学日语练打字 1.0
软件语言: 简体中文
软件类别: 国产软件/共享版/电脑学习
运行环境: Win9x/Me/NT/2000/XP
界面预览: 无
软件大小: 243KB
软件更新: 2005-3-4
下载地址:http://www.pcdog.com/soft/54214.htm
加壳方式:SoftSentry 2.11 -> 20/20 Software
破解平台:WIN2000
一、脱壳
00480E90 > 55 push ebp//进入OD后断在这!
00480E91 8BEC mov ebp,esp
00480E93 83EC 64 sub esp,64
00480E96 53 push ebx
00480E97 56 push esi
00480E98 57 push edi
00480E99 E9 50000000 jmp 学日语练.00480EEE
00480EEE C745 E8 0000000>mov dword ptr ss:[ebp-18],0
00480EF5 8D45 BC lea eax,dword ptr ss:[ebp-44]
00480EF8 50 push eax
00480EF9 FF15 98A44800 call dword ptr ds:[<&KERNEL32.GetSt>; kernel32.GetStartupInfoA
00480EFF F645 E8 01 test byte ptr ss:[ebp-18],1
00480F03 0F84 10000000 je 学日语练.00480F19
00480F09 8B45 EC mov eax,dword ptr ss:[ebp-14]
00480F0C 25 FFFF0000 and eax,0FFFF
00480F11 8945 14 mov dword ptr ss:[ebp+14],eax
00480F14 E9 07000000 jmp 学日语练.00480F20
00480F20 6A 00 push 0
00480F22 FF15 A0A44800 call dword ptr ds:[<&KERNEL32.GetMo>; kernel32.GetModuleHandleA
00480F28 8945 08 mov dword ptr ss:[ebp+8],eax
00480F2B C745 0C 0000000>mov dword ptr ss:[ebp+C],0
00480F32 FF15 84A44800 call dword ptr ds:[<&KERNEL32.GetCo>; kernel32.GetCommandLineA
00480F38 8945 10 mov dword ptr ss:[ebp+10],eax
00480F3B 8B45 08 mov eax,dword ptr ss:[ebp+8]
00480F3E 8945 B4 mov dword ptr ss:[ebp-4C],eax
00480F41 66:C705 B861480>mov word ptr ds:[4861B8],0
00480F4A 66:C705 429C480>mov word ptr ds:[489C42],0
00480F53 837D 0C 00 cmp dword ptr ss:[ebp+C],0
00480F57 0F85 17000000 jnz 学日语练.00480F74
00480F5D 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00480F60 E8 8B0E0000 call 学日语练.00481DF0
00480F65 85C0 test eax,eax
00480F67 0F85 07000000 jnz 学日语练.00480F74
00480F74 68 04010000 push 104
00480F79 68 709A4800 push 学日语练.00489A70
00480F7E 8B45 08 mov eax,dword ptr ss:[ebp+8]
00480F81 50 push eax
00480F82 FF15 88A44800 call dword ptr ds:[<&KERNEL32.GetMo>; kernel32.GetModuleFileNameA
00480F88 85C0 test eax,eax
00480F8A 0F85 07000000 jnz 学日语练.00480F97
00480F97 8B55 14 mov edx,dword ptr ss:[ebp+14]
00480F9A 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00480F9D E8 9E0E0000 call 学日语练.00481E40
00480FA2 85C0 test eax,eax
00480FA4 0F85 1B000000 jnz 学日语练.00480FC5
00480FC5 C745 B0 0100000>mov dword ptr ss:[ebp-50],1
00480FCC 8B45 10 mov eax,dword ptr ss:[ebp+10]
00480FCF A3 D0994800 mov dword ptr ds:[4899D0],eax
00480FD4 BA 509A4800 mov edx,学日语练.00489A50
00480FD9 8D0D B1994800 lea ecx,dword ptr ds:[4899B1]
00480FDF E8 CC2B0000 call 学日语练.00483BB0
00480FE4 E8 F72B0000 call 学日语练.00483BE0
00480FE9 85C0 test eax,eax
00480FEB 0F84 18000000 je 学日语练.00481009
00480FF1 66:C705 B861480>mov word ptr ds:[4861B8],1
00480FFA C705 68614800 0>mov dword ptr ds:[486168],1
00481004 E9 9A020000 jmp 学日语练.004812A3
00481009 B9 01000000 mov ecx,1
0048100E E8 7D2A0000 call 学日语练.00483A90
00481013 33C0 xor eax,eax “86362”
00481015 66:A1 429C4800 mov ax,word ptr ds:[489C42]
0048101B F6C4 C0 test ah,0C0
0048101E 0F85 2E000000 jnz 学日语练.00481052
00481024 33C0 xor eax,eax
00481026 66:A1 429C4800 mov ax,word ptr ds:[489C42]
0048102C F6C4 10 test ah,10
0048102F 0F84 1D000000 je 学日语练.00481052
00481035 6A 00 push 0
00481037 68 03800000 push 8003
0048103C 68 11010000 push 111
00481041 A1 909B4800 mov eax,dword ptr ds:[489B90]
00481046 50 push eax
00481047 FF15 34A54800 call dword ptr ds:[<&USER32.SendMes>; user32.SendMessageA
0048104D E9 05000000 jmp 学日语练.00481057
00481052 E8 19060000 call 学日语练.00481670
00481057 833D 70614800 0>cmp dword ptr ds:[486170],0
0048105E 0F84 16000000 je 学日语练.0048107A
00481064 8B4D B0 mov ecx,dword ptr ss:[ebp-50]
00481067 E8 442C0000 call 学日语练.00483CB0
//这里是索要注册码的地方!跳出注册窗口,要求注册,先点“试用”,跳过去
0048106C 8945 B0 mov dword ptr ss:[ebp-50],eax
0048106F 8B4D B0 mov ecx,dword ptr ss:[ebp-50]
00481072 E8 F92C0000 call 学日语练.00483D70
00481077 8945 B0 mov dword ptr ss:[ebp-50],eax
