[转载]全局变量简单分析:屏幕监视专家2.1
<P>文章作者:liyangsj</P><BR><P><FONT face=宋体><BR><BR>【使用工具】peidOllyDbg1.10<BR>【破解平台】Winxp<BR>【软件名称】屏幕监视专家2.1<BR>【软件地址】[url]http://www.tlxsoft.com/pmjszj/index.htm[/url]<BR>【编写语言】C<BR>一直在用它,不错。分析还是上个学期的事了,不能在拖了(不然忘了)。这里稍微整理了一下下。<BR>此软件烦在全局变量上,败也在全局变量上。<BR>如果看到注册成功就收手,呵呵录像白屏!!<BR>全局变量--下内存断点。<BR>过程:<BR>0041EF38/.55pushebp<BR>0041EF39|.8BECmovebp,esp<BR>0041EF3B|.83C4>addesp,-3C<BR>0041EF3E|.8955>movdwordptrss:[ebp-3C],edx<BR>0041EF41|.8945>movdwordptrss:[ebp-38],eax<BR>0041EF44|.B8B>moveax,pmjszj.004A4BBC<BR>0041EF49|.E86>callpmjszj.0048EDB8<BR>0041EF4E|.66:C>movwordptrss:[ebp-24],8<BR>0041EF54|.8D45>leaeax,dwordptrss:[ebp-4]<BR>0041EF57|.E85>callpmjszj.004035AC<BR>0041EF5C|.8BD0movedx,eax<BR>0041EF5E|.FF45>incdwordptrss:[ebp-18]<BR>0041EF61|.8B4D>movecx,dwordptrss:[ebp-38]<BR>0041EF64|.8B81>moveax,dwordptrds:[ecx+2E4]<BR>0041EF6A|.E83>callpmjszj.0045B2A0<BR>0041EF6F|.8D55>leaedx,dwordptrss:[ebp-4]<BR>0041EF72|.FF32pushdwordptrds:[edx];压入注册码<BR>0041EF74|.8D45>leaeax,dwordptrss:[ebp-8]<BR>0041EF77|.E83>callpmjszj.004035AC<BR>0041EF7C|.8BD0movedx,eax<BR>0041EF7E|.FF45>incdwordptrss:[ebp-18]<BR>0041EF81|.8B4D>movecx,dwordptrss:[ebp-38]<BR>0041EF84|.8B81>moveax,dwordptrds:[ecx+2DC]<BR>0041EF8A|.E81>callpmjszj.0045B2A0<BR>0041EF8F|.8D55>leaedx,dwordptrss:[ebp-8];|<BR>0041EF92|.FF32pushdwordptrds:[edx];|压入用户名<BR>0041EF94|.8B0D>movecx,dwordptrds:[4A93D0];|pmjszj._MainForm<BR>0041EF9A|.FF31pushdwordptrds:[ecx];|Arg1<BR>0041EF9C|.E8A>callpmjszj.0040EE44;\pmjszj.0040EE44<BR>0041EFA1|.83C4>addesp,0C<BR>0041EFA4|.FF4D>decdwordptrss:[ebp-18]<BR>0041EFA7|.8D45>leaeax,dwordptrss:[ebp-8]<BR>0041EFAA|.BA0>movedx,2<BR>0041EFAF|.E8F>callpmjszj.004991AC<BR>0041EFB4|.FF4D>decdwordptrss:[ebp-18]<BR>0041EFB7|.8D45>leaeax,dwordptrss:[ebp-4]<BR>0041EFBA|.BA0>movedx,2<BR>0041EFBF|.E8E>callpmjszj.004991AC<BR>0041EFC4|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm<BR>0041EFCA|.FF31pushdwordptrds:[ecx];/Arg1<BR>0041EFCC|.E84>callpmjszj.00409A14;\对注册码第一次判断--注册码码输入格式是否正确<BR>0041EFD1|.59popecx<BR>0041EFD2|.3C0>cmpal,1<BR>0041EFD4|.0F85>jnzpmjszj.0041F05E<BR>0041EFDA|.A1D>moveax,dwordptrds:[4A93D0]<BR>0041EFDF|.FF30pushdwordptrds:[eax];/Arg1<BR>0041EFE1|.E88>callpmjszj.00409A68;\第二次判断--用注册的前5位运算结果与机器码用户名计算的结果比较<BR>0041EFE6|.59popecx<BR>0041EFE7|.3C0>cmpal,1<BR>0041EFE9|.757>jnzshortpmjszj.0041F05E;关键比较<BR>0041EFEB|.66:C>movwordptrss:[ebp-24],14<BR>0041EFF1|.BA3>movedx,pmjszj.004A4B30;注册成功<BR>0041EFF6|.8D45>leaeax,dwordptrss:[ebp-C]<BR>0041EFF9|.E8A>callpmjszj.00498FA0<BR>0041EFFE|.FF45>incdwordptrss:[ebp-18]<BR>0041F001|.8B00moveax,dwordptrds:[eax]<BR>0041F003|.E86>callpmjszj.00456168<BR>0041F008|.FF4D>decdwordptrss:[ebp-18]<BR>0041F00B|.8D45>leaeax,dwordptrss:[ebp-C]<BR>0041F00E|.BA0>movedx,2<BR>0041F013|.E89>callpmjszj.004991AC<BR>0041F018|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm<BR>0041F01E|.8B01moveax,dwordptrds:[ecx]<BR>0041F020|.C680>movbyteptrds:[eax+414],1<BR>0041F027|.8B15>movedx,dwordptrds:[4A93D0];pmjszj._MainForm<BR>0041F02D|.8B0Amovecx,dwordptrds:[edx]<BR>0041F02F|.8B81>moveax,dwordptrds:[ecx+3C4]<BR>0041F035|.B20>movdl,1<BR>0041F037|.E85>callpmjszj.0043478C<BR>0041F03C|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm<BR>0041F042|.FF31pushdwordptrds:[ecx];/Arg1<BR>0041F044|.E80>callpmjszj.0040AC54;\pmjszj.0040AC54<BR>0041F049|.59popecx<BR>0041F04A|.8B45>moveax,dwordptrss:[ebp-38]<BR>0041F04D|.C680>movbyteptrds:[eax+2F4],1<BR>0041F054|.8B45>moveax,dwordptrss:[ebp-38]<BR>0041F057|.E84>callpmjszj.004490A0<BR>0041F05C|.EB3>jmpshortpmjszj.0041F09A<BR>0041F05E|>66:C>movwordptrss:[ebp-24],20<BR>0041F064|.BA3>movedx,pmjszj.004A4B39;注册失败<BR>0041F069|.8D45>leaeax,dwordptrss:[ebp-10]<BR>0041F06C|.E82>callpmjszj.00498FA0<BR>0041F071|.FF45>incdwordptrss:[ebp-18]<BR>0041F074|.8B00moveax,dwordptrds:[eax]<BR>0041F076|.E8E>callpmjszj.00456168<BR>0041F07B|.FF4D>decdwordptrss:[ebp-18]<BR>0041F07E|.8D45>leaeax,dwordptrss:[ebp-10]<BR><BR><BR>………………………………………………………………………………………………………………………………<BR>进入:0041EFCC|.E84>callpmjszj.00409A14;\对注册码第一次判断--注册码码输入格式是否正确<BR>………………………………………………………………………………………………………………………………<BR>00409A14/$55pushebp<BR>00409A15|.8BECmovebp,esp<BR>00409A17|.83C4>addesp,-8<BR>00409A1A|.33C0xoreax,eax<BR>00409A1C|.8945>movdwordptrss:[ebp-8],eax<BR>00409A1F|.33D2xoredx,edx<BR>00409A21|.8955>movdwordptrss:[ebp-4],edx<BR>00409A24|>8B4D>/movecx,dwordptrss:[ebp+8];全加起来<BR>00409A27|.8B45>|moveax,dwordptrss:[ebp-4]<BR>00409A2A|.0FBE>|movsxedx,byteptrds:[ecx+eax+445];得到每一位注册码<BR>00409A32|.0155>|adddwordptrss:[ebp-8],edx;把得到的每一位的ASCII加起来<BR>00409A35|.FF45>|incdwordptrss:[ebp-4];计数器<BR>00409A38|.837D>|cmpdwordptrss:[ebp-4],13;总共19位<BR>00409A3C|.