
驱动精灵 (WinDriver Ghost) V2.02 Personal Edition

Date: 2004/10/15 0:57:00 | Source: compiled by this site | Author: 蓝点

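Software size: 1139 KB
Language: Simplified Chinese
Category: Chinese-made software / Shareware / System backup
Platform: Win9x/NT/2000/XP
Interface preview: none
Date added: 2002-12-07 15:47:41
Downloads: 33525
Recommendation rating:

Software description:
驱动精灵 is a very practical driver backup tool. Anyone who reinstalls their computer often has had the experience of hunting for drivers: either the original driver disks are gone, or nothing was backed up beforehand, and finding them is very time-consuming. Now you only need to use 驱动精灵's driver backup feature before reinstalling to back up all of the latest drivers currently on your computer, and once the reinstall is finished, use its driver restore feature to install them. This saves a great deal of driver installation time, and you no longer need to worry about not being able to find drivers.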

 

 

Download: http://count.skycn.com/download.php?id=8760&url=http://ln-

http://count.skycn.com/download.php?id=8760&url=http://jshttp.skycn.net/down/WinDriverGhost202.exe

 


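Tools: OLLYDBG, FI250, UPXmend V1.22
FI250 identifies the packer as UPX 1.23; unpack it with UPXmend V1.22. Load the result in OLLYDBG, search the string references for ASCII "Thank you! Registration success!", and double-click to arrive at: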
004990C7 .^E9 C4B3F6FF JMP WinDrvGh.00404490
004990CC .^EB F0 JMP SHORT WinDrvGh.004990BE
004990CE . B8 C0914900 MOV EAX,WinDrvGh.004991C0 ; ASCII "Thank you! Registration success!"
004990D3 . E8 9C36FAFF CALL WinDrvGh.0043C774
004990D8 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004990DB . 8B80 1C030000 MOV EAX,DWORD PTR DS:[EAX+31>
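I set breakpoints with F2... and not one of them triggers! Damn, looks like I found the wrong place! Starting over!

ASCII "Registration Success!" <== this one should be right! Double-click to arrive at:

0049D203 . 51 PUSH ECX <= set a breakpoint here (^_^) Why? Just to make the analysis easier! (^_^)
0049D204 . 53 PUSH EBX <= EBX (ASCII "LAC" <- this will be used later) is pushed onto the stack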
0049D205 . 56 PUSH ESI
0049D206 . 57 PUSH EDI
0049D207 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049D20A . 33C0 XOR EAX,EAX
0049D20C . 55 PUSH EBP
0049D20D . 68 45D64900 PUSH WinDrvGh.0049D645
0049D212 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049D215 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049D218 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C> <= ASCII "LAC" placed in EDX
0049D21B . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D21E . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D224 . E8 7B66FAFF CALL WinDrvGh.004438A4 <= reads the registration name and its length (read via WinDrvGh.004438A4; same below!)
0049D229 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C> <= registration name length, 8, placed in EAX
0049D22C . E8 737BF6FF CALL WinDrvGh.00404DA4
0049D231 . 05 57040000 ADD EAX,457
0049D236 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18>
0049D239 . E8 72C2F6FF CALL WinDrvGh.004094B0 <= the real registration code is at most 25 characters long (^_^). Don't believe it? Try it!
0049D23E . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20>
0049D241 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D244 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
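0049D24A . E8 5566FAFF CALL WinDrvGh.004438A4 <= fetches the first 3 characters of the registration name
0049D24F . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20> <= placed at address WORD PTR SS:[EBP-20>
0049D252 . BA 5CD64900 MOV EDX,WinDrvGh.0049D65C ; ASCII "DiSTiNCT" <= the string "DiSTiNCT" is placed in EDX
0049D257 . E8 8C7CF6FF CALL WinDrvGh.00404EE8 <= an operation is performed on the first 3 characters of the registration name and the string "DiSTiNCT"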
0049D25C . 0F84 32030000 JE WinDrvGh.0049D594
0049D262 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24> <= registration name length (8 characters) placed in EDX
0049D265 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D268 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D26E . E8 3166FAFF CALL WinDrvGh.004438A4 <= reads the registration name and length again (tedious!)
0049D273 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24> <= registration name length (8 characters) placed in EAX (tedious!)
0049D276 . BA 70D64900 MOV EDX,WinDrvGh.0049D670 ; ASCII "Team iNSaNE" <= the string "Team iNSaNE" is placed in EDX
0049D27B . E8 687CF6FF CALL WinDrvGh.00404EE8 <= an operation is performed on the registration name and the string "Team iNSaNE"
0049D280 . 0F84 0E030000 JE WinDrvGh.0049D594
0049D286 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28>
0049D289 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D28C . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D292 . E8 0D66FAFF CALL WinDrvGh.004438A4 <= reads the registration name and length yet again (even more tedious!)
0049D297 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28>
0049D29A . BA 84D64900 MOV EDX,WinDrvGh.0049D684 ; ASCII "TNT!2000" <= the string "TNT!2000" is placed in EDX (what is it trying to do?! Damn!)
0049D29F . E8 447CF6FF CALL WinDrvGh.00404EE8
0049D2A4 . 0F84 EA020000 JE WinDrvGh.0049D594
0049D2AA . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C>
0049D2AD . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D2B0 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D2B6 . E8 E965FAFF CALL WinDrvGh.004438A4
0049D2BB . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C>
0049D2BE . BA 98D64900 MOV EDX,WinDrvGh.0049D698 ; ASCII "-=Demian/TNT!=-"
0049D2C3 . E8 207CF6FF CALL WinDrvGh.00404EE8 <= a "-" has been added (^_^)
0049D2C8 . 0F84 C6020000 JE WinDrvGh.0049D594
0049D2CE . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30>
0049D2D1 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D2D4 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D2DA . E8 C565FAFF CALL WinDrvGh.004438A4
0049D2DF . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30>
0049D2E2 . BA B0D64900 MOV EDX,WinDrvGh.0049D6B0 ; ASCII "-=Demian/TNT!=- "
0049D2E7 . E8 FC7BF6FF CALL WinDrvGh.00404EE8
0049D2EC . 0F84 A2020000 JE WinDrvGh.0049D594
0049D2F2 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34>
0049D2F5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D2F8 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D2FE . E8 A165FAFF CALL WinDrvGh.004438A4
0049D303 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34>
0049D306 . BA CCD64900 MOV EDX,WinDrvGh.0049D6CC ; ASCII "DiSTiNCT "
0049D30B . E8 D87BF6FF CALL WinDrvGh.00404EE8
0049D310 . 0F84 7E020000 JE WinDrvGh.0049D594
0049D316 . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38>
0049D319 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D31C . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D322 . E8 7D65FAFF CALL WinDrvGh.004438A4
0049D327 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38>
0049D32A . BA E0D64900 MOV EDX,WinDrvGh.0049D6E0 ; ASCII "TMG"
0049D32F . E8 B47BF6FF CALL WinDrvGh.00404EE8
0049D334 . 0F84 5A020000 JE WinDrvGh.0049D594
0049D33A . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C>
0049D33D . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D340 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D346 . E8 5965FAFF CALL WinDrvGh.004438A4
0049D34B . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C>
0049D34E . BA ECD64900 MOV EDX,WinDrvGh.0049D6EC ; ASCII "Sponge Uk"
0049D353 . E8 907BF6FF CALL WinDrvGh.00404EE8
0049D358 . 0F84 36020000 JE WinDrvGh.0049D594
0049D35E . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40>
0049D361 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D364 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D36A . E8 3565FAFF CALL WinDrvGh.004438A4
0049D36F . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40>
0049D372 . BA 00D74900 MOV EDX,WinDrvGh.0049D700 ; ASCII "Sponge Uk "
0049D377 . E8 6C7BF6FF CALL WinDrvGh.00404EE8
0049D37C . 0F84 12020000 JE WinDrvGh.0049D594
0049D382 . 68 14D74900 PUSH WinDrvGh.0049D714
0049D387 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D38A . FFB0 2C030000 PUSH DWORD PTR DS:[EAX+32C]
0049D390 . 68 20D74900 PUSH WinDrvGh.0049D720 ; ASCII "20" <= "20" is pushed onto the stack (what is 20 for? Read on... (^_^))
0049D395 . FF75 E8 PUSH DWORD PTR SS:[EBP-18] <= the ASCII here is "1119"; read on... (^_^)
0049D398 . 68 2CD74900 PUSH WinDrvGh.0049D72C
0049D39D . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48>
0049D3A0 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D3A3 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
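0049D3A9 . E8 F664FAFF CALL WinDrvGh.004438A4 <= registration name length (8 characters)
0049D3AE . 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48> <= registration name length (8 characters) placed in EAX
0049D3B1 . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44>
0049D3B4 . E8 9BFDFFFF CALL WinDrvGh.0049D154 <= this CALL computes the last N characters of the registration code from the length of the registration name. Why N? Follow me in and see! (^_^) Press F7 to step in (between the dashed lines)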
==============================================
.......... (omitted)
0049D194 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] <= registration name length (8 characters) placed in EAX
0049D197 |. 0FB67438 FF |MOVZX ESI,BYTE PTR DS:[EAX+EDI-1] <= each of characters 1-8 of the registration name is zero-extended and moved into ESI in turn
0049D19C |. 8D55 F0 |LEA EDX,DWORD PTR SS:[EBP-10] <= placed in EDX
0049D19F |. 8BC6 |MOV EAX,ESI
0049D1A1 |. E8 26FFFFFF |CALL WinDrvGh.0049D0CC <= calls WinDrvGh.0049D0CC to compute the registration code corresponding to each registration name character (passes 1 to 8 give: "G" gives 47; "Y"=59; J=4A; [=5B; O=4F; C=43; N=4E; ]=5D)
0049D1A6 |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10] <= each placed in EDX
0049D1A9 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C] <= each placed at an address
0049D1AC |. E8 FB7BF6FF |CALL WinDrvGh.00404DAC
0049D1B1 |. 47 |INC EDI <= add 1
0049D1B2 |. 4B |DEC EBX <= subtract 1
0049D1B3 |.^75 DF \JNZ SHORT WinDrvGh.0049D194
......... (omitted)
==============================================
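See it now? Why N? If the registration name has N characters, the section between the dashed lines repeats N times to compute the registration code (^_^)! What? You use a 100-character registration name? Wouldn't it have to repeat 100 times? Haha... Don't laugh! It is not that dumb! Why, again? Look at 0049D239 . E8 72C2F6FF CALL WinDrvGh.004094B0 (^_^). Don't believe it? Try it! Damn, you have gone on all this time and that is only the second half of the registration code! What about the front part? Don't curse me! (^_^) Read on!

0049D3B9 . FF75 BC PUSH DWORD PTR SS:[EBP-44] <= you finally end up here! The sky has cleared, right? Still asking why? Try it yourself!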

 

0049D3BC . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D3BF . BA 06000000 MOV EDX,6
0049D3C4 . E8 9B7AF6FF CALL WinDrvGh.00404E64 <= inside this CALL everything becomes clear! Follow me in! Press F7 to step in (between the dashed lines)
==============================================

 

00404E7D > 8B4C94 14 MOV ECX,DWORD PTR SS:[ESP+EDX*4+14] ; WinDrvGh.0049D720
00404E81 . 85C9 TEST ECX,ECX
00404E83 . 74 09 JE SHORT WinDrvGh.00404E8E
00404E85 . 0341 FC ADD EAX,DWORD PTR DS:[ECX-4]
00404E88 . 39CF CMP EDI,ECX
00404E8A . 75 02 JNZ SHORT WinDrvGh.00404E8E
00404E8C . 31FF XOR EDI,EDI
00404E8E > 4A DEC EDX
00404E8F .^75 EC JNZ SHORT WinDrvGh.00404E7D
In this section... aha! Isn't it just the 20 and the 1119 from above, and also... try it yourself! (^_^)

 


0049D3C9 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18>
0049D3CC . BA 38D74900 MOV EDX,WinDrvGh.0049D738 ; ASCII "\System32\spool\drivers\w32x86\2\riched20.dll SetActiveEditControlFont, Arial, 30"
0049D3D1 . E8 AE77F6FF CALL WinDrvGh.00404B84 <= this CALL is the interesting one. My registration name is currently 8 characters; if it were 9 or 7 characters... (^_^) see what "1119" turns into. Try it yourselves! (^_^)

 

0049D3D6 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C>
0049D3D9 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D3DC . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
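0049D3E2 . E8 BD64FAFF CALL WinDrvGh.004438A4 <= this reads the registration code you entered
0049D3E7 . 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C> <= the registration code you entered is placed at this address
0049D3EA . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14> <= the real registration code is placed at this address
0049D3ED . E8 EE7CF6FF CALL WinDrvGh.004050E0 <= this must be the CALL that compares the registration codes; going in!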
==============================================
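004050E0 /$ 85C0 TEST EAX,EAX <= checks the real registration code
004050E2 |. 74 40 JE SHORT WinDrvGh.00405124
004050E4 |. 85D2 TEST EDX,EDX <= checks the fake registration code
004050E6 |. 74 31 JE SHORT WinDrvGh.00405119
004050E8 |. 53 PUSH EBX <= EBX (ASCII "LAC" <- this thing is used in every CALL; I still haven't figured out what it is for. If anyone knows, please tell me! (^_^)) is pushed onto the stack
004050E9 |. 56 PUSH ESI <= an entry address
004050EA |. 57 PUSH EDI
004050EB |. 89C6 MOV ESI,EAX <= real registration code placed in ESI
004050ED |. 89D7 MOV EDI,EDX <= fake registration code placed in EDI
004050EF |. 8B4F FC MOV ECX,DWORD PTR DS:[EDI-4] <= length of the fake registration code ([EDI-4]) placed in ECX
004050F2 |. 57 PUSH EDI <= fake registration code pushed onto the stack
004050F3 |. 8B56 FC MOV EDX,DWORD PTR DS:[ESI-4] <= length of the real registration code ([ESI-4]) placed in EDX
004050F6 |. 4A DEC EDX <= subtract 1
004050F7 |. 78 1B JS SHORT WinDrvGh.00405114 <= continue execution
004050F9 |. 8A06 MOV AL,BYTE PTR DS:[ESI] <= first character of the real registration code placed in AL
004050FB |. 46 INC ESI <= add 1
004050FC |. 29D1 SUB ECX,EDX <= subtraction (EDX=19, ECX=9)
004050FE |. 7E 14 JLE SHORT WinDrvGh.00405114 <= the value is wrong, so jump to 00405114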
00405100 |> F2:AE /REPNE SCAS BYTE PTR ES:[EDI]
00405102 |. 75 10 |JNZ SHORT WinDrvGh.00405114
00405104 |. 89CB |MOV EBX,ECX
00405106 |. 56 |PUSH ESI
00405107 |. 57 |PUSH EDI
00405108 |. 89D1 |MOV ECX,EDX
0040510A |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS>
0040510C |. 5F |POP EDI
0040510D |. 5E |POP ESI
0040510E |. 74 0C |JE SHORT WinDrvGh.0040511C
00405110 |. 89D9 |MOV ECX,EBX
00405112 |.^EB EC \JMP SHORT WinDrvGh.00405100
00405114 |> 5A POP EDX <= jumps to here
00405115 |. 31C0 XOR EAX,EAX
00405117 |. EB 08 JMP SHORT WinDrvGh.00405121 <= then jumps on to 405121
00405119 |> 31C0 XOR EAX,EAX
0040511B |. C3 RETN
0040511C |> 5A POP EDX
0040511D |. 89F8 MOV EAX,EDI
0040511F |. 29D0 SUB EAX,EDX
00405121 |> 5F POP EDI <= jumps to here
00405122 |. 5E POP ESI
00405123 |. 5B POP EBX
00405124 \> C3 RETN <= returns to 0049D3F2

 


==============================================

 


0049D3F2 . 85C0 TEST EAX,EAX <= returns here (EAX=00000000)
0049D3F4 . 0F84 9A010000 JE WinDrvGh.0049D594 <= if the registration code is wrong, it is all over once you get here!
0049D3FA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D3FD . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D403 . 33D2 XOR EDX,EDX
0049D405 . E8 CA64FAFF CALL WinDrvGh.004438D4
0049D40A . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D40D . E8 DA76F6FF CALL WinDrvGh.00404AEC
0049D412 . 6A 00 PUSH 0
0049D414 . 68 8CD74900 PUSH WinDrvGh.0049D78C ; ASCII "Registration Success!"
0049D419 . 68 A4D74900 PUSH WinDrvGh.0049D7A4 ; ASCII " Thank you for your support.
We will work even harder and
notify you future releases."
0049D41E . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D421 . E8 22CCFAFF CALL WinDrvGh.0044A048
0049D426 . 50 PUSH EAX ; |hOwner
0049D427 . E8 F8A7F6FF CALL ; \MessageBoxA
0049D42C . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D42F . C680 31030000 >MOV BYTE PTR DS:[EAX+331],0
0049D436 . B2 01 MOV DL,1
0049D438 . A1 54604600 MOV EAX,DWORD PTR DS:[466054>
0049D43D . E8 128DFCFF CALL WinDrvGh.00466154
0049D442 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0049D445 . 33C0 XOR EAX,EAX
0049D447 . 55 PUSH EBP
0049D448 . 68 49D54900 PUSH WinDrvGh.0049D549
0049D44D . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049D450 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049D453 . BA 01000080 MOV EDX,80000001
0049D458 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D45B . E8 948DFCFF CALL WinDrvGh.004661F4
0049D460 . B1 01 MOV CL,1
0049D462 . BA 04D84900 MOV EDX,WinDrvGh.0049D804 ; ASCII "\Software\Microsoft\Windows\CurrentVersion\IPSecs"
0049D467 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D46A . E8 ED8DFCFF CALL WinDrvGh.0046625C
0049D46F . 84C0 TEST AL,AL
0049D471 . 74 0C JE SHORT WinDrvGh.0049D47F
0049D473 . 33C0 XOR EAX,EAX
0049D475 . 8945 F0 MOV DWORD PTR SS:[EBP-10],EA>
0049D478 . C745 F4 00000E>MOV DWORD PTR SS:[EBP-C],400>
0049D47F > 33C0 XOR EAX,EAX
0049D481 . 55 PUSH EBP
0049D482 . 68 D6D44900 PUSH WinDrvGh.0049D4D6
0049D487 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049D48A . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049D48D . FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; /Arg2
0049D490 . FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |Arg1
0049D493 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50>; |
0049D496 . E8 89E9F6FF CALL WinDrvGh.0040BE24 ; \WinDrvGh.0040BE24
0049D49B . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50>
0049D49E . BA 40D84900 MOV EDX,WinDrvGh.0049D840 ; ASCII "RISCx86"
0049D4A3 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D4A6 . E8 F591FCFF CALL WinDrvGh.004666A0
0049D4AB . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54>
0049D4AE . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D4B1 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D4B7 . E8 E863FAFF CALL WinDrvGh.004438A4
0049D4BC . 8B4D AC MOV ECX,DWORD PTR SS:[EBP-54>
0049D4BF . BA 50D84900 MOV EDX,WinDrvGh.0049D850 ; ASCII "UserName"
0049D4C4 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D4C7 . E8 D491FCFF CALL WinDrvGh.004666A0
0049D4CC . 33C0 XOR EAX,EAX
0049D4CE . 5A POP EDX
0049D4CF . 59 POP ECX
0049D4D0 . 59 POP ECX
0049D4D1 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049D4D4 . EB 55 JMP SHORT WinDrvGh.0049D52B
0049D4D6 .^E9 2D6EF6FF JMP WinDrvGh.00404308
0049D4DB 01 DB 01
0049D4DC 00 DB 00
0049D4DD 00 DB 00
0049D4DE > 00F4 ADD AH,DH ; |
0049D4E0 . 5F POP EDI ; |
0049D4E1 . 46 INC ESI ; |
0049D4E2 . 00E7 ADD BH,AH ; |
0049D4E4 . D4 49 AAM 49 ; |
0049D4E6 . 00FF ADD BH,BH ; |
0049D4E8 .^75 F4 JNZ SHORT WinDrvGh.0049D4DE ; |
0049D4EA . FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |Arg1
0049D4ED . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58>; |
0049D4F0 . E8 2FE9F6FF CALL WinDrvGh.0040BE24 ; \WinDrvGh.0040BE24
0049D4F5 . 8B4D A8 MOV ECX,DWORD PTR SS:[EBP-58>
0049D4F8 . BA 40D84900 MOV EDX,WinDrvGh.0049D840 ; ASCII "RISCx86"
0049D4FD . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D500 . E8 9B91FCFF CALL WinDrvGh.004666A0
0049D505 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C>
0049D508 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D50B . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D511 . E8 8E63FAFF CALL WinDrvGh.004438A4
0049D516 . 8B4D A4 MOV ECX,DWORD PTR SS:[EBP-5C>
0049D519 . BA 50D84900 MOV EDX,WinDrvGh.0049D850 ; ASCII "UserName"
0049D51E . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D521 . E8 7A91FCFF CALL WinDrvGh.004666A0
0049D526 . E8 1970F6FF CALL WinDrvGh.00404544
0049D52B > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D52E . E8 918CFCFF CALL WinDrvGh.004661C4
0049D533 . 33C0 XOR EAX,EAX
0049D535 . 5A POP EDX
0049D536 . 59 POP ECX
0049D537 . 59 POP ECX
0049D538 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049D53B . 68 50D54900 PUSH WinDrvGh.0049D550
0049D540 > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D543 . E8 B467F6FF CALL WinDrvGh.00403CFC
0049D548 . C3 RETN
0049D549 .^E9 426FF6FF JMP WinDrvGh.00404490
0049D54E .^EB F0 JMP SHORT WinDrvGh.0049D540
0049D550 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D553 . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D559 . 33D2 XOR EDX,EDX
0049D55B . E8 7463FAFF CALL WinDrvGh.004438D4
0049D560 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D563 . E8 8475F6FF CALL WinDrvGh.00404AEC
0049D568 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D56B . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D571 . 33D2 XOR EDX,EDX
0049D573 . E8 5C63FAFF CALL WinDrvGh.004438D4
0049D578 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D57B . C680 30030000 >MOV BYTE PTR DS:[EAX+330],0
0049D582 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D585 . 8B80 24030000 MOV EAX,DWORD PTR DS:[EAX+32>
0049D58B . B2 01 MOV DL,1
0049D58D . E8 E6CFF9FF CALL WinDrvGh.0043A578
0049D592 . EB 54 JMP SHORT WinDrvGh.0049D5E8
0049D594 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] <= jumps to here
0049D597 . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D59D . 33D2 XOR EDX,EDX
0049D59F . E8 3063FAFF CALL WinDrvGh.004438D4
0049D5A4 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D5A7 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D5AD . 33D2 XOR EDX,EDX
0049D5AF . E8 2063FAFF CALL WinDrvGh.004438D4
0049D5B4 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D5B7 . BA 03000000 MOV EDX,3
0049D5BC . E8 677BF6FF CALL WinDrvGh.00405128
0049D5C1 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D5C4 . BA 64D84900 MOV EDX,WinDrvGh.0049D864 ; ASCII "$%^"
0049D5C9 . E8 B675F6FF CALL WinDrvGh.00404B84
0049D5CE . 6A 00 PUSH 0
0049D5D0 . 68 68D84900 PUSH WinDrvGh.0049D868 ; ASCII "Invalid Registration Code"
0049D5D5 . 68 84D84900 PUSH WinDrvGh.0049D884 ; ASCII "Please make sure the registration
code and the registration name are
correct."
0049D5DA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D5DD . E8 66CAFAFF CALL WinDrvGh.0044A048
0049D5E2 . 50 PUSH EAX ; |hOwner
0049D5E3 . E8 3CA6F6FF CALL ; \MessageBoxA <= completely done for!

 

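Summary: the last N characters of the registration code are computed from the user name and its length, but at most 25. The first 5 characters of the registration code are fixed as MTW20; the 4 characters after those first 5 are not fixed either, and depend on the length of the registration name. A "-" is also added.
Mine is:
Registration name: GYJ[OCN]
Registration code: MTW201119-47594A5B4F434E5D
The keygen is not done yet; another day, OK? I'm tired! I've been writing all day!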

 

In the registry, under

HKEY_USERS\S-1-5-21-1644491937-1957994488-1060284298-500\Software\Microsoft\Windows\CurrentVersion\IPSecs\RISCx86:

adding "1900-1-2 18:00:00" turns it into the registered version.

HKEY_USERS\S-1-5-21-1644491937-1957994488-1060284298-500\Software\Microsoft\Windows\CurrentVersion\IPSecs\DriverUpdate: "2002-12-28 17:16:21" <== this is the time of your installation

 

 


XXDOWNLOAD 1.14 analysis (note the version)
from DEDE we got the info below:
--------------------------------
005A1F1D E84224E6FF call 00404364 ; cat MC behind NAME and a '-', and form a long STRING
005A1F22 8B45EC mov eax, [ebp-$14]
005A1F25 5A pop edx

 

005A1F26 E859180300 call 005D3784 ; here is the main call for CODE
005A1F2B 84C0 test al, al

 

let's dig into CALL 5D3784 and see what is in it:
---------------------------------------------------
005D37C8 8B45FC mov eax, [ebp-$04] ; here is the long STRING
005D37CB E848000000 call 005D3818 ; some kind of calculation
005D37D0 8B45F0 mov eax, [ebp-$10] ; the result CODE
005D37D3 8B55F8 mov edx, [ebp-$08] ; the input CODE

 

* Reference to: system.@LStrCmp;
005D37D6 E8D90BE3FF call 004043B4
005D37DB 7506 jnz 005D37E3 ; FAILED!

 


see what is in CALL 005D3818:
-----------------------------
005D3851 |. 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
005D3854 |. BA B8385D00 MOV EDX,unpacked.005D38B8 ; ASCII "hidownload1.14"
005D3859 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; Long STRING
005D385C |. E8 8FDF0000 CALL unpacked.005E17F0 ; step 1()
result1 is: 'ylUQQbbOCBkVHn7X/POg+V/BefqmnRucVd3yORd/xh=='

 


005D3861 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; result1
005D3864 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
005D3867 |. E8 4037FAFF CALL unpacked.00576FAC ; step 2()
result2 is: 92 B6 9C FE 3A 66 FE 95 7C 11 C0 AD 28 2B 6C F1 128bits

 

005D386C |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; result2
005D386F |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
005D3872 |. E8 A937FAFF CALL unpacked.00577020 ; step 3(change result2 to a HEX string)
; the HEX string is the right code
----------------------------------
see step 1 in CALL 005E17F0 first:
----------------------------------
005E182A |. A1 F8C85400 MOV EAX,DWORD PTR DS:[54C8F8]
005E182F |. E8 9CB1F6FF CALL unpacked.0054C9D0 ; BlowFish.Create
005E1834 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; store BlowFish
005E1837 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
005E183A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005E183D |. E8 1EAFF6FF CALL unpacked.0054C760

 

CALL unpacked.0054C760:
-----------------------
0054C76C |. A1 C0BD5400 MOV EAX,DWORD PTR DS:[54BDC0]
0054C771 |. E8 06F7FFFF CALL unpacked.0054BE7C ; SHA1.Create
0054C776 |. 8BD8 MOV EBX,EAX
0054C778 |. 8BC3 MOV EAX,EBX
0054C77A |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0054C77C |. FF52 34 CALL NEAR DWORD PTR DS:[EDX+34]; SHA1.Initial values(0x67452301...)

 

0054C7B0 |. 8B08 MOV ECX,DWORD PTR DS:[EAX] ; 'hidownload1.14'
0054C7B2 |. FF51 40 CALL NEAR DWORD PTR DS:[ECX+40]; SHA1.Encrypt

 

SHA1('hidownload1.14') = FD BD AD D9 20 79 52 03 2A 24 0B AE 48 E7 ED 7E F0 28 6A 8B

 

0054C7D0 |. 8BD6 MOV EDX,ESI
0054C7D2 |. 8BCD MOV ECX,EBP
0054C7D4 |. 8BC7 MOV EAX,EDI
0054C7D6 |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
0054C7D8 |. FF57 30 CALL NEAR DWORD PTR DS:[EDI+30]; BlowFish_Init(SHA1.result)
; BlowFish_EN(-1)

 

005E1867 |. 8BD0 MOV EDX,EAX
005E1869 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005E186C |. 59 POP ECX
005E186D |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
005E186F |. FF53 4C CALL NEAR DWORD PTR DS:[EBX+4C] ; Loops of BlowFish_EN xor long STRING
; if U want to know more, just track in

 

005E1875 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; result of last op
005E1878 |. E8 FBA2F6FF CALL unpacked.0054BB78 ; something like base64
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

 

005E187D |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; result of last op

 

--------------------------------------
then see step 2 in CALL 00576FAC next:
--------------------------------------
00576FCE |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00576FD1 |. E8 1AFEFFFF CALL unpacked.00576DF0 ; MD5.Initial

 

00576FED |. E8 52FEFFFF CALL unpacked.00576E44 ; grouped result1
00576FF2 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00576FF5 |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00576FF8 |. E8 1FFFFFFF CALL unpacked.00576F1C ; MD5.Encrypt
; it is the result2

 


HiDownLoad1.15 still uses a visible code compare :), but how the code is derived has changed:

 

Name + ':' + EMail + 'chs-1.15'

 

MD5

 

change MD5's to string










