[求助] 关于置顶的新手入樵 crackme 博物馆 的一个CM分析
发表于: 2011-6-3 16:49 3286
注册码找到位置了,但是注册机 不会做 ,请求帮助,那位师傅有时间帮助 做一个算法详细分析 和注册机教程!!!
CM下载
===================================================
原贴地址
===================================================
根据原贴105楼的兄弟的方法 找到注册名对应的注册码
但是 算法 糊涂了 注册机 不会做 请求师傅 帮助做个教程
===================================================
下面是我分析过程,分析算法 绕糊涂了,
===================================================
首先利用“eXeScope”查看源程序,发现获得成功注册后会出来一对话框,记住它的窗口号是103,换成16进制就是67,然后在OD里面加载riijj_mfccm1_r2,
搜索===》命令===》push 67, 就是找到它注册成功的提示之前需要把对话框入栈的指令,
004036C8:push 67 //就是这个窗口
我们往上看,
004036C0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 这个时候在堆栈窗口 有提示 来自于Local Call from 004012B8
或者 在004036C0 点右键 ===》 前往===》 Call 来自于 004012B8
-----------------------
004036C0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 来自于Local Call from 004012B8
004036C4 |. 56 push esi
004036C5 |. 50 push eax
004036C6 |. 8BF1 mov esi,ecx
004036C8 6A 67 push 67 ; 调用注册成功信息对话框
004036CA |. E8 6D020000 call <jmp.&MFC42.#324>
004036CF |. C706 10454000 mov dword ptr ds:[esi],riijj>; $9@
004036D5 |. 8BC6 mov eax,esi
004036D7 |. 5E pop esi
004036D8 \. C2 0400 retn 4
------------------------
---------------------
ddbigboy
BBOJARQCJGNXUKNA
------------------------------------------------------------------------------------------
00401140 6A FF push -1
00401142 68 BE3B4000 push riijj_mf.00403BBE ; 在这里下断点,EAX里显示试验注册码1234567890654321 EDX里显示注册名ddbigboy
00401147 64:A1 00000000 mov eax,dword ptr fs:[0]
0040114D 50 push eax
0040114E 64:8925 0000000>mov dword ptr fs:[0],esp
00401155 81EC D0000000 sub esp,0D0
0040115B 8A4C24 03 mov cl,byte ptr ss:[esp+3]
0040115F 8A4424 03 mov al,byte ptr ss:[esp+3]
00401163 53 push ebx
00401164 55 push ebp
00401165 56 push esi
00401166 884C24 15 mov byte ptr ss:[esp+15],cl
0040116A 57 push edi
0040116B 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040116F 884424 18 mov byte ptr ss:[esp+18],al
00401173 C64424 20 00 mov byte ptr ss:[esp+20],0
00401178 E8 831C0000 call riijj_mf.00402E00
0040117D 8A5424 13 mov dl,byte ptr ss:[esp+13]
00401181 8A4424 13 mov al,byte ptr ss:[esp+13]
00401185 33ED xor ebp,ebp
00401187 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040118B 89AC24 E8000000 mov dword ptr ss:[esp+E8],ebp
00401192 885424 28 mov byte ptr ss:[esp+28],dl
00401196 884424 29 mov byte ptr ss:[esp+29],al
0040119A C64424 30 00 mov byte ptr ss:[esp+30],0
0040119F E8 5C1C0000 call riijj_mf.00402E00
004011A4 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004011A8 8D5424 28 lea edx,dword ptr ss:[esp+28]
004011AC 51 push ecx
004011AD 52 push edx
004011AE C68424 F0000000>mov byte ptr ss:[esp+F0],1
004011B6 E8 45FEFFFF call riijj_mf.00401000
004011BB 8B9C24 F8000000 mov ebx,dword ptr ss:[esp+F8]
004011C2 83C4 08 add esp,8
004011C5 8A03 mov al,byte ptr ds:[ebx]
004011C7 0FBEF0 movsx esi,al
004011CA 3BF5 cmp esi,ebp
004011CC 75 2A jnz short riijj_mf.004011F8
004011CE 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004011D2 C68424 E8000000>mov byte ptr ss:[esp+E8],0
004011DA E8 11150000 call riijj_mf.004026F0
004011DF 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004011E3 C78424 E8000000>mov dword ptr ss:[esp+E8],-1
004011EE E8 FD140000 call riijj_mf.004026F0
004011F3 E9 CA010000 jmp riijj_mf.004013C2
004011F8 84C0 test al,al
004011FA 74 0F je short riijj_mf.0040120B
关键算法部分,将注册名的ASCII编码依次进行运算
004011FC 0FBEC0 /movsx eax,al al=64
('d') 将注册名第一个字母的ASCII编码64送入EAX
004011FF 0FAFF0 |imul esi,eax 这里ESI 数值是64 EAX*ESI 结果保存在ESI 64*64=2710
00401202 8A442B 01 |mov al,byte ptr ds:[ebx+ebp+1] EBX里存着注册名,将下一位送入al
00401206 45 |inc ebp EBP 累计1次
00401207 84C0 |test al,al 比较al数据
00401209 ^ 75 F1 \jnz short riijj_mf.004011FC al有数据则跳 到上面 循环 计算
在这里一共循环计算8次（注册名每个字符一次）。注册名 ddbigboy 的 ASCII 编码依次为 64 64 62 69 67 62 6f 79；由于进入循环前 004011C7 已经把第一个字符 movsx 到 ESI，而第一次迭代时 AL 仍然是第一个字符，所以第一个字符被乘了两次。
实际相乘的是 9 个因子：64*64*64*62*69*67*62*6f*79 = 135C2E8D50DDF100，imul esi,eax 每一步只保留低 32 位，最后 ESI = 50DDF100。注意 movsx 是有符号扩展，注册名里若有 0x80 以上的字节会变成负因子；写注册机时要按 32 位有符号截断来算这个值（下面称为 seed）。
---------------------------------------------------------------------------------------
0040120B 8D7C24 40 lea edi,dword ptr ss:[esp+40] ESP 0012F734 加40 就是EDI 0012F774
0040120F C74424 14 10000>mov dword ptr ss:[esp+14],10 0012F748 00000010
下面这个循环开始计算注册名相对应的注册码：共循环 0x10 次，每次以 (seed + i) 为参数调用 00401020（seed 即上面乘积的低 32 位 50DDF100，i = 0..15），返回值依次写入 [esp+40] 起的 16 个 dword，下面记作 A[i]；ESI 每轮 +1，循环结束后 ESI = seed + 0x10。
00401217 8BC6 /mov eax,esi 把ESI 50DDF100 送入EAX 此时EAX 50DDF100
00401219 8D4C24 28 |lea ecx,dword ptr ss:[esp+28] 将ESP+28的有效地址 送入ECX ECX 0012F75C
0040121D 50 |push eax EAX入栈
0040121E 51 |push ecx ECX入栈
0040121F 46 |inc esi 在ESI里累加+1 计数00000010
00401220 E8 FBFDFFFF |call riijj_mf.00401020 在这个call计算
00401225 8907 |mov dword ptr ds:[edi],eax
00401227 8B4424 1C |mov eax,dword ptr ss:[esp+1C]
0040122B 83C4 08 |add esp,8
0040122E 83C7 04 |add edi,4
00401231 48 |dec eax
00401232 894424 14 |mov dword ptr ss:[esp+14],eax
00401236 ^ 75 DF \jnz short riijj_mf.00401217
00401238 8D7C24 40 lea edi,dword ptr ss:[esp+40]
0040123C C74424 14 10000>mov dword ptr ss:[esp+14],10 最后ESI 为50DDF110
------------------------------------------------这个call riijj_mf.00401020
参数：最后压栈的 ecx 是 [esp+28] 处对象的地址（进入后放到 EBP），先压栈的 eax 是 seed。先算 eax = |seed mod 12C|（idiv 取余数，再用 cdq/xor/sub 取绝对值）作为键。随后的循环从头结点 [ebp+4] 的 [+4]（根）出发，按 [esi] / [esi+8]（左右子结点）、[esi+C]（键）用 setl 比较往下走，直到碰到 ds:[4054D8] 里那个共享的哨兵结点；[ebp+8] 看起来是 multi 标志，最后从 [结点+10] 取出值返回。这个布局和 MSVC6 STL 的 std::map<int,int>::operator[]（_Tree::insert）一致（待确认）：即 返回值 = 表[|seed mod 300|]，键不存在时会插入并返回默认值 0。表里的 (键,值) 对（键范围 0..299）在本段跟踪里没有出现（很可能在前面的 call 00401000 或更早处建表），所以只靠这里的指令算不出注册码——写注册机前要先把这张表转储出来（例如在 00401131 mov eax,[edx+10] 处记录每次的键和值，或找到建表代码直接还原）。
00401020 /$ 83EC 28 sub esp,28 ESP-28 ESP 0012F700
00401023 |. 8B4424 30 mov eax,dword ptr ss:[esp+30] 此时EAX 为50DDF100
00401027 |. B9 2C010000 mov ecx,12C 12C送入ECX
0040102C |. 99 cdq 数据扩展指令,将双字数据扩展为四字类型
0040102D |. F7F9 idiv ecx 二进制除法运算EAX50DDF100除以12C 此时EAX 004501A8，余数 20 留在 EDX；后面真正用的是余数 EDX，商 EAX 被丢弃
0040102F |. 55 push ebp EBP入栈 00000008
00401030 |. 8B6C24 30 mov ebp,dword ptr ss:[esp+30] 堆栈 ss:[0012F72C]=0012F75C ebp=00000008
00401034 |. 56 push esi ESI入栈 ESI 50DDF101
00401035 |. 57 push edi EDI入栈 EDI 0012F774
00401036 |. 8B7D 04 mov edi,dword ptr ss:[ebp+4] 将EBP+4 数据送入EDI 003B6690
00401039 |. C74424 30 000>mov dword ptr ss:[esp+30],0 将0送入 0012F724
00401041 |. B1 01 mov cl,1 将1送入 cl
00401043 |. 8BC2 mov eax,edx 把EDX送入EAX 00000020
00401045 |. 99 cdq 数据扩展指令,将双字数据扩展为四字类型
00401046 |. 33C2 xor eax,edx 这条和前面的 cdq、下面的 sub 合起来是求绝对值的惯用写法（eax = |eax|，edx 是 eax 的符号扩展），并不是把 EDX 清零；此时 eax 00000020, edx 00000000，所以值不变
00401048 |. 2BC2 sub eax,edx 相减；结果 eax = |50DDF100 mod 12C| = 20，就是下面查表用的键
0040104A |. 8B15 D8544000 mov edx,dword ptr ds:[4054D8] ds:[004054D8]=003B6650 edx=00000000
00401050 |. 894424 2C mov dword ptr ss:[esp+2C],eax 把EAX 数据00000020 送入 0012F720 00000020
