完美**2005 18.17 注册算法初步分析
日期:2005.04.21 破解人:Baby2008
在注册界面输入注册信息
用户名:Baby2008
注册码:123456789012345678901234567890
升级Key:0987654321
Ctrl+M,查找注册码,来到
00DDACE8 0D F0 AD BA 64 60 37 00 32 00 00 00 40 00 00 00 .瓠篸`7.2...@...
00DDACF8 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
00DDAD08 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 7890123456789012
00DDAD18 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 3456789012345678
00DDAD28 39 30 00 BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 90.?瓠?瓠?瓠
在00DDACF8下内存断点,F9运行,中断在
77C170D2 8807 mov byte ptr ds:[edi],al
77C170D4 8B45 08 mov eax,dword ptr ss:[ebp+8]
77C170D7 5E pop esi
77C170D8 5F pop edi
77C170D9 C9 leave
77C170DA C3 retn
单步返回主模块:
004130A1 E8 28FB0900 call MainCon.004B2BCE ; jmp to MFC42.#3097_CWnd::GetDlgItemTextA
004130A6 8D4D EC lea ecx,dword ptr ss:[ebp-14]
004130A9 51 push ecx
004130AA 68 F4030000 push 3F4
004130AF 8BCE mov ecx,esi
004130B1 E8 18FB0900 call MainCon.004B2BCE ; jmp to MFC42.#3097_CWnd::GetDlgItemTextA
004130B6 8D55 E8 lea edx,dword ptr ss:[ebp-18] ;返回到这里
004130B9 8BCE mov ecx,esi
004130BB 52 push edx
004130BC 68 F6030000 push 3F6
004130C1 E8 08FB0900 call MainCon.004B2BCE ; jmp to MFC42.#3097_CWnd::GetDlgItemTextA
004130C6 60 pushad
分别是读取用户名,注册码,升级Key
继续单步执行来到:
00413125 61 popad
00413126 68 3F000F00 push 0F003F
0041312B 68 4C154C00 push MainCon.004C154C ; ASCII "Software\Netclean"
00413130 68 02000080 push 80000002
00413135 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00413138 E8 F3CB0500 call MainCon.0046FD30
0041313D 8D45 EC lea eax,dword ptr ss:[ebp-14]
00413140 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00413143 50 push eax
00413144 E8 0BF60900 call MainCon.004B2754 ; jmp to MFC42.#535_CString::CString
00413149 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0041314C C645 FC 04 mov byte ptr ss:[ebp-4],4
00413150 E8 11F60900 call MainCon.004B2766 ; jmp to MFC42.#540_CString::CString
00413155 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00413158 C645 FC 05 mov byte ptr ss:[ebp-4],5
0041315C E8 9FD20000 call MainCon.00420400
00413161 51 push ecx
00413162 B3 06 mov bl,6
00413164 8BCC mov ecx,esp
00413166 8965 D4 mov dword ptr ss:[ebp-2C],esp
00413169 68 EC154C00 push MainCon.004C15EC ; ASCII "strMessSNError"
0041316E 885D FC mov byte ptr ss:[ebp-4],bl
00413171 E8 90F80900 call MainCon.004B2A06 ; jmp to MFC42.#537_CString::CString
00413176 C645 FC 07 mov byte ptr ss:[ebp-4],7
0041317A 51 push ecx
0041317B 8BCC mov ecx,esp
0041317D 8965 D0 mov dword ptr ss:[ebp-30],esp
00413180 68 B4154C00 push MainCon.004C15B4 ; ASCII "MainCon.ini"
00413185 E8 7CF80900 call MainCon.004B2A06 ; jmp to MFC42.#537_CString::CString
0041318A 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0041318D 885D FC mov byte ptr ss:[ebp-4],bl
00413190 51 push ecx
00413191 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00413194 E8 57D30000 call MainCon.004204F0
00413199 50 push eax
0041319A 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0041319D C645 FC 08 mov byte ptr ss:[ebp-4],8
004131A1 E8 6EF60900 call MainCon.004B2814 ; jmp to MFC42.#858_CString::operator=
004131A6 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004131A9 885D FC mov byte ptr ss:[ebp-4],bl
