[Original] Algorithm analysis of a program protected by a KEY file (DES algorithm)
Posted: 2007-12-23 22:17
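【Author】: 网络断魂
【Software name】: guess for yourself
【Download】: http://***.okeyoa.cn/
【Packer】: none
【Protection】: key file (machine code + user count + DES algorithm)
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OD, PEiD, PYG cryptography toolkit
【Platform】: winxp2
【Author's note】: I am not sure whether this analysis is correct, so please don't laugh at me.
1. Software overview:
1) All prompt strings in the software are encrypted with DES (standard DES, key: windows). The key and the encrypted strings can be found in OD.
2) When applying for registration you fill in "company name" and "number of users", and a genuine-user certification file is generated. Its content is entirely a hexadecimal string (standard DES, key: officeim). The key and the encrypted string can be found by setting a breakpoint where the UID file is generated.
3) The user must obtain a KEY file named licence.id from the vendor to complete registration. Its content is entirely a hexadecimal string, and the software loads and verifies the KEY file at startup (standard DES, keys: daily for decrypting the whole file, windows for the machine-code part). The keys and the encrypted content can be found in OD.
The decrypted contents below are for reference:
Genuine-user certification file (天津市大港区民政局.uid), encryption algorithm: standard DES, key: officeim
Contents of the certification file generated when applying for registration: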
8C23A50BCB330E18EE454FEF093FB2C3F007611091AC43368D1EF313EB6960C57EEE315BF28D2604E9666992549E35E731E475E587428CAE206BFB50235BB4FACE45DC56C521E1CE83F20DF6819FCCC607698F53A00435597BAA6A616FCCEA2C5EDC49667B2744E5D029C15C57E33EDE
Key: officeim
Decryption result:
天津市大港区民政局
83
officeim_494329747
F11
F21
F31
F41
F51
F61
F71
F81
KEY file (licence.id), encryption algorithm: standard DES, key: daily
KEY contents:
5BBEC425EFEBC0E66966202C1A49FF2CD222EECEBA34B5D8E7A5E0C157E41E52E1E1CAA309B6CED3423014B64CDFEEE43AA978D11D302621965EC398909B5523A8375BFEF22B82D58AE42811B9756FCB2D525781D5D4C53907EF4926F86FBDE117EECBB03E018136D66C667A069294211C351C0205E32CBCB2434CB78B330EF94452A1565880C95B5
Key: daily
Decryption result:
officeim
天津市大港区民政局
5
2007-12-13
35514AB06106EE972E02A84FB7F992D5DFBDBA91901EA7D0 // obtained by encrypting the machine code
F11
F21
F31
F41
F51
F61
F71
F81
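Machine-code encryption algorithm: standard DES, key: windows
Content (obtained by decrypting the KEY file): 35514AB06106EE972E02A84FB7F992D5DFBDBA91901EA7D0
Decryption result: officeim_494329747 // exactly matches the machine code decrypted from the UID file
2. KEY file verification process:
Following the read of the KEY file leads to the key code: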
00563F74 55 push ebp ; // key function
00563F75 8BEC mov ebp, esp
00563F77 B9 11000000 mov ecx, 11
00563F7C 6A 00 push 0
00563F7E 6A 00 push 0
00563F80 49 dec ecx
00563F81 ^ 75 F9 jnz short 00563F7C
00563F83 53 push ebx
00563F84 56 push esi
00563F85 57 push edi
00563F86 8945 FC mov dword ptr [ebp-4], eax
00563F89 33C0 xor eax, eax
00563F8B 55 push ebp
00563F8C 68 86455600 push 00564586
00563F91 64:FF30 push dword ptr fs:[eax]
00563F94 64:8920 mov dword ptr fs:[eax], esp
00563F97 33C0 xor eax, eax
00563F99 55 push ebp
00563F9A 68 4E455600 push 0056454E
00563F9F 64:FF30 push dword ptr fs:[eax]
00563FA2 64:8920 mov dword ptr fs:[eax], esp
00563FA5 E8 A241FFFF call 0055814C ; // get the raw hard-disk ID
00563FAA 8BD0 mov edx, eax
00563FAC 8D45 EC lea eax, dword ptr [ebp-14]
00563FAF E8 F812EAFF call 004052AC
00563FB4 8B45 EC mov eax, dword ptr [ebp-14]
00563FB7 8D55 F0 lea edx, dword ptr [ebp-10]
00563FBA E8 4D5CEAFF call 00409C0C ; // strip leading spaces
00563FBF 837D F0 00 cmp dword ptr [ebp-10], 0 ; // is it empty?
00563FC3 75 11 jnz short 00563FD6
00563FC5 E8 2E44FFFF call 005583F8
00563FCA 33D2 xor edx, edx
00563FCC 52 push edx
00563FCD 50 push eax
00563FCE 8D45 F0 lea eax, dword ptr [ebp-10]
00563FD1 E8 DE60EAFF call 0040A0B4
00563FD6 8D45 F0 lea eax, dword ptr [ebp-10]
00563FD9 8B4D F0 mov ecx, dword ptr [ebp-10]
00563FDC BA 9C455600 mov edx, 0056459C ; ASCII "officeim_"
00563FE1 E8 DA13EAFF call 004053C0 ; // prepend "officeim_" to the hard-disk ID
00563FE6 8D55 E8 lea edx, dword ptr [ebp-18]
00563FE9 33C0 xor eax, eax
00563FEB E8 08F1E9FF call 004030F8
00563FF0 8B45 E8 mov eax, dword ptr [ebp-18]
00563FF3 8D55 F8 lea edx, dword ptr [ebp-8]
00563FF6 E8 6568EAFF call 0040A860
00563FFB 8D4D E0 lea ecx, dword ptr [ebp-20]
00563FFE BA B0455600 mov edx, 005645B0 ; ASCII "windows"
00564003 B8 C0455600 mov eax, 005645C0 ; ASCII "24F5996545478EB5E498C1DB10C47CD4"
00564008 E8 3F63FFFF call 0055A34C ; // DES decrypt
0056400D 8B4D E0 mov ecx, dword ptr [ebp-20] ; // licence.id
00564010 8D45 E4 lea eax, dword ptr [ebp-1C]
00564013 8B55 F8 mov edx, dword ptr [ebp-8]
00564016 E8 A513EAFF call 004053C0
0056401B 8B45 E4 mov eax, dword ptr [ebp-1C]
0056401E E8 F164EAFF call 0040A514
00564023 84C0 test al, al
00564025 75 0D jnz short 00564034
00564027 33C0 xor eax, eax
00564029 5A pop edx
0056402A 59 pop ecx
0056402B 59 pop ecx
0056402C 64:8910 mov dword ptr fs:[eax], edx
0056402F E9 34050000 jmp 00564568
00564034 B2 01 mov dl, 1
00564036 A1 D4DC4100 mov eax, dword ptr [41DCD4]
0056403B E8 1401EAFF call 00404154
00564040 8BD8 mov ebx, eax
00564042 8D4D D8 lea ecx, dword ptr [ebp-28]
00564045 BA B0455600 mov edx, 005645B0 ; ASCII "windows"
0056404A B8 C0455600 mov eax, 005645C0 ; ASCII "24F5996545478EB5E498C1DB10C47CD4"
0056404F E8 F862FFFF call 0055A34C ; // DES decrypt
00564054 8B4D D8 mov ecx, dword ptr [ebp-28] ; // licence.id
00564057 8D45 DC lea eax, dword ptr [ebp-24]
0056405A 8B55 F8 mov edx, dword ptr [ebp-8]
0056405D E8 5E13EAFF call 004053C0
00564062 8B55 DC mov edx, dword ptr [ebp-24]
00564065 8BC3 mov eax, ebx
00564067 8B08 mov ecx, dword ptr [eax]
00564069 FF51 68 call dword ptr [ecx+68] ; // read the KEY file contents
0056406C 8D55 D0 lea edx, dword ptr [ebp-30]
0056406F 8BC3 mov eax, ebx
00564071 8B08 mov ecx, dword ptr [eax]
00564073 FF51 1C call dword ptr [ecx+1C]
00564076 8B45 D0 mov eax, dword ptr [ebp-30] ; // pass the KEY file contents
00564079 8D4D D4 lea ecx, dword ptr [ebp-2C]
0056407C BA EC455600 mov edx, 005645EC ; ASCII "daily"
00564081 E8 C662FFFF call 0055A34C ; // DES decrypt
00564086 8B55 D4 mov edx, dword ptr [ebp-2C] ; // pass the address where the recovered content is stored
00564089 8BC3 mov eax, ebx
0056408B 8B08 mov ecx, dword ptr [eax]
0056408D FF51 2C call dword ptr [ecx+2C]
00564090 8D4D CC lea ecx, dword ptr [ebp-34]
00564093 BA 01000000 mov edx, 1
00564098 8BC3 mov eax, ebx
0056409A 8B30 mov esi, dword ptr [eax]
0056409C FF56 0C call dword ptr [esi+C]
0056409F 8B55 CC mov edx, dword ptr [ebp-34]
005640A2 8B45 FC mov eax, dword ptr [ebp-4]
005640A5 8B80 F4040000 mov eax, dword ptr [eax+4F4]
005640AB E8 086DEFFF call 0045ADB8
005640B0 8D4D C8 lea ecx, dword ptr [ebp-38]
005640B3 BA 01000000 mov edx, 1
005640B8 8BC3 mov eax, ebx
005640BA 8B30 mov esi, dword ptr [eax]
005640BC FF56 0C call dword ptr [esi+C]
005640BF 8B55 C8 mov edx, dword ptr [ebp-38]
005640C2 8B45 FC mov eax, dword ptr [ebp-4]
005640C5 05 4C060000 add eax, 64C
005640CA E8 3910EAFF call 00405108
005640CF 8D4D C4 lea ecx, dword ptr [ebp-3C]
005640D2 BA 02000000 mov edx, 2
005640D7 8BC3 mov eax, ebx
005640D9 8B30 mov esi, dword ptr [eax]
005640DB FF56 0C call dword ptr [esi+C]
005640DE 8B55 C4 mov edx, dword ptr [ebp-3C]
005640E1 8B45 FC mov eax, dword ptr [ebp-4]
005640E4 8B80 E8040000 mov eax, dword ptr [eax+4E8]
005640EA E8 C96CEFFF call 0045ADB8
005640EF 8D4D C0 lea ecx, dword ptr [ebp-40]
005640F2 BA 02000000 mov edx, 2
005640F7 8BC3 mov eax, ebx
005640F9 8B30 mov esi, dword ptr [eax]
005640FB FF56 0C call dword ptr [esi+C]
005640FE 8B45 C0 mov eax, dword ptr [ebp-40]
00564101 E8 FE5FEAFF call 0040A104
00564106 8B55 FC mov edx, dword ptr [ebp-4]
00564109 8982 38060000 mov dword ptr [edx+638], eax
0056410F 8D4D BC lea ecx, dword ptr [ebp-44]
00564112 BA 03000000 mov edx, 3
00564117 8BC3 mov eax, ebx
00564119 8B30 mov esi, dword ptr [eax]
0056411B FF56 0C call dword ptr [esi+C]
0056411E 8B55 BC mov edx, dword ptr [ebp-44]
00564121 8B45 FC mov eax, dword ptr [ebp-4]
00564124 8B80 F0040000 mov eax, dword ptr [eax+4F0]
0056412A E8 896CEFFF call 0045ADB8
0056412F 8D4D F4 lea ecx, dword ptr [ebp-C]
00564132 BA 04000000 mov edx, 4
00564137 8BC3 mov eax, ebx
00564139 8B30 mov esi, dword ptr [eax]
0056413B FF56 0C call dword ptr [esi+C]
0056413E 8D4D B8 lea ecx, dword ptr [ebp-48]
00564141 BA 05000000 mov edx, 5
00564146 8BC3 mov eax, ebx
00564148 8B30 mov esi, dword ptr [eax]
0056414A FF56 0C call dword ptr [esi+C]
0056414D 8B45 B8 mov eax, dword ptr [ebp-48]
00564150 BA FC455600 mov edx, 005645FC ; ASCII "F11"
00564155 E8 6613EAFF call 004054C0
0056415A 75 3E jnz short 0056419A
0056415C 8D4D B4 lea ecx, dword ptr [ebp-4C]
0056415F BA B0455600 mov edx, 005645B0 ; ASCII "windows"
00564164 B8 08465600 mov eax, 00564608 ; ASCII "07C6D9A6A578F58F902BD28C3EDC14D295DF846578BDAA3E"
00564169 E8 DE61FFFF call 0055A34C ; // DES decrypt
0056416E 8B55 B4 mov edx, dword ptr [ebp-4C]
00564171 8B45 FC mov eax, dword ptr [ebp-4]
00564174 8B80 FC040000 mov eax, dword ptr [eax+4FC]
0056417A 8B80 20020000 mov eax, dword ptr [eax+220]
00564180 8B08 mov ecx, dword ptr [eax]
00564182 FF51 38 call dword ptr [ecx+38]
00564185 8B45 FC mov eax, dword ptr [ebp-4]
00564188 8B80 54060000 mov eax, dword ptr [eax+654]
0056418E BA FC455600 mov edx, 005645FC ; ASCII "F11"
00564193 8B08 mov ecx, dword ptr [eax]
00564195 FF51 38 call dword ptr [ecx+38]
00564198 EB 13 jmp short 005641AD
0056419A 8B45 FC mov eax, dword ptr [ebp-4]
0056419D 8B80 54060000 mov eax, dword ptr [eax+654]
005641A3 BA 44465600 mov edx, 00564644 ; ASCII "F10"
005641A8 8B08 mov ecx, dword ptr [eax]
005641AA FF51 38 call dword ptr [ecx+38]
005641AD 8D4D B0 lea ecx, dword ptr [ebp-50]
005641B0 BA 06000000 mov edx, 6
005641B5 8BC3 mov eax, ebx
005641B7 8B30 mov esi, dword ptr [eax]
005641B9 FF56 0C call dword ptr [esi+C]
005641BC 8B45 B0 mov eax, dword ptr [ebp-50]
005641BF BA 50465600 mov edx, 00564650 ; ASCII "F21"
005641C4 E8 F712EAFF call 004054C0
005641C9 75 3E jnz short 00564209
005641CB 8D4D AC lea ecx, dword ptr [ebp-54]
005641CE BA B0455600 mov edx, 005645B0 ; ASCII "windows"
005641D3 B8 5C465600 mov eax, 0056465C ; ASCII "F010E1F0DCF1F1D48F89CFA42C0951006D36873A79A927989134515D47DABA72B7873988E3654567"
005641D8 E8 6F61FFFF call 0055A34C ; // DES decrypt
005641DD 8B55 AC mov edx, dword ptr [ebp-54]
005641E0 8B45 FC mov eax, dword ptr [ebp-4]
005641E3 8B80 FC040000 mov eax, dword ptr [eax+4FC]
005641E9 8B80 20020000 mov eax, dword ptr [eax+220]
005641EF 8B08 mov ecx, dword ptr [eax]
005641F1 FF51 38 call dword ptr [ecx+38]
005641F4 8B45 FC mov eax, dword ptr [ebp-4]
005641F7 8B80 54060000 mov eax, dword ptr [eax+654]
005641FD BA 50465600 mov edx, 00564650 ; ASCII "F21"
00564202 8B08 mov ecx, dword ptr [eax]
00564204 FF51 38 call dword ptr [ecx+38]
00564207 EB 13 jmp short 0056421C
00564209 8B45 FC mov eax, dword ptr [ebp-4]
0056420C 8B80 54060000 mov eax, dword ptr [eax+654]
00564212 BA B8465600 mov edx, 005646B8 ; ASCII "F20"
00564217 8B08 mov ecx, dword ptr [eax]
00564219 FF51 38 call dword ptr [ecx+38]
0056421C 8D4D A8 lea ecx, dword ptr [ebp-58]
0056421F BA 07000000 mov edx, 7
00564224 8BC3 mov eax, ebx
00564226 8B30 mov esi, dword ptr [eax]
00564228 FF56 0C call dword ptr [esi+C]
0056422B 8B45 A8 mov eax, dword ptr [ebp-58]
0056422E BA C4465600 mov edx, 005646C4 ; ASCII "F31"
00564233 E8 8812EAFF call 004054C0
00564238 75 3E jnz short 00564278
0056423A 8D4D A4 lea ecx, dword ptr [ebp-5C]
0056423D BA B0455600 mov edx, 005645B0 ; ASCII "windows"
00564242 B8 D0465600 mov eax, 005646D0 ; ASCII "1DF976B57F016E514B4FABE5C0D3E372"
00564247 E8 0061FFFF call 0055A34C ; // DES decrypt
0056424C 8B55 A4 mov edx, dword ptr [ebp-5C]
0056424F 8B45 FC mov eax, dword ptr [ebp-4]
00564252 8B80 FC040000 mov eax, dword ptr [eax+4FC]
00564258 8B80 20020000 mov eax, dword ptr [eax+220]
0056425E 8B08 mov ecx, dword ptr [eax]
00564260 FF51 38 call dword ptr [ecx+38]
00564263 8B45 FC mov eax, dword ptr [ebp-4]
00564266 8B80 54060000 mov eax, dword ptr [eax+654]
0056426C BA C4465600 mov edx, 005646C4 ; ASCII "F31"
00564271 8B08 mov ecx, dword ptr [eax]
00564273 FF51 38 call dword ptr [ecx+38]
00564276 EB 13 jmp short 0056428B
00564278 8B45 FC mov eax, dword ptr [ebp-4]
0056427B 8B80 54060000 mov eax, dword ptr [eax+654]
00564281 BA FC465600 mov edx, 005646FC ; ASCII "F30"
00564286 8B08 mov ecx, dword ptr [eax]
00564288 FF51 38 call dword ptr [ecx+38]
0056428B 8D4D A0 lea ecx, dword ptr [ebp-60]
0056428E BA 08000000 mov edx, 8
00564293 8BC3 mov eax, ebx
00564295 8B30 mov esi, dword ptr [eax]
00564297 FF56 0C call dword ptr [esi+C]
0056429A 8B45 A0 mov eax, dword ptr [ebp-60]
0056429D BA 08475600 mov edx, 00564708 ; ASCII "F41"
005642A2 E8 1912EAFF call 004054C0
005642A7 75 3E jnz short 005642E7
005642A9 8D4D 9C lea ecx, dword ptr [ebp-64]
005642AC BA B0455600 mov edx, 005645B0 ; ASCII "windows"
005642B1 B8 14475600 mov eax, 00564714 ; ASCII "CF33CDB86F7F65B7"
005642B6 E8 9160FFFF call 0055A34C ; // DES decrypt
005642BB 8B55 9C mov edx, dword ptr [ebp-64]
005642BE 8B45 FC mov eax, dword ptr [ebp-4]
005642C1 8B80 FC040000 mov eax, dword ptr [eax+4FC]
005642C7 8B80 20020000 mov eax, dword ptr [eax+220]
005642CD 8B08 mov ecx, dword ptr [eax]
005642CF FF51 38 call dword ptr [ecx+38]
005642D2 8B45 FC mov eax, dword ptr [ebp-4]
005642D5 8B80 54060000 mov eax, dword ptr [eax+654]
005642DB BA 08475600 mov edx, 00564708 ; ASCII "F41"
005642E0 8B08 mov ecx, dword ptr [eax]
005642E2 FF51 38 call dword ptr [ecx+38]
005642E5 EB 13 jmp short 005642FA
005642E7 8B45 FC mov eax, dword ptr [ebp-4]
005642EA 8B80 54060000 mov eax, dword ptr [eax+654]
005642F0 BA 30475600 mov edx, 00564730 ; ASCII "F40"
005642F5 8B08 mov ecx, dword ptr [eax]
005642F7 FF51 38 call dword ptr [ecx+38]
005642FA 8D4D 98 lea ecx, dword ptr [ebp-68]
005642FD BA 09000000 mov edx, 9
00564302 8BC3 mov eax, ebx
00564304 8B30 mov esi, dword ptr [eax]
00564306 FF56 0C call dword ptr [esi+C]
00564309 8B45 98 mov eax, dword ptr [ebp-68]
0056430C BA 3C475600 mov edx, 0056473C ; ASCII "F51"
00564311 E8 AA11EAFF call 004054C0
00564316 75 3E jnz short 00564356
00564318 8D4D 94 lea ecx, dword ptr [ebp-6C]
0056431B BA B0455600 mov edx, 005645B0 ; ASCII "windows"
00564320 B8 48475600 mov eax, 00564748 ; ASCII "FA5CF974F45B3239"
00564325 E8 2260FFFF call 0055A34C ; // DES decrypt
0056432A 8B55 94 mov edx, dword ptr [ebp-6C]
0056432D 8B45 FC mov eax, dword ptr [ebp-4]
00564330 8B80 FC040000 mov eax, dword ptr [eax+4FC]
00564336 8B80 20020000 mov eax, dword ptr [eax+220]
0056433C 8B08 mov ecx, dword ptr [eax]
0056433E FF51 38 call dword ptr [ecx+38]
00564341 8B45 FC mov eax, dword ptr [ebp-4]
00564344 8B80 54060000 mov eax, dword ptr [eax+654]
0056434A BA 3C475600 mov edx, 0056473C ; ASCII "F51"
0056434F 8B08 mov ecx, dword ptr [eax]
00564351 FF51 38 call dword ptr [ecx+38]
00564354 EB 13 jmp short 00564369
00564356 8B45 FC mov eax, dword ptr [ebp-4]
00564359 8B80 54060000 mov eax, dword ptr [eax+654]
0056435F BA 64475600 mov edx, 00564764 ; ASCII "F50"
00564364 8B08 mov ecx, dword ptr [eax]
00564366 FF51 38 call dword ptr [ecx+38]
00564369 8D4D 90 lea ecx, dword ptr [ebp-70]
0056436C BA 0A000000 mov edx, 0A
00564371 8BC3 mov eax, ebx
00564373 8B30 mov esi, dword ptr [eax]
00564375 FF56 0C call dword ptr [esi+C]
00564378 8B45 90 mov eax, dword ptr [ebp-70]
0056437B BA 70475600 mov edx, 00564770 ; ASCII "F61"
00564380 E8 3B11EAFF call 004054C0
00564385 75 3E jnz short 005643C5
00564387 8D4D 8C lea ecx, dword ptr [ebp-74]
0056438A BA B0455600 mov edx, 005645B0 ; ASCII "windows"
0056438F B8 7C475600 mov eax, 0056477C ; ASCII "91AC1B1FB583F17CAA894281150E40A0"
00564394 E8 B35FFFFF call 0055A34C ; // DES decrypt
00564399 8B55 8C mov edx, dword ptr [ebp-74]
0056439C 8B45 FC mov eax, dword ptr [ebp-4]
0056439F 8B80 FC040000 mov eax, dword ptr [eax+4FC]
005643A5 8B80 20020000 mov eax, dword ptr [eax+220]
005643AB 8B08 mov ecx, dword ptr [eax]
005643AD FF51 38 call dword ptr [ecx+38]
005643B0 8B45 FC mov eax, dword ptr [ebp-4]
005643B3 8B80 54060000 mov eax, dword ptr [eax+654]
005643B9 BA 70475600 mov edx, 00564770 ; ASCII "F61"
005643BE 8B08 mov ecx, dword ptr [eax]
005643C0 FF51 38 call dword ptr [ecx+38]
005643C3 EB 13 jmp short 005643D8
005643C5 8B45 FC mov eax, dword ptr [ebp-4]
005643C8 8B80 54060000 mov eax, dword ptr [eax+654]
005643CE BA A8475600 mov edx, 005647A8 ; ASCII "F60"
005643D3 8B08 mov ecx, dword ptr [eax]
005643D5 FF51 38 call dword ptr [ecx+38]
005643D8 8D4D 88 lea ecx, dword ptr [ebp-78]
005643DB BA 0B000000 mov edx, 0B
005643E0 8BC3 mov eax, ebx
005643E2 8B30 mov esi, dword ptr [eax]
005643E4 FF56 0C call dword ptr [esi+C]
005643E7 8B45 88 mov eax, dword ptr [ebp-78]
005643EA BA B4475600 mov edx, 005647B4 ; ASCII "F71"
005643EF E8 CC10EAFF call 004054C0
005643F4 75 3E jnz short 00564434
005643F6 8D4D 84 lea ecx, dword ptr [ebp-7C]
005643F9 BA B0455600 mov edx, 005645B0 ; ASCII "windows"
005643FE B8 C0475600 mov eax, 005647C0 ; ASCII "A7CCE3FE06D0B533CFBF4A71A71723BC"
00564403 E8 445FFFFF call 0055A34C ; // DES decrypt
00564408 8B55 84 mov edx, dword ptr [ebp-7C]
0056440B 8B45 FC mov eax, dword ptr [ebp-4]
0056440E 8B80 FC040000 mov eax, dword ptr [eax+4FC]
00564414 8B80 20020000 mov eax, dword ptr [eax+220]
0056441A 8B08 mov ecx, dword ptr [eax]
0056441C FF51 38 call dword ptr [ecx+38]
0056441F 8B45 FC mov eax, dword ptr [ebp-4]
00564422 8B80 54060000 mov eax, dword ptr [eax+654]
00564428 BA B4475600 mov edx, 005647B4 ; ASCII "F71"
0056442D 8B08 mov ecx, dword ptr [eax]
0056442F FF51 38 call dword ptr [ecx+38]
00564432 EB 13 jmp short 00564447
00564434 8B45 FC mov eax, dword ptr [ebp-4]
00564437 8B80 54060000 mov eax, dword ptr [eax+654]
0056443D BA EC475600 mov edx, 005647EC ; ASCII "F70"
00564442 8B08 mov ecx, dword ptr [eax]
00564444 FF51 38 call dword ptr [ecx+38]
00564447 8D4D 80 lea ecx, dword ptr [ebp-80]
0056444A BA 0C000000 mov edx, 0C
0056444F 8BC3 mov eax, ebx
00564451 8B18 mov ebx, dword ptr [eax]
00564453 FF53 0C call dword ptr [ebx+C]
00564456 8B45 80 mov eax, dword ptr [ebp-80]
00564459 BA F8475600 mov edx, 005647F8 ; ASCII "F81"
0056445E E8 5D10EAFF call 004054C0
00564463 75 44 jnz short 005644A9
00564465 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
0056446B BA B0455600 mov edx, 005645B0 ; ASCII "windows"
00564470 B8 04485600 mov eax, 00564804 ; ASCII "FE4BB590E806C63C33CC011106FDD92650DE8C96C705272FBE51C38BA67DDCC8"
00564475 E8 D25EFFFF call 0055A34C ; // DES decrypt
0056447A 8B95 7CFFFFFF mov edx, dword ptr [ebp-84]
00564480 8B45 FC mov eax, dword ptr [ebp-4]
00564483 8B80 FC040000 mov eax, dword ptr [eax+4FC]
00564489 8B80 20020000 mov eax, dword ptr [eax+220]
0056448F 8B08 mov ecx, dword ptr [eax]
00564491 FF51 38 call dword ptr [ecx+38]
00564494 8B45 FC mov eax, dword ptr [ebp-4]
00564497 8B80 54060000 mov eax, dword ptr [eax+654]
0056449D BA F8475600 mov edx, 005647F8 ; ASCII "F81"
005644A2 8B08 mov ecx, dword ptr [eax]
005644A4 FF51 38 call dword ptr [ecx+38]
005644A7 EB 13 jmp short 005644BC
005644A9 8B45 FC mov eax, dword ptr [ebp-4]
005644AC 8B80 54060000 mov eax, dword ptr [eax+654]
005644B2 BA 50485600 mov edx, 00564850 ; ASCII "F80"
005644B7 8B08 mov ecx, dword ptr [eax]
005644B9 FF51 38 call dword ptr [ecx+38]
005644BC 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88]
005644C2 BA B0455600 mov edx, 005645B0 ; ASCII "windows"
005644C7 8B45 F4 mov eax, dword ptr [ebp-C] ; // pass the string decrypted from the KEY file; decrypt it again
005644CA E8 7D5EFFFF call 0055A34C ; // recover the machine code; standard DES encryption, key: windows, string to encrypt: officeim_<machine code>
005644CF 8B95 78FFFFFF mov edx, dword ptr [ebp-88] ; // pass the recovered machine code
005644D5 8B45 F0 mov eax, dword ptr [ebp-10] ; // pass the real machine code
005644D8 E8 E30FEAFF call 004054C0 ; // compare?
005644DD 74 45 je short 00564524 ; // key jump, patch point
005644DF 8B45 FC mov eax, dword ptr [ebp-4]
005644E2 8B80 B4040000 mov eax, dword ptr [eax+4B4]
005644E8 B2 01 mov dl, 1
005644EA E8 B97EEDFF call 0043C3A8
005644EF 8B45 FC mov eax, dword ptr [ebp-4]
005644F2 8B80 B4040000 mov eax, dword ptr [eax+4B4]
005644F8 BA E8030000 mov edx, 3E8
005644FD E8 B67EEDFF call 0043C3B8
00564502 8B45 FC mov eax, dword ptr [ebp-4]
00564505 8B80 C0040000 mov eax, dword ptr [eax+4C0]
0056450B B2 01 mov dl, 1
0056450D E8 A620EEFF call 004465B8
00564512 8B45 FC mov eax, dword ptr [ebp-4]
00564515 8B80 DC040000 mov eax, dword ptr [eax+4DC]
0056451B 33D2 xor edx, edx
0056451D E8 9620EEFF call 004465B8
00564522 EB 20 jmp short 00564544
00564524 8B45 FC mov eax, dword ptr [ebp-4]
00564527 8B80 C0040000 mov eax, dword ptr [eax+4C0]
0056452D 33D2 xor edx, edx
0056452F E8 8420EEFF call 004465B8
00564534 8B45 FC mov eax, dword ptr [ebp-4]
00564537 8B80 DC040000 mov eax, dword ptr [eax+4DC]
0056453D B2 01 mov dl, 1
0056453F E8 7420EEFF call 004465B8
00564544 33C0 xor eax, eax
00564546 5A pop edx
00564547 59 pop ecx
00564548 59 pop ecx
00564549 64:8910 mov dword ptr fs:[eax], edx
0056454C EB 1A jmp short 00564568
0056454E ^ E9 2501EAFF jmp 00404678
00564553 8B45 FC mov eax, dword ptr [ebp-4]
00564556 8B80 B4040000 mov eax, dword ptr [eax+4B4]
0056455C B2 01 mov dl, 1
0056455E E8 457EEDFF call 0043C3A8
00564563 E8 3C05EAFF call 00404AA4
00564568 33C0 xor eax, eax
0056456A 5A pop edx
0056456B 59 pop ecx
0056456C 59 pop ecx
0056456D 64:8910 mov dword ptr fs:[eax], edx
00564570 68 8D455600 push 0056458D
00564575 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
0056457B BA 21000000 mov edx, 21
00564580 E8 530BEAFF call 004050D8
00564585 C3 retn
00564586 ^ E9 A103EAFF jmp 0040492C
0056458B ^ EB E8 jmp short 00564575
0056458D 5F pop edi
0056458E 5E pop esi
0056458F 5B pop ebx
00564590 8BE5 mov esp, ebp
00564592 5D pop ebp
00564593 C3 retn
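The check above relies entirely on material that ships inside the client (the DES keys and the final string comparison), so whoever reads the binary holds everything the vendor holds. The sketch below is an added example, not code from the original post or from the vendor: it verifies the same licence fields against a vendor signature, so the client carries only a public key. The field names, the sample values and the toy RSA parameters (two Mersenne primes, far too small for real use; production code would use a vetted library with Ed25519 or RSA-PSS) are assumptions made for illustration.

```python
"""Signed licence check: the client needs only the public key (N, E)."""
import hashlib
import hmac

# Toy RSA parameters (constructed for this example): two Mersenne primes give a
# ~150-bit modulus, which is far too small for real use.
_P, _Q = 2**61 - 1, 2**89 - 1
N, E = _P * _Q, 65537
# Private exponent: stays on the vendor's signing host, never in the client.
# It is computed here only so that the example can run both sides in one file.
_D = pow(E, -1, (_P - 1) * (_Q - 1))

# Hypothetical field names for the values the post recovers from licence.id.
FIELDS = ("product", "company", "users", "issued", "machine", "features")


def canonical(lic):
    """Serialise the licence fields in a fixed order, one 'name=value' per line."""
    lines = []
    for name in FIELDS:
        value = str(lic[name])  # KeyError if a field is missing
        if "\n" in value or "\r" in value:
            # A newline inside a value could smuggle in an extra field.
            raise ValueError(f"illegal newline in field {name!r}")
        lines.append(f"{name}={value}")
    return "\n".join(lines).encode("utf-8")


def _digest(data):
    """SHA-256 of the message as an integer below N (textbook RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def vendor_sign(lic):
    """Vendor side only: sign the canonical licence with the private exponent."""
    return pow(_digest(canonical(lic)), _D, N)


def client_verify(lic, signature, local_machine):
    """Client side: uses only (N, E). True for a valid licence bound to this machine."""
    try:
        message = canonical(lic)
    except (KeyError, ValueError):
        return False
    if not isinstance(signature, int) or not 0 <= signature < N:
        return False
    if pow(signature, E, N) != _digest(message):
        return False  # any edited field (user count, features, ...) fails here
    # Compare the machine binding only after the signature has been checked.
    return hmac.compare_digest(str(lic["machine"]).encode(), local_machine.encode())


# Constructed sample licence, mirroring the layout of the decrypted licence.id.
SAMPLE = {
    "product": "officeim",
    "company": "Example Org",
    "users": 5,
    "issued": "2007-12-13",
    "machine": "officeim_000000000",
    "features": "F11,F21,F31,F41,F51,F61,F71,F81",
}

if __name__ == "__main__":
    sig = vendor_sign(SAMPLE)
    print(client_verify(SAMPLE, sig, "officeim_000000000"))
    print(client_verify(dict(SAMPLE, users=500), sig, "officeim_000000000"))
```

A signature removes the shared secret from the client, but the verification result is still a local branch, so this design is normally paired with server-side enforcement of the licensed user count.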
3. UID file generation process:
0055A7F0 55 push ebp
0055A7F1 8BEC mov ebp, esp
0055A7F3 B9 0E000000 mov ecx, 0E
0055A7F8 6A 00 push 0
0055A7FA 6A 00 push 0
0055A7FC 49 dec ecx
0055A7FD ^ 75 F9 jnz short 0055A7F8
0055A7FF 53 push ebx
0055A800 56 push esi
0055A801 8BD8 mov ebx, eax
0055A803 33C0 xor eax, eax
0055A805 55 push ebp
0055A806 68 07AD5500 push 0055AD07
0055A80B 64:FF30 push dword ptr fs:[eax]
0055A80E 64:8920 mov dword ptr fs:[eax], esp
0055A811 8D55 F8 lea edx, dword ptr [ebp-8]
0055A814 8B83 08030000 mov eax, dword ptr [ebx+308]
0055A81A E8 6905F0FF call 0045AD88
0055A81F 837D F8 00 cmp dword ptr [ebp-8], 0
0055A823 75 0F jnz short 0055A834
0055A825 B8 1CAD5500 mov eax, 0055AD1C ; 请输入单位名称.
0055A82A E8 15DCFFFF call 00558444
0055A82F E9 8E040000 jmp 0055ACC2
0055A834 8D55 F4 lea edx, dword ptr [ebp-C]
0055A837 8B83 48030000 mov eax, dword ptr [ebx+348]
0055A83D E8 4605F0FF call 0045AD88
0055A842 837D F4 00 cmp dword ptr [ebp-C], 0
0055A846 75 0F jnz short 0055A857
0055A848 B8 34AD5500 mov eax, 0055AD34 ; 请输入联系人.
0055A84D E8 F2DBFFFF call 00558444
0055A852 E9 6B040000 jmp 0055ACC2
0055A857 8D55 F0 lea edx, dword ptr [ebp-10]
0055A85A 8B83 50030000 mov eax, dword ptr [ebx+350]
0055A860 E8 2305F0FF call 0045AD88
0055A865 837D F0 00 cmp dword ptr [ebp-10], 0
0055A869 75 0F jnz short 0055A87A
0055A86B B8 4CAD5500 mov eax, 0055AD4C ; 请输入电话.
0055A870 E8 CFDBFFFF call 00558444
0055A875 E9 48040000 jmp 0055ACC2
0055A87A 8D55 EC lea edx, dword ptr [ebp-14]
0055A87D 8B83 18030000 mov eax, dword ptr [ebx+318]
0055A883 E8 0005F0FF call 0045AD88
0055A888 837D EC 00 cmp dword ptr [ebp-14], 0
0055A88C 75 0F jnz short 0055A89D
0055A88E B8 60AD5500 mov eax, 0055AD60 ; 请输入电子邮件.
0055A893 E8 ACDBFFFF call 00558444
0055A898 E9 25040000 jmp 0055ACC2
0055A89D 8D55 E8 lea edx, dword ptr [ebp-18]
0055A8A0 8B83 38030000 mov eax, dword ptr [ebx+338]
0055A8A6 E8 DD04F0FF call 0045AD88
0055A8AB 837D E8 00 cmp dword ptr [ebp-18], 0
0055A8AF 75 0F jnz short 0055A8C0
0055A8B1 B8 78AD5500 mov eax, 0055AD78 ; 请输入通讯地址.
0055A8B6 E8 89DBFFFF call 00558444
0055A8BB E9 02040000 jmp 0055ACC2
0055A8C0 8D55 E4 lea edx, dword ptr [ebp-1C]
0055A8C3 8B83 40030000 mov eax, dword ptr [ebx+340]
0055A8C9 E8 BA04F0FF call 0045AD88
0055A8CE 837D E4 00 cmp dword ptr [ebp-1C], 0
0055A8D2 75 0F jnz short 0055A8E3
0055A8D4 B8 90AD5500 mov eax, 0055AD90 ; 请输入付费银行.
0055A8D9 E8 66DBFFFF call 00558444
0055A8DE E9 DF030000 jmp 0055ACC2
0055A8E3 8D55 E0 lea edx, dword ptr [ebp-20]
0055A8E6 8B83 28030000 mov eax, dword ptr [ebx+328]
0055A8EC E8 9704F0FF call 0045AD88
0055A8F1 837D E0 00 cmp dword ptr [ebp-20], 0
0055A8F5 75 0F jnz short 0055A906
0055A8F7 B8 A8AD5500 mov eax, 0055ADA8 ; 请输入付费时间,格式为 2005-10-22 12:30
0055A8FC E8 43DBFFFF call 00558444
0055A901 E9 BC030000 jmp 0055ACC2
0055A906 8D55 DC lea edx, dword ptr [ebp-24]
0055A909 8B83 30030000 mov eax, dword ptr [ebx+330]
0055A90F E8 7404F0FF call 0045AD88
0055A914 837D DC 00 cmp dword ptr [ebp-24], 0
0055A918 75 0F jnz short 0055A929
0055A91A B8 D8AD5500 mov eax, 0055ADD8 ; 请输入付费金额.
0055A91F E8 20DBFFFF call 00558444
0055A924 E9 99030000 jmp 0055ACC2
0055A929 8D55 D8 lea edx, dword ptr [ebp-28]
0055A92C 8B83 5C030000 mov eax, dword ptr [ebx+35C]
0055A932 E8 5104F0FF call 0045AD88
0055A937 837D D8 00 cmp dword ptr [ebp-28], 0
0055A93B 75 0F jnz short 0055A94C
0055A93D B8 F0AD5500 mov eax, 0055ADF0 ; 请输入购买用户数.
0055A942 E8 FDDAFFFF call 00558444
0055A947 E9 76030000 jmp 0055ACC2
0055A94C B2 01 mov dl, 1
0055A94E A1 D4DC4100 mov eax, dword ptr [41DCD4]
0055A953 E8 FC97EAFF call 00404154 ; // execution breaks here when "generate file" is clicked
0055A958 8BF0 mov esi, eax
0055A95A 8D55 D4 lea edx, dword ptr [ebp-2C]
0055A95D 8B83 08030000 mov eax, dword ptr [ebx+308]
0055A963 E8 2004F0FF call 0045AD88
0055A968 8B55 D4 mov edx, dword ptr [ebp-2C]
0055A96B 8BC6 mov eax, esi
0055A96D 8B08 mov ecx, dword ptr [eax]
0055A96F FF51 38 call dword ptr [ecx+38]
0055A972 8D55 D0 lea edx, dword ptr [ebp-30]
0055A975 8B83 48030000 mov eax, dword ptr [ebx+348]
0055A97B E8 0804F0FF call 0045AD88
0055A980 8B55 D0 mov edx, dword ptr [ebp-30]
0055A983 8BC6 mov eax, esi
0055A985 8B08 mov ecx, dword ptr [eax]
0055A987 FF51 38 call dword ptr [ecx+38]
0055A98A 8D55 CC lea edx, dword ptr [ebp-34]
0055A98D 8B83 50030000 mov eax, dword ptr [ebx+350]
0055A993 E8 F003F0FF call 0045AD88
0055A998 8B55 CC mov edx, dword ptr [ebp-34]
0055A99B 8BC6 mov eax, esi
0055A99D 8B08 mov ecx, dword ptr [eax]
0055A99F FF51 38 call dword ptr [ecx+38]
0055A9A2 8D55 C8 lea edx, dword ptr [ebp-38]
0055A9A5 8B83 18030000 mov eax, dword ptr [ebx+318]
0055A9AB E8 D803F0FF call 0045AD88
0055A9B0 8B55 C8 mov edx, dword ptr [ebp-38]
0055A9B3 8BC6 mov eax, esi
0055A9B5 8B08 mov ecx, dword ptr [eax]
0055A9B7 FF51 38 call dword ptr [ecx+38]
0055A9BA 8D55 C4 lea edx, dword ptr [ebp-3C]
0055A9BD 8B83 1C030000 mov eax, dword ptr [ebx+31C]
0055A9C3 E8 C003F0FF call 0045AD88
0055A9C8 8B55 C4 mov edx, dword ptr [ebp-3C]
0055A9CB 8BC6 mov eax, esi
0055A9CD 8B08 mov ecx, dword ptr [eax]
0055A9CF FF51 38 call dword ptr [ecx+38]
0055A9D2 8D55 C0 lea edx, dword ptr [ebp-40]
0055A9D5 8B83 38030000 mov eax, dword ptr [ebx+338]
0055A9DB E8 A803F0FF call 0045AD88
0055A9E0 8B55 C0 mov edx, dword ptr [ebp-40]
0055A9E3 8BC6 mov eax, esi
0055A9E5 8B08 mov ecx, dword ptr [eax]
0055A9E7 FF51 38 call dword ptr [ecx+38]
0055A9EA 8D55 BC lea edx, dword ptr [ebp-44]
0055A9ED 8B83 40030000 mov eax, dword ptr [ebx+340]
0055A9F3 E8 9003F0FF call 0045AD88
0055A9F8 8B55 BC mov edx, dword ptr [ebp-44]
0055A9FB 8BC6 mov eax, esi
0055A9FD 8B08 mov ecx, dword ptr [eax]
0055A9FF FF51 38 call dword ptr [ecx+38]
0055AA02 8D55 B8 lea edx, dword ptr [ebp-48]
0055AA05 8B83 28030000 mov eax, dword ptr [ebx+328]
0055AA0B E8 7803F0FF call 0045AD88
0055AA10 8B55 B8 mov edx, dword ptr [ebp-48]
0055AA13 8BC6 mov eax, esi
0055AA15 8B08 mov ecx, dword ptr [eax]
0055AA17 FF51 38 call dword ptr [ecx+38]
0055AA1A 8D55 B4 lea edx, dword ptr [ebp-4C]
0055AA1D 8B83 30030000 mov eax, dword ptr [ebx+330]
0055AA23 E8 6003F0FF call 0045AD88
0055AA28 8B55 B4 mov edx, dword ptr [ebp-4C]
0055AA2B 8BC6 mov eax, esi
0055AA2D 8B08 mov ecx, dword ptr [eax]
0055AA2F FF51 38 call dword ptr [ecx+38]
0055AA32 8D55 B0 lea edx, dword ptr [ebp-50]
0055AA35 8B83 5C030000 mov eax, dword ptr [ebx+35C]
0055AA3B E8 4803F0FF call 0045AD88
0055AA40 8B55 B0 mov edx, dword ptr [ebp-50] ; // pass the permitted user count
0055AA43 8BC6 mov eax, esi
0055AA45 8B08 mov ecx, dword ptr [eax]
0055AA47 FF51 38 call dword ptr [ecx+38]
0055AA4A E8 FDD6FFFF call 0055814C ; // get the machine code
0055AA4F 8BD0 mov edx, eax
0055AA51 8D45 AC lea eax, dword ptr [ebp-54]
0055AA54 E8 53A8EAFF call 004052AC
0055AA59 8B45 AC mov eax, dword ptr [ebp-54]
0055AA5C 8D55 FC lea edx, dword ptr [ebp-4]
0055AA5F E8 A8F1EAFF call 00409C0C ; // strip the spaces in front of the machine code
0055AA64 837D FC 00 cmp dword ptr [ebp-4], 0 ; // is it empty?
0055AA68 75 11 jnz short 0055AA7B
0055AA6A E8 89D9FFFF call 005583F8
0055AA6F 33D2 xor edx, edx
0055AA71 52 push edx
0055AA72 50 push eax
0055AA73 8D45 FC lea eax, dword ptr [ebp-4]
0055AA76 E8 39F6EAFF call 0040A0B4
0055AA7B 8D45 A8 lea eax, dword ptr [ebp-58]
0055AA7E 8B4D FC mov ecx, dword ptr [ebp-4]
0055AA81 BA 0CAE5500 mov edx, 0055AE0C ; officeim_
0055AA86 E8 35A9EAFF call 004053C0 ; // prepend "officeim_" to the machine code
0055AA8B 8B55 A8 mov edx, dword ptr [ebp-58]
0055AA8E 8BC6 mov eax, esi
0055AA90 8B08 mov ecx, dword ptr [eax]
0055AA92 FF51 38 call dword ptr [ecx+38]
0055AA95 8B83 60030000 mov eax, dword ptr [ebx+360]
0055AA9B 8B10 mov edx, dword ptr [eax]
0055AA9D FF92 C8000000 call dword ptr [edx+C8]
0055AAA3 84C0 test al, al
0055AAA5 74 0E je short 0055AAB5
0055AAA7 BA 20AE5500 mov edx, 0055AE20 ; f11
0055AAAC 8BC6 mov eax, esi
0055AAAE 8B08 mov ecx, dword ptr [eax]
0055AAB0 FF51 38 call dword ptr [ecx+38]
0055AAB3 EB 0C jmp short 0055AAC1
0055AAB5 BA 2CAE5500 mov edx, 0055AE2C ; f10
0055AABA 8BC6 mov eax, esi
0055AABC 8B08 mov ecx, dword ptr [eax]
0055AABE FF51 38 call dword ptr [ecx+38]
0055AAC1 8B83 64030000 mov eax, dword ptr [ebx+364]
0055AAC7 8B10 mov edx, dword ptr [eax]
0055AAC9 FF92 C8000000 call dword ptr [edx+C8]
0055AACF 84C0 test al, al
0055AAD1 74 0E je short 0055AAE1
0055AAD3 BA 38AE5500 mov edx, 0055AE38 ; f21
0055AAD8 8BC6 mov eax, esi
0055AADA 8B08 mov ecx, dword ptr [eax]
0055AADC FF51 38 call dword ptr [ecx+38]
0055AADF EB 0C jmp short 0055AAED
0055AAE1 BA 44AE5500 mov edx, 0055AE44 ; f20
0055AAE6 8BC6 mov eax, esi
0055AAE8 8B08 mov ecx, dword ptr [eax]
0055AAEA FF51 38 call dword ptr [ecx+38]
0055AAED 8B83 68030000 mov eax, dword ptr [ebx+368]
0055AAF3 8B10 mov edx, dword ptr [eax]
0055AAF5 FF92 C8000000 call dword ptr [edx+C8]
0055AAFB 84C0 test al, al
0055AAFD 74 0E je short 0055AB0D
0055AAFF BA 50AE5500 mov edx, 0055AE50 ; f31
0055AB04 8BC6 mov eax, esi
0055AB06 8B08 mov ecx, dword ptr [eax]
0055AB08 FF51 38 call dword ptr [ecx+38]
0055AB0B EB 0C jmp short 0055AB19
0055AB0D BA 5CAE5500 mov edx, 0055AE5C ; f30
0055AB12 8BC6 mov eax, esi
0055AB14 8B08 mov ecx, dword ptr [eax]
0055AB16 FF51 38 call dword ptr [ecx+38]
0055AB19 8B83 6C030000 mov eax, dword ptr [ebx+36C]
0055AB1F 8B10 mov edx, dword ptr [eax]
0055AB21 FF92 C8000000 call dword ptr [edx+C8]
0055AB27 84C0 test al, al
0055AB29 74 0E je short 0055AB39
0055AB2B BA 68AE5500 mov edx, 0055AE68 ; f41
0055AB30 8BC6 mov eax, esi
0055AB32 8B08 mov ecx, dword ptr [eax]
0055AB34 FF51 38 call dword ptr [ecx+38]
0055AB37 EB 0C jmp short 0055AB45
0055AB39 BA 74AE5500 mov edx, 0055AE74 ; f40
0055AB3E 8BC6 mov eax, esi
0055AB40 8B08 mov ecx, dword ptr [eax]
0055AB42 FF51 38 call dword ptr [ecx+38]
0055AB45 8B83 70030000 mov eax, dword ptr [ebx+370]
0055AB4B 8B10 mov edx, dword ptr [eax]
0055AB4D FF92 C8000000 call dword ptr [edx+C8]
0055AB53 84C0 test al, al
0055AB55 74 0E je short 0055AB65
0055AB57 BA 80AE5500 mov edx, 0055AE80 ; f51
0055AB5C 8BC6 mov eax, esi
0055AB5E 8B08 mov ecx, dword ptr [eax]
0055AB60 FF51 38 call dword ptr [ecx+38]
0055AB63 EB 0C jmp short 0055AB71
0055AB65 BA 8CAE5500 mov edx, 0055AE8C ; f50
0055AB6A 8BC6 mov eax, esi
0055AB6C 8B08 mov ecx, dword ptr [eax]
0055AB6E FF51 38 call dword ptr [ecx+38]
0055AB71 8B83 74030000 mov eax, dword ptr [ebx+374]
0055AB77 8B10 mov edx, dword ptr [eax]
0055AB79 FF92 C8000000 call dword ptr [edx+C8]
0055AB7F 84C0 test al, al
0055AB81 74 0E je short 0055AB91
0055AB83 BA 98AE5500 mov edx, 0055AE98 ; f61
0055AB88 8BC6 mov eax, esi
0055AB8A 8B08 mov ecx, dword ptr [eax]
0055AB8C FF51 38 call dword ptr [ecx+38]
0055AB8F EB 0C jmp short 0055AB9D
0055AB91 BA A4AE5500 mov edx, 0055AEA4 ; f60
0055AB96 8BC6 mov eax, esi
0055AB98 8B08 mov ecx, dword ptr [eax]
0055AB9A FF51 38 call dword ptr [ecx+38]
0055AB9D 8B83 78030000 mov eax, dword ptr [ebx+378]
0055ABA3 8B10 mov edx, dword ptr [eax]
0055ABA5 FF92 C8000000 call dword ptr [edx+C8]
0055ABAB 84C0 test al, al
0055ABAD 74 0E je short 0055ABBD
0055ABAF BA B0AE5500 mov edx, 0055AEB0 ; f71
0055ABB4 8BC6 mov eax, esi
0055ABB6 8B08 mov ecx, dword ptr [eax]
0055ABB8 FF51 38 call dword ptr [ecx+38]
0055ABBB EB 0C jmp short 0055ABC9
0055ABBD BA BCAE5500 mov edx, 0055AEBC ; f70
0055ABC2 8BC6 mov eax, esi
0055ABC4 8B08 mov ecx, dword ptr [eax]
0055ABC6 FF51 38 call dword ptr [ecx+38]
0055ABC9 8B83 7C030000 mov eax, dword ptr [ebx+37C]
0055ABCF 8B10 mov edx, dword ptr [eax]
0055ABD1 FF92 C8000000 call dword ptr [edx+C8]
0055ABD7 84C0 test al, al
0055ABD9 74 0E je short 0055ABE9
0055ABDB BA C8AE5500 mov edx, 0055AEC8 ; f81
0055ABE0 8BC6 mov eax, esi
0055ABE2 8B08 mov ecx, dword ptr [eax]
0055ABE4 FF51 38 call dword ptr [ecx+38]
0055ABE7 EB 0C jmp short 0055ABF5
0055ABE9 BA D4AE5500 mov edx, 0055AED4 ; f80
0055ABEE 8BC6 mov eax, esi
0055ABF0 8B08 mov ecx, dword ptr [eax]
0055ABF2 FF51 38 call dword ptr [ecx+38]
0055ABF5 8D55 A0 lea edx, dword ptr [ebp-60]
0055ABF8 8BC6 mov eax, esi
0055ABFA 8B08 mov ecx, dword ptr [eax]
0055ABFC FF51 1C call dword ptr [ecx+1C]
0055ABFF 8B45 A0 mov eax, dword ptr [ebp-60]
0055AC02 8D4D A4 lea ecx, dword ptr [ebp-5C]
0055AC05 BA E0AE5500 mov edx, 0055AEE0 ; officeim // key
0055AC0A E8 8DF5FFFF call 0055A19C
0055AC0F 8B55 A4 mov edx, dword ptr [ebp-5C] ; // pass the encrypted string on as the UID file content
0055AC12 8BC6 mov eax, esi
0055AC14 8B08 mov ecx, dword ptr [eax]
0055AC16 FF51 2C call dword ptr [ecx+2C]
0055AC19 68 F4AE5500 push 0055AEF4 ; 正版用户认证文件_
0055AC1E 8D55 9C lea edx, dword ptr [ebp-64]
0055AC21 8B83 08030000 mov eax, dword ptr [ebx+308]
0055AC27 E8 5C01F0FF call 0045AD88
0055AC2C FF75 9C push dword ptr [ebp-64]
0055AC2F 68 10AF5500 push 0055AF10 ; .uid
0055AC34 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC3A 83C0 78 add eax, 78
0055AC3D BA 03000000 mov edx, 3
0055AC42 E8 EDA7EAFF call 00405434
0055AC47 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC4D 8B10 mov edx, dword ptr [eax]
0055AC4F FF52 3C call dword ptr [edx+3C]
0055AC52 84C0 test al, al
0055AC54 74 6C je short 0055ACC2
0055AC56 8D55 98 lea edx, dword ptr [ebp-68]
0055AC59 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC5F E8 18E6EDFF call 0043927C
0055AC64 8B55 98 mov edx, dword ptr [ebp-68]
0055AC67 8BC6 mov eax, esi
0055AC69 8B08 mov ecx, dword ptr [eax]
0055AC6B FF51 74 call dword ptr [ecx+74]
0055AC6E 8BC6 mov eax, esi
0055AC70 E8 0F95EAFF call 00404184
0055AC75 8D55 90 lea edx, dword ptr [ebp-70]
0055AC78 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC7E E8 F9E5EDFF call 0043927C
0055AC83 FF75 90 push dword ptr [ebp-70]
0055AC86 68 20AF5500 push 0055AF20 ; 已生成,
0055AC8B 68 30AF5500 push 0055AF30 ; \n\n
0055AC90 68 30AF5500 push 0055AF30 ; \n\n
0055AC95 68 3CAF5500 push 0055AF3C ; 请发邮件到
0055AC9A A1 04455900 mov eax, dword ptr [594504]
0055AC9F FF30 push dword ptr [eax]
0055ACA1 68 50AF5500 push 0055AF50 ; 获得正式版.
0055ACA6 8D45 94 lea eax, dword ptr [ebp-6C]
0055ACA9 BA 07000000 mov edx, 7
0055ACAE E8 81A7EAFF call 00405434
0055ACB3 8B45 94 mov eax, dword ptr [ebp-6C]
0055ACB6 E8 89D7FFFF call 00558444
0055ACBB 8BC3 mov eax, ebx
0055ACBD E8 22CDF1FF call 004779E4
0055ACC2 33C0 xor eax, eax
0055ACC4 5A pop edx
0055ACC5 59 pop ecx
0055ACC6 59 pop ecx
0055ACC7 64:8910 mov dword ptr fs:[eax], edx
0055ACCA 68 0EAD5500 push 0055AD0E
0055ACCF 8D45 90 lea eax, dword ptr [ebp-70]
0055ACD2 BA 03000000 mov edx, 3
0055ACD7 E8 FCA3EAFF call 004050D8
0055ACDC 8D45 9C lea eax, dword ptr [ebp-64]
0055ACDF E8 D0A3EAFF call 004050B4
0055ACE4 8D45 A0 lea eax, dword ptr [ebp-60]
0055ACE7 BA 04000000 mov edx, 4
0055ACEC E8 E7A3EAFF call 004050D8
0055ACF1 8D45 B0 lea eax, dword ptr [ebp-50]
0055ACF4 BA 13000000 mov edx, 13
0055ACF9 E8 DAA3EAFF call 004050D8
0055ACFE 8D45 FC lea eax, dword ptr [ebp-4]
0055AD01 E8 AEA3EAFF call 004050B4
0055AD06 C3 retn
0055AD07 ^ E9 209CEAFF jmp 0040492C
0055AD0C ^ EB C1 jmp short 0055ACCF
0055AD0E 5E pop esi
0055AD0F 5B pop ebx
0055AD10 8BE5 mov esp, ebp
0055AD12 5D pop ebp
0055AD13 C3 retn
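4. Algorithm summary:
officeim
user's company name
number of users (a number)
registration date (for example: 2007-12-13)
officeim_<machine code>, DES-encrypted (key: windows)
F11
F21
F31
F41
F51
F61
F71
F81
The content above, once DES-encrypted, is the final KEY file content. The company name, number of users, registration date and machine code are obtained by decrypting the UID file sent by the user; the fixed values such as F11 depend on the features the user selected when generating the UID file.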
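The summary shows that everything needed to build a valid licence.id (the DES keys and the field layout) is present in the shipped program, so decrypting the file proves nothing about who produced it. As an added example, not code from the original post or from the analysed software, here is the same field layout checked with an Ed25519 signature, where the program holds only a public key; the file layout, function names and sample values are assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// License holds the plaintext fields the post recovers from licence.id.
type License struct {
	Product, Company, Users, Issued, MachineID string
	Features                                   []string // F11..F81 (on) or F10..F80 (off)
}

// lines returns the fields in the order listed in the algorithm summary.
func (l License) lines() []string {
	return append([]string{l.Product, l.Company, l.Users, l.Issued, l.MachineID}, l.Features...)
}

// Issue runs on the vendor side only: it signs the body with the private key.
// File layout (an assumption of this example): hex signature, newline, body.
func Issue(priv ed25519.PrivateKey, l License) (string, error) {
	for _, f := range l.lines() {
		// A line break inside a field would shift every later field on parse.
		if f == "" || strings.ContainsAny(f, "\r\n") {
			return "", errors.New("empty field or line break in field")
		}
	}
	body := strings.Join(l.lines(), "\n")
	sig := ed25519.Sign(priv, []byte(body))
	return hex.EncodeToString(sig) + "\n" + body, nil
}

// Verify runs in the shipped program, which embeds only the public key.
func Verify(pub ed25519.PublicKey, file, localMachineID string) (License, error) {
	parts := strings.SplitN(file, "\n", 2)
	if len(parts) != 2 {
		return License{}, errors.New("malformed licence file")
	}
	sig, err := hex.DecodeString(parts[0])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return License{}, errors.New("malformed signature")
	}
	// Authenticate before parsing: nothing in the body is trusted until this passes.
	if !ed25519.Verify(pub, []byte(parts[1]), sig) {
		return License{}, errors.New("signature check failed")
	}
	f := strings.Split(parts[1], "\n")
	if len(f) < 5 {
		return License{}, errors.New("too few fields")
	}
	l := License{Product: f[0], Company: f[1], Users: f[2], Issued: f[3],
		MachineID: f[4], Features: f[5:]}
	if l.MachineID != localMachineID {
		return License{}, fmt.Errorf("licence bound to %q, not this machine", l.MachineID)
	}
	return l, nil
}

// demoKeys derives a key pair from a constructed, fixed seed so the example is
// reproducible. A real vendor key is generated randomly and never ships.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys()
	lic := License{Product: "officeim", Company: "Example Co", Users: "5",
		Issued: "2007-12-13", MachineID: "officeim_000000000", // constructed values
		Features: []string{"F11", "F20"}}
	file, _ := Issue(priv, lic)
	_, err := Verify(pub, file, lic.MachineID)
	fmt.Println("genuine file:", err)
	// Editing the user count without the private key invalidates the signature.
	_, err = Verify(pub, strings.Replace(file, "\n5\n", "\n500\n", 1), lic.MachineID)
	fmt.Println("edited file: ", err)
}
```

A signature does not stop the branch patch marked in the listing; it only removes the ability to produce files that an unmodified program accepts.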
0055ABAB 84C0 test al, al
0055ABAD 74 0E je short 0055ABBD
0055ABAF BA B0AE5500 mov edx, 0055AEB0 ; f71
0055ABB4 8BC6 mov eax, esi
0055ABB6 8B08 mov ecx, dword ptr [eax]
0055ABB8 FF51 38 call dword ptr [ecx+38]
0055ABBB EB 0C jmp short 0055ABC9
0055ABBD BA BCAE5500 mov edx, 0055AEBC ; f70
0055ABC2 8BC6 mov eax, esi
0055ABC4 8B08 mov ecx, dword ptr [eax]
0055ABC6 FF51 38 call dword ptr [ecx+38]
0055ABC9 8B83 7C030000 mov eax, dword ptr [ebx+37C]
0055ABCF 8B10 mov edx, dword ptr [eax]
0055ABD1 FF92 C8000000 call dword ptr [edx+C8]
0055ABD7 84C0 test al, al
0055ABD9 74 0E je short 0055ABE9
0055ABDB BA C8AE5500 mov edx, 0055AEC8 ; f81
0055ABE0 8BC6 mov eax, esi
0055ABE2 8B08 mov ecx, dword ptr [eax]
0055ABE4 FF51 38 call dword ptr [ecx+38]
0055ABE7 EB 0C jmp short 0055ABF5
0055ABE9 BA D4AE5500 mov edx, 0055AED4 ; f80
0055ABEE 8BC6 mov eax, esi
0055ABF0 8B08 mov ecx, dword ptr [eax]
0055ABF2 FF51 38 call dword ptr [ecx+38]
0055ABF5 8D55 A0 lea edx, dword ptr [ebp-60]
0055ABF8 8BC6 mov eax, esi
0055ABFA 8B08 mov ecx, dword ptr [eax]
0055ABFC FF51 1C call dword ptr [ecx+1C]
0055ABFF 8B45 A0 mov eax, dword ptr [ebp-60]
0055AC02 8D4D A4 lea ecx, dword ptr [ebp-5C]
0055AC05 BA E0AE5500 mov edx, 0055AEE0 ; officeim //the key
0055AC0A E8 8DF5FFFF call 0055A19C
0055AC0F 8B55 A4 mov edx, dword ptr [ebp-5C] ; //pass the encrypted string on as the UID file content
0055AC12 8BC6 mov eax, esi
0055AC14 8B08 mov ecx, dword ptr [eax]
0055AC16 FF51 2C call dword ptr [ecx+2C]
0055AC19 68 F4AE5500 push 0055AEF4 ; 正版用户认证文件_
0055AC1E 8D55 9C lea edx, dword ptr [ebp-64]
0055AC21 8B83 08030000 mov eax, dword ptr [ebx+308]
0055AC27 E8 5C01F0FF call 0045AD88
0055AC2C FF75 9C push dword ptr [ebp-64]
0055AC2F 68 10AF5500 push 0055AF10 ; .uid
0055AC34 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC3A 83C0 78 add eax, 78
0055AC3D BA 03000000 mov edx, 3
0055AC42 E8 EDA7EAFF call 00405434
0055AC47 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC4D 8B10 mov edx, dword ptr [eax]
0055AC4F FF52 3C call dword ptr [edx+3C]
0055AC52 84C0 test al, al
0055AC54 74 6C je short 0055ACC2
0055AC56 8D55 98 lea edx, dword ptr [ebp-68]
0055AC59 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC5F E8 18E6EDFF call 0043927C
0055AC64 8B55 98 mov edx, dword ptr [ebp-68]
0055AC67 8BC6 mov eax, esi
0055AC69 8B08 mov ecx, dword ptr [eax]
0055AC6B FF51 74 call dword ptr [ecx+74]
0055AC6E 8BC6 mov eax, esi
0055AC70 E8 0F95EAFF call 00404184
0055AC75 8D55 90 lea edx, dword ptr [ebp-70]
0055AC78 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0055AC7E E8 F9E5EDFF call 0043927C
0055AC83 FF75 90 push dword ptr [ebp-70]
0055AC86 68 20AF5500 push 0055AF20 ; 已生成,
0055AC8B 68 30AF5500 push 0055AF30 ; \n\n
0055AC90 68 30AF5500 push 0055AF30 ; \n\n
0055AC95 68 3CAF5500 push 0055AF3C ; 请发邮件到
0055AC9A A1 04455900 mov eax, dword ptr [594504]
0055AC9F FF30 push dword ptr [eax]
0055ACA1 68 50AF5500 push 0055AF50 ; 获得正式版.
0055ACA6 8D45 94 lea eax, dword ptr [ebp-6C]
0055ACA9 BA 07000000 mov edx, 7
0055ACAE E8 81A7EAFF call 00405434
0055ACB3 8B45 94 mov eax, dword ptr [ebp-6C]
0055ACB6 E8 89D7FFFF call 00558444
0055ACBB 8BC3 mov eax, ebx
0055ACBD E8 22CDF1FF call 004779E4
0055ACC2 33C0 xor eax, eax
0055ACC4 5A pop edx
0055ACC5 59 pop ecx
0055ACC6 59 pop ecx
0055ACC7 64:8910 mov dword ptr fs:[eax], edx
0055ACCA 68 0EAD5500 push 0055AD0E
0055ACCF 8D45 90 lea eax, dword ptr [ebp-70]
0055ACD2 BA 03000000 mov edx, 3
0055ACD7 E8 FCA3EAFF call 004050D8
0055ACDC 8D45 9C lea eax, dword ptr [ebp-64]
0055ACDF E8 D0A3EAFF call 004050B4
0055ACE4 8D45 A0 lea eax, dword ptr [ebp-60]
0055ACE7 BA 04000000 mov edx, 4
0055ACEC E8 E7A3EAFF call 004050D8
0055ACF1 8D45 B0 lea eax, dword ptr [ebp-50]
0055ACF4 BA 13000000 mov edx, 13
0055ACF9 E8 DAA3EAFF call 004050D8
0055ACFE 8D45 FC lea eax, dword ptr [ebp-4]
0055AD01 E8 AEA3EAFF call 004050B4
0055AD06 C3 retn
0055AD07 ^ E9 209CEAFF jmp 0040492C
0055AD0C ^ EB C1 jmp short 0055ACCF
0055AD0E 5E pop esi
0055AD0F 5B pop ebx
0055AD10 8BE5 mov esp, ebp
0055AD12 5D pop ebp
0055AD13 C3 retn
4. Algorithm summary:
officeim
User company name
Number of users (a number)
Registration date (for example: 2007-12-13)
officeim_ + machine code, DES-encrypted (key: windows)
F11
F21
F31
F41
F51
F61
F71
F81
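The result of DES-encrypting the content above is the final KEY file content. The company name, user count, registration date and machine code are obtained by decrypting the UID file the user sends; fixed values such as F11 depend on the features the user selected when generating the UID file.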
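The layout summarised above depends on DES keys that ship inside the client, so the secrecy of those keys is the only thing separating a vendor-issued file from any other. As an added example (not from the original post or the vendor), this Go program keeps the same fields but has the client check an Ed25519 signature against an embedded public key; the type and function names, the length-prefixed encoding, the all-zero demo seed and every sample value are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// Licence holds the plaintext fields from the summary (hypothetical type and field names).
type Licence struct {
	Company, Users, Date, MachineID string
	Features                        []string // e.g. F11, F20
}
// payload length-prefixes every field so a crafted value cannot shift field boundaries.
func (l Licence) payload() []byte {
	var b strings.Builder
	for _, f := range append([]string{"officeim", l.Company, l.Users, l.Date, l.MachineID}, l.Features...) {
		fmt.Fprintf(&b, "%d:%s\n", len(f), f)
	}
	return []byte(b.String())
}
// DemoKeys derives a fixed pair from a constructed all-zero seed; real keys come from crypto/rand.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}
// Sign runs on the vendor side only; the private key never ships with the client.
func Sign(priv ed25519.PrivateKey, l Licence) []byte {
	return ed25519.Sign(priv, l.payload())
}
// Verify runs in the client, which embeds only the public key.
func Verify(pub ed25519.PublicKey, l Licence, sig []byte, localID string) error {
	if !ed25519.Verify(pub, l.payload(), sig) { // also false for a truncated signature
		return errors.New("signature does not match licence fields")
	}
	if l.MachineID != localID {
		return errors.New("licence issued for a different machine")
	}
	return nil
}

func main() {
	pub, priv := DemoKeys()
	l := Licence{"Example Co", "5", "2007-12-13", "officeim_000000000", []string{"F11", "F20"}}
	sig := Sign(priv, l)
	ok := Verify(pub, l, sig, l.MachineID)
	l.Users = "500" // field edited after signing
	fmt.Println(ok, Verify(pub, l, sig, l.MachineID))
}
```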