^7CE>\jlshortpmjszj.00409A24;将每一位值相加<BR>00409A3E|.8B4D>movecx,dwordptrss:[ebp+8]<BR>00409A41|.0FBE>movsxeax,byteptrds:[ecx+458];第20位的注册<BR>00409A48|.83C0>addeax,-41;第20位的注册码的ASCII减去16进制41<BR>00409A4B|.8945>movdwordptrss:[ebp-4],eax<BR>00409A4E|.8B45>moveax,dwordptrss:[ebp-8];得到前19位相加之和<BR>00409A51|.B91>movecx,14<BR>00409A56|.99cdq<BR>00409A57|.F7F9idivecx;得到前19位相加之和除以16进制14<BR>00409A59|.3B55>cmpedx,dwordptrss:[ebp-4];相除的余数与第20位的注册码的ASCII减去16进制41的结果比较<BR>00409A5C|.750>jnzshortpmjszj.00409A62<BR>00409A5E|.B00>moval,1<BR>00409A60|.EB0>jmpshortpmjszj.00409A64<BR>00409A62|>33C0xoreax,eax<BR>00409A64|>59popecx<BR>00409A65|.59popecx<BR>00409A66|.5Dpopebp<BR>…………………………………………………………………………………………………………………………<BR>上面检查输入格式,注册码一共有20位,第20位的注册码的ASCII减去41得到的结果<BR>一定要等于前19位的输入码的ASCII相加的和除以20得到的余数。<BR>…………………………………………………………………………………………………………………………<BR>………………………………………………………………………………………………………………………………<BR>进入0041EFE1|.E88>callpmjszj.00409A68;\第二次判断--用注册的前5位运算结果与机器码用户名计算的结果比较<BR>…………………………………………………………………………………………………………………………………………<BR>00409A68/$55pushebp<BR>00409A69|.8BECmovebp,esp<BR>00409A6B|.83C4>addesp,-58<BR>00409A6E|.B81>moveax,pmjszj.0049E518<BR>00409A73|.E84>callpmjszj.0048EDB8<BR>00409A78|.33D2xoredx,edx<BR>00409A7A|.8955>movdwordptrss:[ebp-30],edx<BR>00409A7D|>8B4D>/movecx,dwordptrss:[ebp-30];控制位数<BR>00409A80|.8B45>|moveax,dwordptrss:[ebp+8];用户名的基地址<BR>00409A83|.8A94>|movdl,byteptrds:[eax+ecx+430];得到用户名各个字符的ASCII<BR>00409A8A|.8B4D>|movecx,dwordptrss:[ebp-30]<BR>00409A8D|.8B45>|moveax,dwordptrss:[ebp+8]<BR>00409A90|.3294>|xordl,byteptrds:[eax+ecx+46F];用依次得到的用户名ASCII与依次得到机器码的每个字符的ASCII进行XOR运算<BR>00409A97|.8B4D>|movecx,dwordptrss:[ebp-30];位数<BR>00409A9A|.8854>|movbyteptrss:[ebp+ecx-54],dl;上面XOR结果存储了<BR>00409A9E|.FF45>|incdwordptrss:[ebp-30];位数加1<BR>00409AA1|.837D>|cmpdwordptrss:[ebp-30],14;一共20位<BR>00409AA5|.^7CD>\jlshortpmjszj.00409A7D<BR>…………………………………………………………………………………………………………………………<BR>把用户名与机器码对应的ASCIIXOR储存用于下面再次运算<BR>…………………………………………………………………………………………………………………………<BR>00409AA7|.33D2xoredx,edx<BR>00409AA9|.8955>movdwordptrss:[ebp-34],edx<BR>00409AAC|.33C0xoreax,eax<BR>00409AAE|.8945>movdwordptrss:[ebp-30],eax;计数器<BR>00409AB1|>8B55>/movedx,dwordptrss:[ebp-30]<BR>00409AB4|.0FBE>|movsxecx,byteptrss:[ebp+edx-54];依次得到上面刚刚处理好的20位结果<BR>00409AB9|.894D>|movdwordptrss:[ebp-58],ecx<BR>00409ABC|.DB45>|filddwordptrss:[ebp-58];把得到的ASCII码转化为10进制实数<BR>00409ABF|.83C4>|addesp,-8;/<BR>00409AC2|.DD1C>|fstpqwordptrss:[esp];|Arg1(8-byte)<BR>00409AC5|.E82>|callpmjszj.004920F0;\pmjszj.004920F0<BR>00409ACA|.83C4>|addesp,8<BR>00409ACD|.DB45>|filddwordptrss:[ebp-30]<BR>00409AD0|.DEC9|fmulpst(1),st;依次得到上面对应XOR的20个结果乘以位数<BR>00409AD2|.DB45>|filddwordptrss:[ebp-34];得到上一次相加的结果<BR>00409AD5|.DEC1|faddpst(1),st;加上这次计算(与位数相乘)的结果<BR>00409AD7|.E83>|callpmjszj.00492118;把实数转化为16进制数<BR>00409ADC|.8945>|movdwordptrss:[ebp-34],eax;结果储存<BR>00409ADF|.FF45>|incdwordptrss:[ebp-30]<BR>00409AE2|.837D>|cmpdwordptrss:[ebp-30],14<BR>00409AE6|.^7CC>\jlshortpmjszj.00409AB1<BR>00409AE8|.8145>adddwordptrss:[ebp-34],0D431;最后结果加上0D431<BR>…………………………………………………………………………………………………………………………<BR>把上面得到的结果用20位,每一位的ASCII分别乘以它自己的位数全部相加起来最后结果加上D431(16进制)<BR>位数从0开始的<BR>…………………………………………………………………………………………………………………………<BR>00409AEF|.33D2xoredx,edx<BR>00409AF1|.8955>movdwordptrss:[ebp-30],edx<BR>00409AF4|>8B4D>/movecx,dwordptrss:[ebp-30];计数器<BR>00409AF7|.8B45>|moveax,dwordptrss:[ebp+8]<BR>00409AFA|.8A94>|movdl,byteptrds:[eax+ecx+445];依次得到得到注册码<BR>00409B01|.80C2>|adddl,0E7;每一位注册码的ASCII加上0E7只有两位进位不算<BR>00409B04|.8B4D>|movecx,dwordptrss:[ebp-30];位数<BR>00409B07|.8854>|movbyteptrss:[ebp+ecx-3C],dl;储存了<BR>00409B0B|.FF45>|incdwordptrss:[ebp-30]<BR>00409B0E|.837D>|cmpdwordptrss:[ebp-30],5;只取前5位<BR>00409B12|.