一鼓作气,申请加入FCG之三-AlertSpy V1.08分析

标题：一鼓作气,申请加入FCG之三-AlertSpy V1.08分析
作者：winndy
时间：2005-04-29 02:09
链接：http://bbs.pediy.com/showthread.php?threadid=13239

AlertSpy V1.08注册分析
【破解作者】 winndy
【作者邮箱】 CNwinndy@hotmail.com
【使用工具】 PEID v0.93  OllyDbg v1.10 fly修改版
【破解平台】 Winxp SP2
【软件名称】 AlertSpy V1.08
【官方网址】 http://www.alertspy.com/
【编写语言】 Microsoft Visual C++ 7.0
【破解声明】 For Study ,For Fun,
【破解说明】无壳,标准MD5算法,失误之处还望指出
【破解过程】 PEID查壳,Microsoft Visual C++ 7.0 [Debug]。

             Registration name：CNwinndy，Registration code：1234567890。点OK，出现一个label，显示
             "Given regustration key was not recognized by the software".

OD载入,反键,"搜索"--"所有参考文本串"，

00405358   push AlertSpy.0045EB18 ASCII "Given registration key was not recognized by the software. Connect software

distributor and retrieve valid key."
0040C00C   push AlertSpy.0046012C ASCII "Thank you for purchasing AlertSpy!"

0040F05D   push AlertSpy.00460CAC  ASCII "Registration Name"
0040F08C   push AlertSpy.00460C98  ASCII "Registration Key"

00410B61  push AlertSpy.00460CAC   ASCII "Registration Name"
00410B9E  push AlertSpy.00460C98   ASCII "Registration Key"

全部下断。

回到CPU窗口，BPX getdlgitem,出现Intermodular calls，点"目标"，按照字母顺序排序，便于查找函数，然后在USER32.GetDlgItem处全部下

断，
00421C3F call dword ptr ds:[<&USER32.GetDlgItem>]   USER32.GetDlgItem
00428725 call dword ptr ds:[<&USER32.GetDlgItem>]   USER32.GetDlgItem
0043BB9B call dword ptr ds:[<&USER32.GetDlgItem>]   USER32.GetDlgItem
0043DCFD call dword ptr ds:[<&USER32.GetDlgItem>]   USER32.GetDlgItem
0043DD21 call dword ptr ds:[<&USER32.GetDlgItem>]   USER32.GetDlgItem
0043F6F9 call dword ptr ds:[<&USER32.GetDlgItem>]   USER32.GetDlgItem

0043C6F4 call dword ptr ds:[<&USER32.GetWindowTextA>] USER32.GetWindowTextA
0043E47F call dword ptr ds:[<&USER32.GetWindowTextA>] USER32.GetWindowTextA
004472A2 call dword ptr ds:[<&USER32.GetWindowTextA>] USER32.GetWindowTextA
0044D987 call dword ptr ds:[<&USER32.GetWindowTextA>] USER32.GetWindowTextA
0043C6DC call dword ptr ds:[<&USER32.GetWindowTextA>] USER32.GetWindowTextA
0044D958 call dword ptr ds:[<&USER32.GetWindowTextA>] USER32.GetWindowTextA
顺便把&USER32.GetWindowTextLengthA也下了。

差不多了吧。拦截不到的话再想办法下其他断点。
F9运行，首先中断USER32.GetDlgItem，F9运行，后来多次中断在此，F2取消断点，
快点杀进主程序。进入主界面之前遇到的USER32.GetDlgItem，USER32.GetWindowTextA都取消断点。

点击工具栏上的register，中断在
00410B61   |.  68 AC0C4600        push AlertSpy.00460CAC                                    ;  ASCII "Registration Name"
可以发现，"Registration Name"是注册窗口上的一个label，现在注册窗口都没看到便中断了，显然这里是在初始化窗口。
往上看，在这段程序的入口下断：
00410AF0   /$  6A FF              push -1

F9运行，到出现注册画面为止，Registration name：CNwinndy，Registration code：1234567890。点OK，中断：
0043C6DC   |.  FF15 80D54500      call dword ptr ds:[<&USER32.GetWindowTextLengthA>]        ; \GetWindowTextLengthA

