This post was last edited by aikuimail on 2015-11-17 20:34
Example: PDFill PDF Editor
Official site: www.pdfill.com
Platform: Windows 7 SP1 (32-bit), Windows XP (YlmF edition)
Goal: reverse the registration algorithm of a free-trial program called "pdfill" listed on CNET
Tool: 52pojie OD (OllyDbg)
You can go to the official site and find the download link in the Download sidebar; I have also uploaded a copy here: http://pan.baidu.com/s/1gdAX8T9 password: 2b8b
I have been on 52pojie for more than half a year now; I joined the community back when registration was open, and over this half year I have kept learning and gotten a lot out of it. I cannot speak for others, everyone has their own interests and goals; for me, what I want is to dissect a program's exact algorithm in detail, rather than being keen on patching it or brute-force cracking. Every approach can be used to improve yourself, so let's all keep at it!
First, here is the workflow I use when analyzing an algorithm:
(1) After setting the breakpoint, go to the key jump and analyze how the return value of the key CALL affects that jump
(2) Single-step (F8) from the breakpoint, noting every suspicious string that shows up on the stack or in the registers
(3) Focus on the key CALL and work out the complete algorithm
OK, first download and open the software; the interface looks like this
Choose Help -> Enter Registration Code and enter a name, email and fake code; you can use your own, I used the following:
First Name: Ashe
Last Name: Green
Email Addr: aikuimail@52pojie.cn (a made-up email :)
Serial Num: 123456789
It says the registration code must be 12 characters, so I changed the fake code to 123456789123
Checking the packer: it is written in VC:
Now step one: open the program in OD and run it, enter the information we prepared, click OK and an error dialog pops up
Don't rush to click OK; go to OD and press the pause button, look at the call stack, then set a breakpoint at the start of the function. I won't explain this in detail, since nobody reading this post is a complete beginner and saying more would look like padding; the technique used here is the pause method. Now I'll paste the code. This is my first post, so please forgive any misaligned columns!
[Asm]
00455E5F . 6A 10 push 0x10
00455E61 . B8 4A954E00 mov eax,PDFill.004E954A
00455E66 . E8 72990800 call PDFill.004DF7DD
00455E6B . 8BF1 mov esi,ecx ; mfc100u.57670DBC
00455E6D . E8 C2890800 call <jmp.&mfc100u.#1934>
00455E72 . 8B78 04 mov edi,dword ptr ds:[eax+0x4]
00455E75 . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94]
00455E7B . 50 push eax
00455E7C . 8D8E A8000000 lea ecx,dword ptr ds:[esi+0xA8]
00455E82 . E8 EB8D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "Ashe"
00455E87 . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98]
00455E8D . 50 push eax
00455E8E . 8D8E 1C010000 lea ecx,dword ptr ds:[esi+0x11C]
00455E94 . E8 D98D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "Green"
00455E99 . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C]
00455E9F . 50 push eax
00455EA0 . 8D8E 90010000 lea ecx,dword ptr ds:[esi+0x190]
00455EA6 . E8 C78D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "aikuimail@52pojie.cn"
00455EAB . 8D9E A0000000 lea ebx,dword ptr ds:[esi+0xA0]
00455EB1 . 53 push ebx
00455EB2 . 8D8E 04020000 lea ecx,dword ptr ds:[esi+0x204]
00455EB8 . E8 B58D0800 call <jmp.&mfc100u.#7006> //ECX UNICODE "123456789123"
00455EBD . 8D8E 94000000 lea ecx,dword ptr ds:[esi+0x94]
00455EC3 . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208
00455EC9 . 8D8E 98000000 lea ecx,dword ptr ds:[esi+0x98]
00455ECF . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208
00455ED5 . 8D8E 9C000000 lea ecx,dword ptr ds:[esi+0x9C]
00455EDB . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208
00455EE1 . 8BCB mov ecx,ebx
00455EE3 . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208
00455EE9 . 8BCB mov ecx,ebx
00455EEB . FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230
00455EF1 . 83F8 0C cmp eax,0xC
00455EF4 . 74 1F je short PDFill.00455F15
00455EF6 . 8BCB mov ecx,ebx
00455EF8 . FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230
00455EFE . 85C0 test eax,eax
00455F00 . 7E 13 jle short PDFill.00455F15
00455F02 . 6A 40 push 0x40
00455F04 . 68 44654F00 push PDFill.004F6544 ; UNICODE "PlotSoft PDFill"
00455F09 . 68 48D65000 push PDFill.0050D648 ; UNICODE "Your register code is not correct! It should have "
00455F0E . 8BCE mov ecx,esi
00455F10 . E8 498C0800 call <jmp.&mfc100u.#7911>
00455F15 > 51 push ecx ; mfc100u.57670DBC
00455F16 . 8BCC mov ecx,esp
00455F18 . 8965 F0 mov dword ptr ss:[ebp-0x10],esp
00455F1B . 53 push ebx
00455F1C . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455F22 . 8365 FC 00 and dword ptr ss:[ebp-0x4],0x0
00455F26 . 51 push ecx ; mfc100u.57670DBC //ECX UNICODE "123456789123"
00455F27 . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C]
00455F2D . 8BCC mov ecx,esp
00455F2F . 8965 EC mov dword ptr ss:[ebp-0x14],esp
00455F32 . 50 push eax //ECX UNICODE "aikuimail@52pojie.cn"
00455F33 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455F39 . 51 push ecx ; mfc100u.57670DBC
00455F3A . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98]
00455F40 . 8BCC mov ecx,esp
00455F42 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00455F45 . 50 push eax
00455F46 . C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00455F4A . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280 //ECX UNICODE "Green"
00455F50 . 51 push ecx ; mfc100u.57670DBC
00455F51 . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94]
00455F57 . 8BCC mov ecx,esp
00455F59 . 8965 E4 mov dword ptr ss:[ebp-0x1C],esp
00455F5C . 50 push eax
00455F5D . C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00455F61 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280 //ECX UNICODE "Ashe"
00455F67 . 834D FC FF or dword ptr ss:[ebp-0x4],-0x1
00455F6B . 8D8F 94030000 lea ecx,dword ptr ds:[edi+0x394]
00455F71 . E8 6D970400 call PDFill.0049F6E3 // key CALL
00455F76 . 83F8 01 cmp eax,0x1
00455F79 . 0F85 D3000000 jnz PDFill.00456052 // if the key CALL returns 0, registration fails
00455F7F . 51 push ecx ; mfc100u.57670DBC
00455F80 . 8BCC mov ecx,esp
00455F82 . 8965 E4 mov dword ptr ss:[ebp-0x1C],esp
00455F85 . 53 push ebx
00455F86 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455F8C . 51 push ecx ; mfc100u.57670DBC
00455F8D . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C]
00455F93 . 8BCC mov ecx,esp
00455F95 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00455F98 . 50 push eax
00455F99 . C745 FC 03000>mov dword ptr ss:[ebp-0x4],0x3
00455FA0 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455FA6 . 51 push ecx ; mfc100u.57670DBC
00455FA7 . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98]
00455FAD . 8BCC mov ecx,esp
00455FAF . 8965 EC mov dword ptr ss:[ebp-0x14],esp
00455FB2 . 50 push eax
00455FB3 . C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
00455FB7 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455FBD . 51 push ecx ; mfc100u.57670DBC
00455FBE . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94]
00455FC4 . 8BCC mov ecx,esp
00455FC6 . 8965 F0 mov dword ptr ss:[ebp-0x10],esp
00455FC9 . 50 push eax
00455FCA . C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
00455FCE . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455FD4 . 834D FC FF or dword ptr ss:[ebp-0x4],-0x1
00455FD8 . 8D8F 94030000 lea ecx,dword ptr ds:[edi+0x394]
00455FDE . E8 09920400 call PDFill.0049F1EC
00455FE3 . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94]
00455FE9 . 50 push eax
00455FEA . 8D8F 70030000 lea ecx,dword ptr ds:[edi+0x370]
00455FF0 . C787 80030000>mov dword ptr ds:[edi+0x380],0x1
00455FFA . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456000 . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98]
00456006 . 50 push eax
00456007 . 8D8F 74030000 lea ecx,dword ptr ds:[edi+0x374]
0045600D . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456013 . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C]
00456019 . 50 push eax
0045601A . 8D8F 78030000 lea ecx,dword ptr ds:[edi+0x378]
00456020 . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456026 . 53 push ebx
00456027 . 8D8F 7C030000 lea ecx,dword ptr ds:[edi+0x37C]
0045602D . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456033 . 6A 40 push 0x40
00456035 . 68 44654F00 push PDFill.004F6544 ; UNICODE "PlotSoft PDFill"
0045603A . 68 C8D55000 push PDFill.0050D5C8 ; UNICODE "You have successfully registered your PDFill Licen"
0045603F . 8BCE mov ecx,esi
00456041 . E8 188B0800 call <jmp.&mfc100u.#7911>
00456046 . 8B06 mov eax,dword ptr ds:[esi] ; PDFill.0050CF5C
00456048 . 8BCE mov ecx,esi
0045604A . FF90 84010000 call dword ptr ds:[eax+0x184]
00456050 . EB 13 jmp short PDFill.00456065
00456052 > 6A 40 push 0x40
00456054 . 68 44654F00 push PDFill.004F6544 ; UNICODE "PlotSoft PDFill"
00456059 . 68 18D55000 push PDFill.0050D518 ; UNICODE "Your first name, last name, email or register code"
0045605E . 8BCE mov ecx,esi
00456060 . E8 F98A0800 call <jmp.&mfc100u.#7911>
00456065 > E8 12980800 call PDFill.004DF87C
0045606A . C3 retn
By this point everyone already knows how to patch it; there are many ways and I won't go into them. To analyze the algorithm we have to follow the key CALL. Since I am a serious obsessive (maybe... :), whether you like it or not I am going to paste the code above again and explain it in detail, so that one day, when I wake up from a long stretch of laziness and want to review, I can still find my own study notes. OK, I don't know whether the formatting above is already a mess, so I'll paste the code once more.
[Asm]
00455E5F . 6A 10 push 0x10
00455E61 . B8 4A954E00 mov eax,PDFill.004E954A
00455E66 . E8 72990800 call PDFill.004DF7DD
00455E6B . 8BF1 mov esi,ecx
00455E6D . E8 C2890800 call <jmp.&mfc100u.#1934>
00455E72 . 8B78 04 mov edi,dword ptr ds:[eax+0x4]
00455E75 . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94] ; store the address of Ashe in eax
00455E7B . 50 push eax ; push Ashe
00455E7C . 8D8E A8000000 lea ecx,dword ptr ds:[esi+0xA8]
00455E82 . E8 EB8D0800 call <jmp.&mfc100u.#7006> ; ECX UNICODE "Ashe"  this function returns the length of its argument and stores the argument at ECX; the function is listed below
00455E87 . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98] ; store the address of Green in EAX
00455E8D . 50 push eax ; push the address of Green
00455E8E . 8D8E 1C010000 lea ecx,dword ptr ds:[esi+0x11C]
00455E94 . E8 D98D0800 call <jmp.&mfc100u.#7006> ; returns the length of Green
00455E99 . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C] ; put the email address into eax
00455E9F . 50 push eax ; push
00455EA0 . 8D8E 90010000 lea ecx,dword ptr ds:[esi+0x190]
00455EA6 . E8 C78D0800 call <jmp.&mfc100u.#7006> ; put the email address into ECX
00455EAB . 8D9E A0000000 lea ebx,dword ptr ds:[esi+0xA0] ; address of the serial
00455EB1 . 53 push ebx ; push
00455EB2 . 8D8E 04020000 lea ecx,dword ptr ds:[esi+0x204]
00455EB8 . E8 B58D0800 call <jmp.&mfc100u.#7006> ; serial length goes into EAX, its address into ECX
00455EBD . 8D8E 94000000 lea ecx,dword ptr ds:[esi+0x94]
00455EC3 . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208
00455EC9 . 8D8E 98000000 lea ecx,dword ptr ds:[esi+0x98]
00455ECF . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208
00455ED5 . 8D8E 9C000000 lea ecx,dword ptr ds:[esi+0x9C]
00455EDB . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208
00455EE1 . 8BCB mov ecx,ebx
00455EE3 . FF15 30624F00 call dword ptr ds:[<&mfc100u.#13208>] ; mfc100u.#13208 ; the lines above check whether the user name, email and registration code are valid, i.e. contain no illegal characters
00455EE9 . 8BCB mov ecx,ebx
00455EEB . FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230 ; get the serial length
00455EF1 . 83F8 0C cmp eax,0xC ; check whether the serial is 12 characters long
00455EF4 . 74 1F je short PDFill.00455F15 ; if the registration code is 12 characters, continue comparing; otherwise jump to registration failure
00455EF6 . 8BCB mov ecx,ebx
00455EF8 . FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230
00455EFE . 85C0 test eax,eax
00455F00 . 7E 13 jle short PDFill.00455F15
00455F02 . 6A 40 push 0x40
00455F04 . 68 44654F00 push PDFill.004F6544 ; UNICODE "PlotSoft PDFill"
00455F09 . 68 48D65000 push PDFill.0050D648 ; UNICODE "Your register code is not correct! It should have "
00455F0E . 8BCE mov ecx,esi
00455F10 . E8 498C0800 call <jmp.&mfc100u.#7911>
00455F15 > 51 push ecx ; after the registration code length is verified we jump here from above; push the fake serial
00455F16 . 8BCC mov ecx,esp
00455F18 . 8965 F0 mov dword ptr ss:[ebp-0x10],esp
00455F1B . 53 push ebx
00455F1C . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280 ; push the fake code onto the top of the stack
00455F22 . 8365 FC 00 and dword ptr ss:[ebp-0x4],0x0
00455F26 . 51 push ecx
00455F27 . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C]
00455F2D . 8BCC mov ecx,esp
00455F2F . 8965 EC mov dword ptr ss:[ebp-0x14],esp
00455F32 . 50 push eax
00455F33 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280 ; push the email onto the top of the stack
00455F39 . 51 push ecx
00455F3A . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98]
00455F40 . 8BCC mov ecx,esp
00455F42 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00455F45 . 50 push eax
00455F46 . C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00455F4A . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280 ; push the Last Name onto the top of the stack
00455F50 . 51 push ecx
00455F51 . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94]
00455F57 . 8BCC mov ecx,esp
00455F59 . 8965 E4 mov dword ptr ss:[ebp-0x1C],esp
00455F5C . 50 push eax
00455F5D . C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00455F61 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280 ; push the First Name onto the top of the stack
00455F67 . 834D FC FF or dword ptr ss:[ebp-0x4],-0x1
00455F6B . 8D8F 94030000 lea ecx,dword ptr ds:[edi+0x394]
00455F71 . E8 6D970400 call PDFill.0049F6E3 ; key Call: returns 1 on successful registration, any other value means failure; we step into it here
00455F76 . 83F8 01 cmp eax,0x1
00455F79 . 0F85 D3000000 jnz PDFill.00456052
00455F7F . 51 push ecx
00455F80 . 8BCC mov ecx,esp
00455F82 . 8965 E4 mov dword ptr ss:[ebp-0x1C],esp
00455F85 . 53 push ebx
00455F86 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455F8C . 51 push ecx
00455F8D . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C]
00455F93 . 8BCC mov ecx,esp
00455F95 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00455F98 . 50 push eax
00455F99 . C745 FC 03000>mov dword ptr ss:[ebp-0x4],0x3
00455FA0 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455FA6 . 51 push ecx
00455FA7 . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98]
00455FAD . 8BCC mov ecx,esp
00455FAF . 8965 EC mov dword ptr ss:[ebp-0x14],esp
00455FB2 . 50 push eax
00455FB3 . C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
00455FB7 . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455FBD . 51 push ecx
00455FBE . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94]
00455FC4 . 8BCC mov ecx,esp
00455FC6 . 8965 F0 mov dword ptr ss:[ebp-0x10],esp
00455FC9 . 50 push eax
00455FCA . C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
00455FCE . FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
00455FD4 . 834D FC FF or dword ptr ss:[ebp-0x4],-0x1
00455FD8 . 8D8F 94030000 lea ecx,dword ptr ds:[edi+0x394]
00455FDE . E8 09920400 call PDFill.0049F1EC
00455FE3 . 8D86 94000000 lea eax,dword ptr ds:[esi+0x94]
00455FE9 . 50 push eax
00455FEA . 8D8F 70030000 lea ecx,dword ptr ds:[edi+0x370]
00455FF0 . C787 80030000>mov dword ptr ds:[edi+0x380],0x1
00455FFA . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456000 . 8D86 98000000 lea eax,dword ptr ds:[esi+0x98]
00456006 . 50 push eax
00456007 . 8D8F 74030000 lea ecx,dword ptr ds:[edi+0x374]
0045600D . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456013 . 8D86 9C000000 lea eax,dword ptr ds:[esi+0x9C]
00456019 . 50 push eax
0045601A . 8D8F 78030000 lea ecx,dword ptr ds:[edi+0x378]
00456020 . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456026 . 53 push ebx
00456027 . 8D8F 7C030000 lea ecx,dword ptr ds:[edi+0x37C]
0045602D . FF15 64624F00 call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
00456033 . 6A 40 push 0x40
00456035 . 68 44654F00 push PDFill.004F6544 ; UNICODE "PlotSoft PDFill"
0045603A . 68 C8D55000 push PDFill.0050D5C8 ; UNICODE "You have successfully registered your PDFill Licen"
0045603F . 8BCE mov ecx,esi
00456041 . E8 188B0800 call <jmp.&mfc100u.#7911>
00456046 . 8B06 mov eax,dword ptr ds:[esi] ; PDFill.0050CF5C
00456048 . 8BCE mov ecx,esi
0045604A . FF90 84010000 call dword ptr ds:[eax+0x184]
00456050 . EB 13 jmp short PDFill.00456065
00456052 > 6A 40 push 0x40
00456054 . 68 44654F00 push PDFill.004F6544 ; UNICODE "PlotSoft PDFill"
00456059 . 68 18D55000 push PDFill.0050D518 ; UNICODE "Your first name, last name, email or register code"
0045605E . 8BCE mov ecx,esi
00456060 . E8 F98A0800 call <jmp.&mfc100u.#7911>
00456065 > E8 12980800 call PDFill.004DF87C
0045606A . C3 retn
The mfc100u.#7006 function:
[Asm]
57703C63 > 8BFF mov edi,edi ; PDFill.00545910
57703C65 55 push ebp
57703C66 8BEC mov ebp,esp
57703C68 56 push esi
57703C69 8BF1 mov esi,ecx
57703C6B 837E 6C 00 cmp dword ptr ds:[esi+0x6C],0x0
57703C6F 75 2F jnz short mfc100u.57703CA0
57703C71 FF76 20 push dword ptr ds:[esi+0x20] ; get the edit box handle
57703C74 FF15 541A4C57 call dword ptr ds:[<&USER32.GetWindowTextLengthW>] ; returns the length of the edit box text
57703C7A 8D48 01 lea ecx,dword ptr ds:[eax+0x1] ; text length + 1 stored in ECX
57703C7D 51 push ecx ; push text length + 1
57703C7E 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8] ; email address stored in ecx
57703C81 50 push eax ; push the text length, a GetWindowText parameter
57703C82 E8 3FEFF6FF call mfc100u.#4519
57703C87 50 push eax ; buffer pointer
57703C88 FF76 20 push dword ptr ds:[esi+0x20] ; edit box handle
57703C8B FF15 D0184C57 call dword ptr ds:[<&USER32.GetWindowTextW>] ; copied 20 characters
57703C91 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8] ; email address passed in ECX
57703C94 6A FF push -0x1
57703C96 E8 96B3E7FF call mfc100u.#11494
57703C9B 5E pop esi
57703C9C 5D pop ebp
57703C9D C2 0400 retn 0x4
Following the key Call above, we land here:
[Asm]
0049F6E3 /$ 6A 10 push 0x10
0049F6E5 |. B8 17E44E00 mov eax,PDFill.004EE417
0049F6EA |. E8 EE000400 call PDFill.004DF7DD
0049F6EF |. 8BF9 mov edi,ecx ; PDFill.00545CA4
0049F6F1 |. 68 A0A15100 push PDFill.0051A1A0 ; UNICODE "ARN@ARN.COM"
0049F6F6 |. 8D4D 10 lea ecx,[arg.3]
0049F6F9 |. C745 FC 03000>mov [local.1],0x3
0049F700 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F706 |. 85C0 test eax,eax
0049F708 |. 75 2F jnz short PDFill.0049F739
0049F70A |> 8D4D 08 lea ecx,[arg.1]
0049F70D |> FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F713 |. 8D4D 0C lea ecx,[arg.2]
0049F716 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F71C |. 8D4D 10 lea ecx,[arg.3]
0049F71F |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F725 |. 8D4D 14 lea ecx,[arg.4]
0049F728 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F72E |. 6A FC push -0x4
0049F730 |. 58 pop eax ; PDFill.00455F76
0049F731 |> E8 46010400 call PDFill.004DF87C
0049F736 |. C2 1000 retn 0x10
0049F739 |> 68 6CA15100 push PDFill.0051A16C ; UNICODE "andrea_grogan@hotmail.com"
0049F73E |. 8D4D 10 lea ecx,[arg.3]
0049F741 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F747 |. 85C0 test eax,eax
0049F749 |.^ 74 BF je short PDFill.0049F70A
0049F74B |. 68 40A15100 push PDFill.0051A140 ; UNICODE "jmmay@boothcreek.com"
0049F750 |. 8D4D 10 lea ecx,[arg.3]
0049F753 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F759 |. 85C0 test eax,eax
0049F75B |.^ 74 AD je short PDFill.0049F70A
0049F75D |. 68 18A15100 push PDFill.0051A118 ; UNICODE "vutukurim@yahoo.com"
0049F762 |. 8D4D 10 lea ecx,[arg.3]
0049F765 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F76B |. 85C0 test eax,eax
0049F76D |.^ 74 9B je short PDFill.0049F70A
0049F76F |. 68 ECA05100 push PDFill.0051A0EC ; UNICODE "alec_ward@hotmail.com"
0049F774 |. 8D4D 10 lea ecx,[arg.3]
0049F777 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F77D |. 85C0 test eax,eax
0049F77F |.^ 74 89 je short PDFill.0049F70A
0049F781 |. 68 C8A05100 push PDFill.0051A0C8 ; UNICODE "nebay66@yahoo.com"
0049F786 |. 8D4D 10 lea ecx,[arg.3]
0049F789 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F78F |. 85C0 test eax,eax
0049F791 |.^ 0F84 73FFFFFF je PDFill.0049F70A
0049F797 |. 68 A8A05100 push PDFill.0051A0A8 ; UNICODE "pml@labrier.com"
0049F79C |. 8D4D 10 lea ecx,[arg.3]
0049F79F |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F7A5 |. 85C0 test eax,eax
0049F7A7 |.^ 0F84 5DFFFFFF je PDFill.0049F70A
0049F7AD |. 68 74A05100 push PDFill.0051A074 ; UNICODE "mrkhazai23@hotmail.co.uk"
0049F7B2 |. 8D4D 10 lea ecx,[arg.3]
0049F7B5 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F7BB |. 85C0 test eax,eax
0049F7BD |.^ 0F84 47FFFFFF je PDFill.0049F70A
0049F7C3 |. 68 48A05100 push PDFill.0051A048 ; UNICODE "wonfinance@gmail.com"
0049F7C8 |. 8D4D 10 lea ecx,[arg.3]
0049F7CB |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F7D1 |. 85C0 test eax,eax
0049F7D3 |.^ 0F84 31FFFFFF je PDFill.0049F70A
0049F7D9 |. 68 20A05100 push PDFill.0051A020 ; UNICODE "info@hetnonnetje.nl"
0049F7DE |. 8D4D 10 lea ecx,[arg.3]
0049F7E1 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F7E7 |. 85C0 test eax,eax
0049F7E9 |.^ 0F84 1BFFFFFF je PDFill.0049F70A
0049F7EF |. 68 F89F5100 push PDFill.00519FF8 ; UNICODE "josh@eventbrite.com"
0049F7F4 |. 8D4D 10 lea ecx,[arg.3]
0049F7F7 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F7FD |. 85C0 test eax,eax
0049F7FF |.^ 0F84 05FFFFFF je PDFill.0049F70A
0049F805 |. 68 C89F5100 push PDFill.00519FC8 ; UNICODE "terrencezenno@yahoo.com"
0049F80A |. 8D4D 10 lea ecx,[arg.3]
0049F80D |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F813 |. 85C0 test eax,eax
0049F815 |.^ 0F84 EFFEFFFF je PDFill.0049F70A
0049F81B |. BE 949F5100 mov esi,PDFill.00519F94 ; UNICODE "philosophy4135@yahoo.com"
0049F820 |. 56 push esi
0049F821 |. 8D4D 10 lea ecx,[arg.3]
0049F824 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F82A |. 85C0 test eax,eax
0049F82C |.^ 0F84 D8FEFFFF je PDFill.0049F70A
0049F832 |. 68 6C9F5100 push PDFill.00519F6C ; UNICODE "ervin@intermetal.hu"
0049F837 |. 8D4D 10 lea ecx,[arg.3]
0049F83A |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F840 |. 85C0 test eax,eax
0049F842 |.^ 0F84 C2FEFFFF je PDFill.0049F70A
0049F848 |. 68 489F5100 push PDFill.00519F48 ; UNICODE "maasre@yahoo.com"
0049F84D |. 8D4D 10 lea ecx,[arg.3]
0049F850 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F856 |. 85C0 test eax,eax
0049F858 |.^ 0F84 ACFEFFFF je PDFill.0049F70A
0049F85E |. 68 289F5100 push PDFill.00519F28 ; UNICODE "soldat2@aol.com"
0049F863 |. 8D4D 10 lea ecx,[arg.3]
0049F866 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F86C |. 85C0 test eax,eax
0049F86E |.^ 0F84 96FEFFFF je PDFill.0049F70A
0049F874 |. 68 049F5100 push PDFill.00519F04 ; UNICODE "alifar2@gmail.com"
0049F879 |. 8D4D 10 lea ecx,[arg.3]
0049F87C |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F882 |. 85C0 test eax,eax
0049F884 |.^ 0F84 80FEFFFF je PDFill.0049F70A
0049F88A |. 68 DC9E5100 push PDFill.00519EDC ; UNICODE "delder38@yahoo.com"
0049F88F |. 8D4D 10 lea ecx,[arg.3]
0049F892 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F898 |. 85C0 test eax,eax
0049F89A |.^ 0F84 6AFEFFFF je PDFill.0049F70A
0049F8A0 |. 68 A09E5100 push PDFill.00519EA0 ; UNICODE "fax@energydevelopmentinc.com"
0049F8A5 |. 8D4D 10 lea ecx,[arg.3]
0049F8A8 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F8AE |. 85C0 test eax,eax
0049F8B0 |.^ 0F84 54FEFFFF je PDFill.0049F70A
0049F8B6 |. 68 7C9E5100 push PDFill.00519E7C ; UNICODE "rpd7610@yahoo.com"
0049F8BB |. 8D4D 10 lea ecx,[arg.3]
0049F8BE |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F8C4 |. 85C0 test eax,eax
0049F8C6 |.^ 0F84 3EFEFFFF je PDFill.0049F70A
0049F8CC |. 68 5C9E5100 push PDFill.00519E5C ; UNICODE "jjoell@sown.org"
0049F8D1 |. 8D4D 10 lea ecx,[arg.3]
0049F8D4 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F8DA |. 85C0 test eax,eax
0049F8DC |.^ 0F84 28FEFFFF je PDFill.0049F70A
0049F8E2 |. 68 309E5100 push PDFill.00519E30 ; UNICODE "simisworkshop@aol.com"
0049F8E7 |. 8D4D 10 lea ecx,[arg.3]
0049F8EA |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F8F0 |. 85C0 test eax,eax
0049F8F2 |.^ 0F84 12FEFFFF je PDFill.0049F70A
0049F8F8 |. 68 0C9E5100 push PDFill.00519E0C ; UNICODE "artturas@mbnet.fi"
0049F8FD |. 8D4D 10 lea ecx,[arg.3]
0049F900 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F906 |. 85C0 test eax,eax
0049F908 |.^ 0F84 FCFDFFFF je PDFill.0049F70A
0049F90E |. 68 D49D5100 push PDFill.00519DD4 ; UNICODE "Catherine@utahopenlands.org"
0049F913 |. 8D4D 10 lea ecx,[arg.3]
0049F916 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F91C |. 85C0 test eax,eax
0049F91E |.^ 0F84 E6FDFFFF je PDFill.0049F70A
0049F924 |. 68 B09D5100 push PDFill.00519DB0 ; UNICODE "randoro@gmail.com"
0049F929 |. 8D4D 10 lea ecx,[arg.3]
0049F92C |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F932 |. 85C0 test eax,eax
0049F934 |.^ 0F84 D0FDFFFF je PDFill.0049F70A
0049F93A |. 68 909D5100 push PDFill.00519D90 ; UNICODE "azrdgk@msn.com"
0049F93F |. 8D4D 10 lea ecx,[arg.3]
0049F942 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F948 |. 85C0 test eax,eax
0049F94A |.^ 0F84 BAFDFFFF je PDFill.0049F70A
0049F950 |. 68 5C9D5100 push PDFill.00519D5C ; UNICODE "ksim-ksam@windowslive.com"
0049F955 |. 8D4D 10 lea ecx,[arg.3]
0049F958 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F95E |. 85C0 test eax,eax
0049F960 |.^ 0F84 A4FDFFFF je PDFill.0049F70A
0049F966 |. 68 289D5100 push PDFill.00519D28 ; UNICODE "jimintheeastbay@yahoo.com"
0049F96B |. 8D4D 10 lea ecx,[arg.3]
0049F96E |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F974 |. 85C0 test eax,eax
0049F976 |.^ 0F84 8EFDFFFF je PDFill.0049F70A
0049F97C |. 68 F49C5100 push PDFill.00519CF4 ; UNICODE "JOEMARKNORMAN@HOTMAIL.COM"
0049F981 |. 8D4D 10 lea ecx,[arg.3]
0049F984 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F98A |. 85C0 test eax,eax
0049F98C |.^ 0F84 78FDFFFF je PDFill.0049F70A
0049F992 |. 56 push esi
0049F993 |. 8D4D 10 lea ecx,[arg.3]
0049F996 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F99C |. 85C0 test eax,eax
0049F99E |.^ 0F84 66FDFFFF je PDFill.0049F70A
0049F9A4 |. 68 C89C5100 push PDFill.00519CC8 ; UNICODE "nataliemora@gmail.com"
0049F9A9 |. 8D4D 10 lea ecx,[arg.3]
0049F9AC |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F9B2 |. 85C0 test eax,eax
0049F9B4 |.^ 0F84 50FDFFFF je PDFill.0049F70A
0049F9BA |. 68 A49C5100 push PDFill.00519CA4 ; UNICODE "rwhalls@yahoo.com"
0049F9BF |. 8D4D 10 lea ecx,[arg.3]
0049F9C2 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F9C8 |. 85C0 test eax,eax
0049F9CA |.^ 0F84 3AFDFFFF je PDFill.0049F70A
0049F9D0 |. 68 849C5100 push PDFill.00519C84 ; UNICODE "sylkc@yahoo.com"
0049F9D5 |. 8D4D 10 lea ecx,[arg.3]
0049F9D8 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F9DE |. 85C0 test eax,eax
0049F9E0 |.^ 0F84 24FDFFFF je PDFill.0049F70A
0049F9E6 |. 68 5C9C5100 push PDFill.00519C5C ; UNICODE "san_r2000@yahoo.com"
0049F9EB |. 8D4D 10 lea ecx,[arg.3]
0049F9EE |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049F9F4 |. 85C0 test eax,eax
0049F9F6 |.^ 0F84 0EFDFFFF je PDFill.0049F70A
0049F9FC |. 68 2C9C5100 push PDFill.00519C2C ; UNICODE "ebyte_jersey@yahoo.com"
0049FA01 |. 8D4D 10 lea ecx,[arg.3]
0049FA04 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049FA0A |. 85C0 test eax,eax
0049FA0C |.^ 0F84 F8FCFFFF je PDFill.0049F70A
0049FA12 |. 68 0C9C5100 push PDFill.00519C0C ; UNICODE "strap69@aol.com"
0049FA17 |. 8D4D 10 lea ecx,[arg.3]
0049FA1A |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049FA20 |. 85C0 test eax,eax
0049FA22 |.^ 0F84 E2FCFFFF je PDFill.0049F70A
0049FA28 |. 68 D49B5100 push PDFill.00519BD4 ; UNICODE "David.Kaufman@neatcomm.com" ; everything above is the blacklist comparison; I list that table below
0049FA2D |. 8D4D 10 lea ecx,[arg.3]
0049FA30 |. FF15 40624F00 call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049FA36 |. 8D4D 08 lea ecx,[arg.1]
0049FA39 |. 85C0 test eax,eax
0049FA3B |.^ 0F84 CCFCFFFF je PDFill.0049F70D
0049FA41 |. FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ; mfc100u.#7358
0049FA47 |. 84C0 test al,al
0049FA49 |. 74 2E je short PDFill.0049FA79
0049FA4B |. 6A FC push -0x4
0049FA4D |> 5E pop esi ; PDFill.00455F76
0049FA4E |> 8D4D 08 lea ecx,[arg.1]
0049FA51 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049FA57 |. 8D4D 0C lea ecx,[arg.2]
0049FA5A |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049FA60 |. 8D4D 10 lea ecx,[arg.3]
0049FA63 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049FA69 |. 8D4D 14 lea ecx,[arg.4]
0049FA6C |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049FA72 |. 8BC6 mov eax,esi
0049FA74 |.^ E9 B8FCFFFF jmp PDFill.0049F731
0049FA79 |> 8D4D 0C lea ecx,[arg.2]
0049FA7C |. FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ; mfc100u.#7358
0049FA82 |. 84C0 test al,al
0049FA84 |. 74 04 je short PDFill.0049FA8A
0049FA86 |. 6A FD push -0x3
0049FA88 |.^ EB C3 jmp short PDFill.0049FA4D
0049FA8A |> 8D4D 10 lea ecx,[arg.3]
0049FA8D |. FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ; mfc100u.#7358
0049FA93 |. 84C0 test al,al
0049FA95 |. 74 04 je short PDFill.0049FA9B
0049FA97 |> 6A FE push -0x2
0049FA99 |.^ EB B2 jmp short PDFill.0049FA4D
0049FA9B |> 6A 00 push 0x0
0049FA9D |. 6A 40 push 0x40
0049FA9F |. 8D4D 10 lea ecx,[arg.3]
0049FAA2 |. FF15 1C624F00 call dword ptr ds:[<&mfc100u.#4150>] ; mfc100u.#4150 ; get the length of the part of the email address before the @
0049FAA8 |. 8BF0 mov esi,eax
0049FAAA |. 83FE 01 cmp esi,0x1
0049FAAD |.^ 7C E8 jl short PDFill.0049FA97 ; there must be at least one character before the @ in the email, otherwise fail
0049FAAF |. 8D4D 10 lea ecx,[arg.3]
0049FAB2 |. FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230 ; get the total length of the email
0049FAB8 |. 48 dec eax
0049FAB9 |. 3BF0 cmp esi,eax
0049FABB |.^ 74 DA je short PDFill.0049FA97 ; nothing after the @ is also a failure
0049FABD |. 8D4D 14 lea ecx,[arg.4] ; store the serial address in ECX
0049FAC0 |. FF15 60624F00 call dword ptr ds:[<&mfc100u.#7357>] ; mfc100u.#7358
0049FAC6 |. 84C0 test al,al
0049FAC8 |. 74 08 je short PDFill.0049FAD2
0049FACA |> 83CE FF or esi,-0x1
0049FACD |.^ E9 7CFFFFFF jmp PDFill.0049FA4E
0049FAD2 |> 8D4D 14 lea ecx,[arg.4]
0049FAD5 |. FF15 8C624F00 call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230
0049FADB |. 83F8 0C cmp eax,0xC
0049FADE |.^ 75 EA jnz short PDFill.0049FACA
0049FAE0 |. 51 push ecx ; PDFill.00545CA4
0049FAE1 |. 8D45 10 lea eax,[arg.3]
0049FAE4 |. 8BCC mov ecx,esp
0049FAE6 |. 8965 EC mov [local.5],esp
0049FAE9 |. 50 push eax
0049FAEA |. FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
0049FAF0 |. 51 push ecx ; PDFill.00545CA4
0049FAF1 |. 8D45 0C lea eax,[arg.2]
0049FAF4 |. 8BCC mov ecx,esp
0049FAF6 |. 8965 E8 mov [local.6],esp
0049FAF9 |. 50 push eax
0049FAFA |. C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
0049FAFE |. FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
0049FB04 |. 51 push ecx ; PDFill.00545CA4
0049FB05 |. 8D45 08 lea eax,[arg.1]
0049FB08 |. 8BCC mov ecx,esp
0049FB0A |. 8965 E4 mov [local.7],esp
0049FB0D |. 50 push eax
0049FB0E |. C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
0049FB12 |. FF15 5C624F00 call dword ptr ds:[<&mfc100u.#280>] ; mfc100u.#280
0049FB18 |. 8D45 F0 lea eax,[local.4]
0049FB1B |. 50 push eax
0049FB1C |. 8BCF mov ecx,edi ; PDFill.00545910
0049FB1E |. C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3 ; above, the email and user name are verified once more and all pushed to the top of the stack using mfc100u.#280; if you are interested you can step into that function
0049FB22 |. E8 71F8FFFF call PDFill.0049F398 ; generates the serial from the user name and email, the key algorithm, step in here
0049FB27 |. 8D4D 14 lea ecx,[arg.4]
0049FB2A |. C645 FC 06 mov byte ptr ss:[ebp-0x4],0x6
0049FB2E |. FF15 94624F00 call dword ptr ds:[<&mfc100u.#1450>] ; mfc100u.#6237
0049FB34 |. 50 push eax
0049FB35 |. 8D4D F0 lea ecx,[local.4]
0049FB38 |. FF15 98624F00 call dword ptr ds:[<&mfc100u.#2614>] ; mfc100u.#2614 ; compares it with the fake code; if EAX returns 0, registration fails
0049FB3E |. 8D4D F0 lea ecx,[local.4]
0049FB41 |. 85C0 test eax,eax
0049FB43 |. 75 0E jnz short PDFill.0049FB53
0049FB45 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049FB4B |. 33F6 xor esi,esi
0049FB4D |. 46 inc esi
0049FB4E |.^ E9 FBFEFFFF jmp PDFill.0049FA4E
0049FB53 |> FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049FB59 |. 33F6 xor esi,esi
0049FB5B \.^ E9 EEFEFFFF jmp PDFill.0049FA4E
0049FB60 /$ 6A 04 push 0x4
0049FB62 |. B8 DB264F00 mov eax,PDFill.004F26DB
0049FB67 |. E8 71FC0300 call PDFill.004DF7DD
0049FB6C |. 8BF1 mov esi,ecx ; PDFill.00545CA4
0049FB6E |. 8B46 1C mov eax,dword ptr ds:[esi+0x1C]
0049FB71 |. 33FF xor edi,edi ; PDFill.00545910
0049FB73 |. 897D FC mov [local.1],edi ; PDFill.00545910
0049FB76 |. 8945 F0 mov [local.4],eax
0049FB79 |. 3BC7 cmp eax,edi ; PDFill.00545910
0049FB7B |. 7E 2B jle short PDFill.0049FBA8
0049FB7D |> 85FF /test edi,edi ; PDFill.00545910
0049FB7F |. 78 47 |js short PDFill.0049FBC8
0049FB81 |. 3B7E 1C |cmp edi,dword ptr ds:[esi+0x1C]
0049FB84 |. 7D 42 |jge short PDFill.0049FBC8
0049FB86 |. 8B46 18 |mov eax,dword ptr ds:[esi+0x18]
0049FB89 |. 8B1CB8 |mov ebx,dword ptr ds:[eax+edi*4]
0049FB8C |. 8D4D 08 |lea ecx,[arg.1]
0049FB8F |. FF15 94624F00 |call dword ptr ds:[<&mfc100u.#1450>] ; mfc100u.#6237
0049FB95 |. 50 |push eax
0049FB96 |. 8BCB |mov ecx,ebx
0049FB98 |. FF15 40624F00 |call dword ptr ds:[<&mfc100u.#2620>] ; mfc100u.#2620
0049FB9E |. 85C0 |test eax,eax
0049FBA0 |. 74 19 |je short PDFill.0049FBBB
0049FBA2 |. 47 |inc edi ; PDFill.00545910
0049FBA3 |. 3B7D F0 |cmp edi,[local.4]
0049FBA6 |.^ 7C D5 \jl short PDFill.0049FB7D
0049FBA8 |> 8D4D 08 lea ecx,[arg.1]
0049FBAB |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049FBB1 |. 33C0 xor eax,eax
0049FBB3 |> E8 C4FC0300 call PDFill.004DF87C
0049FBB8 |. C2 0400 retn 0x4
Below are the blacklisted e-mail addresses (typed in by hand, so there may be errors; trace them yourself in the dump window. Anyone who thinks these accounts are registration codes is welcome to type them in and try):
Stepping into the key algorithm call above brings us here:
To be honest, everything written above is filler (but please don't treat it as spam, I would be penalised for that); only this block of code is the real serial-generating function. Everything before it is just validation logic. Since writing a post takes a lot of time, there are many instructions I have not explained clearly and only have in my head; even if I had the energy, the post layout would not allow it either, since I am bad at formatting as it is and a few more passes would make the post unreadable. So please bear with me! Now I will explain this section in detail.
0049F398 /$ 6A 18 push 0x18
0049F39A |. B8 5AE34E00 mov eax,PDFill.004EE35A
0049F39F |. E8 39040400 call PDFill.004DF7DD
0049F3A4 |. 33DB xor ebx,ebx
0049F3A6 |. 895D E4 mov [local.7],ebx
0049F3A9 |. 33F6 xor esi,esi
0049F3AB |. 46 inc esi
0049F3AC |. 8975 FC mov [local.1],esi
0049F3AF |. 8D4D F0 lea ecx,[local.4]
0049F3B2 |. 33FF xor edi,edi ; PDFill.00545CA4 ; clear EDI, which is used as the accumulator
0049F3B4 |. FF15 54624F00 call dword ptr ds:[<&mfc100u.#296>] ; mfc100u.#316
0049F3BA |. 8D4D E8 lea ecx,[local.6]
0049F3BD |. FF15 54624F00 call dword ptr ds:[<&mfc100u.#296>] ; mfc100u.#316
0049F3C3 |. 8B4D 08 mov ecx,[arg.1]
0049F3C6 |. C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
0049F3CA |. FF15 54624F00 call dword ptr ds:[<&mfc100u.#296>] ; mfc100u.#316
0049F3D0 |. 8975 E4 mov [local.7],esi
0049F3D3 |> 85DB /test ebx,ebx ; EBX is a counter
0049F3D5 |. 75 13 |jnz short PDFill.0049F3EA
0049F3D7 |. 8D4D 0C |lea ecx,[arg.2]
0049F3DA |. FF15 9C5A4F00 |call dword ptr ds:[<&mfc100u.#7871>] ; mfc100u.#7871
0049F3E0 |. 50 |push eax
0049F3E1 |. 8D4D F0 |lea ecx,[local.4]
0049F3E4 |. FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
0049F3EA |> 3BDE |cmp ebx,esi
0049F3EC |. 75 13 |jnz short PDFill.0049F401
0049F3EE |. 8D4D 10 |lea ecx,[arg.3]
0049F3F1 |. FF15 9C5A4F00 |call dword ptr ds:[<&mfc100u.#7871>] ; mfc100u.#7871
0049F3F7 |. 50 |push eax
0049F3F8 |. 8D4D F0 |lea ecx,[local.4]
0049F3FB |. FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
0049F401 |> 83FB 02 |cmp ebx,0x2
0049F404 |. 75 13 |jnz short PDFill.0049F419
0049F406 |. 8D4D 14 |lea ecx,[arg.4]
0049F409 |. FF15 9C5A4F00 |call dword ptr ds:[<&mfc100u.#7871>] ; mfc100u.#7871
0049F40F |. 50 |push eax
0049F410 |. 8D4D F0 |lea ecx,[local.4]
0049F413 |. FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
0049F419 |> 8365 EC 00 |and [local.5],0x0
0049F41D |. 8D4D F0 |lea ecx,[local.4]
0049F420 |. FF15 8C624F00 |call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230
0049F426 |. 85C0 |test eax,eax
0049F428 |. 7E 30 |jle short PDFill.0049F45A
0049F42A |> FF75 EC |/push [local.5]
0049F42D |. 8D4D F0 ||lea ecx,[local.4]
0049F430 |. FF15 28624F00 ||call dword ptr ds:[<&mfc100u.#4478>] ; mfc100u.#4478
0049F436 |. 0FB6C8 ||movzx ecx,al
0049F439 |. 8B45 EC ||mov eax,[local.5]
0049F43C |. 8D4C01 08 ||lea ecx,dword ptr ds:[ecx+eax+0x8]
0049F440 |. 8D50 09 ||lea edx,dword ptr ds:[eax+0x9]
0049F443 |. 0FAFCA ||imul ecx,edx
0049F446 |. 03F9 ||add edi,ecx ; PDFill.00545CA4
0049F448 |. 40 ||inc eax
0049F449 |. 8D4D F0 ||lea ecx,[local.4]
0049F44C |. 8945 EC ||mov [local.5],eax
0049F44F |. FF15 8C624F00 ||call dword ptr ds:[<&mfc100u.#5229>] ; mfc100u.#5230
0049F455 |. 3945 EC ||cmp [local.5],eax
0049F458 |.^ 7C D0 |\jl short PDFill.0049F42A
0049F45A |> 8D87 E1100000 |lea eax,dword ptr ds:[edi+0x10E1]
0049F460 |. 50 |push eax
0049F461 |. 8D45 E8 |lea eax,[local.6]
0049F464 |. 68 A8664F00 |push PDFill.004F66A8 ; UNICODE "%d"
0049F469 |. 50 |push eax
0049F46A |. FF15 20624F00 |call dword ptr ds:[<&mfc100u.#4290>] ; mfc100u.#4290
0049F470 |. 83C4 0C |add esp,0xC
0049F473 |. 6A 04 |push 0x4
0049F475 |. 8D45 DC |lea eax,[local.9]
0049F478 |. 50 |push eax
0049F479 |. 8D4D E8 |lea ecx,[local.6]
0049F47C |. FF15 E8614F00 |call dword ptr ds:[<&mfc100u.#11838>] ; mfc100u.#11838
0049F482 |. 50 |push eax
0049F483 |. FF75 08 |push [arg.1]
0049F486 |. 8D45 E0 |lea eax,[local.8]
0049F489 |. 50 |push eax
0049F48A |. C645 FC 06 |mov byte ptr ss:[ebp-0x4],0x6
0049F48E |. E8 5D1FF6FF |call PDFill.004013F0
0049F493 |. 83C4 0C |add esp,0xC
0049F496 |. 8B4D 08 |mov ecx,[arg.1]
0049F499 |. 50 |push eax
0049F49A |. C645 FC 07 |mov byte ptr ss:[ebp-0x4],0x7
0049F49E |. FF15 64624F00 |call dword ptr ds:[<&mfc100u.#1310>] ; mfc100u.#1310
0049F4A4 |. 8D4D E0 |lea ecx,[local.8]
0049F4A7 |. FF15 9C624F00 |call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F4AD |. 8D4D DC |lea ecx,[local.9]
0049F4B0 |. C645 FC 05 |mov byte ptr ss:[ebp-0x4],0x5
0049F4B4 |. FF15 9C624F00 |call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F4BA |. 43 |inc ebx
0049F4BB |. 83FB 03 |cmp ebx,0x3
0049F4BE |.^ 0F8C 0FFFFFFF \jl PDFill.0049F3D3
0049F4C4 |. 8D4D E8 lea ecx,[local.6]
0049F4C7 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F4CD |. 8D4D F0 lea ecx,[local.4]
0049F4D0 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F4D6 |. 8D4D 0C lea ecx,[arg.2]
0049F4D9 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F4DF |. 8D4D 10 lea ecx,[arg.3]
0049F4E2 |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F4E8 |. 8D4D 14 lea ecx,[arg.4]
0049F4EB |. FF15 9C624F00 call dword ptr ds:[<&mfc100u.#902>] ; mfc100u.#14057
0049F4F1 |. 8B45 08 mov eax,[arg.1]
0049F4F4 |. E8 83030400 call PDFill.004DF87C
0049F4F9 \. C2 1000 retn 0x10
If everything were explained in the style above, readers with weaker hands-on skills would be lost, so below we switch approach. Since this computation is one big loop, I will first experiment with the First Name "Ashe", with live screenshots starting from the EDI accumulator:
At this point EDI has been zeroed; single-stepping down we see another counter. Beginners, remember these two counters; once you are practised you will naturally know how to recognise a counter.
Next, the uppercase letters in "Ashe" are converted to lowercase; if curious you can step in and see the wcslwr_s function:
lea ecx,dword ptr ss:[ebp+0xC] ; put the address of "Ashe" into ECX
call dword ptr ds:[<&mfc100u.#7871>] ; convert all uppercase letters to lowercase (wcslwr_s)
Further down is the core of the algorithm, well over ninety percent of the whole serial computation:
I do not know how to lay out this short piece of assembly; if you do not follow it, do not complain, because if you work through it yourself while reading, it all becomes simple! If you really cannot follow it, leave a comment.
The serial computation for the First Name works as follows:
counter -> ss:[ebp-0x14]
"Ashe" -> "ashe"
The ASCII code of the first letter, a, is 0x61
Then apply the formulas:
1. ASCII code of the name character + 8 + counter => ECX
so ECX = 0x61 + 0x8 + 0x0 = 0x69
2. counter + 9 => EDX
so EDX = 0x0 + 0x9 = 0x9
3. ECX * EDX + EDI => EDI
so EDI = 0x69 * 0x9 = 0x3B1
Having done a, let us compute s by hand as well and then verify the result.
Now [ebp-0x14] is 1
ECX = 0x73 + 0x8 + 0x1 = 0x7C
EDX = 0x1 + 0x9 = 0xA
EDI = 0x889
Then compute h and e the same way, accumulating each EDI result; the final value I get is 0x12AF. Checking the result in OD with F4 confirms it is correct.
Then add the fixed number 0x10E1 to the final First Name result, i.e. the value of EDI: 0x12AF + 0x10E1 = 0x2390
Then, folks, use a calculator to convert 0x2390 to decimal, which gives 9104. This is the serial-number piece derived from the First Name.
Because 9104 is not longer than 4 digits, nothing is truncated.
Using the same method, the piece generated from the Last Name is 15484 (decimal); this time the length exceeds 4, so the last four digits are taken, counting from the end: 5484
Likewise the e-mail generates 57375, truncated to 7375. The truncation uses a wide-character substring function; have a look for yourself, the whole program uses UNICODE encoding rather than DBCS.
So the final serial number is: 910454847375
Generating from the e-mail uses exactly the same method; special symbols such as @ and "." must also be converted to their ASCII codes and included in the computation!!!
This is only a simple program, and as you can probably guess, a 12-digit serial that has to be generated from a Last Name, a First Name and an Email can only take one obvious form.
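To check the hand trace above, here is an added Python re-implementation of the computation in the loop at 0049F42A-0049F458 (example code, not PDFill's own and not the author's keygen). It assumes, as the listing shows (EDI is zeroed only once at 0049F3B2 and never inside the loop), that the accumulator carries over from one field to the next; that carry-over is what reproduces the author's 15484 and 57375, and it also makes clear why the scheme is weak: the serial is a pure function of public inputs with no secret and only 10^12 structured values.

```python
# Added example: re-implements the serial derivation traced above.
# Per the listing, for every character c at index i: EDI += (c + 8 + i) * (i + 9).

MAGIC = 0x10E1  # constant added at 0049F45A before "%d" formatting


def field_checksum(text: str, acc: int = 0) -> int:
    """Run the accumulator loop over one lowercased field.

    acc is the incoming EDI value; EDI is zeroed only once (0049F3B2),
    so the running total carries over from field to field.
    """
    for i, ch in enumerate(text.lower()):  # wcslwr_s at 0049F3DA
        acc += (ord(ch) + 8 + i) * (i + 9)
    return acc


def field_to_digits(acc: int) -> str:
    """Format EDI + 0x10E1 with "%d" and keep at most the last four
    characters, as the wide-string call at 0049F47C does (no padding)."""
    return str(acc + MAGIC)[-4:]


def derive_serial(first: str, last: str, email: str) -> str:
    """Concatenate the three pieces, as 0049F48E/0049F49E do."""
    acc = 0
    pieces = []
    for field in (first, last, email):
        acc = field_checksum(field, acc)
        pieces.append(field_to_digits(acc))
    return "".join(pieces)


def trace_first_name(first: str) -> list:
    """Per-character (char, ECX, EDX, running EDI) rows matching the write-up."""
    acc, rows = 0, []
    for i, ch in enumerate(first.lower()):
        ecx, edx = ord(ch) + 8 + i, i + 9
        acc += ecx * edx
        rows.append((ch, ecx, edx, acc))
    return rows


if __name__ == "__main__":
    for row in trace_first_name("Ashe"):
        print("%s: ECX=0x%X EDX=0x%X EDI=0x%X" % row)
    # The author's own test inputs from the post
    print(derive_serial("Ashe", "Green", "aikuimail@52pojie.cn"))
```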
With the algorithm this clear, writing a keygen should be straightforward. This is my first post and it surely has many shortcomings, so please bear with me. For writing the keygen I recommend the assembly keygen template shared by H大大, which you can search for.
This post is purely for entertainment; please do not use it for illegal activities.