暴破FileTreePrinter 3.1.6.139

hrbx · 发表于 2006-6-10 03:24:14

【破文标题】暴破FileTreePrinter 3.1.6.139
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】[email protected]
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-06-10
【软件名称】FileTreePrinter 3.1.6.139
【软件大小】268KB
【下载地址】https://www.chinapyg.com/viewthread.php?tid=5136
【加壳方式】无
【软件简介】File Tree Printer is used to export directory or CD/DVD listings to a text file.
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用PEID扫描，显示为：Microsoft Visual C++ 7.0，无壳。
2.试运行。输入注册信息后点OK按钮，弹出："registration failed!"对话框。
3.伪注册算法。OD载入程序，右键--Ultra String Reference--Find ASCII,查找“registration failed!”，
找到后双击，来到：
00407662 . 68 D0FE4>push FileTree.0042FED0 ; registration failed!
00407667 . E8 77100>call FileTree.004286E3
0040766C . 5B pop ebx
向上查找，来到004073A3处F2下断，F9运行，输入注册信息：
==============================
User Name:hrbx
Registration COde:9876543210
==============================
点Register按钮，立即中断：
004073A3 . 55 push ebp ; F2在此下断，中断后F8往下走
004073A4 . 56 push esi
004073A5 . 57 push edi
004073A6 . BF 01000000 mov edi,1
004073AB . 57 push edi
004073AC . 8BF1 mov esi,ecx
004073AE . E8 2AB20100 call FileTree.004225DD
004073B3 . 8B46 70 mov eax,dword ptr ds:[esi+70] ; 用户名"hrbx"
004073B6 . 8B68 F4 mov ebp,dword ptr ds:[eax-C] ; 用户名长度，ds:[eax-C]＝4
004073B9 . 83FD 02 cmp ebp,2 ; 用户名长度与2比较
004073BC . 7D 15 jge short FileTree.004073D3 ; 大于等于则跳
004073BE . 6A 00 push 0
004073C0 . 6A 00 push 0
004073C2 . 68 2CFF4200 push FileTree.0042FF2C ; please input correct user name!
004073C7 . E8 17130200 call FileTree.004286E3
004073CC . 5F pop edi
004073CD . 5E pop esi
004073CE . 5D pop ebp
004073CF . 83C4 0C add esp,0C
004073D2 . C3 retn
004073D3 > 8B4E 74 mov ecx,dword ptr ds:[esi+74] ; 假码"9876543210"
004073D6 . 8379 F4 08 cmp dword ptr ds:[ecx-C],8 ; 假码长度与8比较
004073DA . 7D 15 jge short FileTree.004073F1 ; 大于等于则跳
004073DC . 6A 00 push 0
004073DE . 6A 00 push 0
004073E0 . 68 04FF4200 push FileTree.0042FF04 ; please input correct registration code!
004073E5 . E8 F9120200 call FileTree.004286E3
004073EA . 5F pop edi
004073EB . 5E pop esi
004073EC . 5D pop ebp
004073ED . 83C4 0C add esp,0C
004073F0 . C3 retn
004073F1 > 8B46 70 mov eax,dword ptr ds:[esi+70] ; 用户名"hrbx"
004073F4 . 8B48 F4 mov ecx,dword ptr ds:[eax-C] ; 用户名长度，ds:[eax-C]＝4
004073F7 . 85C9 test ecx,ecx
004073F9 . 7D 0A jge short FileTree.00407405 ; 用户名长度不为空则跳
004073FB . 68 57000780 push 80070057
00407400 . E8 0B9CFFFF call FileTree.00401010
00407405 > 8A10 mov dl,byte ptr ds:[eax]
00407407 . 8B46 70 mov eax,dword ptr ds:[esi+70]
0040740A . 3978 F4 cmp dword ptr ds:[eax-C],edi
0040740D . 7D 0A jge short FileTree.00407419
0040740F . 68 57000780 push 80070057
00407414 . E8 F79BFFFF call FileTree.00401010
00407419 > 8A40 01 mov al,byte ptr ds:[eax+1]
0040741C . 884424 0E mov byte ptr ss:[esp+E],al
00407420 . 8B46 70 mov eax,dword ptr ds:[esi+70]
00407423 . 8B48 F4 mov ecx,dword ptr ds:[eax-C]
00407426 . 85C9 test ecx,ecx
00407428 . 7D 0A jge short FileTree.00407434
0040742A . 68 57000780 push 80070057
0040742F . E8 DC9BFFFF call FileTree.00401010
00407434 > 8B4E 70 mov ecx,dword ptr ds:[esi+70] ; 用户名"hrbx"
00407437 . 53 push ebx
00407438 . 8A18 mov bl,byte ptr ds:[eax]
0040743A . 3979 F4 cmp dword ptr ds:[ecx-C],edi
0040743D . 7D 0A jge short FileTree.00407449
0040743F . 68 57000780 push 80070057
00407444 . E8 C79BFFFF call FileTree.00401010
00407449 > 0FB6C2 movzx eax,dl ; 用户名第1位字符的ASCII值，DL＝0x68("h")
0040744C . 83C8 45 or eax,45 ; EAX=EAX or 0x45
0040744F . 99 cdq
00407450 . BF 0A000000 mov edi,0A ; EDI=0xA
00407455 . F7FF idiv edi ; EAX/EDI,商给EAX，余数给EDX
00407457 . 0FB64424 12 movzx eax,byte ptr ss:[esp+12] ; 用户名第2位字符的ASCII值，EAX＝0x72("r")
0040745C . 83C8 42 or eax,42 ; EAX=EAX or 0x42
0040745F . 885424 16 mov byte ptr ss:[esp+16],dl ; 用户名第1位字符余数保存放ss:[esp+16]，记为N1
00407463 . 99 cdq
00407464 . F7FF idiv edi ; EAX/EDI,商给EAX，余数给EDX
00407466 . 0FB6C3 movzx eax,bl ; 用户名第1位字符的ASCII值，DL＝0x68("h")
00407469 . 83C8 43 or eax,43 ; EAX=EAX or 0x43
0040746C . 885424 12 mov byte ptr ss:[esp+12],dl ; 用户名第2位字符余数保存放ss:[esp+12]，记为N2
00407470 . 99 cdq
00407471 . F7FF idiv edi ; EAX/EDI,商给EAX，余数给EDX
00407473 . 0FB641 01 movzx eax,byte ptr ds:[ecx+1] ; 用户名第2位字符的ASCII值，EAX＝0x72("r")
00407477 . 83C8 44 or eax,44 ; EAX=EAX or 0x44
0040747A . 8BCF mov ecx,edi ; ECX=EDI=0xA
0040747C . 885424 17 mov byte ptr ss:[esp+17],dl ; 用户名第1位字符余数保存放ss:[esp+17]，记为N3
00407480 . 99 cdq
00407481 . F7F9 idiv ecx ; EAX/ECX,商给EAX，余数给EDX
00407483 . 33C0 xor eax,eax
00407485 . 33C9 xor ecx,ecx
00407487 . 85ED test ebp,ebp
00407489 . 885424 18 mov byte ptr ss:[esp+18],dl ; 用户名第2位字符余数保存放ss:[esp+18]，记为N4
0040748D . 7E 20 jle short FileTree.004074AF
0040748F . 90 nop
00407490 > 85C9 test ecx,ecx
00407492 . 0F8C D2000000 jl FileTree.0040756A
00407498 . 8B7E 70 mov edi,dword ptr ds:[esi+70] ; 用户名"hrbx"
0040749B . 3B4F F4 cmp ecx,dword ptr ds:[edi-C]
0040749E . 0F8F C6000000 jg FileTree.0040756A
004074A4 . 0FB6140F movzx edx,byte ptr ds:[edi+ecx] ; 依次取用户名每一个字符的ASCII值
004074A8 . 03C2 add eax,edx ; ASCII值累加，和为0x1B4
004074AA . 41 inc ecx
004074AB . 3BCD cmp ecx,ebp
004074AD .^ 7C E1 jl short FileTree.00407490
004074AF > 8B4E 74 mov ecx,dword ptr ds:[esi+74] ; 假码"9876543210"
004074B2 . 8B51 F4 mov edx,dword ptr ds:[ecx-C]
004074B5 . 85D2 test edx,edx
004074B7 . 7D 0A jge short FileTree.004074C3
004074B9 . 68 57000780 push 80070057
004074BE . E8 4D9BFFFF call FileTree.00401010
004074C3 > 8A11 mov dl,byte ptr ds:[ecx]
004074C5 . 8B4E 74 mov ecx,dword ptr ds:[esi+74]
004074C8 . 8379 F4 01 cmp dword ptr ds:[ecx-C],1
004074CC 885424 19 mov byte ptr ss:[esp+19],dl ; 假码第1位字符'9'放入ss:[esp+19]
004074D0 . 7D 0A jge short FileTree.004074DC
004074D2 . 68 57000780 push 80070057
