在安装目录下我们找到ImeXXX.exe,运行后可以看到有软件注册的地方。可以知道软件的注册需要软件序列号和注册码,但是注册码不能输入,所以猜想程序先判断软件的序列号,序列号满足一定的条件后才能输入注册码。我们先查壳:ASProtect 2.1x SKE -> Alexey Solodovnikov,真搞不懂,为什么很多软件都用这个壳,幸亏有VolX大侠写的Script,轻松脱壳,再用ImportREC修复IAT,虽然还有两个无效的输入表函数,不用理他,直接修复转存的文件,可以运行。
本来想用Ultra String Reference Plugin V0.12查找有用的字符,真让人失望,一个也没有。真是奇怪,好像很多加壳的程序脱壳后用Ultra String Reference Plugin V0.12都没办法查找到有用的字符,但od原来的那个就可以。找是找到了很多,但是好像没有我们想要的字符。而且你输入错误的序列号时,程序不会弹出对话框,只是在注册码旁边显示了一个X。迷茫中选择了查找所有模块间的调用,由于不知对程序下什么断好,直接在每一个命令都下断点(为了更快来到我们想要的断点,我们在设断之前应该进入软件注册的界面)。点击程序界面,程序中断,F2取消断点,F9运行,程序中断,F2取消断点,循环几次后我们输入序列号,又是程序中断,F2取消断点,F9运行,程序中断,F2取消断点,循环几次我们点击确定按钮。很快我们来到0040AC00:
; --- Serial-number FORMAT check (routine entry is 0040ABF0, called from 0040C0D4; the prologue before 0040AC00 is not in this dump) ---
; In:  esi = serial text typed by the user, edi = lstrlenA, eax -> ebp (loop bound; where eax comes from is outside this excerpt)
; Out: eax = 1 when the serial is exactly 24 chars of the form NWBE-dddd-dddd-dddd-dddd (d = decimal digit), else 0
; Note: this only checks the SHAPE of the serial; the 4 check digits are verified separately in 0040ACC0.
;       The length is pinned to 0x18 before any indexed read, and indices above 0x17 fall into the default case
;       (no read), so the per-position reads stay inside the string.
0040AC00 |. 56 push esi ; /String = "HYUYUYTUTYUTYUYTUTYUYTUYTUU67" -- esi = serial text (the test input typed at the time)
0040AC01 |. 8BE8 mov ebp, eax ; | ebp = eax, used below as the loop bound (presumably also the length -- confirm)
0040AC03 |. FFD7 call edi ; \lstrlenA -> eax = strlen(serial)
0040AC05 |. 83F8 18 cmp eax, 18 ; serial must be exactly 0x18 = 24 characters (the original note said 20; the switch below covers positions 0..0x17 = 24, matching NWBE-XXXX-XXXX-XXXX-XXXX)
0040AC08 |. 74 06 je short 0040AC10 ; length OK -> go check each position
0040AC0A |. 5F pop edi
0040AC0B |. 5E pop esi
0040AC0C |. 33C0 xor eax, eax ; wrong length -> return 0
0040AC0E |. 5D pop ebp
0040AC0F |. C3 retn
0040AC10 |> 33FF xor edi, edi ; edi = character index, starts at 0
0040AC12 |. 53 push ebx
0040AC13 |. 85ED test ebp, ebp
0040AC15 |. B8 01000000 mov eax, 1 ; default result = 1 (accepted)
0040AC1A |. 76 67 jbe short 0040AC83 ; ebp == 0 -> nothing to check, return 1 (CF is 0 after test, so jbe == je here)
0040AC1C |. 8B1D B0C24100 mov ebx, dword ptr [<&user32.IsCha>; USER32.IsCharAlphaNumericA -- kept in ebx for the indirect call below
0040AC22 |> 83FF 17 /cmp edi, 17 ; Switch (cases 0..17) -- jump-table dispatch on the character index
0040AC25 |. 77 53 |ja short 0040AC7A ; index > 0x17 -> default case: no check for this position
0040AC27 |. 33C9 |xor ecx, ecx
0040AC29 |. 8A8F A0AC4000 |mov cl, byte ptr [edi+40ACA0] ; cl = case number for this index (byte table at 40ACA0)
0040AC2F |. FF248D 88AC40>|jmp dword ptr [ecx*4+40AC88] ; dispatch through the handler table at 40AC88
0040AC36 |> 803E 4E |cmp byte ptr [esi], 4E ; Case 0 of switch 0040AC22
0040AC39 |. 75 46 |jnz short 0040AC81 ; position 1 must be 'N' (0x4E)
0040AC3B |. EB 38 |jmp short 0040AC75
0040AC3D |> 807E 01 57 |cmp byte ptr [esi+1], 57 ; Case 1 of switch 0040AC22
0040AC41 |. 75 3E |jnz short 0040AC81 ; position 2 must be 'W' (0x57)
0040AC43 |. EB 30 |jmp short 0040AC75
0040AC45 |> 807E 02 42 |cmp byte ptr [esi+2], 42 ; Case 2 of switch 0040AC22
0040AC49 |. 75 36 |jnz short 0040AC81 ; position 3 must be 'B' (0x42)
0040AC4B |. EB 28 |jmp short 0040AC75
0040AC4D |> 807E 03 45 |cmp byte ptr [esi+3], 45 ; Case 3 of switch 0040AC22
0040AC51 |. 75 2E |jnz short 0040AC81 ; position 4 must be 'E' (0x45)
0040AC53 |. EB 20 |jmp short 0040AC75
