S-DEMO2 註冊分析 (14千字)
// S-DEMO2 CODE ANALYSIS BY JMZZ 2002.06.25
1: use W32Dasm to find the string "Register failure!"
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00403682(C)
|
:0040374A 6A00
push 00000000
* Possible StringData
Ref from Data Obj ->"Register Failure!"
|
:0040374C 689CD24100
push 0041D29C
:00403751 8BCD
mov ecx, ebp
2: go to 00403682 and look upward
:00403672 51
push ecx
:00403673 52
push edx
:00403674 B9C0E74200
mov ecx, 0042E7C0
:00403679 E8D24C0000
call 00408350 ====> trace into this call
:0040367E 85C0
test eax, eax
:00403680 6A00
push 00000000
:00403682
0F84C2000000 je 0040374A
:00403688
8D8C24A8000000 lea ecx, dword ptr [esp+000000A8]
3:
* Referenced by a CALL at Addresses:
|:00403679 , :004044DB
, :00404F7B
|
:00408350 81EC34010000
sub esp, 00000134
:00408356 53
push ebx
:00408357 55
push ebp
:00408358 56
push esi
:00408359 8BF1
mov esi, ecx
:0040835B 57
push edi
:0040835C 89742410
mov dword ptr [esp+10], esi
* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:00408360 E8A9960000 Call 00411A0E
:00408365 8B8C2448010000 mov ecx, dword ptr [esp+00000148]
:0040836C 8B4004 mov eax, dword
ptr [eax+04]
* Reference To: MSVCRT.sprintf, Ord:02B2h
|
:0040836F 8B2DC0934100
mov ebp, dword ptr [004193C0]
:00408375
81C6D4000000 add esi, 000000D4
:0040837B 56 push
esi
:0040837C 51
push ecx
:0040837D 8D942484000000 lea edx, dword
ptr [esp+00000084]
* Possible StringData Ref from Data Obj ->"%s%s"
|
:00408384 68C0D44100 push 0041D4C0
:00408389 52
push edx
:0040838A 89442424 mov
dword ptr [esp+24], eax
:0040838E FFD5
call ebp
// strcat(Name,ID)
:00408390 8B9C245C010000
mov ebx, dword ptr [esp+0000015C]
:00408397 83C9FF
or ecx, FFFFFFFF
:0040839A 8BFB
mov edi, ebx
:0040839C
33C0 xor eax, eax
:0040839E F2
repnz
:0040839F AE
scasb
:004083A0 F7D1
not ecx
:004083A2 2BF9
sub edi, ecx
:004083A4 8D542428
lea edx, dword ptr [esp+28]
:004083A8 8BC1
mov eax, ecx
:004083AA 8BF7
mov esi, edi
:004083AC 8BFA
mov edi, edx
:004083AE C1E902
shr ecx, 02
:004083B1 F3
repz
:004083B2 A5
movsd
:004083B3 8BC8
mov ecx, eax
:004083B5 83E103
and ecx, 00000003
:004083B8 F3
repz
:004083B9 A4
movsb
:004083BA 8D8C248C000000
lea ecx, dword ptr [esp+0000008C]
:004083C1 51
push ecx
:004083C2 53
push ebx
:004083C3 E848FCFFFF
call 00408010 ===> important, trace into this call
:004083C8 83C418 add esp,
00000018
* Possible StringData Ref from Data Obj ->"Clayman"
|
:004083CB BFD0D14100 mov edi,
0041D1D0
:004083D0 8BF3
mov esi, ebx
// strcmp(pCode,"Clayman")
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004083F4(C)
|
:004083D2 8A16
mov dl, byte ptr [esi]
:004083D4 8A0F
mov cl, byte ptr [edi]
:004083D6 8AC2
mov al, dl
:004083D8 3AD1
cmp dl, cl
:004083DA 751E
jne 004083FA
:004083DC 84C0
test al, al
:004083DE 7416
je 004083F6
:004083E0 8A4E01
mov cl, byte ptr [esi+01]
:004083E3 8A5701
mov dl, byte ptr [edi+01]
:004083E6 8AC1
mov al, cl
:004083E8 3ACA
cmp cl, dl
:004083EA 750E
jne 004083FA
:004083EC 83C602
add esi, 00000002
:004083EF 83C702
add edi, 00000002
:004083F2 84C0
test al, al
:004083F4
75DC jne 004083D2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004083DE(C)
|
:004083F6 33C0
xor eax, eax
:004083F8 EB05
jmp 004083FF
4: main code
// str[] = "FZRHK01WGTPQSAVC";
// "Guest"
// Code[]
