3 楼
0048DBEC处是关键call,跟进
--------------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; 0048DBEC  (OllyDbg listing; author's notes translated and expanded by the reviewer)
; Inputs appear to arrive in registers: eax (kept in edi, forwarded to 0048CD60),
; edx = the username string, ecx = pointer that receives the result string (kept in
; ebx, pushed as the stack argument of 0048CD60, read back via [ebx] afterwards).
; This looks like the Borland/Delphi register convention -- inferred, not confirmed
; by the dump itself.
; Flow: username + constant "Jt^S0Mvx5C1" -> split in half and swap the halves ->
; two substrings -> 0048CD60 produces a hex string -> three 5-char pieces and two
; separators are joined by 00404A58 into the final code.
; Locals: eight dwords [ebp-4]..[ebp-20], zeroed by the run of "push 0" below.
; An fs:[0] exception-handler record (handler 0048DD47) brackets the body; the
; cleanup path starts at 0048DD39 and the epilogue at 0048DD4E.
; Design note: every input to this check is available client-side and the salt is a
; constant, so the value is fully determined by the username -- that is the structural
; weakness the analysis relies on.
; ---------------------------------------------------------------------------
0048DBEC /$ 55 push ebp
0048DBED |. 8BEC mov ebp, esp
0048DBEF |. 6A 00 push 0 ; eight "push 0": locals [ebp-4]..[ebp-20] start out as zero
0048DBF1 |. 6A 00 push 0
0048DBF3 |. 6A 00 push 0
0048DBF5 |. 6A 00 push 0
0048DBF7 |. 6A 00 push 0
0048DBF9 |. 6A 00 push 0
0048DBFB |. 6A 00 push 0
0048DBFD |. 6A 00 push 0
0048DBFF |. 53 push ebx ; save callee-saved ebx/esi/edi
0048DC00 |. 56 push esi
0048DC01 |. 57 push edi
0048DC02 |. 8BD9 mov ebx, ecx ; ebx = result pointer (pushed at 0048DCC0, dereferenced from 0048DCD2 on)
0048DC04 |. 8955 FC mov dword ptr [ebp-4], edx ; [ebp-4] = the username entered (author's trace: "foresee")
0048DC07 |. 8BF8 mov edi, eax ; keep the eax argument; it is forwarded to 0048CD60 at 0048DCC7
0048DC09 |. 8B45 FC mov eax, dword ptr [ebp-4] ; eax = username
0048DC0C |. E8 6F6FF7FF call 00404B80 ; author: checks whether the username is empty
0048DC11 |. 33C0 xor eax, eax ; eax = 0, used as the fs:[0] offset below
0048DC13 |. 55 push ebp
0048DC14 |. 68 47DD4800 push 0048DD47 ; handler address for the exception frame
0048DC19 |. 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0]
0048DC1C |. 64:8920 mov dword ptr fs:[eax], esp ; install the new handler record
0048DC1F |. 8D45 FC lea eax, dword ptr [ebp-4] ; eax = &[ebp-4]; the string is updated in place
0048DC22 |. BA 60DD4800 mov edx, 0048DD60 ; edx = constant string "Jt^S0Mvx5C1" (ASCII shown at 0048DCB3)
0048DC27 |. E8 746DF7FF call 004049A0 ; author: appends the constant string to the username
0048DC2C |. 8B45 FC mov eax, dword ptr [ebp-4] ; eax = username + "Jt^S0Mvx5C1" (trace: "foreseeJt^S0Mvx5C1")
0048DC2F |. E8 646DF7FF call 00404998 ; author: returns the string length
0048DC34 |. 8BF0 mov esi, eax
0048DC36 |. D1FE sar esi, 1 ; esi = length / 2 (trace: 18 / 2 = 9)
0048DC38 |. 79 03 jns short 0048DC3D ; jns: taken when the sign flag is clear (non-negative)
0048DC3A |. 83D6 00 adc esi, 0 ; signed-divide fix-up: rounds a negative result toward zero
0048DC3D |> 8D45 F0 lea eax, dword ptr [ebp-10] ; destination for the first half
0048DC40 |. 50 push eax
