IrfanView
ASP加壳
pe-scan脱壳
这个软件的算法好复杂,头都大了,哪位老大帮忙给解释解释了,明码是比较,我想写注册机,可是算法没有分析透……
/Name:dnpf
Code:283481102
* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:013Ah
|
:00455039 8B35C0814C00 mov esi, dword ptr [004C81C0]
0045503F . 68 C0DC4F00 PUSH UNIRFANV.004FDCC0 ; /IniFileName = "E:\PROGRAM FILES\IRFANVIEW\i_view32.ini"
00455044 . 8D5424 4C LEA EDX,DWORD PTR SS:[ESP+4C] ; |
00455048 . 68 00010000 PUSH 100 ; |BufSize = 100 (256.)
0045504D . 52 PUSH EDX ; |ReturnBuffer
0045504E . 68 98204F00 PUSH UNIRFANV.004F2098 ; |Default = ""
00455053 . 68 64814E00 PUSH UNIRFANV.004E8164 ; |Key = "Name"
00455058 . 68 54814E00 PUSH UNIRFANV.004E8154 ; |Section = "Registration"
0045505D . 33DB XOR EBX,EBX ; |
0045505F . FFD6 CALL ESI ; GetPrivateProfileStringA
00455061 . 68 C0DC4F00 PUSH UNIRFANV.004FDCC0 ; /IniFileName = "E:\PROGRAM FILES\IRFANVIEW\i_view32.ini"
00455066 . 8D8424 500100>LEA EAX,DWORD PTR SS:[ESP+150] ; |
0045506D . 68 00010000 PUSH 100 ; |BufSize = 100 (256.)
00455072 . 50 PUSH EAX ; |ReturnBuffer
00455073 . 68 98204F00 PUSH UNIRFANV.004F2098 ; |Default = ""
00455078 . 68 4C814E00 PUSH UNIRFANV.004E814C ; |Key = "Code"
0045507D . 68 54814E00 PUSH UNIRFANV.004E8154 ; |Section = "Registration"
00455082 . FFD6 CALL ESI ; GetPrivateProfileStringA
:00455084 8A442448 mov al, byte ptr [esp+48]
:00455088 84C0 test al, al
:0045508A 746A je 004550F6-------------------------------------->看有没有注册名
:0045508C 8A84244C010000 mov al, byte ptr [esp+0000014C]
:00455093 84C0 test al, al
:00455095 745F je 004550F6-------------------------------------->看有没有注册码
:00455097 8D8C244C010000 lea ecx, dword ptr [esp+0000014C]---------------->注册码
:0045509E 8D542448 lea edx, dword ptr [esp+48]---------------------->注册名
:004550A2 51 push ecx
:004550A3 52 push edx
:004550A4 E81718FEFF call 004368C0------------------------------------->验证是否合法(关键)
:004550A9 83C408 add esp, 00000008
:004550AC 85C0 test eax, eax
:004550AE 7446 je 004550F6--------------------------------------->不合法到下面要求输入
:004550B0 A14C394F00 mov eax, dword ptr [004F394C]
:004550B5 6804010000 push 00000104
:004550BA 6860C84F00 push 004FC860
* Possible Reference to String Resource ID=01237: "IrfanView is already registered !"------------->注册成功后的提示
|
:004550BF 68D5040000 push 000004D5
:004550C4 50 push eax
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:004550C5 FF15A0834C00 Call dword ptr [004C83A0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045567B(U)
|
:004550CB 8B0D88CB4F00 mov ecx, dword ptr [004FCB88]
:004550D1 6840200000 push 00002040
:004550D6 6800DF4F00 push 004FDF00
:004550DB 6860C84F00 push 004FC860
:004550E0 51 push ecx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:004550E1 FF15A4834C00 Call dword ptr [004C83A4]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044F65C(C), :004518BA(C), :00451A86(C), :00453AE7(C), :00453E22(C)
|:004540D7(C)
|
:004550E7 33C0 xor eax, eax
:004550E9 5F pop edi
:004550EA 5E pop esi
:004550EB 5D pop ebp
:004550EC 5B pop ebx
:004550ED 81C4580B0000 add esp, 00000B58
:004550F3 C21000 ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045508A(C), :00455095(C), :004550AE(C)
|
:004550F6 8D94245C050000 lea edx, dword ptr [esp+0000055C]---------------------------->没有注册时到这里
:004550FD 52 push edx----------------------------------------
:004550FE 68606B4300 push 00436B60 |
|
* Reference To: USER32.GetActiveWindow, Ord:00DDh |
|
:00455103 FF1578834C00 Call dword ptr [004C8378] |
:00455109 50 push eax |
