某文件打包软件的注册算法分析实录及机器码生成过程揭秘
本帖最后由 GGLHY 于 2011-1-20 16:25 编辑某软件的注册算法分析及机器码生成过程揭秘
注:本文仅仅只对注册时的算法进行分析,关于重启验证则有机会的话另找时间单列!
为方便理解,特事先说明下:
该软件本身的注册,设为功能A。同时,还有对软件用户进行计算注册码的功能,设为功能B。而软件对于功能A和B的判断标志保存在局部变量这里。
功能B的注册流程大同小异。我们就选择功能A的注册流程为例子来进行分析吧。
软件给出的机器码:619b8367,我们输入注册信息:
用户名:gglhy
假码:15987530
一、软件注册算法分析
功能A:(软件本身的注册)
////////////////////////////////////////////////////////////////////////////////////////////////////////
我们直接来到这里:
00404AF0 .6A FF PUSH -1
00404AF2 .68 B0234500 PUSH FilePack.004523B0 ;SE 处理程序安装
00404AF7 .64:A1 0000000>MOV EAX,DWORD PTR FS:
00404AFD .50 PUSH EAX
00404AFE .64:8925 00000>MOV DWORD PTR FS:,ESP
00404B05 .83EC 1C SUB ESP,1C
00404B08 .53 PUSH EBX
00404B09 .55 PUSH EBP
00404B0A .56 PUSH ESI
00404B0B .8BF1 MOV ESI,ECX
00404B0D .57 PUSH EDI
00404B0E .68 48814600 PUSH FilePack.00468148 ;ASCII "GetUserName ()"
00404B13 .8D4C24 14 LEA ECX,DWORD PTR SS:
00404B17 .E8 2B460400 CALL FilePack.00449147 ;这个CALL是判断当前流程是功能A还是功能B的。不同的功能对下面的有不同的标记。(功能A时为0000001),(功能B为00000000)
00404B1C .8B86 A0070000 MOV EAX,DWORD PTR DS: ;///这个其实是判断对软件自身注册(功能A)还是对软件用户(功能B)计算注册码的变量!
00404B22 .33DB XOR EBX,EBX ;这里EBX清零了!!!
00404B24 .3BC3 CMP EAX,EBX ;可看作(功能A或B)标志位的比较。
00404B26 .895C24 34 MOV DWORD PTR SS:,EBX
00404B2A .74 0E JE SHORT FilePack.00404B3A
00404B2C .68 58814600 PUSH FilePack.00468158 ;ASCII "GoodMan"
00404B31 .8D4C24 14 LEA ECX,DWORD PTR SS:
00404B35 .E8 28470400 CALL FilePack.00449262
00404B3A >8D4424 1C LEA EAX,DWORD PTR SS:
00404B3E .50 PUSH EAX
00404B3F .E8 BC280000 CALL FilePack.00407400
00404B44 .83C4 04 ADD ESP,4
00404B47 .50 PUSH EAX
00404B48 .8D4C24 14 LEA ECX,DWORD PTR SS:
00404B4C .C64424 38 01MOV BYTE PTR SS:,1
00404B51 .E8 9B490400 CALL FilePack.004494F1
00404B56 .8D4C24 1C LEA ECX,DWORD PTR SS:
00404B5A .885C24 34 MOV BYTE PTR SS:,BL
00404B5E .E8 76450400 CALL FilePack.004490D9
00404B63 .6A 01 PUSH 1
00404B65 .8BCE MOV ECX,ESI
00404B67 .E8 31310400 CALL FilePack.00447C9D
00404B6C .8B8E 9C070000 MOV ECX,DWORD PTR DS: ;用户名gglhy
00404B72 .8DBE 9C070000 LEA EDI,DWORD PTR DS:
00404B78 .3959 F8 CMP DWORD PTR DS:,EBX ;用户名长度与0比较,即是否输入了用户名
00404B7B .75 0B JNZ SHORT FilePack.00404B88 ;用户名如果为空,则读取机器码进行运算
00404B7D .8B96 94070000 MOV EDX,DWORD PTR DS: ;机器码到EDX
00404B83 .395A F8 CMP DWORD PTR DS:,EBX ;机器码长度与0比较,即机器码否为空
00404B86 .74 1B JE SHORT FilePack.00404BA3 ;机器码为空则跳
00404B88 >8B86 98070000 MOV EAX,DWORD PTR DS: ;假码15987530到EAX
00404B8E .3958 F8 CMP DWORD PTR DS:,EBX ;假码长度与0比较,即假码否为空
00404B91 .0F85 9A000000 JNZ FilePack.00404C31
00404B97 .399E A0070000 CMP DWORD PTR DS:,EBX ;///功能A或B判断的标志,功能B时则下面跳转成立
00404B9D .0F84 8E000000 JE FilePack.00404C31
00404BA3 >8B0D 30A84600 MOV ECX,DWORD PTR DS: ;FilePack.0046A844
00404BA9 .894C24 14 MOV DWORD PTR SS:,ECX
(省略部分代码)
00404BE5 .6A 30 PUSH 30
00404BE7 .53 PUSH EBX
00404BE8 .50 PUSH EAX
00404BE9 .8BCE MOV ECX,ESI
00404BEB .C64424 40 1CMOV BYTE PTR SS:,1C
00404BF0 .E8 4C290400 CALL FilePack.00447541 ;请重新输入!
(省略部分代码)
00404C2C .E9 06040000 JMP FilePack.00405037
00404C31 >8B8E A0070000 MOV ECX,DWORD PTR DS: ;《==关键点(软件功能A或B的变量)
00404C37 .F7D9 NEG ECX
00404C39 .1BC9 SBB ECX,ECX
00404C3B .83E1 EE AND ECX,FFFFFFEE
00404C3E .81C1 D3000000 ADD ECX,0D3 ;功能A时为 + 0D3H(211);功能B时为0+D3H。相当于常数了
00404C44 .51 PUSH ECX
00404C45 .51 PUSH ECX
00404C46 .8BCC MOV ECX,ESP
00404C48 .896424 28 MOV DWORD PTR SS:,ESP
00404C4C .57 PUSH EDI
00404C4D .E8 FC410400 CALL FilePack.00448E4E
00404C52 .51 PUSH ECX
00404C53 .8D5424 1C LEA EDX,DWORD PTR SS:
00404C57 .8BCC MOV ECX,ESP
00404C59 .896424 24 MOV DWORD PTR SS:,ESP
00404C5D .52 PUSH EDX
00404C5E .C64424 44 02MOV BYTE PTR SS:,2
00404C63 .E8 E6410400 CALL FilePack.00448E4E
00404C68 .8D4424 28 LEA EAX,DWORD PTR SS:
00404C6C .885C24 40 MOV BYTE PTR SS:,BL
00404C70 .50 PUSH EAX
00404C71 .E8 AA1B0000 CALL FilePack.00406820 ; 算法call,我们F7
00404C76 .83C4 10 ADD ESP,10
00404C79 .8DAE A8070000 LEA EBP,DWORD PTR DS:
00404C7F .50 PUSH EAX
00404C80 .8BCD MOV ECX,EBP
00404C82 .C64424 38 03MOV BYTE PTR SS:,3
00404C87 .E8 86450400 CALL FilePack.00449212
00404C8C .8D4C24 1C LEA ECX,DWORD PTR SS:
00404C90 .885C24 34 MOV BYTE PTR SS:,BL
00404C94 .E8 40440400 CALL FilePack.004490D9
00404C99 .399E A0070000 CMP DWORD PTR DS:,EBX ; 《==关键点(软件功能A或B的变量)
00404C9F .0F84 FC000000 JE FilePack.00404DA1 ;关键跳!