004131AC E8 9DF50900 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
004131B1 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004131B4 C645 FC 05 mov byte ptr ss:[ebp-4],5
004131B8 E8 83D20000 call MainCon.00420440
004131BD 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; 注册码
004131C0 837A F8 32 cmp dword ptr ds:[edx-8],32 ; 注册码长度,$32
004131C4 74 19 je short MainCon.004131DF ; 注册码要求等于50位
004131C6 A1 A0144C00 mov eax,dword ptr ds:[4C14A0]
004131CB 8B4E 20 mov ecx,dword ptr ds:[esi+20]
004131CE 6A 00 push 0
004131D0 6A 00 push 0
004131D2 50 push eax
004131D3 51 push ecx
004131D4 90 nop
004131D5 E8 31511700 call MainCon.0058830B
004131DA E9 E2330000 jmp MainCon.004165C1
004131DF 68 E8154C00 push MainCon.004C15E8 ; 分隔字符'-'
004131E4 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; 注册码
004131E7 E8 20F80900 call MainCon.004B2A0C ; jmp to MFC42.#2764_CString::Find
004131EC 83CF FF or edi,FFFFFFFF
004131EF 3BC7 cmp eax,edi
004131F1 0F84 20340000 je MainCon.00416617 ; 注册码中要求有'-'
004131F7 6A 11 push 11 ; 17
004131F9 6A 2D push 2D ; '-'
004131FB 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; 注册码
004131FE E8 C5F90900 call MainCon.004B2BC8 ; jmp to MFC42.#6662_CString::Find
00413203 3BC7 cmp eax,edi
00413205 0F84 0C340000 je MainCon.00416617
0041320B 6A 21 push 21 ; 33
0041320D 6A 2D push 2D ; '-'
0041320F 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; 注册码
00413212 E8 B1F90900 call MainCon.004B2BC8 ; jmp to MFC42.#6662_CString::Find
00413217 3BC7 cmp eax,edi
00413219 0F84 F8330000 je MainCon.00416617
0041321F 33DB xor ebx,ebx
00413221 8AD3 mov dl,bl
00413223 6A 01 push 1
00413225 80C2 47 add dl,47 ; 'G'+i,i:=1 To 20
00413228 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; 注册码
0041322B 8855 DC mov byte ptr ss:[ebp-24],dl
0041322E 8B45 DC mov eax,dword ptr ss:[ebp-24]
00413231 50 push eax
00413232 E8 91F90900 call MainCon.004B2BC8 ; jmp to MFC42.#6662_CString::Find
00413237 3BC7 cmp eax,edi
00413239 0F85 C7330000 jnz MainCon.00416606
0041323F 43 inc ebx
00413240 83FB 14 cmp ebx,14 ; 20
00413243 ^ 7C DC jl short MainCon.00413221 ; 循环要求注册码中不能含有G->Z的字符
00413245 33DB xor ebx,ebx
00413247 8AC3 mov al,bl
00413249 6A 01 push 1
0041324B 04 61 add al,61 ; 'a'
0041324D 8845 DC mov byte ptr ss:[ebp-24],al
00413250 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00413253 51 push ecx
00413254 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; 注册码
00413257 E8 6CF90900 call MainCon.004B2BC8 ; jmp to MFC42.#6662_CString::Find
0041325C 3BC7 cmp eax,edi
0041325E 0F85 B3330000 jnz MainCon.00416617
00413264 43 inc ebx
00413265 83FB 1A cmp ebx,1A ; 26
00413268 ^ 7C DD jl short MainCon.00413247 ; 循环要求注册码中不能含有a-z中的字符
0041326A 68 38154C00 push MainCon.004C1538 ; ASCII "UserName"
0041326F 51 push ecx
00413270 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; 用户名
00413273 8BCC mov ecx,esp
00413275 8965 D0 mov dword ptr ss:[ebp-30],esp
00413278 52 push edx
00413279 E8 D6F40900 call MainCon.004B2754 ; jmp to MFC42.#535_CString::CString
0041327E 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00413281 E8 BACB0500 call MainCon.0046FE40
00413286 68 44154C00 push MainCon.004C1544 ; ASCII "UserSN"
0041328B 51 push ecx
0041328C 8D45 EC lea eax,dword ptr ss:[ebp-14] ; 注册码
0041328F 8BCC mov ecx,esp
00413291 8965 D0 mov dword ptr ss:[ebp-30],esp
