原帖见https://www.chinapyg.com/viewthr ... ;page=1&extra=#
偶然见到此帖,并分析了下。我们直接进入主题
; ---------------------------------------------------------------------------
; sub_004D9610 — registration-dialog handler (OllyDbg dump, Intel syntax,
; x86-32, MFC42D/MSVCRTD debug build: _chkesp calls and 0CCCCCCCC local fill).
; In:    ecx = this (saved at [ebp-10]; presumably the CDialog-derived object —
;        TODO confirm). [this+490] and [this+494] are passed on to 0040133E;
;        their types are not visible here (the later #880 call on +494 fits a
;        CString member — TODO confirm).
; Out:   nothing the caller uses is visible; retn with no stack-arg cleanup.
; Side:  message boxes; RegCreateKeyExA/RegSetValueExA/RegCloseKey on HKLM;
;        two fields (+F0, +DC) of the object returned by MFC42D.#1087 written.
; Frame: SEH record + 278h locals; ebx/esi/edi saved.
; Locals as used below:
;   [ebp-10]  this                 [ebp-14]  HKEY written by RegCreateKeyExA
;   [ebp-22C] char buffer          [ebp-11C] 104h (set, never read again)
;   [ebp-120] subkey name          [ebp-124] last registry status (never tested)
;   [ebp-230] result byte of 0040133E -> #823 (0 = accepted)
;   [ebp-238] temp CString         [ebp-234] address of the by-value temp arg
; Review notes (defects visible in this dump):
;   * the strcpy at 004D9752 has no length bound; the 104h stored at [ebp-11C]
;     is never used, so a member string longer than the local buffer overruns
;     the frame
;   * the LSTATUS values stored at [ebp-124] are never checked, so the
;     "registration successful" path runs even when the HKLM write failed
;     (e.g. without the rights KEY_ALL_ACCESS on HKLM requires)
;   * RegSetValueExA receives strlen(buf) as cbData; for REG_SZ the size is
;     expected to include the terminating NUL
; ---------------------------------------------------------------------------
004D9610 /> \55 push ebp ; author's breakpoint: entry of the registration handler
004D9611 |. 8BEC mov ebp, esp
004D9613 |. 6A FF push -1 ; EH state -1: no C++ temporaries live yet (VC++ EH frame — presumably)
004D9615 |. 68 AC1C4F00 push 004F1CAC ; SEH handler install (label text was garbled in the original dump)
004D961A |. 64:A1 0000000>mov eax, dword ptr fs:[0] ; link this frame into the thread's SEH chain
004D9620 |. 50 push eax
004D9621 |. 64:8925 00000>mov dword ptr fs:[0], esp
004D9628 |. 81EC 78020000 sub esp, 278 ; locals
004D962E |. 53 push ebx ; callee-saved
004D962F |. 56 push esi
004D9630 |. 57 push edi
004D9631 |. 51 push ecx ; ecx = this on entry; parked while the fill below clobbers ecx
004D9632 |. 8DBD 7CFDFFFF lea edi, dword ptr [ebp-284]
004D9638 |. B9 9E000000 mov ecx, 9E
004D963D |. B8 CCCCCCCC mov eax, CCCCCCCC
004D9642 |. F3:AB rep stos dword ptr es:[edi] ; debug-CRT fill: 9Eh dwords from [ebp-284] with 0CCCCCCCC (uninitialised-local marker)
004D9644 |. 59 pop ecx
004D9645 |. 894D F0 mov dword ptr [ebp-10], ecx ; [ebp-10] = this
004D9648 |. 6A 01 push 1
004D964A |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D964D |. E8 CA040000 call <jmp.&MFC42D.#5056> ; MFC42D ordinal 5056, called as (this, 1); names are not resolved in this dump — presumably pulls the control text into the members read below, TODO confirm
004D9652 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004D9655 |. 05 94040000 add eax, 494 ; eax = &this->field_494
004D965A |. 50 push eax
004D965B |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D965E |. 81C1 90040000 add ecx, 490 ; ecx = &this->field_490
004D9664 |. 51 push ecx
004D9665 |. 8BD4 mov edx, esp ; edx = address of the slot just pushed
004D9667 |. 89A5 CCFDFFFF mov dword ptr [ebp-234], esp
004D966D |. 51 push ecx
004D966E |. 8BCA mov ecx, edx
