[原创]****专家 V7.0 算法分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]****专家 V7.0 算法分析

发表于: 2007-4-6 15:48 33507

[原创]****专家 V7.0 算法分析

壹只老虎

2007-4-6 15:48

33507

【文章标题】: 屏幕录像专家 V7.0 Build 20070328 算法分析
【文章作者】: 壹只老虎
【作者邮箱】: tiger..tiger@163.com
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  前言：
  呵呵，大家好，很久没写文章了，感觉手都好生疏了，3月28号在天空找了个****专家(****专家 V7.0 Build 20070328),这东西不错，我有时候也用来做教程。既然有新版本，那我们就来分析一下吧。

  废话：
  下载下来，安装，OK,国际惯例，PEID 查壳，发现是这个：Borland C++ 1999 [Overlay]，好像没有壳，大吃一惊，呵呵，不大相信，再FI一下，再次增加了我破解的信心。运行下看看。出现了欢迎界面，不喜欢这东西，发现有一个机器码的东西，我凭良心说，我怕这个机器码的东西，后来的经历，证明了我的这种恐惧是正确的，好了，我们“注册”，弹出来一个窗体，叫'注册'窗体，里面有3个输入的地方，其中机器码那里已经被填写好了(怎么算得我还不知道)，用户名那里我们可以输入，我就写"tiger"，试验码我输入:"12345678"(后来才发现这里需要是数据才行的)，我们"确定",弹出提示框"注册失败，请检查你的输入是否有误。"，非常好，正是我喜欢的，好了，C32ASM导入查找字符串；输入"注册失败",找到一些有用的信息：如下：
  00443495    注册成功，谢谢您的支持
  00443D8D    注册失败，你输入的注册码不支持此新版本
  00442FBC    注册失败，请检查你的输入是否有误
  00442122    注册失败，请检查你的输入是否有误
  00443E14    注册失败，请检查你的输入是否有误
  好了，非常好，OD载入，进入在这几个地方下断点，然后写注释。
  (说明，对于Borland C++或者Borland Delphi写的程序，可以使用dede来找到相关按钮的点击事件处理代码的偏移，这个软件也是可以的，这里我就不写了，后面会写到的，用dede可以发现"确定"按钮的事件处理代码开始位置是00442E88)

  稍微分析一下：
  刚才说到在注册提示信息的那几个地方下断点了，但是按钮点击事件处理是在他们上面的，所以我们往上面找，找到开始位置，是这里了：看下面
  00442E88       55             push ebp                      ; 开始分析
  00442E89       8BEC             mov ebp,esp
  00442E8B       81C4 A0FAFFFF    add esp,-560
  00442E91       53             push ebx
  00442E92       56             push esi
  00442E93       57             push edi

  好了，断点下好了，我们运行起来吧，输入注册名:tiger,试验码：1234567890
  "确定"。很好，程序断下来了，在00442E88 ，下面是一段分析过程，很简单。

  00442E88       55             push ebp                      ; 开始分析
  00442E89       8BEC             mov ebp,esp
  00442E8B       81C4 A0FAFFFF    add esp,-560
  00442E91       53             push ebx
  00442E92       56             push esi
  00442E93       57             push edi
  00442E94       8985 30FFFFFF    mov dword ptr ss:[ebp-D0],eax
  00442E9A       B8 506F5300    mov eax,**专家.00536F50
  00442E9F       E8 1CB10B00    call **专家.004FDFC0
  00442EA4       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],8
  00442EAD       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  00442EB0       E8 B7E9FBFF    call **专家.0040186C
  00442EB5       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  00442EBB       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],14
  00442EC4       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],20
  00442ECD       8D45 F8          lea eax,dword ptr ss:[ebp-8]
  00442ED0       E8 97E9FBFF    call **专家.0040186C
  00442ED5       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  00442EDB       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],14
  00442EE4       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],2C
  00442EED       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00442EF0       E8 77E9FBFF    call **专家.0040186C
  00442EF5       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  00442EFB       8D45 F0          lea eax,dword ptr ss:[ebp-10]
  00442EFE       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],14
  00442F07       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],38
  00442F10       8B95 30FFFFFF    mov edx,dword ptr ss:[ebp-D0]
  00442F16       8B9A F8020000    mov ebx,dword ptr ds:[edx+2F8]
  00442F1C       81C3 08020000    add ebx,208
  00442F22       E8 45E9FBFF    call **专家.0040186C
  00442F27       8BD0             mov edx,eax
  00442F29       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  00442F2F       8B03             mov eax,dword ptr ds:[ebx]
  00442F31       8B08             mov ecx,dword ptr ds:[eax]
  00442F33       FF51 1C          call dword ptr ds:[ecx+1C]
  00442F36       8D55 F0          lea edx,dword ptr ss:[ebp-10]
  00442F39       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00442F3C       E8 CF960C00    call **专家.0050C610
  00442F41       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00442F47       8D45 F0          lea eax,dword ptr ss:[ebp-10]
  00442F4A       BA 02000000    mov edx,2
  00442F4F       E8 8C960C00    call **专家.0050C5E0             ; 取试验码到EDX
  00442F54       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],44
  00442F5D       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00442F60       E8 DFEBFBFF    call **专家.00401B44             ; EAX=试验码
  00442F65       50             push eax                            ; 试验码压栈
  00442F66       8D45 EC          lea eax,dword ptr ss:[ebp-14]
  00442F69       8B95 30FFFFFF    mov edx,dword ptr ss:[ebp-D0]
  00442F6F       52             push edx
  00442F70       E8 F7E8FBFF    call **专家.0040186C
  00442F75       50             push eax
  00442F76       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  00442F7C       E8 6F0F0000    call **专家.00443EF0
  00442F81       83C4 0C          add esp,0C
  00442F84       8D55 EC          lea edx,dword ptr ss:[ebp-14]
  00442F87       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00442F8A       E8 81960C00    call **专家.0050C610
  00442F8F       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00442F95       8D45 EC          lea eax,dword ptr ss:[ebp-14]
  00442F98       BA 02000000    mov edx,2
  00442F9D       E8 3E960C00    call **专家.0050C5E0
  00442FA2       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00442FA5       E8 BAAEFFFF    call **专家.0043DE64             ; EAX=试验码长度
  00442FAA       83F8 32          cmp eax,32                         ; 试验码长度是否>=32H
  00442FAD       0F8D 81000000    jge **专家.00443034             ; 这里必须跳走
  00442FB3       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],50
  00442FBC       BA 046B5300    mov edx,**专家.00536B04          ; 注册失败，请检查注册码是否油误

  看到了吧，注册码的长度必须要>=50的，不然就失败了。
  好了，我们继续运行，输入注册信息：
  注册名:tiger, 试验码:123456789012345678901234567890123456789012345678901234567890(一共60位)
  "确定"，程序到达
  00442FAA       83F8 32          cmp eax,32                         ; 试验码长度是否>=32H
  00442FAD       0F8D 81000000    jge **专家.00443034             ; 这里必须跳走
  好了，跳过去了。

  接着分析吧：
  我们来到第2个地方
  00442FC1       8D45 E8          lea eax,dword ptr ss:[ebp-18]
  00442FC4       E8 DF930C00    call **专家.0050C3A8
  00442FC9       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  00442FCF       8B00             mov eax,dword ptr ds:[eax]
  00442FD1       E8 5A2A0800    call **专家.004C5A30
  00442FD6       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00442FDC       8D45 E8          lea eax,dword ptr ss:[ebp-18]
  00442FDF       BA 02000000    mov edx,2
  00442FE4       E8 F7950C00    call **专家.0050C5E0
  00442FE9       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00442FEF       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00442FF2       BA 02000000    mov edx,2
  00442FF7       E8 E4950C00    call **专家.0050C5E0
  00442FFC       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00443002       8D45 F8          lea eax,dword ptr ss:[ebp-8]
  00443005       BA 02000000    mov edx,2
  0044300A       E8 D1950C00    call **专家.0050C5E0
  0044300F       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00443015       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  00443018       BA 02000000    mov edx,2
  0044301D       E8 BE950C00    call **专家.0050C5E0
  00443022       8B8D 34FFFFFF    mov ecx,dword ptr ss:[ebp-CC]
  00443028       64:890D 00000000  mov dword ptr fs:[0],ecx
  0044302F       E9 A10E0000    jmp **专家.00443ED5
  00443034       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00443037       E8 08EBFBFF    call **专家.00401B44             ; EAX=试验码
  0044303C       8BF8             mov edi,eax                         ; EDI=试验码
  0044303E       33C0             xor eax,eax                         ; EAX=0
  00443040       83C9 FF          or ecx,FFFFFFFF
  00443043       8DB5 ACFAFFFF    lea esi,dword ptr ss:[ebp-554]
  00443049       F2:AE          repne scas byte ptr es:[edi]
  0044304B       F7D1             not ecx                            ; ECX=试验码长度+1
  0044304D       2BF9             sub edi,ecx                         ; EDI=试验码
  0044304F       8BD1             mov edx,ecx                         ; EDX=试验码长度+1
  00443051       87F7             xchg edi,esi                         ; ESI=试验码
  00443053       C1E9 02          shr ecx,2
  00443056       8BC7             mov eax,edi
  00443058       F3:A5          rep movs dword ptr es:[edi],dwor>
  0044305A       8BCA             mov ecx,edx
  0044305C       8D85 ACFAFFFF    lea eax,dword ptr ss:[ebp-554]
  00443062       83E1 03          and ecx,3
  00443065       F3:A4          rep movs byte ptr es:[edi],byte > ; 保存试验码到13D95C(堆栈)
  00443067       50             push eax
  00443068       E8 5FAC0B00    call **专家.004FDCCC
  0044306D       8BF0             mov esi,eax
  0044306F       59             pop ecx
  00443070       8D5E FB          lea ebx,dword ptr ds:[esi-5]
  00443073       3BF3             cmp esi,ebx
  00443075       8D841D ACFAFFFF lea eax,dword ptr ss:[ebp+ebx-55>
  0044307C       8985 24FFFFFF    mov dword ptr ss:[ebp-DC],eax
  00443082       7E 21          jle short **专家.004430A5
  00443084       8D56 FB          lea edx,dword ptr ds:[esi-5]
  00443087       8BCB             mov ecx,ebx
  00443089       2BCA             sub ecx,edx
  0044308B       8B85 24FFFFFF    mov eax,dword ptr ss:[ebp-DC]
  00443091       8A10             mov dl,byte ptr ds:[eax]
  00443093       88940D 08FFFFFF mov byte ptr ss:[ebp+ecx-F8],dl
  0044309A       43             inc ebx
  0044309B       FF85 24FFFFFF    inc dword ptr ss:[ebp-DC]
  004430A1       3BF3             cmp esi,ebx
  004430A3    ^ 7F DF          jg short **专家.00443084
  004430A5       8D7E FB          lea edi,dword ptr ds:[esi-5]
  004430A8       8D95 08FFFFFF    lea edx,dword ptr ss:[ebp-F8]
  004430AE       2BDF             sub ebx,edi
  004430B0       8D45 E4          lea eax,dword ptr ss:[ebp-1C]
  004430B3       C6841D 08FFFFFF 0>mov byte ptr ss:[ebp+ebx-F8],0
  004430BB       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],5C
  004430C4       E8 DF920C00    call **专家.0050C3A8
  004430C9       8BD0             mov edx,eax
  004430CB       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  004430D1       8D45 F8          lea eax,dword ptr ss:[ebp-8]
  004430D4       E8 37950C00    call **专家.0050C610
  004430D9       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  004430DF       8D45 E4          lea eax,dword ptr ss:[ebp-1C]
  004430E2       BA 02000000    mov edx,2
  004430E7       E8 F4940C00    call **专家.0050C5E0
  004430EC       57             push edi
  004430ED       8D8D ACFAFFFF    lea ecx,dword ptr ss:[ebp-554]    ; ECX=试验码
  004430F3       51             push ecx                            ; 试验码压栈
  004430F4       A1 F4265500    mov eax,dword ptr ds:[5526F4]
  004430F9       8B10             mov edx,dword ptr ds:[eax]
  004430FB       52             push edx                            ; 压栈
  004430FC       E8 6BB1FFFF    call **专家.0043E26C             ; 用试验码(最后5位不参与运算)计算得
                                                                        ;到一个数->EAX,这里我们需要跟入。
                                                                        ;
  00443101       0FB7C8          movzx ecx,ax                      ; ECX=AX(这个数据有用)
  00443104       8D45 F8          lea eax,dword ptr ss:[ebp-8]
  00443107       8BF1             mov esi,ecx                         ; ESI=ECX
  00443109       83C4 0C          add esp,0C
  0044310C       E8 2F970C00    call **专家.0050C840             ; EAX=试验码最后5位数据
  00443111       3BF0             cmp esi,eax                         ; 比较ESI是否和EAX相等
  00443113       0F84 81000000    je **专家.0044319A                ; 这是第一关,必须跳走
  00443119       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],68
  00443122       BA 256B5300    mov edx,**专家.00536B25          ; 注册失败，请检查注册码是否油误
  00443127       8D45 E0          lea eax,dword ptr ss:[ebp-20]

  跟入0043E26C
  第一个算法分析，的确不知道是怎么算得！我的注册机代码基本和这个汇编代码差不多，如果哪位兄弟能给他精简为循环实现，望指点。设试验码为N位，那么这里对其前N-5进行运算。得到一个数据，和试验码最后5位进行比较，第一个验证，必须相等。
  0043E26C       55             push ebp
  0043E26D       8BEC             mov ebp,esp
  0043E26F       56             push esi
  0043E270       57             push edi
  0043E271       8B75 0C          mov esi,dword ptr ss:[ebp+C]    ; ESI=试验码
  0043E274       33C0             xor eax,eax                   ; EAX=0
  0043E276       33C9             xor ecx,ecx                   ; ECX=0
  0043E278       81F9 6DB20000    cmp ecx,0B26D                   ; ECX=0B26D?
  0043E27E       75 30          jnz short **专家.0043E2B0       ; 不相等就跳
  0043E280       33FF             xor edi,edi                   ; EDI=0
  0043E282       3B7D 10          cmp edi,dword ptr ss:[ebp+10] ; 试验码长度-5和edi比较
  0043E285       7D 29          jge short **专家.0043E2B0       ; >=就跳
  0043E287       41             inc ecx                         ; ecx+1
  0043E288       B2 80          mov dl,80                      ; dl=80H
  0043E28A       F6C4 80          test ah,80
  0043E28D       74 09          je short **专家.0043E298
  0043E28F       03C0             add eax,eax
  0043E291       66:35 2110       xor ax,1021
  0043E295       41             inc ecx
  0043E296       EB 02          jmp short **专家.0043E29A
  0043E298       03C0             add eax,eax
  0043E29A       41             inc ecx
  0043E29B       8416             test byte ptr ds:[esi],dl
  0043E29D       74 04          je short **专家.0043E2A3
  0043E29F       66:35 2110       xor ax,1021
  0043E2A3       D0EA             shr dl,1
  0043E2A5       84D2             test dl,dl
  0043E2A7    ^ 75 E1          jnz short **专家.0043E28A
  0043E2A9       46             inc esi
  0043E2AA       47             inc edi
  0043E2AB       3B7D 10          cmp edi,dword ptr ss:[ebp+10]
  0043E2AE    ^ 7C D7          jl short **专家.0043E287
  0043E2B0       41             inc ecx                            ; ECX+1
  0043E2B1       81F9 A0860100    cmp ecx,186A0                      ; ECX=186A0?
  0043E2B7    ^ 7C BF          jl short **专家.0043E278          ; <就跳
  0043E2B9       5F             pop edi
  0043E2BA       5E             pop esi
  0043E2BB       5D             pop ebp
  0043E2BC       C3             retn

  这里需要说一下的是，怎么调试让这里不跳向失败，我不建议使用暴力手段，因为我怕后面可能会用到这些数据。
  解决方法是：在次注册。把试验码的最后五位改掉，就改成这个比较的地方的esi的10进制数据，其他位不要变。
  如果esi的10进制不足5位，那么在前面加0，补足5位。
  比如试验码可以改为：
  123456789012345678901234567890123456789012345678901234503616
  0044310C       E8 2F970C00    call **专家.0050C840             ; EAX=试验码最后5位数据
  00443111       3BF0             cmp esi,eax                         ; 比较ESI是否和EAX相等
  00443113       0F84 81000000    je **专家.0044319A                ; 这是第一关,必须跳走
  这段算法就不说了，我也说不清楚，反正就这样！嘿嘿！
  继续吧：
  看下一段：
  00443127       8D45 E0          lea eax,dword ptr ss:[ebp-20]
  0044312A       E8 79920C00    call **专家.0050C3A8
  0044312F       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  00443135       8B00             mov eax,dword ptr ds:[eax]
  00443137       E8 F4280800    call **专家.004C5A30
  0044313C       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00443142       8D45 E0          lea eax,dword ptr ss:[ebp-20]
  00443145       BA 02000000    mov edx,2
  0044314A       E8 91940C00    call **专家.0050C5E0
  0044314F       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00443155       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  00443158       BA 02000000    mov edx,2
  0044315D       E8 7E940C00    call **专家.0050C5E0
  00443162       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  00443168       8D45 F8          lea eax,dword ptr ss:[ebp-8]
  0044316B       BA 02000000    mov edx,2
  00443170       E8 6B940C00    call **专家.0050C5E0
  00443175       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  0044317B       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  0044317E       BA 02000000    mov edx,2
  00443183       E8 58940C00    call **专家.0050C5E0
  00443188       8B8D 34FFFFFF    mov ecx,dword ptr ss:[ebp-CC]
  0044318E       64:890D 00000000  mov dword ptr fs:[0],ecx
  00443195       E9 3B0D0000    jmp **专家.00443ED5
  0044319A       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],74
  004431A3       8B15 F4265500    mov edx,dword ptr ds:[5526F4]       ; **专家._MainForm
  004431A9       8D85 ACFAFFFF    lea eax,dword ptr ss:[ebp-554]    ; EAX=试验码
  004431AF       50             push eax
  004431B0       8D45 DC          lea eax,dword ptr ss:[ebp-24]
  004431B3       8B0A             mov ecx,dword ptr ds:[edx]
  004431B5       51             push ecx
  004431B6       E8 B1E6FBFF    call **专家.0040186C
  004431BB       50             push eax
  004431BC       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  004431C2       E8 45B0FCFF    call **专家.0040E20C             ; 关键算法,跟进去(取得一个字符串)
  004431C7       83C4 0C          add esp,0C
  004431CA       8D55 DC          lea edx,dword ptr ss:[ebp-24]
  004431CD       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  004431D0       E8 3B940C00    call **专家.0050C610
  004431D5       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  004431DB       8D45 DC          lea eax,dword ptr ss:[ebp-24]
  004431DE       BA 02000000    mov edx,2

  这一段就需要分析一个算法。
  比较简单的，我们的进去。
  跟入0040E20C：
  0040E20C       55             push ebp
  0040E20D       8BEC             mov ebp,esp
  0040E20F       81C4 08FFFFFF    add esp,-0F8
  0040E215       53             push ebx
  0040E216       56             push esi                      ; 上一个算法的结果压栈
  0040E217       B8 3C145300    mov eax,**专家.0053143C
  0040E21C       E8 9FFD0E00    call **专家.004FDFC0
  0040E221       66:C745 E0 0800 mov word ptr ss:[ebp-20],8
  0040E227       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  0040E22A       E8 3D36FFFF    call **专家.0040186C
  0040E22F       FF45 EC          inc dword ptr ss:[ebp-14]
  0040E232       66:C745 E0 1400 mov word ptr ss:[ebp-20],14
  0040E238       6A 28          push 28
  0040E23A       8B55 10          mov edx,dword ptr ss:[ebp+10]  ; EDX=试验码
  0040E23D       52             push edx                      ; 试验码压栈
  0040E23E       8D8D 6CFFFFFF    lea ecx,dword ptr ss:[ebp-94]
  0040E244       51             push ecx
  0040E245       E8 DEF80E00    call **专家.004FDB28
  0040E24A       8A85 6EFFFFFF    mov al,byte ptr ss:[ebp-92] ; 下面这段在将试验码前40位的指定位互换
  0040E250       8A55 92          mov dl,byte ptr ss:[ebp-6E]
  0040E253       8895 6EFFFFFF    mov byte ptr ss:[ebp-92],dl
  0040E259       8845 92          mov byte ptr ss:[ebp-6E],al ; 第3位和第39位互换
  0040E25C       8A85 70FFFFFF    mov al,byte ptr ss:[ebp-90]
  0040E262       8A55 85          mov dl,byte ptr ss:[ebp-7B]
  0040E265       8895 70FFFFFF    mov byte ptr ss:[ebp-90],dl
  0040E26B       8845 85          mov byte ptr ss:[ebp-7B],al ; 第5位和第26位互换
  0040E26E       8A85 75FFFFFF    mov al,byte ptr ss:[ebp-8B] ; AL=试验码第10位
  0040E274       8A55 8B          mov dl,byte ptr ss:[ebp-75] ; DL=试验码第32位
  0040E277       8895 75FFFFFF    mov byte ptr ss:[ebp-8B],dl ; 试验码第10位=DL
  0040E27D       83C4 0C          add esp,0C
  0040E280       33DB             xor ebx,ebx                   ; EBX=0，循环的计数器
  0040E282       8845 8B          mov byte ptr ss:[ebp-75],al ; [EBP-75]=AL(交换前的第10位)
  0040E285       8DB5 6CFFFFFF    lea esi,dword ptr ss:[ebp-94]  ; ESI=试验码第一位的地址
  0040E28B       8A06             mov al,byte ptr ds:[esi]    ; AL=逐位取试验码
  0040E28D       43             inc ebx                      ; EBX=EBX+1
  0040E28E       46             inc esi                      ; ESI=ESI+1
  0040E28F       8885 08FFFFFF    mov byte ptr ss:[ebp-F8],al ; [EBP-F8]=AL
  0040E295       8D45 F8          lea eax,dword ptr ss:[ebp-8] ; EAX=[EBP-8]
  0040E298       8A16             mov dl,byte ptr ds:[esi]    ; dL=取下一位试验码
  0040E29A       8895 09FFFFFF    mov byte ptr ss:[ebp-F7],dl ; [EBP-F7]=DL
  0040E2A0       8D95 08FFFFFF    lea edx,dword ptr ss:[ebp-F8]  ; EDX=[EBP-F8]=上面取得这两个字符
  0040E2A6       C685 0AFFFFFF 00  mov byte ptr ss:[ebp-F6],0
  0040E2AD       66:C745 E0 2000 mov word ptr ss:[ebp-20],20
  0040E2B3       E8 F0E00F00    call **专家.0050C3A8
  0040E2B8       8BD0             mov edx,eax
  0040E2BA       FF45 EC          inc dword ptr ss:[ebp-14]
  0040E2BD       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  0040E2C0       E8 4BE30F00    call **专家.0050C610
  0040E2C5       FF4D EC          dec dword ptr ss:[ebp-14]
  0040E2C8       8D45 F8          lea eax,dword ptr ss:[ebp-8]
  0040E2CB       BA 02000000    mov edx,2                   ; EDX=2
  0040E2D0       E8 0BE30F00    call **专家.0050C5E0
  0040E2D5       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  0040E2D8       E8 63E50F00    call **专家.0050C840       ; 将EDX的字符串转换为数据保存到EAX
  0040E2DD       8BD3             mov edx,ebx                   ; EDX=EBX
  0040E2DF       D1FA             sar edx,1                   ; EDX DIV 2
  0040E2E1       79 03          jns short **专家.0040E2E6 ; EDX=0就跳
  0040E2E3       83D2 00          adc edx,0
  0040E2E6       03C2             add eax,edx                   ; EAX=EAX+EDX
  0040E2E8       43             inc ebx                      ; EBX+1
  0040E2E9       83C0 09          add eax,9                   ; EAX+9
  0040E2EC       46             inc esi                      ; ESI+1
  0040E2ED       83FB 28          cmp ebx,28                   ; 是否遍历结束
  0040E2F0       888415 6CFFFFFF mov byte ptr ss:[ebp+edx-94],a>; 交换后的字符串从第1位开始用AL覆盖
  0040E2F7    ^ 7C 92          jl short **专家.0040E28B    ;
  0040E2F9       C645 80 00       mov byte ptr ss:[ebp-80],0    ; 上面结果的下一位=0
  0040E2FD       66:C745 E0 2C00 mov word ptr ss:[ebp-20],2C
  0040E303       8D95 6CFFFFFF    lea edx,dword ptr ss:[ebp-94]  ; EDX=上面的结果字符串的首指针
  0040E309       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  0040E30C       E8 97E00F00    call **专家.0050C3A8
  0040E311       8BD0             mov edx,eax
  0040E313       FF45 EC          inc dword ptr ss:[ebp-14]
  0040E316       8B45 08          mov eax,dword ptr ss:[ebp+8]
  0040E319       E8 F2E20F00    call **专家.0050C610
  0040E31E       8B45 08          mov eax,dword ptr ss:[ebp+8]
  0040E321       BA 02000000    mov edx,2
  0040E326       66:C745 E0 3800 mov word ptr ss:[ebp-20],38
  0040E32C       50             push eax
  0040E32D       8D45 F4          lea eax,dword ptr ss:[ebp-C]
  0040E330       FF4D EC          dec dword ptr ss:[ebp-14]
  0040E333       E8 A8E20F00    call **专家.0050C5E0
  0040E338       FF4D EC          dec dword ptr ss:[ebp-14]
  0040E33B       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  0040E33E       BA 02000000    mov edx,2
  0040E343       E8 98E20F00    call **专家.0050C5E0
  0040E348       58             pop eax
  0040E349       66:C745 E0 2C00 mov word ptr ss:[ebp-20],2C
  0040E34F       FF45 EC          inc dword ptr ss:[ebp-14]
  0040E352       8B55 D0          mov edx,dword ptr ss:[ebp-30]
  0040E355       64:8915 00000000  mov dword ptr fs:[0],edx
  0040E35C       5E             pop esi
  0040E35D       5B             pop ebx
  0040E35E       8BE5             mov esp,ebp
  0040E360       5D             pop ebp
  0040E361       C3             retn