00413294 50 push eax
00413295 E8 BAF40900 call MainCon.004B2754 ; jmp to MFC42.#535_CString::CString
0041329A 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0041329D E8 9ECB0500 call MainCon.0046FE40
004132A2 68 20154C00 push MainCon.004C1520 ; ASCII "UpdateKey"
004132A7 51 push ecx
004132A8 8D55 E8 lea edx,dword ptr ss:[ebp-18] ; 升级Key
004132AB 8BCC mov ecx,esp
004132AD 8965 D0 mov dword ptr ss:[ebp-30],esp
004132B0 52 push edx
004132B1 E8 9EF40900 call MainCon.004B2754 ; jmp to MFC42.#535_CString::CString
004132B6 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004132B9 E8 82CB0500 call MainCon.0046FE40
004132BE 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004132C1 E8 EAC90500 call MainCon.0046FCB0
004132C6 60 pushad
满足条件保存注册信息待重启验证。
由此可得注册码格式:1234567890123456-1234567890123456-1234567890123456 (16位-16位-16位)
注册信息保存在:
注册表HKEY_LOCAL_MACHINE\SOFTWARE\NetClean下,分别为 MachineID、UpdateKey、UserName、UserSN。
Ctrl+F2,下注册表读取断点 Bp RegQueryValueExA,F9运行(共11次),堆栈出现
001288B4 0046FDEA /CALL 到 RegQueryValueExA 来自 MainCon.0046FDE4
001288B8 00000094 |hKey = 94
001288BC 004C1544 |ValueName = "UserSN"
001288C0 00000000 |Reserved = NULL
001288C4 001288D4 |pValueType = 001288D4
001288C8 001288DC |Buffer = 001288DC
001288CC 001288D8 \pBufSize = 001288D8
取消断点BC RegQueryValueExA,Ctrl+F9、F7,来到
0046FDEA 8B9424 10010000 mov edx,dword ptr ss:[esp+110]
0046FDF1 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; 此处是读取到注册表中的注册码
0046FDF5 51 push ecx
0046FDF6 68 F8104C00 push MainCon.004C10F8 ; ASCII "%s"
0046FDFB 52 push edx
0046FDFC 8BF0 mov esi,eax
0046FDFE E8 4D2D0400 call MainCon.004B2B50 ; jmp to MFC42.#2818_CString::Format
0046FE03 83C4 0C add esp,0C
0046FE06 8BC6 mov eax,esi
0046FE08 5E pop esi
0046FE09 81C4 08010000 add esp,108
0046FE0F C2 0800 retn 8
Ctrl+F9、F7返回到0042A68E
0042A68E 85 db 85
0042A68F C0 db C0
0042A690 74 db 74 ; CHAR 't'
0042A691 0D db 0D
0042A692 68 db 68 ; CHAR 'h'
0042A693 E4 db E4
0042A694 2F db 2F ; CHAR '/'
0042A695 4C db 4C ; CHAR 'L'
0042A696 00 db 00
0042A697 8D db 8D
Ctrl+A重新分析代码
0042A65B 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0042A65E 68 2C154C00 push MainCon.004C152C ; ASCII "MachineID"
0042A663 50 push eax
0042A664 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042A667 E8 44570400 call MainCon.0046FDB0
0042A66C 85C0 test eax,eax
0042A66E 74 0D je short MainCon.0042A67D
0042A670 68 E42F4C00 push MainCon.004C2FE4
0042A675 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0042A678 E8 DD800800 call MainCon.004B275A ; jmp to MFC42.#860_CString::operator=
0042A67D 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0042A680 68 44154C00 push MainCon.004C1544 ; ASCII "UserSN"
0042A685 51 push ecx
0042A686 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042A689 E8 22570400 call MainCon.0046FDB0
0042A68E 85C0 test eax,eax ;返回到这里
0042A690 74 0D je short MainCon.0042A69F
0042A692 68 E42F4C00 push MainCon.004C2FE4
0042A697 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0042A69A E8 BB800800 call MainCon.004B275A ; jmp to MFC42.#860_CString::operator=
0042A69F 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0042A6A2 68 38154C00 push MainCon.004C1538 ; ASCII "UserName"
0042A6A7 52 push edx