0048DC41 |. 8BCE mov ecx, esi ; count = half the length
0048DC43 |. BA 01000000 mov edx, 1 ; start position 1
0048DC48 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048DC4B >|. E8 A06FF7FF call 00404BF0 ; author: substring(start=1, count=9) -> [ebp-10] (trace: "foreseeJt")
0048DC50 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; first half
0048DC53 |. 50 push eax ; parked on the stack, popped into ecx at 0048DC73
0048DC54 |. 8D45 EC lea eax, dword ptr [ebp-14] ; destination for the second half (author: stack address 0012F094)
0048DC57 |. 50 push eax
0048DC58 |. 8B45 FC mov eax, dword ptr [ebp-4] ; "foreseeJt^S0Mvx5C1"
0048DC5B |. E8 386DF7FF call 00404998 ; author: length of username + constant string
0048DC60 8BC8 mov ecx, eax ; count = full length
0048DC62 |. 8D56 01 lea edx, dword ptr [esi+1] ; start = half + 1
0048DC65 |. 8B45 FC mov eax, dword ptr [ebp-4] ; "foreseeJt^S0Mvx5C1"
0048DC68 |. E8 836FF7FF call 00404BF0 ; author: substring from half+1 to the end -> [ebp-14] (trace: "^S0Mvx5C1")
0048DC6D |. 8B55 EC mov edx, dword ptr [ebp-14] ; edx = second half ("^S0Mvx5C1")
0048DC70 |. 8D45 FC lea eax, dword ptr [ebp-4] ; destination = [ebp-4]
0048DC73 |. 59 pop ecx ; ecx = first half ("foreseeJt")
0048DC74 |. E8 6B6DF7FF call 004049E4 ; author: joins edx + ecx, i.e. the halves are swapped (trace: "^S0Mvx5C1foreseeJt")
0048DC79 |. 8D45 F8 lea eax, dword ptr [ebp-8] ; destination for the next substring
0048DC7C |. 50 push eax
0048DC7D |. B9 0A000000 mov ecx, 0A ; count = 10
0048DC82 |. BA 01000000 mov edx, 1 ; start = 1
0048DC87 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048DC8A |. E8 616FF7FF call 00404BF0 ; substring(start=1, count=10) -> [ebp-8]; no author note here (its trace value "^S0Mvx5C1f" is shown at 0048CD77)
0048DC8F |. 8D45 F4 lea eax, dword ptr [ebp-C] ; destination for the next substring
0048DC92 |. 50 push eax
0048DC93 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048DC96 |. E8 FD6CF7FF call 00404998 ; length
0048DC9B |. 8BC8 mov ecx, eax ; count = full length
0048DC9D |. BA 06000000 mov edx, 6 ; start = 6
0048DCA2 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048DCA5 |. E8 466FF7FF call 00404BF0 ; author: substring from position 6 to the end -> [ebp-C]
0048DCAA |. 837D F4 00 cmp dword ptr [ebp-C], 0 ; empty string? (trace value: "x5C1foreseeJt")
0048DCAE |. 75 10 jnz short 0048DCC0 ; non-empty: skip the fallback
0048DCB0 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; fallback destination
0048DCB3 |. BA 60DD4800 mov edx, 0048DD60 ; ASCII "Jt^S0Mvx5C1"
0048DCB8 |. 8B4D F8 mov ecx, dword ptr [ebp-8]
0048DCBB |. E8 246DF7FF call 004049E4 ; same join helper as 0048DC74: [ebp-C] = edx + ecx when [ebp-C] was empty
0048DCC0 |> 53 push ebx ; stack argument: result pointer
0048DCC1 |. 8B4D F4 mov ecx, dword ptr [ebp-C] ; ecx = substring from position 6
0048DCC4 |. 8B55 F8 mov edx, dword ptr [ebp-8] ; edx = first 10 chars
0048DCC7 |. 8BC7 mov eax, edi ; eax = the original eax argument
0048DCC9 |. E8 92F0FFFF call 0048CD60 ; author: generates the intermediate code string -- the key routine (listed below)
0048DCCE |. 8D45 E8 lea eax, dword ptr [ebp-18] ; destination
0048DCD1 |. 50 push eax
0048DCD2 |. 8B03 mov eax, dword ptr [ebx] ; string written by 0048CD60
0048DCD4 |. B9 05000000 mov ecx, 5 ; count = 5
0048DCD9 |. BA 01000000 mov edx, 1 ; start = 1
