【破文标题】 天天个人助理(DailyPim)注册算法分析+汇编注册机
【破文作者】 snake
【软件名称】 天天个人助理(DailyPim) V3.42
【下载地址】 http://www.skycn.com/soft/15570.html
【软件简介】 DailyPim是一款个人日常信息管理的软件,具有的功能有日记本、资料管理、文件管理、日程管理、地址簿、网页快抓、收发消息、收发文件、邮箱监视器、查询天气、火车、航班、电话区号、邮政编码、定时关机等。DailyPim是国内功能最强大的个人信息管理软件。
【调试环境】 Win2000、Ollydbg
【作者声明】 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
----------------------------------------------------------------------------------------------
【破解过程】
一、程序脱壳
用PEiD、FI查壳,均为Nothing found,只好手动脱壳了。使用两次ESP定律即可到达程序OEP。
Ollydbg载入主程序
00C70082 d> 60 pushad
00C70083 E8 00000000 call dailypim.00C70088
00C70088 5D pop ebp
00C70089 81ED 22A54500 sub ebp,dailypim.0045A522
00C7008F 8DBD 1CA54500 lea edi,dword ptr ss:[ebp+45A51C]
00C70095 81EF 82000000 sub edi,82
00C7009B 89BD 84A84500 mov dword ptr ss:[ebp+45A884],edi
00C700A1 8B4F 18 mov ecx,dword ptr ds:[edi+18]
00C700A4 89FE mov esi,edi
00C700A6 0377 14 add esi,dword ptr ds:[edi+14]
00C700A9 8B47 10 mov eax,dword ptr ds:[edi+10]
......
F8一次,在命令栏下命令 hr esp,回车,F9运行
00C70374 - FFE0 jmp eax ; 断在这里
00C70376 42 inc edx
00C70377 4B dec ebx
......
F9再运行一次
00C693B0 /75 08 jnz short dailypim.00C693BA ; 断在这里
00C693B2 |B8 01000000 mov eax,1
00C693B7 |C2 0C00 retn 0C
00C693BA \68 D85C8200 push dailypim.00825CD8
00C693BF C3 retn ; F8到这里,飞向光明之颠!^_^
00C693C0 8B85 26040000 mov eax,dword ptr ss:[ebp+426]
00C693C6 8D8D 3B040000 lea ecx,dword ptr ss:[ebp+43B]
00C693CC 51 push ecx
00C693CD 50 push eax
00C693CE FF95 490F0000 call dword ptr ss:[ebp+F49]
......
00825CD8 55 push ebp ; 程序OEP处用LordPE完全Dump这个进程
00825CD9 8BEC mov ebp,esp
00825CDB 83C4 F0 add esp,-10
00825CDE 53 push ebx
00825CDF B8 484E8200 mov eax,dailypim.00824E48
00825CE4 E8 AB19BEFF call dailypim.00407694
00825CE9 8B1D D83F8300 mov ebx,dword ptr ds:[833FD8] ; dailypim.00835C3C
00825CEF 8B03 mov eax,dword ptr ds:[ebx]
00825CF1 E8 FA57C5FF call dailypim.0047B4F0
00825CF6 8B03 mov eax,dword ptr ds:[ebx]
......
脱壳后程序可正常运行。
---------------------------------------------------------------------------------------------------
二、算法分析
运行程序,输入相关信息
机器码:G732526459
注册名:snake
注册码:7878787878
注册后提示:谢谢您的注册,下次启动生效!
