TA的每日心情 | 开心
2015-8-23 23:49 |
|---|
签到天数: 27 天 [LV.4]偶尔看看III
|
本帖最后由 GGLHY 于 2011-1-20 16:25 编辑
某软件的注册算法分析及机器码生成过程揭秘
注:本文仅仅只对注册时的算法进行分析,关于重启验证则有机会的话另找时间单列!
为方便理解,特事先说明下:
该软件本身的注册,设为功能A。同时,还有对软件用户进行计算注册码的功能,设为功能B。而软件对于功能A和B的判断标志保存在局部变量[ESI+7A0]这里。
功能B的注册流程大同小异。我们就选择功能A的注册流程为例子来进行分析吧。
软件给出的机器码:619b8367,我们输入注册信息:
用户名:gglhy
假 码:15987530
一、软件注册算法分析
功能A:(软件本身的注册)
////////////////////////////////////////////////////////////////////////////////////////////////////////
我们直接来到这里:
00404AF0 . 6A FF PUSH -1
00404AF2 . 68 B0234500 PUSH FilePack.004523B0 ; SE 处理程序安装
00404AF7 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00404AFD . 50 PUSH EAX
00404AFE . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00404B05 . 83EC 1C SUB ESP,1C
00404B08 . 53 PUSH EBX
00404B09 . 55 PUSH EBP
00404B0A . 56 PUSH ESI
00404B0B . 8BF1 MOV ESI,ECX
00404B0D . 57 PUSH EDI
00404B0E . 68 48814600 PUSH FilePack.00468148 ; ASCII "GetUserName ()"
00404B13 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00404B17 . E8 2B460400 CALL FilePack.00449147 ; 这个CALL是判断当前流程是功能A还是功能B的。不同的功能对下面的[ESI+70A]有不同的标记。(功能A时为0000001),(功能B为00000000)
00404B1C . 8B86 A0070000 MOV EAX,DWORD PTR DS:[ESI+7A0] ; ///这个[ESI+7A0]其实是判断对软件自身注册(功能A)还是对软件用户(功能B)计算注册码的变量!
00404B22 . 33DB XOR EBX,EBX ; 这里EBX清零了!!!
00404B24 . 3BC3 CMP EAX,EBX ; 可看作(功能A或B)标志位的比较。
00404B26 . 895C24 34 MOV DWORD PTR SS:[ESP+34],EBX
00404B2A . 74 0E JE SHORT FilePack.00404B3A
00404B2C . 68 58814600 PUSH FilePack.00468158 ; ASCII "GoodMan"
00404B31 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00404B35 . E8 28470400 CALL FilePack.00449262
00404B3A > 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
00404B3E . 50 PUSH EAX
00404B3F . E8 BC280000 CALL FilePack.00407400
00404B44 . 83C4 04 ADD ESP,4
00404B47 . 50 PUSH EAX
00404B48 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00404B4C . C64424 38 01 MOV BYTE PTR SS:[ESP+38],1
00404B51 . E8 9B490400 CALL FilePack.004494F1
00404B56 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
00404B5A . 885C24 34 MOV BYTE PTR SS:[ESP+34],BL
00404B5E . E8 76450400 CALL FilePack.004490D9
00404B63 . 6A 01 PUSH 1
00404B65 . 8BCE MOV ECX,ESI
00404B67 . E8 31310400 CALL FilePack.00447C9D
00404B6C . 8B8E 9C070000 MOV ECX,DWORD PTR DS:[ESI+79C] ; 用户名gglhy
00404B72 . 8DBE 9C070000 LEA EDI,DWORD PTR DS:[ESI+79C]
00404B78 . 3959 F8 CMP DWORD PTR DS:[ECX-8],EBX ; 用户名长度与0比较,即是否输入了用户名
00404B7B . 75 0B JNZ SHORT FilePack.00404B88 ; 用户名如果为空,则读取机器码进行运算
00404B7D . 8B96 94070000 MOV EDX,DWORD PTR DS:[ESI+794] ; 机器码到EDX
00404B83 . 395A F8 CMP DWORD PTR DS:[EDX-8],EBX ; 机器码长度与0比较,即机器码否为空
00404B86 . 74 1B JE SHORT FilePack.00404BA3 ; 机器码为空则跳
00404B88 > 8B86 98070000 MOV EAX,DWORD PTR DS:[ESI+798] ; 假码15987530到EAX
00404B8E . 3958 F8 CMP DWORD PTR DS:[EAX-8],EBX ; 假码长度与0比较,即假码否为空
00404B91 . 0F85 9A000000 JNZ FilePack.00404C31
00404B97 . 399E A0070000 CMP DWORD PTR DS:[ESI+7A0],EBX ; ///[ESI+7A0]功能A或B判断的标志,功能B时则下面跳转成立
00404B9D . 0F84 8E000000 JE FilePack.00404C31
00404BA3 > 8B0D 30A84600 MOV ECX,DWORD PTR DS:[46A830] ; FilePack.0046A844
00404BA9 . 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
(省略部分代码)
00404BE5 . 6A 30 PUSH 30
00404BE7 . 53 PUSH EBX
00404BE8 . 50 PUSH EAX
00404BE9 . 8BCE MOV ECX,ESI
00404BEB . C64424 40 1C MOV BYTE PTR SS:[ESP+40],1C
00404BF0 . E8 4C290400 CALL FilePack.00447541 ; 请重新输入!
(省略部分代码)
00404C2C . E9 06040000 JMP FilePack.00405037
00404C31 > 8B8E A0070000 MOV ECX,DWORD PTR DS:[ESI+7A0] ; [ESI+7A0]《==关键点(软件功能A或B的变量)
00404C37 . F7D9 NEG ECX
00404C39 . 1BC9 SBB ECX,ECX
00404C3B . 83E1 EE AND ECX,FFFFFFEE
00404C3E . 81C1 D3000000 ADD ECX,0D3 ; 功能A时为 + 0D3H(211);功能B时为0+D3H。相当于常数了
00404C44 . 51 PUSH ECX
00404C45 . 51 PUSH ECX
00404C46 . 8BCC MOV ECX,ESP
00404C48 . 896424 28 MOV DWORD PTR SS:[ESP+28],ESP
00404C4C . 57 PUSH EDI
00404C4D . E8 FC410400 CALL FilePack.00448E4E
00404C52 . 51 PUSH ECX
00404C53 . 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+1C]
00404C57 . 8BCC MOV ECX,ESP
00404C59 . 896424 24 MOV DWORD PTR SS:[ESP+24],ESP
00404C5D . 52 PUSH EDX
00404C5E . C64424 44 02 MOV BYTE PTR SS:[ESP+44],2
00404C63 . E8 E6410400 CALL FilePack.00448E4E
00404C68 . 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
00404C6C . 885C24 40 MOV BYTE PTR SS:[ESP+40],BL
00404C70 . 50 PUSH EAX
00404C71 . E8 AA1B0000 CALL FilePack.00406820 ; 算法call,我们F7
00404C76 . 83C4 10 ADD ESP,10
00404C79 . 8DAE A8070000 LEA EBP,DWORD PTR DS:[ESI+7A8]
00404C7F . 50 PUSH EAX
00404C80 . 8BCD MOV ECX,EBP
00404C82 . C64424 38 03 MOV BYTE PTR SS:[ESP+38],3
00404C87 . E8 86450400 CALL FilePack.00449212
00404C8C . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
00404C90 . 885C24 34 MOV BYTE PTR SS:[ESP+34],BL
00404C94 . E8 40440400 CALL FilePack.004490D9
00404C99 . 399E A0070000 CMP DWORD PTR DS:[ESI+7A0],EBX ; [ESI+7A0]《==关键点(软件功能A或B的变量)
00404C9F . 0F84 FC000000 JE FilePack.00404DA1 ; 关键跳!
