好友
阅读权限30
听众
最后登录1970-1-1
|
小黑冰
发表于 2008-8-28 09:07
某外国软件分析 软件就不打包了
WOAINI
123456789
WOAINI
1216
004537FDpush ebp
004537FEpush 3.004538BE
00453803push dword ptr fs:[eax]
00453806mov dword ptr fs:[eax],esp
00453809lea edx,[local.2]
0045380Cmov eax,dword ptr ds:[ebx+300]
00453812call 3.00432A4C ;取注册名
00453817mov eax,[local.2] ;EAX=注册名
0045381Amovzx eax,byte ptr ds:[eax] ;取注册名第一位到EAX
0045381Dxor eax,0E;EAX=EAX XOR OE =79
00453820mov [local.1],eax ;LOCAL.1=79
00453823lea esi,[local.1]
00453826lea edx,[local.3]
00453829mov eax,dword ptr ds:[ebx+2F8];EAX=EBX+2F8=E03D5C
0045382Fcall 3.00432A4C ;取注册码位数
00453834mov eax,[local.3] ;EAX=注册码
00453837push eax
00453838lea edx,[local.4]
0045383Bmov eax,dword ptr ds:[esi];EAX=ESI=79
0045383Dcall 3.00407CE0
00453842lea eax,[local.4]
00453845push eax
00453846lea edx,[local.6]
00453849mov eax,dword ptr ds:[ebx+300]
0045384Fcall 3.00432A4C
00453854mov eax,[local.6] ;EAX=注册名
00453857call 3.0040410C
0045385Clea edx,[local.5]
0045385Fcall 3.00407CE0
00453864mov edx,[local.5]
00453867pop eax
00453868call 3.00404114
0045386Dmov edx,[local.4] ;EDX=1216
00453870pop eax
00453871call 3.00404258 ;关键CALL
00453876jnz short 3.00453884
00453878mov eax,3.004538D4;恭喜你!
0045387Dcall 3.0042736C
00453882jmp short 3.0045388E
00453884mov eax,3.004538E4;注册失败!
关键CALL
00404258push ebx
00404259push esi
0040425Apush edi
0040425Bmov esi,eax ;ESI=EAX=123456789
0040425Dmov edi,edx ;EDI=EDX=1216
0040425Fcmp eax,edx ;比较
00404261je 3.004042F6 ;相等跳 必须跳
00404267test esi,esi;比较注册码是否为空
00404269je short 3.004042D3
0040426Btest edi,edi
0040426Dje short 3.004042DA
0040426Fmov eax,dword ptr ds:[esi-4];注册码位数到EAX=9
00404272mov edx,dword ptr ds:[edi-4];真注册码位数到EDX=4
00404275sub eax,edx ;EAX=EAX-EDX=9-4=5
00404277ja short 3.0040427B ;大于跳
00404279add edx,eax ;小于的话EDX=EDX+EAX=4+5=9
0040427Bpush edx
0040427Cshr edx,2 ;右移2位 EDX=EDX/4=4/4=1
0040427Fje short 3.004042A7
00404281/mov ecx,dword ptr ds:[esi] ;ECX=ESI=34333231=4321
00404283|mov ebx,dword ptr ds:[edi] ;EBX=EDI=36313231=6121
00404285|cmp ecx,ebx
00404287|jnz short 3.004042E1 ;不相等跳 不能跳
00404289|dec edx;EDX=EDX-1=2-1=1
0040428A|je short 3.004042A1
0040428C|mov ecx,dword ptr ds:[esi+4] ;ECX=ESI+4=38373635
0040428F|mov ebx,dword ptr ds:[edi+4] ;EBX=EDI+4=0
00404292|cmp ecx,ebx
00404294|jnz short 3.004042E1
00404296|add esi,8;ESI=ESI+8=123456789+8=123456797
00404299|add edi,8;EDI=EDI+8=1216+8=1224
0040429C|dec edx;EDX=EDX-1=1-1=0
0040429D\jnz short 3.00404281
0040429Fjmp short 3.004042A7
004042A1add esi,4
004042A4add edi,4
004042A7pop edx
004042A8and edx,3 ;EDX=EDX+3=9+3=12
004042ABje short 3.004042CF
004042ADmov ecx,dword ptr ds:[esi];ECX=ESI=39
004042AFmov ebx,dword ptr ds:[edi];EBX=EDI=0
004042B1cmp cl,bl ;CL=39 BL=0
004042B3jnz short 3.004042F6
004042B5dec edx ;EDX=EDX-1=1-1=0
004042B6je short 3.004042CF
004042B8cmp ch,bh
004042BAjnz short 3.004042F6
004042BCdec edx
004042BDje short 3.004042CF
004042BFand ebx,0FF0000
004042C5and ecx,0FF0000
004042CBcmp ecx,ebx
004042CDjnz short 3.004042F6
004042CFadd eax,eax
004042D1jmp short 3.004042F6
004042D3mov edx,dword ptr ds:[edi-4]
004042D6sub eax,edx
004042D8jmp short 3.004042F6
004042DAmov eax,dword ptr ds:[esi-4]
004042DDsub eax,edx
004042DFjmp short 3.004042F6
004042E1pop edx
004042E2cmp cl,bl ;CL=1 BL=1
004042E4jnz short 3.004042F6;不相等跳
004042E6cmp ch,bh ;CH=2 BH=2
004042E8jnz short 3.004042F6;不相等跳
004042EAshr ecx,10;ECX=ECX/10=34333231/10=3433
004042EDshr ebx,10;EBX=EBX/10=36313231/10=3631
004042F0cmp cl,bl ;CL=1 BL=3
004042F2jnz short 3.004042F6;不相等跳
004042F4cmp ch,bh
004042F6pop edi
004042F7pop esi
004042F8pop ebx
004042F9retn
取注册名第一位与0E XOR
取假码位数-真码位数的直=EAX
小于的话真码的直+上假码位数-真码位数的直=EDX
EDX/4+3=EDX
好久没发破文拉```````[s:40][s:43][s:40][s:40][s:40] |
|
发表于 2008-8-28 09:17
发表于 2008-8-28 10:21
