[Old post] [Help] Its protection scheme seems very distinctive; I've cracked half of this software and can't get any further.
Posted: 2007-8-7 09:43 6675

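Target: http://download.jgsoft.com/buddy/SetupRegexBuddyDemo.exe    Version: 3.0.3
Overview: This is a regular-expression tool, the best one I have ever seen. It is a trial version, but it has no functional restrictions. Why do I say its protection scheme is distinctive? Mainly because of the time limit, which I find very distinctive. After installation, no matter whether you set the clock forward or backward, it does not expire; it only expires after it has been used for 7 days. I don't know how it manages this, and I'm quite puzzled.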

Here is what PEiD reports for the software: Borland Delphi 6.0-7.0[OverLay]

I have already removed its nag window and self-check:

NAG
006D52BA    8B00            MOV EAX,DWORD PTR DS:[EAX]
006D52BC    8B10            MOV EDX,DWORD PTR DS:[EAX]
006D52BE    90              NOP************
006D52BF    90              NOP
006D52C0    90              NOP
006D52C1    90              NOP
006D52C2    90              NOP
006D52C3    90              NOP
006D52C4    33C0            XOR EAX,EAX
006D52C6    5A              POP EDX                                  ; 0012FDE0
006D52C7    59              POP ECX
006D52C8    59              POP ECX

Self-check
00743692  |. /73 55         JNB SHORT RegexBud.007436E9
00743694  |. |E8 CBAAF9FF   CALL RegexBud.006DE164
00743699  |. |84C0          TEST AL,AL
0074369B     |EB 3A         JMP SHORT RegexBud.007436D7**********
0074369D  |. |6A 10         PUSH 10
0074369F  |. |8D55 FC       LEA EDX,DWORD PTR SS:[EBP-4]
007436A2  |. |B8 BCE26D00   MOV EAX,RegexBud.006DE2BC
007436A7  |. |E8 A846CCFF   CALL RegexBud.00407D54
007436AC  |. |8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
007436AF  |. |E8 0C25CCFF   CALL RegexBud.00405BC0

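But I don't know how to remove the 7-day time limit, which is the most crucial part of cracking this software. To begin with, I don't understand the idea behind its 7-day limit, so I feel I have nowhere to start.
Symptom: after installation, no matter whether you set the clock forward or backward, it does not expire; it only expires after 7 days of use. Once it has expired, uninstalling and reinstalling does not help; it still shows as expired.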

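I think the registration information must be written to the registry after installation; otherwise it would not still show as expired after uninstalling and reinstalling.
I also tried setting breakpoints on the registry-read APIs, but there are too many reads and I could not sort them out.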

Below is the information newly added to the registry after installing this software, which I recorded with the Regshot tool:


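But I can't figure out which key or value the time information relates to. Could an expert analyze this and give me some pointers? Thanks.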

Latest replies (12)
2
HKU\S-1-5-21-1454471165-884357618-725345543-1003\Software\JGsoft
HKU\S-1-5-21-1454471165-884357618-725345543-1003\Software\JGsoft\RegexBuddy3
These look rather suspicious.
Also HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 79 7A A6 B9 62 14 F7 30 99 17 67 43 82 F2 8B 50 4B B8 BF 71 DB 54 C7 56 12 D4 86 17 75 BD 16 7E 0C E3 F3 DF 4B D4 FE 66 D9 59 20 0A F0 65 10 EC B1 B1 2F 88 4F 18 E7 F9 62 A2 00 60 BC 72 CE 7B 04 84 A2 93 51 92 8A 2B 79 35 02 9A 31 1D 80 BD
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 9A 69 0C 26 6D 28 D0 4F FF 5A B3 6E 28 07 33 60 AC 92 4D 3C 5C 8F 5A 37 02 BB 44 8B 01 2A EE 1D 32 74 9B C1 EA 73 AC 3F 36 7C E6 AF D1 47 7C 66 B2 33 A1 A4 17 D6 26 F2 43 2B 0E 06 55 DE 28 57 3F 0E 87 28 1D A9 24 9E B5 65 B7 FA 22 4C 05 37
2007-8-7 10:25
3
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 79 7A A6 B9 62 14 F7 30 99 17 67 43 82 F2 8B 50 4B B8 BF 71 DB 54 C7 56 12 D4 86 17 75 BD 16 7E 0C E3 F3 DF 4B D4 FE 66 D9 59 20 0A F0 65 10 EC B1 B1 2F 88 4F 18 E7 F9 62 A2 00 60 BC 72 CE 7B 04 84 A2 93 51 92 8A 2B 79 35 02 9A 31 1D 80 BD
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 9A 69 0C 26 6D 28 D0 4F FF 5A B3 6E 28 07 33 60 AC 92 4D 3C 5C 8F 5A 37 02 BB 44 8B 01 2A EE 1D 32 74 9B C1 EA 73 AC 3F 36 7C E6 AF D1 47 7C 66 B2 33 A1 A4 17 D6 26 F2 43 2B 0E 06 55 DE 28 57 3F 0E 87 28 1D A9 24 9E B5 65 B7 FA 22 4C 05 37

These two should not be the issue; they are just a seed used for generating random numbers.
2007-8-7 10:46
4
Could any of the moderators spare a moment to give me some pointers?
2007-8-7 15:21
5
Bumping my own thread.
2007-8-8 08:37
6
So disappointing; so few people have replied.
2007-8-8 13:41
7
I'm not ready to give up; hoping an expert shows up.
2007-8-9 09:50
8
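A newbie's suggestion! Analyze how the registry changes after uninstalling, and how it changes again after reinstalling! Compare the three snapshots. It might help!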
2007-8-9 13:05
9
Bumping my own thread. Is nobody willing to study this software's protection method?
2007-8-9 23:14
10
The limit should be here:
\HKEY_CURRENT_USER\Software\JGsoft\RegexBuddy3\Demo\Date
\HKEY_CURRENT_USER\Software\JGsoft\RegexBuddy3\Demo\Days
\HKEY_CURRENT_USER\Software\JGsoft\RegexBuddy3\Demo\Msg

The check should be:
         mov eax, dword ptr [007511BC]
         cmp dword ptr [eax], 00000007
         jle ...
Four places in total.
2007-8-10 06:02
11
To the poster above: how did you analyze it to get this information? Could you explain in detail? I'd be very grateful.
2007-8-10 10:31
12
To the poster above: could you explain in some detail how you found these? I'd be very grateful.
2007-8-10 11:12
13
Bumping my own thread; everyone, come take a look.
2007-8-10 16:37