UltraEdit 15 算法分析
最近在找资料的时候无意在ARTeam论坛上面看到的一个破解UltraEdit15算法的教程。分析的相当到位。
寻找算法函数的大概方法:
1,用exescope找到nag窗口的资源ID为28269 即是:6E6D。
2,然后在OD里面找到PUSH 6E6D的命令。分别下断点。
3,在第二次中断的时候,看到Days to expire字样。向上滚动,找到这个子程序的开始。然后crtl +r 寻找引用。发现只有一个引用,于是跳去。
4,作者凭借自己破解14版的经验,准确判断出关键函数的调用是哪一个。但是,下面他还是做了一些简短的分析。
5,最后就开始了算法的分析,这个我就不多说了,太多了,自己看哈,我发在附近里面
由于测试它教程的时候用的中文版(他用的意大利版),所以,有些地址有出入。相信很多朋友也会有一样的感受。
ueres.dll
----------------------
hexdec
--------------------------------
10E 270 - AboutBox
1B3 435 - Guida Avvio Veloce
6E6D 28269 - Il Periodo di Valutazione ?in scadenza
//////////////////////////////////// TO S TU D Y\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Attack Point
------------------------------
00446294 .68 E8A1AD00 PUSH Uedit32.00ADA1E8 ; |WindowName = "UEAfx:200:0x0008:0:010"
00446299 .68 E8A1AD00 PUSH Uedit32.00ADA1E8 ; |Class = "UEAfx:200:0x0008:0:010"
0044629E .53 PUSH EBX ; |ExtStyle = 0
0044629F .899C24 CC0000>MOV DWORD PTR SS:, EBX ; |
004462A6 .FF15 B03BAD00 CALL DWORD PTR DS:[<&USER32.CreateWindow>; \CreateWindowExA
004462AC .8D4C24 14 LEA ECX, DWORD PTR SS:
004462B0 .51 PUSH ECX
004462B1 .8D5424 28 LEA EDX, DWORD PTR SS:
004462B5 .52 PUSH EDX
004462B6 .A3 102BD000 MOV DWORD PTR DS:, EAX
004462BB .A1 342BD000 MOV EAX, DWORD PTR DS:
004462C0 .68 EC2AD000 PUSH Uedit32.00D02AEC
004462C5 .50 PUSH EAX
004462C6 .56 PUSH ESI
004462C7 .881D D45AD000 MOV BYTE PTR DS:, BL
004462CD .C705 EC2AD000>MOV DWORD PTR DS:, 2A
004462D7 .895C24 28 MOV DWORD PTR SS:, EBX
004462DB .E8 B0AAFFFF CALL <Uedit32.RoutineDiRegistrazione><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ENTRA !
004462E0 .8B2D 003CAD00 MOV EBP, DWORD PTR DS:[<&USER32.SendMess>
004462E6 .83C4 14 ADD ESP, 14
004462E9 .84C0 TEST AL, AL
004462EB .0F84 1D030000 JE Uedit32.0044660E
004462F1 .391D 142BD000 CMP DWORD PTR DS:, EBX
004462F7 .0F85 11030000 JNZ Uedit32.0044660E
004462FD .395C24 14 CMP DWORD PTR SS:, EBX
00446301 .74 28 JE SHORT Uedit32.0044632B
00446303 .8B4C24 24 MOV ECX, DWORD PTR SS:
Into registration routine
------------------------------------------
00440D90 >/$6A FF PUSH -1
00440D92|.68 6B8BA500 PUSH Uedit32.00A58B6B
00440D97|.64:A1 0000000>MOV EAX, DWORD PTR FS:
00440D9D|.50 PUSH EAX
00440D9E|.81EC 9C020000 SUB ESP, 29C
00440DA4|.A1 3CFECF00 MOV EAX, DWORD PTR DS:
00440DA9|.33C4 XOR EAX, ESP
00440DAB|.898424 980200>MOV DWORD PTR SS:, EAX
00440DB2|.53 PUSH EBX
00440DB3|.55 PUSH EBP
00440DB4|.56 PUSH ESI
00440DB5|.57 PUSH EDI
00440DB6|.A1 3CFECF00 MOV EAX, DWORD PTR DS:
00440DBB|.33C4 XOR EAX, ESP
00440DBD|.50 PUSH EAX
00440DBE|.8D8424 B00200>LEA EAX, DWORD PTR SS:
00440DC5|.64:A3 0000000>MOV DWORD PTR FS:, EAX
00440DCB|.8BAC24 C40200>MOV EBP, DWORD PTR SS: ;<< Seriale da controllare
00440DD2|.8B8C24 CC0200>MOV ECX, DWORD PTR SS: ;<< ind. di ritorno
00440DD9|.8B9424 D00200>MOV EDX, DWORD PTR SS: ;<< Una dword vuota
00440DE0|.8BBC24 C00200>MOV EDI, DWORD PTR SS: ;<< UserName
00440DE7|.8B8424 C80200>MOV EAX, DWORD PTR SS: ;<< ptr a 2A = 42 (indicatore per file *.reg)
00440DEE|.894C24 1C MOV DWORD PTR SS:, ECX
00440DF2|.895424 18 MOV DWORD PTR SS:, EDX
00440DF6|.85ED TEST EBP, EBP ;<< Inserito un seriale ?
00440DF8|.74 0A JE SHORT Uedit32.00440E04
00440DFA|.C705 E82AD000>MOV DWORD PTR DS:, 1 ;<< si, inserito !
00440E04|>C700 00000000 MOV DWORD PTR DS:, 0 ;<< azzera il 2A
00440E0A|.8BC7 MOV EAX, EDI ;<< userName
00440E0C|.8D50 01 LEA EDX, DWORD PTR DS:
00440E0F|.90 NOP
00440E10|>8A08 /MOV CL, BYTE PTR DS:
00440E12|.40 |INC EAX
00440E13|.84C9 |TEST CL, CL
00440E15|.^ 75 F9 \JNZ SHORT Uedit32.00440E10
00440E17|.2BC2 SUB EAX, EDX
00440E19|.83F8 06 CMP EAX, 6 ;<< Verifica che la lunghezza dello userName sia almeno 6
00440E1C|.0F82 EA010000 JB Uedit32.0044100C
00440E22|.8BC5 MOV EAX, EBP ;<< Seriale
00440E24|.8D50 01 LEA EDX, DWORD PTR DS:
00440E27|>8A08 /MOV CL, BYTE PTR DS:
00440E29|.40 |INC EAX
00440E2A|.84C9 |TEST CL, CL
00440E2C|.^ 75 F9 \JNZ SHORT Uedit32.00440E27
00440E2E|.2BC2 SUB EAX, EDX
00440E30|.83F8 2F CMP EAX, 2F ;<< La lunghezza del seriale deve essere almeno 47
00440E33|.0F82 D3010000 JB Uedit32.0044100C
00440E39|.6A 3B PUSH 3B ;<< Dimensione area da riempire
00440E3B|.8D4424 75 LEA EAX, DWORD PTR SS:
00440E3F|.6A 00 PUSH 0 ;<< carattere con cui riempire
00440E41|.50 PUSH EAX ;<< indirizzo da riempire
00440E42|.C64424 23 01MOV BYTE PTR SS:, 1 ;<< segna un flag
00440E47|.884C24 7C MOV BYTE PTR SS:, CL ;<< azzera il primo byte
00440E4B|.E8 A00E5900 CALL <Uedit32.FillWithZero> ;<< entro
00440E50|.68 FF010000 PUSH 1FF ;<< dimensione ( 511 bytes )
00440E55|.8D8C24 BD0000>LEA ECX, DWORD PTR SS:
00440E5C|.6A 00 PUSH 0 ;<< carattere di riempimento
00440E5E|.51 PUSH ECX ;<< indirizzo da riempire ( 0024F9D1 ) - per copia userName
00440E5F|.C68424 C40000>MOV BYTE PTR SS:, 0 ;<< azzera il primo byte
00440E67|.E8 840E5900 CALL <Uedit32.FillWithZero>
00440E6C|.57 PUSH EDI ;<< push nome utente
00440E6D|.8D9424 C80000>LEA EDX, DWORD PTR SS:
00440E74|.68 00020000 PUSH 200 ;<< 200h = 512d (max len username)
00440E79|.52 PUSH EDX ;<< indirizzo appena svuotato (il primo dei due)
00440E7A|.E8 F6335900 CALL <Uedit32.CopiaStringa> ;<< Copia UserName
00440E7F|.57 PUSH EDI ;<< push nome utente
00440E80|.8D4424 7C LEA EAX, DWORD PTR SS: ;<< 0024F978
00440E84|.55 PUSH EBP ;<< push seriale
00440E85|.50 PUSH EAX ;<< push indirizzo (doppio ptr. a zona in cui andranno scritte le info dei match
00440E86|.E8 F5E8FFFF CALL <Uedit32.GenerazioneVettoreEdEstrazioneStringa> ;<< entro
00440E8B|.83C4 30 ADD ESP, 30
00440E8E|.837C24 6C 10CMP DWORD PTR SS:, 10 ;<< lungh. del serial== 16 ?
