;程序入口
;-----------------------------------------------------------------------
; Program entry point (Delphi, SDK-style Win32 program, no VCL forms).
; Creates the GDI brushes/pen that DialogFunc hands back from its
; WM_CTLCOLOR* handlers, registers the main and About window classes,
; writes the banner string into control 197h of the About window, then
; runs a GetMessageA / TranslateMessage / DispatchMessageA loop until
; GetMessageA returns 0 (WM_QUIT).
; Register roles: ebx = &MSG (unk_40A7F4) for the whole loop.
; Globals written: hbr, dword_40A814, dword_40A818, h, dword_40A820.
;-----------------------------------------------------------------------
CODE:00408A60 push ebp
CODE:00408A61 mov ebp, esp
CODE:00408A63 add esp, 0FFFFFFF0h ; sub esp, 10h (adding -16): 16 bytes of locals
CODE:00408A66 push ebx
CODE:00408A67 mov eax, offset dword_408A18
CODE:00408A6C call @Sysinit@@InitExe$qqrpv ; Sysinit::__linkproc__ InitExe(void *)
CODE:00408A71 mov ebx, offset unk_40A7F4 ; ebx = &msg; pushed by every call in the loop below
CODE:00408A76 call InitCommonControls
CODE:00408A7B push 0 ; COLORREF 0 (black)
CODE:00408A7D call CreateSolidBrush
CODE:00408A82 mov ds:hbr, eax ; returned by DialogFunc for WM_CTLCOLORDLG / WM_CTLCOLORSTATIC
CODE:00408A87 push 0 ; COLORREF 0 (black)
CODE:00408A89 call CreateSolidBrush
CODE:00408A8E mov ds:dword_40A814, eax ; returned by DialogFunc for WM_CTLCOLOREDIT
CODE:00408A93 push 0 ; COLORREF 0 (black)
CODE:00408A95 call CreateSolidBrush
CODE:00408A9A mov ds:dword_40A818, eax ; not referenced in the code shown here
CODE:00408A9F push 666666h ; COLORREF 666666h (dark grey)
CODE:00408AA4 call CreateSolidBrush
CODE:00408AA9 mov ds:h, eax
CODE:00408AAE push 0FFFFFFh ; crColor = white
CODE:00408AB3 push 1 ; nWidth = 1
CODE:00408AB5 push 6 ; fnPenStyle = 6 (PS_INSIDEFRAME)
CODE:00408AB7 call CreatePen
CODE:00408ABC mov ds:dword_40A820, eax ; pen handle; presumably used by the WM_DRAWITEM handler sub_408340 (not shown)
CODE:00408AC1 call __MyRegisterClass_Dlg ; registers class "AT4RE" and creates the main dialog into ds:hDlg
CODE:00408AC6 call __MyRegisterClass_About ; About dialog (not shown; presumably sets dword_40A7F0)
CODE:00408ACB push offset a___At4reChal_0 ; " ..::. AT4RE Challenge #03 .:"...
CODE:00408AD0 push 197h ; nIDDlgItem = 197h (text control of the About window)
CODE:00408AD5 mov eax, ds:dword_40A7F0 ; hDlg = About window handle
CODE:00408ADA push eax
CODE:00408ADB call SetDlgItemTextA
CODE:00408AE0 jmp short loc_408AEE ; enter the loop at the GetMessageA call
CODE:00408AE2 ; ---------------------------------------------------------------------------
CODE:00408AE2
CODE:00408AE2 loc_408AE2: ; CODE XREF: CODE:00408AFCj
CODE:00408AE2 push ebx ; &msg
CODE:00408AE3 call TranslateMessage
CODE:00408AE8 push ebx ; &msg
CODE:00408AE9 call DispatchMessageA
CODE:00408AEE
CODE:00408AEE loc_408AEE: ; CODE XREF: CODE:00408AE0j
CODE:00408AEE push 0 ; wMsgFilterMax
CODE:00408AF0 push 0 ; wMsgFilterMin
CODE:00408AF2 push 0 ; hWnd = NULL (any window of this thread)
CODE:00408AF4 push ebx ; &msg
CODE:00408AF5 call GetMessageA
CODE:00408AFA test eax, eax ; 0 only for WM_QUIT
CODE:00408AFC jnz short loc_408AE2 ; NOTE(review): GetMessageA returns -1 on error; this test treats -1 like a message and keeps looping
CODE:00408AFE mov eax, [ebx+8] ; msg.wParam = exit code given to PostQuitMessage
CODE:00408B01 call sub_4035DC ; presumably the RTL exit routine taking the code in eax (not shown)
CODE:00408B06 ; ---------------------------------------------------------------------------
CODE:00408B06 pop ebx
CODE:00408B07 call @System@@Halt0$qqrv ; System::__linkproc__ Halt0(void)
CODE:00408B07 ; ---------------------------------------------------------------------------
CODE:00408B0C a___At4reChal_0 db ' ..::. AT4RE Challenge #03 .::..',0Ah
CODE:00408B0C ; DATA XREF: CODE:00408ACBo
CODE:00408B0C db 0Dh,'-----------------------------------------------',0Ah
CODE:00408B0C db 0Dh,' Coded By : Mr Paradox ',0Ah
CODE:00408B0C db 0Dh,' Required : Serial | KeyGen',0Ah
CODE:00408B0C db 0Dh,' WebSite : www.at4re.com',0Ah
CODE:00408B0C db 0Dh,'-----------------------------------------------',0
CODE:00408C11 align 200h
;----------------------------------------------------------------------------------------
;看程序入口发现是个delphi写的SDK程序。可以找RegisterClass。RegisterClass的参数是个WNDCLASS结构体指针
;typedef struct _WNDCLASS {
; UINT style;
; WNDPROC lpfnWndProc;
; int cbClsExtra;
; int cbWndExtra;
; HINSTANCE hInstance;
; HICON hIcon;
; HCURSOR hCursor;
; HBRUSH hbrBackground;
; LPCTSTR lpszMenuName;
; LPCTSTR lpszClassName;
;} WNDCLASS, *PWNDCLASS;
;WNDPROC lpfnWndProc就是回调函数
由于又是对话框程序,所以也可以找CreateDialogParamA函数,
;HWND CreateDialogParam(
; HINSTANCE hInstance, // handle to module
; LPCTSTR lpTemplateName, // dialog box template
; HWND hWndParent, // handle to owner window
; DLGPROC lpDialogFunc, // dialog box procedure
; LPARAM dwInitParam // initialization value
;);
;在这里二者都有,回调函数是同一个
;下面是 __MyRegisterClass_Dlg
;-----------------------------------------------------------------------
; __MyRegisterClass_Dlg
; Fills the static WNDCLASS at `WndClass` (field offsets follow the
; struct listed above), registers it as class "AT4RE" with DialogFunc as
; the window procedure, creates the main dialog from template "#103"
; into ds:hDlg and shows it.
