ToolbarPro 4.61 Cracked And my Keygen (17千字) 算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → ToolbarPro 4.61 Cracked And my Keygen (17千字) 算法分析

ToolbarPro 4.61 Cracked And my Keygen (17千字) 算法分析 时间：2004/10/15 0:54:00来源：本站整理作者：蓝点我要评论(0): 　

名称:ToolbarPro 4.61
下载:http://www.pitrinec.com/ 或华军主页
保护:注册码,30天过期
原因:纯属练习
简介:个人认为目前最好用的浮动工具条,内带一些实用小工具,支持宏,感觉功能很强大(那位大哥将它汉化一下吧),缺点是有些设计不够方便,图标太多时启动会稍慢.以前用过RipBar中文版也挺好,但是当每栏的图标过多时没有滚动条,而且很久没升级.

这个软件很早就在网上找到了它的注册机,只不过想自己做一个.我们先来看看它的算法.输入注册码时一共有7项可填,当然少不了注册名啦,先填入Sam Von,注册码111222333444555666777,其它的空白,因为根据分析就算一项都不填都会有一个对应的注册码,开始时比较难的是下断点,我懒得找个合适的断点,因为下了几个常用的断点后程序不停的中断(如果装了此程序后调试其它程序时getwindowtext的断点就会不停的中断,所以调试前最好把它Disabled,但是这里就没有办法啦),于是我就和程序比快,一边按F5一边按确定:-)最后还是让我找到了下面的算法部分.

==Code Start========================================
这一个主Call用我们每一项的注册信息经过运算来与输入的注册码相比较,就算比较不正确,程序也不会马上跳出此Call,而是在内存做一个标志,跳出此Call后就根据此标志来判断.注册码的位数是21位,这里我偷了个懒,没有从程序去判断,因为我用下载来的注册机算出的是21位,在调试过程中也是能找到的,不过程序并没有直接比较,所以如果按平时只填8位注册码的话可能要多花点时间.

注册码与注册信息是这样对应的(设7项注册信息为1-7):
111 222 333 444 555 666 777
--- --- --- --- --- --- ---
4 6 3 1 5 2 7

程序取注册信息对应的3位注册码,转换成16进制,再用注册信息运算得到一个16进制数,相等就跳过设标志位,不等就设标志位为0,如果注册信息为空的话就会用一个内定的数来运算