0040AC55 |> 803C37 2D |cmp byte ptr [edi+esi], 2D ; Cases 4,9,E,13 of switch 0040AC22 -- 0-based indices 4,9,14,19
0040AC59 |. 75 26 |jnz short 0040AC81 ; positions 5,10,15,20 (1-based) must be '-' (0x2D)
0040AC5B |. EB 18 |jmp short 0040AC75
0040AC5D |> 8A1437 |mov dl, byte ptr [edi+esi] ; Cases 5,6,7,8,A,B,C,D,F,10,11,12,14,15,16,17 of switch 0040AC22 -- the 16 data positions; dl = serial[edi]
0040AC60 |. 52 |push edx
0040AC61 |. FFD3 |call ebx ; IsCharAlphaNumericA(dl)
0040AC63 |. 85C0 |test eax, eax
0040AC65 |. 74 1A |je short 0040AC81 ; not alphanumeric -> reject
0040AC67 |. 8A0437 |mov al, byte ptr [edi+esi]
0040AC6A |. 50 |push eax ; /Char
0040AC6B |. FF15 B4C24100 |call dword ptr [<&user32.IsCharAlp>; \IsCharAlphaA
0040AC71 |. 85C0 |test eax, eax
0040AC73 |. 75 0C |jnz short 0040AC81 ; a letter -> reject; alphanumeric but not alpha means the position must be a digit
0040AC75 |> B8 01000000 |mov eax, 1 ; this position passed; eax = 1 is what gets returned once the loop runs out
0040AC7A |> 47 |inc edi ; Default case of switch 0040AC22 -- advance to the next position
0040AC7B |. 3BFD |cmp edi, ebp
0040AC7D |. 73 04 |jnb short 0040AC83 ; edi >= ebp -> all positions checked, return eax (1)
0040AC7F |.^ EB A1 \jmp short 0040AC22
0040AC81 |> 33C0 xor eax, eax ; some position failed -> return 0
0040AC83 |> 5B pop ebx
0040AC84 |. 5F pop edi
0040AC85 |. 5E pop esi
0040AC86 |. 5D pop ebp
0040AC87 \. C3 retn
通过上面的分析我们可以知道序列号的格式是:NWBE-XXXX-XXXX-XXXX-XXXX(共24位:前4位固定为NWBE,第5、10、15、20位是"-",其余16位必须是数字——即 IsCharAlphaNumericA 为真且 IsCharAlphaA 为假),我们输入NWBE-1111-1111-1111-1111,取消所有断点,并在0040AC00下断。这时可以输入注册码了,我们输入1111-1111-1111-1111-1111,点击确定。程序中断,在0040AC87行按F4,F8返回到0040C0D9。
; --- Caller: the three registration checks in sequence (enclosing routine starts before and ends after this excerpt) ---
; Each check returns a flag in eax; a 0 from any of them jumps to the common failure path at 0040C432.
0040C0CF > \68 FC824400 push 004482FC ; ASCII "NWBE-1111-1111-1111-1111" -- the serial we typed
0040C0D4 . E8 17EBFFFF call 0040ABF0 ; check 1: serial FORMAT (the routine dumped above starting at 0040AC00)
0040C0D9 . 83C4 04 add esp, 4
0040C0DC . 85C0 test eax, eax
0040C0DE . 0F84 4E030000 je 0040C432 ; format wrong -> fail
0040C0E4 . 68 FC824400 push 004482FC ; ASCII "NWBE-1111-1111-1111-1111"
0040C0E9 . E8 D2EBFFFF call 0040ACC0 ; check 2: serial check digits -- step into this one
0040C0EE . 83C4 04 add esp, 4
0040C0F1 . 85C0 test eax, eax
0040C0F3 . 0F84 39030000 je 0040C432 ; check digits wrong -> fail; next comes the registration code we typed
0040C0F9 . 68 C8834400 push 004483C8 ; ASCII "1111-1111-1111-1111-1111"
0040C0FE . E8 BDEEFFFF call 0040AFC0 ; check 3: registration-code check digits -- step into this one
0040C103 . 83C4 04 add esp, 4
0040C106 . 85C0 test eax, eax
0040C108 . 0F84 24030000 je 0040C432 ; all three flags are single eax values tested here; once this branch is not taken the checks are passed (the post notes hidden traps elsewhere, so this is not necessarily the last check)
0040C10E . 8A15 BC884400 mov dl, byte ptr [4488BC]
跟进call 0040ACC0:有两处调用0040B3F1, 0040C0E9,两处都下断点。
; --- Serial-number check-digit verification (called from 0040B3F1 and 0040C0E9) ---
; In:  [esp+4] = serial string (already format-checked: 24 chars NWBE-dddd-dddd-dddd-dddd)
; Out: eax = 1 when the last 4 characters equal the 4 check characters computed from the first 20, else 0
; Locals (offsets as seen after the 4 pushes): [esp+168] = first 20 chars, each computed check char is appended to it;
;   [esp+1CC] = the user's last 4 chars; [esp+A0], [esp+104], [esp+3C] = per-round scratch for the helper calls;
;   [esp+12..13] = 1-char string for lstrcatA; [esp+2C..3B] = 4 per-position match flags.
