Windows LockUp 1.4

标题：申请加入BCG第二篇 (9千字)
作者：lllufh
时间：2001-9-16 10:47:41
链接：http://bbs.pediy.com

目标软件：★Windows LockUp 1.4

软件简介： Windows LockUp是一个电脑安全防护软件，当你离开电脑时，可以设定密码，防止别人乱动你的电脑。可以设置自动手动启动密码保护，还支持省电功能、密码保护的屏幕程序、网络使用者确认等等。试用者请在序列号输入对对话框不输入就可以了。

下载地址 http://www.softheap.com/download/wlock.zip

目的：当然是想加入BCG

工具： w32dasm

过程：

终于从失恋的阴影中走出!(太快了吧，一看就知道不是什么好鸟^_^)，找个软件练练手!!!!咦？？Windows Lockup?看起来不错，就你吧!!!(谁让本人心情好呢)

先用TRW2000常规查询法试了试，没啥子头绪，算了，用w32dasm看看有什么突破口吧

用language查看程序，爽!!!没加壳!

动工，动工!

打开w32dasm调进主程序，利用“串式查找”功能找到："Sorry, this registration code "

反复双击，发现只有一处调用!!(不错，两处以上我就不知该怎么办了，^O^)

代码如下：

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8EE3(C)
|
:004A8F0B 8BC6 mov eax, esi
:004A8F0D E8569FF5FF call 00402E68
:004A8F12 DD05B8ED4A00 fld qword ptr [004AEDB8]
:004A8F18 D81DC88F4A00 fcomp dword ptr [004A8FC8]
:004A8F1E DFE0 fstsw ax
:004A8F20 9E sahf
:004A8F21 7456 je 004A8F79

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8E78 ------这么长一段的比较怀疑和注册码有关!
:004A8F23 8B07 mov eax, dword ptr [edi]
:004A8F25 E80AAFF5FF call 00403E34
:004A8F2A 83F80C cmp eax,0000000C
你输入的注册码的位数比较小于12则完蛋
:004A8F2D 7C43 jl 004A8F72
:004A8F2F 8B07 mov eax, dword ptr [edi]
:004A8F31 803837 cmp byte ptr [eax],37
和你输入的注册码第一位比较不是7则完蛋
:004A8F34 753C jne 004A8F72
:004A8F36 8B07 mov eax, dword ptr [edi]
:004A8F38 80780130 cmp byte ptr [eax+01], 30
和你输入的注册码第二位比较不是0则完蛋
:004A8F3C 7534 jne 004A8F72
:004A8F3E 8B07 mov eax, dword ptr [edi]
:004A8F40 80780237 cmp byte ptr [eax+02], 37
和你输入的注册码第三位比较不是7则完蛋
:004A8F44 752C jne 004A8F72
:004A8F46 8B07 mov eax, dword ptr [edi]
:004A8F48 80780332 cmp byte ptr [eax+03], 32
和你输入的注册码第四位比较不是2则完蛋
:004A8F4C 7524 jne 004A8F72
:004A8F4E 8B07 mov eax, dword ptr [edi]
:004A8F50 80780431 cmp byte ptr [eax+04], 31
和你输入的注册码第五位比较不是1则完蛋
:004A8F54 751C jne 004A8F72
:004A8F56 8B07 mov eax, dword ptr [edi]
:004A8F58 80780943 cmp byte ptr [eax+09], 43
和你输入的注册码第十位比较不是C则完蛋
:004A8F5C 7514 jne 004A8F72
:004A8F5E 8B07 mov eax, dword ptr [edi]
:004A8F60 80780A57 cmp byte ptr [eax+0A], 57
和你输入的注册码第十一位比较不是W则完蛋
:004A8F64 750C jne 004A8F72
:004A8F66 8B07 mov eax, dword ptr [edi]
:004A8F68 80780B4C cmp byte ptr [eax+0B], 4C
和你输入的注册码第十二位比较不是L则完蛋
:004A8F6C 7504 jne 004A8F72
:004A8F6E B301 mov bl, 01
:004A8F70 EB07 jmp 004A8F79

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A8F2D(C), :004A8F34(C), :004A8F3C(C), :004A8F44(C), :004A8F4C(C)
|:004A8F54(C), :004A8F5C(C), :004A8F64(C), :004A8F6C(C)
|
:004A8F72 8BC7 mov eax, edi
:004A8F74 E83BACF5FF call 00403BB4

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A8F21(C), :004A8F70(U)
|
:004A8F79 33C0 xor eax, eax
:004A8F7B 5A pop edx
:004A8F7C 59 pop ecx
:004A8F7D 59 pop ecx
:004A8F7E 648910 mov dword ptr fs:[eax], edx
:004A8F81 689B8F4A00 push 004A8F9B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8F99(U)
|
:004A8F86 8D45F4 lea eax, dword ptr [ebp-0C]
:004A8F89 BA02000000 mov edx, 00000002
:004A8F8E E845ACF5FF call 00403BD8
:004A8F93 C3 ret