004074D7 . E8 349BFFFF call FileTree.00401010
004074DC > 8A49 01 mov cl,byte ptr ds:[ecx+1]
004074DF . 8B7E 74 mov edi,dword ptr ds:[esi+74]
004074E2 . 884C24 13 mov byte ptr ss:[esp+13],cl ; 假码第2位字符'8'放入ss:[esp+13]
004074E6 . 837F F4 02 cmp dword ptr ds:[edi-C],2
004074EA . 7D 0A jge short FileTree.004074F6
004074EC . 68 57000780 push 80070057
004074F1 . E8 1A9BFFFF call FileTree.00401010
004074F6 > 8A4F 02 mov cl,byte ptr ds:[edi+2]
004074F9 . 8B7E 74 mov edi,dword ptr ds:[esi+74]
004074FC . 884C24 14 mov byte ptr ss:[esp+14],cl ; 假码第3位字符'7'放入ss:[esp+14]
00407500 . 837F F4 03 cmp dword ptr ds:[edi-C],3
00407504 . 7D 0A jge short FileTree.00407510
00407506 . 68 57000780 push 80070057
0040750B . E8 009BFFFF call FileTree.00401010
00407510 > 8A4F 03 mov cl,byte ptr ds:[edi+3]
00407513 . 8B7E 74 mov edi,dword ptr ds:[esi+74]
00407516 . 884C24 15 mov byte ptr ss:[esp+15],cl ; 假码第4位字符'6'放入ss:[esp+15]
0040751A . 837F F4 04 cmp dword ptr ds:[edi-C],4
0040751E . 7D 0A jge short FileTree.0040752A
00407520 . 68 57000780 push 80070057
00407525 . E8 E69AFFFF call FileTree.00401010
0040752A > 8A4F 04 mov cl,byte ptr ds:[edi+4] ; 假码第5位字符'5'给CL
0040752D . 8B7E 74 mov edi,dword ptr ds:[esi+74]
00407530 . 837F F4 05 cmp dword ptr ds:[edi-C],5
00407534 . 7D 0A jge short FileTree.00407540
00407536 . 68 57000780 push 80070057
0040753B . E8 D09AFFFF call FileTree.00401010
00407540 > 8A5F 05 mov bl,byte ptr ds:[edi+5]
00407543 . 8B7E 74 mov edi,dword ptr ds:[esi+74]
00407546 . 885C24 1A mov byte ptr ss:[esp+1A],bl ; 假码第6位字符'4'放入ss:[esp+1A]
0040754A . 837F F4 06 cmp dword ptr ds:[edi-C],6
0040754E . 7D 0A jge short FileTree.0040755A
00407550 . 68 57000780 push 80070057
00407555 . E8 B69AFFFF call FileTree.00401010
0040755A > 8A5F 06 mov bl,byte ptr ds:[edi+6]
0040755D . 8B7E 74 mov edi,dword ptr ds:[esi+74]
00407560 . 885C24 1B mov byte ptr ss:[esp+1B],bl ; 假码第7位字符'3'放入ss:[esp+1B]
00407564 . 837F F4 07 cmp dword ptr ds:[edi-C],7
00407568 . 7D 0A jge short FileTree.00407574
0040756A > 68 57000780 push 80070057
0040756F . E8 9C9AFFFF call FileTree.00401010
00407574 > 8A5F 07 mov bl,byte ptr ds:[edi+7] ; 假码"9876543210"
00407577 . 0FB67C24 16 movzx edi,byte ptr ss:[esp+16] ; 取出用户名第1位字符运算保存的余数N1
0040757C . 0FB6D2 movzx edx,dl ; 假码第1位字符的ASCII值，DL＝0x39('9')
0040757F . 83EA 30 sub edx,30
00407582 . 3BFA cmp edi,edx
00407584 . 75 48 jnz short FileTree.004075CE ; 不相等则跳
00407586 . 0FB65424 13 movzx edx,byte ptr ss:[esp+13] ; 假码第2位字符的ASCII值，EDX＝0x38('8')
0040758B . 0FB67C24 12 movzx edi,byte ptr ss:[esp+12] ; 取出用户名第2位字符运算保存的余数N2
00407590 . 83EA 30 sub edx,30
00407593 . 3BFA cmp edi,edx
00407595 . 75 37 jnz short FileTree.004075CE ; 不相等则跳
00407597 . 0FB65424 14 movzx edx,byte ptr ss:[esp+14] ; 假码第3位字符的ASCII值，EDX＝0x37('7')
0040759C . 0FB67C24 17 movzx edi,byte ptr ss:[esp+17] ; 取出用户名第1位字符运算保存的余数N3
004075A1 . 83EA 30 sub edx,30
004075A4 . 3BFA cmp edi,edx
004075A6 . 75 26 jnz short FileTree.004075CE ; 不相等则跳
004075A8 . 0FB65424 15 movzx edx,byte ptr ss:[esp+15] ; 假码第4位字符的ASCII值，EDX＝0x36('6')
004075AD . 0FB67C24 18 movzx edi,byte ptr ss:[esp+18] ; 取出用户名第2位字符运算保存的余数N4
004075B2 . 83EA 30 sub edx,30
004075B5 . 3BFA cmp edi,edx
004075B7 . 75 15 jnz short FileTree.004075CE ; 不相等则跳
004075B9 . 99 cdq
004075BA . BF 0A000000 mov edi,0A
004075BF . F7FF idiv edi
004075C1 . 0FB6C2 movzx eax,dl
004075C4 . 0FB6D1 movzx edx,cl
004075C7 . 83EA 30 sub edx,30
004075CA . 3BC2 cmp eax,edx
004075CC . 74 3A je short FileTree.00407608
004075CE > 807C24 19 38 cmp byte ptr ss:[esp+19],38 ; 比较注册码第1位是否为0x38('8')
004075D3 . 0F85 85000000 jnz FileTree.0040765E ; 不等则Over
004075D9 . 807C24 13 33 cmp byte ptr ss:[esp+13],33 ; 比较注册码第2位是否为0x33('3')
004075DE . 75 7E jnz short FileTree.0040765E ; 不等则Over
004075E0 . 807C24 14 39 cmp byte ptr ss:[esp+14],39 ; 比较注册码第3位是否为0x39('9')
004075E5 . 75 77 jnz short FileTree.0040765E ; 不等则Over
004075E7 . 8A5424 15 mov dl,byte ptr ss:[esp+15] ; 注册码第4位0x36('6')
004075EB . B0 31 mov al,31 ; AL=0x31
004075ED . 3AD0 cmp dl,al ; 比较注册码第4位是否为0x31('1')
004075EF . 75 6D jnz short FileTree.0040765E ; 不等则Over
004075F1 . 80F9 33 cmp cl,33 ; 比较注册码第5位是否为0x33('3')
004075F4 . 75 68 jnz short FileTree.0040765E ; 不等则Over
004075F6 . 384424 1A cmp byte ptr ss:[esp+1A],al ; 比较注册码第6位是否为0x31('1')
004075FA . 75 62 jnz short FileTree.0040765E ; 不等则Over
004075FC . 807C24 1B 34 cmp byte ptr ss:[esp+1B],34 ; 比较注册码第7位是否为0x34('4')
00407601 . 75 5B jnz short FileTree.0040765E ; 不等则Over
00407603 . 80FB 36 cmp bl,36 ; 比较注册码第8位是否为0x31('6')
00407606 . 75 56 jnz short FileTree.0040765E ; 不等则Over
00407608 > 6A 00 push 0
0040760A . 6A 00 push 0
0040760C . 68 E8FE4200 push FileTree.0042FEE8 ; registration has succeeded!
00407611 . E8 CD100200 call FileTree.004286E3
00407616 . 8B7E 70 mov edi,dword ptr ds:[esi+70]
00407619 . E8 8A1E0200 call FileTree.004294A8
0040761E . 8B40 04 mov eax,dword ptr ds:[eax+4]
00407621 . 57 push edi
00407622 . 68 F4FD4200 push FileTree.0042FDF4 ; username
00407627 . 68 ECFD4200 push FileTree.0042FDEC ; option
0040762C . 8BC8 mov ecx,eax
0040762E . E8 100E0200 call FileTree.00428443 ; 将用户名写入注册表
00407633 . 8B7E 74 mov edi,dword ptr ds:[esi+74]
00407636 . E8 6D1E0200 call FileTree.004294A8
0040763B . 8B40 04 mov eax,dword ptr ds:[eax+4]
0040763E . 57 push edi
0040763F . 68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00407644 . 68 ECFD4200 push FileTree.0042FDEC ; option
00407649 . 8BC8 mov ecx,eax
0040764B . E8 F30D0200 call FileTree.00428443 ; 将注册码写入注册表
00407650 . 5B pop ebx
00407651 . 5F pop edi
00407652 . 8BCE mov ecx,esi
00407654 . 5E pop esi
00407655 . 5D pop ebp
00407656 . 83C4 0C add esp,0C
00407659 . E9 9B8F0100 jmp FileTree.004205F9
0040765E > 6A 00 push 0
00407660 . 6A 00 push 0
00407662 . 68 D0FE4200 push FileTree.0042FED0 ; registration failed!
