好像代码的格式很难看,稍后我会进行调整
[原创]Ultra Video Joiner注册分析 附 注册机(上)
【文章标题】Ultra Video Joiner注册分析 附 注册机(下) 【联系作者】zhong_sf@sina.com 【软件名称】Ultra Video Joiner 【附件下载】http://www.onlinedown.net/soft/55635.htm 我们接着上一篇..... 上一篇,我们分析到编号为2D70的大数乘法运算. 1.1.3.接下来就是 编号为: 2F80 的函数了,这个函数的功能未知,只是在不断的运算: 00352F7F 90 nop ; Param1 = _2F80 ( Param2 ,Param3) 00352F80 /$ 6A FF push -0x1 ; { 00352F82 |. 68 BFAD3500 push AppSys.0035ADBF ; SE 处理程序安装 00352F87 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 00352F8D |. 50 push eax 00352F8E |. 64:8925 00000000 mov dword ptr fs:[0],esp 00352F95 |. 83EC 64 sub esp,0x64 00352F98 |. 53 push ebx 00352F99 |. 55 push ebp 00352F9A |. 56 push esi 00352F9B |. 6A 01 push 0x1 00352F9D |. 8D4C24 44 lea ecx,dword ptr ss:[esp+0x44] 00352FA1 |. C74424 10 0000000>mov dword ptr ss:[esp+0x10],0x0 00352FA9 |. E8 72FAFFFF call AppSys.00352A20 00352FAE |. 6A 00 push 0x0 00352FB0 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 00352FB4 |. C74424 7C 0100000>mov dword ptr ss:[esp+0x7C],0x1 00352FBC |. E8 5FFAFFFF call AppSys.00352A20 00352FC1 |. 8BAC24 88000000 mov ebp,dword ptr ss:[esp+0x88] 00352FC8 |. 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38] 00352FCC |. 55 push ebp 00352FCD |. E8 8EFAFFFF call AppSys.00352A60 ; lgInt38L = Param3 00352FD2 |. 8B8424 84000000 mov eax,dword ptr ss:[esp+0x84] 00352FD9 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] 00352FDD |. 50 push eax 00352FDE |. E8 7DFAFFFF call AppSys.00352A60 ; lgInt10L = Param2 00352FE3 |. 6A 00 push 0x0 00352FE5 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34] 00352FE9 |. C64424 7C 04 mov byte ptr ss:[esp+0x7C],0x4 00352FEE |. E8 2DFAFFFF call AppSys.00352A20 00352FF3 |. 6A 00 push 0x0 00352FF5 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C] 00352FF9 |. C64424 7C 05 mov byte ptr ss:[esp+0x7C],0x5 00352FFE |. E8 1DFAFFFF call AppSys.00352A20 00353003 |. B3 06 mov bl,0x6 00353005 |. 6A 00 push 0x0 00353007 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24] 0035300B |. 885C24 7C mov byte ptr ss:[esp+0x7C],bl 0035300F |. E8 0CFAFFFF call AppSys.00352A20 00353014 |. 
8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 00353018 |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10] 0035301C |. 51 push ecx 0035301D |. 52 push edx 0035301E |. C68424 80000000 0>mov byte ptr ss:[esp+0x80],0x7 00353026 |. E8 65F8FFFF call AppSys.00352890 ; lgInt10L == 0 ? 0035302B |. 83C4 08 add esp,0x8 0035302E |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 00353032 |. 8BF0 mov esi,eax 00353034 |. 885C24 78 mov byte ptr ss:[esp+0x78],bl 00353038 |. E8 93FAFFFF call AppSys.00352AD0 0035303D |. 85F6 test esi,esi 0035303F |. 0F84 59010000 je AppSys.0035319E ; While ( lgInt10L != 0 ) 00353045 |> 8D4424 10 /lea eax,dword ptr ss:[esp+0x10] ; { 00353049 |. 8D4C24 38 |lea ecx,dword ptr ss:[esp+0x38] 0035304D |. 50 |push eax 0035304E |. 8D5424 4C |lea edx,dword ptr ss:[esp+0x4C] 00353052 |. 51 |push ecx 00353053 |. 52 |push edx 00353054 |. E8 B7FDFFFF |call AppSys.00352E10 ; lgInt48L = _Func2E10 ( lgInt38L , lgInt10L ) 00353059 |. 83C4 0C |add esp,0xC 0035305C |. 50 |push eax 0035305D |. 8D4C24 34 |lea ecx,dword ptr ss:[esp+0x34] 00353061 |. C64424 7C 08 |mov byte ptr ss:[esp+0x7C],0x8 00353066 |. E8 15FAFFFF |call AppSys.00352A80 ; lgInt30L = lgInt48L 0035306B |. 8D4C24 48 |lea ecx,dword ptr ss:[esp+0x48] 0035306F |. 885C24 78 |mov byte ptr ss:[esp+0x78],bl 00353073 |. E8 58FAFFFF |call AppSys.00352AD0 00353078 |. 8D4424 10 |lea eax,dword ptr ss:[esp+0x10] 0035307C |. 8D4C24 30 |lea ecx,dword ptr ss:[esp+0x30] 00353080 |. 50 |push eax 00353081 |. 8D5424 5C |lea edx,dword ptr ss:[esp+0x5C] 00353085 |. 51 |push ecx 00353086 |. 52 |push edx 00353087 |. E8 E4FCFFFF |call AppSys.00352D70 ; lgInt58L = lgInt30L X lgInt10L 0035308C |. 50 |push eax 0035308D |. 8D4424 48 |lea eax,dword ptr ss:[esp+0x48] 00353091 |. 8D4C24 60 |lea ecx,dword ptr ss:[esp+0x60] 00353095 |. 50 |push eax 00353096 |. 51 |push ecx 00353097 |. C68424 90000000 0>|mov byte ptr ss:[esp+0x90],0x9 0035309F |. E8 4CFCFFFF |call AppSys.00352CF0 ; lgInt50L = lgInt38L - lgInt58L 003530A4 |. 