; In:    none (reads globals WndClass, hModule, TemplateName)
; Out:   ds:hDlg set; main window shown
; Saves: ebx (-> &WndClass), esi (-> WndClass.hInstance)
;-----------------------------------------------------------------------
CODE:00408848 push ebx
CODE:00408849 push esi
CODE:0040884A mov ebx, offset WndClass ; ebx = &WndClass
CODE:0040884F mov eax, offset aAt4re ; "AT4RE"
CODE:00408854 mov [ebx+24h], eax ; lpszClassName = "AT4RE"
CODE:00408857 mov dword ptr [ebx+4], offset DialogFunc ; lpfnWndProc = DialogFunc (the message handler analysed below)
CODE:0040885E mov dword ptr [ebx], 3 ; style = 3 (CS_VREDRAW | CS_HREDRAW)
CODE:00408864 mov esi, [ebx+10h] ; esi = hInstance, read back from the struct (filled in earlier — not shown)
CODE:00408867 mov [ebx+10h], esi ; writes the same value back; no effect
CODE:0040886A push 7F00h ; lpIconName = 7F00h (IDI_APPLICATION)
CODE:0040886F push esi ; hInstance
CODE:00408870 call LoadIconA
CODE:00408875 mov [ebx+14h], eax ; hIcon
CODE:00408878 push 7F00h ; lpCursorName = 7F00h (IDC_ARROW)
CODE:0040887D push 0 ; hInstance = NULL (system cursor)
CODE:0040887F call LoadCursorA
CODE:00408884 mov [ebx+18h], eax ; hCursor
CODE:00408887 mov dword ptr [ebx+1Ch], 9 ; hbrBackground = 9 (system colour index + 1, not a brush handle); DialogFunc supplies its own brushes anyway
CODE:0040888E xor eax, eax
CODE:00408890 mov [ebx+20h], eax ; lpszMenuName = NULL
CODE:00408893 xor eax, eax
CODE:00408895 mov [ebx+8], eax ; cbClsExtra = 0
CODE:00408898 mov dword ptr [ebx+0Ch], 1Eh ; cbWndExtra = 1Eh (DLGWINDOWEXTRA, required for a class used by a dialog template)
CODE:0040889F push ebx ; lpWndClass
CODE:004088A0 call RegisterClassA ; the returned ATOM is not checked
CODE:004088A5 push offset DialogFunc ; lpDialogFunc — the same procedure as lpfnWndProc above
CODE:004088AA mov edx, offset TemplateName ; "#103"
CODE:004088AF xor ecx, ecx ; hWndParent = NULL
CODE:004088B1 mov eax, ds:hModule ; hInstance (Borland register convention: eax, edx, ecx)
CODE:004088B6 call unknown_libname_62 ; looks like a Delphi RTL wrapper around CreateDialogParam — not verified
CODE:004088BB mov ds:hDlg, eax
CODE:004088C0 cmp ds:hDlg, 0 ; did the dialog get created?
CODE:004088C7 jnz short loc_4088E3
CODE:004088C9 push 10h ; uType = MB_OK | MB_ICONHAND
CODE:004088CB push offset @Zlibconst@_16390 ; @Consts@_16656
CODE:004088D0 push offset aRunTimeError ; "Run time error"
CODE:004088D5 push 0 ; hWnd
CODE:004088D7 call MessageBoxA_0 ; report the failure
CODE:004088DC push 0 ; nExitCode
CODE:004088DE call PostQuitMessage ; queue WM_QUIT so the message loop in the entry point ends
CODE:004088E3
CODE:004088E3 loc_4088E3: ; CODE XREF: __MyRegisterClass_Dlg+7Fj
CODE:004088E3 push 1 ; nCmdShow = SW_SHOWNORMAL
CODE:004088E5 mov eax, ds:hDlg ; NOTE(review): the failure path above falls through to here, so ShowWindow/UpdateWindow are called with hDlg == NULL
CODE:004088EA push eax ; hWnd
CODE:004088EB call ShowWindow ; show the main window
CODE:004088F0 mov eax, ds:hDlg
CODE:004088F5 push eax ; hWnd
CODE:004088F6 call UpdateWindow ; force an initial paint
CODE:004088FB pop esi
CODE:004088FC pop ebx
CODE:004088FD retn
;----------------------------------------------------------------------------------------
;下面是DialogFunc,写过SDK程序的都知道。控件消息响应是在WM_COMMAND消息里,控件ID在wParam的低2字节
;-----------------------------------------------------------------------
; DialogFunc — window procedure of class "AT4RE" (also passed as the
; dialog procedure).  stdcall with four dword args (`retn 10h`):
;   LRESULT DialogFunc(hWnd, Msg, wParam, lParam)
; The compiler turned the message switch into two subtract chains on
; edx (Msg > 133h is handled at loc_408518):
;   0010h WM_CLOSE          -> PostQuitMessage(0)
;   002Bh WM_DRAWITEM       -> sub_408340(hWnd, wParam, lParam)
;   0111h WM_COMMAND        -> JMP_IS_WM_COMMAND (control ids 66h/6Bh/6Ch/6Dh)
;   0133h WM_CTLCOLOREDIT   -> white text, transparent bg, return dword_40A814
;   0136h WM_CTLCOLORDLG    -> return hbr
;   0138h WM_CTLCOLORSTATIC -> white text, transparent bg, return hbr
;   0201h WM_LBUTTONDOWN    -> SC_MOVE|HTCAPTION to hDlg (drag by client area)
;   anything else           -> DefWindowProcA
; Register roles: ebx = LRESULT to return (0 unless a handler sets it);
;   eax keeps Msg until the default path pushes it; edx = dispatch temp.
; Saves: ebx.