// pCode[] // must be "Clayman"
// sCode[18]
* Referenced by a CALL at Addresses:
|:00407F39
, :00407F95 , :004083C3 , :00408428 , :0040862A
|
:00408010 81ECCC000000
sub esp, 000000CC
:00408016 8B9424D0000000 mov edx,
dword ptr [esp+000000D0]
:0040801D 53
push ebx
:0040801E 55
push ebp
:0040801F 56
push esi
:00408020 57
push edi
:00408021 8BFA
mov edi, edx
:00408023 83C9FF
or ecx, FFFFFFFF
:00408026 33C0
xor eax, eax
:00408028
F2 repnz
:00408029
AE scasb
:0040802A
F7D1 not ecx
// set code's len to ECX
// ECX = CodeLen + 1
:0040802C
2BF9 sub edi, ecx
:0040802E 8D5C2414 lea ebx, dword
ptr [esp+14]
:00408032 8BC1
mov eax, ecx
:00408034 8BF7
mov esi, edi
:00408036 8BFB
mov edi, ebx
:00408038 C1E902
shr ecx, 02
:0040803B F3
repz
:0040803C A5
movsd
:0040803D 8BC8
mov ecx, eax
:0040803F 33C0
xor eax, eax
:00408041 83E103
and ecx, 00000003
:00408044 F3
repz
:00408045 A4
movsb
// copy the code string into the stack buffer at [esp+14] (EDI = 0x0068dc78 in this trace); the length comes from strlen, so the copy is unbounded
:00408046
8D7C2414 lea edi, dword ptr [esp+14]
:0040804A 83C9FF or ecx, FFFFFFFF
:0040804D F2
repnz
:0040804E AE
scasb
:0040804F F7D1
not ecx
:00408051 49
dec ecx
:00408052 8BF1
mov esi, ecx
// set code's len to ESI
:00408054 8A4C2414
mov cl, byte ptr [esp+14]
// set CL = the code's first char
:00408058 89742410
mov dword ptr [esp+10], esi
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00408068(C)
|
:0040805C 388828D54100
cmp byte ptr [eax+0041D528], cl
:00408062 7433
je 00408097
// must jmp (eax<0x10)
:00408064 40
inc eax
:00408065 83F810
cmp eax, 00000010
:00408068 7CF2
jl 0040805C
// set EAX = index of the code's first char in str[] (EAX < 0x10)
// sCode[0] = a random char of str[]
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040809A(C)
|
* Possible StringData Ref from Data Obj ->"!@#@#SDFG^*&"
|
:0040806A BF68D54100 mov edi,
0041D568
:0040806F 83C9FF or
ecx, FFFFFFFF
:00408072 33C0
xor eax, eax
:00408074 F2
repnz
:00408075 AE
scasb
:00408076 F7D1
not ecx
:00408078 2BF9
sub edi, ecx
:0040807A 8BC1
mov eax, ecx
:0040807C 8BF7
mov esi, edi
:0040807E 8BFA
mov edi, edx
:00408080 C1E902
shr ecx, 02
:00408083 F3
repz
:00408084 A5
movsd
:00408085 8BC8
mov ecx, eax
:00408087 83E103
and ecx, 00000003
:0040808A F3
repz
:0040808B A4
movsb
:0040808C 5F
pop edi
:0040808D 5E
pop esi
:0040808E 5D
pop ebp
:0040808F 5B
pop ebx
:00408090 81C4CC000000
add esp, 000000CC
:00408096 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408062(C)
|
:00408097 83F810 cmp eax,
00000010
:0040809A 7DCE
jge 0040806A
:0040809C 8B9C24E4000000 mov ebx,
dword ptr [esp+000000E4]
:004080A3 BD0F000000
mov ebp, 0000000F
:004080A8 2BE8
sub ebp, eax
// set EBP = 0X0F - IdxCodeFirstCharInStr(EAX)
:004080AA 8BFB
mov edi, ebx
:004080AC 83C9FF
or ecx, FFFFFFFF
:004080AF 33C0
xor eax, eax
:004080B1 F2
repnz
:004080B2 AE
scasb
:004080B3 F7D1
not ecx
:004080B5 49
dec ecx
// set NameIdLen to ECX
:004080B6 33D2
xor edx, edx
:004080B8
8BC1 mov eax, ecx
:004080BA B907000000 mov ecx,
00000007
:004080BF F7F1
div ecx
:004080C1 8BCA
mov ecx, edx
// set (NameIdLen % 7) to ECX
:004080C3 85C9
test ecx, ecx
:004080C5
752B jne 004080F2
// if((NameIdLen % 7) == 0)
// {
// sorry, I did not see this code executed while tracing!