00404CA5 .8B86 A4070000 MOV EAX,DWORD PTR DS: ;F(机器码)=注册码方式得到的注册码
00404CAB .8B8E 98070000 MOV ECX,DWORD PTR DS: ;假码15987530
00404CB1 .50 PUSH EAX ; /Arg2
00404CB2 .51 PUSH ECX ; |Arg1
00404CB3 .E8 5EDD0200 CALL FilePack.00432A16 ; \FilePack.00432A16
00404CB8 .83C4 08 ADD ESP,8
00404CBB .85C0 TEST EAX,EAX
00404CBD .0F84 A9000000 JE FilePack.00404D6C ; F(机器码)=注册码方式的 关键跳!
00404CC3 .8B6D 00 MOV EBP,DWORD PTR SS: ; F(用户名)=注册码得到的 字符串N2
00404CC6 .8B86 98070000 MOV EAX,DWORD PTR DS: ;假码15987530
00404CCC .55 PUSH EBP ; /Arg2
00404CCD .50 PUSH EAX ; |Arg1
00404CCE .E8 43DD0200 CALL FilePack.00432A16 ; \FilePack.00432A16
00404CD3 .83C4 08 ADD ESP,8
00404CD6 .85C0 TEST EAX,EAX
00404CD8 .0F84 8E000000 JE FilePack.00404D6C ;F(用户名)=注册码方式的 关键跳!
(省略部分代码)
00404D22 .53 PUSH EBX
00404D23 .50 PUSH EAX
00404D24 .8BCE MOV ECX,ESI
00404D26 .C64424 40 07MOV BYTE PTR SS:,7
00404D2B .E8 11280400 CALL FilePack.00447541 ;出错了!
00404D30 .8D4C24 1C LEA ECX,DWORD PTR SS:
==========00404C71 .E8 AA1B0000 CALL FilePack.00406820 ;算法call,我们F7进入: ==========
00406820/$6A FF PUSH -1 ;局部调用来自 0040319C, 004034E3, 00403D8A, 00404C71, 00404E0F, 00404E66, 00404F80, 00404FD9
00406822|.68 57244500 PUSH FilePack.00452457 ;SE 处理程序安装
00406827|.64:A1 0000000>MOV EAX,DWORD PTR FS:
0040682D|.50 PUSH EAX
0040682E|.64:8925 00000>MOV DWORD PTR FS:,ESP
00406835|.83EC 14 SUB ESP,14
00406838|.53 PUSH EBX
00406839|.55 PUSH EBP
0040683A|.56 PUSH ESI
0040683B|.33F6 XOR ESI,ESI
0040683D|.57 PUSH EDI
0040683E|.897424 1C MOV DWORD PTR SS:,ESI
00406842|.BF 01000000 MOV EDI,1
00406847|.897C24 2C MOV DWORD PTR SS:,EDI
0040684B|.8B4C24 3C MOV ECX,DWORD PTR SS: ;用户名gglhy到ECX
0040684F|.8B4424 38 MOV EAX,DWORD PTR SS: ;右键跟随数值到数据窗口,(功能A)为“GoodMan未注册” ;功能B时是GetUserName ()未注册
00406853|.32DB XOR BL,BL
00406855|.8B51 F8 MOV EDX,DWORD PTR DS: ;用户名长度
00406858|.8B0D 30A84600 MOV ECX,DWORD PTR DS: ;FilePack.0046A844
0040685E|.8B68 F8 MOV EBP,DWORD PTR DS: ;其实是上面固定字符串的长度哦!大家数一下就明白了!
00406861|.895424 20 MOV DWORD PTR SS:,EDX ;用户名长度
00406865|.894C24 14 MOV DWORD PTR SS:,ECX
00406869|.894C24 10 MOV DWORD PTR SS:,ECX
0040686D|.894C24 18 MOV DWORD PTR SS:,ECX
00406871|.3BEE CMP EBP,ESI ;固定字符串的长度与0比较
00406873|.C64424 2C 05MOV BYTE PTR SS:,5 ;5
00406878|.0F84 37010000 JE FilePack.004069B5 ;固定字符串的长度与0比较,相等就跳
0040687E|.3BD6 CMP EDX,ESI ;用户名长度与0比较,相等就跳
00406880|.0F84 2F010000 JE FilePack.004069B5
00406886|.3BEE CMP EBP,ESI
00406888|.7E 64 JLE SHORT FilePack.004068EE
0040688A|.8B7C24 40 MOV EDI,DWORD PTR SS: ;[常数C1](功能B时是D3)
0040688E|.EB 08 JMP SHORT FilePack.00406898
00406890|>8B4424 38 /MOV EAX,DWORD PTR SS:
00406894|.8B5424 20 |MOV EDX,DWORD PTR SS:
00406898|>3BF2 CMP ESI,EDX ;循环计数器ESI:用户名长度
0040689A|.7D 20 |JGE SHORT FilePack.004068BC ;循环计数器ESI超过用户名长度时则跳
0040689C|.8B5424 3C |MOV EDX,DWORD PTR SS: ;用户名gglhy
004068A0|.8A0406 |MOV AL,BYTE PTR DS: ;依次取“GoodMan未注册”每一位的ASC到AL
004068A3|.0FBE0C16 |MOVSX ECX,BYTE PTR DS: ;用户名gglhy的每一位到EDX
004068A7|.0FBED0 |MOVSX EDX,AL ;AL扩展到EDX
004068AA|.03CA |ADD ECX,EDX ;ASC相加
004068AC|.8D4424 14 |LEA EAX,DWORD PTR SS:
004068B0|.0FAFCF |IMUL ECX,EDI ;相加的结果 * [常数C1]或(D3)
004068B3|.51 |PUSH ECX
004068B4|.68 80814600 |PUSH FilePack.00468180 ;ASCII "%X"
004068B9|.50 |PUSH EAX
004068BA|.EB 12 |JMP SHORT FilePack.004068CE
004068BC|>0FBE0C06 |MOVSX ECX,BYTE PTR DS: ;依次读取“GoodMan未注册”中超过用户名长度还未读取的ASC
004068C0|.0FAFCF |IMUL ECX,EDI ;还未读取的ASC *[常数C1]
004068C3|.51 |PUSH ECX
004068C4|.8D5424 18 |LEA EDX,DWORD PTR SS:
004068C8|.68 80814600 |PUSH FilePack.00468180 ;ASCII "%X"
004068CD|.52 |PUSH EDX
004068CE|>E8 7ECD0300 |CALL FilePack.00443651 ;这个CALL是将运算得到的数值转化为字符串形式
004068D3|.83C4 0C |ADD ESP,0C
004068D6|.8D4424 14 |LEA EAX,DWORD PTR SS:
004068DA|.8D4C24 10 |LEA ECX,DWORD PTR SS:
004068DE|.50 |PUSH EAX
004068DF|.E8 0D2C0400 |CALL FilePack.004494F1
004068E4|.46 |INC ESI
004068E5|.3BF5 |CMP ESI,EBP ;循环计数器:“GoodMan未注册”的长度Dh(13位);功能B时是20位
