MouseStar 3.0
00491C0B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00491C0E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00491C11 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00491C14 |. 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00491C1A |. E8 05A0F9FF CALL MOUSESTA.0042BC24
00491C1F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00491C22 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00491C25 |. E8 2E64F7FF CALL MOUSESTA.00408058
00491C2A |. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
00491C2D |. A1 98AB4900 MOV EAX,DWORD PTR DS:[49AB98]
00491C32 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00491C34 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ;EDX=JJXME
00491C37 |. E8 04540000 CALL MOUSESTA.00497040 ; F8, step in
00491C3C |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00491C3F |. 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00491C45 |. E8 DA9FF9FF CALL MOUSESTA.0042BC24
00491C4A |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00491C4D |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00491C50 |. E8 0364F7FF CALL MOUSESTA.00408058
00491C55 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00491C58 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00491C5B |. E8 4C22F7FF CALL MOUSESTA.00403EAC
00491C60 |. 0F85 8F000000 JNZ MOUSESTA.00491CF5
CALL MOUSESTA.00497040
00497040 /$ 55 PUSH EBP
00497041 |. 8BEC MOV EBP,ESP
00497043 |. 6A 00 PUSH 0
00497045 |. 6A 00 PUSH 0
00497047 |. 6A 00 PUSH 0
00497049 |. 6A 00 PUSH 0
0049704B |. 6A 00 PUSH 0
0049704D |. 6A 00 PUSH 0
0049704F |. 6A 00 PUSH 0
00497051 |. 53 PUSH EBX
00497052 |. 8BD9 MOV EBX,ECX
00497054 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00497057 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049705A |. E8 F1CEF6FF CALL MOUSESTA.00403F50
0049705F |. 33C0 XOR EAX,EAX
00497061 |. 55 PUSH EBP
00497062 |. 68 E8704900 PUSH MOUSESTA.004970E8
00497067 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049706A |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049706D |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00497070 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00497073 |. E8 E00FF7FF CALL MOUSESTA.00408058
00497078 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0049707B |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0049707E |. E8 C50DF7FF CALL MOUSESTA.00407E48
00497083 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00497086 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00497089 |. B9 FC704900 MOV ECX,MOUSESTA.004970FC ASCII "delphi"
0049708E |. E8 55CDF6FF CALL MOUSESTA.00403DE8
00497093 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00497096 |. BA 0C714900 MOV EDX,MOUSESTA.0049710C ASCII "MagicUtils"
0049709B |. E8 14CBF6FF CALL MOUSESTA.00403BB4
004970A0 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004970A3 |. BA 20714900 MOV EDX,MOUSESTA.00497120 ASCII "zhiyuan"
004970A8 |. E8 07CBF6FF CALL MOUSESTA.00403BB4
004970AD |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004970B0 |. BA 30714900 MOV EDX,MOUSESTA.00497130 ASCII "3.0"
004970B5 |. E8 FACAF6FF CALL MOUSESTA.00403BB4
004970BA |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004970BD |. 50 PUSH EAX
004970BE |. 53 PUSH EBX
004970BF |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] ; ECX= zhiyuan
004970C2 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; EDX= MagicUtils
004970C5 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX= JJXMEdelphi
004970C8 |. E8 7F90FFFF CALL MOUSESTA.0049014C ; F8, step in
004970CD |. 33C0 XOR EAX,EAX
004970CF |. 5A POP EDX MOUSESTA.00497130
004970D0 |. 59 POP ECX
004970D1 |. 59 POP ECX
004970D2 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004970D5 |. 68 EF704900 PUSH MOUSESTA.004970EF
004970DA |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004970DD |. BA 07000000 MOV EDX,7
004970E2 |. E8 59CAF6FF CALL MOUSESTA.00403B40
004970E7 \. C3 RETN
CALL MOUSESTA.0049014C
0049014C /$ 55 PUSH EBP
0049014D |. 8BEC MOV EBP,ESP
0049014F |. 83C4 EC ADD ESP,-14
00490152 |. 53 PUSH EBX
00490153 |. 33DB XOR EBX,EBX
00490155 |. 895D EC MOV DWORD PTR SS:[EBP-14],EBX
00490158 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0049015B |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0049015E |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00490161 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00490164 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00490167 |. E8 E43DF7FF CALL MOUSESTA.00403F50
0049016C |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049016F |. E8 DC3DF7FF CALL MOUSESTA.00403F50
00490174 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00490177 |. E8 D43DF7FF CALL MOUSESTA.00403F50
0049017C |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0049017F |. E8 CC3DF7FF CALL MOUSESTA.00403F50
00490184 |. 33C0 XOR EAX,EAX
00490186 |. 55 PUSH EBP
00490187 |. 68 F2014900 PUSH MOUSESTA.004901F2
0049018C |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049018F |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00490192 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
00490195 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00490198 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0049019B |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
0049019E |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004901A1 |. 50 PUSH EAX
004901A2 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901A5 |. 50 PUSH EAX
004901A6 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004901A9 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004901AC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004901AF |. E8 80FDFFFF CALL MOUSESTA.0048FF34
004901B4 |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
004901B7 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004901BA |. BA 05000000 MOV EDX,5
004901BF |. E8 983CF7FF CALL MOUSESTA.00403E5C
004901C4 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004901C7 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; EAX=JJXMEdelphiMagicUtilszhiyuan3.0.Wl?Pmq]z\
004901CA |. E8 31000000 CALL MOUSESTA.00490200 ; F8, step in
004901CF |. 33C0 XOR EAX,EAX
004901D1 |. 5A POP EDX
004901D2 |. 59 POP ECX
004901D3 |. 59 POP ECX
004901D4 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004901D7 |. 68 F9014900 PUSH MOUSESTA.004901F9
004901DC |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901DF |. BA 05000000 MOV EDX,5
004901E4 |. E8 5739F7FF CALL MOUSESTA.00403B40
004901E9 |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
004901EC |. E8 2B39F7FF CALL MOUSESTA.00403B1C
004901F1 \. C3 RETN
CALL MOUSESTA.00490200
00490200 /$ 55 PUSH EBP
00490201 |. 8BEC MOV EBP,ESP
00490203 |. 83C4 F4 ADD ESP,-0C
00490206 |. 53 PUSH EBX
00490207 |. 56 PUSH ESI
00490208 |. 33C9 XOR ECX,ECX
0049020A |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0049020D |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00490210 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00490213 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00490216 |. E8 353DF7FF CALL MOUSESTA.00403F50
0049021B |. 33C0 XOR EAX,EAX
0049021D |. 55 PUSH EBP
0049021E |. 68 9F024900 PUSH MOUSESTA.0049029F
00490223 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00490226 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00490229 |. 33DB XOR EBX,EBX ;EBX=0
0049022B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; EAX=JJXMEdelphiMagicUtilszhiyuan3.0.Wl?Pmq]z\
0049022E |. E8 693BF7FF CALL MOUSESTA.00403D9C ; get the string length
00490233 |. 85C0 TEST EAX,EAX ; EAX=0x29
00490235 |. 7E 2C JLE SHORT MOUSESTA.00490263
00490237 |. BE 01000000 MOV ESI,1 ; ESI=1, used as the character index
0049023C |> 8B55 FC /MOV EDX,DWORD PTR SS:[EBP-4] ; [EDX]=JJXMEdelphiMagicUtilszhiyuan3.0.Wl?Pmq]z\
0049023F |. 8A5432 FF |MOV DL,BYTE PTR DS:[EDX+ESI-1] ; take the 1st character into DL: DL=Asc("J")=4AH
00490243 |. 32D3 |XOR DL,BL ; DL=DL xor BL
00490245 |. 81E2 FF000000 |AND EDX,0FF ; EDX=EDX and 0ff (clear the high bits) => EDX=DL
0049024B |. 8B1495 74A6490>|MOV EDX,DWORD PTR DS:[EDX*4+49A674] ; EDX=[EDX*4+49A674]; 49A674 is a lookup table in memory, not listed here
00490252 |. C1EB 08 |SHR EBX,8 ; EBX=EBX shifted right by 8 bits
00490255 |. 81E3 FFFFFF00 |AND EBX,0FFFFFF ; EBX=EBX and 0ffffff
0049025B |. 33D3 |XOR EDX,EBX ; EDX=EDX xor EBX
0049025D |. 8BDA |MOV EBX,EDX ; EBX=EDX
0049025F |. 46 |INC ESI ; ESI+1
00490260 |. 48 |DEC EAX ; EAX-1
00490261 |.^75 D9 \JNZ SHORT MOUSESTA.0049023C ; string exhausted? if not, fetch the next character
00490263 |> 8BC3 MOV EAX,EBX ; here "? EBX" gives the correct registration code.
; the hex digits A-F all have to be changed to lower case
; that is done inside 00491C50 |. E8 0364F7FF CALL MOUSESTA.00408058, but the algorithm is the same
00490265 |. 33D2 XOR EDX,EDX
00490267 |. 52 PUSH EDX /Arg2 => 00000000
00490268 |. 50 PUSH EAX |Arg1
00490269 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] |
0049026C |. B8 08000000 MOV EAX,8 |
00490271 |. E8 C67EF7FF CALL MOUSESTA.0040813C \MOUSESTA.0040813C
00490276 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00490279 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049027C |. E8 037CF7FF CALL MOUSESTA.00407E84
00490281 |. 33C0 XOR EAX,EAX
00490283 |. 5A POP EDX
00490284 |. 59 POP ECX
00490285 |. 59 POP ECX
00490286 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00490289 |. 68 A6024900 PUSH MOUSESTA.004902A6
0049028E |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00490291 |. E8 8638F7FF CALL MOUSESTA.00403B1C
00490296 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00490299 |. E8 7E38F7FF CALL MOUSESTA.00403B1C
0049029E \. C3 RETN
In summary, the basic algorithm is:
1. string = username + delphiMagicUtilszhiyuan3.0.Wl?Pmq]z\
2. Take each character a of the string in turn and compute as follows; each result goes into EBX (initially 0), which we call b:
a xor bl => dl
b = [dl*4+49A674] XOR ((b>>8) and 0ffffff)
Loop until the string is exhausted.
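The loop traced above, written out in Python as an added example (not code from the original post or from the program's author): the per-byte update "table[(b xor a) and 0ff] xor (b >> 8)" with EBX starting at 0 is the byte-wise, table-driven CRC-32 update without the usual initial value and final complement. The 256-entry table at 49A674 is not reproduced in the post, so the standard reflected CRC-32 table (polynomial 0xEDB88320) is assumed here, as is the reading of the call at 0049026C..00490271 (digit count 8 in EAX) as 8-digit hex formatting; the example shows the textbook CRC-32 falls out of the same loop once those two constants are changed.

```python
# Added example, not from the original post. The table at 49A674 is ASSUMED to be
# the standard CRC-32 table (polynomial 0xEDB88320); swap in a dump of the real
# table if the binary uses a custom one.
POLY = 0xEDB88320


def make_table(poly=POLY):
    """Build the 256 x 32-bit table the code indexes with [EDX*4+49A674]."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()


def crc_update(crc, data, table=TABLE):
    """One pass of the loop at 0049023C..00490261, one iteration per byte."""
    for a in data:
        idx = (crc ^ a) & 0xFF                         # XOR DL,BL ; AND EDX,0FF
        crc = table[idx] ^ ((crc >> 8) & 0x00FFFFFF)   # SHR EBX,8 ; AND EBX,0FFFFFF ; XOR EDX,EBX
    return crc


def traced_checksum(data):
    """The traced variant: EBX starts at 0 (XOR EBX,EBX) and nothing is XORed at the end."""
    return crc_update(0, data)


def format_as_code(value):
    """8 hex digits, lower-cased, as the post describes the final string."""
    return f"{value & 0xFFFFFFFF:08x}"


def standard_crc32(data):
    """Textbook CRC-32: same loop, but init 0xFFFFFFFF and a final complement."""
    return crc_update(0xFFFFFFFF, data) ^ 0xFFFFFFFF


if __name__ == "__main__":
    sample = b"constructed sample input"          # constructed, not a real user name
    print(format_as_code(traced_checksum(sample)))
    print(hex(standard_crc32(b"123456789")))      # 0xcbf43926, the CRC-32 check value
```

Because the input is a user-visible name plus a constant and the transform is a public checksum, anyone who reads the binary can recompute the expected value; a check that must resist this needs a secret the binary does not carry, such as a signature verified with an embedded public key.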
This is my first time tracing an algorithm, so there may be mistakes; I would welcome any corrections.
Thanks!