下载地址http://soft.yzvod.com/down.php?id=4322
这是一个简单好用的反安装软件, 具有对系统安装检测功能,能记录你硬盘上添加的文件和改变的设置。当你需要时,能彻底地安全地删除你安装的应用程序,使系统恢复安装前的状态。
该软件没有加壳,Delphi编写,用DeDe反汇编后导出uninstallm.map文件,然后用Ollydbg载入,LoadMap插件载入uninstallm.map文件
在uninstallm.map中可以看到TAboutBox@decode,可以看出来这是注册解码模块,猜想注册算法就在其中
如果我们想通过反汇编查找Thanks for your registration和Sorry ...我们是找不到的:-)
但是你可以发现如下两个字符串
\`ifc{(ngz(qg}z(zmoa{|zi|agf
[gzzq(fg|(i(kgzzmk|(zmo(cmq
当我们输入注册信息后,软件先判断注册码是不是正确,然后把上面两个字符串分别经过这一段程序就可以解码成我们想找的东东了
004A9AEA |> /8D45 F4 /lea eax,dword ptr ss:[ebp-C] ;这里就是上面的那两个字符串
004A9AED |. |8B55 FC |mov edx,dword ptr ss:[ebp-4]
004A9AF0 |. |8A5432 FF |mov dl,byte ptr ds:[edx+esi-1]
004A9AF4 |. |80F2 0B |xor dl,0B
004A9AF7 |. |80F2 03 |xor dl,3
004A9AFA |. |E8 51B2F5FF |call uninsman.00404D50
004A9AFF |. |8B55 F4 |mov edx,dword ptr ss:[ebp-C]
004A9B02 |. |8D45 F8 |lea eax,dword ptr ss:[ebp-8]
004A9B05 |. |E8 26B3F5FF |call uninsman.00404E30
004A9B0A |. |46 |inc esi
004A9B0B |. |4B |dec ebx
004A9B0C |.^\75 DC \jnz short uninsman.004A9AEA
如果注册正确的话会在HKEY_CURRENT_USER\Software\NuMegaSoftware\UninstallManager创建
SubKey="Reg"
Value=""
这个Value是我们输入的用户名也经过上面的这段加密代码生成的,程序启动时读键值再解码
下面是对TAboutBox@decode的简单分析啦
004A61BC <>/$ 55 push ebp ; <-TAboutBox@decode
004A61BD |. 8BEC mov ebp,esp
004A61BF |. 33C9 xor ecx,ecx
004A61C1 |. 51 push ecx
004A61C2 |. 51 push ecx
004A61C3 |. 51 push ecx
004A61C4 |. 51 push ecx
004A61C5 |. 53 push ebx
004A61C6 |. 56 push esi
004A61C7 |. 57 push edi
004A61C8 |. 8BF0 mov esi,eax
004A61CA |. 33C0 xor eax,eax
004A61CC |. 55 push ebp
004A61CD |. 68 94624A00 push <uninsman.->System.@HandleFinally;>
004A61D2 |. 64:FF30 push dword ptr fs:[eax]
004A61D5 |. 64:8920 mov dword ptr fs:[eax],esp
004A61D8 |. 33DB xor ebx,ebx
004A61DA |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004A61DD <>|. 8B86 10030000 mov eax,dword ptr ds:[esi+310] ; *Edit1:TEdit
004A61E3 <>|. E8 6875FCFF call uninsman.0046D750 ; ->Controls.TControl.GetText(TControl):TCaption;
004A61E8 |. 837D F4 00 cmp dword ptr ss:[ebp-C],0 ;输入用户名了吗?
