[原创]菜鸟对xiaohui_82 CrackMe V1改进版算法分析
-
发表于: 2007-3-24 00:30 3641
-
【文章标题】: 菜鸟对xiaohui_82 CrackMe V1改进版算法分析
【文章作者】: aicode
【软件名称】: xiaohui_82 CrackMe
【下载地址】: http://bbs.pediy.com/showthread.php?s=&threadid=41182
【加壳方式】: 无壳
【编写语言】: Delphi
【使用工具】: OD DeDe Peid
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用peid查了一下,是Delphi写的。因为想练习跟踪算法,就直接拿出DeDe找到关键点跟进:
; Excerpt from the registration button handler (OllyDbg dump, 32-bit x86; the target is a Delphi program per the article).
; Flow shown here: an empty name or an empty serial gets a message and jumps to 00497685, past the thread creation;
; otherwise CreateThread starts the routine at 00497028.
; NOTE(review): helper roles are inferred from how they are used, not from symbols: 00435D88 appears to read a
; control's text into the string that edx points to, and 004047A8 appears to return a string's length.
004975E8 |. E8 9BE7F9FF call 00435D88 ; read the name text (the argument setup lies above this excerpt)
004975ED |. 8B45 F0 mov eax, dword ptr [ebp-10] ; presumably the string just read
004975F0 |. E8 B3D1F6FF call 004047A8 ; eax = length of the name
004975F5 |. 85C0 test eax, eax ; was a name entered?
004975F7 |. 75 17 jnz short 00497610 ; non-empty: go on to the serial
004975F9 |. 6A 00 push 0 ; /Arg1 = 00000000
004975FB |. 66:8B0D AC764>mov cx, word ptr [4976AC] ; |
00497602 |. 33D2 xor edx, edx ; |
00497604 |. B8 B8764900 mov eax, 004976B8 ; |您没有输入用户名\n请输入用户名  (the target's own string: "You did not enter a user name / please enter a user name")
00497609 |. E8 BE18F9FF call 00428ECC ; \crackme.00428ECC
0049760E |. EB 75 jmp short 00497685 ; leave without starting the check
00497610 |> 8D55 EC lea edx, dword ptr [ebp-14] ; destination string for the serial
00497613 |. 8B83 1C030000 mov eax, dword ptr [ebx+31C] ; control at [ebx+31C]
00497619 |. E8 6AE7F9FF call 00435D88 ; read the serial text
0049761E |. 8B45 EC mov eax, dword ptr [ebp-14]
00497621 |. E8 82D1F6FF call 004047A8 ; eax = length of the serial
00497626 |. 85C0 test eax, eax
00497628 |. 75 17 jnz short 00497641 ; was a serial entered? non-empty: continue
0049762A |. 6A 00 push 0 ; /Arg1 = 00000000
0049762C |. 66:8B0D AC764>mov cx, word ptr [4976AC] ; |
00497633 |. 33D2 xor edx, edx ; |
00497635 |. B8 E0764900 mov eax, 004976E0 ; |您没有输入注册号\n请输入注册号  (the target's own string: "You did not enter a serial / please enter a serial")
0049763A |. E8 8D18F9FF call 00428ECC ; \crackme.00428ECC
0049763F |. EB 44 jmp short 00497685 ; leave without starting the check
00497641 |> 8D45 FC lea eax, dword ptr [ebp-4]
00497644 |. 50 push eax ; first push = last CreateThread argument: address that receives the thread id
00497645 |. 6A 00 push 0 ; creation flags = 0
00497647 |. 8D55 E8 lea edx, dword ptr [ebp-18] ; destination string
0049764A |. 8B83 10030000 mov eax, dword ptr [ebx+310] ; control at [ebx+310]
00497650 |. E8 33E7F9FF call 00435D88 ; read that control's text into [ebp-18]
00497655 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; |
00497658 |. 50 push eax ; |pThreadParm
00497659 |. 68 28704900 push 00497028 ; |ThreadFunction = crackme.00497028, the routine that holds the serial algorithm
0049765E |. 6A 00 push 0 ; |StackSize = 0
00497660 |. 6A 00 push 0 ; |pSecurity = NULL
00497662 |. E8 19F0F6FF call <jmp.&kernel32.CreateThread> ; \CreateThread: key point, the check runs in a newly created thread
对00497028进行跟进
; Thread routine crackme.00497028 (excerpt: the listing stops before the value is compared with the entered serial).
