【软件名称】Space Trip 3D Screensaver
【 下载地址】http://www.digimindsoft.com/Space-Trip-3D-Screensaver-24.html
查壳无壳
下MessageBoxA断点,来到:
复制内容到剪贴板
代码:
0041102B /. 55 push ebp ; /////注册?
0041102C |. 8BEC mov ebp, esp
0041102E |. 83EC 74 sub esp, 74
00411031 |. 8B45 0C mov eax, dword ptr [ebp+C]
00411034 |. 8945 90 mov dword ptr [ebp-70], eax
00411037 |. 817D 90 10010>cmp dword ptr [ebp-70], 110
0041103E 74 0E je short 0041104E ; 对话框事件
00411040 |. 817D 90 11010>cmp dword ptr [ebp-70], 111
00411047 |. 74 0F je short 00411058 ; 退出事件
00411049 |. E9 DB010000 jmp 00411229
0041104E |> B8 01000000 mov eax, 1
00411053 |. E9 D3010000 jmp 0041122B
在段首下断会因为对话框不停的调用而无法显示,观察一下,发现:
复制内容到剪贴板
代码:
0041108A |. E8 A5E4FFFF call 0040F534 ; \Space_Tr.0040F534
0041108F |. 83C4 04 add esp, 4
00411092 |. 8945 98 mov dword ptr [ebp-68], eax
00411095 |. 837D 98 00 cmp dword ptr [ebp-68], 0
00411099 |. 0F85 39010000 jnz 004111D8
0041109F |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004110A1 |. 68 008E4300 push 00438E00 ; |Title = "Registration"
004110A6 |. 68 108E4300 push 00438E10 ; |Text = "Thank you for purchasing!"
004110AB |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
004110AE |. 50 push eax ; |hOwner
004110AF |. FF15 40534300 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
0041108A |. E8 A5E4FFFF call 0040F534 为跳过对话框的关键call。对其下断,跟进:
复制内容到剪贴板
代码:
0040F5D6 |. 8B8D 74FFFFFF |mov ecx, dword ptr [ebp-8C] ; 注册名
0040F5DC |. 038D 68FFFFFF |add ecx, dword ptr [ebp-98]
0040F5E2 |. 8B95 68FFFFFF |mov edx, dword ptr [ebp-98]
0040F5E8 |. 8A01 |mov al, byte ptr [ecx] ; 一个字符
0040F5EA |. 8882 B8AB4300 |mov byte ptr [edx+43ABB8], al
0040F612 |> 8B95 6CFFFFFF mov edx, dword ptr [ebp-94] ; 注册名长度
0040F618 |. 8955 FC mov dword ptr [ebp-4], edx
0040F61B |. 83BD 6CFFFFFF>cmp dword ptr [ebp-94], 0F ; 0xF
0040F64D |> 83BD 68FFFFFF> cmp dword ptr [ebp-98], 10 ; 0x10位
0040F67B |> 8B85 74FFFFFF |mov eax, dword ptr [ebp-8C] ; 注册名
0040F684 |. 0FBE08 |movsx ecx, byte ptr [eax] ; 一个字符入Ecx
0040F69A |. 83BC85 24FFFF>|cmp dword ptr [ebp+eax*4-DC], 20 ; 空格 比较
0040F6AA |. C7848D 24FFFF>|mov dword ptr [ebp+ecx*4-DC], 0
0040F6C0 |. 83BC95 24FFFF>|cmp dword ptr [ebp+edx*4-DC], 30 ; 0 比较
0040F6D0 |. 83BC85 24FFFF>|cmp dword ptr [ebp+eax*4-DC], 39 ; 9 比较
0040F6FF |. 83BC8D 24FFFF>|cmp dword ptr [ebp+ecx*4-DC], 41 ; A 比较
0040F70F |. 83BC95 24FFFF>|cmp dword ptr [ebp+edx*4-DC], 5A ; Z 比较
0040F726 |. 83E9 36 |sub ecx, 36 ; -0x36
0040F73E |. 83BC85 24FFFF>|cmp dword ptr [ebp+eax*4-DC], 61 ; a 比较
0040F74E |. 83BC8D 24FFFF>|cmp dword ptr [ebp+ecx*4-DC], 7A ; z 比较
0040F765 |. 83E8 3C |sub eax, 3C ; -0x3c
0040F792 |> 8B8D 74FFFFFF mov ecx, dword ptr [ebp-8C] ; 注册名
0040F798 |. 51 push ecx ; /hMem
0040F799 |. FF15 60514300 call dword ptr [<&KERNEL32.GlobalFree>; \GlobalFree
0040F79F |. 68 FC8B4300 push 00438BFC ; ASCII "Hard Listening and Hightempo!"
