正如你先前所说的,如果FindAtomA( )返回的值不为0,则注册成功。
:0040F06D 80B89500000000 cmp byte ptr [eax+00000095],
00 //FindAtomA的返回值
:0040F074 744F
je 0040F0C5
* Possible Reference to String Resource ID=30111: "This copy of $PROGNAME
is licensed to:"
|
:0040F076 B99F750000 mov ecx,
0000759F
.........................................................
* Possible Reference to Dialog: DialogID_7918, CONTROL_ID:791E, "Thank you for
your registration!"
|
:0040F0AF C745BC1E790000 mov [ebp-44], 0000791E
:0040F0B6 8D55BC
lea edx, dword ptr [ebp-44]
:0040F0B9 33C9
xor ecx, ecx
:0040F0BB 8B45FC
mov eax, dword ptr [ebp-04]
:0040F0BE E8DD9EFFFF call 00408FA0
:0040F0C3 EB56
jmp 0040F11B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F074(C)
|
* Possible Reference to String Resource ID=30112: "This is an UNREGISTERED copy
of $PROGNAME!"
|
:0040F0C5 B9A0750000 mov ecx,
000075A0
看一下传给FindAtomA( )的参数,发现它是在试图找一个值为“sdf”的atom。这说明如果注册码正确的话,它会在原子表中加入一个值为“sdf”的原子,以此作为标志。后面将会看到这一点。
1、启动时将RegCode加入到原子表中:
:004143B7 803D3C69420000 cmp byte ptr [0042693C],
00
:004143BE 7410
je 004143D0
:004143C0 683C694200 push 0042693C
* Reference To: kernel32.AddAtomA, Ord:0000h
|
:004143C5 E87E02FFFF Call 00404648
:004143CA 66A35E694200 mov word ptr
[0042695E], ax
2、启动时将UserName加入到原子表中:
:0042402D 83787400 cmp
dword ptr [eax+74], 00000000
:00424031 7428
je 0042405B
:00424033 8B45F4
mov eax, dword ptr [ebp-0C]
:00424036 8B4074
mov eax, dword ptr [eax+74]
:00424039 50
push eax
* Reference To: kernel32.AddAtomA, Ord:0000h
|
:0042403A E80906FEFF Call 00404648
:0042403F 8B1570564200 mov edx, dword
ptr [00425670]
:00424045 668902
mov word ptr [edx], ax
3、从原子表中取出UserName:
:004228F3 A170564200 mov eax,
dword ptr [00425670]
:004228F8 668B00
mov ax, word ptr [eax]
:004228FB 50
push eax
* Reference To: kernel32.GetAtomNameA, Ord:0000h
|
:004228FC E89F1DFEFF Call 004046A0
4、利用从原子表中取出的UserName来计算注册码。把下面的代码拷贝下来稍加修改就可写个注册机。久违了的TSecHash算法又在这里露面了 :)
* Referenced by a CALL at Address:
|:00422912
|
:00407FAC 55
push ebp
:00407FAD 8BEC
mov ebp, esp
:00407FAF 81C418FFFFFF add esp, FFFFFF18
:00407FB5 894DF4
mov dword ptr [ebp-0C], ecx
:00407FB8 8955F8
mov dword ptr [ebp-08], edx
:00407FBB 8945FC
mov dword ptr [ebp-04], eax
:00407FBE BAD4804000 mov edx,
004080D4
:00407FC3 8D856BFFFFFF lea eax, dword
ptr [ebp+FFFFFF6B]
:00407FC9 E812CEFFFF call 00404DE0
:00407FCE 8D856BFFFFFF lea eax, dword
ptr [ebp+FFFFFF6B]
:00407FD4 8B55FC
mov edx, dword ptr [ebp-04]
:00407FD7 E860CEFFFF call 00404E3C
:00407FDC BAD8804000 mov edx,
004080D8
:00407FE1 8D856BFFFFFF lea eax, dword
ptr [ebp+FFFFFF6B]
:00407FE7 E850CEFFFF call 00404E3C
:00407FEC 8D856BFFFFFF lea eax, dword
ptr [ebp+FFFFFF6B]
:00407FF2 E821D2FFFF call 00405218
:00407FF7 B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"TSecHash岪"
|
:00407FF9 A134784000 mov eax,
dword ptr [00407834]
:00407FFE E87DA8FFFF call 00402880
:00408003 8945F0
mov dword ptr [ebp-10], eax
:00408006 8D8518FFFFFF lea eax, dword
ptr [ebp+FFFFFF18]
:0040800C 50
push eax
:0040800D 8B45F8
mov eax, dword ptr [ebp-08]
:00408010 E837CFFFFF call 00404F4C
:00408015 8BC8
mov ecx, eax
:00408017 8B55F8
mov edx, dword ptr [ebp-08]
:0040801A 8B45F0
mov eax, dword ptr [ebp-10]
