[转载]ScreenHunter 4.2 Pro 注册算法分析(页 1) - 工程学类分支{ Engineering Column } - 逆向工程[ Reverse Engineering ] - 邪恶八进制信息安全团队技术讨论组努力为祖国的信息安全撑起一片蓝天

pub!1c 2006-1-16 14:13

[转载]ScreenHunter 4.2 Pro 注册算法分析

文章作者:ForEver
【软件名称】ScreenHunter4.2Pro 【破文作者】forever[RCT] 【编程语言】VC 【保护方式】简单运算 【使用工具】peid0.93,exescope6.5,ida4.6,ollydbg1.1 【软件简介】ScreenHunter是一个非常好的屏幕抓取工具，除了基本常见的功能外，他还可以抓取椭圆的选取区，抓取Word文件，还可以自动产生文件名称，定时抓取屏幕，抓取DirectX游戏及屏幕保护程序的屏幕，转存JPEG、GIF、PNG、BMP文件。 【下载地址】[url]http://www4.skycn.com/soft/5021.html[/url] 【破文正文】 首先声明一下，这篇帖子是写给新手的。:) 突然发现，写破文其实是一件很辛苦的事，尤其是想把整个过程写清楚的时候。向那些写了大量破文的前辈们道声辛苦吧。;) 我尽量把过程写的易懂些，不过我还是假定你会使用基本的工具，懂得编程的基本知识。关于MFC的消息处理函数的查找过程 我前面有过一篇帖子<从对话框的构造函数找到消息处理过程>，如果你不太清楚下面的过程可以参考一下前面的帖子。下面我只写 下整个过程。我不在这里对代码做逆向分析了，我只是在注释里尽量写的清楚些。这样可以省掉很多时间:) 首先检查软件的编程语言，peid侦测出是VC，大多数情况下这是可信的。用od和ida载入也证实确实是VC的。 软件启动时有个NAP窗口提示输入注册码，我用exescope找到这个窗口的资源id是1797h,ok按钮的id是1d4h。了解这些信息是有用的。 现在用ida载入软件分析。我以前做过一个mfc4.2的sig，如果你使用这个sig，会检测出更多的函数名。 在Name窗口里查找"CDialog::CDialog(unsignedint,classCWnd*)",来到下面， .text:0054A50Fpublic:__thiscallCDialog::CDialog(unsignedint,classCWnd*)procnear .text:0054A50F .text:0054A50Farg_0=dwordptr0Ch .text:0054A50Farg_4=dwordptr10h .text:0054A50F .text:0054A50Fpushesi .text:0054A510pushedi .text:0054A511movesi,ecx .text:0054A513callCWnd::CWnd(void) .text:0054A518leaedi,[esi+3Ch] .text:0054A51Bpush20h;size_t .text:0054A51Dpush0;int .text:0054A51Fpushedi;void* .text:0054A520movdwordptr[esi],offsetoff_5838D4 .text:0054A526call_memset .text:0054A52Bmoveax,[esp+0Ch+arg_4] .text:0054A52Faddesp,0Ch .text:0054A532mov[esi+50h],eax .text:0054A535moveax,[esp+arg_0] .text:0054A539movzxecx,ax .text:0054A53Cmov[edi],eax .text:0054A53Emov[esi+40h],ecx .text:0054A541moveax,esi .text:0054A543popedi .text:0054A544popesi .text:0054A545retn8 .text:0054A545public:__thiscallCDialog::CDialog(unsignedint,classCWnd*)endp ;================================================================================= 为什么要找这个函数呢？因为这个函数是对话框类的构造函数，自定义对话框在初始化时肯定要调用这个函数。 在名字CDialog::CDialog上右击，选择菜单Jumptoxreftooperand，来到下面， Uppsub_40E7A7+CcallCDialog::CDialog(uint,CWnd*) Uppsub_411987+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_414C64+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_437218+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_43F20C+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_4460F4+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_44D3FD+1AcallCDialog::CDialog(uint,CWnd*) Uppsub_46F72B+CcallCDialog::CDialog(uint,CWnd*) Uppsub_486E87+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_4A89B6+1DcallCDialog::CDialog(uint,CWnd*) Uppsub_4AF524+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_4BC73F+1BcallCDialog::CDialog(uint,CWnd*) Uppsub_4C0301+1AcallCDialog::CDialog(uint,CWnd*) Uppsub_4C2F1A+1AcallCDialog::CDialog(uint,CWnd*) Uppsub_4C5B16+1AcallCDialog::CDialog(uint,CWnd*) Uppsub_4C8639+1AcallCDialog::CDialog(uint,CWnd*) UppCFileDialog::CFileDialog(int,charconst*,charconst*,ulong,charconst*,CWnd*)+19callCDialog::CDia UppCFontDialog::CFontDialog(tagLOGFONTA*,ulong,CDC*,CWnd*)+19callCDialog::CDialog(uint,CWnd*) UppCFontDialog::CFontDialog(_charformatconst&,ulong,CDC*,CWnd*)+19callCDialog::CDialog(uint,CWnd*) UppCColorDialog::CColorDialog(ulong,ulong,CWnd*)+17callCDialog::CDialog(uint,CWnd*) UppCPageSetupDialog::CPageSetupDialog(ulong,CWnd*)+17callCDialog::CDialog(uint,CWnd*) UppCPrintDialog::CPrintDialog(int,ulong,CWnd*)+18callCDialog::CDialog(uint,CWnd*) UppCPrintDialog::CPrintDialog(tagPDA&)+7callCDialog::CDialog(uint,CWnd*) UppCFindReplaceDialog::CFindReplaceDialog(void)+17callCDialog::CDialog(uint,CWnd*) DownpCDocManager::OnFileNew(void)+3DcallCDialog::CDialog(uint,CWnd*) ;================================================================================= 这里就是对CDialog::CDialog引用的地方了。注意找对话框资源号为1797h的函数。（使用exescope查看注册对话框资源） 来到下面： .text:0043F20Csub_43F20Cprocnear;CODEXREF:sub_46973F+31p .text:0043F20Cmoveax,offsetunknown_libname_1324 .text:0043F211call__EH_prolog .text:0043F216pushecx .text:0043F217pushebx .text:0043F218pushesi .text:0043F219pushedi .text:0043F21Amovesi,ecx .text:0043F21Cpushdwordptr[ebp+8] .text:0043F21Fmov[ebp-10h],esi .text:0043F222push1797h;注册对话框 .text:0043F227callCDialog::CDialog(uint,CWnd*)//构造注册对话框的地方，这就是 .text:0043F22Canddwordptr[ebp-4],0//从CDialog::CDialog下手的原因 .text:0043F230leaebx,[esi+5Ch] .text:0043F233movecx,ebx .text:0043F235callCWnd::CWnd(void) .text:0043F23Amovedi,offsetoff_584E04 .text:0043F23Fmov[ebx],edi .text:0043F241leaebx,[esi+98h] .text:0043F247movbyteptr[ebp-4],1 .text:0043F24Bmovecx,ebx .text:0043F24DcallCWnd::CWnd(void) .text:0043F252mov[ebx],edi .text:0043F254leaebx,[esi+0D4h] .text:0043F25Amovbyteptr[ebp-4],2 .text:0043F25Emovecx,ebx .text:0043F260callCWnd::CWnd(void) .text:0043F265mov[ebx],edi .text:0043F267leaebx,[esi+110h] .text:0043F26Dmovbyteptr[ebp-4],3 .text:0043F271movecx,ebx .text:0043F273callCWnd::CWnd(void) .text:0043F278mov[ebx],edi .text:0043F27Aleaebx,[esi+14Ch] .text:0043F280movbyteptr[ebp-4],4 .text:0043F284movecx,ebx .text:0043F286callCWnd::CWnd(void) .text:0043F28Bmov[ebx],edi .text:0043F28Dmoveax,dword_5D537C .text:0043F292leaebx,[esi+188h] .text:0043F298mov[ebx],eax .text:0043F29Amoveax,dword_5D537C .text:0043F29Fmov[esi+18Ch],eax .text:0043F2A5moveax,dword_5D537C .text:0043F2AAmov[esi+190h],eax .text:0043F2B0moveax,dword_5D537C .text:0043F2B5mov[esi+194h],eax .text:0043F2BBmoveax,dword_5D537C .text:0043F2C0mov[esi+198h],eax .text:0043F2C6leaecx,[esi+19Ch] .text:0043F2CCmovbyteptr[ebp-4],0Ah .text:0043F2D0callsub_5430CA .text:0043F2D5movedi,offsetWindowName .text:0043F2DAmovecx,ebx .text:0043F2DCpushedi .text:0043F2DDmovbyteptr[ebp-4],0Bh .text:0043F2E1movdwordptr[esi],offsetoff_57AEE0//这个地址里对话框的虚函数表 .text:0043F2E7callCString::operator=(charconst*)//一般都是在ESI或者EDI里 .text:0043F2ECpushedi .text:0043F2EDleaecx,[esi+18Ch] .text:0043F2F3callCString::operator=(charconst*) .text:0043F2F8pushedi .text:0043F2F9leaecx,[esi+190h] .text:0043F2FFcallCString::operator=(charconst*) .text:0043F304pushedi .text:0043F305leaecx,[esi+194h] .text:0043F30BcallCString::operator=(charconst*) .text:0043F310pushedi .text:0043F311leaecx,[esi+198h] .text:0043F317callCString::operator=(charconst*)//上面连续5个字符串应该是保存 .text:0043F31Cpush0FFFFFFFFh//注册码用的 .text:0043F31Epush5 .text:0043F320leaecx,[esi+19Ch] .text:0043F326callCStringArray::SetSize(int,int) .text:0043F32Bmovecx,[ebp-0Ch] .text:0043F32Emoveax,esi .text:0043F330popedi .text:0043F331popesi .text:0043F332popebx .text:0043F333movlargefs:0,ecx .text:0043F33Aleave .text:0043F33Bretn4 .text:0043F33Bsub_43F20Cendp;sp=4 ;================================================================================= 跟踪对话框的虚函数表地址57AEE0，来到下面： .rdata:0057AEE0off_57AEE0ddoffsetsub_563B94;DATAXREF:sub_43F20C+D5o .rdata:0057AEE4ddoffsetsub_43F33E .rdata:0057AEE8ddoffsetnullsub_50 .rdata:0057AEECddoffsetunknown_libname_12862;?OnCmdMsg@CPropertySheet@@UAEHIHPAXPAUAFX_CMDHANDLERINFO@@@Z .rdata:0057AEEC;doubtfulname .rdata:0057AEF0ddoffsetCWnd::OnFinalRelease(void) .rdata:0057AEF4ddoffsetunknown_libname_884 .rdata:0057AEF8ddoffsetunknown_libname_885 .rdata:0057AEFCddoffsetsub_54B286 .rdata:0057AF00ddoffsetsub_54B289 .rdata:0057AF04ddoffsetCCmdTarget::GetTypeLib(ulong,ITypeLib**) .rdata:0057AF08ddoffsetsub_43F4E4//消息映射函数,继续跟踪这里 .rdata:0057AF0Cddoffsetsub_54B336 .rdata:0057AF10ddoffsetsub_54B2D9 .rdata:0057AF14ddoffsetsub_54B326 .rdata:0057AF18ddoffsetsub_54B2E5 .rdata:0057AF1Cddoffsetsub_54B2DF .rdata:0057AF20ddoffsetsub_54B31D .rdata:0057AF24ddoffsetunknown_libname_886 .rdata:0057AF28ddoffsetunknown_libname_888 .rdata:0057AF2Cddoffsetunknown_libname_887 .rdata:0057AF30ddoffsetnullsub_24 .rdata:0057AF34ddoffsetCWnd::Create(charconst*,charconst*,ulong,tagRECTconst&,CWnd*,uint,CCreateContext*) .rdata:0057AF38ddoffsetCWnd::DestroyWindow(void) .rdata:0057AF3CddoffsetCWnd::PreCreateWindow(tagCREATESTRUCTA&) .rdata:0057AF40ddoffsetCWnd::CalcWindowRect(tagRECT*,uint) .rdata:0057AF44ddoffsetCWnd::OnToolHitTest(CPoint,tagTOOLINFOA*) .rdata:0057AF48ddoffsetunknown_libname_880 .rdata:0057AF4CddoffsetCWnd::WinHelpA(ulong,uint) .rdata:0057AF50ddoffsetCWnd::ContinueModal(void) .rdata:0057AF54ddoffsetCWnd::EndModalLoop(int) .rdata:0057AF58ddoffsetCWnd::OnCommand(uint,long) .rdata:0057AF5CddoffsetCWnd::OnNotify(uint,long,long*) .rdata:0057AF60ddoffsetsub_546855 .rdata:0057AF64ddoffsetsub_43F428 .rdata:0057AF68ddoffsetCWnd::BeginModalState(void) .rdata:0057AF6CddoffsetCWnd::EndModalState(void) .rdata:0057AF70ddoffsetCDialog::PreTranslateMessage(tagMSG*) .rdata:0057AF74ddoffsetCWnd::OnAmbientProperty(COleControlSite*,long,tagVARIANT*) .rdata:0057AF78ddoffsetCWnd::WindowProc(uint,uint,long) .rdata:0057AF7CddoffsetCWnd::OnWndMsg(uint,uint,long,long*) .rdata:0057AF80ddoffsetCWnd::DefWindowProcA(uint,uint,long) .rdata:0057AF84ddoffsetnullsub_25 .rdata:0057AF88ddoffsetCWnd::OnChildNotify(uint,uint,long,long*) .rdata:0057AF8CddoffsetCDialog::CheckAutoCenter(void) .rdata:0057AF90ddoffsetsub_548E97 .rdata:0057AF94ddoffsetCDialog::SetOccDialogInfo(_AFX_OCC_DIALOG_INFO*) .rdata:0057AF98ddoffsetCDialog::DoModal(void) .rdata:0057AF9Cddoffsetsub_43F4EA .rdata:0057AFA0ddoffsetnullsub_52 .rdata:0057AFA4ddoffsetCDialog::OnOK(void) .rdata:0057AFA8ddoffsetCDialog::OnCancel(void) .rdata:0057AFACddoffsetnullsub_53 ;================================================================================= 注意CCmdTarget::GetTypeLib，跟踪这个函数下面的那个函数的地址43F4E4，可以找到处理这个对话框消息的函数。 .text:0043F4E4sub_43F4E4procnear;DATAXREF:.rdata:0057AF08o .text:0043F4E4moveax,offsetoff_57AE30 .text:0043F4E9retn .text:0043F4E9sub_43F4E4endp ;================================================================================= 继续跟踪地址57AE30,来到下面： .rdata:0057AE30off_57AE30ddoffsetoff_5837E8//指向父类的消息处理函数 .rdata:0057AE34ddoffsetdword_57AE38//本对话框的消息处理函数 .rdata:0057AE38dword_57AE38dd111h .rdata:0057AE3Cdd0 .rdata:0057AE40dd627h .rdata:0057AE44dd627h .rdata:0057AE48dd0Ch .rdata:0057AE4Cdd43F682h .rdata:0057AE50dd111h .rdata:0057AE54dd0 .rdata:0057AE58dd1D3h .rdata:0057AE5Cdd1D3h .rdata:0057AE60dd0Ch .rdata:0057AE64dd43F6A0h .rdata:0057AE68dd111h//WM_COMMAND消息 .rdata:0057AE6Cdd0 .rdata:0057AE70dd1D4h .rdata:0057AE74dd1D4h//ok按钮id .rdata:0057AE78dd0Ch .rdata:0057AE7Cdd43F6B7h//ok按钮的处理函数 .rdata:0057AE80dd111h .rdata:0057AE84dd0 .rdata:0057AE88dd7D6h .rdata:0057AE8Cdd7D6h .rdata:0057AE90dd0Ch .rdata:0057AE94dd43F7A4h .rdata:0057AE98dd19h .rdata:0057AE9Cdd0 .rdata:0057AEA0dd0 .rdata:0057AEA4dd0 .rdata:0057AEA8dd4 .rdata:0057AEACdd43F7ADh .rdata:0057AEB0dd111h .rdata:0057AEB4dd0 .rdata:0057AEB8dd623h .rdata:0057AEBCdd623h .rdata:0057AEC0dd0Ch .rdata:0057AEC4dd43F867h .rdata:0057AEC8dd0 .rdata:0057AECCdd0 .rdata:0057AED0dd0 .rdata:0057AED4dd0 .rdata:0057AED8dd0 .rdata:0057AEDCdd0 ;================================================================================= 好了，现在找到了注册对话框中的ok按钮的处理函数，看一下这个函数： .text:0043F6B7sub_43F6B7procnear .text:0043F6B7moveax,offsetunknown_libname_1327 .text:0043F6BCcall__EH_prolog .text:0043F6C1pushecx .text:0043F6C2pushesi .text:0043F6C3movesi,ecx .text:0043F6C5push1 .text:0043F6C7callCWnd::UpdateData(int) .text:0043F6CCmovecx,[esi+1A0h] .text:0043F6D2leaeax,[esi+188h] .text:0043F6D8pusheax .text:0043F6D9callCString::operator=(CStringconst&) .text:0043F6DEmovecx,[esi+1A0h] .text:0043F6E4leaeax,[esi+18Ch] .text:0043F6EApusheax .text:0043F6EBaddecx,4 .text:0043F6EEcallCString::operator=(CStringconst&) .text:0043F6F3movecx,[esi+1A0h] .text:0043F6F9leaeax,[esi+190h] .text:0043F6FFpusheax .text:0043F700addecx,8 .text:0043F703callCString::operator=(CStringconst&) .text:0043F708movecx,[esi+1A0h] .text:0043F70Eleaeax,[esi+194h] .text:0043F714pusheax .text:0043F715addecx,0Ch .text:0043F718callCString::operator=(CStringconst&) .text:0043F71Dmovecx,[esi+1A0h] .text:0043F723leaeax,[esi+198h] .text:0043F729pusheax .text:0043F72Aaddecx,10h .text:0043F72DcallCString::operator=(CStringconst&) .text:0043F732leaeax,[esi+19Ch] .text:0043F738push0 .text:0043F73Apusheax .text:0043F73Bmovecx,offsetunk_5ECE48 .text:0043F740callsub_46CB82//这里是关键函数，下面着重分析 .text:0043F745testeax,eax .text:0043F747jzshortloc_43F750//返回0就失败了 .text:0043F749movecx,esi .text:0043F74BcallCDialog::OnOK(void) .text:0043F750 .text:0043F750loc_43F750: .text:0043F750moveax,dword_5D537C//到这里就是注册失败提示了 .text:0043F755mov[ebp-10h],eax .text:0043F758anddwordptr[ebp-4],0 .text:0043F75Cpush0Dh;InvalidLicenseKey.PleasetryagainorcontactWisdomSoftware .text:0043F75Eleaecx,[ebp-10h] .text:0043F761callCString::LoadStringA(uint) .text:0043F766push1037h .text:0043F76Bmovecx,esi .text:0043F76DcallCWnd::GetDlgItem(int) .text:0043F772testeax,eax .text:0043F774jzshortloc_43F780 .text:0043F776pushdwordptr[ebp-10h] .text:0043F779movecx,eax .text:0043F77BcallCWnd::SetWindowTextA(charconst*) .text:0043F780 .text:0043F780loc_43F780: .text:0043F780leaecx,[esi+14Ch] .text:0043F786callCWnd::SetFocus(void) .text:0043F78Bordwordptr[ebp-4],0FFFFFFFFh .text:0043F78Fleaecx,[ebp-10h] .text:0043F792callCString::~CString(void) .text:0043F797movecx,[ebp-0Ch] .text:0043F79Apopesi .text:0043F79Bmovlargefs:0,ecx .text:0043F7A2leave .text:0043F7A3retn .text:0043F7A3sub_43F6B7endp;sp=4 ;================================================================================= 跟进关键函数46CB82: .text:0046CB82sub_46CB82procnear .text:0046CB82moveax,offsetunknown_libname_1421 .text:0046CB87call__EH_prolog .text:0046CB8Cpushecx .text:0046CB8Dpushebx .text:0046CB8Exorebx,ebx .text:0046CB90pushesi .text:0046CB91pushedi .text:0046CB92movesi,ecx .text:0046CB94mov[ebp-10h],ebx .text:0046CB97pushebx .text:0046CB98pushebx .text:0046CB99push0F003Fh .text:0046CB9Epushebx .text:0046CB9Fpushebx .text:0046CBA0leaecx,[ebp-10h] .text:0046CBA3pushdword_5F0CC8 .text:0046CBA9mov[ebp-4],ebx .text:0046CBACpush80000001h .text:0046CBB1callsub_466121 .text:0046CBB6cmpeax,ebx .text:0046CBB8jlloc_46CCFE .text:0046CBBEpushdwordptr[ebp+0Ch] .text:0046CBC1movedi,[ebp+8] .text:0046CBC4pushedi .text:0046CBC5callfun1_422C8E//检验函数1***** .text:0046CBCApopecx .text:0046CBCBtesteax,eax .text:0046CBCDpopecx .text:0046CBCEjzloc_46CCFC .text:0046CBD4 .text:0046CBD4loc_46CBD4: .text:0046CBD4moveax,ebx .text:0046CBD6movecx,ebx .text:0046CBD8addeax,[edi+4] .text:0046CBDBaddecx,[esi+120h] .text:0046CBE1pusheax .text:0046CBE2callCString::operator=(CStringconst&) .text:0046CBE7addebx,4 .text:0046CBEAcmpebx,20//把5组注册码拷贝到[esi+120h]处 .text:0046CBEDjlshortloc_46CBD4 .text:0046CBEFpush1 .text:0046CBF1leaeax,[esi+11Ch] .text:0046CBF7popebx .text:0046CBF8pusheax .text:0046CBF9mov[esi+130h],ebx .text:0046CBFFcallfun2_422EF1//检验函数2***** .text:0046CC04testeax,eax .text:0046CC06popecx .text:0046CC07jzshortloc_46CC0F .text:0046CC09mov[esi+134h],ebx .text:0046CC0F .text:0046CC0Floc_46CC0F: .text:0046CC0Fmovecx,[esi+120h] .text:0046CC15leaeax,[ebp+0Ch] .text:0046CC18pushebx;1 .text:0046CC19pusheax .text:0046CC1Aaddecx,8 .text:0046CC1DcallCString::Left(int)//取第三组注册码左边一个字符 .text:0046CC22pusheax .text:0046CC23leaecx,[esi+4C4h]//保存到这里 .text:0046CC29mov[ebp-4],bl .text:0046CC2CcallCString::operator=(CStringconst&) .text:0046CC31andbyteptr[ebp-4],0 .text:0046CC35leaecx,[ebp+0Ch] .text:0046CC38callCString::~CString(void) .text:0046CC3Dmovecx,[esi+120h] .text:0046CC43leaeax,[ebp+0Ch] .text:0046CC46push2 .text:0046CC48pusheax .text:0046CC49addecx,4 .text:0046CC4CcallCString::Left(int)//取第二组注册码左边2个字符 .text:0046CC51pusheax .text:0046CC52leaecx,[esi+4C8h]//保存到这里 .text:0046CC58movbyteptr[ebp-4],2 .text:0046CC5CcallCString::operator=(CStringconst&) .text:0046CC61andbyteptr[ebp-4],0 .text:0046CC65leaecx,[ebp+0Ch] .text:0046CC68callCString::~CString(void) .text:0046CC6Dxoredi,edi .text:0046CC6F .text:0046CC6Floc_46CC6F: .text:0046CC6Fmoveax,edi .text:0046CC71pushebx;1 .text:0046CC72addeax,[esi+120h] .text:0046CC78pusheax .text:0046CC79callsub_4230E4;对字符串加密处理 .text:0046CC7Eaddedi,4 .text:0046CC81popecx .text:0046CC82cmpedi,14h .text:0046CC85popecx .text:0046CC86jlshortloc_46CC6F .text:0046CC88moveax,[esi+120h] .text:0046CC8Eleaecx,[ebp-10h] .text:0046CC91pushdwordptr[eax];以下5个函数保存注册码到注册表 .text:0046CC93pushkey_5F0F5C .text:0046CC99callsub_466387 .text:0046CC9Emoveax,[esi+120h] .text:0046CCA4leaecx,[ebp-10h] .text:0046CCA7pushdwordptr[eax+4] .text:0046CCAApushkey_5F0F58 .text:0046CCB0callsub_466387 .text:0046CCB5moveax,[esi+120h] .text:0046CCBBleaecx,[ebp-10h] .text:0046CCBEpushdwordptr[eax+8] .text:0046CCC1pushkey_5F0F54 .text:0046CCC7callsub_466387 .text:0046CCCCmoveax,[esi+120h] .text:0046CCD2leaecx,[ebp-10h] .text:0046CCD5pushdwordptr[eax+0Ch] .text:0046CCD8pushkey_5F0F50 .text:0046CCDEcallsub_466387 .text:0046CCE3moveax,[esi+120h] .text:0046CCE9leaecx,[ebp-10h] .text:0046CCECpushdwordptr[eax+10h] .text:0046CCEFpushkey_5F0F4C .text:0046CCF5callsub_466387 .text:0046CCFAjmpshortloc_46CCFE .text:0046CCFC;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:0046CCFC .text:0046CCFCloc_46CCFC: .text:0046CCFCxorebx,ebx .text:0046CCFE .text:0046CCFEloc_46CCFE: .text:0046CCFE .text:0046CCFEordwordptr[ebp-4],0FFFFFFFFh .text:0046CD02leaecx,[ebp-10h] .text:0046CD05callsub_46610A .text:0046CD0Amovecx,[ebp-0Ch] .text:0046CD0Dpopedi .text:0046CD0Emoveax,ebx .text:0046CD10popesi .text:0046CD11popebx .text:0046CD12movlargefs:0,ecx .text:0046CD19leave .text:0046CD1Aretn8 .text:0046CD1Asub_46CB82endp;sp=4 可以看出,上面共有2个验证的函数,下面分别分析: 先看fun1_422C8E: ================================================================= text:00422C8Efun1_422C8Eprocnear .text:00422C8E .text:00422C8Emoveax,offsetunknown_libname_1253 .text:00422C93call__EH_prolog .text:00422C98subesp,44h .text:00422C9Bpushebx .text:00422C9Cpushesi .text:00422C9Dmovesi,[ebp+8] .text:00422CA0pushedi .text:00422CA1moveax,[esi+8] .text:00422CA4cmpeax,5 .text:00422CA7jnzloc_422E62 .text:00422CADmoveax,[esi+4] .text:00422CB0xorebx,ebx .text:00422CB2xorecx,ecx .text:00422CB4 .text:00422CB4loc_422CB4: .text:00422CB4movedx,[eax] .text:00422CB6cmpdwordptr[edx-8],4 .text:00422CBAjnzloc_422E64 .text:00422CC0incecx .text:00422CC1addeax,4 .text:00422CC4cmpecx,5;检查5组注册码是否都是4个字符 .text:00422CC7jlshortloc_422CB4 .text:00422CC9xoredi,edi .text:00422CCB .text:00422CCBloc_422CCB: .text:00422CCBmoveax,[esi+4] .text:00422CCEpushdwordptr[edi+eax];char* .text:00422CD1leaeax,[ebp-28h] .text:00422CD4pusheax;char* .text:00422CD5call_strcpy;拷贝一组注册码到[ebp-28] .text:00422CDAmovzxeax,byteptr[ebp-26h];取第三个字符到eax .text:00422CDEpopecx .text:00422CDFpopecx .text:00422CE0movzxecx,byteptr[ebp-27h];取第二个字符到ecx .text:00422CE4addeax,ecx;第三个字符和第二个字符相加，和到eax .text:00422CE6push26 .text:00422CE8movzxecx,byteptr[ebp-28h];取第一个字符到ecx .text:00422CECaddeax,ecx;上面的和和第一个字符相加，和到eax .text:00422CEEpopecx .text:00422CEFcdq .text:00422CF0idivecx;和模上26 .text:00422CF2adddl,40h;加上40h .text:00422CF5cmpdl,40h .text:00422CF8jnzshortloc_422CFD .text:00422CFAadddl,26;结果为40h则再加上26 .text:00422CFD .text:00422CFDloc_422CFD: .text:00422CFDcmpdl,[ebp-25h];和第四个字符比较，不等则失败 .text:00422D00jnzloc_422E64 .text:00422D06addedi,4 .text:00422D09cmpedi,10h;依次处理前4组 .text:00422D0Cjlshortloc_422CCB .text:00422D0Emov[ebp-10h],ebx;索引初始化为0 .text:00422D11movebx,offsetasc_5C8424;"------" .text:00422D16 .text:00422D16loc_422D16: .text:00422D16movesi,ebx .text:00422D18leaedi,[ebp-48h];[ebp-48]填充6个"-"字符 .text:00422D1Bmovsd .text:00422D1Cpush1 .text:00422D1Eleaeax,[ebp-14h] .text:00422D21pushdwordptr[ebp-10h];索引 .text:00422D24movsw .text:00422D26pusheax .text:00422D27moveax,[ebp+8] .text:00422D2Amovsb .text:00422D2Bmovecx,[eax+4];第一组注册码 .text:00422D2EcallCString::Mid(int,int) .text:00422D33pushdwordptr[eax];char*;取第一组注册码索引处一个字符 .text:00422D35leaeax,[ebp-48h] .text:00422D38pusheax;char* .text:00422D39call_strcpy;拷贝到[ebp-48] .text:00422D3Epopecx .text:00422D3Fpopecx .text:00422D40leaecx,[ebp-14h] .text:00422D43callCString::~CString(void) .text:00422D48movesi,ebx .text:00422D4Aleaedi,[ebp-40h] .text:00422D4Dpush1 .text:00422D4Fleaeax,[ebp-18h] .text:00422D52pushdwordptr[ebp-10h];索引 .text:00422D55movsd .text:00422D56pusheax .text:00422D57moveax,[ebp+8] .text:00422D5Amovsw .text:00422D5Cmovecx,[eax+4] .text:00422D5Faddecx,4;第二组注册码 .text:00422D62movsb .text:00422D63callCString::Mid(int,int) .text:00422D68pushdwordptr[eax];char*;取第二组注册码索引处一个字符 .text:00422D6Aleaeax,[ebp-40h] .text:00422D6Dpusheax;char* .text:00422D6Ecall_strcpy;拷贝到[ebp-40] .text:00422D73popecx .text:00422D74popecx .text:00422D75leaecx,[ebp-18h] .text:00422D78callCString::~CString(void) .text:00422D7Dmovesi,ebx .text:00422D7Fleaedi,[ebp-38h] .text:00422D82push1 .text:00422D84leaeax,[ebp-1Ch] .text:00422D87pushdwordptr[ebp-10h];索引 .text:00422D8Amovsd .text:00422D8Bpusheax .text:00422D8Cmoveax,[ebp+8] .text:00422D8Fmovsw .text:00422D91movecx,[eax+4] .text:00422D94addecx,8;第三组注册码 .text:00422D97movsb .text:00422D98callCString::Mid(int,int);取第三组注册码索引处一个字符 .text:00422D9Dpushdwordptr[eax];char* .text:00422D9Fleaeax,[ebp-38h] .text:00422DA2pusheax;char* .text:00422DA3call_strcpy;拷贝到[ebp-38] .text:00422DA8popecx .text:00422DA9popecx .text:00422DAAleaecx,[ebp-1Ch] .text:00422DADcallCString::~CString(void) .text:00422DB2movesi,ebx .text:00422DB4leaedi,[ebp-30h] .text:00422DB7push1 .text:00422DB9leaeax,[ebp-20h] .text:00422DBCpushdwordptr[ebp-10h];索引 .text:00422DBFmovsd .text:00422DC0pusheax .text:00422DC1moveax,[ebp+8] .text:00422DC4movsw .text:00422DC6movecx,[eax+4] .text:00422DC9addecx,0Ch;第四组注册码 .text:00422DCCmovsb .text:00422DCDcallCString::Mid(int,int);取第四组注册码索引处一个字符 .text:00422DD2pushdwordptr[eax];char* .text:00422DD4leaeax,[ebp-30h] .text:00422DD7pusheax;char* .text:00422DD8call_strcpy;拷贝到[ebp-30] .text:00422DDDpopecx .text:00422DDEpopecx .text:00422DDFleaecx,[ebp-20h] .text:00422DE2callCString::~CString(void) .text:00422DE7movesi,ebx .text:00422DE9leaedi,[ebp-50h] .text:00422DECpush1 .text:00422DEEleaeax,[ebp-28h] .text:00422DF1pushdwordptr[ebp-10h];索引 .text:00422DF4movsd .text:00422DF5pusheax .text:00422DF6moveax,[ebp+8] .text:00422DF9movsw .text:00422DFBmovecx,[eax+4] .text:00422DFEaddecx,10h;第五组注册码 .text:00422E01movsb .text:00422E02callCString::Mid(int,int);取第五组注册码索引处一个字符 .text:00422E07pushdwordptr[eax];char* .text:00422E09leaeax,[ebp-50h] .text:00422E0Cpusheax;char* .text:00422E0Dcall_strcpy;拷贝到[ebp-50] .text:00422E12popecx .text:00422E13popecx .text:00422E14leaecx,[ebp-28h] .text:00422E17callCString::~CString(void) .text:00422E1Cmovzxeax,byteptr[ebp-30h] .text:00422E20movzxecx,byteptr[ebp-38h] .text:00422E24addeax,ecx .text:00422E26push36 .text:00422E28movzxecx,byteptr[ebp-40h] .text:00422E2Caddeax,ecx .text:00422E2Emovzxecx,byteptr[ebp-48h] .text:00422E32addeax,ecx;前4个字符相加 .text:00422E34popecx .text:00422E35cdq .text:00422E36idivecx;和模上36 .text:00422E38adddl,64;加上64 .text:00422E3Bcmpdl,'Z' .text:00422E3Ejbeshortloc_422E43;结果大于字符'Z'则减去42 .text:00422E40adddl,-42 .text:00422E43 .text:00422E43loc_422E43: .text:00422E43cmpdl,[ebp-50h];和第五个字符比较 .text:00422E46jnzshortloc_422E62 .text:00422E48incdwordptr[ebp-10h];索引加1 .text:00422E4Bcmpdwordptr[ebp-10h],4 .text:00422E4Fjlloc_422D16 .text:00422E55pushdwordptr[ebp+8];注册码压入堆栈 .text:00422E58callfun3_42306F;调用验证函数42306F .text:00422E5Dtesteax,eax .text:00422E5Fpopecx .text:00422E60jnzshortloc_422EDF;验证函数42306F返回非零值则本函数返回1 .text:00422E62 .text:00422E62loc_422E62: .text:00422E62 .text:00422E62xorebx,ebx;跳到这里就验证失败了 .text:00422E64 .text:00422E64loc_422E64: .text:00422E64 .text:00422E64cmp[ebp+0Ch],ebx .text:00422E67jzshortloc_422EDB .text:00422E69moveax,dword_5D537C .text:00422E6Emov[ebp+0Ch],eax .text:00422E71push0Dh;InvalidLicenseKey.PleasetryagainorcontactWisdomSoftware. .text:00422E73leaecx,[ebp+0Ch] .text:00422E76mov[ebp-4],ebx .text:00422E79callCString::LoadStringA(uint) .text:00422E7Emoveax,dword_5D537C .text:00422E83mov[ebp+8],eax .text:00422E86push0Eh;ScreenHunterMessage .text:00422E88leaecx,[ebp+8] .text:00422E8Bmovbyteptr[ebp-4],1 .text:00422E8FcallCString::LoadStringA(uint) .text:00422E94pushdwordptr[ebp+8];lpWindowName .text:00422E97pushebx;lpClassName .text:00422E98callds:FindWindowA .text:00422E9Ecmpeax,ebx .text:00422EA0moveax,[ebp+8] .text:00422EA3jzshortloc_422EAA .text:00422EA5cmp[eax-8],ebx .text:00422EA8jgshortloc_422EC3 .text:00422EAA .text:00422EAAloc_422EAA: .text:00422EAAcmpdword_5ED0C4,6 .text:00422EB1jzshortloc_422EC3 .text:00422EB3push40010h;uType .text:00422EB8pusheax;lpCaption .text:00422EB9pushdwordptr[ebp+0Ch];lpText .text:00422EBCpushebx;hWnd .text:00422EBDcallds:MessageBoxA .text:00422EC3 .text:00422EC3loc_422EC3: .text:00422EC3 .text:00422EC3andbyteptr[ebp-4],0 .text:00422EC7leaecx,[ebp+8] .text:00422ECAcallCString::~CString(void) .text:00422ECFordwordptr[ebp-4],0FFFFFFFFh .text:00422ED3leaecx,[ebp+0Ch] .text:00422ED6callCString::~CString(void) .text:00422EDB .text:00422EDBloc_422EDB: .text:00422EDBxoreax,eax .text:00422EDDjmpshortloc_422EE2 .text:00422EDF;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:00422EDF .text:00422EDFloc_422EDF: .text:00422EDFpush1 .text:00422EE1popeax .text:00422EE2 .text:00422EE2loc_422EE2: .text:00422EE2movecx,[ebp-0Ch] .text:00422EE5popedi .text:00422EE6popesi .text:00422EE7popebx .text:00422EE8movlargefs:0,ecx .text:00422EEFleave .text:00422EF0retn .text:00422EF0fun1_422C8Eendp;sp=4 ;================================================================================= fun1_422C8E里还调用到了函数fun3_42306F,来到下面看看: .text:0042306Ffun3_42306Fprocnear .text:0042306F .text:0042306F .text:0042306F .text:0042306Farg_0=dwordptr8 .text:0042306F .text:0042306Fpushebp .text:00423070movebp,esp .text:00423072pushesi .text:00423073movesi,[ebp+arg_0] .text:00423076pushedi .text:00423077leaeax,[ebp+arg_0] .text:0042307Amovecx,[esi+4];第一组注册码 .text:0042307Dpush3 .text:0042307Fpusheax .text:00423080callCString::Left(int);取前3位 .text:00423085pushdwordptr[eax];char* .text:00423087pushdword_5DFEA0;"SH4" .text:0042308Dcall_strcmp;比较是否是"SH4" .text:00423092popecx .text:00423093movedi,eax .text:00423095popecx .text:00423096leaecx,[ebp+arg_0] .text:00423099callCString::~CString(void) .text:0042309Etestedi,edi .text:004230A0jnzshortloc_4230D2;不等则跳 .text:004230A2movecx,[esi+4] .text:004230A5push1 .text:004230A7leaeax,[ebp+arg_0] .text:004230AApush2 .text:004230ACpusheax .text:004230ADaddecx,4;第二组注册码 .text:004230B0callCString::Mid(int,int);取第三个字符 .text:004230B5pushdwordptr[eax];char* .text:004230B7pushdword_5DFE9C;"9" .text:004230BDcall_strcmp;比较是否是"9" .text:004230C2popecx .text:004230C3movesi,eax .text:004230C5popecx .text:004230C6leaecx,[ebp+arg_0] .text:004230C9callCString::~CString(void) .text:004230CEtestesi,esi .text:004230D0jzshortloc_4230DD .text:004230D2 .text:004230D2loc_4230D2: .text:004230D2anddword_5ECF7C,0;置全局注册失败标志 .text:004230D9xoreax,eax;失败则返回0 .text:004230DBjmpshortloc_4230E0 .text:004230DD;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:004230DD .text:004230DDloc_4230DD: .text:004230DDpush1 .text:004230DFpopeax .text:004230E0 .text:004230E0loc_4230E0: .text:004230E0popedi .text:004230E1popesi .text:004230E2popebp .text:004230E3retn .text:004230E3fun3_42306Fendp ================================================================= 下面开始看fun2_422EF1: .text:00422EF1fun2_422EF1procnear .text:00422EF1 .text:00422EF1 .text:00422EF1var_30=byteptr-30h .text:00422EF1var_28=byteptr-28h .text:00422EF1var_20=byteptr-20h .text:00422EF1var_18=dwordptr-18h .text:00422EF1var_14=dwordptr-14h .text:00422EF1var_10=dwordptr-10h .text:00422EF1var_C=dwordptr-0Ch .text:00422EF1var_8=dwordptr-8 .text:00422EF1var_1=byteptr-1 .text:00422EF1arg_0=dwordptr8 .text:00422EF1 .text:00422EF1pushebp .text:00422EF2movebp,esp .text:00422EF4subesp,30h .text:00422EF7pushebx .text:00422EF8pushesi .text:00422EF9xoresi,esi .text:00422EFBpushedi .text:00422EFCcmpdword_5ECF88,esi .text:00422F02jleloc_423054 .text:00422F08cmpdword_5ECF8C,esi .text:00422F0Ejleloc_423054 .text:00422F14cmpdword_5ECF90,esi .text:00422F1Ajleloc_423054 .text:00422F20leaeax,[ebp+var_C] .text:00422F23pusheax .text:00422F24callCTime::GetTickCount(void) .text:00422F29push0FFFFFFFFh .text:00422F2Bpushesi .text:00422F2Cpushesi .text:00422F2Dpushesi .text:00422F2Epushdword_5ECF90 .text:00422F34leaecx,[ebp+var_8] .text:00422F37pushdword_5ECF8C .text:00422F3Dpushdword_5ECF88 .text:00422F43callCTime::CTime(int,int,int,int,int,int,int) .text:00422F48pushecx .text:00422F49movecx,[ebp+var_8] .text:00422F4Cmoveax,esp .text:00422F4Emov[ebp+var_18],esp .text:00422F51mov[eax],ecx .text:00422F53leaeax,[ebp+var_18] .text:00422F56pusheax .text:00422F57leaecx,[ebp+var_C] .text:00422F5Acallsub_423060 .text:00422F5Fmoveax,[eax] .text:00422F61movecx,15180h .text:00422F66cdq .text:00422F67idivecx .text:00422F69cmpeax,7;随即检查 .text:00422F6Cjlloc_423054 .text:00422F72moveax,dwordptra815;"815" .text:00422F77mov[ebp+var_8],esi;索引清零 .text:00422F7Amov[ebp+var_14],eax .text:00422F7Dmovebx,offsetasc_5C8424;"------" .text:00422F82 .text:00422F82loc_422F82: .text:00422F82movesi,ebx .text:00422F84leaedi,[ebp+var_28] .text:00422F87push1 .text:00422F89leaeax,[ebp+var_C] .text:00422F8Cpush[ebp+var_8];索引 .text:00422F8Fmovsd .text:00422F90pusheax .text:00422F91moveax,[ebp+arg_0] .text:00422F94movsw .text:00422F96movecx,[eax+4] .text:00422F99addecx,4;第二组注册码 .text:00422F9Cmovsb .text:00422F9DcallCString::Mid(int,int);取索引处一个字符 .text:00422FA2pushdwordptr[eax];char* .text:00422FA4leaeax,[ebp+var_28] .text:00422FA7pusheax;char* .text:00422FA8call_strcpy;拷贝到var_28 .text:00422FADpopecx .text:00422FAEpopecx .text:00422FAFleaecx,[ebp+var_C] .text:00422FB2callCString::~CString(void) .text:00422FB7movesi,ebx .text:00422FB9leaedi,[ebp+var_20] .text:00422FBCmovsd .text:00422FBDmovsw .text:00422FBFmovsb .text:00422FC0movesi,[ebp+var_8];索引 .text:00422FC3push1 .text:00422FC5leaeax,[ebp+var_10] .text:00422FC8pushesi .text:00422FC9pusheax .text:00422FCAmoveax,[ebp+arg_0] .text:00422FCDmovecx,[eax+4] .text:00422FD0addecx,8;第三组注册码 .text:00422FD3callCString::Mid(int,int);取索引处一个字符 .text:00422FD8pushdwordptr[eax];char* .text:00422FDAleaeax,[ebp+var_20] .text:00422FDDpusheax;char* .text:00422FDEcall_strcpy;拷贝到var_20 .text:00422FE3popecx .text:00422FE4popecx .text:00422FE5leaecx,[ebp+var_10] .text:00422FE8callCString::~CString(void) .text:00422FEDmovzxeax,byteptr[ebp+esi+var_14];取字符串"815"索引处一个字符 .text:00422FF2movzxecx,[ebp+var_20] .text:00422FF6addeax,ecx;加上第三组注册码一个字符 .text:00422FF8push10 .text:00422FFAmovzxecx,[ebp+var_28] .text:00422FFEaddeax,ecx;加上第二组注册码一个字符 .text:00423000popecx .text:00423001cdq .text:00423002idivecx;模上10 .text:00423004movesi,ebx .text:00423006leaedi,[ebp+var_30] .text:00423009push1 .text:0042300Bleaeax,[ebp+var_18] .text:0042300Epush[ebp+var_8];索引 .text:00423011movsd .text:00423012pusheax .text:00423013moveax,[ebp+arg_0] .text:00423016movsw .text:00423018movecx,[eax+4] .text:0042301Baddecx,12;第四组注册码 .text:0042301Emovsb .text:0042301Fadddl,'0';模加上'0' .text:00423022mov[ebp+var_1],dl .text:00423025callCString::Mid(int,int);取索引处一个字符 .text:0042302Apushdwordptr[eax];char* .text:0042302Cleaeax,[ebp+var_30] .text:0042302Fpusheax;char* .text:00423030call_strcpy;拷贝到var_30 .text:00423035popecx .text:00423036popecx .text:00423037leaecx,[ebp+var_18] .text:0042303AcallCString::~CString(void) .text:0042303Fmoval,[ebp+var_1] .text:00423042cmpal,[ebp+var_30];比较 .text:00423045jnzshortloc_42305C .text:00423047inc[ebp+var_8];索引加1 .text:0042304Acmp[ebp+var_8],3;共比较3次 .text:0042304Ejlloc_422F82 .text:00423054 .text:00423054loc_423054: .text:00423054 .text:00423054push1 .text:00423056popeax .text:00423057 .text:00423057loc_423057: .text:00423057popedi .text:00423058popesi .text:00423059popebx .text:0042305Aleave .text:0042305Bretn .text:0042305C;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:0042305C .text:0042305Cloc_42305C: .text:0042305Cxoreax,eax .text:0042305Ejmpshortloc_423057 .text:0042305Efun2_422EF1endp =================================================================== 跟踪对话框的调用过程，可以来到下面，这里是取协议到多少用户的。 第三组注册码第一个字符决定协议类型。 如果协议类型是'G'则第二组注册码前两个字符是协议用户数。 .text:00423130sub_423130procnear .text:00423130 .text:00423130pushesi .text:00423131xoresi,esi .text:00423133pushmy_5ED30C;char* .text:00423139pushq_5DFE94_D;char* .text:0042313Fcall_strcmp .text:00423144popecx .text:00423145testeax,eax .text:00423147popecx .text:00423148jnzshortloc_423152 .text:0042314Apush1 .text:0042314C .text:0042314Cloc_42314C: .text:0042314Cpopesi .text:0042314Djmploc_42329A .text:00423152;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:00423152 .text:00423152loc_423152: .text:00423152pushmy_5ED30C;char* .text:00423158pushq_5DFE8C_M;char* .text:0042315Ecall_strcmp .text:00423163popecx .text:00423164testeax,eax .text:00423166popecx .text:00423167jnzshortloc_42316D .text:00423169push5 .text:0042316Bjmpshortloc_42314C .text:0042316D;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:0042316D .text:0042316Dloc_42316D: .text:0042316Dpushmy_5ED30C;char* .text:00423173pushq_5DFE88_P;char* .text:00423179call_strcmp .text:0042317Epopecx .text:0042317Ftesteax,eax .text:00423181popecx .text:00423182jnzshortloc_423188 .text:00423184push10 .text:00423186jmpshortloc_42314C .text:00423188;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:00423188 .text:00423188loc_423188: .text:00423188pushmy_5ED30C;char* .text:0042318Epushq_5DFE84_Q;char* .text:00423194call_strcmp .text:00423199popecx .text:0042319Atesteax,eax .text:0042319Cpopecx .text:0042319Djnzshortloc_4231A3 .text:0042319Fpush20 .text:004231A1jmpshortloc_42314C .text:004231A3;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:004231A3 .text:004231A3loc_4231A3: .text:004231A3pushmy_5ED30C;char* .text:004231A9pushq_5DFE80_R;char* .text:004231AFcall_strcmp .text:004231B4popecx .text:004231B5testeax,eax .text:004231B7popecx .text:004231B8jnzshortloc_4231BE .text:004231BApush50 .text:004231BCjmpshortloc_42314C .text:004231BE;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:004231BE .text:004231BEloc_4231BE: .text:004231BEpushmy_5ED30C;char* .text:004231C4pushq_5DFE7C_S;char* .text:004231CAcall_strcmp .text:004231CFpopecx .text:004231D0testeax,eax .text:004231D2popecx .text:004231D3jnzshortloc_4231DC .text:004231D5push100 .text:004231D7jmploc_42314C .text:004231DC;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:004231DC .text:004231DCloc_4231DC: .text:004231DCpushmy_5ED30C;char* .text:004231E2pushq_5DFE78_T;char* .text:004231E8call_strcmp .text:004231EDpopecx .text:004231EEtesteax,eax .text:004231F0popecx .text:004231F1jnzshortloc_4231FD .text:004231F3movesi,200 .text:004231F8jmploc_42329A .text:004231FD;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:004231FD .text:004231FDloc_4231FD: .text:004231FDpushmy_5ED30C;char* .text:00423203pushq_5DFE74_U;char* .text:00423209call_strcmp .text:0042320Epopecx .text:0042320Ftesteax,eax .text:00423211popecx .text:00423212jnzshortloc_42321B .text:00423214movesi,500 .text:00423219jmpshortloc_42329A .text:0042321B;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:0042321B .text:0042321Bloc_42321B: .text:0042321Bpushmy_5ED30C;char* .text:00423221pushq_5DFE70_V;char* .text:00423227call_strcmp .text:0042322Cpopecx .text:0042322Dtesteax,eax .text:0042322Fpopecx .text:00423230jnzshortloc_423239 .text:00423232movesi,1000 .text:00423237jmpshortloc_42329A .text:00423239;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:00423239 .text:00423239loc_423239: .text:00423239pushmy_5ED30C;char* .text:0042323Fpushq_5DFE6C_W;char* .text:00423245call_strcmp .text:0042324Apopecx .text:0042324Btesteax,eax .text:0042324Dpopecx .text:0042324Ejnzshortloc_423257 .text:00423250movesi,2000 .text:00423255jmpshortloc_42329A .text:00423257;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:00423257 .text:00423257loc_423257: .text:00423257pushmy_5ED30C;char* .text:0042325Dpushq_5DFE68_X;char* .text:00423263call_strcmp .text:00423268popecx .text:00423269testeax,eax .text:0042326Bpopecx .text:0042326Cjnzshortloc_423275 .text:0042326Emovesi,5000 .text:00423273jmpshortloc_42329A .text:00423275;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 .text:00423275 .text:00423275loc_423275: .text:00423275pushmy_5ED30C;char* .text:0042327Bpushq_5DFE90_G;char* .text:00423281call_strcmp .text:00423286popecx .text:00423287testeax,eax .text:00423289popecx .text:0042328Ajnzshortloc_42329A .text:0042328Cpushmy_5ED310;char* .text:00423292call_atoi .text:00423297popecx .text:00423298movesi,eax .text:0042329A .text:0042329Aloc_42329A: .text:0042329Amoveax,esi .text:0042329Cpopesi .text:0042329Dretn .text:0042329Dsub_423130endp GetUserCnt(void) { charUserCnt;//第三组注册码左边一个字符 charcount[3];//第二组注册码左边两个字符 if(UserCnt=='D')return1; if(UserCnt=='M')return5; if(UserCnt=='P')return10; if(UserCnt=='Q')return20; if(UserCnt=='R')return50; if(UserCnt=='S')return100; if(UserCnt=='T')return200; if(UserCnt=='U')return500; if(UserCnt=='V')return1000; if(UserCnt=='W')return2000; if(UserCnt=='X')return5000; if(UserCnt=='G')reutrnatoi(count); return0; } ====================================================================== 好了,该总结一下了: 先看看注册码的格式:XXXX-XXXX-XXXX-XXXX-XXXX 这里注册码分了5组，每组4位。为了方便表示，我把5组注册码简称key[0],key[1],key[2],key[3],key[4], 并且把每组注册码中的一个字符简称key[0][0],key[0][1]...。 key[0]的前3位是固定的，为"SH4"。 key[1][2]也是固定的，为'9'。 key[3]的前3个字符由key[1],key[2]和字符串"815"决定。 每组的第4个字符由前面的3个字符决定。 第5组的4个字符由前面的4组决定。 第三组注册码前一个字符决定协议类型。 第二组注册码和协议用户数有关。 下面给出注册机的源代码： { SYSTEMTIMEtm; unsignedlongseed; charkey[5][5]; inti; intsum; chartmp[4]="815"; charlk[25]; GetSystemTime(&tm); seed=tm.wDay+tm.wDayOfWeek+tm.wHour+tm.wMilliseconds +tm.wMinute+tm.wMonth+tm.wSecond+tm.wYear; srand(seed); memset(key,0,sizeof(key)/sizeof(char)); strcpy(key[0],"SH4Y"); key[1][0]=rand()%9+'1'; key[1][1]=rand()%10+'0'; key[1][2]='9'; key[2][0]='X'; key[2][1]=rand()%26+'A'; key[2][2]=rand()%26+'A'; for(i=0;i<3;i++) { sum=tmp[i]+key[1][i]+key[2][i]; sum=sum%10+'0'; key[3][i]=sum; } for(i=1;i<4;i++) { sum=key[i][0]+key[i][1]+key[i][2]; sum=sum%26+0x40; if(sum==0x40)sum+=26; key[i][3]=sum; } for(i=0;i<4;i++) { sum=key[0][i]+key[1][i]+key[2][i]+key[3][i]; sum=sum%36+64; if(sum>'Z')sum-=42; key[4][i]=sum; } sprintf(lk,"%s-%s-%s-%s-%s",key[0],key[1],key[2],key[3],key[4]); m_key=lk; UpdateData(false); }

页: [1]

邪恶八进制信息安全团队技术讨论组's Archiver

[转载]ScreenHunter 4.2 Pro 注册算法分析