:0045510A A1F4E54F00 mov eax, dword ptr [004FE5F4] |
|
* Possible Reference to Dialog: DialogID_0409 |
|
:0045510F 6809040000 push 00000409 |
:00455114 50 push eax |
|
* Reference To: USER32.DialogBoxParamA, Ord:0093h |
| /
:00455115 FF15F4844C00 Call dword ptr [004C84F4]------------------------------------->到这里出输入框
:0045511B 85C0 test eax, eax
:0045511D 0F84AD000000 je 004551D0
:00455123 8DBC245C050000 lea edi, dword ptr [esp+0000055C]
:0045512A 83C9FF or ecx, FFFFFFFF
:0045512D 33C0 xor eax, eax
:0045512F F2 repnz
:00455130 AE scasb
:00455131 F7D1 not ecx
:00455133 49 dec ecx
:00455134 83F902 cmp ecx, 00000002
:00455137 0F825C010000 jb 00455299------------------------------->到错误
:0045513D 8DBC245C050000 lea edi, dword ptr [esp+0000055C]
:00455144 83C9FF or ecx, FFFFFFFF
:00455147 F2 repnz
:00455148 AE scasb
:00455149 F7D1 not ecx
:0045514B 49 dec ecx
:0045514C 83F955 cmp ecx, 00000055
:0045514F 0F8744010000 ja 00455299------------------------------->到错误
:00455155 8DBC245C060000 lea edi, dword ptr [esp+0000065C]
:0045515C 83C9FF or ecx, FFFFFFFF
:0045515F 33D2 xor edx, edx
:00455161 F2 repnz
:00455162 AE scasb
:00455163 F7D1 not ecx
:00455165 49 dec ecx
:00455166 85C9 test ecx, ecx
:00455168 7E75 jle 004551DF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455192(C)
|
:0045516A 8A84145C060000 mov al, byte ptr [esp+edx+0000065C]
:00455171 3C30 cmp al, 30
:00455173 7C04 jl 00455179
:00455175 3C39 cmp al, 39
:00455177 7E05 jle 0045517E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455173(C)
|
* Possible Ref to Menu: IRFANVIEW, Item: "Import palette"
|
:00455179 BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455177(C)
|
:0045517E 8DBC245C060000 lea edi, dword ptr [esp+0000065C]
:00455185 83C9FF or ecx, FFFFFFFF
:00455188 33C0 xor eax, eax
:0045518A 42 inc edx
:0045518B F2 repnz
:0045518C AE scasb
:0045518D F7D1 not ecx
:0045518F 49 dec ecx
:00455190 3BD1 cmp edx, ecx
:00455192 7CD6 jl 0045516A
:00455194 85DB test ebx, ebx
:00455196 7447 je 004551DF-------------------------------------------->不跳则到到错误
:00455198 8B0D4C394F00 mov ecx, dword ptr [004F394C]
:0045519E 6804010000 push 00000104
:004551A3 6860C84F00 push 004FC860
* Possible Reference to String Resource ID=01238: "Incorrect registration !"------------->错误
|
:004551A8 68D6040000 push 000004D6
:004551AD 51 push ecx
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:004551AE FF15A0834C00 Call dword ptr [004C83A0]
:004551B4 8B1588CB4F00 mov edx, dword ptr [004FCB88]
:004551BA 6830200000 push 00002030
:004551BF 6800DF4F00 push 004FDF00
:004551C4 6860C84F00 push 004FC860
:004551C9 52 push edx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045522C(U), :00455294(U)
|
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:004551CA FF15A4834C00 Call dword ptr [004C83A4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045511D(C)
|
:004551D0 33C0 xor eax, eax
:004551D2 5F pop edi
:004551D3 5E pop esi
:004551D4 5D pop ebp
:004551D5 5B pop ebx
:004551D6 81C4580B0000 add esp, 00000B58
:004551DC C21000 ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00455168(C), :00455196(C)
|
:004551DF 8D84245C060000 lea eax, dword ptr [esp+0000065C]
:004551E6 8D8C245C050000 lea ecx, dword ptr [esp+0000055C]
:004551ED 50 push eax
:004551EE 51 push ecx
:004551EF E8CC16FEFF call 004368C0------------------------------------------>关键
:004551F4 83C408 add esp, 00000008
:004551F7 85C0 test eax, eax
:004551F9 7533 jne 0045522E------------------------------------------->关键跳!!!