0048107A 837D B0 01 cmp dword ptr ss:[ebp-50],1
0048107E 0F85 27000000 jnz 学日语练.004810AB
00481084 33C0 xor eax,eax
00481086 66:A1 B8614800 mov ax,word ptr ds:[4861B8]
0048108C 85C0 test eax,eax
0048108E 0F84 17000000 je 学日语练.004810AB
00481094 33C0 xor eax,eax
00481096 66:A1 AF994800 mov ax,word ptr ds:[4899AF]
0048109C 85C0 test eax,eax
0048109E 0F84 07000000 je 学日语练.004810AB
004810A4 66:FF0D AF99480>dec word ptr ds:[4899AF]
004810AB 837D B0 01 cmp dword ptr ss:[ebp-50],1
004810AF 0F85 0C010000 jnz 学日语练.004811C1
004810B5 33C0 xor eax,eax
004810B7 66:A1 B8614800 mov ax,word ptr ds:[4861B8]
004810BD 85C0 test eax,eax
004810BF 0F84 FC000000 je 学日语练.004811C1
004810C5 33C0 xor eax,eax
004810C7 66:A1 7C614800 mov ax,word ptr ds:[48617C]
004810CD A8 02 test al,2
004810CF 0F85 1E000000 jnz 学日语练.004810F3
004810D5 833D 78614800 0>cmp dword ptr ds:[486178],0
004810DC 0F84 11000000 je 学日语练.004810F3
004810E2 33C0 xor eax,eax
004810E4 66:A1 7C614800 mov ax,word ptr ds:[48617C]
004810EA 83C8 02 or eax,2
004810ED 66:A3 7C614800 mov word ptr ds:[48617C],ax
004810F3 33C0 xor eax,eax
004810F5 66:A1 7C614800 mov ax,word ptr ds:[48617C]
004810FB A8 02 test al,2
004810FD 0F84 2F000000 je 学日语练.00481132
00481132 33C0 xor eax,eax
00481134 66:A1 7C614800 mov ax,word ptr ds:[48617C]
0048113A A8 01 test al,1
0048113C 0F85 7F000000 jnz 学日语练.004811C1
00481142 833D 74614800 0>cmp dword ptr ds:[486174],0
00481149 0F84 35000000 je 学日语练.00481184
00481184 833D 74614800 0>cmp dword ptr ds:[486174],0
0048118B 0F84 30000000 je 学日语练.004811C1
00481191 0FBF05 C1994800 movsx eax,word ptr ds:[4899C1]
00481198 85C0 test eax,eax
0048119A 0F8D 21000000 jge 学日语练.004811C1
004811C1 33C0 xor eax,eax
004811C3 66:A1 7C614800 mov ax,word ptr ds:[48617C]
004811C9 85C0 test eax,eax
004811CB 0F84 D2000000 je 学日语练.004812A3
004811D1 837D B0 01 cmp dword ptr ss:[ebp-50],1
004811D5 0F85 C8000000 jnz 学日语练.004812A3
004811DB 33C0 xor eax,eax
004811DD 66:A1 B8614800 mov ax,word ptr ds:[4861B8]
004811E3 85C0 test eax,eax
004811E5 0F84 B8000000 je 学日语练.004812A3
004812A3 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
004812A6 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004812A9 E8 12010000 call 学日语练.004813C0
004812AE 8945 B8 mov dword ptr ss:[ebp-48],eax
004812B1 6A 00 push 0
004812B3 6A 00 push 0
004812B5 6A 10 push 10
004812B7 A1 909B4800 mov eax,dword ptr ds:[489B90]
004812BC 50 push eax
004812BD FF15 34A54800 call dword ptr ds:[<&USER32.SendMes>; user32.SendMessageA
004812C3 833D 80614800 0>cmp dword ptr ds:[486180],2
004812CA 0F84 48000000 je 学日语练.00481318
004812D0 837D B0 01 cmp dword ptr ss:[ebp-50],1
004812D4 0F85 3E000000 jnz 学日语练.00481318
004812DA 33C0 xor eax,eax
004812DC 66:A1 B8614800 mov ax,word ptr ds:[4861B8]
004812E2 85C0 test eax,eax
004812E4 0F84 2E000000 je 学日语练.00481318
004812EA 8B45 08 mov eax,dword ptr ss:[ebp+8] ;基地址 EAX=00400000
004812ED 50 push eax
004812EE 68 A8614800 push 学日语练.004861A8 ; ASCII "sSENTRYWndClass"
004812F3 FF15 F4A44800 call dword ptr ds:[<&USER32.Unregis>; user32.UnregisterClassA
004812F9 33C0 xor eax,eax
004812FB 66:A1 BC614800 mov ax,word ptr ds:[4861BC]
00481301 85C0 test eax,eax
00481303 0F84 0F000000 je 学日语练.00481318
00481309 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
0048130C 50 push eax
0048130D 8D55 AC lea edx,dword ptr ss:[ebp-54]
00481310 8B4D B8 mov ecx,dword ptr ss:[ebp-48]
00481313 E8 38000000 call 学日语练.00481350 //F7进去!不然也挂了
00481318 837D AC 00 cmp dword ptr ss:[ebp-54],0
0048131C 0F84 08000000 je 学日语练.0048132A
00481322 8B4D AC mov ecx,dword ptr ss:[ebp-54]
00481325 E8 B6320000 call 学日语练.004845E0
0048132A 8B45 B0 mov eax,dword ptr ss:[ebp-50]
0048132D 50 push eax
0048132E FF15 8CA44800 call dword ptr ds:[<&KERNEL32.ExitP>; kernel32.ExitProcess
//到这里就挂了!
