I'll keep the opening short. It has been a long time since I wrote a crack writeup, and I haven't visited 看雪 (Pediy) much lately either. I have a bit of spare time today, so I'm scribbling this down. Please go easy on me, everyone!!!!
0058EB3C /$ 55 PUSH EBP
0058EB3D |. 8BEC MOV EBP,ESP
0058EB3F |. 6A 00 PUSH 0
0058EB41 |. 6A 00 PUSH 0
0058EB43 |. 6A 00 PUSH 0
0058EB45 |. 6A 00 PUSH 0
0058EB47 |. 53 PUSH EBX
0058EB48 |. 56 PUSH ESI
0058EB49 |. 57 PUSH EDI
0058EB4A |. 8BF9 MOV EDI,ECX
0058EB4C |. 8BDA MOV EBX,EDX
0058EB4E |. 8BF0 MOV ESI,EAX
0058EB50 |. 33C0 XOR EAX,EAX
0058EB52 |. 55 PUSH EBP
0058EB53 |. 68 F6EB5800 PUSH dumped_.0058EBF6
0058EB58 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0058EB5B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0058EB5E |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0058EB61 |> E8 9260E7FF CALL dumped_.00404BF8
0058EB66 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0058EB69 |. E8 8A60E7FF CALL dumped_.00404BF8
0058EB6E |. C607 00 MOV BYTE PTR DS:[EDI],0
0058EB71 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0058EB74 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0058EB77 |. E8 54F8FFFF CALL dumped_.0058E3D0
0058EB7C |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 ; check whether the entered serial is empty
0058EB80 |. 74 59 JE SHORT dumped_.0058EBDB
0058EB82 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 ; check whether the username is empty
0058EB86 |. 74 53 JE SHORT dumped_.0058EBDB
0058EB88 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0058EB8B |. B8 0CEC5800 MOV EAX,dumped_.0058EC0C ; EAX=softaa
0058EB90 |. E8 E3E7FFFF CALL dumped_.0058D378
0058EB95 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0058EB98 |. 8BC3 MOV EAX,EBX
0058EB9A |. E8 AD60E7FF CALL dumped_.00404C4C
0058EB9F |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0058EBA2 |. 50 PUSH EAX
0058EBA3 |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
0058EBA5 |. B1 61 MOV CL,61 ; CL=61
0058EBA7 |. 66:BA F10C MOV DX,0CF1 ; DX=CF1
0058EBAB |. E8 44ECFFFF CALL dumped_.0058D7F4 ; fetch the machine code: fxiogk2b
0058EBB0 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0058EBB3 |. 8BC3 MOV EAX,EBX ; EAX=EBX=SOFTAA(0012FD90)
0058EBB5 |. E8 9260E7FF CALL dumped_.00404C4C ; fetch the entered serial
0058EBBA |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0058EBBD |. 50 PUSH EAX
0058EBBE |. 57 PUSH EDI
0058EBBF |. 8BD3 MOV EDX,EBX
0058EBC1 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; ECX=username
0058EBC4 |. 8BC6 MOV EAX,ESI
0058EBC6 |. E8 5D000000 CALL dumped_.0058EC28 ; ★★★ key CALL, step into it!!! ★★★
0058EBCB |. 84C0 TEST AL,AL
0058EBCD |. 74 0C JE SHORT dumped_.0058EBDB
=================================================================================
Stepping into the key CALL at 0058EC28
0058EC28 /$ 55 PUSH EBP
0058EC29 |. 8BEC MOV EBP,ESP
0058EC2B |. 51 PUSH ECX
0058EC2C |. B9 05000000 MOV ECX,5 ; ECX=5
0058EC31 |> 6A 00 /PUSH 0
0058EC33 |. 6A 00 |PUSH 0
0058EC35 |. 49 |DEC ECX
0058EC36 |.^ 75 F9 \JNZ SHORT dumped_.0058EC31 ; loop: push zeros 5 times
0058EC38 |. 51 PUSH ECX
0058EC39 |. 874D FC XCHG DWORD PTR SS:[EBP-4],ECX ; swap the values
0058EC3C |. 53 PUSH EBX
0058EC3D |. 56 PUSH ESI
0058EC3E |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX ; save the username to 0012FD34
0058EC41 |. 8BF2 MOV ESI,EDX
0058EC43 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0058EC46 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0058EC49 |. E8 5A64E7FF CALL dumped_.004050A8 ; fetch the entered serial
0058EC4E |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0058EC51 |. E8 5264E7FF CALL dumped_.004050A8
