标 题:Active Messenger(恒创企业信使)v3.03跟踪
发信人:fxyang
时 间:2003/04/05 09:52am
详细信息:
Active Messenger(恒创企业信使)
Active Messenger(恒创企业信使)是一款专为企业定制的即时消息系统, 其目标是解决企业的沟通及协同的问题, 提高工作效率。企业员工可以利用Active Messenger随时随地的进行即时交流、传送文件。
【破解工具】:Ollydbg1.09 中文版
—————————————————————————————
【过 程】:
呵呵,我们开工吧!唉!^-^^-^ 我的水平很低,许多地方表达的有问题,烦请各位指教!
用ollydbg加载运行 ,填注册试验码:A1BCK-D23LE-4AMNB-5O1CP 后按注册键后不久就能
来到这里:
0041DDD0 PUSH -1
0041DDD2 PUSH AMSAdmin.0046DCC0
0041DDD7 MOV EAX, DWORD PTR FS:[0]
0041DDDD PUSH EAX
0041DDDE MOV DWORD PTR FS:[0], ESP
0041DDE5 SUB ESP, 28
0041DDE8 PUSH EBX
0041DDE9 PUSH EBP
0041DDEA PUSH ESI
0041DDEB PUSH EDI
0041DDEC MOV ESI, ECX
0041DDEE XOR EDI, EDI
0041DDF0 MOV DWORD PTR SS:[ESP+40], EDI
0041DDF4 MOV EAX, DWORD PTR SS:[ESP+48]
0041DDF8 PUSH AMSAdmin.0048CC7C; 0048CC7C,(ASCII "B6IOH-0S5BS-D606J-PC4Q4")
0041DDFD PUSH EAX ; EAX<== 01284028,(ASCII "A1BCK-D23LE-4AMNB-5O1CP")
0041DDFE CALL AMSAdmin.00437985 // 比较上面的值,如果是就是注册数五个
0041DE03 ADD ESP, 8
0041DE06 TEST EAX, EAX
0041DE08 JNZ SHORT AMSAdmin.0041DE17
0041DE0A MOV DWORD PTR SS:[ESP+18], 5
0041DE12 JMP AMSAdmin.0041DFC1
0041DE17 MOV ECX, DWORD PTR SS:[ESP+48]
0041DE1B PUSH AMSAdmin.0048CC64; 0048CC64 ASCII "B2DLI-0M3ES-C6L2F-RF3O8"
0041DE20 PUSH ECX ; ECX= 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"
0041DE21 CALL AMSAdmin.00437985 // 比较上面的值,如果是就是注册数十个
0041DE26 ADD ESP, 8
0041DE29 TEST EAX, EAX
0041DE2B JNZ SHORT AMSAdmin.0041DE3A
0041DE2D MOV DWORD PTR SS:[ESP+18], 0A
0041DE35 JMP AMSAdmin.0041DFC1
0041DE3A MOV EDX, DWORD PTR DS:[48E3B8]
0041DE40 MOV DWORD PTR SS:[ESP+20], EDX
0041DE44 PUSH ECX
0041DE45 LEA EAX, DWORD PTR SS:[ESP+50]
0041DE49 MOV ECX, ESP
0041DE4B MOV DWORD PTR SS:[ESP+2C], ESP
0041DE4F PUSH EAX
0041DE50 MOV BYTE PTR SS:[ESP+48], 3
0041DE55 CALL AMSAdmin.0044AE98
0041DE5A LEA ECX, DWORD PTR SS:[ESP+14]
0041DE5E PUSH ECX
0041DE5F MOV ECX, ESI
0041DE61 CALL AMSAdmin.0041D9B0
0041DE66 EBX, 4
0041DE6B PUSH 1
0041DE6D PUSH 0E
0041DE6F LEA ECX, DWORD PTR SS:[ESP+18]
0041DE73 MOV BYTE PTR SS:[ESP+48], BL
0041DE77 CALL AMSAdmin.00447696
0041DE7C PUSH 1
0041DE7E PUSH 9
0041DE80 LEA ECX, DWORD PTR SS:[ESP+18]
0041DE84 CALL AMSAdmin.00447696
0041DE89 PUSH 1
0041DE8B PUSH EBX // 这里开始根据软件号计算注册码
0041DE8C LEA ECX, DWORD PTR SS:[ESP+18]; ECX<==01284078,(ASCII "7573-7175-7171-7112")<--软件号
0041DE90 CALL AMSAdmin.00447696 ; 把序列号的"-"除掉
0041DE95 EDX, DWORD PTR SS:[ESP+48]; EDX= 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"<--试验码
0041DE99 DWORD PTR DS:[EDX-8], 17 ; 比较注册码的长度23位
0041DE9D JL AMSAdmin.0041E1AB
0041DEA3 PUSH 1
0041DEA5 PUSH 11
0041DEA7 LEA ECX, DWORD PTR SS:[ESP+50]
0041DEAB CALL AMSAdmin.00447696
0041DEB0 PUSH 1
0041DEB2 PUSH 0B
0041DEB4 LEA ECX, DWORD PTR SS:[ESP+50]
0041DEB8 CALL AMSAdmin.00447696
0041DEBD PUSH 1
0041DEBF PUSH 5
0041DEC1 LEA ECX, DWORD PTR SS:[ESP+50]; ECX= 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"
0041DEC5 CALL AMSAdmin.00447696 ; 把试验码的"-"除掉
0041DECA LEA EAX, DWORD PTR SS:[ESP+18]
0041DECE LEA ECX, DWORD PTR SS:[ESP+30]
0041DED2 PUSH EAX
0041DED3 PUSH ECX
0041DED4 PUSH ECX
0041DED5 LEA EDX, DWORD PTR SS:[ESP+54]
0041DED9 MOV ECX, ESP
0041DEDB MOV DWORD PTR SS:[ESP+34], ESP
