序弹出主界面时,又将注册表中的信息清空!
2.没找到程序真正的算法部分,只好暴破。由于成功注册的话,程序会在00406BD2处将EAX置为1,所以只要EAX为1即可注册成功。
注册信息保存在(暴破的话只有第3项):
"username"=""
"registration_code"=""
暴破更改以下位置:
00406670 push -1 ;push -1 ===================> mov eax,1
00406672 push FileTree.0042DB4C ;push FileTree.0042DB4C=====> retn
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 tigerisme 于 2006-8-26 20:57 编辑 ] 爆得精彩! 原帖由 飘云 于 2006-6-10 10:47 发表
爆得精彩!
哈哈。。。好爽呀!这个网站的软件再加这么一暴就完美啦!
之前的自校验看来见到光明咯。。。 向高手学习! 确实高手..厉害 搞了好久都没搞定,总算明白怎么回事了,谢谢楼主出的精品.
网上这个注册机满天飞,不知怎么做的,希望高手贴出 00406670 B8 01000000 mov eax,1 /改过后00406672已屏蔽
00406675 C3 retn /这儿ret 学习了
............... 高手的确厉害,,学习拉~~~ 包括爆破的,好象也逃不出10个文件的目录限制?
页:
[1]
2