下载:http://newhua.ruyi.com/down/yonc112.exe
这个程序的保护很有意思,作者放了不少陷阱在里面,用W32Dasm你可以搜索到下面这个字符串
* Possible StringData
Ref from Data Obj ->"DQJXN-ASNYZ-GQI-FNB"
如果你用它来注册的话,程序会告诉你这个注册码已经无效。
不同的错误注册码会得到不同的错误提示,比如:这个注册码是旧版本的注册码、是以后版本的注册码、是无效注册码、是过期注册码,等等。
注册码比较过程中所查的表,也很有意思,我把它列在下面了,有兴趣可以看看
好了,言归正传:
======================================================================================================
* Reference To: USER32.SendMessageA, Ord:0214h
|
:004287D7 FF1560C24500
Call dword ptr [0045C260]
:004287DD 8D8C2498000000
lea ecx, dword ptr [esp+00000098]
:004287E4 E8272A0100
call 0043B210<--------------------读取注册码
:004287E9 85C0
test eax, eax
:004287EB 0F8455010000
je 00428946
:004287F1 8B542434
mov edx, dword ptr [esp+34]<------假注册码
:004287F5 8D4C2414
lea ecx, dword ptr [esp+14]
:004287F9 52
push edx
:004287FA E801EAFFFF
call 00427200<--------------------(1)核心,跟入
:004287FF 8D4C2414
lea ecx, dword ptr [esp+14]
:00428803 C684245405000005 mov byte ptr [esp+00000554],
05
:0042880B E8A0EAFFFF call
004272B0<--------------------al<-[ecx+08]
:00428810 25FF000000
and eax, 000000FF
:00428815 8D4C2414
lea ecx, dword ptr [esp+14]
:00428819 8BD8
mov ebx, eax
:0042881B E880EAFFFF
call 004272A0<--------------------eax<-[ecx+0c]
:00428820 85DB
test ebx, ebx
:00428822 8BE8
mov ebp, eax
:00428824 7431
je 00428857
:00428826 8D4C2414
lea ecx, dword ptr [esp+14]
:0042882A E841EAFFFF
call 00427270<-------------------(2)判断,跟入
:0042882F 8B4E68
mov ecx, dword ptr [esi+68]
:00428832 25FF000000
and eax, 000000FF
:00428837 3BC8
cmp ecx, eax
:00428839 7E07
jle 00428842
:0042883B BD04000000 mov ebp,
00000004
:00428840 EB19
jmp 0042885B
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00428839(C)
|
:00428842 8D4C2414
lea ecx, dword ptr [esp+14]
:00428846
E805EAFFFF call 00427250<------------------(3)判断,跟入
:0042884B 384614
cmp byte ptr [esi+14], al
:0042884E 7407
je 00428857
:00428850 BD05000000
mov ebp, 00000005
:00428855 EB04
jmp 0042885B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00428824(C), :0042884E(C)
|
:00428857 85ED
test ebp, ebp
:00428859 743A
je 00428895<----------------------跳吧,不要怕,
不跳就没机会了
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00428840(U), :00428855(U)
|
:0042885B 8D842484000000
lea eax, dword ptr [esp+00000084]
:00428862 55
push ebp
:00428863 50
push eax
:00428864 E857010000
call 004289C0
:00428869 8B00
mov eax, dword ptr [eax]
:0042886B 8B7618
mov esi, dword ptr [esi+18]
:0042886E 50
push eax
:0042886F 56
push esi
:00428870 57
push edi
:00428871
C684246805000009 mov byte ptr [esp+00000568], 09
:00428879 E8A2710100 call 0043FA20<---------------------出错信息,到这里就玩完了
===================================================================================
* Referenced by a CALL at Addresses:<--------------------------- call
(1)
|:004287FA , :00428FA7
|
; Routine at 00427200 (the page's "call (1)"): clears a result object and
; passes the entered registration string on to the routine at 00427920.
; In:  ecx      = pointer to the result object (ecx is copied to esi and
;                 used as a base register; looks like a thiscall-style
;                 "this" pointer -- TODO confirm)
;      [esp+04] = the only stack argument; the author's annotation marks it
;                 as the registration code typed in by the user
; Out: eax      = the object pointer that arrived in ecx
; The routine removes its own 4-byte argument on return (ret 0004).