;-----------------------------------------------------------------------
CODE:004084E4 push ebp
CODE:004084E5 mov ebp, esp
CODE:004084E7 push ebx
CODE:004084E8 mov eax, [ebp+Msg]
CODE:004084EB xor ebx, ebx ; result := 0
CODE:004084ED mov edx, eax ; edx = Msg, reduced step by step below
CODE:004084EF cmp edx, 133h ; WM_CTLCOLOREDIT
CODE:004084F5 jg short loc_408518 ; Msg > 133h: second chain
CODE:004084F7 jz short loc_408549 ; Msg == 133h
CODE:004084F9 sub edx, 10h
CODE:004084FC jz short loc_408532 ; Msg == 10h: WM_CLOSE
CODE:004084FE sub edx, 1Bh
CODE:00408501 jz loc_408591 ; Msg == 2Bh: WM_DRAWITEM
CODE:00408507 sub edx, 0E6h
CODE:0040850D jz JMP_IS_WM_COMMAND ; Msg == 111h: WM_COMMAND
CODE:00408513 jmp loc_40860E ; default
CODE:00408518 ; ---------------------------------------------------------------------------
CODE:00408518
CODE:00408518 loc_408518: ; CODE XREF: DialogFunc+11j
CODE:00408518 sub edx, 136h
CODE:0040851E jz short loc_40853E ; Msg == 136h: WM_CTLCOLORDLG
CODE:00408520 sub edx, 2
CODE:00408523 jz short loc_40856D ; Msg == 138h: WM_CTLCOLORSTATIC
CODE:00408525 sub edx, 0C9h
CODE:0040852B jz short loc_4085A6 ; Msg == 201h: WM_LBUTTONDOWN
CODE:0040852D jmp loc_40860E ; default
CODE:00408532 ; ---------------------------------------------------------------------------
CODE:00408532
CODE:00408532 loc_408532: ; CODE XREF: DialogFunc+18j
CODE:00408532 push 0 ; nExitCode
CODE:00408534 call PostQuitMessage ; WM_CLOSE: end the message loop
CODE:00408539 jmp GO_TO_RETN ; result stays 0
CODE:0040853E ; ---------------------------------------------------------------------------
CODE:0040853E
CODE:0040853E loc_40853E: ; CODE XREF: DialogFunc+3Aj
CODE:0040853E mov ebx, ds:hbr ; WM_CTLCOLORDLG: return the brush created in the entry point
CODE:00408544 jmp GO_TO_RETN
CODE:00408549 ; ---------------------------------------------------------------------------
CODE:00408549
CODE:00408549 loc_408549: ; CODE XREF: DialogFunc+13j
CODE:00408549 push 1 ; mode = TRANSPARENT
CODE:0040854B mov eax, [ebp+wParam] ; for WM_CTLCOLOR* wParam is the control's HDC
CODE:0040854E push eax ; hdc
CODE:0040854F call SetBkMode
CODE:00408554 push 0FFFFFFh ; color = white
CODE:00408559 mov eax, [ebp+wParam]
CODE:0040855C push eax ; hdc
CODE:0040855D call SetTextColor
CODE:00408562 mov ebx, ds:dword_40A814 ; WM_CTLCOLOREDIT: edit-box background brush
CODE:00408568 jmp GO_TO_RETN
CODE:0040856D ; ---------------------------------------------------------------------------
CODE:0040856D
CODE:0040856D loc_40856D: ; CODE XREF: DialogFunc+3Fj
CODE:0040856D push 1 ; mode = TRANSPARENT
CODE:0040856F mov eax, [ebp+wParam] ; HDC
CODE:00408572 push eax ; hdc
CODE:00408573 call SetBkMode
CODE:00408578 push 0FFFFFFh ; color = white
CODE:0040857D mov eax, [ebp+wParam]
CODE:00408580 push eax ; hdc
CODE:00408581 call SetTextColor
CODE:00408586 mov ebx, ds:hbr ; WM_CTLCOLORSTATIC: static-control background brush
CODE:0040858C jmp GO_TO_RETN
CODE:00408591 ; ---------------------------------------------------------------------------
CODE:00408591
CODE:00408591 loc_408591: ; CODE XREF: DialogFunc+1Dj
CODE:00408591 mov eax, [ebp+lParam]
CODE:00408594 push eax ; lParam
CODE:00408595 mov eax, [ebp+wParam]
CODE:00408598 push eax ; wParam
CODE:00408599 mov eax, [ebp+hWnd]
CODE:0040859C push eax ; hWnd
CODE:0040859D call sub_408340 ; WM_DRAWITEM: owner-draw handler (not shown)
CODE:004085A2 mov ebx, eax ; its return value becomes ours
CODE:004085A4 jmp short GO_TO_RETN
CODE:004085A6 ; ---------------------------------------------------------------------------
CODE:004085A6
CODE:004085A6 loc_4085A6: ; CODE XREF: DialogFunc+47j
CODE:004085A6 call ReleaseCapture ; WM_LBUTTONDOWN: let the window be dragged by its client area
CODE:004085AB push 0 ; lParam
CODE:004085AD push 0F012h ; wParam = SC_MOVE | HTCAPTION
CODE:004085B2 push 112h ; Msg = WM_SYSCOMMAND
CODE:004085B7 mov eax, ds:hDlg
CODE:004085BC push eax ; hWnd
CODE:004085BD call SendMessageA
CODE:004085C2 jmp short GO_TO_RETN
CODE:004085C4 ; ---------------------------------------------------------------------------
CODE:004085C4
CODE:004085C4 JMP_IS_WM_COMMAND: ; CODE XREF: DialogFunc+29j
CODE:004085C4 mov eax, [ebp+wParam] ; WM_COMMAND: wParam = (notification code << 16) | control id
CODE:004085C7 call __HightWord ; presumably ax = HIWORD(wParam) = notification code
CODE:004085CC test ax, ax
CODE:004085CF jnz short GO_TO_RETN ; only code 0 (BN_CLICKED) is handled
CODE:004085D1 mov ax, word ptr [ebp+wParam] ; wmId = (WORD)wParam;
CODE:004085D5 sub ax, 66h ; switch(wmId)
CODE:004085D9 jz short loc_4085ED ; id 66h: quit
CODE:004085DB sub ax, 5
CODE:004085DF jz short loc_4085FF ; id 6Bh: show the About window
CODE:004085E1 dec ax