00404CA5 . 8B86 A4070000 MOV EAX,DWORD PTR DS:[ESI+7A4] ; F(机器码)=注册码方式得到的注册码
00404CAB . 8B8E 98070000 MOV ECX,DWORD PTR DS:[ESI+798] ; 假码15987530
00404CB1 . 50 PUSH EAX ; /Arg2
00404CB2 . 51 PUSH ECX ; |Arg1
00404CB3 . E8 5EDD0200 CALL FilePack.00432A16 ; \FilePack.00432A16
00404CB8 . 83C4 08 ADD ESP,8
00404CBB . 85C0 TEST EAX,EAX
00404CBD . 0F84 A9000000 JE FilePack.00404D6C ; F(机器码)=注册码方式的 关键跳!
00404CC3 . 8B6D 00 MOV EBP,DWORD PTR SS:[EBP] ; F(用户名)=注册码得到的 字符串N2
00404CC6 . 8B86 98070000 MOV EAX,DWORD PTR DS:[ESI+798] ; 假码15987530
00404CCC . 55 PUSH EBP ; /Arg2
00404CCD . 50 PUSH EAX ; |Arg1
00404CCE . E8 43DD0200 CALL FilePack.00432A16 ; \FilePack.00432A16
00404CD3 . 83C4 08 ADD ESP,8
00404CD6 . 85C0 TEST EAX,EAX
00404CD8 . 0F84 8E000000 JE FilePack.00404D6C ; F(用户名)=注册码方式的 关键跳!
(省略部分代码)
00404D22 . 53 PUSH EBX
00404D23 . 50 PUSH EAX
00404D24 . 8BCE MOV ECX,ESI
00404D26 . C64424 40 07 MOV BYTE PTR SS:[ESP+40],7
00404D2B . E8 11280400 CALL FilePack.00447541 ; 出错了!
00404D30 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
==========00404C71 . E8 AA1B0000 CALL FilePack.00406820 ; 算法call,我们F7进入: ==========
00406820 /$ 6A FF PUSH -1 ; 局部调用来自 0040319C, 004034E3, 00403D8A, 00404C71, 00404E0F, 00404E66, 00404F80, 00404FD9
00406822 |. 68 57244500 PUSH FilePack.00452457 ; SE 处理程序安装
00406827 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0040682D |. 50 PUSH EAX
0040682E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00406835 |. 83EC 14 SUB ESP,14
00406838 |. 53 PUSH EBX
00406839 |. 55 PUSH EBP
0040683A |. 56 PUSH ESI
0040683B |. 33F6 XOR ESI,ESI
0040683D |. 57 PUSH EDI
0040683E |. 897424 1C MOV DWORD PTR SS:[ESP+1C],ESI
00406842 |. BF 01000000 MOV EDI,1
00406847 |. 897C24 2C MOV DWORD PTR SS:[ESP+2C],EDI
0040684B |. 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C] ; 用户名gglhy到ECX
0040684F |. 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38] ; 右键跟随数值到数据窗口,(功能A)为“GoodMan未注册” ;功能B时是GetUserName ()未注册
00406853 |. 32DB XOR BL,BL
00406855 |. 8B51 F8 MOV EDX,DWORD PTR DS:[ECX-8] ; 用户名长度
00406858 |. 8B0D 30A84600 MOV ECX,DWORD PTR DS:[46A830] ; FilePack.0046A844
0040685E |. 8B68 F8 MOV EBP,DWORD PTR DS:[EAX-8] ; [EAX-8]其实是上面固定字符串的长度哦!大家数一下就明白了!
00406861 |. 895424 20 MOV DWORD PTR SS:[ESP+20],EDX ; 用户名长度
00406865 |. 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
00406869 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0040686D |. 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
00406871 |. 3BEE CMP EBP,ESI ; 固定字符串的长度与0比较
00406873 |. C64424 2C 05 MOV BYTE PTR SS:[ESP+2C],5 ; 5
00406878 |. 0F84 37010000 JE FilePack.004069B5 ; 固定字符串的长度与0比较,相等就跳
0040687E |. 3BD6 CMP EDX,ESI ; 用户名长度与0比较,相等就跳
00406880 |. 0F84 2F010000 JE FilePack.004069B5
00406886 |. 3BEE CMP EBP,ESI
00406888 |. 7E 64 JLE SHORT FilePack.004068EE
0040688A |. 8B7C24 40 MOV EDI,DWORD PTR SS:[ESP+40] ; [常数C1](功能B时是D3)
0040688E |. EB 08 JMP SHORT FilePack.00406898
00406890 |> 8B4424 38 /MOV EAX,DWORD PTR SS:[ESP+38]
00406894 |. 8B5424 20 |MOV EDX,DWORD PTR SS:[ESP+20]
00406898 |> 3BF2 CMP ESI,EDX ; 循环计数器ESI:用户名长度
0040689A |. 7D 20 |JGE SHORT FilePack.004068BC ; 循环计数器ESI超过用户名长度时则跳
0040689C |. 8B5424 3C |MOV EDX,DWORD PTR SS:[ESP+3C] ; 用户名gglhy
004068A0 |. 8A0406 |MOV AL,BYTE PTR DS:[ESI+EAX] ; 依次取“GoodMan未注册”每一位的ASC到AL
004068A3 |. 0FBE0C16 |MOVSX ECX,BYTE PTR DS:[ESI+EDX] ; 用户名gglhy的每一位到EDX
004068A7 |. 0FBED0 |MOVSX EDX,AL ; AL扩展到EDX
004068AA |. 03CA |ADD ECX,EDX ; ASC相加
004068AC |. 8D4424 14 |LEA EAX,DWORD PTR SS:[ESP+14]
004068B0 |. 0FAFCF |IMUL ECX,EDI ; 相加的结果 * [常数C1]或(D3)
004068B3 |. 51 |PUSH ECX
004068B4 |. 68 80814600 |PUSH FilePack.00468180 ; ASCII "%X"
004068B9 |. 50 |PUSH EAX
004068BA |. EB 12 |JMP SHORT FilePack.004068CE
004068BC |> 0FBE0C06 |MOVSX ECX,BYTE PTR DS:[ESI+EAX] ; 依次读取“GoodMan未注册”中超过用户名长度还未读取的ASC
004068C0 |. 0FAFCF |IMUL ECX,EDI ; 还未读取的ASC * [常数C1]
004068C3 |. 51 |PUSH ECX
004068C4 |. 8D5424 18 |LEA EDX,DWORD PTR SS:[ESP+18]
004068C8 |. 68 80814600 |PUSH FilePack.00468180 ; ASCII "%X"
004068CD |. 52 |PUSH EDX
004068CE |> E8 7ECD0300 |CALL FilePack.00443651 ; 这个CALL是将运算得到的数值转化为字符串形式
004068D3 |. 83C4 0C |ADD ESP,0C
004068D6 |. 8D4424 14 |LEA EAX,DWORD PTR SS:[ESP+14]
004068DA |. 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
004068DE |. 50 |PUSH EAX
004068DF |. E8 0D2C0400 |CALL FilePack.004494F1
004068E4 |. 46 |INC ESI
004068E5 |. 3BF5 |CMP ESI,EBP ; 循环计数器:“GoodMan未注册”的长度Dh(13位);功能B时是20位
