Email地址搜索器

标题：Email地址搜索器 (14千字)
作者：custer
时间：2000-10-17 17:01:33
链接：http://bbs.pediy.com

执行emailserach，点击注册，输入
name=12345678 code=12345678
确定后出现 "注册名不正确"
用w32dasm打开emailserach，看到如下信息：

:00403F24 55 push ebp
:00403F25 E879FD0100 call 00423CA3
:00403F2A 51 push ecx
:00403F2B 8BCC mov ecx, esp
:00403F2D 89642418 mov dword ptr [esp+18], esp
:00403F31 53 push ebx
:00403F32 E8D1250200 call 00426508
:00403F37 51 push ecx
:00403F38 8D8780010000 lea eax, dword ptr [edi+00000180]
:00403F3E 8BCC mov ecx, esp
:00403F40 89642420 mov dword ptr [esp+20], esp
:00403F44 50 push eax
:00403F45 C78424A800000000000000 mov dword ptr [esp+000000A8], 00000000
:00403F50 E8B3250200 call 00426508
:00403F55 8BCF mov ecx, edi
:00403F57 C78424A4000000FFFFFFFF mov dword ptr [esp+000000A4], FFFFFFFF
:00403F62 E869150000 call 004054D0 <----进入此处的call
:00403F67 85C0 test eax, eax
:00403F69 7511 jne 00403F7C
:00403F6B 50 push eax
:00403F6C 50 push eax

* Possible StringData Ref from Data Obj ->"注册名不正确"
|
:00403F6D 68480C4400 push 00440C48
:00403F72 E8396D0200 call 0042ACB0
:00403F77 E940010000 jmp 004040BC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403F69(C)
|
:00403F7C 51 push ecx
:00403F7D 8BCC mov ecx, esp
:00403F7F 8964241C mov dword ptr [esp+1C], esp
:00403F83 55 push ebp
:00403F84 E87F250200 call 00426508
:00403F89 51 push ecx
:00403F8A C78424A400000001000000 mov dword ptr [esp+000000A4], 00000001
:00403F95 8BCC mov ecx, esp
:00403F97 8964241C mov dword ptr [esp+1C], esp
:00403F9B 53 push ebx
:00403F9C E867250200 call 00426508
:00403FA1 8BCF mov ecx, edi
:00403FA3 C78424A4000000FFFFFFFF mov dword ptr [esp+000000A4], FFFFFFFF
:00403FAE E89D160000 call 00405650 <----进入此处的call
:00403FB3 85C0 test eax, eax
:00403FB5 7511 jne 00403FC8
:00403FB7 50 push eax
:00403FB8 50 push eax

* Possible StringData Ref from Data Obj ->"注册码不正确"
|
:00403FB9 68380C4400 push 00440C38
:00403FBE E8ED6C0200 call 0042ACB0
:00403FC3 E9F4000000 jmp 004040BC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403FB5(C)
|
:00403FC8 6A00 push 00000000
:00403FCA 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"注册成功!"
|
:00403FCC 682C0C4400 push 00440C2C
:00403FD1 C7878801000001000000 mov dword ptr [edi+00000188], 00000001
:00403FDB E8D06C0200 call 0042ACB0

* Possible StringData Ref from Data Obj ->"\windows.reg"
|
:00403FE0 681C0C4400 push 00440C1C
:00403FE5 8D4C2414 lea ecx, dword ptr [esp+14]
:00403FE9 E8C3260200 call 004266B1
:00403FEE 8D4C241C lea ecx, dword ptr [esp+1C]
:00403FF2 BB02000000 mov ebx, 00000002
:00403FF7 6A1E push 0000001E
:00403FF9 51 push ecx
:00403FFA 899C24A4000000 mov dword ptr [esp+000000A4], ebx