0040F7C7 |. C785 1CFFFFFF>mov dword ptr [ebp-E4], 10 ; 0X10
0040F803 |. 0FBE91 FC8B43>|movsx edx, byte ptr [ecx+438BFC] ; ASCII "Hard Listening and Hightempo!"
0040F951 |> 68 F6030000 push 3F6 ; /ControlID = 3F6 (1014.)
0040F956 |. 8B4D 08 mov ecx, dword ptr [ebp+8] ; |
0040F959 |. 51 push ecx ; |hWnd
0040F95A |. FF15 28534300 call dword ptr [<&USER32.GetDlgItem>] ; \GetDlgItem
0040F960 |. 50 push eax ; /hWnd
0040F961 |. FF15 2C534300 call dword ptr [<&USER32.GetWindowTex>; \GetWindowTextLengthA
0040F967 |. 8985 70FFFFFF mov dword ptr [ebp-90], eax
0040F96D |. 83BD 70FFFFFF>cmp dword ptr [ebp-90], 10 ; 注册码长度16位。。。
注册名字符如果是大写就-0x36,小写就-0x3C,数字就-0x2F,空格写0,不足16位就循环计数;字符串"Hard Listening and Hightempo!"取前16位转换方式同上,然后对转换后的前16位八位一组掉个个儿。
假码进行类似的步骤进行转换。
复制内容到剪贴板
代码:
0040FBFB |> 8B85 68FFFFFF /mov eax, dword ptr [ebp-98]
0040FC01 |. 83C0 01 |add eax, 1
0040FC04 |. 8985 68FFFFFF |mov dword ptr [ebp-98], eax
0040FC0A |> 83BD 68FFFFFF> cmp dword ptr [ebp-98], 8
0040FC11 |. 7D 2A |jge short 0040FC3D
0040FC13 |. B9 0F000000 |mov ecx, 0F
0040FC18 |. 2B8D 68FFFFFF |sub ecx, dword ptr [ebp-98]
0040FC1E |. 8B95 68FFFFFF |mov edx, dword ptr [ebp-98]
0040FC24 |. 8B8495 78FFFF>|mov eax, dword ptr [ebp+edx*4-88]
0040FC2B |. 3B848D 78FFFF>|cmp eax, dword ptr [ebp+ecx*4-88]
0040FC32 74 07 je short 0040FC3B
0040FC34 |. B8 04000000 |mov eax, 4
0040FC39 |. EB 04 |jmp short 0040FC3F
0040FC3B |>^ EB BE \jmp short 0040FBFB
0040FC3D |> \33C0 xor eax, eax
真码假码比较,相等则Al置0,注册成功。
复制内容到剪贴板
代码:
修改je short 0040FC3B为JMP
00411135 |. 50 push eax ; /BufSize
00411136 |. 8D45 A4 lea eax, dword ptr [ebp-5C] ; |
00411139 |. 50 push eax ; |Buffer
0041113A |. 6A 01 push 1 ; |ValueType = REG_SZ
0041113C |. 6A 00 push 0 ; |Reserved = 0
0041113E |. 68 508E4300 push 00438E50 ; |ValueName = "RegKey"
00411143 |. 8B4D 94 mov ecx, dword ptr [ebp-6C] ; |
00411146 |. 51 push ecx ; |hKey
00411147 |. FF15 0C504300 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA
成功则写入注册表。
保存重启,发现依然未注册。
对注册表下断,发现读到了username和key1
复制内容到剪贴板
代码:
00410900 |. 52 push edx ; /pBufSize
00410901 |. 68 10AC4300 push 0043AC10 ; |Buffer = Space_Tr.0043AC10
00410906 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; |
00410909 |. 50 push eax ; |pValueType
0041090A |. 6A 00 push 0 ; |Reserved = NULL
0041090C |. 68 208D4300 push 00438D20 ; |ValueName = "RegKey"
00410911 |. 8B4D EC mov ecx, dword ptr [ebp-14] ; |
00410914 |. 51 push ecx ; |hKey
00410915 |. FF15 00504300 call dword ptr [<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
0041091B |. C745 FC 51000>mov dword ptr [ebp-4], 51
00410922 |. 8D55 FC lea edx, dword ptr [ebp-4]
00410925 |. 52 push edx ; /pBufSize
00410926 |. 68 B8AB4300 push 0043ABB8 ; |Buffer = Space_Tr.0043ABB8
0041092B |. 8D45 F4 lea eax, dword ptr [ebp-C] ; |