0187:00453518 PUSH EBP
0187:00453519 MOV EBP,ESP
0187:0045351B SUB ESP,9C
0187:00453521 PUSH ESI
0187:00453522 MOV DWORD [EBP+FFFFFF70],01
0187:0045352C MOV DWORD [EBP-08],0320 <---留意这个数
0187:00453533 MOV ECX,00509DBC
0187:00453538 CALL 00418D70
0187:0045353D PUSH EAX
0187:0045353E CALL 00488603
0187:00453543 ADD ESP,BYTE +04
0187:00453546 MOV [EBP-04],EAX
0187:00453549 PUSH ECX
0187:0045354A MOV ECX,ESP
0187:0045354C MOV [EBP+FFFFFF6C],ESP
0187:00453552 PUSH DWORD 00509DBC
0187:00453557 CALL 004ADD4B
0187:0045355C MOV [EBP+FFFFFF68],EAX
0187:00453562 MOV EAX,[EBP-08]
0187:00453565 PUSH EAX
0187:00453566 CALL 00451EBC
0187:0045356B ADD ESP,BYTE +08
0187:0045356E MOV [EBP+FFFFFF64],EAX
0187:00453574 CMP DWORD [EBP+FFFFFF64],BYTE +00
0187:0045357B JZ 00453588
0187:0045357D MOV EAX,[EBP+FFFFFF70]
0187:00453583 JMP 00453889
0187:00453588 LEA ECX,[EBP+FFFFFF78]
0187:0045358E PUSH ECX
0187:0045358F MOV ECX,00509DBC
0187:00453594 CALL 00418D70
0187:00453599 PUSH EAX
0187:0045359A CALL 00452388 <---取对应的3位注册码,进去可看到它如何取码
0187:0045359F ADD ESP,BYTE +08
0187:004535A2 TEST EAX,EAX <---如果注册码不够取不到的话标志位也会设为0
0187:004535A4 JNZ 004535B0
0187:004535A6 MOV DWORD [EBP+FFFFFF70],00 <---这就是标志位,为0就没戏了
0187:004535B0 LEA EDX,[EBP+FFFFFF78]
0187:004535B6 PUSH EDX <---先算注册名,d edx可看到"444"
0187:004535B7 CALL 0045236C
0187:004535BC ADD ESP,BYTE +04
0187:004535BF MOV [EBP+FFFFFF74],AX
0187:004535C6 MOVSX ESI,WORD [EBP+FFFFFF74] <---444的16进制1BC放入esi
0187:004535CD MOV EAX,[EBP-08]
0187:004535D0 PUSH EAX
0187:004535D1 MOV ECX,00509DD8
0187:004535D6 CALL 00418D70
0187:004535DB PUSH EAX <---eax指向我的注册名
0187:004535DC CALL 00452228 <---算法Call,请看Call 1
0187:004535E1 ADD ESP,BYTE +08
0187:004535E4 MOVSX ECX,AX
0187:004535E7 CMP ESI,ECX <---比较相等就OK
0187:004535E9 JZ 004535F5
0187:004535EB MOV DWORD [EBP+FFFFFF70],00
0187:004535F5 LEA EDX,[EBP+FFFFFF78]
0187:004535FB PUSH EDX
0187:004535FC MOV ECX,00509DBC
0187:00453601 CALL 00418D70
0187:00453606 PUSH EAX
0187:00453607 CALL 0045252B
0187:0045360C ADD ESP,BYTE +08
0187:0045360F TEST EAX,EAX
0187:00453611 JNZ 0045361D
0187:00453613 MOV DWORD [EBP+FFFFFF70],00
0187:0045361D LEA EAX,[EBP+FFFFFF78]
0187:00453623 PUSH EAX
0187:00453624 CALL 0045250F
0187:00453629 ADD ESP,BYTE +04
0187:0045362C MOV [EBP+FFFFFF74],AX
0187:00453633 MOVSX ESI,WORD [EBP+FFFFFF74]