; As shown, it builds a number from three inputs: the name, the current date formatted as "yyyy-mm-dd-hh",
; and values returned by 0041EB68 (GetPixel per the author) on an object owned by the form.
; Locals as used below: [ebp-8] = year, [ebp-C] = month, [ebp-10] = day, [ebp-14] = hour, [ebp-1C] = name,
; [ebp-4] = running sum.
; NOTE(review): helper roles are inferred from how they are called, not from symbols: 0040A0F4 returns a float
; (presumably the current date/time), 0040AD40 formats it, 00404A08 takes (string, index, count) and returns a
; substring, 00408844 turns a substring into an integer, 004047A8 returns a string's length.
; NOTE(review): every input is local and observable and the result depends on the clock hour, so a check of this
; shape can be recovered completely by static reading; it demonstrates why client-side serial checks are weak.
00497028 /. 55 push ebp
00497029 |. 8BEC mov ebp, esp
0049702B |. B9 07000000 mov ecx, 7 ; 7 iterations x 2 pushes = 14 zeroed dwords of locals
00497030 |> 6A 00 /push 0
00497032 |. 6A 00 |push 0
00497034 |. 49 |dec ecx
00497035 |.^ 75 F9 \jnz short 00497030
00497037 |. 51 push ecx ; ecx is 0 here: one more zeroed dword
00497038 |. 53 push ebx
00497039 |. 56 push esi
0049703A |. 57 push edi
0049703B |. 33C0 xor eax, eax ; eax = 0, so fs:[eax] below is fs:[0]
0049703D |. 55 push ebp
0049703E |. 68 9B734900 push 0049739B ; handler address for the exception frame
00497043 |. 64:FF30 push dword ptr fs:[eax] ; link to the previous exception frame
00497046 |. 64:8920 mov dword ptr fs:[eax], esp ; install the new frame
00497049 |. 8D55 E4 lea edx, dword ptr [ebp-1C] ; destination string for the name
0049704C |. A1 54AD4900 mov eax, dword ptr [49AD54] ; global pointer, presumably the form instance
00497051 |. 8B80 10030000 mov eax, dword ptr [eax+310] ; control at +310
00497057 |. E8 2CEDF9FF call 00435D88 ; read the user name into [ebp-1C]
0049705C |. E8 9330F7FF call 0040A0F4 ; result is left in ST(0), presumably the current date/time
00497061 |. 83C4 F8 add esp, -8 ; /reserve 8 bytes on the stack
00497064 |. DD1C24 fstp qword ptr [esp] ; |Arg1 (8 bytes): the value from ST(0)
00497067 |. 9B wait ; |
00497068 |. 8D55 E8 lea edx, dword ptr [ebp-18] ; |destination string
0049706B |. B8 B4734900 mov eax, 004973B4 ; |yyyy-mm-dd-hh  (format string stored in the target)
00497070 |. E8 CB3CF7FF call 0040AD40 ; \format the date into [ebp-18]
00497075 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00497078 |. 50 push eax ; where the substring is returned
00497079 |. B9 04000000 mov ecx, 4 ; count = 4
0049707E |. BA 01000000 mov edx, 1 ; index = 1
00497083 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; the formatted "yyyy-mm-dd-hh" string
00497086 |. E8 7DD9F6FF call 00404A08 ; year substring -> [ebp-20]
0049708B |. 8B45 E0 mov eax, dword ptr [ebp-20]
0049708E |. E8 B117F7FF call 00408844 ; convert it to an integer
00497093 |. 8945 F8 mov dword ptr [ebp-8], eax ; [ebp-8] = year
00497096 |. 8D45 DC lea eax, dword ptr [ebp-24]
00497099 |. 50 push eax
0049709A |. B9 02000000 mov ecx, 2 ; count = 2
0049709F |. BA 06000000 mov edx, 6 ; index = 6
004970A4 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004970A7 |. E8 5CD9F6FF call 00404A08 ; month substring -> [ebp-24]
004970AC |. 8B45 DC mov eax, dword ptr [ebp-24]
004970AF |. E8 9017F7FF call 00408844
004970B4 |. 8945 F4 mov dword ptr [ebp-C], eax ; [ebp-C] = month