0043C6D0   /$  56                 push esi
0043C6D1   |.  8BF1               mov esi,ecx
0043C6D3   |.  837E 4C 00         cmp dword ptr ds:[esi+4C],0
0043C6D7   |.  75 30              jnz short AlertSpy.0043C709
0043C6D9   |.  FF76 1C            push dword ptr ds:[esi+1C]                                ; /hWnd
0043C6DC   |.  FF15 80D54500      call dword ptr ds:[<&USER32.GetWindowTextLengthA>]        ; \GetWindowTextLengthA
   ；eax=00000008，ecx=00000008，这是用户名长度
0043C6E2   |.  8D48 01            lea ecx,dword ptr ds:[eax+1]                ；ecx=00000009，这是用户名长度+1(字符串结束

符'\0'),用作Buffer长度
0043C6E5   |.  51                 push ecx
0043C6E6   |.  8B4C24 0C          mov ecx,dword ptr ss:[esp+C]
0043C6EA   |.  50                 push eax
0043C6EB   |.  E8 8438FEFF        call AlertSpy.0041FF74
0043C6F0   |.  50                 push eax                                                  ; |Buffer
0043C6F1   |.  FF76 1C            push dword ptr ds:[esi+1C]                                ; |hWnd
0043C6F4   |.  FF15 84D54500      call dword ptr ds:[<&USER32.GetWindowTextA>]              ; \GetWindowTextA
0043C6FA   |.  8B4C24 08          mov ecx,dword ptr ss:[esp+8]

；eax=000000008，长度
；d [ecx]  ，这是用户名
；00C16078  43 4E 77 69 6E 6E 64 79  CNwinndy
；00C16080  00                       .

0043C6FE   |.  6A FF              push -1
0043C700   |.  E8 4B92FCFF        call AlertSpy.00405950

；EAX 00000008
；ECX 00C16078 ASCII "CNwinndy"
；EDX 00C16078 ASCII "CNwinndy"

0043C705   |.  5E                 pop esi
0043C706   |.  C2 0400            retn 4

回到这里：
0040532B    .  8D4C24 04          lea ecx,dword ptr ss:[esp+4]
前面是一个call，在这个call前下断(没太大必要，个人爱好)

这段的完整程序：
004052D0    .  6A FF              push -1
004052D2    .  68 609D4500        push AlertSpy.00459D60                                    ;  SE handler installation
004052D7    .  64:A1 00000000     mov eax,dword ptr fs:[0]
004052DD    .  50                 push eax
004052DE    .  64:8925 00000000   mov dword ptr fs:[0],esp
004052E5    .  83EC 0C            sub esp,0C
004052E8    .  56                 push esi
004052E9    .  8BF1               mov esi,ecx
004052EB    .  E8 BC970300        call AlertSpy.0043EAAC
004052F0    .  8B10               mov edx,dword ptr ds:[eax]
004052F2    .  8BC8               mov ecx,eax
004052F4    .  FF52 0C            call dword ptr ds:[edx+C]
004052F7    .  83C0 10            add eax,10
004052FA    .  894424 08          mov dword ptr ss:[esp+8],eax
004052FE    .  C74424 18 00000000 mov dword ptr ss:[esp+18],0
00405306    .  E8 A1970300        call AlertSpy.0043EAAC
0040530B    .  8B10               mov edx,dword ptr ds:[eax]
0040530D    .  8BC8               mov ecx,eax
0040530F    .  FF52 0C            call dword ptr ds:[edx+C]
00405312    .  83C0 10            add eax,10
00405315    .  894424 04          mov dword ptr ss:[esp+4],eax
00405319    .  8D4424 08          lea eax,dword ptr ss:[esp+8]
0040531D    .  50                 push eax
0040531E    .  8D4E 70            lea ecx,dword ptr ds:[esi+70]
00405321    .  C64424 1C 01       mov byte ptr ss:[esp+1C],1
00405326    .  E8 A5730300        call AlertSpy.0043C6D0             //用<&USER32.GetWindowTextA>取用户名
0040532B    .  8D4C24 04          lea ecx,dword ptr ss:[esp+4]
0040532F    .  51                 push ecx
00405330    .  8D8E C0000000      lea ecx,dword ptr ds:[esi+C0]
00405336    .  E8 95730300        call AlertSpy.0043C6D0             //这个call就是//用<&USER32.GetWindowTextA>取注册码
0040533B    .  8B5424 04          mov edx,dword ptr ss:[esp+4]
0040533F    .  8B4424 08          mov eax,dword ptr ss:[esp+8]

；EAX 00C16078 ASCII "CNwinndy"
；
；EDX 024D2BC8 ASCII "1234567890"

