UltraEdit 15 算法分析

Hmily · 发表于 2009-9-24 15:45

最近在找资料的时候无意在ARTeam论坛上面看到的一个破解UltraEdit15算法的教程。分析
的相当到位。

寻找算法函数的大概方法：

1，用exescope找到nag窗口的资源ID为28269 即是：6E6D。

2，然后在OD里面找到PUSH 6E6D的命令。分别下断点。

3，在第二次中断的时候，看到Days to expire字样。向上滚动，找到这个子程序的开始。然后crtl +r 寻找引用。发现只有一个引用，于是跳去。

4，作者凭借自己破解14版的经验，准确判断出关键函数的调用是哪一个。但是，下面他还是做了一些简短的分析。

5，最后就开始了算法的分析，这个我就不多说了，太多了，自己看哈，我发在附近里面

由于测试它教程的时候用的中文版（他用的意大利版），所以，有些地址有出入。相信很多朋友也会有一样的感受。

ueres.dll
----------------------
hex  dec
--------------------------------
10E 270 - AboutBox
1B3 435 - GuIDA Avvio Veloce
6E6D 28269 - Il Periodo di Valutazione ?in scadenza

//////////////////////////////////// TO    S TU D Y  \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Attack Point
------------------------------
00446294 .  68 E8A1AD00 PUSH Uedit32.00ADA1E8                   ; |WindowName = "UEAfx:200:0x0008:0:010"
00446299 .  68 E8A1AD00 PUSH Uedit32.00ADA1E8                   ; |Class = "UEAfx:200:0x0008:0:010"
0044629E .  53          PUSH EBX                               ; |ExtStyle = 0
0044629F .  899C24 CC0000>MOV DWORD PTR SS:[ESP+CC], EBX          ; |
004462A6 .  FF15 B03BAD00 CALL DWORD PTR DS:[<&USER32.CreateWindow>; \CreateWindowExA
004462AC .  8D4C24 14    LEA ECX, DWORD PTR SS:[ESP+14]
004462B0 .  51          PUSH ECX
004462B1 .  8D5424 28    LEA EDX, DWORD PTR SS:[ESP+28]
004462B5 .  52          PUSH EDX
004462B6 .  A3 102BD000 MOV DWORD PTR DS:[D02B10], EAX
004462BB .  A1 342BD000 MOV EAX, DWORD PTR DS:[D02B34]
004462C0 .  68 EC2AD000 PUSH Uedit32.00D02AEC
004462C5 .  50          PUSH EAX
004462C6 .  56          PUSH ESI
004462C7 .  881D D45AD000 MOV BYTE PTR DS:[D05AD4], BL
004462CD .  C705 EC2AD000>MOV DWORD PTR DS:[D02AEC], 2A
004462D7 .  895C24 28    MOV DWORD PTR SS:[ESP+28], EBX
004462DB .  E8 B0AAFFFF CALL <Uedit32.RoutineDiRegistrazione>  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ENTRA !
004462E0 .  8B2D 003CAD00 MOV EBP, DWORD PTR DS:[<&USER32.SendMess>
004462E6 .  83C4 14    ADD ESP, 14
004462E9 .  84C0       TEST AL, AL
004462EB .  0F84 1D030000 JE Uedit32.0044660E
004462F1 .  391D 142BD000 CMP DWORD PTR DS:[D02B14], EBX
004462F7 .  0F85 11030000 JNZ Uedit32.0044660E
004462FD .  395C24 14    CMP DWORD PTR SS:[ESP+14], EBX
00446301 .  74 28       JE SHORT Uedit32.0044632B
00446303 .  8B4C24 24    MOV ECX, DWORD PTR SS:[ESP+24]

