http://bbs.pediy.com/showthread.php?s=&threadid=4165
【软件名称】:2scr
【软件简介】:一个中文屏保制作软件
【软件限制】:UPX壳,时间限制!
BC++,用DEDE反一下,找到下面
0040B6A0 55 push ebp
0040B6A1 8BEC mov ebp, esp
0040B6A3 81C4A8FDFFFF add esp, $FFFFFDA8
0040B6A9 53 push ebx
0040B6AA 56 push esi
0040B6AB 57 push edi
0040B6AC 8945B0 mov [ebp-$50], eax
0040B6AF B840464B00 mov eax, $004B4640
|
0040B6B4 E88F3D0800 call 0048F448
0040B6B9 8B55B0 mov edx, [ebp-$50]
0040B6BC 81C2F0020000 add edx, $000002F0
0040B6C2 52 push edx
* Reference to: GetSystemInfo() ;调用GetSystemInfo
| ;可以得到一个SYSTEM_INFO结构
0040B6C3 E8EA3A0A00 call 004AF1B2 ;结构在[ebp-$50]+$2F0 处
看看SYSTEM_INFO是啥样:(具体请查阅资料)
********************************************
/* Layout of the SYSTEM_INFO structure filled in by GetSystemInfo().
 * The offsets noted below assume the 32-bit layout (WORD = 2, DWORD = 4,
 * LPVOID = 4 bytes); they are the offsets the disassembly above reads
 * relative to the structure at [ebp-$50]+$2F0. */
typedef struct _SYSTEM_INFO { // offset 0x00: OEM id / architecture union
union {
DWORD dwOemId;
struct {
WORD wProcessorArchitecture;
WORD wReserved;
};
};
DWORD dwPageSize; // 0x04
LPVOID lpMinimumApplicationAddress; // 0x08
LPVOID lpMaximumApplicationAddress; // 0x0C
DWORD dwActiveProcessorMask; // 0x10
DWORD dwNumberOfProcessors; // 0x14 -> edi in the serial check (0040B6DE)
DWORD dwProcessorType; // 0x18 -> ebx (0040B6D8)
DWORD dwAllocationGranularity; // 0x1C, not read by the check
WORD wProcessorLevel; // 0x20 -> esi, zero-extended (0040B6CE)
WORD wProcessorRevision; // 0x22 -> edx / [ebp-$54], zero-extended (0040B6EA)
} SYSTEM_INFO;
********************************************
0040B6C8 8B45B0 mov eax, [ebp-$50] ;EAX=[EBP-50]
0040B6CB 8B4DB0 mov ecx, [ebp-$50] ;ECX=[EBP-50]
0040B6CE 0FB7B010030000 movzx esi, word ptr [eax+$0310];即结构的第$310-$2F0=$20字节(wProcessorLevel)
0040B6D5 8B45B0 mov eax, [ebp-$50]
0040B6D8 8B9908030000 mov ebx, [ecx+$0308] ;即结构的第$18字节,CPU类型
* Reference to field TForm3.OFFS_0304
|
0040B6DE 8BB804030000 mov edi, [eax+$0304] ;结构的第$14字节,CPU数目
0040B6E4 8B45B0 mov eax, [ebp-$50]
0040B6E7 8D0C1E lea ecx, [esi+ebx]
0040B6EA 0FB79012030000 movzx edx, word ptr [eax+$0312] ;结构的第$22字节(wProcessorRevision)
0040B6F1 03CF add ecx, edi
0040B6F3 8955AC mov [ebp-$54], edx
0040B6F6 034DAC add ecx, [ebp-$54]
0040B6F9 894DA8 mov [ebp-$58], ecx
0040B6FC 8B45AC mov eax, [ebp-$54]
0040B6FF 03C6 add eax, esi
0040B701 33C3 xor eax, ebx
0040B703 33C7 xor eax, edi
0040B705 8945A4 mov [ebp-$5C], eax
0040B708 33C0 xor eax, eax
0040B70A 8D941E34120000 lea edx, [esi+ebx+$1234]
0040B711 8D8C3745230000 lea ecx, [edi+esi+$2345]
0040B718 81F245230000 xor edx, $00002345
0040B71E 81F156340000 xor ecx, $00003456
0040B724 8BDA mov ebx, edx
0040B726 8B55AC mov edx, [ebp-$54]
0040B729 0355A8 add edx, [ebp-$58]
0040B72C 037DAC add edi, [ebp-$54]
0040B72F 81C267450000 add edx, $00004567
0040B735 8BF1 mov esi, ecx
0040B737 81F278560000 xor edx, $00005678
0040B73D 81C756340000 add edi, $00003456
0040B743 8955AC mov [ebp-$54], edx
0040B746 81F767450000 xor edi, $00004567
0040B74C 8B4DA8 mov ecx, [ebp-$58]
0040B74F 034DA4 add ecx, [ebp-$5C]
0040B752 81C178560000 add ecx, $00005678
0040B758 81F189670000 xor ecx, $00006789
0040B75E 894DA8 mov [ebp-$58], ecx
0040B761 8B55A4 mov edx, [ebp-$5C]
0040B764 03D3 add edx, ebx
0040B766 81C289670000 add edx, $00006789
0040B76C 81F291780000 xor edx, $00007891
0040B772 8955A4 mov [ebp-$5C], edx
0040B775 40 inc eax
0040B776 83F825 cmp eax, +$25
0040B779 7C8F jl 0040B70A ;上面循环复杂计算
0040B77B 66C745C41400 mov word ptr [ebp-$3C], $0014
.....................(略)..............................
0040B871 8B45B0 mov eax, [ebp-$50]
* Reference to control Edit1 : TEdit
|
0040B874 8B80E0020000 mov eax, [eax+$02E0]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0040B87A E815580400 call 00451094 ;得到假码
0040B87F 03F3 add esi, ebx
0040B881 8D55F0 lea edx, [ebp-$10]
0040B884 52 push edx
0040B885 03FE add edi, esi
0040B887 037DAC add edi, [ebp-$54]
0040B88A 037DA8 add edi, [ebp-$58]
0040B88D 037DA4 add edi, [ebp-$5C] ;把上面几处的结果累加
0040B890 337DA0 xor edi, [ebp-$60] ;再与用户名的长度XOR
0040B893 897D9C mov [ebp-$64], edi
0040B896 8B459C mov eax, [ebp-$64]
0040B899 99 cdq
0040B89A 33C2 xor eax, edx
0040B89C 2BC2 sub eax, edx
0040B89E 8BD0 mov edx, eax
0040B8A0 8D45EC lea eax, [ebp-$14]
|
0040B8A3 E8B8F70800 call 0049B060
0040B8A8 8BD0 mov edx, eax
0040B8AA FF45D0 inc dword ptr [ebp-$30]
0040B8AD 58 pop eax
|
0040B8AE E835F90800 call 0049B1E8 ;进行比较,不相等ZF=0
0040B8B3 85C0 test eax, eax
0040B8B5 8D45EC lea eax, [ebp-$14]
0040B8B8 0F94C1 setz cl ;根据标志位设置CL
0040B8BB 83E101 and ecx, +$01 ;CL如果是0这里就成0了
0040B8BE BA02000000 mov edx, $00000002
0040B8C3 51 push ecx
0040B8C4 FF4DD0 dec dword ptr [ebp-$30]
|
0040B8C7 E81CF80800 call 0049B0E8
0040B8CC FF4DD0 dec dword ptr [ebp-$30]
0040B8CF 8D45F0 lea eax, [ebp-$10]
0040B8D2 BA02000000 mov edx, $00000002
|
0040B8D7 E80CF80800 call 0049B0E8
0040B8DC 59 pop ecx
0040B8DD 84C9 test cl, cl
0040B8DF 0F8458010000 jz 0040BA3D ;CL=0跳走就OVER
简易注册机:(VC++)
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <iostream.h>
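/*
 * Keygen for 2scr: re-implements the serial computation reverse-engineered
 * above (0040B6C8..0040B8A8).  The serial depends on the machine the target
 * runs on (GetSystemInfo), so it has to be generated on that machine.
 *
 * All arithmetic is done in DWORD (unsigned 32-bit) so that additions wrap
 * exactly like the 32-bit registers in the target; signed int overflow is
 * undefined behaviour in C/C++ and is not guaranteed to wrap.
 *
 * Returns 0 after printing the serial for the name read from stdin.
 */
int main()
{
    char name[200] = {0};
    cout << "Please input your name:";
    cin.width(sizeof name);   // bound the read: a bare cin >> char* overflows name
    cin >> name;

    SYSTEM_INFO si;
    GetSystemInfo(&si);       // the target reads the same structure (0040B6C3)

    /* local names mirror the registers/stack slots in the disassembly */
    DWORD esi = si.wProcessorLevel;        // movzx esi, word ptr [eax+$0310]
    DWORD ebx = si.dwProcessorType;        // mov ebx, [ecx+$0308]
    DWORD edi = si.dwNumberOfProcessors;   // mov edi, [eax+$0304]
    DWORD ebp_54 = si.wProcessorRevision;  // movzx edx, word ptr [eax+$0312]
    DWORD ebp_58 = esi + ebx + edi + ebp_54;
    DWORD ebp_5c = (ebp_54 + esi) ^ ebx ^ edi;

    /* 0x25 rounds of the mixing loop at 0040B70A..0040B779 */
    for (DWORD round = 0; round < 0x25; round++) {
        DWORD new_ebx = (esi + ebx + 0x1234) ^ 0x2345;
        DWORD new_esi = (edi + esi + 0x2345) ^ 0x3456;
        DWORD new_54 = (ebp_54 + ebp_58 + 0x4567) ^ 0x5678;
        edi = (edi + ebp_54 + 0x3456) ^ 0x4567;   // uses the OLD [ebp-$54] (0040B72C precedes 0040B743)
        ebx = new_ebx;
        esi = new_esi;
        ebp_54 = new_54;
        ebp_58 = (ebp_58 + ebp_5c + 0x5678) ^ 0x6789;
        ebp_5c = (ebp_5c + ebx + 0x6789) ^ 0x7891;   // uses the NEW ebx (0040B724 precedes 0040B764)
    }

    /* 0040B87F..0040B890: sum everything, then XOR with the name length */
    DWORD sum = (edi + esi + ebx + ebp_54 + ebp_58 + ebp_5c) ^ (DWORD)strlen(name);

    /* 0040B899..0040B89C (cdq / xor eax,edx / sub eax,edx) is abs() on the
     * signed 32-bit value before it is converted and compared.  The earlier
     * keygen skipped this step and printed a negative serial whenever the
     * sum had its sign bit set. */
    LONG serial = (LONG)sum;
    if (serial < 0)
        serial = (LONG)(0 - sum);   // wraps for 0x80000000, exactly like the target

    cout << "Your serial number is " << serial << endl;
    cout << "KeyGen by RoBa ThanQ!" << endl;
    return 0;
}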
呵呵,完全直译的,因为和硬件相关,无法确定它绝对正确,还请各位测试。另外注意 0040B899-0040B89C 处的 cdq / xor eax,edx / sub eax,edx 是对结果取绝对值,之后才转换并比较,所以注册机输出前也应对 result 取绝对值;运算最好用无符号 32 位,以保证溢出时和目标程序一样回绕。