004970B7 |. 8D45 D8 lea eax, dword ptr [ebp-28]
004970BA |. 50 push eax
004970BB |. B9 02000000 mov ecx, 2 ; count = 2
004970C0 |. BA 09000000 mov edx, 9 ; index = 9
004970C5 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004970C8 |. E8 3BD9F6FF call 00404A08 ; day substring -> [ebp-28]
004970CD |. 8B45 D8 mov eax, dword ptr [ebp-28]
004970D0 |. E8 6F17F7FF call 00408844
004970D5 |. 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = day
004970D8 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
004970DB |. 50 push eax
004970DC |. B9 02000000 mov ecx, 2 ; count = 2
004970E1 |. BA 0C000000 mov edx, 0C ; index = 12
004970E6 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004970E9 |. E8 1AD9F6FF call 00404A08 ; hour substring -> [ebp-2C]
004970EE |. 8B45 D4 mov eax, dword ptr [ebp-2C]
004970F1 |. E8 4E17F7FF call 00408844
004970F6 |. 8945 EC mov dword ptr [ebp-14], eax ; [ebp-14] = hour
004970F9 |. 8B75 F8 mov esi, dword ptr [ebp-8]
004970FC |. 0375 EC add esi, dword ptr [ebp-14] ; esi = year + hour
004970FF |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00497102 |. E8 A1D6F6FF call 004047A8 ; eax = length of the name (used as an index on the next lines)
00497107 |. 8B55 E4 mov edx, dword ptr [ebp-1C]
0049710A |. 0FB64402 FF movzx eax, byte ptr [edx+eax-1] ; last character of the name, zero-extended
0049710F |. 33C6 xor eax, esi ; XOR it with year + hour
00497111 |. 8B15 54AD4900 mov edx, dword ptr [49AD54]
00497117 |. 8B92 04030000 mov edx, dword ptr [edx+304] ; object at +304, the one the pixel values come from
0049711D |. 8B4A 48 mov ecx, dword ptr [edx+48] ; divisor read from object+48 (300 in the author's session)
00497120 |. 99 cdq
00497121 |. F7F9 idiv ecx ; signed divide; only the remainder in edx is kept for the serial
00497123 |. 8BF2 mov esi, edx ; esi = first remainder
00497125 |. 8B7D F4 mov edi, dword ptr [ebp-C]
00497128 |. 037D F0 add edi, dword ptr [ebp-10] ; edi = month + day
0049712B |. 8B45 E4 mov eax, dword ptr [ebp-1C]
0049712E |. E8 75D6F6FF call 004047A8 ; eax = length of the name
00497133 |. 8B55 E4 mov edx, dword ptr [ebp-1C]
00497136 |. 0FB64402 FF movzx eax, byte ptr [edx+eax-1] ; last character of the name again
0049713B |. 33C7 xor eax, edi ; XOR it with month + day (the author's "24" is that day's value, 3 + 21)
0049713D |. 8B15 54AD4900 mov edx, dword ptr [49AD54]
00497143 |. 8B9A 04030000 mov ebx, dword ptr [edx+304]
00497149 |. 99 cdq
0049714A |. F77B 4C idiv dword ptr [ebx+4C] ; divisor read from object+4C (60 in the author's session); the remainder is kept
0049714D |. 8BFA mov edi, edx ; edi = second remainder
0049714F |. 8BC3 mov eax, ebx
00497151 |. E8 A636F9FF call 0042A7FC ; called on the object; its result in eax feeds the next call (presumably a canvas)
00497156 |. 8BCF mov ecx, edi ; second remainder
00497158 |. 8BD6 mov edx, esi ; first remainder
0049715A |. E8 097AF8FF call 0041EB68 ; GetPixel per the author, with the two remainders as arguments; returns the RGB value
0049715F |. 8945 FC mov dword ptr [ebp-4], eax ; the running sum in [ebp-4] starts as this RGB value
00497162 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00497165 |. E8 3ED6F6FF call 004047A8
0049716A |. 8BD8 mov ebx, eax ; ebx = name length, used as the loop index
0049716C |. 83FB 01 cmp ebx, 1
; The loop below walks the name from its last character to its first and is skipped when the length is below 1.
