=======================Open Cracking Group=======================
=
= Search32-PRO v6.05 Registration Algorithm Analysis
= DiKeN/OCG
=
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
====================Open Cracking Group==========================
=
=Tools: LordPE, DeDe, W32Dasm, ODBG, Notepad, Delphi
=
=================================================================
1.LordPE-->Unpack
2.DeDe
NAG--->Button1--->0048B938
3.W32Dasm (to grab the assembly listing; it is what I am used to)
4.ODBG
=================================================================
0048B938 55 PUSH EBP
0048B939 8BEC MOV EBP,ESP
0048B93B 83C4 E0 ADD ESP,-20
0048B93E 53 PUSH EBX
0048B93F 56 PUSH ESI
0048B940 57 PUSH EDI
0048B941 33C9 XOR ECX,ECX
0048B943 894D E8 MOV DWORD PTR SS:[EBP-18],ECX
0048B946 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX
0048B949 894D E0 MOV DWORD PTR SS:[EBP-20],ECX
0048B94C 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
0048B94F 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0048B952 33C0 XOR EAX,EAX
0048B954 55 PUSH EBP
0048B955 68 24BD4800 PUSH Search32.0048BD24
0048B95A 64:FF30 PUSH DWORD PTR FS:[EAX]
0048B95D 64:8920 MOV DWORD PTR FS:[EAX],ESP
0048B960 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048B963 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048B966 8B80 10020000 MOV EAX,DWORD PTR DS:[EAX+210]
0048B96C E8 3745F9FF CALL Search32.0041FEA8
0048B971 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0048B974 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0048B977 E8 8CBCF7FF CALL Search32.00407608
0048B97C 837D E8 00 CMP DWORD PTR SS:[EBP-18],0
0048B980 75 2F JNZ SHORT Search32.0048B9B1
0048B982 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048B985 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048B988 8B80 14020000 MOV EAX,DWORD PTR DS:[EAX+214]
0048B98E E8 1545F9FF CALL Search32.0041FEA8
0048B993 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0048B996 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0048B999 E8 6ABCF7FF CALL Search32.00407608
0048B99E 837D E0 00 CMP DWORD PTR SS:[EBP-20],0
0048B9A2 75 0D JNZ SHORT Search32.0048B9B1
0048B9A4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048B9A7 E8 3026FAFF CALL Search32.0042DFDC
0048B9AC E9 45030000 JMP Search32.0048BCF6
0048B9B1 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048B9B4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048B9B7 8B80 10020000 MOV EAX,DWORD PTR DS:[EAX+210]
0048B9BD E8 E644F9FF CALL Search32.0041FEA8
0048B9C2 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0048B9C5 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0048B9C8 E8 3BBCF7FF CALL Search32.00407608
0048B9CD 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0048B9D0 A1 BC254B00 MOV EAX,DWORD PTR DS:[4B25BC]
0048B9D5 E8 BA80F7FF CALL Search32.00403A94
0048B9DA 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048B9DD 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048B9E0 8B80 14020000 MOV EAX,DWORD PTR DS:[EAX+214]
0048B9E6 E8 BD44F9FF CALL Search32.0041FEA8
0048B9EB 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0048B9EE 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0048B9F1 E8 12BCF7FF CALL Search32.00407608
0048B9F6 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0048B9F9 A1 3C264B00 MOV EAX,DWORD PTR DS:[4B263C]
0048B9FE E8 9180F7FF CALL Search32.00403A94
0048BA03 A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BA08 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BA0A 8B98 5C060000 MOV EBX,DWORD PTR DS:[EAX+65C]
0048BA10 85DB TEST EBX,EBX
0048BA12 75 50 JNZ SHORT Search32.0048BA64
0048BA14 68 34BD4800 PUSH Search32.0048BD34
0048BA19 E8 22E0FBFF CALL Search32.00449A40 ; JMP to Srch32_d.CreateIndexObject
0048BA1E 8BD8 MOV EBX,EAX
0048BA20 8B15 3C264B00 MOV EDX,DWORD PTR DS:[4B263C] ; Search32.004B3B14
0048BA26 8B12 MOV EDX,DWORD PTR DS:[EDX]
0048BA28 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BA2B B9 40BD4800 MOV ECX,Search32.0048BD40 ; ASCII "SP6"
0048BA30 E8 D382F7FF CALL Search32.00403D08
0048BA35 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0048BA38 E8 4384F7FF CALL Search32.00403E80
0048BA3D 50 PUSH EAX
0048BA3E A1 BC254B00 MOV EAX,DWORD PTR DS:[4B25BC]
0048BA43 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BA45 E8 3684F7FF CALL Search32.00403E80
0048BA4A 50 PUSH EAX
0048BA4B 53 PUSH EBX
0048BA4C 8B03 MOV EAX,DWORD PTR DS:[EBX]
0048BA4E FF50 74 CALL DWORD PTR DS:[EAX+74]
0048BA51 8B15 2C234B00 MOV EDX,DWORD PTR DS:[4B232C] ; Search32.004B3B1C
0048BA57 8902 MOV DWORD PTR DS:[EDX],EAX
0048BA59 53 PUSH EBX
0048BA5A E8 F1DFFBFF CALL Search32.00449A50 ; JMP to Srch32_d.DestroyIndexObject
0048BA5F E9 A5000000 JMP Search32.0048BB09
0048BA64 A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BA69 837B 08 00 CMP DWORD PTR DS:[EBX+8],0
0048BA6D 75 4F JNZ SHORT Search32.0048BABE
0048BA6F 68 34BD4800 PUSH Search32.0048BD34
0048BA74 E8 C7DFFBFF CALL Search32.00449A40 ; JMP to Srch32_d.CreateIndexObject
0048BA79 8BD8 MOV EBX,EAX
0048BA7B 8B15 3C264B00 MOV EDX,DWORD PTR DS:[4B263C] ; Search32.004B3B14
0048BA81 8B12 MOV EDX,DWORD PTR DS:[EDX]
0048BA83 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BA86 50 PUSH EAX
0048BA87 B9 40BD4800 MOV ECX,Search32.0048BD40 ; ASCII "SP6"
0048BA8C 58 POP EAX
0048BA8D E8 7682F7FF CALL Search32.00403D08
0048BA92 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0048BA95 E8 E683F7FF CALL Search32.00403E80
0048BA9A 50 PUSH EAX
0048BA9B A1 BC254B00 MOV EAX,DWORD PTR DS:[4B25BC]
0048BAA0 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BAA2 E8 D983F7FF CALL Search32.00403E80
0048BAA7 50 PUSH EAX
0048BAA8 53 PUSH EBX
0048BAA9 8B03 MOV EAX,DWORD PTR DS:[EBX]
0048BAAB FF50 74 CALL DWORD PTR DS:[EAX+74]
0048BAAE 8B15 2C234B00 MOV EDX,DWORD PTR DS:[4B232C] ; Search32.004B3B1C
0048BAB4 8902 MOV DWORD PTR DS:[EDX],EAX
0048BAB6 53 PUSH EBX
0048BAB7 E8 94DFFBFF CALL Search32.00449A50 ; JMP to Srch32_d.DestroyIndexObject
0048BABC EB 4B JMP SHORT Search32.0048BB09
0048BABE A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BAC3 8BC3 MOV EAX,EBX
0048BAC5 33D2 XOR EDX,EDX
0048BAC7 E8 C022F8FF CALL Search32.0040DD8C
0048BACC 8BD8 MOV EBX,EAX
0048BACE 8B15 3C264B00 MOV EDX,DWORD PTR DS:[4B263C] ; Search32.004B3B14
0048BAD4 8B12 MOV EDX,DWORD PTR DS:[EDX]
0048BAD6 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BAD9 50 PUSH EAX
0048BADA B9 40BD4800 MOV ECX,Search32.0048BD40 ; ASCII "SP6"
0048BADF 58 POP EAX
0048BAE0 E8 2382F7FF CALL Search32.00403D08
0048BAE5 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0048BAE8 E8 9383F7FF CALL Search32.00403E80
0048BAED 50 PUSH EAX
0048BAEE A1 BC254B00 MOV EAX,DWORD PTR DS:[4B25BC]
0048BAF3 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BAF5 E8 8683F7FF CALL Search32.00403E80
0048BAFA 50 PUSH EAX
0048BAFB 53 PUSH EBX
0048BAFC 8B03 MOV EAX,DWORD PTR DS:[EBX]
0048BAFE FF50 74 CALL DWORD PTR DS:[EAX+74]==================>key routine
0048BB01 8B15 2C234B00 MOV EDX,DWORD PTR DS:[4B232C] ; Search32.004B3B1C
0048BB07 8902 MOV DWORD PTR DS:[EDX],EAX==================>correct if EAX=0
0048BB09 A1 2C234B00 MOV EAX,DWORD PTR DS:[4B232C]
0048BB0E 8338 00 CMP DWORD PTR DS:[EAX],0
0048BB11 75 0F JNZ SHORT Search32.0048BB22=================>comparison
0048BB13 B8 4CBD4800 MOV EAX,Search32.0048BD4C ; ASCII "Entered password is invalid for
the given registration number."
0048BB18 E8 AB38FBFF CALL Search32.0043F3C8
0048BB1D E9 CC010000 JMP Search32.0048BCEE
0048BB22 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0048BB25 A1 5C254B00 MOV EAX,DWORD PTR DS:[4B255C]
0048BB2A 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BB2C E8 2342FAFF CALL Search32.0042FD54
0048BB31 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0048BB34 A1 F4234B00 MOV EAX,DWORD PTR DS:[4B23F4]
0048BB39 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BB3B 8B0D D0234B00 MOV ECX,DWORD PTR DS:[4B23D0] ; Search32.004B3A98
0048BB41 3301 XOR EAX,DWORD PTR DS:[ECX]
0048BB43 E8 9043F9FF CALL Search32.0041FED8
0048BB48 A1 0C244B00 MOV EAX,DWORD PTR DS:[4B240C]
0048BB4D C600 00 MOV BYTE PTR DS:[EAX],0
0048BB50 8B15 EC254B00 MOV EDX,DWORD PTR DS:[4B25EC] ; Search32.004B3B10
0048BB56 8B12 MOV EDX,DWORD PTR DS:[EDX]
0048BB58 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BB5B B9 94BD4800 MOV ECX,Search32.0048BD94 ; ASCII "Cd.cd"
0048BB60 E8 A381F7FF CALL Search32.00403D08
0048BB65 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0048BB68 E8 6BC0F7FF CALL Search32.00407BD8
0048BB6D 84C0 TEST AL,AL
0048BB6F 0F84 79010000 JE Search32.0048BCEE=======>what is this Cd.cd for? (not analyzed yet; I cannot even get one valid Code)
0048BB75 B2 01 MOV DL,1
0048BB77 A1 4CCE4000 MOV EAX,DWORD PTR DS:[40CE4C]
0048BB7C E8 2B73F7FF CALL Search32.00402EAC
0048BB81 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0048BB84 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0048BB87 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BB8A 8B08 MOV ECX,DWORD PTR DS:[EAX]
0048BB8C FF51 58 CALL DWORD PTR DS:[ECX+58]
0048BB8F 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BB92 8B10 MOV EDX,DWORD PTR DS:[EAX]
0048BB94 FF52 14 CALL DWORD PTR DS:[EDX+14]
0048BB97 48 DEC EAX
0048BB98 85C0 TEST EAX,EAX
0048BB9A 7C 6C JL SHORT Search32.0048BC08
0048BB9C 40 INC EAX
0048BB9D 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0048BBA0 C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
0048BBA7 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0048BBAA 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0048BBAD 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BBB0 8B18 MOV EBX,DWORD PTR DS:[EAX]
0048BBB2 FF53 0C CALL DWORD PTR DS:[EBX+C]
0048BBB5 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0048BBB8 E8 FF80F7FF CALL Search32.00403CBC
0048BBBD 8BF0 MOV ESI,EAX
0048BBBF 85F6 TEST ESI,ESI
0048BBC1 7E 2F JLE SHORT Search32.0048BBF2
0048BBC3 BF 01000000 MOV EDI,1
0048BBC8 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0048BBCB 8A5C38 FF MOV BL,BYTE PTR DS:[EAX+EDI-1]
0048BBCF 80FB 20 CMP BL,20
0048BBD2 74 1A JE SHORT Search32.0048BBEE
0048BBD4 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BBD7 E8 B082F7FF CALL Search32.00403E8C
0048BBDC 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0048BBDF 33D2 XOR EDX,EDX
0048BBE1 8AD3 MOV DL,BL
0048BBE3 B9 20010000 MOV ECX,120
0048BBE8 2BCA SUB ECX,EDX
0048BBEA 884C38 FF MOV BYTE PTR DS:[EAX+EDI-1],CL
0048BBEE 47 INC EDI
0048BBEF 4E DEC ESI
0048BBF0 75 D6 JNZ SHORT Search32.0048BBC8
0048BBF2 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0048BBF5 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0048BBF8 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BBFB 8B18 MOV EBX,DWORD PTR DS:[EAX]
0048BBFD FF53 20 CALL DWORD PTR DS:[EBX+20]
0048BC00 FF45 F8 INC DWORD PTR SS:[EBP-8]
0048BC03 FF4D EC DEC DWORD PTR SS:[EBP-14]
0048BC06 75 9F JNZ SHORT Search32.0048BBA7
0048BC08 A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BC0D 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BC0F 83B8 18060000 00 CMP DWORD PTR DS:[EAX+618],0
0048BC16 74 1C JE SHORT Search32.0048BC34
0048BC18 A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BC1D 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BC1F 8B90 50060000 MOV EDX,DWORD PTR DS:[EAX+650]
0048BC25 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BC28 B9 A4BD4800 MOV ECX,Search32.0048BDA4
0048BC2D E8 D680F7FF CALL Search32.00403D08
0048BC32 EB 10 JMP SHORT Search32.0048BC44
0048BC34 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BC37 8B15 EC254B00 MOV EDX,DWORD PTR DS:[4B25EC] ; Search32.004B3B10
0048BC3D 8B12 MOV EDX,DWORD PTR DS:[EDX]
0048BC3F E8 947EF7FF CALL Search32.00403AD8
0048BC44 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BC47 BA B0BD4800 MOV EDX,Search32.0048BDB0 ; ASCII "Notifying_txt"
0048BC4C E8 7380F7FF CALL Search32.00403CC4
0048BC51 8B0D BC254B00 MOV ECX,DWORD PTR DS:[4B25BC] ; Search32.004B3B18
0048BC57 8B09 MOV ECX,DWORD PTR DS:[ECX]
0048BC59 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BC5C BA C8BD4800 MOV EDX,Search32.0048BDC8 ; ASCII "Customer ID: "
0048BC61 E8 A280F7FF CALL Search32.00403D08
0048BC66 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
0048BC69 BA 0A000000 MOV EDX,A
0048BC6E 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BC71 8B18 MOV EBX,DWORD PTR DS:[EAX]
0048BC73 FF53 54 CALL DWORD PTR DS:[EBX+54]
0048BC76 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048BC79 A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BC7E 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BC80 E8 2342F9FF CALL Search32.0041FEA8
0048BC85 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
0048BC88 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BC8B BA E0BD4800 MOV EDX,Search32.0048BDE0 ; ASCII "Program: "
0048BC90 E8 7380F7FF CALL Search32.00403D08
0048BC95 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0048BC98 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BC9B 8B08 MOV ECX,DWORD PTR DS:[EAX]
0048BC9D FF51 34 CALL DWORD PTR DS:[ECX+34]
0048BCA0 BA F4BD4800 MOV EDX,Search32.0048BDF4 ; ASCII "Version: 6.05"
0048BCA5 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BCA8 8B08 MOV ECX,DWORD PTR DS:[EAX]
0048BCAA FF51 34 CALL DWORD PTR DS:[ECX+34]
0048BCAD 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0048BCB0 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BCB3 8B08 MOV ECX,DWORD PTR DS:[EAX]
0048BCB5 FF51 64 CALL DWORD PTR DS:[ECX+64]
0048BCB8 6A 03 PUSH 3
0048BCBA A1 EC254B00 MOV EAX,DWORD PTR DS:[4B25EC]
0048BCBF 8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BCC1 E8 BA81F7FF CALL Search32.00403E80
0048BCC6 50 PUSH EAX
0048BCC7 6A 00 PUSH 0
0048BCC9 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BCCC 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0048BCCF BA 0CBE4800 MOV EDX,Search32.0048BE0C ; ASCII "Notepad.exe "
0048BCD4 E8 2F80F7FF CALL Search32.00403D08
0048BCD9 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0048BCDC E8 9F81F7FF CALL Search32.00403E80
0048BCE1 50 PUSH EAX
0048BCE2 68 1CBE4800 PUSH Search32.0048BE1C ; ASCII "open"
0048BCE7 6A 00 PUSH 0
0048BCE9 E8 AADCFBFF CALL Search32.00449998 ; JMP to SHELL32.ShellExecuteA
0048BCEE 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048BCF1 E8 E622FAFF CALL Search32.0042DFDC
0048BCF6 33C0 XOR EAX,EAX
0048BCF8 5A POP EDX
0048BCF9 59 POP ECX
0048BCFA 59 POP ECX
0048BCFB 64:8910 MOV DWORD PTR FS:[EAX],EDX
0048BCFE 68 2BBD4800 PUSH Search32.0048BD2B
0048BD03 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0048BD06 E8 357DF7FF CALL Search32.00403A40
0048BD0B 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0048BD0E E8 2D7DF7FF CALL Search32.00403A40
0048BD13 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BD16 E8 257DF7FF CALL Search32.00403A40
0048BD1B 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BD1E E8 1D7DF7FF CALL Search32.00403A40
0048BD23 C3 RETN
===================Analysis shows that the registration code is checked in the dynamic library SRCH32_D.DLL
===============Exported fn(): ?checkData@@YGHPAD0@Z - Ord:0001h
Name:
DiKeN
Code: xxxxxxxxxxxxxxxx
1234567890123456789012345678901234567890
=========================================================================
Exported fn(): ?checkData@@YGHPAD0@Z - Ord:0001h
:10001320 81ECDC020000 sub esp, 000002DC
:10001326 53 push ebx
:10001327 55 push ebp
:10001328 56 push esi
:10001329 57 push edi
:1000132A 8BBC24F0020000 mov edi, dword ptr [esp+000002F0]
:10001331 83C9FF or ecx, FFFFFFFF
:10001334 33C0 xor eax, eax
:10001336 33DB xor ebx, ebx
:10001338 F2 repnz
:10001339 AE scasb
:1000133A F7D1 not ecx
:1000133C 2BF9 sub edi, ecx
:1000133E 8D9424A8000000 lea edx, dword ptr [esp+000000A8]
:10001345 8BC1 mov eax, ecx
:10001347 8BF7 mov esi, edi
:10001349 8BFA mov edi, edx
:1000134B 895C241C mov dword ptr [esp+1C], ebx
:1000134F C1E902 shr ecx, 02
:10001352 F3 repz
:10001353 A5 movsd
:10001354 8BC8 mov ecx, eax
:10001356 895C2424 mov dword ptr [esp+24], ebx
:1000135A 83E103 and ecx, 00000003
:1000135D BD05000000 mov ebp, 00000005
:10001362 F3 repz
:10001363 A4 movsb
:10001364 8D8C24A8000000 lea ecx, dword ptr [esp+000000A8]
:1000136B 895C2420 mov dword ptr [esp+20], ebx
:1000136F 51 push ecx
:10001370 E8A11E0100 call 10013216
:10001375 83C404 add esp, 00000004
:10001378 53 push ebx
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:10001379 FF1530400110 Call dword ptr [10014030]
:1000137F 3BC5 cmp eax, ebp=5
:10001381 8B8424A8000000 mov eax, dword ptr [esp+000000A8]=X4X3X2X1
:10001388 750F jne 10001399====>normally these should not be equal, so the jump is taken
:1000138A 3C43 cmp al, 43=C
:1000138C 7418 je 100013A6
:1000138E 80FC44 cmp ah, 44=D
:10001391 0F8582040000 jne 10001819============>error 1
//======================>(this error should not occur)
:10001397 EB0D jmp 100013A6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001388(C)
|
:10001399 3C43 cmp al, 43
:1000139B 7509 jne 100013A6
:1000139D 80FC44 cmp ah, 44
:100013A0 0F8473040000 je 10001819============>error 2
//======================>error if the user name is CD
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000138C(C), :10001397(U), :1000139B(C)
|
:100013A6 A1308F0110 mov eax, dword ptr [10018F30]
:100013AB 8D9424E8010000 lea edx, dword ptr [esp+000001E8]
:100013B2 6804010000 push 00000104
:100013B7 52 push edx
:100013B8 50 push eax
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:100013B9 FF152C400110 Call dword ptr [1001402C]
:100013BF 85C0 test eax, eax
:100013C1 0F8452040000 je 10001819============>error 3
//====================>module load error
:100013C7 8D8C24E8010000 lea ecx, dword ptr [esp+000001E8]
:100013CE 6A5C push 0000005C
:100013D0 51 push ecx
:100013D1 E89A9C0000 call 1000B070
:100013D6 8BF0 mov esi, eax
:100013D8 83C408 add esp, 00000008
:100013DB 3BF3 cmp esi, ebx=0
:100013DD 0F8436040000 je 10001819============>error 4
//====================>module file name error
:100013E3 46 inc esi
:100013E4 56 push esi
:100013E5 89742418 mov dword ptr [esp+18], esi
:100013E9 E8281E0100 call 10013216
:100013EE 8DBC24AC000000 lea edi, dword ptr [esp+000000AC]=user name
:100013F5 83C9FF or ecx, FFFFFFFF
:100013F8 33C0 xor eax, eax
:100013FA 83C404 add esp, 00000004
:100013FD F2 repnz
:100013FE AE scasb
:100013FF 8B9C24F4020000 mov ebx, dword ptr [esp+000002F4]
:10001406 F7D1 not ecx
:10001408 49 dec ecx
:10001409 8BFB mov edi, ebx
:1000140B 8BD1 mov edx, ecx
:1000140D 83C9FF or ecx, FFFFFFFF
:10001410 F2 repnz
:10001411 AE scasb
:10001412 F7D1 not ecx
:10001414 49 dec ecx
:10001415 83F918 cmp ecx, 00000018
:10001418 894C2418 mov dword ptr [esp+18], ecx
:1000141C 0F82F7030000 jb 10001819============>error 5
//====================>CODE length check, >=$15 ($18-length(SP6))
:10001422 7639 jbe 1000145D
:10001424 8D7B18 lea edi, dword ptr [ebx+18]
:10001427 83C9FF or ecx, FFFFFFFF
:1000142A F2 repnz
:1000142B AE scasb
:1000142C F7D1 not ecx
:1000142E 2BF9 sub edi, ecx
:10001430 8D9C24A8000000 lea ebx, dword ptr [esp+000000A8]
:10001437 8BF7 mov esi, edi
:10001439 8BFB mov edi, ebx
:1000143B 8BD9 mov ebx, ecx
:1000143D 83C9FF or ecx, FFFFFFFF
:10001440 F2 repnz
:10001441 AE scasb
:10001442 8BCB mov ecx, ebx
:10001444 4F dec edi
:10001445 C1E902 shr ecx, 02
:10001448 F3 repz
:10001449 A5 movsd
:1000144A 8BCB mov ecx, ebx
:1000144C C744241818000000 mov [esp+18], 00000018
:10001454 83E103 and ecx, 00000003
:10001457 F3 repz
:10001458 A4 movsb
:10001459 8B742414 mov esi, dword ptr [esp+14]
The remaining string is appended to the user name
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001422(C)
|
:1000145D 83FA20 cmp edx, 00000020====>user name length
:10001460 7330 jnb 10001492
:10001462 8BFE mov edi, esi
:10001464 83C9FF or ecx, FFFFFFFF
:10001467 33C0 xor eax, eax
:10001469 8D9424A8000000 lea edx, dword ptr [esp+000000A8]
:10001470 F2 repnz
:10001471 AE scasb
:10001472 F7D1 not ecx
:10001474 2BF9 sub edi, ecx
:10001476 8BF7 mov esi, edi
:10001478 8BD9 mov ebx, ecx
:1000147A 8BFA mov edi, edx
:1000147C 83C9FF or ecx, FFFFFFFF
:1000147F F2 repnz
:10001480 AE scasb
:10001481 8BCB mov ecx, ebx
:10001483 4F dec edi
:10001484 C1E902 shr ecx, 02
:10001487 F3 repz
:10001488 A5 movsd
:10001489 8BCB mov ecx, ebx
:1000148B 83E103 and ecx, 00000003
:1000148E F3 repz
:1000148F A4 movsb
:10001490 EB0B jmp 1000149D====>user name concatenation: DIKEN + rest of the registration code + 'SRCH32_D.DLL'
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001460(C)
|
:10001492 8D84149C000000 lea eax, dword ptr [esp+edx+0000009C]
:10001499 89442414 mov dword ptr [esp+14], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001490(U)
|
:1000149D B907000000 mov ecx, 00000007
:100014A2 B84D4D4D4D mov eax, 4D4D4D4D
:100014A7 8D7C2448 lea edi, dword ptr [esp+48]
:100014AB F3 repz
:100014AC AB stosd
:100014AD 66AB stosw
:100014AF AA stosb
:100014B0 B81F000000 mov eax, 0000001F
:100014B5 B14D mov cl, 4D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100014BC(C)
|
:100014B7 48 dec eax
:100014B8 884C2429 mov byte ptr [esp+29], cl
:100014BC 75F9 jne 100014B7
:100014BE 8B7C2418 mov edi, dword ptr [esp+18]=registration code length
:100014C2 33DB xor ebx, ebx
:100014C4 85FF test edi, edi
:100014C6 C644244700 mov [esp+47], 00
:100014CB C644246700 mov [esp+67], 00
:100014D0 0F868F000000 jbe 10001565
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000155F(C)
|
:100014D6 8BB424F4020000 mov esi, dword ptr [esp+000002F4]=Code
:100014DD 0FBE0C33 movsx ecx, byte ptr [ebx+esi]
:100014E1 51 push ecx
===ODBG==00DE14E1 51 PUSH ECX
:100014E2 E85F9B0000 call 1000B046==>convert to a number?
:100014E7 83C404 add esp, 00000004
:100014EA 85C0 test eax, eax
:100014EC 7512 jne 10001500
:100014EE 8B442424 mov eax, dword ptr [esp+24]
:100014F2 8A1433 mov dl, byte ptr [ebx+esi]
:100014F5 88540428 mov byte ptr [esp+eax+28], dl
:100014F9 40 inc eax
:100014FA 89442424 mov dword ptr [esp+24], eax
:100014FE EB5C jmp 1000155C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100014EC(C)
|
:10001500 F6C301 test bl, 01=========>odd/even position
:10001503 7512 jne 10001517
:10001505 8B442424 mov eax, dword ptr [esp+24]
:10001509 8A0C33 mov cl, byte ptr [ebx+esi]
:1000150C 884C0428 mov byte ptr [esp+eax+28], cl
:10001510 40 inc eax
:10001511 89442424 mov dword ptr [esp+24], eax
:10001515 EB45 jmp 1000155C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001503(C)
|
:10001517 8A1433 mov dl, byte ptr [ebx+esi]
:1000151A 88542C48 mov byte ptr [esp+ebp+48], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10001539(U), :10001548(U), :1000154B(U)
|
:1000151E 0FBE442C48 movsx eax, byte ptr [esp+ebp+48]
:10001523 50 push eax
:10001524 E81D9B0000 call 1000B046
:10001529 83C404 add esp, 00000004
:1000152C 85C0 test eax, eax
:1000152E 741D je 1000154D
:10001530 8B442420 mov eax, dword ptr [esp+20]
:10001534 85C0 test eax, eax
:10001536 7403 je 1000153B
:10001538 45 inc ebp
:10001539 EBE3 jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001536(C)
|
:1000153B 85DB test ebx, ebx
:1000153D 750B jne 1000154A
:1000153F C744242001000000 mov [esp+20], 00000001
:10001547 45 inc ebp
:10001548 EBD4 jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000153D(C)
|
:1000154A 4D dec ebp
:1000154B EBD1 jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000152E(C)
|
:1000154D 8B442420 mov eax, dword ptr [esp+20]
:10001551 33C9 xor ecx, ecx
:10001553 85C0 test eax, eax
:10001555 0F94C1 sete cl
:10001558 894C2420 mov dword ptr [esp+20], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100014FE(U), :10001515(U)
|
:1000155C 43 inc ebx
:1000155D 3BDF cmp ebx, edi
:1000155F 0F8271FFFFFF jb 100014D6
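Leading and trailing spaces are stripped from the user name
The registration code + 'SP6' is split into two parts, front and back:
The NameXor string is the odd-position string
Accumulated sum of Name
XOR of NameXOR
NameXOR mod $7FFFFFFFF===>converted to a string
xor $67C2D76C=
Code2==>number, only a certain range is taken
Code1:=Code1+Name2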
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100014D0(C)
|
:10001565 8D7C2448 lea edi, dword ptr [esp+48]
:10001569 83C9FF or ecx, FFFFFFFF
:1000156C 33C0 xor eax, eax
:1000156E C6442C4800 mov [esp+ebp+48], 00
:10001573 F2 repnz
:10001574 AE scasb
:10001575 8B542424 mov edx, dword ptr [esp+24]
:10001579 F7D1 not ecx
:1000157B 49 dec ecx
:1000157C C644142800 mov [esp+edx+28], 00
:10001581 83E1FE and ecx, FFFFFFFE
:10001584 83F90A cmp ecx, 0000000A
:10001587 0F828C020000 jb 10001819============>error 6
//====================>length of string 2 after conversion
:1000158D 8D442448 lea eax, dword ptr [esp+48]
:10001591 50 push eax
:10001592 E8A49A0000 call 1000B03B==>string 2 converted to a number, 32 bits significant
:10001597 8B7C2418 mov edi, dword ptr [esp+18]
:1000159B 8BD8 mov ebx, eax
:1000159D A1388F0110 mov eax, dword ptr [10018F38]
:100015A2 83C9FF or ecx, FFFFFFFF
:100015A5 33D8 xor ebx, eax
:100015A7 33C0 xor eax, eax
:100015A9 83C404 add esp, 00000004
:100015AC 8D542428 lea edx, dword ptr [esp+28]
:100015B0 F2 repnz
:100015B1 AE scasb
:100015B2 F7D1 not ecx
:100015B4 2BF9 sub edi, ecx
:100015B6 8BF7 mov esi, edi
:100015B8 8BE9 mov ebp, ecx
:100015BA 8BFA mov edi, edx
:100015BC 83C9FF or ecx, FFFFFFFF
:100015BF F2 repnz
:100015C0 AE scasb
:100015C1 8BCD mov ecx, ebp
:100015C3 4F dec edi
:100015C4 C1E902 shr ecx, 02
:100015C7 F3 repz
:100015C8 A5 movsd
:100015C9 8BCD mov ecx, ebp
:100015CB 83E103 and ecx, 00000003
:100015CE F3 repz
:100015CF A4 movsb
:100015D0 8DBC24A8000000 lea edi, dword ptr [esp+000000A8]
========================>string 1 + DLL name
:100015D7 83C9FF or ecx, FFFFFFFF
:100015DA F2 repnz
:100015DB AE scasb
:100015DC F7D1 not ecx
:100015DE 49 dec ecx
:100015DF 8D7C2428 lea edi, dword ptr [esp+28]
:100015E3 8BD1 mov edx, ecx
:100015E5 83C9FF or ecx, FFFFFFFF
:100015E8 F2 repnz
:100015E9 AE scasb
:100015EA F7D1 not ecx
:100015EC 49 dec ecx
:100015ED 83FA20 cmp edx, 00000020
:100015F0 894C2418 mov dword ptr [esp+18], ecx
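:100015F4 0F821F020000 jb 10001819============>error 7
========================>when the user name length is >=$20: Name + remaining string
========================>otherwise Name + remaining string + ''
========================>DLL is 12
========================>the length of string 1 must be >=20
========================>re-enter a fake registration code 40 bytes long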
:100015FA 85D2 test edx, edx
:100015FC 7617 jbe 10001615
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001613(C)
|
:100015FE 0FBE8C04A8000000 movsx ecx, byte ptr [esp+eax+000000A8]
DIKEN5678901234567890SP6SRCH32_D.DLL
:10001606 8B7C241C mov edi, dword ptr [esp+1C]
:1000160A 03F9 add edi, ecx
:1000160C 40 inc eax
:1000160D 3BC2 cmp eax, edx
:1000160F 897C241C mov dword ptr [esp+1C], edi====>accumulated sum
:10001613 72E9 jb 100015FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100015FC(C)
|
:10001615 8BFA mov edi, edx
:10001617 83E703 and edi, 00000003 is it a multiple of 4?
:1000161A 7420 je 1000163C=======>jump if so
:1000161C 33F6 xor esi, esi
:1000161E 33C9 xor ecx, ecx
:10001620 33C0 xor eax, eax
:10001622 85FF test edi, edi
:10001624 7622 jbe 10001648
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001638(C)
|
:10001626 0FBEAC04A8000000 movsx ebp, byte ptr [esp+eax+000000A8]====>Name string
:1000162E D3E5 shl ebp, cl
:10001630 83C108 add ecx, 00000008
:10001633 0BF5 or esi, ebp
:10001635 40 inc eax
:10001636 3BC7 cmp eax, edi
:10001638 72EC jb 10001626
:1000163A EB0C jmp 10001648
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000161A(C)
|
:1000163C 8BB424A8000000 mov esi, dword ptr [esp+000000A8]
:10001643 B804000000 mov eax, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10001624(C), :1000163A(U)
|
:10001648 3BC2 cmp eax, edx
:1000164A 7310 jnb 1000165C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000165A(C)
|
:1000164C 8BAC04A8000000 mov ebp, dword ptr [esp+eax+000000A8]
:10001653 83C004 add eax, 00000004
:10001656 33F5 xor esi, ebp=========>ESI value 261B0109 (mine)
:10001658 3BC2 cmp eax, edx
:1000165A 72F0 jb 1000164C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000164A(C)
|
:1000165C 8B542418 mov edx, dword ptr [esp+18]
:10001660 83E203 and edx, 00000003
:10001663 741D je 10001682
:10001665 33ED xor ebp, ebp
:10001667 33C9 xor ecx, ecx
:10001669 33C0 xor eax, eax
:1000166B 85D2 test edx, edx
:1000166D 761C jbe 1000168B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000167E(C)
|
:1000166F 0FBE7C0428 movsx edi, byte ptr [esp+eax+28]===>Code string 1 + remainder of the user name
:10001674 D3E7 shl edi, cl
:10001676 83C108 add ecx, 00000008
:10001679 0BEF or ebp, edi
:1000167B 40 inc eax
:1000167C 3BC2 cmp eax, edx
:1000167E 72EF jb 1000166F
:10001680 EB09 jmp 1000168B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001663(C)
|
:10001682 8B6C2428 mov ebp, dword ptr [esp+28]=======>string 1
:10001686 B804000000 mov eax, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000166D(C), :10001680(U)
|
:1000168B 8B4C2418 mov ecx, dword ptr [esp+18]
:1000168F 3BC1 cmp eax, ecx
:10001691 730D jnb 100016A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000169E(C)
|
:10001693 8B540428 mov edx, dword ptr [esp+eax+28]
:10001697 83C004 add eax, 00000004
:1000169A 33EA xor ebp, edx============>result 63382C54 (mine)
:1000169C 3BC1 cmp eax, ecx
:1000169E 72F3 jb 10001693
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001691(C)
|
:100016A0 8D542468  