【文章标题】: Total Commander注册算法
【文章作者】: vasthao
【作者邮箱】: vasthao@gmail.com
【软件名称】: Total Commander 7.56a
【下载地址】: 自己搜索下载
【编写语言】: delphi
【使用工具】: OD
--------------------------------------------------------------------------------
【详细过程】
使用的wincmd.key被加入了黑名单,下断CreateFileA,跟踪wincmd.key的读取,到以下代码:
004E06E4 . 8D95 6CFAFFFF lea edx, dword ptr [ebp-594] ; 读取0x400字节放在这
004E06EA . 66:B9 0004 mov cx, 400
004E06EE . 8BC7 mov eax, edi
004E06F0 . E8 57D7F3FF call <ReadFile>
004E06F5 . 8BC7 mov eax, edi
004E06F7 . E8 E8D6F3FF call 0041DDE4
004E06FC . EB 0B jmp short 004E0709
004E06FE > 33DB xor ebx, ebx
004E0700 . 66:C785 DEFEF>mov word ptr [ebp-122], 0
004E0709 > 66:81BD DEFEF>cmp word ptr [ebp-122], 80 ; 是否0x80字节
004E0712 . 0F9405 15336D>sete byte ptr [6D3315] ; 应该是比较是否老版本的
004E0719 > C685 DDFEFFFF>mov byte ptr [ebp-123], 1
004E0720 . 84DB test bl, bl
004E0722 . 0F84 1E030000 je 004E0A46
004E0728 . 8D85 00EDFFFF lea eax, dword ptr [ebp-1300]
004E072E . 50 push eax ; /pTimeZoneInfo
004E072F . E8 1C4FF2FF call <jmp.&kernel32.GetTimeZoneInform>; \GetTimeZoneInformation
004E0734 . 40 inc eax
004E0735 . 74 1C je short 004E0753
004E0737 . 81BD 00EDFFFF>cmp dword ptr [ebp-1300], 0F0
004E0741 . 7F 10 jg short 004E0753
004E0743 . 81BD 00EDFFFF>cmp dword ptr [ebp-1300], -258
004E074D . 0F8D 14010000 jge 004E0867
004E0753 > B8 02000000 mov eax, 2
004E0758 . E8 EF080000 call 004E104C
004E075D . 84C0 test al, al
004E075F . 0F85 02010000 jnz 004E0867
004E0765 . B8 01000000 mov eax, 1
004E076A . E8 DD080000 call 004E104C
004E076F . 84C0 test al, al
004E0771 . 0F84 F0000000 je 004E0867
004E0777 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
004E077D . 8D85 6CFBFFFF lea eax, dword ptr [ebp-494]
004E0783 . B9 00010000 mov ecx, 100
004E0788 . E8 2720F2FF call <MemCpy>
004E078D . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
004E0793 . B9 FF000000 mov ecx, 0FF
004E0798 . BA CF625800 mov edx, 005862CF
004E079D . E8 AAFBFFFF call <Decode>
004E07A2 . 8D95 20FFFFFF lea edx, dword ptr [ebp-E0]
004E07A8 . B9 78000000 mov ecx, 78
004E07AD . 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]
004E07B3 . E8 C0C3FFFF call <BigInBytes>
004E07B8 . 8D55 98 lea edx, dword ptr [ebp-68]
004E07BB . B9 68000000 mov ecx, 68
004E07C0 . 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C]
004E07C6 . E8 ADC3FFFF call <BigInBytes>
004E07CB . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
004E07D1 . 8D85 6CFCFFFF lea eax, dword ptr [ebp-394]
004E07D7 . B9 00010000 mov ecx, 100
004E07DC . E8 D31FF2FF call <MemCpy>
004E07E1 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
