【破文标题】菜鸟maomaoma的算法练习破文八
【破文作者】maomaoma
【作者邮箱】
【作者主页】无
【破解工具】OD、PEiD
【破解平台】winxp
【软件名称】Photoplorer 3.01
【软件大小】1744KB
【原版下载】http://nj.onlinedown.net/soft/29508.htm
【保护方式】无
【软件简介】快速浏览照片、图片,以及管理、打印、电邮、查看数码相机里的照片的软件
【破解声明】我是菜鸟,学写破文,还请大侠多多指教:)
------------------------------------------------------------------------
【破解过程】
1、PEiD查主程序无壳,Microsoft Visual C++ 6.0 [Debug]编译
2、OD载入,ctrl+N在USER32.GetWindowTextA下断点,F9运行,几次中断后至合适断点,多次F8,向上翻来到以下代码处,删除所有断点,在0044C320处重新下断,F9运行,具体分析如下:
; ---------------------------------------------------------------------
; 0044C320 -- registration-dialog handler (32-bit x86, OllyDbg listing).
; ecx on entry is saved in [ebp-10] and reloaded into ecx before the calls
; to 0044B7A0 and 0044BEC0 further down -- presumably a thiscall `this`.
; This part installs the SEH frame, sets up three local objects and runs
; the call at 0044C373; validation only continues when that call returns 1.
; [ebp-4] is the slot filled by `push -1`; it is rewritten after each
; construct/destroy call -- presumably the compiler's EH state index.
; ---------------------------------------------------------------------
0044C320 /$ 55 push ebp ; function entry; the author's OllyDbg breakpoint lands here
0044C321 |. 8BEC mov ebp, esp
0044C323 |. 6A FF push -1 ; initial value of the slot later addressed as [ebp-4]
0044C325 |. 68 F6795200 push 005279F6 ; SE handler installation (handler at 005279F6)
0044C32A |. 64:A1 0000000>mov eax, fs:[0] ; current head of the SEH chain
0044C330 |. 50 push eax ; saved at [ebp-C], restored in the epilogue
0044C331 |. 64:8925 00000>mov fs:[0], esp ; link this frame into the chain
0044C338 |. 81EC 34030000 sub esp, 334 ; reserve 0x334 bytes of locals
0044C33E |. 53 push ebx
0044C33F |. 56 push esi
0044C340 |. 57 push edi
0044C341 |. 894D F0 mov [ebp-10], ecx ; keep the incoming ecx
0044C344 |. 6A 00 push 0
0044C346 |. 8D4D 8C lea ecx, [ebp-74]
0044C349 |. E8 02CBFCFF call 00418E50 ; presumably constructs the object at [ebp-74] (paired with 00418EF0 at 0044C5E5)
0044C34E |. C745 FC 00000>mov dword ptr [ebp-4], 0
0044C355 |. 8D4D 88 lea ecx, [ebp-78]
0044C358 |. E8 D372FCFF call 00413630 ; presumably constructs the string object at [ebp-78]
0044C35D |. C645 FC 01 mov byte ptr [ebp-4], 1
0044C361 |. 8D8D 24FDFFFF lea ecx, [ebp-2DC]
0044C367 |. E8 B410FFFF call 0043D420 ; presumably constructs the object at [ebp-2DC] (paired with 0043D4E0 at 0044C5CA)
0044C36C |. C645 FC 02 mov byte ptr [ebp-4], 2
0044C370 |. 8D4D 8C lea ecx, [ebp-74]
0044C373 |. E8 EC4F0B00 call 00501364 ; per the author: stepping over this call shows the prompt where user name and code are typed
0044C378 |. 83F8 01 cmp eax, 1
0044C37B |. 0F85 3F020000 jnz 0044C5C0 ; any result other than 1 skips validation and goes to cleanup
; ---------------------------------------------------------------------
; 0044C381..0044C404 -- the accept/reject decision.
; The entered code ([ebp-18]) is stored in the global at 005A0794, the
; name ([ebp-14]) is passed by value to 0044B7A0, and the string that
; 0044B7A0 returns is compared with [ebp-18] by 00448570. The byte result
; is kept in [ebp-2DD] and tested once.
; NOTE(review): the check derives the complete expected code inside the
; client and compares it with the input, so the expected value is readable
; in process memory and the decision is a single branch. Verifying a
; vendor signature with an embedded public key, or checking server-side,
; avoids exposing the expected value.
; ---------------------------------------------------------------------
0044C381 |. 8D45 E8 lea eax, [ebp-18]
0044C384 |. 50 push eax
0044C385 |. B9 94075A00 mov ecx, 005A0794 ; ASCII "8<?
0044C38A |. E8 60F20A00 call 004FB5EF ; presumably assigns [ebp-18] to the global string at 005A0794 -- TODO confirm
0044C38F |. C705 C4F95900>mov dword ptr [59F9C4], 0 ; clear the flag that 0044B7A0 tests before bumping the counter at 5A0798
0044C399 |. 8D45 E8 lea eax, [ebp-18]
0044C39C |. 50 push eax ; stays on the stack across 0044B7A0 (retn 8) and becomes the second argument of 00448570
0044C39D |. 51 push ecx ; reserves one dword: the by-value string argument for 0044B7A0
0044C39E |. 8BCC mov ecx, esp ; ecx = address of that reserved slot
0044C3A0 |. 89A5 1CFDFFFF mov [ebp-2E4], esp
0044C3A6 |. 8D55 EC lea edx, [ebp-14]
0044C3A9 |. 52 push edx
0044C3AA |. E8 7CEE0A00 call 004FB22B ; fetch user name (author's note); presumably copy-constructs [ebp-14] into the reserved slot
0044C3AF |. 8985 C8FCFFFF mov [ebp-338], eax ; ||
0044C3B5 |. 8D85 18FDFFFF lea eax, [ebp-2E8] ; ||
0044C3BB |. 50 push eax ; ||Arg1
0044C3BC |. 8B4D F0 mov ecx, [ebp-10] ; ||
0044C3BF |. E8 DCF3FFFF call 0044B7A0 ; |\key call (1) per the write-up: returns the expected code in [ebp-2E8]; listed at 0044B7A0
0044C3C4 |. 8985 C4FCFFFF mov [ebp-33C], eax ; |
0044C3CA |. 8B8D C4FCFFFF mov ecx, [ebp-33C] ; |
0044C3D0 |. 898D C0FCFFFF mov [ebp-340], ecx ; |
0044C3D6 |. C645 FC 03 mov byte ptr [ebp-4], 3 ; |
0044C3DA |. 8B95 C0FCFFFF mov edx, [ebp-340] ; |
0044C3E0 |. 52 push edx ; |Arg1
0044C3E1 |. E8 8AC1FFFF call 00448570 ; \expected-vs-entered code comparison; the author observes that the expected code is in memory in plaintext here
0044C3E6 |. 8885 23FDFFFF mov [ebp-2DD], al ; keep the byte-sized comparison result
0044C3EC |. C645 FC 02 mov byte ptr [ebp-4], 2
0044C3F0 |. 8D8D 18FDFFFF lea ecx, [ebp-2E8]
0044C3F6 |. E8 BBF00A00 call 004FB4B6 ; presumably destroys the temporary at [ebp-2E8]
0044C3FB |. 0FB685 23FDFF>movzx eax, byte ptr [ebp-2DD]
0044C402 |. 85C0 test eax, eax
0044C404 |. 0F84 C8000000 je 0044C4D2 ; zero result -> rejection path at 0044C4D2; the author marks this branch as the patch point
; ---------------------------------------------------------------------
; 0044C40A..0044C4CD -- path taken when the first comparison succeeded.
; Stores [ebp-14] and [ebp-18] in the globals 005A0790 / 005A0794, sets
; the byte at 59F9C0, shows the string at 00535B30 through 0050995B, then
; repeats the derive-and-compare sequence with 0044BEC0 in place of
; 0044B7A0. When that second comparison also succeeds, the format string
; at 00535B1C is expanded into [ebp-78] with [5A0790] as the first %s and
; [5A0794] as the second, i.e. 5A0790 holds the user name and 5A0794 the
; code.
; ---------------------------------------------------------------------
0044C40A |. 8D45 EC lea eax, [ebp-14]
0044C40D |. 50 push eax
0044C40E |. B9 90075A00 mov ecx, 005A0790
0044C413 |. E8 D7F10A00 call 004FB5EF ; presumably assigns the user name to the global at 005A0790
0044C418 |. 8D45 E8 lea eax, [ebp-18]
0044C41B |. 50 push eax
0044C41C |. B9 94075A00 mov ecx, 005A0794 ; ASCII "8<?
0044C421 |. E8 C9F10A00 call 004FB5EF ; presumably assigns the entered code to the global at 005A0794
0044C426 |. C605 C0F95900>mov byte ptr [59F9C0], 1 ; presumably the "registered" flag -- TODO confirm against its readers
0044C42D |. 6A 00 push 0 ; /Arg3 = 00000000
0044C42F |. 6A 00 push 0 ; |Arg2 = 00000000
0044C431 |. 68 305B5300 push 00535B30 ; |code accepted!\nthanks for registration.uninstall.exe,0uninstall.dll,0uninstall.tmp
0044C436 |. E8 20D50B00 call 0050995B ; \Photoplo.0050995B
0044C43B |. 6A 00 push 0
0044C43D |. E8 48650D00 call 0052298A ; purpose not visible in this listing
0044C442 |. 8D45 E8 lea eax, [ebp-18]
0044C445 |. 50 push eax ; second argument of the later 00448570 call
0044C446 |. 51 push ecx ; reserve the by-value string slot for 0044BEC0
0044C447 |. 8BCC mov ecx, esp
0044C449 |. 89A5 10FDFFFF mov [ebp-2F0], esp
0044C44F |. 8D55 EC lea edx, [ebp-14]
0044C452 |. 52 push edx
0044C453 |. E8 D3ED0A00 call 004FB22B ; presumably copy-constructs the user name into the reserved slot
0044C458 |. 8985 C8FCFFFF mov [ebp-338], eax ; ||
0044C45E |. 8D85 0CFDFFFF lea eax, [ebp-2F4] ; ||
0044C464 |. 50 push eax ; ||Arg1
0044C465 |. 8B4D F0 mov ecx, [ebp-10] ; ||
0044C468 |. E8 53FAFFFF call 0044BEC0 ; |\Photoplo.0044BEC0
0044C46D |. 8985 C4FCFFFF mov [ebp-33C], eax ; |
0044C473 |. 8B8D C4FCFFFF mov ecx, [ebp-33C] ; |
0044C479 |. 898D C0FCFFFF mov [ebp-340], ecx ; |
0044C47F |. C645 FC 04 mov byte ptr [ebp-4], 4 ; |
0044C483 |. 8B95 C0FCFFFF mov edx, [ebp-340] ; |
0044C489 |. 52 push edx ; |Arg1
0044C48A |. E8 E1C0FFFF call 00448570 ; \Photoplo.00448570
0044C48F |. 8885 17FDFFFF mov [ebp-2E9], al ; result of the second comparison
0044C495 |. C645 FC 02 mov byte ptr [ebp-4], 2
0044C499 |. 8D8D 0CFDFFFF lea ecx, [ebp-2F4]
0044C49F |. E8 12F00A00 call 004FB4B6 ; presumably destroys the temporary at [ebp-2F4]
0044C4A4 |. 0FB685 17FDFF>movzx eax, byte ptr [ebp-2E9]
0044C4AB |. 85C0 test eax, eax
0044C4AD |. 74 1E je short 0044C4CD ; second comparison failed -> skip the formatting step
0044C4AF |. A1 94075A00 mov eax, [5A0794]
0044C4B4 |. 50 push eax ; value for the second %s (code)
0044C4B5 |. 8B0D 90075A00 mov ecx, [5A0790]
0044C4BB |. 51 push ecx ; value for the first %s (user)
0044C4BC |. 68 1C5B5300 push 00535B1C ; user=[%s] code=[%s]code accepted!\nthanks for registration.uninstall.exe,0uninstall.dll,0uninstall.tmp
0044C4C1 |. 8D55 88 lea edx, [ebp-78]
0044C4C4 |. 52 push edx ; destination string object
0044C4C5 |. E8 A3950A00 call 004F5A6D ; presumably a printf-style formatter writing into [ebp-78]
0044C4CA |. 83C4 10 add esp, 10 ; caller removes the four pushed dwords
0044C4CD |> E9 EE000000 jmp 0044C5C0 ; join the common cleanup
; ---------------------------------------------------------------------
; 0044C4D2..0044C5BB -- rejection path (target of the je at 0044C404).
