这两天整理电脑,翻出了以前的一个软件,拿来练练手,顺便将逆向过程记录了下来,欢迎大家先下软件自己搞,完了再看我的逆向过程
软件下载地址:https://pan.baidu.com/s/16vixk5jQbdGMPUWP2GjhMQ
国际惯例先上图:
QQ第六感V2.0逆向记录:
先安装,完成后用通用脱壳机进行脱壳。
运行主程序出现未注册弹窗,使用F12暂停法回溯找到
0040C0AE . E8 3D020000 call SixthSen.0040C2F0 \\启动弹窗计算CALL
0040C0B3 . 3D D8070000 cmp eax,0x7D8 ; //与7D8(十进制2008)比较,不相等就弹出未注册版本窗口
0040C0B8 . 74 2D je short SixthSen.0040C0E7 \\启动弹窗判断
跟进CALL0040C2F0发现是下面这句赋值指令影响了CALL后的判断
mov dword ptr ds:[eax],0x7D5
这句上面发现有另外一个赋值指令
mov dword ptr ds:[eax],0x7D8
如果是赋值的7D8那CALL后面的跳转就可跳过弹窗,证明是这个赋值影响的弹窗
右键查找全部命令,粘贴mov dword ptr ds:[eax],0x7D5
找到两处如下:
0040C447 C700 D5070000 mov dword ptr ds:[eax],0x7D5 ; \\第1处,影响启动弹窗(爆破点1)
0040D615 C700 D5070000 mov dword ptr ds:[eax],0x7D5 ; \\第2处,软件启动后的标题栏未注册提示(爆破点2)
将这两处的7D5全部改为7D8,
这样就去掉了启动时的未注册弹窗,且软件启动后标题栏提示已经注册
点击关于注册界面,输入用户名和密码后点注册按钮,下对话框断点后返回程序领空到段首,代码在后面
单步发现:
首先检查用户名和密码是否输入,
然后判断注册码格式:
检查第7位是否为-
检查第16位是否为-
再检查注册码位数是否为24位
注册码格式判断完成后再将用户名进行一系列的计算,算法简单分析了下,可能部分备注不是很正确,详见最后的代码部分(如果哪位大牛能写出注册机欢迎补充)
将用户名的计算结果与正确注册码的计算结果进行比较
相等就mov dword ptr ds:[eax+0x5C],0x7D8
不相等就mov dword ptr ds:[eax+0x5C],0x7D5
右键查找命令mov dword ptr ds:[eax+0x5C],0x7D5
发现只有这1处
直接将7D5改为7D8,实现注册码爆破。
为什么改这里的赋值,而不改外面CALL后的跳转?
因为这个CALL可能有多处调用,所以改关键call的返回值,这样改了所有调用此call验证的地方都爆破了
00401A2C |. C740 5C D5070>mov dword ptr ds:[eax+0x5C],0x7D5 ; \\直接将7D5改为7D8实现注册码判断爆破(爆破点3)
这3处爆破点改掉后输入注册码时格式没输对还是会提示错误
如果要完美点再将注册码格式判断也爆破掉,如下:
004013BA |> 807D C2 2D cmp byte ptr ss:[ebp-0x3E],0x2D ; \\注册码格式判断,检查第7位是否为-,不是就跳,NOP掉
004013C4 |. 807D CB 2D cmp byte ptr ss:[ebp-0x35],0x2D ; \\注册码格式判断,检查第16位是否为-,不是就跳,NOP掉
004013CE |. 83FE 18 cmp esi,0x18 ; \\判断假码位数是否为24位,不等就跳,NOP掉
改这6处即可实现完美爆破
下面是注册码验证涉及到的代码
===========================================
注册码格式判断:
;-----------------------------------------------------------------------
; sub_0040130F -- registration dialog handler: fetches user name and
; serial, checks the serial layout, writes both to the registry.
; x86-32, __thiscall style: ecx = this, kept in ebx for the whole body.
; Locals (OllyDbg local.N = ebp-4*N):
;   local.34 (ebp-0x88) user-name buffer, zeroed 33 bytes, fetched with max 0x21
;   local.17 (ebp-0x44) serial buffer, zeroed 25 bytes, fetched with max 0x19
;   local.10 (ebp-0x28) scratch string buffer (64 bytes passed as size below)
;   local.99 (ebp-0x18C) registry subkey string
;   local.5/local.4  two dwords derived from the serial, stored as REG_BINARY
;   local.3 user-name length, local.2 hex accumulator, local.1 HKEY
; Serial layout enforced here: length 24, '-' at index 6 ([ebp-0x3E]) and
; index 15 ([ebp-0x35]); indices 7..14 and 16..23 must be hex digits.
