BootStar V6.02是一款能够控制多操作系统的软件,看雪学院<<论坛精华四>>里面
有arbiter[CCG]写的BootStar v7.33 keygen in pure win32asm的注册机,但是没
有分析过程.碰巧我有BootStar V6.02的版本,所以就把分析过程写了出来.如果你想
练手可以到http://www.star-tools.com下载新的版本.
首先检查是UPX的壳,脱掉!我们输入下面的信息:
User-ID:dengkeng[DFCG]
Key:123-45678-9ABCD-EFGH
这个是指定的格式输入,因为如果你输入错误的话,它会告诉你出错了,然后在Key
这一栏里面用***-*****-*****-****这个格式表示出来,告诉你输入的正确格式.
我们跟踪到如下关键点:(4AB02D)
004AB02D |. FF51 14 CALL DWORD PTR DS:[ECX+14]
004AB030 |. 8BD8 MOV EBX,EAX
004AB032 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004AB035 |. E8 2E8CF5FF CALL BSWIN.00403C68
004AB03A |. 80FB 05 CMP BL,5
004AB03D |. 75 10 JNZ SHORT BSWIN.004AB04F
004AB03F |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004AB042 |. 8B15 D0494B00 MOV EDX,DWORD PTR DS:[4B49D0] ; BSWIN.004ADBF4
004AB048 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
004AB04A |. E8 B18CF5FF CALL BSWIN.00403D00
004AB04F |> 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004AB052 |. 8BD3 MOV EDX,EBX
004AB054 |. 66:B8 1C00 MOV AX,1C
004AB058 |. E8 ABE6FDFF CALL BSWIN.00489708
004AB05D |> 84DB TEST BL,BL
004AB05F |. 75 34 JNZ SHORT BSWIN.004AB095
004AB061 |. 8D4D FF LEA ECX,DWORD PTR SS:[EBP-1]
004AB064 |. A1 284F4B00 MOV EAX,DWORD PTR DS:[4B4F28]
004AB069 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004AB06B |. 8D90 EC020000 LEA EDX,DWORD PTR DS:[EAX+2EC]
004AB071 |. 8B86 8C040000 MOV EAX,DWORD PTR DS:[ESI+48C]
004AB077 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004AB079 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
004AB07B |. FF53 10 CALL DWORD PTR DS:[EBX+10]
004AB07E |. 8BD8 MOV EBX,EAX
004AB080 |. 807D FF 00 CMP BYTE PTR SS:[EBP-1],0
004AB084 |. 75 02 JNZ SHORT BSWIN.004AB088
004AB086 |. B3 54 MOV BL,54 ;用于下面的Call的比较!
004AB088 |> 33C9 XOR ECX,ECX
004AB08A |. 8BD3 MOV EDX,EBX
004AB08C |. 66:B8 1D00 MOV AX,1D
004AB090 |. E8 73E6FDFF CALL BSWIN.00489708 ;这里提示出错!需要跟进:
004AB095 |> 33C0 XOR EAX,EAX
我们跟进4AB090的Call:
00489708 /$ 55 PUSH EBP
00489709 |. 8BEC MOV EBP,ESP
.....
.....
.....
0048973C |. 83F8 54 CMP EAX,54 ; Switch (cases 2..E4)
0048973F |. 7F 39 JG SHORT BSWIN.0048977A
00489741 |. 0F84 64010000 JE BSWIN.004898AB ;如果相等则出错了!
.....
.....省略了
.....
所以在4AB090上面的几个Call十分的重要,我们需要跟进!
经过跟踪分析4AB02D处的Call重要所以我们进入:
0046B148 /. 55 PUSH EBP
0046B149 |. 8BEC MOV EBP,ESP
.....
.....
.....
0046B18D |. 8D55 F3 LEA EDX,DWORD PTR SS:[EBP-D]
0046B190 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0046B193 |. E8 28EFFFFF CALL BSWIN.0046A0C0 ;重要,F7跟入
我们进入46B193处的Call
0046A0C0 /$ 55 PUSH EBP
0046A0C1 |. 8BEC MOV EBP,ESP
.....
.....省略若干行
.....