; The helpers 00417860 / 00414700 / 00401000 / 00401220 / 004011E0 are not in this dump. Whatever they compute, round i
;   is fed the prefix buffer (prefix + check chars 0..i-1) with the hard-coded literal "3738505823" appended, so the
;   check characters chain and presumably a keygen would have to reimplement these helpers.
; Everything is client-side: the caller only tests the eax flag (je 0040C432 on 0).
0040ACC0 /$ 81EC A0020000 sub esp, 2A0
0040ACC6 |. 8A15 BC884400 mov dl, byte ptr [4488BC] ; dl = byte at 4488BC, stored as byte 0 of every local buffer below (presumably a NUL initializer -- confirm)
0040ACCC |. 53 push ebx
0040ACCD |. 55 push ebp
0040ACCE |. 56 push esi
0040ACCF |. 57 push edi
0040ACD0 |. B9 18000000 mov ecx, 18 ; zero-fill bytes 1..99 of each 100-byte buffer (0x18 dwords + word + byte)
0040ACD5 |. 33C0 xor eax, eax
0040ACD7 |. 8DBC24 A10000>lea edi, dword ptr [esp+A1]
0040ACDE |. 889424 A00000>mov byte ptr [esp+A0], dl
0040ACE5 |. 889424 040100>mov byte ptr [esp+104], dl
0040ACEC |. F3:AB rep stos dword ptr es:[edi]
0040ACEE |. 66:AB stos word ptr es:[edi]
0040ACF0 |. AA stos byte ptr es:[edi]
0040ACF1 |. B9 18000000 mov ecx, 18
0040ACF6 |. 33C0 xor eax, eax
0040ACF8 |. 8DBC24 050100>lea edi, dword ptr [esp+105]
0040ACFF |. 885424 3C mov byte ptr [esp+3C], dl
0040AD03 |. F3:AB rep stos dword ptr es:[edi]
0040AD05 |. 66:AB stos word ptr es:[edi]
0040AD07 |. AA stos byte ptr es:[edi]
0040AD08 |. B9 18000000 mov ecx, 18
0040AD0D |. 33C0 xor eax, eax
0040AD0F |. 8D7C24 3D lea edi, dword ptr [esp+3D]
0040AD13 |. 889424 680100>mov byte ptr [esp+168], dl
0040AD1A |. F3:AB rep stos dword ptr es:[edi]
0040AD1C |. 66:AB stos word ptr es:[edi]
0040AD1E |. AA stos byte ptr es:[edi]
0040AD1F |. B9 18000000 mov ecx, 18
0040AD24 |. 33C0 xor eax, eax
0040AD26 |. 8DBC24 690100>lea edi, dword ptr [esp+169]
0040AD2D |. 889424 CC0100>mov byte ptr [esp+1CC], dl
0040AD34 |. F3:AB rep stos dword ptr es:[edi]
0040AD36 |. 66:AB stos word ptr es:[edi]
0040AD38 |. AA stos byte ptr es:[edi]
0040AD39 |. B9 18000000 mov ecx, 18
0040AD3E |. 33C0 xor eax, eax
0040AD40 |. 8DBC24 CD0100>lea edi, dword ptr [esp+1CD]
0040AD47 |. 8BB424 B40200>mov esi, dword ptr [esp+2B4] ; esi = serial string argument
0040AD4E |. F3:AB rep stos dword ptr es:[edi]
0040AD50 |. 66:AB stos word ptr es:[edi]
0040AD52 |. AA stos byte ptr es:[edi]
0040AD53 |. 8B3D 20C14100 mov edi, dword ptr [<&kernel32>; KERNEL32.lstrcpynA
0040AD59 |. 885424 14 mov byte ptr [esp+14], dl
0040AD5D |. 33C0 xor eax, eax
0040AD5F |. 885424 20 mov byte ptr [esp+20], dl
0040AD63 |. 33C9 xor ecx, ecx
0040AD65 |. 6A 15 push 15 ; /n = 15 (21.) -- copy at most 20 chars + NUL: the prefix "NWBE-dddd-dddd-dddd-"
0040AD67 |. 8D9424 6C0100>lea edx, dword ptr [esp+16C] ; | destination = prefix buffer ([esp+168] before the push)
0040AD6E |. 33DB xor ebx, ebx ; | ebx = 0 for the rest of the routine
0040AD70 |. 894424 19 mov dword ptr [esp+19], eax ; |
0040AD74 |. 894C24 25 mov dword ptr [esp+25], ecx ; |
0040AD78 |. 56 push esi ; |String2 = serial
0040AD79 |. 52 push edx ; |String1 = prefix buffer
0040AD7A |. 895C24 38 mov dword ptr [esp+38], ebx ; | clear the 4 match flags ([esp+2C..3B] before the pushes)
0040AD7E |. 895C24 3C mov dword ptr [esp+3C], ebx ; |
0040AD82 |. 895C24 40 mov dword ptr [esp+40], ebx ; |
0040AD86 |. 895C24 44 mov dword ptr [esp+44], ebx ; |
0040AD8A |. 894424 25 mov dword ptr [esp+25], eax ; |
0040AD8E |. 894C24 31 mov dword ptr [esp+31], ecx ; |
0040AD92 |. FFD7 call edi ; \lstrcpynA
0040AD94 |. 83C6 14 add esi, 14 ; esi -> the last 4 characters of the serial
0040AD97 |. 6A 05 push 5 ; /n = 5 -- copy those 4 chars + NUL
0040AD99 |. 8D8424 D00100>lea eax, dword ptr [esp+1D0] ; | destination = [esp+1CC] before the push
0040ADA0 |. 56 push esi ; |String2
0040ADA1 |. 50 push eax ; |String1
0040ADA2 |. FFD7 call edi ; \lstrcpynA