; The message is assembled one character at a time in the string object
; at [ebp-78]: 004F5067 receives the first character and 004FB8B9 every
; later one -- presumably "assign char" and "append char". The pushed
; bytes spell "The code is not valid!". The text is then shown through
; 0050995B, the same routine used for the "code accepted" message.
; ---------------------------------------------------------------------
0044C4D2 |> 6A 54 push 54 ; 'T'
0044C4D4 |. 8D4D 88 lea ecx, [ebp-78] ; ecx = message string object
0044C4D7 |. E8 8B8B0A00 call 004F5067 ; first character
0044C4DC |. 6A 68 push 68 ; 'h'
0044C4DE |. 8D4D 88 lea ecx, [ebp-78]
0044C4E1 |. E8 D3F30A00 call 004FB8B9 ; following characters
0044C4E6 |. 6A 65 push 65 ; 'e'
0044C4E8 |. 8D4D 88 lea ecx, [ebp-78]
0044C4EB |. E8 C9F30A00 call 004FB8B9
0044C4F0 |. 6A 20 push 20 ; ' ' (space)
0044C4F2 |. 8D4D 88 lea ecx, [ebp-78]
0044C4F5 |. E8 BFF30A00 call 004FB8B9
0044C4FA |. 6A 63 push 63 ; 'c'
0044C4FC |. 8D4D 88 lea ecx, [ebp-78]
0044C4FF |. E8 B5F30A00 call 004FB8B9
0044C504 |. 6A 6F push 6F ; 'o'
0044C506 |. 8D4D 88 lea ecx, [ebp-78]
0044C509 |. E8 ABF30A00 call 004FB8B9
0044C50E |. 6A 64 push 64 ; 'd'
0044C510 |. 8D4D 88 lea ecx, [ebp-78]
0044C513 |. E8 A1F30A00 call 004FB8B9
0044C518 |. 6A 65 push 65 ; 'e'
0044C51A |. 8D4D 88 lea ecx, [ebp-78]
0044C51D |. E8 97F30A00 call 004FB8B9
0044C522 |. 6A 20 push 20 ; ' ' (space)
0044C524 |. 8D4D 88 lea ecx, [ebp-78]
0044C527 |. E8 8DF30A00 call 004FB8B9
0044C52C |. 6A 69 push 69 ; 'i'
0044C52E |. 8D4D 88 lea ecx, [ebp-78]
0044C531 |. E8 83F30A00 call 004FB8B9
0044C536 |. 6A 73 push 73 ; 's'
0044C538 |. 8D4D 88 lea ecx, [ebp-78]
0044C53B |. E8 79F30A00 call 004FB8B9
0044C540 |. 6A 20 push 20 ; ' ' (space)
0044C542 |. 8D4D 88 lea ecx, [ebp-78]
0044C545 |. E8 6FF30A00 call 004FB8B9
0044C54A |. 6A 6E push 6E ; 'n'
0044C54C |. 8D4D 88 lea ecx, [ebp-78]
0044C54F |. E8 65F30A00 call 004FB8B9
0044C554 |. 6A 6F push 6F ; 'o'
0044C556 |. 8D4D 88 lea ecx, [ebp-78]
0044C559 |. E8 5BF30A00 call 004FB8B9
0044C55E |. 6A 74 push 74 ; 't'
0044C560 |. 8D4D 88 lea ecx, [ebp-78]
0044C563 |. E8 51F30A00 call 004FB8B9
0044C568 |. 6A 20 push 20 ; ' ' (space)
0044C56A |. 8D4D 88 lea ecx, [ebp-78]
0044C56D |. E8 47F30A00 call 004FB8B9
0044C572 |. 6A 76 push 76 ; 'v'
0044C574 |. 8D4D 88 lea ecx, [ebp-78]
0044C577 |. E8 3DF30A00 call 004FB8B9
0044C57C |. 6A 61 push 61 ; 'a'
0044C57E |. 8D4D 88 lea ecx, [ebp-78]
0044C581 |. E8 33F30A00 call 004FB8B9
0044C586 |. 6A 6C push 6C ; 'l'
0044C588 |. 8D4D 88 lea ecx, [ebp-78]
0044C58B |. E8 29F30A00 call 004FB8B9
0044C590 |. 6A 69 push 69 ; 'i'
0044C592 |. 8D4D 88 lea ecx, [ebp-78]
0044C595 |. E8 1FF30A00 call 004FB8B9
0044C59A |. 6A 64 push 64 ; 'd'
0044C59C |. 8D4D 88 lea ecx, [ebp-78]
0044C59F |. E8 15F30A00 call 004FB8B9
0044C5A4 |. 6A 21 push 21 ; '!'
0044C5A6 |. 8D4D 88 lea ecx, [ebp-78]
0044C5A9 |. E8 0BF30A00 call 004FB8B9
0044C5AE |. 6A 00 push 0 ; presumably the third argument of 0050995B (same shape as the call at 0044C436)
0044C5B0 |. 6A 00 push 0 ; presumably the second argument of 0050995B
0044C5B2 |. 8D4D 88 lea ecx, [ebp-78]
0044C5B5 |. E8 767CFCFF call 00414230 ; presumably returns the character pointer of the string at [ebp-78]
0044C5BA |. 50 push eax ; |Arg1
0044C5BB |. E8 9BD30B00 call 0050995B ; \Photoplo.0050995B
; ---------------------------------------------------------------------
; 0044C5C0..0044C5FA -- common exit of 0044C320, reached from the early
; jnz at 0044C37B, from the accepted path and by falling through from the
; rejection path. The three locals set up in the prologue are released in
; reverse order, [ebp-4] is stepped back to -1, the saved SEH link is
; restored and the function returns with a plain retn (no stack arguments
; are removed).
; ---------------------------------------------------------------------
0044C5C0 |> C645 FC 01 mov byte ptr [ebp-4], 1
0044C5C4 |. 8D8D 24FDFFFF lea ecx, [ebp-2DC]
0044C5CA |. E8 110FFFFF call 0043D4E0 ; presumably destroys the object at [ebp-2DC]
0044C5CF |. C645 FC 00 mov byte ptr [ebp-4], 0
0044C5D3 |. 8D4D 88 lea ecx, [ebp-78]
0044C5D6 |. E8 DBEE0A00 call 004FB4B6 ; presumably destroys the message string at [ebp-78]
0044C5DB |. C745 FC FFFFF>mov dword ptr [ebp-4], -1 ; back to the value pushed in the prologue
0044C5E2 |. 8D4D 8C lea ecx, [ebp-74]
0044C5E5 |. E8 06C9FCFF call 00418EF0 ; presumably destroys the object at [ebp-74]
0044C5EA |. 8B4D F4 mov ecx, [ebp-C] ; previous SEH chain head saved by the prologue
0044C5ED |. 64:890D 00000>mov fs:[0], ecx ; unlink this frame
0044C5F4 |. 5F pop edi
0044C5F5 |. 5E pop esi
0044C5F6 |. 5B pop ebx
0044C5F7 |. 8BE5 mov esp, ebp
0044C5F9 |. 5D pop ebp
0044C5FA \. C3 retn
算法call(1):
; ---------------------------------------------------------------------
; 0044B7A0 -- "key call (1)" of the write-up. Stack arguments as used by
; the body (the function ends with retn 8, i.e. two dwords):
;   [ebp+8]  pointer to the caller's result slot; loaded into eax before
;            every jump to the exit at 0044BEAD
;   [ebp+C]  a string object passed by value (the user name per the caller)
; ecx on entry is kept in [ebp-10] and handed on to 0044C0E0 / 0044BEC0.
; [ebp-28] starts at 0 and has bit 0 set once the result slot is filled.
; ---------------------------------------------------------------------
0044B7A0 /$ 55 push ebp
0044B7A1 |. 8BEC mov ebp, esp
0044B7A3 |. 6A FF push -1 ; initial value of the slot later addressed as [ebp-4]
0044B7A5 |. 68 2B795200 push 0052792B ; SE handler installation (handler at 0052792B)
0044B7AA |. 64:A1 0000000>mov eax, fs:[0] ; current head of the SEH chain
0044B7B0 |. 50 push eax
0044B7B1 |. 64:8925 00000>mov fs:[0], esp ; link this frame into the chain
0044B7B8 |. 83EC 68 sub esp, 68 ; reserve 0x68 bytes of locals
0044B7BB |. 53 push ebx
0044B7BC |. 56 push esi
0044B7BD |. 57 push edi
0044B7BE |. 894D F0 mov [ebp-10], ecx ; keep the incoming ecx
0044B7C1 |. C745 D8 00000>mov dword ptr [ebp-28], 0 ; "result constructed" flag starts cleared
0044B7C8 |. C745 FC 01000>mov dword ptr [ebp-4], 1
0044B7CF |. 8D4D EC lea ecx, [ebp-14]
0044B7D2 |. E8 597EFCFF call 00413630 ; presumably constructs the local string at [ebp-14]; author's note: from here to 0044B866 blacklisted user names are filtered out
0044B7D7 |. C645 FC 02 mov byte ptr [ebp-4], 2
; ---------------------------------------------------------------------
; 0044B7DB..0044B861 -- name blacklist.
; Six times in a row the by-value string at [ebp+C] and one constant
; string are passed to 00414250 and the byte result in al is tested.
; Any non-zero result jumps to 0044B85F, which calls 004DE637 with 0;
; only when all six results are zero does execution go to 0044B866.
; The constants shown by OllyDbg are names associated with code-sharing
; sites and groups. What 00414250 tests exactly (equality or substring)
; and what 004DE637 does are not visible in this listing.
; NOTE(review): the list is stored as plaintext string constants, so it is
; visible to anyone inspecting the binary.