0041092E |. 50 push eax ; |pValueType
0041092F |. 6A 00 push 0 ; |Reserved = NULL
00410931 |. 68 288D4300 push 00438D28 ; |ValueName = "UserName"
00410936 |. 8B4D EC mov ecx, dword ptr [ebp-14] ; |
00410939 |. 51 push ecx ; |hKey
0041093A |. FF15 00504300 call dword ptr [<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
00410940 |. 8B55 EC mov edx, dword ptr [ebp-14]
00410943 |. 52 push edx ; /hKey
00410944 |. FF15 10504300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
0041094A |. E8 F1E5FFFF call 0040EF40 ; 算法call
跟进算法call,发现和注册按钮用的不是同一个call(狡猾),而且,这次AL=1才注册成功
复制内容到剪贴板
代码:
0040EF40 /$ 55 push ebp
0040EF41 |. 8BEC mov ebp, esp
0040EF43 |. 81EC E4000000 sub esp, 0E4
0040EF49 |. 68 B8AB4300 push 0043ABB8 ; ASCII "zas"
。。。。
0040F526 /74 04 je short 0040F52C
0040F528 |. |32C0 |xor al, al
0040F52A |. |EB 04 |jmp short 0040F530
0040F52C |>^\EB C1 \jmp short 0040F4EF
0040F52E |> B0 01 mov al, 1
方法1:
直接修改
0040F526 /74 04 je short 0040F52C
为JMP
方法2:
直接修改算法call为
0040EF40 B0 01 mov al, 1
0040EF42 C3 retn
保存,启动OK。
算法分析:
复制内容到剪贴板
代码:
0040EFEF |. /EB 17 |jmp short 0040F008
0040EFF1 |> |8B4D B8 |mov ecx, dword ptr [ebp-48] ; 注册名
0040EFF4 |. |0FBE91 B8AB43>|movsx edx, byte ptr [ecx+43ABB8] ; 取字符
0040EFFB |. |8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F001 |. |899485 28FFFF>|mov dword ptr [ebp+eax*4-D8], edx
0040F008 |> \8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F00E |. 83BC8D 28FFFF>|cmp dword ptr [ebp+ecx*4-D8], 20 ; 空格
0040F016 |. 75 16 |jnz short 0040F02E
0040F018 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F01E |. C78495 28FFFF>|mov dword ptr [ebp+edx*4-D8], 0 ; 空格写0
0040F029 |. E9 BB000000 |jmp 0040F0E9
0040F02E |> 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F034 |. 83BC85 28FFFF>|cmp dword ptr [ebp+eax*4-D8], 30
0040F03C |. 7C 2F |jl short 0040F06D
0040F03E |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F044 |. 83BC8D 28FFFF>|cmp dword ptr [ebp+ecx*4-D8], 39
0040F04C |. 7F 1F |jg short 0040F06D
0040F04E |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F054 |. 8B8495 28FFFF>|mov eax, dword ptr [ebp+edx*4-D8]
0040F05B |. 83E8 2F |sub eax, 2F ; 数字-0x2F
0040F05E |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F064 |. 89848D 28FFFF>|mov dword ptr [ebp+ecx*4-D8], eax
0040F06B |. EB 7C |jmp short 0040F0E9
0040F06D |> 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F073 |. 83BC95 28FFFF>|cmp dword ptr [ebp+edx*4-D8], 41
0040F07B |. 7C 2F |jl short 0040F0AC
0040F07D |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F083 |. 83BC85 28FFFF>|cmp dword ptr [ebp+eax*4-D8], 5A
0040F08B |. 7F 1F |jg short 0040F0AC
0040F08D |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F093 |. 8B948D 28FFFF>|mov edx, dword ptr [ebp+ecx*4-D8]
0040F09A |. 83EA 36 |sub edx, 36 ; 大写字母-0x36