Into registration routine
------------------------------------------
00440D90 >/$  6A FF       PUSH -1
00440D92  |.  68 6B8BA500 PUSH Uedit32.00A58B6B
00440D97  |.  64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
00440D9D  |.  50          PUSH EAX
00440D9E  |.  81EC 9C020000 SUB ESP, 29C
00440DA4  |.  A1 3CFECF00 MOV EAX, DWORD PTR DS:[CFFE3C]
00440DA9  |.  33C4       XOR EAX, ESP
00440DAB  |.  898424 980200>MOV DWORD PTR SS:[ESP+298], EAX
00440DB2  |.  53          PUSH EBX
00440DB3  |.  55          PUSH EBP
00440DB4  |.  56          PUSH ESI
00440DB5  |.  57          PUSH EDI
00440DB6  |.  A1 3CFECF00 MOV EAX, DWORD PTR DS:[CFFE3C]
00440DBB  |.  33C4       XOR EAX, ESP
00440DBD  |.  50          PUSH EAX
00440DBE  |.  8D8424 B00200>LEA EAX, DWORD PTR SS:[ESP+2B0]
00440DC5  |.  64:A3 0000000>MOV DWORD PTR FS:[0], EAX
00440DCB  |.  8BAC24 C40200>MOV EBP, DWORD PTR SS:[ESP+2C4]                         ;  << Seriale da controllare
00440DD2  |.  8B8C24 CC0200>MOV ECX, DWORD PTR SS:[ESP+2CC]                         ;  << ind. di ritorno
00440DD9  |.  8B9424 D00200>MOV EDX, DWORD PTR SS:[ESP+2D0]                         ;  << Una dword vuota
00440DE0  |.  8BBC24 C00200>MOV EDI, DWORD PTR SS:[ESP+2C0]                         ;  << UserName
00440DE7  |.  8B8424 C80200>MOV EAX, DWORD PTR SS:[ESP+2C8]                         ;  << ptr a 2A = 42 (indicatore per file *.reg)
00440DEE  |.  894C24 1C    MOV DWORD PTR SS:[ESP+1C], ECX
00440DF2  |.  895424 18    MOV DWORD PTR SS:[ESP+18], EDX
00440DF6  |.  85ED       TEST EBP, EBP                                           ;  << Inserito un seriale ?
00440DF8  |.  74 0A       JE SHORT Uedit32.00440E04
00440DFA  |.  C705 E82AD000>MOV DWORD PTR DS:[D02AE8], 1                            ;  << si, inserito !
00440E04  |>  C700 00000000 MOV DWORD PTR DS:[EAX], 0                               ;  << azzera il 2A
00440E0A  |.  8BC7       MOV EAX, EDI                                           ;  << userName
00440E0C  |.  8D50 01    LEA EDX, DWORD PTR DS:[EAX+1]
00440E0F  |.  90          NOP
00440E10  |>  8A08       /MOV CL, BYTE PTR DS:[EAX]
00440E12  |.  40          |INC EAX
00440E13  |.  84C9       |TEST CL, CL
00440E15  |.^ 75 F9       \JNZ SHORT Uedit32.00440E10
00440E17  |.  2BC2       SUB EAX, EDX
00440E19  |.  83F8 06    CMP EAX, 6                                              ;  << Verifica che la lunghezza dello userName sia almeno 6
00440E1C  |.  0F82 EA010000 JB Uedit32.0044100C
00440E22  |.  8BC5       MOV EAX, EBP                                           ;  << Seriale
00440E24  |.  8D50 01    LEA EDX, DWORD PTR DS:[EAX+1]
00440E27  |>  8A08       /MOV CL, BYTE PTR DS:[EAX]
00440E29  |.  40          |INC EAX
00440E2A  |.  84C9       |TEST CL, CL
00440E2C  |.^ 75 F9       \JNZ SHORT Uedit32.00440E27
00440E2E  |.  2BC2       SUB EAX, EDX
00440E30  |.  83F8 2F    CMP EAX, 2F                                              ;  << La lunghezza del seriale deve essere almeno 47
00440E33  |.  0F82 D3010000 JB Uedit32.0044100C
00440E39  |.  6A 3B       PUSH 3B                                                 ;  << Dimensione area da riempire
00440E3B  |.  8D4424 75    LEA EAX, DWORD PTR SS:[ESP+75]
00440E3F  |.  6A 00       PUSH 0                                                 ;  << carattere con cui riempire
00440E41  |.  50          PUSH EAX                                                 ;  << indirizzo da riempire
00440E42  |.  C64424 23 01  MOV BYTE PTR SS:[ESP+23], 1                            ;  << segna un flag
00440E47  |.  884C24 7C    MOV BYTE PTR SS:[ESP+7C], CL                            ;  << azzera il primo byte
00440E4B  |.  E8 A00E5900 CALL <Uedit32.FillWithZero>                            ;  << entro
00440E50  |.  68 FF010000 PUSH 1FF                                                 ;  << dimensione ( 511 bytes )
00440E55  |.  8D8C24 BD0000>LEA ECX, DWORD PTR SS:[ESP+BD]
00440E5C  |.  6A 00       PUSH 0                                                 ;  << carattere di riempimento
00440E5E  |.  51          PUSH ECX                                                 ;  << indirizzo da riempire ( 0024F9D1 ) - per copia userName
00440E5F  |.  C68424 C40000>MOV BYTE PTR SS:[ESP+C4], 0                            ;  << azzera il primo byte
00440E67  |.  E8 840E5900 CALL <Uedit32.FillWithZero>
00440E6C  |.  57          PUSH EDI                                                 ;  << push nome utente
00440E6D  |.  8D9424 C80000>LEA EDX, DWORD PTR SS:[ESP+C8]
00440E74  |.  68 00020000 PUSH 200                                                 ;  << 200h = 512d (max len username)
00440E79  |.  52          PUSH EDX                                                 ;  << indirizzo appena svuotato (il primo dei due)
00440E7A  |.  E8 F6335900 CALL <Uedit32.CopiaStringa>                            ;  << Copia UserName
00440E7F  |.  57          PUSH EDI                                                 ;  << push nome utente
00440E80  |.  8D4424 7C    LEA EAX, DWORD PTR SS:[ESP+7C]                         ;  << 0024F978
00440E84  |.  55          PUSH EBP                                                 ;  << push seriale
00440E85  |.  50          PUSH EAX                                                 ;  << push indirizzo (doppio ptr. a zona in cui andranno scritte le info dei match
00440E86  |.  E8 F5E8FFFF CALL <Uedit32.GenerazioneVettoreEdEstrazioneStringa>    ;  << entro
00440E8B  |.  83C4 30    ADD ESP, 30
00440E8E  |.  837C24 6C 10  CMP DWORD PTR SS:[ESP+6C], 10                            ;  << lungh. del serial  == 16 ?
00440E93  |.  8B4424 58    MOV EAX, DWORD PTR SS:[ESP+58]                         ;  << Stringa estratta dal seriale
00440E97  |.  C78424 B80200>MOV DWORD PTR SS:[ESP+2B8], 0                            ;  << 0
00440EA2  |.  73 04       JNB SHORT Uedit32.00440EA8                               ;  v
00440EA4  |.  8D4424 58    LEA EAX, DWORD PTR SS:[ESP+58]
00440EA8  |>  50          PUSH EAX                                                 ; /<< push stringa estratta dal seriale
00440EA9  |.  8D4C24 74    LEA ECX, DWORD PTR SS:[ESP+74]                         ; |
00440EAD  |.  6A 3C       PUSH 3C                                                 ; |<< dimensione stringa
00440EAF  |.  51          PUSH ECX                                                 ; |<< dove copiarla (sopra il nome utente)
00440EB0  |.  E8 C0335900 CALL <Uedit32.CopiaStringa>                            ; \CopiaStringa
00440EB5  |.  83C4 0C    ADD ESP, 0C
00440EB8  |.  68 409CAD00 PUSH Uedit32.00AD9C40                                  ; /pModule = "kernel32.dll"
00440EBD  |.  FF15 EC35AD00 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]       ; \GetModuleHandleA
00440EC3  |.  8D5424 44    LEA EDX, DWORD PTR SS:[ESP+44]                         ;  << ind. pSystemTime2
00440EC7  |.  8BF0       MOV ESI, EAX                                           ;  << salva kernel32.ll imagebase
00440EC9  |.  52          PUSH EDX
00440ECA  |.  8D4424 38    LEA EAX, DWORD PTR SS:[ESP+38]                         ;  << pSystemTime
00440ECE  |.  50          PUSH EAX
00440ECF  |.  8D4C24 2C    LEA ECX, DWORD PTR SS:[ESP+2C]                         ;  << currentSystemTime
00440ED3  |.  51          PUSH ECX
00440ED4  |.  E8 67A6FFFF CALL <Uedit32.SystemTime_FileTime>                      ;  << Determina Data Corrente (in SystemTime) + altro che non ci interessa (Generazione 2 FileTime e loro conversione in SystemTime)
00440ED9  |.  8D5424 30    LEA EDX, DWORD PTR SS:[ESP+30]                         ;  << otr. a currentSystemTime
00440EDD  |.  56          PUSH ESI
00440EDE  |.  52          PUSH EDX                                                 ;  << push currentSysTime
00440EDF  |.  E8 8708FCFF CALL <Uedit32.DataCorrenteInFileTime>                   ;  <<
00440EE4  |.  8D4424 48    LEA EAX, DWORD PTR SS:[ESP+48]                         ;  << pSystemTime
00440EE8  |.  50          PUSH EAX                                                 ;  << pSystemTime
00440EE9  |.  E8 0A09FCFF CALL <Uedit32.AltraDataInFileTime>                      ;  << non ci interessa
00440EEE  |.  8D4C24 5C    LEA ECX, DWORD PTR SS:[ESP+5C]                         ;  << pSystemTime2
00440EF2  |.  51          PUSH ECX                                                 ;  << pSystemTime2
00440EF3  |.  E8 120CFCFF CALL Uedit32.00401B0A                                  ;  << non ci interessa
00440EF8  |.  68 00001500 PUSH 150000                                              ;  << Push Versione programma !!!
00440EFD  |.  E8 7509FCFF CALL <Uedit32.DoBSWAP_Parametro>                         ;  << bswap della versione del programma
00440F02  |.  8D9424 CC0000>LEA EDX, DWORD PTR SS:[ESP+CC]                         ;  << username
00440F09  |.  52          PUSH EDX
00440F0A  |.  8D8424 940000>LEA EAX, DWORD PTR SS:[ESP+94]                         ;  << stringa estratta da seriale
00440F11  |.  50          PUSH EAX
00440F12  |.  E8 8B09FCFF CALL <Uedit32.DeterminaMatchEStabilisciReg>
00440F17  |.  8B1D 96104000 MOV EBX, DWORD PTR DS:[<controllo>]                      ;  << Salva il valore della dword di controllo >> in EBX (la call modifica la dword in oggetto per altri scopi)
00440F1D  |.  83C4 28    ADD ESP, 28
00440F20  |.  E8 5705FCFF CALL <Uedit32.divisione_qword>                         ;  << seconda divisione quadword (non ci interessa particolarmente)
00440F25  |.  8BF3       MOV ESI, EBX                                           ;  << la call precedente NON modifica EBX
00440F27  |.  C1EE 10    SHR ESI, 10
00440F2A  |.  8BCB       MOV ECX, EBX                                           ;  << nuova copia di EBX
00440F2C  |.  80E1 0F    AND CL, 0F                                              ;  << ultimo char esadecimale (ultimo mezzo byte)
00440F2F  |.  81E6 FF010000 AND ESI, 1FF                                           ;  << and esi, 1FF
00440F35  |.  80F9 01    CMP CL, 1                                              ;  << CL deve essere = 1
00440F38  |.  74 05       JE SHORT Uedit32.00440F3F
00440F3A  |.  C64424 17 00  MOV BYTE PTR SS:[ESP+17], 0                            ;  << :(
00440F3F  |>  F7C3 00400000 TEST EBX, 4000                                           ;  << test
00440F45  |.  74 0A       JE SHORT Uedit32.00440F51
00440F47  |.  F6C3 40    TEST BL, 40
00440F4A  |.  75 05       JNZ SHORT Uedit32.00440F51
00440F4C  |.  C64424 17 00  MOV BYTE PTR SS:[ESP+17], 0                            ;  << :(
00440F51  |>  F7C3 00000020 TEST EBX, 20000000                                     ;  << test EBX 20.000.000
00440F57  |.  74 05       JE SHORT Uedit32.00440F5E
00440F59  |.  C64424 17 00  MOV BYTE PTR SS:[ESP+17], 0                            ;  << :(
00440F5E  |>  51          PUSH ECX                                                 ;  << push valore 'iniziale' della dword di controllo
00440F5F  |.  8BCC       MOV ECX, ESP
00440F61  |.  896424 24    MOV DWORD PTR SS:[ESP+24], ESP
00440F65  |.  57          PUSH EDI                                                 ;  << nome utente
00440F66  |.  C705 A055D000>MOV DWORD PTR DS:[<flag_fine_reg>], 1                   ;  << flag
00440F70  |.  E8 EBA4FCFF CALL <Uedit32.CodificaInformazioneInLicenza>             ;  << dovrebbe salvare le info di username nel file di licenza
00440F75  |.  B9 8455D000 MOV ECX, OFFSET <Uedit32.costante_usata_spesso>
00440F7A  |.  E8 61DAFFFF CALL Uedit32.0043E9E0
00440F7F  |.  51          PUSH ECX
00440F80  |.  8BCC       MOV ECX, ESP
00440F82  |.  896424 24    MOV DWORD PTR SS:[ESP+24], ESP
00440F86  |.  55          PUSH EBP                                                 ;  << push seriale
00440F87  |.  E8 D4A4FCFF CALL <Uedit32.CodificaInformazioneInLicenza>
00440F8C  |.  B9 8455D000 MOV ECX, OFFSET <Uedit32.costante_usata_spesso>
00440F91  |.  E8 BADAFFFF CALL Uedit32.0043EA50
00440F96  |.  B9 8455D000 MOV ECX, OFFSET <Uedit32.costante_usata_spesso>
00440F9B  |.  8935 8C55D000 MOV DWORD PTR DS:[D0558C], ESI
00440FA1  |.  891D 9055D000 MOV DWORD PTR DS:[D05590], EBX
00440FA7  |.  E8 C47C2100 CALL Uedit32.00658C70
00440FAC  |.  807C24 17 00  CMP BYTE PTR SS:[ESP+17], 0                            ;  << byte di registrazione
00440FB1  |.  0FB6D0       MOVZX EDX, AL
00440FB4  |.  8915 9855D000 MOV DWORD PTR DS:[D05598], EDX
00440FBA  |.  74 36       JE SHORT Uedit32.00440FF2
00440FBC  |.  81FE 7C010000 CMP ESI, 17C                                           ;  << *** DEVE SALTARE PER NON MOSTRARE LA NAG (dipende dal valore di "controllo")
00440FC2  |.  72 2E       JB SHORT Uedit32.00440FF2                               ;  v
00440FC4  |.  F6C3 40    TEST BL, 40
00440FC7  |.  75 29       JNZ SHORT Uedit32.00440FF2
00440FC9  |.  8B4424 18    MOV EAX, DWORD PTR SS:[ESP+18]
00440FCD  |.  8B4C24 24    MOV ECX, DWORD PTR SS:[ESP+24]
00440FD1  |.  8B5424 28    MOV EDX, DWORD PTR SS:[ESP+28]
00440FD5  |.  C700 01000000 MOV DWORD PTR DS:[EAX], 1
00440FDB  |.  8B4424 1C    MOV EAX, DWORD PTR SS:[ESP+1C]                         ;  Uedit32.004461A0
00440FDF  |.  8908       MOV DWORD PTR DS:[EAX], ECX
00440FE1  |.  8B4C24 2C    MOV ECX, DWORD PTR SS:[ESP+2C]
00440FE5  |.  8950 04    MOV DWORD PTR DS:[EAX+4], EDX
00440FE8  |.  8B5424 30    MOV EDX, DWORD PTR SS:[ESP+30]
00440FEC  |.  8948 08    MOV DWORD PTR DS:[EAX+8], ECX
00440FEF  |.  8950 0C    MOV DWORD PTR DS:[EAX+C], EDX
00440FF2  |>  837C24 6C 10  CMP DWORD PTR SS:[ESP+6C], 10                            ;  << lungh. del seriale
00440FF7  |.  72 0D       JB SHORT Uedit32.00441006
00440FF9  |.  8B4424 58    MOV EAX, DWORD PTR SS:[ESP+58]                         ;  << stringa estratta da seriale
00440FFD  |.  50          PUSH EAX                                                 ;  << push stringa estratta
00440FFE  |.  E8 4CB54000 CALL <Uedit32.FreeString>
00441003  |.  83C4 04    ADD ESP, 4
00441006  |>  8A4424 17    MOV AL, BYTE PTR SS:[ESP+17]                            ;  << stato di registrazione
0044100A  |.  EB 02       JMP SHORT Uedit32.0044100E
0044100C  |>  32C0       XOR AL, AL
0044100E  |>  8B8C24 B00200>MOV ECX, DWORD PTR SS:[ESP+2B0]
00441015  |.  64:890D 00000>MOV DWORD PTR FS:[0], ECX
0044101C  |.  59          POP ECX                                                 ;  017459B8
0044101D  |.  5F          POP EDI                                                 ;  017459B8
0044101E  |.  5E          POP ESI                                                 ;  017459B8
0044101F  |.  5D          POP EBP                                                 ;  017459B8
00441020  |.  5B          POP EBX                                                 ;  017459B8
00441021  |.  8B8C24 980200>MOV ECX, DWORD PTR SS:[ESP+298]                         ;  USER32.77D18808
00441028  |.  33CC       XOR ECX, ESP
0044102A  |.  E8 09FD5800 CALL Uedit32.009D0D38                                  ;  << non ci interessa
0044102F  |.  81C4 A8020000 ADD ESP, 2A8
00441035  \.  C3          RETN