:004551FB 8B154C394F00 mov edx, dword ptr [004F394C]
:00455201 6804010000 push 00000104
:00455206 6860C84F00 push 004FC860
* Possible Reference to String Resource ID=01238: "Incorrect registration !"------------->错误
|
:0045520B 68D6040000 push 000004D6
:00455210 52 push edx
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:00455211 FF15A0834C00 Call dword ptr [004C83A0]
:00455217 A188CB4F00 mov eax, dword ptr [004FCB88]
:0045521C 6830200000 push 00002030
:00455221 6800DF4F00 push 004FDF00
:00455226 6860C84F00 push 004FC860
:0045522B 50 push eax
:0045522C EB9C jmp 004551CA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004551F9(C)
|
* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:02E5h
|
:0045522E 8B35C8814C00 mov esi, dword ptr [004C81C8]
:00455234 8D8C245C050000 lea ecx, dword ptr [esp+0000055C]
:0045523B 68C0DC4F00 push 004FDCC0
:00455240 51 push ecx
:00455241 6864814E00 push 004E8164
:00455246 6854814E00 push 004E8154
:0045524B FFD6 call esi
:0045524D 8D94245C060000 lea edx, dword ptr [esp+0000065C]
:00455254 68C0DC4F00 push 004FDCC0
:00455259 52 push edx
:0045525A 684C814E00 push 004E814C
:0045525F 6854814E00 push 004E8154
:00455264 FFD6 call esi
:00455266 A14C394F00 mov eax, dword ptr [004F394C]
:0045526B 6804010000 push 00000104
:00455270 6860C84F00 push 004FC860
* Possible Reference to String Resource ID=01239: "Registration successful !------------->注册成功
Thanks."
|
:00455275 68D7040000 push 000004D7
:0045527A 50 push eax
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:0045527B FF15A0834C00 Call dword ptr [004C83A0]
:00455281 8B0D88CB4F00 mov ecx, dword ptr [004FCB88]
:00455287 6A40 push 00000040
:00455289 6800DF4F00 push 004FDF00
:0045528E 6860C84F00 push 004FC860
:00455293 51 push ecx
:00455294 E931FFFFFF jmp 004551CA
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00455137(C), :0045514F(C)
|
:00455299 8B154C394F00 mov edx, dword ptr [004F394C]
:0045529F 6804010000 push 00000104
:004552A4 6860C84F00 push 004FC860
* Possible Reference to String Resource ID=01238: "Incorrect registration !"------------->错误
|
:004552A9 68D6040000 push 000004D6
:004552AE 52 push edx
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:004552AF FF15A0834C00 Call dword ptr [004C83A0]
:004552B5 A188CB4F00 mov eax, dword ptr [004FCB88]
:004552BA 6830200000 push 00002030
:004552BF 6800DF4F00 push 004FDF00
:004552C4 6860C84F00 push 004FC860
:004552C9 50 push eax