00440E93|.8B4424 58 MOV EAX, DWORD PTR SS: ;<< Stringa estratta dal seriale
00440E97|.C78424 B80200>MOV DWORD PTR SS:, 0 ;<< 0
00440EA2|.73 04 JNB SHORT Uedit32.00440EA8 ;v
00440EA4|.8D4424 58 LEA EAX, DWORD PTR SS:
00440EA8|>50 PUSH EAX ; /<< push stringa estratta dal seriale
00440EA9|.8D4C24 74 LEA ECX, DWORD PTR SS: ; |
00440EAD|.6A 3C PUSH 3C ; |<< dimensione stringa
00440EAF|.51 PUSH ECX ; |<< dove copiarla (sopra il nome utente)
00440EB0|.E8 C0335900 CALL <Uedit32.CopiaStringa> ; \CopiaStringa
00440EB5|.83C4 0C ADD ESP, 0C
00440EB8|.68 409CAD00 PUSH Uedit32.00AD9C40 ; /pModule = "kernel32.dll"
00440EBD|.FF15 EC35AD00 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
00440EC3|.8D5424 44 LEA EDX, DWORD PTR SS: ;<< ind. pSystemTime2
00440EC7|.8BF0 MOV ESI, EAX ;<< salva kernel32.ll imagebase
00440EC9|.52 PUSH EDX
00440ECA|.8D4424 38 LEA EAX, DWORD PTR SS: ;<< pSystemTime
00440ECE|.50 PUSH EAX
00440ECF|.8D4C24 2C LEA ECX, DWORD PTR SS: ;<< currentSystemTime
00440ED3|.51 PUSH ECX
00440ED4|.E8 67A6FFFF CALL <Uedit32.SystemTime_FileTime> ;<< Determina Data Corrente (in SystemTime) + altro che non ci interessa (Generazione 2 FileTime e loro conversione in SystemTime)
00440ED9|.8D5424 30 LEA EDX, DWORD PTR SS: ;<< otr. a currentSystemTime
00440EDD|.56 PUSH ESI
00440EDE|.52 PUSH EDX ;<< push currentSysTime
00440EDF|.E8 8708FCFF CALL <Uedit32.DataCorrenteInFileTime> ;<<
00440EE4|.8D4424 48 LEA EAX, DWORD PTR SS: ;<< pSystemTime
00440EE8|.50 PUSH EAX ;<< pSystemTime
00440EE9|.E8 0A09FCFF CALL <Uedit32.AltraDataInFileTime> ;<< non ci interessa
00440EEE|.8D4C24 5C LEA ECX, DWORD PTR SS: ;<< pSystemTime2
00440EF2|.51 PUSH ECX ;<< pSystemTime2
00440EF3|.E8 120CFCFF CALL Uedit32.00401B0A ;<< non ci interessa
00440EF8|.68 00001500 PUSH 150000 ;<< Push Versione programma !!!
00440EFD|.E8 7509FCFF CALL <Uedit32.DoBSWAP_Parametro> ;<< bswap della versione del programma
00440F02|.8D9424 CC0000>LEA EDX, DWORD PTR SS: ;<< username
00440F09|.52 PUSH EDX
00440F0A|.8D8424 940000>LEA EAX, DWORD PTR SS: ;<< stringa estratta da seriale
00440F11|.50 PUSH EAX
00440F12|.E8 8B09FCFF CALL <Uedit32.DeterminaMatchEStabilisciReg>
00440F17|.8B1D 96104000 MOV EBX, DWORD PTR DS:[<controllo>] ;<< Salva il valore della dword di controllo >> in EBX (la call modifica la dword in oggetto per altri scopi)
00440F1D|.83C4 28 ADD ESP, 28
00440F20|.E8 5705FCFF CALL <Uedit32.divisione_qword> ;<< seconda divisione quadword (non ci interessa particolarmente)
00440F25|.8BF3 MOV ESI, EBX ;<< la call precedente NON modifica EBX
00440F27|.C1EE 10 SHR ESI, 10
00440F2A|.8BCB MOV ECX, EBX ;<< nuova copia di EBX
00440F2C|.80E1 0F AND CL, 0F ;<< ultimo char esadecimale (ultimo mezzo byte)
00440F2F|.81E6 FF010000 AND ESI, 1FF ;<< and esi, 1FF
00440F35|.80F9 01 CMP CL, 1 ;<< CL deve essere = 1
00440F38|.74 05 JE SHORT Uedit32.00440F3F
00440F3A|.C64424 17 00MOV BYTE PTR SS:, 0 ;<< :(
00440F3F|>F7C3 00400000 TEST EBX, 4000 ;<< test
00440F45|.74 0A JE SHORT Uedit32.00440F51
00440F47|.F6C3 40 TEST BL, 40
00440F4A|.75 05 JNZ SHORT Uedit32.00440F51
00440F4C|.C64424 17 00MOV BYTE PTR SS:, 0 ;<< :(
00440F51|>F7C3 00000020 TEST EBX, 20000000 ;<< test EBX 20.000.000
00440F57|.74 05 JE SHORT Uedit32.00440F5E
00440F59|.C64424 17 00MOV BYTE PTR SS:, 0 ;<< :(
00440F5E|>51 PUSH ECX ;<< push valore 'iniziale' della dword di controllo
00440F5F|.8BCC MOV ECX, ESP
00440F61|.896424 24 MOV DWORD PTR SS:, ESP
00440F65|.57 PUSH EDI ;<< nome utente
00440F66|.C705 A055D000>MOV DWORD PTR DS:[<flag_fine_reg>], 1 ;<< flag
00440F70|.E8 EBA4FCFF CALL <Uedit32.CodificaInformazioneInLicenza> ;<< dovrebbe salvare le info di username nel file di licenza
00440F75|.B9 8455D000 MOV ECX, OFFSET <Uedit32.costante_usata_spesso>
00440F7A|.E8 61DAFFFF CALL Uedit32.0043E9E0
00440F7F|.51 PUSH ECX
00440F80|.8BCC MOV ECX, ESP
00440F82|.896424 24 MOV DWORD PTR SS:, ESP
00440F86|.55 PUSH EBP ;<< push seriale
00440F87|.E8 D4A4FCFF CALL <Uedit32.CodificaInformazioneInLicenza>
00440F8C|.B9 8455D000 MOV ECX, OFFSET <Uedit32.costante_usata_spesso>
00440F91|.E8 BADAFFFF CALL Uedit32.0043EA50
00440F96|.B9 8455D000 MOV ECX, OFFSET <Uedit32.costante_usata_spesso>
00440F9B|.8935 8C55D000 MOV DWORD PTR DS:, ESI
00440FA1|.891D 9055D000 MOV DWORD PTR DS:, EBX
00440FA7|.E8 C47C2100 CALL Uedit32.00658C70
00440FAC|.807C24 17 00CMP BYTE PTR SS:, 0 ;<< byte di registrazione
00440FB1|.0FB6D0 MOVZX EDX, AL
00440FB4|.8915 9855D000 MOV DWORD PTR DS:, EDX
00440FBA|.74 36 JE SHORT Uedit32.00440FF2
00440FBC|.81FE 7C010000 CMP ESI, 17C ;<< *** DEVE SALTARE PER NON MOSTRARE LA NAG (dipende dal valore di "controllo")
00440FC2|.72 2E JB SHORT Uedit32.00440FF2 ;v
00440FC4|.F6C3 40 TEST BL, 40
00440FC7|.75 29 JNZ SHORT Uedit32.00440FF2
00440FC9|.8B4424 18 MOV EAX, DWORD PTR SS:
00440FCD|.8B4C24 24 MOV ECX, DWORD PTR SS:
00440FD1|.8B5424 28 MOV EDX, DWORD PTR SS:
00440FD5|.C700 01000000 MOV DWORD PTR DS:, 1
00440FDB|.8B4424 1C MOV EAX, DWORD PTR SS: ;Uedit32.004461A0
00440FDF|.8908 MOV DWORD PTR DS:, ECX
00440FE1|.8B4C24 2C MOV ECX, DWORD PTR SS:
00440FE5|.8950 04 MOV DWORD PTR DS:, EDX
00440FE8|.8B5424 30 MOV EDX, DWORD PTR SS:
00440FEC|.8948 08 MOV DWORD PTR DS:, ECX
00440FEF|.8950 0C MOV DWORD PTR DS:, EDX
00440FF2|>837C24 6C 10CMP DWORD PTR SS:, 10 ;<< lungh. del seriale
00440FF7|.72 0D JB SHORT Uedit32.00441006
00440FF9|.8B4424 58 MOV EAX, DWORD PTR SS: ;<< stringa estratta da seriale
00440FFD|.50 PUSH EAX ;<< push stringa estratta
00440FFE|.E8 4CB54000 CALL <Uedit32.FreeString>
00441003|.83C4 04 ADD ESP, 4
00441006|>8A4424 17 MOV AL, BYTE PTR SS: ;<< stato di registrazione
0044100A|.EB 02 JMP SHORT Uedit32.0044100E
0044100C|>32C0 XOR AL, AL
0044100E|>8B8C24 B00200>MOV ECX, DWORD PTR SS:
00441015|.64:890D 00000>MOV DWORD PTR FS:, ECX
