大家好,写得比较乱,凑合着看看吧。一口气发了几篇,花了不少时间,最近我是不会再玩crack了,不过,我还是会常来论坛转转的,呵呵。
Help & Manual 3.0.4.619 破解笔记
================================
sunrise,
2002-9-26
软件名称:Help & Manual
软件版本:3.0.4.619
软件简介:所见即所得的Help文件制作工具
软件主页:http://www.helpandmanual.com
保护方式:14天使用期限+Nag screen;另有简单的反SoftICE措施(用CreateFileA探测"\\.\SICE"和"\\.\NTICE"设备名,且只随机触发一部分),以及两处防止改系统时间的检查(剩余天数必须在0..14之间;当前日期不能早于一个.dpl文件的日期)
使用工具:dede,ollydbg,hiew
主程序HelpMan_demo.exe未加壳,用PEiD检测,报告是Delphi程序,这下dede可派上用场了。用dede反编译HelpMan_demo.exe,经过分析,程序开始时出现的对话框的form是TFrmAbout:
TFrmAbout.FormShow
00593268 55
push ebp
00593269
8BEC mov
ebp, esp
0059326B B905000000
mov ecx, $00000005
00593270 6A00
push $00
00593272 6A00
push $00
00593274 49
dec ecx
00593275 75F9
jnz 00593270
00593277
51 push
ecx
00593278 53
push ebx
00593279 56
push esi
0059327A 8BD8
mov ebx, eax
0059327C 33C0
xor eax, eax
0059327E
55 push
ebp
0059327F 68AB345900
push $005934AB
***** TRY
|
00593284 64FF30
push dword ptr fs:[eax]
00593287 648920
mov fs:[eax], esp
* Reference to field TFrmAbout.OFFS_0211
|
0059328A 80BB1102000003 cmp
byte ptr [ebx+$0211], $03
00593291 750D
jnz 005932A0
* Reference to field TFrmAbout.OFFS_003C
|
00593293 8B533C
mov edx, [ebx+$3C]
00593296 83C21E
add edx, +$1E
00593299 8BC3
mov eax, ebx
* Reference
to: controls.TControl.SetHeight(TControl;System.Integer);
|
0059329B
E88C3BEAFF call 00436E2C
* Reference to field TFrmAbout.OFFS_0300
|
005932A0
8D8300030000 lea eax, [ebx+$0300]
* Possible String Reference to: 'http://www.ec-software.com/order.htm'
|
005932A6 BAC0345900
mov edx, $005934C0
*
Reference to: system.@LStrAsg;
|
005932AB E87C0BE7FF
call 00403E2C
* Reference to
TDM instance
|
005932B0 A1FCF76A00
mov eax, dword ptr [$6AF7FC]
005932B5 8B00
mov eax,
[eax]
* Reference to field TDM.OFFS_006C
|
005932B7
83786C00 cmp dword
ptr [eax+$6C], +$00 ;剩余使用天数<0?
005932BB 0F8CAB000000
jl 0059336C
005932C1 8D45FC
lea eax, [ebp-$04]
005932C4 50
push eax
005932C5 8D4DF8
lea ecx, [ebp-$08]
*
Reference to TDM instance
|
005932C8 A1FCF76A00
mov eax, dword ptr [$6AF7FC]
005932CD
8B00 mov
eax, [eax]
* Reference to field TDM.OFFS_0070
|
005932CF
8B4070 mov
eax, [eax+$70]
* Possible String Reference to: 'EvalDue'
|
005932D2 BAF0345900 mov
edx, $005934F0
* Reference to: classes.TStrings.GetValue(TStrings;System.AnsiString):System.AnsiString;
| or: nmextstr.TExStringList.GetValue(TExStringList;System.AnsiString):System.AnsiString;
|
005932D7 E82007E8FF
call 004139FC
005932DC 8B45F8
mov eax, [ebp-$08]
005932DF
50 push
eax
005932E0 8D55EC
lea edx, [ebp-$14]
* Reference to TDM instance
|
005932E3 A1FCF76A00
mov eax, dword ptr [$6AF7FC]
005932E8 8B00
mov eax, [eax]
* Reference to field TDM.OFFS_006C
|
005932EA 8B406C
mov eax, [eax+$6C]
* Reference to: sysutils.IntToStr(System.Integer):System.AnsiString;overload;
|
005932ED E8EA60E7FF
call 004093DC
005932F2 8B45EC
mov eax, [ebp-$14]
005932F5
8945F0 mov
[ebp-$10], eax
005932F8 C645F40B
mov byte ptr [ebp-$0C], $0B
005932FC 8D55F0