0042A6A8 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042A6AB E8 00570400 call MainCon.0046FDB0
0042A6B0 85C0 test eax,eax
0042A6B2 74 0D je short MainCon.0042A6C1
0042A6B4 68 E42F4C00 push MainCon.004C2FE4
0042A6B9 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0042A6BC E8 99800800 call MainCon.004B275A ; jmp to MFC42.#860_CString::operator=
0042A6C1 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042A6C4 E8 E7550400 call MainCon.0046FCB0
0042A6C9 60 pushad
此时可以看到寄存器内容:
EAX 00000000
ECX 00C4A488 ASCII "1234567890123456-1234567890123456-1234567890123456"
EDX 00C4A489 ASCII "234567890123456-1234567890123456-1234567890123456"
EBX 00129708
ESP 001289E8
EBP 00128A14
ESI 0012C518
EDI 00129694
EIP 0042A68E MainCon.0042A68E
在00C4A488下内存断点,F9,中断在
77C170D2 8807 mov byte ptr ds:[edi],al
77C170D4 8B45 08 mov eax,dword ptr ss:[ebp+8]
77C170D7 5E pop esi
77C170D8 5F pop edi
77C170D9 C9 leave
77C170DA C3 retn
多次Ctrl+F9、F7返回主模块
0046FE03 |. 83C4 0C add esp,0C
0046FE06 |. 8BC6 mov eax,esi
0046FE08 |. 5E pop esi
0046FE09 |. 81C4 08010000 add esp,108
0046FE0F \. C2 0800 retn 8
F8继续单步执行,直至来到
0048106E 85 db 85
0048106F C0 db C0
00481070 74 db 74 ; CHAR 't'
00481071 0D db 0D
00481072 68 db 68 ; CHAR 'h'
00481073 E4 db E4
00481074 2F db 2F ; CHAR '/'
00481075 4C db 4C ; CHAR 'L'
00481076 00 db 00
00481077 8D db 8D
00481078 4D db 4D ; CHAR 'M'
00481079 EC db EC
0048107A E8 db E8
0048107B DB db DB
0048107C 16 db 16
Ctrl+A重新分析代码
00481036 . E8 F5ECFEFF call MainCon.0046FD30
0048103B . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0048103E . 68 2C154C00 push MainCon.004C152C ; /Arg2 = 004C152C ASCII "MachineID"
00481043 . 50 push eax ; |Arg1
00481044 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
00481047 . E8 64EDFEFF call MainCon.0046FDB0 ; \MainCon.0046FDB0
0048104C . 85C0 test eax,eax
0048104E . 74 0D je short MainCon.0048105D
00481050 . 68 E42F4C00 push MainCon.004C2FE4
00481055 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00481058 . E8 FD160300 call MainCon.004B275A ; jmp to MFC42.#860_CString::operator=
0048105D > 8D4D EC lea ecx,dword ptr ss:[ebp-14]
00481060 . 68 44154C00 push MainCon.004C1544 ; /Arg2 = 004C1544 ASCII "UserSN"
00481065 . 51 push ecx ; |Arg1
00481066 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
00481069 . E8 42EDFEFF call MainCon.0046FDB0 ; \MainCon.0046FDB0
0048106E . 85C0 test eax,eax //返回到这里
00481070 . 74 0D je short MainCon.0048107F
00481072 . 68 E42F4C00 push MainCon.004C2FE4
00481077 . 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0048107A . E8 DB160300 call MainCon.004B275A ; jmp to MFC42.#860_CString::operator=
0048107F > 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00481082 . 68 38154C00 push MainCon.004C1538 ; /Arg2 = 004C1538 ASCII "UserName"
00481087 . 52 push edx ; |Arg1
00481088 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
0048108B . E8 20EDFEFF call MainCon.0046FDB0 ; \MainCon.0046FDB0
00481090 . 85C0 test eax,eax
00481092 . 74 0D je short MainCon.004810A1
00481094 . 68 E42F4C00 push MainCon.004C2FE4
00481099 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0048109C . E8 B9160300 call MainCon.004B275A ; jmp to MFC42.#860_CString::operator=
004810A1 > 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
004810A4 . E8 07ECFEFF call MainCon.0046FCB0
004810A9 . 60 pushad