0044101C|.59 POP ECX ;017459B8
0044101D|.5F POP EDI ;017459B8
0044101E|.5E POP ESI ;017459B8
0044101F|.5D POP EBP ;017459B8
00441020|.5B POP EBX ;017459B8
00441021|.8B8C24 980200>MOV ECX, DWORD PTR SS: ;USER32.77D18808
00441028|.33CC XOR ECX, ESP
0044102A|.E8 09FD5800 CALL Uedit32.009D0D38 ;<< non ci interessa
0044102F|.81C4 A8020000 ADD ESP, 2A8
00441035\.C3 RETN
GenerazioneVettoreEdEstrazioneStringa
-------------------------------------------
0043F780 >/$6A FF PUSH -1
0043F782|.68 A288A500 PUSH Uedit32.00A588A2
0043F787|.64:A1 0000000>MOV EAX, DWORD PTR FS:
0043F78D|.50 PUSH EAX
0043F78E|.81EC 100A0000 SUB ESP, 0A10 ;<< 2576
0043F794|.A1 3CFECF00 MOV EAX, DWORD PTR DS:
0043F799|.33C4 XOR EAX, ESP
0043F79B|.898424 0C0A00>MOV DWORD PTR SS:, EAX
0043F7A2|.53 PUSH EBX
0043F7A3|.55 PUSH EBP
0043F7A4|.56 PUSH ESI
0043F7A5|.57 PUSH EDI
0043F7A6|.A1 3CFECF00 MOV EAX, DWORD PTR DS:
0043F7AB|.33C4 XOR EAX, ESP
0043F7AD|.50 PUSH EAX
0043F7AE|.8D8424 240A00>LEA EAX, DWORD PTR SS:
0043F7B5|.64:A3 0000000>MOV DWORD PTR FS:, EAX
0043F7BB|.8BAC24 340A00>MOV EBP, DWORD PTR SS: ;Uedit32.00730065
0043F7C2|.8BBC24 380A00>MOV EDI, DWORD PTR SS: ;<< serial
0043F7C9|.8BB424 3C0A00>MOV ESI, DWORD PTR SS: ;<< username
0043F7D0|.33DB XOR EBX, EBX ;<< EBX := 0
0043F7D2|.6A 3B PUSH 3B ;<< dimensione da riempire
0043F7D4|.8D8424 E90900>LEA EAX, DWORD PTR SS:
0043F7DB|.53 PUSH EBX ;<< carattere di riempimento
0043F7DC|.895C24 1C MOV DWORD PTR SS:, EBX ;<< azzera primo byte
0043F7E0|.50 PUSH EAX ;<< ind. da riempire
0043F7E1|.899C24 380A00>MOV DWORD PTR SS:, EBX ;<< zero
0043F7E8|.896C24 28 MOV DWORD PTR SS:, EBP
0043F7EC|.889C24 F00900>MOV BYTE PTR SS:, BL ;<< azzero primo byte
0043F7F3|.E8 F8245900 CALL <Uedit32.FillWithZero> ;<< Libera zona per copiare il seriale
0043F7F8|.57 PUSH EDI ; |<< Seriale
0043F7F9|.8D8C24 F40900>LEA ECX, DWORD PTR SS: ; |
0043F800|.6A 3C PUSH 3C ; |<< 60
0043F802|.51 PUSH ECX ; |<< dove copiare il seriale
0043F803|.E8 6D4A5900 CALL <Uedit32.CopiaStringa> ; \CopiaStringa
0043F808|.8BC6 MOV EAX, ESI ;<< Nome Utente
0043F80A|.83C4 18 ADD ESP, 18
0043F80D|.33D2 XOR EDX, EDX ;<<< EDX := 0
0043F80F|.8D78 01 LEA EDI, DWORD PTR DS: ;<< calcola len username
0043F812|>8A08 /MOV CL, BYTE PTR DS:
0043F814|.40 |INC EAX
0043F815|.3ACB |CMP CL, BL
0043F817|.^ 75 F9 \JNZ SHORT Uedit32.0043F812
0043F819|.2BC7 SUB EAX, EDI ;<< EAX = lungh. username
0043F81B|.33C9 XOR ECX, ECX ;ECX := 0
0043F81D|.3BC3 CMP EAX, EBX ;<< Hai specificato un userName ?
0043F81F|.7E 0B JLE SHORT Uedit32.0043F82C ;<< se si' non salta
0043F821|>0FBE3C0E /MOVSX EDI, BYTE PTR DS: ;<< Hash username - serve ad inizializzare il vettore
0043F825|.41 |INC ECX
0043F826|.03D7 |ADD EDX, EDI
0043F828|.3BC8 |CMP ECX, EAX
0043F82A|.^ 7C F5 \JL SHORT Uedit32.0043F821
0043F82C|>81CA 221AF704 OR EDX, 4F71A22 ;<< Somma i caratteri del nome utente ed effettua OR con costante
0043F832|.52 PUSH EDX ;<< push hash utente ( 04F71E7A per Virtual Killer )
0043F833|.8D4C24 24 LEA ECX, DWORD PTR SS: ;<< ind. vettore
0043F837|.E8 B4542100 CALL <Uedit32.GenerazioneVettoreIniziale> ;<< Genera un vettore iniziale in base all'hash utente calcolato
0043F83C|.53 PUSH EBX ;<< 0
0043F83D|.C745 18 0F000>MOV DWORD PTR SS:, 0F ;<< 15
0043F844|.895D 14 MOV DWORD PTR SS:, EBX ;<< 0
0043F847|.68 F046AD00 PUSH Uedit32.00AD46F0
0043F84C|.8BCD MOV ECX, EBP
0043F84E|.885D 04 MOV BYTE PTR SS:, BL ;<< 0
0043F851|.E8 AA50FCFF CALL <Uedit32.NonImportante1> ;<< entro
0043F856|.B0 30 MOV AL, 30 ;<< '0'
0043F858|.BF 01000000 MOV EDI, 1 ;<< EDI := 1
0043F85D|.899C24 2C0A00>MOV DWORD PTR SS:, EBX ;<< 0
0043F864|.897C24 14 MOV DWORD PTR SS:, EDI ;<< 1
0043F868|.888424 E80900>MOV BYTE PTR SS:, AL ;<< Ignora il quinto carattere di ogni sotto-gruppo
0043F86F|.888424 EE0900>MOV BYTE PTR SS:, AL
0043F876|.888424 F40900>MOV BYTE PTR SS:, AL
0043F87D|.888424 FA0900>MOV BYTE PTR SS:, AL
0043F884|.888424 000A00>MOV BYTE PTR SS:, AL
0043F88B|.888424 060A00>MOV BYTE PTR SS:, AL
0043F892|.888424 0C0A00>MOV BYTE PTR SS:, AL
0043F899|.888424 120A00>MOV BYTE PTR SS:, AL
0043F8A0|.8DB424 E40900>LEA ESI, DWORD PTR SS: ;<< seriale
0043F8A7|.389C24 E40900>CMP BYTE PTR SS:, BL ;<< finito ?
0043F8AE|.74 4A JE SHORT Uedit32.0043F8FA
0043F8B0|>803E 2D /CMP BYTE PTR DS:, 2D ;<< trovato il trattino ?
0043F8B3|.74 40 |JE SHORT Uedit32.0043F8F5 ;<< ignora il trattino
0043F8B5|.8D4C24 20 |LEA ECX, DWORD PTR SS: ;<< vettore_inizializzazione
0043F8B9|.E8 02532100 |CALL <Uedit32.LookupInVettore_conRicalcolo>
0043F8BE|.33D2 |XOR EDX, EDX ;<< EDX := 0
0043F8C0|.B9 0A000000 |MOV ECX, 0A ;<< ECX := 0A (10)
0043F8C5|.F7F1 |DIV ECX ;<< divisione di EAX (restituito da CALL) per 0A e il resto in EDX
0043F8C7|.8A06 |MOV AL, BYTE PTR DS: ;<< AL := carattere del seriale
0043F8C9|.2AC2 |SUB AL, DL ;<< sottrai ad esso il resto
0043F8CB|.2C 41 |SUB AL, 41 ;<< e 41h ('A')
0043F8CD|.0FBED0 |MOVSX EDX, AL ;<< a questo punto EDX := AL
0043F8D0|.0FB682 54A0AD>|MOVZX EAX, BYTE PTR DS: ;<< Lookup di valore in 'X6A3KVMOQ8D2HCPI'
0043F8D7|.884424 18 |MOV BYTE PTR SS:, AL ;<< salva poi il valore lookup-ato (BYTE ptr)
0043F8DB|.8B4C24 18 |MOV ECX, DWORD PTR SS: ;<< ... e lo copia in ECX (tutta la dword pero')
0043F8DF|.51 |PUSH ECX ;<< PUSH di questo valore
0043F8E0|.6A 01 |PUSH 1 ;<< 1
0043F8E2|.8BCD |MOV ECX, EBP ;<< Dove salvare il carattere lookup-ato
0043F8E4|.E8 27B8FDFF |CALL <Uedit32.SalvaCarattereLookup> ;<<
0043F8E9|.47 |INC EDI ;<< prox char
0043F8EA|.83FF 05 |CMP EDI, 5 ;<< finito un sottogruppo ?
0043F8ED|.75 06 |JNZ SHORT Uedit32.0043F8F5
0043F8EF|.BF 01000000 |MOV EDI, 1 ;<< riparte da 1 per EDI
0043F8F4|.46 |INC ESI
0043F8F5|>46 |INC ESI
0043F8F6|.381E |CMP BYTE PTR DS:, BL ;<< finito il seriale ?