0046A0FD |. C606 00 MOV BYTE PTR DS:[ESI],0
0046A100 |. 8BD6 MOV EDX,ESI
0046A102 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0046A105 |. E8 DE85FEFF CALL BSWIN.004526E8 ;F7跟进
按照上面的0046A105处,跟进
004526E8 /$ 55 PUSH EBP
004526E9 |. 8BEC MOV EBP,ESP
004526EB |. 83C4 D8 ADD ESP,-28
.....
.....
.....
0045272B |. E8 A0FBFFFF CALL BSWIN.004522D0
00452730 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452733 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00452736 |. E8 E162FBFF CALL BSWIN.00408A1C ;把输入的名字的小写转换成大写
0045273B |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0045273E |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
.....
.....省略若干行
.....
0045279E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004527A1 |. E8 3E17FBFF CALL BSWIN.00403EE4 ;求名字的长度
004527A6 |. 83F8 0A CMP EAX,0A ;是否大于等于10个
004527A9 |. 7D 04 JGE SHORT BSWIN.004527AF
004527AB |> 33C0 XOR EAX,EAX
004527AD |. EB 02 JMP SHORT BSWIN.004527B1 ;一跳就出错,所以名字必须>=10个
004527AF |> B0 01 MOV AL,1
004527B1 |> 8BD8 MOV EBX,EAX
004527B3 |. 84DB TEST BL,BL
004527B5 |. 74 26 JE SHORT BSWIN.004527DD
004527B7 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004527BA |. 50 PUSH EAX
004527BB |. B9 04000000 MOV ECX,4
004527C0 |. BA 01000000 MOV EDX,1
004527C5 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004527C8 |. E8 1B19FBFF CALL BSWIN.004040E8
004527CD |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ;前4个字符
004527D0 |. BA 802B4500 MOV EDX,BSWIN.00452B80 ;ASCII "BM1-"
004527D5 |. E8 1A18FBFF CALL BSWIN.00403FF4 ;是否相等
004527DA |. 0F94C3 SETE BL ;BL置1
004527DD |> 84DB TEST BL,BL
004527DF |. 74 56 JE SHORT BSWIN.00452837 ;不等则跳走
所以到这里我们可以确定前3位是固定的"BM1-",继续往下:
;算第2部分
004527E1 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004527E4 |. E8 FB16FBFF CALL BSWIN.00403EE4
004527E9 |. 8BD0 MOV EDX,EAX ;名字长度送给EDX
004527EB |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004527EE |. E8 1916FBFF CALL BSWIN.00403E0C
004527F3 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004527F6 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004527F9 |. E8 B2FDFFFF CALL BSWIN.004525B0 ;计算第2部分的关键 @_@
004527FE |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452801 |. 50 PUSH EAX
00452802 |. B9 02000000 MOV ECX,2 ;取的个数
00452807 |. BA 05000000 MOV EDX,5 ;取数的位置
0045280C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ;注册码
0045280F |. E8 D418FBFF CALL BSWIN.004040E8 ;取数,即取"45"
00452814 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ;"45"的地址送入EAX
00452817 |. 50 PUSH EAX ;压入
00452818 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0045281B |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0045281E |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
00452821 |. BA 02000000 MOV EDX,2
00452826 |. E8 9564FBFF CALL BSWIN.00408CC0 ;运算得出两个字符"E0"
0045282B |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;送入EDX中
0045282E |. 58 POP EAX ;刚才压入的谈出
0045282F |. E8 C017FBFF CALL BSWIN.00403FF4 ;比较是否相等
00452834 |. 0F94C3 SETE BL
00452837 |> 84DB TEST BL,BL
00452839 |. 0F84 94000000 JE BSWIN.004528D3
到这里我们可以得出5,6位的值"E0",继续....BM1-E0678-9ABCD-EFGH
;算第3部分
0045283F |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00452842 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00452845 |. E8 B614FBFF CALL BSWIN.00403D00
0045284A |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0045284D |. B9 02000000 MOV ECX,2
00452852 |. BA 07000000 MOV EDX,7
00452857 |. E8 CC18FBFF CALL BSWIN.00404128 ;去掉从7位开始的两个字符,即去掉"67"
0045285C |. 33F6 XOR ESI,ESI
0045285E |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452861 |. E8 7E16FBFF CALL BSWIN.00403EE4 ;计算去掉"67"两个字符后,字符串的长度
00452866 |. 84C0 TEST AL,AL