========================================================================
:004054D0 6AFF push FFFFFFFF
:004054D2 6850244300 push 00432450
:004054D7 64A100000000 mov eax, dword ptr fs:[00000000]
:004054DD 50 push eax
:004054DE 64892500000000 mov dword ptr fs:[00000000], esp
:004054E5 83EC0C sub esp, 0000000C
:004054E8 53 push ebx
:004054E9 56 push esi
:004054EA 57 push edi
:004054EB 8B7C2428 mov edi, dword ptr [esp+28]
:004054EF 83C9FF or ecx, FFFFFFFF
:004054F2 33C0 xor eax, eax
:004054F4 8D54240C lea edx, dword ptr [esp+0C]
:004054F8 F2 repnz
:004054F9 AE scasb
:004054FA F7D1 not ecx
:004054FC 2BF9 sub edi, ecx
:004054FE C744242001000000 mov [esp+20], 00000001
:00405506 8BC1 mov eax, ecx
:00405508 8BF7 mov esi, edi
:0040550A 8BFA mov edi, edx
:0040550C C1E902 shr ecx, 02
:0040550F F3 repz
:00405510 A5 movsd
:00405511 8BC8 mov ecx, eax
:00405513 83E103 and ecx, 00000003
:00405516 F3 repz
:00405517 A4 movsb
:00405518 8A4C240F mov cl, byte ptr [esp+0F] ；[esp+0c]指向产品密钥
:0040551C 8A44240C mov al, byte ptr [esp+0C] ；
:00405520 8A5C240D mov bl, byte ptr [esp+0D] ；将产品密钥的各个字母
:00405524 8A54240E mov dl, byte ptr [esp+0E] ；
:00405528 80C104 add cl, 04 ；与其位数相加。
:0040552B FEC0 inc al ；
:0040552D 884C240F mov byte ptr [esp+0F], cl ；如:32(2)+1=33(3)
:00405531 8A4C2413 mov cl, byte ptr [esp+13] ；
:00405535 80C302 add bl, 02 ； 6E(n)+2=70(p)
:00405538 80C203 add dl, 03 ；
:0040553B 80C108 add cl, 08 ；密钥：2ndJ8gIFkNF'
:0040553E 8844240C mov byte ptr [esp+0C], al ；
:00405542 8A442410 mov al, byte ptr [esp+10] ；得到：3pgN=mPNtXQl
:00405546 885C240D mov byte ptr [esp+0D], bl ；
:0040554A 8A5C2411 mov bl, byte ptr [esp+11] ；
:0040554E 8854240E mov byte ptr [esp+0E], dl ；
:00405552 8A542412 mov dl, byte ptr [esp+12] ；
:00405556 884C2413 mov byte ptr [esp+13], cl ；
:0040555A 8A4C2417 mov cl, byte ptr [esp+17] ；
:0040555E 0405 add al, 05 ；
:00405560 80C306 add bl, 06 ；
:00405563 80C207 add dl, 07 ；
:00405566 80C10C add cl, 0C ；
:00405569 88442410 mov byte ptr [esp+10], al ；
:0040556D 8A442414 mov al, byte ptr [esp+14] ；
:00405571 885C2411 mov byte ptr [esp+11], bl ；
:00405575 8A5C2415 mov bl, byte ptr [esp+15] ；
:00405579 88542412 mov byte ptr [esp+12], dl ；
:0040557D 8A542416 mov dl, byte ptr [esp+16] ；
:00405581 884C2417 mov byte ptr [esp+17], cl ；
:00405585 8D4C240C lea ecx, dword ptr [esp+0C] ；
:00405589 0409 add al, 09 ；
:0040558B 80C30A add bl, 0A ；
:0040558E 80C20B add dl, 0B ；
:00405591 51 push ecx ；
:00405592 8D4C242C lea ecx, dword ptr [esp+2C] ；
:00405596 88442418 mov byte ptr [esp+18], al ；
:0040559A 885C2419 mov byte ptr [esp+19], bl ；
:0040559E 8854241A mov byte ptr [esp+1A], dl ；
:004055A2 E8E4110200 call 0042678B
:004055A7 8B74242C mov esi, dword ptr [esp+2C]
:004055AB 8B442428 mov eax, dword ptr [esp+28]
:004055AF 33D2 xor edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004055CF(C)
|
:004055B1 8A18 mov bl, byte ptr [eax]
:004055B3 8ACB mov cl, bl
:004055B5 3A1E cmp bl, byte ptr [esi]
:004055B7 751C jne 004055D5
:004055B9 3ACA cmp cl, dl
:004055BB 7414 je 004055D1
:004055BD 8A5801 mov bl, byte ptr [eax+01]
:004055C0 8ACB mov cl, bl
:004055C2 3A5E01 cmp bl, byte ptr [esi+01]
:004055C5 750E jne 004055D5
:004055C7 83C002 add eax, 00000002
:004055CA 83C602 add esi, 00000002
:004055CD 3ACA cmp cl, dl
:004055CF 75E0 jne 004055B1 ;这段是将算出的值与name比较