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:004552CA FF15A4834C00 Call dword ptr [004C83A4]
:004552D0 33C0 xor eax, eax
:004552D2 5F pop edi
:004552D3 5E pop esi
:004552D4 5D pop ebp
:004552D5 5B pop ebx
:004552D6 81C4580B0000 add esp, 00000B58
:004552DC C21000 ret 0010
*********************************************************************
*********************************************************************
*********************************************************************
OD跟踪生成注册码的过程
004368C0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]---------------------->注册码
004368C4 |. 83EC 14 SUB ESP,14
004368C7 |. 53 PUSH EBX
004368C8 |. 55 PUSH EBP
004368C9 |. 56 PUSH ESI
004368CA |. 57 PUSH EDI
004368CB |. 50 PUSH EAX
004368CC |. 33DB XOR EBX,EBX
004368CE |. E8 2AFF0700 CALL UNIRFANV.004B67FD-------------------------->转化注册码为16进制,存于EAX
004368D3 |. 8B7424 2C MOV ESI,DWORD PTR SS:[ESP+2C]------------------->注册名(字符)
004368D7 |. 8BE8 MOV EBP,EAX
004368D9 |. 8BFE MOV EDI,ESI
004368DB |. 83C9 FF OR ECX,FFFFFFFF-----------------------------------
004368DE |. 33C0 XOR EAX,EAX |
004368E0 |. 83C4 04 ADD ESP,4 |
004368E3 |. 33D2 XOR EDX,EDX |测注册名的长度
004368E5 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] |
004368E7 |. F7D1 NOT ECX |
004368E9 |. 49 DEC ECX-------------------------------------------/
004368EA |. 85C9 TEST ECX,ECX
004368EC |. 7E 17 JLE SHORT UNIRFANV.00436905----------------------->没有注册名时跳
004368EE |> 0FBE0C32 /MOVSX ECX,BYTE PTR DS:[EDX+ESI]------------------>注册名的ASCII值
004368F2 |. 03D9 |ADD EBX,ECX-------------------------------------->总和存于EBX=000001A8(h)
004368F4 |. 8BFE |MOV EDI,ESI
004368F6 |. 83C9 FF |OR ECX,FFFFFFFF
004368F9 |. 33C0 |XOR EAX,EAX
004368FB |. 42 |INC EDX
004368FC |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI]
004368FE |. F7D1 |NOT ECX
00436900 |. 49 |DEC ECX
00436901 |. 3BD1 |CMP EDX,ECX
00436903 |.^ 7C E9 JL SHORT UNIRFANV.004368EE
00436905 |> B8 04010000 MOV EAX,104------------------------------------>EAX=104
0043690A |. 6A 0A PUSH 0A ; /Arg3 = 0000000A
0043690C |. 2BC3 SUB EAX,EBX ; |------>EAX=104(H)-总和
0043690E |. 99 CDQ ; |------>EDX做符号扩展
0043690F |. 33C2 XOR EAX,EDX ; |------>异或运算
00436911 |. 2BC2 SUB EAX,EDX ; |------>EAX=EAX-EDX
00436913 |. 05 4C010000 ADD EAX,14C ; |------>EAX=EAX+14C
00436918 |. 8D14C5 000000>LEA EDX,DWORD PTR DS:[EAX*8] ; |------>EDX=EAX*8
0043691F |. 2BD0 SUB EDX,EAX ; |------>EDX=EDX-EAX
00436921 |. 8D0C90 LEA ECX,DWORD PTR DS:[EAX+EDX*4] ; |------>ECX=EAX*29(10进制)(上面的运算有必要??)
