【文章作者】: bxm
【作者邮箱】: bxm78@163.com
【保护方式】: name,serial
【使用工具】: peid,od
【操作平台】: winxp
【作者声明】: 只是感兴趣,失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用PEiD查壳,无壳,先收集一些必备信息,然后用OD载入,运行,下断点GetWindowTextA,输入name:bxm78,serial:780328051,成功断在下面:
00401093 |. E8 D69C0000 call <jmp.&USER32.GetWindowText>; \GetWindowTextA
00401098 |. 6A 68 push 68 ; /ControlID = 68 (104.)
0040109A |. 53 push ebx ; |hWnd
0040109B |. E8 C29C0000 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
004010A0 |. 6A 64 push 64 ; /Count = 64 (100.)
004010A2 |. 8D95 E0FEFFFF lea edx, [ebp-120] ; |
004010A8 |. 52 push edx ; |Buffer
004010A9 |. 50 push eax ; |hWnd
004010AA |. E8 BF9C0000 call <jmp.&USER32.GetWindowText>; \GetWindowTextA
004010AF |. 6A 67 push 67 ; /ControlID = 67 (103.)
004010B1 |. 53 push ebx ; |hWnd
004010B2 |. E8 AB9C0000 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
004010B7 |. 8945 FC mov [ebp-4], eax
004010BA |. 8D85 44FFFFFF lea eax, [ebp-BC]
004010C0 |. 50 push eax
004010C1 |. E8 2A060000 call 004016F0 ; 得到用户名长度
004010C6 |. 59 pop ecx
004010C7 |. 8945 D4 mov [ebp-2C], eax
004010CA |. 8D8D E0FEFFFF lea ecx, [ebp-120]
004010D0 |. 51 push ecx
004010D1 |. E8 1A060000 call 004016F0 ; 得到注册码长度
004010D6 |. 59 pop ecx
004010D7 |. 68 EAB04000 push 0040B0EA
004010DC |. E8 0F060000 call 004016F0
004010E1 |. 59 pop ecx
004010E2 |. 68 0EB14000 push 0040B10E
004010E7 |. E8 04060000 call 004016F0
004010EC |. 59 pop ecx
004010ED |. 837D D4 03 cmp dword ptr [ebp-2C], 3 ; name长度<=3 ?
004010F1 |. 0F8E 38010000 jle 0040122F ; 是,出错提示
004010F7 |. 33D2 xor edx, edx
004010F9 |. 33DB xor ebx, ebx
004010FB |. 8B55 D4 mov edx, [ebp-2C]
004010FE |. 0155 C4 add [ebp-3C], edx
00401101 |. 0155 C4 add [ebp-3C], edx ; name长度*2,作为关键call 1的第9个参数
00401104 |. 8BC2 mov eax, edx
00401106 |. 83C0 05 add eax, 5 ; name长度+5
00401109 |. 8945 B8 mov [ebp-48], eax ; 关键call 1的第5个参数
0040110C |. 33C0 xor eax, eax
0040110E |. 8BCF mov ecx, edi
00401110 |. 83C1 04 add ecx, 4
00401113 |. 894D B4 mov [ebp-4C], ecx ; 关键call 1的第6个参数为:12F538+4
00401116 |. 33C9 xor ecx, ecx
00401118 |. 0155 BC add [ebp-44], edx
0040111B |. 017D BC add [ebp-44], edi ; 关键call 1的第8个参数为:12F538+name长度
0040111E |. 6BFF 03 imul edi, edi, 3
00401121 |. 897D C0 mov [ebp-40], edi ; 关键call 1的第10个参数为:12F538*3
00401124 |. 33FF xor edi, edi
00401126 |. 0FBE8C05 44FF>movsx ecx, byte ptr [ebp+eax-BC]
0040112E |. 83F9 61 cmp ecx, 61 ; name的第1个字符ASCII值<61H?