CODE:004085E4 jz short loc_4085ED ; id 6Ch: quit
CODE:004085E6 dec ax
CODE:004085E9 jz short loc_4085F6 ; id 6Dh: the "Check" button
CODE:004085EB jmp short GO_TO_RETN ; unknown id: ignore
CODE:004085ED ; ---------------------------------------------------------------------------
CODE:004085ED
CODE:004085ED loc_4085ED: ; CODE XREF: DialogFunc+F5j
CODE:004085ED ; DialogFunc+100j
CODE:004085ED push 0 ; nExitCode
CODE:004085EF call PostQuitMessage
CODE:004085F4 jmp short GO_TO_RETN
CODE:004085F6 ; ---------------------------------------------------------------------------
CODE:004085F6
CODE:004085F6 loc_4085F6: ; CODE XREF: DialogFunc+105j
CODE:004085F6 xor eax, eax ; register argument 0; sub_40823C overwrites eax before reading it
CODE:004085F8 call sub_40823C ; "Check" button handler: reads the serial and validates it
CODE:004085FD jmp short GO_TO_RETN
CODE:004085FF ; ---------------------------------------------------------------------------
CODE:004085FF
CODE:004085FF loc_4085FF: ; CODE XREF: DialogFunc+FBj
CODE:004085FF push 1 ; nCmdShow = SW_SHOWNORMAL
CODE:00408601 mov eax, ds:dword_40A7F0 ; About window handle
CODE:00408606 push eax ; hWnd
CODE:00408607 call ShowWindow
CODE:0040860C jmp short GO_TO_RETN
CODE:0040860E ; ---------------------------------------------------------------------------
CODE:0040860E
CODE:0040860E loc_40860E: ; CODE XREF: DialogFunc+2Fj
CODE:0040860E ; DialogFunc+49j
CODE:0040860E mov edx, [ebp+lParam]
CODE:00408611 push edx ; lParam
CODE:00408612 mov edx, [ebp+wParam]
CODE:00408615 push edx ; wParam
CODE:00408616 push eax ; Msg (eax still holds the value loaded at entry; neither chain writes it)
CODE:00408617 mov eax, [ebp+hWnd]
CODE:0040861A push eax ; hWnd
CODE:0040861B call DefWindowProcA ; default handling for every message not listed above
CODE:00408620 mov ebx, eax
CODE:00408622
CODE:00408622 GO_TO_RETN: ; CODE XREF: DialogFunc+55j
CODE:00408622 ; DialogFunc+60j ...
CODE:00408622 mov eax, ebx ; return the LRESULT collected in ebx
CODE:00408624 pop ebx
CODE:00408625 pop ebp
CODE:00408626 retn 10h ; stdcall: pop the four arguments
找到check按钮响应函数sub_40823C
;-----------------------------------------------------------------------------------------
;sub_40823C函数如下:
;-----------------------------------------------------------------------
; sub_40823C — "Check" button handler (WM_COMMAND, control id 6Dh).
; Reads up to 100h bytes from edit control 6Ah of hDlg into a zeroed
; stack buffer, turns it into a Delphi long string, calls __check_func
; on it, then either fills control 197h of the About window
; (dword_40A7F0) with ds:lpString and shows that window, or writes
; "Bad Serial , Try Again .." back into edit 6Ah.
; The fs:[0] pushes/pops form a Delphi-style try/finally frame:
; loc_408318 is the exception handler, loc_408304 the finally block
; that releases the two temporary strings, loc_40831F the epilogue.
; In:    eax — ignored (overwritten below before any read)
; Out:   nothing
; Frame: 108h bytes of locals: String (100h-byte buffer), var_108 and
;        var_4 (long-string pointers, initialised to nil)
;-----------------------------------------------------------------------
CODE:0040823C
CODE:0040823C push ebp
CODE:0040823D mov ebp, esp
CODE:0040823F add esp, 0FFFFFEF8h ; sub esp, 108h
CODE:00408245 xor edx, edx
CODE:00408247 mov [ebp+var_108], edx ; temp string := nil
CODE:0040824D mov [ebp+var_4], edx ; temp string := nil
CODE:00408250 xor eax, eax
CODE:00408252 push ebp
CODE:00408253 push offset loc_408318 ; handler address for the SEH record
CODE:00408258 push dword ptr fs:[eax] ; link the previous fs:[0]
CODE:0040825B mov fs:[eax], esp ; install the try/finally frame
CODE:0040825E mov edx, 100h ; 256 bytes to clear
CODE:00408263 lea eax, [ebp+String] ; eax = write cursor
CODE:00408269
CODE:00408269 loc_408269: ; CODE XREF: sub_40823C+32j
CODE:00408269 mov byte ptr [eax], 0 ; zero-fill String
CODE:0040826C inc eax
CODE:0040826D dec edx
CODE:0040826E jnz short loc_408269
CODE:00408270 push 100h ; cchMax = buffer size, so the copy is bounded and NUL-terminated
CODE:00408275 lea eax, [ebp+String]
CODE:0040827B push eax ; lpString = the stack buffer
CODE:0040827C push 6Ah ; nIDDlgItem = 6Ah (the serial edit box)
CODE:0040827E mov eax, ds:hDlg
CODE:00408283 push eax ; hDlg
CODE:00408284 call GetDlgItemTextA ; read the user's input
CODE:00408289 lea eax, [ebp+var_4] ; destination string
CODE:0040828C lea edx, [ebp+String] ; source buffer
CODE:00408292 mov ecx, 100h ; buffer length
CODE:00408297 call __string_init ; var_4 := long string built from String (RTL helper; exact semantics not shown)
CODE:0040829C mov eax, [ebp+var_4]
CODE:0040829F call _LStrToPChar ; eax = PChar(var_4)
CODE:004082A4 mov edx, eax
