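crackcode Code-Sharing Notes (Part 1)
I have a bit of insomnia today and can't sleep, so I might as well do something. I just downloaded crackcode today; it's quite small, only 11.5k.
I disassembled it. I want to slowly read the program through from the beginning; it probably won't be too hard! :) Today went alright, I read a little bit,
and I'm sharing it with everyone first. My assembly language is also rather sloppy, so if you find the comments passable, please just make do with them!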
:00401000 53            push ebx
:00401001 55            push ebp
:00401002 56            push esi
:00401003 57            push edi
:00401004 6A00          push 00000000
* Possible StringData Ref from Data Obj ->"Crackcode 2000 -- Author:Ru Feng"
                                        ->"(http:\\ocqpat.163.net)"
|
:00401006 68AC624000    push 004062AC
* Possible StringData Ref from Data Obj ->"Thank you for using the Crackcode!Let"
                                        ->"us make the keygen so easy!"
|
:0040100B 6868624000    push 00406268
:00401010 6A00          push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401012 FF15C0504000  Call dword ptr [004050C0]
^^^^^^^^^^^^^^---> Displays the author's illustrious name.
:00401018 BE20A44000    mov esi, 0040A420
:0040101D BF04010000    mov edi, 00000104
:00401022 56            push esi
:00401023 57            push edi
* Reference To: KERNEL32.GetCurrentDirectoryA, Ord:0000h
|
:00401024 FF1504504000  Call dword ptr [00405004]
^^^^^^^^^^^^^^^---> Gets the current path.
* Possible StringData Ref from Data Obj ->"CRACKCODE.INI"
|
:0040102A 68DC604000    push 004060DC
* Possible StringData Ref from Data Obj ->"\"
|
:0040102F 6864624000    push 00406264
:00401034 56            push esi
:00401035 E8360A0000    call 00401A70
:0040103A 59            pop ecx
:0040103B 59            pop ecx
:0040103C 50            push eax
:0040103D E82E0A0000    call 00401A70
:00401042 59            pop ecx
:00401043 BD50674000    mov ebp, 00406750
:00401048 59            pop ecx
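^^^^^^^^^^^^^^^^--> The code above implements the function strcat().
For example, if the current path obtained is C:\crackcode, then
this code joins the result into: c:\crackcode\crackcode.ini
Now let's look at the code at 00401A70: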
:00401A70 8B4C2404      mov ecx, dword ptr [esp+04]
^^^^^^^^---> ECX gets the pointer to the path string
ECX=40A620
:00401A74 57            push edi
:00401A75 F7C103000000  test ecx, 00000003
:00401A7B 740F          je 00401A8C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401A8A(C)
|
:00401A7D 8A01          mov al, byte ptr [ecx]
:00401A7F 41            inc ecx
:00401A80 84C0          test al, al
:00401A82 743B          je 00401ABF
:00401A84 F7C103000000  test ecx, 00000003
:00401A8A 75F1          jne 00401A7D
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401A7B(C), :00401AA2(C), :00401ABD(U)
|
:00401A8C 8B01          mov eax, dword ptr [ecx]
:00401A8E BAFFFEFE7E    mov edx, 7EFEFEFF
:00401A93 03D0          add edx, eax
:00401A95 83F0FF        xor eax, FFFFFFFF
:00401A98 33C2          xor eax, edx
:00401A9A 83C104        add ecx, 00000004
:00401A9D A900010181    test eax, 81010100
:00401AA2 74E8          je 00401A8C
^^^^^^^^^^^^^^^^--> This code loops, fetching four characters at a time,
to determine which four characters contain the end
:00401AA4 8B41FC        mov eax, dword ptr [ecx-04]
:00401AA7 84C0          test al, al
:00401AA9 7423          je 00401ACE
:00401AAB 84E4          test ah, ah
:00401AAD 741A          je 00401AC9
:00401AAF A90000FF00    test eax, 00FF0000
:00401AB4 740E          je 00401AC4
:00401AB6 A9000000FF    test eax, FF000000
:00401ABB 7402          je 00401ABF
:00401ABD EBCD          jmp 00401A8C
^^^^^^^^^^^^^^^--> This code determines how many characters there are
in the last four characters, and jumps to the corresponding code below
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401A82(C), :00401ABB(C)
|
:00401ABF 8D79FF        lea edi, dword ptr [ecx-01]
:00401AC2 EB0D          jmp 00401AD1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AB4(C)
|
:00401AC4 8D79FE        lea edi, dword ptr [ecx-02]
:00401AC7 EB08          jmp 00401AD1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AAD(C)
|
:00401AC9 8D79FD        lea edi, dword ptr [ecx-03]
:00401ACC EB03          jmp 00401AD1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AA9(C)
|
==============The code below is similar to the code above, so I won't explain it again=======
:00401ACE 8D79FC        lea edi, dword ptr [ecx-04]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401A65(U), :00401AC2(U), :00401AC7(U), :00401ACC(U)
|
:00401AD1 8B4C240C      mov ecx, dword ptr [esp+0C]
:00401AD5 F7C103000000  test ecx, 00000003
:00401ADB 7419          je 00401AF6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AED(C)
|
:00401ADD 8A11          mov dl, byte ptr [ecx]
:00401ADF 41            inc ecx
:00401AE0 84D2          test dl, dl
:00401AE2 7464          je 00401B48
:00401AE4 8817          mov byte ptr [edi], dl
:00401AE6 47            inc edi
:00401AE7 F7C103000000  test ecx, 00000003
:00401AED 75EE          jne 00401ADD
:00401AEF EB05          jmp 00401AF6
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401B0E(C), :00401B28(U)
|
:00401AF1 8917          mov dword ptr [edi], edx
:00401AF3 83C704        add edi, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401ADB(C), :00401AEF(U)
|
:00401AF6 BAFFFEFE7E    mov edx, 7EFEFEFF
:00401AFB 8B01          mov eax, dword ptr [ecx]
:00401AFD 03D0          add edx, eax
:00401AFF 83F0FF        xor eax, FFFFFFFF
:00401B02 33C2          xor eax, edx
:00401B04 8B11          mov edx, dword ptr [ecx]
:00401B06 83C104        add ecx, 00000004
:00401B09 A900010181    test eax, 81010100
:00401B0E 74E1          je 00401AF1
:00401B10 84D2          test dl, dl
:00401B12 7434          je 00401B48
:00401B14 84F6          test dh, dh
:00401B16 7427          je 00401B3F
:00401B18 F7C20000FF00  test edx, 00FF0000
:00401B1E 7412          je 00401B32
:00401B20 F7C2000000FF  test edx, FF000000
:00401B26 7402          je 00401B2A
:00401B28 EBC7          jmp 00401AF1
==================================
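Summary: I hope everyone can help me with the parts of the code above that I don't understand.
1. :00401A75 F7C103000000  test ecx, 00000003 --> Why the TEST??
2. In the following code, why add 7EFEFEFF and then XOR FFFFFFFF? Can anyone tell me the reason?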
:00401A8C 8B01          mov eax, dword ptr [ecx]
:00401A8E BAFFFEFE7E    mov edx, 7EFEFEFF
:00401A93 03D0          add edx, eax
:00401A95 83F0FF        xor eax, FFFFFFFF
:00401A98 33C2          xor eax, edx
:00401A9A 83C104        add ecx, 00000004
:00401A9D A900010181    test eax, 81010100
:00401AA2 74E8          je 00401A8C
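Thank you all for your help!!
That's all for today, that's all...... (to be continued) 豆豆虾
Finished 2001.8.9 23:36
Time taken: 1 hour.
- Title: crackcode Code-Sharing Notes (Part 1) (8,000 characters)
- Author: 豆豆虾
- Time: 2001-8-9 23:33:17
- Link: http://bbs.pediy.com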
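
The scan half of the routine at 00401A70, written out in C as an added example (not part of the original post and not crackcode's source): `test ecx, 00000003` checks whether the pointer is 4-byte aligned so the loop can read whole dwords, and the 7EFEFEFF / 81010100 arithmetic reports whether any byte of a dword might be zero. The names `maybe_has_nul`, `scan_len`, `demo_len` and `storage` are hypothetical, the sample strings are constructed, and a little-endian machine is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC 0x7EFEFEFFu   /* zero bits ("holes") at 8, 16, 24 and 31 */
#define HOLES 0x81010100u   /* exactly the bits that are 0 in MAGIC */

/* 00401A8C..00401A9D: nonzero when some hole received no carry,
   i.e. a byte of v may be zero. */
uint32_t maybe_has_nul(uint32_t v) {
    uint32_t sum = v + MAGIC;        /* mov edx,7EFEFEFF / add edx,eax */
    return (~v ^ sum) & HOLES;       /* xor eax,-1 / xor eax,edx / test eax,81010100 */
}

/* Find the terminator the way 00401A70 does (little-endian assumed). */
size_t scan_len(const char *s) {
    const char *p = s;
    while ((uintptr_t)p & 3) {       /* test ecx,3: bytewise until aligned */
        if (*p == '\0') return (size_t)(p - s);
        p++;
    }
    for (;;) {
        uint32_t v;
        memcpy(&v, p, 4);            /* aligned dword load stays within one page */
        p += 4;
        if (!maybe_has_nul(v)) continue;                     /* je 00401A8C */
        if (!(v & 0x000000FFu)) return (size_t)(p - 4 - s);  /* lea edi,[ecx-04] */
        if (!(v & 0x0000FF00u)) return (size_t)(p - 3 - s);  /* lea edi,[ecx-03] */
        if (!(v & 0x00FF0000u)) return (size_t)(p - 2 - s);  /* lea edi,[ecx-02] */
        if (!(v & 0xFF000000u)) return (size_t)(p - 1 - s);  /* lea edi,[ecx-01] */
        /* false alarm: top byte was 0x80, so resume (jmp 00401A8C) */
    }
}

static uint32_t storage[16];         /* constructed, aligned, zero-padded scratch */

/* Place a constructed string at a chosen misalignment and scan it. */
size_t demo_len(size_t misalign, const char *text) {
    char *buf = (char *)storage + misalign;
    memset(storage, 0, sizeof storage);
    strcpy(buf, text);
    return scan_len(buf);
}

int main(void) {
    printf("%08X\n", (unsigned)maybe_has_nul(0x41424344u));
    printf("%08X\n", (unsigned)maybe_has_nul(0x80414243u));
    printf("%zu\n", demo_len(1, "C:\\crackcode"));
    return 0;
}
```

The byte-by-byte checks after the mask test are needed because a top byte of 0x80 also trips bit 31 of the mask, which is the case the `jmp 00401A8C` at 00401ABD handles.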