00401131 |. 7C 07 jl short 0040113A ; 是,跳
00401133 |. 90 nop
00401134 |. 90 nop
00401135 |. 90 nop
00401136 |. 90 nop
00401137 |. 83E9 20 sub ecx, 20 ; 减20H
0040113A |> 8BF1 mov esi, ecx
0040113C |. 03DE add ebx, esi ; 累加于ebx
0040113E |. 0FAFD9 imul ebx, ecx ; 与转化后的字符相乘
00401141 |. 4A dec edx
00401142 |> 0FBE8C2F 44FF>/movsx ecx, byte ptr [edi+ebp-BC>
0040114A |. 0FBEB42F 45FF>|movsx esi, byte ptr [edi+ebp-BB>
00401152 |. 83F9 61 |cmp ecx, 61
00401155 |. 7D 12 |jge short 00401169
00401157 |. 90 |nop
00401158 |. 90 |nop
00401159 |. 90 |nop
0040115A |. 90 |nop
0040115B |> 83FE 61 |cmp esi, 61
0040115E |. 7D 0E |jge short 0040116E
00401160 |. 90 |nop
00401161 |. 90 |nop
00401162 |. 90 |nop
00401163 |. 90 |nop
00401164 |. EB 0B |jmp short 00401171
00401166 | 90 |nop
00401167 | 90 |nop
00401168 | 90 |nop
00401169 |> 83E9 20 |sub ecx, 20
0040116C |.^ EB ED |jmp short 0040115B
0040116E |> 83EE 20 |sub esi, 20
00401171 |> 47 |inc edi
00401172 |. 03DE |add ebx, esi ; 当前转换后的字符加于EBX
00401174 |. 0FAFD9 |imul ebx, ecx ; 与上一位转化后的字母相乘
00401177 |. 4A |dec edx
00401178 |.^ 75 C8 \jnz short 00401142 ; 读完了没?没有继续
0040117A |. 895D C8 mov [ebp-38], ebx ; name第1次运算后的结果存入[ebp-38],我的为750558CD,作为关键call 1的第7个参数
0040117D |. 33C9 xor ecx, ecx
0040117F |. 33D2 xor edx, edx
00401181 |. 33DB xor ebx, ebx
00401183 |. 33C0 xor eax, eax
00401185 |. 837D D4 32 cmp dword ptr [ebp-2C], 32 ; name长度>=50 ?
00401189 |. 0F8D A0000000 jge 0040122F ; 是,出错提示
0040118F |> 0FBE840D 44FF>/movsx eax, byte ptr [ebp+ecx-BC>; 循环读取name的每个字符
00401197 |. 03C1 |add eax, ecx
00401199 |. 03D8 |add ebx, eax
0040119B |. 41 |inc ecx
0040119C |. 3B4D D4 |cmp ecx, [ebp-2C]
0040119F |.^ 75 EE \jnz short 0040118F ; 读完了没,没有继续
004011A1 |. D1C0 rol eax, 1 ; name的最后一个字符+长度-1,再左移1位
004011A3 |. 35 40E20100 xor eax, 1E240 ; eax xor 1E240
004011A8 |. 8945 B0 mov [ebp-50], eax ; 存入,备用,我的为1E238,作为关键call 1的第3个参数
004011AB |. 33C9 xor ecx, ecx
004011AD |. 33D2 xor edx, edx
004011AF |. 33DB xor ebx, ebx
004011B1 |. 33C0 xor eax, eax
004011B3 |> 0FBE840D 44FF>/movsx eax, byte ptr [ebp+ecx-BC>; 循环读取name的每个字符
004011BB |. 6BD0 06 |imul edx, eax, 6
004011BE |. 33C2 |xor eax, edx
004011C0 |. 03D8 |add ebx, eax ; 累加于ebx
004011C2 |. 41 |inc ecx
004011C3 |. 3B4D D4 |cmp ecx, [ebp-2C]
004011C6 |.^ 75 EB \jnz short 004011B3
004011C8 |. 035D B0 add ebx, [ebp-50] ; ebx+1E238
004011CB |. 895D AC mov [ebp-54], ebx ; 存入,备用,我的为1ECD6,作为关键call 1的第4个参数
004011CE |. FF75 C0 push dword ptr [ebp-40] ; /arg10:固定值为0038DFA8
004011D1 |. FF75 C4 push dword ptr [ebp-3C] ; |arg9:name长度的2倍
004011D4 |. FF75 BC push dword ptr [ebp-44] ; |Arg8
004011D7 |. FF75 C8 push dword ptr [ebp-38] ; |Arg7
004011DA |. FF75 B4 push dword ptr [ebp-4C] ; |arg6:固定值为0012F53C
004011DD |. FF75 B8 push dword ptr [ebp-48] ; |arg5:name长度+5
004011E0 |. FF75 AC push dword ptr [ebp-54] ; |Arg4
004011E3 |. FF75 B0 push dword ptr [ebp-50] ; |Arg3
004011E6 |. 68 38B44000 push 0040B438 ; |arg2:固定值为ASCII "%lX%lu-%lu%lX-%lu%lu-%lX%lX"
004011EB |. 8D85 7CFEFFFF lea eax, [ebp-184] ; |
004011F1 |. 50 push eax ; |arg1:固定值为0012F828
004011F2 |. E8 8D3D0000 call 00404F84 ; \关键call 1,跟进
004011F7 |. 83C4 28 add esp, 28
004011FA |. 8D95 7CFEFFFF lea edx, [ebp-184]
00401200 |. 52 push edx ; /String2
00401201 |. 8D8D E0FEFFFF lea ecx, [ebp-120] ; |
00401207 |. 51 push ecx ; |String1
00401208 |. E8 399C0000 call <jmp.&KERNEL32.lstrcmpA> ; \lstrcmpA
0040120D |. 85C0 test eax, eax
0040120F |. 75 0F jnz short 00401220 ; 爆破点
00401211 |. 68 54B44000 push 0040B454 ; /Text = "Congratulations! IF this number comes *FROM YOUR* keygen, Write a tutorial dude ;)."