0187:0045363A MOV ECX,[EBP-08]
0187:0045363D PUSH ECX
0187:0045363E MOV ECX,00509DD4
0187:00453643 CALL 00418D70
0187:00453648 PUSH EAX
0187:00453649 CALL 004523CD <---下面几个类似的Call都基本一样,只是内定的数不同
0187:0045364E ADD ESP,BYTE +08
0187:00453651 MOVSX EDX,AX
0187:00453654 CMP ESI,EDX <---第2项
0187:00453656 JZ 00453662
0187:00453658 MOV DWORD [EBP+FFFFFF70],00
0187:00453662 LEA EAX,[EBP+FFFFFF78]
0187:00453668 PUSH EAX
0187:00453669 MOV ECX,00509DBC
0187:0045366E CALL 00418D70
0187:00453673 PUSH EAX
0187:00453674 CALL 004526CE
0187:00453679 ADD ESP,BYTE +08
0187:0045367C TEST EAX,EAX
0187:0045367E JNZ 0045368A
0187:00453680 MOV DWORD [EBP+FFFFFF70],00
0187:0045368A LEA ECX,[EBP+FFFFFF78]
0187:00453690 PUSH ECX
0187:00453691 CALL 004526B2
0187:00453696 ADD ESP,BYTE +04
0187:00453699 MOV [EBP+FFFFFF74],AX
0187:004536A0 MOVSX ESI,WORD [EBP+FFFFFF74]
0187:004536A7 MOV EDX,[EBP-08]
0187:004536AA PUSH EDX
0187:004536AB MOV ECX,00509DD0
0187:004536B0 CALL 00418D70
0187:004536B5 PUSH EAX
0187:004536B6 CALL 00452570
0187:004536BB ADD ESP,BYTE +08
0187:004536BE MOVSX EAX,AX
0187:004536C1 CMP ESI,EAX <---第3项
0187:004536C3 JZ 004536CF
0187:004536C5 MOV DWORD [EBP+FFFFFF70],00
0187:004536CF LEA ECX,[EBP+FFFFFF78]
0187:004536D5 PUSH ECX
0187:004536D6 MOV ECX,00509DBC
0187:004536DB CALL 00418D70
0187:004536E0 PUSH EAX
0187:004536E1 CALL 00452873
0187:004536E6 ADD ESP,BYTE +08
0187:004536E9 TEST EAX,EAX
0187:004536EB JNZ 004536F7
0187:004536ED MOV DWORD [EBP+FFFFFF70],00
0187:004536F7 LEA EDX,[EBP+FFFFFF78]
0187:004536FD PUSH EDX
0187:004536FE CALL 00452857
0187:00453703 ADD ESP,BYTE +04
0187:00453706 MOV [EBP+FFFFFF74],AX
0187:0045370D MOVSX ESI,WORD [EBP+FFFFFF74]
0187:00453714 MOV EAX,[EBP-08]
0187:00453717 PUSH EAX
0187:00453718 MOV ECX,00509DCC
0187:0045371D CALL 00418D70
0187:00453722 PUSH EAX
0187:00453723 CALL 00452713
0187:00453728 ADD ESP,BYTE +08
0187:0045372B MOVSX ECX,AX
0187:0045372E CMP ESI,ECX <---第4项
0187:00453730 JZ 0045373C
0187:00453732 MOV DWORD [EBP+FFFFFF70],00
0187:0045373C LEA EDX,[EBP+FFFFFF78]
0187:00453742 PUSH EDX
0187:00453743 MOV ECX,00509DBC
0187:00453748 CALL 00418D70
0187:0045374D PUSH EAX
0187:0045374E CALL 00452A15
0187:00453753 ADD ESP,BYTE +08
0187:00453756 TEST EAX,EAX
0187:00453758 JNZ 00453764
0187:0045375A MOV DWORD [EBP+FFFFFF70],00
0187:00453764 LEA EAX,[EBP+FFFFFF78]