; Strings pushed before call 0040BE0F look obfuscated; 0040BE0F is
; presumably a decoder returning a char* in eax -- not shown, verify.
; Registry writes go to HKEY_LOCAL_MACHINE, so this path needs write
; access to HKLM; failures fall through to message paths.
; Preserves ebx/esi/edi; clobbers eax, ecx, edx, flags.
;-----------------------------------------------------------------------
0040130F /. 55 push ebp ; \\ entry: serial-format check and registration handler
00401310 |. 8BEC mov ebp,esp
00401312 |. 81EC 8C010000 sub esp,0x18C ; 0x18C bytes of locals
00401318 |. 53 push ebx ; SixthSen.00401833
00401319 |. 56 push esi ; SixthSen.0043CFA2
0040131A |. 57 push edi ; SixthSen.0043CFA2
0040131B |. 8BD9 mov ebx,ecx ; ebx = this
0040131D |. 6A 08 push 0x8
0040131F |. 33C0 xor eax,eax
00401321 |. 59 pop ecx ; ecx = 8
00401322 |. 8DBD 78FFFFFF lea edi,[local.34]
00401328 |. F3:AB rep stos dword ptr es:[edi] ; zero 8 dwords of the user-name buffer
0040132A |. AA stos byte ptr es:[edi] ; ... plus one byte (33 bytes total)
0040132B |. 6A 06 push 0x6
0040132D |. 33C0 xor eax,eax
0040132F |. 59 pop ecx ; ecx = 6
00401330 |. 8D7D BC lea edi,[local.17]
00401333 |. F3:AB rep stos dword ptr es:[edi] ; zero 6 dwords of the serial buffer
00401335 |. 8365 F8 00 and [local.2],0x0 ; local.2 = 0 (hex accumulator for the first loop)
00401339 |. 6A 21 push 0x21 ; max user-name length incl. NUL
0040133B |. AA stos byte ptr es:[edi] ; 25th byte of the serial buffer
0040133C |. 8D85 78FFFFFF lea eax,[local.34]
00401342 |. 8D8B 5E080000 lea ecx,dword ptr ds:[ebx+0x85E] ; ecx = &this->field_85E (presumably the user-name control)
00401348 |. 50 push eax
00401349 |. E8 24D30100 call SixthSen.0041E672 ; 0041E672(&local.34, 0x21): fetch user-name text -- presumably GetWindowText-style, verify
0040134E |. 8D45 BC lea eax,[local.17]
00401351 |. 6A 19 push 0x19 ; max serial length incl. NUL
00401353 |. 50 push eax
00401354 |. 8D8B 22080000 lea ecx,dword ptr ds:[ebx+0x822] ; ecx = &this->field_822 (presumably the serial control)
0040135A |. E8 13D30100 call SixthSen.0041E672 ; same fetch for the serial
0040135F |. 8B35 CCD24200 mov esi,dword ptr ds:[<&KERNEL32.lstrlen>; kernel32.lstrlenA
00401365 |. 8D85 78FFFFFF lea eax,[local.34]
0040136B |. 50 push eax ; /\\ user name
0040136C |. FFD6 call esi ; \ lstrlenA(user name)
0040136E |. 8945 F4 mov [local.3],eax ; local.3 = user-name length
00401371 |. 8D45 BC lea eax,[local.17]
00401374 |. 50 push eax ; /\\ serial
00401375 |. FFD6 call esi ; \\\ lstrlenA(serial)
00401377 |. 68 38724300 push SixthSen.00437238 ; \\ constant string "8El5hKVUdIf000" (obfuscated, decoded by the call below)
0040137C |. 8BF0 mov esi,eax ; esi = serial length
0040137E |. E8 8CAA0000 call SixthSen.0040BE0F ; presumably decodes the pushed string; result in eax
00401383 |. 59 pop ecx ; drop the argument
00401384 |. 50 push eax ; /String2 = decoded string
00401385 |. 8D45 D8 lea eax,[local.10] ; |
00401388 |. 50 push eax ; |String1 = &local.10
00401389 |. FF15 D0D24200 call dword ptr ds:[<&KERNEL32.lstrcpy>] ; \lstrcpyA -- local.10 = decoded string
0040138F |. 33FF xor edi,edi ; edi = 0, reused as NULL/zero argument below
00401391 |. 397D F4 cmp [local.3],edi ; \\ user-name length == 0 ?
00401394 |. 75 10 jnz short SixthSen.004013A6 ; non-empty -> continue
00401396 |. 8D45 D8 lea eax,[local.10]
00401399 |. 6A 40 push 0x40
0040139B |. 50 push eax
0040139C |. 68 00724300 push SixthSen.00437200 ; obfuscated message for the empty-user-name case
004013A1 |. E9 1F020000 jmp SixthSen.004015C5 ; -> decode + show
004013A6 |> 3BF7 cmp esi,edi ; \\ serial length == 0 ?