00401216 |. FF75 FC push dword ptr [ebp-4] ; |hWnd
00401219 |. E8 2C9B0000 call <jmp.&USER32.SetWindowText>; \SetWindowTextA
0040121E |. EB 1C jmp short 0040123C
00401220 |> 68 A8B44000 push 0040B4A8 ; /Text = "This serial is *NOT* Valid!! Try again... : UNREGISTERED"
00401225 |. FF75 FC push dword ptr [ebp-4] ; |hWnd
00401228 |. E8 1D9B0000 call <jmp.&USER32.SetWindowText>; \SetWindowTextA
0040122D |. EB 0D jmp short 0040123C
0040122F |> 68 E1B44000 push 0040B4E1 ; /Text = "Name must contain more than 3 chars!"
00401234 |. FF75 FC push dword ptr [ebp-4] ; |hWnd
00401237 |. E8 0E9B0000 call <jmp.&USER32.SetWindowText>; \SetWindowTextA
======================================================================================================
关键call 1
;-----------------------------------------------------------------------
; Key call 1 -- sprintf-shaped formatter: (char *dest, const char *fmt, ...)
; Frame:  [ebp+8]  = dest (the caller passes its buffer at [ebp-184])
;         [ebp+C]  = fmt  (the caller passes 0040B438, "%lX%lu-%lu%lX-%lu%lu-%lX%lX")
;         [ebp+10] = first variadic value (the caller's arg3 .. arg10 follow it)
; Effect: dest[0] = 0, then &dest, fmt and &first-vararg are handed to 00405158
;         together with the code address 00404F5C; 00405158 is where the
;         formatted serial ends up in dest (the caller compares it with lstrcmpA).
; Convention: cdecl -- the caller pops its 10 args (add esp, 28); this routine
;         pops the 4 it pushed (add esp, 10).
; NOTE(review): no destination length is passed anywhere in this chain, so the
;         amount written to dest is bounded only by fmt and its values --
;         presumably a plain sprintf; confirm 00405158 never consults a size.
;-----------------------------------------------------------------------
00404F84 /$ 55 push ebp
00404F85 |. 8BEC mov ebp, esp
00404F87 |. 8B45 08 mov eax, [ebp+8] ; eax = dest
00404F8A |. 8D4D 08 lea ecx, [ebp+8] ; ecx = &dest (address of the slot holding the buffer pointer)
00404F8D |. C600 00 mov byte ptr [eax], 0 ; dest[0] = 0: start from an empty string
00404F90 |. 8D45 10 lea eax, [ebp+10] ; eax = &first vararg (va_list start)
00404F93 |. 50 push eax ; /arg4: stack address of call 1's 3rd argument (va_list start)
00404F94 |. 8B55 0C mov edx, [ebp+C] ; |
00404F97 |. 52 push edx ; |arg3: fixed value, ASCII "%lX%lu-%lu%lX-%lu%lu-%lX%lX"
00404F98 |. 51 push ecx ; |arg2: stack address of call 1's 1st argument (&dest)
00404F99 |. 68 5C4F4000 push 00404F5C ; |Arg1 = 00404F5C (a code address -- likely an output callback; its body is not shown here)
00404F9E |. E8 B5010000 call 00405158 ; \key call 2: the format-string interpreter
00404FA3 |. 83C4 10 add esp, 10 ; pop the 4 arguments pushed above
00404FA6 |. 5D pop ebp
00404FA7 \. C3 retn
=====================================================================================================
关键call 2
00405158 /$ 55 push ebp
00405159 |. 8BEC mov ebp, esp
0040515B |. 81C4 BCFAFFFF add esp, -544
00405161 |. 33C0 xor eax, eax
00405163 |. 53 push ebx
00405164 |. 56 push esi
00405165 |. 57 push edi
00405166 |. 8B75 10 mov esi, [ebp+10]
00405169 |. 8985 1CFBFFFF mov [ebp-4E4], eax
0040516F |. 8985 18FBFFFF mov [ebp-4E8], eax
00405175 |. 8985 0CFBFFFF mov [ebp-4F4], eax
0040517B |. 8B55 08 mov edx, [ebp+8]
0040517E |. 8995 10FBFFFF mov [ebp-4F0], edx
00405184 |. 8B4D 0C mov ecx, [ebp+C]
00405187 |. 898D 14FBFFFF mov [ebp-4EC], ecx
0040518D |> 8A1E /mov bl, [esi]
0040518F |. 46 |inc esi
00405190 |. 84DB |test bl, bl ; 注册码算完没?