CALL 00481350
00481350 56 push esi
00481351 57 push edi
00481352 8BF2 mov esi,edx
00481354 8B7C24 0C mov edi,dword ptr ss:[esp+C]
00481358 8B51 02 mov edx,dword ptr ds:[ecx+2] ;异常
0048135B 3351 06 xor edx,dword ptr ds:[ecx+6]
0048135E 3351 0A xor edx,dword ptr ds:[ecx+A] ;F4
00481361 03FA add edi,edx ; edx=006006C OEP
00481363 33D2 xor edx,edx
00481365 8B41 06 mov eax,dword ptr ds:[ecx+6]
00481368 42 inc edx
00481369 314497 FC xor dword ptr ds:[edi+edx*4-4],eax
0048136D 42 inc edx
0048136E 8B41 0A mov eax,dword ptr ds:[ecx+A]
00481371 314497 FC xor dword ptr ds:[edi+edx*4-4],eax
00481375 83FA 14 cmp edx,14
00481378 ^ 7C EB jl short 学日语练.00481365
0048137A 8B0E mov ecx,dword ptr ds:[esi]
0048137C E8 5F320000 call 学日语练.004845E0
00481381 C706 00000000 mov dword ptr ds:[esi],0
00481387 66:833D B861480>cmp word ptr ds:[4861B8],0
0048138F 74 0C je short 学日语练.0048139D
00481391 66:833D C061480>cmp word ptr ds:[4861C0],0
00481399 74 02 je short 学日语练.0048139D
0048139B FFD7 call edi ;飞向光明的地方!
0048139D 6A 00 push 0
0048139F 68 38624800 push 学日语练.00486238 ; ASCII "softSENTRY"
004813A4 68 28624800 push 学日语练.00486228 ; ASCII "Failed to run!"
004813A9 6A 00 push 0
004813AB FF15 24A54800 call dword ptr ds:[<&USER32.Message>; user32.MessageBoxA
进入: call edi
0046006C 55 push ebp //LordPE完全DUMP这个进程
0046006D 8BEC mov ebp,esp
0046006F 83C4 F0 add esp,-10
00460072 B8 A4FE4500 mov eax,学日语练.0045FEA4
00460077 E8 1C65FAFF call 学日语练.00406598
0046007C A1 D41F4600 mov eax,dword ptr ds:[461FD4]
00460081 8B00 mov eax,dword ptr ds:[eax]
00460083 E8 5045FFFF call 学日语练.004545D8
00460088 8B0D C8204600 mov ecx,dword ptr ds:[4620C8] ; 学日语练.00463C84
0046008E A1 D41F4600 mov eax,dword ptr ds:[461FD4]
00460093 8B00 mov eax,dword ptr ds:[eax]
00460095 8B15 ECC64500 mov edx,dword ptr ds:[45C6EC] ; 学日语练.0045C738
0046009B E8 5045FFFF call 学日语练.004545F0
004600A0 A1 D41F4600 mov eax,dword ptr ds:[461FD4]
004600A5 8B00 mov eax,dword ptr ds:[eax]
004600A7 E8 C445FFFF call 学日语练.00454670
004600AC E8 8B40FAFF call 学日语练.0040413C
004600B1 8D40 00 lea eax,dword ptr ds:[eax]
出动ImportREC,FixDump,正常运行!553KB->608KB!运行脱壳后的程序已经没有了注册窗口,OK!可以收工了!