00405343    .  52                 push edx                          //看到压入的是什么了吧
00405344    .  50                 push eax
00405345    .  E8 B6B60000        call AlertSpy.00410A00            //不可放过，见后面的[主分析]
0040534A    .  83C4 08            add esp,8
0040534D    .  84C0               test al,al                         //al是标志，al=0则注册码错误，因此上面那个唯一的call就是

全部啦
0040534F    .  75 1A              jnz short AlertSpy.0040536B
00405351    .  51                 push ecx
00405352    .  8BCC               mov ecx,esp
00405354    .  896424 10          mov dword ptr ss:[esp+10],esp
00405358    .  68 18EB4500        push AlertSpy.0045EB18                                    ;  ASCII "Given registration key

was not recognized by the software. Connect software distributor and retrieve valid key."
0040535D    .  E8 6EE4FFFF        call AlertSpy.004037D0
00405362    .  8BCE               mov ecx,esi
00405364    .  E8 77FDFFFF        call AlertSpy.004050E0
00405369    .  EB 1C              jmp short AlertSpy.00405387

0040536B    >  8B4424 04          mov eax,dword ptr ss:[esp+4]                               ；成功了跳这里
0040536F    .  8B4C24 08          mov ecx,dword ptr ss:[esp+8]
00405373    .  50                 push eax
00405374    .  51                 push ecx
00405375    .  E8 869C0000        call AlertSpy.0040F000
0040537A    .  8B16               mov edx,dword ptr ds:[esi]
0040537C    .  83C4 08            add esp,8
0040537F    .  8BCE               mov ecx,esi
00405381    .  FF92 4C010000      call dword ptr ds:[edx+14C]
00405387    >  8B4424 04          mov eax,dword ptr ss:[esp+4]                              ;  code
0040538B    .  83C0 F0            add eax,-10
0040538E    .  C64424 18 00       mov byte ptr ss:[esp+18],0
00405393    .  8D48 0C            lea ecx,dword ptr ds:[eax+C]
00405396    .  83CA FF            or edx,FFFFFFFF
00405399    .  F0:0FC111          lock xadd dword ptr ds:[ecx],edx
0040539D    .  4A                 dec edx
0040539E    .  85D2               test edx,edx
004053A0    .  7F 08              jg short AlertSpy.004053AA
004053A2    .  8B08               mov ecx,dword ptr ds:[eax]
004053A4    .  8B11               mov edx,dword ptr ds:[ecx]
004053A6    .  50                 push eax
004053A7    .  FF52 04            call dword ptr ds:[edx+4]
004053AA    >  8B4424 08          mov eax,dword ptr ss:[esp+8]                              ;  name
004053AE    .  83C0 F0            add eax,-10
004053B1    .  C74424 18 FFFFFFFF mov dword ptr ss:[esp+18],-1
004053B9    .  8D48 0C            lea ecx,dword ptr ds:[eax+C]
004053BC    .  83CA FF            or edx,FFFFFFFF
004053BF    .  F0:0FC111          lock xadd dword ptr ds:[ecx],edx
004053C3    .  4A                 dec edx
004053C4    .  85D2               test edx,edx
004053C6    .  7F 08              jg short AlertSpy.004053D0
004053C8    .  8B08               mov ecx,dword ptr ds:[eax]
004053CA    .  8B11               mov edx,dword ptr ds:[ecx]
004053CC    .  50                 push eax
004053CD    .  FF52 04            call dword ptr ds:[edx+4]
004053D0    >  8B4C24 10          mov ecx,dword ptr ss:[esp+10]
004053D4    .  64:890D 00000000   mov dword ptr fs:[0],ecx
004053DB    .  5E                 pop esi
004053DC    .  83C4 18            add esp,18
004053DF    .  C3                 retn
004053E0    .  B8 D0EE4500        mov eax,AlertSpy.0045EED0                                 ;  ASCII "祛E"
004053E5    .  C3                 retn

============================================================================================================
[主分析]
00410A00   /$  6A FF              push -1
00410A02   |.  68 A0A84500        push AlertSpy.0045A8A0                                    ;  SE handler installation
00410A07   |.  64:A1 00000000     mov eax,dword ptr fs:[0]
00410A0D   |.  50                 push eax
00410A0E   |.  64:8925 00000000   mov dword ptr fs:[0],esp
00410A15   |.  83EC 08            sub esp,8
00410A18   |.  8B4424 1C          mov eax,dword ptr ss:[esp+1C]
00410A1C   |.  53                 push ebx
00410A1D   |.  56                 push esi
00410A1E   |.  50                 push eax
00410A1F   |.  8D4C24 0C          lea ecx,dword ptr ss:[esp+C]