004068E7|.^ 7C A7 \JL SHORT FilePack.00406890 ;循环计数器未达到13(或20)位则继续循环
004068E9|.BF 01000000 MOV EDI,1 ;循环结束得到字符串: "832EA156A51B99CC9546492152EEFFFFDA4EFFFFC6B4FFFFE117FFFFB922FFFFC532FFFFE8A1",设为S1
004068EE|>68 68E84600 PUSH FilePack.0046E868 ; /Arg2 = 0046E868
004068F3|.68 7C814600 PUSH FilePack.0046817C ; |Arg1 = 0046817C ASCII "FF"
004068F8|.8D4C24 18 LEA ECX,DWORD PTR SS: ; |
004068FC|.E8 47C60300 CALL FilePack.00442F48 ; \这个CALL就是去掉S1中每2个相连为一组的"FF",结果设为Q
00406901|.8B4C24 10 MOV ECX,DWORD PTR SS: ;字符串Q的长度
00406905|.8B41 F8 MOV EAX,DWORD PTR DS: ;还是字符串Q的长度
00406908|.83F8 0C CMP EAX,0C ;与0C(12)比较?
0040690B|.7E 7F JLE SHORT FilePack.0040698C
0040690D|.48 DEC EAX ;-1
0040690E|.83F8 0C CMP EAX,0C
00406911|.7E 0B JLE SHORT FilePack.0040691E
00406913|>8A1408 /MOV DL,BYTE PTR DS: ;依次倒取Q的各位ASC
00406916|.02DA |ADD BL,DL
00406918|.48 |DEC EAX ;EAX是取字符串Q的计数器
00406919|.83F8 0C |CMP EAX,0C ;计数器与C(12)比较
0040691C|.^ 7F F5 \JG SHORT FilePack.00406913
0040691E|>8D4C24 40 LEA ECX,DWORD PTR SS: ;[常数C1]
00406922|.6A 0C PUSH 0C
00406924|.51 PUSH ECX
00406925|.8D4C24 18 LEA ECX,DWORD PTR SS:
00406929|.E8 03C90300 CALL FilePack.00443231 //////F7
0040692E|.50 PUSH EAX
0040692F|.8D4C24 14 LEA ECX,DWORD PTR SS:
00406933|.C64424 30 06MOV BYTE PTR SS:,6
00406938|.E8 D5280400 CALL FilePack.00449212
0040693D|.8D4C24 40 LEA ECX,DWORD PTR SS:
00406941|.C64424 2C 05MOV BYTE PTR SS:,5
00406946|.E8 8E270400 CALL FilePack.004490D9
0040694B|.33F6 XOR ESI,ESI
0040694D|>8B5424 10 /MOV EDX,DWORD PTR SS: ;Q的前12位
00406951|.8D4C24 14 |LEA ECX,DWORD PTR SS:
00406955|.021C16 |ADD BL,BYTE PTR DS: ;累加结果到BL(BL初始为P),依次取Q前12位ASC
00406958|.0FBEC3 |MOVSX EAX,BL ; 结果到EAX
0040695B|.50 |PUSH EAX
0040695C|.68 80814600 |PUSH FilePack.00468180 ;ASCII "%X"
00406961|.51 |PUSH ECX
00406962|.E8 EACC0300 |CALL FilePack.00443651 ;数值转换成字符
00406967|.83C4 0C |ADD ESP,0C
0040696A|.8D5424 14 |LEA EDX,DWORD PTR SS:
0040696E|.8D4C24 18 |LEA ECX,DWORD PTR SS: ;数值转换成的字符
00406972|.52 |PUSH EDX
00406973|.E8 792B0400 |CALL FilePack.004494F1
00406978|.46 |INC ESI
00406979|.83FE 0C |CMP ESI,0C
0040697C|.^ 7C CF \JL SHORT FilePack.0040694D
0040697E|.8D4424 18 LEA EAX,DWORD PTR SS: ;得到字符串N1
00406982|.8D4C24 10 LEA ECX,DWORD PTR SS:
00406986|.50 PUSH EAX
00406987|.E8 86280400 CALL FilePack.00449212
0040698C|>68 68E84600 PUSH FilePack.0046E868 ; /Arg2 = 0046E868
00406991|.68 7C814600 PUSH FilePack.0046817C ; |Arg1 = 0046817C ASCII "FF"
00406996|.8D4C24 18 LEA ECX,DWORD PTR SS: ; |
0040699A|.E8 A9C50300 CALL FilePack.00442F48 ; \同样是去掉N1中每2个一组的“FF”
0040699F|.8B7424 34 MOV ESI,DWORD PTR SS:
004069A3|.8D4C24 10 LEA ECX,DWORD PTR SS:
(省略部分代码)
00406A19|.64:890D 00000>MOV DWORD PTR FS:,ECX
00406A20|.83C4 20 ADD ESP,20
00406A23\.C3 RETN
==========004068FC |. E8 47C60300 CALL FilePack.00442F48; \这个CALL就是去掉S1中每2个相连为一组的"FF",结果设为Q ==========
00442F48/$55 PUSH EBP
00442F49|.8BEC MOV EBP,ESP
00442F4B|.83EC 1C SUB ESP,1C
00442F4E|.53 PUSH EBX
00442F4F|.56 PUSH ESI
00442F50|.57 PUSH EDI
00442F51|.33DB XOR EBX,EBX
00442F53|.395D 08 CMP DWORD PTR SS:,EBX
00442F56|.8BF9 MOV EDI,ECX
00442F58|.897D E8 MOV DWORD PTR SS:,EDI
00442F5B|.74 12 JE SHORT FilePack.00442F6F
00442F5D|.FF75 08 PUSH DWORD PTR SS: ; /String = ”FF“
00442F60|.8B35 20734500 MOV ESI,DWORD PTR DS:[<&KERNEL32.lstrl>; |kernel32.lstrlenA
00442F66|.FFD6 CALL ESI ; \lstrlenA
00442F68|.3BC3 CMP EAX,EBX ;“FF”的长度2与0比较
00442F6A|.8945 F4 MOV DWORD PTR SS:,EAX ;“FF”的长度2
00442F6D|.75 07 JNZ SHORT FilePack.00442F76
00442F6F|>33C0 XOR EAX,EAX
00442F71|.E9 2E010000 JMP FilePack.004430A4
00442F76|>395D 0C CMP DWORD PTR SS:,EBX
00442F79|.75 05 JNZ SHORT FilePack.00442F80
00442F7B|.895D FC MOV DWORD PTR SS:,EBX
00442F7E|.EB 08 JMP SHORT FilePack.00442F88
00442F80|>FF75 0C PUSH DWORD PTR SS:
00442F83|.FFD6 CALL ESI
00442F85|.8945 FC MOV DWORD PTR SS:,EAX
00442F88|>8B37 MOV ESI,DWORD PTR DS: ;字符串S1
00442F8A|.895D F8 MOV DWORD PTR SS:,EBX
