R Folder Guard 5.1STD

标题：R Folder Guard 5.1STD (11千字)
作者：6767[BCG]
时间：2001-7-2 14:08:00
链接：http://bbs.pediy.com

R Folder Guard 5.1STD
by 6767 [BCG]

d/l:   http://gt.onlinedown.net/down/fgstd.exe. (606k)
tools:   SoftIce

它的注册检查好象不严格，所以两次莫名其妙的注册成功。好在还可以Unregister，有意思。

姓名不支持数字，长度应大于5，大小写无关。注册码长度不要小于10。

.....
* Reference To: USER32.GetDlgItem, Ord:0105h
|
:10019757 FF1588530210 Call dword ptr [10025388]
:1001975D 50 push eax

* Reference To: USER32.SetFocus, Ord:0233h
|
:1001975E FF1548530210 Call dword ptr [10025348]
:10019764 E94A010000 jmp 100198B3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10019751(C)
|
:10019769 8BCE mov ecx, esi
* Reference To: FGuard32.?IsOldRegInfo@ri2@@QAEHXZ
|
:1001976B E895140000 call 1001AC05           <- 检查黑名单
:10019770 85C0 test eax, eax           <- 不在其上则eax=0
:10019772 741F je 10019793

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100197D9(C)
|
:10019774 685BABFFFF push FFFFAB5B

* Possible Reference to String Resource ID=00052: "&Unlock"
|
:10019779 6A34 push 00000034
:1001977B 57 push edi
* Reference To: FGuard32.?Msg@@YAHPAUHWND__@@IHZZ
|
:1001977C E8FB8EFFFF call 1001267C
:10019781 83C40C add esp, 0000000C
:10019784 83F806 cmp eax, 00000006
:10019787 75CA jne 10019753
:10019789 57 push edi
:1001978A 8BCE mov ecx, esi
* Reference To: FGuard32.?DoUpgradeThis@ri2@@QAEHPAUHWND__@@@Z
|
:1001978C E886160000 call 1001AE17
:10019791 EBC0 jmp 10019753

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10019772(C)
|
:10019793 8BCE mov ecx, esi
* Reference To: FGuard32.?iv1@ri2@@QAEHXZ
|
:10019795 E809120000 call 1001A9A3           <- (1)检查Code[1]到Code[4]
:1001979A 85C0 test eax, eax           <- 正确则eax=1
:1001979C 7512 jne 100197B0
:1001979E 6861ABFFFF push FFFFAB61
:100197A3 6A30 push 00000030
:100197A5 57 push edi
* Reference To: FGuard32.?Msg@@YAHPAUHWND__@@IHZZ
|
:100197A6 E8D18EFFFF call 1001267C
:100197AB 83C40C add esp, 0000000C
:100197AE EBA3 jmp 10019753

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1001979C(C)
|
:100197B0 8BCE mov ecx, esi
* Reference To: FGuard32.?iv2@ri2@@QAEHXZ
|
:100197B2 E806120000 call 1001A9BD           <- (2)检查Code[7]、Code[8]
:100197B7 85C0 test eax, eax           <- 正确则eax=1
                              <- 找到这些后我就注册了，好奇怪

:100197B9 7515 jne 100197D0
:100197BB 6863ABFFFF push FFFFAB63
:100197C0 6A30 push 00000030
:100197C2 57 push edi
* Reference To: FGuard32.?Msg@@YAHPAUHWND__@@IHZZ
|
:100197C3 E8B48EFFFF call 1001267C
:100197C8 83C40C add esp, 0000000C
:100197CB FF7518 push [ebp+18]
:100197CE EB86 jmp 10019756

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100197B9(C)
|
:100197D0 8BCE mov ecx, esi
* Reference To: FGuard32.?iu2@ri2@@QAEHXZ
|
:100197D2 E841140000 call 1001AC18
:100197D7 85C0 test eax, eax
:100197D9 7599 jne 10019774
:100197DB 685FABFFFF push FFFFAB5F

(1)
Exported fn(): ?iv1@ri2@@QAEHXZ - Ord:05EAh
:1001A9A3 8B4170 mov eax, dword ptr [ecx+70]
:1001A9A6 83C142 add ecx, 00000042
:1001A9A9 FF7040 push [eax+40]
:1001A9AC FF703C push [eax+3C]
:1001A9AF 8A4030 mov al, byte ptr [eax+30]
:1001A9B2 50 push eax
:1001A9B3 51 push ecx
* Reference To: FGuard32.?riivc2@@YAHPBDDHH@Z
|
:1001A9B4 E8E7F7FFFF call 1001A1A0           <- trace into
:1001A9B9 83C410 add esp, 00000010
:1001A9BC C3 ret

* Referenced by a CALL at Address:
|:1001A9B4
|

Exported fn(): ?riivc2@@YAHPBDDHH@Z - Ord:0612h
:1001A1A0 55 push ebp
:1001A1A1 8BEC mov ebp, esp
:1001A1A3 83EC20 sub esp, 00000020
:1001A1A6 8B4508 mov eax, dword ptr [ebp+08]
:1001A1A9 8A08 mov cl, byte ptr [eax]       <-
:1001A1AB 3A4D0C cmp cl, byte ptr [ebp+0C]       <- Code[1]
:1001A1AE 7404 je 1001A1B4

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1001A1D6(C), :1001A1E9(C)
|
:1001A1B0 33C0 xor eax, eax               <- unRegister Flag
:1001A1B2 C9 leave
:1001A1B3 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1001A1AE(C)
|
:1001A1B4 8D4DE0 lea ecx, dword ptr [ebp-20]