0043F8F8|.^ 75 B6 \JNZ SHORT Uedit32.0043F8B0
0043F8FA|>8BC5 MOV EAX, EBP
0043F8FC|.8B8C24 240A00>MOV ECX, DWORD PTR SS:
0043F903|.64:890D 00000>MOV DWORD PTR FS:, ECX
0043F90A|.59 POP ECX ;017459B8
0043F90B|.5F POP EDI ;017459B8
0043F90C|.5E POP ESI ;017459B8
0043F90D|.5D POP EBP ;017459B8
0043F90E|.5B POP EBX ;017459B8
0043F90F|.8B8C24 0C0A00>MOV ECX, DWORD PTR SS: ;Uedit32.0078005F
0043F916|.33CC XOR ECX, ESP
0043F918|.E8 1B145900 CALL Uedit32.009D0D38 ;<< non interessante
0043F91D|.81C4 1C0A0000 ADD ESP, 0A1C
0043F923\.C3 RETN
GenerazioneVettoreIniziale
-----------------------------------
00654CF0 >/$8B4424 04 MOV EAX, DWORD PTR SS:
00654CF4|.50 PUSH EAX ;<< push parametro passato (la prima volta ?"hash utente")
00654CF5|.C781 C0090000>MOV DWORD PTR DS:, 271 ;<< dimensione vettore inizializzazione (prima del seriale)
00654CFF|.E8 CCFDFFFF CALL <Uedit32.ElaboraVettore_0024EEE0>
00654D04|.8BC1 MOV EAX, ECX ;<< EAX := indirizzo vettore calcolato
00654D06\.C2 0400 RETN 4
ElaboraVettore_0024EEE0
------------------------------------------------
00654AD0 <>/$8B5424 04 MOV EDX, DWORD PTR SS: ;<< Parametro (inizialmente hash utente)
00654AD4 |.56 PUSH ESI ;<< nome utente
00654AD5 |.57 PUSH EDI ;<< 2E = 46
00654AD6 |.8D41 08 LEA EAX, DWORD PTR DS:
00654AD9 |.BE 68000000 MOV ESI, 68 ;<< esi := 68h (iterazioni ciclo)
00654ADE |.8BFF MOV EDI, EDI ;??? inutile ???
00654AE0 |>8BFA MOV EDI, EDX ; Prima DWORD
00654AE2 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD ;<< EDX :=( EDX * 10DCDh )
00654AE8 |.81E7 0000FFFF AND EDI, FFFF0000 ;<< EDI := lascia solo HIWORD(EDX)
00654AEE |.42 INC EDX ;<< EDX += 1
00654AEF |.8978 F8 MOV DWORD PTR DS:, EDI ;<< salva EDI
00654AF2 |.8BFA MOV EDI, EDX ;<< EDI := EDX
00654AF4 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD ;<< EDX := EDX * 10DCDh
00654AFA |.C1EF 10 SHR EDI, 10 ;<< EDI := EDI / 2^16 (recupera parte alta della dword)
00654AFD |.0978 F8 OR DWORD PTR DS:, EDI ;<< OR-ing della dword appena scritta
00654B00 |.42 INC EDX ;<< edx++
00654B01 |.8BFA MOV EDI, EDX ;<< ESEGUE GLI STESSI DUE PASSI per la prossima dword>>
00654B03 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B09 |.81E7 0000FFFF AND EDI, FFFF0000
00654B0F |.42 INC EDX
00654B10 |.8978 FC MOV DWORD PTR DS:, EDI ; Seconda Dword
00654B13 |.8BFA MOV EDI, EDX
00654B15 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B1B |.C1EF 10 SHR EDI, 10
00654B1E |.0978 FC OR DWORD PTR DS:, EDI
00654B21 |.42 INC EDX
00654B22 |.8BFA MOV EDI, EDX ;<< terza dword
00654B24 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B2A |.81E7 0000FFFF AND EDI, FFFF0000
00654B30 |.42 INC EDX
00654B31 |.8938 MOV DWORD PTR DS:, EDI
00654B33 |.8BFA MOV EDI, EDX
00654B35 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B3B |.C1EF 10 SHR EDI, 10
00654B3E |.0938 OR DWORD PTR DS:, EDI
00654B40 |.42 INC EDX
00654B41 |.8BFA MOV EDI, EDX ;<< quarta dword
00654B43 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B49 |.81E7 0000FFFF AND EDI, FFFF0000
00654B4F |.42 INC EDX
00654B50 |.8978 04 MOV DWORD PTR DS:, EDI
00654B53 |.8BFA MOV EDI, EDX
00654B55 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B5B |.C1EF 10 SHR EDI, 10
00654B5E |.0978 04 OR DWORD PTR DS:, EDI
00654B61 |.42 INC EDX
00654B62 |.8BFA MOV EDI, EDX ;<< quinta dword
00654B64 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B6A |.81E7 0000FFFF AND EDI, FFFF0000
00654B70 |.42 INC EDX
00654B71 |.8978 08 MOV DWORD PTR DS:, EDI
00654B74 |.8BFA MOV EDI, EDX
00654B76 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B7C |.C1EF 10 SHR EDI, 10
00654B7F |.0978 08 OR DWORD PTR DS:, EDI
00654B82 |.42 INC EDX ;<< sesta dword
00654B83 |.8BFA MOV EDI, EDX
00654B85 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B8B |.81E7 0000FFFF AND EDI, FFFF0000
00654B91 |.42 INC EDX
00654B92 |.8978 0C MOV DWORD PTR DS:, EDI
00654B95 |.8BFA MOV EDI, EDX
00654B97 |.69D2 CD0D0100 IMUL EDX, EDX, 10DCD
00654B9D |.C1EF 10 SHR EDI, 10
00654BA0 |.0978 0C OR DWORD PTR DS:, EDI
00654BA3 |.42 INC EDX
00654BA4 |.83C0 18 ADD EAX, 18 ;<< passa alle prossime 6 dword
00654BA7 |.83EE 01 SUB ESI, 1 ;<< decremento contatore ciclo
00654BAA |.^ 0F85 30FFFFFF JNZ Uedit32.00654AE0 ;<< continua ciclo
00654BB0 |.5F POP EDI ;021896D0
00654BB1 |.C781 C0090000>MOV DWORD PTR DS:, 270 ;<< segna inizializzazione in posizione prima di seriale
00654BBB |.5E POP ESI ;021896D0
00654BBC \.C2 0400 RETN 4
LookupInVettore_conRicalcolo
-------------------------------------
00654BC0 >/$8B81 C0090000 MOV EAX, DWORD PTR DS: ;<< dword before serial ... (9C0 = array size)
00654BC6|.3D 70020000 CMP EAX, 270 ;<< execute the two subloops ?
00654BCB|.0F82 BB000000 JB Uedit32.00654C8C ;<< no.
00654BD1|.3D 71020000 CMP EAX, 271 ;<< Array initialized ? (270h = 624d = # of array dword )
00654BD6|.75 0A JNZ SHORT Uedit32.00654BE2 ;v
00654BD8|.68 05110000 PUSH 1105
00654BDD|.E8 EEFEFFFF CALL <Uedit32.ElaboraVettore_0024EEE0>
00654BE2|>33C0 XOR EAX, EAX ;<< EAX := 0
00654BE4|.56 PUSH ESI ;<< serial
00654BE5|>8B5481 04 /MOV EDX, DWORD PTR DS: ;<< array Lookup (ECX = array address) - offset +4
00654BE9|.331481 |XOR EDX, DWORD PTR DS: ;<< XOR with previous dword
00654BEC|.40 |INC EAX ;<< EAX++
00654BED|.81E2 FFFFFF7F |AND EDX, 7FFFFFFF ;Filter on high byte
00654BF3|.335481 FC |XOR EDX, DWORD PTR DS: ;<< XOR with even previous dword (first time is array start)
00654BF7|.8BF2 |MOV ESI, EDX ;<< ESI := resulted value
00654BF9|.D1EA |SHR EDX, 1 ;<< EDX / 2
00654BFB|.83E6 01 |AND ESI, 1 ;<< ESI = 0/1
00654BFE|.3314B5 C426C2>|XOR EDX, DWORD PTR DS: ;<< XOR with 9908B0DFh or with 0 ( if ESI = 0 --> xor with 0 )
00654C05|.339481 300600>|XOR EDX, DWORD PTR DS: ;<< xor with another lookup value
00654C0C|.895481 FC |MOV DWORD PTR DS:, EDX ;<< save value in first of used 3 dwords
00654C10|.3D E3000000 |CMP EAX, 0E3 ;<< Loop for 0E3 = 227 times
00654C15|.^ 72 CE \JB SHORT Uedit32.00654BE5
00654C17|.3D 6F020000 CMP EAX, 26F ;<< Already executed second loop ?