00407667 . E8 77100200 call FileTree.004286E3
0040766C . 5B pop ebx
0040766D . 5F pop edi
0040766E . 5E pop esi
0040766F . 5D pop ebp
00407670 . 83C4 0C add esp,0C
00407673 . C3 retn
将用户名及由用户名运算所得的注册码或者固定码"83913146"输入注册，弹出注册成功提示："registration has succeeded!"。
同时，程序将注册信息保存入注册表中。但是当程序弹出主界面时，注册表中的信息又被清空了!
4.暴破解之。先在注册表中伪造一份注册信息：
[HKEY_CURRENT_USER\Software\DigitByteStudio\FileTreePrinter\Option]
"username"="hrbx"
"registration_code"="9876543210"
Ctrl+F2重新载入程序，右键--Ultra String Reference--Find ASCII,查找“username”，找到后全部F2下断，F9运行程序，
00406670 6A FF push -1
00406672 68 4CDB4200 push FileTree.0042DB4C ; 入口地址
00406677 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0040667D |. 50 push eax
0040667E |. 64:8925 00000000 mov dword ptr fs:[0],esp
00406685 |. 81EC 04010000 sub esp,104
0040668B |. 53 push ebx
0040668C |. 56 push esi
0040668D |. 57 push edi
0040668E |. 8BD9 mov ebx,ecx
00406690 |. 6A 00 push 0
00406692 |. 895C24 20 mov dword ptr ss:[esp+20],ebx
00406696 |. E8 76BC0000 call FileTree.00412311
0040669B |. 83C4 04 add esp,4
0040669E |. 8BF8 mov edi,eax
004066A0 |. 8BF2 mov esi,edx
004066A2 |. E8 012E0200 call FileTree.004294A8
004066A7 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
004066AA |. 8B88 A4000000 mov ecx,dword ptr ds:[eax+A4]
004066B0 |. 8B80 A8000000 mov eax,dword ptr ds:[eax+A8]
004066B6 |. 83C1 05 add ecx,5
004066B9 |. 83D0 00 adc eax,0
004066BC |. 3BC6 cmp eax,esi
004066BE |. 7F 20 jg short FileTree.004066E0
004066C0 |. 7C 04 jl short FileTree.004066C6
004066C2 |. 3BCF cmp ecx,edi
004066C4 |. 73 1A jnb short FileTree.004066E0
004066C6 |> 5F pop edi
004066C7 |. 5E pop esi
004066C8 |. 33C0 xor eax,eax
004066CA |. 5B pop ebx
004066CB |. 8B8C24 04010000 mov ecx,dword ptr ss:[esp+104]
004066D2 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
004066D9 |. 81C4 10010000 add esp,110
004066DF |. C3 retn
004066E0 |> E8 C32D0200 call FileTree.004294A8
004066E5 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
004066E8 |. 68 65F64200 push FileTree.0042F665
004066ED |. 68 F4FD4200 push FileTree.0042FDF4 ; username,F9运行后中断在此，
004066F2 |. 68 ECFD4200 push FileTree.0042FDEC ; option
004066F7 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
004066FB |. 51 push ecx
004066FC |. 8BC8 mov ecx,eax
004066FE |. E8 7F2F0200 call FileTree.00429682
00406703 |. 8DB3 84000000 lea esi,dword ptr ds:[ebx+84]
00406709 |. 50 push eax
0040670A |. 8BCE mov ecx,esi
0040670C |. C78424 1C010000 0>mov dword ptr ss:[esp+11C],0
00406717 |. E8 64ADFFFF call FileTree.00401480
0040671C |. 8B4424 18 mov eax,dword ptr ss:[esp+18] ; 用户名"hrbx"
00406720 |. 83C0 F0 add eax,-10
00406723 |. C78424 18010000 F>mov dword ptr ss:[esp+118],-1
0040672E |. 8D50 0C lea edx,dword ptr ds:[eax+C]
00406731 |. 83C9 FF or ecx,FFFFFFFF
00406734 |. F0:0FC10A lock xadd dword ptr ds:[edx],ecx
00406738 |. 49 dec ecx
00406739 |. 85C9 test ecx,ecx
0040673B |. 7F 08 jg short FileTree.00406745
0040673D |. 8B08 mov ecx,dword ptr ds:[eax]
0040673F |. 8B11 mov edx,dword ptr ds:[ecx]
00406741 |. 50 push eax
00406742 |. FF52 04 call dword ptr ds:[edx+4]
00406745 |> 55 push ebp
00406746 |. E8 5D2D0200 call FileTree.004294A8
0040674B |. 8B40 04 mov eax,dword ptr ds:[eax+4]
0040674E |. 68 65F64200 push FileTree.0042F665
00406753 |. 68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00406758 |. 68 ECFD4200 push FileTree.0042FDEC ; option
0040675D |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00406761 |. 51 push ecx
00406762 |. 8BC8 mov ecx,eax
00406764 |. E8 192F0200 call FileTree.00429682
00406769 |. 8DBB 88000000 lea edi,dword ptr ds:[ebx+88]
0040676F |. BD 01000000 mov ebp,1
00406774 |. 50 push eax
00406775 |. 8BCF mov ecx,edi
00406777 |. 89AC24 20010000 mov dword ptr ss:[esp+120],ebp
0040677E |. E8 FDACFFFF call FileTree.00401480
00406783 |. 8B4424 1C mov eax,dword ptr ss:[esp+1C] ; 假码"9876543210"
00406787 |. 83C0 F0 add eax,-10
0040678A |. C78424 1C010000 F>mov dword ptr ss:[esp+11C],-1
00406795 |. 8D50 0C lea edx,dword ptr ds:[eax+C]
00406798 |. 83C9 FF or ecx,FFFFFFFF
0040679B |. F0:0FC10A lock xadd dword ptr ds:[edx],ecx
0040679F |. 49 dec ecx
004067A0 |. 85C9 test ecx,ecx
004067A2 |. 7F 08 jg short FileTree.004067AC
004067A4 |. 8B08 mov ecx,dword ptr ds:[eax]
004067A6 |. 8B11 mov edx,dword ptr ds:[ecx]
004067A8 |. 50 push eax
004067A9 |. FF52 04 call dword ptr ds:[edx+4]
004067AC |> 8B06 mov eax,dword ptr ds:[esi] ; 用户名"hrbx"
004067AE |. 8B40 F4 mov eax,dword ptr ds:[eax-C]
004067B1 |. 3BC5 cmp eax,ebp
004067B3 |. 894424 1C mov dword ptr ss:[esp+1C],eax
004067B7 0F8E F3020000 jle FileTree.00406AB0 ; 用户名为空则Over
004067BD |. 8B0F mov ecx,dword ptr ds:[edi] ; 假码"9876543210"
004067BF |. 3969 F4 cmp dword ptr ds:[ecx-C],ebp
004067C2 0F8E E8020000 jle FileTree.00406AB0 ; 假码为空则Over
004067C8 |. 8B06 mov eax,dword ptr ds:[esi]
004067CA |. 8B48 F4 mov ecx,dword ptr ds:[eax-C]
004067CD |. 85C9 test ecx,ecx
004067CF |. 7D 0A jge short FileTree.004067DB
004067D1 |. 68 57000780 push 80070057
004067D6 |. E8 35A8FFFF call FileTree.00401010
004067DB |> 8A10 mov dl,byte ptr ds:[eax]
004067DD |. 8B06 mov eax,dword ptr ds:[esi]
004067DF |. 3968 F4 cmp dword ptr ds:[eax-C],ebp
004067E2 7D 0A jge short FileTree.004067EE
004067E4 |. 68 57000780 push 80070057
004067E9 |. E8 22A8FFFF call FileTree.00401010
004067EE |> 8A40 01 mov al,byte ptr ds:[eax+1]
004067F1 |. 884424 12 mov byte ptr ss:[esp+12],al
004067F5 |. 8B06 mov eax,dword ptr ds:[esi]
004067F7 |. 8B48 F4 mov ecx,dword ptr ds:[eax-C]
004067FA |. 85C9 test ecx,ecx
004067FC |. 7D 0A jge short FileTree.00406808
004067FE |. 68 57000780 push 80070057
00406803 |. E8 08A8FFFF call FileTree.00401010
00406808 |> 8B0E mov ecx,dword ptr ds:[esi] ; 用户名"hrbx"