00442F8D|.8B5E F8 MOV EBX,DWORD PTR DS: ;字符串S1的长度,本例为4C=76
00442F90|.03DE ADD EBX,ESI
00442F92|.3BF3 CMP ESI,EBX
00442F94|.0F83 07010000 JNB FilePack.004430A1
00442F9A|>FF75 08 /PUSH DWORD PTR SS: ;“FF“
00442F9D|.56 |PUSH ESI ; /字符串S1
00442F9E|.E8 5410FFFF |CALL FilePack.00433FF7 ; \FilePack.00433FF7
00442FA3|.59 |POP ECX
00442FA4|.85C0 |TEST EAX,EAX ;
00442FA6|.59 |POP ECX ; 字符串S1
00442FA7|.74 0B |JE SHORT FilePack.00442FB4
00442FA9|.8B4D F4 |MOV ECX,DWORD PTR SS: ;“FF“的长度2
00442FAC|.FF45 F8 |INC DWORD PTR SS:
00442FAF|.8D3408 |LEA ESI,DWORD PTR DS:
00442FB2|.^ EB E6 |JMP SHORT FilePack.00442F9A
00442FB4|>56 |PUSH ESI ; /String
00442FB5|.FF15 20734500 |CALL DWORD PTR DS:[<&KERNEL32.lstrlen>; \lstrlenA
00442FBB|.8D7406 01 |LEA ESI,DWORD PTR DS:
00442FBF|.3BF3 |CMP ESI,EBX
00442FC1|.^ 72 D7 \JB SHORT FilePack.00442F9A
00442FC3|.837D F8 00 CMP DWORD PTR SS:,0
00442FC7|.0F8E D4000000 JLE FilePack.004430A1
00442FCD|.8BCF MOV ECX,EDI
00442FCF|.E8 AE600000 CALL FilePack.00449082
00442FD4|.8B75 FC MOV ESI,DWORD PTR SS:
00442FD7|.8B1F MOV EBX,DWORD PTR DS: ;字符串S1
00442FD9|.2B75 F4 SUB ESI,DWORD PTR SS:
00442FDC|.8B43 F8 MOV EAX,DWORD PTR DS: ;字符串S1的长度
00442FDF|.0FAF75 F8 IMUL ESI,DWORD PTR SS:
00442FE3|.03F0 ADD ESI,EAX
00442FE5|.8945 F0 MOV DWORD PTR SS:,EAX ;字符串S1的长度
00442FE8|.3973 FC CMP DWORD PTR DS:,ESI
00442FEB|.8975 E4 MOV DWORD PTR SS:,ESI
00442FEE|.7C 06 JL SHORT FilePack.00442FF6
00442FF0|.837B F4 01 CMP DWORD PTR DS:,1
00442FF4|.7E 27 JLE SHORT FilePack.0044301D
00442FF6|>8D43 F4 LEA EAX,DWORD PTR DS:
00442FF9|.56 PUSH ESI
00442FFA|.8BCF MOV ECX,EDI
00442FFC|.8945 EC MOV DWORD PTR SS:,EAX
00442FFF|.E8 425F0000 CALL FilePack.00448F46
00443004|.8B45 EC MOV EAX,DWORD PTR SS:
00443007|.FF70 04 PUSH DWORD PTR DS:
0044300A|.53 PUSH EBX
0044300B|.FF37 PUSH DWORD PTR DS:
0044300D|.E8 AE15FFFF CALL FilePack.004345C0
00443012|.83C4 0C ADD ESP,0C
00443015|.FF75 EC PUSH DWORD PTR SS:
00443018|.E8 24600000 CALL FilePack.00449041
0044301D|>8B1F MOV EBX,DWORD PTR DS: ;字符串S1
0044301F|.8B43 F8 MOV EAX,DWORD PTR DS: ;字符串S1的长度
00443022|.03C3 ADD EAX,EBX
00443024|.3BD8 CMP EBX,EAX
00443026|.8945 EC MOV DWORD PTR SS:,EAX
00443029|.73 71 JNB SHORT FilePack.0044309C
0044302B|>FF75 08 /PUSH DWORD PTR SS: ;“FF”
0044302E|.53 |PUSH EBX ;字符串S1
0044302F|.E8 C30FFFFF |CALL FilePack.00433FF7
00443034|.8BF8 |MOV EDI,EAX ;
00443036|.59 |POP ECX
00443037|.85FF |TEST EDI,EDI
00443039|.59 |POP ECX
0044303A|.74 4D |JE SHORT FilePack.00443089
0044303C|>8B45 E8 |/MOV EAX,DWORD PTR SS:
0044303F|.8B4D FC ||MOV ECX,DWORD PTR SS:
00443042|.8B30 ||MOV ESI,DWORD PTR DS: ;字符串S1
00443044|.8B45 F4 ||MOV EAX,DWORD PTR SS: ;“FF”的长度2
00443047|.2BF7 ||SUB ESI,EDI ;
00443049|.8D1C0F ||LEA EBX,DWORD PTR DS: ;
0044304C|.2BF0 ||SUB ESI,EAX
0044304E|.03C7 ||ADD EAX,EDI
00443050|.0375 F0 ||ADD ESI,DWORD PTR SS:
00443053|.56 ||PUSH ESI
00443054|.50 ||PUSH EAX ;
00443055|.53 ||PUSH EBX
00443056|.E8 15FCFEFF ||CALL FilePack.00432C70
0044305B|.FF75 FC ||PUSH DWORD PTR SS:
0044305E|.FF75 0C ||PUSH DWORD PTR SS:
00443061|.57 ||PUSH EDI
00443062|.E8 5915FFFF ||CALL FilePack.004345C0
00443067|.8B45 FC ||MOV EAX,DWORD PTR SS: ; |
0044306A|.FF75 08 ||PUSH DWORD PTR SS: ; |“FF”
0044306D|.2B45 F4 ||SUB EAX,DWORD PTR SS: ; |
00443070|.80241E 00 ||AND BYTE PTR DS:,0 ; |字符串S1的倒数第2位的ASC and 0
00443074|.53 ||PUSH EBX ; |Arg1
00443075|.0145 F0 ||ADD DWORD PTR SS:,EAX ; |
00443078|.E8 7A0FFFFF ||CALL FilePack.00433FF7 ; \FilePack.00433FF7
0044307D|.8BF8 ||MOV EDI,EAX
0044307F|.83C4 20 ||ADD ESP,20
00443082|.85FF ||TEST EDI,EDI
00443084|.^ 75 B6 |\JNZ SHORT FilePack.0044303C
00443086|.8B75 E4 |MOV ESI,DWORD PTR SS:
00443089|>53 |PUSH EBX ; /String
0044308A|.FF15 20734500 |CALL DWORD PTR DS:[<&KERNEL32.lstrlen>; \lstrlenA
00443090|.8D5C03 01 |LEA EBX,DWORD PTR DS: ;地址=00C495D5,
00443094|.3B5D EC |CMP EBX,DWORD PTR SS:
00443097|.^ 72 92 \JB SHORT FilePack.0044302B