说明程序在启动时要读取注册表或相应文件的内容,经分析查找,发现同目录下PIM.ini文件里有注册信息。
Ollydbg载入脱壳后的程序
右键,搜所-->所有参考文本串,查找PIM.ini并F2下断,F9运行程序
0080D9BB |. BA BCE48000 mov edx,x.0080E4BC ; ASCII "PIM.ini" 断的此处
0080D9C0 |. E8 6376BFFF call x.00405028
0080D9C5 |. 8B4D E0 mov ecx,[local.8]
0080D9C8 |. B2 01 mov dl,1
0080D9CA |. A1 D4024800 mov eax,dword ptr ds:[4802D4]
0080D9CF |. E8 B029C7FF call x.00480384
0080D9D4 |. 8BD8 mov ebx,eax
0080D9D6 |. 6A 00 push 0
0080D9D8 |. 8D45 D8 lea eax,[local.10]
0080D9DB |. 50 push eax
0080D9DC |. B9 CCE48000 mov ecx,x.0080E4CC ; ASCII "SKINFILE"
0080D9E1 |. BA E0E48000 mov edx,x.0080E4E0 ; ASCII "PIM"
0080D9E6 |. 8BC3 mov eax,ebx
0080D9E8 |. 8B38 mov edi,dword ptr ds:[eax]
0080D9EA |. FF17 call dword ptr ds:[edi]
0080D9EC |. 8B55 D8 mov edx,[local.10]
0080D9EF |. A1 E8408300 mov eax,dword ptr ds:[8340E8]
0080D9F4 |. E8 B373BFFF call x.00404DAC
0080D9F9 |. 68 ECE48000 push x.0080E4EC
0080D9FE |. 8D45 D4 lea eax,[local.11]
0080DA01 |. 50 push eax
0080DA02 |. B9 FCE48000 mov ecx,x.0080E4FC ; ASCII "WEATHER"
0080DA07 |. BA E0E48000 mov edx,x.0080E4E0 ; ASCII "PIM"
0080DA0C |. 8BC3 mov eax,ebx
0080DA0E |. 8B38 mov edi,dword ptr ds:[eax]
0080DA10 |. FF17 call dword ptr ds:[edi]
0080DA12 |. 8B55 D4 mov edx,[local.11]
0080DA15 |. A1 D4378300 mov eax,dword ptr ds:[8337D4]
0080DA1A |. E8 8D73BFFF call x.00404DAC
0080DA1F |. 6A 00 push 0
0080DA21 |. 8D45 D0 lea eax,[local.12]
0080DA24 |. 50 push eax
0080DA25 |. B9 0CE58000 mov ecx,x.0080E50C ; ASCII "REGUSER"
0080DA2A |. BA E0E48000 mov edx,x.0080E4E0 ; ASCII "PIM"
0080DA2F |. 8BC3 mov eax,ebx
0080DA31 |. 8B38 mov edi,dword ptr ds:[eax]
0080DA33 |. FF17 call dword ptr ds:[edi]
0080DA35 |. 8B55 D0 mov edx,[local.12] ; 取注册名 snake
0080DA38 |. A1 B83B8300 mov eax,dword ptr ds:[833BB8]
0080DA3D |. E8 6A73BFFF call x.00404DAC
0080DA42 |. 6A 00 push 0
0080DA44 |. 8D45 FC lea eax,[local.1]
0080DA47 |. 50 push eax
0080DA48 |. 8B0D 70438300 mov ecx,dword ptr ds:[834370] ; x.00838930
0080DA4E |. 8B09 mov ecx,dword ptr ds:[ecx] ; 取机器码 G732526459
0080DA50 |. BA E0E48000 mov edx,x.0080E4E0 ; ASCII "PIM"
0080DA55 |. 8BC3 mov eax,ebx
0080DA57 |. 8B38 mov edi,dword ptr ds:[eax]
0080DA59 |. FF17 call dword ptr ds:[edi] ; 取假注册码 7878787878
0080DA5B |. 837D FC 00 cmp [local.1],0 ; 是否为空
0080DA5F |. 75 16 jnz short x.0080DA77
0080DA61 |. 6A 00 push 0
0080DA63 |. 8D45 FC lea eax,[local.1]
0080DA66 |. 50 push eax
0080DA67 |. B9 1CE58000 mov ecx,x.0080E51C ; ASCII "REGSN"
0080DA6C |. BA E0E48000 mov edx,x.0080E4E0 ; ASCII "PIM"
0080DA71 |. 8BC3 mov eax,ebx
0080DA73 |. 8B38 mov edi,dword ptr ds:[eax]
0080DA75 |. FF17 call dword ptr ds:[edi]
0080DA77 |> A1 EC3D8300 mov eax,dword ptr ds:[833DEC]
0080DA7C |. 8B55 FC mov edx,[local.1]
0080DA7F |. E8 2873BFFF call x.00404DAC ; 转存假码 7878787878
0080DA84 |. 6A 01 push 1
0080DA86 |. B9 2CE58000 mov ecx,x.0080E52C ; ASCII "SKIN"
0080DA8B |. BA E0E48000 mov edx,x.0080E4E0 ; ASCII "PIM"
......(省略部分)
0080E4AC . 5F pop edi
0080E4AD . 5E pop esi
0080E4AE . 5B pop ebx
0080E4AF . 8BE5 mov esp,ebp
0080E4B1 . 5D pop ebp
0080E4B2 . C3 retn ; 返回程序
--------------------------------------------------------------------------------------------------
007AF2A2 . 8B03 mov eax,dword ptr ds:[ebx]
007AF2A4 . E8 D7E60500 call x.0080D980
007AF2A9 . 8B03 mov eax,dword ptr ds:[ebx] ; 返回此处
007AF2AB . E8 00060600 call x.0080F8B0 ; F7跟进
007AF2B0 . A1 D83F8300 mov eax,dword ptr ds:[833FD8]
......