lea edx, [ebp-$10]
005932FF 33C9
xor ecx, ecx
00593301 58
pop eax
|
00593302 E87974E7FF call
0040A780
00593307 8B55FC
mov edx, [ebp-$04]
;在about对话框上显示剩余的天数
* Reference to control TFrmAbout.PnlEval :
TPanel
|
0059330A 8B83DC020000
mov eax, [ebx+$02DC]
* Reference to: controls.TControl.SetText(TControl;System.String);
|
00593310 E8EF42EAFF
call 00437604
00593315 8D45E8
lea eax, [ebp-$18]
00593318
50 push
eax
以下略。。。
从上面的代码可知,剩余天数保存在TDM对象的OFFS_006C字段里,TFrmAbout.FormShow通过全局TDM实例指针($6AF7FC)把它读出来显示在PnlEval上;小于0就跳到0059336C去处理试用期已过的情况。
下面用dede看看TDM的事件函数,找出这个字段是在哪里算出来的:
TDM.DMCreate
005891FC 55
push ebp
005891FD 8BEC
mov ebp, esp
005891FF B933000000
mov ecx, $00000033
00589204 6A00
push $00
00589206 6A00
push $00
00589208 49
dec ecx
00589209
75F9 jnz
00589204
0058920B 53
push ebx
0058920C 56
push esi
0058920D 57
push edi
0058920E 8945F8
mov [ebp-$08], eax ;TDM类对象指针
00589211 33C0
xor eax, eax
00589213 55
push ebp
略去一些无关代码
* Reference to: sysutils.Date:System.TDateTime;
|
0058948E
E85D19E8FF call 0040ADF0
* Reference to: system.@TRUNC;
|
00589493 E82896E7FF
call 00402AC0
00589498
8B55E4 mov
edx, [ebp-$1C]
在dede的Units Info中可以发现,0052FFA0这个地址位于unit RichEditOLE中(该函数的完整反汇编见文末)。这里调用时eax应为上面Trunc(Date)的结果,即当天日期的整数部分;edx来自[ebp-$1C],在略去的代码里赋值。
0058949B E8006BFAFF call
0052FFA0 ;***计算已经使用的天数,用负数表示
* Reference to GlobalVar_006B817C
|
005894A0 A37C816B00
mov dword ptr [$6B817C], eax ;保存已经使用的天数
* Reference to
DM
|
005894A5 8B45F8
mov eax, [ebp-$08]
* Reference to field TDM.OFFS_005D
设置注册标志(TDM.OFFS_005D)。0表示未注册;这是demo版,所以这里固定写0。
文末的dpr代码在启动时检查这个字段:非0时About对话框只作splash screen用;为0时才作nag screen(OK按钮可见,而且剩余天数<0时直接Halt)。
把这条指令写入的值改成1,About对话框就会按splash screen而不是nag screen处理。
|
005894A8 C6405D00
mov byte ptr [eax+$5D], $00
下面是随机触发的反SoftICE代码:
先调用Random(30)得到一个0–29之间的整数,小于20就跳过检测;否则依次调用HasWi95()和HasWiNT()。
任一检测成功就执行005894D7处的 EB FE(跳转到自身)原地死循环,也就是程序假死而不是退出——紧随其后的@Halt0调用实际上永远执行不到。
005894AC B81E000000 mov
eax, $0000001E
* Reference to: system.@RandInt;
|
005894B1
E8D297E7FF call 00402C88
005894B6 83F814
cmp eax, +$14
005894B9 7C23
jl 005894DE
005894BB 33D2
xor edx, edx
* Reference to DM
|
005894BD
8B45F8 mov
eax, [ebp-$08]
* Reference to : TDM.HasWi95()
|
HasWi95()调用CreateFileA打开设备名"\\.\SICE";打开成功应即视为SoftICE已加载,返回al=1
005894C0 E8B3010000
call 00589678
005894C5
84C0 test
al, al
005894C7 750E
jnz 005894D7 ;有就跳
005894C9
33D2 xor
edx, edx
* Reference to DM
|
005894CB 8B45F8
mov eax, [ebp-$08]
* Reference to : TDM.HasWiNT()
HasWiNT()调用CreateFileA打开设备名"\\.\NTICE"(NT版SoftICE),返回约定同上
005894CE E81D020000
call 005896F0
005894D3 84C0
test al, al
005894D5
7407 jz
005894DE
005894D7 EBFE
jmp 005894D7 ;发现有softice就死机
* Reference to: system.@Halt0;
|
005894D9 E822A7E7FF
call 00403C00
005894DE
33C0 xor
eax, eax
005894E0 55
push ebp
005894E1 6878955800
push $00589578
*****
TRY
|
005894E6 64FF30
push dword ptr fs:[eax]
005894E9 648920
mov fs:[eax], esp
取程序的路径和文件名
005894EC
8D85A0FEFFFF lea eax, [ebp+$FFFFFEA0]
005894F2 50
