我觉得在学习Crack的时候不能只是简单的找关键点、去记住怎么去做。我们要知其然,更要知其所以然。
在进行分析的时候,无论是静态分析还是动态分析,都要能够看懂程序的整个执行过程,才能分析程序的功能,然后才能进一步的分析。
我这里对刚看到的一个Crackme做个简单的分析,当然CCDebuger大哥已经分析的很详细了,我这里注释一下windows程序的反汇编代码(主要是窗口过程中的消息处理),希望对初学者有些许的帮助。
CCDebuger大哥的教程:http://bbs.pediy.com/showthread.php?t=21330
我用OD打开,注释如下
首先入口代码依次调用GetModuleHandleA(把hInstance存到[403184])、GetCommandLineA(返回值没有被使用)、0040140C(这个子程序在创建窗口之前就根据当前驱动器的卷标和驱动器类型算出“机器码”并存入[40339C],后面按下Check It时就拿它来比较,详见末尾的分析)、00401031(WinMain函数),最后把WinMain的返回值交给ExitProcess。
; ---- Entry point (00401000): start-up stub, not WinMain itself ----
; Order of operations: GetModuleHandleA -> [403184]; GetCommandLineA (result dropped);
; 0040140C (builds the "machine code" into [40339C]); WinMain; ExitProcess.
00401000 >/$ 6A 00 PUSH 0 ; /pModule = NULL -> handle of this .exe
00401002 |. E8 C7040000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007 |. A3 84314000 MOV DWORD PTR DS:[403184],EAX ; [403184] = hInstance; reused by the WM_CREATE handler in the window procedure
0040100C |. E8 B1040000 CALL <JMP.&KERNEL32.GetCommandLineA> ; GetCommandLineA - EAX is never stored, the command line is not used anywhere
00401011 |. E8 F6030000 CALL CrackHea.0040140C ; compute the machine code BEFORE any window exists (see 0040140C); it uses PUSHAD/POPAD, so no register is clobbered here
00401016 |. 6A 0A PUSH 0A ; /Arg4 = nCmdShow = 0A (SW_SHOWDEFAULT) - WinMain ignores it and uses SW_SHOWNORMAL
00401018 |. FF35 88314000 PUSH DWORD PTR DS:[403188] ; |Arg3 = lpCmdLine; [403188] is never written in the visible code - presumably a zero .data slot, confirm in the dump
0040101E |. 6A 00 PUSH 0 ; |Arg2 = hPrevInstance = NULL
00401020 |. FF35 84314000 PUSH DWORD PTR DS:[403184] ; |Arg1 = hInstance (OD's "= 00000000" is a stale runtime value, not the real argument)
00401026 |. E8 06000000 CALL CrackHea.00401031 ; \WinMain(hInstance, hPrevInstance, lpCmdLine, nCmdShow) - stdcall, callee does RETN 10
0040102B |. 50 PUSH EAX ; /ExitCode = WinMain's return value (msg.wParam of the WM_QUIT)
0040102C \. E8 8B040000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess - never returns
; ---- WinMain (00401031): register the class, create the main window, run the message loop ----
; Arguments: hInst=[EBP+8], hPrevInst=[EBP+C], lpCmdLine=[EBP+10], nCmdShow=[EBP+14]; stdcall, RETN 10.
; Frame (ADD ESP,-50): [EBP-50] hWnd, [EBP-4C..EBP-31] MSG (28 bytes), [EBP-30..EBP-1] WNDCLASSEXA (48 bytes).
00401031 /$ 55 PUSH EBP ; WinMain entry
00401032 |. 8BEC MOV EBP,ESP
00401034 |. 83C4 B0 ADD ESP,-50 ; 0x50 bytes of locals (layout above)
00401037 |. C745 D0 30000>MOV DWORD PTR SS:[EBP-30],30 ; wc.cbSize = 0x30 = sizeof(WNDCLASSEXA); the 12 members follow in declaration order
0040103E |. C745 D4 03000>MOV DWORD PTR SS:[EBP-2C],3 ; wc.style = CS_VREDRAW|CS_HREDRAW
00401045 |. C745 D8 25114>MOV DWORD PTR SS:[EBP-28],CrackHea.00401125 ; wc.lpfnWndProc = 00401125 (the window procedure)
0040104C |. C745 DC 00000>MOV DWORD PTR SS:[EBP-24],0 ; wc.cbClsExtra = 0
00401053 |. C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0 ; wc.cbWndExtra = 0
0040105A |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; wc.hInstance = hInst (copied with a push/pop pair)
0040105D |. 8F45 E4 POP DWORD PTR SS:[EBP-1C]
00401060 |. C745 F0 10000>MOV DWORD PTR SS:[EBP-10],10 ; wc.hbrBackground = 0x10 = COLOR_BTNFACE+1
00401067 |. C745 F8 00304>MOV DWORD PTR SS:[EBP-8],CrackHea.00403000 ; wc.lpszClassName = "SimpleWinClass"
; NOTE(review): wc.lpszMenuName at [EBP-0C] is never written in this routine, so RegisterClassExA reads an
; uninitialised stack slot there. The menu is attached separately (LoadMenuA + hMenu below), so the class
; menu name is not needed; the program only behaves reliably if that slot happens to hold 0 - confirm in the dump.