00654C1C|.73 34 JNB SHORT Uedit32.00654C52
00654C1E|.8BFF MOV EDI, EDI ;<< reset flags
00654C20|>8B5481 04 /MOV EDX, DWORD PTR DS: ;<< EAX Starts from 0E3. lookup
00654C24|.331481 |XOR EDX, DWORD PTR DS: ;xor
00654C27|.40 |INC EAX ;<< EAX ++
00654C28|.81E2 FFFFFF7F |AND EDX, 7FFFFFFF
00654C2E|.335481 FC |XOR EDX, DWORD PTR DS:
00654C32|.8BF2 |MOV ESI, EDX
00654C34|.D1EA |SHR EDX, 1
00654C36|.83E6 01 |AND ESI, 1
00654C39|.3314B5 C426C2>|XOR EDX, DWORD PTR DS:
00654C40|.339481 70FCFF>|XOR EDX, DWORD PTR DS: ;<< this is the only change (in respect to first subloop)
00654C47|.895481 FC |MOV DWORD PTR DS:, EDX
00654C4B|.3D 6F020000 |CMP EAX, 26F ;<< loop for per (26F - 0E3) times
00654C50|.^ 72 CE \JB SHORT Uedit32.00654C20
00654C52|>8B81 BC090000 MOV EAX, DWORD PTR DS: ;<<
00654C58|.3301 XOR EAX, DWORD PTR DS: ;<< xor with first array dword
00654C5A|.5E POP ESI ;021896D0
00654C5B|.25 FFFFFF7F AND EAX, 7FFFFFFF ;<< filter
00654C60|.3381 BC090000 XOR EAX, DWORD PTR DS: ;<< another xor
00654C66|.8BD0 MOV EDX, EAX ;<< EDX := EAX
00654C68|.83E2 01 AND EDX, 1 ;<< EDX = 0/1
00654C6B|.8B1495 C426C2>MOV EDX, DWORD PTR DS: ;<< EDX := 9908B0DFh or 0 ( if EDX = 0 --> xor with 0 )
00654C72|.3391 30060000 XOR EDX, DWORD PTR DS: ;<<
00654C78|.D1E8 SHR EAX, 1 ;<< EAX := EAX / 2
00654C7A|.33D0 XOR EDX, EAX ;<< Xor
00654C7C|.8991 BC090000 MOV DWORD PTR DS:, EDX ;<< update specific value in array
00654C82|.C781 C0090000>MOV DWORD PTR DS:, 0 ;<< zero-out value at the end of array
00654C8C|>8B81 C0090000 MOV EAX, DWORD PTR DS: ;<< - value at array end
00654C92|.8B1481 MOV EDX, DWORD PTR DS: ;<< EDX := EAX-th array dword
00654C95|.40 INC EAX ;<< EAX += 1
00654C96|.8981 C0090000 MOV DWORD PTR DS:, EAX ;<< update dword at array end (current position in serial)
00654C9C|.8BC2 MOV EAX, EDX ;<< other math
00654C9E|.C1E8 0B SHR EAX, 0B
00654CA1|.33D0 XOR EDX, EAX
00654CA3|.8BCA MOV ECX, EDX
00654CA5|.81E1 AD583AFF AND ECX, FF3A58AD
00654CAB|.C1E1 07 SHL ECX, 7
00654CAE|.33D1 XOR EDX, ECX
00654CB0|.8BC2 MOV EAX, EDX
00654CB2|.25 8CDFFFFF AND EAX, FFFFDF8C
00654CB7|.C1E0 0F SHL EAX, 0F
00654CBA|.33D0 XOR EDX, EAX
00654CBC|.8BC2 MOV EAX, EDX
00654CBE|.C1E8 12 SHR EAX, 12
00654CC1|.33C2 XOR EAX, EDX ;<< routine return value
00654CC3\.C3 RETN
SystemTime_FileTime (determinazione data corrente)
----------------------------------
Di questa ci interessa solo la parte iniziale:
0043B540 >/$83EC 20 SUB ESP, 20
0043B543|.8B4424 24 MOV EAX, DWORD PTR SS:
0043B547|.56 PUSH ESI
0043B548|.50 PUSH EAX ; /pSystemTime = 017E0EC8
0043B549|.FF15 D035AD00 CALL DWORD PTR DS:[<&KERNEL32.GetSystemTime>] ; \GetSystemTime
0043B54F|.8B0D 042BD000 MOV ECX, DWORD PTR DS: ;<< 0
0043B555|.8B15 002BD000 MOV EDX, DWORD PTR DS: ;<< 3970h
0043B55B|.6A 00 PUSH 0 ;<< 0
0043B55D|.68 80510100 PUSH 15180 ;<< 15180 (86400 - secondi in un giorno)
0043B562|.51 PUSH ECX ;<< 0
0043B563|.52 PUSH EDX ;<< 3970h
0043B564|.E8 C7D15900 CALL <Uedit32.MoltiplicaConElaborazione>
0043B569|.894424 04 MOV DWORD PTR SS:, EAX ;<< 15180h * 3970h = 4BB92800
:
:
:
0043B5B4|.8B4424 30 MOV EAX, DWORD PTR SS: ;<< pSystemTime2
0043B5B8|.50 PUSH EAX ; /pSystemTime = 017E0EC8
0043B5B9|.8D4C24 20 LEA ECX, DWORD PTR SS: ; |
0043B5BD|.51 PUSH ECX ; |pFileTime = 0024FC0C
0043B5BE|.FFD6 CALL ESI ; \FileTimeToSystemTime
0043B5C0|.5E POP ESI ;017459B8
0043B5C1|.83C4 20 ADD ESP, 20
0043B5C4\.C3 RETN
DataCorrenteInFileTime
--------------------------------
0040176B > $83EC 04 SUB ESP, 4
0040176E .892C24 MOV DWORD PTR SS:, EBP ;<< seriale
00401771 .54 PUSH ESP
00401772 .5D POP EBP ;017459B8
00401773 .83EC 10 SUB ESP, 10
00401776 .50 PUSH EAX
00401777 .53 PUSH EBX
00401778 .51 PUSH ECX
00401779 .E8 00000000 CALL Uedit32.0040177E ;<< salta alla linea successiva
0040177E $8F45 FC POP DWORD PTR SS: ;017459B8
00401781 .8B5D FC MOV EBX, DWORD PTR SS: ;Uedit32.004461A0
00401784 .81EB 72070000 SUB EBX, 772
0040178A .8B45 0C MOV EAX, DWORD PTR SS:
0040178D .8903 MOV DWORD PTR DS:, EAX
0040178F .68 38F6FC10 PUSH 10FCF638
00401794 .8B4D FC MOV ECX, DWORD PTR SS: ;Uedit32.004461A0
00401797 .81E9 82050000 SUB ECX, 582
0040179D .50 PUSH EAX
0040179E .E8 00000000 CALL Uedit32.004017A3
004017A3 $58 POP EAX ;017459B8
004017A4 .83C0 09 ADD EAX, 9
004017A7 .870424 XCHG DWORD PTR SS:, EAX
004017AA .- FFE1 JMP ECX ;<< WinVersionInfo + GetProcAddress per SysTimeToFileTime
004017AC .83C4 04 ADD ESP, 4
004017AF .89EB MOV EBX, EBP
004017B1 .83EB 10 SUB EBX, 10
004017B4 .53 PUSH EBX
004017B5 .FF75 08 PUSH DWORD PTR SS: ;<< currentSystemTime
004017B8 .50 PUSH EAX
004017B9 .E8 00000000 CALL Uedit32.004017BE ;<< chiama linea successiva
004017BE $58 POP EAX ;017459B8
004017BF .83C0 09 ADD EAX, 9
004017C2 .870424 XCHG DWORD PTR SS:, EAX ;<< ** Converte in FileTime la data corrente **
004017C5 .- FFE0 JMP EAX ;<< SystemTimeToFileTime - passando come parametro il primo valore
004017C7 .89EB MOV EBX, EBP
004017C9 .83EB 10 SUB EBX, 10
004017CC .53 PUSH EBX
004017CD .8B5D FC MOV EBX, DWORD PTR SS: ;Uedit32.004461A0
004017D0 .81EB 5A070000 SUB EBX, 75A
004017D6 .50 PUSH EAX ;<< 401024 - dove saltare
004017D7 .E8 00000000 CALL Uedit32.004017DC ;<< linea successiva
004017DC $58 POP EAX ;017459B8
004017DD .83C0 09 ADD EAX, 9
004017E0 .870424 XCHG DWORD PTR SS:, EAX
004017E3 .FFE3 JMP EBX ;<< Copia il valore SysTimeInFileTime in 401010
004017E5 .83C4 04 ADD ESP, 4
004017E8 .59 POP ECX ;017459B8
004017E9 .5B POP EBX ;017459B8
004017EA .58 POP EAX ;017459B8
004017EB .83C4 10 ADD ESP, 10
004017EE .8B2C24 MOV EBP, DWORD PTR SS: ;<< seriale (in EDI c'e' il nome utente)
004017F1 .83C4 08 ADD ESP, 8