00436924 |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14] ; |
00436928 |. 52 PUSH EDX ; |Arg2----------------->0076EB6C(存放下面的数字串)
00436929 |. 8D3448 LEA ESI,DWORD PTR DS:[EAX+ECX*2] ; |------>ESI=EAX*59(10进制)
0043692C |. C1E6 03 SHL ESI,3 ; |------>ESI=ESI*8
0043692F |. 56 PUSH ESI ; |Arg1----------------->00039280
00436930 |. E8 51B00800 CALL UNIRFANV.004C1986 ; UNIRFANV.004C1986---->将Arg1转换为10进制数
00436935 |. 83C4 0C ADD ESP,0C
00436938 |. 81FE 3F420F00 CMP ESI,0F423F------------------------------->ESI和999999比较
0043693E |. 0F87 EF000000 JA UNIRFANV.00436A33------------------------->大于则出错
00436944 |. 8A4C24 14 MOV CL,BYTE PTR SS:[ESP+14]------------------>CL=数字串第5位------------->234112
00436948 |. 8A4424 15 MOV AL,BYTE PTR SS:[ESP+15]------------------>AL=数字串第6位
0043694C |. 8A5424 13 MOV DL,BYTE PTR SS:[ESP+13]------------------>DL=数字串第4位
00436950 |. 884C24 16 MOV BYTE PTR SS:[ESP+16],CL------------------>数字串第5位追加到第7位--->234112 1
00436954 |. 8A4C24 11 MOV CL,BYTE PTR SS:[ESP+11]------------------>数字串的第2位
00436958 |. 884424 18 MOV BYTE PTR SS:[ESP+18],AL------------------>数字串第6位追加到第9位--->234112 1 2
0043695C |. 8A4424 12 MOV AL,BYTE PTR SS:[ESP+12]------------------>数字串的第3位
00436960 |. 885424 15 MOV BYTE PTR SS:[ESP+15],DL------------------>数字串第6位用第4位替换--->234111 1 2
00436964 |. 884C24 12 MOV BYTE PTR SS:[ESP+12],CL------------------>数字串第3位用第2位替换--->233111 1 2
00436968 |. 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]----------------
0043696C |. 81E1 FF000000 AND ECX,0FF----------------------------------/取数字串的第5位
00436972 |. 884424 13 MOV BYTE PTR SS:[ESP+13],AL----------------->用原数字串的第3位替换第4位-->233411 1 2
00436976 |. 8BC1 MOV EAX,ECX
00436978 |. C1E0 05 SHL EAX,5------------------------------------>原第五位左移5位(1*32)
0043697B |. 2BC1 SUB EAX,ECX---------------------------------->减去自身(相当于1*32-1)
0043697D |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]----------------
00436981 |. 81E1 FF000000 AND ECX,0FF----------------------------------/取数字串的第9位
00436987 |. 8D1440 LEA EDX,DWORD PTR DS:[EAX+EAX*2]------------->EAX=EAX*3(原第五位*32-自身)\作为高位
0043698A |. 8D0489 LEA EAX,DWORD PTR DS:[ECX+ECX*4]------------->EAX=ECX*5(第九位) \作为低位
0043698D |. C1E0 03 SHL EAX,3------------------------------------>低位*8
00436990 |. 2BC1 SUB EAX,ECX---------------------------------->
00436992 |. 2BC2 SUB EAX,EDX
00436994 |. 99 CDQ
00436995 |. 8BC8 MOV ECX,EAX
00436997 |. 33CA XOR ECX,EDX
00436999 |. 2BCA SUB ECX,EDX
0043699B |. 8D0489 LEA EAX,DWORD PTR DS:[ECX+ECX*4]
0043699E |. C1E0 03 SHL EAX,3
004369A1 |. 2BC1 SUB EAX,ECX
004369A3 |. B9 09000000 MOV ECX,9
004369A8 |. 99 CDQ
004369A9 |. F7F9 IDIV ECX
004369AB |. 8B4424 13 MOV EAX,DWORD PTR SS:[ESP+13]
004369AF |. 25 FF000000 AND EAX,0FF
004369B4 |. 80C2 30 ADD DL,30
004369B7 |. 885424 17 MOV BYTE PTR SS:[ESP+17],DL