  总结一下上面这个循环的作用是:对已经做过位交换处理的试验码，对其前20位重新计算覆盖，生成新的字符串，设他为str
  具体算法看注册机。

  我们继续分析下一段：
  004431C7       83C4 0C          add esp,0C
  004431CA       8D55 DC          lea edx,dword ptr ss:[ebp-24]
  004431CD       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  004431D0       E8 3B940C00    call **专家.0050C610
  004431D5       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  004431DB       8D45 DC          lea eax,dword ptr ss:[ebp-24]
  004431DE       BA 02000000    mov edx,2
  004431E3       E8 F8930C00    call **专家.0050C5E0
  004431E8       6A 14          push 14
  004431EA       6A 00          push 0
  004431EC       8D8D F0FEFFFF    lea ecx,dword ptr ss:[ebp-110]
  004431F2       51             push ecx
  004431F3       E8 A0A90B00    call **专家.004FDB98
  004431F8       83C4 0C          add esp,0C
  004431FB       33FF             xor edi,edi
  004431FD       6A 14          push 14
  004431FF       6A 00          push 0
  00443201       8D85 08FFFFFF    lea eax,dword ptr ss:[ebp-F8]
  00443207       50             push eax
  00443208       E8 8BA90B00    call **专家.004FDB98
  0044320D       83C4 0C          add esp,0C
  00443210       8D95 C4FEFFFF    lea edx,dword ptr ss:[ebp-13C]
  00443216       6A 14          push 14
  00443218       6A 00          push 0
  0044321A       52             push edx
  0044321B       E8 78A90B00    call **专家.004FDB98
  00443220       83C4 0C          add esp,0C
  00443223       66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],80
  0044322C       8D45 D8          lea eax,dword ptr ss:[ebp-28]
  0044322F       E8 38E6FBFF    call **专家.0040186C
  00443234       8BD0             mov edx,eax
  00443236       FF85 50FFFFFF    inc dword ptr ss:[ebp-B0]
  0044323C       8B8D 30FFFFFF    mov ecx,dword ptr ss:[ebp-D0]
  00443242       8B81 DC020000    mov eax,dword ptr ds:[ecx+2DC]
  00443248       E8 FB7B0800    call **专家.004CAE48
  0044324D       8D45 D8          lea eax,dword ptr ss:[ebp-28]
  00443250       E8 EFE8FBFF    call **专家.00401B44          ; 取用户名
  00443255       57             push edi
  00443256       8BF8             mov edi,eax                   ; EDI=用户名
  00443258       33C0             xor eax,eax
  0044325A       83C9 FF          or ecx,FFFFFFFF
  0044325D       F2:AE          repne scas byte ptr es:[edi]
  0044325F       F7D1             not ecx                      ; ECX=注册名长度+1
  00443261       2BF9             sub edi,ecx
  00443263       8DB5 C4FEFFFF    lea esi,dword ptr ss:[ebp-13C]
  00443269       87F7             xchg edi,esi                ; ESI=用户名
  0044326B       8BD1             mov edx,ecx                   ; EDX=ECX
  0044326D       8BC7             mov eax,edi
  0044326F       C1E9 02          shr ecx,2                   ; ECX=ECX DIV 4
  00443272       8D45 D8          lea eax,dword ptr ss:[ebp-28]
  00443275       F3:A5          rep movs dword ptr es:[edi],dw>
  00443277       8BCA             mov ecx,edx                   ; ECX=EDX
  00443279       BA 02000000    mov edx,2                   ; EDX=2
  0044327E       83E1 03          and ecx,3                   ; ECX=ECX AND 3
  00443281       F3:A4          rep movs byte ptr es:[edi],byt>; 用户名保存
  00443283       5F             pop edi
  00443284       FF8D 50FFFFFF    dec dword ptr ss:[ebp-B0]
  0044328A       E8 51930C00    call **专家.0050C5E0
  0044328F       C685 D7FEFFFF 00  mov byte ptr ss:[ebp-129],0
  00443296       8B85 30FFFFFF    mov eax,dword ptr ss:[ebp-D0]
  0044329C       05 00030000    add eax,300

  这一段没什么好说的，略过，

  继续下一段：
  0044329C       05 00030000    add eax,300
  004432A1       E8 9EE8FBFF    call **专家.00401B44          ; 注意这里EAX里面出来一组数据(后来发现                                                                      ;这组数据是很早以前就算好了的，
                                                                     ;怎么算出来的，马上讨论)
  004432A6       57             push edi                         ; 设这组数据为s1(字符串数据)
  004432A7       8BF8             mov edi,eax                      ; EDI=s1
  004432A9       33C0             xor eax,eax                      ; EAX=0
  004432AB       83C9 FF          or ecx,FFFFFFFF
  004432AE       F2:AE          repne scas byte ptr es:[edi]
  004432B0       F7D1             not ecx                         ; ECX=s1长度+1
  004432B2       2BF9             sub edi,ecx
  004432B4       8DB5 F0FEFFFF    lea esi,dword ptr ss:[ebp-110]
  004432BA       87F7             xchg edi,esi                      ; ESI=s1
  004432BC       8BD1             mov edx,ecx                      ; EDX=ECX
  004432BE       8BC7             mov eax,edi                      ; EAX=EDI
  004432C0       C1E9 02          shr ecx,2                         ; ECX=ECX DIV 4
  004432C3       8D85 F0FEFFFF    lea eax,dword ptr ss:[ebp-110]
  004432C9       F3:A5          rep movs dword ptr es:[edi],dword >; EAX=s1
  004432CB       8BCA             mov ecx,edx                      ; ECX=EDX
  004432CD       8D95 C4FEFFFF    lea edx,dword ptr ss:[ebp-13C]    ; EDX=用户名
  004432D3       83E1 03          and ecx,3                         ; ECX=ECX AND 3
  004432D6       F3:A4          rep movs byte ptr es:[edi],byte pt>
  004432D8       5F             pop edi
  004432D9       8985 20FFFFFF    mov dword ptr ss:[ebp-E0],eax    ; 保存s1到[EBP-E0]
  004432DF       8995 24FFFFFF    mov dword ptr ss:[ebp-DC],edx    ; 保存用户名到[EBP-DC]
  004432E5       8DB5 08FFFFFF    lea esi,dword ptr ss:[ebp-F8]
  004432EB       33DB             xor ebx,ebx                      ; EBX=0,下面循环的计数器
  004432ED       8B8D 24FFFFFF    mov ecx,dword ptr ss:[ebp-DC]    ; ECX=注册名
  004432F3       8B95 20FFFFFF    mov edx,dword ptr ss:[ebp-E0]    ; EDX=s1
  004432F9       8A01             mov al,byte ptr ds:[ecx]          ; AL=按位取注册名
  004432FB       3202             xor al,byte ptr ds:[edx]          ; AL=AL XOR s1的指定位
  004432FD       83C4 F8          add esp,-8
  00443300       8806             mov byte ptr ds:[esi],al          ; 把al写入以esi开始的内存地址
  00443302       0FBE0E          movsx ecx,byte ptr ds:[esi]       ; ECX=AL
  00443305       898D A8FAFFFF    mov dword ptr ss:[ebp-558],ecx    ; [EBP-558]=ECX
  0044330B       DB85 A8FAFFFF    fild dword ptr ss:[ebp-558]       ; 装载ECX到ST0
  00443311       DD1C24          fstp qword ptr ss:[esp]
  00443314       E8 97190C00    call **专家.00504CB0
  00443319       83C4 08          add esp,8
  0044331C       899D A4FAFFFF    mov dword ptr ss:[ebp-55C],ebx
  00443322       DB85 A4FAFFFF    fild dword ptr ss:[ebp-55C]       ; 压入计数器
  00443328       DEC9             fmulp st(1),st                   ; ST0=ST0*ST1=ECX*计数器
  0044332A       89BD A0FAFFFF    mov dword ptr ss:[ebp-560],edi    ; [EBP-560]=EDI
  00443330       DB85 A0FAFFFF    fild dword ptr ss:[ebp-560]       ; 压入[EBP-560]
  00443336       DEC1             faddp st(1),st                   ; ST1=ST1+ST0
  00443338       E8 9B190C00    call **专家.00504CD8                ; 保存ST0的16进制到EAX
  0044333D       8BF8             mov edi,eax                      ; EDI=EAX
  0044333F       43             inc ebx                         ; EBX+1
  00443340       46             inc esi                         ; ESI+1
  00443341       FF85 20FFFFFF    inc dword ptr ss:[ebp-E0]       ; 字符串指针后移一位
  00443347       FF85 24FFFFFF    inc dword ptr ss:[ebp-DC]       ; 用户名字符串指针后移一位
  0044334D       83FB 14          cmp ebx,14                      ; 是否结束？
  00443350    ^ 7C 9B          jl short **专家.004432ED
  00443352       81C7 39300000    add edi,3039                      ; X=edi=edi+3039H
  00443358       8D95 08FFFFFF    lea edx,dword ptr ss:[ebp-F8]    ; edx=s1经处理后的字符串
  0044335E       57             push edi
  0044335F       68 466B5300    push **专家.00536B46          ; ASCII "%d"
  00443364       52             push edx
  00443365       E8 7ADF0B00    call **专家.005012E4
  0044336A       83C4 0C          add esp,0C
  0044336D       8D45 FC          lea eax,dword ptr ss:[ebp-4]
  00443370       E8 CFE7FBFF    call **专家.00401B44