00401054 |. 8B77 04 mov esi,dword ptr ds:[edi+4]
00401057 |. 3BF2 cmp esi,edx 比较数据 edx=003B6650 esi=003B7A50
00401059 |. 74 19 je short riijj_mf.00401074 没跳
0040105B |> 8B4E 0C /mov ecx,dword ptr ds:[esi+C] 第1次 到这里 003B7A50+C 的数据送入ECX 此时 ECX 0000003F
第2次循环到这里 003B7650+C 的数据送入ECX 此时ECX 0000001F
第3次循环到这里 003B7850+C 的数据送入ECX 此时ECX 0000002F
第4次循环到这里 003B7750+C 的数据送入ECX 此时ECX 00000027
第5次循环到这里 003B76D0+C 的数据送入ECX 此时ECX 00000023
第6次循环到这里 003B7690+C 的数据送入ECX 此时ECX 00000021
第7次循环到这里 003B7670+C 的数据送入ECX 此时ECX 00000020
0040105E |. 8BFE |mov edi,esi 将ESI数据送入EDI 003B7650
00401060 |. 3BC1 |cmp eax,ecx ecx=0000003F eax=00000020
第2次循环数据 ecx=0000001F eax=00000020
第3次循环数据 ecx=0000002F eax=00000020
第4次循环数据 ecx=00000027 eax=00000020
第5次循环数据 ecx=00000023 eax=00000020
第6次循环数据 ecx=00000021 eax=00000020
第7次循环数据 ecx=00000020 eax=00000020
00401062 |. 0F9CC1 |setl cl 第1次循环数据 条件为真 TRUE cl=3F ('?')（注意：这里列出的 cl 是执行 setl 之前的值；执行后 cl 只会是 1（eax 有符号小于 ecx）或 0，下面 test/je 判断的就是这个 0/1：cl=1 走左子树 [esi]，cl=0 走右子树 [esi+8]）
第2次循环数据 条件为假 FALSE cl=1F
第3次循环数据 条件为真 TRUE cl=2F ('/')
第4次循环数据 条件为真 TRUE cl=27 (''')
第5次循环数据 条件为真 TRUE cl=23 ('#')
第6次循环数据 条件为真 TRUE cl=21 ('!')
第7次循环数据 条件为假 FALSE cl=20 (' ')
setg,setl setg cl:如果ZF=0且SF=OF,那么cl=1,否则cl=0。 setl cl:如果SF!=OF,那么cl=1,否则cl=0。 setg,setl一般和cmp一起,用来得到两个有符号数
00401065 |. 84C9 |test cl,cl 比较
00401067 |. 74 04 |je short riijj_mf.0040106D 第一次没跳
第2次循环 跳了
第7次
00401069 |. 8B36 |mov esi,dword ptr ds:[esi]
0040106B |. EB 03 |jmp short riijj_mf.00401070
0040106D |> 8B76 08 |mov esi,dword ptr ds:[esi+8] ESI+8 003B7850
00401070 |> 3BF2 |cmp esi,edx
00401072 |.^ 75 E7 \jnz short riijj_mf.0040105B 跳
第7次没跳
00401074 |> 8A55 08 mov dl,byte ptr ss:[ebp+8] 堆栈 ss:[0012F764]=00 dl=50 ('P')Jump from 00401059（dl=50 是执行前的值，执行后 dl=00，所以下面 je 成立，走 0040109E 的"不重复插入/查找"分支）
00401077 |. 84D2 test dl,dl 比较
00401079 |. 74 23 je short riijj_mf.0040109E 跳
0040107B |. 8D5424 3C lea edx,dword ptr ss:[esp+3C]
0040107F |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00401083 |. 52 push edx
00401084 |. 50 push eax
00401085 |. 57 push edi
00401086 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040108A |. 56 push esi
0040108B |. 51 push ecx
0040108C |. 8BCD mov ecx,ebp
0040108E |. C64424 50 01 mov byte ptr ss:[esp+50],1
00401093 |. E8 281E0000 call riijj_mf.00402EC0
00401098 |. 50 push eax
00401099 |. E9 83000000 jmp riijj_mf.00401121
0040109E |> 84C9 test cl,cl
004010A0 |. 897C24 10 mov dword ptr ss:[esp+10],edi
004010A4 |. 74 43 je short riijj_mf.004010E9
004010A6 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
004010AA |. 8BCD mov ecx,ebp
004010AC |. 50 push eax
004010AD |. E8 0E180000 call riijj_mf.004028C0
004010B2 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004010B6 |. 8B10 mov edx,dword ptr ds:[eax]
004010B8 |. 3BCA cmp ecx,edx
004010BA |. 75 20 jnz short riijj_mf.004010DC
004010BC |. 8D5424 38 lea edx,dword ptr ss:[esp+38]
004010C0 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004010C4 |. 52 push edx
004010C5 |. 50 push eax
004010C6 |. 57 push edi
004010C7 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004010CB |. 56 push esi
004010CC |. 51 push ecx
004010CD |. 8BCD mov ecx,ebp
004010CF |. C64424 4C 01 mov byte ptr ss:[esp+4C],1
004010D4 |. E8 E71D0000 call riijj_mf.00402EC0
004010D9 |. 50 push eax
004010DA |. EB 45 jmp short riijj_mf.00401121
004010DC |> 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004010E0 |. E8 6B200000 call riijj_mf.00403150
004010E5 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C]
004010E9 |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004010ED |. 3941 0C cmp dword ptr ds:[ecx+C],eax cmp 只比较不写内存：把结点键 ds:[003B767C]=00000020 与 eax=00000020 比较，相等则下面 jge 成立，说明键已存在，直接取该结点的值，不会新插入
004010F0 |. 7D 20 jge short riijj_mf.00401112
004010F2 |. 8D5424 0E lea edx,dword ptr ss:[esp+E]
004010F6 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004010FA |. 52 push edx
004010FB |. 50 push eax
004010FC |. 57 push edi
004010FD |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401101 |. 56 push esi
00401102 |. 51 push ecx
00401103 |. 8BCD mov ecx,ebp
00401105 |. C64424 22 01 mov byte ptr ss:[esp+22],1
0040110A |. E8 B11D0000 call riijj_mf.00402EC0
0040110F |. 50 push eax
00401110 |. EB 0F jmp short riijj_mf.00401121
00401112 |> 8D4424 0F lea eax,dword ptr ss:[esp+F]
00401116 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040111A |. 50 push eax
0040111B |. C64424 13 00 mov byte ptr ss:[esp+13],0
00401120 |. 51 push ecx
00401121 |> 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401125 |. E8 761D0000 call riijj_mf.00402EA0
0040112A |. 8B5424 24 mov edx,dword ptr ss:[esp+24]
0040112E |. 5F pop edi
0040112F |. 5E pop esi
00401130 |. 5D pop ebp
00401131 |. 8B42 10 mov eax,dword ptr ds:[edx+10]
00401134 |. 83C4 28 add esp,28
00401137 \. C3 retn
-------------------------------------------------------------
--------------------------------------------------------------------------------------------------
00401244 83C6 14 /add esi,14 esi+14（十进制 20）；第一轮结束时 ESI 为 50DDF110，这里变成 50DDF124
00401247 8D5424 28 |lea edx,dword ptr ss:[esp+28]
0040124B 8BC6 |mov eax,esi
0040124D 46 |inc esi
0040124E 50 |push eax
0040124F 52 |push edx
00401250 E8 CBFDFFFF |call riijj_mf.00401020 又到了这个CALL
----------------
00401020 /$ 83EC 28 sub esp,28 ; ESP为0012F728减去28 则为0012F700
00401023 |. 8B4424 30 mov eax,dword ptr ss:[esp+30] ; 50DDF124
00401027 |. B9 2C010000 mov ecx,12C
0040102C |. 99 cdq ; 把 EAX 的符号位扩展到 EDX，形成 64 位的 EDX:EAX，供下面的有符号除法 idiv 使用
0040102D |. F7F9 idiv ecx ; 二进制除法运算EAX50DDF124除以12C等于004501A8，余数 44 在 EDX（后面用的是余数）
0040102F |. 55 push ebp ; EBP 00000008入栈
00401030 |. 8B6C24 30 mov ebp,dword ptr ss:[esp+30] ; 此时EBP为0012F75C
00401034 |. 56 push esi ; ESI 50DDF125 入栈
00401035 |. 57 push edi ; EDI入栈0012F774 关键点,注册码信息一会要写到这里
00401036 |. 8B7D 04 mov edi,dword ptr ss:[ebp+4] ; EBP+4的数据写入EDI 为 003B6820
00401039 |. C74424 30 000>mov dword ptr ss:[esp+30],0 ; 把0送入ESP+30的位置
00401041 |. B1 01 mov cl,1 ; cl=2C (',') 把1送入cl
00401043 |. 8BC2 mov eax,edx ; EDX 数据44 送入 EAX
00401045 |. 99 cdq
00401046 |. 33C2 xor eax,edx ; 与前面的 cdq 和下面的 sub 组成取绝对值：eax = |eax|，并不是把 EDX 清零（这里 edx 本来就是 0，所以看不出差别）
00401048 |. 2BC2 sub eax,edx ; EAX减去EDX，得到键 |50DDF124 mod 12C| = 44
0040104A |. 8B15 D8544000 mov edx,dword ptr ds:[4054D8] ; 将ds:[004054D8]=003B67E0 送入EDX
00401050 |. 894424 2C mov dword ptr ss:[esp+2C],eax ; 将EAX数据44送入 ESP+2C的位置 既0012F720
00401054 |. 8B77 04 mov esi,dword ptr ds:[edi+4] ; 将ds:[003B6824]=003B7BE0 送入ESI 原先esi=50DDF125 现在是003B7BE0
00401057 |. 3BF2 cmp esi,edx ; 将 ESI（根结点）与 EDX（哨兵结点）比较 edx=003B67E0 esi=003B7BE0
00401059 |. 74 19 je short riijj_mf.00401074 ; 相等则跳（树为空的情况），此处两者不等，跳转没有实现
0040105B |> 8B4E 0C /mov ecx,dword ptr ds:[esi+C] ; ecx 0000003F
累计跳转7次
0040105E |. 8BFE |mov edi,esi ; edi 003B7BE0,esi 003B7BE0
00401060 |. 3BC1 |cmp eax,ecx ; 比较ECX和EAX ECX=0000003F EAX=00000044
00401062 |. 0F9CC1 |setl cl ; 条件为假 FALSE cl=3F ('?')