F8继续单步执行……
0047DCDD > \61 popad
0047DCDE . B9 06000000 mov ecx,6
0047DCE3 . 33C0 xor eax,eax
0047DCE5 . 8D7D 9C lea edi,dword ptr ss:[ebp-64]
0047DCE8 . 6A 01 push 1
0047DCEA . F3:AB rep stos dword ptr es:[edi]
0047DCEC . 8D45 B4 lea eax,dword ptr ss:[ebp-4C] ; 用户名
0047DCEF . 6A 18 push 18
0047DCF1 . 50 push eax
0047DCF2 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0047DCF5 . 6A 18 push 18
0047DCF7 . 8D55 9C lea edx,dword ptr ss:[ebp-64]
0047DCFA . 51 push ecx
0047DCFB . 52 push edx
0047DCFC . E8 9F60FFFF call MainCon.00473DA0 ; 机器码再次转换,重要
0047DD01 . 83C4 18 add esp,18
0047DD04 . 60 pushad
0047DD05 . 6A 04 push 4
0047DD07 . 6A 00 push 0
0047DD09 . 6A 00 push 0
0047DD0B . 6A FF push -1
0047DD0D . 90 nop
0047DD0E . E8 F8A51000 call MainCon.0058830B
0047DD13 . EB 1E jmp short MainCon.0047DD33
直到出现异常,中断在
7C92EAF0 8B1C24 mov ebx,dword ptr ss:[esp]
7C92EAF3 51 push ecx
7C92EAF4 53 push ebx
多次Ctrl+F9、F7返回主模块,来到:
0047DB1B 50 db 50 ; CHAR 'P'
0047DB1C 8D db 8D
0047DB1D 4D db 4D ; CHAR 'M'
0047DB1E 0C db 0C
0047DB1F C6 db C6
0047DB20 45 db 45 ; CHAR 'E'
0047DB21 FC db FC
0047DB22 02 db 02
0047DB23 E8 db E8
0047DB24 EC db EC
0047DB25 4C db 4C ; CHAR 'L'
0047DB26 03 db 03
0047DB27 00 db 00
0047DB28 8D db 8D
0047DB29 4D db 4D ; CHAR 'M'
0047DB2A 94 db 94
0047DB2B C6 db C6
0047DB2C 45 db 45 ; CHAR 'E'
Ctrl+A重新分析代码
0047DADF > \B9 06000000 mov ecx,6
0047DAE4 . 33C0 xor eax,eax
0047DAE6 . 8D7D CC lea edi,dword ptr ss:[ebp-34]
0047DAE9 . 33DB xor ebx,ebx
0047DAEB . F3:AB rep stos dword ptr es:[edi]
0047DAED . 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
0047DAF0 . 8B11 mov edx,dword ptr ds:[ecx]
0047DAF2 . 8B42 F8 mov eax,dword ptr ds:[edx-8]
0047DAF5 . 85C0 test eax,eax
0047DAF7 . 0F8E 9F000000 jle MainCon.0047DB9C
0047DAFD > 8D4D 0C lea ecx,dword ptr ss:[ebp+C] ; 循环转换注册码
0047DB00 . E8 614C0300 call MainCon.004B2766 ; jmp to MFC42.#540_CString::CString
0047DB05 . 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
0047DB08 . 6A 01 push 1
0047DB0A . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
0047DB0D . 53 push ebx
0047DB0E . 50 push eax
0047DB0F . C745 FC 01000000 mov dword ptr ss:[ebp-4],1
0047DB16 . E8 97510300 call MainCon.004B2CB2 ; jmp to MFC42.#4278_CString::Mid
0047DB1B . 50 push eax ;返回到这里
0047DB1C . 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
0047DB1F . C645 FC 02 mov byte ptr ss:[ebp-4],2
0047DB23 . E8 EC4C0300 call MainCon.004B2814 ; jmp to MFC42.#858_CString::operator=
0047DB28 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0047DB2B . C645 FC 01 mov byte ptr ss:[ebp-4],1
0047DB2F . E8 1A4C0300 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
0047DB34 . 8B55 0C mov edx,dword ptr ss:[ebp+C]
0047DB37 . 83C9 FF or ecx,FFFFFFFF
0047DB3A . 8BFA mov edi,edx
0047DB3C . 33C0 xor eax,eax
0047DB3E . F2:AE repne scas byte ptr es:[edi]
0047DB40 . F7D1 not ecx
0047DB42 . 8D75 10 lea esi,dword ptr ss:[ebp+10]
0047DB45 . 2BF9 sub edi,ecx
0047DB47 . 8BC1 mov eax,ecx
0047DB49 . 8975 E8 mov dword ptr ss:[ebp-18],esi
0047DB4C . 8BF7 mov esi,edi
0047DB4E . 8B7D E8 mov edi,dword ptr ss:[ebp-18]
0047DB51 . C1E9 02 shr ecx,2
0047DB54 . F3:A5 rep movs dword ptr es:[edi],dword ptr >
0047DB56 . 8BC8 mov ecx,eax
0047DB58 . 68 E8154C00 push MainCon.004C15E8
0047DB5D . 83E1 03 and ecx,3