0040106E |. 6A 01 PUSH 1 ; /RsrcName = MAKEINTRESOURCE(1)
00401070 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hInst
00401073 |. E8 08040000 CALL <JMP.&USER32.LoadIconA> ; \LoadIconA
00401078 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; wc.hIcon
0040107B |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; wc.hIconSm = the same icon
0040107E |. 68 007F0000 PUSH 7F00 ; /RsrcName = IDC_ARROW
00401083 |. 6A 00 PUSH 0 ; |hInst = NULL (system cursor)
00401085 |. E8 F0030000 CALL <JMP.&USER32.LoadCursorA> ; \LoadCursorA
0040108A |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; wc.hCursor
0040108D |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00401090 |. 50 PUSH EAX ; /pWndClassEx = &wc
00401091 |. E8 02040000 CALL <JMP.&USER32.RegisterClassExA> ; \RegisterClassExA - the return value (0 on failure) is not checked
00401096 |. 68 22304000 PUSH CrackHea.00403022 ; /RsrcName = "dick" (name of the menu resource)
0040109B |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hInst
0040109E |. E8 E3030000 CALL <JMP.&USER32.LoadMenuA> ; \LoadMenuA
004010A3 |. A3 80314000 MOV DWORD PTR DS:[403180],EAX ; [403180] = hMenu
004010A8 |. 6A 00 PUSH 0 ; /lParam = NULL
004010AA |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hInst
004010AD |. FF35 80314000 PUSH DWORD PTR DS:[403180] ; |hMenu = [403180] from LoadMenuA (OD's "= NULL" is a stale runtime value)
004010B3 |. 6A 00 PUSH 0 ; |hParent = NULL (top-level window)
004010B5 |. 68 96000000 PUSH 96 ; |Height = 150
004010BA |. 68 F0000000 PUSH 0F0 ; |Width = 240
004010BF |. 68 00000080 PUSH 80000000 ; |Y = CW_USEDEFAULT
004010C4 |. 68 00000080 PUSH 80000000 ; |X = CW_USEDEFAULT
004010C9 |. 68 0000C810 PUSH 10C80000 ; |Style = WS_VISIBLE|WS_CAPTION|WS_SYSMENU (WS_OVERLAPPED is 0)
004010CE |. 68 0F304000 PUSH CrackHea.0040300F ; |WindowName = "Crudd's Crack Head"
004010D3 |. 68 00304000 PUSH CrackHea.00403000 ; |Class = "SimpleWinClass"
004010D8 |. 68 00020000 PUSH 200 ; |ExtStyle = WS_EX_CLIENTEDGE
004010DD |. E8 74030000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA - WM_CREATE is delivered to 00401125 from inside this call
004010E2 |. 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX ; hWnd (NULL on failure - not checked)
004010E5 |. 6A 01 PUSH 1 ; /ShowState = SW_SHOWNORMAL (the nCmdShow argument at [EBP+14] is ignored)
004010E7 |. FF75 B0 PUSH DWORD PTR SS:[EBP-50] ; |hWnd
004010EA |. E8 BB030000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
004010EF |. FF75 B0 PUSH DWORD PTR SS:[EBP-50] ; /hWnd
004010F2 |. E8 BF030000 CALL <JMP.&USER32.UpdateWindow> ; \UpdateWindow
004010F7 |> 6A 00 /PUSH 0 ; /MsgFilterMax = 0 -- message loop: while (GetMessageA(&msg, NULL, 0, 0)) { TranslateMessage; DispatchMessageA }
004010F9 |. 6A 00 |PUSH 0 ; |MsgFilterMin = 0
004010FB |. 6A 00 |PUSH 0 ; |hWnd = NULL (all windows of this thread)
004010FD |. 8D45 B4 |LEA EAX,DWORD PTR SS:[EBP-4C] ; |&msg
00401100 |. 50 |PUSH EAX ; |pMsg
00401101 |. E8 68030000 |CALL <JMP.&USER32.GetMessageA> ; \GetMessageA
00401106 |. 0BC0 |OR EAX,EAX ; only EAX == 0 (WM_QUIT) leaves the loop
00401108 |. 74 14 |JE SHORT CrackHea.0040111E ; NOTE(review): GetMessageA returns -1 on error; that is non-zero here, so an error keeps dispatching an invalid MSG instead of exiting
0040110A |. 8D45 B4 |LEA EAX,DWORD PTR SS:[EBP-4C]
0040110D |. 50 |PUSH EAX ; /pMsg
0040110E |. E8 9D030000 |CALL <JMP.&USER32.TranslateMessage> ; \TranslateMessage
00401113 |. 8D45 B4 |LEA EAX,DWORD PTR SS:[EBP-4C]
00401116 |. 50 |PUSH EAX ; /pMsg
00401117 |. E8 4C030000 |CALL <JMP.&USER32.DispatchMessageA> ; \DispatchMessageA -> 00401125 for this window
0040111C |.^ EB D9 \JMP SHORT CrackHea.004010F7
0040111E |> 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] ; return msg.wParam (MSG+8), i.e. the exit code given to PostQuitMessage
00401121 |. C9 LEAVE
00401122 \. C2 1000 RETN 10 ; stdcall: pop the 4 arguments
WinMain子程序结束(返回值是WM_QUIT带的wParam,入口处把它交给ExitProcess)
; ---- Window procedure (00401125) ----
; WndProc(hWnd=[EBP+8], uMsg=[EBP+C], wParam=[EBP+10], lParam=[EBP+14]); stdcall, RETN 10.