0040F09D |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F0A3 |. 899485 28FFFF>|mov dword ptr [ebp+eax*4-D8], edx
0040F0AA |. EB 3D |jmp short 0040F0E9
0040F0AC |> 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F0B2 |. 83BC8D 28FFFF>|cmp dword ptr [ebp+ecx*4-D8], 61
0040F0BA |. 7C 2D |jl short 0040F0E9
0040F0BC |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F0C2 |. 83BC95 28FFFF>|cmp dword ptr [ebp+edx*4-D8], 7A
0040F0CA |. 7F 1D |jg short 0040F0E9
0040F0CC |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F0D2 |. 8B8C85 28FFFF>|mov ecx, dword ptr [ebp+eax*4-D8]
0040F0D9 |. 83E9 3C |sub ecx, 3C ; 小写字母-0x3C
0040F0DC |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F0E2 |. 898C95 28FFFF>|mov dword ptr [ebp+edx*4-D8], ecx
0040F0E9 |> 8B45 B8 |mov eax, dword ptr [ebp-48]
0040F0EC |. 83C0 01 |add eax, 1
0040F0EF |. 8945 B8 |mov dword ptr [ebp-48], eax
0040F0F2 |. 8B4D B8 |mov ecx, dword ptr [ebp-48]
0040F0F5 |. 3B4D FC |cmp ecx, dword ptr [ebp-4]
0040F0F8 |. 7C 07 |jl short 0040F101
0040F0FA |. C745 B8 00000>|mov dword ptr [ebp-48], 0
0040F101 |>^ E9 AEFEFFFF \jmp 0040EFB4
0040F106 |> 68 FC8B4300 push 00438BFC ; "Hard Listening and Hightempo!"前16个字符同理处理
0040F10B |. E8 50A90000 call 00419A60
0040F110 |. 83C4 04 add esp, 4
0040F113 |. 8985 68FFFFFF mov dword ptr [ebp-98], eax
0040F119 |. 8B95 68FFFFFF mov edx, dword ptr [ebp-98]
0040F11F |. 8995 24FFFFFF mov dword ptr [ebp-DC], edx
0040F125 |. 83BD 68FFFFFF>cmp dword ptr [ebp-98], 10
0040F12C |. 7E 0A jle short 0040F138
0040F12E |. C785 24FFFFFF>mov dword ptr [ebp-DC], 10
0040F138 |> C745 B8 00000>mov dword ptr [ebp-48], 0
0040F13F |. C785 6CFFFFFF>mov dword ptr [ebp-94], 0
0040F149 |. EB 0F jmp short 0040F15A
0040F14B |> 8B85 6CFFFFFF /mov eax, dword ptr [ebp-94]
0040F151 |. 83C0 01 |add eax, 1
0040F154 |. 8985 6CFFFFFF |mov dword ptr [ebp-94], eax
0040F15A |> 83BD 6CFFFFFF> cmp dword ptr [ebp-94], 10
0040F161 |. 0F8D F4000000 |jge 0040F25B
0040F167 |. 8B4D B8 |mov ecx, dword ptr [ebp-48]
0040F16A |. 0FBE91 FC8B43>|movsx edx, byte ptr [ecx+438BFC]
0040F171 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F177 |. 895485 BC |mov dword ptr [ebp+eax*4-44], edx
0040F17B |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F181 |. 837C8D BC 20 |cmp dword ptr [ebp+ecx*4-44], 20
0040F186 |. 75 13 |jnz short 0040F19B
0040F188 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F18E |. C74495 BC 000>|mov dword ptr [ebp+edx*4-44], 0
0040F196 |. E9 A0000000 |jmp 0040F23B
0040F19B |> 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F1A1 |. 837C85 BC 30 |cmp dword ptr [ebp+eax*4-44], 30
0040F1A6 |. 7C 26 |jl short 0040F1CE
0040F1A8 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F1AE |. 837C8D BC 39 |cmp dword ptr [ebp+ecx*4-44], 39
