WinImage是一套可将文件或文件夹制成 Image 文件,然后完整复制至另一硬盘
的工具,它与 Ghost 不同的是,它可直接将镜像文件分割成数块存储至A磁盘中,
另外程序提供制作与还原程序.它允许你从软盘上做磁盘镜像,从一个镜像中释放
文件,创建一个空的镜像,通过在一空盘上放置镜像复制磁盘,在一镜像中注入文件
与目录,转换一个镜像格式等等.WinImage 支持许多不同标准和非标准格式,包括
微软的 DMF 格式.WinImage 可以用于备份 WINDOWS 95 磁盘和大部分微软的软件
产品.我的这个版本是 V6.10.6100 版,当然如果你感兴趣的话,可以到下面地址
去下载:http://www.winimage.com/winimage.htm
我们输入以下信息:
Name:dengkeng[DFCG]
Registration Code:123456
由于是明码比较所以找到关键点:
0044208A /$ 55 PUSH EBP
0044208B |. 8BEC MOV EBP,ESP
0044208D |. 81EC 00020000 SUB ESP,200
00442093 |. 56 PUSH ESI
00442094 |. 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
00442097 |. 85F6 TEST ESI,ESI
00442099 |. 57 PUSH EDI
0044209A |. 74 03 JE SHORT WINIMAGE.0044209F
0044209C |. 8326 00 AND DWORD PTR DS:[ESI],0
0044209F |> FF75 0C PUSH DWORD PTR SS:[EBP+C]
004420A2 |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
004420A8 |. 50 PUSH EAX
004420A9 |. E8 E2FEFFFF CALL WINIMAGE.00441F90
004420AE |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
004420B1 |. E8 06FFFFFF CALL WINIMAGE.00441FBC ;关键部分,进入
004420B6 |. 8BF8 MOV EDI,EAX ;eax就是最终结果
004420B8 |. 83C4 0C ADD ESP,0C
004420BB |. 81FF 26DDDCB8 CMP EDI,B8DCDD26
004420C1 |. 0F84 FE000000 JE WINIMAGE.004421C5
004420C7 |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
004420CD |. 50 PUSH EAX
004420CE |. 8D85 00FEFFFF LEA EAX,DWORD PTR SS:[EBP-200]
004420D4 |. 57 PUSH EDI ;EDI被压入
004420D5 |. 50 PUSH EAX
004420D6 |. E8 63FFFFFF CALL WINIMAGE.0044203E ;把输入的EDI进行变换
004420DB |. 59 POP ECX ; |
004420DC |. 59 POP ECX ; |
004420DD |. 50 PUSH EAX ; |s1
004420DE |. E8 97020000 CALL <JMP.&CRTDLL.strcmp> ; strcmp
004420E3 |. 85C0 TEST EAX,EAX
004420E5 |. 59 POP ECX
004420E6 |. 59 POP ECX
004420E7 |. 0F84 A0000000 JE WINIMAGE.0044218D
004420ED |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
004420F3 |. 50 PUSH EAX
004420F4 |. 8D87 48190514 LEA EAX,DWORD PTR DS:[EDI+14051948] ;上次的EDI不变+14051948H,下面同理
004420FA |. 50 PUSH EAX
004420FB |. 8D85 00FEFFFF LEA EAX,DWORD PTR SS:[EBP-200]
00442101 |. 50 PUSH EAX
00442102 |. E8 37FFFFFF CALL WINIMAGE.0044203E ;根据计算的EDI计算第二个注册码,下面同理
00442107 |. 59 POP ECX ; |
00442108 |. 59 POP ECX ; |
00442109 |. 50 PUSH EAX ; |s1
0044210A |. E8 6B020000 CALL <JMP.&CRTDLL.strcmp> ; strcmp
0044210F |. 85C0 TEST EAX,EAX
00442111 |. 59 POP ECX
00442112 |. 59 POP ECX
00442113 |. 74 78 JE SHORT WINIMAGE.0044218D
00442115 |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
0044211B |. 50 PUSH EAX
0044211C |. 8D87 54190617 LEA EAX,DWORD PTR DS:[EDI+17061954]