00443099|.8B7D E8 MOV EDI,DWORD PTR SS: ;循环结束,得到字符串Q,其实这个循环就是去掉S1中每2个相连为一组的"FF"
0044309C|>8B07 MOV EAX,DWORD PTR DS: ;字符串Q
0044309E|.8970 F8 MOV DWORD PTR DS:,ESI ;字符串Q的长度
004430A1|>8B45 F8 MOV EAX,DWORD PTR SS:
004430A4|>5F POP EDI
004430A5|.5E POP ESI
004430A6|.5B POP EBX
004430A7|.C9 LEAVE
004430A8\.C2 0800 RETN 8
==========00406929|.E8 03C90300 CALL FilePack.00443231 F7后:==========
00443231/$B8 5F5A4500 MOV EAX,FilePack.00455A5F
00443236|.E8 AD12FFFF CALL FilePack.004344E8
0044323B|.51 PUSH ECX
0044323C|.8B45 0C MOV EAX,DWORD PTR SS:
0044323F|.8365 F0 00 AND DWORD PTR SS:,0
00443243|.85C0 TEST EAX,EAX
00443245|.7D 02 JGE SHORT FilePack.00443249
00443247|.33C0 XOR EAX,EAX
00443249|>8B11 MOV EDX,DWORD PTR DS: ; 字符串Q
0044324B|.3B42 F8 CMP EAX,DWORD PTR DS: ;字符串Q的长度
0044324E|.7C 0E JL SHORT FilePack.0044325E
00443250|.51 PUSH ECX
00443251|.8B4D 08 MOV ECX,DWORD PTR SS:
00443254|.E8 F55B0000 CALL FilePack.00448E4E
00443259|.8B45 08 MOV EAX,DWORD PTR SS:
0044325C|.EB 3D JMP SHORT FilePack.0044329B
0044325E|>8B15 30A84600 MOV EDX,DWORD PTR DS: ;FilePack.0046A844
00443264|.56 PUSH ESI
00443265|.8955 0C MOV DWORD PTR SS:,EDX
00443268|.6A 01 PUSH 1
0044326A|.5E POP ESI
0044326B|.6A 00 PUSH 0 ; /Arg4 = 00000000
0044326D|.6A 00 PUSH 0 ; |Arg3 = 00000000
0044326F|.50 PUSH EAX ; |Arg2
00443270|.8D45 0C LEA EAX,DWORD PTR SS: ; |
00443273|.50 PUSH EAX ; |Arg1
00443274|.8975 FC MOV DWORD PTR SS:,ESI ; |
00443277|.E8 875E0000 CALL FilePack.00449103 ; \FilePack.00449103
0044327C|.8B4D 08 MOV ECX,DWORD PTR SS:
0044327F|.8D45 0C LEA EAX,DWORD PTR SS: ;字符串Q的前12位
00443282|.50 PUSH EAX
00443283|.E8 C65B0000 CALL FilePack.00448E4E
00443288|.8065 FC 00 AND BYTE PTR SS:,0
0044328C|.8D4D 0C LEA ECX,DWORD PTR SS:
0044328F|.8975 F0 MOV DWORD PTR SS:,ESI
00443292|.E8 425E0000 CALL FilePack.004490D9
00443297|.8B45 08 MOV EAX,DWORD PTR SS:
0044329A|.5E POP ESI
0044329B|>8B4D F4 MOV ECX,DWORD PTR SS:
0044329E|.64:890D 00000>MOV DWORD PTR FS:,ECX
004432A5|.C9 LEAVE
004432A6\.C2 0800 RETN 8
00449212/$56 PUSH ESI
00449213|.57 PUSH EDI
00449214|.8B7C24 0C MOV EDI,DWORD PTR SS:
00449218|.8BF1 MOV ESI,ECX
0044921A|.8B0E MOV ECX,DWORD PTR DS:
0044921C|.8B07 MOV EAX,DWORD PTR DS: ;同样是去掉N1中每2个一组的“FF”,得到字符串N2
0044921E|.3BC8 CMP ECX,EAX
00449220|.74 39 JE SHORT FilePack.0044925B
00449222|.8379 F4 00 CMP DWORD PTR DS:,0
00449226|.7D 0B JGE SHORT FilePack.00449233
00449228|.83C1 F4 ADD ECX,-0C
0044922B|.3B0D 34A84600 CMP ECX,DWORD PTR DS: ;FilePack.0046A838
00449231|.75 06 JNZ SHORT FilePack.00449239
00449233|>8378 F4 00 CMP DWORD PTR DS:,0
00449237|.7D 0D JGE SHORT FilePack.00449246
00449239|>50 PUSH EAX
0044923A|.8BCE MOV ECX,ESI
0044923C|.FF70 F8 PUSH DWORD PTR DS:
0044923F|.E8 A1FFFFFF CALL FilePack.004491E5
00449244|.EB 15 JMP SHORT FilePack.0044925B
00449246|>8BCE MOV ECX,ESI
00449248|.E8 C3FDFFFF CALL FilePack.00449010
0044924D|.8B07 MOV EAX,DWORD PTR DS: ;字符串N2
0044924F|.8906 MOV DWORD PTR DS:,EAX
00449251|.83C0 F4 ADD EAX,-0C
00449254|.50 PUSH EAX ; /pVar
00449255|.FF15 60724500 CALL DWORD PTR DS:[<&KERNEL32.Interloc>; \InterlockedIncrement
0044925B|>8BC6 MOV EAX,ESI
0044925D|.5F POP EDI
0044925E|.5E POP ESI
0044925F\.C2 0400 RETN 4
*****************************************************************************************************
软件会判断当前流程是功能A或B,赋不同的值给局部变量,该变量的值会间接参与算法运算。
算法总结:
一、软件本身的注册:
A.用户名不为空:
1.用户名各位的ASC依次与“GoodMan未注册”的ASC(到AL)相加,其和乘以常数C1。(用户名取完后则“GoodMan未注册”中还未参与运算的部分依次取ASC(到AL)乘以常数C1),直至循环到“GoodMan未注册”全部取完为止,并将得到的结果转换成字符串,设为S1。
2.去掉S1中每2位"F"为一组的"F"(即“FF”),得到字符串Q
3.取Q的12位以后的各位ASC,依次累加,得到的结果为P
4.P = P + 依次取Q的前12位各位ASC,每次相加的结果转化为字符串,得到字符串N1
5.去掉N1中每2位"F"为一组的"F"(即“FF”),得到字符串即为注册码。
注册成功后,会在OD中看到“GoodMan未注册”变成了“GoodMangglhy”了!软件也显示注册给gglhy
B.用户名为空时:
算法流程同上,只不过用机器码取代用户名来运算而已。其中有些许不同,比如常数为4A等。大家有兴趣的话可以跟一下。
(比如:00403D8A|.E8 912A0000 call 00406820 ;///用户名为空时,用机器码运算的CALL)
(在00406820处下好断点,OD重新载入就可以看见了。)
二、软件对用户计算注册码:(略,大家有兴趣可以自己去跟下....呵呵)
