下載地址http://soft.yzvod.com/down.php?id=4322
這是一個簡單好用的反安裝軟體, 具有對系統安裝檢測功能,能記錄你硬碟上新增的檔案和改變的設定。當你需要時,能徹底地安全地刪除你安裝的應用程式,使系統恢復安裝前的狀態。
該軟體沒有加殼,Delphi編寫,用DeDe反彙編後匯出uninstallm.map檔案,然後用Ollydbg載入,LoadMap外掛載入uninstallm.map檔案
在uninstallm.map中可以看到TAboutBox@decode,可以看出來這是註冊解碼模組,猜想註冊演算法就在其中
如果我們想透過反彙編查詢Thanks for your registration和Sorry ...我們是找不到的:-)
但是你可以發現如下兩個字串
\`ifc{(ngz(qg}z(zmoa{|zi|agf
[gzzq(fg|(i(kgzzmk|(zmo(cmq
當我們輸入註冊資訊後,軟體先判斷註冊碼是不是正確,然後把上面兩個字串分別經過這一段程式就可以解碼成我們想找的東東了
004A9AEA |> /8D45 F4 /lea eax,dword ptr ss:[ebp-C] ;這裡就是上面的那兩個字串
004A9AED |. |8B55 FC |mov edx,dword ptr ss:[ebp-4]
004A9AF0 |. |8A5432 FF |mov dl,byte ptr ds:[edx+esi-1]
004A9AF4 |. |80F2 0B |xor dl,0B
004A9AF7 |. |80F2 03 |xor dl,3
004A9AFA |. |E8 51B2F5FF |call uninsman.00404D50
004A9AFF |. |8B55 F4 |mov edx,dword ptr ss:[ebp-C]
004A9B02 |. |8D45 F8 |lea eax,dword ptr ss:[ebp-8]
004A9B05 |. |E8 26B3F5FF |call uninsman.00404E30
004A9B0A |. |46 |inc esi
004A9B0B |. |4B |dec ebx
004A9B0C |.^\75 DC \jnz short uninsman.004A9AEA
如果註冊正確的話會在HKEY_CURRENT_USER\Software\NuMegaSoftware\UninstallManager建立
SubKey="Reg"
Value=""
這個Value是我們輸入的使用者名稱也經過上面的這段加密程式碼生成的,程式啟動時讀鍵值再解碼
下面是對TAboutBox@decode的簡單分析啦
004A61BC <>/$ 55 push ebp ; <-TAboutBox@decode
004A61BD |. 8BEC mov ebp,esp
004A61BF |. 33C9 xor ecx,ecx
004A61C1 |. 51 push ecx
004A61C2 |. 51 push ecx
004A61C3 |. 51 push ecx
004A61C4 |. 51 push ecx
004A61C5 |. 53 push ebx
004A61C6 |. 56 push esi
004A61C7 |. 57 push edi
004A61C8 |. 8BF0 mov esi,eax
004A61CA |. 33C0 xor eax,eax
004A61CC |. 55 push ebp
004A61CD |. 68 94624A00 push <uninsman.->System.@HandleFinally;>
004A61D2 |. 64:FF30 push dword ptr fs:[eax]
004A61D5 |. 64:8920 mov dword ptr fs:[eax],esp
004A61D8 |. 33DB xor ebx,ebx
004A61DA |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004A61DD <>|. 8B86 10030000 mov eax,dword ptr ds:[esi+310] ; *Edit1:TEdit
004A61E3 <>|. E8 6875FCFF call uninsman.0046D750 ; ->Controls.TControl.GetText(TControl):TCaption;
004A61E8 |. 837D F4 00 cmp dword ptr ss:[ebp-C],0 ;輸入使用者名稱了嗎?
