“电脑消磁圣手”的消磁“秘术”
前言:
平安夜的晚上,在网上随处溜达,偶尔看到一款名叫《电脑消磁圣手》的软件,是某公司开发的(具体是什么公司大家自己去看吧,我就不说出来了,免得麻烦)。据软件中的说明“本系统一直在国外市场上销售,效果很好,最近把系统翻译成中文版,免费提供给国内的朋友使用。”,至于软件的作用,又有如下的说明:“本系统非常适合在电脑前长时间工作的人,能够高效的清除电脑产生的电磁波,对工作者的身体起到了保健的工作。本系统根据电脑产生的电磁波,自动产生融磁波,中和电脑产生的磁波。由于电脑在不停的释放电磁波,建议您每隔一个小时进行一次消磁工作。”听起来十分诱人,于是就down了下来把玩一番。最新版本好像是6。3版(升级了好多次了吧)。
试用:
下载下来的是一个压缩包,解开后只有一个可执行文件。运行一下,首先弹出了浏览器窗口,连向了一个网站(可能是软件公司的网站吧),随手关掉。软件的主界面倒是很简捷,最主要的就是“开始消磁”按钮。点击一下,出现了一个进度条在不断的前进,同时还有提示文本出现,就是这些“系统正在做消磁前的准备...”、“系统正在收集电脑的电磁波...”、“系统正在释放融磁电波...”、“系统正在释放融磁电波...”、“系统正在做最后的消磁工作...”。经过这样一番神秘的仪式之后,弹出一个对话框提示“融磁成功,已经成功中和电脑周围磁场?”刹那之间,我对作者的佩服如同滔滔江水连绵不绝,这可是项巨牛x的技术,只靠软件就可以进行消磁了,而且还是电脑周围的电磁波,不知道作者是否申请了专利。怀着最作者的无比崇敬和那份极度的神秘感,我飞快的的把软件给肢解了:)
分析:
检测一下,是用Delphi写的,没有加壳。用DeDe载入后,反编译“开始消磁”按钮点击事件对应的代码,复制如下:
0047FF28 53 push ebx
0047FF29 8BD8 mov ebx, eax
0047FF2B 33D2 xor edx, edx
* Reference to control TFrmRamMain.Panel2 : TPanel
|
0047FF2D 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: controls.TControl.SetVisible(TControl;Boolean);
|
0047FF33 E80CA6FAFF call 0042A544
0047FF38 B201 mov dl, $01
* Reference to control TFrmRamMain.Panel1 : TPanel
|
0047FF3A 8B83F0020000 mov eax, [ebx+$02F0]
* Reference to: controls.TControl.SetVisible(TControl;Boolean);
|
0047FF40 E8FFA5FAFF call 0042A544
* Possible String Reference to: '系统正在做消磁前的准备...' ;提示文本,准备好了
|
0047FF45 BA7C014800 mov edx, $0048017C
* Reference to control TFrmRamMain.Label3 : TLabel
|
0047FF4A 8B83F4020000 mov eax, [ebx+$02F4]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
0047FF50 E807A7FAFF call 0042A65C
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar ;进度条开始动了
|
0047FF55 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FF5B E80489FDFF call 00458864
0047FF60 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay() ;核心代码?~~~~~!!!!!!牛x,这样就可以“中和电脑周围磁场”,佩服佩服~~~~~~
|
0047FF62 E8D1020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar ;进度条继续在动
|
0047FF67 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FF6D E8F288FDFF call 00458864
0047FF72 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay() ;休息一下,不知道从何方招来的神圣正在提我们消磁:)
|
0047FF74 E8BF020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar ;继续动
|
0047FF79 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FF7F E8E088FDFF call 00458864
0047FF84 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0047FF86 E8AD020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0047FF8B 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FF91 E8CE88FDFF call 00458864
0047FF96 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0047FF98 E89B020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0047FF9D 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FFA3 E8BC88FDFF call 00458864
* Possible String Reference to: '系统正在收集电脑的电磁波...'
