2SCR(屏保制作软件)
发表于: 2004-8-23 21:29 5508

2SCR(屏保制作软件)

RoBa 活跃值
16
2004-8-23 21:29
5508
; Entry of the routine at 0040B6A0 (32-bit x86; disassembler output in the
; form: address, opcode bytes, instruction).
; It builds a stack frame, stores the incoming eax in [ebp-$50], and calls
; GetSystemInfo with a buffer that lies $2F0 bytes past that stored pointer.
0040B6A0   55                     push    ebp
0040B6A1   8BEC                   mov     ebp, esp
0040B6A3   81C4A8FDFFFF           add     esp, $FFFFFDA8	; esp -= $258: reserve space for locals
0040B6A9   53                     push    ebx
0040B6AA   56                     push    esi
0040B6AB   57                     push    edi
0040B6AC   8945B0                 mov     [ebp-$50], eax	; keep incoming eax; base for the +$2F0 access below (presumably the form object - TODO confirm)
0040B6AF   B840464B00             mov     eax, $004B4640

|
0040B6B4   E88F3D0800             call    0048F448		; helper not identified in this listing
0040B6B9   8B55B0                 mov     edx, [ebp-$50]
0040B6BC   81C2F0020000           add     edx, $000002F0	; edx = saved pointer + $2F0
0040B6C2   52                     push    edx			; pushed as the argument for the call below

* Reference to: GetSystemInfo()					;calls GetSystemInfo
|								;which fills in a SYSTEM_INFO structure
0040B6C3   E8EA3A0A00             call    004AF1B2		;the structure is located at [ebp-$50]+$2F0

看看SYSTEM_INFO是啥样:(具体请查阅资料)
********************************************
// Structure filled in by GetSystemInfo().
// The "+$nn" byte offsets below assume 4-byte DWORD and LPVOID, i.e. the
// 32-bit layout; the listing's accesses at +$14, +$18, +$20 and +$22
// (relative to the buffer at +$2F0) agree with them.
typedef struct _SYSTEM_INFO { // sinf  
    union { 
        DWORD  dwOemId;                       // +$00
        struct { 
            WORD wProcessorArchitecture;      // +$00
            WORD wReserved;                   // +$02
        }; 
    }; 
    DWORD  dwPageSize;                        // +$04
    LPVOID lpMinimumApplicationAddress;       // +$08
    LPVOID lpMaximumApplicationAddress;       // +$0C
    DWORD  dwActiveProcessorMask;             // +$10
    DWORD  dwNumberOfProcessors;              // +$14  read at [eax+$0304] in the listing
    DWORD  dwProcessorType;                   // +$18  read at [ecx+$0308]
    DWORD  dwAllocationGranularity;           // +$1C
    WORD  wProcessorLevel;                    // +$20  read at [eax+$0310]
    WORD  wProcessorRevision;                 // +$22  read at [eax+$0312]

} SYSTEM_INFO; 
********************************************

; Reads four SYSTEM_INFO fields from the buffer at [ebp-$50]+$2F0, seeds three
; stack locals from them, then runs a fixed-count mixing loop.
; Working set: esi, ebx, edi and the locals [ebp-$54], [ebp-$58], [ebp-$5C];
; eax is the loop counter.
; NOTE(review): every input here is a value the local machine reports and
; every constant is an immediate in the code, so the computation holds no
; secret. A licence check derived this way is reproducible by anyone who can
; read the binary; verifying a signature against an embedded public key, or
; validating on a server, avoids that weakness.
0040B6C8   8B45B0                 mov     eax, [ebp-$50]	;EAX=[EBP-50]
0040B6CB   8B4DB0                 mov     ecx, [ebp-$50]	;ECX=[EBP-50]
0040B6CE   0FB7B010030000         movzx   esi, word ptr [eax+$0310]; structure offset $310-$2F0=$20 (wProcessorLevel). The paste fused the next instruction onto this line: 0040B6D5   8B45B0                 mov     eax, [ebp-$50]
0040B6D8   8B9908030000           mov     ebx, [ecx+$0308]	; structure offset $18: processor type (dwProcessorType)

