[原创]第一题分析结果提交
发表于: 2016-11-3 11:10 2552
家里电脑主板坏了,在网吧上网直接OLLYICE伺候~~~~
00D81395 . FF15 5880D900 call dword ptr [<&KERNEL32.OpenProces>; \OpenProcess
00D8139B . 56 push esi
00D8139C . 8BD8 mov ebx, eax
00D8139E . E8 3C190000 call 00D82CDF
00D813A3 . 57 push edi
00D813A4 . E8 36190000 call 00D82CDF
00D813A9 . 83C4 08 add esp, 8
00D813AC . 85DB test ebx, ebx
00D813AE . 75 14 jnz short 00D813C4 ; 反调试关键跳,不能跳
00D813B0 . 5F pop edi
00D813B1 . 5E pop esi
00D813B2 . 83C8 FF or eax, FFFFFFFF
00D813B5 . 5B pop ebx
00D813B6 . 8B4D FC mov ecx, dword ptr [ebp-4]
00D813B9 . 33CD xor ecx, ebp
00D813BB . E8 05190000 call 00D82CC5
00D813C0 . 8BE5 mov esp, ebp
00D813C2 . 5D pop ebp
00D813C3 . C3 retn
00D813C4 > 8D45 F8 lea eax, dword ptr [ebp-8]
00D813C7 . 50 push eax
00D813C8 . 6A 18 push 18
00D813CA . 8D85 B4FDFFFF lea eax, dword ptr [ebp-24C]
00D813D0 . 50 push eax
00D813D1 . 6A 00 push 0
00D813D3 . 53 push ebx
00D813D4 . FF95 B0FDFFFF call dword ptr [ebp-250]
00D813DA . 8B85 C8FDFFFF mov eax, dword ptr [ebp-238]
00D813E0 . 53 push ebx ; /hObject
00D813E1 . 8985 ACFDFFFF mov dword ptr [ebp-254], eax ; |
00D813E7 . FF15 6080D900 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00D813ED . E8 EC340000 call 00D848DE
00D813F2 . 6A 00 push 0 ; /ProcessID = 0
00D813F4 . 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
00D813F6 . FF15 6480D900 call dword ptr [<&KERNEL32.CreateTool>; \CreateToolhelp32Snapshot
010F1DE6 . 83FE 07 cmp esi, 7 ; 比较假码位数和7的值
010F1DE9 . 73 0B jnb short 010F1DF6 ; 大于等于7就跳
010F1DEB . 6A 00 push 0
010F1DED . 6A 00 push 0
010F1DEF . 68 0E040000 push 40E
010F1DF4 . EB 0B jmp short 010F1E01
010F1DF6 > 76 2C jbe short 010F1E24
010F1DF8 . 6A 00 push 0
010F1DFA . 6A 00 push 0
010F1DFC . 68 0D040000 push 40D
010F1E01 > FF77 04 push dword ptr [edi+4] ; |hWnd
010F1E04 . FF15 50811001 call dword ptr [<&USER32.SendMessageW>; \SendMessageW
010F1E0A . 53 push ebx
010F1E0B . E8 CF0E0000 call 010F2CDF
010F1E10 . 83C4 04 add esp, 4
010F192F . /73 07 jnb short 010F1938
010F1931 . |66:833447 50 xor word ptr [edi+eax*2], 50 ; 字符p
010F1936 . |EB 05 jmp short 010F193D
010F1938 > \66:833447 42 xor word ptr [edi+eax*2], 42 ; 字符b 检测注册码中是否包含字符b和p
010F193D > 40 inc eax
010F19EA 83F9 02 cmp ecx, 2 ; 比较注册码中包含的字母数量和2的值
010F19ED 75 4A jnz short 010F1A39
010F19EF 33C0 xor eax, eax
010F19F1 C745 F0 3100350>mov dword ptr [ebp-10], 350031
010F19F8 C745 F4 5000420>mov dword ptr [ebp-C], 420050
010F19FF 8D77 04 lea esi, dword ptr [edi+4]
010F1A02 66:8945 F8 mov word ptr [ebp-8], ax