004017F4 .FF6424 FC JMP DWORD PTR SS: ;<< TORNA AL CHIAMANTE
DoBSWAP_Parametro
--------------------------------
00401877 <> $83EC 04 SUB ESP, 4
0040187A .892C24 MOV DWORD PTR SS:, EBP
0040187D .54 PUSH ESP
0040187E .5D POP EBP ;USER32.77D1919B
0040187F .50 PUSH EAX
00401880 .53 PUSH EBX
00401881 .E8 00000000 CALL Uedit32.00401886
00401886 $5B POP EBX ;
00401887 .81EB 6E080000 SUB EBX, 86E ;<< DoveSalvare
0040188D .8B45 08 MOV EAX, DWORD PTR SS: ;<< RecuperaLaCostantePerVersion
00401890 .F7D0 NOT EAX ;<< NOT
00401892 .0FC8 BSWAP EAX ;<< BSWAP
00401894 .8903 MOV DWORD PTR DS:, EAX ;<< salva valore
00401896 .5B POP EBX ;
00401897 .58 POP EAX ;
00401898 .8B2C24 MOV EBP, DWORD PTR SS: ;
0040189B .83C4 08 ADD ESP, 8
0040189E .- FF6424 FC JMP DWORD PTR SS: ;<< Torna al chiamante
DeterminaMatchEStabilisciReg
-----------------------------
004018A2 <>/$83EC 04 SUB ESP, 4
004018A5 |.892C24 MOV DWORD PTR SS:, EBP
004018A8 |.54 PUSH ESP
004018A9 |.5D POP EBP ;USER32.77D1919B
004018AA |.83EC 24 SUB ESP, 24
004018AD |.50 PUSH EAX
004018AE |.53 PUSH EBX
004018AF |.51 PUSH ECX
004018B0 |.52 PUSH EDX ;ntdll.KiFastSystemCallRet
004018B1 |.56 PUSH ESI
004018B2 |.57 PUSH EDI ;Uedit32.00D04F40
004018B3 |.E8 00000000 CALL Uedit32.004018B8 ;<< riga successiva
004018B8 |$8F45 FC POP DWORD PTR SS: ;USER32.77D1919B
004018BB |.8B45 08 MOV EAX, DWORD PTR SS: ;<< stringa ricavata da seriale
004018BE |.09C0 OR EAX, EAX
004018C0 |.75 0B JNZ SHORT Uedit32.004018CD ;v se stringa valida
004018C2 |.FF75 FC PUSH DWORD PTR SS:
004018C5 |.810424 3F0200>ADD DWORD PTR SS:, 23F
004018CC |.C3 RETN
004018CD |>8B5D FC MOV EBX, DWORD PTR SS:
004018D0 |.81EB ED070000 SUB EBX, 7ED
004018D6 |.FF75 0C PUSH DWORD PTR SS: ;<< username
004018D9 |.50 PUSH EAX ;<< stringa estratta da serial
004018DA |.E8 00000000 CALL Uedit32.004018DF ;<< riga successiva
004018DF |$58 POP EAX ;USER32.77D1919B
004018E0 |.83C0 09 ADD EAX, 9
004018E3 |.870424 XCHG DWORD PTR SS:, EAX ;<< Controlla il valore di EAX - e' modificato in 'ElaboraUserName'
004018E6 \.FFE3 JMP EBX ;<< CALCOLA HASH USERNAME
004018E8 .83C4 04 ADD ESP, 4
004018EB .8945 F8 MOV DWORD PTR SS:, EAX ;<< salva hash di username
004018EE .8B5D 08 MOV EBX, DWORD PTR SS: ;<< stringa da seriale
004018F1 .8B55 FC MOV EDX, DWORD PTR SS:
004018F4 .81EA B2010000 SUB EDX, 1B2 ;<< Routine da invocare
004018FA .53 PUSH EBX
004018FB .50 PUSH EAX
004018FC .E8 00000000 CALL Uedit32.00401901 ;<< dopo
00401901 $58 POP EAX ;USER32.77D1919B
00401902 .83C0 09 ADD EAX, 9
00401905 .870424 XCHG DWORD PTR SS:, EAX ;<< EAX := hashUserName_NOT
00401908 .- FFE2 JMP EDX ;<< bswap stringa estratta da seriale
0040190A .83C4 04 ADD ESP, 4
0040190D .53 PUSH EBX ;<< stringa estratta (Bswappata)
0040190E .8B55 FC MOV EDX, DWORD PTR SS:
00401911 .81EA 78030000 SUB EDX, 378 ;<< routine da invocare (estraiMatch)
00401917 .50 PUSH EAX
00401918 .E8 00000000 CALL Uedit32.0040191D ;<< linea dopo
0040191D $58 POP EAX ;
0040191E .83C0 09 ADD EAX, 9
00401921 .870424 XCHG DWORD PTR SS:, EAX ;<< 401926
00401924 .- FFE2 JMP EDX ;<< Match1 - 8 char iniziali
00401926 .83C4 04 ADD ESP, 4
00401929 .8945 E4 MOV DWORD PTR SS:, EAX ;<< salva primo match
0040192C .83C3 08 ADD EBX, 8 ;<< prossimi 8 char
0040192F .53 PUSH EBX
00401930 .50 PUSH EAX
00401931 .E8 00000000 CALL Uedit32.00401936 ;<< linea dopo
00401936 $58 POP EAX ;
00401937 .83C0 09 ADD EAX, 9
0040193A .870424 XCHG DWORD PTR SS:, EAX ;<< EAX := Primo Match
0040193D .- FFE2 JMP EDX ;
0040193F .83C4 04 ADD ESP, 4
00401942 .8945 F0 MOV DWORD PTR SS:, EAX ;<< salva secondo Match
00401945 .83C3 08 ADD EBX, 8 ;<< avanza
00401948 .53 PUSH EBX
00401949 .50 PUSH EAX
0040194A .E8 00000000 CALL Uedit32.0040194F ;<< linea dopo
0040194F $58 POP EAX ;
00401950 .83C0 09 ADD EAX, 9
00401953 .870424 XCHG DWORD PTR SS:, EAX
00401956 .- FFE2 JMP EDX ;<< terzoMatch
00401958 .83C4 04 ADD ESP, 4
0040195B .8945 F4 MOV DWORD PTR SS:, EAX ;<< salva terzo match
0040195E .53 PUSH EBX
0040195F .52 PUSH EDX ;
00401960 .89EB MOV EBX, EBP
00401962 .83EB 10 SUB EBX, 10
00401965 .53 PUSH EBX ;<< secondoMatch
00401966 .8B55 FC MOV EDX, DWORD PTR SS:
00401969 .81EA 7A010000 SUB EDX, 17A
0040196F .50 PUSH EAX
00401970 .E8 00000000 CALL Uedit32.00401975 ;<< linea dopo
00401975 $58 POP EAX ;
00401976 .83C0 09 ADD EAX, 9
00401979 .870424 XCHG DWORD PTR SS:, EAX
0040197C .- FFE2 JMP EDX ;<< Combina Secondo e Terzo Match
0040197E .83C4 04 ADD ESP, 4
00401981 .5A POP EDX ;
00401982 .5B POP EBX ;
00401983 .83C3 08 ADD EBX, 8 ;<< avanza nella stringa estratta
00401986 .53 PUSH EBX
00401987 .50 PUSH EAX
00401988 .E8 00000000 CALL Uedit32.0040198D ;<< linea successiva
0040198D $58 POP EAX ;
0040198E .83C0 09 ADD EAX, 9
00401991 .870424 XCHG DWORD PTR SS:, EAX
00401994 .- FFE2 JMP EDX ;<< Estrae quartoMatch
00401996 .83C4 04 ADD ESP, 4
00401999 .8945 E8 MOV DWORD PTR SS:, EAX ;<< salva quartoMatch
0040199C .8B5D FC MOV EBX, DWORD PTR SS:
0040199F .81EB A0080000 SUB EBX, 8A0
004019A5 .8B1B MOV EBX, DWORD PTR DS: ;<< BSWAP di 150000 (versione di Uedit)
004019A7 .8B45 E8 MOV EAX, DWORD PTR SS: ;<< EAX := QuartoMatch
004019AA .0FCB BSWAP EBX ;<< ottiene 150000 ...
004019AC .F7D3 NOT EBX ;<< .... in EBX
004019AE .50 PUSH EAX ;<< push quartoMatch
004019AF .53 PUSH EBX ;<< push 150000
004019B0 .8B5D E8 MOV EBX, DWORD PTR SS: ;<< quartoMatch
004019B3 .8B45 E4 MOV EAX, DWORD PTR SS: ;<< primo match
004019B6 .C1C8 0D ROR EAX, 0D ;<< primoMatch = primoMatch ROR 0D
004019B9 .31C3 XOR EBX, EAX ;<< XOR quarto_match e (primoMatch ROR 0D)
004019BB .C1C0 0D ROL EAX, 0D ;<< rotazione a sinistra ora (ripristina valore ?)