004068E7 |.^ 7C A7 \JL SHORT FilePack.00406890 ; 循环计数器未达到13(或20)位则继续循环
004068E9 |. BF 01000000 MOV EDI,1 ; 循环结束得到字符串: "832EA156A51B99CC9546492152EEFFFFDA4EFFFFC6B4FFFFE117FFFFB922FFFFC532FFFFE8A1",设为S1
004068EE |> 68 68E84600 PUSH FilePack.0046E868 ; /Arg2 = 0046E868
004068F3 |. 68 7C814600 PUSH FilePack.0046817C ; |Arg1 = 0046817C ASCII "FF"
004068F8 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; |
004068FC |. E8 47C60300 CALL FilePack.00442F48 ; \这个CALL就是去掉S1中每2个相连为一组的"FF",结果设为Q
00406901 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] ; 字符串Q的长度
00406905 |. 8B41 F8 MOV EAX,DWORD PTR DS:[ECX-8] ; 还是字符串Q的长度
00406908 |. 83F8 0C CMP EAX,0C ; 与0C(12)比较?
0040690B |. 7E 7F JLE SHORT FilePack.0040698C
0040690D |. 48 DEC EAX ; -1
0040690E |. 83F8 0C CMP EAX,0C
00406911 |. 7E 0B JLE SHORT FilePack.0040691E
00406913 |> 8A1408 /MOV DL,BYTE PTR DS:[EAX+ECX] ; 依次倒取Q的各位ASC
00406916 |. 02DA |ADD BL,DL
00406918 |. 48 |DEC EAX ; EAX是取字符串Q的计数器
00406919 |. 83F8 0C |CMP EAX,0C ; 计数器与C(12)比较
0040691C |.^ 7F F5 \JG SHORT FilePack.00406913
0040691E |> 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40] ; [常数C1]
00406922 |. 6A 0C PUSH 0C
00406924 |. 51 PUSH ECX
00406925 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00406929 |. E8 03C90300 CALL FilePack.00443231 //////F7
0040692E |. 50 PUSH EAX
0040692F |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00406933 |. C64424 30 06 MOV BYTE PTR SS:[ESP+30],6
00406938 |. E8 D5280400 CALL FilePack.00449212
0040693D |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
00406941 |. C64424 2C 05 MOV BYTE PTR SS:[ESP+2C],5
00406946 |. E8 8E270400 CALL FilePack.004490D9
0040694B |. 33F6 XOR ESI,ESI
0040694D |> 8B5424 10 /MOV EDX,DWORD PTR SS:[ESP+10] ; Q的前12位
00406951 |. 8D4C24 14 |LEA ECX,DWORD PTR SS:[ESP+14]
00406955 |. 021C16 |ADD BL,BYTE PTR DS:[ESI+EDX] ; 累加结果到BL(BL初始为P),依次取Q前12位ASC
00406958 |. 0FBEC3 |MOVSX EAX,BL ; 结果到EAX
0040695B |. 50 |PUSH EAX
0040695C |. 68 80814600 |PUSH FilePack.00468180 ; ASCII "%X"
00406961 |. 51 |PUSH ECX
00406962 |. E8 EACC0300 |CALL FilePack.00443651 ; 数值转换成字符
00406967 |. 83C4 0C |ADD ESP,0C
0040696A |. 8D5424 14 |LEA EDX,DWORD PTR SS:[ESP+14]
0040696E |. 8D4C24 18 |LEA ECX,DWORD PTR SS:[ESP+18] ; 数值转换成的字符
00406972 |. 52 |PUSH EDX
00406973 |. E8 792B0400 |CALL FilePack.004494F1
00406978 |. 46 |INC ESI
00406979 |. 83FE 0C |CMP ESI,0C
0040697C |.^ 7C CF \JL SHORT FilePack.0040694D
0040697E |. 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18] ; 得到字符串N1
00406982 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00406986 |. 50 PUSH EAX
00406987 |. E8 86280400 CALL FilePack.00449212
0040698C |> 68 68E84600 PUSH FilePack.0046E868 ; /Arg2 = 0046E868
00406991 |. 68 7C814600 PUSH FilePack.0046817C ; |Arg1 = 0046817C ASCII "FF"
00406996 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; |
0040699A |. E8 A9C50300 CALL FilePack.00442F48 ; \同样是去掉N1中每2个一组的“FF”
0040699F |. 8B7424 34 MOV ESI,DWORD PTR SS:[ESP+34]
004069A3 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
(省略部分代码)
00406A19 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00406A20 |. 83C4 20 ADD ESP,20
00406A23 \. C3 RETN
==========004068FC |. E8 47C60300 CALL FilePack.00442F48; \这个CALL就是去掉S1中每2个相连为一组的"FF",结果设为Q ==========
00442F48 /$ 55 PUSH EBP
00442F49 |. 8BEC MOV EBP,ESP
00442F4B |. 83EC 1C SUB ESP,1C
00442F4E |. 53 PUSH EBX
00442F4F |. 56 PUSH ESI
00442F50 |. 57 PUSH EDI
00442F51 |. 33DB XOR EBX,EBX
00442F53 |. 395D 08 CMP DWORD PTR SS:[EBP+8],EBX
00442F56 |. 8BF9 MOV EDI,ECX
00442F58 |. 897D E8 MOV DWORD PTR SS:[EBP-18],EDI
00442F5B |. 74 12 JE SHORT FilePack.00442F6F
00442F5D |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /String = ”FF“
00442F60 |. 8B35 20734500 MOV ESI,DWORD PTR DS:[<&KERNEL32.lstrl>; |kernel32.lstrlenA
00442F66 |. FFD6 CALL ESI ; \lstrlenA
00442F68 |. 3BC3 CMP EAX,EBX ; “FF”的长度2与0比较
00442F6A |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; “FF”的长度2
00442F6D |. 75 07 JNZ SHORT FilePack.00442F76
00442F6F |> 33C0 XOR EAX,EAX
00442F71 |. E9 2E010000 JMP FilePack.004430A4
00442F76 |> 395D 0C CMP DWORD PTR SS:[EBP+C],EBX
00442F79 |. 75 05 JNZ SHORT FilePack.00442F80
00442F7B |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00442F7E |. EB 08 JMP SHORT FilePack.00442F88
00442F80 |> FF75 0C PUSH DWORD PTR SS:[EBP+C]
00442F83 |. FFD6 CALL ESI
00442F85 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00442F88 |> 8B37 MOV ESI,DWORD PTR DS:[EDI] ; 字符串S1