004013A8 |. 75 10 jnz short SixthSen.004013BA ; non-empty -> format checks
004013AA |. 8D45 D8 lea eax,[local.10]
004013AD |. 6A 40 push 0x40
004013AF |. 50 push eax
004013B0 |. 68 D4714300 push SixthSen.004371D4 ; obfuscated message for the empty-serial case
004013B5 |. E9 0B020000 jmp SixthSen.004015C5 ; -> decode + show
004013BA |> 807D C2 2D cmp byte ptr ss:[ebp-0x3E],0x2D ; \\ format check: serial[6] (7th char) must be '-'
004013BE |. 0F85 F6010000 jnz SixthSen.004015BA ; -> format error message
004013C4 |. 807D CB 2D cmp byte ptr ss:[ebp-0x35],0x2D ; \\ format check: serial[15] (16th char) must be '-'
004013C8 |. 0F85 EC010000 jnz SixthSen.004015BA ; -> format error message
004013CE |. 83FE 18 cmp esi,0x18 ; \\ format check: serial length must be 24
004013D1 |. 0F85 E3010000 jnz SixthSen.004015BA ; -> format error message
004013D7 |. E8 BA780200 call SixthSen.00428C96 ; unknown helper; its result's [+4] is used as 'this' below
004013DC |. 8B48 04 mov ecx,dword ptr ds:[eax+0x4]
004013DF |. E8 79D60100 call SixthSen.0041EA5D ; unknown (called before the Sleep)
004013E4 |. 68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004013E9 |. FF15 7CD24200 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004013EF |. E8 A2780200 call SixthSen.00428C96
004013F4 |. 8B48 04 mov ecx,dword ptr ds:[eax+0x4]
004013F7 |. E8 76D60100 call SixthSen.0041EA72 ; unknown (called after the Sleep)
004013FC |. 33C9 xor ecx,ecx ; i = 0
004013FE |> 0FBE440D C3 /movsx eax,byte ptr ss:[ebp+ecx-0x3D] ; \\ middle 8 chars: eax = serial[7+i]
00401403 |. 83F8 39 |cmp eax,0x39 ; '9'; Switch (cases 30..39)
00401406 |. 77 0A |ja short SixthSen.00401412 ; not a decimal digit -> try letters
00401408 |. 83F8 30 |cmp eax,0x30 ; '0'
0040140B |. 72 05 |jb short SixthSen.00401412
0040140D |. 83C0 D0 |add eax,-0x30 ; eax = 0..9
00401410 |. EB 24 |jmp short SixthSen.00401436
00401412 |> 83F8 61 |cmp eax,0x61 ; 'a'; Default case of switch 00401403
00401415 |. 72 0A |jb short SixthSen.00401421
00401417 |. 83F8 66 |cmp eax,0x66 ; 'f'
0040141A |. 77 05 |ja short SixthSen.00401421
0040141C |. 83C0 A9 |add eax,-0x57 ; eax = 10..15 for 'a'..'f'
0040141F |. EB 15 |jmp short SixthSen.00401436
00401421 |> 83F8 41 |cmp eax,0x41 ; 'A'
00401424 |. 0F82 BF000000 |jb SixthSen.004014E9 ; not hex -> error message at 004014E9
0040142A |. 83F8 46 |cmp eax,0x46 ; 'F'
0040142D |. 0F87 B6000000 |ja SixthSen.004014E9 ; not hex -> error message at 004014E9
00401433 |. 83C0 C9 |add eax,-0x37 ; eax = 10..15 for 'A'..'F'
00401436 |> 8B55 F8 |mov edx,[local.2] ; accumulator; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 00401403
00401439 |. C1E2 04 |shl edx,0x4 ; accumulator <<= 4
0040143C |. 03D0 |add edx,eax ; accumulator += nibble
0040143E |. 41 |inc ecx ; i++
0040143F |. 83F9 08 |cmp ecx,0x8
00401442 |. 8955 F8 |mov [local.2],edx
00401445 |.^ 72 B7 \jb short SixthSen.004013FE ; 8 hex digits
00401447 |. 8BF2 mov esi,edx ; esi = value of the middle 8 hex digits
00401449 |. 33D2 xor edx,edx ; edx = accumulator for the second loop
0040144B |. 33C9 xor ecx,ecx ; i = 0
0040144D |> 0FBE440D CC /movsx eax,byte ptr ss:[ebp+ecx-0x34] ; \\ last 8 chars: eax = serial[16+i]
00401452 |. 83F8 39 |cmp eax,0x39 ; '9'; Switch (cases 30..39)
00401455 |. 77 0A |ja short SixthSen.00401461 ; not a decimal digit -> try letters
00401457 |. 83F8 30 |cmp eax,0x30 ; '0'
0040145A |. 72 05 |jb short SixthSen.00401461
