【标题】【delphi】【简单】Wsnap V1.3.79 注册算法分析
【作者】 forever[RCT]
【语言】 delphi
【保护】 无壳,注册码
【级别】 简单
【工具】 peid,ollydbg,dede
【简介】 是一款易用的屏幕捕捉工具,可以帮助您制作产品图解页面,多媒体演示文稿,技术手册或网页文章。它是完全可配置的并且可以捕捉屏幕的任何一个区域。本软件更为突出的是您只要轻点一下鼠标就能捕捉任何屏幕元素,支持3D游戏以及flash动画的画面抓取,可以分别选择全屏,当前窗口,手绘区域等不同的抓图区域,并且可以更换软件皮肤。
首先用PEID检查一下,是DELPHI的程序,没提示加壳。用dede载入也没发现异常。看来是没壳。
这个软件运行时会出现一个提示注册的窗口,要求输入用户名和注册码。在dede里找一下这个窗体吧。见图。
作者很厚道,既然名字给得这么直接,也免得麻烦到处找了。:)
dede的注释很清晰,直接分析一下Button1Click吧。这里是注册验证部分。
// Button1Click of the registration form (DeDe listing).
// Flow: read edits e1..e4 -> concatenate -> require length >= 20 -> call the validator at 00588ED0
// -> on success write 'regkey' and 'regto' under software\gsave and show the success message.
// The user name (Edit1) is read only after validation has succeeded; it is not passed to the validator.
00532CA0 55 push ebp
00532CA1 8BEC mov ebp, esp
00532CA3 B908000000 mov ecx, $00000008 // loop counter: 8 iterations x 2 pushes = 16 zeroed dwords of locals
00532CA8 6A00 push $00
00532CAA 6A00 push $00
00532CAC 49 dec ecx
00532CAD 75F9 jnz 00532CA8
00532CAF 53 push ebx
00532CB0 56 push esi
00532CB1 8BD8 mov ebx, eax // ebx = eax on entry; the control references below are read through ebx
00532CB3 33C0 xor eax, eax
00532CB5 55 push ebp
00532CB6 68882E5300 push $00532E88
***** TRY
|
00532CBB 64FF30 push dword ptr fs:[eax]
00532CBE 648920 mov fs:[eax], esp
00532CC1 8D55F8 lea edx, [ebp-$08]
* Reference to control e1 : N.A.
|
00532CC4 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532CCA E831C7F3FF call 0046F400 // read key part 1 (edit e1)
00532CCF FF75F8 push dword ptr [ebp-$08]
00532CD2 8D55F4 lea edx, [ebp-$0C]
* Reference to control e2 : N.A.
|
00532CD5 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532CDB E820C7F3FF call 0046F400 // read key part 2 (edit e2)
00532CE0 FF75F4 push dword ptr [ebp-$0C]
00532CE3 8D55F0 lea edx, [ebp-$10]
* Reference to control e3 : N.A.
|
00532CE6 8B8304030000 mov eax, [ebx+$0304]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532CEC E80FC7F3FF call 0046F400 // read key part 3 (edit e3)
00532CF1 FF75F0 push dword ptr [ebp-$10]
00532CF4 8D55EC lea edx, [ebp-$14]
* Reference to control e4 : N.A.
|
00532CF7 8B830C030000 mov eax, [ebx+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532CFD E8FEC6F3FF call 0046F400 // read key part 4 (edit e4)
00532D02 FF75EC push dword ptr [ebp-$14]
00532D05 8D45FC lea eax, [ebp-$04]
00532D08 BA04000000 mov edx, $00000004
* Reference to: System.@LStrCatN;
|
00532D0D E8FA1AEDFF call 0040480C // concatenate the four parts into [ebp-$04]
00532D12 8B45FC mov eax, [ebp-$04]
* Reference to: System.@LStrLen(String):Integer;
| or: System.@DynArrayLength;
| or: System.DynArraySize(Pointer):Integer;
| or: Variants.DynArraySize(Pointer):Integer;
|
00532D15 E8321AEDFF call 0040474C // get the length of the concatenated string
00532D1A 83F814 cmp eax, +$14 // compare the length with 20 ($14)
00532D1D 7D0F jnl 00532D2E // length >= 20: continue with validation
* Possible String Reference to: 'Sorry, this key isn't valid.'
|
00532D1F B8A02E5300 mov eax, $00532EA0
* Reference to: Dialogs.ShowMessage(AnsiString);
|
00532D24 E87F43F0FF call 004370A8 // shorter than 20: show the "key isn't valid" message
00532D29 E93F010000 jmp 00532E6D
00532D2E 8D55E4 lea edx, [ebp-$1C] // second pass: the four edits are read and concatenated again
* Reference to control e1 : N.A.
|
00532D31 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532D37 E8C4C6F3FF call 0046F400 // read key part 1 (edit e1)
00532D3C FF75E4 push dword ptr [ebp-$1C]
00532D3F 8D55E0 lea edx, [ebp-$20]
* Reference to control e2 : N.A.
|
00532D42 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532D48 E8B3C6F3FF call 0046F400 // read key part 2 (edit e2)
00532D4D FF75E0 push dword ptr [ebp-$20]
00532D50 8D55DC lea edx, [ebp-$24]
* Reference to control e3 : N.A.
|
00532D53 8B8304030000 mov eax, [ebx+$0304]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532D59 E8A2C6F3FF call 0046F400 // read key part 3 (edit e3)
00532D5E FF75DC push dword ptr [ebp-$24]
00532D61 8D55D8 lea edx, [ebp-$28]
* Reference to control e4 : N.A.
|
00532D64 8B830C030000 mov eax, [ebx+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532D6A E891C6F3FF call 0046F400 // read key part 4 (edit e4)
00532D6F FF75D8 push dword ptr [ebp-$28]
00532D72 8D45E8 lea eax, [ebp-$18]
00532D75 BA04000000 mov edx, $00000004
* Reference to: System.@LStrCatN;
|
00532D7A E88D1AEDFF call 0040480C // concatenate the four parts into [ebp-$18]
00532D7F 8B55E8 mov edx, [ebp-$18] // edx = concatenated key, the argument handed to the validator
00532D82 A1C4155900 mov eax, dword ptr [$005915C4] // eax = object referenced by the global at $005915C4
00532D87 8B00 mov eax, [eax]
|
00532D89 E842610500 call 00588ED0 // key validation routine (listed separately at 00588ED0)
00532D8E 84C0 test al, al
00532D90 0F84CD000000 jz 00532E63 // al = 0: validation failed
00532D96 B201 mov dl, $01
00532D98 A138FF4300 mov eax, dword ptr [$0043FF38]
* Reference to: Registry.TRegistry.Create(TRegistry;boolean);overload;
|
00532D9D E896D2F0FF call 00440038 // create the TRegistry object
00532DA2 8BF0 mov esi, eax // esi = TRegistry instance
00532DA4 BA01000080 mov edx, $80000001 // $80000001 = HKEY_CURRENT_USER
00532DA9 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.SetRootKey(TRegistry;HKEY);
|
00532DAB E864D3F0FF call 00440114
00532DB0 B101 mov cl, $01 // Boolean argument of OpenKey = True
* Possible String Reference to: 'software\gsave'
|
00532DB2 BAC82E5300 mov edx, $00532EC8
00532DB7 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.OpenKey(TRegistry;AnsiString;Boolean):Boolean;
|
00532DB9 E8BAD3F0FF call 00440178
00532DBE 8D55D0 lea edx, [ebp-$30] // third pass: read e1..e4 once more to build the value stored as 'regkey'
* Reference to control e1 : N.A.
|
00532DC1 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532DC7 E834C6F3FF call 0046F400
00532DCC FF75D0 push dword ptr [ebp-$30]
00532DCF 8D55CC lea edx, [ebp-$34]
* Reference to control e2 : N.A.
|
00532DD2 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532DD8 E823C6F3FF call 0046F400
00532DDD FF75CC push dword ptr [ebp-$34]
00532DE0 8D55C8 lea edx, [ebp-$38]
* Reference to control e3 : N.A.
|
00532DE3 8B8304030000 mov eax, [ebx+$0304]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532DE9 E812C6F3FF call 0046F400
00532DEE FF75C8 push dword ptr [ebp-$38]
00532DF1 8D55C4 lea edx, [ebp-$3C]
* Reference to control e4 : N.A.
|
00532DF4 8B830C030000 mov eax, [ebx+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532DFA E801C6F3FF call 0046F400
00532DFF FF75C4 push dword ptr [ebp-$3C]
00532E02 8D45D4 lea eax, [ebp-$2C]
00532E05 BA04000000 mov edx, $00000004
* Reference to: System.@LStrCatN;
|
00532E0A E8FD19EDFF call 0040480C
00532E0F 8B4DD4 mov ecx, [ebp-$2C]
* Possible String Reference to: 'regkey'
|
00532E12 BAE02E5300 mov edx, $00532EE0
00532E17 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.WriteString(TRegistry;AnsiString;AnsiString);
|
00532E19 E816D5F0FF call 00440334 // store the key in the registry value 'regkey'
00532E1E 8D55C0 lea edx, [ebp-$40]
* Reference to control Edit1 : N.A.
|
00532E21 8B832C030000 mov eax, [ebx+$032C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00532E27 E8D4C5F3FF call 0046F400 // read the user name (Edit1); first use of it in this handler
00532E2C 8B4DC0 mov ecx, [ebp-$40]
* Possible String Reference to: 'regto'
|
00532E2F BAF02E5300 mov edx, $00532EF0
00532E34 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.WriteString(TRegistry;AnsiString;AnsiString);
|
00532E36 E8F9D4F0FF call 00440334 // store the user name in the registry value 'regto'
00532E3B 8BC6 mov eax, esi
* Reference to: System.TObject.Free(TObject);
|
00532E3D E83608EDFF call 00403678
00532E42 A1C4155900 mov eax, dword ptr [$005915C4]
00532E47 8B00 mov eax, [eax]
00532E49 B201 mov dl, $01
00532E4B 8B08 mov ecx, [eax]
00532E4D FF5164 call dword ptr [ecx+$64] // virtual call (vtable offset $64) on the same global object, dl = 1; target not shown in this listing
* Possible String Reference to: 'Thank you for registration! Please
| reload program now.'
|
00532E50 B8002F5300 mov eax, $00532F00
* Reference to: Dialogs.ShowMessage(AnsiString);
|
00532E55 E84E42F0FF call 004370A8 // registration success message
00532E5A 8BC3 mov eax, ebx
* Reference to: Forms.TCustomForm.Close(TCustomForm);
|
00532E5C E85B9DF5FF call 0048CBBC
00532E61 EB0A jmp 00532E6D
* Possible String Reference to: 'Sorry, this registration key is not
| valid.'
|
00532E63 B8402F5300 mov eax, $00532F40
* Reference to: Dialogs.ShowMessage(AnsiString);
|
00532E68 E83B42F0FF call 004370A8 // failure message, reached through the jz at 00532D90
00532E6D 33C0 xor eax, eax
00532E6F 5A pop edx
00532E70 59 pop ecx
00532E71 59 pop ecx
00532E72 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '^[?]?
|
00532E75 688F2E5300 push $00532E8F
00532E7A 8D45C0 lea eax, [ebp-$40]
00532E7D BA10000000 mov edx, $00000010 // 16 ($10) string locals, starting at [ebp-$40], are cleared
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00532E82 E82916EDFF call 004044B0
00532E87 C3 ret
* Reference to: System.@HandleFinally;
|
00532E88 E97F0FEDFF jmp 00403E0C
00532E8D EBEB jmp 00532E7A
****** END
|
00532E8F 5E pop esi
00532E90 5B pop ebx
00532E91 8BE5 mov esp, ebp
00532E93 5D pop ebp
00532E94 C3 ret
=======================================================================================
注册码长度要求不小于20位。
继续跟进上面验证的CALL,看看注册码是怎么验证的。:)
=======================================================================================
// Key validation routine called from Button1Click (call at 00532D89). Input: edx = key string.
// For each of the first 20 key characters it appends to a work string at [ebp-$08]:
//   '1' when the character lies inside one of the tested ranges,
//   '2' when it is above the last tested range,
//   nothing when it falls below a tested range.
// A '-' is appended after characters 5, 10 and 15. The routine returns 1 only when the work
// string equals '11111-11111-11111-11111'. Only the key string is read; the eax passed by the
// caller is overwritten at 00588EDF without being saved.
00588ED0 55 push ebp
00588ED1 8BEC mov ebp, esp
00588ED3 83C4F8 add esp, -$08
00588ED6 53 push ebx
00588ED7 33C9 xor ecx, ecx
00588ED9 894DF8 mov [ebp-$08], ecx // [ebp-$08] = work string, initialised to 0
00588EDC 8955FC mov [ebp-$04], edx // [ebp-$04] = key string received in edx
00588EDF 8B45FC mov eax, [ebp-$04]
* Reference to: System.@LStrAddRef(void;void):Pointer;
|
00588EE2 E855BAE7FF call 0040493C // eax = the key string passed in by the caller; take a reference on it
00588EE7 33C0 xor eax, eax // eax = 0 for the fs:[eax] frame setup below (usual Delphi try prologue)
00588EE9 55 push ebp
00588EEA 6800955800 push $00589500
***** TRY
|
00588EEF 64FF30 push dword ptr fs:[eax]
00588EF2 648920 mov fs:[eax], esp
00588EF5 8B45FC mov eax, [ebp-$04]
00588EF8 8A00 mov al, byte ptr [eax] // key character 1
00588EFA 3C30 cmp al, $30
00588EFC 724E jb 00588F4C // below the range: nothing is appended
00588EFE 3C39 cmp al, $39
00588F00 770F jnbe 00588F11
00588F02 8D45F8 lea eax, [ebp-$08]
00588F05 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588F0A E845B8E7FF call 00404754 // '0'..'9' accepted
00588F0F EB3B jmp 00588F4C
00588F11 3C41 cmp al, $41
00588F13 7237 jb 00588F4C
00588F15 3C5A cmp al, $5A
00588F17 770F jnbe 00588F28
00588F19 8D45F8 lea eax, [ebp-$08]
00588F1C BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588F21 E82EB8E7FF call 00404754 // 'A'..'Z' accepted
00588F26 EB24 jmp 00588F4C
00588F28 3C61 cmp al, $61
00588F2A 7220 jb 00588F4C
00588F2C 3C7A cmp al, $7A
00588F2E 770F jnbe 00588F3F
00588F30 8D45F8 lea eax, [ebp-$08]
00588F33 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588F38 E817B8E7FF call 00404754 // 'a'..'z' accepted
00588F3D EB0D jmp 00588F4C
00588F3F 8D45F8 lea eax, [ebp-$08]
00588F42 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00588F47 E808B8E7FF call 00404754 // above the last range: append '2'
00588F4C 8B45FC mov eax, [ebp-$04]
00588F4F 8A4001 mov al, byte ptr [eax+$01] // key character 2
00588F52 3C30 cmp al, $30
00588F54 7220 jb 00588F76
00588F56 3C39 cmp al, $39
00588F58 770F jnbe 00588F69
00588F5A 8D45F8 lea eax, [ebp-$08]
00588F5D BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588F62 E8EDB7E7FF call 00404754 // '0'..'9' accepted
00588F67 EB0D jmp 00588F76
00588F69 8D45F8 lea eax, [ebp-$08]
00588F6C BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00588F71 E8DEB7E7FF call 00404754
00588F76 8B45FC mov eax, [ebp-$04]
00588F79 8A4002 mov al, byte ptr [eax+$02] // key character 3
00588F7C 3C48 cmp al, $48
00588F7E 724E jb 00588FCE
00588F80 3C55 cmp al, $55
00588F82 770F jnbe 00588F93
00588F84 8D45F8 lea eax, [ebp-$08]
00588F87 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588F8C E8C3B7E7FF call 00404754 // 'H'..'U' accepted
00588F91 EB3B jmp 00588FCE
00588F93 3C61 cmp al, $61
00588F95 7237 jb 00588FCE
00588F97 3C67 cmp al, $67
00588F99 770F jnbe 00588FAA
00588F9B 8D45F8 lea eax, [ebp-$08]
00588F9E BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588FA3 E8ACB7E7FF call 00404754 // 'a'..'g' accepted
00588FA8 EB24 jmp 00588FCE
00588FAA 3C76 cmp al, $76
00588FAC 7220 jb 00588FCE
00588FAE 3C7A cmp al, $7A
00588FB0 770F jnbe 00588FC1
00588FB2 8D45F8 lea eax, [ebp-$08]
00588FB5 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588FBA E895B7E7FF call 00404754 // 'v'..'z' accepted
00588FBF EB0D jmp 00588FCE
00588FC1 8D45F8 lea eax, [ebp-$08]
00588FC4 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00588FC9 E886B7E7FF call 00404754
00588FCE 8B45FC mov eax, [ebp-$04]
00588FD1 8A4003 mov al, byte ptr [eax+$03] // key character 4
00588FD4 3C32 cmp al, $32
00588FD6 7237 jb 0058900F
00588FD8 3C35 cmp al, $35
00588FDA 770F jnbe 00588FEB
00588FDC 8D45F8 lea eax, [ebp-$08]
00588FDF BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588FE4 E86BB7E7FF call 00404754 // '2'..'5' accepted
00588FE9 EB24 jmp 0058900F
00588FEB 3C45 cmp al, $45
00588FED 7220 jb 0058900F
00588FEF 3C55 cmp al, $55
00588FF1 770F jnbe 00589002
00588FF3 8D45F8 lea eax, [ebp-$08]
00588FF6 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00588FFB E854B7E7FF call 00404754 // 'E'..'U' accepted (lower bound is $45 = 'E', not 'D')
00589000 EB0D jmp 0058900F
00589002 8D45F8 lea eax, [ebp-$08]
00589005 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
0058900A E845B7E7FF call 00404754
0058900F 8B45FC mov eax, [ebp-$04]
00589012 8A4004 mov al, byte ptr [eax+$04] // key character 5
00589015 3C67 cmp al, $67
00589017 7237 jb 00589050
00589019 3C79 cmp al, $79
0058901B 770F jnbe 0058902C
0058901D 8D45F8 lea eax, [ebp-$08]
00589020 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589025 E82AB7E7FF call 00404754 // 'g'..'y' accepted
0058902A EB24 jmp 00589050
0058902C 3C30 cmp al, $30 // reached only when al > $79, so the '0'..'3' test below can never match
0058902E 7220 jb 00589050
00589030 3C33 cmp al, $33
00589032 770F jnbe 00589043
00589034 8D45F8 lea eax, [ebp-$08]
00589037 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058903C E813B7E7FF call 00404754
00589041 EB0D jmp 00589050
00589043 8D45F8 lea eax, [ebp-$08]
00589046 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
0058904B E804B7E7FF call 00404754
00589050 8D45F8 lea eax, [ebp-$08]
00589053 BA30955800 mov edx, $00589530 // string '-'
* Reference to: System.@LStrCat;
|
00589058 E8F7B6E7FF call 00404754 // append '-' after character 5
0058905D 8B45FC mov eax, [ebp-$04]
00589060 8A4005 mov al, byte ptr [eax+$05] // key character 6
00589063 3C32 cmp al, $32
00589065 7237 jb 0058909E
00589067 3C35 cmp al, $35
00589069 770F jnbe 0058907A
0058906B 8D45F8 lea eax, [ebp-$08]
0058906E BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589073 E8DCB6E7FF call 00404754 // '2'..'5' accepted
00589078 EB24 jmp 0058909E
0058907A 3C45 cmp al, $45
0058907C 7220 jb 0058909E
0058907E 3C55 cmp al, $55
00589080 770F jnbe 00589091
00589082 8D45F8 lea eax, [ebp-$08]
00589085 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058908A E8C5B6E7FF call 00404754 // 'E'..'U' accepted
0058908F EB0D jmp 0058909E
00589091 8D45F8 lea eax, [ebp-$08]
00589094 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00589099 E8B6B6E7FF call 00404754
0058909E 8B45FC mov eax, [ebp-$04]
005890A1 8A4006 mov al, byte ptr [eax+$06] // key character 7
005890A4 3C48 cmp al, $48
005890A6 724E jb 005890F6
005890A8 3C55 cmp al, $55
005890AA 770F jnbe 005890BB
005890AC 8D45F8 lea eax, [ebp-$08]
005890AF BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005890B4 E89BB6E7FF call 00404754 // 'H'..'U' accepted
005890B9 EB3B jmp 005890F6
005890BB 3C61 cmp al, $61
005890BD 7237 jb 005890F6
005890BF 3C67 cmp al, $67
005890C1 770F jnbe 005890D2
005890C3 8D45F8 lea eax, [ebp-$08]
005890C6 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005890CB E884B6E7FF call 00404754 // 'a'..'g' accepted
005890D0 EB24 jmp 005890F6
005890D2 3C76 cmp al, $76
005890D4 7220 jb 005890F6
005890D6 3C7A cmp al, $7A
005890D8 770F jnbe 005890E9
005890DA 8D45F8 lea eax, [ebp-$08]
005890DD BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005890E2 E86DB6E7FF call 00404754 // 'v'..'z' accepted
005890E7 EB0D jmp 005890F6
005890E9 8D45F8 lea eax, [ebp-$08]
005890EC BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
005890F1 E85EB6E7FF call 00404754
005890F6 8B45FC mov eax, [ebp-$04]
005890F9 8A4007 mov al, byte ptr [eax+$07] // key character 8
005890FC 3C48 cmp al, $48
005890FE 724E jb 0058914E
00589100 3C55 cmp al, $55
00589102 770F jnbe 00589113
00589104 8D45F8 lea eax, [ebp-$08]
00589107 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058910C E843B6E7FF call 00404754 // 'H'..'U' accepted
00589111 EB3B jmp 0058914E
00589113 3C61 cmp al, $61
00589115 7237 jb 0058914E
00589117 3C67 cmp al, $67
00589119 770F jnbe 0058912A
0058911B 8D45F8 lea eax, [ebp-$08]
0058911E BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589123 E82CB6E7FF call 00404754 // 'a'..'g' accepted
00589128 EB24 jmp 0058914E
0058912A 3C76 cmp al, $76
0058912C 7220 jb 0058914E
0058912E 3C7A cmp al, $7A
00589130 770F jnbe 00589141
00589132 8D45F8 lea eax, [ebp-$08]
00589135 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058913A E815B6E7FF call 00404754 // 'v'..'z' accepted
0058913F EB0D jmp 0058914E
00589141 8D45F8 lea eax, [ebp-$08]
00589144 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00589149 E806B6E7FF call 00404754
0058914E 8B45FC mov eax, [ebp-$04]
00589151 8A4008 mov al, byte ptr [eax+$08] // key character 9
00589154 3C32 cmp al, $32
00589156 7237 jb 0058918F
00589158 3C35 cmp al, $35
0058915A 770F jnbe 0058916B
0058915C 8D45F8 lea eax, [ebp-$08]
0058915F BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589164 E8EBB5E7FF call 00404754 // '2'..'5' accepted
00589169 EB24 jmp 0058918F
0058916B 3C45 cmp al, $45
0058916D 7220 jb 0058918F
0058916F 3C55 cmp al, $55
00589171 770F jnbe 00589182
00589173 8D45F8 lea eax, [ebp-$08]
00589176 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058917B E8D4B5E7FF call 00404754 // 'E'..'U' accepted
00589180 EB0D jmp 0058918F
00589182 8D45F8 lea eax, [ebp-$08]
00589185 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
0058918A E8C5B5E7FF call 00404754
0058918F 8B45FC mov eax, [ebp-$04]
00589192 8A4009 mov al, byte ptr [eax+$09] // key character 10
00589195 3C67 cmp al, $67
00589197 7237 jb 005891D0
00589199 3C79 cmp al, $79
0058919B 770F jnbe 005891AC
0058919D 8D45F8 lea eax, [ebp-$08]
005891A0 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005891A5 E8AAB5E7FF call 00404754 // 'g'..'y' accepted
005891AA EB24 jmp 005891D0
005891AC 3C30 cmp al, $30 // reached only when al > $79, so the '0'..'3' test below can never match
005891AE 7220 jb 005891D0
005891B0 3C33 cmp al, $33
005891B2 770F jnbe 005891C3
005891B4 8D45F8 lea eax, [ebp-$08]
005891B7 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005891BC E893B5E7FF call 00404754
005891C1 EB0D jmp 005891D0
005891C3 8D45F8 lea eax, [ebp-$08]
005891C6 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
005891CB E884B5E7FF call 00404754
005891D0 8D45F8 lea eax, [ebp-$08]
005891D3 BA30955800 mov edx, $00589530 // string '-'
* Reference to: System.@LStrCat;
|
005891D8 E877B5E7FF call 00404754 // append '-' after character 10
005891DD 8B45FC mov eax, [ebp-$04]
005891E0 8A400A mov al, byte ptr [eax+$0A] // key character 11
005891E3 3C48 cmp al, $48
005891E5 724E jb 00589235
005891E7 3C55 cmp al, $55
005891E9 770F jnbe 005891FA
005891EB 8D45F8 lea eax, [ebp-$08]
005891EE BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005891F3 E85CB5E7FF call 00404754 // 'H'..'U' accepted
005891F8 EB3B jmp 00589235
005891FA 3C61 cmp al, $61
005891FC 7237 jb 00589235
005891FE 3C67 cmp al, $67
00589200 770F jnbe 00589211
00589202 8D45F8 lea eax, [ebp-$08]
00589205 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058920A E845B5E7FF call 00404754 // 'a'..'g' accepted
0058920F EB24 jmp 00589235
00589211 3C76 cmp al, $76
00589213 7220 jb 00589235
00589215 3C7A cmp al, $7A
00589217 770F jnbe 00589228
00589219 8D45F8 lea eax, [ebp-$08]
0058921C BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589221 E82EB5E7FF call 00404754 // 'v'..'z' accepted
00589226 EB0D jmp 00589235
00589228 8D45F8 lea eax, [ebp-$08]
0058922B BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00589230 E81FB5E7FF call 00404754
00589235 8B45FC mov eax, [ebp-$04]
00589238 8A400B mov al, byte ptr [eax+$0B] // key character 12
0058923B 3C67 cmp al, $67
0058923D 7237 jb 00589276
0058923F 3C79 cmp al, $79
00589241 770F jnbe 00589252
00589243 8D45F8 lea eax, [ebp-$08]
00589246 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058924B E804B5E7FF call 00404754 // 'g'..'y' accepted
00589250 EB24 jmp 00589276
00589252 3C30 cmp al, $30 // reached only when al > $79, so the '0'..'3' test below can never match
00589254 7220 jb 00589276
00589256 3C33 cmp al, $33
00589258 770F jnbe 00589269
0058925A 8D45F8 lea eax, [ebp-$08]
0058925D BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589262 E8EDB4E7FF call 00404754
00589267 EB0D jmp 00589276
00589269 8D45F8 lea eax, [ebp-$08]
0058926C BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00589271 E8DEB4E7FF call 00404754
00589276 8B45FC mov eax, [ebp-$04]
00589279 8A400C mov al, byte ptr [eax+$0C] // key character 13
0058927C 3C30 cmp al, $30
0058927E 724E jb 005892CE
00589280 3C39 cmp al, $39
00589282 770F jnbe 00589293
00589284 8D45F8 lea eax, [ebp-$08]
00589287 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058928C E8C3B4E7FF call 00404754 // '0'..'9' accepted
00589291 EB3B jmp 005892CE
00589293 3C41 cmp al, $41
00589295 7237 jb 005892CE
00589297 3C5A cmp al, $5A
00589299 770F jnbe 005892AA
0058929B 8D45F8 lea eax, [ebp-$08]
0058929E BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005892A3 E8ACB4E7FF call 00404754 // 'A'..'Z' accepted
005892A8 EB24 jmp 005892CE
005892AA 3C61 cmp al, $61
005892AC 7220 jb 005892CE
005892AE 3C7A cmp al, $7A
005892B0 770F jnbe 005892C1
005892B2 8D45F8 lea eax, [ebp-$08]
005892B5 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005892BA E895B4E7FF call 00404754 // 'a'..'z' accepted
005892BF EB0D jmp 005892CE
005892C1 8D45F8 lea eax, [ebp-$08]
005892C4 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
005892C9 E886B4E7FF call 00404754
005892CE 8B45FC mov eax, [ebp-$04]
005892D1 8A400D mov al, byte ptr [eax+$0D] // key character 14
005892D4 3C32 cmp al, $32
005892D6 7237 jb 0058930F
005892D8 3C35 cmp al, $35
005892DA 770F jnbe 005892EB
005892DC 8D45F8 lea eax, [ebp-$08]
005892DF BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005892E4 E86BB4E7FF call 00404754 // '2'..'5' accepted
005892E9 EB24 jmp 0058930F
005892EB 3C45 cmp al, $45
005892ED 7220 jb 0058930F
005892EF 3C55 cmp al, $55
005892F1 770F jnbe 00589302
005892F3 8D45F8 lea eax, [ebp-$08]
005892F6 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005892FB E854B4E7FF call 00404754 // 'E'..'U' accepted
00589300 EB0D jmp 0058930F
00589302 8D45F8 lea eax, [ebp-$08]
00589305 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
0058930A E845B4E7FF call 00404754
0058930F 8B45FC mov eax, [ebp-$04]
00589312 8A400E mov al, byte ptr [eax+$0E] // key character 15
00589315 3C30 cmp al, $30
00589317 7220 jb 00589339
00589319 3C39 cmp al, $39
0058931B 770F jnbe 0058932C
0058931D 8D45F8 lea eax, [ebp-$08]
00589320 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589325 E82AB4E7FF call 00404754 // '0'..'9' accepted
0058932A EB0D jmp 00589339
0058932C 8D45F8 lea eax, [ebp-$08]
0058932F BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00589334 E81BB4E7FF call 00404754
00589339 8D45F8 lea eax, [ebp-$08]
0058933C BA30955800 mov edx, $00589530 // string '-'
* Reference to: System.@LStrCat;
|
00589341 E80EB4E7FF call 00404754 // append '-' after character 15
00589346 8B45FC mov eax, [ebp-$04]
00589349 8A400F mov al, byte ptr [eax+$0F] // key character 16
0058934C 3C30 cmp al, $30
0058934E 724E jb 0058939E
00589350 3C39 cmp al, $39
00589352 770F jnbe 00589363
00589354 8D45F8 lea eax, [ebp-$08]
00589357 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058935C E8F3B3E7FF call 00404754 // '0'..'9' accepted
00589361 EB3B jmp 0058939E
00589363 3C41 cmp al, $41
00589365 7237 jb 0058939E
00589367 3C5A cmp al, $5A
00589369 770F jnbe 0058937A
0058936B 8D45F8 lea eax, [ebp-$08]
0058936E BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589373 E8DCB3E7FF call 00404754 // 'A'..'Z' accepted
00589378 EB24 jmp 0058939E
0058937A 3C61 cmp al, $61
0058937C 7220 jb 0058939E
0058937E 3C7A cmp al, $7A
00589380 770F jnbe 00589391
00589382 8D45F8 lea eax, [ebp-$08]
00589385 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058938A E8C5B3E7FF call 00404754 // 'a'..'z' accepted
0058938F EB0D jmp 0058939E
00589391 8D45F8 lea eax, [ebp-$08]
00589394 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00589399 E8B6B3E7FF call 00404754
0058939E 8B45FC mov eax, [ebp-$04]
005893A1 8A4010 mov al, byte ptr [eax+$10] // key character 17
005893A4 3C30 cmp al, $30
005893A6 724E jb 005893F6
005893A8 3C39 cmp al, $39
005893AA 770F jnbe 005893BB
005893AC 8D45F8 lea eax, [ebp-$08]
005893AF BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005893B4 E89BB3E7FF call 00404754 // '0'..'9' accepted
005893B9 EB3B jmp 005893F6
005893BB 3C41 cmp al, $41
005893BD 7237 jb 005893F6
005893BF 3C5A cmp al, $5A
005893C1 770F jnbe 005893D2
005893C3 8D45F8 lea eax, [ebp-$08]
005893C6 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005893CB E884B3E7FF call 00404754 // 'A'..'Z' accepted
005893D0 EB24 jmp 005893F6
005893D2 3C61 cmp al, $61
005893D4 7220 jb 005893F6
005893D6 3C7A cmp al, $7A
005893D8 770F jnbe 005893E9
005893DA 8D45F8 lea eax, [ebp-$08]
005893DD BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005893E2 E86DB3E7FF call 00404754 // 'a'..'z' accepted
005893E7 EB0D jmp 005893F6
005893E9 8D45F8 lea eax, [ebp-$08]
005893EC BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
005893F1 E85EB3E7FF call 00404754
005893F6 8B45FC mov eax, [ebp-$04]
005893F9 8A4011 mov al, byte ptr [eax+$11] // key character 18
005893FC 3C48 cmp al, $48
005893FE 724E jb 0058944E
00589400 3C55 cmp al, $55
00589402 770F jnbe 00589413
00589404 8D45F8 lea eax, [ebp-$08]
00589407 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058940C E843B3E7FF call 00404754 // 'H'..'U' accepted
00589411 EB3B jmp 0058944E
00589413 3C61 cmp al, $61
00589415 7237 jb 0058944E
00589417 3C67 cmp al, $67
00589419 770F jnbe 0058942A
0058941B 8D45F8 lea eax, [ebp-$08]
0058941E BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589423 E82CB3E7FF call 00404754 // 'a'..'g' accepted
00589428 EB24 jmp 0058944E
0058942A 3C76 cmp al, $76
0058942C 7220 jb 0058944E
0058942E 3C7A cmp al, $7A
00589430 770F jnbe 00589441
00589432 8D45F8 lea eax, [ebp-$08]
00589435 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058943A E815B3E7FF call 00404754 // 'v'..'z' accepted
0058943F EB0D jmp 0058944E
00589441 8D45F8 lea eax, [ebp-$08]
00589444 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
00589449 E806B3E7FF call 00404754
0058944E 8B45FC mov eax, [ebp-$04]
00589451 8A4012 mov al, byte ptr [eax+$12] // key character 19
00589454 3C32 cmp al, $32
00589456 7237 jb 0058948F
00589458 3C35 cmp al, $35
0058945A 770F jnbe 0058946B
0058945C 8D45F8 lea eax, [ebp-$08]
0058945F BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
00589464 E8EBB2E7FF call 00404754 // '2'..'5' accepted
00589469 EB24 jmp 0058948F
0058946B 3C45 cmp al, $45
0058946D 7220 jb 0058948F
0058946F 3C55 cmp al, $55
00589471 770F jnbe 00589482
00589473 8D45F8 lea eax, [ebp-$08]
00589476 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
0058947B E8D4B2E7FF call 00404754 // 'E'..'U' accepted
00589480 EB0D jmp 0058948F
00589482 8D45F8 lea eax, [ebp-$08]
00589485 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
0058948A E8C5B2E7FF call 00404754
0058948F 8B45FC mov eax, [ebp-$04]
00589492 8A4013 mov al, byte ptr [eax+$13] // key character 20
00589495 3C67 cmp al, $67
00589497 7237 jb 005894D0
00589499 3C79 cmp al, $79
0058949B 770F jnbe 005894AC
0058949D 8D45F8 lea eax, [ebp-$08]
005894A0 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005894A5 E8AAB2E7FF call 00404754 // 'g'..'y' accepted
005894AA EB24 jmp 005894D0
005894AC 3C30 cmp al, $30 // reached only when al > $79, so the '0'..'3' test below can never match
005894AE 7220 jb 005894D0
005894B0 3C33 cmp al, $33
005894B2 770F jnbe 005894C3
005894B4 8D45F8 lea eax, [ebp-$08]
005894B7 BA18955800 mov edx, $00589518 // string '1'
* Reference to: System.@LStrCat;
|
005894BC E893B2E7FF call 00404754
005894C1 EB0D jmp 005894D0
005894C3 8D45F8 lea eax, [ebp-$08]
005894C6 BA24955800 mov edx, $00589524 // string '2'
* Reference to: System.@LStrCat;
|
005894CB E884B2E7FF call 00404754
005894D0 8B45F8 mov eax, [ebp-$08]
* Possible String Reference to: '11111-11111-11111-11111'
|
005894D3 BA3C955800 mov edx, $0058953C
* Reference to: System.@LStrCmp;
|
005894D8 E8BBB3E7FF call 00404898 // compare the work string with '11111-11111-11111-11111'
005894DD 7504 jnz 005894E3 // not equal: take the failure path
005894DF B301 mov bl, $01 // equal: result = 1
005894E1 EB02 jmp 005894E5
005894E3 33DB xor ebx, ebx // not equal: result = 0
005894E5 33C0 xor eax, eax
005894E7 5A pop edx
005894E8 59 pop ecx
005894E9 59 pop ecx
005894EA 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '?[YY]?
|
005894ED 6807955800 push $00589507
005894F2 8D45F8 lea eax, [ebp-$08]
005894F5 BA02000000 mov edx, $00000002 // clear the two string locals at [ebp-$08] and [ebp-$04]
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
005894FA E8B1AFE7FF call 004044B0
005894FF C3 ret
* Reference to: System.@HandleFinally;
|
00589500 E907A9E7FF jmp 00403E0C
00589505 EBEB jmp 005894F2
****** END
|
00589507 8BC3 mov eax, ebx // return value: the result kept in bl
00589509 5B pop ebx
0058950A 59 pop ecx
0058950B 59 pop ecx
0058950C 5D pop ebp
0058950D C3 ret
=======================================================================================
好累哦。终于注释完了。
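总结一下:注册码的每个字符只要落在某个范围内就可以了。验证函数只接收拼接后的注册码,用户名只是在验证通过后写入注册表,并不参与校验,所以这个方案只是逐字符的格式检查,无法把授权绑定到具体用户;要做到这一点,校验需要把用户名纳入计算并使用数字签名(程序里只保留公钥)。各位置的范围分别如下: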
1. '0'-'9','A'-'Z','a'-'z'
2. '0'-'9'
3. 'H'-'U','a'-'g','v'-'z'
4. '2'-'5','E'-'U'
5. 'g'-'y'
6. '2'-'5','E'-'U'
7. 'H'-'U','a'-'g','v'-'z'
8. 'H'-'U','a'-'g','v'-'z'
9. '2'-'5','E'-'U'
10.'g'-'y'
11.'H'-'U','a'-'g','v'-'z'
12.'g'-'y'
13.'0'-'9','A'-'Z','a'-'z'
14.'2'-'5','E'-'U'
15.'0'-'9'
16.'0'-'9','A'-'Z','a'-'z'
17.'0'-'9','A'-'Z','a'-'z'
18.'H'-'U','a'-'g','v'-'z'
19.'2'-'5','E'-'U'
20.'g'-'y'
=======================================================================================
【全文完】