; ---------------------------------------------------------------------
0044B7DB |. 68 045B5300 push 00535B04 ; /cre@k
0044B7E0 |. 8D45 0C lea eax, [ebp+C] ; |
0044B7E3 |. 50 push eax ; |Arg1
0044B7E4 |. E8 678AFCFF call 00414250 ; \Photoplo.00414250
0044B7E9 |. 33C9 xor ecx, ecx
0044B7EB |. 8AC8 mov cl, al ; ecx = zero-extended byte result
0044B7ED |. 85C9 test ecx, ecx
0044B7EF |. 75 6E jnz short 0044B85F ; match -> blacklist handling
0044B7F1 |. 68 F45A5300 push 00535AF4 ; /freeserials.netcre@k
0044B7F6 |. 8D45 0C lea eax, [ebp+C] ; |
0044B7F9 |. 50 push eax ; |Arg1
0044B7FA |. E8 518AFCFF call 00414250 ; \Photoplo.00414250
0044B7FF |. 33C9 xor ecx, ecx
0044B801 |. 8AC8 mov cl, al
0044B803 |. 85C9 test ecx, ecx
0044B805 |. 75 58 jnz short 0044B85F
0044B807 |. 68 E85A5300 push 00535AE8 ; /team zwt
0044B80C |. 8D45 0C lea eax, [ebp+C] ; |
0044B80F |. 50 push eax ; |Arg1
0044B810 |. E8 3B8AFCFF call 00414250 ; \Photoplo.00414250
0044B815 |. 33C9 xor ecx, ecx
0044B817 |. 8AC8 mov cl, al
0044B819 |. 85C9 test ecx, ecx
0044B81B |. 75 42 jnz short 0044B85F
0044B81D |. 68 D05A5300 push 00535AD0 ; /www.crackzplanet.com
0044B822 |. 8D45 0C lea eax, [ebp+C] ; |
0044B825 |. 50 push eax ; |Arg1
0044B826 |. E8 258AFCFF call 00414250 ; \Photoplo.00414250
0044B82B |. 33C9 xor ecx, ecx
0044B82D |. 8AC8 mov cl, al
0044B82F |. 85C9 test ecx, ecx
0044B831 |. 75 2C jnz short 0044B85F
0044B833 |. 68 C05A5300 push 00535AC0 ; /www.2baksa.net
0044B838 |. 8D45 0C lea eax, [ebp+C] ; |
0044B83B |. 50 push eax ; |Arg1
0044B83C |. E8 0F8AFCFF call 00414250 ; \Photoplo.00414250
0044B841 |. 33C9 xor ecx, ecx
0044B843 |. 8AC8 mov cl, al
0044B845 |. 85C9 test ecx, ecx
0044B847 |. 75 16 jnz short 0044B85F
0044B849 |. 68 B45A5300 push 00535AB4 ; /www.nowa.ruwww.2baksa.net
0044B84E |. 8D45 0C lea eax, [ebp+C] ; |
0044B851 |. 50 push eax ; |Arg1
0044B852 |. E8 F989FCFF call 00414250 ; \Photoplo.00414250
0044B857 |. 33C9 xor ecx, ecx
0044B859 |. 8AC8 mov cl, al
0044B85B |. 85C9 test ecx, ecx
0044B85D |. 74 07 je short 0044B866 ; last entry did not match -> continue with the derivation
0044B85F |> 6A 00 push 0
0044B861 |. E8 D12D0900 call 004DE637 ; reached only on a blacklist match; effect not shown here -- TODO confirm
; ---------------------------------------------------------------------
; 0044B866..0044B8BD -- first derivation and comparison.
; The string at [ebp+C] is passed by value to 0044C0E0, whose result
; (temporary at [ebp-1C]) is stored in the local string [ebp-14]. That
; local is then compared with the global at 005A0794 by 00448570. The
; caller stored the entered code in 005A0794 (see 0044C385), so this
; tests "entered code == output of 0044C0E0".
; ---------------------------------------------------------------------
0044B866 |> 51 push ecx ; reserve one dword: the by-value string argument for 0044C0E0
0044B867 |. 8BCC mov ecx, esp ; ecx = address of that slot
0044B869 |. 8965 E8 mov [ebp-18], esp
0044B86C |. 8D45 0C lea eax, [ebp+C]
0044B86F |. 50 push eax
0044B870 |. E8 B6F90A00 call 004FB22B ; presumably copy-constructs [ebp+C] into the reserved slot
0044B875 |. 8945 94 mov [ebp-6C], eax ; |
0044B878 |. 8D4D E4 lea ecx, [ebp-1C] ; |
0044B87B |. 51 push ecx ; |Arg1
0044B87C |. 8B4D F0 mov ecx, [ebp-10] ; |
0044B87F |. E8 5C080000 call 0044C0E0 ; \algorithm call (2) per the write-up ("true code 1"); listed at 0044C0E0
0044B884 |. 8945 90 mov [ebp-70], eax
0044B887 |. 8B55 90 mov edx, [ebp-70]
0044B88A |. 8955 8C mov [ebp-74], edx
0044B88D |. C645 FC 03 mov byte ptr [ebp-4], 3
0044B891 |. 8B45 8C mov eax, [ebp-74]
0044B894 |. 50 push eax
0044B895 |. 8D4D EC lea ecx, [ebp-14]
0044B898 |. E8 52FD0A00 call 004FB5EF ; presumably assigns the returned string to [ebp-14]
0044B89D |. C645 FC 02 mov byte ptr [ebp-4], 2
0044B8A1 |. 8D4D E4 lea ecx, [ebp-1C]
0044B8A4 |. E8 0DFC0A00 call 004FB4B6 ; presumably destroys the temporary at [ebp-1C]
0044B8A9 |. 68 94075A00 push 005A0794 ; /Arg2 = 005A0794 ASCII "8<?
0044B8AE |. 8D45 EC lea eax, [ebp-14] ; |
0044B8B1 |. 50 push eax ; |Arg1
0044B8B2 |. E8 B9CCFFFF call 00448570 ; \expected-vs-entered code comparison call
0044B8B7 |. 33C9 xor ecx, ecx
0044B8B9 |. 8AC8 mov cl, al ; ecx = zero-extended byte result
0044B8BB |. 85C9 test ecx, ecx
0044B8BD |. 0F84 77050000 je 0044BE3A ; no match -> second derivation at 0044BE3A
; ---------------------------------------------------------------------
; 0044B8C3..0044B91C -- entered code equals the output of 0044C0E0 and the
; counter at 5A0798 is still below 0x1E (30).
; The counter is incremented at most once per validation attempt: the
; flag at 59F9C4 is cleared by the caller (0044C38F) and set here on the
; first pass. The local string [ebp-14] is then copied into the caller's
; result slot and the function leaves through 0044BEAD.
; NOTE(review): where 5A0798 is loaded from and persisted is not visible
; in this listing.
; ---------------------------------------------------------------------
0044B8C3 |. 833D 98075A00>cmp dword ptr [5A0798], 1E ; counter vs 0x1E (30)
0044B8CA |. 7D 55 jge short 0044B921 ; signed >= 30 -> "new code required" path
0044B8CC |. 833D C4F95900>cmp dword ptr [59F9C4], 0
0044B8D3 |. 75 17 jnz short 0044B8EC ; already counted during this attempt
0044B8D5 |. C705 C4F95900>mov dword ptr [59F9C4], 1
0044B8DF |. A1 98075A00 mov eax, [5A0798]
0044B8E4 |. 83C0 01 add eax, 1
0044B8E7 |. A3 98075A00 mov [5A0798], eax ; counter += 1
0044B8EC |> 8D45 EC lea eax, [ebp-14]
0044B8EF |. 50 push eax
0044B8F0 |. 8B4D 08 mov ecx, [ebp+8]
0044B8F3 |. E8 33F90A00 call 004FB22B ; presumably copy-constructs [ebp-14] into the result slot at [ebp+8]
0044B8F8 |. 8B4D D8 mov ecx, [ebp-28]
0044B8FB |. 83C9 01 or ecx, 1
0044B8FE |. 894D D8 mov [ebp-28], ecx ; mark the result slot as filled
0044B901 |. C645 FC 01 mov byte ptr [ebp-4], 1
0044B905 |. 8D4D EC lea ecx, [ebp-14]
0044B908 |. E8 A9FB0A00 call 004FB4B6 ; presumably destroys the local at [ebp-14]
0044B90D |. C645 FC 00 mov byte ptr [ebp-4], 0
0044B911 |. 8D4D 0C lea ecx, [ebp+C]
0044B914 |. E8 9DFB0A00 call 004FB4B6 ; presumably destroys the by-value argument at [ebp+C]
0044B919 |. 8B45 08 mov eax, [ebp+8] ; return value = pointer to the result slot
0044B91C |. E9 8C050000 jmp 0044BEAD
; ---------------------------------------------------------------------
; 0044B921..0044BB10 -- entered code equals the output of 0044C0E0 but the
; counter at 5A0798 has reached 0x1E (30).
; If the flag at 59F9C4 is already set the message is skipped (jump to
; 0044BE07). Otherwise the flag is set, the counter is incremented and a
; message is assembled character by character in [ebp-14]: 004F5067 takes
; the first character, 004FB8B9 each later one -- presumably "assign
; char" / "append char". The bytes pushed in this range spell
; "This version requires a new registration code" followed by a line
; feed; the build continues at 0044BB11.
