先查壳,DELPHI的程序。OD载入,用DELPHI的按钮事件脚本跑一下,找出所有的按钮事件。然后先禁止所有断点。SHIFT+F9让程序跑起来。
跑起来后,把所有断点激活。再点注册按钮。停下来了,F7一下,来到这里进行如下分析。
; ---------------------------------------------------------------------------
; AutoShut.004A96EC — registration-code check (OllyDbg listing, Delphi binary,
; Delphi register calling convention: eax = first arg, edx = second arg).
; In:  eax = object pointer, kept in esi; the routine reads [esi+4] (string
;            compared against the computed hash) and writes [esi+8] (result byte)
;      edx = user-supplied registration code (AnsiString), stored at [ebp-4]
; Out: eax = ebx; ebx is zeroed at 004A9717 and set to 1 only on the success
;      path (004A97F2), so eax = 1 means "accepted". [esi+8] mirrors that value.
; The helper identifications (3-string concat, MD5, uppercase, string compare)
; are the author's debugger observations, not visible in this listing; the
; hash constant at 004A978C was read from memory at runtime.
; ---------------------------------------------------------------------------
004A96EC /$ 55 push ebp
004A96ED |. 8BEC mov ebp,esp
004A96EF |. 33C9 xor ecx,ecx
004A96F1 |. 51 push ecx ; reserve and zero 8 dword locals ([ebp-20]..[ebp-4]), all used as string temps
004A96F2 |. 51 push ecx
004A96F3 |. 51 push ecx
004A96F4 |. 51 push ecx
004A96F5 |. 51 push ecx
004A96F6 |. 51 push ecx
004A96F7 |. 51 push ecx
004A96F8 |. 51 push ecx
004A96F9 |. 53 push ebx
004A96FA |. 56 push esi
004A96FB |. 57 push edi
004A96FC |. 8955 FC mov dword ptr ss:[ebp-4],edx ; [ebp-4] = registration code entered by the user
004A96FF |. 8BF0 mov esi,eax ; esi = object whose [esi+4]/[esi+8] are used below
004A9701 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004A9704 |. E8 5BAEF5FF call AutoShut.00404564 ; NOTE(review): called on the code string; likely the RTL string add-ref — unconfirmed
004A9709 |. 33C0 xor eax,eax
004A970B |. 55 push ebp
004A970C |. 68 0F984A00 push AutoShut.004A980F ; exception frame: handler/finally stub at 004A980F
004A9711 |. 64:FF30 push dword ptr fs:[eax] ; link into the fs:[0] SEH chain
004A9714 |. 64:8920 mov dword ptr fs:[eax],esp
004A9717 |. 33DB xor ebx,ebx ; ebx = return value, defaults to 0 (fail)
004A9719 |. 68 28984A00 push AutoShut.004A9828 ; I1ls  — leftmost operand of the OUTER concat; stays on the stack until 004A975E
004A971E |. 68 38984A00 push AutoShut.004A9838 ; g1    — inner concat operand 1
004A9723 |. FF75 FC push dword ptr ss:[ebp-4] ; inner concat operand 2 = code
004A9726 |. 68 28984A00 push AutoShut.004A9828 ; I1ls  — inner concat operand 3
004A972B |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C] ; eax = &result1
004A972E |. BA 03000000 mov edx,3 ; 3 operands
004A9733 |. E8 FCACF5FF call AutoShut.00404434 ; 3-string concat (per author); operands taken in push/source order
004A9738 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; result1 = "g1" + code + "I1ls" (confirm by dumping [ebp-1C] here)
004A973B |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004A973E |. E8 1937FCFF call AutoShut.0046CE5C ; result2 = MD5(result1) as hex string (per author)
004A9743 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004A9746 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
004A9749 |. E8 66EBF5FF call AutoShut.004082B4 ; result3 = UpperCase(result2) (per author)
004A974E |. FF75 EC push dword ptr ss:[ebp-14] ; outer concat operand 2 = result3
004A9751 |. 68 38984A00 push AutoShut.004A9838 ; g1    — outer concat operand 3
004A9756 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; eax = &result4
004A9759 |. BA 03000000 mov edx,3 ; 3 operands: "I1ls" (pushed at 004A9719), result3, "g1"
004A975E |. E8 D1ACF5FF call AutoShut.00404434
004A9763 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; result4 = "I1ls" + result3 + "g1" (original comment wrongly said result1/code)
004A9766 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004A9769 |. E8 EE36FCFF call AutoShut.0046CE5C ; result5 = MD5(result4)