0041DEDF PUSH EDX
0041DEE0 CALL AMSAdmin.0044AE98
0041DEE5 MOV ECX, ESI
0041DEE7 CALL AMSAdmin.0041E490// 关键的地方1--判断注册码的取值范围,计算关键值
0041DEEC MOV EAX, DWORD PTR SS:[ESP+30] ; EAX=8817B2CD <==第一个关键值
0041DEF0 MOV ECX, DWORD PTR SS:[ESP+34] ; ECX=6458 <==第二个关键值
0041DEF4 OR EAX, ECX // 试验码计算的值
0041DEF6 JE AMSAdmin.0041E1AB // 以上是第一部分
0041DEFC CMP DWORD PTR SS:[ESP+18], EDI
0041DF00 JE AMSAdmin.0041E1AB
0041DF06 PUSH ECX
0041DF07 LEA EDX, DWORD PTR SS:[ESP+50]
0041DF0B MOV ECX, ESP
0041DF0D MOV DWORD PTR SS:[ESP+2C], ESP
0041DF11 PUSH EDX
0041DF12 CALL AMSAdmin.0044AE98
0041DF17 LEA EAX, DWORD PTR SS:[ESP+14]
0041DF1B MOV ECX, ESI
0041DF1D PUSH EAX
0041DF1E CALL AMSAdmin.0041E210 ; 关键的计算的地方--软件号变换的地方
0041DF23 MOV ECX, DWORD PTR SS:[ESP+10] ; ECX<==01284348
0041DF27 MOV EAX, DWORD PTR DS:[ECX-8]// ASCII "77b272b67fb274b677b270b6e672bd7016"
0041DF2A CMP EAX, 0F
0041DF2D JLE SHORT AMSAdmin.0041DF5B
0041DF2F LEA EDX, DWORD PTR SS:[ESP+28]
0041DF33 PUSH 0F
0041DF35 PUSH EDX
0041DF36 LEA ECX, DWORD PTR SS:[ESP+18]
0041DF3A CALL AMSAdmin.00447A43
0041DF3F PUSH EAX
0041DF40 LEA ECX, DWORD PTR SS:[ESP+14]
0041DF44 MOV BYTE PTR SS:[ESP+44], 5
0041DF49 CALL AMSAdmin.0044B25C
0041DF4E LEA ECX, DWORD PTR SS:[ESP+28]
0041DF52 MOV BYTE PTR SS:[ESP+40], BL
0041DF56 CALL AMSAdmin.0044B123
0041DF5B LEA ECX, DWORD PTR SS:[ESP+10]
0041DF5F CALL AMSAdmin.0044B645
0041DF64 MOV EAX, DWORD PTR SS:[ESP+10]; 0012F934 01284438 ASCII "270B6E672BD7016" // 软件号变换的值
0041DF68 CMP BYTE PTR DS:[EAX], 50
0041DF6B JLE SHORT AMSAdmin.0041DF79
0041DF6D PUSH 46
0041DF6F PUSH EDI
0041DF70 LEA ECX, DWORD PTR SS:[ESP+18]
0041DF74 CALL AMSAdmin.0044B669
0041DF79 PUSH ECX
0041DF7A LEA EDX, DWORD PTR SS:[ESP+14]
0041DF7E MOV ECX, ESP
0041DF80 MOV DWORD PTR SS:[ESP+2C], ESP
0041DF84 PUSH EDX
0041DF85 CALL AMSAdmin.0044AE98
0041DF8A MOV ECX, ESI
0041DF8C CALL AMSAdmin.0041E3D0 ; 关键计算的地方2--软件号计算的地方
0041DF91 CMP EAX, DWORD PTR SS:[ESP+30]; EAX=D166F738 SS:[ESP+34]=8817B2CD
0041DF95 JNZ AMSAdmin.0041E1AB ; 关键的跳转<==不同就OVER
0041DF9B CMP EDX, DWORD PTR SS:[ESP+34] ; EDX=0013E9E9 SS:[0012F958]=00006458
0041DF9F JNZ AMSAdmin.0041E1AB ; 关键的跳转<==不同就OVER
0041DFA5 LEA ECX, DWORD PTR SS:[ESP+10]
0041DFA9 MOV BYTE PTR SS:[ESP+40], 3
0041DFAE CALL AMSAdmin.0044B123
0041DFB3 LEA ECX, DWORD PTR SS:[ESP+20]
0041DFB7 MOV BYTE PTR SS:[ESP+40], 2
0041DFBC CALL AMSAdmin.0044B123
0041DFC1 MOV DWORD PTR SS:[ESP+20], EDI
0041DFC5 PUSH ECX
0041DFC6 LEA EAX, DWORD PTR SS:[ESP+50]
0041DFCA MOV ECX, ESP
0041DFCC MOV DWORD PTR SS:[ESP+2C], ESP
0041DFD0 PUSH EAX
0041DFD1 MOV BYTE PTR SS:[ESP+48], 6
0041DFD6 CALL AMSAdmin.0044AE98
0041DFDB LEA ECX, DWORD PTR SS:[ESP+54]
0041DFDF PUSH ECX
0041DFE0 MOV ECX, ESI
0041DFE2 CALL AMSAdmin.0041E210
0041DFE7 LEA EDX, DWORD PTR SS:[ESP+50]
0041DFEB LEA EAX, DWORD PTR SS:[ESP+24]
0041DFEF PUSH EDX
0041DFF0 PUSH AMSAdmin.0048CC50 ; ASCII "SOFTWARE\Microsoft\"
0041DFF5 PUSH EAX // 注册成功后在注册表的操作
0041DFF6 CALL AMSAdmin.0044B42C
0041DFFB MOV EAX, DWORD PTR SS:[ESP+24]
0041DFFF LEA ECX, DWORD PTR SS:[ESP+2C]
0041E003 LEA EDX, DWORD PTR SS:[ESP+28]
0041E007 PUSH ECX ; /pDisposition
0041E008 PUSH EDX ; |pHandle