^7CE>\jlshortpmjszj.00409AF4<BR>00409B14|.C645>movbyteptrss:[ebp-37],0<BR>00409B18|.8B45>moveax,dwordptrss:[ebp-34];得到上面加上0D431后的数据<BR>00409B1B|.8B55>movedx,dwordptrss:[ebp+8]<BR>00409B1E|.8982>movdwordptrds:[edx+418],eax;转存在另一个地方,重要的数据后面第三次用到的(由第三次计算后下内存断点得到这里)<BR>00409B24|.8D45>leaeax,dwordptrss:[ebp-8]<BR>00409B27|.8B55>movedx,dwordptrss:[ebp-34]<BR>00409B2A|.E88>callpmjszj.004990B8;进入用机器码与用户名得到的结果计算出1个字符串<BR>00409B2F|.50pusheax<BR>00409B30|.FF45>incdwordptrss:[ebp-10]<BR>00409B33|.66:C>movwordptrss:[ebp-1C],8<BR>00409B39|.8D55>leaedx,dwordptrss:[ebp-3C]<BR>00409B3C|.8D45>leaeax,dwordptrss:[ebp-4]<BR>00409B3F|.E85>callpmjszj.00498FA0<BR>00409B44|.FF45>incdwordptrss:[ebp-10]<BR>00409B47|.5Apopedx<BR>00409B48|.E82>callpmjszj.0049927C<BR>00409B4D|.50pusheax<BR>00409B4E|.FF4D>decdwordptrss:[ebp-10]<BR>00409B51|.8D45>leaeax,dwordptrss:[ebp-8]<BR>00409B54|.BA0>movedx,2<BR>00409B59|.E84>callpmjszj.004991AC<BR>00409B5E|.FF4D>decdwordptrss:[ebp-10]<BR>00409B61|.8D45>leaeax,dwordptrss:[ebp-4]<BR>00409B64|.BA0>movedx,2<BR>00409B69|.E83>callpmjszj.004991AC<BR>00409B6E|.58popeax<BR>00409B6F|.84C0testal,al<BR>00409B71|.740>jeshortpmjszj.00409B81<BR>00409B73|.B00>moval,1<BR>00409B75|.8B55>movedx,dwordptrss:[ebp-2C]<BR>00409B78|.64:8>movdwordptrfs:[0],edx<BR>00409B7F|.EB0>jmpshortpmjszj.00409B8D<BR>00409B81|>33C0xoreax,eax<BR>00409B83|.8B55>movedx,dwordptrss:[ebp-2C]<BR>00409B86|.64:8>movdwordptrfs:[0],edx<BR>00409B8D|>8BE5movesp,ebp<BR>00409B8F|.5Dpopebp<BR>……………………………………………………………………………………………………………………………………………………<BR>00409B2A|.E88>callpmjszj.004990B8;进入用机器码与用户名得到的结果计算出1个字符串<BR>……………………………………………………………………………………………………………………………………………………<BR>004990D4|.8B55>movedx,dwordptrss:[ebp-4]<BR>004990D7|.33C9xorecx,ecx<BR>004990D9|.890Amovdwordptrds:[edx],ecx<BR>004990DB|.53pushebx;/由用户名与机器码计算出来的数据<BR>004990DC|.68E>pushpmjszj.004A8EE3;|Arg2=004A8EE3ASCII"%i"<BR>004990E1|.FF75>pushdwordptrss:[ebp-4];|Arg1<BR>004990E4|.E8F>callpmjszj.004992E8;\进入<BR>004990E9|.83C4>addesp,0C<BR>004990EC|.8B45>moveax,dwordptrss:[ebp-28]<BR>004990EF|.64:6>movdwordptrfs:[0],eax<BR><BR>…………………………………………………………………………………………<BR>进入004990E4|.E8F>callpmjszj.004992E8;\进入<BR>…………………………………………………………………………………………………………………………<BR>004992EF|.8D45>leaeax,dwordptrss:[ebp+10]<BR>004992F2|.50pusheax;/Arg3<BR>004992F3|.FF75>pushdwordptrss:[ebp+C];|Arg2<BR>004992F6|.53pushebx;|Arg1<BR>004992F7|.E8B>callpmjszj.004992AC;\进入<BR>004992FC|.83C4>addesp,0C<BR>004992FF|.8BC3moveax,ebx<BR><BR>…………………………………………………………………………………………………………………………<BR>004992F7|.E8B>callpmjszj.004992AC;\进入<BR>……………………………………………………………………………………………………………………………………<BR>004992B0|.56pushesi<BR>004992B1|.57pushedi<BR>004992B2|.8B7D>movedi,dwordptrss:[ebp+C]<BR>004992B5|.8B5D>movebx,dwordptrss:[ebp+8]<BR>004992B8|.FF75>pushdwordptrss:[ebp+10];/Arg4<BR>004992BB|.57pushedi;|Arg3<BR>004992BC|.6A0>push0;|Arg2=00000000<BR>004992BE|.6A0>push0;|Arg1=00000000<BR>004992C0|.E89>callpmjszj.00490560;\进入<BR>004992C5|.83C4>addesp,10<BR>004992C8|.8BF0movesi,eax<BR>004992CA|.8BD6movedx,esi<BR>……………………………………………………………………………………………………<BR>004992C0|.E89>callpmjszj.00490560;\进入<BR>…………………………………………………………………………………………………………………………<BR>0049057C|.8D45>leaeax,dwordptrss:[ebp+8];|<BR>0049057F|.50pusheax;|Arg2<BR>00490580|.680>pushpmjszj.00490500;|Arg1=00490500<BR>00490585|.E80>callpmjszj.00490998;\pmjszj.00490998<BR>0049058A|.83C4>addesp,18<BR>……………………………………………………………………………………………………………………………………<BR>进入00490585|.E80>callpmjszj.00490998;\pmjszj.00490998<BR>………………………………………………………………………………………………………………………………<BR>00490DD2|>\8A45>|moval,byteptrss:[ebp-1D]<BR>00490DD5|.50|pusheax;/Arg6<BR>00490DD6|.51|pushecx;|Arg5<BR>00490DD7|.8B55>|movedx,dwordptrss:[ebp-38];|<BR>00490DDA|.52|pushedx;|Arg4<BR>00490DDB|.8B4D>|movecx,dwordptrss:[ebp-18];|<BR>00490DDE|.51|pushecx;|Arg3<BR>00490DDF|.FF75>|pushdwordptrss:[ebp-24];|Arg2<BR>00490DE2|.FF75>|pushdwordptrss:[ebp-28];|Arg1<BR>00490DE5|.E8B>|callpmjszj.004921A8;\进入计算出注册码的前5位<BR>00490DEA|.83C4>|addesp,18<BR>00490DED|>837D>|cmpdwordptrss:[ebp-8],0<BR>00490DF1|.0F8C>|jlpmjszj.00491010<BR>00490DF7|.8B55>|movedx,dwordptrss:[ebp-18]<BR>…………………………………………………………………………………………………………<BR>进入<BR>……………………………………………………………………………………………………………………<BR>004921A8/$55pushebp<BR>004921A9|.8BECmovebp,esp<BR>004921AB|.83C4>addesp,-44<BR>004921AE|.53pushebx<BR>004921AF|.56pushesi<BR>004921B0|.57pushedi<BR>004921B1|.8B7D>movedi,dwordptrss:[ebp+14]<BR>004921B4|.8B75>movesi,dwordptrss:[ebp+10]<BR>004921B7|.83FF>cmpedi,2<BR>004921BA|.0F8C>jlpmjszj.0049224C<BR>004921C0|.83FF>cmpedi,24<BR>004921C3|.0F8F>jgpmjszj.0049224C<BR>004921C9|.837D>cmpdwordptrss:[ebp+C],0<BR>004921CD|.750>jnzshortpmjszj.004921D7<BR>004921CF|.837D>cmpdwordptrss:[ebp+8],0<BR>004921D3|.732>jnbshortpmjszj.004921F6<BR>004921D5|.EB0>jmpshortpmjszj.004921D9<BR>004921D7|>7D1>jgeshortpmjszj.004921F6<BR>004921D9|>807D>cmpbyteptrss:[ebp+18],0<BR>004921DD|.741>jeshortpmjszj.004921F6<BR>004921DF|.C606>movbyteptrds:[esi],2D<BR>004921E2|.46incesi<BR>004921E3|.8B45>moveax,dwordptrss:[ebp+8]<BR>004921E6|.8B55>movedx,dwordptrss:[ebp+C]<BR>004921E9|.F7D8negeax<BR>004921EB|.83D2>adcedx,0<BR>004921EE|.8945>movdwordptrss:[ebp+8],eax<BR>004921F1|.F7DAnegedx<BR>004921F3|.8955>movdwordptrss:[ebp+C],edx<BR>004921F6|>8D5D>leaebx,dwordptrss:[ebp-44];这里是计算前5位注册码的地方<BR>004921F9|>8BC7/moveax,edi<BR>004921FB|.99|cdq<BR>004921FC|.52|pushedx;0<BR>004921FD|.50|pusheax;A<BR>004921FE|.8B45>|moveax,dwordptrss:[ebp+8];得到机器码与用户名计算出来的数据<BR>00492201|.8B55>|movedx,dwordptrss:[ebp+C]<BR>00492204|.E82>|callpmjszj.00491C2E;机器码与用户名计算出来的数据计算出来的值除以A得到余数<BR>00492209|.8803|movbyteptrds:[ebx],al;余数储存<BR>0049220B|.8BC7|moveax,edi<BR>0049220D|.99|cdq<BR>0049220E|.52|pushedx;0<BR>0049220F|.50|pusheax;A<BR>00492210|.8B45>|moveax,dwordptrss:[ebp+8];得到机器码与用户名计算出来的数据<BR>00492213|.8B55>|movedx,dwordptrss:[ebp+C]<BR>00492216|.43|incebx<BR>00492217|.E84>|callpmjszj.00491B6B;机器码与用户名计算出来的数据计算出来的值除以A得到商<BR>0049221C|.8945>|movdwordptrss:[ebp+8],eax;把得到的商储存覆盖原来的计算出来的值<BR>0049221F|.8955>|movdwordptrss:[ebp+C],edx<BR>00492222|.83FA>|cmpedx,0<BR>00492225|.^75D>|jnzshortpmjszj.004921F9<BR>00492227|.83F8>|cmpeax,0<BR>0049222A|.^75C>\jnzshortpmjszj.004921F9;上面的循环是把机器码与用户名计算的值一次一次除以A得到余数<BR>0049222C|.EB1>jmpshortpmjszj.00492245<BR>0049222E|>4B/decebx<BR>0049222F|.8A03|moval,byteptrds:[ebx];依次从最后得到的余数值<BR>00492231|.3C0>|cmpal,0A<BR>00492233|.7D0>|jgeshortpmjszj.0049223D;是否大于A不可能的必不跳<BR>00492235|.83C0>|addeax,30;加30<BR>00492238|.8806|movbyteptrds:[esi],al;储存了!!<BR>0049223A|.46|incesi<BR>0049223B|.EB0>|jmpshortpmjszj.00492245<BR>0049223D|>0245>|addal,byteptrss:[ebp+1C]<BR>00492240|.04F>|addal,0F6<BR>00492242|.8806|movbyteptrds:[esi],al<BR>00492244|.46|incesi<BR>00492245|>8D55>leaedx,dwordptrss:[ebp-44];得到上面余数地址<BR>00492248|.3BDA|cmpebx,edx<BR>0049224A|.^75E>\jnzshortpmjszj.0049222E<BR>0049224C|>C606>movbyteptrds:[esi],0<BR>0049224F|.8B45>moveax,dwordptrss:[ebp+10];得到一串字符串,肯定为0~9<BR>00492252|.5Fpopedi<BR>00492253|.5Epopesi<BR>00492254|.5Bpopebx<BR>00492255|.8BE5movesp,ebp<BR>00492257|.5Dpopebp<BR>…………………………………………………………………………………………………………………………<BR>用机器码与用户名得到的结果(乘以位数加上D341之后的)分别除以A得到余数在加上30得到一串字符串<BR>必定在0~9之间用这个字符串与输入码的处理后的前5位进行比较<BR>…………………………………………………………………………………………………………………………<BR>00409B6E|.58popeax<BR>00409B6F|.84C0testal,al<BR>00409B71|.740>jeshortpmjszj.00409B81<BR>00409B73|.B00>moval,1<BR>00409B75|.8B55>movedx,dwordptrss:[ebp-2C]<BR>00409B78|.64:8>movdwordptrfs:[0],edx<BR>00409B7F|.EB0>jmpshortpmjszj.00409B8D<BR>00409B81|>33C0xoreax,eax<BR>…………………………………………………………………………………………………………………………<BR>0041EFE1|.E88>callpmjszj.00409A68;\第二次判断--用注册的前5位运算结果与机器码用户名计算的结果比较<BR>0041EFE6|.59popecx<BR>0041EFE7|.3C0>cmpal,1<BR>0041EFE9|.757>jnzshortpmjszj.0041F05E;关键比较<BR>0041EFEB|.66:C>movwordptrss:[ebp-24],14<BR>0041EFF1|.BA3>movedx,pmjszj.004A4B30;注册成功<BR>0041EFF6|.8D45>leaeax,dwordptrss:[ebp-C]<BR>0041EFF9|.E8A>callpmjszj.00498FA0<BR>0041EFFE|.FF45>incdwordptrss:[ebp-18]<BR>0041F001|.8B00moveax,dwordptrds:[eax]<BR>0041F003|.E86>callpmjszj.00456168<BR>0041F008|.FF4D>decdwordptrss:[ebp-18]<BR>0041F00B|.8D45>leaeax,dwordptrss:[ebp-C]<BR>0041F00E|.BA0>movedx,2<BR>0041F013|.E89>callpmjszj.004991AC<BR>0041F018|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm<BR>0041F01E|.8B01moveax,dwordptrds:[ecx]<BR>0041F020|.C680>movbyteptrds:[eax+414],1<BR>0041F027|.8B15>movedx,dwordptrds:[4A93D0];pmjszj._MainForm<BR>0041F02D|.8B0Amovecx,dwordptrds:[edx]<BR>0041F02F|.8B81>moveax,dwordptrds:[ecx+3C4]<BR>0041F035|.B20>movdl,1<BR>0041F037|.E85>callpmjszj.0043478C<BR>0041F03C|.8B0D>movecx,dwordptrds:[4A93D0];pmjszj._MainForm<BR>0041F042|.FF31pushdwordptrds:[ecx];/Arg1<BR>0041F044|.E80>callpmjszj.0040AC54;\pmjszj.0040AC54<BR>0041F049|.59popecx<BR>0041F04A|.8B45>moveax,dwordptrss:[ebp-38]<BR>0041F04D|.C680>movbyteptrds:[eax+2F4],1<BR>0041F054|.8B45>moveax,dwordptrss:[ebp-38]<BR>0041F057|.E84>callpmjszj.004490A0<BR>0041F05C|.EB3>jmpshortpmjszj.0041F09A<BR>0041F05E|>66:C>movwordptrss:[ebp-24],20<BR>0041F064|.BA3>movedx,pmjszj.004A4B39;注册失败<BR>0041F069|.8D45>leaeax,dwordptrss:[ebp-10]<BR>0041F06C|.E82>callpmjszj.00498FA0<BR>0041F071|.FF45>incdwordptrss:[ebp-18]<BR>0041F074|.8B00moveax,dwordptrds:[eax]<BR>0041F076|.E8E>callpmjszj.00456168<BR>0041F07B|.FF4D>decdwordptrss:[ebp-18]<BR>0041F07E|.8D45>leaeax,dwordptrss:[ebp-10]<BR>………………………………………………………………………………………………………………………………………………<BR>总结:<BR>把用户名与机器码对应的ASCIIXOR运算得到20位结果,得到的结果用20位,每一位的ASCII分别乘以它自己的<BR>位数全部相加起来最后结果加上D431(16进制)位数从0开始的;结果分别除以A得到余数在加上30得到一串字符串<BR>必定在0~9之间用这个字符串一共有5字符,用这5个字符的ASCII加上16进制19,即得到输入码的前5位字符<BR>输入码一共有20位字符,第20位有要求:<BR>第20位的注册码的ASCII减去41得到的结果<BR>一定要等于前19位的输入码的ASCII相加的和除以20得到的余数<BR><BR>其中:把用户名与机器码对应的ASCIIXOR运算得到20位结果,得到的结果用20位,每一位的ASCII分别乘以它自己的<BR>位数全部相加起来最后结果加上D431(16进制)位数从0开始的用到第三次。