004369BB |. 8D1440 LEA EDX,DWORD PTR DS:[EAX+EAX*2]
004369BE |. C1E2 04 SHL EDX,4
004369C1 |. 2BD0 SUB EDX,EAX
004369C3 |. 8B4424 15 MOV EAX,DWORD PTR SS:[ESP+15]
004369C7 |. 25 FF000000 AND EAX,0FF
004369CC |. 8D0CC0 LEA ECX,DWORD PTR DS:[EAX+EAX*8]
004369CF |. 8D0488 LEA EAX,DWORD PTR DS:[EAX+ECX*4]
004369D2 |. 8D0442 LEA EAX,DWORD PTR DS:[EDX+EAX*2]
004369D5 |. 99 CDQ
004369D6 |. 33C2 XOR EAX,EDX
004369D8 |. 2BC2 SUB EAX,EDX
004369DA |. 8D0CC0 LEA ECX,DWORD PTR DS:[EAX+EAX*8]
004369DD |. 8D0488 LEA EAX,DWORD PTR DS:[EAX+ECX*4]
004369E0 |. B9 09000000 MOV ECX,9
004369E5 |. D1E0 SHL EAX,1
004369E7 |. 99 CDQ
004369E8 |. F7F9 IDIV ECX
004369EA |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
004369EE |. 81E1 FF000000 AND ECX,0FF
004369F4 |. 8D0449 LEA EAX,DWORD PTR DS:[ECX+ECX*2]
004369F7 |. 8D04C0 LEA EAX,DWORD PTR DS:[EAX+EAX*8]
004369FA |. D1E0 SHL EAX,1
004369FC |. 2BC1 SUB EAX,ECX
004369FE |. 80C2 30 ADD DL,30
00436A01 |. 885424 14 MOV BYTE PTR SS:[ESP+14],DL
00436A05 |. 8B4C24 11 MOV ECX,DWORD PTR SS:[ESP+11]
00436A09 |. 81E1 FF000000 AND ECX,0FF
00436A0F |. 8D14CD 000000>LEA EDX,DWORD PTR DS:[ECX*8]
00436A16 |. 2BD1 SUB EDX,ECX
00436A18 |. 8D1492 LEA EDX,DWORD PTR DS:[EDX+EDX*4]
00436A1B |. 2BC2 SUB EAX,EDX
00436A1D |. 99 CDQ
00436A1E |. 8BC8 MOV ECX,EAX
00436A20 |. 33CA XOR ECX,EDX
00436A22 |. 2BCA SUB ECX,EDX
00436A24 |. 8D0449 LEA EAX,DWORD PTR DS:[ECX+ECX*2]
00436A27 |. 8D04C0 LEA EAX,DWORD PTR DS:[EAX+EAX*8]
00436A2A |. D1E0 SHL EAX,1
00436A2C |. 2BC1 SUB EAX,ECX
00436A2E |. E9 F5000000 JMP UNIRFANV.00436B28
00436A33 |> 8A4424 15 MOV AL,BYTE PTR SS:[ESP+15]
00436A37 |. 8A5424 16 MOV DL,BYTE PTR SS:[ESP+16]
00436A3B |. 8A4C24 14 MOV CL,BYTE PTR SS:[ESP+14]
00436A3F |. 884424 16 MOV BYTE PTR SS:[ESP+16],AL
00436A43 |. 8A4424 11 MOV AL,BYTE PTR SS:[ESP+11]
00436A47 |. 885424 18 MOV BYTE PTR SS:[ESP+18],DL
00436A4B |. 8A5424 12 MOV DL,BYTE PTR SS:[ESP+12]
00436A4F |. 884424 12 MOV BYTE PTR SS:[ESP+12],AL
00436A53 |. 8B4424 16 MOV EAX,DWORD PTR SS:[ESP+16]
00436A57 |. 884C24 15 MOV BYTE PTR SS:[ESP+15],CL
00436A5B |. 25 FF000000 AND EAX,0FF
00436A60 |. 885424 13 MOV BYTE PTR SS:[ESP+13],DL
00436A64 |. 8BC8 MOV ECX,EAX
00436A66 |. C1E1 06 SHL ECX,6
00436A69 |. 2BC8 SUB ECX,EAX
00436A6B |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
00436A6F |. 25 FF000000 AND EAX,0FF
00436A74 |. 8D04C0 LEA EAX,DWORD PTR DS:[EAX+EAX*8]
00436A77 |. C1E0 02 SHL EAX,2
00436A7A |. 2BC1 SUB EAX,ECX
00436A7C |. B9 09000000 MOV ECX,9
00436A81 |. 99 CDQ
00436A82 |. 33C2 XOR EAX,EDX
00436A84 |. 2BC2 SUB EAX,EDX
00436A86 |. 8D04C0 LEA EAX,DWORD PTR DS:[EAX+EAX*8]
00436A89 |. C1E0 02 SHL EAX,2
00436A8C |. 99 CDQ
00436A8D |. F7F9 IDIV ECX
00436A8F |. 80C2 30 ADD DL,30
00436A92 |. 885424 17 MOV BYTE PTR SS:[ESP+17],DL
00436A96 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00436A9A |. 25 FF000000 AND EAX,0FF