0041E009 PUSH EDI ; |pSecurity
0041E00A PUSH 0F003F ; |Access = KEY_ALL_ACCESS
0041E00F PUSH EDI ; |Options
0041E010 PUSH EDI ; |Class
0041E011 PUSH EDI ; |Reserved
0041E012 PUSH EAX ; |Subkey
0041E013 PUSH 80000002 ; \hKey = HKEY_LOCAL_MACHINE
0041E018 MOV BYTE PTR SS:[ESP+64], 7
0041E01D MOV DWORD PTR SS:[ESP+4C], EDI
0041E021 CALL DWORD PTR DS:[<&ADVAPI32.RegCrea>; \RegCreateKeyExA
0041E027 CMP EAX, EDI
0041E029 JNZ AMSAdmin.0041E134
0041E02F MOV EDI, DWORD PTR SS:[ESP+28]
0041E033 PUSH ECX
0041E034 LEA EDX, DWORD PTR SS:[ESP+50]
0041E038 MOV ECX, ESP
0041E03A MOV DWORD PTR SS:[ESP+14], ESP
0041E03E PUSH EDX
0041E03F MOV DWORD PTR SS:[ESP+28], EDI
==============================================
第一关键分支: CALL AMSAdmin.0041E490 // 关键的地方1--判断注册码的取值范围,计算关键值
|0041E490 PUSH -1
0041E492 PUSH AMSAdmin.0046DD60
0041E497 MOV EAX, DWORD PTR FS:[0]
0041E49D PUSH EAX
0041E49E MOV DWORD PTR FS:[0], ESP
0041E4A5 SUB ESP, 0C
0041E4A8 PUSH ESI
0041E4A9 PUSH EDI
0041E4AA MOV EDI, ECX
0041E4AC MOV EAX, DWORD PTR DS:[48E3B8]
0041E4B1 MOV DWORD PTR SS:[ESP+1C], 0
0041E4B9 MOV DWORD PTR SS:[ESP+8], EAX
0041E4BD MOV BYTE PTR SS:[ESP+1C], 1
0041E4C2 MOV ESI, 0C
0041E4C7 /MOV ECX, DWORD PTR SS:[ESP+24] ; ECX<==01284488,(ASCII "A1BCKD23LE4AMNB5O1CP")
0041E4CB |PUSH 1
0041E4CD |PUSH ESI
0041E4CE |MOV DL, BYTE PTR DS:[ESI+ECX]; DL<==DS:[ESI+ECX]=33 ('3') ESI=C ECX=01284488
0041E4D1 |LEA ECX, DWORD PTR SS:[ESP+2C]
0041E4D5 |MOV BYTE PTR SS:[ESP+14], DL
0041E4D9 |CALL AMSAdmin.00447696
0041E4DE |MOV EAX, DWORD PTR SS:[ESP+C]
0041E4E2 |LEA ECX, DWORD PTR SS:[ESP+8]
0041E4E6 |PUSH EAX
0041E4E7 |PUSH 0
0041E4E9 |CALL AMSAdmin.004476EE
0041E4EE |SUB ESI, 3
0041E4F1 |CMP ESI, 3
0041E4F4 \JGE SHORT AMSAdmin.0041E4C7// 以上循环把试验码的第4,7,10,13位取出"C2EM"
0041E4F6 AMSAdmin.00492B18
0041E4FB AMSAdmin.0048CC94
0041E500 ECX, DWORD PTR SS:[ESP+10]
0041E504 CALL AMSAdmin.00447827
0041E509 PUSH ECX
0041E50A LEA EDX, DWORD PTR SS:[ESP+C]
0041E50E MOV ECX, ESP
0041E510 MOV DWORD PTR SS:[ESP+10], ESP
0041E514 PUSH EDX
0041E515 CALL AMSAdmin.0044AE98
0041E51A MOV ECX, EDI
0041E51C CALL AMSAdmin.0041E2D0
0041E521 MOV ECX, DWORD PTR SS:[ESP+2C]
0041E525 MOV DWORD PTR SS:[ESP+10], EDX
0041E529 PUSH ECX
0041E52A LEA EDX, DWORD PTR SS:[ESP+28]
0041E52E MOV DWORD PTR DS:[ECX], EAX
0041E530 MOV ECX, ESP
0041E532 MOV DWORD PTR SS:[ESP+30], ESP
0041E536 PUSH EDX
0041E537 CALL AMSAdmin.0044AE98
0041E53C MOV ECX, EDI
0041E53E CALL AMSAdmin.0041E2D0// 关键的地方--判断注册码的取值范围,计算关键值
0041E543 MOV ECX, DWORD PTR SS:[ESP+28]
0041E547 MOV BYTE PTR SS:[ESP+1C], 0
0041E54C MOV DWORD PTR DS:[ECX], EAX; EAX=8817B2CD <==关键值1
0041E54E MOV DWORD PTR DS:[ECX+4], EDX; EDX=6458 <==关键值2
0041E551 LEA ECX, DWORD PTR SS:[ESP+8]
0041E555 CALL AMSAdmin.0044B123
0041E55A LEA ECX, DWORD PTR SS:[ESP+24]
0041E55E MOV DWORD PTR SS:[ESP+1C], -1
0041E566 CALL AMSAdmin.0044B123
0041E56B MOV ECX, DWORD PTR SS:[ESP+14]
0041E56F POP EDI
0041E570 MOV DWORD PTR FS:[0], ECX
0041E577 POP ESI
0041E578 ADD ESP, 18
0041E57B RETN 0C
----------------------------------------------
第二关键分支:CALL AMSAdmin.0041E2D0 // 判断注册码的取值范围,计算关键值
|
0041E2D0 PUSH -1
0041E2D2 PUSH AMSAdmin.0046DD20
0041E2D7 MOV EAX, DWORD PTR FS:[0]