0040ADA4 |. 8A0D BC884400 mov cl, byte ptr [4488BC]
0040ADAA |. 8B2D D8C04100 mov ebp, dword ptr [<&kernel32>; KERNEL32.lstrcatA
0040ADB0 |. 884C24 12 mov byte ptr [esp+12], cl ; [esp+12] = computed check char slot
0040ADB4 |. 885C24 13 mov byte ptr [esp+13], bl ; [esp+13] = 0 terminator, so [esp+12] is a 1-char string for lstrcatA
0040ADB8 |. 33F6 xor esi, esi ; esi = round / check-char index 0..3
0040ADBA |> B9 19000000 /mov ecx, 19 ; per round: clear the three 100-byte scratch buffers
0040ADBF |. 33C0 |xor eax, eax
0040ADC1 |. 8DBC24 040100>|lea edi, dword ptr [esp+104]
0040ADC8 |. 8D9424 680100>|lea edx, dword ptr [esp+168] ; edx -> prefix buffer (grows by one check char each round)
0040ADCF |. F3:AB |rep stos dword ptr es:[edi]
0040ADD1 |. B9 19000000 |mov ecx, 19
0040ADD6 |. 8D7C24 3C |lea edi, dword ptr [esp+3C]
0040ADDA |. F3:AB |rep stos dword ptr es:[edi]
0040ADDC |. B9 19000000 |mov ecx, 19
0040ADE1 |. 8DBC24 A00000>|lea edi, dword ptr [esp+A0]
0040ADE8 |. F3:AB |rep stos dword ptr es:[edi]
0040ADEA |. 8D8424 A00000>|lea eax, dword ptr [esp+A0]
0040ADF1 |. 52 |push edx ; /String2 = prefix buffer
0040ADF2 |. 50 |push eax ; |String1 = [esp+A0]
0040ADF3 |. FF15 C0C04100 |call dword ptr [<&kernel32.lst>; \lstrcpyA -- [esp+A0] = prefix
0040ADF9 |. 8D8C24 A00000>|lea ecx, dword ptr [esp+A0]
0040AE00 |. 68 60834400 |push 00448360 ; ASCII "3738505823" -- hard-coded constant baked into the binary; it is appended to the prefix before hashing
0040AE05 |. 51 |push ecx
0040AE06 |. FFD5 |call ebp ; lstrcatA([esp+A0], "3738505823")
0040AE08 |. 8D9424 040100>|lea edx, dword ptr [esp+104]
0040AE0F |. 8D8424 A00000>|lea eax, dword ptr [esp+A0]
0040AE16 |. 52 |push edx
0040AE17 |. 50 |push eax
0040AE18 |. E8 43CA0000 |call 00417860 ; unknown helper 00417860(in=[esp+A0], out=[esp+104]); its output is measured with lstrlenA next, so presumably a string transform -- confirm
0040AE1D |. 83C4 08 |add esp, 8
0040AE20 |. 8D4C24 3C |lea ecx, dword ptr [esp+3C]
0040AE24 |. 8D9424 040100>|lea edx, dword ptr [esp+104]
0040AE2B |. 51 |push ecx ; out = [esp+3C]
0040AE2C |. 52 |push edx ; /String
0040AE2D |. FF15 DCC04100 |call dword ptr [<&kernel32.lst>; \lstrlenA
0040AE33 |. 50 |push eax ; len
0040AE34 |. 8D8424 0C0100>|lea eax, dword ptr [esp+10C] ; = [esp+104] before the two pushes
0040AE3B |. 50 |push eax
0040AE3C |. E8 BF980000 |call 00414700 ; unknown helper 00414700(src=[esp+104], len, dst=[esp+3C]); writes at least the 8 bytes inspected below
0040AE41 |. 83C4 0C |add esp, 0C
0040AE44 |. 33C0 |xor eax, eax
0040AE46 |> 385C04 3C |/cmp byte ptr [esp+eax+3C], b> ; for i in 0..7: any NUL byte in the first 8 result bytes
0040AE4A |. 75 05 ||jnz short 0040AE51
0040AE4C |. C64404 3C 41 ||mov byte ptr [esp+eax+3C], 4> ; is replaced by 'A' (0x41), so the 8 bytes survive as a C string
0040AE51 |> 40 ||inc eax
0040AE52 |. 83F8 08 ||cmp eax, 8
0040AE55 |.^ 7C EF |\jl short 0040AE46
0040AE57 |. 33C9 |xor ecx, ecx
0040AE59 |. 33D2 |xor edx, edx
0040AE5B |. 894C24 14 |mov dword ptr [esp+14], ecx ; zero the two small work areas at [esp+14] and [esp+20]
0040AE5F |. 895424 20 |mov dword ptr [esp+20], edx
0040AE63 |. 894C24 18 |mov dword ptr [esp+18], ecx
0040AE67 |. 8D4424 3C |lea eax, dword ptr [esp+3C]
0040AE6B |. 884C24 1C |mov byte ptr [esp+1C], cl
0040AE6F |. 6A 09 |push 9 ; /n = 9 -- copy those 8 bytes + NUL
0040AE71 |. 8D4C24 18 |lea ecx, dword ptr [esp+18] ; | = [esp+14] before the push
0040AE75 |. 895424 28 |mov dword ptr [esp+28], edx ; |
0040AE79 |. 50 |push eax ; |String2 = [esp+3C]
0040AE7A |. 51 |push ecx ; |String1 = [esp+14]
0040AE7B |. 885424 34 |mov byte ptr [esp+34], dl ; |
0040AE7F |. FF15 20C14100 |call dword ptr [<&kernel32.lst>; \lstrcpynA
0040AE85 |. 8D5424 14 |lea edx, dword ptr [esp+14]
0040AE89 |. 53 |push ebx ; 0
0040AE8A |. 52 |push edx
