【Title】: Analysis of 流星网络电视 (MeteorNetTv) V2.23.2
【Author】: the0crat
【Author e-mail】: the0crat.cn_at_gmail.com
【Author homepage】: http://the0crat.blogcn.com
【Date】: 20070109
【Author QQ】: NULL
【Software name】: 流星网络电视 (MeteorNetTv) V2.23.2
【Software size】: 2002 KB
【Download】: http://www.skycn.com/soft/19948.html
【Packer】: ASPack 2.12 -> Alexey Solodovnikov
【Protection】: registration code + online verification
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OD+IDA+Dede
【Platform】: Win32
【Software introduction】:
★The best Internet TV software: 1000 satellite TV channels from around the world + 5000 episodes of hit TV series and films = free viewing for life, with no additional hardware required.
Program advantages:
◆Great satellite TV: ◎High-speed live sports channels: 纬来体育, 卫视体育, 上海体育, 广东体育, cctv5, cctv风云足球, goalTV, etc. ◎Hong Kong, Macau and Taiwan: 无线翡翠, 亚视本港, the 凤凰 channels (Chinese, InfoNews, Movies), the 星空 channels (STAR, Sports, Movies), the 中天 channels, TVBS News, 年代新闻, HBO, 华娱, 东风, 华视 and other high-rated stations ◎CCTV and leading provincial and municipal stations (Hunan, Shanghai, Jiangsu, Zhejiang, Hainan, etc.) ◎Foreign TV: National Geographic, Fashion TV, CNBC, Arirang, Discovery, Deutsche Welle and other world-famous channels.
◆Latest hit TV series and films: on demand, whenever you like, no need to wait by the TV every day; watch the newest hit series first, and enjoy the latest blockbusters without renting or buying discs. ◆Listen to radio from around the world without regional restrictions.
Software advantages:
★Uses cutting-edge P2P technology: the more users, the smoother the playback
★Unique "program guide" feature, so you never miss a great program
★Clear program categories and a convenient tree-style program menu, easier to use
★Fully automatic online upgrades, no manual work needed
★The TV window can be freely resized and docked without interfering with other work
★Register once, use for life, free online upgrades for life
【Author's statement】: This article is for research and study only. I accept no legal responsibility for any consequences arising from it. Please point out any shortcomings in this article.
--------------------------------------------------------------------------------
【Detailed process】
[Difficulty] -=Beginner=- Intermediate Advanced Expert
Unpack it (wash your hands before dinner!), load it into OD, open the registration dialog, find the entry point with Dede, and we arrive here
00509AE8 /. 55 push ebp
00509AE9 |. 8BEC mov ebp, esp
00509AEB |. B9 09000000 mov ecx, 9
00509AF0 |> 6A 00 /push 0
00509AF2 |. 6A 00 |push 0
00509AF4 |. 49 |dec ecx
00509AF5 |.^ 75 F9 \jnz short 00509AF0
00509AF7 |. 53 push ebx
00509AF8 |. 8BD8 mov ebx, eax
00509AFA |. 33C0 xor eax, eax
00509AFC |. 55 push ebp
00509AFD |. 68 8D9D5000 push 00509D8D
00509B02 |. 64:FF30 push dword ptr fs:[eax]
00509B05 |. 64:8920 mov dword ptr fs:[eax], esp
00509B08 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00509B0B |. 8B83 14030000 mov eax, dword ptr [ebx+314]
00509B11 |. E8 E6F2F4FF call 00458DFC ; get the user name
00509B16 |. 8B45 F0 mov eax, dword ptr [ebp-10]
00509B19 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00509B1C |. E8 D3F1EFFF call 00408CF4
00509B21 |. 837D F4 00 cmp dword ptr [ebp-C], 0
00509B25 |. 0F84 0D020000 je 00509D38 ; empty user name: jump away
00509B2B |. 8D55 E8 lea edx, dword ptr [ebp-18]
00509B2E |. 8B83 18030000 mov eax, dword ptr [ebx+318]
00509B34 |. E8 C3F2F4FF call 00458DFC ; get the registration code
00509B39 |. 8B45 E8 mov eax, dword ptr [ebp-18]
00509B3C |. 8D55 EC lea edx, dword ptr [ebp-14]
00509B3F |. E8 B0F1EFFF call 00408CF4
00509B44 |. 837D EC 00 cmp dword ptr [ebp-14], 0
00509B48 |. 0F84 EA010000 je 00509D38 ; empty registration code: jump away
00509B4E |. 8D55 E4 lea edx, dword ptr [ebp-1C]
00509B51 |. 8B83 14030000 mov eax, dword ptr [ebx+314]
00509B57 |. E8 A0F2F4FF call 00458DFC ; get the user name again~~~
00509B5C |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00509B5F |. 8D55 F8 lea edx, dword ptr [ebp-8]
00509B62 |. E8 8DF1EFFF call 00408CF4
00509B67 |. 8D55 DC lea edx, dword ptr [ebp-24]
00509B6A |. 8B83 18030000 mov eax, dword ptr [ebx+318]
00509B70 |. E8 87F2F4FF call 00458DFC ; get the registration code again~~~
00509B75 |. 8B45 DC mov eax, dword ptr [ebp-24]
00509B78 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00509B7B |. E8 74F1EFFF call 00408CF4
00509B80 |. 8B45 E0 mov eax, dword ptr [ebp-20]
00509B83 |. 8D55 FC lea edx, dword ptr [ebp-4]
00509B86 |. E8 55EFEFFF call 00408AE0
00509B8B |. 8B45 FC mov eax, dword ptr [ebp-4]
00509B8E |. E8 4DABEFFF call 004046E0
00509B93 |. 83E8 10 sub eax, 10 ; Switch (cases 10..20)
00509B96 |. 74 18 je short 00509BB0 ; a 16-character registration code is the Standard edition
00509B98 |. 83E8 04 sub eax, 4
00509B9B |. 74 4B je short 00509BE8 ; 20 characters is VIP
00509B9D |. 83E8 04 sub eax, 4
00509BA0 |. 74 7B je short 00509C1D ; 24 characters is Diamond
00509BA2 |. 83E8 08 sub eax, 8
00509BA5 |. 0F84 A7000000 je 00509C52 ; unknown version ;-)
00509BAB |. E9 88010000 jmp 00509D38
Let's look at the Diamond edition branch
00509C1D |> A1 FC275100 mov eax, dword ptr [5127FC] ; Case 18 of switch 00509B93
00509C22 |. 50 push eax
00509C23 |. 8D55 C4 lea edx, dword ptr [ebp-3C]
00509C26 |. 8B45 FC mov eax, dword ptr [ebp-4]
00509C29 |. E8 F222F7FF call 0047BF20 ; MD5 of the registration code
00509C2E |. 8B45 C4 mov eax, dword ptr [ebp-3C]
00509C31 |. 8D4D C8 lea ecx, dword ptr [ebp-38]
00509C34 |. BA A49D5000 mov edx, 00509DA4 ; ASCII "Impressions"
00509C39 |. E8 F614F7FF call 0047B134 ; then DES, key="Impressions"
00509C3E |. 8B45 C8 mov eax, dword ptr [ebp-38]
00509C41 |. B9 10000000 mov ecx, 10
00509C46 |. BA 05000000 mov edx, 5
00509C4B |. E8 F0ACEFFF call 00404940 ; take 16 characters starting from position 5 counting from the left
00509C50 |. EB 33 jmp short 00509C85
00509C52 |> A1 FC275100 mov eax, dword ptr [5127FC] ; Case 20 of switch 00509B93
00509C57 |. 50 push eax
00509C58 |. 8D55 BC lea edx, dword ptr [ebp-44]
00509C5B |. 8B45 FC mov eax, dword ptr [ebp-4]
00509C5E |. E8 BD22F7FF call 0047BF20
00509C63 |. 8B45 BC mov eax, dword ptr [ebp-44]
00509C66 |. 8D4D C0 lea ecx, dword ptr [ebp-40]
00509C69 |. BA A49D5000 mov edx, 00509DA4 ; ASCII "Impressions"
00509C6E |. E8 C114F7FF call 0047B134
00509C73 |. 8B45 C0 mov eax, dword ptr [ebp-40]
00509C76 |. B9 0C000000 mov ecx, 0C
00509C7B |. BA 0C000000 mov edx, 0C
00509C80 |. E8 BBACEFFF call 00404940
00509C85 |> B2 01 mov dl, 1
00509C87 |. A1 20BF4300 mov eax, dword ptr [43BF20]
00509C8C |. E8 8F23F3FF call 0043C020
00509C91 |. 8BD8 mov ebx, eax
00509C93 |. BA 02000080 mov edx, 80000002
00509C98 |. 8BC3 mov eax, ebx
00509C9A |. E8 2124F3FF call 0043C0C0
00509C9F |. B1 01 mov cl, 1
00509CA1 |. BA B89D5000 mov edx, 00509DB8 ; ASCII "\SOFTWARE\Microsoft\Windows\CurrentVersion\olympic"
00509CA6 |. 8BC3 mov eax, ebx
00509CA8 |. E8 7B24F3FF call 0043C128
00509CAD |. 84C0 test al, al
00509CAF |. 74 14 je short 00509CC5
00509CB1 |. 8B0D FC275100 mov ecx, dword ptr [5127FC] ; unpacked.005141AC
00509CB7 |. 8B09 mov ecx, dword ptr [ecx]
00509CB9 |. BA F49D5000 mov edx, 00509DF4 ; ASCII "pic"
00509CBE |. 8BC3 mov eax, ebx
00509CC0 |. E8 A728F3FF call 0043C56C ; write it to the registry
00509CC5 |> 8BC3 mov eax, ebx
00509CC7 |. E8 C423F3FF call 0043C090
00509CCC |. 8BC3 mov eax, ebx
00509CCE |. E8 9998EFFF call 0040356C
00509CD3 |. B2 01 mov dl, 1
00509CD5 |. A1 20BF4300 mov eax, dword ptr [43BF20]
00509CDA |. E8 4123F3FF call 0043C020
00509CDF |. 8BD8 mov ebx, eax
00509CE1 |. BA 01000080 mov edx, 80000001
00509CE6 |. 8BC3 mov eax, ebx
00509CE8 |. E8 D323F3FF call 0043C0C0
00509CED |. B1 01 mov cl, 1
00509CEF |. BA 009E5000 mov edx, 00509E00 ; ASCII "\SoftWare\Microsoft\Windows\CurrentVersion\patron"
00509CF4 |. 8BC3 mov eax, ebx
00509CF6 |. E8 2D24F3FF call 0043C128
00509CFB |. 84C0 test al, al
00509CFD |. 74 1F je short 00509D1E
00509CFF |. 8D4D B8 lea ecx, dword ptr [ebp-48]
00509D02 |. BA 3C9E5000 mov edx, 00509E3C ; ASCII "MeteorTV.username"
00509D07 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00509D0A |. E8 2514F7FF call 0047B134 ; DES, PT=user name, key="MeteorTV.username"
00509D0F |. 8B4D B8 mov ecx, dword ptr [ebp-48]
00509D12 |. BA 589E5000 mov edx, 00509E58 ; ASCII "mortal"
00509D17 |. 8BC3 mov eax, ebx
00509D19 |. E8 4E28F3FF call 0043C56C ; write it to the registry
00509D1E |> 8BC3 mov eax, ebx
00509D20 |. E8 6B23F3FF call 0043C090
00509D25 |. 8BC3 mov eax, ebx
00509D27 |. E8 4098EFFF call 0040356C
00509D2C |. A1 68275100 mov eax, dword ptr [512768]
00509D31 |. 8B00 mov eax, dword ptr [eax]
00509D33 |. E8 18BCF6FF call 00475950
00509D38 |> 33C0 xor eax, eax ; Default case of switch 00509B93
00509D3A |. 5A pop edx
00509D3B |. 59 pop ecx
00509D3C |. 59 pop ecx
00509D3D |. 64:8910 mov dword ptr fs:[eax], edx
00509D40 |. 68 949D5000 push 00509D94
00509D45 |> 8D45 B8 lea eax, dword ptr [ebp-48]
00509D48 |. BA 09000000 mov edx, 9
00509D4D |. E8 F2A6EFFF call 00404444
00509D52 |. 8D45 DC lea eax, dword ptr [ebp-24]
00509D55 |. E8 C6A6EFFF call 00404420
00509D5A |. 8D45 E0 lea eax, dword ptr [ebp-20]
00509D5D |. E8 BEA6EFFF call 00404420
00509D62 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00509D65 |. BA 02000000 mov edx, 2
00509D6A |. E8 D5A6EFFF call 00404444
00509D6F |. 8D45 EC lea eax, dword ptr [ebp-14]
00509D72 |. E8 A9A6EFFF call 00404420
00509D77 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00509D7A |. E8 A1A6EFFF call 00404420
00509D7F |. 8D45 F4 lea eax, dword ptr [ebp-C]
00509D82 |. BA 03000000 mov edx, 3
00509D87 |. E8 B8A6EFFF call 00404444
00509D8C \. C3 retn
Ctrl+F2, open String References: the program throws an error. Try another route: load it into IDA, find "patron" in the strings, arrive at CODE:00505A38, follow the DATA XREF to CODE:00505525, go back to OD and set a breakpoint there. There is another "patron", but it sits in the block above, so skip it. Run in OD and it breaks; Ctrl+F2, move the breakpoint up to the function entry 005054AC, run, and it breaks again
005054AC /$ 55 push ebp
005054AD |. 8BEC mov ebp, esp
005054AF |. B9 14000000 mov ecx, 14
005054B4 |> 6A 00 /push 0
005054B6 |. 6A 00 |push 0
005054B8 |. 49 |dec ecx
005054B9 |.^ 75 F9 \jnz short 005054B4
005054BB |. 51 push ecx
005054BC |. 53 push ebx
005054BD |. 56 push esi
005054BE |. 8BD8 mov ebx, eax
005054C0 |. 33C0 xor eax, eax
005054C2 |. 55 push ebp
005054C3 |. 68 DB595000 push 005059DB
005054C8 |. 64:FF30 push dword ptr fs:[eax]
005054CB |. 64:8920 mov dword ptr fs:[eax], esp
005054CE |. B2 01 mov dl, 1
005054D0 |. A1 20BF4300 mov eax, dword ptr [43BF20]
005054D5 |. E8 466BF3FF call 0043C020
005054DA |. 8BF0 mov esi, eax
005054DC |. BA 02000080 mov edx, 80000002
005054E1 |. 8BC6 mov eax, esi
005054E3 |. E8 D86BF3FF call 0043C0C0
005054E8 |. B1 01 mov cl, 1
005054EA |. BA F0595000 mov edx, 005059F0 ; ASCII "\SOFTWARE\Microsoft\Windows\CurrentVersion\olympic"
005054EF |. 8BC6 mov eax, esi
005054F1 |. E8 326CF3FF call 0043C128
005054F6 |. 84C0 test al, al
005054F8 |. 74 1D je short 00505517
005054FA |. 8D4D F4 lea ecx, dword ptr [ebp-C]
005054FD |. BA 2C5A5000 mov edx, 00505A2C ; ASCII "pic"
00505502 |. 8BC6 mov eax, esi
00505504 |. E8 8F70F3FF call 0043C598 ; read the registry value; here it is the transformed value of the registration code entered earlier
00505509 |. 8B55 F4 mov edx, dword ptr [ebp-C]
0050550C |. 8D83 C4040000 lea eax, dword ptr [ebx+4C4]
00505512 |. E8 5DEFEFFF call 00404474
00505517 |> BA 01000080 mov edx, 80000001
0050551C |. 8BC6 mov eax, esi
0050551E |. E8 9D6BF3FF call 0043C0C0
00505523 |. B1 01 mov cl, 1
00505525 |. BA 385A5000 mov edx, 00505A38 ; ASCII "\SoftWare\Microsoft\Windows\CurrentVersion\patron"
0050552A |. 8BC6 mov eax, esi
0050552C |. E8 F76BF3FF call 0043C128
00505531 |. 84C0 test al, al
00505533 |. 74 1D je short 00505552
00505535 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00505538 |. BA 745A5000 mov edx, 00505A74 ; ASCII "mortal"
0050553D |. 8BC6 mov eax, esi
0050553F |. E8 5470F3FF call 0043C598 ; read the registry value
00505544 |. 8B55 F0 mov edx, dword ptr [ebp-10]
00505547 |. 8D83 CC040000 lea eax, dword ptr [ebx+4CC]
0050554D |. E8 22EFEFFF call 00404474
00505552 |> 8BC6 mov eax, esi
00505554 |. E8 376BF3FF call 0043C090 ; close the registry
00505559 |. 8BC6 mov eax, esi
0050555B |. E8 0CE0EFFF call 0040356C
00505560 |. 8D4D EC lea ecx, dword ptr [ebp-14]
00505563 |. BA 845A5000 mov edx, 00505A84 ; ASCII "MeteorTV.username"
00505568 |. 8B83 CC040000 mov eax, dword ptr [ebx+4CC]
0050556E |. E8 A95DF7FF call 0047B31C ; the "mortal" value in the registry is the user name entered earlier; the inverse operation here restores it
00505573 |. 8B55 EC mov edx, dword ptr [ebp-14]
00505576 |. 8D83 CC040000 lea eax, dword ptr [ebx+4CC]
0050557C |. E8 F3EEEFFF call 00404474
00505581 |. 8D55 FC lea edx, dword ptr [ebp-4]
00505584 |. 8B83 CC040000 mov eax, dword ptr [ebx+4CC]
0050558A |. E8 9169F7FF call 0047BF20 ; MD5 of the user name
0050558F |. 8D4D E8 lea ecx, dword ptr [ebp-18]
00505592 |. BA A05A5000 mov edx, 00505AA0 ; ASCII "killyou?yes"
00505597 |. 8B45 FC mov eax, dword ptr [ebp-4]
0050559A |. E8 B5A4FDFF call 004DFA54 ; PT=MD5 of the user name, key="killyou?yes"......
Step into it
004DFA54 /$ 55 push ebp
004DFA55 |. 8BEC mov ebp, esp
004DFA57 |. 51 push ecx
004DFA58 |. B9 07000000 mov ecx, 7
004DFA5D |> 6A 00 /push 0
004DFA5F |. 6A 00 |push 0
004DFA61 |. 49 |dec ecx
004DFA62 |.^ 75 F9 \jnz short 004DFA5D
004DFA64 |. 874D FC xchg dword ptr [ebp-4], ecx
004DFA67 |. 53 push ebx
004DFA68 |. 56 push esi
004DFA69 |. 57 push edi
004DFA6A |. 894D F8 mov dword ptr [ebp-8], ecx
004DFA6D |. 8955 FC mov dword ptr [ebp-4], edx
004DFA70 |. 8BD8 mov ebx, eax
004DFA72 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DFA75 |. E8 564EF2FF call 004048D0
004DFA7A |. 33C0 xor eax, eax
004DFA7C |. 55 push ebp
004DFA7D |. 68 56FC4D00 push 004DFC56
004DFA82 |. 64:FF30 push dword ptr fs:[eax]
004DFA85 |. 64:8920 mov dword ptr fs:[eax], esp
004DFA88 |. 8D55 F4 lea edx, dword ptr [ebp-C]
004DFA8B |. 8BC3 mov eax, ebx
004DFA8D |. E8 26FFFFFF call 004DF9B8 ; ASCII values of the user-name MD5
004DFA92 |. 8D55 F0 lea edx, dword ptr [ebp-10]
004DFA95 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DFA98 |. E8 1BFFFFFF call 004DF9B8 ; ASCII values of "killyou?yes"
004DFA9D |. 8D45 EC lea eax, dword ptr [ebp-14]
004DFAA0 |. 8B55 F4 mov edx, dword ptr [ebp-C]
004DFAA3 |. E8 104AF2FF call 004044B8
004DFAA8 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004DFAAB |. E8 304CF2FF call 004046E0
004DFAB0 |. D1F8 sar eax, 1
004DFAB2 |. 79 03 jns short 004DFAB7
004DFAB4 |. 83D0 00 adc eax, 0
004DFAB7 |> 85C0 test eax, eax
004DFAB9 |. 0F8E 54010000 jle 004DFC13
004DFABF |. 8945 E0 mov dword ptr [ebp-20], eax
004DFAC2 |. BE 01000000 mov esi, 1
004DFAC7 |> 83FE 01 /cmp esi, 1
004DFACA |. 74 0B |je short 004DFAD7
004DFACC |. 8D45 EC |lea eax, dword ptr [ebp-14]
004DFACF |. 8B55 E8 |mov edx, dword ptr [ebp-18]
004DFAD2 |. E8 E149F2FF |call 004044B8
004DFAD7 |> 8D45 E8 |lea eax, dword ptr [ebp-18]
004DFADA |. E8 4149F2FF |call 00404420
004DFADF |. 8B45 EC |mov eax, dword ptr [ebp-14]
004DFAE2 |. E8 F94BF2FF |call 004046E0
004DFAE7 |. 8BF8 |mov edi, eax
004DFAE9 |. D1FF |sar edi, 1 ; up to this point we get edi=length(ascii(md5(username)))
004DFAEB |. 79 03 |jns short 004DFAF0
004DFAED |. 83D7 00 |adc edi, 0
004DFAF0 |> 85FF |test edi, edi
004DFAF2 |. 0F8E 11010000 |jle 004DFC09 ; its length; jump if not greater than 0
004DFAF8 |. BB 01000000 |mov ebx, 1
004DFAFD |> BA 64FC4D00 |/mov edx, 004DFC64
004DFB02 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB05 |. E8 4E33F2FF ||call 00402E58
004DFB0A |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFB0D |. 8BD3 ||mov edx, ebx
004DFB0F |. 03D2 ||add edx, edx
004DFB11 |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
004DFB14 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2]
004DFB18 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFB1B |. C600 01 ||mov byte ptr [eax], 1
004DFB1E |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFB21 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB24 |. B1 02 ||mov cl, 2
004DFB26 |. E8 FD32F2FF ||call 00402E28
004DFB2B |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
004DFB2E |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFB31 |. E8 2233F2FF ||call 00402E58
004DFB36 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFB39 |. 8BD3 ||mov edx, ebx
004DFB3B |. 03D2 ||add edx, edx
004DFB3D |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
004DFB40 |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1]
004DFB44 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFB47 |. C600 01 ||mov byte ptr [eax], 1
004DFB4A |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFB4D |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFB50 |. B1 03 ||mov cl, 3
004DFB52 |. E8 D132F2FF ||call 00402E28
004DFB57 |. 8D55 D0 ||lea edx, dword ptr [ebp-30]
004DFB5A |. 8D45 DC ||lea eax, dword ptr [ebp-24]
004DFB5D |. E8 224BF2FF ||call 00404684
004DFB62 |. 8B45 DC ||mov eax, dword ptr [ebp-24]
004DFB65 |. E8 CE96F2FF ||call 00409238
004DFB6A |. 8845 E7 ||mov byte ptr [ebp-19], al
004DFB6D |. BA 64FC4D00 ||mov edx, 004DFC64
004DFB72 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB75 |. E8 DE32F2FF ||call 00402E58
004DFB7A |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFB7D |. 8BD6 ||mov edx, esi
004DFB7F |. 03D2 ||add edx, edx
004DFB81 |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
004DFB84 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2]
004DFB88 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFB8B |. C600 01 ||mov byte ptr [eax], 1
004DFB8E |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFB91 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB94 |. B1 02 ||mov cl, 2
004DFB96 |. E8 8D32F2FF ||call 00402E28
004DFB9B |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
004DFB9E |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFBA1 |. E8 B232F2FF ||call 00402E58
004DFBA6 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFBA9 |. 8BD6 ||mov edx, esi
004DFBAB |. 03D2 ||add edx, edx
004DFBAD |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
004DFBB0 |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1]
004DFBB4 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFBB7 |. C600 01 ||mov byte ptr [eax], 1
004DFBBA |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFBBD |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFBC0 |. B1 03 ||mov cl, 3
004DFBC2 |. E8 6132F2FF ||call 00402E28
004DFBC7 |. 8D55 D0 ||lea edx, dword ptr [ebp-30]
004DFBCA |. 8D45 CC ||lea eax, dword ptr [ebp-34]
004DFBCD |. E8 B24AF2FF ||call 00404684
004DFBD2 |. 8B45 CC ||mov eax, dword ptr [ebp-34]
004DFBD5 |. E8 5E96F2FF ||call 00409238
004DFBDA |. 3245 E7 ||xor al, byte ptr [ebp-19] ; a pile of preprocessing above; this is the key xor
004DFBDD |. 8845 E6 ||mov byte ptr [ebp-1A], al
004DFBE0 |. 8D45 C4 ||lea eax, dword ptr [ebp-3C]
004DFBE3 |. 8A55 E6 ||mov dl, byte ptr [ebp-1A]
004DFBE6 |. E8 1D4AF2FF ||call 00404608
004DFBEB |. 8B45 C4 ||mov eax, dword ptr [ebp-3C]
004DFBEE |. 8D55 C8 ||lea edx, dword ptr [ebp-38]
004DFBF1 |. E8 C2FDFFFF ||call 004DF9B8
004DFBF6 |. 8B55 C8 ||mov edx, dword ptr [ebp-38]
004DFBF9 |. 8D45 E8 ||lea eax, dword ptr [ebp-18]
004DFBFC |. E8 E74AF2FF ||call 004046E8 ; "strcat()"
004DFC01 |. 43 ||inc ebx
004DFC02 |. 4F ||dec edi
004DFC03 |.^ 0F85 F4FEFFFF |\jnz 004DFAFD
004DFC09 |> 46 |inc esi
004DFC0A |. FF4D E0 |dec dword ptr [ebp-20]
004DFC0D |.^ 0F85 B4FEFFFF \jnz 004DFAC7
004DFC13 |> 8B45 F8 mov eax, dword ptr [ebp-8]
004DFC16 |. 8B55 E8 mov edx, dword ptr [ebp-18]
004DFC19 |. E8 5648F2FF call 00404474
004DFC1E |. 33C0 xor eax, eax
004DFC20 |. 5A pop edx
004DFC21 |. 59 pop ecx
004DFC22 |. 59 pop ecx
004DFC23 |. 64:8910 mov dword ptr fs:[eax], edx
004DFC26 |. 68 5DFC4D00 push 004DFC5D
004DFC2B |> 8D45 C4 lea eax, dword ptr [ebp-3C]
004DFC2E |. BA 03000000 mov edx, 3
004DFC33 |. E8 0C48F2FF call 00404444
004DFC38 |. 8D45 DC lea eax, dword ptr [ebp-24]
004DFC3B |. E8 E047F2FF call 00404420
004DFC40 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004DFC43 |. BA 04000000 mov edx, 4
004DFC48 |. E8 F747F2FF call 00404444
004DFC4D |. 8D45 FC lea eax, dword ptr [ebp-4]
004DFC50 |. E8 CB47F2FF call 00404420
004DFC55 \. C3 retn
This section is simple, so I won't annotate it: XOR the ASCII value of each character of PT in turn with the ASCII value of the first character of key to get string n1; XOR the ASCII value of each character of n1 with the ASCII value of the second character of key to get n2; continue like this through every character of key, and the result is a
0050559F |. 8B55 E8 mov edx, dword ptr [ebp-18]
005055A2 |. 8D45 FC lea eax, dword ptr [ebp-4]
005055A5 |. E8 0EEFEFFF call 004044B8 ; switch to the value to be processed (unimportant here, probably related to how the compiler handles things)
005055AA |. 8D4D E0 lea ecx, dword ptr [ebp-20]
005055AD |. BA B45A5000 mov edx, 00505AB4 ; ASCII "http://www.jesen.cn"
005055B2 |. 8B83 D0040000 mov eax, dword ptr [ebx+4D0]
005055B8 |. E8 775BF7FF call 0047B134 ; DES, key=http://www.jesen.cn, PT=machine serial number; gives b
005055BD |. 8B55 E0 mov edx, dword ptr [ebp-20]
005055C0 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
005055C3 |. 8B45 FC mov eax, dword ptr [ebp-4]
005055C6 |. E8 695BF7FF call 0047B134 ; DES,key=b,PT=a
005055CB |. 8B55 E4 mov edx, dword ptr [ebp-1C]
005055CE |. 8D45 FC lea eax, dword ptr [ebp-4]
005055D1 |. E8 E2EEEFFF call 004044B8 ; switch object (unimportant here, probably related to how the compiler handles things)
005055D6 |. 8D55 DC lea edx, dword ptr [ebp-24]
005055D9 |. 8B45 FC mov eax, dword ptr [ebp-4]
005055DC |. E8 3F69F7FF call 0047BF20 ; md5
005055E1 |. 8B55 DC mov edx, dword ptr [ebp-24]
005055E4 |. 8D45 FC lea eax, dword ptr [ebp-4]
005055E7 |. E8 CCEEEFFF call 004044B8 ; switch object (unimportant here, probably related to how the compiler handles things)
005055EC |. 8B83 C4040000 mov eax, dword ptr [ebx+4C4]
005055F2 |. E8 E9F0EFFF call 004046E0 ; get the length of eax
005055F7 |. 83E8 0A sub eax, 0A ; Switch (cases A..10)
005055FA |. 74 62 je short 0050565E ; Standard edition
005055FC |. 83E8 02 sub eax, 2
005055FF |. 74 17 je short 00505618 ;
00505601 |. 83E8 02 sub eax, 2
00505604 |. 0F84 18010000 je 00505722 ; VIP
0050560A |. 83E8 02 sub eax, 2
0050560D |. 0F84 D3010000 je 005057E6 ; Diamond
00505613 |. E9 A5030000 jmp 005059BD ; failure
I'm testing with Diamond here, so we arrive at this
005057E6 |> \68 AC415100 push 005141AC ; Case 10 of switch 005055F7
005057EB |. 8D45 8C lea eax, dword ptr [ebp-74]
005057EE |. 50 push eax
005057EF |. B9 06000000 mov ecx, 6
005057F4 |. BA 08000000 mov edx, 8
005057F9 |. 8B45 FC mov eax, dword ptr [ebp-4]
005057FC |. E8 3FF1EFFF call 00404940 ; substr(eax,7,6)
00505801 |. FF75 8C push dword ptr [ebp-74]
00505804 |. 8D45 88 lea eax, dword ptr [ebp-78]
00505807 |. 50 push eax
00505808 |. B9 07000000 mov ecx, 7
0050580D |. BA 12000000 mov edx, 12
00505812 |. 8B45 FC mov eax, dword ptr [ebp-4]
00505815 |. E8 26F1EFFF call 00404940 ; substr(eax,17,7)
0050581A |. FF75 88 push dword ptr [ebp-78]
0050581D |. 8D45 84 lea eax, dword ptr [ebp-7C]
00505820 |. 50 push eax
00505821 |. B9 03000000 mov ecx, 3
00505826 |. BA 03000000 mov edx, 3
0050582B |. 8B45 FC mov eax, dword ptr [ebp-4]
0050582E |. E8 0DF1EFFF call 00404940 ; substr(eax,2,3)
00505833 |. FF75 84 push dword ptr [ebp-7C]
00505836 |. 8D45 80 lea eax, dword ptr [ebp-80]
00505839 |. 50 push eax
0050583A |. B9 03000000 mov ecx, 3
0050583F |. BA 0D000000 mov edx, 0D
00505844 |. 8B45 FC mov eax, dword ptr [ebp-4]
00505847 |. E8 F4F0EFFF call 00404940 ; substr(eax,12,3)
0050584C |. FF75 80 push dword ptr [ebp-80]
0050584F |. 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00505855 |. 50 push eax
00505856 |. B9 05000000 mov ecx, 5
0050585B |. BA 16000000 mov edx, 16
00505860 |. 8B45 FC mov eax, dword ptr [ebp-4]
00505863 |. E8 D8F0EFFF call 00404940 ; substr(eax,21,5)
00505868 |. FFB5 7CFFFFFF push dword ptr [ebp-84]
0050586E |. 8D45 90 lea eax, dword ptr [ebp-70]
00505871 |. BA 05000000 mov edx, 5
00505876 |. E8 25EFEFFF call 004047A0 ; concatenate the preceding 5 strings in order
0050587B |. 8B45 90 mov eax, dword ptr [ebp-70]
0050587E |. 8D55 94 lea edx, dword ptr [ebp-6C]
00505881 |. E8 9A66F7FF call 0047BF20 ; md5
00505886 |. 8B45 94 mov eax, dword ptr [ebp-6C]
00505889 |. 8D4D 98 lea ecx, dword ptr [ebp-68]
0050588C |. BA D05A5000 mov edx, 00505AD0 ; ASCII "Impressions"
00505891 |. E8 9E58F7FF call 0047B134 ; DES,key=Impressions
00505896 |. 8B45 98 mov eax, dword ptr [ebp-68]
00505899 |. B9 10000000 mov ecx, 10
0050589E |. BA 05000000 mov edx, 5
005058A3 |. E8 98F0EFFF call 00404940 ; substr(eax,4,16)
005058A8 |. C705 B4415100>mov dword ptr [5141B4], 3
005058B2 |. 8D4D F8 lea ecx, dword ptr [ebp-8]
005058B5 |. BA E45A5000 mov edx, 00505AE4 ; ASCII "nmmd-sgpj"
005058BA |. B8 1C5B5000 mov eax, 00505B1C
005058BF |. E8 7058F7FF call 0047B134 ; DES, PT="[Diamond edition]", key="nmmd-sgpj". Just a distraction, ignore it
005058C4 |> 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
005058CA |. 50 push eax
005058CB |. B9 06000000 mov ecx, 6
005058D0 |. BA 04000000 mov edx, 4
005058D5 |. A1 AC415100 mov eax, dword ptr [5141AC]
005058DA |. E8 61F0EFFF call 00404940 ; take 6 bytes starting from position 8 counting from the left
005058DF |. 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
005058E5 |. 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
005058EB |. E8 C8A0FDFF call 004DF9B8 ; convert each character to its ASCII code
005058F0 |. 8B85 74FFFFFF mov eax, dword ptr [ebp-8C]
005058F6 |. 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88]
005058FC |. BA 305B5000 mov edx, 00505B30 ; ASCII "sgpj-nmmd"
00505901 |. E8 2E58F7FF call 0047B134 ; DES,key=sgpj-nmmd
00505906 |. 8B85 78FFFFFF mov eax, dword ptr [ebp-88]
0050590C |. 50 push eax
0050590D |. 8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00505913 |. 50 push eax
00505914 |. B9 06000000 mov ecx, 6
00505919 |. BA 04000000 mov edx, 4
0050591E |. 8B83 C4040000 mov eax, dword ptr [ebx+4C4]
00505924 |. E8 17F0EFFF call 00404940 ; take 6 bytes from position 4 (counting from the left) of the registration-code value stored in the registry earlier
00505929 |. 8B85 64FFFFFF mov eax, dword ptr [ebp-9C]
0050592F |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00505935 |. E8 7EA0FDFF call 004DF9B8 ; convert each character to its ASCII code
0050593A |. 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
00505940 |. 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
00505946 |. BA 305B5000 mov edx, 00505B30 ; ASCII "sgpj-nmmd"
0050594B |. E8 E457F7FF call 0047B134 ; DES,key=sgpj-nmmd
00505950 |. 8B95 6CFFFFFF mov edx, dword ptr [ebp-94]
00505956 |. 58 pop eax
00505957 |. E8 D0EEEFFF call 0040482C ; eax is the real one, edx is the entered one
0050595C |. 75 5F jnz short 005059BD ; not equal: jump away
0050595E |. C683 D8040000>mov byte ptr [ebx+4D8], 1
00505965 |. 833D B4415100>cmp dword ptr [5141B4], 1
0050596C |. 74 07 je short 00505975
0050596E |. C683 D9040000>mov byte ptr [ebx+4D9], 1
00505975 |> B8 B0415100 mov eax, 005141B0
0050597A |. 8B55 F8 mov edx, dword ptr [ebp-8]
0050597D |. E8 F2EAEFFF call 00404474
00505982 |. 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
00505988 |. BA E45A5000 mov edx, 00505AE4 ; ASCII "nmmd-sgpj"
0050598D |. A1 B0415100 mov eax, dword ptr [5141B0]
00505992 |. E8 8559F7FF call 0047B31C
00505997 |. 8B8D 5CFFFFFF mov ecx, dword ptr [ebp-A4]
0050599D |. 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
005059A3 |. BA 445B5000 mov edx, 00505B44
005059A8 |. E8 7FEDEFFF call 0040472C
005059AD |. 8B95 60FFFFFF mov edx, dword ptr [ebp-A0]
005059B3 |. A1 A0415100 mov eax, dword ptr [5141A0]
005059B8 |. E8 6F34F5FF call 00458E2C
005059BD |> 33C0 xor eax, eax ; Default case of switch 005055F7
005059BF |. 5A pop edx
005059C0 |. 59 pop ecx
005059C1 |. 59 pop ecx
005059C2 |. 64:8910 mov dword ptr fs:[eax], edx
005059C5 |. 68 E2595000 push 005059E2
005059CA |> 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
005059D0 |. BA 29000000 mov edx, 29
005059D5 |. E8 6AEAEFFF call 00404444
005059DA \. C3 retn
005059DB .^ E9 E0E2EFFF jmp 00403CC0
005059E0 .^ EB E8 jmp short 005059CA
005059E2 . 5E pop esi
005059E3 . 5B pop ebx
005059E4 . 8BE5 mov esp, ebp
005059E6 . 5D pop ebp
005059E7 . C3 retn
Now the whole picture is clear
[Algorithm summary]
Note: on inspection the DES turned out to be des_sbox1; I didn't trace it in detail
////////////////////////////////////////////
~MD5 of the registration code
~DES, key="Impressions"
~take 16 characters starting from position 5 counting from the left
~6 bytes starting from position 4 counting from the left
~convert each character to its ASCII code
~DES, key=sgpj-nmmd
////////////////////////////////////////////
~MD5 of the user name
~XOR the ASCII value of each of its characters in turn with the ASCII value of the first character of "killyou?yes" to get string n1; XOR the ASCII value of each character of n1 with the ASCII value of the second character of "killyou?yes" to get n2; continue like this through every character of "killyou?yes"; the result is a
~DES, key=http://www.jesen.cn, PT=machine serial number; gives b
~DES, key=b, PT=a
~MD5
~take 6 characters from position 8, 7 characters from position 18, 3 characters from position 3, 3 characters from position 13 and 5 characters from position 22, and concatenate them in order
~MD5
~DES, key=Impressions
~take 16 characters starting from position 5
~6 bytes starting from position 4 counting from the left
~convert each character to its ASCII code
~DES, key=sgpj-nmmd
////////////////////////////////////////////
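As an added illustration, not code from the original post, of the chained XOR step seen after the 004DFA54 listing and repeated in the summary above: each round XORs every byte of the current value with one key byte and re-encodes the result as hex, so the whole chain collapses to a single-byte XOR with all key bytes folded together (0x31 for "killyou?yes"), and applying it a second time returns the input. The two-hex-digits-per-byte format of the "ASCII value" string is an assumption drawn from the halved lengths and the pairwise character reads in the listing.

```python
# Added example (not the original author's code): the chained XOR from the
# 004DFA54 routine, written out so the weakness is visible.
# Assumption: the "ASCII value" string holds two hex digits per byte.


def to_hex(data: bytes) -> str:
    """Two uppercase hex digits per byte (assumed format of the 'ASCII value' string)."""
    return data.hex().upper()


def from_hex(text: str) -> bytes:
    return bytes.fromhex(text)


def chained_xor(pt_hex: str, key_hex: str) -> str:
    """One round per key byte, as the outer loop in the listing does.

    Inner loop: XOR every byte of the current value with that key byte and
    re-encode the result as hex; the output of one round feeds the next.
    """
    current = pt_hex
    for i in range(len(key_hex) // 2):
        key_byte = int(key_hex[2 * i:2 * i + 2], 16)      # one key byte per round
        out = []
        for j in range(len(current) // 2):
            pt_byte = int(current[2 * j:2 * j + 2], 16)    # one data byte
            out.append(to_hex(bytes([pt_byte ^ key_byte])))  # the "key xor", then strcat
        current = "".join(out)
    return current


def folded_key_byte(key: bytes) -> int:
    """XOR of all key bytes: the only thing the whole chain actually depends on."""
    folded = 0
    for k in key:
        folded ^= k
    return folded


def single_byte_xor_hex(pt: bytes, key: bytes) -> str:
    """Closed form of the chain: one XOR per byte with the folded key byte."""
    f = folded_key_byte(key)
    return to_hex(bytes(b ^ f for b in pt))


def chain_equals_single_xor(pt: bytes, key: bytes) -> bool:
    """True when the round-by-round chain and the closed form agree (they always do)."""
    return chained_xor(to_hex(pt), to_hex(key)) == single_byte_xor_hex(pt, key)


def undo_chain(out_hex: str, key: bytes) -> bytes:
    """XOR is an involution, so running the chain again recovers the input."""
    return from_hex(chained_xor(out_hex, to_hex(key)))


if __name__ == "__main__":
    key = b"killyou?yes"
    sample = b"constructed sample"            # constructed input, not page data
    print(hex(folded_key_byte(key)))          # 0x31
    print(chain_equals_single_xor(sample, key))
    print(undo_chain(chained_xor(to_hex(sample), to_hex(key)), key) == sample)
```

Eleven rounds of "layered" XOR therefore give exactly the protection of a single fixed byte, which is why the intermediate value leaks the user-name hash under a trivial transform.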
The registration code does not need to be derived backwards: because the user-name computation and the registration-code computation share a common stretch, the plaintext registration code can be read directly from memory. For example, set a breakpoint at 00505876 and you can see 243aa4028cf1c1254eaf1cb2, which is the Diamond edition registration code
So we have: user name: the0crat
Machine code: 1788F74A
Registration code: Diamond edition: 243aa4028cf1c1254eaf1cb2
VIP: 1259B8BA4EAF19B243AA
Standard edition: F1028259B028C8B3
A keygen like this isn't even worth writing, so none is provided here
But a registration code alone is no use; there is also the online verification
Go on to the online verification
005061BB . E8 ECF2FFFF call 005054AC ; we just came out of here
005061C0 . 8B45 FC mov eax, dword ptr [ebp-4]
005061C3 . 05 78040000 add eax, 478
005061C8 . BA 606A5000 mov edx, 00506A60 ; ASCII "http://softmain.wlds.net/soft_htm/reg_hj.txt"
005061CD . E8 A2E2EFFF call 00404474
005061D2 . 33C0 xor eax, eax
005061D4 . 55 push ebp
005061D5 . 68 DD625000 push 005062DD
005061DA . 64:FF30 push dword ptr fs:[eax]
005061DD . 64:8920 mov dword ptr fs:[eax], esp
005061E0 . 8D55 C8 lea edx, dword ptr [ebp-38]
005061E3 . 8B45 FC mov eax, dword ptr [ebp-4]
005061E6 . 8B80 78040000 mov eax, dword ptr [eax+478]
005061EC . E8 1396FDFF call 004DF804 ; read the contents of reg_hj.txt
reg_hj.txt holds the "please register" page (HTML) shown in the unregistered version's window. Interestingly, the end of the file contains this:
<iframe name=import_frame width=1 height=1 src=http://admin.onlinedown.net/admin/count_down.asp?id=33592 frameborder=no></iframe> Every time it is opened, the download count for this software on newhua.com goes up, heh, cheating
<iframe name=import_frame width=1 height=1 src=http://admin.onlinedown.net/admin/count_down.asp?id=44309 frameborder=no></iframe>
This one is fastTV's; hard to say whether the two programs come from the same people. That gets into economics, so I'll skip it~~~
<iframe name=import_frame width=1 height=1 src=http://iplog.skycn.com/wherefrom.php?id=19948 frameborder=no></iframe>
Same thing, only switched to skycn.com
<iframe name=import_frame width=1 height=1 src=http://iplog.skycn.com/wherefrom.php?id=24634 frameborder=no></iframe>
fastTV
Back to our program
005061F1 . 8B55 C8 mov edx, dword ptr [ebp-38]
005061F4 . 8B45 FC mov eax, dword ptr [ebp-4]
005061F7 . 05 7C040000 add eax, 47C
005061FC . E8 73E2EFFF call 00404474
00506201 . A0 906A5000 mov al, byte ptr [506A90]
00506206 . 50 push eax
00506207 . 8D45 C4 lea eax, dword ptr [ebp-3C]
0050620A . 50 push eax
0050620B . 8B45 FC mov eax, dword ptr [ebp-4]
0050620E . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
00506214 . 8D45 C0 lea eax, dword ptr [ebp-40]
00506217 . BA 9C6A5000 mov edx, 00506A9C ; ASCII "SerialNo="
0050621C . E8 0BE5EFFF call 0040472C
00506221 . 8B4D C0 mov ecx, dword ptr [ebp-40]
00506224 . 8B45 FC mov eax, dword ptr [ebp-4]
00506227 . 8B80 7C040000 mov eax, dword ptr [eax+47C]
0050622D . BA 9C6A5000 mov edx, 00506A9C ; ASCII "SerialNo="
00506232 . E8 8584F0FF call 0040E6BC
00506237 . 8B55 C4 mov edx, dword ptr [ebp-3C]
0050623A . 8B45 FC mov eax, dword ptr [ebp-4]
0050623D . 05 7C040000 add eax, 47C
00506242 . E8 2DE2EFFF call 00404474
00506247 . A0 906A5000 mov al, byte ptr [506A90]
0050624C . 50 push eax
0050624D . 8D45 BC lea eax, dword ptr [ebp-44]
00506250 . 50 push eax
00506251 . 8B45 FC mov eax, dword ptr [ebp-4]
00506254 . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
0050625A . 8D45 B8 lea eax, dword ptr [ebp-48]
0050625D . BA B06A5000 mov edx, 00506AB0 ; ASCII "usermcode_GET="
00506262 . E8 C5E4EFFF call 0040472C
00506267 . 8B4D B8 mov ecx, dword ptr [ebp-48]
0050626A . 8B45 FC mov eax, dword ptr [ebp-4]
0050626D . 8B80 7C040000 mov eax, dword ptr [eax+47C]
00506273 . BA B06A5000 mov edx, 00506AB0 ; ASCII "usermcode_GET="
00506278 . E8 3F84F0FF call 0040E6BC
0050627D . 8B55 BC mov edx, dword ptr [ebp-44]
00506280 . 8B45 FC mov eax, dword ptr [ebp-4]
00506283 . 05 7C040000 add eax, 47C
00506288 . E8 E7E1EFFF call 00404474
0050628D . A0 906A5000 mov al, byte ptr [506A90]
00506292 . 50 push eax
00506293 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00506296 . 50 push eax
00506297 . 8B45 FC mov eax, dword ptr [ebp-4]
0050629A . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
005062A0 . 8D45 B0 lea eax, dword ptr [ebp-50]
005062A3 . BA C86A5000 mov edx, 00506AC8 ; ASCII "BRegcode="
005062A8 . E8 7FE4EFFF call 0040472C
005062AD . 8B4D B0 mov ecx, dword ptr [ebp-50]
005062B0 . 8B45 FC mov eax, dword ptr [ebp-4]
005062B3 . 8B80 7C040000 mov eax, dword ptr [eax+47C]
005062B9 . BA C86A5000 mov edx, 00506AC8 ; ASCII "BRegcode="
005062BE . E8 F983F0FF call 0040E6BC
005062C3 . 8B55 B4 mov edx, dword ptr [ebp-4C]
005062C6 . 8B45 FC mov eax, dword ptr [ebp-4]
005062C9 . 05 7C040000 add eax, 47C
005062CE . E8 A1E1EFFF call 00404474
005062D3 . 33C0 xor eax, eax
005062D5 . 5A pop edx
005062D6 . 59 pop ecx
005062D7 . 59 pop ecx
005062D8 . 64:8910 mov dword ptr fs:[eax], edx
005062DB . EB 0A jmp short 005062E7
005062DD .^ E9 2AD7EFFF jmp 00403A0C
005062E2 . E8 51DBEFFF call 00403E38
005062E7 > 33C0 xor eax, eax
005062E9 . 55 push ebp
005062EA . 68 82635000 push 00506382
005062EF . 64:FF30 push dword ptr fs:[eax]
005062F2 . 64:8920 mov dword ptr fs:[eax], esp
005062F5 . 8B45 FC mov eax, dword ptr [ebp-4]
005062F8 . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
005062FE . 8D45 A8 lea eax, dword ptr [ebp-58]
00506301 . BA DC6A5000 mov edx, 00506ADC ; ASCII "http://www.jesen.cn/check/isdaolian.asp?id="
00506306 . E8 21E4EFFF call 0040472C ; concatenate the machine serial number with the string above
0050630B . 8B45 A8 mov eax, dword ptr [ebp-58]
0050630E . 8D55 AC lea edx, dword ptr [ebp-54]
00506311 . E8 EE94FDFF call 004DF804 ; the server checks the URL above and returns the string "已注册" (registered) or "已过期" (expired)
00506316 . 8B45 AC mov eax, dword ptr [ebp-54]
00506319 . 8D55 F4 lea edx, dword ptr [ebp-C]
0050631C . E8 D329F0FF call 00408CF4
00506321 . A1 B4295100 mov eax, dword ptr [5129B4]
00506326 . 8B00 mov eax, dword ptr [eax]
00506328 . E8 B72BF7FF call 00478EE4
0050632D . 8B45 F4 mov eax, dword ptr [ebp-C]
00506330 . BA 106B5000 mov edx, 00506B10 ; ASCII "已过期"
00506335 . E8 F2E4EFFF call 0040482C ; compare the string the server returned with "已过期" (expired)
0050633A . 75 0A jnz short 00506346 ; key jump
0050633C . 8B45 FC mov eax, dword ptr [ebp-4]
0050633F . E8 30EEFFFF call 00505174
00506344 . EB 32 jmp short 00506378
00506346 > 8B45 F4 mov eax, dword ptr [ebp-C]
00506349 . BA 206B5000 mov edx, 00506B20
0050634E . E8 D9E4EFFF call 0040482C
00506353 . 75 0C jnz short 00506361
00506355 . 8B45 FC mov eax, dword ptr [ebp-4]
00506358 . C680 D9040000>mov byte ptr [eax+4D9], 0
0050635F . EB 17 jmp short 00506378
00506361 > 8B45 F4 mov eax, dword ptr [ebp-C]
00506364 . BA 2C6B5000 mov edx, 00506B2C
00506369 . E8 BEE4EFFF call 0040482C
0050636E . 75 08 jnz short 00506378 ; change this to JMP and you can keep watching even unregistered; or open the file in UltraEdit, search for C0270900 and change it to FFFFFFFF, which is almost the same as unlimited viewing time
00506370 . 8B45 FC mov eax, dword ptr [ebp-4]
00506373 . E8 FCEDFFFF call 00505174 ; sets a Timer: on an unregistered copy a dialog asking you to register pops up after 10 min, and you can only watch programs again after restarting the software
00506378 > 33C0 xor eax, eax
0050637A . 5A pop edx
0050637B . 59 pop ecx
0050637C . 59 pop ecx
0050637D . 64:8910 mov dword ptr fs:[eax], edx
00506380 . EB 0A jmp short 0050638C
00506382 .^ E9 85D6EFFF jmp 00403A0C
00506387 . E8 ACDAEFFF call 00403E38
0050638C > 33C0 xor eax, eax
0050638E . 55 push ebp
0050638F . 68 E8655000 push 005065E8
00506394 . 64:FF30 push dword ptr fs:[eax]
00506397 . 64:8920 mov dword ptr fs:[eax], esp
0050639A . 8D55 A4 lea edx, dword ptr [ebp-5C]
0050639D . B8 3C6B5000 mov eax, 00506B3C ; ASCII "http://www.jesen.cn/check/url/url_2006.htm"
005063A2 . E8 5D94FDFF call 004DF804 ; reads the data stored in this file, which is actually the encoded URLs, separated by "-"
005063A7 . 8B45 A4 mov eax, dword ptr [ebp-5C]
005063AA . 8D55 F0 lea edx, dword ptr [ebp-10]
005063AD . E8 4229F0FF call 00408CF4
005063B2 . A1 B4295100 mov eax, dword ptr [5129B4]
005063B7 . 8B00 mov eax, dword ptr [eax]
005063B9 . E8 262BF7FF call 00478EE4
005063BE . BA 706B5000 mov edx, 00506B70
005063C3 . 8B45 F0 mov eax, dword ptr [ebp-10]
005063C6 . E8 9D98FDFF call 004DFC68
005063CB . 8BD8 mov ebx, eax
005063CD . 8BC3 mov eax, ebx
005063CF . 8B10 mov edx, dword ptr [eax]
005063D1 . FF52 14 call dword ptr [edx+14]
005063D4 . 85C0 test eax, eax
005063D6 . 0F84 A1010000 je 0050657D ; the program has a built-in set of URLs; if the jump is not taken, the URLs are extracted from the data above
When I was debugging, http://www.jesen.cn/check/url/url_2006.htm contained the following:
E6FA9B44FC2D6CCA90698A8AA0F2D6D3DEA82C6717C22FB003EF2313B39BA5F79BF75BE995128022-E8E1B00418B7BA49-E8E1B00418B7BA49-0F49CF90AE6B19BC3522C6E8391648A3DEA82C6717C22FB0E46F49E61E2EEE252966A571B7F585EA4EC22CA1F1B35B453BCB010916DFA8CA-0F49CF90AE6B19BC3522C6E8391648A3DEA82C6717C22FB0E46F49E61E2EEE2530EDCB1C15C0A5A6A943F0C8D9E4327A93E6296677C658D4-D2B978268269744D64D2365FD7A3AF68DEA82C6717C22FB06AF783C373B0C7AA2966A571B7F585EA4EC22CA1F1B35B452CEC4FC678F60291-0F49CF90AE6B19BC3522C6E8391648A3DEA82C6717C22FB06AF783C373B0C7AAF27AD9DDDB69C514A949317400FC7340935F94381E794F85-E8E1B00418B7BA49
--------------------------------------------------------------------------------
【Lessons learned】
Whenever I see "lessons learned" I think of the lab reports we had to write after every physics, circuits and analogue electronics lab; heavens, if I have to write one more summary I'll go mad.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the PEDIY (看雪) forum; when reposting, please credit the author and keep the article intact. Thanks!
2007-01-09 0:20:53
【Title】: MagicDVD 4.4.0 algorithm analysis
【Author】: the0crat
【Author's e-mail】: the0crat.cn_at_gmail.com
【Author's homepage】: http://the0crat.blogcn.com
【Date】: 20070126
【Software】: MagicDVD v4.4.0
【Protection】: serial number
【Language】: VC++ 6.0
【Tools】: OD
【Author's statement】: This article is for research and study only; I accept no legal responsibility for any consequences arising from it. Please point out any shortcomings.
【Copyright notice】: This article was originally written for the PEDIY (看雪) forum; when reposting, please credit the author and keep the article intact. Thanks!
--------------------------------------------------------------------------------
【Details】
No packer.
00428810 /$ 6A FF push -1
00428812 |. 68 F8704C00 push 004C70F8 ; SE handler installation
00428817 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0042881D |. 50 push eax
0042881E |. 64:8925 00000>mov dword ptr fs:[0], esp
00428825 |. 83EC 24 sub esp, 24
00428828 |. 8B4424 3C mov eax, dword ptr [esp+3C]
0042882C |. 53 push ebx
0042882D |. 55 push ebp
0042882E |. 8B6C24 3C mov ebp, dword ptr [esp+3C]
00428832 |. 56 push esi
00428833 |. 57 push edi
00428834 |. 55 push ebp
00428835 |. 8D4C24 48 lea ecx, dword ptr [esp+48]
00428839 |. C600 00 mov byte ptr [eax], 0
0042883C |. E8 FDF2FFFF call <jmp.&MFC42.#537>
00428841 |. 8B3D 2C264D00 mov edi, dword ptr [<&MSVCRT._mbscmp>; msvcrt._mbscmp
00428847 |. C74424 3C 000>mov dword ptr [esp+3C], 0
0042884F |. BE 04355000 mov esi, 00503504 ; ASCII "Christopher Bettison"
00428854 |> 8B4C24 44 /mov ecx, dword ptr [esp+44]
00428858 |. 56 |push esi
00428859 |. 51 |push ecx
0042885A |. FFD7 |call edi
0042885C |. 83C4 08 |add esp, 8
0042885F |. 85C0 |test eax, eax
00428861 |. 74 69 |je short 004288CC ; there is a list of IDs here; if the name matches one of them, fail
00428863 |. 83C6 6B |add esi, 6B
00428866 |. 81FE BD615000 |cmp esi, 005061BD
0042886C |.^ 7C E6 \jl short 00428854
0042886E |. 8B5C24 48 mov ebx, dword ptr [esp+48]
00428872 |. 83C9 FF or ecx, FFFFFFFF
00428875 |. 8BFB mov edi, ebx
00428877 |. 33C0 xor eax, eax
00428879 |. F2:AE repne scas byte ptr es:[edi]
0042887B |. F7D1 not ecx
0042887D |. 49 dec ecx
0042887E |. 83F9 14 cmp ecx, 14
00428881 |. 75 6F jnz short 004288F2 ; fail if the serial length is not 20
00428883 |. 50 push eax ; /timer => NULL
00428884 |. FF15 44264D00 call dword ptr [<&MSVCRT.time>] ; \time
0042888A |. 8D5424 50 lea edx, dword ptr [esp+50]
0042888E |. 894424 50 mov dword ptr [esp+50], eax
00428892 |. 52 push edx ; /timet
00428893 |. FF15 7C264D00 call dword ptr [<&MSVCRT.localtime>] ; \localtime
00428899 |. B9 09000000 mov ecx, 9
0042889E |. 8BF0 mov esi, eax
004288A0 |. 8D7C24 18 lea edi, dword ptr [esp+18]
004288A4 |. 53 push ebx
004288A5 |. F3:A5 rep movs dword ptr es:[edi], dword p>
004288A7 |. 8B4424 30 mov eax, dword ptr [esp+30]
004288AB |. 8B4C24 5C mov ecx, dword ptr [esp+5C]
004288AF |. 8B5424 2C mov edx, dword ptr [esp+2C]
004288B3 |. 05 6D070000 add eax, 76D
004288B8 |. 8901 mov dword ptr [ecx], eax
004288BA |. 8B4424 60 mov eax, dword ptr [esp+60]
004288BE |. 42 inc edx
004288BF |. 55 push ebp
004288C0 |. 8910 mov dword ptr [eax], edx
004288C2 |. E8 59FBFFFF call 00428420
The key call; step into it:
00428420 /$ 6A FF push -1
00428422 |. 68 A8704C00 push 004C70A8 ; SE handler installation
00428427 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0042842D |. 50 push eax
0042842E |. 64:8925 00000>mov dword ptr fs:[0], esp
00428435 |. 83EC 0C sub esp, 0C
00428438 |. 53 push ebx
00428439 |. 55 push ebp
0042843A |. 56 push esi
0042843B |. 57 push edi
0042843C |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00428440 |. E8 5FF4FFFF call <jmp.&MFC42.#540>
00428445 |. 8B7C24 30 mov edi, dword ptr [esp+30]
00428449 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0042844D |. 57 push edi
0042844E |. C74424 28 000>mov dword ptr [esp+28], 0
00428456 |. E8 E3F6FFFF call <jmp.&MFC42.#537>
0042845B |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0042845F |. C64424 24 01 mov byte ptr [esp+24], 1
00428464 |. E8 C1F5FFFF call <jmp.&MFC42.#6282> ; trimleft(void)
00428469 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0042846D |. E8 B2F5FFFF call <jmp.&MFC42.#6283> ; trimright(void)
00428472 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00428476 |. E8 A3F5FFFF call <jmp.&MFC42.#4204> ; convert the serial to upper case
0042847B |. 6A 30 push 30
0042847D |. 6A 4F push 4F
0042847F |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00428483 |. E8 12F5FFFF call <jmp.&MFC42.#6876>
00428488 |. 83CE FF or esi, FFFFFFFF
0042848B |. 33C0 xor eax, eax
0042848D |. 8BCE mov ecx, esi
0042848F |. F2:AE repne scas byte ptr es:[edi]
00428491 |. F7D1 not ecx
00428493 |. 49 dec ecx
00428494 |. 83F9 14 cmp ecx, 14
00428497 |. 75 3E jnz short 004284D7
00428499 |. 8B4424 2C mov eax, dword ptr [esp+2C]
0042849D |. 8D4C24 18 lea ecx, dword ptr [esp+18]
004284A1 |. 50 push eax
004284A2 |. E8 97F6FFFF call <jmp.&MFC42.#537>
004284A7 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
004284AB |. C64424 24 02 mov byte ptr [esp+24], 2
004284B0 |. E8 75F5FFFF call <jmp.&MFC42.#6282> ; trimleft(void)
004284B5 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
004284B9 |. E8 66F5FFFF call <jmp.&MFC42.#6283> ; trimright(void)
004284BE |. 8B4424 18 mov eax, dword ptr [esp+18]
004284C2 |. 8B48 F8 mov ecx, dword ptr [eax-8]
004284C5 |. 85C9 test ecx, ecx
004284C7 |. 75 25 jnz short 004284EE
004284C9 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
004284CD |. C64424 24 01 mov byte ptr [esp+24], 1
004284D2 |. E8 BBF3FFFF call <jmp.&MFC42.#800>
004284D7 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
004284DB |. C64424 24 00 mov byte ptr [esp+24], 0
004284E0 |. E8 ADF3FFFF call <jmp.&MFC42.#800>
004284E5 |. 897424 24 mov dword ptr [esp+24], esi
004284E9 |. E9 F2000000 jmp 004285E0
004284EE |> 50 push eax
004284EF |. E8 0C010000 call 00428600 ; sum the ASCII values of each character of the username
004284F4 |. 8BC8 mov ecx, eax
004284F6 |. BE 14000000 mov esi, 14
004284FB |. 81E1 FFFF0000 and ecx, 0FFFF
00428501 |. 83C4 04 add esp, 4
00428504 |. 8BC1 mov eax, ecx
00428506 |. 99 cdq
00428507 |. F7FE idiv esi ; then divide by the serial length, i.e. 20
00428509 |. 51 push ecx ; remainder n
0042850A |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0042850E |. 68 C0615000 push 005061C0 ; ASCII "%04x"
00428513 |. 51 push ecx
00428514 |. 8BFA mov edi, edx
00428516 |. E8 97F4FFFF call <jmp.&MFC42.#2818> ; format the hex value above as a 4-byte string m
0042851B |. 83C4 0C add esp, 0C
0042851E |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00428522 |. E8 F7F4FFFF call <jmp.&MFC42.#4204> ; convert to upper case
00428527 |. 8BCF mov ecx, edi
00428529 |. BF 14000000 mov edi, 14
0042852E |. 81E1 FFFF0000 and ecx, 0FFFF
00428534 |. 8B7424 14 mov esi, dword ptr [esp+14]
00428538 |. 8D41 05 lea eax, dword ptr [ecx+5]
0042853B |. 8A1E mov bl, byte ptr [esi]
0042853D |. 99 cdq
0042853E |. F7FF idiv edi ; username length / serial length
00428540 |. 8B7C24 10 mov edi, dword ptr [esp+10]
00428544 |. 3A1C3A cmp bl, byte ptr [edx+edi] ; remainder k; compare character k+1 of upper(serial) with the 1st character of m
00428547 |. 75 73 jnz short 004285BC ; fail if they differ
00428549 |. 8D41 09 lea eax, dword ptr [ecx+9] ; n+=9
0042854C |. BD 14000000 mov ebp, 14
00428551 |. 99 cdq
00428552 |. F7FD idiv ebp ; n/20
00428554 |. 8A5E 01 mov bl, byte ptr [esi+1]
00428557 |. 3A1C3A cmp bl, byte ptr [edx+edi] ; remainder k; compare character k+1 of upper(serial) with the 2nd character of m
0042855A |. 75 60 jnz short 004285BC
0042855C |. 8D41 12 lea eax, dword ptr [ecx+12] ; n+=18
0042855F |. 8A5E 02 mov bl, byte ptr [esi+2]
00428562 |. 99 cdq
00428563 |. F7FD idiv ebp ; n/20
00428565 |. 3A1C3A cmp bl, byte ptr [edx+edi] ; remainder k; compare character k+1 of upper(serial) with the 3rd character of m
00428568 |. 75 52 jnz short 004285BC
0042856A |. 8D41 0B lea eax, dword ptr [ecx+B] ; n+=11
0042856D |. 8BCD mov ecx, ebp
0042856F |. 99 cdq
00428570 |. F7F9 idiv ecx ; n/20
00428572 |. 8A5E 03 mov bl, byte ptr [esi+3]
00428575 |. 3A1C3A cmp bl, byte ptr [edx+edi] ; remainder k; compare character k+1 of upper(serial) with the 4th character of m
00428578 |. 75 42 jnz short 004285BC
The serial is re-verified on every start-up.
【Algorithm summary】
.Upper-case the serial
.Sum of the ASCII values of the registration name, in hex -> formatted as a 4-byte string m
.Sum of the ASCII values of the registration name -> divided by the serial length, remainder n
Then the characters at the corresponding offsets in the serial are compared:
.1st character of m <=> [serial offset:] remainder of (username length / serial length) + 1
.2nd character of m <=> [serial offset:] remainder of (n+9)/20 + 1
.3rd character of m <=> [serial offset:] remainder of (n+18)/20 + 1
.4th character of m <=> [serial offset:] remainder of (n+11)/20 + 1
If these four characters match, the serial is accepted.
\\ keygen omitted
Username: the0crat
Serial: 2334567800ab3d7fghij
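To make the reconstructed check concrete, here is the routine at 00428420 written out in C for this article (it is not the author's keygen nor MagicDVD's source). The name hash computed at 00428600 is not on the page, so it is passed in as a parameter: with the sample serial above the four compared characters match for a hash of 0x337 (n = 3, which makes the first offset n+5 the 8 that the comment at 0042853E reads as the username length), whereas the plain ASCII sum of the0crat, 795, does not pass.

```c
/* Added example, not the author's or MagicDVD's code: the serial check
 * reconstructed from the disassembly at 00428420, in C99. The routine at
 * 00428600 is not shown on the page, so its 16-bit result is a parameter. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 20

/* The page's description of 00428600: sum the ASCII codes of the name. */
unsigned plain_ascii_sum(const char *name)
{
    unsigned sum = 0;
    for (; *name; name++)
        sum += (unsigned char)*name;
    return sum;
}

/* Trim surrounding blanks and upper-case the serial, as the MFC
 * TrimLeft/TrimRight/MakeUpper calls at 00428464..00428476 do.
 * Returns 0 if the result is not exactly 20 characters (cmp ecx, 14). */
static int normalize_serial(const char *in, char out[SERIAL_LEN + 1])
{
    while (*in == ' ') in++;
    size_t len = strlen(in);
    while (len && in[len - 1] == ' ') len--;
    if (len != SERIAL_LEN) return 0;
    for (size_t i = 0; i < SERIAL_LEN; i++)
        out[i] = (char)toupper((unsigned char)in[i]);
    out[SERIAL_LEN] = '\0';
    return 1;
}

/* 1 if the serial passes for the given name hash, 0 otherwise. */
int magicdvd_check(const char *serial_in, unsigned name_hash)
{
    char serial[SERIAL_LEN + 1];
    if (!normalize_serial(serial_in, serial)) return 0;

    unsigned h = name_hash & 0xFFFF;     /* and ecx, 0FFFF */
    unsigned n = h % SERIAL_LEN;         /* idiv esi (20): remainder n */
    char m[5];
    snprintf(m, sizeof m, "%04X", h);    /* Format("%04x") + MakeUpper */

    /* Offsets straight from lea eax,[ecx+5], [ecx+9], [ecx+12h], [ecx+0Bh],
     * each reduced mod 20 by the following idiv. */
    const unsigned add[4] = { 5, 9, 18, 11 };
    for (int i = 0; i < 4; i++)
        if (m[i] != serial[(n + add[i]) % SERIAL_LEN]) return 0;
    return 1;
}

int main(void)
{
    const char *serial = "2334567800ab3d7fghij";   /* pair from the page */
    unsigned sum = plain_ascii_sum("the0crat");
    printf("hash 0x337 -> %d\n", magicdvd_check(serial, 0x337));
    printf("plain sum %u -> %d\n", sum, magicdvd_check(serial, sum));
    return 0;
}
```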
【Title】: 屏幕录像专家 (Screen Recording Expert) V6.0 Build20070123 algorithm analysis
【Author】: the0crat
【Author's e-mail】: the0crat.cn_at_gmail.com
【Author's homepage】: http://the0crat.blogcn.com
【Date】: 20070205
【Software】: 屏幕录像专家 V6.0 Build20070123
【Protection】: serial number
【Language】: Borland C++ 1999
【Tools】: OD
【Author's statement】: This article is for research and study only; I accept no legal responsibility for any consequences arising from it. Please point out any shortcomings.
【Copyright notice】: This article was originally written for the PEDIY (看雪) forum; when reposting, please credit the author and keep the article intact. Thanks!
--------------------------------------------------------------------------------
【Details】
No packer; the usual breakpoints lead straight here, to the verification routine:
0043942C /. 55 push ebp
0043942D |. 8BEC mov ebp, esp
0043942F |. 81C4 C0FEFFFF add esp, -140
00439435 |. 53 push ebx
00439436 |. 56 push esi
00439437 |. 57 push edi
00439438 |. 8985 3CFFFFFF mov dword ptr [ebp-C4], eax
0043943E |. B8 60065100 mov eax, 00510660
00439443 |. E8 B4560A00 call 004DEAFC
00439448 |. 66:C785 50FFF>mov word ptr [ebp-B0], 8
00439451 |. 8D45 FC lea eax, dword ptr [ebp-4]
00439454 |. E8 CB83FCFF call 00401824
00439459 |. 8BD0 mov edx, eax
0043945B |. FF85 5CFFFFFF inc dword ptr [ebp-A4]
00439461 |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
00439467 |. 8B81 E4020000 mov eax, dword ptr [ecx+2E4]
0043946D |. E8 56270700 call 004ABBC8
00439472 |. 8D55 FC lea edx, dword ptr [ebp-4]
00439475 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00439478 |. 8B0A mov ecx, dword ptr [edx]
0043947A |. 51 push ecx
0043947B |. E8 A483FCFF call 00401824
00439480 |. 8BD0 mov edx, eax
00439482 |. FF85 5CFFFFFF inc dword ptr [ebp-A4]
00439488 |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
0043948E |. 8B81 DC020000 mov eax, dword ptr [ecx+2DC]
00439494 |. E8 2F270700 call 004ABBC8
00439499 |. 8D55 F8 lea edx, dword ptr [ebp-8]
0043949C |. 8B0A mov ecx, dword ptr [edx]
0043949E |. 51 push ecx
0043949F |. 8B85 3CFFFFFF mov eax, dword ptr [ebp-C4]
004394A5 |. 50 push eax
004394A6 |. E8 2D0D0000 call 0043A1D8
004394AB |. 83C4 0C add esp, 0C
004394AE |. 3C 01 cmp al, 1
004394B0 |. 0F94C2 sete dl
004394B3 |. 83E2 01 and edx, 1
004394B6 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004394B9 |. 52 push edx
004394BA |. BA 02000000 mov edx, 2
004394BF |. FF8D 5CFFFFFF dec dword ptr [ebp-A4]
004394C5 |. E8 9A110B00 call 004EA664
004394CA |. FF8D 5CFFFFFF dec dword ptr [ebp-A4] ; |
004394D0 |. 8D45 FC lea eax, dword ptr [ebp-4] ; |
004394D3 |. BA 02000000 mov edx, 2 ; |
004394D8 |. E8 87110B00 call 004EA664 ; \屏录专家.004EA664
004394DD |. 59 pop ecx
004394DE |. 84C9 test cl, cl
004394E0 |. 74 48 je short 0043952A ; checks whether the serial is one for the current version
004394E2 |. 66:C785 50FFF>mov word ptr [ebp-B0], 14
004394EB |. BA 14035100 mov edx, 00510314
004394F0 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004394F3 |. E8 340F0B00 call 004EA42C
004394F8 |. FF85 5CFFFFFF inc dword ptr [ebp-A4]
004394FE |. 8B00 mov eax, dword ptr [eax]
00439500 |. E8 ABD20600 call 004A67B0
00439505 |. FF8D 5CFFFFFF dec dword ptr [ebp-A4]
0043950B |. 8D45 F4 lea eax, dword ptr [ebp-C]
0043950E |. BA 02000000 mov edx, 2
00439513 |. E8 4C110B00 call 004EA664
00439518 |. 8B8D 40FFFFFF mov ecx, dword ptr [ebp-C0]
0043951E |. 64:890D 00000>mov dword ptr fs:[0], ecx
00439525 |. E9 920C0000 jmp 0043A1BC
0043952A |> 6A 14 push 14 ; /Arg3 = 00000014
0043952C |. 6A 00 push 0 ; |Arg2 = 00000000
0043952E |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00439534 |. 50 push eax ; |Arg1
00439535 |. E8 6E520A00 call 004DE7A8 ; \屏录专家.004DE7A8
0043953A |. 83C4 0C add esp, 0C
0043953D |. 33FF xor edi, edi
0043953F |. 6A 14 push 14 ; /Arg3 = 00000014
00439541 |. 6A 00 push 0 ; |Arg2 = 00000000
00439543 |. 8D85 14FFFFFF lea eax, dword ptr [ebp-EC] ; |
00439549 |. 50 push eax ; |Arg1
0043954A |. E8 59520A00 call 004DE7A8 ; \屏录专家.004DE7A8
0043954F |. 83C4 0C add esp, 0C
00439552 |. 8D95 E4FEFFFF lea edx, dword ptr [ebp-11C]
00439558 |. 6A 14 push 14 ; /Arg3 = 00000014
0043955A |. 6A 00 push 0 ; |Arg2 = 00000000
0043955C |. 52 push edx ; |Arg1
0043955D |. E8 46520A00 call 004DE7A8 ; \屏录专家.004DE7A8
00439562 |. 83C4 0C add esp, 0C
00439565 |. 66:C785 50FFF>mov word ptr [ebp-B0], 20
0043956E |. 8D45 F0 lea eax, dword ptr [ebp-10]
00439571 |. E8 AE82FCFF call 00401824
00439576 |. 8BD0 mov edx, eax
00439578 |. FF85 5CFFFFFF inc dword ptr [ebp-A4]
0043957E |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
00439584 |. 8B81 DC020000 mov eax, dword ptr [ecx+2DC]
0043958A |. E8 39260700 call 004ABBC8
0043958F |. 8D45 F0 lea eax, dword ptr [ebp-10]
00439592 |. E8 B5B9FCFF call 00404F4C ; get the username
00439597 |. 57 push edi
00439598 |. 8BF8 mov edi, eax
0043959A |. 33C0 xor eax, eax
0043959C |. 83C9 FF or ecx, FFFFFFFF
0043959F |. F2:AE repne scas byte ptr es:[edi]
004395A1 |. F7D1 not ecx
004395A3 |. 2BF9 sub edi, ecx
004395A5 |. 8DB5 E4FEFFFF lea esi, dword ptr [ebp-11C]
004395AB |. 87F7 xchg edi, esi
004395AD |. 8BD1 mov edx, ecx
004395AF |. 8BC7 mov eax, edi
004395B1 |. C1E9 02 shr ecx, 2
004395B4 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004395B7 |. F3:A5 rep movs dword ptr es:[edi], dword p>
004395B9 |. 8BCA mov ecx, edx
004395BB |. BA 02000000 mov edx, 2
004395C0 |. 83E1 03 and ecx, 3
004395C3 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
004395C5 |. 5F pop edi
004395C6 |. FF8D 5CFFFFFF dec dword ptr [ebp-A4]
004395CC |. E8 93100B00 call 004EA664
004395D1 |. 66:C785 50FFF>mov word ptr [ebp-B0], 2C
004395DA |. 8D45 EC lea eax, dword ptr [ebp-14]
004395DD |. E8 4282FCFF call 00401824
004395E2 |. 8BD0 mov edx, eax
004395E4 |. FF85 5CFFFFFF inc dword ptr [ebp-A4]
004395EA |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
004395F0 |. 8B81 F0020000 mov eax, dword ptr [ecx+2F0]
004395F6 |. E8 CD250700 call 004ABBC8
004395FB |. 8D45 EC lea eax, dword ptr [ebp-14]
004395FE |. E8 49B9FCFF call 00404F4C ; get the machine code
00439603 |. 57 push edi
00439604 |. 8BF8 mov edi, eax
00439606 |. 33C0 xor eax, eax
00439608 |. 83C9 FF or ecx, FFFFFFFF
0043960B |. F2:AE repne scas byte ptr es:[edi]
0043960D |. F7D1 not ecx
0043960F |. 2BF9 sub edi, ecx
00439611 |. 8DB5 FCFEFFFF lea esi, dword ptr [ebp-104]
00439617 |. 87F7 xchg edi, esi
00439619 |. 8BD1 mov edx, ecx
0043961B |. 8BC7 mov eax, edi
0043961D |. C1E9 02 shr ecx, 2
00439620 |. 8D45 EC lea eax, dword ptr [ebp-14]
00439623 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00439625 |. 8BCA mov ecx, edx
00439627 |. BA 02000000 mov edx, 2
0043962C |. 83E1 03 and ecx, 3
0043962F |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
00439631 |. 5F pop edi
00439632 |. FF8D 5CFFFFFF dec dword ptr [ebp-A4]
00439638 |. E8 27100B00 call 004EA664
0043963D |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00439643 |. 8D95 E4FEFFFF lea edx, dword ptr [ebp-11C]
00439649 |. 8985 2CFFFFFF mov dword ptr [ebp-D4], eax
0043964F |. 8995 30FFFFFF mov dword ptr [ebp-D0], edx
00439655 |. 33DB xor ebx, ebx ; clear the counter
00439657 |. 8DB5 14FFFFFF lea esi, dword ptr [ebp-EC]
0043965D |> 8B8D 30FFFFFF /mov ecx, dword ptr [ebp-D0]
00439663 |. 8B95 2CFFFFFF |mov edx, dword ptr [ebp-D4]
00439669 |. 8A01 |mov al, byte ptr [ecx] ; take the first character (from the left) of the username
0043966B |. 3202 |xor al, byte ptr [edx] ; XOR with the first character of the machine code, call it a
0043966D |. 83C4 F8 |add esp, -8
00439670 |. 8806 |mov byte ptr [esi], al ; |
00439672 |. 0FBE0E |movsx ecx, byte ptr [esi] ; |
00439675 |. 898D C8FEFFFF |mov dword ptr [ebp-138], ecx ; |
0043967B |. DB85 C8FEFFFF |fild dword ptr [ebp-138] ; |load into the FPU
00439681 |. DD1C24 |fstp qword ptr [esp] ; |
00439684 |. E8 33970A00 |call 004E2DBC ; \屏录专家.004E2DBC
00439689 |. 83C4 08 |add esp, 8
0043968C |. 899D C4FEFFFF |mov dword ptr [ebp-13C], ebx
00439692 |. DB85 C4FEFFFF |fild dword ptr [ebp-13C] ; load the counter value into the FPU, call it b
00439698 |. DEC9 |fmulp st(1), st ; a*b
0043969A |. 89BD C0FEFFFF |mov dword ptr [ebp-140], edi
004396A0 |. DB85 C0FEFFFF |fild dword ptr [ebp-140]
004396A6 |. DEC1 |faddp st(1), st ; then add edi
004396A8 |. E8 37970A00 |call 004E2DE4 ; value into eax
004396AD |. 8BF8 |mov edi, eax ; value into edi, used as the running sum
004396AF |. 43 |inc ebx ; counter+1
004396B0 |. 46 |inc esi
004396B1 |. FF85 2CFFFFFF |inc dword ptr [ebp-D4] ; advance the pointer to the next machine-code character
004396B7 |. FF85 30FFFFFF |inc dword ptr [ebp-D0] ; advance the pointer to the next username character; the username is padded with null characters
004396BD |. 83FB 14 |cmp ebx, 14 ; until all 20 machine-code characters are processed
004396C0 |.^ 7C 9B \jl short 0043965D
004396C2 |. 81C7 39300000 add edi, 3039 ; add 3039h to the value computed by the loop
004396C8 |. 8D95 14FFFFFF lea edx, dword ptr [ebp-EC]
004396CE |. 57 push edi ; /Arg3
004396CF |. 68 89035100 push 00510389 ; |Arg2 = 00510389 ASCII "%d"
004396D4 |. 52 push edx ; |Arg1
004396D5 |. E8 2E7C0A00 call 004E1308 ; \convert it to a decimal string, giving x
004396DA |. 83C4 0C add esp, 0C
004396DD |. 66:C785 50FFF>mov word ptr [ebp-B0], 38
004396E6 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004396E9 |. E8 3681FCFF call 00401824
004396EE |. 8BD0 mov edx, eax
004396F0 |. FF85 5CFFFFFF inc dword ptr [ebp-A4]
004396F6 |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-C4]
004396FC |. 8B81 E4020000 mov eax, dword ptr [ecx+2E4]
00439702 |. E8 C1240700 call 004ABBC8
00439707 |. 8D45 E8 lea eax, dword ptr [ebp-18]
0043970A |. E8 3DB8FCFF call 00404F4C ; get the entered serial
0043970F |. 57 push edi
00439710 |. 8BF8 mov edi, eax
00439712 |. 33C0 xor eax, eax
00439714 |. 83C9 FF or ecx, FFFFFFFF
00439717 |. F2:AE repne scas byte ptr es:[edi]
00439719 |. F7D1 not ecx
0043971B |. 2BF9 sub edi, ecx
0043971D |. 8DB5 CCFEFFFF lea esi, dword ptr [ebp-134]
00439723 |. 87F7 xchg edi, esi
00439725 |. 8BD1 mov edx, ecx
00439727 |. 8BC7 mov eax, edi
00439729 |. C1E9 02 shr ecx, 2
0043972C |. 8D45 E8 lea eax, dword ptr [ebp-18]
0043972F |. F3:A5 rep movs dword ptr es:[edi], dword p>
00439731 |. 8BCA mov ecx, edx
00439733 |. BA 02000000 mov edx, 2
00439738 |. 83E1 03 and ecx, 3
0043973B |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
0043973D |. 5F pop edi
0043973E |. FF8D 5CFFFFFF dec dword ptr [ebp-A4]
00439744 |. E8 1B0F0B00 call 004EA664
00439749 |. 33DB xor ebx, ebx ; clear the counter
0043974B |. 8D85 CCFEFFFF lea eax, dword ptr [ebp-134]
00439751 |. 8985 2CFFFFFF mov dword ptr [ebp-D4], eax
00439757 |. 8DB5 14FFFFFF lea esi, dword ptr [ebp-EC] ; ////////////////////////////*
0043975D |> 8B95 2CFFFFFF /mov edx, dword ptr [ebp-D4] ; //this loop subtracts 14h from each of the first five characters of the entered serial and compares them with x
00439763 |. 0FBE06 |movsx eax, byte ptr [esi]
00439766 |. 0FBE0A |movsx ecx, byte ptr [edx] ; take the first character (from the left) of the entered serial
00439769 |. 83C1 EC |add ecx, -14 ; -20
0043976C |. 3BC1 |cmp eax, ecx ; is it equal to the corresponding character of x?
0043976E |. 0F85 80000000 |jnz 004397F4 ; fail if different
00439774 |. 83FB 03 |cmp ebx, 3 ; counter check: have we reached the 4th character of the serial?
00439777 |. 75 6A |jnz short 004397E3 ; if not, jump
00439779 |. 81C7 444D0000 |add edi, 4D44 ; x+=4d44h
0043977F |. 89BD C8FEFFFF |mov dword ptr [ebp-138], edi
00439785 |. DB85 C8FEFFFF |fild dword ptr [ebp-138] ; load into the FPU
0043978B |. DC0D C4A14300 |fmul qword ptr [43A1C4] ; *3.14
00439791 |. DB2D CCA14300 |fld tbyte ptr [43A1CC]
00439797 |. DEC9 |fmulp st(1), st ; *0.1594896331738437120
00439799 |. E8 46960A00 |call 004E2DE4 ; integer part into eax
0043979E |. 8BF8 |mov edi, eax
004397A0 |. 8BC7 |mov eax, edi
004397A2 |. B9 A0860100 |mov ecx, 186A0
004397A7 |. 99 |cdq
004397A8 |. F7F9 |idiv ecx ; divide by 186A0h
004397AA |. 8BFA |mov edi, edx ; take the remainder, call it d
004397AC |. 33C0 |xor eax, eax
004397AE |. 8985 38FFFFFF |mov dword ptr [ebp-C8], eax ; clear the accumulator
004397B4 |. 33D2 |xor edx, edx
004397B6 |. 8D85 CCFEFFFF |lea eax, dword ptr [ebp-134]
004397BC |> 0FBE08 |/movsx ecx, byte ptr [eax] ; one character of the serial, from the left
004397BF |. 018D 38FFFFFF ||add dword ptr [ebp-C8], ecx ; accumulate
004397C5 |. 42 ||inc edx
004397C6 |. 40 ||inc eax ; advance the serial pointer
004397C7 |. 83FA 13 ||cmp edx, 13 ; loop 20 times
004397CA |.^ 7C F0 |\jl short 004397BC
004397CC |. 8B85 38FFFFFF |mov eax, dword ptr [ebp-C8]
004397D2 |. B9 0A000000 |mov ecx, 0A
004397D7 |. 99 |cdq
004397D8 |. F7F9 |idiv ecx ; accumulator value / 10
004397DA |. 83C2 30 |add edx, 30 ; remainder plus 30h, call it c
004397DD |. 8995 38FFFFFF |mov dword ptr [ebp-C8], edx
004397E3 |> 43 |inc ebx ; counter+1
004397E4 |. FF85 2CFFFFFF |inc dword ptr [ebp-D4] ; serial pointer to the next character
004397EA |. 46 |inc esi ; true-serial pointer to the next character
004397EB |. 83FB 05 |cmp ebx, 5
004397EE |.^ 0F8C 69FFFFFF \jl 0043975D ; *////////////////////////////
004397F4 |> 83FB 05 cmp ebx, 5
004397F7 |. 0F8C 68090000 jl 0043A165
004397FD |. 0FBE85 DFFEFF>movsx eax, byte ptr [ebp-121]
00439804 |. 3B85 38FFFFFF cmp eax, dword ptr [ebp-C8]
0043980A |. 74 09 je short 00439815 ; if c equals the ASCII of the last serial character, go on to the next step
0043980C |. 83F8 41 cmp eax, 41
0043980F |. 0F8C 50090000 jl 0043A165 ; or alternatively c greater than 41h
00439815 |> 8BC7 mov eax, edi ; take d
00439817 |. B9 0A000000 mov ecx, 0A
0043981C |. 99 cdq
0043981D |. F7F9 idiv ecx ; d/10, take the remainder
0043981F |. 0FBE841D CCFE>movsx eax, byte ptr [ebp+ebx-134] ; take the 6th character of the serial
00439827 |. 83C0 BF add eax, -41 ; -41h
0043982A |. 2BC2 sub eax, edx ; minus the remainder just computed
0043982C |. 85C0 test eax, eax
0043982E |. 74 09 je short 00439839 ; success if 0
00439830 |. 83F8 07 cmp eax, 7
00439833 |. 0F85 E1080000 jnz 0043A11A ; or alternatively 7
Algorithm summary
//
sum=0;
for(int i=0;i<20;i++){
sum+=i*(username xor machinecode)
}
sum=ascii(decimal(sum+0x3039));
a=ones_digit(remainder((int((sum+0x4D44)*3.14*0.1594896331738437120))/0x186A0))
b=ones digit of the sum of the ASCII values of the serial's characters + 0x30
Conditions that must all hold for registration to succeed:
1. sum[n] <==> serial[n]-0x14 must match for the first five n
2. b equals the ASCII of the last serial character
or b greater than 0x41
3. serial's 6th character - 41h - a equals 0 or 7
Machine code: 60279011771522222222
Username: the0crat
Serial: FFHLMI234567890abcde
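As an added example (not the author's code or the program's source), the whole check from 0043965D to 00439833 written out in C, using the page's symbols x, c and d, and run on the sample machine code, username and serial above. The two float constants are the ones the comments read from 43A1C4 and 43A1CC, and the serial-sum loop follows the disassembly's exit test (edx < 13h), i.e. it covers the first 19 characters.

```c
/* Added example, not the author's or the program's code: the verification
 * routine at 0043942C..00439833 in C99, with the page's symbols x, c, d. */
#include <stdio.h>
#include <string.h>

#define KEY_LEN 20

/* x: sum over i = 0..19 of i * (name[i] XOR machine[i]), plus 3039h. Both
 * buffers are 20 zero-filled bytes, so a short name is null-padded. */
long srecord_x(const char *machine, const char *name)
{
    char n[KEY_LEN] = {0}, m[KEY_LEN] = {0};
    strncpy(n, name, KEY_LEN);
    strncpy(m, machine, KEY_LEN);
    long x = 0;
    for (int i = 0; i < KEY_LEN; i++)                /* loop at 0043965D */
        x += (long)i * (signed char)(n[i] ^ m[i]);   /* a*b, added to edi */
    return x + 0x3039;                               /* add edi, 3039 */
}

/* 1 if (machine, name, serial) passes all three checks, 0 otherwise. */
int srecord_check(const char *machine, const char *name, const char *serial_in)
{
    char serial[KEY_LEN] = {0};
    strncpy(serial, serial_in, KEY_LEN);

    long x = srecord_x(machine, name);
    char xs[32];
    snprintf(xs, sizeof xs, "%ld", x);               /* sprintf("%d", x) */

    long d = 0, c = 0;
    for (int i = 0; i < 5; i++) {                    /* loop at 0043975D */
        /* check 1: serial[i] - 14h must equal digit i of x */
        if ((signed char)xs[i] != (signed char)serial[i] - 0x14) return 0;
        if (i == 3) {
            /* d = int((x + 4D44h) * 3.14 * 0.1594896331738437120) mod 186A0h */
            long double f = (long double)(x + 0x4D44) * 3.14
                            * 0.1594896331738437120L;
            d = (long)f % 0x186A0;
            /* c = (sum of serial[0..18]) mod 10 + 30h; the inner loop at
             * 004397BC exits once edx reaches 13h, i.e. after 19 characters */
            long acc = 0;
            for (int k = 0; k < 0x13; k++) acc += (signed char)serial[k];
            c = acc % 10 + 0x30;
        }
    }
    /* check 2: the last character equals c, or is not below 41h */
    int last = (signed char)serial[KEY_LEN - 1];
    if (last != c && last < 0x41) return 0;
    /* check 3: serial[5] - 41h - (d mod 10) must be 0 or 7 */
    long r = (signed char)serial[5] - 0x41 - d % 10;
    return r == 0 || r == 7;
}

int main(void)
{
    /* sample triple from the page */
    const char *mc = "60279011771522222222", *user = "the0crat";
    printf("x = %ld\n", srecord_x(mc, user));
    printf("FFHLMI234567890abcde -> %d\n",
           srecord_check(mc, user, "FFHLMI234567890abcde"));
    return 0;
}
```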
[ This post was last edited by the0crat on 2007-2-19 13:23 ]