; Handles WM_DESTROY (2), WM_CREATE (1) and WM_COMMAND (111); everything else goes to DefWindowProcA.
; Globals: [403184] hInstance, [403190] hwndEdit, [403194] hwndText, [40318C] hwndButton,
;          [403198] hwndSerialLabel, [40339C] machine code (written by 0040140C), [4033C4] 40-byte input buffer.
; NOTE(review): ESI is loaded at 00401310 but never saved/restored by this routine (no PUSH ESI in the
; prologue). ESI is callee-saved under the Win32 stdcall convention USER32 expects from a window
; procedure, so this is an ABI violation even if it happens not to crash here.
00401125 /. 55 PUSH EBP ; window procedure entry
00401126 |. 8BEC MOV EBP,ESP ; no locals, no callee-saved registers pushed
00401128 |. 837D 0C 02 CMP DWORD PTR SS:[EBP+C],2 ; uMsg == WM_DESTROY (2)?
0040112C |. 75 0C JNZ SHORT CrackHea.0040113A
0040112E |. 6A 00 PUSH 0 ; /ExitCode = 0
00401130 |. E8 5D030000 CALL <JMP.&USER32.PostQuitMessage> ; \PostQuitMessage -> GetMessageA in WinMain returns 0
00401135 |. E9 50020000 JMP CrackHea.0040138A ; return 0
0040113A |> 837D 0C 01 CMP DWORD PTR SS:[EBP+C],1 ; uMsg == WM_CREATE (1)? creates the edit box, two statics and the button
0040113E |. 0F85 E3000000 JNZ CrackHea.00401227
00401144 |. 6A 00 PUSH 0 ; /lParam = NULL
00401146 |. FF35 84314000 PUSH DWORD PTR DS:[403184] ; |hInst = [403184], saved at 00401007 (OD's "= NULL" is a stale runtime value)
0040114C |. 6A 01 PUSH 1 ; |hMenu = child control ID 1
0040114E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent = hWnd
00401151 |. 6A 17 PUSH 17 ; |Height = 23
00401153 |. 68 B4000000 PUSH 0B4 ; |Width = 180
00401158 |. 6A 01 PUSH 1 ; |Y = 1
0040115A |. 6A 2E PUSH 2E ; |X = 46
0040115C |. 68 00208140 PUSH 40812000 ; |Style = WS_CHILD|WS_BORDER|WS_TABSTOP|ES_NUMBER (0x2000, not decoded by OD: typed input is limited to digits, so a '-' cannot be typed - pasting may bypass that). No WS_VISIBLE: the box starts hidden
00401161 |. 6A 00 PUSH 0 ; |WindowName = NULL
00401163 |. 68 37304000 PUSH CrackHea.00403037 ; |Class = "edit"
00401168 |. 68 00020000 PUSH 200 ; |ExtStyle = WS_EX_CLIENTEDGE
0040116D |. E8 E4020000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
00401172 |. A3 90314000 MOV DWORD PTR DS:[403190],EAX ; [403190] = hwndEdit (serial input box)
00401177 |. FF35 90314000 PUSH DWORD PTR DS:[403190] ; /hWnd = hwndEdit
0040117D |. E8 1C030000 CALL <JMP.&USER32.SetFocus> ; \SetFocus
00401182 |. 6A 00 PUSH 0 ; /lParam = NULL
00401184 |. FF35 84314000 PUSH DWORD PTR DS:[403184] ; |hInst = [403184]
0040118A |. 6A 01 PUSH 1 ; |hMenu = child control ID 1 (same ID as the edit box - see the notification filter at 00401302)
0040118C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent = hWnd
0040118F |. 68 8C000000 PUSH 8C ; |Height = 140
00401194 |. 68 DC000000 PUSH 0DC ; |Width = 220
00401199 |. 6A 01 PUSH 1 ; |Y = 1
0040119B |. 6A 01 PUSH 1 ; |X = 1
0040119D |. 68 01000050 PUSH 50000001 ; |Style = WS_CHILD|WS_VISIBLE|SS_CENTER (1)
004011A2 |. 6A 00 PUSH 0 ; |WindowName = NULL
004011A4 |. 68 3C304000 PUSH CrackHea.0040303C ; |Class = "static"
004011A9 |. 6A 00 PUSH 0 ; |ExtStyle = 0
004011AB |. E8 A6020000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
004011B0 |. A3 94314000 MOV DWORD PTR DS:[403194],EAX ; [403194] = hwndText (About/Greets text area)
004011B5 |. 68 43304000 PUSH CrackHea.00403043 ; /Text = "Crudd's Crack Head. You have to write a keygen for this because the serial is different for every computer (Hint, Hint). Enjoy."