004E07E7 . B9 FF000000 mov ecx, 0FF
004E07EC . BA F5E00100 mov edx, 1E0F5
004E07F1 . E8 56FBFFFF call <Decode>
004E07F6 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
004E07FC . B9 68000000 mov ecx, 68
004E0801 . 8B85 E4FEFFFF mov eax, dword ptr [ebp-11C]
004E0807 . E8 6CC3FFFF call <BigInBytes>
004E080C . 6A 00 push 0
004E080E . 8D8D ACEDFFFF lea ecx, dword ptr [ebp-1254]
004E0814 . 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]
004E081A . 83C0 10 add eax, 10
004E081D . BA 78000000 mov edx, 78
004E0822 . E8 0590FBFF call 0049982C
004E0827 . BA 88000000 mov edx, 88
004E082C . 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]
004E0832 . E8 41C5FFFF call 004DCD78
004E0837 . 8D85 ACEDFFFF lea eax, dword ptr [ebp-1254]
004E083D . 8B95 F8FEFFFF mov edx, dword ptr [ebp-108]
004E0843 . E8 3CFCFFFF call 004E0484
004E0848 . 8B8D E4FEFFFF mov ecx, dword ptr [ebp-11C]
004E084E . 8B95 F4FEFFFF mov edx, dword ptr [ebp-10C]
004E0854 . 8B85 F8FEFFFF mov eax, dword ptr [ebp-108]
004E085A . E8 81F5FFFF call 004DFDE0
004E085F . 34 01 xor al, 1
004E0861 . 8885 DDFEFFFF mov byte ptr [ebp-123], al
004E0867 > 80BD DDFEFFFF>cmp byte ptr [ebp-123], 0
004E086E . 0F84 96000000 je 004E090A
004E0874 . BA DC0E4E00 mov edx, 004E0EDC ; ASCII "AAD4474DC8387E81BB095D810F4F4F21D5D7CCC756E3D6E
5DEE48AC000C25AA0EFAD0AD3A5AC46F15B50249597461BBB87CDC
3F1BA37C17A9A207A3603E38E718F9927A5EB38005D8B72EAFDC63
931C3D93C1FAD457A17CA85BEB40F3FA9152770DAC12E8E3B912D"
004E0879 . 8B85 F8FEFFFF mov eax, dword ptr [ebp-108]
004E087F . E8 14C2FFFF call <BigInHexString>
004E0884 . BA B00F4E00 mov edx, 004E0FB0 ; ASCII "65537"
004E0889 . 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C]
004E088F . E8 28C1FFFF call <BigInDecString>
004E0894 . 8D95 CCEDFFFF lea edx, dword ptr [ebp-1234]
004E089A . 8D85 ECFAFFFF lea eax, dword ptr [ebp-514] ; ebp-594是keyfile存放地址,则这个是偏移0x594-0x514=0x80
004E08A0 . B9 80000000 mov ecx, 80 ; 复制0x80字节
004E08A5 . E8 0A1FF2FF call <MemCpy>
004E08AA . 8D95 CCEDFFFF lea edx, dword ptr [ebp-1234]
004E08B0 . B9 68000000 mov ecx, 68
004E08B5 . 8B85 E4FEFFFF mov eax, dword ptr [ebp-11C] ; 0x68个字节转为大数
004E08BB . E8 B8C2FFFF call <BigInBytes>
004E08C0 . 8D85 E0FEFFFF lea eax, dword ptr [ebp-120] ; 解密存放
004E08C6 . 50 push eax
004E08C7 . 8B8D F8FEFFFF mov ecx, dword ptr [ebp-108]
004E08CD . 8B95 F4FEFFFF mov edx, dword ptr [ebp-10C] ; e=65537
004E08D3 . 8B85 E4FEFFFF mov eax, dword ptr [ebp-11C] ; 这个是0x68个字节要解密的
004E08D9 . E8 AADAFFFF call <BigDecrypt> ; 不是RSA
00DD26A0 48 C6 4D 00 34 00 00 00 E8 03 00 00 01 00 00 00 H芃.4...?.....