0040145C |. 83C0 D0 |add eax,-0x30 ; eax = 0..9
0040145F |. EB 1C |jmp short SixthSen.0040147D
00401461 |> 83F8 61 |cmp eax,0x61 ; 'a'; Default case of switch 00401452
00401464 |. 72 0A |jb short SixthSen.00401470
00401466 |. 83F8 66 |cmp eax,0x66 ; 'f'
00401469 |. 77 05 |ja short SixthSen.00401470
0040146B |. 83C0 A9 |add eax,-0x57 ; eax = 10..15 for 'a'..'f'
0040146E |. EB 0D |jmp short SixthSen.0040147D
00401470 |> 83F8 41 |cmp eax,0x41 ; 'A'
00401473 |. 72 74 |jb short SixthSen.004014E9 ; not hex -> error message at 004014E9
00401475 |. 83F8 46 |cmp eax,0x46 ; 'F'
00401478 |. 77 6F |ja short SixthSen.004014E9 ; not hex -> error message at 004014E9
0040147A |. 83C0 C9 |add eax,-0x37 ; eax = 10..15 for 'A'..'F'
0040147D |> C1E2 04 |shl edx,0x4 ; accumulator <<= 4; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 00401452
00401480 |. 03D0 |add edx,eax ; accumulator += nibble
00401482 |. 41 |inc ecx ; i++
00401483 |. 83F9 08 |cmp ecx,0x8
00401486 |.^ 72 C5 \jb short SixthSen.0040144D ; 8 hex digits -> edx = value of the last 8 hex digits
00401488 |. A1 ECA44300 mov eax,dword ptr ds:[0x43A4EC] ; global dword (also read at 00401A00)
0040148D |. 68 9C714300 push SixthSen.0043719C ; obfuscated string -> registry subkey once decoded
00401492 |. 33C6 xor eax,esi ; \\ eax ^= middle-8 value (esi set at 00401447)
00401494 |. 8945 EC mov [local.5],eax ; local.5 = first derived dword
00401497 |. 33C2 xor eax,edx ; \\ eax ^= last-8 value too (edx from the second loop)
00401499 |. 8945 F0 mov [local.4],eax ; local.4 = second derived dword; local.5/local.4 form the 8-byte REG_BINARY payload
0040149C |. E8 6EA90000 call SixthSen.0040BE0F ; decode the subkey string
004014A1 |. 50 push eax
004014A2 |. 8D85 74FEFFFF lea eax,[local.99]
004014A8 |. 50 push eax
004014A9 |. E8 42D00000 call SixthSen.0040E4F0 ; 0040E4F0(&local.99, decoded) -- presumably a string copy into local.99, verify
004014AE |. 83C4 0C add esp,0xC ; also drops the 0043719C push from 0040148D
004014B1 |. 8D45 B8 lea eax,[local.18]
004014B4 |. BE 02000080 mov esi,0x80000002 ; HKEY_LOCAL_MACHINE
004014B9 |. 50 push eax ; /pDisposition = &local.18
004014BA |. 8D45 FC lea eax,[local.1] ; |
004014BD |. 50 push eax ; |pHandle = &local.1
004014BE |. 57 push edi ; |pSecurity = NULL (edi == 0)
004014BF |. 68 3F000F00 push 0xF003F ; |Access = KEY_ALL_ACCESS
004014C4 |. 57 push edi ; |Options = 0
004014C5 |. 57 push edi ; |Class = NULL
004014C6 |. 8D85 74FEFFFF lea eax,[local.99] ; |
004014CC |. 57 push edi ; |Reserved = 0
004014CD |. 50 push eax ; |Subkey = &local.99
004014CE |. 56 push esi ; |hKey = HKEY_LOCAL_MACHINE
004014CF |. FF15 08D04200 call dword ptr ds:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA -- needs write access to HKLM
004014D5 |. 85C0 test eax,eax ; ERROR_SUCCESS == 0
004014D7 |. 74 20 je short SixthSen.004014F9
004014D9 |. 8D45 D8 lea eax,[local.10]
004014DC |. 6A 40 push 0x40
004014DE |. 50 push eax
004014DF |. 68 84714300 push SixthSen.00437184 ; obfuscated message: registry key creation failed
004014E4 |. E9 DC000000 jmp SixthSen.004015C5 ; -> decode + show
004014E9 |> 8D45 D8 lea eax,[local.10] ; reached from the hex-digit checks on a non-hex char
004014EC |. 6A 40 push 0x40
004014EE |. 50 push eax
004014EF |. 68 6C714300 push SixthSen.0043716C ; obfuscated message: serial contains a non-hex char
004014F4 |. E9 CC000000 jmp SixthSen.004015C5 ; -> decode + show
004014F9 |> 8D45 FC lea eax,[local.1]
