It's been many days since I last visited 看雪 to read posts, and a long time since I wrote one of my newbie write-ups. Today I picked a random program to practise on, since I haven't done any hands-on work in ages. I happened to be looking for an image viewer, so I downloaded "批量缩略图工具" (Batch Thumbnail Tool) from 天空. Installed it, ran it, and up popped a big dialog demanding registration!!
Cracking this program is very simple, so there's no need to say much else. Let's get to the point. As for finding where to set a breakpoint: search the string references, or just set a breakpoint on the relevant API function directly from the command line!!!
004BBA4E 55 PUSH EBP
004BBA4F 68 D1BB4B00 PUSH BatchPic.004BBBD1
004BBA54 64:FF30 PUSH DWORD PTR FS:[EAX]
004BBA57 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BBA5A 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004BBA5D 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
004BBA63 E8 142DFAFF CALL BatchPic.0045E77C ; //read the entered (fake) code from the edit control into the string at [EBP-4]; the length is computed by the call two lines below, not here
004BBA68 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; //EAX = entered code
004BBA6B E8 B889F4FF CALL BatchPic.00404428 ; //length of the entered code into EAX (Delphi string length)
004BBA70 83F8 08 CMP EAX,8 ; //is the code exactly 8 characters long? if not, it's over!
004BBA73 74 3F JE SHORT BatchPic.004BBAB4 ; //equal: continue with the check
004BBA75 6A 10 PUSH 10
004BBA77 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004BBA7A A1 E4114C00 MOV EAX,DWORD PTR DS:[4C11E4]
004BBA7F 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BBA81 E8 C627FCFF CALL BatchPic.0047E24C
004BBA86 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004BBA89 E8 9A8BF4FF CALL BatchPic.00404628
004BBA8E 50 PUSH EAX
004BBA8F 68 E0BB4B00 PUSH BatchPic.004BBBE0 ; //push the message "注册码错误!" (Registration code incorrect!)
004BBA94 8BC3 MOV EAX,EBX
004BBA96 E8 1596FAFF CALL BatchPic.004650B0
004BBA9B 50 PUSH EAX
004BBA9C E8 CFB2F4FF CALL <JMP.&user32.MessageBoxA>
004BBAA1 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
004BBAA7 8B10 MOV EDX,DWORD PTR DS:[EAX]
004BBAA9 FF92 C4000000 CALL DWORD PTR DS:[EDX+C4]
004BBAAF E9 DA000000 JMP BatchPic.004BBB8E
004BBAB4 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004BBAB7 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
004BBABD E8 BA2CFAFF CALL BatchPic.0045E77C ; //read the entered code again, this time into [EBP-C]
004BBAC2 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; //EAX = entered code
004BBAC5 50 PUSH EAX ; //push the entered code (becomes the EDX argument of key 2)
004BBAC6 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; //EAX = destination string for the real code
004BBAC9 E8 060C0000 CALL BatchPic.004BC6D4 ; //★★★ key 1, step into! ★★★ (computes the real-code base into [EBP-10])
004BBACE 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004BBAD1 5A POP EDX
004BBAD2 E8 C50A0000 CALL BatchPic.004BC59C ; //★★★ key 2, step into! ★★★ (EAX = computed base, EDX = entered code; returns AL)
004BBAD7 84C0 TEST AL,AL ; //AL = result of the compare: 1 = match, 0 = mismatch
004BBAD9 74 79 JE SHORT BatchPic.004BBB54 ; //AL == 0 (mismatch): jump to the failure message; AL != 0 (match): fall through and write the registration info
004BBADB A1 180F4C00 MOV EAX,DWORD PTR DS:[4C0F18]
004BBAE0 C600 01 MOV BYTE PTR DS:[EAX],1 ; //set the global "registered" flag
004BBAE3 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004BBAE6 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
004BBAEC E8 8B2CFAFF CALL BatchPic.0045E77C
004BBAF1 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004BBAF4 50 PUSH EAX
004BBAF5 A1 F4114C00 MOV EAX,DWORD PTR DS:[4C11F4]
004BBAFA 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BBAFC B9 F8BB4B00 MOV ECX,BatchPic.004BBBF8 ; ASCII "KEY" //ini key name
004BBB01 BA 04BC4B00 MOV EDX,BatchPic.004BBC04 ; ASCII "REGCODE" //ini section name
004BBB06 8B30 MOV ESI,DWORD PTR DS:[EAX]
004BBB08 FF56 04 CALL DWORD PTR DS:[ESI+4] ; //virtual call that writes the entered code to the ini file (section REGCODE, key KEY; see the BatchPic.ini layout at the end)
004BBB0B 6A 40 PUSH 40
004BBB0D 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004BBB10 A1 E4114C00 MOV EAX,DWORD PTR DS:[4C11E4]
004BBB15 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BBB17 E8 3027FCFF CALL BatchPic.0047E24C
004BBB1C 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004BBB1F E8 048BF4FF CALL BatchPic.00404628
004BBB24 50 PUSH EAX
004BBB25 68 0CBC4B00 PUSH BatchPic.004BBC0C ; //push the message "注册成功!" (Registration successful!)
004BBB2A 8BC3 MOV EAX,EBX
004BBB2C E8 7F95FAFF CALL BatchPic.004650B0
004BBB31 50 PUSH EAX
004BBB32 E8 39B2F4FF CALL <JMP.&user32.MessageBoxA> ; //show the success message!!
004BBB37 A1 D4104C00 MOV EAX,DWORD PTR DS:[4C10D4]
004BBB3C 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BBB3E 8B80 88030000 MOV EAX,DWORD PTR DS:[EAX+388]
004BBB44 33D2 XOR EDX,EDX
004BBB46 E8 512BFAFF CALL BatchPic.0045E69C
004BBB4B 8BC3 MOV EAX,EBX
004BBB4D E8 A6F4FBFF CALL BatchPic.0047AFF8
004BBB52 EB 3A JMP SHORT BatchPic.004BBB8E
004BBB54 6A 10 PUSH 10
004BBB56 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004BBB59 A1 E4114C00 MOV EAX,DWORD PTR DS:[4C11E4]
004BBB5E 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BBB60 E8 E726FCFF CALL BatchPic.0047E24C
004BBB65 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004BBB68 E8 BB8AF4FF CALL BatchPic.00404628
004BBB6D 50 PUSH EAX
004BBB6E 68 E0BB4B00 PUSH BatchPic.004BBBE0 ; //push the message "注册码错误!" (Registration code incorrect!)
004BBB73 8BC3 MOV EAX,EBX
004BBB75 E8 3695FAFF CALL BatchPic.004650B0
004BBB7A 50 PUSH EAX
004BBB7B E8 F0B1F4FF CALL <JMP.&user32.MessageBoxA> ; //show the failure message!!
004BBB80 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
004BBB86 8B10 MOV EDX,DWORD PTR DS:[EAX]
004BBB88 FF92 C4000000 CALL DWORD PTR DS:[EDX+C4]
004BBB8E 33C0 XOR EAX,EAX
004BBB90 5A POP EDX
004BBB91 59 POP ECX
004BBB92 59 POP ECX
004BBB93 64:8910 MOV DWORD PTR FS:[EAX],EDX
004BBB96 68 D8BB4B00 PUSH BatchPic.004BBBD8
004BBB9B 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004BBB9E BA 02000000 MOV EDX,2
004BBBA3 E8 E485F4FF CALL BatchPic.0040418C
004BBBA8 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004BBBAB E8 B885F4FF CALL BatchPic.00404168
004BBBB0 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004BBBB3 E8 B085F4FF CALL BatchPic.00404168
004BBBB8 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004BBBBB E8 A885F4FF CALL BatchPic.00404168
004BBBC0 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004BBBC3 E8 A085F4FF CALL BatchPic.00404168
004BBBC8 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004BBBCB E8 9885F4FF CALL BatchPic.00404168
004BBBD0 C3 RETN
Above is the main registration flow. From it you can see that the code must be exactly 8 characters long, otherwise forget about registering! Heh. Now let's step into key 1: "004BBAC9 E8 060C0000 CALL BatchPic.004BC6D4"
004BC6D4 55 PUSH EBP
004BC6D5 8BEC MOV EBP,ESP
004BC6D7 6A 00 PUSH 0
004BC6D9 6A 00 PUSH 0
004BC6DB 53 PUSH EBX
004BC6DC 8BD8 MOV EBX,EAX
004BC6DE 33C0 XOR EAX,EAX
004BC6E0 55 PUSH EBP
004BC6E1 68 2EC74B00 PUSH BatchPic.004BC72E
004BC6E6 64:FF30 PUSH DWORD PTR FS:[EAX]
004BC6E9 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BC6EC 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004BC6EF E8 34FFFFFF CALL BatchPic.004BC628 ; //get the volume serial number of drive C (E8317C71 on my machine) and convert it to the decimal string 3895557233
004BC6F4 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; //EDX = "3895557233" (decimal volume serial of C:)
004BC6F7 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004BC6FA B9 44C74B00 MOV ECX,BatchPic.004BC744 ; ASCII "8311499"
004BC6FF E8 707DF4FF CALL BatchPic.00404474 ; //concatenate the decimal serial with the constant "8311499" into [EBP-4]
004BC704 8BCB MOV ECX,EBX
004BC706 BA 08000000 MOV EDX,8
004BC70B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; //EAX = "38955572338311499"
004BC70E E8 45A4F7FF CALL BatchPic.00436B58 ; //take the first 8 characters (EDX = 8) of the concatenated string into the result (ECX = EBX)
004BC713 33C0 XOR EAX,EAX
004BC715 5A POP EDX
004BC716 59 POP ECX
004BC717 59 POP ECX
004BC718 64:8910 MOV DWORD PTR FS:[EAX],EDX
004BC71B 68 35C74B00 PUSH BatchPic.004BC735
004BC720 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004BC723 BA 02000000 MOV EDX,2
004BC728 E8 5F7AF4FF CALL BatchPic.0040418C
004BC72D C3 RETN
So this routine takes the volume serial of drive C, E8317C71 (my C: volume serial), converts it to the decimal string 3895557233, concatenates the fixed string 8311499 to it (38955572338311499), and finally takes the first 8 characters of the combined string: 38955572!
Good, we've got the first 8 characters, return! Now let's step into key 2: "004BBAD2 E8 C50A0000 CALL BatchPic.004BC59C"
004BC59C 55 PUSH EBP
004BC59D 8BEC MOV EBP,ESP
004BC59F 83C4 F8 ADD ESP,-8
004BC5A2 53 PUSH EBX
004BC5A3 56 PUSH ESI
004BC5A4 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004BC5A7 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004BC5AA 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BC5AD E8 6680F4FF CALL BatchPic.00404618 ; //Delphi string reference-count bookkeeping for the computed base in [EBP-4] (the LStrAddRef pattern), not a fetch of the code
004BC5B2 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; //EAX = entered code
004BC5B5 E8 5E80F4FF CALL BatchPic.00404618 ; //same bookkeeping for the entered code
004BC5BA 33C0 XOR EAX,EAX
004BC5BC 55 PUSH EBP
004BC5BD 68 18C64B00 PUSH BatchPic.004BC618
004BC5C2 64:FF30 PUSH DWORD PTR FS:[EAX]
004BC5C5 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BC5C8 B3 01 MOV BL,1 ; //BL = result flag, defaults to 1 (match)
004BC5CA 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004BC5CD E8 567EF4FF CALL BatchPic.00404428 ; //length of the entered code
004BC5D2 83F8 08 CMP EAX,8 ; //is the length 8?
004BC5D5 74 04 JE SHORT BatchPic.004BC5DB ; //equal: jump ahead and continue the check, otherwise fail!
004BC5D7 33DB XOR EBX,EBX ; //EBX = 0: result false
004BC5D9 EB 22 JMP SHORT BatchPic.004BC5FD ; //jump out, failed!
004BC5DB BE 01000000 MOV ESI,1 ; //ESI = 1 (1-based index over the 8 characters)
004BC5E0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; //EAX = computed base, the first 8 characters "38955572"
004BC5E3 8A4430 FF MOV AL,BYTE PTR DS:[EAX+ESI-1] ; //take character ESI of the base into AL
004BC5E7 E8 50FFFFFF CALL BatchPic.004BC53C ; //this CALL maps the character through a lookup to the corresponding digit of the real code; that's ★★★ key 3 ★★★!
004BC5EC 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; //entered code into EDX
004BC5EF 3A4432 FF CMP AL,BYTE PTR DS:[EDX+ESI-1] ; //compare the mapped digit with character ESI of the entered code
004BC5F3 74 02 JE SHORT BatchPic.004BC5F7 ; //equal: skip the clear
004BC5F5 33DB XOR EBX,EBX ; //EBX = 0: result false (the loop does not stop here; all 8 characters are still compared)
004BC5F7 46 INC ESI ; //ESI is the index, advance to the next character
004BC5F8 83FE 09 CMP ESI,9 ; //compare ESI with 9
004BC5FB ^ 75 E3 JNZ SHORT BatchPic.004BC5E0 ; //not yet 9: loop and check the next character
004BC5FD 33C0 XOR EAX,EAX
004BC5FF 5A POP EDX
004BC600 59 POP ECX
004BC601 59 POP ECX
004BC602 64:8910 MOV DWORD PTR FS:[EAX],EDX
004BC605 68 1FC64B00 PUSH BatchPic.004BC61F
004BC60A 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004BC60D BA 02000000 MOV EDX,2
004BC612 E8 757BF4FF CALL BatchPic.0040418C
004BC617 C3 RETN
"004BC5E7 E8 50FFFFFF CALL BatchPic.004BC53C" is key 3: it looks up the given character and the value it returns is the corresponding digit of the real code. The code is as follows:
004BC53C 25 FF000000 AND EAX,0FF ; //keep only the low byte (the character)
004BC541 83C0 D0 ADD EAX,-30 ; //subtract '0' (0x30): character -> digit value 0..9
004BC544 83F8 09 CMP EAX,9 ; //compare the digit value with 9
004BC547 77 4D JA SHORT BatchPic.004BC596 ; //unsigned above 9, i.e. not a decimal digit: jump to the "return 0" exit
004BC549 FF2485 50C54B00 JMP DWORD PTR DS:[EAX*4+4BC550] ; //indexed jump through the 10-entry table below; each target just loads the substituted digit into AL
; 004BC550..004BC577 is the 10-entry DWORD jump table, not code (OllyDbg mis-disassembled these 40 bytes as DEC/ADD/LDS/XCHG instructions). Reassembled from the bytes:
004BC550 78C54B00 DD BatchPic.004BC578 ; //digit '0'
004BC554 7BC54B00 DD BatchPic.004BC57B ; //digit '1'
004BC558 7EC54B00 DD BatchPic.004BC57E ; //digit '2'
004BC55C 81C54B00 DD BatchPic.004BC581 ; //digit '3'
004BC560 84C54B00 DD BatchPic.004BC584 ; //digit '4'
004BC564 87C54B00 DD BatchPic.004BC587 ; //digit '5'
004BC568 8AC54B00 DD BatchPic.004BC58A ; //digit '6'
004BC56C 8DC54B00 DD BatchPic.004BC58D ; //digit '7'
004BC570 90C54B00 DD BatchPic.004BC590 ; //digit '8'
004BC574 93C54B00 DD BatchPic.004BC593 ; //digit '9'
004BC578 B0 38 MOV AL,38 ; //'0' -> '8'
004BC57A C3 RETN
004BC57B B0 36 MOV AL,36 ; //'1' -> '6'
004BC57D C3 RETN
004BC57E B0 34 MOV AL,34 ; //'2' -> '4'
004BC580 C3 RETN
004BC581 B0 30 MOV AL,30 ; //'3' -> '0'
004BC583 C3 RETN
004BC584 B0 35 MOV AL,35 ; //'4' -> '5'
004BC586 C3 RETN
004BC587 B0 32 MOV AL,32 ; //'5' -> '2'
004BC589 C3 RETN
004BC58A B0 39 MOV AL,39 ; //'6' -> '9'
004BC58C C3 RETN
004BC58D B0 31 MOV AL,31 ; //'7' -> '1'
004BC58F C3 RETN
004BC590 B0 33 MOV AL,33 ; //'8' -> '3'
004BC592 C3 RETN
004BC593 B0 37 MOV AL,37 ; //'9' -> '7'
004BC595 C3 RETN
004BC596 33C0 XOR EAX,EAX ; //not a digit: return 0
004BC598 C3 RETN
Simple enough, right? The real code is made of nothing but the digits 0 to 9: each of the 8 base characters is replaced through the fixed table above (0->8, 1->6, 2->4, 3->0, 4->5, 5->2, 6->9, 7->1, 8->3, 9->7), so 38955572 becomes 03722214. ^_^!!
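The three key routines, reconstructed as an added example in Python (this is not code from the original post or from BatchPic; the function names are mine, while the constant "8311499", the 8-character truncation and the digit table are taken from the listing above). It also makes explicit two points the listing only implies: the 7-character pad exists so that the base is always at least 8 characters even for a tiny serial, and for any serial of 8 or more decimal digits the pad never reaches the code at all; and since the only secret is the volume serial of C:, anyone who can read it can compute the key.

```python
"""Keygen and verifier for the BatchPic check analysed above.

Added example, not code from the original post or from the program.
Function names (derive_base, substitute_digit, make_key, check_key,
read_volume_serial) are my own; the algorithm follows the three key
CALLs: 004BC6D4 (decimal serial + "8311499", first 8 chars),
004BC53C (digit substitution) and 004BC59C (8-character compare).
"""
import sys

# Substitution table recovered from the jump table at 004BC550: each
# target at 004BC578.. is just "MOV AL,<digit>; RETN".
SUBST = {"0": "8", "1": "6", "2": "4", "3": "0", "4": "5",
         "5": "2", "6": "9", "7": "1", "8": "3", "9": "7"}

PAD = "8311499"  # constant string at 004BC744


def derive_base(volume_serial: int) -> str:
    """004BC6D4: decimal volume serial + PAD, truncated to 8 characters.

    A 32-bit serial has 1..10 decimal digits, so the 7-character pad
    guarantees at least 8 characters; for serials >= 10_000_000 the
    pad is cut off entirely and the base is just the first 8 digits.
    """
    if not 0 <= volume_serial <= 0xFFFFFFFF:
        raise ValueError("volume serial must be an unsigned 32-bit value")
    return (str(volume_serial) + PAD)[:8]


def substitute_digit(ch: str) -> str:
    """004BC53C: AND 0FF / SUB '0' / CMP 9 / JA -> NUL for non-digits."""
    return SUBST.get(ch, "\x00")


def make_key(volume_serial: int) -> str:
    """The real registration code for a given volume serial."""
    return "".join(substitute_digit(c) for c in derive_base(volume_serial))


def check_key(volume_serial: int, candidate: str) -> bool:
    """004BC59C: length must be 8, then a character-by-character compare.

    The original loop clears its flag on a mismatch but keeps comparing
    all 8 positions instead of exiting early; this mirrors that.
    """
    if len(candidate) != 8:
        return False
    ok = True
    for real, given in zip(make_key(volume_serial), candidate):
        if real != given:
            ok = False
    return ok


def read_volume_serial(root: str = "C:\\") -> int:
    """Windows only: read the volume serial the program itself uses
    (kernel32.GetVolumeInformationW; all optional out-buffers left NULL)."""
    import ctypes
    from ctypes import wintypes
    serial = wintypes.DWORD(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        ctypes.c_wchar_p(root), None, 0, ctypes.byref(serial),
        None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return serial.value


if __name__ == "__main__":
    # On Windows use the real C: serial; elsewhere fall back to the
    # serial from the write-up (E8317C71), which must yield 03722214.
    serial = read_volume_serial() if sys.platform == "win32" else 0xE8317C71
    print(f"serial {serial:08X} -> base {derive_base(serial)} -> key {make_key(serial)}")
```

Run it on the target machine to print the code the program expects; `check_key` is the same comparison the program performs at 004BC59C, so it can be used to confirm a candidate before typing it into the dialog.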
Analysis summary:
All in all this program is very simple; it hardly counts as analysis, and it's a good one for beginners to practise on. After successful registration the program generates a file named BatchPic.ini with the registration code saved in it. The file layout is as follows:
[REGCODE]
KEY=03722214 (my real code)
Delete the file and the program is unregistered again! I hope this is of some small help to newcomers. Whenever I crack a program I like to jot down a simple write-up like this, heh... hopefully newbies like me can follow it. I've kept it simple, so please don't flame me. Many thanks.
It's past 3 a.m., time to sleep... ZZZzzzzz
fcrjzmd
3:41 2006-2-15