发表于 2008-9-18 17:18:05
简单的分析下算法
算法的大概思路9楼的大侠已经说明了……
OD载入CM,F9运行,输入
Name: hflywolf
Serial: 1234567890
下断点 BP ShowWindow,按"Chack"按钮就断下了,去除断点,Ctrl+F9返回:
- 00406120 > \55 push ebp ;段首,在这下断。
- 00406121 . 8BEC mov ebp, esp
- 00406123 . 83EC 0C sub esp, 0C
- 00406126 . 68 86124000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE 处理程序安装
- 0040612B . 64:A1 0000000>mov eax, dword ptr fs:[0]
- 00406131 . 50 push eax
- 00406132 . 64:8925 00000>mov dword ptr fs:[0], esp
- 00406139 . 81EC BC010000 sub esp, 1BC
- ........省略N句
- 00406AA2 . 8B45 08 mov eax, dword ptr [ebp+8] ;返回到这,往上找到段首.
Ctrl+F2重新载入CM,F9运行,输入
Name: hflywolf
Serial: 1234567890
按下"Chack"按钮就断在00406120处,一直单步F8:
- 00406120 > \55 push ebp ;断在这,F8跟下去.
- ........省略N句
- 00406239 > \8B85 4CFFFFFF mov eax, dword ptr [ebp-B4] ;Name送入EAX
- 0040623F . 8D95 B4FEFFFF lea edx, dword ptr [ebp-14C]
- 00406245 . 8D4D CC lea ecx, dword ptr [ebp-34]
- 00406248 . 8985 BCFEFFFF mov dword ptr [ebp-144], eax
- 0040624E . C785 B4FEFFFF>mov dword ptr [ebp-14C], 8
- 00406258 . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaVarCo>;将数值8送到EAX所存的地址里
- 0040625E . 8B1D 54114000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
- 00406264 . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
- 0040626A . FFD3 call ebx ; <&MSVBVM60.__vbaFreeStr>
- 0040626C . 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
- 00406272 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
- 00406278 . 8D4D CC lea ecx, dword ptr [ebp-34]
- 0040627B . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
- 00406281 . 51 push ecx ; /var18
- 00406282 . 52 push edx ; |retBuffer8
- 00406283 . FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaLenVa>; \__vbaLenVar
- 00406289 . 8B35 0C104000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarMove
- 0040628F . 8BD0 mov edx, eax
- 00406291 . 8D4D B8 lea ecx, dword ptr [ebp-48]
- 00406294 . FFD6 call esi ; <&MSVBVM60.__vbaVarMove>
- 00406296 . B8 02800000 mov eax, 8002
- 0040629B . B9 02000000 mov ecx, 2
- 004062A0 . 8985 B4FEFFFF mov dword ptr [ebp-14C], eax
- 004062A6 . 8985 94FEFFFF mov dword ptr [ebp-16C], eax
- 004062AC . 8985 84FEFFFF mov dword ptr [ebp-17C], eax
- 004062B2 . 8985 74FEFFFF mov dword ptr [ebp-18C], eax
- 004062B8 . 898D ACFEFFFF mov dword ptr [ebp-154], ecx
- 004062BE . 898D A4FEFFFF mov dword ptr [ebp-15C], ecx
- 004062C4 . 8D45 B8 lea eax, dword ptr [ebp-48]
- 004062C7 . 8D8D B4FEFFFF lea ecx, dword ptr [ebp-14C]
- 004062CD . 50 push eax ; /var18
- 004062CE . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC] ; |
- 004062D4 . 51 push ecx ; |var28
- 004062D5 . 52 push edx ; |SaveTo8
- 004062D6 . 89BD BCFEFFFF mov dword ptr [ebp-144], edi ; |
- 004062DC . 89BD 9CFEFFFF mov dword ptr [ebp-164], edi ; |
- 004062E2 . C785 8CFEFFFF>mov dword ptr [ebp-174], 8 ; 用户名长度最小为8
- 004062EC . C785 7CFEFFFF>mov dword ptr [ebp-184], 18 ; 用户名长度最大为24(HEX(18))
- 004062F6 . FF15 28114000 call dword ptr [<&MSVBVM60.__vbaVarCm>; 如果用户名为空则[EAX+8]为0xFFFF,反之为0
