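Title: Analysis of the registration-code mechanism of the CD-burning software "CDRWinV5.05.001" [Lantern Festival gift]
Software introduction: CDRWin is a powerful burning program developed by a German author. It supports burning AUDIO CD, DATA CD, MP3 CD, VCD, mixed-mode, multi-session and other disc formats. Its unique CUE SHEET language allows 100% customization of the disc layout and avoids the gaps that other burning software introduces between tracks; its powerful backup function prevents loss of the data already on a disc; it conforms to the ISO9660 standard, and so on. The unregistered version has a 14-day trial period.
Tools: SoftICE, PEiD
Preface: Today I came across this software again, installed it and tried it out, and found it quite good. I spent 2 hours tracing its flow; at first it left me dizzy, with traps everywhere and defences at every step. Its registration-code generation mechanism is rather interesting and somewhat different from that of other software. The analysis follows.
Checking with PEiD for a packer: luckily, it is not packed, and it was developed with VC. Start the program, click HELP, then click "Register" to bring up the registration dialog. Enter the user name wanggang and the company name qingdao university. I first entered 654321 as the registration code, but tracing showed that the code has to meet certain requirements. At minimum it must have the form 11111-22222-33333-44444-55555: 5 segments of 5 characters each. Further tracing showed that this alone is not enough: the first 2 segments must also contain the characters "C", "D" and "R", in any order and position (in practice there are still restrictions). So I changed the registration code to 11R1D-222C1-33333-44444-55555. Bring up SoftICE, set the breakpoint bpx hmemcpy, press F5 to exit, click the OK button, and the breakpoint hits. Press F12 9 times to reach the main program's address space, then switch to F10 to step, arriving at the following code: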
00423317 |. E8 70D30300 CALL <JMP.&MFC42.#2370> //Get the company name.
0042331C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //We return to here.
0042331F |. 83C0 64 ADD EAX,64
00423322 |. 50 PUSH EAX
00423323 |. 68 16040000 PUSH 416
00423328 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0042332B |. 51 PUSH ECX
0042332C |. E8 5BD30300 CALL <JMP.&MFC42.#2370> //Get the registration code.
00423331 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00423334 |. 83C2 68 ADD EDX,68
00423337 |. 52 PUSH EDX
00423338 |. 68 15040000 PUSH 415
0042333D |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00423340 |. 50 PUSH EAX
00423341 |. E8 46D30300 CALL <JMP.&MFC42.#2370> //Get the user name.
00423346 |. 8BE5 MOV ESP,EBP
00423348 |. 5D POP EBP
00423349 \. C2 0400 RETN 4
***************
Execution returns from the code above to the following code:
00423366 /. 55 PUSH EBP
00423367 |. 8BEC MOV EBP,ESP
00423369 |. 83EC 10 SUB ESP,10
0042336C |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
0042336F |. 6A 01 PUSH 1
00423371 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
00423374 |. E8 1FD30300 CALL <JMP.&MFC42.#6334>
00423379 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0042337C |. 83C0 64 ADD EAX,64
0042337F |. 50 PUSH EAX
00423380 |. B9 E4154800 MOV ECX,CDRWIN5.004815E4
00423385 |. E8 22D10300 CALL <JMP.&MFC42.#858>
0042338A |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0042338D |. 83C1 68 ADD ECX,68
00423390 |. 51 PUSH ECX
00423391 |. B9 E0154800 MOV ECX,CDRWIN5.004815E0
00423396 |. E8 11D10300 CALL <JMP.&MFC42.#858>
0042339B |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0042339E |. 83C2 60 ADD EDX,60
004233A1 |. 52 PUSH EDX
004233A2 |. B9 DC154800 MOV ECX,CDRWIN5.004815DC
004233A7 |. E8 00D10300 CALL <JMP.&MFC42.#858>
004233AC |. 51 PUSH ECX
004233AD |. 8BCC MOV ECX,ESP
004233AF |. 8965 FC MOV DWORD PTR SS:[EBP-4],ESP
004233B2 |. 68 E4154800 PUSH CDRWIN5.004815E4
004233B7 |. E8 44D10300 CALL <JMP.&MFC42.#535>
004233BC |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
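004233BF |. E8 71410300 CALL CDRWIN5.00457535 //This function is where the "rabbit" is hiding. (1)
004233C4 |. 83C4 04 ADD ESP,4
004233C7 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX //Note: EAX holds the return value. It is 41Ah if the registration code is correct; otherwise some other status code is returned.
004233CA |. 817D F0 1A0400>CMP DWORD PTR SS:[EBP-10],41A //Compare the return value with 41Ah: equal means success, otherwise no luck.
004233D1 |. 7D 10 JGE SHORT CDRWIN5.004233E3 //If it is 41A, jump to the routine that shows success.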
004233D3 |. 6A FF PUSH -1
004233D5 |. 6A 00 PUSH 0
004233D7 |. 68 69EF0000 PUSH 0EF69
004233DC |. E8 D9D40300 CALL <JMP.&MFC42.#1199> //Shows the invalid serial number message.
004233E1 |. EB 13 JMP SHORT CDRWIN5.004233F6
004233E3 |> 6A FF PUSH -1
004233E5 |. 6A 00 PUSH 0
004233E7 |. 68 6AEF0000 PUSH 0EF6A
004233EC |. E8 C9D40300 CALL <JMP.&MFC42.#1199> //Shows the registration-succeeded message.
004233F1 |. E8 DA520300 CALL CDRWIN5.004586D0
004233F6 |> 6A 00 PUSH 0
004233F8 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004233FB |. E8 F4D60300 CALL <JMP.&MFC42.#2645> //Writes the information to the registry.
00423400 |. 8BE5 MOV ESP,EBP
00423402 |. 5D POP EBP
00423403 \. C3 RETN
====================================================================================================
The CALL CDRWIN5.00457535 at 004233BF is analysed below: (1)
00457535 /$ 55 PUSH EBP
00457536 |. 8BEC MOV EBP,ESP
00457538 |. 6A FF PUSH -1
0045753A |. 68 7D6E4600 PUSH CDRWIN5.00466E7D
0045753F |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00457545 |. 50 PUSH EAX
00457546 |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0045754D |. 81EC F0000000 SUB ESP,0F0
00457553 |. 56 PUSH ESI
00457554 |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
0045755B |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457560 |. 68 A6044600 PUSH <JMP.&MFC42.#540>
00457565 |. 6A 05 PUSH 5
00457567 |. 6A 04 PUSH 4
00457569 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0045756C |. 50 PUSH EAX
0045756D |. E8 C49C0000 CALL CDRWIN5.00461236
00457572 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1 //Below, the blacklist is copied elsewhere.
00457576 |. 68 CCDF4700 PUSH CDRWIN5.0047DFCC ; ASCII "5BS8X-CCZDR-59B88-CBCK5-DGTSQ"
0045757B |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0045757E |. E8 1D8F0000 CALL <JMP.&MFC42.#860>
00457583 |. 68 ECDF4700 PUSH CDRWIN5.0047DFEC ; ASCII "59S0@-5CRCD-57647-UPMY3-CEVRF"
00457588 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0045758B |. E8 108F0000 CALL <JMP.&MFC42.#860>
00457590 |. 68 0CE04700 PUSH CDRWIN5.0047E00C ; ASCII "5ES8D-D5CRT-55606-D1CL0-BNAZL"
00457595 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00457598 |. E8 038F0000 CALL <JMP.&MFC42.#860>
0045759D |. 68 2CE04700 PUSH CDRWIN5.0047E02C ; ASCII "59S0C-RDQMN-57B22-6U6Y6-7TQDU"
004575A2 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004575A5 |. E8 F68E0000 CALL <JMP.&MFC42.#860>
004575AA |. 68 4CE04700 PUSH CDRWIN5.0047E04C ; ASCII "5DC8R-LASH8-57228-LASH8-DLASH"
004575AF |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004575B2 |. E8 E98E0000 CALL <JMP.&MFC42.#860>
004575B7 |. C745 B4 000000>MOV DWORD PTR SS:[EBP-4C],0
004575BE |. EB 09 JMP SHORT CDRWIN5.004575C9
004575C0 |> 8B4D B4 /MOV ECX,DWORD PTR SS:[EBP-4C] //The loop below compares the entered fake code against the blacklist entries one by one.
004575C3 |. 83C1 01 |ADD ECX,1
004575C6 |. 894D B4 |MOV DWORD PTR SS:[EBP-4C],ECX
004575C9 |> 837D B4 04 CMP DWORD PTR SS:[EBP-4C],4 //This is the comparison count: 5 comparisons in total.
004575CD |. 7F 4F |JG SHORT CDRWIN5.0045761E //Jump away when the comparisons are finished.
004575CF |. 8B55 B4 |MOV EDX,DWORD PTR SS:[EBP-4C]
004575D2 |. 8D4C95 DC |LEA ECX,DWORD PTR SS:[EBP+EDX*4-24]
004575D6 |. E8 95BBFAFF |CALL CDRWIN5.00403170 //Get the address of a registration code on the blacklist.
004575DB |. 50 |PUSH EAX
004575DC |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8] //Get the address of the entered fake code.
004575DF |. E8 BCEEFAFF |CALL CDRWIN5.004064A0 //Compare. Returns FFFFFFFFh in EAX if the code is not on the blacklist.
004575E4 |. 85C0 |TEST EAX,EAX //EAX=FFFFFFFF.
004575E6 |. 75 34 |JNZ SHORT CDRWIN5.0045761C //Not finished; continue with the next one.
004575E8 |. C745 90 19FCFF>|MOV DWORD PTR SS:[EBP-70],-3E7
004575EF |. C645 FC 00 |MOV BYTE PTR SS:[EBP-4],0
004575F3 |. 68 9A044600 |PUSH <JMP.&MFC42.#800>
004575F8 |. 6A 05 |PUSH 5
004575FA |. 6A 04 |PUSH 4
004575FC |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]
004575FF |. 50 |PUSH EAX
00457600 |. E8 1B9B0000 |CALL CDRWIN5.00461120
00457605 |. C745 FC FFFFFF>|MOV DWORD PTR SS:[EBP-4],-1
0045760C |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
0045760F |. E8 868E0000 |CALL <JMP.&MFC42.#800>
00457614 |. 8B45 90 |MOV EAX,DWORD PTR SS:[EBP-70]
00457617 |. E9 CB0F0000 |JMP CDRWIN5.004585E7
0045761C |>^EB A2 \JMP SHORT CDRWIN5.004575C0 //Loop back up from here.
0045761E |> 6A 00 PUSH 0 //Validate the 1st character of the registration code.
00457620 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
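00457623 |. E8 4889FCFF CALL CDRWIN5.0041FF70 //Fetch the character at the index given by the argument: the 1st character of the registration code.
00457628 |. 0FBEC8 MOVSX ECX,AL
0045762B |. 83F9 35 CMP ECX,35 //Compare with 35h, i.e. the character '5'.
0045762E |. 75 7C JNZ SHORT CDRWIN5.004576AC //Jump away if it is not '5'. If the first character is 5 one path is taken, otherwise another; in the end it still has to be 5.
00457630 |. 6A 01 PUSH 1
00457632 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8] //If the first character is 5, the code below checks whether the next 4 characters are 'C','C','8','R'. If they are, the check fails.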
00457635 |. E8 3689FCFF CALL CDRWIN5.0041FF70
0045763A |. 0FBED0 MOVSX EDX,AL
0045763D |. 83FA 43 CMP EDX,43
00457640 |. 75 6A JNZ SHORT CDRWIN5.004576AC
00457642 |. 6A 02 PUSH 2
00457644 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457647 |. E8 2489FCFF CALL CDRWIN5.0041FF70
0045764C |. 0FBEC0 MOVSX EAX,AL
0045764F |. 83F8 43 CMP EAX,43
00457652 |. 75 58 JNZ SHORT CDRWIN5.004576AC
00457654 |. 6A 03 PUSH 3
00457656 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457659 |. E8 1289FCFF CALL CDRWIN5.0041FF70
0045765E |. 0FBEC8 MOVSX ECX,AL
00457661 |. 83F9 38 CMP ECX,38
00457664 |. 75 46 JNZ SHORT CDRWIN5.004576AC
00457666 |. 6A 04 PUSH 4
00457668 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045766B |. E8 0089FCFF CALL CDRWIN5.0041FF70
00457670 |. 0FBED0 MOVSX EDX,AL
00457673 |. 83FA 52 CMP EDX,52
00457676 |. 75 34 JNZ SHORT CDRWIN5.004576AC
00457678 |. C745 8C 66FDFF>MOV DWORD PTR SS:[EBP-74],-29A
0045767F |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457683 |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457688 |. 6A 05 PUSH 5
0045768A |. 6A 04 PUSH 4
0045768C |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0045768F |. 50 PUSH EAX
00457690 |. E8 8B9A0000 CALL CDRWIN5.00461120
00457695 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
0045769C |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045769F |. E8 F68D0000 CALL <JMP.&MFC42.#800>
004576A4 |. 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
004576A7 |. E9 3B0F0000 JMP CDRWIN5.004585E7 //If the leading characters are 5CC8R, the check fails.
004576AC |> 6A 00 PUSH 0 //The code below checks whether the first 5 characters are 5CD8R.
004576AE |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004576B1 |. E8 BA88FCFF CALL CDRWIN5.0041FF70
004576B6 |. 0FBEC8 MOVSX ECX,AL
004576B9 |. 83F9 35 CMP ECX,35
004576BC |. 75 7C JNZ SHORT CDRWIN5.0045773A //Jump away if it is not '5'. The following characters are then checked in turn against 'C','D','8','R'.
004576BE |. 6A 01 PUSH 1
004576C0 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004576C3 |. E8 A888FCFF CALL CDRWIN5.0041FF70
004576C8 |. 0FBED0 MOVSX EDX,AL
004576CB |. 83FA 43 CMP EDX,43
004576CE |. 75 6A JNZ SHORT CDRWIN5.0045773A
004576D0 |. 6A 02 PUSH 2
004576D2 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004576D5 |. E8 9688FCFF CALL CDRWIN5.0041FF70
004576DA |. 0FBEC0 MOVSX EAX,AL
004576DD |. 83F8 44 CMP EAX,44
004576E0 |. 75 58 JNZ SHORT CDRWIN5.0045773A
004576E2 |. 6A 03 PUSH 3
004576E4 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004576E7 |. E8 8488FCFF CALL CDRWIN5.0041FF70
004576EC |. 0FBEC8 MOVSX ECX,AL
004576EF |. 83F9 38 CMP ECX,38
004576F2 |. 75 46 JNZ SHORT CDRWIN5.0045773A
004576F4 |. 6A 04 PUSH 4
004576F6 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004576F9 |. E8 7288FCFF CALL CDRWIN5.0041FF70
004576FE |. 0FBED0 MOVSX EDX,AL
00457701 |. 83FA 52 CMP EDX,52
00457704 |. 75 34 JNZ SHORT CDRWIN5.0045773A
00457706 |. C745 88 66FDFF>MOV DWORD PTR SS:[EBP-78],-29A
0045770D |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457711 |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457716 |. 6A 05 PUSH 5
00457718 |. 6A 04 PUSH 4
0045771A |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0045771D |. 50 PUSH EAX
0045771E |. E8 FD990000 CALL CDRWIN5.00461120
00457723 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
0045772A |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045772D |. E8 688D0000 CALL <JMP.&MFC42.#800>
00457732 |. 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
00457735 |. E9 AD0E0000 JMP CDRWIN5.004585E7 //If the first 5 characters are '5CD8R', the check likewise fails.
0045773A |> C745 9C 030000>MOV DWORD PTR SS:[EBP-64],3 //Store 3 into memory at [EBP-64].
00457741 |. 8B4D 9C MOV ECX,DWORD PTR SS:[EBP-64]
00457744 |. 6BC9 03 IMUL ECX,ECX,3 //ECX=ECX*3.
00457747 |. 894D 9C MOV DWORD PTR SS:[EBP-64],ECX
0045774A |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045774D |. E8 EE3EFBFF CALL CDRWIN5.0040B640 //ECX plus 9; the result is 1Dh.
00457752 |. 8B55 9C MOV EDX,DWORD PTR SS:[EBP-64]
00457755 |. 83C2 14 ADD EDX,14 //EDX plus 14h gives 1Dh.
00457758 |. 3BC2 CMP EAX,EDX //The comparison is certainly equal.
0045775A |. 74 34 JE SHORT CDRWIN5.00457790 //Jump away.
0045775C |. C745 84 010000>MOV DWORD PTR SS:[EBP-7C],1
00457763 |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457767 |. 68 9A044600 PUSH <JMP.&MFC42.#800>
0045776C |. 6A 05 PUSH 5
0045776E |. 6A 04 PUSH 4
00457770 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00457773 |. 50 PUSH EAX
00457774 |. E8 A7990000 CALL CDRWIN5.00461120
00457779 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
00457780 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457783 |. E8 128D0000 CALL <JMP.&MFC42.#800>
00457788 |. 8B45 84 MOV EAX,DWORD PTR SS:[EBP-7C]
0045778B |. E9 570E0000 JMP CDRWIN5.004585E7
00457790 |> 68 6CE04700 PUSH CDRWIN5.0047E06C
00457795 |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68] //From here down to 4578E7, the hyphens '-' in the registration code are validated.
00457798 |. E8 218D0000 CALL <JMP.&MFC42.#537> //Copy '-' to another location.
0045779D |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
004577A1 |. 6A 01 PUSH 1
004577A3 |. 6A 05 PUSH 5 //Push index 5, i.e. the 6th character.
004577A5 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004577A8 |. E8 C387FCFF CALL CDRWIN5.0041FF70
004577AD |. 50 PUSH EAX
004577AE |. 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
004577B4 |. E8 05930000 CALL <JMP.&MFC42.#536>
004577B9 |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
004577BD |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
004577C0 |. 51 PUSH ECX
004577C1 |. 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
004577C7 |. 52 PUSH EDX
004577C8 |. E8 239DFBFF CALL CDRWIN5.004114F0
004577CD |. 25 FF000000 AND EAX,0FF
004577D2 |. 85C0 TEST EAX,EAX
004577D4 |. 0F85 03010000 JNZ CDRWIN5.004578DD //Not taken here.
004577DA |. 6A 01 PUSH 1
004577DC |. 6A 0B PUSH 0B //Push index 0Bh, i.e. the 12th character.
004577DE |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004577E1 |. E8 8A87FCFF CALL CDRWIN5.0041FF70
004577E6 |. 50 PUSH EAX
004577E7 |. 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
004577ED |. E8 CC920000 CALL <JMP.&MFC42.#536>
004577F2 |. C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
004577F6 |. 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
004577F9 |. 50 PUSH EAX
004577FA |. 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00457800 |. 51 PUSH ECX
00457801 |. E8 EA9CFBFF CALL CDRWIN5.004114F0
00457806 |. 8885 78FFFFFF MOV BYTE PTR SS:[EBP-88],AL
0045780C |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
00457810 |. 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00457816 |. E8 7F8C0000 CALL <JMP.&MFC42.#800>
0045781B |. 8B95 78FFFFFF MOV EDX,DWORD PTR SS:[EBP-88]
00457821 |. 81E2 FF000000 AND EDX,0FF
00457827 |. 85D2 TEST EDX,EDX
00457829 |. 0F85 AE000000 JNZ CDRWIN5.004578DD
0045782F |. 6A 01 PUSH 1
00457831 |. 6A 11 PUSH 11 //Push index 11h, i.e. the 18th character.
00457833 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457836 |. E8 3587FCFF CALL CDRWIN5.0041FF70
0045783B |. 50 PUSH EAX
0045783C |. 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00457842 |. E8 77920000 CALL <JMP.&MFC42.#536>
00457847 |. C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
0045784B |. 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
0045784E |. 50 PUSH EAX
0045784F |. 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00457855 |. 51 PUSH ECX
00457856 |. E8 959CFBFF CALL CDRWIN5.004114F0
0045785B |. 8885 70FFFFFF MOV BYTE PTR SS:[EBP-90],AL
00457861 |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
00457865 |. 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0045786B |. E8 2A8C0000 CALL <JMP.&MFC42.#800>
00457870 |. 8B95 70FFFFFF MOV EDX,DWORD PTR SS:[EBP-90]
00457876 |. 81E2 FF000000 AND EDX,0FF
0045787C |. 85D2 TEST EDX,EDX
0045787E |. 75 5D JNZ SHORT CDRWIN5.004578DD
00457880 |. 6A 01 PUSH 1
00457882 |. 6A 17 PUSH 17 //Push index 17h, i.e. the 24th character.
00457884 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457887 |. E8 E486FCFF CALL CDRWIN5.0041FF70
0045788C |. 50 PUSH EAX
0045788D |. 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C]
00457893 |. E8 26920000 CALL <JMP.&MFC42.#536>
00457898 |. C645 FC 06 MOV BYTE PTR SS:[EBP-4],6
0045789C |. 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
0045789F |. 50 PUSH EAX
004578A0 |. 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C]
004578A6 |. 51 PUSH ECX
004578A7 |. E8 449CFBFF CALL CDRWIN5.004114F0
004578AC |. 8885 68FFFFFF MOV BYTE PTR SS:[EBP-98],AL
004578B2 |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
004578B6 |. 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C]
004578BC |. E8 D98B0000 CALL <JMP.&MFC42.#800>
004578C1 |. 8B95 68FFFFFF MOV EDX,DWORD PTR SS:[EBP-98]
004578C7 |. 81E2 FF000000 AND EDX,0FF
004578CD |. 85D2 TEST EDX,EDX
004578CF |. 75 0C JNZ SHORT CDRWIN5.004578DD //Not taken here.
004578D1 |. C785 14FFFFFF >MOV DWORD PTR SS:[EBP-EC],0
004578DB |. EB 0A JMP SHORT CDRWIN5.004578E7 //Taken here.
004578DD |> C785 14FFFFFF >MOV DWORD PTR SS:[EBP-EC],1
004578E7 |> 8A85 14FFFFFF MOV AL,BYTE PTR SS:[EBP-EC]
004578ED |. 8845 80 MOV BYTE PTR SS:[EBP-80],AL
004578F0 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
004578F4 |. 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
004578FA |. E8 9B8B0000 CALL <JMP.&MFC42.#800>
004578FF |. 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
00457902 |. 81E1 FF000000 AND ECX,0FF
00457908 |. 85C9 TEST ECX,ECX
0045790A |. 74 46 JE SHORT CDRWIN5.00457952 //Jump away here.
*Many lines omitted*
00457952 |> C745 CC 000000>MOV DWORD PTR SS:[EBP-34],0
00457959 |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0045795C |. E8 458B0000 CALL <JMP.&MFC42.#540>
00457961 |. C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
00457965 |. 6A 0B PUSH 0B
00457967 |. 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0045796D |. 50 PUSH EAX
0045796E |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457971 |. E8 268F0000 CALL <JMP.&MFC42.#4129> //Copy the first 2 segments of the registration code to another address.
00457976 |. 8985 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EAX //The address of the first 2 segments is in EAX.
0045797C |. 8B8D 10FFFFFF MOV ECX,DWORD PTR SS:[EBP-F0]
00457982 |. 898D 0CFFFFFF MOV DWORD PTR SS:[EBP-F4],ECX
00457988 |. C645 FC 08 MOV BYTE PTR SS:[EBP-4],8
0045798C |. 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
00457992 |. 52 PUSH EDX
00457993 |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00457996 |. E8 118B0000 CALL <JMP.&MFC42.#858>
0045799B |. C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
0045799F |. 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
004579A5 |. E8 F08A0000 CALL <JMP.&MFC42.#800>
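004579AA |. 68 70E04700 PUSH CDRWIN5.0047E070 //Push the address of the character 'C'.
004579AF |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004579B2 |. E8 978E0000 CALL <JMP.&MFC42.#2764> //OK if the first 2 segments of the registration code contain 'C', otherwise no luck. The position of 'C' is returned in EAX.
004579B7 |. 83F8 FF CMP EAX,-1
004579BA |. 75 09 JNZ SHORT CDRWIN5.004579C5 //Jump if the comparison above is not equal (EAX is not -1). Taken here.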
004579BC |. C745 CC 000000>MOV DWORD PTR SS:[EBP-34],0
004579C3 |. EB 07 JMP SHORT CDRWIN5.004579CC
004579C5 |> C745 CC 010000>MOV DWORD PTR SS:[EBP-34],1 //Note this: the value of [EBP-34] must be 1; it is used at the end.
004579CC |> 837D CC 01 CMP DWORD PTR SS:[EBP-34],1
004579D0 |. 75 1B JNZ SHORT CDRWIN5.004579ED //Not taken here.
004579D2 |. 68 74E04700 PUSH CDRWIN5.0047E074 //Push the address of the character 'D'.
004579D7 |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004579DA |. E8 6F8E0000 CALL <JMP.&MFC42.#2764> //OK if the first 2 segments of the registration code contain 'D', otherwise the check fails. The position of 'D' is returned in EAX.
004579DF |. 83F8 FF CMP EAX,-1
004579E2 |. 74 09 JE SHORT CDRWIN5.004579ED //Jump if equal (EAX is -1). Not taken here.
004579E4 |. C745 CC 010000>MOV DWORD PTR SS:[EBP-34],1
004579EB |. EB 07 JMP SHORT CDRWIN5.004579F4
004579ED |> C745 CC 000000>MOV DWORD PTR SS:[EBP-34],0
004579F4 |> 837D CC 01 CMP DWORD PTR SS:[EBP-34],1
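004579F8 |. 75 1B JNZ SHORT CDRWIN5.00457A15 //Not taken here.
004579FA |. 68 78E04700 PUSH CDRWIN5.0047E078 //Push the address of the character 'R'.
004579FF |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00457A02 |. E8 478E0000 CALL <JMP.&MFC42.#2764> //OK if the first 2 segments of the registration code contain 'R', otherwise the check fails. The position of 'R' is returned in EAX.
00457A07 |. 83F8 FF CMP EAX,-1
00457A0A |. 74 09 JE SHORT CDRWIN5.00457A15 //Not taken here.
00457A0C |. C745 CC 010000>MOV DWORD PTR SS:[EBP-34],1 //See: [EBP-34] has stayed 1 throughout, which means the first 2 segments of the registration code contain the required characters. OK. Otherwise...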
00457A13 |. EB 07 JMP SHORT CDRWIN5.00457A1C
00457A15 |> C745 CC 000000>MOV DWORD PTR SS:[EBP-34],0
00457A1C |> 68 7CE04700 PUSH CDRWIN5.0047E07C
00457A21 |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
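00457A24 |. E8 258E0000 CALL <JMP.&MFC42.#2764> //If the first 2 segments of the registration code contain the character 'P', the check fails.
00457A29 |. 83F8 FF CMP EAX,-1
00457A2C |. 74 52 JE SHORT CDRWIN5.00457A80 //If it is not contained, EAX returns -1 (FFFFFFFFh). Jump taken here.
*Many lines omitted*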
00457A80 |> 68 80E04700 PUSH CDRWIN5.0047E080
00457A85 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
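00457A88 |. E8 C18D0000 CALL <JMP.&MFC42.#2764> //If the first 2 segments of the registration code contain the character 'O', the check fails.
00457A8D |. 83F8 FF CMP EAX,-1
00457A90 |. 74 52 JE SHORT CDRWIN5.00457AE4 //If it is not contained, EAX returns -1 (FFFFFFFFh). Jump taken here.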
00457A92 |. C785 54FFFFFF >MOV DWORD PTR SS:[EBP-AC],0E
00457A9C |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00457AA0 |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00457AA3 |. E8 F2890000 CALL <JMP.&MFC42.#800>
00457AA8 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00457AAC |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00457AAF |. E8 E6890000 CALL <JMP.&MFC42.#800>
00457AB4 |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457AB8 |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457ABD |. 6A 05 PUSH 5
00457ABF |. 6A 04 PUSH 4
00457AC1 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00457AC4 |. 51 PUSH ECX
00457AC5 |. E8 56960000 CALL CDRWIN5.00461120
00457ACA |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
00457AD1 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457AD4 |. E8 C1890000 CALL <JMP.&MFC42.#800>
00457AD9 |. 8B85 54FFFFFF MOV EAX,DWORD PTR SS:[EBP-AC]
00457ADF |. E9 030B0000 JMP CDRWIN5.004585E7
00457AE4 |> 68 84E04700 PUSH CDRWIN5.0047E084
00457AE9 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
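00457AEC |. E8 5D8D0000 CALL <JMP.&MFC42.#2764> //If the first 2 segments of the registration code contain the character 'I', the check fails.
00457AF1 |. 83F8 FF CMP EAX,-1
00457AF4 |. 74 52 JE SHORT CDRWIN5.00457B48 //If it is not contained, EAX returns -1 (FFFFFFFFh). Jump taken here.
*Many lines of code leading to the failure path omitted*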
00457B48 |> C745 B0 000000>MOV DWORD PTR SS:[EBP-50],0
00457B4F |. C745 A8 060000>MOV DWORD PTR SS:[EBP-58],6
00457B56 |. EB 09 JMP SHORT CDRWIN5.00457B61 //Taken here.
00457B58 |> 8B45 A8 /MOV EAX,DWORD PTR SS:[EBP-58] //The loop below sums the ASCII values of segments 2 and 3 of the registration code.
00457B5B |. 83C0 01 |ADD EAX,1
00457B5E |. 8945 A8 |MOV DWORD PTR SS:[EBP-58],EAX
00457B61 |> 837D A8 0B CMP DWORD PTR SS:[EBP-58],0B
00457B65 |. 7D 33 |JGE SHORT CDRWIN5.00457B9A
00457B67 |. 8B4D A8 |MOV ECX,DWORD PTR SS:[EBP-58]
00457B6A |. 51 |PUSH ECX
00457B6B |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00457B6E |. E8 FD83FCFF |CALL CDRWIN5.0041FF70 //Fetch the character at that position.
00457B73 |. 0FBED0 |MOVSX EDX,AL
00457B76 |. 8B45 B0 |MOV EAX,DWORD PTR SS:[EBP-50] //Load the previous intermediate result.
00457B79 |. 03C2 |ADD EAX,EDX //Accumulate.
00457B7B |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX
00457B7E |. 8B4D A8 |MOV ECX,DWORD PTR SS:[EBP-58]
00457B81 |. 83C1 06 |ADD ECX,6 //Add 6 to ECX to get the character position in segment 3.
00457B84 |. 51 |PUSH ECX
00457B85 |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00457B88 |. E8 E383FCFF |CALL CDRWIN5.0041FF70
00457B8D |. 0FBED0 |MOVSX EDX,AL
00457B90 |. 8B45 B0 |MOV EAX,DWORD PTR SS:[EBP-50] //Load the previous intermediate result.
00457B93 |. 03C2 |ADD EAX,EDX //Accumulate.
00457B95 |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX //Save the result.
00457B98 |.^EB BE \JMP SHORT CDRWIN5.00457B58 //Not finished; continue.
00457B9A |> 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50] //Load the accumulated sum into ECX.
00457B9D |. 81E1 01000080 AND ECX,80000001 //AND with 80000001h.
00457BA3 |. 79 05 JNS SHORT CDRWIN5.00457BAA //Jump if not negative.
00457BA5 |. 49 DEC ECX
00457BA6 |. 83C9 FE OR ECX,FFFFFFFE
00457BA9 |. 41 INC ECX
00457BAA |> 85C9 TEST ECX,ECX //Test whether ECX is 0 (the AND/DEC/OR/INC sequence above is the compiler's signed remainder of the sum modulo 2).
00457BAC |. 74 52 JE SHORT CDRWIN5.00457C00 //OK if ECX is 0: jump away. Otherwise the check fails.
00457BAE |. C785 4CFFFFFF >MOV DWORD PTR SS:[EBP-B4],3
00457BB8 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00457BBC |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00457BBF |. E8 D6880000 CALL <JMP.&MFC42.#800>
00457BC4 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00457BC8 |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00457BCB |. E8 CA880000 CALL <JMP.&MFC42.#800>
00457BD0 |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457BD4 |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457BD9 |. 6A 05 PUSH 5
00457BDB |. 6A 04 PUSH 4
00457BDD |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00457BE0 |. 52 PUSH EDX
00457BE1 |. E8 3A950000 CALL CDRWIN5.00461120
00457BE6 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
00457BED |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457BF0 |. E8 A5880000 CALL <JMP.&MFC42.#800>
00457BF5 |. 8B85 4CFFFFFF MOV EAX,DWORD PTR SS:[EBP-B4]
00457BFB |. E9 E7090000 JMP CDRWIN5.004585E7 //Reaching this point means failure.
00457C00 |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00457C03 |. E8 9E880000 CALL <JMP.&MFC42.#540>
00457C08 |. C645 FC 09 MOV BYTE PTR SS:[EBP-4],9
00457C0C |. 6A 10 PUSH 10 //Process index 10h, i.e. the 17th character.
00457C0E |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457C11 |. E8 5A83FCFF CALL CDRWIN5.0041FF70 //Fetch the character.
00457C16 |. 50 PUSH EAX
00457C17 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00457C1A |. E8 A9930000 CALL <JMP.&MFC42.#859>
00457C1F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00457C22 |. E8 49B5FAFF CALL CDRWIN5.00403170 //Convert the character to a hex number. E.g. 31h is the ASCII code of 1; here it becomes '1'.
00457C27 |. 50 PUSH EAX
00457C28 |. FF15 948A4600 CALL DWORD PTR DS:[<&MSVCRT.atoi>] //Convert the character to an integer.
00457C2E |. 83C4 04 ADD ESP,4
00457C31 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX //Save the integer.
00457C34 |. 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
00457C38 |. 75 70 JNZ SHORT CDRWIN5.00457CAA //Jump away if it is not 0.
00457C3A |. 6A 10 PUSH 10
00457C3C |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457C3F |. E8 2C83FCFF CALL CDRWIN5.0041FF70
00457C44 |. 0FBEC0 MOVSX EAX,AL
00457C47 |. 83F8 30 CMP EAX,30
00457C4A |. 74 5E JE SHORT CDRWIN5.00457CAA
00457C4C |. C785 48FFFFFF >MOV DWORD PTR SS:[EBP-B8],4
00457C56 |. C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
00457C5A |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00457C5D |. E8 38880000 CALL <JMP.&MFC42.#800>
00457C62 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00457C66 |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00457C69 |. E8 2C880000 CALL <JMP.&MFC42.#800>
00457C6E |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00457C72 |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00457C75 |. E8 20880000 CALL <JMP.&MFC42.#800>
00457C7A |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457C7E |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457C83 |. 6A 05 PUSH 5
00457C85 |. 6A 04 PUSH 4
00457C87 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00457C8A |. 51 PUSH ECX
00457C8B |. E8 90940000 CALL CDRWIN5.00461120
00457C90 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
00457C97 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457C9A |. E8 FB870000 CALL <JMP.&MFC42.#800>
00457C9F |. 8B85 48FFFFFF MOV EAX,DWORD PTR SS:[EBP-B8]
00457CA5 |. E9 3D090000 JMP CDRWIN5.004585E7
00457CAA |> 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] //Load the integer obtained above into EDX.
00457CAD |. 83C2 05 ADD EDX,5 //Add 5.
00457CB0 |. 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX //Save the value.
00457CB3 |. 837D F0 09 CMP DWORD PTR SS:[EBP-10],9 //Jump away if it is not greater than 9.
00457CB7 |. 0F8E 84000000 JLE CDRWIN5.00457D41 //Otherwise, the transformation below is applied.
00457CBD |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00457CC0 |. 83E8 0A SUB EAX,0A
00457CC3 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00457CC6 |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00457CC9 |. 83C1 41 ADD ECX,41
00457CCC |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
00457CCF |. 6A 18 PUSH 18
00457CD1 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457CD4 |. E8 9782FCFF CALL CDRWIN5.0041FF70
00457CD9 |. 0FBED0 MOVSX EDX,AL
00457CDC |. 3B55 F0 CMP EDX,DWORD PTR SS:[EBP-10]
00457CDF |. 74 5E JE SHORT CDRWIN5.00457D3F
00457CE1 |. C785 44FFFFFF >MOV DWORD PTR SS:[EBP-BC],5
00457CEB |. C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
00457CEF |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00457CF2 |. E8 A3870000 CALL <JMP.&MFC42.#800>
00457CF7 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00457CFB |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00457CFE |. E8 97870000 CALL <JMP.&MFC42.#800>
00457D03 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00457D07 |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00457D0A |. E8 8B870000 CALL <JMP.&MFC42.#800>
00457D0F |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457D13 |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457D18 |. 6A 05 PUSH 5
00457D1A |. 6A 04 PUSH 4
00457D1C |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00457D1F |. 50 PUSH EAX
00457D20 |. E8 FB930000 CALL CDRWIN5.00461120
00457D25 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
00457D2C |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457D2F |. E8 66870000 CALL <JMP.&MFC42.#800>
00457D34 |. 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
00457D3A |. E9 A8080000 JMP CDRWIN5.004585E7
00457D3F |> EB 79 JMP SHORT CDRWIN5.00457DBA
00457D41 |> 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] //Load the result obtained above into ECX.
00457D44 |. 83C1 30 ADD ECX,30 //Add 30h to ECX.
00457D47 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX //Save.
00457D4A |. 6A 18 PUSH 18 //Push index 18h, i.e. the 25th character.
00457D4C |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457D4F |. E8 1C82FCFF CALL CDRWIN5.0041FF70 //Fetch the character at index 18h.
00457D54 |. 0FBED0 MOVSX EDX,AL
00457D57 |. 3B55 F0 CMP EDX,DWORD PTR SS:[EBP-10] //Compare with the result computed above.
00457D5A |. 74 5E JE SHORT CDRWIN5.00457DBA //OK if equal: jump away. So this is where the 25th character comes from.
00457D5C |. C785 40FFFFFF >MOV DWORD PTR SS:[EBP-C0],6
00457D66 |. C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
00457D6A |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00457D6D |. E8 28870000 CALL <JMP.&MFC42.#800>
00457D72 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00457D76 |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00457D79 |. E8 1C870000 CALL <JMP.&MFC42.#800>
00457D7E |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00457D82 |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00457D85 |. E8 10870000 CALL <JMP.&MFC42.#800>
00457D8A |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00457D8E |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00457D93 |. 6A 05 PUSH 5
00457D95 |. 6A 04 PUSH 4
00457D97 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00457D9A |. 50 PUSH EAX
00457D9B |. E8 80930000 CALL CDRWIN5.00461120
00457DA0 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
00457DA7 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457DAA |. E8 EB860000 CALL <JMP.&MFC42.#800>
00457DAF |. 8B85 40FFFFFF MOV EAX,DWORD PTR SS:[EBP-C0]
00457DB5 |. E9 2D080000 JMP CDRWIN5.004585E7 //If the jump above is not taken, the check fails here.
00457DBA |> C745 BC 000000>MOV DWORD PTR SS:[EBP-44],0 //The loop below sums segments 1, 2, 4 and 5 of the registration code.
00457DC1 |. C745 A0 000000>MOV DWORD PTR SS:[EBP-60],0
00457DC8 |. EB 09 JMP SHORT CDRWIN5.00457DD3
00457DCA |> 8B4D A0 /MOV ECX,DWORD PTR SS:[EBP-60]
00457DCD |. 83C1 01 |ADD ECX,1 //Increment the counter.
00457DD0 |. 894D A0 |MOV DWORD PTR SS:[EBP-60],ECX
00457DD3 |> 837D A0 05 CMP DWORD PTR SS:[EBP-60],5 //The loop runs 5 times.
00457DD7 |. 7D 67 |JGE SHORT CDRWIN5.00457E40 //Jump away when the loop is done.
00457DD9 |. 8B55 A0 |MOV EDX,DWORD PTR SS:[EBP-60] //Load the relative character position into EDX.
00457DDC |. 52 |PUSH EDX
00457DDD |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00457DE0 |. E8 8B81FCFF |CALL CDRWIN5.0041FF70 //Fetch the character into AL.
00457DE5 |. 0FBEC0 |MOVSX EAX,AL
00457DE8 |. 8B4D BC |MOV ECX,DWORD PTR SS:[EBP-44]
00457DEB |. 03C8 |ADD ECX,EAX //Accumulate.
00457DED |. 894D BC |MOV DWORD PTR SS:[EBP-44],ECX
00457DF0 |. 8B55 A0 |MOV EDX,DWORD PTR SS:[EBP-60]
00457DF3 |. 83C2 06 |ADD EDX,6 //Add 6 to EDX to accumulate the characters of the second segment.
00457DF6 |. 52 |PUSH EDX
00457DF7 |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00457DFA |. E8 7181FCFF |CALL CDRWIN5.0041FF70
00457DFF |. 0FBEC0 |MOVSX EAX,AL
00457E02 |. 8B4D BC |MOV ECX,DWORD PTR SS:[EBP-44]
00457E05 |. 03C8 |ADD ECX,EAX
00457E07 |. 894D BC |MOV DWORD PTR SS:[EBP-44],ECX
00457E0A |. 8B55 A0 |MOV EDX,DWORD PTR SS:[EBP-60]
00457E0D |. 83C2 12 |ADD EDX,12 //Add 12h to EDX to accumulate the characters of the fourth segment.
00457E10 |. 52 |PUSH EDX
00457E11 |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00457E14 |. E8 5781FCFF |CALL CDRWIN5.0041FF70
00457E19 |. 0FBEC0 |MOVSX EAX,AL
00457E1C |. 8B4D BC |MOV ECX,DWORD PTR SS:[EBP-44]
00457E1F |. 03C8 |ADD ECX,EAX
00457E21 |. 894D BC |MOV DWORD PTR SS:[EBP-44],ECX
00457E24 |. 8B55 A0 |MOV EDX,DWORD PTR SS:[EBP-60]
00457E27 |. 83C2 18 |ADD EDX,18 //Add 18h to EDX to accumulate the characters of the fifth segment.
00457E2A |. 52 |PUSH EDX
00457E2B |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00457E2E |. E8 3D81FCFF |CALL CDRWIN5.0041FF70
00457E33 |. 0FBEC0 |MOVSX EAX,AL
00457E36 |. 8B4D BC |MOV ECX,DWORD PTR SS:[EBP-44]
00457E39 |. 03C8 |ADD ECX,EAX
00457E3B |. 894D BC |MOV DWORD PTR SS:[EBP-44],ECX
00457E3E |.^EB 8A \JMP SHORT CDRWIN5.00457DCA //Not finished; continue.
00457E40 |> 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
00457E43 |. E8 5E860000 CALL <JMP.&MFC42.#540>
00457E48 |. C645 FC 0A MOV BYTE PTR SS:[EBP-4],0A
00457E4C |. 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] //Load the accumulated sum into EDX.
00457E4F |. 52 PUSH EDX
00457E50 |. 68 88E04700 PUSH CDRWIN5.0047E088
00457E55 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00457E58 |. 50 PUSH EAX
00457E59 |. E8 9C860000 CALL <JMP.&MFC42.#2818>
00457E5E |. 83C4 0C ADD ESP,0C
00457E61 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00457E64 |. E8 3D860000 CALL <JMP.&MFC42.#540>
00457E69 |. C645 FC 0B MOV BYTE PTR SS:[EBP-4],0B
00457E6D |. 6A 03 PUSH 3
00457E6F |. 6A 0C PUSH 0C
00457E71 |. 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
00457E77 |. 51 PUSH ECX
00457E78 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457E7B |. E8 42910000 CALL <JMP.&MFC42.#4278> //Convert the result above digit by digit into ASCII characters. E.g. the integer 443 becomes '4','4','3'.
00457E80 |. 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00457E86 |. 8B95 08FFFFFF MOV EDX,DWORD PTR SS:[EBP-F8]
00457E8C |. 8995 04FFFFFF MOV DWORD PTR SS:[EBP-FC],EDX
00457E92 |. C645 FC 0C MOV BYTE PTR SS:[EBP-4],0C
00457E96 |. 8B85 04FFFFFF MOV EAX,DWORD PTR SS:[EBP-FC]
00457E9C |. 50 PUSH EAX
00457E9D |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00457EA0 |. E8 07860000 CALL <JMP.&MFC42.#858>
00457EA5 |. C645 FC 0B MOV BYTE PTR SS:[EBP-4],0B
00457EA9 |. 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
00457EAF |. E8 E6850000 CALL <JMP.&MFC42.#800>
00457EB4 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
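00457EB7 |. 51 PUSH ECX //ECX holds the address of the first 3 characters of the fake code's third segment.
00457EB8 |. 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00457EBB |. 52 PUSH EDX //EDX holds the address of the 3 characters produced by converting the integer to a string.
00457EBC |. E8 2F96FBFF CALL CDRWIN5.004114F0 //The comparison happens inside this function. So this is where the first 3 characters of the third segment can be obtained.
00457EC1 |. 25 FF000000 AND EAX,0FF
00457EC6 |. 85C0 TEST EAX,EAX
00457EC8 |. 74 76 JE SHORT CDRWIN5.00457F40 //If equal, jump away: the road to success.
*Many lines of code leading to the failure path omitted*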
00457F40 |> 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00457F43 |. E8 5E850000 CALL <JMP.&MFC42.#540>
00457F48 |. C645 FC 0D MOV BYTE PTR SS:[EBP-4],0D
00457F4C |. 6A 03 PUSH 3 //第3位序号进栈,其实是第四位(第一位从1数起)
。
00457F4E |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457F51 |. E8 1A80FCFF CALL CDRWIN5.0041FF70 //Fetch the character.
00457F56 |. 50 PUSH EAX
00457F57 |. 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00457F5A |. E8 69900000 CALL <JMP.&MFC42.#859>
00457F5F |. 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00457F62 |. E8 09B2FAFF CALL CDRWIN5.00403170 //Convert the fetched character from its ASCII code to a hex number, e.g. 31h becomes 1.
00457F67 |. 50 PUSH EAX
00457F68 |. FF15 948A4600 CALL DWORD PTR DS:[<&MSVCRT.atoi>]
00457F6E |. 83C4 04 ADD ESP,4
00457F71 |. 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
00457F74 |. 837D 94 00 CMP DWORD PTR SS:[EBP-6C],0 //Compare the resulting number with 0.
00457F78 |. 0F85 C0000000 JNZ CDRWIN5.0045803E //Jump if it is not 0.
00457F7E |. 6A 03 PUSH 3
00457F80 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457F83 |. E8 E87FFCFF CALL CDRWIN5.0041FF70
00457F88 |. 0FBEC8 MOVSX ECX,AL
00457F8B |. 83F9 30 CMP ECX,30
00457F8E |. 0F84 AA000000 JE CDRWIN5.0045803E //Otherwise, the code below checks whether it is an uppercase letter.
00457F94 |. 6A 03 PUSH 3
00457F96 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457F99 |. E8 D27FFCFF CALL CDRWIN5.0041FF70
00457F9E |. 0FBED0 MOVSX EDX,AL
00457FA1 |. 83FA 41 CMP EDX,41
00457FA4 |. 7C 16 JL SHORT CDRWIN5.00457FBC //If it is below the uppercase letter 'A', it fails.
00457FA6 |. 6A 03 PUSH 3
00457FA8 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00457FAB |. E8 C07FFCFF CALL CDRWIN5.0041FF70
00457FB0 |. 0FBEC0 MOVSX EAX,AL
00457FB3 |. 83F8 46 CMP EAX,46
00457FB6 |. 0F8E 82000000 JLE CDRWIN5.0045803E //If it is above 'F', that is an error too.
*Several lines leading to the failure path omitted*
0045803E |> 837D 94 00 CMP DWORD PTR SS:[EBP-6C],0
00458042 |. 75 1B JNZ SHORT CDRWIN5.0045805F //The jump is taken here.
00458044 |. 6A 03 PUSH 3 //Fetch index 3 again.
00458046 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00458049 |. E8 227FFCFF CALL CDRWIN5.0041FF70 //Fetch the character into AL.
0045804E |. 0FBED0 MOVSX EDX,AL
00458051 |. 83FA 30 CMP EDX,30 //Compare with 30h, i.e. with the character '0'.
00458054 |. 75 09 JNZ SHORT CDRWIN5.0045805F //Jump if not equal. Setting the 4th character to 0 is enough here.
00458056 |. C745 94 000000>MOV DWORD PTR SS:[EBP-6C],0
0045805D |. EB 19 JMP SHORT CDRWIN5.00458078 //If the 4th character is 0, the jump is taken here.
0045805F |> 837D 94 00 CMP DWORD PTR SS:[EBP-6C],0
00458063 |. 75 13 JNZ SHORT CDRWIN5.00458078
00458065 |. 6A 03 PUSH 3
00458067 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045806A |. E8 017FFCFF CALL CDRWIN5.0041FF70
0045806F |. 0FBEC0 MOVSX EAX,AL
00458072 |. 83E8 37 SUB EAX,37
00458075 |. 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
00458078 |> 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0045807B |. E8 26840000 CALL <JMP.&MFC42.#540>
00458080 |. C645 FC 0E MOV BYTE PTR SS:[EBP-4],0E
00458084 |. 6A 01 PUSH 1 //Process index 1, which is actually the 2nd character.
00458086 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00458089 |. E8 E27EFCFF CALL CDRWIN5.0041FF70
0045808E |. 50 PUSH EAX
0045808F |. 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00458092 |. E8 318F0000 CALL <JMP.&MFC42.#859>
00458097 |. 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0045809A |. E8 D1B0FAFF CALL CDRWIN5.00403170 //Convert the ASCII code to a hex number.
0045809F |. 50 PUSH EAX
004580A0 |. FF15 948A4600 CALL DWORD PTR DS:[<&MSVCRT.atoi>] //Convert the string to an integer.
004580A6 |. 83C4 04 ADD ESP,4
004580A9 |. 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
004580AC |. 837D C4 00 CMP DWORD PTR SS:[EBP-3C],0 //Compare with 0.
004580B0 |. 0F85 CC000000 JNZ CDRWIN5.00458182 //Jump if it is not 0.
004580B6 |. 6A 01 PUSH 1
004580B8 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004580BB |. E8 B07EFCFF CALL CDRWIN5.0041FF70
004580C0 |. 0FBEC8 MOVSX ECX,AL
004580C3 |. 83F9 30 CMP ECX,30
004580C6 |. 0F84 B6000000 JE CDRWIN5.00458182
004580CC |. 6A 01 PUSH 1
004580CE |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004580D1 |. E8 9A7EFCFF CALL CDRWIN5.0041FF70
004580D6 |. 0FBED0 MOVSX EDX,AL
004580D9 |. 83FA 41 CMP EDX,41
004580DC |. 7C 16 JL SHORT CDRWIN5.004580F4 //If it is a letter, it must not be below 'A'.
004580DE |. 6A 01 PUSH 1
004580E0 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004580E3 |. E8 887EFCFF CALL CDRWIN5.0041FF70
004580E8 |. 0FBEC0 MOVSX EAX,AL
004580EB |. 83F8 46 CMP EAX,46
004580EE |. 0F8E 8E000000 JLE CDRWIN5.00458182 //It must also not be above 'F'. Otherwise the code below fails.
*Several lines leading to the failure path omitted*
00458182 |> 837D C4 00 CMP DWORD PTR SS:[EBP-3C],0
00458186 |. 75 1B JNZ SHORT CDRWIN5.004581A3 //The jump is taken here.
00458188 |. 6A 01 PUSH 1
0045818A |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045818D |. E8 DE7DFCFF CALL CDRWIN5.0041FF70
00458192 |. 0FBED0 MOVSX EDX,AL
00458195 |. 83FA 30 CMP EDX,30
00458198 |. 75 09 JNZ SHORT CDRWIN5.004581A3
0045819A |. C745 C4 000000>MOV DWORD PTR SS:[EBP-3C],0
004581A1 |. EB 19 JMP SHORT CDRWIN5.004581BC
004581A3 |> 837D 94 00 CMP DWORD PTR SS:[EBP-6C],0
004581A7 |. 75 13 JNZ SHORT CDRWIN5.004581BC //The jump is taken here.
004581A9 |. 6A 01 PUSH 1
004581AB |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004581AE |. E8 BD7DFCFF CALL CDRWIN5.0041FF70
004581B3 |. 0FBEC0 MOVSX EAX,AL
004581B6 |. 83E8 37 SUB EAX,37 //Subtract 37h from EAX; if AL is less than 37h, the result is a negative number.
004581B9 |. 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
004581BC |> 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C] //Fetch the hex value of the 2nd character.
004581BF |. C1E1 04 SHL ECX,4 //Shift left by 4 bits.
004581C2 |. 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
004581C5 |. 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C] //Fetch the hex value of the 4th character from earlier into EDX.
004581C8 |. 0355 94 ADD EDX,DWORD PTR SS:[EBP-6C] //Add them together.
004581CB |. 8955 C4 MOV DWORD PTR SS:[EBP-3C],EDX
004581CE |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
004581D1 |. 25 07000080 AND EAX,80000007 //Finally, AND with 80000007h.
004581D6 |. 79 05 JNS SHORT CDRWIN5.004581DD //Not taken if the value is negative.
004581D8 |. 48 DEC EAX
004581D9 |. 83C8 F8 OR EAX,FFFFFFF8
004581DC |. 40 INC EAX
004581DD |> 85C0 TEST EAX,EAX //Test EAX.
004581DF |. 0F84 8E000000 JE CDRWIN5.00458273 //OK if EAX is 0. Otherwise the code below fails.
*Several lines leading to the failure path omitted*
00458273 |> C745 D8 000000>MOV DWORD PTR SS:[EBP-28],0
0045827A |. 6A 12 PUSH 12 //Now process the characters at index 12h, 13h, 14h and 15h, which are actually the 19th to 22nd characters.
0045827C |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045827F |. E8 EC7CFCFF CALL CDRWIN5.0041FF70
00458284 |. 0FBEF0 MOVSX ESI,AL
00458287 |. 6A 13 PUSH 13
00458289 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045828C |. E8 DF7CFCFF CALL CDRWIN5.0041FF70
00458291 |. 0FBED0 MOVSX EDX,AL
00458294 |. 03F2 ADD ESI,EDX //Add the 19th and 20th characters together.
00458296 |. 6A 14 PUSH 14
00458298 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045829B |. E8 D07CFCFF CALL CDRWIN5.0041FF70
004582A0 |. 0FBEC0 MOVSX EAX,AL
004582A3 |. 03F0 ADD ESI,EAX //Add the 21st character.
004582A5 |. 6A 15 PUSH 15
004582A7 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004582AA |. E8 C17CFCFF CALL CDRWIN5.0041FF70
004582AF |. 0FBEC8 MOVSX ECX,AL
004582B2 |. 034D D8 ADD ECX,DWORD PTR SS:[EBP-28]
004582B5 |. 03CE ADD ECX,ESI //Add the 22nd character.
004582B7 |. 894D D8 MOV DWORD PTR SS:[EBP-28],ECX
004582BA |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
004582BD |. 6BD2 0D IMUL EDX,EDX,0D //Multiply the sum by 0Dh.
004582C0 |. 8955 D8 MOV DWORD PTR SS:[EBP-28],EDX
004582C3 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
004582C6 |. 99 CDQ
004582C7 |. B9 0A000000 MOV ECX,0A
004582CC |. F7F9 IDIV ECX //Divide the result by 0Ah, i.e. 10.
004582CE |. 8955 C8 MOV DWORD PTR SS:[EBP-38],EDX //Save the remainder to memory.
004582D1 |. 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
004582D4 |. 83C2 30 ADD EDX,30 //Add 30h to the remainder to turn it into an ASCII code.
004582D7 |. 8955 C8 MOV DWORD PTR SS:[EBP-38],EDX
004582DA |. 6A 16 PUSH 16 //Process index 16h, i.e. the 23rd character.
004582DC |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
004582DF |. E8 8C7CFCFF CALL CDRWIN5.0041FF70 //Fetch the 23rd character.
004582E4 |. 0FBEC0 MOVSX EAX,AL
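004582E7 |. 3B45 C8 CMP EAX,DWORD PTR SS:[EBP-38] //Compare with the remainder obtained above.
004582EA |. 0F84 8E000000 JE CDRWIN5.0045837E //Equal means OK.
004582F0 |. C785 28FFFFFF >MOV DWORD PTR SS:[EBP-D8],0B //Otherwise the code below fails.
*Several lines leading to the failure path omitted*
0045837E |> 6A 02 PUSH 2 //Process index 02h, i.e. the 3rd character.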
00458380 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00458383 |. E8 E87BFCFF CALL CDRWIN5.0041FF70
00458388 |. 0FBED0 MOVSX EDX,AL
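0045838B |. 83FA 4D CMP EDX,4D //Compare with the character 'M'.
0045838E |. 0F85 8E000000 JNZ CDRWIN5.00458422 //Not equal means OK.
00458394 |. C785 24FFFFFF >MOV DWORD PTR SS:[EBP-DC],10 //Otherwise the code below fails.
*Several lines leading to the failure path omitted*
00458422 |> 6A 00 PUSH 0 //Process index 0h, i.e. the 1st character.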
00458424 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00458427 |. E8 447BFCFF CALL CDRWIN5.0041FF70
0045842C |. 0FBEC8 MOVSX ECX,AL
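0045842F |. 83F9 35 CMP ECX,35 //Compare with ASCII code 35h, i.e. with the digit 5.
00458432 |. 0F84 8E000000 JE CDRWIN5.004584C6 //Equal means OK.
00458438 |. C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],11 //Otherwise the code below fails.
*Several lines leading to the failure path omitted*
004584C6 |> 837D CC 01 CMP DWORD PTR SS:[EBP-34],1 //Note this spot: [EBP-34] holds a flag, and it must be 1. See the earlier analysis at 00457A0C.
004584CA |. 0F85 8E000000 JNZ CDRWIN5.0045855E //Otherwise it fails just the same.
004584D0 |. C785 1CFFFFFF >MOV DWORD PTR SS:[EBP-E4],41A //Only here is it a success. The constant 41Ah is stored in memory; after returning, the calling function checks for this constant.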
004584DA |. C645 FC 0D MOV BYTE PTR SS:[EBP-4],0D
004584DE |. 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
004584E1 |. E8 B47F0000 CALL <JMP.&MFC42.#800>
004584E6 |. C645 FC 0B MOV BYTE PTR SS:[EBP-4],0B
004584EA |. 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
004584ED |. E8 A87F0000 CALL <JMP.&MFC42.#800>
004584F2 |. C645 FC 0A MOV BYTE PTR SS:[EBP-4],0A
004584F6 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
004584F9 |. E8 9C7F0000 CALL <JMP.&MFC42.#800>
004584FE |. C645 FC 09 MOV BYTE PTR SS:[EBP-4],9
00458502 |. 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
00458505 |. E8 907F0000 CALL <JMP.&MFC42.#800>
0045850A |. C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
0045850E |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00458511 |. E8 847F0000 CALL <JMP.&MFC42.#800>
00458516 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
0045851A |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0045851D |. E8 787F0000 CALL <JMP.&MFC42.#800>
00458522 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00458526 |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00458529 |. E8 6C7F0000 CALL <JMP.&MFC42.#800>
0045852E |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00458532 |. 68 9A044600 PUSH <JMP.&MFC42.#800>
00458537 |. 6A 05 PUSH 5
00458539 |. 6A 04 PUSH 4
0045853B |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0045853E |. 50 PUSH EAX
0045853F |. E8 DC8B0000 CALL CDRWIN5.00461120
00458544 |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
0045854B |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0045854E |. E8 477F0000 CALL <JMP.&MFC42.#800>
00458553 |. 8B85 1CFFFFFF MOV EAX,DWORD PTR SS:[EBP-E4]
00458559 |. E9 89000000 JMP CDRWIN5.004585E7 //Only leaving through here counts as success.
*Several lines leading to the failure path omitted*
004585E7 |> 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004585EA |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
004585F1 |. 5E POP ESI
004585F2 |. 8BE5 MOV ESP,EBP
004585F4 |. 5D POP EBP
004585F5 \. C3 RETN
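The five instructions at 004581D1 to 004581DC (AND EAX,80000007 / JNS / DEC / OR EAX,FFFFFFF8 / INC) are the branch sequence a compiler emits for a signed remainder by 8. The C below is an added reading aid, not part of the original post: it emulates those instructions one by one and checks them against `x % 8`; the function names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Step-by-step emulation of the instructions at 004581D1..004581DC. */
static int32_t idiom_and_dec_or_inc(int32_t x)
{
    uint32_t eax = (uint32_t)x & 0x80000007u;  /* AND EAX,80000007 */
    if (eax & 0x80000000u) {                   /* JNS not taken: sign bit set */
        eax -= 1u;                             /* DEC EAX */
        eax |= 0xFFFFFFF8u;                    /* OR  EAX,FFFFFFF8 */
        eax += 1u;                             /* INC EAX */
    }
    return (int32_t)eax;
}

/* What the source code most likely said: C's truncating signed remainder. */
static int32_t signed_rem8(int32_t x)
{
    return x % 8;
}

/* Number of inputs in [lo, hi] on which the two functions disagree. */
static int count_mismatches(int32_t lo, int32_t hi)
{
    int bad = 0;
    for (int32_t x = lo; x <= hi; x++)
        if (idiom_and_dec_or_inc(x) != signed_rem8(x))
            bad++;
    return bad;
}

int main(void)
{
    printf("mismatches in [-4096, 4096]: %d\n", count_mismatches(-4096, 4096));
    printf("-9 -> %d, -8 -> %d, 11 -> %d\n",
           idiom_and_dec_or_inc(-9), idiom_and_dec_or_inc(-8),
           idiom_and_dec_or_inc(11));
    return 0;
}
```

The DEC/OR/INC path exists only so that negative inputs get a remainder in -7..0, as C requires; for non-negative inputs the AND alone is the answer.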
===================================================================================================
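Afterword:
After some hard work and a whole morning, I finally got this program sorted out, and I tidied up my analysis from my cracking notes as I went. I did not expect to end up with such a long write-up; I hope the experts will not laugh, and I hope to share my success and joy with fellow beginners! This program is shrouded in fog, and one careless step lands you in one of its traps. I only wanted to explain things more clearly. I did not expect to write this much: while I was writing in Notepad, the system told me it was out of memory, so I had to switch to WordPad to finish.
Thanks to everyone on the Kanxue forum for your attention! May the forum keep thriving! Happy Lantern Festival to all, and may everyone be together!
Conclusion: I did not write a keygen. It should be fairly simple. As for time!!??
User name: anything (it is not used)
Company name: anything (it is not used).
Just write down any one registration code.
Registration code: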
51R0D-211C1-44332-44444-75555
After successful registration, the user name, company name and registration code are written to the registry under H.L.M\software\CDRWIN5\.
qduwg
qduwg@163.com
Completed at noon on 10 February 2006, ETHIOPIA.