0040AE8B |. E8 7061FFFF |call 00401000 ; unknown helper 00401000([esp+14], 0); note the pushed args are NOT popped until the add esp,1C below, so the lea offsets that follow are shifted by the pushes
0040AE90 |. 8D4424 28 |lea eax, dword ptr [esp+28]
0040AE94 |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
0040AE98 |. 50 |push eax
0040AE99 |. 51 |push ecx
0040AE9A |. E8 8163FFFF |call 00401220 ; unknown helper 00401220([esp+14], [esp+20])
0040AE9F |. 8D5424 30 |lea edx, dword ptr [esp+30]
0040AEA3 |. 53 |push ebx
0040AEA4 |. 52 |push edx
0040AEA5 |. E8 5661FFFF |call 00401000 ; unknown helper 00401000([esp+20], 0)
0040AEAA |. 8D8424 480200>|lea eax, dword ptr [esp+248]
0040AEB1 |. 50 |push eax
0040AEB2 |. E8 2963FFFF |call 004011E0 ; unknown helper 004011E0(result area) -- leaves the dword array read next
0040AEB7 |. 8B84B4 4C0200>|mov eax, dword ptr [esp+esi*4> ; eax = dword esi of that result array (offset truncated in the dump)
0040AEBE |. 33D2 |xor edx, edx
0040AEC0 |. B9 39000000 |mov ecx, 39
0040AEC5 |. 83C4 1C |add esp, 1C ; pop the 7 dwords pushed for the four helper calls
0040AEC8 |. F7F1 |div ecx ; r = eax mod 57 (unsigned)
0040AECA |. 8BC2 |mov eax, edx
0040AECC |. 83F8 30 |cmp eax, 30
0040AECF |. 73 0D |jnb short 0040AEDE ; r in 0x30..0x38 already is ASCII '0'..'8': keep it
0040AED1 |. 33D2 |xor edx, edx
0040AED3 |. B9 0A000000 |mov ecx, 0A
0040AED8 |. F7F1 |div ecx
0040AEDA |. 8BC2 |mov eax, edx
0040AEDC |. 04 30 |add al, 30 ; otherwise r mod 10 + '0' -- either way the check char is always a decimal digit
0040AEDE |> 884424 12 |mov byte ptr [esp+12], al ; [esp+12] = computed check char for position esi
0040AEE2 |. 8D5424 12 |lea edx, dword ptr [esp+12]
0040AEE6 |. 8D8424 680100>|lea eax, dword ptr [esp+168]
0040AEED |. 52 |push edx
0040AEEE |. 50 |push eax
0040AEEF |. FFD5 |call ebp ; lstrcatA(prefix buffer, check char): the CORRECT serial is being built up in [esp+168], and the next round hashes this longer prefix
0040AEF1 |. 8A4C24 12 |mov cl, byte ptr [esp+12] ; cl = computed (correct) check char
0040AEF5 |. 8A8434 CC0100>|mov al, byte ptr [esp+esi+1CC> ; al = the user's char esi of the last 4; the original note "correct code visible here" refers to cl / [esp+12], not al
0040AEFC |. 3AC8 |cmp cl, al
0040AEFE |. 75 0A |jnz short 0040AF0A
0040AF00 |. C744B4 2C 010>|mov dword ptr [esp+esi*4+2C],> ; flag[esi] = 1 on match
0040AF08 |. EB 04 |jmp short 0040AF0E
0040AF0A |> 895CB4 2C |mov dword ptr [esp+esi*4+2C],> ; flag[esi] = 0 (ebx) on mismatch -- no early exit, all 4 rounds run
0040AF0E |> 46 |inc esi
0040AF0F |. 83FE 04 |cmp esi, 4
0040AF12 |.^ 0F8C A2FEFFFF \jl 0040ADBA
0040AF18 |. 33C0 xor eax, eax
0040AF1A |. 8D4C24 2C lea ecx, dword ptr [esp+2C] ; all four flags must be nonzero
0040AF1E |> 3919 /cmp dword ptr [ecx], ebx
0040AF20 |. 74 19 |je short 0040AF3B ; any 0 flag -> return 0
0040AF22 |. 40 |inc eax
0040AF23 |. 83C1 04 |add ecx, 4
0040AF26 |. 83F8 04 |cmp eax, 4
0040AF29 |.^ 7C F3 \jl short 0040AF1E
0040AF2B |. 5F pop edi
0040AF2C |. 5E pop esi
0040AF2D |. 5D pop ebp
0040AF2E |. B8 01000000 mov eax, 1 ; all 4 check chars matched -> return 1
0040AF33 |. 5B pop ebx
0040AF34 |. 81C4 A0020000 add esp, 2A0
0040AF3A |. C3 retn
0040AF3B |> 5F pop edi
0040AF3C |. 5E pop esi
0040AF3D |. 5D pop ebp
0040AF3E |. 33C0 xor eax, eax ; mismatch -> return 0
0040AF40 |. 5B pop ebx
0040AF41 |. 81C4 A0020000 add esp, 2A0
0040AF47 \. C3 retn
跟进call 0040AFC0:有两处调用0040B53B, 0040C0FE,两处都下断点。
; --- Registration-code check-digit verification (called from 0040B53B and 0040C0FE) ---
; In:  [esp+4] = registration code string (24 chars as typed: dddd-dddd-dddd-dddd-dddd)
; Out: eax = 1 when the last 4 characters equal the 4 check characters computed from the first 20, else 0
; Same structure as 0040ACC0 with two visible differences: the prefix buffer is [esp+104] and the user's last
;   4 chars are at [esp+168]; and NO "3738505823" literal is appended before calling 00417860 here.
