为了能看到精华5,我也凑数垃圾文献一篇
软件叫SuperCleaner.exe
下载地址:http://www.southbaypc.com/
目的:修改程序,让它在弹出错误提示框时直接显示出正确的注册码(自弹注册码),而不用另写注册机
:00412615 8B8C2418010000
mov ecx, dword ptr [esp+00000118]输入的注册码 00012615
8B8424 18010000 MOV EAX,DWORD PTR SS:[ESP+118] /*带 0001xxxx 地址的行是 OllyDbg 里改好的指令;0001xxxx 与上面 W32Dasm 的 0041xxxx 正好相差 00400000(映像基址),指的是同一条指令。原来是 mov ecx,[esp+118];改成 mov eax 是因为 call 00412590 比较完返回时 eax 会被返回值覆盖(后面 test eax,eax 用的就是它),所以把两个寄存器对调
:0041261C
8D442410 lea eax, dword
ptr [esp+10] 正确的注册码 0001261C 8D4C24 10
LEA ECX,DWORD PTR SS:[ESP+10] 原来是 lea eax,[esp+10];对调以后正确注册码的地址留在 ecx 里,eax 里是输入的注册码,下面 push eax/push ecx 的顺序不变,所以比较函数的两个参数也随之换位。注意 ecx 不是被调用方必须保留的寄存器,call 00412590 内部以及从这里到弹窗那段代码之间都可能改掉它;这个补丁能不能用,取决于这一版程序在这条路径上恰好没有动 ecx,换个版本要在调试器里重新确认*/
:00412620 50
push eax
00012620 50
PUSH EAX
:00412621 51
push ecx
00012621 51
PUSH ECX
:00412622 E869FFFFFF
call 00412590
00012622 E8 69FFFFFF
CALL 00012590
:00412627 83C410
add esp, 00000010
00012627 83C4 10
ADD ESP,10
:0041262A 85C0
test eax, eax
0001262A
85C0 TEST EAX,EAX
* Possible Reference to String
Resource ID=00001: "Registered to: %s" (这多半是 W32Dasm 把下面 mov eax,1 的立即数 1 误当成资源 ID 了,和判断逻辑无关)
|
:0041262C B801000000 mov
eax, 00000001
:00412631 7502
jne 00412635 比较函数返回非 0 时 eax 保持为 1 并跳过下一句;返回 0 时 eax = esi
:00412633 8BC6
mov eax, esi
00012078 6A 00
PUSH 0
00012078
6A 00 PUSH 0
0001207A 68 3C3D4200 PUSH 423D3C
0001207A 51
PUSH ECX /*颠倒后正确的注册码在ecx里面
0001207F 6A 0A PUSH 0A
0001207B 90
NOP
00012081 56
PUSH ESI
0001207C 90 NOP
00012082 E8 C980FFFF
CALL 0000A150 弹出错误提示框的例程。补丁把第二个参数 push 423D3C(5 字节)改成 push ecx 加 4 个 NOP,第三个参数 push 0A(2 字节)改成 push ecx 加 1 个 NOP,指令总长度不变,后面的 push esi 和 call 的相对地址都不用动
0001207D
90 NOP
00012087 83C4 10 ADD
ESP,10
0001207E
90 NOP
0001208A 33C0
XOR EAX,EAX
0001207F
51 PUSH ECX 两个 push ecx 分别顶替了原来的 push 423D3C 和 push 0A,所以弹出框的标题和内容都变成 ecx 指向的正确注册码(前提是 ecx 到这里还没被改掉)*/
00012080 90
NOP
00012081 56
PUSH ESI
附:注册码生成算法(W32Dasm 列表,从 push edi 处截起;从结尾的 pop edi/esi/ebp/ebx 和 add esp,100 可以看出函数开头的入栈和 sub esp,100 在这段之前,没有贴出来)
:004126EA 57
push edi------->注册名地址
* Reference To: KERNEL32.lstrlenA, Ord:03AEh-->取注册名的长度,返回值随后存进 esi,作为下面四个循环的次数
|
:004126EB FF1538024200
Call dword ptr [00420238]
:004126F1 8BF0
mov esi, eax
:004126F3 33C9
xor ecx, ecx
:004126F5 33C0
xor eax, eax
:004126F7 85F6
test esi, esi
:004126F9 7E13
jle 0041270E
:004126FB 8B1530664200
mov edx, dword ptr [00426630]
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0041270C(C)
|
:00412701 0FBE1C38
movsx ebx, byte ptr [eax+edi]-->注册名地址
:00412705 03DA
add ebx, edx
:00412707 03CB
add ecx, ebx
:00412709 40
inc eax
:0041270A 3BC6
cmp eax, esi
:0041270C 7CF3
jl 00412701----->以上循环:注册名的每个字节经 movsx 有符号扩展后加上常量 [00426630](edx),再累加到 ecx,得到第一段。注意 movsx 是带符号的,字节大于 7F 的字符(比如中文)会当成负数,自己写注册机时要照着算
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004126F9(C)
|
:0041270E 8B9C2418010000
mov ebx, dword ptr [esp+00000118]
:00412715 51
push ecx
* Possible
StringData Ref from Data Obj ->"%ld-"
|
:00412716 6844664200 push
00426644
:0041271B 53
push ebx
* Reference To: USER32.wsprintfA, Ord:02D6h
|
:0041271C FF151C034200
Call dword ptr [0042031C]-->用 wsprintfA 按 "%ld-" 把第一段累加值写进 ebx 指向的输出缓冲区(ebx=[esp+118],由调用者传入)。下面三段大同小异:第二、四段把每个字节乘(imul)上常量 [00426634]、[0042663C] 再累加,第三段加上常量 [00426638] 再累加;每段先 wsprintfA 到栈上 [esp+10] 的临时缓冲区(最后一段用 "%ld",没有尾随的 "-"),再用 lstrcatA 接到 ebx 后面
:00412722 83C40C
add esp, 0000000C wsprintfA 是 cdecl,三个参数由调用者清栈;下面没有难度,大家有兴趣就看
:00412725
33C9 xor