GenerazioneVettoreEdEstrazioneStringa
-------------------------------------------
0043F780 >/$  6A FF       PUSH -1
0043F782  |.  68 A288A500 PUSH Uedit32.00A588A2
0043F787  |.  64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
0043F78D  |.  50          PUSH EAX
0043F78E  |.  81EC 100A0000 SUB ESP, 0A10                                           ;  << 2576
0043F794  |.  A1 3CFECF00 MOV EAX, DWORD PTR DS:[CFFE3C]
0043F799  |.  33C4       XOR EAX, ESP
0043F79B  |.  898424 0C0A00>MOV DWORD PTR SS:[ESP+A0C], EAX
0043F7A2  |.  53          PUSH EBX
0043F7A3  |.  55          PUSH EBP
0043F7A4  |.  56          PUSH ESI
0043F7A5  |.  57          PUSH EDI
0043F7A6  |.  A1 3CFECF00 MOV EAX, DWORD PTR DS:[CFFE3C]
0043F7AB  |.  33C4       XOR EAX, ESP
0043F7AD  |.  50          PUSH EAX
0043F7AE  |.  8D8424 240A00>LEA EAX, DWORD PTR SS:[ESP+A24]
0043F7B5  |.  64:A3 0000000>MOV DWORD PTR FS:[0], EAX
0043F7BB  |.  8BAC24 340A00>MOV EBP, DWORD PTR SS:[ESP+A34]                         ;  Uedit32.00730065
0043F7C2  |.  8BBC24 380A00>MOV EDI, DWORD PTR SS:[ESP+A38]                         ;  << serial
0043F7C9  |.  8BB424 3C0A00>MOV ESI, DWORD PTR SS:[ESP+A3C]                         ;  << username
0043F7D0  |.  33DB       XOR EBX, EBX                                           ;  << EBX := 0
0043F7D2  |.  6A 3B       PUSH 3B                                                 ;  << dimensione da riempire
0043F7D4  |.  8D8424 E90900>LEA EAX, DWORD PTR SS:[ESP+9E9]
0043F7DB  |.  53          PUSH EBX                                                 ;  << carattere di riempimento
0043F7DC  |.  895C24 1C    MOV DWORD PTR SS:[ESP+1C], EBX                         ;  << azzera primo byte
0043F7E0  |.  50          PUSH EAX                                                 ;  << ind. da riempire
0043F7E1  |.  899C24 380A00>MOV DWORD PTR SS:[ESP+A38], EBX                         ;  << zero
0043F7E8  |.  896C24 28    MOV DWORD PTR SS:[ESP+28], EBP
0043F7EC  |.  889C24 F00900>MOV BYTE PTR SS:[ESP+9F0], BL                            ;  << azzero primo byte
0043F7F3  |.  E8 F8245900 CALL <Uedit32.FillWithZero>                            ;  << Libera zona per copiare il seriale
0043F7F8  |.  57          PUSH EDI                                                 ; |<< Seriale
0043F7F9  |.  8D8C24 F40900>LEA ECX, DWORD PTR SS:[ESP+9F4]                         ; |
0043F800  |.  6A 3C       PUSH 3C                                                 ; |<< 60
0043F802  |.  51          PUSH ECX                                                 ; |<< dove copiare il seriale
0043F803  |.  E8 6D4A5900 CALL <Uedit32.CopiaStringa>                            ; \CopiaStringa
0043F808  |.  8BC6       MOV EAX, ESI                                           ;  << Nome Utente
0043F80A  |.  83C4 18    ADD ESP, 18
0043F80D  |.  33D2       XOR EDX, EDX                                           ;  <<< EDX := 0
0043F80F  |.  8D78 01    LEA EDI, DWORD PTR DS:[EAX+1]                            ;  << calcola len username
0043F812  |>  8A08       /MOV CL, BYTE PTR DS:[EAX]
0043F814  |.  40          |INC EAX
0043F815  |.  3ACB       |CMP CL, BL
0043F817  |.^ 75 F9       \JNZ SHORT Uedit32.0043F812
0043F819  |.  2BC7       SUB EAX, EDI                                           ;  << EAX = lungh. username
0043F81B  |.  33C9       XOR ECX, ECX                                           ;  ECX := 0
0043F81D  |.  3BC3       CMP EAX, EBX                                           ;  << Hai specificato un userName ?
0043F81F  |.  7E 0B       JLE SHORT Uedit32.0043F82C                               ;  << se si' non salta
0043F821  |>  0FBE3C0E    /MOVSX EDI, BYTE PTR DS:[ESI+ECX]                      ;  << Hash username - serve ad inizializzare il vettore
0043F825  |.  41          |INC ECX
0043F826  |.  03D7       |ADD EDX, EDI
0043F828  |.  3BC8       |CMP ECX, EAX
0043F82A  |.^ 7C F5       \JL SHORT Uedit32.0043F821
0043F82C  |>  81CA 221AF704 OR EDX, 4F71A22                                        ;  << Somma i caratteri del nome utente ed effettua OR con costante
0043F832  |.  52          PUSH EDX                                                 ;  << push hash utente ( 04F71E7A per Virtual Killer )
0043F833  |.  8D4C24 24    LEA ECX, DWORD PTR SS:[ESP+24]                         ;  << ind. vettore
0043F837  |.  E8 B4542100 CALL <Uedit32.GenerazioneVettoreIniziale>                ;  << Genera un vettore iniziale in base all'hash utente calcolato
0043F83C  |.  53          PUSH EBX                                                 ;  << 0
0043F83D  |.  C745 18 0F000>MOV DWORD PTR SS:[EBP+18], 0F                            ;  << 15
0043F844  |.  895D 14    MOV DWORD PTR SS:[EBP+14], EBX                         ;  << 0
0043F847  |.  68 F046AD00 PUSH Uedit32.00AD46F0
0043F84C  |.  8BCD       MOV ECX, EBP
0043F84E  |.  885D 04    MOV BYTE PTR SS:[EBP+4], BL                            ;  << 0
0043F851  |.  E8 AA50FCFF CALL <Uedit32.NonImportante1>                            ;  << entro
0043F856  |.  B0 30       MOV AL, 30                                              ;  << '0'
0043F858  |.  BF 01000000 MOV EDI, 1                                              ;  << EDI := 1
0043F85D  |.  899C24 2C0A00>MOV DWORD PTR SS:[ESP+A2C], EBX                         ;  << 0
0043F864  |.  897C24 14    MOV DWORD PTR SS:[ESP+14], EDI                         ;  << 1
0043F868  |.  888424 E80900>MOV BYTE PTR SS:[ESP+9E8], AL                            ;  << Ignora il quinto carattere di ogni sotto-gruppo
0043F86F  |.  888424 EE0900>MOV BYTE PTR SS:[ESP+9EE], AL
0043F876  |.  888424 F40900>MOV BYTE PTR SS:[ESP+9F4], AL
0043F87D  |.  888424 FA0900>MOV BYTE PTR SS:[ESP+9FA], AL
0043F884  |.  888424 000A00>MOV BYTE PTR SS:[ESP+A00], AL
0043F88B  |.  888424 060A00>MOV BYTE PTR SS:[ESP+A06], AL
0043F892  |.  888424 0C0A00>MOV BYTE PTR SS:[ESP+A0C], AL
0043F899  |.  888424 120A00>MOV BYTE PTR SS:[ESP+A12], AL
0043F8A0  |.  8DB424 E40900>LEA ESI, DWORD PTR SS:[ESP+9E4]                         ;  << seriale
0043F8A7  |.  389C24 E40900>CMP BYTE PTR SS:[ESP+9E4], BL                            ;  << finito ?
0043F8AE  |.  74 4A       JE SHORT Uedit32.0043F8FA
0043F8B0  |>  803E 2D    /CMP BYTE PTR DS:[ESI], 2D                               ;  << trovato il trattino ?
0043F8B3  |.  74 40       |JE SHORT Uedit32.0043F8F5                               ;  << ignora il trattino
0043F8B5  |.  8D4C24 20    |LEA ECX, DWORD PTR SS:[ESP+20]                         ;  << vettore_inizializzazione
0043F8B9  |.  E8 02532100 |CALL <Uedit32.LookupInVettore_conRicalcolo>
0043F8BE  |.  33D2       |XOR EDX, EDX                                           ;  << EDX := 0
0043F8C0  |.  B9 0A000000 |MOV ECX, 0A                                           ;  << ECX := 0A (10)
0043F8C5  |.  F7F1       |DIV ECX                                                 ;  << divisione di EAX (restituito da CALL) per 0A e il resto in EDX
0043F8C7  |.  8A06       |MOV AL, BYTE PTR DS:[ESI]                               ;  << AL := carattere del seriale
0043F8C9  |.  2AC2       |SUB AL, DL                                              ;  << sottrai ad esso il resto
0043F8CB  |.  2C 41       |SUB AL, 41                                              ;  << e 41h ('A')
0043F8CD  |.  0FBED0       |MOVSX EDX, AL                                           ;  << a questo punto EDX := AL
0043F8D0  |.  0FB682 54A0AD>|MOVZX EAX, BYTE PTR DS:[EDX+ADA054]                   ;  << Lookup di valore in 'X6A3KVMOQ8D2HCPI'
0043F8D7  |.  884424 18    |MOV BYTE PTR SS:[ESP+18], AL                            ;  << salva poi il valore lookup-ato (BYTE ptr)
0043F8DB  |.  8B4C24 18    |MOV ECX, DWORD PTR SS:[ESP+18]                         ;  << ... e lo copia in ECX (tutta la dword pero')
0043F8DF  |.  51          |PUSH ECX                                              ;  << PUSH di questo valore
0043F8E0  |.  6A 01       |PUSH 1                                                 ;  << 1
0043F8E2  |.  8BCD       |MOV ECX, EBP                                           ;  << Dove salvare il carattere lookup-ato
0043F8E4  |.  E8 27B8FDFF |CALL <Uedit32.SalvaCarattereLookup>                   ;  <<
0043F8E9  |.  47          |INC EDI                                                 ;  << prox char
0043F8EA  |.  83FF 05    |CMP EDI, 5                                              ;  << finito un sottogruppo ?
0043F8ED  |.  75 06       |JNZ SHORT Uedit32.0043F8F5
0043F8EF  |.  BF 01000000 |MOV EDI, 1                                              ;  << riparte da 1 per EDI
0043F8F4  |.  46          |INC ESI
0043F8F5  |>  46          |INC ESI
0043F8F6  |.  381E       |CMP BYTE PTR DS:[ESI], BL                               ;  << finito il seriale ?
0043F8F8  |.^ 75 B6       \JNZ SHORT Uedit32.0043F8B0
0043F8FA  |>  8BC5       MOV EAX, EBP
0043F8FC  |.  8B8C24 240A00>MOV ECX, DWORD PTR SS:[ESP+A24]
0043F903  |.  64:890D 00000>MOV DWORD PTR FS:[0], ECX
0043F90A  |.  59          POP ECX                                                 ;  017459B8
0043F90B  |.  5F          POP EDI                                                 ;  017459B8
0043F90C  |.  5E          POP ESI                                                 ;  017459B8
0043F90D  |.  5D          POP EBP                                                 ;  017459B8
0043F90E  |.  5B          POP EBX                                                 ;  017459B8
0043F90F  |.  8B8C24 0C0A00>MOV ECX, DWORD PTR SS:[ESP+A0C]                         ;  Uedit32.0078005F
0043F916  |.  33CC       XOR ECX, ESP
0043F918  |.  E8 1B145900 CALL Uedit32.009D0D38                                  ;  << non interessante
0043F91D  |.  81C4 1C0A0000 ADD ESP, 0A1C
0043F923  \.  C3          RETN