0047DB60 . 52 push edx
0047DB61 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds>
0047DB63 . 90 nop
0047DB64 . E8 A2A71000 call MainCon.0058830B
0047DB69 . 83C4 08 add esp,8
0047DB6C . 85C0 test eax,eax
0047DB6E . 74 11 je short MainCon.0047DB81
0047DB70 . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0047DB73 . 8A4D 10 mov cl,byte ptr ss:[ebp+10]
0047DB76 . 888C05 7CFEFFFF mov byte ptr ss:[ebp+eax-184],cl
0047DB7D . 40 inc eax
0047DB7E . 8945 E4 mov dword ptr ss:[ebp-1C],eax
0047DB81 > 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
0047DB84 . C645 FC 00 mov byte ptr ss:[ebp-4],0
0047DB88 . E8 C14B0300 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
0047DB8D . 8B55 14 mov edx,dword ptr ss:[ebp+14]
0047DB90 . 43 inc ebx
0047DB91 . 8B02 mov eax,dword ptr ds:[edx]
0047DB93 . 3B58 F8 cmp ebx,dword ptr ds:[eax-8]
0047DB96 .^ 0F8C 61FFFFFF jl MainCon.0047DAFD
0047DB9C > 8B4D E4 mov ecx,dword ptr ss:[ebp-1C] ; 长度
0047DB9F . C6840D 7CFEFFFF >mov byte ptr ss:[ebp+ecx-184],0
0047DBA7 . 60 pushad
0047DBA8 . 6A 04 push 4
0047DBAA . 6A 00 push 0
0047DBAC . 6A 00 push 0
0047DBAE . 6A FF push -1
0047DBB0 . 90 nop
0047DBB1 . E8 55A71000 call MainCon.0058830B
F8继续单步执行……
0047DBD6 > \61 popad
0047DBD7 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0047DBDA . E8 874B0300 call MainCon.004B2766 ; jmp to MFC42.#540_CString::CString
0047DBDF . 8D95 7CFEFFFF lea edx,dword ptr ss:[ebp-184] ; 注册码去分隔字符后的结果
0047DBE5 . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0047DBE8 . 52 push edx
0047DBE9 . 68 F8104C00 push MainCon.004C10F8 ; ASCII "%s"
0047DBEE . 50 push eax
0047DBEF . C745 FC 03000000 mov dword ptr ss:[ebp-4],3
0047DBF6 . E8 554F0300 call MainCon.004B2B50 ; jmp to MFC42.#2818_CString::Format
0047DBFB . 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
0047DBFE . 83C4 0C add esp,0C
0047DC01 . 33DB xor ebx,ebx
0047DC03 . 8B41 F8 mov eax,dword ptr ds:[ecx-8]
0047DC06 . 85C0 test eax,eax
0047DC08 . 0F8E 8D000000 jle MainCon.0047DC9B
0047DC0E . 8D55 CC lea edx,dword ptr ss:[ebp-34]
0047DC11 . 8955 10 mov dword ptr ss:[ebp+10],edx
0047DC14 > 8D4D 14 lea ecx,dword ptr ss:[ebp+14]
0047DC17 . E8 4A4B0300 call MainCon.004B2766 ; jmp to MFC42.#540_CString::CString
0047DC1C . 6A 02 push 2
0047DC1E . 8D45 0C lea eax,dword ptr ss:[ebp+C]
0047DC21 . 53 push ebx
0047DC22 . 50 push eax
0047DC23 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0047DC26 . C645 FC 04 mov byte ptr ss:[ebp-4],4
0047DC2A . E8 83500300 call MainCon.004B2CB2 ; jmp to MFC42.#4278_CString::Mid
0047DC2F . 50 push eax
0047DC30 . 8D4D 14 lea ecx,dword ptr ss:[ebp+14]
0047DC33 . C645 FC 05 mov byte ptr ss:[ebp-4],5
0047DC37 . E8 D84B0300 call MainCon.004B2814 ; jmp to MFC42.#858_CString::operator=
0047DC3C . 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
0047DC3F . C645 FC 04 mov byte ptr ss:[ebp-4],4
0047DC43 . E8 064B0300 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
0047DC48 . 8B7D 14 mov edi,dword ptr ss:[ebp+14]
0047DC4B . 83C9 FF or ecx,FFFFFFFF
0047DC4E . 33C0 xor eax,eax
0047DC50 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0047DC53 . F2:AE repne scas byte ptr es:[edi]
0047DC55 . F7D1 not ecx
0047DC57 . 2BF9 sub edi,ecx
0047DC59 . 8BC1 mov eax,ecx
0047DC5B . 8BF7 mov esi,edi
0047DC5D . 8BFA mov edi,edx