========================= 跟进 007AF2AB E8 00060600 call x.0080F8B0 =========================
0080F8B0 $ 55 push ebp
0080F8B1 . 8BEC mov ebp,esp
0080F8B3 . B9 11000000 mov ecx,11
0080F8B8 > 6A 00 push 0
0080F8BA . 6A 00 push 0
0080F8BC . 49 dec ecx
0080F8BD .^ 75 F9 jnz short x.0080F8B8
0080F8BF . 53 push ebx
......(省略部分)
00810B12 . 8BD8 mov ebx,eax
00810B14 . A1 DC3F8300 mov eax,dword ptr ds:[833FDC]
00810B19 . C700 01000000 mov dword ptr ds:[eax],1
00810B1F . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
00810B25 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00810B28 . 8B80 940F0000 mov eax,dword ptr ds:[eax+F94] ; ★eax=2BA9777B★
00810B2E . E8 152AF8FF call x.00793548 ; 迷惑算法call,F7跟进
00810B33 . 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-88] ; 生成扰乱码"d1e6d708c38023"
00810B39 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00810B3F . E8 602BF8FF call x.007936A4 ; 计算注册码call,F7跟进
00810B44 . 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-84] ; 真码"e260a449e3738"
00810B4A . 8B15 EC3D8300 mov edx,dword ptr ds:[833DEC] ; x.00838898
00810B50 . 8B12 mov edx,dword ptr ds:[edx] ; 假码"787878787878"
00810B52 . E8 0548BFFF call x.0040535C ; 比较call
00810B57 . 85C0 test eax,eax
00810B59 . 74 0D je short x.00810B68 ; ★★关键跳转,不跳则为正式版,爆破点
00810B5B . A1 DC3F8300 mov eax,dword ptr ds:[833FDC]
00810B60 . C700 03000000 mov dword ptr ds:[eax],3
00810B66 . EB 10 jmp short x.00810B78
00810B68 > 83FB 66 cmp ebx,66
00810B6B . 7E 0B jle short x.00810B78
......
----------------------------------------------------------------------------------------------------------
过程说明:经分析该软件生成的注册码不是由机器码运算得来的,而是由本机C盘的卷号运算得来的。
00810B28处eax=2BA9777B是由C盘的卷号初步运算得到的,00810B2E处的call是把这个值经过一系列运算
生成的扰乱码"d1e6d708c38023",而这个码在00810B3F处的计算注册码call中又被逆运算回相应的值,
因此中间的分析过程略掉,只具体分析计算注册码call的内容。
------------------------------------------------------------------------------------------------------------
00810B28处★eax=2BA9777B★的由来
获取本机C盘卷号,Ollydbg重新载入脱壳后的程序,下断bpx GetVolumeInformationA,F9运行
007934FF |. 6A 00 push 0 ; /pFileSystemNameSize = NULL
00793501 |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
00793503 |. 8D4424 10 lea eax,dword ptr ss:[esp+10] ; |
00793507 |. 50 push eax ; |pFileSystemFlags
00793508 |. 8D4424 10 lea eax,dword ptr ss:[esp+10] ; |
0079350C |. 50 push eax ; |pMaxFilenameLength
0079350D |. 8D4424 10 lea eax,dword ptr ss:[esp+10] ; |
00793511 |. 50 push eax ; |pVolumeSerialNumber
00793512 |. 6A 00 push 0 ; |MaxVolumeNameSize = 0
00793514 |. 6A 00 push 0 ; |VolumeNameBuffer = NULL
00793516 |. 68 40357900 push x.00793540 ; |RootPathName = "c:\\"
0079351B |. E8 0446C7FF call <jmp.&kernel32.GetVolumeInformationA> ; \GetVolumeInformationA
00793520 |. 8B0424 mov eax,dword ptr ss:[esp] ; ★eax=24351DE4 本机C盘的卷号★
00793523 |. 05 85000000 add eax,85 ; eax=24351E69
00793528 |. B9 22000000 mov ecx,22 ; ecx=22
0079352D |. 33D2 xor edx,edx ; edx=0
0079352F |. F7F1 div ecx
00793531 |. 6BC0 29 imul eax,eax,29 ; ★eax=2BA9777B★
00793534 |. 890424 mov dword ptr ss:[esp],eax
00793537 |. 8B0424 mov eax,dword ptr ss:[esp]
0079353A |. 83C4 0C add esp,0C
0079353D \. C3 retn ; 返回程序
========================= 跟进 00810B2E E8 152AF8FF call x.00793548 =========================
00793548 /$ 55 push ebp
00793549 |. 8BEC mov ebp,esp
0079354B |. 33C9 xor ecx,ecx
0079354D |. 51 push ecx
0079354E |. 51 push ecx
0079354F |. 51 push ecx
00793550 |. 51 push ecx
00793551 |. 51 push ecx
00793552 |. 51 push ecx
00793553 |. 53 push ebx
00793554 |. 56 push esi
00793555 |. 8BF2 mov esi,edx
00793557 |. 8BD8 mov ebx,eax ; ★ebx=2BA9777B★
00793559 |. 33C0 xor eax,eax
0079355B |. 55 push ebp
0079355C |. 68 94367900 push x.00793694
00793561 |. 64:FF30 push dword ptr fs:[eax]
00793564 |. 64:8920 mov dword ptr fs:[eax],esp
00793567 |. 81F3 7C803F48 xor ebx,483F807C
0079356D |. 8BC3 mov eax,ebx ; ★eax=6396F707★ 此值在计算注册码call中用到
0079356F |. 33D2 xor edx,edx
00793571 |. 52 push edx ; /Arg2 => 00000000
00793572 |. 50 push eax ; |Arg1
......