004D9670 |. E8 DB030000 call <jmp.&MFC42D.#485> ; ordinal 485 with this = that stack slot, arg = &field_490: builds a by-value temp in place (looks like a CString copy ctor — TODO confirm)
004D9675 |. 8985 C4FDFFFF mov dword ptr [ebp-23C], eax
004D967B |. 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
004D9681 |. 50 push eax
004D9682 |. E8 B77CF2FF call 0040133E ; the check routine (author: "algorithm here"); 0040133E is a thunk, the body is listed below at 004BA790
004D9687 |. 83C4 08 add esp, 8 ; cdecl cleanup of the last two pushes
004D968A |. 8985 C0FDFFFF mov dword ptr [ebp-240], eax
004D9690 |. 8B8D C0FDFFFF mov ecx, dword ptr [ebp-240]
004D9696 |. 898D BCFDFFFF mov dword ptr [ebp-244], ecx
004D969C |. C745 FC 00000>mov dword ptr [ebp-4], 0 ; EH state 0: the temp at [ebp-238] is now live (presumably)
004D96A3 |. 8B95 BCFDFFFF mov edx, dword ptr [ebp-244]
004D96A9 |. 52 push edx
004D96AA |. E8 7B080000 call <jmp.&MFC42D.#823> ; ordinal 823 on the result of 0040133E; al is the verdict byte
004D96AF |. 8885 D0FDFFFF mov byte ptr [ebp-230], al ; [ebp-230] = verdict (nonzero = rejected, see 004D96D2)
004D96B5 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1 ; EH state back to -1
004D96BC |. 8D8D C8FDFFFF lea ecx, dword ptr [ebp-238]
004D96C2 |. E8 5F030000 call <jmp.&MFC42D.#684> ; destroy the temp at [ebp-238] (ordinal 684; presumably ~CString)
004D96C7 |. 8B85 D0FDFFFF mov eax, dword ptr [ebp-230]
004D96CD |. 25 FF000000 and eax, 0FF ; zero-extend the verdict byte
004D96D2 |. 85C0 test eax, eax
004D96D4 |. 74 19 je short 004D96EF ; 0 -> accepted, continue with the registry write
004D96D6 |. 6A 30 push 30 ; uType = 30h (MB_ICONEXCLAMATION)
004D96D8 |. 68 C8415800 push 005841C8 ; 告警 ("Alert" — caption)
004D96DD |. 68 B4415800 push 005841B4 ; 注册码输入有误! ("registration code entered incorrectly!" — text)
004D96E2 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D96E5 |. E8 56040000 call <jmp.&MFC42D.#3517> ; ordinal 3517 as (this, text, caption, type) — message box
004D96EA |. E9 14010000 jmp 004D9803 ; rejected: straight to the epilogue
004D96EF |> C785 E4FEFFFF>mov dword ptr [ebp-11C], 104 ; 104h — matches the distance [ebp-22C]..[ebp-128], but this value is never read again, so nothing bounds the strcpy below
004D96F9 |. C785 E0FEFFFF>mov dword ptr [ebp-120], 0057BE18 ; software\microsoft\dataaccess\rootbinder\xls — note: the vendor's own value is stored under a Microsoft-named HKLM path
004D9703 |. 8BF4 mov esi, esp ; debug CRT: remember esp to verify the stdcall cleanup after the import call
004D9705 |. 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
004D970B |. 51 push ecx ; /pDisposition
004D970C |. 8D55 EC lea edx, dword ptr [ebp-14] ; |
004D970F |. 52 push edx ; |pHandle
004D9710 |. 6A 00 push 0 ; |pSecurity = NULL
004D9712 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS (more than a single value write needs)
004D9717 |. 6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
004D9719 |. 6A 00 push 0 ; |Class = NULL
004D971B |. 6A 00 push 0 ; |Reserved = 0
004D971D |. 8B85 E0FEFFFF mov eax, dword ptr [ebp-120] ; |
004D9723 |. 50 push eax ; |Subkey
004D9724 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004D9729 |. FF15 18B55900 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
004D972F |. 3BF4 cmp esi, esp
004D9731 |. E8 BA120000 call <jmp.&MSVCRTD._chkesp> ; debug-CRT stack check
004D9736 |. 8985 DCFEFFFF mov dword ptr [ebp-124], eax ; LSTATUS stored but never tested; on failure [ebp-14] still holds the 0CCCCCCCC fill and is passed on below
004D973C |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D973F |. 81C1 94040000 add ecx, 494 ; ecx = &this->field_494
004D9745 |. E8 12030000 call <jmp.&MFC42D.#880> ; ordinal 880 on field_494; eax is used as a char* below (presumably CString::operator LPCTSTR / GetBuffer — TODO confirm)
004D974A |. 50 push eax ; /src