0041E2DD PUSH EAX
0041E2DE MOV DWORD PTR FS:[0], ESP
0041E2E5 SUB ESP, 8
0041E2E8 PUSH ESI
0041E2E9 PUSH EDI
0041E2EA MOV EAX, DWORD PTR DS:[48E3B8]
0041E2EF MOV DWORD PTR SS:[ESP+18], 0
0041E2F7 MOV DWORD PTR SS:[ESP+C], EAX
0041E2FB MOV ECX, DWORD PTR SS:[ESP+20]; ECX=012840C8,(ASCII "C2EM")
0041E2FF XOR ESI, ESI
// =01284438 ASCII "A1BKD3L4ANB5O1CP"
0041E301 MOV BYTE PTR SS:[ESP+18], 1
0041E306 MOV EAX, DWORD PTR DS:[ECX-8]
0041E309 TEST EAX, EAX ; EAX=13
0041E30B JLE SHORT AMSAdmin.0041E386
0041E30D PUSH EBP
0041E30E /TEST ESI, ESI // 第一次用取出的四位计算;第二次用剩下的计算
0041E310 |JE SHORT AMSAdmin.0041E363 // 用计算后的值检查注册码的范围
0041E312 |MOV EDI, ESI
0041E314 |AND EDI, 80000001
0041E31A |JNS SHORT AMSAdmin.0041E321
0041E31C |DEC EDI
0041E31D |OR EDI, FFFFFFFE
0041E320 |INC EDI
0041E321 |JNZ SHORT AMSAdmin.0041E331
0041E323 |MOV EAX, ESI
0041E325 |MOV EBP, 3
0041E32A |CDQ
0041E32B |IDIV EBP
0041E32D |TEST EDX, EDX
0041E32F |JNZ SHORT AMSAdmin.0041E363
0041E331 |TEST EDI, EDI
0041E333 |JE SHORT AMSAdmin.0041E347
0041E335 |MOV EAX, ESI
0041E337 |MOV EBP, 3
0041E33C |CDQ
0041E33D |IDIV EBP
0041E33F |TEST EDX, EDX
0041E341 |JE SHORT AMSAdmin.0041E355 <==判断的四位
0041E343 |TEST EDI, EDI
0041E345 |JNZ SHORT AMSAdmin.0041E35D <==判断第一,第三位
0041E347 |MOV EAX, ESI
0041E349 |MOV EDI, 3
0041E34E |CDQ
0041E34F |IDIV EDI
0041E351 |TEST EDX, EDX
0041E353 |JNZ SHORT AMSAdmin.0041E35D <==判断第二位
0041E355 |MOVSX EAX, BYTE PTR DS:[ESI+ECX]
0041E359 |SUB AL, 1B
0041E35B |JMP SHORT AMSAdmin.0041E369
0041E35D |MOVSX EAX, BYTE PTR DS:[ESI+ECX]
0041E361 |JMP SHORT AMSAdmin.0041E369
0041E363 |MOVSX EAX, BYTE PTR DS:[ESI+ECX]
0041E367 |SUB AL, 11
0041E369 |MOV BYTE PTR SS:[ESP+C], AL
0041E36D |MOV ECX, DWORD PTR SS:[ESP+C]
0041E371 |PUSH ECX
0041E372 |LEA ECX, DWORD PTR SS:[ESP+14]
0041E376 |CALL AMSAdmin.0044B526
0041E37B |MOV ECX, DWORD PTR SS:[ESP+24]; ECX=012840C8,(ASCII "C2EM")
0041E37F |INC ESI
0041E380 |CMP ESI, DWORD PTR DS:[ECX-8]
0041E383 \JL SHORT AMSAdmin.0041E30E
------------------------------------------循环算法总结:
1.第一次用取出的四位计算--第一位-11 ;第二位直接用 ;第三位-11 ;第四位-1B
得到新的四位字符串ASCII "2242"
2.用剩下的16位计算--第一位-11 ;第二位直接用 ;第三位-11 ;第四位-1B,然后如此循环
得到新的16位字符串ASCII "0110331403154125"-----------------------
|
0041E385 POP EBP
0041E386 MOV EDX, DWORD PTR SS:[ESP+C] ; EDX<==SS:[ESP+C]=012844D8 ,
0041E38A PUSH EDX ; //试验码的第4,7,10,13位
0041E38B CALL AMSAdmin.004371BC <==关键的地方--判断注册码的取值范围
0041E390 ADD ESP, 4 ; //关键值1的计算
0041E393 LEA ECX, DWORD PTR SS:[ESP+C]
0041E397 MOV ESI, EAX ; EAX=8817B2CD<==第一关键值
0041E399 MOV EDI, EDX ; EDX=00006458<==第二关键值
0041E39B MOV BYTE PTR SS:[ESP+18], 0
0041E3A0 CALL AMSAdmin.0044B123
0041E3A5 LEA ECX, DWORD PTR SS:[ESP+20]
0041E3A9 MOV DWORD PTR SS:[ESP+18], -1
0041E3B1 CALL AMSAdmin.0044B123
0041E3B6 MOV ECX, DWORD PTR SS:[ESP+10]
0041E3BA MOV EDX, EDI
0041E3BC MOV EAX, ESI
0041E3BE POP EDI
0041E3BF POP ESI
0041E3C0 MOV DWORD PTR FS:[0], ECX
0041E3C7 ADD ESP, 14
0041E3CA RETN 4
----------------------------------------------
第三关键分支: CALL AMSAdmin.004371BC 判断注册码的取值范围
|
004371BC PUSH ECX
004371BD PUSH EBX
004371BE PUSH EBP
004371BF PUSH ESI
004371C0 PUSH EDI