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004055BB(C)
|
:004055D1 33C0 xor eax, eax
:004055D3 EB05 jmp 004055DA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004055B7(C), :004055C5(C)
|
:004055D5 1BC0 sbb eax, eax
:004055D7 83D8FF sbb eax, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004055D3(U)
|
:004055DA 33C9 xor ecx, ecx
:004055DC 3BC2 cmp eax, edx
:004055DE 0F94C1 sete cl
:004055E1 84C9 test cl, cl
:004055E3 88542420 mov byte ptr [esp+20], dl
:004055E7 8D4C2428 lea ecx, dword ptr [esp+28]
:004055EB 742F je 0040561C
:004055ED E851100200 call 00426643
:004055F2 8D4C242C lea ecx, dword ptr [esp+2C]
:004055F6 C7442420FFFFFFFF mov [esp+20], FFFFFFFF
:004055FE E840100200 call 00426643
:00405603 B801000000 mov eax, 00000001
:00405608 8B4C2418 mov ecx, dword ptr [esp+18]
:0040560C 64890D00000000 mov dword ptr fs:[00000000], ecx
:00405613 5F pop edi
:00405614 5E pop esi
:00405615 5B pop ebx
:00405616 83C418 add esp, 00000018
:00405619 C20800 ret 0008

下面是注册码的计算过程，基本雷同，有兴趣可自行计算。
=======================================================================
:00405650 6AFF push FFFFFFFF
:00405652 6870244300 push 00432470
:00405657 64A100000000 mov eax, dword ptr fs:[00000000]
:0040565D 50 push eax
:0040565E 64892500000000 mov dword ptr fs:[00000000], esp
:00405665 83EC0C sub esp, 0000000C
:00405668 53 push ebx
:00405669 56 push esi
:0040566A 57 push edi
:0040566B 8B7C2428 mov edi, dword ptr [esp+28]
:0040566F 83C9FF or ecx, FFFFFFFF
:00405672 33C0 xor eax, eax
:00405674 8D54240C lea edx, dword ptr [esp+0C]
:00405678 F2 repnz
:00405679 AE scasb
:0040567A F7D1 not ecx
:0040567C 2BF9 sub edi, ecx
:0040567E C744242001000000 mov [esp+20], 00000001
:00405686 8BC1 mov eax, ecx
:00405688 8BF7 mov esi, edi
:0040568A 8BFA mov edi, edx
:0040568C C1E902 shr ecx, 02
:0040568F F3 repz
:00405690 A5 movsd
:00405691 8BC8 mov ecx, eax
:00405693 B803000000 mov eax, 00000003
:00405698 23C8 and ecx, eax
:0040569A F3 repz
:0040569B A4 movsb
:0040569C 8A54240C mov dl, byte ptr [esp+0C]
:004056A0 8A4C240D mov cl, byte ptr [esp+0D]
:004056A4 8A5C240E mov bl, byte ptr [esp+0E]
:004056A8 02D0 add dl, al
:004056AA 80C105 add cl, 05
:004056AD 8854240C mov byte ptr [esp+0C], dl
:004056B1 8A54240F mov dl, byte ptr [esp+0F]
:004056B5 884C240D mov byte ptr [esp+0D], cl
:004056B9 B102 mov cl, 02
:004056BB 02D8 add bl, al
:004056BD 02D1 add dl, cl
:004056BF 885C240E mov byte ptr [esp+0E], bl
:004056C3 8A5C2410 mov bl, byte ptr [esp+10]
:004056C7 8854240F mov byte ptr [esp+0F], dl
:004056CB 8A542411 mov dl, byte ptr [esp+11]
:004056CF 80C306 add bl, 06
:004056D2 02D0 add dl, al
:004056D4 885C2410 mov byte ptr [esp+10], bl
:004056D8 8A5C2412 mov bl, byte ptr [esp+12]
:004056DC 88542411 mov byte ptr [esp+11], dl
:004056E0 8A542413 mov dl, byte ptr [esp+13]
:004056E4 80C304 add bl, 04
:004056E7 02D1 add dl, cl
:004056E9 8A4C2417 mov cl, byte ptr [esp+17]
:004056ED 885C2412 mov byte ptr [esp+12], bl
:004056F1 8A5C2414 mov bl, byte ptr [esp+14]
:004056F5 88542413 mov byte ptr [esp+13], dl
:004056F9 8A542415 mov dl, byte ptr [esp+15]
:004056FD FEC3 inc bl
:004056FF 02D0 add dl, al
:00405701 FEC1 inc cl
:00405703 885C2414 mov byte ptr [esp+14], bl
:00405707 884C2417 mov byte ptr [esp+17], cl
:0040570B 8D4C240C lea ecx, dword ptr [esp+0C]
:0040570F 51 push ecx
:00405710 8D4C242C lea ecx, dword ptr [esp+2C]
:00405714 88542419 mov byte ptr [esp+19], dl
:00405718 E86E100200 call 0042678B
:0040571D 8B74242C mov esi, dword ptr [esp+2C]
:00405721 8B442428 mov eax, dword ptr [esp+28]
:00405725 33D2 xor edx, edx

===================
因为软件很多功能没有，我也不愿意用，故没有最后结果，不知是否对。