  GenerazioneVettoreIniziale
  -----------------------------------
   00654CF0 >/$  8B4424 04    MOV EAX, DWORD PTR SS:[ESP+4]
   00654CF4  |.  50          PUSH EAX                                                 ;  << push parametro passato (la prima volta ?"hash utente")
   00654CF5  |.  C781 C0090000>MOV DWORD PTR DS:[ECX+9C0], 271                         ;  << dimensione vettore inizializzazione (prima del seriale)
   00654CFF  |.  E8 CCFDFFFF CALL <Uedit32.ElaboraVettore_0024EEE0>
   00654D04  |.  8BC1       MOV EAX, ECX                                           ;  << EAX := indirizzo vettore calcolato
   00654D06  \.  C2 0400    RETN 4

   ElaboraVettore_0024EEE0
   ------------------------------------------------
      00654AD0 <>/$  8B5424 04    MOV EDX, DWORD PTR SS:[ESP+4]                            ;  << Parametro (inizialmente hash utente)
      00654AD4 |.  56          PUSH ESI                                                 ;  << nome utente
      00654AD5 |.  57          PUSH EDI                                                 ;  << 2E = 46
      00654AD6 |.  8D41 08    LEA EAX, DWORD PTR DS:[ECX+8]
      00654AD9 |.  BE 68000000 MOV ESI, 68                                              ;  << esi := 68h (iterazioni ciclo)
      00654ADE |.  8BFF       MOV EDI, EDI                                           ;  ??? inutile ???
      00654AE0 |>  8BFA       MOV EDI, EDX                      ; Prima DWORD
      00654AE2 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD                                     ;  << EDX :=  ( EDX * 10DCDh )
      00654AE8 |.  81E7 0000FFFF AND EDI, FFFF0000                                        ;  << EDI := lascia solo HIWORD(EDX)
      00654AEE |.  42          INC EDX                                                 ;  << EDX += 1
      00654AEF |.  8978 F8    MOV DWORD PTR DS:[EAX-8], EDI                            ;  << salva EDI
      00654AF2 |.  8BFA       MOV EDI, EDX                                           ;  << EDI := EDX
      00654AF4 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD                                     ;  << EDX := EDX * 10DCDh
      00654AFA |.  C1EF 10    SHR EDI, 10                                              ;  << EDI := EDI / 2^16 (recupera parte alta della dword)
      00654AFD |.  0978 F8    OR DWORD PTR DS:[EAX-8], EDI                            ;  << OR-ing della dword appena scritta
      00654B00 |.  42          INC EDX                                                 ;  << edx++
      00654B01 |.  8BFA       MOV EDI, EDX                                           ;  << ESEGUE GLI STESSI DUE PASSI per la prossima dword>>
      00654B03 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B09 |.  81E7 0000FFFF AND EDI, FFFF0000
      00654B0F |.  42          INC EDX
      00654B10 |.  8978 FC    MOV DWORD PTR DS:[EAX-4], EDI             ; Seconda Dword
      00654B13 |.  8BFA       MOV EDI, EDX
      00654B15 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B1B |.  C1EF 10    SHR EDI, 10
      00654B1E |.  0978 FC    OR DWORD PTR DS:[EAX-4], EDI
      00654B21 |.  42          INC EDX
      00654B22 |.  8BFA       MOV EDI, EDX                                           ;  << terza dword
      00654B24 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B2A |.  81E7 0000FFFF AND EDI, FFFF0000
      00654B30 |.  42          INC EDX
      00654B31 |.  8938       MOV DWORD PTR DS:[EAX], EDI
      00654B33 |.  8BFA       MOV EDI, EDX
      00654B35 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B3B |.  C1EF 10    SHR EDI, 10
      00654B3E |.  0938       OR DWORD PTR DS:[EAX], EDI
      00654B40 |.  42          INC EDX
      00654B41 |.  8BFA       MOV EDI, EDX                                           ;  << quarta dword
      00654B43 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B49 |.  81E7 0000FFFF AND EDI, FFFF0000
      00654B4F |.  42          INC EDX
      00654B50 |.  8978 04    MOV DWORD PTR DS:[EAX+4], EDI
      00654B53 |.  8BFA       MOV EDI, EDX
      00654B55 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B5B |.  C1EF 10    SHR EDI, 10
      00654B5E |.  0978 04    OR DWORD PTR DS:[EAX+4], EDI
      00654B61 |.  42          INC EDX
      00654B62 |.  8BFA       MOV EDI, EDX                                           ;  << quinta dword
      00654B64 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B6A |.  81E7 0000FFFF AND EDI, FFFF0000
      00654B70 |.  42          INC EDX
      00654B71 |.  8978 08    MOV DWORD PTR DS:[EAX+8], EDI
      00654B74 |.  8BFA       MOV EDI, EDX
      00654B76 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B7C |.  C1EF 10    SHR EDI, 10
      00654B7F |.  0978 08    OR DWORD PTR DS:[EAX+8], EDI
      00654B82 |.  42          INC EDX                                                 ;  << sesta dword
      00654B83 |.  8BFA       MOV EDI, EDX
      00654B85 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B8B |.  81E7 0000FFFF AND EDI, FFFF0000
      00654B91 |.  42          INC EDX
      00654B92 |.  8978 0C    MOV DWORD PTR DS:[EAX+C], EDI
      00654B95 |.  8BFA       MOV EDI, EDX
      00654B97 |.  69D2 CD0D0100 IMUL EDX, EDX, 10DCD
      00654B9D |.  C1EF 10    SHR EDI, 10
      00654BA0 |.  0978 0C    OR DWORD PTR DS:[EAX+C], EDI
      00654BA3 |.  42          INC EDX
      00654BA4 |.  83C0 18    ADD EAX, 18                                              ;  << passa alle prossime 6 dword
      00654BA7 |.  83EE 01    SUB ESI, 1                                              ;  << decremento contatore ciclo
      00654BAA |.^ 0F85 30FFFFFF JNZ Uedit32.00654AE0                                     ;  << continua ciclo
      00654BB0 |.  5F          POP EDI                                                 ;  021896D0
      00654BB1 |.  C781 C0090000>MOV DWORD PTR DS:[ECX+9C0], 270                         ;  << segna inizializzazione in posizione prima di seriale
      00654BBB |.  5E          POP ESI                                                 ;  021896D0
      00654BBC \.  C2 0400    RETN 4