0047DC5F . C1E9 02 shr ecx,2
0047DC62 . F3:A5 rep movs dword ptr es:[edi],dword ptr >
0047DC64 . 8BC8 mov ecx,eax
0047DC66 . 83E1 03 and ecx,3
0047DC69 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds>
0047DC6B . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0047DC6E . 51 push ecx
0047DC6F . E8 5C66FFFF call MainCon.004742D0
0047DC74 . 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
0047DC77 . 83C4 04 add esp,4
0047DC7A . C645 FC 03 mov byte ptr ss:[ebp-4],3
0047DC7E . 8801 mov byte ptr ds:[ecx],al
0047DC80 . 41 inc ecx
0047DC81 . 894D 10 mov dword ptr ss:[ebp+10],ecx
0047DC84 . 8D4D 14 lea ecx,dword ptr ss:[ebp+14]
0047DC87 . E8 C24A0300 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
0047DC8C . 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0047DC8F . 83C3 02 add ebx,2
0047DC92 . 3B5A F8 cmp ebx,dword ptr ds:[edx-8]
0047DC95 .^ 0F8C 79FFFFFF jl MainCon.0047DC14
0047DC9B > 33C0 xor eax,eax
0047DC9D > 8A5C05 CC mov bl,byte ptr ss:[ebp+eax-34] ; 注册码转换结果
0047DCA1 . 80F3 A5 xor bl,0A5
0047DCA4 . 885C05 CC mov byte ptr ss:[ebp+eax-34],bl
0047DCA8 . 40 inc eax
0047DCA9 . 83F8 18 cmp eax,18
0047DCAC .^ 7C EF jl short MainCon.0047DC9D
0047DCAE . 60 pushad
0047DCAF . 6A 04 push 4
0047DCB1 . 6A 00 push 0
0047DCB3 . 6A 00 push 0
0047DCB5 . 6A FF push -1
0047DCB7 . 90 nop
0047DCB8 . E8 4EA61000 call MainCon.0058830B
0047DCBD . EB 1E jmp short MainCon.0047DCDD
将去分隔字符后的注册码
00C4A438 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
00C4A448 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456
00C4A458 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 1234567890123456 //长度48
转换为
0012895C 12 34 56 78 90 12 34 56 12 34 56 78 90 12 34 56 4Vx?4V4Vx?4V
0012896C 12 34 56 78 90 12 34 56 4Vx?4V0 //长度24
通过以下代码再次转换注册码:
0047DC9D > 8A5C05 CC mov bl,byte ptr ss:[ebp+eax-34] ; 注册码转换结果
0047DCA1 . 80F3 A5 xor bl,0A5
0047DCA4 . 885C05 CC mov byte ptr ss:[ebp+eax-34],bl
0047DCA8 . 40 inc eax
0047DCA9 . 83F8 18 cmp eax,18
0047DCAC .^ 7C EF jl short MainCon.0047DC9D
转换为
0012895C B7 91 F3 DD 35 B7 91 F3 B7 91 F3 DD 35 B7 91 F3 窇筝5窇蠓戵?窇
0012896C B7 91 F3 DD 35 B7 91 F3 窇筝5窇?... //长度24
F8继续单步执行……
0047DCDD > \61 popad
0047DCDE . B9 06000000 mov ecx,6
0047DCE3 . 33C0 xor eax,eax
0047DCE5 . 8D7D 9C lea edi,dword ptr ss:[ebp-64]
0047DCE8 . 6A 01 push 1
0047DCEA . F3:AB rep stos dword ptr es:[edi]
0047DCEC . 8D45 B4 lea eax,dword ptr ss:[ebp-4C] ; 用户名
0047DCEF . 6A 18 push 18
0047DCF1 . 50 push eax
0047DCF2 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0047DCF5 . 6A 18 push 18
0047DCF7 . 8D55 9C lea edx,dword ptr ss:[ebp-64]
0047DCFA . 51 push ecx
0047DCFB . 52 push edx
0047DCFC . E8 9F60FFFF call MainCon.00473DA0
0047DD01 . 83C4 18 add esp,18
0047DD04 . 60 pushad
0047DD05 . 6A 04 push 4
0047DD07 . 6A 00 push 0
0047DD09 . 6A 00 push 0
0047DD0B . 6A FF push -1
0047DD0D . 90 nop
0047DD0E . E8 F8A51000 call MainCon.0058830B
0047DD13 . EB 1E jmp short MainCon.0047DD33
F8继续单步执行……
0047DD33 > \61 popad
0047DD34 . 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0047DD37 . E8 2A4A0300 call MainCon.004B2766 ; jmp to MFC42.#540_CString::CString
0047DD3C . 8D45 9C lea eax,dword ptr ss:[ebp-64]
0047DD3F . 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0047DD42 . 50 push eax
0047DD43 . 68 F8104C00 push MainCon.004C10F8 ; ASCII "%s"