0058EC56 |. 33C0 XOR EAX,EAX
0058EC58 |. 55 PUSH EBP
0058EC59 |. 68 08EF5800 PUSH dumped_.0058EF08
0058EC5E |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0058EC61 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0058EC64 |. 33DB XOR EBX,EBX
0058EC66 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0058EC69 |. B8 24EF5800 MOV EAX,dumped_.0058EF24 ; softaa
0058EC6E |. E8 05E7FFFF CALL dumped_.0058D378
0058EC73 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0058EC76 |. 50 PUSH EAX
0058EC77 |. 8B06 MOV EAX,DWORD PTR DS:[ESI] ; EAX=machine code fxiogk2b
0058EC79 |. B1 78 MOV CL,78 ; CL=78
0058EC7B |. 66:BA F10C MOV DX,0CF1 ; DX=CF1
0058EC7F |. E8 70EBFFFF CALL dumped_.0058D7F4
0058EC84 |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
0058EC87 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0058EC8A |. E8 7563E7FF CALL dumped_.00405004
0058EC8F |. 0F85 50020000 JNZ dumped_.0058EEE5
0058EC95 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0058EC98 |. E8 1B62E7FF CALL dumped_.00404EB8 ; get the length of the entered serial!
0058EC9D |. 8BF0 MOV ESI,EAX
0058EC9F |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0058ECA2 |. 50 PUSH EAX
0058ECA3 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0058ECA6 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; ECX=username
0058ECA9 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; EDX=SOFTAA
0058ECAC |. E8 5362E7FF CALL dumped_.00404F04 ; concatenate SOFTAA and the username (SOFTAAfcrjzmd)
0058ECB1 |. 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
0058ECB4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0058ECB7 |. 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
0058ECBA |. BA 96010000 MOV EDX,196 ; EDX=196
0058ECBF |. E8 84FBFFFF CALL dumped_.0058E848
0058ECC4 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0058ECC7 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0058ECCA |. E8 3563E7FF CALL dumped_.00405004
0058ECCF |. 75 07 JNZ SHORT dumped_.0058ECD8
0058ECD1 |. B3 01 MOV BL,1
0058ECD3 |. E9 0D020000 JMP dumped_.0058EEE5
0058ECD8 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0058ECDB |. 50 PUSH EAX
0058ECDC |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0058ECDF |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0058ECE2 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0058ECE5 |. E8 1A62E7FF CALL dumped_.00404F04 ; concatenate SOFTAA and the username (SOFTAAfcrjzmd)
0058ECEA |. 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0058ECED |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0058ECF0 |. 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
0058ECF3 |. BA 2E000000 MOV EDX,2E
0058ECF8 |. E8 4BFBFFFF CALL dumped_.0058E848
0058ECFD |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0058ED00 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0058ED03 |. E8 FC62E7FF CALL dumped_.00405004
0058ED08 |. 75 07 JNZ SHORT dumped_.0058ED11
0058ED0A |. B3 01 MOV BL,1
0058ED0C |. E9 D4010000 JMP dumped_.0058EEE5
0058ED11 |> 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0058ED14 |. E8 9F61E7FF CALL dumped_.00404EB8
0058ED19 |. 3BF0 CMP ESI,EAX
0058ED1B |. 7E 0A JLE SHORT dumped_.0058ED27
0058ED1D |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0058ED20 |. E8 9361E7FF CALL dumped_.00404EB8
0058ED25 |. 8BF0 MOV ESI,EAX
0058ED27 |> 8BC6 MOV EAX,ESI
0058ED29 |. 83F8 01 CMP EAX,1
0058ED2C |. 7C 21 JL SHORT dumped_.0058ED4F
0058ED2E |> 84DB /TEST BL,BL
0058ED30 |. 74 10 |JE SHORT dumped_.0058ED42
0058ED32 |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