结果为A。<BR>…………………………………………………………………………………………………………………………………………<BR>如果看到注册成功就收手,呵呵录像白屏!!<BR>…………………………………………………………………………………………………………<BR>第二部分:<BR>………………………………………………………………………………………………………………………………<BR>004026C8$55pushebp;这里准备计算第二组(第10位到第16位)计算及判断<BR>004026C9.8BECmovebp,esp<BR>004026CB.83C4>addesp,-34<BR>004026CE.53pushebx<BR>004026CF.56pushesi<BR>004026D0.57pushedi<BR>004026D1.B83>moveax,pmjszj.0049BE38<BR>004026D6.E8D>callpmjszj.0048EDB8<BR>004026DB.33D2xoredx,edx<BR>004026DD.8955>movdwordptrss:[ebp-2C],edx<BR>004026E0.66:C>movwordptrss:[ebp-14],8<BR>004026E6.FF35>pushdwordptrds:[_MainForm];/Arg1=00E720CC<BR>004026EC.E8D>callpmjszj.004029D0;\处理机器码的地方(处理的结果为第二次判断作准备)<BR>004026F1.59popecx<BR>004026F2.B90>movecx,0A<BR>004026F7.8B55>movedx,dwordptrss:[ebp+8]<BR>004026FA.8B45>moveax,dwordptrss:[ebp+C]<BR>004026FD.8B18movebx,dwordptrds:[eax]<BR>004026FF.FF53>calldwordptrds:[ebx+8]<BR>00402702.8B45>moveax,dwordptrss:[ebp+C]<BR>00402705.E89>callpmjszj.00479FA4<BR>0040270A.8945>movdwordptrss:[ebp-30],eax<BR>0040270D.8D55>leaedx,dwordptrss:[ebp-2C]<BR>00402710.B90>movecx,4<BR>00402715.8B45>moveax,dwordptrss:[ebp+C]<BR>00402718.8B18movebx,dwordptrds:[eax]<BR>0040271A.FF53>calldwordptrds:[ebx+8]<BR>0040271D.FF35>pushdwordptrds:[_MainForm]<BR>00402723.E87>callpmjszj.00402AA0;这里要得到全局变量(注册码)进行转化后计算<BR>00402728.59popecx<BR>00402729.8B55>movedx,dwordptrss:[ebp+8]<BR>0040272C.83C2>addedx,24<BR>0040272F.B90>movecx,4<BR>00402734.8B45>moveax,dwordptrss:[ebp+C]<BR>00402737.8B18movebx,dwordptrds:[eax]<BR>00402739.FF53>calldwordptrds:[ebx+8]<BR>0040273C.8B55>movedx,dwordptrss:[ebp+8]<BR>0040273F.83C2>addedx,28<BR>00402742.B90>movecx,4<BR>00402747.8B45>moveax,dwordptrss:[ebp+C]<BR>0040274A.8B18movebx,dwordptrds:[eax]<BR>0040274C.FF53>calldwordptrds:[ebx+8]<BR>0040274F.8B55>movedx,dwordptrss:[ebp+8]<BR>00402752.83C2>addedx,38<BR>00402755.B90>movecx,4<BR>0040275A.8B45>moveax,dwordptrss:[ebp+C]<BR>0040275D.8B18movebx,dwordptrds:[eax]<BR>0040275F.FF53>calldwordptrds:[ebx+8]<BR>00402762.8B55>movedx,dwordptrss:[ebp+8]<BR>00402765.83C2>addedx,3C<BR>00402768.B90>movecx,4<BR>0040276D.8B45>moveax,dwordptrss:[ebp+C]<BR>00402770.8B18movebx,dwordptrds:[eax]<BR>00402772.FF53>calldwordptrds:[ebx+8]<BR>00402775.8B55>movedx,dwordptrss:[ebp+8]<BR>00402778.83C2>addedx,2C<BR>0040277B.B90>movecx,4<BR>00402780.8B45>moveax,dwordptrss:[ebp+C]<BR>00402783.8B18movebx,dwordptrds:[eax]<BR>00402785.FF53>calldwordptrds:[ebx+8]<BR>00402788.A14>moveax,dwordptrds:[_MainForm]<BR>0040278D.80B8>cmpbyteptrds:[eax+414],0<BR>00402794.752>jnzshortpmjszj.004027BF<BR>00402796.8B15>movedx,dwordptrds:[_MainForm]<BR>0040279C.8B8A>movecx,dwordptrds:[edx+3EC]<BR>004027A2.8B41>moveax,dwordptrds:[ecx+6C]<BR>004027A5.8B15>movedx,dwordptrds:[_MainForm]<BR>004027AB.3B82>cmpeax,dwordptrds:[edx+484]<BR>004027B1.7E0>jleshortpmjszj.004027BF<BR>004027B3.8B4D>movecx,dwordptrss:[ebp+8]<BR>004027B6.C741>movdwordptrds:[ecx+24],2<BR>004027BD.EB0>jmpshortpmjszj.004027CB<BR>004027BF>FF35>pushdwordptrds:[_MainForm]<BR>004027C5.E8E>callpmjszj.00402BB4;这里两个结果相减了一定要保证等于0(其实是前6相减的绝对值小于10-6)<BR>004027CA.59popecx;00E720CC<BR>004027CB>8B45>moveax,dwordptrss:[ebp+8]<BR>004027CE.8378>cmpdwordptrds:[eax+24],0<BR>004027D2.740>jeshortpmjszj.004027E1<BR>004027D4.8B55>movedx,dwordptrss:[ebp+8]<BR>004027D7.837A>cmpdwordptrds:[edx+24],1<BR>004027DB.0F85>jnzpmjszj.0040291F<BR>004027E1>8B55>movedx,dwordptrss:[ebp+8]<BR>004027E4.83C2>addedx,1C<BR>004027E7.B90>movecx,4<BR>004027EC.8B45>moveax,dwordptrss:[ebp+C]<BR>004027EF.8B18movebx,dwordptrds:[eax]<BR>004027F1.FF53>calldwordptrds:[ebx+8]<BR>004027F4.8B55>movedx,dwordptrss:[ebp+8]<BR>004027F7.83C2>addedx,20<BR>004027FA.B90>movecx,4<BR>004027FF.8B45>moveax,dwordptrss:[ebp+C]<BR>00402802.8B18movebx,dwordptrds:[eax]<BR>00402804.FF53>calldwordptrds:[ebx+8]<BR>00402807.8B55>movedx,dwordptrss:[ebp+8]<BR>0040280A.83C2>addedx,30<BR>0040280D.B90>movecx,4<BR>00402812.8B45>moveax,dwordptrss:[ebp+C]<BR>00402815.8B18movebx,dwordptrds:[eax]<BR>00402817.FF53>calldwordptrds:[ebx+8]<BR>0040281A.A14>moveax,dwordptrds:[_MainForm];下面是验证上面两处是否相等<BR>0040281F.D980>flddwordptrds:[eax+42C];又得到刚才的结果数据<BR>00402825.D80D>fmuldwordptrds:[4029CC];乘以1000<BR>0040282B.E8E>callpmjszj.00492118;将结果转化为16进制放到EAX中<BR>00402830.8945>movdwordptrss:[ebp-2C],eax;存储此处一定要为0<BR>00402833.8B45>moveax,dwordptrss:[ebp+C]<BR>00402836.E86>callpmjszj.00479FA4<BR>0040283B.8BD0movedx,eax<BR>0040283D.8B0D>movecx,dwordptrds:[_MainForm]<BR>00402843.33C0xoreax,eax<BR>00402845.8A81>moval,byteptrds:[ecx+414]<BR>0040284B.0FAF>imuleax,dwordptrss:[ebp-2C];上面的结果乘以0<BR>0040284F.03D0addedx,eax<BR>00402851.8B45>moveax,dwordptrss:[ebp+C]<BR>00402854.E85>callpmjszj.00479FB4<BR>00402859.8B55>movedx,dwordptrss:[ebp+8]<BR>0040285C.8B4A>movecx,dwordptrds:[edx+14]<BR>0040285F.8B41>moveax,dwordptrds:[ecx+8]<BR>00402862.8945>movdwordptrss:[ebp-2C],eax<BR>……………………………………………………………………………………………………………………………………………………<BR>进入00402723.E87>callpmjszj.00402AA0;这里要得到全局变量(注册码)进行转化后计算<BR>…………………………………………………………………………………………………………………………………………………………<BR>00402AA0$55pushebp<BR>00402AA1.8BECmovebp,esp<BR>00402AA3.83C4>addesp,-48<BR>00402AA6.53pushebx<BR>00402AA7.56pushesi<BR>00402AA8.57pushedi<BR>00402AA9.B8F>moveax,pmjszj.0049DAFC<BR>00402AAE.E80>callpmjszj.0048EDB8<BR>00402AB3.66:C>movwordptrss:[ebp-1C],8<BR>00402AB9.8D45>leaeax,dwordptrss:[ebp-4]<BR>00402ABC.E8E>callpmjszj.004035AC<BR>00402AC1.FF45>incdwordptrss:[ebp-10]<BR>00402AC4.66:C>movwordptrss:[ebp-1C],14<BR>00402ACA.33D2xoredx,edx<BR>00402ACC.8955>movdwordptrss:[ebp-30],edx<BR>00402ACF>B90>movecx,0F<BR>00402AD4.2B4D>subecx,dwordptrss:[ebp-30]<BR>00402AD7.8B45>moveax,dwordptrss:[ebp+8]<BR>00402ADA.8A94>movdl,byteptrds:[eax+ecx+445];这里取值了第二次取值。(全局变量)!!(是下内存访问断点首先来到这里的)<BR>00402AE1.80C2>adddl,0EC;从后面向前面取值(第16位到第10位)分别加上EC<BR>00402AE4.8B4D>movecx,dwordptrss:[ebp-30]<BR>00402AE7.8854>movbyteptrss:[ebp+ecx-48],dl;存储了<BR>00402AEB.FF45>incdwordptrss:[ebp-30]<BR>00402AEE.837D>cmpdwordptrss:[ebp-30],6<BR>00402AF2.^7CD>jlshortpmjszj.00402ACF<BR>00402AF4.C645>movbyteptrss:[ebp-42],0<BR>00402AF8.66:C>movwordptrss:[ebp-1C],20<BR>00402AFE.8D55>leaedx,dwordptrss:[ebp-48];取从第16位开始的6位向前是个小数<BR>00402B01.8D45>leaeax,dwordptrss:[ebp-8]<BR>00402B04.E89>callpmjszj.00498FA0<BR>00402B09.FF45>incdwordptrss:[ebp-10]<BR>00402B0C.8D55>leaedx,dwordptrss:[ebp-8]<BR>00402B0F.8D45>leaeax,dwordptrss:[ebp-4]<BR>00402B12.E8C>callpmjszj.004991DC<BR>00402B17.FF4D>decdwordptrss:[ebp-10]<BR>00402B1A.8D45>leaeax,dwordptrss:[ebp-8]<BR>00402B1D.BA0>movedx,2<BR>00402B22.E88>callpmjszj.004991AC<BR>00402B27.66:C>movwordptrss:[ebp-1C],2C<BR>00402B2D.8D45>leaeax,dwordptrss:[ebp-4]<BR>00402B30.E8A>callpmjszj.004994E0;把上面根据注册码转变来的小数转化为实数<BR>00402B35.8B55>movedx,dwordptrss:[ebp+8]<BR>00402B38.D99A>fstpdwordptrds:[edx+428]<BR>00402B3E.66:C>movwordptrss:[ebp-1C],14<BR>00402B44.EB1>jmpshortpmjszj.00402B5C<BR>00402B46.8B4D>movecx,dwordptrss:[ebp+8]<BR>00402B49.33C0xoreax,eax<BR>00402B4B.8981>movdwordptrds:[ecx+428],eax<BR>00402B51.66:C>movwordptrss:[ebp-1C],34<BR>00402B57.E83>callpmjszj.00496092<BR>00402B5C>8B55>movedx,dwordptrss:[ebp+8]<BR>00402B5F.D982>flddwordptrds:[edx+428]<BR>00402B65.83C4>addesp,-8;/<BR>00402B68.DD1C>fstpqwordptrss:[esp];|Arg1(8-byte)<BR>00402B6B.E85>callpmjszj.004934C4;\将转化后的值进行取SIN值(计算器中的弧度值)<BR>00402B70.83C4>addesp,8<BR>00402B73.DC0D>fmulqwordptrds:[402BAC];SIN后的值与固定值进行相乘0.88891<BR>00402B79.8B4D>movecx,dwordptrss:[ebp+8]<BR>00402B7C.D8A9>fsubrdwordptrds:[ecx+428];再次用注册码转化来的小数减去上面得到的结果值<BR>00402B82.8B45>moveax,dwordptrss:[ebp+8]<BR>00402B85.D998>fstpdwordptrds:[eax+428];结果存储起来<BR>00402B8B.FF4D>decdwordptrss:[ebp-10]<BR>00402B8E.8D45>leaeax,dwordptrss:[ebp-4]<BR>00402B91.BA0>movedx,2<BR>00402B96.E81>callpmjszj.004991AC<BR>00402B9B.8B4D>movecx,dwordptrss:[ebp-2C]<BR>00402B9E.64:8>movdwordptrfs:[0],ecx<BR>00402BA5.5Fpopedi<BR>00402BA6.5Epopesi<BR>00402BA7.5Bpopebx<BR>00402BA8.8BE5movesp,ebp<BR>00402BAA.5Dpopebp<BR>00402BAB.C3retn<BR>………………………………………………………………………………………………………………………………………………<BR>这里是:将注册码的第16位开始向前取6位每一位加上EC变成ASCII其实是个小数,(转化为实数)结果为B再进行运算B-0.88891*SINB<BR>这个值然后与机器码计算出来的值比较看是否相等。