========================= ★跟进 00810B3F E8 602BF8FF call x.007936A4★ =======================
007936A4 /$ 55 push ebp
007936A5 |. 8BEC mov ebp,esp
007936A7 |. 83C4 C0 add esp,-40
007936AA |. 53 push ebx
007936AB |. 56 push esi
007936AC |. 33C9 xor ecx,ecx
007936AE |. 894D C0 mov [local.16],ecx
007936B1 |. 894D C4 mov [local.15],ecx
007936B4 |. 894D C8 mov [local.14],ecx
007936B7 |. 894D F4 mov [local.3],ecx
007936BA |. 894D F0 mov [local.4],ecx
007936BD |. 8955 F8 mov [local.2],edx
......(省略部分)
0079372F |. 8B45 F4 mov eax,[local.3]
00793732 |. E8 896DC7FF call x.0040A4C0
00793737 |. 8BD8 mov ebx,eax ; ★ebx=6396F707★
00793739 |. F7D3 not ebx
0079373B |. 81F3 22211276 xor ebx,76122122
00793741 |. 8BC3 mov eax,ebx
00793743 |. 25 000000FF and eax,FF000000
00793748 |. C1E8 18 shr eax,18
0079374B |. 8906 mov dword ptr ds:[esi],eax ; [12FCDC]=EA
0079374D |. 8BC3 mov eax,ebx
0079374F |. 25 0000FF00 and eax,0FF0000
00793754 |. C1E8 10 shr eax,10
00793757 |. 8946 04 mov dword ptr ds:[esi+4],eax ; [12FCE0]=7B
0079375A |. 8BC3 mov eax,ebx
0079375C |. 25 00FF0000 and eax,0FF00
00793761 |. C1E8 08 shr eax,8
00793764 |. 8946 08 mov dword ptr ds:[esi+8],eax ; [12FCE4]=29
00793767 |. 8BC3 mov eax,ebx
00793769 |. 25 FF000000 and eax,0FF
0079376E |. 8946 0C mov dword ptr ds:[esi+C],eax ; [12FCE8]=DA
00793771 |. 8B16 mov edx,dword ptr ds:[esi]
00793773 |. 81E2 C0000000 and edx,0C0
00793779 |. 8B4E 04 mov ecx,dword ptr ds:[esi+4]
0079377C |. 81E1 C0000000 and ecx,0C0
00793782 |. C1E9 02 shr ecx,2
00793785 |. 03D1 add edx,ecx
00793787 |. 8B4E 08 mov ecx,dword ptr ds:[esi+8]
0079378A |. 81E1 C0000000 and ecx,0C0
00793790 |. C1E9 04 shr ecx,4
00793793 |. 03D1 add edx,ecx
00793795 |. 25 C0000000 and eax,0C0
0079379A |. C1E8 06 shr eax,6
0079379D |. 03D0 add edx,eax
0079379F |. 8955 CC mov [local.13],edx ; [12FCCC]=D3
007937A2 |. 8B06 mov eax,dword ptr ds:[esi]
007937A4 |. 83E0 30 and eax,30
007937A7 |. C1E0 02 shl eax,2
007937AA |. 8B56 04 mov edx,dword ptr ds:[esi+4]
007937AD |. 83E2 30 and edx,30
007937B0 |. 03C2 add eax,edx
007937B2 |. 8B56 08 mov edx,dword ptr ds:[esi+8]
007937B5 |. 83E2 30 and edx,30
007937B8 |. C1EA 02 shr edx,2
007937BB |. 03C2 add eax,edx
007937BD |. 8B56 0C mov edx,dword ptr ds:[esi+C]
007937C0 |. 83E2 30 and edx,30
007937C3 |. C1EA 04 shr edx,4
007937C6 |. 03C2 add eax,edx
007937C8 |. 8945 D0 mov [local.12],eax ; [12FCD0]=B9
007937CB |. 8B06 mov eax,dword ptr ds:[esi]
007937CD |. 83E0 0C and eax,0C
007937D0 |. C1E0 04 shl eax,4
007937D3 |. 8B56 04 mov edx,dword ptr ds:[esi+4]
007937D6 |. 83E2 0C and edx,0C
007937D9 |. C1E2 02 shl edx,2
007937DC |. 03C2 add eax,edx
007937DE |. 8B56 08 mov edx,dword ptr ds:[esi+8]
007937E1 |. 83E2 0C and edx,0C
007937E4 |. 03C2 add eax,edx
007937E6 |. 8B56 0C mov edx,dword ptr ds:[esi+C]