00401065 |. 84C9 |test cl,cl ; 对比cl cl=00
00401067 |. 74 04 |je short riijj_mf.0040106D ; 跳转成立
00401069 |. 8B36 |mov esi,dword ptr ds:[esi]
0040106B |. EB 03 |jmp short riijj_mf.00401070
0040106D |> 8B76 08 |mov esi,dword ptr ds:[esi+8] ; ds:[003B7BE8]=003B83E8 esi=003B7BE0
00401070 |> 3BF2 |cmp esi,edx ; 比较大小 小则跳
00401072 |.^ 75 E7 \jnz short riijj_mf.0040105B ; 跳转成立
00401074 |> 8A55 08 mov dl,byte ptr ss:[ebp+8]
00401077 |. 84D2 test dl,dl
00401079 |. 74 23 je short riijj_mf.0040109E
0040107B |. 8D5424 3C lea edx,dword ptr ss:[esp+3C]
0040107F |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00401083 |. 52 push edx
00401084 |. 50 push eax
00401085 |. 57 push edi
00401086 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040108A |. 56 push esi
0040108B |. 51 push ecx
0040108C |. 8BCD mov ecx,ebp
0040108E |. C64424 50 01 mov byte ptr ss:[esp+50],1
00401093 |. E8 281E0000 call riijj_mf.00402EC0
00401098 |. 50 push eax
00401099 |. E9 83000000 jmp riijj_mf.00401121
0040109E |> 84C9 test cl,cl
004010A0 |. 897C24 10 mov dword ptr ss:[esp+10],edi
004010A4 |. 74 43 je short riijj_mf.004010E9
004010A6 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
004010AA |. 8BCD mov ecx,ebp
004010AC |. 50 push eax
004010AD |. E8 0E180000 call riijj_mf.004028C0
004010B2 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004010B6 |. 8B10 mov edx,dword ptr ds:[eax]
004010B8 |. 3BCA cmp ecx,edx
004010BA |. 75 20 jnz short riijj_mf.004010DC
004010BC |. 8D5424 38 lea edx,dword ptr ss:[esp+38]
004010C0 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004010C4 |. 52 push edx
004010C5 |. 50 push eax
004010C6 |. 57 push edi
004010C7 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004010CB |. 56 push esi
004010CC |. 51 push ecx
004010CD |. 8BCD mov ecx,ebp
004010CF |. C64424 4C 01 mov byte ptr ss:[esp+4C],1
004010D4 |. E8 E71D0000 call riijj_mf.00402EC0
004010D9 |. 50 push eax
004010DA |. EB 45 jmp short riijj_mf.00401121
004010DC |> 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004010E0 |. E8 6B200000 call riijj_mf.00403150
004010E5 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C]
004010E9 |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004010ED |. 3941 0C cmp dword ptr ds:[ecx+C],eax
004010F0 |. 7D 20 jge short riijj_mf.00401112
004010F2 |. 8D5424 0E lea edx,dword ptr ss:[esp+E]
004010F6 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004010FA |. 52 push edx
004010FB |. 50 push eax
004010FC |. 57 push edi
004010FD |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401101 |. 56 push esi
00401102 |. 51 push ecx
00401103 |. 8BCD mov ecx,ebp
00401105 |. C64424 22 01 mov byte ptr ss:[esp+22],1
0040110A |. E8 B11D0000 call riijj_mf.00402EC0
0040110F |. 50 push eax
00401110 |. EB 0F jmp short riijj_mf.00401121
00401112 |> 8D4424 0F lea eax,dword ptr ss:[esp+F]
00401116 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040111A |. 50 push eax
0040111B |. C64424 13 00 mov byte ptr ss:[esp+13],0
00401120 |. 51 push ecx
00401121 |> 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401125 |. E8 761D0000 call riijj_mf.00402EA0
0040112A |. 8B5424 24 mov edx,dword ptr ss:[esp+24]
0040112E |. 5F pop edi
0040112F |. 5E pop esi
00401130 |. 5D pop ebp
00401131 |. 8B42 10 mov eax,dword ptr ds:[edx+10] EAX 为00000036
0000014F
省略
00401134 |. 83C4 28 add esp,28 esp,0012F728
00401137 \. C3 retn
-----------------
00401255 |. 8D0440 |lea eax,dword ptr ds:[eax+eax*2] ; EAX 00000036则eax+eax*2=000000A2
00401258 |. 8B0F |mov ecx,dword ptr ds:[edi] ; 将EDI 0012F774 里的数据00000188送入 ECX 这个数据是上一轮循环时候写入的
0040125A |. D1E0 |shl eax,1 ; EAX左移一次,既翻一番A2*2
0040125C |. 99 |cdq ; 把 EAX 的符号位扩展到 EDX，形成 64 位 EDX:EAX，供下面的有符号除法 idiv ebp 使用
0040125D |. F7FD |idiv ebp ; EAX 除以 EBP 144/8=28
0040125F |. 83C4 08 |add esp,8 ; ESP+8 地址为 0012F734
00401262 |. 83C7 04 |add edi,4 ; EDI+4地址为0012F778
00401265 |. 8BC2 |mov eax,edx ; EDX送入EAX 0000004
00401267 |. 99 |cdq ; 把 EAX（上面除法的余数 4）符号扩展到 EDX，给下面两条取绝对值用
00401268 |. 33C2 |xor eax,edx ; 与 cdq、sub 合起来是 eax = |eax|，不是把 EDX 清零
0040126A |. 2BC2 |sub eax,edx ; eax减edx，得到索引 |(6*B[i]) mod len| = 4
0040126C |. 0FBE0418 |movsx eax,byte ptr ds:[eax+ebx] ; 取注册名+4位 ds:[00158FB4]=67 ('g') eax=00000004 ASCII值 送入EAX 此时EAX 为67
00401270 |. 33C1 |xor eax,ecx ; EAX 67 ECX 188 异或67,188则EAX为1EF
00401272 |. B9 1A000000 |mov ecx,1A ; 把1A送入ECX
00401277 |. 99 |cdq ; 把 EAX 的符号位扩展到 EDX，形成 64 位 EDX:EAX，供下面 idiv ecx（除以 1A）使用
00401278 |. F7F9 |idiv ecx ; EAX 的数据1EF 除以 ECX 数据1A =13 此时EDX为1
0040127A |. 8B4424 14 |mov eax,dword ptr ss:[esp+14] ; 将ESP+14数据10送入EAX
0040127E |. 83C2 41 |add edx,41 ; EDX+41=42
00401281 |. 48 |dec eax ; EAX-1 EAX为10-1=F
00401282 |. 8957 FC |mov dword ptr ds:[edi-4],edx ; 将EDX数据42送入EDI-4的位置 既0012F774的位置 写入42（覆盖掉第一轮存在这里的 A[i]）
一共循环了16次分别为
0012F768 42 00 00 00 B...