00436A9F |. 83C0 20 ADD EAX,20
00436AA2 |. 8D14C5 000000>LEA EDX,DWORD PTR DS:[EAX*8]
00436AA9 |. 2BD0 SUB EDX,EAX
00436AAB |. 8D0490 LEA EAX,DWORD PTR DS:[EAX+EDX*4]
00436AAE |. 8D0C40 LEA ECX,DWORD PTR DS:[EAX+EAX*2]
00436AB1 |. 8B4424 13 MOV EAX,DWORD PTR SS:[ESP+13]
00436AB5 |. 25 FF000000 AND EAX,0FF
00436ABA |. 8D1480 LEA EDX,DWORD PTR DS:[EAX+EAX*4]
00436ABD |. C1E2 03 SHL EDX,3
00436AC0 |. 2BD0 SUB EDX,EAX
00436AC2 |. 8D0451 LEA EAX,DWORD PTR DS:[ECX+EDX*2]
00436AC5 |. 99 CDQ
00436AC6 |. 33C2 XOR EAX,EDX
00436AC8 |. 2BC2 SUB EAX,EDX
00436ACA |. 8D0CC5 000000>LEA ECX,DWORD PTR DS:[EAX*8]
00436AD1 |. 2BC8 SUB ECX,EAX
00436AD3 |. 8D0488 LEA EAX,DWORD PTR DS:[EAX+ECX*4]
00436AD6 |. B9 09000000 MOV ECX,9
00436ADB |. 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00436ADE |. 99 CDQ
00436ADF |. F7F9 IDIV ECX
00436AE1 |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
00436AE5 |. 25 FF000000 AND EAX,0FF
00436AEA |. 80C2 30 ADD DL,30
00436AED |. 885424 14 MOV BYTE PTR SS:[ESP+14],DL
00436AF1 |. 8D14C5 000000>LEA EDX,DWORD PTR DS:[EAX*8]
00436AF8 |. 2BD0 SUB EDX,EAX
00436AFA |. 8D0490 LEA EAX,DWORD PTR DS:[EAX+EDX*4]
00436AFD |. 8B5424 11 MOV EDX,DWORD PTR SS:[ESP+11]
00436B01 |. 81E2 FF000000 AND EDX,0FF
00436B07 |. 8BCA MOV ECX,EDX
00436B09 |. C1E1 04 SHL ECX,4
00436B0C |. 03CA ADD ECX,EDX
00436B0E |. D1E0 SHL EAX,1
00436B10 |. 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
00436B13 |. 2BC1 SUB EAX,ECX
00436B15 |. 99 CDQ
00436B16 |. 33C2 XOR EAX,EDX
00436B18 |. 2BC2 SUB EAX,EDX
00436B1A |. 8D14C5 000000>LEA EDX,DWORD PTR DS:[EAX*8]
00436B21 |. 2BD0 SUB EDX,EAX
00436B23 |. 8D0490 LEA EAX,DWORD PTR DS:[EAX+EDX*4]
00436B26 |. D1E0 SHL EAX,1
00436B28 |> 99 CDQ
00436B29 |. B9 09000000 MOV ECX,9
00436B2E |. C64424 19 00 MOV BYTE PTR SS:[ESP+19],0
00436B33 |. F7F9 IDIV ECX
00436B35 |. 80C2 30 ADD DL,30
00436B38 |. 885424 11 MOV BYTE PTR SS:[ESP+11],DL
00436B3C |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
00436B40 |. 52 PUSH EDX
00436B41 |. E8 B7FC0700 CALL UNIRFANV.004B67FD
00436B46 |. 83C4 04 ADD ESP,4
00436B49 |. 33C9 XOR ECX,ECX
00436B4B |. 3BE8 CMP EBP,EAX------------------------------->真假注册码比较(16进制)
00436B4D |. 5F POP EDI
00436B4E |. 5E POP ESI
00436B4F |. 0F94C1 SETE CL
00436B52 |. 5D POP EBP
00436B53 |. 8BC1 MOV EAX,ECX
00436B55 |. 5B POP EBX
00436B56 |. 83C4 14 ADD ESP,14
00436B59 . C3 RETN
***********************************************************************
***********************************************************************
004C1986
004C1986 /$ 55 PUSH EBP----------------------------------->注册码的16进制数
004C1987 |. 8BEC MOV EBP,ESP
004C1989 |. 33C0 XOR EAX,EAX
004C198B |. 837D 10 0A CMP DWORD PTR SS:[EBP+10],0A
004C198F |. 75 08 JNZ SHORT UNIRFANV.004C1999------------>NO