- 004062FC . 50 push eax
- 004062FD . 8D45 B8 lea eax, dword ptr [ebp-48]
- 00406300 . 8D8D A4FEFFFF lea ecx, dword ptr [ebp-15C]
- 00406306 . 50 push eax ; /var18
- 00406307 . 8D95 24FFFFFF lea edx, dword ptr [ebp-DC] ; |
- 0040630D . 51 push ecx ; |var28
- 0040630E . 52 push edx ; |SaveTo8
- 0040630F . FF15 30114000 call dword ptr [<&MSVBVM60.__vbaVarMo>; 用户名长度除以2,余数返回到[eax+8]
- 00406315 . 50 push eax
- 00406316 . 8D85 94FEFFFF lea eax, dword ptr [ebp-16C]
- 0040631C . 8D8D 14FFFFFF lea ecx, dword ptr [ebp-EC]
- 00406322 . 50 push eax
- 00406323 . 51 push ecx
- 00406324 . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaVarCm>;用户名长度不是偶数则[EAX+8]为0xFFFF,反之为0
- 0040632A . 8D95 04FFFFFF lea edx, dword ptr [ebp-FC]
- 00406330 . 50 push eax
- 00406331 . 52 push edx
- 00406332 . FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaVarOr>;将上面两个CALL(4062F6与406324)返回的结果进行或运算。
- 00406338 . 50 push eax ;运算的结果返回到EAX并压栈
- 00406339 . 8D45 B8 lea eax, dword ptr [ebp-48]
- 0040633C . 8D8D 84FEFFFF lea ecx, dword ptr [ebp-17C]
- 00406342 . 50 push eax
- 00406343 . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
- 00406349 . 51 push ecx
- 0040634A . 52 push edx
- 0040634B . FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarCm>;用户名长度小于8则[EAX+8]为0xFFFF,反之为0
- 00406351 . 50 push eax
- 00406352 . 8D85 E4FEFFFF lea eax, dword ptr [ebp-11C]
- 00406358 . 50 push eax
- 00406359 . FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaVarOr>;将上面两个CALL(406332与40634B)返回的结果进行或运算,结果返回到EAX
- 0040635F . 8D4D B8 lea ecx, dword ptr [ebp-48]
- 00406362 . 50 push eax
- 00406363 . 8D95 74FEFFFF lea edx, dword ptr [ebp-18C]
- 00406369 . 51 push ecx
- 0040636A . 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
- 00406370 . 52 push edx
- 00406371 . 50 push eax
- 00406372 . FF15 78104000 call dword ptr [<&MSVBVM60.__vbaVarCm>;用户名长度大于24则[EAX+8]为0xFFFF,反之为0
- 00406378 . 8D8D C4FEFFFF lea ecx, dword ptr [ebp-13C]
- 0040637E . 50 push eax
- 0040637F . 51 push ecx
- 00406380 . FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaVarOr>;将上面两个CALL(406359与406372)返回的结果进行或运算
- 00406386 . 50 push eax ;运算的结果返回到EAX并压栈
- 00406387 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaBoolV>;如果上面CALL(406380)返回的结果是0xFFFF则EAX=FFFFFFFF,如果是0则EAX=0
- 0040638D . 66:85C0 test ax, ax
- 00406390 . 0F84 AE000000 je 00406444 ;如果EAX=0就跳,如果EAX=FFFFFFFF就不跳.
以上是判断用户名的合法性:用户名长度必须在8位-24位之间,且是偶数。
- 00406444 > \B9 02000000 mov ecx, 2 ;跳到这.
- ...................
- 0040646F . 51 push ecx ; 步长
- 00406470 . 8D85 A4FEFFFF lea eax, dword ptr [ebp-15C] ; |
- 00406476 . 52 push edx ; 终值
- 00406477 . 8D8D 48FEFFFF lea ecx, dword ptr [ebp-1B8] ; |
- 0040647D . 50 push eax ; 初值
- 0040647E . 8D95 58FEFFFF lea edx, dword ptr [ebp-1A8] ; |
- 00406484 . 51 push ecx ; 临时终值
- 00406485 . 8D45 DC lea eax, dword ptr [ebp-24] ; |
- 00406488 . 52 push edx ; 临时增量
- 00406489 . 50 push eax ; 循环变量
- 0040648A . FF15 58104000 call dword ptr [<&MSVBVM60.__vbaVarFo>;初始化循环
- ..................