0012F778 42 00 00 00 4F 00 00 00 4A 00 00 00 41 00 00 00 B...O...J...A...
0012F788 52 00 00 00 51 00 00 00 43 00 00 00 4A 00 00 00 R...Q...C...J...
0012F798 47 00 00 00 4E 00 00 00 58 00 00 00 55 00 00 00 G...N...X...U...
0012F7A8 4B 00 00 00 4E 00 00 00 41 K...N...A
整理以后得到 注册码 BBOJARQCJGNXUKNA 注册名为 ddbigboy。把 00401244–00401289 合起来看，第 i 个字符（i = 0..15）的算法是：
B[i] = 00401020(seed + 0x24 + 0x15*i)（ESI 每轮先 +14 再 +1）
code[i] = 'A' + ((name[(6*B[i]) mod len] xor A[i]) mod 1A)
其中 A[i] 是第一轮查表得到并存在 [esp+40+4*i] 的值，len 是注册名长度（EBP），结果以 dword 覆盖回同一位置；后面 0040129A 的比较只取每个 dword 的低字节。两轮查表都依赖 00401020 里那张表，表的内容本帖没有给出，注册机必须先把它转储出来。
00401285 |. 894424 14 |mov dword ptr ss:[esp+14],eax ; 将EAX数据F 送入ESP+14的位置 既0012F734+14=0012F748
00401289 |.^ 75 B9 \jnz short riijj_mf.00401244 ; 跳转成立
0040128B 8BB424 F4000000 mov esi,dword ptr ss:[esp+F4]
00401292 33FF xor edi,edi
00401294 33C0 xor eax,eax
00401296 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
0040129A |> /8A1430 /mov dl,byte ptr ds:[eax+esi]
0040129D |. |8A19 |mov bl,byte ptr ds:[ecx] ; 读ECX的数据每次增加4个位置
0040129F |. |3AD3 |cmp dl,bl ; 将计算出来的注册码依次与试验码比较
004012A1 |. |0F85 34010000 |jnz riijj_mf.004013DB ; 从前往后依次对比 只要有任何一个注册码字符不对则跳（这里没有单独检查输入长度，只比较前 16 个字节；输入不足 16 位时会在结尾的 NUL 处失配）
004012A7 |. |40 |inc eax
004012A8 |. |83C1 04 |add ecx,4
004012AB |. |83F8 10 |cmp eax,10
004012AE |.^\7C EA \jl short riijj_mf.0040129A
004012B0 |. 57 push edi
004012B1 |. 8D8C24 840000>lea ecx,dword ptr ss:[esp+84]
004012B8 |. E8 03240000 call riijj_mf.004036C0 ; 到注册成功对话框 这里就是调用成功注册对话框的地方
004012BD 8D8C24 80000000 lea ecx,dword ptr ss:[esp+80]
004012C4 C68424 E8000000>mov byte ptr ss:[esp+E8],2
004012CC E8 8B240000 call <jmp.&MFC42.#2514>
004012D1 8D8C24 80000000 lea ecx,dword ptr ss:[esp+80]
004012D8 C68424 E8000000>mov byte ptr ss:[esp+E8],1
004012E0 E8 71240000 call <jmp.&MFC42.#641>
004012E5 8B4424 2C mov eax,dword ptr ss:[esp+2C]
004012E9 C68424 E8000000>mov byte ptr ss:[esp+E8],0
004012F1 50 push eax
004012F2 8B08 mov ecx,dword ptr ds:[eax]
004012F4 51 push ecx
004012F5 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
004012F9 51 push ecx
004012FA 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
004012FE E8 CD150000 call riijj_mf.004028D0
00401303 8B5424 2C mov edx,dword ptr ss:[esp+2C]
00401307 52 push edx
00401308 E8 43240000 call <jmp.&MFC42.#825>
0040130D 8B1D 84414000 mov ebx,dword ptr ds:[<&MSVCP60.std::_Lo>; MSVCP60.std::_Lockit::_Lockit
00401313 83C4 04 add esp,4
00401316 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040131A 897C24 2C mov dword ptr ss:[esp+2C],edi
0040131E 897C24 34 mov dword ptr ss:[esp+34],edi
00401322 33F6 xor esi,esi
00401324 FFD3 call ebx ; <&MSVCP60.std::_Lockit::_Lockit>
00401326 A1 DC544000 mov eax,dword ptr ds:[4054DC]
0040132B 48 dec eax
0040132C A3 DC544000 mov dword ptr ds:[4054DC],eax
00401331 75 0C jnz short riijj_mf.0040133F
00401333 8B35 D8544000 mov esi,dword ptr ds:[4054D8]
00401339 893D D8544000 mov dword ptr ds:[4054D8],edi
0040133F 8B2D 88414000 mov ebp,dword ptr ds:[<&MSVCP60.std::_Lo>; MSVCP60.std::_Lockit::~_Lockit
00401345 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401349 FFD5 call ebp ; <&MSVCP60.std::_Lockit::~_Lockit>
0040134B 3BF7 cmp esi,edi
0040134D 74 09 je short riijj_mf.00401358
0040134F 56 push esi
00401350 E8 FB230000 call <jmp.&MFC42.#825>
00401355 83C4 04 add esp,4
00401358 8B4424 1C mov eax,dword ptr ss:[esp+1C]
0040135C C78424 E8000000>mov dword ptr ss:[esp+E8],-1
00401367 50 push eax
00401368 8B08 mov ecx,dword ptr ds:[eax]
0040136A 8D4424 3C lea eax,dword ptr ss:[esp+3C]
0040136E 51 push ecx
0040136F 50 push eax
00401370 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401374 E8 57150000 call riijj_mf.004028D0
00401379 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
0040137D 51 push ecx
0040137E E8 CD230000 call <jmp.&MFC42.#825>
00401383 83C4 04 add esp,4
00401386 8D4C24 3C lea ecx,dword ptr ss:[esp+3C]
0040138A 897C24 1C mov dword ptr ss:[esp+1C],edi
0040138E 897C24 24 mov dword ptr ss:[esp+24],edi
00401392 33F6 xor esi,esi
00401394 FFD3 call ebx
00401396 A1 DC544000 mov eax,dword ptr ds:[4054DC]
0040139B 48 dec eax
0040139C A3 DC544000 mov dword ptr ds:[4054DC],eax
004013A1 75 0C jnz short riijj_mf.004013AF
004013A3 8B35 D8544000 mov esi,dword ptr ds:[4054D8]
004013A9 893D D8544000 mov dword ptr ds:[4054D8],edi
004013AF 8D4C24 3C lea ecx,dword ptr ss:[esp+3C]
004013B3 FFD5 call ebp
004013B5 3BF7 cmp esi,edi
004013B7 74 09 je short riijj_mf.004013C2
004013B9 56 push esi
004013BA E8 91230000 call <jmp.&MFC42.#825>
004013BF 83C4 04 add esp,4
004013C2 8B8C24 E0000000 mov ecx,dword ptr ss:[esp+E0]
004013C9 5F pop edi
004013CA 5E pop esi
004013CB 5D pop ebp
004013CC 5B pop ebx
004013CD 64:890D 0000000>mov dword ptr fs:[0],ecx
004013D4 81C4 DC000000 add esp,0DC
004013DA C3 retn
004013DB 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004013DF C68424 E8000000>mov byte ptr ss:[esp+E8],0
004013E7 E8 04130000 call riijj_mf.004026F0
004013EC 8B4424 1C mov eax,dword ptr ss:[esp+1C]
004013F0 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004013F4 50 push eax
004013F5 8D4424 18 lea eax,dword ptr ss:[esp+18]
004013F9 50 push eax
004013FA C78424 F0000000>mov dword ptr ss:[esp+F0],-1
00401405 E8 B6140000 call riijj_mf.004028C0
0040140A 8B08 mov ecx,dword ptr ds:[eax]
0040140C 8D5424 3C lea edx,dword ptr ss:[esp+3C]
00401410 51 push ecx
00401411 52 push edx
00401412 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401416 E8 B5140000 call riijj_mf.004028D0
0040141B 8B4424 1C mov eax,dword ptr ss:[esp+1C]
0040141F 50 push eax
00401420 E8 2B230000 call <jmp.&MFC42.#825>
00401425 83C4 04 add esp,4
00401428 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040142C 897C24 1C mov dword ptr ss:[esp+1C],edi
00401430 897C24 24 mov dword ptr ss:[esp+24],edi
00401434 33F6 xor esi,esi
00401436 FF15 84414000 call dword ptr ds:[<&MSVCP60.std::_Locki>; MSVCP60.std::_Lockit::_Lockit
0040143C A1 DC544000 mov eax,dword ptr ds:[4054DC]
00401441 48 dec eax
00401442 A3 DC544000 mov dword ptr ds:[4054DC],eax
00401447 75 0C jnz short riijj_mf.00401455
00401449 8B35 D8544000 mov esi,dword ptr ds:[4054D8]
0040144F 893D D8544000 mov dword ptr ds:[4054D8],edi
00401455 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401459 FF15 88414000 call dword ptr ds:[<&MSVCP60.std::_Locki>; MSVCP60.std::_Lockit::~_Lockit
0040145F 3BF7 cmp esi,edi
00401461 ^ 0F84 5BFFFFFF je riijj_mf.004013C2