:00427200 8B542404
mov edx, dword ptr [esp+04]<-------假注册码
:00427204 56
push esi
:00427205 8BF1
mov esi, ecx
:00427207 33C0
xor eax, eax
; edx is pushed now as the argument for the call at 00427215.
:00427209 52
push edx
; Zero the four object fields before validation runs: byte [+08],
; dword [+0C], dword [+00] and dword [+04] (esi and ecx hold the same pointer).
:0042720A 884608
mov byte ptr [esi+08], al
:0042720D 89460C
mov dword ptr [esi+0C], eax
:00427210 8901
mov dword ptr [ecx],
eax
:00427212 894104
mov dword ptr [ecx+04], eax
; ecx has not been written since entry, so 00427920 receives the same object.
:00427215 E806070000
call 00427920<----------------(1.1)
; Return the object pointer to the caller.
:0042721A
8BC6 mov
eax, esi
:0042721C 5E
pop esi
:0042721D C20400
ret 0004
==================================================================================
* Referenced by a CALL at Addresses:<--------------------------- call
(1.1)
|:00427215 , :00427849
|
; Routine at 00427920 (the page's "call (1.1)"): validates the entered
; registration string and records the outcome in the object passed in ecx.
; In:  ecx      = result object (kept in esi for the whole routine)
;      [esp+04] = pointer to the entered string (loaded into ebp at 00427964)
; Out: byte  [esi+08] = flag written from al at 00427A2F, cleared again on
;                       the later failure paths
;      dword [esi+0C] = status value; 0 lets the next stage run, and the
;                       failure paths below store 1, 7 or 8
;      dword [esi], [esi+04] = two dwords copied from the decoded buffer
; The page's notes on 004272B0 / 004272A0 say the caller reads [ecx+08] and
; [ecx+0C] back from this object.
; NOTE(review): each stage stores its own status value, which is consistent
; with the author's remark that the program shows a different message for
; each kind of rejected code.
; ebx is zeroed at 0042793B and used as the constant 0 in later compares.
;
; Prologue: link an exception registration record at fs:[00000000].
; 004588E8 is presumably the handler or its scope table -- not shown here.
:00427920 6AFF
push FFFFFFFF
:00427922 68E8884500 push 004588E8
:00427927 64A100000000 mov eax,
dword ptr fs:[00000000]
:0042792D 50
push eax
:0042792E 64892500000000
mov dword ptr fs:[00000000], esp
; Reserve 2Ch bytes of locals and save the registers restored at 00427A8C.
:00427935 83EC2C
sub esp, 0000002C
:00427938 53
push ebx
:00427939 55
push ebp
:0042793A 56
push esi
:0042793B 33DB
xor ebx, ebx
:0042793D 57
push edi
:0042793E 8BF1
mov esi, ecx
; Zero-initialise a five-dword local object (fourth dword = 60h) and call
; 0042E2C0 on it with the arguments (FFFFFFFF, 0). The helper is not shown;
; the strings.hpp assertion text below suggests a string class -- TODO confirm.
:00427940 53
push ebx
:00427941 6AFF
push FFFFFFFF
:00427943 8D4C241C lea
ecx, dword ptr [esp+1C]
:00427947 895C241C
mov dword ptr [esp+1C], ebx
:0042794B 895C2420
mov dword ptr [esp+20], ebx
:0042794F 895C2424 mov
dword ptr [esp+24], ebx
:00427953 C744242860000000
mov [esp+28], 00000060
:0042795B 895C242C
mov dword ptr [esp+2C], ebx
:0042795F E85C690000
call 0042E2C0
; ebp = the routine's stack argument. [esp+44] is the slot that received the
; FFFFFFFF pushed in the prologue; it is rewritten with 0, 1, 3 and FFFFFFFF
; below and looks like compiler-generated exception state -- TODO confirm.
:00427964 8B6C244C
mov ebp, dword ptr [esp+4C]<-------假注册码
:00427968 895C2444
mov dword ptr [esp+44], ebx
; A null string pointer skips the length computation and the copy.