//看看压入的是什么参数
EAX 024D2BC8 ASCII "1234567890"
ECX 0012EDBC
EDX 024D2BC8 ASCII "1234567890"
EBX 00000111
ESP 0012EDB0
EBP 0012EE04
ESI 0012F3B4 ASCII "x镋"

00410A23   |.  E8 68BCFFFF        call AlertSpy.0040C690                       ；进去大致观察了一下，
00410A28   |.  8B4C24 20          mov ecx,dword ptr ss:[esp+20]                ；ECX 00C16078 ASCII "CNwinndy"
00410A2C   |.  51                 push ecx
00410A2D   |.  8D5424 10          lea edx,dword ptr ss:[esp+10]                ；edx=0012EDC0
00410A31   |.  52                 push edx
00410A32   |.  C74424 20 00000000 mov dword ptr ss:[esp+20],0                   ；esp+20=0012EDCC
00410A3A   |.  E8 E1F2FFFF        call AlertSpy.0040FD20                       ；跟进去，见[分析一]，看完后，再回过来接着往下

00410A3F   |.  8BF0               mov esi,eax                                  ；回这里，
00410A41   |.  8D4424 10          lea eax,dword ptr ss:[esp+10]
00410A45   |.  50                 push eax
00410A46   |.  C64424 24 01       mov byte ptr ss:[esp+24],1
00410A4B   |.  E8 A0EEFFFF        call AlertSpy.0040F8F0                       ；F8跳过
00410A50   |.  8B36               mov esi,dword ptr ds:[esi]                   ；ESI 001EA300 ASCII "7GFEGIF67WNAN5VW"
00410A52   |.  8B00               mov eax,dword ptr ds:[eax]                   ；EAX 001EA2C8 ASCII "12346789"
00410A54   |.  83C4 0C            add esp,0C                           ；注意上面不是"1234567890",但"当我们输

入"1234567890abcdef"时，这里就和输入的一样
00410A57   |.  56                 push esi                                                  ; /String2
00410A58   |.  50                 push eax                                                  ; |String1
00410A59   |.  FF15 34D34500      call dword ptr ds:[<&KERNEL32.lstrcmpA>]                  ; \lstrcmpA  ****校验注册码，easy

！
00410A5F   |.  8BD8               mov ebx,eax                          ；不相同则EAX FFFFFFFF，否则EAX 00000000，到这为止算法

已基本清楚，F9下去，回到注册画面
00410A61   |.  8B4424 0C          mov eax,dword ptr ss:[esp+C]
00410A65   |.  F7DB               neg ebx
00410A67   |.  1ADB               sbb bl,bl
00410A69   |.  83C0 F0            add eax,-10
00410A6C   |.  83CE FF            or esi,FFFFFFFF
00410A6F   |.  FEC3               inc bl
00410A71   |.  C64424 18 00       mov byte ptr ss:[esp+18],0
00410A76   |.  8D48 0C            lea ecx,dword ptr ds:[eax+C]
00410A79   |.  8BD6               mov edx,esi
00410A7B   |.  F0:0FC111          lock xadd dword ptr ds:[ecx],edx
00410A7F   |.  4A                 dec edx
00410A80   |.  85D2               test edx,edx
00410A82   |.  7F 08              jg short AlertSpy.00410A8C
00410A84   |.  8B08               mov ecx,dword ptr ds:[eax]
00410A86   |.  8B11               mov edx,dword ptr ds:[ecx]
00410A88   |.  50                 push eax
00410A89   |.  FF52 04            call dword ptr ds:[edx+4]
00410A8C   |>  8B4424 08          mov eax,dword ptr ss:[esp+8]
00410A90   |.  83C0 F0            add eax,-10
00410A93   |.  897424 18          mov dword ptr ss:[esp+18],esi
00410A97   |.  8D48 0C            lea ecx,dword ptr ds:[eax+C]
00410A9A   |.  F0:0FC131          lock xadd dword ptr ds:[ecx],esi
00410A9E   |.  4E                 dec esi
00410A9F   |.  84DB               test bl,bl
00410AA1   |.  74 1F              je short AlertSpy.00410AC2
00410AA3   |.  85F6               test esi,esi
00410AA5   |.  7F 08              jg short AlertSpy.00410AAF
00410AA7   |.  8B08               mov ecx,dword ptr ds:[eax]
00410AA9   |.  8B11               mov edx,dword ptr ds:[ecx]
00410AAB   |.  50                 push eax
00410AAC   |.  FF52 04            call dword ptr ds:[edx+4]
00410AAF   |>  5E                 pop esi
00410AB0   |.  B0 01              mov al,1
00410AB2   |.  5B                 pop ebx
00410AB3   |.  8B4C24 08          mov ecx,dword ptr ss:[esp+8]
00410AB7   |.  64:890D 00000000   mov dword ptr fs:[0],ecx
00410ABE   |.  83C4 14            add esp,14
00410AC1   |.  C3                 retn
00410AC2   |>  85F6               test esi,esi
00410AC4   |.  7F 08              jg short AlertSpy.00410ACE
00410AC6   |.  8B08               mov ecx,dword ptr ds:[eax]
00410AC8   |.  8B11               mov edx,dword ptr ds:[ecx]
00410ACA   |.  50                 push eax
00410ACB   |.  FF52 04            call dword ptr ds:[edx+4]
00410ACE   |>  8B4C24 10          mov ecx,dword ptr ss:[esp+10]
00410AD2   |.  5E                 pop esi
00410AD3   |.  32C0               xor al,al
00410AD5   |.  5B                 pop ebx
00410AD6   |.  64:890D 00000000   mov dword ptr fs:[0],ecx
00410ADD   |.  83C4 14            add esp,14
00410AE0   \.  C3                 retn