00401467 ^ E9 4DFFFFFF jmp riijj_mf.004013B9
CM下载
===================================================
原贴地址
===================================================
根据原贴105楼的兄弟的方法 找到注册名对应的注册码
但是 算法 糊涂了 注册机 不会做 请求师傅 帮助做个教程
===================================================
下面是我分析过程,分析算法 绕糊涂了,
===================================================
首先利用“eXeScope”查看源程序,发现获得成功注册后会出来一对话框,记住它的窗口号是103,换成16进制就是67,然后在OD里面加载riijj_mfccm1_r2,
搜索===》命令===》push 67, 就是找到它注册成功的提示之前需要把对话框入栈的指令,
004036C8:push 67 //就是这个窗口
我们往上看,
004036C0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 这个时候在堆栈窗口 有提示 来自于Local Call from 004012B8
或者 在004036C0 点右键 ===》 前往===》 Call 来自于 004012B8
-----------------------
004036C0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 来自于Local Call from 004012B8
004036C4 |. 56 push esi
004036C5 |. 50 push eax
004036C6 |. 8BF1 mov esi,ecx
004036C8 6A 67 push 67 ; 调用注册成功信息对话框
004036CA |. E8 6D020000 call <jmp.&MFC42.#324>
004036CF |. C706 10454000 mov dword ptr ds:[esi],riijj>; $9@
004036D5 |. 8BC6 mov eax,esi
004036D7 |. 5E pop esi
004036D8 \. C2 0400 retn 4
------------------------
---------------------
ddbigboy
BBOJARQCJGNXUKNA
------------------------------------------------------------------------------------------
00401140 6A FF push -1
00401142 68 BE3B4000 push riijj_mf.00403BBE ; 在这里下断点,EAX里显示试验注册码1234567890654321 EDX里显示注册名ddbigboy
00401147 64:A1 00000000 mov eax,dword ptr fs:[0]
0040114D 50 push eax
0040114E 64:8925 0000000>mov dword ptr fs:[0],esp
00401155 81EC D0000000 sub esp,0D0
0040115B 8A4C24 03 mov cl,byte ptr ss:[esp+3]
0040115F 8A4424 03 mov al,byte ptr ss:[esp+3]
00401163 53 push ebx
00401164 55 push ebp
00401165 56 push esi
00401166 884C24 15 mov byte ptr ss:[esp+15],cl
0040116A 57 push edi
0040116B 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040116F 884424 18 mov byte ptr ss:[esp+18],al
00401173 C64424 20 00 mov byte ptr ss:[esp+20],0
00401178 E8 831C0000 call riijj_mf.00402E00
0040117D 8A5424 13 mov dl,byte ptr ss:[esp+13]
00401181 8A4424 13 mov al,byte ptr ss:[esp+13]
00401185 33ED xor ebp,ebp
00401187 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040118B 89AC24 E8000000 mov dword ptr ss:[esp+E8],ebp
00401192 885424 28 mov byte ptr ss:[esp+28],dl
00401196 884424 29 mov byte ptr ss:[esp+29],al
0040119A C64424 30 00 mov byte ptr ss:[esp+30],0
0040119F E8 5C1C0000 call riijj_mf.00402E00
004011A4 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004011A8 8D5424 28 lea edx,dword ptr ss:[esp+28]
004011AC 51 push ecx
004011AD 52 push edx
004011AE C68424 F0000000>mov byte ptr ss:[esp+F0],1
004011B6 E8 45FEFFFF call riijj_mf.00401000
004011BB 8B9C24 F8000000 mov ebx,dword ptr ss:[esp+F8]
004011C2 83C4 08 add esp,8
004011C5 8A03 mov al,byte ptr ds:[ebx]
004011C7 0FBEF0 movsx esi,al
004011CA 3BF5 cmp esi,ebp
004011CC 75 2A jnz short riijj_mf.004011F8
004011CE 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004011D2 C68424 E8000000>mov byte ptr ss:[esp+E8],0
004011DA E8 11150000 call riijj_mf.004026F0
004011DF 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004011E3 C78424 E8000000>mov dword ptr ss:[esp+E8],-1
004011EE E8 FD140000 call riijj_mf.004026F0
004011F3 E9 CA010000 jmp riijj_mf.004013C2
004011F8 84C0 test al,al
004011FA 74 0F je short riijj_mf.0040120B
关键算法部分,将注册名的ASCII编码依次进行运算
004011FC 0FBEC0 /movsx eax,al al=64
('d') 将注册名第一个字母的ASCII编码64送入EAX
004011FF 0FAFF0 |imul esi,eax 这里ESI 数值是64 EAX*ESI 结果保存在ESI 64*64=2710
00401202 8A442B 01 |mov al,byte ptr ds:[ebx+ebp+1] EBX里存着注册名,将下一位送入al
00401206 45 |inc ebp EBP 累计1次
00401207 84C0 |test al,al 比较al数据
00401209 ^ 75 F1 \jnz short riijj_mf.004011FC al有数据则跳 到上面 循环 计算
在这里一共循环计算8次（注册名每个字符一次）。注册名 ddbigboy 的 ASCII 编码依次为 64 64 62 69 67 62 6f 79；由于进入循环前 004011C7 已经把第一个字符 movsx 到 ESI，而第一次迭代时 AL 仍然是第一个字符，所以第一个字符被乘了两次。
实际相乘的是 9 个因子：64*64*64*62*69*67*62*6f*79 = 135C2E8D50DDF100，imul esi,eax 每一步只保留低 32 位，最后 ESI = 50DDF100。注意 movsx 是有符号扩展，注册名里若有 0x80 以上的字节会变成负因子；写注册机时要按 32 位有符号截断来算这个值。
---------------------------------------------------------------------------------------
0040120B 8D7C24 40 lea edi,dword ptr ss:[esp+40] ESP 0012F734 加40 就是EDI 0012F774
0040120F C74424 14 10000>mov dword ptr ss:[esp+14],10 0012F748 00000010
下面这个循环开始计算注册名相对应的注册码：共循环 0x10 次，每次以 (seed + i) 为参数调用 00401020（seed 即上面乘积的低 32 位 50DDF100，i = 0..15），返回值依次写入 [esp+40] 起的 16 个 dword；ESI 每轮 +1，循环结束后 ESI = seed + 0x10。
00401217 8BC6 /mov eax,esi 把ESI 50DDF100 送入EAX 此时EAX 50DDF100
00401219 8D4C24 28 |lea ecx,dword ptr ss:[esp+28] 将ESP+28的有效地址 送入ECX ECX 0012F75C
0040121D 50 |push eax EAX入栈
0040121E 51 |push ecx ECX入栈
0040121F 46 |inc esi 在ESI里累加+1 计数00000010
00401220 E8 FBFDFFFF |call riijj_mf.00401020 在这个call计算
00401225 8907 |mov dword ptr ds:[edi],eax
00401227 8B4424 1C |mov eax,dword ptr ss:[esp+1C]
0040122B 83C4 08 |add esp,8
0040122E 83C7 04 |add edi,4
00401231 48 |dec eax
00401232 894424 14 |mov dword ptr ss:[esp+14],eax
00401236 ^ 75 DF \jnz short riijj_mf.00401217
00401238 8D7C24 40 lea edi,dword ptr ss:[esp+40]
0040123C C74424 14 10000>mov dword ptr ss:[esp+14],10 最后ESI 为50DDF110
------------------------------------------------这个call riijj_mf.00401020
参数：最后压栈的 ecx 是 [esp+28] 处对象的地址（进入后放到 EBP），先压栈的 eax 是 seed。先算 eax = |seed mod 12C| 作为键，再从头结点 [ebp+4] 的 [+4]（根）出发，按 [esi] / [esi+8]（左右子结点）、[esi+C]（键）往下查找，直到碰到 ds:[4054D8] 里的共享哨兵结点，最后从 [结点+10] 取出值返回。这个布局和 MSVC6 STL 的 std::map<int,int>::operator[] 一致（待确认）：返回值 = 表[|seed mod 300|]，键不存在时插入并返回默认值 0。表的内容在本段跟踪里没有出现，写注册机前要先把它转储出来。
00401020 /$ 83EC 28 sub esp,28 ESP-28 ESP 0012F700
00401023 |. 8B4424 30 mov eax,dword ptr ss:[esp+30] 此时EAX 为50DDF100
00401027 |. B9 2C010000 mov ecx,12C 12C送入ECX
0040102C |. 99 cdq 数据扩展指令,将双字数据扩展为四字类型
0040102D |. F7F9 idiv ecx 二进制除法运算EAX50DDF100除以12C 此时EAX 004501A8
0040102F |. 55 push ebp EBP入栈 00000008
00401030 |. 8B6C24 30 mov ebp,dword ptr ss:[esp+30] 堆栈 ss:[0012F72C]=0012F75C ebp=00000008
00401034 |. 56 push esi ESI入栈 ESI 50DDF101
00401035 |. 57 push edi EDI入栈 EDI 0012F774
00401036 |. 8B7D 04 mov edi,dword ptr ss:[ebp+4] 将EBP+4 数据送入EDI 003B6690
00401039 |. C74424 30 000>mov dword ptr ss:[esp+30],0 将0送入 0012F724
00401041 |. B1 01 mov cl,1 将1送入 cl
00401043 |. 8BC2 mov eax,edx 把EDX送入EAX 00000020
00401045 |. 99 cdq 数据扩展指令,将双字数据扩展为四字类型
00401046 |. 33C2 xor eax,edx 这条和前面的 cdq、下面的 sub 合起来是求绝对值的惯用写法（eax = |eax|），并不是把 EDX 清零；此时 eax 00000020, edx 00000000，所以值不变
00401048 |. 2BC2 sub eax,edx 相减；结果 eax = |50DDF100 mod 12C| = 20，就是下面查表用的键