- 004064B7 . FF15 24114000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
- 004064BD . 50 push eax ; |Start
- 004064BE . 8D45 CC lea eax, dword ptr [ebp-34] ; |
- 004064C1 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC] ; |
- 004064C7 . 50 push eax ; |dString8
- 004064C8 . 51 push ecx ; |RetBUFFER
- 004064C9 . FF15 7C104000 call dword ptr [<&MSVBVM60.#632>] ; Mid(RetBuFFER,dString8,Start)依次取出用户名的每一个字符
- 004064CF . 8D95 24FFFFFF lea edx, dword ptr [ebp-DC]
- 004064D5 . 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4]
- 004064DB . 52 push edx ; /String8
- 004064DC . 50 push eax ; |ARG2
- 004064DD . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
- 004064E3 . 50 push eax ; /String
- 004064E4 . FF15 30104000 call dword ptr [<&MSVBVM60.#516>] ; 取字符的ASCII值
- .....................
- 004064FA . 51 push ecx ; /var18
- 004064FB . 8D85 14FFFFFF lea eax, dword ptr [ebp-EC] ; |
- 00406501 . 52 push edx ; |var28
- 00406502 . 50 push eax ; |saveto8
- 00406503 . C785 A4FEFFFF>mov dword ptr [ebp-15C], 2 ; |
- 0040650D . FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaVarAd>; 累加用户名各位字符的ASCII值
- ......................
- 0040654A . 50 push eax ; /TMPend8
- 0040654B . 51 push ecx ; |TMPstep8
- 0040654C . 52 push edx ; |Counter8
- 0040654D . FF15 4C114000 call dword ptr [<&MSVBVM60.__vbaVarFo>; 循环
- 00406553 .^ E9 38FFFFFF jmp 00406490
- ......................
- 00406583 . 8D45 CC lea eax, dword ptr [ebp-34]
- 00406586 . 51 push ecx ; /Length8
- 00406587 . 52 push edx ; |Start
- 00406588 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC] ; |
- 0040658E . 50 push eax ; |dString8
- 0040658F . 51 push ecx ; |RetBUFFER
- 00406590 . C785 3CFFFFFF>mov dword ptr [ebp-C4], 1 ; |
- 0040659A . C785 34FFFFFF>mov dword ptr [ebp-CC], 2 ; |
- 004065A4 . FF15 7C104000 call dword ptr [<&MSVBVM60.#632>] ; 取用户名偶数位字符
- 004065AA . 8D95 24FFFFFF lea edx, dword ptr [ebp-DC]
- 004065B0 . 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4]
- 004065B6 . 52 push edx ; /String8
- 004065B7 . 50 push eax ; |ARG2
- 004065B8 . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
- 004065BE . 50 push eax ; /String
- 004065BF . FF15 30104000 call dword ptr [<&MSVBVM60.#516>] ; 取用户名偶数位字符的ASCII值
- 004065C5 . 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
- 004065CB . 66:8985 ACFEF>mov word ptr [ebp-154], ax
- 004065D2 . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
- 004065D8 . 51 push ecx ; /var18
- 004065D9 . 8D85 14FFFFFF lea eax, dword ptr [ebp-EC] ; |
- 004065DF . 52 push edx ; |var28
- 004065E0 . 50 push eax ; |saveto8
- 004065E1 . C785 A4FEFFFF>mov dword ptr [ebp-15C], 2 ; |
- 004065EB . FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaVarAd>; 累加用户名偶数位字符的ASCII值
- ........................