登录后可查看完整内容

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・11

免费・7

支持

最新回复 (53) 1 2 3 ▶
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 2 楼这段代码虽然不难，但是里面突然蹦出一个莫名其妙的数据，就是我们叫他s1的那个东西，我开始也觉得晕，就快要到头了，发现那个"欢迎界面"的机器码还没有用到,没用就没用吧,更好,但是直觉告诉(别砸我,其实是猜的,呵呵)我,这个s1不会那么简单,肯定和硬件还是有关系的,先解决这个硬件码的问题吧. 说说我的跟踪思路,很笨的方法,追了很久才追到,思路就是,追他到天边!;) (也许有兄弟会觉得这个字符串是个固定的字符串,我其实也期望这样,但是理想与现实总是有一段差距的.呵呵!) 先跟入--->00401B44.看看再说 00401B44 8338 00 cmp dword ptr ds:[eax],0 00401B47 74 04 je short 屏录专家.00401B4D 00401B49 8B00 mov eax,dword ptr ds:[eax] ;在这里发现字符串地址在036FDA4C 00401B4B EB 05 jmp short 屏录专家.00401B52 00401B4D B8 51505200 mov eax,屏录专家.00525051 00401B52 C3 retn 这是证明: ds:[036C7C08]=036FDA4C, (ASCII "24237270606580267567") eax=036C7C08 第一次郁闷,字符串是被复制过来的,没办法哦,继续追踪036FDA4C, 接下来怎么办呢? 怎么追踪这个036FDA4C什么时候被写入的呢? 第二次郁闷一下!如果你也郁闷了,建议休息一下!嘿嘿! 郁闷之后接着工作吧,搞破解的,需要恒心和耐心,永不放弃的精神. 我对自己说,加油,胜利就在眼前. 我带着试一试的心理,想看看那个数据("24237270606580267567")在显示注册窗口的时候是否已经被写入, OK,说干就干.下什么断点呢,打开dede吧,找注册窗口的事件信息,发现这个 FormShow 00444054 好的,我们去那里下断点,看看!运行下. OK,我们让它断在了00444054地址处,数据窗口跟随到以036C0000开始的虚拟地址,搜索下"24237270606580267567",发现已经存在.(注意:位置可能不是036FDA4C). 第三次郁闷了,再把时间提前一点,在注册窗体显示之前是"欢迎界面"的"注册"按钮点击事件,(别弄混了,不是"注册窗口"的"确定"按钮点击事件哦,还是用dede找!),看看那个时候有没有生成那个数据. 试了几次后知道是button2,事件是Button2Click,事件处理地址是00444398. (我开始还以为是button3呢),在00444398,下断点,运行程序,点击下"注册",程序断在00444398, 好了,数据窗口跟随到以036C0000开始的虚拟地址,搜索下"24237270606580267567",发现不存在. 非常好,成功又进了一步了.我们继续分析是在哪里给跑出来的. 我们到了这里 00444481 E8 5A810C00 call 屏录专家.0050C5E0 发现,这个call之后,发现EDX里面出现了我们在"欢迎界面"里面看到的机器码,非常好!黑黑!(不过好像没什么用,哪来好看的,呵呵) 注意注意:不是"24237270606580267567" 在004444A1 E8 B270FEFF call 屏录专家.0042B558 这个CALL之后,我发现, 以036C0000开始的虚拟地址,搜索下"24237270606580267567",发现已经存在,在此之前不存在 (问我是怎么知道是这里在出现的阿,呵呵!很简单,每过一个CALL,我就搜索一下,看看存在么, 前面都是失败了,就这里成功了,所以,我就知道这个CALL就是和硬件码有关的一个CALL, 如果兄弟们有什么好的办法来定位,请指教,谢谢) 再来,我们需要跟入这个CALL,所以我们再来一次,在这个CALL上面f7跟进去看看. 发现 0042B567 E8 542A0D00 call 屏录专家.004FDFC0 0042B56C 8D83 6C130000 lea eax,dword ptr ds:[ebx+136C] 0042B572 8B50 34 mov edx,dword ptr ds:[eax+34] 0042B575 81C2 9AB1FFFF add edx,FFFFB19A 这个add语句之后, edx里面出现了"24237270606580267567",以036C0000开始的虚拟地址中是没有的, 看看字符串的地址是: 00B607E0 现在怎么办?我也不知道. 第4次郁闷了,这样吧,看看"欢迎窗口"创建完之后,00B607E0这个虚拟地址的上下文中有没有我们要找的东西吧, 说实话,我都快崩溃了,还不是看运气. 试验结果是这样的: OD运行程序,主界面运行好之后,不做任何操作,发现,以00B40000开始的虚拟地址中,发现了我们要找的东西,非常好, 证明这个数据是在此之前就算好的,我们再想想什么事件居然在这个之前呢,很简单,窗体创建事件,显示事件好吧,继续DEDE, 找到"欢迎界面"窗体创建显示事件的代码开始位置(没有写窗体创建事件的代码).004446E0. 我们去那里下断点.运行程序.断在了004446E0. 以00B40000开始的虚拟地址,搜索下"24237270606580267567",发现已经存在,晕了. 奇怪了,不可能阿,其实我也觉得不可能了. 但是还是有两种可能: 1:这个数据串为固定值 2:还有一些事件在此之前. 排除法,我选第2种可能,因为第一种可能是有点夸张的.呵呵! 还记得我们写程序的时候么,那个主窗体是最先创建的,呵呵! 看看dede里面,果然有一个叫MainForm的东西(不是那个欢迎窗口哦),呵呵,好说了. 看看他的窗体的事件.FormCreate---->0040BE2C.还有一个FormShow事件,那个先不考虑, 看看FormCreate事件里面都作了些什么哈.在0040BE2C处下断点.运行程序,成功断下. 慢慢分析吧,一次又一次的搜索,我发现,就是在这里生成机器码的, 看下面的分析吧,如果觉得累了,就休息下吧,我其实也有点累了. 0040BE2C 55 push ebp 0040BE2D 8BEC mov ebp,esp 0040BE2F 81C4 B8F6FFFF add esp,-948 0040BE35 53 push ebx 0040BE36 56 push esi 0040BE37 57 push edi 0040BE38 8985 C8FEFFFF mov dword ptr ss:[ebp-138],eax 0040BE3E B8 48735200 mov eax,屏录专家.00527348 0040BE43 E8 78210F00 call 屏录专家.004FDFC0 0040BE48 68 F0020000 push 2F0 0040BE4D E8 9E130F00 call 屏录专家.004FD1F0 0040BE52 59 pop ecx 0040BE53 8945 FC mov dword ptr ss:[ebp-4],eax 0040BE56 85C0 test eax,eax 0040BE58 74 21 je short 屏录专家.0040BE7B 0040BE5A 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],14 0040BE63 8B55 FC mov edx,dword ptr ss:[ebp-4] 0040BE66 52 push edx 0040BE67 E8 E0EA0700 call 屏录专家.0048A94C 0040BE6C 59 pop ecx 0040BE6D 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],8 0040BE76 8B4D FC mov ecx,dword ptr ss:[ebp-4] 0040BE79 EB 03 jmp short 屏录专家.0040BE7E 0040BE7B 8B4D FC mov ecx,dword ptr ss:[ebp-4] 0040BE7E 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040BE84 8988 B00B0000 mov dword ptr ds:[eax+BB0],ecx 0040BE8A 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040BE90 52 push edx 0040BE91 E8 D2470200 call 屏录专家.00430668 0040BE96 59 pop ecx 0040BE97 33DB xor ebx,ebx 0040BE99 8AD8 mov bl,al 0040BE9B 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040BEA1 8998 B80B0000 mov dword ptr ds:[eax+BB8],ebx 0040BEA7 85DB test ebx,ebx 0040BEA9 75 36 jnz short 屏录专家.0040BEE1 0040BEAB 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],20 0040BEB4 BA FE315200 mov edx,屏录专家.005231FE 0040BEB9 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040BEBC E8 E7041000 call 屏录专家.0050C3A8 0040BEC1 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BEC7 8B00 mov eax,dword ptr ds:[eax] 0040BEC9 E8 629B0B00 call 屏录专家.004C5A30 0040BECE FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BED4 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040BED7 BA 02000000 mov edx,2 0040BEDC E8 FF061000 call 屏录专家.0050C5E0 0040BEE1 C705 042C5500 1C1>mov dword ptr ds:[552C04],屏录专家.0040191C 0040BEEB 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040BEF1 33C0 xor eax,eax 0040BEF3 8981 000C0000 mov dword ptr ds:[ecx+C00],eax 0040BEF9 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040BEFF C682 0C0C0000 01 mov byte ptr ds:[edx+C0C],1 0040BF06 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040BF0C 51 push ecx 0040BF0D E8 E2180000 call 屏录专家.0040D7F4 0040BF12 59 pop ecx 0040BF13 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040BF19 C680 FC170000 01 mov byte ptr ds:[eax+17FC],1 0040BF20 68 61325200 push 屏录专家.00523261 ; ASCII "PMLXZJ" 0040BF25 6A 00 push 0 0040BF27 6A 00 push 0 0040BF29 E8 50481100 call <jmp.&KERNEL32.CreateMutexA> 0040BF2E A3 F82B5500 mov dword ptr ds:[552BF8],eax 0040BF33 E8 12491100 call <jmp.&KERNEL32.GetLastError> 0040BF38 3D B7000000 cmp eax,0B7 0040BF3D 75 3E jnz short 屏录专家.0040BF7D 0040BF3F 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],2C 0040BF48 BA 68325200 mov edx,屏录专家.00523268 0040BF4D 8D45 F4 lea eax,dword ptr ss:[ebp-C] 0040BF50 E8 53041000 call 屏录专家.0050C3A8 0040BF55 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BF5B 8B00 mov eax,dword ptr ds:[eax] 0040BF5D E8 CE9A0B00 call 屏录专家.004C5A30 0040BF62 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BF68 8D45 F4 lea eax,dword ptr ss:[ebp-C] 0040BF6B BA 02000000 mov edx,2 0040BF70 E8 6B061000 call 屏录专家.0050C5E0 0040BF75 6A 01 push 1 0040BF77 E8 70AF0F00 call 屏录专家.00506EEC 0040BF7C 59 pop ecx 0040BF7D 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],38 0040BF86 8D45 F0 lea eax,dword ptr ss:[ebp-10] 0040BF89 E8 DE58FFFF call 屏录专家.0040186C 0040BF8E 8BD0 mov edx,eax 0040BF90 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BF96 8B0D 80275500 mov ecx,dword ptr ds:[552780] ; 屏录专家.005596A4 0040BF9C 8B01 mov eax,dword ptr ds:[ecx] 0040BF9E E8 49EF0A00 call 屏录专家.004BAEEC 0040BFA3 8D55 F0 lea edx,dword ptr ss:[ebp-10] 0040BFA6 8D45 EC lea eax,dword ptr ss:[ebp-14] 0040BFA9 8B0A mov ecx,dword ptr ds:[edx] 0040BFAB 51 push ecx 0040BFAC E8 BB58FFFF call 屏录专家.0040186C 0040BFB1 8BD0 mov edx,eax 0040BFB3 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BFB9 58 pop eax 0040BFBA E8 C1780E00 call 屏录专家.004F3880 0040BFBF 8D55 EC lea edx,dword ptr ss:[ebp-14] 0040BFC2 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040BFC8 81C3 00180000 add ebx,1800 0040BFCE 8BC3 mov eax,ebx 0040BFD0 E8 3B061000 call 屏录专家.0050C610 0040BFD5 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BFDB 8D45 EC lea eax,dword ptr ss:[ebp-14] 0040BFDE BA 02000000 mov edx,2 0040BFE3 E8 F8051000 call 屏录专家.0050C5E0 0040BFE8 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BFEE 8D45 F0 lea eax,dword ptr ss:[ebp-10] 0040BFF1 BA 02000000 mov edx,2 0040BFF6 E8 E5051000 call 屏录专家.0050C5E0 0040BFFB 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C001 51 push ecx 0040C002 E8 41190000 call 屏录专家.0040D948 ; 跟进去,里面会产生一个用于计算硬件码的数据 0040C007 59 pop ecx 0040C008 6A 28 push 28 0040C00A E8 85130F00 call 屏录专家.004FD394 0040C00F 59 pop ecx 0040C010 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C016 8982 D40B0000 mov dword ptr ds:[edx+BD4],eax 0040C01C 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],44 0040C025 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 0040C028 E8 3F58FFFF call 屏录专家.0040186C 0040C02D 50 push eax 0040C02E FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C034 BA 97325200 mov edx,屏录专家.00523297 ; ASCII "ly.exe" 0040C039 8D45 E8 lea eax,dword ptr ss:[ebp-18] 0040C03C E8 67031000 call 屏录专家.0050C3A8 0040C041 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C047 8D55 E8 lea edx,dword ptr ss:[ebp-18] 0040C04A 8BC3 mov eax,ebx 0040C04C 59 pop ecx 0040C04D E8 E6051000 call 屏录专家.0050C638 0040C052 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 0040C055 8B00 mov eax,dword ptr ds:[eax] 0040C057 E8 64760E00 call 屏录专家.004F36C0 0040C05C 84C0 test al,al 0040C05E 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 0040C061 0F94C2 sete dl 0040C064 83E2 01 and edx,1 0040C067 52 push edx 0040C068 BA 02000000 mov edx,2 0040C06D FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C073 E8 68051000 call 屏录专家.0050C5E0 0040C078 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C07E 8D45 E8 lea eax,dword ptr ss:[ebp-18] 0040C081 BA 02000000 mov edx,2 0040C086 E8 55051000 call 屏录专家.0050C5E0 0040C08B 59 pop ecx 0040C08C 84C9 test cl,cl 0040C08E 74 50 je short 屏录专家.0040C0E0 0040C090 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],50 0040C099 BA 9E325200 mov edx,屏录专家.0052329E 0040C09E 8D45 E0 lea eax,dword ptr ss:[ebp-20] 0040C0A1 E8 02031000 call 屏录专家.0050C3A8 0040C0A6 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C0AC 8B00 mov eax,dword ptr ds:[eax] 0040C0AE E8 7D990B00 call 屏录专家.004C5A30 0040C0B3 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C0B9 8D45 E0 lea eax,dword ptr ss:[ebp-20] 0040C0BC BA 02000000 mov edx,2 0040C0C1 E8 1A051000 call 屏录专家.0050C5E0 0040C0C6 6A 01 push 1 0040C0C8 E8 1FAE0F00 call 屏录专家.00506EEC 0040C0CD 59 pop ecx 0040C0CE 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-134] 0040C0D4 64:890D 00000000 mov dword ptr fs:[0],ecx 0040C0DB E9 0C170000 jmp 屏录专家.0040D7EC 0040C0E0 68 BC325200 push 屏录专家.005232BC ; ASCII "PMLXZJRECORDER{A8B0ADB7-ECB6-4D8F-829A-F050181A6510}" 0040C0E5 6A 00 push 0 0040C0E7 E8 A44D1100 call <jmp.&USER32.FindWindowA> 0040C0EC 85C0 test eax,eax 0040C0EE 74 70 je short 屏录专家.0040C160 0040C0F0 50 push eax 0040C0F1 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C0F7 50 push eax 0040C0F8 E8 F7180000 call 屏录专家.0040D9F4 0040C0FD 83C4 08 add esp,8 0040C100 68 F1325200 push 屏录专家.005232F1 ; ASCII "PMLXZJRECORDER{A8B0ADB7-ECB6-4D8F-829A-F050181A6510}" 0040C105 6A 00 push 0 0040C107 E8 844D1100 call <jmp.&USER32.FindWindowA> 0040C10C 85C0 test eax,eax 0040C10E 74 50 je short 屏录专家.0040C160 0040C110 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],5C 0040C119 BA 26335200 mov edx,屏录专家.00523326 0040C11E 8D45 DC lea eax,dword ptr ss:[ebp-24] 0040C121 E8 82021000 call 屏录专家.0050C3A8 0040C126 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C12C 8B00 mov eax,dword ptr ds:[eax] 0040C12E E8 FD980B00 call 屏录专家.004C5A30 0040C133 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C139 8D45 DC lea eax,dword ptr ss:[ebp-24] 0040C13C BA 02000000 mov edx,2 0040C141 E8 9A041000 call 屏录专家.0050C5E0 0040C146 6A 01 push 1 0040C148 E8 9FAD0F00 call 屏录专家.00506EEC 0040C14D 59 pop ecx 0040C14E 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-134] 0040C154 64:890D 00000000 mov dword ptr fs:[0],ecx 0040C15B E9 8C160000 jmp 屏录专家.0040D7EC 0040C160 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C166 50 push eax 0040C167 E8 B8180000 call 屏录专家.0040DA24 0040C16C 59 pop ecx 0040C16D 6A 00 push 0 0040C16F E8 62501100 call <jmp.&OLE32.CoInitialize> 0040C174 6A 00 push 0 0040C176 6A 00 push 0 0040C178 6A 00 push 0 0040C17A 6A 03 push 3 0040C17C 6A 04 push 4 0040C17E 6A 00 push 0 0040C180 6A 00 push 0 0040C182 6A FF push -1 0040C184 6A 00 push 0 0040C186 E8 51501100 call <jmp.&OLE32.CoInitializeSecurity> 0040C18B 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],68 0040C194 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],74 0040C19D 8D55 D4 lea edx,dword ptr ss:[ebp-2C] 0040C1A0 52 push edx 0040C1A1 E8 72220000 call 屏录专家.0040E418 0040C1A6 59 pop ecx 0040C1A7 8D4D D4 lea ecx,dword ptr ss:[ebp-2C] 0040C1AA 51 push ecx 0040C1AB 8385 E8FEFFFF 02 add dword ptr ss:[ebp-118],2 0040C1B2 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040C1B8 81C3 F00B0000 add ebx,0BF0 0040C1BE 53 push ebx 0040C1BF E8 00250000 call 屏录专家.0040E6C4 0040C1C4 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C1CA 83C4 08 add esp,8 0040C1CD FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C1D3 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 0040C1D6 6A 00 push 0 0040C1D8 50 push eax 0040C1D9 E8 5E250000 call 屏录专家.0040E73C 0040C1DE 83C4 08 add esp,8 0040C1E1 8BC3 mov eax,ebx 0040C1E3 E8 7C250000 call 屏录专家.0040E764 0040C1E8 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],0 0040C1F1 E9 56010000 jmp 屏录专家.0040C34C 0040C1F6 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],80 0040C1FF 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],8C 0040C208 8D45 CC lea eax,dword ptr ss:[ebp-34] 0040C20B E8 5C56FFFF call 屏录专家.0040186C 0040C210 50 push eax 0040C211 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C217 BA 42335200 mov edx,屏录专家.00523342 ; ASCII "ly.exe" 0040C21C 8D45 D0 lea eax,dword ptr ss:[ebp-30] 0040C21F E8 84011000 call 屏录专家.0050C3A8 0040C224 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C22A 8D55 D0 lea edx,dword ptr ss:[ebp-30] 0040C22D 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C233 59 pop ecx 0040C234 05 00180000 add eax,1800 0040C239 E8 FA031000 call 屏录专家.0050C638 0040C23E 8D55 CC lea edx,dword ptr ss:[ebp-34] 0040C241 8B02 mov eax,dword ptr ds:[edx] 0040C243 50 push eax 0040C244 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C24A 52 push edx 0040C24B E8 7C180000 call 屏录专家.0040DACC 0040C250 83C4 08 add esp,8 0040C253 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C259 8D45 CC lea eax,dword ptr ss:[ebp-34] 0040C25C BA 02000000 mov edx,2 0040C261 E8 7A031000 call 屏录专家.0050C5E0 0040C266 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C26C 8D45 D0 lea eax,dword ptr ss:[ebp-30] 0040C26F BA 02000000 mov edx,2 0040C274 E8 67031000 call 屏录专家.0050C5E0 0040C279 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],98 0040C282 8D4D C4 lea ecx,dword ptr ss:[ebp-3C] 0040C285 51 push ecx 0040C286 E8 8D210000 call 屏录专家.0040E418 0040C28B 59 pop ecx 0040C28C 8D45 C4 lea eax,dword ptr ss:[ebp-3C] 0040C28F 50 push eax 0040C290 8385 E8FEFFFF 02 add dword ptr ss:[ebp-118],2 0040C297 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040C29D 81C3 F00B0000 add ebx,0BF0 0040C2A3 53 push ebx 0040C2A4 E8 1B240000 call 屏录专家.0040E6C4 0040C2A9 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C2AF 83C4 08 add esp,8 0040C2B2 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C2B8 8D45 C4 lea eax,dword ptr ss:[ebp-3C] 0040C2BB 6A 00 push 0 0040C2BD 50 push eax 0040C2BE E8 79240000 call 屏录专家.0040E73C 0040C2C3 83C4 08 add esp,8 0040C2C6 8BC3 mov eax,ebx 0040C2C8 E8 97240000 call 屏录专家.0040E764 0040C2CD 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],70 0040C2D6 EB 66 jmp short 屏录专家.0040C33E 0040C2D8 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],0A4 0040C2E1 BA 49335200 mov edx,屏录专家.00523349 0040C2E6 8D45 C0 lea eax,dword ptr ss:[ebp-40] 0040C2E9 E8 BA001000 call 屏录专家.0050C3A8 0040C2EE FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C2F4 8B00 mov eax,dword ptr ds:[eax] 0040C2F6 E8 35970B00 call 屏录专家.004C5A30 0040C2FB FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C301 8D45 C0 lea eax,dword ptr ss:[ebp-40] 0040C304 BA 02000000 mov edx,2 0040C309 E8 D2021000 call 屏录专家.0050C5E0 0040C30E 6A 01 push 1 0040C310 E8 D7AB0F00 call 屏录专家.00506EEC 0040C315 59 pop ecx 0040C316 33C9 xor ecx,ecx 0040C318 898D E8FEFFFF mov dword ptr ss:[ebp-118],ecx 0040C31E 8D85 CCFEFFFF lea eax,dword ptr ss:[ebp-134] 0040C324 50 push eax 0040C325 E8 25D80F00 call 屏录专家.00509B4F 0040C32A 59 pop ecx 0040C32B E9 BC140000 jmp 屏录专家.0040D7EC 0040C330 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],88 0040C339 E8 5CD10F00 call 屏录专家.0050949A 0040C33E 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],70 0040C347 E8 4ED10F00 call 屏录专家.0050949A 0040C34C 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C352 52 push edx 0040C353 E8 70180000 call 屏录专家.0040DBC8 0040C358 59 pop ecx 0040C359 68 65335200 push 屏录专家.00523365 ; ASCII "LYSTOPEVENT" 0040C35E 6A 00 push 0 0040C360 6A 00 push 0 0040C362 6A 00 push 0 0040C364 E8 09441100 call <jmp.