00442122 |. 50 PUSH EAX
00442123 |. 8D85 00FEFFFF LEA EAX,DWORD PTR SS:[EBP-200]
00442129 |. 50 PUSH EAX
0044212A |. E8 0FFFFFFF CALL WINIMAGE.0044203E
0044212F |. 59 POP ECX ; |
00442130 |. 59 POP ECX ; |
00442131 |. 50 PUSH EAX ; |s1
00442132 |. E8 43020000 CALL <JMP.&CRTDLL.strcmp> ; strcmp
00442137 |. 85C0 TEST EAX,EAX
00442139 |. 59 POP ECX
0044213A |. 59 POP ECX
0044213B |. 74 50 JE SHORT WINIMAGE.0044218D
0044213D |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
00442143 |. 50 PUSH EAX
00442144 |. 8D87 81190510 LEA EAX,DWORD PTR DS:[EDI+10051981]
0044214A |. 50 PUSH EAX
0044214B |. 8D85 00FEFFFF LEA EAX,DWORD PTR SS:[EBP-200]
00442151 |. 50 PUSH EAX
00442152 |. E8 E7FEFFFF CALL WINIMAGE.0044203E
00442157 |. 59 POP ECX ; |
00442158 |. 59 POP ECX ; |
00442159 |. 50 PUSH EAX ; |s1
0044215A |. E8 1B020000 CALL <JMP.&CRTDLL.strcmp> ; strcmp
0044215F |. 85C0 TEST EAX,EAX
00442161 |. 59 POP ECX
00442162 |. 59 POP ECX
00442163 |. 74 55 JE SHORT WINIMAGE.004421BA
00442165 |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
0044216B |. 50 PUSH EAX
0044216C |. 8D87 95190104 LEA EAX,DWORD PTR DS:[EDI+4011995]
00442172 |. 50 PUSH EAX
00442173 |. 8D85 00FEFFFF LEA EAX,DWORD PTR SS:[EBP-200]
00442179 |. 50 PUSH EAX
0044217A |. E8 BFFEFFFF CALL WINIMAGE.0044203E
0044217F |. 59 POP ECX ; |
00442180 |. 59 POP ECX ; |
00442181 |. 50 PUSH EAX ; |s1
00442182 |. E8 F3010000 CALL <JMP.&CRTDLL.strcmp> ; strcmp
00442187 |. 85C0 TEST EAX,EAX
00442189 |. 59 POP ECX
0044218A |. 59 POP ECX
0044218B |. 75 05 JNZ SHORT WINIMAGE.00442192
0044218D |> 33C0 XOR EAX,EAX
0044218F |. 40 INC EAX
00442190 |. EB 35 JMP SHORT WINIMAGE.004421C7
00442192 |> 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
00442198 |. 50 PUSH EAX
00442199 |. 81C7 97190602 ADD EDI,2061997
0044219F |. 8D85 00FEFFFF LEA EAX,DWORD PTR SS:[EBP-200]
004421A5 |. 57 PUSH EDI
004421A6 |. 50 PUSH EAX
004421A7 |. E8 92FEFFFF CALL WINIMAGE.0044203E
004421AC |. 59 POP ECX ; |
004421AD |. 59 POP ECX ; |
004421AE |. 50 PUSH EAX ; |s1
004421AF |. E8 C6010000 CALL <JMP.&CRTDLL.strcmp> ; strcmp
00441FBC /$ 55 PUSH EBP
00441FBD |. 8BEC MOV EBP,ESP
00441FBF |. 81EC 08010000 SUB ESP,108
00441FC5 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
00441FC8 |. 8D85 F8FEFFFF LEA EAX,DWORD PTR SS:[EBP-108]
00441FCE |. 50 PUSH EAX
00441FCF |. C745 FC 4C6947>MOV DWORD PTR SS:[EBP-4],WINIMAGE.004769>
00441FD6 |. E8 B5FFFFFF CALL WINIMAGE.00441F90 ;小写转换成大写