0187:0045376A PUSH EAX
0187:0045376B CALL 004529F9
0187:00453770 ADD ESP,BYTE +04
0187:00453773 MOV [EBP+FFFFFF74],AX
0187:0045377A MOVSX ESI,WORD [EBP+FFFFFF74]
0187:00453781 MOV ECX,[EBP-08]
0187:00453784 PUSH ECX
0187:00453785 MOV ECX,00509DC8
0187:0045378A CALL 00418D70
0187:0045378F PUSH EAX
0187:00453790 CALL 004528B5
0187:00453795 ADD ESP,BYTE +08
0187:00453798 MOVSX EDX,AX
0187:0045379B CMP ESI,EDX <---第5项
0187:0045379D JZ 004537A9
0187:0045379F MOV DWORD [EBP+FFFFFF70],00
0187:004537A9 LEA EAX,[EBP+FFFFFF78]
0187:004537AF PUSH EAX
0187:004537B0 MOV ECX,00509DBC
0187:004537B5 CALL 00418D70
0187:004537BA PUSH EAX
0187:004537BB CALL 00452BB8
0187:004537C0 ADD ESP,BYTE +08
0187:004537C3 TEST EAX,EAX
0187:004537C5 JNZ 004537D1
0187:004537C7 MOV DWORD [EBP+FFFFFF70],00
0187:004537D1 LEA ECX,[EBP+FFFFFF78]
0187:004537D7 PUSH ECX
0187:004537D8 CALL 00452B9C
0187:004537DD ADD ESP,BYTE +04
0187:004537E0 MOV [EBP+FFFFFF74],AX
0187:004537E7 MOVSX ESI,WORD [EBP+FFFFFF74]
0187:004537EE MOV EDX,[EBP-08]
0187:004537F1 PUSH EDX
0187:004537F2 MOV ECX,00509DC4
0187:004537F7 CALL 00418D70
0187:004537FC PUSH EAX
0187:004537FD CALL 00452A5A
0187:00453802 ADD ESP,BYTE +08
0187:00453805 MOVSX EAX,AX
0187:00453808 CMP ESI,EAX <---第6项
0187:0045380A JZ 00453816
0187:0045380C MOV DWORD [EBP+FFFFFF70],00
0187:00453816 LEA ECX,[EBP+FFFFFF78]
0187:0045381C PUSH ECX
0187:0045381D MOV ECX,00509DBC
0187:00453822 CALL 00418D70
0187:00453827 PUSH EAX
0187:00453828 CALL 00452D5B
0187:0045382D ADD ESP,BYTE +08
0187:00453830 TEST EAX,EAX
0187:00453832 JNZ 0045383E
0187:00453834 MOV DWORD [EBP+FFFFFF70],00
0187:0045383E LEA EDX,[EBP+FFFFFF78]
0187:00453844 PUSH EDX
0187:00453845 CALL 00452D3F
0187:0045384A ADD ESP,BYTE +04
0187:0045384D MOV [EBP+FFFFFF74],AX
0187:00453854 MOVSX ESI,WORD [EBP+FFFFFF74]
0187:0045385B MOV EAX,[EBP-08]
0187:0045385E PUSH EAX
0187:0045385F MOV ECX,00509DC0
0187:00453864 CALL 00418D70
0187:00453869 PUSH EAX
0187:0045386A CALL 00452BFD
0187:0045386F ADD ESP,BYTE +08
0187:00453872 MOVSX ECX,AX
0187:00453875 CMP ESI,ECX <---第7项
0187:00453877 JZ 00453883
0187:00453879 MOV DWORD [EBP+FFFFFF70],00
0187:00453883 MOV EAX,[EBP+FFFFFF70]
0187:00453889 POP ESI
0187:0045388A MOV ESP,EBP
0187:0045388C POP EBP
0187:0045388D RET
==Code End=======================================================

