首先说明机器码和注册码的格式:
机器码格式:7281960325-26795-13255-21
注册码格式:6270075585-44918-3410-1497
0079BB0C /. 55 push ebp
0079BB0D |. 8BEC mov ebp, esp
0079BB0F |. 6A 00 push 0
0079BB11 |. 6A 00 push 0
0079BB13 |. 6A 00 push 0
0079BB15 |. 6A 00 push 0
0079BB17 |. 6A 00 push 0
0079BB19 |. 6A 00 push 0
0079BB1B |. 6A 00 push 0
0079BB1D |. 53 push ebx
0079BB1E |. 56 push esi
0079BB1F |. 57 push edi
0079BB20 |. 8BF1 mov esi, ecx
0079BB22 |. 8BD8 mov ebx, eax
0079BB24 |. 33C0 xor eax, eax
0079BB26 |. 55 push ebp
0079BB27 |. 68 02BD7900 push 0079BD02
0079BB2C |. 64:FF30 push dword ptr fs:[eax]
0079BB2F |. 64:8920 mov dword ptr fs:[eax], esp
0079BB32 |. 83BB 4C020000>cmp dword ptr [ebx+24C], 1
0079BB39 |. 0F85 8B010000 jnz 0079BCCA
0079BB3F |. 8D55 FC lea edx, dword ptr [ebp-4]
0079BB42 |. 8B83 2C030000 mov eax, dword ptr [ebx+32C]
0079BB48 |. E8 330BCDFF call 0046C680
0079BB4D |. 837D FC 00 cmp dword ptr [ebp-4], 0 ***若等于0则跳,判断是否有数在加密狗框内
0079BB51 |. 74 16 je short 0079BB69 ***若无数据中加密狗文本框中,则进行注册码校验
跳转后进行注册码校验:
0079BB69 |> C606 00 mov byte ptr [esi], 0
0079BB6C |. 8D55 F0 lea edx, dword ptr [ebp-10] ***将地址0012FEFC送入edx中
0079BB6F |. 8B83 14030000 mov eax, dword ptr [ebx+314] ***将地址01C1C000送入eax中
0079BB75 |. E8 060BCDFF call 0046C680 ***获取软件注册码(假码)地址0012FEFC
0079BB7A |. 8B45 F0 mov eax, dword ptr [ebp-10] ***将假码传入eax寄存器中
0079BB7D |. 8D55 F4 lea edx, dword ptr [ebp-C] ***将地址0012FF00送入edx中
0079BB80 |. E8 D3DAC6FF call 00409658 ***寄存器ECX、EDX清零,将地址0012FF00(假码)送入eax中
0079BB85 |. 837D F4 00 cmp dword ptr [ebp-C], 0 ***判断用户输入的注册码是否为空
0079BB89 |. 74 2B je short 0079BBB6 ***如为空,则跳转(程序OVER)
0079BB8B |. 8D55 EC lea edx, dword ptr [ebp-14] ***将地址0012FEF8送入edx中
0079BB8E |. 8B83 14030000 mov eax, dword ptr [ebx+314] ***将地址01C1C000送入eax中
0079BB94 |. E8 E70ACDFF call 0046C680
0079BB99 |. 8B45 EC mov eax, dword ptr [ebp-14] ***将假码送入eax寄存器中
0079BB9C |. 50 push eax ***将eax中的假码地址压入堆栈
0079BB9D |. 8D55 E8 lea edx, dword ptr [ebp-18] ***将地址0012FEF4送入edx中
0079BBA0 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
0079BBA6 |. E8 D50ACDFF call 0046C680
0079BBAB |. 8B45 E8 mov eax, dword ptr [ebp-18] ***将机器码传入eax寄存器中
0079BBAE |. 5A pop edx ***将假码传入edx寄存器中
0079BBAF |. E8 80220000 call 0079DE34 ***关键CALL
0079BBB4 |. 8806 mov byte ptr [esi], al ***保存注册标志,这里应该为1
0079BBB6 |> 803E 00 cmp byte ptr [esi], 0 ***如果为零,则判断狗狗注册,否则则是注册码注册