push eax
005894F3 8D9574FEFFFF
lea edx, [ebp+$FFFFFE74]
* Reference
to TApplication instance
|
005894F9 A1A8F76A00
mov eax, dword ptr [$6AF7A8]
005894FE
8B00 mov
eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):System.AnsiString;
|
00589500 E81BD4ECFF
call 00456920
00589505 8B8574FEFFFF
mov eax, [ebp+$FFFFFE74] ;->程序的路径和文件名
将取得的文件的扩展名替换为.dpl
0058950B
8D8D78FEFFFF lea ecx, [ebp+$FFFFFE78]
* Possible String Reference to: '.dpl'
|
00589511 BA70965800
mov edx, $00589670
*
Reference to: sysutils.ChangeFileExt(System.AnsiString;System.AnsiString):System.AnsiString;
|
00589516 E81504E8FF
call 00409930
0058951B 8B8578FEFFFF
mov eax, [ebp+$FFFFFE78] ;->扩展名换后的路径和文件名
用FindFirstFileA查找这个文件;找到的话,把WIN32_FIND_DATA中偏移+$0C处的文件时间(按结构布局应为ftLastAccessTime——待核实)转成本地时间和TDateTime,存到[ebp-$10],供后面的日期比较使用。
我看了看,在我的机器上没有这个文件。这种情况下[ebp-$10]保持函数入口处压0清零得到的0。
* Reference to: system.@LStrToPChar;
|
00589521 E812ADE7FF
call 00404238
00589526
50 push
eax
* Reference to: kernel32.FindFirstFileA()
|
00589527
E84CDAE7FF call 00406F78
0058952C 8BD8
mov ebx, eax
0058952E 83FBFF
cmp ebx, -$01
00589531
743B jz
0058956E
00589533 8D45E8
lea eax, [ebp-$18]
00589536 50
push eax
00589537 8D85ACFEFFFF lea
eax, [ebp+$FFFFFEAC]
0058953D 50
push eax
* Reference
to: kernel32.FileTimeToLocalFileTime()
|
0058953E E825DAE7FF
call 00406F68
00589543
85C0 test
eax, eax
00589545 7421
jz 00589568
00589547 8D45FC
lea eax, [ebp-$04]
0058954A 50
push eax
0058954B 8D45FE
lea eax, [ebp-$02]
0058954E
50 push
eax
0058954F 8D45E8
lea eax, [ebp-$18]
00589552 50
push eax
* Reference to: kernel32.FileTimeToDosDateTime()
|
00589553
E808DAE7FF call 00406F60
00589558 85C0
test eax, eax
0058955A 740C
jz 00589568
0058955C 8B45FC mov
eax, [ebp-$04]
* Reference to: sysutils.FileDateToDateTime(System.Integer):System.TDateTime;
|
0058955F E84009E8FF
call 00409EA4
00589564 DD5DF0
fstp qword ptr [ebp-$10]
00589567
9B wait
00589568 53
push ebx
* Reference to: kernel32.FindClose()
|
00589569 E802DAE7FF call
00406F70
0058956E 33C0
xor eax, eax
00589570 5A
pop edx
00589571 59
pop ecx
00589572 59
pop ecx
00589573
648910 mov
fs:[eax], edx
00589576 EB0A
jmp 00589582
****** EXCEPT
|
00589578 E99F9FE7FF jmp
0040351C
* Reference to: system.@DoneExcept;
|
0058957D
E8F6A2E7FF call 00403878
****** END
|
* Reference to DM
|
00589582
8B45F8 mov
eax, [ebp-$08]
* Reference to field TDM.OFFS_005C
|
00589585
C6405C01 mov byte
ptr [eax+$5C], $01
00589589 A17C816B00
mov eax, dword ptr [$6B817C]
0058958E 83C00E
add eax, +$0E
;14天试用期-已经使用的天数(因为用负数表示)
;得到剩余天数
* Reference to DM
|
00589591 8B55F8
mov edx, [ebp-$08]
* Reference
to field TDM.OFFS_006C
|
00589594 89426C
mov [edx+$6C], eax ;保存剩余天数
再次检测SoftICE。这一次没有调用RandInt,是无条件执行的,而且HasWi95()/HasWiNT()都以dl=1调用;之后还以eax=0、edx=0再调一次0052FFA0并测试返回值的低字节。
三个条件任一成立就把TDM.OFFS_005C置1(005895C9处;上面00589585处已经无条件写过1),否则置0。这个标志后面怎么用,从这段代码里看不出来。
00589597
B201 mov
dl, $01
* Reference to DM
|
00589599 8B45F8
mov eax, [ebp-$08]