; Its first pass handles the last character, which already seeded [ebp-4] above, so that character counts twice.
0049716F |. 7C 66 jl short 004971D7 按注册名的长度来循环从最后一位开始取每位字母
00497171 |> 8B75 F8 /mov esi, dword ptr [ebp-8] ; year
00497174 |. 0375 EC |add esi, dword ptr [ebp-14] ; esi = year + hour
00497177 |. 8B45 E4 |mov eax, dword ptr [ebp-1C] ; the name string
0049717A |. 33C9 |xor ecx, ecx ; clear ecx so the byte load leaves a zero-extended value
0049717C |. 8A4C18 FF |mov cl, byte ptr [eax+ebx-1] ; character of the name at index ebx
00497180 |. 8BC1 |mov eax, ecx
00497182 |. 33C6 |xor eax, esi ; XOR the character with year + hour
00497184 |. 8B15 54AD4900 |mov edx, dword ptr [49AD54]
0049718A |. 8B92 04030000 |mov edx, dword ptr [edx+304]
00497190 |. 8B72 48 |mov esi, dword ptr [edx+48] ; divisor from object+48 (300 in the author's session)
00497193 |. 99 |cdq
00497194 |. F7FE |idiv esi ; divide the XOR result by it
00497196 |. 8BF2 |mov esi, edx ; esi = remainder
00497198 |. 8B7D F4 |mov edi, dword ptr [ebp-C]
0049719B |. 037D F0 |add edi, dword ptr [ebp-10] ; edi = month + day (24 in the author's session)
0049719E |. 8BC1 |mov eax, ecx ; the same character
004971A0 |. 33C7 |xor eax, edi ; XOR the character with month + day
004971A2 |. 8B15 54AD4900 |mov edx, dword ptr [49AD54]
004971A8 |. 8B92 04030000 |mov edx, dword ptr [edx+304]
004971AE |. 8B4A 4C |mov ecx, dword ptr [edx+4C] ; divisor from object+4C (60 in the author's session); overwrites the character
004971B1 |. 99 |cdq
004971B2 |. F7F9 |idiv ecx ; divide the XOR result by it
004971B4 |. 8BFA |mov edi, edx ; edi = remainder
004971B6 |. A1 54AD4900 |mov eax, dword ptr [49AD54]
004971BB |. 8B80 04030000 |mov eax, dword ptr [eax+304]
004971C1 |. E8 3636F9FF |call 0042A7FC
004971C6 |. 8BCF |mov ecx, edi
004971C8 |. 8BD6 |mov edx, esi
004971CA |. E8 9979F8FF |call 0041EB68 ; GetPixel per the author, with the two remainders as arguments
004971CF |. 0145 FC |add dword ptr [ebp-4], eax ; add the returned value to the running sum
004971D2 |. 4B |dec ebx ; move one character toward the front
004971D3 |. 85DB |test ebx, ebx
004971D5 |.^ 75 9A \jnz short 00497171 ; repeat until the index reaches 0
004971D7 |> 8D55 D0 lea edx, dword ptr [ebp-30] ; presumably the output of the call that follows, outside this excerpt
004971DA |. 8B45 FC mov eax, dword ptr [ebp-4] ; the final sum, which the author identifies as the serial
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年03月21日 21:50:18
【文章作者】: aicode
【软件名称】: xiaohui_82 CrackMe
【下载地址】: http://bbs.pediy.com/showthread.php?s=&threadid=41182
【加壳方式】: 无壳
【编写语言】: Delphi
【使用工具】: OD DeDe Peid
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用peid查了一下,是Delphi写的。因为想练习跟踪算法,就直接拿出DeDe找到关键点跟进:
; Excerpt from the registration button handler (OllyDbg dump, 32-bit x86; the target is a Delphi program per the article).
