宏远短信群发软件(个人版)注册分析
宏远短信群发系统个人版
http://www.itmacro.com/down.htm
注册号:038400B0
端口数:2
:0040A6F9 E886AE0500 call 00465584
:0040A6FE 8D55E8 lea edx, dword ptr [ebp-18]----读取输入的端口数--2
:0040A701 33C9 xor ecx, ecx
:0040A703 894DE4 mov dword ptr [ebp-1C], ecx
:0040A706 8D4DE4 lea ecx, dword ptr [ebp-1C]
:0040A709 FF431C inc [ebx+1C]
:0040A70C A1E07E4E00 mov eax, dword ptr [004E7EE0]
:0040A711 8B00 mov eax, dword ptr [eax]
:0040A713 05700A0000 add eax, 00000A70------------使eax指向注册号
:0040A718 E83BB70A00 call 004B5E58---------------依次连接注册号和端口数
:0040A71D 8D55E4 lea edx, dword ptr [ebp-1C] 结果为038400B02
:0040A720 8D45F8 lea eax, dword ptr [ebp-08]
:0040A723 E81CB70A00 call 004B5E44
:0040A728 FF4B1C dec [ebx+1C]
:0040A72B 8D45E4 lea eax, dword ptr [ebp-1C]
:0040A72E BA02000000 mov edx, 00000002
:0040A733 E8DCB60A00 call 004B5E14
:0040A738 FF4B1C dec [ebx+1C]
:0040A73B 8D45E8 lea eax, dword ptr [ebp-18]
:0040A73E BA02000000 mov edx, 00000002
:0040A743 E8CCB60A00 call 004B5E14
:0040A748 6880000000 push 00000080
:0040A74D 6A00 push 00000000
:0040A74F 8D8DACFEFFFF lea ecx, dword ptr [ebp+FFFFFEAC]
:0040A755 51 push ecx
:0040A756 E84DCE0900 call 004A75A8
:0040A75B 83C40C add esp, 0000000C
:0040A75E 837DF800 cmp dword ptr [ebp-08], 00000000--------连接的结果是否为空?
:0040A762 7408 je 0040A76C
:0040A764 8B45F8 mov eax, dword ptr [ebp-08]
:0040A767 8B50FC mov edx, dword ptr [eax-04]
:0040A76A EB02 jmp 0040A76E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A762(C)
|
:0040A76C 33D2 xor edx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A76A(U)
|
:0040A76E 52 push edx
:0040A76F 837DF800 cmp dword ptr [ebp-08], 00000000--------连接的结果是否为空?
:0040A773 7405 je 0040A77A
:0040A775 8B45F8 mov eax, dword ptr [ebp-08]
:0040A778 EB05 jmp 0040A77F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A773(C)
|
:0040A77A B8CB044D00 mov eax, 004D04CB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A778(U)
|
:0040A77F 50 push eax -----eax指向038400B02
:0040A780 8D95ACFEFFFF lea edx, dword ptr [ebp+FFFFFEAC]
:0040A786 52 push edx
:0040A787 E87C8F0100 call 00423708 -------关键!
:0040A78C 66C743103800 mov [ebx+10], 0038
:0040A792 33C9 xor ecx, ecx
:0040A794 894DF4 mov dword ptr [ebp-0C], ecx
:0040A797 8D55F4 lea edx, dword ptr [ebp-0C]
:0040A79A FF431C inc [ebx+1C]
:0040A79D 8B86E0020000 mov eax, dword ptr [esi+000002E0]
:0040A7A3 E8DCAD0500 call 00465584
:0040A7A8 66C743101400 mov [ebx+10], 0014
:0040A7AE 66C743104400 mov [ebx+10], 0044
:0040A7B4 33C9 xor ecx, ecx
. . . . . .
. . . . . .