00DD26B0 2D 91 3B 8E 2E C1 DA 70 27 15 A9 3F 0F B4 BE 85 -??邻p'?淳
00DD26C0 CA 17 7A 45 AD 1F 3C D9 C3 31 39 C6 FD EA 72 8B ?zE?<倜19讫阹
00DD26D0 5D 00 38 EB A5 27 99 8F 71 8E E3 03 36 7A 20 9A ].8毳'檹q庛6z
00DD26E0 7A C1 37 BA F1 C3 CD 87 BB 1B 46 97 95 24 50 5B z?厚猛嚮F棔$P[
00DD26F0 F1 46 AC A5 D3 0A AD EF A0 5A C2 00 C0 8A E4 DE 馞?燴?缞滢
00DD2700 E5 D6 E3 56 C7 CC D7 D5 21 4F 4F 0F 81 5D 09 BB 逯鉜翘渍!OO乚.
00DD2710 81 7E 38 C8 4D 47 D4 AA 00 00 00 00 00 00 00 00 亊8萂G元........
004DE388 >/$ 55 push ebp ; BigDecrypt: thin wrapper that forwards to BigDecrypt0 with eax/edx exchanged and a zero flag pushed
004DE389 |. 8BEC mov ebp, esp
004DE38B |. 53 push ebx
004DE38C |. 8B5D 08 mov ebx, dword ptr [ebp+8] ; ebx = the caller's single stack argument (pointer to the result slot)
004DE38F |. 53 push ebx ; becomes [ebp+C] in BigDecrypt0 (result slot)
004DE390 |. 6A 00 push 0 ; becomes [ebp+8] in BigDecrypt0 (flag byte = 0, so BigDiv is used rather than BigDiv0)
004DE392 |. 92 xchg eax, edx ; caller passes eax=c, edx=e; BigDecrypt0 expects eax=e, edx=c (ecx=n passes through)
004DE393 |. E8 60FDFFFF call <BigDecrypt0>
004DE398 |. 5B pop ebx
004DE399 |. 5D pop ebp
004DE39A \. C2 0400 retn 4 ; callee pops the one stack argument
004DE0F8 >/$ 55 push ebp ; BigDecrypt0: in eax=e, edx=c, ecx=n, [ebp+8]=flag byte, [ebp+C]=pointer to result slot; out: *[ebp+C] receives temp2
004DE0F9 |. 8BEC mov ebp, esp
004DE0FB |. 83C4 E4 add esp, -1C ; 0x1C bytes of locals, [ebp-4] .. [ebp-1C]
004DE0FE |. 53 push ebx
004DE0FF |. 56 push esi
004DE100 |. 57 push edi
004DE101 |. 894D F4 mov dword ptr [ebp-C], ecx ; [ebp-C] = n (author: an 832-bit big number)
004DE104 |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = c, the 0x68 bytes to be decrypted
004DE107 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = e (65537)
004DE10A |. C605 04336D00>mov byte ptr [6D3304], 0 ; clear global flag; if it becomes non-zero inside the loop the loop is cut short (see 004DE329)
004DE111 |. 33D2 xor edx, edx
004DE113 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DE116 |. E8 9DEFFFFF call 004DD0B8 ; unnamed check on e (eax=e, edx=0); what it tests is not identified here
004DE11B |. 85C0 test eax, eax
004DE11D |. 75 14 jnz short 004DE133
004DE11F |. 8B45 0C mov eax, dword ptr [ebp+C] ; check failed: set the result to 2 and leave
004DE122 |. 8B00 mov eax, dword ptr [eax]
004DE124 |. BA 02000000 mov edx, 2
004DE129 |. E8 6EE8FFFF call <BigIn16>
004DE12E |. E9 4A020000 jmp 004DE37D
004DE133 |> B2 01 mov dl, 1 ; allocate four temporaries (class 004DC648)
004DE135 |. B8 48C64D00 mov eax, 004DC648
004DE13A |. E8 8DFEFFFF call <BigCreate>
004DE13F |. 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = temp1
004DE142 |. B2 01 mov dl, 1
004DE144 |. B8 48C64D00 mov eax, 004DC648
004DE149 |. E8 7EFEFFFF call <BigCreate>
004DE14E |. 8BF0 mov esi, eax ; esi = temp2
004DE150 |. B2 01 mov dl, 1
004DE152 |. B8 48C64D00 mov eax, 004DC648
004DE157 |. E8 70FEFFFF call <BigCreate>
004DE15C |. 8BF8 mov edi, eax ; edi = temp3
004DE15E |. B2 01 mov dl, 1