CODE:004082A6 lea eax, [ebp+var_108]
CODE:004082AC call __string_init_2 ; var_108 := string(PChar): a second copy of the input
CODE:004082B1 mov eax, [ebp+var_108]
CODE:004082B7 call __check_func ; eax = input string; returns Boolean in al (analysed below)
CODE:004082BC test al, al ; al == 0 means the serial was rejected
CODE:004082BE jz short loc_4082E5
CODE:004082C0 mov eax, ds:lpString ; accepted: text to place into the About window
CODE:004082C5 push eax ; lpString
CODE:004082C6 push 197h ; nIDDlgItem = 197h (text control of the About window)
CODE:004082CB mov eax, ds:dword_40A7F0 ; About window handle
CODE:004082D0 push eax ; hDlg
CODE:004082D1 call SetDlgItemTextA
CODE:004082D6 push 1 ; nCmdShow = SW_SHOWNORMAL
CODE:004082D8 mov eax, ds:dword_40A7F0
CODE:004082DD push eax ; hWnd
CODE:004082DE call ShowWindow ; show the About window
CODE:004082E3 jmp short loc_4082F7
CODE:004082E5 ; ---------------------------------------------------------------------------
CODE:004082E5
CODE:004082E5 loc_4082E5: ; CODE XREF: sub_40823C+82j
CODE:004082E5 push offset String ; "Bad Serial , Try Again .." — rejected: message goes into the edit box itself
CODE:004082EA push 6Ah ; nIDDlgItem = the serial edit box
CODE:004082EC mov eax, ds:hDlg
CODE:004082F1 push eax ; hDlg
CODE:004082F2 call SetDlgItemTextA
CODE:004082F7
CODE:004082F7 loc_4082F7: ; CODE XREF: sub_40823C+A7j
CODE:004082F7 xor eax, eax
CODE:004082F9 pop edx ; previous fs:[0]
CODE:004082FA pop ecx ; discard handler address
CODE:004082FB pop ecx ; discard saved ebp
CODE:004082FC mov fs:[eax], edx ; uninstall the try/finally frame
CODE:004082FF push offset loc_40831F ; continuation after the finally block
CODE:00408304
CODE:00408304 loc_408304: ; CODE XREF: sub_40823C+E1j
CODE:00408304 lea eax, [ebp+var_108] ; finally: release both temporary strings
CODE:0040830A call _LStrClr
CODE:0040830F lea eax, [ebp+var_4]
CODE:00408312 call _LStrClr
CODE:00408317 retn ; "returns" to the pushed address (loc_40831F on the normal path)
CODE:00408318 ; ---------------------------------------------------------------------------
CODE:00408318
CODE:00408318 loc_408318: ; DATA XREF: sub_40823C+17o
CODE:00408318 jmp unknown_libname_42 ; BDS 2005-2006 and Delphi6-7 Visual Component Library — presumably the RTL finally handler, continuing at the next line
CODE:0040831D ; ---------------------------------------------------------------------------
CODE:0040831D jmp short loc_408304 ; exception path: run the finally block as well
CODE:0040831F ; ---------------------------------------------------------------------------
CODE:0040831F
CODE:0040831F loc_40831F: ; CODE XREF: sub_40823C+DBj
CODE:0040831F ; DATA XREF: sub_40823C+C3o
CODE:0040831F mov esp, ebp ; epilogue
CODE:00408321 pop ebp
CODE:00408322 retn
;------------------------------------------------------------------------------------------
;关键call __check_func函数如下
;-----------------------------------------------------------------------
; __check_func — serial validation.  Borland register convention.
; In:  eax = user input (Delphi long string)
; Out: al  = 1 if the serial is accepted, 0 otherwise (the byte local nFlag)
; Locals (5 x `push ecx` = 14h bytes, all zeroed): var_4 = input,
;   nFlag (byte), var_C = "0123456789ABCDEF", var_10 / var_14 = substrings.
; The fs:[0] pushes/pops form a Delphi-style try/finally frame:
; loc_40820D is the exception handler, loc_4081F7 the finally block
; (frees var_14..var_C and var_4), loc_408214 the return sequence.
;
; Checks, in order:
;   1. Length(input) == 8, else reject.
;   2. Each of the 8 characters occurs in "0123456789ABCDEF"
;      (uppercase only; ebx counts matches and must reach 8).
;   3. lo := __str2int(input[5..8]), hi := __str2int(input[1..4])
;      (presumably a hex parse, given check 2; the routine is not shown).
;      Then four rounds of
;        a  := hi ^ ((lo + K1) mod 65536)
;        b  := lo ^ ((a  + K2) mod 65536)
;        lo := swap16(a), hi := swap16(b)     ; swap16(x) = (x mod 256) shl 8 + x div 256
;      with (K1,K2) = (11111,22222), (33333,44444), (44444,33333),
;      (22222,11111); the last round has no swap.
;   4. Accept iff (final b) div 256 == 33h and (final a) div 256 == 25h.
;
; The `and reg,8000FFFFh / jns / dec / or / inc` and `and reg,800000FFh`
; sequences are the compiler's signed `mod 65536` / `mod 256`; the
; `test / jns / add 0FFh / sar 8` sequences are signed `div 256`.  For
; the non-negative values expected here they reduce to `and 0FFFFh`,
; `and 0FFh` and `shr 8`.
; NOTE(review): step 4 compares only the high byte of each final word,
; so the test discards 16 of the 32 bits of state it computed — a weak
; acceptance criterion; many distinct 8-character inputs satisfy it.