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
二、试看软件机器码的产生过程
既来之,则安之。我们顺便看看软件功能A中的机器码是如何得出来的。
我们直接来到:
0040FE40 .6A FF push -1
0040FE42 .68 E4404500 push 004540E4 ;SE 处理程序安装
0040FE47 .64:A1 0000000>mov eax, fs:
0040FE4D .50 push eax
0040FE4E .64:8925 00000>mov fs:, esp
0040FE55 .81EC BC080000 sub esp, 8BC
0040FE5B .51 push ecx ; /Arg2
0040FE5C .6A 01 push 1 ; |Arg1 = 00000001
0040FE5E .8D8C24 180100>lea ecx, ; |
0040FE65 .E8 763CFFFF call 00403AE0 ; \PPTPacke.00403AE0 ///从这里去看
0040FE6A .8D4C24 00 lea ecx,
0040FE6E .C78424 C40800>mov dword ptr , 0
======================0040FE65处call 00403AE0 我们F7后:===========================================
00403AE0/$6A FF push -1
00403AE2|.68 5D1E4500 push 00451E5D ;SE 处理程序安装
00403AE7|.64:A1 0000000>mov eax, fs:
(省略部分代码)
00403CAA|.8996 A8070000 mov , edx
00403CB0|.68 48814600 push 00468148 ;ASCII "GetUserName ()"
00403CB5|.8D4C24 34 lea ecx,
00403CB9|.C64424 28 14mov byte ptr , 1>
00403CBE|.C706 987B4500 mov dword ptr , 004>
00403CC4|.E8 7E540400 call 00449147
00403CC9|.68 68E84600 push 0046E868
00403CCE|.8BCF mov ecx, edi
00403CD0|.C64424 28 15mov byte ptr , 1>
00403CD5|.E8 88550400 call 00449262
00403CDA|.68 68E84600 push 0046E868
00403CDF|.8BCD mov ecx, ebp
00403CE1|.E8 7C550400 call 00449262
00403CE6|.68 68E84600 push 0046E868
00403CEB|.8BCB mov ecx, ebx
00403CED|.E8 70550400 call 00449262
00403CF2|.8B4424 2C mov eax,
00403CF6|.85C0 test eax, eax
00403CF8|.8986 A0070000 mov , eax ;又是这个
00403CFE|.74 0E je short 00403D0E
00403D00|.68 58814600 push 00468158 ;ASCII "GoodMan"
00403D05|.8D4C24 34 lea ecx,
00403D09|.E8 54550400 call 00449262
00403D0E|>E8 AD2A0000 call 004067C0 ;软件产生机器码的CALL ,我们F7
00403D13|.50 push eax ;得到机器码的数值形式,下面要转换为字符串形式
00403D14|.68 44814600 push 00468144 ;ASCII "%x"
00403D19|.57 push edi
00403D1A|.E8 32F90300 call 00443651
============00403D0E|>E8 AD2A0000 call 004067C0 ;软件产生机器码的CALL ,我们F7进入,来到:===========
004067C0 $55 push ebp
004067C1 .8BEC mov ebp, esp
004067C3 .6A FF push -1
004067C5 .68 107D4500 push 00457D10
004067CA .68 8C2B4300 push 00432B8C ;SE 处理程序安装
004067CF .64:A1 0000000>mov eax, fs:
004067D5 .50 push eax
004067D6 .64:8925 00000>mov fs:, esp
004067DD .83EC 0C sub esp, 0C
004067E0 .53 push ebx
004067E1 .56 push esi
004067E2 .57 push edi
004067E3 .8965 E8 mov , esp
004067E6 .C745 FC 00000>mov dword ptr , 0
004067ED .E8 6EFFFFFF call 00406760 ; 很重要的CALL,接着F7
004067F2 .8945 E4 mov , eax ;EAX寄存器的数值就是机器码了,还要将其转化为字符串
004067F5 .EB 0B jmp short 00406802
(省略部分代码)
00406819 .C3 retn
==============004067ED .E8 6EFFFFFF call 00406760 ;很重要的CALL,接着F7进入:===================
00406760 $55 push ebp
(省略部分代码)
0040677E .C745 FC 00000>mov dword ptr , 0
00406785 .8965 F0 mov , esp
00406788 .E8 23B60000 call 00411DB0 ;是个关键CALL--1,还是F7
0040678D .EB 10 jmp short 0040679F
0040678F .C745 EC 00000>mov dword ptr , >
00406796 .B8 9C674000 mov eax, 0040679C
0040679B .C3 retn
0040679C .8B45 EC mov eax,
0040679F >8B4D F4 mov ecx,
004067A2 .5F pop edi
004067A3 .5E pop esi
004067A4 .05 C7F8AE54 add eax, 54AEF8C7 ;EAX的值 + 常数54AEF8C7 = 注册码的数值形式
004067A9 .64:890D 00000>mov fs:, ecx
004067B0 .5B pop ebx
004067B1 .8BE5 mov esp, ebp
004067B3 .5D pop ebp
004067B4 .C3 retn
==============00406788 .E8 23B60000 call 00411DB0 ;是个关键CALL--1,还是F7,进入去看看:=============
00411DB0/$53 push ebx
(省略部分代码)
00411DCC|.BF F8F04600 mov edi, 0046F0F8 ;本机硬盘序列号到EDI
00411DD1|.C1E9 02 shr ecx, 2
(省略部分代码)
00411DFC|>BE F8F04600 mov esi, 0046F0F8 ;本机硬盘序列号
00411E01|.6A 04 push 4
00411E03|.68 94874600 push 00468794 ;
00411E08|.56 push esi ;本机硬盘序列号
00411E09|.E8 02200200 call 00433E10
00411E0E|.83C4 0C add esp, 0C
00411E11|.85C0 test eax, eax
00411E13|.75 05 jnz short 00411E1A
00411E15|.BE FDF04600 mov esi, 0046F0FD ;
00411E1A|>85F6 test esi, esi
00411E1C|.0F84 29010000 je 00411F4B
00411E22|>8A06 /mov al, ;依次取本机硬盘序列号ASC到AL
00411E24|.84C0 |test al, al
00411E26|.0F84 FF000000 |je 00411F2B ;本机硬盘序列号是否取完?