004D974B |. 8D8D D4FDFFFF lea ecx, dword ptr [ebp-22C] ; |
004D9751 |. 51 push ecx ; |dest
004D9752 |. E8 E5150000 call <jmp.&MSVCRTD.strcpy> ; \strcpy — unbounded copy into the local buffer; no length check precedes it
004D9757 |. 83C4 08 add esp, 8
004D975A |. 8D95 D4FDFFFF lea edx, dword ptr [ebp-22C]
004D9760 |. 52 push edx ; /s
004D9761 |. E8 D0150000 call <jmp.&MSVCRTD.strlen> ; \strlen
004D9766 |. 83C4 04 add esp, 4
004D9769 |. 8BF4 mov esi, esp
004D976B |. 50 push eax ; /BufSize = strlen(buf) — excludes the NUL that REG_SZ expects to be counted
004D976C |. 8D85 D4FDFFFF lea eax, dword ptr [ebp-22C] ; |
004D9772 |. 50 push eax ; |Buffer
004D9773 |. 6A 01 push 1 ; |ValueType = REG_SZ
004D9775 |. 6A 00 push 0 ; |Reserved = 0
004D9777 |. 68 0CBE5700 push 0057BE0C ; |xls (value name)
004D977C |. 8B4D EC mov ecx, dword ptr [ebp-14] ; |
004D977F |. 51 push ecx ; |hKey
004D9780 |. FF15 1CB55900 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA
004D9786 |. 3BF4 cmp esi, esp
004D9788 |. E8 63120000 call <jmp.&MSVCRTD._chkesp>
004D978D |. 8985 DCFEFFFF mov dword ptr [ebp-124], eax ; status again stored and never tested
004D9793 |. 8BF4 mov esi, esp
004D9795 |. 8B55 EC mov edx, dword ptr [ebp-14]
004D9798 |. 52 push edx ; /hKey
004D9799 |. FF15 14B55900 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
004D979F |. 3BF4 cmp esi, esp
004D97A1 |. E8 4A120000 call <jmp.&MSVCRTD._chkesp>
004D97A6 |. 6A 30 push 30 ; uType = 30h (MB_ICONEXCLAMATION)
004D97A8 |. 68 AC415800 push 005841AC ; 注册 ("Register" — caption)
004D97AD |. 68 94415800 push 00584194 ; 注册成功,欢迎使用! ("registration successful, welcome!" — shown regardless of the registry status above)
004D97B2 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D97B5 |. E8 86030000 call <jmp.&MFC42D.#3517> ; message box (same ordinal as above)
004D97BA |. 68 6C415800 push 0058416C ; 软件已经注册,欢迎使用! ("software is already registered, welcome!")
004D97BF |. 68 4A040000 push 44A ; 44Ah — looks like a control ID, TODO confirm
004D97C4 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D97C7 |. E8 A4030000 call <jmp.&MFC42D.#4634> ; ordinal 4634 as (this, id, text) — presumably sets a control's text
004D97CC |. E8 61020000 call <jmp.&MFC42D.#1087> ; ordinal 1087, no args, returns a pointer in eax (a global object; identity not visible here)
004D97D1 |. C780 F0000000>mov dword ptr [eax+F0], 1 ; [obj+F0] = 1 — state flag written after "success"; meaning not visible in this dump
004D97DB |. E8 52020000 call <jmp.&MFC42D.#1087>
004D97E0 |. C780 DC000000>mov dword ptr [eax+DC], 14 ; [obj+DC] = 14h — likewise
004D97EA |. 68 88415800 push 00584188 ; 欢迎使用 ("welcome")
004D97EF |. 6A 02 push 2
004D97F1 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D97F4 |. E8 77030000 call <jmp.&MFC42D.#4634> ; same as above with id 2
004D97F9 |. 6A 01 push 1
004D97FB |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D97FE |. E8 81040000 call <jmp.&MFC42D.#3309> ; ordinal 3309 as (this, 1)
004D9803 |> 8B4D F4 mov ecx, dword ptr [ebp-C] ; common exit: unlink the SEH record
004D9806 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004D980D |. 5F pop edi ; restore callee-saved
004D980E |. 5E pop esi
004D980F |. 5B pop ebx
004D9810 |. 81C4 84020000 add esp, 284 ; 278h locals plus the argument slots left on the stack
004D9816 |. 3BEC cmp ebp, esp
004D9818 |. E8 D3110000 call <jmp.&MSVCRTD._chkesp> ; debug-CRT frame check: esp must equal ebp here
004D981D |. 8BE5 mov esp, ebp
004D981F |. 5D pop ebp
004D9820 \. C3 retn
++++++++++++++++004D9682 |. E8 B77CF2FF call 0040133E+++++++++++++++++++++++
; ---------------------------------------------------------------------------
; sub_004BA790 — the check routine reached from 004D9682 through the thunk at
; 0040133E. OllyDbg dump, Intel syntax, x86-32, MFC42D debug build.
