supercleaner 2.0 (1)

标题：算法分析 (11千字)
作者：2000yeah
时间：2001-3-24 18:37:46

SuperCleaner V1.91
帮助用户清洗他们的计算机硬盘内不必要的文件的程序
类型：共享软件，注册费$20.00，试用30天平台：Win 95/98/NT/2000

目的：找到注册码并分析算法
作者：2000yeah

:00408289 8D842408010000 lea eax, dword ptr [esp+00000108] ----fake code
:00408290 8D4C2408 lea ecx, dword ptr [esp+08] ----fake name
:00408294 50 push eax
:00408295 51 push ecx
:00408296 E8A5020000 call 00408540 -------------******** 进入
:0040829B 83C408 add esp, 00000008
:0040829E 85C0 test eax, eax
:004082A0 7447 je 004082E9
:004082A2 8D942408010000 lea edx, dword ptr [esp+00000108]
:004082A9 8D442408 lea eax, dword ptr [esp+08]
:004082AD 52 push edx
:004082AE 50 push eax

* Possible StringData Ref from Data Obj ->"Software\SuperCleaner\Registration" -----save reg code
|
:004082AF 6850714100 push 00417150
:004082B4 6801000080 push 80000001
:004082B9 E8D2020000 call 00408590

* Possible StringData Ref from Data Obj ->"Software\SuperCleaner\Registration" ----save name
|
:004082BE 6850714100 push 00417150
:004082C3 6801000080 push 80000001
:004082C8 E863010000 call 00408430
:004082CD 83C418 add esp, 00000018

* Referenced by a CALL at Addresses:
|:00408296 , :0040850E
|
:00408540 8B4C2404 mov ecx, dword ptr [esp+04]
:00408544 81EC00010000 sub esp, 00000100
:0040854A 8D442400 lea eax, dword ptr [esp]
:0040854E 56 push esi
:0040854F 50 push eax
:00408550 51 push ecx
:00408551 33F6 xor esi, esi
:00408553 E8B8000000 call 00408610 -------------进入此CALL
:00408558 8B842414010000 mov eax, dword ptr [esp+00000114]
:0040855F 83C408 add esp, 00000008
:00408562 8D542404 lea edx, dword ptr [esp+04]
:00408566 52 push edx －－－－－－－－－－－－'real code '
:00408567 50 push eax －－－－－－－－－－－－'fake code'

* Reference To: KERNEL32.lstrcmpA, Ord:0329h －－－－－－－－－－－
|                   总比较
:00408568 FF15C0504100 Call dword ptr [004150C0]
:0040856E 85C0 test eax, eax －－－－－－－－－－－－

* Possible Reference to String Resource ID=00001: "Registered to: "
|
:00408570 B801000000 mov eax, 00000001
:00408575 7402 je 00408579
:00408577 8BC6 mov eax, esi

----------------------------------------------------00408553 : call 00408610内--------------------------------------
* Referenced by a CALL at Address:
|:00408553
|
:00408610 81EC00010000 sub esp, 00000100
:00408616 A09CA74100 mov al, byte ptr [0041A79C]
:0040861B 53 push ebx
:0040861C 55 push ebp
:0040861D 56 push esi
:0040861E 57 push edi
:0040861F 88442410 mov byte ptr [esp+10], al
:00408623 B93F000000 mov ecx, 0000003F
:00408628 33C0 xor eax, eax
:0040862A 8D7C2411 lea edi, dword ptr [esp+11]
:0040862E F3 repz
:0040862F AB stosd
:00408630 66AB stosw
:00408632 AA stosb
:00408633 8BBC2414010000 mov edi, dword ptr [esp+00000114]
:0040863A 57 push edi

* Reference To: KERNEL32.lstrlenA, Ord:0335h
|
:0040863B FF1578514100 Call dword ptr [00415178]
:00408641 8BF0 mov esi, eax
:00408643 33C9 xor ecx, ecx
:00408645 33C0 xor eax, eax
:00408647 85F6 test esi, esi
:00408649 7613 jbe 0040865E
:0040864B 8B1558794100 mov edx, dword ptr [00417958]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040865C(C)
|
:00408651 0FBE1C38 movsx ebx, byte ptr [eax+edi] ------------------依次将NAME运算
:00408655 03DA add ebx, edx 此时：EDX=26H
:00408657 03CB add ecx, ebx
:00408659 40 inc eax
:0040865A 3BC6 cmp eax, esi
:0040865C 72F3 jb 00408651-------------------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408649(C)
|
:0040865E 8B9C2418010000 mov ebx, dword ptr [esp+00000118]
:00408665 51 push ecx ------------------------------ ecx=23fh=575d

* Possible StringData Ref from Data Obj ->"%u-" －－－－－－－－－－格式
|
:00408666 6894774100 push 00417794
:0040866B 53 push ebx