&KERNEL32.CreateEventA> 0040C369 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C36F 8981 F80B0000 mov dword ptr ds:[ecx+BF8],eax 0040C375 6A 2C push 2C 0040C377 6A 00 push 0 0040C379 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C37F 05 E40C0000 add eax,0CE4 0040C384 50 push eax 0040C385 E8 0E180F00 call 屏录专家.004FDB98 0040C38A 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C390 83C4 0C add esp,0C 0040C393 BF 18265200 mov edi,屏录专家.00522618 ; ASCII "pmlxzjtlx" 0040C398 C782 F80C0000 080>mov dword ptr ds:[edx+CF8],8 0040C3A2 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C3A8 C781 FC0C0000 080>mov dword ptr ds:[ecx+CFC],8 0040C3B2 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C3B8 05 040D0000 add eax,0D04 0040C3BD 8BF0 mov esi,eax 0040C3BF 33C0 xor eax,eax 0040C3C1 83C9 FF or ecx,FFFFFFFF 0040C3C4 F2:AE repne scas byte ptr es:[edi] 0040C3C6 F7D1 not ecx 0040C3C8 2BF9 sub edi,ecx 0040C3CA 8BD1 mov edx,ecx 0040C3CC 87F7 xchg edi,esi 0040C3CE C1E9 02 shr ecx,2 0040C3D1 8BC7 mov eax,edi 0040C3D3 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[es> 0040C3D5 8BCA mov ecx,edx 0040C3D7 8D45 B8 lea eax,dword ptr ss:[ebp-48] 0040C3DA 83E1 03 and ecx,3 0040C3DD F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi] 0040C3DF 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],0B0 0040C3E8 E8 7F54FFFF call 屏录专家.0040186C 0040C3ED 50 push eax 0040C3EE FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C3F4 BA 71335200 mov edx,屏录专家.00523371 ; ASCII "\play.dat" 0040C3F9 8D45 BC lea eax,dword ptr ss:[ebp-44] 0040C3FC E8 A7FF0F00 call 屏录专家.0050C3A8 0040C401 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C407 8D55 BC lea edx,dword ptr ss:[ebp-44] 0040C40A 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040C410 59 pop ecx 0040C411 81C3 00180000 add ebx,1800 0040C417 8BC3 mov eax,ebx 0040C419 E8 1A021000 call 屏录专家.0050C638 0040C41E 8D55 B8 lea edx,dword ptr ss:[ebp-48] 0040C421 8B02 mov eax,dword ptr ds:[edx] 0040C423 50 push eax 0040C424 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C42A 52 push edx 0040C42B E8 AC180000 call 屏录专家.0040DCDC 0040C430 83C4 08 add esp,8 0040C433 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C439 8981 000D0000 mov dword ptr ds:[ecx+D00],eax 0040C43F FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C445 8D45 B8 lea eax,dword ptr ss:[ebp-48] 0040C448 BA 02000000 mov edx,2 0040C44D E8 8E011000 call 屏录专家.0050C5E0 0040C452 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C458 8D45 BC lea eax,dword ptr ss:[ebp-44] 0040C45B BA 02000000 mov edx,2 0040C460 E8 7B011000 call 屏录专家.0050C5E0 0040C465 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C46B 51 push ecx 0040C46C E8 3F190000 call 屏录专家.0040DDB0 ; 机器码生成算法 0040C471 59 pop ecx 跟入0040D948看看,如下: 0040D948 55 push ebp 0040D949 8BEC mov ebp,esp 0040D94B 83C4 D8 add esp,-28 0040D94E B8 B8105300 mov eax,屏录专家.005310B8 0040D953 53 push ebx 0040D954 56 push esi 0040D955 57 push edi 0040D956 E8 65060F00 call 屏录专家.004FDFC0 0040D95B 6A 19 push 19 0040D95D E8 32FA0E00 call 屏录专家.004FD394 0040D962 59 pop ecx 0040D963 8945 D8 mov dword ptr ss:[ebp-28],eax 0040D966 6A 19 push 19 0040D968 6A 00 push 0 0040D96A 8B55 D8 mov edx,dword ptr ss:[ebp-28] 0040D96D 52 push edx 0040D96E E8 25020F00 call 屏录专家.004FDB98 0040D973 83C4 0C add esp,0C 0040D976 66:C745 EC 0800 mov word ptr ss:[ebp-14],8 0040D97C 8B4D D8 mov ecx,dword ptr ss:[ebp-28] 0040D97F 51 push ecx 0040D980 E8 8BC10600 call 屏录专家.00479B10 ; 这里会获取到一组cpu相关的数据，保存到[ebp-28] 0040D985 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; str2生成算法(上面得到的数据为运算的原始数据) 0040D988 59 pop ecx ; 把cpuid相关的一些信息进行异或，最后结果保存到[ebp-28] 0040D989 83C0 04 add eax,4 0040D98C BA 01000000 mov edx,1 0040D991 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D994 8A08 mov cl,byte ptr ds:[eax] 0040D996 42 inc edx 0040D997 300B xor byte ptr ds:[ebx],cl 0040D999 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D99C 8A48 01 mov cl,byte ptr ds:[eax+1] 0040D99F 304B 01 xor byte ptr ds:[ebx+1],cl 0040D9A2 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D9A5 8A48 02 mov cl,byte ptr ds:[eax+2] 0040D9A8 304B 02 xor byte ptr ds:[ebx+2],cl 0040D9AB 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D9AE 8A48 03 mov cl,byte ptr ds:[eax+3] 0040D9B1 83C0 04 add eax,4 0040D9B4 304B 03 xor byte ptr ds:[ebx+3],cl 0040D9B7 83FA 06 cmp edx,6 0040D9BA ^ 7C D5 jl short 屏录专家.0040D991 0040D9BC 66:C745 EC 0000 mov word ptr ss:[ebp-14],0 0040D9C2 EB 0B jmp short 屏录专家.0040D9CF 0040D9C4 66:C745 EC 1000 mov word ptr ss:[ebp-14],10 0040D9CA E8 CBBA0F00 call 屏录专家.0050949A 0040D9CF 8B55 08 mov edx,dword ptr ss:[ebp+8] 0040D9D2 8B45 D8 mov eax,dword ptr ss:[ebp-28] 0040D9D5 05 E8030000 add eax,3E8 0040D9DA 8982 BC130000 mov dword ptr ds:[edx+13BC],eax 0040D9E0 8B4D DC mov ecx,dword ptr ss:[ebp-24] 0040D9E3 64:890D 00000000 mov dword ptr fs:[0],ecx 0040D9EA 5F pop edi 0040D9EB 5E pop esi 0040D9EC 5B pop ebx 0040D9ED 8BE5 mov esp,ebp 0040D9EF 5D pop ebp 0040D9F0 C3 retn 继续跟入:00479B10 00479B10 55 push ebp 00479B11 8BEC mov ebp,esp 00479B13 83C4 E4 add esp,-1C 00479B16 53 push ebx 00479B17 B8 01000000 mov eax,1 ; eax=1 00479B1C 33DB xor ebx,ebx 00479B1E 33C9 xor ecx,ecx 00479B20 33D2 xor edx,edx 00479B22 0FA2 cpuid ; 获取cpuid 00479B24 8955 E4 mov dword ptr ss:[ebp-1C],edx 00479B27 894D E8 mov dword ptr ss:[ebp-18],ecx 00479B2A 8945 EC mov dword ptr ss:[ebp-14],eax 00479B2D B8 03000000 mov eax,3 ; eax=3 00479B32 33DB xor ebx,ebx 00479B34 33C9 xor ecx,ecx 00479B36 33D2 xor edx,edx 00479B38 0FA2 cpuid ; 获取cpuid 00479B3A 8955 F0 mov dword ptr ss:[ebp-10],edx 00479B3D 894D F4 mov dword ptr ss:[ebp-C],ecx 00479B40 895D F8 mov dword ptr ss:[ebp-8],ebx 00479B43 C645 FC 00 mov byte ptr ss:[ebp-4],0 00479B47 6A 19 push 19 00479B49 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 00479B4C 50 push eax 00479B4D 8B55 08 mov edx,dword ptr ss:[ebp+8] 00479B50 52 push edx 00479B51 E8 D23F0800 call 屏录专家.004FDB28 ; 保存上面取得的结果 00479B56 83C4 0C add esp,0C 00479B59 5B pop ebx 00479B5A 8BE5 mov esp,ebp 00479B5C 5D pop ebp 00479B5D C3 retn 好了0040D948 这个CALL 分析完了,总结下,就是获取CPU的信息,然后进行异或运算,得到了一组数据,计为data1 继续分析机器码生成的关键算法吧,累了就先休息下,呵呵. 进入0040DDB0这个call,分析如下: 0040DDB0 55 push ebp 0040DDB1 8BEC mov ebp,esp 0040DDB3 83C4 D4 add esp,-2C 0040DDB6 B8 18125300 mov eax,屏录专家.00531218 0040DDBB 53 push ebx 0040DDBC 56 push esi 0040DDBD 57 push edi 0040DDBE 8B75 08 mov esi,dword ptr ss:[ebp+8] 0040DDC1 E8 FA010F00 call 屏录专家.004FDFC0 0040DDC6 66:C745 E4 0800 mov word ptr ss:[ebp-1C],8 0040DDCC 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DDCF E8 983AFFFF call 屏录专家.0040186C 0040DDD4 FF45 F0 inc dword ptr ss:[ebp-10] 0040DDD7 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040DDDA 66:C745 E4 1400 mov word ptr ss:[ebp-1C],14 0040DDE0 66:C745 E4 2000 mov word ptr ss:[ebp-1C],20 0040DDE6 56 push esi 0040DDE7 E8 803AFFFF call 屏录专家.0040186C 0040DDEC 50 push eax 0040DDED FF45 F0 inc dword ptr ss:[ebp-10] 0040DDF0 E8 03640000 call 屏录专家.004141F8 ; 机器码生成算法，跟进 0040DDF5 83C4 08 add esp,8 0040DDF8 8D55 F8 lea edx,dword ptr ss:[ebp-8] 0040DDFB 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DDFE E8 0DE80F00 call 屏录专家.0050C610 0040DE03 FF4D F0 dec dword ptr ss:[ebp-10] 0040DE06 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040DE09 BA 02000000 mov edx,2 0040DE0E E8 CDE70F00 call 屏录专家.0050C5E0 0040DE13 6A 15 push 15 0040DE15 E8 7AF50E00 call 屏录专家.004FD394 0040DE1A 59 pop ecx 0040DE1B 8BD8 mov ebx,eax 0040DE1D 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DE20 E8 1F3DFFFF call 屏录专家.00401B44 0040DE25 8BF8 mov edi,eax 0040DE27 33C0 xor eax,eax 0040DE29 56 push esi 0040DE2A 83C9 FF or ecx,FFFFFFFF 0040DE2D F2:AE repne scas byte ptr es:[edi] 0040DE2F F7D1 not ecx 0040DE31 2BF9 sub edi,ecx 0040DE33 8BF3 mov esi,ebx 0040DE35 87F7 xchg edi,esi 0040DE37 8BD1 mov edx,ecx 0040DE39 8BC7 mov eax,edi 0040DE3B C1E9 02 shr ecx,2 0040DE3E 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DE41 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[es> 0040DE43 8BCA mov ecx,edx 0040DE45 BA 02000000 mov edx,2 0040DE4A 83E1 03 and ecx,3 0040DE4D F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi] 0040DE4F 5E pop esi 0040DE50 C643 14 00 mov byte ptr ds:[ebx+14],0 0040DE54 81C3 664E0000 add ebx,4E66 0040DE5A 899E A0130000 mov dword ptr ds:[esi+13A0],ebx 0040DE60 FF4D F0 dec dword ptr ss:[ebp-10] 0040DE63 E8 78E70F00 call 屏录专家.0050C5E0 0040DE68 8B4D D4 mov ecx,dword ptr ss:[ebp-2C] 0040DE6B 64:890D 00000000 mov dword ptr fs:[0],ecx 0040DE72 5F pop edi 0040DE73 5E pop esi 0040DE74 5B pop ebx 0040DE75 8BE5 mov esp,ebp 0040DE77 5D pop ebp 0040DE78 C3 retn 继续跟入:004141F8 004141F8 55 push ebp 004141F9 8BEC mov ebp,esp 004141FB 81C4 C0F7FFFF add esp,-840 00414201 B8 30195300 mov eax,屏录专家.00531930 00414206 53 push ebx 00414207 56 push esi 00414208 57 push edi 00414209 8B75 0C mov esi,dword ptr ss:[ebp+C] 0041420C E8 AF9D0E00 call 屏录专家.004FDFC0 00414211 68 00040000 push 400 00414216 6A 00 push 0 00414218 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] 0041421E 52 push edx 0041421F E8 74990E00 call 屏录专家.004FDB98 00414224 83C4 0C add esp,0C 00414227 8D8D C0F7FFFF lea ecx,dword ptr ss:[ebp-840] 0041422D 68 00040000 push 400 00414232 6A 00 push 0 00414234 51 push ecx 00414235 E8 5E990E00 call 屏录专家.004FDB98 0041423A 83C4 0C add esp,0C 0041423D 8D45 C0 lea eax,dword ptr ss:[ebp-40] 00414240 C686 140C0000 01 mov byte ptr ds:[esi+C14],1 00414247 50 push eax 00414248 56 push esi 00414249 E8 5EA40200 call 屏录专家.0043E6AC ; 复制data1(前面取得的cpu信息处理后的数据)到新的地方 0041424E 83C4 08 add esp,8 00414251 80BE 140C0000 01 cmp byte ptr ds:[esi+C14],1 00414258 0F85 63010000 jnz 屏录专家.004143C1 0041425E 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] 00414264 52 push edx 00414265 56 push esi 00414266 E8 ADA40200 call 屏录专家.0043E718 ; 获取硬盘序列号str1 0041426B 83C4 08 add esp,8 0041426E 83F8 FF cmp eax,-1 00414271 0F85 C3000000 jnz 屏录专家.0041433A 00414277 66:C745 DC 0800 mov word ptr ss:[ebp-24],8 0041427D BA E0515200 mov edx,屏录专家.005251E0 00414282 8D45 FC lea eax,dword ptr ss:[ebp-4] 00414285 E8 1E810F00 call 屏录专家.0050C3A8 0041428A FF45 E8 inc dword ptr ss:[ebp-18] 0041428D 8D55 FC lea edx,dword ptr ss:[ebp-4] 00414290 8D9E 100C0000 lea ebx,dword ptr ds:[esi+C10] 00414296 8BC3 mov eax,ebx 00414298 E8 3F840F00 call 屏录专家.0050C6DC 0041429D 50 push eax 0041429E FF4D E8 dec dword ptr ss:[ebp-18] 004142A1 8D45 FC lea eax,dword ptr ss:[ebp-4] 004142A4 BA 02000000 mov edx,2 004142A9 E8 32830F00 call 屏录专家.0050C5E0 004142AE 59 pop ecx 004142AF 84C9 test cl,cl 004142B1 74 33 je short 屏录专家.004142E6 004142B3 8BC3 mov eax,ebx 004142B5 E8 8AD8FEFF call 屏录专家.00401B44 004142BA 8BF8 mov edi,eax 004142BC 33C0 xor eax,eax 004142BE 56 push esi 004142BF 83C9 FF or ecx,FFFFFFFF 004142C2 F2:AE repne scas byte ptr es:[edi] 004142C4 F7D1 not ecx 004142C6 2BF9 sub edi,ecx 004142C8 8DB5 C0FBFFFF lea esi,dword ptr ss:[ebp-440] 004142CE 87F7 xchg edi,esi 004142D0 8BD1 mov edx,ecx 004142D2 8BC7 mov eax,edi 004142D4 C1E9 02 shr ecx,2 004142D7 F3:A5 rep movs dword ptr es:[edi],dword ptr> 004142D9 8BCA mov ecx,edx 004142DB 83E1 03 and ecx,3 004142DE F3:A4 rep movs byte ptr es:[edi],byte ptr d> 004142E0 5E pop esi 004142E1 E9 DB000000 jmp 屏录专家.004143C1 004142E6 66:C745 DC 1400 mov word ptr ss:[ebp-24],14 004142EC BA E1515200 mov edx,屏录专家.005251E1 004142F1 8D45 F8 lea eax,dword ptr ss:[ebp-8] 004142F4 E8 AF800F00 call 屏录专家.0050C3A8 004142F9 FF45 E8 inc dword ptr ss:[ebp-18] 004142FC 8D55 F8 lea edx,dword ptr ss:[ebp-8] 004142FF 8B45 08 mov eax,dword ptr ss:[ebp+8] 00414302 E8 09830F00 call 屏录专家.0050C610 00414307 8B45 08 mov eax,dword ptr ss:[ebp+8] 0041430A BA 02000000 mov edx,2 0041430F 66:C745 DC 2000 mov word ptr ss:[ebp-24],20 00414315 50 push eax 00414316 8D45 F8 lea eax,dword ptr ss:[ebp-8] 00414319 FF4D E8 dec dword ptr ss:[ebp-18] 0041431C E8 BF820F00 call 屏录专家.0050C5E0 00414321 58 pop eax 00414322 66:C745 DC 1400 mov word ptr ss:[ebp-24],14 00414328 FF45 E8 inc dword ptr ss:[ebp-18] 0041432B 8B55 CC mov edx,dword ptr ss:[ebp-34] 0041432E 64:8915 00000000 mov dword ptr fs:[0],edx 00414335 E9 BB010000 jmp 屏录专家.004144F5 0041433A 83F8 FE cmp eax,-2 0041433D 75 54 jnz short 屏录专家.00414393 0041433F 66:C745 DC 2C00 mov word ptr ss:[ebp-24],2C 00414345 BA F4515200 mov edx,屏录专家.005251F4 0041434A 8D45 F4 lea eax,dword ptr ss:[ebp-C] 0041434D E8 56800F00 call 屏录专家.0050C3A8 00414352 FF45 E8 inc dword ptr ss:[ebp-18] 00414355 8D55 F4 lea edx,dword ptr ss:[ebp-C] 00414358 8B45 08 mov eax,dword ptr ss:[ebp+8] 0041435B E8 B0820F00 call 屏录专家.0050C610 00414360 8B45 08 mov eax,dword ptr ss:[ebp+8] 00414363 BA 02000000 mov edx,2 00414368 66:C745 DC 3800 mov word ptr ss:[ebp-24],38 0041436E 50 push eax 0041436F 8D45 F4 lea eax,dword ptr ss:[ebp-C] 00414372 FF4D E8 dec dword ptr ss:[ebp-18] 00414375 E8 66820F00 call 屏录专家.0050C5E0 0041437A 58 pop eax 0041437B 66:C745 DC 2C00 mov word ptr ss:[ebp-24],2C 00414381 FF45 E8 inc dword ptr ss:[ebp-18] 00414384 8B55 CC mov edx,dword ptr ss:[ebp-34] 00414387 64:8915 00000000 mov dword ptr fs:[0],edx 0041438E E9 62010000 jmp 屏录专家.004144F5 00414393 85C0 test eax,eax 00414395 75 09 jnz short 屏录专家.004143A0 00414397 C686 140C0000 00 mov byte ptr ds:[esi+C14],0 0041439E EB 21 jmp short 屏录专家.004143C1 004143A0 33DB xor ebx,ebx ; EBX=0 004143A2 8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440] ; ECX=出现一个重要的字符串(20位)=硬盘序列号 004143A8 0FBE01 movsx eax,byte ptr ds:[ecx] ; 按位取ECX数据到EAX 004143AB 99 cdq ; EDX=0 004143AC BF 0A000000 mov edi,0A ; EDI=A 004143B1 43 inc ebx ; EBX+1 004143B2 F7FF idiv edi ; EDX=EAX MOD A 004143B4 8BC2 mov eax,edx ; EAX=EDX 004143B6 83C0 30 add eax,30 ; EAX=EAX+30H 004143B9 8801 mov byte ptr ds:[ecx],al ; 按位覆盖ecx 004143BB 41 inc ecx ; ECX+1 004143BC 83FB 14 cmp ebx,14 ; EBX<20? 004143BF ^ 7C E7 jl short 屏录专家.004143A8 ; <就继续循环 004143C1 80BE 140C0000 00 cmp byte ptr ds:[esi+C14],0 ; 设处理后的数据为str2 004143C8 0F85 B0000000 jnz 屏录专家.0041447E 004143CE 8D95 C0F7FFFF lea edx,dword ptr ss:[ebp-840] 004143D4 68 00040000 push 400 004143D9 52 push edx 004143DA 6A 00 push 0 004143DC 8D4D C8 lea ecx,dword ptr ss:[ebp-38] 004143DF 6A 00 push 0 004143E1 51 push ecx 004143E2 8D85 C0FBFFFF lea eax,dword ptr ss:[ebp-440] 004143E8 68 00040000 push 400 004143ED 50 push eax 004143EE 68 FF515200 push 屏录专家.005251FF ; ASCII "c:/" 004143F3 E8 DCC41000 call <jmp.&KERNEL32.GetVolumeInformat> 004143F8 8B45 C8 mov eax,dword ptr ss:[ebp-38] 004143FB 33D2 xor edx,edx 004143FD B9 58000000 mov ecx,58 00414402 BB 58000000 mov ebx,58 00414407 F7F1 div ecx 00414409 8BC8 mov ecx,eax 0041440B 8B45 C8 mov eax,dword ptr ss:[ebp-38] 0041440E 33D2 xor edx,edx 00414410 F7F3 div ebx 00414412 03CA add ecx,edx 00414414 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] 0041441A 81C1 75D22D01 add ecx,12DD275 00414420 894D C8 mov dword ptr ss:[ebp-38],ecx 00414423 8B45 C8 mov eax,dword ptr ss:[ebp-38] 00414426 50 push eax 00414427 68 03525200 push 屏录专家.00525203 ; ASCII "%u" 0041442C 52 push edx 0041442D E8 B2CE0E00 call 屏录专家.005012E4 00414432 83C4 0C add esp,0C 00414435 8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440] 0041443B 51 push ecx 0041443C E8 8B980E00 call 屏录专家.004FDCCC 00414441 59 pop ecx 00414442 83F8 03 cmp eax,3 00414445 7C 18 jl short 屏录专家.0041445F 00414447 8A95 C2FBFFFF mov dl,byte ptr ss:[ebp-43E] 0041444D 8A8D C0FBFFFF mov cl,byte ptr ss:[ebp-440] 00414453 888D C2FBFFFF mov byte ptr ss:[ebp-43E],cl 00414459 8895 C0FBFFFF mov byte ptr ss:[ebp-440],dl 0041445F 8BD8 mov ebx,eax 00414461 8D841D C0FBFFFF lea eax,dword ptr ss:[ebp+ebx-440] 00414468 83FB 14 cmp ebx,14 0041446B 7D 0A jge short 屏录专家.00414477 0041446D C600 37 mov byte ptr ds:[eax],37 00414470 43 inc ebx 00414471 40 inc eax 00414472 83FB 14 cmp ebx,14 00414475 ^ 7C F6 jl short 屏录专家.0041446D 00414477 C685 D4FBFFFF 00 mov byte ptr ss:[ebp-42C],0 ; 下面再次计算机起码前2-5位 0041447E 33DB xor ebx,ebx ; EBX=0 00414480 8D8D C1FBFFFF lea ecx,dword ptr ss:[ebp-43F] ; ECX=str2(从第2位开始) 00414486 8D75 C0 lea esi,dword ptr ss:[ebp-40] 00414489 8A06 mov al,byte ptr ds:[esi] ; AL=按字节取data1 0041448B BF 0A000000 mov edi,0A ; EDI=A 00414490 3001 xor byte ptr ds:[ecx],al ; str2按位与AL抑或 00414492 0FBE01 movsx eax,byte ptr ds:[ecx] ; 按字节取ecx 00414495 33D2 xor edx,edx ; edx=0 00414497 46 inc esi ; esi+1 00414498 F7F7 div edi ; edx=al mod edi 0041449A 80C2 30 add dl,30 ; dl=dl+30h 0041449D 43 inc ebx ; ebx=ebx+1 0041449E 8811 mov byte ptr ds:[ecx],dl ; 保存 004144A0 41 inc ecx ; ecx=ecx+1 004144A1 83FB 04 cmp ebx,4 ; ebx和4比较 004144A4 ^ 7C E3 jl short 屏录专家.00414489 ; <4就回跳 004144A6 66:C745 DC 4400 mov word ptr ss:[ebp-24],44 004144AC 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] ; edx=机器码 004144B2 8D45 F0 lea eax,dword ptr ss:[ebp-10] 004144B5 E8 EE7E0F00 call 屏录专家.0050C3A8 004144BA 8BD0 mov edx,eax 004144BC FF45 E8 inc dword ptr ss:[ebp-18] 004144BF 8B45 08 mov eax,dword ptr ss:[ebp+8] 004144C2 E8 49810F00 call 屏录专家.0050C610 004144C7 8B45 08 mov eax,dword ptr ss:[ebp+8] 004144CA BA 02000000 mov edx,2 004144CF 66:C745 DC 5000 mov word ptr ss:[ebp-24],50 004144D5 50 push eax 004144D6 8D45 F0 lea eax,dword ptr ss:[ebp-10] 004144D9 FF4D E8 dec dword ptr ss:[ebp-18] 004144DC E8 FF800F00 call 屏录专家.0050C5E0 004144E1 58 pop eax 004144E2 66:C745 DC 4400 mov word ptr ss:[ebp-24],44 004144E8 FF45 E8 inc dword ptr ss:[ebp-18] 004144EB 8B55 CC mov edx,dword ptr ss:[ebp-34] 004144EE 64:8915 00000000 mov dword ptr fs:[0],edx 004144F5 5F pop edi 004144F6 5E pop esi 004144F7 5B pop ebx 004144F8 8BE5 mov esp,ebp 004144FA 5D pop ebp 004144FB C3 retn 2007-4-6 15:49 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 3 楼获取硬盘序列号的call我就不跟进去了,跟进去一看就很明显了,就是那几个熟悉的api函数,不熟悉的话,上百度也行. 好了,机器码生成算法这个老大难的问题现在已经解决的,我们总结一下: 说白乐,就是把硬盘序列号和cpuid进行运算生成的一组20位的数据.后面的注册机代码里面会详细写的. 回到我们上面快要分析完的地方再接着说. 今天先休息了,明天我们接着讨论,88! 我们继续吧，新的一天，要有新的收获！这是最后一部分的分析结果。先看了再讨论。 00443370 E8 CFE7FBFF call 屏录专家.00401B44 00443375 57 push edi 00443376 8BF8 mov edi,eax 00443378 33C0 xor eax,eax 0044337A 83C9 FF or ecx,FFFFFFFF 0044337D F2:AE repne scas byte ptr es:[edi] 0044337F F7D1 not ecx 00443381 2BF9 sub edi,ecx 00443383 8DB5 ACFEFFFF lea esi,dword ptr ss:[ebp-154] 00443389 87F7 xchg edi,esi 0044338B 8BD1 mov edx,ecx 0044338D 8BC7 mov eax,edi 0044338F C1E9 02 shr ecx,2 00443392 8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-154] 00443398 F3:A5 rep movs dword ptr es:[edi],dword > 0044339A 8BCA mov ecx,edx 0044339C 83E1 03 and ecx,3 0044339F F3:A4 rep movs byte ptr es:[edi],byte pt> 004433A1 5F pop edi 004433A2 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax 004433A8 8DB5 08FFFFFF lea esi,dword ptr ss:[ebp-F8] ; esi=X的10进制字符串 004433AE 33DB xor ebx,ebx ; EBX=0 004433B0 8B95 20FFFFFF mov edx,dword ptr ss:[ebp-E0] 004433B6 0FBE06 movsx eax,byte ptr ds:[esi] ; eax=按位取esi ascii码 004433B9 0FBE0A movsx ecx,byte ptr ds:[edx] ; ecx=按位取str的ascii码 004433BC 83C1 EC add ecx,-14 ; ecx=ecx-14H 004433BF 3BC1 cmp eax,ecx ; 这里慢慢构造吧！ 