二、注册算法
序列号:86362
用户名:pendan2001
单位名:Freedom Cracker
试炼码:yufeifish-12345678-thormars
BP GetDlgItemTextA
返回到这里
00480338 8B1D 10A54800 mov ebx,dword ptr ds:[<&USER32.GetDlg>; user32.GetDlgItemTextA
0048033E 8B4424 10 mov eax,dword ptr ss:[esp+10]
00480342 68 FFFF0000 push 0FFFF
00480347 50 push eax
00480348 8D8F 02100000 lea ecx,dword ptr ds:[edi+1002]
0048034E 51 push ecx
0048034F 56 push esi
00480350 FFD3 call ebx
00480352 85C0 test eax,eax
00480354 74 10 je short 学日语练.00480366
00480356 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
0048035A E8 71470000 call 学日语练.00484AD0
0048035F 8904BD E0994800 mov dword ptr ds:[edi*4+4899E0],eax “pendan2001”
00480366 47 inc edi
00480367 83FF 14 cmp edi,14
0048036A ^ 7C D2 jl short 学日语练.0048033E
。。。。。
00480394 FF15 14A54800 call dword ptr ds:[<&USER32.GetDlgIte>; user32.GetDlgItem
0048039A 85C0 test eax,eax
0048039C 74 17 je short 学日语练.004803B5
0048039E 8BCE mov ecx,esi
004803A0 E8 DBF4FFFF call 学日语练.0047F880
004803A5 EB 0E jmp short 学日语练.004803B5
004803A7 BA 309A4800 mov edx,学日语练.00489A30
004803AC 8B4C24 58 mov ecx,dword ptr ss:[esp+58]
004803B0 E8 EBFAFFFF call 学日语练.0047FEA0
004803B5 33C0 xor eax,eax
004803B7 5D pop ebp
004803B8 5F pop edi
004803B9 5E pop esi
004803BA 5B pop ebx
004803BB 83C4 3C add esp,3C
004803BE C2 1000 retn 10
CALL 0047F880
0047F8BE 6A 32 push 32
0047F8C0 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0047F8C4 50 push eax
0047F8C5 68 01100000 push 1001
0047F8CA 51 push ecx
0047F8CB FF15 10A54800 call dword ptr ds:[<&USER32.GetDlgIte>; user32.GetDlgItemTextA
0047F8D1 66:894424 10 mov word ptr ss:[esp+10],ax
0047F8D6 8D7C24 50 lea edi,dword ptr ss:[esp+50] ;“ABCDEFGH-12345678-KLMNOPQ”
0047F8DA B9 FFFFFFFF mov ecx,-1
0047F8DF 2BC0 sub eax,eax
0047F8E1 F2:AE repne scas byte ptr es:[edi]
0047F8E3 F7D1 not ecx
0047F8E5 2BF9 sub edi,ecx
0047F8E7 8BD1 mov edx,ecx
0047F8E9 C1E9 02 shr ecx,2
0047F8EC 8BF7 mov esi,edi
0047F8EE 8DBC24 84000000 lea edi,dword ptr ss:[esp+84]
0047F8F5 F3:A5 rep movs dword ptr es:[edi],dword ptr>
0047F8F7 8BCA mov ecx,edx
0047F8F9 83E1 03 and ecx,3
0047F8FC F3:A4 rep movs byte ptr es:[edi],byte ptr d>
0047F8FE 66:C74424 12 00>mov word ptr ss:[esp+12],0
0047F905 66:833D 489C480>cmp word ptr ds:[489C48],0
0047F90D 0F8E 0F040000 jle 学日语练.0047FD22
0047F913 66:8B5C24 10 mov bx,word ptr ss:[esp+10]
0047F918 33ED xor ebp,ebp
0047F91A 8D7C24 50 lea edi,dword ptr ss:[esp+50]
0047F91E B9 FFFFFFFF mov ecx,-1
0047F923 2BC0 sub eax,eax
0047F925 F2:AE repne scas byte ptr es:[edi]
0047F927 F7D1 not ecx
0047F929 2BF9 sub edi,ecx
0047F92B 8BC1 mov eax,ecx
0047F92D C1E9 02 shr ecx,2
0047F930 8BF7 mov esi,edi
0047F932 8D7C24 1C lea edi,dword ptr ss:[esp+1C]
0047F936 F3:A5 rep movs dword ptr es:[edi],dword ptr>
0047F938 8BC8 mov ecx,eax
0047F93A 83E1 03 and ecx,3
0047F93D F3:A4 rep movs byte ptr es:[edi],byte ptr d>
0047F93F 0FBF4C24 12 movsx ecx,word ptr ss:[esp+12]
0047F944 8B35 4C9C4800 mov esi,dword ptr ds:[489C4C]
0047F94A 894C24 18 mov dword ptr ss:[esp+18],ecx
0047F94E C1E1 02 shl ecx,2
0047F951 8D0449 lea eax,dword ptr ds:[ecx+ecx*2]
0047F954 8D1480 lea edx,dword ptr ds:[eax+eax*4]
0047F957 03F2 add esi,edx