0040104A |. 8B15 D8544000 mov edx,dword ptr ds:[4054D8] ds:[004054D8]=003B6650 edx=00000000
00401050 |. 894424 2C mov dword ptr ss:[esp+2C],eax 把EAX 数据00000020 送入 0012F720 00000020
00401054 |. 8B77 04 mov esi,dword ptr ds:[edi+4]
00401057 |. 3BF2 cmp esi,edx 比较数据 edx=003B6650 esi=003B7A50
00401059 |. 74 19 je short riijj_mf.00401074 没跳
0040105B |> 8B4E 0C /mov ecx,dword ptr ds:[esi+C] 第1次 到这里 003B7A50+C 的数据送入ECX 此时 ECX 0000003F
第2次循环到这里 003B7650+C 的数据送入ECX 此时ECX 0000001F
第3次循环到这里 003B7850+C 的数据送入ECX 此时ECX 0000002F
第4次循环到这里 003B7750+C 的数据送入ECX 此时ECX 00000027
第5次循环到这里 003B76D0+C 的数据送入ECX 此时ECX 00000023
第6次循环到这里 003B7690+C 的数据送入ECX 此时ECX 00000021
第7次循环到这里 003B7670+C 的数据送入ECX 此时ECX 00000020
0040105E |. 8BFE |mov edi,esi 将ESI数据送入EDI 003B7650
00401060 |. 3BC1 |cmp eax,ecx ecx=0000003F eax=00000020
第2次循环数据 ecx=0000001F eax=00000020
第3次循环数据 ecx=0000002F eax=00000020
第4次循环数据 ecx=00000027 eax=00000020
第5次循环数据 ecx=00000023 eax=00000020
第6次循环数据 ecx=00000021 eax=00000020
第7次循环数据 ecx=00000020 eax=00000020
00401062 |. 0F9CC1 |setl cl 第1次循环数据 条件为真 TRUE cl=3F ('?')（注意：列出的 cl 是执行 setl 之前的值；执行后 cl 只会是 1（eax 有符号小于 ecx）或 0，cl=1 走左子树 [esi]，cl=0 走右子树 [esi+8]）
第2次循环数据 条件为假 FALSE cl=1F
第3次循环数据 条件为真 TRUE cl=2F ('/')
第4次循环数据 条件为真 TRUE cl=27 (''')
第5次循环数据 条件为真 TRUE cl=23 ('#')
第6次循环数据 条件为真 TRUE cl=21 ('!')
第7次循环数据 条件为假 FALSE cl=20 (' ')
setg,setl setg cl:如果ZF=0且SF=OF,那么cl=1,否则cl=0。 setl cl:如果SF!=OF,那么cl=1,否则cl=0。 setg,setl一般和cmp一起,用来得到两个有符号数
00401065 |. 84C9 |test cl,cl 比较
00401067 |. 74 04 |je short riijj_mf.0040106D 第一次没跳
第2次循环 跳了
第7次
00401069 |. 8B36 |mov esi,dword ptr ds:[esi]
0040106B |. EB 03 |jmp short riijj_mf.00401070
0040106D |> 8B76 08 |mov esi,dword ptr ds:[esi+8] ESI+8 003B7850
00401070 |> 3BF2 |cmp esi,edx
00401072 |.^ 75 E7 \jnz short riijj_mf.0040105B 跳
第7次没跳
00401074 |> 8A55 08 mov dl,byte ptr ss:[ebp+8] 堆栈 ss:[0012F764]=00 dl=50 ('P')Jump from 00401059
00401077 |. 84D2 test dl,dl 比较
00401079 |. 74 23 je short riijj_mf.0040109E 跳
0040107B |. 8D5424 3C lea edx,dword ptr ss:[esp+3C]
0040107F |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00401083 |. 52 push edx
00401084 |. 50 push eax
00401085 |. 57 push edi
00401086 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040108A |. 56 push esi
0040108B |. 51 push ecx
0040108C |. 8BCD mov ecx,ebp
0040108E |. C64424 50 01 mov byte ptr ss:[esp+50],1
00401093 |. E8 281E0000 call riijj_mf.00402EC0
00401098 |. 50 push eax
00401099 |. E9 83000000 jmp riijj_mf.00401121
0040109E |> 84C9 test cl,cl
004010A0 |. 897C24 10 mov dword ptr ss:[esp+10],edi
004010A4 |. 74 43 je short riijj_mf.004010E9
004010A6 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
004010AA |. 8BCD mov ecx,ebp
004010AC |. 50 push eax
004010AD |. E8 0E180000 call riijj_mf.004028C0
004010B2 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004010B6 |. 8B10 mov edx,dword ptr ds:[eax]
004010B8 |. 3BCA cmp ecx,edx
004010BA |. 75 20 jnz short riijj_mf.004010DC
004010BC |. 8D5424 38 lea edx,dword ptr ss:[esp+38]
004010C0 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004010C4 |. 52 push edx
004010C5 |. 50 push eax
004010C6 |. 57 push edi
004010C7 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004010CB |. 56 push esi
004010CC |. 51 push ecx
004010CD |. 8BCD mov ecx,ebp
004010CF |. C64424 4C 01 mov byte ptr ss:[esp+4C],1
004010D4 |. E8 E71D0000 call riijj_mf.00402EC0
004010D9 |. 50 push eax
004010DA |. EB 45 jmp short riijj_mf.00401121
004010DC |> 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004010E0 |. E8 6B200000 call riijj_mf.00403150
004010E5 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C]
004010E9 |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004010ED |. 3941 0C cmp dword ptr ds:[ecx+C],eax cmp 只比较不写内存：把结点键 ds:[003B767C]=00000020 与 eax=00000020 比较，相等则下面 jge 成立，说明键已存在，直接取该结点的值
004010F0 |. 7D 20 jge short riijj_mf.00401112
004010F2 |. 8D5424 0E lea edx,dword ptr ss:[esp+E]
004010F6 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004010FA |. 52 push edx
004010FB |. 50 push eax
004010FC |. 57 push edi
004010FD |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401101 |. 56 push esi
00401102 |. 51 push ecx
00401103 |. 8BCD mov ecx,ebp
00401105 |. C64424 22 01 mov byte ptr ss:[esp+22],1
0040110A |. E8 B11D0000 call riijj_mf.00402EC0
0040110F |. 50 push eax
00401110 |. EB 0F jmp short riijj_mf.00401121
00401112 |> 8D4424 0F lea eax,dword ptr ss:[esp+F]
00401116 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040111A |. 50 push eax
0040111B |. C64424 13 00 mov byte ptr ss:[esp+13],0
00401120 |. 51 push ecx
00401121 |> 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
00401125 |. E8 761D0000 call riijj_mf.00402EA0
0040112A |. 8B5424 24 mov edx,dword ptr ss:[esp+24]
0040112E |. 5F pop edi
0040112F |. 5E pop esi
00401130 |. 5D pop ebp
00401131 |. 8B42 10 mov eax,dword ptr ds:[edx+10]
00401134 |. 83C4 28 add esp,28
00401137 \. C3 retn
-------------------------------------------------------------
--------------------------------------------------------------------------------------------------
00401244 83C6 14 /add esi,14 esi+10 最后ESI 为50DDF110 50DDF124
00401247 8D5424 28 |lea edx,dword ptr ss:[esp+28]
0040124B 8BC6 |mov eax,esi
0040124D 46 |inc esi
0040124E 50 |push eax
0040124F 52 |push edx
00401250 E8 CBFDFFFF |call riijj_mf.00401020 又到了这个CALL
----------------
; -----------------------------------------------------------------------
; riijj_mf.00401020 — look up (inserting if absent) one integer key in a
; binary-tree container and return the 32-bit value stored beside it.
; Stack args, caller-cleaned (add esp,8 at 0040125F):
;   [esp+4] = pointer to the container object: [+4] = header node,
;             [+8] = byte flag tested at 00401074 ("duplicates allowed")
;   [esp+8] = signed 32-bit n
; Key:   k = abs(n % 300)          (12C = 300; cdq / xor / sub is abs())
; Out:   eax = dword at [node+10] of the node the lookup/insert yields
; Saves/restores ebp, esi, edi; clobbers eax, ecx, edx, flags.
; Node layout as used below: [+0] left, [+4] parent, [+8] right,
; [+C] key, [+10] value. [4054D8] holds the shared sentinel ("nil")
; node that terminates every walk.
; NOTE(review): this layout plus the begin() / step-back / key-compare
; sequence matches the MSVCP60 (Dinkumware) _Tree::insert, so the whole
; routine looks like std::map<int,int>::operator[] with a default of 0.
; That identification is inferred from structure, not proven here.