0079BBB9 |. 0F85 A1000000 jnz 0079BC60 ***如跳转则注册成功,这里修改为jmp就是注册码注册成功了。
0079BBBF |. 8B83 30030000 mov eax, dword ptr [ebx+330]
0079BBC5 |. 8B10 mov edx, dword ptr [eax]
0079BBC7 |. FF92 C4000000 call dword ptr [edx+C4]
0079BBCD |. 84C0 test al, al
0079BBCF |. 74 74 je short 0079BC45
0079BBD1 |. E8 F62D0000 call 0079E9CC ***运行到这里,提示注册码出错
跟入关键CALL 0079DE34中:
0079DE34 $ 55 push ebp ***将0012FF0C『0012FF48』压入堆栈
0079DE35 . 8BEC mov ebp, esp ***将地址0012FED0『0012FF0C』传入ebp寄存器中
0079DE37 . B9 0B000000 mov ecx, 0B ***给ecx赋值B(也就是十进制的11)
0079DE3C > 6A 00 push 0 ***将0压入堆栈
0079DE3E . 6A 00 push 0 ***将0压入堆栈
0079DE40 . 49 dec ecx ***ecx递减1
0079DE41 .^ 75 F9 jnz short 0079DE3C ***循环,直到ecx的值为0
0079DE43 . 51 push ecx ***将0压入堆栈
0079DE44 . 53 push ebx ***ebx=01C16E74压入堆栈
0079DE45 . 56 push esi ***esi=0012FF14压入堆栈
0079DE46 . 57 push edi ***
0079DE47 . 8955 F8 mov dword ptr [ebp-8], edx ***将假码传入地址[ebp-8]
0079DE4A . 8945 FC mov dword ptr [ebp-4], eax ***将机器码传入地址[ebp-4]
0079DE4D . 8B45 FC mov eax, dword ptr [ebp-4] ***将机器码传入地址eax
0079DE50 . E8 DB6EC6FF call 00404D30 ***edx=2
0079DE55 . 8B45 F8 mov eax, dword ptr [ebp-8] ***将假码传入地址eax
0079DE58 . E8 D36EC6FF call 00404D30
0079DE5D . 33C0 xor eax, eax ***异或运算,eax清零
0079DE5F . 55 push ebp
0079DE60 . 68 C4E07900 push 0079E0C4
0079DE65 . 64:FF30 push dword ptr fs:[eax]
0079DE68 . 64:8920 mov dword ptr fs:[eax], esp
0079DE6B . C645 F7 00 mov byte ptr [ebp-9], 0
0079DE6F . 33C0 xor eax, eax
0079DE71 . 55 push ebp
0079DE72 . 68 85E07900 push 0079E085
0079DE77 . 64:FF30 push dword ptr fs:[eax]
0079DE7A . 64:8920 mov dword ptr fs:[eax], esp
0079DE7D . BA E0E07900 mov edx, 0079E0E0
0079DE82 . 8B45 FC mov eax, dword ptr [ebp-4] ***将机器码传入eax寄存器
0079DE85 . E8 36E5FFFF call 0079C3C0 ***算法对比CALL
跟入算法对比CALL 0079C3C0中:
0079C3C0 /$ 55 push ebp
0079C3C1 |. 8BEC mov ebp, esp
0079C3C3 |. 83C4 EC add esp, -14
0079C3C6 |. 53 push ebx
0079C3C7 |. 56 push esi
0079C3C8 |. 57 push edi
0079C3C9 |. 33C9 xor ecx, ecx
0079C3CB |. 894D F0 mov dword ptr [ebp-10], ecx ***[ebp-10]寄存器清零
0079C3CE |. 894D EC mov dword ptr [ebp-14], ecx ***[ebp-14]寄存器清零
0079C3D1 |. 8955 F8 mov dword ptr [ebp-8], edx ***[ebp-8]寄存器传入0079E0E0
0079C3D4 |. 8945 FC mov dword ptr [ebp-4], eax ***将机器码传入[ebp-4]
0079C3D7 |. 8B45 FC mov eax, dword ptr [ebp-4] ***再将机器码传回eax
0079C3DA |. E8 5189C6FF call 00404D30 ***EDX=3
0079C3DF |. 8B45 F8 mov eax, dword ptr [ebp-8] ***0079E0E0传入eax