0047F959 66:8B06 mov ax,word ptr ds:[esi]
0047F95C 66:A3 389C4800 mov word ptr ds:[489C38],ax
0047F962 8B4E 08 mov ecx,dword ptr ds:[esi+8]
0047F965 890D 349C4800 mov dword ptr ds:[489C34],ecx
0047F96B 8B7E 0C mov edi,dword ptr ds:[esi+C]
0047F96E 893D 449C4800 mov dword ptr ds:[489C44],edi
0047F974 8B46 10 mov eax,dword ptr ds:[esi+10]
0047F977 A3 CC9B4800 mov dword ptr ds:[489BCC],eax
0047F97C 66:833D 389C480>cmp word ptr ds:[489C38],1
0047F984 66:8B4E 14 mov cx,word ptr ds:[esi+14]
0047F988 66:890D 3E9C480>mov word ptr ds:[489C3E],cx
0047F98F 74 0E je short 学日语练.0047F99F
0047F991 66:833D 389C480>cmp word ptr ds:[489C38],2
0047F999 0F85 A4000000 jnz 学日语练.0047FA43
0047F99F BF FC604800 mov edi,学日语练.004860FC ; ASCII "string_1"
0047F9A4 B9 09000000 mov ecx,9
0047F9A9 8B76 20 mov esi,dword ptr ds:[esi+20] ;ASCII "yufeifish"
0047F9AC F3:A6 repe cmps byte ptr es:[edi],byte ptr >
0047F9AE 75 0C jnz short 学日语练.0047F9BC
0047F9B0 A1 E0994800 mov eax,dword ptr ds:[4899E0]
0047F9B5 A3 C09B4800 mov dword ptr ds:[489BC0],eax
0047F9BA EB 32 jmp short 学日语练.0047F9EE
0047F9BC A1 4C9C4800 mov eax,dword ptr ds:[489C4C]
0047F9C1 BF F0604800 mov edi,学日语练.004860F0 ; ASCII "string_2"
0047F9C6 B9 09000000 mov ecx,9
0047F9CB 8B7402 20 mov esi,dword ptr ds:[edx+eax+20] ; ;ASCII "yufeifish"
0047F9CF F3:A6 repe cmps byte ptr es:[edi],byte ptr >
0047F9D1 75 0C jnz short 学日语练.0047F9DF
0047F9D3 A1 E4994800 mov eax,dword ptr ds:[4899E4]
0047F9D8 A3 C09B4800 mov dword ptr ds:[489BC0],eax
0047F9DD EB 0F jmp short 学日语练.0047F9EE
0047F9DF A1 4C9C4800 mov eax,dword ptr ds:[489C4C]
0047F9E4 8B4C02 20 mov ecx,dword ptr ds:[edx+eax+20]
0047F9E8 890D C09B4800 mov dword ptr ds:[489BC0],ecx
0047F9EE A1 4C9C4800 mov eax,dword ptr ds:[489C4C]
0047F9F3 BF FC604800 mov edi,学日语练.004860FC ; ASCII "string_1"
0047F9F8 B9 09000000 mov ecx,9 ASCII "thor-mars" ;ASCII "ufeifish"
0047F9FD 8B7402 24 mov esi,dword ptr ds:[edx+eax+24]
0047FA01 F3:A6 repe cmps byte ptr es:[edi],byte ptr >
0047FA03 75 0C jnz short 学日语练.0047FA11
0047FA05 A1 E0994800 mov eax,dword ptr ds:[4899E0]
0047FA0A A3 C49B4800 mov dword ptr ds:[489BC4],eax
0047FA0F EB 32 jmp short 学日语练.0047FA43
0047FA11 A1 4C9C4800 mov eax,dword ptr ds:[489C4C]
0047FA16 BF F0604800 mov edi,学日语练.004860F0 ; ASCII "string_2"
0047FA1B B9 09000000 mov ecx,9
0047FA20 8B7402 24 mov esi,dword ptr ds:[edx+eax+24]
0047FA24 F3:A6 repe cmps byte ptr es:[edi],byte ptr >
0047FA26 75 0C jnz short 学日语练.0047FA34
0047FA28 A1 E4994800 mov eax,dword ptr ds:[4899E4]
0047FA2D A3 C49B4800 mov dword ptr ds:[489BC4],eax
0047FA32 EB 0F jmp short 学日语练.0047FA43
0047FA34 A1 4C9C4800 mov eax,dword ptr ds:[489C4C]
0047FA39 8B4C02 24 mov ecx,dword ptr ds:[edx+eax+24]
0047FA3D 890D C49B4800 mov dword ptr ds:[489BC4],ecx
0047FA43 A1 4C9C4800 mov eax,dword ptr ds:[489C4C]
0047FA48 66:837C02 04 00 cmp word ptr ds:[edx+eax+4],0
0047FA4E 75 55 jnz short 学日语练.0047FAA5
0047FA50 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0047FA54 E8 A7F9FFFF call 学日语练.0047F400
0047FA59 33C0 xor eax,eax
0047FA5B 66:A1 389C4800 mov ax,word ptr ds:[489C38]
0047FA61 85C0 test eax,eax
0047FA63 74 0C je short 学日语练.0047FA71
0047FA65 83F8 01 cmp eax,1