00452868 |. 76 16 JBE SHORT BSWIN.00452880
0045286A |. B2 01 MOV DL,1
0045286C |> 33C9 /XOR ECX,ECX ;注册码部分参与运算
0045286E |. 8ACA |MOV CL,DL
00452870 |. 8B5D F0 |MOV EBX,DWORD PTR SS:[EBP-10]
00452873 |. 0FB64C0B FF |MOVZX ECX,BYTE PTR DS:[EBX+ECX-1]
00452878 |. 66:03F1 |ADD SI,CX
0045287B |. 42 |INC EDX
0045287C |. FEC8 |DEC AL
0045287E |.^75 EC JNZ SHORT BSWIN.0045286C ;把所有的字符相加,存入SI中
00452880 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452883 |. 8BD6 MOV EDX,ESI ;结果送入EDX中
00452885 |. 66:81E2 FF00 AND DX,0FF ;AND 0FFH
0045288A |. E8 7D15FBFF CALL BSWIN.00403E0C
0045288F |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452892 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00452895 |. E8 16FDFFFF CALL BSWIN.004525B0 ;关键部分,计算第3部分的关键 @_@
0045289A |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0045289D |. 50 PUSH EAX
0045289E |. B9 02000000 MOV ECX,2
004528A3 |. BA 07000000 MOV EDX,7
004528A8 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004528AB |. E8 3818FBFF CALL BSWIN.004040E8 ;从第7位开始在取两位,即"67"
004528B0 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004528B3 |. 50 PUSH EAX
004528B4 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004528B7 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004528BA |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
004528BD |. BA 02000000 MOV EDX,2
004528C2 |. E8 F963FBFF CALL BSWIN.00408CC0
004528C7 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;这里得到另外的两位"BF"
004528CA |. 58 POP EAX ;字符"67"
004528CB |. E8 2417FBFF CALL BSWIN.00403FF4 ;比较是否相等
004528D0 |. 0F94C3 SETE BL
004528D3 |> 84DB TEST BL,BL
004528D5 |. 0F84 8B000000 JE BSWIN.00452966
我们得到了注册码的7,8位,BM1-E0BF8-9ABCD-EFGH
;计算第4部分
004528DB |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004528DE |. B8 902B4500 MOV EAX,BSWIN.00452B90
004528E3 |. E8 E418FBFF CALL BSWIN.004041CC
004528E8 |. 85C0 TEST EAX,EAX
004528EA |. 7E 15 JLE SHORT BSWIN.00452901
004528EC |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004528EF |. B8 902B4500 MOV EAX,BSWIN.00452B90
004528F4 |. E8 D318FBFF CALL BSWIN.004041CC
004528F9 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004528FC |. 8A1C02 MOV BL,BYTE PTR DS:[EDX+EAX]
004528FF |. EB 06 JMP SHORT BSWIN.00452907
00452901 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ;名字的地址给EAX,即"DENGKENG[DFCG]
00452904 |. 8A58 01 MOV BL,BYTE PTR DS:[EAX+1] ;第二个字符的ASCII送入BL,即'E'
00452907 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0045290A |. 50 PUSH EAX
0045290B |. B9 02000000 MOV ECX,2
00452910 |. BA 09000000 MOV EDX,9
00452915 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00452918 |. E8 CB17FBFF CALL BSWIN.004040E8 ;从第9个位置开始取两个,即"8-"
0045291D |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452920 |. 50 PUSH EAX
00452921 |. 8BC3 MOV EAX,EBX
00452923 |. E8 3C01FBFF CALL BSWIN.00402A64
00452928 |. 8BD0 MOV EDX,EAX
0045292A |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0045292D |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL ;即刚才的字符'E'
00452930 |. C600 01 MOV BYTE PTR DS:[EAX],1
00452933 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00452936 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452939 |. E8 1602FBFF CALL BSWIN.00402B54
0045293E |. BA 942B4500 MOV EDX,BSWIN.00452B94
00452943 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452946 |. B1 02 MOV CL,2
00452948 |. E8 D701FBFF CALL BSWIN.00402B24
0045294D |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00452950 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452953 |. E8 3015FBFF CALL BSWIN.00403E88 ;算出9,10两位
00452958 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;"E-",而'E'则是刚才取出的字符'E'
0045295B |. 58 POP EAX ;"8-"