|
0047FFA8 BAA0014800 mov edx, $004801A0
* Reference to control TFrmRamMain.Label3 : TLabel
|
0047FFAD 8B83F4020000 mov eax, [ebx+$02F4]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
0047FFB3 E8A4A6FAFF call 0042A65C
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0047FFB8 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FFBE E8A188FDFF call 00458864
0047FFC3 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay() ;根据提示,这句应该是收集电磁波的代码。
|
0047FFC5 E86E020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0047FFCA 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FFD0 E88F88FDFF call 00458864
0047FFD5 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0047FFD7 E85C020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0047FFDC 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FFE2 E87D88FDFF call 00458864
0047FFE7 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0047FFE9 E84A020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0047FFEE 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0047FFF4 E86B88FDFF call 00458864
0047FFF9 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0047FFFB E838020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
00480000 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480006 E85988FDFF call 00458864
* Possible String Reference to: '系统正在释放融磁电波...'
|
0048000B BAC4014800 mov edx, $004801C4
* Reference to control TFrmRamMain.Label3 : TLabel
|
00480010 8B83F4020000 mov eax, [ebx+$02F4]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
00480016 E841A6FAFF call 0042A65C
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0048001B 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480021 E83E88FDFF call 00458864
00480026 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay() ;消磁的核心代码,这项技术大家可要记牢了,不可乱用,说不定作者申请专利了呢:)
|
00480028 E80B020000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0048002D 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480033 E82C88FDFF call 00458864
00480038 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0048003A E8F9010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0048003F 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480045 E81A88FDFF call 00458864
0048004A 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0048004C E8E7010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
00480051 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480057 E80888FDFF call 00458864
0048005C 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0048005E E8D5010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
00480063 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480069 E8F687FDFF call 00458864
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
0048006E 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480074 E8EB87FDFF call 00458864
00480079 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0048007B E8B8010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
00480080 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480086 E8D987FDFF call 00458864
0048008B 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0048008D E8A6010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
00480092 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
00480098 E8C787FDFF call 00458864
0048009D 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
0048009F E894010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
004800A4 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
004800AA E8B587FDFF call 00458864
004800AF 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
004800B1 E882010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
004800B6 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
004800BC E8A387FDFF call 00458864
* Possible String Reference to: '系统正在做最后的消磁工作...'
|
004800C1 BAE4014800 mov edx, $004801E4
* Reference to control TFrmRamMain.Label3 : TLabel
|
004800C6 8B83F4020000 mov eax, [ebx+$02F4]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
004800CC E88BA5FAFF call 0042A65C
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
004800D1 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
004800D7 E88887FDFF call 00458864
004800DC 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay() ;我就不说什么了吧:)
|
004800DE E855010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
004800E3 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
004800E9 E87687FDFF call 00458864
004800EE 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
004800F0 E843010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
004800F5 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
004800FB E86487FDFF call 00458864
00480100 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
00480102 E831010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
00480107 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0048010D E85287FDFF call 00458864
00480112 8BC3 mov eax, ebx
* Reference to : TFrmRamMain.Delay()
|
00480114 E81F010000 call 00480238
* Reference to control TFrmRamMain.ProgressBar1 : TProgressBar
|
00480119 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: comctrls.TProgressBar.StepIt(TProgressBar);
|
0048011F E84087FDFF call 00458864
00480124 B8E8030000 mov eax, $000003E8
* Reference to: system.@RandInt;
|
00480129 E86629F8FF call 00402A94
0048012E 85C0 test eax, eax
00480130 6A40 push $40
* Possible String Reference to: '电脑消磁圣手'
|
00480132 B900024800 mov ecx, $00480200
* Possible String Reference to: '融磁成功,已经成功中和电脑周围磁场?
| ?