:0040A9C6 E885B20A00 call 004B5C50
:0040A9CB 8BD0 mov edx, eax-------------指向正确的注册码
:0040A9CD FF431C inc [ebx+1C]
:0040A9D0 8D45F4 lea eax, dword ptr [ebp-0C]---指向输入的注册码
:0040A9D3 E824B50A00 call 004B5EFC ---比较
:0040A9D8 50 push eax ----压入比较结果标志位(相同为"0"
:0040A9D9 FF4B1C dec [ebx+1C] 不相等则为"1")
:0040A9DC 8D45B4 lea eax, dword ptr [ebp-4C]
:0040A9DF BA02000000 mov edx, 00000002
:0040A9E4 E82BB40A00 call 004B5E14
:0040A9E9 59 pop ecx ----弹出标志位
:0040A9EA 84C9 test cl, cl ----测试标志位
:0040A9EC 7456 je 0040AA44 ----为"0"正确则跳
:0040A9EE 8B45F0 mov eax, dword ptr [ebp-10]
:0040A9F1 E8EE570500 call 004601E4
* Referenced by a CALL at Addresses:
|:00408143 , :0040A787 , :0040C767 , :0040D4CD , :0041653C
|:0041730B , :0041BA16
|
:00423708 55 push ebp
:00423709 8BEC mov ebp, esp
:0042370B 81C400FEFFFF add esp, FFFFFE00
:00423711 53 push ebx
:00423712 56 push esi
:00423713 57 push edi
:00423714 8B7510 mov esi, dword ptr [ebp+10]
:00423717 6880000000 push 00000080
:0042371C 6A00 push 00000000
:0042371E 8D4580 lea eax, dword ptr [ebp-80]
:00423721 50 push eax
:00423722 E8813E0800 call 004A75A8
:00423727 83C40C add esp, 0000000C
:0042372A 8D9500FFFFFF lea edx, dword ptr [ebp+FFFFFF00]
:00423730 6880000000 push 00000080
:00423735 6A00 push 00000000
:00423737 52 push edx
:00423738 E86B3E0800 call 004A75A8
:0042373D 83C40C add esp, 0000000C
:00423740 33C0 xor eax, eax
:00423742 8D8D00FFFFFF lea ecx, dword ptr [ebp+FFFFFF00]
:00423748 8B550C mov edx, dword ptr [ebp+0C]
:0042374B 3BF0 cmp esi, eax
:0042374D 760B jbe 0042375A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423758(C)
|
:0042374F 8A1A mov bl, byte ptr [edx]--------------edx指向038400B02
:00423751 8819 mov byte ptr [ecx], bl
:00423753 40 inc eax
:00423754 41 inc ecx "038400B02"依次移入ecx所指的缓冲区
:00423755 42 inc edx
:00423756 3BF0 cmp esi, eax
:00423758 77F5 ja 0042374F-------------------------取完了吗?
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042374D(C)
|
:0042375A C6840500FFFFFF66 mov byte ptr [ebp+eax-00000100], 66-------------------
:00423762 40 inc eax
:00423763 8D5580 lea edx, dword ptr [ebp-80]
:00423766 C6840500FFFFFF22 mov byte ptr [ebp+eax-00000100], 22
:0042376E 40 inc eax
:0042376F C6840500FFFFFF7A mov byte ptr [ebp+eax-00000100], 7A 在038400B02后面依次连接
:00423777 40 inc eax
:00423778 C6840500FFFFFF68 mov byte ptr [ebp+eax-00000100], 68 'f','"','z','h',']',
:00423780 40 inc eax
:00423781 C6840500FFFFFF5D mov byte ptr [ebp+eax-00000100], 5D '^','*','o'
:00423789 40 inc eax
:0042378A C6840500FFFFFF5E mov byte ptr [ebp+eax-00000100], 5E 结果为"038400B02f"zh]^*o"
:00423792 40 inc eax
:00423793 C6840500FFFFFF2A mov byte ptr [ebp+eax-00000100], 2A
:0042379B 40 inc eax
:0042379C 83C608 add esi, 00000008
:0042379F C6840500FFFFFF6F mov byte ptr [ebp+eax-00000100], 6F
:004237A7 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:004237AD 56 push esi
:004237AE 50 push eax ------------eax指向"038400B02f"zh]^*o"
:004237AF 52 push edx
:004237B0 E81FFFFFFF call 004236D4 ----------对"038400B02f"zh]^*o"进行MD5变换
:004237B5 6880000000 push 00000080
:004237BA 6A00 push 00000000
:004237BC 8D8D80FEFFFF lea ecx, dword ptr [ebp+FFFFFE80]
:004237C2 51 push ecx