01341A0A 8400 test byte ptr [eax], al
01341A0C 0000 add byte ptr [eax], al
01341A0E 0000 add byte ptr [eax], al
01341A10 66:8B444D F0 mov ax, word ptr [ebp+ecx*2-10]
01341A15 66:3B06 cmp ax, word ptr [esi] ; 注册码中间部分必须为15pb
01341A18 75 1F jnz short 01341A39
01341A1A 41 inc ecx
01341A1B 83C6 02 add esi, 2
01341A1E 83F9 04 cmp ecx, 4
01341A21 ^ 72 ED jb short 01341A10
01341A23 8BD7 mov edx, edi
01341A25 8BCB mov ecx, ebx
01341A27 E8 14FDFFFF call 01341740
01341A2C 6A 00 push 0
01341A2E 85C0 test eax, eax ; eax不能为0
01341813 . 66:3B040E cmp ax, word ptr [esi+ecx] ; 注册码第1位为1,第2位为2
01341817 . 75 42 jnz short 0134185B
01341819 . 83C2 06 add edx, 6
0134181C . 83C1 02 add ecx, 2
0134181F . 83FA 39 cmp edx, 39
01341822 .^ 7E EC jle short 01341810
01341824 . 0FB74F 12 movzx ecx, word ptr [edi+12]
01341828 . 0FB703 movzx eax, word ptr [ebx]
0134182B . 03C8 add ecx, eax
0134182D . 83F9 63 cmp ecx, 63
01341830 . 75 29 jnz short 0134185B
01341832 . 8B45 B4 mov eax, dword ptr [ebp-4C]
01341835 . 0FB74F 0C movzx ecx, word ptr [edi+C]
01341839 . 0308 add ecx, dword ptr [eax]
0134183B . 8B45 B0 mov eax, dword ptr [ebp-50]
0134183E . 0FB700 movzx eax, word ptr [eax]
01341841 . 3BC1 cmp eax, ecx ; 注册码最后一位必须为8
经过以上分析(注册码长度为7位,第1、2位分别为1、2,中间4位为15pb,最后一位为8),真正注册码结果为 1215pb8
00D81395 . FF15 5880D900 call dword ptr [<&KERNEL32.OpenProces>; \OpenProcess
00D8139B . 56 push esi
00D8139C . 8BD8 mov ebx, eax
00D8139E . E8 3C190000 call 00D82CDF
00D813A3 . 57 push edi
00D813A4 . E8 36190000 call 00D82CDF
00D813A9 . 83C4 08 add esp, 8
00D813AC . 85DB test ebx, ebx
00D813AE . 75 14 jnz short 00D813C4 ; 反调试关键跳,不能跳
00D813B0 . 5F pop edi
00D813B1 . 5E pop esi
00D813B2 . 83C8 FF or eax, FFFFFFFF
00D813B5 . 5B pop ebx
00D813B6 . 8B4D FC mov ecx, dword ptr [ebp-4]
00D813B9 . 33CD xor ecx, ebp
00D813BB . E8 05190000 call 00D82CC5
00D813C0 . 8BE5 mov esp, ebp
00D813C2 . 5D pop ebp
00D813C3 . C3 retn
00D813C4 > 8D45 F8 lea eax, dword ptr [ebp-8]
00D813C7 . 50 push eax
00D813C8 . 6A 18 push 18
00D813CA . 8D85 B4FDFFFF lea eax, dword ptr [ebp-24C]
00D813D0 . 50 push eax
00D813D1 . 6A 00 push 0
00D813D3 . 53 push ebx
00D813D4 . FF95 B0FDFFFF call dword ptr [ebp-250]
00D813DA . 8B85 C8FDFFFF mov eax, dword ptr [ebp-238]
00D813E0 . 53 push ebx ; /hObject
00D813E1 . 8985 ACFDFFFF mov dword ptr [ebp-254], eax ; |
00D813E7 . FF15 6080D900 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00D813ED . E8 EC340000 call 00D848DE
00D813F2 . 6A 00 push 0 ; /ProcessID = 0