0058ED35 |. 8A5402 FF |MOV DL,BYTE PTR DS:[EDX+EAX-1]
0058ED39 |. 8B4D E8 |MOV ECX,DWORD PTR SS:[EBP-18]
0058ED3C |. 3A5401 FF |CMP DL,BYTE PTR DS:[ECX+EAX-1]
0058ED40 |. 74 04 |JE SHORT dumped_.0058ED46
0058ED42 |> 33D2 |XOR EDX,EDX
0058ED44 |. EB 02 |JMP SHORT dumped_.0058ED48
0058ED46 |> B2 01 |MOV DL,1
0058ED48 |> 8BDA |MOV EBX,EDX
0058ED4A |. 48 |DEC EAX
0058ED4B |. 85C0 |TEST EAX,EAX
0058ED4D |.^ 75 DF \JNZ SHORT dumped_.0058ED2E
0058ED4F |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0058ED52 |. 50 PUSH EAX
0058ED53 |. 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0058ED56 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0058ED59 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0058ED5C |. E8 A361E7FF CALL dumped_.00404F04 ; concatenate SOFTAA and the username (SOFTAAfcrjzmd)
0058ED61 |. 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
0058ED64 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0058ED67 |. 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
0058ED6A |. BA 38000000 MOV EDX,38
0058ED6F |. E8 D4FAFFFF CALL dumped_.0058E848
0058ED74 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0058ED77 |. E8 3C61E7FF CALL dumped_.00404EB8
0058ED7C |. 8BF0 MOV ESI,EAX
0058ED7E |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0058ED81 |. E8 3261E7FF CALL dumped_.00404EB8
0058ED86 |. 3BF0 CMP ESI,EAX
0058ED88 |. 7E 0A JLE SHORT dumped_.0058ED94
0058ED8A |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0058ED8D |. E8 2661E7FF CALL dumped_.00404EB8
0058ED92 |. 8BF0 MOV ESI,EAX
0058ED94 |> 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0058ED97 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0058ED9A |. E8 6562E7FF CALL dumped_.00405004
0058ED9F |. 75 07 JNZ SHORT dumped_.0058EDA8 ; ???
0058EDA1 |. B3 01 MOV BL,1
0058EDA3 |. E9 3D010000 JMP dumped_.0058EEE5
0058EDA8 |> 8BC6 MOV EAX,ESI
0058EDAA |. 83F8 01 CMP EAX,1
0058EDAD |. 7C 21 JL SHORT dumped_.0058EDD0
0058EDAF |> 84DB /TEST BL,BL
0058EDB1 |. 74 10 |JE SHORT dumped_.0058EDC3
0058EDB3 |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
0058EDB6 |. 8A5402 FF |MOV DL,BYTE PTR DS:[EDX+EAX-1]
0058EDBA |. 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C]
0058EDBD |. 3A5401 FF |CMP DL,BYTE PTR DS:[ECX+EAX-1]
0058EDC1 |. 74 04 |JE SHORT dumped_.0058EDC7
0058EDC3 |> 33D2 |XOR EDX,EDX
0058EDC5 |. EB 02 |JMP SHORT dumped_.0058EDC9
0058EDC7 |> B2 01 |MOV DL,1
0058EDC9 |> 8BDA |MOV EBX,EDX
0058EDCB |. 48 |DEC EAX
0058EDCC |. 85C0 |TEST EAX,EAX
0058EDCE |.^ 75 DF \JNZ SHORT dumped_.0058EDAF
0058EDD0 |> B3 01 MOV BL,1
0058EDD2 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0058EDD5 |. 50 PUSH EAX
0058EDD6 |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0058EDD9 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0058EDDC |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0058EDDF |. E8 2061E7FF CALL dumped_.00404F04 ; concatenate SOFTAA and the username (SOFTAAfcrjzmd)
0058EDE4 |. 8B4D D0 MOV ECX,DWORD PTR SS:[EBP-30]
0058EDE7 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0058EDEA |. 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
0058EDED |. BA C8010000 MOV EDX,1C8 ; EDX=1C8
0058EDF2 |. E8 51FAFFFF CALL dumped_.0058E848 ; ◆ key algorithm CALL, step into it!! ◆
0058EDF7 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0058EDFA |. BA 34EF5800 MOV EDX,dumped_.0058EF34 ; EDX=th4gi8fsu0
0058EDFF |. E8 8C5EE7FF CALL dumped_.00404C90 ; fetch the entered serial
0058EE04 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0058EE07 |. E8 AC60E7FF CALL dumped_.00404EB8 ; get the length of the entered serial!!