; ---------------------------------------------------------------------
0044B921 |> 833D C4F95900>cmp dword ptr [59F9C4], 0
0044B928 |. 0F85 D9040000 jnz 0044BE07 ; already handled during this attempt -> skip the message
0044B92E |. C705 C4F95900>mov dword ptr [59F9C4], 1
0044B938 |. A1 98075A00 mov eax, [5A0798]
0044B93D |. 83C0 01 add eax, 1
0044B940 |. A3 98075A00 mov [5A0798], eax ; counter += 1
0044B945 |. 6A 54 push 54 ; 'T'
0044B947 |. 8D4D EC lea ecx, [ebp-14] ; ecx = message string object
0044B94A |. E8 18970A00 call 004F5067 ; first character
0044B94F |. 6A 68 push 68 ; 'h'
0044B951 |. 8D4D EC lea ecx, [ebp-14]
0044B954 |. E8 60FF0A00 call 004FB8B9 ; following characters
0044B959 |. 6A 69 push 69 ; 'i'
0044B95B |. 8D4D EC lea ecx, [ebp-14]
0044B95E |. E8 56FF0A00 call 004FB8B9
0044B963 |. 6A 73 push 73 ; 's'
0044B965 |. 8D4D EC lea ecx, [ebp-14]
0044B968 |. E8 4CFF0A00 call 004FB8B9
0044B96D |. 6A 20 push 20 ; ' ' (space)
0044B96F |. 8D4D EC lea ecx, [ebp-14]
0044B972 |. E8 42FF0A00 call 004FB8B9
0044B977 |. 6A 76 push 76 ; 'v'
0044B979 |. 8D4D EC lea ecx, [ebp-14]
0044B97C |. E8 38FF0A00 call 004FB8B9
0044B981 |. 6A 65 push 65 ; 'e'
0044B983 |. 8D4D EC lea ecx, [ebp-14]
0044B986 |. E8 2EFF0A00 call 004FB8B9
0044B98B |. 6A 72 push 72 ; 'r'
0044B98D |. 8D4D EC lea ecx, [ebp-14]
0044B990 |. E8 24FF0A00 call 004FB8B9
0044B995 |. 6A 73 push 73 ; 's'
0044B997 |. 8D4D EC lea ecx, [ebp-14]
0044B99A |. E8 1AFF0A00 call 004FB8B9
0044B99F |. 6A 69 push 69 ; 'i'
0044B9A1 |. 8D4D EC lea ecx, [ebp-14]
0044B9A4 |. E8 10FF0A00 call 004FB8B9
0044B9A9 |. 6A 6F push 6F ; 'o'
0044B9AB |. 8D4D EC lea ecx, [ebp-14]
0044B9AE |. E8 06FF0A00 call 004FB8B9
0044B9B3 |. 6A 6E push 6E ; 'n'
0044B9B5 |. 8D4D EC lea ecx, [ebp-14]
0044B9B8 |. E8 FCFE0A00 call 004FB8B9
0044B9BD |. 6A 20 push 20 ; ' ' (space)
0044B9BF |. 8D4D EC lea ecx, [ebp-14]
0044B9C2 |. E8 F2FE0A00 call 004FB8B9
0044B9C7 |. 6A 72 push 72 ; 'r'
0044B9C9 |. 8D4D EC lea ecx, [ebp-14]
0044B9CC |. E8 E8FE0A00 call 004FB8B9
0044B9D1 |. 6A 65 push 65 ; 'e'
0044B9D3 |. 8D4D EC lea ecx, [ebp-14]
0044B9D6 |. E8 DEFE0A00 call 004FB8B9
0044B9DB |. 6A 71 push 71 ; 'q'
0044B9DD |. 8D4D EC lea ecx, [ebp-14]
0044B9E0 |. E8 D4FE0A00 call 004FB8B9
0044B9E5 |. 6A 75 push 75 ; 'u'
0044B9E7 |. 8D4D EC lea ecx, [ebp-14]
0044B9EA |. E8 CAFE0A00 call 004FB8B9
0044B9EF |. 6A 69 push 69 ; 'i'
0044B9F1 |. 8D4D EC lea ecx, [ebp-14]
0044B9F4 |. E8 C0FE0A00 call 004FB8B9
0044B9F9 |. 6A 72 push 72 ; 'r'
0044B9FB |. 8D4D EC lea ecx, [ebp-14]
0044B9FE |. E8 B6FE0A00 call 004FB8B9
0044BA03 |. 6A 65 push 65 ; 'e'
0044BA05 |. 8D4D EC lea ecx, [ebp-14]
0044BA08 |. E8 ACFE0A00 call 004FB8B9
0044BA0D |. 6A 73 push 73 ; 's'
0044BA0F |. 8D4D EC lea ecx, [ebp-14]
0044BA12 |. E8 A2FE0A00 call 004FB8B9
0044BA17 |. 6A 20 push 20 ; ' ' (space)
0044BA19 |. 8D4D EC lea ecx, [ebp-14]
0044BA1C |. E8 98FE0A00 call 004FB8B9
0044BA21 |. 6A 61 push 61 ; 'a'
0044BA23 |. 8D4D EC lea ecx, [ebp-14]
0044BA26 |. E8 8EFE0A00 call 004FB8B9
0044BA2B |. 6A 20 push 20 ; ' ' (space)
0044BA2D |. 8D4D EC lea ecx, [ebp-14]
0044BA30 |. E8 84FE0A00 call 004FB8B9
0044BA35 |. 6A 6E push 6E ; 'n'
0044BA37 |. 8D4D EC lea ecx, [ebp-14]
0044BA3A |. E8 7AFE0A00 call 004FB8B9
0044BA3F |. 6A 65 push 65 ; 'e'
0044BA41 |. 8D4D EC lea ecx, [ebp-14]
0044BA44 |. E8 70FE0A00 call 004FB8B9
0044BA49 |. 6A 77 push 77 ; 'w'
0044BA4B |. 8D4D EC lea ecx, [ebp-14]
0044BA4E |. E8 66FE0A00 call 004FB8B9
0044BA53 |. 6A 20 push 20 ; ' ' (space)
0044BA55 |. 8D4D EC lea ecx, [ebp-14]
0044BA58 |. E8 5CFE0A00 call 004FB8B9
0044BA5D |. 6A 72 push 72 ; 'r'
0044BA5F |. 8D4D EC lea ecx, [ebp-14]
0044BA62 |. E8 52FE0A00 call 004FB8B9
0044BA67 |. 6A 65 push 65 ; 'e'
0044BA69 |. 8D4D EC lea ecx, [ebp-14]
0044BA6C |. E8 48FE0A00 call 004FB8B9
0044BA71 |. 6A 67 push 67 ; 'g'
0044BA73 |. 8D4D EC lea ecx, [ebp-14]
0044BA76 |. E8 3EFE0A00 call 004FB8B9
0044BA7B |. 6A 69 push 69 ; 'i'
0044BA7D |. 8D4D EC lea ecx, [ebp-14]
0044BA80 |. E8 34FE0A00 call 004FB8B9
0044BA85 |. 6A 73 push 73 ; 's'
0044BA87 |. 8D4D EC lea ecx, [ebp-14]
0044BA8A |. E8 2AFE0A00 call 004FB8B9
0044BA8F |. 6A 74 push 74 ; 't'
0044BA91 |. 8D4D EC lea ecx, [ebp-14]
0044BA94 |. E8 20FE0A00 call 004FB8B9
0044BA99 |. 6A 72 push 72 ; 'r'
0044BA9B |. 8D4D EC lea ecx, [ebp-14]
0044BA9E |. E8 16FE0A00 call 004FB8B9
0044BAA3 |. 6A 61 push 61 ; 'a'
0044BAA5 |. 8D4D EC lea ecx, [ebp-14]
0044BAA8 |. E8 0CFE0A00 call 004FB8B9
0044BAAD |. 6A 74 push 74 ; 't'
0044BAAF |. 8D4D EC lea ecx, [ebp-14]
0044BAB2 |. E8 02FE0A00 call 004FB8B9
0044BAB7 |. 6A 69 push 69 ; 'i'
0044BAB9 |. 8D4D EC lea ecx, [ebp-14]
0044BABC |. E8 F8FD0A00 call 004FB8B9
0044BAC1 |. 6A 6F push 6F ; 'o'
0044BAC3 |. 8D4D EC lea ecx, [ebp-14]
0044BAC6 |. E8 EEFD0A00 call 004FB8B9
0044BACB |. 6A 6E push 6E ; 'n'
0044BACD |. 8D4D EC lea ecx, [ebp-14]
0044BAD0 |. E8 E4FD0A00 call 004FB8B9
0044BAD5 |. 6A 20 push 20 ; ' ' (space)
0044BAD7 |. 8D4D EC lea ecx, [ebp-14]
0044BADA |. E8 DAFD0A00 call 004FB8B9
0044BADF |. 6A 63 push 63 ; 'c'
0044BAE1 |. 8D4D EC lea ecx, [ebp-14]
0044BAE4 |. E8 D0FD0A00 call 004FB8B9
0044BAE9 |. 6A 6F push 6F ; 'o'
0044BAEB |. 8D4D EC lea ecx, [ebp-14]
0044BAEE |. E8 C6FD0A00 call 004FB8B9
0044BAF3 |. 6A 64 push 64 ; 'd'
0044BAF5 |. 8D4D EC lea ecx, [ebp-14]
0044BAF8 |. E8 BCFD0A00 call 004FB8B9
0044BAFD |. 6A 65 push 65 ; 'e'
0044BAFF |. 8D4D EC lea ecx, [ebp-14]
0044BB02 |. E8 B2FD0A00 call 004FB8B9
0044BB07 |. 6A 0A push 0A ; '\n' (line feed)
0044BB09 |. 8D4D EC lea ecx, [ebp-14]
0044BB0C |. E8 A8FD0A00 call 004FB8B9
; ---------------------------------------------------------------------
; 0044BB11..0044BD22 -- second line of the message being assembled in the
; string object at [ebp-14]; every character goes through 004FB8B9
; (presumably "append char"). The pushed bytes spell
; "Mail to <e-mail address> to get your new code" followed by a line
; feed; the address is the sequence between the two "to" words.
; ---------------------------------------------------------------------
0044BB11 |. 6A 4D push 4D ; 'M'
0044BB13 |. 8D4D EC lea ecx, [ebp-14] ; ecx = message string object
0044BB16 |. E8 9EFD0A00 call 004FB8B9
0044BB1B |. 6A 61 push 61 ; 'a'
0044BB1D |. 8D4D EC lea ecx, [ebp-14]
0044BB20 |. E8 94FD0A00 call 004FB8B9
0044BB25 |. 6A 69 push 69 ; 'i'
0044BB27 |. 8D4D EC lea ecx, [ebp-14]
0044BB2A |. E8 8AFD0A00 call 004FB8B9
0044BB2F |. 6A 6C push 6C ; 'l'
0044BB31 |. 8D4D EC lea ecx, [ebp-14]
0044BB34 |. E8 80FD0A00 call 004FB8B9
0044BB39 |. 6A 20 push 20 ; ' ' (space)
0044BB3B |. 8D4D EC lea ecx, [ebp-14]
0044BB3E |. E8 76FD0A00 call 004FB8B9
0044BB43 |. 6A 74 push 74 ; 't'
0044BB45 |. 8D4D EC lea ecx, [ebp-14]
0044BB48 |. E8 6CFD0A00 call 004FB8B9
0044BB4D |. 6A 6F push 6F ; 'o'
0044BB4F |. 8D4D EC lea ecx, [ebp-14]
0044BB52 |. E8 62FD0A00 call 004FB8B9
0044BB57 |. 6A 20 push 20 ; ' ' (space)
0044BB59 |. 8D4D EC lea ecx, [ebp-14]
0044BB5C |. E8 58FD0A00 call 004FB8B9
0044BB61 |. 6A 68 push 68 ; 'h'
0044BB63 |. 8D4D EC lea ecx, [ebp-14]
0044BB66 |. E8 4EFD0A00 call 004FB8B9
0044BB6B |. 6A 65 push 65 ; 'e'
0044BB6D |. 8D4D EC lea ecx, [ebp-14]
0044BB70 |. E8 44FD0A00 call 004FB8B9
0044BB75 |. 6A 6E push 6E ; 'n'
0044BB77 |. 8D4D EC lea ecx, [ebp-14]
0044BB7A |. E8 3AFD0A00 call 004FB8B9
0044BB7F |. 6A 72 push 72 ; 'r'
0044BB81 |. 8D4D EC lea ecx, [ebp-14]
0044BB84 |. E8 30FD0A00 call 004FB8B9
0044BB89 |. 6A 79 push 79 ; 'y'
0044BB8B |. 8D4D EC lea ecx, [ebp-14]
0044BB8E |. E8 26FD0A00 call 004FB8B9
0044BB93 |. 6A 2E push 2E ; '.'