===========================================================================================================
[分析一]

0040FD20    $  6A FF              push -1
0040FD22    .  68 A8A74500        push AlertSpy.0045A7A8                                    ;  SE handler installation
0040FD27    .  64:A1 00000000     mov eax,dword ptr fs:[0]
0040FD2D    .  50                 push eax
0040FD2E    .  64:8925 00000000   mov dword ptr fs:[0],esp
0040FD35    .  83EC 78            sub esp,78
0040FD38    .  A1 44564700        mov eax,dword ptr ds:[475644]
0040FD3D    .  53                 push ebx
0040FD3E    .  55                 push ebp
0040FD3F    .  56                 push esi
0040FD40    .  898424 80000000    mov dword ptr ss:[esp+80],eax
0040FD47    .  8D4424 28          lea eax,dword ptr ss:[esp+28]
0040FD4B    .  57                 push edi
0040FD4C    .  33DB               xor ebx,ebx
0040FD4E    .  50                 push eax
0040FD4F    .  895C24 18          mov dword ptr ss:[esp+18],ebx
0040FD53    .  E8 786E0000        call AlertSpy.00416BD0
0040FD58    .  8BB424 A0000000    mov esi,dword ptr ss:[esp+A0]
0040FD5F    .  8BEE               mov ebp,esi
0040FD61    .  83C4 04            add esp,4
0040FD64    .  8D4D 01            lea ecx,dword ptr ss:[ebp+1]
0040FD67    >  8A45 00            mov al,byte ptr ss:[ebp]
0040FD6A    .  45                 inc ebp
0040FD6B    .  84C0               test al,al
0040FD6D    .^ 75 F8              jnz short AlertSpy.0040FD67
0040FD6F    .  2BE9               sub ebp,ecx
0040FD71    .  55                 push ebp
0040FD72    .  E8 9EEC0200        call AlertSpy.0043EA15
0040FD77    .  8BCD               mov ecx,ebp
0040FD79    .  8BD1               mov edx,ecx
0040FD7B    .  C1E9 02            shr ecx,2
0040FD7E    .  8BF8               mov edi,eax
0040FD80    .  F3:A5              rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040FD82    .  8BCA               mov ecx,edx
0040FD84    .  83E1 03            and ecx,3
0040FD87    .  F3:A4              rep movs byte ptr es:[edi],byte ptr ds:[esi]
0040FD89    .  83C4 04            add esp,4
0040FD8C    .  33C9               xor ecx,ecx
0040FD8E    .  3BEB               cmp ebp,ebx
0040FD90    .  894424 14          mov dword ptr ss:[esp+14],eax
0040FD94    .  76 09              jbe short AlertSpy.0040FD9F                           ；没有跳
0040FD96    >  803401 83          xor byte ptr ds:[ecx+eax],83            ***VERY IMPORTANT***

//EAX 00C1FFE8 ASCII "CNwinndy"
//ECX 00000000    这个是计数器

0040FD9A    .  41                 inc ecx    //处理下一个字符
0040FD9B    .  3BCD               cmp ecx,ebp   //ebp=0008，是用户名的长度
0040FD9D    .^ 72 F7              jb short AlertSpy.0040FD96   ；这段循环将用户名的每个字符XOR 0x83