0079C3E2 |. E8 4989C6FF call 00404D30 ***EDX=0
0079C3E7 |. 33C0 xor eax, eax ***EAX清零
0079C3E9 |. 55 push ebp 压入堆栈
0079C3EA |. 68 BBC47900 push 0079C4BB
0079C3EF |. 64:FF30 push dword ptr fs:[eax]
0079C3F2 |. 64:8920 mov dword ptr fs:[eax], esp
0079C3F5 |. B2 01 mov dl, 1 ***EDX=1
0079C3F7 |. A1 9C8B4100 mov eax, dword ptr [418B9C] ***00418EB8传入eax
0079C3FC |. E8 8F75C6FF call 00403990 ***EAX传入地址01C18BB4,EDX传入00418EB8
0079C401 |. 8945 F4 mov dword ptr [ebp-C], eax ***01C18BB4传入[ebp-C]寄存器
0079C404 |. 8B45 F8 mov eax, dword ptr [ebp-8] ***0079E0E0传入eax寄存器
0079C407 |. E8 3C87C6FF call 00404B48 ***EAX=1
0079C40C |. 8BF8 mov edi, eax ***edi=1
0079C40E |. 8D4D EC lea ecx, dword ptr [ebp-14] ***堆栈地址=0012FE34传入ecx
0079C411 |. 8B55 F8 mov edx, dword ptr [ebp-8] ***0079E0E0传入edx寄存器
0079C414 |. 8B45 FC mov eax, dword ptr [ebp-4] ***机器码传入eax
0079C417 |. E8 E0FEFFFF call 0079C2FC ***跟进CALL中
跟入CALL 0079C2FC中:
0079C2FC /$ 55 push ebp
0079C2FD |. 8BEC mov ebp, esp
0079C2FF |. 83C4 F4 add esp, -0C
0079C302 |. 53 push ebx
0079C303 |. 56 push esi
0079C304 |. 33DB xor ebx, ebx ***ebx=0012FE34
0079C306 |. 895D F4 mov dword ptr [ebp-C], ebx
0079C309 |. 8BD9 mov ebx, ecx
0079C30B |. 8955 F8 mov dword ptr [ebp-8], edx ***0079E0E0传入edx寄存器
0079C30E |. 8945 FC mov dword ptr [ebp-4], eax ***机器码传入eax寄存器
0079C311 |. 8B45 FC mov eax, dword ptr [ebp-4] ***机器码传回
0079C314 |. E8 178AC6FF call 00404D30 ***EDX=4
0079C319 |. 8B45 F8 mov eax, dword ptr [ebp-8] ***0079E0E0传入eax寄存器
0079C31C |. E8 0F8AC6FF call 00404D30 ***EDX=0
0079C321 |. 33C0 xor eax, eax ***eax清零
0079C323 |. 55 push ebp
0079C324 |. 68 B3C37900 push 0079C3B3
0079C329 |. 64:FF30 push dword ptr fs:[eax]
0079C32C |. 64:8920 mov dword ptr fs:[eax], esp
0079C32F |. 8D45 F4 lea eax, dword ptr [ebp-C] ***eax=0012FE08
0079C332 |. 50 push eax
0079C333 |. 8B45 FC mov eax, dword ptr [ebp-4] ***机器码传入eax寄存器
0079C336 |. E8 0D88C6FF call 00404B48 ***eax=19
0079C33B |. 8BF0 mov esi, eax
0079C33D |. 8B45 F8 mov eax, dword ptr [ebp-8] ***0079E0E0传入eax寄存器
0079C340 |. E8 0388C6FF call 00404B48 ***eax=1
0079C345 |. 2BF0 sub esi, eax ***esi=18
0079C347 |. 46 inc esi ***esi=19
0079C348 |. 56 push esi
0079C349 |. 8B45 F8 mov eax, dword ptr [ebp-8] ***0079E0E0传入eax寄存器
0079C34C |. E8 F787C6FF call 00404B48 ***eax=1
0079C351 |. 8BC8 mov ecx, eax