0058EE0C |. 8BF0 MOV ESI,EAX
0058EE0E |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; ┥ the real serial appears!!! 145122-19050768-18314466
0058EE11 |. E8 A260E7FF CALL dumped_.00404EB8 ; get the length of the real serial!
0058EE16 |. 3BF0 CMP ESI,EAX ; compare the lengths of the real and entered serials!! if they differ, registration fails!
0058EE18 |. 74 07 JE SHORT dumped_.0058EE21
0058EE1A |. 33DB XOR EBX,EBX ; clear EBX
0058EE1C |. E9 C4000000 JMP dumped_.0058EEE5 ; unconditional jump to failure!!
0058EE21 |> 8BC6 MOV EAX,ESI
0058EE23 |. 83E8 04 SUB EAX,4
0058EE26 |. 83F8 08 CMP EAX,8
0058EE29 |. 7C 22 JL SHORT dumped_.0058EE4D
0058EE2B |> 84DB /TEST BL,BL
0058EE2D |. 74 10 |JE SHORT dumped_.0058EE3F
0058EE2F |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
0058EE32 |. 8A5402 FF |MOV DL,BYTE PTR DS:[EDX+EAX-1]
0058EE36 |. 8B4D F0 |MOV ECX,DWORD PTR SS:[EBP-10]
0058EE39 |. 3A5401 FF |CMP DL,BYTE PTR DS:[ECX+EAX-1]
0058EE3D |. 74 04 |JE SHORT dumped_.0058EE43
0058EE3F |> 33D2 |XOR EDX,EDX
0058EE41 |. EB 02 |JMP SHORT dumped_.0058EE45
0058EE43 |> B2 01 |MOV DL,1
0058EE45 |> 8BDA |MOV EBX,EDX
0058EE47 |. 48 |DEC EAX
0058EE48 |. 83F8 07 |CMP EAX,7
0058EE4B |.^ 75 DE \JNZ SHORT dumped_.0058EE2B
0058EE4D |> B8 01000000 MOV EAX,1
0058EE52 |> 84DB /TEST BL,BL
0058EE54 |. 74 0B |JE SHORT dumped_.0058EE61
0058EE56 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
0058EE59 |. 8A5402 FF |MOV DL,BYTE PTR DS:[EDX+EAX-1]
0058EE5D |. 3AD2 |CMP DL,DL
0058EE5F |. 74 04 |JE SHORT dumped_.0058EE65
0058EE61 |> 33D2 |XOR EDX,EDX
0058EE63 |. EB 02 |JMP SHORT dumped_.0058EE67
0058EE65 |> B2 01 |MOV DL,1
0058EE67 |> 8BDA |MOV EBX,EDX
0058EE69 |. 40 |INC EAX
0058EE6A |. 83F8 09 |CMP EAX,9
0058EE6D |.^ 75 E3 \JNZ SHORT dumped_.0058EE52
0058EE6F |. 8BC6 MOV EAX,ESI
0058EE71 |. 83F8 08 CMP EAX,8
0058EE74 |. 7C 22 JL SHORT dumped_.0058EE98
0058EE76 |> 84DB /TEST BL,BL
0058EE78 |. 74 10 |JE SHORT dumped_.0058EE8A
0058EE7A |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
0058EE7D |. 8A5402 FF |MOV DL,BYTE PTR DS:[EDX+EAX-1]
0058EE81 |. 8B4D F0 |MOV ECX,DWORD PTR SS:[EBP-10]
0058EE84 |. 3A5401 FF |CMP DL,BYTE PTR DS:[ECX+EAX-1]
0058EE88 |. 74 04 |JE SHORT dumped_.0058EE8E
0058EE8A |> 33D2 |XOR EDX,EDX
0058EE8C |. EB 02 |JMP SHORT dumped_.0058EE90
0058EE8E |> B2 01 |MOV DL,1
0058EE90 |> 8BDA |MOV EBX,EDX
0058EE92 |. 48 |DEC EAX
0058EE93 |. 83F8 07 |CMP EAX,7
0058EE96 |.^ 75 DE \JNZ SHORT dumped_.0058EE76
0058EE98 |> B8 01000000 MOV EAX,1
0058EE9D |> 84DB /TEST BL,BL
0058EE9F |. 74 0B |JE SHORT dumped_.0058EEAC
0058EEA1 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
0058EEA4 |. 8A5402 FF |MOV DL,BYTE PTR DS:[EDX+EAX-1]
0058EEA8 |. 3AD2 |CMP DL,DL
0058EEAA |. 74 04 |JE SHORT dumped_.0058EEB0