004DE160 |. B8 48C64D00 mov eax, 004DC648
004DE165 |. E8 62FEFFFF call <BigCreate>
004DE16A |. 8BD8 mov ebx, eax ; ebx = temp4
004DE16C |. 807D 08 00 cmp byte ptr [ebp+8], 0 ; flag set? then a scratch buffer is needed for BigDiv0
004DE170 |. 74 1F je short 004DE191
004DE172 |. C745 E8 803E0>mov dword ptr [ebp-18], 3E80 ; [ebp-18] = scratch buffer size
004DE179 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004DE17C |. E8 0345F2FF call 00402684 ; obtain the buffer (released with FreeMem at 004DE35B)
004DE181 |. 8945 E4 mov dword ptr [ebp-1C], eax ; [ebp-1C] = scratch buffer, handed to every BigDiv0 call
004DE184 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004DE187 |. 33C9 xor ecx, ecx
004DE189 |. 8B55 E8 mov edx, dword ptr [ebp-18]
004DE18C |. E8 2B49F2FF call 00402ABC ; (eax=buf, edx=size, ecx=0) presumably a zero fill — not verified here
004DE191 |> 8B45 FC mov eax, dword ptr [ebp-4] ; [ebp-4] = e = 0x10001
004DE194 |. E8 C7EDFFFF call <BigGetBitLength> ; bit length of e
004DE199 |. 48 dec eax
004DE19A |. 8945 EC mov dword ptr [ebp-14], eax ; [ebp-14] = bitlength-1, the index of the current bit of e
004DE19D |. 8B55 F8 mov edx, dword ptr [ebp-8]
004DE1A0 |. 8BC3 mov eax, ebx
004DE1A2 |. E8 F5EDFFFF call <BigCopy> ; temp4 = c
004DE1A7 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004DE1AA |. 8B55 F4 mov edx, dword ptr [ebp-C]
004DE1AD |. 8BC3 mov eax, ebx
004DE1AF |. E8 F4F3FFFF call <BigDiv> ; temp1 = temp4 % n = c % n ; temp4 = temp4 / n = c / n
004DE1B4 |. BA 02000000 mov edx, 2
004DE1B9 |. 8BC6 mov eax, esi
004DE1BB |. E8 DCE7FFFF call <BigIn16> ; temp2 = 2
004DE1C0 |. 8B55 F0 mov edx, dword ptr [ebp-10]
004DE1C3 |. 8BC7 mov eax, edi
004DE1C5 |. E8 D2EDFFFF call <BigCopy> ; temp3 = temp1 = c % n
004DE1CA |. 837D EC 00 cmp dword ptr [ebp-14], 0
004DE1CE |. 0F8C 6F010000 jl 004DE343 ; no bits to process: skip the loop
004DE1D4 |> FF05 08336D00 /inc dword ptr [6D3308] ; loop start; global iteration counter [6D3308]++ (the caller inspects this counter after the call)
004DE1DA |. 66:8B55 EC |mov dx, word ptr [ebp-14] ; bit index is passed as a 16-bit value
004DE1DE |. 8B45 FC |mov eax, dword ptr [ebp-4]
004DE1E1 |. E8 36EFFFFF |call <BigBitTest> ; test whether the current bit of e is 1
004DE1E6 |. 84C0 |test al, al
004DE1E8 |. 0F84 A0000000 |je 004DE28E ; bit 0 -> the second branch below
004DE1EE |. 8BD7 |mov edx, edi ; bit 1 branch
004DE1F0 |. 8BC6 |mov eax, esi
004DE1F2 |. E8 59F2FFFF |call <BigMul> ; temp2 = temp2*temp3
004DE1F7 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE1FA |. 8BC3 |mov eax, ebx
004DE1FC |. E8 9BEDFFFF |call <BigCopy> ; temp4 = n
004DE201 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
004DE204 |. 8BC3 |mov eax, ebx
004DE206 |. E8 C5F1FFFF |call <BigSub> ; temp4 = temp4-temp1 = n-c%n
004DE20B |. 8BD6 |mov edx, esi
004DE20D |. 8BC3 |mov eax, ebx
004DE20F |. E8 58F1FFFF |call <BigAdd> ; temp4 = temp4+temp2 = n-c%n+temp2*temp3
004DE214 |. 807D 08 00 |cmp byte ptr [ebp+8], 0 ; flag set -> BigDiv0 with the scratch buffer, else BigDiv