004011BA |. FF35 94314000 PUSH DWORD PTR DS:[403194] ; |hWnd = hwndText
004011C0 |. E8 DF020000 CALL <JMP.&USER32.SetWindowTextA> ; \SetWindowTextA
004011C5 |. 6A 00 PUSH 0 ; /lParam = NULL
004011C7 |. FF35 84314000 PUSH DWORD PTR DS:[403184] ; |hInst = [403184]
004011CD |. 6A 01 PUSH 1 ; |hMenu = child control ID 1 (third control sharing this ID)
004011CF |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent = hWnd
004011D2 |. 6A 17 PUSH 17 ; |Height = 23
004011D4 |. 6A 3C PUSH 3C ; |Width = 60
004011D6 |. 6A 4B PUSH 4B ; |Y = 75
004011D8 |. 6A 5A PUSH 5A ; |X = 90
004011DA |. 68 00000040 PUSH 40000000 ; |Style = WS_CHILD only (BS_PUSHBUTTON = 0); hidden until "Try It"
004011DF |. 68 2E304000 PUSH CrackHea.0040302E ; |WindowName = "Check It"
004011E4 |. 68 27304000 PUSH CrackHea.00403027 ; |Class = "button"
004011E9 |. 6A 00 PUSH 0 ; |ExtStyle = 0
004011EB |. E8 66020000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
004011F0 |. A3 8C314000 MOV DWORD PTR DS:[40318C],EAX ; [40318C] = hwndButton
004011F5 |. 6A 00 PUSH 0 ; /lParam = NULL
004011F7 |. FF35 84314000 PUSH DWORD PTR DS:[403184] ; |hInst = [403184]
004011FD |. 6A 03 PUSH 3 ; |hMenu = child control ID 3
004011FF |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent = hWnd
00401202 |. 6A 19 PUSH 19 ; |Height = 25
00401204 |. 6A 2D PUSH 2D ; |Width = 45
00401206 |. 6A 05 PUSH 5 ; |Y = 5
00401208 |. 6A 02 PUSH 2 ; |X = 2
0040120A |. 68 00000040 PUSH 40000000 ; |Style = WS_CHILD; hidden until "Try It"
0040120F |. 6A 00 PUSH 0 ; |WindowName = NULL
00401211 |. 68 3C304000 PUSH CrackHea.0040303C ; |Class = "static"
00401216 |. 6A 00 PUSH 0 ; |ExtStyle = 0
00401218 |. E8 39020000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
0040121D |. A3 98314000 MOV DWORD PTR DS:[403198],EAX ; [403198] = hwndSerialLabel (shows "Serial:")
00401222 |. E9 63010000 JMP CrackHea.0040138A ; return 0 (WM_CREATE: creation continues)
00401227 |> 817D 0C 11010>CMP DWORD PTR SS:[EBP+C],111 ; uMsg == WM_COMMAND (111)? menu items and the button both arrive here
0040122E |. 0F85 41010000 JNZ CrackHea.00401375 ; anything else -> DefWindowProcA
00401234 |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; EAX = wParam: LOWORD = menu/control ID, HIWORD = notification code
00401237 |. 837D 14 00 CMP DWORD PTR SS:[EBP+14],0 ; lParam == 0 -> menu (or accelerator); otherwise lParam is the sending control's hWnd
0040123B |. 0F85 C1000000 JNZ CrackHea.00401302 ; control notification -> 00401302
00401241 |. 66:83F8 01 CMP AX,1 ; menu ID 1 = About
00401245 |. 75 1A JNZ SHORT CrackHea.00401261
00401247 |. E8 44010000 CALL CrackHea.00401390 ; hide the serial controls, show and clear the text area
0040124C |. 68 43304000 PUSH CrackHea.00403043 ; /Text = "Crudd's Crack Head. You have to write a keygen for this because the serial is different for every computer (Hint, Hint). Enjoy."
