目标软件的名字为了方便发布就不列出来了,但我会把分析涉及的代码全部贴出来并逐段分析.
目标文件是VC写的.程序先计算注册码,算完后保存两份:一份写到系统目录下的文件中,一份写到注册表.然后用 RegisterWindowMessage 注册一个唯一消息ID,向主窗体发送这个消息让它退出,并提示用户重新运行程序以执行验证算法.验证算法类似 Fn(xxx)=Fn(yyy):xxx 取自文件,yyy 取自注册表,最后比较两者是否相等,这也是最接近爆破点的地方.
这里只分析计算注册码的算法.验证算法只不过是一个反的方向.不给予分析了!
最后给出的逆向的高级语言,写的算法很不健壮.多谢指教bug.最后分析给出的高级语言源码不是注册机,只是个参考.注重分析.--qiweixue
在此感谢 foxabu 同学建议.
事件地址是根据MFC消息分派链找到的(基本的Windows/MFC消息原理):
AfxCallWndProc-->CWnd::WindowProc-->CWnd::OnWndMsg-->CWnd::OnCommand-->CDialog::OnCmdMsg-->CCmdTarget::OnCmdMsg-->_AfxDispatchCmdMsg-->产生注册窗口(模式窗体)的事件地址:
004351C0 . 6A FF push -1
004351C2 . 68 B9095900 push 005909B9 ---> SE handler installation
004351C7 . 64:A1 0000000>mov eax, fs:[0]
004351CD . 50 push eax
004351CE . 64:8925 00000>mov fs:[0], esp
004351D5 . 81EC 4C070000 sub esp, 74C
004351DB . 56 push esi
004351DC . 8BF1 mov esi, ecx
004351DE . 6A 00 push 0
004351E0 . 8D4C24 14 lea ecx, [esp+14]
004351E4 . E8 07C30A00 call 004E14F0
004351E9 . 8D4C24 10 lea ecx, [esp+10]
004351ED . C78424 580700>mov dword ptr [esp+758], 0
004351F8 . E8 F1470F00 call <jmp.&MFC42.#2514_CDialog::DoModal>---->弹出模式注册窗体
004351FD . 83F8 01 cmp eax, 1--->DoModal 的返回值:eax=1(IDOK)表示用户点了确定
00435200 . 0F84 99000000 je 0043529F---->eax=1 时直接跳到 0043529F 做清理并返回;只有其它返回值(例如取消,IDCANCEL=2)才走下面弹提示框并关闭主窗体的流程.
00435206 . 8D4C24 04 lea ecx, [esp+4]
0043520A . E8 07470F00 call <jmp.&MFC42.#540_CString::CString>---->在栈上构造一个 CString 对象.
0043520F . 8D4C24 08 lea ecx, [esp+8]
00435213 . C68424 580700>mov byte ptr [esp+758], 1
0043521B . E8 F6460F00 call <jmp.&MFC42.#540_CString::CString>--->在栈上构造第二个 CString 对象.
00435220 . 68 67030000 push 367
00435225 . 8D4C24 08 lea ecx, [esp+8]
00435229 . C68424 5C0700>mov byte ptr [esp+75C], 2
00435231 . E8 2A480F00 call <jmp.&MFC42.#4160_CString::LoadStringA>---->加载ID=367字符串资源
00435236 . 68 68030000 push 368
0043523B . 8D4C24 0C lea ecx, [esp+C]
0043523F . E8 1C480F00 call <jmp.&MFC42.#4160_CString::LoadStringA>---->加载ID=368字符串资源
00435244 . 8B4424 08 mov eax, [esp+8]
00435248 . 8B4C24 04 mov ecx, [esp+4]
0043524C . 6A 40 push 40
0043524E . 50 push eax
0043524F . 51 push ecx
00435250 . 8BCE mov ecx, esi
00435252 . E8 03480F00 call <jmp.&MFC42.#4224_CWnd::MessageBoxA>--->MessageBox(文本=ID 367 的字符串, 标题=ID 368 的字符串, 0x40=MB_ICONINFORMATION),提示用户重新启动程序以运行验证算法.
00435257 . 68 8C9B5E00 push 005E9B8C ----->字符串String _005E9B8C= "MEDIAGUARD_MSG_EXITMAINDLG"
0043525C . FF15 504C5A00 call [<&USER32.RegisterWindowMessageA>]----> SDK API RegisterWindowMessageA作用根据字符串参数向OS注册一个唯一消息ID号!
00435262 . 68 7C9B5E00 push 005E9B7C --->字符串 String _005E9B7C = "数码",B4,"笫",A6,"2006" (主窗体标题,作为下面 FindWindowA 的 lpWindowName;中间的 B4、A6 应是被 OllyDbg 拆成单字节显示的中文字符)
00435267 . 6A 00 push 0 --->Class = 0
00435269 . 8BF0 mov esi, eax
0043526B . FF15 4C4C5A00 call [<&USER32.FindWindowA>] --->FindWindowA(NULL, 标题):按窗口标题查找主窗体,HWND 返回在 eax(找不到时为 0)
00435271 . 6A 00 push 0
00435273 . 6A 00 push 0
00435275 . 56 push esi
00435276 . 50 push eax
00435277 . FF15 244D5A00 call [<&USER32.SendMessageA>] --->向主窗体同步发送上面注册的唯一ID消息,主窗体里响应该消息的处理函数负责关闭主窗体.注意这里没有检查 FindWindowA 的返回值:若没找到主窗体(eax=0),消息就发给了空句柄而静默失败;另外这个消息ID只由字符串决定,任何进程只要用同一字符串调用 RegisterWindowMessage 就能向主窗体发送同样的消息让它退出.
0043527D . 8D4C24 08 lea ecx, [esp+8]
00435281 . C68424 580700>mov byte ptr [esp+758], 1
00435289 . E8 6A460F00 call <jmp.&MFC42.#800_CString::~CString>--->析构对象
0043528E . 8D4C24 04 lea ecx, [esp+4]
00435292 . C68424 580700>mov byte ptr [esp+758], 0
0043529A . E8 59460F00 call <jmp.&MFC42.#800_CString::~CString>--->析构对象
0043529F > 8D8C24 080700>lea ecx, [esp+708]
004352A6 . C78424 580700>mov dword ptr [esp+758], 9
004352B1 . E8 4AE50B00 call 004F3800
004352B6 . 8D8C24 B00400>lea ecx, [esp+4B0]
004352BD . C68424 580700>mov byte ptr [esp+758], 8
004352C5 . E8 C6F4FDFF call 00414790
004352CA . 8D8C24 E40300>lea ecx, [esp+3E4]
004352D1 . C68424 580700>mov byte ptr [esp+758], 7
004352D9 . E8 E2FE0500 call 004951C0
004352DE . 8D8C24 8C0100>lea ecx, [esp+18C]
004352E5 . C68424 580700>mov byte ptr [esp+758], 6
004352ED . E8 9EF4FDFF call 00414790
004352F2 . 8D8C24 440100>lea ecx, [esp+144]
004352F9 . C68424 580700>mov byte ptr [esp+758], 5
00435301 . E8 FAE40B00 call 004F3800
00435306 . 8D4C24 78 lea ecx, [esp+78]
0043530A . C68424 580700>mov byte ptr [esp+758], 4
00435312 . E8 A9FE0500 call 004951C0
00435317 . 8D5424 70 lea edx, [esp+70]
0043531B . C74424 70 585>mov dword ptr [esp+70], 005A5158
00435323 . 895424 0C mov [esp+C], edx
00435327 . 8D4C24 70 lea ecx, [esp+70]
0043532B . C68424 580700>mov byte ptr [esp+758], 0A
00435333 . E8 AE450F00 call <jmp.&MFC42.#2414_CGdiObject::DeleteObject>
00435338 . 8D4C24 10 lea ecx, [esp+10]
0043533C . C74424 70 445>mov dword ptr [esp+70], 005A5144
00435344 . C78424 580700>mov dword ptr [esp+758], -1
0043534F . E8 C4460F00 call <jmp.&MFC42.#641_CDialog::~CDialog>------->析构注册模式CDialog对象
00435354 . 8B8C24 500700>mov ecx, [esp+750]
0043535B . 5E pop esi
0043535C . 64:890D 00000>mov fs:[0], ecx
00435363 . 81C4 58070000 add esp, 758
00435369 . C3 retn
======================================================================
当注册模式窗体启动,在两个Edit控件中分别输入假用户名qiweixue和假注册码:qwertyuio-p[]asdfg@hjkl;'zxcvbnm,./
点击:确定Button控件,进入算法主程序也就是进入Button的事件之中.
寻找这个Button事件地址也是根据MFC类CCmdTarget,CWnd,CDialog,CButton等类和_AfxDispatchCmdMsg等寻找的,这个没有什么好讲的,都是基本的Windows/MFC消息原理.请看《深入浅出MFC》,Internal MFC,MFC Programming等书,那里边讲得很详细.
下面给出完整的事件算法函数过程:
注意:该过程多次用到 CString 类的各种成员函数,根据函数名就能知道其功能,这里不多讲.另外浮点取整(_ftol)那一段一时找不到等价的高级语言写法,就用 VC 内联汇编表示.
004E1690 . 6A FF push -1
004E1692 . 64:A1 0000000>mov eax, fs:[0]
004E1698 . 68 B4E15900 push 0059E1B4
004E169D . 50 push eax
004E169E . B8 AC030100 mov eax, 103AC
004E16A3 . 64:8925 00000>mov fs:[0], esp
004E16AA . E8 618C0400 call 0052A310
004E16AF . 53 push ebx
004E16B0 . 55 push ebp
004E16B1 . 56 push esi
004E16B2 . 57 push edi
004E16B3 . 8BF1 mov esi, ecx
004E16B5 . 68 D0AD5F00 push 005FADD0
004E16BA . 8D4C24 5C lea ecx, [esp+5C]
004E16BE . E8 BB830400 call <jmp.&MFC42.#537_CString::CString>
004E16C3 . B9 FF3F0000 mov ecx, 3FFF
004E16C8 . 33C0 xor eax, eax
004E16CA . 8DBC24 BC0300>lea edi, [esp+3BC]
004E16D1 . C78424 C40301>mov dword ptr [esp+103C4], 0
004E16DC . F3:AB rep stos dword ptr es:[edi]
004E16DE . 66:AB stos word ptr es:[edi]
004E16E0 . 8D4C24 14 lea ecx, [esp+14]
004E16E4 . AA stos byte ptr es:[edi]
004E16E5 . E8 2C820400 call <jmp.&MFC42.#540_CString::CString>
004E16EA . 8D4C24 4C lea ecx, [esp+4C]
004E16EE . C68424 C40301>mov byte ptr [esp+103C4], 1
004E16F6 . E8 1B820400 call <jmp.&MFC42.#540_CString::CString>
004E16FB . 8D4424 4C lea eax, [esp+4C]
004E16FF . 8D8E 34010000 lea ecx, [esi+134]
004E1705 . 50 push eax
004E1706 . C68424 C80301>mov byte ptr [esp+103C8], 2
004E170E . E8 FD810400 call <jmp.&MFC42.#3874_CWnd::GetWindowTextA>--->得到用户名
004E1713 . 8D4C24 14 lea ecx, [esp+14]
004E1717 . 51 push ecx
004E1718 . 8D8E F8060000 lea ecx, [esi+6F8]
004E171E . E8 ED810400 call <jmp.&MFC42.#3874_CWnd::GetWindowTextA>--->得到注册码
004E1723 . 8D5424 14 lea edx, [esp+14]
004E1727 . 8D4C24 58 lea ecx, [esp+58]
004E172B . 52 push edx
004E172C . E8 FF820400 call <jmp.&MFC42.#858_CString::operator=>
004E1731 . 8D4C24 24 lea ecx, [esp+24]
004E1735 . E8 DC810400 call <jmp.&MFC42.#540_CString::CString>
004E173A . 6A 18 push 18
004E173C . 8D4424 14 lea eax, [esp+14]
004E1740 . 6A 00 push 0
004E1742 . 50 push eax
004E1743 . 8D4C24 20 lea ecx, [esp+20]
004E1747 . C68424 D00301>mov byte ptr [esp+103D0], 3
004E174F . E8 F6830400 call <jmp.&MFC42.#4278_CString::Mid>---->取子串 Mid(0, 0x18):注册码的前 24 个字符
004E1754 . 50 push eax
004E1755 . 8D4C24 28 lea ecx, [esp+28]
004E1759 . C68424 C80301>mov byte ptr [esp+103C8], 4
004E1761 . E8 CA820400 call <jmp.&MFC42.#858_CString::operator=>
004E1766 . 8D4C24 10 lea ecx, [esp+10]
004E176A . C68424 C40301>mov byte ptr [esp+103C4], 3
004E1772 . E8 81810400 call <jmp.&MFC42.#800_CString::~CString>
004E1777 . 6A 2D push 2D
004E1779 . 8D4C24 18 lea ecx, [esp+18]
004E177D . E8 74860400 call <jmp.&MFC42.#2763_CString::Find>--->查找字符 '-'(0x2D),找不到返回 -1
004E1782 . 83F8 FF cmp eax, -1
004E1785 . 0F85 9F000000 jnz 004E182A
004E178B . 68 6CA85E00 push 005EA86C
004E1790 . 8D4C24 28 lea ecx, [esp+28]
004E1794 . E8 D1870400 call <jmp.&MFC42.#941_CString::operator+=>--->连接操作
004E1799 . 6A 03 push 3
004E179B . 8D4C24 14 lea ecx, [esp+14]
004E179F . 6A 18 push 18
004E17A1 . 51 push ecx
004E17A2 . 8D4C24 20 lea ecx, [esp+20]
004E17A6 . E8 9F830400 call <jmp.&MFC42.#4278_CString::Mid>---->定位字符串
004E17AB . 50 push eax
004E17AC . 8D4C24 28 lea ecx, [esp+28]
004E17B0 . C68424 C80301>mov byte ptr [esp+103C8], 5
004E17B8 . E8 21860400 call <jmp.&MFC42.#939_CString::operator+=>
004E17BD . 8D4C24 10 lea ecx, [esp+10]
004E17C1 . C68424 C40301>mov byte ptr [esp+103C4], 3
004E17C9 . E8 2A810400 call <jmp.&MFC42.#800_CString::~CString>
004E17CE . 6A 40 push 40
004E17D0 . 8D4C24 18 lea ecx, [esp+18]
004E17D4 . E8 1D860400 call <jmp.&MFC42.#2763_CString::Find>--->查找字符 '@'(0x40),找不到返回 -1
004E17D9 . 83F8 FF cmp eax, -1
004E17DC . 75 2D jnz short 004E180B
004E17DE . 68 B8DF5E00 push 005EDFB8
004E17E3 . 8D4C24 28 lea ecx, [esp+28]
004E17E7 . E8 7E870400 call <jmp.&MFC42.#941_CString::operator+=>
004E17EC . 6A 05 push 5
004E17EE . 8D5424 14 lea edx, [esp+14]
004E17F2 . 6A 1B push 1B
004E17F4 . 52 push edx
004E17F5 . 8D4C24 20 lea ecx, [esp+20]
004E17F9 . E8 4C830400 call <jmp.&MFC42.#4278_CString::Mid>
004E17FE . C68424 C40301>mov byte ptr [esp+103C4], 6
004E1806 . E9 A8000000 jmp 004E18B3
004E180B > 6A 06 push 6
004E180D . 8D4424 14 lea eax, [esp+14]
004E1811 . 6A 1B push 1B
004E1813 . 50 push eax
004E1814 . 8D4C24 20 lea ecx, [esp+20]
004E1818 . E8 2D830400 call <jmp.&MFC42.#4278_CString::Mid>
004E181D . C68424 C40301>mov byte ptr [esp+103C4], 7
004E1825 . E9 89000000 jmp 004E18B3
004E182A > 6A 04 push 4
004E182C . 8D4C24 14 lea ecx, [esp+14]
004E1830 . 6A 18 push 18
004E1832 . 51 push ecx
004E1833 . 8D4C24 20 lea ecx, [esp+20]
004E1837 . E8 0E830400 call <jmp.&MFC42.#4278_CString::Mid>
004E183C . 50 push eax
004E183D . 8D4C24 28 lea ecx, [esp+28]
004E1841 . C68424 C80301>mov byte ptr [esp+103C8], 8
004E1849 . E8 90850400 call <jmp.&MFC42.#939_CString::operator+=>
004E184E . 8D4C24 10 lea ecx, [esp+10]
004E1852 . C68424 C40301>mov byte ptr [esp+103C4], 3
004E185A . E8 99800400 call <jmp.&MFC42.#800_CString::~CString>
004E185F . 6A 40 push 40
004E1861 . 8D4C24 18 lea ecx, [esp+18]
004E1865 . E8 8C850400 call <jmp.&MFC42.#2763_CString::Find>
004E186A . 83F8 FF cmp eax, -1
004E186D . 75 2A jnz short 004E1899
004E186F . 68 B8DF5E00 push 005EDFB8
004E1874 . 8D4C24 28 lea ecx, [esp+28]
004E1878 . E8 ED860400 call <jmp.&MFC42.#941_CString::operator+=>
004E187D . 6A 05 push 5
004E187F . 8D5424 14 lea edx, [esp+14]
004E1883 . 6A 1C push 1C
004E1885 . 52 push edx
004E1886 . 8D4C24 20 lea ecx, [esp+20]
004E188A . E8 BB820400 call <jmp.&MFC42.#4278_CString::Mid>
004E188F . C68424 C40301>mov byte ptr [esp+103C4], 9
004E1897 . EB 1A jmp short 004E18B3
004E1899 > 6A 06 push 6
004E189B . 8D4424 14 lea eax, [esp+14]
004E189F . 6A 1C push 1C
004E18A1 . 50 push eax
004E18A2 . 8D4C24 20 lea ecx, [esp+20]
004E18A6 . E8 9F820400 call <jmp.&MFC42.#4278_CString::Mid>
004E18AB . C68424 C40301>mov byte ptr [esp+103C4], 0A
======================================================================
以上汇编代码对应下面的高级语言,功能简单说就是:取注册码前 0x18(24) 个字符,检查整个输入中是否已有 '-' 和 '@' 两个分隔符(缺的就补上),再从固定偏移处接上后面的字符;只要输入够长,str1 与 str3 合起来固定是 34 个字符.例如输入 qwertyuio-p[]asdfg@hjkl;'zxcvbnm,./ 会变成 qwertyuio-p[]asdfg@hjkl;'zxcvbnm,.(末尾的 '/' 被丢掉).
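// Stage 1 of the key transform, mirroring 004E16C3-004E18B3 above: read the
// raw registration code, keep its first 0x18 (24) characters, then make sure
// the '-' and '@' separators are present (inserting each one when missing)
// while the following characters are taken from fixed offsets of the input.
// Whichever branch runs, str1 ends up 28 or 29 characters and str3 6 or 5,
// so str1+str3 (joined in the next stage) is always 34 characters for an
// input at least that long. (MFC's CString::Mid is expected to clamp an
// out-of-range request rather than fault on a shorter input -- verify
// against the MFC version in use.)
// This listing is a reading aid for the disassembly, not a keygen.
CString KeyStr, str1, str2, str3, str4;        // used in this stage
CString str5, str6, str7, str8, str9, str10;   // used by the continuation below
CString str11,str12,str13,str14,str15,str16,str17,str18,str19,str20,str21,str22,str23,str24,str25, str26;
char user[256];
// Bound the extraction: operator>>(istream&, char*) stores at most width()-1
// characters when width() is non-zero, so a pasted key longer than the
// buffer is cut short instead of overflowing the stack. width() resets to 0
// after the extraction, so it must be set right before it.
cin.width(sizeof user);
cin>>user;
KeyStr.Format("%s",user);
str1=KeyStr.Mid(0,0x18);            // first 24 characters
// Note: Find scans the WHOLE input, so a '-' (or '@') anywhere -- even inside
// the first 24 characters -- counts as "present".
if(KeyStr.Find('-')<0)              // no '-' in the input: insert one, then 3 chars from 0x18
{
    str1=str1+(CString)"-";
    str2=KeyStr.Mid(0x18,3);
    str1=str1+str2;
    if(KeyStr.Find('@')<0)          // no '@' either: insert one, then 5 chars from 0x1B
    {
        str1=str1+(CString)"@";
        str3=KeyStr.Mid(0x1B,5);
    }
    else                            // '@' present: 6 chars from 0x1B
    {
        str3=KeyStr.Mid(0x1B,6);
    }
}
else                                // '-' present: 4 chars from 0x18 instead
{
    str4=KeyStr.Mid(0x18,4);
    str1=str1+str4;
    if(KeyStr.Find('@')<0)          // no '@': insert one, then 5 chars from 0x1C
    {
        str1=str1+(CString)"@";
        str3=KeyStr.Mid(0x1C,5);
    }
    else                            // '@' present: 6 chars from 0x1C
    {
        str3=KeyStr.Mid(0x1C,6);
    }
}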
004E18B3 > 8D4C24 24 lea ecx, [esp+24]
004E18B7 . 50 push eax
004E18B8 . E8 21850400 call <jmp.&MFC42.#939_CString::operator+=>
004E18BD . 8D4C24 10 lea ecx, [esp+10]
004E18C1 . C68424 C40301>mov byte ptr [esp+103C4], 3
004E18C9 . E8 2A800400 call <jmp.&MFC42.#800_CString::~CString>
004E18CE . 8D4C24 24 lea ecx, [esp+24]
004E18D2 . 51 push ecx
004E18D3 . 8D4C24 18 lea ecx, [esp+18]
004E18D7 . E8 54810400 call <jmp.&MFC42.#858_CString::operator=>
004E18DC . 8D4C24 20 lea ecx, [esp+20]
004E18E0 . E8 31800400 call <jmp.&MFC42.#540_CString::CString>
004E18E5 . 8D5424 10 lea edx, [esp+10]
004E18E9 . 6A 0A push 0A
004E18EB . 52 push edx
004E18EC . 8D4C24 1C lea ecx, [esp+1C]
004E18F0 . C68424 CC0301>mov byte ptr [esp+103CC], 0B
004E18F8 . E8 93810400 call <jmp.&MFC42.#4129_CString::Left>
004E18FD . 50 push eax
004E18FE . 8D4C24 24 lea ecx, [esp+24]
004E1902 . C68424 C80301>mov byte ptr [esp+103C8], 0C
004E190A . E8 21810400 call <jmp.&MFC42.#858_CString::operator=>
004E190F . 8D4C24 10 lea ecx, [esp+10]
004E1913 . C68424 C40301>mov byte ptr [esp+103C4], 0B
004E191B . E8 D87F0400 call <jmp.&MFC42.#800_CString::~CString>
004E1920 . 6A 01 push 1
004E1922 . 8D4424 1C lea eax, [esp+1C]
004E1926 . 6A 0A push 0A
004E1928 . 50 push eax
004E1929 . 8D4C24 20 lea ecx, [esp+20]
004E192D . E8 18820400 call <jmp.&MFC42.#4278_CString::Mid>
004E1932 . BB 0D000000 mov ebx, 0D
004E1937 . 8D4C24 18 lea ecx, [esp+18]
004E193B . 889C24 C40301>mov [esp+103C4], bl
004E1942 . E8 C5860400 call <jmp.&MFC42.#4204_CString::MakeUpper>
004E1947 . 8D4C24 18 lea ecx, [esp+18]
004E194B . 51 push ecx
004E194C . 8D4C24 24 lea ecx, [esp+24]
004E1950 . E8 89840400 call <jmp.&MFC42.#939_CString::operator+=>
004E1955 . 6A 01 push 1
004E1957 . 8D5424 14 lea edx, [esp+14]
004E195B . 6A 0B push 0B
004E195D . 52 push edx
004E195E . 8D4C24 20 lea ecx, [esp+20]
004E1962 . E8 E3810400 call <jmp.&MFC42.#4278_CString::Mid>
004E1967 . 50 push eax
004E1968 . 8D4C24 1C lea ecx, [esp+1C]
004E196C . C68424 C80301>mov byte ptr [esp+103C8], 0E
004E1974 . E8 B7800400 call <jmp.&MFC42.#858_CString::operator=>
004E1979 . 8D4C24 10 lea ecx, [esp+10]
004E197D . 889C24 C40301>mov [esp+103C4], bl
004E1984 . E8 6F7F0400 call <jmp.&MFC42.#800_CString::~CString>
004E1989 . 8D4C24 18 lea ecx, [esp+18]
004E198D . E8 7A860400 call <jmp.&MFC42.#4204_CString::MakeUpper>
004E1992 . 8D4424 18 lea eax, [esp+18]
004E1996 . 8D4C24 20 lea ecx, [esp+20]
004E199A . 50 push eax
004E199B . E8 3E840400 call <jmp.&MFC42.#939_CString::operator+=>
004E19A0 . 6A 05 push 5
004E19A2 . 8D4C24 14 lea ecx, [esp+14]
004E19A6 . 6A 0C push 0C
004E19A8 . 51 push ecx
004E19A9 . 8D4C24 20 lea ecx, [esp+20]
004E19AD . E8 98810400 call <jmp.&MFC42.#4278_CString::Mid>
004E19B2 . 50 push eax
004E19B3 . 8D4C24 24 lea ecx, [esp+24]
004E19B7 . C68424 C80301>mov byte ptr [esp+103C8], 0F
004E19BF . E8 1A840400 call <jmp.&MFC42.#939_CString::operator+=>
004E19C4 . 8D4C24 10 lea ecx, [esp+10]
004E19C8 . 889C24 C40301>mov [esp+103C4], bl
004E19CF . E8 247F0400 call <jmp.&MFC42.#800_CString::~CString>
004E19D4 . 6A 01 push 1
004E19D6 . 8D5424 14 lea edx, [esp+14]
004E19DA . 6A 11 push 11
004E19DC . 52 push edx
004E19DD . 8D4C24 20 lea ecx, [esp+20]
004E19E1 . E8 64810400 call <jmp.&MFC42.#4278_CString::Mid>
004E19E6 . 50 push eax
004E19E7 . 8D4C24 1C lea ecx, [esp+1C]
004E19EB . C68424 C80301>mov byte ptr [esp+103C8], 10
004E19F3 . E8 38800400 call <jmp.&MFC42.#858_CString::operator=>
004E19F8 . 8D4C24 10 lea ecx, [esp+10]
004E19FC . 889C24 C40301>mov [esp+103C4], bl
004E1A03 . E8 F07E0400 call <jmp.&MFC42.#800_CString::~CString>
004E1A08 . 8D4C24 18 lea ecx, [esp+18]
004E1A0C . E8 FB850400 call <jmp.&MFC42.#4204_CString::MakeUpper>
004E1A11 . 8D4424 18 lea eax, [esp+18]
004E1A15 . 8D4C24 20 lea ecx, [esp+20]
004E1A19 . 50 push eax
004E1A1A . E8 BF830400 call <jmp.&MFC42.#939_CString::operator+=>
004E1A1F . 6A 01 push 1
004E1A21 . 8D4C24 14 lea ecx, [esp+14]
004E1A25 . 6A 12 push 12
004E1A27 . 51 push ecx
004E1A28 . 8D4C24 20 lea ecx, [esp+20]
004E1A2C . E8 19810400 call <jmp.&MFC42.#4278_CString::Mid>
004E1A31 . 50 push eax
004E1A32 . 8D4C24 1C lea ecx, [esp+1C]
004E1A36 . C68424 C80301>mov byte ptr [esp+103C8], 11
004E1A3E . E8 ED7F0400 call <jmp.&MFC42.#858_CString::operator=>
004E1A43 . 8D4C24 10 lea ecx, [esp+10]
004E1A47 . 889C24 C40301>mov [esp+103C4], bl
004E1A4E . E8 A57E0400 call <jmp.&MFC42.#800_CString::~CString>
004E1A53 . 8D4C24 18 lea ecx, [esp+18]
004E1A57 . E8 EC7F0400 call <jmp.&MFC42.#4202_CString::MakeLower>
004E1A5C . 8D5424 18 lea edx, [esp+18]
004E1A60 . 8D4C24 20 lea ecx, [esp+20]
004E1A64 . 52 push edx
004E1A65 . E8 74830400 call <jmp.&MFC42.#939_CString::operator+=>
004E1A6A . 6A 05 push 5
004E1A6C . 8D4424 14 lea eax, [esp+14]
004E1A70 . 6A 13 push 13
004E1A72 . 50 push eax
004E1A73 . 8D4C24 20 lea ecx, [esp+20]
004E1A77 . E8 CE800400 call <jmp.&MFC42.#4278_CString::Mid>
004E1A7C . 50 push eax
004E1A7D . 8D4C24 24 lea ecx, [esp+24]
004E1A81 . C68424 C80301>mov byte ptr [esp+103C8], 12
004E1A89 . E8 50830400 call <jmp.&MFC42.#939_CString::operator+=>
004E1A8E . 8D4C24 10 lea ecx, [esp+10]
004E1A92 . 889C24 C40301>mov [esp+103C4], bl
004E1A99 . E8 5A7E0400 call <jmp.&MFC42.#800_CString::~CString>
004E1A9E . 6A 01 push 1
004E1AA0 . 8D4C24 14 lea ecx, [esp+14]
004E1AA4 . 6A 18 push 18
004E1AA6 . 51 push ecx
004E1AA7 . 8D4C24 20 lea ecx, [esp+20]
004E1AAB . E8 9A800400 call <jmp.&MFC42.#4278_CString::Mid>
004E1AB0 . 50 push eax
004E1AB1 . 8D4C24 24 lea ecx, [esp+24]
004E1AB5 . C68424 C80301>mov byte ptr [esp+103C8], 13
004E1ABD . E8 1C830400 call <jmp.&MFC42.#939_CString::operator+=>
004E1AC2 . 8D4C24 10 lea ecx, [esp+10]
004E1AC6 . 889C24 C40301>mov [esp+103C4], bl
004E1ACD . E8 267E0400 call <jmp.&MFC42.#800_CString::~CString>
004E1AD2 . 6A 01 push 1
004E1AD4 . 8D5424 14 lea edx, [esp+14]
004E1AD8 . 6A 19 push 19
004E1ADA . 52 push edx
004E1ADB . 8D4C24 20 lea ecx, [esp+20]
004E1ADF . E8 66800400 call <jmp.&MFC42.#4278_CString::Mid>
004E1AE4 . 50 push eax
004E1AE5 . 8D4C24 1C lea ecx, [esp+1C]
004E1AE9 . C68424 C80301>mov byte ptr [esp+103C8], 14
004E1AF1 . E8 3A7F0400 call <jmp.&MFC42.#858_CString::operator=>
004E1AF6 . 8D4C24 10 lea ecx, [esp+10]
004E1AFA . 889C24 C40301>mov [esp+103C4], bl
004E1B01 . E8 F27D0400 call <jmp.&MFC42.#800_CString::~CString>
004E1B06 . 8D4C24 18 lea ecx, [esp+18]
004E1B0A . E8 FD840400 call <jmp.&MFC42.#4204_CString::MakeUpper>
004E1B0F . 8D4424 18 lea eax, [esp+18]
004E1B13 . 50 push eax
004E1B14 . 8D4C24 24 lea ecx, [esp+24]
004E1B18 . E8 C1820400 call <jmp.&MFC42.#939_CString::operator+=>
004E1B1D . 6A 01 push 1
004E1B1F . 8D4C24 14 lea ecx, [esp+14]
004E1B23 . 6A 1A push 1A
004E1B25 . 51 push ecx
004E1B26 . 8D4C24 20 lea ecx, [esp+20]
004E1B2A . E8 1B800400 call <jmp.&MFC42.#4278_CString::Mid>
004E1B2F . 50 push eax
004E1B30 . 8D4C24 1C lea ecx, [esp+1C]
004E1B34 . C68424 C80301>mov byte ptr [esp+103C8], 15
004E1B3C . E8 EF7E0400 call <jmp.&MFC42.#858_CString::operator=>
004E1B41 . 8D4C24 10 lea ecx, [esp+10]
004E1B45 . 889C24 C40301>mov [esp+103C4], bl
004E1B4C . E8 A77D0400 call <jmp.&MFC42.#800_CString::~CString>
004E1B51 . 8D4C24 18 lea ecx, [esp+18]
004E1B55 . E8 EE7E0400 call <jmp.&MFC42.#4202_CString::MakeLower>
004E1B5A . 8D5424 18 lea edx, [esp+18]
004E1B5E . 8D4C24 20 lea ecx, [esp+20]
004E1B62 . 52 push edx
004E1B63 . E8 76820400 call <jmp.&MFC42.#939_CString::operator+=>
004E1B68 . 6A 01 push 1
004E1B6A . 8D4424 14 lea eax, [esp+14]
004E1B6E . 6A 1B push 1B
004E1B70 . 50 push eax
004E1B71 . 8D4C24 20 lea ecx, [esp+20]
004E1B75 . E8 D07F0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1B7A . 50 push eax
004E1B7B . 8D4C24 1C lea ecx, [esp+1C]
004E1B7F . C68424 C80301>mov byte ptr [esp+103C8], 16
004E1B87 . E8 A47E0400 call <jmp.&MFC42.#858_CString::operator=>
004E1B8C . 8D4C24 10 lea ecx, [esp+10]
004E1B90 . 889C24 C40301>mov [esp+103C4], bl
004E1B97 . E8 5C7D0400 call <jmp.&MFC42.#800_CString::~CString>
004E1B9C . 8D4C24 18 lea ecx, [esp+18]
004E1BA0 . E8 A37E0400 call <jmp.&MFC42.#4202_CString::MakeLower>
004E1BA5 . 8D4C24 18 lea ecx, [esp+18]
004E1BA9 . 51 push ecx
004E1BAA . 8D4C24 24 lea ecx, [esp+24]
004E1BAE . E8 2B820400 call <jmp.&MFC42.#939_CString::operator+=>
004E1BB3 . 6A 01 push 1
004E1BB5 . 8D5424 14 lea edx, [esp+14]
004E1BB9 . 6A 1C push 1C
004E1BBB . 52 push edx
004E1BBC . 8D4C24 20 lea ecx, [esp+20]
004E1BC0 . E8 857F0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1BC5 . 50 push eax
004E1BC6 . 8D4C24 24 lea ecx, [esp+24]
004E1BCA . C68424 C80301>mov byte ptr [esp+103C8], 17
004E1BD2 . E8 07820400 call <jmp.&MFC42.#939_CString::operator+=>
004E1BD7 . 8D4C24 10 lea ecx, [esp+10]
004E1BDB . 889C24 C40301>mov [esp+103C4], bl
004E1BE2 . E8 117D0400 call <jmp.&MFC42.#800_CString::~CString>
004E1BE7 . 6A 01 push 1
004E1BE9 . 8D4424 14 lea eax, [esp+14]
004E1BED . 6A 1D push 1D
004E1BEF . 50 push eax
004E1BF0 . 8D4C24 20 lea ecx, [esp+20]
004E1BF4 . E8 517F0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1BF9 . 50 push eax
004E1BFA . 8D4C24 1C lea ecx, [esp+1C]
004E1BFE . C68424 C80301>mov byte ptr [esp+103C8], 18
004E1C06 . E8 257E0400 call <jmp.&MFC42.#858_CString::operator=>
004E1C0B . 8D4C24 10 lea ecx, [esp+10]
004E1C0F . 889C24 C40301>mov [esp+103C4], bl
004E1C16 . E8 DD7C0400 call <jmp.&MFC42.#800_CString::~CString>
004E1C1B . 8D4C24 18 lea ecx, [esp+18]
004E1C1F . E8 E8830400 call <jmp.&MFC42.#4204_CString::MakeUpper>
004E1C24 . 8D4C24 18 lea ecx, [esp+18]
004E1C28 . 51 push ecx
004E1C29 . 8D4C24 24 lea ecx, [esp+24]
004E1C2D . E8 AC810400 call <jmp.&MFC42.#939_CString::operator+=>
004E1C32 . 6A 01 push 1
004E1C34 . 8D5424 14 lea edx, [esp+14]
004E1C38 . 6A 1E push 1E
004E1C3A . 52 push edx
004E1C3B . 8D4C24 20 lea ecx, [esp+20]
004E1C3F . E8 067F0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1C44 . 50 push eax
004E1C45 . 8D4C24 1C lea ecx, [esp+1C]
004E1C49 . C68424 C80301>mov byte ptr [esp+103C8], 19
004E1C51 . E8 DA7D0400 call <jmp.&MFC42.#858_CString::operator=>
004E1C56 . 8D4C24 10 lea ecx, [esp+10]
004E1C5A . 889C24 C40301>mov [esp+103C4], bl
004E1C61 . E8 927C0400 call <jmp.&MFC42.#800_CString::~CString>
004E1C66 . 8D4C24 18 lea ecx, [esp+18]
004E1C6A . E8 9D830400 call <jmp.&MFC42.#4204_CString::MakeUpper>
004E1C6F . 8D4424 18 lea eax, [esp+18]
004E1C73 . 8D4C24 20 lea ecx, [esp+20]
004E1C77 . 50 push eax
004E1C78 . E8 61810400 call <jmp.&MFC42.#939_CString::operator+=>
004E1C7D . 6A 03 push 3
004E1C7F . 8D4C24 14 lea ecx, [esp+14]
004E1C83 . 6A 1F push 1F
004E1C85 . 51 push ecx
004E1C86 . 8D4C24 20 lea ecx, [esp+20]
004E1C8A . E8 BB7E0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1C8F . 50 push eax
004E1C90 . 8D4C24 24 lea ecx, [esp+24]
004E1C94 . C68424 C80301>mov byte ptr [esp+103C8], 1A
004E1C9C . E8 3D810400 call <jmp.&MFC42.#939_CString::operator+=>
004E1CA1 . 8D4C24 10 lea ecx, [esp+10]
004E1CA5 . 889C24 C40301>mov [esp+103C4], bl
004E1CAC . E8 477C0400 call <jmp.&MFC42.#800_CString::~CString>
004E1CB1 . 8D5424 20 lea edx, [esp+20]
004E1CB5 . 8D4C24 14 lea ecx, [esp+14]
004E1CB9 . 52 push edx
004E1CBA . E8 717D0400 call <jmp.&MFC42.#858_CString::operator=>
004E1CBF . 68 D0AD5F00 push 005FADD0
004E1CC4 . 8D4C24 48 lea ecx, [esp+48]
004E1CC8 . E8 B17D0400 call <jmp.&MFC42.#537_CString::CString>
004E1CCD . 68 D0AD5F00 push 005FADD0
004E1CD2 . 8D4C24 4C lea ecx, [esp+4C]
004E1CD6 . C68424 C80301>mov byte ptr [esp+103C8], 1B
004E1CDE . E8 9B7D0400 call <jmp.&MFC42.#537_CString::CString>
004E1CE3 . 8D4424 14 lea eax, [esp+14]
004E1CE7 . 8D4C24 44 lea ecx, [esp+44]
004E1CEB . 50 push eax
004E1CEC . C68424 C80301>mov byte ptr [esp+103C8], 1C
004E1CF4 . E8 377D0400 call <jmp.&MFC42.#858_CString::operator=>
004E1CF9 . 8D4C24 10 lea ecx, [esp+10]
004E1CFD . 6A 0A push 0A
004E1CFF . 51 push ecx
004E1D00 . 8D4C24 1C lea ecx, [esp+1C]
004E1D04 . E8 6F7D0400 call <jmp.&MFC42.#4277_CString::Mid>
004E1D09 . 50 push eax
004E1D0A . 8D4C24 18 lea ecx, [esp+18]
004E1D0E . C68424 C80301>mov byte ptr [esp+103C8], 1D
004E1D16 . E8 157D0400 call <jmp.&MFC42.#858_CString::operator=>
004E1D1B . 8D4C24 10 lea ecx, [esp+10]
004E1D1F . C68424 C40301>mov byte ptr [esp+103C4], 1C
004E1D27 . E8 CC7B0400 call <jmp.&MFC42.#800_CString::~CString>
004E1D2C . 8D5424 4C lea edx, [esp+4C]
004E1D30 . 8D4C24 44 lea ecx, [esp+44]
004E1D34 . 52 push edx
004E1D35 . E8 F67C0400 call <jmp.&MFC42.#858_CString::operator=>
004E1D3A . 6A 01 push 1
004E1D3C . 8D4424 34 lea eax, [esp+34]
004E1D40 . 6A 13 push 13
004E1D42 . 50 push eax
004E1D43 . 8D4C24 20 lea ecx, [esp+20]
004E1D47 . E8 FE7D0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1D4C . 8BF8 mov edi, eax
004E1D4E . 6A 01 push 1
004E1D50 . 8D4C24 3C lea ecx, [esp+3C]
004E1D54 . 53 push ebx
004E1D55 . 51 push ecx
004E1D56 . 8D4C24 20 lea ecx, [esp+20]
004E1D5A . C68424 D00301>mov byte ptr [esp+103D0], 1E
004E1D62 . E8 E37D0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1D67 . 8BE8 mov ebp, eax
004E1D69 . 6A 01 push 1
004E1D6B . 8D5424 64 lea edx, [esp+64]
004E1D6F . 6A 08 push 8
004E1D71 . 52 push edx
004E1D72 . 8D4C24 20 lea ecx, [esp+20]
004E1D76 . C68424 D00301>mov byte ptr [esp+103D0], 1F
004E1D7E . E8 C77D0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1D83 . 894424 64 mov [esp+64], eax
004E1D87 . 6A 01 push 1
004E1D89 . 8D8424 800000>lea eax, [esp+80]
004E1D90 . 6A 07 push 7
004E1D92 . 50 push eax
004E1D93 . 8D4C24 20 lea ecx, [esp+20]
004E1D97 . C68424 D00301>mov byte ptr [esp+103D0], 20
004E1D9F . E8 A67D0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1DA4 . 894424 10 mov [esp+10], eax
004E1DA8 . 6A 01 push 1
004E1DAA . 8D4C24 7C lea ecx, [esp+7C]
004E1DAE . 6A 00 push 0
004E1DB0 . 51 push ecx
004E1DB1 . 8D4C24 20 lea ecx, [esp+20]
004E1DB5 . C68424 D00301>mov byte ptr [esp+103D0], 21
004E1DBD . E8 887D0400 call <jmp.&MFC42.#4278_CString::Mid>
004E1DC2 . 8B5424 10 mov edx, [esp+10]
004E1DC6 . C68424 C40301>mov byte ptr [esp+103C4], 22
004E1DCE . 52 push edx
004E1DCF . 50 push eax
004E1DD0 . 8D4424 48 lea eax, [esp+48]
004E1DD4 . 50 push eax
004E1DD5 . E8 B67F0400 call <jmp.&MFC42.#922_operator+>
004E1DDA . 8B4C24 64 mov ecx, [esp+64]
004E1DDE . 8D5424 54 lea edx, [esp+54]
004E1DE2 . 51 push ecx
004E1DE3 . 50 push eax
004E1DE4 . 52 push edx
004E1DE5 . C68424 D00301>mov byte ptr [esp+103D0], 23
004E1DED . E8 9E7F0400 call <jmp.&MFC42.#922_operator+>
004E1DF2 . 55 push ebp
004E1DF3 . 50 push eax
004E1DF4 . 8D4424 30 lea eax, [esp+30]
004E1DF8 . C68424 CC0301>mov byte ptr [esp+103CC], 24
004E1E00 . 50 push eax
004E1E01 . E8 8A7F0400 call <jmp.&MFC42.#922_operator+>
004E1E06 . 57 push edi
004E1E07 . 8D4C24 30 lea ecx, [esp+30]
004E1E0B . 50 push eax
004E1E0C . 51 push ecx
004E1E0D . C68424 D00301>mov byte ptr [esp+103D0], 25
004E1E15 . E8 767F0400 call <jmp.&MFC42.#922_operator+>
004E1E1A . 50 push eax
004E1E1B . 8D4C24 4C lea ecx, [esp+4C]
004E1E1F . C68424 C80301>mov byte ptr [esp+103C8], 26
004E1E27 . E8 047C0400 call <jmp.&MFC42.#858_CString::operator=>
004E1E2C . 8D4C24 2C lea ecx, [esp+2C]
004E1E30 . C68424 C40301>mov byte ptr [esp+103C4], 25
004E1E38 . E8 BB7A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1E3D . 8D4C24 28 lea ecx, [esp+28]
004E1E41 . C68424 C40301>mov byte ptr [esp+103C4], 24
004E1E49 . E8 AA7A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1E4E . 8D4C24 54 lea ecx, [esp+54]
004E1E52 . C68424 C40301>mov byte ptr [esp+103C4], 23
004E1E5A . E8 997A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1E5F . 8D4C24 40 lea ecx, [esp+40]
004E1E63 . C68424 C40301>mov byte ptr [esp+103C4], 22
004E1E6B . E8 887A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1E70 . 8D4C24 78 lea ecx, [esp+78]
004E1E74 . C68424 C40301>mov byte ptr [esp+103C4], 21
004E1E7C . E8 777A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1E81 . 8D4C24 7C lea ecx, [esp+7C]
004E1E85 . C68424 C40301>mov byte ptr [esp+103C4], 20
004E1E8D . E8 667A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1E92 . 8D4C24 60 lea ecx, [esp+60]
004E1E96 . C68424 C40301>mov byte ptr [esp+103C4], 1F
004E1E9E . E8 557A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1EA3 . 8D4C24 38 lea ecx, [esp+38]
004E1EA7 . C68424 C40301>mov byte ptr [esp+103C4], 1E
004E1EAF . E8 447A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1EB4 . 8D4C24 30 lea ecx, [esp+30]
004E1EB8 . C68424 C40301>mov byte ptr [esp+103C4], 1C
004E1EC0 . E8 337A0400 call <jmp.&MFC42.#800_CString::~CString>
004E1EC5 . 8D4C24 48 lea ecx, [esp+48]
004E1EC9 . E8 3E810400 call <jmp.&MFC42.#4204_CString::MakeUpper>
======================================================================到这里又是一个小阶段,以上汇编对应如下高级语言:
// Stage 2 (004E18B3-004E1EC9 above): join the two pieces from stage 1, then
// rebuild the 34-character string as str5 with the case of fixed positions
// forced: positions 10,11,17,18,25,29,30 are upper-cased, 26,27 lower-cased,
// and every other character is copied unchanged. str20 is the tail of str5
// from position 10, and str25 is five characters picked from fixed indexes
// of str20 (0,7,8,13,19, appended in the order 0,7,8,13,19) and upper-cased.
// The trailing //X comments show the character each pick yields for the
// sample key used above.
str1=str1+str3;
str5=str1.Left(0xA);        // positions 0..9 unchanged
str6=str1.Mid(0x0A,1);      // position 10 -> upper
str6.MakeUpper();
str5=str5+str6;
str7=str1.Mid(0x0B,1);      // position 11 -> upper
str7.MakeUpper();
str5=str5+str7;
str8=str1.Mid(0x0C,5);      // positions 12..16 unchanged
str5=str5+str8;
str9=str1.Mid(0x11,1);      // position 17 -> upper
str9.MakeUpper();
str5=str5+str9;
str10=str1.Mid(0x12,1);     // position 18 -> upper
str10.MakeUpper();
str5=str5+str10;
str11=str1.Mid(0x13,5);     // positions 19..23 unchanged
str5=str5+str11;
str12=str1.Mid(0x18,1);     // position 24 unchanged
str5=str5+str12;
str13=str1.Mid(0x19,1);     // position 25 -> upper
str13.MakeUpper();
str5=str5+str13;
str14=str1.Mid(0x1A,1);     // position 26 -> lower
str14.MakeLower();
str5=str5+str14;
str15=str1.Mid(0x1B,1);     // position 27 -> lower
str15.MakeLower();
str5=str5+str15;
str16=str1.Mid(0x1C,1);     // position 28 unchanged
str5=str5+str16;
str17=str1.Mid(0x1D,1);     // position 29 -> upper
str17.MakeUpper();
str5=str5+str17;
str18=str1.Mid(0x1E,1);     // position 30 -> upper
str18.MakeUpper();
str5=str5+str18;
str19=str1.Mid(0x1F,3);     // positions 31..33 unchanged
str5=str5+str19;
str20=str5.Mid(0xA);        // everything from position 10 on (24 chars for the sample)
str21=str20.Mid(0x13,1);//B
str22=str20.Mid(0x0D,1);//;
str23=str20.Mid(0x8,1);//@
str24=str20.Mid(0x7,1);//G
str25= str20.Mid(0,1);//P
str25=str25+str24;          // "PG"
str25=str25+str23;          // "PG@"
str25=str25+str22;          // "PG@;"
str25=str25+str21;          // "PG@;B"
str25.MakeUpper();          // all five picks upper-cased (the separators are unaffected)
004E1ECE . 8B5424 14 mov edx, [esp+14] ; P[]asdfG@hjkl;'ZxcvBNm,.
004E1ED2 . 8D8424 BC0300>lea eax, [esp+3BC] ; 000FADD4
004E1ED9 . 52 push edx ; /<%s>
004E1EDA . 68 3C965E00 push 005E963C ; |format = "%s"
004E1EDF . 50 push eax ; |s
004E1EE0 . FF15 104A5A00 call [<&MSVCRT.sprintf>] ; \sprintf
004E1EE6 . 8A8C24 C80300>mov cl, [esp+3C8] ; 000FADD4
004E1EED . 83C4 0C add esp, 0C
004E1EF0 . 33C0 xor eax, eax
004E1EF2 . 84C9 test cl, cl
004E1EF4 . 894424 10 mov [esp+10], eax
004E1EF8 . 74 18 je short 004E1F12
004E1EFA . 8D9424 BC0300>lea edx, [esp+3BC] ; 000FADD4
004E1F01 > 0FBEC9 movsx ecx, cl
004E1F04 . 03C1 add eax, ecx
004E1F06 . 8A4A 01 mov cl, [edx+1]
004E1F09 . 42 inc edx
004E1F0A . 84C9 test cl, cl
004E1F0C .^ 75 F3 jnz short 004E1F01
004E1F0E . 894424 10 mov [esp+10], eax
004E1F12 > 8B4C24 14 mov ecx, [esp+14]
004E1F16 . 33ED xor ebp, ebp
004E1F18 . 8B41 F8 mov eax, [ecx-8]
004E1F1B . 99 cdq
004E1F1C . 2BC2 sub eax, edx
004E1F1E . D1F8 sar eax, 1
004E1F20 . 8A1408 mov dl, [eax+ecx]
004E1F23 . 33C0 xor eax, eax
004E1F25 . 885424 1F mov [esp+1F], dl
004E1F29 > 8A8C04 BC0300>mov cl, [esp+eax+3BC]
004E1F30 . 84C9 test cl, cl
004E1F32 . 74 0F je short 004E1F43
004E1F34 . 0FBEC9 movsx ecx, cl
004E1F37 . 83C0 02 add eax, 2
004E1F3A . 03E9 add ebp, ecx
004E1F3C . 3D FFFF0000 cmp eax, 0FFFF
004E1F41 .^ 7C E6 jl short 004E1F29
004E1F43 > D9ED fldln2 -------------------------->浮点运算:把 ln2 (log_e 2) 压入 ST(0)
004E1F45 . DB4424 10 fild dword ptr [esp+10]----->把 [esp+10](上面第一个循环求出的各字节有符号和)作为整数压入 ST(0)
004E1F49 . D9F1 fyl2x ------>ST(1)←ST(1)*log2(ST(0)) 并弹栈,即 ln2*log2(和)=ln(和):求字节和的自然对数
004E1F4B . E8 7A830400 call <jmp.&MSVCRT._ftol>----->向零截断成整数(见下面展开的内联汇编),结果在 eax
======================================================================注意这个 _ftol:它是 VC 运行库(MSVCRT)里的浮点转整数辅助函数,很有意思.编译器把 float/double 转成 int 时不会把它展开,而是生成一条 call _ftol;它先把 FPU 控制字的舍入模式改成向零截断,fistp 之后再恢复原控制字.工程里加了 msvcrt.lib 用内联汇编 call _ftol 链接不过去;看了一下 MSVCRT.DLL 的导出表里有 _ftol,应该可以用 LoadLibrary/GetProcAddress 调用,不过没有演示.这里为了温习浮点汇编,特意把它展开成 VC 内联汇编.多谢 5 楼 foxadu 同学指正文章 bug.
int bc; ---->是保存转换返回的整数
_asm FLDLN2;---->loge(2)
_asm FILD DWORD ptr bbb;------>整数bbb压浮数栈
_asm fyl2x;--->ST(1)←ST(1)*log2(ST(0)),
从这里开始是ftol函数:
_asm push ebp---->保存
_asm mov ebp, esp
_asm sub esp, 0x0C
_asm fstcw [ebp-2];--->保存浮点寄存器状态
_asm mov ax, [ebp-2];
_asm or ah, 0x0C;
_asm mov [ebp-4], ax;
_asm fldcw [ebp-4];--->加载浮点运算状态
_asm fistp qword ptr [ebp-0x0C];---->整数弹出
_asm fldcw [ebp];---->--->弹出浮点寄存器状态
_asm mov eax, [ebp-0x0C];
_asm mov edx, [ebp-8];
_asm leave;--->平衡堆栈.
_asm mov bc,eax;--->返回值给bc变量保存
======================================================================
004E1F50 . 0FBE5424 1F movsx edx, byte ptr [esp+1F]
004E1F55 . 8BF8 mov edi, eax
004E1F57 . 8D4C24 3C lea ecx, [esp+3C]
004E1F5B . 03FD add edi, ebp
004E1F5D . 0FAFFA imul edi, edx
004E1F60 . E8 B1790400 call <jmp.&MFC42.#540_CString::CString>
004E1F65 . 57 push edi
004E1F66 . 8D4424 40 lea eax, [esp+40]
004E1F6A . 68 54925E00 push 005E9254
004E1F6F . 50 push eax
004E1F70 . C68424 D00301>mov byte ptr [esp+103D0], 27
004E1F78 . E8 5F7A0400 call <jmp.&MFC42.#2818_CString::Format>
004E1F7D . 83C4 0C add esp, 0C
004E1F80 . 8D4C24 14 lea ecx, [esp+14]
004E1F84 . 51 push ecx
004E1F85 . 8D4C24 38 lea ecx, [esp+38]
004E1F89 . E8 207B0400 call <jmp.&MFC42.#535_CString::CString>
004E1F8E . 8B4424 34 mov eax, [esp+34]
004E1F92 . 33FF xor edi, edi
004E1F94 . C68424 C40301>mov byte ptr [esp+103C4], 28
004E1F9C . 8B48 F8 mov ecx, [eax-8]
004E1F9F . 85C9 test ecx, ecx
004E1FA1 . 7E 1A jle short 004E1FBD
004E1FA3 > 8A0438 mov al, [eax+edi]
004E1FA6 . 8D4C24 34 lea ecx, [esp+34]
004E1FAA . 34 62 xor al, 62
004E1FAC . 50 push eax
004E1FAD . 57 push edi
004E1FAE . E8 A1800400 call <jmp.&MFC42.#5856_CString::SetAt>
004E1FB3 . 8B4424 34 mov eax, [esp+34]
004E1FB7 . 47 inc edi
004E1FB8 . 3B78 F8 cmp edi, [eax-8]
004E1FBB .^ 7C E6 jl short 004E1FA3
004E1FBD > 8D5424 34 lea edx, [esp+34]
004E1FC1 . 8D4424 3C lea eax, [esp+3C]
004E1FC5 . 52 push edx
004E1FC6 . 8D4C24 60 lea ecx, [esp+60]
004E1FCA . 50 push eax
004E1FCB . 51 push ecx
004E1FCC . E8 BF7D0400 call <jmp.&MFC42.#922_operator+>
004E1FD1 . 6A 00 push 0 ; /pFileSystemNameSize = NULL
004E1FD3 . 8D9424 8C0000>lea edx, [esp+8C] ; |
004E1FDA . 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
004E1FDC . 8D8424 8C0000>lea eax, [esp+8C] ; |
004E1FE3 . 52 push edx ; |pFileSystemFlags
004E1FE4 . 8D8C24 8C0000>lea ecx, [esp+8C] ; |
004E1FEB . 50 push eax ; |pMaxFilenameLength
004E1FEC . 51 push ecx ; |pVolumeSerialNumber
004E1FED . 8D9424 D00200>lea edx, [esp+2D0] ; |
004E1FF4 . 68 FF000000 push 0FF ; |MaxVolumeNameSize = FF (255.)
004E1FF9 . 52 push edx ; |VolumeNameBuffer
004E1FFA . 68 B8995E00 push 005E99B8 ; |RootPathName = "c:\"
004E1FFF . C68424 E40301>mov byte ptr [esp+103E4], 29 ; |
004E2007 . FF15 84415A00 call [<&KERNEL32.GetVolumeInformationA>] ; \GetVolumeInformationA
004E200D . 8B8424 800000>mov eax, [esp+80]
004E2014 . 8BCE mov ecx, esi
004E2016 . 50 push eax
004E2017 . E8 F4060000 call 004E2710------>根据磁盘卷标号运算本地唯一码
======================================================================
注意函数call 004E2710,汇编代码很少,这里直接给出下边的高级语言代码,返回值保存在c1变量中,它是根据磁盘卷标号运算本地唯一码.
// Author's C rendering of the routine at 004E2710: derive the "local unique
// code" c1 from the C: volume serial number. Only the middle digit of the
// serial's decimal string is used as the result.
char ch1[256]; DWORD Len;DWORD dwIDESerial;DWORD fileformat;
// NOTE(review): the return value is not checked; on failure dwIDESerial is
// left uninitialized and the rest of the routine works on garbage.
GetVolumeInformation ("C:\\",ch1,256,&dwIDESerial,&Len,&fileformat,NULL,NULL);
CString st;
// %ld prints the DWORD serial as a signed decimal (it may come out negative).
st.Format("%ld",dwIDESerial); char xxx[256];
sprintf(xxx,"%s",(LPCTSTR)st);
BYTE BE=(BYTE)xxx[0];
int it1=0,it2=0;
// it1 = sum of every byte of the serial string (the 004E1F01 loop above).
if(BE)
{
for(int i=0;i<st.GetLength();i++)
{
BE=(BYTE)xxx[i];
//if(!BE)
//{
//break;
// }
it2=(BYTE)BE;
it1=it1+it2;
}
}
int len1=st.GetLength();
// cdq / sub / sar is the compiler's signed len1/2 (round toward zero);
// for the non-negative lengths seen here it is plain len1>>1.
_asm mov eax,len1;
_asm cdq;
_asm sub eax,edx;
_asm sar eax,1;
_asm mov len1,eax;
// c1 = the middle character of the decimal serial string (matches 004E1F20).
char c1=xxx[len1];
======================================================================
004E201C . 8D4C24 50 lea ecx, [esp+50]
004E2020 . 8BF8 mov edi, eax
004E2022 . E8 EF780400 call <jmp.&MFC42.#540_CString::CString>
004E2027 . 57 push edi
004E2028 . 8D4C24 54 lea ecx, [esp+54]
004E202C . 68 54925E00 push 005E9254
004E2031 . 51 push ecx
004E2032 . C68424 D00301>mov byte ptr [esp+103D0], 2A
004E203A . E8 9D790400 call <jmp.&MFC42.#2818_CString::Format>--->格式化整数
004E203F . 83C4 0C add esp, 0C
004E2042 . 8D4C24 68 lea ecx, [esp+68]
004E2046 . E8 637D0400 call <jmp.&MFC42.#354_CFile::CFile>--->建立文件类
004E204B . 66:8B15 D4AD5>mov dx, [5FADD4]
004E2052 . B9 40000000 mov ecx, 40
004E2057 . 33C0 xor eax, eax
004E2059 . 8DBC24 8E0000>lea edi, [esp+8E]
004E2060 . 66:899424 8C0>mov [esp+8C], dx
004E2068 . 68 04010000 push 104 ; /BufSize = 104 (260.)
004E206D . F3:AB rep stos dword ptr es:[edi] ; |
004E206F . 66:AB stos word ptr es:[edi] ; |
004E2071 . 8D8424 900000>lea eax, [esp+90] ; |
004E2078 . C68424 C80301>mov byte ptr [esp+103C8], 2B ; |
004E2080 . 50 push eax ; |Buffer
004E2081 . FF15 C4415A00 call [<&KERNEL32.GetWindowsDirectoryA>] ; \GetWindowsDirectoryA
004E2087 . 8D8C24 8C0000>lea ecx, [esp+8C]
004E208E . 51 push ecx
004E208F . 8D4C24 3C lea ecx, [esp+3C]
004E2093 . E8 E6790400 call <jmp.&MFC42.#537_CString::CString>
004E2098 . 68 48A75E00 push 005EA748 ; ASCII "\regmg.cfg"
004E209D . 8D5424 34 lea edx, [esp+34]
004E20A1 . 50 push eax
004E20A2 . 52 push edx
004E20A3 . C68424 D00301>mov byte ptr [esp+103D0], 2C
004E20AB . E8 DA790400 call <jmp.&MFC42.#924_operator+>
004E20B0 . 8B00 mov eax, [eax]
004E20B2 . 6A 00 push 0
004E20B4 . 6A 00 push 0
004E20B6 . 50 push eax
004E20B7 . 8D4C24 74 lea ecx, [esp+74]
004E20BB . C68424 D00301>mov byte ptr [esp+103D0], 2D
004E20C3 . E8 E07C0400 call <jmp.&MFC42.#5186_CFile::Open>------>打开文件regmg.cfg
004E20C8 . 85C0 test eax, eax
004E20CA . 8D4C24 30 lea ecx, [esp+30]
004E20CE . C68424 C40301>mov byte ptr [esp+103C4], 2C
004E20D6 . 0F944424 1F sete [esp+1F]
004E20DB . E8 18780400 call <jmp.&MFC42.#800_CString::~CString>
004E20E0 . 8D4C24 38 lea ecx, [esp+38]
004E20E4 . C68424 C40301>mov byte ptr [esp+103C4], 2B
004E20EC . E8 07780400 call <jmp.&MFC42.#800_CString::~CString>
004E20F1 . 8A4424 1F mov al, [esp+1F]
004E20F5 . 84C0 test al, al
004E20F7 . 74 7F je short 004E2178
004E20F9 . 8D4C24 2C lea ecx, [esp+2C]
004E20FD . E8 14780400 call <jmp.&MFC42.#540_CString::CString>
004E2102 . 8D4C24 28 lea ecx, [esp+28]
004E2106 . C68424 C40301>mov byte ptr [esp+103C4], 2E
004E210E . E8 03780400 call <jmp.&MFC42.#540_CString::CString>
004E2113 . 68 98020000 push 298
004E2118 . 8D4C24 30 lea ecx, [esp+30]
004E211C . C68424 C80301>mov byte ptr [esp+103C8], 2F
004E2124 . E8 37790400 call <jmp.&MFC42.#4160_CString::LoadStringA>
004E2129 . 68 99020000 push 299
004E212E . 8D4C24 2C lea ecx, [esp+2C]
004E2132 . E8 29790400 call <jmp.&MFC42.#4160_CString::LoadStringA>
004E2137 . 8B4424 28 mov eax, [esp+28]
004E213B . 8B4C24 2C mov ecx, [esp+2C]
004E213F . 6A 10 push 10
004E2141 . 50 push eax
004E2142 . 51 push ecx
004E2143 . 8BCE mov ecx, esi
004E2145 . E8 10790400 call <jmp.&MFC42.#4224_CWnd::MessageBoxA> --->文件错误报告!
004E214A . 8BCE mov ecx, esi
004E214C . E8 15790400 call <jmp.&MFC42.#4376_CDialog::OnCancel>
004E2151 . 8D4C24 28 lea ecx, [esp+28]
004E2155 . C68424 C40301>mov byte ptr [esp+103C4], 2E
004E215D . E8 96770400 call <jmp.&MFC42.#800_CString::~CString>
004E2162 . 8D4C24 2C lea ecx, [esp+2C]
004E2166 . C68424 C40301>mov byte ptr [esp+103C4], 2B
004E216E . E8 85770400 call <jmp.&MFC42.#800_CString::~CString>
004E2173 . E9 03040000 jmp 004E257B
004E2178 > 8D9424 900100>lea edx, [esp+190]
004E217F . 68 2C010000 push 12C
004E2184 . 52 push edx
004E2185 . 8D4C24 70 lea ecx, [esp+70]
004E2189 . E8 707D0400 call <jmp.&MFC42.#5442_CFile::Read>
004E218E . 8D4C24 68 lea ecx, [esp+68]
004E2192 . E8 0B7C0400 call <jmp.&MFC42.#1979_CFile::Close>
004E2197 . 8D8424 900100>lea eax, [esp+190]
004E219E . 8D4C24 30 lea ecx, [esp+30]
004E21A2 . 50 push eax
004E21A3 . E8 D6780400 call <jmp.&MFC42.#537_CString::CString>
004E21A8 . 8B28 mov ebp, [eax]
004E21AA . 8B7C24 5C mov edi, [esp+5C]
004E21AE > 8A0F mov cl, [edi]
004E21B0 . 8A55 00 mov dl, [ebp]
004E21B3 . 8AC1 mov al, cl
004E21B5 . 3ACA cmp cl, dl
004E21B7 . 75 1E jnz short 004E21D7
004E21B9 . 84C0 test al, al
004E21BB . 74 16 je short 004E21D3
004E21BD . 8A57 01 mov dl, [edi+1]
004E21C0 . 8A4D 01 mov cl, [ebp+1]
004E21C3 . 8AC2 mov al, dl
004E21C5 . 3AD1 cmp dl, cl
004E21C7 . 75 0E jnz short 004E21D7
004E21C9 . 83C7 02 add edi, 2
004E21CC . 83C5 02 add ebp, 2
004E21CF . 84C0 test al, al
004E21D1 .^ 75 DB jnz short 004E21AE
004E21D3 > 33C0 xor eax, eax
004E21D5 . EB 05 jmp short 004E21DC
004E21D7 > 1BC0 sbb eax, eax
004E21D9 . 83D8 FF sbb eax, -1
004E21DC > 85C0 test eax, eax
004E21DE . 8D4C24 30 lea ecx, [esp+30]
004E21E2 . 0F944424 1F sete [esp+1F]
004E21E7 . E8 0C770400 call <jmp.&MFC42.#800_CString::~CString>
004E21EC . 8A4424 1F mov al, [esp+1F]
004E21F0 . 84C0 test al, al
004E21F2 . 0F84 7C030000 je 004E2574
004E21F8 . 8D8424 8C0000>lea eax, [esp+8C]
004E21FF . 8D4C24 38 lea ecx, [esp+38]
004E2203 . 50 push eax
004E2204 . E8 75780400 call <jmp.&MFC42.#537_CString::CString>
.....整个算法基本完毕,之后重新启动程序验证吧.
004E2661 . 5F pop edi
004E2662 . 5E pop esi
004E2663 . 5D pop ebp
004E2664 . 5B pop ebx
004E2665 . 64:890D 00000>mov fs:[0], ecx
004E266C . 81C4 B8030100 add esp, 103B8
004E2672 . C3 retn
到这里粗略地分析完了,并没有在汉字文字描述上下工夫,算法这东东用计算机语言描述更直接些.所以最后直接给出高级语言代码:
写的很不健壮,多谢指教bug.
// Reference re-implementation of the registration-code computation traced
// above. The author states it is not a keygen: the unconditional `return 0`
// right after the banner means nothing below it ever executes. It is kept
// here only so the algorithm can be read in a high-level form.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
CString KeyStr,str1,str2,str3,str4,str5,str6,str7,str8,str9,str10;
// str26 is declared but never used in this function.
CString str11,str12,str13,str14,str15,str16,str17,str18,str19,str20,str21,str22,str23,str24,str25,str26;
char keycode[256];
cout<<"写的算法不健壮,多谢指教:=)不用运行我,我不是注册机.自己看代码分析。"<<endl;
// Deliberate early exit: everything after this line is unreachable.
return 0;
// NOTE(review): `cin>>` into a char[256] sets no width limit, so a line
// longer than 255 characters overruns keycode (stack buffer overflow).
cin>>keycode;// best fed a key shaped like qwertyuio-p[]asdfg@hjkl;'zxcvbnm,. because the flow below is not robust and will easily fault otherwise
KeyStr.Format("%s",keycode);
// Normalise the raw key: make sure a '-' sits at offset 0x18 and a '@' at
// 0x1B/0x1C, inserting them when the user did not type them. All Mid()
// offsets below assume the input is long enough; no length check is made.
str1=KeyStr.Mid(0,0x18);
if(KeyStr.Find('-')<0)
{
str1=str1+(CString)"-";
str2=KeyStr.Mid(0x18,3);
str1=str1+str2;
if(KeyStr.Find('@')<0)
{
str1=str1+(CString)"@";
str3=KeyStr.Mid(0x1B,5);
}
else
{
str3=KeyStr.Mid(0x1B,6);
}
}
else
{
str4=KeyStr.Mid(0x18,4);
str1=str1+str4;
if(KeyStr.Find('@')<0)
{
str1=str1+(CString)"@";
str3=KeyStr.Mid(0x1C,5);
}
else
{
str3=KeyStr.Mid(0x1C,6);
}
}
str1=str1+str3;
// Rebuild str5 from str1 character by character, forcing fixed positions to
// upper or lower case (the case pattern "P[]asdfG@hjkl;'ZxcvBNm,." seen at
// 004E1ECE).
str5=str1.Left(0xA);
str6=str1.Mid(0x0A,1);
str6.MakeUpper();
str5=str5+str6;
str7=str1.Mid(0x0B,1);
str7.MakeUpper();
str5=str5+str7;
str8=str1.Mid(0x0C,5);
str5=str5+str8;
str9=str1.Mid(0x11,1);
str9.MakeUpper();
str5=str5+str9;
str10=str1.Mid(0x12,1);
str10.MakeUpper();
str5=str5+str10;
str11=str1.Mid(0x13,5);
str5=str5+str11;
str12=str1.Mid(0x18,1);
str5=str5+str12;
str13=str1.Mid(0x19,1);
str13.MakeUpper();
str5=str5+str13;
str14=str1.Mid(0x1A,1);
str14.MakeLower();
str5=str5+str14;
str15=str1.Mid(0x1B,1);
str15.MakeLower();
str5=str5+str15;
str16=str1.Mid(0x1C,1);
str5=str5+str16;
str17=str1.Mid(0x1D,1);
str17.MakeUpper();
str5=str5+str17;
str18=str1.Mid(0x1E,1);
str18.MakeUpper();
str5=str5+str18;
str19=str1.Mid(0x1F,3);
str5=str5+str19;
// str20 = everything from offset 10 on; this is the string the checksum
// loops below work on.
str20=str5.Mid(0xA);
// str25 = five picked characters of str20, upper-cased. It is not referenced
// again in this function.
str21=str20.Mid(0x13,1);//B
str22=str20.Mid(0x0D,1);//;
str23=str20.Mid(0x8,1);//@
str24=str20.Mid(0x7,1);//G
str25= str20.Mid(0,1);//P
str25=str25+str24;
str25=str25+str23;
str25=str25+str22;
str25=str25+str21;
str25.MakeUpper();
char abc[256];
// NOTE(review): the CString object itself is passed for "%s" here, unlike the
// (LPCTSTR) cast used for `st` further down; it relies on CString's layout.
int len=sprintf(abc,"%s",str20);
BYTE BT=(BYTE)abc[0];
int a=0,bbb=0;
// bbb = sum of every byte of str20 (the 004E1F01 loop).
if(BT)
{
for(int i=0;i<str20.GetLength();i++)
{
a=(BYTE)abc[i];
bbb=a+bbb;
}
}
// len = len>>1. The traced code does cdq/sub/sar (signed divide by 2); the
// two only differ for a negative len, which sprintf does not return here.
_asm mov eax,len;
_asm sar eax,1;
_asm mov len,eax;
// ccc = middle character of str20 (004E1F20).
char ccc=abc[len];
BT=str20.GetAt(0);
int b=0;
// b = sum of the bytes at even offsets of str20 (the 004E1F29 loop, step 2).
if(BT)
{
int a=0;
for(int j=0;j<str20.GetLength();)
{
a=(BYTE)abc[j];
b=a+b;
j=j+2;
}
}
int bc;
// bc = (int)ln(bbb): fldln2 pushes ln2, fild pushes bbb, fyl2x leaves
// ln2*log2(bbb) = ln(bbb). Then the hand-copied _ftol sequence: the control
// word is saved at [ebp-2], rounding forced to truncate (or ah,0Ch), the
// value stored with fistp, and the low dword returned in eax.
// NOTE(review): `fldcw [ebp]` reloads the control word from the saved ebp
// slot, not from [ebp-2] where fstcw stored it; this looks like a
// transcription slip, so the original rounding mode is never restored.
_asm FLDLN2;
_asm FILD DWORD ptr bbb;
_asm fyl2x;
_asm push ebp
_asm mov ebp, esp
_asm sub esp, 0x0C
_asm fstcw [ebp-2];
_asm mov ax, [ebp-2];
_asm or ah, 0x0C;
_asm mov [ebp-4], ax;
_asm fldcw [ebp-4];
_asm fistp qword ptr [ebp-0x0C];
_asm fldcw [ebp];
_asm mov eax, [ebp-0x0C];
_asm mov edx, [ebp-8];
_asm leave;
_asm mov bc,eax;
// bc = (ln(bbb) + b) * ccc, as at 004E1F5B/004E1F5D; ccc is a signed char
// (the trace uses movsx).
bc=bc+b;//423
bc=bc*(int)ccc; //1c518
CString str123;
str123.Format("%ld",bc); //115992
// XOR every character of str20 with 0x62 (the SetAt loop at 004E1FA3).
// `len` is already halved at this point, so the guard only skips the loop
// for a string shorter than two characters.
if(len)
{
char ch='\0';
for(int i=0;i<str20.GetLength();i++)
{
ch=str20.GetAt(i);
ch=ch^0x62;
str20.SetAt(i,ch);
}
}
// str123 = decimal(bc) followed by the XORed key string.
str123=str123+str20;
// Second half: the machine-bound value derived from the C: volume serial
// (routine 004E2710). The GetVolumeInformation result is not checked, so on
// failure dwIDESerial is uninitialized.
char ch1[256]; DWORD Len;DWORD dwIDESerial;DWORD fileformat;
GetVolumeInformation("C:\\",ch1,256,&dwIDESerial,&Len,&fileformat,NULL,NULL);
CString st;
// %ld prints the DWORD as a signed decimal, hence the negative sample value.
st.Format("%ld",dwIDESerial); //-996758514
char xxx[256];
sprintf(xxx,"%s",(LPCTSTR)st);
BYTE BE=(BYTE)xxx[0];
int it1=0,it2=0;
// it1 = sum of every byte of the serial string.
if(BE)
{
for(int i=0;i<st.GetLength();i++)
{
BE=(BYTE)xxx[i];
//if(!BE)
//{
//break;
// }
it2=(BYTE)BE;
it1=it1+it2;
}
}
int len1=st.GetLength();
// len1 = len1/2 (signed, round toward zero); c1 = middle digit.
_asm mov eax,len1;
_asm cdq;
_asm sub eax,edx;
_asm sar eax,1;
_asm mov len1,eax;
char c1=xxx[len1];
BYTE BY=(BYTE)xxx[0];
int ac=0;
// ac = sum of the bytes at even offsets of the serial string. `b` from the
// first half is reused as scratch here; its earlier value was already
// consumed above.
if(BY)
{
for(int j=0;j<st.GetLength();)
{
BY=(BYTE)xxx[j];
b=(int)BY;
ac=ac+b;
j=j+2;
}
}
int re;
// re = (int)ln(it1) via the same fldln2/fild/fyl2x + _ftol sequence as
// above, with the same `fldcw [ebp]` vs [ebp-2] issue.
_asm FLDLN2;
_asm FILD DWORD ptr it1;
_asm fyl2x;
_asm push ebp
_asm mov ebp, esp
_asm sub esp, 0x0C
_asm fstcw [ebp-2];
_asm mov ax, [ebp-2];
_asm or ah, 0x0C;
_asm mov [ebp-4], ax;
_asm fldcw [ebp-4];
_asm fistp qword ptr [ebp-0x0C];
_asm fldcw [ebp];
_asm mov eax, [ebp-0x0C];
_asm mov edx, [ebp-8];
_asm leave;
_asm mov re,eax;
// re = (ln(it1) + ac) * c1; `res` is formatted but not used afterwards.
int in=(int)c1;
re=re+ac;
re=re*in;
CString res;
res.Format("%ld",re);
cout<<" 确认目录下regmg.cfg存在.不然做异常处理"<<endl;
CFile file;
// Opens "regmg.cfg" relative to the current directory; the traced binary
// opens it under the Windows directory (GetWindowsDirectoryA + "\regmg.cfg").
// Mode 0 is presumably CFile::modeRead — confirm against the MFC headers.
int bl=file.Open("regmg.cfg",0,0);
if(!bl)
{
cout<<"打开文件失败"<<endl;
return 0;
}
char fe[256];
// NOTE(review): fe holds 256 bytes but 0x12C (300) are requested, so a file
// of that size overruns the stack buffer. The byte count returned by Read
// is ignored and fe is never NUL-terminated, yet it is compared as a C
// string below.
file.Read(fe,0x12c);
bool bbbb;
bool xxxxx;
// Hand-copied string compare from 004E21AE. As transcribed it does not work:
// `[fe]`/`[fe+1]` and `[str123]`/`[str123+1]` are fixed addresses, so the
// `add edi,2` / `add ebp,2` never advance the comparison; `byte ptr [str123]`
// reads the first bytes of the CString object (its pointer field), not the
// characters; and when the first two bytes match and are non-zero the
// `jnz label3` loops forever. bbbb ends up 1 when eax==0, i.e. "equal".
label3: _asm mov cl, byte ptr [fe];
_asm mov dl, byte ptr [str123];
_asm mov al, cl;
_asm cmp cl, dl;
_asm jnz label1;
_asm test al, al
_asm je label2;
_asm mov dl, byte ptr [fe+1];
_asm mov cl, byte ptr [str123+1];
_asm mov al, dl;
_asm cmp dl, cl;
_asm jnz label1;
_asm add edi, 2;
_asm add ebp, 2;
_asm test al, al;
_asm jnz label3;
label2: _asm xor eax, eax;
_asm jmp label4;
label1: _asm sbb eax, eax;
_asm sbb eax, -1;
label4: _asm test eax, eax;
_asm sete byte ptr bbbb;
_asm mov al, byte ptr bbbb;
_asm mov byte ptr xxxxx,al ;
// NOTE(review): there is no `else` before the second block, so "成功" is
// printed on every path. In the trace the equal case (sete -> al=1) falls
// through to the success path at 004E21F8, so printing "失败" on xxxxx looks
// inverted as well — confirm which branch the author intended.
if(xxxxx)
{
cout<<"失败"<<endl;
}
{
cout<<"成功"<<endl;
}
return 1;
}