;-----------------------------------------------------------------------
CODE:00407F68 push ebp
CODE:00407F69 mov ebp, esp
CODE:00407F6B xor ecx, ecx
CODE:00407F6D push ecx ; compiler idiom: five pushes of 0 both reserve 14h bytes of locals
CODE:00407F6D ; and zero them in one go (cheaper than sub esp,14h plus separate stores)
CODE:00407F6E push ecx
CODE:00407F6F push ecx
CODE:00407F70 push ecx
CODE:00407F71 push ecx
CODE:00407F72 push ebx
CODE:00407F73 push esi
CODE:00407F74 mov [ebp+var_4], eax ; register argument: var_4 = user input string
CODE:00407F77 mov eax, [ebp+var_4]
CODE:00407F7A call _LStrAddRef ; take a reference on the input (released in the finally block)
CODE:00407F7F xor eax, eax
CODE:00407F81 push ebp
CODE:00407F82 push offset loc_40820D ; handler address for the SEH record
CODE:00407F87 push dword ptr fs:[eax] ; link the previous fs:[0]
CODE:00407F8A mov fs:[eax], esp ; install the try/finally frame
CODE:00407F8D mov [ebp+nFlag], 1 ; nFlag := True; cleared by every failing check below
CODE:00407F91 lea eax, [ebp+var_C] ; destination string
CODE:00407F94 mov edx, offset a0123456789abcd ; "0123456789ABCDEF"
CODE:00407F99 call _LStrLAsg ; var_C := '0123456789ABCDEF' (RTL string assignment, not a numeric conversion)
CODE:00407F9E mov eax, [ebp+var_4] ; user input string
CODE:00407FA1 call __string_getlenth ; eax = Length(input)
CODE:00407FA6 cmp eax, 8 ; check 1: the serial must be exactly 8 characters
CODE:00407FA9 jnz JMP_TO_RETN_1 ; any other length: reject
CODE:00407FAF xor ebx, ebx ; ebx = number of (input char, alphabet char) matches
CODE:00407FB1 mov edx, 1 ; edx = 1-based index into the input
CODE:00407FB6
CODE:00407FB6 loc_407FB6: ; CODE XREF: __check_func+6Ej
CODE:00407FB6 mov eax, 1 ; check 2: for each of the 8 input chars scan the 16 alphabet chars; eax = alphabet index
CODE:00407FBB
CODE:00407FBB loc_407FBB: ; CODE XREF: __check_func+68j
CODE:00407FBB mov ecx, [ebp+var_4] ; user input string
CODE:00407FBE mov cl, [ecx+edx-1] ; cl = input[edx]
CODE:00407FC2 mov esi, [ebp+var_C]
CODE:00407FC5 cmp cl, [esi+eax-1] ; == alphabet[eax] ?
CODE:00407FC9 jnz short loc_407FCC
CODE:00407FCB inc ebx ; match: count it (lowercase hex digits never match)
CODE:00407FCC
CODE:00407FCC loc_407FCC: ; CODE XREF: __check_func+61j
CODE:00407FCC inc eax
CODE:00407FCD cmp eax, 11h ; alphabet indices 1..16
CODE:00407FD0 jnz short loc_407FBB
CODE:00407FD2 inc edx
CODE:00407FD3 cmp edx, 9 ; input indices 1..8
CODE:00407FD6 jnz short loc_407FB6
CODE:00407FD8 cmp ebx, 8 ; did every character match an alphabet entry?
CODE:00407FDB jz short loc_407FE6 ; yes: continue with the arithmetic
CODE:00407FDD mov [ebp+nFlag], 0 ; no: reject
CODE:00407FE1 jmp loc_4081EA
CODE:00407FE6 ; ---------------------------------------------------------------------------
CODE:00407FE6
CODE:00407FE6 loc_407FE6: ; CODE XREF: __check_func+73j
CODE:00407FE6 lea eax, [ebp+var_10]
CODE:00407FE9 push eax ; result string
CODE:00407FEA mov ecx, 4 ; Count
CODE:00407FEF mov edx, 5 ; Index
CODE:00407FF4 mov eax, [ebp+var_4] ; user input str
CODE:00407FF7 call _LStrCopy ; var_10 := Copy(input, 5, 4): the last four characters
CODE:00407FFC mov eax, [ebp+var_10]
CODE:00407FFF call __str2int ; eax = numeric value of the last four chars (presumably hex; not shown)
CODE:00408004 mov ebx, eax ; ebx = lo
CODE:00408006 lea eax, [ebp+var_14]
CODE:00408009 push eax ; result string
CODE:0040800A mov ecx, 4 ; Count
CODE:0040800F mov edx, 1 ; Index
CODE:00408014 mov eax, [ebp+var_4] ; user input str
CODE:00408017 call _LStrCopy ; var_14 := Copy(input, 1, 4): the first four characters
CODE:0040801C mov eax, [ebp+var_14]
CODE:0040801F call __str2int ; eax = hi = numeric value of the first four chars
; --- round 1: a = hi ^ (lo + 11111) mod 65536 ; b = lo ^ (a + 22222) mod 65536 ---
CODE:00408024 lea edx, [ebx+2B67h] ; + 11111
CODE:0040802A and edx, 8000FFFFh ; % 65536 (signed: sign bit kept, fixed up below if negative)
CODE:00408030 jns short loc_40803A ; non-negative: no fix-up
CODE:00408032 dec edx
CODE:00408033 or edx, 0FFFF0000h
CODE:00408039 inc edx
CODE:0040803A
CODE:0040803A loc_40803A: ; CODE XREF: __check_func+C8j
CODE:0040803A xor edx, eax ; edx = a
CODE:0040803C lea eax, [edx+56CEh] ; + 22222
CODE:00408042 and eax, 8000FFFFh ; %65536
CODE:00408047 jns short loc_408050
CODE:00408049 dec eax
CODE:0040804A or eax, 0FFFF0000h
CODE:0040804F inc eax
CODE:00408050
CODE:00408050 loc_408050: ; CODE XREF: __check_func+DFj
CODE:00408050 xor eax, ebx ; eax = b
; --- lo := swap16(a) ---
CODE:00408052 mov ecx, edx
CODE:00408054 and ecx, 800000FFh ; % 256
CODE:0040805A jns short loc_408064
CODE:0040805C dec ecx
CODE:0040805D or ecx, 0FFFFFF00h
CODE:00408063 inc ecx
CODE:00408064