00401251 |. FF35 94314000 PUSH DWORD PTR DS:[403194] ; |hWnd = hwndText
00401257 |. E8 48020000 CALL <JMP.&USER32.SetWindowTextA> ; \SetWindowTextA
0040125C |. E9 29010000 JMP CrackHea.0040138A ; return 0
00401261 |> 66:83F8 02 CMP AX,2 ; menu ID 2 = Greets
00401265 |. 75 1A JNZ SHORT CrackHea.00401281
00401267 |. E8 24010000 CALL CrackHea.00401390 ; same reset as for About
0040126C |. 68 C5304000 PUSH CrackHea.004030C5 ; /Text = "Greets: r!sc, nchanta, Thesmurf, Nitrus, Falcon && the GC, everyone in #c4n, L!m!t, Rebelious and all of [TeX], Sheep140 and Cream, anyone who tries to crack this and anyone i forgot."
00401271 |. FF35 94314000 PUSH DWORD PTR DS:[403194] ; |hWnd = hwndText
00401277 |. E8 28020000 CALL <JMP.&USER32.SetWindowTextA> ; \SetWindowTextA
0040127C |. E9 09010000 JMP CrackHea.0040138A ; return 0
00401281 |> 66:83F8 04 CMP AX,4 ; menu ID 4 = Try It
00401285 |. 75 6E JNZ SHORT CrackHea.004012F5 ; every other menu ID (the author reports Exit has no explicit ID) falls through to DestroyWindow
00401287 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
00401289 |. FF35 90314000 PUSH DWORD PTR DS:[403190] ; |hWnd = hwndEdit
0040128F |. E8 16020000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
00401294 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
00401296 |. FF35 98314000 PUSH DWORD PTR DS:[403198] ; |hWnd = hwndSerialLabel
0040129C |. E8 09020000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
004012A1 |. 6A 00 PUSH 0 ; /ShowState = SW_HIDE
004012A3 |. FF35 94314000 PUSH DWORD PTR DS:[403194] ; |hWnd = hwndText
004012A9 |. E8 FC010000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
004012AE |. EB 09 JMP SHORT CrackHea.004012B9 ; skip the inline string below (data embedded in .text; a linear disassembler would decode it as instructions)
004012B0 |. 31 32 33 34 3>ASCII "12345666",0 ; placeholder text put into the edit box - not the real serial
004012B9 |> 68 B0124000 PUSH CrackHea.004012B0 ; /Text = "12345666"
004012BE |. FF35 90314000 PUSH DWORD PTR DS:[403190] ; |hWnd = hwndEdit
004012C4 |. E8 DB010000 CALL <JMP.&USER32.SetWindowTextA> ; \SetWindowTextA
004012C9 |. EB 08 JMP SHORT CrackHea.004012D3 ; skip inline string
004012CB |. 53 65 72 69 6>ASCII "Serial:",0
004012D3 |> 68 CB124000 PUSH CrackHea.004012CB ; /Text = "Serial:"
004012D8 |. FF35 98314000 PUSH DWORD PTR DS:[403198] ; |hWnd = hwndSerialLabel
004012DE |. E8 C1010000 CALL <JMP.&USER32.SetWindowTextA> ; \SetWindowTextA
004012E3 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
004012E5 |. FF35 8C314000 PUSH DWORD PTR DS:[40318C] ; |hWnd = hwndButton
004012EB |. E8 BA010000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
004012F0 |. E9 95000000 JMP CrackHea.0040138A ; return 0
004012F5 |> FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /hWnd - reached for Exit (and any unrecognised menu ID)
004012F8 |. E8 65010000 CALL <JMP.&USER32.DestroyWindow> ; \DestroyWindow -> WM_DESTROY -> PostQuitMessage
004012FD |. E9 88000000 JMP CrackHea.0040138A ; return 0
00401302 |> 66:83F8 01 CMP AX,1 ; control notification: ID 1 is shared by the edit box, the text static and the "Check It" button
00401306 |. 75 6B JNZ SHORT CrackHea.00401373 ; other IDs -> return 0
00401308 |. C1E8 10 SHR EAX,10 ; EAX = HIWORD(wParam) = notification code
0040130B |. 66:0BC0 OR AX,AX ; 0 = BN_CLICKED; the edit box's EN_* codes are non-zero, which is all that tells the button apart from the edit box here
0040130E |. 75 63 JNZ SHORT CrackHea.00401373 ; not a button click -> return 0
00401310 |. 8B35 9C334000 MOV ESI,DWORD PTR DS:[40339C] ; ESI = machine code written by 0040140C at start-up (clobbered without being saved - see header note)
00401316 |. 6A 28 PUSH 28 ; /Count = 40 (bounded copy incl. the NUL: at most 39 characters of input)
00401318 |. 68 C4334000 PUSH CrackHea.004033C4 ; |Buffer = 004033C4 (40 bytes; the drive-type byte at 4033EC sits directly after it)
0040131D |. FF35 90314000 PUSH DWORD PTR DS:[403190] ; |hWnd = hwndEdit
00401323 |. E8 4C010000 CALL <JMP.&USER32.GetWindowTextA> ; \GetWindowTextA - fetch the typed serial
00401328 |. E8 A5000000 CALL CrackHea.004013D2 ; parse the buffer as a signed decimal: EAX = value; side effect: ESI becomes ESI XOR 797A7553
0040132D |. 3BC6 CMP EAX,ESI ; valid serial <=> atoi(input) == (machine code XOR 797A7553), written as a signed 32-bit decimal
0040132F |. 75 42 JNZ SHORT CrackHea.00401373 ; mismatch: silently return 0 - there is no "wrong serial" message
00401331 |. EB 2C JMP SHORT CrackHea.0040135F ; skip inline string
00401333 |. 4E 6F 77 20 7>ASCII "Now write a keyg"
00401343 |. 65 6E 20 61 6>ASCII "en and tut and y"
00401353 |. 6F 75 27 72 6>ASCII "ou're done.",0
0040135F |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401361 |. 68 0F304000 PUSH CrackHea.0040300F ; |Title = "Crudd's Crack Head"
00401366 |. 68 33134000 PUSH CrackHea.00401333 ; |Text = "Now write a keygen and tut and you're done."