004371C1 MOV EDI, DWORD PTR SS:[ESP+18]; EDI<==012844D8 ,(32 32 34 32)
004371C5 /CMP DWORD PTR DS:[48FCB4], 1 ; //第一个比较
004371CC |JLE SHORT AMSAdmin.004371DD
004371CE |MOVZX EAX, BYTE PTR DS:[EDI]
004371D1 |PUSH 8
004371D3 |PUSH EAX
004371D4 |CALL AMSAdmin.0043B7A1
004371D9 |POP ECX
004371DA |POP ECX
004371DB |JMP SHORT AMSAdmin.004371EC
004371DD |MOVZX EAX, BYTE PTR DS:[EDI] ; EAX=DS:[EDI]=012844D8=32
004371E0 |MOV ECX, DWORD PTR DS:[48FAA8] ; AMSAdmin.0048FAB2
004371E6 |MOV AL, BYTE PTR DS:[ECX+EAX*2]; AL<==DS:[ECX+EAX*2]=84 ECX=0048FAB2
004371E9 |AND EAX, 8
004371EC |TEST EAX, EAX
004371EE |JE SHORT AMSAdmin.004371F3
004371F0 |INC EDI
004371F1 \JMP SHORT AMSAdmin.004371C5
004371F3 MOVZX ESI, BYTE PTR DS:[EDI]; ESI<==DS:[EDI]=32 EDI=012844D8
004371F6 INC EDI
004371F7 CMP ESI, 2D
004371FA MOV DWORD PTR SS:[ESP+10], ESI
004371FE JE SHORT AMSAdmin.00437205
00437200 CMP ESI, 2B
00437203 JNZ SHORT AMSAdmin.00437209
00437205 MOVZX ESI, BYTE PTR DS:[EDI]
00437208 INC EDI
00437209 XOR EBX, EBX
0043720B XOR EBP, EBP
0043720D /CMP DWORD PTR DS:[48FCB4], 1
00437214 |JLE SHORT AMSAdmin.00437222 ; //第2个比较
00437216 |PUSH 4
00437218 |PUSH ESI
00437219 |CALL AMSAdmin.0043B7A1
0043721E |POP ECX
0043721F |POP ECX
00437220 |JMP SHORT AMSAdmin.0043722D
00437222 |MOV EAX, DWORD PTR DS:[48FAA8]
00437227 |MOV AL, BYTE PTR DS:[EAX+ESI*2] ; AL<==DS:[EAX+ESI*2]=84
0043722A |AND EAX, 4
0043722D |TEST EAX, EAX
0043722F |JE SHORT AMSAdmin.0043725A
00437231 |LEA EAX, DWORD PTR DS:[ESI-30] \
00437234 |PUSH 0 |
00437236 |CDQ |
00437237 |MOV ESI, EAX |
00437239 |PUSH 0A |
0043723B |PUSH EBP |
0043723C |MOV DWORD PTR SS:[ESP+24], ESI |
00437240 |PUSH EBX |
00437241 |MOV ESI, EDX |
00437243 |CALL AMSAdmin.00437E40 > <==关键值的计算
00437248 |MOV ECX, DWORD PTR SS:[ESP+18] |
0043724C |ADD ECX, EAX |
0043724E |ADC ESI, EDX |
00437250 |MOV EBX, ECX |
00437252 |MOV EBP, ESI |
00437254 |MOVZX ESI, BYTE PTR DS:[EDI] /
00437257 |INC EDI
00437258 \JMP SHORT AMSAdmin.0043720D
0043725A CMP DWORD PTR SS:[ESP+10], 2D
0043725F MOV EAX, EBX
00437261 JNZ SHORT AMSAdmin.0043726E
00437263 NEG EAX
00437265 MOV EDX, EBP
00437267 ADC EDX, 0
0043726A NEG EDX
0043726C JMP SHORT AMSAdmin.00437270
0043726E MOV EDX, EBP
00437270 POP EDI
00437271 POP ESI
00437272 POP EBP
00437273 POP EBX
00437274 POP ECX
00437275 RETN
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
DS:[ECX+EAX*2] ; AL<==DS:[ECX+EAX*2]=10 ECX=0048FAB2 EAX=23
内存值:
|
0048FAB2 20 00 20 00 20 00 20 00 . . . .
0048FABA 20 00 20 00 20 00 20 00 . . . .
0048FAC2 20 00 28 00 28 00 28 00 .(.(.(.
0048FACA 28 00 28 00 20 00 20 00 (.(. . .
0048FAD2 20 00 20 00 20 00 20 00 . . . .
0048FADA 20 00 20 00 20 00 20 00 . . . .
0048FAE2 20 00 20 00 20 00 20 00 . . . .
0048FAEA 20 00 20 00 20 00 20 00 . . . .
0048FAF2 48 00 10 00 10 00 10 00 H....
0048FAFA 10 00 10 00 10 00 10 00 ....
0048FB02 10 00 10 00 10 00 10 00 ....
0048FB0A 10 00 10 00 10 00 10 00 ....
0048FB12 84 00 84 00 84 00 84 00 ????
0048FB1A 84 00 84 00 84 00 84 00 ????
0048FB22 84 00 84 00 10 00 10 00 ??..
0048FB2A 10 00 10 00 10 00 10 00 ....
0048FB32 10 00 81 00 81 00 81 00 .???
0048FB3A 81 00 81 00 81 00 01 00 ???.
0048FB42 01 00 01 00 01 00 01 00 ....