0047DD48 . 51 push ecx
0047DD49 . C645 FC 06 mov byte ptr ss:[ebp-4],6
0047DD4D . E8 FE4D0300 call MainCon.004B2B50 ; jmp to MFC42.#2818_CString::Format
0047DD52 . 8B75 08 mov esi,dword ptr ss:[ebp+8]
0047DD55 . 83C4 0C add esp,0C
0047DD58 . 8D55 EC lea edx,dword ptr ss:[ebp-14]
0047DD5B . 8BCE mov ecx,esi
0047DD5D . 52 push edx
0047DD5E . E8 F1490300 call MainCon.004B2754 ; jmp to MFC42.#535_CString::CString
0047DD63 . 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0047DD66 . C745 98 01000000 mov dword ptr ss:[ebp-68],1
0047DD6D . C645 FC 03 mov byte ptr ss:[ebp-4],3
0047DD71 . E8 D8490300 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
0047DD76 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0047DD79 . C645 FC 00 mov byte ptr ss:[ebp-4],0
0047DD7D . E8 CC490300 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
0047DD82 . 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
0047DD85 . 8BC6 mov eax,esi
0047DD87 . 5F pop edi
0047DD88 . 5E pop esi
0047DD89 . 64:890D 00000000 mov dword ptr fs:[0],ecx
0047DD90 . 5B pop ebx
0047DD91 . 8BE5 mov esp,ebp
0047DD93 . 5D pop ebp
0047DD94 . C3 retn
…………省略………………
00487664 . 83C4 10 add esp,10
00487667 . 50 push eax
00487668 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0048766B . C645 FC 08 mov byte ptr ss:[ebp-4],8
0048766F . E8 A0B10200 call MainCon.004B2814 ; jmp to MFC42.#858_CString::operator=
00487674 . 885D FC mov byte ptr ss:[ebp-4],bl
00487677 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0048767A . E8 CFB00200 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
0048767F . 60 pushad
00487680 . 6A 04 push 4
00487682 . 6A 00 push 0
00487684 . 6A 00 push 0
00487686 . 6A FF push -1
00487688 . 90 nop
00487689 . E8 7D0C1000 call MainCon.0058830B
0048768E . EB 1E jmp short MainCon.004876AE
F8继续单步执行……
004876AE > \61 popad
004876AF . 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
004876B2 . 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; 机器码
004876B5 . 52 push edx
004876B6 . 50 push eax
004876B7 . 90 nop
004876B8 . E8 4E0C1000 call MainCon.0058830B ; 将UserSN多次转换结果与MachineID进行比较
004876BD . 83C4 08 add esp,8
004876C0 . C645 FC 05 mov byte ptr ss:[ebp-4],5
004876C4 . 85C0 test eax,eax
004876C6 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
004876C9 . 74 3E je short MainCon.00487709 ; 爆破
004876CB . E8 7EB00200 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
004876D0 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
004876D3 . C645 FC 04 mov byte ptr ss:[ebp-4],4
004876D7 . E8 72B00200 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
004876DC . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004876DF . C645 FC 03 mov byte ptr ss:[ebp-4],3
004876E3 . E8 E82DF8FF call MainCon.0040A4D0
004876E8 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
004876EB . C645 FC 02 mov byte ptr ss:[ebp-4],2
004876EF . E8 8C85FEFF call MainCon.0046FC80
004876F4 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
004876F7 . C645 FC 01 mov byte ptr ss:[ebp-4],1
004876FB . E8 4EB00200 call MainCon.004B274E ; jmp to MFC42.#800_CString::~CString
00487700 . C645 FC 00 mov byte ptr ss:[ebp-4],0
00487704 . E9 81000000 jmp MainCon.0048778A
终于到老家了!!!
由于软件作者好像也是坛子里的人,所以剩下的算法我就不继续分析了,哪位仁兄有空再研究研究……