* Reference to : TDM.HasWi95()
|
0058959C E8D7000000
call 00589678
005895A1
84C0 test
al, al
005895A3 751F
jnz 005895C4
005895A5 B201
mov dl, $01
* Reference to DM
|
005895A7 8B45F8
mov eax, [ebp-$08]
*
Reference to : TDM.HasWiNT()
|
005895AA E841010000
call 005896F0
005895AF 84C0
test al,
al
005895B1 7511
jnz 005895C4
005895B3 33D2
xor edx, edx
005895B5
33C0 xor
eax, eax
|
005895B7 E8E469FAFF
call 0052FFA0
005895BC 84C0
test al, al
005895BE 7504
jnz 005895C4
005895C0 33C0
xor eax, eax
005895C2
EB02 jmp
005895C6
005895C4 B001
mov al, $01
* Reference to DM
|
005895C6 8B55F8 mov
edx, [ebp-$08]
* Reference to field TDM.OFFS_005C
|
005895C9 88425C mov
[edx+$5C], al ;有softice时,此标志置1
* Reference
to DM
|
005895CC 8B45F8
mov eax, [ebp-$08]
* Reference to field TDM.OFFS_006C
|
005895CF 8B406C
mov eax, [eax+$6C] ;eax=剩余天数
合理性检查:剩余天数必须在0..14之间。大于14或小于0(例如系统时间被往前或往后改过)就直接置为-1,按已过期处理。
005895D2 83F80E
cmp eax, +$0E
005895D5 7F04
jnle 005895DB
005895D7 85C0
test eax, eax
005895D9
7D0A jnl
005895E5
* Reference to DM
|
005895DB 8B45F8
mov eax, [ebp-$08]
* Reference to field TDM.OFFS_006C
|
005895DE C7406CFFFFFFFF
mov dword ptr [eax+$6C], $FFFFFFFF
防改时钟的检查:当前日期Int(Date)不能早于前面从.dpl文件取得的日期(fcompp/sahf/jnb:today >= dplDate 则跳过),否则同样把剩余天数置为-1。
如果.dpl文件不存在,[ebp-$10]为0,这个比较永远不会触发。
* Reference
to: sysutils.Date:System.TDateTime;
|
005895E5 E80618E8FF
call 0040ADF0
* Reference
to: system.@INT;
|
005895EA E88194E7FF
call 00402A70
005895EF DBBD68FEFFFF
fstp tbyte ptr [ebp+$FFFFFE68]
005895F5
9B wait
005895F6 DD45F0 fld
qword ptr [ebp-$10] ;.dpl文件的日期
* Reference
to: system.@INT;
|
005895F9 E87294E7FF
call 00402A70
005895FE DBAD68FEFFFF
fld tbyte ptr [ebp+$FFFFFE68]
00589604
DED9 fcompp
00589606 DFE0
fstsw ax
00589608 9E
sahf
00589609 730A
jnb 00589615
* Reference to DM
|
0058960B 8B45F8
mov eax, [ebp-$08]
* Reference
to field TDM.OFFS_006C
|
0058960E C7406CFFFFFFFF
mov dword ptr [eax+$6C], $FFFFFFFF
00589615
33C0 xor
eax, eax
00589617 5A
pop edx
00589618 59
pop ecx
00589619 59
pop ecx
0058961A 648910
mov fs:[eax], edx
****** FINALLY
|
* (此处dede把函数尾部的机器码 5F 5E 5B 8B E5 5D(pop edi/pop esi/pop ebx/mov esp,ebp/pop ebp)误判成了字符串引用,可忽略)
|
0058961D
683A965800 push $0058963A
00589622 8D8574FEFFFF lea
eax, [ebp+$FFFFFE74]
00589628 BA0B000000
mov edx, $0000000B
* Reference to: system.@LStrArrayClr;
|
0058962D E8CAA7E7FF
call 00403DFC
00589632 C3
ret
00589633 E998A1E7FF
jmp 004037D0
00589638
EBE8 jmp
00589622
****** END
|
0058963A 5F
pop edi
0058963B
5E pop
esi
0058963C 5B
pop ebx
0058963D 8BE5
mov esp, ebp
0058963F 5D
pop ebp
00589640 C3
ret
patch:
1、去除14天使用限制:
将0058949B处的指令:E8006BFAFF call 0052FFA0 改为:xor eax,eax nop nop nop,表示已经使用天数为0
2、使程序启动时About对话框由Nag screen变成splash screen。
将指令005894A8 C6405D00 mov byte ptr [eax+$5D], $00
^^改成01
来看看Dede生成的dpr文件:
begin
{
; Program entry (the .dpr main block as recovered by DeDe).  Only the part up to
; TApplication.Initialize is listed on this page; the rest of the block is not shown.