; Flow shown here: an empty name or an empty serial gets a message and jumps to 00497685, past the thread creation;
; otherwise CreateThread starts the routine at 00497028.
; NOTE(review): helper roles are inferred from how they are used, not from symbols: 00435D88 appears to read a
; control's text into the string that edx points to, and 004047A8 appears to return a string's length.
004975E8 |. E8 9BE7F9FF call 00435D88 ; read the name text (the argument setup lies above this excerpt)
004975ED |. 8B45 F0 mov eax, dword ptr [ebp-10] ; presumably the string just read
004975F0 |. E8 B3D1F6FF call 004047A8 ; eax = length of the name
004975F5 |. 85C0 test eax, eax ; was a name entered?
004975F7 |. 75 17 jnz short 00497610 ; non-empty: go on to the serial
004975F9 |. 6A 00 push 0 ; /Arg1 = 00000000
004975FB |. 66:8B0D AC764>mov cx, word ptr [4976AC] ; |
00497602 |. 33D2 xor edx, edx ; |
00497604 |. B8 B8764900 mov eax, 004976B8 ; |您没有输入用户名\n请输入用户名  (the target's own string: "You did not enter a user name / please enter a user name")
00497609 |. E8 BE18F9FF call 00428ECC ; \crackme.00428ECC
0049760E |. EB 75 jmp short 00497685 ; leave without starting the check
00497610 |> 8D55 EC lea edx, dword ptr [ebp-14] ; destination string for the serial
00497613 |. 8B83 1C030000 mov eax, dword ptr [ebx+31C] ; control at [ebx+31C]
00497619 |. E8 6AE7F9FF call 00435D88 ; read the serial text
0049761E |. 8B45 EC mov eax, dword ptr [ebp-14]
00497621 |. E8 82D1F6FF call 004047A8 ; eax = length of the serial
00497626 |. 85C0 test eax, eax
00497628 |. 75 17 jnz short 00497641 ; was a serial entered? non-empty: continue
0049762A |. 6A 00 push 0 ; /Arg1 = 00000000
0049762C |. 66:8B0D AC764>mov cx, word ptr [4976AC] ; |
00497633 |. 33D2 xor edx, edx ; |
00497635 |. B8 E0764900 mov eax, 004976E0 ; |您没有输入注册号\n请输入注册号  (the target's own string: "You did not enter a serial / please enter a serial")
0049763A |. E8 8D18F9FF call 00428ECC ; \crackme.00428ECC
0049763F |. EB 44 jmp short 00497685 ; leave without starting the check
00497641 |> 8D45 FC lea eax, dword ptr [ebp-4]
00497644 |. 50 push eax ; first push = last CreateThread argument: address that receives the thread id
00497645 |. 6A 00 push 0 ; creation flags = 0
00497647 |. 8D55 E8 lea edx, dword ptr [ebp-18] ; destination string
0049764A |. 8B83 10030000 mov eax, dword ptr [ebx+310] ; control at [ebx+310]
00497650 |. E8 33E7F9FF call 00435D88 ; read that control's text into [ebp-18]
00497655 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; |
00497658 |. 50 push eax ; |pThreadParm
00497659 |. 68 28704900 push 00497028 ; |ThreadFunction = crackme.00497028, the routine that holds the serial algorithm
0049765E |. 6A 00 push 0 ; |StackSize = 0
00497660 |. 6A 00 push 0 ; |pSecurity = NULL
00497662 |. E8 19F0F6FF call <jmp.&kernel32.CreateThread> ; \CreateThread: key point, the check runs in a newly created thread
对00497028进行跟进
; Thread routine crackme.00497028 (excerpt: the listing stops before the value is compared with the entered serial).