004A61EC |. 74 7B je short uninsman.004A6269
004A61EE |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004A61F1 <>|. 8B86 10030000 mov eax,dword ptr ds:[esi+310] ; *Edit1:TEdit
004A61F7 <>|. E8 5475FCFF call uninsman.0046D750 ; ->Controls.TControl.GetText(TControl):TCaption;
004A61FC |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ;使用者名稱入eax
004A61FF <>|. E8 24ECF5FF call uninsman.00404E28 ; ->System.@LStrLen(String):Integer;<+>
004A6204 |. 8BF8 mov edi,eax
004A6206 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004A6209 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ;使用者名稱入eax
004A620C <>|. E8 572CF6FF call uninsman.00408E68 ; ->SysUtils.LowerCase(AnsiString):AnsiString;
004A6211 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ;大寫字母變為小寫
004A6214 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
004A6217 <>|. E8 E4E9F5FF call uninsman.00404C00 ; ->System.@LStrLAsg(void;void;void;void);
004A621C |. 33DB xor ebx,ebx
004A621E |. 85FF test edi,edi
004A6220 |. 7E 1D jle short uninsman.004A623F
004A6222 |. B8 01000000 mov eax,1
004A6227 |> 8B55 FC /mov edx,dword ptr ss:[ebp-4] ;使用者名稱的acsii碼相加
004A622A |. 8A5402 FF |mov dl,byte ptr ds:[edx+eax-1]
004A622E |. 80FA 20 |cmp dl,20
004A6231 |. 74 08 |je short uninsman.004A623B
004A6233 |. 81E2 FF000000 |and edx,0FF
004A6239 |. 03DA |add ebx,edx
004A623B |> 40 |inc eax
004A623C |. 4F |dec edi
004A623D |.^ 75 E8 \jnz short uninsman.004A6227
004A623F |> 81F3 89000000 xor ebx,89
004A6245 |. 83F3 33 xor ebx,33
004A6248 |. 43 inc ebx
004A6249 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004A624C <>|. 8B86 14030000 mov eax,dword ptr ds:[esi+314] ; *Edit2:TEdit
004A6252 <>|. E8 F974FCFF call uninsman.0046D750 ; ->Controls.TControl.GetText(TControl):TCaption;
004A6257 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004A625A <>|. E8 C131F6FF call uninsman.00409420 ; ->SysUtils.StrToInt(AnsiString):Integer;
004A625F |. 3BD8 cmp ebx,eax ;關鍵比較處
004A6261 |. 75 04 jnz short uninsman.004A6267
004A6263 |. B3 01 mov bl,1
004A6265 |. EB 02 jmp short uninsman.004A6269
004A6267 |> 33DB xor ebx,ebx
004A6269 |> 33C0 xor eax,eax
004A626B |. 5A pop edx
004A626C |. 59 pop ecx
004A626D |. 59 pop ecx
004A626E |. 64:8910 mov dword ptr fs:[eax],edx
004A6271 |. 68 9B624A00 push uninsman.004A629B
004A6276 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004A6279 <>|. E8 EAE8F5FF call uninsman.00404B68 ; ->System.@LStrClr(void;void);
004A627E |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004A6281 <>|. E8 E2E8F5FF call uninsman.00404B68 ; ->System.@LStrClr(void;void);
004A6286 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004A6289 |. BA 02000000 mov edx,2
004A628E <>|. E8 F9E8F5FF call uninsman.00404B8C ; ->System.@LStrArrayClr(void;void;Integer);
004A6293 \. C3 retn
下面是自注冊機的C++原始碼,VS.net下編譯透過
#include <iostream.h>
#include <string.h>
#include <ctype.h>
#include <Windows.h>
main()
{
MessageBox(NULL,"Remove it first:-)","Coded by Cnbragon",MB_OK);
char Name[30],LowerName[30];
char ValueData[30]="I@";
char Value[30];
int RegKey,d=0;
cout<<"Please input your name:";
cin>>Name;
int l;
l=strlen(Name);
for(int i=0;i<l;i++)
LowerName[i]=tolower(Name[i]);
for(i=0;i<l;i++)
{
d+=toascii(LowerName[i]);
}
RegKey=d^0x89^0x33;
RegKey++;
cout<<"Your Registration Key is:"<<RegKey<<"\n";
cout<<"Do u want me to Register Automatically for u?(Y/Other) "<<endl;
char ch;
cin>>ch;
if(toupper(ch)=='Y')
{
for(i=0;i<strlen(Name);i++)
{
Value[i]=Name[i]^0x3^0xB;
}
Value[i]='\0';
strcat(ValueData,Value);
HKEY hKey;
char SubKeyName[] = "Software\\NoktaSoftware\\UninstallManager";
char ValueName[] = "Reg";
DWORD BufferSize;
DWORD pDisposition[64];
if ( RegCreateKeyEx(HKEY_CURRENT_USER, SubKeyName,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,pDisposition) != ERROR_SUCCESS )
{
cout<<"Error: RegCreateKeyEx"<<endl;
return -1;
}
BufferSize = sizeof(ValueData);
if (RegSetValueEx(hKey, ValueName, 0, REG_SZ,(BYTE *)ValueData, BufferSize) != ERROR_SUCCESS)
{
cout<<"Error: RegSetValueEx"<<endl;
RegCloseKey( hKey);
return -1;
}
RegCloseKey( hKey );
MessageBox(NULL,"Successfully Registered 886 ^_^","Coded by Cnbragon",MB_OK);
}
else
MessageBox(NULL,"Remove it :-)","Coded by Cnbragon",MB_OK);
return 0;
}