ecx, ecx
:00412727 33C0
xor eax, eax
:00412729 85F6
test esi, esi
:0041272B 7E14
jle 00412741
:0041272D
8B1534664200 mov edx, dword ptr [00426634]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041273F(C)
|
:00412733 0FBE2C38
movsx ebp, byte ptr [eax+edi]
:00412737 0FAFEA
imul ebp, edx
:0041273A
03CD add
ecx, ebp
:0041273C 40
inc eax
:0041273D 3BC6
cmp eax, esi
:0041273F 7CF2
jl 00412733
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041272B(C)
|
:00412741 51
push ecx
:00412742 8D4C2414
lea ecx, dword ptr [esp+14]
* Possible StringData
Ref from Data Obj ->"%ld-"
|
:00412746
6844664200 push 00426644
:0041274B 51
push ecx
* Reference To: USER32.wsprintfA, Ord:02D6h
|
:0041274C FF151C034200
Call dword ptr [0042031C]
:00412752 83C40C
add esp, 0000000C
:00412755
8D542410 lea edx, dword
ptr [esp+10]
:00412759 52
push edx
:0041275A 53
push ebx
* Reference
To: KERNEL32.lstrcatA, Ord:039Fh
|
:0041275B FF1520024200 Call dword
ptr [00420220]
:00412761 33C9
xor ecx, ecx
:00412763 33C0
xor eax, eax
:00412765 85F6
test esi, esi
:00412767 7E13
jle 0041277C
:00412769 8B1538664200
mov edx, dword ptr [00426638]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0041277A(C)
|
:0041276F 0FBE2C38
movsx ebp, byte ptr [eax+edi]
:00412773
03EA add
ebp, edx
:00412775 03CD
add ecx, ebp
:00412777 40
inc eax
:00412778 3BC6
cmp eax, esi
:0041277A
7CF3 jl 0041276F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412767(C)
|
:0041277C 51
push ecx
:0041277D 8D442414
lea eax, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"%ld-"
|
:00412781 6844664200
push 00426644
:00412786 50
push eax
* Reference To: USER32.wsprintfA,
Ord:02D6h
|
:00412787 FF151C034200
Call dword ptr [0042031C]
:0041278D 83C40C
add esp, 0000000C
:00412790 8D4C2410 lea
ecx, dword ptr [esp+10]
:00412794 51
push ecx
:00412795 53
push ebx
* Reference
To: KERNEL32.lstrcatA, Ord:039Fh
|
:00412796 FF1520024200 Call dword
ptr [00420220]
:0041279C 33C9
xor ecx, ecx
:0041279E 33C0
xor eax, eax
:004127A0 85F6
test esi, esi
:004127A2 7E14
jle 004127B8
:004127A4 8B153C664200
mov edx, dword ptr [0042663C]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004127B6(C)
|
:004127AA 0FBE2C38
movsx ebp, byte ptr [eax+edi]
:004127AE
0FAFEA imul ebp,
edx
:004127B1 03CD
add ecx, ebp
:004127B3 40
inc eax
:004127B4 3BC6
cmp eax, esi
:004127B6
7CF2 jl 004127AA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127A2(C)
|
:004127B8 51
push ecx
:004127B9 8D542414
lea edx, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"%ld"
|
:004127BD 6840664200
push 00426640
:004127C2 52
push edx
* Reference To: USER32.wsprintfA,
Ord:02D6h
|
:004127C3 FF151C034200
Call dword ptr [0042031C]
:004127C9 83C40C
add esp, 0000000C
:004127CC 8D442410 lea
eax, dword ptr [esp+10]
:004127D0 50
push eax
:004127D1 53
push ebx
* Reference
To: KERNEL32.lstrcatA, Ord:039Fh
|
:004127D2 FF1520024200 Call dword
ptr [00420220]
:004127D8 5F
pop edi---拼接好的注册码在 ebx 指向的缓冲区里,也就是 [esp+118] 传进来的输出缓冲区;ebx 本身随后被 pop ebx 恢复,所以要看结果得看那块内存,而不是寄存器
:004127D9 5E
pop esi
:004127DA
5D
pop ebp
:004127DB 5B
pop ebx
:004127DC 81C400010000
add esp, 00000100
:004127E2 C3
ret
这个算法就是对注册名各字节做四次线性运算(分别加/乘四个固定常量 [00426630]~[0042663C] 后求和,常量值在程序数据区,这里没贴出来),再按 "%ld-%ld-%ld-%ld" 拼起来,没有任何秘密成分,看懂了就能直接写出注册机;唯一要留意的是 movsx 的符号扩展和 %ld 的 32 位有符号溢出,计算时要用 32 位有符号整数
00012082 E8 C980FFFF
CALL 0000A150
pll621
- 标 题:SuperCleaner 2.43 (9千字)
- 作 者:pll621
- 时 间:2002-9-27 0:03:55
- 链 接:http://bbs.pediy.com