0044BB95 |. 8D4D EC lea ecx, [ebp-14]
0044BB98 |. E8 1CFD0A00 call 004FB8B9
0044BB9D |. 6A 6B push 6B ; 'k'
0044BB9F |. 8D4D EC lea ecx, [ebp-14]
0044BBA2 |. E8 12FD0A00 call 004FB8B9
0044BBA7 |. 6A 65 push 65 ; 'e'
0044BBA9 |. 8D4D EC lea ecx, [ebp-14]
0044BBAC |. E8 08FD0A00 call 004FB8B9
0044BBB1 |. 6A 6C push 6C ; 'l'
0044BBB3 |. 8D4D EC lea ecx, [ebp-14]
0044BBB6 |. E8 FEFC0A00 call 004FB8B9
0044BBBB |. 6A 6C push 6C ; 'l'
0044BBBD |. 8D4D EC lea ecx, [ebp-14]
0044BBC0 |. E8 F4FC0A00 call 004FB8B9
0044BBC5 |. 6A 6E push 6E ; 'n'
0044BBC7 |. 8D4D EC lea ecx, [ebp-14]
0044BBCA |. E8 EAFC0A00 call 004FB8B9
0044BBCF |. 6A 65 push 65 ; 'e'
0044BBD1 |. 8D4D EC lea ecx, [ebp-14]
0044BBD4 |. E8 E0FC0A00 call 004FB8B9
0044BBD9 |. 6A 72 push 72 ; 'r'
0044BBDB |. 8D4D EC lea ecx, [ebp-14]
0044BBDE |. E8 D6FC0A00 call 004FB8B9
0044BBE3 |. 6A 40 push 40 ; '@'
0044BBE5 |. 8D4D EC lea ecx, [ebp-14]
0044BBE8 |. E8 CCFC0A00 call 004FB8B9
0044BBED |. 6A 75 push 75 ; 'u'
0044BBEF |. 8D4D EC lea ecx, [ebp-14]
0044BBF2 |. E8 C2FC0A00 call 004FB8B9
0044BBF7 |. 6A 74 push 74 ; 't'
0044BBF9 |. 8D4D EC lea ecx, [ebp-14]
0044BBFC |. E8 B8FC0A00 call 004FB8B9
0044BC01 |. 6A 61 push 61 ; 'a'
0044BC03 |. 8D4D EC lea ecx, [ebp-14]
0044BC06 |. E8 AEFC0A00 call 004FB8B9
0044BC0B |. 6A 6E push 6E ; 'n'
0044BC0D |. 8D4D EC lea ecx, [ebp-14]
0044BC10 |. E8 A4FC0A00 call 004FB8B9
0044BC15 |. 6A 65 push 65 ; 'e'
0044BC17 |. 8D4D EC lea ecx, [ebp-14]
0044BC1A |. E8 9AFC0A00 call 004FB8B9
0044BC1F |. 6A 74 push 74 ; 't'
0044BC21 |. 8D4D EC lea ecx, [ebp-14]
0044BC24 |. E8 90FC0A00 call 004FB8B9
0044BC29 |. 6A 2E push 2E ; '.'
0044BC2B |. 8D4D EC lea ecx, [ebp-14]
0044BC2E |. E8 86FC0A00 call 004FB8B9
0044BC33 |. 6A 61 push 61 ; 'a'
0044BC35 |. 8D4D EC lea ecx, [ebp-14]
0044BC38 |. E8 7CFC0A00 call 004FB8B9
0044BC3D |. 6A 74 push 74 ; 't'
0044BC3F |. 8D4D EC lea ecx, [ebp-14]
0044BC42 |. E8 72FC0A00 call 004FB8B9
0044BC47 |. 6A 20 push 20 ; ' ' (space)
0044BC49 |. 8D4D EC lea ecx, [ebp-14]
0044BC4C |. E8 68FC0A00 call 004FB8B9
0044BC51 |. 6A 74 push 74 ; 't'
0044BC53 |. 8D4D EC lea ecx, [ebp-14]
0044BC56 |. E8 5EFC0A00 call 004FB8B9
0044BC5B |. 6A 6F push 6F ; 'o'
0044BC5D |. 8D4D EC lea ecx, [ebp-14]
0044BC60 |. E8 54FC0A00 call 004FB8B9
0044BC65 |. 6A 20 push 20 ; ' ' (space)
0044BC67 |. 8D4D EC lea ecx, [ebp-14]
0044BC6A |. E8 4AFC0A00 call 004FB8B9
0044BC6F |. 6A 67 push 67 ; 'g'
0044BC71 |. 8D4D EC lea ecx, [ebp-14]
0044BC74 |. E8 40FC0A00 call 004FB8B9
0044BC79 |. 6A 65 push 65 ; 'e'
0044BC7B |. 8D4D EC lea ecx, [ebp-14]
0044BC7E |. E8 36FC0A00 call 004FB8B9
0044BC83 |. 6A 74 push 74 ; 't'
0044BC85 |. 8D4D EC lea ecx, [ebp-14]
0044BC88 |. E8 2CFC0A00 call 004FB8B9
0044BC8D |. 6A 20 push 20 ; ' ' (space)
0044BC8F |. 8D4D EC lea ecx, [ebp-14]
0044BC92 |. E8 22FC0A00 call 004FB8B9
0044BC97 |. 6A 79 push 79 ; 'y'
0044BC99 |. 8D4D EC lea ecx, [ebp-14]
0044BC9C |. E8 18FC0A00 call 004FB8B9
0044BCA1 |. 6A 6F push 6F ; 'o'
0044BCA3 |. 8D4D EC lea ecx, [ebp-14]
0044BCA6 |. E8 0EFC0A00 call 004FB8B9
0044BCAB |. 6A 75 push 75 ; 'u'
0044BCAD |. 8D4D EC lea ecx, [ebp-14]
0044BCB0 |. E8 04FC0A00 call 004FB8B9
0044BCB5 |. 6A 72 push 72 ; 'r'
0044BCB7 |. 8D4D EC lea ecx, [ebp-14]
0044BCBA |. E8 FAFB0A00 call 004FB8B9
0044BCBF |. 6A 20 push 20 ; ' ' (space)
0044BCC1 |. 8D4D EC lea ecx, [ebp-14]
0044BCC4 |. E8 F0FB0A00 call 004FB8B9
0044BCC9 |. 6A 6E push 6E ; 'n'
0044BCCB |. 8D4D EC lea ecx, [ebp-14]
0044BCCE |. E8 E6FB0A00 call 004FB8B9
0044BCD3 |. 6A 65 push 65 ; 'e'
0044BCD5 |. 8D4D EC lea ecx, [ebp-14]
0044BCD8 |. E8 DCFB0A00 call 004FB8B9
0044BCDD |. 6A 77 push 77 ; 'w'
0044BCDF |. 8D4D EC lea ecx, [ebp-14]
0044BCE2 |. E8 D2FB0A00 call 004FB8B9
0044BCE7 |. 6A 20 push 20 ; ' ' (space)
0044BCE9 |. 8D4D EC lea ecx, [ebp-14]
0044BCEC |. E8 C8FB0A00 call 004FB8B9
0044BCF1 |. 6A 63 push 63 ; 'c'
0044BCF3 |. 8D4D EC lea ecx, [ebp-14]
0044BCF6 |. E8 BEFB0A00 call 004FB8B9
0044BCFB |. 6A 6F push 6F ; 'o'
0044BCFD |. 8D4D EC lea ecx, [ebp-14]
0044BD00 |. E8 B4FB0A00 call 004FB8B9
0044BD05 |. 6A 64 push 64 ; 'd'
0044BD07 |. 8D4D EC lea ecx, [ebp-14]
0044BD0A |. E8 AAFB0A00 call 004FB8B9
0044BD0F |. 6A 65 push 65 ; 'e'
0044BD11 |. 8D4D EC lea ecx, [ebp-14]
0044BD14 |. E8 A0FB0A00 call 004FB8B9
0044BD19 |. 6A 0A push 0A ; '\n' (line feed)
0044BD1B |. 8D4D EC lea ecx, [ebp-14]
0044BD1E |. E8 96FB0A00 call 004FB8B9
; ---------------------------------------------------------------------
; 0044BD23..0044BE06 -- last line of the message being assembled in the
; string object at [ebp-14] (004FB8B9 per character, presumably "append
; char"). The pushed bytes spell "Attach your old code.". The finished
; text is then handed to 0050995B, the routine the caller also uses for
; its "code accepted" message.
; ---------------------------------------------------------------------
0044BD23 |. 6A 41 push 41 ; 'A'
0044BD25 |. 8D4D EC lea ecx, [ebp-14] ; ecx = message string object
0044BD28 |. E8 8CFB0A00 call 004FB8B9
0044BD2D |. 6A 74 push 74 ; 't'
0044BD2F |. 8D4D EC lea ecx, [ebp-14]
0044BD32 |. E8 82FB0A00 call 004FB8B9
0044BD37 |. 6A 74 push 74 ; 't'
0044BD39 |. 8D4D EC lea ecx, [ebp-14]
0044BD3C |. E8 78FB0A00 call 004FB8B9
0044BD41 |. 6A 61 push 61 ; 'a'
0044BD43 |. 8D4D EC lea ecx, [ebp-14]
0044BD46 |. E8 6EFB0A00 call 004FB8B9
0044BD4B |. 6A 63 push 63 ; 'c'
0044BD4D |. 8D4D EC lea ecx, [ebp-14]
0044BD50 |. E8 64FB0A00 call 004FB8B9
0044BD55 |. 6A 68 push 68 ; 'h'
0044BD57 |. 8D4D EC lea ecx, [ebp-14]
0044BD5A |. E8 5AFB0A00 call 004FB8B9
0044BD5F |. 6A 20 push 20 ; ' ' (space)
0044BD61 |. 8D4D EC lea ecx, [ebp-14]
0044BD64 |. E8 50FB0A00 call 004FB8B9
0044BD69 |. 6A 79 push 79 ; 'y'
0044BD6B |. 8D4D EC lea ecx, [ebp-14]
0044BD6E |. E8 46FB0A00 call 004FB8B9
0044BD73 |. 6A 6F push 6F ; 'o'
0044BD75 |. 8D4D EC lea ecx, [ebp-14]
0044BD78 |. E8 3CFB0A00 call 004FB8B9
0044BD7D |. 6A 75 push 75 ; 'u'
0044BD7F |. 8D4D EC lea ecx, [ebp-14]
0044BD82 |. E8 32FB0A00 call 004FB8B9
0044BD87 |. 6A 72 push 72 ; 'r'
0044BD89 |. 8D4D EC lea ecx, [ebp-14]
0044BD8C |. E8 28FB0A00 call 004FB8B9
0044BD91 |. 6A 20 push 20 ; ' ' (space)
0044BD93 |. 8D4D EC lea ecx, [ebp-14]
0044BD96 |. E8 1EFB0A00 call 004FB8B9
0044BD9B |. 6A 6F push 6F ; 'o'
0044BD9D |. 8D4D EC lea ecx, [ebp-14]
0044BDA0 |. E8 14FB0A00 call 004FB8B9
0044BDA5 |. 6A 6C push 6C ; 'l'
0044BDA7 |. 8D4D EC lea ecx, [ebp-14]
0044BDAA |. E8 0AFB0A00 call 004FB8B9
0044BDAF |. 6A 64 push 64 ; 'd'
0044BDB1 |. 8D4D EC lea ecx, [ebp-14]
0044BDB4 |. E8 00FB0A00 call 004FB8B9
0044BDB9 |. 6A 20 push 20 ; ' ' (space)
0044BDBB |. 8D4D EC lea ecx, [ebp-14]
0044BDBE |. E8 F6FA0A00 call 004FB8B9
0044BDC3 |. 6A 63 push 63 ; 'c'
0044BDC5 |. 8D4D EC lea ecx, [ebp-14]
0044BDC8 |. E8 ECFA0A00 call 004FB8B9
0044BDCD |. 6A 6F push 6F ; 'o'
0044BDCF |. 8D4D EC lea ecx, [ebp-14]
0044BDD2 |. E8 E2FA0A00 call 004FB8B9
0044BDD7 |. 6A 64 push 64 ; 'd'
0044BDD9 |. 8D4D EC lea ecx, [ebp-14]
0044BDDC |. E8 D8FA0A00 call 004FB8B9
0044BDE1 |. 6A 65 push 65 ; 'e'
0044BDE3 |. 8D4D EC lea ecx, [ebp-14]
0044BDE6 |. E8 CEFA0A00 call 004FB8B9
0044BDEB |. 6A 2E push 2E ; '.'