83C4 18 |add esp,0x18 003530A7 |. 50 |push eax 003530A8 |. 8D4C24 2C |lea ecx,dword ptr ss:[esp+0x2C] 003530AC |. C64424 7C 0A |mov byte ptr ss:[esp+0x7C],0xA 003530B1 |. E8 CAF9FFFF |call AppSys.00352A80 ; lgInt28L = lgInt50L 003530B6 |. 8D4C24 50 |lea ecx,dword ptr ss:[esp+0x50] 003530BA |. C64424 78 09 |mov byte ptr ss:[esp+0x78],0x9 003530BF |. E8 0CFAFFFF |call AppSys.00352AD0 003530C4 |. 8D4C24 58 |lea ecx,dword ptr ss:[esp+0x58] 003530C8 |. 885C24 78 |mov byte ptr ss:[esp+0x78],bl 003530CC |. E8 FFF9FFFF |call AppSys.00352AD0 003530D1 |. 8D5424 10 |lea edx,dword ptr ss:[esp+0x10] 003530D5 |. 8D4C24 38 |lea ecx,dword ptr ss:[esp+0x38] 003530D9 |. 52 |push edx 003530DA |. E8 A1F9FFFF |call AppSys.00352A80 ; lgInt38L = lgInt10L 003530DF |. 8D4424 28 |lea eax,dword ptr ss:[esp+0x28] 003530E3 |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10] 003530E7 |. 50 |push eax 003530E8 |. E8 93F9FFFF |call AppSys.00352A80 ; lgInt10L = lgInt28L 003530ED |. 8D4C24 40 |lea ecx,dword ptr ss:[esp+0x40] 003530F1 |. 51 |push ecx 003530F2 |. 8D4C24 2C |lea ecx,dword ptr ss:[esp+0x2C] 003530F6 |. E8 85F9FFFF |call AppSys.00352A80 ; lgInt28L = lgInt40L 003530FB |. 8D5424 30 |lea edx,dword ptr ss:[esp+0x30] 003530FF |. 8D4424 40 |lea eax,dword ptr ss:[esp+0x40] 00353103 |. 52 |push edx 00353104 |. 8D4C24 6C |lea ecx,dword ptr ss:[esp+0x6C] 00353108 |. 50 |push eax 00353109 |. 51 |push ecx 0035310A |. E8 61FCFFFF |call AppSys.00352D70 ; lgInt68L = lgInt40L X lgInt30L 0035310F |. 50 |push eax 00353110 |. 8D5424 28 |lea edx,dword ptr ss:[esp+0x28] 00353114 |. 8D4424 70 |lea eax,dword ptr ss:[esp+0x70] 00353118 |. 52 |push edx 00353119 |. 50 |push eax 0035311A |. C68424 90000000 0>|mov byte ptr ss:[esp+0x90],0xB 00353122 |. E8 C9FBFFFF |call AppSys.00352CF0 ; lgInt60L = lgInt18L - lgInt68L 00353127 |. 83C4 18 |add esp,0x18 0035312A |. 50 |push eax 0035312B |. 8D4C24 44 |lea ecx,dword ptr ss:[esp+0x44] 0035312F |. C64424 7C 0C |mov byte ptr ss:[esp+0x7C],0xC 00353134 |. 
E8 47F9FFFF |call AppSys.00352A80 ; lgInt40L = lgInt60L 00353139 |. 8D4C24 60 |lea ecx,dword ptr ss:[esp+0x60] 0035313D |. C64424 78 0B |mov byte ptr ss:[esp+0x78],0xB 00353142 |. E8 89F9FFFF |call AppSys.00352AD0 00353147 |. 885C24 78 |mov byte ptr ss:[esp+0x78],bl 0035314B |. 8D4C24 68 |lea ecx,dword ptr ss:[esp+0x68] 0035314F |. E8 7CF9FFFF |call AppSys.00352AD0 00353154 |. 8D4C24 28 |lea ecx,dword ptr ss:[esp+0x28] 00353158 |. 51 |push ecx 00353159 |. 8D4C24 1C |lea ecx,dword ptr ss:[esp+0x1C] 0035315D |. E8 1EF9FFFF |call AppSys.00352A80 ; lgInt18L = lgInt28L 00353162 |. 6A 00 |push 0x0 00353164 |. 8D4C24 24 |lea ecx,dword ptr ss:[esp+0x24] 00353168 |. E8 B3F8FFFF |call AppSys.00352A20 0035316D |. 8D5424 20 |lea edx,dword ptr ss:[esp+0x20] 00353171 |. 8D4424 10 |lea eax,dword ptr ss:[esp+0x10] 00353175 |. 52 |push edx 00353176 |. 50 |push eax 00353177 |. C68424 80000000 0>|mov byte ptr ss:[esp+0x80],0x7 0035317F |. E8 0CF7FFFF |call AppSys.00352890 00353184 |. 83C4 08 |add esp,0x8 00353187 |. 8D4C24 20 |lea ecx,dword ptr ss:[esp+0x20] 0035318B |. 8BF0 |mov esi,eax 0035318D |. 885C24 78 |mov byte ptr ss:[esp+0x78],bl 00353191 |. E8 3AF9FFFF |call AppSys.00352AD0 00353196 |. 85F6 |test esi,esi 00353198 |.^ 0F85 A7FEFFFF \jnz AppSys.00353045 ; } //end of while 0035319E |> 6A 00 push 0x0 003531A0 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24] 003531A4 |. E8 77F8FFFF call AppSys.00352A20 003531A9 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 003531AD |. 8D5424 18 lea edx,dword ptr ss:[esp+0x18] 003531B1 |. 51 push ecx 003531B2 |. 52 push edx 003531B3 |. C68424 80000000 0>mov byte ptr ss:[esp+0x80],0xD 003531BB |. E8 10F7FFFF call AppSys.003528D0 ; operator < 003531C0 |. 83C4 08 add esp,0x8 003531C3 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 003531C7 |. 8BF0 mov esi,eax 003531C9 |. 885C24 78 mov byte ptr ss:[esp+0x78],bl 003531CD |. E8 FEF8FFFF call AppSys.00352AD0 003531D2 |. 85F6 test esi,esi 003531D4 |. 74 0A je XAppSys.003531E0 ; if (lgInt18L < 0) 003531D6 |. 
55 push ebp ; { 003531D7 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 003531DB |. E8 20F9FFFF call AppSys.00352B00 ; lgInt18L += Param3 003531E0 |> 8BB424 80000000 mov esi,dword ptr ss:[esp+0x80] ; } 003531E7 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] 003531EB |. 50 push eax 003531EC |. 8BCE mov ecx,esi 003531EE |. E8 6DF8FFFF call AppSys.00352A60 ; Param1 = lgInt18L 003531F3 |. C74424 0C 0100000>mov dword ptr ss:[esp+0xC],0x1 003531FB |. 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28] 003531FF |. C64424 78 05 mov byte ptr ss:[esp+0x78],0x5 00353204 |. E8 C7F8FFFF call AppSys.00352AD0 00353209 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30] 0035320D |. C64424 78 04 mov byte ptr ss:[esp+0x78],0x4 00353212 |. E8 B9F8FFFF call AppSys.00352AD0 00353217 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] 0035321B |. C64424 78 03 mov byte ptr ss:[esp+0x78],0x3 00353220 |. E8 ABF8FFFF call AppSys.00352AD0 00353225 |. 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38] 00353229 |. C64424 78 02 mov byte ptr ss:[esp+0x78],0x2 0035322E |. E8 9DF8FFFF call AppSys.00352AD0 00353233 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18] 00353237 |. C64424 78 01 mov byte ptr ss:[esp+0x78],0x1 0035323C |. E8 8FF8FFFF call AppSys.00352AD0 00353241 |. 8D4C24 40 lea ecx,dword ptr ss:[esp+0x40] 00353245 |. C64424 78 00 mov byte ptr ss:[esp+0x78],0x0 0035324A |. E8 81F8FFFF call AppSys.00352AD0 0035324F |. 8B4C24 70 mov ecx,dword ptr ss:[esp+0x70] 00353253 |. 8BC6 mov eax,esi 00353255 |. 5E pop esi 00353256 |. 5D pop ebp 00353257 |. 5B pop ebx 00353258 |. 64:890D 00000000 mov dword ptr fs:[0],ecx 0035325F |. 83C4 70 add esp,0x70 00353262 \. C3 retn ; } 1.1.3.1其中这里面的编号 为 2E10 的函数也是比较值得关注的,F7跟进: 00352E0F 90 nop ; Param1 = _Func2E10 ( Param2 ,Param3 ) 00352E10 /$ 6A FF push -0x1 ; { 00352E12 |. 68 E7AC3500 push AppSys.0035ACE7 ; SE 处理程序安装 00352E17 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 00352E1D |. 50 push eax 00352E1E |. 64:8925 00000000 mov dword ptr fs:[0],esp 00352E25 |. 83EC 1C sub esp,0x1C 00352E28 |. 