0048DCDE |. E8 0D6FF7FF call 00404BF0 ; author: 5 chars from position 1 (trace: "10027")
0048DCE3 |. FF75 E8 push dword ptr [ebp-18] ; piece 1
0048DCE6 |. 68 74DD4800 push 0048DD74 ; separator string at 0048DD74 (contents not dumped; author says it is "-")
0048DCEB |. 8D45 E4 lea eax, dword ptr [ebp-1C] ; destination
0048DCEE |. 50 push eax
0048DCEF |. 8B03 mov eax, dword ptr [ebx] ; (ASCII "100274F3CB849AE91B19192") -- author's trace value
0048DCF1 |. B9 05000000 mov ecx, 5 ; count = 5
0048DCF6 |. BA 06000000 mov edx, 6 ; start = 6
0048DCFB |. E8 F06EF7FF call 00404BF0 ; author: 5 chars from position 6 (trace: "4F3CB")
0048DD00 |. FF75 E4 push dword ptr [ebp-1C] ; piece 2
0048DD03 |. 68 74DD4800 push 0048DD74 ; separator again
0048DD08 |. 8D45 E0 lea eax, dword ptr [ebp-20] ; destination
0048DD0B |. 50 push eax
0048DD0C |. 8B03 mov eax, dword ptr [ebx]
0048DD0E |. B9 05000000 mov ecx, 5 ; count = 5
0048DD13 |. BA 0B000000 mov edx, 0B ; start = 11
0048DD18 |. E8 D36EF7FF call 00404BF0 ; author: 5 chars from position 11 (trace: "849AE")
0048DD1D |. FF75 E0 push dword ptr [ebp-20] ; piece 3
0048DD20 |. 8BC3 mov eax, ebx ; destination = result pointer
0048DD22 |. BA 05000000 mov edx, 5 ; five pieces were pushed (3 substrings + 2 separators)
0048DD27 |. E8 2C6DF7FF call 00404A58 ; author: concatenates the pieces with "-" after every fifth char -- this is the final registration code
0048DD2C |. 33C0 xor eax, eax
0048DD2E |. 5A pop edx ; the previous fs:[0]
0048DD2F |. 59 pop ecx ; discard the handler address
0048DD30 |. 59 pop ecx ; discard the saved ebp
0048DD31 |. 64:8910 mov dword ptr fs:[eax], edx ; unlink the handler record
0048DD34 |. 68 4EDD4800 push 0048DD4E ; return address for the retn at 0048DD46 -> epilogue
0048DD39 |> 8D45 E0 lea eax, dword ptr [ebp-20] ; first of the string locals
0048DD3C |. BA 08000000 mov edx, 8 ; eight locals
0048DD41 |. E8 BE69F7FF call 00404704 ; presumably releases the 8 string locals [ebp-20]..[ebp-4] (same helper with a count of 2 at 0048CE76) -- not confirmed
0048DD46 \. C3 retn ; pops the 0048DD4E pushed above and continues there
0048DD47 .^ E9 1863F7FF jmp 00404064 ; exception-handler entry (address registered at 0048DC14)
0048DD4C .^ EB EB jmp short 0048DD39 ; after the handler: run the same cleanup
0048DD4E . 5F pop edi ; epilogue: restore callee-saved regs
0048DD4F . 5E pop esi
0048DD50 . 5B pop ebx
0048DD51 . 8BE5 mov esp, ebp
0048DD53 . 5D pop ebp
0048DD54 . C3 retn
----------------------------------------------------
0048DCC9处call也是关键call
4 楼
; ---------------------------------------------------------------------------
; 0048CD60  (called from 0048DCC9; author's notes translated and expanded by the reviewer)
; Inputs: edx -> [ebp-4] (first string, trace "^S0Mvx5C1f"), ecx -> [ebp-8] (second
; string, trace "x5C1foreseeJt"), [ebp+8] = stack argument = result pointer.
; The eax argument is not read before being overwritten at 0048CD77.
; Builds a hex string in [ebp-10]: first "%1.2x" of 0x100, then for each char c of
; the first string: ebx = (ebx + c) mod 0xFF, ebx ^= next char of the second string
; (index cycling 1..len), append "%1.2x" of ebx. The result is copied to *[ebp+8].
; Locals: 0x20 bytes. Same fs:[0] exception-frame pattern as the caller (handler
; 0048CE7C). The epilogue after 0048CE7B is not part of this dump.