; -----------------------------------------------------------------------
00401020 /$ 83EC 28 sub esp,28 ; 0x28 bytes of locals: key/value pair, iterator temps, result pair
00401023 |. 8B4424 30 mov eax,dword ptr ss:[esp+30] ; eax = n (2nd stack arg)
00401027 |. B9 2C010000 mov ecx,12C ; divisor 300
0040102C |. 99 cdq ; sign-extend eax into edx:eax for the signed divide
0040102D |. F7F9 idiv ecx ; eax = n / 300, edx = n % 300 (sign follows n)
0040102F |. 55 push ebp ; save callee-saved registers
00401030 |. 8B6C24 30 mov ebp,dword ptr ss:[esp+30] ; ebp = 1st stack arg: pointer to the container
00401034 |. 56 push esi
00401035 |. 57 push edi
00401036 |. 8B7D 04 mov edi,dword ptr ds:[ebp+4] ; edi = container header node
00401039 |. C74424 30 000>mov dword ptr ss:[esp+30],0 ; local pair.value = 0 (default for a freshly inserted key)
00401041 |. B1 01 mov cl,1 ; cl = "went left" flag, starts true
00401043 |. 8BC2 mov eax,edx ; eax = n % 300
00401045 |. 99 cdq ; edx = sign mask of eax (0 or -1)
00401046 |. 33C2 xor eax,edx ; abs(): flip bits when negative ...
00401048 |. 2BC2 sub eax,edx ; ... then add 1  => eax = abs(n % 300)  (not "clear edx")
0040104A |. 8B15 D8544000 mov edx,dword ptr ds:[4054D8] ; edx = sentinel ("nil") node
00401050 |. 894424 2C mov dword ptr ss:[esp+2C],eax ; local pair.key = abs(n % 300)
00401054 |. 8B77 04 mov esi,dword ptr ds:[edi+4] ; esi = root (parent link of the header node)
00401057 |. 3BF2 cmp esi,edx ; empty tree?
00401059 |. 74 19 je short riijj_mf.00401074 ; yes: nothing to walk
0040105B |> 8B4E 0C /mov ecx,dword ptr ds:[esi+C] ; ecx = key of the current node
累计跳转7次
0040105E |. 8BFE |mov edi,esi ; edi = last node visited (becomes the insert parent)
00401060 |. 3BC1 |cmp eax,ecx ; lookup key vs node key
00401062 |. 0F9CC1 |setl cl ; cl = (key < node key), signed compare
00401065 |. 84C9 |test cl,cl
00401067 |. 74 04 |je short riijj_mf.0040106D ; not less: descend right
00401069 |. 8B36 |mov esi,dword ptr ds:[esi] ; esi = left child
0040106B |. EB 03 |jmp short riijj_mf.00401070
0040106D |> 8B76 08 |mov esi,dword ptr ds:[esi+8] ; esi = right child
00401070 |> 3BF2 |cmp esi,edx ; reached the sentinel?
00401072 |.^ 75 E7 \jnz short riijj_mf.0040105B ; no: keep descending
00401074 |> 8A55 08 mov dl,byte ptr ss:[ebp+8] ; dl = container flag: duplicates allowed?
00401077 |. 84D2 test dl,dl
00401079 |. 74 23 je short riijj_mf.0040109E ; unique keys: check whether the key already exists
0040107B |. 8D5424 3C lea edx,dword ptr ss:[esp+3C] ; &inserted (reuses the arg-2 slot, set to 1 below)
0040107F |. 8D4424 2C lea eax,dword ptr ss:[esp+2C] ; &pair(key, 0)
00401083 |. 52 push edx
00401084 |. 50 push eax
00401085 |. 57 push edi ; insert parent
00401086 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20] ; &iterator temp (hidden return slot)
0040108A |. 56 push esi ; sentinel
0040108B |. 51 push ecx
0040108C |. 8BCD mov ecx,ebp ; this = container
0040108E |. C64424 50 01 mov byte ptr ss:[esp+50],1 ; inserted = true
00401093 |. E8 281E0000 call riijj_mf.00402EC0 ; insert a new node under edi; eax = &iterator
00401098 |. 50 push eax
00401099 |. E9 83000000 jmp riijj_mf.00401121 ; build the (iterator, inserted) result
0040109E |> 84C9 test cl,cl ; did the walk end on a left step?
004010A0 |. 897C24 10 mov dword ptr ss:[esp+10],edi ; local P = last node visited
004010A4 |. 74 43 je short riijj_mf.004010E9 ; ended on a right step: compare P's key directly
004010A6 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
004010AA |. 8BCD mov ecx,ebp
004010AC |. 50 push eax
004010AD |. E8 0E180000 call riijj_mf.004028C0 ; eax = &begin() iterator (presumably; only the deref is visible)
004010B2 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004010B6 |. 8B10 mov edx,dword ptr ds:[eax]
004010B8 |. 3BCA cmp ecx,edx ; P == begin()?
004010BA |. 75 20 jnz short riijj_mf.004010DC ; no: step P back one node first
004010BC |. 8D5424 38 lea edx,dword ptr ss:[esp+38] ; &inserted (reuses the arg-1 slot)
004010C0 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C] ; &pair(key, 0)
004010C4 |. 52 push edx
004010C5 |. 50 push eax
004010C6 |. 57 push edi
004010C7 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28] ; &iterator temp
004010CB |. 56 push esi
004010CC |. 51 push ecx
004010CD |. 8BCD mov ecx,ebp
004010CF |. C64424 4C 01 mov byte ptr ss:[esp+4C],1 ; inserted = true
004010D4 |. E8 E71D0000 call riijj_mf.00402EC0 ; key is smaller than every existing key: insert
004010D9 |. 50 push eax
004010DA |. EB 45 jmp short riijj_mf.00401121
004010DC |> 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004010E0 |. E8 6B200000 call riijj_mf.00403150 ; --P (predecessor of the insert point)
004010E5 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C] ; eax = lookup key
004010E9 |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; ecx = node P
004010ED |. 3941 0C cmp dword ptr ds:[ecx+C],eax ; P.key < key ?
004010F0 |. 7D 20 jge short riijj_mf.00401112 ; P.key >= key: key already present, return it without inserting
004010F2 |. 8D5424 0E lea edx,dword ptr ss:[esp+E] ; &inserted (byte local)
004010F6 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C] ; &pair(key, 0)
004010FA |. 52 push edx
004010FB |. 50 push eax
004010FC |. 57 push edi
004010FD |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C] ; &iterator temp
00401101 |. 56 push esi
00401102 |. 51 push ecx
00401103 |. 8BCD mov ecx,ebp
00401105 |. C64424 22 01 mov byte ptr ss:[esp+22],1 ; inserted = true
0040110A |. E8 B11D0000 call riijj_mf.00402EC0 ; key absent: insert
0040110F |. 50 push eax
00401110 |. EB 0F jmp short riijj_mf.00401121
00401112 |> 8D4424 0F lea eax,dword ptr ss:[esp+F] ; &inserted (byte local)
00401116 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; &P (the existing node)
0040111A |. 50 push eax
0040111B |. C64424 13 00 mov byte ptr ss:[esp+13],0 ; inserted = false
00401120 |. 51 push ecx
00401121 |> 8D4C24 2C lea ecx,dword ptr ss:[esp+2C] ; this = result pair local
00401125 |. E8 761D0000 call riijj_mf.00402EA0 ; build pair(iterator, inserted); stack balance implies two args on every path
0040112A |. 8B5424 24 mov edx,dword ptr ss:[esp+24] ; edx = pair.first = result node
0040112E |. 5F pop edi
0040112F |. 5E pop esi
00401130 |. 5D pop ebp
00401131 |. 8B42 10 mov eax,dword ptr ds:[edx+10] EAX 为00000036 ; return the node's value half (key is at +C)
0000014F
省略
00401134 |. 83C4 28 add esp,28 esp,0012F728 ; release locals; args are cleaned by the caller
00401137 \. C3 retn
-----------------
00401255 |. 8D0440 |lea eax,dword ptr ds:[eax+eax*2] ; EAX 00000036则eax+eax*2=000000A2
00401258 |. 8B0F |mov ecx,dword ptr ds:[edi] ; 将EDI 0012F774 里的数据00000188送入 ECX 这个数据是上一轮循环时候写入的
0040125A |. D1E0 |shl eax,1 ; EAX左移一次,既翻一番A2*2
0040125C |. 99 |cdq ; CDQ—Convert Double to Quad (386+),该指令把edx扩展为eax的高位,也就是说变为64
位。
0040125D |. F7FD |idiv ebp ; EAX 除以 EBP 144/8=28
0040125F |. 83C4 08 |add esp,8 ; ESP+8 地址为 0012F734
00401262 |. 83C7 04 |add edi,4 ; EDI+4地址为0012F778
00401265 |. 8BC2 |mov eax,edx ; EDX送入EAX 0000004
00401267 |. 99 |cdq ; CDQ—Convert Double to Quad (386+),该指令把edx扩展为eax的高位,也就是说变为64
位。
00401268 |. 33C2 |xor eax,edx ; 异或eax,edx 相当于 EDX清零
0040126A |. 2BC2 |sub eax,edx ; eax减edx
0040126C |. 0FBE0418 |movsx eax,byte ptr ds:[eax+ebx] ; 取注册名+4位 ds:[00158FB4]=67 ('g') eax=00000004 ASCII值 送入EAX 此时EAX 为67
00401270 |. 33C1 |xor eax,ecx ; EAX 67 ECX 188 异或67,188则EAX为1EF
00401272 |. B9 1A000000 |mov ecx,1A ; 把1A送入ECX
00401277 |. 99 |cdq ; CDQ—Convert Double to Quad (386+),该指令把edx扩展为eax的高位,也就是说变为64
位。
00401278 |. F7F9 |idiv ecx ; EAX 的数据1EF 除以 ECX 数据1A =13 此时EDX为1
0040127A |. 8B4424 14 |mov eax,dword ptr ss:[esp+14] ; 将ESP+14数据10送入EAX
0040127E |. 83C2 41 |add edx,41 ; EDX+41=42
00401281 |. 48 |dec eax ; EAX-1 EAX为10-1=F
00401282 |. 8957 FC |mov dword ptr ds:[edi-4],edx ; 将EDX数据42送入ESI-4的位置 既0012F774的位置 写入42
一共循环了16次分别为
0012F768 42 00 00 00 B...