; Flow: create TDM (whose DMCreate handler, listed above, computes the trial state),
; create TFrmAbout, then use TDM.OFFS_005D / TDM.OFFS_006C to decide whether About
; is a splash screen, a nag screen, or whether to exit because the trial is over.
006A4D90 55 push ebp
006A4D91 8BEC mov ebp, esp
006A4D93 83C4F4 add esp, -$0C
006A4D96 53 push ebx
006A4D97 B870456A00 mov eax, $006A4570
* Reference to: sysinit.@InitExe;
|
006A4D9C E84720D6FF call 00406DE8
* Reference to TApplication instance
|
006A4DA1 8B1DA8F76A00 mov ebx, [$6AF7A8]                 ; ebx = @Application (kept for the whole block)
006A4DA7 8B0B mov ecx, [ebx]
006A4DA9 B201 mov dl, $01
* Reference to class TDM
|
006A4DAB A1BC905800 mov eax, dword ptr [$5890BC]
* Reference to: forms.TCustomForm.Create(TCustomForm;boolean;Classes.TComponent);
| or: forms.TDataModule.Create(TDataModule;boolean;Classes.TComponent);
|
006A4DB0 E83BEADAFF call 004537F0                        ; TDM := TDM.Create(Application)
* Reference to TDM instance
|
006A4DB5 8B15FCF76A00 mov edx, [$6AF7FC]
006A4DBB 8902 mov [edx], eax                             ; store the global TDM instance
006A4DBD 8B0B mov ecx, [ebx]
006A4DBF B201 mov dl, $01
* Reference to class TFrmAbout
|
006A4DC1 A1A82F5900 mov eax, dword ptr [$592FA8]
* Reference to: forms.TCustomForm.Create(TCustomForm;boolean;Classes.TComponent);
| or: forms.TDataModule.Create(TDataModule;boolean;Classes.TComponent);
|
006A4DC6 E8719EDAFF call 0044EC3C                        ; FrmAbout := TFrmAbout.Create(Application)
* Reference to TFrmAbout instance
|
006A4DCB 8B1578F46A00 mov edx, [$6AF478]
006A4DD1 8902 mov [edx], eax                             ; store the global TFrmAbout instance
* Reference to TDM instance
|
006A4DD3 A1FCF76A00 mov eax, dword ptr [$6AF7FC]
006A4DD8 8B00 mov eax, [eax]
* Reference to field TDM.OFFS_005D
| registered-version flag?  DMCreate writes $00 here unconditionally in the demo build
006A4DDA 80785D00 cmp byte ptr [eax+$5D], $00 ;0 = demo build
006A4DDE 7425 jz 006A4E05                                ; demo -> nag-screen path below
; Non-zero flag ("registered"): with enough command-line parameters the About form is
; not shown at all; otherwise it is shown (Show + a virtual call at vtable +$80) with
; its OK button left hidden, so it acts as a splash screen.  The commentary says it
; closes by itself once the main window is up; that part is not visible in this block.
* Reference to: system.ParamCount:Integer;
|
006A4DE0 E85FDBD5FF call 00402944
006A4DE5 48 dec eax
006A4DE6 7F52 jnle 006A4E3A                              ; ParamCount - 1 > 0 (i.e. >= 2 params) -> skip About
                                                         ; NOTE(review): a single parameter still shows the form,
                                                         ; unlike what the commentary claims - verify
* Reference to TFrmAbout instance
|
006A4DE8 A178F46A00 mov eax, dword ptr [$6AF478]
006A4DED 8B00 mov eax, [eax]
* Reference to: forms.TCustomForm.Show(TCustomForm);
|
006A4DEF E8E0DDDAFF call 00452BD4                        ; FrmAbout.Show (modeless)
* Reference to TFrmAbout instance
|
006A4DF4 A178F46A00 mov eax, dword ptr [$6AF478]
006A4DF9 8B00 mov eax, [eax]
006A4DFB 8B10 mov edx, [eax]
* Possible reference to virtual method TFrmAbout.OFFS_0080
|
006A4DFD FF9280000000 call dword ptr [edx+$0080]        ; virtual method at +$80 (not resolved by DeDe)
006A4E03 EB35 jmp 006A4E3A
* Reference to TFrmAbout instance
; Demo build comes here: make the OK button visible, so the user has to click OK
; before the main window appears - the About form is the nag screen.