  LookupInVettore_conRicalcolo
  -------------------------------------

  00654BC0 >/$  8B81 C0090000 MOV EAX, DWORD PTR DS:[ECX+9C0]                         ;  << dword before serial ... (9C0 = array size)
  00654BC6  |.  3D 70020000 CMP EAX, 270                                           ;  << execute the two subloops ?
  00654BCB  |.  0F82 BB000000 JB Uedit32.00654C8C                                     ;  << no.
  00654BD1  |.  3D 71020000 CMP EAX, 271                                           ;  << Array initialized ? (270h = 624d = # of array dword )
  00654BD6  |.  75 0A       JNZ SHORT Uedit32.00654BE2                               ;  v
  00654BD8  |.  68 05110000 PUSH 1105
  00654BDD  |.  E8 EEFEFFFF CALL <Uedit32.ElaboraVettore_0024EEE0>
  00654BE2  |>  33C0       XOR EAX, EAX                                           ;  << EAX := 0
  00654BE4  |.  56          PUSH ESI                                                 ;  << serial
  00654BE5  |>  8B5481 04    /MOV EDX, DWORD PTR DS:[ECX+EAX*4+4]                   ;  << array Lookup (ECX = array address) - offset +4
  00654BE9  |.  331481       |XOR EDX, DWORD PTR DS:[ECX+EAX*4]                      ;  << XOR with previous dword
  00654BEC  |.  40          |INC EAX                                                 ;  << EAX++
  00654BED  |.  81E2 FFFFFF7F |AND EDX, 7FFFFFFF                                     ;  Filter on high byte
  00654BF3  |.  335481 FC    |XOR EDX, DWORD PTR DS:[ECX+EAX*4-4]                   ;  << XOR with even previous dword (first time is array start)
  00654BF7  |.  8BF2       |MOV ESI, EDX                                           ;  << ESI := resulted value
  00654BF9  |.  D1EA       |SHR EDX, 1                                              ;  << EDX / 2
  00654BFB  |.  83E6 01    |AND ESI, 1                                              ;  << ESI = 0/1
  00654BFE  |.  3314B5 C426C2>|XOR EDX, DWORD PTR DS:[ESI*4+C226C4]                   ;  << XOR with 9908B0DFh or with 0 ( if ESI = 0 --> xor with 0 )
  00654C05  |.  339481 300600>|XOR EDX, DWORD PTR DS:[ECX+EAX*4+630]                   ;  << xor with another lookup value
  00654C0C  |.  895481 FC    |MOV DWORD PTR DS:[ECX+EAX*4-4], EDX                   ;  << save value in first of used 3 dwords
  00654C10  |.  3D E3000000 |CMP EAX, 0E3                                           ;  << Loop for 0E3 = 227 times
  00654C15  |.^ 72 CE       \JB SHORT Uedit32.00654BE5
  00654C17  |.  3D 6F020000 CMP EAX, 26F                                           ;  << Already executed second loop ?
  00654C1C  |.  73 34       JNB SHORT Uedit32.00654C52
  00654C1E  |.  8BFF       MOV EDI, EDI                                           ;  << reset flags
  00654C20  |>  8B5481 04    /MOV EDX, DWORD PTR DS:[ECX+EAX*4+4]                   ;  << EAX Starts from 0E3. lookup
  00654C24  |.  331481       |XOR EDX, DWORD PTR DS:[ECX+EAX*4]                      ;  xor
  00654C27  |.  40          |INC EAX                                                 ;  << EAX ++
  00654C28  |.  81E2 FFFFFF7F |AND EDX, 7FFFFFFF
  00654C2E  |.  335481 FC    |XOR EDX, DWORD PTR DS:[ECX+EAX*4-4]
  00654C32  |.  8BF2       |MOV ESI, EDX
  00654C34  |.  D1EA       |SHR EDX, 1
  00654C36  |.  83E6 01    |AND ESI, 1
  00654C39  |.  3314B5 C426C2>|XOR EDX, DWORD PTR DS:[ESI*4+C226C4]
  00654C40  |.  339481 70FCFF>|XOR EDX, DWORD PTR DS:[ECX+EAX*4-390]                   ;  << this is the only change (in respect to first subloop)
  00654C47  |.  895481 FC    |MOV DWORD PTR DS:[ECX+EAX*4-4], EDX
  00654C4B  |.  3D 6F020000 |CMP EAX, 26F                                           ;  << loop for per (26F - 0E3) times
  00654C50  |.^ 72 CE       \JB SHORT Uedit32.00654C20
  00654C52  |>  8B81 BC090000 MOV EAX, DWORD PTR DS:[ECX+9BC]                         ;  <<
  00654C58  |.  3301       XOR EAX, DWORD PTR DS:[ECX]                            ;  << xor with first array dword
  00654C5A  |.  5E          POP ESI                                                 ;  021896D0
  00654C5B  |.  25 FFFFFF7F AND EAX, 7FFFFFFF                                        ;  << filter
  00654C60  |.  3381 BC090000 XOR EAX, DWORD PTR DS:[ECX+9BC]                         ;  << another xor
  00654C66  |.  8BD0       MOV EDX, EAX                                           ;  << EDX := EAX
  00654C68  |.  83E2 01    AND EDX, 1                                              ;  << EDX = 0/1
  00654C6B  |.  8B1495 C426C2>MOV EDX, DWORD PTR DS:[EDX*4+C226C4]                   ;  << EDX := 9908B0DFh or 0 ( if EDX = 0 --> xor with 0 )
  00654C72  |.  3391 30060000 XOR EDX, DWORD PTR DS:[ECX+630]                         ;  <<
  00654C78  |.  D1E8       SHR EAX, 1                                              ;  << EAX := EAX / 2
  00654C7A  |.  33D0       XOR EDX, EAX                                           ;  << Xor
  00654C7C  |.  8991 BC090000 MOV DWORD PTR DS:[ECX+9BC], EDX                         ;  << update specific value in array
  00654C82  |.  C781 C0090000>MOV DWORD PTR DS:[ECX+9C0], 0                            ;  << zero-out value at the end of array
  00654C8C  |>  8B81 C0090000 MOV EAX, DWORD PTR DS:[ECX+9C0]                         ;  << [ALWAYS EXECUTED] - value at array end
  00654C92  |.  8B1481       MOV EDX, DWORD PTR DS:[ECX+EAX*4]                      ;  << EDX := EAX-th array dword
  00654C95  |.  40          INC EAX                                                 ;  << EAX += 1
  00654C96  |.  8981 C0090000 MOV DWORD PTR DS:[ECX+9C0], EAX                         ;  << update dword at array end (current position in serial)
  00654C9C  |.  8BC2       MOV EAX, EDX                                           ;  << other math
  00654C9E  |.  C1E8 0B    SHR EAX, 0B
  00654CA1  |.  33D0       XOR EDX, EAX
  00654CA3  |.  8BCA       MOV ECX, EDX
  00654CA5  |.  81E1 AD583AFF AND ECX, FF3A58AD
  00654CAB  |.  C1E1 07    SHL ECX, 7
  00654CAE  |.  33D1       XOR EDX, ECX
  00654CB0  |.  8BC2       MOV EAX, EDX
  00654CB2  |.  25 8CDFFFFF AND EAX, FFFFDF8C
  00654CB7  |.  C1E0 0F    SHL EAX, 0F
  00654CBA  |.  33D0       XOR EDX, EAX
  00654CBC  |.  8BC2       MOV EAX, EDX
  00654CBE  |.  C1E8 12    SHR EAX, 12
  00654CC1  |.  33C2       XOR EAX, EDX                                           ;  << routine return value
  00654CC3  \.  C3          RETN

SystemTime_FileTime (determinazione data corrente)
----------------------------------
Di questa ci interessa solo la parte iniziale:
0043B540 >/$  83EC 20    SUB ESP, 20
0043B543  |.  8B4424 24    MOV EAX, DWORD PTR SS:[ESP+24]
0043B547  |.  56          PUSH ESI
0043B548  |.  50          PUSH EAX                                                 ; /pSystemTime = 017E0EC8
0043B549  |.  FF15 D035AD00 CALL DWORD PTR DS:[<&KERNEL32.GetSystemTime>]          ; \GetSystemTime
0043B54F  |.  8B0D 042BD000 MOV ECX, DWORD PTR DS:[D02B04]                         ;  << 0
0043B555  |.  8B15 002BD000 MOV EDX, DWORD PTR DS:[D02B00]                         ;  << 3970h
0043B55B  |.  6A 00       PUSH 0                                                 ;  << 0
0043B55D  |.  68 80510100 PUSH 15180                                              ;  << 15180 (86400 - secondi in un giorno)
0043B562  |.  51          PUSH ECX                                                 ;  << 0
0043B563  |.  52          PUSH EDX                                                 ;  << 3970h
0043B564  |.  E8 C7D15900 CALL <Uedit32.MoltiplicaConElaborazione>
0043B569  |.  894424 04    MOV DWORD PTR SS:[ESP+4], EAX                            ;  << 15180h * 3970h = 4BB92800
:
:
:
0043B5B4  |.  8B4424 30    MOV EAX, DWORD PTR SS:[ESP+30]                         ;  << pSystemTime2
0043B5B8  |.  50          PUSH EAX                                                 ; /pSystemTime = 017E0EC8
0043B5B9  |.  8D4C24 20    LEA ECX, DWORD PTR SS:[ESP+20]                         ; |
0043B5BD  |.  51          PUSH ECX                                                 ; |pFileTime = 0024FC0C
0043B5BE  |.  FFD6       CALL ESI                                                 ; \FileTimeToSystemTime
0043B5C0  |.  5E          POP ESI                                                 ;  017459B8
0043B5C1  |.  83C4 20    ADD ESP, 20
0043B5C4  \.  C3          RETN

DataCorrenteInFileTime
--------------------------------
0040176B > $  83EC 04    SUB ESP, 4
0040176E .  892C24       MOV DWORD PTR SS:[ESP], EBP                            ;  << seriale
00401771 .  54          PUSH ESP
00401772 .  5D          POP EBP                                                 ;  017459B8
00401773 .  83EC 10    SUB ESP, 10
00401776 .  50          PUSH EAX
00401777 .  53          PUSH EBX
00401778 .  51          PUSH ECX
00401779 .  E8 00000000 CALL Uedit32.0040177E                                  ;  << salta alla linea successiva
0040177E $  8F45 FC    POP DWORD PTR SS:[EBP-4]                               ;  017459B8
00401781 .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]                            ;  Uedit32.004461A0
00401784 .  81EB 72070000 SUB EBX, 772
0040178A .  8B45 0C    MOV EAX, DWORD PTR SS:[EBP+C]
0040178D .  8903       MOV DWORD PTR DS:[EBX], EAX
0040178F .  68 38F6FC10 PUSH 10FCF638
00401794 .  8B4D FC    MOV ECX, DWORD PTR SS:[EBP-4]                            ;  Uedit32.004461A0
00401797 .  81E9 82050000 SUB ECX, 582
0040179D .  50          PUSH EAX
0040179E .  E8 00000000 CALL Uedit32.004017A3
004017A3 $  58          POP EAX                                                 ;  017459B8
004017A4 .  83C0 09    ADD EAX, 9
004017A7 .  870424       XCHG DWORD PTR SS:[ESP], EAX
004017AA .- FFE1       JMP ECX                                                 ;  << WinVersionInfo + GetProcAddress per SysTimeToFileTime
004017AC .  83C4 04    ADD ESP, 4
004017AF .  89EB       MOV EBX, EBP
004017B1 .  83EB 10    SUB EBX, 10
004017B4 .  53          PUSH EBX
004017B5 .  FF75 08    PUSH DWORD PTR SS:[EBP+8]                               ;  << currentSystemTime
004017B8 .  50          PUSH EAX
004017B9 .  E8 00000000 CALL Uedit32.004017BE                                  ;  << chiama linea successiva
004017BE $  58          POP EAX                                                 ;  017459B8
004017BF .  83C0 09    ADD EAX, 9
004017C2 .  870424       XCHG DWORD PTR SS:[ESP], EAX                            ;  << ** Converte in FileTime la data corrente **
004017C5 .- FFE0       JMP EAX                                                 ;  << SystemTimeToFileTime - passando come parametro il primo valore
004017C7 .  89EB       MOV EBX, EBP
004017C9 .  83EB 10    SUB EBX, 10
004017CC .  53          PUSH EBX
004017CD .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]                            ;  Uedit32.004461A0
004017D0 .  81EB 5A070000 SUB EBX, 75A
004017D6 .  50          PUSH EAX                                                 ;  << 401024 - dove saltare
004017D7 .  E8 00000000 CALL Uedit32.004017DC                                  ;  << linea successiva
004017DC $  58          POP EAX                                                 ;  017459B8
004017DD .  83C0 09    ADD EAX, 9
004017E0 .  870424       XCHG DWORD PTR SS:[ESP], EAX
004017E3 .  FFE3       JMP EBX                                                 ;  << Copia il valore SysTimeInFileTime in 401010
004017E5 .  83C4 04    ADD ESP, 4
004017E8 .  59          POP ECX                                                 ;  017459B8
004017E9 .  5B          POP EBX                                                 ;  017459B8
004017EA .  58          POP EAX                                                 ;  017459B8
004017EB .  83C4 10    ADD ESP, 10
004017EE .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;  << seriale (in EDI c'e' il nome utente)
004017F1 .  83C4 08    ADD ESP, 8
004017F4 .  FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  << TORNA AL CHIAMANTE