0040136B |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner = hWnd
0040136E |. E8 19010000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA - success message
00401373 |> EB 15 JMP SHORT CrackHea.0040138A ; return 0
00401375 |> FF75 14 PUSH DWORD PTR SS:[EBP+14] ; /lParam - unhandled message: forward to DefWindowProcA
00401378 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |wParam
0040137B |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Message
0040137E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401381 |. E8 D6000000 CALL <JMP.&USER32.DefWindowProcA> ; \DefWindowProcA
00401386 |. C9 LEAVE
00401387 |. C2 1000 RETN 10 ; return DefWindowProcA's result
0040138A |> 33C0 XOR EAX,EAX ; common exit for handled messages: return 0
0040138C |. C9 LEAVE
0040138D \. C2 1000 RETN 10
窗口过程子程序结束。下面的00401390是About/Greets两个菜单共用的界面复位子程序。
; ---- 00401390: reset the view for About/Greets ----
; Hides the edit box, the "Serial:" label and the button, shows the text static and clears its text.
; No arguments; EAX/ECX/EDX are clobbered by the API calls (volatile under stdcall).
00401390 /$ 6A 00 PUSH 0 ; /ShowState = SW_HIDE
00401392 |. FF35 90314000 PUSH DWORD PTR DS:[403190] ; |hWnd = hwndEdit
00401398 |. E8 0D010000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
0040139D |. 6A 00 PUSH 0 ; /ShowState = SW_HIDE
0040139F |. FF35 98314000 PUSH DWORD PTR DS:[403198] ; |hWnd = hwndSerialLabel
004013A5 |. E8 00010000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
004013AA |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
004013AC |. FF35 94314000 PUSH DWORD PTR DS:[403194] ; |hWnd = hwndText
004013B2 |. E8 F3000000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
004013B7 |. 6A 00 PUSH 0 ; /Text = NULL (clears the static's text)
004013B9 |. FF35 94314000 PUSH DWORD PTR DS:[403194] ; |hWnd = hwndText
004013BF |. E8 E0000000 CALL <JMP.&USER32.SetWindowTextA> ; \SetWindowTextA
004013C4 |. 6A 00 PUSH 0 ; /ShowState = SW_HIDE
004013C6 |. FF35 8C314000 PUSH DWORD PTR DS:[40318C] ; |hWnd = hwndButton
004013CC |. E8 D9000000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
004013D1 \. C3 RETN
; ---- 004013D2: parse the typed serial as a signed decimal integer ----
; In:  [4033C4] = NUL-terminated text from GetWindowTextA; ESI = caller's value (the machine code)
; Out: EAX = atoi-style value (two's-complement negated when the first character is '-');
;      ESI = caller's ESI XOR 797A7553 - the expected serial; ECX, EDX and flags are clobbered.
; The XOR on ESI after the POP is the hidden half of the check: the caller compares EAX against it.
; Quirks: no digit validation (any byte is folded in via SUB AL,30), no overflow check (wraps mod 2^32),
; empty input parses as 0.
004013D2 /$ 56 PUSH ESI ; save the caller's ESI (machine code); restored and then XORed at the end
004013D3 |. 33C0 XOR EAX,EAX ; EAX = 0, so the byte loads into AL below act as zero-extension
004013D5 |. 8D35 C4334000 LEA ESI,DWORD PTR DS:[4033C4] ; ESI -> input text
004013DB |. 33C9 XOR ECX,ECX ; ECX = accumulated magnitude
004013DD |. 33D2 XOR EDX,EDX ; EDX = sign mask: 0 for positive, -1 for negative
004013DF |. 8A06 MOV AL,BYTE PTR DS:[ESI] ; first character
004013E1 |. 46 INC ESI
004013E2 |. 3C 2D CMP AL,2D ; leading '-' ?