0058EEAC |> 33D2 |XOR EDX,EDX
0058EEAE |. EB 02 |JMP SHORT dumped_.0058EEB2
0058EEB0 |> B2 01 |MOV DL,1
0058EEB2 |> 8BDA |MOV EBX,EDX
0058EEB4 |. 40 |INC EAX
0058EEB5 |. 83F8 03 |CMP EAX,3
0058EEB8 |.^ 75 E3 \JNZ SHORT dumped_.0058EE9D
0058EEBA |. B8 0A000000 MOV EAX,0A
0058EEBF |> 84DB /TEST BL,BL
0058EEC1 |. 74 10 |JE SHORT dumped_.0058EED3
0058EEC3 |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
0058EEC6 |. 8A5402 FF |MOV DL,BYTE PTR DS:[EDX+EAX-1]
0058EECA |. 8B4D F0 |MOV ECX,DWORD PTR SS:[EBP-10]
0058EECD |. 3A5401 FF |CMP DL,BYTE PTR DS:[ECX+EAX-1]
0058EED1 |. 74 04 |JE SHORT dumped_.0058EED7
0058EED3 |> 33D2 |XOR EDX,EDX
0058EED5 |. EB 02 |JMP SHORT dumped_.0058EED9
0058EED7 |> B2 01 |MOV DL,1
0058EED9 |> 8BDA |MOV EBX,EDX
0058EEDB |. 48 |DEC EAX
0058EEDC |. 85C0 |TEST EAX,EAX
0058EEDE |.^ 75 DF \JNZ SHORT dumped_.0058EEBF
0058EEE0 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0058EEE3 |. 8818 MOV BYTE PTR DS:[EAX],BL
0058EEE5 |> 33C0 XOR EAX,EAX
0058EEE7 |. 5A POP EDX
0058EEE8 |. 59 POP ECX
0058EEE9 |. 59 POP ECX
0058EEEA |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0058EEED |. 68 0FEF5800 PUSH dumped_.0058EF0F
0058EEF2 |> 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0058EEF5 |. BA 0B000000 MOV EDX,0B
0058EEFA |. E8 1D5DE7FF CALL dumped_.00404C1C
0058EEFF |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
0058EF02 |. E8 F15CE7FF CALL dumped_.00404BF8
0058EF07 \. C3 RETN
===================================================================================
Stepping into the key algorithm CALL at 0058E848
0058E848 /$ 55 PUSH EBP
0058E849 |. 8BEC MOV EBP,ESP
0058E84B |. 6A 00 PUSH 0
0058E84D |. 6A 00 PUSH 0
0058E84F |. 6A 00 PUSH 0
0058E851 |. 6A 00 PUSH 0
0058E853 |. 6A 00 PUSH 0
0058E855 |. 6A 00 PUSH 0
0058E857 |. 6A 00 PUSH 0
0058E859 |. 53 PUSH EBX
0058E85A |. 56 PUSH ESI
0058E85B |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX ; save the username to 0012FCE4
0058E85E |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX ; save EDX=1C8 to 0012FCE8
0058E861 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX=the merged username SOFTAAfcrjzmd
0058E864 |. E8 3F68E7FF CALL dumped_.004050A8
0058E869 |. 33C0 XOR EAX,EAX ; clear EAX
0058E86B |. 55 PUSH EBP
0058E86C |. 68 7FE95800 PUSH dumped_.0058E97F
0058E871 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0058E874 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0058E877 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0058E87A |. BA 98E95800 MOV EDX,dumped_.0058E998 ; error
0058E87F |. E8 0C64E7FF CALL dumped_.00404C90
0058E884 |. 33DB XOR EBX,EBX ; clear EBX
0058E886 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 ; check whether the value just saved at 0012FCE8 equals 0!!