004014FC |. 50 push eax ; /pHandle = &local.1
004014FD |. 68 06000200 push 0x20006 ; |Access = KEY_WRITE
00401502 |. 8D85 74FEFFFF lea eax,[local.99] ; |
00401508 |. 57 push edi ; |Reserved = 0
00401509 |. 50 push eax ; |Subkey = &local.99
0040150A |. 56 push esi ; |hKey = HKEY_LOCAL_MACHINE
0040150B |. FF15 04D04200 call dword ptr ds:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA -- reopens the key just created
00401511 |. 85C0 test eax,eax
00401513 |. 74 10 je short SixthSen.00401525
00401515 |. 8D45 D8 lea eax,[local.10]
00401518 |. 6A 40 push 0x40
0040151A |. 50 push eax
0040151B |. 68 50714300 push SixthSen.00437150 ; obfuscated message: registry key open failed
00401520 |. E9 A0000000 jmp SixthSen.004015C5 ; -> decode + show
00401525 |> FF75 F4 push [local.3] ; cbData = user-name length
00401528 |. 8D85 78FFFFFF lea eax,[local.34]
0040152E |. 50 push eax ; lpData = user name
0040152F |. 6A 01 push 0x1 ; dwType = 1 (REG_SZ)
00401531 |. 57 push edi ; Reserved = 0
00401532 |. 68 44714300 push SixthSen.00437144 ; obfuscated value name
00401537 |. E8 D3A80000 call SixthSen.0040BE0F ; decode value name
0040153C |. 8B35 14D04200 mov esi,dword ptr ds:[<&ADVAPI32.RegSetV>; esi = RegSetValueExA
00401542 |. 59 pop ecx ; drop decoder argument
00401543 |. 50 push eax ; |ValueName = decoded
00401544 |. FF75 FC push [local.1] ; |hKey
00401547 |. FFD6 call esi ; \RegSetValueExA -- stores the user name
00401549 |. 85C0 test eax,eax
0040154B |. 75 29 jnz short SixthSen.00401576 ; failure -> message
0040154D |. 8D45 EC lea eax,[local.5]
00401550 |. 6A 08 push 0x8 ; cbData = 8
00401552 |. 50 push eax ; lpData = &local.5 (the two derived dwords)
00401553 |. 6A 03 push 0x3 ; dwType = 3 (REG_BINARY)
00401555 |. 57 push edi ; Reserved = 0
00401556 |. 68 38714300 push SixthSen.00437138 ; obfuscated value name
0040155B |. E8 AFA80000 call SixthSen.0040BE0F ; decode value name
00401560 |. 59 pop ecx ; drop decoder argument
00401561 |. 50 push eax ; ValueName = decoded
00401562 |. FF75 FC push [local.1] ; hKey
00401565 |. FFD6 call esi ; RegSetValueExA -- stores the 8 derived bytes
00401567 |. FF75 FC push [local.1] ; /hKey
0040156A |. 8BF0 mov esi,eax ; | esi = RegSetValueExA result, kept across RegCloseKey
0040156C |. FF15 00D04200 call dword ptr ds:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401572 |. 3BF7 cmp esi,edi ; second write succeeded ?
00401574 |. 74 0D je short SixthSen.00401583
00401576 |> 8D45 D8 lea eax,[local.10]
00401579 |. 6A 40 push 0x40
0040157B |. 50 push eax
0040157C |. 68 18714300 push SixthSen.00437118 ; obfuscated message: registry write failed
00401581 |. EB 42 jmp short SixthSen.004015C5 ; -> decode + show
00401583 |> 8D85 78FFFFFF lea eax,[local.34]
00401589 |. 50 push eax ; /String2 = user name
0040158A |. 68 14A34300 push SixthSen.0043A314 ; |String1 = global user-name buffer (read by sub_004018DE)
0040158F |. FF15 D0D24200 call dword ptr ds:[<&KERNEL32.lstrcpy>] ; \lstrcpyA
00401595 |. 8D45 EC lea eax,[local.5]
00401598 |. 6A 08 push 0x8
0040159A |. 50 push eax
0040159B |. 68 0CA34300 push SixthSen.0043A30C ; global 8-byte slot (read at 00401A06/00401A11)
004015A0 |. E8 0BCC0000 call SixthSen.0040E1B0 ; 0040E1B0(0043A30C, &local.5, 8) -- presumably memcpy-like, verify
004015A5 |. 83C4 0C add esp,0xC
004015A8 |. 57 push edi ; /lParam = 0
004015A9 |. 57 push edi ; |wParam = 0
004015AA |. 68 1F040000 push 0x41F ; |Message = WM_USER+31.