|
00480137 BA10024800 mov edx, $00480210
* Reference to TApplication instance
|
0048013C A148284800 mov eax, dword ptr [$00482848]
00480141 8B00 mov eax, [eax]
* Reference to: forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
|
00480143 E89895FCFF call 004496E0 ;大功告成,消磁成功!!!
00480148 33D2 xor edx, edx
* Reference to control TFrmRamMain.Panel1 : TPanel
|
0048014A 8B83F0020000 mov eax, [ebx+$02F0]
* Reference to: controls.TControl.SetVisible(TControl;Boolean);
|
00480150 E8EFA3FAFF call 0042A544
00480155 B201 mov dl, $01
* Reference to control TFrmRamMain.Panel2 : TPanel
|
00480157 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: controls.TControl.SetVisible(TControl;Boolean);
|
0048015D E8E2A3FAFF call 0042A544
* Reference to TFrmAbout instance
|
00480162 A148264800 mov eax, dword ptr [$00482648]
00480167 8B00 mov eax, [eax]
00480169 8B10 mov edx, [eax]
* Reference to method TFrmAbout.ShowModal()
|
0048016B FF92D8000000 call dword ptr [edx+$00D8] ;关于窗口露一小脸,是介绍公司的。如此精深的技术,倘不见一下那只下蛋的鸡,岂不是太可惜了么:)
00480171 5B pop ebx
00480172 C3 ret
上面就是“消磁圣手”的核心代码。逆向了这么重要的代码心里甚是不安。软件的开发公司千万不要告我啊!不过已经看了,再多看一点也无妨吧。谁知这一看不要紧,又发现了软件作者的体贴之处,请看下面的代码,是窗体创建事件对应的代码:
004802F8 55 push ebp
004802F9 8BEC mov ebp, esp
004802FB 33C9 xor ecx, ecx
004802FD 51 push ecx
004802FE 51 push ecx
004802FF 51 push ecx
00480300 51 push ecx
00480301 51 push ecx
00480302 51 push ecx
00480303 51 push ecx
00480304 33C0 xor eax, eax
00480306 55 push ebp
* Possible String Reference to: '檫0?脬?]?
|
00480307 6808044800 push $00480408
***** TRY
|
0048030C 64FF30 push dword ptr fs:[eax]
0048030F 648920 mov fs:[eax], esp
00480312 8D55F0 lea edx, [ebp-$10]
* Reference to TApplication instance
|
00480315 A148284800 mov eax, dword ptr [$00482848]
0048031A 8B00 mov eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):AnsiString;
|
0048031C E82F97FCFF call 00449A50 ;Who am I?
00480321 8B45F0 mov eax, [ebp-$10]
00480324 8D55F4 lea edx, [ebp-$0C]
* Reference to: Unit_00406FD0.Proc_00408110
|
00480327 E8E47DF8FF call 00408110
0048032C 8B45F4 mov eax, [ebp-$0C]
0048032F 50 push eax
00480330 8D55E8 lea edx, [ebp-$18]
* Reference to TApplication instance
|
00480333 A148284800 mov eax, dword ptr [$00482848]
00480338 8B00 mov eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):AnsiString;
|
0048033A E81197FCFF call 00449A50
0048033F 8B45E8 mov eax, [ebp-$18]
00480342 8D55EC lea edx, [ebp-$14]
* Reference to: Unit_00406FD0.Proc_004080DC
|
00480345 E8927DF8FF call 004080DC
0048034A 8B55EC mov edx, [ebp-$14]
0048034D 8D45FC lea eax, [ebp-$04]
00480350 59 pop ecx
* Reference to: system.@LStrCat3;
|
00480351 E8CA39F8FF call 00403D20
00480356 B201 mov dl, $01
* Reference to class TRegistry
|
00480358 A174F14700 mov eax, dword ptr [$0047F174]
* Reference to: Unit_0047F114.Proc_0047F274
|
0048035D E812EFFFFF call 0047F274
00480362 8945F8 mov [ebp-$08], eax