* Possible StringData Ref from Data
Obj ->"Guest"
|
:004080C7 BF20D54100
mov edi, 0041D520
:004080CC 83C9FF
or ecx, FFFFFFFF
:004080CF 33C0
xor eax, eax
:004080D1 F2
repnz
:004080D2 AE
scasb
:004080D3 F7D1
not ecx
:004080D5 2BF9
sub edi, ecx
:004080D7 8BD1
mov edx, ecx
:004080D9 8BF7
mov esi, edi
:004080DB 8BFB
mov edi, ebx
:004080DD C1E902
shr ecx, 02
:004080E0 F3
repz
:004080E1 A5
movsd
:004080E2 8BCA
mov ecx, edx
:004080E4 83E103
and ecx, 00000003
:004080E7 F3
repz
:004080E8 A4
movsb
// copy "Guest" to EBX
:004080E9 8B742410 mov esi,
dword ptr [esp+10]
:004080ED B905000000
mov ecx, 00000005
// }
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004080C5(C)
|
:004080F2 8BC5
mov eax, ebp
// set EAX = (0X0F - IdxCodeFirstCharInStr)
:004080F4
99 cdq
:004080F5
F7F9 idiv ecx
// EDX = EAX % ECX
// ECX = (NameIdLen % 7) ? (NameIdLen % 7) : 5 ;
// EBX = (NameIdLen % 7) ? NameId : "Guest"
// set EDX = (0X0F - IdxCodeFirstCharInStr) % ECX
:004080F7 0FBE041A
movsx eax, byte ptr [edx+ebx]
// set EAX = (int)(signed char)[EBX+EDX]  (movsx sign-extends the byte)
:004080FB 250F000080
and eax, 8000000F
:00408100 7905
jns 00408107
:00408102 48
dec eax
:00408103 83C8F0
or eax, FFFFFFF0
:00408106 40
inc eax
// ??? — this and/jns/dec/or/inc sequence is the compiler's idiom for a signed eax % 16;
// a high-bit (e.g. Chinese) byte gives a negative result here, so this is either
// deliberate support for such characters or a bug
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408100(C)
|
:00408107 8A8828D54100
mov cl, byte ptr [eax+0041D528]
:0040810D 8A442415
mov al, byte ptr [esp+15]
:00408111
3AC8 cmp cl, al
:00408113 740A
je 0040811F // must jmp
// sCode[1] = str[eax]
* Possible StringData Ref from Data Obj ->"99#SDFG^*&"
|
:00408115 BF5CD54100
mov edi, 0041D55C
:0040811A E9C5000000
jmp 004081E4
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00408113(C)
|
:0040811F 8D46FD lea eax, dword ptr
[esi-03]
// eax = CodeLen - 3
:00408122 33FF
xor edi, edi
:00408124 99
cdq
:00408125 2BC2
sub eax, edx
:00408127 D1F8
sar eax, 1
:00408129 85C0
test eax, eax
:0040812B 0F8E8F000000
jle 004081C0
:00408131 8D742416
lea esi, dword ptr [esp+16]
// ESI = &Code[2];
// for(;;) // 004081B6
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004081B6(C)
|
:00408135 8A5601 mov dl, byte
ptr [esi+01]
// DL = Code[2+2*EAX+1]
:00408138 33C9
xor ecx, ecx
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00408146(C)
|
:0040813A 389128D54100 cmp byte ptr
[ecx+0041D528], dl
:00408140 741C
je 0040815E // must jmp (ecx
<0x10)
:00408142 41
inc ecx
:00408143 83F910 cmp
ecx, 00000010
:00408146 7CF2
jl 0040813A
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:00408161(C)
|
:00408148 32D2
xor dl, dl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408173(C),
:0040817A(U)
|
:0040814A 8A1E
mov bl, byte ptr [esi]
// BL = Code[2+2*EAX+1]
:0040814C 33C9
xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:0040815A(C)
|
:0040814E 389928D54100
cmp byte ptr [ecx+0041D528], bl
:00408154 7426
je 0040817C //
must jmp (ecx<0x10)
:00408156 41
inc ecx
:00408157 83F910
cmp ecx, 00000010
:0040815A 7CF2
jl 0040814E
:0040815C EB3A
jmp 00408198
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:00408140(C)