004015AF |. FF73 1C push dword ptr ds:[ebx+0x1C] ; |hWnd = this->field_1C
004015B2 |. FF15 ECD44200 call dword ptr ds:[<&USER32.SendMessageA>; \SendMessageA -- notifies the owning window (effect not shown here)
004015B8 |. EB 19 jmp short SixthSen.004015D3 ; success: skip the message box
004015BA |> 8D45 D8 lea eax,[local.10] ; format-error path (from 004013BE/004013C8/004013D1)
004015BD |. 6A 40 push 0x40
004015BF |. 50 push eax
004015C0 |. 68 E0704300 push SixthSen.004370E0 ; obfuscated message: bad serial format
004015C5 |> E8 45A80000 call SixthSen.0040BE0F ; common tail: decode whichever message string was pushed
004015CA |. 59 pop ecx ; drop decoder argument
004015CB |. 50 push eax
004015CC |. 8BCB mov ecx,ebx ; this
004015CE |. E8 AABB0100 call SixthSen.0041D17D ; this->0041D17D(decoded) -- presumably displays the message, verify
004015D3 |> 5F pop edi
004015D4 |. 5E pop esi
004015D5 |. 5B pop ebx
004015D6 |. C9 leave
004015D7 \. C3 retn
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
注册码正确性判断:
;-----------------------------------------------------------------------
; sub_004018DE -- serial validity check.  __thiscall style: ecx = this,
; saved in local.1.
; Copies 0x40 bytes of the global user name (0043A314) into a stack buffer
; at local.19 (ebp-0x4C), derives two dwords (esi, edi) from it via
; 00401A3E, 0040C454 and a dword table at 00438688 (helpers not shown),
; and compares them against the dwords at 0043A30C / 0043A310 xor-ed with
; the global at 0043A4EC.
; Result: this+0x5C = 0x7D8 (2008) when both compare equal, 0x7D5 (2005)
; otherwise; the same dword is returned in eax.
; Locals: local.1 = this, local.2/local.3 = loop scratch, local.19 = name buffer.
; Preserves ebx/esi/edi; clobbers eax, ecx, edx, flags.
;-----------------------------------------------------------------------
004018DE /$ 55 push ebp ; \\ entry: serial validity check
004018DF |. 8BEC mov ebp,esp
004018E1 |. 83EC 4C sub esp,0x4C ; locals; name buffer starts at ebp-0x4C
004018E4 |. 53 push ebx ; SixthSen.00401833
004018E5 |. 56 push esi ; SixthSen.0043CFA2
004018E6 |. 57 push edi ; SixthSen.0043CFA2
004018E7 |. 6A 40 push 0x40 ; size = 0x40
004018E9 |. 8D45 B4 lea eax,[local.19]
004018EC |. 68 14A34300 push SixthSen.0043A314 ; ASCII "aaaaaaaaaaaaa" -- global user name as seen in the debugger
004018F1 |. 894D FC mov [local.1],ecx ; local.1 = this
004018F4 |. 50 push eax
004018F5 |. E8 B6C80000 call SixthSen.0040E1B0 ; \\ copy user name into local.19 (0x40 bytes; presumably memcpy-like, verify)
004018FA |. 8B3D CCD24200 mov edi,dword ptr ds:[<&KERNEL32.lstrlen>; kernel32.lstrlenA
00401900 |. 83C4 0C add esp,0xC
00401903 |. 8D45 B4 lea eax,[local.19]
00401906 |. 50 push eax ; /\\ user name
00401907 |. FFD7 call edi ; \\\ lstrlenA(user name)
00401909 |. 8BF0 mov esi,eax ; esi = user-name length
0040190B |. 83FE 14 cmp esi,0x14 ; \\ compare length with 20: jb below is taken when length < 20 (unsigned)
0040190E |. 72 1C jb short SixthSen.0040192C
00401910 |. C1E6 10 shl esi,0x10 ; length >= 20: esi = length << 16
00401913 |. 6A 01 push 0x1
00401915 |. 8BC6 mov eax,esi ; eax = length << 16, kept until 004019B5
00401917 |. 33C9 xor ecx,ecx ; weighted sum = 0
00401919 |. 5A pop edx ; d = 1
0040191A |> 0FBE7415 B4 /movsx esi,byte ptr ss:[ebp+edx-0x4C] ; esi = name[d] (sign-extended)