* Reference to field TForm3.OFFS_0304
|
0040B6DE   8BB804030000           mov     edi, [eax+$0304]	; structure offset $14: number of processors
0040B6E4   8B45B0                 mov     eax, [ebp-$50]
0040B6E7   8D0C1E                 lea     ecx, [esi+ebx]
0040B6EA   0FB79012030000         movzx   edx, word ptr [eax+$0312]	; structure offset $22 (wProcessorRevision)
0040B6F1   03CF                   add     ecx, edi
0040B6F3   8955AC                 mov     [ebp-$54], edx		; [ebp-$54] = revision
0040B6F6   034DAC                 add     ecx, [ebp-$54]
0040B6F9   894DA8                 mov     [ebp-$58], ecx		; [ebp-$58] = esi + ebx + edi + [ebp-$54]
0040B6FC   8B45AC                 mov     eax, [ebp-$54]
0040B6FF   03C6                   add     eax, esi
0040B701   33C3                   xor     eax, ebx
0040B703   33C7                   xor     eax, edi
0040B705   8945A4                 mov     [ebp-$5C], eax		; [ebp-$5C] = (([ebp-$54] + esi) xor ebx) xor edi
0040B708   33C0                   xor     eax, eax		; loop counter = 0
0040B70A   8D941E34120000         lea     edx, [esi+ebx+$1234]	; loop top (target of the jl at 0040B779)
0040B711   8D8C3745230000         lea     ecx, [edi+esi+$2345]
0040B718   81F245230000           xor     edx, $00002345
0040B71E   81F156340000           xor     ecx, $00003456
0040B724   8BDA                   mov     ebx, edx		; new ebx = (esi + ebx + $1234) xor $2345
0040B726   8B55AC                 mov     edx, [ebp-$54]
0040B729   0355A8                 add     edx, [ebp-$58]
0040B72C   037DAC                 add     edi, [ebp-$54]		; uses the old [ebp-$54], stored back only at 0040B743
0040B72F   81C267450000           add     edx, $00004567
0040B735   8BF1                   mov     esi, ecx		; new esi = (edi + esi + $2345) xor $3456, from the old edi/esi
0040B737   81F278560000           xor     edx, $00005678
0040B73D   81C756340000           add     edi, $00003456
0040B743   8955AC                 mov     [ebp-$54], edx		; new [ebp-$54]
0040B746   81F767450000           xor     edi, $00004567
0040B74C   8B4DA8                 mov     ecx, [ebp-$58]
0040B74F   034DA4                 add     ecx, [ebp-$5C]
0040B752   81C178560000           add     ecx, $00005678
0040B758   81F189670000           xor     ecx, $00006789
0040B75E   894DA8                 mov     [ebp-$58], ecx		; new [ebp-$58]
0040B761   8B55A4                 mov     edx, [ebp-$5C]
0040B764   03D3                   add     edx, ebx		; uses the ebx updated at 0040B724
0040B766   81C289670000           add     edx, $00006789
0040B76C   81F291780000           xor     edx, $00007891
0040B772   8955A4                 mov     [ebp-$5C], edx		; new [ebp-$5C]
0040B775   40                     inc     eax
0040B776   83F825                 cmp     eax, +$25
0040B779   7C8F                   jl      0040B70A  		; repeat while counter < $25 (37 passes); the block above is the mixing computation
0040B77B   66C745C41400           mov     word ptr [ebp-$3C], $0014

.....................(略)..............................

; Fetches the text of Edit1, folds the loop results into one value, and
; compares a value derived from it with what the user entered.
; The outcome ends up in cl, which decides the branch at 0040B8DF.
; The helpers at 0049B060, 0049B1E8 and 0049B0E8 are not identified in this
; listing; remarks about them below are assumptions.
0040B871   8B45B0                 mov     eax, [ebp-$50]

* Reference to control Edit1 : TEdit
|
0040B874   8B80E0020000           mov     eax, [eax+$02E0]	; Edit1 control, per the disassembler annotation

* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0040B87A   E815580400             call    00451094		; fetch the serial text the user typed
0040B87F   03F3                   add     esi, ebx
0040B881   8D55F0                 lea     edx, [ebp-$10]
0040B884   52                     push    edx			; saved for the pop at 0040B8AD
0040B885   03FE                   add     edi, esi
0040B887   037DAC                 add     edi, [ebp-$54]
0040B88A   037DA8                 add     edi, [ebp-$58]
0040B88D   037DA4                 add     edi, [ebp-$5C]	; sum the results computed above
0040B890   337DA0                 xor     edi, [ebp-$60]	; then XOR with the user-name length (per the author; [ebp-$60] is set in the omitted part)
0040B893   897D9C                 mov     [ebp-$64], edi
0040B896   8B459C                 mov     eax, [ebp-$64]
0040B899   99                     cdq				; edx = sign mask of eax (0 or -1)
0040B89A   33C2                   xor     eax, edx
0040B89C   2BC2                   sub     eax, edx		; cdq/xor/sub: eax = absolute value of the result
0040B89E   8BD0                   mov     edx, eax
0040B8A0   8D45EC                 lea     eax, [ebp-$14]