0040FD9F    >  55                 push ebp   //EBP 00000008  用户名长度
0040FDA0    .  50                 push eax  //EAX 00C1FFE8    C0 CD F4 EA ED ED E7 FA  劳絷眄琥
0040FDA1    .  8D4424 34          lea eax,dword ptr ss:[esp+34]

///D  EAX
；0012ED40  01 23 45 67 89 AB CD EF  #Eg壂惋  ==>又看到了很熟悉的....没错，就是她了
；0012ED48  FE DC BA 98 76 54 32 10  簶vT2

0040FDA5    .  50                 push eax
0040FDA6    .  E8 D5760000        call AlertSpy.00417480        ；懒得跟进去了，要是结果和猜测的不一样再进去看
0040FDAB    .  8D4C24 28          lea ecx,dword ptr ss:[esp+28]
0040FDAF    .  51                 push ecx                      ；ECX 0012ED30
0040FDB0    .  8D5424 3C          lea edx,dword ptr ss:[esp+3C]
0040FDB4    .  52                 push edx                     ；EDX 0012ED40

；D ECX
；0012ED30  EB 06 93 7C F4 70 43 00  ?搢魀C.
；0012ED38  00 00 16 00 60 00 00 40  ...`..@
；0012ED40  01 23 45 67 89 AB CD EF  #Eg壂惋
；0012ED48  FE DC BA 98 76 54 32 10  簶vT2

0040FDB5    .  E8 96770000        call AlertSpy.00417550

；懒得进去，盯着内存看，估计下一步要padding了吧，F8一过去，内存刷新了一大片，

；0012ED30  D8 2A B1 86 20 37 31 4B  ?眴 71K  ===\这是HASH出来的值，标准MD5算法，HoOoOoO....
；0012ED38  F8 0D 92 A5 2B 5E 75 0E  ?挜+^u  ===/
；0012ED40  00 00 00 00 20 37 31 4B  .... 71K
；0012ED48  F8 0D 92 A5 2B 5E 75 0E  ?挜+^u

0040FDBA    .  A1 F88A4700        mov eax,dword ptr ds:[478AF8]   ；EAX 00469960
0040FDBF    .  83C4 14            add esp,14
0040FDC2    .  B9 F88A4700        mov ecx,AlertSpy.00478AF8       ；ECX 00478AF8 AlertSpy.00478AF8
0040FDC7    .  FF50 0C            call dword ptr ds:[eax+C]       ；F8跳过
0040FDCA    .  8D70 10            lea esi,dword ptr ds:[eax+10]   ；ESI 00478B10 AlertSpy.00478B10
0040FDCD    .  897424 18          mov dword ptr ss:[esp+18],esi   ；esp+18=0012ED2C
0040FDD1    .  899C24 90000000    mov dword ptr ss:[esp+90],ebx   ；EBX 00000000  esp+90=0012EDA4

Begin LOOP

0040FDD8    >  8A441C 1C          mov al,byte ptr ss:[esp+ebx+1C] ；EBX是计数器，esp+1C=0012ED30

；d [esp+1C]
；0012ED30  D8 2A B1 86 20 37 31 4B  ?眴 71K   ===〉MD5 HASH
；0012ED38  F8 0D 92 A5 2B 5E 75 0E  ?挜+^u
；0012ED40  00 00 00 00              ....

0040FDDC    .  33C9               xor ecx,ecx
0040FDDE    .  34 A6              xor al,0A6
0040FDE0    .  8ACB               mov cl,bl
0040FDE2    .  0FB6D0             movzx edx,al
0040FDE5    .  88441C 1C          mov byte ptr ss:[esp+ebx+1C],al ；取出的hash byte经过运算后再写回
0040FDE9    .  A1 E8404700        mov eax,dword ptr ds:[4740E8]  ；EAX 00460AE8 ASCII "ABCDEFGHIJKLMNPQRSTUVWXYZ2345679"，这