00441FDB |. 59 POP ECX
00441FDC |. 59 POP ECX
00441FDD |. 8D85 F8FEFFFF LEA EAX,DWORD PTR SS:[EBP-108]
00441FE3 |. 50 PUSH EAX ; /String
00441FE4 |. FF15 5C624400 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; lstrlenA
00441FEA |. 33C9 XOR ECX,ECX
00441FEC |. 85C0 TEST EAX,EAX
00441FEE |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ;字符串的个数送入全局变量保存
00441FF1 |. 7E 46 JLE SHORT WINIMAGE.00442039
00441FF3 |. 53 PUSH EBX
00441FF4 |. 56 PUSH ESI
00441FF5 |. 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8]
00441FF8 |. 57 PUSH EDI
00441FF9 |. 8DBD F8FEFFFF LEA EDI,DWORD PTR SS:[EBP-108]
00441FFF |. 83EF 03 SUB EDI,3
00442002 |> 8BC1 /MOV EAX,ECX
00442004 |. 6A 0E |PUSH 0E
00442006 |. 99 |CDQ
00442007 |. 5B |POP EBX
00442008 |. F7FB |IDIV EBX
0044200A |. 85D2 |TEST EDX,EDX
0044200C |. 75 03 |JNZ SHORT WINIMAGE.00442011
0044200E |. 6A 27 |PUSH 27
00442010 |. 5E |POP ESI
00442011 |> 8D41 03 |LEA EAX,DWORD PTR DS:[ECX+3] ;实际就是eax=ecx+3,供以后除法用,以后写注册机要注意的地方
00442014 |. 0FB61407 |MOVZX EDX,BYTE PTR DS:[EDI+EAX] ;按顺序取一个字符
00442018 |. 0FAFD6 |IMUL EDX,ESI
0044201B |. 0155 FC |ADD DWORD PTR SS:[EBP-4],EDX ;加到全局变量里面,即最后的结果
0044201E |. 6A 0E |PUSH 0E
00442020 |. 99 |CDQ
00442021 |. 5B |POP EBX
00442022 |. F7FB |IDIV EBX ;用到前面的EAX
00442024 |. 85D2 |TEST EDX,EDX
00442026 |. 74 05 |JE SHORT WINIMAGE.0044202D
00442028 |. 8D3476 |LEA ESI,DWORD PTR DS:[ESI+ESI*2]
0044202B |. EB 03 |JMP SHORT WINIMAGE.00442030
0044202D |> 6BF6 07 |IMUL ESI,ESI,7
00442030 |> 41 |INC ECX
00442031 |. 3B4D F8 |CMP ECX,DWORD PTR SS:[EBP-8] ;刚才保存的全局变量,即次数
00442034 |.^7C CC JL SHORT WINIMAGE.00442002
00442036 |. 5F POP EDI
00442037 |. 5E POP ESI
00442038 |. 5B POP EBX
00442039 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0044203C |. C9 LEAVE
0044203D . C3 RETN
下面是CALL WINIMAGE.0044203E的内容,即对EDI进行变换
0044203E /$ 55 PUSH EBP
0044203F |. 8BEC MOV EBP,ESP
00442041 |. 83EC 10 SUB ESP,10
00442044 |. 56 PUSH ESI
00442045 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; /<%lX>
00442048 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; |
0044204B |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; |
0044204E |. 68 48B34400 PUSH WINIMAGE.0044B348 ; |Format = "%lX"
00442053 |. 50 PUSH EAX ; |s
00442054 |. FF15 D4644400 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; wsprintfA
0044205A |. 8A45 F0 MOV AL,BYTE PTR SS:[EBP-10]
0044205D |. 83C4 0C ADD ESP,0C
00442060 |. 84C0 TEST AL,AL
00442062 |. 74 1D JE SHORT WINIMAGE.00442081
