【Title】Absolute Sound Recorder algorithm analysis
【From】(PYG DCG OCN 看雪 龙族)
【Author】学习破解
【Author e-mail】wxh9833@163.com
【Author homepage】wxh9833
【Tools】PEiD, OD
【Platform】Windows 2K & XP
【Software】Absolute Sound Recorder
【Size】2376 KB
【Original download】http://www.skycn.com/soft/22849.html
【Protection】Registration code
【Description】Absolute Sound Recorder is a powerful sound recording tool. With this easy-to-use tool you can record from a microphone, line-in or Internet audio streams, or capture the music played by Winamp, Windows Media Player, QuickTime, RealPlayer, Flash, games and so on to your hard disk with no loss of data. Three output formats are supported: WAV, MP3 and WMA.
【Note】Comments and corrections are welcome!!! :)
------------------------------------------------------------------------
1. Packer check: no packer. Written in Borland Delphi 6.0 - 7.0.
2. Load it in OD; the key point is easy to find. We stop here.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
004A75B0 /. 55 PUSH EBP ; entry of the registration routine.
004A75B1 |. 8BEC MOV EBP,ESP
004A75B3 |. 6A 00 PUSH 0
004A75B5 |. 6A 00 PUSH 0
004A75B7 |. 53 PUSH EBX
004A75B8 |. 8BD8 MOV EBX,EAX
004A75BA |. 33C0 XOR EAX,EAX
004A75BC |. 55 PUSH EBP
004A75BD |. 68 43764A00 PUSH Absolute.004A7643
004A75C2 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004A75C5 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004A75C8 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004A75CB |. 8B83 0C030000 MOV EAX,DWORD PTR DS:[EBX+30C]
004A75D1 |. E8 B2B0F9FF CALL Absolute.00442688
004A75D6 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8] ; the user name length goes into EAX.
004A75D9 |. 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004A75DF |. E8 A4B0F9FF CALL Absolute.00442688
004A75E4 |. A1 F4B94A00 MOV EAX,DWORD PTR DS:[4AB9F4]
004A75E9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004A75EB |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; the trial code we entered goes into ECX.
004A75EE |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; the entered user name goes into EDX.
004A75F1 |. E8 2EC5FFFF CALL Absolute.004A3B24 ; key CALL
004A75F6 |. 84C0 TEST AL,AL ; flag; can be patched here.
004A75F8 |. 74 2E JE SHORT Absolute.004A7628 ; key jump.
004A75FA |. A1 F4B94A00 MOV EAX,DWORD PTR DS:[4AB9F4]
004A75FF |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004A7601 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004A7604 |. E8 93C8FFFF CALL Absolute.004A3E9C
004A7609 |. 6A 40 PUSH 40
004A760B |. B9 50764A00 MOV ECX,Absolute.004A7650 ; the registration-success marker is here!
004A7610 |. BA 64764A00 MOV EDX,Absolute.004A7664 ; ASCII "Register successfully! Thank you for your support!"
004A7615 |. A1 C0B84A00 MOV EAX,DWORD PTR DS:[4AB8C0]
004A761A |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004A761C |. E8 0BBFFBFF CALL Absolute.0046352C
004A7621 |. 8BC3 MOV EAX,EBX
004A7623 |. E8 C886FBFF CALL Absolute.0045FCF0
004A7628 |> 33C0 XOR EAX,EAX
004A762A |. 5A POP EDX
004A762B |. 59 POP ECX
004A762C |. 59 POP ECX
004A762D |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004A7630 |. 68 4A764A00 PUSH Absolute.004A764A
004A7635 |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004A7638 |. BA 02000000 MOV EDX,2
004A763D |. E8 2AD1F5FF CALL Absolute.0040476C
004A7642 \. C3 RETN
004A7643 .^ E9 08CBF5FF JMP Absolute.00404150
004A7648 .^ EB EB JMP SHORT Absolute.004A7635
004A764A . 5B POP EBX
004A764B . 59 POP ECX
004A764C . 59 POP ECX
004A764D . 5D POP EBP
004A764E . C3 RETN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Stepping into the first key CALL
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
004A3B24 /$ 55 PUSH EBP ; key CALL entry.
004A3B25 |. 8BEC MOV EBP,ESP
004A3B27 |. 83C4 E4 ADD ESP,-1C
004A3B2A |. 53 PUSH EBX
004A3B2B |. 33DB XOR EBX,EBX
004A3B2D |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
004A3B30 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX ; trial code!
004A3B33 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX ; user name.
004A3B36 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; the user name goes into EAX.
004A3B39 |. E8 AA10F6FF CALL Absolute.00404BE8
004A3B3E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004A3B41 |. E8 A210F6FF CALL Absolute.00404BE8
004A3B46 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004A3B49 |. 8B15 14C44900 MOV EDX,DWORD PTR DS:[49C414] ; Absolute.0049C418
004A3B4F |. E8 6016F6FF CALL Absolute.004051B4
004A3B54 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004A3B57 |. 8B15 14C44900 MOV EDX,DWORD PTR DS:[49C414] ; Absolute.0049C418
004A3B5D |. E8 5216F6FF CALL Absolute.004051B4
004A3B62 |. 33C0 XOR EAX,EAX
004A3B64 |. 55 PUSH EBP
004A3B65 |. 68 E63B4A00 PUSH Absolute.004A3BE6
004A3B6A |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004A3B6D |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004A3B70 |. 33DB XOR EBX,EBX
004A3B72 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004A3B75 |. A1 9CB54A00 MOV EAX,DWORD PTR DS:[4AB59C] ; here the character string 65537 is placed in EAX.
004A3B7A |. E8 258FFFFF CALL Absolute.0049CAA4 ; this CALL should be followed too.
004A3B7F |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004A3B82 |. A1 A0B54A00 MOV EAX,DWORD PTR DS:[4AB5A0] ; here another constant is placed in EAX.
004A3B87 |. E8 188FFFFF CALL Absolute.0049CAA4 ; this CALL converts the constant to binary.
004A3B8C |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004A3B8F |. 50 PUSH EAX
004A3B90 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004A3B93 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004A3B96 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A3B99 |. E8 F2B2FFFF CALL Absolute.0049EE90 ; here the binary of the user name goes into EAX; four large loops of binary arithmetic are performed.
004A3B9E |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004A3BA1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A3BA4 |. E8 D38AFFFF CALL Absolute.0049C67C
004A3BA9 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; the fake code goes into EAX.
004A3BAC |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; the real code appears here, in EDX!!!
004A3BAF |. E8 900FF6FF CALL Absolute.00404B44 ; comparison CALL.
004A3BB4 |. 75 02 JNZ SHORT Absolute.004A3BB8 ; jumps if not equal (fail); the flag can be patched here!!
004A3BB6 |. B3 01 MOV BL,1
004A3BB8 |> 33C0 XOR EAX,EAX
004A3BBA |. 5A POP EDX
004A3BBB |. 59 POP ECX
004A3BBC |. 59 POP ECX
004A3BBD |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004A3BC0 |. 68 ED3B4A00 PUSH Absolute.004A3BED
004A3BC5 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004A3BC8 |. 8B15 14C44900 MOV EDX,DWORD PTR DS:[49C414] ; Absolute.0049C418
004A3BCE |. B9 02000000 MOV ECX,2
004A3BD3 |. E8 E016F6FF CALL Absolute.004052B8
004A3BD8 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004A3BDB |. BA 03000000 MOV EDX,3
004A3BE0 |. E8 870BF6FF CALL Absolute.0040476C
004A3BE5 \. C3 RETN
004A3BE6 .^ E9 6505F6FF JMP Absolute.00404150
004A3BEB .^ EB D8 JMP SHORT Absolute.004A3BC5
004A3BED . 8BC3 MOV EAX,EBX
004A3BEF . 5B POP EBX
004A3BF0 . 8BE5 MOV ESP,EBP
004A3BF2 . 5D POP EBP
004A3BF3 . C3 RETN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Following the second key CALL
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0049EE90 /$ 55 PUSH EBP ; entry of the third CALL.
0049EE91 |. 8BEC MOV EBP,ESP
0049EE93 |. 83C4 D0 ADD ESP,-30
0049EE96 |. 53 PUSH EBX
0049EE97 |. 56 PUSH ESI
0049EE98 |. 57 PUSH EDI
0049EE99 |. 33DB XOR EBX,EBX
0049EE9B |. 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
0049EE9E |. 895D DC MOV DWORD PTR SS:[EBP-24],EBX
0049EEA1 |. 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
0049EEA4 |. 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
0049EEA7 |. 8BF9 MOV EDI,ECX
0049EEA9 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0049EEAC |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049EEAF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049EEB2 |. E8 315DF6FF CALL Absolute.00404BE8
0049EEB7 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049EEBA |. 8B15 14C44900 MOV EDX,DWORD PTR DS:[49C414] ; Absolute.0049C418
0049EEC0 |. E8 EF62F6FF CALL Absolute.004051B4
0049EEC5 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0049EEC8 |. 8B15 14C44900 MOV EDX,DWORD PTR DS:[49C414] ; Absolute.0049C418
0049EECE |. E8 E162F6FF CALL Absolute.004051B4
0049EED3 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0049EED6 |. 8B15 14C44900 MOV EDX,DWORD PTR DS:[49C414] ; Absolute.0049C418
0049EEDC |. E8 D362F6FF CALL Absolute.004051B4
0049EEE1 |. 33C0 XOR EAX,EAX
0049EEE3 |. 55 PUSH EBP
0049EEE4 |. 68 D7F04900 PUSH Absolute.0049F0D7
0049EEE9 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049EEEC |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049EEEF |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0049EEF2 |. B8 F0F04900 MOV EAX,Absolute.0049F0F0
0049EEF7 |. E8 3CEBFFFF CALL Absolute.0049DA38
0049EEFC |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0049EEFF |. 8BC7 MOV EAX,EDI
0049EF01 |. E8 4EEAFFFF CALL Absolute.0049D954
0049EF06 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; the constant converted to binary goes into EAX.
0049EF09 |. E8 F25AF6FF CALL Absolute.00404A00
0049EF0E |. 8BD8 MOV EBX,EAX
0049EF10 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0049EF13 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049EF16 |. E8 E1D8FFFF CALL Absolute.0049C7FC ; fetch the user name.
0049EF1B |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0049EF1E |. 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; convert the user name's ASCII to binary.
0049EF21 |. BA FCF04900 MOV EDX,Absolute.0049F0FC ; ASCII "111"
0049EF26 |. E8 215BF6FF CALL Absolute.00404A4C ; this CALL puts the constant 111 in front of the binary form of the user name's ASCII.
0049EF2B |. 8BF3 MOV ESI,EBX
0049EF2D |. 4E DEC ESI
0049EF2E |. EB 10 JMP SHORT Absolute.0049EF40
0049EF30 |> 8D45 DC /LEA EAX,DWORD PTR SS:[EBP-24] ; here the user name's binary code is joined with the constant 111.
0049EF33 |. 8B4D DC |MOV ECX,DWORD PTR SS:[EBP-24]
0049EF36 |. BA F0F04900 |MOV EDX,Absolute.0049F0F0
0049EF3B |. E8 0C5BF6FF |CALL Absolute.00404A4C
0049EF40 |> 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0049EF43 |. E8 B85AF6FF |CALL Absolute.00404A00
0049EF48 |. 99 |CDQ
0049EF49 |. F7FE |IDIV ESI
0049EF4B |. 85D2 |TEST EDX,EDX
0049EF4D |.^ 75 E1 \JNZ SHORT Absolute.0049EF30 ; loops over the bit length of the second constant.
0049EF4F |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0049EF52 |. E8 A95AF6FF CALL Absolute.00404A00
0049EF57 |. 8BD3 MOV EDX,EBX
0049EF59 |. 4A DEC EDX
0049EF5A |. 8BCA MOV ECX,EDX
0049EF5C |. 99 CDQ
0049EF5D |. F7F9 IDIV ECX
0049EF5F |. 8BF0 MOV ESI,EAX
0049EF61 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0049EF64 |. E8 DF57F6FF CALL Absolute.00404748
0049EF69 |. 85F6 TEST ESI,ESI
0049EF6B |. 0F8E 0A010000 JLE Absolute.0049F07B
0049EF71 |> 8D45 D4 /LEA EAX,DWORD PTR SS:[EBP-2C] ; from here the user name's binary is processed in a loop to obtain a binary number.
0049EF74 |. 50 |PUSH EAX
0049EF75 |. 8BCB |MOV ECX,EBX
0049EF77 |. 49 |DEC ECX
0049EF78 |. BA 01000000 |MOV EDX,1
0049EF7D |. 8B45 DC |MOV EAX,DWORD PTR SS:[EBP-24]
0049EF80 |. E8 D35CF6FF |CALL Absolute.00404C58
0049EF85 |. EB 12 |JMP SHORT Absolute.0049EF99
0049EF87 |> 8D45 D4 |/LEA EAX,DWORD PTR SS:[EBP-2C]
0049EF8A |. B9 01000000 ||MOV ECX,1
0049EF8F |. BA 01000000 ||MOV EDX,1
0049EF94 |. E8 FF5CF6FF ||CALL Absolute.00404C98
0049EF99 |> 8D45 D0 | LEA EAX,DWORD PTR SS:[EBP-30]
0049EF9C |. 50 ||PUSH EAX
0049EF9D |. B9 01000000 ||MOV ECX,1
0049EFA2 |. BA 01000000 ||MOV EDX,1
0049EFA7 |. 8B45 D4 ||MOV EAX,DWORD PTR SS:[EBP-2C]
0049EFAA |. E8 A95CF6FF ||CALL Absolute.00404C58 ; here you can see that if the user name's binary has fewer digits than constant 2, it is left-padded with 0
0049EFAF |. 8B45 D0 ||MOV EAX,DWORD PTR SS:[EBP-30]
0049EFB2 |. BA F0F04900 ||MOV EDX,Absolute.0049F0F0
0049EFB7 |. E8 885BF6FF ||CALL Absolute.00404B44
0049EFBC |. 75 0B ||JNZ SHORT Absolute.0049EFC9
0049EFBE |. 8B45 D4 ||MOV EAX,DWORD PTR SS:[EBP-2C]
0049EFC1 |. E8 3A5AF6FF ||CALL Absolute.00404A00
0049EFC6 |. 48 ||DEC EAX
0049EFC7 |.^ 7F BE |\JG SHORT Absolute.0049EF87
0049EFC9 |> 8D55 F0 |LEA EDX,DWORD PTR SS:[EBP-10]
0049EFCC |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C]
0049EFCF |. E8 64EAFFFF |CALL Absolute.0049DA38 ; here is the user name's binary ASCII
0049EFD4 |. 8BCB |MOV ECX,EBX
0049EFD6 |. 49 |DEC ECX
0049EFD7 |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]
0049EFDA |. BA 01000000 |MOV EDX,1
0049EFDF |. E8 B45CF6FF |CALL Absolute.00404C98
0049EFE4 |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C]
0049EFE7 |. BA F0F04900 |MOV EDX,Absolute.0049F0F0
0049EFEC |. E8 535BF6FF |CALL Absolute.00404B44
0049EFF1 |. 75 0D |JNZ SHORT Absolute.0049F000
0049EFF3 |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18]
0049EFF6 |. 8D45 E0 |LEA EAX,DWORD PTR SS:[EBP-20]
0049EFF9 |. E8 6EE3FFFF |CALL Absolute.0049D36C
0049EFFE |. EB 11 |JMP SHORT Absolute.0049F011
0049F000 |> 8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18]
0049F003 |. 50 |PUSH EAX
0049F004 |. 8BCF |MOV ECX,EDI
0049F006 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
0049F009 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
0049F00C |. E8 CFF7FFFF |CALL Absolute.0049E7E0
0049F011 |> 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
0049F014 |. E8 03DDFFFF |CALL Absolute.0049CD1C
0049F019 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]
0049F01C |. E8 2757F6FF |CALL Absolute.00404748
0049F021 |. 8D55 D4 |LEA EDX,DWORD PTR SS:[EBP-2C]
0049F024 |. 8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18]
0049F027 |. E8 28E9FFFF |CALL Absolute.0049D954 ; follow this CALL if you are interested; inside, the user name goes through multiple binary comparisons, producing a new binary code
0049F02C |. EB 10 |JMP SHORT Absolute.0049F03E
0049F02E |> 8D45 D4 |/LEA EAX,DWORD PTR SS:[EBP-2C]
0049F031 |. 8B4D D4 ||MOV ECX,DWORD PTR SS:[EBP-2C]
0049F034 |. BA F0F04900 ||MOV EDX,Absolute.0049F0F0
0049F039 |. E8 0E5AF6FF ||CALL Absolute.00404A4C
0049F03E |> 8B45 D4 | MOV EAX,DWORD PTR SS:[EBP-2C]
0049F041 |. E8 BA59F6FF ||CALL Absolute.00404A00
0049F046 |. 99 ||CDQ
0049F047 |. F7FB ||IDIV EBX
0049F049 |. 85D2 ||TEST EDX,EDX
0049F04B |.^ 75 E1 |\JNZ SHORT Absolute.0049F02E
0049F04D |. 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]
0049F050 |. 8B55 D4 |MOV EDX,DWORD PTR SS:[EBP-2C]
0049F053 |. E8 B059F6FF |CALL Absolute.00404A08
0049F058 |. 8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18]
0049F05B |. E8 BCDCFFFF |CALL Absolute.0049CD1C
0049F060 |. 4E |DEC ESI
0049F061 |.^ 0F85 0AFFFFFF \JNZ Absolute.0049EF71
0049F067 |. EB 12 JMP SHORT Absolute.0049F07B
0049F069 |> 8D45 D8 /LEA EAX,DWORD PTR SS:[EBP-28]
0049F06C |. B9 01000000 |MOV ECX,1
0049F071 |. BA 01000000 |MOV EDX,1
0049F076 |. E8 1D5CF6FF |CALL Absolute.00404C98
0049F07B |> 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; here you can see the binary code obtained after the user's binary has been processed several times.
0049F07E |. 8038 30 |CMP BYTE PTR DS:[EAX],30
0049F081 |. 75 0B |JNZ SHORT Absolute.0049F08E
0049F083 |. 8B45 D8 |MOV EAX,DWORD PTR SS:[EBP-28]
0049F086 |. E8 7559F6FF |CALL Absolute.00404A00
0049F08B |. 48 |DEC EAX
0049F08C |.^ 7F DB \JG SHORT Absolute.0049F069 ; this operation strips the leading zeros.
0049F08E |> 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0049F091 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; see the binary value with the leading zeros stripped.
0049F094 |. E8 0FD8FFFF CALL Absolute.0049C8A8
0049F099 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0049F09C |. E8 7BDCFFFF CALL Absolute.0049CD1C
0049F0A1 |. 33C0 XOR EAX,EAX
0049F0A3 |. 5A POP EDX
0049F0A4 |. 59 POP ECX
0049F0A5 |. 59 POP ECX
0049F0A6 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049F0A9 |. 68 DEF04900 PUSH Absolute.0049F0DE
0049F0AE |> 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0049F0B1 |. BA 04000000 MOV EDX,4
0049F0B6 |. E8 B156F6FF CALL Absolute.0040476C
0049F0BB |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0049F0BE |. 8B15 14C44900 MOV EDX,DWORD PTR DS:[49C414] ; Absolute.0049C418
0049F0C4 |. B9 03000000 MOV ECX,3
0049F0C9 |. E8 EA61F6FF CALL Absolute.004052B8
0049F0CE |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0049F0D1 |. E8 7256F6FF CALL Absolute.00404748
0049F0D6 \. C3 RETN
0049F0D7 .^ E9 7450F6FF JMP Absolute.00404150
0049F0DC .^ EB D0 JMP SHORT Absolute.0049F0AE
0049F0DE . 5F POP EDI
0049F0DF . 5E POP ESI
0049F0E0 . 5B POP EBX
0049F0E1 . 8BE5 MOV ESP,EBP
0049F0E3 . 5D POP EBP
0049F0E4 . C2 0400 RETN 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Following the third key CALL
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0049C67C /$ 55 PUSH EBP ; this is another key entry point.
0049C67D |. 8BEC MOV EBP,ESP
0049C67F |. 81C4 ECFBFFFF ADD ESP,-414
0049C685 |. 53 PUSH EBX
0049C686 |. 56 PUSH ESI
0049C687 |. 57 PUSH EDI
0049C688 |. 33C9 XOR ECX,ECX
0049C68A |. 898D ECFBFFFF MOV DWORD PTR SS:[EBP-414],ECX
0049C690 |. 898D F0FBFFFF MOV DWORD PTR SS:[EBP-410],ECX
0049C696 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
0049C699 |. 8BFA MOV EDI,EDX
0049C69B |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049C69E |. B9 00010000 MOV ECX,100
0049C6A3 |. 8D85 F4FBFFFF LEA EAX,DWORD PTR SS:[EBP-40C]
0049C6A9 |. 8B15 10114000 MOV EDX,DWORD PTR DS:[401110] ; Absolute.00401114
0049C6AF |. E8 308BF6FF CALL Absolute.004051E4
0049C6B4 |. 33C0 XOR EAX,EAX
0049C6B6 |. 55 PUSH EBP
0049C6B7 |. 68 E1C74900 PUSH Absolute.0049C7E1
0049C6BC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049C6BF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049C6C2 |. 8D85 F4FBFFFF LEA EAX,DWORD PTR SS:[EBP-40C]
0049C6C8 |. BA FF000000 MOV EDX,0FF
0049C6CD |. E8 36FEFFFF CALL Absolute.0049C508
0049C6D2 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0049C6D5 |. E8 6E80F6FF CALL Absolute.00404748
0049C6DA |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049C6DD |. E8 1E83F6FF CALL Absolute.00404A00
0049C6E2 |. 8BD8 MOV EBX,EAX
0049C6E4 |. 85DB TEST EBX,EBX
0049C6E6 |. 7E 2F JLE SHORT Absolute.0049C717
0049C6E8 |. BE 01000000 MOV ESI,1
0049C6ED |> 8D45 F8 /LEA EAX,DWORD PTR SS:[EBP-8]
0049C6F0 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0049C6F3 |. 0FB65432 FF |MOVZX EDX,BYTE PTR DS:[EDX+ESI-1]
0049C6F8 |. 8B9495 F4FBFF>|MOV EDX,DWORD PTR SS:[EBP+EDX*4-40C]
0049C6FF |. E8 0483F6FF |CALL Absolute.00404A08
0049C704 |. 46 |INC ESI ; eight binary digits are taken per group here.
0049C705 |. 4B |DEC EBX ; EBX is the loop counter, decremented by one each time.
0049C706 |.^ 75 E5 \JNZ SHORT Absolute.0049C6ED
0049C708 |. EB 0D JMP SHORT Absolute.0049C717
0049C70A |> 8D45 F8 /LEA EAX,DWORD PTR SS:[EBP-8]
0049C70D |. BA F8C74900 |MOV EDX,Absolute.0049C7F8
0049C712 |. E8 F182F6FF |CALL Absolute.00404A08
0049C717 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; the binary number obtained after the loop.
0049C71A |. E8 E182F6FF |CALL Absolute.00404A00
0049C71F |. B9 06000000 |MOV ECX,6 ; put 6 in ECX in preparation for the division
0049C724 |. 99 |CDQ
0049C725 |. F7F9 |IDIV ECX
0049C727 |. 85D2 |TEST EDX,EDX ; the remainder is in EDX.
0049C729 |.^ 75 DF \JNZ SHORT Absolute.0049C70A ; test EDX; if it is 0, this is skipped.
0049C72B |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049C72E |. E8 CD82F6FF CALL Absolute.00404A00
0049C733 |. B9 06000000 MOV ECX,6 ; constant 6
0049C738 |. 99 CDQ
0049C739 |. F7F9 IDIV ECX ; division.
0049C73B |. 8BD8 MOV EBX,EAX
0049C73D |. 8BC7 MOV EAX,EDI
0049C73F |. E8 0480F6FF CALL Absolute.00404748
0049C744 |. 85DB TEST EBX,EBX
0049C746 |. 7E 5D JLE SHORT Absolute.0049C7A5
0049C748 |> 8D85 F0FBFFFF /LEA EAX,DWORD PTR SS:[EBP-410] ; this is the classic algorithm: table lookup.
0049C74E |. 50 |PUSH EAX
0049C74F |. B9 06000000 |MOV ECX,6 ; put the constant 6 in ECX.
0049C754 |. BA 01000000 |MOV EDX,1
0049C759 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
0049C75C |. E8 F784F6FF |CALL Absolute.00404C58
0049C761 |. 8B95 F0FBFFFF |MOV EDX,DWORD PTR SS:[EBP-410] ; the CALL above takes the first six digits of the binary result.
0049C767 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C] ; first, obtain those first six binary digits.
0049C76A |. E8 55FDFFFF |CALL Absolute.0049C4C4
0049C76F |. 8D85 ECFBFFFF |LEA EAX,DWORD PTR SS:[EBP-414] ; add 1 to the digit count of the binary number taken
0049C775 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C] ; take the decimal value of the binary number obtained above and put it in EDX.
0049C778 |. 8A92 53B54A00 |MOV DL,BYTE PTR DS:[EDX+4AB553] ; this is the table lookup.
0049C77E |. E8 A581F6FF |CALL Absolute.00404928
0049C783 |. 8B95 ECFBFFFF |MOV EDX,DWORD PTR SS:[EBP-414]
0049C789 |. 8BC7 |MOV EAX,EDI
0049C78B |. E8 7882F6FF |CALL Absolute.00404A08
0049C790 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
0049C793 |. B9 06000000 |MOV ECX,6
0049C798 |. BA 01000000 |MOV EDX,1
0049C79D |. E8 F684F6FF |CALL Absolute.00404C98 ; EBX is decremented by one each time.
0049C7A2 |. 4B |DEC EBX
0049C7A3 |.^ 75 A3 \JNZ SHORT Absolute.0049C748 ; jumps if not equal.
0049C7A5 |> 33C0 XOR EAX,EAX
0049C7A7 |. 5A POP EDX
0049C7A8 |. 59 POP ECX
0049C7A9 |. 59 POP ECX
0049C7AA |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049C7AD |. 68 E8C74900 PUSH Absolute.0049C7E8
0049C7B2 |> 8D85 ECFBFFFF LEA EAX,DWORD PTR SS:[EBP-414]
0049C7B8 |. BA 02000000 MOV EDX,2
0049C7BD |. E8 AA7FF6FF CALL Absolute.0040476C
0049C7C2 |. 8D85 F4FBFFFF LEA EAX,DWORD PTR SS:[EBP-40C]
0049C7C8 |. B9 00010000 MOV ECX,100
0049C7CD |. 8B15 10114000 MOV EDX,DWORD PTR DS:[401110] ; Absolute.00401114
0049C7D3 |. E8 E08AF6FF CALL Absolute.004052B8
0049C7D8 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0049C7DB |. E8 687FF6FF CALL Absolute.00404748
0049C7E0 \. C3 RETN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
------------------------------------------------------------------------
In short, it works as follows; the registration code is 16 characters.
1. Take the binary ASCII of the user name.
2. Process this binary together with the bit lengths of the binary forms of two constants.
3. Perform further binary operations on the result: four large loops.
4. Take the binary value from step 3 six digits at a time and convert each group to decimal.
5. Use the decimal values to look up characters in the table below.
Table: aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789+=
6. Concatenating the looked-up characters gives the registration code. A few registration codes follow. My skills are limited and I cannot write a keygen, heh; experts, please go ahead!
User name: wxh9833  Registration code: f8OWHNaNeEJvZDIC
User name: 血饮狂刀  Registration code: TX+9c2TeL9pW7+9N (test with a Chinese name, succeeded)
User name: WilldcatIII  Registration code: angRqaeaXXJcLUwqHy
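As an added example (not code from the original write-up), here is the table-lookup stage of steps 4 to 6 in Python: the 6-bit grouping with the padding rule seen in the loop at 0049C70A..0049C729, the table from step 5 (the bytes at 4AB553), and the inverse mapping, which lets the serials quoted above be decoded back to the bit string the lookup consumed. It reproduces only the encoding stage of routine 0049C67C, not the binary arithmetic of steps 2 and 3.

```python
TABLE = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789+="


def bits_to_code(bits: str) -> str:
    """Map a binary string to serial characters the way 0049C67C does.

    The loop at 0049C70A..0049C729 appends '0' until the length is a multiple
    of 6; the loop at 0049C748..0049C7A3 then takes six digits at a time,
    converts them to decimal and uses that value as an index into TABLE.
    """
    if bits == "" or set(bits) - {"0", "1"}:
        raise ValueError("expected a non-empty string of '0'/'1'")
    while len(bits) % 6 != 0:
        bits += "0"
    return "".join(TABLE[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def bytes_to_code(data: bytes) -> str:
    """Expand each byte to 8 digits first (the 256-entry table at [EBP-40C])."""
    return bits_to_code("".join(format(b, "08b") for b in data))


def code_to_bits(code: str) -> str:
    """Inverse of the lookup: every serial character yields six binary digits.

    Analysis aid: decoding a known-good serial shows how many bits the value
    before the lookup had and whether trailing padding was involved.
    """
    bad = [ch for ch in code if ch not in TABLE]
    if bad:
        raise ValueError(f"characters outside the table: {bad}")
    return "".join(format(TABLE.index(ch), "06b") for ch in code)


if __name__ == "__main__":
    # The three serials quoted in the write-up above.
    for serial in ("f8OWHNaNeEJvZDIC", "TX+9c2TeL9pW7+9N", "angRqaeaXXJcLUwqHy"):
        bits = code_to_bits(serial)
        print(serial, len(bits), "bits, round-trips:", bits_to_code(bits) == serial)
```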
------------------------------------------------------------------------
【Copyright notice】This write-up is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!