* Possible Reference to String Resource ID=00032: "On empty password"
|
:1001A1B7 6A20 push 00000020
:1001A1B9 51 push ecx
:1001A1BA 6A00 push 00000000
:1001A1BC 6A00 push 00000000
:1001A1BE 50 push eax
:1001A1BF E832FFFFFF call 1001A0F6
:1001A1C4 FF7510 push [ebp+10]
:1001A1C7 8D45E3 lea eax, dword ptr [ebp-1D]
:1001A1CA 50 push eax
:1001A1CB E8CFFEFFFF call 1001A09F
:1001A1D0 83C41C add esp, 0000001C
:1001A1D3 3845E1 cmp byte ptr [ebp-1F], al       <- Code[2]
:1001A1D6 75D8 jne 1001A1B0
:1001A1D8 FF7514 push [ebp+14]
:1001A1DB 8D45E3 lea eax, dword ptr [ebp-1D]
:1001A1DE 50 push eax
:1001A1DF E8BBFEFFFF call 1001A09F
:1001A1E4 3845E2 cmp byte ptr [ebp-1E], al
:1001A1E7 59 pop ecx
:1001A1E8 59 pop ecx
:1001A1E9 75C5 jne 1001A1B0
:1001A1EB 33C0 xor eax, eax
:1001A1ED 807DE339 cmp byte ptr [ebp-1D], 39       <- Code[3]
:1001A1F1 0F94C0 sete al
:1001A1F4 C9 leave
:1001A1F5 C3 ret

(2)
* Referenced by a CALL at Addresses:
|:100197B2 , :1001A9EC , :1001AC5E
|

Exported fn(): ?iv2@ri2@@QAEHXZ - Ord:05EBh
:1001A9BD 8B4170 mov eax, dword ptr [ecx+70]
:1001A9C0 FF7038 push [eax+38]
:1001A9C3 6A01 push 00000001
:1001A9C5 FF7034 push [eax+34]
:1001A9C8 8D4142 lea eax, dword ptr [ecx+42]
:1001A9CB 6A00 push 00000000
:1001A9CD 50 push eax
:1001A9CE 668B4140 mov ax, word ptr [ecx+40]
:1001A9D2 50 push eax
:1001A9D3 51 push ecx
* Reference To: FGuard32.?riivn2@@YAHPBDG0HHHH@Z
|
:1001A9D4 E81DF8FFFF call 1001A1F6           <- trace into it
:1001A9D9 83C41C add esp, 0000001C
:1001A9DC C3 ret

* Referenced by a CALL at Addresses:
|:1001A9D4 , :1001AA25
|

Exported fn(): ?riivn2@@YAHPBDG0HHHH@Z - Ord:0613h
:1001A1F6 55 push ebp
:1001A1F7 8BEC mov ebp, esp
:1001A1F9 83EC64 sub esp, 00000064
:1001A1FC 56 push esi
:1001A1FD 57 push edi
:1001A1FE 8D45DC lea eax, dword ptr [ebp-24]

* Possible StringData Ref from Data Obj ->"00"
|
:1001A201 BEC8B10310 mov esi, 1003B1C8
:1001A206 8D7DFC lea edi, dword ptr [ebp-04]
:1001A209 6A20 push 00000020
:1001A20B 50 push eax
:1001A20C 6A00 push 00000000
:1001A20E 66A5 movsw
:1001A210 6A00 push 00000000
:1001A212 FF7510 push [ebp+10]
:1001A215 A4 movsb
:1001A216 E8DBFEFFFF call 1001A0F6
:1001A21B 8A45E0 mov al, byte ptr [ebp-20]

* Possible Reference to String Resource ID=00064: "Cannot accept the registration information you have entered."
|
:1001A21E 6A40 push 00000040
:1001A220 8845FC mov byte ptr [ebp-04], al
:1001A223 8A45E1 mov al, byte ptr [ebp-1F]
:1001A226 8845FD mov byte ptr [ebp-03], al
:1001A229 8D459C lea eax, dword ptr [ebp-64]
:1001A22C 50 push eax
:1001A22D 8D45FC lea eax, dword ptr [ebp-04]
:1001A230 50 push eax
:1001A231 FF750C push [ebp+0C]
:1001A234 FF7508 push [ebp+08]
:1001A237 E8BAFEFFFF call 1001A0F6
:1001A23C FF7518 push [ebp+18]
:1001A23F 8D459C lea eax, dword ptr [ebp-64]
:1001A242 50 push eax
:1001A243 E857FEFFFF call 1001A09F
:1001A248 8B4D14 mov ecx, dword ptr [ebp+14]
:1001A24B 83C430 add esp, 00000030
:1001A24E 38440DE2 cmp byte ptr [ebp+ecx-1E], al       <- Code[7]
:1001A252 5F pop edi
:1001A253 5E pop esi
:1001A254 7404 je 1001A25A
:1001A256 33C0 xor eax, eax
:1001A258 C9 leave
:1001A259 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1001A254(C)
|
:1001A25A FF7520 push [ebp+20]
:1001A25D 8D459C lea eax, dword ptr [ebp-64]
:1001A260 50 push eax
:1001A261 E839FEFFFF call 1001A09F
:1001A266 8B551C mov edx, dword ptr [ebp+1C]
:1001A269 59 pop ecx
:1001A26A 59 pop ecx
:1001A26B 33C9 xor ecx, ecx
:1001A26D 384415E2 cmp byte ptr [ebp+edx-1E], al       <- Code[8]
:1001A271 0F94C1 sete cl
:1001A274 8BC1 mov eax, ecx
:1001A276 C9 leave
:1001A277 C3 ret

注册信息保存在：
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\WinAbility\Folder Guard\Setup\1]
"Info"=.....