:0040801D E86AFCFFFF call 00407C8C
:00408022 8D8D43FFFFFF lea ecx, dword
ptr [ebp+FFFFFF43]
:00408028 8D9518FFFFFF lea edx, dword
ptr [ebp+FFFFFF18]
:0040802E 8B45F0
mov eax, dword ptr [ebp-10]
:00408031 E8CEFEFFFF call 00407F04
:00408036 8B45F0
mov eax, dword ptr [ebp-10]
:00408039 E8AAA8FFFF call 004028E8
:0040803E B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"TSecHash岪"
|
:00408040 A134784000 mov eax,
dword ptr [00407834]
:00408045 E836A8FFFF call 00402880
:0040804A 8945F0
mov dword ptr [ebp-10], eax
:0040804D 8D852CFFFFFF lea eax, dword
ptr [ebp+FFFFFF2C]
:00408053 50
push eax
:00408054 8D856BFFFFFF lea eax, dword
ptr [ebp+FFFFFF6B]
:0040805A E8EDCEFFFF call 00404F4C
:0040805F 8BC8
mov ecx, eax
:00408061 8D956BFFFFFF lea edx, dword
ptr [ebp+FFFFFF6B]
:00408067 8B45F0
mov eax, dword ptr [ebp-10]
:0040806A E81DFCFFFF call 00407C8C
:0040806F 8D8D57FFFFFF lea ecx, dword
ptr [ebp+FFFFFF57]
:00408075 8D952CFFFFFF lea edx, dword
ptr [ebp+FFFFFF2C]
:0040807B 8B45F0
mov eax, dword ptr [ebp-10]
:0040807E E881FEFFFF call 00407F04
:00408083 8B45F0
mov eax, dword ptr [ebp-10]
:00408086 E85DA8FFFF call 004028E8
:0040808B 33C0
xor eax, eax
:0040808D 8945EC
mov dword ptr [ebp-14], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004080CE(C)
|
:00408090 8B45EC
mov eax, dword ptr [ebp-14]
:00408093 0FB6840557FFFFFF movzx eax, byte ptr [ebp+eax-000000A9]
:0040809B 8B55EC
mov edx, dword ptr [ebp-14]
:0040809E 03D2
add edx, edx
:004080A0 0FB6941557FFFFFF movzx edx, byte ptr [ebp+edx-000000A9]
:004080A8 03C2
add eax, edx
:004080AA 8B55EC
mov edx, dword ptr [ebp-14]
:004080AD 03D2
add edx, edx
:004080AF 0FB6941543FFFFFF movzx edx, byte ptr [ebp+edx-000000BD]
:004080B7 03C2
add eax, edx
:004080B9 25FF000000 and eax,
000000FF
:004080BE 8B55F4
mov edx, dword ptr [ebp-0C]
:004080C1 8B4DEC
mov ecx, dword ptr [ebp-14]
:004080C4 88040A
mov byte ptr [edx+ecx], al //保存生成的注册码
:004080C7 FF45EC
inc [ebp-14]
:004080CA 837DEC0A cmp
dword ptr [ebp-14], 0000000A //注册码共20个字符(10个字节)
:004080CE 75C0
jne 00408090
:004080D0 8BE5
mov esp, ebp
:004080D2 5D
pop ebp
:004080D3 C3
ret
5、从原子表中取出我们输入的假RegCode:
:00422778 8D4597
lea eax, dword ptr [ebp-69]
:0042277B 50
push eax
:0042277C A1A4564200 mov eax,
dword ptr [004256A4]
:00422781 668B00
mov ax, word ptr [eax]
:00422784 50
push eax
* Reference To: kernel32.GetAtomNameA, Ord:0000h
|
:00422785 E8161FFEFF Call 004046A0
6、将假RegCode每两个字符转换成一个字节:
* Referenced by a CALL at Address:
|:004227DF
|
:004080DC 55
push ebp
:004080DD 8BEC
mov ebp, esp
:004080DF 83C4EC
add esp, FFFFFFEC
:004080E2 8955F8
mov dword ptr [ebp-08], edx
:004080E5 8945FC
mov dword ptr [ebp-04], eax
:004080E8 33C0
xor eax, eax
:004080EA 8945F0
mov dword ptr [ebp-10], eax
:004080ED C645EF00 mov
[ebp-11], 00
:004080F1 33C0
xor eax, eax
:004080F3 8945F4
mov dword ptr [ebp-0C], eax
:004080F6 8B45F8
mov eax, dword ptr [ebp-08]
:004080F9 33C9
xor ecx, ecx
|
:004080FB BA0A000000 mov edx,
0000000A //10字节
:00408100 E827A5FFFF call 0040262C
:00408105 C645ED01 mov
[ebp-13], 01
:00408109 EB66
jmp 00408171
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040817C(C)
|
:0040810B 8B45F4
mov eax, dword ptr [ebp-0C]
:0040810E 8B55FC
mov edx, dword ptr [ebp-04]