004A976E |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004A9771 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004A9774 |. E8 3BEBF5FF call AutoShut.004082B4 ; result6 = UpperCase(result5)
004A9779 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; empty result6? (Delphi empty AnsiString is a nil pointer)
004A977D |. 75 06 jnz short AutoShut.004A9785
004A977F |. C646 08 00 mov byte ptr ds:[esi+8],0 ; empty hash -> not registered
004A9783 |. EB 6F jmp short AutoShut.004A97F4
004A9785 |> 8BC6 mov eax,esi
004A9787 |. E8 60FEFFFF call AutoShut.004A95EC ; helper on the object, not analysed here (may set up [esi+4])
004A978C |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; result6 vs. [esi+4]; author observed [esi+4] = "A5A33B0AB9644E84A4614841E2FF924D"
004A978F |. 8B56 04 mov edx,dword ptr ds:[esi+4]
004A9792 |. E8 29ADF5FF call AutoShut.004044C0 ; string compare; ZF=1 when equal
004A9797 |. 75 04 jnz short AutoShut.004A979D
004A9799 |. B0 01 mov al,1 ; al = (result6 == [esi+4])
004A979B |. EB 02 jmp short AutoShut.004A979F
004A979D |> 33C0 xor eax,eax
004A979F |> 84C0 test al,al
004A97A1 |. 75 06 jnz short AutoShut.004A97A9 ; the single gate: the whole check reduces to this conditional jump
004A97A3 |. C646 08 00 mov byte ptr ds:[esi+8],0 ; mismatch -> not registered
004A97A7 |. EB 4B jmp short AutoShut.004A97F4
004A97A9 |> B2 01 mov dl,1 ; success path; dl=1 + VMT in eax resembles Delphi object construction — confirm
004A97AB |. A1 B8664100 mov eax,dword ptr ds:[4166B8]
004A97B0 |. E8 7F9BF5FF call AutoShut.00403334
004A97B5 |. 8BF8 mov edi,eax ; edi = new object
004A97B7 |. BA 44984A00 mov edx,AutoShut.004A9844 ; 0
004A97BC |. 8BC7 mov eax,edi
004A97BE |. 8B08 mov ecx,dword ptr ds:[eax]
004A97C0 |. FF51 2C call dword ptr ds:[ecx+2C] ; virtual method +2C with the string "0"
004A97C3 |. A1 38DE4A00 mov eax,dword ptr ds:[4ADE38]
004A97C8 |. 8B00 mov eax,dword ptr ds:[eax]
004A97CA |. 8B90 E8030000 mov edx,dword ptr ds:[eax+3E8] ; field +3E8 of a global object (presumably a directory string — verify)
004A97D0 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004A97D3 |. B9 50984A00 mov ecx,AutoShut.004A9850 ; msisnet.dll
004A97D8 |. E8 E3ABF5FF call AutoShut.004043C0 ; [ebp-20] = <field+3E8> + "msisnet.dll" (2-string concat — confirm order)
004A97DD |. 8B55 E0 mov edx,dword ptr ss:[ebp-20]
004A97E0 |. 8BC7 mov eax,edi
004A97E2 |. 8B08 mov ecx,dword ptr ds:[eax]
004A97E4 |. FF51 74 call dword ptr ds:[ecx+74] ; virtual method +74 with that name; likely persists the registration state — watch this call to confirm
004A97E7 |. 8BC7 mov eax,edi
004A97E9 |. E8 769BF5FF call AutoShut.00403364 ; release the temporary object
004A97EE |. C646 08 01 mov byte ptr ds:[esi+8],1 ; registered
004A97F2 |. B3 01 mov bl,1 ; return value = 1
004A97F4 |> 33C0 xor eax,eax ; common exit: unlink the exception frame
004A97F6 |. 5A pop edx
004A97F7 |. 59 pop ecx
004A97F8 |. 59 pop ecx
004A97F9 |. 64:8910 mov dword ptr fs:[eax],edx
004A97FC |. 68 16984A00 push AutoShut.004A9816 ; continuation after the finally block
004A9801 |> 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004A9804 |. BA 08000000 mov edx,8
004A9809 |. E8 CAA8F5FF call AutoShut.004040D8 ; finally: release the 8 string locals starting at [ebp-20]
004A980E \. C3 retn ; "returns" to 004A9816
004A980F .^ E9 A4A2F5FF jmp AutoShut.00403AB8 ; exception handler entry
004A9814 .^ EB EB jmp short AutoShut.004A9801
004A9816 . 8BC3 mov eax,ebx ; eax = 1 on success, 0 otherwise
004A9818 . 5F pop edi
004A9819 . 5E pop esi
004A981A . 5B pop ebx
004A981B . 8BE5 mov esp,ebp
004A981D . 5D pop ebp
004A981E . C3 retn
总结一下:
如果 转大写(MD5("I1ls" + 转大写(MD5("g1" + 假码 + "I1ls")) + "g1")) = "A5A33B0AB9644E84A4614841E2FF924D" 就注册成功(字符串拼接顺序按 Delphi 三串拼接的压栈顺序推出,可在 004A9738 和 004A9763 处查看 [ebp-1C]、[ebp-10] 的内容核对;常量取自运行时 [esi+4] 的内容)。
不过要注意:MD5 并不是一对一的(它把任意长度的输入映射到 128 位,碰撞必然存在),但它具备抗原像性——从 "A5A33B0AB9644E84A4614841E2FF924D" 反推出能通过校验的注册码在计算上不可行,现有的 MD5 碰撞攻击对这里也没有帮助,因为需要的是原像而不是碰撞。
所以从算法本身无法算出注册码,正确的注册码只有作者自己知道。从保护强度看,这种"固定字符串 + 输入做两次哈希,再与写死的常量比较"的方案并不牢靠:全部用户共用同一个注册码,且整个校验最终只取决于 004A97A1 处那一个条件跳转和 [esi+4] 里那个常量,二者都在程序自身掌控之外(任何能修改程序文件的人都能改动)。