007937E9 |. 83E2 0C and edx,0C
007937EC |. C1EA 02 shr edx,2
007937EF |. 03C2 add eax,edx
007937F1 |. 8945 D4 mov [local.11],eax ; [12FCD4]=AA
007937F4 |. 8B06 mov eax,dword ptr ds:[esi]
007937F6 |. 83E0 03 and eax,3
007937F9 |. C1E0 06 shl eax,6
007937FC |. 8B56 04 mov edx,dword ptr ds:[esi+4]
007937FF |. 83E2 03 and edx,3
00793802 |. C1E2 04 shl edx,4
00793805 |. 03C2 add eax,edx
00793807 |. 8B56 08 mov edx,dword ptr ds:[esi+8]
0079380A |. 83E2 03 and edx,3
0079380D |. C1E2 02 shl edx,2
00793810 |. 03C2 add eax,edx
00793812 |. 8B56 0C mov edx,dword ptr ds:[esi+C]
00793815 |. 83E2 03 and edx,3
00793818 |. 03C2 add eax,edx
0079381A |. 8945 D8 mov [local.10],eax ; [12FCD8]=B6
0079381D |. 8B5D CC mov ebx,[local.13]
00793820 |. C1E3 18 shl ebx,18
00793823 |. 8B45 D0 mov eax,[local.12]
00793826 |. C1E0 10 shl eax,10
00793829 |. 03D8 add ebx,eax
0079382B |. 8B45 D4 mov eax,[local.11]
0079382E |. C1E0 08 shl eax,8
00793831 |. 03D8 add ebx,eax
00793833 |. 035D D8 add ebx,[local.10]
00793836 |. 8BC3 mov eax,ebx
00793838 |. 25 000000FF and eax,FF000000
0079383D |. C1E8 18 shr eax,18
00793840 |. 8906 mov dword ptr ds:[esi],eax ; [12FCDC]=D3
00793842 |. 8BC3 mov eax,ebx
00793844 |. 25 0000FF00 and eax,0FF0000
00793849 |. C1E8 10 shr eax,10
0079384C |. 8946 04 mov dword ptr ds:[esi+4],eax ; [12FCE0]=B9
0079384F |. 8BC3 mov eax,ebx
00793851 |. 25 00FF0000 and eax,0FF00
00793856 |. C1E8 08 shr eax,8
00793859 |. 8946 08 mov dword ptr ds:[esi+8],eax ; [12FCE4]=AA
0079385C |. 81E3 FF000000 and ebx,0FF
00793862 |. 895E 0C mov dword ptr ds:[esi+C],ebx ; [12FCE8]=B6
00793865 |. 8B06 mov eax,dword ptr ds:[esi]
00793867 |. 8BD0 mov edx,eax
00793869 |. 81E2 F0000000 and edx,0F0
0079386F |. C1EA 04 shr edx,4
00793872 |. 83E0 0F and eax,0F
00793875 |. C1E0 04 shl eax,4
00793878 |. 03D0 add edx,eax
0079387A |. 8916 mov dword ptr ds:[esi],edx ; [12FCDC]=3D
0079387C |. 8B46 04 mov eax,dword ptr ds:[esi+4]
0079387F |. 8BD0 mov edx,eax
00793881 |. 81E2 F0000000 and edx,0F0
00793887 |. C1EA 04 shr edx,4
0079388A |. 83E0 0F and eax,0F
0079388D |. C1E0 04 shl eax,4
00793890 |. 03D0 add edx,eax
00793892 |. 8956 04 mov dword ptr ds:[esi+4],edx ; [12FCE0]=9B
00793895 |. 8B46 08 mov eax,dword ptr ds:[esi+8]
00793898 |. 8BD0 mov edx,eax
0079389A |. 81E2 F0000000 and edx,0F0
007938A0 |. C1EA 04 shr edx,4
007938A3 |. 83E0 0F and eax,0F
007938A6 |. C1E0 04 shl eax,4
007938A9 |. 03D0 add edx,eax
007938AB |. 8956 08 mov dword ptr ds:[esi+8],edx ; [12FCE4]=AA
007938AE |. 8B46 0C mov eax,dword ptr ds:[esi+C]
007938B1 |. 8BD0 mov edx,eax
007938B3 |. 81E2 F0000000 and edx,0F0
007938B9 |. C1EA 04 shr edx,4
007938BC |. 83E0 0F and eax,0F
007938BF |. C1E0 04 shl eax,4
007938C2 |. 03D0 add edx,eax
007938C4 |. 8956 0C mov dword ptr ds:[esi+C],edx ; [12FCE8]=6B