004433C1 0F85 80000000 jnz 屏录专家.00443447 ; EDI=X 004433C7 83FB 03 cmp ebx,3 ; ebx=3? 004433CA 75 6A jnz short 屏录专家.00443436 ; 不是3就跳 004433CC 81C7 444D0000 add edi,4D44 ; EDI=EDI+4D44H 004433D2 89BD A8FAFFFF mov dword ptr ss:[ebp-558],edi 004433D8 DB85 A8FAFFFF fild dword ptr ss:[ebp-558] 004433DE DC0D DC3E4400 fmul qword ptr ds:[443EDC] 004433E4 DB2D E43E4400 fld tbyte ptr ds:[443EE4] 004433EA DEC9 fmulp st(1),st 004433EC E8 E7180C00 call 屏录专家.00504CD8 ; EAX=EDI3.140.1594896331738437110 004433F1 8BF8 mov edi,eax ; EDI=EAX 004433F3 8BC7 mov eax,edi 004433F5 B9 A0860100 mov ecx,186A0 ; ECX=186A0H 004433FA 99 cdq 004433FB F7F9 idiv ecx ; EDX=EAX mod ECX 004433FD 8BFA mov edi,edx ; EDI=EDX 004433FF 33C0 xor eax,eax ; EAX=0 00443401 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax ; [EBP-D4]=EAX 00443407 33D2 xor edx,edx ; EDX=0，循环变量 00443409 8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-154] ; [ebp-154]的数据就是试验码被处理后的那20位数据 0044340F 0FBE08 movsx ecx,byte ptr ds:[eax] ; [EBP-D4]=上面数据前19位相加 00443412 018D 2CFFFFFF add dword ptr ss:[ebp-D4],ecx 00443418 42 inc edx 00443419 40 inc eax 0044341A 83FA 13 cmp edx,13 0044341D ^ 7C F0 jl short 屏录专家.0044340F 0044341F 8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-D4] ; EAX=[EBP-D4] 00443425 B9 0A000000 mov ecx,0A ; ECX=A 0044342A 99 cdq ; EDX=0 0044342B F7F9 idiv ecx ; EDX=EAX MOD ECX 0044342D 83C2 30 add edx,30 ; EDX=EDX+48 00443430 8995 2CFFFFFF mov dword ptr ss:[ebp-D4],edx ; [EBP-D4]=EDX 00443436 43 inc ebx ; ebx++ 00443437 FF85 20FFFFFF inc dword ptr ss:[ebp-E0] 0044343D 46 inc esi ; esi++ 0044343E 83FB 05 cmp ebx,5 ; ebx<5就跳回去 00443441 ^ 0F8C 69FFFFFF jl 屏录专家.004433B0 00443447 83FB 05 cmp ebx,5 0044344A 0F8C BB090000 jl 屏录专家.00443E0B ; 跳向死亡 00443450 0FBE85 BFFEFFFF movsx eax,byte ptr ss:[ebp-141] ; eax=20位字符串的最后一位 00443457 3B85 2CFFFFFF cmp eax,dword ptr ss:[ebp-D4] ; 上面计算的结果 0044345D 74 09 je short 屏录专家.00443468 0044345F 83F8 41 cmp eax,41 00443462 0F8C A3090000 jl 屏录专家.00443E0B ; 跳向死亡 00443468 8BC7 mov eax,edi ; eax=edi 0044346A B9 0A000000 mov ecx,0A ; ecx=A 0044346F 99 cdq ; edx=0 00443470 F7F9 idiv ecx ; edx=eax mod ecx 00443472 0FBEB41D ACFEFFFF movsx esi,byte ptr ss:[ebp+ebx-154>; esi=20位字符串的第6位 0044347A 83C6 BF add esi,-41 ; esi=esi-41H 0044347D 2BF2 sub esi,edx ; esi=esi-edx 0044347F 85F6 test esi,esi ; 关键比较 00443481 74 09 je short 屏录专家.0044348C ; 关键跳，跳走就成功 00443483 83FE 08 cmp esi,8 00443486 0F85 F8080000 jnz 屏录专家.00443D84 ; 关键跳，跳走就失败 0044348C 66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],8C 00443495 BA 496B5300 mov edx,屏录专家.00536B49 ; 注册成功，重起验证 0044349A 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 0044349D E8 068F0C00 call 屏录专家.0050C3A8 004434A2 FF85 50FFFFFF inc dword ptr ss:[ebp-B0] 004434A8 8B00 mov eax,dword ptr ds:[eax] 004434AA E8 81250800 call 屏录专家.004C5A30 004434AF FF8D 50FFFFFF dec dword ptr ss:[ebp-B0] 004434B5 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 004434B8 BA 02000000 mov edx,2 004434BD E8 1E910C00 call 屏录专家.0050C5E0 004434C2 8B0D F4265500 mov ecx,dword ptr ds:[5526F4] ; 屏录专家._MainForm 004434C8 8B01 mov eax,dword ptr ds:[ecx] 004434CA C680 38130000 01 mov byte ptr ds:[eax+1338],1 004434D1 68 00040000 push 400 004434D6 8D95 ACFEFFFF lea edx,dword ptr ss:[ebp-154] 004434DC 52 push edx 004434DD E8 F8D30D00 call <jmp.&KERNEL32.GetWindowsDire> 004434E2 68 866B5300 push 屏录专家.00536B86 ; ASCII "/pmlxz7.dll" 004434E7 8D8D ACFEFFFF lea ecx,dword ptr ss:[ebp-154] 004434ED 51 push ecx 004434EE E8 49A70B00 call 屏录专家.004FDC3C ; 在windows目录下写入注册信息，以便重起验证 004434F3 83C4 08 add esp,8 总的来说，这部分的算法很简单，没什么好说的，关键是要找到他的逆运算算法是什么。我们慢慢来分析吧。前面，机器码和用户名进行运算已经产生了一个5位的数据，设为key。这部分的验证和这个五位数据有着密切的关系。我们的注册码的第1位和第2位连接起来，设为str,把str转化为整型，设为m,m+9必须等于key第一位的ascii码+20；于是就有 str[1]:=inttostr(ord(key[1])+20-9)[1]; str[2]:=inttostr(ord(key[1])+20-9)[2]; 同样第3位和第4位运算如下：因为第3位在注册码运算的时候会和第39位互换，所以，这里需要设置第39的数据，第3位我们后面再来算 str[39]:=inttostr(ord(key[2])+20-9-1)[1]; str[4]:=inttostr(ord(key[2])+20-9-1)[2]; 同样第5位和第6位运算如下：因为第5位在注册码运算的时候会和第26位互换，所以，这里需要设置第26的数据，第5位随便写 str[26]:=inttostr(ord(key[3])+20-9-2)[1]; str[6]:=inttostr(ord(key[3])+20-9-2)[2]; 同样第7位和第8位运算如下：注册算法中,他们没有被交换. str[7]:=inttostr(ord(key[4])+20-9-3)[1]; str[8]:=inttostr(ord(key[4])+20-9-3)[2]; 同样第9位和第10位运算如下：因为第10位在注册码运算的时候会和第32位互换，所以，这里需要设置第32的数据，第9位随便写 str[9]:=inttostr(ord(key[5])+20-9-4)[1]; str[32]:=inttostr(ord(key[5])+20-9-4)[2]; 这里说明完了,说一下中间的一部分吧: 先设注册码code,前40位经过变换后得到的字符串为string(20位),string[1]...string[19]ascii码之和为A; 先看正向运算: EDI=strtoint(key)+$4D44; EAX=round(EDI3.140.1594896331738437110-0.5); 注意：这里是取整，不是四舍五入。 EDI=EAX mod 100000; EAX=EDI MOD 10; ESI=string[6]; esi:=esi-41H-eax; 那么验证条件如下: 1:string[20]=(A mod 10)+48; 2:esi必须等于0 现在来推导逆运算...... string[6]=esi =$41+EAX =$41+(round((inttostr(key)+$4D44)3.140.1594896331738437110-0.5) mod 100000) MOD 10 string[20]= strtoint(code[39]+code[40])+19+9; 由于第39位会被第3位换掉,所以,这里需要修改下,就像下面这样. string[20]= strtoint(code[3]+code[40])+19+9; = (A mod 10)+48; ===>code[3] =inttostr((A mod 10)+20)[1]; code[40]=inttostr((A mod 10)+20)[2]; string[6]=strtoint(code[11]+code[12])+5+9; =$41+(round((inttostr(key)+$4D44)3.140.1594896331738437110-0.5) mod 100000) MOD 10; 上面已经分析的优点清楚了，现在可以写注册机了。还需要注意一下的就是：最后五位的生成需要在前面45位都已经算好的情况下再计算。其他的就是去找找取cpuid和硬盘序列号的参考代码了，这了非常感谢 seast 兄弟分享关于 cpuid 的一些知识。下面我拿出注册机的源代码(用户名不支持中文)：大家一起讨论。 ============================================================================================ type TCPUID = array[1..4] of Longint; TVendor = array [0..11] of char; function GetCPUID1 : TCPUID; assembler; register; asm PUSH EBX {Save affected register} PUSH EDI MOV EDI,EAX {@Resukt} MOV EAX,1 DW $A20F {CPUID Command} STOSD {CPUID[1]} MOV EAX,EBX STOSD {CPUID[2]} MOV EAX,ECX STOSD {CPUID[3]} MOV EAX,EDX STOSD {CPUID[4]} POP EDI {Restore registers} POP EBX end; function GetCPUID3 : TCPUID; assembler; register; asm PUSH EBX {Save affected register} PUSH EDI MOV EDI,EAX {@Resukt} MOV EAX,3 DW $A20F {CPUID Command} STOSD {CPUID[1]} MOV EAX,EBX STOSD {CPUID[2]} MOV EAX,ECX STOSD {CPUID[3]} MOV EAX,EDX STOSD {CPUID[4]} POP EDI {Restore registers} POP EBX end; function GetIdeDiskSerialNumber : String; type TSrbIoControl = packed record HeaderLength : ULONG; Signature : Array[0..7] of Char; Timeout : ULONG; ControlCode : ULONG; ReturnCode : ULONG; Length : ULONG; end; SRB_IO_CONTROL = TSrbIoControl; PSrbIoControl = ^TSrbIoControl; TIDERegs = packed record bFeaturesReg : Byte; // Used for specifying SMART "commands". bSectorCountReg : Byte; // IDE sector count register bSectorNumberReg : Byte; // IDE sector number register bCylLowReg : Byte; // IDE low order cylinder value bCylHighReg : Byte; // IDE high order cylinder value bDriveHeadReg : Byte; // IDE drive/head register bCommandReg : Byte; // Actual IDE command. bReserved : Byte; // reserved. Must be zero. end; IDEREGS = TIDERegs; PIDERegs = ^TIDERegs; TSendCmdInParams = packed record cBufferSize : DWORD; irDriveRegs : TIDERegs; bDriveNumber : Byte; bReserved : Array[0..2] of Byte; dwReserved : Array[0..3] of DWORD; bBuffer : Array[0..0] of Byte; end; SENDCMDINPARAMS = TSendCmdInParams; PSendCmdInParams = ^TSendCmdInParams; TIdSector = packed record wGenConfig : Word; wNumCyls : Word; wReserved : Word; wNumHeads : Word; wBytesPerTrack : Word; wBytesPerSector : Word; wSectorsPerTrack : Word; wVendorUnique : Array[0..2] of Word; sSerialNumber : Array[0..19] of Char; wBufferType : Word; wBufferSize : Word; wECCSize : Word; sFirmwareRev : Array[0..7] of Char; sModelNumber : Array[0..39] of Char; wMoreVendorUnique : Word; wDoubleWordIO : Word; wCapabilities : Word; wReserved1 : Word; wPIOTiming : Word; wDMATiming : Word; wBS : Word; wNumCurrentCyls : Word; wNumCurrentHeads : Word; wNumCurrentSectorsPerTrack : Word; ulCurrentSectorCapacity : ULONG; wMultSectorStuff : Word; ulTotalAddressableSectors : ULONG; wSingleWordDMA : Word; wMultiWordDMA : Word; bReserved : Array[0..127] of Byte; end; PIdSector = ^TIdSector; const IDE_ID_FUNCTION = $EC; IDENTIFY_BUFFER_SIZE = 512; DFP_RECEIVE_DRIVE_DATA = $0007c088; IOCTL_SCSI_MINIPORT = $0004d008; IOCTL_SCSI_MINIPORT_IDENTIFY = $001b0501; DataSize = sizeof(TSendCmdInParams)-1+IDENTIFY_BUFFER_SIZE; BufferSize = SizeOf(SRB_IO_CONTROL)+DataSize; W9xBufferSize = IDENTIFY_BUFFER_SIZE+16; var hDevice : THandle; cbBytesReturned : DWORD; pInData : PSendCmdInParams; pOutData : Pointer; // PSendCmdOutParams Buffer : Array[0..BufferSize-1] of Byte; srbControl : TSrbIoControl absolute Buffer; procedure ChangeByteOrder( var Data; Size : Integer ); var ptr : PChar; i : Integer; c : Char; begin ptr := @Data; for i := 0 to (Size shr 1)-1 do begin c := ptr^; ptr^ := (ptr+1)^; (ptr+1)^ := c; Inc(ptr,2); end; end; begin Result := ''; FillChar(Buffer,BufferSize,#0); if Win32Platform=VER_PLATFORM_WIN32_NT then begin // Windows NT, Windows 2000 // Get SCSI port handle hDevice := CreateFile( '\\.\Scsi0:',GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0 ); if hDevice=INVALID_HANDLE_VALUE then Exit; try srbControl.HeaderLength := SizeOf(SRB_IO_CONTROL); System.Move('SCSIDISK',srbControl.Signature,8); srbControl.Timeout := 2; srbControl.Length := DataSize; srbControl.ControlCode := IOCTL_SCSI_MINIPORT_IDENTIFY; pInData := PSendCmdInParams(PChar(@Buffer)+SizeOf(SRB_IO_CONTROL)); pOutData := pInData; with pInData^ do begin cBufferSize := IDENTIFY_BUFFER_SIZE; bDriveNumber := 0; with irDriveRegs do begin bFeaturesReg := 0; bSectorCountReg := 1; bSectorNumberReg := 1; bCylLowReg := 0; bCylHighReg := 0; bDriveHeadReg := $A0; bCommandReg := IDE_ID_FUNCTION; end; end; if not DeviceIoControl( hDevice, IOCTL_SCSI_MINIPORT, @Buffer, BufferSize, @Buffer, BufferSize, cbBytesReturned, nil ) then Exit; finally CloseHandle(hDevice); end; end else begin // Windows 95 OSR2, Windows 98 hDevice := CreateFile( '\\.\SMARTVSD', 0, 0, nil,CREATE_NEW, 0, 0 ); if hDevice=INVALID_HANDLE_VALUE then Exit; try pInData := PSendCmdInParams(@Buffer); pOutData := @pInData^.bBuffer; with pInData^ do begin cBufferSize := IDENTIFY_BUFFER_SIZE; bDriveNumber := 0; with irDriveRegs do begin bFeaturesReg := 0; bSectorCountReg := 1; bSectorNumberReg := 1; bCylLowReg := 0; bCylHighReg := 0; bDriveHeadReg := $A0; bCommandReg := IDE_ID_FUNCTION; end; end; if not DeviceIoControl( hDevice, DFP_RECEIVE_DRIVE_DATA, pInData, SizeOf(TSendCmdInParams)-1, pOutData, W9xBufferSize, cbBytesReturned, nil ) then Exit; finally CloseHandle(hDevice); end; end; with PIdSector(PChar(pOutData)+16)^ do begin ChangeByteOrder(sSerialNumber,SizeOf(sSerialNumber)); SetString(Result,sSerialNumber,SizeOf(sSerialNumber)); end; end; procedure TForm1.Button3Click(Sender: TObject); begin Close; end; {用序列号的前45位验证后5位} {我也是没办法翻译才写成这样的，哎！} function CalcLast5Bit(code:string):string; var k,eax,ecx,dl,edi,i,len:integer; esi,str:string; Label label0043E2B0,label0043E278,label0043E28A,label0043E298, label0043E29A,label0043E2A3,label0043E287; begin len:=length(code); if len<50 then len:=50; k:=1; esi:=code; eax:=0; ecx:=0; label0043E278: if ecx<>$0b26d then goto label0043E2B0; edi:=0; if edi>=len-5 then goto label0043E2B0; label0043E287: inc(ecx); dl:=$80; label0043E28A: if (eax and $00008000)=0 then goto label0043E298; eax:=eax2; eax:=eax xor $00001021; inc(ecx); goto label0043E29A; label0043E298: eax:=eax2; label0043E29A: inc(ecx); if (ord(esi[k])and dl)=0 then goto label0043E2A3; eax:=eax xor $00001021; label0043E2A3: dl:=dl div 2; if dl<>0 then goto label0043E28A; inc(k); inc(edi); if edi<len-5 then goto label0043E287; label0043E2B0: inc(ecx); if ecx<$186a0 then goto label0043E278; str:=''; esi:=inttostr(eax and $0000ffff); for i:=length(esi)+1 to 5 do str:=str+'0'; str:=str+esi; result:=str; end; {试验码的换位和20位验证码的生成} {只处理前40位} function CalcStr20(code:string):string; var temp:char; k,j,eax,edx:integer; begin k:=0; j:=1; temp:=code[3]; code[3]:=code[39]; code[39]:=temp; temp:=code[5]; code[5]:=code[26]; code[26]:=temp; temp:=code[10]; code[10]:=code[32]; code[32]:=temp; while k<40 do begin inc(k); edx:=k div 2; eax:=strtoint(code[k]+code[k+1]); eax:=eax+edx; inc(k); eax:=eax+9; code[j]:=chr(eax and $000000ff); inc(j); end; code[j]:=#0; result:=code; end; {用注册名和机器码，计算5位验证码} function CalcUseName(name,code:string):string; var al,i,edi:integer; str:string; begin setlength(str,21); edi:=0; i:=0; while i<20 do begin if i<length(name)then al:=ord(name[i+1]) else al:=0; al:=al xor ord(code[i+1]); str[i+1]:=chr(al); edi:=ial+edi; inc(i); end; result:=inttostr(edi+$3039); end; {取得机器码} function GetMachineCode:string; var CPUID1,CPUID3:TCPUID; str:string; i,c1,c2,c3,c4:integer; begin str:=GetIdeDiskSerialNumber; for i:=1 to 20 do begin str[i]:=chr((ord(str[i])mod 10)+48); end; CPUID1 := GetCPUID1; CPUID3 := GetCPUID3; CPUID1[4]:=CPUID1[4]xor CPUID1[3]; CPUID1[4]:=CPUID1[4]xor CPUID1[1]; CPUID1[4]:=CPUID1[4]xor CPUID3[4]; CPUID1[4]:=CPUID1[4]xor CPUID3[3]; CPUID1[4]:=CPUID1[4]xor CPUID3[2]; c1:=CPUID1[4]shr 24; c2:=(CPUID1[4]shr 16)and$00ff; c3:=(CPUID1[4]shr 8) and $0000ff; c4:=CPUID1[4]and $000000ff; str[5]:=chr((ord(str[5]) xor c1)mod 10 +48); str[4]:=chr((ord(str[4]) xor c2)mod 10 +48); str[3]:=chr((ord(str[3]) xor c3)mod 10 +48); str[2]:=chr((ord(str[2]) xor c4)mod 10 +48); result:=str; end; {计算注册码} function CalcCode(key:string):string; var str,s:string; i,num,eax,edi:integer; begin str:='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; str[1]:=inttostr(ord(key[1])+20-9)[1]; str[2]:=inttostr(ord(key[1])+20-9)[2]; str[39]:=inttostr(ord(key[2])+20-9-1)[1]; str[4]:=inttostr(ord(key[2])+20-9-1)[2]; str[26]:=inttostr(ord(key[3])+20-9-2)[1]; str[6]:=inttostr(ord(key[3])+20-9-2)[2]; str[7]:=inttostr(ord(key[4])+20-9-3)[1]; str[8]:=inttostr(ord(key[4])+20-9-3)[2]; str[9]:=inttostr(ord(key[5])+20-9-4)[1]; str[32]:=inttostr(ord(key[5])+20-9-4)[2]; for i:=1 to 45 do if str[i]='x' then str[i]:=chr(random(10)+48); edi:=strtoint(key)+$4D44; eax:=round(edi3.14*0.1594896331738437110-0.5); edi:=eax mod 100000; eax:=edi MOD 10; eax:=eax+$41-14; s:=inttostr(eax); str[11]:=s[1]; str[12]:=s[2]; s:=CalcStr20(str); num:=0; for i:=1 to 19 do num:=num+ord(s[i]); s:=inttostr((num mod 10)+20); str[3]:=s[1]; str[40]:=s[2]; str:=str+CalcLast5Bit(str); result:=str; end; procedure TForm1.Button1Click(Sender: TObject); var key,code,name:string; i:integer; begin name:=edit1.text; for i:=1 to length(name) do if ord(name[i])>127 then begin Application.MessageBox('别欺负我,我不知道中文名字怎么算!','提示',MB_ICONINFORMATION+MB_OK); edit1.Text:=''; Exit; end; if (length(name)<1)or(length(name)>19) then begin Application.MessageBox('注册名长度为1-19位','提示',MB_ICONINFORMATION+MB_OK); Exit; end; key:=GetMachineCode; key:=CalcUseName(name,key); code:=CalcCode(key); edit2.text:=code; end; 好了，文章就到这里了，呵呵！感觉不错！ -------------------------------------------------------------------------------- 【经验总结】这次破解让我的耐心增添不少. -------------------------------------------------------------------------------- 【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢! 2007年04月06日 15:31:54 2007-4-6 15:53 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 4 楼注册信息保存在windows目录的pmlxz7.dll文件中,删除这个文件后,可以再玩一次! 本想一贴给贴完的,后来发现不行,估计是字太多了(100000多), 只好分3贴给贴出来. 2007-4-6 16:06 0
wynney 雪币： 224 活跃值： (147) 能力值： ( LV9，RANK：970 ) 在线值：发帖 65 回帖 1109 粉丝 7 关注私信	wynney 24 5 楼算法好象跟以前版本没多大的变化 2007-4-6 16:07 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 6 楼不知道,没有研究过以前的哪个东西! 呵呵! 2007-4-6 16:09 0
tzl 雪币： 242 活跃值： (1664) 能力值： ( LV9，RANK：410 ) 在线值：发帖 21 回帖 532 粉丝 0 关注私信	tzl 10 7 楼学习,不过注册机好象不准发的吧! 2007-4-6 16:23 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 8 楼那我就删除掉! 2007-4-6 16:29 0
KuNgBiM 雪币： 817 活跃值： (1927) 能力值： ( LV12，RANK：2670 ) 在线值：发帖 500 回帖 2517 粉丝 22 关注私信	KuNgBiM 66 9 楼机机代码可以留下 2007-4-6 16:36 0
tzl 雪币： 242 活跃值： (1664) 能力值： ( LV9，RANK：410 ) 在线值：发帖 21 回帖 532 粉丝 0 关注私信	tzl 10 10 楼老K说的对 2007-4-6 16:37 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 11 楼留下咯, 嘿嘿! 2007-4-6 16:47 0
BlueT 雪币： 517 活跃值： (35) 能力值： ( LV6，RANK：90 ) 在线值：发帖 8 回帖 883 粉丝 0 关注私信	BlueT 2 12 楼大多数的算法注册机都不是真正的注册机，测试时不能只看一次两次的录像中是否有未注册字样。每次至少要录像5个以上才能看得出来。不知道这次研究时注意到了没有？！ 2007-4-6 18:44 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 13 楼来晚了，机机冇下到严重支持，耐心真好 2007-4-6 19:36 0
海风月影雪币： 7309 活跃值： (3788) 能力值： (RANK：1130 ) 在线值：发帖 93 回帖 2308 粉丝 119 关注私信	海风月影 22 14 楼 10W字，要支持一下 2007-4-6 19:41 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 15 楼多谢兄弟指点!的确存在问题,只是没有想到! 我在看看怎么去除! 2007-4-6 20:09 0
坚持到底雪币： 538 活跃值： (460) 能力值： ( LV9，RANK：290 ) 在线值：发帖 12 回帖 245 粉丝 2 关注私信	坚持到底 7 16 楼支持下，等有空自己跟一下，学习之！！ 2007-4-6 21:25 0
卡秋莎雪币： 144 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 57 回帖 424 粉丝 0 关注私信	卡秋莎 17 楼支持啊真快啊：） 2007-4-6 21:38 0
wmjm 雪币： 217 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 72 粉丝 0 关注私信	wmjm 18 楼文章很长，需要慢慢学习，谢谢。 2007-4-7 00:41 0
菜儿雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 193 粉丝 0 关注私信	菜儿 19 楼精彩的分析.....透彻.....辛苦了... 2007-4-7 07:13 0
Nisy 雪币： 167 活跃值： (1574) 能力值： ( LV9，RANK：250 ) 在线值：发帖 68 回帖 668 粉丝 42 关注私信	Nisy 5 20 楼兄弟真有耐心佩服佩服~~ 2007-4-7 08:25 0
playboyjin 雪币： 264 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 74 粉丝 0 关注私信	playboyjin 21 楼呵呵，，好文。强的说。。。 2007-4-7 08:46 0
风间仁雪币： 29249 活跃值： (7769) 能力值： ( LV15，RANK：3306 ) 在线值：发帖 111 回帖 591 粉丝 83 关注私信	风间仁 19 22 楼这软件暗桩不少 2007-4-7 09:24 0
myselfsky 雪币： 200 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	myselfsky 23 楼强贴,支持! 2007-4-7 09:56 0
wofan[OCN] 雪币： 2943 活跃值： (1788) 能力值： ( LV9，RANK：850 ) 在线值：发帖 55 回帖 808 粉丝 8 关注私信	wofan[OCN] 21 24 楼的确！！！！有空时一定要玩玩它，至少也得弄个自已用的注册码吧。听楼上有人说老版本也没有一个真正的注册机。试一下硬盘中的那个6.0版，果如他所说。 2007-4-7 10:15 0
binbinbin 雪币： 405 活跃值： (10) 能力值： ( LV9，RANK：1130 ) 在线值：发帖 51 回帖 690 粉丝 0 关注私信	binbinbin 28 25 楼楼主辛苦拉收藏下来先 2007-4-7 10:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