; In:    [ebp+8]  = first stack argument (the caller pushed &[ebp-238])
;        [ebp+C]  = second stack argument, used as a string object below
;                   (the caller built a by-value temp there — TODO confirm)
; Out:   not visible — the listing stops at 004BA88D, before the loop exit,
;        the result hand-off, the destructors and the epilogue.
; Locals as used below:
;   [ebp-10] string being built    [ebp-1C] scratch string for "%d"
;   [ebp-18] write index (len-1, counted down)   [ebp-20] loop index i
;   [ebp-14] current byte          [ebp-4]  EH state (1, 2, 3 as objects come live)
; movsx + cdq/idiv below make the per-byte arithmetic signed; the author's
; notes at 004BA83E/004BA842 describe the effect.
; ---------------------------------------------------------------------------
004BA790 > \55 push ebp ; author's note: the actual check logic lives here
004BA791 . 8BEC mov ebp, esp
004BA793 . 6A FF push -1 ; EH state -1
004BA795 . 68 B2024F00 push 004F02B2 ; SEH handler install
004BA79A . 64:A1 0000000>mov eax, dword ptr fs:[0]
004BA7A0 . 50 push eax
004BA7A1 . 64:8925 00000>mov dword ptr fs:[0], esp
004BA7A8 . 83EC 5C sub esp, 5C ; locals
004BA7AB . 53 push ebx ; callee-saved
004BA7AC . 56 push esi
004BA7AD . 57 push edi
004BA7AE . 8D7D 98 lea edi, dword ptr [ebp-68]
004BA7B1 . B9 17000000 mov ecx, 17
004BA7B6 . B8 CCCCCCCC mov eax, CCCCCCCC
004BA7BB . F3:AB rep stos dword ptr es:[edi] ; debug-CRT fill: 17h dwords from [ebp-68] with 0CCCCCCCC
004BA7BD . C745 DC 00000>mov dword ptr [ebp-24], 0
004BA7C4 . C745 FC 01000>mov dword ptr [ebp-4], 1 ; EH state 1
004BA7CB . 8D4D F0 lea ecx, dword ptr [ebp-10]
004BA7CE . E8 9BF20100 call <jmp.&MFC42D.#492> ; construct the object at [ebp-10] (ordinal 492; presumably CString::CString())
004BA7D3 . C645 FC 02 mov byte ptr [ebp-4], 2 ; EH state 2
004BA7D7 . 8D45 0C lea eax, dword ptr [ebp+C]
004BA7DA . 50 push eax
004BA7DB . 8D4D F0 lea ecx, dword ptr [ebp-10]
004BA7DE . E8 4BF30100 call <jmp.&MFC42D.#734> ; [ebp-10] = copy of the argument at [ebp+C] (ordinal 734; presumably operator=)
004BA7E3 . 8D4D 0C lea ecx, dword ptr [ebp+C]
004BA7E6 . E8 33F70100 call <jmp.&MFC42D.#2640> ; eax = length of [ebp+C] (ordinal 2640; used as a count here and at 004BA812)
004BA7EB . 83E8 01 sub eax, 1
004BA7EE . 8945 E8 mov dword ptr [ebp-18], eax ; write index = len - 1; the loop fills [ebp-10] from the end
004BA7F1 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004BA7F4 . E8 75F20100 call <jmp.&MFC42D.#492> ; construct the scratch object at [ebp-1C]
004BA7F9 . C645 FC 03 mov byte ptr [ebp-4], 3 ; EH state 3
004BA7FD . C745 E0 00000>mov dword ptr [ebp-20], 0 ; i = 0
004BA804 . EB 09 jmp short 004BA80F ; enter at the loop condition
004BA806 > 8B4D E0 mov ecx, dword ptr [ebp-20] ; / author: "compute registration code" — loop head: i++
004BA809 . 83C1 01 add ecx, 1