0040F1B3 |. 7F 19 |jg short 0040F1CE
0040F1B5 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F1BB |. 8B4495 BC |mov eax, dword ptr [ebp+edx*4-44]
0040F1BF |. 83E8 2F |sub eax, 2F
0040F1C2 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F1C8 |. 89448D BC |mov dword ptr [ebp+ecx*4-44], eax
0040F1CC |. EB 6D |jmp short 0040F23B
0040F1CE |> 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F1D4 |. 837C95 BC 41 |cmp dword ptr [ebp+edx*4-44], 41
0040F1D9 |. 7C 26 |jl short 0040F201
0040F1DB |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F1E1 |. 837C85 BC 5A |cmp dword ptr [ebp+eax*4-44], 5A
0040F1E6 |. 7F 19 |jg short 0040F201
0040F1E8 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F1EE |. 8B548D BC |mov edx, dword ptr [ebp+ecx*4-44]
0040F1F2 |. 83EA 36 |sub edx, 36
0040F1F5 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F1FB |. 895485 BC |mov dword ptr [ebp+eax*4-44], edx
0040F1FF |. EB 3A |jmp short 0040F23B
0040F201 |> 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F207 |. 837C8D BC 61 |cmp dword ptr [ebp+ecx*4-44], 61
0040F20C |. 7C 26 |jl short 0040F234
0040F20E |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F214 |. 837C95 BC 7A |cmp dword ptr [ebp+edx*4-44], 7A
0040F219 |. 7F 19 |jg short 0040F234
0040F21B |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F221 |. 8B4C85 BC |mov ecx, dword ptr [ebp+eax*4-44]
0040F225 |. 83E9 3C |sub ecx, 3C
0040F228 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F22E |. 894C95 BC |mov dword ptr [ebp+edx*4-44], ecx
0040F232 |. EB 07 |jmp short 0040F23B
0040F234 |> 32C0 |xor al, al
0040F236 |. E9 F5020000 |jmp 0040F530
0040F23B |> 8B45 B8 |mov eax, dword ptr [ebp-48]
0040F23E |. 83C0 01 |add eax, 1
0040F241 |. 8945 B8 |mov dword ptr [ebp-48], eax
0040F244 |. 8B4D B8 |mov ecx, dword ptr [ebp-48]
0040F247 |. 3B8D 24FFFFFF |cmp ecx, dword ptr [ebp-DC]
0040F24D |. 7C 07 |jl short 0040F256
0040F24F |. C745 B8 00000>|mov dword ptr [ebp-48], 0
0040F256 |>^ E9 F0FEFFFF \jmp 0040F14B
0040F25B |> C785 6CFFFFFF>mov dword ptr [ebp-94], 0
0040F265 |. EB 0F jmp short 0040F276
0040F267 |> 8B95 6CFFFFFF /mov edx, dword ptr [ebp-94] ; 转换部分
0040F26D |. 83C2 01 |add edx, 1 ; 计数器x
0040F270 |. 8995 6CFFFFFF |mov dword ptr [ebp-94], edx
0040F276 |> 83BD 6CFFFFFF> cmp dword ptr [ebp-94], 8 ; 8次循环跳出
0040F27D |. 7D 36 |jge short 0040F2B5
0040F27F |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94] ; 计数器x
0040F285 |. 8B4C85 BC |mov ecx, dword ptr [ebp+eax*4-44] ; 字符串第x个字符(x=1 ~ 16)--》S1
0040F289 |. 898D 20FFFFFF |mov dword ptr [ebp-E0], ecx
0040F28F |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F295 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F29B |. 8B4C85 DC |mov ecx, dword ptr [ebp+eax*4-24] ; 字符串第x+8个字符(x=1 ~ 8)