004DE218 |. 74 13 |je short 004DE22D
004DE21A |. 56 |push esi ; destination = temp2
004DE21B |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
004DE21E |. 50 |push eax ; scratch buffer
004DE21F |. 8BCB |mov ecx, ebx
004DE221 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE224 |. 8BC3 |mov eax, ebx
004DE226 |. E8 09F9FFFF |call <BigDiv0>
004DE22B |. EB 0C |jmp short 004DE239
004DE22D |> 8BCE |mov ecx, esi
004DE22F |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE232 |. 8BC3 |mov eax, ebx
004DE234 |. E8 6FF3FFFF |call <BigDiv> ; temp2 = temp4%n = (n-c%n+temp2*temp3)%n = (temp2*temp3-c%n)%n
004DE239 |> 8BD7 |mov edx, edi
004DE23B |. 8BC7 |mov eax, edi
004DE23D |. E8 0EF2FFFF |call <BigMul> ; temp3 = temp3*temp3
004DE242 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE245 |. 8BC3 |mov eax, ebx
004DE247 |. E8 50EDFFFF |call <BigCopy> ; temp4 = n
004DE24C |. BA 02000000 |mov edx, 2
004DE251 |. 8BC3 |mov eax, ebx
004DE253 |. E8 28F5FFFF |call <BigSub16> ; temp4 = n-2
004DE258 |. 8BD7 |mov edx, edi
004DE25A |. 8BC3 |mov eax, ebx
004DE25C |. E8 0BF1FFFF |call <BigAdd> ; temp4 = temp4+temp3 = n-2+temp3*temp3
004DE261 |. 807D 08 00 |cmp byte ptr [ebp+8], 0 ; [ebp+8]==0 ?
004DE265 |. 74 16 |je short 004DE27D
004DE267 |. 57 |push edi ; destination = temp3
004DE268 |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
004DE26B |. 50 |push eax
004DE26C |. 8BCB |mov ecx, ebx
004DE26E |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE271 |. 8BC3 |mov eax, ebx
004DE273 |. E8 BCF8FFFF |call <BigDiv0>
004DE278 |. E9 A9000000 |jmp 004DE326
004DE27D |> 8BCF |mov ecx, edi
004DE27F |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE282 |. 8BC3 |mov eax, ebx
004DE284 |. E8 1FF3FFFF |call <BigDiv> ; temp3 = temp4%n = (n-2+temp3*temp3)%n = (temp3*temp3-2)%n
004DE289 |. E9 98000000 |jmp 004DE326
004DE28E |> 8BD6 |mov edx, esi ; bit 0 branch: same shape as above with temp2/temp3 swapped
004DE290 |. 8BC7 |mov eax, edi
004DE292 |. E8 B9F1FFFF |call <BigMul> ; temp3 = temp3*temp2
004DE297 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE29A |. 8BC3 |mov eax, ebx
004DE29C |. E8 FBECFFFF |call <BigCopy> ; temp4 = n
004DE2A1 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
004DE2A4 |. 8BC3 |mov eax, ebx
004DE2A6 |. E8 25F1FFFF |call <BigSub> ; temp4 = n-temp1 = n-c%n
004DE2AB |. 8BD7 |mov edx, edi
004DE2AD |. 8BC3 |mov eax, ebx
004DE2AF |. E8 B8F0FFFF |call <BigAdd> ; temp4 = temp4+temp3 = n-c%n+temp3*temp2
004DE2B4 |. 807D 08 00 |cmp byte ptr [ebp+8], 0
004DE2B8 |. 74 13 |je short 004DE2CD
004DE2BA |. 57 |push edi ; destination = temp3
004DE2BB |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
004DE2BE |. 50 |push eax
004DE2BF |. 8BCB |mov ecx, ebx
004DE2C1 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE2C4 |. 8BC3 |mov eax, ebx
004DE2C6 |. E8 69F8FFFF |call <BigDiv0>
004DE2CB |. EB 0C |jmp short 004DE2D9
004DE2CD |> 8BCF |mov ecx, edi
004DE2CF |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE2D2 |. 8BC3 |mov eax, ebx
004DE2D4 |. E8 CFF2FFFF |call <BigDiv> ; temp3 = temp4%n = (n-c%n+temp3*temp2)%n = (temp3*temp2-c%n)%n
