最近没什么时间。
我尽量写详细。
这个软件可以下 messagebox断点。
然后向上看到:004414B6 /. 55 push ebp
004414B7 |. 8BEC mov ebp, esp
004414B9 |. 6A FF push -1
004414BB |. 68 37074800 push 00480737 ; SE 处理程序安装
004414C0 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004414C6 |. 50 push eax
004414C7 |. 64:8925 00000>mov dword ptr fs:[0], esp
004414CE |. 83EC 20 sub esp, 20
004414D1 |. 894D E0 mov dword ptr [ebp-20], ecx
004414D4 |. 6A 01 push 1
004414D6 |. 8B4D E0 mov ecx, dword ptr [ebp-20]
004414D9 |. E8 C2A20300 call <jmp.&MFC42.#6334>
004414DE |. 8D4D EC lea ecx, dword ptr [ebp-14]
004414E1 |. E8 9CA20300 call <jmp.&MFC42.#540>
004414E6 |. C745 FC 00000>mov dword ptr [ebp-4], 0
004414ED |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004414F0 |. E8 8DA20300 call <jmp.&MFC42.#540>
004414F5 |. C645 FC 01 mov byte ptr [ebp-4], 1
004414F9 |. 8B45 E0 mov eax, dword ptr [ebp-20]
004414FC |. 05 54030000 add eax, 354
00441501 |. 50 push eax
00441502 |. 8B4D E0 mov ecx, dword ptr [ebp-20]
00441505 |. 81C1 50030000 add ecx, 350
0044150B |. 51 push ecx
0044150C |. E8 7F4B0300 call 00476090 //算法
00441511 |. 85C0 test eax, eax
00441513 |. 75 56 jnz short 0044156B
00441515 |. 68 F3EF0000 push 0EFF3
0044151A |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0044151D |. E8 C6A50300 call <jmp.&MFC42.#4160>
00441522 |. 68 37EF0000 push 0EF37
00441527 |. 8D4D EC lea ecx, dword ptr [ebp-14]
0044152A |. E8 B9A50300 call <jmp.&MFC42.#4160>
0044152F |. 6A 10 push 10
00441531 |. 8D4D EC lea ecx, dword ptr [ebp-14]
00441534 |. E8 E73F0200 call 00465520
00441539 |. 50 push eax
0044153A |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0044153D |. E8 DE3F0200 call 00465520
00441542 |. 50 push eax
在“算法”那个 call（00476090）里再进去，里面有 3 个 call；
第 3 个 call 进去就是真正的算法。
047580A |. C785 78FBFFFF>mov dword ptr [ebp-488], 950B4B61
00475814 |. 66:C785 7CFBF>mov word ptr [ebp-484], 0FA41
0047581D |. 66:C785 7EFBF>mov word ptr [ebp-482], 4DC2
00475826 |. C685 80FBFFFF>mov byte ptr [ebp-480], 0AD
0047582D |. C685 81FBFFFF>mov byte ptr [ebp-47F], 7E
00475834 |. C685 82FBFFFF>mov byte ptr [ebp-47E], 63
0047583B |. C685 83FBFFFF>mov byte ptr [ebp-47D], 0CF
00475842 |. C685 84FBFFFF>mov byte ptr [ebp-47C], 62
00475849 |. C685 85FBFFFF>mov byte ptr [ebp-47B], 11
00475850 |. C685 86FBFFFF>mov byte ptr [ebp-47A], 0B2
00475857 |. C685 87FBFFFF>mov byte ptr [ebp-479], 11
0047585E |. C785 88FBFFFF>mov dword ptr [ebp-478], 90E7EED0
00475868 |. 66:C785 8CFBF>mov word ptr [ebp-474], 3005
00475871 |. 66:C785 8EFBF>mov word ptr [ebp-472], 4A09
0047587A |. C685 90FBFFFF>mov byte ptr [ebp-470], 9D
00475881 |. C685 91FBFFFF>mov byte ptr [ebp-46F], 55
00475888 |. C685 92FBFFFF>mov byte ptr [ebp-46E], 50
0047588F |. C685 93FBFFFF>mov byte ptr [ebp-46D], 72
00475896 |. C685 94FBFFFF>mov byte ptr [ebp-46C], 0FB
0047589D |. C685 95FBFFFF>mov byte ptr [ebp-46B], 65
004758A4 |. C685 96FBFFFF>mov byte ptr [ebp-46A], 95
004758AB |. C685 97FBFFFF>mov byte ptr [ebp-469], 0F9
004758B2 |. C785 98FBFFFF>mov dword ptr [ebp-468], AA4591F2
004758BC |. 66:C785 9CFBF>mov word ptr [ebp-464], 80D2
004758C5 |. 66:C785 9EFBF>mov word ptr [ebp-462], 42A5
004758CE |. C685 A0FBFFFF>mov byte ptr [ebp-460], 0B3
004758D5 |. C685 A1FBFFFF>mov byte ptr [ebp-45F], 0AB
004758DC |. C685 A2FBFFFF>mov byte ptr [ebp-45E], 0C
004758E3 |. C685 A3FBFFFF>mov byte ptr [ebp-45D], 96
004758EA |. C685 A4FBFFFF>mov byte ptr [ebp-45C], 5F
004758F1 |. C685 A5FBFFFF>mov byte ptr [ebp-45B], 25
004758F8 |. C685 A6FBFFFF>mov byte ptr [ebp-45A], 53
004758FF |. C685 A7FBFFFF>mov byte ptr [ebp-459], 1D
00475906 |. C785 A8FBFFFF>mov dword ptr [ebp-458], 1177BA51
00475910 |. 66:C785 ACFBF>mov word ptr [ebp-454], 5DDA
00475919 |. 66:C785 AEFBF>mov word ptr [ebp-452], 4F35
00475922 |. C685 B0FBFFFF>mov byte ptr [ebp-450], 0B2
00475929 |. C685 B1FBFFFF>mov byte ptr [ebp-44F], 57
00475930 |. C685 B2FBFFFF>mov byte ptr [ebp-44E], 64
00475937 |. C685 B3FBFFFF>mov byte ptr [ebp-44D], 0F0
0047593E |. C685 B4FBFFFF>mov byte ptr [ebp-44C], 0CA
00475945 |. C685 B5FBFFFF>mov byte ptr [ebp-44B], 0FD
0047594C |. C685 B6FBFFFF>mov byte ptr [ebp-44A], 0D
00475953 |. C685 B7FBFFFF>mov byte ptr [ebp-449], 52
0047595A |. C785 B8FBFFFF>mov dword ptr [ebp-448], DC7C1345
00475964 |. 66:C785 BCFBF>mov word ptr [ebp-444], 7686
0047596D |. 66:C785 BEFBF>mov word ptr [ebp-442], 40D4
00475976 |. C685 C0FBFFFF>mov byte ptr [ebp-440], 0AD
0047597D |. C685 C1FBFFFF>mov byte ptr [ebp-43F], 0CD
00475984 |. C685 C2FBFFFF>mov byte ptr [ebp-43E], 0C1
0047598B |. C685 C3FBFFFF>mov byte ptr [ebp-43D], 88
00475992 |. C685 C4FBFFFF>mov byte ptr [ebp-43C], 15
00475999 |. C685 C5FBFFFF>mov byte ptr [ebp-43B], 9A
004759A0 |. C685 C6FBFFFF>mov byte ptr [ebp-43A], 1B
004759A7 |. C685 C7FBFFFF>mov byte ptr [ebp-439], 55
004759AE |. C785 C8FBFFFF>mov dword ptr [ebp-438], E0C3DE22
004759B8 |. 66:C785 CCFBF>mov word ptr [ebp-434], 0BFDB
004759C1 |. 66:C785 CEFBF>mov word ptr [ebp-432], 4ABE
004759CA |. C685 D0FBFFFF>mov byte ptr [ebp-430], 8A
004759D1 |. C685 D1FBFFFF>mov byte ptr [ebp-42F], 0F9
004759D8 |. C685 D2FBFFFF>mov byte ptr [ebp-42E], 89
004759DF |. C685 D3FBFFFF>mov byte ptr [ebp-42D], 76
004759E6 |. C685 D4FBFFFF>mov byte ptr [ebp-42C], 0AE
004759ED |. C685 D5FBFFFF>mov byte ptr [ebp-42B], 52
004759F4 |. C685 D6FBFFFF>mov byte ptr [ebp-42A], 79
004759FB |. C685 D7FBFFFF>mov byte ptr [ebp-429], 38
00475A02 |. C785 D8FBFFFF>mov dword ptr [ebp-428], 79F83686
00475A0C |. 66:C785 DCFBF>mov word ptr [ebp-424], 18B9
00475A15 |. 66:C785 DEFBF>mov word ptr [ebp-422], 4F8A
00475A1E |. C685 E0FBFFFF>mov byte ptr [ebp-420], 0A0
00475A25 |. C685 E1FBFFFF>mov byte ptr [ebp-41F], 3
00475A2C |. C685 E2FBFFFF>mov byte ptr [ebp-41E], 2C
00475A33 |. C685 E3FBFFFF>mov byte ptr [ebp-41D], 0C2
00475A3A |. C685 E4FBFFFF>mov byte ptr [ebp-41C], 0E3
00475A41 |. C685 E5FBFFFF>mov byte ptr [ebp-41B], 7
00475A48 |. C685 E6FBFFFF>mov byte ptr [ebp-41A], 0F7
00475A4F |. C685 E7FBFFFF>mov byte ptr [ebp-419], 0CB
//------------------------------------以上都是数据：7 组、每组 16 字节（4 个 DWORD），从 [ebp-488] 一直到 [ebp-419]，在最后会用到。
这个算法最大的特点是：注册码 = f(注册名, 注册码前 8 位)；
所以对于每个不同的「注册码前 8 位 + 注册名」组合，都可以得到后面的 32 位（4 个 DWORD）。
上面的数据看起来很多，其实最后只从中取一组 4*4 byte：由「前 8 位转成的 DWORD + 注册名中间量 + 末字符等」之和 mod 7 决定取哪一组（见下面的 div ecx,7），
其余的并不会用到。
下面的代码比较简单，主要就是对注册名指针和长度的判断（指针为空、或 strlen > 3FDh 就直接返回 0）。
00475A5A |. 74 06 je short 00475A62
00475A5C |. 837D 0C 00 cmp dword ptr [ebp+C], 0
00475A60 |. 75 07 jnz short 00475A69
00475A62 |> 33C0 xor eax, eax
00475A64 |. E9 1D030000 jmp 00475D86
00475A69 |> 8B45 08 mov eax, dword ptr [ebp+8]
00475A6C |. 50 push eax ; /s
00475A6D |. E8 F0660000 call <jmp.&MSVCRT.strlen> ; \strlen
00475A72 |. 83C4 04 add esp, 4
00475A75 |. 3D FD030000 cmp eax, 3FD
00475A7A |. 76 07 jbe short 00475A83
00475A7C |. 33C0 xor eax, eax
00475A7E |. E9 03030000 jmp 00475D86
00475A83 |> 8B4D 08 mov ecx, dword ptr [ebp+8]
00475A86 |. 51 push ecx ; /s
00475A87 |. E8 D6660000 call <jmp.&MSVCRT.strlen>
------------------------------------------------------------
这里的作用相当于由注册名生成中间量：[ebp-698] 是按 byte 逐字符累加的和（8 位回绕），[ebp-410] 是每一步 [ebp-698] 的累加（注意 and edx,0FF，按零扩展相加）。
00475AC3 |. C785 74FBFFFF>mov dword ptr [ebp-48C], 0
00475ACD |. EB 0F jmp short 00475ADE
00475ACF |> 8B8D 74FBFFFF /mov ecx, dword ptr [ebp-48C]
00475AD5 |. 83C1 01 |add ecx, 1
00475AD8 |. 898D 74FBFFFF |mov dword ptr [ebp-48C], ecx
00475ADE |> 8B95 74FBFFFF mov edx, dword ptr [ebp-48C]
00475AE4 |. 3B95 54F9FFFF |cmp edx, dword ptr [ebp-6AC]
00475AEA |. 7D 35 |jge short 00475B21
00475AEC |. 8B85 74FBFFFF |mov eax, dword ptr [ebp-48C]
00475AF2 |. 8A8D 68F9FFFF |mov cl, byte ptr [ebp-698]
00475AF8 |. 028C05 FCFBFF>|add cl, byte ptr [ebp+eax-404]
00475AFF |. 888D 68F9FFFF |mov byte ptr [ebp-698], cl
00475B05 |. 8B95 68F9FFFF |mov edx, dword ptr [ebp-698]
00475B0B |. 81E2 FF000000 |and edx, 0FF
00475B11 |. 8B85 F0FBFFFF |mov eax, dword ptr [ebp-410]
00475B17 |. 03C2 |add eax, edx
00475B19 |. 8985 F0FBFFFF |mov dword ptr [ebp-410], eax
00475B1F |.^ EB AE \jmp short 00475ACF
00475B53 |. E8 FEFAFFFF call 00475656
还原成c代码
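/* Stage 1 of the key routine (00475AC3..00475B1F) written out in C.
 * ebp_698 MUST stay an 8-bit value: the target keeps it in a byte and masks it
 * with 0FFh before adding it to [ebp-410], so it wraps mod 256. Widening it to
 * an int makes the sums drift away from what the target computes. */
byte   ebp_698 = 0;   /* running byte sum of the name ([ebp-698]) */
DWORD  charsum = 0;   /* sum of every intermediate ebp_698 */
DWORD  ebp_410 = 0;   /* the target's [ebp-410] */
size_t namelen = strlen(strtemp);   /* loop bound [ebp-6AC] is computed once, not per iteration */
for (size_t i = 0; i < namelen; i++)
{
    ebp_698 += (unsigned char)strtemp[i];
    charsum += ebp_698;   /* zero-extended add, same as `and edx,0FF` */
}
ebp_410 = charsum;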
一定要按照上面的数据格式来处理（ebp_698 必须是 byte，按 mod 256 回绕，对应汇编里的 and edx,0FF），否则会出现数据变大、和程序算出的值对不上。
------------------------------------------------------------------------
00475B53 |. E8 FEFAFFFF call 00475656
这个 call 进去看看吧：
; ---------------------------------------------------------------------------
; sub_475656 -- DWORD __stdcall fold_hex(const char *s)        (retn 4)
; In : [ebp+8] = s, NUL-terminated.  s == NULL returns eax = 0.
; Out: eax = acc, where for EVERY character acc = (acc << 4) + nibble.
;      nibble: '0'..'9' -> 0..9; the jump-table cases below yield 0..0Fh for
;      the hex letters (which entries of the index table at 4757CA map to
;      0Ah..0Fh is not visible in this dump -- presumably 'A'-'F'/'a'-'f');
;      any other character (including bytes >= 80h, see the movsx/ja note)
;      contributes 0 but still shifts the accumulator.
;      Because every character shifts by 4, only the last 8 characters
;      survive in the 32-bit result.
; Locals: [ebp-4] acc, [ebp-8] i, [ebp-C] strlen(s), [ebp-10] nibble,
;         [ebp-14] c - '0'
; ---------------------------------------------------------------------------
00475656 /$ 55 push ebp
00475657 |. 8BEC mov ebp, esp
00475659 |. 83EC 14 sub esp, 14
; NULL pointer guard: return 0 without touching the string.
0047565C |. 837D 08 00 cmp dword ptr [ebp+8], 0
00475660 |. 75 07 jnz short 00475669
00475662 |. 33C0 xor eax, eax
00475664 |. E9 17010000 jmp 00475780
00475669 |> 8B45 08 mov eax, dword ptr [ebp+8]
0047566C |. 50 push eax ; /s
0047566D |. E8 F06A0000 call <jmp.&MSVCRT.strlen> ; \strlen
00475672 |. 83C4 04 add esp, 4
00475675 |. 8945 F4 mov dword ptr [ebp-C], eax ; len = strlen(s)
00475678 |. C745 FC 0000000>mov dword ptr [ebp-4], 0 ; acc = 0
0047567F |. C745 F8 0000000>mov dword ptr [ebp-8], 0 ; i = 0
00475686 |. EB 09 jmp short 00475691
00475688 |> 8B4D F8 /mov ecx, dword ptr [ebp-8]
0047568B |. 83C1 01 |add ecx, 1
0047568E |. 894D F8 |mov dword ptr [ebp-8], ecx ; i++
00475691 |> 8B55 F8 mov edx, dword ptr [ebp-8]
00475694 |. 3B55 F4 |cmp edx, dword ptr [ebp-C]
00475697 |. 0F8D E0000000 |jge 0047577D ; for (i = 0; i < len; i++)
0047569D |. C745 F0 0000000>|mov dword ptr [ebp-10], 0 ; nibble = 0 (default for non-hex chars)
004756A4 |. 8B45 08 |mov eax, dword ptr [ebp+8]
004756A7 |. 0345 F8 |add eax, dword ptr [ebp-8]
; movsx sign-extends the byte, but the range check below is UNSIGNED (ja):
; bytes >= 80h become negative, look "huge" after sub 30, and skip the table.
004756AA |. 0FBE08 |movsx ecx, byte ptr [eax] ; c = (signed) s[i]
004756AD |. 894D EC |mov dword ptr [ebp-14], ecx
004756B0 |. 8B55 EC |mov edx, dword ptr [ebp-14]
004756B3 |. 83EA 30 |sub edx, 30 ; c -= '0'
004756B6 |. 8955 EC |mov dword ptr [ebp-14], edx
004756B9 |. 837D EC 36 |cmp dword ptr [ebp-14], 36 ; valid range is '0'..'0'+36h ('f')
004756BD |. 0F87 A3000000 |ja 00475766 ; out of range -> nibble stays 0, still shifts
; switch(c - '0'): byte index table at 4757CA selects a case in the jump
; table at 475786.
004756C3 |. 8B4D EC |mov ecx, dword ptr [ebp-14]
004756C6 |. 33C0 |xor eax, eax
004756C8 |. 8A81 CA574700 |mov al, byte ptr [ecx+4757CA]
004756CE |. FF2485 86574700 |jmp dword ptr [eax*4+475786]
004756D5 |> C745 F0 0000000>|mov dword ptr [ebp-10], 0
004756DC |. E9 85000000 |jmp 00475766
004756E1 |> C745 F0 0100000>|mov dword ptr [ebp-10], 1
004756E8 |. EB 7C |jmp short 00475766
004756EA |> C745 F0 0200000>|mov dword ptr [ebp-10], 2
004756F1 |. EB 73 |jmp short 00475766
004756F3 |> C745 F0 0300000>|mov dword ptr [ebp-10], 3
004756FA |. EB 6A |jmp short 00475766
004756FC |> C745 F0 0400000>|mov dword ptr [ebp-10], 4
00475703 |. EB 61 |jmp short 00475766
00475705 |> C745 F0 0500000>|mov dword ptr [ebp-10], 5
0047570C |. EB 58 |jmp short 00475766
0047570E |> C745 F0 0600000>|mov dword ptr [ebp-10], 6
00475715 |. EB 4F |jmp short 00475766
00475717 |> C745 F0 0700000>|mov dword ptr [ebp-10], 7
0047571E |. EB 46 |jmp short 00475766
00475720 |> C745 F0 0800000>|mov dword ptr [ebp-10], 8
00475727 |. EB 3D |jmp short 00475766
00475729 |> C745 F0 0900000>|mov dword ptr [ebp-10], 9
00475730 |. EB 34 |jmp short 00475766
00475732 |> C745 F0 0A00000>|mov dword ptr [ebp-10], 0A
00475739 |. EB 2B |jmp short 00475766
0047573B |> C745 F0 0B00000>|mov dword ptr [ebp-10], 0B
00475742 |. EB 22 |jmp short 00475766
00475744 |> C745 F0 0C00000>|mov dword ptr [ebp-10], 0C
0047574B |. EB 19 |jmp short 00475766
0047574D |> C745 F0 0D00000>|mov dword ptr [ebp-10], 0D
00475754 |. EB 10 |jmp short 00475766
00475756 |> C745 F0 0E00000>|mov dword ptr [ebp-10], 0E
0047575D |. EB 07 |jmp short 00475766
0047575F |> C745 F0 0F00000>|mov dword ptr [ebp-10], 0F
; Common tail: acc = (acc << 4) + nibble -- executed for every character.
00475766 |> 8B55 FC |mov edx, dword ptr [ebp-4]
00475769 |. C1E2 04 |shl edx, 4
0047576C |. 8955 FC |mov dword ptr [ebp-4], edx
0047576F |. 8B45 FC |mov eax, dword ptr [ebp-4]
00475772 |. 0345 F0 |add eax, dword ptr [ebp-10]
00475775 |. 8945 FC |mov dword ptr [ebp-4], eax
00475778 |.^ E9 0BFFFFFF \jmp 00475688
0047577D |> 8B45 FC mov eax, dword ptr [ebp-4] ; return acc
00475780 |> 8BE5 mov esp, ebp
00475782 |. 5D pop ebp
00475783 \. C2 0400 retn 4
作用就是把注册码的前 8 位字符转成一个 32 位十六进制数：每个字符先把累加器左移 4 位再加上该字符的值（'0'~'9' 取 0~9，十六进制字母取 A~F；不在 '0'..'f' 范围内的字符按 0 处理，但仍然会移位），不足 8 位相当于高位补 0。
如果没有的话，那么会是默认的 (12345678) 16 进制。
在这里我就用 8 位的 12345678 来固定（我写的注册机中）。
这个 8 位对后面数据组的选取是有影响的（它参与了 mod 7 的求和）。
-----------------------------------------------------------------
这里就可以看到对上面那块数据的操作，也就是把它交给 f 来处理：
edx 的变化决定了从栈上开辟的那块数据里取哪一组（edx = 和 mod 7 再乘 16，即每组 16 字节）。
-----------------------------------------------
00475BB3 |. 8D8415 78FBFF>lea eax, dword ptr [ebp+edx-488]
00475BBA |. 8985 70FBFFFF mov dword ptr [ebp-490], eax
这里要注意指针变量：[ebp-490] 是一个指向 [ebp+edx-488] 的指针，也就是指向第 edx/16 组数据的首地址，后面 [ecx+C]/[eax+4]/[edx+8]/[ecx] 都是相对它取的。
-----------------------------------------------------------------
0475B58 |. 8985 F4FBFFFF mov dword ptr [ebp-40C], eax
00475B5E |. 8B95 F0FBFFFF mov edx, dword ptr [ebp-410]
00475B64 |. 0395 F4FBFFFF add edx, dword ptr [ebp-40C]
00475B6A |. 8995 F0FBFFFF mov dword ptr [ebp-410], edx
00475B70 |. 8B85 F4FBFFFF mov eax, dword ptr [ebp-40C]
00475B76 |. 0385 F0FBFFFF add eax, dword ptr [ebp-410]
00475B7C |. 8B8D 68F9FFFF mov ecx, dword ptr [ebp-698]
00475B82 |. 81E1 FF000000 and ecx, 0FF
00475B88 |. 03C1 add eax, ecx
00475B8A |. 8B95 74FBFFFF mov edx, dword ptr [ebp-48C]
00475B90 |. 33C9 xor ecx, ecx
00475B92 |. 8A8C15 FBFBFF>mov cl, byte ptr [ebp+edx-405]
00475B99 |. 03C1 add eax, ecx
00475B9B |. 33D2 xor edx, edx
00475B9D |. B9 07000000 mov ecx, 7
00475BA2 |. F7F1 div ecx
00475BA4 |. 8995 F8FBFFFF mov dword ptr [ebp-408], edx
00475BAA |. 8B95 F8FBFFFF mov edx, dword ptr [ebp-408]
00475BB0 |. C1E2 04 shl edx, 4
00475BB3 |. 8D8415 78FBFF>lea eax, dword ptr [ebp+edx-488]
00475BBA |. 8985 70FBFFFF mov dword ptr [ebp-490], eax
00475BC0 |. 8B8D 70FBFFFF mov ecx, dword ptr [ebp-490]
00475BC6 |. 8B51 0C mov edx, dword ptr [ecx+C]
00475BC9 |. 3395 F0FBFFFF xor edx, dword ptr [ebp-410]
00475BCF |. 8995 58F9FFFF mov dword ptr [ebp-6A8], edx
00475BD5 |. 8B85 70FBFFFF mov eax, dword ptr [ebp-490]
00475BDB |. 8B48 04 mov ecx, dword ptr [eax+4]
00475BDE |. 338D F0FBFFFF xor ecx, dword ptr [ebp-410]
00475BE4 |. 898D 5CF9FFFF mov dword ptr [ebp-6A4], ecx
00475BEA |. 8B95 70FBFFFF mov edx, dword ptr [ebp-490]
00475BF0 |. 8B42 08 mov eax, dword ptr [edx+8]
00475BF3 |. 3385 F0FBFFFF xor eax, dword ptr [ebp-410]
00475BF9 |. 8985 60F9FFFF mov dword ptr [ebp-6A0], eax
00475BFF |. 8B8D 70FBFFFF mov ecx, dword ptr [ebp-490]
00475C05 |. 8B11 mov edx, dword ptr [ecx]
00475C07 |. 3395 F0FBFFFF xor edx, dword ptr [ebp-410]
00475C0D |. 8995 64F9FFFF mov dword ptr [ebp-69C], edx
这里把结果放到 [ebp-6A8],[ebp-6A4],[ebp-6A0],[ebp-69C]（注意取的顺序是 +C、+4、+8、+0，每个都和 [ebp-410] 异或）。
程序的逻辑就是这样。
之后先用 sprintf 按 "%.8x-" 输出前 8 位转成的 DWORD，再依次 strcat 上这 4 个 DWORD，用 _strupr 把小写变大写，最后去掉末尾多出的 '-'，生成的注册码就完成了。
------------------------------------------------------------------
00475C18 |. 6A 00 push 0 ; |c = 00
00475C1A |. 8D85 54F7FFFF lea eax, dword ptr [ebp-8AC] ; |
00475C20 |. 50 push eax ; |s
00475C21 |. E8 AA640000 call <jmp.&MSVCRT.memset> ; \memset
00475C26 |. 83C4 0C add esp, 0C
00475C29 |. 8B8D F4FBFFFF mov ecx, dword ptr [ebp-40C]
00475C2F |. 51 push ecx ; /<%.8x>
00475C30 |. 68 042D4A00 push 004A2D04 ; |format = "%.8x-"
00475C35 |. 8D95 54F7FFFF lea edx, dword ptr [ebp-8AC] ; |
00475C3B |. 52 push edx ; |s
00475C3C |. FF15 843A4800 call dword ptr [<&MSVCRT.sprintf>] ; \sprintf
00475C42 |. 83C4 0C add esp, 0C
00475C45 |. C785 74FBFFFF>mov dword ptr [ebp-48C], 0
00475C4F |. EB 0F jmp short 00475C60
00475C51 |> 8B85 74FBFFFF /mov eax, dword ptr [ebp-48C]
00475C57 |. 83C0 01 |add eax, 1
00475C5A |. 8985 74FBFFFF |mov dword ptr [ebp-48C], eax
00475C60 |> 83BD 74FBFFFF> cmp dword ptr [ebp-48C], 4
00475C67 |. 73 3B |jnb short 00475CA4
00475C69 |. 8B8D 74FBFFFF |mov ecx, dword ptr [ebp-48C]
00475C6F |. 8B948D 58F9FF>|mov edx, dword ptr [ebp+ecx*4-6A8]
00475C76 |. 52 |push edx ; /<%.8x>
00475C77 |. 68 0C2D4A00 |push 004A2D0C ; |format = "%.8x-"
00475C7C |. 8D85 54F5FFFF |lea eax, dword ptr [ebp-AAC] ; |
00475C82 |. 50 |push eax ; |s
00475C83 |. FF15 843A4800 |call dword ptr [<&MSVCRT.sprintf>] ; \sprintf
00475C89 |. 83C4 0C |add esp, 0C
00475C8C |. 8D8D 54F5FFFF |lea ecx, dword ptr [ebp-AAC]
00475C92 |. 51 |push ecx ; /src
00475C93 |. 8D95 54F7FFFF |lea edx, dword ptr [ebp-8AC] ; |
00475C99 |. 52 |push edx ; |dest
00475C9A |. E8 79680000 |call <jmp.&MSVCRT.strcat> ; \strcat
00475C9F |. 83C4 08 |add esp, 8
00475CA2 |.^ EB AD \jmp short 00475C51
00475CA4 |> 8D85 54F7FFFF lea eax, dword ptr [ebp-8AC]
00475CAA |. 50 push eax ; /s
00475CAB |. FF15 043A4800 call dword ptr [<&MSVCRT._strupr>] ; \_strupr
00475CB1 |. 83C4 04 add esp, 4
00475CB4 |. 8D8D 54F7FFFF lea ecx, dword ptr [ebp-8AC]
00475CBA |. 51 push ecx ; /s
00475CBB |. E8 A2640000 call <jmp.&MSVCRT.strlen> ; \strlen
00475CC0 |. 83C4 04 add esp, 4
00475CC3 |. C68405 53F7FF>mov byte ptr [ebp+eax-8AD], 0
00475CCB |. 8D95 54F7FFFF lea edx, dword ptr [ebp-8AC]
00475CD1 |. 52 push edx ; /s
00475CD2 |. E8 8B640000 call <jmp.&MSVCRT.strlen> ; \strlen
00475CD7 |. 83C4 04 add esp, 4
00475CDA |. 8985 E8FBFFFF mov dword ptr [ebp-418], eax
00475CE0 |. 8B45 0C mov eax, dword ptr [ebp+C]
00475CE3 |. 50 push eax ; /s
00475CE4 |. E8 79640000 call <jmp.&MSVCRT.strlen> ; \strlen
00475CE9 |. 83C4 04 add esp, 4
00475CEC |. 8945 FC mov dword ptr [ebp-4], eax
00475CEF |. 8B8D E8FBFFFF mov ecx, dword ptr [ebp-418]
00475CF5 |. 3B4D FC cmp ecx, dword ptr [ebp-4]
00475CF8 |. 74 07 je short 00475D01
00475CFA |. 33C0 xor eax, eax
--------------------------------------------------------------------------
这里是用你输入的注册码和生成的注册码进行比对。注意这个比对非常弱：先比长度（00475CEF），再把两个字符串的字节逐个累加（00475D21~00475D73），最后只比较两个字节和（sete）。也就是说，任何与生成码长度相同、字节和相同的字符串（比如把它的字符顺序打乱）都能通过验证，并不是逐字节的 strcmp。
00475CFC |. E9 85000000 jmp 00475D86
00475D01 |> C785 6CF9FFFF>mov dword ptr [ebp-694], 0
00475D0B |. C785 ECFBFFFF>mov dword ptr [ebp-414], 0
00475D15 |. C785 74FBFFFF>mov dword ptr [ebp-48C], 0
00475D1F |. EB 0F jmp short 00475D30
00475D21 |> 8B95 74FBFFFF /mov edx, dword ptr [ebp-48C]
00475D27 |. 83C2 01 |add edx, 1
00475D2A |. 8995 74FBFFFF |mov dword ptr [ebp-48C], edx
00475D30 |> 8B85 74FBFFFF mov eax, dword ptr [ebp-48C]
00475D36 |. 3B45 FC |cmp eax, dword ptr [ebp-4]
00475D39 |. 7D 3A |jge short 00475D75
00475D3B |. 8B8D 74FBFFFF |mov ecx, dword ptr [ebp-48C]
00475D41 |. 33D2 |xor edx, edx
00475D43 |. 8A940D 54F7FF>|mov dl, byte ptr [ebp+ecx-8AC]
00475D4A |. 8B85 6CF9FFFF |mov eax, dword ptr [ebp-694]
00475D50 |. 03C2 |add eax, edx
00475D52 |. 8985 6CF9FFFF |mov dword ptr [ebp-694], eax
00475D58 |. 8B4D 0C |mov ecx, dword ptr [ebp+C]
00475D5B |. 038D 74FBFFFF |add ecx, dword ptr [ebp-48C]
00475D61 |. 33D2 |xor edx, edx
00475D63 |. 8A11 |mov dl, byte ptr [ecx]
00475D65 |. 8B85 ECFBFFFF |mov eax, dword ptr [ebp-414]
00475D6B |. 03C2 |add eax, edx
00475D6D |. 8985 ECFBFFFF |mov dword ptr [ebp-414], eax
00475D73 |.^ EB AC \jmp short 00475D21
00475D75 |> 8B8D 6CF9FFFF mov ecx, dword ptr [ebp-694]
00475D7B |. 33C0 xor eax, eax
00475D7D |. 3B8D ECFBFFFF cmp ecx, dword ptr [ebp-414]
------------------------------------------------------------
主要看这个 sete al：[ebp-694] 是生成码的字节和，[ebp-414] 是你输入的注册码的字节和，两者相等时 al=1（函数返回 1，上层 test eax,eax 就不会弹失败框）。
00475D83 |. 0F94C0 sete al
00475D86 |> 8BE5 mov esp, ebp
00475D88 |. 5D pop ebp
00475D89 \. C2 0800 retn 8
-------------------------------------------------------
ok了.
c++ console 代码，写得不好，可能看起来有点难读。
//这个程序的改进空间很多，但是比较匆忙，这里实现得不是很好；如果只是想生成一个码的话还是可用的。其实应该是一名多码（前 8 位可以变），现在只能一名一码。
#include "stdafx.h"
#include "test.h"
#include "conio.h"
#include <cstdio>
#include <cstring>
#include <iostream>
using namespace std;
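// ---------------------------------------------------------------------------
// Key material the target keeps on its stack (the run of mov byte/word/dword
// stores from [ebp-488] down to [ebp-419] in the dump): 7 groups of 16 bytes.
// Stored here as 28 little-endian DWORDs, so key_table[g*4 + k] is the dword
// at [ebp-488 + g*16 + k*4].  Group 1 was mis-transcribed in the first
// version of this keygen (0x30053005); the dump stores word 3005h at
// [ebp-474] and word 4A09h at [ebp-472], i.e. 0x4A093005.
// ---------------------------------------------------------------------------
static const DWORD key_table[7 * 4] =
{
    0x950B4B61, 0x4DC2FA41, 0xCF637EAD, 0x11B21162,   // [ebp-488]
    0x90E7EED0, 0x4A093005, 0x7250559D, 0xF99565FB,   // [ebp-478]
    0xAA4591F2, 0x42A580D2, 0x960CABB3, 0x1D53255F,   // [ebp-468]
    0x1177BA51, 0x4F355DDA, 0xF06457B2, 0x520DFDCA,   // [ebp-458]
    0xDC7C1345, 0x40D47686, 0x88C1CDAD, 0x551B9A15,   // [ebp-448]
    0xE0C3DE22, 0x4ABEBFDB, 0x7689F98A, 0x387952AE,   // [ebp-438]
    0x79F83686, 0x4F8A18B9, 0xC22C03A0, 0xCBF707E3    // [ebp-428]
};

// Value of one character as sub_475656 sees it: '0'..'9' -> 0..9, hex letters
// -> 10..15, anything else contributes a zero nibble (the routine still shifts
// by 4 for it).  The dump only shows the range check '0'..'f'; which letters
// its index table maps to 0Ah..0Fh is not visible, so both cases are accepted
// here -- NOTE(review): confirm against the table at 4757CA.
static unsigned hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return (unsigned)(c - '0');
    if (c >= 'a' && c <= 'f') return (unsigned)(c - 'a' + 10);
    if (c >= 'A' && c <= 'F') return (unsigned)(c - 'A' + 10);
    return 0;
}

// sub_475656: fold a string into a DWORD, acc = (acc << 4) + nibble for every
// character.  Only the last 8 characters survive in 32 bits.  Replaces the
// first version's `atoi(&tc)`, which read past a single non-terminated char
// (undefined behaviour) and returned 0 for every hex letter.
static DWORD fold_hex(const char *s)
{
    DWORD acc = 0;
    for (; *s != '\0'; ++s)
        acc = (acc << 4) + hex_nibble(*s);
    return acc;
}

// Stage 1 of sub_476090 (00475AC3..00475B1F): byte-wise running sum of the
// name, and the DWORD sum of every intermediate running sum.
// `running` must stay 8 bits wide: the target keeps it in a byte ([ebp-698])
// and masks it with 0FFh before adding, so it wraps mod 256.
// Returns [ebp-410]; `running` receives the final [ebp-698].
static DWORD name_hash(const char *name, size_t len, unsigned char &running)
{
    DWORD sum = 0;
    running = 0;
    for (size_t i = 0; i < len; ++i)
    {
        running = (unsigned char)(running + (unsigned char)name[i]);
        sum += running;
    }
    return sum;
}

// Keygen entry point (MFC console template signature; the `[]` of argv/envp
// were lost in the forum paste of the first version).  argc/argv/envp unused.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;

    cout << "李悦09.02" << endl;
    cout << "please input your regname!" << endl;

    // The target rejects names longer than 3FDh bytes (cmp eax,3FD / jbe at
    // 00475A75), so a 400h buffer is always large enough.  A bounded getline
    // replaces the first version's unbounded `cin >> char[20]`, which
    // overflowed the stack on names of 20+ characters.
    char name[0x400] = {0};
    cin.getline(name, sizeof(name));
    size_t len = strlen(name);
    if (len == 0 || len > 0x3FD)
    {
        // An empty name would index name[len-1] below; the target itself
        // never checks for it, so refuse here.
        cout << "regname must be 1..1021 bytes" << endl;
        return 1;
    }

    // First 8 characters of the registration code.  The author states the
    // target feeds exactly these 8 to sub_475656 (the push before that call is
    // not in the dump -- TODO confirm); the first version hard-coded
    // "12345678", which is kept as the default.
    cout << "please input the first 8 chars of the code (Enter = 12345678)" << endl;
    char prefix[9] = "12345678";
    char line[64] = {0};
    cin.getline(line, sizeof(line));
    if (line[0] != '\0')
    {
        strncpy(prefix, line, 8);
        prefix[8] = '\0';
    }
    DWORD prefix_val = fold_hex(prefix);            // [ebp-40C]

    unsigned char running = 0;                      // [ebp-698]
    DWORD hash = name_hash(name, len, running);     // [ebp-410] after the loop

    // 00475B5E..00475BA4: mix in the prefix and pick one of the 7 key groups.
    hash += prefix_val;                             // [ebp-410] += [ebp-40C]
    DWORD sel = prefix_val + hash;                  // eax = [ebp-40C] + [ebp-410]
    sel += running;                                 // + ([ebp-698] & 0FFh)
    sel += (unsigned char)name[len - 1];            // + last name byte, ZERO-extended (xor ecx / mov cl);
                                                    //   a plain signed char would sign-extend bytes >= 80h
    const DWORD *key = key_table + (sel % 7) * 4;   // edx = sel mod 7; [ebp-490] = &[ebp-488 + edx*16]

    // 00475BC0..00475C0D: four DWORDs, XORed with the hash -- note the
    // +C, +4, +8, +0 pick order.
    DWORD part[4];
    part[0] = key[3] ^ hash;                        // [ebp-6A8]
    part[1] = key[1] ^ hash;                        // [ebp-6A4]
    part[2] = key[2] ^ hash;                        // [ebp-6A0]
    part[3] = key[0] ^ hash;                        // [ebp-69C]

    // The target sprintf's "%.8x-" of the folded prefix, appends "%.8x-" of
    // each part, upper-cases the string and drops the trailing '-'.  The
    // folded prefix is printed (not the typed text) so a short or non-hex
    // prefix yields the same 8 characters the target will generate and
    // compare against.  5*8 + 4 separators = 44 chars; 64 is plenty.
    char code[64];
    sprintf(code, "%08lX-%08lX-%08lX-%08lX-%08lX",
            (unsigned long)prefix_val, (unsigned long)part[0],
            (unsigned long)part[1], (unsigned long)part[2],
            (unsigned long)part[3]);
    cout << "the regedit code is ...." << endl;
    cout << code << endl;

    getch();   // block for a key instead of the busy `while(!kbhit());` spin
    return nRetCode;
}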
权限不够就不传附件了;。=我骗个精华来。。。。。