; Locals (offsets as seen after the 4 pushes): [esp+104] = first 20 chars + check chars appended each round;
;   [esp+168] = user's last 4 chars; [esp+A0], [esp+3C] = per-round scratch; [esp+12..13] = 1-char string;
;   [esp+2C..3B] = 4 per-position match flags. The helpers are not in this dump (see 0040ACC0).
0040AFC0 /$ 81EC 3C020000 sub esp, 23C
0040AFC6 |. 8A15 BC884400 mov dl, byte ptr [4488BC] ; dl = byte at 4488BC (presumably a NUL initializer -- confirm)
0040AFCC |. 53 push ebx
0040AFCD |. 55 push ebp
0040AFCE |. 56 push esi
0040AFCF |. 57 push edi
0040AFD0 |. B9 18000000 mov ecx, 18 ; zero-fill bytes 1..99 of each 100-byte buffer
0040AFD5 |. 33C0 xor eax, eax
0040AFD7 |. 8DBC24 A10000>lea edi, dword ptr [esp+A1]
0040AFDE |. 889424 A00000>mov byte ptr [esp+A0], dl
0040AFE5 |. 885424 3C mov byte ptr [esp+3C], dl
0040AFE9 |. F3:AB rep stos dword ptr es:[edi]
0040AFEB |. 66:AB stos word ptr es:[edi]
0040AFED |. AA stos byte ptr es:[edi]
0040AFEE |. B9 18000000 mov ecx, 18
0040AFF3 |. 33C0 xor eax, eax
0040AFF5 |. 8D7C24 3D lea edi, dword ptr [esp+3D]
0040AFF9 |. 889424 040100>mov byte ptr [esp+104], dl
0040B000 |. F3:AB rep stos dword ptr es:[edi]
0040B002 |. 66:AB stos word ptr es:[edi]
0040B004 |. AA stos byte ptr es:[edi]
0040B005 |. B9 18000000 mov ecx, 18
0040B00A |. 33C0 xor eax, eax
0040B00C |. 8DBC24 050100>lea edi, dword ptr [esp+105]
0040B013 |. 889424 680100>mov byte ptr [esp+168], dl
0040B01A |. F3:AB rep stos dword ptr es:[edi]
0040B01C |. 66:AB stos word ptr es:[edi]
0040B01E |. AA stos byte ptr es:[edi]
0040B01F |. B9 18000000 mov ecx, 18
0040B024 |. 33C0 xor eax, eax
0040B026 |. 8DBC24 690100>lea edi, dword ptr [esp+169]
0040B02D |. 8BB424 500200>mov esi, dword ptr [esp+250] ; esi = registration code argument
0040B034 |. F3:AB rep stos dword ptr es:[edi]
0040B036 |. 66:AB stos word ptr es:[edi]
0040B038 |. 8B2D 20C14100 mov ebp, dword ptr [<&kernel32>; KERNEL32.lstrcpynA
0040B03E |. 885424 14 mov byte ptr [esp+14], dl
0040B042 |. AA stos byte ptr es:[edi]
0040B043 |. 33C0 xor eax, eax
0040B045 |. 885424 20 mov byte ptr [esp+20], dl
0040B049 |. 33C9 xor ecx, ecx
0040B04B |. 6A 15 push 15 ; /n = 15 (21.) -- copy at most 20 chars + NUL: the first 20 chars of the code
0040B04D |. 8D9424 080100>lea edx, dword ptr [esp+108] ; | destination = prefix buffer ([esp+104] before the push)
0040B054 |. 33DB xor ebx, ebx ; | ebx = 0 for the rest of the routine
0040B056 |. 894424 19 mov dword ptr [esp+19], eax ; |
0040B05A |. 894C24 25 mov dword ptr [esp+25], ecx ; |
0040B05E |. 56 push esi ; |String2 = registration code
0040B05F |. 52 push edx ; |String1 = prefix buffer
0040B060 |. 895C24 38 mov dword ptr [esp+38], ebx ; | clear the 4 match flags
0040B064 |. 895C24 3C mov dword ptr [esp+3C], ebx ; |
0040B068 |. 895C24 40 mov dword ptr [esp+40], ebx ; |
0040B06C |. 895C24 44 mov dword ptr [esp+44], ebx ; |
0040B070 |. 894424 25 mov dword ptr [esp+25], eax ; |
0040B074 |. 894C24 31 mov dword ptr [esp+31], ecx ; |
0040B078 |. FFD5 call ebp ; \lstrcpynA
0040B07A |. 83C6 14 add esi, 14 ; esi -> the last 4 characters of the code
0040B07D |. 6A 05 push 5 ; /n = 5 -- copy those 4 chars + NUL
0040B07F |. 8D8424 6C0100>lea eax, dword ptr [esp+16C] ; | destination = [esp+168] before the push
0040B086 |. 56 push esi ; |String2
0040B087 |. 50 push eax ; |String1
0040B088 |. FFD5 call ebp ; \lstrcpynA