0045295C |. E8 9316FBFF CALL BSWIN.00403FF4 ;相比较
00452961 |. 0F94C0 SETE AL
00452964 |. 8BD8 MOV EBX,EAX
00452966 |> 84DB TEST BL,BL
00452968 |. 0F84 CB000000 JE BSWIN.00452A39
我们得到了9,10两位,注册码BM1-E0BFE-9ABCD-EFGH
;计算第5部分
0045296E |. 33F6 XOR ESI,ESI
00452970 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00452973 |. E8 6C15FBFF CALL BSWIN.00403EE4 ;求名字的长度
00452978 |. 84C0 TEST AL,AL
0045297A |. 76 16 JBE SHORT BSWIN.00452992
0045297C |. B2 01 MOV DL,1
0045297E |> 33C9 /XOR ECX,ECX
00452980 |. 8ACA |MOV CL,DL
00452982 |. 8B5D F8 |MOV EBX,DWORD PTR SS:[EBP-8]
00452985 |. 0FB64C0B FF |MOVZX ECX,BYTE PTR DS:[EBX+ECX-1]
0045298A |. 66:03F1 |ADD SI,CX
0045298D |. 42 |INC EDX
0045298E |. FEC8 |DEC AL
00452990 |.^75 EC JNZ SHORT BSWIN.0045297E ;名字的所有字符求和
00452992 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00452995 |. 8BD6 MOV EDX,ESI ;结果送入EDX中
00452997 |. 66:C1EA 08 SHR DX,8 ;SHR
0045299B |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL ;送入[eax+1]中
0045299E |. C600 01 MOV BYTE PTR DS:[EAX],1
004529A1 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004529A4 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004529A7 |. E8 A801FBFF CALL BSWIN.00402B54
004529AC |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004529AF |. 8BD6 MOV EDX,ESI ;结果送入EDX中
004529B1 |. 66:81E2 FF00 AND DX,0FF
004529B6 |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL
004529B9 |. C600 01 MOV BYTE PTR DS:[EAX],1
004529BC |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004529BF |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004529C2 |. B1 02 MOV CL,2
004529C4 |. E8 5B01FBFF CALL BSWIN.00402B24
004529C9 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004529CC |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004529CF |. E8 B414FBFF CALL BSWIN.00403E88
004529D4 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004529D7 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004529DA |. E8 D1FBFFFF CALL BSWIN.004525B0 ;关键部分,计算第5部分 @_@
004529DF |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004529E2 |. 50 PUSH EAX
004529E3 |. B9 04000000 MOV ECX,4
004529E8 |. BA 0B000000 MOV EDX,0B
004529ED |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004529F0 |. E8 F316FBFF CALL BSWIN.004040E8 ;按位置,再取四个字符,即"9ABC"
004529F5 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004529F8 |. 50 PUSH EAX
004529F9 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004529FC |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004529FF |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ;取出字符
00452A02 |. BA 02000000 MOV EDX,2
00452A07 |. E8 B462FBFF CALL BSWIN.00408CC0
00452A0C |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452A0F |. 50 PUSH EAX
00452A10 |. 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00452A13 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452A16 |. 0FB640 01 MOVZX EAX,BYTE PTR DS:[EAX+1]
00452A1A |. BA 02000000 MOV EDX,2
00452A1F |. E8 9C62FBFF CALL BSWIN.00408CC0
00452A24 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00452A27 |. 58 POP EAX
00452A28 |. E8 BF14FBFF CALL BSWIN.00403EEC ;把刚取得的两个字符连接起来
00452A2D |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;所得的四个字符"EA3C"
00452A30 |. 58 POP EAX ;假的"9ABC"
00452A31 |. E8 BE15FBFF CALL BSWIN.00403FF4 ;相比较
00452A36 |. 0F94C3 SETE BL
00452A39 |> 84DB TEST BL,BL
00452A3B |. 74 60 JE SHORT BSWIN.00452A9D
我们得到了11~14位"EA3C",为:BM1-E0BFE-EA3CD-EFGH
;计算第6部分
00452A3B |. 74 60 JE SHORT BSWIN.00452A9D
00452A3D |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452A40 |. 50 PUSH EAX
00452A41 |. B9 02000000 MOV ECX,2
00452A46 |. BA 0F000000 MOV EDX,0F