:0042796C 3BEB
cmp ebp, ebx
:0042796E 7417
je 00427987
; Inline strlen: scan for the NUL byte with ecx starting at FFFFFFFF, then
; "not ecx / dec ecx" leaves the length without the terminator in ecx.
:00427970
8BFD mov
edi, ebp<---------------------开始计算注册码长度
:00427972 83C9FF
or ecx, FFFFFFFF
:00427975
33C0 xor
eax, eax
:00427977 55
push ebp
:00427978 F2
repnz
:00427979 AE
scasb
:0042797A
F7D1 not
ecx
:0042797C 49
dec ecx
; The string pointer (pushed at 00427977) and its length are handed to
; 0042E2C0 for the same local object that was initialised above.
:0042797D 51
push ecx<-------------------------
并入栈
:0042797E 8D4C241C
lea ecx, dword ptr [esp+1C]
:00427982 E839690000
call 0042E2C0
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0042796E(C)
|
; Call 00427560 (the author's "table lookup" step) with two pointers: the
; local object at [esp+28] and the local holding the input at [esp+14].
; The caller pops both arguments. edi is set to 1 here and reused as the
; constant 1 later on.
:00427987 8D442414
lea eax, dword ptr [esp+14]<-------假注册码
:0042798B 8D4C2428
lea ecx, dword ptr [esp+28]
:0042798F BF01000000
mov edi, 00000001
:00427994 50
push eax
:00427995 51
push ecx
:00427996 897C244C
mov dword ptr [esp+4C], edi
:0042799A E8C1FBFFFF
call 00427560<---------------------(1.1.1)查表,跟入
:0042799F
83C408 add esp,
00000008
; 0042E290 is called on the input object here and on the decoded object in
; the epilogue; presumably it releases the object -- TODO confirm.
:004279A2 8D4C2414
lea ecx, dword ptr [esp+14]<-------假注册码
:004279A6 C644244403
mov [esp+44], 03
:004279AB E8E0680000
call 0042E290
; The decoded object must have a non-zero first dword and 8 in its second
; dword; otherwise status 7 is stored at 004279FB. The page's notes inside
; 00427560 label the same two fields of the input object as string and length.
:004279B0 395C2428
cmp dword ptr [esp+28], ebx
:004279B4 7445
je 004279FB
:004279B6 837C242C08
cmp dword ptr [esp+2C], 00000008
:004279BB 753E
jne 004279FB
; Five-argument call carrying a source file name, the value 5Ah and the
; expression text "i>=0 && i<this->Len"; looks like an assertion helper with
; 5Ah as the line number -- TODO confirm. The caller pops 14h bytes.
:004279BD 6820ED4600
push 0046ED20
:004279C2 6A5A
push 0000005A
* Possible StringData Ref from Data Obj ->"w:\zaphod\strings.hpp"
|
:004279C4 6878624600
push 00466278
* Possible StringData Ref from Data
Obj ->"i>=0 && i<this->Len"
|
:004279C9 6898824600 push
00468298
:004279CE 57
push edi
:004279CF E83C660000
call 0042E010
; eax = first dword of the decoded object; [esp+3C] is read while the five
; arguments are still on the stack, so it is the slot checked at 004279B0.
:004279D4 8B44243C
mov eax, dword ptr [esp+3C]
:004279D8
83C414 add esp,
00000014
; Copy the first two dwords at that address into [esi] and [esi+04], and pass
; pointers to two locals to 004272C0. Those locals are the byte and word that
; are read back at 00427A09 and 00427A20.
:004279DB 8D4C2412
lea ecx, dword ptr [esp+12]
:004279DF 8B10
mov edx, dword ptr [eax]
:004279E1
51
push ecx
:004279E2 8916
mov dword ptr [esi], edx
:004279E4 8B4004
mov eax, dword ptr [eax+04]
:004279E7
8D542415 lea edx, dword
ptr [esp+15]
:004279EB 8BCE
mov ecx, esi
:004279ED 52
push edx
:004279EE 894604
mov dword ptr [esi+04],
eax
; The return value of 004272C0 becomes the status; the author observed 0.