0040B08A |. 8A0D BC884400 mov cl, byte ptr [4488BC]
0040B090 |. 885C24 13 mov byte ptr [esp+13], bl ; [esp+13] = 0 terminator, so [esp+12] is a 1-char string for lstrcatA
0040B094 |. 884C24 12 mov byte ptr [esp+12], cl ; [esp+12] = computed check char slot
0040B098 |. 33F6 xor esi, esi ; esi = round / check-char index 0..3
0040B09A |> B9 19000000 /mov ecx, 19 ; per round: clear the two 100-byte scratch buffers
0040B09F |. 33C0 |xor eax, eax
0040B0A1 |. 8DBC24 A00000>|lea edi, dword ptr [esp+A0]
0040B0A8 |. 8D9424 A00000>|lea edx, dword ptr [esp+A0] ; edx -> cleared output buffer
0040B0AF |. F3:AB |rep stos dword ptr es:[edi]
0040B0B1 |. B9 19000000 |mov ecx, 19
0040B0B6 |. 8D7C24 3C |lea edi, dword ptr [esp+3C]
0040B0BA |. F3:AB |rep stos dword ptr es:[edi]
0040B0BC |. 8D8424 040100>|lea eax, dword ptr [esp+104] ; eax -> prefix buffer (grows by one check char each round); no salt literal is appended in this routine
0040B0C3 |. 52 |push edx
0040B0C4 |. 50 |push eax
0040B0C5 |. E8 96C70000 |call 00417860 ; unknown helper 00417860(in=[esp+104], out=[esp+A0]); output measured with lstrlenA next -- confirm semantics
0040B0CA |. 83C4 08 |add esp, 8
0040B0CD |. 8D4C24 3C |lea ecx, dword ptr [esp+3C]
0040B0D1 |. 8D9424 A00000>|lea edx, dword ptr [esp+A0]
0040B0D8 |. 51 |push ecx ; out = [esp+3C]
0040B0D9 |. 52 |push edx ; /String
0040B0DA |. FF15 DCC04100 |call dword ptr [<&kernel32.lst>; \lstrlenA
0040B0E0 |. 50 |push eax ; len
0040B0E1 |. 8D8424 A80000>|lea eax, dword ptr [esp+A8] ; = [esp+A0] before the two pushes
0040B0E8 |. 50 |push eax
0040B0E9 |. E8 12960000 |call 00414700 ; unknown helper 00414700(src=[esp+A0], len, dst=[esp+3C]); writes at least the 8 bytes inspected below
0040B0EE |. 83C4 0C |add esp, 0C
0040B0F1 |. 33C0 |xor eax, eax
0040B0F3 |> 385C04 3C |/cmp byte ptr [esp+eax+3C], b> ; for i in 0..7: any NUL byte in the first 8 result bytes
0040B0F7 |. 75 05 ||jnz short 0040B0FE
0040B0F9 |. C64404 3C 41 ||mov byte ptr [esp+eax+3C], 4> ; is replaced by 'A' (0x41) so the 8 bytes survive as a C string
0040B0FE |> 40 ||inc eax
0040B0FF |. 83F8 08 ||cmp eax, 8
0040B102 |.^ 7C EF |\jl short 0040B0F3
0040B104 |. 33C9 |xor ecx, ecx
0040B106 |. 33D2 |xor edx, edx
0040B108 |. 894C24 14 |mov dword ptr [esp+14], ecx ; zero the two small work areas at [esp+14] and [esp+20]
0040B10C |. 895424 20 |mov dword ptr [esp+20], edx
0040B110 |. 894C24 18 |mov dword ptr [esp+18], ecx
0040B114 |. 8D4424 3C |lea eax, dword ptr [esp+3C]
0040B118 |. 884C24 1C |mov byte ptr [esp+1C], cl
0040B11C |. 6A 09 |push 9 ; n = 9 -- copy those 8 bytes + NUL
0040B11E |. 8D4C24 18 |lea ecx, dword ptr [esp+18] ; = [esp+14] before the push
0040B122 |. 895424 28 |mov dword ptr [esp+28], edx
0040B126 |. 50 |push eax ; String2 = [esp+3C]
0040B127 |. 51 |push ecx ; String1 = [esp+14]
0040B128 |. 885424 34 |mov byte ptr [esp+34], dl
0040B12C |. FFD5 |call ebp ; lstrcpynA
0040B12E |. 8D5424 14 |lea edx, dword ptr [esp+14]
0040B132 |. 53 |push ebx ; 0
0040B133 |. 52 |push edx
0040B134 |. E8 C75EFFFF |call 00401000 ; unknown helper 00401000([esp+14], 0); args stay pushed until the add esp,1C below, so following lea offsets are shifted
0040B139 |. 8D4424 28 |lea eax, dword ptr [esp+28]
0040B13D |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
0040B141 |. 50 |push eax
0040B142 |. 51 |push ecx