0048FB4A 01 00 01 00 01 00 01 00 ....
0048FB52 01 00 01 00 01 00 01 00 ....
0048FB5A 01 00 01 00 01 00 01 00 ....
0048FB62 01 00 01 00 01 00 10 00 ....
0048FB6A 10 00 10 00 10 00 10 00 ....
0048FB72 10 00 82 00 82 00 82 00 .???
0048FB7A 82 00 82 00 82 00 02 00 ???.
0048FB82 02 00 02 00 02 00 02 00 ....
0048FB8A 02 00 02 00 02 00 02 00 ....
0048FB92 02 00 02 00 02 00 02 00 ....
0048FB9A 02 00 02 00 02 00 02 00 ....
0048FBA2 02 00 02 00 02 00 10 00 ....
0048FBAA 10 00 10 00 10 00 20 00 ... .
以上计算的总结:注册码取值范围
1.第一个比较循环时用第二次计算的字符串的hex值*2作指针在以 0048FAB2 开始的内存中
查表,得到的值 AND 8 ,比较得数如果是0就到第二个比较循环.
2.第二个比较循环用第二次计算的字符串的hex值*2作指针在以 0048FAB2 开始的内存中
查表,得到的值 AND 4 ,比较得数如果是0就OVER.
即查表得到的值 AND 4 不能=0
经过计算可以知道表中 0048FB12 开始的十个值-'84 '符合条件,第一个84的偏移量=60h
那么第二次计算的字符串的hex值的范围是60/2=30到3A
即第二次计算的字符串的范围是0~9.
3.由此推断注册码的取值范围是
1).30+11=41('A')~4A('J')<--第1,3,4,6,10,12,15,19位
2).30+1B=4B('K')~54('T')<--第5,9,13,14,17,20位
3).30+00=30('0')~39('9')<--第2,7,8,11,16,18位
----------------------------------------------
CALL AMSAdmin.00437E40 <==关键值的计算
|00437E40 MOV EAX, DWORD PTR SS:[ESP+8] ; EAX=5AF3
00437E44 MOV ECX, DWORD PTR SS:[ESP+10]
00437E48 OR ECX, EAX ; 检查高位有没有
00437E4A MOV ECX, DWORD PTR SS:[ESP+C] ; ECX=32
00437E4E JNZ SHORT AMSAdmin.00437E59
00437E50 MOV EAX, DWORD PTR SS:[ESP+4]
00437E54 MUL ECX
00437E56 RETN 10
00437E59 PUSH EBX
00437E5A MUL ECX ; EAX=5AF3* ECX=32 =11C376
00437E5C MOV EBX, EAX ; EBX=EAX=11C376
00437E5E MOV EAX, DWORD PTR SS:[ESP+8] ; EAX=107A400
00437E62 MUL DWORD PTR SS:[ESP+14] ; =0
00437E66 ADD EBX, EAX
00437E68 MOV EAX, DWORD PTR SS:[ESP+8] ; EAX=107A400
00437E6C MUL ECX ; EAX=107A4000*ECX(=32)=37E08000
00437E6E ADD EDX, EBX ; EDX=3+EBX(=11C376)=11C379
00437E70 POP EBX ; EBX=32
00437E71 RETN 10
关键值的计算的总结:
关键值=第二次计算的字符串的各位*A+后一位 直到全部算完
然后取低八位做第一关键值,高位做第二关键值~第一部分完成~
=======================================
第二部分:软件号的计算
由于软件号的计算比较复杂,用到了浮点运算,其中还有指数计算,所以不具体分析了
|
00414800 PUSH -1
00414802 PUSH AMSAdmin.0046C8D0
00414807 MOV EAX, DWORD PTR FS:[0]
0041480D PUSH EAX
0041480E MOV DWORD PTR FS:[0], ESP
00414815 SUB ESP, 8
00414818 PUSH EBP
00414819 PUSH ESI
0041481A PUSH EDI
0041481B MOV EDI, DWORD PTR SS:[ESP+24]
0041481F MOV DWORD PTR SS:[ESP+1C], 0
00414827 MOV EAX, DWORD PTR DS:[EDI]; EAX<==012841B8,(ASCII "7573717571717112")软件号
00414829 MOV ECX, DWORD PTR DS:[EAX-8] ; ECX=10
0041482C TEST ECX, ECX
0041482E JE AMSAdmin.0041495D
00414834 MOV ECX, DWORD PTR DS:[48E3B8]
0041483A MOV DWORD PTR SS:[ESP+24], ECX
0041483E MOV DWORD PTR SS:[ESP+C], ECX
00414842 MOV EBP, DWORD PTR DS:[EAX-8] ; EBP=10
00414845 MOV BYTE PTR SS:[ESP+1C], 2
0041484A MOV EAX, EBP
0041484C AND EAX, 80000003
00414851 JNS SHORT AMSAdmin.00414858
00414853 DEC EAX
00414854 OR EAX, FFFFFFFC
00414857 INC EAX
00414858 JE SHORT AMSAdmin.00414877
0041485A /PUSH 30
0041485C |MOV ECX, EDI
0041485E |CALL AMSAdmin.0044B526
00414863 |MOV ECX, DWORD PTR DS:[EDI]
00414865 |MOV EDX, DWORD PTR DS:[ECX-8]
00414868 |AND EDX, 80000003
0041486E |JNS SHORT AMSAdmin.00414875
00414870 |DEC EDX
00414871 |OR EDX, FFFFFFFC
00414874 |INC EDX
00414875 \JNZ SHORT AMSAdmin.0041485A
00414877 MOV EAX, DWORD PTR DS:[EDI]; EAX<==012841B8,(ASCII "7573717571717112")
00414879 XOR ESI, ESI
0041487B MOV ECX, DWORD PTR DS:[EAX-8] ; ECX=10