0040191F |. 0FAFF2 |imul esi,edx ; esi *= d
00401922 |. 03CE |add ecx,esi ; sum += name[d] * d
00401924 |. 42 |inc edx
00401925 |. 83FA 20 |cmp edx,0x20
00401928 |.^ 72 F0 \jb short SixthSen.0040191A ; d = 1..31 over the whole copied buffer
0040192A |. EB 7C jmp short SixthSen.004019A8 ; skip padding loop and the 00401A3E path
0040192C |> 8D45 B4 lea eax,[local.19]
0040192F |. 8975 F4 mov [local.3],esi ; local.3 = length (used as index k below)
00401932 |. 50 push eax
00401933 |. FFD7 call edi ; \\ lstrlenA(user name) again
00401935 |. 6A 20 push 0x20 ; \\ 32
00401937 |. 48 dec eax ; eax = length - 1
00401938 |. 59 pop ecx ; ecx = 32
00401939 |. 3BC1 cmp eax,ecx ; \\ (length - 1) >= 32 ? jnb skips the padding loop
0040193B |. 73 32 jnb short SixthSen.0040196F
0040193D |. 8945 F8 mov [local.2],eax ; local.2 = length - 1
00401940 |. 2975 F8 sub [local.2],esi ; \\ local.2 = (length - 1) - length = -1 (0xFFFFFFFF)
00401943 |. 2BC8 sub ecx,eax ; \\ ecx = 32 - (length - 1) = number of padding rounds
00401945 |> 8B5D F4 /mov ebx,[local.3] ; \\ k = local.3 (starts at length, +1 per round)
00401948 |. 8B45 F8 |mov eax,[local.2] ; \\ eax = -1
0040194B |. 33D2 |xor edx,edx ; \\ edx = 0 for the unsigned div below
0040194D |. 8D7C1D B4 |lea edi,dword ptr ss:[ebp+ebx-0x4C] ; \\ edi = &name[k]
00401951 |. 0FBE0438 |movsx eax,byte ptr ds:[eax+edi] ; \\ eax = name[k-1] (sign-extended)
00401955 |. F7F3 |div ebx ; \\ eax = name[k-1] / k (unsigned), edx = remainder (unused)
00401957 |. 8B55 F8 |mov edx,[local.2] ; \\ edx = -1
0040195A |. 0FBE143A |movsx edx,byte ptr ds:[edx+edi] ; \\ edx = name[k-1] again
0040195E |. 8BD8 |mov ebx,eax ; \\ ebx = quotient
00401960 |. 8A45 F4 |mov al,byte ptr ss:[ebp-0xC] ; \\ al = low byte of k (local.3)
00401963 |. F6EA |imul dl ; \\ ax = name[k-1] * k (signed 8-bit multiply)
00401965 |. 02D8 |add bl,al ; \\ bl = low byte of quotient + low byte of product
00401967 |. FF45 F4 |inc [local.3] ; \\ k++
0040196A |. 49 |dec ecx ; \\ rounds--
0040196B |. 881F |mov byte ptr ds:[edi],bl ; \\ name[k] = bl: pads the buffer past the string, up to index 32
0040196D |.^ 75 D6 \jnz short SixthSen.00401945 ; \\ loop until the padding rounds are exhausted
0040196F |> 33C9 xor ecx,ecx ; sum = 0
00401971 |. 33C0 xor eax,eax ; i = 0
00401973 |. 85F6 test esi,esi ; \\ length == 0 ? (jbe after test jumps only on zero)
00401975 |. 76 0C jbe short SixthSen.00401983
00401977 |> 0FBE5405 B4 /movsx edx,byte ptr ss:[ebp+eax-0x4C] ; \\ edx = name[i]
0040197C |. 03CA |add ecx,edx ; \\ sum += name[i]
0040197E |. 40 |inc eax ; \\ i++
0040197F |. 3BC6 |cmp eax,esi ; \\ i < length ?
00401981 |.^ 72 F4 \jb short SixthSen.00401977 ; \\ ecx = plain byte sum of the name
00401983 |> 6A 08 push 0x8
00401985 |. 51 push ecx ; sum
00401986 |. 8B4D FC mov ecx,[local.1] ; this
00401989 |. E8 B0000000 call SixthSen.00401A3E ; \\ eax = this->00401A3E(sum, 8) (helper not shown)
0040198E |. 6A 01 push 0x1 ; \\ 1
00401990 |. 05 00002000 add eax,0x200000 ; \\ eax += 0x200000
00401995 |. 33C9 xor ecx,ecx ; weighted sum = 0
00401997 |. 5A pop edx ; \\ d = 1
00401998 |> 0FBE7415 B4 /movsx esi,byte ptr ss:[ebp+edx-0x4C] ; \\ esi = name[d] (including the padded bytes)
0040199D |. 0FAFF2 |imul esi,edx ; \\ esi *= d (1st char * 1, 2nd * 2, ...)