004C1991 |. 3945 08 CMP DWORD PTR SS:[EBP+8],EAX
004C1994 |. 7D 03 JGE SHORT UNIRFANV.004C1999------------>JMP
004C1996 |. 6A 01 PUSH 1
004C1998 |. 58 POP EAX
004C1999 |> 50 PUSH EAX ; /Arg4-------->00000000
004C199A |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Arg3-------->0000000A(转换后的进制)
004C199D |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Arg2-------->0076EB6C(转换后存放的地址)
004C19A0 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Arg1-------->00039280(要转换的16进制数)
004C19A3 |. E8 82FFFFFF CALL UNIRFANV.004C192A ; UNIRFANV.004C192A--------------->产生数字串
004C19A8 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004C19AB |. 83C4 10 ADD ESP,10
004C19AE |. 5D POP EBP
004C19AF . C3 RETN
***********************************************************************
***********************************************************************
004C192A----------> 将39280(H)转化为10进制存放
004C192A /$ 55 PUSH EBP
004C192B |. 8BEC MOV EBP,ESP
004C192D |. 837D 14 00 CMP DWORD PTR SS:[EBP+14],0
004C1931 |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
004C1934 |. 53 PUSH EBX
004C1935 |. 56 PUSH ESI
004C1936 |. 57 PUSH EDI
004C1937 |. 74 0B JE SHORT UNIRFANV.004C1944------------>JMP
004C1939 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004C193C |. C601 2D MOV BYTE PTR DS:[ECX],2D
004C193F |. 41 INC ECX
004C1940 |. F7DE NEG ESI
004C1942 |. EB 03 JMP SHORT UNIRFANV.004C1947
004C1944 |> 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]---------->00039280(H)---234112
004C1947 |> 8BF9 MOV EDI,ECX--------------------------->0076EB6C
004C1949 |> 8BC6 /MOV EAX,ESI-------------------------->00039280(H)
004C194B |. 33D2 |XOR EDX,EDX
004C194D |. F775 10 |DIV DWORD PTR SS:[EBP+10]------------>39280/A
004C1950 |. 8BC6 |MOV EAX,ESI
004C1952 |. 8BDA |MOV EBX,EDX-------------------------->余数
004C1954 |. 33D2 |XOR EDX,EDX
004C1956 |. F775 10 |DIV DWORD PTR SS:[EBP+10]
004C1959 |. 83FB 09 |CMP EBX,9---------------------------->余数与9比较
004C195C |. 8BF0 |MOV ESI,EAX
004C195E |. 76 05 |JBE SHORT UNIRFANV.004C1965---------->小于等于9则跳
004C1960 |. 80C3 57 |ADD BL,57
004C1963 |. EB 03 |JMP SHORT UNIRFANV.004C1968
004C1965 |> 80C3 30 |ADD BL,30
004C1968 |> 8819 |MOV BYTE PTR DS:[ECX],BL
004C196A |. 41 |INC ECX
004C196B |. 85F6 |TEST ESI,ESI------------------------>测试商是否为零
004C196D |.^ 77 DA JA SHORT UNIRFANV.004C1949---------->不为零则继续转化
004C196F |. 8021 00 AND BYTE PTR DS:[ECX],0
004C1972 |. 49 DEC ECX
004C1973 |> 8A17 MOV DL,BYTE PTR DS:[EDI]
004C1975 |. 8A01 MOV AL,BYTE PTR DS:[ECX]
004C1977 |. 8811 MOV BYTE PTR DS:[ECX],DL
004C1979 |. 8807 MOV BYTE PTR DS:[EDI],AL
004C197B |. 49 DEC ECX
004C197C |. 47 INC EDI
004C197D |. 3BF9 CMP EDI,ECX
004C197F |.^ 72 F2 JB SHORT UNIRFANV.004C1973
004C1981 |. 5F POP EDI
004C1982 |. 5E POP ESI
004C1983 |. 5B POP EBX
004C1984 |. 5D POP EBP
004C1985 . C3 RETN