Search32-PRO v6.05 registration algorithm analysis - OCG (46k characters)
=======================Open Cracking Group=======================
=
=
Search32-PRO v6.05 registration algorithm analysis
=
DiKeN/OCG
=
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
====================Open Cracking Group==========================
=
=Tools: LordPE, DeDe, W32Dasm, ODBG, Notepad, Delphi
=
=================================================================
1.LordPE-->Unpack
2.DeDe
NAG--->Button1--->0048B938
3.W32Dasm (to capture the assembly listing; I am more used to it)
4.ODBG
=================================================================
0048B938 55
PUSH EBP
0048B939 8BEC
MOV EBP,ESP
0048B93B 83C4 E0 ADD
ESP,-20
0048B93E 53
PUSH EBX
0048B93F 56
PUSH ESI
0048B940 57
PUSH EDI
0048B941 33C9
XOR ECX,ECX
0048B943 894D E8
MOV DWORD PTR SS:[EBP-18],ECX
0048B946 894D E4
MOV DWORD PTR SS:[EBP-1C],ECX
0048B949
894D E0 MOV DWORD PTR SS:[EBP-20],ECX
0048B94C
894D F0 MOV DWORD PTR SS:[EBP-10],ECX
0048B94F
8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0048B952
33C0 XOR EAX,EAX
0048B954
55 PUSH EBP
0048B955
68 24BD4800 PUSH Search32.0048BD24
0048B95A 64:FF30
PUSH DWORD PTR FS:[EAX]
0048B95D 64:8920
MOV DWORD PTR FS:[EAX],ESP
0048B960 8D55
E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048B963
8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048B966
8B80 10020000 MOV EAX,DWORD PTR DS:[EAX+210]
0048B96C
E8 3745F9FF CALL Search32.0041FEA8
0048B971 8B45
E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0048B974
8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0048B977
E8 8CBCF7FF CALL Search32.00407608
0048B97C 837D
E8 00 CMP DWORD PTR SS:[EBP-18],0
0048B980
75 2F JNZ SHORT Search32.0048B9B1
0048B982 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048B985 8B45 FC MOV EAX,DWORD PTR
SS:[EBP-4]
0048B988 8B80 14020000 MOV EAX,DWORD PTR DS:[EAX+214]
0048B98E E8 1545F9FF CALL Search32.0041FEA8
0048B993 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0048B996 8D55 E0 LEA EDX,DWORD PTR
SS:[EBP-20]
0048B999 E8 6ABCF7FF CALL Search32.00407608
0048B99E 837D E0 00 CMP DWORD PTR SS:[EBP-20],0
0048B9A2 75 0D JNZ SHORT Search32.0048B9B1
0048B9A4 8B45 FC MOV EAX,DWORD PTR
SS:[EBP-4]
0048B9A7 E8 3026FAFF CALL Search32.0042DFDC
0048B9AC E9 45030000 JMP Search32.0048BCF6
0048B9B1 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0048B9B4 8B45 FC MOV EAX,DWORD PTR
SS:[EBP-4]
0048B9B7 8B80 10020000 MOV EAX,DWORD PTR DS:[EAX+210]
0048B9BD E8 E644F9FF CALL Search32.0041FEA8
0048B9C2 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0048B9C5 8D55 E8 LEA EDX,DWORD PTR
SS:[EBP-18]
0048B9C8 E8 3BBCF7FF CALL Search32.00407608
0048B9CD 8B55 E8 MOV EDX,DWORD PTR
SS:[EBP-18]
0048B9D0 A1 BC254B00 MOV EAX,DWORD
PTR DS:[4B25BC]
0048B9D5 E8 BA80F7FF CALL Search32.00403A94
0048B9DA 8D55 E4 LEA EDX,DWORD PTR
SS:[EBP-1C]
0048B9DD 8B45 FC MOV
EAX,DWORD PTR SS:[EBP-4]
0048B9E0 8B80 14020000 MOV EAX,DWORD
PTR DS:[EAX+214]
0048B9E6 E8 BD44F9FF CALL Search32.0041FEA8
0048B9EB 8B45 E4 MOV EAX,DWORD PTR
SS:[EBP-1C]
0048B9EE 8D55 E8 LEA
EDX,DWORD PTR SS:[EBP-18]
0048B9F1 E8 12BCF7FF
CALL Search32.00407608
0048B9F6 8B55 E8
MOV EDX,DWORD PTR SS:[EBP-18]
0048B9F9 A1 3C264B00
MOV EAX,DWORD PTR DS:[4B263C]
0048B9FE E8 9180F7FF
CALL Search32.00403A94
0048BA03 A1 10244B00
MOV EAX,DWORD PTR DS:[4B2410]
0048BA08 8B00
MOV EAX,DWORD PTR DS:[EAX]
0048BA0A 8B98 5C060000
MOV EBX,DWORD PTR DS:[EAX+65C]
0048BA10 85DB
TEST EBX,EBX
0048BA12 75 50
JNZ SHORT Search32.0048BA64
0048BA14 68
34BD4800 PUSH Search32.0048BD34
0048BA19 E8 22E0FBFF
CALL Search32.00449A40
; JMP to Srch32_d.CreateIndexObject
0048BA1E 8BD8
MOV EBX,EAX
0048BA20 8B15
3C264B00 MOV EDX,DWORD PTR DS:[4B263C]
; Search32.004B3B14
0048BA26 8B12
MOV EDX,DWORD PTR DS:[EDX]
0048BA28 8D45
E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BA2B
B9 40BD4800 MOV ECX,Search32.0048BD40
; ASCII "SP6"
0048BA30 E8 D382F7FF
CALL Search32.00403D08
0048BA35 8B45 E8
MOV EAX,DWORD PTR SS:[EBP-18]
0048BA38 E8 4384F7FF
CALL Search32.00403E80
0048BA3D 50
PUSH EAX
0048BA3E A1 BC254B00
MOV EAX,DWORD PTR DS:[4B25BC]
0048BA43 8B00
MOV EAX,DWORD PTR DS:[EAX]
0048BA45
E8 3684F7FF CALL Search32.00403E80
0048BA4A 50
PUSH EAX
0048BA4B
53 PUSH EBX
0048BA4C
8B03 MOV EAX,DWORD PTR DS:[EBX]
0048BA4E FF50 74 CALL DWORD PTR DS:[EAX+74]
0048BA51 8B15 2C234B00 MOV EDX,DWORD PTR DS:[4B232C]
; Search32.004B3B1C
0048BA57 8902
MOV DWORD PTR DS:[EDX],EAX
0048BA59
53 PUSH EBX
0048BA5A
E8 F1DFFBFF CALL Search32.00449A50
; JMP to Srch32_d.DestroyIndexObject
0048BA5F
E9 A5000000 JMP Search32.0048BB09
0048BA64 A1 10244B00
MOV EAX,DWORD PTR DS:[4B2410]
0048BA69 837B 08 00
CMP DWORD PTR DS:[EBX+8],0
0048BA6D 75 4F
JNZ SHORT Search32.0048BABE
0048BA6F
68 34BD4800 PUSH Search32.0048BD34
0048BA74 E8
C7DFFBFF CALL Search32.00449A40
; JMP to Srch32_d.CreateIndexObject
0048BA79
8BD8 MOV EBX,EAX
0048BA7B
8B15 3C264B00 MOV EDX,DWORD PTR DS:[4B263C]
; Search32.004B3B14
0048BA81 8B12
MOV EDX,DWORD PTR DS:[EDX]
0048BA83 8D45
E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BA86
50 PUSH EAX
0048BA87
B9 40BD4800 MOV ECX,Search32.0048BD40
; ASCII "SP6"
0048BA8C 58
POP EAX
0048BA8D E8
7682F7FF CALL Search32.00403D08
0048BA92 8B45 E8
MOV EAX,DWORD PTR SS:[EBP-18]
0048BA95
E8 E683F7FF CALL Search32.00403E80
0048BA9A 50
PUSH EAX
0048BA9B
A1 BC254B00 MOV EAX,DWORD PTR DS:[4B25BC]
0048BAA0
8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BAA2 E8 D983F7FF CALL Search32.00403E80
0048BAA7 50 PUSH
EAX
0048BAA8 53
PUSH EBX
0048BAA9 8B03
MOV EAX,DWORD PTR DS:[EBX]
0048BAAB FF50 74
CALL DWORD PTR DS:[EAX+74]
0048BAAE 8B15 2C234B00
MOV EDX,DWORD PTR DS:[4B232C] ; Search32.004B3B1C
0048BAB4 8902 MOV DWORD
PTR DS:[EDX],EAX
0048BAB6 53
PUSH EBX
0048BAB7 E8 94DFFBFF CALL
Search32.00449A50
; JMP to Srch32_d.DestroyIndexObject
0048BABC EB 4B
JMP SHORT Search32.0048BB09
0048BABE A1 10244B00
MOV EAX,DWORD PTR DS:[4B2410]
0048BAC3 8BC3
MOV EAX,EBX
0048BAC5 33D2
XOR EDX,EDX
0048BAC7 E8 C022F8FF
CALL Search32.0040DD8C
0048BACC 8BD8
MOV EBX,EAX
0048BACE 8B15 3C264B00
MOV EDX,DWORD PTR DS:[4B263C]
; Search32.004B3B14
0048BAD4 8B12
MOV EDX,DWORD PTR DS:[EDX]
0048BAD6 8D45 E8
LEA EAX,DWORD PTR SS:[EBP-18]
0048BAD9 50
PUSH EAX
0048BADA
B9 40BD4800 MOV ECX,Search32.0048BD40
; ASCII "SP6"
0048BADF 58
POP EAX
0048BAE0 E8
2382F7FF CALL Search32.00403D08
0048BAE5 8B45 E8
MOV EAX,DWORD PTR SS:[EBP-18]
0048BAE8
E8 9383F7FF CALL Search32.00403E80
0048BAED 50
PUSH EAX
0048BAEE
A1 BC254B00 MOV EAX,DWORD PTR DS:[4B25BC]
0048BAF3
8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BAF5 E8 8683F7FF CALL Search32.00403E80
0048BAFA 50 PUSH
EAX
0048BAFB 53
PUSH EBX
0048BAFC 8B03
MOV EAX,DWORD PTR DS:[EBX]
0048BAFE FF50 74          CALL DWORD PTR DS:[EAX+74]  ==================> key routine
0048BB01 8B15
2C234B00 MOV EDX,DWORD PTR DS:[4B232C]
; Search32.004B3B1C
0048BB07 8902             MOV DWORD PTR DS:[EDX],EAX  ==================> correct if EAX=0
0048BB09 A1 2C234B00 MOV EAX,DWORD PTR DS:[4B232C]
0048BB0E 8338 00 CMP DWORD PTR DS:[EAX],0
0048BB11 75 0F            JNZ SHORT Search32.0048BB22  =================> compare
0048BB13 B8 4CBD4800      MOV EAX,Search32.0048BD4C
; ASCII "Entered password is invalid for the given registration number."
0048BB18 E8 AB38FBFF
CALL Search32.0043F3C8
0048BB1D E9 CC010000
JMP Search32.0048BCEE
0048BB22 8D55 E8
LEA EDX,DWORD PTR SS:[EBP-18]
0048BB25 A1 5C254B00
MOV EAX,DWORD PTR DS:[4B255C]
0048BB2A 8B00
MOV EAX,DWORD PTR DS:[EAX]
0048BB2C E8
2342FAFF CALL Search32.0042FD54
0048BB31 8B55 E8
MOV EDX,DWORD PTR SS:[EBP-18]
0048BB34
A1 F4234B00 MOV EAX,DWORD PTR DS:[4B23F4]
0048BB39
8B00 MOV EAX,DWORD PTR DS:[EAX]
0048BB3B 8B0D D0234B00 MOV ECX,DWORD PTR DS:[4B23D0]
; Search32.004B3A98
0048BB41 3301
XOR EAX,DWORD PTR DS:[ECX]
0048BB43
E8 9043F9FF CALL Search32.0041FED8
0048BB48 A1
0C244B00 MOV EAX,DWORD PTR DS:[4B240C]
0048BB4D
C600 00 MOV BYTE PTR DS:[EAX],0
0048BB50
8B15 EC254B00 MOV EDX,DWORD PTR DS:[4B25EC]
; Search32.004B3B10
0048BB56 8B12
MOV EDX,DWORD PTR DS:[EDX]
0048BB58 8D45
F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BB5B
B9 94BD4800 MOV ECX,Search32.0048BD94
; ASCII "Cd.cd"
0048BB60 E8 A381F7FF
CALL Search32.00403D08
0048BB65 8B45 F0
MOV EAX,DWORD PTR SS:[EBP-10]
0048BB68 E8 6BC0F7FF
CALL Search32.00407BD8
0048BB6D 84C0
TEST AL,AL
0048BB6F 0F84 79010000    JE Search32.0048BCEE  =======> what is this Cd.cd for? (not analyzed yet; I could not even get one correct Code)
0048BB75
B2 01 MOV DL,1
0048BB77 A1
4CCE4000 MOV EAX,DWORD PTR DS:[40CE4C]
0048BB7C
E8 2B73F7FF CALL Search32.00402EAC
0048BB81 8945
F4 MOV DWORD PTR SS:[EBP-C],EAX
0048BB84
8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0048BB87
8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BB8A
8B08 MOV ECX,DWORD PTR DS:[EAX]
0048BB8C FF51 58 CALL DWORD PTR DS:[ECX+58]
0048BB8F 8B45 F4 MOV EAX,DWORD PTR
SS:[EBP-C]
0048BB92 8B10
MOV EDX,DWORD PTR DS:[EAX]
0048BB94 FF52 14
CALL DWORD PTR DS:[EDX+14]
0048BB97 48
DEC EAX
0048BB98 85C0
TEST EAX,EAX
0048BB9A 7C 6C
JL SHORT Search32.0048BC08
0048BB9C 40
INC EAX
0048BB9D 8945
EC MOV DWORD PTR SS:[EBP-14],EAX
0048BBA0
C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
0048BBA7 8D4D F0
LEA ECX,DWORD PTR SS:[EBP-10]
0048BBAA
8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0048BBAD
8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BBB0
8B18 MOV EBX,DWORD PTR DS:[EAX]
0048BBB2 FF53 0C CALL DWORD PTR DS:[EBX+C]
0048BBB5 8B45 F0 MOV EAX,DWORD PTR
SS:[EBP-10]
0048BBB8 E8 FF80F7FF CALL Search32.00403CBC
0048BBBD 8BF0 MOV ESI,EAX
0048BBBF 85F6 TEST
ESI,ESI
0048BBC1 7E 2F JLE
SHORT Search32.0048BBF2
0048BBC3 BF 01000000 MOV
EDI,1
0048BBC8 8B45 F0 MOV EAX,DWORD
PTR SS:[EBP-10]
0048BBCB 8A5C38 FF MOV BL,BYTE
PTR DS:[EAX+EDI-1]
0048BBCF 80FB 20
CMP BL,20
0048BBD2 74 1A JE
SHORT Search32.0048BBEE
0048BBD4 8D45 F0
LEA EAX,DWORD PTR SS:[EBP-10]
0048BBD7 E8 B082F7FF
CALL Search32.00403E8C
0048BBDC 8B55 F0
MOV EDX,DWORD PTR SS:[EBP-10]
0048BBDF 33D2
XOR EDX,EDX
0048BBE1 8AD3
MOV DL,BL
0048BBE3 B9 20010000
MOV ECX,120
0048BBE8 2BCA
SUB ECX,EDX
0048BBEA 884C38 FF
MOV BYTE PTR DS:[EAX+EDI-1],CL
0048BBEE 47
INC EDI
0048BBEF 4E
DEC ESI
0048BBF0 75 D6
JNZ SHORT Search32.0048BBC8
0048BBF2
8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0048BBF5
8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0048BBF8
8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BBFB
8B18 MOV EBX,DWORD PTR DS:[EAX]
0048BBFD FF53 20 CALL DWORD PTR DS:[EBX+20]
0048BC00 FF45 F8 INC DWORD PTR SS:[EBP-8]
0048BC03 FF4D EC DEC DWORD PTR SS:[EBP-14]
0048BC06 75 9F JNZ SHORT Search32.0048BBA7
0048BC08 A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BC0D 8B00 MOV EAX,DWORD
PTR DS:[EAX]
0048BC0F 83B8 18060000 00 CMP DWORD PTR DS:[EAX+618],0
0048BC16 74 1C JE SHORT Search32.0048BC34
0048BC18 A1 10244B00 MOV EAX,DWORD PTR DS:[4B2410]
0048BC1D 8B00 MOV EAX,DWORD
PTR DS:[EAX]
0048BC1F 8B90 50060000 MOV EDX,DWORD PTR
DS:[EAX+650]
0048BC25 8D45 F0 LEA
EAX,DWORD PTR SS:[EBP-10]
0048BC28 B9 A4BD4800
MOV ECX,Search32.0048BDA4
0048BC2D E8 D680F7FF
CALL Search32.00403D08
0048BC32 EB 10
JMP SHORT Search32.0048BC44
0048BC34 8D45 F0
LEA EAX,DWORD PTR SS:[EBP-10]
0048BC37 8B15 EC254B00
MOV EDX,DWORD PTR DS:[4B25EC]
; Search32.004B3B10
0048BC3D 8B12
MOV EDX,DWORD PTR DS:[EDX]
0048BC3F E8 947EF7FF
CALL Search32.00403AD8
0048BC44 8D45 F0
LEA EAX,DWORD PTR SS:[EBP-10]
0048BC47 BA B0BD4800
MOV EDX,Search32.0048BDB0
; ASCII "Notifying_txt"
0048BC4C E8 7380F7FF
CALL Search32.00403CC4
0048BC51 8B0D BC254B00 MOV
ECX,DWORD PTR DS:[4B25BC] ; Search32.004B3B18
0048BC57 8B09 MOV ECX,DWORD
PTR DS:[ECX]
0048BC59 8D45 E8 LEA
EAX,DWORD PTR SS:[EBP-18]
0048BC5C BA C8BD4800
MOV EDX,Search32.0048BDC8
; ASCII "Customer ID: "
0048BC61 E8 A280F7FF CALL
Search32.00403D08
0048BC66 8B4D E8
MOV ECX,DWORD PTR SS:[EBP-18]
0048BC69 BA 0A000000
MOV EDX,A
0048BC6E 8B45 F4 MOV EAX,DWORD
PTR SS:[EBP-C]
0048BC71 8B18
MOV EBX,DWORD PTR DS:[EAX]
0048BC73 FF53 54
CALL DWORD PTR DS:[EBX+54]
0048BC76 8D55 E4
LEA EDX,DWORD PTR SS:[EBP-1C]
0048BC79 A1 10244B00
MOV EAX,DWORD PTR DS:[4B2410]
0048BC7E 8B00
MOV EAX,DWORD PTR DS:[EAX]
0048BC80
E8 2342F9FF CALL Search32.0041FEA8
0048BC85 8B4D
E4 MOV ECX,DWORD PTR SS:[EBP-1C]
0048BC88
8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BC8B
BA E0BD4800 MOV EDX,Search32.0048BDE0
; ASCII "Program: "
0048BC90 E8
7380F7FF CALL Search32.00403D08
0048BC95 8B55 E8
MOV EDX,DWORD PTR SS:[EBP-18]
0048BC98
8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BC9B
8B08 MOV ECX,DWORD PTR DS:[EAX]
0048BC9D FF51 34 CALL DWORD PTR DS:[ECX+34]
0048BCA0 BA F4BD4800 MOV EDX,Search32.0048BDF4
; ASCII "Version: 6.05"
0048BCA5 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048BCA8 8B08 MOV ECX,DWORD
PTR DS:[EAX]
0048BCAA FF51 34 CALL
DWORD PTR DS:[ECX+34]
0048BCAD 8B55 F0
MOV EDX,DWORD PTR SS:[EBP-10]
0048BCB0 8B45 F4
MOV EAX,DWORD PTR SS:[EBP-C]
0048BCB3 8B08
MOV ECX,DWORD PTR DS:[EAX]
0048BCB5
FF51 64 CALL DWORD PTR DS:[ECX+64]
0048BCB8
6A 03 PUSH 3
0048BCBA A1 EC254B00
MOV EAX,DWORD PTR DS:[4B25EC]
0048BCBF 8B00
MOV EAX,DWORD PTR DS:[EAX]
0048BCC1
E8 BA81F7FF CALL Search32.00403E80
0048BCC6 50
PUSH EAX
0048BCC7
6A 00 PUSH 0
0048BCC9 8D45
E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BCCC
8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0048BCCF
BA 0CBE4800 MOV EDX,Search32.0048BE0C
; ASCII "Notepad.exe "
0048BCD4
E8 2F80F7FF CALL Search32.00403D08
0048BCD9 8B45
E8 MOV EAX,DWORD PTR SS:[EBP-18]
0048BCDC
E8 9F81F7FF CALL Search32.00403E80
0048BCE1 50
PUSH EAX
0048BCE2
68 1CBE4800 PUSH Search32.0048BE1C
; ASCII "open"
0048BCE7 6A 00
PUSH 0
0048BCE9 E8 AADCFBFF
CALL Search32.00449998
; JMP to SHELL32.ShellExecuteA
0048BCEE 8B45 FC
MOV EAX,DWORD PTR SS:[EBP-4]
0048BCF1 E8
E622FAFF CALL Search32.0042DFDC
0048BCF6 33C0
XOR EAX,EAX
0048BCF8 5A
POP EDX
0048BCF9 59
POP ECX
0048BCFA 59
POP ECX
0048BCFB 64:8910
MOV DWORD PTR FS:[EAX],EDX
0048BCFE 68
2BBD4800 PUSH Search32.0048BD2B
0048BD03 8D45 E0
LEA EAX,DWORD PTR SS:[EBP-20]
0048BD06
E8 357DF7FF CALL Search32.00403A40
0048BD0B 8D45
E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0048BD0E
E8 2D7DF7FF CALL Search32.00403A40
0048BD13 8D45
E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048BD16
E8 257DF7FF CALL Search32.00403A40
0048BD1B 8D45
F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048BD1E
E8 1D7DF7FF CALL Search32.00403A40
0048BD23 C3
RETN
===================Analysis shows that the registration code check is in the dynamic library SRCH32_D.DLL
===============Exported fn(): ?checkData@@YGHPAD0@Z - Ord:0001h
Name:
DiKeN
Code:
xxxxxxxxxxxxxxxx
1234567890123456789012345678901234567890
=========================================================================
Exported fn(): ?checkData@@YGHPAD0@Z - Ord:0001h
:10001320 81ECDC020000
sub esp, 000002DC
:10001326 53
push ebx
:10001327
55
push ebp
:10001328 56
push esi
:10001329 57
push edi
:1000132A 8BBC24F0020000
mov edi, dword ptr [esp+000002F0]
:10001331 83C9FF
or ecx, FFFFFFFF
:10001334 33C0
xor eax, eax
:10001336 33DB
xor ebx, ebx
:10001338 F2
repnz
:10001339 AE
scasb
:1000133A F7D1
not ecx
:1000133C 2BF9
sub edi, ecx
:1000133E 8D9424A8000000
lea edx, dword ptr [esp+000000A8]
:10001345 8BC1
mov eax, ecx
:10001347 8BF7
mov esi, edi
:10001349 8BFA
mov edi, edx
:1000134B 895C241C
mov dword ptr [esp+1C], ebx
:1000134F C1E902
shr ecx, 02
:10001352 F3
repz
:10001353 A5
movsd
:10001354 8BC8
mov ecx, eax
:10001356 895C2424
mov dword ptr [esp+24], ebx
:1000135A
83E103 and ecx,
00000003
:1000135D BD05000000
mov ebp, 00000005
:10001362 F3
repz
:10001363 A4
movsb
:10001364 8D8C24A8000000
lea ecx, dword ptr [esp+000000A8]
:1000136B 895C2420
mov dword ptr [esp+20], ebx
:1000136F 51
push ecx
:10001370 E8A11E0100
call 10013216
:10001375 83C404
add esp, 00000004
:10001378 53
push ebx
* Reference
To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:10001379 FF1530400110 Call dword
ptr [10014030]
:1000137F 3BC5
cmp eax, ebp=5
:10001381 8B8424A8000000
mov eax, dword ptr [esp+000000A8]=X4X3X2X1
:10001388 750F                    jne 10001399  ====> normally these are not equal, so the jump is taken
:1000138A 3C43
cmp al, 43=C
:1000138C 7418
je 100013A6
:1000138E
80FC44 cmp ah, 44=D
:10001391 0F8582040000            jne 10001819  ============> error 1
//======================>(this error should not occur)
:10001397 EB0D
jmp 100013A6
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:10001388(C)
|
:10001399 3C43
cmp al, 43
:1000139B 7509
jne 100013A6
:1000139D 80FC44
cmp ah, 44
:100013A0 0F8473040000            je 10001819  ============> error 2
//======================>error if the user name is CD
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000138C(C), :10001397(U), :1000139B(C)
|
:100013A6 A1308F0110
mov eax, dword ptr [10018F30]
:100013AB
8D9424E8010000 lea edx, dword ptr [esp+000001E8]
:100013B2 6804010000 push
00000104
:100013B7 52
push edx
:100013B8 50
push eax
* Reference To: KERNEL32.GetModuleFileNameA,
Ord:0124h
|
:100013B9 FF152C400110
Call dword ptr [1001402C]
:100013BF 85C0
test eax, eax
:100013C1 0F8452040000            je 10001819  ============> error 3
//====================>module load error
:100013C7 8D8C24E8010000
lea ecx, dword ptr [esp+000001E8]
:100013CE 6A5C
push 0000005C
:100013D0 51
push ecx
:100013D1 E89A9C0000
call 1000B070
:100013D6 8BF0
mov esi, eax
:100013D8 83C408
add esp, 00000008
:100013DB 3BF3
cmp esi, ebx=0
:100013DD 0F8436040000            je 10001819  ============> error 4
//====================>module file name error
:100013E3 46
inc esi
:100013E4 56
push esi
:100013E5 89742418
mov dword ptr [esp+18], esi
:100013E9 E8281E0100
call 10013216
:100013EE 8DBC24AC000000          lea edi, dword ptr [esp+000000AC]  = user name
:100013F5 83C9FF
or ecx, FFFFFFFF
:100013F8 33C0
xor eax, eax
:100013FA 83C404
add esp, 00000004
:100013FD F2
repnz
:100013FE AE
scasb
:100013FF
8B9C24F4020000 mov ebx, dword ptr [esp+000002F4]
:10001406 F7D1
not ecx
:10001408 49
dec ecx
:10001409 8BFB
mov edi, ebx
:1000140B 8BD1
mov edx, ecx
:1000140D 83C9FF
or ecx, FFFFFFFF
:10001410 F2
repnz
:10001411 AE
scasb
:10001412 F7D1
not ecx
:10001414
49
dec ecx
:10001415 83F918
cmp ecx, 00000018
:10001418 894C2418
mov dword ptr [esp+18], ecx
:1000141C 0F82F7030000            jb 10001819  ============> error 5
//====================>CODE length check, >=$15 ($18-length(SP6))
:10001422 7639
jbe 1000145D
:10001424 8D7B18
lea edi, dword ptr [ebx+18]
:10001427 83C9FF
or ecx, FFFFFFFF
:1000142A
F2
repnz
:1000142B AE
scasb
:1000142C F7D1
not ecx
:1000142E 2BF9
sub edi, ecx
:10001430 8D9C24A8000000
lea ebx, dword ptr [esp+000000A8]
:10001437 8BF7
mov esi, edi
:10001439 8BFB
mov edi, ebx
:1000143B 8BD9
mov ebx, ecx
:1000143D 83C9FF
or ecx, FFFFFFFF
:10001440 F2
repnz
:10001441
AE
scasb
:10001442 8BCB
mov ecx, ebx
:10001444 4F
dec edi
:10001445 C1E902
shr ecx, 02
:10001448
F3
repz
:10001449 A5
movsd
:1000144A 8BCB
mov ecx, ebx
:1000144C C744241818000000
mov [esp+18], 00000018
:10001454 83E103
and ecx, 00000003
:10001457
F3
repz
:10001458 A4
movsb
:10001459 8B742414
mov esi, dword ptr [esp+14]
The remaining string is appended after the user name
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001422(C)
|
:1000145D 83FA20                  cmp edx, 00000020  ====> user name length
:10001460 7330
jnb 10001492
:10001462
8BFE mov
edi, esi
:10001464 83C9FF
or ecx, FFFFFFFF
:10001467 33C0
xor eax, eax
:10001469 8D9424A8000000
lea edx, dword ptr [esp+000000A8]
:10001470 F2
repnz
:10001471 AE
scasb
:10001472 F7D1
not ecx
:10001474 2BF9
sub edi, ecx
:10001476 8BF7
mov esi, edi
:10001478
8BD9 mov
ebx, ecx
:1000147A 8BFA
mov edi, edx
:1000147C 83C9FF
or ecx, FFFFFFFF
:1000147F F2
repnz
:10001480 AE
scasb
:10001481 8BCB
mov ecx, ebx
:10001483 4F
dec edi
:10001484 C1E902
shr ecx, 02
:10001487 F3
repz
:10001488 A5
movsd
:10001489 8BCB
mov ecx, ebx
:1000148B 83E103
and ecx, 00000003
:1000148E F3
repz
:1000148F
A4
movsb
:10001490 EB0B                    jmp 1000149D  ====> user name concatenation: DIKEN + remaining registration code + 'SRCH32_D.DLL'
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:10001460(C)
|
:10001492 8D84149C000000 lea eax, dword
ptr [esp+edx+0000009C]
:10001499 89442414
mov dword ptr [esp+14], eax
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:10001490(U)
|
:1000149D B907000000
mov ecx, 00000007
:100014A2 B84D4D4D4D
mov eax, 4D4D4D4D
:100014A7 8D7C2448
lea edi, dword ptr [esp+48]
:100014AB F3
repz
:100014AC AB
stosd
:100014AD 66AB
stosw
:100014AF AA
stosb
:100014B0
B81F000000 mov eax, 0000001F
:100014B5 B14D
mov cl, 4D
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:100014BC(C)
|
:100014B7 48
dec eax
:100014B8 884C2429
mov byte ptr [esp+29], cl
:100014BC 75F9
jne 100014B7
:100014BE 8B7C2418                mov edi, dword ptr [esp+18]  = registration code length
:100014C2 33DB
xor ebx, ebx
:100014C4
85FF test
edi, edi
:100014C6 C644244700
mov [esp+47], 00
:100014CB C644246700
mov [esp+67], 00
:100014D0 0F868F000000
jbe 10001565
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:1000155F(C)
|
:100014D6 8BB424F4020000
mov esi, dword ptr [esp+000002F4]=Code
:100014DD
0FBE0C33 movsx ecx, byte
ptr [ebx+esi]
:100014E1 51
push ecx
===ODBG==00DE14E1 51
PUSH ECX
:100014E2 E85F9B0000              call 1000B046  ==> convert to a number?
:100014E7
83C404 add esp,
00000004
:100014EA 85C0
test eax, eax
:100014EC 7512
jne 10001500
:100014EE 8B442424
mov eax, dword ptr [esp+24]
:100014F2 8A1433
mov dl, byte ptr [ebx+esi]
:100014F5 88540428
mov byte ptr [esp+eax+28], dl
:100014F9 40
inc eax
:100014FA 89442424
mov dword ptr [esp+24], eax
:100014FE EB5C
jmp 1000155C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:100014EC(C)
|
:10001500 F6C301                  test bl, 01  =========> odd/even position
:10001503 7512
jne 10001517
:10001505 8B442424
mov eax, dword ptr [esp+24]
:10001509 8A0C33
mov cl, byte ptr [ebx+esi]
:1000150C 884C0428 mov
byte ptr [esp+eax+28], cl
:10001510 40
inc eax
:10001511 89442424
mov dword ptr [esp+24], eax
:10001515 EB45
jmp 1000155C
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:10001503(C)
|
:10001517 8A1433
mov dl, byte ptr [ebx+esi]
:1000151A
88542C48 mov byte ptr [esp+ebp+48],
dl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10001539(U), :10001548(U), :1000154B(U)
|
:1000151E 0FBE442C48
movsx eax, byte ptr [esp+ebp+48]
:10001523 50
push eax
:10001524 E81D9B0000
call 1000B046
:10001529 83C404
add esp, 00000004
:1000152C 85C0
test eax, eax
:1000152E
741D je 1000154D
:10001530 8B442420
mov eax, dword ptr [esp+20]
:10001534 85C0
test eax, eax
:10001536 7403
je 1000153B
:10001538
45
inc ebp
:10001539 EBE3
jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:10001536(C)
|
:1000153B 85DB
test ebx, ebx
:1000153D
750B jne
1000154A
:1000153F C744242001000000 mov [esp+20],
00000001
:10001547 45
inc ebp
:10001548 EBD4
jmp 1000151E
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:1000153D(C)
|
:1000154A 4D
dec ebp
:1000154B EBD1
jmp 1000151E
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:1000152E(C)
|
:1000154D 8B442420
mov eax, dword ptr [esp+20]
:10001551
33C9 xor
ecx, ecx
:10001553 85C0
test eax, eax
:10001555 0F94C1
sete cl
:10001558 894C2420
mov dword ptr [esp+20], ecx
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:100014FE(U), :10001515(U)
|
:1000155C 43
inc ebx
:1000155D 3BDF
cmp ebx, edi
:1000155F 0F8271FFFFFF
jb 100014D6
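Leading and trailing spaces are stripped from the user name
The registration code + 'SP6' is split into two parts:
The NameXor string is the odd-position string
Sum of the Name bytes
XOR of NameXOR
NameXOR mod $7FFFFFFFF ===> converted to a string
xor $67C2D76C=
Code2 ==> number; only a certain range is kept
Code1:=Code1+Name2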
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:100014D0(C)
|
:10001565 8D7C2448
lea edi, dword ptr [esp+48]
:10001569 83C9FF
or ecx, FFFFFFFF
:1000156C 33C0
xor eax, eax
:1000156E
C6442C4800 mov [esp+ebp+48], 00
:10001573 F2
repnz
:10001574 AE
scasb
:10001575 8B542424
mov edx, dword ptr [esp+24]
:10001579
F7D1 not
ecx
:1000157B 49
dec ecx
:1000157C C644142800
mov [esp+edx+28], 00
:10001581 83E1FE
and ecx, FFFFFFFE
:10001584 83F90A
cmp ecx, 0000000A
:10001587 0F828C020000            jb 10001819  ============> error 6
//====================>length of string 2 after conversion
:1000158D 8D442448
lea eax, dword ptr [esp+48]
:10001591
50
push eax
:10001592 E8A49A0000              call 1000B03B  ==> string 2 converted to a number, 32 bits significant
:10001597 8B7C2418
mov edi, dword ptr [esp+18]
:1000159B 8BD8
mov ebx, eax
:1000159D A1388F0110 mov eax,
dword ptr [10018F38]
:100015A2 83C9FF
or ecx, FFFFFFFF
:100015A5 33D8
xor ebx, eax
:100015A7 33C0
xor eax, eax
:100015A9 83C404
add esp, 00000004
:100015AC 8D542428
lea edx, dword ptr [esp+28]
:100015B0 F2
repnz
:100015B1 AE
scasb
:100015B2 F7D1
not ecx
:100015B4 2BF9
sub edi, ecx
:100015B6 8BF7
mov esi, edi
:100015B8 8BE9
mov ebp, ecx
:100015BA
8BFA mov
edi, edx
:100015BC 83C9FF
or ecx, FFFFFFFF
:100015BF F2
repnz
:100015C0 AE
scasb
:100015C1
8BCD mov
ecx, ebp
:100015C3 4F
dec edi
:100015C4 C1E902
shr ecx, 02
:100015C7 F3
repz
:100015C8
A5
movsd
:100015C9 8BCD
mov ecx, ebp
:100015CB 83E103
and ecx, 00000003
:100015CE
F3
repz
:100015CF A4
movsb
:100015D0 8DBC24A8000000
lea edi, dword ptr [esp+000000A8]
========================>string 1 + DLL name
:100015D7 83C9FF
or ecx, FFFFFFFF
:100015DA F2
repnz
:100015DB AE
scasb
:100015DC F7D1
not ecx
:100015DE
49
dec ecx
:100015DF 8D7C2428
lea edi, dword ptr [esp+28]
:100015E3 8BD1
mov edx, ecx
:100015E5 83C9FF
or ecx, FFFFFFFF
:100015E8 F2
repnz
:100015E9 AE
scasb
:100015EA F7D1
not ecx
:100015EC 49
dec ecx
:100015ED
83FA20 cmp edx,
00000020
:100015F0 894C2418
mov dword ptr [esp+18], ecx
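:100015F4 0F821F020000            jb 10001819  ============> error 7
========================>when the user name length >= $20: Name + remaining string
========================>otherwise Name + remaining string + ''
========================>DLL is 12
========================>the length of string 1 must be >= 20
========================>re-enter a fake registration code 40 bytes long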
:100015FA 85D2
test edx, edx
:100015FC 7617
jbe 10001615
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:10001613(C)
|
:100015FE 0FBE8C04A8000000
movsx ecx, byte ptr [esp+eax+000000A8]
DIKEN5678901234567890SP6SRCH32_D.DLL
:10001606 8B7C241C
mov edi, dword ptr [esp+1C]
:1000160A 03F9
add edi, ecx
:1000160C 40
inc eax
:1000160D
3BC2 cmp
eax, edx
:1000160F 897C241C                mov dword ptr [esp+1C], edi  ====> running sum
:10001613 72E9
jb 100015FE
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:100015FC(C)
|
:10001615 8BFA
mov edi, edx
:10001617 83E703                  and edi, 00000003  ; is it a multiple of 4?
:1000161A 7420                    je 1000163C  =======> jump if so
:1000161C 33F6
xor esi, esi
:1000161E 33C9
xor ecx, ecx
:10001620 33C0
xor eax, eax
:10001622 85FF
test edi, edi
:10001624 7622
jbe 10001648
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:10001638(C)
|
:10001626 0FBEAC04A8000000        movsx ebp, byte ptr [esp+eax+000000A8]  ====> Name string
:1000162E
D3E5 shl
ebp, cl
:10001630 83C108
add ecx, 00000008
:10001633 0BF5
or esi, ebp
:10001635 40
inc eax
:10001636 3BC7
cmp eax, edi
:10001638 72EC
jb 10001626
:1000163A EB0C
jmp 10001648
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:1000161A(C)
|
:1000163C 8BB424A8000000 mov esi, dword
ptr [esp+000000A8]
:10001643 B804000000
mov eax, 00000004
* Referenced by a (U)nconditional or
(C)onditional Jump at Addresses:
|:10001624(C), :1000163A(U)
|
:10001648 3BC2
cmp eax, edx
:1000164A 7310
jnb 1000165C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:1000165A(C)
|
:1000164C 8BAC04A8000000
mov ebp, dword ptr [esp+eax+000000A8]
:10001653
83C004 add eax,
00000004
:10001656 33F5                    xor esi, ebp  =========> value of ESI: 261B0109 (mine)
:10001658 3BC2
cmp eax, edx
:1000165A 72F0
jb 1000164C
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:1000164A(C)
|
:1000165C 8B542418
mov edx, dword ptr [esp+18]
:10001660
83E203 and edx,
00000003
:10001663 741D
je 10001682
:10001665 33ED
xor ebp, ebp
:10001667 33C9
xor ecx, ecx
:10001669
33C0 xor
eax, eax
:1000166B 85D2
test edx, edx
:1000166D 761C
jbe 1000168B
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:1000167E(C)
|
:1000166F 0FBE7C0428              movsx edi, byte ptr [esp+eax+28]  ===> Code string 1 + user name remainder string
:10001674 D3E7
shl edi, cl
:10001676 83C108
add ecx, 00000008
:10001679 0BEF
or ebp, edi
:1000167B 40
inc eax
:1000167C 3BC2
cmp eax, edx
:1000167E 72EF
jb 1000166F
:10001680 EB09
jmp 1000168B
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:10001663(C)
|
:10001682 8B6C2428                mov ebp, dword ptr [esp+28]  =======> string 1
:10001686 B804000000
mov eax, 00000004
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:1000166D(C), :10001680(U)
|
:1000168B 8B4C2418 mov
ecx, dword ptr [esp+18]
:1000168F 3BC1
cmp eax, ecx
:10001691 730D
jnb 100016A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000169E(C)
|
:10001693 8B540428
mov edx, dword ptr [esp+eax+28]
:10001697 83C004
add eax, 00000004
:1000169A 33EA                    xor ebp, edx  ============> result 63382C54 (mine)
:1000169C 3BC1
cmp eax, ecx
:1000169E 72F3
jb 10001693
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:10001691(C)
|
:100016A0 8D542468
lea edx, dword ptr [esp+68]
:100016A4 6A0A
push 0000000A
:100016A6 52
push edx
:100016A7 8BC6
mov eax, esi
:100016A9 33D2
xor edx, edx
:100016AB B9FFFFFF7F mov ecx,
7FFFFFFF
:100016B0 F7F1
div ecx
:100016B2 33EB
xor ebp, ebx==========>ebp
:100016B4 52
push edx===>
:100016B5 E805100100 call
100126BF=======>
EAX=960575048
ECX=75048
:100016BA 8B5C2428
mov ebx, dword ptr [esp+28]
:100016BE 8B3D388F0110 mov edi, dword
ptr [10018F38]
:100016C4 8D9424B4010000
lea edx, dword ptr [esp+000001B4]
:100016CB 6A0A
push 0000000A
:100016CD 52
push edx
:100016CE 53                      push ebx  =================> sum
:100016CF 33F7
xor esi, edi==========>esi
:100016D1 E8E90F0100 call 100126BF
EAX=12159
ECX=159
take the last 3
:100016D6 8DBC2480000000
lea edi, dword ptr [esp+00000080]
:100016DD 83C9FF
or ecx, FFFFFFFF
:100016E0 33C0
xor eax, eax
:100016E2 83C418
add esp, 00000018
:100016E5 F2
repnz
:100016E6 AE
scasb
:100016E7
F7D1 not
ecx
:100016E9 49
dec ecx
:100016EA 8DBC24A8010000
lea edi, dword ptr [esp+000001A8]
:100016F1 894C2420
mov dword ptr [esp+20], ecx
:100016F5
83C9FF or ecx, FFFFFFFF
:100016F8 F2
repnz
:100016F9 AE
scasb
:100016FA F7D1
not ecx
:100016FC 49
dec ecx
:100016FD 8BC3                    mov eax, ebx  ==========> sum
:100016FF 894C2418
mov dword ptr [esp+18], ecx
:10001703
33D2 xor
edx, edx
:10001705 B905000000
mov ecx, 00000005
:1000170A F7F1
div ecx
:1000170C 85D2
test edx, edx
:1000170E 8954241C
mov dword ptr [esp+1C], edx
:10001712 7504                    jne 10001718  ======== if a multiple of 5 then =0, otherwise =5
:10001714 894C241C
mov dword ptr [esp+1C], ecx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:10001712(C)
|
:10001718 33DB
xor ebx, ebx
:1000171A 33FF
xor edi, edi
:1000171C 3BF5
cmp esi, ebp
:1000171E C644241400
mov [esp+14], 00
:10001723 0F85F0000000            jne 10001819  ============> error 8
====================================================================
00DE171A
====================================================================
[Check conditions of this loop]
14 checks in total
The code here is taken from ODBG, because that is what I used for the analysis
====================================================================
====================================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100017FA(C), :10001802(U)
|
00DE1729 8A443C 68        MOV AL,BYTE PTR SS:[ESP+EDI+68]
00DE172D 8A4C24 1C        MOV CL,BYTE PTR SS:[ESP+1C]  =5, NameAdd sum
00DE1731 02C1             ADD AL,CL
00DE1733 0FBED0           MOVSX EDX,AL
00DE1736 52               PUSH EDX
00DE1737 884424 16        MOV BYTE PTR SS:[ESP+16],AL  ==========
00DE173B E8 06990000      CALL Srch32_d.00DEB046       +
00DE1740 83C4 04          ADD ESP,4                    +===> same location
00DE1743 85C0             TEST EAX,EAX                 +
00DE1745 75 05            JNZ SHORT Srch32_d.00DE174C  ==========
00DE1747 804424 12 F7     ADD BYTE PTR SS:[ESP+12],F7
00DE174C 8A4424 12        MOV AL,BYTE PTR SS:[ESP+12]
00DE1750 8A4C1C 28        MOV CL,BYTE PTR SS:[ESP+EBX+28]  ===> string of odd-position values
00DE1754 3AC1             CMP AL,CL
00DE1756 0F85 BD000000    JNZ Srch32_d.00DE1819  ============> error 9
00DE175C 43               INC EBX
00DE175D 83FB 0E          CMP EBX,E
00DE1760 0F83 A1000000    JNB Srch32_d.00DE1807  =====================> correct 1
00DE1766 0FBE4C1C 28      MOVSX ECX,BYTE PTR SS:[ESP+EBX+28]
00DE176B 51               PUSH ECX
00DE176C E8 D5980000      CALL Srch32_d.00DEB046
00DE1771 83C4 04          ADD ESP,4
00DE1774 85C0             TEST EAX,EAX
00DE1776 75 0A            JNZ SHORT Srch32_d.00DE1782
00DE1778 43               INC EBX
00DE1779 83FB 0E          CMP EBX,E
00DE177C 0F83 85000000    JNB Srch32_d.00DE1807  =====================> correct 2
00DE1782 8B7424 20        MOV ESI,DWORD PTR SS:[ESP+20]  =====> NameXor string length
00DE1786 47               INC EDI
00DE1787 3BFE             CMP EDI,ESI
00DE1789 72 02            JB SHORT Srch32_d.00DE178D
00DE178B 33FF             XOR EDI,EDI
00DE178D 8BC7             MOV EAX,EDI
00DE178F 33D2             XOR EDX,EDX
00DE1791 F77424 18        DIV DWORD PTR SS:[ESP+18]  =========> length of the Name sum string
00DE1795 8A4C3C 68        MOV CL,BYTE PTR SS:[ESP+EDI+68]
00DE1799 8A4424 14        MOV AL,BYTE PTR SS:[ESP+14]  =========+
00DE179D 6A 0A            PUSH A                                +
00DE179F 8A9414 AC010000  MOV DL,BYTE PTR SS:[ESP+EDX+1AC]  =========> Name sum string
00DE17A6 32D1             XOR DL,CL                             +
00DE17A8 B9 0A000000      MOV ECX,A                             +
00DE17AD 02C2             ADD AL,DL                             +
00DE17AF 884424 18        MOV BYTE PTR SS:[ESP+18],AL  =========+===> same address
00DE17B3 8D4424 16        LEA EAX,DWORD PTR SS:[ESP+16]         +
00DE17B7 50               PUSH EAX                              +
00DE17B8 8B4424 1C        MOV EAX,DWORD PTR SS:[ESP+1C]  =======+
00DE17BC 25 FF000000      AND EAX,FF
00DE17C1 99               CDQ
00DE17C2 F7F9             IDIV ECX
00DE17C4 52               PUSH EDX
00DE17C5 E8 F50E0100      CALL Srch32_d.00DF26BF  ====> yields a character ['0'..'9']
00DE17CA 8A5424 1E        MOV DL,BYTE PTR SS:[ESP+1E]  =========>
00DE17CE 8A441C 34        MOV AL,BYTE PTR SS:[ESP+EBX+34]  ========> odd-position string
00DE17D2 83C4 0C          ADD ESP,C
00DE17D5 3AD0             CMP DL,AL
00DE17D7 75 40            JNZ SHORT Srch32_d.00DE1819  ============> error 10
00DE17D9 43               INC EBX
00DE17DA 83FB 0E          CMP EBX,E
00DE17DD 73 28            JNB SHORT Srch32_d.00DE1807  =====================> correct 3
00DE17DF 0FBE441C 28      MOVSX EAX,BYTE PTR SS:[ESP+EBX+28]  ====> odd-position string
00DE17E4 50               PUSH EAX
00DE17E5 E8 5C980000      CALL Srch32_d.00DEB046
00DE17EA 83C4 04          ADD ESP,4
00DE17ED 85C0             TEST EAX,EAX
00DE17EF 75 06            JNZ SHORT Srch32_d.00DE17F7
00DE17F1 43               INC EBX
00DE17F2 83FB 0E          CMP EBX,E
00DE17F5 73 10            JNB SHORT Srch32_d.00DE1807  =====================> correct 4
00DE17F7 47               INC EDI
00DE17F8 3BFE             CMP EDI,ESI
00DE17FA 0F82 29FFFFFF    JB Srch32_d.00DE1729
00DE1800 33FF             XOR EDI,EDI
00DE1802 E9 22FFFFFF      JMP Srch32_d.00DE1729
===========================================================================
End of the main loop
===========================================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10001760(C), :1000177C(C), :100017DD(C), :100017F5(C)
|
:10001807
5F
pop edi
:10001808 5E
pop esi
:10001809 5D
pop ebp
:1000180A B801000000
mov eax, 00000001
:1000180F 5B
pop ebx
:10001810 81C4DC020000 add esp,
000002DC
:10001816 C20800
ret 0008
* Referenced by a (U)nconditional or
(C)onditional Jump at Addresses:
|:10001391(C), :100013A0(C), :100013C1(C),
:100013DD(C), :1000141C(C)
|:10001587(C), :100015F4(C), :10001723(C), :10001756(C),
:100017D7(C)
|
:10001819 5F
pop edi
:1000181A 5E
pop esi
:1000181B
5D
pop ebp
:1000181C 33C0
xor eax, eax
:1000181E 5B
pop ebx
:1000181F 81C4DC020000
add esp, 000002DC
:10001825 C20800
ret 0008
=================================================================
=
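=Although I did not find a correct Code, I can give everyone a Code that passes the earlier checks
=But I think the main thing to analyze is the 14 comparisons that follow; I am still working on recovering the algorithm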
=Name:DiKeN/OCG
=Code:8891933687692150361075Open Cracking Group
=