0047FA68 7C 3B jl short 学日语练.0047FAA5
0047FA6A 83F8 02 cmp eax,2
0047FA6D 7E 0A jle short 学日语练.0047FA79
0047FA6F /EB 34 jmp short 学日语练.0047FAA5
0047FA71 |8B0D 349C4800 mov ecx,dword ptr ds:[489C34]
0047FA77 |EB 27 jmp short 学日语练.0047FAA0
0047FA79 |8B0D 449C4800 mov ecx,dword ptr ds:[489C44]
0047FA7F |E8 7CF9FFFF call 学日语练.0047F400
0047FA84 |8B0D CC9B4800 mov ecx,dword ptr ds:[489BCC]
0047FA8A |E8 71F9FFFF call 学日语练.0047F400
0047FA8F |8B0D C09B4800 mov ecx,dword ptr ds:[489BC0]
0047FA95 |E8 66F9FFFF call 学日语练.0047F400
0047FA9A |8B0D C49B4800 mov ecx,dword ptr ds:[489BC4]
0047FAA0 |E8 5BF9FFFF call 学日语练.0047F400
0047FAA5 \33C0 xor eax,eax
0047FAA7 66:A1 389C4800 mov ax,word ptr ds:[489C38]
0047FAAD 85C0 test eax,eax
0047FAAF 74 17 je short 学日语练.0047FAC8
0047FAB1 83F8 01 cmp eax,1
0047FAB4 0F8C 4B020000 jl 学日语练.0047FD05
0047FABA 83F8 02 cmp eax,2
0047FABD 0F8E 92000000 jle 学日语练.0047FB55
0047FAC3 E9 3D020000 jmp 学日语练.0047FD05
0047FAC8 A1 349C4800 mov eax,dword ptr ds:[489C34]
0047FACD 8038 00 cmp byte ptr ds:[eax],0
0047FAD0 75 19 jnz short 学日语练.0047FAEB
0047FAD2 8B4424 18 mov eax,dword ptr ss:[esp+18]
0047FAD6 8A80 A3994800 mov al,byte ptr ds:[eax+4899A3]
0047FADC 3C 01 cmp al,1
0047FADE 74 04 je short 学日语练.0047FAE4
0047FAE0 3C 02 cmp al,2
0047FAE2 75 07 jnz short 学日语练.0047FAEB
0047FAE4 33ED xor ebp,ebp
0047FAE6 E9 1A020000 jmp 学日语练.0047FD05
0047FAEB 8B3D 349C4800 mov edi,dword ptr ds:[489C34]
0047FAF1 B9 FFFFFFFF mov ecx,-1
0047FAF6 2BC0 sub eax,eax
0047FAF8 F2:AE repne scas byte ptr es:[edi]
0047FAFA 0FBF4424 10 movsx eax,word ptr ss:[esp+10]
0047FAFF F7D1 not ecx
0047FB01 49 dec ecx
0047FB02 3BC8 cmp ecx,eax
0047FB04 7C 15 jl short 学日语练.0047FB1B
0047FB06 8B3D 349C4800 mov edi,dword ptr ds:[489C34]
0047FB0C B9 FFFFFFFF mov ecx,-1
0047FB11 2BC0 sub eax,eax
0047FB13 F2:AE repne scas byte ptr es:[edi]
0047FB15 F7D1 not ecx
0047FB17 49 dec ecx
0047FB18 66:8BD9 mov bx,cx
0047FB1B 66:33C9 xor cx,cx
0047FB1E 66:85DB test bx,bx
0047FB21 7E 1E jle short 学日语练.0047FB41
0047FB23 8B15 349C4800 mov edx,dword ptr ds:[489C34]
0047FB29 0FBFC1 movsx eax,cx
0047FB2C 8A1402 mov dl,byte ptr ds:[edx+eax]
0047FB2F 80FA 3F cmp dl,3F
0047FB32 74 06 je short 学日语练.0047FB3A
0047FB34 385404 1C cmp byte ptr ss:[esp+eax+1C],dl
0047FB38 75 07 jnz short 学日语练.0047FB41
0047FB3A 66:41 inc cx
0047FB3C 66:3BCB cmp cx,bx
0047FB3F ^ 7C E2 jl short 学日语练.0047FB23
0047FB41 66:2BCB sub cx,bx
0047FB44 BD 00000000 mov ebp,0
0047FB49 66:83F9 01 cmp cx,1
0047FB4D 83D5 FF adc ebp,-1
0047FB50 E9 B0010000 jmp 学日语练.0047FD05
0047FB55 8B3D 449C4800 mov edi,dword ptr ds:[489C44] ;EDI=Xyufeifish. 这就是String 1
0047FB5B B9 FFFFFFFF mov ecx,-1
0047FB60 2BC0 sub eax,eax
0047FB62 F2:AE repne scas byte ptr es:[edi]
0047FB64 F7D1 not ecx
0047FB66 49 dec ecx ;取长度 ECX=9
0047FB67 66:49 dec cx
0047FB69 66:83F9 FF cmp cx,0FFFF
0047FB6D 74 26 je short 学日语练.0047FB95
0047FB6F 66:85C9 test cx,cx
0047FB72 7C 1B jl short 学日语练.0047FB8F
0047FB74 8B15 449C4800 mov edx,dword ptr ds:[489C44]
0047FB7A 0FBFC1 movsx eax,cx
0047FB7D 8A1402 mov dl,byte ptr ds:[edx+eax] ;依次倒序取
0047FB80 80FA 3F cmp dl,3F ;逐位比较试炼码前9位
0047FB83 74 06 je short 学日语练.0047FB8B ;跳则OVER!