004019BE .31C3 XOR EBX, EAX ;<< nuovo XOR col valore 'non ribaltato'
004019C0 .895D E8 MOV DWORD PTR SS:, EBX ;<< salva questo valore in posizione quartoMatch
004019C3 .5B POP EBX ;USER32.77D1919B
004019C4 .58 POP EAX ;USER32.77D1919B
004019C5 .31C0 XOR EAX, EAX ;<< EAX := 0
004019C7 .8B45 E8 MOV EAX, DWORD PTR SS: ;<< recupera il valore appena calcolato
004019CA .25 000000F0 AND EAX, F0000000 ;<< Esegue AND (ultima cifra esadecimale)
004019CF .C1C0 04 ROL EAX, 4 ;<< rotazione a sinistra di 4 (lo porta a destra a tutto )
004019D2 .53 PUSH EBX ;<< 150000
004019D3 .50 PUSH EAX ;<<
004019D4 .93 XCHG EAX, EBX ;<< scambio EAX <--> EBX
004019D5 .8B45 FC MOV EAX, DWORD PTR SS:
004019D8 .2D 22080000 SUB EAX, 822
004019DD .0918 OR DWORD PTR DS:, EBX ;<< OR della dword di 'controllo' (su cui si decide la registrazione) deve essere < 17Ch
004019DF .8B45 E8 MOV EAX, DWORD PTR SS: ;<< recupera il valore calcolato (posizione quartoMatch)
004019E2 .25 FFFFFF0F AND EAX, 0FFFFFFF ;<< tutto tranne prima cifra esadecimale
004019E7 .8945 E8 MOV DWORD PTR SS:, EAX ;<< e lo salva da dove l'ha preso (quarto match)
004019EA .58 POP EAX ;USER32.77D1919B
004019EB .5B POP EBX ;USER32.77D1919B
004019EC .8B45 E8 MOV EAX, DWORD PTR SS: ;<< riprende cio' che e' in quartoMatch
004019EF .C1CB 10 ROR EBX, 10 ;<< ROR 150000, 10 (otteniamo 15)
004019F2 .C1C8 10 ROR EAX, 10 ;<< ror EAX, 10
004019F5 .66:29C3 SUB BX, AX ;<< devono essere uguali le WORD + basse ( 00 15 ) !
004019F8 .74 13 JE SHORT Uedit32.00401A0D ;v
004019FA .8B5D FC MOV EBX, DWORD PTR SS: ;<< prepara valore di errore
004019FD .81EB 22080000 SUB EBX, 822
00401A03 .31C0 XOR EAX, EAX
00401A05 .40 INC EAX
00401A06 .C1E0 1D SHL EAX, 1D
00401A09 .0903 OR DWORD PTR DS:, EAX
00401A0B .EB 54 JMP SHORT Uedit32.00401A61
00401A0D >C1C8 18 ROR EAX, 18 ;<< deve essere uguale anche altro
00401A10 .C1CB 18 ROR EBX, 18
00401A13 .28C3 SUB BL, AL ;<< byte + basso = 0 ?
00401A15 .74 4A JE SHORT Uedit32.00401A61 ;- devo farlo saltare ?
00401A17 .9B WAIT
00401A18 .DBE3 FINIT
00401A1A .8B5D FC MOV EBX, DWORD PTR SS:
00401A1D .81EB B4080000 SUB EBX, 8B4
00401A23 .DF2B FILD QWORD PTR DS:
00401A25 .DF6D F0 FILD QWORD PTR SS:
00401A28 .8B5D FC MOV EBX, DWORD PTR SS:
00401A2B .81EB 98070000 SUB EBX, 798
00401A31 .DF2B FILD QWORD PTR DS:
00401A33 .D8E1 FSUB ST(0), ST(1)
00401A35 .D8F2 FDIV ST(0), ST(2)
00401A37 .DB5D DC FISTP DWORD PTR SS:
00401A3A .9B WAIT
00401A3B .DBE3 FINIT
00401A3D .8B45 DC MOV EAX, DWORD PTR SS: ;USER32.77D1919B
00401A40 .A9 00000080 TEST EAX, 80000000
00401A45 .74 02 JE SHORT Uedit32.00401A49
00401A47 .F7D8 NEG EAX
00401A49 >3D 6D010000 CMP EAX, 16D
00401A4E .76 11 JBE SHORT Uedit32.00401A61
00401A50 .8B5D FC MOV EBX, DWORD PTR SS:
00401A53 .81EB 22080000 SUB EBX, 822
00401A59 .31C0 XOR EAX, EAX
00401A5B .40 INC EAX
00401A5C .C1E0 0E SHL EAX, 0E
00401A5F .0903 OR DWORD PTR DS:, EAX
00401A61 >8B5D FC MOV EBX, DWORD PTR SS:
00401A64 .81EB B4080000 SUB EBX, 8B4 ;<< importante_401004
00401A6A .9B WAIT
00401A6B .DBE3 FINIT
00401A6D .DF2B FILD QWORD PTR DS: ;<< 00 C0 69 2A | C9 00 00 00
00401A6F .DF6D F0 FILD QWORD PTR SS: ;<< secondo e terzo match assieme come qword ( secondo nella dword + bassa )
00401A72 .8B5D FC MOV EBX, DWORD PTR SS:
00401A75 .81EB A8080000 SUB EBX, 8A8
00401A7B .DF2B FILD QWORD PTR DS: ;<< currSysTime in FileTime
00401A7D .D8E1 FSUB ST(0), ST(1) ;<< sottrae quest'ultima con secondo_terzo
00401A7F .D8F2 FDIV ST(0), ST(2) ;<< divide per la prima (dovrebbe essere costante)
00401A81 .DB5D DC FISTP DWORD PTR SS: ;<< salva il risultato (DWORD)
00401A84 .8B45 DC MOV EAX, DWORD PTR SS: ;<< recupera questo valore
00401A87 .A9 00000080 TEST EAX, 80000000 ;<< e lo controlla
00401A8C .74 02 JE SHORT Uedit32.00401A90
00401A8E .F7D8 NEG EAX
00401A90 >3D 7C010000 CMP EAX, 17C ;<< EAX deve essere <= 17C
00401A95 .76 15 JBE SHORT Uedit32.00401AAC ;DEVE SALTARE
00401A97 .8B5D FC MOV EBX, DWORD PTR SS:
00401A9A .81EB 22080000 SUB EBX, 822
00401AA0 .B8 FF010000 MOV EAX, 1FF
00401AA5 .C1E0 10 SHL EAX, 10
00401AA8 .0903 OR DWORD PTR DS:, EAX ;<< male?
00401AAA .EB 0E JMP SHORT Uedit32.00401ABA
00401AAC >C1C0 10 ROL EAX, 10 ;<< ROL EAX,10 posizioni
00401AAF .8B5D FC MOV EBX, DWORD PTR SS:
00401AB2 .81EB 22080000 SUB EBX, 822 ;<< dword di controllo
00401AB8 .0903 OR DWORD PTR DS:, EAX ;<< salva il valore nell'indicatore (male?)
00401ABA >8B45 E8 MOV EAX, DWORD PTR SS: ;<< valore in posizione quartoMatch
00401ABD .83E0 0F AND EAX, 0F ;<< ultima cifra esadecimale
00401AC0 .A9 08000000 TEST EAX, 8
00401AC5 .75 1F JNZ SHORT Uedit32.00401AE6 ;<< ** NON deve saltare
00401AC7 .83E0 07 AND EAX, 7
00401ACA .0C 00 OR AL, 0
00401ACC .74 29 JE SHORT Uedit32.00401AF7 ;<< questo *deve* saltare
00401ACE .83C8 20 OR EAX, 20
00401AD1 .C1E0 07 SHL EAX, 7
00401AD4 .25 801F0000 AND EAX, 1F80
00401AD9 .8B5D FC MOV EBX, DWORD PTR SS:
00401ADC .81EB 22080000 SUB EBX, 822
00401AE2 .0903 OR DWORD PTR DS:, EAX ;<< male
00401AE4 .EB 11 JMP SHORT Uedit32.00401AF7
00401AE6 >8B5D FC MOV EBX, DWORD PTR SS:
00401AE9 .81EB 22080000 SUB EBX, 822
00401AEF .31C0 XOR EAX, EAX
00401AF1 .40 INC EAX
00401AF2 .C1E0 06 SHL EAX, 6
00401AF5 .0903 OR DWORD PTR DS:, EAX
00401AF7 >5F POP EDI ;USER32.77D1919B
00401AF8 .5E POP ESI ;USER32.77D1919B
00401AF9 .5A POP EDX ;USER32.77D1919B
00401AFA .59 POP ECX ;USER32.77D1919B
00401AFB .5B POP EBX ;USER32.77D1919B
00401AFC .58 POP EAX ;USER32.77D1919B
00401AFD .83C4 24 ADD ESP, 24
00401B00 .8B2C24 MOV EBP, DWORD PTR SS: ;USER32.77D1919B
00401B03 .83C4 08 ADD ESP, 8
00401B06 .- FF6424 FC JMP DWORD PTR SS: ;<< **** torna al chiamante
Analizziamo meglio CodificaMatchEDeterminaRegistrazione
-------------------------
CalcolaHashUserName (serve solo per il file di licenza)
-------
004010CB <> .83EC 04 SUB ESP, 4
004010CE .892C24 MOV DWORD PTR SS:, EBP ;<moltiplicazione_e_pFileTime>
004010D1 .54 PUSH ESP
004010D2 .5D POP EBP ;Uedit32.004018E8
004010D3 .53 PUSH EBX ;<Uedit32.ElaboraUserName>
004010D4 .51 PUSH ECX
004010D5 .52 PUSH EDX
004010D6 .56 PUSH ESI ;kernel32.7C800000
004010D7 .8B75 08 MOV ESI, DWORD PTR SS: ;<< username
004010DA .BA 01A001DC MOV EDX, DC01A001 ;<< costante
004010DF .6A 00 PUSH 0
004010E1 .59 POP ECX ;<< ECX := 0
004010E2 >AC LODS BYTE PTR DS: ;<< carattere dello username in AL
004010E3 .08C0 OR AL, AL ;<< username finito ?