:00408111 803C022D cmp
byte ptr [edx+eax], 2D
:00408115 7457
je 0040816E
:00408117 8B45F4
mov eax, dword ptr [ebp-0C]
:0040811A 8B55FC
mov edx, dword ptr [ebp-04]
:0040811D 803C0239 cmp
byte ptr [edx+eax], 39
:00408121 7710
ja 00408133
:00408123 8B45F4
mov eax, dword ptr [ebp-0C]
:00408126 8B55FC
mov edx, dword ptr [ebp-04]
:00408129 8A0402
mov al, byte ptr [edx+eax]
:0040812C 2C30
sub al, 30
:0040812E 8845EE
mov byte ptr [ebp-12], al
:00408131 EB10
jmp 00408143
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408121(C)
|
:00408133 8B45F4
mov eax, dword ptr [ebp-0C]
:00408136 8B55FC
mov edx, dword ptr [ebp-04]
:00408139 8A0402
mov al, byte ptr [edx+eax]
:0040813C 2C41
sub al, 41
:0040813E 0408
add al, 08
:00408140 8845EE
mov byte ptr [ebp-12], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408131(U)
|
:00408143 807DED00 cmp
byte ptr [ebp-13], 00
:00408147 740C
je 00408155
:00408149 8A45EE
mov al, byte ptr [ebp-12]
:0040814C 8845EF
mov byte ptr [ebp-11], al
:0040814F C645ED00 mov
[ebp-13], 00
:00408153 EB19
jmp 0040816E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408147(C)
|
:00408155 8B45F8
mov eax, dword ptr [ebp-08]
:00408158 8B55F0
mov edx, dword ptr [ebp-10]
:0040815B 8A4DEE
mov cl, byte ptr [ebp-12]
:0040815E C1E104
shl ecx, 04
:00408161 024DEF
add cl, byte ptr [ebp-11]
:00408164 880C10
mov byte ptr [eax+edx], cl //保存转换结果
:00408167 FF45F0
inc [ebp-10]
:0040816A C645ED01 mov
[ebp-13], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408115(C), :00408153(U)
|
:0040816E FF45F4
inc [ebp-0C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408109(U)
|
:00408171 8B45FC
mov eax, dword ptr [ebp-04]
:00408174 E8D3CDFFFF call 00404F4C
:00408179 3B45F4
cmp eax, dword ptr [ebp-0C]
:0040817C 778D
ja 0040810B
//循环
:0040817E 8BE5
mov esp, ebp
:00408180 5D
pop ebp
:00408181 C3
ret
7、比较真假RegCode:
:004227E4 33C0
xor eax, eax
:004227E6 8945F0
mov dword ptr [ebp-10], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042280F(C)
|
:004227E9 8B45F0
mov eax, dword ptr [ebp-10]
:004227EC 8A4405C9 mov
al, byte ptr [ebp+eax-37]
:004227F0 8B55F0
mov edx, dword ptr [ebp-10]
:004227F3 8B4DFC
mov ecx, dword ptr [ebp-04]
:004227F6 3A441168 cmp
al, byte ptr [ecx+edx+68] //比较一个字节
:004227FA 7506
jne 00422802
:004227FC C645DF01 mov
[ebp-21], 01 //good guy
:00422800 EB06
jmp 00422808
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004227FA(C)
|
:00422802 C645DF00 mov
[ebp-21], 00 //bad guy
:00422806 EB09
jmp 00422811
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422800(U)
|
:00422808 FF45F0
inc [ebp-10]
:0042280B 837DF00A cmp
dword ptr [ebp-10], 0000000A //循环比较10个字节
:0042280F 75D8
jne 004227E9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422806(U)
|
:00422811 8B45FC
mov eax, dword ptr [ebp-04]
:00422814 C6407300 mov
[eax+73], 00
:00422818 8B45FC
mov eax, dword ptr [ebp-04]
:0042281B C6407201 mov
[eax+72], 01
:0042281F 807DDF00 cmp
byte ptr [ebp-21], 00 //bad guy?
:00422823 740A
je 0042282F
* Possible StringData Ref from Code Obj ->"sdf"
|
:00422825 686C284200 push 0042286C
//注册与否的标志!
* Reference To: kernel32.AddAtomA, Ord:0000h
|
:0042282A E8191EFEFF Call 00404648
可见关键的断点是GetAtomNameA( )。
BF