|
:0040815E 83F910
cmp ecx, 00000010
:00408161 7DE5
jge 00408148
:00408163
2BCD sub ecx, ebp
:00408165 81C1803E0000 add ecx,
00003E80
:0040816B 8BD1
mov edx, ecx
:0040816D 81E20F000080
and edx, 8000000F
// edx = (ecx - ebp + 0x3e80) & 0x0f
:00408173 79D5
jns 0040814A
:00408175 4A
dec edx
:00408176 83CAF0 or edx,
FFFFFFF0
:00408179 42
inc edx
:0040817A EBCE
jmp 0040814A
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00408154(C)
|
:0040817C 83F910
cmp ecx, 00000010
:0040817F 7D17
jge 00408198
:00408181 2BCD
sub ecx, ebp
:00408183 81C1803E0000
add ecx, 00003E80
:00408189 81E10F000080
and ecx, 8000000F
// ecx = (ecx - ebp + 0x3e80) & 0x0f
:0040818F 7909
jns 0040819A
:00408191 49
dec ecx
:00408192 83C9F0
or ecx, FFFFFFF0
:00408195 41
inc ecx
:00408196 EB02
jmp 0040819A
* Referenced by a (U)nconditional or
(C)onditional Jump at Addresses:
|:0040815C(U), :0040817F(C)
|
:00408198 32C9
xor cl, cl
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:0040818F(C), :00408196(U)
|
:0040819A 8AD9
mov bl, cl
:0040819C 83C602
add esi, 00000002
:0040819F C0E304
shl bl, 04
:004081A2 02DA
add bl, dl
:004081A4 8B9424E0000000
mov edx, dword ptr [esp+000000E0]
:004081AB 0FBEC9
movsx ecx, cl
:004081AE 881C17
mov byte ptr [edi+edx], bl
// pCode[edi] = (CL << 4) + DL   (edx holds the pCode pointer, edi is the index)
// pCode must be "Clayman".
:004081B1 03E9
add ebp, ecx
// important
// ebp += ecx
:004081B3 47
inc edi
:004081B4 3BF8
cmp edi, eax
:004081B6 0F8C79FFFFFF
jl 00408135
:004081BC 8B742410
mov esi, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0040812B(C)
|
:004081C0 8D542EFD
lea edx, dword ptr [esi+ebp-03]
:004081C4 81E20F000080
and edx, 8000000F
// edx = (esi + ebp - 3) & 0x8000000f
:004081CA 7905
jns 004081D1
:004081CC 4A
dec edx
:004081CD 83CAF0
or edx, FFFFFFF0
:004081D0 42
inc edx
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004081CA(C)
|
:004081D1 8A4C3413
mov cl, byte ptr [esp+esi+13]
:004081D5
8A9A28D54100 mov bl, byte ptr [edx+0041D528]
:004081DB 3ACB
cmp cl, bl
:004081DD 7432
je 00408211 // must jmp
// sCode last char: sCode[16] = str[edx]
* Possible StringData Ref from Data Obj ->"45#SDFG^*&"
|
:004081DF BF50D54100 mov edi,
0041D550
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0040811A(U)
|
:004081E4 83C9FF
or ecx, FFFFFFFF
:004081E7 33C0
xor eax, eax
:004081E9 F2
repnz
:004081EA AE
scasb
:004081EB F7D1
not ecx
:004081ED 2BF9
sub edi, ecx
:004081EF 8BD1
mov edx, ecx
:004081F1 8BF7
mov esi, edi
:004081F3 8BBC24E0000000
mov edi, dword ptr [esp+000000E0]
:004081FA C1E902
shr ecx, 02
:004081FD F3
repz
:004081FE A5
movsd
:004081FF 8BCA
mov ecx, edx
:00408201 83E103
and ecx, 00000003
:00408204 F3
repz
:00408205 A4
movsb
:00408206
5F pop edi
:00408207 5E pop
esi
:00408208 5D
pop ebp
:00408209 5B
pop ebx
:0040820A 81C4CC000000
add esp, 000000CC
:00408210 C3
ret
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:004081DD(C)
|
:00408211 8B8C24E0000000
mov ecx, dword ptr [esp+000000E0]
:00408218 5F
pop edi
:00408219 5E
pop esi
:0040821A 5D
pop ebp
:0040821B C6040800
mov byte ptr [eax+ecx], 00
// pCode[strlen(pCode)] = '\0'
:0040821F 5B
pop ebx
:00408220 81C4CC000000
add esp, 000000CC
:00408226 C3
ret