0079C353 |. 8B45 FC mov eax, dword ptr [ebp-4] ***机器码传入eax寄存器
0079C356 |. 5A pop edx ***edx=19
0079C357 |. E8 448AC6FF call 00404DA0 ***eax=0012FE08,ecx,edx清零
0079C35C |. 8B45 F4 mov eax, dword ptr [ebp-C] ***eax=01C1D868
0079C35F |. 8B55 F8 mov edx, dword ptr [ebp-8] ***0079E0E0传入edx寄存器
0079C362 |. E8 2589C6FF call 00404C8C ***跟进CALL
0079C367 |. /75 25 jnz short 0079C38E
跟进:
***********************************************************************
00404C8C /$ 53 push ebx
00404C8D |. 56 push esi
00404C8E |. 57 push edi
00404C8F |. 89C6 mov esi, eax
00404C91 |. 89D7 mov edi, edx
00404C93 |. 39D0 cmp eax, edx
00404C95 0F84 8F000000 je 00404D2A
00404C9B |. 85F6 test esi, esi
00404C9D 74 68 je short 00404D07
00404C9F |. 85FF test edi, edi
00404CA1 74 6B je short 00404D0E
00404CA3 |. 8B46 FC mov eax, dword ptr [esi-4]
00404CA6 |. 8B57 FC mov edx, dword ptr [edi-4]
00404CA9 |. 29D0 sub eax, edx
00404CAB |. 77 02 ja short 00404CAF
00404CAD |. 01C2 add edx, eax
00404CAF |> 52 push edx
00404CB0 |. C1EA 02 shr edx, 2
00404CB3 |. 74 26 je short 00404CDB ***跳转实现
00404CDB |> \5A pop edx
00404CDC |. 83E2 03 and edx, 3
00404CDF |. 74 22 je short 00404D03
00404CE1 |. 8B0E mov ecx, dword ptr [esi]
00404CE3 |. 8B1F mov ebx, dword ptr [edi]
00404CE5 |. 38D9 cmp cl, bl ***bl=2D ('-') cl=31 ('1')
00404CE7 |. /75 41 jnz short 00404D2A ***跳转实现
00404D2A |> \5F pop edi
00404D2B |. 5E pop esi
00404D2C |. 5B pop ebx
00404D2D \. C3 retn
*************************************************************************
0079C367 |. 75 25 jnz short 0079C38E ***跳转实现
0079C38E |> 8BC3 mov eax, ebx
0079C390 |. 8B55 FC mov edx, dword ptr [ebp-4] ***将机器码传入edx寄存器
0079C393 |. E8 4C85C6FF call 004048E4 ***ecx=5,edx=0
0079C398 |. 33C0 xor eax, eax ***eax=0
0079C39A |. 5A pop edx
0079C39B |. 59 pop ecx
0079C39C |. 59 pop ecx
0079C39D |. 64:8910 mov dword ptr fs:[eax], edx
0079C3A0 |. 68 BAC37900 push 0079C3BA
0079C3A5 |> 8D45 F4 lea eax, dword ptr [ebp-C]
0079C3A8 |. BA 03000000 mov edx, 3
0079C3AD |. E8 0285C6FF call 004048B4 ***EDX=机器码
0079C3B2 \. C3 retn
0079C3BA . 5E pop esi
0079C3BB . 5B pop ebx
0079C3BC . 8BE5 mov esp, ebp
0079C3BE . 5D pop ebp
0079C3BF . C3 retn
0079C41C |. B3 01 mov bl, 1
0079C41E |. EB 69 jmp short 0079C489
0079C489 |> \84DB test bl, bl
0079C48B |. 74 06 |je short 0079C493
0079C48D |. 837D FC 00 |cmp dword ptr [ebp-4], 0
0079C491 |.^ 75 8D \jnz short 0079C420