==Call 1=========================================================
0187:00452228 PUSH EBP
0187:00452229 MOV EBP,ESP
0187:0045222B SUB ESP,BYTE +14
0187:0045222E MOV WORD [EBP-0C],0149
0187:00452234 LEA EAX,[EBP-0C]
0187:00452237 MOV [EBP-04],EAX
0187:0045223A MOV DWORD [EBP-10],00
0187:00452241 MOV DWORD [EBP-14],00
0187:00452248 CMP DWORD [EBP+0C],BYTE +64 <---[ebp+c]里是在前面我让大家留意的320,这里一直比较肯定是不等的,直到最下面与320比较的地方才是算法重点,那为什么还做这么多比较呢?我想这个Call在程序的其它地方也会调用来做别的事,那我们就跳到后面去.

0187:0045224C JNZ 00452259
0187:0045224E MOV WORD [EBP-0C],3E
0187:00452254 JMP 004522DC
0187:00452259 CMP DWORD [EBP+0C],BYTE +65
0187:0045225D JNZ 00452267
0187:0045225F MOV WORD [EBP-0C],02
0187:00452265 JMP SHORT 004522DC
0187:00452267 CMP DWORD [EBP+0C],C9
0187:0045226E JNZ 00452278
0187:00452270 MOV WORD [EBP-0C],70
0187:00452276 JMP SHORT 004522DC
0187:00452278 CMP DWORD [EBP+0C],C8
0187:0045227F JNZ 00452289
0187:00452281 MOV WORD [EBP-0C],07
0187:00452287 JMP SHORT 004522DC
0187:00452289 CMP DWORD [EBP+0C],012C
0187:00452290 JNZ 0045229A
0187:00452292 MOV WORD [EBP-0C],0D
0187:00452298 JMP SHORT 004522DC
0187:0045229A CMP DWORD [EBP+0C],01F4
0187:004522A1 JNZ 004522AB
0187:004522A3 MOV WORD [EBP-0C],20
0187:004522A9 JMP SHORT 004522DC
0187:004522AB CMP DWORD [EBP+0C],0258
0187:004522B2 JNZ 004522BC
0187:004522B4 MOV WORD [EBP-0C],3B
0187:004522BA JMP SHORT 004522DC
0187:004522BC CMP DWORD [EBP+0C],02BC
0187:004522C3 JNZ 004522CD
0187:004522C5 MOV WORD [EBP-0C],43
0187:004522CB JMP SHORT 004522DC
0187:004522CD CMP DWORD [EBP+0C],0320 <---这里开始
0187:004522D4 JNZ 004522DC
0187:004522D6 MOV WORD [EBP-0C],07 <---这是内定的数,用来运算的
0187:004522DC MOV ECX,[EBP+08] <---指针
0187:004522DF ADD ECX,[EBP-10] <---计数器
0187:004522E2 MOVSX EDX,BYTE [ECX] <---取第一位"S",edx=00000053
0187:004522E5 TEST EDX,EDX
0187:004522E7 JZ 00452339 <---如果为空就跳
0187:004522E9 MOV EAX,[EBP+08]
0187:004522EC ADD EAX,[EBP-10]
0187:004522EF MOV CL,[EAX]
0187:004522F1 PUSH ECX
0187:004522F2 CALL 004521E0 <---进Call 2去看看
0187:004522F7 ADD ESP,BYTE +04 <---写注册机这行一定要去掉
0187:004522FA MOV [EBP-08],AL
0187:004522FD MOVSX EDX,BYTE [EBP-08]
0187:00452301 TEST EDX,EDX
0187:00452303 JZ 0045232E <---非字母和数字就判断下一位
0187:00452305 MOV EAX,[EBP-04] <---存放临时数据的指针,初始是内定的07 00
0187:00452308 ADD EAX,[EBP-14] <---临时数据的计数器
0187:0045230B MOV CL,[EAX] <---取出07
0187:0045230D XOR CL,[EBP-08] <---xor "S"
0187:00452310 MOV EDX,[EBP-04]
0187:00452313 ADD EDX,[EBP-14]
0187:00452316 MOV [EDX],CL <---保存在临时数据区
0187:00452318 MOV EAX,[EBP-14]
0187:0045231B ADD EAX,BYTE +01 <---指针加1
0187:0045231E MOV [EBP-14],EAX
0187:00452321 CMP DWORD [EBP-14],BYTE +01
0187:00452325 JNG 0045232E
0187:00452327 MOV DWORD [EBP-14],00 <---这里调试时要看清楚,不然很容易搞不清楚,这里的内定数是7,内存显示为07 00,程序先用注册名的第1位与7 xor,用第2位与0 xor,然后替换,跟着是第3.4.5...位,所以我所说的临时数据区只是一个WORD的大小,最后我们得到一个数7976h