DoBSWAP_Parametro
--------------------------------
00401877 <> $  83EC 04    SUB ESP, 4
0040187A .  892C24       MOV DWORD PTR SS:[ESP], EBP
0040187D .  54          PUSH ESP
0040187E .  5D          POP EBP                                                 ;  USER32.77D1919B
0040187F .  50          PUSH EAX
00401880 .  53          PUSH EBX
00401881 .  E8 00000000 CALL Uedit32.00401886
00401886 $  5B          POP EBX                                                 ;
00401887 .  81EB 6E080000 SUB EBX, 86E                                           ;  << DoveSalvare
0040188D .  8B45 08    MOV EAX, DWORD PTR SS:[EBP+8]                            ;  << RecuperaLaCostantePerVersion
00401890 .  F7D0       NOT EAX                                                 ;  << NOT
00401892 .  0FC8       BSWAP EAX                                              ;  << BSWAP
00401894 .  8903       MOV DWORD PTR DS:[EBX], EAX                            ;  << salva valore
00401896 .  5B          POP EBX                                                 ;
00401897 .  58          POP EAX                                                 ;
00401898 .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;
0040189B .  83C4 08    ADD ESP, 8
0040189E .- FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  << Torna al chiamante

DeterminaMatchEStabilisciReg
-----------------------------
004018A2 <>/$  83EC 04    SUB ESP, 4
004018A5 |.  892C24       MOV DWORD PTR SS:[ESP], EBP
004018A8 |.  54          PUSH ESP
004018A9 |.  5D          POP EBP                                                 ;  USER32.77D1919B
004018AA |.  83EC 24    SUB ESP, 24
004018AD |.  50          PUSH EAX
004018AE |.  53          PUSH EBX
004018AF |.  51          PUSH ECX
004018B0 |.  52          PUSH EDX                                                 ;  ntdll.KiFastSystemCallRet
004018B1 |.  56          PUSH ESI
004018B2 |.  57          PUSH EDI                                                 ;  Uedit32.00D04F40
004018B3 |.  E8 00000000 CALL Uedit32.004018B8                                  ;  << riga successiva
004018B8 |$  8F45 FC    POP DWORD PTR SS:[EBP-4]                               ;  USER32.77D1919B
004018BB |.  8B45 08    MOV EAX, DWORD PTR SS:[EBP+8]                            ;  << stringa ricavata da seriale
004018BE |.  09C0       OR EAX, EAX
004018C0 |.  75 0B       JNZ SHORT Uedit32.004018CD                               ;  v se stringa valida
004018C2 |.  FF75 FC    PUSH DWORD PTR SS:[EBP-4]
004018C5 |.  810424 3F0200>ADD DWORD PTR SS:[ESP], 23F
004018CC |.  C3          RETN
004018CD |>  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
004018D0 |.  81EB ED070000 SUB EBX, 7ED
004018D6 |.  FF75 0C    PUSH DWORD PTR SS:[EBP+C]                               ;  << username
004018D9 |.  50          PUSH EAX                                                 ;  << stringa estratta da serial
004018DA |.  E8 00000000 CALL Uedit32.004018DF                                  ;  << riga successiva
004018DF |$  58          POP EAX                                                 ;  USER32.77D1919B
004018E0 |.  83C0 09    ADD EAX, 9
004018E3 |.  870424       XCHG DWORD PTR SS:[ESP], EAX                            ;  << Controlla il valore di EAX - e' modificato in 'ElaboraUserName'
004018E6 \.  FFE3       JMP EBX                                                 ;  << CALCOLA HASH USERNAME
004018E8 .  83C4 04    ADD ESP, 4
004018EB .  8945 F8    MOV DWORD PTR SS:[EBP-8], EAX                            ;  << salva hash di username
004018EE .  8B5D 08    MOV EBX, DWORD PTR SS:[EBP+8]                            ;  << stringa da seriale
004018F1 .  8B55 FC    MOV EDX, DWORD PTR SS:[EBP-4]
004018F4 .  81EA B2010000 SUB EDX, 1B2                                           ;  << Routine da invocare
004018FA .  53          PUSH EBX
004018FB .  50          PUSH EAX
004018FC .  E8 00000000 CALL Uedit32.00401901                                  ;  << dopo
00401901 $  58          POP EAX                                                 ;  USER32.77D1919B
00401902 .  83C0 09    ADD EAX, 9
00401905 .  870424       XCHG DWORD PTR SS:[ESP], EAX                            ;  << EAX := hashUserName_NOT
00401908 .- FFE2       JMP EDX                                                 ;  << bswap stringa estratta da seriale
0040190A .  83C4 04    ADD ESP, 4
0040190D .  53          PUSH EBX                                                 ;  << stringa estratta (Bswappata)
0040190E .  8B55 FC    MOV EDX, DWORD PTR SS:[EBP-4]
00401911 .  81EA 78030000 SUB EDX, 378                                           ;  << routine da invocare (estraiMatch)
00401917 .  50          PUSH EAX
00401918 .  E8 00000000 CALL Uedit32.0040191D                                  ;  << linea dopo
0040191D $  58          POP EAX                                                 ;
0040191E .  83C0 09    ADD EAX, 9
00401921 .  870424       XCHG DWORD PTR SS:[ESP], EAX                            ;  << 401926
00401924 .- FFE2       JMP EDX                                                 ;  << Match1 - 8 char iniziali
00401926 .  83C4 04    ADD ESP, 4
00401929 .  8945 E4    MOV DWORD PTR SS:[EBP-1C], EAX                         ;  << salva primo match
0040192C .  83C3 08    ADD EBX, 8                                              ;  << prossimi 8 char
0040192F .  53          PUSH EBX
00401930 .  50          PUSH EAX
00401931 .  E8 00000000 CALL Uedit32.00401936                                  ;  << linea dopo
00401936 $  58          POP EAX                                                 ;
00401937 .  83C0 09    ADD EAX, 9
0040193A .  870424       XCHG DWORD PTR SS:[ESP], EAX                            ;  << EAX := Primo Match
0040193D .- FFE2       JMP EDX                                                 ;
0040193F .  83C4 04    ADD ESP, 4
00401942 .  8945 F0    MOV DWORD PTR SS:[EBP-10], EAX                         ;  << salva secondo Match
00401945 .  83C3 08    ADD EBX, 8                                              ;  << avanza
00401948 .  53          PUSH EBX
00401949 .  50          PUSH EAX
0040194A .  E8 00000000 CALL Uedit32.0040194F                                  ;  << linea dopo
0040194F $  58          POP EAX                                                 ;
00401950 .  83C0 09    ADD EAX, 9
00401953 .  870424       XCHG DWORD PTR SS:[ESP], EAX
00401956 .- FFE2       JMP EDX                                                 ;  << terzoMatch
00401958 .  83C4 04    ADD ESP, 4
0040195B .  8945 F4    MOV DWORD PTR SS:[EBP-C], EAX                            ;  << salva terzo match
0040195E .  53          PUSH EBX
0040195F .  52          PUSH EDX                                                 ;
00401960 .  89EB       MOV EBX, EBP
00401962 .  83EB 10    SUB EBX, 10
00401965 .  53          PUSH EBX                                                 ;  << secondoMatch
00401966 .  8B55 FC    MOV EDX, DWORD PTR SS:[EBP-4]
00401969 .  81EA 7A010000 SUB EDX, 17A
0040196F .  50          PUSH EAX
00401970 .  E8 00000000 CALL Uedit32.00401975                                  ;  << linea dopo
00401975 $  58          POP EAX                                                 ;
00401976 .  83C0 09    ADD EAX, 9
00401979 .  870424       XCHG DWORD PTR SS:[ESP], EAX
0040197C .- FFE2       JMP EDX                                                 ;  << Combina Secondo e Terzo Match
0040197E .  83C4 04    ADD ESP, 4
00401981 .  5A          POP EDX                                                 ;
00401982 .  5B          POP EBX                                                 ;
00401983 .  83C3 08    ADD EBX, 8                                              ;  << avanza nella stringa estratta
00401986 .  53          PUSH EBX
00401987 .  50          PUSH EAX
00401988 .  E8 00000000 CALL Uedit32.0040198D                                  ;  << linea successiva
0040198D $  58          POP EAX                                                 ;
0040198E .  83C0 09    ADD EAX, 9
00401991 .  870424       XCHG DWORD PTR SS:[ESP], EAX
00401994 .- FFE2       JMP EDX                                                 ;  << Estrae quartoMatch
00401996 .  83C4 04    ADD ESP, 4
00401999 .  8945 E8    MOV DWORD PTR SS:[EBP-18], EAX                         ;  << salva quartoMatch
0040199C .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
0040199F .  81EB A0080000 SUB EBX, 8A0
004019A5 .  8B1B       MOV EBX, DWORD PTR DS:[EBX]                            ;  << BSWAP di 150000 (versione di Uedit)
004019A7 .  8B45 E8    MOV EAX, DWORD PTR SS:[EBP-18]                         ;  << EAX := QuartoMatch
004019AA .  0FCB       BSWAP EBX                                              ;  << ottiene 150000 ...
004019AC .  F7D3       NOT EBX                                                 ;  << .... in EBX
004019AE .  50          PUSH EAX                                                 ;  << push quartoMatch
004019AF .  53          PUSH EBX                                                 ;  << push 150000
004019B0 .  8B5D E8    MOV EBX, DWORD PTR SS:[EBP-18]                         ;  << quartoMatch
004019B3 .  8B45 E4    MOV EAX, DWORD PTR SS:[EBP-1C]                         ;  << primo match
004019B6 .  C1C8 0D    ROR EAX, 0D                                              ;  << primoMatch = primoMatch ROR 0D
004019B9 .  31C3       XOR EBX, EAX                                           ;  << XOR quarto_match e (primoMatch ROR 0D)
004019BB .  C1C0 0D    ROL EAX, 0D                                              ;  << rotazione a sinistra ora (ripristina valore ?)
004019BE .  31C3       XOR EBX, EAX                                           ;  << nuovo XOR col valore 'non ribaltato'
004019C0 .  895D E8    MOV DWORD PTR SS:[EBP-18], EBX                         ;  << salva questo valore in posizione quartoMatch
004019C3 .  5B          POP EBX                                                 ;  USER32.77D1919B
004019C4 .  58          POP EAX                                                 ;  USER32.77D1919B
004019C5 .  31C0       XOR EAX, EAX                                           ;  << EAX := 0
004019C7 .  8B45 E8    MOV EAX, DWORD PTR SS:[EBP-18]                         ;  << recupera il valore appena calcolato
004019CA .  25 000000F0 AND EAX, F0000000                                        ;  << Esegue AND (ultima cifra esadecimale)
004019CF .  C1C0 04    ROL EAX, 4                                              ;  << rotazione a sinistra di 4 (lo porta a destra a tutto )
004019D2 .  53          PUSH EBX                                                 ;  << 150000
004019D3 .  50          PUSH EAX                                                 ;  <<
004019D4 .  93          XCHG EAX, EBX                                           ;  << scambio EAX <--> EBX
004019D5 .  8B45 FC    MOV EAX, DWORD PTR SS:[EBP-4]
004019D8 .  2D 22080000 SUB EAX, 822
004019DD .  0918       OR DWORD PTR DS:[EAX], EBX                               ;  << OR della dword di 'controllo' (su cui si decide la registrazione) deve essere < 17Ch
004019DF .  8B45 E8    MOV EAX, DWORD PTR SS:[EBP-18]                         ;  << recupera il valore calcolato (posizione quartoMatch)
004019E2 .  25 FFFFFF0F AND EAX, 0FFFFFFF                                        ;  << tutto tranne prima cifra esadecimale
004019E7 .  8945 E8    MOV DWORD PTR SS:[EBP-18], EAX                         ;  << e lo salva da dove l'ha preso (quarto match)
004019EA .  58          POP EAX                                                 ;  USER32.77D1919B
004019EB .  5B          POP EBX                                                 ;  USER32.77D1919B
004019EC .  8B45 E8    MOV EAX, DWORD PTR SS:[EBP-18]                         ;  << riprende cio' che e' in quartoMatch
004019EF .  C1CB 10    ROR EBX, 10                                              ;  << ROR 150000, 10 (otteniamo 15)
004019F2 .  C1C8 10    ROR EAX, 10                                              ;  << ror EAX, 10
004019F5 .  66:29C3    SUB BX, AX                                              ;  << devono essere uguali le WORD + basse ( 00 15 ) !
004019F8 .  74 13       JE SHORT Uedit32.00401A0D                               ;  v
004019FA .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]                            ;  << prepara valore di errore
004019FD .  81EB 22080000 SUB EBX, 822
00401A03 .  31C0       XOR EAX, EAX
00401A05 .  40          INC EAX
00401A06 .  C1E0 1D    SHL EAX, 1D
00401A09 .  0903       OR DWORD PTR DS:[EBX], EAX
00401A0B .  EB 54       JMP SHORT Uedit32.00401A61
00401A0D >  C1C8 18    ROR EAX, 18                                              ;  << deve essere uguale anche altro
00401A10 .  C1CB 18    ROR EBX, 18
00401A13 .  28C3       SUB BL, AL                                              ;  << byte + basso = 0 ?
00401A15 .  74 4A       JE SHORT Uedit32.00401A61                               ;  - devo farlo saltare ?
00401A17 .  9B          WAIT
00401A18 .  DBE3       FINIT
00401A1A .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401A1D .  81EB B4080000 SUB EBX, 8B4
00401A23 .  DF2B       FILD QWORD PTR DS:[EBX]
00401A25 .  DF6D F0    FILD QWORD PTR SS:[EBP-10]
00401A28 .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401A2B .  81EB 98070000 SUB EBX, 798
00401A31 .  DF2B       FILD QWORD PTR DS:[EBX]
00401A33 .  D8E1       FSUB ST(0), ST(1)
00401A35 .  D8F2       FDIV ST(0), ST(2)
00401A37 .  DB5D DC    FISTP DWORD PTR SS:[EBP-24]
00401A3A .  9B          WAIT
00401A3B .  DBE3       FINIT
00401A3D .  8B45 DC    MOV EAX, DWORD PTR SS:[EBP-24]                         ;  USER32.77D1919B
00401A40 .  A9 00000080 TEST EAX, 80000000
00401A45 .  74 02       JE SHORT Uedit32.00401A49
00401A47 .  F7D8       NEG EAX
00401A49 >  3D 6D010000 CMP EAX, 16D
00401A4E .  76 11       JBE SHORT Uedit32.00401A61
00401A50 .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401A53 .  81EB 22080000 SUB EBX, 822
00401A59 .  31C0       XOR EAX, EAX
00401A5B .  40          INC EAX
00401A5C .  C1E0 0E    SHL EAX, 0E
00401A5F .  0903       OR DWORD PTR DS:[EBX], EAX
00401A61 >  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401A64 .  81EB B4080000 SUB EBX, 8B4                                           ;  << importante_401004
00401A6A .  9B          WAIT
00401A6B .  DBE3       FINIT
00401A6D .  DF2B       FILD QWORD PTR DS:[EBX]                                  ;  << 00 C0 69 2A | C9 00 00 00
00401A6F .  DF6D F0    FILD QWORD PTR SS:[EBP-10]                               ;  << secondo e terzo match assieme come qword ( secondo nella dword + bassa )
00401A72 .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401A75 .  81EB A8080000 SUB EBX, 8A8
00401A7B .  DF2B       FILD QWORD PTR DS:[EBX]                                  ;  << currSysTime in FileTime
00401A7D .  D8E1       FSUB ST(0), ST(1)                                        ;  << sottrae quest'ultima con secondo_terzo
00401A7F .  D8F2       FDIV ST(0), ST(2)                                        ;  << divide per la prima (dovrebbe essere costante)
00401A81 .  DB5D DC    FISTP DWORD PTR SS:[EBP-24]                            ;  << salva il risultato (DWORD)
00401A84 .  8B45 DC    MOV EAX, DWORD PTR SS:[EBP-24]                         ;  << recupera questo valore
00401A87 .  A9 00000080 TEST EAX, 80000000                                     ;  << e lo controlla
00401A8C .  74 02       JE SHORT Uedit32.00401A90
00401A8E .  F7D8       NEG EAX
00401A90 >  3D 7C010000 CMP EAX, 17C                                           ;  << EAX deve essere <= 17C
00401A95 .  76 15       JBE SHORT Uedit32.00401AAC                               ;  DEVE SALTARE
00401A97 .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401A9A .  81EB 22080000 SUB EBX, 822
00401AA0 .  B8 FF010000 MOV EAX, 1FF
00401AA5 .  C1E0 10    SHL EAX, 10
00401AA8 .  0903       OR DWORD PTR DS:[EBX], EAX                               ;  << male?
00401AAA .  EB 0E       JMP SHORT Uedit32.00401ABA
00401AAC >  C1C0 10    ROL EAX, 10                                              ;  << ROL EAX,10 posizioni
00401AAF .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401AB2 .  81EB 22080000 SUB EBX, 822                                           ;  << dword di controllo
00401AB8 .  0903       OR DWORD PTR DS:[EBX], EAX                               ;  << salva il valore nell'indicatore (male?)
00401ABA >  8B45 E8    MOV EAX, DWORD PTR SS:[EBP-18]                         ;  << valore in posizione quartoMatch
00401ABD .  83E0 0F    AND EAX, 0F                                              ;  << ultima cifra esadecimale
00401AC0 .  A9 08000000 TEST EAX, 8
00401AC5 .  75 1F       JNZ SHORT Uedit32.00401AE6                               ;  << ** NON deve saltare
00401AC7 .  83E0 07    AND EAX, 7
00401ACA .  0C 00       OR AL, 0
00401ACC .  74 29       JE SHORT Uedit32.00401AF7                               ;  << questo *deve* saltare
00401ACE .  83C8 20    OR EAX, 20
00401AD1 .  C1E0 07    SHL EAX, 7
00401AD4 .  25 801F0000 AND EAX, 1F80
00401AD9 .  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401ADC .  81EB 22080000 SUB EBX, 822
00401AE2 .  0903       OR DWORD PTR DS:[EBX], EAX                               ;  << male
00401AE4 .  EB 11       JMP SHORT Uedit32.00401AF7
00401AE6 >  8B5D FC    MOV EBX, DWORD PTR SS:[EBP-4]
00401AE9 .  81EB 22080000 SUB EBX, 822
00401AEF .  31C0       XOR EAX, EAX
00401AF1 .  40          INC EAX
00401AF2 .  C1E0 06    SHL EAX, 6
00401AF5 .  0903       OR DWORD PTR DS:[EBX], EAX
00401AF7 >  5F          POP EDI                                                 ;  USER32.77D1919B
00401AF8 .  5E          POP ESI                                                 ;  USER32.77D1919B
00401AF9 .  5A          POP EDX                                                 ;  USER32.77D1919B
00401AFA .  59          POP ECX                                                 ;  USER32.77D1919B
00401AFB .  5B          POP EBX                                                 ;  USER32.77D1919B
00401AFC .  58          POP EAX                                                 ;  USER32.77D1919B
00401AFD .  83C4 24    ADD ESP, 24
00401B00 .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;  USER32.77D1919B
00401B03 .  83C4 08    ADD ESP, 8
00401B06 .- FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  << **** torna al chiamante