0012F778 42 00 00 00 4F 00 00 00 4A 00 00 00 41 00 00 00 B...O...J...A...
0012F788 52 00 00 00 51 00 00 00 43 00 00 00 4A 00 00 00 R...Q...C...J...
0012F798 47 00 00 00 4E 00 00 00 58 00 00 00 55 00 00 00 G...N...X...U...
0012F7A8 4B 00 00 00 4E 00 00 00 41 K...N...A
整理以后得到 注册码 BBOJARQCJGNXUKNA 注册名为 ddbigboy
00401285 |. 894424 14 |mov dword ptr ss:[esp+14],eax ; 将EAX数据F 送入ESP+14的位置 既0012F734+14=0012F748
00401289 |.^ 75 B9 \jnz short riijj_mf.00401244 ; 跳转成立
0040128B 8BB424 F4000000 mov esi,dword ptr ss:[esp+F4]
00401292 33FF xor edi,edi
00401294 33C0 xor eax,eax
00401296 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
0040129A |> /8A1430 /mov dl,byte ptr ds:[eax+esi]
0040129D |. |8A19 |mov bl,byte ptr ds:[ecx] ; 读ECX的数据每次增加4个位置
0040129F |. |3AD3 |cmp dl,bl ; 将计算出来的注册码依次与试验码比较
004012A1 |. |0F85 34010000 |jnz riijj_mf.004013DB ; 从前往后依次对比 只要有任何一个注册码字符不对则跳
004012A7 |. |40 |inc eax
004012A8 |. |83C1 04 |add ecx,4
004012AB |. |83F8 10 |cmp eax,10
004012AE |.^\7C EA \jl short riijj_mf.0040129A
004012B0 |. 57 push edi
004012B1 |. 8D8C24 840000>lea ecx,dword ptr ss:[esp+84]
004012B8 |. E8 03240000 call riijj_mf.004036C0 ; 到注册成功对话框 这里就是调用成功注册对话框的地方
004012BD 8D8C24 80000000 lea ecx,dword ptr ss:[esp+80]
004012C4 C68424 E8000000>mov byte ptr ss:[esp+E8],2
004012CC E8 8B240000 call <jmp.&MFC42.#2514>
004012D1 8D8C24 80000000 lea ecx,dword ptr ss:[esp+80]
004012D8 C68424 E8000000>mov byte ptr ss:[esp+E8],1
004012E0 E8 71240000 call <jmp.&MFC42.#641>
004012E5 8B4424 2C mov eax,dword ptr ss:[esp+2C]
004012E9 C68424 E8000000>mov byte ptr ss:[esp+E8],0
004012F1 50 push eax
004012F2 8B08 mov ecx,dword ptr ds:[eax]
004012F4 51 push ecx
004012F5 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
004012F9 51 push ecx
004012FA 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
004012FE E8 CD150000 call riijj_mf.004028D0
00401303 8B5424 2C mov edx,dword ptr ss:[esp+2C]
00401307 52 push edx
00401308 E8 43240000 call <jmp.&MFC42.#825>
0040130D 8B1D 84414000 mov ebx,dword ptr ds:[<&MSVCP60.std::_Lo>; MSVCP60.std::_Lockit::_Lockit
00401313 83C4 04 add esp,4
00401316 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040131A 897C24 2C mov dword ptr ss:[esp+2C],edi
0040131E 897C24 34 mov dword ptr ss:[esp+34],edi
00401322 33F6 xor esi,esi
00401324 FFD3 call ebx ; <&MSVCP60.std::_Lockit::_Lockit>
00401326 A1 DC544000 mov eax,dword ptr ds:[4054DC]
0040132B 48 dec eax
0040132C A3 DC544000 mov dword ptr ds:[4054DC],eax
00401331 75 0C jnz short riijj_mf.0040133F
00401333 8B35 D8544000 mov esi,dword ptr ds:[4054D8]
00401339 893D D8544000 mov dword ptr ds:[4054D8],edi
0040133F 8B2D 88414000 mov ebp,dword ptr ds:[<&MSVCP60.std::_Lo>; MSVCP60.std::_Lockit::~_Lockit
00401345 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401349 FFD5 call ebp ; <&MSVCP60.std::_Lockit::~_Lockit>
0040134B 3BF7 cmp esi,edi
0040134D 74 09 je short riijj_mf.00401358
0040134F 56 push esi
00401350 E8 FB230000 call <jmp.&MFC42.#825>
00401355 83C4 04 add esp,4
00401358 8B4424 1C mov eax,dword ptr ss:[esp+1C]
0040135C C78424 E8000000>mov dword ptr ss:[esp+E8],-1
00401367 50 push eax
00401368 8B08 mov ecx,dword ptr ds:[eax]
0040136A 8D4424 3C lea eax,dword ptr ss:[esp+3C]
0040136E 51 push ecx
0040136F 50 push eax
00401370 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401374 E8 57150000 call riijj_mf.004028D0
00401379 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
0040137D 51 push ecx
0040137E E8 CD230000 call <jmp.&MFC42.#825>
00401383 83C4 04 add esp,4
00401386 8D4C24 3C lea ecx,dword ptr ss:[esp+3C]
0040138A 897C24 1C mov dword ptr ss:[esp+1C],edi
0040138E 897C24 24 mov dword ptr ss:[esp+24],edi
00401392 33F6 xor esi,esi
00401394 FFD3 call ebx
00401396 A1 DC544000 mov eax,dword ptr ds:[4054DC]
0040139B 48 dec eax
0040139C A3 DC544000 mov dword ptr ds:[4054DC],eax
004013A1 75 0C jnz short riijj_mf.004013AF
004013A3 8B35 D8544000 mov esi,dword ptr ds:[4054D8]
004013A9 893D D8544000 mov dword ptr ds:[4054D8],edi
004013AF 8D4C24 3C lea ecx,dword ptr ss:[esp+3C]
004013B3 FFD5 call ebp
004013B5 3BF7 cmp esi,edi
004013B7 74 09 je short riijj_mf.004013C2
004013B9 56 push esi
004013BA E8 91230000 call <jmp.&MFC42.#825>
004013BF 83C4 04 add esp,4
004013C2 8B8C24 E0000000 mov ecx,dword ptr ss:[esp+E0]
004013C9 5F pop edi
004013CA 5E pop esi
004013CB 5D pop ebp
004013CC 5B pop ebx
004013CD 64:890D 0000000>mov dword ptr fs:[0],ecx
004013D4 81C4 DC000000 add esp,0DC
004013DA C3 retn
004013DB 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004013DF C68424 E8000000>mov byte ptr ss:[esp+E8],0
004013E7 E8 04130000 call riijj_mf.004026F0
004013EC 8B4424 1C mov eax,dword ptr ss:[esp+1C]
004013F0 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004013F4 50 push eax
004013F5 8D4424 18 lea eax,dword ptr ss:[esp+18]
004013F9 50 push eax
004013FA C78424 F0000000>mov dword ptr ss:[esp+F0],-1
00401405 E8 B6140000 call riijj_mf.004028C0
0040140A 8B08 mov ecx,dword ptr ds:[eax]
0040140C 8D5424 3C lea edx,dword ptr ss:[esp+3C]
00401410 51 push ecx
00401411 52 push edx
00401412 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401416 E8 B5140000 call riijj_mf.004028D0
0040141B 8B4424 1C mov eax,dword ptr ss:[esp+1C]
0040141F 50 push eax
00401420 E8 2B230000 call <jmp.&MFC42.#825>
00401425 83C4 04 add esp,4
00401428 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040142C 897C24 1C mov dword ptr ss:[esp+1C],edi
00401430 897C24 24 mov dword ptr ss:[esp+24],edi
00401434 33F6 xor esi,esi
00401436 FF15 84414000 call dword ptr ds:[<&MSVCP60.std::_Locki>; MSVCP60.std::_Lockit::_Lockit
0040143C A1 DC544000 mov eax,dword ptr ds:[4054DC]
00401441 48 dec eax
00401442 A3 DC544000 mov dword ptr ds:[4054DC],eax
00401447 75 0C jnz short riijj_mf.00401455
00401449 8B35 D8544000 mov esi,dword ptr ds:[4054D8]
0040144F 893D D8544000 mov dword ptr ds:[4054D8],edi
00401455 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401459 FF15 88414000 call dword ptr ds:[<&MSVCP60.std::_Locki>; MSVCP60.std::_Lockit::~_Lockit
0040145F 3BF7 cmp esi,edi
00401461 ^ 0F84 5BFFFFFF je riijj_mf.004013C2
00401467 ^ E9 4DFFFFFF jmp riijj_mf.004013B9