007938C7 |. 8B5E 04 mov ebx,dword ptr ds:[esi+4]
007938CA |. C1E3 18 shl ebx,18
007938CD |. 8B06 mov eax,dword ptr ds:[esi]
007938CF |. C1E0 10 shl eax,10
007938D2 |. 03D8 add ebx,eax
007938D4 |. C1E2 08 shl edx,8
007938D7 |. 03DA add ebx,edx
007938D9 |. 035E 08 add ebx,dword ptr ds:[esi+8]
007938DC |. 8BC3 mov eax,ebx ; eax=9B3D6BAA
007938DE |. 33D2 xor edx,edx
007938E0 |. 52 push edx ; /Arg2 => 00000000
007938E1 |. 50 push eax ; |Arg1
007938E2 |. 8D45 F0 lea eax,[local.4] ; |
007938E5 |. E8 F26AC7FF call x.0040A3DC ; \16进制数转换为10进制字符串
007938EA |. 8B45 F0 mov eax,[local.4] ; eax="2604493738"
007938ED |. 0FB600 movzx eax,byte ptr ds:[eax]
007938F0 |. 8B55 F0 mov edx,[local.4]
007938F3 |. 0FB652 01 movzx edx,byte ptr ds:[edx+1]
007938F7 |. 03C2 add eax,edx
007938F9 |. B9 05000000 mov ecx,5
007938FE |. 99 cdq
007938FF |. F7F9 idiv ecx
00793901 |. 80C2 61 add dl,61
00793904 |. 8855 ED mov byte ptr ss:[ebp-13],dl ; [12FCED]='e'
00793907 |. 8B45 F0 mov eax,[local.4]
0079390A |. 0FB640 02 movzx eax,byte ptr ds:[eax+2]
0079390E |. 8B55 F0 mov edx,[local.4]
00793911 |. 0FB652 03 movzx edx,byte ptr ds:[edx+3]
00793915 |. 03C2 add eax,edx
00793917 |. B9 05000000 mov ecx,5
0079391C |. 99 cdq
0079391D |. F7F9 idiv ecx
0079391F |. 80C2 61 add dl,61
00793922 |. 8855 EE mov byte ptr ss:[ebp-12],dl ; [12FCEE]='a'
00793925 |. 8B45 F0 mov eax,[local.4]
00793928 |. 0FB640 04 movzx eax,byte ptr ds:[eax+4]
0079392C |. 8B55 F0 mov edx,[local.4]
0079392F |. 0FB652 05 movzx edx,byte ptr ds:[edx+5]
00793933 |. 03C2 add eax,edx
00793935 |. B9 05000000 mov ecx,5
0079393A |. 99 cdq
0079393B |. F7F9 idiv ecx
0079393D |. 80C2 61 add dl,61
00793940 |. 8855 EF mov byte ptr ss:[ebp-11],dl ; [12FCEF]='e'
00793943 |. 8D45 C8 lea eax,[local.14]
00793946 |. 8A55 ED mov dl,byte ptr ss:[ebp-13]
00793949 |. E8 EA15C7FF call x.00404F38
0079394E |. 8B45 C8 mov eax,[local.14]
00793951 |. 8D55 F0 lea edx,[local.4]
00793954 |. B9 01000000 mov ecx,1
00793959 |. E8 A219C7FF call x.00405300 ; 插入字符'e'
0079395E |. 8D45 C4 lea eax,[local.15]
00793961 |. 8A55 EE mov dl,byte ptr ss:[ebp-12]
00793964 |. E8 CF15C7FF call x.00404F38
00793969 |. 8B45 C4 mov eax,[local.15]
0079396C |. 8D55 F0 lea edx,[local.4]
0079396F |. B9 05000000 mov ecx,5
00793974 |. E8 8719C7FF call x.00405300 ; 插入字符'a'
00793979 |. 8D45 C0 lea eax,[local.16]
0079397C |. 8A55 EF mov dl,byte ptr ss:[ebp-11]
0079397F |. E8 B415C7FF call x.00404F38
00793984 |. 8B45 C0 mov eax,[local.16]
00793987 |. 8D55 F0 lea edx,[local.4]
0079398A |. B9 09000000 mov ecx,9
0079398F |. E8 6C19C7FF call x.00405300 ; 插入字符'e'
00793994 |. 8B45 F8 mov eax,[local.2]
00793997 |. 8B55 F0 mov edx,[local.4] ; edx="e260a449e3738" 生成真注册码
0079399A |. E8 0D14C7FF call x.00404DAC
0079399F |. 33C0 xor eax,eax
007939A1 |. 5A pop edx
007939A2 |. 59 pop ecx