是常数串
0040FDEE    .  8B6E F4            mov ebp,dword ptr ds:[esi-C]   ；ebp=0，esi-c=00478B04
0040FDF1    .  83E1 03            and ecx,3
0040FDF4    .  D3EA               shr edx,cl
0040FDF6    .  8D7D 01            lea edi,dword ptr ss:[ebp+1]   ；edi=1，这一句即为edi++，edi为计数器
0040FDF9    .  83E2 1F            and edx,1F
0040FDFC    .  8A0C02             mov cl,byte ptr ds:[edx+eax]   ；eax为常数串首地址，edx为index，取一个字符
0040FDFF    .  8B46 FC            mov eax,dword ptr ds:[esi-4]   ；eax=000002D7，esi-4=00478B0C
0040FE02    .  884C24 10          mov byte ptr ss:[esp+10],cl    ；esp+10=0012ED24，这是注册码的首地址
0040FE06    .  B9 01000000        mov ecx,1
0040FE0B    .  2BC8               sub ecx,eax                    ；
0040FE0D    .  8B46 F8            mov eax,dword ptr ds:[esi-8]   ；esi-8=00478B08，eax=00000000
0040FE10    .  2BC7               sub eax,edi                    ；edi=00000001
0040FE12    .  0BC1               or eax,ecx                     ；
0040FE14    .  7D 0E              jge short AlertSpy.0040FE24    ；没有跳
0040FE16    .  57                 push edi                       ；00000001
0040FE17    .  8D4C24 1C          lea ecx,dword ptr ss:[esp+1C]  ；0012ED2C
0040FE1B    .  E8 301DFFFF        call AlertSpy.00401B50         ；F8
0040FE20    .  8B7424 18          mov esi,dword ptr ss:[esp+18]  ；esi=001EA300
0040FE24    >  85FF               test edi,edi                   ；edi=00000001
0040FE26    .  8A5424 10          mov dl,byte ptr ss:[esp+10]    ；esp+10=0012ED24，这是注册码的首地址
0040FE2A    .  88142E             mov byte ptr ds:[esi+ebp],dl   ；保存注册码，ebp=0，计数器，esi为地址
0040FE2D    .  7C 45              jl short AlertSpy.0040FE74     ；没跳
0040FE2F    .  3B7E F8            cmp edi,dword ptr ds:[esi-8]   ；esi-8=001EA2F8，[esi-8]=00000007
0040FE32    .  7F 40              jg short AlertSpy.0040FE74     ；没有跳
0040FE34    .  43                 inc ebx                        ；计数器++，准备下一轮循环
0040FE35    .  83FB 10            cmp ebx,10                     ；可以结束否
0040FE38    .  897E F4            mov dword ptr ds:[esi-C],edi   ；esi-C=001EA2F4，0=>1,保存计数器
0040FE3B    .  C60437 00          mov byte ptr ds:[edi+esi],0    ；edi为注册码长度+1，置字符串结尾符\0,esi为注册码首地址
0040FE3F    .^ 72 97              jb short AlertSpy.0040FDD8     ；往上跳

END LOOP

循环结束后：
EAX 001EA300 ASCII "7GFEGIF67WNAN5VW"  ===>>>>WooooWaaaaaa,这就是注册码了

0040FE41    .  8B4424 14          mov eax,dword ptr ss:[esp+14]
0040FE45    .  50                 push eax
0040FE46    .  E8 C5EB0200        call AlertSpy.0043EA10        ；F8跳过再说
0040FE4B    .  8B4E F0            mov ecx,dword ptr ds:[esi-10]
0040FE4E    .  8B11               mov edx,dword ptr ds:[ecx]
0040FE50    .  8D5E F0            lea ebx,dword ptr ds:[esi-10]
0040FE53    .  83C4 04            add esp,4
0040FE56    .  FF52 10            call dword ptr ds:[edx+10]   ；F8跳过再说
0040FE59    .  8B53 0C            mov edx,dword ptr ds:[ebx+C]
0040FE5C    .  85D2               test edx,edx
0040FE5E    .  8D4B 0C            lea ecx,dword ptr ds:[ebx+C]
0040FE61    .  7C 1B              jl short AlertSpy.0040FE7E
0040FE63    .  3B03               cmp eax,dword ptr ds:[ebx]
0040FE65    .  75 17              jnz short AlertSpy.0040FE7E
0040FE67    .  8BC3               mov eax,ebx
0040FE69    .  BA 01000000        mov edx,1
0040FE6E    .  F0:0FC111          lock xadd dword ptr ds:[ecx],edx
0040FE72    .  EB 3D              jmp short AlertSpy.0040FEB1
0040FE74    >  68 57000780        push 80070057
0040FE79    .  E8 5218FFFF        call AlertSpy.004016D0
0040FE7E    >  8B4B 04            mov ecx,dword ptr ds:[ebx+4]
0040FE81    .  8B10               mov edx,dword ptr ds:[eax]
0040FE83    .  6A 01              push 1
0040FE85    .  51                 push ecx
0040FE86    .  8BC8               mov ecx,eax
0040FE88    .  FF12               call dword ptr ds:[edx]
0040FE8A    .  85C0               test eax,eax
0040FE8C    .  75 05              jnz short AlertSpy.0040FE93
0040FE8E    .^ E9 0D19FFFF        jmp AlertSpy.004017A0
0040FE93    >  8B53 04            mov edx,dword ptr ds:[ebx+4]
0040FE96    .  8950 04            mov dword ptr ds:[eax+4],edx
0040FE99    .  8B4B 04            mov ecx,dword ptr ds:[ebx+4]
0040FE9C    .  41                 inc ecx
0040FE9D    .  8BD1               mov edx,ecx
0040FE9F    .  C1E9 02            shr ecx,2
0040FEA2    .  8D73 10            lea esi,dword ptr ds:[ebx+10]
0040FEA5    .  8D78 10            lea edi,dword ptr ds:[eax+10]
0040FEA8    .  F3:A5              rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040FEAA    .  8BCA               mov ecx,edx
0040FEAC    .  83E1 03            and ecx,3
0040FEAF    .  F3:A4              rep movs byte ptr es:[edi],byte ptr ds:[esi]