00442F8A |. 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
00442F8D |. 8B5E F8 MOV EBX,DWORD PTR DS:[ESI-8] ; 字符串S1的长度,本例为4C=76
00442F90 |. 03DE ADD EBX,ESI
00442F92 |. 3BF3 CMP ESI,EBX
00442F94 |. 0F83 07010000 JNB FilePack.004430A1
00442F9A |> FF75 08 /PUSH DWORD PTR SS:[EBP+8] ; “FF“
00442F9D |. 56 |PUSH ESI ; /字符串S1
00442F9E |. E8 5410FFFF |CALL FilePack.00433FF7 ; \FilePack.00433FF7
00442FA3 |. 59 |POP ECX
00442FA4 |. 85C0 |TEST EAX,EAX ;
00442FA6 |. 59 |POP ECX ; 字符串S1
00442FA7 |. 74 0B |JE SHORT FilePack.00442FB4
00442FA9 |. 8B4D F4 |MOV ECX,DWORD PTR SS:[EBP-C] ; “FF“的长度2
00442FAC |. FF45 F8 |INC DWORD PTR SS:[EBP-8]
00442FAF |. 8D3408 |LEA ESI,DWORD PTR DS:[EAX+ECX]
00442FB2 |.^ EB E6 |JMP SHORT FilePack.00442F9A
00442FB4 |> 56 |PUSH ESI ; /String
00442FB5 |. FF15 20734500 |CALL DWORD PTR DS:[<&KERNEL32.lstrlen>; \lstrlenA
00442FBB |. 8D7406 01 |LEA ESI,DWORD PTR DS:[ESI+EAX+1]
00442FBF |. 3BF3 |CMP ESI,EBX
00442FC1 |.^ 72 D7 \JB SHORT FilePack.00442F9A
00442FC3 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00442FC7 |. 0F8E D4000000 JLE FilePack.004430A1
00442FCD |. 8BCF MOV ECX,EDI
00442FCF |. E8 AE600000 CALL FilePack.00449082
00442FD4 |. 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4]
00442FD7 |. 8B1F MOV EBX,DWORD PTR DS:[EDI] ; 字符串S1
00442FD9 |. 2B75 F4 SUB ESI,DWORD PTR SS:[EBP-C]
00442FDC |. 8B43 F8 MOV EAX,DWORD PTR DS:[EBX-8] ; 字符串S1的长度
00442FDF |. 0FAF75 F8 IMUL ESI,DWORD PTR SS:[EBP-8]
00442FE3 |. 03F0 ADD ESI,EAX
00442FE5 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; 字符串S1的长度
00442FE8 |. 3973 FC CMP DWORD PTR DS:[EBX-4],ESI
00442FEB |. 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI
00442FEE |. 7C 06 JL SHORT FilePack.00442FF6
00442FF0 |. 837B F4 01 CMP DWORD PTR DS:[EBX-C],1
00442FF4 |. 7E 27 JLE SHORT FilePack.0044301D
00442FF6 |> 8D43 F4 LEA EAX,DWORD PTR DS:[EBX-C]
00442FF9 |. 56 PUSH ESI
00442FFA |. 8BCF MOV ECX,EDI
00442FFC |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00442FFF |. E8 425F0000 CALL FilePack.00448F46
00443004 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00443007 |. FF70 04 PUSH DWORD PTR DS:[EAX+4]
0044300A |. 53 PUSH EBX
0044300B |. FF37 PUSH DWORD PTR DS:[EDI]
0044300D |. E8 AE15FFFF CALL FilePack.004345C0
00443012 |. 83C4 0C ADD ESP,0C
00443015 |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
00443018 |. E8 24600000 CALL FilePack.00449041
0044301D |> 8B1F MOV EBX,DWORD PTR DS:[EDI] ; 字符串S1
0044301F |. 8B43 F8 MOV EAX,DWORD PTR DS:[EBX-8] ; 字符串S1的长度
00443022 |. 03C3 ADD EAX,EBX
00443024 |. 3BD8 CMP EBX,EAX
00443026 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00443029 |. 73 71 JNB SHORT FilePack.0044309C
0044302B |> FF75 08 /PUSH DWORD PTR SS:[EBP+8] ; “FF”
0044302E |. 53 |PUSH EBX ; 字符串S1
0044302F |. E8 C30FFFFF |CALL FilePack.00433FF7
00443034 |. 8BF8 |MOV EDI,EAX ;
00443036 |. 59 |POP ECX
00443037 |. 85FF |TEST EDI,EDI
00443039 |. 59 |POP ECX
0044303A |. 74 4D |JE SHORT FilePack.00443089
0044303C |> 8B45 E8 |/MOV EAX,DWORD PTR SS:[EBP-18]
0044303F |. 8B4D FC ||MOV ECX,DWORD PTR SS:[EBP-4]
00443042 |. 8B30 ||MOV ESI,DWORD PTR DS:[EAX] ; 字符串S1
00443044 |. 8B45 F4 ||MOV EAX,DWORD PTR SS:[EBP-C] ; “FF”的长度2
00443047 |. 2BF7 ||SUB ESI,EDI ;
00443049 |. 8D1C0F ||LEA EBX,DWORD PTR DS:[EDI+ECX] ;
0044304C |. 2BF0 ||SUB ESI,EAX
0044304E |. 03C7 ||ADD EAX,EDI
00443050 |. 0375 F0 ||ADD ESI,DWORD PTR SS:[EBP-10]
00443053 |. 56 ||PUSH ESI
00443054 |. 50 ||PUSH EAX ;
00443055 |. 53 ||PUSH EBX
00443056 |. E8 15FCFEFF ||CALL FilePack.00432C70
0044305B |. FF75 FC ||PUSH DWORD PTR SS:[EBP-4]
0044305E |. FF75 0C ||PUSH DWORD PTR SS:[EBP+C]
00443061 |. 57 ||PUSH EDI
00443062 |. E8 5915FFFF ||CALL FilePack.004345C0
00443067 |. 8B45 FC ||MOV EAX,DWORD PTR SS:[EBP-4] ; |
0044306A |. FF75 08 ||PUSH DWORD PTR SS:[EBP+8] ; |“FF”
0044306D |. 2B45 F4 ||SUB EAX,DWORD PTR SS:[EBP-C] ; |
00443070 |. 80241E 00 ||AND BYTE PTR DS:[ESI+EBX],0 ; |字符串S1的倒数第2位的ASC and 0
00443074 |. 53 ||PUSH EBX ; |Arg1
00443075 |. 0145 F0 ||ADD DWORD PTR SS:[EBP-10],EAX ; |
00443078 |. E8 7A0FFFFF ||CALL FilePack.00433FF7 ; \FilePack.00433FF7
0044307D |. 8BF8 ||MOV EDI,EAX
0044307F |. 83C4 20 ||ADD ESP,20
00443082 |. 85FF ||TEST EDI,EDI
00443084 |.^ 75 B6 |\JNZ SHORT FilePack.0044303C
00443086 |. 8B75 E4 |MOV ESI,DWORD PTR SS:[EBP-1C]
00443089 |> 53 |PUSH EBX ; /String
0044308A |. FF15 20734500 |CALL DWORD PTR DS:[<&KERNEL32.lstrlen>; \lstrlenA
00443090 |. 8D5C03 01 |LEA EBX,DWORD PTR DS:[EBX+EAX+1] ; 地址=00C495D5,