; ---------------------------------------------------------------------------
0048CD60 /$ 55 push ebp
0048CD61 |. 8BEC mov ebp, esp
0048CD63 |. 83C4 E0 add esp, -20 ; 0x20 bytes of locals
0048CD66 |. 53 push ebx ; save callee-saved ebx/esi/edi
0048CD67 |. 56 push esi
0048CD68 |. 57 push edi
0048CD69 |. 33DB xor ebx, ebx ; ebx = 0
0048CD6B |. 895D E0 mov dword ptr [ebp-20], ebx ; [ebp-20] = 0 (temp string for one formatted byte)
0048CD6E |. 895D F0 mov dword ptr [ebp-10], ebx ; [ebp-10] = 0 (accumulated output string)
0048CD71 |. 894D F8 mov dword ptr [ebp-8], ecx ; second string
0048CD74 |. 8955 FC mov dword ptr [ebp-4], edx ; first string
0048CD77 |. 8B45 FC mov eax, dword ptr [ebp-4] ; "^S0Mvx5C1f" -> eax (author's trace)
0048CD7A |. E8 017EF7FF call 00404B80 ; same helper the caller applies to the username at 0048DC0C
0048CD7F |. 8B45 F8 mov eax, dword ptr [ebp-8] ; "x5C1foreseeJt"
0048CD82 |. E8 F97DF7FF call 00404B80
0048CD87 |. 33C0 xor eax, eax ; eax = 0, used as the fs:[0] offset
0048CD89 |. 55 push ebp
0048CD8A |. 68 7CCE4800 push 0048CE7C ; handler address
0048CD8F |. 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0]
0048CD92 |. 64:8920 mov dword ptr fs:[eax], esp ; install the handler record
0048CD95 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0048CD98 |. E8 FB7BF7FF call 00404998 ; author: length of [ebp-8]
0048CD9D |. 8945 F4 mov dword ptr [ebp-C], eax ; [ebp-C] = len(second string)
0048CDA0 |. 837D F4 00 cmp dword ptr [ebp-C], 0
0048CDA4 |. 75 0D jnz short 0048CDB3 ; non-empty: keep it
0048CDA6 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0048CDA9 |. BA 94CE4800 mov edx, 0048CE94 ; ASCII "Think Space"
0048CDAE |. E8 C579F7FF call 00404778 ; an empty second string is replaced by "Think Space"; note [ebp-C] is not recomputed, so the index below then stays at 1
0048CDB3 |> 33F6 xor esi, esi ; esi = index into the second string (0 before the first step)
0048CDB5 |. BB 00010000 mov ebx, 100 ; running value starts at 0x100
0048CDBA |. 8D45 F0 lea eax, dword ptr [ebp-10] ; destination = output string
0048CDBD |. 50 push eax ; /eax=0012F054 (author's trace) -- format destination
0048CDBE |. C745 E4 00010>mov dword ptr [ebp-1C], 100 ; | argument record: value 0x100
0048CDC5 |. C645 E8 00 mov byte ptr [ebp-18], 0 ; | argument tag byte = 0
0048CDC9 |. 8D55 E4 lea edx, dword ptr [ebp-1C] ; | edx = &argument record
0048CDCC |. 33C9 xor ecx, ecx ; | ecx = 0 (presumably index of the last argument)
0048CDCE |. B8 A8CE4800 mov eax, 0048CEA8 ; |ASCII "%1.2x"
0048CDD3 |. E8 30CFF7FF call 00409D08 ; \WMAMP3Co.00409D08 -- Format-style call: [ebp-10] = "%1.2x" of 0x100 (trace output starts with "100")
0048CDD8 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048CDDB |. E8 B87BF7FF call 00404998 ; length of the first string
0048CDE0 |. 8BF8 mov edi, eax ; edi = remaining iteration count
0048CDE2 |. 85FF test edi, edi
0048CDE4 |. 7E 60 jle short 0048CE46 ; empty first string: skip the loop
0048CDE6 |. C745 EC 01000>mov dword ptr [ebp-14], 1 ; [ebp-14] = i, 1-based position in the first string
0048CDED |> 8B45 FC /mov eax, dword ptr [ebp-4] ; loop body starts
0048CDF0 |. 8B55 EC |mov edx, dword ptr [ebp-14]