004DE2D9 |> 8BD6 |mov edx, esi
004DE2DB |. 8BC6 |mov eax, esi
004DE2DD |. E8 6EF1FFFF |call <BigMul> ; temp2 = temp2*temp2
004DE2E2 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE2E5 |. 8BC3 |mov eax, ebx
004DE2E7 |. E8 B0ECFFFF |call <BigCopy> ; temp4 = n
004DE2EC |. BA 02000000 |mov edx, 2
004DE2F1 |. 8BC3 |mov eax, ebx
004DE2F3 |. E8 88F4FFFF |call <BigSub16> ; temp4 = temp4-2 = n-2
004DE2F8 |. 8BD6 |mov edx, esi
004DE2FA |. 8BC3 |mov eax, ebx
004DE2FC |. E8 6BF0FFFF |call <BigAdd> ; temp4 = temp4+temp2 = n-2+temp2*temp2
004DE301 |. 807D 08 00 |cmp byte ptr [ebp+8], 0 ; [ebp+8]==0 ?
004DE305 |. 74 13 |je short 004DE31A
004DE307 |. 56 |push esi ; destination = temp2
004DE308 |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
004DE30B |. 50 |push eax
004DE30C |. 8BCB |mov ecx, ebx
004DE30E |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE311 |. 8BC3 |mov eax, ebx
004DE313 |. E8 1CF8FFFF |call <BigDiv0>
004DE318 |. EB 0C |jmp short 004DE326
004DE31A |> 8BCE |mov ecx, esi
004DE31C |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004DE31F |. 8BC3 |mov eax, ebx
004DE321 |. E8 82F2FFFF |call <BigDiv> ; temp2 = temp4%n = (n-2+temp2*temp2)%n = (temp2*temp2-2)%n
004DE326 |> FF4D EC |dec dword ptr [ebp-14] ; next lower bit of e
004DE329 |. 803D 04336D00>|cmp byte ptr [6D3304], 0 ; global flag raised? then force the loop to end
004DE330 |. 74 07 |je short 004DE339
004DE332 |. C745 EC FFFFF>|mov dword ptr [ebp-14], -1
004DE339 |> 837D EC 00 |cmp dword ptr [ebp-14], 0
004DE33D |.^ 0F8D 91FEFFFF \jge 004DE1D4 ; iterate over the bits of e from the most significant down to bit 0
004DE343 |> 8B45 0C mov eax, dword ptr [ebp+C]
004DE346 |. 8B00 mov eax, dword ptr [eax]
004DE348 |. 8BD6 mov edx, esi
004DE34A |. E8 4DECFFFF call <BigCopy> ; *[ebp+C] = temp2 (the result)
004DE34F |. 807D 08 00 cmp byte ptr [ebp+8], 0
004DE353 |. 74 0B je short 004DE360
004DE355 |. 8B55 E8 mov edx, dword ptr [ebp-18] ; release the scratch buffer allocated at 004DE17C
004DE358 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004DE35B |. E8 3C43F2FF call <FreeMem>
004DE360 |> 8B45 F0 mov eax, dword ptr [ebp-10] ; free temp1..temp4
004DE363 |. E8 E049F2FF call <Free>
004DE368 |. 8BC6 mov eax, esi
004DE36A |. E8 D949F2FF call <Free>
004DE36F |. 8BC7 mov eax, edi
004DE371 |. E8 D249F2FF call <Free>
004DE376 |. 8BC3 mov eax, ebx
004DE378 |. E8 CB49F2FF call <Free>
004DE37D |> 5F pop edi
004DE37E |. 5E pop esi
004DE37F |. 5B pop ebx
004DE380 |. 8BE5 mov esp, ebp
004DE382 |. 5D pop ebp
004DE383 \. C2 0800 retn 8 ; callee pops the two stack arguments (flag, result pointer)
对解密后得到的0x68个字节中的0x67个字节进行解码:
004E08DE . 833D 08336D00>cmp dword ptr [6D3308], 1
004E08E5 . 7F 23 jg short 004E090A
004E08E7 . 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004E08E9 . A1 34636C00 mov eax, dword ptr [6C6334] ; |
004E08EE . 50 push eax ; |Title => "Total Commander"
004E08EF . 68 B80F4E00 push 004E0FB8 ; |using cracks is unfair!\n\nplease get the
; |official release from www.ghisler.com.