CODE:00408064 loc_408064: ; CODE XREF: __check_func+F2j
CODE:00408064 mov ebx, ecx
CODE:00408066 shl ebx, 8 ; << 8
CODE:00408069 test edx, edx
CODE:0040806B jns short loc_408073
CODE:0040806D add edx, 0FFh ; bias so that sar rounds toward zero for negative values
CODE:00408073
CODE:00408073 loc_408073: ; CODE XREF: __check_func+103j
CODE:00408073 sar edx, 8 ; / 256 (arithmetic shift)
CODE:00408076 add ebx, edx ; ebx = swap16(a)
; --- hi := swap16(b) ---
CODE:00408078 mov edx, eax
CODE:0040807A and edx, 800000FFh ; % 256
CODE:00408080 jns short loc_40808A
CODE:00408082 dec edx
CODE:00408083 or edx, 0FFFFFF00h
CODE:00408089 inc edx
CODE:0040808A
CODE:0040808A loc_40808A: ; CODE XREF: __check_func+118j
CODE:0040808A shl edx, 8 ; << 8
CODE:0040808D test eax, eax
CODE:0040808F jns short loc_408096
CODE:00408091 add eax, 0FFh
CODE:00408096
CODE:00408096 loc_408096: ; CODE XREF: __check_func+127j
CODE:00408096 sar eax, 8 ; / 256
CODE:00408099 add edx, eax
CODE:0040809B mov eax, edx ; eax = swap16(b)
; --- round 2: constants 33333 / 44444 ---
CODE:0040809D lea edx, [ebx+8235h] ; + 33333
CODE:004080A3 and edx, 8000FFFFh ; % 65536
CODE:004080A9 jns short loc_4080B3
CODE:004080AB dec edx
CODE:004080AC or edx, 0FFFF0000h
CODE:004080B2 inc edx
CODE:004080B3
CODE:004080B3 loc_4080B3: ; CODE XREF: __check_func+141j
CODE:004080B3 xor edx, eax ; edx = a
CODE:004080B5 lea eax, [edx+0AD9Ch] ; + 44444
CODE:004080BB and eax, 8000FFFFh ; % 65536
CODE:004080C0 jns short loc_4080C9
CODE:004080C2 dec eax
CODE:004080C3 or eax, 0FFFF0000h
CODE:004080C8 inc eax
CODE:004080C9
CODE:004080C9 loc_4080C9: ; CODE XREF: __check_func+158j
CODE:004080C9 xor eax, ebx ; eax = b
; --- lo := swap16(a) ---
CODE:004080CB mov ecx, edx
CODE:004080CD and ecx, 800000FFh ; % 256
CODE:004080D3 jns short loc_4080DD
CODE:004080D5 dec ecx
CODE:004080D6 or ecx, 0FFFFFF00h
CODE:004080DC inc ecx
CODE:004080DD
CODE:004080DD loc_4080DD: ; CODE XREF: __check_func+16Bj
CODE:004080DD mov ebx, ecx
CODE:004080DF shl ebx, 8 ; << 8
CODE:004080E2 test edx, edx
CODE:004080E4 jns short loc_4080EC
CODE:004080E6 add edx, 0FFh
CODE:004080EC
CODE:004080EC loc_4080EC: ; CODE XREF: __check_func+17Cj
CODE:004080EC sar edx, 8 ; / 256
CODE:004080EF add ebx, edx ; ebx = swap16(a)
; --- hi := swap16(b) ---
CODE:004080F1 mov edx, eax
CODE:004080F3 and edx, 800000FFh ; % 256
CODE:004080F9 jns short loc_408103
CODE:004080FB dec edx
CODE:004080FC or edx, 0FFFFFF00h
CODE:00408102 inc edx
CODE:00408103
CODE:00408103 loc_408103: ; CODE XREF: __check_func+191j
CODE:00408103 shl edx, 8 ; << 8
CODE:00408106 test eax, eax
CODE:00408108 jns short loc_40810F
CODE:0040810A add eax, 0FFh
CODE:0040810F
CODE:0040810F loc_40810F: ; CODE XREF: __check_func+1A0j
CODE:0040810F sar eax, 8 ; / 256
CODE:00408112 add edx, eax
CODE:00408114 mov eax, edx ; eax = swap16(b)
; --- round 3: constants 44444 / 33333 ---
CODE:00408116 lea edx, [ebx+0AD9Ch] ; + 44444
CODE:0040811C and edx, 8000FFFFh ; % 65536
CODE:00408122 jns short loc_40812C
CODE:00408124 dec edx
CODE:00408125 or edx, 0FFFF0000h
CODE:0040812B inc edx
CODE:0040812C
CODE:0040812C loc_40812C: ; CODE XREF: __check_func+1BAj
CODE:0040812C xor edx, eax ; edx = a
CODE:0040812E lea eax, [edx+8235h] ; + 33333
CODE:00408134 and eax, 8000FFFFh ; % 65536
CODE:00408139 jns short loc_408142
CODE:0040813B dec eax
CODE:0040813C or eax, 0FFFF0000h
CODE:00408141 inc eax
CODE:00408142
CODE:00408142 loc_408142: ; CODE XREF: __check_func+1D1j
CODE:00408142 xor eax, ebx ; eax = b
; --- lo := swap16(a) ---
CODE:00408144 mov ecx, edx
CODE:00408146 and ecx, 800000FFh ; % 256
CODE:0040814C jns short loc_408156
CODE:0040814E dec ecx
CODE:0040814F or ecx, 0FFFFFF00h
CODE:00408155 inc ecx
CODE:00408156
CODE:00408156 loc_408156: ; CODE XREF: __check_func+1E4j
CODE:00408156 mov ebx, ecx
CODE:00408158 shl ebx, 8 ; << 8
CODE:0040815B test edx, edx
CODE:0040815D jns short loc_408165
CODE:0040815F add edx, 0FFh
CODE:00408165
CODE:00408165 loc_408165: ; CODE XREF: __check_func+1F5j
CODE:00408165 sar edx, 8 ; / 256
CODE:00408168 add ebx, edx ; ebx = swap16(a)
; --- hi := swap16(b) ---
CODE:0040816A mov edx, eax
CODE:0040816C and edx, 800000FFh ; % 256
CODE:00408172 jns short loc_40817C
CODE:00408174 dec edx
CODE:00408175 or edx, 0FFFFFF00h
CODE:0040817B inc edx
CODE:0040817C
CODE:0040817C loc_40817C: ; CODE XREF: __check_func+20Aj
CODE:0040817C shl edx, 8 ; << 8
CODE:0040817F test eax, eax
CODE:00408181 jns short loc_408188
CODE:00408183 add eax, 0FFh
CODE:00408188
CODE:00408188 loc_408188: ; CODE XREF: __check_func+219j
CODE:00408188 sar eax, 8 ; /256
CODE:0040818B add edx, eax
CODE:0040818D mov eax, edx ; eax = swap16(b)
; --- round 4: constants 22222 / 11111, no swap afterwards ---
CODE:0040818F lea edx, [ebx+56CEh] ; + 22222