:004A8F94 E92FA6F5FF jmp 004035C8
:004A8F99 EBEB jmp 004A8F86
:004A8F9B 8BC3 mov eax, ebx
:004A8F9D 5F pop edi
:004A8F9E 5E pop esi
:004A8F9F 5B pop ebx
:004A8FA0 8BE5 mov esp, ebp
:004A8FA2 5D pop ebp
:004A8FA3 C3 ret

:004A8FA4 FFFFFFFF BYTE 4 DUP(0ffh)

:004A8FA8 0200 add al, byte ptr [eax]
:004A8FAA 0000 add byte ptr [eax], al
:004A8FAC 44 inc esp
:004A8FAD 54 push esp
:004A8FAE 0000 add byte ptr [eax], al
:004A8FB0 FFFFFFFF BYTE 4 DUP(0ffh)

:004A8FB4 0100 add dword ptr [eax], eax
:004A8FB6 0000 add byte ptr [eax], al
:004A8FB8 3000 xor byte ptr [eax], al
:004A8FBA 0000 add byte ptr [eax], al
:004A8FBC FFFFFFFF BYTE 4 DUP(0ffh)

:004A8FC0 0100 add dword ptr [eax], eax
:004A8FC2 0000 add byte ptr [eax], al
:004A8FC4 4E dec esi
:004A8FC5 00000000000000 BYTE 7 DUP(0)

:004A8FCC 55 push ebp
:004A8FCD 8BEC mov ebp, esp
:004A8FCF 6A00 push 00000000
:004A8FD1 53 push ebx
:004A8FD2 56 push esi
:004A8FD3 8BF0 mov esi, eax
:004A8FD5 33C0 xor eax, eax
:004A8FD7 55 push ebp
:004A8FD8 68A1904A00 push 004A90A1
:004A8FDD 64FF30 push dword ptr fs:[eax]
:004A8FE0 648920 mov dword ptr fs:[eax], esp
:004A8FE3 33DB xor ebx, ebx
:004A8FE5 B8ACED4A00 mov eax, 004AEDAC
:004A8FEA 8BD6 mov edx, esi
:004A8FEC E817ACF5FF call 00403C08
:004A8FF1 33C0 xor eax, eax
:004A8FF3 E858FEFFFF call 004A8E50
:004A8FF8 84C0 test al, al
:004A8FFA 7477 je 004A9073
:004A8FFC B301 mov bl, 01
:004A8FFE A020D94A00 mov al, byte ptr [004AD920]
:004A9003 50 push eax
:004A9004 8B0DB0ED4A00 mov ecx, dword ptr [004AEDB0]
:004A900A B201 mov dl, 01
:004A900C A1A8CB4900 mov eax, dword ptr [0049CBA8]
:004A9011 E84643FFFF call 0049D35C
:004A9016 8BF0 mov esi, eax
:004A9018 E8570DF6FF call 00409D74
:004A901D 83C4F4 add esp, FFFFFFF4
:004A9020 DB3C24 fstp tbyte ptr [esp]
:004A9023 9B wait
:004A9024 8D45FC lea eax, dword ptr [ebp-04]
:004A9027 E8A807F6FF call 004097D4
:004A902C 8B45FC mov eax, dword ptr [ebp-04]
:004A902F 50 push eax
:004A9030 B9B8904A00 mov ecx, 004A90B8
:004A9035 33D2 xor edx, edx
:004A9037 8BC6 mov eax, esi
:004A9039 E88A47FFFF call 0049D7C8
:004A903E A1ACED4A00 mov eax, dword ptr [004AEDAC]
:004A9043 50 push eax
:004A9044 B9C4904A00 mov ecx, 004A90C4
:004A9049 33D2 xor edx, edx
:004A904B 8BC6 mov eax, esi
:004A904D E87647FFFF call 0049D7C8
:004A9052 8BC6 mov eax, esi
:004A9054 E80F9EF5FF call 00402E68
:004A9059 6A40 push 00000040

* Possible StringData Ref from Code Obj ->"Information"
|
:004A905B B9C8904A00 mov ecx, 004A90C8

* Possible StringData Ref from Code Obj ->"Thank you for support !" 接着向上看
|
:004A9060 BAD4904A00 mov edx, 004A90D4
:004A9065 A134DC4A00 mov eax, dword ptr [004ADC34]
:004A906A 8B00 mov eax, dword ptr [eax]
:004A906C E8B347FAFF call 0044D824
:004A9071 EB18 jmp 004A908B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A8FFA(C)
|
:004A9073 6A10 push 00000010

* Possible StringData Ref from Code Obj ->"Error"
|
:004A9075 B9EC904A00 mov ecx, 004A90EC

* Possible StringData Ref from Code Obj ->"Sorry, this registration code " 向上看
->"is invalid."
|
:004A907A BAF4904A00 mov edx, 004A90F4
:004A907F A134DC4A00 mov eax, dword ptr [004ADC34]
:004A9084 8B00 mov eax, dword ptr [eax]
:004A9086 E89947FAFF call 0044D824

降龙十八掌最后一着:
总结：

序列号：70721****CWL

****这四位随便填

各位老大，我这样应该不算是爆破吧，呵呵！
请各位老大，前辈们指点一下！