004010E5 .74 25 JE SHORT Uedit32.0040110C
004010E7 .50 PUSH EAX ;<< salva valore (per successivo uso)
004010E8 .34 CD XOR AL, 0CD ;<< XOR char username con 0CD
004010EA .0FB6C0 MOVZX EAX, AL ;<< estende con 0 (byte esteso)
004010ED .01C1 ADD ECX, EAX ;<< ECX += EAX
004010EF .58 POP EAX ;Uedit32.004018E8
004010F0 .F6E0 MUL AL ;<< AL * AL
004010F2 .0FB7C0 MOVZX EAX, AX ;<< AX (word estesa)
004010F5 .66:BB E500 MOV BX, 0E5 ;<< BX := 0E5
004010F9 .66:F7E3 MUL BX ;<< EAX = AX*BX
004010FC .01C1 ADD ECX, EAX ;<< ECX += EAX
004010FE .01D1 ADD ECX, EDX ;<< ECX += EDX
00401100 .F7C1 01000000 TEST ECX, 1 ;<< ECX dispari ?
00401106 .^ 74 DA JE SHORT Uedit32.004010E2 ;<< se NON pari moltiplican per 2 EDX
00401108 .D1CA ROR EDX, 1
0040110A .^ EB D6 JMP SHORT Uedit32.004010E2
0040110C >89C8 MOV EAX, ECX ;<< hash username
0040110E .F7D0 NOT EAX ;<< NOT hash
00401110 .5E POP ESI ;Uedit32.004018E8
00401111 .5A POP EDX ;Uedit32.004018E8
00401112 .59 POP ECX ;Uedit32.004018E8
00401113 .5B POP EBX ;Uedit32.004018E8
00401114 .8B2C24 MOV EBP, DWORD PTR SS: ;Uedit32.004018E8
00401117 .83C4 08 ADD ESP, 8
0040111A .FF6424 FC JMP DWORD PTR SS: ;Uedit32.004018DF
BSWAP Stringa estratta da seriale
-----------------------
00401706 <BSWA> .83EC 04 SUB ESP, 4 ;---
00401709 .892C24 MOV DWORD PTR SS:, EBP ;<moltiplicazione_e_pFileTime>
0040170C .54 PUSH ESP
0040170D .5D POP EBP ;Uedit32.0040190A
0040170E .50 PUSH EAX
0040170F .53 PUSH EBX
00401710 .51 PUSH ECX
00401711 .52 PUSH EDX ;<Uedit32.BSWAPInPlace>
00401712 .B9 0F000000 MOV ECX, 0F ;<< ecx := 0F
00401717 .8B5D F8 MOV EBX, DWORD PTR SS: ;<< stringa da seriale
0040171A .BA 1C000000 MOV EDX, 1C ;<< EDX := 1C (28)
0040171F >8B0413 MOV EAX, DWORD PTR DS: ;<< ultimi 4 char (e poi si sposta di 2 char alla volta indietro)
00401722 .0FC8 BSWAP EAX ;<< BSWAP
00401724 .890413 MOV DWORD PTR DS:, EAX ;<< salva il BSWAP nel posto originale
00401727 .83EA 02 SUB EDX, 2
0040172A .^ E2 F3 LOOPD SHORT Uedit32.0040171F
0040172C .5A POP EDX ;Uedit32.0040190A
0040172D .59 POP ECX ;Uedit32.0040190A
0040172E .5B POP EBX ;Uedit32.0040190A
0040172F .58 POP EAX ;Uedit32.0040190A
00401730 .8B2C24 MOV EBP, DWORD PTR SS: ;<< ptr. a 'secondi'
00401733 .83C4 08 ADD ESP, 8
00401736 .FF6424 FC JMP DWORD PTR SS: ;Uedit32.00401901
EstraiMatch
--------------------
00401540 <Estr> .83EC 04 SUB ESP, 4 ;---- Estrai Match ----
00401543 .892C24 MOV DWORD PTR SS:, EBP ;<moltiplicazione_e_pFileTime>
00401546 .54 PUSH ESP
00401547 .5D POP EBP ;Uedit32.00401926
00401548 .53 PUSH EBX
00401549 .51 PUSH ECX
0040154A .52 PUSH EDX ;<Uedit32.EstraiMatch>
0040154B .56 PUSH ESI ;kernel32.7C800000
0040154C .57 PUSH EDI
0040154D .E8 00000000 CALL Uedit32.00401552 ;<< successiva
00401552 $5F POP EDI ;Uedit32.00401926
00401553 .83EF 2A SUB EDI, 2A
00401556 .8B75 08 MOV ESI, DWORD PTR SS: ;<< stringa estratta da seriale e bswappata
00401559 .31DB XOR EBX, EBX ;<< EBX := 0
0040155B .31C9 XOR ECX, ECX ;<< ECX := 0
0040155D >AC LODS BYTE PTR DS: ;<< char della stringa in AL
0040155E .51 PUSH ECX ;<<
0040155F .31C9 XOR ECX, ECX ;<< ecx := 0
00401561 >3A040F CMP AL, BYTE PTR DS: ;<< Cerca l'indice nella stringa X6A3KVMOQ8D2HCPI
00401564 .74 08 JE SHORT Uedit32.0040156E
00401566 .83F9 0F CMP ECX, 0F
00401569 .7F 11 JG SHORT Uedit32.0040157C
0040156B .41 INC ECX
0040156C .^ EB F3 JMP SHORT Uedit32.00401561
0040156E >09CB OR EBX, ECX ;<< EBX = EBX OR <indice_carattere>
00401570 .59 POP ECX ;<< num char 'matchati'
00401571 .83F9 07 CMP ECX, 7
00401574 .74 1A JE SHORT Uedit32.00401590 ;<< se ho matchato 8 char ... per ora va bene
00401576 .41 INC ECX ;<< char_matchati++
00401577 .C1E3 04 SHL EBX, 4 ;<< EBX * 16
0040157A .^ EB E1 JMP SHORT Uedit32.0040155D
0040157C >83C4 04 ADD ESP, 4
0040157F .5F POP EDI ;Uedit32.00401926
00401580 .5E POP ESI ;Uedit32.00401926
00401581 .5A POP EDX ;Uedit32.00401926
00401582 .59 POP ECX ;Uedit32.00401926
00401583 .5B POP EBX ;Uedit32.00401926
00401584 .31C0 XOR EAX, EAX
00401586 .8B2C24 MOV EBP, DWORD PTR SS: ;Uedit32.00401926
00401589 .83C4 08 ADD ESP, 8
0040158C .FF6424 FC JMP DWORD PTR SS: ;Uedit32.0040191D
00401590 >89D8 MOV EAX, EBX ;<< valore calcolato in EAX
00401592 .5F POP EDI ;Uedit32.00401926
00401593 .5E POP ESI ;Uedit32.00401926
00401594 .5A POP EDX ;Uedit32.00401926
00401595 .59 POP ECX ;Uedit32.00401926
00401596 .5B POP EBX ;Uedit32.00401926
00401597 .8B2C24 MOV EBP, DWORD PTR SS: ;Uedit32.00401926
0040159A .83C4 08 ADD ESP, 8
0040159D .FF6424 FC JMP DWORD PTR SS: ;Uedit32.0040191D
CombinaSecondoTerzoMatch
-------------------------------
0040173E <Combin> .83EC 04 SUB ESP, 4 ;----
00401741 .892C24 MOV DWORD PTR SS:, EBP ;<moltiplicazione_e_pFileTime>
00401744 .54 PUSH ESP
00401745 .5D POP EBP ;Uedit32.0040197E
00401746 .50 PUSH EAX
00401747 .53 PUSH EBX ;<secondoMatch>
00401748 .52 PUSH EDX ;<Uedit32.CombinaSecondoTerzoMatch>
00401749 .8B5D 08 MOV EBX, DWORD PTR SS: ;<< ind. secondo match
0040174C .8B43 04 MOV EAX, DWORD PTR DS: ;<< terzo match (valore)
0040174F .8B13 MOV EDX, DWORD PTR DS: ;<< Secondo Match ( valore )
00401751 .31C2 XOR EDX, EAX ;<< SecondoMatch = SecondoMatch XOR TerzoMatch
00401753 .0FCA BSWAP EDX ;<< bswap risultato (in edx)
00401755 .31D0 XOR EAX, EDX ;<< TerzoMatch = TerzoMatch XOR ( valore_bswappato appena calcolato )
00401757 .0FC8 BSWAP EAX ;<< bswap a sua volta
00401759 .8943 04 MOV DWORD PTR DS:, EAX ;<< Salva valore di EAX nella posizione del terzoMatch
0040175C .8913 MOV DWORD PTR DS:, EDX ;<< Salva EDX nella posizione del secondo Match
0040175E .5A POP EDX ;Uedit32.0040197E
0040175F .5B POP EBX ;Uedit32.0040197E
00401760 .58 POP EAX ;Uedit32.0040197E
00401761 .8B2C24 MOV EBP, DWORD PTR SS: ;Uedit32.0040197E
00401764 .83C4 08 ADD ESP, 8
00401767 .FF6424 FC JMP DWORD PTR SS: ;Uedit32.00401975
---------------------------- 这么好的帖子怎么没有人顶啊,要是把注释给翻译一下就好了。 下载保存,这么好的贴没人顶,奇怪 不错哦,支持楼主的分享 这么好的帖子 谢谢分享,好东西啊 初看,确实分析得十分到位。 学习了不错啊 是不是视频教程? 辛苦了!!!
页:
[1]
2