56 push esi 00352E29 |. 57 push edi 00352E2A |. 6A 00 push 0x0 00352E2C |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] 00352E30 |. C74424 0C 0000000>mov dword ptr ss:[esp+0xC],0x0 00352E38 |. E8 E3FBFFFF call AppSys.00352A20 00352E3D |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 00352E41 |. C74424 2C 0100000>mov dword ptr ss:[esp+0x2C],0x1 00352E49 |. E8 92F8FFFF call AppSys.003526E0 ; Small Constructor 00352E4E |. 8B7424 3C mov esi,dword ptr ss:[esp+0x3C] ; esi = Param3 00352E52 |. 8B7C24 38 mov edi,dword ptr ss:[esp+0x38] ; edi = Param2 00352E56 |. 8D4424 14 lea eax,dword ptr ss:[esp+0x14] 00352E5A |. C64424 2C 02 mov byte ptr ss:[esp+0x2C],0x2 00352E5F |. 8B0E mov ecx,dword ptr ds:[esi] 00352E61 |. 8B17 mov edx,dword ptr ds:[edi] 00352E63 |. 50 push eax 00352E64 |. 51 push ecx 00352E65 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14] 00352E69 |. 52 push edx 00352E6A |. E8 D1F8FFFF call AppSys.00352740 ; lgIntCL.2740 (Param2 ,Param3 ,lgInt14L) 00352E6F |. 8B47 04 mov eax,dword ptr ds:[edi+0x4] 00352E72 |. 8B4E 04 mov ecx,dword ptr ds:[esi+0x4] 00352E75 |. 8B7424 34 mov esi,dword ptr ss:[esp+0x34] 00352E79 |. 33C1 xor eax,ecx 00352E7B |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] 00352E7F |. 894424 10 mov dword ptr ss:[esp+0x10],eax 00352E83 |. 51 push ecx 00352E84 |. 8BCE mov ecx,esi 00352E86 |. E8 D5FBFFFF call AppSys.00352A60 ; Param1 = lgIntCL 00352E8B |. C74424 08 0100000>mov dword ptr ss:[esp+0x8],0x1 00352E93 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 00352E97 |. C64424 2C 01 mov byte ptr ss:[esp+0x2C],0x1 00352E9C |. E8 3FF2FFFF call AppSys.003520E0 00352EA1 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] 00352EA5 |. C64424 2C 00 mov byte ptr ss:[esp+0x2C],0x0 00352EAA |. E8 21FCFFFF call AppSys.00352AD0 00352EAF |. 8B4C24 24 mov ecx,dword ptr ss:[esp+0x24] 00352EB3 |. 8BC6 mov eax,esi 00352EB5 |. 5F pop edi 00352EB6 |. 5E pop esi 00352EB7 |. 64:890D 00000000 mov dword ptr fs:[0],ecx 00352EBE |. 83C4 28 add esp,0x28 00352EC1 \. 
C3 retn ; } 上面这些代码只是一层封装,其中的 被封装的 编号为 2740 的函数才是核心 ,这个函数有两个部分可以人为返回值,一个是类本身的数据改变了,另一个是传入的第3个参数,之后还有一个函数也是对 2740这个函数的只是返回的值不是这部分!,F7跟进 2740。 1.1.3.1.1: 0035273F 90 nop ; this->2740 (Param1 ,Param2 ,Param3) 00352740 /$ 6A FF push -0x1 ; { 00352742 |. 68 E0AB3500 push AppSys.0035ABE0 ; SE 处理程序安装 00352747 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 0035274D |. 50 push eax 0035274E |. 64:8925 00000000 mov dword ptr fs:[0],esp 00352755 |. 83EC 20 sub esp,0x20 00352758 |. 55 push ebp 00352759 |. 56 push esi 0035275A |. 57 push edi 0035275B |. 8BF9 mov edi,ecx 0035275D |. 6A 00 push 0x0 0035275F |. E8 2CFFFFFF call AppSys.00352690 00352764 |. 8B4424 3C mov eax,dword ptr ss:[esp+0x3C] 00352768 |. 8B7424 44 mov esi,dword ptr ss:[esp+0x44] 0035276C |. 50 push eax 0035276D |. 8BCE mov ecx,esi 0035276F |. E8 3CFFFFFF call AppSys.003526B0 ; Param3._CopyFrom( Param1 ) 00352774 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] 00352778 |. E8 63FFFFFF call AppSys.003526E0 0035277D |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 00352781 |. C74424 34 0000000>mov dword ptr ss:[esp+0x34],0x0 00352789 |. E8 52FFFFFF call AppSys.003526E0 0035278E |. 8B6C24 40 mov ebp,dword ptr ss:[esp+0x40] 00352792 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] 00352796 |. 55 push ebp 00352797 |. C64424 38 01 mov byte ptr ss:[esp+0x38],0x1 0035279C |. E8 0FFFFFFF call AppSys.003526B0 ; lgIntCL._CopyFrom ( Param2 ) 003527A1 |. 6A 01 push 0x1 003527A3 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 003527A7 |. E8 E4FEFFFF call AppSys.00352690 ; lgInt1CL.InitData(0 ,1) 003527AC |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] 003527B0 |. 51 push ecx 003527B1 |. 8BCE mov ecx,esi 003527B3 |. E8 A8FCFFFF call AppSys.00352460 ; while ( Param3 > lgIntCL ) 003527B8 |. 85C0 test eax,eax ; { 003527BA |. 7E 22 jle XAppSys.003527DE 003527BC |> 8D4C24 0C /lea ecx,dword ptr ss:[esp+0xC] 003527C0 |. E8 0BFDFFFF |call AppSys.003524D0 ; lgIntCL._Func24D0 () 003527C5 |. 8D4C24 1C |lea ecx,dword ptr ss:[esp+0x1C] 003527C9 |. 