0040F29F |. 894C95 BC |mov dword ptr [ebp+edx*4-44], ecx ; 放入字符串第x个字符(x=1 ~ 8)
0040F2A3 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F2A9 |. 8B85 20FFFFFF |mov eax, dword ptr [ebp-E0] ; S1
0040F2AF |. 894495 DC |mov dword ptr [ebp+edx*4-24], eax ; 放入字符串第x+8个字符(x=1 ~ 8)==》S2
0040F2B3 |.^ EB B2 \jmp short 0040F267
0040F2B5 |> 68 10AC4300 push 0043AC10 ; 实际上就是倒装一下
0040F2BA |. E8 A1A70000 call 00419A60
0040F2BF |. 83C4 04 add esp, 4
0040F2C2 |. 8985 74FFFFFF mov dword ptr [ebp-8C], eax
0040F2C8 |. 83BD 74FFFFFF>cmp dword ptr [ebp-8C], 10
0040F2CF |. 74 07 je short 0040F2D8
0040F2D1 |. 32C0 xor al, al
0040F2D3 |. E9 58020000 jmp 0040F530
0040F2D8 |> C785 6CFFFFFF>mov dword ptr [ebp-94], 0
0040F2E2 |. EB 0F jmp short 0040F2F3
0040F2E4 |> 8B8D 6CFFFFFF /mov ecx, dword ptr [ebp-94] ; 假码转换方式同上
0040F2EA |. 83C1 01 |add ecx, 1
0040F2ED |. 898D 6CFFFFFF |mov dword ptr [ebp-94], ecx
0040F2F3 |> 83BD 6CFFFFFF> cmp dword ptr [ebp-94], 10 ; 假码0x10位
0040F2FA |. 0F8D 0C010000 |jge 0040F40C
0040F300 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F306 |. 0FBE82 10AC43>|movsx eax, byte ptr [edx+43AC10]
0040F30D |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F313 |. 89848D 78FFFF>|mov dword ptr [ebp+ecx*4-88], eax
0040F31A |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F320 |. 83BC95 78FFFF>|cmp dword ptr [ebp+edx*4-88], 2D
0040F328 |. 75 16 |jnz short 0040F340
0040F32A |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F330 |. C78485 78FFFF>|mov dword ptr [ebp+eax*4-88], 0 ; "-"写0
0040F33B |. E9 C7000000 |jmp 0040F407
0040F340 |> 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F346 |. 83BC8D 78FFFF>|cmp dword ptr [ebp+ecx*4-88], 30
0040F34E |. 7C 32 |jl short 0040F382
0040F350 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F356 |. 83BC95 78FFFF>|cmp dword ptr [ebp+edx*4-88], 39
0040F35E |. 7F 22 |jg short 0040F382
0040F360 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F366 |. 8B8C85 78FFFF>|mov ecx, dword ptr [ebp+eax*4-88]
0040F36D |. 83E9 2F |sub ecx, 2F
0040F370 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F376 |. 898C95 78FFFF>|mov dword ptr [ebp+edx*4-88], ecx
0040F37D |. E9 85000000 |jmp 0040F407
0040F382 |> 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F388 |. 83BC85 78FFFF>|cmp dword ptr [ebp+eax*4-88], 41
0040F390 |. 7C 2F |jl short 0040F3C1
0040F392 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F398 |. 83BC8D 78FFFF>|cmp dword ptr [ebp+ecx*4-88], 5A
0040F3A0 |. 7F 1F |jg short 0040F3C1
0040F3A2 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F3A8 |. 8B8495 78FFFF>|mov eax, dword ptr [ebp+edx*4-88]
0040F3AF |. 83E8 36 |sub eax, 36
0040F3B2 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F3B8 |. 89848D 78FFFF>|mov dword ptr [ebp+ecx*4-88], eax
0040F3BF |. EB 46 |jmp short 0040F407