0041487E TEST ECX, ECX
00414880 JLE SHORT AMSAdmin.004148CF ; //用软件号计算
00414882 /MOVSX EAX, BYTE PTR DS:[EAX+ESI] ; EAX=DS:[EAX+ESI]=37 EAX=012841B8 ESI=0 ("7573717571717112")
00414886 |TEST EAX, EAX
00414888 |JGE SHORT AMSAdmin.0041488F
0041488A |ADD EAX, 100
0041488F |PUSH EAX
00414890 |LEA EAX, DWORD PTR SS:[ESP+28]
00414894 |PUSH AMSAdmin.0048C4B4 ; ASCII "%x"
00414899 |PUSH EAX
0041489A |CALL AMSAdmin.00447EDF
0041489F |MOV ECX, DWORD PTR SS:[ESP+30] ; ECX=01284438,(ASCII "37")
004148A3 |ADD ESP, 0C
004148A6 |CMP DWORD PTR DS:[ECX-8], 1
004148AA |JNZ SHORT AMSAdmin.004148B9
004148AC |PUSH 30
004148AE |PUSH 0
004148B0 |LEA ECX, DWORD PTR SS:[ESP+2C]
004148B4 |CALL AMSAdmin.004476EE
004148B9 |LEA EDX, DWORD PTR SS:[ESP+24]
004148BD |LEA ECX, DWORD PTR SS:[ESP+C]
004148C1 |PUSH EDX
004148C2 |CALL AMSAdmin.0044B53B
004148C7 |MOV EAX, DWORD PTR DS:[EDI] ; EAX=DS:[EDI]=012841B8,(ASCII "7573717571717112")
004148C9 |INC ESI
004148CA |CMP ESI, DWORD PTR DS:[EAX-8] ; DS:[EAX-8]=10
004148CD \JL SHORT AMSAdmin.00414882
004148CF PUSH ECX
004148D0 LEA EAX, DWORD PTR SS:[ESP+2C]
004148D4 MOV ECX, ESP
004148D6 MOV DWORD PTR SS:[ESP+14], ESP
004148DA PUSH EAX
004148DB CALL AMSAdmin.0044AE98
004148E0 LEA ECX, DWORD PTR SS:[ESP+10]
004148E4 PUSH ECX
004148E5 CALL AMSAdmin.00414D80
004148EA ADD ESP, 8
004148ED LEA EDX, DWORD PTR SS:[ESP+24]
004148F1 PUSH EBP
004148F2 PUSH AMSAdmin.0048C1BC ; ASCII "%d"
004148F7 PUSH EDX
004148F8 CALL AMSAdmin.00447EDF
004148FD ADD ESP, 0C
00414900 CMP EBP, 0A
00414903 JGE SHORT AMSAdmin.00414912
00414905 PUSH 30
00414907 PUSH 0
00414909 LEA ECX, DWORD PTR SS:[ESP+2C]
0041490D CALL AMSAdmin.004476EE
00414912 LEA EAX, DWORD PTR SS:[ESP+24]
00414916 LEA ECX, DWORD PTR SS:[ESP+C]
0041491A PUSH EAX
0041491B LEA EDX, DWORD PTR SS:[ESP+14]
0041491F PUSH ECX
00414920 PUSH EDX
00414921 CALL AMSAdmin.0044B352
00414926 PUSH EAX
00414927 MOV ECX, EDI
00414929 MOV BYTE PTR SS:[ESP+20], 3
0041492E CALL AMSAdmin.0044B25C
00414933 LEA ECX, DWORD PTR SS:[ESP+10]
00414937 MOV BYTE PTR SS:[ESP+1C], 2
0041493C CALL AMSAdmin.0044B123
00414941 LEA ECX, DWORD PTR SS:[ESP+C]
00414945 MOV BYTE PTR SS:[ESP+1C], 1
0041494A CALL AMSAdmin.0044B123
0041494F LEA ECX, DWORD PTR SS:[ESP+24]
00414953 MOV BYTE PTR SS:[ESP+1C], 0
00414958 CALL AMSAdmin.0044B123
0041495D LEA ECX, DWORD PTR SS:[ESP+28]
00414961 MOV DWORD PTR SS:[ESP+1C], -1
00414969 CALL AMSAdmin.0044B123
0041496E MOV ECX, DWORD PTR SS:[ESP+14]
00414972 POP EDI
00414973 POP ESI
00414974 MOV DWORD PTR FS:[0], ECX
0041497B POP EBP
0041497C ADD ESP, 14
0041497F RETN
----------------------------------------------
0044B4A0 PUSH EBX
0044B4A1 PUSH ESI
0044B4A2 PUSH EDI
0044B4A3 MOV EDI, DWORD PTR SS:[ESP+10]
0044B4A7 TEST EDI, EDI
0044B4A9 MOV ESI, ECX
0044B4AB JE SHORT AMSAdmin.0044B4F9
0044B4AD MOV EAX, DWORD PTR DS:[ESI]; EAX<==DS:[ESI]=012840C8,(ASCII "37353733373137")
0044B4AF CMP DWORD PTR DS:[EAX-C], 1
0044B4B3 LEA EBX, DWORD PTR DS:[EAX-C]
0044B4B6 JG SHORT AMSAdmin.0044B4E3
0044B4B8 MOV ECX, DWORD PTR DS:[EAX-8]
0044B4BB LEA EDX, DWORD PTR DS:[ECX+EDI]
0044B4BE CMP EDX, DWORD PTR DS:[EAX-4]
0044B4C1 JG SHORT AMSAdmin.0044B4E3
0044B4C3 PUSH EDI
0044B4C4 ADD ECX, EAX
0044B4C6 PUSH DWORD PTR SS:[ESP+18]