|
006A4E05 A178F46A00 mov eax, dword ptr [$6AF478]
006A4E0A 8B00 mov eax, [eax]
* Reference to control TFrmAbout.BtnOK : TButton
|
006A4E0C 8B80D4020000 mov eax, [eax+$02D4]
006A4E12 B201 mov dl, $01
* Reference to: controls.TControl.SetVisible(TControl;System.Boolean);
|
006A4E14 E8D326D9FF call 004374EC                        ; BtnOK.Visible := True
* Reference to TFrmAbout instance
|
006A4E19 A178F46A00 mov eax, dword ptr [$6AF478]
006A4E1E 8B00 mov eax, [eax]
006A4E20 8B10 mov edx, [eax]
* Possible reference to virtual method TFrmAbout.OFFS_00D8
|
006A4E22 FF92D8000000 call dword ptr [edx+$00D8]        ; virtual method at +$D8 - presumably ShowModal (blocks until OK), unresolved
* Reference to TDM instance
|
006A4E28 A1FCF76A00 mov eax, dword ptr [$6AF7FC]
006A4E2D 8B00 mov eax, [eax]
* Reference to field TDM.OFFS_006C
|
006A4E2F 83786C00 cmp dword ptr [eax+$6C], +$00         ; remaining trial days (computed in DMCreate)
006A4E33 7D05 jnl 006A4E3A                               ; >= 0 -> continue
* Reference to: system.@Halt0;
|
006A4E35 E8C6EDD5FF call 00403C00                        ; trial expired (or sanity check set it to -1): exit after the nag
; Normal application start-up from here on
006A4E3A 8B03 mov eax, [ebx]
* Reference to: forms.TApplication.Initialize(TApplication);
| or: webbroker.TWebApplication.Initialize(TWebApplication);
|
006A4E3C E87F15DBFF call 004563C0
006A4E41 8B03 mov eax, [ebx]
==========================================================================
再来看看程序是如何得到软件使用天数的吧:
; ---------------------------------------------------------------------------
; sub_0052FFA0 (unit RichEditOLE) - trial-day counter kept in the registry.
; Delphi register convention:
;   eax = today as an integer TDateTime (Trunc(Date) at the DMCreate call site)
;   edx = second argument (DMCreate's [ebp-$1C]; presumably a version number, see below)
;   returns eax = [ebp-0C]
; Reads the default value of HKCR\RichOleLink.TOleLink.1\CLSID, a CLSID-shaped
; string that is really the trial record: characters 26..37 hold (record day + $46)
; in hex, characters 21..24 hold $C000 + a small number.  Nothing here checks the
; record's integrity (no checksum/MAC) - the protection rests on where it is hidden.
; Result: record day - today, i.e. days used as a NEGATIVE number; 0 when the key is
; absent, unparsable, or fails the version check, in which case it is (re)created.
; ---------------------------------------------------------------------------
:0052FFA0 55 push ebp
:0052FFA1 8BEC mov ebp, esp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052FF7C(C)
|
:0052FFA3 B905000000 mov ecx, 00000005
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052FFAD(C)
|
:0052FFA8 6A00 push 00000000                   ; zero 5*8 = 40 bytes of locals ([ebp-28]..[ebp-01])
:0052FFAA 6A00 push 00000000
:0052FFAC 49 dec ecx
:0052FFAD 75F9 jne 0052FFA8
:0052FFAF 51 push ecx
:0052FFB0 53 push ebx
:0052FFB1 56 push esi
:0052FFB2 57 push edi
:0052FFB3 8955FC mov dword ptr [ebp-04], edx   ; arg2 - compared against the 4-digit field below
:0052FFB6 8945F8 mov dword ptr [ebp-08], eax   ; arg1 - today (integer TDateTime)
:0052FFB9 33C0 xor eax, eax
:0052FFBB 55 push ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052FF8D(C)
|
:0052FFBC 6846015300 push 00530146             ; outer try..finally (clears the temp strings)
:0052FFC1 64FF30 push dword ptr fs:[eax]
:0052FFC4 648920 mov dword ptr fs:[eax], esp
:0052FFC7 C745F446000000 mov [ebp-0C], 00000046 ; result := $46 (placeholder; both normal paths overwrite it)
; --- create a TRegistry and point it at HKEY_CLASSES_ROOT ---
:0052FFCE B201 mov dl, 01
:0052FFD0 A1388C4600 mov eax, dword ptr [00468C38] ;TRegistry class
:0052FFD5 E8CA8DF3FF call 00468DA4               ; TRegistry.Create
:0052FFDA 8945F0 mov dword ptr [ebp-10], eax     ; [ebp-10] = TRegistry instance
:0052FFDD 33C0 xor eax, eax
:0052FFDF 55 push ebp
:0052FFE0 681C015300 push 0053011C               ; inner try..finally (frees the TRegistry)
:0052FFE5 64FF30 push dword ptr fs:[eax]
:0052FFE8 648920 mov dword ptr fs:[eax], esp
; RootKey := HKEY_CLASSES_ROOT - the record hides among COM ProgID registrations,
; not under the product's own key
:0052FFEB BA00000080 mov edx, 80000000 ;HKEY_CLASSES_ROOT
:0052FFF0 8B45F0 mov eax, dword ptr [ebp-10]
:0052FFF3 E8888EF3FF call 00468E80              ; TRegistry.RootKey := edx
:0052FFF8 C645EB00 mov [ebp-15], 00             ; keep_record := False (only set True if the version field passes)
; Does HKCR\RichOleLink.TOleLink.1 exist?
