[Original] Installer2Go 4.1.3 Registration Analysis
Posted: 2006-7-4 16:14
【Title】: Installer2Go 4.1.3 Registration Analysis
【Author】: FishSeeWater
【Author's e-mail】: shuijiany99@163.com
【Software】: Installer2Go 4.1.3
【Download】: search for it yourself
【Protection】: serial number
【Written in】: Microsoft Visual C++ 6.0
【Tools used】: Windows 2003 + MasmPlus 1.1 + OllyICE 1.10
【Author's note】: Done purely out of interest, for no other purpose. Corrections from the experts are welcome!
【About the software】: Setup2Go is a very good installer-building tool, easy to use and highly interactive; someone with little programming knowledge or experience can build an installer with it in a very short time. It supports programs for all current 32-bit Windows systems, including Windows 95, 98, ME, NT4, 2000 and XP. It ships with a project wizard for generating install projects quickly; creating shortcuts, writing the registry, file-type associations, custom dialogs and screen styles, external tools, INI-file edits, install passwords, test runs and so on are all there, and you can also use Setup2Go to build multilingual installers, which helps when selling your software abroad.
--------------------------------------------------------------------------------
【Detailed process】:
  My company recently wrote a communications program that uses an ODBC database. To make things easy for users we decided to find a packaging tool, and after some comparison settled on Installer2Go 4.1.3: small, but fully featured. After downloading it I found it is free but needs registration, otherwise the packaged program shows a NAG. Not happy with that, so out comes the knife!!!!!
  PEiD: Microsoft Visual C++ 6.0
  Loaded it straight into OllyICE. F9 to run, the registration prompt dialog appears; set a breakpoint on GetDlgItemText, enter user name qqqqqqqq and registration code 78787878, click Register: nothing happens?
  Wrong path. The program must do its check at startup, so try registry breakpoints: Ctrl+F2 (restart), open the API breakpoint plugin, pick the registry functions, OK. F9, and it breaks; keep pressing F9 while watching the stack window until the suspicious ValueName = "username" turns up.
  Good, stop here and step with F8:
 
  00404A84  |.  51            PUSH ECX                                 ; /pBufSize
  00404A85  |.  52            PUSH EDX                                 ; |Buffer
  00404A86  |.  50            PUSH EAX                                 ; |pValueType
  00404A87  |.  50            PUSH EAX                                 ; |Reserved
  00404A88  |.  8B4424 28     MOV EAX,DWORD PTR SS:[ESP+28]            ; |
  00404A8C  |.  BF 04010000   MOV EDI,104                              ; |
  00404A91  |.  68 84134F00   PUSH builder.004F1384                    ; |username
  00404A96  |.  50            PUSH EAX                                 ; |hKey
  00404A97  |.  897C24 2C     MOV DWORD PTR SS:[ESP+2C],EDI            ; |
  00404A9B  |.  FFD6          CALL ESI                                 ; \RegQueryValueExA
  00404A9D  |.  85C0          TEST EAX,EAX                             ; is there a user name? open the registry and add one by hand :)
  00404A9F  |.  75 0A         JNZ SHORT builder.00404AAB
  00404AA1  |.  8B4424 14     MOV EAX,DWORD PTR SS:[ESP+14]
  00404AA5  |.  85C0          TEST EAX,EAX
  00404AA7  |.  76 02         JBE SHORT builder.00404AAB
  00404AA9  |.  B3 01         MOV BL,1
  00404AAB  |>  8B4424 18     MOV EAX,DWORD PTR SS:[ESP+18]
  00404AAF  |.  8D4C24 14     LEA ECX,DWORD PTR SS:[ESP+14]
  00404AB3  |.  8D9424 240100>LEA EDX,DWORD PTR SS:[ESP+124]
  00404ABA  |.  51            PUSH ECX
  00404ABB  |.  52            PUSH EDX
  00404ABC  |.  6A 00         PUSH 0
  00404ABE  |.  6A 00         PUSH 0
  00404AC0  |.  68 90134F00   PUSH builder.004F1390                    ;  regcode
  00404AC5  |.  50            PUSH EAX
  00404AC6  |.  897C24 2C     MOV DWORD PTR SS:[ESP+2C],EDI
  00404ACA  |.  FFD6          CALL ESI                                 ; reads the registration code; same again, add one by hand :)
  00404ACC  |.  85C0          TEST EAX,EAX
  00404ACE  |.  75 0D         JNZ SHORT builder.00404ADD
  00404AD0  |.  8B4424 14     MOV EAX,DWORD PTR SS:[ESP+14]
  00404AD4  |.  85C0          TEST EAX,EAX
  00404AD6  |.  76 05         JBE SHORT builder.00404ADD
  00404AD8  |.  C64424 13 01  MOV BYTE PTR SS:[ESP+13],1
  00404ADD  |>  8B4424 18     MOV EAX,DWORD PTR SS:[ESP+18]
  00404AE1  |.  8D4C24 14     LEA ECX,DWORD PTR SS:[ESP+14]
  00404AE5  |.  8D9424 280200>LEA EDX,DWORD PTR SS:[ESP+228]
  00404AEC  |.  51            PUSH ECX
  00404AED  |.  52            PUSH EDX
  00404AEE  |.  6A 00         PUSH 0
  00404AF0  |.  6A 00         PUSH 0
  00404AF2  |.  68 98134F00   PUSH builder.004F1398                    ;  admin
  00404AF7  |.  50            PUSH EAX
  00404AF8  |.  897C24 2C     MOV DWORD PTR SS:[ESP+2C],EDI
  00404AFC  |.  FFD6          CALL ESI
  00404AFE  |.  85C0          TEST EAX,EAX
  00404B00  |.  75 0D         JNZ SHORT builder.00404B0F
  00404B02  |.  8B4424 14     MOV EAX,DWORD PTR SS:[ESP+14]
  00404B06  |.  85C0          TEST EAX,EAX
  00404B08  |.  76 05         JBE SHORT builder.00404B0F
  00404B0A  |.  C64424 12 01  MOV BYTE PTR SS:[ESP+12],1
  00404B0F  |>  8B4C24 18     MOV ECX,DWORD PTR SS:[ESP+18]
  00404B13  |.  51            PUSH ECX                                 ; /hKey
  00404B14  |.  FF15 0C904D00 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
  00404B1A  |.  84DB          TEST BL,BL
  00404B1C  |.  0F84 16020000 JE builder.00404D38
  00404B22  |.  8A4424 13     MOV AL,BYTE PTR SS:[ESP+13]
  00404B26  |.  84C0          TEST AL,AL
  00404B28  |.  0F84 0A020000 JE builder.00404D38
  00404B2E  |.  8D9424 240100>LEA EDX,DWORD PTR SS:[ESP+124]
  00404B35  |.  8D4424 20     LEA EAX,DWORD PTR SS:[ESP+20]
  00404B39  |.  52            PUSH EDX                                 ;假码压栈
  00404B3A  |.  50            PUSH EAX                                 ;用户名压栈
  00404B3B  |.  8BCD          MOV ECX,EBP
  00404B3D  |.  E8 6EFCFFFF   CALL builder.004047B0                    ; F7 step in
  00404B42  |.  84C0          TEST AL,AL
  00404B44  |.  0F84 EE010000 JE builder.00404D38
  00404B4A  |.  8D7C24 20     LEA EDI,DWORD PTR SS:[ESP+20]
  //++++++++++++++++++++++++++++
  004047B0  /$  56            PUSH ESI                                 ;  ADVAPI32.RegQueryValueExA
  004047B1  |.  8B7424 08     MOV ESI,DWORD PTR SS:[ESP+8]
  004047B5  |.  85F6          TEST ESI,ESI
  004047B7  |.  57            PUSH EDI
  004047B8  |.  74 42         JE SHORT builder.004047FC
  004047BA  |.  8B5424 10     MOV EDX,DWORD PTR SS:[ESP+10]
  004047BE  |.  85D2          TEST EDX,EDX
  004047C0  |.  74 3A         JE SHORT builder.004047FC
  004047C2  |.  8BFE          MOV EDI,ESI
  004047C4  |.  83C9 FF       OR ECX,FFFFFFFF
  004047C7  |.  33C0          XOR EAX,EAX
  004047C9  |.  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]
  004047CB  |.  F7D1          NOT ECX
  004047CD  |.  49            DEC ECX
  004047CE  |.  74 2C         JE SHORT builder.004047FC
  004047D0  |.  8BFA          MOV EDI,EDX
  004047D2  |.  83C9 FF       OR ECX,FFFFFFFF
  004047D5  |.  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]
  004047D7  |.  F7D1          NOT ECX
  004047D9  |.  49            DEC ECX
  004047DA  |.  83F9 0A       CMP ECX,0A                                 ; the registration code must be exactly 0Ah (10) characters long, otherwise we jump out
  004047DD  |.  75 1D         JNZ SHORT builder.004047FC
  004047DF  |.  894424 0C     MOV DWORD PTR SS:[ESP+C],EAX
  004047E3  |.  8D4424 0C     LEA EAX,DWORD PTR SS:[ESP+C]
  004047E7  |.  52            PUSH EDX
  004047E8  |.  50            PUSH EAX
  004047E9  |.  68 A0134F00   PUSH builder.004F13A0                    ;  andrey&pasha
  004047EE  |.  56            PUSH ESI
  004047EF  |.  E8 CCCE0900   CALL builder.004A16C0                    ; F7 step in
  004047F4  |.  83C4 10       ADD ESP,10
  004047F7  |.  5F            POP EDI
  004047F8  |.  5E            POP ESI
  004047F9  |.  C2 0800       RETN 8
  004047FC  |>  5F            POP EDI
  004047FD  |.  32C0          XOR AL,AL
  004047FF  |.  5E            POP ESI
  00404800  \.  C2 0800       RETN 8
  //++++++++++++++++++++++++++++++++++++
  004A16C0  /$  53            PUSH EBX
  004A16C1  |.  8B5C24 14     MOV EBX,DWORD PTR SS:[ESP+14]
  004A16C5  |.  56            PUSH ESI
  004A16C6  |.  57            PUSH EDI
  004A16C7  |.  8BFB          MOV EDI,EBX
  004A16C9  |.  83C9 FF       OR ECX,FFFFFFFF
  004A16CC  |.  33C0          XOR EAX,EAX
  004A16CE  |.  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]
  004A16D0  |.  F7D1          NOT ECX
  004A16D2  |.  49            DEC ECX
  004A16D3  |.  8BF9          MOV EDI,ECX
  004A16D5  |.  8D47 01       LEA EAX,DWORD PTR DS:[EDI+1]
  004A16D8  |.  50            PUSH EAX
  004A16D9  |.  E8 0FBF0100   CALL builder.004BD5ED
  004A16DE  |.  8BF0          MOV ESI,EAX
  004A16E0  |.  8B4424 1C     MOV EAX,DWORD PTR SS:[ESP+1C]
  004A16E4  |.  83C4 04       ADD ESP,4
  004A16E7  |.  85C0          TEST EAX,EAX
  004A16E9  |.  74 2C         JE SHORT builder.004A1717
  004A16EB  |.  8A4B 01       MOV CL,BYTE PTR DS:[EBX+1]
  004A16EE  |.  55            PUSH EBP
  004A16EF  |.  51            PUSH ECX
  004A16F0  |.  E8 9BFFFFFF   CALL builder.004A1690
  004A16F5  |.  8A13          MOV DL,BYTE PTR DS:[EBX]
  004A16F7  |.  8BE8          MOV EBP,EAX
  004A16F9  |.  52            PUSH EDX
  004A16FA  |.  E8 91FFFFFF   CALL builder.004A1690
  004A16FF  |.  C1E0 04       SHL EAX,4
  004A1702  |.  03E8          ADD EBP,EAX
  004A1704  |.  8B4424 24     MOV EAX,DWORD PTR SS:[ESP+24]
  004A1708  |.  81F5 FF000000 XOR EBP,0FF
  004A170E  |.  83C4 08       ADD ESP,8
  004A1711  |.  83ED 55       SUB EBP,55
  004A1714  |.  8928          MOV DWORD PTR DS:[EAX],EBP
  004A1716  |.  5D            POP EBP
  004A1717  |>  8B00          MOV EAX,DWORD PTR DS:[EAX]
  004A1719  |.  8B4C24 14     MOV ECX,DWORD PTR SS:[ESP+14]
  004A171D  |.  8B5424 10     MOV EDX,DWORD PTR SS:[ESP+10]
  004A1721  |.  57            PUSH EDI
  004A1722  |.  56            PUSH ESI
  004A1723  |.  50            PUSH EAX
  004A1724  |.  51            PUSH ECX
  004A1725  |.  52            PUSH EDX
  004A1726  |.  E8 35FEFFFF   CALL builder.004A1560                      ; F7 into this one (why this one? because the CALLs above were already stepped into :) and this is the one that turned out to matter)
  004A172B  |.  57            PUSH EDI
  004A172C  |.  53            PUSH EBX
  004A172D  |.  56            PUSH ESI
  //++++++++++++++++++++++++++++++++++++++++++++
  Into the core now :)
  004A1560  /$  83EC 08       SUB ESP,8
  004A1563  |.  53            PUSH EBX
  004A1564  |.  8B5C24 20     MOV EBX,DWORD PTR SS:[ESP+20]
  004A1568  |.  55            PUSH EBP
  004A1569  |.  56            PUSH ESI
  004A156A  |.  8D73 01       LEA ESI,DWORD PTR DS:[EBX+1]
  004A156D  |.  57            PUSH EDI
  004A156E  |.  56            PUSH ESI
  004A156F  |.  E8 79C00100   CALL builder.004BD5ED
  004A1574  |.  8BE8          MOV EBP,EAX
  004A1576  |.  56            PUSH ESI
  004A1577  |.  896C24 18     MOV DWORD PTR SS:[ESP+18],EBP
  004A157B  |.  E8 6DC00100   CALL builder.004BD5ED
  004A1580  |.  8BF0          MOV ESI,EAX
  004A1582  |.  8B4424 24     MOV EAX,DWORD PTR SS:[ESP+24]
  004A1586  |.  53            PUSH EBX
  004A1587  |.  50            PUSH EAX
  004A1588  |.  55            PUSH EBP
  004A1589  |.  897424 28     MOV DWORD PTR SS:[ESP+28],ESI
  004A158D  |.  33FF          XOR EDI,EDI
  004A158F  |.  E8 0CFFFFFF   CALL builder.004A14A0
  004A1594  |.  8B6C24 34     MOV EBP,DWORD PTR SS:[ESP+34]
  004A1598  |.  53            PUSH EBX
  004A1599  |.  55            PUSH EBP
  004A159A  |.  56            PUSH ESI
  004A159B  |.  E8 00FFFFFF   CALL builder.004A14A0
  004A15A0  |.  8B7424 44     MOV ESI,DWORD PTR SS:[ESP+44]
  004A15A4  |.  81E6 FF000000 AND ESI,0FF
  004A15AA  |.  83C6 55       ADD ESI,55
  004A15AD  |.  81F6 FF000000 XOR ESI,0FF
  004A15B3  |.  8BCE          MOV ECX,ESI
  004A15B5  |.  C1E9 04       SHR ECX,4
  004A15B8  |.  51            PUSH ECX
  004A15B9  |.  E8 52FFFFFF   CALL builder.004A1510
  004A15BE  |.  8B5424 4C     MOV EDX,DWORD PTR SS:[ESP+4C]
  004A15C2  |.  83E6 0F       AND ESI,0F
  004A15C5  |.  56            PUSH ESI
  004A15C6  |.  8802          MOV BYTE PTR DS:[EDX],AL
  004A15C8  |.  E8 43FFFFFF   CALL builder.004A1510
  004A15CD  |.  8B7424 50     MOV ESI,DWORD PTR SS:[ESP+50]
  004A15D1  |.  83C4 28       ADD ESP,28
  004A15D4  |.  8846 01       MOV BYTE PTR DS:[ESI+1],AL
  004A15D7  |.  33C0          XOR EAX,EAX
  004A15D9  |.  85DB          TEST EBX,EBX
  004A15DB  |.  7E 24         JLE SHORT builder.004A1601
  004A15DD  |>  8A0C28        /MOV CL,BYTE PTR DS:[EAX+EBP]             ; fetch a byte of andrey&pasha
  004A15E0  |.  8BD7          |MOV EDX,EDI
  004A15E2  |.  81E1 FF000000 |AND ECX,0FF
  004A15E8  |.  81E2 FF000000 |AND EDX,0FF
  004A15EE  |.  33CA          |XOR ECX,EDX
  004A15F0  |.  C1EF 08       |SHR EDI,8
  004A15F3  |.  8B0C8D 387D4F>|MOV ECX,DWORD PTR DS:[ECX*4+4F7D38]      ; where does this table in memory come from? (I don't understand :()
  004A15FA  |.  33F9          |XOR EDI,ECX
  004A15FC  |.  40            |INC EAX
  004A15FD  |.  3BC3          |CMP EAX,EBX                              ; 10 bytes
  004A15FF  |.^ 7C DC         \JL SHORT builder.004A15DD
  004A1601  |>  83FB 02       CMP EBX,2
  004A1604  |.  7E 58         JLE SHORT builder.004A165E
  004A1606  |.  8B6C24 10     MOV EBP,DWORD PTR SS:[ESP+10]
  004A160A  |.  8D53 FE       LEA EDX,DWORD PTR DS:[EBX-2]
  004A160D  |.  8D4E 02       LEA ECX,DWORD PTR DS:[ESI+2]
  004A1610  |.  2BEE          SUB EBP,ESI
  004A1612  |.  895424 2C     MOV DWORD PTR SS:[ESP+2C],EDX
  004A1616  |>  8A0429        /MOV AL,BYTE PTR DS:[ECX+EBP]             ; starting from the third character of the user name: "shSeeWater"
  004A1619  |.  8BD7          |MOV EDX,EDI
  004A161B  |.  25 FF000000   |AND EAX,0FF
  004A1620  |.  81E2 FF000000 |AND EDX,0FF
  004A1626  |.  33C2          |XOR EAX,EDX
  004A1628  |.  33D2          |XOR EDX,EDX
  004A162A  |.  C1EF 08       |SHR EDI,8
  004A162D  |.  8B0485 387D4F>|MOV EAX,DWORD PTR DS:[EAX*4+4F7D38]       ; where does this table in memory come from? (I don't understand :()
  004A1634  |.  BE 24000000   |MOV ESI,24
  004A1639  |.  33F8          |XOR EDI,EAX
  004A163B  |.  8BC7          |MOV EAX,EDI
  004A163D  |.  F7F6          |DIV ESI
  004A163F  |.  83FA 0A       |CMP EDX,0A
  004A1642  |.  73 05         |JNB SHORT builder.004A1649
  004A1644  |.  80C2 30       |ADD DL,30
  004A1647  |.  EB 03         |JMP SHORT builder.004A164C
  004A1649  |>  80C2 37       |ADD DL,37
  004A164C  |>  8B4424 2C     |MOV EAX,DWORD PTR SS:[ESP+2C]
  004A1650  |.  8811          |MOV BYTE PTR DS:[ECX],DL                  ; the computed character is stored here
  004A1652  |.  41            |INC ECX
  004A1653  |.  48            |DEC EAX
  004A1654  |.  894424 2C     |MOV DWORD PTR SS:[ESP+2C],EAX
  004A1658  |.^ 75 BC         \JNZ SHORT builder.004A1616
  004A165A  |.  8B7424 28     MOV ESI,DWORD PTR SS:[ESP+28]              ; here ESI points at the registration code
  004A165E  |>  8B4C24 10     MOV ECX,DWORD PTR SS:[ESP+10]
  004A1662  |.  C6041E 00     MOV BYTE PTR DS:[ESI+EBX],0
  004A1666  |.  51            PUSH ECX
  004A1667  |.  E8 34080100   CALL builder.004B1EA0
  004A166C  |.  8B5424 18     MOV EDX,DWORD PTR SS:[ESP+18]
  004A1670  |.  52            PUSH EDX
  004A1671  |.  E8 2A080100   CALL builder.004B1EA0
  004A1676  |.  83C4 08       ADD ESP,8
  004A1679  |.  5F            POP EDI
  004A167A  |.  5E            POP ESI
  004A167B  |.  5D            POP EBP
  004A167C  |.  5B            POP EBX
  004A167D  |.  83C4 08       ADD ESP,8
  004A1680  \.  C3            RETN
 

  //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Algorithm summary:
  The program first runs "andrey&pasha" through the table at 4F7D38 (the result accumulates in EDI), then continues from the third character of the user name against the same table, and that produces the last 8 characters of the registration code (the first two are not derived from the user name).
  Writing the keygen:
  Tool: MasmPlus (thanks to AOGO for the effort of writing such a handy IDE for everyone)
  Since I don't know where the data at 4f7d38 comes from (too lazy to analyse it), I defined a byte variable and copied everything from 4f7d38 to 4f7d38+FF*4 out of memory (why FF*4? because while tracing, EAX in [EAX*4+4F7D38] never went above FF) :)
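Added example (not the author's keygen and not Installer2Go's own code): a Python model of the check traced above. The table that the listing reads through [EAX*4+4F7D38] is the standard reflected CRC-32 table: the bytes dumped into a6 start 00 00 00 00, 96 30 07 77, 2C 61 0E EE, i.e. 0x00000000, 0x77073096, 0xEE0E612C, so the table can be regenerated from the polynomial 0xEDB88320 instead of being copied out of memory, and a keygen needs all 256 entries because the index is a full byte. The loop at 004A15DD/004A1616 is the plain table step (no initial 0xFFFFFFFF, no final XOR), so the model checks its own table and step against binascii.crc32 by wrapping it with both. Assumptions, also marked in the code comments: 004A14A0 copies like strncpy (a user name shorter than 10 characters is zero padded), the user name is an 8-bit ANSI string, and the two helpers at 004A1690/004A1510 (not in the listing) convert a hex digit to a value and back, which is why characters 0 and 1 come back unchanged; they are only "arbitrary" as far as that round trip is the identity, so two hex digits are the safe choice. All function, constant and parameter names are mine.

```python
# Added example: Python model of the Installer2Go 4.1.3 registration check.
import binascii

def make_crc32_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320), 256 dword
    entries. Entries 0..2 equal the first dwords dumped into a6."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = make_crc32_table()
SECRET = b"andrey&pasha"                 # constant pushed at 004047E9
CODE_LEN = 10                            # 004047DA: the code must be 0Ah characters
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # crc mod 24h, then +30h or +37h

def crc_step(crc, byte):
    """One iteration of the loop at 004A15DD / 004A1616:
    idx = byte XOR (crc & 0xFF); crc = (crc >> 8) XOR table[idx]."""
    return (crc >> 8) ^ CRC_TABLE[(crc ^ byte) & 0xFF]

def crc_run(crc, data):
    for b in data:
        crc = crc_step(crc, b)
    return crc

def matches_binascii(data):
    """The binary's loop omits the initial 0xFFFFFFFF and the final XOR;
    adding both must reproduce the library CRC-32, which validates the
    regenerated table and the step function."""
    return (crc_run(0xFFFFFFFF, data) ^ 0xFFFFFFFF) == binascii.crc32(data)

def installer2go_regcode(username, prefix="FS"):
    """Registration code for `username` as 004A1560 computes it.
    Assumption: 004A14A0 behaves like strncpy(buf, name, 10), so a short
    name is zero padded, and the name is an 8-bit ANSI string.
    Characters 0 and 1 are not derived from the name (the binary re-encodes
    them from themselves via helpers not shown in the listing), so they are
    taken from `prefix`; the author's keygen used "FS"."""
    if len(prefix) != 2:
        raise ValueError("prefix must be exactly two characters")
    name = username.encode("latin-1", "replace")[:CODE_LEN].ljust(CODE_LEN, b"\0")
    # Pass 1: first 10 bytes of the constant; state starts at 0 (XOR EDI,EDI at 004A158D).
    crc = crc_run(0, SECRET[:CODE_LEN])
    # Pass 2: name bytes 2..9, with the state carried over (it is never reset).
    out = prefix
    for i in range(2, CODE_LEN):
        crc = crc_step(crc, name[i])
        out += ALPHABET[crc % 36]        # DIV by 24h; remainder becomes one character
    return out

def verify_regcode(username, code):
    """Mirror of 004047B0: length must be 10, then the computed characters
    (positions 2..9) must match what the user entered."""
    if len(code) != CODE_LEN:
        return False
    return code[2:] == installer2go_regcode(username, code[:2])[2:]

if __name__ == "__main__":
    print(installer2go_regcode("FishSeeWater"))
```

Only bytes 2 through 9 of the user name enter the computation, so two names that differ only in their first two characters, or only beyond the tenth, get the same code; that is a property of the scheme itself, not of this model.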
   
 
  ///////////////////////////////////////////////////////////////////////////////////
  // the registration dialog, exported straight out of the program with a resource tool :)
  //i2GKeyGen.rc
  
  #include "..\..\INCLUDE\resource.h"
  1000                   ICON    DISCARDABLE     "ico100.ico"
  
  100 DIALOG 120, 100, 320, 108
  STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
  CAPTION "Registration"
  FONT 8, "MS Sans Serif"
  {
     CONTROL "", 1001, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 130, 44, 170, 14 
     CONTROL "", 1002, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 130, 65, 170, 14 
     CONTROL "Ordering Info", 3, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 10, 91, 80, 14 
     CONTROL "Register", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 169, 91, 80, 14 
     CONTROL "Close", 2, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 253, 91, 56, 14 
     CONTROL "If you have paid the registration fee simply enter your registration information below and click Register.", 1009, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 10, 8, 298, 16 
     CONTROL "Registration Information", 1010, BUTTON, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, 10, 29, 300, 58 
     CONTROL "User/Company Name", 1011, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 16, 47, 110, 10 
     CONTROL "Registration Number", 1012, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 16, 69, 110, 10 
  }
  ///////////////////////////////////////////////////////////////////////////////////
  ///////////////////////////////////////////////////////////////////////////////////
  //i2GKeyGen.asm
  .386
  .Model Flat, StdCall
  Option Casemap :None
  
  Include windows.inc
  Include user32.inc
  Include kernel32.inc
  Include gdi32.inc
  
  includelib gdi32.lib
  IncludeLib user32.lib
  IncludeLib kernel32.lib
  include macro.asm
  	
  	DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
  	
  .const
  	DLG_MAIN equ 100
  .data
  	a1 db "andrey&pasha",0            ; constant from 004047E9; only its first 10 bytes are used
  	a4 dd 8                           ; loop counter for the 8 computed characters
  	a5 db "FS", 200 dup(0)            ; output buffer: fixed 2-character prefix, then the 8 computed characters, NUL terminated
  	; a6: the dword table the program indexes with [EAX*4+4F7D38], dumped from memory (entry n lives at a6+n*4)
  	a6 db 000h,000h,000h,000h,096h,030h,007h,077h,02Ch,061h,00Eh,0EEh,0BAh,051h,009h,099h,019h,0C4h,06Dh,007h,08Fh,0F4h,06Ah,070h,035h,0A5h,063h,0E9h,0A3h,095h,064h,09Eh
  db 032h,088h,0DBh,00Eh,0A4h,0B8h,0DCh,079h,01Eh,0E9h,0D5h,0E0h,088h,0D9h,0D2h,097h,02Bh,04Ch,0B6h,009h,0BDh,07Ch,0B1h,07Eh,007h,02Dh,0B8h,0E7h,091h,01Dh,0BFh,090h
  db 064h,010h,0B7h,01Dh,0F2h,020h,0B0h,06Ah,048h,071h,0B9h,0F3h,0DEh,041h,0BEh,084h,07Dh,0D4h,0DAh,01Ah,0EBh,0E4h,0DDh,06Dh,051h,0B5h,0D4h,0F4h,0C7h,085h,0D3h,083h
  db 056h,098h,06Ch,013h,0C0h,0A8h,06Bh,064h,07Ah,0F9h,062h,0FDh,0ECh,0C9h,065h,08Ah,04Fh,05Ch,001h,014h,0D9h,06Ch,006h,063h,063h,03Dh,00Fh,0FAh,0F5h,00Dh,008h,08Dh
  db 0C8h,020h,06Eh,03Bh,05Eh,010h,069h,04Ch,0E4h,041h,060h,0D5h,072h,071h,067h,0A2h,0D1h,0E4h,003h,03Ch,047h,0D4h,004h,04Bh,0FDh,085h,00Dh,0D2h,06Bh,0B5h,00Ah,0A5h
  db 0FAh,0A8h,0B5h,035h,06Ch,098h,0B2h,042h,0D6h,0C9h,0BBh,0DBh,040h,0F9h,0BCh,0ACh,0E3h,06Ch,0D8h,032h,075h,05Ch,0DFh,045h,0CFh,00Dh,0D6h,0DCh,059h,03Dh,0D1h,0ABh
  db 0ACh,030h,0D9h,026h,03Ah,000h,0DEh,051h,080h,051h,0D7h,0C8h,016h,061h,0D0h,0BFh,0B5h,0F4h,0B4h,021h,023h,0C4h,0B3h,056h,099h,095h,0BAh,0CFh,00Fh,0A5h,0BDh,0B8h
  db 09Eh,0B8h,002h,028h,008h,088h,005h,05Fh,0B2h,0D9h,00Ch,0C6h,024h,0E9h,00Bh,0B1h,087h,07Ch,06Fh,02Fh,011h,04Ch,068h,058h,0ABh,01Dh,061h,0C1h,03Dh,02Dh,066h,0B6h
  db 090h,041h,0DCh,076h,006h,071h,0DBh,001h,0BCh,020h,0D2h,098h,02Ah,010h,0D5h,0EFh,089h,085h,0B1h,071h,01Fh,0B5h,0B6h,006h,0A5h,0E4h,0BFh,09Fh,033h,0D4h,0B8h,0E8h
  db 0A2h,0C9h,007h,078h,034h,0F9h,000h,00Fh,08Eh,0A8h,009h,096h,018h,098h,00Eh,0E1h,0BBh,00Dh,06Ah,07Fh,02Dh,03Dh,06Dh,008h,097h,06Ch,064h,091h,001h,05Ch,063h,0E6h
  db 0F4h,051h,06Bh,06Bh,062h,061h,06Ch,01Ch,0D8h,030h,065h,085h,04Eh,000h,062h,0F2h,0EDh,095h,006h,06Ch,07Bh,0A5h,001h,01Bh,0C1h,0F4h,008h,082h,057h,0C4h,00Fh,0F5h
  db 0C6h,0D9h,0B0h,065h,050h,0E9h,0B7h,012h,0EAh,0B8h,0BEh,08Bh,07Ch,088h,0B9h,0FCh,0DFh,01Dh,0DDh,062h,049h,02Dh,0DAh,015h,0F3h,07Ch,0D3h,08Ch,065h,04Ch,0D4h,0FBh
  db 058h,061h,0B2h,04Dh,0CEh,051h,0B5h,03Ah,074h,000h,0BCh,0A3h,0E2h,030h,0BBh,0D4h,041h,0A5h,0DFh,04Ah,0D7h,095h,0D8h,03Dh,06Dh,0C4h,0D1h,0A4h,0FBh,0F4h,0D6h,0D3h
  db 06Ah,0E9h,069h,043h,0FCh,0D9h,06Eh,034h,046h,088h,067h,0ADh,0D0h,0B8h,060h,0DAh,073h,02Dh,004h,044h,0E5h,01Dh,003h,033h,05Fh,04Ch,00Ah,0AAh,0C9h,07Ch,00Dh,0DDh
  db 03Ch,071h,005h,050h,0AAh,041h,002h,027h,010h,010h,00Bh,0BEh,086h,020h,00Ch,0C9h,025h,0B5h,068h,057h,0B3h,085h,06Fh,020h,009h,0D4h,066h,0B9h,09Fh,0E4h,061h,0CEh
  db 00Eh,0F9h,0DEh,05Eh,098h,0C9h,0D9h,029h,022h,098h,0D0h,0B0h,0B4h,0A8h,0D7h,0C7h,017h,03Dh,0B3h,059h,081h,00Dh,0B4h,02Eh,03Bh,05Ch,0BDh,0B7h,0ADh,06Ch,0BAh,0C0h
  db 020h,083h,0B8h,0EDh,0B6h,0B3h,0BFh,09Ah,00Ch,0E2h,0B6h,003h,09Ah,0D2h,0B1h,074h,039h,047h,0D5h,0EAh,0AFh,077h,0D2h,09Dh,015h,026h,0DBh,004h,083h,016h,0DCh,073h
  db 012h,00Bh,063h,0E3h,084h,03Bh,064h,094h,03Eh,06Ah,06Dh,00Dh,0A8h,05Ah,06Ah,07Ah,00Bh,0CFh,00Eh,0E4h,09Dh,0FFh,009h,093h,027h,0AEh,000h,00Ah,0B1h,09Eh,007h,07Dh
  db 044h,093h,00Fh,0F0h,0D2h,0A3h,008h,087h,068h,0F2h,001h,01Eh,0FEh,0C2h,006h,069h,05Dh,057h,062h,0F7h,0CBh,067h,065h,080h,071h,036h,06Ch,019h,0E7h,006h,06Bh,06Eh
  db 076h,01Bh,0D4h,0FEh,0E0h,02Bh,0D3h,089h,05Ah,07Ah,0DAh,010h,0CCh,04Ah,0DDh,067h,06Fh,0DFh,0B9h,0F9h,0F9h,0EFh,0BEh,08Eh,043h,0BEh,0B7h,017h,0D5h,08Eh,0B0h,060h
  db 0E8h,0A3h,0D6h,0D6h,07Eh,093h,0D1h,0A1h,0C4h,0C2h,0D8h,038h,052h,0F2h,0DFh,04Fh,0F1h,067h,0BBh,0D1h,067h,057h,0BCh,0A6h,0DDh,006h,0B5h,03Fh,04Bh,036h,0B2h,048h
  db 0DAh,02Bh,00Dh,0D8h,04Ch,01Bh,00Ah,0AFh,0F6h,04Ah,003h,036h,060h,07Ah,004h,041h,0C3h,0EFh,060h,0DFh,055h,0DFh,067h,0A8h,0EFh,08Eh,06Eh,031h,079h,0BEh,069h,046h
  db 08Ch,0B3h,061h,0CBh,01Ah,083h,066h,0BCh,0A0h,0D2h,06Fh,025h,036h,0E2h,068h,052h,095h,077h,00Ch,0CCh,003h,047h,00Bh,0BBh,0B9h,016h,002h,022h,02Fh,026h,005h,055h
  db 0BEh,03Bh,0BAh,0C5h,028h,00Bh,0BDh,0B2h,092h,05Ah,0B4h,02Bh,004h,06Ah,0B3h,05Ch,0A7h,0FFh,0D7h,0C2h,031h,0CFh,0D0h,0B5h,08Bh,09Eh,0D9h,02Ch,01Dh,0AEh,0DEh,05Bh
  db 0B0h,0C2h,064h,09Bh,026h,0F2h,063h,0ECh,09Ch,0A3h,06Ah,075h,00Ah,093h,06Dh,002h,0A9h,006h,009h,09Ch,03Fh,036h,00Eh,0EBh,085h,067h,007h,072h,013h,057h,000h,005h
  db 082h,04Ah,0BFh,095h,014h,07Ah,0B8h,0E2h,0AEh,02Bh,0B1h,07Bh,038h,01Bh,0B6h,00Ch,09Bh,08Eh,0D2h,092h,00Dh,0BEh,0D5h,0E5h,0B7h,0EFh,0DCh,07Ch,021h,0DFh,0DBh,00Bh
  db 0D4h,0D2h,0D3h,086h,042h,0E2h,0D4h,0F1h,0F8h,0B3h,0DDh,068h,06Eh,083h,0DAh,01Fh,0CDh,016h,0BEh,081h,05Bh,026h,0B9h,0F6h,0E1h,077h,0B0h,06Fh,077h,047h,0B7h,018h
  db 0E6h,05Ah,008h,088h,070h,06Ah,00Fh,0FFh,0CAh,03Bh,006h,066h,05Ch,00Bh,001h,011h,0FFh,09Eh,065h,08Fh,069h,0AEh,062h,0F8h,0D3h,0FFh,06Bh,061h,045h,0CFh,06Ch,016h
  db 078h,0E2h,00Ah,0A0h,0EEh,0D2h,00Dh,0D7h,054h,083h,004h,04Eh,0C2h,0B3h,003h,039h,061h,026h,067h,0A7h,0F7h,016h,060h,0D0h,04Dh,047h,069h,049h,0DBh,077h,06Eh,03Eh
  db 04Ah,06Ah,0D1h,0AEh,0DCh,05Ah,0D6h,0D9h,066h,00Bh,0DFh,040h,0F0h,03Bh,0D8h,037h,053h,0AEh,0BCh,0A9h,0C5h,09Eh,0BBh,0DEh,07Fh,0CFh,0B2h,047h,0E9h,0FFh,0B5h,030h
  db 01Ch,0F2h,0BDh,0BDh,08Ah,0C2h,0BAh,0CAh,030h,093h,0B3h,053h,0A6h,0A3h,0B4h,024h
  ; entries 0F4h..0FFh, so that the table holds the full 256 dwords an index of up to 0FFh can reach
  db 005h,036h,0D0h,0BAh,093h,006h,0D7h,0CDh,029h,057h,0DEh,054h,0BFh,067h,0D9h,023h,02Eh,07Ah,066h,0B3h,0B8h,04Ah,061h,0C4h,002h,01Bh,068h,05Dh,094h,02Bh,06Fh,02Ah
  db 037h,0BEh,00Bh,0B4h,0A1h,08Eh,00Ch,0C3h,01Bh,0DFh,005h,05Ah,08Dh,0EFh,002h,02Dh
  	hInput1 db 200 dup(?)
  .data?
  	hInstance dd ?
  	
  .CODE
  START:
  	invoke GetModuleHandle,NULL
  	mov hInstance,eax
  	invoke DialogBoxParam,hInstance,DLG_MAIN,0,offset DlgProc,0
  	invoke ExitProcess,0
  
  DlgProc proc uses ebx esi edi hWnd,uMsg,wParam,lParam   ; ebx/esi/edi are callee-saved in Win32 callbacks and the loops below use them
  	.if uMsg==WM_INITDIALOG
  		invoke LoadIcon,hInstance,1000                  ; 1000 is the ICON resource in i2GKeyGen.rc
  		invoke SendMessage,hWnd,WM_SETICON,ICON_SMALL,eax
  	.elseif uMsg==WM_COMMAND
  		mov eax,wParam
  		and eax,0ffffh
  		.if eax==IDOK
  			; pass 1: table walk over the first 10 bytes of "andrey&pasha", copied from
  			; the loop at 004A15DD; EDI is the running state and starts at 0
  			xor eax,eax
  			mov ebx,0Ah
  			xor edi,edi
  n1:
  			MOV CL,[a1+eax]
  			MOV EDX,EDI
  			AND ECX,0FFh
  			AND EDX,0FFh
  			XOR ECX,EDX                   ; index = byte XOR low byte of the state
  			SHR EDI,8
  			MOV ECX,DWORD ptr [a6+ecx*4]
  			XOR EDI,ECX                   ; state = (state >> 8) XOR table[index]
  			INC EAX
  			CMP EAX,EBX
  			JL n1
  			invoke GetDlgItemTextA,hWnd,1001,addr hInput1,sizeof hInput1
  			; pass 2: continue the same state over user name bytes 2..9 (the loop at
  			; 004A1616); each step emits one character into a5[ecx]
  			xor eax,eax
  			mov ecx,2
  			mov DWORD ptr a4,8            ; eight output characters
  n2:
  			MOV AL,BYTE PTR DS:[hInput1+ecx]
  			MOV EDX,EDI
  			AND EAX,0FFh
  			AND EDX,0FFh
  			XOR EAX,EDX
  			XOR EDX,EDX
  			SHR EDI,8
  			MOV EAX,DWORD PTR [a6+eax*4]
  			MOV ESI,024h
  			XOR EDI,EAX
  			MOV EAX,EDI
  			DIV ESI                       ; EDX = state mod 36
  			CMP EDX,0Ah
  			JNB n3
  			ADD DL,030h                   ; 0..9   -> '0'..'9'
  			JMP n4
  n3:
  			ADD DL,037h                   ; 10..35 -> 'A'..'Z'
  n4:
  			MOV EAX,DWORD PTR a4
  			MOV BYTE PTR [a5+ecx],DL      ; a5[2..9] receive the computed characters
  			INC ECX
  			DEC EAX
  			MOV DWORD PTR a4,EAX
  			JNZ n2
  			invoke SetDlgItemText,hWnd,1002,addr a5
  		.elseif eax==IDCANCEL
  			invoke SendMessage,hWnd,WM_CLOSE,0,0
  		.endif
  	.elseif uMsg==WM_CLOSE
  		invoke EndDialog,hWnd,wParam
  	.else
  		mov eax,FALSE
  		ret
  	.endif
  	mov eax,TRUE
  	ret
  DlgProc endp
  END START
 

--------------------------------------------------------------------------------
【Lessons learned】
  Writing a keygen in assembly has a real advantage: if you can't make sense of the algorithm, you can copy it straight out of OllyICE :)
  I have only just started learning assembly and the algorithm here is simple, so please don't laugh at the rough spots :)
  
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the PEDIY (看雪) forum; when reposting, please credit the author and keep the article intact. Thank you!

                                                       2006-07-04 15:22:16

Latest replies (8)

#2  2006-7-4 16:16
This is great stuff, I like it, learned something.
#3  FishSeeWater  2006-7-4 16:40
Oh, and thanks here to moderator "小虾": without your help with the a6 variable definition in the program I'd still be stuck.

Why are the lines so long once the post is up? How do I make each line "auto-fit" the browser width?
#4  2006-7-4 16:44
Originally posted by FishSeeWater:

Why are the lines so long once the post is up? How do I make each line "auto-fit" the browser width?

Just remove the code tags.
#5  bfqyygy  2006-7-4 20:03
Fiddled with the registry a few times, but for some reason it just wouldn't go in. In the end I patched it!!
#6  2006-7-4 22:29
Tried the MasmPlus method; it worked, but the computed code is wrong.
#7  FishSeeWater  2006-7-5 09:59
Originally posted by bfqyygy:
Fiddled with the registry a few times, but for some reason it just wouldn't go in. In the end I patched it!!

The registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\SDS Software\Installer2Go]
"username"="FishSeeWater"
"regcode"="78787878"

Tried the MasmPlus method; it worked, but the computed code is wrong

No way :(
#8  2006-7-5 10:01
Could you post more like this? We newbies love reading them.
#9  2006-7-5 12:55
Thanks for sharing, learned something!