0047FB85 385404 1C cmp byte ptr ss:[esp+eax+1C],dl
0047FB89 75 04 jnz short 学日语练.0047FB8F
0047FB8B 66:49 dec cx
0047FB8D ^ 79 E5 jns short 学日语练.0047FB74
0047FB8F 66:83F9 FF cmp cx,0FFFF
0047FB93 75 05 jnz short 学日语练.0047FB9A
0047FB95 BD 01000000 mov ebp,1
0047FB9A 8B3D CC9B4800 mov edi,dword ptr ds:[489BCC]
0047FBA0 B9 FFFFFFFF mov ecx,-1
0047FBA5 2BC0 sub eax,eax
0047FBA7 F2:AE repne scas byte ptr es:[edi]
0047FBA9 F7D1 not ecx
0047FBAB 49 dec ecx
0047FBAC 8D7C24 1C lea edi,dword ptr ss:[esp+1C]
0047FBB0 66:8BD1 mov dx,cx
0047FBB3 2BC0 sub eax,eax
0047FBB5 B9 FFFFFFFF mov ecx,-1
0047FBBA F2:AE repne scas byte ptr es:[edi]
0047FBBC F7D1 not ecx
0047FBBE 49 dec ecx
0047FBBF 66:2BCA sub cx,dx
0047FBC2 66:85C9 test cx,cx
0047FBC5 7E 2F jle short 学日语练.0047FBF6
0047FBC7 66:33F6 xor si,si
0047FBCA 66:85D2 test dx,dx
0047FBCD 7E 21 jle short 学日语练.0047FBF0
0047FBCF A1 CC9B4800 mov eax,dword ptr ds:[489BCC]
0047FBD4 0FBFFE movsx edi,si
0047FBD7 8A0438 mov al,byte ptr ds:[eax+edi] ;依次倒序取
0047FBDA 3C 3F cmp al,3F
0047FBDC 74 0B je short 学日语练.0047FBE9
0047FBDE 0FBFD9 movsx ebx,cx
0047FBE1 03DF add ebx,edi
0047FBE3 38441C 1C cmp byte ptr ss:[esp+ebx+1C],al ;逐位比较试炼码最后8位
0047FBE7 75 07 jnz short 学日语练.0047FBF0 ;跳则OVER!
0047FBE9 66:46 inc si
0047FBEB 66:3BD6 cmp dx,si
0047FBEE ^ 7F DF jg short 学日语练.0047FBCF ;循环比较!
0047FBF0 66:3BD6 cmp dx,si
0047FBF3 75 01 jnz short 学日语练.0047FBF6
0047FBF5 45 inc ebp ;EBP=1 + 1=2
0047FBF6 83FD 02 cmp ebp,2 ;是否已比较2次?
0047FBF9 74 0A je short 学日语练.0047FC05
0047FBFB BD FEFFFFFF mov ebp,-2
0047FC00 E9 00010000 jmp 学日语练.0047FD05
0047FC05 8B3D 449C4800 mov edi,dword ptr ds:[489C44] ;EDI=***** 这就是String 2
0047FC0B B9 FFFFFFFF mov ecx,-1
0047FC10 2BC0 sub eax,eax
0047FC12 F2:AE repne scas byte ptr es:[edi]
0047FC14 F7D1 not ecx
0047FC16 2BC0 sub eax,eax
0047FC18 8D740C 1B lea esi,dword ptr ss:[esp+ecx+1B]
0047FC1C 8BFE mov edi,esi
0047FC1E B9 FFFFFFFF mov ecx,-1
0047FC23 F2:AE repne scas byte ptr es:[edi]
0047FC25 F7D1 not ecx
0047FC27 8B3D CC9B4800 mov edi,dword ptr ds:[489BCC]
0047FC2D 2BC0 sub eax,eax
0047FC2F 8D51 FF lea edx,dword ptr ds:[ecx-1]
0047FC32 B9 FFFFFFFF mov ecx,-1
0047FC37 F2:AE repne scas byte ptr es:[edi]
0047FC39 F7D1 not ecx
0047FC3B 49 dec ecx
0047FC3C 8BC6 mov eax,esi
0047FC3E 2BC1 sub eax,ecx
0047FC40 8BCE mov ecx,esi
0047FC42 C60410 00 mov byte ptr ds:[eax+edx],0
0047FC46 E8 C54D0000 call 学日语练.00484A10 ;测试试炼码中间的12345678是否是数字?