E8 02FDFFFF |call AppSys.003524D0 ; lgInt1CL._Func24D0 () 003527CE |. 8D5424 0C |lea edx,dword ptr ss:[esp+0xC] 003527D2 |. 8BCE |mov ecx,esi 003527D4 |. 52 |push edx 003527D5 |. E8 86FCFFFF |call AppSys.00352460 003527DA |. 85C0 |test eax,eax 003527DC |.^ 7F DE \jg XAppSys.003527BC ; } 003527DE |> 55 push ebp 003527DF |. 8BCE mov ecx,esi 003527E1 |. E8 7AFCFFFF call AppSys.00352460 003527E6 |. 85C0 test eax,eax 003527E8 |. 7C 56 jl XAppSys.00352840 ; while (Param3 >= Param2 ) 003527EA |> 8D4424 0C /lea eax,dword ptr ss:[esp+0xC] ; { 003527EE |. 8BCE |mov ecx,esi 003527F0 |. 50 |push eax 003527F1 |. E8 6AFCFFFF |call AppSys.00352460 003527F6 |. 85C0 |test eax,eax ; while (Param3 < lgIntCL) 003527F8 |. 7D 22 |jge XAppSys.0035281C ; { 003527FA |> 8D4C24 0C |/lea ecx,dword ptr ss:[esp+0xC] 003527FE |. E8 0DFDFFFF ||call AppSys.00352510 ; lgIntCL._Func2510(); 00352803 |. 8D4C24 1C ||lea ecx,dword ptr ss:[esp+0x1C] 00352807 |. E8 04FDFFFF ||call AppSys.00352510 ; lgInt1CL._Func2510(); 0035280C |. 8D4C24 0C ||lea ecx,dword ptr ss:[esp+0xC] 00352810 |. 51 ||push ecx 00352811 |. 8BCE ||mov ecx,esi 00352813 |. E8 48FCFFFF ||call AppSys.00352460 00352818 |. 85C0 ||test eax,eax 0035281A |.^ 7C DE |\jl XAppSys.003527FA ; } 0035281C |> 8D5424 0C |lea edx,dword ptr ss:[esp+0xC] 00352820 |. 8BCE |mov ecx,esi 00352822 |. 52 |push edx 00352823 |. E8 08FEFFFF |call AppSys.00352630 ; Param3 -= lgIntCL 00352828 |. 8D4424 1C |lea eax,dword ptr ss:[esp+0x1C] 0035282C |. 8BCF |mov ecx,edi 0035282E |. 50 |push eax 0035282F |. E8 8CFDFFFF |call AppSys.003525C0 ; this += lgInt1CL 00352834 |. 55 |push ebp 00352835 |. 8BCE |mov ecx,esi 00352837 |. E8 24FCFFFF |call AppSys.00352460 0035283C |. 85C0 |test eax,eax 0035283E |.^ 7D AA \jge XAppSys.003527EA ; } 00352840 |> 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 00352844 |. C64424 34 00 mov byte ptr ss:[esp+0x34],0x0 00352849 |. E8 92F8FFFF call AppSys.003520E0 0035284E |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] 00352852 |. 
C74424 34 FFFFFFF>mov dword ptr ss:[esp+0x34],-0x1 0035285A |. E8 81F8FFFF call AppSys.003520E0 0035285F |. 8B4C24 2C mov ecx,dword ptr ss:[esp+0x2C] 00352863 |. 5F pop edi 00352864 |. 5E pop esi 00352865 |. 5D pop ebp 00352866 |. 64:890D 00000000 mov dword ptr fs:[0],ecx 0035286D |. 83C4 2C add esp,0x2C 00352870 \. C2 0C00 retn 0xC ; } 其中还有个 两数相加的函数 及编号 24D0 ,2510等函数,比较简单就不分析了。 下面贴一份编号 2F80 的函数的C++代码吧: void LargeInt::_UnNamed2F80( LargeInt* PlgParam1, LargeInt* PlgParam2 ) { LargeInt lg40(1); LargeInt lg38 ,lg10 ,lg30 ,lg28 ,lg18 ,lgZero ,lgTmp1 ,lgTmp2; lg38 = *PlgParam2; lg10 = *PlgParam1; _Zero(); while (lg10._SignedCmp(&lgZero) != 0) { lg30._Zero(); lg30._UnNamed2E10(&lg38 ,&lg10); lgTmp1._Zero(); lgTmp1._SignedMulVariant(&lg30 ,&lg10); lg28._Zero(); lg28._SignedSub(&lg38 ,&lgTmp1); lg38 = lg10; lg10 = lg28; lg28 = lg40; lgTmp1._Zero(); lgTmp1._SignedMulVariant(&lg40 ,&lg30); lg40._Zero(); lg40._SignedSub(&lg18 ,&lgTmp1); lg18 = lg28; } if (lg18._SignedCmp(&lgZero) < 0) { lgTmp1 = lg18; lg18._Zero(); lg18._SignedAdd(&lgTmp1 ,PlgParam2); } *this = lg18; } LargeInt LargeInt::_UnNamed2E10( LargeInt* PlgParam1, LargeInt* PlgParam2 ) { LargeInt lgInt1CL(1) ,lgTmp1(0) ,lgTmp2(0); LargeInt lgIntp3 = *PlgParam1 ,lgIntCL = *PlgParam2; while (lgIntp3._UnSignedCmp(&lgIntCL) > 0) { lgIntCL._UnNamed24D0(); lgInt1CL._UnNamed24D0(); } while (lgIntp3._UnSignedCmp(PlgParam2) >= 0) { while (lgIntp3._UnSignedCmp(&lgIntCL) < 0) { lgIntCL._UnNamed2510(); lgInt1CL._UnNamed2510(); } lgTmp1 = lgIntp3; lgTmp2 = *this; lgIntp3._UnsignedSub(&lgTmp1 ,&lgIntCL); _UnsignedAdd(&lgTmp2 ,&lgInt1CL); } return lgIntp3; } void LargeInt::_SignedAdd( LargeInt* PlgOp1, LargeInt* PlgOp2 ) { if (PlgOp1->_GetSignFlags() == PlgOp2->_GetSignFlags()) { _UnsignedAdd(PlgOp1 ,PlgOp2); nSignFlag = PlgOp1->_GetSignFlags(); } else if (PlgOp1->_UnSignedCmp(PlgOp2) > 0) { _UnsignedSub(PlgOp1 ,PlgOp2); nSignFlag = PlgOp1->_GetSignFlags(); } else if (PlgOp1->_UnSignedCmp(PlgOp2) < 0) { _UnsignedSub(PlgOp2 
,PlgOp1); nSignFlag = PlgOp2->_GetSignFlags(); } else _Zero(); } void LargeInt::_UnsignedAdd( LargeInt* PlgOp1, LargeInt* PlgOp2 ) { unsigned int nNumLoc = ((PlgOp1->_GetValids()) > (PlgOp2->_GetValids()))? (PlgOp1->_GetValids()) : (PlgOp2->_GetValids()); unsigned int nOptorf = 0 ,nOptors = 0 ,ncfLast = 0 ,ncfNext = 0; _Zero(); for (unsigned int i = 0 ;i <= nNumLoc ;i++) { ncfNext = 0; nOptorf = PlgOp2->_GetData(i); nOptors = PlgOp1->_GetData(i); nOptorf += ncfLast; if (nOptorf < ncfLast) ncfNext++; nOptors += nOptorf; if (nOptors < nOptorf) ncfNext++; _SetData(i ,nOptors); ncfLast = ncfNext; } } void LargeInt::_UnNamed24D0( ) { unsigned int nEsi = 0 ,nEbp = 0 ,nTmp = 0; unsigned int nVdsOri = nValids; for (unsigned int i = 0 ;i <= nVdsOri ;i++) { nEsi = _GetData(i); nTmp = nEsi*2 + nEbp; _SetData(i ,nTmp); nEbp = nEsi >> 0x1F; } } void LargeInt::_UnNamed2510( ) { unsigned int nEbp = 0 ,nEsi = 0 ,nTmp = 0; for (unsigned int i = _GetValids() ;i > 0 ;i--) { nEsi = _GetData(i-1); nTmp = (nEsi >> 0x1) + nEbp; _SetData(i-1 ,nTmp); nEbp = nEsi << 0x1F; } } 1.1.4.