00411E2C|.3C 2D |cmp al, 2D ;是“-”吗?
00411E2E|.0F84 F0000000 |je 00411F24
00411E34|.6A 00 |push 0
00411E36|.6A 0A |push 0A ;呵呵,常量0A
00411E38|.53 |push ebx
00411E39|.55 |push ebp
00411E3A|.E8 D1200200 |call 00433F10 ;这里的EAX关系到下面EBP的值。关键CALL--2
00411E3F|.8BE8 |mov ebp, eax ;上面CALL运算后的值到EBP,再进行下面的运算
00411E41|.8BDA |mov ebx, edx
00411E43|.0FBE06 |movsx eax, byte ptr ;当前所取的本机硬盘序列号ASC
00411E46|.83C0 D0 |add eax, -30 ;当前所取的本机硬盘序列号ASC - 39; Switch (cases 31..7A)
00411E49|.83F8 4A |cmp eax, 4A ;差与4A比较。
00411E4C|.0F87 D2000000 |ja 00411F24 ;比较的结果不同就跳向不同的表
00411E52|.FF2485 641F41>|jmp ;跳向不同的表;注意ebp + 不同的值
00411E59|>83C5 01 |add ebp, 1 ;Case 31 ('1') of switch 00411E46
00411E5C|.E9 C0000000 |jmp 00411F21
00411E61|>83C5 02 |add ebp, 2 ;Case 32 ('2') of switch 00411E46
00411E64|.E9 B8000000 |jmp 00411F21
00411E69|>83C5 03 |add ebp, 3 ;Case 33 ('3') of switch 00411E46
00411E6C|.E9 B0000000 |jmp 00411F21
00411E71|>83C5 04 |add ebp, 4 ;Case 34 ('4') of switch 00411E46
00411E74|.E9 A8000000 |jmp 00411F21
00411E79|>83C5 05 |add ebp, 5 ;Case 35 ('5') of switch 00411E46
00411E7C|.E9 A0000000 |jmp 00411F21
00411E81|>83C5 06 |add ebp, 6 ;Case 36 ('6') of switch 00411E46
00411E84|.E9 98000000 |jmp 00411F21
00411E89|>83C5 07 |add ebp, 7 ;Case 37 ('7') of switch 00411E46
00411E8C|.E9 90000000 |jmp 00411F21
00411E91|>83C5 08 |add ebp, 8 ;Case 38 ('8') of switch 00411E46
00411E94|.E9 88000000 |jmp 00411F21
00411E99|>83C5 09 |add ebp, 9 ;Case 39 ('9') of switch 00411E46
00411E9C|.E9 80000000 |jmp 00411F21
00411EA1|>83C5 0A |add ebp, 0A ;Cases 41 ('A'),61 ('a') of switch 00411E46
00411EA4|.EB 7B |jmp short 00411F21
00411EA6|>83C5 0B |add ebp, 0B ;Cases 42 ('B'),62 ('b') of switch 00411E46
00411EA9|.EB 76 |jmp short 00411F21
00411EAB|>83C5 0C |add ebp, 0C ;Cases 43 ('C'),63 ('c') of switch 00411E46
00411EAE|.EB 71 |jmp short 00411F21
00411EB0|>83C5 0D |add ebp, 0D ;Cases 44 ('D'),64 ('d') of switch 00411E46
00411EB3|.EB 6C |jmp short 00411F21
00411EB5|>83C5 0E |add ebp, 0E ;Cases 45 ('E'),65 ('e') of switch 00411E46
00411EB8|.EB 67 |jmp short 00411F21
00411EBA|>83C5 0F |add ebp, 0F ;Cases 46 ('F'),66 ('f') of switch 00411E46
00411EBD|.EB 62 |jmp short 00411F21
00411EBF|>83C5 10 |add ebp, 10 ;Cases 47 ('G'),67 ('g') of switch 00411E46
00411EC2|.EB 5D |jmp short 00411F21
00411EC4|>83C5 11 |add ebp, 11 ;Cases 48 ('H'),68 ('h') of switch 00411E46
00411EC7|.EB 58 |jmp short 00411F21
00411EC9|>83C5 12 |add ebp, 12 ;Cases 49 ('I'),69 ('i') of switch 00411E46
00411ECC|.EB 53 |jmp short 00411F21
00411ECE|>83C5 13 |add ebp, 13 ;Cases 4A ('J'),6A ('j') of switch 00411E46
00411ED1|.EB 4E |jmp short 00411F21
00411ED3|>83C5 14 |add ebp, 14 ;Cases 4B ('K'),6B ('k') of switch 00411E46
00411ED6|.EB 49 |jmp short 00411F21
00411ED8|>83C5 15 |add ebp, 15 ;Cases 4C ('L'),6C ('l') of switch 00411E46
00411EDB|.EB 44 |jmp short 00411F21
00411EDD|>83C5 16 |add ebp, 16 ;Cases 4D ('M'),6D ('m') of switch 00411E46
00411EE0|.EB 3F |jmp short 00411F21
00411EE2|>83C5 17 |add ebp, 17 ;Cases 4E ('N'),6E ('n') of switch 00411E46
00411EE5|.EB 3A |jmp short 00411F21
00411EE7|>83C5 18 |add ebp, 18 ;Cases 4F ('O'),6F ('o') of switch 00411E46
00411EEA|.EB 35 |jmp short 00411F21
00411EEC|>83C5 19 |add ebp, 19 ;Cases 50 ('P'),70 ('p') of switch 00411E46
00411EEF|.EB 30 |jmp short 00411F21
00411EF1|>83C5 1A |add ebp, 1A ;Cases 51 ('Q'),71 ('q') of switch 00411E46
00411EF4|.EB 2B |jmp short 00411F21
00411EF6|>83C5 1B |add ebp, 1B ;Cases 52 ('R'),72 ('r') of switch 00411E46
00411EF9|.EB 26 |jmp short 00411F21
00411EFB|>83C5 1C |add ebp, 1C ;Cases 53 ('S'),73 ('s') of switch 00411E46