004E08F4 . 6A 00 push 0 ; |hOwner = NULL
004E08F6 . E8 4559F2FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004E08FB . B8 01000000 mov eax, 1
004E0900 . E8 DB3DF2FF call 004046E0
004E0905 . E9 AA050000 jmp 004E0EB4
004E090A > 8D95 6CFEFFFF lea edx, dword ptr [ebp-194]
004E0910 . B9 67000000 mov ecx, 67
004E0915 . 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]
004E091B . E8 98C2FFFF call <BitOutBytes> ; 0x67字节大数转为字节数组,高位字节抛弃
004E0920 . 8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
004E0926 . B9 66000000 mov ecx, 66 ; 0x67个字节解码
004E092B BA BCA42000 mov edx, 20A4BC ; 初始值
004E0930 . E8 17FAFFFF call <Decode> ; 解码
004E034C >/$ 55 push ebp ; Decode: in eax=buffer, ecx=length-1, edx=initial seed; transforms the buffer in place
004E034D |. 8BEC mov ebp, esp
004E034F |. 83C4 F8 add esp, -8 ; two dword locals
004E0352 |. 53 push ebx
004E0353 |. 56 push esi
004E0354 |. 57 push edi
004E0355 |. 8BF9 mov edi, ecx ; edi = length of the data to decode, minus 1
004E0357 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = the bytes to decode
004E035A |. 8915 2CE06C00 mov dword ptr [6CE02C], edx ; [6CE02C] = initial seed consumed by RandInt
004E0360 C745 F8 14000>mov dword ptr [ebp-8], 14 ; outer pass counter: 0x14 passes
004E0367 8BF7 mov esi, edi ; outer loop start
004E0369 85F6 test esi, esi
004E036B |. 7C 1C |jl short 004E0389 ; length-1 < 0: nothing to process
004E036D |. 46 |inc esi ; esi = byte count
004E036E |. 8B5D FC |mov ebx, dword ptr [ebp-4] ; ebx = current byte pointer
004E0371 |> 8D47 01 |/lea eax, dword ptr [edi+1] ; eax = length; first inner pass; decoding runs the encoder's steps in reverse order
004E0374 |. E8 6327F2FF ||call <RandInt> ; eax = RandInt(length); advances [6CE02C]
004E0379 |. 8B55 FC ||mov edx, dword ptr [ebp-4]
004E037C |. 03D0 ||add edx, eax ; edx = &buf[eax]
004E037E |. 8BC3 ||mov eax, ebx ; eax = &buf[i]
004E0380 |. E8 BBFFFFFF ||call <ByteSwap> ; swap the two bytes
004E0385 |. 43 ||inc ebx
004E0386 |. 4E ||dec esi
004E0387 |.^ 75 E8 |\jnz short 004E0371
004E0389 |> 8BF7 |mov esi, edi ; second inner pass: per-byte rotate and xor
004E038B |. 85F6 |test esi, esi
004E038D |. 7C 2B |jl short 004E03BA
004E038F |. 46 |inc esi
004E0390 |. 8B5D FC |mov ebx, dword ptr [ebp-4]
004E0393 |> B8 08000000 |/mov eax, 8
004E0398 |. E8 3F27F2FF ||call <RandInt> ; eax = RandInt(8)
004E039D |. 8BD0 ||mov edx, eax