00443094 |. 3B5D EC |CMP EBX,DWORD PTR SS:[EBP-14]
00443097 |.^ 72 92 \JB SHORT FilePack.0044302B
00443099 |. 8B7D E8 MOV EDI,DWORD PTR SS:[EBP-18] ; 循环结束,得到字符串Q,其实这个循环就是去掉S1中每2个相连为一组的"FF"
0044309C |> 8B07 MOV EAX,DWORD PTR DS:[EDI] ; 字符串Q
0044309E |. 8970 F8 MOV DWORD PTR DS:[EAX-8],ESI ; 字符串Q的长度
004430A1 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004430A4 |> 5F POP EDI
004430A5 |. 5E POP ESI
004430A6 |. 5B POP EBX
004430A7 |. C9 LEAVE
004430A8 \. C2 0800 RETN 8
==========00406929 |. E8 03C90300 CALL FilePack.00443231 F7后:==========
00443231 /$ B8 5F5A4500 MOV EAX,FilePack.00455A5F
00443236 |. E8 AD12FFFF CALL FilePack.004344E8
0044323B |. 51 PUSH ECX
0044323C |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0044323F |. 8365 F0 00 AND DWORD PTR SS:[EBP-10],0
00443243 |. 85C0 TEST EAX,EAX
00443245 |. 7D 02 JGE SHORT FilePack.00443249
00443247 |. 33C0 XOR EAX,EAX
00443249 |> 8B11 MOV EDX,DWORD PTR DS:[ECX] ; 字符串Q
0044324B |. 3B42 F8 CMP EAX,DWORD PTR DS:[EDX-8] ; 字符串Q的长度
0044324E |. 7C 0E JL SHORT FilePack.0044325E
00443250 |. 51 PUSH ECX
00443251 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00443254 |. E8 F55B0000 CALL FilePack.00448E4E
00443259 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0044325C |. EB 3D JMP SHORT FilePack.0044329B
0044325E |> 8B15 30A84600 MOV EDX,DWORD PTR DS:[46A830] ; FilePack.0046A844
00443264 |. 56 PUSH ESI
00443265 |. 8955 0C MOV DWORD PTR SS:[EBP+C],EDX
00443268 |. 6A 01 PUSH 1
0044326A |. 5E POP ESI
0044326B |. 6A 00 PUSH 0 ; /Arg4 = 00000000
0044326D |. 6A 00 PUSH 0 ; |Arg3 = 00000000
0044326F |. 50 PUSH EAX ; |Arg2
00443270 |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C] ; |
00443273 |. 50 PUSH EAX ; |Arg1
00443274 |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI ; |
00443277 |. E8 875E0000 CALL FilePack.00449103 ; \FilePack.00449103
0044327C |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0044327F |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C] ; 字符串Q的前12位
00443282 |. 50 PUSH EAX
00443283 |. E8 C65B0000 CALL FilePack.00448E4E
00443288 |. 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
0044328C |. 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
0044328F |. 8975 F0 MOV DWORD PTR SS:[EBP-10],ESI
00443292 |. E8 425E0000 CALL FilePack.004490D9
00443297 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0044329A |. 5E POP ESI
0044329B |> 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0044329E |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004432A5 |. C9 LEAVE
004432A6 \. C2 0800 RETN 8
00449212 /$ 56 PUSH ESI
00449213 |. 57 PUSH EDI
00449214 |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
00449218 |. 8BF1 MOV ESI,ECX
0044921A |. 8B0E MOV ECX,DWORD PTR DS:[ESI]
0044921C |. 8B07 MOV EAX,DWORD PTR DS:[EDI] ; 同样是去掉N1中每2个一组的“FF”,得到字符串N2
0044921E |. 3BC8 CMP ECX,EAX
00449220 |. 74 39 JE SHORT FilePack.0044925B
00449222 |. 8379 F4 00 CMP DWORD PTR DS:[ECX-C],0
00449226 |. 7D 0B JGE SHORT FilePack.00449233
00449228 |. 83C1 F4 ADD ECX,-0C
0044922B |. 3B0D 34A84600 CMP ECX,DWORD PTR DS:[46A834] ; FilePack.0046A838
00449231 |. 75 06 JNZ SHORT FilePack.00449239
00449233 |> 8378 F4 00 CMP DWORD PTR DS:[EAX-C],0
00449237 |. 7D 0D JGE SHORT FilePack.00449246
00449239 |> 50 PUSH EAX
0044923A |. 8BCE MOV ECX,ESI
0044923C |. FF70 F8 PUSH DWORD PTR DS:[EAX-8]
0044923F |. E8 A1FFFFFF CALL FilePack.004491E5
00449244 |. EB 15 JMP SHORT FilePack.0044925B
00449246 |> 8BCE MOV ECX,ESI
00449248 |. E8 C3FDFFFF CALL FilePack.00449010
0044924D |. 8B07 MOV EAX,DWORD PTR DS:[EDI] ; 字符串N2
0044924F |. 8906 MOV DWORD PTR DS:[ESI],EAX
00449251 |. 83C0 F4 ADD EAX,-0C
00449254 |. 50 PUSH EAX ; /pVar
00449255 |. FF15 60724500 CALL DWORD PTR DS:[<&KERNEL32.Interloc>; \InterlockedIncrement
0044925B |> 8BC6 MOV EAX,ESI
0044925D |. 5F POP EDI
0044925E |. 5E POP ESI
0044925F \. C2 0400 RETN 4
*****************************************************************************************************
软件会判断当前流程是功能A或B,赋不同的值给局部变量[ESI + 7A0],该变量的值会间接参与算法运算。
算法总结:
一、软件本身的注册:
A.用户名不为空:
1.用户名各位的ASC依次与“GoodMan未注册”的ASC(到AL)相加,其和乘以常数C1。(用户名取完后则“GoodMan未注册”中还未参与运算的部分依次取ASC(到AL)乘以常数C1),直至循环到“GoodMan未注册”全部取完为止,并将得到的结果转换成字符串,设为S1。
2.去掉S1中每2位"F"为一组的"F"(即“FF”),得到字符串Q
3.取Q的12位以后的各位ASC,依次累加,得到的结果为P
4.P = P + 依次取Q的前12位各位ASC,每次相加的结果转化为字符串,得到字符串N1
5.去掉N1中每2位"F"为一组的"F"(即“FF”),得到字符串即为注册码。
注册成功后,会在OD中看到“GoodMan未注册”变成了“GoodMangglhy”了!软件也显示注册给gglhy
B.用户名为空时:
算法流程同上,只不过用机器码取代用户名来运算而已。其中有些许不同,比如常数为4A等。大家有兴趣的话可以跟一下。
(比如:00403D8A |. E8 912A0000 call 00406820 ; ///用户名为空时,用机器码运算的CALL)
(在00406820处下好断点,OD重新载入就可以看见了。)
二、软件对用户计算注册码:(略,大家有兴趣可以自己去跟下....呵呵)
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
二、试看软件机器码的产生过程
既来之,则安之。我们顺便看看软件功能A中的机器码是如何得出来的。
我们直接来到:
0040FE40 . 6A FF push -1
0040FE42 . 68 E4404500 push 004540E4 ; SE 处理程序安装
0040FE47 . 64:A1 0000000>mov eax, fs:[0]
0040FE4D . 50 push eax
0040FE4E . 64:8925 00000>mov fs:[0], esp
0040FE55 . 81EC BC080000 sub esp, 8BC
0040FE5B . 51 push ecx ; /Arg2
0040FE5C . 6A 01 push 1 ; |Arg1 = 00000001
0040FE5E . 8D8C24 180100>lea ecx, [esp+118] ; |
0040FE65 . E8 763CFFFF call 00403AE0 ; \PPTPacke.00403AE0 ///从这里去看
0040FE6A . 8D4C24 00 lea ecx, [esp]
0040FE6E . C78424 C40800>mov dword ptr [esp+8C4], 0
====================== 0040FE65处 call 00403AE0 我们F7后:===========================================
00403AE0 /$ 6A FF push -1
00403AE2 |. 68 5D1E4500 push 00451E5D ; SE 处理程序安装
00403AE7 |. 64:A1 0000000>mov eax, fs:[0]
(省略部分代码)
00403CAA |. 8996 A8070000 mov [esi+7A8], edx
00403CB0 |. 68 48814600 push 00468148 ; ASCII "GetUserName ()"
00403CB5 |. 8D4C24 34 lea ecx, [esp+34]
00403CB9 |. C64424 28 14 mov byte ptr [esp+28], 1>
00403CBE |. C706 987B4500 mov dword ptr [esi], 004>
00403CC4 |. E8 7E540400 call 00449147
00403CC9 |. 68 68E84600 push 0046E868
00403CCE |. 8BCF mov ecx, edi
00403CD0 |. C64424 28 15 mov byte ptr [esp+28], 1>
00403CD5 |. E8 88550400 call 00449262
00403CDA |. 68 68E84600 push 0046E868
00403CDF |. 8BCD mov ecx, ebp
00403CE1 |. E8 7C550400 call 00449262
00403CE6 |. 68 68E84600 push 0046E868
00403CEB |. 8BCB mov ecx, ebx
00403CED |. E8 70550400 call 00449262
00403CF2 |. 8B4424 2C mov eax, [esp+2C]
00403CF6 |. 85C0 test eax, eax
00403CF8 |. 8986 A0070000 mov [esi+7A0], eax ; 又是这个[ESI+7A0]
00403CFE |. 74 0E je short 00403D0E
00403D00 |. 68 58814600 push 00468158 ; ASCII "GoodMan"
00403D05 |. 8D4C24 34 lea ecx, [esp+34]
00403D09 |. E8 54550400 call 00449262
00403D0E |> E8 AD2A0000 call 004067C0 ; 软件产生机器码的CALL ,我们F7
00403D13 |. 50 push eax ; 得到机器码的数值形式,下面要转换为字符串形式
00403D14 |. 68 44814600 push 00468144 ; ASCII "%x"
00403D19 |. 57 push edi
00403D1A |. E8 32F90300 call 00443651
============00403D0E |> E8 AD2A0000 call 004067C0 ;软件产生机器码的CALL ,我们F7进入,来到:===========
004067C0 $ 55 push ebp
004067C1 . 8BEC mov ebp, esp
004067C3 . 6A FF push -1
004067C5 . 68 107D4500 push 00457D10
004067CA . 68 8C2B4300 push 00432B8C ; SE 处理程序安装
004067CF . 64:A1 0000000>mov eax, fs:[0]
004067D5 . 50 push eax
004067D6 . 64:8925 00000>mov fs:[0], esp
004067DD . 83EC 0C sub esp, 0C
004067E0 . 53 push ebx
004067E1 . 56 push esi
004067E2 . 57 push edi
004067E3 . 8965 E8 mov [ebp-18], esp
004067E6 . C745 FC 00000>mov dword ptr [ebp-4], 0
004067ED . E8 6EFFFFFF call 00406760 ; 很重要的CALL,接着F7
004067F2 . 8945 E4 mov [ebp-1C], eax ; EAX寄存器的数值就是机器码了,还要将其转化为字符串
004067F5 . EB 0B jmp short 00406802
(省略部分代码)
00406819 . C3 retn
==============004067ED . E8 6EFFFFFF call 00406760 ;很重要的CALL,接着F7进入:===================
00406760 $ 55 push ebp
(省略部分代码)
0040677E . C745 FC 00000>mov dword ptr [ebp-4], 0
00406785 . 8965 F0 mov [ebp-10], esp
00406788 . E8 23B60000 call 00411DB0 ; 是个关键CALL--1,还是F7
0040678D . EB 10 jmp short 0040679F
0040678F . C745 EC 00000>mov dword ptr [ebp-14], >
00406796 . B8 9C674000 mov eax, 0040679C
0040679B . C3 retn
0040679C . 8B45 EC mov eax, [ebp-14]
0040679F > 8B4D F4 mov ecx, [ebp-C]
004067A2 . 5F pop edi
004067A3 . 5E pop esi
004067A4 . 05 C7F8AE54 add eax, 54AEF8C7 ; EAX的值 + 常数54AEF8C7 = 注册码的数值形式
004067A9 . 64:890D 00000>mov fs:[0], ecx
004067B0 . 5B pop ebx
004067B1 . 8BE5 mov esp, ebp
004067B3 . 5D pop ebp
004067B4 . C3 retn
==============00406788 . E8 23B60000 call 00411DB0 ;是个关键CALL--1,还是F7,进入去看看:=============
00411DB0 /$ 53 push ebx
(省略部分代码)
00411DCC |. BF F8F04600 mov edi, 0046F0F8 ; 本机硬盘序列号到EDI
00411DD1 |. C1E9 02 shr ecx, 2
(省略部分代码)
00411DFC |> BE F8F04600 mov esi, 0046F0F8 ; 本机硬盘序列号
00411E01 |. 6A 04 push 4
00411E03 |. 68 94874600 push 00468794 ;
00411E08 |. 56 push esi ; 本机硬盘序列号
00411E09 |. E8 02200200 call 00433E10
00411E0E |. 83C4 0C add esp, 0C
00411E11 |. 85C0 test eax, eax
00411E13 |. 75 05 jnz short 00411E1A
00411E15 |. BE FDF04600 mov esi, 0046F0FD ;
00411E1A |> 85F6 test esi, esi
00411E1C |. 0F84 29010000 je 00411F4B
00411E22 |> 8A06 /mov al, [esi] ; 依次取本机硬盘序列号ASC到AL
00411E24 |. 84C0 |test al, al
00411E26 |. 0F84 FF000000 |je 00411F2B ; 本机硬盘序列号是否取完?