<BR>…………………………………………………………………………………………………………………………………………………………<BR>004027C5.E8E>callpmjszj.00402BB4;这里两个结果相减了一定要保证等于0(其实是前6相减的绝对值小于10-6)<BR>……………………………………………………………………………………………………………………………………………………………………<BR>00402BB4/$55pushebp;呵呵<BR>00402BB5|.8BECmovebp,esp<BR>00402BB7|.8B45>moveax,dwordptrss:[ebp+8]<BR>00402BBA|.D980>flddwordptrds:[eax+428];得到刚才的值<BR>00402BC0|.8B55>movedx,dwordptrss:[ebp+8]<BR>00402BC3|.D8A2>fsubdwordptrds:[edx+424];减去由机器码计算出来的值<BR>00402BC9|.83C4>addesp,-8;/<BR>00402BCC|.DD1C>fstpqwordptrss:[esp];|Arg1(8-byte)<BR>00402BCF|.E81>callpmjszj.004920F0;\将负数变位正数<BR>00402BD4|.83C4>addesp,8<BR>00402BD7|.8B4D>movecx,dwordptrss:[ebp+8]<BR>00402BDA|.D999>fstpdwordptrds:[ecx+42C];存储<BR>00402BE0|.5Dpopebp<BR>……………………………………………………………………………………………………………………………………<BR>上面就是与机器码计算出来的值进行比较<BR>……………………………………………………………………………………………………………………………………<BR>这里就是进行处理机器码的地方:004026EC.E8D>callpmjszj.004029D0<BR>…………………………………………………………………………………………………………………………<BR>004029D0/$55pushebp;处理机器码的地方<BR>004029D1|.8BECmovebp,esp<BR>004029D3|.83C4>addesp,-2C<BR>004029D6|.33C0xoreax,eax<BR>004029D8|.8945>movdwordptrss:[ebp-C],eax<BR>004029DB|>8B55>/movedx,dwordptrss:[ebp+8]<BR>004029DE|.8B4D>|movecx,dwordptrss:[ebp-C]<BR>004029E1|.8A84>|moval,byteptrds:[edx+ecx+46F];依次得到每一位机器码<BR>004029E8|.8B55>|movedx,dwordptrss:[ebp+8]<BR>004029EB|.8B4D>|movecx,dwordptrss:[ebp-C]<BR>004029EE|.0A84>|oral,byteptrds:[edx+ecx+430];依次得到每一位机器码与用户名进行OR运算<BR>004029F5|.8B55>|movedx,dwordptrss:[ebp-C]<BR>004029F8|.8844>|movbyteptrss:[ebp+edx-24],al;保存<BR>004029FC|.FF45>|incdwordptrss:[ebp-C]<BR>004029FF|.837D>|cmpdwordptrss:[ebp-C],14<BR>00402A03|.^7CD>\jlshortpmjszj.004029DB;这一段就是就机器码与用户名对应位进行OR运算最后结果保存<BR>00402A05|.33C0xoreax,eax;这里处理机器码了<BR>00402A07|.8945>movdwordptrss:[ebp-8],eax<BR>00402A0A|.33C9xorecx,ecx<BR>00402A0C|.894D>movdwordptrss:[ebp-C],ecx<BR>00402A0F|>8B45>/moveax,dwordptrss:[ebp-C]<BR>00402A12|.0FBE>|movsxedx,byteptrss:[ebp+eax-24];得到刚才计算出来的每一位<BR>00402A17|.8955>|movdwordptrss:[ebp-28],edx<BR>00402A1A|.DB45>|filddwordptrss:[ebp-28];将每一位机器码转化为实数<BR>00402A1D|.83C4>|addesp,-8;/<BR>00402A20|.DD1C>|fstpqwordptrss:[esp];|存储<BR>00402A23|.E8C>|callpmjszj.004920F0;\负数转化为正数<BR>00402A28|.83C4>|addesp,8<BR>00402A2B|.B91>|movecx,14<BR>00402A30|.2B4D>|subecx,dwordptrss:[ebp-C]<BR>00402A33|.894D>|movdwordptrss:[ebp-2C],ecx<BR>00402A36|.DB45>|filddwordptrss:[ebp-2C]<BR>00402A39|.DEC9|fmulpst(1),st;将刚才计算出来的每一位机器码转化10进制后乘以(20减去位数)<BR>00402A3B|.DB45>|filddwordptrss:[ebp-8];装入前一次的结果<BR>00402A3E|.DEC1|faddpst(1),st;将每一次结果加起来<BR>00402A40|.E8D>|callpmjszj.00492118;结果转化位16进制放到EAX中<BR>00402A45|.8945>|movdwordptrss:[ebp-8],eax<BR>00402A48|.FF45>|incdwordptrss:[ebp-C];下一位<BR>00402A4B|.837D>|cmpdwordptrss:[ebp-C],14<BR>00402A4F|.^7CB>\jlshortpmjszj.00402A0F<BR>00402A51|.8B45>moveax,dwordptrss:[ebp-8]<BR>00402A54|.B9A>movecx,186A0;固定值100000<BR>00402A59|.99cdq<BR>00402A5A|.F7F9idivecx;上面的结果除以100000<BR>00402A5C|.8955>movdwordptrss:[ebp-4],edx;余数存储<BR>00402A5F|.8B45>moveax,dwordptrss:[ebp-8];取上面相加的值<BR>00402A62|.053>addeax,3039;将上面相加的值加上12345<BR>00402A67|.250>andeax,80000007;结果与80000007进行与运算<BR>00402A6C|.790>jnsshortpmjszj.00402A73;如果是E数<BR>00402A6E|.48deceax<BR>00402A6F|.83C8>oreax,FFFFFFF8<BR>00402A72|.40inceax<BR>00402A73|>8945>movdwordptrss:[ebp-8],eax;存储<BR>00402A76|.DB45>filddwordptrss:[ebp-8];装入这个值<BR>00402A79|.DB45>filddwordptrss:[ebp-4];在装入前面除以100000的余数值<BR>00402A7C|.DB2D>fldtbyteptrds:[402A94];装入固定值1.5283002229637196370E-06<BR>00402A82|.DEC9fmulpst(1),st;余数乘以固定值1.5283002229637196370E-06<BR>00402A84|.DEC1faddpst(1),st;再加上2<BR>00402A86|.8B55>movedx,dwordptrss:[ebp+8]<BR>00402A89|.D99A>fstpdwordptrds:[edx+424];结果存储了<BR>00402A8F|.8BE5movesp,ebp<BR>00402A91|.5Dpopebp<BR>00402A92\.C3retn<BR>……………………………………………………………………………………………………………………………………………………<BR><BR><BR>第三部分;注意来到这里是随机的<BR>…………………………………………………………………………………………………………………………………………………………<BR>00406A10/$55pushebp;这里就是计算正确第三组数据的地方<BR>00406A11|.8BECmovebp,esp<BR>00406A13|.83C4>addesp,-8<BR>00406A16|.8B45>moveax,dwordptrss:[ebp+8]<BR>00406A19|.8B90>movedx,dwordptrds:[eax+418];取出第一次计算计算出来的数据(是根据在EAX+418下内存访问断点知道是第一次计算中的结果)<BR>00406A1F|.8955>movdwordptrss:[ebp-4],edx<BR>00406A22|.8B4D>movecx,dwordptrss:[ebp-4]<BR>00406A25|.81C1>addecx,4D44;取出的结果加上4D44<BR>00406A2B|.894D>movdwordptrss:[ebp-8],ecx<BR>00406A2E|.DB45>filddwordptrss:[ebp-8]<BR>00406A31|.DC0D>fmulqwordptrds:[406A68];结果乘以3.14<BR>00406A37|.DB2D>fldtbyteptrds:[406A70]<BR>00406A3D|.DEC9fmulpst(1),st;结果再乘以0.1594896331738437110<BR>00406A3F|.E8D>callpmjszj.00492118<BR>00406A44|.8945>movdwordptrss:[ebp-4],eax<BR>00406A47|.8B45>moveax,dwordptrss:[ebp-4]<BR>00406A4A|.B9A>movecx,186A0<BR>00406A4F|.99cdq<BR>00406A50|.F7F9idivecx<BR>00406A52|.8955>movdwordptrss:[ebp-4],edx<BR>00406A55|.8B45>moveax,dwordptrss:[ebp-4]<BR>00406A58|.8B55>movedx,dwordptrss:[ebp+8]<BR>00406A5B|.8982>movdwordptrds:[edx+41C],eax;写入了(就是根据这里的地址(EDX+41C)下内存访问断点来到这里的)<BR>00406A61|.59popecx<BR>00406A62|.59popecx<BR>00406A63|.5Dpopebp<BR>00406A64\.C3retn<BR>……………………………………………………………………………………………………………………………………………………………………<BR>用第一次计算出来的值A在加上4D44再乘以3.14再乘以0.1594896331738437110<BR>……………………………………………………………………………………………………………………………………………………………………<BR><BR>00406E50/$55pushebp;注意来到这里是随机的!!