00405192 |. 0F84 BF080000 |je 00405A57 ; 算完,跳向结束处
00405198 |. 80FB 25 |cmp bl, 25 ; 过滤掉“%”字符
0040519B |. 75 08 |jnz short 004051A5
0040519D |. 8A1E |mov bl, [esi]
0040519F |. 80FB 25 |cmp bl, 25
004051A2 |. 75 38 |jnz short 004051DC
004051A4 |. 46 |inc esi
004051A5 |> 33C0 |xor eax, eax
004051A7 |. 8AC3 |mov al, bl
004051A9 |. F680 99D94000>|test byte ptr [eax+40D999], 4
004051B0 |. 74 18 |je short 004051CA
004051B2 |. 803E 00 |cmp byte ptr [esi], 0
004051B5 |. 74 13 |je short 004051CA
004051B7 |. 8D95 BCFAFFFF |lea edx, [ebp-544]
004051BD |. 52 |push edx ; /Arg2
004051BE |. 53 |push ebx ; |Arg1
004051BF |. E8 38FFFFFF |call 004050FC ; \k4n2.004050FC
004051C4 |. 83C4 08 |add esp, 8
004051C7 |. 8A1E |mov bl, [esi]
004051C9 |. 46 |inc esi
004051CA |> 8D85 BCFAFFFF |lea eax, [ebp-544]
004051D0 |. 50 |push eax ; /Arg2
004051D1 |. 53 |push ebx ; |Arg1
004051D2 |. E8 25FFFFFF |call 004050FC ; \k4n2.004050FC
004051D7 |. 83C4 08 |add esp, 8
004051DA |.^ EB B1 |jmp short 0040518D
004051DC |> 8D56 FF |lea edx, [esi-1]
004051DF |. 33C0 |xor eax, eax
004051E1 |. 8955 EC |mov [ebp-14], edx
004051E4 |. 33D2 |xor edx, edx
004051E6 |. 8955 F0 |mov [ebp-10], edx
004051E9 |. 83CA FF |or edx, FFFFFFFF
004051EC |. C645 F7 00 |mov byte ptr [ebp-9], 0
004051F0 |. 8955 F8 |mov [ebp-8], edx
004051F3 |. 8955 FC |mov [ebp-4], edx
004051F6 |. 33C9 |xor ecx, ecx
004051F8 |. BF 20000000 |mov edi, 20
004051FD |. 894D E4 |mov [ebp-1C], ecx
00405200 |> 8A1E |/mov bl, [esi] ; Default case of switch 00405229
00405202 |. 46 ||inc esi
00405203 |. 80FB 20 ||cmp bl, 20 ; 过滤掉ASCII<20H 字符
00405206 |. 0F8C 3F080000 ||jl 00405A4B
0040520C |. 0FBED3 ||movsx edx, bl
0040520F |. 83FA 7F ||cmp edx, 7F
00405212 |. 0F8F 33080000 ||jg 00405A4B
00405218 |. 8BCB ||mov ecx, ebx ; 决定算法call的第4个参数
0040521A |. 80C1 E0 ||add cl, 0E0
0040521D |. 33D2 ||xor edx, edx
0040521F |. 8AD1 ||mov dl, cl
00405221 |. 33C9 ||xor ecx, ecx
00405223 |. 8A8A AACC4000 ||mov cl, [edx+40CCAA]
00405229 |. 83F9 1A ||cmp ecx, 1A ; Switch (cases 0..1A)
0040522C |.^ 77 D2 ||ja short 00405200
0040522E |. FF248D 355240>||jmp [ecx*4+405235]
00405235 |. C1524000 ||dd k4n2.004052C1 ; 分支表 被用于 0040522E
00405239 |. A1524000 ||dd k4n2.004052A1
0040523D |. 12534000 ||dd k4n2.00405312
00405241 |. B1524000 ||dd k4n2.004052B1
00405245 |. 5C534000 ||dd k4n2.0040535C
00405249 |. 72534000 ||dd k4n2.00405372
0040524D |. C3534000 ||dd k4n2.004053C3
00405251 |. D0534000 ||dd k4n2.004053D0
00405255 |. E3534000 ||dd k4n2.004053E3
00405259 |. F5524000 ||dd k4n2.004052F5
0040525D |. A0544000 ||dd k4n2.004054A0
00405261 |. 79544000 ||dd k4n2.00405479
00405265 |. 82544000 ||dd k4n2.00405482
00405269 |. 8B544000 ||dd k4n2.0040548B
0040526D |. EF554000 ||dd k4n2.004055EF