00411E2C |. 3C 2D |cmp al, 2D ; 是“-”吗?
00411E2E |. 0F84 F0000000 |je 00411F24
00411E34 |. 6A 00 |push 0
00411E36 |. 6A 0A |push 0A ; 呵呵,常量0A
00411E38 |. 53 |push ebx
00411E39 |. 55 |push ebp
00411E3A |. E8 D1200200 |call 00433F10 ; 这里的EAX关系到下面EBP的值。关键CALL--2
00411E3F |. 8BE8 |mov ebp, eax ; 上面CALL运算后的值到EBP,再进行下面的运算
00411E41 |. 8BDA |mov ebx, edx
00411E43 |. 0FBE06 |movsx eax, byte ptr [esi] ; 当前所取的本机硬盘序列号ASC
00411E46 |. 83C0 D0 |add eax, -30 ; 当前所取的本机硬盘序列号ASC - 39; Switch (cases 31..7A)
00411E49 |. 83F8 4A |cmp eax, 4A ; 差与4A比较。
00411E4C |. 0F87 D2000000 |ja 00411F24 ; 比较的结果不同就跳向不同的表
00411E52 |. FF2485 641F41>|jmp [eax*4+411F64] ; 跳向不同的表;注意ebp + 不同的值
00411E59 |> 83C5 01 |add ebp, 1 ; Case 31 ('1') of switch 00411E46
00411E5C |. E9 C0000000 |jmp 00411F21
00411E61 |> 83C5 02 |add ebp, 2 ; Case 32 ('2') of switch 00411E46
00411E64 |. E9 B8000000 |jmp 00411F21
00411E69 |> 83C5 03 |add ebp, 3 ; Case 33 ('3') of switch 00411E46
00411E6C |. E9 B0000000 |jmp 00411F21
00411E71 |> 83C5 04 |add ebp, 4 ; Case 34 ('4') of switch 00411E46
00411E74 |. E9 A8000000 |jmp 00411F21
00411E79 |> 83C5 05 |add ebp, 5 ; Case 35 ('5') of switch 00411E46
00411E7C |. E9 A0000000 |jmp 00411F21
00411E81 |> 83C5 06 |add ebp, 6 ; Case 36 ('6') of switch 00411E46
00411E84 |. E9 98000000 |jmp 00411F21
00411E89 |> 83C5 07 |add ebp, 7 ; Case 37 ('7') of switch 00411E46
00411E8C |. E9 90000000 |jmp 00411F21
00411E91 |> 83C5 08 |add ebp, 8 ; Case 38 ('8') of switch 00411E46
00411E94 |. E9 88000000 |jmp 00411F21
00411E99 |> 83C5 09 |add ebp, 9 ; Case 39 ('9') of switch 00411E46
00411E9C |. E9 80000000 |jmp 00411F21
00411EA1 |> 83C5 0A |add ebp, 0A ; Cases 41 ('A'),61 ('a') of switch 00411E46
00411EA4 |. EB 7B |jmp short 00411F21
00411EA6 |> 83C5 0B |add ebp, 0B ; Cases 42 ('B'),62 ('b') of switch 00411E46
00411EA9 |. EB 76 |jmp short 00411F21
00411EAB |> 83C5 0C |add ebp, 0C ; Cases 43 ('C'),63 ('c') of switch 00411E46
00411EAE |. EB 71 |jmp short 00411F21
00411EB0 |> 83C5 0D |add ebp, 0D ; Cases 44 ('D'),64 ('d') of switch 00411E46
00411EB3 |. EB 6C |jmp short 00411F21
00411EB5 |> 83C5 0E |add ebp, 0E ; Cases 45 ('E'),65 ('e') of switch 00411E46
00411EB8 |. EB 67 |jmp short 00411F21
00411EBA |> 83C5 0F |add ebp, 0F ; Cases 46 ('F'),66 ('f') of switch 00411E46
00411EBD |. EB 62 |jmp short 00411F21
00411EBF |> 83C5 10 |add ebp, 10 ; Cases 47 ('G'),67 ('g') of switch 00411E46
00411EC2 |. EB 5D |jmp short 00411F21
00411EC4 |> 83C5 11 |add ebp, 11 ; Cases 48 ('H'),68 ('h') of switch 00411E46
00411EC7 |. EB 58 |jmp short 00411F21
00411EC9 |> 83C5 12 |add ebp, 12 ; Cases 49 ('I'),69 ('i') of switch 00411E46
00411ECC |. EB 53 |jmp short 00411F21
00411ECE |> 83C5 13 |add ebp, 13 ; Cases 4A ('J'),6A ('j') of switch 00411E46
00411ED1 |. EB 4E |jmp short 00411F21
00411ED3 |> 83C5 14 |add ebp, 14 ; Cases 4B ('K'),6B ('k') of switch 00411E46
00411ED6 |. EB 49 |jmp short 00411F21
00411ED8 |> 83C5 15 |add ebp, 15 ; Cases 4C ('L'),6C ('l') of switch 00411E46
00411EDB |. EB 44 |jmp short 00411F21
00411EDD |> 83C5 16 |add ebp, 16 ; Cases 4D ('M'),6D ('m') of switch 00411E46
00411EE0 |. EB 3F |jmp short 00411F21
00411EE2 |> 83C5 17 |add ebp, 17 ; Cases 4E ('N'),6E ('n') of switch 00411E46
00411EE5 |. EB 3A |jmp short 00411F21
00411EE7 |> 83C5 18 |add ebp, 18 ; Cases 4F ('O'),6F ('o') of switch 00411E46
00411EEA |. EB 35 |jmp short 00411F21
00411EEC |> 83C5 19 |add ebp, 19 ; Cases 50 ('P'),70 ('p') of switch 00411E46
00411EEF |. EB 30 |jmp short 00411F21
00411EF1 |> 83C5 1A |add ebp, 1A ; Cases 51 ('Q'),71 ('q') of switch 00411E46
00411EF4 |. EB 2B |jmp short 00411F21
00411EF6 |> 83C5 1B |add ebp, 1B ; Cases 52 ('R'),72 ('r') of switch 00411E46
00411EF9 |. EB 26 |jmp short 00411F21