0058E88A |. 0F84 BC000000 JE dumped_.0058E94C
0058E890 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 ; check whether the merged username's length equals 0!
0058E894 |. 0F84 B2000000 JE dumped_.0058E94C
0058E89A |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; if not, load the merged username into EAX
0058E89D |. E8 1666E7FF CALL dumped_.00404EB8 ; get the length of the merged username
0058E8A2 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; save the length to 0012FCDC
0058E8A5 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; load the length
0058E8A8 |. 85C0 TEST EAX,EAX ; test the length
0058E8AA |. 7E 13 JLE SHORT dumped_.0058E8BF ; jump if less than or equal to 0
0058E8AC |. BA 01000000 MOV EDX,1 ; EDX=1
0058E8B1 |> 8B4D F8 /MOV ECX,DWORD PTR SS:[EBP-8] ; merged username into ECX
0058E8B4 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; fetch the characters one at a time into ECX
0058E8B9 |. 03D9 |ADD EBX,ECX ; EBX=EBX+ECX (the final sum is 4AE)
0058E8BB |. 42 |INC EDX ; EDX+1
0058E8BC |. 48 |DEC EAX ; EAX-1, the counter
0058E8BD |.^ 75 F2 \JNZ SHORT dumped_.0058E8B1 ; loop until done
0058E8BF |> 81FB C8000000 CMP EBX,0C8 ; compare the accumulated sum with 0C8!
0058E8C5 |. 7E 0C JLE SHORT dumped_.0058E8D3 ; jump if less than or equal
0058E8C7 |. 8BC3 MOV EAX,EBX ; accumulated sum into EAX (4AE)
0058E8C9 |. B9 C8000000 MOV ECX,0C8 ; ECX=0C8
0058E8CE |. 99 CDQ ; sign-extend EAX into EDX
0058E8CF |. F7F9 IDIV ECX ; EAX/ECX: quotient to EAX (5), remainder to EDX (C6)
0058E8D1 |. 8BDA MOV EBX,EDX ; remainder into EBX (C6)
0058E8D3 |> 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4] ; ESI=1C8
0058E8D6 |. 0FAF75 F0 IMUL ESI,DWORD PTR SS:[EBP-10] ; 1C8 * D (length of SOFTAA+username), ESI=1728
0058E8DA |. 69C3 BF020000 IMUL EAX,EBX,2BF ; EAX=remainder*2BF (C6*2BF=21FBA)
0058E8E0 |. 03F0 ADD ESI,EAX ; ESI=ESI+EAX (1728+21FBA=236E2)
0058E8E2 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0058E8E5 |. 8BC6 MOV EAX,ESI ; the sum into EAX (236E2)
0058E8E7 |. E8 ECB3E7FF CALL dumped_.00409CD8 ; convert the value 236E2 to its decimal string (145122)
0058E8EC |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] ; the converted string is kept in EDX
0058E8EF |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0058E8F2 |. B9 A8E95800 MOV ECX,dumped_.0058E9A8 ; the "-" into ECX
0058E8F7 |. E8 0866E7FF CALL dumped_.00404F04 ; join the decimal value and "-" into 145122-
0058E8FC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; EAX=1C8
0058E8FF |. F7EB IMUL EBX ; EAX=EAX*EBX (160B0)
0058E901 |. 69F0 D3000000 IMUL ESI,EAX,0D3 ; ESI=EAX*0D3 (122B110)
0058E907 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0058E90A |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0058E90D |. 8BC6 MOV EAX,ESI ; the result (122B110) into EAX
0058E90F |. E8 C4B3E7FF CALL dumped_.00409CD8 ; convert the value 122B110 to its decimal string (19050768)
0058E914 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
0058E917 |. 68 A8E95800 PUSH dumped_.0058E9A8 ; push the "-"
