; OllyDbg trace (32-bit x86, Intel syntax) of the registration check in module 定时任务 ("Scheduled Task").
; Excerpt only: the routine continues past 0x00486958, and the targets 0x004869F9, 0x00486A0C and
; 0x00486A54 are outside this listing.
; Visible flow: read the machine-code string via [esi+0x318], split it into three 2-character fields,
; convert the fields to integers and combine them with fixed arithmetic into ebx, then read the entered
; registration code via [esi+0x31C], convert it to an integer and compare it with ebx.
; Values quoted in the comments ("081308", "123456", 0x000B109D, ...) are from this one traced run.
; NOTE(review): the expected value is derived only from the locally available machine code, and the
; decision is a single integer compare plus one conditional jump, so the check relies on no secret.
00486810 /. 55 push ebp ; breakpoint lands here; single-step with F8 from this point
00486811 |. 8BEC mov ebp,esp
00486813 |. B9 06000000 mov ecx,0x6 ; loop count: 6 passes
00486818 |> 6A 00 /push 0x0 ; each pass pushes two zero dwords (12 zeroed stack slots in total)
0048681A |. 6A 00 |push 0x0
0048681C |. 49 |dec ecx
0048681D |.^ 75 F9 \jnz short 定时任务.00486818
0048681F |. 53 push ebx ;
00486820 |. 56 push esi
00486821 |. 8BF0 mov esi,eax ; esi = value passed in eax at entry; base for the +0x318 / +0x31C reads below
00486823 |. 33C0 xor eax,eax ; eax = 0, so fs:[eax] below is fs:[0]
00486825 |. 55 push ebp
00486826 |. 68 546A4800 push 定时任务.00486A54 ; presumably the exception-handler address for the frame linked below (target outside this excerpt)
0048682B |. 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0] value
0048682E |. 64:8920 mov dword ptr fs:[eax],esp ; fs:[0] = esp (links the new frame)
00486831 |. BB 01000000 mov ebx,0x1 ; ebx = 1: loop index, first pass
00486836 |> 8D55 EC /lea edx,[local.5]
00486839 |. 8B86 18030000 |mov eax,dword ptr ds:[esi+0x318]
0048683F |. E8 84ADFCFF |call 定时任务.004515C8 ; presumably fetches the text of the object at [esi+0x318] into [local.5] - TODO confirm
00486844 |. 8B45 EC |mov eax,[local.5] ; machine code (hardware ID) string, ASCII "081308" in this run
00486847 |. 8A5418 FF |mov dl,byte ptr ds:[eax+ebx-0x1] ; dl = char at index ebx-1: pass 1 -> 1st char 0x30 ('0'); pass 2 -> 2nd char 0x38 ('8')
0048684B |. 8D45 F0 |lea eax,[local.4]
0048684E |. E8 C5D9F7FF |call 定时任务.00404218 ; presumably builds a one-character string from dl in [local.4] - TODO confirm
00486853 |. 8B55 F0 |mov edx,[local.4]
00486856 |. 8D45 FC |lea eax,[local.1]
00486859 |. E8 9ADAF7FF |call 定时任务.004042F8 ; presumably appends it to [local.1], which holds chars 1-2 after the loop (see 0x004868BC)
0048685E |. 8D55 E4 |lea edx,[local.7]
00486861 |. 8B86 18030000 |mov eax,dword ptr ds:[esi+0x318]
00486867 |. E8 5CADFCFF |call 定时任务.004515C8
0048686C |. 8B45 E4 |mov eax,[local.7] ; machine code string again, ASCII "081308"
0048686F |. 8A5418 01 |mov dl,byte ptr ds:[eax+ebx+0x1] ; dl = char at index ebx+1: pass 1 -> 3rd char 0x31 ('1'); pass 2 -> 4th char 0x33 ('3')
00486873 |. 8D45 E8 |lea eax,[local.6]
00486876 |. E8 9DD9F7FF |call 定时任务.00404218
0048687B |. 8B55 E8 |mov edx,[local.6]
0048687E |. 8D45 F8 |lea eax,[local.2]
00486881 |. E8 72DAF7FF |call 定时任务.004042F8 ; same helper as at 0x00486859; [local.2] holds chars 3-4 after the loop (see 0x004868C4)
00486886 |. 8D55 DC |lea edx,[local.9]
00486889 |. 8B86 18030000 |mov eax,dword ptr ds:[esi+0x318]
0048688F |. E8 34ADFCFF |call 定时任务.004515C8
00486894 |. 8B45 DC |mov eax,[local.9] ; machine code string again, ASCII "081308"
00486897 |. 8A5418 03 |mov dl,byte ptr ds:[eax+ebx+0x3] ; dl = char at index ebx+3: pass 1 -> 5th char 0x30 ('0'); pass 2 -> 6th char 0x38 ('8')
0048689B |. 8D45 E0 |lea eax,[local.8]
0048689E |. E8 75D9F7FF |call 定时任务.00404218
004868A3 |. 8B55 E0 |mov edx,[local.8]
004868A6 |. 8D45 F4 |lea eax,[local.3]