接下来就是编号为 2ED0的函数了,这个函数就是上文中提到的与 2E10 都对2740封装的函数,只是返回值是 2740 的第3个参数。这里就不再说了。 1.1.5.再接下来就是编号为 3660 的函数了,这个函数比较深: 00353660 /$ 6A FF push -0x1 ; Param0 = _Func3660( Param1 ,Param2 ,Parm3) 00353662 |. 68 27AF3500 push AppSys.0035AF27 ; SE 处理程序安装 00353667 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 0035366D |. 50 push eax 0035366E |. 64:8925 00000000 mov dword ptr fs:[0],esp 00353675 |. 83EC 38 sub esp,0x38 00353678 |. 8B4424 54 mov eax,dword ptr ss:[esp+0x54] 0035367C |. 56 push esi 0035367D |. 50 push eax 0035367E |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] 00353682 |. C74424 08 0000000>mov dword ptr ss:[esp+0x8],0x0 0035368A |. E8 E1FBFFFF call AppSys.00353270 ; Int8L._3270 ( PclParam3 ) 经过一系列运算,并构造一系列对象 0035368F |. 8B4C24 54 mov ecx,dword ptr ss:[esp+0x54] 00353693 |. 8B5424 50 mov edx,dword ptr ss:[esp+0x50] 00353697 |. 8B7424 4C mov esi,dword ptr ss:[esp+0x4C] 0035369B |. 51 push ecx 0035369C |. 
52 push edx 0035369D |. 56 push esi 0035369E |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 003536A2 |. C74424 50 0100000>mov dword ptr ss:[esp+0x50],0x1 003536AA |. E8 D1FEFFFF call AppSys.00353580 ; lgInt8L._Func3580 ( Param0 ,Param1 ,Param2 ) 003536AF |. C74424 04 0100000>mov dword ptr ss:[esp+0x4],0x1 003536B7 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34] 003536BB |. C74424 44 0600000>mov dword ptr ss:[esp+0x44],0x6 003536C3 |. E8 08F4FFFF call AppSys.00352AD0 003536C8 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C] 003536CC |. C64424 44 05 mov byte ptr ss:[esp+0x44],0x5 003536D1 |. E8 FAF3FFFF call AppSys.00352AD0 003536D6 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 003536DA |. C64424 44 04 mov byte ptr ss:[esp+0x44],0x4 003536DF |. E8 ECF3FFFF call AppSys.00352AD0 003536E4 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18] 003536E8 |. C64424 44 03 mov byte ptr ss:[esp+0x44],0x3 003536ED |. E8 DEF3FFFF call AppSys.00352AD0 003536F2 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] 003536F6 |. C64424 44 02 mov byte ptr ss:[esp+0x44],0x2 003536FB |. E8 D0F3FFFF call AppSys.00352AD0 00353700 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8] 00353704 |. C64424 44 00 mov byte ptr ss:[esp+0x44],0x0 00353709 |. E8 C2F3FFFF call AppSys.00352AD0 0035370E |. 8B4C24 3C mov ecx,dword ptr ss:[esp+0x3C] 00353712 |. 8BC6 mov eax,esi 00353714 |. 5E pop esi 00353715 |. 64:890D 00000000 mov dword ptr fs:[0],ecx 0035371C |. 83C4 44 add esp,0x44 0035371F \. C3 retn 1.1.4.1这个函数只调用了两个函数,先来看第一个,在这个函数中用 3660函数的 Param3 经过一系列运算并用运算结果构造出一系列对象,这些对象都是位于3660函数的栈空间中,且这些对象将在3660函数中的 下一个函数中用到: 00353270 /$ 6A FF push -0x1 00353272 |. 68 37AE3500 push AppSys.0035AE37 ; SE 处理程序安装 00353277 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 0035327D |. 50 push eax 0035327E |. 64:8925 00000000 mov dword ptr fs:[0],esp 00353285 |. 83EC 14 sub esp,0x14 00353288 |. 53 push ebx 00353289 |. 55 push ebp 0035328A |. 56 push esi 0035328B |. 57 push edi 0035328C |. 8BF1 mov esi,ecx 0035328E |. 6A 00 push 0x0 00353290 |. 
897424 14 mov dword ptr ss:[esp+0x14],esi 00353294 |. E8 87F7FFFF call AppSys.00352A20 00353299 |. 8D6E 08 lea ebp,dword ptr ds:[esi+0x8] 0035329C |. 6A 00 push 0x0 0035329E |. 8BCD mov ecx,ebp 003532A0 |. C74424 30 0000000>mov dword ptr ss:[esp+0x30],0x0 003532A8 |. E8 73F7FFFF call AppSys.00352A20 003532AD |. 6A 00 push 0x0 003532AF |. 8D4E 10 lea ecx,dword ptr ds:[esi+0x10] 003532B2 |. C64424 30 01 mov byte ptr ss:[esp+0x30],0x1 003532B7 |. E8 64F7FFFF call AppSys.00352A20 003532BC |. 6A 00 push 0x0 003532BE |. 8D4E 18 lea ecx,dword ptr ds:[esi+0x18] 003532C1 |. C64424 30 02 mov byte ptr ss:[esp+0x30],0x2 003532C6 |. E8 55F7FFFF call AppSys.00352A20 003532CB |. 8D7E 24 lea edi,dword ptr ds:[esi+0x24] 003532CE |. 6A 00 push 0x0 003532D0 |. 8BCF mov ecx,edi 003532D2 |. C64424 30 03 mov byte ptr ss:[esp+0x30],0x3 003532D7 |. E8 44F7FFFF call AppSys.00352A20 003532DC |. 8D5E 2C lea ebx,dword ptr ds:[esi+0x2C] 003532DF |. 6A 00 push 0x0 003532E1 |. 8BCB mov ecx,ebx 003532E3 |. C64424 30 04 mov byte ptr ss:[esp+0x30],0x4 003532E8 |. E8 33F7FFFF call AppSys.00352A20 003532ED |. 8B4424 34 mov eax,dword ptr ss:[esp+0x34] 003532F1 |. 8BCE mov ecx,esi 003532F3 |. 50 push eax 003532F4 |. C64424 30 05 mov byte ptr ss:[esp+0x30],0x5 003532F9 |. E8 82F7FFFF call AppSys.00352A80 ; *this = Param 003532FE |. 6A 01 push 0x1 00353300 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18] 00353304 |. C746 20 00000000 mov dword ptr ds:[esi+0x20],0x0 0035330B |. E8 10F7FFFF call AppSys.00352A20 ; lgInt14L.InitData (0 ,1) 00353310 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 00353314 |. C64424 2C 06 mov byte ptr ss:[esp+0x2C],0x6 00353319 |. 51 push ecx 0035331A |. 8BCF mov ecx,edi 0035331C |. E8 5FF7FFFF call AppSys.00352A80 ; qlgInt24 = lgInt14L 00353321 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 00353325 |. C64424 2C 05 mov byte ptr ss:[esp+0x2C],0x5 0035332A |. E8 A1F7FFFF call AppSys.00352AD0 0035332F |. 8B5424 34 mov edx,dword ptr ss:[esp+0x34] 00353333 |. 52 push edx 00353334 |. 