00442064 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00442067 |. 2BCE SUB ECX,ESI
00442069 |> 3C 38 /CMP AL,38
0044206B |. 75 04 |JNZ SHORT WINIMAGE.00442071
0044206D |. 04 0A |ADD AL,0A
0044206F |. EB 06 |JMP SHORT WINIMAGE.00442077
00442071 |> 3C 42 |CMP AL,42
00442073 |. 75 02 |JNZ SHORT WINIMAGE.00442077
00442075 |. 04 F6 |ADD AL,0F6
00442077 |> 8806 |MOV BYTE PTR DS:[ESI],AL ;将变换后的al保存,
00442079 |. 46 |INC ESI
0044207A |. 8A0431 |MOV AL,BYTE PTR DS:[ECX+ESI]
0044207D |. 84C0 |TEST AL,AL
0044207F |.^75 E8 JNZ SHORT WINIMAGE.00442069
00442081 |> 8026 00 AND BYTE PTR DS:[ESI],0
00442084 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00442087 |. 5E POP ESI
00442088 |. C9 LEAVE
00442089 . C3 RETN
下面给出注册机的关键部分(摘用以前的模板,有的定义的变量没有删除,由于没有使用,所以也不影响):
Generate proc hWnd
local TempName[120]:byte
local MiMa[50]:byte
pushad
lea edi,KeyName
invoke lstrlen, addr KeyName
mov nLen,eax
invoke strupr ;小写转换成大写,MASM32里面没有所以要自己写
mov dNum,47694CH ;送入全局变量以后相加使用
xor edi,edi
xor ecx,ecx
@1: mov eax,ecx
push 0EH
cdq
pop ebx
idiv ebx
test edx,edx
jnz @2
push 27H
pop esi
@2: lea eax,KeyName
movzx edx,byte ptr [eax+ecx]
mov eax,ecx ;原来的顺序
add eax,3 ;加上3供除法使用,这两句较关键,后面的除法使用的
imul edx,esi
add dNum,edx
push 0EH
cdq
pop ebx
idiv ebx
test edx,edx
jz @3
lea esi,dword ptr [esi+esi*2]
jmp @4
@3: imul esi,esi,7
@4: inc ecx
cmp ecx,nLen
jnz @1
;处理dNum了!
invoke wsprintf,addr KKeyReg,addr formats,dNum ;以指定格式输出
invoke lstrcpy,addr KeyName,addr KKeyReg
invoke strupr ;要进行转换
;invoke GetCall,0 ;第1个注册码
;invoke GetCall,14051948H ;第2个注册码
;invoke GetCall,17061954H ;第3个注册码
;invoke GetCall,10051981H ;第4个注册码
;invoke GetCall,4011995H ;第5个注册码
invoke GetCall,2061997H ;第6个注册码
invoke SetDlgItemText,hWnd,REGKEY,addr KeyName
popad
ret
Generate endp
下面是GetCall部分:
GetCall proc Arg1
pushad
mov eax,dNum
add eax,Arg1
mov Num,eax
invoke wsprintf,addr KKeyReg,addr formats,Num
invoke lstrcpy,addr KeyName,addr KKeyReg
invoke strupr
invoke lstrlen,addr KeyName
mov ebx,eax
lea esi,KeyName
@9: mov al,[esi]
cmp al,38H
jnz @5
add al,0aH
jmp @8
@5: cmp al,42H
jnz @8
add al,0F6H
@8: mov [esi],al
inc esi
dec ebx
jnz @9
popad
ret
GetCall endp
这个软件就是好,有6个注册码!^_^,我的是:
Name:dengkeng[DFCG]
Registration code:1868E99D 2F7102E5 327202F1 2871031E 1F6D0332 1D720334
你可以选上面的6个注册码的任意一个注册,注册成功了以后信息写入:
HKEY_USERS\.DEFAULT\Software\WinImage\CodeRegistered
HKEY_USERS\.DEFAULT\Software\WinImage\NameRegistered
Made By dengkeng[DFCG][YCG]
E-mail:shellc0de@sohu.com
欢迎转载,请保持文章的完整性