; As shown, it builds a number from three inputs: the name, the current date formatted as "yyyy-mm-dd-hh",
; and values returned by 0041EB68 (GetPixel per the author) on an object owned by the form.
; Locals as used below: [ebp-8] = year, [ebp-C] = month, [ebp-10] = day, [ebp-14] = hour, [ebp-1C] = name,
; [ebp-4] = running sum.
; NOTE(review): helper roles are inferred from how they are called, not from symbols: 0040A0F4 returns a float
; (presumably the current date/time), 0040AD40 formats it, 00404A08 takes (string, index, count) and returns a
; substring, 00408844 turns a substring into an integer, 004047A8 returns a string's length.
; NOTE(review): every input is local and observable and the result depends on the clock hour, so a check of this
; shape can be recovered completely by static reading; it demonstrates why client-side serial checks are weak.
00497028 /. 55 push ebp
00497029 |. 8BEC mov ebp, esp
0049702B |. B9 07000000 mov ecx, 7 ; 7 iterations x 2 pushes = 14 zeroed dwords of locals
00497030 |> 6A 00 /push 0
00497032 |. 6A 00 |push 0
00497034 |. 49 |dec ecx
00497035 |.^ 75 F9 \jnz short 00497030
00497037 |. 51 push ecx ; ecx is 0 here: one more zeroed dword
00497038 |. 53 push ebx
00497039 |. 56 push esi
0049703A |. 57 push edi
0049703B |. 33C0 xor eax, eax ; eax = 0, so fs:[eax] below is fs:[0]
0049703D |. 55 push ebp
0049703E |. 68 9B734900 push 0049739B ; handler address for the exception frame
00497043 |. 64:FF30 push dword ptr fs:[eax] ; link to the previous exception frame
00497046 |. 64:8920 mov dword ptr fs:[eax], esp ; install the new frame
00497049 |. 8D55 E4 lea edx, dword ptr [ebp-1C] ; destination string for the name
0049704C |. A1 54AD4900 mov eax, dword ptr [49AD54] ; global pointer, presumably the form instance
00497051 |. 8B80 10030000 mov eax, dword ptr [eax+310] ; control at +310
00497057 |. E8 2CEDF9FF call 00435D88 ; read the user name into [ebp-1C]
0049705C |. E8 9330F7FF call 0040A0F4 ; result is left in ST(0), presumably the current date/time
00497061 |. 83C4 F8 add esp, -8 ; /reserve 8 bytes on the stack
00497064 |. DD1C24 fstp qword ptr [esp] ; |Arg1 (8 bytes): the value from ST(0)
00497067 |. 9B wait ; |
00497068 |. 8D55 E8 lea edx, dword ptr [ebp-18] ; |destination string
0049706B |. B8 B4734900 mov eax, 004973B4 ; |yyyy-mm-dd-hh  (format string stored in the target)
00497070 |. E8 CB3CF7FF call 0040AD40 ; \format the date into [ebp-18]
00497075 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00497078 |. 50 push eax ; where the substring is returned
00497079 |. B9 04000000 mov ecx, 4 ; count = 4
0049707E |. BA 01000000 mov edx, 1 ; index = 1
00497083 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; the formatted "yyyy-mm-dd-hh" string
00497086 |. E8 7DD9F6FF call 00404A08 ; year substring -> [ebp-20]
0049708B |. 8B45 E0 mov eax, dword ptr [ebp-20]
0049708E |. E8 B117F7FF call 00408844 ; convert it to an integer
00497093 |. 8945 F8 mov dword ptr [ebp-8], eax ; [ebp-8] = year
00497096 |. 8D45 DC lea eax, dword ptr [ebp-24]
00497099 |. 50 push eax
0049709A |. B9 02000000 mov ecx, 2 ; count = 2
0049709F |. BA 06000000 mov edx, 6 ; index = 6
004970A4 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004970A7 |. E8 5CD9F6FF call 00404A08 ; month substring -> [ebp-24]
004970AC |. 8B45 DC mov eax, dword ptr [ebp-24]
004970AF |. E8 9017F7FF call 00408844
004970B4 |. 8945 F4 mov dword ptr [ebp-C], eax ; [ebp-C] = month