0079C420 |> /8B55 EC /mov edx, dword ptr [ebp-14] ***EDX=机器码
0079C423 |. |8B45 F8 |mov eax, dword ptr [ebp-8] ***eax=0079E0E0
0079C426 |. |E8 598AC6FF |call 00404E84 **eax=b , ecx=0
0079C42B |. |8BF0 |mov esi, eax
0079C42D |. |85F6 |test esi, esi
0079C42F |. |74 45 |je short 0079C476
0079C431 |. |8D45 F0 |lea eax, dword ptr [ebp-10]
0079C434 |. |50 |push eax
0079C435 |. |8BCE |mov ecx, esi
0079C437 |. |49 |dec ecx
0079C438 |. |BA 01000000 |mov edx, 1
0079C43D |. |8B45 EC |mov eax, dword ptr [ebp-14] ***eax=机器码
0079C440 |. |E8 5B89C6FF |call 00404DA0 ***eax=0012EF38,ecx、edx清零
0079C445 |. |837D F0 00 |cmp dword ptr [ebp-10], 0
0079C449 |. |74 0B |je short 0079C456
0079C44B |. |8B55 F0 |mov edx, dword ptr [ebp-10] ***取机器码前10位,传入edx寄存器
0079C44E |. |8B45 F4 |mov eax, dword ptr [ebp-C] ***eax=01C18BB4
0079C451 |. |8B08 |mov ecx, dword ptr [eax]
0079C453 |. |FF51 38 |call dword ptr [ecx+38] ***eax=0,ecx=2,edx=0
0079C456 |> |8D45 EC |lea eax, dword ptr [ebp-14] ***eax=0012FE34
0079C459 |. |50 |push eax
0079C45A |. |8B45 EC |mov eax, dword ptr [ebp-14] ***eax=机器码
0079C45D |. |E8 E686C6FF |call 00404B48 ***eax=19,ecx=2
0079C462 |. |8BC8 |mov ecx, eax ***ecx=19
0079C464 |. |2BCE |sub ecx, esi ***ecx=E
0079C466 |. |2BCF |sub ecx, edi ***ecx=D
0079C468 |. |41 |inc ecx ***ecx=E
0079C469 |. |8D1437 |lea edx, dword ptr [edi+esi] ***EDX=C
0079C46C |. |8B45 EC |mov eax, dword ptr [ebp-14] ***eax=机器码
0079C46F |. |E8 2C89C6FF |call 00404DA0 ***EDX=机器码,eax=0012FE34,ecx=3
0079C474 |. |EB 13 |jmp short 0079C489
0079C489 |> \84DB test bl, bl ***重复比对
0079C48B |. 74 06 |je short 0079C493
0079C48D |. 837D FC 00 |cmp dword ptr [ebp-4], 0
0079C491 |.^ 75 8D \jnz short 0079C420
0079C420 |> /8B55 EC /mov edx, dword ptr [ebp-14] ***EDX=机器码后14位
0079C423 |. |8B45 F8 |mov eax, dword ptr [ebp-8] ***eax=0079E0E0
0079C426 |. |E8 598AC6FF |call 00404E84 **eax=6 , ecx=0
0079C42B |. |8BF0 |mov esi, eax
0079C42D |. |85F6 |test esi, esi
0079C42F |. |74 45 |je short 0079C476
0079C431 |. |8D45 F0 |lea eax, dword ptr [ebp-10]
0079C434 |. |50 |push eax
0079C435 |. |8BCE |mov ecx, esi
0079C437 |. |49 |dec ecx
0079C438 |. |BA 01000000 |mov edx, 1
0079C43D |. |8B45 EC |mov eax, dword ptr [ebp-14] ***eax=机器码后14位
0079C440 |. |E8 5B89C6FF |call 00404DA0 ***eax=0012EF38,ecx=1、edx=机器码前10位
0079C445 |. |837D F0 00 |cmp dword ptr [ebp-10], 0