壹只老虎

发帖

709

回帖

290

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (53) 1 2 3 ▶
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 2 楼这段代码虽然不难，但是里面突然蹦出一个莫名其妙的数据，就是我们叫他s1的那个东西，我开始也觉得晕，就快要到头了，发现那个"欢迎界面"的机器码还没有用到,没用就没用吧,更好,但是直觉告诉(别砸我,其实是猜的,呵呵)我,这个s1不会那么简单,肯定和硬件还是有关系的,先解决这个硬件码的问题吧. 说说我的跟踪思路,很笨的方法,追了很久才追到,思路就是,追他到天边!;) (也许有兄弟会觉得这个字符串是个固定的字符串,我其实也期望这样,但是理想与现实总是有一段差距的.呵呵!) 先跟入--->00401B44.看看再说 00401B44 8338 00 cmp dword ptr ds:[eax],0 00401B47 74 04 je short 屏录专家.00401B4D 00401B49 8B00 mov eax,dword ptr ds:[eax] ;在这里发现字符串地址在036FDA4C 00401B4B EB 05 jmp short 屏录专家.00401B52 00401B4D B8 51505200 mov eax,屏录专家.00525051 00401B52 C3 retn 这是证明: ds:[036C7C08]=036FDA4C, (ASCII "24237270606580267567") eax=036C7C08 第一次郁闷,字符串是被复制过来的,没办法哦,继续追踪036FDA4C, 接下来怎么办呢? 怎么追踪这个036FDA4C什么时候被写入的呢? 第二次郁闷一下!如果你也郁闷了,建议休息一下!嘿嘿! 郁闷之后接着工作吧,搞破解的,需要恒心和耐心,永不放弃的精神. 我对自己说,加油,胜利就在眼前. 我带着试一试的心理,想看看那个数据("24237270606580267567")在显示注册窗口的时候是否已经被写入, OK,说干就干.下什么断点呢,打开dede吧,找注册窗口的事件信息,发现这个 FormShow 00444054 好的,我们去那里下断点,看看!运行下. OK,我们让它断在了00444054地址处,数据窗口跟随到以036C0000开始的虚拟地址,搜索下"24237270606580267567",发现已经存在.(注意:位置可能不是036FDA4C). 第三次郁闷了,再把时间提前一点,在注册窗体显示之前是"欢迎界面"的"注册"按钮点击事件,(别弄混了,不是"注册窗口"的"确定"按钮点击事件哦,还是用dede找!),看看那个时候有没有生成那个数据. 试了几次后知道是button2,事件是Button2Click,事件处理地址是00444398. (我开始还以为是button3呢),在00444398,下断点,运行程序,点击下"注册",程序断在00444398, 好了,数据窗口跟随到以036C0000开始的虚拟地址,搜索下"24237270606580267567",发现不存在. 非常好,成功又进了一步了.我们继续分析是在哪里给跑出来的. 我们到了这里 00444481 E8 5A810C00 call 屏录专家.0050C5E0 发现,这个call之后,发现EDX里面出现了我们在"欢迎界面"里面看到的机器码,非常好!黑黑!(不过好像没什么用,哪来好看的,呵呵) 注意注意:不是"24237270606580267567" 在004444A1 E8 B270FEFF call 屏录专家.0042B558 这个CALL之后,我发现, 以036C0000开始的虚拟地址,搜索下"24237270606580267567",发现已经存在,在此之前不存在 (问我是怎么知道是这里在出现的阿,呵呵!很简单,每过一个CALL,我就搜索一下,看看存在么, 前面都是失败了,就这里成功了,所以,我就知道这个CALL就是和硬件码有关的一个CALL, 如果兄弟们有什么好的办法来定位,请指教,谢谢) 再来,我们需要跟入这个CALL,所以我们再来一次,在这个CALL上面f7跟进去看看. 发现 0042B567 E8 542A0D00 call 屏录专家.004FDFC0 0042B56C 8D83 6C130000 lea eax,dword ptr ds:[ebx+136C] 0042B572 8B50 34 mov edx,dword ptr ds:[eax+34] 0042B575 81C2 9AB1FFFF add edx,FFFFB19A 这个add语句之后, edx里面出现了"24237270606580267567",以036C0000开始的虚拟地址中是没有的, 看看字符串的地址是: 00B607E0 现在怎么办?我也不知道. 第4次郁闷了,这样吧,看看"欢迎窗口"创建完之后,00B607E0这个虚拟地址的上下文中有没有我们要找的东西吧, 说实话,我都快崩溃了,还不是看运气. 试验结果是这样的: OD运行程序,主界面运行好之后,不做任何操作,发现,以00B40000开始的虚拟地址中,发现了我们要找的东西,非常好, 证明这个数据是在此之前就算好的,我们再想想什么事件居然在这个之前呢,很简单,窗体创建事件,显示事件好吧,继续DEDE, 找到"欢迎界面"窗体创建显示事件的代码开始位置(没有写窗体创建事件的代码).004446E0. 我们去那里下断点.运行程序.断在了004446E0. 以00B40000开始的虚拟地址,搜索下"24237270606580267567",发现已经存在,晕了. 奇怪了,不可能阿,其实我也觉得不可能了. 但是还是有两种可能: 1:这个数据串为固定值 2:还有一些事件在此之前. 排除法,我选第2种可能,因为第一种可能是有点夸张的.呵呵! 还记得我们写程序的时候么,那个主窗体是最先创建的,呵呵! 看看dede里面,果然有一个叫MainForm的东西(不是那个欢迎窗口哦),呵呵,好说了. 看看他的窗体的事件.FormCreate---->0040BE2C.还有一个FormShow事件,那个先不考虑, 看看FormCreate事件里面都作了些什么哈.在0040BE2C处下断点.运行程序,成功断下. 慢慢分析吧,一次又一次的搜索,我发现,就是在这里生成机器码的, 看下面的分析吧,如果觉得累了,就休息下吧,我其实也有点累了. 0040BE2C 55 push ebp 0040BE2D 8BEC mov ebp,esp 0040BE2F 81C4 B8F6FFFF add esp,-948 0040BE35 53 push ebx 0040BE36 56 push esi 0040BE37 57 push edi 0040BE38 8985 C8FEFFFF mov dword ptr ss:[ebp-138],eax 0040BE3E B8 48735200 mov eax,屏录专家.00527348 0040BE43 E8 78210F00 call 屏录专家.004FDFC0 0040BE48 68 F0020000 push 2F0 0040BE4D E8 9E130F00 call 屏录专家.004FD1F0 0040BE52 59 pop ecx 0040BE53 8945 FC mov dword ptr ss:[ebp-4],eax 0040BE56 85C0 test eax,eax 0040BE58 74 21 je short 屏录专家.0040BE7B 0040BE5A 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],14 0040BE63 8B55 FC mov edx,dword ptr ss:[ebp-4] 0040BE66 52 push edx 0040BE67 E8 E0EA0700 call 屏录专家.0048A94C 0040BE6C 59 pop ecx 0040BE6D 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],8 0040BE76 8B4D FC mov ecx,dword ptr ss:[ebp-4] 0040BE79 EB 03 jmp short 屏录专家.0040BE7E 0040BE7B 8B4D FC mov ecx,dword ptr ss:[ebp-4] 0040BE7E 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040BE84 8988 B00B0000 mov dword ptr ds:[eax+BB0],ecx 0040BE8A 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040BE90 52 push edx 0040BE91 E8 D2470200 call 屏录专家.00430668 0040BE96 59 pop ecx 0040BE97 33DB xor ebx,ebx 0040BE99 8AD8 mov bl,al 0040BE9B 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040BEA1 8998 B80B0000 mov dword ptr ds:[eax+BB8],ebx 0040BEA7 85DB test ebx,ebx 0040BEA9 75 36 jnz short 屏录专家.0040BEE1 0040BEAB 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],20 0040BEB4 BA FE315200 mov edx,屏录专家.005231FE 0040BEB9 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040BEBC E8 E7041000 call 屏录专家.0050C3A8 0040BEC1 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BEC7 8B00 mov eax,dword ptr ds:[eax] 0040BEC9 E8 629B0B00 call 屏录专家.004C5A30 0040BECE FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BED4 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040BED7 BA 02000000 mov edx,2 0040BEDC E8 FF061000 call 屏录专家.0050C5E0 0040BEE1 C705 042C5500 1C1>mov dword ptr ds:[552C04],屏录专家.0040191C 0040BEEB 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040BEF1 33C0 xor eax,eax 0040BEF3 8981 000C0000 mov dword ptr ds:[ecx+C00],eax 0040BEF9 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040BEFF C682 0C0C0000 01 mov byte ptr ds:[edx+C0C],1 0040BF06 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040BF0C 51 push ecx 0040BF0D E8 E2180000 call 屏录专家.0040D7F4 0040BF12 59 pop ecx 0040BF13 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040BF19 C680 FC170000 01 mov byte ptr ds:[eax+17FC],1 0040BF20 68 61325200 push 屏录专家.00523261 ; ASCII "PMLXZJ" 0040BF25 6A 00 push 0 0040BF27 6A 00 push 0 0040BF29 E8 50481100 call <jmp.&KERNEL32.CreateMutexA> 0040BF2E A3 F82B5500 mov dword ptr ds:[552BF8],eax 0040BF33 E8 12491100 call <jmp.&KERNEL32.GetLastError> 0040BF38 3D B7000000 cmp eax,0B7 0040BF3D 75 3E jnz short 屏录专家.0040BF7D 0040BF3F 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],2C 0040BF48 BA 68325200 mov edx,屏录专家.00523268 0040BF4D 8D45 F4 lea eax,dword ptr ss:[ebp-C] 0040BF50 E8 53041000 call 屏录专家.0050C3A8 0040BF55 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BF5B 8B00 mov eax,dword ptr ds:[eax] 0040BF5D E8 CE9A0B00 call 屏录专家.004C5A30 0040BF62 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BF68 8D45 F4 lea eax,dword ptr ss:[ebp-C] 0040BF6B BA 02000000 mov edx,2 0040BF70 E8 6B061000 call 屏录专家.0050C5E0 0040BF75 6A 01 push 1 0040BF77 E8 70AF0F00 call 屏录专家.00506EEC 0040BF7C 59 pop ecx 0040BF7D 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],38 0040BF86 8D45 F0 lea eax,dword ptr ss:[ebp-10] 0040BF89 E8 DE58FFFF call 屏录专家.0040186C 0040BF8E 8BD0 mov edx,eax 0040BF90 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BF96 8B0D 80275500 mov ecx,dword ptr ds:[552780] ; 屏录专家.005596A4 0040BF9C 8B01 mov eax,dword ptr ds:[ecx] 0040BF9E E8 49EF0A00 call 屏录专家.004BAEEC 0040BFA3 8D55 F0 lea edx,dword ptr ss:[ebp-10] 0040BFA6 8D45 EC lea eax,dword ptr ss:[ebp-14] 0040BFA9 8B0A mov ecx,dword ptr ds:[edx] 0040BFAB 51 push ecx 0040BFAC E8 BB58FFFF call 屏录专家.0040186C 0040BFB1 8BD0 mov edx,eax 0040BFB3 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040BFB9 58 pop eax 0040BFBA E8 C1780E00 call 屏录专家.004F3880 0040BFBF 8D55 EC lea edx,dword ptr ss:[ebp-14] 0040BFC2 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040BFC8 81C3 00180000 add ebx,1800 0040BFCE 8BC3 mov eax,ebx 0040BFD0 E8 3B061000 call 屏录专家.0050C610 0040BFD5 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BFDB 8D45 EC lea eax,dword ptr ss:[ebp-14] 0040BFDE BA 02000000 mov edx,2 0040BFE3 E8 F8051000 call 屏录专家.0050C5E0 0040BFE8 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040BFEE 8D45 F0 lea eax,dword ptr ss:[ebp-10] 0040BFF1 BA 02000000 mov edx,2 0040BFF6 E8 E5051000 call 屏录专家.0050C5E0 0040BFFB 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C001 51 push ecx 0040C002 E8 41190000 call 屏录专家.0040D948 ; 跟进去,里面会产生一个用于计算硬件码的数据 0040C007 59 pop ecx 0040C008 6A 28 push 28 0040C00A E8 85130F00 call 屏录专家.004FD394 0040C00F 59 pop ecx 0040C010 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C016 8982 D40B0000 mov dword ptr ds:[edx+BD4],eax 0040C01C 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],44 0040C025 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 0040C028 E8 3F58FFFF call 屏录专家.0040186C 0040C02D 50 push eax 0040C02E FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C034 BA 97325200 mov edx,屏录专家.00523297 ; ASCII "ly.exe" 0040C039 8D45 E8 lea eax,dword ptr ss:[ebp-18] 0040C03C E8 67031000 call 屏录专家.0050C3A8 0040C041 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C047 8D55 E8 lea edx,dword ptr ss:[ebp-18] 0040C04A 8BC3 mov eax,ebx 0040C04C 59 pop ecx 0040C04D E8 E6051000 call 屏录专家.0050C638 0040C052 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 0040C055 8B00 mov eax,dword ptr ds:[eax] 0040C057 E8 64760E00 call 屏录专家.004F36C0 0040C05C 84C0 test al,al 0040C05E 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 0040C061 0F94C2 sete dl 0040C064 83E2 01 and edx,1 0040C067 52 push edx 0040C068 BA 02000000 mov edx,2 0040C06D FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C073 E8 68051000 call 屏录专家.0050C5E0 0040C078 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C07E 8D45 E8 lea eax,dword ptr ss:[ebp-18] 0040C081 BA 02000000 mov edx,2 0040C086 E8 55051000 call 屏录专家.0050C5E0 0040C08B 59 pop ecx 0040C08C 84C9 test cl,cl 0040C08E 74 50 je short 屏录专家.0040C0E0 0040C090 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],50 0040C099 BA 9E325200 mov edx,屏录专家.0052329E 0040C09E 8D45 E0 lea eax,dword ptr ss:[ebp-20] 0040C0A1 E8 02031000 call 屏录专家.0050C3A8 0040C0A6 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C0AC 8B00 mov eax,dword ptr ds:[eax] 0040C0AE E8 7D990B00 call 屏录专家.004C5A30 0040C0B3 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C0B9 8D45 E0 lea eax,dword ptr ss:[ebp-20] 0040C0BC BA 02000000 mov edx,2 0040C0C1 E8 1A051000 call 屏录专家.0050C5E0 0040C0C6 6A 01 push 1 0040C0C8 E8 1FAE0F00 call 屏录专家.00506EEC 0040C0CD 59 pop ecx 0040C0CE 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-134] 0040C0D4 64:890D 00000000 mov dword ptr fs:[0],ecx 0040C0DB E9 0C170000 jmp 屏录专家.0040D7EC 0040C0E0 68 BC325200 push 屏录专家.005232BC ; ASCII "PMLXZJRECORDER{A8B0ADB7-ECB6-4D8F-829A-F050181A6510}" 0040C0E5 6A 00 push 0 0040C0E7 E8 A44D1100 call <jmp.&USER32.FindWindowA> 0040C0EC 85C0 test eax,eax 0040C0EE 74 70 je short 屏录专家.0040C160 0040C0F0 50 push eax 0040C0F1 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C0F7 50 push eax 0040C0F8 E8 F7180000 call 屏录专家.0040D9F4 0040C0FD 83C4 08 add esp,8 0040C100 68 F1325200 push 屏录专家.005232F1 ; ASCII "PMLXZJRECORDER{A8B0ADB7-ECB6-4D8F-829A-F050181A6510}" 0040C105 6A 00 push 0 0040C107 E8 844D1100 call <jmp.&USER32.FindWindowA> 0040C10C 85C0 test eax,eax 0040C10E 74 50 je short 屏录专家.0040C160 0040C110 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],5C 0040C119 BA 26335200 mov edx,屏录专家.00523326 0040C11E 8D45 DC lea eax,dword ptr ss:[ebp-24] 0040C121 E8 82021000 call 屏录专家.0050C3A8 0040C126 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C12C 8B00 mov eax,dword ptr ds:[eax] 0040C12E E8 FD980B00 call 屏录专家.004C5A30 0040C133 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C139 8D45 DC lea eax,dword ptr ss:[ebp-24] 0040C13C BA 02000000 mov edx,2 0040C141 E8 9A041000 call 屏录专家.0050C5E0 0040C146 6A 01 push 1 0040C148 E8 9FAD0F00 call 屏录专家.00506EEC 0040C14D 59 pop ecx 0040C14E 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-134] 0040C154 64:890D 00000000 mov dword ptr fs:[0],ecx 0040C15B E9 8C160000 jmp 屏录专家.0040D7EC 0040C160 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C166 50 push eax 0040C167 E8 B8180000 call 屏录专家.0040DA24 0040C16C 59 pop ecx 0040C16D 6A 00 push 0 0040C16F E8 62501100 call <jmp.&OLE32.CoInitialize> 0040C174 6A 00 push 0 0040C176 6A 00 push 0 0040C178 6A 00 push 0 0040C17A 6A 03 push 3 0040C17C 6A 04 push 4 0040C17E 6A 00 push 0 0040C180 6A 00 push 0 0040C182 6A FF push -1 0040C184 6A 00 push 0 0040C186 E8 51501100 call <jmp.&OLE32.CoInitializeSecurity> 0040C18B 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],68 0040C194 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],74 0040C19D 8D55 D4 lea edx,dword ptr ss:[ebp-2C] 0040C1A0 52 push edx 0040C1A1 E8 72220000 call 屏录专家.0040E418 0040C1A6 59 pop ecx 0040C1A7 8D4D D4 lea ecx,dword ptr ss:[ebp-2C] 0040C1AA 51 push ecx 0040C1AB 8385 E8FEFFFF 02 add dword ptr ss:[ebp-118],2 0040C1B2 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040C1B8 81C3 F00B0000 add ebx,0BF0 0040C1BE 53 push ebx 0040C1BF E8 00250000 call 屏录专家.0040E6C4 0040C1C4 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C1CA 83C4 08 add esp,8 0040C1CD FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C1D3 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 0040C1D6 6A 00 push 0 0040C1D8 50 push eax 0040C1D9 E8 5E250000 call 屏录专家.0040E73C 0040C1DE 83C4 08 add esp,8 0040C1E1 8BC3 mov eax,ebx 0040C1E3 E8 7C250000 call 屏录专家.0040E764 0040C1E8 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],0 0040C1F1 E9 56010000 jmp 屏录专家.0040C34C 0040C1F6 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],80 0040C1FF 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],8C 0040C208 8D45 CC lea eax,dword ptr ss:[ebp-34] 0040C20B E8 5C56FFFF call 屏录专家.0040186C 0040C210 50 push eax 0040C211 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C217 BA 42335200 mov edx,屏录专家.00523342 ; ASCII "ly.exe" 0040C21C 8D45 D0 lea eax,dword ptr ss:[ebp-30] 0040C21F E8 84011000 call 屏录专家.0050C3A8 0040C224 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C22A 8D55 D0 lea edx,dword ptr ss:[ebp-30] 0040C22D 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C233 59 pop ecx 0040C234 05 00180000 add eax,1800 0040C239 E8 FA031000 call 屏录专家.0050C638 0040C23E 8D55 CC lea edx,dword ptr ss:[ebp-34] 0040C241 8B02 mov eax,dword ptr ds:[edx] 0040C243 50 push eax 0040C244 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C24A 52 push edx 0040C24B E8 7C180000 call 屏录专家.0040DACC 0040C250 83C4 08 add esp,8 0040C253 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C259 8D45 CC lea eax,dword ptr ss:[ebp-34] 0040C25C BA 02000000 mov edx,2 0040C261 E8 7A031000 call 屏录专家.0050C5E0 0040C266 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C26C 8D45 D0 lea eax,dword ptr ss:[ebp-30] 0040C26F BA 02000000 mov edx,2 0040C274 E8 67031000 call 屏录专家.0050C5E0 0040C279 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],98 0040C282 8D4D C4 lea ecx,dword ptr ss:[ebp-3C] 0040C285 51 push ecx 0040C286 E8 8D210000 call 屏录专家.0040E418 0040C28B 59 pop ecx 0040C28C 8D45 C4 lea eax,dword ptr ss:[ebp-3C] 0040C28F 50 push eax 0040C290 8385 E8FEFFFF 02 add dword ptr ss:[ebp-118],2 0040C297 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040C29D 81C3 F00B0000 add ebx,0BF0 0040C2A3 53 push ebx 0040C2A4 E8 1B240000 call 屏录专家.0040E6C4 0040C2A9 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C2AF 83C4 08 add esp,8 0040C2B2 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C2B8 8D45 C4 lea eax,dword ptr ss:[ebp-3C] 0040C2BB 6A 00 push 0 0040C2BD 50 push eax 0040C2BE E8 79240000 call 屏录专家.0040E73C 0040C2C3 83C4 08 add esp,8 0040C2C6 8BC3 mov eax,ebx 0040C2C8 E8 97240000 call 屏录专家.0040E764 0040C2CD 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],70 0040C2D6 EB 66 jmp short 屏录专家.0040C33E 0040C2D8 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],0A4 0040C2E1 BA 49335200 mov edx,屏录专家.00523349 0040C2E6 8D45 C0 lea eax,dword ptr ss:[ebp-40] 0040C2E9 E8 BA001000 call 屏录专家.0050C3A8 0040C2EE FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C2F4 8B00 mov eax,dword ptr ds:[eax] 0040C2F6 E8 35970B00 call 屏录专家.004C5A30 0040C2FB FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C301 8D45 C0 lea eax,dword ptr ss:[ebp-40] 0040C304 BA 02000000 mov edx,2 0040C309 E8 D2021000 call 屏录专家.0050C5E0 0040C30E 6A 01 push 1 0040C310 E8 D7AB0F00 call 屏录专家.00506EEC 0040C315 59 pop ecx 0040C316 33C9 xor ecx,ecx 0040C318 898D E8FEFFFF mov dword ptr ss:[ebp-118],ecx 0040C31E 8D85 CCFEFFFF lea eax,dword ptr ss:[ebp-134] 0040C324 50 push eax 0040C325 E8 25D80F00 call 屏录专家.00509B4F 0040C32A 59 pop ecx 0040C32B E9 BC140000 jmp 屏录专家.0040D7EC 0040C330 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],88 0040C339 E8 5CD10F00 call 屏录专家.0050949A 0040C33E 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],70 0040C347 E8 4ED10F00 call 屏录专家.0050949A 0040C34C 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C352 52 push edx 0040C353 E8 70180000 call 屏录专家.0040DBC8 0040C358 59 pop ecx 0040C359 68 65335200 push 屏录专家.00523365 ; ASCII "LYSTOPEVENT" 0040C35E 6A 00 push 0 0040C360 6A 00 push 0 0040C362 6A 00 push 0 0040C364 E8 09441100 call <jmp.