57 push edi 00353335 |. E8 96F5FFFF call AppSys.003528D0 ; operator < 0035333A |. 83C4 08 add esp,0x8 0035333D |. 85C0 test eax,eax 0035333F |. 74 21 je XAppSys.00353362 ; while (qlgInt24 < Param) 00353341 |> 57 /push edi ; { 00353342 |. 8BCF |mov ecx,edi 00353344 |. E8 B7F7FFFF |call AppSys.00352B00 ; qlgInt24 += qlgInt24 00353349 |. 8B56 20 |mov edx,dword ptr ds:[esi+0x20] 0035334C |. 8B4424 34 |mov eax,dword ptr ss:[esp+0x34] 00353350 |. 42 |inc edx 00353351 |. 50 |push eax 00353352 |. 57 |push edi 00353353 |. 8956 20 |mov dword ptr ds:[esi+0x20],edx 00353356 |. E8 75F5FFFF |call AppSys.003528D0 0035335B |. 83C4 08 |add esp,0x8 0035335E |. 85C0 |test eax,eax 00353360 |.^ 75 DF \jnz XAppSys.00353341 ; } 00353362 |> 56 push esi 00353363 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 00353367 |. 57 push edi 00353368 |. 51 push ecx 00353369 |. E8 82F9FFFF call AppSys.00352CF0 ; lgInt1CL = qlgInt24 - Param 0035336E |. 56 push esi 0035336F |. 8D5424 24 lea edx,dword ptr ss:[esp+0x24] 00353373 |. 50 push eax 00353374 |. 52 push edx 00353375 |. C64424 44 07 mov byte ptr ss:[esp+0x44],0x7 0035337A |. E8 01FCFFFF call AppSys.00352F80 ; lgInt14L = _Func2F80 ( lgInt1CL ,Param ) 0035337F |. 83C4 18 add esp,0x18 00353382 |. 50 push eax 00353383 |. 8BCB mov ecx,ebx 00353385 |. C64424 30 08 mov byte ptr ss:[esp+0x30],0x8 0035338A |. E8 F1F6FFFF call AppSys.00352A80 ; qlgInt2C = lgInt14L 0035338F |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 00353393 |. C64424 2C 07 mov byte ptr ss:[esp+0x2C],0x7 00353398 |. E8 33F7FFFF call AppSys.00352AD0 0035339D |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 003533A1 |. C64424 2C 05 mov byte ptr ss:[esp+0x2C],0x5 003533A6 |. E8 25F7FFFF call AppSys.00352AD0 003533AB |. 57 push edi 003533AC |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] 003533B0 |. 56 push esi 003533B1 |. 50 push eax 003533B2 |. E8 C9FBFFFF call AppSys.00352F80 ; lgInt14L = _Func2F80 ( Param ,qlgInt24 ) 003533B7 |. 50 push eax 003533B8 |. 
8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C] 003533BC |. B3 09 mov bl,0x9 003533BE |. 57 push edi 003533BF |. 51 push ecx 003533C0 |. 885C24 44 mov byte ptr ss:[esp+0x44],bl 003533C4 |. E8 27F9FFFF call AppSys.00352CF0 ; lgInt1CL = qlgInt24 - lgInt14L 003533C9 |. 83C4 18 add esp,0x18 003533CC |. 50 push eax 003533CD |. 8BCD mov ecx,ebp 003533CF |. C64424 30 0A mov byte ptr ss:[esp+0x30],0xA 003533D4 |. E8 A7F6FFFF call AppSys.00352A80 ; qlgInt8 = lgInt1CL 003533D9 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 003533DD |. 885C24 2C mov byte ptr ss:[esp+0x2C],bl 003533E1 |. E8 EAF6FFFF call AppSys.00352AD0 003533E6 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 003533EA |. C64424 2C 05 mov byte ptr ss:[esp+0x2C],0x5 003533EF |. E8 DCF6FFFF call AppSys.00352AD0 003533F4 |. 8B4C24 24 mov ecx,dword ptr ss:[esp+0x24] 003533F8 |. 8BC6 mov eax,esi 003533FA |. 5F pop edi 003533FB |. 5E pop esi 003533FC |. 5D pop ebp 003533FD |. 5B pop ebx 003533FE |. 64:890D 00000000 mov dword ptr fs:[0],ecx 00353405 |. 83C4 20 add esp,0x20 00353408 \. C2 0400 retn 0x4 上面代码中构造了对象 qlgInt8 ,qlgInt24 ,qlgInt2C 及lgInt8L (调用该函数的对象)会在后面中用到 1.1.4.2.下面再来看 3660 中的第2个函数调用,这个函数中用到上述的几个对象: 0035357F 90 nop ; lgInt8._Func3580 (Param0 ,Param1 ,Param2) 00353580 /$ 6A FF push -0x1 00353582 |. 68 C7AE3500 push AppSys.0035AEC7 ; SE 处理程序安装 00353587 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 0035358D |. 50 push eax 0035358E |. 64:8925 00000000 mov dword ptr fs:[0],esp 00353595 |. 83EC 24 sub esp,0x24 00353598 |. 56 push esi 00353599 |. 8BF1 mov esi,ecx 0035359B |. 8B4C24 3C mov ecx,dword ptr ss:[esp+0x3C] 0035359F |. 8D5424 20 lea edx,dword ptr ss:[esp+0x20] 003535A3 |. 8D46 24 lea eax,dword ptr ds:[esi+0x24] 003535A6 |. C74424 04 0000000>mov dword ptr ss:[esp+0x4],0x0 003535AE |. 50 push eax 003535AF |. 51 push ecx 003535B0 |. 52 push edx 003535B1 |. E8 BAF7FFFF call AppSys.00352D70 ; lgInt20L = Param1 X qClass24 003535B6 |. 56 push esi 003535B7 |. 50 push eax 003535B8 |. 