00405271 |. 62574000 ||dd k4n2.00405762
00405275 |. 32564000 ||dd k4n2.00405632
00405279 |. AD564000 ||dd k4n2.004056AD
0040527D |. 27564000 ||dd k4n2.00405627
00405281 |. A2564000 ||dd k4n2.004056A2
00405285 |. EC594000 ||dd k4n2.004059EC
00405289 |. 4B5A4000 ||dd k4n2.00405A4B
0040528D |. 4B5A4000 ||dd k4n2.00405A4B
00405291 |. 4B5A4000 ||dd k4n2.00405A4B
00405295 |. DB524000 ||dd k4n2.004052DB
00405299 |. E8524000 ||dd k4n2.004052E8
0040529D |. F6534000 ||dd k4n2.004053F6
004052A1 |> 85C0 ||test eax, eax ; Case 1 of switch 00405229
004052A3 |. 0F8F A2070000 ||jg 00405A4B
004052A9 |. 83CF 01 ||or edi, 1
004052AC |.^ E9 4FFFFFFF ||jmp 00405200
004052B1 |> 85C0 ||test eax, eax ; Case 3 of switch 00405229
004052B3 |. 0F8F 92070000 ||jg 00405A4B
004052B9 |. 83CF 02 ||or edi, 2
004052BC |.^ E9 3FFFFFFF ||jmp 00405200
004052C1 |> 85C0 ||test eax, eax ; Case 0 of switch 00405229
004052C3 |. 0F8F 82070000 ||jg 00405A4B
004052C9 |. 807D F7 2B ||cmp byte ptr [ebp-9], 2B
004052CD |.^ 0F84 2DFFFFFF ||je 00405200
004052D3 |. 885D F7 ||mov [ebp-9], bl
004052D6 |.^ E9 25FFFFFF ||jmp 00405200
004052DB |> 83E7 DF ||and edi, FFFFFFDF ; Case 18 of switch 00405229
004052DE |. B8 05000000 ||mov eax, 5
004052E3 |.^ E9 18FFFFFF ||jmp 00405200
004052E8 |> 83CF 20 ||or edi, 20 ; Case 19 of switch 00405229
004052EB |. B8 05000000 ||mov eax, 5
004052F0 |.^ E9 0BFFFFFF ||jmp 00405200
004052F5 |> 85C0 ||test eax, eax ; Case 9 of switch 00405229
004052F7 |. 7F 79 ||jg short 00405372
004052F9 |. F7C7 02000000 ||test edi, 2
004052FF |.^ 0F85 FBFEFFFF ||jnz 00405200
00405305 |. 83CF 08 ||or edi, 8
00405308 |. B8 01000000 ||mov eax, 1
0040530D |.^ E9 EEFEFFFF ||jmp 00405200
00405312 |> 8345 14 04 ||add dword ptr [ebp+14], 4 ; Case 2 of switch 00405229
00405316 |. 8B55 14 ||mov edx, [ebp+14]
00405319 |. 83F8 02 ||cmp eax, 2
0040531C |. 8B4A FC ||mov ecx, [edx-4]
0040531F |. 894D D0 ||mov [ebp-30], ecx
00405322 |. 7D 23 ||jge short 00405347
00405324 |. 837D D0 00 ||cmp dword ptr [ebp-30], 0
00405328 |. 7D 0D ||jge short 00405337
0040532A |. 8B45 D0 ||mov eax, [ebp-30]
0040532D |. F7D8 ||neg eax
0040532F |. 8945 FC ||mov [ebp-4], eax
00405332 |. 83CF 02 ||or edi, 2
00405335 |. EB 06 ||jmp short 0040533D
00405337 |> 8B55 D0 ||mov edx, [ebp-30]
0040533A |. 8955 FC ||mov [ebp-4], edx
0040533D |> B8 03000000 ||mov eax, 3
00405342 |.^ E9 B9FEFFFF ||jmp 00405200
00405347 |> 83F8 04 ||cmp eax, 4
0040534A |. 0F85 FB060000 ||jnz 00405A4B
00405350 |. 8B55 D0 ||mov edx, [ebp-30]
00405353 |. 40 ||inc eax
00405354 |. 8955 F8 ||mov [ebp-8], edx
00405357 |.^ E9 A4FEFFFF ||jmp 00405200
0040535C |> 83F8 04 ||cmp eax, 4 ; Case 4 of switch 00405229
0040535F |. 0F8D E6060000 ||jge 00405A4B
00405365 |. B8 04000000 ||mov eax, 4