0187:0045232E MOV ECX,[EBP-10]
0187:00452331 ADD ECX,BYTE +01
0187:00452334 MOV [EBP-10],ECX
0187:00452337 JMP SHORT 004522DC
0187:00452339 MOVSX EAX,WORD [EBP-0C] <---注册名算完后或没填注册名就会跳到这里
0187:0045233D XOR EAX,01C8 <---用结果7976 xor 01C8,这个1C8也算是个内定数
0187:00452342 CDQ
0187:00452343 MOV ECX,03E8
0187:00452348 IDIV ECX
0187:0045234A MOV AX,DX <---edx=38E,这个就是注册名对应的正确注册码
0187:0045234D MOV ESP,EBP
0187:0045234F POP EBP
0187:00452350 RET

==Call 2======================================================
0187:004521E0 PUSH EBP
0187:004521E1 MOV EBP,ESP
0187:004521E3 PUSH ECX
0187:004521E4 MOVSX EAX,BYTE [EBP+08] <---"S"
0187:004521E8 PUSH EAX
0187:004521E9 CALL 00488CDF <---进Call 3看看
0187:004521EE ADD ESP,BYTE +04 <---写注册机这行一定要去掉
0187:004521F1 MOV [EBP-04],AL
0187:004521F4 MOVSX ECX,BYTE [EBP-04]
0187:004521F8 CMP ECX,BYTE +61
0187:004521FB JL 0045220B
0187:004521FD MOVSX EDX,BYTE [EBP-04]
0187:00452201 CMP EDX,BYTE +7A
0187:00452204 JG 0045220B
0187:00452206 MOV AL,[EBP-04]
0187:00452209 JMP SHORT 00452224
0187:0045220B MOVSX EAX,BYTE [EBP-04]
0187:0045220F CMP EAX,BYTE +30
0187:00452212 JL 00452222
0187:00452214 MOVSX ECX,BYTE [EBP-04]
0187:00452218 CMP ECX,BYTE +39
0187:0045221B JG 00452222
0187:0045221D MOV AL,[EBP-04]
0187:00452220 JMP SHORT 00452224
0187:00452222 XOR AL,AL <---这个Call是判断注册名是否为字母和数字,不是就返回0
0187:00452224 MOV ESP,EBP
0187:00452226 POP EBP
0187:00452227 RET

==Call 3=====================================================
0187:00488CDF PUSH EBX
0187:00488CE0 XOR EBX,EBX
0187:00488CE2 CMP [0050D0E4],EBX
0187:00488CE8 JNZ 00488CFD <---这里肯定不会跳
0187:00488CEA MOV EAX,[ESP+08]
0187:00488CEE CMP EAX,BYTE +41
0187:00488CF1 JL 00488D4C
0187:00488CF3 CMP EAX,BYTE +5A
0187:00488CF6 JG 00488D4C
0187:00488CF8 ADD EAX,BYTE +20 <---这个Call其实是将大写转为小写
0187:00488CFB POP EBX
0187:00488CFC RET
0187:00488CFD PUSH ESI
0187:00488CFE MOV ESI,0050EA8C
0187:00488D03 PUSH EDI
0187:00488D04 PUSH ESI
0187:00488D05 CALL `KERNEL32!InterlockedIncrement`
0187:00488D0B CMP [0050EA88],EBX
0187:00488D11 MOV EDI,[004D338C]
0187:00488D17 JZ 00488D27
0187:00488D19 PUSH ESI
0187:00488D1A CALL EDI
0187:00488D1C PUSH BYTE +13
0187:00488D1E CALL 0048EC5D
0187:00488D23 POP ECX
0187:00488D24 PUSH BYTE +01
0187:00488D26 POP EBX
0187:00488D27 PUSH DWORD [ESP+10]
0187:00488D2B CALL 00488D4E
0187:00488D30 TEST EBX,EBX
0187:00488D32 POP ECX
0187:00488D33 MOV [ESP+10],EAX
0187:00488D37 JZ 00488D43
0187:00488D39 PUSH BYTE +13
0187:00488D3B CALL 0048ECBE
0187:00488D40 POP ECX
0187:00488D41 JMP SHORT 00488D46
0187:00488D43 PUSH ESI
0187:00488D44 CALL EDI
0187:00488D46 MOV EAX,[ESP+10]
0187:00488D4A POP EDI
0187:00488D4B POP ESI
0187:00488D4C POP EBX
0187:00488D4D RET

总结:注册信息的其它6个部分过程都是一样的,只不过里面的2个内定数不同而已,他们分别是
Name: 7 1C8
Company: B 66
Street: D3 5B
Town: AB 2F1
ZIP: 3 38A
Country: 27 7
Licences: 63 7
如果什么都不填的话我们最后得到一个注册码:602032136463905109100

==Keygen=======================================================
由于程序有7个注册信息要填,但注册机编写器最多只有3个,所以我用我自己做的一个模板做了一个注册机,不过如果一定要用注册机编写器来做的话可以将注册码先定好,只算3项就行了,在此就不做介绍了.