004013E4 |. 75 08 JNZ SHORT CrackHea.004013EE
004013E6 |. BA FFFFFFFF MOV EDX,-1 ; negative: remember the sign ...
004013EB |. 8A06 MOV AL,BYTE PTR DS:[ESI] ; ... and consume the '-'
004013ED |. 46 INC ESI
004013EE |> EB 0B JMP SHORT CrackHea.004013FB ; enter the loop at the terminator test
004013F0 |> 2C 30 /SUB AL,30 ; digit = ch - '0' (unchecked: a non-digit yields garbage, not an error)
004013F2 |. 8D0C89 |LEA ECX,DWORD PTR DS:[ECX+ECX*4] ; ECX = ECX*5
004013F5 |. 8D0C48 |LEA ECX,DWORD PTR DS:[EAX+ECX*2] ; ECX = ECX*10 + digit
004013F8 |. 8A06 |MOV AL,BYTE PTR DS:[ESI] ; next character
004013FA |. 46 |INC ESI
004013FB |> 0AC0 OR AL,AL ; NUL terminator?
004013FD |.^ 75 F1 \JNZ SHORT CrackHea.004013F0 ; loop until the end of the string
004013FF |. 8D040A LEA EAX,DWORD PTR DS:[EDX+ECX] ; EAX = ECX + sign mask (ECX, or ECX-1 when negative)
00401402 |. 33C2 XOR EAX,EDX ; EAX ^= sign mask: positive -> ECX; negative -> ~(ECX-1) == -ECX (two's-complement negation, not just a bitwise NOT)
00401404 |. 5E POP ESI ; restore the caller's ESI (= machine code loaded at 00401310)
00401405 |. 81F6 53757A79 XOR ESI,797A7553 ; ESI = machine code XOR 797A7553 -> the value the typed serial must equal
0040140B \. C3 RETN
算法子程序结束。注意它实际上有两个“返回值”:EAX是输入串解析出的有符号十进制整数,ESI是机器码 XOR 797A7553;调用处0040132D比较的就是这两个值,所以注册码就是(机器码 XOR 797A7553)按有符号32位整数写成的十进制串。
; ---- 0040140C: build the per-machine "machine code" into [40339C] ----
; machine_code = DWORD(first 4 bytes of the current drive's volume label) * (t + (t-1) + ... + 1)
; with t = GetDriveTypeA(NULL), i.e. label_dword * t*(t+1)/2 mod 2^32 (the high half of each MUL is dropped).
; PUSHAD/POPAD keep every register intact for the caller (00401011).
; NOTE(review): this is a weak fingerprint - only 4 bytes of the volume label and the drive type (e.g.
; DRIVE_FIXED = 3) feed in, so many machines share a serial. Neither API's return value is checked, and
; with an empty label the DWORD is whatever the first 4 bytes of the buffer hold after the call (first byte
; NUL) - confirm in the dump.
; NOTE(review): if GetDriveTypeA returns 0 (DRIVE_UNKNOWN), DEC ECX wraps to FFFFFFFF before the CMP and the
; loop runs ~2^32 more iterations: the program effectively hangs at start-up on such a drive.
