浩晖清洁工V1.00是一款清除Windows系统运行时产生的临时文件,以增加
硬盘可用空间的免费软件.软件不需要注册费,是免费的哦!如果你对这个软件
感兴趣的话,可以到网上搜索一下下!
虽说是免费的,但是启动的时候弹出的注册对话框还是很烦人的!
程序由 Borland 公司的 Delphi 编写。在注册码比较的地方下断,我们找到关键的代码:
; Caller side (OllyDbg listing of the Delphi target): computes the expected key
; from the machine code and compares it with what the user typed.
004A3BCE . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX = [EBP-8] (the typed key, per the POP EAX below - presumably)
004A3BD1 . 50 PUSH EAX ; keep it across the two calls
004A3BD2 . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004A3BD5 . 8B83 F4020000 MOV EAX,DWORD PTR DS:[EBX+2F4]
004A3BDB . E8 E84AFAFF CALL CLEANER.004486C8 ; reads a control's text into [EBP-10] (RTL helper not identified)
004A3BE0 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; EAX -> machine-code string (input of the key routine)
004A3BE3 . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] ; EDX -> slot that will receive the computed key
004A3BE6 . E8 09F9FFFF CALL CLEANER.004A34F4 ; KEY ROUTINE: machine code -> expected key (traced below)
004A3BEB . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; EDX -> computed ("real") key: "d edx" in OllyDbg shows it
004A3BEE . 58 POP EAX ; EAX -> the key the user typed: "d eax" shows it
004A3BEF . E8 0C0CF6FF CALL CLEANER.00404800 ; Delphi string compare (presumably LStrCmp) - the classic pattern
004A3BF4 . 0F85 9D000000 JNZ CLEANER.004A3C97 ; not equal -> jump away (registration rejected, presumably)
好了,到这里已经可以做内存注册机了(在 004A3BEB 处 d edx 就能看到正确的注册码)。不过要写出真正的注册机,还得弄清注册码是怎么算出来的:上面 004A3BE6 处的 call 是关键 call,所以我们跟了进去.
; Key routine CLEANER.004A34F4 (Delphi register convention: EAX = machine code,
; EDX = out string). Builds s = "HowWell Cleaner" + machine code and replaces
; every character in place by a table lookup. Listing is cut off at 004A3586.
004A34F4 /$ 55 PUSH EBP
004A34F5 |. 8BEC MOV EBP,ESP
004A34F7 |. 83C4 F0 ADD ESP,-10 ; four dword locals: [EBP-4]..[EBP-10]
004A34FA |. 53 PUSH EBX
004A34FB |. 56 PUSH ESI
004A34FC |. 57 PUSH EDI
004A34FD |. 33C9 XOR ECX,ECX
004A34FF |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX ; [EBP-C] = table string (nil until assigned below)
004A3502 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX ; [EBP-10] = working string s
004A3505 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX ; [EBP-8] = out-param (caller passed LEA EDX,[EBP-C])
004A3508 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; [EBP-4] = machine-code string
004A350B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A350E |. E8 9113F6FF CALL CLEANER.004048A4 ; Delphi RTL string helper on the input (name not recovered)
004A3513 |. 33C0 XOR EAX,EAX
004A3515 |. 55 PUSH EBP
004A3516 |. 68 B1354A00 PUSH CLEANER.004A35B1
004A351B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004A351E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP ; install SEH frame (Delphi try/finally, handler at 004A35B1)
004A3521 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004A3524 |. BA C8354A00 MOV EDX,CLEANER.004A35C8 ; ASCII "0123456789ABCDEFGHIJ0123456789KLMNOPQRST0123456789UVWXYZabcd0123456789efghijklmn0123456789opqrstuvwx0123456789yz"
004A3529 |. E8 6E0FF6FF CALL CLEANER.0040449C ; [EBP-C] := the 112-character table (presumably LStrAsg)
004A352E |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004A3531 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004A3534 |. BA 44364A00 MOV EDX,CLEANER.004A3644 ; ASCII "HowWell Cleaner"
004A3539 |. E8 CA11F6FF CALL CLEANER.00404708 ; concatenate: [EBP-10] = "HowWell Cleaner" + machine code
004A353E |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004A3541 |. E8 7611F6FF CALL CLEANER.004046BC ; EAX = length of the concatenated string
004A3546 |. 8BF0 MOV ESI,EAX ; ESI = characters left to process
004A3548 |. 85F6 TEST ESI,ESI
004A354A |. 7E 37 JLE SHORT CLEANER.004A3583 ; empty string -> skip the loop
004A354C |. BB 01000000 MOV EBX,1 ; EBX = 1-based position i
004A3551 |> 8B45 F0 /MOV EAX,DWORD PTR SS:[EBP-10]
004A3554 |. 0FB67C18 FF |MOVZX EDI,BYTE PTR DS:[EAX+EBX-1] ; EDI = s[i], ZERO-extended (a keygen must use MOVZX too)
004A3559 |. 8D049B |LEA EAX,DWORD PTR DS:[EBX+EBX*4] ; EAX = 5*i
004A355C |. 03F8 |ADD EDI,EAX ; EDI = s[i] + 5*i
004A355E |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
004A3561 |. E8 A613F6FF |CALL CLEANER.0040490C ; make s writable before the in-place store (presumably UniqueString)
004A3566 |. 8D4418 FF |LEA EAX,DWORD PTR DS:[EAX+EBX-1] ; EAX -> s[i], the output slot
004A356A |. 50 |PUSH EAX ; save the output slot address
004A356B |. 8BC7 |MOV EAX,EDI
004A356D |. B9 71000000 |MOV ECX,71 ; 0x71 = 113 = table length (112) + 1
004A3572 |. 99 |CDQ
004A3573 |. F7F9 |IDIV ECX ; EDX = (s[i] + 5*i) mod 113, in 0..112
004A3575 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C] ; EAX -> the table string
004A3578 |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1] ; AL = table[EDX], 1-based; EDX = 0 reads the byte before the table
004A357C |. 5A |POP EDX ; EDX -> output slot
004A357D |. 8802 |MOV BYTE PTR DS:[EDX],AL ; s[i] = looked-up character
004A357F |. 43 |INC EBX ; next position
004A3580 |. 4E |DEC ESI ; one fewer character remaining
004A3581 |.^75 CE JNZ SHORT CLEANER.004A3551
004A3583 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX -> out-param slot
004A3586 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; EDX -> transformed string (result assignment follows; listing ends here)
这个算法并不难:注册码就是把 "HowWell Cleaner"+机器码 逐字符做一次固定的查表替换——索引 = 字符值 + 5×位置,再对 0x71 取余,然后到密码表里取值。整个过程没有任何秘密参数,只要知道机器码就能直接算出注册码。
所以用 Win32Asm 写注册机是一个好办法,比较容易写出来(注意取字符要用 movzx,和原程序一致):
; ---- assembler options (MASM32, 32-bit flat model, Win32 stdcall) ----
.486 ; create 32 bit code
.model flat, stdcall ; 32 bit memory model
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\gdi32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\Comctl32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\shell32.inc
include \masm32\include\oleaut32.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\Comctl32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\oleaut32.lib
ICO_MAIN equ 1000h ; icon resource id
DLG_MAIN equ 1 ; dialog template resource id (passed as MAKEINTRESOURCE)
IDGENERATE equ 1002 ; "generate" button
REGNAME equ 1003 ; edit control: machine code (input)
REGKEY equ 1004 ; edit control: generated key (output)
IDC_EDITNAME equ 3000 ; control focused at WM_INITDIALOG; NOTE(review): not one of the ids above - confirm it exists in the .rc
; ---- data ----
.data?
hInstance dd ?
nLen dd ? ; unused
KeyName db 50 dup(?) ; machine code read from REGNAME (GetDlgItemText is bounded by sizeof KeyName)
KeyReg db 50 dup(?) ; unused
KRealKey db 120 dup(?) ; generated key; Generate writes len(Standard)+len(KeyName) <= 64 bytes
.data
Standard db 'HowWell Cleaner',0 ; prefix the target prepends to the machine code
Mima db '0123456789ABCDEFGHIJ0123456789KLMNOPQRST0123456789UVWXYZabcd0123456789efghijklmn0123456789opqrstuvwx0123456789yz',0 ; 112-char table; keep directly after Standard - a table index of 0 reads the NUL that precedes it
.code
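Generate proc hWnd
    ; Generate - derive the registration key for the machine code held in the
    ; global KeyName and store it, NUL-terminated, in the global KRealKey.
    ;
    ; Mirrors the target's routine at CLEANER.004A34F4:
    ;   s      = "HowWell Cleaner" + KeyName
    ;   out[i] = Mima[((s[i] + 5*i) mod 71h) - 1]      for i = 1..len(s)
    ; Mima is the 112-character table and 71h = 113 = len(Mima) + 1, so a
    ; remainder of 0 addresses the byte just before Mima (see the .data layout).
    ;
    ; In:    hWnd     - dialog handle (only used for the REGKEY preview below)
    ;        KeyName  - global, NUL-terminated machine code (at most 49 chars)
    ; Out:   KRealKey - global, NUL-terminated key (at most 15 + 49 = 64 chars)
    ; Clobb: none - every register is saved by pushad/popad; no return value
    ; Stack: two 120-byte locals
    local KKeyName[120]:byte
    local KKeyGen[120]:byte
    pushad
    invoke lstrlen, addr KeyName
    cmp eax,0
    jle gen_empty                              ; no machine code -> emit an empty key
    invoke SetDlgItemText,hWnd,REGKEY,addr KeyName ; leftover preview; the caller overwrites REGKEY with KRealKey right after
    invoke lstrcpy,addr KKeyName,addr KeyName  ; work on a local copy so the global KeyName is never modified
    invoke lstrcpy,addr KKeyGen,addr Standard  ; KKeyGen = "HowWell Cleaner"
    invoke lstrcat,addr KKeyGen,addr KKeyName  ; KKeyGen = "HowWell Cleaner" + machine code (<= 64 + NUL, fits 120)
    invoke lstrlen, addr KKeyGen
    mov esi,eax                                ; esi = characters left to process (> 0 here)
    mov ebx,1                                  ; ebx = 1-based position i, exactly as the target counts
gen_next:
    lea eax,KKeyGen
    movzx edi, byte ptr [eax+ebx-1]            ; edi = s[i], ZERO-extended like the target's MOVZX at 004A3554;
                                               ; the former MOVSX went negative for bytes >= 80h and indexed before Mima
    lea eax,[ebx+ebx*4]                        ; eax = 5*i
    add edi,eax                                ; edi = s[i] + 5*i, always >= 0
    mov eax,edi
    mov ecx,71H                                ; 113 = len(Mima) + 1
    cdq
    idiv ecx                                   ; edx = (s[i] + 5*i) mod 113, in 0..112
    lea eax,Mima
    mov al,[eax+edx-1]                         ; Mima[edx], 1-based. edx = 0 reads the byte before Mima, i.e. the NUL
                                               ; terminating Standard; the target reads the byte before its string
                                               ; literal there (presumably also 0) - NOTE(review): not confirmed, and
                                               ; such a key contains a NUL and is cut short when displayed
    mov [KRealKey+ebx-1],al
    inc ebx
    dec esi
    jnz gen_next
    mov byte ptr [KRealKey+ebx-1],0            ; ebx == len+1 here: terminate so a shorter name never shows a stale tail
    jmp gen_done
gen_empty:
    mov byte ptr [KRealKey],0                  ; empty input -> empty key instead of the previous result
gen_done:
    popad
    ret
Generate endp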
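ProcDlgMain proc hWnd,wMsg,wParam,lParam
    ; ProcDlgMain - dialog procedure for DLG_MAIN (stdcall, called by the dialog manager).
    ;   WM_INITDIALOG - sets the window icon and puts the focus on IDC_EDITNAME
    ;   WM_COMMAND    - IDOK closes; IDGENERATE reads REGNAME into KeyName,
    ;                   runs Generate and shows KRealKey in REGKEY
    ;   WM_CLOSE      - EndDialog
    ; Returns: TRUE when the message was handled, FALSE otherwise; FALSE from
    ;          WM_INITDIALOG when the focus was set here (dialog-procedure contract).
    mov eax,wMsg
    .if eax==WM_CLOSE
        invoke EndDialog,hWnd,NULL
    .elseif eax==WM_INITDIALOG
        invoke LoadIcon,hInstance,ICO_MAIN
        invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
        invoke GetDlgItem,hWnd,IDC_EDITNAME
        .if eax!=NULL
            invoke SetFocus,eax              ; the original passed hWnd here, discarding the handle just fetched
            mov eax,FALSE                    ; FALSE: we set the focus ourselves, do not let the manager override it
            ret
        .endif
        ; IDC_EDITNAME not found (TODO confirm the id against the .rc): fall through to
        ; TRUE so the dialog manager focuses the first control in tab order
    .elseif eax==WM_COMMAND
        mov eax,wParam
        .if ax==IDOK                         ; low word = control id
            invoke EndDialog,hWnd,NULL
        .elseif ax==IDGENERATE
            invoke GetDlgItemText,hWnd,REGNAME,addr KeyName,sizeof KeyName ; bounded copy, always NUL-terminated
            invoke Generate,hWnd
            invoke SetDlgItemText,hWnd,REGKEY,addr KRealKey
        .endif
    .else
        mov eax,FALSE                        ; not handled
        ret
    .endif
    mov eax,TRUE
    ret
ProcDlgMain endp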
start:
; ---- entry point ----
invoke GetModuleHandle,NULL
mov hInstance,eax ; module handle; ProcDlgMain uses it to load ICO_MAIN
invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset ProcDlgMain,NULL ; modal main dialog; returns when ProcDlgMain calls EndDialog
invoke ExitProcess,NULL
; ---- end of module ----
end start