CD Keeper 1.0
by Fpc[CCG] @2001/07
tools:softice
又是个VB程序,1.0版,界面作的不好看,功能不清楚。
在注册窗口,输入信息后下Bpx hmemcpy,拦截可追到下面:
|
:004366A4 8B4DDC
mov ecx, dword ptr [ebp-24] <- 输入的注册码
:004366A7 51
push ecx
:004366A8 FF1524104000 call dword ptr
[00401024] <- 返回长度
:004366AE 8B55E0
mov edx, dword ptr [ebp-20]
:004366B1 33DB
xor ebx, ebx
:004366B3 83F810
cmp eax, 00000010 <- 是否为16字节
:004366B6 52
push edx
:004366B7 0F94C3
sete bl
:004366BA F7DB
neg ebx
:004366BC FF1524104000 call dword ptr
[00401024]
:004366C2 8B55E4
mov edx, dword ptr [ebp-1C]
:004366C5 33C9
xor ecx, ecx
:004366C7 83F808
cmp eax, 00000008 <- 这个比较不用理
:004366CA 52
push edx
:004366CB 0F94C1
sete cl
:004366CE F7D9
neg ecx
:004366D0 68D4294100 push 004129D4
:004366D5 0BD9
or ebx, ecx
:004366D7 FF15B8104000 call dword ptr
[004010B8] <- 验证是否为空串
:004366DD F7D8
neg eax
:004366DF 1BC0
sbb eax, eax
:004366E1 F7D8
neg eax
:004366E3 F7D8
neg eax
:004366E5 23D8
and ebx, eax
:004366E7 8B45E8
mov eax, dword ptr [ebp-18]
:004366EA 50
push eax
:004366EB 68D4294100 push 004129D4
:004366F0 FF15B8104000 call dword ptr
[004010B8] <- 验证是否为空串
:004366F6 F7D8
neg eax
:004366F8 1BC0
sbb eax, eax
:004366FA 8D4DDC
lea ecx, dword ptr [ebp-24]
:004366FD F7D8
neg eax
:004366FF F7D8
neg eax
:00436701 23D8
and ebx, eax
... ...
:00436723 8D55D4
lea edx, dword ptr [ebp-2C]
:00436726 51
push ecx
:00436727 52
push edx
:00436728 6A04
push 00000004
:0043672A FF1534104000 call dword ptr
[00401034]
:00436730 83C428
add esp, 00000028
:00436733 6685DB
test bx, bx
:00436736 0F8404070000 je 00436E40
<- 若上面的验证通过,这里不会跳
很长的一段垃圾........
:00436814 C745E400000000 mov [ebp-1C], 00000000
:0043681B FFD3
call ebx
:0043681D 8D8D14FFFFFF lea ecx, dword
ptr [ebp+FFFFFF14]
:00436823 8D55D8
lea edx, dword ptr [ebp-28]
:00436826 51
push ecx
:00436827 8D45E0
lea eax, dword ptr [ebp-20]
:0043682A 52
push edx
:0043682B 50
push eax
:0043682C E8FF53FFFF call 0042BC30
<- 计算与比较注册码的核心
:00436831 8D4DD8
lea ecx, dword ptr [ebp-28]
:00436834 8BD8
mov ebx, eax <<-
保存出口状态
... ...
:0043685B 83C420
add esp, 00000020
:0043685E 6685DB
test bx, bx <<-
测试注册是否成功
:00436861 0F8452040000 je 00436CB9
:00436867 8B0E
mov ecx, dword ptr [esi]
进入核心call看看,好长的一段代码:
* Referenced by a CALL at Addresses:
|:0042361D , :0043682C
|
:0042BC30 55
push ebp
:0042BC31 8BEC
mov ebp, esp
:0042BC33 83EC08
sub esp, 00000008
:0042BC36 68462C4000 push 00402C46
:0042BC3B 64A100000000 mov eax, dword
ptr fs:[00000000]
:0042BC41 50
push eax
:0042BC42 64892500000000 mov dword ptr fs:[00000000],
esp
... ... KeyGen ruion process
:0042C0CA 8B450C
mov eax, dword ptr [ebp+0C]
:0042C0CD 8B55DC
mov edx, dword ptr [ebp-24]
:0042C0D0 8B08
mov ecx, dword ptr [eax]
:0042C0D2 51
push ecx <-
"d ecx"
:0042C0D3 52
push edx <-
"d edx"
:0042C0D4 FF15B8104000 call dword ptr
[004010B8] <- __vbastrcmp,比较真码与假码
:0042C0DA F7D8
neg eax
:0042C0DC 1BC0
sbb eax, eax
一个可用的注册码:
i6767@263.net
A0U58207032F0V63
[End]
- 标 题:CD Keeper 1.0 (4千字)
- 作 者:6767[BCG]
- 时 间:2001-7-26 22:48:52
- 链 接:http://bbs.pediy.com