我的这个模板只是建立了一个对话框,在模板中间和后面分别加上代码和子程序就行了其实和注册机编写器是一样的.建议想学编程的多学一点windows的信息机制.另外用masm来编译程序的话,如果我们的源程序有错,编译窗口里会指出错在第几行,是什么错误,这样我们就很容易改正,而用注册机编写器来做的话就看不到,我刚开始学用注册机编写器时就花了很多时间去修改程序,主要是不知错在那里.

原程序在算注册码时分别调用了7个不同的Call,但不同的只是两个内定数,于是我将它改为一个子程序,多加了2个参数,这样我们的源代码就简洁了,另外一个子程序CopySn只是复制算出的注册码而已,它还判断注册码如果小于3位时要加个0,如32必须变成032,还有就是写注册机时一定要将程序的ADD ESP,BYTE +04去掉,不然堆栈就会乱掉.

注册机的资源文件请自己建立,只要简单的建一个对话框ID为100,8个编辑栏ID分别为101至108,确定键ID为1,退出键ID为2即可,注册机在masm 7.0编译通过.我将做好的注册机放到了win32asm编程论坛,大家可参照一下,内附源码.

.586
.model flat, stdcall
option casemap :none

DialogProc proto :DWORD,:DWORD,:DWORD,:DWORD
Sub_00452228 proto :DWORD,:WORD,:WORD
CopySn proto

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
szFmt db "%u",0
szBuffer db 22 dup(0)
szTemp db 8 dup(0)

.data?
hInstance dd ?
hTempEbp dd ?
hInput1 db 100 dup(?)
hInput2 db 100 dup(?)
hInput3 db 100 dup(?)
hInput4 db 100 dup(?)
hInput5 db 100 dup(?)
hInput6 db 100 dup(?)
hInput7 db 100 dup(?)

.code
start:
invoke GetModuleHandle,0
mov hInstance,eax
invoke DialogBoxParam,hInstance,100,0,offset DialogProc,eax
invoke ExitProcess,0
ret
DialogProc proc hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,uMsg
.if eax == WM_CLOSE
  invoke EndDialog,hWnd,0
.elseif eax == WM_COMMAND
  mov eax,wParam
  .if eax == 1
      invoke GetDlgItemTextA,hWnd,101,addr hInput1,sizeof hInput1
      invoke GetDlgItemTextA,hWnd,102,addr hInput2,sizeof hInput2
      invoke GetDlgItemTextA,hWnd,103,addr hInput3,sizeof hInput3
      invoke GetDlgItemTextA,hWnd,104,addr hInput4,sizeof hInput4
      invoke GetDlgItemTextA,hWnd,105,addr hInput5,sizeof hInput5
      invoke GetDlgItemTextA,hWnd,106,addr hInput6,sizeof hInput6
      invoke GetDlgItemTextA,hWnd,107,addr hInput7,sizeof hInput7

      push ebp
      mov hTempEbp,ebp
;Your Code Start Here

  lea edi,szBuffer
  invoke Sub_00452228,addr hInput4,00ABh,02F1h
  invoke CopySn
  invoke Sub_00452228,addr hInput6,0027h,0007h
  invoke CopySn
  invoke Sub_00452228,addr hInput3,00D3h,005Bh
  invoke CopySn
  invoke Sub_00452228,addr hInput1,0007h,01C8h
  invoke CopySn
  invoke Sub_00452228,addr hInput5,0003h,038Ah
  invoke CopySn
  invoke Sub_00452228,addr hInput2,000Bh,0066h
  invoke CopySn
  invoke Sub_00452228,addr hInput7,0063h,0007h
  invoke CopySn

  lea eax,szBuffer

;Code Cut Here
      .repeat
          pop ebp
      .until ebp == hTempEbp
      invoke SetDlgItemTextA,hWnd,108,eax
      mov eax,1
      ret

  .elseif eax == 2
      invoke EndDialog,hWnd,0
  .endif
.else
  xor eax,eax
  ret
.endif
mov eax,1
ret
DialogProc endp