:004279F1 E8CAF8FFFF
call 004272C0<---------------------(1.1.2)比较,跟入
:004279F6 89460C
mov dword ptr [esi+0C],
eax<-------0
:004279F9 EB07
jmp 00427A02
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:004279B4(C), :004279BB(C)
|
; Failure path for the two checks at 004279B0 / 004279B6: status = 7.
:004279FB C7460C07000000 mov [esi+0C], 00000007
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004279F9(U)
|
; Any non-zero status goes straight to the cleanup at 00427A77.
:00427A02 395E0C
cmp dword ptr [esi+0C], ebx
:00427A05 7570
jne 00427A77
; Two field checks; the hex values in the author's arrows are from his own
; debugging session. First: the top byte of [esi] (shift count 18h = 24 bits)
; must equal the local byte at [esp+11].
:00427A07 8B06
mov eax, dword ptr [esi]<----------0x67452310
:00427A09 8A4C2411
mov cl, byte ptr [esp+11]<---------0x4a
:00427A0D C1E818
shr eax, 18<-----------------------0x67
:00427A10 3AC8
cmp cl, al<------------------------0x67和0x4a比较
:00427A12 7517
jne 00427A2B
; Second: bits 12..23 of [esi+04] must equal the local word at [esp+12].
:00427A14 8B4E04
mov ecx, dword ptr [esi+04]<-------0xefcdab89
:00427A17
C1E90C shr ecx,
0C<-----------------------0xefcda
:00427A1A 81E1FF0F0000
and ecx, 00000FFF<-----------------0xcda
:00427A20
66394C2412 cmp word ptr [esp+12],
cx<---------0xcda和0x999比较
:00427A25 7504
jne 00427A2B
; Both checks passed: eax = 1 (edi still holds 1).
:00427A27 8BC7
mov eax, edi
:00427A29
EB02 jmp
00427A2D
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:00427A12(C), :00427A25(C)
|
; Either check failed: eax = 0.
:00427A2B 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00427A29(U)
|
; Store the result in the flag byte [esi+08]; when it is 0 the status
; becomes 1.
:00427A2D 3AC3
cmp al, bl
:00427A2F 884608
mov byte ptr [esi+08], al
:00427A32 7503
jne 00427A37
:00427A34 897E0C
mov dword ptr [esi+0C], edi
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00427A32(C)
|
:00427A37 395E0C
cmp dword ptr [esi+0C], ebx
:00427A3A 753B
jne 00427A77
; Further check on the raw input string: 00427F80 takes one argument, popped
; by the caller. A non-zero return clears the flag and sets status 8.
; What 00427F80 tests is not visible in this listing.
:00427A3C 55
push ebp
:00427A3D E83E050000
call 00427F80
:00427A42 83C404
add esp, 00000004
:00427A45 85C0
test eax, eax
:00427A47 740A
je 00427A53
:00427A49 885E08
mov byte ptr [esi+08], bl
:00427A4C C7460C08000000
mov [esi+0C], 00000008
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00427A47(C)
|
:00427A53 395E0C
cmp dword ptr [esi+0C],
ebx
:00427A56 751F
jne 00427A77
; Last check: the value returned by 00427290 (called with ecx = the object)
; and the input string go to 00427FD0. A non-zero return clears the flag and
; sets status 7. Neither helper is shown in this listing.
:00427A58 8BCE
mov ecx, esi
:00427A5A E831F8FFFF
call 00427290
:00427A5F 50
push eax
:00427A60 55
push ebp
:00427A61 E86A050000
call 00427FD0
:00427A66 83C408
add esp, 00000008
:00427A69 85C0
test eax, eax
:00427A6B
740A je 00427A77
:00427A6D 885E08
mov byte ptr [esi+08], bl
:00427A70 C7460C07000000
mov [esi+0C], 00000007
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:00427A05(C), :00427A3A(C), :00427A56(C), :00427A6B(C)
|
; Common exit: call 0042E290 on the decoded object, put the saved previous
; fs:[00000000] value back, restore the registers, drop the locals together
; with the exception record (38h bytes) and remove the 4-byte argument.