004970B7 |. 8D45 D8 lea eax, dword ptr [ebp-28]
004970BA |. 50 push eax
004970BB |. B9 02000000 mov ecx, 2 ; count = 2
004970C0 |. BA 09000000 mov edx, 9 ; index = 9
004970C5 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004970C8 |. E8 3BD9F6FF call 00404A08 ; day substring -> [ebp-28]
004970CD |. 8B45 D8 mov eax, dword ptr [ebp-28]
004970D0 |. E8 6F17F7FF call 00408844
004970D5 |. 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = day
004970D8 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
004970DB |. 50 push eax
004970DC |. B9 02000000 mov ecx, 2 ; count = 2
004970E1 |. BA 0C000000 mov edx, 0C ; index = 12
004970E6 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004970E9 |. E8 1AD9F6FF call 00404A08 ; hour substring -> [ebp-2C]
004970EE |. 8B45 D4 mov eax, dword ptr [ebp-2C]
004970F1 |. E8 4E17F7FF call 00408844
004970F6 |. 8945 EC mov dword ptr [ebp-14], eax ; [ebp-14] = hour
004970F9 |. 8B75 F8 mov esi, dword ptr [ebp-8]
004970FC |. 0375 EC add esi, dword ptr [ebp-14] ; esi = year + hour
004970FF |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00497102 |. E8 A1D6F6FF call 004047A8 ; eax = length of the name (used as an index on the next lines)
00497107 |. 8B55 E4 mov edx, dword ptr [ebp-1C]
0049710A |. 0FB64402 FF movzx eax, byte ptr [edx+eax-1] ; last character of the name, zero-extended
0049710F |. 33C6 xor eax, esi ; XOR it with year + hour
00497111 |. 8B15 54AD4900 mov edx, dword ptr [49AD54]
00497117 |. 8B92 04030000 mov edx, dword ptr [edx+304] ; object at +304, the one the pixel values come from
0049711D |. 8B4A 48 mov ecx, dword ptr [edx+48] ; divisor read from object+48 (300 in the author's session)
00497120 |. 99 cdq
00497121 |. F7F9 idiv ecx ; signed divide; only the remainder in edx is kept for the serial
00497123 |. 8BF2 mov esi, edx ; esi = first remainder
00497125 |. 8B7D F4 mov edi, dword ptr [ebp-C]
00497128 |. 037D F0 add edi, dword ptr [ebp-10] ; edi = month + day
0049712B |. 8B45 E4 mov eax, dword ptr [ebp-1C]
0049712E |. E8 75D6F6FF call 004047A8 ; eax = length of the name
00497133 |. 8B55 E4 mov edx, dword ptr [ebp-1C]
00497136 |. 0FB64402 FF movzx eax, byte ptr [edx+eax-1] ; last character of the name again
0049713B |. 33C7 xor eax, edi ; XOR it with month + day (the author's "24" is that day's value, 3 + 21)
0049713D |. 8B15 54AD4900 mov edx, dword ptr [49AD54]
00497143 |. 8B9A 04030000 mov ebx, dword ptr [edx+304]
00497149 |. 99 cdq
0049714A |. F77B 4C idiv dword ptr [ebx+4C] ; divisor read from object+4C (60 in the author's session); the remainder is kept
0049714D |. 8BFA mov edi, edx ; edi = second remainder
0049714F |. 8BC3 mov eax, ebx
00497151 |. E8 A636F9FF call 0042A7FC ; called on the object; its result in eax feeds the next call (presumably a canvas)
00497156 |. 8BCF mov ecx, edi ; second remainder
00497158 |. 8BD6 mov edx, esi ; first remainder
0049715A |. E8 097AF8FF call 0041EB68 ; GetPixel per the author, with the two remainders as arguments; returns the RGB value
0049715F |. 8945 FC mov dword ptr [ebp-4], eax ; the running sum in [ebp-4] starts as this RGB value
00497162 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00497165 |. E8 3ED6F6FF call 004047A8
0049716A |. 8BD8 mov ebx, eax ; ebx = name length, used as the loop index
0049716C |. 83FB 01 cmp ebx, 1
; The loop below walks the name from its last character to its first and is skipped when the length is below 1.