0040140C /$ 60 PUSHAD ; save all registers (EBX/ESI/EDI are used below)
0040140D |. 6A 00 PUSH 0 ; /RootPathName = NULL -> the drive of the current directory
0040140F |. E8 B4000000 CALL <JMP.&KERNEL32.GetDriveTypeA> ; \GetDriveTypeA
00401414 |. A2 EC334000 MOV BYTE PTR DS:[4033EC],AL ; [4033EC] = drive type (only the low byte is kept)
00401419 |. 6A 00 PUSH 0 ; /pFileSystemNameSize = NULL
0040141B |. 6A 00 PUSH 0 ; |pFileSystemNameBuffer = NULL
0040141D |. 6A 00 PUSH 0 ; |pFileSystemFlags = NULL
0040141F |. 6A 00 PUSH 0 ; |pMaxFilenameLength = NULL
00401421 |. 6A 00 PUSH 0 ; |pVolumeSerialNumber = NULL - the volume serial number is NOT used, only the label text
00401423 |. 6A 0B PUSH 0B ; |MaxVolumeNameSize = 11 (incl. NUL)
00401425 |. 68 9C334000 PUSH CrackHea.0040339C ; |VolumeNameBuffer = 0040339C
0040142A |. 6A 00 PUSH 0 ; |RootPathName = NULL -> current drive
0040142C |. E8 A3000000 CALL <JMP.&KERNEL32.GetVolumeInformationA> ; \GetVolumeInformationA - on failure the buffer keeps whatever it held (not checked)
00401431 |. 8D35 9C334000 LEA ESI,DWORD PTR DS:[40339C] ; ESI -> volume label (never advanced inside the loop)
00401437 |. 0FB60D EC3340>MOVZX ECX,BYTE PTR DS:[4033EC] ; ECX = drive type = loop counter
0040143E |. 33FF XOR EDI,EDI ; EDI = accumulator
00401440 |> 8BC1 MOV EAX,ECX ; EAX = current counter value
00401442 |. 8B1E MOV EBX,DWORD PTR DS:[ESI] ; EBX = first 4 bytes of the label (the same DWORD every iteration)
00401444 |. F7E3 MUL EBX ; EDX:EAX = counter * label_dword; EDX is discarded
00401446 |. 03F8 ADD EDI,EAX ; EDI += low DWORD of the product
00401448 |. 49 DEC ECX
00401449 |. 83F9 00 CMP ECX,0 ; loop while ECX != 0 (tested after the decrement, so it wraps if ECX started at 0)
0040144C |.^ 75 F2 JNZ SHORT CrackHea.00401440
0040144E |. 893D 9C334000 MOV DWORD PTR DS:[40339C],EDI ; overwrite the label buffer with the machine code; read back at 00401310
00401454 |. 61 POPAD
00401455 \. C3 RETN
机器码子程序结束。
下面是本程序导入的所有API函数(IAT跳转桩,上面的CALL <JMP.&...>都经过这里)及其所在的库。
; ---- Import thunks: one JMP DWORD PTR [IAT slot] per imported API ----
; Every CALL <JMP.&...> above lands on one of these. The list contains no GetProcAddress/LoadLibrary and no
; debugger-detection APIs, so nothing anti-debug is visible in the static import table.
00401456 $- FF25 50204000 JMP DWORD PTR DS:[<&USER32.CreateWindowExA>] ; USER32.CreateWindowExA
0040145C $- FF25 4C204000 JMP DWORD PTR DS:[<&USER32.DefWindowProcA>] ; USER32.DefWindowProcA
00401462 $- FF25 48204000 JMP DWORD PTR DS:[<&USER32.DestroyWindow>] ; USER32.DestroyWindow
00401468 $- FF25 44204000 JMP DWORD PTR DS:[<&USER32.DispatchMessageA>] ; USER32.DispatchMessageA
0040146E $- FF25 18204000 JMP DWORD PTR DS:[<&USER32.GetMessageA>] ; USER32.GetMessageA
00401474 $- FF25 2C204000 JMP DWORD PTR DS:[<&USER32.GetWindowTextA>] ; USER32.GetWindowTextA
0040147A $- FF25 30204000 JMP DWORD PTR DS:[<&USER32.LoadCursorA>] ; USER32.LoadCursorA
00401480 $- FF25 1C204000 JMP DWORD PTR DS:[<&USER32.LoadIconA>] ; USER32.LoadIconA
00401486 $- FF25 20204000 JMP DWORD PTR DS:[<&USER32.LoadMenuA>] ; USER32.LoadMenuA
0040148C $- FF25 24204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
00401492 $- FF25 28204000 JMP DWORD PTR DS:[<&USER32.PostQuitMessage>] ; USER32.PostQuitMessage
00401498 $- FF25 54204000 JMP DWORD PTR DS:[<&USER32.RegisterClassExA>] ; USER32.RegisterClassExA
0040149E $- FF25 58204000 JMP DWORD PTR DS:[<&USER32.SetFocus>] ; USER32.SetFocus
004014A4 $- FF25 34204000 JMP DWORD PTR DS:[<&USER32.SetWindowTextA>] ; USER32.SetWindowTextA
004014AA $- FF25 38204000 JMP DWORD PTR DS:[<&USER32.ShowWindow>] ; USER32.ShowWindow
004014B0 $- FF25 3C204000 JMP DWORD PTR DS:[<&USER32.TranslateMessage>] ; USER32.TranslateMessage
004014B6 $- FF25 40204000 JMP DWORD PTR DS:[<&USER32.UpdateWindow>] ; USER32.UpdateWindow
004014BC .- FF25 10204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; kernel32.ExitProcess
004014C2 $- FF25 0C204000 JMP DWORD PTR DS:[<&KERNEL32.GetCommandLineA>] ; kernel32.GetCommandLineA
004014C8 $- FF25 08204000 JMP DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>] ; kernel32.GetDriveTypeA
004014CE $- FF25 04204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
004014D4 $- FF25 00204000 JMP DWORD PTR DS:[<&KERNEL32.GetVolumeInformatio>; kernel32.GetVolumeInformationA
004014DA 00 DB 00 ; trailing bytes after the last thunk - presumably section padding
004014DB 00 DB 00
004014DC 00 DB 00