0040536A |. FF45 F8 ||inc dword ptr [ebp-8]
0040536D |.^ E9 8EFEFFFF ||jmp 00405200
00405372 |> 80C3 D0 ||add bl, 0D0 ; Case 5 of switch 00405229
00405375 |. 83F8 02 ||cmp eax, 2
00405378 |. 7F 2B ||jg short 004053A5
0040537A |. 837D FC FF ||cmp dword ptr [ebp-4], -1
0040537E |. B8 02000000 ||mov eax, 2
00405383 |. 75 0B ||jnz short 00405390
00405385 |. 0FBED3 ||movsx edx, bl
00405388 |. 8955 FC ||mov [ebp-4], edx
0040538B |.^ E9 70FEFFFF ||jmp 00405200
00405390 |> 8B4D FC ||mov ecx, [ebp-4]
00405393 |. 03C9 ||add ecx, ecx
00405395 |. 8D0C89 ||lea ecx, [ecx+ecx*4]
00405398 |. 0FBED3 ||movsx edx, bl
0040539B |. 03CA ||add ecx, edx
0040539D |. 894D FC ||mov [ebp-4], ecx
004053A0 |.^ E9 5BFEFFFF ||jmp 00405200
004053A5 |> 83F8 04 ||cmp eax, 4
004053A8 |. 0F85 9D060000 ||jnz 00405A4B
004053AE |. 8B4D F8 ||mov ecx, [ebp-8]
004053B1 |. 03C9 ||add ecx, ecx
004053B3 |. 8D0C89 ||lea ecx, [ecx+ecx*4]
004053B6 |. 0FBED3 ||movsx edx, bl
004053B9 |. 03CA ||add ecx, edx
004053BB |. 894D F8 ||mov [ebp-8], ecx
004053BE |.^ E9 3DFEFFFF ||jmp 00405200
004053C3 |> 83CF 10 ||or edi, 10 ; Case 6 of switch 00405229
004053C6 |. B8 05000000 ||mov eax, 5
004053CB |.^ E9 30FEFFFF ||jmp 00405200
004053D0 |> 81CF 00010000 ||or edi, 100 ; Case 7 of switch 00405229
004053D6 |. B8 05000000 ||mov eax, 5
004053DB |. 83E7 EF ||and edi, FFFFFFEF
004053DE |.^ E9 1DFEFFFF ||jmp 00405200
004053E3 |> 81CF 00020000 ||or edi, 200 ; Case 8 of switch 00405229
004053E9 |. B8 05000000 ||mov eax, 5
004053EE |. 83E7 EF ||and edi, FFFFFFEF
004053F1 |.^ E9 0AFEFFFF ||jmp 00405200
004053F6 |> 803E 36 ||cmp byte ptr [esi], 36 ; Case 1A of switch 00405229
004053F9 |. 75 1F ||jnz short 0040541A
004053FB |. 807E 01 34 ||cmp byte ptr [esi+1], 34
004053FF |. 75 19 ||jnz short 0040541A
00405401 |. 83C6 02 ||add esi, 2
00405404 |. 81CF 00010000 ||or edi, 100
0040540A |. 81E7 EFFDFFFF ||and edi, FFFFFDEF
00405410 |. B8 05000000 ||mov eax, 5
00405415 |.^ E9 E6FDFFFF ||jmp 00405200
0040541A |> 803E 33 ||cmp byte ptr [esi], 33
0040541D |. 75 1C ||jnz short 0040543B
0040541F |. 807E 01 32 ||cmp byte ptr [esi+1], 32
00405423 |. 75 16 ||jnz short 0040543B
00405425 |. 83C6 02 ||add esi, 2
00405428 |. 83CF 10 ||or edi, 10
0040542B |. 81E7 FFFCFFFF ||and edi, FFFFFCFF
00405431 |. B8 05000000 ||mov eax, 5
00405436 |.^ E9 C5FDFFFF ||jmp 00405200
0040543B |> 803E 31 ||cmp byte ptr [esi], 31
0040543E |. 75 1F ||jnz short 0040545F
00405440 |. 807E 01 36 ||cmp byte ptr [esi+1], 36
00405444 |. 75 19 ||jnz short 0040545F
00405446 |. 83C6 02 ||add esi, 2
00405449 |. 81CF 00020000 ||or edi, 200
0040544F |. 81E7 EFFEFFFF ||and edi, FFFFFEEF
00405455 |. B8 05000000 ||mov eax, 5
0040545A |.^ E9 A1FDFFFF ||jmp 00405200