:004237C3 E8E03D0800 call 004A75A8
:004237C8 83C40C add esp, 0000000C
:004237CB 33F6 xor esi, esi
:004237CD 8D5D80 lea ebx, dword ptr [ebp-80]----使ebx指向md5变换的结果
:004237D0 EB5C jmp 0042382E "3760A132DD7D55D551F79B7A770D5934"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042383A(C)
|
:004237D2 6880000000 push 00000080------------------------------------------
:004237D7 6A00 push 00000000
:004237D9 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00] 把16进制的md5变换结果
:004237DF 50 push eax
:004237E0 E8C33D0800 call 004A75A8
:004237E5 83C40C add esp, 0000000C 依次取两位
:004237E8 8D9580FEFFFF lea edx, dword ptr [ebp+FFFFFE80] 如果所取字节形如0x(高4位为0),
:004237EE 52 push edx 则把0去掉
:004237EF E8183F0800 call 004A770C 如果所取数是00,
:004237F4 59 pop ecx 则把00及后面未取数
:004237F5 50 push eax 全部抛弃,
:004237F6 8D8D80FEFFFF lea ecx, dword ptr [ebp+FFFFFE80] 保留前面已取数为计算结果
:004237FC 51 push ecx 并把其中的大写字母
:004237FD 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00] 全部转换成小写字母,
:00423803 50 push eax 这就是最后计算结果,
:00423804 E82F3D0800 call 004A7538 也就是注册码
:00423809 83C40C add esp, 0000000C
:0042380C 33D2 xor edx, edx
:0042380E 8A13 mov dl, byte ptr [ebx]
:00423810 8D8D00FEFFFF lea ecx, dword ptr [ebp+FFFFFE00]
:00423816 52 push edx
:00423817 51 push ecx
:00423818 8D8580FEFFFF lea eax, dword ptr [ebp+FFFFFE80]
* Possible StringData Ref from Data Obj ->"%s%x"
|
:0042381E 68D0EC4D00 push 004DECD0
:00423823 50 push eax
:00423824 E88F760800 call 004AAEB8
:00423829 83C410 add esp, 00000010
:0042382C 46 inc esi
:0042382D 43 inc ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004237D0(U)
|
:0042382E 8D5580 lea edx, dword ptr [ebp-80]
:00423831 52 push edx
:00423832 E8D53E0800 call 004A770C
:00423837 59 pop ecx
:00423838 3BF0 cmp esi, eax
:0042383A 7296 jb 004237D2---------------------------------------------
:0042383C 8B4D08 mov ecx, dword ptr [ebp+08]
:0042383F 33C0 xor eax, eax
:00423841 8BF1 mov esi, ecx
:00423843 8DBD80FEFFFF lea edi, dword ptr [ebp+FFFFFE80]------使edi指向最后的运算结果
:00423849 83C9FF or ecx, FFFFFFFF "3760a132dd7d55d551f79b7a77d5934"
:0042384C F2 repnz
:0042384D AE scasb
:0042384E F7D1 not ecx
:00423850 2BF9 sub edi, ecx
:00423852 8BD1 mov edx, ecx
:00423854 87F7 xchg edi, esi
:00423856 C1E902 shr ecx, 02
:00423859 8BC7 mov eax, edi
:0042385B F3 repz
:0042385C A5 movsd
:0042385D 8BCA mov ecx, edx
:0042385F 83E103 and ecx, 00000003
:00423862 F3 repz
:00423863 A4 movsb
:00423864 8B4508 mov eax, dword ptr [ebp+08]
:00423867 50 push eax
:00423868 E89F3E0800 call 004A770C
:0042386D 59 pop ecx
:0042386E 85C0 test eax, eax
:00423870 7710 ja 00423882
:00423872 8B5508 mov edx, dword ptr [ebp+08]
* Possible StringData Ref from Data Obj ->"asl92x-q1"
|
:00423875 BED5EC4D00 mov esi, 004DECD5
:0042387A 8BFA mov edi, edx
:0042387C 8BC7 mov eax, edi
:0042387E A5 movsd
:0042387F A5 movsd
:00423880 66A5 movsw
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423870(C)
|
:00423882 5F pop edi
:00423883 5E pop esi
:00423884 5B pop ebx
:00423885 8BE5 mov esp, ebp
:00423887 5D pop ebp
:00423888 C20C00 ret 000C
总结:
注册号:038400B0
端口数:2
注册码:3760a132dd7d55d551f79b7a77d5934
另外,宏远短信群发软件(广告版&企业版),和个人版的注册算法是一样的。