[原创]SPIP(Scanning Probe Image Proce
发表于: 2005-5-23 08:03 11710
课题: SPIP(Scanning Probe Image Processor)个人版 软件注册码学习
作 者:HaIlDuZ
程序来源:http://www.imagemet.com/ 丹麦 ,下载名称:SPIPinstall.exe
软件名称:SPIP 3.3.9.0 个人版更新时间:2005.4
评 价:该软件不错,是一款扫描探针图像分析类软件。
使用工具:OllyDbg v1.09, Ultraedit-32 ,W32Dasm汉化修改版10.0
使用平台:winXP/98/2k(win98下需要GDIplus.Dll)
作者声明:纯技术交流,无任何商业目的,转贴请保持完整。
开始:
运行后程序提示为演示版,仅可进行128乘128像素的操作,一段时间后变为64乘64;打开文件时会弹出警告对话框。用W32Dasm反汇编后,在字符串参考中找不到该警告的字符信息,于是从对话框入手,用OllyDbg装载并跟踪,最终观察到该软件采用keyfile(注册文件)方式,文件名:SPIP.LIC。程序中打开该文件处的代码如下:
:0049D4EF 68D8CB5A00 push 005ACBD8 /*注册文件名压栈,”spip.lic“*/
:0049D4F4 8BC8 mov ecx, eax
:0049D4F6 C68424A000000006 mov byte ptr [esp+000000A0], 06
:0049D4FE FF15C48E5900 Call dword ptr [00598EC4]
:0049D504 50 push eax
:0049D505 E8B6D50600 call 0050AAC0
:0049D50A 83C408 add esp, 00000008
:0049D50D 8D4C2424 lea ecx, dword ptr [esp+24]
:0049D511 A3FC686000 mov dword ptr [006068FC], eax
:0049D516 C684249C00000005 mov byte ptr [esp+0000009C], 05
:0049D51E FF15C88E5900 Call dword ptr [00598EC8]
:0049D524 A1FC686000 mov eax, dword ptr [006068FC]
:0049D529 6868DA5900 push 0059DA68
:0049D52E 50 push eax
:0049D52F FF1530905900 Call dword ptr [00599030] /*注册文件打开读写方式*/
:0049D535 8BF0 mov esi, eax
:0049D537 83C408 add esp, 00000008
:0049D53A 85F6 test esi, esi
:0049D53C 0F8489000000 je 0049D5CB /*无注册文件调到演示版*/
:0049D542 8B0DFC686000 mov ecx, dword ptr [006068FC]
:0049D548 51 push ecx
:0049D549 E8A2470600 call 00501CF0
:0049D54E A3F4686000 mov dword ptr [006068F4], eax
:0049D553 83C002 add eax, 00000002
:0049D556 50 push eax
* Reference To: MFC71.Ordinal:0109, Ord:0109h
|
:0049D557 E85E010E00 Call 0057D6BA
:0049D55C 8B0DF4686000 mov ecx, dword ptr [006068F4]
:0049D562 83C102 add ecx, 00000002
:0049D565 8BD1 mov edx, ecx
:0049D567 8BF8 mov edi, eax
:0049D569 C1E902 shr ecx, 02
:0049D56C 893DF0686000 mov dword ptr [006068F0], edi
:0049D572 33C0 xor eax, eax
:0049D574 F3 repz
:0049D575 AB stosd
:0049D576 8BCA mov ecx, edx
:0049D578 83E103 and ecx, 00000003
:0049D57B F3 repz
:0049D57C AA stosb
:0049D57D A1F4686000 mov eax, dword ptr [006068F4]
:0049D582 8B0DF0686000 mov ecx, dword ptr [006068F0]
:0049D588 56 push esi
:0049D589 50 push eax
:0049D58A 6A01 push 00000001
:0049D58C 51 push ecx
* Reference To: MSVCR71.fread, Ord:02ABh
|
:0049D58D FF1554905900 Call dword ptr [00599054]
:0049D593 56 push esi
* Reference To: MSVCR71.fclose, Ord:029Ah
|
:0049D594 FF152C905900 Call dword ptr [0059902C]
:0049D59A 8D54243C lea edx, dword ptr [esp+3C]
:0049D59E 52 push edx
:0049D59F 8B15F0686000 mov edx, dword ptr [006068F0]
:0049D5A5 8D44243C lea eax, dword ptr [esp+3C]
:0049D5A9 50 push eax
:0049D5AA 8D4C243C lea ecx, dword ptr [esp+3C]
:0049D5AE 51 push ecx
:0049D5AF 52 push edx
:0049D5B0 E8EBFFF6FF call 0040D5A0 /*关键调用见后*/
:0049D5B5 83C42C add esp, 0000002C
:0049D5B8 F6D8 neg al
:0049D5BA 1BC0 sbb eax, eax
:0049D5BC 25C01F0000 and eax, 00001FC0
:0049D5C1 83C040 add eax, 00000040
:0049D5C4 A314995F00 mov dword ptr [005F9914], eax
:0049D5C9 EB19 jmp 0049D5E4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049D53C(C)
|
:0049D5CB E8D072FDFF call 004748A0
:0049D5D0 33C9 xor ecx, ecx
:0049D5D2 85C0 test eax, eax
:0049D5D4 0F9CC1 setl cl
:0049D5D7 49 dec ecx
:0049D5D8 83E140 and ecx, 00000040
:0049D5DB 83C140 add ecx, 00000040
:0049D5DE 890D14995F00 mov dword ptr [005F9914], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049D5C9(U)
|
:0049D5E4 E8C7D5FFFF call 0049ABB0 //程序功能限制函数调用见后
...................
....................
/////////////////////////////////////////////////////////////////////////////////////////////////
///关键调用/
:0040D5A0 6AFF push FFFFFFFF
:0040D5A2 68BBFC5700 push 0057FCBB
:0040D5A7 64A100000000 mov eax, dword ptr fs:[00000000]
:0040D5AD 50 push eax
:0040D5AE 64892500000000 mov dword ptr fs:[00000000], esp
:0040D5B5 81EC7C010000 sub esp, 0000017C
:0040D5BB A1B0AB5F00 mov eax, dword ptr [005FABB0]
:0040D5C0 89842478010000 mov dword ptr [esp+00000178], eax
:0040D5C7 F60520BF5F0001 test byte ptr [005FBF20], 01
:0040D5CE 53 push ebx
:0040D5CF 56 push esi
:0040D5D0 751D jne 0040D5EF
:0040D5D2 A120BF5F00 mov eax, dword ptr [005FBF20]
:0040D5D7 83C801 or eax, 00000001
:0040D5DA 33DB xor ebx, ebx
:0040D5DC A320BF5F00 mov dword ptr [005FBF20], eax
:0040D5E1 891D18BF5F00 mov dword ptr [005FBF18], ebx
:0040D5E7 891D1CBF5F00 mov dword ptr [005FBF1C], ebx
:0040D5ED EB02 jmp 0040D5F1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5D0(C)
|
:0040D5EF 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5ED(U)
|
* Reference To: MSVCR71._time64, Ord:0211h
|
:0040D5F1 8B3540905900 mov esi, dword ptr [00599040]
:0040D5F7 53 push ebx
:0040D5F8 FFD6 call esi
:0040D5FA A318BF5F00 mov dword ptr [005FBF18], eax
:0040D5FF A0D5675F00 mov al, byte ptr [005F67D5]
:0040D604 83C404 add esp, 00000004
:0040D607 84C0 test al, al
:0040D609 89151CBF5F00 mov dword ptr [005FBF1C], edx
:0040D60F 742A je 0040D63B
:0040D611 8D442408 lea eax, dword ptr [esp+08]
:0040D615 6840E05900 push 0059E040
:0040D61A 50 push eax
:0040D61B E8B0FDFFFF call 0040D3D0
:0040D620 8B08 mov ecx, dword ptr [eax]
:0040D622 890D18BF5F00 mov dword ptr [005FBF18], ecx
:0040D628 8B5004 mov edx, dword ptr [eax+04]
:0040D62B 83C408 add esp, 00000008
:0040D62E 89151CBF5F00 mov dword ptr [005FBF1C], edx
:0040D634 C605D5675F0000 mov byte ptr [005F67D5], 00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D60F(C)
|
:0040D63B 53 push ebx
:0040D63C FFD6 call esi
:0040D63E 8B0D1CBF5F00 mov ecx, dword ptr [005FBF1C]
:0040D644 8B3518BF5F00 mov esi, dword ptr [005FBF18]
:0040D64A 83C404 add esp, 00000004
:0040D64D 3BCA cmp ecx, edx
:0040D64F A39CBE5F00 mov dword ptr [005FBE9C], eax
:0040D654 8915A0BE5F00 mov dword ptr [005FBEA0], edx
:0040D65A 8935A4BE5F00 mov dword ptr [005FBEA4], esi
:0040D660 890DA8BE5F00 mov dword ptr [005FBEA8], ecx
:0040D666 7C15 jl 0040D67D
:0040D668 7F04 jg 0040D66E
:0040D66A 3BF0 cmp esi, eax
:0040D66C 760F jbe 0040D67D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D668(C)
|
:0040D66E 8BC6 mov eax, esi
:0040D670 8BD1 mov edx, ecx
:0040D672 A39CBE5F00 mov dword ptr [005FBE9C], eax
:0040D677 8915A0BE5F00 mov dword ptr [005FBEA0], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D666(C), :0040D66C(C)
|
:0040D67D 8B35B8FC6000 mov esi, dword ptr [0060FCB8]
:0040D683 8B0DBCFC6000 mov ecx, dword ptr [0060FCBC]
:0040D689 53 push ebx
:0040D68A 2BC6 sub eax, esi
:0040D68C 6880510100 push 00015180
:0040D691 1BD1 sbb edx, ecx
:0040D693 52 push edx
:0040D694 50 push eax
:0040D695 E8C6081700 call 0057DF60
:0040D69A 8BB42494010000 mov esi, dword ptr [esp+00000194]
:0040D6A1 3BF3 cmp esi, ebx
:0040D6A3 8B8C24A0010000 mov ecx, dword ptr [esp+000001A0]
:0040D6AA 8901 mov dword ptr [ecx], eax
:0040D6AC 7507 jne 0040D6B5
:0040D6AE 32C0 xor al, al
:0040D6B0 E927040000 jmp 0040DADC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6AC(C)
|
:0040D6B5 55 push ebp
:0040D6B6 8BEE mov ebp, esi
:0040D6B8 8D4D01 lea ecx, dword ptr [ebp+01]
:0040D6BB EB03 jmp 0040D6C0
:0040D6BD 8D4900 lea ecx, dword ptr [ecx+00]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D6BB(U), :0040D6C6(C)
|
:0040D6C0 8A4500 mov al, byte ptr [ebp+00]
:0040D6C3 45 inc ebp
:0040D6C4 84C0 test al, al
:0040D6C6 75F8 jne 0040D6C0
:0040D6C8 2BE9 sub ebp, ecx /*计算注册文件中字符长度*/
:0040D6CA 8D9B00000000 lea ebx, dword ptr [ebx+00000000]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6E6(U)
|
:0040D6D0 8A442EFF mov al, byte ptr [esi+ebp-01]
:0040D6D4 3C0A cmp al, 0A
:0040D6D6 7408 je 0040D6E0
:0040D6D8 3C0D cmp al, 0D
:0040D6DA 7404 je 0040D6E0
:0040D6DC 3C20 cmp al, 20
:0040D6DE 7508 jne 0040D6E8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D6D6(C), :0040D6DA(C)
|
:0040D6E0 C6442EFF00 mov [esi+ebp-01], 00
:0040D6E5 4D dec ebp
:0040D6E6 EBE8 jmp 0040D6D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6DE(C)
|
:0040D6E8 57 push edi
:0040D6E9 8D7DF6 lea edi, dword ptr [ebp-0A]
:0040D6EC 85FF test edi, edi
:0040D6EE 895C241C mov dword ptr [esp+1C], ebx
:0040D6F2 895C2410 mov dword ptr [esp+10], ebx
:0040D6F6 762A jbe 0040D722
:0040D6F8 EB06 jmp 0040D700
:0040D6FA 8D9B00000000 lea ebx, dword ptr [ebx+00000000]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D6F8(U), :0040D720(C)
|/*以下计算注册文件中除后10位的校验码*/
:0040D700 33C0 xor eax, eax
:0040D702 8A0433 mov al, byte ptr [ebx+esi]
:0040D705 8D542410 lea edx, dword ptr [esp+10]
:0040D709 52 push edx
:0040D70A 50 push eax
:0040D70B E8E0FAFFFF call 0040D1F0 //计算注册码变码
:0040D710 8B542424 mov edx, dword ptr [esp+24]
:0040D714 03D0 add edx, eax
:0040D716 83C408 add esp, 00000008
:0040D719 43 inc ebx
:0040D71A 3BDF cmp ebx, edi
:0040D71C 8954241C mov dword ptr [esp+1C], edx
:0040D720 72DE jb 0040D700
0040D700 |> 33C0 /XOR EAX,EAX
0040D702 |. 8A0433 |MOV AL,BYTE PTR DS:[EBX+ESI]
0040D705 |. 8D5424 10 |LEA EDX,DWORD PTR SS:[ESP+10]
0040D709 |. 52 |PUSH EDX
0040D70A |. 50 |PUSH EAX
0040D70B |. E8 E0FAFFFF |CALL SPIP.0040D1F0
0040D710 |. 8B5424 24 |MOV EDX,DWORD PTR SS:[ESP+24]
0040D714 |. 03D0 |ADD EDX,EAX /*累加校验码*/
0040D716 |. 83C4 08 |ADD ESP,8
0040D719 |. 43 |INC EBX
0040D71A |. 3BDF |CMP EBX,EDI
0040D71C |. 895424 1C |MOV DWORD PTR SS:[ESP+1C],EDX
0040D720 |.^72 DE \JB SHORT SPIP.0040D700
/////////////////////////////////////////////////////////
//插入计算注册码变码程序
//设注册码字符的ASCII值为X,顺序号为N,则计算结果为 ((X+N)*2E3H+1)*(X+N) + 99D722DBH*(X+N)*(X+N)*(X+N)/100000000H/80H
:0040D1F0 A098BE5F00 mov al, byte ptr [005FBE98] // 005FBE98在程序中其它处无赋值。此处为0,因此下面一段不知何用?高手指教
:0040D1F5 84C0 test al, al
:0040D1F7 56 push esi
:0040D1F8 7438 je 0040D232 //调到计算处
:0040D1FA 8A442408 mov al, byte ptr [esp+08]
:0040D1FE 3C0A cmp al, 0A
:0040D200 7477 je 0040D279
:0040D202 3C0D cmp al, 0D
:0040D204 7473 je 0040D279
:0040D206 0FBEC0 movsx eax, al
:0040D209 8BC8 mov ecx, eax
:0040D20B 0FAFC8 imul ecx, eax
:0040D20E 8BF0 mov esi, eax
:0040D210 0FAFC8 imul ecx, eax
:0040D213 69F60B030000 imul esi, 0000030B
:0040D219 46 inc esi
:0040D21A 0FAFF0 imul esi, eax
:0040D21D B87D63DA04 mov eax, 04DA637D
:0040D222 F7E9 imul ecx
:0040D224 C1FA02 sar edx, 02
:0040D227 8BC2 mov eax, edx
:0040D229 03F2 add esi, edx
:0040D22B C1E81F shr eax, 1F
:0040D22E 03C6 add eax, esi
:0040D230 5E pop esi
:0040D231 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D1F8(C)
|
:0040D232 8A542408 mov dl, byte ptr [esp+08]
:0040D236 8B74240C mov esi, dword ptr [esp+0C]
:0040D23A 8B0E mov ecx, dword ptr [esi]
:0040D23C 0FBEC2 movsx eax, dl
:0040D23F 03C1 add eax, ecx /*X+N*/
:0040D241 80FA0A cmp dl, 0A
:0040D244 7433 je 0040D279
:0040D246 80FA0D cmp dl, 0D
:0040D249 742E je 0040D279
:0040D24B 41 inc ecx
:0040D24C 890E mov dword ptr [esi], ecx /*序号计数*/
:0040D24E 8BC8 mov ecx, eax
:0040D250 0FAFC8 imul ecx, eax
:0040D253 8BF0 mov esi, eax
:0040D255 0FAFC8 imul ecx, eax
:0040D258 69F6E3020000 imul esi, 000002E3
:0040D25E 46 inc esi
:0040D25F 0FAFF0 imul esi, eax
:0040D262 B8DB22D799 mov eax, 99D722DB
:0040D267 F7E9 imul ecx
:0040D269 03D1 add edx, ecx
:0040D26B C1FA07 sar edx, 07
:0040D26E 8BC2 mov eax, edx
:0040D270 03F2 add esi, edx
:0040D272 C1E81F shr eax, 1F
:0040D275 03C6 add eax, esi /*计算后为((X+N)*2E3H+1)*(X+N)+ 99D722DBH*(X+N) *(X+N) *(X+N)/100000000H/80H */
:0040D277 5E pop esi
:0040D278 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D200(C), :0040D204(C), :0040D244(C), :0040D249(C)
|
:0040D279 33C0 xor eax, eax
:0040D27B 5E pop esi
:0040D27C C3 ret
////////////////////////////////////////////////////////////////////////////////////////////////
/*插入完毕*/
//继续///////////////////////////////////////////////////////
:0040D722 33C0 xor eax, eax
:0040D724 85FF test edi, edi
:0040D726 7602 jbe 0040D72A
:0040D728 8BC7 mov eax, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D726(C)
|
* Reference To: MSVCR71.sscanf, Ord:0303h
|
:0040D72A 8B1D3C905900 mov ebx, dword ptr [0059903C]
:0040D730 8D4C2418 lea ecx, dword ptr [esp+18]
:0040D734 51 push ecx
:0040D735 8D3C30 lea edi, dword ptr [eax+esi]
:0040D738 683CE05900 push 0059E03C
:0040D73D 57 push edi
:0040D73E FFD3 call ebx
:0040D740 8B542428 mov edx, dword ptr [esp+28]
:0040D744 8B442424 mov eax, dword ptr [esp+24] //取注册码后8位//
:0040D748 83C40C add esp, 0000000C
:0040D74B 3BC2 cmp eax, edx //与计算比较不等演示版
:0040D74D 0F8578010000 jne 0040D8CB
:0040D753 8D442418 lea eax, dword ptr [esp+18]
:0040D757 50 push eax
:0040D758 683CE05900 push 0059E03C
:0040D75D 57 push edi
:0040D75E FFD3 call ebx
:0040D760 8B4C2428 mov ecx, dword ptr [esp+28]
:0040D764 8B442424 mov eax, dword ptr [esp+24] //又弄一次不懂望高手指教:取注册码后8位//
:0040D768 83C40C add esp, 0000000C
:0040D76B 3BC1 cmp eax, ecx //与计算比较不等演示版
:0040D76D 0F8558010000 jne 0040D8CB
:0040D773 8D542454 lea edx, dword ptr [esp+54]
:0040D777 56 push esi
:0040D778 52 push edx
:0040D779 E862FBFFFF call 0040D2E0 //从注册码中取日期信息
//////////////////////////////////////////////////////
//插入日期信息调用
:0040D2E0 83EC08 sub esp, 00000008
:0040D2E3 56 push esi
:0040D2E4 6A01 push 00000001
:0040D2E6 6A01 push 00000001
:0040D2E8 68BC070000 push 000007BC
:0040D2ED 8D4C2410 lea ecx, dword ptr [esp+10]
:0040D2F1 E87AFDFFFF call 0040D070
:0040D2F6 8B442414 mov eax, dword ptr [esp+14]
:0040D2FA 6810DF5900 push 0059DF10 //压入字符“**”
:0040D2FF 50 push eax
* Reference To: MSVCR71.strstr, Ord:0313h
|
:0040D300 FF1500905900 Call dword ptr [00599000] //截取注册码字符**后8位作为日期因此注册码中应有**
:0040D306 8BF0 mov esi, eax
:0040D308 83C408 add esp, 00000008
:0040D30B 85F6 test esi, esi
:0040D30D 7516 jne 0040D325 //没有**演示
:0040D30F 8B442410 mov eax, dword ptr [esp+10]
:0040D313 8B4C2404 mov ecx, dword ptr [esp+04]
:0040D317 8B542408 mov edx, dword ptr [esp+08]
:0040D31B 8908 mov dword ptr [eax], ecx
:0040D31D 895004 mov dword ptr [eax+04], edx
:0040D320 5E pop esi
:0040D321 83C408 add esp, 00000008
:0040D324 C3 ret
.......
.......
///////////////////////////////////////////////////
//插入日期信息结束
//继续
:0040D77E 8B4804 mov ecx, dword ptr [eax+04]
:0040D781 8B10 mov edx, dword ptr [eax]
:0040D783 83C408 add esp, 00000008
:0040D786 51 push ecx
:0040D787 52 push edx
:0040D788 8D4C242C lea ecx, dword ptr [esp+2C]
:0040D78C E8BFC60F00 call 00509E50
:0040D791 8B442428 mov eax, dword ptr [esp+28]
:0040D795 8B0DB8FC6000 mov ecx, dword ptr [0060FCB8]
:0040D79B 8BD0 mov edx, eax
:0040D79D 2BD1 sub edx, ecx
:0040D79F 8B4C242C mov ecx, dword ptr [esp+2C]
:0040D7A3 8BF9 mov edi, ecx
:0040D7A5 1B3DBCFC6000 sbb edi, dword ptr [0060FCBC]
:0040D7AB 2B059CBE5F00 sub eax, dword ptr [005FBE9C]
:0040D7B1 6A00 push 00000000
:0040D7B3 1B0DA0BE5F00 sbb ecx, dword ptr [005FBEA0]
:0040D7B9 6880510100 push 00015180
:0040D7BE 57 push edi
:0040D7BF 52 push edx
:0040D7C0 C78424A401000000000000 mov dword ptr [esp+000001A4], 00000000
:0040D7CB 89442420 mov dword ptr [esp+20], eax
:0040D7CF 894C2424 mov dword ptr [esp+24], ecx
:0040D7D3 E888071700 call 0057DF60
:0040D7D8 85D2 test edx, edx
:0040D7DA 0F8FF2000000 jg 0040D8D2
:0040D7E0 7C08 jl 0040D7EA
:0040D7E2 85C0 test eax, eax
:0040D7E4 0F83E8000000 jnb 0040D8D2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D7E0(C)
|
:0040D7EA A0D4675F00 mov al, byte ptr [005F67D4]
:0040D7EF 84C0 test al, al
:0040D7F1 0F84A1000000 je 0040D898
:0040D7F7 8D44241C lea eax, dword ptr [esp+1C]
:0040D7FB 50 push eax
:0040D7FC 8D4C2428 lea ecx, dword ptr [esp+28]
:0040D800 E85BC80F00 call 0050A060
* Reference To: MSVCR71._localtime64, Ord:016Dh
|
:0040D805 8B3D38905900 mov edi, dword ptr [00599038]
:0040D80B 68B8FC6000 push 0060FCB8
:0040D810 8BE8 mov ebp, eax
:0040D812 FFD7 call edi
:0040D814 83C404 add esp, 00000004
:0040D817 85C0 test eax, eax
:0040D819 7405 je 0040D820
:0040D81B 8B580C mov ebx, dword ptr [eax+0C]
:0040D81E EB02 jmp 0040D822
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D819(C)
|
:0040D820 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D81E(U)
|
:0040D822 68B8FC6000 push 0060FCB8
:0040D827 FFD7 call edi
:0040D829 83C404 add esp, 00000004
:0040D82C 85C0 test eax, eax
:0040D82E 7406 je 0040D836
:0040D830 8B7010 mov esi, dword ptr [eax+10]
:0040D833 46 inc esi
:0040D834 EB02 jmp 0040D838
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D82E(C)
|
:0040D836 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D834(U)
|
:0040D838 68B8FC6000 push 0060FCB8
:0040D83D FFD7 call edi
:0040D83F 83C404 add esp, 00000004
:0040D842 85C0 test eax, eax
:0040D844 740A je 0040D850
:0040D846 8B4014 mov eax, dword ptr [eax+14]
:0040D849 056C070000 add eax, 0000076C
:0040D84E EB02 jmp 0040D852
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D844(C)
|
:0040D850 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D84E(U)
|
:0040D852 8B4D04 mov ecx, dword ptr [ebp+04]
:0040D855 53 push ebx
:0040D856 56 push esi
:0040D857 50 push eax
:0040D858 51 push ecx
:0040D859 8D54246C lea edx, dword ptr [esp+6C]
:0040D85D 6838DF5900 push 0059DF38
:0040D862 52 push edx
* Reference To: MSVCR71.sprintf, Ord:0300h
|
:0040D863 FF15F88F5900 Call dword ptr [00598FF8]
:0040D869 8B442438 mov eax, dword ptr [esp+38]
:0040D86D 83C418 add esp, 00000018
:0040D870 85C0 test eax, eax
:0040D872 7409 je 0040D87D
:0040D874 50 push eax
* Reference To: MFC71.Ordinal:010A, Ord:010Ah
|
:0040D875 E8D4FD1600 Call 0057D64E
:0040D87A 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D872(C)
|
:0040D87D 6A30 push 00000030
:0040D87F 6818DF5900 push 0059DF18
:0040D884 8D442464 lea eax, dword ptr [esp+64]
:0040D888 50 push eax
:0040D889 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:01DEh
|
:0040D88B FF1560925900 Call dword ptr [00599260]
:0040D891 C605D4675F0000 mov byte ptr [005F67D4], 00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D7F1(C)
|
:0040D898 8B4C2414 mov ecx, dword ptr [esp+14]
:0040D89C 8B542410 mov edx, dword ptr [esp+10]
:0040D8A0 6A00 push 00000000
:0040D8A2 6880510100 push 00015180
:0040D8A7 51 push ecx
:0040D8A8 52 push edx
:0040D8A9 E8B2061700 call 0057DF60
:0040D8AE 8B8C24A4010000 mov ecx, dword ptr [esp+000001A4]
:0040D8B5 8901 mov dword ptr [ecx], eax
:0040D8B7 8D4C2424 lea ecx, dword ptr [esp+24]
:0040D8BB C7842494010000FFFFFFFF mov dword ptr [esp+00000194], FFFFFFFF
:0040D8C6 E865C60F00 call 00509F30
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D74D(C), :0040D76D(C)
|
:0040D8CB 32C0 xor al, al
:0040D8CD E908020000 jmp 0040DADA
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D7DA(C), :0040D7E4(C)
|
:0040D8D2 807C2EF40D cmp byte ptr [esi+ebp-0C], 0D
:0040D8D7 7401 je 0040D8DA
:0040D8D9 45 inc ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D8D7(C)
|
* Reference To: MSVCR71.strncpy, Ord:030Fh
|
:0040D8DA 8B3DFC8F5900 mov edi, dword ptr [00598FFC]
:0040D8E0 6A04 push 00000004
:0040D8E2 8D542EEC lea edx, dword ptr [esi+ebp-14]
:0040D8E6 52 push edx
:0040D8E7 680CBF5F00 push 005FBF0C
:0040D8EC FFD7 call edi
:0040D8EE 6A02 push 00000002
:0040D8F0 8D442EF0 lea eax, dword ptr [esi+ebp-10]
:0040D8F4 50 push eax
:0040D8F5 6800BF5F00 push 005FBF00
:0040D8FA FFD7 call edi
:0040D8FC 6A02 push 00000002
:0040D8FE 8D4C2EF2 lea ecx, dword ptr [esi+ebp-0E]
:0040D902 51 push ecx
:0040D903 68F4BE5F00 push 005FBEF4
:0040D908 FFD7 call edi
:0040D90A 68F0BE5F00 push 005FBEF0
:0040D90F 680CDF5900 push 0059DF0C
:0040D914 680CBF5F00 push 005FBF0C
:0040D919 FFD3 call ebx
:0040D91B 68ECBE5F00 push 005FBEEC
:0040D920 680CDF5900 push 0059DF0C
:0040D925 6800BF5F00 push 005FBF00
:0040D92A FFD3 call ebx
:0040D92C 68E8BE5F00 push 005FBEE8
:0040D931 680CDF5900 push 0059DF0C
:0040D936 68F4BE5F00 push 005FBEF4
:0040D93B FFD3 call ebx
:0040D93D A1F0BE5F00 mov eax, dword ptr [005FBEF0] //取注册码中后19位头四位数字转成16进制数
:0040D942 83C448 add esp, 00000048
:0040D945 3D540B0000 cmp eax, 00000B54 //要大于B54 否则出错误
:0040D94A 7E05 jle 0040D951
:0040D94C B8540B0000 mov eax, 00000B54
..............................
................................
///关键调用结束
/////////////////////////////////////////////////////////////////////////////////////////////////////////
//插入程序功能限制函数调用
:0049ABB0 83EC74 sub esp, 00000074
:0049ABB3 A1B0AB5F00 mov eax, dword ptr [005FABB0]
:0049ABB8 89442470 mov dword ptr [esp+70], eax
:0049ABBC 33C0 xor eax, eax
:0049ABBE 53 push ebx
:0049ABBF 89442408 mov dword ptr [esp+08], eax
:0049ABC3 89442404 mov dword ptr [esp+04], eax
:0049ABC7 88442410 mov byte ptr [esp+10], al
:0049ABCB 8D44240C lea eax, dword ptr [esp+0C]
:0049ABCF 50 push eax
:0049ABD0 A1F0686000 mov eax, dword ptr [006068F0]
:0049ABD5 8D4C2408 lea ecx, dword ptr [esp+08]
:0049ABD9 51 push ecx
:0049ABDA 8D542410 lea edx, dword ptr [esp+10]
:0049ABDE 52 push edx
:0049ABDF 50 push eax
:0049ABE0 C744241CFEFFFFFF mov [esp+1C], FFFFFFFE
:0049ABE8 E8B329F7FF call 0040D5A0
:0049ABED 83C410 add esp, 00000010
:0049ABF0 84C0 test al, al
:0049ABF2 756E jne 0049AC62
:0049ABF4 813D14995F0080000000 cmp dword ptr [005F9914], 00000080
:0049ABFE 0F8F14020000 jg 0049AE18
:0049AC04 B301 mov bl, 01
:0049AC06 881DD9686000 mov byte ptr [006068D9], bl
:0049AC0C 881DDA686000 mov byte ptr [006068DA], bl
:0049AC12 881DDB686000 mov byte ptr [006068DB], bl
:0049AC18 881DDD686000 mov byte ptr [006068DD], bl
:0049AC1E 881DDC686000 mov byte ptr [006068DC], bl
:0049AC24 881DD8686000 mov byte ptr [006068D8], bl
:0049AC2A 881DDF686000 mov byte ptr [006068DF], bl
:0049AC30 881DE0686000 mov byte ptr [006068E0], bl
:0049AC36 881DE3686000 mov byte ptr [006068E3], bl
:0049AC3C 881DE4686000 mov byte ptr [006068E4], bl
:0049AC42 881DE6686000 mov byte ptr [006068E6], bl
:0049AC48 881DE8686000 mov byte ptr [006068E8], bl
:0049AC4E 881DE7686000 mov byte ptr [006068E7], bl
:0049AC54 5B pop ebx
:0049AC55 8B4C2470 mov ecx, dword ptr [esp+70]
:0049AC59 E850320E00 call 0057DEAE
:0049AC5E 83C474 add esp, 00000074
:0049AC61 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ABF2(C)
|
:0049AC62 8B15F0686000 mov edx, dword ptr [006068F0]
:0049AC68 8D4C2410 lea ecx, dword ptr [esp+10]
:0049AC6C 51 push ecx
:0049AC6D 52 push edx
:0049AC6E E80D26F7FF call 0040D280
:0049AC73 83C408 add esp, 00000008
:0049AC76 84C0 test al, al
:0049AC78 0F849A010000 je 0049AE18
:0049AC7E 56 push esi
* Reference To: MSVCR71.strstr, Ord:0313h
//以下判断注册码中是否含有ABCGIMNORU3TSEPF 对应15个模块功能16功能 |
:0049AC7F 8B3500905900 mov esi, dword ptr [00599000]
:0049AC85 8D442414 lea eax, dword ptr [esp+14]
:0049AC89 68E8C45A00 push 005AC4E8
:0049AC8E 50 push eax
:0049AC8F FFD6 call esi
:0049AC91 83C408 add esp, 00000008
:0049AC94 85C0 test eax, eax
:0049AC96 B301 mov bl, 01
:0049AC98 7406 je 0049ACA0
:0049AC9A 881DDA686000 mov byte ptr [006068DA], bl //1模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AC98(C)
|
:0049ACA0 8D4C2414 lea ecx, dword ptr [esp+14]
:0049ACA4 68E4C45A00 push 005AC4E4
:0049ACA9 51 push ecx
:0049ACAA FFD6 call esi
:0049ACAC 83C408 add esp, 00000008
:0049ACAF 85C0 test eax, eax
:0049ACB1 7406 je 0049ACB9
:0049ACB3 881DDF686000 mov byte ptr [006068DF], bl //2模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ACB1(C)
|
:0049ACB9 8D542414 lea edx, dword ptr [esp+14]
:0049ACBD 68E0C45A00 push 005AC4E0
:0049ACC2 52 push edx
:0049ACC3 FFD6 call esi
:0049ACC5 83C408 add esp, 00000008
:0049ACC8 85C0 test eax, eax
:0049ACCA 7406 je 0049ACD2
:0049ACCC 881DD9686000 mov byte ptr [006068D9], bl //3模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ACCA(C)
|
:0049ACD2 8D442414 lea eax, dword ptr [esp+14]
:0049ACD6 6864055A00 push 005A0564
:0049ACDB 50 push eax
:0049ACDC FFD6 call esi
:0049ACDE 83C408 add esp, 00000008
:0049ACE1 85C0 test eax, eax
:0049ACE3 7406 je 0049ACEB
:0049ACE5 881DDB686000 mov byte ptr [006068DB], bl //4模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ACE3(C)
|
:0049ACEB 8D4C2414 lea ecx, dword ptr [esp+14]
:0049ACEF 68DCC45A00 push 005AC4DC
:0049ACF4 51 push ecx
:0049ACF5 FFD6 call esi
:0049ACF7 83C408 add esp, 00000008
:0049ACFA 85C0 test eax, eax
:0049ACFC 7406 je 0049AD04
:0049ACFE 881DDC686000 mov byte ptr [006068DC], bl //5模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ACFC(C)
|
:0049AD04 8D542414 lea edx, dword ptr [esp+14]
:0049AD08 68D8C45A00 push 005AC4D8
:0049AD0D 52 push edx
:0049AD0E FFD6 call esi
:0049AD10 83C408 add esp, 00000008
:0049AD13 85C0 test eax, eax
:0049AD15 7406 je 0049AD1D
:0049AD17 881DE4686000 mov byte ptr [006068E4], bl //6模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AD15(C)
|
:0049AD1D 8D442414 lea eax, dword ptr [esp+14]
:0049AD21 68D4C45A00 push 005AC4D4
:0049AD26 50 push eax
:0049AD27 FFD6 call esi
:0049AD29 83C408 add esp, 00000008
:0049AD2C 85C0 test eax, eax
:0049AD2E 7406 je 0049AD36
:0049AD30 881DE8686000 mov byte ptr [006068E8], bl //7模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AD2E(C)
|
:0049AD36 8D4C2414 lea ecx, dword ptr [esp+14]
:0049AD3A 68D0C45A00 push 005AC4D0
:0049AD3F 51 push ecx
:0049AD40 FFD6 call esi
:0049AD42 83C408 add esp, 00000008
:0049AD45 85C0 test eax, eax
:0049AD47 7406 je 0049AD4F
:0049AD49 881DE2686000 mov byte ptr [006068E2], bl //8模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AD47(C)
|
:0049AD4F 8D542414 lea edx, dword ptr [esp+14]
:0049AD53 68CCC45A00 push 005AC4CC
:0049AD58 52 push edx
:0049AD59 FFD6 call esi
:0049AD5B 83C408 add esp, 00000008
:0049AD5E 85C0 test eax, eax
:0049AD60 7406 je 0049AD68
:0049AD62 881DE0686000 mov byte ptr [006068E0], bl //9模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AD60(C)
|
:0049AD68 8D442414 lea eax, dword ptr [esp+14]
:0049AD6C 68C8C45A00 push 005AC4C8
:0049AD71 50 push eax
:0049AD72 FFD6 call esi
:0049AD74 83C408 add esp, 00000008
:0049AD77 85C0 test eax, eax
:0049AD79 7406 je 0049AD81
:0049AD7B 881DDD686000 mov byte ptr [006068DD], bl //10模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AD79(C)
|
:0049AD81 8D4C2414 lea ecx, dword ptr [esp+14]
:0049AD85 68C4C45A00 push 005AC4C4
:0049AD8A 51 push ecx
:0049AD8B FFD6 call esi
:0049AD8D 83C408 add esp, 00000008
:0049AD90 85C0 test eax, eax
:0049AD92 7406 je 0049AD9A
:0049AD94 881DDE686000 mov byte ptr [006068DE], bl //11模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AD92(C)
|
:0049AD9A 8D542414 lea edx, dword ptr [esp+14]
:0049AD9E 68C0C45A00 push 005AC4C0
:0049ADA3 52 push edx
:0049ADA4 FFD6 call esi
:0049ADA6 83C408 add esp, 00000008
:0049ADA9 85C0 test eax, eax
:0049ADAB 7406 je 0049ADB3
:0049ADAD 881DD8686000 mov byte ptr [006068D8], bl //12模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ADAB(C)
|
:0049ADB3 8D442414 lea eax, dword ptr [esp+14]
:0049ADB7 68BCC45A00 push 005AC4BC
:0049ADBC 50 push eax
:0049ADBD FFD6 call esi
:0049ADBF 83C408 add esp, 00000008
:0049ADC2 85C0 test eax, eax
:0049ADC4 7406 je 0049ADCC
:0049ADC6 881DE3686000 mov byte ptr [006068E3], bl //13模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ADC4(C)
|
:0049ADCC 8D4C2414 lea ecx, dword ptr [esp+14]
:0049ADD0 68B8C45A00 push 005AC4B8
:0049ADD5 51 push ecx
:0049ADD6 FFD6 call esi
:0049ADD8 83C408 add esp, 00000008
:0049ADDB 85C0 test eax, eax
:0049ADDD 7406 je 0049ADE5
:0049ADDF 881DE5686000 mov byte ptr [006068E5], bl //14模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ADDD(C)
|
:0049ADE5 8D542414 lea edx, dword ptr [esp+14]
:0049ADE9 68B4C45A00 push 005AC4B4
:0049ADEE 52 push edx
:0049ADEF FFD6 call esi
:0049ADF1 83C408 add esp, 00000008
:0049ADF4 85C0 test eax, eax
:0049ADF6 7406 je 0049ADFE
:0049ADF8 881DE6686000 mov byte ptr [006068E6], bl //15模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ADF6(C)
|
:0049ADFE 8D442414 lea eax, dword ptr [esp+14]
:0049AE02 68B0C45A00 push 005AC4B0
:0049AE07 50 push eax
:0049AE08 FFD6 call esi
:0049AE0A 83C408 add esp, 00000008
:0049AE0D 85C0 test eax, eax
:0049AE0F 5E pop esi
:0049AE10 7406 je 0049AE18
:0049AE12 881DE7686000 mov byte ptr [006068E7], bl //16模块与功能
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049ABFE(C), :0049AC78(C), :0049AE10(C)
|
:0049AE18 8B4C2474 mov ecx, dword ptr [esp+74]
:0049AE1C 5B pop ebx
:0049AE1D E88C300E00 call 0057DEAE
:0049AE22 83C474 add esp, 00000074
:0049AE25 C3 ret
//插入程序功能限制函数调用结束
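后面程序取注册码中“##”之前的部分作为注册名,并调用相同的计算,过程从略。从保护设计的角度看,就上面列出的代码而言,校验值、日期和功能模块标志都是由注册文件自身的内容配合程序内的固定常量在本地算出并比较的,没有用到任何不在程序中的密钥,这正是此类keyfile方案的薄弱之处;厂商若改为用内嵌公钥验证经私钥签名的注册文件,就不能仅凭程序中的常量构造出可通过校验的文件。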
给两个注册码
HaIlDuZ##ABCGIMNORU3TSEPF**2025090889000BDA47D0F221AD6
丹麦SPIP(TM)##ABCGIMNORU3TSEPF**2025090889eee0FECF3E7
希望多提意见。(完)
HaIlDuZ
hailduz@hotmail.com
2005.5