CODE:00408195 and edx, 8000FFFFh ; % 65536
CODE:0040819B jns short loc_4081A5
CODE:0040819D dec edx
CODE:0040819E or edx, 0FFFF0000h
CODE:004081A4 inc edx
CODE:004081A5
CODE:004081A5 loc_4081A5: ; CODE XREF: __check_func+233j
CODE:004081A5 xor edx, eax ; edx = final a
CODE:004081A7 lea eax, [edx+2B67h] ; + 11111
CODE:004081AD and eax, 8000FFFFh ; % 65536
CODE:004081B2 jns short loc_4081BB
CODE:004081B4 dec eax
CODE:004081B5 or eax, 0FFFF0000h
CODE:004081BA inc eax
CODE:004081BB
CODE:004081BB loc_4081BB: ; CODE XREF: __check_func+24Aj
CODE:004081BB xor eax, ebx ; eax = final b
CODE:004081BD test eax, eax
CODE:004081BF jns short loc_4081C6
CODE:004081C1 add eax, 0FFh
CODE:004081C6
CODE:004081C6 loc_4081C6: ; CODE XREF: __check_func+257j
CODE:004081C6 sar eax, 8 ; / 256: high byte of final b
CODE:004081C9 cmp eax, 33h ; check 4a: must equal 33h (51)
CODE:004081CC jnz short loc_4081E0 ; otherwise reject
CODE:004081CE test edx, edx
CODE:004081D0 jns short loc_4081D8
CODE:004081D2 add edx, 0FFh
CODE:004081D8
CODE:004081D8 loc_4081D8: ; CODE XREF: __check_func+268j
CODE:004081D8 sar edx, 8 ; / 256: high byte of final a
CODE:004081DB cmp edx, 25h ; check 4b: must equal 25h (37)
CODE:004081DE jz short loc_4081EA ; both match: accept (nFlag is still 1)
CODE:004081E0
CODE:004081E0 loc_4081E0: ; CODE XREF: __check_func+264j
CODE:004081E0 mov [ebp+nFlag], 0 ; reject
CODE:004081E4 jmp short loc_4081EA
CODE:004081E6 ; ---------------------------------------------------------------------------
CODE:004081E6
CODE:004081E6 JMP_TO_RETN_1: ; CODE XREF: __check_func+41j
CODE:004081E6 mov [ebp+nFlag], 0 ; length != 8: reject
CODE:004081EA
CODE:004081EA loc_4081EA: ; CODE XREF: __check_func+79j
CODE:004081EA ; __check_func+276j ...
CODE:004081EA xor eax, eax
CODE:004081EC pop edx ; previous fs:[0]
CODE:004081ED pop ecx ; discard handler address
CODE:004081EE pop ecx ; discard saved ebp
CODE:004081EF mov fs:[eax], edx ; uninstall the try/finally frame
CODE:004081F2 push offset loc_408214 ; continuation after the finally block
CODE:004081F7
CODE:004081F7 loc_4081F7: ; CODE XREF: __check_func+2AAj
CODE:004081F7 lea eax, [ebp+var_14] ; finally: free the three consecutive strings var_14, var_10, var_C
CODE:004081FA mov edx, 3 ; count
CODE:004081FF call _LStrArrayClr
CODE:00408204 lea eax, [ebp+var_4]
CODE:00408207 call _LStrClr ; drop the reference taken by _LStrAddRef
CODE:0040820C retn ; "returns" to the pushed address (loc_408214 on the normal path)
CODE:0040820D ; ---------------------------------------------------------------------------
CODE:0040820D
CODE:0040820D loc_40820D: ; DATA XREF: __check_func+1Ao
CODE:0040820D jmp unknown_libname_42 ; BDS 2005-2006 and Delphi6-7 Visual Component Library — presumably the RTL finally handler, continuing at the next line
CODE:00408212 ; ---------------------------------------------------------------------------
CODE:00408212 jmp short loc_4081F7 ; exception path: run the finally block as well
CODE:00408214 ; ---------------------------------------------------------------------------
CODE:00408214
CODE:00408214 loc_408214: ; CODE XREF: __check_func+2A4j
CODE:00408214 ; DATA XREF: __check_func+28Ao
CODE:00408214 mov al, [ebp+nFlag] ; return value: al = nFlag
CODE:00408217 pop esi
CODE:00408218 pop ebx
CODE:00408219 mov esp, ebp
CODE:0040821B pop ebp
CODE:0040821C retn
;由于本人太菜,加上可以偷懒。所以算法就直接拿的IDA F5的改改。
;这个没有注册机,只是一个key。只要通过运算后结果和51 还有 37比较相等则符合。
;key生成程序如下:
;void main(int argc, char* argv[])
;{
;
; int v5; // edx@10
; int v7; // ebx@10
; int v8; // edx@10
; int v9; // eax@10
; int v10; // ebx@10
; int v11; // edx@10
; int v12; // eax@10
; int v13; // ebx@10
; int v14; // edx@10
; int v15; // eax@10
; int v16; // ebx@10
; int v17; // [sp+8h] [bp-Ch]@1
; int v18; // [sp+4h] [bp-10h]@1
; int v19; // [sp+0h] [bp-14h]@1
;
; char v22; // [sp+Fh] [bp-5h]@1
;
; v17 = 0;
; v18 = 0;
; v19 = 0;
;
; //FILE* fp = fopen("psd.txt","a+");
; //char buffer[20] = {0};
; for (int n = 0x10000000; n <= 0xFFFFFFFF; n++)
; {
; v7 = n%0x10000;
; v19 = n/0x10000;
; v8 = v19 ^ (v7 + 11111) % 65536;
; v9 = v7 ^ (v8 + 22222) % 65536;
; v10 = v8 / 256 + (v8 % 256 << 8);
; v11 = (v9 / 256 + (v9 % 256 << 8)) ^ (v10 + 33333) % 65536;
; v12 = v10 ^ (v11 + 44444) % 65536;
; v13 = v11 / 256 + (v11 % 256 << 8);
; v14 = (v12 / 256 + (v12 % 256 << 8)) ^ (v13 + 44444) % 65536;
; v15 = v13 ^ (v14 + 33333) % 65536;
; v16 = v14 / 256 + (v14 % 256 << 8);
; v5 = (v15 / 256 + (v15 % 256 << 8)) ^ (v16 + 22222) % 65536;
; if ( (v16 ^ (v5 + 11111) % 65536) / 256 != 51 || v5 / 256 != 37 )
; v22 = 0;
; else
; {
; //sprintf(buffer,"%04X%04X\n",v19,v7);
; //fwrite(buffer,1,sizeof(buffer),fp);
; printf("%04X%04X\n",v19,v7);
; }
; }
; fclose(fp);
;} |