0040FEB1    >  8BB424 98000000    mov esi,dword ptr ss:[esp+98]
0040FEB8    .  83C0 10            add eax,10
0040FEBB    .  8906               mov dword ptr ds:[esi],eax  ；EAX 001EA300 ASCII "7GFEGIF67WNAN5VW"  ||  ESI 0012EDC0
0040FEBD    .  C78424 90000000 FF>mov dword ptr ss:[esp+90],-1
0040FEC8    .  8D43 0C            lea eax,dword ptr ds:[ebx+C]
0040FECB    .  83C9 FF            or ecx,FFFFFFFF
0040FECE    .  F0:0FC108          lock xadd dword ptr ds:[eax],ecx
0040FED2    .  49                 dec ecx
0040FED3    .  85C9               test ecx,ecx
0040FED5    .  7F 08              jg short AlertSpy.0040FEDF
0040FED7    .  8B0B               mov ecx,dword ptr ds:[ebx]
0040FED9    .  8B11               mov edx,dword ptr ds:[ecx]
0040FEDB    .  53                 push ebx
0040FEDC    .  FF52 04            call dword ptr ds:[edx+4]
0040FEDF    >  8B8C24 88000000    mov ecx,dword ptr ss:[esp+88]
0040FEE6    .  5F                 pop edi
0040FEE7    .  8BC6               mov eax,esi
0040FEE9    .  5E                 pop esi
0040FEEA    .  5D                 pop ebp
0040FEEB    .  64:890D 00000000   mov dword ptr fs:[0],ecx
0040FEF2    .  8B4C24 78          mov ecx,dword ptr ss:[esp+78]
0040FEF6    .  5B                 pop ebx
0040FEF7    .  E8 5FA60100        call AlertSpy.0042A55B
0040FEFC    .  81C4 84000000      add esp,84
0040FF02    .  C3                 retn   ；回到00410A3F  见上面的代码

===============================================================================================

【算法总结】输入长度不为0的用户名，然后把用户名的每个字符XOR 0x83，然后采用标准MD5算法来XOR，得到HASH值，
             每次取一个byte，进行运算，然后查表"ABCDEFGHIJKLMNPQRSTUVWXYZ2345679",16轮循环完毕，便得到长为16的注册码。

            注册成功以后，注册码保存在注册表，HKEY_LOCAL_MACHINE\SOFTWARE\Mandel Enterprises\AlertSpy，Registration Name，

Registration Key下。

             注册机有WIN32ASM写的，采用Canterwood的模版，感谢！第一次用汇编写注册机，感觉真好。
             注册机还有VB6写的，VC6写的，Delphi 7版的。
             一点小说明，以前除VB6写的注册机对用户名长度没有小于64的限制外，其他都有限制，今天写文章再次调试纠正了这个错误，

注册机
             里的错误我就不改了。
【Greetings】  看雪论坛,FCG论坛,DFCG论坛等
               注册机源码中的MD5算法以及Flat Button控件是从网上下载而来，稍加修改，感谢原作者！
               VC版的注册机借用看雪加密解密2里面的例子，感谢！

【完稿时间等】2005.04.29，凌晨1:39,天气:阴,广州
附件:AlertSpyV1.08_WIN32ASM.rar
附件:KGAlertSpy_VB6.rar
附件:KG_AlertSpy_Delphi 7.rar
附件:KG_Alertspy_VC6.rar