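Serial-algorithm analysis of a simple foreign PDF editor
Last edited by aikuimail on 2015-11-17 20:34
Sample: PDFill PDF Editor
Official site: www.pdfill.com
Platform: Windows 7 SP1 (32-bit), Windows XP (YLMF / 雨林木风 build)
Goal: reverse the registration algorithm of "pdfill", a free-trial program listed on CNET
Tool: the 52pojie build of OllyDbg (吾爱OD)
You can go to the official site and click the download sidebar to find the download link; I have also uploaded a copy here: http://pan.baidu.com/s/1gdAX8T9 password: 2b8b
I have been on 52pojie for more than half a year now. I joined during an open-registration period, and over these months I have kept studying and have learned a lot. I can't speak for others, since everyone has their own interests and goals, but for me the aim is to dissect the exact algorithm of a given program in detail, rather than being keen on patching software, brute-force cracking and the like. Any approach can be used to improve oneself. Let's all keep at it!
First, here is the process I follow when analyzing an algorithm:
(1) After setting the breakpoint, get to the key jump and analyze how the return value of the key CALL affects it
(2) Single-step (F8) from the breakpoint and note every suspicious string that shows up on the stack and in the registers along the way
(3) Focus on the key CALL and complete the algorithm
All right, let's download and open the program. The interface looks like this:
Choose Help -> Enter Registration Code from the menu and enter a name, an email and a fake code. You can use your own; I used the following:
First Name: Ashe
Last Name: Green
Email Addr: aikuimail@52pojie.cn (a made-up address :)
Serial Num: 123456789
It reports that the registration code must be 12 characters, so change the fake code to 123456789123
Packer check: it is written in VC:
Now for the first step. Open the program in OD and run it, enter the information we prepared, and click OK; an error window pops up.
Don't rush to click OK. Switch to OD, press the pause button, look at the call stack, and then set a breakpoint at the start of the function. I won't go into detail here; after all, nobody reading this post can be a complete beginner, and saying too much might look like padding. The technique used here is the pause method. I'll paste the code below. This is my first post, so please excuse any misalignment!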
00455E5F .6A 10 push 0x10
00455E61 .B8 4A954E00 mov eax,PDFill.004E954A
00455E66 .E8 72990800 call PDFill.004DF7DD
00455E6B .8BF1 mov esi,ecx ;mfc100u.57670DBC
00455E6D .E8 C2890800 call <jmp.&mfc100u.#1934>
00455E72 .8B78 04 mov edi,dword ptr ds:
00455E75 .8D86 94000000 lea eax,dword ptr ds:
00455E7B .50 push eax
00455E7C .8D8E A8000000 lea ecx,dword ptr ds:
00455E82 .E8 EB8D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "Ashe"
00455E87 .8D86 98000000 lea eax,dword ptr ds:
00455E8D .50 push eax
00455E8E .8D8E 1C010000 lea ecx,dword ptr ds:
00455E94 .E8 D98D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "Green"
00455E99 .8D86 9C000000 lea eax,dword ptr ds:
00455E9F .50 push eax
00455EA0 .8D8E 90010000 lea ecx,dword ptr ds:
00455EA6 .E8 C78D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "aikuimail@52pojie.cn"
00455EAB .8D9E A0000000 lea ebx,dword ptr ds:
00455EB1 .53 push ebx
00455EB2 .8D8E 04020000 lea ecx,dword ptr ds:
00455EB8 .E8 B58D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "123456789123"
00455EBD .8D8E 94000000 lea ecx,dword ptr ds:
00455EC3 .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208
00455EC9 .8D8E 98000000 lea ecx,dword ptr ds:
00455ECF .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208
00455ED5 .8D8E 9C000000 lea ecx,dword ptr ds:
00455EDB .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208
00455EE1 .8BCB mov ecx,ebx
00455EE3 .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208
00455EE9 .8BCB mov ecx,ebx
00455EEB .FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230
00455EF1 .83F8 0C cmp eax,0xC
00455EF4 .74 1F je short PDFill.00455F15
00455EF6 .8BCB mov ecx,ebx
00455EF8 .FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230
00455EFE .85C0 test eax,eax
00455F00 .7E 13 jle short PDFill.00455F15
00455F02 .6A 40 push 0x40
00455F04 .68 44654F00 push PDFill.004F6544 ;UNICODE "PlotSoft PDFill"
00455F09 .68 48D65000 push PDFill.0050D648 ;UNICODE "Your register code is not correct! It should have "
00455F0E .8BCE mov ecx,esi
00455F10 .E8 498C0800 call <jmp.&mfc100u.#7911>
00455F15 >51 push ecx ;mfc100u.57670DBC
00455F16 .8BCC mov ecx,esp
00455F18 .8965 F0 mov dword ptr ss:,esp
00455F1B .53 push ebx
00455F1C .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455F22 .8365 FC 00 and dword ptr ss:,0x0
00455F26 .51 push ecx ;mfc100u.57670DBC //ECX UNICODE "123456789123"
00455F27 .8D86 9C000000 lea eax,dword ptr ds:
00455F2D .8BCC mov ecx,esp
00455F2F .8965 EC mov dword ptr ss:,esp
00455F32 .50 push eax //ECX UNICODE "aikuimail@52pojie.cn"
00455F33 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455F39 .51 push ecx ;mfc100u.57670DBC
00455F3A .8D86 98000000 lea eax,dword ptr ds:
00455F40 .8BCC mov ecx,esp
00455F42 .8965 E8 mov dword ptr ss:,esp
00455F45 .50 push eax
00455F46 .C645 FC 01 mov byte ptr ss:,0x1
00455F4A .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280 //ECX UNICODE "Green"
00455F50 .51 push ecx ;mfc100u.57670DBC
00455F51 .8D86 94000000 lea eax,dword ptr ds:
00455F57 .8BCC mov ecx,esp
00455F59 .8965 E4 mov dword ptr ss:,esp
00455F5C .50 push eax
00455F5D .C645 FC 02 mov byte ptr ss:,0x2
00455F61 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280 //ECX UNICODE "Ashe"
00455F67 .834D FC FF or dword ptr ss:,-0x1
00455F6B .8D8F 94030000 lea ecx,dword ptr ds:
00455F71 .E8 6D970400 call PDFill.0049F6E3 //key CALL
00455F76 .83F8 01 cmp eax,0x1
00455F79 .0F85 D3000000 jnz PDFill.00456052 //if the key CALL returns 0, registration fails
00455F7F .51 push ecx ;mfc100u.57670DBC
00455F80 .8BCC mov ecx,esp
00455F82 .8965 E4 mov dword ptr ss:,esp
00455F85 .53 push ebx
00455F86 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455F8C .51 push ecx ;mfc100u.57670DBC
00455F8D .8D86 9C000000 lea eax,dword ptr ds:
00455F93 .8BCC mov ecx,esp
00455F95 .8965 E8 mov dword ptr ss:,esp
00455F98 .50 push eax
00455F99 .C745 FC 03000>mov dword ptr ss:,0x3
00455FA0 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455FA6 .51 push ecx ;mfc100u.57670DBC
00455FA7 .8D86 98000000 lea eax,dword ptr ds:
00455FAD .8BCC mov ecx,esp
00455FAF .8965 EC mov dword ptr ss:,esp
00455FB2 .50 push eax
00455FB3 .C645 FC 04 mov byte ptr ss:,0x4
00455FB7 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455FBD .51 push ecx ;mfc100u.57670DBC
00455FBE .8D86 94000000 lea eax,dword ptr ds:
00455FC4 .8BCC mov ecx,esp
00455FC6 .8965 F0 mov dword ptr ss:,esp
00455FC9 .50 push eax
00455FCA .C645 FC 05 mov byte ptr ss:,0x5
00455FCE .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455FD4 .834D FC FF or dword ptr ss:,-0x1
00455FD8 .8D8F 94030000 lea ecx,dword ptr ds:
00455FDE .E8 09920400 call PDFill.0049F1EC
00455FE3 .8D86 94000000 lea eax,dword ptr ds:
00455FE9 .50 push eax
00455FEA .8D8F 70030000 lea ecx,dword ptr ds:
00455FF0 .C787 80030000>mov dword ptr ds:,0x1
00455FFA .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456000 .8D86 98000000 lea eax,dword ptr ds:
00456006 .50 push eax
00456007 .8D8F 74030000 lea ecx,dword ptr ds:
0045600D .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456013 .8D86 9C000000 lea eax,dword ptr ds:
00456019 .50 push eax
0045601A .8D8F 78030000 lea ecx,dword ptr ds:
00456020 .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456026 .53 push ebx
00456027 .8D8F 7C030000 lea ecx,dword ptr ds:
0045602D .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456033 .6A 40 push 0x40
00456035 .68 44654F00 push PDFill.004F6544 ;UNICODE "PlotSoft PDFill"
0045603A .68 C8D55000 push PDFill.0050D5C8 ;UNICODE "You have successfully registered your PDFill Licen"
0045603F .8BCE mov ecx,esi
00456041 .E8 188B0800 call <jmp.&mfc100u.#7911>
00456046 .8B06 mov eax,dword ptr ds: ;PDFill.0050CF5C
00456048 .8BCE mov ecx,esi
0045604A .FF90 84010000 call dword ptr ds:
00456050 .EB 13 jmp short PDFill.00456065
00456052 >6A 40 push 0x40
00456054 .68 44654F00 push PDFill.004F6544 ;UNICODE "PlotSoft PDFill"
00456059 .68 18D55000 push PDFill.0050D518 ;UNICODE "Your first name, last name, email or register code"
0045605E .8BCE mov ecx,esi
00456060 .E8 F98A0800 call <jmp.&mfc100u.#7911>
00456065 >E8 12980800 call PDFill.004DF87C
0045606A .C3 retn
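At this point everyone already knows how to brute-force it; there are many ways, and I won't go into them here. To analyze the algorithm we have to step into the key CALL. Since I am also a severe perfectionist (or maybe... :), whether you like it or not I am going to paste the code above again and explain it in detail, so that at least some day, when I come to my senses after a long spell of laziness and want to review, I can still find my own study notes. Well, I can't tell whether the layout of the code above is already a mess, so I will paste it once more.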
00455E5F .6A 10 push 0x10
00455E61 .B8 4A954E00 mov eax,PDFill.004E954A
00455E66 .E8 72990800 call PDFill.004DF7DD
00455E6B .8BF1 mov esi,ecx
00455E6D .E8 C2890800 call <jmp.&mfc100u.#1934>
00455E72 .8B78 04 mov edi,dword ptr ds:
00455E75 .8D86 94000000 lea eax,dword ptr ds: ;store the address of "Ashe" in eax
00455E7B .50 push eax ;push Ashe onto the stack
00455E7C .8D8E A8000000 lea ecx,dword ptr ds:
00455E82 .E8 EB8D0800 call <jmp.&mfc100u.#7006> ;ECX UNICODE "Ashe"; this function returns the length of its argument and stores the argument in ECX; the function is listed below
00455E87 .8D86 98000000 lea eax,dword ptr ds: ;store the address of Green in EAX
00455E8D .50 push eax ;push the address of Green
00455E8E .8D8E 1C010000 lea ecx,dword ptr ds:
00455E94 .E8 D98D0800 call <jmp.&mfc100u.#7006> ; returns the length of Green
00455E99 .8D86 9C000000 lea eax,dword ptr ds: ;put the email address in eax
00455E9F .50 push eax ;push
00455EA0 .8D8E 90010000 lea ecx,dword ptr ds:
00455EA6 .E8 C78D0800 call <jmp.&mfc100u.#7006> ;put the email address in ECX
00455EAB .8D9E A0000000 lea ebx,dword ptr ds: ;address of the serial number
00455EB1 .53 push ebx ;push
00455EB2 .8D8E 04020000 lea ecx,dword ptr ds:
00455EB8 .E8 B58D0800 call <jmp.&mfc100u.#7006> ;serial number length goes into EAX, its address into ECX
00455EBD .8D8E 94000000 lea ecx,dword ptr ds:
00455EC3 .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208
00455EC9 .8D8E 98000000 lea ecx,dword ptr ds:
00455ECF .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208
00455ED5 .8D8E 9C000000 lea ecx,dword ptr ds:
00455EDB .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208
00455EE1 .8BCB mov ecx,ebx
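00455EE3 .FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ;mfc100u.#13208 ;the lines above check whether the user name, email and registration code are valid, i.e. contain no illegal characters
00455EE9 .8BCB mov ecx,ebx
00455EEB .FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230 ;get the serial number length
00455EF1 .83F8 0C cmp eax,0xC ;check whether the serial number is 12 characters long
00455EF4 .74 1F je short PDFill.00455F15 ;if the code is 12 characters, continue comparing; otherwise jump to registration failure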
00455EF6 .8BCB mov ecx,ebx
00455EF8 .FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230
00455EFE .85C0 test eax,eax
00455F00 .7E 13 jle short PDFill.00455F15
00455F02 .6A 40 push 0x40
00455F04 .68 44654F00 push PDFill.004F6544 ;UNICODE "PlotSoft PDFill"
00455F09 .68 48D65000 push PDFill.0050D648 ;UNICODE "Your register code is not correct! It should have "
00455F0E .8BCE mov ecx,esi
00455F10 .E8 498C0800 call <jmp.&mfc100u.#7911>
00455F15 >51 push ecx ;after the code length is checked, execution jumps here from above; push the fake serial number
00455F16 .8BCC mov ecx,esp
00455F18 .8965 F0 mov dword ptr ss:,esp
00455F1B .53 push ebx
00455F1C .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280 ;push the fake code onto the top of the stack
00455F22 .8365 FC 00 and dword ptr ss:,0x0
00455F26 .51 push ecx
00455F27 .8D86 9C000000 lea eax,dword ptr ds:
00455F2D .8BCC mov ecx,esp
00455F2F .8965 EC mov dword ptr ss:,esp
00455F32 .50 push eax
00455F33 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280 ;push the email onto the top of the stack
00455F39 .51 push ecx
00455F3A .8D86 98000000 lea eax,dword ptr ds:
00455F40 .8BCC mov ecx,esp
00455F42 .8965 E8 mov dword ptr ss:,esp
00455F45 .50 push eax
00455F46 .C645 FC 01 mov byte ptr ss:,0x1
00455F4A .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280 ;push Last Name onto the top of the stack
00455F50 .51 push ecx
00455F51 .8D86 94000000 lea eax,dword ptr ds:
00455F57 .8BCC mov ecx,esp
00455F59 .8965 E4 mov dword ptr ss:,esp
00455F5C .50 push eax
00455F5D .C645 FC 02 mov byte ptr ss:,0x2
00455F61 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280 ;push First Name onto the top of the stack
00455F67 .834D FC FF or dword ptr ss:,-0x1
00455F6B .8D8F 94030000 lea ecx,dword ptr ds:
00455F71 .E8 6D970400 call PDFill.0049F6E3 ;key call: returns 1 on successful registration, any other value means failure; we step in here
00455F76 .83F8 01 cmp eax,0x1
00455F79 .0F85 D3000000 jnz PDFill.00456052
00455F7F .51 push ecx
00455F80 .8BCC mov ecx,esp
00455F82 .8965 E4 mov dword ptr ss:,esp
00455F85 .53 push ebx
00455F86 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455F8C .51 push ecx
00455F8D .8D86 9C000000 lea eax,dword ptr ds:
00455F93 .8BCC mov ecx,esp
00455F95 .8965 E8 mov dword ptr ss:,esp
00455F98 .50 push eax
00455F99 .C745 FC 03000>mov dword ptr ss:,0x3
00455FA0 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455FA6 .51 push ecx
00455FA7 .8D86 98000000 lea eax,dword ptr ds:
00455FAD .8BCC mov ecx,esp
00455FAF .8965 EC mov dword ptr ss:,esp
00455FB2 .50 push eax
00455FB3 .C645 FC 04 mov byte ptr ss:,0x4
00455FB7 .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455FBD .51 push ecx
00455FBE .8D86 94000000 lea eax,dword ptr ds:
00455FC4 .8BCC mov ecx,esp
00455FC6 .8965 F0 mov dword ptr ss:,esp
00455FC9 .50 push eax
00455FCA .C645 FC 05 mov byte ptr ss:,0x5
00455FCE .FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
00455FD4 .834D FC FF or dword ptr ss:,-0x1
00455FD8 .8D8F 94030000 lea ecx,dword ptr ds:
00455FDE .E8 09920400 call PDFill.0049F1EC
00455FE3 .8D86 94000000 lea eax,dword ptr ds:
00455FE9 .50 push eax
00455FEA .8D8F 70030000 lea ecx,dword ptr ds:
00455FF0 .C787 80030000>mov dword ptr ds:,0x1
00455FFA .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456000 .8D86 98000000 lea eax,dword ptr ds:
00456006 .50 push eax
00456007 .8D8F 74030000 lea ecx,dword ptr ds:
0045600D .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456013 .8D86 9C000000 lea eax,dword ptr ds:
00456019 .50 push eax
0045601A .8D8F 78030000 lea ecx,dword ptr ds:
00456020 .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456026 .53 push ebx
00456027 .8D8F 7C030000 lea ecx,dword ptr ds:
0045602D .FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
00456033 .6A 40 push 0x40
00456035 .68 44654F00 push PDFill.004F6544 ;UNICODE "PlotSoft PDFill"
0045603A .68 C8D55000 push PDFill.0050D5C8 ;UNICODE "You have successfully registered your PDFill Licen"
0045603F .8BCE mov ecx,esi
00456041 .E8 188B0800 call <jmp.&mfc100u.#7911>
00456046 .8B06 mov eax,dword ptr ds: ;PDFill.0050CF5C
00456048 .8BCE mov ecx,esi
0045604A .FF90 84010000 call dword ptr ds:
00456050 .EB 13 jmp short PDFill.00456065
00456052 >6A 40 push 0x40
00456054 .68 44654F00 push PDFill.004F6544 ;UNICODE "PlotSoft PDFill"
00456059 .68 18D55000 push PDFill.0050D518 ;UNICODE "Your first name, last name, email or register code"
0045605E .8BCE mov ecx,esi
00456060 .E8 F98A0800 call <jmp.&mfc100u.#7911>
00456065 >E8 12980800 call PDFill.004DF87C
0045606A .C3 retn
The mfc100u.#7006 function:
57703C63 >8BFF mov edi,edi ; PDFill.00545910
57703C65 55 push ebp
57703C66 8BEC mov ebp,esp
57703C68 56 push esi
57703C69 8BF1 mov esi,ecx
57703C6B 837E 6C 00 cmp dword ptr ds:,0x0
57703C6F 75 2F jnz short mfc100u.57703CA0
57703C71 FF76 20 push dword ptr ds: ; get the edit box handle
57703C74 FF15 541A4C57 call dword ptr ds:[<&USER32.GetWindowTextLengthW>]; returns the text length of the edit box
57703C7A 8D48 01 lea ecx,dword ptr ds: ; text length plus one stored in ECX
57703C7D 51 push ecx ; push text length plus one
57703C7E 8B4D 08 mov ecx,dword ptr ss: ; email address stored in ecx
57703C81 50 push eax ; push text length (GetWindowText argument)
57703C82 E8 3FEFF6FF call mfc100u.#4519
57703C87 50 push eax ; buffer pointer
57703C88 FF76 20 push dword ptr ds: ; edit box handle
57703C8B FF15 D0184C57 call dword ptr ds:[<&USER32.GetWindowTextW>] ; copied 20 characters
57703C91 8B4D 08 mov ecx,dword ptr ss: ; email address passed in ECX
57703C94 6A FF push -0x1
57703C96 E8 96B3E7FF call mfc100u.#11494
57703C9B 5E pop esi
57703C9C 5D pop ebp
57703C9D C2 0400 retn 0x4
Stepping into the key call above brings us here:
0049F6E3/$6A 10 push 0x10
0049F6E5|.B8 17E44E00 mov eax,PDFill.004EE417
0049F6EA|.E8 EE000400 call PDFill.004DF7DD
0049F6EF|.8BF9 mov edi,ecx ;PDFill.00545CA4
0049F6F1|.68 A0A15100 push PDFill.0051A1A0 ;UNICODE "ARN@ARN.COM"
0049F6F6|.8D4D 10 lea ecx,
0049F6F9|.C745 FC 03000>mov ,0x3
0049F700|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F706|.85C0 test eax,eax
0049F708|.75 2F jnz short PDFill.0049F739
0049F70A|>8D4D 08 lea ecx,
0049F70D|>FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F713|.8D4D 0C lea ecx,
0049F716|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F71C|.8D4D 10 lea ecx,
0049F71F|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F725|.8D4D 14 lea ecx,
0049F728|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F72E|.6A FC push -0x4
0049F730|.58 pop eax ;PDFill.00455F76
0049F731|>E8 46010400 call PDFill.004DF87C
0049F736|.C2 1000 retn 0x10
0049F739|>68 6CA15100 push PDFill.0051A16C ;UNICODE "andrea_grogan@hotmail.com"
0049F73E|.8D4D 10 lea ecx,
0049F741|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F747|.85C0 test eax,eax
0049F749|.^ 74 BF je short PDFill.0049F70A
0049F74B|.68 40A15100 push PDFill.0051A140 ;UNICODE "jmmay@boothcreek.com"
0049F750|.8D4D 10 lea ecx,
0049F753|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F759|.85C0 test eax,eax
0049F75B|.^ 74 AD je short PDFill.0049F70A
0049F75D|.68 18A15100 push PDFill.0051A118 ;UNICODE "vutukurim@yahoo.com"
0049F762|.8D4D 10 lea ecx,
0049F765|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F76B|.85C0 test eax,eax
0049F76D|.^ 74 9B je short PDFill.0049F70A
0049F76F|.68 ECA05100 push PDFill.0051A0EC ;UNICODE "alec_ward@hotmail.com"
0049F774|.8D4D 10 lea ecx,
0049F777|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F77D|.85C0 test eax,eax
0049F77F|.^ 74 89 je short PDFill.0049F70A
0049F781|.68 C8A05100 push PDFill.0051A0C8 ;UNICODE "nebay66@yahoo.com"
0049F786|.8D4D 10 lea ecx,
0049F789|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F78F|.85C0 test eax,eax
0049F791|.^ 0F84 73FFFFFF je PDFill.0049F70A
0049F797|.68 A8A05100 push PDFill.0051A0A8 ;UNICODE "pml@labrier.com"
0049F79C|.8D4D 10 lea ecx,
0049F79F|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F7A5|.85C0 test eax,eax
0049F7A7|.^ 0F84 5DFFFFFF je PDFill.0049F70A
0049F7AD|.68 74A05100 push PDFill.0051A074 ;UNICODE "mrkhazai23@hotmail.co.uk"
0049F7B2|.8D4D 10 lea ecx,
0049F7B5|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F7BB|.85C0 test eax,eax
0049F7BD|.^ 0F84 47FFFFFF je PDFill.0049F70A
0049F7C3|.68 48A05100 push PDFill.0051A048 ;UNICODE "wonfinance@gmail.com"
0049F7C8|.8D4D 10 lea ecx,
0049F7CB|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F7D1|.85C0 test eax,eax
0049F7D3|.^ 0F84 31FFFFFF je PDFill.0049F70A
0049F7D9|.68 20A05100 push PDFill.0051A020 ;UNICODE "info@hetnonnetje.nl"
0049F7DE|.8D4D 10 lea ecx,
0049F7E1|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F7E7|.85C0 test eax,eax
0049F7E9|.^ 0F84 1BFFFFFF je PDFill.0049F70A
0049F7EF|.68 F89F5100 push PDFill.00519FF8 ;UNICODE "josh@eventbrite.com"
0049F7F4|.8D4D 10 lea ecx,
0049F7F7|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F7FD|.85C0 test eax,eax
0049F7FF|.^ 0F84 05FFFFFF je PDFill.0049F70A
0049F805|.68 C89F5100 push PDFill.00519FC8 ;UNICODE "terrencezenno@yahoo.com"
0049F80A|.8D4D 10 lea ecx,
0049F80D|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F813|.85C0 test eax,eax
0049F815|.^ 0F84 EFFEFFFF je PDFill.0049F70A
0049F81B|.BE 949F5100 mov esi,PDFill.00519F94 ;UNICODE "philosophy4135@yahoo.com"
0049F820|.56 push esi
0049F821|.8D4D 10 lea ecx,
0049F824|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F82A|.85C0 test eax,eax
0049F82C|.^ 0F84 D8FEFFFF je PDFill.0049F70A
0049F832|.68 6C9F5100 push PDFill.00519F6C ;UNICODE "ervin@intermetal.hu"
0049F837|.8D4D 10 lea ecx,
0049F83A|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F840|.85C0 test eax,eax
0049F842|.^ 0F84 C2FEFFFF je PDFill.0049F70A
0049F848|.68 489F5100 push PDFill.00519F48 ;UNICODE "maasre@yahoo.com"
0049F84D|.8D4D 10 lea ecx,
0049F850|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F856|.85C0 test eax,eax
0049F858|.^ 0F84 ACFEFFFF je PDFill.0049F70A
0049F85E|.68 289F5100 push PDFill.00519F28 ;UNICODE "soldat2@aol.com"
0049F863|.8D4D 10 lea ecx,
0049F866|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F86C|.85C0 test eax,eax
0049F86E|.^ 0F84 96FEFFFF je PDFill.0049F70A
0049F874|.68 049F5100 push PDFill.00519F04 ;UNICODE "alifar2@gmail.com"
0049F879|.8D4D 10 lea ecx,
0049F87C|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F882|.85C0 test eax,eax
0049F884|.^ 0F84 80FEFFFF je PDFill.0049F70A
0049F88A|.68 DC9E5100 push PDFill.00519EDC ;UNICODE "delder38@yahoo.com"
0049F88F|.8D4D 10 lea ecx,
0049F892|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F898|.85C0 test eax,eax
0049F89A|.^ 0F84 6AFEFFFF je PDFill.0049F70A
0049F8A0|.68 A09E5100 push PDFill.00519EA0 ;UNICODE "fax@energydevelopmentinc.com"
0049F8A5|.8D4D 10 lea ecx,
0049F8A8|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F8AE|.85C0 test eax,eax
0049F8B0|.^ 0F84 54FEFFFF je PDFill.0049F70A
0049F8B6|.68 7C9E5100 push PDFill.00519E7C ;UNICODE "rpd7610@yahoo.com"
0049F8BB|.8D4D 10 lea ecx,
0049F8BE|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F8C4|.85C0 test eax,eax
0049F8C6|.^ 0F84 3EFEFFFF je PDFill.0049F70A
0049F8CC|.68 5C9E5100 push PDFill.00519E5C ;UNICODE "jjoell@sown.org"
0049F8D1|.8D4D 10 lea ecx,
0049F8D4|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F8DA|.85C0 test eax,eax
0049F8DC|.^ 0F84 28FEFFFF je PDFill.0049F70A
0049F8E2|.68 309E5100 push PDFill.00519E30 ;UNICODE "simisworkshop@aol.com"
0049F8E7|.8D4D 10 lea ecx,
0049F8EA|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F8F0|.85C0 test eax,eax
0049F8F2|.^ 0F84 12FEFFFF je PDFill.0049F70A
0049F8F8|.68 0C9E5100 push PDFill.00519E0C ;UNICODE "artturas@mbnet.fi"
0049F8FD|.8D4D 10 lea ecx,
0049F900|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F906|.85C0 test eax,eax
0049F908|.^ 0F84 FCFDFFFF je PDFill.0049F70A
0049F90E|.68 D49D5100 push PDFill.00519DD4 ;UNICODE "Catherine@utahopenlands.org"
0049F913|.8D4D 10 lea ecx,
0049F916|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F91C|.85C0 test eax,eax
0049F91E|.^ 0F84 E6FDFFFF je PDFill.0049F70A
0049F924|.68 B09D5100 push PDFill.00519DB0 ;UNICODE "randoro@gmail.com"
0049F929|.8D4D 10 lea ecx,
0049F92C|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F932|.85C0 test eax,eax
0049F934|.^ 0F84 D0FDFFFF je PDFill.0049F70A
0049F93A|.68 909D5100 push PDFill.00519D90 ;UNICODE "azrdgk@msn.com"
0049F93F|.8D4D 10 lea ecx,
0049F942|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F948|.85C0 test eax,eax
0049F94A|.^ 0F84 BAFDFFFF je PDFill.0049F70A
0049F950|.68 5C9D5100 push PDFill.00519D5C ;UNICODE "ksim-ksam@windowslive.com"
0049F955|.8D4D 10 lea ecx,
0049F958|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F95E|.85C0 test eax,eax
0049F960|.^ 0F84 A4FDFFFF je PDFill.0049F70A
0049F966|.68 289D5100 push PDFill.00519D28 ;UNICODE "jimintheeastbay@yahoo.com"
0049F96B|.8D4D 10 lea ecx,
0049F96E|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F974|.85C0 test eax,eax
0049F976|.^ 0F84 8EFDFFFF je PDFill.0049F70A
0049F97C|.68 F49C5100 push PDFill.00519CF4 ;UNICODE "JOEMARKNORMAN@HOTMAIL.COM"
0049F981|.8D4D 10 lea ecx,
0049F984|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F98A|.85C0 test eax,eax
0049F98C|.^ 0F84 78FDFFFF je PDFill.0049F70A
0049F992|.56 push esi
0049F993|.8D4D 10 lea ecx,
0049F996|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F99C|.85C0 test eax,eax
0049F99E|.^ 0F84 66FDFFFF je PDFill.0049F70A
0049F9A4|.68 C89C5100 push PDFill.00519CC8 ;UNICODE "nataliemora@gmail.com"
0049F9A9|.8D4D 10 lea ecx,
0049F9AC|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F9B2|.85C0 test eax,eax
0049F9B4|.^ 0F84 50FDFFFF je PDFill.0049F70A
0049F9BA|.68 A49C5100 push PDFill.00519CA4 ;UNICODE "rwhalls@yahoo.com"
0049F9BF|.8D4D 10 lea ecx,
0049F9C2|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F9C8|.85C0 test eax,eax
0049F9CA|.^ 0F84 3AFDFFFF je PDFill.0049F70A
0049F9D0|.68 849C5100 push PDFill.00519C84 ;UNICODE "sylkc@yahoo.com"
0049F9D5|.8D4D 10 lea ecx,
0049F9D8|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F9DE|.85C0 test eax,eax
0049F9E0|.^ 0F84 24FDFFFF je PDFill.0049F70A
0049F9E6|.68 5C9C5100 push PDFill.00519C5C ;UNICODE "san_r2000@yahoo.com"
0049F9EB|.8D4D 10 lea ecx,
0049F9EE|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049F9F4|.85C0 test eax,eax
0049F9F6|.^ 0F84 0EFDFFFF je PDFill.0049F70A
0049F9FC|.68 2C9C5100 push PDFill.00519C2C ;UNICODE "ebyte_jersey@yahoo.com"
0049FA01|.8D4D 10 lea ecx,
0049FA04|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049FA0A|.85C0 test eax,eax
0049FA0C|.^ 0F84 F8FCFFFF je PDFill.0049F70A
0049FA12|.68 0C9C5100 push PDFill.00519C0C ;UNICODE "strap69@aol.com"
0049FA17|.8D4D 10 lea ecx,
0049FA1A|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049FA20|.85C0 test eax,eax
0049FA22|.^ 0F84 E2FCFFFF je PDFill.0049F70A
0049FA28|.68 D49B5100 push PDFill.00519BD4 ;UNICODE "David.Kaufman@neatcomm.com" ;the section above compares against a blacklist; I list the table below
0049FA2D|.8D4D 10 lea ecx,
0049FA30|.FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049FA36|.8D4D 08 lea ecx,
0049FA39|.85C0 test eax,eax
0049FA3B|.^ 0F84 CCFCFFFF je PDFill.0049F70D
0049FA41|.FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ;mfc100u.#7358
0049FA47|.84C0 test al,al
0049FA49|.74 2E je short PDFill.0049FA79
0049FA4B|.6A FC push -0x4
0049FA4D|>5E pop esi ;PDFill.00455F76
0049FA4E|>8D4D 08 lea ecx,
0049FA51|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049FA57|.8D4D 0C lea ecx,
0049FA5A|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049FA60|.8D4D 10 lea ecx,
0049FA63|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049FA69|.8D4D 14 lea ecx,
0049FA6C|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049FA72|.8BC6 mov eax,esi
0049FA74|.^ E9 B8FCFFFF jmp PDFill.0049F731
0049FA79|>8D4D 0C lea ecx,
0049FA7C|.FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ;mfc100u.#7358
0049FA82|.84C0 test al,al
0049FA84|.74 04 je short PDFill.0049FA8A
0049FA86|.6A FD push -0x3
0049FA88|.^ EB C3 jmp short PDFill.0049FA4D
0049FA8A|>8D4D 10 lea ecx,
0049FA8D|.FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ;mfc100u.#7358
0049FA93|.84C0 test al,al
0049FA95|.74 04 je short PDFill.0049FA9B
0049FA97|>6A FE push -0x2
0049FA99|.^ EB B2 jmp short PDFill.0049FA4D
0049FA9B|>6A 00 push 0x0
0049FA9D|.6A 40 push 0x40
0049FA9F|.8D4D 10 lea ecx,
0049FAA2|.FF15 1C624F00 call dword ptr ds:[<&mfc100u.#4150>] ;mfc100u.#4150 ;get the length of the part of the email before the @
0049FAA8|.8BF0 mov esi,eax
0049FAAA|.83FE 01 cmp esi,0x1
0049FAAD|.^ 7C E8 jl short PDFill.0049FA97 ;at least one character is required before the @, otherwise fail
0049FAAF|.8D4D 10 lea ecx,
0049FAB2|.FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230 ;get the full length of the email
0049FAB8|.48 dec eax
0049FAB9|.3BF0 cmp esi,eax
0049FABB|.^ 74 DA je short PDFill.0049FA97 ;also fails if nothing follows the @
0049FABD|.8D4D 14 lea ecx, ;store the serial number address in ECX
0049FAC0|.FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ;mfc100u.#7358
0049FAC6|.84C0 test al,al
0049FAC8|.74 08 je short PDFill.0049FAD2
0049FACA|>83CE FF or esi,-0x1
0049FACD|.^ E9 7CFFFFFF jmp PDFill.0049FA4E
0049FAD2|>8D4D 14 lea ecx,
0049FAD5|.FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230
0049FADB|.83F8 0C cmp eax,0xC
0049FADE|.^ 75 EA jnz short PDFill.0049FACA
0049FAE0|.51 push ecx ;PDFill.00545CA4
0049FAE1|.8D45 10 lea eax,
0049FAE4|.8BCC mov ecx,esp
0049FAE6|.8965 EC mov ,esp
0049FAE9|.50 push eax
0049FAEA|.FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
0049FAF0|.51 push ecx ;PDFill.00545CA4
0049FAF1|.8D45 0C lea eax,
0049FAF4|.8BCC mov ecx,esp
0049FAF6|.8965 E8 mov ,esp
0049FAF9|.50 push eax
0049FAFA|.C645 FC 04 mov byte ptr ss:,0x4
0049FAFE|.FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
0049FB04|.51 push ecx ;PDFill.00545CA4
0049FB05|.8D45 08 lea eax,
0049FB08|.8BCC mov ecx,esp
0049FB0A|.8965 E4 mov ,esp
0049FB0D|.50 push eax
0049FB0E|.C645 FC 05 mov byte ptr ss:,0x5
0049FB12|.FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ;mfc100u.#280
0049FB18|.8D45 F0 lea eax,
0049FB1B|.50 push eax
0049FB1C|.8BCF mov ecx,edi ;PDFill.00545910
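0049FB1E|.C645 FC 03 mov byte ptr ss:,0x3 ;the code above re-validates the email and user name and then pushes them all onto the top of the stack using mfc100u.#280; step into that function if you are interested
0049FB22|.E8 71F8FFFF call PDFill.0049F398 ;generates the serial number from the user name and email; key algorithm; step in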
0049FB27|.8D4D 14 lea ecx,
0049FB2A|.C645 FC 06 mov byte ptr ss:,0x6
0049FB2E|.FF15 94624F00 call dword ptr ds:[<&mfc100u.#1450>] ;mfc100u.#6237
0049FB34|.50 push eax
0049FB35|.8D4D F0 lea ecx,
0049FB38|.FF15 98624F00 call dword ptr ds:[<&mfc100u.#2614>] ;mfc100u.#2614 ;compares the real code with the fake code; if EAX returns 0, registration fails
0049FB3E|.8D4D F0 lea ecx,
0049FB41|.85C0 test eax,eax
0049FB43|.75 0E jnz short PDFill.0049FB53
0049FB45|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049FB4B|.33F6 xor esi,esi
0049FB4D|.46 inc esi
0049FB4E|.^ E9 FBFEFFFF jmp PDFill.0049FA4E
0049FB53|>FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049FB59|.33F6 xor esi,esi
0049FB5B\.^ E9 EEFEFFFF jmp PDFill.0049FA4E
0049FB60/$6A 04 push 0x4
0049FB62|.B8 DB264F00 mov eax,PDFill.004F26DB
0049FB67|.E8 71FC0300 call PDFill.004DF7DD
0049FB6C|.8BF1 mov esi,ecx ;PDFill.00545CA4
0049FB6E|.8B46 1C mov eax,dword ptr ds:
0049FB71|.33FF xor edi,edi ;PDFill.00545910
0049FB73|.897D FC mov ,edi ;PDFill.00545910
0049FB76|.8945 F0 mov ,eax
0049FB79|.3BC7 cmp eax,edi ;PDFill.00545910
0049FB7B|.7E 2B jle short PDFill.0049FBA8
0049FB7D|>85FF /test edi,edi ;PDFill.00545910
0049FB7F|.78 47 |js short PDFill.0049FBC8
0049FB81|.3B7E 1C |cmp edi,dword ptr ds:
0049FB84|.7D 42 |jge short PDFill.0049FBC8
0049FB86|.8B46 18 |mov eax,dword ptr ds:
0049FB89|.8B1CB8 |mov ebx,dword ptr ds:
0049FB8C|.8D4D 08 |lea ecx,
0049FB8F|.FF15 94624F00 |call dword ptr ds:[<&mfc100u.#1450>] ;mfc100u.#6237
0049FB95|.50 |push eax
0049FB96|.8BCB |mov ecx,ebx
0049FB98|.FF15 40624F00 |call dword ptr ds:[<&mfc100u.#2620>] ;mfc100u.#2620
0049FB9E|.85C0 |test eax,eax
0049FBA0|.74 19 |je short PDFill.0049FBBB
0049FBA2|.47 |inc edi ;PDFill.00545910
0049FBA3|.3B7D F0 |cmp edi,
0049FBA6|.^ 7C D5 \jl short PDFill.0049FB7D
0049FBA8|>8D4D 08 lea ecx,
0049FBAB|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049FBB1|.33C0 xor eax,eax
0049FBB3|>E8 C4FC0300 call PDFill.004DF87C
0049FBB8|.C2 0400 retn 0x4
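Below are the blacklisted email addresses (typed by hand with the Wubi input method, so there may be mistakes; follow them in the dump window yourself. Anyone who thinks these accounts are registration codes can try entering them):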
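Stepping into the key algorithm call above brings us here:
Strictly speaking, everything written above is filler (but please don't equate it with padding the thread, or I'll get penalized); only this piece of code is the real serial-computation function. Everything before it is validation. Because posting takes a lot of time, there are many statements I did not explain clearly and only keep in my head; even if I had the will and the energy, the layout of this post would not allow it. I'm no good at formatting to begin with, and a few more rounds of it would make this post unreadable. So please bear with me! All right, I will explain this part in detail.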
0049F398/$6A 18 push 0x18
0049F39A|.B8 5AE34E00 mov eax,PDFill.004EE35A
0049F39F|.E8 39040400 call PDFill.004DF7DD
0049F3A4|.33DB xor ebx,ebx
0049F3A6|.895D E4 mov ,ebx
0049F3A9|.33F6 xor esi,esi
0049F3AB|.46 inc esi
0049F3AC|.8975 FC mov ,esi
0049F3AF|.8D4D F0 lea ecx,
0049F3B2|.33FF xor edi,edi ;PDFill.00545CA4 ;zero EDI to use it as the accumulator
0049F3B4|.FF15 54624F00 call dword ptr ds:[<&mfc100u.#296>] ;mfc100u.#316
0049F3BA|.8D4D E8 lea ecx,
0049F3BD|.FF15 54624F00 call dword ptr ds:[<&mfc100u.#296>] ;mfc100u.#316
0049F3C3|.8B4D 08 mov ecx,
0049F3C6|.C645 FC 05 mov byte ptr ss:,0x5
0049F3CA|.FF15 54624F00 call dword ptr ds:[<&mfc100u.#296>] ;mfc100u.#316
0049F3D0|.8975 E4 mov ,esi
0049F3D3|>85DB /test ebx,ebx ;EBX is a counter
0049F3D5|.75 13 |jnz short PDFill.0049F3EA
0049F3D7|.8D4D 0C |lea ecx,
0049F3DA|.FF15 9C5A4F00 |call dword ptr ds:[<&mfc100u.#7871>] ;mfc100u.#7871
0049F3E0|.50 |push eax
0049F3E1|.8D4D F0 |lea ecx,
0049F3E4|.FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
0049F3EA|>3BDE |cmp ebx,esi
0049F3EC|.75 13 |jnz short PDFill.0049F401
0049F3EE|.8D4D 10 |lea ecx,
0049F3F1|.FF15 9C5A4F00 |call dword ptr ds:[<&mfc100u.#7871>] ;mfc100u.#7871
0049F3F7|.50 |push eax
0049F3F8|.8D4D F0 |lea ecx,
0049F3FB|.FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
0049F401|>83FB 02 |cmp ebx,0x2
0049F404|.75 13 |jnz short PDFill.0049F419
0049F406|.8D4D 14 |lea ecx,
0049F409|.FF15 9C5A4F00 |call dword ptr ds:[<&mfc100u.#7871>] ;mfc100u.#7871
0049F40F|.50 |push eax
0049F410|.8D4D F0 |lea ecx,
0049F413|.FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
0049F419|>8365 EC 00 |and ,0x0
0049F41D|.8D4D F0 |lea ecx,
0049F420|.FF15 8C624F00 |call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230
0049F426|.85C0 |test eax,eax
0049F428|.7E 30 |jle short PDFill.0049F45A
0049F42A|>FF75 EC |/push dword ptr ss:[ebp-0x14]
0049F42D|.8D4D F0 ||lea ecx,dword ptr ss:[ebp-0x10]
0049F430|.FF15 28624F00 ||call dword ptr ds:[<&mfc100u.#4478>] ;mfc100u.#4478
0049F436|.0FB6C8 ||movzx ecx,al
0049F439|.8B45 EC ||mov eax,dword ptr ss:[ebp-0x14]
0049F43C|.8D4C01 08 ||lea ecx,dword ptr ds:[ecx+eax+0x8]
0049F440|.8D50 09 ||lea edx,dword ptr ds:[eax+0x9]
0049F443|.0FAFCA ||imul ecx,edx
0049F446|.03F9 ||add edi,ecx ;PDFill.00545CA4
0049F448|.40 ||inc eax
0049F449|.8D4D F0 ||lea ecx,dword ptr ss:[ebp-0x10]
0049F44C|.8945 EC ||mov dword ptr ss:[ebp-0x14],eax
0049F44F|.FF15 8C624F00 ||call dword ptr ds:[<&mfc100u.#5229>] ;mfc100u.#5230
0049F455|.3945 EC ||cmp dword ptr ss:[ebp-0x14],eax
0049F458|.^ 7C D0 |\jl short PDFill.0049F42A
0049F45A|>8D87 E1100000 |lea eax,dword ptr ds:[edi+0x10E1]
0049F460|.50 |push eax
0049F461|.8D45 E8 |lea eax,dword ptr ss:[ebp-0x18]
0049F464|.68 A8664F00 |push PDFill.004F66A8 ;UNICODE "%d"
0049F469|.50 |push eax
0049F46A|.FF15 20624F00 |call dword ptr ds:[<&mfc100u.#4290>] ;mfc100u.#4290
0049F470|.83C4 0C |add esp,0xC
0049F473|.6A 04 |push 0x4
0049F475|.8D45 DC |lea eax,dword ptr ss:[ebp-0x24]
0049F478|.50 |push eax
0049F479|.8D4D E8 |lea ecx,dword ptr ss:[ebp-0x18]
0049F47C|.FF15 E8614F00 |call dword ptr ds:[<&mfc100u.#11838>] ;mfc100u.#11838
0049F482|.50 |push eax
0049F483|.FF75 08 |push dword ptr ss:[ebp+0x8]
0049F486|.8D45 E0 |lea eax,dword ptr ss:[ebp-0x20]
0049F489|.50 |push eax
0049F48A|.C645 FC 06 |mov byte ptr ss:[ebp-0x4],0x6
0049F48E|.E8 5D1FF6FF |call PDFill.004013F0
0049F493|.83C4 0C |add esp,0xC
0049F496|.8B4D 08 |mov ecx,dword ptr ss:[ebp+0x8]
0049F499|.50 |push eax
0049F49A|.C645 FC 07 |mov byte ptr ss:[ebp-0x4],0x7
0049F49E|.FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ;mfc100u.#1310
0049F4A4|.8D4D E0 |lea ecx,dword ptr ss:[ebp-0x20]
0049F4A7|.FF15 9C624F00 |call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F4AD|.8D4D DC |lea ecx,dword ptr ss:[ebp-0x24]
0049F4B0|.C645 FC 05 |mov byte ptr ss:[ebp-0x4],0x5
0049F4B4|.FF15 9C624F00 |call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F4BA|.43 |inc ebx
0049F4BB|.83FB 03 |cmp ebx,0x3
0049F4BE|.^ 0F8C 0FFFFFFF \jl PDFill.0049F3D3
0049F4C4|.8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0049F4C7|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F4CD|.8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
0049F4D0|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F4D6|.8D4D 0C lea ecx,dword ptr ss:[ebp+0xC]
0049F4D9|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F4DF|.8D4D 10 lea ecx,dword ptr ss:[ebp+0x10]
0049F4E2|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F4E8|.8D4D 14 lea ecx,dword ptr ss:[ebp+0x14]
0049F4EB|.FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ;mfc100u.#14057
0049F4F1|.8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0049F4F4|.E8 83030400 call PDFill.004DF87C
0049F4F9\.C2 1000 retn 0x10
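If I explained everything in the manner above, readers with less hands-on experience would be lost, so below we switch to a different approach. Because this calculation code is one big loop, I will first experiment with the First Name "Ashe", with live screenshots starting from the accumulator EDI:
At this point EDI has been cleared. Single-stepping further down we see another counter. Beginners, please remember these two counters; once you are practiced you will naturally know how to tell that something is a counter.
Further down, the uppercase letters in Ashe are converted to lowercase; if you are curious you can step in and see the function wcslwr_s:
lea ecx,dword ptr ss: ; put the address of "Ashe" into ECX
call dword ptr ds:[<&mfc100u.#7871>] ; convert all uppercase letters to lowercase (wcslwr_s)
Next comes the essence of the algorithm, which accounts for ninety-something percent of the whole serial-calculation routine:
I do not know how to lay out this small piece of assembly. If you do not understand it there is no need to complain, because if you follow along hands-on while reading, everything becomes simple! Anyone who really cannot follow can leave a comment.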
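The whole serial-calculation flow for the First Name is:
counter -> ss:
"Ashe" -> "ashe"
The ASCII code of the first letter, a, is 0x61
Then apply the formulas:
1. ASCII code of the name character + 8 + counter => ECX
So ECX = 0x61 + 0x8 + 0x0 = 0x69
2. counter + 9 => EDX
So EDX = 0x0 + 0x9 = 0x9
3. ECX * EDX + EDI => EDI
So EDI = 0x69 * 0x9 = 0x3B1
Having done a, let us work out s by hand as well and then verify the result.
At this point the counter is 1
ECX = 0x73 + 0x8 + 0x1 = 0x7C
EDX = 0x1 + 0x9 = 0xA
EDI = 0x889
Then work out h and e, adding each result into EDI; the final result I got is 0x12AF. Running to that point in OD with F4 shows the result is correct.
Then add a fixed number, 0x10E1, to the final value computed from the First Name, that is, the value in EDI: 0x12AF + 0x10E1 = 0x2390
Then, dear readers, use a calculator to convert 0x2390 to decimal, which gives 9104; this is the serial number derived from the First Name.
Because 9104 does not exceed 4 digits, it is not truncated.
The same method gives 15484 (decimal) as the serial number generated from the Last Name. This time the length exceeds 4, so four digits are taken counting from the end, giving 5484
Likewise, the email generates 57375, truncated to 7375. The truncation uses a wide-character substring function, which you can take a look at; the whole program uses UNICODE encoding rather than DBCS
So the final serial number is: 910454847375
Generating from the email works the same way; special characters such as @ and "." must also be converted to their ASCII codes before calculating!!!
This is just a simple program. As you can probably guess, a serial number of only 12 digits has to be generated from a Last Name, a First Name and an Email, so the form of the serial number is easy to imagine.
With the algorithm this clear, I trust writing a keygen is no trouble either. This is my first post, so there are bound to be many shortcomings; please bear with me. For writing a keygen I recommend the assembly keygen template shared by H大大; you can search for it.
This post is purely for entertainment; please do not use it for illegal activities.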
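Keep it up, OP. Analysis, discussion and exchange are welcome. Although I did not understand it 0.0 OP wrote this in great detail, keep it up. Looks like this could come in handy. Thanks, OP. Worth studying, thanks for sharing; your sharing is the ladder on which we newbies climb···· Learned a little.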