* Reference To: USER32.wsprintfA, Ord:02B3h
|
:0040866C FF15F4514100 Call dword ptr [004151F4]
:00408672 83C40C add esp, 0000000C
:00408675 33C9 xor ecx, ecx
:00408677 33C0 xor eax, eax
:00408679 85F6 test esi, esi
:0040867B 7614 jbe 00408691
:0040867D 8B155C794100 mov edx, dword ptr [0041795C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040868F(C)
|
:00408683 0FBE2C38 movsx ebp, byte ptr [eax+edi]－－－－－－－－－依次将NAME运算
:00408687 0FAFEA imul ebp, edx           此时：EDX=34H
:0040868A 03CD add ecx, ebp
:0040868C 40 inc eax
:0040868D 3BC6 cmp eax, esi
:0040868F 72F2 jb 00408683－－－－－－－－－－－－－－－－－－－

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040867B(C)
|
:00408691 51 push ecx - -----------------------------------------ecx=55ech=21996d
:00408692 8D4C2414 lea ecx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%u-" －－－－－－－－－－－－－－格式
|
:00408696 6894774100 push 00417794
:0040869B 51 push ecx

* Reference To: USER32.wsprintfA, Ord:02B3h
|
:0040869C FF15F4514100 Call dword ptr [004151F4]
:004086A2 83C40C add esp, 0000000C
:004086A5 8D542410 lea edx, dword ptr [esp+10]
:004086A9 52 push edx
:004086AA 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:0326h
|
:004086AB FF15A0504100 Call dword ptr [004150A0]
:004086B1 33C9 xor ecx, ecx
:004086B3 33C0 xor eax, eax
:004086B5 85F6 test esi, esi
:004086B7 7613 jbe 004086CC
:004086B9 8B1560794100 mov edx, dword ptr [00417960]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004086CA(C)
|
:004086BF 0FBE2C38 movsx ebp, byte ptr [eax+edi] －－－－－－－－－－依次将NAME运算
:004086C3 03EA add ebp, edx       此时：EDX=CH
:004086C5 03CD add ecx, ebp
:004086C7 40 inc eax
:004086C8 3BC6 cmp eax, esi
:004086CA 72F3 jb 004086BF －－－－－－－－－－－－－－－－－－

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004086B7(C)
|
:004086CC 51 push ecx ---------------------------------------ecx=1d7h=471d
:004086CD 8D442414 lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%u-" －－－－－－－－－－－－格式
|
:004086D1 6894774100 push 00417794
:004086D6 50 push eax

* Reference To: USER32.wsprintfA, Ord:02B3h
|
:004086D7 FF15F4514100 Call dword ptr [004151F4] ----------将注册码合并在一起
:004086DD 83C40C add esp, 0000000C
:004086E0 8D4C2410 lea ecx, dword ptr [esp+10]
:004086E4 51 push ecx
:004086E5 53 push ebx －－－－－－－－ebx=575-21996-

* Reference To: KERNEL32.lstrcatA, Ord:0326h
|
:004086E6 FF15A0504100 Call dword ptr [004150A0]
:004086EC 33C9 xor ecx, ecx
:004086EE 33C0 xor eax, eax
:004086F0 85F6 test esi, esi
:004086F2 7614 jbe 00408708
:004086F4 8B1564794100 mov edx, dword ptr [00417964]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408706(C)
|
:004086FA 0FBE2C38 movsx ebp, byte ptr [eax+edi] －－－－－－－－－依次将NAME运算
:004086FE 0FAFEA imul ebp, edx       此时:EDX=EH
:00408701 03CD add ecx, ebp
:00408703 40 inc eax
:00408704 3BC6 cmp eax, esi
:00408706 72F2 jb 004086FA－－－－－－－－－－－－－－－－－－－

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004086F2(C)
|
:00408708 51 push ecx -------------------------------------ecx=1722h=5922d
:00408709 8D542414 lea edx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%u" -------格式，最后一位
|
:0040870D 6890774100 push 00417790
:00408712 52 push edx

* Reference To: USER32.wsprintfA, Ord:02B3h
|
:00408713 FF15F4514100 Call dword ptr [004151F4]------------将注册码合并在一起
:00408719 83C40C add esp, 0000000C
:0040871C 8D442410 lea eax, dword ptr [esp+10]
:00408720 50 push eax
:00408721 53 push ebx －－－－－－－－－－－－－－－ebx=575-21996-471-

* Reference To: KERNEL32.lstrcatA, Ord:0326h
|
:00408722 FF15A0504100 Call dword ptr [004150A0] --------过了此CALL，就看到“全家福”了
:00408728 5F pop edi
:00408729 5E pop esi
:0040872A 5D pop ebp
:0040872B 5B pop ebx
:0040872C 81C400010000 add esp, 00000100
:00408732 C3 ret

算法概述：此注册码共分4段。每段EDX的值分别等于"26h" "34h" "ch" "eh"

:00408651 0FBE1C38 movsx ebx, byte ptr [eax+edi] ------------------依次将NAME运算
:00408655 03DA add ebx, edx 此时：EDX=26H //ebx=121+26
:00408657 03CB add ecx, ebx //ecx=ebx+ecx
:00408659 40 inc eax             //eax=eax+1
:0040865A 3BC6 cmp eax, esi //if eax<esi
:0040865C 72F3 jb 00408651-------------------------------------依次循环

其他每段的循环雷同，不再一一说了。

name:yeah
code:575-21996-471-5922

注册信息添加在：
HKEY_CURRENT_USER\Software\SuperCleaner\Registration