&KERNEL32.CreateEventA> 0040C369 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C36F 8981 F80B0000 mov dword ptr ds:[ecx+BF8],eax 0040C375 6A 2C push 2C 0040C377 6A 00 push 0 0040C379 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C37F 05 E40C0000 add eax,0CE4 0040C384 50 push eax 0040C385 E8 0E180F00 call 屏录专家.004FDB98 0040C38A 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C390 83C4 0C add esp,0C 0040C393 BF 18265200 mov edi,屏录专家.00522618 ; ASCII "pmlxzjtlx" 0040C398 C782 F80C0000 080>mov dword ptr ds:[edx+CF8],8 0040C3A2 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C3A8 C781 FC0C0000 080>mov dword ptr ds:[ecx+CFC],8 0040C3B2 8B85 C8FEFFFF mov eax,dword ptr ss:[ebp-138] 0040C3B8 05 040D0000 add eax,0D04 0040C3BD 8BF0 mov esi,eax 0040C3BF 33C0 xor eax,eax 0040C3C1 83C9 FF or ecx,FFFFFFFF 0040C3C4 F2:AE repne scas byte ptr es:[edi] 0040C3C6 F7D1 not ecx 0040C3C8 2BF9 sub edi,ecx 0040C3CA 8BD1 mov edx,ecx 0040C3CC 87F7 xchg edi,esi 0040C3CE C1E9 02 shr ecx,2 0040C3D1 8BC7 mov eax,edi 0040C3D3 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[es> 0040C3D5 8BCA mov ecx,edx 0040C3D7 8D45 B8 lea eax,dword ptr ss:[ebp-48] 0040C3DA 83E1 03 and ecx,3 0040C3DD F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi] 0040C3DF 66:C785 DCFEFFFF >mov word ptr ss:[ebp-124],0B0 0040C3E8 E8 7F54FFFF call 屏录专家.0040186C 0040C3ED 50 push eax 0040C3EE FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C3F4 BA 71335200 mov edx,屏录专家.00523371 ; ASCII "\play.dat" 0040C3F9 8D45 BC lea eax,dword ptr ss:[ebp-44] 0040C3FC E8 A7FF0F00 call 屏录专家.0050C3A8 0040C401 FF85 E8FEFFFF inc dword ptr ss:[ebp-118] 0040C407 8D55 BC lea edx,dword ptr ss:[ebp-44] 0040C40A 8B9D C8FEFFFF mov ebx,dword ptr ss:[ebp-138] 0040C410 59 pop ecx 0040C411 81C3 00180000 add ebx,1800 0040C417 8BC3 mov eax,ebx 0040C419 E8 1A021000 call 屏录专家.0050C638 0040C41E 8D55 B8 lea edx,dword ptr ss:[ebp-48] 0040C421 8B02 mov eax,dword ptr ds:[edx] 0040C423 50 push eax 0040C424 8B95 C8FEFFFF mov edx,dword ptr ss:[ebp-138] 0040C42A 52 push edx 0040C42B E8 AC180000 call 屏录专家.0040DCDC 0040C430 83C4 08 add esp,8 0040C433 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C439 8981 000D0000 mov dword ptr ds:[ecx+D00],eax 0040C43F FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C445 8D45 B8 lea eax,dword ptr ss:[ebp-48] 0040C448 BA 02000000 mov edx,2 0040C44D E8 8E011000 call 屏录专家.0050C5E0 0040C452 FF8D E8FEFFFF dec dword ptr ss:[ebp-118] 0040C458 8D45 BC lea eax,dword ptr ss:[ebp-44] 0040C45B BA 02000000 mov edx,2 0040C460 E8 7B011000 call 屏录专家.0050C5E0 0040C465 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] 0040C46B 51 push ecx 0040C46C E8 3F190000 call 屏录专家.0040DDB0 ; 机器码生成算法 0040C471 59 pop ecx 跟入0040D948看看,如下: 0040D948 55 push ebp 0040D949 8BEC mov ebp,esp 0040D94B 83C4 D8 add esp,-28 0040D94E B8 B8105300 mov eax,屏录专家.005310B8 0040D953 53 push ebx 0040D954 56 push esi 0040D955 57 push edi 0040D956 E8 65060F00 call 屏录专家.004FDFC0 0040D95B 6A 19 push 19 0040D95D E8 32FA0E00 call 屏录专家.004FD394 0040D962 59 pop ecx 0040D963 8945 D8 mov dword ptr ss:[ebp-28],eax 0040D966 6A 19 push 19 0040D968 6A 00 push 0 0040D96A 8B55 D8 mov edx,dword ptr ss:[ebp-28] 0040D96D 52 push edx 0040D96E E8 25020F00 call 屏录专家.004FDB98 0040D973 83C4 0C add esp,0C 0040D976 66:C745 EC 0800 mov word ptr ss:[ebp-14],8 0040D97C 8B4D D8 mov ecx,dword ptr ss:[ebp-28] 0040D97F 51 push ecx 0040D980 E8 8BC10600 call 屏录专家.00479B10 ; 这里会获取到一组cpu相关的数据，保存到[ebp-28] 0040D985 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; str2生成算法(上面得到的数据为运算的原始数据) 0040D988 59 pop ecx ; 把cpuid相关的一些信息进行异或，最后结果保存到[ebp-28] 0040D989 83C0 04 add eax,4 0040D98C BA 01000000 mov edx,1 0040D991 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D994 8A08 mov cl,byte ptr ds:[eax] 0040D996 42 inc edx 0040D997 300B xor byte ptr ds:[ebx],cl 0040D999 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D99C 8A48 01 mov cl,byte ptr ds:[eax+1] 0040D99F 304B 01 xor byte ptr ds:[ebx+1],cl 0040D9A2 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D9A5 8A48 02 mov cl,byte ptr ds:[eax+2] 0040D9A8 304B 02 xor byte ptr ds:[ebx+2],cl 0040D9AB 8B5D D8 mov ebx,dword ptr ss:[ebp-28] 0040D9AE 8A48 03 mov cl,byte ptr ds:[eax+3] 0040D9B1 83C0 04 add eax,4 0040D9B4 304B 03 xor byte ptr ds:[ebx+3],cl 0040D9B7 83FA 06 cmp edx,6 0040D9BA ^ 7C D5 jl short 屏录专家.0040D991 0040D9BC 66:C745 EC 0000 mov word ptr ss:[ebp-14],0 0040D9C2 EB 0B jmp short 屏录专家.0040D9CF 0040D9C4 66:C745 EC 1000 mov word ptr ss:[ebp-14],10 0040D9CA E8 CBBA0F00 call 屏录专家.0050949A 0040D9CF 8B55 08 mov edx,dword ptr ss:[ebp+8] 0040D9D2 8B45 D8 mov eax,dword ptr ss:[ebp-28] 0040D9D5 05 E8030000 add eax,3E8 0040D9DA 8982 BC130000 mov dword ptr ds:[edx+13BC],eax 0040D9E0 8B4D DC mov ecx,dword ptr ss:[ebp-24] 0040D9E3 64:890D 00000000 mov dword ptr fs:[0],ecx 0040D9EA 5F pop edi 0040D9EB 5E pop esi 0040D9EC 5B pop ebx 0040D9ED 8BE5 mov esp,ebp 0040D9EF 5D pop ebp 0040D9F0 C3 retn 继续跟入:00479B10 00479B10 55 push ebp 00479B11 8BEC mov ebp,esp 00479B13 83C4 E4 add esp,-1C 00479B16 53 push ebx 00479B17 B8 01000000 mov eax,1 ; eax=1 00479B1C 33DB xor ebx,ebx 00479B1E 33C9 xor ecx,ecx 00479B20 33D2 xor edx,edx 00479B22 0FA2 cpuid ; 获取cpuid 00479B24 8955 E4 mov dword ptr ss:[ebp-1C],edx 00479B27 894D E8 mov dword ptr ss:[ebp-18],ecx 00479B2A 8945 EC mov dword ptr ss:[ebp-14],eax 00479B2D B8 03000000 mov eax,3 ; eax=3 00479B32 33DB xor ebx,ebx 00479B34 33C9 xor ecx,ecx 00479B36 33D2 xor edx,edx 00479B38 0FA2 cpuid ; 获取cpuid 00479B3A 8955 F0 mov dword ptr ss:[ebp-10],edx 00479B3D 894D F4 mov dword ptr ss:[ebp-C],ecx 00479B40 895D F8 mov dword ptr ss:[ebp-8],ebx 00479B43 C645 FC 00 mov byte ptr ss:[ebp-4],0 00479B47 6A 19 push 19 00479B49 8D45 E4 lea eax,dword ptr ss:[ebp-1C] 00479B4C 50 push eax 00479B4D 8B55 08 mov edx,dword ptr ss:[ebp+8] 00479B50 52 push edx 00479B51 E8 D23F0800 call 屏录专家.004FDB28 ; 保存上面取得的结果 00479B56 83C4 0C add esp,0C 00479B59 5B pop ebx 00479B5A 8BE5 mov esp,ebp 00479B5C 5D pop ebp 00479B5D C3 retn 好了0040D948 这个CALL 分析完了,总结下,就是获取CPU的信息,然后进行异或运算,得到了一组数据,计为data1 继续分析机器码生成的关键算法吧,累了就先休息下,呵呵. 进入0040DDB0这个call,分析如下: 0040DDB0 55 push ebp 0040DDB1 8BEC mov ebp,esp 0040DDB3 83C4 D4 add esp,-2C 0040DDB6 B8 18125300 mov eax,屏录专家.00531218 0040DDBB 53 push ebx 0040DDBC 56 push esi 0040DDBD 57 push edi 0040DDBE 8B75 08 mov esi,dword ptr ss:[ebp+8] 0040DDC1 E8 FA010F00 call 屏录专家.004FDFC0 0040DDC6 66:C745 E4 0800 mov word ptr ss:[ebp-1C],8 0040DDCC 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DDCF E8 983AFFFF call 屏录专家.0040186C 0040DDD4 FF45 F0 inc dword ptr ss:[ebp-10] 0040DDD7 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040DDDA 66:C745 E4 1400 mov word ptr ss:[ebp-1C],14 0040DDE0 66:C745 E4 2000 mov word ptr ss:[ebp-1C],20 0040DDE6 56 push esi 0040DDE7 E8 803AFFFF call 屏录专家.0040186C 0040DDEC 50 push eax 0040DDED FF45 F0 inc dword ptr ss:[ebp-10] 0040DDF0 E8 03640000 call 屏录专家.004141F8 ; 机器码生成算法，跟进 0040DDF5 83C4 08 add esp,8 0040DDF8 8D55 F8 lea edx,dword ptr ss:[ebp-8] 0040DDFB 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DDFE E8 0DE80F00 call 屏录专家.0050C610 0040DE03 FF4D F0 dec dword ptr ss:[ebp-10] 0040DE06 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0040DE09 BA 02000000 mov edx,2 0040DE0E E8 CDE70F00 call 屏录专家.0050C5E0 0040DE13 6A 15 push 15 0040DE15 E8 7AF50E00 call 屏录专家.004FD394 0040DE1A 59 pop ecx 0040DE1B 8BD8 mov ebx,eax 0040DE1D 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DE20 E8 1F3DFFFF call 屏录专家.00401B44 0040DE25 8BF8 mov edi,eax 0040DE27 33C0 xor eax,eax 0040DE29 56 push esi 0040DE2A 83C9 FF or ecx,FFFFFFFF 0040DE2D F2:AE repne scas byte ptr es:[edi] 0040DE2F F7D1 not ecx 0040DE31 2BF9 sub edi,ecx 0040DE33 8BF3 mov esi,ebx 0040DE35 87F7 xchg edi,esi 0040DE37 8BD1 mov edx,ecx 0040DE39 8BC7 mov eax,edi 0040DE3B C1E9 02 shr ecx,2 0040DE3E 8D45 FC lea eax,dword ptr ss:[ebp-4] 0040DE41 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[es> 0040DE43 8BCA mov ecx,edx 0040DE45 BA 02000000 mov edx,2 0040DE4A 83E1 03 and ecx,3 0040DE4D F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi] 0040DE4F 5E pop esi 0040DE50 C643 14 00 mov byte ptr ds:[ebx+14],0 0040DE54 81C3 664E0000 add ebx,4E66 0040DE5A 899E A0130000 mov dword ptr ds:[esi+13A0],ebx 0040DE60 FF4D F0 dec dword ptr ss:[ebp-10] 0040DE63 E8 78E70F00 call 屏录专家.0050C5E0 0040DE68 8B4D D4 mov ecx,dword ptr ss:[ebp-2C] 0040DE6B 64:890D 00000000 mov dword ptr fs:[0],ecx 0040DE72 5F pop edi 0040DE73 5E pop esi 0040DE74 5B pop ebx 0040DE75 8BE5 mov esp,ebp 0040DE77 5D pop ebp 0040DE78 C3 retn 继续跟入:004141F8 004141F8 55 push ebp 004141F9 8BEC mov ebp,esp 004141FB 81C4 C0F7FFFF add esp,-840 00414201 B8 30195300 mov eax,屏录专家.00531930 00414206 53 push ebx 00414207 56 push esi 00414208 57 push edi 00414209 8B75 0C mov esi,dword ptr ss:[ebp+C] 0041420C E8 AF9D0E00 call 屏录专家.004FDFC0 00414211 68 00040000 push 400 00414216 6A 00 push 0 00414218 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] 0041421E 52 push edx 0041421F E8 74990E00 call 屏录专家.004FDB98 00414224 83C4 0C add esp,0C 00414227 8D8D C0F7FFFF lea ecx,dword ptr ss:[ebp-840] 0041422D 68 00040000 push 400 00414232 6A 00 push 0 00414234 51 push ecx 00414235 E8 5E990E00 call 屏录专家.004FDB98 0041423A 83C4 0C add esp,0C 0041423D 8D45 C0 lea eax,dword ptr ss:[ebp-40] 00414240 C686 140C0000 01 mov byte ptr ds:[esi+C14],1 00414247 50 push eax 00414248 56 push esi 00414249 E8 5EA40200 call 屏录专家.0043E6AC ; 复制data1(前面取得的cpu信息处理后的数据)到新的地方 0041424E 83C4 08 add esp,8 00414251 80BE 140C0000 01 cmp byte ptr ds:[esi+C14],1 00414258 0F85 63010000 jnz 屏录专家.004143C1 0041425E 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] 00414264 52 push edx 00414265 56 push esi 00414266 E8 ADA40200 call 屏录专家.0043E718 ; 获取硬盘序列号str1 0041426B 83C4 08 add esp,8 0041426E 83F8 FF cmp eax,-1 00414271 0F85 C3000000 jnz 屏录专家.0041433A 00414277 66:C745 DC 0800 mov word ptr ss:[ebp-24],8 0041427D BA E0515200 mov edx,屏录专家.005251E0 00414282 8D45 FC lea eax,dword ptr ss:[ebp-4] 00414285 E8 1E810F00 call 屏录专家.0050C3A8 0041428A FF45 E8 inc dword ptr ss:[ebp-18] 0041428D 8D55 FC lea edx,dword ptr ss:[ebp-4] 00414290 8D9E 100C0000 lea ebx,dword ptr ds:[esi+C10] 00414296 8BC3 mov eax,ebx 00414298 E8 3F840F00 call 屏录专家.0050C6DC 0041429D 50 push eax 0041429E FF4D E8 dec dword ptr ss:[ebp-18] 004142A1 8D45 FC lea eax,dword ptr ss:[ebp-4] 004142A4 BA 02000000 mov edx,2 004142A9 E8 32830F00 call 屏录专家.0050C5E0 004142AE 59 pop ecx 004142AF 84C9 test cl,cl 004142B1 74 33 je short 屏录专家.004142E6 004142B3 8BC3 mov eax,ebx 004142B5 E8 8AD8FEFF call 屏录专家.00401B44 004142BA 8BF8 mov edi,eax 004142BC 33C0 xor eax,eax 004142BE 56 push esi 004142BF 83C9 FF or ecx,FFFFFFFF 004142C2 F2:AE repne scas byte ptr es:[edi] 004142C4 F7D1 not ecx 004142C6 2BF9 sub edi,ecx 004142C8 8DB5 C0FBFFFF lea esi,dword ptr ss:[ebp-440] 004142CE 87F7 xchg edi,esi 004142D0 8BD1 mov edx,ecx 004142D2 8BC7 mov eax,edi 004142D4 C1E9 02 shr ecx,2 004142D7 F3:A5 rep movs dword ptr es:[edi],dword ptr> 004142D9 8BCA mov ecx,edx 004142DB 83E1 03 and ecx,3 004142DE F3:A4 rep movs byte ptr es:[edi],byte ptr d> 004142E0 5E pop esi 004142E1 E9 DB000000 jmp 屏录专家.004143C1 004142E6 66:C745 DC 1400 mov word ptr ss:[ebp-24],14 004142EC BA E1515200 mov edx,屏录专家.005251E1 004142F1 8D45 F8 lea eax,dword ptr ss:[ebp-8] 004142F4 E8 AF800F00 call 屏录专家.0050C3A8 004142F9 FF45 E8 inc dword ptr ss:[ebp-18] 004142FC 8D55 F8 lea edx,dword ptr ss:[ebp-8] 004142FF 8B45 08 mov eax,dword ptr ss:[ebp+8] 00414302 E8 09830F00 call 屏录专家.0050C610 00414307 8B45 08 mov eax,dword ptr ss:[ebp+8] 0041430A BA 02000000 mov edx,2 0041430F 66:C745 DC 2000 mov word ptr ss:[ebp-24],20 00414315 50 push eax 00414316 8D45 F8 lea eax,dword ptr ss:[ebp-8] 00414319 FF4D E8 dec dword ptr ss:[ebp-18] 0041431C E8 BF820F00 call 屏录专家.0050C5E0 00414321 58 pop eax 00414322 66:C745 DC 1400 mov word ptr ss:[ebp-24],14 00414328 FF45 E8 inc dword ptr ss:[ebp-18] 0041432B 8B55 CC mov edx,dword ptr ss:[ebp-34] 0041432E 64:8915 00000000 mov dword ptr fs:[0],edx 00414335 E9 BB010000 jmp 屏录专家.004144F5 0041433A 83F8 FE cmp eax,-2 0041433D 75 54 jnz short 屏录专家.00414393 0041433F 66:C745 DC 2C00 mov word ptr ss:[ebp-24],2C 00414345 BA F4515200 mov edx,屏录专家.005251F4 0041434A 8D45 F4 lea eax,dword ptr ss:[ebp-C] 0041434D E8 56800F00 call 屏录专家.0050C3A8 00414352 FF45 E8 inc dword ptr ss:[ebp-18] 00414355 8D55 F4 lea edx,dword ptr ss:[ebp-C] 00414358 8B45 08 mov eax,dword ptr ss:[ebp+8] 0041435B E8 B0820F00 call 屏录专家.0050C610 00414360 8B45 08 mov eax,dword ptr ss:[ebp+8] 00414363 BA 02000000 mov edx,2 00414368 66:C745 DC 3800 mov word ptr ss:[ebp-24],38 0041436E 50 push eax 0041436F 8D45 F4 lea eax,dword ptr ss:[ebp-C] 00414372 FF4D E8 dec dword ptr ss:[ebp-18] 00414375 E8 66820F00 call 屏录专家.0050C5E0 0041437A 58 pop eax 0041437B 66:C745 DC 2C00 mov word ptr ss:[ebp-24],2C 00414381 FF45 E8 inc dword ptr ss:[ebp-18] 00414384 8B55 CC mov edx,dword ptr ss:[ebp-34] 00414387 64:8915 00000000 mov dword ptr fs:[0],edx 0041438E E9 62010000 jmp 屏录专家.004144F5 00414393 85C0 test eax,eax 00414395 75 09 jnz short 屏录专家.004143A0 00414397 C686 140C0000 00 mov byte ptr ds:[esi+C14],0 0041439E EB 21 jmp short 屏录专家.004143C1 004143A0 33DB xor ebx,ebx ; EBX=0 004143A2 8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440] ; ECX=出现一个重要的字符串(20位)=硬盘序列号 004143A8 0FBE01 movsx eax,byte ptr ds:[ecx] ; 按位取ECX数据到EAX 004143AB 99 cdq ; EDX=0 004143AC BF 0A000000 mov edi,0A ; EDI=A 004143B1 43 inc ebx ; EBX+1 004143B2 F7FF idiv edi ; EDX=EAX MOD A 004143B4 8BC2 mov eax,edx ; EAX=EDX 004143B6 83C0 30 add eax,30 ; EAX=EAX+30H 004143B9 8801 mov byte ptr ds:[ecx],al ; 按位覆盖ecx 004143BB 41 inc ecx ; ECX+1 004143BC 83FB 14 cmp ebx,14 ; EBX<20? 004143BF ^ 7C E7 jl short 屏录专家.004143A8 ; <就继续循环 004143C1 80BE 140C0000 00 cmp byte ptr ds:[esi+C14],0 ; 设处理后的数据为str2 004143C8 0F85 B0000000 jnz 屏录专家.0041447E 004143CE 8D95 C0F7FFFF lea edx,dword ptr ss:[ebp-840] 004143D4 68 00040000 push 400 004143D9 52 push edx 004143DA 6A 00 push 0 004143DC 8D4D C8 lea ecx,dword ptr ss:[ebp-38] 004143DF 6A 00 push 0 004143E1 51 push ecx 004143E2 8D85 C0FBFFFF lea eax,dword ptr ss:[ebp-440] 004143E8 68 00040000 push 400 004143ED 50 push eax 004143EE 68 FF515200 push 屏录专家.005251FF ; ASCII "c:/" 004143F3 E8 DCC41000 call <jmp.&KERNEL32.GetVolumeInformat> 004143F8 8B45 C8 mov eax,dword ptr ss:[ebp-38] 004143FB 33D2 xor edx,edx 004143FD B9 58000000 mov ecx,58 00414402 BB 58000000 mov ebx,58 00414407 F7F1 div ecx 00414409 8BC8 mov ecx,eax 0041440B 8B45 C8 mov eax,dword ptr ss:[ebp-38] 0041440E 33D2 xor edx,edx 00414410 F7F3 div ebx 00414412 03CA add ecx,edx 00414414 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] 0041441A 81C1 75D22D01 add ecx,12DD275 00414420 894D C8 mov dword ptr ss:[ebp-38],ecx 00414423 8B45 C8 mov eax,dword ptr ss:[ebp-38] 00414426 50 push eax 00414427 68 03525200 push 屏录专家.00525203 ; ASCII "%u" 0041442C 52 push edx 0041442D E8 B2CE0E00 call 屏录专家.005012E4 00414432 83C4 0C add esp,0C 00414435 8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440] 0041443B 51 push ecx 0041443C E8 8B980E00 call 屏录专家.004FDCCC 00414441 59 pop ecx 00414442 83F8 03 cmp eax,3 00414445 7C 18 jl short 屏录专家.0041445F 00414447 8A95 C2FBFFFF mov dl,byte ptr ss:[ebp-43E] 0041444D 8A8D C0FBFFFF mov cl,byte ptr ss:[ebp-440] 00414453 888D C2FBFFFF mov byte ptr ss:[ebp-43E],cl 00414459 8895 C0FBFFFF mov byte ptr ss:[ebp-440],dl 0041445F 8BD8 mov ebx,eax 00414461 8D841D C0FBFFFF lea eax,dword ptr ss:[ebp+ebx-440] 00414468 83FB 14 cmp ebx,14 0041446B 7D 0A jge short 屏录专家.00414477 0041446D C600 37 mov byte ptr ds:[eax],37 00414470 43 inc ebx 00414471 40 inc eax 00414472 83FB 14 cmp ebx,14 00414475 ^ 7C F6 jl short 屏录专家.0041446D 00414477 C685 D4FBFFFF 00 mov byte ptr ss:[ebp-42C],0 ; 下面再次计算机起码前2-5位 0041447E 33DB xor ebx,ebx ; EBX=0 00414480 8D8D C1FBFFFF lea ecx,dword ptr ss:[ebp-43F] ; ECX=str2(从第2位开始) 00414486 8D75 C0 lea esi,dword ptr ss:[ebp-40] 00414489 8A06 mov al,byte ptr ds:[esi] ; AL=按字节取data1 0041448B BF 0A000000 mov edi,0A ; EDI=A 00414490 3001 xor byte ptr ds:[ecx],al ; str2按位与AL抑或 00414492 0FBE01 movsx eax,byte ptr ds:[ecx] ; 按字节取ecx 00414495 33D2 xor edx,edx ; edx=0 00414497 46 inc esi ; esi+1 00414498 F7F7 div edi ; edx=al mod edi 0041449A 80C2 30 add dl,30 ; dl=dl+30h 0041449D 43 inc ebx ; ebx=ebx+1 0041449E 8811 mov byte ptr ds:[ecx],dl ; 保存 004144A0 41 inc ecx ; ecx=ecx+1 004144A1 83FB 04 cmp ebx,4 ; ebx和4比较 004144A4 ^ 7C E3 jl short 屏录专家.00414489 ; <4就回跳 004144A6 66:C745 DC 4400 mov word ptr ss:[ebp-24],44 004144AC 8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440] ; edx=机器码 004144B2 8D45 F0 lea eax,dword ptr ss:[ebp-10] 004144B5 E8 EE7E0F00 call 屏录专家.0050C3A8 004144BA 8BD0 mov edx,eax 004144BC FF45 E8 inc dword ptr ss:[ebp-18] 004144BF 8B45 08 mov eax,dword ptr ss:[ebp+8] 004144C2 E8 49810F00 call 屏录专家.0050C610 004144C7 8B45 08 mov eax,dword ptr ss:[ebp+8] 004144CA BA 02000000 mov edx,2 004144CF 66:C745 DC 5000 mov word ptr ss:[ebp-24],50 004144D5 50 push eax 004144D6 8D45 F0 lea eax,dword ptr ss:[ebp-10] 004144D9 FF4D E8 dec dword ptr ss:[ebp-18] 004144DC E8 FF800F00 call 屏录专家.0050C5E0 004144E1 58 pop eax 004144E2 66:C745 DC 4400 mov word ptr ss:[ebp-24],44 004144E8 FF45 E8 inc dword ptr ss:[ebp-18] 004144EB 8B55 CC mov edx,dword ptr ss:[ebp-34] 004144EE 64:8915 00000000 mov dword ptr fs:[0],edx 004144F5 5F pop edi 004144F6 5E pop esi 004144F7 5B pop ebx 004144F8 8BE5 mov esp,ebp 004144FA 5D pop ebp 004144FB C3 retn 2007-4-6 15:49 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 3 楼获取硬盘序列号的call我就不跟进去了,跟进去一看就很明显了,就是那几个熟悉的api函数,不熟悉的话,上百度也行. 好了,机器码生成算法这个老大难的问题现在已经解决的,我们总结一下: 说白乐,就是把硬盘序列号和cpuid进行运算生成的一组20位的数据.后面的注册机代码里面会详细写的. 回到我们上面快要分析完的地方再接着说. 今天先休息了,明天我们接着讨论,88! 我们继续吧，新的一天，要有新的收获！这是最后一部分的分析结果。先看了再讨论。 00443370 E8 CFE7FBFF call 屏录专家.00401B44 00443375 57 push edi 00443376 8BF8 mov edi,eax 00443378 33C0 xor eax,eax 0044337A 83C9 FF or ecx,FFFFFFFF 0044337D F2:AE repne scas byte ptr es:[edi] 0044337F F7D1 not ecx 00443381 2BF9 sub edi,ecx 00443383 8DB5 ACFEFFFF lea esi,dword ptr ss:[ebp-154] 00443389 87F7 xchg edi,esi 0044338B 8BD1 mov edx,ecx 0044338D 8BC7 mov eax,edi 0044338F C1E9 02 shr ecx,2 00443392 8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-154] 00443398 F3:A5 rep movs dword ptr es:[edi],dword > 0044339A 8BCA mov ecx,edx 0044339C 83E1 03 and ecx,3 0044339F F3:A4 rep movs byte ptr es:[edi],byte pt> 004433A1 5F pop edi 004433A2 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax 004433A8 8DB5 08FFFFFF lea esi,dword ptr ss:[ebp-F8] ; esi=X的10进制字符串 004433AE 33DB xor ebx,ebx ; EBX=0 004433B0 8B95 20FFFFFF mov edx,dword ptr ss:[ebp-E0] 004433B6 0FBE06 movsx eax,byte ptr ds:[esi] ; eax=按位取esi ascii码 004433B9 0FBE0A movsx ecx,byte ptr ds:[edx] ; ecx=按位取str的ascii码 004433BC 83C1 EC add ecx,-14 ; ecx=ecx-14H 004433BF 3BC1 cmp eax,ecx ; 这里慢慢构造吧！ 