8D4424 2C lea eax,dword ptr ss:[esp+0x2C] 003535BC |. C74424 44 0100000>mov dword ptr ss:[esp+0x44],0x1 003535C4 |. 50 push eax 003535C5 |. E8 06F9FFFF call AppSys.00352ED0 ; lgInt18L = _Func2ED0 ( lgInt20L ,this ) 003535CA |. 83C4 18 add esp,0x18 003535CD |. 8B4C24 40 mov ecx,dword ptr ss:[esp+0x40] 003535D1 |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10] 003535D5 |. 51 push ecx 003535D6 |. 50 push eax 003535D7 |. 52 push edx 003535D8 |. 8BCE mov ecx,esi 003535DA |. C64424 3C 02 mov byte ptr ss:[esp+0x3C],0x2 003535DF |. E8 ACFEFFFF call AppSys.00353490 ; lgInt10L = this->_Func3490 ( lgInt18L ,Param2 ) 003535E4 |. 8D4E 2C lea ecx,dword ptr ds:[esi+0x2C] 003535E7 |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8] 003535EB |. 51 push ecx 003535EC |. 50 push eax 003535ED |. 52 push edx 003535EE |. C64424 3C 03 mov byte ptr ss:[esp+0x3C],0x3 003535F3 |. E8 78F7FFFF call AppSys.00352D70 ; lgInt8L = lgInt10L X qClass2C 003535F8 |. 56 push esi 003535F9 |. 8B7424 48 mov esi,dword ptr ss:[esp+0x48] 003535FD |. 50 push eax 003535FE |. 56 push esi 003535FF |. C64424 48 04 mov byte ptr ss:[esp+0x48],0x4 00353604 |. E8 C7F8FFFF call AppSys.00352ED0 ; Param0 = _Func2ED0 ( lgInt8L ,this ) 00353609 |. 83C4 18 add esp,0x18 0035360C |. C74424 04 0100000>mov dword ptr ss:[esp+0x4],0x1 00353614 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8] 00353618 |. C64424 30 03 mov byte ptr ss:[esp+0x30],0x3 0035361D |. E8 AEF4FFFF call AppSys.00352AD0 00353622 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] 00353626 |. C64424 30 02 mov byte ptr ss:[esp+0x30],0x2 0035362B |. E8 A0F4FFFF call AppSys.00352AD0 00353630 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18] 00353634 |. C64424 30 01 mov byte ptr ss:[esp+0x30],0x1 00353639 |. E8 92F4FFFF call AppSys.00352AD0 0035363E |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 00353642 |. C64424 30 00 mov byte ptr ss:[esp+0x30],0x0 00353647 |. E8 84F4FFFF call AppSys.00352AD0 0035364C |. 8B4C24 28 mov ecx,dword ptr ss:[esp+0x28] 00353650 |. 8BC6 mov eax,esi 00353652 |. 
5E pop esi 00353653 |. 64:890D 00000000 mov dword ptr fs:[0],ecx 0035365A |. 83C4 30 add esp,0x30 0035365D \. C2 0C00 retn 0xC 1.1.4.2.1这里又调用了编号为3490 的函数,忍住再来分析下: 0035348F 90 nop ; Param1 = this->_Func3490 ( Param2 ,Param3 ) 00353490 /$ 6A FF push -0x1 00353492 |. 68 77AE3500 push AppSys.0035AE77 ; SE 处理程序安装 00353497 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 0035349D |. 50 push eax 0035349E |. 64:8925 00000000 mov dword ptr fs:[0],esp 003534A5 |. 83EC 14 sub esp,0x14 003534A8 |. 53 push ebx 003534A9 |. 55 push ebp 003534AA |. 56 push esi 003534AB |. 8BF1 mov esi,ecx 003534AD |. 57 push edi 003534AE |. 56 push esi 003534AF |. 8D46 24 lea eax,dword ptr ds:[esi+0x24] 003534B2 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20] 003534B6 |. 33FF xor edi,edi 003534B8 |. 50 push eax 003534B9 |. 51 push ecx 003534BA |. 897C24 1C mov dword ptr ss:[esp+0x1C],edi 003534BE |. E8 2DF8FFFF call AppSys.00352CF0 ; lgInt1CL = qlgInt24 - this 003534C3 |. 83C4 0C add esp,0xC 003534C6 |. 8B5424 38 mov edx,dword ptr ss:[esp+0x38] 003534CA |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 003534CE |. 52 push edx 003534CF |. C74424 30 0100000>mov dword ptr ss:[esp+0x30],0x1 003534D7 |. E8 84F5FFFF call AppSys.00352A60 003534DC |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 003534E0 |. C64424 2C 02 mov byte ptr ss:[esp+0x2C],0x2 003534E5 |. E8 76F4FFFF call AppSys.00352960 ; lgInt14L = Param2 且不共用缓冲区 003534EA |. 8B6C24 3C mov ebp,dword ptr ss:[esp+0x3C] 003534EE |. 8B4D 00 mov ecx,dword ptr ss:[ebp] 003534F1 |. E8 1AEFFFFF call AppSys.00352410 003534F6 |. 8BD8 mov ebx,eax 003534F8 |> 8B4D 00 /mov ecx,dword ptr ss:[ebp] ; while (i < Param3->_CalcLastData()) 003534FB |. 57 |push edi ; { 003534FC |. E8 DFEEFFFF |call AppSys.003523E0 00353501 |. 85C0 |test eax,eax 00353503 |. 74 11 |je XAppSys.00353516 ; if ( Param3._GetData(i) 的第i位 != 0) 这里的是2进制位 00353505 |. 8D4424 14 |lea eax,dword ptr ss:[esp+0x14] ; { 00353509 |. 8D4C24 1C |lea ecx,dword ptr ss:[esp+0x1C] 0035350D |. 50 |push eax 0035350E |. 