0079C449 |. |74 0B |je short 0079C456
0079C44B |. |8B55 F0 |mov edx, dword ptr [ebp-10] ***取机器码后14位的前5位,传入edx寄存器
0079C44E |. |8B45 F4 |mov eax, dword ptr [ebp-C] ***eax=01C18BB4
0079C451 |. |8B08 |mov ecx, dword ptr [eax]
0079C453 |. |FF51 38 |call dword ptr [ecx+38] ***eax=1,ecx=2,edx=1
0079C456 |> |8D45 EC |lea eax, dword ptr [ebp-14] ***eax=0012FE34
0079C459 |. |50 |push eax
0079C45A |. |8B45 EC |mov eax, dword ptr [ebp-14] ***eax=机器码后14位
0079C45D |. |E8 E686C6FF |call 00404B48 ***eax=e,ecx=2
0079C462 |. |8BC8 |mov ecx, eax ***ecx=e
0079C464 |. |2BCE |sub ecx, esi ***ecx=8
0079C466 |. |2BCF |sub ecx, edi ***ecx=7
0079C468 |. |41 |inc ecx ***ecx=8
0079C469 |. |8D1437 |lea edx, dword ptr [edi+esi] ***EDX=7
0079C46C |. |8B45 EC |mov eax, dword ptr [ebp-14] ***eax=机器码后14位
0079C46F |. |E8 2C89C6FF |call 00404DA0 ***EDX=机器码,eax=0012FE34,ecx=3
0079C474 |. |EB 13 |jmp short 0079C489
重复循环,直到将机器码分段取完为止,程序来到如下地方:
0079C42F |. |74 45 |je short 0079C476 取完所有机器码后,该跳转实现
0079C476 |> \837D EC 00 |cmp dword ptr [ebp-14], 0
0079C47A |. 74 0B |je short 0079C487
0079C47C |. 8B55 EC |mov edx, dword ptr [ebp-14]
0079C47F |. 8B45 F4 |mov eax, dword ptr [ebp-C]
0079C482 |. 8B08 |mov ecx, dword ptr [eax]
0079C484 |. FF51 38 |call dword ptr [ecx+38]
0079C487 |> 33DB |xor ebx, ebx
0079C489 |> 84DB test bl, bl
0079C48B |. 74 06 |je short 0079C493
0079C493 |> \33C0 xor eax, eax
0079C495 |. 5A pop edx
0079C496 |. 59 pop ecx
0079C497 |. 59 pop ecx
0079C498 |. 64:8910 mov dword ptr fs:[eax], edx
0079C49B |. 68 C2C47900 push 0079C4C2
0079C4A0 |> 8D45 EC lea eax, dword ptr [ebp-14]
0079C4A3 |. BA 02000000 mov edx, 2
0079C4A8 |. E8 0784C6FF call 004048B4
0079C4AD |. 8D45 F8 lea eax, dword ptr [ebp-8]
0079C4B0 |. BA 02000000 mov edx, 2
0079C4B5 |. E8 FA83C6FF call 004048B4
0079C4BA \. C3 retn
0079C4C2 . 8B45 F4 mov eax, dword ptr [ebp-C]
0079C4C5 . 5F pop edi
0079C4C6 . 5E pop esi
0079C4C7 . 5B pop ebx
0079C4C8 . 8BE5 mov esp, ebp
0079C4CA . 5D pop ebp
0079C4CB . C3 retn
0079DE8A . 8BD8 mov ebx, eax
0079DE8C . 8D4D F0 lea ecx, dword ptr [ebp-10]
0079DE8F . 33D2 xor edx, edx
0079DE91 . 8BC3 mov eax, ebx
0079DE93 . 8B30 mov esi, dword ptr [eax]
0079DE95 . FF56 0C call dword ptr [esi+C]
0079DE98 . 8D4D EC lea ecx, dword ptr [ebp-14]
0079DE9B . BA 01000000 mov edx, 1
0079DEA0 . 8BC3 mov eax, ebx
0079DEA2 . 8B30 mov esi, dword ptr [eax]