004E039F |. 8BC3 ||mov eax, ebx
004E03A1 |. E8 76FFFFFF ||call <ROR8> ; ror8(x,n) = x>>n | x<<(8-n); presumably applied to the byte at ebx in place
004E03A6 |. B8 00010000 ||mov eax, 100
004E03AB |. E8 2C27F2FF ||call <RandInt> ; eax = RandInt(0x100)
004E03B0 |. 8A13 ||mov dl, byte ptr [ebx]
004E03B2 |. 32C2 ||xor al, dl
004E03B4 |. 8803 ||mov byte ptr [ebx], al ; *ebx ^= RandInt(0x100)
004E03B6 |. 43 ||inc ebx
004E03B7 |. 4E ||dec esi
004E03B8 |.^ 75 D9 |\jnz short 004E0393
004E03BA |> FF4D F8 |dec dword ptr [ebp-8] ; 0x14 passes in total, so 0x14*length*3 values of [6CE02C] are generated
004E03BD |.^ 75 A8 \jnz short 004E0367
004E03BF |. 5F pop edi
004E03C0 |. 5E pop esi
004E03C1 |. 5B pop ebx
004E03C2 |. 59 pop ecx ; two pops release the 8 bytes of locals
004E03C3 |. 59 pop ecx
004E03C4 |. 5D pop ebp
004E03C5 \. C3 retn
其中004E0374处调用的RandInt计算结果出现了问题,不清楚是否是bug:
00402ADC > 6915 2CE06C00>imul edx, dword ptr [6CE02C], 8088405 ; RandInt: in eax = range; out eax in [0, range); edx = seed * 0x8088405
00402AE6 42 inc edx ; seed = seed*0x8088405 + 1 (author: some offsets come out wrong when [6CE02C]==0x20A48C)
00402AE7 8915 2CE06C00 mov dword ptr [6CE02C], edx ; store the advanced seed
00402AED F7E2 mul edx ; edx:eax = range * seed (unsigned)
00402AEF 89D0 mov eax, edx ; return the high dword, i.e. (range*seed) >> 32, which is < range
00402AF1 C3 retn
004E0935 . 33C9 xor ecx, ecx
004E0937 . B2 01 mov dl, 1
004E0939 . B8 C06F4700 mov eax, 00476FC0
004E093E . E8 BD00F3FF call 00410A00
004E0943 . 8BF0 mov esi, eax
004E0945 . 8D85 7CFEFFFF lea eax, dword ptr [ebp-184] ; 0x67解码字节偏移0x10
004E094B . 8946 20 mov dword ptr [esi+20], eax
004E094E . 8D85 5CFAFFFF lea eax, dword ptr [ebp-5A4] ; MD5存放处
004E0954 . 8946 24 mov dword ptr [esi+24], eax
004E0957 . C746 28 57000>mov dword ptr [esi+28], 57 ; 0x57个字节
004E095E . 8BC6 mov eax, esi
004E0960 . E8 CF66F9FF call <MD5Init>
004E0965 . 33D2 xor edx, edx
004E0967 . 8BC6 mov eax, esi
004E0969 . E8 5275F9FF call <CustomMD5>
004E096E . 8BC6 mov eax, esi
004E0970 . E8 4B76F9FF call <HashOutput>
004E0975 . 8BC6 mov eax, esi
004E0977 . E8 CC23F2FF call <Free>
004E097C . 8D85 5CFAFFFF lea eax, dword ptr [ebp-5A4] ; MD5值
004E0982 . 8D95 6CFEFFFF lea edx, dword ptr [ebp-194] ; 0x67解码字节前0x10字节
004E0988 . B9 10000000 mov ecx, 10
004E098D . E8 BA20F2FF call <StrCmp>
004E0992 0F84 AE000000 je 004E0A46 ; 必须相等,否则挂