Analizziamo meglio CodificaMatchEDeterminaRegistrazione
-------------------------
CalcolaHashUserName (serve solo per il file di licenza)
-------
004010CB <> .  83EC 04    SUB ESP, 4
004010CE .  892C24       MOV DWORD PTR SS:[ESP], EBP                            ;  <moltiplicazione_e_pFileTime>
004010D1 .  54          PUSH ESP
004010D2 .  5D          POP EBP                                                 ;  Uedit32.004018E8
004010D3 .  53          PUSH EBX                                                 ;  <Uedit32.ElaboraUserName>
004010D4 .  51          PUSH ECX
004010D5 .  52          PUSH EDX
004010D6 .  56          PUSH ESI                                                 ;  kernel32.7C800000
004010D7 .  8B75 08    MOV ESI, DWORD PTR SS:[EBP+8]                            ;  << username
004010DA .  BA 01A001DC MOV EDX, DC01A001                                        ;  << costante
004010DF .  6A 00       PUSH 0
004010E1 .  59          POP ECX                                                 ;  << ECX := 0
004010E2 >  AC          LODS BYTE PTR DS:[ESI]                                  ;  << carattere dello username in AL
004010E3 .  08C0       OR AL, AL                                              ;  << username finito ?
004010E5 .  74 25       JE SHORT Uedit32.0040110C
004010E7 .  50          PUSH EAX                                                 ;  << salva valore (per successivo uso)
004010E8 .  34 CD       XOR AL, 0CD                                              ;  << XOR char username con 0CD
004010EA .  0FB6C0       MOVZX EAX, AL                                           ;  << estende con 0 (byte esteso)
004010ED .  01C1       ADD ECX, EAX                                           ;  << ECX += EAX
004010EF .  58          POP EAX                                                 ;  Uedit32.004018E8
004010F0 .  F6E0       MUL AL                                                 ;  << AL * AL
004010F2 .  0FB7C0       MOVZX EAX, AX                                           ;  << AX (word estesa)
004010F5 .  66:BB E500 MOV BX, 0E5                                              ;  << BX := 0E5
004010F9 .  66:F7E3    MUL BX                                                 ;  << EAX = AX*BX
004010FC .  01C1       ADD ECX, EAX                                           ;  << ECX += EAX
004010FE .  01D1       ADD ECX, EDX                                           ;  << ECX += EDX
00401100 .  F7C1 01000000 TEST ECX, 1                                              ;  << ECX dispari ?
00401106 .^ 74 DA       JE SHORT Uedit32.004010E2                               ;  << se NON pari moltiplican per 2 EDX
00401108 .  D1CA       ROR EDX, 1
0040110A .^ EB D6       JMP SHORT Uedit32.004010E2
0040110C >  89C8       MOV EAX, ECX                                           ;  << hash username
0040110E .  F7D0       NOT EAX                                                 ;  << NOT hash
00401110 .  5E          POP ESI                                                 ;  Uedit32.004018E8
00401111 .  5A          POP EDX                                                 ;  Uedit32.004018E8
00401112 .  59          POP ECX                                                 ;  Uedit32.004018E8
00401113 .  5B          POP EBX                                                 ;  Uedit32.004018E8
00401114 .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;  Uedit32.004018E8
00401117 .  83C4 08    ADD ESP, 8
0040111A .  FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  Uedit32.004018DF
BSWAP Stringa estratta da seriale
-----------------------
00401706 <BSWA> .  83EC 04    SUB ESP, 4                                              ;  ---
00401709       .  892C24       MOV DWORD PTR SS:[ESP], EBP                            ;  <moltiplicazione_e_pFileTime>
0040170C       .  54          PUSH ESP
0040170D       .  5D          POP EBP                                                 ;  Uedit32.0040190A
0040170E       .  50          PUSH EAX
0040170F       .  53          PUSH EBX
00401710       .  51          PUSH ECX
00401711       .  52          PUSH EDX                                                 ;  <Uedit32.BSWAPInPlace>
00401712       .  B9 0F000000 MOV ECX, 0F                                              ;  << ecx := 0F
00401717       .  8B5D F8    MOV EBX, DWORD PTR SS:[EBP-8]                            ;  << stringa da seriale
0040171A       .  BA 1C000000 MOV EDX, 1C                                              ;  << EDX := 1C (28)
0040171F       >  8B0413       MOV EAX, DWORD PTR DS:[EBX+EDX]                         ;  << ultimi 4 char (e poi si sposta di 2 char alla volta indietro)
00401722       .  0FC8       BSWAP EAX                                              ;  << BSWAP
00401724       .  890413       MOV DWORD PTR DS:[EBX+EDX], EAX                         ;  << salva il BSWAP nel posto originale
00401727       .  83EA 02    SUB EDX, 2
0040172A       .^ E2 F3       LOOPD SHORT Uedit32.0040171F
0040172C       .  5A          POP EDX                                                 ;  Uedit32.0040190A
0040172D       .  59          POP ECX                                                 ;  Uedit32.0040190A
0040172E       .  5B          POP EBX                                                 ;  Uedit32.0040190A
0040172F       .  58          POP EAX                                                 ;  Uedit32.0040190A
00401730       .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;  << ptr. a 'secondi'
00401733       .  83C4 08    ADD ESP, 8
00401736       .  FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  Uedit32.00401901