004A61EC |. 74 7B je short uninsman.004A6269
004A61EE |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004A61F1 <>|. 8B86 10030000 mov eax,dword ptr ds:[esi+310] ; *Edit1:TEdit
004A61F7 <>|. E8 5475FCFF call uninsman.0046D750 ; ->Controls.TControl.GetText(TControl):TCaption;
004A61FC |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ;用户名入eax
004A61FF <>|. E8 24ECF5FF call uninsman.00404E28 ; ->System.@LStrLen(String):Integer;<+>
004A6204 |. 8BF8 mov edi,eax
004A6206 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004A6209 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ;用户名入eax
004A620C <>|. E8 572CF6FF call uninsman.00408E68 ; ->SysUtils.LowerCase(AnsiString):AnsiString;
004A6211 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ;大写字母变为小写
004A6214 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
004A6217 <>|. E8 E4E9F5FF call uninsman.00404C00 ; ->System.@LStrLAsg(void;void;void;void);
004A621C |. 33DB xor ebx,ebx
004A621E |. 85FF test edi,edi
004A6220 |. 7E 1D jle short uninsman.004A623F
004A6222 |. B8 01000000 mov eax,1
004A6227 |> 8B55 FC /mov edx,dword ptr ss:[ebp-4] ;用户名的acsii码相加
004A622A |. 8A5402 FF |mov dl,byte ptr ds:[edx+eax-1]
004A622E |. 80FA 20 |cmp dl,20
004A6231 |. 74 08 |je short uninsman.004A623B
004A6233 |. 81E2 FF000000 |and edx,0FF
004A6239 |. 03DA |add ebx,edx
004A623B |> 40 |inc eax
004A623C |. 4F |dec edi
004A623D |.^ 75 E8 \jnz short uninsman.004A6227
004A623F |> 81F3 89000000 xor ebx,89
004A6245 |. 83F3 33 xor ebx,33
004A6248 |. 43 inc ebx
004A6249 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004A624C <>|. 8B86 14030000 mov eax,dword ptr ds:[esi+314] ; *Edit2:TEdit
004A6252 <>|. E8 F974FCFF call uninsman.0046D750 ; ->Controls.TControl.GetText(TControl):TCaption;
004A6257 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004A625A <>|. E8 C131F6FF call uninsman.00409420 ; ->SysUtils.StrToInt(AnsiString):Integer;
004A625F |. 3BD8 cmp ebx,eax ;关键比较处
004A6261 |. 75 04 jnz short uninsman.004A6267
004A6263 |. B3 01 mov bl,1
004A6265 |. EB 02 jmp short uninsman.004A6269
004A6267 |> 33DB xor ebx,ebx
004A6269 |> 33C0 xor eax,eax
004A626B |. 5A pop edx
004A626C |. 59 pop ecx
004A626D |. 59 pop ecx
004A626E |. 64:8910 mov dword ptr fs:[eax],edx
004A6271 |. 68 9B624A00 push uninsman.004A629B
004A6276 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004A6279 <>|. E8 EAE8F5FF call uninsman.00404B68 ; ->System.@LStrClr(void;void);
004A627E |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004A6281 <>|. E8 E2E8F5FF call uninsman.00404B68 ; ->System.@LStrClr(void;void);
004A6286 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004A6289 |. BA 02000000 mov edx,2
004A628E <>|. E8 F9E8F5FF call uninsman.00404B8C ; ->System.@LStrArrayClr(void;void;Integer);
004A6293 \. C3 retn
下面是自注册机的C++源代码,VS.net下编译通过
#include <iostream.h>
#include <string.h>
#include <ctype.h>
#include <Windows.h>
main()
{
MessageBox(NULL,"Remove it first:-)","Coded by Cnbragon",MB_OK);
char Name[30],LowerName[30];
char ValueData[30]="I@";
char Value[30];
int RegKey,d=0;
cout<<"Please input your name:";
cin>>Name;
int l;
l=strlen(Name);
for(int i=0;i<l;i++)
LowerName[i]=tolower(Name[i]);
for(i=0;i<l;i++)
{
d+=toascii(LowerName[i]);
}
RegKey=d^0x89^0x33;
RegKey++;
cout<<"Your Registration Key is:"<<RegKey<<"\n";
cout<<"Do u want me to Register Automatically for u?(Y/Other) "<<endl;
char ch;
cin>>ch;
if(toupper(ch)=='Y')
{
for(i=0;i<strlen(Name);i++)
{
Value[i]=Name[i]^0x3^0xB;
}
Value[i]='\0';
strcat(ValueData,Value);
HKEY hKey;
char SubKeyName[] = "Software\\NoktaSoftware\\UninstallManager";
char ValueName[] = "Reg";
DWORD BufferSize;
DWORD pDisposition[64];
if ( RegCreateKeyEx(HKEY_CURRENT_USER, SubKeyName,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,pDisposition) != ERROR_SUCCESS )
{
cout<<"Error: RegCreateKeyEx"<<endl;
return -1;
}
BufferSize = sizeof(ValueData);
if (RegSetValueEx(hKey, ValueName, 0, REG_SZ,(BYTE *)ValueData, BufferSize) != ERROR_SUCCESS)
{
cout<<"Error: RegSetValueEx"<<endl;
RegCloseKey( hKey);
return -1;
}
RegCloseKey( hKey );
MessageBox(NULL,"Successfully Registered 886 ^_^","Coded by Cnbragon",MB_OK);
}
else
MessageBox(NULL,"Remove it :-)","Coded by Cnbragon",MB_OK);
return 0;
}