007939A3 |. 59 pop ecx
007939A4 |. 64:8910 mov dword ptr fs:[eax],edx
007939A7 |. 68 D6397900 push x.007939D6
007939AC |> 8D45 C0 lea eax,[local.16]
007939AF |. BA 03000000 mov edx,3
007939B4 |. E8 C313C7FF call x.00404D7C
007939B9 |. 8D45 F0 lea eax,[local.4]
007939BC |. BA 02000000 mov edx,2
007939C1 |. E8 B613C7FF call x.00404D7C
007939C6 |. 8D45 FC lea eax,[local.1]
007939C9 |. E8 8A13C7FF call x.00404D58
007939CE \. C3 retn ; 返回程序
---------------------------------------------------------------------------------------------------------
【算法总结】 见以上分析过程,具体我也说不清楚,表达能力差,见谅 ^-^!
不过在写汇编语言注册机时,以上大段代码稍加修改就可照抄,省了不少事呀,这就是汇编的优点。
---------------------------------------------------------------------------------------------------------
【汇编注册机算法部分源码】
.data
szPathName db 'c:\\',0
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;函数功能:将16进制数转换为10进制数形式的字符串
;函数参数:
; dwNum: 待转换的16进制数
; lpszStr:指针,存放转换后字符串的地址
;返回值:没有
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
dw2str proc dwNum:DWORD, lpszStr:DWORD
local @szStrTmp[32]:BYTE
mov edi,lpszStr
mov eax,dwNum
xor ebx,ebx
@2:
xor edx,edx
mov ecx,0ah
div ecx
add dl,30h
cmp dl,3ah
jb @1
add dl,7
@1:
mov BYTE ptr [@szStrTmp+ebx],dl
inc ebx
or eax,eax
jnz @2
xor edx,edx
@3:
mov al,BYTE ptr [@szStrTmp+ebx-1]
mov BYTE ptr [edi+edx],al
inc edx
dec ebx
jnz @3
mov BYTE ptr [edi+edx],0
ret
dw2str endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;函数功能:在字符串中指定位置插入字符
;函数参数:
; lpszStr:指针,待插入字符的字符串地址
; lpChar: 指针,要插入的字符地址
; wPos: 插入的位置
;返回值:没有
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
InsertChar proc lpszStr:DWORD,lpChar:DWORD,wPos:DWORD
local @szInStr[32]:BYTE
mov edi,lpszStr
mov esi,lpChar
mov edx,wPos
dec edx
mov ecx,edx
add edx,edi
add edi,ecx
invoke lstrcpy, addr @szInStr,edx
mov bl,BYTE ptr [esi]
mov BYTE ptr [edi],bl
mov BYTE ptr [edi+1],0
invoke lstrcat,edi,addr @szInStr
ret
InsertChar endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;算法函数
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
GetRegKey proc hDlg:DWORD
local szRegNum[64]:BYTE,szRlt[32]:BYTE
local szChar[8]:BYTE,nVolNum:DWORD,Char:BYTE
local dwConvert1:DWORD,dwConvert2:DWORD,dwConvert3:DWORD,dwConvert4:DWORD
pushad
invoke GetVolumeInformation,addr szPathName,NULL,0,\
addr nVolNum,NULL,NULL,NULL,NULL
mov eax,nVolNum
add eax,85h
mov ecx,22h
xor edx,edx
div ecx
imul eax,eax,29h
xor eax,483F807Ch
mov ebx,eax
not ebx
xor ebx,76122122h
mov eax,ebx
and eax,0ff000000h
shr eax,18h
mov DWORD ptr [szRlt],eax
mov eax,ebx
and eax,0ff0000h
shr eax,10h
mov DWORD ptr [szRlt+4],eax
mov eax,ebx
and eax,0ff00h
shr eax,8
mov DWORD ptr [szRlt+8],eax
mov eax,ebx
and eax,0ffh
mov DWORD ptr [szRlt+0ch],eax
mov edx,DWORD ptr [szRlt]
and edx,0c0h
mov ecx,DWORD ptr [szRlt+4]
and ecx,0c0h
shr ecx,2
add edx,ecx
mov ecx,DWORD ptr [szRlt+8]