00452A4B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00452A4E |. E8 9516FBFF CALL BSWIN.004040E8 ;按位置在取两位,即"D-"
00452A53 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452A56 |. 50 PUSH EAX
00452A57 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00452A5A |. 8A00 MOV AL,BYTE PTR DS:[EAX] ;名字的第一个字符送给AL
00452A5C |. E8 0300FBFF CALL BSWIN.00402A64
00452A61 |. 8BD0 MOV EDX,EAX
00452A63 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00452A66 |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL
00452A69 |. C600 01 MOV BYTE PTR DS:[EAX],1
00452A6C |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00452A6F |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452A72 |. E8 DD00FBFF CALL BSWIN.00402B54
00452A77 |. BA 942B4500 MOV EDX,BSWIN.00452B94
00452A7C |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452A7F |. B1 02 MOV CL,2
00452A81 |. E8 9E00FBFF CALL BSWIN.00402B24
00452A86 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00452A89 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452A8C |. E8 F713FBFF CALL BSWIN.00403E88 ;计算出15,16位的值
00452A91 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18];这里算出的是'D-'
00452A94 |. 58 POP EAX
00452A95 |. E8 5A15FBFF CALL BSWIN.00403FF4 ;相比较
00452A9A |. 0F94C3 SETE BL
00452A9D |> 84DB TEST BL,BL
00452A9F |. 74 7B JE SHORT BSWIN.00452B1C
我们得到15,16位'D-',即"BM1-E0BFE-EA3CD-EFGH"
;计算第7部分
00452AA1 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452AA4 |. 50 PUSH EAX
00452AA5 |. B9 02000000 MOV ECX,2
00452AAA |. BA 01000000 MOV EDX,1
00452AAF |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00452AB2 |. E8 3116FBFF CALL BSWIN.004040E8 ;取用户名的前两个字符,即"DE"(大写哦)
00452AB7 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452ABA |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00452ABD |. E8 EEFAFFFF CALL BSWIN.004525B0 ;通过"DE"参与运算,得到最后的4位 关键7 @_@
00452AC2 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452AC5 |. 50 PUSH EAX
00452AC6 |. B9 09000000 MOV ECX,9
00452ACB |. BA 11000000 MOV EDX,11
00452AD0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00452AD3 |. E8 1016FBFF CALL BSWIN.004040E8 ;取最后的四个字符了
00452AD8 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452ADB |. 50 PUSH EAX
00452ADC |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00452ADF |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452AE2 |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
00452AE5 |. BA 02000000 MOV EDX,2
00452AEA |. E8 D161FBFF CALL BSWIN.00408CC0 ;生成两个字符
00452AEF |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452AF2 |. 50 PUSH EAX
00452AF3 |. 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00452AF6 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452AF9 |. 0FB640 01 MOVZX EAX,BYTE PTR DS:[EAX+1]
00452AFD |. BA 02000000 MOV EDX,2
00452B02 |. E8 B961FBFF CALL BSWIN.00408CC0 ;在生成两个字符
00452B07 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00452B0A |. 58 POP EAX
00452B0B |. E8 DC13FBFF CALL BSWIN.00403EEC ;连接生成的两个字符
00452B10 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;最后的四个字符"AA76"
00452B13 |. 58 POP EAX ;"EFGH"
00452B14 |. E8 DB14FBFF CALL BSWIN.00403FF4 ;比较是否相等
00452B19 |. 0F94C3 SETE BL
我们得到17~20位的注册码,"BM1-E0BFE-EA3CD-AA76",用该注册码试一下,还没有成功,
再跟踪一下,发现7,8位的注册码变成了"DE",其他的则没有变化(Why?因为要用到注册码的信息,
而后面的于输入的注册码无关,而是只是用到了用户名)所以其他的则不发生变化,后来发现
9,10位的值为用户名的第2位与'-'的组合,即"E-",而第15,16位的值则是用户名的第1位的值
与'-'的组合,即"D-"(都是大写哦!!).所以最终的注册信息为:
User-ID:dengkeng[DFCG]
Key:BM1-E0DEE-EA3CD-AA76
至于注册机嘛!我已经把计算的关键部分(计算注册码的部分用@_@符号表示出来了,你可以自己
试试看啊!就是CALL BSWIN.004525B0这个部分)看雪学院<<论坛精华四>>里面有arbiter[CCG]写的
BootStar v7.33 keygen in pure win32asm的注册机.有时间的话我在看看,估计不会有很大的变化!
Made By dengkeng[DFCG][YCG]
E-mail:shellc0de@sohu.com
欢迎转载,请保持文章的完整性