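【Title】: Super TV (超级电视) 5.2.3 algorithm analysis
【Author】: 坚持到底
【Software】: Super TV (超级电视) 5.2.3
【Size】: 894KB
【Download】: http://www.newhua.com/soft/44942.htm
【Packer】: None
【Protection】: Registration code
【Language】: VB
【Tools】: VBExplorer, OD, PEID
【Platform】: XP SP2
【About the software】: Super TV can receive TV programs and radio stations from many regions; the software
【Author's statement】: This is purely out of interest, with no other purpose. Please point out any mistakes!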
--------------------------------------------------------------------------------
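【Detailed process】
Use VBExplorer to find the address of the "Register Now" (立即注册) button handler and set a breakpoint there.
The software generates a random number and stores it in the file Iotmrd.sys in the root directory. Call this random number A.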
/////////////////////////////////////////////////////////////////////////////////////////////////
Registration code generation routine
/////////////////////////////////////////////////////////////////////////////////////////////////
0045B4BF 90 nop
0045B4C0 55 push ebp
0045B4C1 8BEC mov ebp,esp
0045B4C3 83EC 0C sub esp,0C
0045B4C6 68 A6134000 push <jmp.&MSVBVM50.__vbaExceptHandler>
0045B4CB 64:A1 00000000 mov eax,dword ptr fs:[0]
0045B4D1 50 push eax
0045B4D2 64:8925 00000000 mov dword ptr fs:[0],esp
0045B4D9 81EC EC000000 sub esp,0EC
0045B4DF 53 push ebx
0045B4E0 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
0045B4E3 8BC3 mov eax,ebx
0045B4E5 56 push esi
0045B4E6 83E3 FE and ebx,FFFFFFFE
0045B4E9 57 push edi
0045B4EA 8965 F4 mov dword ptr ss:[ebp-C],esp
0045B4ED 83E0 01 and eax,1
0045B4F0 8B33 mov esi,dword ptr ds:[ebx]
0045B4F2 C745 F8 10134000 mov dword ptr ss:[ebp-8],supernet.00401310
0045B4F9 53 push ebx
0045B4FA 8945 FC mov dword ptr ss:[ebp-4],eax
0045B4FD 895D 08 mov dword ptr ss:[ebp+8],ebx
0045B500 89B5 10FFFFFF mov dword ptr ss:[ebp-F0],esi
0045B506 FF56 04 call dword ptr ds:[esi+4]
0045B509 8BB6 0C030000 mov esi,dword ptr ds:[esi+30C]
0045B50F 33FF xor edi,edi
0045B511 53 push ebx
0045B512 897D E0 mov dword ptr ss:[ebp-20],edi
0045B515 897D DC mov dword ptr ss:[ebp-24],edi
0045B518 897D D8 mov dword ptr ss:[ebp-28],edi
0045B51B 897D D4 mov dword ptr ss:[ebp-2C],edi
0045B51E 897D D0 mov dword ptr ss:[ebp-30],edi
0045B521 897D CC mov dword ptr ss:[ebp-34],edi
0045B524 897D C8 mov dword ptr ss:[ebp-38],edi
0045B527 897D C4 mov dword ptr ss:[ebp-3C],edi
0045B52A 897D B4 mov dword ptr ss:[ebp-4C],edi
0045B52D 897D A4 mov dword ptr ss:[ebp-5C],edi
0045B530 897D 94 mov dword ptr ss:[ebp-6C],edi
0045B533 897D 84 mov dword ptr ss:[ebp-7C],edi
0045B536 89BD 74FFFFFF mov dword ptr ss:[ebp-8C],edi
0045B53C 89BD 64FFFFFF mov dword ptr ss:[ebp-9C],edi
0045B542 89BD 40FFFFFF mov dword ptr ss:[ebp-C0],edi
0045B548 89B5 0CFFFFFF mov dword ptr ss:[ebp-F4],esi
0045B54E FFD6 call esi
0045B550 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0045B553 50 push eax
0045B554 51 push ecx
0045B555 FF15 2C024600 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet
0045B55B 8B10 mov edx,dword ptr ds:[eax]
0045B55D 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0045B560 51 push ecx
0045B561 50 push eax
0045B562 8985 3CFFFFFF mov dword ptr ss:[ebp-C4],eax
0045B568 FF92 A0000000 call dword ptr ds:[edx+A0]
0045B56E 3BC7 cmp eax,edi
0045B570 7D 18 jge short supernet.0045B58A
0045B572 8B95 3CFFFFFF mov edx,dword ptr ss:[ebp-C4]
0045B578 68 A0000000 push 0A0
0045B57D 68 10894000 push supernet.00408910
0045B582 52 push edx
0045B583 50 push eax
0045B584 FF15 08024600 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; MSVBVM50.__vbaHresultCheckObj
0045B58A 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0045B58D 50 push eax
0045B58E 68 C88A4000 push supernet.00408AC8
0045B593 FF15 7C024600 call dword ptr ds:[<&MSVBVM50.__vbaStrCmp>] ; MSVBVM50.__vbaStrCmp
0045B599 F7D8 neg eax
0045B59B 1BC0 sbb eax,eax
0045B59D 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0045B5A0 F7D8 neg eax
0045B5A2 F7D8 neg eax
0045B5A4 8985 34FFFFFF mov dword ptr ss:[ebp-CC],eax
0045B5AA FF15 5C034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
0045B5B0 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0045B5B3 FF15 58034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; MSVBVM50.__vbaFreeObj
0045B5B9 66:39BD 34FFFFFF cmp word ptr ss:[ebp-CC],di
0045B5C0 0F84 500A0000 je supernet.0045C016
0045B5C6 53 push ebx
0045B5C7 FF95 0CFFFFFF call dword ptr ss:[ebp-F4]
0045B5CD 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0045B5D0 50 push eax
0045B5D1 51 push ecx
0045B5D2 FF15 2C024600 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet
0045B5D8 8B10 mov edx,dword ptr ds:[eax]
0045B5DA 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0045B5DD 51 push ecx
0045B5DE 50 push eax
0045B5DF 8985 3CFFFFFF mov dword ptr ss:[ebp-C4],eax
0045B5E5 FF92 A0000000 call dword ptr ds:[edx+A0]
0045B5EB 3BC7 cmp eax,edi
0045B5ED 7D 18 jge short supernet.0045B607
0045B5EF 8B95 3CFFFFFF mov edx,dword ptr ss:[ebp-C4]
0045B5F5 68 A0000000 push 0A0
0045B5FA 68 10894000 push supernet.00408910
0045B5FF 52 push edx
0045B600 50 push eax
0045B601 FF15 08024600 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; MSVBVM50.__vbaHresultCheckObj
0045B607 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0045B60A 50 push eax
0045B60B FF15 DC014600 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>] ; MSVBVM50.__vbaLenBstr
0045B611 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0045B614 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax
0045B61A BE 01000000 mov esi,1
0045B61F FF15 5C034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
0045B625 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0045B628 FF15 58034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; MSVBVM50.__vbaFreeObj
0045B62E 3BB5 20FFFFFF cmp esi,dword ptr ss:[ebp-E0]
0045B634 0F8F A6000000 jg supernet.0045B6E0
0045B63A 53 push ebx
0045B63B FF95 0CFFFFFF call dword ptr ss:[ebp-F4]
0045B641 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0045B644 50 push eax
0045B645 51 push ecx
0045B646 FF15 2C024600 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet
0045B64C 8B45 C8 mov eax,dword ptr ss:[ebp-38]
0045B64F 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
0045B652 8945 BC mov dword ptr ss:[ebp-44],eax
0045B655 52 push edx
0045B656 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0045B659 56 push esi
0045B65A 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0045B65D 50 push eax
0045B65E 51 push ecx
0045B65F C745 AC 01000000 mov dword ptr ss:[ebp-54],1
0045B666 C745 A4 02000000 mov dword ptr ss:[ebp-5C],2
0045B66D C745 C8 00000000 mov dword ptr ss:[ebp-38],0
0045B674 C745 B4 09000000 mov dword ptr ss:[ebp-4C],9
0045B67B FF15 68024600 call dword ptr ds:[<&MSVBVM50.#632>] ; MSVBVM50.rtcMidCharVar
0045B681 8D55 94 lea edx,dword ptr ss:[ebp-6C]
0045B684 8D45 E0 lea eax,dword ptr ss:[ebp-20]
0045B687 52 push edx
0045B688 50 push eax
0045B689 FF15 CC024600 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>] ; MSVBVM50.__vbaStrVarVal
0045B68F 50 push eax
0045B690 FF15 F8014600 call dword ptr ds:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
0045B696 0FBFC8 movsx ecx,ax
0045B699 03CF add ecx,edi ; // add to the running sum of the user name's ASCII codes, into ecx
0045B69B 0F80 850A0000 jo supernet.0045C126
0045B6A1 8BF9 mov edi,ecx
0045B6A3 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0045B6A6 FF15 5C034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
0045B6AC 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0045B6AF FF15 58034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; MSVBVM50.__vbaFreeObj
0045B6B5 8D55 94 lea edx,dword ptr ss:[ebp-6C]
0045B6B8 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0045B6BB 52 push edx
0045B6BC 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
0045B6BF 50 push eax
0045B6C0 51 push ecx
0045B6C1 6A 03 push 3
0045B6C3 FF15 E8014600 call dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
0045B6C9 B8 01000000 mov eax,1
0045B6CE 83C4 10 add esp,10
0045B6D1 03C6 add eax,esi
0045B6D3 0F80 4D0A0000 jo supernet.0045C126
0045B6D9 8BF0 mov esi,eax
0045B6DB ^ E9 4EFFFFFF jmp supernet.0045B62E
0045B6E0 A1 10E04500 mov eax,dword ptr ds:[45E010]
0045B6E5 85C0 test eax,eax
0045B6E7 75 19 jnz short supernet.0045B702
0045B6E9 8B1D E0024600 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaNew2>] ; MSVBVM50.__vbaNew2
0045B6EF 68 10E04500 push supernet.0045E010
0045B6F4 68 1C634000 push supernet.0040631C
0045B6F9 FFD3 call ebx
0045B6FB A1 10E04500 mov eax,dword ptr ds:[45E010]
0045B700 EB 06 jmp short supernet.0045B708
0045B702 8B1D E0024600 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaNew2>] ; MSVBVM50.__vbaNew2
0045B708 85C0 test eax,eax
0045B70A 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax
0045B710 75 11 jnz short supernet.0045B723
0045B712 68 10E04500 push supernet.0045E010
0045B717 68 1C634000 push supernet.0040631C
0045B71C FFD3 call ebx
0045B71E A1 10E04500 mov eax,dword ptr ds:[45E010]
0045B723 8B10 mov edx,dword ptr ds:[eax]
0045B725 50 push eax
0045B726 FF92 00030000 call dword ptr ds:[edx+300]
0045B72C 50 push eax
0045B72D 8D45 C8 lea eax,dword ptr ss:[ebp-38]
0045B730 50 push eax
0045B731 FF15 2C024600 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet
0045B737 8BF0 mov esi,eax
0045B739 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0045B73C 52 push edx
0045B73D 56 push esi
0045B73E 8B0E mov ecx,dword ptr ds:[esi]
0045B740 FF91 A0000000 call dword ptr ds:[ecx+A0]
0045B746 85C0 test eax,eax
0045B748 7D 12 jge short supernet.0045B75C
0045B74A 68 A0000000 push 0A0
0045B74F 68 10894000 push supernet.00408910
0045B754 56 push esi
0045B755 50 push eax
0045B756 FF15 08024600 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; MSVBVM50.__vbaHresultCheckObj
0045B75C A1 10E04500 mov eax,dword ptr ds:[45E010]
0045B761 85C0 test eax,eax
0045B763 75 11 jnz short supernet.0045B776
0045B765 68 10E04500 push supernet.0045E010
0045B76A 68 1C634000 push supernet.0040631C
0045B76F FFD3 call ebx
0045B771 A1 10E04500 mov eax,dword ptr ds:[45E010]
0045B776 8B08 mov ecx,dword ptr ds:[eax]
0045B778 50 push eax
0045B779 FF91 00030000 call dword ptr ds:[ecx+300]
0045B77F 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0045B782 50 push eax
0045B783 52 push edx
(N lines of code omitted)
0045B784 FF15 2C024600 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet
0045B78A 8BF0 mov esi,eax
0045B78C 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0045B78F 51 push ecx
0045B790 56 push esi
0045B791 8B06 mov eax,dword ptr ds:[esi]
0045B793 FF90 A0000000 call dword ptr ds:[eax+A0]
0045B799 85C0 test eax,eax
0045B79B 7D 12 jge short supernet.0045B7AF
0045B79D 68 A0000000 push 0A0
0045B7A2 68 10894000 push supernet.00408910
0045B7A7 56 push esi
0045B7A8 50 push eax
0045B7A9 FF15 08024600 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; MSVBVM50.__vbaHresultCheckObj
0045B7AF 8B95 2CFFFFFF mov edx,dword ptr ss:[ebp-D4]
0045B7B5 8B45 DC mov eax,dword ptr ss:[ebp-24]
0045B7B8 50 push eax
0045B7B9 8B1A mov ebx,dword ptr ds:[edx]
0045B7BB FF15 60034600 call dword ptr ds:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0045B7C1 FF15 24034600 call dword ptr ds:[<&MSVBVM50.__vbaFpI4>] ; MSVBVM50.__vbaFpI4
0045B7C7 99 cdq
0045B7C8 B9 E8030000 mov ecx,3E8 ; // A %= 3E8, call the result B
0045B7CD F7F9 idiv ecx
0045B7CF 8BF2 mov esi,edx
0045B7D1 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0045B7D4 52 push edx
0045B7D5 FF15 60034600 call dword ptr ds:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0045B7DB FF15 24034600 call dword ptr ds:[<&MSVBVM50.__vbaFpI4>] ; MSVBVM50.__vbaFpI4
0045B7E1 99 cdq
0045B7E2 B9 E8030000 mov ecx,3E8 ; // A %= 3E8, call the result C
0045B7E7 F7F9 idiv ecx
0045B7E9 0FAFF2 imul esi,edx ; // B*C, call the result D
0045B7EC 0F80 34090000 jo supernet.0045C126
0045B7F2 03F7 add esi,edi ; // D += sum of the user name's ASCII codes
0045B7F4 0F80 2C090000 jo supernet.0045C126
0045B7FA 83C6 02 add esi,2 ; // D+=2
0045B7FD 0F80 23090000 jo supernet.0045C126
0045B803 46 inc esi ; // D++; converted to decimal, this is the registration code
0045B804 0F80 1C090000 jo supernet.0045C126
0045B80A 56 push esi
0045B80B 8BB5 2CFFFFFF mov esi,dword ptr ss:[ebp-D4]
0045B811 56 push esi
0045B812 FF93 04070000 call dword ptr ds:[ebx+704]
0045B818 85C0 test eax,eax
(N lines of code omitted)
0045B8D1 56 push esi
0045B8D2 50 push eax
0045B8D3 FF15 08024600 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; MSVBVM50.__vbaHresultCheckObj
0045B8D9 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0045B8DC 52 push edx
0045B8DD FF15 60034600 call dword ptr ds:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0045B8E3 FF15 5C024600 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>] ; MSVBVM50.__vbaFpR8
0045B8E9 DB85 40FFFFFF fild dword ptr ss:[ebp-C0]
0045B8EF DD9D 04FFFFFF fstp qword ptr ss:[ebp-FC]
0045B8F5 DC9D 04FFFFFF fcomp qword ptr ss:[ebp-FC] ; // compare the real registration code with the entered one
0045B8FB DFE0 fstsw ax
0045B8FD F6C4 40 test ah,40
0045B900 74 07 je short supernet.0045B909
0045B902 BE 01000000 mov esi,1
0045B907 EB 02 jmp short supernet.0045B90B
0045B909 33F6 xor esi,esi
0045B90B 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0045B90E FF15 5C034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
/////////////////////////////////////////////////////////////////////////////////////////////////
Serial number generation routine
/////////////////////////////////////////////////////////////////////////////////////////////////
A string search turns up the file name Iotmrd.sys, so set a breakpoint here.
0042135A 51 push ecx
0042135B 52 push edx
0042135C C745 AC 00000000 mov dword ptr ss:[ebp-54],0
00421363 89BD 7CFFFFFF mov dword ptr ss:[ebp-84],edi
00421369 FF15 68024600 call dword ptr ds:[<&MSVBVM50.#632>] ; MSVBVM50.rtcMidCharVar
0042136F 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-A4]
00421375 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4]
0042137B 50 push eax
0042137C 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-B4]
00421382 51 push ecx
00421383 52 push edx
00421384 C785 34FFFFFF 288A40>mov dword ptr ss:[ebp-CC],supernet.00408A28 ; UNICODE "\Iotmrd.sys"
0042138E 89BD 2CFFFFFF mov dword ptr ss:[ebp-D4],edi
00421394 8D5E 34 lea ebx,dword ptr ds:[esi+34]
00421397 FF15 14034600 call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>] ; MSVBVM50.__vbaVarAdd
0042139D 50 push eax
0042139E FF15 D8014600 call dword ptr ds:[<&MSVBVM50.__vbaStrVarMove>] ; MSVBVM50.__vbaStrVarMove
004213A4 8BD0 mov edx,eax
004213A6 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004213A9 FF15 30034600 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove
004213AF 8B3D F8024600 mov edi,dword ptr ds:[<&MSVBVM50.__vbaStrCopy>] ; MSVBVM50.__vbaStrCopy
004213B5 8BD0 mov edx,eax
004213B7 8BCB mov ecx,ebx
004213B9 FFD7 call edi
004213BB 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004213BE FF15 5C034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
004213C4 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004213C7 FF15 58034600 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; MSVBVM50.__vbaFreeObj
004213CD 8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-B4]
004213D3 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4]
004213D9 50 push eax
004213DA 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
004213E0 51 push ecx
004213E1 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
004213E7 52 push edx
004213E8 50 push eax
004213E9 6A 04 push 4
004213EB FF15 E8014600 call dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
004213F1 83C4 14 add esp,14
004213F4 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004213FA 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
00421400 C745 84 00000000 mov dword ptr ss:[ebp-7C],0
00421407 51 push ecx
00421408 68 FF000000 push 0FF
0042140D 52 push edx
0042140E C785 7CFFFFFF 020000>mov dword ptr ss:[ebp-84],2
00421418 FF15 C0024600 call dword ptr ds:[<&MSVBVM50.#607>] ; MSVBVM50.rtcStringVar
0042141E 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
00421424 50 push eax
00421425 FF15 D8014600 call dword ptr ds:[<&MSVBVM50.__vbaStrVarMove>] ; MSVBVM50.__vbaStrVarMove
0042142B 8BD0 mov edx,eax
0042142D 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00421430 FF15 30034600 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove
00421436 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
0042143C 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00421442 51 push ecx
00421443 52 push edx
00421444 6A 02 push 2
00421446 FF15 E8014600 call dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
0042144C 8B03 mov eax,dword ptr ds:[ebx]
0042144E 8B1D 18034600 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaStrToAnsi>] ; MSVBVM50.__vbaStrToAnsi
00421454 83C4 0C add esp,0C
00421457 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
0042145A 50 push eax
0042145B 51 push ecx
0042145C FFD3 call ebx
0042145E 8B55 B4 mov edx,dword ptr ss:[ebp-4C]
00421461 50 push eax
00421462 68 00010000 push 100
00421467 52 push edx
00421468 8D45 A0 lea eax,dword ptr ss:[ebp-60]
0042146B 50 push eax
0042146C FFD3 call ebx
00421EE9 D99D 14FFFFFF fstp dword ptr ss:[ebp-EC]
00421EEF D985 14FFFFFF fld dword ptr ss:[ebp-EC]
00421EF5 D80D 28104000 fmul dword ptr ds:[401028]
00421EFB DFE0 fstsw ax
00421EFD A8 0D test al,0D
00421EFF 0F85 C83E0000 jnz supernet.00425DCD
00421F05 FF15 38034600 call dword ptr ds:[<&MSVBVM50.__vbaR8IntI4>] ; MSVBVM50.__vbaR8IntI4
00421F0B 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
00421F11 8BD8 mov ebx,eax
00421F13 FF15 D4014600 call dword ptr ds:[<&MSVBVM50.__vbaFreeVar>] ; MSVBVM50.__vbaFreeVar
00421F19 8BCB mov ecx,ebx
00421F1B 8B16 mov edx,dword ptr ds:[esi]
00421F1D 0FAFCB imul ecx,ebx ; // random number A *= A;
00421F20 0F80 AC3E0000 jo supernet.00425DD2
00421F26 81C1 40420F00 add ecx,0F4240 ; // then add 0F4240 to the result to get the serial number
00421F2C 56 push esi ;
00421F2D 0F80 9F3E0000 jo supernet.00425DD2
00421F33 FF92 00030000 call dword ptr ds:[edx+300]
00421F39 50 push eax
00421F3A 8D45 98 lea eax,dword ptr ss:[ebp-68]
00421F3D 50 push eax
00421F3E FF15 2C024600 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet
00421F44 8B10 mov edx,dword ptr ds:[eax]
00421F46 53 push ebx
00421F47 8985 10FFFFFF mov dword ptr ss:[ebp-F0],eax
00421F4D 8995 8CFEFFFF mov dword ptr ss:[ebp-174],edx
00421F53 FF15 D0014600 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>] ; MSVBVM50.__vbaStrI4
00421F59 8BD0 mov edx,eax
00421F5B 8D4D AC lea ecx,dword ptr ss:[ebp-54]
--------------------------------------------------------------------------------
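【Summary】
In summary:
The software randomly generates a number, call it A,
and stores it in the file Iotmrd.sys in the root directory of the install drive. Mine, for example, is at
E:\Iotmrd.sys
The file contents look like this:
[MyApp]
pt1=5949 // random number
pt2=Q
Form1Top= 2580
Form1Left= 2250
Form1Height= 11400
Form1Width= 14400
pt3= // registration code
pt4= // user name
A=A*A
A+=F4240
Converted to decimal, this is the serial number.
The registration code is (random number % 3e8), squared, plus the sum of the user name's ASCII codes, plus 3, converted to decimal.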
--------------------------------------------------------------------------------
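【Copyright notice】: This article was originally published on the Kanxue (看雪) technical forum. When reposting, please credit the author and keep the article intact. Thank you!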
2007-03-26 22:02:36