004868A9 |. E8 4ADAF7FF |call 定时任务.004042F8 ; same helper as at 0x00486859; [local.3] holds chars 5-6 after the loop (see 0x004868CC)
004868AE |. 43 |inc ebx ; ebx += 1 (loop counter)
004868AF |. 83FB 03 |cmp ebx,0x3 ; loop until ebx == 3, i.e. two passes
004868B2 |.^ 75 82 \jnz short 定时任务.00486836 ; net effect: pass 1 takes the odd-position chars (1, 3, 5), pass 2 the even-position chars (2, 4, 6)
004868B4 |. 8B45 F4 mov eax,[local.3] ;
004868B7 |. E8 901AF8FF call 定时任务.0040834C ; presumably string-to-integer (a later call yields 0x7D8 for "2008"); eax is overwritten by the next instruction
004868BC |. 8B45 FC mov eax,[local.1] ; machine-code chars 1-2 (ASCII "08")
004868BF |. E8 881AF8FF call 定时任务.0040834C
004868C4 |. 8B45 F8 mov eax,[local.2] ; machine-code chars 3-4 (ASCII "13")
004868C7 |. E8 801AF8FF call 定时任务.0040834C
004868CC |. 8B45 F4 mov eax,[local.3] ; machine-code chars 5-6 (ASCII "08")
004868CF |. E8 1CDAF7FF call 定时任务.004042F0 ; presumably returns the string length (observed result is 2 on the next line) - TODO confirm
004868D4 |. 83F8 03 cmp eax,0x3 ; observed eax = 0x00000002
004868D7 |. 7D 12 jge short 定时任务.004868EB ; jump not taken in this run (2 < 3)
004868D9 |. 8D55 F4 lea edx,[local.3]
004868DC |. B9 01000000 mov ecx,0x1 ; ecx = 1
004868E1 |. B8 6C6A4800 mov eax,定时任务.00486A6C ; eax -> fixed string "20"
004868E6 |. E8 EDDCF7FF call 定时任务.004045D8 ; presumably inserts "20" at position 1 of [local.3] (see the "2008" result below)
004868EB |> 8B45 F4 mov eax,[local.3] ; fixed "20" followed by the last two machine-code chars (ASCII "2008")
004868EE |. E8 591AF8FF call 定时任务.0040834C
004868F3 |. 69D8 69010000 imul ebx,eax,0x169 ; ebx = eax * 0x169 = 0x7D8 (2008 decimal) * 0x169 = 0x000B0F98
004868F9 |. 8B45 FC mov eax,[local.1] ; machine-code chars 1-2 (ASCII "08")
004868FC |. E8 4B1AF8FF call 定时任务.0040834C
00486901 |. 8BD0 mov edx,eax ; edx = eax = 0x00000008
00486903 |. C1E0 05 shl eax,0x5 ; chars 1-2 value shifted left by 5 -> 0x100
00486906 |. 2BC2 sub eax,edx ; eax = 0x100 - 0x8 = 0xF8 (shift then subtract, i.e. value * 31)
00486908 |. 03D8 add ebx,eax ; product + difference: ebx = 0xB0F98 + 0xF8 = 0x000B1090
0048690A |. 8B45 F8 mov eax,[local.2] ; machine-code chars 3-4 (ASCII "13")
0048690D |. E8 3A1AF8FF call 定时任务.0040834C
00486912 |. 03D8 add ebx,eax ; ebx = 0x000B1090 + 0x0000000D (chars 3-4 as an integer, 13) = 0x000B109D
00486914 |. 8D55 D8 lea edx,[local.10]
00486917 |. 8B86 1C030000 mov eax,dword ptr ds:[esi+0x31C]
0048691D |. E8 A6ACFCFF call 定时任务.004515C8 ; same helper as for +0x318; here the result is the entered registration code
00486922 |. 837D D8 00 cmp [local.10],0x0 ; entered (test) serial, ASCII "123456"; the compare with 0 detects an empty entry
00486926 |. 75 18 jnz short 定时任务.00486940 ; non-empty -> continue; the registration code must not be empty
00486928 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
0048692A |. 68 706A4800 push 定时任务.00486A70 ; |Title = "失败" ("Failure")
0048692F |. 68 786A4800 push 定时任务.00486A78 ; |Text = "注册失败,请与销售方联系" ("Registration failed, please contact the vendor")
00486934 |. 6A 00 push 0x0 ; |hOwner = NULL
00486936 |. E8 3101F8FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0048693B |. E9 CC000000 jmp 定时任务.00486A0C ; target is outside this excerpt
00486940 |> 8D55 D4 lea edx,[local.11]
00486943 |. 8B86 1C030000 mov eax,dword ptr ds:[esi+0x31C]
00486949 |. E8 7AACFCFF call 定时任务.004515C8
0048694E |. 8B45 D4 mov eax,[local.11] ; entered (test) serial
00486951 |. E8 F619F8FF call 定时任务.0040834C ; presumably converts it to an integer (0x1E240 for "123456", see next line)
00486956 |. 3BD8 cmp ebx,eax ; expected vs entered: ebx = 0x000B109D (expected value), eax = 0x0001E240 (entered "123456" as an integer)
00486958 |. 0F85 9B000000 jnz 定时任务.004869F9 ; mismatch -> jumps to the failure path (target is outside this excerpt)