00411EFB |> 83C5 1C |add ebp, 1C ; Cases 53 ('S'),73 ('s') of switch 00411E46
00411EFE |. EB 21 |jmp short 00411F21
00411F00 |> 83C5 1D |add ebp, 1D ; Cases 54 ('T'),74 ('t') of switch 00411E46
00411F03 |. EB 1C |jmp short 00411F21
00411F05 |> 83C5 1E |add ebp, 1E ; Cases 55 ('U'),75 ('u') of switch 00411E46
00411F08 |. EB 17 |jmp short 00411F21
00411F0A |> 83C5 1F |add ebp, 1F ; Cases 56 ('V'),76 ('v') of switch 00411E46
00411F0D |. EB 12 |jmp short 00411F21
00411F0F |> 83C5 20 |add ebp, 20 ; Cases 57 ('W'),77 ('w') of switch 00411E46
00411F12 |. EB 0D |jmp short 00411F21
00411F14 |> 83C5 21 |add ebp, 21 ; Cases 58 ('X'),78 ('x') of switch 00411E46
00411F17 |. EB 08 |jmp short 00411F21
00411F19 |> 83C5 22 |add ebp, 22 ; Cases 59 ('Y'),79 ('y') of switch 00411E46
00411F1C |. EB 03 |jmp short 00411F21
00411F1E |> 83C5 23 |add ebp, 23 ; Cases 5A ('Z'),7A ('z') of switch 00411E46
00411F21 |> 83D3 00 |adc ebx, 0
00411F24 |> 46 |inc esi ; Default case of switch 00411E46
00411F25 |.^ 0F85 F7FEFFFF \jnz 00411E22
00411F2B |> 85DB test ebx, ebx ; 循环结束后,EBP的值就是硬盘序列号运算后的结果。设为W
00411F2D |. 7C 1C jl short 00411F4B
00411F2F |. 7F 08 jg short 00411F39
00411F31 |. 81FD FFFFFF0F cmp ebp, 0FFFFFFF ; EBP的值W与0FFFFFFF比较
00411F37 |. 76 12 jbe short 00411F4B
00411F39 |> 6A 00 push 0
00411F3B |. 68 00000010 push 10000000
00411F40 |. 53 push ebx
00411F41 |. 55 push ebp
00411F42 |. E8 091F0200 call 00433E50 ; 仍然F7,关键CALL--3
00411F47 |. 8BE8 mov ebp, eax
00411F49 |. 8BDA mov ebx, edx
00411F4B |> 53 push ebx
00411F4C |. 55 push ebp
00411F4D |. 68 68874600 push 00468768 ; ASCII 0A,"Computer I"
00411F52 |. E8 6B1E0200 call 00433DC2
00411F57 |. 83C4 0C add esp, 0C
00411F5A |. 8BC5 mov eax, ebp
00411F5C |. 5F pop edi
00411F5D |. 5E pop esi
00411F5E |. 5D pop ebp
00411F5F |. 5B pop ebx
00411F60 \. C3 retn
==========这里,关键call--2:其实是将当前查表运算得到的结果(ebp初始为0)再 * 0A,这个积再作为下一轮循环时的EBP值:==========
00433F10 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00433F14 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00433F18 |. 0BC8 OR ECX,EAX
00433F1A |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] ; [ESP+C]=0A
00433F1E |. 75 09 JNZ SHORT FilePack.00433F29
00433F20 |. 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ;上一次循环运算中EBP的值
00433F24 |. F7E1 MUL ECX ;(上一次循环运算中EBP的值)*0A,结果保存在EAX
00433F26 |. C2 1000 RETN 10
00433F29 |> 53 PUSH EBX
00433F2A |. F7E1 MUL ECX
00433F2C |. 8BD8 MOV EBX,EAX
00433F2E |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00433F32 |. F76424 14 MUL DWORD PTR SS:[ESP+14]
00433F36 |. 03D8 ADD EBX,EAX
00433F38 |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00433F3C |. F7E1 MUL ECX
00433F3E |. 03D3 ADD EDX,EBX
00433F40 |. 5B POP EBX
00433F41 \. C2 1000 RETN 10
==========00411F42 |. E8 091F0200 call 00433E50 ; 仍然F7,关键CALL--3,我们进入:============
00433E50 /$ 53 PUSH EBX
00433E51 |. 57 PUSH EDI
00433E52 |. 33FF XOR EDI,EDI
(省略部分代码)
00433E9B |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C] ; 硬盘序列号运算后的结果W
00433E9F |. F7F1 DIV ECX ; ECX=10000000 (应该也是常量,时间紧没仔细看!但2台电脑上数值一样)
00433EA1 |. 8BC2 MOV EAX,EDX ; 余数到EAX
00433EA3 |. 33D2 XOR EDX,EDX
00433EA5 |. 4F DEC EDI
00433EA6 |. 79 4E JNS SHORT FilePack.00433EF6
00433EA8 |. EB 53 JMP SHORT FilePack.00433EFD
(省略部分代码)
00433EFD |> 5F POP EDI
00433EFE |. 5B POP EBX
00433EFF \. C2 1000 RETN 10
OK,现在清楚了:
1.取硬盘序列号各位ASC来跳向不同的表,得到不同的EBP值(初始为0)乘以0A,其结果作为下一位ASC运算时的EBP值,直至硬盘序列号取完。
2.然后用最终的EBP值/10000000H、
3.余数再加常数54AEF8C7(16进制),再将和转化为字符串形式就是机器码了!
呵呵!文章又臭又长,希望不会让大家失望!文中如有错误,敬请指正!!!
谢谢观看! |
评分
-
| 参与人数 1 | 威望 +40 |
飘云币 +40 |
收起
理由
|
 月之精灵
| + 40 |
+ 40 |
天啊,0+点还在研究,小心身体哈,哈哈 |
查看全部评分
|
[复制链接]
IP卡
发表于 2011-1-19 00:35:04
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2011-1-19 09:41:34
发表于 2011-1-19 14:54:16
楼主
发表于 2011-1-20 16:44:34