[Original] WinHex 14.1 SR-2 Registration Algorithm Analysis
Posted: 2007-5-27 13:34

【Title】: WinHex 14.1 SR-2 Registration Algorithm Analysis
【Author】: kid
【Download】: http://www.x-ways.net/winhex/index-m.html
【Packer】: none
【Tools】: OD
【Software】: No introduction needed, I think
【Author's note】: Just out of interest, no other purpose. Please correct any mistakes!
--------------------------------------------------------------------------------
【Details】
  Not sure whether it's appropriate to discuss this; if not, the mods can just delete it ==
  
  WinHex's registration algorithm is, overall, fairly simple, simple to the point of being nothing more than a checksum (correction: it's actually not that simple ==), and only the first four and the last six characters of key1 are actually used, so we can craft our own license file. As usual, the registration info goes in the file user.txt, with the following structure:
  
  // WinHex license file
  
  Name: "kid"
  Addr1: "kid"
  Addr2: "kid"
  Key1: 1111FF83E6B3901CD8ED43C0544F0E18
  Key2: 46C4FF83E6B3901CD8ED43E2D7DFC60B
  Chksm: 64
  
  The information above is made up; after reading this article you can make your own =-
  When WinHex opens user.txt it uses CreateFileW, and it reads the contents with _lread; keep that in mind when setting breakpoints.
  
  004457B9  PUSH 1000                                         ; /BufSize = 1000 (4096.)
  004457BE  PUSH ESI                                          ; |Buffer
  004457BF  PUSH EDI                                          ; |hFile
  004457C0  CALL <JMP.&kernel32._lread>                       ; \_lread
  004457C5  MOV EDX,DWORD PTR DS:[544C04]                     ;  WinHex.00553F48
  004457CB  MOV DWORD PTR DS:[EDX],EAX
  004457CD  PUSH EDI                                          ; /hObject
  004457CE  CALL <JMP.&kernel32.CloseHandle>                  ; \CloseHandle
  004457D3  MOV EAX,DWORD PTR DS:[544C04]
  004457D8  CMP DWORD PTR DS:[EAX],19
  004457DB  JL SHORT WinHex.0044581C
  004457DD  MOV EAX,ESI
  004457DF  JMP SHORT WinHex.004457EF
  004457E1  /INC EAX                                          ;  preprocess the read-in content: strip CR, LF, comments, etc.
  004457E2  |MOV EDX,EAX
  004457E4  |DEC EDX
  004457E5  |CMP BYTE PTR DS:[EDX],0A
  004457E8  |JE SHORT WinHex.004457EF
  004457EA  |CMP BYTE PTR DS:[EAX],0
  004457ED  |JNZ SHORT WinHex.004457E1
  004457EF   CMP BYTE PTR DS:[EAX],2F
  004457F2  |JNZ SHORT WinHex.004457FF
  004457F4  |LEA EDX,DWORD PTR DS:[EAX+1]
  004457F7  |CMP BYTE PTR DS:[EDX],2F
  004457FA  \JE SHORT WinHex.004457E1
  004457FC  JMP SHORT WinHex.004457FF
  004457FE  /INC EAX
  004457FF   MOV DL,BYTE PTR DS:[EAX]
  00445801  |CMP DL,0A
  00445804  |JE SHORT WinHex.004457FE
  00445806  |CMP DL,0D
  00445809  \JE SHORT WinHex.004457FE
  0044580B  MOV ESI,EAX                                       ;  locate the start of the Name field
  0044580D  PUSH 1
  0044580F  MOV ECX,EBX
  00445811  MOV EDX,DWORD PTR SS:[ESP+4]
  00445815  MOV EAX,ESI
  00445817  CALL WinHex.0051107C                              ;  key call, step into it
  

  
  WinHex.0051107C is where the comparison part of the registration algorithm begins: a long stretch that also calls several functions. First it obtains the string content of each field and stores it in a designated memory region in a fixed layout; the checksum later on is computed over that region.
  
  005111DD  /LEA EAX,DWORD PTR SS:[EBP-10]
  005111E0  |CALL WinHex.00512838
  005111E5  |TEST AL,AL
  005111E7  |JE WinHex.005117E6
  005111ED  |LEA EAX,DWORD PTR SS:[EBP-10]
  005111F0  |XOR EDX,EDX
  005111F2  |CALL WinHex.005129AC
  005111F7  |TEST AL,AL
  005111F9  |JE WinHex.005117E6
  005111FF  |PUSH EBX                                         ; /String2
  00511200  |PUSH WinHex.005589A0                             ; |String1 = "Addr2:"
  00511205  |CALL <JMP.&kernel32.lstrcmpiA>                   ; \lstrcmpiA
  0051120A  |TEST EAX,EAX
  0051120C  |JNZ WinHex.005117E6
  00511212  |LEA EAX,DWORD PTR SS:[EBP-10]
  00511215  |CALL WinHex.00512838                         ;  locate the start of the field
  0051121A  |TEST AL,AL
  0051121C  |JE WinHex.005117E6
  00511222  |LEA EAX,DWORD PTR SS:[EBP-10]
  00511225  |XOR EDX,EDX
  00511227  |CALL WinHex.005129AC                             ;  get the actual string content following the field name
  0051122C  |TEST AL,AL
  0051122E  |JE WinHex.005117E6
  00511234  |MOV EDX,WinHex.005589A0                          ;  ASCII "Addr2:"
  00511239  |MOV EAX,ESI
  0051123B  |CALL WinHex.0053CBA8                             ;  write the content to the designated location
  00511240  |ADD ESI,3D
  00511243  |ADD EBX,7
  00511246  |DEC EDI
  00511247  \JNZ SHORT WinHex.005111DD
  
  CALL WinHex.005129AC is the subroutine that extracts each field's content. Personally I feel the code WinHex uses to extract the field contents isn't written very well (I won't paste it ==); it works entirely by comparing and testing strings. It first pushes the field name, then searches, compares and locates it, skips the colon, spaces and quotes, and everything after that up to 0x0d0a (i.e. CRLF) is the field's content. These contents are placed in a designated memory area, 00553c1c on my machine: Name takes 81 bytes, Addr1 and Addr2 take 61 bytes each, padded with zeros. The two keys are converted to hex values after being read, every two characters combined into one hex byte, and then placed in the designated area.
  
  005112B0  |PUSH 10                                          ; /Arg3 = 00000010
  005112B2  |PUSH 1                                           ; |Arg2 = 00000001
  005112B4  |PUSH 0                                           ; |Arg1 = 00000000
  005112B6  |MOV EDX,EBX                                      ; |
  005112B8  |MOV EAX,WinHex.005589A0                          ; |ASCII "1111FF83E6B3901CD8ED43C0544F0E18"
  005112BD  |OR ECX,FFFFFFFF                                  ; |
  005112C0  |CALL WinHex.0053D9E4                             ; \convert the ASCII characters to hex values and write them to memory
  005112C5  |CMP EAX,10
  005112C8  |JNZ WinHex.005117E6
  
  WinHex.0053D9E4 is too long to paste. WinHex's conversion method is to first push the string "0123456789ABCDEF", then compare each character of the key against it in turn; the character's hex value is its position index. That subroutine is as follows:
  
  0051B97C   PUSH ESI
  0051B97D   XOR ECX,ECX
  0051B97F   XOR ESI,ESI
  0051B981   MOV EDX,DWORD PTR DS:[544EC8]                     ;  WinHex.005446C4, i.e. "0123456789ABCDEF"
  0051B987   /CMP AL,BYTE PTR DS:[EDX]
  0051B989   |JNZ SHORT WinHex.0051B98D
  0051B98B   |MOV ECX,ESI               ; on a match, record the index
  0051B98D   |INC ESI
  0051B98E   |INC EDX
  0051B98F   |CMP ESI,10
  0051B992   \JNZ SHORT WinHex.0051B987
  0051B994   MOV EAX,ECX                  ; pass it to eax
  0051B996   POP ESI
  0051B997   RETN
  
  After it has been written to the designated memory location, we reach this:
  
  005112D7   CMP BYTE PTR DS:[553D96],2
  005112DE   JNZ SHORT WinHex.005112EC
  005112E0   MOV AL,BYTE PTR DS:[553CF4]                       ;  i.e. the hex value of characters 27 and 28 of key1
  005112E5   AND AL,0F                         ;  i.e. only look at character 28 of key1
  005112E7   MOV BYTE PTR DS:[553D96],AL
  005112EC   CMP BYTE PTR DS:[553D96],0B
  005112F3   JB SHORT WinHex.00511307
  005112F5   CMP BYTE PTR DS:[553D96],0F
  005112FC   JA SHORT WinHex.00511307
  005112FE   CMP BYTE PTR DS:[553D96],0E
  00511305   JNZ SHORT WinHex.00511313           ;  so this value must be greater than 0xb, <=0xf, and not 0xe
  00511307   XOR EAX,EAX                                       ;  taking this branch means failure
  00511309   CALL WinHex.005127D4
  0051130E   JMP WinHex.005117E6
  00511313   CMP BYTE PTR DS:[553D96],0C
  0051131A   JNB SHORT WinHex.0051135B           ;  so this value must be >=0xc
  0051131C   MOV EAX,WinHex.00553CF5
  00511321   MOV AX,WORD PTR DS:[EAX]
  00511324   MOV EDX,WinHex.00553CE7
  00511329   XOR AX,WORD PTR DS:[EDX]
  0051132C   CMP AX,4D3
  00511330   JB SHORT WinHex.00511348
  00511332   MOV AL,2B
  00511334   CALL WinHex.0051A870
  00511339   CMP BYTE PTR SS:[EBP-9],0
  0051133D   JNZ SHORT WinHex.0051134F
  0051133F   MOV BYTE PTR DS:[553DED],1
  00511346   JMP SHORT WinHex.0051134F
  00511348   MOV AL,3C
  0051134A   CALL WinHex.0051A870
  0051134F   MOV AL,1
  00511351   CALL WinHex.005127D4
  00511356   JMP WinHex.005117E6
  0051135B   MOV EAX,WinHex.00553CF5                           ;  key1 last WORD
  00511360   MOV AX,WORD PTR DS:[EAX]
  00511363   MOV EDX,WinHex.00553CE7                           ;  key1 first WORD
  00511368   XOR AX,WORD PTR DS:[EDX]
  0051136B   MOV WORD PTR DS:[553F00],AX           ;  remember this: 553F00
  00511371   TEST BYTE PTR DS:[553F01],80                      ;  the top bit must not be 1
  00511378   JE SHORT WinHex.00511398
  
  Continuing on, the Chksm field is read in and converted to a hex value, and we get here:
  
  00511409  XOR ESI,ESI
  0051140B  XOR EDI,EDI                                   ;  sum the contents of the license file
  0051140D  /MOV EAX,WinHex.00553C1C                     ;  ASCII "kid"
  00511412  |ADD EAX,EDI
  00511414  |MOVZX EAX,BYTE PTR DS:[EAX]
  00511417  |ADD ESI,EAX
  00511419  |INC EDI
  0051141A  |CMP EDI,0EB
  00511420  \JNZ SHORT WinHex.0051140D
  00511422   CMP WORD PTR DS:[553F00],36B5         ;  the XOR result from earlier
  0051142B   SETNB BL
  0051142E   CMP WORD PTR DS:[553F00],4021
  00511437   JNB WinHex.005117E6                               ;  one jump and you're dead
  0051143D   LEA EAX,DWORD PTR SS:[EBP-1C]
  00511440   PUSH EAX                                          ; /pFileTime
  00511441   PUSH 0                                            ; |DOSTime = 0
  00511443   MOV AX,WORD PTR DS:[553F00]                       ; |
  00511449   PUSH EAX                                          ; |DOSDate
  0051144A   CALL <JMP.&kernel32.DosDateTimeToFileTime>        ; \DosDateTimeToFileTime
  0051144F   LEA EAX,DWORD PTR SS:[EBP-1C]
  00511452   CALL WinHex.00533DF4
  00511457   MOV EDX,EAX
  00511459   MOV EAX,WinHex.005578FC
  0051145E   CALL WinHex.0053CBA8
  00511463   CMP BYTE PTR DS:[553D96],0F                       ;  in short: just put F as character 28 of key1
  0051146A   JE WinHex.00511565
  
  
  The memory region being checksummed is 0xeb bytes, i.e. 81+61+61+32, and the sum goes into esi. The value of key1's last WORD XOR key1's first WORD must fall within a certain range; you can see this value is a date, the date until which updates are allowed.
  
  00511565   CMP BYTE PTR SS:[EBP-11],0
  00511569   JE WinHex.005115EF
  0051156F   MOV EAX,ESI
  00511571   CMP AL,BYTE PTR DS:[553E13]
  00511577   JE SHORT WinHex.005115EF                          ;  if it differs from the checksum, error
  00511579   MOV AX,2CB
  
  005115EF   CMP BYTE PTR DS:[553D96],0F
  005115F6   JNB SHORT WinHex.00511609
  005115F8   XOR EAX,EAX
  005115FA   MOV AL,BYTE PTR DS:[553CF4]
  005115FF   SHR EAX,4
  00511602   MOV BYTE PTR DS:[553E7B],AL
  00511607   JMP SHORT WinHex.00511618
  00511609   XOR EAX,EAX                              ;  <=
  0051160B   MOV AL,BYTE PTR DS:[553CF4]
  00511610   SHR EAX,5                              ;  equivalent to character 27 of key1 shifted right by 1 bit
  00511613   MOV BYTE PTR DS:[553E7B],AL
  00511618   CMP BYTE PTR DS:[553E7B],6                        ;  must not equal 6
  0051161F   JNZ SHORT WinHex.0051163C
  00511621   MOV BYTE PTR DS:[553E7B],0
  00511628   MOV EAX,WinHex.0051183C         ;  ASCII "License codes not accepted...
  0051162D   MOV EDX,8
  00511632   CALL WinHex.0051B704
  00511637   JMP WinHex.005117E6
  0051163C   CALL WinHex.00510FF4             ; at this point the registration check is finished; the program starts normally with no restrictions
  00511641   MOV EAX,WinHex.0054EA6C
  
  
  Summary:
  As you can see, apart from Chksm and a few specific characters of key1, the rest of the information can basically be anything. Make sure character 28 of key1 is F, that the XOR of the first 4 and last 4 characters falls within the chosen range, and that character 27 is not C, and WinHex's registration check passes.
  If you patch out each of the key-value checks above, it becomes a no-registration version.
  
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the 看雪 (Pediy) forum; when reposting, please credit the author and keep the article intact. Thanks!

                                                       2007-05-27 13:13:31

Latest replies (20)
2
No SHA algorithm and no AES algorithm?
You're underestimating it!
It's not nearly this simple....
2007-5-27 16:45
3
Could be; perhaps I didn't trace it all the way. But it works without problems for me; I'd welcome your guidance.
2007-5-27 16:51
4
But it really is this simple....
2007-5-27 17:40
5
I just took another look and found some things I overlooked. The analysis above only gets past WinHex's registration check, and only for the personal edition, with no updates.
Here's another key I pieced together

// WinHex license file

Name: "kid"
Addr1: "kid"
Addr2: "kid"
Key1: AB2DFF83E6B3901CD8ED43C0548F3412
Key2: 46C4FF83E6B3901CD8ED43E2D7DFC60B
Chksm: 7A


After registering it's the Professional edition, updatable until 2011-12-31. Changing character 27 of key1 to 8 seems to give the Professional edition; I'll look into exactly how the date and edition are distinguished another day

Note: this only gets past WinHex's registration check; it still errors when working with large files. So indeed, it's not simple ==
2007-5-27 17:50
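The XOR-of-words value that the opening post identifies as a DOS date (the code around 0051135B..00511437), and the 2011-12-31 update deadline that post #5 reports for its second key, can both be checked with a small decoder. The following is an added example; it is not code from either post or from WinHex, and the function names are my own. It assumes only what the disassembly states: the first and last WORD of key1 (little-endian, after the two-digits-per-byte hex decoding) are XORed, the result is passed to DosDateTimeToFileTime as DOSDate, a value >= 0x4021 takes the failure path (the JNB at 00511437), and a value >= 0x36B5 only sets BL (the SETNB at 0051142B), whose meaning the posts do not establish, so it is reported here simply as a flag.

```python
from datetime import date

# Boundaries taken from the disassembly in the opening post.
DOS_DATE_REJECT_AT = 0x4021   # CMP WORD PTR [553F00],4021 / JNB  -> failure path
DOS_DATE_FLAG_AT = 0x36B5     # CMP WORD PTR [553F00],36B5 / SETNB BL


def decode_dos_date(word):
    """Decode a 16-bit MS-DOS date the way DosDateTimeToFileTime reads it.

    Layout: bits 15-9 = years since 1980, bits 8-5 = month (1-12),
    bits 4-0 = day (1-31).  Raises ValueError for field values the calendar
    does not allow (month 0, day 0, 31 February ...), which is the class of
    input DosDateTimeToFileTime itself rejects.
    """
    word &= 0xFFFF
    year = 1980 + (word >> 9)
    month = (word >> 5) & 0x0F
    day = word & 0x1F
    try:
        return date(year, month, day)
    except ValueError as exc:
        raise ValueError(f"0x{word:04X} is not a valid DOS date: {exc}") from exc


def key1_date_word(key1_hex):
    """XOR of the first and last WORD of key1 as WinHex stores it in memory.

    The 32 hex digits become 16 bytes (two digits per byte, as the routine at
    0053D9E4 does); the WORDs at byte offsets 0 and 14 are read little-endian,
    mirroring MOV AX,WORD PTR [00553CE7] / [00553CF5] in the listing above.
    """
    raw = bytes.fromhex(key1_hex.strip())
    if len(raw) != 16:
        raise ValueError("key1 must be exactly 32 hex digits")
    first = int.from_bytes(raw[0:2], "little")
    last = int.from_bytes(raw[14:16], "little")
    return first ^ last


def classify_date_word(word):
    """Return (accepted, flag).

    accepted mirrors the JNB at 00511437 (word < 0x4021 passes);
    flag mirrors the SETNB BL at 0051142B (word >= 0x36B5 sets BL).
    """
    return (word < DOS_DATE_REJECT_AT, word >= DOS_DATE_FLAG_AT)


def describe_key1(key1_hex):
    """Summarise what the date check sees for one key1 value."""
    word = key1_date_word(key1_hex)
    accepted, flag = classify_date_word(word)
    try:
        when = decode_dos_date(word).isoformat()
    except ValueError:
        when = "invalid date"
    return {"word": word, "date": when, "accepted": accepted, "flag": flag}


if __name__ == "__main__":
    print("reject threshold 0x4021 =", decode_dos_date(DOS_DATE_REJECT_AT))
    print("flag threshold   0x36B5 =", decode_dos_date(DOS_DATE_FLAG_AT))
    # The two key1 values posted in this thread (opening post and post #5).
    for k in ("1111FF83E6B3901CD8ED43C0544F0E18",
              "AB2DFF83E6B3901CD8ED43C0548F3412"):
        print(k, describe_key1(k))
```

Run stand-alone, it prints both thresholds and the decoded date for the two keys on this page. The rejection threshold 0x4021 decodes to 2012-01-01 and the flag threshold 0x36B5 to 2007-05-21, a few days before this thread was posted; the key from post #5 yields 0x2DAB ^ 0x1234 = 0x3F9F, which decodes to 2011-12-31, exactly the update deadline that post reports, while the opening post's key yields 0x091F (1984-08-31), below the flag threshold, which fits post #5's remark that that key gives no updates.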
6
The algorithm isn't complex... the crux is that you need a real key to write a genuine keygen
2007-5-27 17:57
7
I really did underestimate it == I too felt WinHex's registration algorithm shouldn't be that simple....
The analysis above can handle the check WinHex does at startup, but when actually saving a file larger than 200kb, WinHex checks user.txt again. This time it feeds in the Name and other fields and runs round after round of computation with the key. At the end it compares and, on mismatch, pops up "Invalid file: user.txt. Do not proceed."

00505CA7  MOVZX EAX,SI
00505CAA  ADD EAX,DWORD PTR DS:[5439AC]            ;  WinHex.005052D8
00505CB0  DEC EAX
00505CB1  MOV AL,BYTE PTR DS:[EAX]
00505CB3  CMP AL,BYTE PTR DS:[5439D0]
00505CB9  JNZ SHORT WinHex.00505CD8


But if you NOP out the one at 00505CB, it's ok and large files can be saved.
Exactly which hash and encryption algorithms are used, and how they're actually processed, I haven't worked out yet
2007-5-27 20:56
8
There's a hidden check, heh
2007-5-27 22:06
9
WinHex really isn't simple
2007-5-27 22:18
10
Indeed, indeed.. just had a look.. almost got fooled... boss at #2, I was wrong..
2007-5-27 22:24
11
After activating with the keygen floating around online, opening a large file sometimes prompts you to activate again before you can continue.. strange.
2007-5-28 00:39
12
More and more gurus around~~
2007-5-28 01:39
13
Hi Kiddik! I think you are halfway along the right way. I am stuck on this target. When I first reversed this target, I also got the same result as you, and I thought that it was very strange. And then I found this code, which executes the real check:

Here is my analysis on version WinHex 13.9 SR1:

004D0E2C  /$  55              PUSH EBP                                      ;  <== Check on save file
004D0E2D  |.  8BEC            MOV EBP,ESP
004D0E2F  |.  50              PUSH EAX
004D0E30  |.  B8 50000000     MOV EAX,50
004D0E35  |>  81C4 04F0FFFF   /ADD ESP,-0FFC
004D0E3B  |.  50              |PUSH EAX
004D0E3C  |.  48              |DEC EAX
004D0E3D  |.^ 75 F6           \JNZ SHORT WinHex.004D0E35
004D0E3F  |.  8B45 FC         MOV EAX,[LOCAL.1]
004D0E42  |.  81C4 C8FEFFFF   ADD ESP,-138
004D0E48  |.  53              PUSH EBX
004D0E49  |.  56              PUSH ESI
004D0E4A  |.  57              PUSH EDI
004D0E4B  |.  884D FB         MOV BYTE PTR SS:[EBP-5],CL
004D0E4E  |.  8955 FC         MOV [LOCAL.1],EDX
004D0E51  |.  8BD8            MOV EBX,EAX
004D0E53  |.  8B75 08         MOV ESI,[ARG.1]
004D0E56  |.  80BB 38010000 0>CMP BYTE PTR DS:[EBX+138],3
004D0E5D  |.  0F85 BA000000   JNZ WinHex.004D0F1D
004D0E63  |.  83BB 3C010000 0>CMP DWORD PTR DS:[EBX+13C],0
004D0E6A  |.  75 24           JNZ SHORT WinHex.004D0E90
004D0E6C  |.  85F6            TEST ESI,ESI
004D0E6E  |.  75 0E           JNZ SHORT WinHex.004D0E7E
004D0E70  |.  66:8B83 3201000>MOV AX,WORD PTR DS:[EBX+132]
004D0E77  |.  E8 E8920400     CALL WinHex.0051A164
004D0E7C  |.  8BF0            MOV ESI,EAX
004D0E7E  |>  8A4D FB         MOV CL,BYTE PTR SS:[EBP-5]
004D0E81  |.  8B55 FC         MOV EDX,[LOCAL.1]
004D0E84  |.  8BC6            MOV EAX,ESI
004D0E86  |.  E8 B1B40000     CALL WinHex.004DC33C
004D0E8B  |.  8845 FA         MOV BYTE PTR SS:[EBP-6],AL
004D0E8E  |.  EB 74           JMP SHORT WinHex.004D0F04
004D0E90  |>  8B45 FC         MOV EAX,[LOCAL.1]
004D0E93  |.  E8 8C220400     CALL WinHex.00513124
004D0E98  |.  8945 F4         MOV [LOCAL.3],EAX
004D0E9B  |.  837D F4 FF      CMP [LOCAL.3],-1
004D0E9F  |.  75 15           JNZ SHORT WinHex.004D0EB6
004D0EA1  |.  8B55 FC         MOV EDX,[LOCAL.1]
004D0EA4  |.  66:B8 0300      MOV AX,3
004D0EA8  |.  E8 370F0400     CALL <WinHex.@Comobj@DispatchInvokeError$qqri>
004D0EAD  |.  C645 FA 02      MOV BYTE PTR SS:[EBP-6],2
004D0EB1  |.  E9 9F040000     JMP WinHex.004D1355
004D0EB6  |>  DF6B 18         FILD QWORD PTR DS:[EBX+18]
004D0EB9  |.  83C4 F8         ADD ESP,-8                                    ; /
004D0EBC  |.  DF3C24          FISTP QWORD PTR SS:[ESP]                      ; |Arg1 (8-byte)
004D0EBF  |.  9B              WAIT                                          ; |
004D0EC0  |.  E8 5F470400     CALL WinHex.00515624                          ; \WinHex.00515624
004D0EC5  |.  50              PUSH EAX                                      ; /DataSize
004D0EC6  |.  8B83 3C010000   MOV EAX,DWORD PTR DS:[EBX+13C]                ; |
004D0ECC  |.  50              PUSH EAX                                      ; |Data
004D0ECD  |.  8B45 F4         MOV EAX,[LOCAL.3]                             ; |
004D0ED0  |.  50              PUSH EAX                                      ; |hFile
004D0ED1  |.  E8 9A5AF3FF     CALL <WinHex._hwrite>                         ; \_hwrite
004D0ED6  |.  99              CDQ
004D0ED7  |.  3B53 1C         CMP EDX,DWORD PTR DS:[EBX+1C]
004D0EDA  |.  75 07           JNZ SHORT WinHex.004D0EE3
004D0EDC  |.  3B43 18         CMP EAX,DWORD PTR DS:[EBX+18]
004D0EDF  |.  73 16           JNB SHORT WinHex.004D0EF7
004D0EE1  |.  EB 02           JMP SHORT WinHex.004D0EE5
004D0EE3  |>  7D 12           JGE SHORT WinHex.004D0EF7
004D0EE5  |>  8B55 FC         MOV EDX,[LOCAL.1]
004D0EE8  |.  66:B8 0500      MOV AX,5
004D0EEC  |.  E8 F30E0400     CALL <WinHex.@Comobj@DispatchInvokeError$qqri>
004D0EF1  |.  C645 FA 03      MOV BYTE PTR SS:[EBP-6],3
004D0EF5  |.  EB 04           JMP SHORT WinHex.004D0EFB
004D0EF7  |>  C645 FA 00      MOV BYTE PTR SS:[EBP-6],0
004D0EFB  |>  8B45 F4         MOV EAX,[LOCAL.3]
004D0EFE  |.  50              PUSH EAX                                      ; /hObject
004D0EFF  |.  E8 FC55F3FF     CALL <WinHex.CloseHandle_0>                   ; \CloseHandle
004D0F04  |>  834B 40 20      OR DWORD PTR DS:[EBX+40],20
004D0F08  |.  8B53 40         MOV EDX,DWORD PTR DS:[EBX+40]
004D0F0B  |.  83CA 20         OR EDX,20
004D0F0E  |.  A1 F4175400     MOV EAX,DWORD PTR DS:[5417F4]
004D0F13  |.  E8 94AD0600     CALL WinHex.0053BCAC
004D0F18  |.  E9 38040000     JMP WinHex.004D1355
004D0F1D  |>  C645 D7 00      MOV BYTE PTR SS:[EBP-29],0
004D0F21  |.  837B 44 00      CMP DWORD PTR DS:[EBX+44],0
004D0F25  |.  75 0D           JNZ SHORT WinHex.004D0F34
004D0F27  |.  83BB A8000000 0>CMP DWORD PTR DS:[EBX+A8],0
004D0F2E  |.  0F84 16030000   JE WinHex.004D124A
004D0F34  |>  C645 FA 01      MOV BYTE PTR SS:[EBP-6],1
004D0F38  |.  8BC3            MOV EAX,EBX
004D0F3A  |.  8B90 5C020000   MOV EDX,DWORD PTR DS:[EAX+25C]
004D0F40  |.  FF52 10         CALL DWORD PTR DS:[EDX+10]
004D0F43  |.  84C0            TEST AL,AL
004D0F45  |.  0F84 0A040000   JE WinHex.004D1355
004D0F4B  |.  8B45 FC         MOV EAX,[LOCAL.1]
004D0F4E  |.  E8 D1210400     CALL WinHex.00513124
004D0F53  |.  8945 F4         MOV [LOCAL.3],EAX
004D0F56  |.  837D F4 FF      CMP [LOCAL.3],-1
004D0F5A  |.  75 2D           JNZ SHORT WinHex.004D0F89
004D0F5C  |.  E8 3F57F3FF     CALL <WinHex.GetLastError_0>                  ; [GetLastError
004D0F61  |.  8D95 D0FEFFFF   LEA EDX,[LOCAL.76]
004D0F67  |.  E8 FC2C0400     CALL WinHex.00513C68
004D0F6C  |.  6A 00           PUSH 0                                        ; /Arg1 = 00000000
004D0F6E  |.  8D8D D0FEFFFF   LEA ECX,[LOCAL.76]                            ; |
004D0F74  |.  8B55 FC         MOV EDX,[LOCAL.1]                             ; |
004D0F77  |.  66:B8 0300      MOV AX,3                                      ; |
004D0F7B  |.  E8 B40E0400     CALL WinHex.00511E34                          ; \WinHex.00511E34
004D0F80  |.  C645 FA 02      MOV BYTE PTR SS:[EBP-6],2
004D0F84  |.  E9 CC030000     JMP WinHex.004D1355
004D0F89  |>  807D FB 00      CMP BYTE PTR SS:[EBP-5],0
004D0F8D  |.  74 21           JE SHORT WinHex.004D0FB0
004D0F8F  |.  66:B8 2100      MOV AX,21
004D0F93  |.  E8 04DB0300     CALL WinHex.0050EA9C
004D0F98  |.  8BD0            MOV EDX,EAX
004D0F9A  |.  A1 FC215400     MOV EAX,DWORD PTR DS:[5421FC]
004D0F9F  |.  E8 188C0600     CALL WinHex.00539BBC
004D0FA4  |.  A1 FC215400     MOV EAX,DWORD PTR DS:[5421FC]
004D0FA9  |.  33D2            XOR EDX,EDX
004D0FAB  |.  E8 F41B0400     CALL WinHex.00512BA4
004D0FB0  |>  8B43 18         MOV EAX,DWORD PTR DS:[EBX+18]
004D0FB3  |.  8B53 1C         MOV EDX,DWORD PTR DS:[EBX+1C]
004D0FB6  |.  83E8 01         SUB EAX,1
004D0FB9  |.  83DA 00         SBB EDX,0
004D0FBC  |.  8985 C8FEFAFF   MOV [LOCAL.81998],EAX
004D0FC2  |.  8995 CCFEFAFF   MOV [LOCAL.81997],EDX
004D0FC8  |.  DFAD C8FEFAFF   FILD QWORD PTR SS:[EBP+FFFAFEC8]
004D0FCE  |.  D835 64134D00   FDIV DWORD PTR DS:[4D1364]
004D0FD4  |.  E8 0B1AF3FF     CALL <WinHex.@System@@TRUNC$qqrv>
004D0FD9  |.  40              INC EAX
004D0FDA  |.  8945 D8         MOV [LOCAL.10],EAX
004D0FDD  |.  33C0            XOR EAX,EAX
004D0FDF  |.  8945 E8         MOV [LOCAL.6],EAX
004D0FE2  |.  8945 EC         MOV [LOCAL.5],EAX
004D0FE5  |.  33C0            XOR EAX,EAX
004D0FE7  |.  8945 E0         MOV [LOCAL.8],EAX
004D0FEA  |.  8945 E4         MOV [LOCAL.7],EAX
004D0FED  |.  8B45 D8         MOV EAX,[LOCAL.10]
004D0FF0  |.  85C0            TEST EAX,EAX
004D0FF2  |.  0F8E C7010000   JLE WinHex.004D11BF
004D0FF8  |.  8945 D0         MOV [LOCAL.12],EAX
004D0FFB  |.  C745 DC 0100000>MOV [LOCAL.9],1
004D1002  |>  8B45 DC         /MOV EAX,[LOCAL.9]
004D1005  |.  3B45 D8         |CMP EAX,[LOCAL.10]
004D1008  |.  7D 07           |JGE SHORT WinHex.004D1011
004D100A  |.  BE 00000500     |MOV ESI,50000
004D100F  |.  EB 34           |JMP SHORT WinHex.004D1045
004D1011  |>  8B43 18         |MOV EAX,DWORD PTR DS:[EBX+18]
004D1014  |.  8B53 1C         |MOV EDX,DWORD PTR DS:[EBX+1C]
004D1017  |.  83E8 01         |SUB EAX,1
004D101A  |.  83DA 00         |SBB EDX,0
004D101D  |.  8985 C8FEFAFF   |MOV [LOCAL.81998],EAX
004D1023  |.  8995 CCFEFAFF   |MOV [LOCAL.81997],EDX
004D1029  |.  DFAD C8FEFAFF   |FILD QWORD PTR SS:[EBP+FFFAFEC8]
004D102F  |.  83C4 F8         |ADD ESP,-8                                   ; /
004D1032  |.  DF3C24          |FISTP QWORD PTR SS:[ESP]                     ; |Arg3 (8-byte)
004D1035  |.  9B              |WAIT                                         ; |
004D1036  |.  6A 00           |PUSH 0                                       ; |Arg2 = 00000000
004D1038  |.  68 00000500     |PUSH 50000                                   ; |Arg1 = 00050000
004D103D  |.  E8 0E470400     |CALL WinHex.00515750                         ; \WinHex.00515750
004D1042  |.  8BF0            |MOV ESI,EAX
004D1044  |.  46              |INC ESI
004D1045  |>  56              |PUSH ESI
004D1046  |.  8D8D D0FEFAFF   |LEA ECX,[LOCAL.81996]
004D104C  |.  8D55 E8         |LEA EDX,[LOCAL.6]
004D104F  |.  8BC3            |MOV EAX,EBX
004D1051  |.  8BB8 5C020000   |MOV EDI,DWORD PTR DS:[EAX+25C]
004D1057  |.  FF57 18         |CALL DWORD PTR DS:[EDI+18]
004D105A  |.  3BF0            |CMP ESI,EAX
004D105C  |.  7E 11           |JLE SHORT WinHex.004D106F
004D105E  |.  8B53 0C         |MOV EDX,DWORD PTR DS:[EBX+C]
004D1061  |.  66:B8 0200      |MOV AX,2
004D1065  |.  E8 4E0D0400     |CALL WinHex.00511DB8
004D106A  |.  E9 50010000     |JMP WinHex.004D11BF
004D106F  |>  A1 D8205400     |MOV EAX,DWORD PTR DS:[5420D8]
004D1074  |.  8038 00         |CMP BYTE PTR DS:[EAX],0
004D1077  |.  0F85 83000000   |JNZ WinHex.004D1100
004D107D  |.  89B5 C4FEFAFF   |MOV [LOCAL.81999],ESI
004D1083  |.  DB85 C4FEFAFF   |FILD [LOCAL.81999]
004D1089  |.  DF6D E0         |FILD QWORD PTR SS:[EBP-20]
004D108C  |.  DEC1            |FADDP ST(1),ST(0)
004D108E  |.  D81D 68134D00   |FCOMP DWORD PTR DS:[4D1368]
004D1094  |.  DFE0            |FSTSW AX
004D1096  |.  9E              |SAHF
004D1097  |.  76 67           |JBE SHORT WinHex.004D1100
004D1099  |.  D905 68134D00   |FLD DWORD PTR DS:[4D1368]
004D109F  |.  DF6D E0         |FILD QWORD PTR SS:[EBP-20]
004D10A2  |.  DEE9            |FSUBP ST(1),ST(0)
004D10A4  |.  83C4 F8         |ADD ESP,-8                                   ; /
004D10A7  |.  DF3C24          |FISTP QWORD PTR SS:[ESP]                     ; |Arg1 (8-byte)
004D10AA  |.  9B              |WAIT                                         ; |
004D10AB  |.  E8 74450400     |CALL WinHex.00515624                         ; \WinHex.00515624
004D10B0  |.  8BF0            |MOV ESI,EAX
004D10B2  |.  C645 D7 01      |MOV BYTE PTR SS:[EBP-29],1
004D10B6  |.  8B43 0C         |MOV EAX,DWORD PTR DS:[EBX+C]
004D10B9  |.  E8 E6390400     |CALL WinHex.00514AA4
004D10BE  |.  50              |PUSH EAX
004D10BF  |.  66:B8 0304      |MOV AX,403
004D10C3  |.  E8 D4D90300     |CALL WinHex.0050EA9C
004D10C8  |.  5A              |POP EDX
004D10C9  |.  E8 3A2A0400     |CALL WinHex.00513B08
004D10CE  |.  6A 00           |PUSH 0                                       ; /Arg2 = 00000000
004D10D0  |.  68 C8000000     |PUSH 0C8                                     ; |Arg1 = 000000C8
004D10D5  |.  A1 A8235400     |MOV EAX,DWORD PTR DS:[5423A8]                ; |
004D10DA  |.  E8 F1280400     |CALL WinHex.005139D0                         ; \WinHex.005139D0
004D10DF  |.  66:B8 4F00      |MOV AX,4F
004D10E3  |.  E8 B4D90300     |CALL WinHex.0050EA9C
004D10E8  |.  8BD0            |MOV EDX,EAX
004D10EA  |.  A1 A8235400     |MOV EAX,DWORD PTR DS:[5423A8]
004D10EF  |.  E8 78900600     |CALL WinHex.0053A16C
004D10F4  |.  A1 A8235400     |MOV EAX,DWORD PTR DS:[5423A8]
004D10F9  |.  33D2            |XOR EDX,EDX
004D10FB  |.  E8 C8050400     |CALL WinHex.005116C8
004D1100  |>  56              |PUSH ESI                                     ; /DataSize
004D1101  |.  8D85 D0FEFAFF   |LEA EAX,[LOCAL.81996]                        ; |
004D1107  |.  50              |PUSH EAX                                     ; |Data
004D1108  |.  8B45 F4         |MOV EAX,[LOCAL.3]                            ; |
004D110B  |.  50              |PUSH EAX                                     ; |hFile
004D110C  |.  E8 5F58F3FF     |CALL <WinHex._hwrite>                        ; \_hwrite
004D1111  |.  8985 C4FEFAFF   |MOV [LOCAL.81999],EAX
004D1117  |.  DB85 C4FEFAFF   |FILD [LOCAL.81999]
004D111D  |.  DF6D E0         |FILD QWORD PTR SS:[EBP-20]
004D1120  |.  DEC1            |FADDP ST(1),ST(0)
004D1122  |.  DF7D E0         |FISTP QWORD PTR SS:[EBP-20]
004D1125  |.  9B              |WAIT
004D1126  |.  3BF0            |CMP ESI,EAX
004D1128  |.  7E 15           |JLE SHORT WinHex.004D113F
004D112A  |.  8B55 FC         |MOV EDX,[LOCAL.1]
004D112D  |.  66:B8 0500      |MOV AX,5
004D1131  |.  E8 AE0C0400     |CALL <WinHex.@Comobj@DispatchInvokeError$qqr>
004D1136  |.  C645 FA 03      |MOV BYTE PTR SS:[EBP-6],3
004D113A  |.  E9 80000000     |JMP WinHex.004D11BF
004D113F  |>  3BF0            |CMP ESI,EAX
004D1141  |.  75 08           |JNZ SHORT WinHex.004D114B
004D1143  |.  8B45 DC         |MOV EAX,[LOCAL.9]
004D1146  |.  3B45 D8         |CMP EAX,[LOCAL.10]
004D1149  |.  74 06           |JE SHORT WinHex.004D1151
004D114B  |>  807D D7 00      |CMP BYTE PTR SS:[EBP-29],0
004D114F  |.  74 04           |JE SHORT WinHex.004D1155
004D1151  |>  C645 FA 00      |MOV BYTE PTR SS:[EBP-6],0
004D1155  |>  E8 F2260400     |CALL WinHex.0051384C
004D115A  |.  A1 28235400     |MOV EAX,DWORD PTR DS:[542328]
004D115F  |.  8038 00         |CMP BYTE PTR DS:[EAX],0
004D1162  |.  75 5B           |JNZ SHORT WinHex.004D11BF
004D1164  |.  807D D7 00      |CMP BYTE PTR SS:[EBP-29],0
004D1168  |.  75 55           |JNZ SHORT WinHex.004D11BF
004D116A  |.  807D FB 00      |CMP BYTE PTR SS:[EBP-5],0
004D116E  |.  74 18           |JE SHORT WinHex.004D1188
004D1170  |.  DB45 DC         |FILD [LOCAL.9]
004D1173  |.  DB45 D8         |FILD [LOCAL.10]
004D1176  |.  DEF9            |FDIVP ST(1),ST(0)
004D1178  |.  D80D 6C134D00   |FMUL DWORD PTR DS:[4D136C]
004D117E  |.  E8 5518F3FF     |CALL <WinHex.@System@@ROUND$qqrv>
004D1183  |.  E8 90B00500     |CALL WinHex.0052C218
004D1188  |>  807D 0C 00      |CMP BYTE PTR SS:[EBP+C],0
004D118C  |.  74 25           |JE SHORT WinHex.004D11B3
004D118E  |.  A1 C41C5400     |MOV EAX,DWORD PTR DS:[541CC4]
004D1193  |.  DF28            |FILD QWORD PTR DS:[EAX]
004D1195  |.  DF6D E0         |FILD QWORD PTR SS:[EBP-20]
004D1198  |.  DEC1            |FADDP ST(1),ST(0)
004D119A  |.  D80D 6C134D00   |FMUL DWORD PTR DS:[4D136C]
004D11A0  |.  A1 50175400     |MOV EAX,DWORD PTR DS:[541750]
004D11A5  |.  DF28            |FILD QWORD PTR DS:[EAX]
004D11A7  |.  DEF9            |FDIVP ST(1),ST(0)
004D11A9  |.  E8 2A18F3FF     |CALL <WinHex.@System@@ROUND$qqrv>
004D11AE  |.  E8 65B00500     |CALL WinHex.0052C218
004D11B3  |>  FF45 DC         |INC [LOCAL.9]
004D11B6  |.  FF4D D0         |DEC [LOCAL.12]
004D11B9  |.^ 0F85 43FEFFFF   \JNZ WinHex.004D1002
004D11BF  |>  8B45 F4         MOV EAX,[LOCAL.3]
004D11C2  |.  50              PUSH EAX                                      ; /hObject
004D11C3  |.  E8 3853F3FF     CALL <WinHex.CloseHandle_0>                   ; \CloseHandle
004D11C8  |.  8BC3            MOV EAX,EBX
004D11CA  |.  8B90 5C020000   MOV EDX,DWORD PTR DS:[EAX+25C]
004D11D0  |.  FF52 14         CALL DWORD PTR DS:[EDX+14]
004D11D3  |.  837B 1C 00      CMP DWORD PTR DS:[EBX+1C],0
004D11D7  |.  75 08           JNZ SHORT WinHex.004D11E1
004D11D9  |.  837B 18 00      CMP DWORD PTR DS:[EBX+18],0
004D11DD  |.  76 1A           JBE SHORT WinHex.004D11F9
004D11DF  |.  EB 02           JMP SHORT WinHex.004D11E3
004D11E1  |>  7E 16           JLE SHORT WinHex.004D11F9
004D11E3  |>  DF6D E0         FILD QWORD PTR SS:[EBP-20]
004D11E6  |.  D81D 70134D00   FCOMP DWORD PTR DS:[4D1370]
004D11EC  |.  DFE0            FSTSW AX
004D11EE  |.  9E              SAHF
004D11EF  |.  75 08           JNZ SHORT WinHex.004D11F9
004D11F1  |.  8B45 FC         MOV EAX,[LOCAL.1]
004D11F4  |.  E8 3BAF0600     CALL WinHex.0053C134
004D11F9  |>  807D FB 00      CMP BYTE PTR SS:[EBP-5],0
004D11FD  |.  74 05           JE SHORT WinHex.004D1204
004D11FF  |.  E8 2C1D0400     CALL WinHex.00512F30
004D1204  |>  807D FA 00      CMP BYTE PTR SS:[EBP-6],0
004D1208  |.  0F85 47010000   JNZ WinHex.004D1355
004D120E  |.  807D FB 02      CMP BYTE PTR SS:[EBP-5],2
004D1212  |.  0F85 3D010000   JNZ WinHex.004D1355
004D1218  |.  8D83 B8000000   LEA EAX,DWORD PTR DS:[EBX+B8]
004D121E  |.  E8 0DA60600     CALL WinHex.0053B830
004D1223  |.  33C0            XOR EAX,EAX
004D1225  |.  8983 B8000000   MOV DWORD PTR DS:[EBX+B8],EAX
004D122B  |.  33C0            XOR EAX,EAX
004D122D  |.  8943 44         MOV DWORD PTR DS:[EBX+44],EAX
004D1230  |.  33C0            XOR EAX,EAX
004D1232  |.  8983 A8000000   MOV DWORD PTR DS:[EBX+A8],EAX
004D1238  |.  8D43 4C         LEA EAX,DWORD PTR DS:[EBX+4C]
004D123B  |.  BA 5C000000     MOV EDX,5C
004D1240  |.  E8 475FF3FF     CALL <WinHex._System@@Fillchar>
004D1245  |.  E9 0B010000     JMP WinHex.004D1355
004D124A  |>  C645 FA 04      MOV BYTE PTR SS:[EBP-6],4
004D124E  |.  8B43 10         MOV EAX,DWORD PTR DS:[EBX+10]
004D1251  |.  8B55 FC         MOV EDX,[LOCAL.1]
004D1254  |.  E8 0BA70600     CALL WinHex.0053B964
004D1259  |.  85C0            TEST EAX,EAX
004D125B  |.  74 16           JE SHORT WinHex.004D1273
004D125D  |.  8B43 10         MOV EAX,DWORD PTR DS:[EBX+10]
004D1260  |.  8A4D FB         MOV CL,BYTE PTR SS:[EBP-5]
004D1263  |.  8B55 FC         MOV EDX,[LOCAL.1]
004D1266  |.  E8 D1B00000     CALL WinHex.004DC33C
004D126B  |.  84C0            TEST AL,AL
004D126D  |.  0F85 E2000000   JNZ WinHex.004D1355
004D1273  |>  80BB 45010000 0>CMP BYTE PTR DS:[EBX+145],0
004D127A  |.  0F84 A8000000   JE WinHex.004D1328
004D1280  |.  E8 BB390300     CALL WinHex.00504C40                          ;  <== Trace into
2007-6-4 23:19
14
Trace into at 004D1280:

00504C40  /$  53              PUSH EBX
00504C41  |.  56              PUSH ESI
00504C42  |.  57              PUSH EDI
00504C43  |.  81C4 04F0FFFF   ADD ESP,-0FFC
00504C49  |.  50              PUSH EAX
00504C4A  |.  83C4 B4         ADD ESP,-4C
00504C4D  |.  33DB            XOR EBX,EBX
00504C4F  |.  803D C0675400 0>CMP BYTE PTR DS:[5467C0],0                    ;  <== Note ***
00504C56  |.  74 07           JE SHORT WinHex.00504C5F
00504C58  |.  B3 01           MOV BL,1
00504C5A  |.  E9 8C010000     JMP WinHex.00504DEB
00504C5F  |>  68 027F0000     PUSH 7F02                                     ; /RsrcName = IDC_WAIT
00504C64  |.  6A 00           PUSH 0                                        ; |hInst = NULL
00504C66  |.  E8 DD22F0FF     CALL <WinHex.LoadCursorA>                     ; \LoadCursorA
00504C6B  |.  50              PUSH EAX                                      ; /hCursor
00504C6C  |.  E8 E723F0FF     CALL <WinHex.SetCursor>                       ; \SetCursor
00504C71  |.  6A 1C           PUSH 1C                                       ; /BufSize = 1C (28.)
00504C73  |.  8D4424 10       LEA EAX,DWORD PTR SS:[ESP+10]                 ; |
00504C77  |.  50              PUSH EAX                                      ; |Buffer
00504C78  |.  68 00004000     PUSH WinHex.00400000                          ; |Address = WinHex.00400000
00504C7D  |.  E8 AE1CF0FF     CALL <WinHex.VirtualQuery>                    ; \VirtualQuery
00504C82  |.  54              PUSH ESP                                      ; /pOldProtect
00504C83  |.  6A 40           PUSH 40                                       ; |NewProtect = PAGE_EXECUTE_READWRITE
00504C85  |.  8B4424 20       MOV EAX,DWORD PTR SS:[ESP+20]                 ; |
00504C89  |.  50              PUSH EAX                                      ; |Size
00504C8A  |.  8B4424 18       MOV EAX,DWORD PTR SS:[ESP+18]                 ; |
00504C8E  |.  50              PUSH EAX                                      ; |Address
00504C8F  |.  E8 8C1CF0FF     CALL <WinHex.VirtualProtect>                  ; \VirtualProtect
00504C94  |.  85C0            TEST EAX,EAX
00504C96  |.  0F84 28010000   JE WinHex.00504DC4
00504C9C  |.  E8 5BFEFFFF     CALL WinHex.00504AFC              ;  <== Trace into
00504CA1  |.  66:BE 3807      MOV SI,738
00504CA5  |.  0FB7CE          MOVZX ECX,SI                                  ;  <== ECX = 0x738
00504CA8  |.  8D4424 48       LEA EAX,DWORD PTR SS:[ESP+48]
00504CAC  |.  8B15 D00A5400   MOV EDX,DWORD PTR DS:[540AD0]                 ;  WinHex.005043C4
00504CB2  |.  E8 01E40000     CALL <WinHex._System@@Move>
00504CB7  |.  8D4424 28       LEA EAX,DWORD PTR SS:[ESP+28]
00504CBB  |.  BA 20000000     MOV EDX,20
00504CC0  |.  E8 C724F0FF     CALL <WinHex._System@@Fillchar>
00504CC5  |.  BA C4675400     MOV EDX,WinHex.005467C4
00504CCA  |.  8D4424 28       LEA EAX,DWORD PTR SS:[ESP+28]
00504CCE  |.  B9 10000000     MOV ECX,10
00504CD3  |.  E8 E0E30000     CALL <WinHex._System@@Move>
2007-6-4 23:24
15
Now trace into 00504C9C :

00504AFC  /$  53              PUSH EBX
00504AFD  |.  83C4 88         ADD ESP,-78
00504B00  |.  8D4424 60       LEA EAX,DWORD PTR SS:[ESP+60]
00504B04  |.  B2 09           MOV DL,9
00504B06  |.  E8 5974F0FF     CALL <WinHex._@@Sha256_Init>                  ;  <== Sha256_Init
00504B0B  |.  8B15 78225400   MOV EDX,DWORD PTR DS:[542278]                 ;  <== EDX --> (szName + ... + szAddr1 + ... + szAddr2)
00504B11  |.  8D4424 60       LEA EAX,DWORD PTR SS:[ESP+60]
00504B15  |.  B9 CB000000     MOV ECX,0CB                                   ;  <== ECX = 0xCB = length of (szName + ... + szAddr1 + ... + szAddr2)
00504B1A  |.  E8 9575F0FF     CALL <WinHex._@@SHA256_Update>                ;  <== SHA256_Update()
00504B1F  |.  8D5424 20       LEA EDX,DWORD PTR SS:[ESP+20]
00504B23  |.  8D4424 60       LEA EAX,DWORD PTR SS:[ESP+60]
00504B27  |.  E8 0C77F0FF     CALL <WinHex._@@SHA256_Finish>                ;  <== SHA256_Finish()
00504B2C  |.  BA D40A5400     MOV EDX,WinHex.00540AD4                       ;  ASCII 02,"æõ"
00504B31  |.  8BC4            MOV EAX,ESP
00504B33  |.  B9 20000000     MOV ECX,20
00504B38  |.  E8 7BE50000     CALL <WinHex._System@@Move>                   ;  <== Mov DefString
00504B3D  |.  54              PUSH ESP                                      ; /Arg4
00504B3E  |.  6A 00           PUSH 0                                        ; |Arg3 = 00000000
00504B40  |.  6A 00           PUSH 0                                        ; |Arg2 = 00000000
00504B42  |.  6A 00           PUSH 0                                        ; |Arg1 = 00000000
00504B44  |.  B1 01           MOV CL,1                                      ; |
00504B46  |.  8B15 E88F5300   MOV EDX,DWORD PTR DS:[538FE8]                 ; |WinHex.00538FF4
00504B4C  |.  33C0            XOR EAX,EAX                                   ; |
00504B4E  |.  E8 E9450300     CALL WinHex.0053913C                          ; \<== Call to SHA256(DefString)
00504B53  |.  8BD8            MOV EBX,EAX
00504B55  |.  6A 00           PUSH 0                                        ; /Arg3 = 00000000
00504B57  |.  6A 00           PUSH 0                                        ; |Arg2 = 00000000
00504B59  |.  6A 00           PUSH 0                                        ; |Arg1 = 00000000
00504B5B  |.  8D5424 2C       LEA EDX,DWORD PTR SS:[ESP+2C]                 ; |
00504B5F  |.  B9 20000000     MOV ECX,20                                    ; |
00504B64  |.  8BC3            MOV EAX,EBX                                   ; |
00504B66  |.  E8 2D4A0300     CALL WinHex.00539598                          ; \<== Rijndael
00504B6B  |.  BA 42010000     MOV EDX,142
00504B70  |.  8BC3            MOV EAX,EBX
00504B72  |.  E8 21DBEFFF     CALL <WinHex.@System@@FreeMem$qqrpv>
00504B77  |.  8BC4            MOV EAX,ESP
00504B79  |.  BA 20000000     MOV EDX,20
00504B7E  |.  E8 0926F0FF     CALL <WinHex._System@@Fillchar>               ;  <== Call to FillChar()
00504B83  |.  8D4424 60       LEA EAX,DWORD PTR SS:[ESP+60]
00504B87  |.  B2 09           MOV DL,9
00504B89  |.  E8 D673F0FF     CALL <WinHex._@@Sha256_Init>                  ;  <== Sha256_Init
00504B8E  |.  8D5424 20       LEA EDX,DWORD PTR SS:[ESP+20]
00504B92  |.  8D4424 60       LEA EAX,DWORD PTR SS:[ESP+60]
00504B96  |.  B9 20000000     MOV ECX,20
00504B9B  |.  E8 1475F0FF     CALL <WinHex._@@SHA256_Update>                ;  <== SHA256_Update()
00504BA0  |.  8B15 78225400   MOV EDX,DWORD PTR DS:[542278]                 ;  WinHex.005504F0
00504BA6  |.  81C2 CB000000   ADD EDX,0CB
00504BAC  |.  8D4424 60       LEA EAX,DWORD PTR SS:[ESP+60]
00504BB0  |.  B9 10000000     MOV ECX,10
00504BB5  |.  E8 FA74F0FF     CALL <WinHex._@@SHA256_Update>                ;  <== SHA256_Update()
00504BBA  |.  8D5424 40       LEA EDX,DWORD PTR SS:[ESP+40]
00504BBE  |.  8D4424 60       LEA EAX,DWORD PTR SS:[ESP+60]
00504BC2  |.  E8 7176F0FF     CALL <WinHex._@@SHA256_Finish>                ;  <== SHA256_Finish()
00504BC7  |.  8B15 78225400   MOV EDX,DWORD PTR DS:[542278]                 ;  WinHex.005504F0
00504BCD  |.  81C2 DB000000   ADD EDX,0DB
00504BD3  |.  B8 C4675400     MOV EAX,WinHex.005467C4
00504BD8  |.  B9 10000000     MOV ECX,10
00504BDD  |.  E8 D6E40000     CALL <WinHex._System@@Move>
00504BE2  |.  8D5424 40       LEA EDX,DWORD PTR SS:[ESP+40]
00504BE6  |.  8BC4            MOV EAX,ESP
00504BE8  |.  B9 20000000     MOV ECX,20
00504BED  |.  E8 C6E40000     CALL <WinHex._System@@Move>
00504BF2  |.  54              PUSH ESP                                      ; /Arg4
00504BF3  |.  6A 00           PUSH 0                                        ; |Arg3 = 00000000
00504BF5  |.  6A 00           PUSH 0                                        ; |Arg2 = 00000000
00504BF7  |.  6A 00           PUSH 0                                        ; |Arg1 = 00000000
00504BF9  |.  B1 01           MOV CL,1                                      ; |
00504BFB  |.  8B15 E88F5300   MOV EDX,DWORD PTR DS:[538FE8]                 ; |WinHex.00538FF4
00504C01  |.  33C0            XOR EAX,EAX                                   ; |
00504C03  |.  E8 34450300     CALL WinHex.0053913C                          ; \<== Call to SHA256()
00504C08  |.  8BD8            MOV EBX,EAX
00504C0A  |.  6A 00           PUSH 0                                        ; /Arg3 = 00000000
00504C0C  |.  6A 00           PUSH 0                                        ; |Arg2 = 00000000
00504C0E  |.  6A 00           PUSH 0                                        ; |Arg1 = 00000000
00504C10  |.  BA C4675400     MOV EDX,WinHex.005467C4                       ; |
00504C15  |.  B9 10000000     MOV ECX,10                                    ; |
00504C1A  |.  8BC3            MOV EAX,EBX                                   ; |
00504C1C  |.  E8 DB4A0300     CALL WinHex.005396FC                          ; \WinHex.005396FC
00504C21  |.  BA 42010000     MOV EDX,142
00504C26  |.  8BC3            MOV EAX,EBX
00504C28  |.  E8 6BDAEFFF     CALL <WinHex.@System@@FreeMem$qqrpv>
00504C2D  |.  8BC4            MOV EAX,ESP
00504C2F  |.  BA 20000000     MOV EDX,20
00504C34  |.  E8 5325F0FF     CALL <WinHex._System@@Fillchar>
00504C39  |.  83C4 78         ADD ESP,78
00504C3C  |.  5B              POP EBX
00504C3D  \.  C3              RET


In this call function:

00504B4E  |.  E8 E9450300     CALL WinHex.0053913C                          ; \<== Call to SHA256(DefString)

there is a function call to RijndaelKeySetup.

Hmm, this code is really very long. Right now I am very busy, so I don't have time to look at it again.

You can reach this check code by loading WinHex.exe into Olly, pressing F9 to run, then opening a file in WinHex, editing it and using the Save or Save As feature.

Crem !
2007-6-4 23:30
16
I don't understand why Z.W.T can create a keymaker for WinHex, because this program has a "private key" to decrypt the code, hmm :(.
I think this private key cannot be brute-forced. Or am I wrong?
2007-8-13 01:08
17
brute or buy:)
2007-8-13 12:33
18
ahaaaaaa.....
Crem, u r right!
2007-8-14 16:07
19
Great! Learned a lot again.
2007-8-14 23:21
20
Yeah, I think they have a legal license from their supplier group. Very expensive to make a keymaker for the next version of this software.
2007-8-17 22:23
21
Can its dongle be cracked to get the forensic analysis edition?
2007-9-10 12:18