; Its first pass handles the last character, which already seeded [ebp-4] above, so that character counts twice.
0049716F |. 7C 66 jl short 004971D7 按注册名的长度来循环从最后一位开始取每位字母
00497171 |> 8B75 F8 /mov esi, dword ptr [ebp-8] ; year
00497174 |. 0375 EC |add esi, dword ptr [ebp-14] ; esi = year + hour
00497177 |. 8B45 E4 |mov eax, dword ptr [ebp-1C] ; the name string
0049717A |. 33C9 |xor ecx, ecx ; clear ecx so the byte load leaves a zero-extended value
0049717C |. 8A4C18 FF |mov cl, byte ptr [eax+ebx-1] ; character of the name at index ebx
00497180 |. 8BC1 |mov eax, ecx
00497182 |. 33C6 |xor eax, esi ; XOR the character with year + hour
00497184 |. 8B15 54AD4900 |mov edx, dword ptr [49AD54]
0049718A |. 8B92 04030000 |mov edx, dword ptr [edx+304]
00497190 |. 8B72 48 |mov esi, dword ptr [edx+48] ; divisor from object+48 (300 in the author's session)
00497193 |. 99 |cdq
00497194 |. F7FE |idiv esi ; divide the XOR result by it
00497196 |. 8BF2 |mov esi, edx ; esi = remainder
00497198 |. 8B7D F4 |mov edi, dword ptr [ebp-C]
0049719B |. 037D F0 |add edi, dword ptr [ebp-10] ; edi = month + day (24 in the author's session)
0049719E |. 8BC1 |mov eax, ecx ; the same character
004971A0 |. 33C7 |xor eax, edi ; XOR the character with month + day
004971A2 |. 8B15 54AD4900 |mov edx, dword ptr [49AD54]
004971A8 |. 8B92 04030000 |mov edx, dword ptr [edx+304]
004971AE |. 8B4A 4C |mov ecx, dword ptr [edx+4C] ; divisor from object+4C (60 in the author's session); overwrites the character
004971B1 |. 99 |cdq
004971B2 |. F7F9 |idiv ecx ; divide the XOR result by it
004971B4 |. 8BFA |mov edi, edx ; edi = remainder
004971B6 |. A1 54AD4900 |mov eax, dword ptr [49AD54]
004971BB |. 8B80 04030000 |mov eax, dword ptr [eax+304]
004971C1 |. E8 3636F9FF |call 0042A7FC
004971C6 |. 8BCF |mov ecx, edi
004971C8 |. 8BD6 |mov edx, esi
004971CA |. E8 9979F8FF |call 0041EB68 ; GetPixel per the author, with the two remainders as arguments
004971CF |. 0145 FC |add dword ptr [ebp-4], eax ; add the returned value to the running sum
004971D2 |. 4B |dec ebx ; move one character toward the front
004971D3 |. 85DB |test ebx, ebx
004971D5 |.^ 75 9A \jnz short 00497171 ; repeat until the index reaches 0
004971D7 |> 8D55 D0 lea edx, dword ptr [ebp-30] ; presumably the output of the call that follows, outside this excerpt
004971DA |. 8B45 FC mov eax, dword ptr [ebp-4] ; the final sum, which the author identifies as the serial
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年03月21日 21:50:18