这里是第三次比较判断:计算第三部分注册码的地方<BR>00406E51|.8BECmovebp,esp<BR>00406E53|.83C4>addesp,-34<BR>00406E56|.33C0xoreax,eax<BR>00406E58|.8945>movdwordptrss:[ebp-4],eax<BR>00406E5B|>8B55>/movedx,dwordptrss:[ebp-4]<BR>00406E5E|.8B4D>|movecx,dwordptrss:[ebp+8]<BR>00406E61|.0FBE>|movsxeax,byteptrds:[ecx+edx+46F]<BR>00406E69|.250>|andeax,80000001<BR>00406E6E|.790>|jnsshortpmjszj.00406E75<BR>00406E70|.48|deceax<BR>00406E71|.83C8>|oreax,FFFFFFFE<BR>00406E74|.40|inceax<BR>00406E75|>85C0|testeax,eax<BR>00406E77|.752>|jnzshortpmjszj.00406EA8<BR>00406E79|.8B55>|movedx,dwordptrss:[ebp-4]<BR>00406E7C|.8B4D>|movecx,dwordptrss:[ebp+8]<BR>00406E7F|.8A84>|moval,byteptrds:[ecx+edx*2+44A]<BR>00406E86|.04E>|addal,0E7<BR>00406E88|.8B55>|movedx,dwordptrss:[ebp-4]<BR>00406E8B|.8844>|movbyteptrss:[ebp+edx*2-1C],al<BR>00406E8F|.8B4D>|movecx,dwordptrss:[ebp-4]<BR>00406E92|.8B45>|moveax,dwordptrss:[ebp+8]<BR>00406E95|.8A94>|movdl,byteptrds:[eax+ecx*2+44B]<BR>00406E9C|.80C2>|adddl,0E7<BR>00406E9F|.8B4D>|movecx,dwordptrss:[ebp-4]<BR>00406EA2|.8854>|movbyteptrss:[ebp+ecx*2-1B],dl<BR>00406EA6|.EB2>|jmpshortpmjszj.00406ED5<BR>00406EA8|>8B45>|moveax,dwordptrss:[ebp-4]<BR>00406EAB|.8B55>|movedx,dwordptrss:[ebp+8]<BR>00406EAE|.8A8C>|movcl,byteptrds:[edx+eax*2+44B];取第6位开始这一组的输入码(在全局变量〔可以在保存时候可以看到我这里00e72511看到,[edx+eax*2+44B]下内存断点)<BR>00406EB5|.80C1>|addcl,0E7<BR>00406EB8|.8B45>|moveax,dwordptrss:[ebp-4]<BR>00406EBB|.884C>|movbyteptrss:[ebp+eax*2-1C],cl<BR>00406EBF|.8B55>|movedx,dwordptrss:[ebp-4]<BR>00406EC2|.8B4D>|movecx,dwordptrss:[ebp+8]<BR>00406EC5|.8A84>|moval,byteptrds:[ecx+edx*2+44A]<BR>00406ECC|.04E>|addal,0E7<BR>00406ECE|.8B55>|movedx,dwordptrss:[ebp-4]<BR>00406ED1|.8844>|movbyteptrss:[ebp+edx*2-1B],al<BR>00406ED5|>FF45>|incdwordptrss:[ebp-4]<BR>00406ED8|.837D>|cmpdwordptrss:[ebp-4],2<BR>00406EDC|.^0F8C>\jlpmjszj.00406E5B;这个循环取出四组数据<BR>00406EE2|.8B4D>movecx,dwordptrss:[ebp+8]<BR>00406EE5|.FFB1>pushdwordptrds:[ecx+41C];/取出ECX+41C地址的数据(根据这里地址ECX+41C下内存访问断点去上一层找怎么样计算出来的数据的)<BR>00406EEB|.682>pushpmjszj.0049BB2E;|Arg2=0049BB2EASCII"%d"<BR>00406EF0|.8D45>leaeax,dwordptrss:[ebp-34];|<BR>00406EF3|.50pusheax;|Arg1<BR>00406EF4|.E82>callpmjszj.00490628;\将前面计算出来的用于比较的值转化为十进制<BR>00406EF9|.83C4>addesp,0C<BR>00406EFC|.8B55>movedx,dwordptrss:[ebp+8]<BR>00406EFF|.8A8A>movcl,byteptrds:[edx+44E];第5组了<BR>00406F05|.80C1>addcl,0E7<BR>00406F08|.884D>movbyteptrss:[ebp-18],cl<BR>00406F0B|.C645>movbyteptrss:[ebp-17],0<BR>00406F0F|.33C0xoreax,eax<BR>00406F11|.8945>movdwordptrss:[ebp-4],eax<BR>00406F14|>8B55>/movedx,dwordptrss:[ebp-4]<BR>00406F17|.0FBE>|movsxecx,byteptrss:[ebp+edx-1C]<BR>00406F1C|.83F9>|cmpecx,28<BR>00406F1F|.750>|jnzshortpmjszj.00406F29<BR>00406F21|.8B45>|moveax,dwordptrss:[ebp-4]<BR>00406F24|.C644>|movbyteptrss:[ebp+eax-1C],0<BR>00406F29|>FF45>|incdwordptrss:[ebp-4]<BR>00406F2C|.837D>|cmpdwordptrss:[ebp-4],4<BR>00406F30|.^7CE>\jlshortpmjszj.00406F14<BR>00406F32|.8D55>leaedx,dwordptrss:[ebp-1C]<BR>00406F35|.52pushedx<BR>00406F36|.8D4D>leaecx,dwordptrss:[ebp-34]<BR>00406F39|.51pushecx<BR>00406F3A|.E8C>callpmjszj.0048EB00;取第6到10位与计算出来的进行比较<BR>00406F3F|.83C4>addesp,8<BR>00406F42|.8B55>movedx,dwordptrss:[ebp+8]<BR>00406F45|.8982>movdwordptrds:[edx+420],eax<BR>00406F4B|.8BE5movesp,ebp<BR>00406F4D|.5Dpopebp<BR>00406F4E\.C3retn<BR>………………………………………………………………………………………………………………………………………………<BR>第三次:<BR>将用第一次计算出来的值A在加上4D44再乘以3.14再乘以0.1594896331738437110的结果取其整数部分与<BR>输入码的第6、7、8、9、10位分别加上E7后的数比较<BR>………………………………………………………………………………………………………………………………………………<BR><BR><BR>总结:注册分三步:<BR>第一步:(看上去成功,其实…………<BR>把用户名与机器码对应的ASCIIXOR运算得到20位结果,得到的结果用20位,每一位的ASCII分别乘以它自己的<BR>位数全部相加起来最后结果加上D431(16进制)位数从0开始的;结果分别除以A得到余数在加上30得到一串字符串<BR>必定在0~9之间用这个字符串一共有5字符,用这5个字符的ASCII加上16进制19,即得到输入码的前5位字符<BR>输入码一共有20位字符,第20位有要求:<BR>第20位的注册码的ASCII减去41得到的结果<BR>一定要等于前19位的输入码的ASCII相加的和除以20得到的余数<BR><BR>其中:把用户名与机器码对应的ASCIIXOR运算得到20位结果,得到的结果用20位,每一位的ASCII分别乘以它自己的<BR>位数全部相加起来最后结果加上D431(16进制)位数从0开始的用到第三次。结果为A。<BR><BR>第二步:<BR>将注册码的第16位开始向前取6位每一位加上EC变成ASCII其实是个小数,(转化为实数)结果为B再进行运算B-0.88891*SINB<BR>这个值然后与机器码计算出来的值比较看是否相等。(当然要写注册机的会要反过来哦-解方程吧)<BR><BR><BR>第三步:<BR>第三次:<BR>将用第一次计算出来的值A在加上4D44再乘以3.14再乘以0.1594896331738437110的结果取其整数部分与<BR>输入码的第6、7、8、9、10位分别加上E7后的数比较<BR>………………………………………………………………………………………………………………………………………………</FONT><BR></P>
页:
[1]