51 |push ecx 0035350F |. 8BCE |mov ecx,esi 00353511 |. E8 FAFEFFFF |call AppSys.00353410 ; this->_Func3410( lgInt1CL ,lgInt14L ) 00353516 |> 47 |inc edi ; } 00353517 |. 3BFB |cmp edi,ebx 00353519 |. 74 13 |je XAppSys.0035352E 0035351B |. 8D5424 14 |lea edx,dword ptr ss:[esp+0x14] 0035351F |. 8D4424 14 |lea eax,dword ptr ss:[esp+0x14] 00353523 |. 52 |push edx 00353524 |. 50 |push eax 00353525 |. 8BCE |mov ecx,esi 00353527 |. E8 E4FEFFFF |call AppSys.00353410 ; this->_Func3410( lgInt14L ,lgInt14L ) 0035352C |.^ EB CA \jmp XAppSys.003534F8 ; } 0035352E |> 8B7424 34 mov esi,dword ptr ss:[esp+0x34] 00353532 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 00353536 |. 51 push ecx 00353537 |. 8BCE mov ecx,esi 00353539 |. E8 22F5FFFF call AppSys.00352A60 ; Param1 = lgInt1CL 0035353E |. C74424 10 0100000>mov dword ptr ss:[esp+0x10],0x1 00353546 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] 0035354A |. C64424 2C 01 mov byte ptr ss:[esp+0x2C],0x1 0035354F |. E8 7CF5FFFF call AppSys.00352AD0 00353554 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C] 00353558 |. C64424 2C 00 mov byte ptr ss:[esp+0x2C],0x0 0035355D |. E8 6EF5FFFF call AppSys.00352AD0 00353562 |. 8B4C24 24 mov ecx,dword ptr ss:[esp+0x24] 00353566 |. 8BC6 mov eax,esi 00353568 |. 5F pop edi 00353569 |. 5E pop esi 0035356A |. 5D pop ebp 0035356B |. 5B pop ebx 0035356C |. 64:890D 00000000 mov dword ptr fs:[0],ecx 00353573 |. 83C4 20 add esp,0x20 00353576 \. 
C2 0C00 retn 0xC 其中还有一个函数3410就不分析了,比较简单,记住这个函数旨在改变第1个参数就行了。 下面我贴份 3660函数 的C++代码吧,我将其内联成了一个函数: void LargeInt::_UnName3660( LargeInt* plg1, LargeInt* plg2, LargeInt* plg3 ) { _Zero(); //1.0Constructor: unsigned int nq20 = 0; LargeInt lgIntq24(1) ,lgIntq2c ,lgIntq8 ,lgIntTmp; while (lgIntq24._SignedCmp(plg3) < 0) { lgIntTmp = lgIntq24; lgIntq24._Zero(); lgIntq24._SignedAdd(&lgIntTmp ,&lgIntTmp); nq20++; } lgIntTmp._SignedSub(&lgIntq24 ,plg3); lgIntq2c._UnNamed2F80(&lgIntTmp ,plg3); lgIntTmp._UnNamed2F80(plg3 ,&lgIntq24); lgIntq8._SignedSub(&lgIntq24 ,&lgIntTmp); //2.0 _Func3580: lgIntTmp._UnSignedMulVariant(plg1 ,&lgIntq24 ,0); LargeInt lgIntTmp2 ,lgIntTmp3 ,lgIntTmp4 ,lgIntTmp5; lgIntTmp3 = lgIntTmp2._UnNamed2E10(&lgIntTmp ,plg3); //2.1 _Func3490: lgIntTmp._SignedSub(&lgIntq24 ,plg3); unsigned int i = 0 ,nCalcLst = plg2->_CalcLastData(); do { if (plg2->_GetDataBit(i)) { //2.1.1 _Func3410(&lgIntTmp ,&lgIntTmp3); lgIntTmp2._UnSignedMulVariant(&lgIntTmp ,&lgIntTmp3 ,nq20*2); lgIntTmp4._UnSignedMulVariant(&lgIntTmp2 ,&lgIntq8 ,nq20); lgIntTmp._UnSignedMulVariant(&lgIntTmp4 ,plg3 ,nq20*2); lgIntTmp5._SignedAdd(&lgIntTmp ,&lgIntTmp2); lgIntTmp5._UnName2550(nq20); lgIntTmp = lgIntTmp5; if (lgIntTmp._SignedCmp(plg3) > 0){ lgIntTmp5._SignedSub(&lgIntTmp ,plg3); lgIntTmp = lgIntTmp5; } } //2.1.1 _Func3410(&lgIntTmp3 ,&lgIntTmp3); lgIntTmp2._UnSignedMulVariant(&lgIntTmp3 ,&lgIntTmp3 ,nq20*2); lgIntTmp4._UnSignedMulVariant(&lgIntTmp2 ,&lgIntq8 ,nq20); lgIntTmp3._UnSignedMulVariant(&lgIntTmp4 ,plg3 ,nq20*2); lgIntTmp5._SignedAdd(&lgIntTmp3 ,&lgIntTmp2); lgIntTmp5._UnName2550(nq20); lgIntTmp3 = lgIntTmp5; if (lgIntTmp3._SignedCmp(plg3) > 0) { lgIntTmp5._SignedSub(&lgIntTmp3 ,plg3); lgIntTmp3 = lgIntTmp5; } } while (i++ < nCalcLst); lgIntTmp2._SignedMulVariant(&lgIntTmp ,&lgIntq2c); lgIntTmp3._Zero(); *this = lgIntTmp3._UnNamed2E10(&lgIntTmp2 ,plg3); } 1.1.5.最后一个函数是编号为 2C70 的函数,这个函数其实就是两个大整数相加的封装,就不重复了 。 
到此为止,我觉得有必要分析的函数就上面这些了,事实上整个注册过程中这个数据结构还有很多函数,分析时经常是F7跟进一个陌生函数之后发现又是一大堆陌生函数,搞得每一次按F7跟进时都显得特别需要勇气!经过多次的调试之后,几乎把整个过程的函数算是弄透了。还有就是这是面向对象的加密方法(还是第一次逆向),因此,得对C++的逆向代码有一定的了解,其实反汇编下的C++还是挺有技巧的。本来不打算写这篇文章的,因为不知道从何处下手,写出来一定很烂,乱,杂…..但还是写了,逆得这么累,总想留下点什么,烂就烂吧! 文章难免有误,万望高手赐教,贴上全文以供各位高手嘲笑!!! 最后给出一份完整注册机源码吧!需要的朋友可自行下载!! 【注册机源码下载】:由于拷错文件了,不是在自己电脑上,源码我会在稍后附上。 |
|
[原创]ErShu's CrackMe分析 附 注册机
其实我是昨晚才换上它的. |
|
[原创]360网盾 广告拦截模块崩溃分析
顶!虽然看不懂。 |
|
[原创]偶得几十本好书,决定闭关二年!
你可别起清政府的老路啊 |
|
[求助]关于磁盘卷过滤的困惑
原来是这句的错,for (int i = 0 ;i < IRP_MJ_MAXIMUM_FUNCTION ;i++) ,一直蓝屏的原因就是 i < IRP_MJ_MAXIMUM_FUNCTION ,少了个=,还是要谢谢你 ,tydef兄…… |
|
[求助]关于磁盘卷过滤的困惑
蓝屏的原因似乎与irp无关,通过windbg跟踪,我发现在pnp管理器调用3次AddDevice后便蓝屏了,在此之前未曾在分发函数中断下过。因此应该不是分发函数的问题吧。 |
|
[求助]关于磁盘卷过滤的困惑
谢谢 tydef兄提醒,附件已上传,由于开发环境的不同,我只传了头文件与源文件。期待答案……… |
|
[求助]关于《寒江独钓》键盘过滤的一个困扰
自己顶一下,别沉下去了,在线等答案...... |