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1"
|
:0052FFFC BA60015300 mov edx, 00530160
:00530001 8B45F0 mov eax, dword ptr [ebp-10]
:00530004 E87797F3FF call 00469780              ; TRegistry.KeyExists
:00530009 84C0 test al, al
:0053000B 0F84C4000000 je 005300D5 ;absent -> (re)create path
; Does HKCR\RichOleLink.TOleLink.1\CLSID exist?
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1\CLSID"
|
:00530011 BA80015300 mov edx, 00530180
:00530016 8B45F0 mov eax, dword ptr [ebp-10]
:00530019 E86297F3FF call 00469780              ; TRegistry.KeyExists
:0053001E 84C0 test al, al
:00530020 0F84AF000000 je 005300D5 ;absent -> (re)create path
; OpenKey(HKCR\RichOleLink.TOleLink.1\CLSID, CanCreate := False)
:00530026 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1\CLSID"
|
:00530028 BA80015300 mov edx, 00530180
:0053002D 8B45F0 mov eax, dword ptr [ebp-10]
:00530030 E88F8FF3FF call 00468FC4              ; TRegistry.OpenKey
; Read the key's default value.  It looks like a CLSID but is a fake one
; (not present under HKCR\CLSID) that carries the trial data.
:00530035 8D4DEC lea ecx, dword ptr [ebp-14]
:00530038 33D2 xor edx, edx ;nil name = default value
:0053003A 8B45F0 mov eax, dword ptr [ebp-10]
:0053003D E8DA94F3FF call 0046951C ;TRegistry.ReadString -> [ebp-14]
:00530042 33C0 xor eax, eax
:00530044 55 push ebp
:00530045 68CB005300 push 005300CB             ; try..except around the parsing below
:0053004A 64FF30 push dword ptr fs:[eax]
:0053004D 648920 mov dword ptr fs:[eax], esp
; Copy(value, 26, 12): the last group of the CLSID.  On the author's machine the
; value was
;   {42BFA701-EC57-0000-C130-0000000092DB}
;                            ^^^^^^^^^^^^   -> '0000000092DB'
:00530050 8D45E0 lea eax, dword ptr [ebp-20]
:00530053 50 push eax
:00530054 B90C000000 mov ecx, 0000000C        ; count = 12
:00530059 BA1A000000 mov edx, 0000001A        ; 1-based start index = 26
:0053005E 8B45EC mov eax, dword ptr [ebp-14]
:00530061 E81642EDFF call 0040427C            ; System.Copy
:00530066 8B4DE0 mov ecx, dword ptr [ebp-20] ;-> the 12-char substring
:00530069 8D45E4 lea eax, dword ptr [ebp-1C]
:0053006C BAA8015300 mov edx, 005301A8 ;'$'
:00530071 E84A40EDFF call 004040C0            ; '$' + substring: Delphi's hex-literal prefix
; StrToInt('$0000000092DB') - $46 - today.  In the example $92DB - $46 = 37525,
; which is 2002-09-26 as a TDateTime day number (the date of this write-up), so the
; field is the day the record was written plus $46, and the result is
; (record day - today): the number of days used, negated.
:00530076 8B45E4 mov eax, dword ptr [ebp-1C] ;-> the prefixed string
:00530079 E83E94EDFF call 004094BC ;StrToInt
:0053007E 83E846 sub eax, 00000046
:00530081 2B45F8 sub eax, dword ptr [ebp-08]
:00530084 8945F4 mov dword ptr [ebp-0C], eax ;result: days used, as a negative number
; Copy(value, 21, 4): the fourth group of the CLSID
;   {42BFA701-EC57-0000-C130-0000000092DB}
;                       ^^^^   -> 'C130'
:00530087 8D45D8 lea eax, dword ptr [ebp-28]
:0053008A 50 push eax
:0053008B B904000000 mov ecx, 00000004        ; count = 4
:00530090 BA15000000 mov edx, 00000015        ; 1-based start index = 21
:00530095 8B45EC mov eax, dword ptr [ebp-14] ;the default value read above
:00530098 E8DF41EDFF call 0040427C            ; System.Copy
; Same trick: prefix '$' and convert to an integer
:0053009D 8B4DD8 mov ecx, dword ptr [ebp-28]
:005300A0 8D45DC lea eax, dword ptr [ebp-24]
:005300A3 BAA8015300 mov edx, 005301A8 ;'$'
:005300A8 E81340EDFF call 004040C0
:005300AD 8B45DC mov eax, dword ptr [ebp-24]
:005300B0 E80794EDFF call 004094BC            ; StrToInt
:005300B5 2D00C00000 sub eax, 0000C000        ; $C130 - $C000 = $130 = 304 in the example
:005300BA 3B45FC cmp eax, dword ptr [ebp-04]
:005300BD 0F9D45EB setnl byte ptr [ebp-15] ;keep_record := (field - $C000) >= arg2
; NOTE(review): 304 matches the product version 3.0.4, so this is presumably a version
; stamp compared with the running version (arg2): a record written by an older version
; falls into the reset path below, i.e. a new version restarts the trial - TODO confirm.
