Manually Unpacking the Modified Packer on Time Reminder Assistant, and Cracking It
Author of the crack
yzez[DFCG][BCG][FCG]
Target
Time Reminder Assistant (时间提醒助手) Build 2003.12.08
Software description
Time Reminder Assistant (时间提醒助手) Build 2003.12.08
Size: 2584 KB
Language: Simplified Chinese
Category: domestic software / trial version / on-off timers
Platform: Win9x/NT/2000/XP
Screenshot: none
Added: 2003-12-10 10:43:00
Downloads: 1483
Rating:
Description:
(1) Reminders at a specified time, daily, every Monday, every Tuesday, every Wednesday, every Thursday, every Friday, every Saturday, every Sunday, or Monday through Friday; (2) sound reminders, with a variety of pleasant alert sounds; (3) hourly chime; (4) text reminders: type the reminder text directly or choose from preset texts, which can be edited at any time; (5) scheduled program launch: pick an external program and run it at a given time; (6) scheduled shutdown: turn the computer off at a given time. Supports Win95/98/2000/ME/NT/XP. (7)…
…the many flexible reminder modes cover almost every reminder need. Things you routinely have to do at the office, memos written on sticky notes or in calendar squares that you then forget to look at? Spending N hours on the Internet or N hours playing on the computer, when to leave work, when to call a certain guy or girl, when the date is, when the computer should shut itself down… "Time Reminder Assistant" takes care of all of it, with a full set of reminder functions that raise efficiency and save time and money.
Download: http://www.skycn.com/soft/12607.html
Purpose
Not cracking for cracking's sake, but cracking for the technique!
Tools
OLLYDBG1.09、PEID0.9、ImportREC
Procedure
Note: the packer scan reports ASPack 2.11 -> Alexey Solodovnikov. P-SCAN can unpack it, but when I tried by hand it turned out to be somewhat modified. Fortunately the modification is not too heavy, so it can be handled; anything harder would be beyond me. As for the crack, the algorithm is basically worked out, but there is too much code, so I will not analyze it in detail; since the correct serial shows up in plaintext I will not say much more about it. If you are interested, trace the algorithm yourself.
00604001 > 60 PUSHAD*************************After loading the packed program we land here. F8 to step.
00604002 E9 3D040000 JMP TimeHelp.00604444******A big jump right away, ugh. Completely different from the original ASPack stub.
00604007 0B79 E5 OR EDI, DWORD PTR DS:[ECX-1B]
0060400A 04 E3 ADD AL, 0E3
0060400C B6 E1 MOV DH, 0E1
0060400E BF D364A504 MOV EDI, 4A564D3
00604013 - E0 80 LOOPDNE SHORT TimeHelp.00603F9
00604015 CA 9933 RETF 3399
00604444 0FBFEE MOVSX EBP, SI*****************************Lands straight here. Unbelievable.
00604447 0FBFF5 MOVSX ESI, BP*****************************F8 onward.
0060444A 66:8BF5 MOV SI, BP
0060444D E8 1C000000 CALL TimeHelp.0060446E*******************Must F7 into this CALL, otherwise the program runs away.
00604452 81BF 5CF31395 0>CMP DWORD PTR DS:[EDI+9513F35C], CD6>
0060446E /E9 1C000000 JMP TimeHelp.0060448F*******************After F7 into the CALL we arrive here.
00604473 |39B3 37C15FC3 CMP DWORD PTR DS:[EBX+C35FC137], ESI
00604479 |59 POP ECX
0060447A |1E PUSH DS
0060447B |D1B9 DDAAA32F SAR DWORD PTR DS:[ECX+2FA3AADD], 1
00604481 |71 5A JNO SHORT TimeHelp.006044DD
00604483 |A9 EF9E32E7 TEST EAX, E7329EEF
00604488 |3F AAS
00604489 |096F C1 OR DWORD PTR DS:[EDI-3F], EBP
0060448C |67:CD 9F INT 9F
0060448F 5E POP ESI *******************************The jump above lands here.
00604490 E9 14000000 JMP TimeHelp.006044A9******************Jumps again here.
006044A9 8BDE MOV EBX, ESI***********Lands here. F8 onward.
006044AB BA 21D6E0F8 MOV EDX, F8E0D621
006044B0 81C3 BA4E3C15 ADD EBX, 153C4EBA
006044B6 BD 69299D5B MOV EBP, 5B9D2969
006044BB BE F32E96C5 MOV ESI, C5962EF3
006044C0 B9 A9F25169 MOV ECX, 6951F2A9
006044C5 66:8BD1 MOV DX, CX
006044C8 66:8BD5 MOV DX, BP
006044CB 66:8BFD MOV DI, BP
006044CE 0FBFD0 MOVSX EDX, AX
006044D1 81E2 9330AF60 AND EDX, 60AF3093
006044D7 66:8BD0 MOV DX, AX
006044DA 81B3 2FB1C3EA E>XOR DWORD PTR DS:[EBX+EAC3B12F], 4E1>
006044E4 BF 33155BCF MOV EDI, CF5B1533
006044E9 80CE F9 OR DH, 0F9
006044EC 41 INC ECX
006044ED 81F6 3F45BC92 XOR ESI, 92BC453F
006044F3 81EB 02000000 SUB EBX, 2
006044F9 81EB 02000000 SUB EBX, 2
006044FF 66:8BF3 MOV SI, BX
00604502 81F9 B7F35169 CMP ECX, 6951F3B7
00604508 ^ 0F85 C3FFFFFF JNZ TimeHelp.006044D1************Jumps backwards here.
0060450E ^ E9 28FFFFFF JMP TimeHelp.0060443B************We are on this line; press F4 to run to it, then let it jump back.
00604513 ^ E3 86 JECXZ SHORT TimeHelp.0060449B
0060443B ^E9 C7FBFFFF JMP TimeHelp.00604007***********0060450E jumps here. Let it jump back again.
00604440 0000 ADD BYTE PTR DS:[EAX], AL
00604442 0000 ADD BYTE PTR DS:[EAX], AL
00604444 0FBFEE MOVSX EBP, SI
00604447 0FBFF5 MOVSX ESI, BP
00604007 E8 24040000 CALL TimeHelp.00604430**********Jumps back to here. Step with F8.
0060400C EB 00 JMP SHORT TimeHelp.0060400E****Let it jump.
0060400E BB 30394400 MOV EBX, TimeHelp.00443930*****Lands here. Keep stepping with F8.
00604013 03DD ADD EBX, EBP
00604015 2B9D D03F4400 SUB EBX, DWORD PTR SS:[EBP+443FD0]
0060401B 83BD FC494400 0>CMP DWORD PTR SS:[EBP+4449FC], 0
00604022 899D FC494400 MOV DWORD PTR SS:[EBP+4449FC], EBX
00604028 0F85 66030000 JNZ TimeHelp.00604394***********Not taken. Step down with F8. From here on, wherever there is no note, step with F8.
0060402E |C785 33394400 0>MOV DWORD PTR SS:[EBP+443933], 0
00604038 |8D85 044A4400 LEA EAX, DWORD PTR SS:[EBP+444A04]
0060403E |50 PUSH EAX
0060403F |FF95 004B4400 CALL DWORD PTR SS:[EBP+444B00]
00604045 |8985 004A4400 MOV DWORD PTR SS:[EBP+444A00], EAX
0060404B |8BF8 MOV EDI, EAX
0060404D |8D9D 114A4400 LEA EBX, DWORD PTR SS:[EBP+444A11]
00604053 |53 PUSH EBX
00604054 |50 PUSH EAX
00604055 |FF95 FC4A4400 CALL DWORD PTR SS:[EBP+444AFC]
0060405B |8985 FC3F4400 MOV DWORD PTR SS:[EBP+443FFC], EAX
00604061 |8D9D 1E4A4400 LEA EBX, DWORD PTR SS:[EBP+444A1E]
00604067 |53 PUSH EBX
00604068 |57 PUSH EDI
00604069 |FF95 FC4A4400 CALL DWORD PTR SS:[EBP+444AFC]
0060406F |8985 00404400 MOV DWORD PTR SS:[EBP+444000], EAX
00604075 |8D85 B5394400 LEA EAX, DWORD PTR SS:[EBP+4439B5]
0060407B |FFE0 JMP EAX****************************F8 all the way to here, then F7 in.
00604085 8B9D D83F4400 MOV EBX, DWORD PTR SS:[EBP+443FD8]**After entering we stop here. Step with F8.
0060408B 0BDB OR EBX, EBX
0060408D 74 0A JE SHORT TimeHelp.00604099*********Jumps downward.
0060408F 8B03 MOV EAX, DWORD PTR DS:[EBX]
00604091 8785 DC3F4400 XCHG DWORD PTR SS:[EBP+443FDC], EAX
00604097 8903 MOV DWORD PTR DS:[EBX], EAX
00604099 8DB5 19404400 LEA ESI, DWORD PTR SS:[EBP+444019]**Lands here.
0060409F 833E 00 CMP DWORD PTR DS:[ESI], 0
006040A2 0F84 1F010000 JE TimeHelp.006041C7***************Not taken. F8 onward.
006040A8 8DB5 19404400 LEA ESI, DWORD PTR SS:[EBP+444019]
006040AE 6A 04 PUSH 4
006040B0 68 00100000 PUSH 1000
006040B5 68 00180000 PUSH 1800
006040BA 6A 00 PUSH 0
006040BC FF95 FC3F4400 CALL DWORD PTR SS:[EBP+443FFC]
006040FA E8 DA060000 CALL TimeHelp.006047D9****************F8 to here; F8 over the call.
006040FF 80BD 10404400 0>CMP BYTE PTR SS:[EBP+444010], 0
00604106 75 5E JNZ SHORT TimeHelp.00604166**********Not taken.
00604108 FE85 10404400 INC BYTE PTR SS:[EBP+444010]
0060410E 8B3E MOV EDI, DWORD PTR DS:[ESI]
00604110 03BD FC494400 ADD EDI, DWORD PTR SS:[EBP+4449FC]
00604116 FF37 PUSH DWORD PTR DS:[EDI]
00604118 C607 C3 MOV BYTE PTR DS:[EDI], 0C3
0060411B FFD7 CALL EDI
00604128 8BB5 F43F4400 MOV ESI, DWORD PTR SS:[EBP+443FF4]*****F8 to here, keep going.
0060412E 33DB XOR EBX, EBX
00604130 0BC9 OR ECX, ECX
00604132 74 2E JE SHORT TimeHelp.00604162************Not taken, no trouble.
00604134 78 2C JS SHORT TimeHelp.00604162***********Not taken either. Keep going.
00604136 AC LODS BYTE PTR DS:[ESI]
00604137 3C E8 CMP AL, 0E8
00604139 74 0A JE SHORT TimeHelp.00604145***********Not taken. Keep going.
0060413B EB 00 JMP SHORT TimeHelp.0060413D************Jumps.
0060413D 3C E9 CMP AL, 0E9****************************Lands here. What is this nonsense.
0060413F 74 04 JE SHORT TimeHelp.00604145************Not taken.
00604141 43 INC EBX
00604142 49 DEC ECX
00604143 ^ EB EB JMP SHORT TimeHelp.00604130*************Uh-oh, it is going back. F4 below.
00604145 8B06 MOV EAX, DWORD PTR DS:[ESI]*************Press F4 on this line to run to it.
00604147 EB 00 JMP SHORT TimeHelp.00604149
00604149 803E 2A CMP BYTE PTR DS:[ESI], 2A
0060414C ^ 75 F3 JNZ SHORT TimeHelp.00604141*************Going back again? Let it.
0060414E 24 00 AND AL, 0*******************************F4 to run to this line.
00604150 C1C0 18 ROL EAX, 18
00604153 2BC3 SUB EAX, EBX
00604155 8906 MOV DWORD PTR DS:[ESI], EAX
00604157 83C3 05 ADD EBX, 5
0060415A 83C6 04 ADD ESI, 4
0060415D 83E9 05 SUB ECX, 5
00604160 ^ EB CE JMP SHORT TimeHelp.00604130*************Going back again. Let it.
00604162 5B POP EBX*********************************F4 to run to this line.
00604163 5E POP ESI
00604164 59 POP ECX
00604165 58 POP EAX
00604166 8BC8 MOV ECX, EAX
00604168 8B3E MOV EDI, DWORD PTR DS:[ESI]
0060416A 03BD FC494400 ADD EDI, DWORD PTR SS:[EBP+4449FC]
00604170 8BB5 F43F4400 MOV ESI, DWORD PTR SS:[EBP+443FF4]
00604176 C1F9 02 SAR ECX, 2
00604179 F3:A5 REP MOVS DWORD PTR ES:[EDI], DWORD P>
0060417B 8BC8 MOV ECX, EAX
0060417D 83E1 03 AND ECX, 3
00604180 F3:A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR>
00604182 5E POP ESI
00604183 68 00800000 PUSH 8000
00604188 6A 00 PUSH 0
0060418A FFB5 F43F4400 PUSH DWORD PTR SS:[EBP+443FF4]
00604190 FF95 00404400 CALL DWORD PTR SS:[EBP+444000]
00604196 83C6 08 ADD ESI, 8
00604199 833E 00 CMP DWORD PTR DS:[ESI], 0
0060419C ^ 0F85 26FFFFFF JNZ TimeHelp.006040C8***************Goes back again here. F4 below.
006041A2 68 00800000 PUSH 8000****************************F4 to run to this line.
006041A7 6A 00 PUSH 0
006041A9 FFB5 F83F4400 PUSH DWORD PTR SS:[EBP+443FF8]
006041AF FF95 00404400 CALL DWORD PTR SS:[EBP+444000]
006041B5 8B9D D83F4400 MOV EBX, DWORD PTR SS:[EBP+443FD8]
006041BB 0BDB OR EBX, EBX
006041BD 74 08 JE SHORT TimeHelp.006041C7**********Jumps, to here.
006041BF 8B03 MOV EAX, DWORD PTR DS:[EBX]
006041C1 8785 DC3F4400 XCHG DWORD PTR SS:[EBP+443FDC], EAX
006041C7 8B95 FC494400 MOV EDX, DWORD PTR SS:[EBP+4449FC]***Lands here. F8 onward.
006041CD 8B85 D43F4400 MOV EAX, DWORD PTR SS:[EBP+443FD4]
006041D3 2BD0 SUB EDX, EAX
006041D5 74 79 JE SHORT TimeHelp.00604250**********Jumps again.
00604250 8B95 FC494400 MOV EDX, DWORD PTR SS:[EBP+4449FC]***Lands here.
00604256 8BB5 E83F4400 MOV ESI, DWORD PTR SS:[EBP+443FE8]
0060425C 0BF6 OR ESI, ESI
0060425E 74 11 JE SHORT TimeHelp.00604271**********Jumps again.
00604271 8BB5 B1394400 MOV ESI, DWORD PTR SS:[EBP+4439B1]***Lands here.
00604277 8B95 FC494400 MOV EDX, DWORD PTR SS:[EBP+4449FC]
0060427D 03F2 ADD ESI, EDX
0060427F 8B46 0C MOV EAX, DWORD PTR DS:[ESI+C]
00604282 85C0 TEST EAX, EAX
00604284 0F84 0A010000 JE TimeHelp.00604394
00604295 85C0 TEST EAX, EAX
00604297 75 07 JNZ SHORT TimeHelp.006042A0***********This one jumps.
00604299 53 PUSH EBX
0060429A FF95 044B4400 CALL DWORD PTR SS:[EBP+444B04]
006042A0 8985 EC3F4400 MOV DWORD PTR SS:[EBP+443FEC], EAX ***Lands here.
006042A6 C785 F03F4400 0>MOV DWORD PTR SS:[EBP+443FF0], 0
006042B0 8B95 FC494400 MOV EDX, DWORD PTR SS:[EBP+4449FC]
006042B6 8B06 MOV EAX, DWORD PTR DS:[ESI]
006042B8 85C0 TEST EAX, EAX
006042BA 75 03 JNZ SHORT TimeHelp.006042BF
006042FC 85C0 TEST EAX, EAX
006042FE 5B POP EBX
006042FF 75 6F JNZ SHORT TimeHelp.00604370**********Jumps here. Look below.
00604301 F7C3 00000080 TEST EBX, 80000000
00604307 75 19 JNZ SHORT TimeHelp.00604322
00604309 57 PUSH EDI
00604370 8907 MOV DWORD PTR DS:[EDI], EAX*********Landed here. Look below, how lovely.
00604372 8385 F03F4400 0>ADD DWORD PTR SS:[EBP+443FF0], 4
00604379 ^ E9 32FFFFFF JMP TimeHelp.006042B0***************Jumps back.
0060437E 8906 MOV DWORD PTR DS:[ESI], EAX
00604380 8946 0C MOV DWORD PTR DS:[ESI+C], EAX
00604383 8946 10 MOV DWORD PTR DS:[ESI+10], EAX
00604386 83C6 14 ADD ESI, 14
00604389 8B95 FC494400 MOV EDX, DWORD PTR SS:[EBP+4449FC]
0060438F ^ E9 EBFEFFFF JMP TimeHelp.0060427F***************Jumps back.
00604394 8B85 AD394400 MOV EAX, DWORD PTR SS:[EBP+4439AD]
0060439A 50 PUSH EAX
0060439B 0385 FC494400 ADD EAX, DWORD PTR SS:[EBP+4449FC]
006043A1 59 POP ECX
006043A2 0BC9 OR ECX, ECX
006043A4 8985 E63C4400 MOV DWORD PTR SS:[EBP+443CE6], EAX
006043AA 61 POPAD***********************************F4 to run to this line.
006043AB 75 08 JNZ SHORT TimeHelp.006043B5
006043AD B8 01000000 MOV EAX, 1
006043B2 C2 0C00 RETN 0C
006043B5 68 8CB35500 PUSH TimeHelp.0055B38C***************A ray of hope: 0055B38C is the OEP.
006043BA C3 RETN************************************F8 returns to the OEP.
0055B38C 55 PUSH EBP*****************************Dump the program here.
0055B38D 8BEC MOV EBP, ESP
0055B38F 83C4 E8 ADD ESP, -18
0055B392 53 PUSH EBX
0055B393 56 PUSH ESI
0055B394 33C0 XOR EAX, EAX
Fix the imports with ImportREC, setting the OEP to 0015B38C. Done; after the fix the program runs normally.
2. Cracking.
Load the unpacked program in OD; we break at the address below. See:
00554AFC PUSH EBP**********We set the breakpoint here. It is not the best breakpoint, but it serves our purpose.
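The loop at 00604128-00604160 in the listing above is the packer's call/jump fix-up pass: after decompression it scans the section for E8 (CALL rel32) and E9 (JMP rel32) opcodes whose first operand byte is the marker 2A, reads the other three operand bytes as a section-relative absolute target (the AND AL,0 / ROL EAX,18 pair turns them into a little-endian value), subtracts the opcode's offset (EBX) to recover the normal rel32 displacement, and writes it back. The following Python is an added reconstruction of that loop as I read the disassembly; it is not code from the tutorial's author or from the packer. The names fix_calls, encode_calls, MARKER and OPCODES are mine, the encoder is my inverse transform used only to build test input, and the sample bytes are constructed. Recognizing this pass matters for an analyst because a dump taken before it finishes still holds the marker-encoded operands, and every CALL/JMP in it disassembles to garbage.

```python
# Added example: reconstruction of the E8/E9 fix-up loop at 00604128-00604160
# (my reading of the disassembly; not the tutorial author's or the packer's code).

MARKER = 0x2A            # CMP BYTE PTR [ESI], 2A
OPCODES = (0xE8, 0xE9)   # CMP AL, E8 / CMP AL, E9


def fix_calls(data: bytes) -> bytes:
    """Undo the packer's E8/E9 transform; returns the repaired section bytes."""
    buf = bytearray(data)
    pos = 0                  # EBX: offset of the byte under the cursor
    remaining = len(buf)     # ECX: bytes left to scan
    # OR ECX,ECX / JE / JS: the loop ends when the counter is zero or negative
    while remaining > 0:
        opcode = buf[pos]                                     # LODSB
        # Guard added here: the real loop reads 4 bytes past ESI unconditionally,
        # so a marker in the last 4 bytes would read beyond the buffer.
        if opcode in OPCODES and pos + 5 <= len(buf) and buf[pos + 1] == MARKER:
            # MOV EAX,[ESI]; AND AL,0; ROL EAX,18 -> 3-byte little-endian value
            absolute = int.from_bytes(buf[pos + 2:pos + 5], "little")
            relative = (absolute - pos) & 0xFFFFFFFF          # SUB EAX, EBX
            buf[pos + 1:pos + 5] = relative.to_bytes(4, "little")  # MOV [ESI],EAX
            pos += 5                                          # ADD EBX,5 / ADD ESI,4
            remaining -= 5                                    # SUB ECX,5
        else:
            pos += 1                                          # INC EBX
            remaining -= 1                                    # DEC ECX
    return bytes(buf)


def encode_calls(data: bytes) -> bytes:
    """My inverse of fix_calls, used only to build test input: rewrite each
    E8/E9 rel32 whose section-relative target fits in 24 bits as
    MARKER + 3-byte absolute.  Not taken from the packer."""
    buf = bytearray(data)
    pos = 0
    while pos + 5 <= len(buf):
        if buf[pos] in OPCODES:
            rel = int.from_bytes(buf[pos + 1:pos + 5], "little", signed=True)
            absolute = rel + pos
            if 0 <= absolute < (1 << 24):
                buf[pos + 1] = MARKER
                buf[pos + 2:pos + 5] = absolute.to_bytes(3, "little")
            pos += 5
        else:
            pos += 1
    return bytes(buf)


# Constructed sample: a CALL forward over five NOPs to a RET, then a JMP back.
SAMPLE = bytes([
    0x55,                          # offset 0:  push ebp
    0xE8, 0x05, 0x00, 0x00, 0x00,  # offset 1:  call +5  (-> offset 11)
    0x90, 0x90, 0x90, 0x90, 0x90,  # offset 6:  nops
    0xC3,                          # offset 11: ret
    0xE9, 0xF4, 0xFF, 0xFF, 0xFF,  # offset 12: jmp -12  (-> offset 5)
])


def roundtrip_ok(data: bytes = SAMPLE) -> bool:
    """True when encoding and then fixing reproduces the original bytes."""
    return fix_calls(encode_calls(data)) == data


if __name__ == "__main__":
    packed = encode_calls(SAMPLE)
    print("encoded :", packed.hex(" "))
    print("fixed   :", fix_calls(packed).hex(" "))
    print("roundtrip ok:", roundtrip_ok())
```

The encoded sample shows the pattern you would see in a premature dump: the CALL at offset 1 becomes E8 2A 06 00 00, i.e. a "CALL" to a nonsense displacement, which is why the tutorial lets the loop run to completion (F4 on 00604162) before dumping.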
00554AFD MOV EBP, ESP
00554B23 CALL UNPACK.0044A00C
00554B28 CMP [LOCAL.1], 0*******Checks whether a registration code was entered; 0 if nothing was typed.
00554B2C JE UNPACK.00554C6A****0 jumps straight to the failure branch.
00554B63 CALL UNPACK.0044A00C
00554B68 MOV ECX, [LOCAL.2]*****The machine code 1072430079 is moved into ECX.
00554B6B MOV EDX, UNPACK.00554D14
00554B70 MOV EAX, ESI
00554B72 CALL UNPACK.0049584C
00554BB4 PUSH UNPACK.00554D34****The fixed string "aB" is pushed.
00554BB9 LEA EDX, [LOCAL.7]
00554BD7 CALL UNPACK.00409630****This CALL converts the machine code to its hex value, 3FEBFBFF.
00554BDC PUSH [LOCAL.6]**********The hex-converted machine code is pushed.
00554BDF PUSH UNPACK.00554D40****The fixed string "Cd" is pushed.
00554BE4 LEA EAX, [LOCAL.5]
00554BE7 MOV EDX, 3
00554BEC CALL UNPACK.00404BCC****Concatenates the values above: aB3FEBFBFFCd
00554BF1 MOV EDX, [LOCAL.5]*****The transformed value aB3FEBFBFFCd is moved into EDX.
00554BF4 MOV EAX, DWORD PTR DS:[55E6A8]
00554BF9 MOV EAX, DWORD PTR DS:[EAX]
00554BFB MOV EAX, DWORD PTR DS:[EAX+378]
00554C01 MOV ECX, UNPACK.00554D4C ; ASCII "my530.com"
00554C06 CALL UNPACK.004BAD7C**************Look below: there is a jump after this. F7 into the CALL.
00554C0B TEST AL, AL
00554C0D JE SHORT UNPACK.00554C50
00554C0F MOV EDX, UNPACK.00554D60
00554C14 MOV EAX, DWORD PTR DS:[56C6F0]
00554C19 CALL UNPACK.0044A03C
-------------------------------------------------------------------------------------
After stepping into the CALL above we stop here.
004BAD7C PUSH EBP****************After F7 into the CALL above, we are here. F8 onward.
004BAD7D MOV EBP, ESP
004BAD7F ADD ESP, -8
004BAD82 PUSH EBX
********************************part of the code omitted************************************
004BADB7 MOV ECX, [LOCAL.2]
004BADBA MOV EDX, [LOCAL.1]
004BADBD MOV EAX, EBX
004BADBF CALL UNPACK.004BADFC*****************The key CALL. F7 into it.
004BADC4 MOV EBX, EAX
004BADC6 XOR EAX, EAX
004BADC8 POP EDX ; UNPACK.00554C0B
004BADC9 POP ECX ; UNPACK.00554C0B
004BADCA POP ECX ; UNPACK.00554C0B
004BADCB MOV DWORD PTR FS:[EAX], EDX
004BADCE PUSH UNPACK.004BADF0
004BADD3 LEA EAX, [LOCAL.2]
004BADD6 MOV EDX, 2
004BADDB CALL UNPACK.00404878
004BADE0 LEA EAX, [ARG.1]
004BADE3 CALL UNPACK.00404854
004BADE8 RETN
____________________________________________________________________________________
After stepping into the key CALL we arrive here.
004BADFC PUSH EBP********************Inside the key CALL, we are here.
004BADFD |. 8BEC MOV EBP, ESP
004BADFF |. 83C4 F0 ADD ESP, -10
004BAEB0 |. E8 379AF4FF CALL UNPACK.004048EC
004BAEB5 |. 8D4D F0 LEA ECX, [LOCAL.4]
004BAEB8 |. 8B55 FC MOV EDX, [LOCAL.1]
004BAEBB |. 8BC3 MOV EAX, EBX
004BAEBD |. E8 C2F9FFFF CALL UNPACK.004BA884******The algorithm CALL. F7 into it.
004BAEC2 |. 8B45 F0 MOV EAX, [LOCAL.4]
004BAEC5 |. 8B55 0C MOV EDX, [ARG.2]
004BAEC8 |. E8 37E1F4FF CALL UNPACK.00409004
004BAECD |. 85C0 TEST EAX, EAX
004BAECF |. 74 04 JE SHORT UNPACK.004BAED5
004BAED1 |. 33DB XOR EBX, EBX
004BAED3 |. EB 35 JMP SHORT UNPACK.004BAF0A
004BAED5 |> 8D43 50 LEA EAX, DWORD PTR DS:[EBX+50]
004BAED8 |. 8B55 FC MOV EDX, [LOCAL.1]
004BAEDB |. E8 C899F4FF CALL UNPACK.004048A8
004BAEE0 |. 8D43 60 LEA EAX, DWORD PTR DS:[EBX+60]
004BAEE3 |. 8B55 F8 MOV EDX, [LOCAL.2] ; UNPACK.00554D4C
004BAEE6 |. E8 BD99F4FF CALL UNPACK.004048A8
004BAEEB |. 8D43 6C LEA EAX, DWORD PTR DS:[EBX+6C]
004BAEEE |. 8B55 0C MOV EDX, [ARG.2]
004BAEF1 |. E8 B299F4FF CALL UNPACK.004048A8
004BAEF6 |. 8D43 44 LEA EAX, DWORD PTR DS:[EBX+44]
004BAEF9 |. 8B55 08 MOV EDX, [ARG.1]
004BAEFC |. E8 A799F4FF CALL UNPACK.004048A8
004BAF01 |. 8BC3 MOV EAX, EBX
004BAF03 |. E8 58020000 CALL UNPACK.004BB160
004BAF08 |. B3 01 MOV BL, 1
004BAF0A |> 33C0 XOR EAX, EAX
004BAF0C |. 5A POP EDX ; UNPACK.004BADC4
004BAF0D |. 59 POP ECX ; UNPACK.004BADC4
004BAF0E |. 59 POP ECX ; UNPACK.004BADC4
004BAF0F |. 64:8910 MOV DWORD PTR FS:[EAX], EDX
004BAF12 |. 68 39AF4B00 PUSH UNPACK.004BAF39
004BAF17 |> 8D45 F0 LEA EAX, [LOCAL.4]
004BAF1A |. BA 04000000 MOV EDX, 4
004BAF1F |. E8 5499F4FF CALL UNPACK.00404878
004BAF24 |. 8D45 08 LEA EAX, [ARG.1]
004BAF27 |. BA 02000000 MOV EDX, 2
004BAF2C |. E8 4799F4FF CALL UNPACK.00404878
004BAF31 . C3 RETN
-----------------------------------------------------------------------------------
After stepping into the algorithm CALL:
004BA884 PUSH EBP*************Inside the algorithm CALL we stop here.
004BA885 MOV EBP, ESP
004BA887 ADD ESP, -34
004BA8B2 MOV EAX, [LOCAL.1]***The transformed machine code aB3FEBFBFFCd is moved into EAX.
004BA8B5 CALL UNPACK.00404B0C
004BA8BA CMP EAX, DWORD PTR DS:[ESI+58]***EAX holds the length of that string, C; C is compared with 19.
004BA8BD JG SHORT UNPACK.004BA8CC********Greater jumps away.
004BA8BF MOV EAX, [LOCAL.1]***************The transformed machine code into EAX
004BA8C2 CALL UNPACK.00404B0C
004BA9CC MOV EAX, [LOCAL.1]***************Jumps to here. The transformed machine code into EAX
004BA9CF CALL UNPACK.00404B0C
004BA9D4 SUB EAX, 6***********************The length minus 6, i.e. C-6=6
004BA9D7 CMP EBX, EAX*********************Compares EBX with EAX: C against 6
004BA9D9 JL SHORT UNPACK.004BA9DF********Less jumps.
004BA9DB TEST EBX, EBX*********************Tests EBX.
004BA9DD JG SHORT UNPACK.004BA99B********Greater jumps away.
004BA9DF LEA EDX, [LOCAL.2]
004BA9E2 MOV EAX, [LOCAL.3]
004BA9E5 CALL UNPACK.00405C5C
004BA9EA MOV [LOCAL.6], EAX
004BA9ED MOV [LOCAL.5], EDX
004BA9F0 MOV EBX, DWORD PTR DS:[ESI+70]
004BA9F3 TEST EBX, EBX
004BA9F5 JG SHORT UNPACK.004BAA08
004BA9F7 PUSH [LOCAL.5]
004BA9FA PUSH [LOCAL.6]
004BA9FD MOV EDX, EDI
004BA9FF XOR EAX, EAX
004BAA01 CALL UNPACK.0040966C
004BAA06 JMP SHORT UNPACK.004BAA2E
004BAA08 PUSH [LOCAL.5]
004BAA0B PUSH [LOCAL.6]
004BAA0E MOV EDX, EDI
004BAA10 MOV EAX, EBX
004BAA12 CALL UNPACK.0040966C
004BAA17 MOV EAX, DWORD PTR DS:[EDI]*******The registration code computed from the machine code, 278114D1C19B, goes into EAX. This is the code we are after.
004BAA19 CALL UNPACK.00404B0C
004BAA1E MOV ECX, EAX
004BAA20 SUB ECX, DWORD PTR DS:[ESI+70]