0079DEA4 . FF56 0C call dword ptr [esi+C]
0079DEA7 . 8D4D CC lea ecx, dword ptr [ebp-34]
0079DEAA . BA 02000000 mov edx, 2
0079DEAF . 8BC3 mov eax, ebx
0079DEB1 . 8B30 mov esi, dword ptr [eax]
0079DEB3 . FF56 0C call dword ptr [esi+C]
0079DEB6 . 8B45 CC mov eax, dword ptr [ebp-34]
0079DEB9 . E8 EAD8C6FF call 0040B7A8
0079DEBE . D825 E4E07900 fsub dword ptr [79E0E4]
0079DEC4 . 83C4 F4 add esp, -0C
0079DEC7 . DB3C24 fstp tbyte ptr [esp]
0079DECA . 9B wait
0079DECB . 8D45 E4 lea eax, dword ptr [ebp-1C]
0079DECE . E8 55D7C6FF call 0040B628
0079DED3 . 8B45 EC mov eax, dword ptr [ebp-14]
0079DED6 . E8 CDD8C6FF call 0040B7A8
0079DEDB . DB7D C0 fstp tbyte ptr [ebp-40]
0079DEDE . 9B wait
0079DEDF . 8B45 F0 mov eax, dword ptr [ebp-10]
0079DEE2 . E8 C1D8C6FF call 0040B7A8
0079DEE7 . DB6D C0 fld tbyte ptr [ebp-40]
0079DEEA . DEC9 fmulp st(1), st
0079DEEC . DB7D B4 fstp tbyte ptr [ebp-4C]
0079DEEF . 9B wait
0079DEF0 . 8B45 E4 mov eax, dword ptr [ebp-1C]
0079DEF3 . E8 B0D8C6FF call 0040B7A8
0079DEF8 . DB6D B4 fld tbyte ptr [ebp-4C]
0079DEFB . DEC1 faddp st(1), st
0079DEFD . 83C4 F4 add esp, -0C
0079DF00 . DB3C24 fstp tbyte ptr [esp]
0079DF03 . 9B wait
0079DF04 . 8D45 E8 lea eax, dword ptr [ebp-18]
0079DF07 . E8 1CD7C6FF call 0040B628
0079DF0C . 8D4D E0 lea ecx, dword ptr [ebp-20]
0079DF0F . BA 03000000 mov edx, 3
0079DF14 . 8BC3 mov eax, ebx
0079DF16 . 8B18 mov ebx, dword ptr [eax]
0079DF18 . FF53 0C call dword ptr [ebx+C]
0079DF1B . BA E0E07900 mov edx, 0079E0E0
0079DF20 . 8B45 F8 mov eax, dword ptr [ebp-8]
0079DF23 . E8 98E4FFFF call 0079C3C0 ****重复0079C3C0的call内容
0079DF28 . 8BD8 mov ebx, eax
0079DF2A . 8BC3 mov eax, ebx
0079DF2C . 8B10 mov edx, dword ptr [eax]
0079DF2E . FF52 14 call dword ptr [edx+14]
0079DF31 . 83F8 04 cmp eax, 4
0079DF34 . 74 0D je short 0079DF43
0079DF43 > \8D4D F0 lea ecx, dword ptr [ebp-10]
0079DF46 . 33D2 xor edx, edx
0079DF48 . 8BC3 mov eax, ebx
0079DF4A . 8B30 mov esi, dword ptr [eax]
0079DF4C . FF56 0C call dword ptr [esi+C]
0079DF4F . 8D4D DC lea ecx, dword ptr [ebp-24]
0079DF52 . BA 01000000 mov edx, 1
0079DF57 . 8BC3 mov eax, ebx
0079DF59 . 8B30 mov esi, dword ptr [eax]
0079DF5B . FF56 0C call dword ptr [esi+C]
0079DF5E . 8D4D B0 lea ecx, dword ptr [ebp-50]
0079DF61 . BA 02000000 mov edx, 2
0079DF66 . 8BC3 mov eax, ebx
0079DF68 . 8B30 mov esi, dword ptr [eax]
0079DF6A . FF56 0C call dword ptr [esi+C]