0040680A |. 8A18 mov bl,byte ptr ds:[eax]
0040680C |. 3969 F4 cmp dword ptr ds:[ecx-C],ebp
0040680F 7D 0A jge short FileTree.0040681B
00406811 |. 68 57000780 push 80070057
00406816 |. E8 F5A7FFFF call FileTree.00401010 ; 以下对用户名进行运算，与"Register"按钮过程相同，分析略
0040681B |> 0FB6C2 movzx eax,dl ; 用户名第1位字符的ASCII值，DL＝0x68("h")
0040681E |. 83C8 45 or eax,45 ; EAX=EAX or 0x45
00406821 |. 99 cdq
00406822 |. BD 0A000000 mov ebp,0A
00406827 |. F7FD idiv ebp
00406829 |. 0FB64424 12 movzx eax,byte ptr ss:[esp+12]
0040682E |. 83C8 42 or eax,42
00406831 |. 885424 1A mov byte ptr ss:[esp+1A],dl
00406835 |. 99 cdq
00406836 |. F7FD idiv ebp
00406838 |. 0FB6C3 movzx eax,bl
0040683B |. 83C8 43 or eax,43
0040683E |. 8BDD mov ebx,ebp
00406840 |. 885424 12 mov byte ptr ss:[esp+12],dl
00406844 |. 99 cdq
00406845 |. F7FB idiv ebx
00406847 |. 0FB641 01 movzx eax,byte ptr ds:[ecx+1]
0040684B |. 83C8 44 or eax,44
0040684E |. 8BCD mov ecx,ebp
00406850 |. 885424 19 mov byte ptr ss:[esp+19],dl
00406854 |. 99 cdq
00406855 |. F7F9 idiv ecx
00406857 |. 33C0 xor eax,eax
00406859 |. 33C9 xor ecx,ecx
0040685B |. 885424 18 mov byte ptr ss:[esp+18],dl
0040685F |. 8B5424 1C mov edx,dword ptr ss:[esp+1C]
00406863 |. 85D2 test edx,edx
00406865 |. 7E 23 jle short FileTree.0040688A
00406867 |> 85C9 /test ecx,ecx
00406869 |. 0F8C D8000000 |jl FileTree.00406947
0040686F |. 8B16 |mov edx,dword ptr ds:[esi]
00406871 |. 3B4A F4 |cmp ecx,dword ptr ds:[edx-C]
00406874 |. 0F8F CD000000 |jg FileTree.00406947
0040687A |. 0FB6140A |movzx edx,byte ptr ds:[edx+ecx]
0040687E |. 03C2 |add eax,edx
00406880 |. 8B16 |mov edx,dword ptr ds:[esi]
00406882 |. 8B5A F4 |mov ebx,dword ptr ds:[edx-C]
00406885 |. 41 |inc ecx
00406886 |. 3BCB |cmp ecx,ebx
00406888 |.^ 7C DD \jl short FileTree.00406867
0040688A |> 99 cdq
0040688B |. B9 0A000000 mov ecx,0A
00406890 |. F7F9 idiv ecx
00406892 |. 8B07 mov eax,dword ptr ds:[edi]
00406894 |. 8B48 F4 mov ecx,dword ptr ds:[eax-C]
00406897 |. 85C9 test ecx,ecx
00406899 |. 885424 15 mov byte ptr ss:[esp+15],dl
0040689D |. 7D 0A jge short FileTree.004068A9
0040689F |. 68 57000780 push 80070057
004068A4 |. E8 67A7FFFF call FileTree.00401010
004068A9 |> 8A18 mov bl,byte ptr ds:[eax]
004068AB |. 8B0F mov ecx,dword ptr ds:[edi]
004068AD |. 8379 F4 01 cmp dword ptr ds:[ecx-C],1
004068B1 |. 885C24 1B mov byte ptr ss:[esp+1B],bl
004068B5 |. 7D 0A jge short FileTree.004068C1
004068B7 |. 68 57000780 push 80070057
004068BC E8 4FA7FFFF call FileTree.00401010
004068C1 |> 8B37 mov esi,dword ptr ds:[edi]
004068C3 |. 8B6E F4 mov ebp,dword ptr ds:[esi-C]
004068C6 |. 83FD 02 cmp ebp,2
004068C9 |. 8A51 01 mov dl,byte ptr ds:[ecx+1]
004068CC |. 885424 13 mov byte ptr ss:[esp+13],dl
004068D0 |. 7D 0A jge short FileTree.004068DC
004068D2 |. 68 57000780 push 80070057
004068D7 E8 34A7FFFF call FileTree.00401010
004068DC |> 8A46 02 mov al,byte ptr ds:[esi+2]
004068DF |. 8B37 mov esi,dword ptr ds:[edi]
004068E1 |. 884424 14 mov byte ptr ss:[esp+14],al
004068E5 |. 837E F4 03 cmp dword ptr ds:[esi-C],3
004068E9 |. 7D 0A jge short FileTree.004068F5
004068EB |. 68 57000780 push 80070057
004068F0 |. E8 1BA7FFFF call FileTree.00401010
004068F5 |> 8A56 03 mov dl,byte ptr ds:[esi+3]
004068F8 |. 8B37 mov esi,dword ptr ds:[edi]
004068FA |. 837E F4 04 cmp dword ptr ds:[esi-C],4
004068FE |. 7D 0A jge short FileTree.0040690A
00406900 |. 68 57000780 push 80070057
00406905 |. E8 06A7FFFF call FileTree.00401010
0040690A |> 8A4E 04 mov cl,byte ptr ds:[esi+4]
0040690D |. 8B37 mov esi,dword ptr ds:[edi]
0040690F |. 837E F4 05 cmp dword ptr ds:[esi-C],5
00406913 |. 7D 0A jge short FileTree.0040691F
00406915 |. 68 57000780 push 80070057
0040691A |. E8 F1A6FFFF call FileTree.00401010
0040691F |> 8A46 05 mov al,byte ptr ds:[esi+5]
00406922 |. 8B37 mov esi,dword ptr ds:[edi]
00406924 |. 884424 16 mov byte ptr ss:[esp+16],al
00406928 |. 837E F4 06 cmp dword ptr ds:[esi-C],6
0040692C |. 7D 0A jge short FileTree.00406938
0040692E |. 68 57000780 push 80070057
00406933 |. E8 D8A6FFFF call FileTree.00401010
00406938 |> 8A46 06 mov al,byte ptr ds:[esi+6]
0040693B |. 8B3F mov edi,dword ptr ds:[edi]
0040693D |. 884424 17 mov byte ptr ss:[esp+17],al
00406941 |. 837F F4 07 cmp dword ptr ds:[edi-C],7
00406945 |. 7D 0A jge short FileTree.00406951
00406947 |> 68 57000780 push 80070057
0040694C |. E8 BFA6FFFF call FileTree.00401010
00406951 |> 8A47 07 mov al,byte ptr ds:[edi+7]
00406954 |. 0FB67C24 1A movzx edi,byte ptr ss:[esp+1A]
00406959 |. 0FB6F3 movzx esi,bl
0040695C |. 83EE 30 sub esi,30
0040695F |. 3BFE cmp edi,esi
00406961 |. 75 44 jnz short FileTree.004069A7
00406963 |. 0FB67424 13 movzx esi,byte ptr ss:[esp+13]
00406968 |. 0FB67C24 12 movzx edi,byte ptr ss:[esp+12]
0040696D |. 83EE 30 sub esi,30
00406970 |. 3BFE cmp edi,esi
00406972 |. 75 2F jnz short FileTree.004069A3
00406974 |. 0FB67424 14 movzx esi,byte ptr ss:[esp+14]
00406979 |. 0FB67C24 19 movzx edi,byte ptr ss:[esp+19]
0040697E |. 83EE 30 sub esi,30
00406981 |. 3BFE cmp edi,esi
00406983 |. 75 1E jnz short FileTree.004069A3
00406985 |. 0FB67C24 18 movzx edi,byte ptr ss:[esp+18]
0040698A |. 0FB6F2 movzx esi,dl
0040698D |. 83EE 30 sub esi,30
00406990 |. 3BFE cmp edi,esi
00406992 |. 75 0F jnz short FileTree.004069A3
00406994 |. 0FB67C24 15 movzx edi,byte ptr ss:[esp+15]
00406999 |. 0FB6F1 movzx esi,cl
0040699C |. 83EE 30 sub esi,30
0040699F |. 3BFE cmp edi,esi
004069A1 |. 74 32 je short FileTree.004069D5
004069A3 |> 8A5C24 1B mov bl,byte ptr ss:[esp+1B]
004069A7 |> 80FB 38 cmp bl,38
004069AA |. 75 78 jnz short FileTree.00406A24
004069AC |. 807C24 13 33 cmp byte ptr ss:[esp+13],33
004069B1 |. 75 71 jnz short FileTree.00406A24
004069B3 |. 807C24 14 39 cmp byte ptr ss:[esp+14],39
004069B8 |. 75 6A jnz short FileTree.00406A24
004069BA |. 80FA 31 cmp dl,31