and ecx,0c0h
shr ecx,4
add edx,ecx
and eax,0c0h
shr eax,6
add edx,eax
mov dwConvert1,edx
mov eax,DWORD ptr [szRlt]
and eax,30h
shl eax,2
mov edx,DWORD ptr [szRlt+4]
and edx,30h
add eax,edx
mov edx,DWORD ptr [szRlt+8]
and edx,30h
shr edx,2
add eax,edx
mov edx,DWORD ptr [szRlt+0ch]
and edx,30h
shr edx,4
add eax,edx
mov dwConvert2,eax
mov eax,DWORD ptr [szRlt]
and eax,0ch
shl eax,4
mov edx,DWORD ptr [szRlt+4]
and edx,0ch
shl edx,2
add eax,edx
mov edx,DWORD ptr [szRlt+8]
and edx,0ch
add eax,edx
mov edx,DWORD ptr [szRlt+0ch]
and edx,0ch
shr edx,2
add eax,edx
mov dwConvert3,eax
mov eax,DWORD ptr [szRlt]
and eax,3
shl eax,6
mov edx,DWORD ptr [szRlt+4]
and edx,3
shl edx,4
add eax,edx
mov edx,DWORD ptr [szRlt+8]
and edx,3
shl edx,2
add eax,edx
mov edx,DWORD ptr [szRlt+0ch]
and edx,3
add eax,edx
mov dwConvert4,eax
mov ebx,dwConvert1
shl ebx,18h
mov eax,dwConvert2
shl eax,10h
add ebx,eax
mov eax,dwConvert3
shl eax,8
add ebx,eax
add ebx,dwConvert4
mov eax,ebx
and eax,0ff000000h
shr eax,18h
mov DWORD ptr [szRlt],eax
mov eax,ebx
and eax,0ff0000h
shr eax,10h
mov DWORD ptr [szRlt+4],eax
mov eax,ebx
and eax,0ff00h
shr eax,8
mov DWORD ptr [szRlt+8],eax
and ebx,0FFh
mov DWORD ptr [szRlt+0ch],ebx
mov eax,DWORD ptr [szRlt]
mov edx,eax
and edx,0f0h
shr edx,4
and eax,0Fh
shl eax,4
add edx,eax
mov DWORD ptr [szRlt],edx
mov eax,DWORD ptr [szRlt+4]
mov edx,eax
and edx,0f0h
shr edx,4
and eax,0fh
shl eax,4
add edx,eax
mov DWORD ptr [szRlt+4],edx
mov eax,DWORD ptr [szRlt+8]
mov edx,eax
and edx,0f0h
shr edx,4
and eax,0fh
shl eax,4
add edx,eax
mov DWORD ptr [szRlt+8],edx
mov eax,DWORD ptr [szRlt+0ch]
mov edx,eax
and edx,0f0h
shr edx,4
and eax,0fh
shl eax,4
add edx,eax
mov DWORD ptr [szRlt+0ch],edx
mov ebx,DWORD ptr [szRlt+4]
shl ebx,18h
mov eax,DWORD ptr [szRlt]
shl eax,10h
add ebx,eax
shl edx,8
add ebx,edx
add ebx,DWORD ptr [szRlt+8]
mov eax,ebx
mov nVolNum,eax
invoke dw2str,nVolNum,addr szRegNum
lea eax,szRegNum
movzx eax,BYTE ptr [eax]
lea edx,szRegNum
movzx edx,BYTE ptr [edx+1]
add eax,edx
mov ecx,5
cdq
idiv ecx
add dl,61h
mov BYTE ptr [szChar],dl
lea eax,szRegNum
movzx eax,BYTE ptr [eax+2]
lea edx,szRegNum
movzx edx,BYTE ptr [edx+3]
add eax,edx
mov ecx,5
cdq
idiv ecx
add dl,61h
mov BYTE ptr [szChar+1],dl
lea eax,szRegNum
movzx eax,BYTE ptr [eax+4]
lea edx,szRegNum
movzx edx,BYTE ptr [edx+5]
add eax,edx
mov ecx,5
cdq
idiv ecx
add dl,61h
mov BYTE ptr [szChar+2],dl
mov al,BYTE ptr [szChar]
mov Char,al
invoke InsertChar,addr szRegNum,addr Char,1
mov al,BYTE ptr [szChar+1]
mov Char,al
invoke InsertChar,addr szRegNum,addr Char,5
mov al,BYTE ptr [szChar+2]
mov Char,al
invoke InsertChar,addr szRegNum,addr Char,9
invoke SetDlgItemText,hDlg,IDC_REG,addr szRegNum
popad
ret
GetRegKey endp
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
支持加精。