0079DF6D . 8B45 B0 mov eax, dword ptr [ebp-50]
0079DF70 . E8 33D8C6FF call 0040B7A8
0079DF75 . D825 E4E07900 fsub dword ptr [79E0E4]
0079DF7B . 83C4 F4 add esp, -0C
0079DF7E . DB3C24 fstp tbyte ptr [esp]
0079DF81 . 9B wait
0079DF82 . 8D45 D4 lea eax, dword ptr [ebp-2C]
0079DF85 . E8 9ED6C6FF call 0040B628
0079DF8A . 8B45 DC mov eax, dword ptr [ebp-24]
0079DF8D . E8 16D8C6FF call 0040B7A8
0079DF92 . DB7D C0 fstp tbyte ptr [ebp-40]
0079DF95 . 9B wait
0079DF96 . 8B45 F0 mov eax, dword ptr [ebp-10]
0079DF99 . E8 0AD8C6FF call 0040B7A8
0079DF9E . DB6D C0 fld tbyte ptr [ebp-40]
0079DFA1 . DEC9 fmulp st(1), st
0079DFA3 . DB7D B4 fstp tbyte ptr [ebp-4C]
0079DFA6 . 9B wait
0079DFA7 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0079DFAA . E8 F9D7C6FF call 0040B7A8
0079DFAF . DB6D B4 fld tbyte ptr [ebp-4C]
0079DFB2 . DEC1 faddp st(1), st
0079DFB4 . 83C4 F4 add esp, -0C
0079DFB7 . DB3C24 fstp tbyte ptr [esp]
0079DFBA . 9B wait
0079DFBB . 8D45 D8 lea eax, dword ptr [ebp-28]
0079DFBE . E8 65D6C6FF call 0040B628
0079DFC3 . 8D4D D0 lea ecx, dword ptr [ebp-30]
0079DFC6 . BA 03000000 mov edx, 3
0079DFCB . 8BC3 mov eax, ebx
0079DFCD . 8B18 mov ebx, dword ptr [eax]
0079DFCF . FF53 0C call dword ptr [ebx+C]
0079DFD2 . 8B45 E8 mov eax, dword ptr [ebp-18] ***此时得到一个类似eax=281639255130340的数值
0079DFD5 . 8B55 D8 mov edx, dword ptr [ebp-28] ***此时得到一个类似edx=281639255130340的数值
0079DFD8 . E8 AF6CC6FF call 00404C8C 数值对比
0079DFDD . /74 0D je short 0079DFEC 跳转实现
0079DFEC > \8B45 DC mov eax, dword ptr [ebp-24]
0079DFEF . E8 B4D7C6FF call 0040B7A8
0079DFF4 . D825 E8E07900 fsub dword ptr [79E0E8]
0079DFFA . 83C4 F4 add esp, -0C
0079DFFD . DB3C24 fstp tbyte ptr [esp]
0079E000 . 9B wait
0079E001 . 8D45 AC lea eax, dword ptr [ebp-54]
0079E004 . E8 1FD6C6FF call 0040B628
0079E009 . 8B55 AC mov edx, dword ptr [ebp-54]
0079E00C . 8B45 EC mov eax, dword ptr [ebp-14]
0079E00F . E8 786CC6FF call 00404C8C
0079E014 . 74 0A je short 0079E020
0079E016 . 33C0 xor eax, eax
0079E018 . 5A pop edx
0079E019 . 59 pop ecx
0079E01A . 59 pop ecx
0079E01B . 64:8910 mov dword ptr fs:[eax], edx
0079E01E . EB 6F jmp short 0079E08F
0079E020 > 8D55 A8 lea edx, dword ptr [ebp-58]
0079E023 . 8B45 F8 mov eax, dword ptr [ebp-8]
之后经过几步,程序注册成功
弄了一晚上,总算是把动态跟踪的东西扒下来了(这个是用正确的注册码和机器码进行跟踪的程序流程)。哪位大侠能对程序的算法进行讲解一番?如果有空的话,注册机能否用程序写下来?小弟就靠这个东西入门了,先鞠躬谢谢!