004069BD |. 75 65 jnz short FileTree.00406A24
004069BF |. 80F9 33 cmp cl,33
004069C2 |. 75 60 jnz short FileTree.00406A24
004069C4 |. 385424 16 cmp byte ptr ss:[esp+16],dl
004069C8 |. 75 5A jnz short FileTree.00406A24
004069CA |. 807C24 17 34 cmp byte ptr ss:[esp+17],34
004069CF |. 75 53 jnz short FileTree.00406A24
004069D1 |. 3C 36 cmp al,36
004069D3 |. 75 4F jnz short FileTree.00406A24
004069D5 |> 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
004069D9 |. C781 8C000000 010>mov dword ptr ds:[ecx+8C],1
004069E3 |. E8 C02A0200 call FileTree.004294A8
004069E8 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
004069EB |. 68 65F64200 push FileTree.0042F665
004069F0 |. 68 F4FD4200 push FileTree.0042FDF4 ; username,
004069F5 |. 68 ECFD4200 push FileTree.0042FDEC ; option
004069FA |. 8BC8 mov ecx,eax
004069FC |. E8 421A0200 call FileTree.00428443 ; 删除注册表中的用户名数据
00406A01 |. E8 A22A0200 call FileTree.004294A8
00406A06 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00406A09 |. 68 65F64200 push FileTree.0042F665
00406A0E |. 68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00406A13 |. 68 ECFD4200 push FileTree.0042FDEC ; option
00406A18 |. 8BC8 mov ecx,eax
00406A1A |. E8 241A0200 call FileTree.00428443 ; 删除注册表中的注册码数据
00406A1F |. E9 AE010000 jmp FileTree.00406BD2
00406A24 6A 00 push 0 ; 注册码都不符合上面运算则跳到这里
00406A26 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00406A2A |. E8 510C0000 call FileTree.00407680 ; 关键CALL-1,F7进入
00406A2F |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00406A33 |. C78424 1C010000 0>mov dword ptr ss:[esp+11C],2
00406A3E |. E8 E3A10100 call FileTree.00420C26 ; 关键CALL-2,F7进入
00406A43 |. 83F8 01 cmp eax,1
00406A46 |. 75 5F jnz short FileTree.00406AA7
00406A48 |. 8B5424 20 mov edx,dword ptr ss:[esp+20]
00406A4C |. 8982 8C000000 mov dword ptr ds:[edx+8C],eax
00406A52 |. E8 512A0200 call FileTree.004294A8
00406A57 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00406A5A |. 68 65F64200 push FileTree.0042F665
00406A5F |. 68 F4FD4200 push FileTree.0042FDF4 ; username
00406A64 |. 68 ECFD4200 push FileTree.0042FDEC ; option
00406A69 |. 8BC8 mov ecx,eax
00406A6B |. E8 D3190200 call FileTree.00428443
00406A70 |. E8 332A0200 call FileTree.004294A8
00406A75 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00406A78 |. 68 65F64200 push FileTree.0042F665
00406A7D |. 68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00406A82 |. 68 ECFD4200 push FileTree.0042FDEC ; option
00406A87 |. 8BC8 mov ecx,eax
00406A89 |. E8 B5190200 call FileTree.00428443
00406A8E |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00406A92 |. C78424 1C010000 F>mov dword ptr ss:[esp+11C],-1
00406A9D |. E8 9EFAFFFF call FileTree.00406540
00406AA2 |. E9 2B010000 jmp FileTree.00406BD2
00406AA7 |> 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00406AAB |. E9 90000000 jmp FileTree.00406B40
00406AB0 |> 6A 00 push 0
00406AB2 |. 8D8C24 A0000000 lea ecx,dword ptr ss:[esp+A0]
00406AB9 |. E8 C20B0000 call FileTree.00407680
00406ABE |. 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
00406AC5 |. C78424 1C010000 0>mov dword ptr ss:[esp+11C],3
00406AD0 |. E8 51A10100 call FileTree.00420C26
00406AD5 |. 3BC5 cmp eax,ebp
00406AD7 |. 75 60 jnz short FileTree.00406B39
00406AD9 |. 89AB 8C000000 mov dword ptr ds:[ebx+8C],ebp
00406ADF |. E8 C4290200 call FileTree.004294A8
00406AE4 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00406AE7 |. 68 65F64200 push FileTree.0042F665
00406AEC |. 68 F4FD4200 push FileTree.0042FDF4
00406AF1 |. 68 ECFD4200 push FileTree.0042FDEC
00406AF6 |. 8BC8 mov ecx,eax
00406AF8 |. E8 46190200 call FileTree.00428443
00406AFD |. E8 A6290200 call FileTree.004294A8
00406B02 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00406B05 |. 68 65F64200 push FileTree.0042F665
00406B0A |. 68 D8FD4200 push FileTree.0042FDD8
00406B0F |. 68 ECFD4200 push FileTree.0042FDEC
00406B14 |. 8BC8 mov ecx,eax
00406B16 |. E8 28190200 call FileTree.00428443
00406B1B |. 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
00406B22 |. C78424 1C010000 F>mov dword ptr ss:[esp+11C],-1
00406B2D |. E8 0EFAFFFF call FileTree.00406540
00406B32 |. 8BC5 mov eax,ebp
00406B34 |. E9 9E000000 jmp FileTree.00406BD7
00406B39 |> 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
00406B40 |> C78424 1C010000 F>mov dword ptr ss:[esp+11C],-1
00406B4B |. E8 F0F9FFFF call FileTree.00406540
00406B50 |. 6A 00 push 0
00406B52 |. E8 BAB70000 call FileTree.00412311
00406B57 |. 83C4 04 add esp,4
00406B5A |. 8BF0 mov esi,eax
00406B5C |. 8BDA mov ebx,edx
00406B5E |. E8 45290200 call FileTree.004294A8
00406B63 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00406B66 |. 56 push esi
00406B67 |. 68 D4FD4200 push FileTree.0042FDD4 ; t
00406B6C |. 68 CCFD4200 push FileTree.0042FDCC ; setup
00406B71 |. 8BC8 mov ecx,eax
00406B73 |. E8 A12A0200 call FileTree.00429619
00406B78 |. 99 cdq
00406B79 |. 8BF8 mov edi,eax
00406B7B |. 3BFE cmp edi,esi ; 检查注册表中是否有"setup"项
00406B7D |. 8BEA mov ebp,edx
00406B7F |. 75 1E jnz short FileTree.00406B9F ; 有则跳
00406B81 |. 3BEB cmp ebp,ebx
00406B83 |. 75 1A jnz short FileTree.00406B9F ; 有则跳
00406B85 |. E8 1E290200 call FileTree.004294A8
00406B8A |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00406B8D |. 56 push esi ; /Arg3
00406B8E |. 68 D4FD4200 push FileTree.0042FDD4 ; |t
00406B93 |. 68 CCFD4200 push FileTree.0042FDCC ; |setup
00406B98 |. 8BC8 mov ecx,eax ; |
00406B9A |. E8 22180200 call FileTree.004283C1 ; \FileTree.004283C1
00406B9F |> 8BCF mov ecx,edi
00406BA1 |. 81C1 008D2700 add ecx,278D00
00406BA7 |. 8BC5 mov eax,ebp
00406BA9 |. 83D0 00 adc eax,0
00406BAC |. 3BC3 cmp eax,ebx ; 比较软件是否已到30天试用期
00406BAE 7F 18 jg short FileTree.00406BC8