:005300C1 33C0 xor eax, eax
:005300C3 5A pop edx
:005300C4 59 pop ecx
:005300C5 59 pop ecx
:005300C6 648910 mov dword ptr fs:[eax], edx
:005300C9 EB0A jmp 005300D5
:005300CB E94C34EDFF jmp 0040351C             ; except handler: a malformed value (StrToInt raises) lands here ...
:005300D0 E8A337EDFF call 00403878            ; ... and falls through to 005300D5 with keep_record still 0
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0053000B(C), :00530020(C), :005300C9(U)
|
; Reset path: reached when the key or subkey is missing (first run), when parsing
; threw, or when the version field compared low.  The key is (re)created with a
; freshly generated value and the day count is reported as 0 - a fresh trial.
:005300D5 807DEB00 cmp byte ptr [ebp-15], 00
:005300D9 752B jne 00530106                   ; keep_record -> done
:005300DB B101 mov cl, 01                     ; CanCreate := True
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1\CLSID"
|
:005300DD BA80015300 mov edx, 00530180
:005300E2 8B45F0 mov eax, dword ptr [ebp-10]
:005300E5 E8DA8EF3FF call 00468FC4              ; TRegistry.OpenKey (create if missing)
:005300EA 55 push ebp
:005300EB 8D45D4 lea eax, dword ptr [ebp-2C]
:005300EE E81DFEFFFF call 0052FF10              ; nested routine (not listed) builds the new value into [ebp-2C],
                                                ; presumably a fresh record in the same CLSID-like format
:005300F3 59 pop ecx
:005300F4 8B4DD4 mov ecx, dword ptr [ebp-2C]
:005300F7 33D2 xor edx, edx                     ; nil name = default value
:005300F9 8B45F0 mov eax, dword ptr [ebp-10]
:005300FC E8EF93F3FF call 004694F0              ; TRegistry.WriteString (presumed from the argument pattern)
:00530101 33C0 xor eax, eax
:00530103 8945F4 mov dword ptr [ebp-0C], eax    ; result := 0 days used
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005300D9(C)
|
:00530106 33C0 xor eax, eax
:00530108 5A pop edx
:00530109 59 pop ecx
:0053010A 59 pop ecx
:0053010B 648910 mov dword ptr fs:[eax], edx
:0053010E 6823015300 push 00530123
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00530121(U)
|
; finally: free the TRegistry
:00530113 8B45F0 mov eax, dword ptr [ebp-10]
:00530116 E8552FEDFF call 00403070            ; presumably TObject.Free
:0053011B C3 ret
:0053011C E9AF36EDFF jmp 004037D0             ; finally-block dispatcher (exception path)
:00530121 EBF0 jmp 00530113
:00530123 33C0 xor eax, eax
:00530125 5A pop edx
:00530126 59 pop ecx
:00530127 59 pop ecx
:00530128 648910 mov dword ptr fs:[eax], edx
:0053012B 684D015300 push 0053014D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053014B(U)
|
; finally: release the temporary strings
:00530130 8D45D4 lea eax, dword ptr [ebp-2C]
:00530133 BA05000000 mov edx, 00000005
:00530138 E8BF3CEDFF call 00403DFC            ; @LStrArrayClr: 5 strings starting at [ebp-2C]
:0053013D 8D45EC lea eax, dword ptr [ebp-14]
:00530140 E8933CEDFF call 00403DD8            ; presumably @LStrClr for the value read from the registry
:00530145 C3 ret
:00530146 E98536EDFF jmp 004037D0             ; finally-block dispatcher (exception path)
:0053014B EBE3 jmp 00530130
:0053014D 8B45F4 mov eax, dword ptr [ebp-0C]  ; return value: negated days used (0 after a reset)
:00530150 5F pop edi
:00530151 5E pop esi
:00530152 5B pop ebx
:00530153 8BE5 mov esp, ebp
:00530155 5D pop ebp
:00530156 C3 ret