00480365 33C0 xor eax, eax
00480367 55 push ebp
00480368 68DE034800 push $004803DE
***** TRY
|
0048036D 64FF30 push dword ptr fs:[eax]
00480370 648920 mov fs:[eax], esp
00480373 BA02000080 mov edx, $80000002
00480378 8B45F8 mov eax, [ebp-$08]
* Reference to: Unit_0047F114.Proc_0047F314
|
0048037B E894EFFFFF call 0047F314
00480380 B101 mov cl, $01
* Possible String Reference to: '\SOFTWARE\Microsoft\Windows\Current ;这个地方好熟悉,为什么我的毒霸不报警呢:)
| Version\Run\'
|
00480382 BA1C044800 mov edx, $0048041C
00480387 8B45F8 mov eax, [ebp-$08]
* Reference to: Unit_0047F114.Proc_0047F378
|
0048038A E8E9EFFFFF call 0047F378
0048038F 84C0 test al, al
00480391 7435 jz 004803C8
00480393 8D4DE4 lea ecx, [ebp-$1C]
* Possible String Reference to: 'JrRClean'
|
00480396 BA54044800 mov edx, $00480454
0048039B 8B45F8 mov eax, [ebp-$08]
* Reference to: Unit_0047F114.Proc_0047F540
|
0048039E E89DF1FFFF call 0047F540
004803A3 8B45E4 mov eax, [ebp-$1C]
004803A6 8B55FC mov edx, [ebp-$04]
* Reference to: system.@LStrCmp;
|
004803A9 E8363AF8FF call 00403DE4
004803AE 7410 jz 004803C0
004803B0 8B4DFC mov ecx, [ebp-$04]
* Possible String Reference to: 'JrRClean'
|
004803B3 BA54044800 mov edx, $00480454
004803B8 8B45F8 mov eax, [ebp-$08]
* Reference to: Unit_0047F114.Proc_0047F514
|
004803BB E854F1FFFF call 0047F514
004803C0 8B45F8 mov eax, [ebp-$08]
* Reference to: Unit_0047F114.Proc_0047F2E4
|
004803C3 E81CEFFFFF call 0047F2E4
004803C8 33C0 xor eax, eax
004803CA 5A pop edx
004803CB 59 pop ecx
004803CC 59 pop ecx
004803CD 648910 mov fs:[eax], edx
****** FINALLY
|
004803D0 68E5034800 push $004803E5
004803D5 8B45F8 mov eax, [ebp-$08]
* Reference to: system.TObject.Free(TObject);
|
004803D8 E8EF29F8FF call 00402DCC
004803DD C3 ret
* Reference to: system.@HandleFinally;
|
004803DE E90931F8FF jmp 004034EC
004803E3 EBF0 jmp 004803D5
****** END
|
004803E5 33C0 xor eax, eax
004803E7 5A pop edx
004803E8 59 pop ecx
004803E9 59 pop ecx
004803EA 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '?]?
|
004803ED 680F044800 push $0048040F
004803F2 8D45E4 lea eax, [ebp-$1C]
004803F5 BA05000000 mov edx, $00000005
* Reference to: system.@LStrArrayClr;
|
004803FA E87936F8FF call 00403A78
004803FF 8D45FC lea eax, [ebp-$04]
* Reference to: system.@LStrClr(String;String);
|
00480402 E84D36F8FF call 00403A54
00480407 C3 ret
* Reference to: system.@HandleFinally;
|
00480408 E9DF30F8FF jmp 004034EC
0048040D EBE3 jmp 004803F2
****** END
|
0048040F 8BE5 mov esp, ebp
00480411 5D pop ebp
00480412 C3 ret
上面的代码我就不用多解释了吧?要知道电磁波辐射在开机的时候是最强的,所以“体贴”的作者就把“消磁圣手”加入了启动项中,这样每次启动的时候就能够自动消磁了,真是“人性化”阿~~~~~~当然,每次启动的除了“消磁圣手”,还有宣传的网站:)
只是苦了我又要清理启动项了。为什么98的注册表编辑器不能保存上一次打开的位置阿。
结语:
上面大部分都是废话,能看到这个地方辛苦了大家,真是不好意思。
也许这只是一个开玩笑的程序,或者是有些精深的地方我没有领悟到。没有别的意思,只是闲得无聊。也希望作者没有别的意思,还希望作者在下一版升级的时候加入“取消开机启动”的选项。
权当一笑吧,呵呵~~~~~~~~~~~~
monkeycz于2004年平安夜
2004年12月24日
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)