00406BB0 |. 7C 04 jl short FileTree.00406BB6
00406BB2 |. 3BCE cmp ecx,esi
00406BB4 |. 73 12 jnb short FileTree.00406BC8
00406BB6 |> 6A 00 push 0
00406BB8 |. 6A 00 push 0
00406BBA |. 68 98FD4200 push FileTree.0042FD98 ; this trial version has expired! please register.
00406BBF |. E8 1F1B0200 call FileTree.004286E3
00406BC4 |. 33C0 xor eax,eax
00406BC6 |. EB 0F jmp short FileTree.00406BD7
00406BC8 |> 3BDD cmp ebx,ebp
00406BCA |. 7F 06 jg short FileTree.00406BD2
00406BCC |.^ 7C E8 jl short FileTree.00406BB6
00406BCE |. 3BF7 cmp esi,edi
00406BD0 |.^ 72 E4 jb short FileTree.00406BB6
00406BD2 B8 01000000 mov eax,1 ; 将标志位EAX置为1,暴破关键点
00406BD7 |> 8B8C24 14010000 mov ecx,dword ptr ss:[esp+114]
00406BDE |. 5D pop ebp
00406BDF |. 5F pop edi
00406BE0 |. 5E pop esi
00406BE1 |. 5B pop ebx
00406BE2 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00406BE9 |. 81C4 10010000 add esp,110
00406BEF \. C3 retn
F7进入00406A2A处的关键CALL-1，来到：
00407680 /$ 6A FF push -1
00407682 |. 68 3EDC4200 push FileTree.0042DC3E ; SE 句柄安装
00407687 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0040768D |. 50 push eax
0040768E |. 64:8925 00000000 mov dword ptr fs:[0],esp
00407695 |. 51 push ecx
00407696 |. 8B4424 14 mov eax,dword ptr ss:[esp+14]
0040769A |. 55 push ebp
0040769B |. 56 push esi
0040769C |. 57 push edi
0040769D |. 50 push eax
0040769E |. 8BF1 mov esi,ecx
004076A0 |. 68 82000000 push 82 ; 常数,0x82，下个CALL中要用到
004076A5 |. 897424 14 mov dword ptr ss:[esp+14],esi
004076A9 |. E8 EC8E0100 call FileTree.0042059A
004076AE |. C74424 18 0000000>mov dword ptr ss:[esp+18],0
004076B6 |. C706 50FF4200 mov dword ptr ds:[esi],FileTree.004>
004076BC |. 8D7E 70 lea edi,dword ptr ds:[esi+70]
004076BF |. E8 41980100 call FileTree.00420F05
004076C4 |. 8B10 mov edx,dword ptr ds:[eax]
004076C6 |. 8BC8 mov ecx,eax
004076C8 |. FF52 0C call dword ptr ds:[edx+C]
004076CB |. 83C0 10 add eax,10
004076CE |. 8907 mov dword ptr ds:[edi],eax
004076D0 |. C64424 18 01 mov byte ptr ss:[esp+18],1
004076D5 |. 8D6E 74 lea ebp,dword ptr ds:[esi+74]
004076D8 |. E8 28980100 call FileTree.00420F05
004076DD |. 8B10 mov edx,dword ptr ds:[eax]
004076DF |. 8BC8 mov ecx,eax
004076E1 |. FF52 0C call dword ptr ds:[edx+C]
004076E4 |. 83C0 10 add eax,10
004076E7 |. 8945 00 mov dword ptr ss:[ebp],eax
004076EA |. C64424 18 02 mov byte ptr ss:[esp+18],2
004076EF |. E8 B41D0200 call FileTree.004294A8
004076F4 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
004076F7 |. 68 65F64200 push FileTree.0042F665
004076FC |. 68 F4FD4200 push FileTree.0042FDF4 ; username
00407701 |. 68 ECFD4200 push FileTree.0042FDEC ; option
00407706 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040770A |. 51 push ecx
0040770B |. 8BC8 mov ecx,eax
0040770D |. E8 701F0200 call FileTree.00429682
00407712 |. 50 push eax
00407713 |. 8BCF mov ecx,edi
00407715 |. C64424 1C 03 mov byte ptr ss:[esp+1C],3
0040771A |. E8 619DFFFF call FileTree.00401480
0040771F |. 8B4424 20 mov eax,dword ptr ss:[esp+20] ; 用户名"hrbx"
00407723 |. 83C0 F0 add eax,-10
00407726 |. C64424 18 02 mov byte ptr ss:[esp+18],2
0040772B |. 8D50 0C lea edx,dword ptr ds:[eax+C]
0040772E |. 83C9 FF or ecx,FFFFFFFF
00407731 |. F0:0FC10A lock xadd dword ptr ds:[edx],ecx
00407735 |. 49 dec ecx
00407736 |. 85C9 test ecx,ecx
00407738 |. 7F 08 jg short FileTree.00407742
0040773A |. 8B08 mov ecx,dword ptr ds:[eax]
0040773C |. 8B11 mov edx,dword ptr ds:[ecx]
0040773E |. 50 push eax
0040773F |. FF52 04 call dword ptr ds:[edx+4]
00407742 |> E8 611D0200 call FileTree.004294A8
00407747 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
0040774A |. 68 65F64200 push FileTree.0042F665
0040774F |. 68 D8FD4200 push FileTree.0042FDD8 ; registration_code
00407754 |. 68 ECFD4200 push FileTree.0042FDEC ; option
00407759 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040775D |. 51 push ecx
0040775E |. 8BC8 mov ecx,eax
00407760 |. E8 1D1F0200 call FileTree.00429682
00407765 |. 50 push eax
00407766 |. 8BCD mov ecx,ebp
00407768 |. C64424 1C 04 mov byte ptr ss:[esp+1C],4
0040776D |. E8 0E9DFFFF call FileTree.00401480
00407772 |. 8B4424 20 mov eax,dword ptr ss:[esp+20] ; 假码"9876543210"
00407776 |. 83C0 F0 add eax,-10
00407779 |. C64424 18 02 mov byte ptr ss:[esp+18],2
0040777E |. 8D50 0C lea edx,dword ptr ds:[eax+C]
00407781 |. 83C9 FF or ecx,FFFFFFFF
00407784 |. F0:0FC10A lock xadd dword ptr ds:[edx],ecx
00407788 |. 49 dec ecx
00407789 |. 85C9 test ecx,ecx
0040778B |. 7F 08 jg short FileTree.00407795
0040778D |. 8B08 mov ecx,dword ptr ds:[eax]
0040778F |. 8B11 mov edx,dword ptr ds:[ecx]
00407791 |. 50 push eax
00407792 |. FF52 04 call dword ptr ds:[edx+4]
00407795 |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00407799 |. 5F pop edi
0040779A |. 8BC6 mov eax,esi
0040779C |. 5E pop esi
0040779D |. 5D pop ebp
0040779E |. 64:890D 00000000 mov dword ptr fs:[0],ecx
004077A5 |. 83C4 10 add esp,10
004077A8 \. C2 0400 retn 4
F7进入00406A3E处的关键CALL-2,来到：
00420C26 $ B8 E0DC4200 mov eax,FileTree.0042DCE0
00420C2B . E8 C02BFFFF call FileTree.004137F0
00420C30 . 83EC 18 sub esp,18
00420C33 . 53 push ebx
00420C34 . 56 push esi
00420C35 . 8BF1 mov esi,ecx
00420C37 . 8B46 58 mov eax,dword ptr ds:[esi+58]
00420C3A . 8B5E 5C mov ebx,dword ptr ds:[esi+5C]
00420C3D . 57 push edi
00420C3E . 8965 F0 mov dword ptr ss:[ebp-10],esp
00420C41 . 8975 E4 mov dword ptr ss:[ebp-1C],esi
00420C44 . 8945 E8 mov dword ptr ss:[ebp-18],eax
00420C47 . E8 5C880000 call FileTree.004294A8
00420C4C 837E 54 00 cmp dword ptr ds:[esi+54],0 ; ds:[esi+54]=82,上个CALL中的常数0x82
00420C50 8B78 0C mov edi,dword ptr ds:[eax+C]
00420C53 74 1F je short FileTree.00420C74 ; 不跳则Over
00420C55 . E8 4E880000 call FileTree.004294A8
00420C5A . 8B78 0C mov edi,dword ptr ds:[eax+C]
00420C5D . 6A 05 push 5 ; /ResourceType = RT_DIALOG