0058E91C |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0058E91F |. BA 03000000 MOV EDX,3 ; EDX=3
0058E924 |. E8 4F66E7FF CALL dumped_.00404F78 ; join with the second part: 145122-19050768
0058E929 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; merged username length into EAX (D)
0058E92C |. F7EB IMUL EBX ; EAX=length*remainder (D*C6=A0E)
0058E92E |. 69F0 CB1B0000 IMUL ESI,EAX,1BCB ; ESI=EAX*1BCB (A0E*1BCB=117731A)
0058E934 |. 0375 FC ADD ESI,DWORD PTR SS:[EBP-4] ; ESI=ESI+1C8 (117731A+1C8=11774E2)
0058E937 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0058E93A |. 8BC6 MOV EAX,ESI ; the result (11774E2) into EAX
0058E93C |. E8 97B3E7FF CALL dumped_.00409CD8 ; convert the value 11774E2 to its decimal string (18314466)
0058E941 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] ; the converted string is kept in EDX
0058E944 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0058E947 |. E8 7465E7FF CALL dumped_.00404EC0 ; join with the third part: 145122-19050768-18314466
0058E94C |> 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0058E94F |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; the joined string is the real serial, moved into EDX (145122-19050768-18314466)
0058E952 |. E8 F562E7FF CALL dumped_.00404C4C
0058E957 |. 33C0 XOR EAX,EAX
0058E959 |. 5A POP EDX
0058E95A |. 59 POP ECX
0058E95B |. 59 POP ECX
0058E95C |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0058E95F |. 68 86E95800 PUSH dumped_.0058E986
0058E964 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0058E967 |. BA 03000000 MOV EDX,3
0058E96C |. E8 AB62E7FF CALL dumped_.00404C1C
0058E971 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0058E974 |. BA 02000000 MOV EDX,2
0058E979 |. E8 9E62E7FF CALL dumped_.00404C1C
0058E97E \. C3 RETN
Algorithm flow:
Part 1:
1. Add up the ASCII codes of the characters of the username (as merged with SOFTAA in the trace above); divide the sum by 0C8 and multiply the remainder by 2BF.
2. Multiply the length of SOFTAA+username by 1C8.
3. Step 1 + step 2, written in decimal, is the first part of the serial!!
Part 2:
1. 1C8 times the remainder, times 0D3, written in decimal, is the second part of the serial!!
Part 3:
1. The length of SOFTAA+username times the remainder, times 1BCB, plus 1C8, written in decimal, is the third part of the serial!!
Part 4, summary and registration info:
Join the three parts above in the form ※※※※※-※※※※※-※※※※※ and enter that as the serial. After successful registration the following is written to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\lsjsoft\fm]
"InstDir"="C:\\Program Files\\阳光软件\\文件管理专家"
"SerialNo"="145122-19050768-18314466"
"UserName"="fcrjzmd"
This program uses a typical restart-validation scheme. The algorithm is very simple; the software is packed, but the packer is weak, so unpack it by hand; I won't go into that here. I'm a newbie and hope this helps a few beginners get started. I hope to exchange experience with enthusiastic crackers, and that the experts will not hesitate to correct me. Thank you for reading this crude writeup; my writing is poor and errors are inevitable. ;-6
fcrjzmd
22:39 2005-2-10