:00427A77 8D4C2428
lea ecx, dword ptr [esp+28]
:00427A7B C7442444FFFFFFFF
mov [esp+44], FFFFFFFF
:00427A83 E808680000
call 0042E290
:00427A88 8B4C243C
mov ecx, dword ptr [esp+3C]
:00427A8C
5F
pop edi
:00427A8D 5E
pop esi
:00427A8E 5D
pop ebp
:00427A8F 5B
pop ebx
:00427A90
64890D00000000 mov dword ptr fs:[00000000],
ecx
:00427A97 83C438
add esp, 00000038
:00427A9A C20400
ret 0004
============================================================================================
* Referenced by a CALL at Address:<--------------------------------call
(1.1.1)
|:0042799A
|
:00427560 6AFF
push FFFFFFFF
:00427562 683F884500
push 0045883F
:00427567 64A100000000
mov eax, dword ptr fs:[00000000]
:0042756D
50
push eax
:0042756E 64892500000000 mov dword
ptr fs:[00000000], esp
:00427575 83EC24
sub esp, 00000024
:00427578 53
push ebx
:00427579
55
push ebp
:0042757A B820ED4600
mov eax, 0046ED20
:0042757F 33ED
xor ebp, ebp
:00427581 56
push esi
:00427582
57
push edi
:00427583 85C0
test eax, eax
:00427585 896C241C
mov dword ptr [esp+1C], ebp
:00427589 C644241300
mov [esp+13], 00
:0042758E 896C2414
mov dword ptr [esp+14], ebp
:00427592 896C2420 mov
dword ptr [esp+20], ebp
:00427596 896C2424
mov dword ptr [esp+24], ebp
:0042759A 896C2428
mov dword ptr [esp+28], ebp
:0042759E C744242C60000000 mov [esp+2C], 00000060
:004275A6 896C2430 mov
dword ptr [esp+30], ebp
:004275AA 740B
je 004275B7
:004275AC 50
push eax
:004275AD
55
push ebp
:004275AE 8D4C2428
lea ecx, dword ptr [esp+28]
:004275B2 E8096D0000
call 0042E2C0
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004275AA(C)
|
:004275B7 C744243C01000000
mov [esp+3C], 00000001
:004275BF 33FF
xor edi, edi
:004275C1 896C2418
mov dword ptr [esp+18], ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042767B(U), :004276AC(U)
|
:004275C5 8B4C2448
mov ecx, dword ptr [esp+48]<-------假注册码
:004275C9 8B01
mov eax, dword ptr [ecx]
:004275CB 3BC5
cmp eax, ebp
:004275CD 7405
je 004275D4
:004275CF 8B4904
mov ecx, dword ptr [ecx+04]<-------假注册码长度
:004275D2 EB02
jmp 004275D6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004275CD(C)
|
:004275D4 33C9
xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004275D2(U)
|
:004275D6 3BF9
cmp edi, ecx
:004275D8 0F8DD3000000
jnl 004276B1
:004275DE 33C9
xor ecx, ecx
:004275E0
8A0C38 mov cl, byte
ptr [eax+edi]<-------取一个字
:004275E3 51
push ecx
:004275E4 E8B30F0200
call 0044859C<--------------------判断大小写
:004275E9 8AD8
mov bl, al
:004275EB 83C404
add esp, 00000004
:004275EE 80FB20
cmp bl, 20<-----------------------判断是否空格
:004275F1 0F84B4000000 je 004276AB
:004275F7 80FB2D
cmp bl, 2D<-----------------------'-'
:004275FA 0F84AB000000
je 004276AB
:00427600 80FB0D
cmp bl, 0D
:00427603 0F84A2000000
je 004276AB
:00427609 80FB0A
cmp bl, 0A
:0042760C 0F8499000000
je 004276AB<----------------------是的话,计数器加1,不比较
:00427612 8B442414
mov eax, dword ptr [esp+14]
:00427616 B905000000
mov ecx, 00000005
- 标 题:yonc v1.12---------------------(一)可能贴不下 (29千字)
- 作 者:lancelot[CCG]
- 时 间:2001-9-18 23:44:38
- 链 接:http://bbs.pediy.com