0040545F |> 803E 38 ||cmp byte ptr [esi], 38
00405462 |.^ 0F85 98FDFFFF ||jnz 00405200
00405468 |. 46 ||inc esi
00405469 |. 81E7 EFFCFFFF ||and edi, FFFFFCEF
0040546F |. B8 05000000 ||mov eax, 5
00405474 |.^ E9 87FDFFFF |\jmp 00405200
00405479 |> C745 C8 08000>|mov dword ptr [ebp-38], 8 ; Case B of switch 00405229
00405480 |. EB 16 |jmp short 00405498
00405482 |> C745 C8 0A000>|mov dword ptr [ebp-38], 0A ; Case C of switch 00405229
00405489 |. EB 0D |jmp short 00405498
0040548B |> C745 C8 10000>|mov dword ptr [ebp-38], 10 ; Case D of switch 00405229
00405492 |. 8D53 E9 |lea edx, [ebx-17]
00405495 |. 8855 E3 |mov [ebp-1D], dl
00405498 |> C645 F7 00 |mov byte ptr [ebp-9], 0
0040549C |. 33C9 |xor ecx, ecx
0040549E |. EB 09 |jmp short 004054A9
004054A0 |> C745 C8 0A000>|mov dword ptr [ebp-38], 0A ; Case A of switch 00405229
004054A7 |. B1 01 |mov cl, 1
004054A9 |> F7C7 00010000 |test edi, 100
004054AF |. 74 18 |je short 004054C9
004054B1 |. 8345 14 08 |add dword ptr [ebp+14], 8
004054B5 |. 8B45 14 |mov eax, [ebp+14]
004054B8 |. 8B50 F8 |mov edx, [eax-8]
004054BB |. 8955 D8 |mov [ebp-28], edx
004054BE |. 8B50 FC |mov edx, [eax-4]
004054C1 |. 8955 DC |mov [ebp-24], edx
004054C4 |. E9 90000000 |jmp 00405559
004054C9 |> F7C7 10000000 |test edi, 10
004054CF |. 74 2A |je short 004054FB
004054D1 |. 8345 14 04 |add dword ptr [ebp+14], 4
004054D5 |. 8B45 14 |mov eax, [ebp+14]
004054D8 |. 84C9 |test cl, cl
004054DA |. 8B50 FC |mov edx, [eax-4]
004054DD |. 8955 D4 |mov [ebp-2C], edx
004054E0 |. 74 0C |je short 004054EE
004054E2 |. 8B45 D4 |mov eax, [ebp-2C]
004054E5 |. 99 |cdq
004054E6 |. 8945 D8 |mov [ebp-28], eax
004054E9 |. 8955 DC |mov [ebp-24], edx
004054EC |. EB 6B |jmp short 00405559
004054EE |> 8B45 D4 |mov eax, [ebp-2C]
004054F1 |. 33D2 |xor edx, edx
004054F3 |. 8945 D8 |mov [ebp-28], eax
004054F6 |. 8955 DC |mov [ebp-24], edx
004054F9 |. EB 5E |jmp short 00405559
004054FB |> F7C7 00020000 |test edi, 200
00405501 |. 74 2E |je short 00405531
00405503 |. 8345 14 04 |add dword ptr [ebp+14], 4
00405507 |. 8B45 14 |mov eax, [ebp+14]
0040550A |. 84C9 |test cl, cl
0040550C |. 66:8B50 FC |mov dx, [eax-4]
00405510 |. 66:8955 CE |mov [ebp-32], dx
00405514 |. 74 0D |je short 00405523
00405516 |. 0FBF45 CE |movsx eax, word ptr [ebp-32]
0040551A |. 99 |cdq
0040551B |. 8945 D8 |mov [ebp-28], eax
0040551E |. 8955 DC |mov [ebp-24], edx
00405521 |. EB 36 |jmp short 00405559
00405523 |> 0FB745 CE |movzx eax, word ptr [ebp-32]
00405527 |. 33D2 |xor edx, edx
00405529 |. 8945 D8 |mov [ebp-28], eax
0040552C |. 8955 DC |mov [ebp-24], edx
0040552F |. EB 28 |jmp short 00405559
00405531 |> 8345 14 04 |add dword ptr [ebp+14], 4
00405535 |. 8B45 14 |mov eax, [ebp+14]
00405538 |. 84C9 |test cl, cl
0040553A |. 8B50 FC |mov edx, [eax-4]