|
0040B8A3   E8B8F70800             call    0049B060		; called with eax = &[ebp-$14], edx = value; presumably builds a string from the integer - TODO confirm
0040B8A8   8BD0                   mov     edx, eax
0040B8AA   FF45D0                 inc     dword ptr [ebp-$30]	; counter adjusted around the helper calls; purpose not shown here
0040B8AD   58                     pop     eax			; eax = address pushed at 0040B884, assuming the calls in between leave the stack balanced

|
0040B8AE   E835F90800             call    0049B1E8		; comparison helper; per the author, a mismatch leaves ZF=0 after the test below
0040B8B3   85C0                   test    eax, eax
0040B8B5   8D45EC                 lea     eax, [ebp-$14]	; lea leaves the flags from the test untouched
0040B8B8   0F94C1                 setz    cl			; cl = 1 if ZF is set, otherwise 0
0040B8BB   83E101                 and     ecx, +$01		; keep bit 0 only; if CL was 0 the result is 0
0040B8BE   BA02000000             mov     edx, $00000002
0040B8C3   51                     push    ecx			; keep the result across the two calls below
0040B8C4   FF4DD0                 dec     dword ptr [ebp-$30]

|
0040B8C7   E81CF80800             call    0049B0E8		; eax = &[ebp-$14], edx = 2; presumably releases that temporary - TODO confirm
0040B8CC   FF4DD0                 dec     dword ptr [ebp-$30]
0040B8CF   8D45F0                 lea     eax, [ebp-$10]
0040B8D2   BA02000000             mov     edx, $00000002

|
0040B8D7   E80CF80800             call    0049B0E8		; same helper for the temporary at [ebp-$10]
0040B8DC   59                     pop     ecx			; restore the comparison result
0040B8DD   84C9                   test    cl, cl
0040B8DF   0F8458010000           jz      0040BA3D		; CL=0: jump away, the check has failed

简易注册机:(VC++)

#include <windows.h>
#include <stdio.h>
#include <iostream.h>

// Transcribes the arithmetic of the disassembly listing into C++, one
// statement per instruction, with locals named after the registers and stack
// slots they stand for. Reads a name from stdin and prints the computed number.
// NOTE(review): `void main()` and <iostream.h> are pre-standard forms; this
// only builds with old VC++-era toolchains.
void main()
{
	int eax,ebx,ecx,edx,esi,edi;	// one int per x86 register used in the listing
	int ebp_54,ebp_58,ebp_5c,result;	// stand-ins for [ebp-$54], [ebp-$58], [ebp-$5C]
	char name[200]={0};
	cout<<"Please input your name:";
	// NOTE(review): operator>> into a char array is unbounded here, so an input
	// token longer than 199 characters writes past name[] (stack overflow).
	// It also stops at the first whitespace, so only the first word is read.
	cin>>name;
	SYSTEM_INFO *pSI=new SYSTEM_INFO;	// NOTE(review): never deleted; a stack SYSTEM_INFO would avoid the allocation
	GetSystemInfo(pSI);

	// Seed values: the same four SYSTEM_INFO fields the listing reads.
	esi=pSI->wProcessorLevel;	
	ebx=pSI->dwProcessorType;
	edi=pSI->dwNumberOfProcessors;
	ecx=esi+ebx;
	edx=pSI->wProcessorRevision;
	ecx+=edi;
	ebp_54=edx;
	ecx+=ebp_54;
	ebp_58=ecx;
	eax=ebp_54;
	eax+=esi;
	eax^=ebx;
	eax^=edi;
	ebp_5c=eax;
	eax=0;		// loop counter
label1:
	// Loop body mirrors 0040B70A..0040B772; statement order matters because
	// several updates read values written earlier in the same pass.
	edx=esi+ebx+0x1234;
	ecx=edi+esi+0x2345;
	edx^=0x2345;
	ecx^=0x3456;
	ebx=edx;
	edx=ebp_54;
	edx+=ebp_58;
	edi+=ebp_54;
	edx+=0x4567;
	esi=ecx;
	edx^=0x5678;
	edi+=0x3456;
	ebp_54=edx;
	edi^=0x4567;
	ecx=ebp_58;
	ecx+=ebp_5c;
	ecx+=0x5678;
	ecx^=0x6789;
	ebp_58=ecx;
	edx=ebp_5c;
	edx+=ebx;
	edx+=0x6789;
	edx^=0x7891;
	ebp_5c=edx;
	eax++;
	if (eax<0x25) goto label1;	// 0x25 = 37 passes, as in the listing
	// Sum of the six working values, XORed with the length of the name.
	// NOTE(review): the int sum is mixed with strlen()'s unsigned size_t and
	// narrowed back to int on assignment.
	result=(edi+esi+ebx+ebp_54+ebp_58+ebp_5c)^strlen(name);
	cout<<"Your serial number is "<<result<<endl;
	cout<<"KeyGen by RoBa  ThanQ!"<<endl;
}