0047FC4B 85C0 test eax,eax
0047FC4D 75 0A jnz short 学日语练.0047FC59
0047FC4F BD FDFFFFFF mov ebp,-3
0047FC54 E9 AC000000 jmp 学日语练.0047FD05
0047FC59 BA E8604800 mov edx,学日语练.004860E8 ; ASCII "0604"
0047FC5E 8BCE mov ecx,esi
0047FC60 BD FCFFFFFF mov ebp,-4
0047FC65 E8 F64D0000 call 学日语练.00484A60 ;取12345678的16进制值
0047FC6A 66:833D 389C480>cmp word ptr ds:[489C38],1
0047FC72 8BF0 mov esi,eax
0047FC74 75 59 jnz short 学日语练.0047FCCF
0047FC76 66:8B3D 3E9C480>mov di,word ptr ds:[489C3E]
0047FC7D 8B15 C09B4800 mov edx,dword ptr ds:[489BC0]
0047FC83 66:C1EF 08 shr di,8
0047FC87 66:8B0D 3E9C480>mov cx,word ptr ds:[489C3E]
0047FC8E 66:81E1 FF00 and cx,0FF
0047FC93 E8 F8FAFFFF call 学日语练.0047F790
0047FC98 03F0 add esi,eax
0047FC9A 66:85FF test di,di
0047FC9D 75 0A jnz short 学日语练.0047FCA9
0047FC9F 8B15 C49B4800 mov edx,dword ptr ds:[489BC4]
0047FCA5 8BCF mov ecx,edi
0047FCA7 EB 0B jmp short 学日语练.0047FCB4
0047FCA9 66:8BCF mov cx,di
0047FCAC 8B15 C49B4800 mov edx,dword ptr ds:[489BC4]
0047FCB2 66:41 inc cx
0047FCB4 E8 D7FAFFFF call 学日语练.0047F790
0047FCB9 8BC8 mov ecx,eax
0047FCBB 85C9 test ecx,ecx
0047FCBD 75 07 jnz short 学日语练.0047FCC6
0047FCBF BD FBFFFFFF mov ebp,-5
0047FCC4 EB 36 jmp short 学日语练.0047FCFC
0047FCC6 8BC6 mov eax,esi
0047FCC8 99 cdq
0047FCC9 F7F9 idiv ecx
0047FCCB 8BEA mov ebp,edx
0047FCCD EB 2D jmp short 学日语练.0047FCFC
0047FCCF 66:833D 389C480>cmp word ptr ds:[489C38],2
0047FCD7 75 23 jnz short 学日语练.0047FCFC
0047FCD9 66:8B15 3E9C480>mov dx,word ptr ds:[489C3E] ;DX=***** 这个似乎是固定值
0047FCE0 A1 C49B4800 mov eax,dword ptr ds:[489BC4] ;EAX=Freedom Cracker 单位名
0047FCE5 50 push eax
0047FCE6 8B0D C09B4800 mov ecx,dword ptr ds:[489BC0] ;ECX=pendan2001 用户名
0047FCEC 51 push ecx
0047FCED 8B0D D4994800 mov ecx,dword ptr ds:[4899D4] ;ECX=0001515A(H)=86362(D) 序列号
0047FCF3 E8 28FBFFFF call 学日语练.0047F820;关键CALL!进入!对用户名、单位和序列号进行运算
0047FCF8 8BE8 mov ebp,eax ;运算结果16进制显示
0047FCFA 2BEE sub ebp,esi ;16进制值-12345678的16进制值是否等于注册码中间几位
0047FCFC 85ED test ebp,ebp
0047FCFE 74 29 je short 学日语练.0047FD29
0047FD00 BD FBFFFFFF mov ebp,-5
0047FD05 85ED test ebp,ebp
0047FD07 7D 20 jge short 学日语练.0047FD29
0047FD09 66:FF4424 12 inc word ptr ss:[esp+12]
0047FD0E 66:8B4424 12 mov ax,word ptr ss:[esp+12]
0047FD13 66:3905 489C480>cmp word ptr ds:[489C48],ax
0047FD1A ^ 0F8F F3FBFFFF jg 学日语练.0047F913
0047FD20 EB 07 jmp short 学日语练.0047FD29
0047FD22 8BAC24 84000000 mov ebp,dword ptr ss:[esp+84]
0047FD29 33F6 xor esi,esi
0047FD2B 85ED test ebp,ebp
0047FD2D 0F8C D5000000 jl 学日语练.0047FE08
0047FD33 66:8B4424 12 mov ax,word ptr ss:[esp+12]
0047FD38 66:3905 489C480>cmp word ptr ds:[489C48],ax
0047FD3F 0F8E C3000000 jle 学日语练.0047FE08
0047FD45 BA 01000000 mov edx,1
0047FD4A 8B4C24 12 mov ecx,dword ptr ss:[esp+12]
0047FD4E E8 6DF7FFFF call 学日语练.0047F4C0
0047FD53 85C0 test eax,eax
0047FD55 74 76 je short 学日语练.0047FDCD
0047FD57 68 10100000 push 1010
0047FD5C 8B1D 4C9C4800 mov ebx,dword ptr ds:[489C4C]
0047FD62 0FBF4424 16 movsx eax,word ptr ss:[esp+16]
0047FD67 C1E0 02 shl eax,2
0047FD6A 68 E0604800 push 学日语练.004860E0 ; ASCII "Warning"
0047FD6F 8D0C40 lea ecx,dword ptr ds:[eax+eax*2]
0047FD72 8D1489 lea edx,dword ptr ds:[ecx+ecx*4]
0047FD75 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
0047FD79 8B441A 34 mov eax,dword ptr ds:[edx+ebx+34]
0047FD7D 50 push eax
0047FD7E 51 push ecx
0047FD7F FF15 24A54800 call dword ptr ds:[<&USER32.MessageBo>; user32.MessageBoxA
0047FD85 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
0047FD89 68 01100000 push 1001
0047FD8E 51 push ecx
0047FD8F FF15 14A54800 call dword ptr ds:[<&USER32.GetDlgIte>; user32.GetDlgItem
//看到这个函数就明白了:对于 SoftSentry 壳,bpx GetDlgItemTextA 这个断点是很好用的。
堆栈:
0012FB1C 01EB0340 |hOwner = 01EB0340 ('学日语背单词',class='#32770')
0012FB20 0013A2D5 |Text = "密码错误!"
0012FB24 004860E0 |Title = "Warning"
偶仔细跟了一下,发现算法和fly的英宇职业介绍管理系统 V5.0 破文里面的算法很相似,也就是
1、注册码前9位固定
2、注册码最后8位固定
3、注册码中间几位是通过对用户名、单位名、序列号运算得出的。