00420C5F . FF76 54 push dword ptr ds:[esi+54] ; |ResourceName
00420C62 . 57 push edi ; |hModule
00420C63 . FF15 98F24200 call dword ptr ds:[<&KERNEL32.FindResourceA>] ; \FindResourceA
00420C69 . 50 push eax ; /hResource
00420C6A . 57 push edi ; |hModule
00420C6B . FF15 9CF24200 call dword ptr ds:[<&KERNEL32.LoadResource>] ; \LoadResource
00420C71 . 8945 E8 mov dword ptr ss:[ebp-18],eax
00420C74 > 837D E8 00 cmp dword ptr ss:[ebp-18],0
00420C78 . 74 0B je short FileTree.00420C85
00420C7A . FF75 E8 push dword ptr ss:[ebp-18] ; /nHandles
00420C7D . FF15 A0F24200 call dword ptr ds:[<&KERNEL32.LockResource>] ; \SetHandleCount
00420C83 . 8BD8 mov ebx,eax
00420C85 > 85DB test ebx,ebx
00420C87 . 75 08 jnz short FileTree.00420C91
00420C89 . 83C8 FF or eax,FFFFFFFF
00420C8C . E9 03010000 jmp FileTree.00420D94
00420C91 > 8BCE mov ecx,esi
00420C93 . E8 CEFAFFFF call FileTree.00420766
00420C98 . 8945 EC mov dword ptr ss:[ebp-14],eax
00420C9B . E8 94210000 call FileTree.00422E34
00420CA0 . 8365 E0 00 and dword ptr ss:[ebp-20],0
00420CA4 . 837D EC 00 cmp dword ptr ss:[ebp-14],0
00420CA8 . 74 2A je short FileTree.00420CD4
00420CAA . FF15 F0F44200 call dword ptr ds:[<&USER32.GetDesktopWindow>] ; [GetDesktopWindow
00420CB0 . 3945 EC cmp dword ptr ss:[ebp-14],eax
00420CB3 . 74 1F je short FileTree.00420CD4
00420CB5 . FF75 EC push dword ptr ss:[ebp-14] ; /hWnd
00420CB8 . FF15 D0F44200 call dword ptr ds:[<&USER32.IsWindowEnabled>] ; \IsWindowEnabled
00420CBE . 85C0 test eax,eax
00420CC0 . 74 12 je short FileTree.00420CD4
00420CC2 6A 00 push 0
00420CC4 . FF75 EC push dword ptr ss:[ebp-14] ; |hWnd
00420CC7 . FF15 44F44200 call dword ptr ds:[<&USER32.EnableWindow>] ; \EnableWindow
00420CCD . C745 E0 01000000 mov dword ptr ss:[ebp-20],1
00420CD4 > 8365 FC 00 and dword ptr ss:[ebp-4],0
00420CD8 . 56 push esi
00420CD9 . E8 A1330000 call FileTree.0042407F
00420CDE . FF75 EC push dword ptr ss:[ebp-14]
00420CE1 . E8 A6200000 call FileTree.00422D8C
00420CE6 . 57 push edi
00420CE7 . 50 push eax
00420CE8 . 53 push ebx
00420CE9 . 8BCE mov ecx,esi
00420CEB . E8 29FDFFFF call FileTree.00420A19
00420CF0 . 33DB xor ebx,ebx
00420CF2 . 3BC3 cmp eax,ebx
00420CF4 74 52 je short FileTree.00420D48
00420CF6 . F646 38 10 test byte ptr ds:[esi+38],10
00420CFA . 74 1A je short FileTree.00420D16
00420CFC . 6A 04 push 4
00420CFE . 5F pop edi
00420CFF . 8BCE mov ecx,esi
00420D01 . E8 BC040000 call FileTree.004211C2
00420D06 . F6C4 01 test ah,1
00420D09 . 74 03 je short FileTree.00420D0E
00420D0B . 6A 05 push 5
00420D0D . 5F pop edi
00420D0E > 57 push edi ; /Arg1
00420D0F . 8BCE mov ecx,esi ; |
00420D11 . E8 1A1B0000 call FileTree.00422830 ; \FileTree.00422830
00420D16 > 395E 1C cmp dword ptr ds:[esi+1C],ebx
00420D19 . 74 2D je short FileTree.00420D48
00420D1B . 68 97000000 push 97 ; /Arg6 = 00000097
00420D20 . 53 push ebx ; |Arg5
00420D21 . 53 push ebx ; |Arg4
00420D22 . 53 push ebx ; |Arg3
00420D23 . 53 push ebx ; |Arg2
00420D24 . 53 push ebx ; |Arg1
00420D25 . 8BCE mov ecx,esi ; |
00420D27 . E8 70060000 call FileTree.0042139C ; \FileTree.0042139C
00420D2C . EB 1A jmp short FileTree.00420D48
00420D2E . 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00420D31 . E8 3D010000 call FileTree.00420E73
00420D36 . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00420D39 . 8348 40 FF or dword ptr ds:[eax+40],FFFFFFFF
00420D3D . B8 430D4200 mov eax,FileTree.00420D43
00420D42 . C3 retn
00420D43 . 8B75 E4 mov esi,dword ptr ss:[ebp-1C]
00420D46 . 33DB xor ebx,ebx
00420D48 > 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
00420D4C . 395D E0 cmp dword ptr ss:[ebp-20],ebx
00420D4F . 74 0B je short FileTree.00420D5C
00420D51 . 6A 01 push 1 ; /Enable = TRUE
00420D53 . FF75 EC push dword ptr ss:[ebp-14] ; |hWnd
00420D56 . FF15 44F44200 call dword ptr ds:[<&USER32.EnableWindow>] ; \EnableWindow
00420D5C > 395D EC cmp dword ptr ss:[ebp-14],ebx
00420D5F . 74 14 je short FileTree.00420D75
00420D61 . FF15 ECF44200 call dword ptr ds:[<&USER32.GetActiveWindow>] ; [GetActiveWindow
00420D67 . 3B46 1C cmp eax,dword ptr ds:[esi+1C]
00420D6A . 75 09 jnz short FileTree.00420D75
00420D6C . FF75 EC push dword ptr ss:[ebp-14] ; /hWnd
00420D6F . FF15 E8F44200 call dword ptr ds:[<&USER32.SetActiveWindow>] ; \SetActiveWindow
00420D75 > 8B06 mov eax,dword ptr ds:[esi]
00420D77 . 8BCE mov ecx,esi
00420D79 . FF50 60 call dword ptr ds:[eax+60]
00420D7C . 8BCE mov ecx,esi
00420D7E . E8 1DFAFFFF call FileTree.004207A0
00420D83 . 395E 54 cmp dword ptr ds:[esi+54],ebx
00420D86 . 74 09 je short FileTree.00420D91
00420D88 . FF75 E8 push dword ptr ss:[ebp-18] ; /hResource
00420D8B . FF15 64F24200 call dword ptr ds:[<&KERNEL32.FreeResource>] ; \FreeResource
00420D91 > 8B46 40 mov eax,dword ptr ds:[esi+40]
00420D94 > 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00420D97 . 5F pop edi
00420D98 . 5E pop esi
00420D99 . 64:890D 00000000 mov dword ptr fs:[0],ecx
00420DA0 . 5B pop ebx
00420DA1 . C9 leave
00420DA2 . C3 retn
-----------------------------------------------------------------------------------------------
【破解总结】
1.程序注册时取用户名进行运算或者固定码"83913146"，与注册码进行比较，相等则弹出注册成功提示："registration has succeeded!"
并将注册信息信息保存入注册表中。但是当程序弹出主界面时，又将注册表中的信息清空!
2.没找到程序真正的算法部分，只好暴破。由于成功注册的话，程序会在00406BD2处将EAX置为1,所以只要EAX为1即可注册成功。
注册信息保存在(暴破的话只有第3项)：
[HKEY_CURRENT_USER\Software\DigitByteStudio\FileTreePrinter]
[HKEY_CURRENT_USER\Software\DigitByteStudio\FileTreePrinter\Option]
"username"=""
"registration_code"=""
[HKEY_CURRENT_USER\Software\DigitByteStudio\FileTreePrinter\settings]
暴破更改以下位置：
00406670 push -1 ; push -1 ===================> mov eax,1
00406672 push FileTree.0042DB4C ; push FileTree.0042DB4C=====> retn
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

