鹦鹉螺网络助手 2.22

标题：anti-homeMade(4)：鹦鹉螺网络助手2.22 (4千字)
作者：6767
时间：2001-5-25 23:00:57
链接：http://bbs.pediy.com

anti-homeMade(4)：鹦鹉螺网络助手2.22
by 6767

工具：SOFTICE，WD32ASM(用于写过程)
下载地址：http://jx163.onlinedown.net/down/netranger222c.zip
开发者自己是怎么说的：
鹦鹉螺网络助手是什么?
鹦鹉螺网络助手是一个功能强大，方便易用的专业网络工具箱，既适合网络新手，也适合有经验的用户使用。鹦鹉螺网络助手提供给你上网冲浪、检查网络故障，获取帐号、主机和域名等等互联网或企业内部网上的网络信息所需要的各种常用工具。

不管那么多，在注册窗口，名字：6767，注册码：123654。在SI中下Bpx windowtexta，拦到。跟跟跟，到这里(当然失败上N次才找到)：

.....
:00422B75 C644243002 mov [esp+30], 02
:00422B7A E879EF0100 call 00441AF8
:00422B7F 8BCE mov ecx, esi
:00422B81 C644242C01 mov [esp+2C], 01
:00422B86 E875FEFFFF call 00422A00           <- 怀疑核心在这里，果然是，看下面分析
:00422B8B 8B4C2430 mov ecx, dword ptr [esp+30]   <- 在这里D一下会有收获
:00422B8F 6A0A push 0000000A
:00422B91 8D542410 lea edx, dword ptr [esp+10]   <- 在这里D一下会有收获
:00422B95 51 push ecx
:00422B96 52 push edx
:00422B97 E8E4C40000 call 0042F080           <- 大哥
:00422B9C 83C40C add esp, 0000000C
:00422B9F C644242000 mov [esp+20], 00
:00422BA4 85C0 test eax, eax           <- 看起来
:00422BA6 8D4C2428 lea ecx, dword ptr [esp+28]
:00422BAA 752D jne 00422BD9           <- 好面熟
......

跟入核心CALL不久会到这里：

......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A8E(C)
|
:00422AA3 33C9 xor ecx, ecx           <- ECX=0，循环变量

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422AEB(C)
|
:00422AA5 33F6 xor esi, esi
:00422AA7 85FF test edi, edi           <- DI放姓名长度
:00422AA9 7E3D jle 00422AE8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422AE6(C)
|
:00422AAB 83F90A cmp ecx, 0000000A         <- 大于等于10则循环完成
:00422AAE 7D3D jge 00422AED
:00422AB0 85C9 test ecx, ecx           <-
:00422AB2 7E07 jle 00422ABB           <- 仅在第一次循环时跳走
:00422AB4 0FBE4429FF movsx eax, byte ptr [ecx+ebp-01]   <- 取生成的注册码的上一字母
:00422AB9 EB14 jmp 00422ACF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422AB2(C)
|
:00422ABB 0FBE543418 movsx edx, byte ptr [esp+esi+18]   <- 取名字的第一个字符
:00422AC0 0FBEC3 movsx eax, bl           <- 与版本有关的一个值，0X6A
:00422AC3 8BD9 mov ebx, ecx           <- EBX=0
:00422AC5 03DA add ebx, edx
:00422AC7 8B542414 mov edx, dword ptr [esp+14]     <- 在EDX中放入累加和
:00422ACB 03C3 add eax, ebx
:00422ACD 03C2 add eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422AB9(U)
|
:00422ACF 33D2 xor edx, edx           <- EDX=0
:00422AD1 BB1A000000 mov ebx, 0000001A       <- 0X1A=26
:00422AD6 F7F3 div ebx
:00422AD8 8A5C2413 mov bl, byte ptr [esp+13]   <- [ESP+13]='j'=0X6A，固定值
:00422ADC 83C261 add edx, 00000061       <- EDX变为小写字符
:00422ADF 46 inc esi
:00422AE0 881429 mov byte ptr [ecx+ebp], dl   <- 保存生成的注册码
:00422AE3 41 inc ecx
:00422AE4 3BF7 cmp esi, edi       <- 循环次数是否到名字长度
:00422AE6 7CC3 jl 00422AAB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422AA9(C)
|
:00422AE8 83F90A cmp ecx, 0000000A
:00422AEB 7CB8 jl 00422AA5           <- 若循环未到10次，继续循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422AAE(C)
|
:00422AED 8D4C2434 lea ecx, dword ptr [esp+34]
:00422AF1 C6450A00 mov [ebp+0A], 00       <- 注册码长度变为10
:00422AF5 E889F20100 call 00441D83       <- 下面不重要了
:00422AFA 8D4C2438 lea ecx, dword ptr [esp+38]
:00422AFE C744242CFFFFFFFF mov [esp+2C], FFFFFFFF
:00422B06 E878F20100 call 00441D83
:00422B0B 8B4C2424 mov ecx, dword ptr [esp+24]
:00422B0F 5F pop edi
:00422B10 5E pop esi
:00422B11 5D pop ebp

过程到这里，觉得好用就想办法注册吧。