EstraiMatch
--------------------
00401540 <Estr> .  83EC 04    SUB ESP, 4                                              ;  ---- Estrai Match ----
00401543       .  892C24       MOV DWORD PTR SS:[ESP], EBP                            ;  <moltiplicazione_e_pFileTime>
00401546       .  54          PUSH ESP
00401547       .  5D          POP EBP                                                 ;  Uedit32.00401926
00401548       .  53          PUSH EBX
00401549       .  51          PUSH ECX
0040154A       .  52          PUSH EDX                                                 ;  <Uedit32.EstraiMatch>
0040154B       .  56          PUSH ESI                                                 ;  kernel32.7C800000
0040154C       .  57          PUSH EDI
0040154D       .  E8 00000000 CALL Uedit32.00401552                                  ;  << successiva
00401552       $  5F          POP EDI                                                 ;  Uedit32.00401926
00401553       .  83EF 2A    SUB EDI, 2A
00401556       .  8B75 08    MOV ESI, DWORD PTR SS:[EBP+8]                            ;  << stringa estratta da seriale e bswappata
00401559       .  31DB       XOR EBX, EBX                                           ;  << EBX := 0
0040155B       .  31C9       XOR ECX, ECX                                           ;  << ECX := 0
0040155D       >  AC          LODS BYTE PTR DS:[ESI]                                  ;  << char della stringa in AL
0040155E       .  51          PUSH ECX                                                 ;  <<
0040155F       .  31C9       XOR ECX, ECX                                           ;  << ecx := 0
00401561       >  3A040F       CMP AL, BYTE PTR DS:[EDI+ECX]                            ;  << Cerca l'indice nella stringa X6A3KVMOQ8D2HCPI
00401564       .  74 08       JE SHORT Uedit32.0040156E
00401566       .  83F9 0F    CMP ECX, 0F
00401569       .  7F 11       JG SHORT Uedit32.0040157C
0040156B       .  41          INC ECX
0040156C       .^ EB F3       JMP SHORT Uedit32.00401561
0040156E       >  09CB       OR EBX, ECX                                              ;  << EBX = EBX OR <indice_carattere>
00401570       .  59          POP ECX                                                 ;  << num char 'matchati'
00401571       .  83F9 07    CMP ECX, 7
00401574       .  74 1A       JE SHORT Uedit32.00401590                               ;  << se ho matchato 8 char ... per ora va bene
00401576       .  41          INC ECX                                                 ;  << char_matchati++
00401577       .  C1E3 04    SHL EBX, 4                                              ;  << EBX * 16
0040157A       .^ EB E1       JMP SHORT Uedit32.0040155D
0040157C       >  83C4 04    ADD ESP, 4
0040157F       .  5F          POP EDI                                                 ;  Uedit32.00401926
00401580       .  5E          POP ESI                                                 ;  Uedit32.00401926
00401581       .  5A          POP EDX                                                 ;  Uedit32.00401926
00401582       .  59          POP ECX                                                 ;  Uedit32.00401926
00401583       .  5B          POP EBX                                                 ;  Uedit32.00401926
00401584       .  31C0       XOR EAX, EAX
00401586       .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;  Uedit32.00401926
00401589       .  83C4 08    ADD ESP, 8
0040158C       .  FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  Uedit32.0040191D
00401590       >  89D8       MOV EAX, EBX                                           ;  << valore calcolato in EAX
00401592       .  5F          POP EDI                                                 ;  Uedit32.00401926
00401593       .  5E          POP ESI                                                 ;  Uedit32.00401926
00401594       .  5A          POP EDX                                                 ;  Uedit32.00401926
00401595       .  59          POP ECX                                                 ;  Uedit32.00401926
00401596       .  5B          POP EBX                                                 ;  Uedit32.00401926
00401597       .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;  Uedit32.00401926
0040159A       .  83C4 08    ADD ESP, 8
0040159D       .  FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  Uedit32.0040191D

CombinaSecondoTerzoMatch
-------------------------------
0040173E <Combin> .  83EC 04    SUB ESP, 4                                              ;  ----
00401741       .  892C24       MOV DWORD PTR SS:[ESP], EBP                            ;  <moltiplicazione_e_pFileTime>
00401744       .  54          PUSH ESP
00401745       .  5D          POP EBP                                                 ;  Uedit32.0040197E
00401746       .  50          PUSH EAX
00401747       .  53          PUSH EBX                                                 ;  <secondoMatch>
00401748       .  52          PUSH EDX                                                 ;  <Uedit32.CombinaSecondoTerzoMatch>
00401749       .  8B5D 08    MOV EBX, DWORD PTR SS:[EBP+8]                            ;  << ind. secondo match
0040174C       .  8B43 04    MOV EAX, DWORD PTR DS:[EBX+4]                            ;  << terzo match (valore)
0040174F       .  8B13       MOV EDX, DWORD PTR DS:[EBX]                            ;  << Secondo Match ( valore )
00401751       .  31C2       XOR EDX, EAX                                           ;  << SecondoMatch = SecondoMatch XOR TerzoMatch
00401753       .  0FCA       BSWAP EDX                                              ;  << bswap risultato (in edx)
00401755       .  31D0       XOR EAX, EDX                                           ;  << TerzoMatch = TerzoMatch XOR ( valore_bswappato appena calcolato )
00401757       .  0FC8       BSWAP EAX                                              ;  << bswap a sua volta
00401759       .  8943 04    MOV DWORD PTR DS:[EBX+4], EAX                            ;  << Salva valore di EAX nella posizione del terzoMatch
0040175C       .  8913       MOV DWORD PTR DS:[EBX], EDX                            ;  << Salva EDX nella posizione del secondo Match
0040175E       .  5A          POP EDX                                                 ;  Uedit32.0040197E
0040175F       .  5B          POP EBX                                                 ;  Uedit32.0040197E
00401760       .  58          POP EAX                                                 ;  Uedit32.0040197E
00401761       .  8B2C24       MOV EBP, DWORD PTR SS:[ESP]                            ;  Uedit32.0040197E
00401764       .  83C4 08    ADD ESP, 8
00401767       .  FF6424 FC    JMP DWORD PTR SS:[ESP-4]                               ;  Uedit32.00401975

----------------------------

zhimingcom · 发表于 2009-9-24 20:12

这么好的帖子怎么没有人顶啊，要是把注释给翻译一下就好了。

mycc · 发表于 2009-9-24 21:42

下载保存，这么好的贴没人顶，奇怪

gry8686 · 发表于 2009-9-24 22:05

不错哦，支持楼主的分享

menglv · 发表于 2009-9-26 16:03

这么好的帖子

daihu37 · 发表于 2009-10-13 16:20

谢谢分享，好东西啊

TheCjw · 发表于 2009-10-13 16:52

初看，确实分析得十分到位。

489414 · 发表于 2009-10-16 00:51

学习了不错啊

flygo · 发表于 2009-10-22 10:45

是不是视频教程？

speedboy · 发表于 2009-10-22 11:59

辛苦了！！！

帐号		自动登录	找回密码
密码			注册[Register]

[分享] UltraEdit 15 算法分析

个人中心