本帖最后由 ubuntu 于 2019-6-6 19:01 编辑
目标软件 :屏幕录像专家2015
版 本:V2015 Build0318
平 台:Windows 7 32bit
工 具:OD ,MASM32
官 网:http://www.tlxsoft.com
其实这个软件我很久很久就分析过,分析了之后就没管它了,之前一直用的是AT&T格式汇编或者NASM汇编,从没有接触过Win32汇编,在学了Win32汇编后,觉得应该找点东西练练手,于是我就选择了用汇编做注册机,顺带着写了这篇文章。因为很多人都说什么真正的完美注册码是100位以上,当我看到这些留言后也没说什么,用事实说话吧。我先给出我的测试数据:
用户名:aikuimail
机器码:246727859857503126402159603190
序列号:1234567890123456789012345678901234567890
1234567890123456789012345678901234567890
123456789012345678901234567890
我给的序列号是110位的,所以我在这里先试的就是100+的位,关键CALL和断点我就不说了,呆会儿我把UDD一起上传上来。点击注册,然后OD中断。
004862E4 . 55 push ebp ; //第一层
004862E5 . 8BEC mov ebp,esp
004862E7 . 81C4 98F6FFFF add esp,-0x968 ; 分配堆栈
004862ED . 53 push ebx
004862EE . 56 push esi ; 屏录专家.00625FA4
004862EF . 57 push edi ; 保存现场
004862F0 . 8995 44FFFFFF mov dword ptr ss:[ebp-0xBC],edx ; 循环初始化堆栈
004862F6 . 8985 48FFFFFF mov dword ptr ss:[ebp-0xB8],eax ; 在这里赋值给SS:[ebp-0xB8]
004862FC . BE A45F6200 mov esi,屏录专家.00625FA4
00486301 . B8 84ED5E00 mov eax,屏录专家.005EED84
00486306 . E8 F1C71000 call 屏录专家.00592AFC
0048630B . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x8
00486314 . 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
00486317 . E8 20B7F7FF call 屏录专家.00401A3C ; EDX <= EAX
0048631C . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98] ; 循环
00486322 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x14
0048632B . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x20
00486334 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
00486337 . E8 00B7F7FF call 屏录专家.00401A3C ; EDX <= EAX
0048633C . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00486342 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x14
0048634B . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x2C
00486354 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00486357 . E8 E0B6F7FF call 屏录专家.00401A3C ; EDX <= EAX strcpy
0048635C . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00486362 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00486365 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x14
0048636E . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x38
00486377 . 8B95 48FFFFFF mov edx,dword ptr ss:[ebp-0xB8]
0048637D . 8B9A F4020000 mov ebx,dword ptr ds:[edx+0x2F4]
00486383 . 81C3 08020000 add ebx,0x208
00486389 . E8 AEB6F7FF call 屏录专家.00401A3C ; EDX <= EAX
0048638E . 8BD0 mov edx,eax
00486390 . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98] ; i = 4
00486396 . 8B03 mov eax,dword ptr ds:[ebx]
00486398 . 8B08 mov ecx,dword ptr ds:[eax]
0048639A . FF51 1C call dword ptr ds:[ecx+0x1C] ; 得到假码的长度
0048639D . 8D55 F0 lea edx,dword ptr ss:[ebp-0x10] ; 将假码的地址放入EDX
004863A0 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC] ; 存放假码地址的后一个内存单元
004863A3 . E8 F8AE1100 call 屏录专家.005A12A0 ; EDX<=00000000 ECX<=2
004863A8 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98] ; i-
004863AE . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10] ; 假码地址放入EAX
004863B1 . BA 02000000 mov edx,0x2
004863B6 . E8 B5AE1100 call 屏录专家.005A1270 ; 假码 => EDX 空串地址=>ECX
004863BB . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x44
004863C4 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC] ; 假码地址放入EAX
004863C7 . E8 D4CAF7FF call 屏录专家.00402EA0 ; 假码 => EAX strcpy
004863CC . 50 push eax ; 假码压栈
004863CD . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004863D0 . 8B95 48FFFFFF mov edx,dword ptr ss:[ebp-0xB8]
004863D6 . 52 push edx
004863D7 . E8 60B6F7FF call 屏录专家.00401A3C ; EDX <= EAX ECX<=00000000
004863DC . 50 push eax
004863DD . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
004863E3 . E8 44110000 call 屏录专家.0048752C
004863E8 . 83C4 0C add esp,0xC
004863EB . 8D55 EC lea edx,dword ptr ss:[ebp-0x14] ; 假码地址赋给EDX
004863EE . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC] ; 假码地址赋给EAX
004863F1 . E8 AAAE1100 call 屏录专家.005A12A0
004863F6 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
004863FC . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004863FF . BA 02000000 mov edx,0x2
00486404 . E8 67AE1100 call 屏录专家.005A1270 ; strcpy
00486409 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC] ; EAX <- 序列号地址
0048640C . E8 6BA6F9FF call 屏录专家.00420A7C ; 注册码只能是数字,字母无效,取序列号长度
00486411 . 83F8 32 cmp eax,0x32 ; 注册码长度要大于或者等于50位
00486414 . 0F8D 81000000 jge 屏录专家.0048649B ; => 跳转已实现
这是第一个跳转,序列号长度至少要50位,所以这里要跳:
0048649B > \8D45 F4 lea eax,dword ptr ss:[ebp-0xC] ; 假码地址放入EAX
0048649E . E8 FDC9F7FF call 屏录专家.00402EA0 ; 假码放到EAX
004864A3 . 8BF8 mov edi,eax ; 假码放到EDI
004864A5 . 33C0 xor eax,eax
004864A7 . 56 push esi ; 屏录专家.00625FA4
004864A8 . 83C9 FF or ecx,-0x1 ; ECX存放了假码的地址
004864AB . F2:AE repne scas byte ptr es:[edi] ; 验证假码是不是全为0
004864AD . F7D1 not ecx
004864AF . 2BF9 sub edi,ecx
004864B1 . 8DB5 A4FAFFFF lea esi,dword ptr ss:[ebp-0x55C]
004864B7 . 87F7 xchg edi,esi ; 屏录专家.00625FA4
004864B9 . 8BD1 mov edx,ecx
004864BB . 8BC7 mov eax,edi
004864BD . C1E9 02 shr ecx,0x2
004864C0 . 8D85 A4FAFFFF lea eax,dword ptr ss:[ebp-0x55C]
004864C6 . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>; ESI ASCII "90"
004864C8 . 8BCA mov ecx,edx
004864CA . 83E1 03 and ecx,0x3
004864CD . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
004864CF . 5E pop esi ; 0012EE6C
004864D0 . 50 push eax ; 将假码压栈
004864D1 . E8 26C31000 call 屏录专家.005927FC ; 取假码长度,ECX <= 假码
004864D6 . 59 pop ecx ; 0012EE6C
004864D7 . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
004864DD . 81BD 40FFFFFF>cmp dword ptr ss:[ebp-0xC0],0x12C ; 将假码长度与300比较
004864E7 . 0F8E 71020000 jle 屏录专家.0048675E ; 以上代码都是验证序列号的合法性
004864ED . 33C0 xor eax,eax ; 下面是失败
004864EF . 8DBD A4FAFFFF lea edi,dword ptr ss:[ebp-0x55C]
这里是序列号300长度的临界,多于300就是注册失败
0048675E > \83BD 40FFFFFF>cmp dword ptr ss:[ebp-0xC0],0x64 ; 序列号与100比较
00486765 . 0F8E E5010000 jle 屏录专家.00486950 ; //大于一百位就会验证通过后提示升级
0048676B . 8B0D C45E6200 mov ecx,dword ptr ds:[0x625EC4] ; hdb
00486771 . 8D95 A4FAFFFF lea edx,dword ptr ss:[ebp-0x55C] ; 序列号地址=>EDX
00486777 . 52 push edx
00486778 . 8B01 mov eax,dword ptr ds:[ecx]
0048677A . 50 push eax
0048677B . E8 14A3F9FF call 屏录专家.00420A94 ; 取序列号倒数5位
00486780 . 83C4 08 add esp,0x8
00486783 . 84C0 test al,al
00486785 . 0F85 81000000 jnz 屏录专家.0048680C
以上就是序列号长度大于100而小于300的情形了,这段代码就是比较序列号的前105位计算出来的值是否等于末五位,这段代码的真正含义我会在后面讲解。我们先将序列号后五位改为正确的后五位45539,运行后就会弹出窗口。
这个窗口就是一个提示升级的窗口,所以这就是当序列号大于100的时候,它会将长度大于100的序列号定为老版本并提示你升级。
好了,闲话就不说了,我们正式进入具体的算法分析,将我们的假码长度更改为50位或者50位以上,我在这里就只50位了,点击注册再次中断。这一次因为长度小于一百,所以跳转会实现。
00486950 > \8B9D 40FFFFFF mov ebx,dword ptr ss:[ebp-0xC0] ; 将假码长度赋给EBX
00486956 . 83C3 FB add ebx,-0x5 ; 假码长度减5 然后将EBX作为索引,取倒数5位
00486959 . 8D841D A4FAFF>lea eax,dword ptr ss:[ebp+ebx-0x55C] ; ASCII "67890"
00486960 . 8985 1CFFFFFF mov dword ptr ss:[ebp-0xE4],eax
00486966 . 3B9D 40FFFFFF cmp ebx,dword ptr ss:[ebp-0xC0] ; 检查是否越界
0048696C . 7D 2B jge short 屏录专家.00486999
0048696E > 8B95 40FFFFFF mov edx,dword ptr ss:[ebp-0xC0] ; ---------------------------
00486974 . 8B85 1CFFFFFF mov eax,dword ptr ss:[ebp-0xE4] ; 倒数5位数的地址赋给EAX
0048697A . 83C2 FB add edx,-0x5
0048697D . 8BCB mov ecx,ebx
0048697F . 2BCA sub ecx,edx
00486981 . 8A10 mov dl,byte ptr ds:[eax] ; 倒数第5个数赋给DL
00486983 . 43 inc ebx
00486984 . 88940D 00FFFF>mov byte ptr ss:[ebp+ecx-0x100],dl ; 将倒数5位数全部放入0012EBF4
0048698B . FF85 1CFFFFFF inc dword ptr ss:[ebp-0xE4]
00486991 . 3B9D 40FFFFFF cmp ebx,dword ptr ss:[ebp-0xC0]
00486997 .^ 7C D5 jl short 屏录专家.0048696E ; ---------------------------
00486999 > 8BB5 40FFFFFF mov esi,dword ptr ss:[ebp-0xC0] ; 将假码总长度赋给ESI
0048699F . 8D95 00FFFFFF lea edx,dword ptr ss:[ebp-0x100] ; 将存放倒数5个数字的缓冲区地址赋给EDX
004869A5 . 83C6 FB add esi,-0x5
004869A8 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
004869AB . 2BDE sub ebx,esi ; 假码总长度减云倒数第5的索引
004869AD . C6841D 00FFFF>mov byte ptr ss:[ebp+ebx-0x100],0x0 ; 将0赋给上个缓冲区的相邻内存
004869B5 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0xC8
004869BE . E8 5DA51100 call 屏录专家.005A0F20 ; 得到某一个地址存放到EDX
004869C3 . 8BD0 mov edx,eax
004869C5 . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98] ; i
004869CB . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
004869CE . E8 CDA81100 call 屏录专家.005A12A0 ; 将后5位数存放到上一个ss:[ebp-0x8]中
004869D3 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
004869D9 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C] ; 后5位数地址存放到eax
004869DC . BA 02000000 mov edx,0x2
004869E1 . E8 8AA81100 call 屏录专家.005A1270 ; EDX ASCII "67890"
004869E6 . 56 push esi ; 屏录专家.00625FA4
004869E7 . 8D8D A4FAFFFF lea ecx,dword ptr ss:[ebp-0x55C]
004869ED . 51 push ecx
004869EE . A1 C45E6200 mov eax,dword ptr ds:[0x625EC4] ; hdb
004869F3 . 8B10 mov edx,dword ptr ds:[eax]
004869F5 . 52 push edx ; ?
004869F6 . E8 1D7BFFFF call 屏录专家.0047E518 ; CALL 1
004869FB . 0FB7C8 movzx ecx,ax
004869FE . 898D 40FFFFFF mov dword ptr ss:[ebp-0xC0],ecx
00486A04 . 83C4 0C add esp,0xC
00486A07 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0xD4
00486A10 . 33C0 xor eax,eax
00486A12 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00486A18 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8] ; 倒数五位数字给EAX
00486A1B . E8 44AC1100 call 屏录专家.005A1664 ; CALL 2 将末尾5位数字换算成10932
00486A20 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00486A26 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x14
00486A2F . EB 0E jmp short 屏录专家.00486A3F
00486A31 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0xDC
00486A3A . E8 CB751100 call 屏录专家.0059E00A
00486A3F > 8B95 40FFFFFF mov edx,dword ptr ss:[ebp-0xC0]
00486A45 . 3B95 28FFFFFF cmp edx,dword ptr ss:[ebp-0xD8] ; CALL 1返回值的低四位和CALL 2的返回值必须相等
00486A4B . 0F84 81000000 je 屏录专家.00486AD2
00486A51 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0xE0
00486A5A . BA 88E65E00 mov edx,屏录专家.005EE688 ; 注册失败,请检查你的输入是否有误
上面这一大段代码的流程大体就是:由序列号前45位计算出一个数值,将这个数值转换成十进制字符串,这个字符串就是真正序列号的后五位。所以在这段代码的最后会将我们假码的后五位与真正序列号的后五位比较,不相等则注册失败。下面就是这个计算函数,也就是代码中的CALL1。
; ---------------------------------------------------------------------------
; sub_47E518 ("CALL 1", called from 004869F6); cdecl -- the caller pops 0xC bytes.
; In:   [ebp+0x8]  = the [0x625EC4] value the caller pushes; never read here
;       [ebp+0xC]  = pointer to the byte buffer (the serial, ss:[ebp-0x55C] in the caller)
;       [ebp+0x10] = number of bytes to process (the caller passes length - 5)
; Out:  ax = 16-bit checksum; the caller keeps only ax (movzx ecx,ax at 004869FB).
;       Bits 16..31 of eax also change (add eax,eax) but are never consumed.
; Clobbers: eax, ecx, edx, flags; esi/edi are saved and restored.
; Register roles: eax = checksum register, esi = current byte, edi = byte index,
;       dl = bit mask 0x80..0x01, ecx = pass counter.
; The bit loop 0047E536..0047E553 is the bitwise CRC-16 with polynomial 0x1021,
; initial value 0, MSB first, no final XOR -- the CRC-16/XMODEM form (confirm
; against a reference implementation). ecx only gates the work: the byte loop
; runs once, on the pass where ecx == 0xB26D, and the remaining passes up to
; 0x186A0 (100000) do nothing.
; A plain CRC carries no secret, so this tail check only catches typing errors;
; a serial tail that must be unforgeable needs a keyed MAC or a signature.
; ---------------------------------------------------------------------------
0047E518 /$ 55 push ebp
0047E519 |. 8BEC mov ebp,esp
0047E51B |. 56 push esi
0047E51C |. 57 push edi
0047E51D |. 8B75 0C mov esi,dword ptr ss:[ebp+0xC] ; esi = serial buffer (2nd argument)
0047E520 |. 33C0 xor eax,eax ; checksum register starts at 0
0047E522 |. 33C9 xor ecx,ecx ; pass counter
0047E524 |> 81F9 6DB20000 /cmp ecx,0xB26D ; the byte loop is entered only when ecx == 0xB26D
0047E52A |. 75 30 |jnz short 屏录专家.0047E55C
0047E52C |. 33FF |xor edi,edi ; edi = byte index
0047E52E |. 3B7D 10 |cmp edi,dword ptr ss:[ebp+0x10] ; byte count (3rd argument)
0047E531 |. 7D 29 |jge short 屏录专家.0047E55C ; nothing to do for a count <= 0
0047E533 |> 41 |/inc ecx ; per-byte loop
0047E534 |. B2 80 ||mov dl,0x80 ; bit mask, MSB first
0047E536 |> F6C4 80 ||/test ah,0x80 ; per-bit loop: is bit 15 of the register set?
0047E539 |. 74 09 |||je short 屏录专家.0047E544
0047E53B |. 03C0 |||add eax,eax ; shift left and feed the polynomial back
0047E53D |. 66:35 2110 |||xor ax,0x1021
0047E541 |. 41 |||inc ecx
0047E542 |. EB 02 |||jmp short 屏录专家.0047E546
0047E544 |> 03C0 |||add eax,eax ; shift left only
0047E546 |> 41 |||inc ecx
0047E547 |. 8416 |||test byte ptr ds:[esi],dl ; fold in the next message bit
0047E549 |. 74 04 |||je short 屏录专家.0047E54F
0047E54B |. 66:35 2110 |||xor ax,0x1021
0047E54F |> D0EA |||shr dl,1 ; next bit
0047E551 |. 84D2 |||test dl,dl
0047E553 |.^ 75 E1 ||\jnz short 屏录专家.0047E536 ; 8 bits per byte
0047E555 |. 46 ||inc esi ; next byte
0047E556 |. 47 ||inc edi
0047E557 |. 3B7D 10 ||cmp edi,dword ptr ss:[ebp+0x10]
0047E55A |.^ 7C D7 |\jl short 屏录专家.0047E533
0047E55C |> 41 |inc ecx
0047E55D |. 81F9 A0860100 |cmp ecx,0x186A0 ; 100000 passes in total; only one of them does work
0047E563 |.^ 7C BF \jl short 屏录专家.0047E524 ; ------------------------------------
0047E565 |. 5F pop edi ; 0012E7CB
0047E566 |. 5E pop esi ; 0012E7CB
0047E567 |. 5D pop ebp ; 0012E7CB
0047E568 \. C3 retn ; result in ax
上面代码就是一堆循环嵌套,我在这里也不知道怎么说,用C语言或者别的语言描述也只是换一个形式,所以我在这里偷个懒,就用IDA F5一下。
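#include <stdint.h>

/*
 * IDA pseudocode of sub_47E518 ("CALL 1" above), cleaned up.
 *
 * a1: first cdecl argument (the [0x625EC4] value the caller pushes); never read.
 * a2: address of the byte buffer to checksum (the serial). The decompiler typed
 *     it as int because the target is a 32-bit binary; it is cast back to a
 *     pointer here, so the call is only meaningful where an int can hold a pointer.
 * a3: number of bytes to process (the caller passes serial length - 5).
 *     A count <= 0 processes nothing and returns 0.
 * Returns the 16-bit checksum, truncated to the declared __int16 (the caller
 * zero-extends ax: movzx ecx,ax).
 *
 * The per-bit step is the bitwise CRC-16 with polynomial 0x1021, initial value 0,
 * MSB first and no final XOR -- the CRC-16/XMODEM form; its catalogue check value
 * for "123456789" is 0x31C3.
 *
 * Changes against the raw decompile:
 *  - the register was a signed int doubled once per bit (`v3 *= 2`), which is
 *    undefined behaviour once bit 31 is reached, whereas the binary's `add eax,eax`
 *    simply wraps; only bits 0..15 are ever tested (`test ah,0x80`) or xored
 *    (`xor ax,0x1021`), so the register is kept as an unsigned 16-bit value;
 *  - the outer counter loop (do ... while (v4 < 100000), with the work gated on
 *    v4 == 45677) executes the byte loop exactly once and otherwise only counts;
 *    the result does not depend on it, so it is omitted.
 * A plain CRC is reproducible by anyone holding the binary: it detects typing
 * errors but cannot make the serial's tail unforgeable.
 */
#ifndef _MSC_VER
#define __int16 short
#define __cdecl
#endif

__int16 __cdecl sub_47E518(int a1, int a2, int a3)
{
    const unsigned char *p = (const unsigned char *)(uintptr_t)(unsigned int)a2;
    unsigned int crc = 0;              /* bits 0..15 hold the checksum register */
    int i;

    (void)a1;                          /* pushed by the caller, never used here */

    for (i = 0; i < a3; ++i) {
        unsigned int mask;
        for (mask = 0x80; mask != 0; mask >>= 1) {
            /* shift the register; if a 1 fell out of bit 15, feed the polynomial back */
            if (crc & 0x8000)
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF;
            else
                crc = (crc << 1) & 0xFFFF;
            /* then fold in the next message bit, most significant bit first */
            if (p[i] & mask)
                crc ^= 0x1021;
        }
    }
    return (__int16)crc;
}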
已经很明了了对吧!在这里我们就将真序列号的末尾五位找出来了,剩下的就是编程的事情了,我们继续往下。
00486AD2 > \66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0xEC
00486ADB . 8B15 C45E6200 mov edx,dword ptr ds:[0x625EC4] ; hdb
00486AE1 . 8D85 A4FAFFFF lea eax,dword ptr ss:[ebp-0x55C] ; ASCII "12345678901234567890123456789012345678901234530919"
00486AE7 . 50 push eax
00486AE8 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
00486AEB . 8B0A mov ecx,dword ptr ds:[edx]
00486AED . 51 push ecx
00486AEE . E8 49AFF7FF call 屏录专家.00401A3C
00486AF3 . 50 push eax
00486AF4 . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00486AFA . E8 A19DF9FF call 屏录专家.004208A0 ; 取比较字符串函数 ***
00486AFF . 83C4 0C add esp,0xC
00486B02 . 8D55 BC lea edx,dword ptr ss:[ebp-0x44] ; [EBP-0X44]装有比较字符串
00486B05 . 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
00486B08 . E8 93A71100 call 屏录专家.005A12A0 ; 给下面要用的重要字符串赋值
00486B0D . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00486B13 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
00486B16 . BA 02000000 mov edx,0x2
00486B1B . E8 50A71100 call 屏录专家.005A1270
00486B20 . 6A 14 push 0x14
00486B22 . 6A 00 push 0x0
00486B24 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]
00486B2A . 51 push ecx
00486B2B . E8 98BB1000 call 屏录专家.005926C8
00486B30 . 83C4 0C add esp,0xC
00486B33 . 33FF xor edi,edi
00486B35 . 6A 14 push 0x14
00486B37 . 6A 00 push 0x0
00486B39 . 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-0x100]
00486B3F . 50 push eax
00486B40 . E8 83BB1000 call 屏录专家.005926C8
00486B45 . 83C4 0C add esp,0xC
00486B48 . 8D95 BCFEFFFF lea edx,dword ptr ss:[ebp-0x144]
00486B4E . 6A 14 push 0x14
00486B50 . 6A 00 push 0x0
00486B52 . 52 push edx
00486B53 . E8 70BB1000 call 屏录专家.005926C8
00486B58 . 83C4 0C add esp,0xC
00486B5B . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0xF8
00486B64 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48]
00486B67 . E8 D0AEF7FF call 屏录专家.00401A3C
00486B6C . 8BD0 mov edx,eax
00486B6E . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00486B74 . 8B8D 48FFFFFF mov ecx,dword ptr ss:[ebp-0xB8] ; =》
00486B7A . 8B81 DC020000 mov eax,dword ptr ds:[ecx+0x2DC]
00486B80 . E8 97570D00 call 屏录专家.0055C31C ; 取用户名长度
00486B85 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48] ; 用户名地址存放到EAX
00486B88 . E8 13C3F7FF call 屏录专家.00402EA0 ; strcpy
00486B8D . 57 push edi ; 下面是验证用户名
00486B8E . 8BF8 mov edi,eax
00486B90 . 33C0 xor eax,eax
00486B92 . 83C9 FF or ecx,-0x1
00486B95 . F2:AE repne scas byte ptr es:[edi]
00486B97 . F7D1 not ecx ; 长度
00486B99 . 2BF9 sub edi,ecx
00486B9B . 8DB5 BCFEFFFF lea esi,dword ptr ss:[ebp-0x144]
00486BA1 . 87F7 xchg edi,esi
00486BA3 . 8BD1 mov edx,ecx
00486BA5 . 8BC7 mov eax,edi
00486BA7 . C1E9 02 shr ecx,0x2
00486BAA . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48] ; 用户名地址存放到EAX
00486BAD . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
00486BAF . 8BCA mov ecx,edx
00486BB1 . BA 02000000 mov edx,0x2
00486BB6 . 83E1 03 and ecx,0x3
00486BB9 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00486BBB . 5F pop edi ; 0012EE6C
00486BBC . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00486BC2 . E8 A9A61100 call 屏录专家.005A1270 ; strcpy
00486BC7 . C685 CFFEFFFF>mov byte ptr ss:[ebp-0x131],0x0
00486BCE . 8B85 48FFFFFF mov eax,dword ptr ss:[ebp-0xB8] ; EAX <- SS:[ebp-0xB8]
00486BD4 . 05 FC020000 add eax,0x2FC ; 为了取下面这个字符串的地址
00486BD9 . E8 C2C2F7FF call 屏录专家.00402EA0 ; ASCII "24471785785950322660"
00486BDE . 57 push edi
00486BDF . 8BF8 mov edi,eax
00486BE1 . 33C0 xor eax,eax
00486BE3 . 83C9 FF or ecx,-0x1
00486BE6 . F2:AE repne scas byte ptr es:[edi]
00486BE8 . F7D1 not ecx
00486BEA . 2BF9 sub edi,ecx ; 求上面号码长度
00486BEC . 8DB5 E8FEFFFF lea esi,dword ptr ss:[ebp-0x118]
00486BF2 . 87F7 xchg edi,esi
00486BF4 . 8BD1 mov edx,ecx
00486BF6 . 8BC7 mov eax,edi
00486BF8 . C1E9 02 shr ecx,0x2
00486BFB . 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-0x118]
00486C01 . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
00486C03 . 8BCA mov ecx,edx
00486C05 . 8D95 BCFEFFFF lea edx,dword ptr ss:[ebp-0x144] ; 用户名地址到edx
00486C0B . 83E1 03 and ecx,0x3
00486C0E . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>; 变换后的机器码到EAX
00486C10 . 5F pop edi ; edi清0
00486C11 . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00486C17 . 8995 1CFFFFFF mov dword ptr ss:[ebp-0xE4],edx
00486C1D . 8DB5 00FFFFFF lea esi,dword ptr ss:[ebp-0x100]
00486C23 . 33DB xor ebx,ebx
00486C25 > 8B8D 1CFFFFFF mov ecx,dword ptr ss:[ebp-0xE4] ; -----------------------------------
00486C2B . 8B95 18FFFFFF mov edx,dword ptr ss:[ebp-0xE8]
00486C31 . 8A01 mov al,byte ptr ds:[ecx]
00486C33 . 3202 xor al,byte ptr ds:[edx]
00486C35 . 83C4 F8 add esp,-0x8
00486C38 . 8806 mov byte ptr ds:[esi],al
00486C3A . 0FBE0E movsx ecx,byte ptr ds:[esi]
00486C3D . 898D A0F6FFFF mov dword ptr ss:[ebp-0x960],ecx ; 将得到的结果保存到某一局部变量
00486C43 . DB85 A0F6FFFF fild dword ptr ss:[ebp-0x960]
00486C49 . DD1C24 fstp qword ptr ss:[esp] ; 将上面得到的数值压栈继续参与进一步运算
00486C4C . E8 BF2B1100 call 屏录专家.00599810 ; 将上面的SN运算结果再次压入ST0
00486C51 . 83C4 08 add esp,0x8
00486C54 . 899D 9CF6FFFF mov dword ptr ss:[ebp-0x964],ebx ; EBX为循环魔数
00486C5A . DB85 9CF6FFFF fild dword ptr ss:[ebp-0x964] ; 将每次循环的魔数压入ST0
00486C60 . DEC9 fmulp st(1),st ; 每次的SN运算结果与魔数相乘 结果存ST0
00486C62 . 89BD 98F6FFFF mov dword ptr ss:[ebp-0x968],edi ; edi放入局部变量
00486C68 . DB85 98F6FFFF fild dword ptr ss:[ebp-0x968] ; 将EDI的值压入ST0 上次的结果存到ST1
00486C6E . DEC1 faddp st(1),st ; 将两次的结果相加,最终结果存到ST0
00486C70 . E8 C32B1100 call 屏录专家.00599838 ; 上面运算就是ST(0)=(SN ^ MachineCode) * Magic + EDI
00486C75 . 8BF8 mov edi,eax ; 上面那个CALL其实就是将结果的十六进制复制到EAX,再存到EDI中重复计算
00486C77 . 43 inc ebx
00486C78 . 46 inc esi
00486C79 . FF85 18FFFFFF inc dword ptr ss:[ebp-0xE8] ; 下一个
00486C7F . FF85 1CFFFFFF inc dword ptr ss:[ebp-0xE4] ; 下一个
00486C85 . 83FB 14 cmp ebx,0x14 ; 20次 机器码的长度
00486C88 .^ 7C 9B jl short 屏录专家.00486C25 ; -----------------------------------
00486C8A . 81C7 39300000 add edi,0x3039
00486C90 . 8D95 00FFFFFF lea edx,dword ptr ss:[ebp-0x100] ; ASCII "S]_BXZY\[85950322660"
00486C96 . 57 push edi ; 累加结果压栈
00486C97 . 68 A9E65E00 push 屏录专家.005EE6A9 ; %d
00486C9C . 52 push edx
00486C9D . E8 7EF11000 call 屏录专家.00595E20 ; =>关键CALL 用数字得到字符串
00486CA2 . 83C4 0C add esp,0xC ; ASCII "23521"
00486CA5 . 8D45 FC lea eax,dword ptr ss:[ebp-0x4] ; 将比较用的字符串地址赋给EAX
00486CA8 . E8 F3C1F7FF call 屏录专家.00402EA0 ; strcpy 将比较字符串地址赋给EAX
00486CAD . 57 push edi ; 5BE1
00486CAE . 8BF8 mov edi,eax ; EDI <- EAX
00486CB0 . 33C0 xor eax,eax
00486CB2 . 83C9 FF or ecx,-0x1
00486CB5 . F2:AE repne scas byte ptr es:[edi] ; 这里才是比较字符串的开始
00486CB7 . F7D1 not ecx ; 得到序列号1长度+\0长度
00486CB9 . 2BF9 sub edi,ecx ; 下标置到开始位置
00486CBB . 8DB5 A4FEFFFF lea esi,dword ptr ss:[ebp-0x15C]
00486CC1 . 87F7 xchg edi,esi ; 互换
00486CC3 . 8BD1 mov edx,ecx
00486CC5 . 8BC7 mov eax,edi
00486CC7 . C1E9 02 shr ecx,0x2
00486CCA . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
00486CD0 . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>; 初始化比较的内存变量
00486CD2 . 8BCA mov ecx,edx
00486CD4 . 83E1 03 and ecx,0x3
00486CD7 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>; 结束符一起
00486CD9 . 5F pop edi ; 0012EE6C
00486CDA . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00486CE0 . 8DB5 00FFFFFF lea esi,dword ptr ss:[ebp-0x100]
00486CE6 . 33DB xor ebx,ebx
00486CE8 > 8B95 18FFFFFF mov edx,dword ptr ss:[ebp-0xE8] ; -EDX装入字符串地址------------------------------
00486CEE . 0FBE06 movsx eax,byte ptr ds:[esi] ; "23521"
00486CF1 . 0FBE0A movsx ecx,byte ptr ds:[edx]
00486CF4 . 83C1 EC add ecx,-0x14 ; -0x14
00486CF7 . 3BC1 cmp eax,ecx ; 比较
00486CF9 . 0F85 80000000 jnz 屏录专家.00486D7F ; 跳转失败
00486CFF . 83FB 03 cmp ebx,0x3 ; 前3位正常比较,只要相等就不跳转失败 生成序列号前6位
00486D02 . 75 6A jnz short 屏录专家.00486D6E ; 比较下一个
00486D04 . 81C7 444D0000 add edi,0x4D44 ; 5BE1+4D44
00486D0A . 89BD A0F6FFFF mov dword ptr ss:[ebp-0x960],edi
00486D10 . DB85 A0F6FFFF fild dword ptr ss:[ebp-0x960] ; EDI结果压入ST(0)
00486D16 . DC0D 18754800 fmul qword ptr ds:[0x487518] ; 和3.14相乘
00486D1C . DB2D 20754800 fld tbyte ptr ds:[0x487520] ; 压入ST(0)
00486D22 . DEC9 fmulp st(1),st ; 相乘,结果放入ST(0)
00486D24 . E8 0F2B1100 call 屏录专家.00599838 ; 将上面相乘的浮点数结果放入EAX
00486D29 . 8BF8 mov edi,eax ; 上面搞那么多其实就是(5BE1+4D44)*上面两固定浮点数
00486D2B . 8BC7 mov eax,edi
00486D2D . B9 A0860100 mov ecx,0x186A0 ; 固定常数
00486D32 . 99 cdq ; 除法前准备
00486D33 . F7F9 idiv ecx ; 相除
00486D35 . 8BFA mov edi,edx ; 余数放入EDI
00486D37 . 33C0 xor eax,eax ; 清零EAX
00486D39 . 8985 3CFFFFFF mov dword ptr ss:[ebp-0xC4],eax ; 记住0012EC30这个地址
00486D3F . 33D2 xor edx,edx
00486D41 . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
00486D47 > 0FBE08 movsx ecx,byte ptr ds:[eax] ; ------
00486D4A . 018D 3CFFFFFF add dword ptr ss:[ebp-0xC4],ecx ; 累加字符串ASCII码存放在局部变量
00486D50 . 42 inc edx ; 计数器
00486D51 . 40 inc eax ; 源地址
00486D52 . 83FA 13 cmp edx,0x13 ; 比较十九次
00486D55 .^ 7C F0 jl short 屏录专家.00486D47 ; ------
00486D57 . 8B85 3CFFFFFF mov eax,dword ptr ss:[ebp-0xC4] ; 前19个字符串ASCII码累加的和放入EAX
00486D5D . B9 0A000000 mov ecx,0xA
00486D62 . 99 cdq ; 除法前准备
00486D63 . F7F9 idiv ecx ; 字符串的和除以0xA(有符号除法)
00486D65 . 83C2 30 add edx,0x30 ; 余数加0x30
00486D68 . 8995 3CFFFFFF mov dword ptr ss:[ebp-0xC4],edx ; 余数加0x30结果存在局部变量
00486D6E > 43 inc ebx
00486D6F . FF85 18FFFFFF inc dword ptr ss:[ebp-0xE8] ; 下一个字符
00486D75 . 46 inc esi
00486D76 . 83FB 05 cmp ebx,0x5
00486D79 .^ 0F8C 69FFFFFF jl 屏录专家.00486CE8 ; ----------------------------------------
00486D7F > 83FB 05 cmp ebx,0x5 ; 第5次比较
00486D82 . 0F8C BE060000 jl 屏录专家.00487446 ; 跳向失败
00486D88 . 0FBE85 B7FEFF>movsx eax,byte ptr ss:[ebp-0x149] ; 序列号第39、40位计算结果
00486D8F . 3B85 3CFFFFFF cmp eax,dword ptr ss:[ebp-0xC4] ; 与余数加0x30的结果比较
00486D95 . 74 09 je short 屏录专家.00486DA0
00486D97 . 83F8 41 cmp eax,0x41 ; 至少要大于或者等于A
00486D9A . 0F8C A6060000 jl 屏录专家.00487446 ; (eax != [ebp-c4]) && (eax < 65)
00486DA0 > 8BC7 mov eax,edi ; 浮点运算后得到的余数给EAX
00486DA2 . B9 0A000000 mov ecx,0xA ; ECX <- 0xA
00486DA7 . 99 cdq ; 准备除法
00486DA8 . F7F9 idiv ecx
00486DAA . 0FBE841D A4FE>movsx eax,byte ptr ss:[ebp+ebx-0x15C] ; 第六位字符赋给EAX
00486DB2 . 83C0 BF add eax,-0x41
00486DB5 . 2BC2 sub eax,edx
00486DB7 . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
00486DBD . 83BD 40FFFFFF>cmp dword ptr ss:[ebp-0xC0],0x0
00486DC4 . 74 0D je short 屏录专家.00486DD3 ; 为零则注册成功
00486DC6 . 83BD 40FFFFFF>cmp dword ptr ss:[ebp-0xC0],0x9
00486DCD . 0F85 EC050000 jnz 屏录专家.004873BF ; 跳转到注册失败
00486DD3 > 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x104
00486DDC . BA ACE65E00 mov edx,屏录专家.005EE6AC
00486DE1 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
00486DE4 . E8 37A11100 call 屏录专家.005A0F20
00486DE9 . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00486DEF . 8B00 mov eax,dword ptr ds:[eax]
00486DF1 . E8 F6000D00 call 屏录专家.00556EEC ; 弹出注册成功窗口
上面这一串代码就是具体的序列号算法了,我们先进入00486AFA这个CALL。
; ---------------------------------------------------------------------------
; sub_4208A0 -- called from 00486AFA with three cdecl arguments (the caller does
; add esp,0xC afterwards); it builds the 20-byte string that the loop at
; 00486CE8.. later compares the serial against.
; In:   [ebp+0x8]  = destination string object (written through 005A12A0)
;       [ebp+0xC]  = pushed by the caller, never read here
;       [ebp+0x10] = pointer to the serial (kept in ebx)
; Out:  [ebp+0x8] receives the zeroed work buffer when the serial is shorter
;       than 40 bytes, otherwise the 20 result bytes; eax/ecx/edx clobbered,
;       ebx/esi saved and restored.
; Locals: ss:[ebp-0x98] = 0x64-byte work buffer (cleared, then the first 40
;       serial characters, then overwritten in place with the 20 result bytes);
;       ss:[ebp-0xFC] = 3-byte pair buffer (two characters + NUL).
; Algorithm for a >= 40-byte input: swap characters 3/39, 5/26 and 10/32
; (1-based), then for pair k = 0..19:
;       result[k] = numeric value of (char[2k], char[2k+1]) + k + 9.
; The word stores to [ebp-0x24] and the inc/dec of [ebp-0x18] bracket every
; string-helper call and are not read by the algorithm; presumably runtime
; bookkeeping. fs:[0] (the SEH chain head) is restored from [ebp-0x34] on both
; exits; the matching frame setup is inside 00592AFC, which is not shown here.
; ---------------------------------------------------------------------------
004208A0 /$ 55 push ebp
004208A1 |. 8BEC mov ebp,esp
004208A3 |. 81C4 04FFFFFF add esp,-0xFC ; 0xFC bytes of locals
004208A9 |. B8 1C4F5E00 mov eax,屏录专家.005E4F1C
004208AE |. 53 push ebx
004208AF |. 56 push esi
004208B0 |. 8B5D 10 mov ebx,dword ptr ss:[ebp+0x10] ; 屏录专家.0052CAB0 -- ebx = serial (3rd argument)
004208B3 |. E8 44221700 call 屏录专家.00592AFC
004208B8 |. 66:C745 DC 08>mov word ptr ss:[ebp-0x24],0x8
004208BE |. 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
004208C1 |. E8 7611FEFF call 屏录专家.00401A3C
004208C6 |. FF45 E8 inc dword ptr ss:[ebp-0x18]
004208C9 |. 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-0x98] ; work buffer
004208CF |. 66:C745 DC 14>mov word ptr ss:[ebp-0x24],0x14
004208D5 |. 6A 64 push 0x64
004208D7 |. 6A 00 push 0x0
004208D9 |. 52 push edx
004208DA |. E8 E91D1700 call 屏录专家.005926C8 ; (work buffer, 0, 0x64) -- presumably memset: clears the buffer
004208DF |. 83C4 0C add esp,0xC
004208E2 |. 53 push ebx ; ASCII "61411660575831316345678906234569890163656786061208"
004208E3 |. E8 141F1700 call 屏录专家.005927FC ; length of the serial (the author identifies 005927FC as strlen-like)
004208E8 |. 59 pop ecx ; 屏录专家.00486AFF
004208E9 |. 83F8 28 cmp eax,0x28 ; at least 40 characters?
004208EC |. 73 64 jnb short 屏录专家.00420952 ; unsigned compare; long enough -> main path
004208EE |. 66:C745 DC 20>mov word ptr ss:[ebp-0x24],0x20 ; short input: hand the cleared buffer to the caller
004208F4 |. 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-0x98]
004208FA |. 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
004208FD |. E8 1E061800 call 屏录专家.005A0F20
00420902 |. 8BD0 mov edx,eax
00420904 |. FF45 E8 inc dword ptr ss:[ebp-0x18]
00420907 |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0042090A |. E8 91091800 call 屏录专家.005A12A0 ; assign to the output string (1st argument)
0042090F |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00420912 |. BA 02000000 mov edx,0x2
00420917 |. 66:C745 DC 2C>mov word ptr ss:[ebp-0x24],0x2C
0042091D |. 50 push eax
0042091E |. 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
00420921 |. FF4D E8 dec dword ptr ss:[ebp-0x18]
00420924 |. E8 47091800 call 屏录专家.005A1270
00420929 |. FF4D E8 dec dword ptr ss:[ebp-0x18]
0042092C |. 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
0042092F |. BA 02000000 mov edx,0x2
00420934 |. E8 37091800 call 屏录专家.005A1270
00420939 |. 58 pop eax ; 屏录专家.00486AFF
0042093A |. 66:C745 DC 20>mov word ptr ss:[ebp-0x24],0x20
00420940 |. FF45 E8 inc dword ptr ss:[ebp-0x18]
00420943 |. 8B55 CC mov edx,dword ptr ss:[ebp-0x34]
00420946 |. 64:8915 00000>mov dword ptr fs:[0],edx ; unlink the SEH frame
0042094D |. E9 24010000 jmp 屏录专家.00420A76
00420952 |> 6A 28 push 0x28 ; <- first 40 characters of the serial
00420954 |. 53 push ebx
00420955 |. 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
0042095B |. 51 push ecx
0042095C |. E8 F71C1700 call 屏录专家.00592658 ; strncpy, 40
00420961 |. 8A85 6AFFFFFF mov al,byte ptr ss:[ebp-0x96] ; 3rd character (index 2) -> AL
00420967 |. 8A55 8E mov dl,byte ptr ss:[ebp-0x72] ; 39th character (index 38) -> DL
0042096A |. 8895 6AFFFFFF mov byte ptr ss:[ebp-0x96],dl
00420970 |. 8845 8E mov byte ptr ss:[ebp-0x72],al ; the two stores above swap characters 3 and 39
00420973 |. 8A85 6CFFFFFF mov al,byte ptr ss:[ebp-0x94] ; 5th character (index 4)
00420979 |. 8A55 81 mov dl,byte ptr ss:[ebp-0x7F] ; 26th character (index 25)
0042097C |. 8895 6CFFFFFF mov byte ptr ss:[ebp-0x94],dl
00420982 |. 8845 81 mov byte ptr ss:[ebp-0x7F],al ; the two stores above swap characters 5 and 26
00420985 |. 8A85 71FFFFFF mov al,byte ptr ss:[ebp-0x8F] ; 10th character (index 9)
0042098B |. 8A55 87 mov dl,byte ptr ss:[ebp-0x79] ; 32nd character (index 31)
0042098E |. 8895 71FFFFFF mov byte ptr ss:[ebp-0x8F],dl ; character 32 -> position 10
00420994 |. 83C4 0C add esp,0xC
00420997 |. 33DB xor ebx,ebx ; ebx = character counter (the 10/32 swap completes on the next line)
00420999 |. 8845 87 mov byte ptr ss:[ebp-0x79],al ; character 10 -> position 32
0042099C |. 8DB5 68FFFFFF lea esi,dword ptr ss:[ebp-0x98] ; esi walks the swapped first 40 characters
004209A2 |> 8A06 /mov al,byte ptr ds:[esi] ; ------- loop over the characters in pairs --------------------
004209A4 |. 43 |inc ebx ; ebx is odd here: 1, 3, ..., 39
004209A5 |. 46 |inc esi ; advance the character pointer
004209A6 |. 8885 04FFFFFF |mov byte ptr ss:[ebp-0xFC],al ; first character of the pair
004209AC |. 8D45 F4 |lea eax,dword ptr ss:[ebp-0xC]
004209AF |. 8A16 |mov dl,byte ptr ds:[esi]
004209B1 |. 8895 05FFFFFF |mov byte ptr ss:[ebp-0xFB],dl ; second character of the pair
004209B7 |. 8D95 04FFFFFF |lea edx,dword ptr ss:[ebp-0xFC] ; ASCII "94" -- two consecutive characters are taken each time
004209BD |. C685 06FFFFFF>|mov byte ptr ss:[ebp-0xFA],0x0 ; NUL terminator of the pair
004209C4 |. 66:C745 DC 38>|mov word ptr ss:[ebp-0x24],0x38
004209CA |. E8 51051800 |call 屏录专家.005A0F20 ; roughly strncpy (author's note): string object from the pair
004209CF |. 8BD0 |mov edx,eax
004209D1 |. FF45 E8 |inc dword ptr ss:[ebp-0x18]
004209D4 |. 8D45 FC |lea eax,dword ptr ss:[ebp-0x4]
004209D7 |. E8 C4081800 |call 屏录专家.005A12A0 ; roughly strcpy (author's note): string assignment
004209DC |. FF4D E8 |dec dword ptr ss:[ebp-0x18]
004209DF |. 8D45 F4 |lea eax,dword ptr ss:[ebp-0xC]
004209E2 |. BA 02000000 |mov edx,0x2
004209E7 |. E8 84081800 |call 屏录专家.005A1270 ; strcpy (author's note)
004209EC |. 8D45 FC |lea eax,dword ptr ss:[ebp-0x4] ; the two-character string
004209EF |. E8 700C1800 |call 屏录专家.005A1664 ; eax = atoi(two-character string), per the author's note
004209F4 |. 8BD3 |mov edx,ebx ; edx = counter
004209F6 |. D1FA |sar edx,1 ; divide by 2 (signed: sar plus the adc fix-up below)
004209F8 |. 79 03 |jns short 屏录专家.004209FD
004209FA |. 83D2 00 |adc edx,0x0
004209FD |> 03C2 |add eax,edx ; eax = value + pair index
004209FF |. 43 |inc ebx ; bump the counter; ebx is even now: 2, 4, ..., 40
00420A00 |. 83C0 09 |add eax,0x9 ; eax = value + pair index + 9
00420A03 |. 46 |inc esi ; next serial character
00420A04 |. 83FB 28 |cmp ebx,0x28 ; compare with the 40-character length
00420A07 |. 888415 68FFFF>|mov byte ptr ss:[ebp+edx-0x98],al ; store the result byte at the pair index (a single byte)
00420A0E |.^ 7C 92 \jl short 屏录专家.004209A2 ; -------------------------------------
00420A10 |. C685 7CFFFFFF>mov byte ptr ss:[ebp-0x84],0x0 ; NUL after the 20 result bytes
00420A17 |. 66:C745 DC 44>mov word ptr ss:[ebp-0x24],0x44
00420A1D |. 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-0x98] ; edx = the comparison string
00420A23 |. 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00420A26 |. E8 F5041800 call 屏录专家.005A0F20
00420A2B |. 8BD0 mov edx,eax
00420A2D |. FF45 E8 inc dword ptr ss:[ebp-0x18]
00420A30 |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00420A33 |. E8 68081800 call 屏录专家.005A12A0 ; the comparison string is assigned to the output (1st argument)
00420A38 |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00420A3B |. BA 02000000 mov edx,0x2
00420A40 |. 66:C745 DC 50>mov word ptr ss:[ebp-0x24],0x50
00420A46 |. 50 push eax
00420A47 |. 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00420A4A |. FF4D E8 dec dword ptr ss:[ebp-0x18]
00420A4D |. E8 1E081800 call 屏录专家.005A1270
00420A52 |. FF4D E8 dec dword ptr ss:[ebp-0x18]
00420A55 |. 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
00420A58 |. BA 02000000 mov edx,0x2
00420A5D |. E8 0E081800 call 屏录专家.005A1270
00420A62 |. 58 pop eax ; 屏录专家.00486AFF
00420A63 |. 66:C745 DC 44>mov word ptr ss:[ebp-0x24],0x44
00420A69 |. FF45 E8 inc dword ptr ss:[ebp-0x18]
00420A6C |. 8B55 CC mov edx,dword ptr ss:[ebp-0x34]
00420A6F |. 64:8915 00000>mov dword ptr fs:[0],edx ; unlink the SEH frame
00420A76 |> 5E pop esi ; 屏录专家.00486AFF
00420A77 |. 5B pop ebx ; 屏录专家.00486AFF
00420A78 |. 8BE5 mov esp,ebp
00420A7A |. 5D pop ebp ; 屏录专家.00486AFF
00420A7B \. C3 retn
代码我都已经注释得很详细了,这一段代码就是先取假码的前40位序列号,然后用如下的规则进行简单的变换:
第3位与第39位互换
第5位与第26位互换
第10位与第32位互换
变换后,以每两个字符为单位,两两组合,然后再将这个组合而成的字符串当作十进制数进而转换成十六进制,所以最后得到二十位串,在这里我给出汇编语言的描述。
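comment#
CalcSerial -- MASM32 re-implementation of sub_4208A0 (the routine that builds the
20-byte comparison string from the first 40 characters of the serial).
lpszIn  : address of the input string; the first 40 characters are used
lpszOut : address of the output buffer; receives 20 characters plus NUL
Returns : nothing. All registers are preserved (pushad/popad).
Globals written: g_sixth = 6th output byte, g_character = 20th (last) output byte.
Note: the swaps 3<->39, 5<->26 and 10<->32 that sub_4208A0 performs are NOT done
here; lpszIn must already hold the swapped characters.
Fix: the result byte used to be stored with `mov [ecx+edi], eax`, a 4-byte store
into the BYTE array @szSerial, so the 20th iteration wrote one byte past the
array. The target stores a single byte (mov byte ptr ss:[ebp+edx-0x98],al at
00420A07), so a byte store is used now; the produced string is unchanged.
#
CalcSerial proc lpszIn, lpszOut
    local @szCh:DWORD                       ; two characters + NUL, fed to atol
    local @szBuffer[42]:BYTE                ; copy of the input (40 chars + NUL)
    local @szSerial[22]:BYTE                ; output: 20 bytes + NUL
    local @lpBuffer:DWORD
    local @lpSerial:DWORD
    local @i:DWORD                          ; character counter, mirrors ebx in sub_4208A0

    pushad
    invoke szCopy, lpszIn, addr @szBuffer   ; copy the first 40 serial characters
    invoke RtlZeroMemory, addr @szSerial, sizeof @szSerial
    lea ebx, @szBuffer                      ; ebx = input characters
    lea ecx, @szSerial                      ; ecx = output bytes
    xor esi, esi                            ; esi = input offset, steps by 2
    xor edi, edi                            ; edi = output offset, steps by 1
    xor edx, edx
    mov @i, 0
label1:
    inc @i                                  ; @i is odd here: 1, 3, ..., 39
    movzx eax, WORD ptr ds:[ebx+esi]        ; two characters; the zeroed upper bytes are the NUL
    mov @szCh, eax
    push ecx                                ; keep the output pointer across the call
    invoke atol, addr @szCh                 ; eax = decimal value of the pair
    pop ecx
    mov edx, @i
    sar edx, 1                              ; edx = @i / 2, signed like the target's sar/adc
    jns @F
    adc edx, 0
@@:
    add eax, edx                            ; value + pair index
    inc @i                                  ; @i is even now: 2, 4, ..., 40
    add eax, 9                              ; value + pair index + 9
    mov byte ptr [ecx+edi], al              ; byte store, as in the target
    .if @i == 0ch
        mov g_sixth, al                     ; 6th output byte, kept in a global for the rest of the program
    .endif
    inc edi
    add esi, 2
    cmp @i, 28h                             ; 40 characters = 20 pairs
    jl label1
    mov g_character, al                     ; last (20th) output byte
    invoke szCopy, addr @szSerial, lpszOut
    popad
    ret
CalcSerial endp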
上面的代码我都给出了详细的注释。
得到的就是类似这样的一串字符:FGIFEF7c>Ul,CZqYH_
继续向下,到了00486BD9 这里,就是变换我们在屏幕录像专家注册窗口上的机器码了,通过简单的对比很容易就得出它的转换规则如下:
取机器码前二十位
3位和19位交换
5位和16位交换
9位和12位交换
得到24471785785950322660
00486C25 > /8B8D 1CFFFFFF mov ecx,dword ptr ss:[ebp-0xE4] ; -----------------------------------
00486C2B . |8B95 18FFFFFF mov edx,dword ptr ss:[ebp-0xE8]
00486C31 . |8A01 mov al,byte ptr ds:[ecx]
00486C33 . |3202 xor al,byte ptr ds:[edx]
00486C35 . |83C4 F8 add esp,-0x8
00486C38 . |8806 mov byte ptr ds:[esi],al
00486C3A . |0FBE0E movsx ecx,byte ptr ds:[esi]
00486C3D . |898D A0F6FFFF mov dword ptr ss:[ebp-0x960],ecx ; 将得到的结果保存到某一局部变量
00486C43 . |DB85 A0F6FFFF fild dword ptr ss:[ebp-0x960]
00486C49 . |DD1C24 fstp qword ptr ss:[esp] ; 将上面得到的数值压栈继续参与进一步运算
00486C4C . |E8 BF2B1100 call 屏录专家.00599810 ; 将上面的SN运算结果再次压入ST0
00486C51 . |83C4 08 add esp,0x8
00486C54 . |899D 9CF6FFFF mov dword ptr ss:[ebp-0x964],ebx ; EBX为循环魔数
00486C5A . |DB85 9CF6FFFF fild dword ptr ss:[ebp-0x964] ; 将每次循环的魔数压入ST0
00486C60 . |DEC9 fmulp st(1),st ; 每次的SN运算结果与魔数相乘 结果存ST0
00486C62 . |89BD 98F6FFFF mov dword ptr ss:[ebp-0x968],edi ; edi放入局部变量
00486C68 . |DB85 98F6FFFF fild dword ptr ss:[ebp-0x968] ; 将EDI的值压入ST0 上次的结果存到ST1
00486C6E . |DEC1 faddp st(1),st ; 将两次的结果相加,最终结果存到ST0
00486C70 . |E8 C32B1100 call 屏录专家.00599838 ; 上面运算就是ST(0)=(SN ^ MachineCode) * Magic + EDI
00486C75 . |8BF8 mov edi,eax ; 上面那个CALL其实就是将结果的十六进制复制到EAX,再存到EDI中重复计算
00486C77 . |43 inc ebx
00486C78 . |46 inc esi
00486C79 . |FF85 18FFFFFF inc dword ptr ss:[ebp-0xE8] ; 下一个
00486C7F . |FF85 1CFFFFFF inc dword ptr ss:[ebp-0xE4] ; 下一个
00486C85 . |83FB 14 cmp ebx,0x14 ; 20次 机器码的长度
00486C88 .^\7C 9B jl short 屏录专家.00486C25 ; -----------------------------------
至于上面这一段,我几乎都注释满了,公式就是ST(0)=(SN ^ MachineCode) * Magic + EDI,就是一个简单的循环,如果对照注释还不懂的朋友就好好复习一下FPU指令。写注册机的朋友唯一要注意的就是这里面浮点数结果精度的控制。进入00486C70 这句的这个CALL,里面就将FPU控制字(FCW)的第10、11位(即RC位)置为11,所以最后的结果只取整数部分,不做四舍五入。
00599838 /$ 55 push ebp
00599839 |. 8BEC mov ebp,esp
0059983B |. 8D65 F4 lea esp,dword ptr ss:[ebp-0xC]
0059983E |. 9B wait
0059983F |. D97D FC fstcw word ptr ss:[ebp-0x4] ; 将FCW存到内存
00599842 |. 9B wait ; 异常检测
00599843 |. 8A45 FD mov al,byte ptr ss:[ebp-0x3] ; 将FCW的高字节保存到AL
00599846 |. 804D FD 0C or byte ptr ss:[ebp-0x3],0xC ; FCW高字节或上0xC
0059984A |. D96D FC fldcw word ptr ss:[ebp-0x4] ; 运算后的整个FCW压入FCW
0059984D |. DF7D F4 fistp qword ptr ss:[ebp-0xC] ; 将ST0的结果保存在栈内存中
00599850 |. 8845 FD mov byte ptr ss:[ebp-0x3],al
00599853 |. D96D FC fldcw word ptr ss:[ebp-0x4] ; 还原FCW
00599856 |. 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; 结果返回EAX
00599859 |. 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
0059985C |. 8BE5 mov esp,ebp
0059985E |. 5D pop ebp ; 0012EE6C
0059985F \. C3 retn
要注意的是:
;改变RC位为11
fstcw @cw
or @cw, 0000110000000000b
fldcw @cw
以上的浮点数运算部份会累积计算出一个数值,这个数值很关键,在这里我称它为加密数字。00486C9D 这个CALL就是通过这个加密数字计算出5个字符。
00595E20 /$ 55 push ebp
00595E21 |. 8BEC mov ebp,esp
00595E23 |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; ASCII "S]_BXZY\[85950322660"
00595E26 |. 8D4D 08 lea ecx,dword ptr ss:[ebp+0x8]
00595E29 |. C600 00 mov byte ptr ds:[eax],0x0
00595E2C |. 8D45 10 lea eax,dword ptr ss:[ebp+0x10]
00595E2F |. 50 push eax
00595E30 |. 6A 00 push 0x0
00595E32 |. 6A 00 push 0x0
00595E34 |. 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; 屏录专家.0052CAD1
00595E37 |. 52 push edx
00595E38 |. 51 push ecx
00595E39 |. 68 F85D5900 push 屏录专家.00595DF8
00595E3E |. E8 41040000 call 屏录专家.00596284 ; ->
00595E43 |. 83C4 18 add esp,0x18
00595E46 |. 5D pop ebp ; 屏录专家.00486CA2
00595E47 \. C3 retn
再次进入:
00596284 /$ 55 push ebp
00596285 |. 8BEC mov ebp,esp
00596287 |. 81C4 E0FAFFFF add esp,-0x520
0059628D |. 33C0 xor eax,eax
0059628F |. 53 push ebx
00596290 |. 56 push esi
00596291 |. 57 push edi
00596292 |. 8B75 10 mov esi,dword ptr ss:[ebp+0x10] ; ASCII "%d" 应该与进制转换有关
00596295 |. 8985 40FBFFFF mov dword ptr ss:[ebp-0x4C0],eax
0059629B |. 8985 3CFBFFFF mov dword ptr ss:[ebp-0x4C4],eax
005962A1 |. 8985 30FBFFFF mov dword ptr ss:[ebp-0x4D0],eax ; 堆
005962A7 |. 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
005962AA |. 8995 34FBFFFF mov dword ptr ss:[ebp-0x4CC],edx ; 屏录专家.005EE6A9
005962B0 |. 8B4D 0C mov ecx,dword ptr ss:[ebp+0xC] ; 屏录专家.005EE6A9
005962B3 |. 898D 38FBFFFF mov dword ptr ss:[ebp-0x4C8],ecx
005962B9 |. 837D 14 00 cmp dword ptr ss:[ebp+0x14],0x0
005962BD |. 74 05 je short 屏录专家.005962C4
005962BF |. 8D45 18 lea eax,dword ptr ss:[ebp+0x18]
005962C2 |. EB 02 jmp short 屏录专家.005962C6
005962C4 |> 33C0 xor eax,eax
005962C6 |> 8985 44FBFFFF mov dword ptr ss:[ebp-0x4BC],eax
005962CC |> 8A1E /mov bl,byte ptr ds:[esi]
005962CE |. 46 |inc esi
005962CF |. 84DB |test bl,bl
005962D1 |. 0F84 C1080000 |je 屏录专家.00596B98
005962D7 |. 80FB 25 |cmp bl,0x25 ; 判断'%'
005962DA |. 75 08 |jnz short 屏录专家.005962E4
005962DC |. 8A1E |mov bl,byte ptr ds:[esi] ; 判断'd'
005962DE |. 80FB 25 |cmp bl,0x25 ; 判断%d
005962E1 |. 75 38 |jnz short 屏录专家.0059631B
005962E3 |. 46 |inc esi
005962E4 |> 33C0 |xor eax,eax
005962E6 |. 8AC3 |mov al,bl
005962E8 |. F680 313A6300>|test byte ptr ds:[eax+0x633A31],0x4
005962EF |. 74 18 |je short 屏录专家.00596309
005962F1 |. 803E 00 |cmp byte ptr ds:[esi],0x0
005962F4 |. 74 13 |je short 屏录专家.00596309
005962F6 |. 8D95 E0FAFFFF |lea edx,dword ptr ss:[ebp-0x520]
005962FC |. 52 |push edx ; 屏录专家.005EE6A9
005962FD |. 53 |push ebx
005962FE |. E8 19FFFFFF |call 屏录专家.0059621C
00596303 |. 83C4 08 |add esp,0x8
00596306 |. 8A1E |mov bl,byte ptr ds:[esi]
00596308 |. 46 |inc esi
00596309 |> 8D85 E0FAFFFF |lea eax,dword ptr ss:[ebp-0x520]
0059630F |. 50 |push eax
00596310 |. 53 |push ebx
00596311 |. E8 06FFFFFF |call 屏录专家.0059621C
00596316 |. 83C4 08 |add esp,0x8
00596319 |.^ EB B1 |jmp short 屏录专家.005962CC
0059631B |> 8D56 FF |lea edx,dword ptr ds:[esi-0x1] ; ASCII "%d"
0059631E |. 33C0 |xor eax,eax
00596320 |. 8955 EC |mov dword ptr ss:[ebp-0x14],edx ; 屏录专家.005EE6A9
00596323 |. 33D2 |xor edx,edx ; 屏录专家.005EE6A9
00596325 |. 8955 F0 |mov dword ptr ss:[ebp-0x10],edx ; 屏录专家.005EE6A9
00596328 |. 83CA FF |or edx,-0x1
0059632B |. C645 F7 00 |mov byte ptr ss:[ebp-0x9],0x0
0059632F |. 8955 F8 |mov dword ptr ss:[ebp-0x8],edx ; 屏录专家.005EE6A9
00596332 |. 8955 FC |mov dword ptr ss:[ebp-0x4],edx ; 屏录专家.005EE6A9
00596335 |. 33C9 |xor ecx,ecx
00596337 |. BF 20000000 |mov edi,0x20
0059633C |. 894D E4 |mov dword ptr ss:[ebp-0x1C],ecx
0059633F |> 8A1E |/mov bl,byte ptr ds:[esi] ; Default case of switch 00596368
00596341 |. 46 ||inc esi
00596342 |. 80FB 20 ||cmp bl,0x20 ; 比较'd'
00596345 |. 0F8C 41080000 ||jl 屏录专家.00596B8C
0059634B |. 0FBED3 ||movsx edx,bl
0059634E |. 83FA 7F ||cmp edx,0x7F
00596351 |. 0F8F 35080000 ||jg 屏录专家.00596B8C ; 是否超过ASCII范围
00596357 |. 8BCB ||mov ecx,ebx
00596359 |. 80C1 E0 ||add cl,0xE0 ; cl=44 ('D')
0059635C |. 33D2 ||xor edx,edx ; 屏录专家.005EE6A9
0059635E |. 8AD1 ||mov dl,cl
00596360 |. 33C9 ||xor ecx,ecx
00596362 |. 8A8A B6266200 ||mov cl,byte ptr ds:[edx+0x6226B6] ; 密码表
00596368 |. 83F9 1A ||cmp ecx,0x1A ; Switch (cases 0..1A)
0059636B |.^ 77 D2 ||ja short 屏录专家.0059633F
0059636D |. FF248D 746359>||jmp dword ptr ds:[ecx*4+0x596374]
00596374 |. 00645900 ||dd 屏录专家.00596400 ; 分支表 被用于 0059636D
00596378 |. E0635900 ||dd 屏录专家.005963E0
0059637C |. 51645900 ||dd 屏录专家.00596451
00596380 |. F0635900 ||dd 屏录专家.005963F0
00596384 |. 9B645900 ||dd 屏录专家.0059649B
00596388 |. B1645900 ||dd 屏录专家.005964B1
0059638C |. 02655900 ||dd 屏录专家.00596502
00596390 |. 0F655900 ||dd 屏录专家.0059650F
00596394 |. 22655900 ||dd 屏录专家.00596522
00596398 |. 34645900 ||dd 屏录专家.00596434
0059639C |. DF655900 ||dd 屏录专家.005965DF
005963A0 |. B8655900 ||dd 屏录专家.005965B8
005963A4 |. C1655900 ||dd 屏录专家.005965C1
005963A8 |. CA655900 ||dd 屏录专家.005965CA
005963AC |. 2E675900 ||dd 屏录专家.0059672E
005963B0 |. A1685900 ||dd 屏录专家.005968A1
005963B4 |. 71675900 ||dd 屏录专家.00596771
005963B8 |. EC675900 ||dd 屏录专家.005967EC
005963BC |. 66675900 ||dd 屏录专家.00596766
005963C0 |. E1675900 ||dd 屏录专家.005967E1
005963C4 |. 2D6B5900 ||dd 屏录专家.00596B2D
005963C8 |. 8C6B5900 ||dd 屏录专家.00596B8C
005963CC |. 8C6B5900 ||dd 屏录专家.00596B8C
005963D0 |. 8C6B5900 ||dd 屏录专家.00596B8C
005963D4 |. 1A645900 ||dd 屏录专家.0059641A
005963D8 |. 27645900 ||dd 屏录专家.00596427
005963DC |. 35655900 ||dd 屏录专家.00596535
005963E0 |> 85C0 ||test eax,eax ; Case 1 of switch 00596368
005963E2 |. 0F8F A4070000 ||jg 屏录专家.00596B8C
005963E8 |. 83CF 01 ||or edi,0x1
005963EB |.^ E9 4FFFFFFF ||jmp 屏录专家.0059633F
005963F0 |> 85C0 ||test eax,eax ; Case 3 of switch 00596368
005963F2 |. 0F8F 94070000 ||jg 屏录专家.00596B8C
005963F8 |. 83CF 02 ||or edi,0x2
005963FB |.^ E9 3FFFFFFF ||jmp 屏录专家.0059633F
00596400 |> 85C0 ||test eax,eax ; Case 0 of switch 00596368
00596402 |. 0F8F 84070000 ||jg 屏录专家.00596B8C
00596408 |. 807D F7 2B ||cmp byte ptr ss:[ebp-0x9],0x2B
0059640C |.^ 0F84 2DFFFFFF ||je 屏录专家.0059633F
00596412 |. 885D F7 ||mov byte ptr ss:[ebp-0x9],bl
00596415 |.^ E9 25FFFFFF ||jmp 屏录专家.0059633F
0059641A |> 83E7 DF ||and edi,-0x21 ; Case 18 of switch 00596368
0059641D |. B8 05000000 ||mov eax,0x5
00596422 |.^ E9 18FFFFFF ||jmp 屏录专家.0059633F
00596427 |> 83CF 20 ||or edi,0x20 ; Case 19 of switch 00596368
0059642A |. B8 05000000 ||mov eax,0x5
0059642F |.^ E9 0BFFFFFF ||jmp 屏录专家.0059633F
00596434 |> 85C0 ||test eax,eax ; Case 9 of switch 00596368
00596436 |. 7F 79 ||jg short 屏录专家.005964B1
00596438 |. F7C7 02000000 ||test edi,0x2
0059643E |.^ 0F85 FBFEFFFF ||jnz 屏录专家.0059633F
00596444 |. 83CF 08 ||or edi,0x8
00596447 |. B8 01000000 ||mov eax,0x1
0059644C |.^ E9 EEFEFFFF ||jmp 屏录专家.0059633F
00596451 |> 8345 1C 04 ||add dword ptr ss:[ebp+0x1C],0x4 ; Case 2 of switch 00596368
00596455 |. 8B55 1C ||mov edx,dword ptr ss:[ebp+0x1C]
00596458 |. 83F8 02 ||cmp eax,0x2
0059645B |. 8B4A FC ||mov ecx,dword ptr ds:[edx-0x4]
0059645E |. 894D D0 ||mov dword ptr ss:[ebp-0x30],ecx
00596461 |. 7D 23 ||jge short 屏录专家.00596486
00596463 |. 837D D0 00 ||cmp dword ptr ss:[ebp-0x30],0x0
00596467 |. 7D 0D ||jge short 屏录专家.00596476
00596469 |. 8B45 D0 ||mov eax,dword ptr ss:[ebp-0x30] ; 屏录专家.0058DE55
0059646C |. F7D8 ||neg eax
0059646E |. 8945 FC ||mov dword ptr ss:[ebp-0x4],eax
00596471 |. 83CF 02 ||or edi,0x2
00596474 |. EB 06 ||jmp short 屏录专家.0059647C
00596476 |> 8B55 D0 ||mov edx,dword ptr ss:[ebp-0x30] ; 屏录专家.0058DE55
00596479 |. 8955 FC ||mov dword ptr ss:[ebp-0x4],edx ; 屏录专家.005EE6A9
0059647C |> B8 03000000 ||mov eax,0x3
00596481 |.^ E9 B9FEFFFF ||jmp 屏录专家.0059633F
00596486 |> 83F8 04 ||cmp eax,0x4
00596489 |. 0F85 FD060000 ||jnz 屏录专家.00596B8C
0059648F |. 8B55 D0 ||mov edx,dword ptr ss:[ebp-0x30] ; 屏录专家.0058DE55
00596492 |. 40 ||inc eax
00596493 |. 8955 F8 ||mov dword ptr ss:[ebp-0x8],edx ; 屏录专家.005EE6A9
00596496 |.^ E9 A4FEFFFF ||jmp 屏录专家.0059633F
0059649B |> 83F8 04 ||cmp eax,0x4 ; Case 4 of switch 00596368
0059649E |. 0F8D E8060000 ||jge 屏录专家.00596B8C
005964A4 |. B8 04000000 ||mov eax,0x4
005964A9 |. FF45 F8 ||inc dword ptr ss:[ebp-0x8]
005964AC |.^ E9 8EFEFFFF ||jmp 屏录专家.0059633F
005964B1 |> 80C3 D0 ||add bl,0xD0 ; Case 5 of switch 00596368
005964B4 |. 83F8 02 ||cmp eax,0x2
005964B7 |. 7F 2B ||jg short 屏录专家.005964E4
005964B9 |. 837D FC FF ||cmp dword ptr ss:[ebp-0x4],-0x1
005964BD |. B8 02000000 ||mov eax,0x2
005964C2 |. 75 0B ||jnz short 屏录专家.005964CF
005964C4 |. 0FBED3 ||movsx edx,bl
005964C7 |. 8955 FC ||mov dword ptr ss:[ebp-0x4],edx ; 屏录专家.005EE6A9
005964CA |.^ E9 70FEFFFF ||jmp 屏录专家.0059633F
005964CF |> 8B4D FC ||mov ecx,dword ptr ss:[ebp-0x4]
005964D2 |. 03C9 ||add ecx,ecx
005964D4 |. 8D0C89 ||lea ecx,dword ptr ds:[ecx+ecx*4]
005964D7 |. 0FBED3 ||movsx edx,bl
005964DA |. 03CA ||add ecx,edx ; 屏录专家.005EE6A9
005964DC |. 894D FC ||mov dword ptr ss:[ebp-0x4],ecx
005964DF |.^ E9 5BFEFFFF ||jmp 屏录专家.0059633F
005964E4 |> 83F8 04 ||cmp eax,0x4
005964E7 |. 0F85 9F060000 ||jnz 屏录专家.00596B8C
005964ED |. 8B4D F8 ||mov ecx,dword ptr ss:[ebp-0x8]
005964F0 |. 03C9 ||add ecx,ecx
005964F2 |. 8D0C89 ||lea ecx,dword ptr ds:[ecx+ecx*4]
005964F5 |. 0FBED3 ||movsx edx,bl
005964F8 |. 03CA ||add ecx,edx ; 屏录专家.005EE6A9
005964FA |. 894D F8 ||mov dword ptr ss:[ebp-0x8],ecx
005964FD |.^ E9 3DFEFFFF ||jmp 屏录专家.0059633F
00596502 |> 83CF 10 ||or edi,0x10 ; Case 6 of switch 00596368
00596505 |. B8 05000000 ||mov eax,0x5
0059650A |.^ E9 30FEFFFF ||jmp 屏录专家.0059633F
0059650F |> 81CF 00010000 ||or edi,0x100 ; Case 7 of switch 00596368
00596515 |. B8 05000000 ||mov eax,0x5
0059651A |. 83E7 EF ||and edi,-0x11
0059651D |.^ E9 1DFEFFFF ||jmp 屏录专家.0059633F
00596522 |> 81CF 00020000 ||or edi,0x200 ; Case 8 of switch 00596368
00596528 |. B8 05000000 ||mov eax,0x5
0059652D |. 83E7 EF ||and edi,-0x11
00596530 |.^ E9 0AFEFFFF ||jmp 屏录专家.0059633F
00596535 |> 803E 36 ||cmp byte ptr ds:[esi],0x36 ; Case 1A of switch 00596368
00596538 |. 75 1F ||jnz short 屏录专家.00596559
0059653A |. 807E 01 34 ||cmp byte ptr ds:[esi+0x1],0x34
0059653E |. 75 19 ||jnz short 屏录专家.00596559
00596540 |. 83C6 02 ||add esi,0x2
00596543 |. 81CF 00010000 ||or edi,0x100
00596549 |. 81E7 EFFDFFFF ||and edi,-0x211
0059654F |. B8 05000000 ||mov eax,0x5
00596554 |.^ E9 E6FDFFFF ||jmp 屏录专家.0059633F
00596559 |> 803E 33 ||cmp byte ptr ds:[esi],0x33
0059655C |. 75 1C ||jnz short 屏录专家.0059657A
0059655E |. 807E 01 32 ||cmp byte ptr ds:[esi+0x1],0x32
00596562 |. 75 16 ||jnz short 屏录专家.0059657A
00596564 |. 83C6 02 ||add esi,0x2
00596567 |. 83CF 10 ||or edi,0x10
0059656A |. 81E7 FFFCFFFF ||and edi,-0x301
00596570 |. B8 05000000 ||mov eax,0x5
00596575 |.^ E9 C5FDFFFF ||jmp 屏录专家.0059633F
0059657A |> 803E 31 ||cmp byte ptr ds:[esi],0x31
0059657D |. 75 1F ||jnz short 屏录专家.0059659E
0059657F |. 807E 01 36 ||cmp byte ptr ds:[esi+0x1],0x36
00596583 |. 75 19 ||jnz short 屏录专家.0059659E
00596585 |. 83C6 02 ||add esi,0x2
00596588 |. 81CF 00020000 ||or edi,0x200
0059658E |. 81E7 EFFEFFFF ||and edi,-0x111
00596594 |. B8 05000000 ||mov eax,0x5
00596599 |.^ E9 A1FDFFFF ||jmp 屏录专家.0059633F
0059659E |> 803E 38 ||cmp byte ptr ds:[esi],0x38
005965A1 |.^ 0F85 98FDFFFF ||jnz 屏录专家.0059633F
005965A7 |. 46 ||inc esi
005965A8 |. 81E7 EFFCFFFF ||and edi,-0x311
005965AE |. B8 05000000 ||mov eax,0x5
005965B3 |.^ E9 87FDFFFF |\jmp 屏录专家.0059633F
005965B8 |> C745 C8 08000>|mov dword ptr ss:[ebp-0x38],0x8 ; Case B of switch 00596368
005965BF |. EB 16 |jmp short 屏录专家.005965D7
005965C1 |> C745 C8 0A000>|mov dword ptr ss:[ebp-0x38],0xA ; Case C of switch 00596368
005965C8 |. EB 0D |jmp short 屏录专家.005965D7
005965CA |> C745 C8 10000>|mov dword ptr ss:[ebp-0x38],0x10 ; Case D of switch 00596368
005965D1 |. 8D53 E9 |lea edx,dword ptr ds:[ebx-0x17]
005965D4 |. 8855 E3 |mov byte ptr ss:[ebp-0x1D],dl
005965D7 |> C645 F7 00 |mov byte ptr ss:[ebp-0x9],0x0
005965DB |. 33C9 |xor ecx,ecx
005965DD |. EB 09 |jmp short 屏录专家.005965E8
005965DF |> C745 C8 0A000>|mov dword ptr ss:[ebp-0x38],0xA ; Case A of switch 00596368
005965E6 |. B1 01 |mov cl,0x1
005965E8 |> F7C7 00010000 |test edi,0x100
005965EE |. 74 18 |je short 屏录专家.00596608
005965F0 |. 8345 1C 08 |add dword ptr ss:[ebp+0x1C],0x8
005965F4 |. 8B45 1C |mov eax,dword ptr ss:[ebp+0x1C]
005965F7 |. 8B50 F8 |mov edx,dword ptr ds:[eax-0x8]
005965FA |. 8955 D8 |mov dword ptr ss:[ebp-0x28],edx ; 屏录专家.005EE6A9
005965FD |. 8B50 FC |mov edx,dword ptr ds:[eax-0x4] ; 屏录专家.005EE6A9
00596600 |. 8955 DC |mov dword ptr ss:[ebp-0x24],edx ; 屏录专家.005EE6A9
00596603 |. E9 90000000 |jmp 屏录专家.00596698
00596608 |> F7C7 10000000 |test edi,0x10
0059660E |. 74 2A |je short 屏录专家.0059663A
00596610 |. 8345 1C 04 |add dword ptr ss:[ebp+0x1C],0x4
00596614 |. 8B45 1C |mov eax,dword ptr ss:[ebp+0x1C]
00596617 |. 84C9 |test cl,cl
00596619 |. 8B50 FC |mov edx,dword ptr ds:[eax-0x4] ; 屏录专家.005EE6A9
0059661C |. 8955 D4 |mov dword ptr ss:[ebp-0x2C],edx ; 屏录专家.005EE6A9
0059661F |. 74 0C |je short 屏录专家.0059662D
00596621 |. 8B45 D4 |mov eax,dword ptr ss:[ebp-0x2C] ; 屏录专家.0063336C
00596624 |. 99 |cdq
00596625 |. 8945 D8 |mov dword ptr ss:[ebp-0x28],eax
00596628 |. 8955 DC |mov dword ptr ss:[ebp-0x24],edx ; 屏录专家.005EE6A9
0059662B |. EB 6B |jmp short 屏录专家.00596698
0059662D |> 8B45 D4 |mov eax,dword ptr ss:[ebp-0x2C] ; 屏录专家.0063336C
00596630 |. 33D2 |xor edx,edx ; 屏录专家.005EE6A9
00596632 |. 8945 D8 |mov dword ptr ss:[ebp-0x28],eax
00596635 |. 8955 DC |mov dword ptr ss:[ebp-0x24],edx ; 屏录专家.005EE6A9
00596638 |. EB 5E |jmp short 屏录专家.00596698
0059663A |> F7C7 00020000 |test edi,0x200
00596640 |. 74 2E |je short 屏录专家.00596670
00596642 |. 8345 1C 04 |add dword ptr ss:[ebp+0x1C],0x4
00596646 |. 8B45 1C |mov eax,dword ptr ss:[ebp+0x1C]
00596649 |. 84C9 |test cl,cl
0059664B |. 66:8B50 FC |mov dx,word ptr ds:[eax-0x4]
0059664F |. 66:8955 CE |mov word ptr ss:[ebp-0x32],dx
00596653 |. 74 0D |je short 屏录专家.00596662
00596655 |. 0FBF45 CE |movsx eax,word ptr ss:[ebp-0x32]
00596659 |. 99 |cdq
0059665A |. 8945 D8 |mov dword ptr ss:[ebp-0x28],eax
0059665D |. 8955 DC |mov dword ptr ss:[ebp-0x24],edx ; 屏录专家.005EE6A9
00596660 |. EB 36 |jmp short 屏录专家.00596698
00596662 |> 0FB745 CE |movzx eax,word ptr ss:[ebp-0x32]
00596666 |. 33D2 |xor edx,edx ; 屏录专家.005EE6A9
00596668 |. 8945 D8 |mov dword ptr ss:[ebp-0x28],eax
0059666B |. 8955 DC |mov dword ptr ss:[ebp-0x24],edx ; 屏录专家.005EE6A9
0059666E |. EB 28 |jmp short 屏录专家.00596698
00596670 |> 8345 1C 04 |add dword ptr ss:[ebp+0x1C],0x4 ; UNICODE "寡"
00596674 |. 8B45 1C |mov eax,dword ptr ss:[ebp+0x1C]
00596677 |. 84C9 |test cl,cl
00596679 |. 8B50 FC |mov edx,dword ptr ds:[eax-0x4] ; 5BE1
0059667C |. 8955 D0 |mov dword ptr ss:[ebp-0x30],edx ; 屏录专家.005EE6A9
0059667F |. 74 0C |je short 屏录专家.0059668D
00596681 |. 8B45 D0 |mov eax,dword ptr ss:[ebp-0x30] ; 5BE1 -> EAX
00596684 |. 99 |cdq ; 除法之前
00596685 |. 8945 D8 |mov dword ptr ss:[ebp-0x28],eax
00596688 |. 8955 DC |mov dword ptr ss:[ebp-0x24],edx ; 屏录专家.005EE6A9
0059668B |. EB 0B |jmp short 屏录专家.00596698
0059668D |> 8B45 D0 |mov eax,dword ptr ss:[ebp-0x30] ; 屏录专家.0058DE55
00596690 |. 33D2 |xor edx,edx ; 屏录专家.005EE6A9
00596692 |. 8945 D8 |mov dword ptr ss:[ebp-0x28],eax
00596695 |. 8955 DC |mov dword ptr ss:[ebp-0x24],edx ; 屏录专家.005EE6A9
00596698 |> 8D85 49FFFFFF |lea eax,dword ptr ss:[ebp-0xB7]
0059669E |. 8945 E8 |mov dword ptr ss:[ebp-0x18],eax
005966A1 |. 837D DC 00 |cmp dword ptr ss:[ebp-0x24],0x0
005966A5 |. 75 14 |jnz short 屏录专家.005966BB
005966A7 |. 837D D8 00 |cmp dword ptr ss:[ebp-0x28],0x0 ; 5BE1
005966AB |. 75 0E |jnz short 屏录专家.005966BB
005966AD |. 837D F8 00 |cmp dword ptr ss:[ebp-0x8],0x0
005966B1 |. 75 0B |jnz short 屏录专家.005966BE
005966B3 |. 8B55 E8 |mov edx,dword ptr ss:[ebp-0x18] ; 屏录专家.00595DF8
005966B6 |. C602 00 |mov byte ptr ds:[edx],0x0
005966B9 |. EB 1E |jmp short 屏录专家.005966D9
005966BB |> 83CF 04 |or edi,0x4
005966BE |> 8A45 E3 |mov al,byte ptr ss:[ebp-0x1D]
005966C1 |. 50 |push eax
005966C2 |. 51 |push ecx
005966C3 |. 8B55 C8 |mov edx,dword ptr ss:[ebp-0x38]
005966C6 |. 52 |push edx ; A入栈
005966C7 |. 8B4D E8 |mov ecx,dword ptr ss:[ebp-0x18] ; 屏录专家.00595DF8
005966CA |. 51 |push ecx
005966CB |. FF75 DC |push dword ptr ss:[ebp-0x24]
005966CE |. FF75 D8 |push dword ptr ss:[ebp-0x28] ; 5BE1
005966D1 |. E8 F2310000 |call 屏录专家.005998C8 ; 关键CALL
005966D6 |. 83C4 18 |add esp,0x18
005966D9 |> 837D F8 00 |cmp dword ptr ss:[ebp-0x8],0x0
005966DD |. 0F8C 19020000 |jl 屏录专家.005968FC
进入关键CALL:
005998C8 /$ 55 push ebp ; 用上次的和生成5个字符串
005998C9 |. 8BEC mov ebp,esp
005998CB |. 83C4 BC add esp,-0x44
005998CE |. 53 push ebx
005998CF |. 56 push esi ; 屏录专家.005EE6AB
005998D0 |. 57 push edi
005998D1 |. 8B7D 14 mov edi,dword ptr ss:[ebp+0x14] ; EDI <- A
005998D4 |. 8B75 10 mov esi,dword ptr ss:[ebp+0x10] ; 屏录专家.005EE6A9
005998D7 |. 83FF 02 cmp edi,0x2
005998DA |. 0F8C 8C000000 jl 屏录专家.0059996C
005998E0 |. 83FF 24 cmp edi,0x24
005998E3 |. 0F8F 83000000 jg 屏录专家.0059996C
005998E9 |. 837D 0C 00 cmp dword ptr ss:[ebp+0xC],0x0
005998ED |. 75 08 jnz short 屏录专家.005998F7
005998EF |. 837D 08 00 cmp dword ptr ss:[ebp+0x8],0x0 ; 做一些非0的验证
005998F3 |. 73 21 jnb short 屏录专家.00599916
005998F5 |. EB 02 jmp short 屏录专家.005998F9
005998F7 |> 7D 1D jge short 屏录专家.00599916
005998F9 |> 807D 18 00 cmp byte ptr ss:[ebp+0x18],0x0
005998FD |. 74 17 je short 屏录专家.00599916
005998FF |. C606 2D mov byte ptr ds:[esi],0x2D
00599902 |. 46 inc esi ; 屏录专家.005EE6AB
00599903 |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; 屏录专家.00595DF8
00599906 |. 8B55 0C mov edx,dword ptr ss:[ebp+0xC]
00599909 |. F7D8 neg eax
0059990B |. 83D2 00 adc edx,0x0
0059990E |. 8945 08 mov dword ptr ss:[ebp+0x8],eax
00599911 |. F7DA neg edx
00599913 |. 8955 0C mov dword ptr ss:[ebp+0xC],edx
00599916 |> 8D5D BC lea ebx,dword ptr ss:[ebp-0x44]
00599919 |> 8BC7 /mov eax,edi ; EAX <-A
0059991B |. 99 |cdq
0059991C |. 52 |push edx
0059991D |. 50 |push eax
0059991E |. 8B45 08 |mov eax,dword ptr ss:[ebp+0x8] ; 上一次运算得到的商放入EAX
00599921 |. 8B55 0C |mov edx,dword ptr ss:[ebp+0xC]
00599924 |. E8 B9FAFFFF |call 屏录专家.005993E2 ; ->
00599929 |. 8803 |mov byte ptr ds:[ebx],al ; 余数放入[EBX]
0059992B |. 8BC7 |mov eax,edi
0059992D |. 99 |cdq
0059992E |. 52 |push edx
0059992F |. 50 |push eax
00599930 |. 8B45 08 |mov eax,dword ptr ss:[ebp+0x8] ; 屏录专家.00595DF8
00599933 |. 8B55 0C |mov edx,dword ptr ss:[ebp+0xC]
00599936 |. 43 |inc ebx ; 存放余数的内存
00599937 |. E8 E3F9FFFF |call 屏录专家.0059931F
0059993C |. 8945 08 |mov dword ptr ss:[ebp+0x8],eax ; 商放入内存
0059993F |. 8955 0C |mov dword ptr ss:[ebp+0xC],edx
00599942 |. 83FA 00 |cmp edx,0x0
00599945 |.^ 75 D2 |jnz short 屏录专家.00599919
00599947 |. 83F8 00 |cmp eax,0x0 ; 商不为0
0059994A |.^ 75 CD \jnz short 屏录专家.00599919
0059994C |. EB 17 jmp short 屏录专家.00599965
0059994E |> 4B /dec ebx ; -------------------------------------------
0059994F |. 8A03 |mov al,byte ptr ds:[ebx] ; 逐个取得到的余数
00599951 |. 3C 0A |cmp al,0xA
00599953 |. 7D 08 |jge short 屏录专家.0059995D
00599955 |. 83C0 30 |add eax,0x30 ; 如果余数小于A
00599958 |. 8806 |mov byte ptr ds:[esi],al
0059995A |. 46 |inc esi ; 屏录专家.005EE6AB
0059995B |. EB 08 |jmp short 屏录专家.00599965
0059995D |> 0245 1C |add al,byte ptr ss:[ebp+0x1C]
00599960 |. 04 F6 |add al,0xF6
00599962 |. 8806 |mov byte ptr ds:[esi],al
00599964 |. 46 |inc esi ; 屏录专家.005EE6AB
00599965 |> 8D55 BC lea edx,dword ptr ss:[ebp-0x44]
00599968 |. 3BDA |cmp ebx,edx
0059996A |.^ 75 E2 \jnz short 屏录专家.0059994E ; -------------------------------------------
0059996C |> C606 00 mov byte ptr ds:[esi],0x0
0059996F |. 8B45 10 mov eax,dword ptr ss:[ebp+0x10] ; ASCII "23521" 结果存到EAX
00599972 |. 5F pop edi ; 屏录专家.005966D6
00599973 |. 5E pop esi ; 屏录专家.005966D6
00599974 |. 5B pop ebx ; 屏录专家.005966D6
00599975 |. 8BE5 mov esp,ebp
00599977 |. 5D pop ebp ; 屏录专家.005966D6
00599978 \. C3 retn
以上就是通过此加密数字生成五个字符,换句话说,就是通过机器码和用户名生成五个字符。
00486CDA . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00486CE0 . 8DB5 00FFFFFF lea esi,dword ptr ss:[ebp-0x100]
00486CE6 . 33DB xor ebx,ebx
00486CE8 > 8B95 18FFFFFF mov edx,dword ptr ss:[ebp-0xE8] ; -EDX装入字符串地址------------------------------
00486CEE . 0FBE06 movsx eax,byte ptr ds:[esi] ; "23521"
00486CF1 . 0FBE0A movsx ecx,byte ptr ds:[edx]
00486CF4 . 83C1 EC add ecx,-0x14 ; -0x14
00486CF7 . 3BC1 cmp eax,ecx ; 比较
00486CF9 . 0F85 80000000 jnz 屏录专家.00486D7F ; 跳转失败
00486CFF . 83FB 03 cmp ebx,0x3 ; 前3位正常比较,只要相等就不跳转失败 生成序列号前6位
00486D02 . 75 6A jnz short 屏录专家.00486D6E ; 比较下一个
00486D04 . 81C7 444D0000 add edi,0x4D44 ; 5BE1+4D44
00486D0A . 89BD A0F6FFFF mov dword ptr ss:[ebp-0x960],edi
00486D10 . DB85 A0F6FFFF fild dword ptr ss:[ebp-0x960] ; EDI结果压入ST(0)
00486D16 . DC0D 18754800 fmul qword ptr ds:[0x487518] ; 和3.14相乘
00486D1C . DB2D 20754800 fld tbyte ptr ds:[0x487520] ; 压入ST(0)
00486D22 . DEC9 fmulp st(1),st ; 相乘,结果放入ST(0)
00486D24 . E8 0F2B1100 call 屏录专家.00599838 ; 将上面相乘的浮点数结果放入EAX
00486D29 . 8BF8 mov edi,eax ; 上面搞那么多其实就是(5BE1+4D44)*上面两固定浮点数
00486D2B . 8BC7 mov eax,edi
00486D2D . B9 A0860100 mov ecx,0x186A0 ; 固定常数
00486D32 . 99 cdq ; 除法前准备
00486D33 . F7F9 idiv ecx ; 相除
00486D35 . 8BFA mov edi,edx ; 余数放入EDI
00486D37 . 33C0 xor eax,eax ; 清零EAX
00486D39 . 8985 3CFFFFFF mov dword ptr ss:[ebp-0xC4],eax ; 记住0012EC30这个地址
00486D3F . 33D2 xor edx,edx
00486D41 . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
00486D47 > 0FBE08 movsx ecx,byte ptr ds:[eax] ; ------
00486D4A . 018D 3CFFFFFF add dword ptr ss:[ebp-0xC4],ecx ; 累加字符串ASCII码存放在局部变量
00486D50 . 42 inc edx ; 计数器
00486D51 . 40 inc eax ; 源地址
00486D52 . 83FA 13 cmp edx,0x13 ; 比较十九次
00486D55 .^ 7C F0 jl short 屏录专家.00486D47 ; ------
00486D57 . 8B85 3CFFFFFF mov eax,dword ptr ss:[ebp-0xC4] ; 前19个字符串ASCII码累加的和放入EAX
00486D5D . B9 0A000000 mov ecx,0xA
00486D62 . 99 cdq ; 除法前准备
00486D63 . F7F9 idiv ecx ; 字符串的和除以0xA(有符号除法)
00486D65 . 83C2 30 add edx,0x30 ; 余数加0x30
00486D68 . 8995 3CFFFFFF mov dword ptr ss:[ebp-0xC4],edx ; 余数加0x30结果存在局部变量
00486D6E > 43 inc ebx
00486D6F . FF85 18FFFFFF inc dword ptr ss:[ebp-0xE8] ; 下一个字符
00486D75 . 46 inc esi
00486D76 . 83FB 05 cmp ebx,0x5
00486D79 .^ 0F8C 69FFFFFF jl 屏录专家.00486CE8 ; ----------------------------------------
以上就是通过用户名与机器码生成的五个字符,进而得到真正序列号的前十位。然后将序列号前四十位两两运算生成的二十位字符串进行累加,还有两个固定的浮点数参与运算,注释中写得很清楚。总结一下就是:
用加密数字生成一个字符串:用上次运算出来的和除以A,将每次得到的商和余数保存起来,再用上次的商除以A,如此下去直到商为0;
再将所有的余数取出,如果余数小于A,则余数+0x30
S]_BXZY\[85950322660 //用户名与机器码生成的密钥
SN1:hMZi1H_l6Ldq";Ri: //假码的前四十位运算得出
SN2:"23521" //用户名与机器码生成密钥时同时产生的累加数经过计算得出来的字符
魔数每次加2: 1/2=0 3/2=1 5/2=2 7/2=3 9/2=4 B/2=5
'2'
SN1==ASC(SN2)+0x14
0x32+0x14=0x46 "23944"
atoi(temp)+1/2+0x9=0x46
atoi(temp) = 0x3D
转十进制:"61"
'3'
0x33+0x14=0x47
atoi(temp)+3/2+0x9=0x47
atoi(temp)=0x3D
转十进制:"61"
'5'
0x35+0x14=0x49
atoi(temp)+5/2+0x9=0x49
atoi(temp)=0x40
转十进制:"62"
'2'
0x32+0x14=0x46
atoi(temp)+7/2+0x9=0x46
atoi(temp)=0x3C
转十进制:"58"
'1'
0x31+0x14=0x45
atoi(temp)+9/2+0x9=0x45
atoi(temp)=0x3A
转十进制:"56"
最终得到正确的前10位序列号:6161625856
好了,写文章太累了。由上面就得到了真正序列号的前十位,然后再通过那二十位长的字符串的第六位,用上面的规则反推出真正序列号的第十一、十二位。
00486D7F > \83FB 05 cmp ebx,0x5 ; 第5次比较
00486D82 . 0F8C BE060000 jl 屏录专家.00487446 ; 跳向失败
00486D88 . 0FBE85 B7FEFF>movsx eax,byte ptr ss:[ebp-0x149] ; 序列号第39、40位计算结果
00486D8F . 3B85 3CFFFFFF cmp eax,dword ptr ss:[ebp-0xC4] ; 与余数加0x30的结果比较
00486D95 . 74 09 je short 屏录专家.00486DA0
00486D97 . 83F8 41 cmp eax,0x41 ; 至少要大于或者等于A
00486D9A . 0F8C A6060000 jl 屏录专家.00487446 ; (eax != [ebp-c4]) && (eax < 65)
00486DA0 > 8BC7 mov eax,edi ; 浮点运算后得到的余数给EAX
00486DA2 . B9 0A000000 mov ecx,0xA ; ECX <- 0xA
00486DA7 . 99 cdq ; 准备除法
00486DA8 . F7F9 idiv ecx
00486DAA . 0FBE841D A4FE>movsx eax,byte ptr ss:[ebp+ebx-0x15C] ; 第六位字符赋给EAX
至此,真序列号的前十二位就出来了。然后随机生成三十三位字符,最后再通过前四十五位字符生成末尾五位字符,然后继续运行到弹出注册成功对话框继续向下。
00486DF1 . E8 F6000D00 call 屏录专家.00556EEC ; 弹出注册成功窗口
00486DF6 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00486DFC . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
00486DFF . BA 02000000 mov edx,0x2
00486E04 . E8 67A41100 call 屏录专家.005A1270
00486E09 . 8B0D C45E6200 mov ecx,dword ptr ds:[0x625EC4] ; hdb
00486E0F . 8B01 mov eax,dword ptr ds:[ecx]
00486E11 . C680 2C170000>mov byte ptr ds:[eax+0x172C],0x1
00486E18 . 68 00040000 push 0x400 ; /BufSize = 400 (1024.)
00486E1D . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C] ; |
00486E23 . 52 push edx ; |Buffer = 0012EC40
00486E24 . E8 37EC1200 call <jmp.&KERNEL32.GetWindowsDirectoryA>; \GetWindowsDirectoryA
00486E29 . 68 36E95E00 push 屏录专家.005EE936 ; /pmlxz7.dll
00486E2E . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-0x15C]
00486E34 . 51 push ecx
00486E35 . E8 32B91000 call 屏录专家.0059276C ; _strcat
00486E3A . 83C4 08 add esp,0x8
00486E3D . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
00486E43 . 50 push eax ; /FileName = 00000001 ???
00486E44 . E8 BBEA1200 call <jmp.&KERNEL32.DeleteFileA> ; \DeleteFileA
00486E49 . 68 00040000 push 0x400 ; /BufSize = 400 (1024.)
00486E4E . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C] ; |
00486E54 . 52 push edx ; |Buffer = 0012EC40
00486E55 . E8 06EC1200 call <jmp.&KERNEL32.GetWindowsDirectoryA>; \GetWindowsDirectoryA
00486E5A . 68 42E95E00 push 屏录专家.005EE942 ; /pmlxzj.dll
00486E5F . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-0x15C]
00486E65 . 51 push ecx
00486E66 . E8 01B91000 call 屏录专家.0059276C
00486E6B . 83C4 08 add esp,0x8
00486E6E . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
00486E74 . 50 push eax ; /FileName = 00000001 ???
00486E75 . E8 8AEA1200 call <jmp.&KERNEL32.DeleteFileA> ; \DeleteFileA
00486E7A . 8B15 C45E6200 mov edx,dword ptr ds:[0x625EC4] ; hdb
00486E80 . 8B02 mov eax,dword ptr ds:[edx]
00486E82 . 05 F01B0000 add eax,0x1BF0
00486E87 . E8 14C0F7FF call 屏录专家.00402EA0 ; //取安装路径
00486E8C . 8BF8 mov edi,eax
00486E8E . 33C0 xor eax,eax
00486E90 . 83C9 FF or ecx,-0x1
00486E93 . 8DB5 A4FEFFFF lea esi,dword ptr ss:[ebp-0x15C]
00486E99 . F2:AE repne scas byte ptr es:[edi]
00486E9B . F7D1 not ecx
00486E9D . 2BF9 sub edi,ecx
00486E9F . 8BD1 mov edx,ecx
00486EA1 . 87F7 xchg edi,esi
00486EA3 . C1E9 02 shr ecx,0x2
00486EA6 . 8BC7 mov eax,edi
00486EA8 . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
00486EAA . 8BCA mov ecx,edx
00486EAC . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
00486EB2 . 83E1 03 and ecx,0x3
00486EB5 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00486EB7 . 68 4EE95E00 push 屏录专家.005EE94E ; pmlxz7.dll
00486EBC . 50 push eax
00486EBD . E8 AAB81000 call 屏录专家.0059276C ; _strcat
00486EC2 . 83C4 08 add esp,0x8
00486EC5 . B2 01 mov dl,0x1
00486EC7 . A1 30805700 mov eax,dword ptr ds:[0x578030] ; 全局变量
00486ECC . E8 E799F8FF call 屏录专家.004108B8
00486ED1 . 8985 24FFFFFF mov dword ptr ss:[ebp-0xDC],eax
00486ED7 . 33D2 xor edx,edx
00486ED9 . 8995 20FFFFFF mov dword ptr ss:[ebp-0xE0],edx
00486EDF > 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x110
00486EE8 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x11C
00486EF1 . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C]
00486EF7 . 8D45 B0 lea eax,dword ptr ss:[ebp-0x50]
00486EFA . E8 21A01100 call 屏录专家.005A0F20
00486EFF . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00486F05 . 8B10 mov edx,dword ptr ds:[eax]
00486F07 . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC] ; gdi32.7697C0DD
00486F0D . 8B08 mov ecx,dword ptr ds:[eax]
00486F0F . FF51 58 call dword ptr ds:[ecx+0x58]
00486F12 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00486F18 . 8D45 B0 lea eax,dword ptr ss:[ebp-0x50]
00486F1B . BA 02000000 mov edx,0x2
00486F20 . E8 4BA31100 call 屏录专家.005A1270
00486F25 . EB 27 jmp short 屏录专家.00486F4E
00486F27 . 68 F4010000 push 0x1F4 ; /Timeout = 500. ms
00486F2C . E8 55EC1200 call <jmp.&KERNEL32.Sleep> ; \Sleep
00486F31 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x118
00486F3A . E8 CB701100 call 屏录专家.0059E00A
00486F3F . FF85 20FFFFFF inc dword ptr ss:[ebp-0xE0]
00486F45 . 83BD 20FFFFFF>cmp dword ptr ss:[ebp-0xE0],0xA
00486F4C .^ 7C 91 jl short 屏录专家.00486EDF
00486F4E > 83BD 20FFFFFF>cmp dword ptr ss:[ebp-0xE0],0xA
00486F55 . 0F8C CA000000 jl 屏录专家.00487025
00486F5B . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x128
00486F64 . BA 59E95E00 mov edx,屏录专家.005EE959 ; 注册文件保存失败,请重新注册试一次。如果还是有问题请联系QQ178046113
00486F69 . 8D45 AC lea eax,dword ptr ss:[ebp-0x54]
00486F6C . E8 AF9F1100 call 屏录专家.005A0F20
00486F71 . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00486F77 . 8B00 mov eax,dword ptr ds:[eax]
00486F79 . E8 6EFF0C00 call 屏录专家.00556EEC
00486F7E . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00486F84 . 8D45 AC lea eax,dword ptr ss:[ebp-0x54]
00486F87 . BA 02000000 mov edx,0x2
00486F8C . E8 DFA21100 call 屏录专家.005A1270
00486F91 . 8B9D 24FFFFFF mov ebx,dword ptr ss:[ebp-0xDC] ; gdi32.7697C0DD
00486F97 . 895D A4 mov dword ptr ss:[ebp-0x5C],ebx
00486F9A . 85DB test ebx,ebx
00486F9C . 74 24 je short 屏录专家.00486FC2
00486F9E . 8B03 mov eax,dword ptr ds:[ebx]
00486FA0 . 8945 A8 mov dword ptr ss:[ebp-0x58],eax
00486FA3 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x140
00486FAC . BA 03000000 mov edx,0x3
00486FB1 . 8B45 A4 mov eax,dword ptr ss:[ebp-0x5C]
00486FB4 . 8B08 mov ecx,dword ptr ds:[eax]
00486FB6 . FF51 FC call dword ptr ds:[ecx-0x4]
00486FB9 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x134
00486FC2 > 8B95 48FFFFFF mov edx,dword ptr ss:[ebp-0xB8]
00486FC8 . C682 F8020000>mov byte ptr ds:[edx+0x2F8],0x1
00486FCF . 8B85 48FFFFFF mov eax,dword ptr ss:[ebp-0xB8]
00486FD5 . E8 E2160C00 call 屏录专家.005486BC
00486FDA . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00486FE0 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00486FE3 . BA 02000000 mov edx,0x2
00486FE8 . E8 83A21100 call 屏录专家.005A1270
00486FED . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00486FF3 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
00486FF6 . BA 02000000 mov edx,0x2
00486FFB . E8 70A21100 call 屏录专家.005A1270
00487000 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00487006 . 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
00487009 . BA 02000000 mov edx,0x2
0048700E . E8 5DA21100 call 屏录专家.005A1270
00487013 . 8B8D 4CFFFFFF mov ecx,dword ptr ss:[ebp-0xB4]
00487019 . 64:890D 00000>mov dword ptr fs:[0],ecx
00487020 . E9 EB040000 jmp 屏录专家.00487510
00487025 > 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x14C
0048702E . BA 9CE95E00 mov edx,屏录专家.005EE99C
00487033 . 8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
00487036 . E8 E59E1100 call 屏录专家.005A0F20
0048703B . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
00487041 . 33D2 xor edx,edx
00487043 . 8B08 mov ecx,dword ptr ds:[eax]
00487045 . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC] ; gdi32.7697C0DD
0048704B . 8B18 mov ebx,dword ptr ds:[eax]
0048704D . FF53 20 call dword ptr ds:[ebx+0x20]
00487050 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00487056 . 8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
00487059 . BA 02000000 mov edx,0x2
0048705E . E8 0DA21100 call 屏录专家.005A1270
00487063 . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x158
0048706C . 8D45 9C lea eax,dword ptr ss:[ebp-0x64]
0048706F . E8 C8A9F7FF call 屏录专家.00401A3C
00487074 . 8BD0 mov edx,eax
00487076 . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
0048707C . 8B8D 48FFFFFF mov ecx,dword ptr ss:[ebp-0xB8]
00487082 . 8B81 DC020000 mov eax,dword ptr ds:[ecx+0x2DC]
00487088 . E8 8F520D00 call 屏录专家.0055C31C ; GetText
0048708D . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC] ; gdi32.7697C0DD
00487093 . 8D4D 9C lea ecx,dword ptr ss:[ebp-0x64]
00487096 . BA 01000000 mov edx,0x1
0048709B . 8B18 mov ebx,dword ptr ds:[eax]
0048709D . 8B09 mov ecx,dword ptr ds:[ecx] ; ASCII "aikuimail"
0048709F . FF53 20 call dword ptr ds:[ebx+0x20]
004870A2 . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
004870A8 . 8D45 9C lea eax,dword ptr ss:[ebp-0x64]
004870AB . BA 02000000 mov edx,0x2
004870B0 . E8 BBA11100 call 屏录专家.005A1270
004870B5 . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC] ; gdi32.7697C0DD
004870BB . 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC] ; ASCII "61613258595658034567890126456786016345671234535568"
004870BE . BA 02000000 mov edx,0x2
004870C3 . 8B18 mov ebx,dword ptr ds:[eax]
004870C5 . FF53 20 call dword ptr ds:[ebx+0x20]
004870C8 . A1 C45E6200 mov eax,dword ptr ds:[0x625EC4] ; hdb
004870CD . 8B10 mov edx,dword ptr ds:[eax]
004870CF . 80BA F40F0000>cmp byte ptr ds:[edx+0xFF4],0x1
004870D6 . 0F85 B4000000 jnz 屏录专家.00487190
004870DC . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC] ; gdi32.7697C0DD
004870E2 . 8B10 mov edx,dword ptr ds:[eax]
004870E4 . FF52 14 call dword ptr ds:[edx+0x14]
004870E7 . 83F8 03 cmp eax,0x3
004870EA . 7E 56 jle short 屏录专家.00487142
004870EC . 66:C785 5CFFF>mov word ptr ss:[ebp-0xA4],0x164
004870F5 . 8B0D C45E6200 mov ecx,dword ptr ds:[0x625EC4] ; hdb
004870FB . 8B01 mov eax,dword ptr ds:[ecx]
004870FD . 50 push eax
004870FE . 8D45 98 lea eax,dword ptr ss:[ebp-0x68]
00487101 . E8 36A9F7FF call 屏录专家.00401A3C
00487106 . 50 push eax
00487107 . FF85 68FFFFFF inc dword ptr ss:[ebp-0x98]
0048710D . E8 BA040000 call 屏录专家.004875CC ; 产生序列号
00487112 . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC] ; gdi32.7697C0DD
00487118 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0048711B . 83C4 08 add esp,0x8
0048711E . BA 03000000 mov edx,0x3
00487123 . 8B18 mov ebx,dword ptr ds:[eax]
00487125 . 8B09 mov ecx,dword ptr ds:[ecx] ; ASCII "22222785785950322660"
00487127 . FF53 20 call dword ptr ds:[ebx+0x20]
0048712A . FF8D 68FFFFFF dec dword ptr ss:[ebp-0x98]
00487130 . 8D45 98 lea eax,dword ptr ss:[ebp-0x68]
00487133 . BA 02000000 mov edx,0x2
上面这一大片代码毫无亮点,我把它贴出来只是想简单说一下它重启后的文件验证流程。执行到 0048710D 这里,进入这个CALL:
[Asm] 纯文本查看 复制代码 004875CC /$ 55 push ebp
004875CD |. 8BEC mov ebp,esp
004875CF |. 81C4 D8FBFFFF add esp,-0x428
004875D5 |. B8 74F05E00 mov eax,屏录专家.005EF074
004875DA |. 53 push ebx
004875DB |. 56 push esi
004875DC |. 8B5D 0C mov ebx,dword ptr ss:[ebp+0xC] ; 屏录专家.0052CAD1
004875DF |. E8 18B51000 call 屏录专家.00592AFC
004875E4 |. 68 00040000 push 0x400
004875E9 |. 6A 00 push 0x0
004875EB |. 8D95 D8FBFFFF lea edx,dword ptr ss:[ebp-0x428]
004875F1 |. 52 push edx
004875F2 |. E8 D1B01000 call 屏录专家.005926C8 ; //清零内存
004875F7 |. 83C4 0C add esp,0xC
004875FA |. 8D8D D8FBFFFF lea ecx,dword ptr ss:[ebp-0x428]
00487600 |. 51 push ecx
00487601 |. 53 push ebx
00487602 |. E8 6D76FFFF call 屏录专家.0047EC74 ; WD-WXA1A25H 硬盘号
00487607 |. 83C4 08 add esp,0x8
0048760A |. 33DB xor ebx,ebx
0048760C |. 8D8D D8FBFFFF lea ecx,dword ptr ss:[ebp-0x428] ; ASCII " WD-WXA1A25HHLLF"
00487612 |> 0FBE01 /movsx eax,byte ptr ds:[ecx]
00487615 |. 99 |cdq
00487616 |. BE 0A000000 |mov esi,0xA
0048761B |. 43 |inc ebx
0048761C |. F7FE |idiv esi
0048761E |. 8BC2 |mov eax,edx
00487620 |. 83C0 30 |add eax,0x30
00487623 |. 8801 |mov byte ptr ds:[ecx],al
00487625 |. 41 |inc ecx
00487626 |. 83FB 14 |cmp ebx,0x14
00487629 |.^ 7C E7 \jl short 屏录专家.00487612
0048762B |. 66:C745 E8 08>mov word ptr ss:[ebp-0x18],0x8
00487631 |. 8D95 D8FBFFFF lea edx,dword ptr ss:[ebp-0x428] ; 机器码结果
00487637 |. 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
0048763A |. E8 E1981100 call 屏录专家.005A0F20 ; strcpy
0048763F |. 8BD0 mov edx,eax
00487641 |. FF45 F4 inc dword ptr ss:[ebp-0xC]
00487644 |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00487647 |. E8 549C1100 call 屏录专家.005A12A0 ; strcpy
0048764C |. 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0048764F |. BA 02000000 mov edx,0x2
00487654 |. 66:C745 E8 14>mov word ptr ss:[ebp-0x18],0x14
0048765A |. 50 push eax
0048765B |. 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
0048765E |. FF4D F4 dec dword ptr ss:[ebp-0xC]
00487661 |. E8 0A9C1100 call 屏录专家.005A1270 ; strcpy
00487666 |. 58 pop eax ; 0012EE6C
00487667 |. 66:C745 E8 08>mov word ptr ss:[ebp-0x18],0x8
0048766D |. FF45 F4 inc dword ptr ss:[ebp-0xC]
00487670 |. 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
00487673 |. 64:8915 00000>mov dword ptr fs:[0],edx
0048767A |. 5E pop esi ; 0012EE6C
0048767B |. 5B pop ebx ; 0012EE6C
0048767C |. 8BE5 mov esp,ebp
0048767E |. 5D pop ebp ; 0012EE6C
0048767F \. C3 retn
这个函数就是取得硬盘号,然后通过这个小循环,用硬盘号计算出一串数字,并保存到安装目录里面的pmlxz7.dll文件中,我们用WINHEX打开这个文件。
然后我们再搜索"pmlxz7.dll"字符串并全部下断,重新启动后将断下:
[Asm] 纯文本查看 复制代码 0041DCE7 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041DCED . E8 7E351800 call 屏录专家.005A1270
0041DCF2 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041DCF8 . 8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-0x154]
0041DCFE . BA 02000000 mov edx,0x2
0041DD03 . E8 68351800 call 屏录专家.005A1270 ; //读取pmlxz7.dll里面的序列号
0041DD08 . 59 pop ecx ; 01A62378
0041DD09 . 85C9 test ecx,ecx ; ntdll.76FCAE0D
0041DD0B . 0F84 28020000 je 屏录专家.0041DF39
0041DD11 . 8B85 90FDFFFF mov eax,dword ptr ss:[ebp-0x270]
0041DD17 . 8B10 mov edx,dword ptr ds:[eax]
0041DD19 . FF52 14 call dword ptr ds:[edx+0x14]
0041DD1C . 83F8 03 cmp eax,0x3
0041DD1F . 7E 58 jle short 屏录专家.0041DD79
0041DD21 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x344
0041DD2A . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
0041DD30 . E8 073DFEFF call 屏录专家.00401A3C
0041DD35 . 8BC8 mov ecx,eax
0041DD37 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041DD3D . BA 03000000 mov edx,0x3
0041DD42 . 8B85 90FDFFFF mov eax,dword ptr ss:[ebp-0x270]
0041DD48 . 8B18 mov ebx,dword ptr ds:[eax]
0041DD4A . FF53 0C call dword ptr ds:[ebx+0xC] ; //读取pmlxz7.dll里面的机器码
0041DD4D . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C]
0041DD53 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DD59 . 05 F00F0000 add eax,0xFF0
0041DD5E . E8 3D351800 call 屏录专家.005A12A0 ; //拷贝机器码
0041DD63 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041DD69 . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]
0041DD6F . BA 02000000 mov edx,0x2
0041DD74 . E8 F7341800 call 屏录专家.005A1270 ; //机器码到EDX
0041DD79 > 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041DD7F . C681 2C170000>mov byte ptr ds:[ecx+0x172C],0x1
0041DD86 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x350
0041DD8F . 8D85 A0FEFFFF lea eax,dword ptr ss:[ebp-0x160]
0041DD95 . E8 A23CFEFF call 屏录专家.00401A3C
0041DD9A . 8BC8 mov ecx,eax
0041DD9C . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041DDA2 . BA 01000000 mov edx,0x1
0041DDA7 . 8B85 90FDFFFF mov eax,dword ptr ss:[ebp-0x270]
0041DDAD . 8B18 mov ebx,dword ptr ds:[eax]
0041DDAF . FF53 0C call dword ptr ds:[ebx+0xC] ; //获取到用户名
0041DDB2 . 8D95 A0FEFFFF lea edx,dword ptr ss:[ebp-0x160]
0041DDB8 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DDBE . 05 1C170000 add eax,0x171C
0041DDC3 . E8 D8341800 call 屏录专家.005A12A0
0041DDC8 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041DDCE . 8D85 A0FEFFFF lea eax,dword ptr ss:[ebp-0x160]
0041DDD4 . BA 02000000 mov edx,0x2
0041DDD9 . E8 92341800 call 屏录专家.005A1270 ; //用户名到EDX
0041DDDE . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x35C
0041DDE7 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041DDED . 8B15 68646200 mov edx,dword ptr ds:[_MainForm]
0041DDF3 . 8B81 1C170000 mov eax,dword ptr ds:[ecx+0x171C]
0041DDF9 . 50 push eax ; 用户名压栈
0041DDFA . 8D85 9CFEFFFF lea eax,dword ptr ss:[ebp-0x164]
0041DE00 . 52 push edx
0041DE01 . E8 363CFEFF call 屏录专家.00401A3C ; 清零内存
0041DE06 . 50 push eax
0041DE07 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041DE0D . E8 5E290000 call 屏录专家.00420770 ; //拷贝用户名
0041DE12 . 83C4 0C add esp,0xC
0041DE15 . 8D95 9CFEFFFF lea edx,dword ptr ss:[ebp-0x164]
0041DE1B . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DE21 . 05 18170000 add eax,0x1718
0041DE26 . E8 75341800 call 屏录专家.005A12A0 ; //拷贝用户名
0041DE2B . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041DE31 . 8D85 9CFEFFFF lea eax,dword ptr ss:[ebp-0x164]
0041DE37 . BA 02000000 mov edx,0x2
0041DE3C . E8 2F341800 call 屏录专家.005A1270
0041DE41 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x368
0041DE4A . 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-0x168]
0041DE50 . E8 E73BFEFF call 屏录专家.00401A3C
0041DE55 . 8BC8 mov ecx,eax
0041DE57 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041DE5D . BA 02000000 mov edx,0x2
0041DE62 . 8B85 90FDFFFF mov eax,dword ptr ss:[ebp-0x270]
0041DE68 . 8B18 mov ebx,dword ptr ds:[eax]
0041DE6A . FF53 0C call dword ptr ds:[ebx+0xC] ; //拷贝序列号
0041DE6D . 8D95 98FEFFFF lea edx,dword ptr ss:[ebp-0x168]
0041DE73 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DE79 . 05 28170000 add eax,0x1728
0041DE7E . E8 1D341800 call 屏录专家.005A12A0 ; //拷贝序列号
0041DE83 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041DE89 . 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-0x168]
0041DE8F . BA 02000000 mov edx,0x2
0041DE94 . E8 D7331800 call 屏录专家.005A1270 ; //清空缓冲区
0041DE99 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041DE9F . B2 01 mov dl,0x1
0041DEA1 . 8B81 50050000 mov eax,dword ptr ds:[ecx+0x550]
0041DEA7 . E8 C4581100 call 屏录专家.00533770
0041DEAC . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041DEB2 . 8B81 70050000 mov eax,dword ptr ds:[ecx+0x570]
0041DEB8 . B2 01 mov dl,0x1
0041DEBA . 8B08 mov ecx,dword ptr ds:[eax]
0041DEBC . FF51 5C call dword ptr ds:[ecx+0x5C]
0041DEBF . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DEC5 . 8B80 6C050000 mov eax,dword ptr ds:[eax+0x56C]
0041DECB . B2 01 mov dl,0x1
0041DECD . 8B08 mov ecx,dword ptr ds:[eax]
0041DECF . FF51 5C call dword ptr ds:[ecx+0x5C]
0041DED2 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x374
0041DEDB . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DEE1 . 05 28170000 add eax,0x1728
0041DEE6 . E8 B54FFEFF call 屏录专家.00402EA0 ; ASCII "61613258595658034567890126456786016345671234535568"
0041DEEB . 50 push eax
0041DEEC . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
0041DEF2 . 8B95 A4FDFFFF mov edx,dword ptr ss:[ebp-0x25C]
0041DEF8 . 52 push edx
0041DEF9 . E8 3E3BFEFF call 屏录专家.00401A3C
0041DEFE . 50 push eax
0041DEFF . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041DF05 . E8 96290000 call 屏录专家.004208A0
0041DF0A . 83C4 0C add esp,0xC
0041DF0D . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-0x16C]
0041DF13 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DF19 . 05 24170000 add eax,0x1724
0041DF1E . E8 7D331800 call 屏录专家.005A12A0
0041DF23 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041DF29 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
0041DF2F . BA 02000000 mov edx,0x2
0041DF34 . E8 37331800 call 屏录专家.005A1270
0041DF39 > 8B8D 90FDFFFF mov ecx,dword ptr ss:[ebp-0x270]
0041DF3F . 898D 8CFEFFFF mov dword ptr ss:[ebp-0x174],ecx ; ntdll.76FCAE0D
0041DF45 . 83BD 8CFEFFFF>cmp dword ptr ss:[ebp-0x174],0x0
0041DF4C . 74 30 je short 屏录专家.0041DF7E
0041DF4E . 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-0x174] ; 屏录专家.0058E9C3
0041DF54 . 8B10 mov edx,dword ptr ds:[eax]
0041DF56 . 8995 90FEFFFF mov dword ptr ss:[ebp-0x170],edx
0041DF5C . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x38C
0041DF65 . BA 03000000 mov edx,0x3
0041DF6A . 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-0x174] ; 屏录专家.0058E9C3
0041DF70 . 8B08 mov ecx,dword ptr ds:[eax]
0041DF72 . FF51 FC call dword ptr ds:[ecx-0x4]
0041DF75 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x380
0041DF7E > 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DF84 . 33D2 xor edx,edx
0041DF86 . 8990 201F0000 mov dword ptr ds:[eax+0x1F20],edx
0041DF8C . 68 00020000 push 0x200
0041DF91 . 6A 00 push 0x0
0041DF93 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041DF99 . 81C1 9C1C0000 add ecx,0x1C9C
0041DF9F . 51 push ecx ; ntdll.76FCAE0D
0041DFA0 . E8 23471700 call 屏录专家.005926C8
0041DFA5 . 83C4 0C add esp,0xC
0041DFA8 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DFAE . 80B8 2C170000>cmp byte ptr ds:[eax+0x172C],0x1
0041DFB5 . 0F85 3F0A0000 jnz 屏录专家.0041E9FA
0041DFBB . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DFC1 . 05 28170000 add eax,0x1728
0041DFC6 . E8 B12A0000 call 屏录专家.00420A7C ; //取序列号长度
0041DFCB . 8985 98FDFFFF mov dword ptr ss:[ebp-0x268],eax
0041DFD1 . 81BD 98FDFFFF>cmp dword ptr ss:[ebp-0x268],0x12C
0041DFDB . 0F8E CE060000 jle 屏录专家.0041E6AF ; //序列号长度小于300则跳转
0041DFE1 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041DFE7 . 05 28170000 add eax,0x1728
0041DFEC . E8 AF4EFEFF call 屏录专家.00402EA0
0041DFF1 . 8BF8 mov edi,eax
0041DFF3 . 33C0 xor eax,eax
0041DFF5 . 83C9 FF or ecx,-0x1
0041DFF8 . 8DB5 DCECFFFF lea esi,dword ptr ss:[ebp-0x1324]
0041DFFE . F2:AE repne scas byte ptr es:[edi]
0041E000 . F7D1 not ecx ; ntdll.76FCAE0D
0041E002 . 2BF9 sub edi,ecx ; ntdll.76FCAE0D
0041E004 . 8BD1 mov edx,ecx ; ntdll.76FCAE0D
0041E006 . 87F7 xchg edi,esi
0041E008 . C1E9 02 shr ecx,0x2
0041E00B . 8BC7 mov eax,edi
0041E00D . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0041E00F . 8BCA mov ecx,edx
0041E011 . 8D85 DCECFFFF lea eax,dword ptr ss:[ebp-0x1324]
0041E017 . 83E1 03 and ecx,0x3
0041E01A . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
0041E01C . 50 push eax
0041E01D . E8 DA471700 call 屏录专家.005927FC
0041E022 . 59 pop ecx ; 01A62378
0041E023 . 8985 84FDFFFF mov dword ptr ss:[ebp-0x27C],eax
0041E029 . 8D95 DCECFFFF lea edx,dword ptr ss:[ebp-0x1324]
0041E02F . 52 push edx
0041E030 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041E036 . 51 push ecx ; ntdll.76FCAE0D
0041E037 . E8 582A0000 call 屏录专家.00420A94
0041E03C . 83C4 08 add esp,0x8
0041E03F . 84C0 test al,al
0041E041 . 0F85 33020000 jnz 屏录专家.0041E27A
0041E047 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E04D . C680 2C170000>mov byte ptr ds:[eax+0x172C],0x0
0041E054 . 8B95 A4FDFFFF mov edx,dword ptr ss:[ebp-0x25C]
0041E05A . 8B82 50050000 mov eax,dword ptr ds:[edx+0x550]
0041E060 . 33D2 xor edx,edx
0041E062 . E8 09571100 call 屏录专家.00533770
0041E067 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041E06D . 8B81 70050000 mov eax,dword ptr ds:[ecx+0x570]
0041E073 . 33D2 xor edx,edx
0041E075 . 8B08 mov ecx,dword ptr ds:[eax]
0041E077 . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E07A . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E080 . 8B80 6C050000 mov eax,dword ptr ds:[eax+0x56C]
0041E086 . 33D2 xor edx,edx
0041E088 . 8B08 mov ecx,dword ptr ds:[eax]
0041E08A . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E08D . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E093 . 8B80 68070000 mov eax,dword ptr ds:[eax+0x768]
0041E099 . 33D2 xor edx,edx
0041E09B . 8B08 mov ecx,dword ptr ds:[eax]
0041E09D . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E0A0 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E0A6 . 8B80 64070000 mov eax,dword ptr ds:[eax+0x764]
0041E0AC . 33D2 xor edx,edx
0041E0AE . 8B08 mov ecx,dword ptr ds:[eax]
0041E0B0 . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E0B3 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x398
0041E0BC . BA 821B5C00 mov edx,屏录专家.005C1B82
0041E0C1 . 8D85 88FEFFFF lea eax,dword ptr ss:[ebp-0x178]
0041E0C7 . E8 542E1800 call 屏录专家.005A0F20
0041E0CC . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E0D2 . 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-0x178]
0041E0D8 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E0DE . 05 18170000 add eax,0x1718
0041E0E3 . E8 B8311800 call 屏录专家.005A12A0
0041E0E8 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E0EE . 8D85 88FEFFFF lea eax,dword ptr ss:[ebp-0x178]
0041E0F4 . BA 02000000 mov edx,0x2
0041E0F9 . E8 72311800 call 屏录专家.005A1270
0041E0FE . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3A4
0041E107 . BA 831B5C00 mov edx,屏录专家.005C1B83
0041E10C . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-0x17C]
0041E112 . E8 092E1800 call 屏录专家.005A0F20
0041E117 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E11D . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-0x17C]
0041E123 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E129 . 05 1C170000 add eax,0x171C
0041E12E . E8 6D311800 call 屏录专家.005A12A0
0041E133 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E139 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-0x17C]
0041E13F . BA 02000000 mov edx,0x2
0041E144 . E8 27311800 call 屏录专家.005A1270
0041E149 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3B0
0041E152 . BA 841B5C00 mov edx,屏录专家.005C1B84
0041E157 . 8D85 80FEFFFF lea eax,dword ptr ss:[ebp-0x180]
0041E15D . E8 BE2D1800 call 屏录专家.005A0F20
0041E162 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E168 . 8D95 80FEFFFF lea edx,dword ptr ss:[ebp-0x180]
0041E16E . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E174 . 05 20170000 add eax,0x1720
0041E179 . E8 22311800 call 屏录专家.005A12A0
0041E17E . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E184 . 8D85 80FEFFFF lea eax,dword ptr ss:[ebp-0x180]
0041E18A . BA 02000000 mov edx,0x2
0041E18F . E8 DC301800 call 屏录专家.005A1270
0041E194 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3BC
0041E19D . BA 851B5C00 mov edx,屏录专家.005C1B85
0041E1A2 . 8D85 7CFEFFFF lea eax,dword ptr ss:[ebp-0x184]
0041E1A8 . E8 732D1800 call 屏录专家.005A0F20
0041E1AD . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E1B3 . 8D95 7CFEFFFF lea edx,dword ptr ss:[ebp-0x184]
0041E1B9 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E1BF . 05 5C1F0000 add eax,0x1F5C
0041E1C4 . E8 D7301800 call 屏录专家.005A12A0
0041E1C9 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E1CF . 8D85 7CFEFFFF lea eax,dword ptr ss:[ebp-0x184]
0041E1D5 . BA 02000000 mov edx,0x2
0041E1DA . E8 91301800 call 屏录专家.005A1270
0041E1DF . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3C8
0041E1E8 . BA 861B5C00 mov edx,屏录专家.005C1B86
0041E1ED . 8D85 78FEFFFF lea eax,dword ptr ss:[ebp-0x188]
0041E1F3 . E8 282D1800 call 屏录专家.005A0F20
0041E1F8 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E1FE . 8D95 78FEFFFF lea edx,dword ptr ss:[ebp-0x188]
0041E204 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E20A . 05 24170000 add eax,0x1724
0041E20F . E8 8C301800 call 屏录专家.005A12A0
0041E214 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E21A . 8D85 78FEFFFF lea eax,dword ptr ss:[ebp-0x188]
0041E220 . BA 02000000 mov edx,0x2
0041E225 . E8 46301800 call 屏录专家.005A1270
0041E22A . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3D4
0041E233 . BA 871B5C00 mov edx,屏录专家.005C1B87
0041E238 . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-0x18C]
0041E23E . E8 DD2C1800 call 屏录专家.005A0F20
0041E243 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E249 . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C]
0041E24F . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E255 . 05 28170000 add eax,0x1728
0041E25A . E8 41301800 call 屏录专家.005A12A0
0041E25F . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E265 . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-0x18C]
0041E26B . BA 02000000 mov edx,0x2
0041E270 . E8 FB2F1800 call 屏录专家.005A1270
0041E275 . E9 80070000 jmp 屏录专家.0041E9FA
0041E27A > 6A 05 push 0x5
0041E27C . 8D8D D2ECFFFF lea ecx,dword ptr ss:[ebp-0x132E]
0041E282 . 038D 84FDFFFF add ecx,dword ptr ss:[ebp-0x27C]
0041E288 . 51 push ecx ; ntdll.76FCAE0D
0041E289 . 8D85 88FDFFFF lea eax,dword ptr ss:[ebp-0x278]
0041E28F . 50 push eax
0041E290 . E8 C3431700 call 屏录专家.00592658
0041E295 . C685 8DFDFFFF>mov byte ptr ss:[ebp-0x273],0x0
0041E29C . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3E0
0041E2A5 . 83C4 0C add esp,0xC
0041E2A8 . 33D2 xor edx,edx
0041E2AA . 8995 80FDFFFF mov dword ptr ss:[ebp-0x280],edx
0041E2B0 . 8D95 88FDFFFF lea edx,dword ptr ss:[ebp-0x278]
0041E2B6 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3EC
0041E2BF . 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-0x190]
0041E2C5 . E8 562C1800 call 屏录专家.005A0F20
0041E2CA . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E2D0 . E8 8F331800 call 屏录专家.005A1664
0041E2D5 . 8985 80FDFFFF mov dword ptr ss:[ebp-0x280],eax
0041E2DB . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E2E1 . 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-0x190]
0041E2E7 . BA 02000000 mov edx,0x2
0041E2EC . E8 7F2F1800 call 屏录专家.005A1270
0041E2F1 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x0
0041E2FA . EB 0E jmp short 屏录专家.0041E30A
0041E2FC . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3E8
0041E305 . E8 00FD1700 call 屏录专家.0059E00A
0041E30A > 83BD 80FDFFFF>cmp dword ptr ss:[ebp-0x280],0x64
0041E311 . 7C 10 jl short 屏录专家.0041E323
0041E313 . 81BD 80FDFFFF>cmp dword ptr ss:[ebp-0x280],0x190
0041E31D . 0F8E 33020000 jle 屏录专家.0041E556
0041E323 > 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041E329 . 33D2 xor edx,edx
0041E32B . C681 2C170000>mov byte ptr ds:[ecx+0x172C],0x0
0041E332 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E338 . 8B80 50050000 mov eax,dword ptr ds:[eax+0x550]
0041E33E . E8 2D541100 call 屏录专家.00533770
0041E343 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041E349 . 8B81 70050000 mov eax,dword ptr ds:[ecx+0x570]
0041E34F . 33D2 xor edx,edx
0041E351 . 8B08 mov ecx,dword ptr ds:[eax]
0041E353 . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E356 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E35C . 8B80 6C050000 mov eax,dword ptr ds:[eax+0x56C]
0041E362 . 33D2 xor edx,edx
0041E364 . 8B08 mov ecx,dword ptr ds:[eax]
0041E366 . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E369 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E36F . 8B80 68070000 mov eax,dword ptr ds:[eax+0x768]
0041E375 . 33D2 xor edx,edx
0041E377 . 8B08 mov ecx,dword ptr ds:[eax]
0041E379 . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E37C . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E382 . 8B80 64070000 mov eax,dword ptr ds:[eax+0x764]
0041E388 . 33D2 xor edx,edx
0041E38A . 8B08 mov ecx,dword ptr ds:[eax]
0041E38C . FF51 5C call dword ptr ds:[ecx+0x5C]
0041E38F . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x3F8
0041E398 . BA 881B5C00 mov edx,屏录专家.005C1B88
0041E39D . 8D85 6CFEFFFF lea eax,dword ptr ss:[ebp-0x194]
0041E3A3 . E8 782B1800 call 屏录专家.005A0F20
0041E3A8 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E3AE . 8D95 6CFEFFFF lea edx,dword ptr ss:[ebp-0x194]
0041E3B4 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E3BA . 05 18170000 add eax,0x1718
0041E3BF . E8 DC2E1800 call 屏录专家.005A12A0
0041E3C4 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E3CA . 8D85 6CFEFFFF lea eax,dword ptr ss:[ebp-0x194]
0041E3D0 . BA 02000000 mov edx,0x2
0041E3D5 . E8 962E1800 call 屏录专家.005A1270
0041E3DA . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x404
0041E3E3 . BA 891B5C00 mov edx,屏录专家.005C1B89
0041E3E8 . 8D85 68FEFFFF lea eax,dword ptr ss:[ebp-0x198]
0041E3EE . E8 2D2B1800 call 屏录专家.005A0F20
0041E3F3 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E3F9 . 8D95 68FEFFFF lea edx,dword ptr ss:[ebp-0x198]
0041E3FF . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E405 . 05 1C170000 add eax,0x171C
0041E40A . E8 912E1800 call 屏录专家.005A12A0
0041E40F . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E415 . 8D85 68FEFFFF lea eax,dword ptr ss:[ebp-0x198]
0041E41B . BA 02000000 mov edx,0x2
0041E420 . E8 4B2E1800 call 屏录专家.005A1270
0041E425 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x410
0041E42E . BA 8A1B5C00 mov edx,屏录专家.005C1B8A
0041E433 . 8D85 64FEFFFF lea eax,dword ptr ss:[ebp-0x19C]
0041E439 . E8 E22A1800 call 屏录专家.005A0F20
0041E43E . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E444 . 8D95 64FEFFFF lea edx,dword ptr ss:[ebp-0x19C]
0041E44A . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E450 . 05 20170000 add eax,0x1720
0041E455 . E8 462E1800 call 屏录专家.005A12A0
0041E45A . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E460 . 8D85 64FEFFFF lea eax,dword ptr ss:[ebp-0x19C]
0041E466 . BA 02000000 mov edx,0x2
0041E46B . E8 002E1800 call 屏录专家.005A1270
0041E470 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x41C
0041E479 . BA 8B1B5C00 mov edx,屏录专家.005C1B8B
0041E47E . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-0x1A0]
0041E484 . E8 972A1800 call 屏录专家.005A0F20
0041E489 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E48F . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-0x1A0]
0041E495 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E49B . 05 5C1F0000 add eax,0x1F5C
0041E4A0 . E8 FB2D1800 call 屏录专家.005A12A0
0041E4A5 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E4AB . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-0x1A0]
0041E4B1 . BA 02000000 mov edx,0x2
0041E4B6 . E8 B52D1800 call 屏录专家.005A1270
0041E4BB . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x428
0041E4C4 . BA 8C1B5C00 mov edx,屏录专家.005C1B8C
0041E4C9 . 8D85 5CFEFFFF lea eax,dword ptr ss:[ebp-0x1A4]
0041E4CF . E8 4C2A1800 call 屏录专家.005A0F20
0041E4D4 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E4DA . 8D95 5CFEFFFF lea edx,dword ptr ss:[ebp-0x1A4]
0041E4E0 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E4E6 . 05 24170000 add eax,0x1724
0041E4EB . E8 B02D1800 call 屏录专家.005A12A0
0041E4F0 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E4F6 . 8D85 5CFEFFFF lea eax,dword ptr ss:[ebp-0x1A4]
0041E4FC . BA 02000000 mov edx,0x2
0041E501 . E8 6A2D1800 call 屏录专家.005A1270
0041E506 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x434
0041E50F . BA 8D1B5C00 mov edx,屏录专家.005C1B8D
0041E514 . 8D85 58FEFFFF lea eax,dword ptr ss:[ebp-0x1A8]
0041E51A . E8 012A1800 call 屏录专家.005A0F20
0041E51F . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E525 . 8D95 58FEFFFF lea edx,dword ptr ss:[ebp-0x1A8]
0041E52B . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E531 . 05 28170000 add eax,0x1728
0041E536 . E8 652D1800 call 屏录专家.005A12A0
0041E53B . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E541 . 8D85 58FEFFFF lea eax,dword ptr ss:[ebp-0x1A8]
0041E547 . BA 02000000 mov edx,0x2
0041E54C . E8 1F2D1800 call 屏录专家.005A1270
0041E551 . E9 A4040000 jmp 屏录专家.0041E9FA
0041E556 > 8B95 A4FDFFFF mov edx,dword ptr ss:[ebp-0x25C]
0041E55C . 81C2 28170000 add edx,0x1728
0041E562 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E568 . 05 9C1E0000 add eax,0x1E9C
0041E56D . E8 2E2D1800 call 屏录专家.005A12A0
0041E572 . 8B8D 80FDFFFF mov ecx,dword ptr ss:[ebp-0x280]
0041E578 . 8D85 DCECFFFF lea eax,dword ptr ss:[ebp-0x1324]
0041E57E . 51 push ecx ; ntdll.76FCAE0D
0041E57F . 50 push eax
0041E580 . 8B95 A4FDFFFF mov edx,dword ptr ss:[ebp-0x25C]
0041E586 . 81C2 9C1C0000 add edx,0x1C9C
0041E58C . 52 push edx
0041E58D . E8 C6401700 call 屏录专家.00592658
0041E592 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041E598 . 8B85 80FDFFFF mov eax,dword ptr ss:[ebp-0x280]
0041E59E . 83C4 0C add esp,0xC
0041E5A1 . C68401 9C1C00>mov byte ptr ds:[ecx+eax+0x1C9C],0x0
0041E5A9 . 8B95 84FDFFFF mov edx,dword ptr ss:[ebp-0x27C]
0041E5AF . 8D8D DCECFFFF lea ecx,dword ptr ss:[ebp-0x1324]
0041E5B5 . 2B95 80FDFFFF sub edx,dword ptr ss:[ebp-0x280]
0041E5BB . 8D85 DCEEFFFF lea eax,dword ptr ss:[ebp-0x1124]
0041E5C1 . 83C2 F6 add edx,-0xA
0041E5C4 . 52 push edx
0041E5C5 . 038D 80FDFFFF add ecx,dword ptr ss:[ebp-0x280]
0041E5CB . 51 push ecx ; ntdll.76FCAE0D
0041E5CC . 50 push eax
0041E5CD . E8 86401700 call 屏录专家.00592658
0041E5D2 . 8B95 84FDFFFF mov edx,dword ptr ss:[ebp-0x27C]
0041E5D8 . 83C4 0C add esp,0xC
0041E5DB . 2B95 80FDFFFF sub edx,dword ptr ss:[ebp-0x280]
0041E5E1 . 8D85 54FEFFFF lea eax,dword ptr ss:[ebp-0x1AC]
0041E5E7 . C68415 D2EEFF>mov byte ptr ss:[ebp+edx-0x112E],0x0
0041E5EF . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x440
0041E5F8 . 8D95 DCEEFFFF lea edx,dword ptr ss:[ebp-0x1124]
0041E5FE . E8 1D291800 call 屏录专家.005A0F20
0041E603 . 8BD0 mov edx,eax
0041E605 . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E60B . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E611 . 05 28170000 add eax,0x1728
0041E616 . E8 852C1800 call 屏录专家.005A12A0
0041E61B . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E621 . 8D85 54FEFFFF lea eax,dword ptr ss:[ebp-0x1AC]
0041E627 . BA 02000000 mov edx,0x2
0041E62C . E8 3F2C1800 call 屏录专家.005A1270
0041E631 . 66:C785 B8FDF>mov word ptr ss:[ebp-0x248],0x44C
0041E63A . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E640 . 05 28170000 add eax,0x1728
0041E645 . E8 5648FEFF call 屏录专家.00402EA0
0041E64A . 50 push eax
0041E64B . 8D85 50FEFFFF lea eax,dword ptr ss:[ebp-0x1B0]
0041E651 . 8B95 A4FDFFFF mov edx,dword ptr ss:[ebp-0x25C]
0041E657 . 52 push edx
0041E658 . E8 DF33FEFF call 屏录专家.00401A3C
0041E65D . 50 push eax
0041E65E . FF85 C4FDFFFF inc dword ptr ss:[ebp-0x23C]
0041E664 . E8 37220000 call 屏录专家.004208A0
0041E669 . 83C4 0C add esp,0xC
0041E66C . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-0x1B0]
0041E672 . 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E678 . 05 24170000 add eax,0x1724
0041E67D . E8 1E2C1800 call 屏录专家.005A12A0
0041E682 . FF8D C4FDFFFF dec dword ptr ss:[ebp-0x23C]
0041E688 . 8D85 50FEFFFF lea eax,dword ptr ss:[ebp-0x1B0]
0041E68E . BA 02000000 mov edx,0x2
0041E693 . E8 D82B1800 call 屏录专家.005A1270
0041E698 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C]
0041E69E . 8B85 80FDFFFF mov eax,dword ptr ss:[ebp-0x280]
0041E6A4 . 8981 201F0000 mov dword ptr ds:[ecx+0x1F20],eax
0041E6AA . E9 4B030000 jmp 屏录专家.0041E9FA
0041E6AF > 8B85 A4FDFFFF mov eax,dword ptr ss:[ebp-0x25C]
0041E6B5 . 05 28170000 add eax,0x1728
0041E6BA . E8 BD230000 call 屏录专家.00420A7C ; //取序列号某位数
0041E6BF . 83F8 64 cmp eax,0x64
0041E6C2 0F8E 32030000 jle 屏录专家.0041E9FA ; 序列号长度小于100则跳转
0041E6C8 . 8B8D A4FDFFFF mov ecx,dword ptr ss:[ebp-0x25C] ; //序列号大于100则会提示升级
为节省篇幅我没有全部复制,这里就是读取pmlxz7.dll文件,简单地判断一下序列号,有兴趣的可以自行分析。下面给出我的汇编语言算法源码。
[Asm] 纯文本查看 复制代码 include string.inc
includelib string.lib
include masm32.inc
includelib masm32.lib
include debug.inc
includelib debug.lib
.data
szName db 64 dup (0)
f1 REAL8 3.140000000000000
f2 REAL10 0.1594896331738436864
g_sixth db 0
.const
snFixed db "34567890123456789016345678601234567", 0
snFixed1 db "12345", 0
.data?
g_remainder dd ? ;保存浮点运算过程中的余数
g_character db ? ;保存序列号前四十位运算字符串的最后一位
g_remAdd dd ? ;余数加30h
Key dd ?
mc db 40 dup (?)
szSerial db 254 dup (?)
szSerial1 db 254 dup (?)
szSerial2 db 254 dup (?)
szSerial3 db 254 dup (?)
szSerial4 db 254 dup (?)
szSerial5 db 254 dup (?)
szMachineCode db 100 dup (?)
szBuffer dd ?
szOut db 10 dup(?)
szOut1 db 10 dup(?)
szOut2 db 12 dup(?)
szWord dw ?
num dd ?
addrNum dd ?
szRand db 10 dup(?)
szDest db 5 dup(?)
.code
comment#
函数名:KeyGen45
功 能:序列号前45位生成Key
len :指定的索引
lpSn :序列号地址
返回值:eax返回Key
#
KeyGen45 proc len, lpSn
mov esi,lpSn
xor eax,eax
xor ecx,ecx
mov ecx, 0B26Dh
local1:
cmp ecx,0B26Dh
jnz short local5
xor edi,edi
cmp edi,len
jge short local5
local2:
inc ecx
mov dl,80h
local3:
test ah,80h
je short @F
add eax,eax
xor ax,1021h
inc ecx
jmp short local4
@@:
add eax,eax
local4:
inc ecx
test byte ptr ds:[esi],dl
je short @F
xor ax,1021h
@@:
shr dl,1
test dl,dl
jnz short local3
inc esi
inc edi
cmp edi,len
jl short local2
local5:
inc ecx
cmp ecx,186A0h
jl short local1
ret
KeyGen45 endp
comment#
函数名:KeyGen5
功 能:序列号后5位生成Key
lpSn :序列号后5位地址
返回值:eax返回Key
#
KeyGen5 proc lpSn
push ebx
push esi
push edi
mov eax, lpSn
mov esi,eax
push eax
test eax,eax
je short local7
xor eax,eax
xor ebx,ebx
mov edi,0CCCCCCCh
local1:
mov bl,byte ptr ds:[esi]
inc esi
cmp bl,20h
je short local1
mov ch,0
cmp bl,2Dh
je short local10
cmp bl,2Bh
je short local11
cmp bl,24h
je short local12
cmp bl,78h
je short local12
cmp bl,58h
je short local12
cmp bl,30h
jnz short local2
mov bl,byte ptr ds:[esi]
inc esi
cmp bl,78h
je short local12
cmp bl,58h
je short local12
test bl,bl
je short local4
jmp short local3
local2:
test bl,bl
je short local9
local3:
sub bl,30h
cmp bl,9
ja short local9
cmp eax,edi
ja short local9
lea eax,dword ptr ds:[eax+eax*4]
add eax,eax ; eax累加
add eax,ebx
mov bl,byte ptr ds:[esi]
inc esi
test bl,bl
jnz short local3
local4:
dec ch
je short local8
test eax,eax
jl short local9
local5:
pop ecx
xor esi,esi
local6:
xor edx, edx
mov edx, esi;mov dword ptr ds:[edx],esi
pop edi
pop esi
pop ebx
ret
local7:
inc esi
jmp short local9
local8:
neg eax
jle short local5
js short local5
local9:
pop ebx
sub esi,ebx
jmp short local6
local10:
inc ch
local11:
mov bl,byte ptr ds:[esi]
inc esi
jmp short local2
local12:
mov edi,0FFFFFFFh
mov bl,byte ptr ds:[esi]
inc esi
test bl,bl
je short local7
local13:
cmp bl,61h
jb short local14
sub bl,20h
local14:
sub bl,30h
cmp bl,9
jbe short local15
sub bl,11h
cmp bl,5
ja short local9
add bl,0Ah
local15:
cmp eax,edi
ja short local9
shl eax,4
add eax,ebx
mov bl,byte ptr ds:[esi]
inc esi
test bl,bl
jnz short local13
jmp short local5
ret
KeyGen5 endp
comment#
函数名:EchgMcode
功 能:交换机器码第3和19位,第5和16位,第9和12位
lpSn :机器码地址
返回值:没有返回值
#
EchgMcode proc lpMc
pushad
mov esi, lpMc
mov bl, BYTE ptr [esi+2]
mov cl, BYTE ptr [esi+12h]
mov BYTE ptr [esi+12h], bl
mov BYTE ptr [esi+2], cl ;第3和19位
mov bl, BYTE ptr [esi+4]
mov cl, BYTE ptr [esi+0Fh]
mov BYTE ptr [esi+0Fh], bl
mov BYTE ptr [esi+4], cl ;第5和16位
mov bl, BYTE ptr [esi+8]
mov cl, BYTE ptr [esi+0Bh]
mov BYTE ptr [esi+0Bh], bl
mov BYTE ptr [esi+8], cl;第9和12位
popad
ret
EchgMcode endp
comment#
函数名:KeyGenNM
功 能:由用户名与交换后的机器码生成Key
lpMcode :机器码地址
lpName :用户名地址
返回值:eax
#
KeyGenNM proc lpName, lpMcode
local @buf[254]:BYTE
local @lpName:DWORD
local @lpMcode:DWORD
local @result1:DWORD
local @result2:DWORD
local @result3:DWORD
local @num:DWORD
mov edx, lpName
mov eax, lpMcode
xor edi, edi
mov @lpMcode, eax
mov @lpName, edx
lea esi, @buf
xor ebx, ebx
@@:
mov ecx, @lpName
mov edx, @lpMcode
mov al,byte ptr ds:[ecx]
xor al,byte ptr ds:[edx]
mov byte ptr ds:[esi],al
movsx ecx,byte ptr ds:[esi]
mov @result1, ecx
fild @result1
mov @result2, ebx
fild @result2
fmulp st(1),st
mov @result3, edi
fild @result3
faddp st(1),st
fistp qword ptr @num
mov eax,dword ptr @num
mov edi,eax
inc ebx
inc esi
inc @lpMcode
inc @lpName
cmp ebx,14h
jl @B
;invoke szCopy, addr @buf, addr szXor
add edi,3039h
mov Key, edi
mov eax, edi
ret
KeyGenNM endp
comment#
函数名:Key25Serial
功 能:由用户名与机器码运算出的Key计算出五个字符
iKey :用户名与机器码生成的Key
lpOut :输出生成的字符串
#
Key25Serial proc iKey, lpOut
local @quotient:DWORD
local @remainder:DWORD
local @buf[10]:BYTE
pushad
lea ebx, @buf
mov eax, iKey
mov @quotient, eax
mov edi, 0Ah
@@:
cdq
mov eax, @quotient
div edi
xchg eax, edx
xor edx, edx
mov BYTE ptr ds:[ebx], al
mov eax,edi
cdq
mov eax, @quotient
inc ebx
div edi
xor edx, edx
mov @quotient, eax
cmp eax,0
jnz @B
mov ecx, 5
lea ebx, @buf
@@:
mov al, BYTE ptr ds:[ebx]
add al, 30h
mov BYTE ptr ds:[ebx], al
inc ebx
loop @B
mov BYTE ptr ds:[ebx], 0
invoke szCopy, addr @buf, lpOut
popad
ret
Key25Serial endp
comment#
函数名:TenOfSerial
功 能:由用户名与机器码运算出的五个字符生成最终序列号的前十位
lpIn :由用户名与机器码运算出的五个字符
lpOut :最终序列号的前十位
#
TenOfSerial proc lpIn, lpOut
local @lpIn[6]:BYTE
local @lpOut[12]:BYTE
local @sn[12]:BYTE
local @i:BYTE
local @k:BYTE
pushad
invoke szCopy, lpIn, addr @lpIn
xor esi, esi;k
xor edi, edi
;xor ebx, ebx;k
mov @k, 0
mov @i, 1;i ecx
lea ebx, @lpIn
lea edi, @lpOut
.while (@i<=0bh) && (esi<5)
xor ecx, ecx
mov edx, 0bh
movzx eax, @i
shr eax, 1
sub edx, eax
mov cl, BYTE ptr ds:[ebx+esi]
add ecx, edx
mov [edi+esi], ecx
add @i, 2
inc esi
.endw
;invoke ltoa, addr @lpOut
invoke szCopy, addr @lpOut, lpOut
popad
ret
TenOfSerial endp
comment#
函数名:HexStr2DecStr
功 能:将十六进制数串转换成十进制字符串
lpIn :输入的十六进制数串
lpOut :转换后的字符缓冲区
#
HexStr2DecStr proc lpIn, lpOut
local @num:DWORD
pushad
xor ebx, ebx
xor esi, esi
xor edx, edx
xor edi, edi
mov ebx, lpIn ;szOut2
mov ebp, lpOut;szSerial1
mov ecx, 5
@@:
mov dl, BYTE ptr ds:[ebx+esi]
movzx eax, dl
mov @num, eax
lea eax, [ebp+edi]
invoke dw2str, @num, eax
inc esi
add edi, 2
loop @B
popad
ret
HexStr2DecStr endp
comment#
函数名:KeyGen11th
功 能:将Key转换成十六进制数
返回值eax
#
KeyGen11th proc
local @quotient:QWORD
local @remainder:DWORD
local @cw:WORD
add Key, 4d44h
fild Key
fmul f1
fld f2
fmulp st(1),st
;改变RC位为11
fstcw @cw
or @cw, 0000110000000000b
fldcw @cw
fistp @quotient
mov ebx, 186A0h
mov eax, dword ptr @quotient
cdq
idiv ebx
mov g_remainder, edx
xchg eax, edx
mov ebx, 0ah
cdq
idiv ebx
xchg eax, edx
add eax, 41h
ret
KeyGen11th endp
comment#
函数名:EchgSerial
功 能:交换序列号第3和39位,第5和26位,第10和32位
lpSn :序列号地址
返回值:没有返回值
#
EchgSerial proc lpMc
pushad
mov esi, lpMc
mov bl, BYTE ptr [esi+2]
mov cl, BYTE ptr [esi+26h]
mov BYTE ptr [esi+26h], bl
mov BYTE ptr [esi+2], cl ;第3和19位
mov bl, BYTE ptr [esi+4]
mov cl, BYTE ptr [esi+19h]
mov BYTE ptr [esi+19h], bl
mov BYTE ptr [esi+4], cl ;第5和16位
mov bl, BYTE ptr [esi+9]
mov cl, BYTE ptr [esi+1fh]
mov BYTE ptr [esi+1fh], bl
mov BYTE ptr [esi+9], cl;第9和12位
popad
ret
EchgSerial endp
comment#
函数名:CalcSerial
功 能:通过序列号前四十位计算出字符串
lpszIn :输入字符串地址
lpszOut :输出字符串地址
返回值:没有返回值
#
CalcSerial proc lpszIn, lpszOut
local @szCh:DWORD
local @szBuffer[42]:BYTE
local @szSerial[22]:BYTE
local @lpBuffer:DWORD
local @lpSerial:DWORD
local @i:DWORD
pushad
invoke szCopy, lpszIn, addr @szBuffer;将序列号前四十位拷贝到缓冲区
invoke RtlZeroMemory, addr @szSerial, sizeof @szSerial
lea ebx, @szBuffer
lea ecx, @szSerial
xor esi, esi
xor edi, edi
xor edx, edx
mov @i, 0
label1:
inc @i
xor eax, eax
mov @szCh, eax
mov ax, WORD ptr ds:[ebx+esi]
mov @szCh, eax
push ecx
invoke atol, addr @szCh
pop ecx
mov edx, @i
sar edx,1
jns @F
adc edx, 0
@@:
add eax,edx
inc @i
add eax,9
mov [ecx+edi], eax
.if @i==0ch
;
mov g_sixth, al
.endif
inc edi
add esi, 2
cmp @i,28h
jl label1
mov g_character, al
invoke szCopy, addr @szSerial, lpszOut
popad
ret
CalcSerial endp
comment#
函数名:CalcLast
功 能:累加交换过后的序列号的前四十位的字符串值
lpszIn :输入字符串地址
返回值:eax返回余数
#
CalcLast proc lpszIn
local @szBuffer[22]:BYTE
local @sum:DWORD
invoke szCopy, lpszIn, addr @szBuffer
lea eax, @szBuffer
@@:
movsx ecx,byte ptr ds:[eax]
add @sum,ecx
inc edx
inc eax
cmp edx, 13h
jl @B
mov eax, @sum
mov ecx, 0ah
cdq
idiv ecx
add edx,30h
mov g_remAdd, edx
ret
CalcLast endp
;PrintHex edx
;DbgDump offset szName,16
GetRegCode proc hDlg
pushad
invoke strempty,addr szSerial,sizeof szSerial
invoke GetDlgItemText,hDlg,IDC_ELSE,addr szMachineCode,sizeof szMachineCode
mov ebx, eax
invoke RtlZeroMemory, addr szName, sizeof szName
invoke GetDlgItemText,hDlg,IDC_NAME,addr szName,sizeof szName
.if (eax)&&(ebx)
;<<<<<<<1、通过用户名与机器码生成一个Key,然后由这个Key计算出真正序列号的前十位
finit
invoke szLeft, addr szMachineCode, addr mc, 20 ;取机器码前20位
invoke EchgMcode, addr mc
invoke KeyGenNM, addr szName, addr mc
invoke Key25Serial, eax, addr szOut
invoke szRev, addr szOut, addr szOut1
invoke TenOfSerial, addr szOut1, addr szOut2
invoke HexStr2DecStr, addr szOut2, addr szSerial1;得到前十位
;<<<<<<<2、随机生成30位同前面十位凑成四十位序列号
@@:
invoke GetTickCount
invoke nrandom, eax
invoke dw2str, eax, addr szRand
invoke szLeft, addr szRand, addr szDest, 5
invoke szCatStr, addr szSerial1, addr szDest
invoke szCatStr, addr szSerial1, addr snFixed
invoke szLeft, addr szSerial1, addr szSerial2, 40 ;取序列号前四十位
;<<<<<<<3、交换一个序列号,然后计算交换后的字符串
invoke EchgSerial, addr szSerial2
invoke CalcSerial, addr szSerial2, addr szSerial3
invoke CalcLast, addr szSerial3
;<<<<<<<4、通过计算出来的数据验证生成真序列号的第十一、
;<<<<<<< 十二位和交换后序列号的第三十九、第四十位
call KeyGen11th
movsx eax, g_character
cmp eax, g_remAdd
je @F
cmp eax, 41h
jl @B
@@:
mov eax, g_remainder
mov ecx, 0ah
cdq
idiv ecx
add edx, 41h
sub edx, 0eh
invoke dw2str, edx, addr szBuffer;真序列号第十一、十二位
invoke szRight, addr szSerial2, addr szSerial5, 28
invoke szLeft, addr szSerial2, addr szSerial4, 10
invoke szCatStr, addr szSerial4, addr szBuffer
invoke szCatStr, addr szSerial4, addr szSerial5
;<<<<<<<5、再生成5位序列号凑成四十五位,最后再生成末尾五位
invoke szCatStr, addr szSerial4, addr snFixed1
invoke KeyGen45, 45, addr szSerial4
xor ecx, ecx
movzx ecx, ax
invoke ltoa, ecx, addr szBuffer
invoke szCatStr, addr szSerial4, addr szBuffer
invoke SetDlgItemText, hDlg, IDC_REG, addr szSerial4
.else
invoke SetDlgItemText,hDlg,IDC_REG,CTXT("机器码或用户名不能为空!")
invoke SetDlgItemText,hDlg,IDC_ELSE,CTXT("机器码或用户名不能为空!")
.endif
popad
ret
GetRegCode endp
简单总结一下算法的流程:
1、通过用户名与机器码生成一个Key,然后由这个Key计算出真正序列号的前十位
2、随机生成30位同前面十位凑成四十位序列号
3、交换一个序列号,然后计算交换后的字符串
4、通过计算出来的数据验证生成真序列号的第十一、十二位和交换后序列号的第三十九、第四十位
5、再生成5位序列号凑成四十五位,最后再生成末尾五位
好了,就到这里了,最后将我的UDD上传一下。
屏录专家.rar
成品注册机:
屏幕录像专家2015注册机.rar