0040F3C1 |> 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F3C7 |. 83BC95 78FFFF>|cmp dword ptr [ebp+edx*4-88], 61
0040F3CF |. 7C 2F |jl short 0040F400
0040F3D1 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F3D7 |. 83BC85 78FFFF>|cmp dword ptr [ebp+eax*4-88], 7A
0040F3DF |. 7F 1F |jg short 0040F400
0040F3E1 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F3E7 |. 8B948D 78FFFF>|mov edx, dword ptr [ebp+ecx*4-88]
0040F3EE |. 83EA 3C |sub edx, 3C
0040F3F1 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F3F7 |. 899485 78FFFF>|mov dword ptr [ebp+eax*4-88], edx
0040F3FE |. EB 07 |jmp short 0040F407
0040F400 |> 32C0 |xor al, al
0040F402 |. E9 29010000 |jmp 0040F530
0040F407 |>^ E9 D8FEFFFF \jmp 0040F2E4
0040F40C |> C785 6CFFFFFF>mov dword ptr [ebp-94], 0
0040F416 |. EB 0F jmp short 0040F427
0040F418 |> 8B8D 6CFFFFFF /mov ecx, dword ptr [ebp-94]
0040F41E |. 83C1 01 |add ecx, 1
0040F421 |. 898D 6CFFFFFF |mov dword ptr [ebp-94], ecx
0040F427 |> 83BD 6CFFFFFF> cmp dword ptr [ebp-94], 10
0040F42E |. 7D 53 |jge short 0040F483
0040F430 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F436 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F43C |. 8B8C95 78FFFF>|mov ecx, dword ptr [ebp+edx*4-88] ; 假码第x个字符(x=1 ~ 16)--》S3
0040F443 |. 2B4C85 BC |sub ecx, dword ptr [ebp+eax*4-44] ; S3-S2
0040F447 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F44D |. 898C95 78FFFF>|mov dword ptr [ebp+edx*4-88], ecx ; 放回
0040F454 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F45A |. 83BC85 78FFFF>|cmp dword ptr [ebp+eax*4-88], 0
0040F462 |. 7D 1D |jge short 0040F481 ; 大于等于0 跳
0040F464 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F46A |. 8B948D 78FFFF>|mov edx, dword ptr [ebp+ecx*4-88]
0040F471 |. 83C2 3F |add edx, 3F ; 小于等于0则+0x3F
0040F474 |. 8B85 6CFFFFFF |mov eax, dword ptr [ebp-94]
0040F47A |. 899485 78FFFF>|mov dword ptr [ebp+eax*4-88], edx ; 放回
0040F481 |>^ EB 95 \jmp short 0040F418
0040F483 |> C785 6CFFFFFF>mov dword ptr [ebp-94], 0
0040F48D |. EB 0F jmp short 0040F49E
0040F48F |> 8B8D 6CFFFFFF /mov ecx, dword ptr [ebp-94] ; 再次8位倒换
0040F495 |. 83C1 01 |add ecx, 1
0040F498 |. 898D 6CFFFFFF |mov dword ptr [ebp-94], ecx
0040F49E |> 83BD 6CFFFFFF> cmp dword ptr [ebp-94], 8
0040F4A5 |. 7D 3C |jge short 0040F4E3
0040F4A7 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F4AD |. 8B8495 78FFFF>|mov eax, dword ptr [ebp+edx*4-88]
0040F4B4 |. 8985 1CFFFFFF |mov dword ptr [ebp-E4], eax
0040F4BA |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F4C0 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F4C6 |. 8B4495 98 |mov eax, dword ptr [ebp+edx*4-68]
0040F4CA |. 89848D 78FFFF>|mov dword ptr [ebp+ecx*4-88], eax
0040F4D1 |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
0040F4D7 |. 8B95 1CFFFFFF |mov edx, dword ptr [ebp-E4]