0048CDF3 |. 0FB64410 FF |movzx eax, byte ptr [eax+edx-1] ; eax = first string[i] (zero-extended byte)
0048CDF8 |. 03C3 |add eax, ebx ; eax = ebx + char; ebx starts at 0x100 and carries the remainder between iterations
0048CDFA |. B9 FF000000 |mov ecx, 0FF ; modulus 0xFF
0048CDFF |. 99 |cdq ; sign-extend eax into edx:eax
0048CE00 |. F7F9 |idiv ecx ; signed divide: quotient in eax, remainder in edx
0048CE02 |. 8BDA |mov ebx, edx ; ebx = (ebx + char) mod 0xFF
0048CE04 |. 3B75 F4 |cmp esi, dword ptr [ebp-C] ; advance the second-string index, cycling 1..len
0048CE07 |. 7D 03 |jge short 0048CE0C
0048CE09 |. 46 |inc esi
0048CE0A |. EB 05 |jmp short 0048CE11
0048CE0C |> BE 01000000 |mov esi, 1 ; wrap to the first char
0048CE11 |> 8B45 F8 |mov eax, dword ptr [ebp-8]
0048CE14 |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1] ; eax = second string[esi]
0048CE19 |. 33D8 |xor ebx, eax ; ebx ^= that char
0048CE1B |. 8D45 E0 |lea eax, dword ptr [ebp-20] ; destination for the formatted byte
0048CE1E |. 50 |push eax ; /Arg1
0048CE1F |. 895D E4 |mov dword ptr [ebp-1C], ebx ; | argument record: value = ebx
0048CE22 |. C645 E8 00 |mov byte ptr [ebp-18], 0 ; | tag byte = 0
0048CE26 |. 8D55 E4 |lea edx, dword ptr [ebp-1C] ; |
0048CE29 |. 33C9 |xor ecx, ecx ; |
0048CE2B |. B8 A8CE4800 |mov eax, 0048CEA8 ; |ASCII "%1.2x"
0048CE30 |. E8 D3CEF7FF |call 00409D08 ; \WMAMP3Co.00409D08 -- [ebp-20] = "%1.2x" of ebx
0048CE35 |. 8B55 E0 |mov edx, dword ptr [ebp-20]
0048CE38 |. 8D45 F0 |lea eax, dword ptr [ebp-10]
0048CE3B |. E8 607BF7FF |call 004049A0 ; append [ebp-20] to the output string (same helper the caller uses at 0048DC27)
0048CE40 |. FF45 EC |inc dword ptr [ebp-14] ; i++
0048CE43 |. 4F |dec edi ; author: the loop runs 10 times for this input
0048CE44 |.^ 75 A7 \jnz short 0048CDED
0048CE46 |> 8B45 08 mov eax, dword ptr [ebp+8] ; result pointer (stack argument)
0048CE49 |. 8B55 F0 mov edx, dword ptr [ebp-10] ; the output string (trace: "100274F3CB849AE91B19192")
0048CE4C |. E8 E378F7FF call 00404734 ; copies it to the caller's variable (read back as [ebx] at 0048DCD2)
0048CE51 |. 33C0 xor eax, eax
0048CE53 |. 5A pop edx ; the previous fs:[0]
0048CE54 |. 59 pop ecx ; discard the handler address
0048CE55 |. 59 pop ecx ; discard the saved ebp
0048CE56 |. 64:8910 mov dword ptr fs:[eax], edx ; unlink the handler record
0048CE59 |. 68 83CE4800 push 0048CE83 ; return address for the retn at 0048CE7B (epilogue, outside this dump)
0048CE5E |> 8D45 E0 lea eax, dword ptr [ebp-20]
0048CE61 |. E8 7A78F7FF call 004046E0 ; presumably releases the temp string [ebp-20] -- not confirmed
0048CE66 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0048CE69 |. E8 7278F7FF call 004046E0 ; same for the output string [ebp-10]
0048CE6E |. 8D45 F8 lea eax, dword ptr [ebp-8]
0048CE71 |. BA 02000000 mov edx, 2 ; two string locals: [ebp-8] and [ebp-4]
0048CE76 |. E8 8978F7FF call 00404704 ; same helper as 0048DD41 with a count of 2
0048CE7B \. C3 retn ; continues at 0048CE83 (pushed above)
全文贴完,如有错误,请多多指点,虚心接受大家批语。
5 楼
谢谢看雪大大给加的第一篇精华,以后我会继续努力,争取注释得让大家都能看得懂,也希望大家能指出我的错误,互相鼓励,互相进步。
6 楼
此软件的v5.6.0 汉化版偶曾分析过,见http://bbs.pediy.com/showthread.php?t=34146