0044BDED |. 8D4D EC lea ecx, [ebp-14]
0044BDF0 |. E8 C4FA0A00 call 004FB8B9
0044BDF5 |. 6A 00 push 0 ; presumably the third argument of 0050995B
0044BDF7 |. 6A 00 push 0 ; presumably the second argument of 0050995B
0044BDF9 |. 8D4D EC lea ecx, [ebp-14]
0044BDFC |. E8 2F84FCFF call 00414230 ; presumably returns the character pointer of the string at [ebp-14]
0044BE01 |. 50 push eax ; |Arg1
0044BE02 |. E8 54DB0B00 call 0050995B ; \Photoplo.0050995B
; ---------------------------------------------------------------------
; 0044BE07..0044BE38 -- end of the "counter reached 0x1E" path, entered
; after the message or directly from the jnz at 0044B928. The caller's
; result slot is initialised from the constant at 0057C710 rather than
; from the derived code. NOTE(review): the content of 0057C710 is not
; shown in this listing; an empty string would make the caller's
; comparison fail -- confirm.
; ---------------------------------------------------------------------
0044BE07 |> 68 10C75700 push 0057C710
0044BE0C |. 8B4D 08 mov ecx, [ebp+8] ; ecx = caller's result slot
0044BE0F |. E8 10F70A00 call 004FB524 ; presumably constructs the result string from the constant
0044BE14 |. 8B45 D8 mov eax, [ebp-28]
0044BE17 |. 83C8 01 or eax, 1
0044BE1A |. 8945 D8 mov [ebp-28], eax ; mark the result slot as filled
0044BE1D |. C645 FC 01 mov byte ptr [ebp-4], 1
0044BE21 |. 8D4D EC lea ecx, [ebp-14]
0044BE24 |. E8 8DF60A00 call 004FB4B6 ; presumably destroys the local at [ebp-14]
0044BE29 |. C645 FC 00 mov byte ptr [ebp-4], 0
0044BE2D |. 8D4D 0C lea ecx, [ebp+C]
0044BE30 |. E8 81F60A00 call 004FB4B6 ; presumably destroys the by-value argument at [ebp+C]
0044BE35 |. 8B45 08 mov eax, [ebp+8] ; return value = pointer to the result slot
0044BE38 |. EB 73 jmp short 0044BEAD
; ---------------------------------------------------------------------
; 0044BE3A..0044BEAA -- entered code did NOT equal the output of 0044C0E0
; (target of the je at 0044B8BD). The string at [ebp+C] is passed by value
; to 0044BEC0; its result (temporary at [ebp-24]) is stored in [ebp-14]
; and copied into the caller's result slot, so on this path the caller
; compares the entered code with the output of 0044BEC0 instead.
; ---------------------------------------------------------------------
0044BE3A |> 51 push ecx ; reserve one dword: the by-value string argument for 0044BEC0
0044BE3B |. 8BCC mov ecx, esp ; ecx = address of that slot
0044BE3D |. 8965 E0 mov [ebp-20], esp
0044BE40 |. 8D45 0C lea eax, [ebp+C]
0044BE43 |. 50 push eax
0044BE44 |. E8 E2F30A00 call 004FB22B ; presumably copy-constructs [ebp+C] into the reserved slot
0044BE49 |. 8945 94 mov [ebp-6C], eax ; |
0044BE4C |. 8D4D DC lea ecx, [ebp-24] ; |
0044BE4F |. 51 push ecx ; |Arg1
0044BE50 |. 8B4D F0 mov ecx, [ebp-10] ; |
0044BE53 |. E8 68000000 call 0044BEC0 ; \algorithm call (3) per the write-up ("true code 2")
0044BE58 |. 8945 90 mov [ebp-70], eax
0044BE5B |. 8B55 90 mov edx, [ebp-70]
0044BE5E |. 8955 8C mov [ebp-74], edx
0044BE61 |. C645 FC 04 mov byte ptr [ebp-4], 4
0044BE65 |. 8B45 8C mov eax, [ebp-74]
0044BE68 |. 50 push eax
0044BE69 |. 8D4D EC lea ecx, [ebp-14]
0044BE6C |. E8 7EF70A00 call 004FB5EF ; author's note: "true code 1 compared with true code 2". NOTE(review): at 0044B898 the same routine is used like an assignment into the ecx object and no result is tested here -- confirm
0044BE71 |. C645 FC 02 mov byte ptr [ebp-4], 2
0044BE75 |. 8D4D DC lea ecx, [ebp-24]
0044BE78 |. E8 39F60A00 call 004FB4B6 ; presumably destroys the temporary at [ebp-24]
0044BE7D |. 8D45 EC lea eax, [ebp-14]
0044BE80 |. 50 push eax
0044BE81 |. 8B4D 08 mov ecx, [ebp+8]
0044BE84 |. E8 A2F30A00 call 004FB22B ; presumably copy-constructs [ebp-14] into the result slot at [ebp+8]
0044BE89 |. 8B4D D8 mov ecx, [ebp-28]
0044BE8C |. 83C9 01 or ecx, 1
0044BE8F |. 894D D8 mov [ebp-28], ecx ; mark the result slot as filled
0044BE92 |. C645 FC 01 mov byte ptr [ebp-4], 1
0044BE96 |. 8D4D EC lea ecx, [ebp-14]
0044BE99 |. E8 18F60A00 call 004FB4B6 ; presumably destroys the local at [ebp-14]
0044BE9E |. C645 FC 00 mov byte ptr [ebp-4], 0
0044BEA2 |. 8D4D 0C lea ecx, [ebp+C]
0044BEA5 |. E8 0CF60A00 call 004FB4B6 ; presumably destroys the by-value argument at [ebp+C]
0044BEAA |. 8B45 08 mov eax, [ebp+8] ; return value = pointer to the result slot
; ---------------------------------------------------------------------
; 0044BEAD..0044BEBD -- common exit of 0044B7A0. eax already holds
; [ebp+8] on every path that reaches this point. The saved SEH link is
; restored and `retn 8` removes the two stack arguments ([ebp+8] and
; [ebp+C]) on behalf of the caller.
; ---------------------------------------------------------------------
0044BEAD |> 8B4D F4 mov ecx, [ebp-C] ; previous SEH chain head saved by the prologue
0044BEB0 |. 64:890D 00000>mov fs:[0], ecx ; unlink this frame
0044BEB7 |. 5F pop edi
0044BEB8 |. 5E pop esi
0044BEB9 |. 5B pop ebx
0044BEBA |. 8BE5 mov esp, ebp
0044BEBC |. 5D pop ebp
0044BEBD \. C2 0800 retn 8 ; callee pops 8 bytes of arguments
算法call(2):
0044C0E0 /$ 55 push ebp
0044C0E1 |. 8BEC mov ebp, esp
0044C0E3 |. 6A FF push -1
0044C0E5 |. 68 B2795200 push 005279B2 ; SE 处理程序安装
0044C0EA |. 64:A1 0000000>mov eax, fs:[0]
0044C0F0 |. 50 push eax
0044C0F1 |. 64:8925 00000>mov fs:[0], esp
0044C0F8 |. 83EC 5C sub esp, 5C
0044C0FB |. 53 push ebx
0044C0FC |. 56 push esi
0044C0FD |. 57 push edi
0044C0FE |. 894D F0 mov [ebp-10], ecx
0044C101 |. C745 D8 00000>mov dword ptr [ebp-28], 0
0044C108 |. C745 FC 01000>mov dword ptr [ebp-4], 1
0044C10F |. 8D4D E0 lea ecx, [ebp-20]
0044C112 |. E8 1975FCFF call 00413630
0044C117 |. C645 FC 02 mov byte ptr [ebp-4], 2
0044C11B |. 8D4D DC lea ecx, [ebp-24]
0044C11E |. E8 0D75FCFF call 00413630
0044C123 |. C645 FC 03 mov byte ptr [ebp-4], 3
0044C127 |. 6A 48 push 48 ; H
0044C129 |. 8D4D E0 lea ecx, [ebp-20]
0044C12C |. E8 368F0A00 call 004F5067
0044C131 |. 6A 45 push 45 ; E
0044C133 |. 8D4D E0 lea ecx, [ebp-20]
0044C136 |. E8 7EF70A00 call 004FB8B9
0044C13B |. 6A 4E push 4E ; N
0044C13D |. 8D4D E0 lea ecx, [ebp-20]
0044C140 |. E8 74F70A00 call 004FB8B9
0044C145 |. 6A 52 push 52 ; R
0044C147 |. 8D4D E0 lea ecx, [ebp-20]
0044C14A |. E8 6AF70A00 call 004FB8B9
0044C14F |. 6A 59 push 59 ; Y
0044C151 |. 8D4D E0 lea ecx, [ebp-20]
0044C154 |. E8 60F70A00 call 004FB8B9
0044C159 |. 6A 53 push 53 ; S
0044C15B |. 8D4D E0 lea ecx, [ebp-20]
0044C15E |. E8 56F70A00 call 004FB8B9
0044C163 |. 6A 43 push 43 ; C