- 00406639 .^ E9 2FFFFFFF jmp 0040656D
- 0040663E > 8D45 88 lea eax, dword ptr [ebp-78]
- 00406641 . 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
- 00406647 . 50 push eax ; /var18
- 00406648 . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC] ; |
- 0040664E . 51 push ecx ; |var28
- 0040664F . 52 push edx ; |SaveTo8
- 00406650 . FF15 00104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 各位字符ASCII累加值 - 偶数位字符ASCII累加值
- 00406656 . 8BD0 mov edx, eax ;[EAX+8]=上面相减的结果.记作Num1
- 00406658 . 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
- .......................
- 00406696 . 50 push eax ; |var28
- 00406697 . 51 push ecx ; |SaveTo8
- 00406698 . FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaVarMu>; Num1*4
- 0040669E . 50 push eax
- 0040669F . FF15 24114000 call dword ptr [<&MSVBVM60.__vbaI4Var>; EAX=相乘的结果。记作Num2
- 004066A5 . 50 push eax
- 004066A6 . FF15 10104000 call dword ptr [<&MSVBVM60.__vbaStrI4>; Num2转十进制,再转换为字符串,记作STR1
- ........................
- 004066C2 . 52 push edx
- 004066C3 . E8 68050000 call 00406C30 ;计算STR1的MD5值
- ........................
- 004066FC . 50 push eax ; /String
- 004066FD . FF15 C8104000 call dword ptr [<&MSVBVM60.#713>] ; 将计算的MD5值逆序,记作STR2
- ........................
- 0040672F . 52 push edx ; /Length8
- 00406730 . 6A 0B push 0B ; |Start = B
- 00406732 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC] ; |
- 00406738 . 50 push eax ; |dString8
- 00406739 . 51 push ecx ; |RetBUFFER
- 0040673A . C785 3CFFFFFF>mov dword ptr [ebp-C4], 0A ; |
- 00406744 . C785 34FFFFFF>mov dword ptr [ebp-CC], 2 ; |
- 0040674E . FF15 7C104000 call dword ptr [<&MSVBVM60.#632>] ;Mid(STR2,11,10) 从逆序后的MD5值的11位开始截取10位字符
- 00406754 . 8D95 24FFFFFF lea edx, dword ptr [ebp-DC]
- 0040675A . 52 push edx
- 0040675B . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
- 00406761 . 8BD0 mov edx, eax ;截取的结果送EDX,记作Codestr2
- ........................
- 00406788 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaStrEr>; MSVBVM60.__vbaStrErrVarCopy
- 0040678E . 8BD0 mov edx, eax ;Num1转十进制再转换为字符串,记作Codestr3
- 00406790 . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
- 00406796 . FFD7 call edi
- 00406798 . 8B1D 40104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCat
- 0040679E . 50 push eax
- 0040679F . 68 9C334000 push 0040339C ; /-
- 004067A4 . FFD3 call ebx ; 将Codestr3与"-"连接 记作Codestr1
- 004067A6 . 8BD0 mov edx, eax
- 004067A8 . 8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8]
- 004067AE . FFD7 call edi
- 004067B0 . 50 push eax
- 004067B1 . 8B45 84 mov eax, dword ptr [ebp-7C]
- 004067B4 . 50 push eax
- 004067B5 . FFD3 call ebx ;将Codestr1与Codestr2连接,记作Codestr(最终注册码)
- ......................
- 0040684A . 52 push edx ; /var18
- 0040684B . 50 push eax ; |var28
- 0040684C . C785 4CFFFFFF>mov dword ptr [ebp-B4], 0 ; |
- 00406856 . C785 34FFFFFF>mov dword ptr [ebp-CC], 8008 ; |
- 00406860 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 真码与假码比较,相等则eax=ffffffff,反之为0
- 00406866 . 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
- 0040686C . 8BF0 mov esi, eax ;esi=eax
- 0040686E . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
- 00406874 . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
- 0040687A . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
- 00406880 . 66:85F6 test si, si
- 00406883 . 0F84 A3000000 je 0040692C ;如果esi=0就跳,注册不成功;esi=ffffffff则不跳,注册成功.
- 00406889 . A1 80A04000 mov eax, dword ptr [40A080]
- 0040688E . 85C0 test eax, eax
- ......................
- 00406A42 . C3 retn
期待LZ开放源码。
[ 本帖最后由 hflywolf 于 2008-9-18 17:43 编辑 ] |