0040F4DD |. 89548D 98 |mov dword ptr [ebp+ecx*4-68], edx
0040F4E1 |.^ EB AC \jmp short 0040F48F
0040F4E3 |> C785 6CFFFFFF>mov dword ptr [ebp-94], 0
0040F4ED |. EB 0F jmp short 0040F4FE
0040F4EF |> 8B85 6CFFFFFF /mov eax, dword ptr [ebp-94] ; 比较部分
0040F4F5 |. 83C0 01 |add eax, 1
0040F4F8 |. 8985 6CFFFFFF |mov dword ptr [ebp-94], eax
0040F4FE |> 83BD 6CFFFFFF> cmp dword ptr [ebp-94], 8
0040F505 |. 7D 27 |jge short 0040F52E
0040F507 |. B9 0F000000 |mov ecx, 0F ; 0F
0040F50C |. 2B8D 6CFFFFFF |sub ecx, dword ptr [ebp-94] ; ecx-x
0040F512 |. 8B95 6CFFFFFF |mov edx, dword ptr [ebp-94]
0040F518 |. 8B8495 78FFFF>|mov eax, dword ptr [ebp+edx*4-88] ; 首尾比较,相等则注册成功
0040F51F |. 3B848D 78FFFF>|cmp eax, dword ptr [ebp+ecx*4-88]
0040F526 |. 74 04 |je short 0040F52C
0040F528 |. 32C0 |xor al, al
0040F52A |. EB 04 |jmp short 0040F530
0040F52C |>^ EB C1 \jmp short 0040F4EF
0040F52E |> B0 01 mov al, 1
【破解总结】
00410961 |> \C605 45A54300>mov byte ptr [43A545], 1
[43A545]为全局变量。。。
【算法总结】
算法有了,但不是明码比较。。。
第一步:取固定字符串前16位:Hard Listening a
大写-0x36,小写-0x3C,空格为0 得到S1
第二步:S1八位倒换得到S2
第二步:取注册码同样处理得到S3
第三步:S3-S2得到S4
第四步:S4 8位倒换,首尾比较,相等注册成功,不等注册失败
一组可用的注册码:
注册名:随意
注册码:GDCV16GHzrHsnlHF
注册机源代码:
Function Check(Number As Integer) As Integer
If Number < 58 Then
Check = Number - 47
Else
If Number >= 58 And Number <= 96 Then
Check = Number - 54
Else
If Number > 96 Then
Check = Number - 60
End If
End If
End If
End Function
Private Sub Command1_Click()
Dim Word As String
Dim Char As String
Dim Ref_String(16) As Integer
Dim Test_Char As String
Dim Serial(16) As Integer
Dim Output(16) As String
Dim Success As Boolean
Dim First_Rnd_Char As Integer
Dim Selected_Char As Integer
Text1.Text = ""
Word = "3829322D322B00251225362800162D37"
Char = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
For x = 1 To 16
Ref_String(x) = Val("&h" & Mid(Word, 2 * x - 1, 2))
Next
For i = 1 To 8
Do
Do
Randomize
First_Rnd_Char = (122 - 48) * Rnd() + 48
Loop Until (First_Rnd_Char > 47 And First_Rnd_Char < 58) Or (First_Rnd_Char > 64 And First_Rnd_Char < 91) Or (First_Rnd_Char > 96 And First_Rnd_Char < 123)
Success = False
Output(i) = Chr(First_Rnd_Char)
First_Rnd_Char = Check(First_Rnd_Char)
First_Rnd_Char = First_Rnd_Char - Ref_String(i + 8)
For y = 1 To Len(Char)
Selected_Char = Asc(Mid(Char, y, 1))
Test_Char = Chr(Selected_Char)
Selected_Char = Check(Selected_Char)
Selected_Char = Selected_Char - Ref_String(8 - i + 1)
If First_Rnd_Char = Selected_Char Then
Output(16 - i + 1) = Test_Char
Success = True
Exit For
End If
Next
Loop Until Success = True
Next
For m = 1 To 16
First_Rnd_Char_serial = First_Rnd_Char_serial & Output(m)
Text1.Text = Mid(First_Rnd_Char_serial, 9, 8) & Mid(First_Rnd_Char_serial, 1, 8)
Next
End Sub
Private Sub Command2_Click()
Unload Me
End Sub