0044C165 |. 8D4D E0 lea ecx, [ebp-20]
0044C168 |. E8 4CF70A00 call 004FB8B9
0044C16D |. 6A 4F push 4F ; O
0044C16F |. 8D4D E0 lea ecx, [ebp-20]
0044C172 |. E8 42F70A00 call 004FB8B9
0044C177 |. 6A 44 push 44 ; D
0044C179 |. 8D4D E0 lea ecx, [ebp-20]
0044C17C |. E8 38F70A00 call 004FB8B9
0044C181 |. 6A 45 push 45 ; E
0044C183 |. 8D4D E0 lea ecx, [ebp-20]
0044C186 |. E8 2EF70A00 call 004FB8B9
0044C18B |. 6A 50 push 50 ; P
0044C18D |. 8D4D DC lea ecx, [ebp-24]
0044C190 |. E8 D28E0A00 call 004F5067
0044C195 |. 6A 48 push 48 ; H
0044C197 |. 8D4D DC lea ecx, [ebp-24]
0044C19A |. E8 1AF70A00 call 004FB8B9
0044C19F |. 6A 50 push 50 ; P
0044C1A1 |. 8D4D DC lea ecx, [ebp-24]
0044C1A4 |. E8 10F70A00 call 004FB8B9
0044C1A9 |. 6A 31 push 31 ; 1
0044C1AB |. 8D4D DC lea ecx, [ebp-24]
0044C1AE |. E8 06F70A00 call 004FB8B9
0044C1B3 |. C745 EC 00000>mov dword ptr [ebp-14], 0
0044C1BA |. C745 E8 00000>mov dword ptr [ebp-18], 0
0044C1C1 |. C745 E4 00000>mov dword ptr [ebp-1C], 0
0044C1C8 |. EB 09 jmp short 0044C1D3
0044C1CA |> 8B45 EC /mov eax, [ebp-14]
0044C1CD |. 83C0 01 |add eax, 1
0044C1D0 |. 8945 EC |mov [ebp-14], eax
0044C1D3 |> 8D4D 0C lea ecx, [ebp+C]
0044C1D6 |. E8 0577FCFF |call 004138E0 ; 取用户名
0044C1DB |. 3945 EC |cmp [ebp-14], eax ; 用户名各字符是否取完
0044C1DE |. 7D 7D |jge short 0044C25D ; 完则跳
0044C1E0 |. 8B45 E4 |mov eax, [ebp-1C]
0044C1E3 |. 50 |push eax ; /Arg1
0044C1E4 |. 8D4D E0 |lea ecx, [ebp-20] ; |
0044C1E7 |. E8 3477FCFF |call 00413920 ; \取固定字串(HENRYSCODE),记为A
0044C1EC |. 0FBEF0 |movsx esi, al ; 固定字串(HENRYSCODE)逐位移至ESI
0044C1EF |. 8B4D EC |mov ecx, [ebp-14]
0044C1F2 |. 51 |push ecx ; /Arg1
0044C1F3 |. 8D4D 0C |lea ecx, [ebp+C] ; |
0044C1F6 |. E8 2577FCFF |call 00413920 ; \取用户名
0044C1FB |. 0FBED0 |movsx edx, al ; 用户名逐位移至EDX
0044C1FE |. 03F2 |add esi, edx ; A与用户名ASCII值逐位相加,结果保留于ESI
0044C200 |. 8B45 E8 |mov eax, [ebp-18]
0044C203 |. 50 |push eax ; /Arg1
0044C204 |. 8D4D DC |lea ecx, [ebp-24] ; |
0044C207 |. E8 1477FCFF |call 00413920 ; \取固定字串(PHP1),记为B
0044C20C |. 0FBEC8 |movsx ecx, al ; 固定字串(PHP1)逐位移至ECX
0044C20F |. 03F1 |add esi, ecx ; A、B、用户名ASCII值逐位相加,结果保留于ESI
0044C211 |. 56 |push esi
0044C212 |. 8B55 E4 |mov edx, [ebp-1C]
0044C215 |. 52 |push edx
0044C216 |. 8D4D E0 |lea ecx, [ebp-20]
0044C219 |. E8 4AF80A00 |call 004FBA68 ; 每轮ESI值后两位依次替换A各个字符ASCII,替换后的字符串记位C
0044C21E |. 8B45 E4 |mov eax, [ebp-1C]
0044C221 |. 83C0 01 |add eax, 1
0044C224 |. 8945 E4 |mov [ebp-1C], eax
0044C227 |. 8D4D E0 |lea ecx, [ebp-20]
0044C22A |. E8 B176FCFF |call 004138E0
0044C22F |. 3945 E4 |cmp [ebp-1C], eax ; A各字符是否被替换完
0044C232 |. 75 07 |jnz short 0044C23B
0044C234 |. C745 E4 00000>|mov dword ptr [ebp-1C], 0
0044C23B |> 8B45 E8 |mov eax, [ebp-18]
0044C23E |. 83C0 01 |add eax, 1
0044C241 |. 8945 E8 |mov [ebp-18], eax
0044C244 |. 8D4D DC |lea ecx, [ebp-24]
0044C247 |. E8 9476FCFF |call 004138E0
0044C24C |. 3945 E8 |cmp [ebp-18], eax ; PHP1各字符是否取完
0044C24F |. 75 07 |jnz short 0044C258
0044C251 |. C745 E8 00000>|mov dword ptr [ebp-18], 0
0044C258 |>^ E9 6DFFFFFF \jmp 0044C1CA
0044C25D |> C745 E4 00000>mov dword ptr [ebp-1C], 0
0044C264 |. EB 09 jmp short 0044C26F
0044C266 |> 8B45 E4 /mov eax, [ebp-1C]
0044C269 |. 83C0 01 |add eax, 1
0044C26C |. 8945 E4 |mov [ebp-1C], eax
0044C26F |> 8D4D E0 lea ecx, [ebp-20]
0044C272 |. E8 6976FCFF |call 004138E0
0044C277 |. 3945 E4 |cmp [ebp-1C], eax
0044C27A |. 7D 4B |jge short 0044C2C7
0044C27C |> 8B45 E4 |/mov eax, [ebp-1C]
0044C27F |. 50 ||push eax ; /Arg1
0044C280 |. 8D4D E0 ||lea ecx, [ebp-20] ; |
0044C283 |. E8 9876FCFF ||call 00413920 ; \取C
0044C288 |. 0FBEC8 ||movsx ecx, al ; C逐位移至ECX
0044C28B |. 83F9 41 ||cmp ecx, 41 ; 跟41比较
0044C28E |. 7C 14 ||jl short 0044C2A4 ; 小则跳,直至C各字符ASCII值大于41后才不进入加1B的循环过程
0044C290 |. 8B45 E4 ||mov eax, [ebp-1C]
0044C293 |. 50 ||push eax ; /Arg1
0044C294 |. 8D4D E0 ||lea ecx, [ebp-20] ; |
0044C297 |. E8 8476FCFF ||call 00413920 ; \取D
0044C29C |. 0FBEC8 ||movsx ecx, al ; D逐位移至ECX
0044C29F |. 83F9 5A ||cmp ecx, 5A ; 跟5A比较
0044C2A2 |. 7E 21 ||jle short 0044C2C5 ; 小于等于5A则取下一字符
0044C2A4 |> 8B45 E4 ||mov eax, [ebp-1C]
0044C2A7 |. 50 ||push eax ; /Arg1
0044C2A8 |. 8D4D E0 ||lea ecx, [ebp-20] ; |
0044C2AB |. E8 7076FCFF ||call 00413920 ; \取C
0044C2B0 |. 0FBEC8 ||movsx ecx, al ; C逐位移至ECX
0044C2B3 |. 83C1 1B ||add ecx, 1B ; 加1B
0044C2B6 |. 51 ||push ecx
0044C2B7 |. 8B55 E4 ||mov edx, [ebp-1C]
0044C2BA |. 52 ||push edx
0044C2BB |. 8D4D E0 ||lea ecx, [ebp-20]
0044C2BE |. E8 A5F70A00 ||call 004FBA68 ; C各ASCII值按上述方式逐位依次替换,结果记为D
0044C2C3 |.^ EB B7 |\jmp short 0044C27C
0044C2C5 |>^ EB 9F \jmp short 0044C266
0044C2C7 |> 8D45 E0 lea eax, [ebp-20] ; 最终转换结果保存于EAX所指向的内存地址(真码1)
0044C2CA |. 50 push eax
0044C2CB |. 8B4D 08 mov ecx, [ebp+8]
0044C2CE |. E8 58EF0A00 call 004FB22B
0044C2D3 |. 8B4D D8 mov ecx, [ebp-28]
0044C2D6 |. 83C9 01 or ecx, 1
0044C2D9 |. 894D D8 mov [ebp-28], ecx
0044C2DC |. C645 FC 02 mov byte ptr [ebp-4], 2
0044C2E0 |. 8D4D DC lea ecx, [ebp-24]
0044C2E3 |. E8 CEF10A00 call 004FB4B6
0044C2E8 |. C645 FC 01 mov byte ptr [ebp-4], 1
0044C2EC |. 8D4D E0 lea ecx, [ebp-20]
0044C2EF |. E8 C2F10A00 call 004FB4B6
0044C2F4 |. C645 FC 00 mov byte ptr [ebp-4], 0
0044C2F8 |. 8D4D 0C lea ecx, [ebp+C]
0044C2FB |. E8 B6F10A00 call 004FB4B6
0044C300 |. 8B45 08 mov eax, [ebp+8]
0044C303 |. 8B4D F4 mov ecx, [ebp-C]
0044C306 |. 64:890D 00000>mov fs:[0], ecx
0044C30D |. 5F pop edi
0044C30E |. 5E pop esi
0044C30F |. 5B pop ebx
0044C310 |. 8BE5 mov esp, ebp
0044C312 |. 5D pop ebp
0044C313 \. C2 0800 retn 8
算法call(3):
; Routine 0044BEC0 -- "algorithm call (3)" in the write-up.
; OllyDbg listing (immediates are hexadecimal). ECX is saved at entry and
; `retn 8` pops two stack arguments, [ebp+8] and [ebp+C].
;   [ebp+8]  : address the resulting string is copied to; also returned in EAX
;   [ebp+C]  : the user name (per the author's notes)
;   [ebp-1C] : working string, initialised from the constant at 00535B0C
;   [ebp-18] : index into the user name
;   [ebp-14] : index into the working string
; Helper roles are inferred from how they are called here, not from their bodies:
;   004138E0 appears to return a string length, 00413920 the character at an
;   index, 004FBA68 to store a character at an index, 004FB22B to copy a string,
;   004FB4B6 to release one -- TODO confirm against the helpers themselves.
; Review note: the expected value is computed locally from the user name and a
; constant embedded in the image, so the check can be read out of the binary;
; a server-side or signature-based licence check does not have that weakness.