004433C1 0F85 80000000 jnz 屏录专家.00443447 ; EDI=X 004433C7 83FB 03 cmp ebx,3 ; ebx=3? 004433CA 75 6A jnz short 屏录专家.00443436 ; 不是3就跳 004433CC 81C7 444D0000 add edi,4D44 ; EDI=EDI+4D44H 004433D2 89BD A8FAFFFF mov dword ptr ss:[ebp-558],edi 004433D8 DB85 A8FAFFFF fild dword ptr ss:[ebp-558] 004433DE DC0D DC3E4400 fmul qword ptr ds:[443EDC] 004433E4 DB2D E43E4400 fld tbyte ptr ds:[443EE4] 004433EA DEC9 fmulp st(1),st 004433EC E8 E7180C00 call 屏录专家.00504CD8 ; EAX=EDI3.140.1594896331738437110 004433F1 8BF8 mov edi,eax ; EDI=EAX 004433F3 8BC7 mov eax,edi 004433F5 B9 A0860100 mov ecx,186A0 ; ECX=186A0H 004433FA 99 cdq 004433FB F7F9 idiv ecx ; EDX=EAX mod ECX 004433FD 8BFA mov edi,edx ; EDI=EDX 004433FF 33C0 xor eax,eax ; EAX=0 00443401 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax ; [EBP-D4]=EAX 00443407 33D2 xor edx,edx ; EDX=0，循环变量 00443409 8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-154] ; [ebp-154]的数据就是试验码被处理后的那20位数据 0044340F 0FBE08 movsx ecx,byte ptr ds:[eax] ; [EBP-D4]=上面数据前19位相加 00443412 018D 2CFFFFFF add dword ptr ss:[ebp-D4],ecx 00443418 42 inc edx 00443419 40 inc eax 0044341A 83FA 13 cmp edx,13 0044341D ^ 7C F0 jl short 屏录专家.0044340F 0044341F 8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-D4] ; EAX=[EBP-D4] 00443425 B9 0A000000 mov ecx,0A ; ECX=A 0044342A 99 cdq ; EDX=0 0044342B F7F9 idiv ecx ; EDX=EAX MOD ECX 0044342D 83C2 30 add edx,30 ; EDX=EDX+48 00443430 8995 2CFFFFFF mov dword ptr ss:[ebp-D4],edx ; [EBP-D4]=EDX 00443436 43 inc ebx ; ebx++ 00443437 FF85 20FFFFFF inc dword ptr ss:[ebp-E0] 0044343D 46 inc esi ; esi++ 0044343E 83FB 05 cmp ebx,5 ; ebx<5就跳回去 00443441 ^ 0F8C 69FFFFFF jl 屏录专家.004433B0 00443447 83FB 05 cmp ebx,5 0044344A 0F8C BB090000 jl 屏录专家.00443E0B ; 跳向死亡 00443450 0FBE85 BFFEFFFF movsx eax,byte ptr ss:[ebp-141] ; eax=20位字符串的最后一位 00443457 3B85 2CFFFFFF cmp eax,dword ptr ss:[ebp-D4] ; 上面计算的结果 0044345D 74 09 je short 屏录专家.00443468 0044345F 83F8 41 cmp eax,41 00443462 0F8C A3090000 jl 屏录专家.00443E0B ; 跳向死亡 00443468 8BC7 mov eax,edi ; eax=edi 0044346A B9 0A000000 mov ecx,0A ; ecx=A 0044346F 99 cdq ; edx=0 00443470 F7F9 idiv ecx ; edx=eax mod ecx 00443472 0FBEB41D ACFEFFFF movsx esi,byte ptr ss:[ebp+ebx-154>; esi=20位字符串的第6位 0044347A 83C6 BF add esi,-41 ; esi=esi-41H 0044347D 2BF2 sub esi,edx ; esi=esi-edx 0044347F 85F6 test esi,esi ; 关键比较 00443481 74 09 je short 屏录专家.0044348C ; 关键跳，跳走就成功 00443483 83FE 08 cmp esi,8 00443486 0F85 F8080000 jnz 屏录专家.00443D84 ; 关键跳，跳走就失败 0044348C 66:C785 44FFFFFF >mov word ptr ss:[ebp-BC],8C 00443495 BA 496B5300 mov edx,屏录专家.00536B49 ; 注册成功，重起验证 0044349A 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 0044349D E8 068F0C00 call 屏录专家.0050C3A8 004434A2 FF85 50FFFFFF inc dword ptr ss:[ebp-B0] 004434A8 8B00 mov eax,dword ptr ds:[eax] 004434AA E8 81250800 call 屏录专家.004C5A30 004434AF FF8D 50FFFFFF dec dword ptr ss:[ebp-B0] 004434B5 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 004434B8 BA 02000000 mov edx,2 004434BD E8 1E910C00 call 屏录专家.0050C5E0 004434C2 8B0D F4265500 mov ecx,dword ptr ds:[5526F4] ; 屏录专家._MainForm 004434C8 8B01 mov eax,dword ptr ds:[ecx] 004434CA C680 38130000 01 mov byte ptr ds:[eax+1338],1 004434D1 68 00040000 push 400 004434D6 8D95 ACFEFFFF lea edx,dword ptr ss:[ebp-154] 004434DC 52 push edx 004434DD E8 F8D30D00 call <jmp.&KERNEL32.GetWindowsDire> 004434E2 68 866B5300 push 屏录专家.00536B86 ; ASCII "/pmlxz7.dll" 004434E7 8D8D ACFEFFFF lea ecx,dword ptr ss:[ebp-154] 004434ED 51 push ecx 004434EE E8 49A70B00 call 屏录专家.004FDC3C ; 在windows目录下写入注册信息，以便重起验证 004434F3 83C4 08 add esp,8 总的来说，这部分的算法很简单，没什么好说的，关键是要找到他的逆运算算法是什么。我们慢慢来分析吧。前面，机器码和用户名进行运算已经产生了一个5位的数据，设为key。这部分的验证和这个五位数据有着密切的关系。我们的注册码的第1位和第2位连接起来，设为str,把str转化为整型，设为m,m+9必须等于key第一位的ascii码+20；于是就有 str[1]:=inttostr(ord(key[1])+20-9)[1]; str[2]:=inttostr(ord(key[1])+20-9)[2]; 同样第3位和第4位运算如下：因为第3位在注册码运算的时候会和第39位互换，所以，这里需要设置第39的数据，第3位我们后面再来算 str[39]:=inttostr(ord(key[2])+20-9-1)[1]; str[4]:=inttostr(ord(key[2])+20-9-1)[2]; 同样第5位和第6位运算如下：因为第5位在注册码运算的时候会和第26位互换，所以，这里需要设置第26的数据，第5位随便写 str[26]:=inttostr(ord(key[3])+20-9-2)[1]; str[6]:=inttostr(ord(key[3])+20-9-2)[2]; 同样第7位和第8位运算如下：注册算法中,他们没有被交换. str[7]:=inttostr(ord(key[4])+20-9-3)[1]; str[8]:=inttostr(ord(key[4])+20-9-3)[2]; 同样第9位和第10位运算如下：因为第10位在注册码运算的时候会和第32位互换，所以，这里需要设置第32的数据，第9位随便写 str[9]:=inttostr(ord(key[5])+20-9-4)[1]; str[32]:=inttostr(ord(key[5])+20-9-4)[2]; 这里说明完了,说一下中间的一部分吧: 先设注册码code,前40位经过变换后得到的字符串为string(20位),string[1]...string[19]ascii码之和为A; 先看正向运算: EDI=strtoint(key)+$4D44; EAX=round(EDI3.140.1594896331738437110-0.5); 注意：这里是取整，不是四舍五入。 EDI=EAX mod 100000; EAX=EDI MOD 10; ESI=string[6]; esi:=esi-41H-eax; 那么验证条件如下: 1:string[20]=(A mod 10)+48; 2:esi必须等于0 现在来推导逆运算...... string[6]=esi =$41+EAX =$41+(round((inttostr(key)+$4D44)3.140.1594896331738437110-0.5) mod 100000) MOD 10 string[20]= strtoint(code[39]+code[40])+19+9; 由于第39位会被第3位换掉,所以,这里需要修改下,就像下面这样. string[20]= strtoint(code[3]+code[40])+19+9; = (A mod 10)+48; ===>code[3] =inttostr((A mod 10)+20)[1]; code[40]=inttostr((A mod 10)+20)[2]; string[6]=strtoint(code[11]+code[12])+5+9; =$41+(round((inttostr(key)+$4D44)3.140.1594896331738437110-0.5) mod 100000) MOD 10; 上面已经分析的优点清楚了，现在可以写注册机了。还需要注意一下的就是：最后五位的生成需要在前面45位都已经算好的情况下再计算。其他的就是去找找取cpuid和硬盘序列号的参考代码了，这了非常感谢 seast 兄弟分享关于 cpuid 的一些知识。下面我拿出注册机的源代码(用户名不支持中文)：大家一起讨论。 ============================================================================================ type TCPUID = array[1..4] of Longint; TVendor = array [0..11] of char; function GetCPUID1 : TCPUID; assembler; register; asm PUSH EBX {Save affected register} PUSH EDI MOV EDI,EAX {@Resukt} MOV EAX,1 DW $A20F {CPUID Command} STOSD {CPUID[1]} MOV EAX,EBX STOSD {CPUID[2]} MOV EAX,ECX STOSD {CPUID[3]} MOV EAX,EDX STOSD {CPUID[4]} POP EDI {Restore registers} POP EBX end; function GetCPUID3 : TCPUID; assembler; register; asm PUSH EBX {Save affected register} PUSH EDI MOV EDI,EAX {@Resukt} MOV EAX,3 DW $A20F {CPUID Command} STOSD {CPUID[1]} MOV EAX,EBX STOSD {CPUID[2]} MOV EAX,ECX STOSD {CPUID[3]} MOV EAX,EDX STOSD {CPUID[4]} POP EDI {Restore registers} POP EBX end; function GetIdeDiskSerialNumber : String; type TSrbIoControl = packed record HeaderLength : ULONG; Signature : Array[0..7] of Char; Timeout : ULONG; ControlCode : ULONG; ReturnCode : ULONG; Length : ULONG; end; SRB_IO_CONTROL = TSrbIoControl; PSrbIoControl = ^TSrbIoControl; TIDERegs = packed record bFeaturesReg : Byte; // Used for specifying SMART "commands". bSectorCountReg : Byte; // IDE sector count register bSectorNumberReg : Byte; // IDE sector number register bCylLowReg : Byte; // IDE low order cylinder value bCylHighReg : Byte; // IDE high order cylinder value bDriveHeadReg : Byte; // IDE drive/head register bCommandReg : Byte; // Actual IDE command. bReserved : Byte; // reserved. Must be zero. end; IDEREGS = TIDERegs; PIDERegs = ^TIDERegs; TSendCmdInParams = packed record cBufferSize : DWORD; irDriveRegs : TIDERegs; bDriveNumber : Byte; bReserved : Array[0..2] of Byte; dwReserved : Array[0..3] of DWORD; bBuffer : Array[0..0] of Byte; end; SENDCMDINPARAMS = TSendCmdInParams; PSendCmdInParams = ^TSendCmdInParams; TIdSector = packed record wGenConfig : Word; wNumCyls : Word; wReserved : Word; wNumHeads : Word; wBytesPerTrack : Word; wBytesPerSector : Word; wSectorsPerTrack : Word; wVendorUnique : Array[0..2] of Word; sSerialNumber : Array[0..19] of Char; wBufferType : Word; wBufferSize : Word; wECCSize : Word; sFirmwareRev : Array[0..7] of Char; sModelNumber : Array[0..39] of Char; wMoreVendorUnique : Word; wDoubleWordIO : Word; wCapabilities : Word; wReserved1 : Word; wPIOTiming : Word; wDMATiming : Word; wBS : Word; wNumCurrentCyls : Word; wNumCurrentHeads : Word; wNumCurrentSectorsPerTrack : Word; ulCurrentSectorCapacity : ULONG; wMultSectorStuff : Word; ulTotalAddressableSectors : ULONG; wSingleWordDMA : Word; wMultiWordDMA : Word; bReserved : Array[0..127] of Byte; end; PIdSector = ^TIdSector; const IDE_ID_FUNCTION = $EC; IDENTIFY_BUFFER_SIZE = 512; DFP_RECEIVE_DRIVE_DATA = $0007c088; IOCTL_SCSI_MINIPORT = $0004d008; IOCTL_SCSI_MINIPORT_IDENTIFY = $001b0501; DataSize = sizeof(TSendCmdInParams)-1+IDENTIFY_BUFFER_SIZE; BufferSize = SizeOf(SRB_IO_CONTROL)+DataSize; W9xBufferSize = IDENTIFY_BUFFER_SIZE+16; var hDevice : THandle; cbBytesReturned : DWORD; pInData : PSendCmdInParams; pOutData : Pointer; // PSendCmdOutParams Buffer : Array[0..BufferSize-1] of Byte; srbControl : TSrbIoControl absolute Buffer; procedure ChangeByteOrder( var Data; Size : Integer ); var ptr : PChar; i : Integer; c : Char; begin ptr := @Data; for i := 0 to (Size shr 1)-1 do begin c := ptr^; ptr^ := (ptr+1)^; (ptr+1)^ := c; Inc(ptr,2); end; end; begin Result := ''; FillChar(Buffer,BufferSize,#0); if Win32Platform=VER_PLATFORM_WIN32_NT then begin // Windows NT, Windows 2000 // Get SCSI port handle hDevice := CreateFile( '\\.\Scsi0:',GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0 ); if hDevice=INVALID_HANDLE_VALUE then Exit; try srbControl.HeaderLength := SizeOf(SRB_IO_CONTROL); System.Move('SCSIDISK',srbControl.Signature,8); srbControl.Timeout := 2; srbControl.Length := DataSize; srbControl.ControlCode := IOCTL_SCSI_MINIPORT_IDENTIFY; pInData := PSendCmdInParams(PChar(@Buffer)+SizeOf(SRB_IO_CONTROL)); pOutData := pInData; with pInData^ do begin cBufferSize := IDENTIFY_BUFFER_SIZE; bDriveNumber := 0; with irDriveRegs do begin bFeaturesReg := 0; bSectorCountReg := 1; bSectorNumberReg := 1; bCylLowReg := 0; bCylHighReg := 0; bDriveHeadReg := $A0; bCommandReg := IDE_ID_FUNCTION; end; end; if not DeviceIoControl( hDevice, IOCTL_SCSI_MINIPORT, @Buffer, BufferSize, @Buffer, BufferSize, cbBytesReturned, nil ) then Exit; finally CloseHandle(hDevice); end; end else begin // Windows 95 OSR2, Windows 98 hDevice := CreateFile( '\\.\SMARTVSD', 0, 0, nil,CREATE_NEW, 0, 0 ); if hDevice=INVALID_HANDLE_VALUE then Exit; try pInData := PSendCmdInParams(@Buffer); pOutData := @pInData^.bBuffer; with pInData^ do begin cBufferSize := IDENTIFY_BUFFER_SIZE; bDriveNumber := 0; with irDriveRegs do begin bFeaturesReg := 0; bSectorCountReg := 1; bSectorNumberReg := 1; bCylLowReg := 0; bCylHighReg := 0; bDriveHeadReg := $A0; bCommandReg := IDE_ID_FUNCTION; end; end; if not DeviceIoControl( hDevice, DFP_RECEIVE_DRIVE_DATA, pInData, SizeOf(TSendCmdInParams)-1, pOutData, W9xBufferSize, cbBytesReturned, nil ) then Exit; finally CloseHandle(hDevice); end; end; with PIdSector(PChar(pOutData)+16)^ do begin ChangeByteOrder(sSerialNumber,SizeOf(sSerialNumber)); SetString(Result,sSerialNumber,SizeOf(sSerialNumber)); end; end; procedure TForm1.Button3Click(Sender: TObject); begin Close; end; {用序列号的前45位验证后5位} {我也是没办法翻译才写成这样的，哎！} function CalcLast5Bit(code:string):string; var k,eax,ecx,dl,edi,i,len:integer; esi,str:string; Label label0043E2B0,label0043E278,label0043E28A,label0043E298, label0043E29A,label0043E2A3,label0043E287; begin len:=length(code); if len<50 then len:=50; k:=1; esi:=code; eax:=0; ecx:=0; label0043E278: if ecx<>$0b26d then goto label0043E2B0; edi:=0; if edi>=len-5 then goto label0043E2B0; label0043E287: inc(ecx); dl:=$80; label0043E28A: if (eax and $00008000)=0 then goto label0043E298; eax:=eax2; eax:=eax xor $00001021; inc(ecx); goto label0043E29A; label0043E298: eax:=eax2; label0043E29A: inc(ecx); if (ord(esi[k])and dl)=0 then goto label0043E2A3; eax:=eax xor $00001021; label0043E2A3: dl:=dl div 2; if dl<>0 then goto label0043E28A; inc(k); inc(edi); if edi<len-5 then goto label0043E287; label0043E2B0: inc(ecx); if ecx<$186a0 then goto label0043E278; str:=''; esi:=inttostr(eax and $0000ffff); for i:=length(esi)+1 to 5 do str:=str+'0'; str:=str+esi; result:=str; end; {试验码的换位和20位验证码的生成} {只处理前40位} function CalcStr20(code:string):string; var temp:char; k,j,eax,edx:integer; begin k:=0; j:=1; temp:=code[3]; code[3]:=code[39]; code[39]:=temp; temp:=code[5]; code[5]:=code[26]; code[26]:=temp; temp:=code[10]; code[10]:=code[32]; code[32]:=temp; while k<40 do begin inc(k); edx:=k div 2; eax:=strtoint(code[k]+code[k+1]); eax:=eax+edx; inc(k); eax:=eax+9; code[j]:=chr(eax and $000000ff); inc(j); end; code[j]:=#0; result:=code; end; {用注册名和机器码，计算5位验证码} function CalcUseName(name,code:string):string; var al,i,edi:integer; str:string; begin setlength(str,21); edi:=0; i:=0; while i<20 do begin if i<length(name)then al:=ord(name[i+1]) else al:=0; al:=al xor ord(code[i+1]); str[i+1]:=chr(al); edi:=ial+edi; inc(i); end; result:=inttostr(edi+$3039); end; {取得机器码} function GetMachineCode:string; var CPUID1,CPUID3:TCPUID; str:string; i,c1,c2,c3,c4:integer; begin str:=GetIdeDiskSerialNumber; for i:=1 to 20 do begin str[i]:=chr((ord(str[i])mod 10)+48); end; CPUID1 := GetCPUID1; CPUID3 := GetCPUID3; CPUID1[4]:=CPUID1[4]xor CPUID1[3]; CPUID1[4]:=CPUID1[4]xor CPUID1[1]; CPUID1[4]:=CPUID1[4]xor CPUID3[4]; CPUID1[4]:=CPUID1[4]xor CPUID3[3]; CPUID1[4]:=CPUID1[4]xor CPUID3[2]; c1:=CPUID1[4]shr 24; c2:=(CPUID1[4]shr 16)and$00ff; c3:=(CPUID1[4]shr 8) and $0000ff; c4:=CPUID1[4]and $000000ff; str[5]:=chr((ord(str[5]) xor c1)mod 10 +48); str[4]:=chr((ord(str[4]) xor c2)mod 10 +48); str[3]:=chr((ord(str[3]) xor c3)mod 10 +48); str[2]:=chr((ord(str[2]) xor c4)mod 10 +48); result:=str; end; {计算注册码} function CalcCode(key:string):string; var str,s:string; i,num,eax,edi:integer; begin str:='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; str[1]:=inttostr(ord(key[1])+20-9)[1]; str[2]:=inttostr(ord(key[1])+20-9)[2]; str[39]:=inttostr(ord(key[2])+20-9-1)[1]; str[4]:=inttostr(ord(key[2])+20-9-1)[2]; str[26]:=inttostr(ord(key[3])+20-9-2)[1]; str[6]:=inttostr(ord(key[3])+20-9-2)[2]; str[7]:=inttostr(ord(key[4])+20-9-3)[1]; str[8]:=inttostr(ord(key[4])+20-9-3)[2]; str[9]:=inttostr(ord(key[5])+20-9-4)[1]; str[32]:=inttostr(ord(key[5])+20-9-4)[2]; for i:=1 to 45 do if str[i]='x' then str[i]:=chr(random(10)+48); edi:=strtoint(key)+$4D44; eax:=round(edi3.14*0.1594896331738437110-0.5); edi:=eax mod 100000; eax:=edi MOD 10; eax:=eax+$41-14; s:=inttostr(eax); str[11]:=s[1]; str[12]:=s[2]; s:=CalcStr20(str); num:=0; for i:=1 to 19 do num:=num+ord(s[i]); s:=inttostr((num mod 10)+20); str[3]:=s[1]; str[40]:=s[2]; str:=str+CalcLast5Bit(str); result:=str; end; procedure TForm1.Button1Click(Sender: TObject); var key,code,name:string; i:integer; begin name:=edit1.text; for i:=1 to length(name) do if ord(name[i])>127 then begin Application.MessageBox('别欺负我,我不知道中文名字怎么算!','提示',MB_ICONINFORMATION+MB_OK); edit1.Text:=''; Exit; end; if (length(name)<1)or(length(name)>19) then begin Application.MessageBox('注册名长度为1-19位','提示',MB_ICONINFORMATION+MB_OK); Exit; end; key:=GetMachineCode; key:=CalcUseName(name,key); code:=CalcCode(key); edit2.text:=code; end; 好了，文章就到这里了，呵呵！感觉不错！ -------------------------------------------------------------------------------- 【经验总结】这次破解让我的耐心增添不少. -------------------------------------------------------------------------------- 【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢! 2007年04月06日 15:31:54 2007-4-6 15:53 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 4 楼注册信息保存在windows目录的pmlxz7.dll文件中,删除这个文件后,可以再玩一次! 本想一贴给贴完的,后来发现不行,估计是字太多了(100000多), 只好分3贴给贴出来. 2007-4-6 16:06 0
wynney 雪币： 224 活跃值： (147) 能力值： ( LV9，RANK：970 ) 在线值：发帖 65 回帖 1109 粉丝 7 关注私信	wynney 24 5 楼算法好象跟以前版本没多大的变化 2007-4-6 16:07 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 6 楼不知道,没有研究过以前的哪个东西! 呵呵! 2007-4-6 16:09 0
tzl 雪币： 242 活跃值： (1664) 能力值： ( LV9，RANK：410 ) 在线值：发帖 21 回帖 532 粉丝 0 关注私信	tzl 10 7 楼学习,不过注册机好象不准发的吧! 2007-4-6 16:23 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 8 楼那我就删除掉! 2007-4-6 16:29 0
KuNgBiM 雪币： 817 活跃值： (1927) 能力值： ( LV12，RANK：2670 ) 在线值：发帖 500 回帖 2517 粉丝 22 关注私信	KuNgBiM 66 9 楼机机代码可以留下 2007-4-6 16:36 0
tzl 雪币： 242 活跃值： (1664) 能力值： ( LV9，RANK：410 ) 在线值：发帖 21 回帖 532 粉丝 0 关注私信	tzl 10 10 楼老K说的对 2007-4-6 16:37 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 11 楼留下咯, 嘿嘿! 2007-4-6 16:47 0
BlueT 雪币： 517 活跃值： (35) 能力值： ( LV6，RANK：90 ) 在线值：发帖 8 回帖 883 粉丝 0 关注私信	BlueT 2 12 楼大多数的算法注册机都不是真正的注册机，测试时不能只看一次两次的录像中是否有未注册字样。每次至少要录像5个以上才能看得出来。不知道这次研究时注意到了没有？！ 2007-4-6 18:44 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 13 楼来晚了，机机冇下到严重支持，耐心真好 2007-4-6 19:36 0
海风月影雪币： 7309 活跃值： (3788) 能力值： (RANK：1130 ) 在线值：发帖 93 回帖 2308 粉丝 119 关注私信	海风月影 22 14 楼 10W字，要支持一下 2007-4-6 19:41 0
壹只老虎雪币： 112 活跃值： (16) 能力值： ( LV9，RANK：290 ) 在线值：发帖 38 回帖 709 粉丝 3 关注私信	壹只老虎 7 15 楼多谢兄弟指点!的确存在问题,只是没有想到! 我在看看怎么去除! 2007-4-6 20:09 0
坚持到底雪币： 538 活跃值： (460) 能力值： ( LV9，RANK：290 ) 在线值：发帖 12 回帖 245 粉丝 2 关注私信	坚持到底 7 16 楼支持下，等有空自己跟一下，学习之！！ 2007-4-6 21:25 0
卡秋莎雪币： 144 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 57 回帖 424 粉丝 0 关注私信	卡秋莎 17 楼支持啊真快啊：） 2007-4-6 21:38 0
wmjm 雪币： 217 活跃值： (28) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 72 粉丝 0 关注私信	wmjm 18 楼文章很长，需要慢慢学习，谢谢。 2007-4-7 00:41 0
菜儿雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 193 粉丝 0 关注私信	菜儿 19 楼精彩的分析.....透彻.....辛苦了... 2007-4-7 07:13 0
Nisy 雪币： 167 活跃值： (1574) 能力值： ( LV9，RANK：250 ) 在线值：发帖 68 回帖 668 粉丝 42 关注私信	Nisy 5 20 楼兄弟真有耐心佩服佩服~~ 2007-4-7 08:25 0
playboyjin 雪币： 264 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 74 粉丝 0 关注私信	playboyjin 21 楼呵呵，，好文。强的说。。。 2007-4-7 08:46 0
风间仁雪币： 29249 活跃值： (7769) 能力值： ( LV15，RANK：3306 ) 在线值：发帖 111 回帖 591 粉丝 83 关注私信	风间仁 19 22 楼这软件暗桩不少 2007-4-7 09:24 0
myselfsky 雪币： 200 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	myselfsky 23 楼强贴,支持! 2007-4-7 09:56 0
wofan[OCN] 雪币： 2943 活跃值： (1788) 能力值： ( LV9，RANK：850 ) 在线值：发帖 55 回帖 808 粉丝 8 关注私信	wofan[OCN] 21 24 楼的确！！！！有空时一定要玩玩它，至少也得弄个自已用的注册码吧。听楼上有人说老版本也没有一个真正的注册机。试一下硬盘中的那个6.0版，果如他所说。 2007-4-7 10:15 0
binbinbin 雪币： 405 活跃值： (10) 能力值： ( LV9，RANK：1130 ) 在线值：发帖 51 回帖 690 粉丝 0 关注私信	binbinbin 28 25 楼楼主辛苦拉收藏下来先 2007-4-7 10:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复