0044B4CA PUSH ECX
0044B4CB CALL AMSAdmin.004381F0
0044B4D0 MOV EAX, DWORD PTR DS:[ESI]
0044B4D2 ADD ESP, 0C
0044B4D5 ADD DWORD PTR DS:[EAX-8], EDI
0044B4D8 MOV EAX, DWORD PTR DS:[ESI]
0044B4DA MOV ECX, DWORD PTR DS:[EAX-8]
0044B4DD AND BYTE PTR DS:[ECX+EAX], 0
0044B4E1 JMP SHORT AMSAdmin.0044B4F9
0044B4E3 PUSH DWORD PTR SS:[ESP+14]
0044B4E7 MOV ECX, ESI
0044B4E9 PUSH EDI
0044B4EA PUSH EAX
0044B4EB PUSH DWORD PTR DS:[EAX-8]
0044B4EE CALL AMSAdmin.0044B314
0044B4F3 PUSH EBX
0044B4F4 CALL AMSAdmin.0044B08B
0044B4F9 POP EDI
0044B4FA POP ESI
0044B4FB POP EBX
0044B4FC RETN 8
----------------------------------------------
0043835C MOV AL, BYTE PTR DS:[ESI] ; AL=DS:[ESI]=33 ('3')
0043835E MOV BYTE PTR DS:[EDI], AL
00438360 MOV AL, BYTE PTR DS:[ESI+1]
00438363 MOV BYTE PTR DS:[EDI+1], AL
00438366 MOV EAX, DWORD PTR SS:[EBP+8]; EAX<==012840D6,(ASCII "3575717171")
00438369 POP ESI
0043836A POP EDI
0043836B LEAVE
0043836C RETN
----------------------------------------------
0041E3D0 PUSH -1
0041E3D2 PUSH AMSAdmin.0046DD38
0041E3D7 MOV EAX, DWORD PTR FS:[0]
0041E3DD PUSH EAX
0041E3DE MOV DWORD PTR FS:[0], ESP
0041E3E5 SUB ESP, 0C
0041E3E8 PUSH EBP
0041E3E9 PUSH ESI
0041E3EA PUSH EDI
0041E3EB XOR EBP, EBP
0041E3ED LEA ECX, DWORD PTR SS:[ESP+28]
0041E3F1 MOV DWORD PTR SS:[ESP+20], EBP
0041E3F5 MOV DWORD PTR SS:[ESP+14], EBP
0041E3F9 CALL AMSAdmin.0044B645
0041E3FE MOV EAX, DWORD PTR SS:[ESP+28]; EAX=01284348, ASCII "270B6E672BD7016" <--软件号生成的字符串
0041E402 XOR ESI, ESI
0041E404 MOV EDI, DWORD PTR DS:[EAX-8] ; EDI=F
0041E407 CMP EDI, EBP
0041E409 JLE SHORT AMSAdmin.0041E45B
0041E40B PUSH EBX
0041E40C /FLD QWORD PTR DS:[474D28] ; ST=10
0041E412 |MOV ECX, DWORD PTR SS:[ESP+2C]; ECX=01284348, ASCII "270B6E672BD7016"
0041E416 |MOV EDX, EDI
0041E418 |SUB EDX, ESI
0041E41A |MOV BL, BYTE PTR DS:[ESI+ECX]; BL=DS:[ESI+ECX]=32 ESI=0 ECX=01284348
0041E41D |DEC EDX
0041E41E |MOV DWORD PTR SS:[ESP+10], EDX
0041E422 |FILD DWORD PTR SS:[ESP+10] ; ST=14 (0E)
0041E426 |CALL AMSAdmin.00437E80
0041E42B |CALL AMSAdmin.00437624
0041E430 |MOV ECX, EAX ; ECX=107A4000
0041E432 |MOVSX EAX, BL ; EAX=BL=32
0041E435 |MOV DWORD PTR SS:[ESP+10], ECX
0041E439 |MOV ECX, EDX ; ECX=EDX=00005AF3
0041E43B |CDQ
0041E43C |PUSH EDX
0041E43D |MOV EDX, DWORD PTR SS:[ESP+14] ; EDX=107A4000
0041E441 |PUSH EAX ; EAX=32
0041E442 |PUSH ECX ; ECX=5AF3
0041E443 |PUSH EDX ; EDX=107A4000
0041E444 |CALL AMSAdmin.00437E40
0041E449 |MOV EBX, DWORD PTR SS:[ESP+18] ; EBX=0
0041E44D |ADD EBP, EAX; F次后 EBP=D166F738<--关键值(低位)
0041E44F |ADC EBX, EDX ; EBX=11C379
0041E451 |INC ESI
0041E452 |CMP ESI, EDI ; EDI=F ESI=0++
0041E454 |MOV DWORD PTR SS:[ESP+18], EBX ;F次后 EBX=13E9E9<--关键值(高位)
0041E458 \JL SHORT AMSAdmin.0041E40C
0041E45A POP EBX ; EBX=4
0041E45B LEA ECX, DWORD PTR SS:[ESP+28]
0041E45F MOV DWORD PTR SS:[ESP+20], -1
0041E467 CALL AMSAdmin.0044B123
0041E46C MOV ECX, DWORD PTR SS:[ESP+18]
0041E470 MOV EDX, DWORD PTR SS:[ESP+14]
0041E474 POP EDI
0041E475 MOV EAX, EBP
0041E477 POP ESI
0041E478 POP EBP
0041E479 MOV DWORD PTR FS:[0], ECX
0041E480 ADD ESP, 18
0041E483 RETN 4
====================================================
到这里注册算法分析完成,总结一下
注册码的正确方法是:软件号计算的值=注册码计算的值
Cracked fxyang[OCN]2003.4.5
| | |||
|