00411EFE|.EB 21 |jmp short 00411F21
00411F00|>83C5 1D |add ebp, 1D ;Cases 54 ('T'),74 ('t') of switch 00411E46
00411F03|.EB 1C |jmp short 00411F21
00411F05|>83C5 1E |add ebp, 1E ;Cases 55 ('U'),75 ('u') of switch 00411E46
00411F08|.EB 17 |jmp short 00411F21
00411F0A|>83C5 1F |add ebp, 1F ;Cases 56 ('V'),76 ('v') of switch 00411E46
00411F0D|.EB 12 |jmp short 00411F21
00411F0F|>83C5 20 |add ebp, 20 ;Cases 57 ('W'),77 ('w') of switch 00411E46
00411F12|.EB 0D |jmp short 00411F21
00411F14|>83C5 21 |add ebp, 21 ;Cases 58 ('X'),78 ('x') of switch 00411E46
00411F17|.EB 08 |jmp short 00411F21
00411F19|>83C5 22 |add ebp, 22 ;Cases 59 ('Y'),79 ('y') of switch 00411E46
00411F1C|.EB 03 |jmp short 00411F21
00411F1E|>83C5 23 |add ebp, 23 ;Cases 5A ('Z'),7A ('z') of switch 00411E46
00411F21|>83D3 00 |adc ebx, 0
00411F24|>46 |inc esi ;Default case of switch 00411E46
00411F25|.^ 0F85 F7FEFFFF \jnz 00411E22
00411F2B|>85DB test ebx, ebx ;循环结束后,EBP的值就是硬盘序列号运算后的结果。设为W
00411F2D|.7C 1C jl short 00411F4B
00411F2F|.7F 08 jg short 00411F39
00411F31|.81FD FFFFFF0F cmp ebp, 0FFFFFFF ;EBP的值W与0FFFFFFF比较
00411F37|.76 12 jbe short 00411F4B
00411F39|>6A 00 push 0
00411F3B|.68 00000010 push 10000000
00411F40|.53 push ebx
00411F41|.55 push ebp
00411F42|.E8 091F0200 call 00433E50 ;仍然F7,关键CALL--3
00411F47|.8BE8 mov ebp, eax
00411F49|.8BDA mov ebx, edx
00411F4B|>53 push ebx
00411F4C|.55 push ebp
00411F4D|.68 68874600 push 00468768 ;ASCII 0A,"Computer I"
00411F52|.E8 6B1E0200 call 00433DC2
00411F57|.83C4 0C add esp, 0C
00411F5A|.8BC5 mov eax, ebp
00411F5C|.5F pop edi
00411F5D|.5E pop esi
00411F5E|.5D pop ebp
00411F5F|.5B pop ebx
00411F60\.C3 retn
==========这里,关键call--2:其实是将当前查表运算得到的结果(ebp初始为0)再 * 0A,这个积再作为下一轮循环时的EBP值:==========
00433F10/$8B4424 08 MOV EAX,DWORD PTR SS:
00433F14|.8B4C24 10 MOV ECX,DWORD PTR SS:
00433F18|.0BC8 OR ECX,EAX
00433F1A|.8B4C24 0C MOV ECX,DWORD PTR SS: ;=0A
00433F1E|.75 09 JNZ SHORT FilePack.00433F29
00433F20|.8B4424 04 MOV EAX,DWORD PTR SS: ;上一次循环运算中EBP的值
00433F24|.F7E1 MUL ECX ;(上一次循环运算中EBP的值)*0A,结果保存在EAX
00433F26|.C2 1000 RETN 10
00433F29|>53 PUSH EBX
00433F2A|.F7E1 MUL ECX
00433F2C|.8BD8 MOV EBX,EAX
00433F2E|.8B4424 08 MOV EAX,DWORD PTR SS:
00433F32|.F76424 14 MUL DWORD PTR SS:
00433F36|.03D8 ADD EBX,EAX
00433F38|.8B4424 08 MOV EAX,DWORD PTR SS:
00433F3C|.F7E1 MUL ECX
00433F3E|.03D3 ADD EDX,EBX
00433F40|.5B POP EBX
00433F41\.C2 1000 RETN 10
==========00411F42|.E8 091F0200 call 00433E50 ;仍然F7,关键CALL--3,我们进入:============
00433E50/$53 PUSH EBX
00433E51|.57 PUSH EDI
00433E52|.33FF XOR EDI,EDI
(省略部分代码)
00433E9B|.8B4424 0C MOV EAX,DWORD PTR SS: ;硬盘序列号运算后的结果W
00433E9F|.F7F1 DIV ECX ;ECX=10000000 (应该也是常量,时间紧没仔细看!但2台电脑上数值一样)
00433EA1|.8BC2 MOV EAX,EDX ;余数到EAX
00433EA3|.33D2 XOR EDX,EDX
00433EA5|.4F DEC EDI
00433EA6|.79 4E JNS SHORT FilePack.00433EF6
00433EA8|.EB 53 JMP SHORT FilePack.00433EFD
(省略部分代码)
00433EFD|>5F POP EDI
00433EFE|.5B POP EBX
00433EFF\.C2 1000 RETN 10
OK,现在清楚了:
1.取硬盘序列号各位ASC来跳向不同的表,得到不同的EBP值(初始为0)乘以0A,其结果作为下一位ASC运算时的EBP值,直至硬盘序列号取完。
2.然后用最终的EBP值/10000000H、
3.余数再加常数54AEF8C7(16进制),再将和转化为字符串形式就是机器码了!
呵呵!文章又臭又长,希望不会让大家失望!文中如有错误,敬请指正!!!
谢谢观看! 刚开始学`` 很感谢分享``` “呵呵!文章又臭又长,希望不会让大家失望!文中如有错误,敬请指正!!!
谢谢观看!”
不用谢,应该谢您,哈哈/:017 天啊,0+点还在研究,小心身体哈,哈哈
多谢月大关心!:loveliness: GGLHY 好有耐心,支持的说! GGLHY 好有耐心,支持的说!
野猫III 发表于 2011-1-20 12:05 https://www.chinapyg.com/images/common/back.gif
还望大侠多多指点!/:014 很好的一篇算法分析文章。 很好的一篇算法分析文章。
glts 发表于 2011-1-20 14:40 https://www.chinapyg.com/images/common/back.gif
谢谢大牛的肯定!
你们的支持和鼓励是小菜们前进的动力!/:014 感觉“GGLHY ”此人必火! 感觉“GGLHY ”此人必火!
飘云 发表于 2011-1-20 16:44 https://www.chinapyg.com/images/common/back.gif
/:017 我要红了?/:017