00D813F4 . 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
00D813F6 . FF15 6480D900 call dword ptr [<&KERNEL32.CreateTool>; \CreateToolhelp32Snapshot
010F1DE6 . 83FE 07 cmp esi, 7 ; 比较假码位数和7的值
010F1DE9 . 73 0B jnb short 010F1DF6 ; 大于等于7就跳
010F1DEB . 6A 00 push 0
010F1DED . 6A 00 push 0
010F1DEF . 68 0E040000 push 40E
010F1DF4 . EB 0B jmp short 010F1E01
010F1DF6 > 76 2C jbe short 010F1E24
010F1DF8 . 6A 00 push 0
010F1DFA . 6A 00 push 0
010F1DFC . 68 0D040000 push 40D
010F1E01 > FF77 04 push dword ptr [edi+4] ; |hWnd
010F1E04 . FF15 50811001 call dword ptr [<&USER32.SendMessageW>; \SendMessageW
010F1E0A . 53 push ebx
010F1E0B . E8 CF0E0000 call 010F2CDF
010F1E10 . 83C4 04 add esp, 4
010F192F . /73 07 jnb short 010F1938
010F1931 . |66:833447 50 xor word ptr [edi+eax*2], 50 ; 字符p
010F1936 . |EB 05 jmp short 010F193D
010F1938 > \66:833447 42 xor word ptr [edi+eax*2], 42 ; 字符b 检测注册码中是否包含字符b和p
010F193D > 40 inc eax
010F19EA 83F9 02 cmp ecx, 2 ; 比较注册码中包含的字母数量和2的值
010F19ED 75 4A jnz short 010F1A39
010F19EF 33C0 xor eax, eax
010F19F1 C745 F0 3100350>mov dword ptr [ebp-10], 350031
010F19F8 C745 F4 5000420>mov dword ptr [ebp-C], 420050
010F19FF 8D77 04 lea esi, dword ptr [edi+4]
010F1A02 66:8945 F8 mov word ptr [ebp-8], ax
01341A0A 8400 test byte ptr [eax], al
01341A0C 0000 add byte ptr [eax], al
01341A0E 0000 add byte ptr [eax], al
01341A10 66:8B444D F0 mov ax, word ptr [ebp+ecx*2-10]
01341A15 66:3B06 cmp ax, word ptr [esi] ; 注册码中间部分必须为15pb
01341A18 75 1F jnz short 01341A39
01341A1A 41 inc ecx
01341A1B 83C6 02 add esi, 2
01341A1E 83F9 04 cmp ecx, 4
01341A21 ^ 72 ED jb short 01341A10
01341A23 8BD7 mov edx, edi
01341A25 8BCB mov ecx, ebx
01341A27 E8 14FDFFFF call 01341740
01341A2C 6A 00 push 0
01341A2E 85C0 test eax, eax ; eax不能为0
01341813 . 66:3B040E cmp ax, word ptr [esi+ecx] ; 注册码第1位为1,第2位为2
01341817 . 75 42 jnz short 0134185B
01341819 . 83C2 06 add edx, 6
0134181C . 83C1 02 add ecx, 2
0134181F . 83FA 39 cmp edx, 39
01341822 .^ 7E EC jle short 01341810
01341824 . 0FB74F 12 movzx ecx, word ptr [edi+12]
01341828 . 0FB703 movzx eax, word ptr [ebx]
0134182B . 03C8 add ecx, eax
0134182D . 83F9 63 cmp ecx, 63
01341830 . 75 29 jnz short 0134185B
01341832 . 8B45 B4 mov eax, dword ptr [ebp-4C]
01341835 . 0FB74F 0C movzx ecx, word ptr [edi+C]
01341839 . 0308 add ecx, dword ptr [eax]
0134183B . 8B45 B0 mov eax, dword ptr [ebp-50]
0134183E . 0FB700 movzx eax, word ptr [eax]
01341841 . 3BC1 cmp eax, ecx ; 注册码最后一位必须为8
经过以上分析(注册码长度为7位,第1、2位分别为1、2,中间4位为15pb,最后一位为8),真正注册码结果为 1215pb8