004BA80C . 894D E0 mov dword ptr [ebp-20], ecx
004BA80F > 8D4D F0 lea ecx, dword ptr [ebp-10]
004BA812 . E8 07F70100 call <jmp.&MFC42D.#2640> ; eax = length of [ebp-10]
004BA817 . 3945 E0 cmp dword ptr [ebp-20], eax ; author: "loop count" — while i < length (signed compare on an int length)
004BA81A . 7D 71 jge short 004BA88D
004BA81C . 8B55 E0 mov edx, dword ptr [ebp-20]
004BA81F . 52 push edx
004BA820 . 8D4D 0C lea ecx, dword ptr [ebp+C]
004BA823 . E8 5AFF0100 call <jmp.&MFC42D.#850> ; al = character i of [ebp+C] (ordinal 850, index pushed)
004BA828 . 8845 EC mov byte ptr [ebp-14], al ; author: "ASCII of the current character"
004BA82B . 8A45 EC mov al, byte ptr [ebp-14]
004BA82E . 0245 E0 add al, byte ptr [ebp-20] ; author: "+ (position - 1)", i.e. the 0-based index i
004BA831 . 8845 EC mov byte ptr [ebp-14], al
004BA834 . 0FBE4D EC movsx ecx, byte ptr [ebp-14] ; sign-extended byte
004BA838 . 6BC9 07 imul ecx, ecx, 7 ; author: "×7"
004BA83B . 884D EC mov byte ptr [ebp-14], cl ; only the low byte is kept
004BA83E . 0FBE45 EC movsx eax, byte ptr [ebp-14] ; author: "if the value is above 7F, FF minus the value takes part in the next step"
004BA842 . 99 cdq ; author (continued): "if the remainder is 0 the code character is '0', otherwise '-'"
004BA843 . B9 0A000000 mov ecx, 0A
004BA848 . F7F9 idiv ecx ; author: "divide by 10" (signed division, edx = remainder)
004BA84A . 52 push edx ; author: "the remainder becomes part of the code"
004BA84B . 68 D4915700 push 005791D4 ; ASCII "%d"
004BA850 . 8D55 E4 lea edx, dword ptr [ebp-1C]
004BA853 . 52 push edx
004BA854 . E8 69F20100 call <jmp.&MFC42D.#2168> ; format edx with "%d" into [ebp-1C] (ordinal 2168; cdecl, 0Ch cleaned below)
004BA859 . 83C4 0C add esp, 0C
004BA85C . 6A 00 push 0
004BA85E . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004BA861 . E8 1CFF0100 call <jmp.&MFC42D.#850> ; al = character 0 of the formatted text
004BA866 . 8845 EC mov byte ptr [ebp-14], al
004BA869 . 8A45 EC mov al, byte ptr [ebp-14]
004BA86C . 50 push eax ; the character to store
004BA86D . 8B4D E8 mov ecx, dword ptr [ebp-18]
004BA870 . 894D D8 mov dword ptr [ebp-28], ecx
004BA873 . 8B55 D8 mov edx, dword ptr [ebp-28]
004BA876 . 52 push edx ; the write index (post-decremented below)
004BA877 . 8B45 E8 mov eax, dword ptr [ebp-18]
004BA87A . 83E8 01 sub eax, 1
004BA87D . 8945 E8 mov dword ptr [ebp-18], eax ; write index--
004BA880 . 8D4D F0 lea ecx, dword ptr [ebp-10]
004BA883 . E8 F4FE0100 call <jmp.&MFC42D.#4525> ; store the character at that index of [ebp-10] (ordinal 4525; presumably SetAt)
004BA888 .^ E9 79FFFFFF jmp 004BA806 ; \ author: "loop"
004BA88D > 8D4D F0 lea ecx, dword ptr [ebp-10] ; loop exit — the dump is cut here by the author; what follows is not shown
分析:
1、逐位倒取机器码的字符;
2、(当前位字符ASCII+1)×7/A,取余数为当前注册码位字符
如其值大于7F,且(其值-FF-1)除以A的余不为0,则当前的注册码位用“-”,如为0则用“0”为注册码字符。
3、顺序连接,就是注册码。