0044BEC0 /$ 55 push ebp ; function entry: build the EBP frame
0044BEC1 |. 8BEC mov ebp, esp
0044BEC3 |. 6A FF push -1 ; becomes [ebp-4]
0044BEC5 |. 68 69795200 push 00527969 ; SE handler installation
0044BECA |. 64:A1 0000000>mov eax, fs:[0]
0044BED0 |. 50 push eax ; previous fs:[0] value, kept at [ebp-C]
0044BED1 |. 64:8925 00000>mov fs:[0], esp ; link this frame's record into the chain at fs:[0]
0044BED8 |. 83EC 54 sub esp, 54 ; reserve 54h bytes for locals
0044BEDB |. 53 push ebx
0044BEDC |. 56 push esi
0044BEDD |. 57 push edi
0044BEDE |. 894D F0 mov [ebp-10], ecx ; save incoming ECX (presumably `this`)
0044BEE1 |. C745 E0 00000>mov dword ptr [ebp-20], 0 ; flag word; bit 0 is set on both return paths below
0044BEE8 |. C745 FC 01000>mov dword ptr [ebp-4], 1 ; presumably the compiler's EH state index; not part of the algorithm
0044BEEF |. 8D4D E4 lea ecx, [ebp-1C]
0044BEF2 |. E8 3977FCFF call 00413630 ; appears to construct the working string at [ebp-1C]
0044BEF7 |. C645 FC 02 mov byte ptr [ebp-4], 2
0044BEFB |. 68 0C5B5300 push 00535B0C ; constant string "uxdcolfghewz" embedded in the image
0044BF00 |. 8D4D E4 lea ecx, [ebp-1C]
0044BF03 |. E8 37F70A00 call 004FB63F ; appears to assign that constant to the working string
0044BF08 |. 8D4D 0C lea ecx, [ebp+C]
0044BF0B |. E8 D079FCFF call 004138E0 ; user-name length (inferred from the compare that follows)
0044BF10 |. 83F8 07 cmp eax, 7 ; compare the user-name length with 7
0044BF13 |. 7F 35 jg short 0044BF4A ; longer than 7: run the transformation loops
0044BF15 |. 8D45 E4 lea eax, [ebp-1C] ; length <= 7: the working string is returned unmodified
0044BF18 |. 50 push eax
0044BF19 |. 8B4D 08 mov ecx, [ebp+8]
0044BF1C |. E8 0AF30A00 call 004FB22B ; copy the working string to the result at [ebp+8]
0044BF21 |. 8B4D E0 mov ecx, [ebp-20]
0044BF24 |. 83C9 01 or ecx, 1
0044BF27 |. 894D E0 mov [ebp-20], ecx ; set bit 0 of the flag word
0044BF2A |. C645 FC 01 mov byte ptr [ebp-4], 1
0044BF2E |. 8D4D E4 lea ecx, [ebp-1C]
0044BF31 |. E8 80F50A00 call 004FB4B6 ; release the working string (inferred)
0044BF36 |. C645 FC 00 mov byte ptr [ebp-4], 0
0044BF3A |. 8D4D 0C lea ecx, [ebp+C]
0044BF3D |. E8 74F50A00 call 004FB4B6 ; release the user-name argument (inferred)
0044BF42 |. 8B45 08 mov eax, [ebp+8] ; return value = result address
0044BF45 |. E9 7F010000 jmp 0044C0C9 ; shared epilogue
0044BF4A |> C745 E8 00000>mov dword ptr [ebp-18], 0 ; user-name index = 0
0044BF51 |. C745 EC 00000>mov dword ptr [ebp-14], 0 ; working-string index = 0
0044BF58 |. EB 09 jmp short 0044BF63
0044BF5A |> 8B45 E8 /mov eax, [ebp-18]
0044BF5D |. 83C0 01 |add eax, 1
0044BF60 |. 8945 E8 |mov [ebp-18], eax ; advance the user-name index
0044BF63 |> 8D4D 0C lea ecx, [ebp+C]
0044BF66 |. E8 7579FCFF |call 004138E0
0044BF6B |. 3945 E8 |cmp [ebp-18], eax
0044BF6E |. 0F8D BB000000 |jge 0044C02F ; every user-name character consumed: leave the loop
0044BF74 |. 8B45 EC |mov eax, [ebp-14]
0044BF77 |. 50 |push eax ; /Arg1
0044BF78 |. 8D4D E4 |lea ecx, [ebp-1C] ; |
0044BF7B |. E8 A079FCFF |call 00413920 ; \fetch the fixed string (UXDCOLFGHEWZ) -- author writes it upper-case; the operand at 0044BEFB is shown lower-case
0044BF80 |. 0FBEF0 |movsx esi, al ; fixed-string character, sign-extended, into ESI
0044BF83 |. 8B4D E8 |mov ecx, [ebp-18]
0044BF86 |. 51 |push ecx ; /Arg1
0044BF87 |. 8D4D 0C |lea ecx, [ebp+C] ; |
0044BF8A |. E8 9179FCFF |call 00413920 ; \fetch the user name
0044BF8F |. 0FBED0 |movsx edx, al ; user-name character, sign-extended, into EDX
0044BF92 |. 33F2 |xor esi, edx ; first XOR of ESI with EDX
0044BF94 |. 56 |push esi
0044BF95 |. 8B45 EC |mov eax, [ebp-14]
0044BF98 |. 50 |push eax
0044BF99 |. 8D4D E4 |lea ecx, [ebp-1C]
0044BF9C |. E8 C7FA0A00 |call 004FBA68 ; write the XOR result back at the working-string index (inferred)
0044BFA1 |. 837D E8 00 |cmp dword ptr [ebp-18], 0
0044BFA5 |. 74 30 |je short 0044BFD7 ; user-name index 0: skip the second XOR
0044BFA7 |. 8B45 EC |mov eax, [ebp-14]
0044BFAA |. 50 |push eax ; /Arg1
0044BFAB |. 8D4D E4 |lea ecx, [ebp-1C] ; |
0044BFAE |. E8 6D79FCFF |call 00413920 ; \fetch the result of the first XOR
0044BFB3 |. 0FBEF0 |movsx esi, al ; into ESI
0044BFB6 |. 8B4D E8 |mov ecx, [ebp-18]
0044BFB9 |. 83E9 01 |sub ecx, 1 ; user-name index - 1
0044BFBC |. 51 |push ecx ; /Arg1
0044BFBD |. 8D4D 0C |lea ecx, [ebp+C] ; |
0044BFC0 |. E8 5B79FCFF |call 00413920 ; \second pass reads the user name one position behind the first
0044BFC5 |. 0FBED0 |movsx edx, al ; user-name character, sign-extended, into EDX
0044BFC8 |. 33F2 |xor esi, edx ; second XOR of ESI with EDX
0044BFCA |. 56 |push esi
0044BFCB |. 8B45 EC |mov eax, [ebp-14]
0044BFCE |. 50 |push eax
0044BFCF |. 8D4D E4 |lea ecx, [ebp-1C]
0044BFD2 |. E8 91FA0A00 |call 004FBA68 ; write the result back at the same index (inferred)
0044BFD7 |> 837D E8 01 |cmp dword ptr [ebp-18], 1
0044BFDB |. 7E 30 |jle short 0044C00D ; user-name index <= 1: skip the third XOR
0044BFDD |. 8B45 EC |mov eax, [ebp-14]
0044BFE0 |. 50 |push eax ; /Arg1
0044BFE1 |. 8D4D E4 |lea ecx, [ebp-1C] ; |
0044BFE4 |. E8 3779FCFF |call 00413920 ; \fetch the result of the second XOR
0044BFE9 |. 0FBEF0 |movsx esi, al ; XOR result into ESI
0044BFEC |. 8B4D E8 |mov ecx, [ebp-18]
0044BFEF |. 83E9 02 |sub ecx, 2 ; user-name index - 2
0044BFF2 |. 51 |push ecx ; /Arg1
0044BFF3 |. 8D4D 0C |lea ecx, [ebp+C] ; |
0044BFF6 |. E8 2579FCFF |call 00413920 ; \third pass reads the user name one position behind the second
0044BFFB |. 0FBED0 |movsx edx, al ; into EDX
0044BFFE |. 33F2 |xor esi, edx ; third XOR of ESI with EDX
0044C000 |. 56 |push esi
0044C001 |. 8B45 EC |mov eax, [ebp-14]
0044C004 |. 50 |push eax
0044C005 |. 8D4D E4 |lea ecx, [ebp-1C]
0044C008 |. E8 5BFA0A00 |call 004FBA68 ; write the result back at the same index (inferred)
0044C00D |> 8B45 EC |mov eax, [ebp-14]
0044C010 |. 83C0 01 |add eax, 1
0044C013 |. 8945 EC |mov [ebp-14], eax ; advance the working-string index
0044C016 |. 8D4D E4 |lea ecx, [ebp-1C]
0044C019 |. E8 C278FCFF |call 004138E0
0044C01E |. 3945 EC |cmp [ebp-14], eax
0044C021 |. 75 07 |jnz short 0044C02A
0044C023 |. C745 EC 00000>|mov dword ptr [ebp-14], 0 ; index reached the working-string length: wrap to 0
0044C02A |>^ E9 2BFFFFFF \jmp 0044BF5A
0044C02F |> C745 EC 00000>mov dword ptr [ebp-14], 0 ; second loop: restart the working-string index at 0
0044C036 |. EB 09 jmp short 0044C041
0044C038 |> 8B45 EC /mov eax, [ebp-14]
0044C03B |. 83C0 01 |add eax, 1
0044C03E |. 8945 EC |mov [ebp-14], eax ; next character
0044C041 |> 8D4D E4 lea ecx, [ebp-1C]
0044C044 |. E8 9778FCFF |call 004138E0 ; take the result of the conversion above, call it E
0044C049 |. 3945 EC |cmp [ebp-14], eax
0044C04C |. 7D 4B |jge short 0044C099 ; every character of E processed
0044C04E |> 8B45 EC |/mov eax, [ebp-14]
0044C051 |. 50 ||push eax ; /Arg1
0044C052 |. 8D4D E4 ||lea ecx, [ebp-1C] ; |
0044C055 |. E8 C678FCFF ||call 00413920 ; \fetch E
0044C05A |. 0FBEC8 ||movsx ecx, al ; character of E, sign-extended, into ECX
0044C05D |. 83F9 41 ||cmp ecx, 41 ; compare with 41h ('A')
0044C060 |. 7C 14 ||jl short 0044C076 ; below (signed): go to the next step (add 1B until the value is >= 41)
0044C062 |. 8B45 EC ||mov eax, [ebp-14]
0044C065 |. 50 ||push eax ; /Arg1
0044C066 |. 8D4D E4 ||lea ecx, [ebp-1C] ; |
0044C069 |. E8 B278FCFF ||call 00413920 ; \fetch E (E after the +1B adjustment)
0044C06E |. 0FBEC8 ||movsx ecx, al ; character of E, sign-extended, into ECX
0044C071 |. 83F9 5A ||cmp ecx, 5A ; compare with 5Ah ('Z')
0044C074 |. 7E 21 ||jle short 0044C097 ; within 41h..5Ah: move on to the next character
0044C076 |> 8B45 EC ||mov eax, [ebp-14]
0044C079 |. 50 ||push eax ; /Arg1
0044C07A |. 8D4D E4 ||lea ecx, [ebp-1C] ; |
0044C07D |. E8 9E78FCFF ||call 00413920 ; \fetch E
0044C082 |. 0FBEC8 ||movsx ecx, al ; character of E, sign-extended, into ECX
0044C085 |. 83C1 1B ||add ecx, 1B ; add 1Bh
0044C088 |. 51 ||push ecx
0044C089 |. 8B55 EC ||mov edx, [ebp-14]
0044C08C |. 52 ||push edx
0044C08D |. 8D4D E4 ||lea ecx, [ebp-1C]
0044C090 |. E8 D3F90A00 ||call 004FBA68 ; write the adjusted character back at the same index (inferred)
0044C095 |.^ EB B7 |\jmp short 0044C04E ; re-test the same character
0044C097 |>^ EB 9F \jmp short 0044C038 ; character accepted: outer loop continues
0044C099 |> 8D45 E4 lea eax, [ebp-1C] ; final result ("real code 2") is at the memory EAX points to
0044C09C |. 50 push eax
0044C09D |. 8B4D 08 mov ecx, [ebp+8]
0044C0A0 |. E8 86F10A00 call 004FB22B ; copy the working string to the result at [ebp+8]
0044C0A5 |. 8B4D E0 mov ecx, [ebp-20]
0044C0A8 |. 83C9 01 or ecx, 1
0044C0AB |. 894D E0 mov [ebp-20], ecx ; set bit 0 of the flag word
0044C0AE |. C645 FC 01 mov byte ptr [ebp-4], 1
0044C0B2 |. 8D4D E4 lea ecx, [ebp-1C]
0044C0B5 |. E8 FCF30A00 call 004FB4B6 ; release the working string (inferred)
0044C0BA |. C645 FC 00 mov byte ptr [ebp-4], 0
0044C0BE |. 8D4D 0C lea ecx, [ebp+C]
0044C0C1 |. E8 F0F30A00 call 004FB4B6 ; release the user-name argument (inferred)
0044C0C6 |. 8B45 08 mov eax, [ebp+8] ; return value = result address
0044C0C9 |> 8B4D F4 mov ecx, [ebp-C] ; fs:[0] value saved in the prologue
0044C0CC |. 64:890D 00000>mov fs:[0], ecx ; unlink this frame's handler record
0044C0D3 |. 5F pop edi
0044C0D4 |. 5E pop esi
0044C0D5 |. 5B pop ebx
0044C0D6 |. 8BE5 mov esp, ebp
0044C0D8 |. 5D pop ebp
0044C0D9 \. C2 0800 retn 8 ; return and pop the two stack arguments
------------------------------------------------------------------------
【破解总结】
1、注册失败提示未以明文直接出现,而以各字符ASCII值出现,增加了破解难度;
2、存在注册黑名单,如用户名与黑名单中用户名一致,则注册失败;
3、用户名长度不同,注册算法也不同:注册名长度小于等于7时采用注册算法(2),大于7时采用注册算法(3)(注册名长度小于等于7时,固定字符串“UXDCOLFGHEWZ”可作通用注册码 :);注册名长度大于7时,真码1、真码2均可注册成功,是否有暗桩,未及测试);
4、注册信息保存于注册表中
[HKEY_CURRENT_USER\Software\Photoplorer\Photoplorer\Settings]
------------------------------------------------------------------------
【版权声明】本文系作者原创, 转载请注明作者并保持文章的完整, 谢谢!