0040B143 |. E8 D860FFFF |call 00401220 ; unknown helper 00401220([esp+14], [esp+20])
0040B148 |. 8D5424 30 |lea edx, dword ptr [esp+30]
0040B14C |. 53 |push ebx
0040B14D |. 52 |push edx
0040B14E |. E8 AD5EFFFF |call 00401000 ; unknown helper 00401000([esp+20], 0)
0040B153 |. 8D8424 E40100>|lea eax, dword ptr [esp+1E4]
0040B15A |. 50 |push eax
0040B15B |. E8 8060FFFF |call 004011E0 ; unknown helper 004011E0(result area) -- leaves the dword array read next
0040B160 |. 8B84B4 E80100>|mov eax, dword ptr [esp+esi*4> ; eax = dword esi of that result array (offset truncated in the dump)
0040B167 |. 33D2 |xor edx, edx
0040B169 |. B9 39000000 |mov ecx, 39
0040B16E |. 83C4 1C |add esp, 1C ; pop the 7 dwords pushed for the four helper calls
0040B171 |. F7F1 |div ecx ; r = eax mod 57 (unsigned)
0040B173 |. 8BC2 |mov eax, edx
0040B175 |. 83F8 30 |cmp eax, 30
0040B178 |. 73 0D |jnb short 0040B187 ; r in 0x30..0x38 already is ASCII '0'..'8': keep it
0040B17A |. 33D2 |xor edx, edx
0040B17C |. B9 0A000000 |mov ecx, 0A
0040B181 |. F7F1 |div ecx
0040B183 |. 8BC2 |mov eax, edx
0040B185 |. 04 30 |add al, 30 ; otherwise r mod 10 + '0' -- the check char is always a decimal digit
0040B187 |> 884424 12 |mov byte ptr [esp+12], al ; [esp+12] = computed check char for position esi
0040B18B |. 8D5424 12 |lea edx, dword ptr [esp+12]
0040B18F |. 8D8424 040100>|lea eax, dword ptr [esp+104]
0040B196 |. 52 |push edx ; /StringToAdd = check char
0040B197 |. 50 |push eax ; |ConcatString = prefix buffer
0040B198 |. FF15 D8C04100 |call dword ptr [<&kernel32.lst>; \lstrcatA -- the CORRECT registration code is built up in [esp+104]; the next round hashes this longer prefix
0040B19E |. 8A4C24 12 |mov cl, byte ptr [esp+12] ; cl = computed (correct) check char
0040B1A2 |. 8A8434 680100>|mov al, byte ptr [esp+esi+168> ; al = the user's char esi of the last 4; the original note "correct code visible here" refers to cl / [esp+12], not al
0040B1A9 |. 3AC8 |cmp cl, al
0040B1AB |. 75 0A |jnz short 0040B1B7
0040B1AD |. C744B4 2C 010>|mov dword ptr [esp+esi*4+2C],> ; flag[esi] = 1 on match
0040B1B5 |. EB 04 |jmp short 0040B1BB
0040B1B7 |> 895CB4 2C |mov dword ptr [esp+esi*4+2C],> ; flag[esi] = 0 (ebx) on mismatch -- no early exit, all 4 rounds run
0040B1BB |> 46 |inc esi
0040B1BC |. 83FE 04 |cmp esi, 4
0040B1BF |.^ 0F8C D5FEFFFF \jl 0040B09A
0040B1C5 |. 33C0 xor eax, eax
0040B1C7 |. 8D4C24 2C lea ecx, dword ptr [esp+2C] ; all four flags must be nonzero
0040B1CB |> 3919 /cmp dword ptr [ecx], ebx
0040B1CD |. 74 19 |je short 0040B1E8 ; any 0 flag -> return 0
0040B1CF |. 40 |inc eax
0040B1D0 |. 83C1 04 |add ecx, 4
0040B1D3 |. 83F8 04 |cmp eax, 4
0040B1D6 |.^ 7C F3 \jl short 0040B1CB
0040B1D8 |. 5F pop edi
0040B1D9 |. 5E pop esi
0040B1DA |. 5D pop ebp
0040B1DB |. B8 01000000 mov eax, 1 ; all 4 check chars matched -> return 1
0040B1E0 |. 5B pop ebx
0040B1E1 |. 81C4 3C020000 add esp, 23C
0040B1E7 |. C3 retn
0040B1E8 |> 5F pop edi
0040B1E9 |. 5E pop esi
0040B1EA |. 5D pop ebp
0040B1EB |. 33C0 xor eax, eax ; mismatch -> return 0
0040B1ED |. 5B pop ebx
0040B1EE |. 81C4 3C020000 add esp, 23C
0040B1F4 \. C3 retn
正确的序列号:NWBE-1111-1111-1111-2672
正确的注册码:1111-1111-1111-1111-3597
把正确的注册码跟序列号都输进去,注册成功。
程序有暗桩,有兴趣的朋友可以去跟跟。还有,好像没办法制作注册机:从上面的流程看,序列号和注册码最后4位校验字符都是由前20位(序列号还先拼接了固定字符串"3738505823")经 call 00417860、00414700 以及 00401000/00401220/004011E0 这几个子程序运算后得到的,而且每一位校验字符算出后会先追加到前缀再算下一位;要写注册机必须先把这几个子程序分析清楚。