;Your Sub Call Start Here

Sub_00452228 Proc lPtxt:DWORD,Data1:WORD,Data2:WORD
  SUB ESP,BYTE PTR 1Ch
  LEA EAX,[EBP-0Ch]
  MOV [EBP-04],EAX
  MOV DWORD PTR [EBP-10h],00
  MOV DWORD PTR [EBP-14h],00
  MOV CX,WORD PTR [EBP+0Ch]
  MOV [EBP-0Ch],WORD PTR CX
Loc_004522DC:
  MOV ECX,[EBP+08]
  ADD ECX,[EBP-10h]
  MOVSX EDX,BYTE PTR [ECX]
  TEST EDX,EDX
  JZ Loc_00452339
  MOV EAX,[EBP+08]
  ADD EAX,[EBP-10h]
  MOV CL,[EAX]
  PUSH ECX
  CALL Sub_004521E0
  MOV [EBP-08],AL
  MOVSX EDX,BYTE PTR [EBP-08]
  TEST EDX,EDX
  JZ Loc_0045232E
  MOV EAX,[EBP-04]
  ADD EAX,[EBP-14h]
  MOV CL,[EAX]
  XOR CL,[EBP-08]
  MOV EDX,[EBP-04]
  ADD EDX,[EBP-14h]
  MOV [EDX],CL
  MOV EAX,[EBP-14h]
  ADD EAX,BYTE PTR 01
  MOV [EBP-14h],EAX
  CMP [EBP-14h],BYTE PTR 01
  JNG Loc_0045232E
  MOV DWORD PTR [EBP-14h],00
Loc_0045232E:
  MOV ECX,[EBP-10h]
  ADD ECX,BYTE PTR 01
  MOV [EBP-10h],ECX
  JMP Loc_004522DC
Loc_00452339:
  MOVSX EAX,WORD PTR [EBP-0Ch]
  MOVSX ECX,WORD PTR [EBP+10h]
  XOR EAX,ECX
  CDQ
  MOV ECX,03E8h
  IDIV ECX
  RET

Sub_004521E0:
  PUSH EBP
  MOV EBP,ESP
  PUSH ECX
  MOVSX EAX,BYTE PTR [EBP+08]
  PUSH EAX
  CALL Sub_00488CDF
  MOV [EBP-04],AL
  MOVSX ECX,BYTE PTR [EBP-04]
  CMP ECX,BYTE PTR 61h
  JL Loc_0045220B
  MOVSX EDX,BYTE PTR [EBP-04]
  CMP EDX,BYTE PTR 7Ah
  JG Loc_0045220B
  MOV AL,[EBP-04]
  JMP Loc_00452224
Loc_0045220B:
  MOVSX EAX,BYTE PTR [EBP-04]
  CMP EAX,BYTE PTR 30h
  JL Loc_00452222
  MOVSX ECX,BYTE PTR [EBP-04]
  CMP ECX,BYTE PTR 39h
  JG Loc_00452222
  MOV AL,[EBP-04]
  JMP Loc_00452224
Loc_00452222:
  XOR AL,AL
Loc_00452224:
  RET 0

Sub_00488CDF:
  PUSH EBP
  MOV EBP,ESP
MOV EAX,[ESP+08]
  CMP EAX,BYTE PTR 41h
  JL Loc_00488D4C
  CMP EAX,BYTE PTR 5Ah
  JG Loc_00488D4C
  ADD EAX,BYTE PTR 20h
Loc_00488D4C:
  RET 0

Sub_00452228 endp

CopySn proc
  invoke wsprintf,addr szTemp,addr szFmt,edx
  lea esi,szTemp
mov ecx,eax
.if eax < 3
      mov [edi],byte ptr 30h
      inc edi
      rep movsb
  .elseif
    rep movsb
  .endif
  ret

CopySn endp

;Sub Call Cut Here
end start

_/_/_/
_/ _/_/_/ _/_/_/ _/_/
_/_/ _/ _/ _/ _/ _/
_/ _/ _/ _/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/

Sam.com
3:03 2002-4-11

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法