0040553D |. 8955 D0 |mov [ebp-30], edx
00405540 |. 74 0C |je short 0040554E
00405542 |. 8B45 D0 |mov eax, [ebp-30]
00405545 |. 99 |cdq
00405546 |. 8945 D8 |mov [ebp-28], eax
00405549 |. 8955 DC |mov [ebp-24], edx
0040554C |. EB 0B |jmp short 00405559
0040554E |> 8B45 D0 |mov eax, [ebp-30]
00405551 |. 33D2 |xor edx, edx
00405553 |. 8945 D8 |mov [ebp-28], eax
00405556 |. 8955 DC |mov [ebp-24], edx
00405559 |> 8D85 21FFFFFF |lea eax, [ebp-DF]
0040555F |. 8945 E8 |mov [ebp-18], eax
00405562 |. 837D DC 00 |cmp dword ptr [ebp-24], 0
00405566 |. 75 14 |jnz short 0040557C
00405568 |. 837D D8 00 |cmp dword ptr [ebp-28], 0
0040556C |. 75 0E |jnz short 0040557C
0040556E |. 837D F8 00 |cmp dword ptr [ebp-8], 0
00405572 |. 75 0B |jnz short 0040557F
00405574 |. 8B55 E8 |mov edx, [ebp-18]
00405577 |. C602 00 |mov byte ptr [edx], 0
0040557A |. EB 1E |jmp short 0040559A
0040557C |> 83CF 04 |or edi, 4
0040557F |> 8A45 E3 |mov al, [ebp-1D]
00405582 |. 50 |push eax ; /Arg6:AAEF77
00405583 |. 51 |push ecx ; |Arg5:000000
00405584 |. 8B55 C8 |mov edx, [ebp-38] ; |
00405587 |. 52 |push edx ; |Arg4:
00405588 |. 8B4D E8 |mov ecx, [ebp-18] ; |
0040558B |. 51 |push ecx ; |Arg3:存放注册码的缓冲地址
0040558C |. FF75 DC |push dword ptr [ebp-24] ; |Arg2:000000
0040558F |. FF75 D8 |push dword ptr [ebp-28] ; |Arg1:依次为call 1的第3~10参数
00405592 |. E8 291F0000 |call 004074C0 ; \call 3:此call功能如下,用arg1/arg4,取其余数,先得到的为低位,后得到的为高位,并把它转换成ASCII字符。
===================================================================================================
在关键call 2返回前,把call 3计算出的注册码两两分段连接起来。我的注册码为1E238126166-1012F53C-19632846851242429-A38DFA8
算法小结:
=====================================================================================
call 1第3~10个参数计算方法:
1、call 1的第3个参数计算方法:
name的最后一个字符+长度-1,再左移1位,并与1E240异或,记为A,我的为1E238。
2、call 1的第4个参数计算方法:
name的每个字符*6后与其本身异或,最后累加起来,再加上A,记为B,我的为1ECD6。
3、call 1的第5个参数计算方法:
name长度+5,记为C。
4、call 1的第6个参数计算方法:
12F538+4,记为D(12F538 为进入这段代码时 edi 的值,见 0040110E 处的 mov ecx, edi;从数值看是一个栈地址,可能随运行环境而变)。
5、call 1的第7个参数计算方法:
1)读取name的第一个字符,判断其是否小于61H:不小于则减去20H,小于则不变,结果记为X,然后X*X累加于EBX。
2)依次读取name的第2至最后一个字符,运算过程如下:
如果其>=61H,则减去20H,否则不变。然后当前转换后的字符累加于EBX,最后与上一次转换后的字符相乘。
3)我的运算最后结果为750558CD,记为E。
6、call 1的第8个参数计算方法:
12F538+name长度,记为F。
7、call 1的第9个参数计算方法:
name长度*2,记为G。
8、call 1的第10个参数计算方法:
12F538*3,记为H。
======================================================================================
call 3功能:
用arg1/arg4,取其余数,先得到的为低位,后得到的为高位,并把它转换成ASCII字符。其中,第1个参数依次为call 1的第3~10个参数。第4个参数依次为10、A、A、10、A、A、10、10,其值由字符串"%lX%lu-%lu%lX-%lu%lu-%lX%lX"中的转换字符决定:读取到X时,其值为10;读取到u时,其值为A(l只是长整型修饰符,见 004053C3 处的 or edi, 10,并不决定进制)。
9、在call 2中,把字符串按要求连接起来。
我的一组可用的注册码为:
name:bxm78
serial:1E238126166-1012F53C-19632846851242429-A38DFA8