复制代码

[ 本帖最后由 tigerisme 于 2006-8-26 20:57 编辑 ]

飘云 · 发表于 2006-6-10 10:47:13

爆得精彩！

野猫III · 发表于 2006-6-10 12:20:40

原帖由飘云于 2006-6-10 10:47 发表
爆得精彩！

哈哈。。。好爽呀！这个网站的软件再加这么一暴就完美啦！

之前的自校验看来见到光明咯。。。

沙粒 · 发表于 2006-6-10 16:23:33

向高手学习！

bfqyygy · 发表于 2006-6-10 18:07:46

确实高手..厉害

wuyuan · 发表于 2006-6-13 21:03:35

搞了好久都没搞定,总算明白怎么回事了,谢谢楼主出的精品.
网上这个注册机满天飞,不知怎么做的,希望高手贴出

wuyuan · 发表于 2006-6-13 21:58:55

00406670 B8 01000000 mov eax,1 /改过后00406672已屏蔽
00406675 C3 retn /这儿ret

chenlinyong36 · 发表于 2006-6-14 17:35:03

学习了
...............

网游难民 · 发表于 2006-6-19 08:37:51

高手的确厉害,,学习拉~~~

sky2008 · 发表于 2009-11-3 14:09:02

包括爆破的，好象也逃不出10个文件的目录限制？

		自动登录	找回密码
密码			加入我们

[原创] 暴破FileTreePrinter 3.1.6.139

相关帖子