004019A0 |. 03CE |add ecx,esi ; \\ sum += name[d] * d
004019A2 |. 42 |inc edx ; \\ d++
004019A3 |. 83FA 20 |cmp edx,0x20 ; \\ d = 1..31
004019A6 |.^ 72 F0 \jb short SixthSen.00401998 ; \\ ecx = weighted sum
004019A8 |> F7D1 not ecx ; \\ ecx = ~weighted sum
004019AA |. 81E1 FFFF0000 and ecx,0xFFFF ; \\ keep the low 16 bits
004019B0 |. BF AFB8AF8B mov edi,0x8BAFB8AF ; \\ edi = constant seed
004019B5 |. 03C1 add eax,ecx ; \\ eax += ecx
004019B7 |. BB 88864300 mov ebx,SixthSen.00438688 ; ebx -> dword table, walked downward by 4 per step
004019BC |. C745 F4 08000>mov [local.3],0x8 ; \\ 8 rounds
004019C3 |. 8DB0 47434320 lea esi,dword ptr ds:[eax+0x20434347] ; esi = eax + 0x20434347
004019C9 |> 8BC7 /mov eax,edi
004019CB |. 8B4D FC |mov ecx,[local.1] ; this
004019CE |. 83E0 1F |and eax,0x1F ; arg2 = edi & 0x1F
004019D1 |. 50 |push eax
004019D2 |. 8BC7 |mov eax,edi
004019D4 |. 33C6 |xor eax,esi ; arg1 = edi ^ esi
004019D6 |. 50 |push eax
004019D7 |. E8 78AA0000 |call SixthSen.0040C454 ; eax = this->0040C454(edi ^ esi, edi & 0x1F) (helper not shown)
004019DC |. 8BF0 |mov esi,eax
004019DE |. 8B4D FC |mov ecx,[local.1] ; this
004019E1 |. 0333 |add esi,dword ptr ds:[ebx] ; esi += *table
004019E3 |. 83EB 04 |sub ebx,0x4 ; table--
004019E6 |. 8BC6 |mov eax,esi
004019E8 |. 33FE |xor edi,esi ; edi ^= esi
004019EA |. 83E0 1F |and eax,0x1F ; arg2 = esi & 0x1F
004019ED |. 50 |push eax
004019EE |. 57 |push edi ; arg1 = edi
004019EF |. E8 60AA0000 |call SixthSen.0040C454 ; eax = this->0040C454(edi, esi & 0x1F)
004019F4 |. 8BF8 |mov edi,eax
004019F6 |. 033B |add edi,dword ptr ds:[ebx] ; edi += *table
004019F8 |. 83EB 04 |sub ebx,0x4 ; table--
004019FB |. FF4D F4 |dec [local.3] ; rounds--
004019FE |.^ 75 C9 \jnz short SixthSen.004019C9 ; \\ after 8 rounds esi/edi are the two derived dwords
00401A00 |. 8B0D ECA44300 mov ecx,dword ptr ds:[0x43A4EC] ; global (also read at 00401488)
00401A06 |. A1 0CA34300 mov eax,dword ptr ds:[0x43A30C] ; first stored dword (slot written at 0040159B)
00401A0B |. 33C8 xor ecx,eax ; ecx = global ^ stored1
00401A0D |. 3BF1 cmp esi,ecx ; \\ derived dword 1 vs ecx
00401A0F |. 75 18 jnz short SixthSen.00401A29 ; \\ key jump 1: taken on mismatch -> failure flag 0x7D5
00401A11 |. 8B0D 10A34300 mov ecx,dword ptr ds:[0x43A310] ; second stored dword
00401A17 |. 33C8 xor ecx,eax ; ecx = stored2 ^ stored1
00401A19 |. 3BF9 cmp edi,ecx ; \\ derived dword 2 vs ecx
00401A1B |. 75 0C jnz short SixthSen.00401A29 ; \\ key jump 2: taken on mismatch -> failure flag 0x7D5
00401A1D |. 8B45 FC mov eax,[local.1] ; this
00401A20 |. C740 5C D8070>mov dword ptr ds:[eax+0x5C],0x7D8 ; \\ this->status = 0x7D8 (2008): registered
00401A27 |. EB 0A jmp short SixthSen.00401A33
00401A29 |> 8B45 FC mov eax,[local.1] ; this
00401A2C C740 5C D5070>mov dword ptr ds:[eax+0x5C],0x7D5 ; \\ this->status = 0x7D5 (2005): later checks treat this as unregistered
00401A33 |> 8B45 FC mov eax,[local.1] ; this
00401A36 |. 5F pop edi
00401A37 |. 5E pop esi
00401A38 |. 5B pop ebx
00401A39 |. 8B40 5C mov eax,dword ptr ds:[eax+0x5C] ; return the status dword just written
00401A3C |. C9 leave
00401A3D \. C3 retn