Cracking xplorer2 and Writing a Keygen
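【Target】xplorer2 V1.1.0.2, http://www2.skycn.com/soft/21143.html
【Software description】xplorer2 is the successor to 2xExplorer. It has a brand-new, very friendly interface and works exactly like Windows Explorer, so you can use it right away without having to learn anything.
■>>>> xplorer2 is small, yet it offers quite avant-garde, distinctive and rich features:
① A very creative "temporary scrap container"; you only find out how good it is once you have used it!
② One folder-tree pane and two browsing panes; files can be viewed as large icons, details and so on (exactly like Windows! Have you used Total Commander or EF Commander? They are dual-pane too, but the icons they show are smaller, so just use xplorer2!)
③ Quick bookmarks, batch renaming, and convenient keyboard shortcuts.
④ Powerful file search, clear per-folder statistics so you can see everything at a glance, and file split/merge/permanent-delete functions.
⑤ Instant preview of text and many types of multimedia files (requires the corresponding system plug-ins; installing Baofeng Yingyin (暴風影音) or similar is recommended).
⑥ Excellent command-line execution with a built-in DOS console, so running DOS commands no longer needs a black console window!
⑦ Hints everywhere, so it is very quick to pick up.
⑧ Comes with a decent text editor, much better than Windows Notepad.
⑨ No marginal features such as FTP (after all, FlashFXP is the professional choice!), and so on...
In short, this is an enhanced file manager with rich features, a clean interface, simple operation and a very slim footprint!
【Statement】Just for interest
【Tools】peid, odbg, etc.
【Author】peansen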
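First, take a look with peid: heh, no packer, VC++. Don't celebrate too early.
Note this: if you set a breakpoint in the program (memory breakpoints count too), you will hear three beeps (or the program dies without any explanation).
This shows that the program contains a self-check, which makes tracing harder and rules out simple patching. Of course, you could remove it,
but here I want to give a keygen rather than use brute force, so I put up with it.
First enter an arbitrary string and try it; the program tells you the string must be ~200 characters (in fact exactly 200), and so on.
Find that code, as follows: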
.text:0043F1CF Sub_PreProcessKey proc near ; CODE XREF: sub_43EF3C+A9p
.text:0043F1CF
.text:0043F1CF Var_Handle = dword ptr -4
.text:0043F1CF Arg_0C = word ptr 0Ch
.text:0043F1CF
.text:0043F1CF push ebp
.text:0043F1D0 mov ebp, esp
.text:0043F1D2 push ecx
.text:0043F1D3 cmp [ebp+Arg_0C], 1
.text:0043F1D8 push ebx
.text:0043F1D9 push esi
.text:0043F1DA push edi
.text:0043F1DB mov edi, ecx
.text:0043F1DD jnz loc_43F29F
.text:0043F1E3 mov eax, dword_46AB68
.text:0043F1E8 push 47Ah ; nIDDlgItem
.text:0043F1ED push dword ptr [edi+4] ; hDlg
.text:0043F1F0 mov [ebp+Var_Handle], eax
.text:0043F1F3 call ds:GetDlgItem
.text:0043F1F9 mov ebx, eax
.text:0043F1FB lea eax, [ebp+Var_Handle]
.text:0043F1FE push eax
.text:0043F1FF push ebx
.text:0043F200 call sub_43278B
.text:0043F205 pop ecx
.text:0043F206 pop ecx
.text:0043F207 lea ecx, [ebp+Var_Handle]
.text:0043F20A call sub_401BA2
.text:0043F20F lea ecx, [ebp+Var_Handle]
.text:0043F212 call sub_405DF2
.text:0043F217 mov esi, offset word_46FDAC
.text:0043F21C lea ecx, [ebp+Var_Handle]
.text:0043F21F push esi
.text:0043F220 push offset asc_46D6C4 ; "\n"
.text:0043F225 call sub_41874D
.text:0043F22A push esi
.text:0043F22B push offset asc_46B070 ; "\t"
.text:0043F230 lea ecx, [ebp+Var_Handle]
.text:0043F233 call sub_41874D
.text:0043F238 push esi
.text:0043F239 push offset asc_46DFB0 ; "\r"
.text:0043F23E lea ecx, [ebp+Var_Handle]
.text:0043F241 call sub_41874D
.text:0043F246 push esi
.text:0043F247 push offset asc_46AFDC ; " "
.text:0043F24C lea ecx, [ebp+Var_Handle]
.text:0043F24F call sub_41874D
The code above removes '\n', '\t', '\r' and ' ' from the characters you entered.
.text:0043F254 mov ecx, [ebp+Var_Handle]
.text:0043F257 mov eax, [ecx-8]
.text:0043F25A test eax, eax
.text:0043F25C jz short loc_43F297
.text:0043F25E mov edx, 0C8h
.text:0043F263 cmp eax, edx
.text:0043F265 jnz short loc_43F2B6
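This compares the length against 0xC8 = 200; any other length is an error.
Because breakpoints cannot be set in advance, everything has to wait until the registration dialog has appeared (that is, until the self-check has finished) before you set them.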
.text:0043F267 xor esi, esi
.text:0043F269
.text:0043F269 loc_43F269: ; CODE XREF: Sub_PreProcessKey+BAj
.text:0043F269 mov ax, [ecx]
.text:0043F26C inc ecx
.text:0043F26D inc ecx
.text:0043F26E cmp ax, 30h
.text:0043F272 jb short loc_43F27A
.text:0043F274 cmp ax, 39h
.text:0043F278 jbe short loc_43F286
.text:0043F27A
.text:0043F27A loc_43F27A: ; CODE XREF: Sub_PreProcessKey+A3j
.text:0043F27A cmp ax, 41h
.text:0043F27E jb short loc_43F2B6
.text:0043F280 cmp ax, 46h
.text:0043F284 ja short loc_43F2B6
.text:0043F286
.text:0043F286 loc_43F286: ; CODE XREF: Sub_PreProcessKey+A9j
.text:0043F286 inc esi
.text:0043F287 cmp esi, edx
.text:0043F289 jl short loc_43F269
This section checks that every character of your registration code is in the range 0-9 or A-F.
.text:0043F28B lea eax, [ebp+Var_Handle]
.text:0043F28E lea ecx, [edi+1Ch]
.text:0043F291 push eax
.text:0043F292 call sub_40169C
.text:0043F297
.text:0043F297 loc_43F297: ; CODE XREF: Sub_PreProcessKey+8Dj
.text:0043F297 lea ecx, [ebp+Var_Handle]
.text:0043F29A call sub_401541
.text:0043F29F
.text:0043F29F loc_43F29F: ; CODE XREF: Sub_PreProcessKey+Ej
.text:0043F29F movzx eax, [ebp+Arg_0C]
.text:0043F2A3 push eax ; nResult
.text:0043F2A4 push dword ptr [edi+4] ; hDlg
.text:0043F2A7 call ds:EndDialog
.text:0043F2AD
.text:0043F2AD loc_43F2AD: ; CODE XREF: Sub_PreProcessKey+138j
.text:0043F2AD pop edi
.text:0043F2AE pop esi
.text:0043F2AF xor eax, eax
.text:0043F2B1 pop ebx
.text:0043F2B2 leave
.text:0043F2B3 retn 10h
.text:0043F2B6 ; ---------------------------------------------------------------------------
.text:0043F2B6
.text:0043F2B6 loc_43F2B6: ; CODE XREF: Sub_PreProcessKey+96j
.text:0043F2B6 ; Sub_PreProcessKey+AFj ...
.text:0043F2B6 mov eax, TlsIndex
.text:0043F2BB mov ecx, large fs:2Ch
.text:0043F2C2 push 2767h
.text:0043F2C7 push 10h
.text:0043F2C9 mov eax, [ecx+eax*4]
.text:0043F2CC push dword ptr [eax+4]
.text:0043F2D2 call sub_437845
.text:0043F2D7 mov esi, ds:SendMessageW
.text:0043F2DD add esp, 0Ch
.text:0043F2E0 push 0FFFFFFFFh ; lParam
.text:0043F2E2 push 0 ; wParam
.text:0043F2E4 push 0B1h ; Msg
.text:0043F2E9 push ebx ; hWnd
.text:0043F2EA call esi ; SendMessageW
.text:0043F2EC push 0 ; lParam
.text:0043F2EE push 0 ; wParam
.text:0043F2F0 push 0B7h ; Msg
.text:0043F2F5 push ebx ; hWnd
.text:0043F2F6 call esi ; SendMessageW
.text:0043F2F8 push ebx ; hWnd
.text:0043F2F9 call ds:SetFocus
.text:0043F2FF lea ecx, [ebp+Var_Handle]
.text:0043F302 call sub_401541
.text:0043F307 jmp short loc_43F2AD
.text:0043F307 Sub_PreProcessKey endp
.text:0043F307
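The three checks annotated in the listing above (separator removal, the 200-character length test, and the 0-9/A-F range test), written out in C as an added example; it is not code from the original post or from xplorer2. It uses narrow `char` strings where the program works on 16-bit characters, does not model the unshown calls `sub_401BA2` and `sub_405DF2`, and its function names and status codes are made up for illustration; it covers only this format pre-check, not the later validity check.

```c
#include <stddef.h>
#include <stdio.h>

#define KEY_LEN 200 /* 0C8h, the constant loaded into edx at 0043F25E */

/* Hypothetical status codes; the program itself only branches. */
enum key_status { KEY_OK = 0, KEY_EMPTY, KEY_BAD_LENGTH, KEY_BAD_CHAR };

/* Copy src to dst without '\n', '\t', '\r' and ' ' (the four removals
 * done through sub_41874D). Returns the cleaned length, or (size_t)-1
 * when dst is too small to hold the result. */
static size_t strip_separators(const char *src, char *dst, size_t dst_size)
{
    size_t n = 0;
    if (dst_size == 0)
        return (size_t)-1;
    for (; *src; ++src) {
        if (*src == '\n' || *src == '\t' || *src == '\r' || *src == ' ')
            continue;
        if (n + 1 >= dst_size)
            return (size_t)-1;
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return n;
}

/* Format pre-check in the same order as the listing:
 * empty -> dialog simply closes (jz loc_43F297),
 * length != 200 -> error path (loc_43F2B6),
 * any character outside '0'..'9' / 'A'..'F' -> error path. */
enum key_status precheck_key(const char *input, char *cleaned,
                             size_t cleaned_size)
{
    size_t len = strip_separators(input, cleaned, cleaned_size);
    if (len == (size_t)-1)
        return KEY_BAD_LENGTH;
    if (len == 0)
        return KEY_EMPTY;
    if (len != KEY_LEN)
        return KEY_BAD_LENGTH;
    for (size_t i = 0; i < len; ++i) {
        unsigned char c = (unsigned char)cleaned[i];
        int is_digit = (c >= 0x30 && c <= 0x39); /* cmp ax,30h / 39h */
        int is_upper = (c >= 0x41 && c <= 0x46); /* cmp ax,41h / 46h */
        if (!is_digit && !is_upper)
            return KEY_BAD_CHAR;
    }
    return KEY_OK;
}

/* Constructed sample input: ndigits hex digits cycling 0..F, with a
 * space after every 8 digits and CRLF after every 40, the way a pasted
 * key block might be wrapped. It only exercises the format check. */
static void make_sample(char *out, size_t ndigits, int lowercase)
{
    static const char up[] = "0123456789ABCDEF";
    static const char lo[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < ndigits; ++i) {
        out[o++] = (lowercase ? lo : up)[i % 16];
        if ((i + 1) % 40 == 0) {
            out[o++] = '\r';
            out[o++] = '\n';
        } else if ((i + 1) % 8 == 0) {
            out[o++] = ' ';
        }
    }
    out[o] = '\0';
}

/* Build a constructed sample and run the pre-check on it. */
int demo_check(size_t ndigits, int lowercase)
{
    char raw[512];
    char cleaned[KEY_LEN + 64];
    if (ndigits > 256)
        return KEY_BAD_LENGTH;
    make_sample(raw, ndigits, lowercase);
    return precheck_key(raw, cleaned, sizeof cleaned);
}

int main(void)
{
    printf("200 upper-case digits, wrapped: %d\n", demo_check(200, 0));
    printf("199 digits:                     %d\n", demo_check(199, 0));
    printf("200 lower-case digits:          %d\n", demo_check(200, 1));
    printf("separators only / empty:        %d\n", demo_check(0, 0));
    return 0;
}
```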
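Here, whether the registration code is right or wrong, the program uses PostMessage to hand the result to the message handler, where everything is processed in one place. Breaking on the final error message is therefore useless, because we have no idea which piece of code sent the message.
So all we can do is set breakpoints on the memory holding the key and slowly analyze each place where a memory breakpoint hits.
Finally, a fairly valuable place turns up: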
.text:00404D84 ; Attributes: bp-based frame
.text:00404D84
.text:00404D84 sub_404D84 proc near ; CODE XREF: sub_43EA3D+281p
.text:00404D84 ; sub_43F7DD+79p ...
.text:00404D84
.text:00404D84 var_32E4 = dword ptr -32E4h
.text:00404D84 var_32E0 = dword ptr -32E0h
.text:00404D84 var_32DC = dword ptr -32DCh
.text:00404D84 Buffer = dword ptr -22E4h
.text:00404D84 var_22E0 = dword ptr -22E0h
.text:00404D84 var_22DC = dword ptr -22DCh
.text:00404D84 Data = byte ptr -12E4h
.text:00404D84 var_2E4 = dword ptr -2E4h
.text:00404D84 var_80 = dword ptr -80h
.text:00404D84 var_7C = dword ptr -7Ch
.text:00404D84 LastWriteTime = FILETIME ptr -78h
.text:00404D84 var_70 = dword ptr -70h
.text:00404D84 var_6C = word ptr -6Ch
.text:00404D84 var_68 = dword ptr -68h
.text:00404D84 var_64 = dword ptr -64h
.text:00404D84 SystemTimeAsFileTime= _FILETIME ptr -60h
.text:00404D84 var_58 = dword ptr -58h
.text:00404D84 var_54 = dword ptr -54h
.text:00404D84 var_50 = dword ptr -50h
.text:00404D84 NumberOfBytesRead= dword ptr -4Ch
.text:00404D84 cbData = dword ptr -48h
.text:00404D84 var_44 = dword ptr -44h
.text:00404D84 var_40 = dword ptr -40h
.text:00404D84 lpValueName = dword ptr -3Ch
.text:00404D84 var_38 = dword ptr -38h
.text:00404D84 Var_CalClassAddr= dword ptr -34h
.text:00404D84 var_30 = dword ptr -30h
.text:00404D84 var_2C = dword ptr -2Ch
.text:00404D84 var_28 = dword ptr -28h
.text:00404D84 NumberOfBytesWritten= dword ptr -24h
.text:00404D84 nNumberOfBytesToWrite= dword ptr -20h
.text:00404D84 var_1C = dword ptr -1Ch
.text:00404D84 lpFileName = dword ptr -18h
.text:00404D84 hKey = dword ptr -14h
.text:00404D84 hFile = dword ptr -10h
.text:00404D84 var_C = dword ptr -0Ch
.text:00404D84 Type = dword ptr -8
.text:00404D84 var_4 = dword ptr -4
.text:00404D84 Arg_Key = dword ptr 8
.text:00404D84
.text:00404D84 push ebp
.text:00404D85 mov ebp, esp
.text:00404D87 mov eax, 32E4h
.text:00404D8C call __alloca_probe
.text:00404D91 push ebx
.text:00404D92 push esi
.text:00404D93 push edi
.text:00404D94 lea eax, [ebp+SystemTimeAsFileTime]
.text:00404D97 xor edi, edi
.text:00404D99 push eax ; lpSystemTimeAsFileTime
.text:00404D9A mov [ebp+Var_CalClassAddr], ecx
.text:00404D9D mov [ecx+31Ch], edi
.text:00404DA3 call ds:GetSystemTimeAsFileTime
.text:00404DA9 mov ebx, 0A3h
.text:00404DAE lea eax, [ebp+var_28]
.text:00404DB1 push ebx
.text:00404DB2 push offset unk_46ABC4 ; decrypts to: %windir%
.text:00404DB7 push eax
.text:00404DB8 call sub_432191 ; string decryption; args: address, string, mask
.text:00404DBD mov eax, dword_46AB68
.text:00404DC2 push ebx
.text:00404DC3 mov [ebp+var_C], eax
.text:00404DC6 mov [ebp+lpFileName], eax
.text:00404DC9 lea eax, [ebp+Type]
.text:00404DCC push offset unk_46ABD0 ; decrypts to: the registry location
.text:00404DD1 push eax
.text:00404DD2 mov word ptr [ebp+var_70], 3Ah
.text:00404DD8 mov word ptr [ebp+var_70+2], 2
.text:00404DDE mov [ebp+var_6C], di
.text:00404DE2 call sub_432191 ; string decryption; args: address, string, mask
.text:00404DE7 add esp, 18h
.text:00404DEA lea ecx, [ebp+var_68]
.text:00404DED push dword ptr [eax]
.text:00404DEF call Sub_NewBuffAndCopy ; allocates a new buffer and copies into it
.text:00404DF4 lea ecx, [ebp+Type]
.text:00404DF7 mov [ebp+var_64], 80000002h
.text:00404DFE call sub_401541
.text:00404E03 mov eax, TlsIndex
.text:00404E08 mov ecx, large fs:2Ch
.text:00404E0F push ebx
.text:00404E10 push offset unk_46ABF8 ; decrypts to: v1_install
.text:00404E15 mov eax, [ecx+eax*4]
.text:00404E18 mov [ebp+hKey], edi
.text:00404E1B mov [ebp+var_58], eax
.text:00404E1E mov eax, [eax+4]
.text:00404E24 mov eax, [eax+1B0h]
.text:00404E2A and eax, 400h
.text:00404E2F mov [ebp+var_54], eax
.text:00404E32 lea eax, [ebp+lpValueName]
.text:00404E35 push eax
.text:00404E36 call sub_432191 ; string decryption; args: address, string, mask
.text:00404E3B add esp, 0Ch
.text:00404E3E lea ecx, [ebp+var_2E4]
.text:00404E44 mov [ebp+var_1C], edi
.text:00404E47 mov [ebp+var_40], edi
.text:00404E4A push offset word_46FDAC
.text:00404E4F mov [ebp+var_44], edi
.text:00404E52 mov [ebp+var_4], edi
.text:00404E55 call sub_433F7F
.text:00404E5A push 1
.text:00404E5C lea eax, [ebp+var_28]
.text:00404E5F pop esi
.text:00404E60 lea ecx, [ebp+var_30]
.text:00404E63 push eax
.text:00404E64 mov [ebp+var_30], edi
.text:00404E67 mov [ebp+var_2C], esi
.text:00404E6A call sub_406242 ; get the environment variable
.text:00404E6F lea eax, [ebp+Type]
.text:00404E72 lea ecx, [ebp+var_30]
.text:00404E75 push eax
.text:00404E76 call sub_406457
.text:00404E7B push eax
.text:00404E7C lea ecx, [ebp+var_28]
.text:00404E7F call sub_40169C
.text:00404E84 lea ecx, [ebp+Type]
.text:00404E87 call sub_401541
.text:00404E8C cmp [ebp+var_30], edi
.text:00404E8F jz short loc_404EA2
.text:00404E91 mov eax, dword_46FD9C
.text:00404E96 push [ebp+var_30]
.text:00404E99 mov ecx, [eax]
.text:00404E9B push eax
.text:00404E9C call dword ptr [ecx+14h]
.text:00404E9F mov [ebp+var_30], edi
.text:00404EA2
.text:00404EA2 loc_404EA2: ; CODE XREF: sub_404D84+10Bj
.text:00404EA2 mov eax, [ebp+var_28]
.text:00404EA5 cmp [eax-8], edi
.text:00404EA8 jnz short loc_404EB1
.text:00404EAA mov edi, esi
.text:00404EAC jmp loc_40552E ; jump to the environment-variable lookup error
.text:00404EB1 ; ---------------------------------------------------------------------------
.text:00404EB1
.text:00404EB1 loc_404EB1: ; CODE XREF: sub_404D84+124j
.text:00404EB1 push ebx
.text:00404EB2 lea eax, [ebp+var_38] ; decrypts to neoqaz2.dll
.text:00404EB5 push offset aSn ; encrypted string
.text:00404EBA push eax
.text:00404EBB call sub_432191 ; string decryption; args: address, string, mask
.text:00404EC0 push dword ptr [eax]
.text:00404EC2 lea eax, [ebp+var_28]
.text:00404EC5 push eax
.text:00404EC6 lea eax, [ebp+Type]
.text:00404EC9 push eax
.text:00404ECA call sub_42FDC6
.text:00404ECF add esp, 18h
.text:00404ED2 lea ecx, [ebp+lpFileName]
.text:00404ED5 push eax
.text:00404ED6 call sub_40169C
.text:00404EDB lea ecx, [ebp+Type]
.text:00404EDE call sub_401541 ; delete[], matching the earlier new
.text:00404EE3 lea ecx, [ebp+var_38]
.text:00404EE6 call sub_401541
.text:00404EEB push 0 ; hTemplateFile
.text:00404EED mov esi, ds:CreateFileW
.text:00404EF3 push 80h ; dwFlagsAndAttributes
.text:00404EF8 push 3 ; dwCreationDisposition
.text:00404EFA push 0 ; lpSecurityAttributes
.text:00404EFC mov edi, 80000000h
.text:00404F01 push 3 ; dwShareMode
.text:00404F03 push edi ; dwDesiredAccess
.text:00404F04 push [ebp+lpFileName] ; lpFileName
.text:00404F07 call esi ; CreateFileW
.text:00404F09 cmp eax, 0FFFFFFFFh
.text:00404F0C mov [ebp+hFile], eax
.text:00404F0F jz short loc_404F77
.text:00404F11 lea eax, [ebp+NumberOfBytesRead]
.text:00404F14 push 0 ; lpOverlapped
.text:00404F16 push eax ; lpNumberOfBytesRead
.text:00404F17 lea eax, [ebp+Buffer]
.text:00404F1D push 0FFFh ; nNumberOfBytesToRead
.text:00404F22 push eax ; lpBuffer
.text:00404F23 push [ebp+hFile] ; hFile
.text:00404F26 mov [ebp+var_4], 9
.text:00404F2D call ds:ReadFile
.text:00404F33 test eax, eax
.text:00404F35 jz short loc_404F67
.text:00404F37 mov ecx, [ebp+NumberOfBytesRead]
.text:00404F3A cmp ecx, 8
.text:00404F3D jb short loc_404F67
.text:00404F3F lea ecx, [ebp+ecx+Buffer]
.text:00404F46 lea edx, [ebp+Buffer]
.text:00404F4C cmp edx, ecx
.text:00404F4E lea eax, [ebp+Buffer]
.text:00404F54 jnb short loc_404F5E
.text:00404F56
.text:00404F56 loc_404F56: ; CODE XREF: sub_404D84+1D8j
.text:00404F56 xor byte ptr [eax], 5Dh
.text:00404F59 inc eax
.text:00404F5A cmp eax, ecx
.text:00404F5C jb short loc_404F56
.text:00404F5E
.text:00404F5E loc_404F5E: ; CODE XREF: sub_404D84+1D0j
.text:00404F5E mov [ebp+var_40], 1
.text:00404F65 jmp short loc_404F6E
.text:00404F67 ; ---------------------------------------------------------------------------
.text:00404F67
.text:00404F67 loc_404F67: ; CODE XREF: sub_404D84+1B1j
.text:00404F67 ; sub_404D84+1B9j
.text:00404F67 mov [ebp+var_4], 19h
.text:00404F6E
.text:00404F6E loc_404F6E: ; CODE XREF: sub_404D84+1E1j
.text:00404F6E push [ebp+hFile] ; hObject
.text:00404F71 call ds:CloseHandle
.text:00404F77
.text:00404F77 loc_404F77: ; CODE XREF: sub_404D84+18Bj
.text:00404F77 push 1
.text:00404F79 push 0
.text:00404F7B lea ecx, [ebp+var_68]
.text:00404F7E call Sub_ReadReg ; read the registration info
.text:00404F83 test eax, eax
.text:00404F85 mov [ebp+hKey], eax
.text:00404F88 jnz short loc_404F9B
.text:00404F8A push eax
.text:00404F8B push eax
.text:00404F8C lea ecx, [ebp+var_68]
.text:00404F8F call Sub_ReadReg ; read the registration info
.text:00404F94 test eax, eax
.text:00404F96 mov [ebp+hKey], eax
.text:00404F99 jz short loc_405002
.text:00404F9B
.text:00404F9B loc_404F9B: ; CODE XREF: sub_404D84+204j
.text:00404F9B lea eax, [ebp+cbData]
.text:00404F9E and [ebp+Type], 0
.text:00404FA2 push eax ; lpcbData
.text:00404FA3 lea eax, [ebp+Data]
.text:00404FA9 push eax ; lpData
.text:00404FAA lea eax, [ebp+Type]
.text:00404FAD push eax ; lpType
.text:00404FAE push 0 ; lpReserved
.text:00404FB0 push [ebp+lpValueName] ; lpValueName
.text:00404FB3 mov [ebp+cbData], 0FFFh
.text:00404FBA push [ebp+hKey] ; hKey
.text:00404FBD call ds:RegQueryValueExW
.text:00404FC3 test eax, eax
.text:00404FC5 jnz short loc_405006
.text:00404FC7 or [ebp+var_4], 21h
.text:00404FCB cmp [ebp+cbData], 8
.text:00404FCF jb short loc_404FFC
.text:00404FD1 mov ecx, [ebp+cbData]
.text:00404FD4 lea edx, [ebp+Data]
.text:00404FDA lea eax, [ebp+Data]
.text:00404FE0 lea ecx, [ebp+ecx+Data]
.text:00404FE7 cmp edx, ecx
.text:00404FE9 jnb short loc_404FF3
.text:00404FEB
.text:00404FEB loc_404FEB: ; CODE XREF: sub_404D84+26Dj
.text:00404FEB xor byte ptr [eax], 12h
.text:00404FEE inc eax
.text:00404FEF cmp eax, ecx
.text:00404FF1 jb short loc_404FEB
.text:00404FF3
.text:00404FF3 loc_404FF3: ; CODE XREF: sub_404D84+265j
.text:00404FF3 mov [ebp+var_44], 1
.text:00404FFA jmp short loc_405006
.text:00404FFC ; ---------------------------------------------------------------------------
.text:00404FFC
.text:00404FFC loc_404FFC: ; CODE XREF: sub_404D84+24Bj
.text:00404FFC or [ebp+var_4], 40h
.text:00405000 jmp short loc_405006
.text:00405002 ; ---------------------------------------------------------------------------
.text:00405002
.text:00405002 loc_405002: ; CODE XREF: sub_404D84+215j
.text:00405002 or byte ptr [ebp+var_4+2], 8
.text:00405006
.text:00405006 loc_405006: ; CODE XREF: sub_404D84+241j
.text:00405006 ; sub_404D84+276j ...
.text:00405006 lea eax, [ebp+var_70]
.text:00405009 push eax
.text:0040500A lea eax, [ebp+var_28]
.text:0040500D push eax
.text:0040500E lea eax, [ebp+Type]
.text:00405011 push eax
.text:00405012 call sub_4016EC
.text:00405017 push eax
.text:00405018 lea ecx, [ebp+var_C]
.text:0040501B call sub_40169C
.text:00405020 lea ecx, [ebp+Type]
.text:00405023 call sub_401541
.text:00405028 cmp [ebp+var_54], 0
.text:0040502C jz short loc_405034
.text:0040502E or byte ptr [ebp+var_4+2], 4
.text:00405032 jmp short loc_4050AA
.text:00405034 ; ---------------------------------------------------------------------------
.text:00405034
.text:00405034 loc_405034: ; CODE XREF: sub_404D84+2A8j
.text:00405034 push 0 ; hTemplateFile
.text:00405036 push 80h ; dwFlagsAndAttributes
.text:0040503B push 3 ; dwCreationDisposition
.text:0040503D push 0 ; lpSecurityAttributes
.text:0040503F push 3 ; dwShareMode
.text:00405041 push edi ; dwDesiredAccess
.text:00405042 push [ebp+var_C] ; lpFileName
.text:00405045 call esi ; CreateFileW
.text:00405047 mov esi, eax
.text:00405049 cmp esi, 0FFFFFFFFh
.text:0040504C jz short loc_4050AA
.text:0040504E or [ebp+var_4], 3
.text:00405052 lea eax, [ebp+var_50]
.text:00405055 push 0 ; lpOverlapped
.text:00405057 push eax ; lpNumberOfBytesRead
.text:00405058 lea eax, [ebp+var_32E4]
.text:0040505E push 0FFFh ; nNumberOfBytesToRead
.text:00405063 push eax ; lpBuffer
.text:00405064 push esi ; hFile
.text:00405065 call ds:ReadFile
.text:0040506B test eax, eax
.text:0040506D jz short loc_40509F
.text:0040506F mov ecx, [ebp+var_50]
.text:00405072 cmp ecx, 8
.text:00405075 jb short loc_40509F
.text:00405077 lea ecx, [ebp+ecx+var_32E4]
.text:0040507E lea edx, [ebp+var_32E4]
.text:00405084 cmp edx, ecx
.text:00405086 lea eax, [ebp+var_32E4]
.text:0040508C jnb short loc_405096
.text:0040508E
.text:0040508E loc_40508E: ; CODE XREF: sub_404D84+310j
.text:0040508E xor byte ptr [eax], 0A5h
.text:00405091 inc eax
.text:00405092 cmp eax, ecx
.text:00405094 jb short loc_40508E
.text:00405096
.text:00405096 loc_405096: ; CODE XREF: sub_404D84+308j
.text:00405096 mov [ebp+var_1C], 1
.text:0040509D jmp short loc_4050A3
.text:0040509F ; ---------------------------------------------------------------------------
.text:0040509F
.text:0040509F loc_40509F: ; CODE XREF: sub_404D84+2E9j
.text:0040509F ; sub_404D84+2F1j
.text:0040509F or [ebp+var_4], 4
.text:004050A3
.text:004050A3 loc_4050A3: ; CODE XREF: sub_404D84+319j
.text:004050A3 push esi ; hObject
.text:004050A4 call ds:CloseHandle
.text:004050AA
.text:004050AA loc_4050AA: ; CODE XREF: sub_404D84+2AEj
.text:004050AA ; sub_404D84+2C8j
.text:004050AA xor edi, edi
.text:004050AC cmp [ebp+Arg_Key], edi
.text:004050AF jz short loc_4050CB
.text:004050B1 push [ebp+Arg_Key]
.text:004050B4 mov ecx, [ebp+Var_CalClassAddr]
.text:004050B7 call sub_405679 ; an important spot
.text:004050BC test eax, eax
.text:004050BE jnz loc_4051A9
.text:004050C4 push 0FFFFFFFEh
.text:004050C6 jmp loc_40552D
.text:004050CB ; ---------------------------------------------------------------------------
.text:004050CB
.text:004050CB loc_4050CB: ; CODE XREF: sub_404D84+32Bj
.text:004050CB test byte ptr [ebp+var_4], 1
.text:004050CF jz loc_4051A9
.text:004050D5 cmp [ebp+var_40], edi
.text:004050D8 jz loc_4051A1
.text:004050DE cmp [ebp+var_44], edi
.text:004050E1 jz loc_4051A1
.text:004050E7 mov eax, [ebp+NumberOfBytesRead]
.text:004050EA lea ecx, [eax+1]
.text:004050ED cmp [ebp+cbData], ecx
.text:004050F0 jnz loc_4051A1
.text:004050F6 push eax
.text:004050F7 lea eax, [ebp+Buffer]
.text:004050FD push eax
.text:004050FE lea eax, [ebp+Data]
.text:00405104 push eax
.text:00405105 call memcmp
.text:0040510A add esp, 0Ch
.text:0040510D test eax, eax
.text:0040510F jnz loc_4051A1
.text:00405115 cmp [ebp+var_54], edi
.text:00405118 mov eax, [ebp+NumberOfBytesRead]
.text:0040511B jz short loc_405125
.text:0040511D and [ebp+eax+Data], 0
.text:00405125
.text:00405125 loc_405125: ; CODE XREF: sub_404D84+397j
.text:00405125 or byte ptr [ebp+var_4+1], 20h
.text:00405129 cmp [ebp+var_1C], edi
.text:0040512C jz short loc_405153
.text:0040512E cmp [ebp+var_50], eax
.text:00405131 jnz short loc_4051A1
.text:00405133 push eax
.text:00405134 lea eax, [ebp+Buffer]
.text:0040513A push eax
.text:0040513B lea eax, [ebp+var_32E4]
.text:00405141 push eax
.text:00405142 call memcmp
.text:00405147 add esp, 0Ch
.text:0040514A test eax, eax
.text:0040514C jnz short loc_4051A1
.text:0040514E mov eax, [ebp+NumberOfBytesRead]
.text:00405151 jmp short loc_40515D
.text:00405153 ; ---------------------------------------------------------------------------
.text:00405153
.text:00405153 loc_405153: ; CODE XREF: sub_404D84+3A8j
.text:00405153 cmp [ebp+eax+Data], 0
.text:0040515B jnz short loc_4051A1
.text:0040515D
.text:0040515D loc_40515D: ; CODE XREF: sub_404D84+3CDj
.text:0040515D mov esi, [ebp+Var_CalClassAddr]
.text:00405160 mov ecx, [ebp+Buffer]
.text:00405166 cmp eax, 8
.text:00405169 mov [esi+30Ch], ecx
.text:0040516F mov ecx, [ebp+var_22E0]
.text:00405175 mov [esi+310h], ecx
.text:0040517B jbe loc_405617
.text:00405181 add eax, 0FFFFFFF8h
.text:00405184 push offset unk_46ABA8
.text:00405189 push eax
.text:0040518A lea eax, [ebp+var_22DC]
.text:00405190 push eax
.text:00405191 call Sub_Cal1
.text:00405196 mov [esi+31Ch], eax
.text:0040519C jmp loc_405617
.text:004051A1 ; ---------------------------------------------------------------------------
.text:004051A1
.text:004051A1 loc_4051A1: ; CODE XREF: sub_404D84+354j
.text:004051A1 ; sub_404D84+35Dj ...
.text:004051A1 or edi, 0FFFFFFFFh
.text:004051A4 jmp loc_40552E
.text:004051A9 ; ---------------------------------------------------------------------------
.text:004051A9
.text:004051A9 loc_4051A9: ; CODE XREF: sub_404D84+33Aj
.text:004051A9 ; sub_404D84+34Bj
.text:004051A9 push edi
.text:004051AA push edi
.text:004051AB lea ecx, [ebp+var_68]
.text:004051AE call Sub_ReadReg ; read the registration info
.text:004051B3 cmp [ebp+hKey], edi
.text:004051B6 mov esi, eax
.text:004051B8 mov [ebp+Type], esi
.text:004051BB jz short loc_4051C6
.text:004051BD push [ebp+hKey] ; hKey
.text:004051C0 call ds:RegCloseKey
.text:004051C6
.text:004051C6 loc_4051C6: ; CODE XREF: sub_404D84+437j
.text:004051C6 cmp esi, edi
.text:004051C8 mov [ebp+hKey], esi
.text:004051CB jnz short loc_4051D4
.text:004051CD push 2
.text:004051CF jmp loc_40552D
.text:004051D4 ; ---------------------------------------------------------------------------
.text:004051D4
.text:004051D4 loc_4051D4: ; CODE XREF: sub_404D84+447j
.text:004051D4 mov eax, [ebp+SystemTimeAsFileTime.dwLowDateTime]
.text:004051D7 cmp [ebp+Arg_Key], 0
.text:004051DB mov esi, ds:lstrlenW
.text:004051E1 push 8
.text:004051E3 mov [ebp+var_32E4], eax
.text:004051E9 mov eax, [ebp+SystemTimeAsFileTime.dwHighDateTime]
.text:004051EC pop edi
.text:004051ED mov [ebp+var_32E0], eax
.text:004051F3 mov [ebp+nNumberOfBytesToWrite], edi
.text:004051F6 jz short loc_405247
.text:004051F8 push [ebp+Arg_Key] ; lpString
.text:004051FB or byte ptr [ebp+var_4], 80h
.text:004051FF call esi ; lstrlenW
.text:00405201 cdq
.text:00405202 sub eax, edx
.text:00405204 sar eax, 1
.text:00405206 add eax, edi
.text:00405208 cmp eax, 1000h
.text:0040520D mov [ebp+nNumberOfBytesToWrite], eax
.text:00405210 jb short loc_405219
.text:00405212 push 3
.text:00405214 jmp loc_40552D
.text:00405219 ; ---------------------------------------------------------------------------
.text:00405219
.text:00405219 loc_405219: ; CODE XREF: sub_404D84+48Cj
.text:00405219 lea eax, [ebp+var_32DC]
.text:0040521F push eax
.text:00405220 push [ebp+Arg_Key]
.text:00405223 call Sub_StrToHex ; strtohex
.text:00405228 and [ebp+var_38], 0
.text:0040522C pop ecx
.text:0040522D pop ecx
.text:0040522E push 1
.text:00405230 pop eax
.text:00405231
.text:00405231 loc_405231: ; CODE XREF: sub_404D84+4BFj
.text:00405231 movzx ecx, byte ptr [ebp+eax+var_32E0+3]
.text:00405239 imul ecx, eax
.text:0040523C add [ebp+var_38], ecx
.text:0040523F inc eax
.text:00405240 cmp eax, 64h
.text:00405243 jle short loc_405231
.text:00405245 jmp short loc_405258
.text:00405247 ; ---------------------------------------------------------------------------
.text:00405247
.text:00405247 loc_405247: ; CODE XREF: sub_404D84+472j
.text:00405247 mov eax, [ebp+Var_CalClassAddr]
.text:0040524A or byte ptr [ebp+var_4+1], 1
.text:0040524E mov dword ptr [eax+320h], 1
.text:00405258
.text:00405258 loc_405258: ; CODE XREF: sub_404D84+4C1j
.text:00405258 push ebx
.text:00405259 lea eax, [ebp+var_7C]
.text:0040525C push offset aC ; encrypted string
.text:00405261 push eax
.text:00405262 call sub_432191 ; string decryption; args: address, string, mask
.text:00405267 mov eax, [eax]
.text:00405269 mov [ebp+hFile], eax
.text:0040526C lea eax, [ebp+SystemTimeAsFileTime]
.text:0040526F push eax
.text:00405270 lea eax, [ebp+var_80]
.text:00405273 push eax
.text:00405274 call sub_43270F
.text:00405279 mov edi, [eax]
.text:0040527B add esp, 14h
.text:0040527E push edi ; lpString
.text:0040527F call esi ; lstrlenW
.text:00405281 lea eax, [eax+eax+2]
.text:00405285 push eax ; cbData
.text:00405286 push edi ; lpData
.text:00405287 push 1 ; dwType
.text:00405289 push 0 ; Reserved
.text:0040528B push [ebp+hFile] ; lpValueName
.text:0040528E push [ebp+Type] ; hKey
.text:00405291 call ds:RegSetValueExW
.text:00405297 lea ecx, [ebp+var_80]
.text:0040529A call sub_401541
.text:0040529F lea ecx, [ebp+var_7C]
.text:004052A2 call sub_401541
.text:004052A7 push [ebp+lpFileName] ; lpFileName
.text:004052AA call ds:GetFileAttributesW
.text:004052B0 cmp eax, 0FFFFFFFFh
.text:004052B3 mov [ebp+NumberOfBytesWritten], eax
.text:004052B6 jz short loc_4052C4
.text:004052B8 and al, 0F8h
.text:004052BA push eax ; dwFileAttributes
.text:004052BB push [ebp+lpFileName] ; lpFileName
.text:004052BE call ds:SetFileAttributesW
.text:004052C4
.text:004052C4 loc_4052C4: ; CODE XREF: sub_404D84+532j
.text:004052C4 push 0 ; hTemplateFile
.text:004052C6 push 20h ; dwFlagsAndAttributes
.text:004052C8 push 2 ; dwCreationDisposition
.text:004052CA push 0 ; lpSecurityAttributes
.text:004052CC push 3 ; dwShareMode
.text:004052CE push 40000000h ; dwDesiredAccess
.text:004052D3 push [ebp+lpFileName] ; lpFileName
.text:004052D6 call ds:CreateFileW
.text:004052DC cmp eax, 0FFFFFFFFh
.text:004052DF mov [ebp+hFile], eax
.text:004052E2 jnz short loc_4052EB
.text:004052E4 push 5
.text:004052E6 jmp loc_40552D
.text:004052EB ; ---------------------------------------------------------------------------
.text:004052EB
.text:004052EB loc_4052EB: ; CODE XREF: sub_404D84+55Ej
.text:004052EB mov edx, [ebp+nNumberOfBytesToWrite]
.text:004052EE lea esi, [ebp+var_32E4]
.text:004052F4 mov ecx, edx
.text:004052F6 lea edi, [ebp+Buffer]
.text:004052FC mov eax, ecx
.text:004052FE shr ecx, 2
.text:00405301 rep movsd
.text:00405303 mov ecx, eax
.text:00405305 lea eax, [ebp+Buffer]
.text:0040530B and ecx, 3
.text:0040530E rep movsb
.text:00405310 lea ecx, [ebp+edx+Buffer]
.text:00405317 lea edx, [ebp+Buffer]
.text:0040531D cmp edx, ecx
.text:0040531F jnb short loc_405329
.text:00405321
.text:00405321 loc_405321: ; CODE XREF: sub_404D84+5A3j
.text:00405321 xor byte ptr [eax], 5Dh
.text:00405324 inc eax
.text:00405325 cmp eax, ecx
.text:00405327 jb short loc_405321
.text:00405329
.text:00405329 loc_405329: ; CODE XREF: sub_404D84+59Bj
.text:00405329 mov esi, [ebp+hFile]
.text:0040532C xor edi, edi
.text:0040532E lea eax, [ebp+NumberOfBytesWritten]
.text:00405331 push edi ; lpOverlapped
.text:00405332 push eax ; lpNumberOfBytesWritten
.text:00405333 lea eax, [ebp+Buffer]
.text:00405339 push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
.text:0040533C push eax ; lpBuffer
.text:0040533D push esi ; hFile
.text:0040533E call ds:WriteFile
.text:00405344 cmp eax, edi
.text:00405346 mov [ebp+var_40], eax
.text:00405349 jnz short loc_40535A
.text:0040534B push 6
.text:0040534D pop edi
.text:0040534E push esi ; hObject
.text:0040534F call ds:CloseHandle
.text:00405355 jmp loc_40552E
.text:0040535A ; ---------------------------------------------------------------------------
.text:0040535A
.text:0040535A loc_40535A: ; CODE XREF: sub_404D84+5C5j
.text:0040535A mov eax, [ebp+SystemTimeAsFileTime.dwLowDateTime]
.text:0040535D mov [ebp+LastWriteTime.dwLowDateTime], eax
.text:00405360 mov eax, [ebp+SystemTimeAsFileTime.dwHighDateTime]
.text:00405363 mov [ebp+LastWriteTime.dwHighDateTime], eax
.text:00405366 add eax, 0FFFE7960h
.text:0040536B mov [ebp+LastWriteTime.dwHighDateTime], eax
.text:0040536E lea eax, [ebp+LastWriteTime]
.text:00405371 push eax ; lpLastWriteTime
.text:00405372 lea eax, [ebp+LastWriteTime]
.text:00405375 push edi ; lpLastAccessTime
.text:00405376 push eax ; lpCreationTime
.text:00405377 push esi ; hFile
.text:00405378 call ds:SetFileTime
.text:0040537E test eax, eax
.text:00405380 jnz short loc_405386
.text:00405382 or byte ptr [ebp+var_4+1], 2
.text:00405386
.text:00405386 loc_405386: ; CODE XREF: sub_404D84+5FCj
.text:00405386 push esi ; hObject
.text:00405387 call ds:CloseHandle
.text:0040538D push [ebp+lpFileName] ; lpFileName
.text:00405390 mov esi, ds:GetFileAttributesW
.text:00405396 call esi ; GetFileAttributesW
.text:00405398 or byte ptr [ebp+var_4+1], 10h
.text:0040539C cmp eax, 0FFFFFFFFh
.text:0040539F mov [ebp+NumberOfBytesWritten], eax
.text:004053A2 jz short loc_4053BB
.text:004053A4 or al, 7
.text:004053A6 push eax ; dwFileAttributes
.text:004053A7 mov [ebp+NumberOfBytesWritten], eax
.text:004053AA push [ebp+lpFileName] ; lpFileName
.text:004053AD call ds:SetFileAttributesW
.text:004053B3 test eax, eax
.text:004053B5 jz short loc_4053BB
.text:004053B7 and byte ptr [ebp+var_4+1], 0EFh
.text:004053BB
.text:004053BB loc_4053BB: ; CODE XREF: sub_404D84+61Ej
.text:004053BB ; sub_404D84+631j
.text:004053BB cmp [ebp+var_54], edi
.text:004053BE mov [ebp+var_1C], edi
.text:004053C1 jz short loc_4053CC
.text:004053C3 or byte ptr [ebp+var_4+2], 4
.text:004053C7 jmp loc_4054BB
.text:004053CC ; ---------------------------------------------------------------------------
.text:004053CC
.text:004053CC loc_4053CC: ; CODE XREF: sub_404D84+63Dj
.text:004053CC push [ebp+var_C] ; lpFileName
.text:004053CF call esi ; GetFileAttributesW
.text:004053D1 cmp eax, 0FFFFFFFFh
.text:004053D4 mov [ebp+NumberOfBytesWritten], eax
.text:004053D7 jz short loc_4053E5
.text:004053D9 and al, 0F8h
.text:004053DB push eax ; dwFileAttributes
.text:004053DC push [ebp+var_C] ; lpFileName
.text:004053DF call ds:SetFileAttributesW
.text:004053E5
.text:004053E5 loc_4053E5: ; CODE XREF: sub_404D84+653j
.text:004053E5 push edi ; hTemplateFile
.text:004053E6 push 20h ; dwFlagsAndAttributes
.text:004053E8 push 2 ; dwCreationDisposition
.text:004053EA push edi ; lpSecurityAttributes
.text:004053EB push 3 ; dwShareMode
.text:004053ED push 40000000h ; dwDesiredAccess
.text:004053F2 push [ebp+var_C] ; lpFileName
.text:004053F5 call ds:CreateFileW
.text:004053FB cmp eax, 0FFFFFFFFh
.text:004053FE mov [ebp+hFile], eax
.text:00405401 jz loc_4054B7
.text:00405407 mov edx, [ebp+nNumberOfBytesToWrite]
.text:0040540A lea esi, [ebp+var_32E4]
.text:00405410 mov ecx, edx
.text:00405412 lea edi, [ebp+Buffer]
.text:00405418 mov eax, ecx
.text:0040541A shr ecx, 2
.text:0040541D rep movsd
.text:0040541F mov ecx, eax
.text:00405421 lea eax, [ebp+Buffer]
.text:00405427 and ecx, 3
.text:0040542A rep movsb
.text:0040542C lea esi, [ebp+Buffer]
.text:00405432 lea ecx, [ebp+edx+Buffer]
.text:00405439 cmp esi, ecx
.text:0040543B jnb short loc_405445
.text:0040543D
.text:0040543D loc_40543D: ; CODE XREF: sub_404D84+6BFj
.text:0040543D xor byte ptr [eax], 0A5h
.text:00405440 inc eax
.text:00405441 cmp eax, ecx
.text:00405443 jb short loc_40543D
.text:00405445
.text:00405445 loc_405445: ; CODE XREF: sub_404D84+6B7j
.text:00405445 lea eax, [ebp+NumberOfBytesWritten]
.text:00405448 push 0 ; lpOverlapped
.text:0040544A push eax ; lpNumberOfBytesWritten
.text:0040544B lea eax, [ebp+Buffer]
.text:00405451 push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
.text:00405454 push eax ; lpBuffer
.text:00405455 push [ebp+hFile] ; hFile
.text:00405458 call ds:WriteFile
.text:0040545E test eax, eax
.text:00405460 mov [ebp+var_1C], eax
.text:00405463 jz short loc_405476
.text:00405465 push [ebp+hFile] ; hFile
.text:00405468 call ds:FlushFileBuffers
.text:0040546E test eax, eax
.text:00405470 jnz short loc_405476
.text:00405472 or byte ptr [ebp+var_4+2], 2
.text:00405476
.text:00405476 loc_405476: ; CODE XREF: sub_404D84+6DFj
.text:00405476 ; sub_404D84+6ECj
.text:00405476 push [ebp+hFile] ; hObject
.text:00405479 call ds:CloseHandle
.text:0040547F cmp [ebp+var_1C], 0
.text:00405483 jz short loc_4054B3
.text:00405485 push [ebp+var_C] ; lpFileName
.text:00405488 call ds:GetFileAttributesW
.text:0040548E or byte ptr [ebp+var_4+1], 8
.text:00405492 cmp eax, 0FFFFFFFFh
.text:00405495 mov [ebp+NumberOfBytesWritten], eax
.text:00405498 jz short loc_4054BB
.text:0040549A or al, 1
.text:0040549C push eax ; dwFileAttributes
.text:0040549D mov [ebp+NumberOfBytesWritten], eax
.text:004054A0 push [ebp+var_C] ; lpFileName
.text:004054A3 call ds:SetFileAttributesW
.text:004054A9 test eax, eax
.text:004054AB jz short loc_4054BB
.text:004054AD and byte ptr [ebp+var_4+1], 0F7h
.text:004054B1 jmp short loc_4054BB
.text:004054B3 ; ---------------------------------------------------------------------------
.text:004054B3
.text:004054B3 loc_4054B3: ; CODE XREF: sub_404D84+6FFj
.text:004054B3 push 7
.text:004054B5 jmp short loc_40552D
.text:004054B7 ; ---------------------------------------------------------------------------
.text:004054B7
.text:004054B7 loc_4054B7: ; CODE XREF: sub_404D84+67Dj
.text:004054B7 or byte ptr [ebp+var_4+1], 4
.text:004054BB
.text:004054BB loc_4054BB: ; CODE XREF: sub_404D84+643j
.text:004054BB ; sub_404D84+714j ...
.text:004054BB mov eax, [ebp+nNumberOfBytesToWrite]
.text:004054BE lea esi, [ebp+var_32E4]
.text:004054C4 mov ecx, eax
.text:004054C6 lea edi, [ebp+Buffer]
.text:004054CC mov edx, ecx
.text:004054CE lea eax, [ebp+eax+Buffer]
.text:004054D5 shr ecx, 2
.text:004054D8 rep movsd
.text:004054DA mov ecx, edx
.text:004054DC lea edx, [ebp+Buffer]
.text:004054E2 and ecx, 3
.text:004054E5 rep movsb
.text:004054E7 mov cl, byte ptr [ebp+var_1C]
.text:004054EA mov [eax], cl
.text:004054EC inc eax
.text:004054ED cmp edx, eax
.text:004054EF lea ecx, [ebp+Buffer]
.text:004054F5 jnb short loc_4054FF
.text:004054F7
.text:004054F7 loc_4054F7: ; CODE XREF: sub_404D84+779j
.text:004054F7 xor byte ptr [ecx], 12h
.text:004054FA inc ecx
.text:004054FB cmp ecx, eax
.text:004054FD jb short loc_4054F7
.text:004054FF
.text:004054FF loc_4054FF: ; CODE XREF: sub_404D84+771j
.text:004054FF mov eax, [ebp+nNumberOfBytesToWrite]
.text:00405502 mov edi, ds:RegSetValueExW
.text:00405508 inc eax
.text:00405509 push eax ; cbData
.text:0040550A lea eax, [ebp+Buffer]
.text:00405510 push eax ; lpData
.text:00405511 push 3 ; dwType
.text:00405513 push 0 ; Reserved
.text:00405515 push [ebp+lpValueName] ; lpValueName
.text:00405518 push [ebp+Type] ; hKey
.text:0040551B call edi ; RegSetValueExW
.text:0040551D neg eax
.text:0040551F sbb eax, eax
.text:00405521 inc eax
.text:00405522 mov [ebp+var_44], eax
.text:00405525 jnz loc_4055BE
.text:0040552B push 4
.text:0040552D
.text:0040552D loc_40552D: ; CODE XREF: sub_404D84+342j
.text:0040552D ; sub_404D84+44Bj ...
.text:0040552D pop edi
.text:0040552E
.text:0040552E loc_40552E: ; CODE XREF: sub_404D84+128j
.text:0040552E ; sub_404D84+420j ...
.text:0040552E mov esi, [ebp+var_58]
.text:00405531 xor ebx, ebx
.text:00405533 cmp [esi+4], ebx
.text:00405539 jz short loc_40558B
.text:0040553B push [ebp+var_44]
.text:0040553E lea eax, [ebp+var_C]
.text:00405541 push [ebp+var_40]
.text:00405544 push [ebp+var_1C]
.text:00405547 push [ebp+var_4]
.text:0040554A push edi
.text:0040554B push 2766h
.text:00405550 push eax
.text:00405551 call sub_405B77
.text:00405556 add esp, 1Ch
.text:00405559 push [ebp+var_C] ; lpString
.text:0040555C call ds:AddAtomW
.text:00405562 cmp ax, bx
.text:00405565 jz short loc_40558B
.text:00405567 mov ecx, [esi+4]
.text:0040556D mov ecx, [ecx+10h]
.text:00405570 cmp ecx, ebx
.text:00405572 jz short loc_40558B
.text:00405574 movzx eax, ax
.text:00405577 push eax ; lParam
.text:00405578 push 8001h ; wParam
.text:0040557D push 111h ; Msg
.text:00405582 push dword ptr [ecx+4] ; hWnd
.text:00405585 call ds:PostMessageW
.text:0040558B
.text:0040558B loc_40558B: ; CODE XREF: sub_404D84+7B5j
.text:0040558B ; sub_404D84+7E1j ...
.text:0040558B cmp [ebp+var_2C], ebx
.text:0040558E jz short loc_4055A3
.text:00405590 cmp [ebp+var_30], ebx
.text:00405593 jz short loc_4055A3
.text:00405595 mov eax, dword_46FD9C
.text:0040559A push [ebp+var_30]
.text:0040559D mov ecx, [eax]
.text:0040559F push eax
.text:004055A0 call dword ptr [ecx+14h]
.text:004055A3
.text:004055A3 loc_4055A3: ; CODE XREF: sub_404D84+80Aj
.text:004055A3 ; sub_404D84+80Fj
.text:004055A3 lea ecx, [ebp+var_2E4]
.text:004055A9 call sub_434122
.text:004055AE lea ecx, [ebp+lpValueName]
.text:004055B1 call sub_401541
.text:004055B6 cmp [ebp+hKey], ebx
.text:004055B9 jmp loc_405645
.text:004055BE ; ---------------------------------------------------------------------------
.text:004055BE
.text:004055BE loc_4055BE: ; CODE XREF: sub_404D84+7A1j
.text:004055BE cmp [ebp+Arg_Key], 0
.text:004055C2 mov esi, [ebp+Var_CalClassAddr]
.text:004055C5 jz short loc_405603
.text:004055C7 push ebx
.text:004055C8 lea eax, [ebp+var_58]
.text:004055CB push offset unk_46AC1C
.text:004055D0 push eax
.text:004055D1 mov dword ptr [esi+31Ch], 1
.text:004055DB call sub_432191 ; string decryption; arguments: address, string, mask
.text:004055E0 mov ecx, [ebp+var_38]
.text:004055E3 mov eax, [eax]
.text:004055E5 add esp, 0Ch
.text:004055E8 mov [ebp+Arg_Key], ecx
.text:004055EB lea ecx, [ebp+Arg_Key]
.text:004055EE push 4 ; cbData
.text:004055F0 push ecx ; lpData
.text:004055F1 push 4 ; dwType
.text:004055F3 push 0 ; Reserved
.text:004055F5 push eax ; lpValueName
.text:004055F6 push [ebp+Type] ; hKey
.text:004055F9 call edi ; RegSetValueExW
.text:004055FB lea ecx, [ebp+var_58]
.text:004055FE call sub_401541
.text:00405603
.text:00405603 loc_405603: ; CODE XREF: sub_404D84+841j
.text:00405603 mov eax, [ebp+SystemTimeAsFileTime.dwLowDateTime]
.text:00405606 xor edi, edi
.text:00405608 mov [esi+30Ch], eax
.text:0040560E mov eax, [ebp+SystemTimeAsFileTime.dwHighDateTime]
.text:00405611 mov [esi+310h], eax
.text:00405617
.text:00405617 loc_405617: ; CODE XREF: sub_404D84+3F7j
.text:00405617 ; sub_404D84+418j
.text:00405617 cmp [ebp+var_2C], edi
.text:0040561A jz short loc_40562F
.text:0040561C cmp [ebp+var_30], edi
.text:0040561F jz short loc_40562F
.text:00405621 mov eax, dword_46FD9C
.text:00405626 push [ebp+var_30]
.text:00405629 mov ecx, [eax]
.text:0040562B push eax
.text:0040562C call dword ptr [ecx+14h]
.text:0040562F
.text:0040562F loc_40562F: ; CODE XREF: sub_404D84+896j
.text:0040562F ; sub_404D84+89Bj
.text:0040562F lea ecx, [ebp+var_2E4]
.text:00405635 call sub_434122
.text:0040563A lea ecx, [ebp+lpValueName]
.text:0040563D call sub_401541
.text:00405642 cmp [ebp+hKey], edi
.text:00405645
.text:00405645 loc_405645: ; CODE XREF: sub_404D84+835j
.text:00405645 jz short loc_405650
.text:00405647 push [ebp+hKey] ; hKey
.text:0040564A call ds:RegCloseKey
.text:00405650
.text:00405650 loc_405650: ; CODE XREF: sub_404D84:loc_405645j
.text:00405650 lea ecx, [ebp+var_68]
.text:00405653 call sub_401541
.text:00405658 lea ecx, [ebp+lpFileName]
.text:0040565B call sub_401541
.text:00405660 lea ecx, [ebp+var_C]
.text:00405663 call sub_401541
.text:00405668 lea ecx, [ebp+var_28]
.text:0040566B call sub_401541
.text:00405670 mov eax, edi
.text:00405672 pop edi
.text:00405673 pop esi
.text:00405674 pop ebx
.text:00405675 leave
.text:00405676 retn 4
.text:00405676 sub_404D84 endp
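From the function above we can see that many of the strings are encrypted, and that the registration information is stored in neoqaz2.dll under %WINDIR% and in the registry under: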
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ZabaraKatranemia Plc\xplorer2]
"InstallDate"="2004-12-5"
"v1_Install"=hex:12,4f,3c,cb,24,c8,d6,13,9a,9a,9a,9a,03,03,c3,13,13,9a,0d,9a,\
9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,3f,35,9a,9a,9a,\
9a,9a,9a,c7,3d,9a,9a,9a,9a,9a,9a,88,25,9a,9a,9a,9a,9a,9a,7e,2d,9a,9a,9a,9a,\
9a,9a,ad,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,\
9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,9a,13
"v1_regOK"=dword:000a3a27
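Of course, the processing they go through is only simple. Delete them and the program has to be registered again.
.text:00405679 ; An important spot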
.text:00405679 ; Attributes: bp-based frame
.text:00405679
.text:00405679 sub_405679 proc near ; CODE XREF: sub_404D84+333p
.text:00405679
.text:00405679 var_1000 = dword ptr -1000h
.text:00405679 lpString = dword ptr 8
.text:00405679
.text:00405679 push ebp
.text:0040567A mov ebp, esp
.text:0040567C mov eax, 1000h
.text:00405681 call __alloca_probe
.text:00405686 push esi
.text:00405687 push edi
.text:00405688 mov edi, [ebp+lpString]
.text:0040568B test edi, edi
.text:0040568D jz short loc_4056ED ; fail, eax=0
.text:0040568F push edi ; lpString
.text:00405690 call ds:lstrlenW
.text:00405696 mov ecx, 0C8h
.text:0040569B cmp eax, ecx
.text:0040569D jnz short loc_4056ED ; fail, eax=0
.text:0040569F xor esi, esi
.text:004056A1 mov edx, edi
.text:004056A3
.text:004056A3 loc_4056A3: ; CODE XREF: sub_405679+4Aj
.text:004056A3 mov ax, [edx]
.text:004056A6 cmp ax, 30h
.text:004056AA jb short loc_4056B2
.text:004056AC cmp ax, 39h
.text:004056B0 jbe short loc_4056BE
.text:004056B2
.text:004056B2 loc_4056B2: ; CODE XREF: sub_405679+31j
.text:004056B2 cmp ax, 41h
.text:004056B6 jb short loc_4056ED ; fail, eax=0
.text:004056B8 cmp ax, 46h
.text:004056BC ja short loc_4056ED ; fail, eax=0
.text:004056BE
.text:004056BE loc_4056BE: ; CODE XREF: sub_405679+37j
.text:004056BE inc esi
.text:004056BF inc edx
.text:004056C0 inc edx
.text:004056C1 cmp esi, ecx
.text:004056C3 jl short loc_4056A3 ; check 0-9, A-F again
.text:004056C5 lea eax, [ebp+var_1000]
.text:004056CB push eax
.text:004056CC push edi
.text:004056CD call Sub_StrToHex ; strtohex
This converts our registration code into hexadecimal bytes (which is why the code before it checks for 0-9 and A-F).
For example: 9988 ----> 0x99,0x88
.text:004056D2 pop ecx
.text:004056D3 lea eax, [ebp+var_1000]
.text:004056D9 pop ecx
.text:004056DA push offset unk_46ABA8
.text:004056DF push 64h
.text:004056E1 push eax
.text:004056E2 call Sub_Cal1 ; very important, step into it
.text:004056E7
.text:004056E7 loc_4056E7: ; CODE XREF: sub_405679+76j
.text:004056E7 pop edi
.text:004056E8 pop esi
.text:004056E9 leave
.text:004056EA retn 4
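The format check and hex conversion walked through above (exactly 0C8h = 200 characters, only 0-9 and A-F, two characters per byte), written out as an added C example; it is not code from the original post or from the program. The names decode_key_text, hex_val, fill_sample and run_cases and the sample strings are constructed for illustration, and high-nibble-first order is assumed from the 9988 ----> 0x99,0x88 illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_CHARS 200 /* 0C8h: exact length the lstrlenW result is compared to */
#define KEY_BYTES 100 /* 64h: byte count pushed for the following check routine */

/* One accepted digit -> its value, else -1. Mirrors the 30h-39h and
   41h-46h range compares in the listing: lower-case a-f is rejected. */
static int hex_val(uint16_t c)
{
    if (c >= 0x30 && c <= 0x39) return (int)c - 0x30;
    if (c >= 0x41 && c <= 0x46) return (int)c - 0x41 + 10;
    return -1;
}

/* Decode a NUL-terminated UTF-16 key string. Returns 1 and fills out[]
   only if the text is exactly KEY_CHARS upper-case hex digits; returns 0
   and leaves out[] untouched otherwise. */
int decode_key_text(const uint16_t *text, uint8_t out[KEY_BYTES])
{
    size_t n = 0, i;
    if (text == NULL || out == NULL) return 0;
    while (n <= KEY_CHARS && text[n] != 0) n++;   /* bounded length scan */
    if (n != KEY_CHARS) return 0;
    for (i = 0; i < KEY_CHARS; i++)               /* validate before writing */
        if (hex_val(text[i]) < 0) return 0;
    for (i = 0; i < KEY_BYTES; i++)               /* assumed: high nibble first */
        out[i] = (uint8_t)((hex_val(text[2 * i]) << 4) | hex_val(text[2 * i + 1]));
    return 1;
}

/* Constructed sample input: widen a repeated ASCII pattern into buf. */
static void fill_sample(uint16_t *buf, size_t chars, const char *pat, size_t patlen)
{
    size_t i;
    for (i = 0; i < chars; i++) buf[i] = (uint16_t)(unsigned char)pat[i % patlen];
    buf[chars] = 0;
}

/* Returns a bitmask with one bit per constructed case that behaved as expected. */
int run_cases(void)
{
    uint16_t buf[KEY_CHARS + 2];
    uint8_t out[KEY_BYTES];
    int ok = 0;

    fill_sample(buf, KEY_CHARS, "9988", 4);       /* well-formed: accepted */
    if (decode_key_text(buf, out) && out[0] == 0x99 && out[1] == 0x88 && out[99] == 0x88) ok |= 1;
    fill_sample(buf, KEY_CHARS, "99aa", 4);       /* lower-case digits: rejected */
    if (!decode_key_text(buf, out)) ok |= 2;
    fill_sample(buf, KEY_CHARS - 1, "9988", 4);   /* 199 characters: rejected */
    if (!decode_key_text(buf, out)) ok |= 4;
    fill_sample(buf, KEY_CHARS + 1, "9988", 4);   /* 201 characters: rejected */
    if (!decode_key_text(buf, out)) ok |= 8;
    return ok;
}

int main(void)
{
    printf("cases passed mask: 0x%X\n", run_cases());
    return 0;
}
```

Because the length is pinned to exactly 200 characters before any conversion, the decoded output is always 100 bytes and fits the 1000h-byte stack buffer the routine reserves.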
We arrive here:
.text:004056F1 ; Attributes: bp-based frame
.text:004056F1
.text:004056F1 Sub_Cal1 proc near ; CODE XREF: sub_404D84+40Dp
.text:004056F1 ; sub_405679+69p
.text:004056F1
.text:004056F1 Var_MallocAddr = dword ptr -14h
.text:004056F1 var_10 = dword ptr -10h
.text:004056F1 var_C = dword ptr -0Ch
.text:004056F1 Var_Len = dword ptr -8
.text:004056F1 Var_MallocAddr2 = dword ptr -4
.text:004056F1 Arg_HexKey = dword ptr 8
.text:004056F1 Arg_Length = dword ptr 0Ch
.text:004056F1 arg_8 = dword ptr 10h
.text:004056F1
.text:004056F1 push ebp
.text:004056F2 mov ebp, esp
.text:004056F4 sub esp, 14h
.text:004056F7 and [ebp+Var_MallocAddr2], 0
.text:004056FB push 21Dh ; size_t
.text:00405700 call ds:malloc ; allocate memory to hold the registration-code check code
.text:00405706 pop ecx
.text:00405707 mov [ebp+Var_MallocAddr], eax
.text:0040570A mov [ebp+Var_Len], 20Dh
.text:00405711 mov eax, [ebp+Var_MallocAddr]
.text:00405714 mov [ebp+var_C], eax
.text:00405717
.text:00405717 loc_405717: ; CODE XREF: Sub_Cal1+49j
.text:00405717 mov eax, [ebp+Var_Len]
.text:0040571A mov ecx, [ebp+Var_Len]
.text:0040571D dec ecx
.text:0040571E mov [ebp+Var_Len], ecx
.text:00405721 test eax, eax
.text:00405723 jz short loc_40573C
.text:00405725 mov eax, [ebp+var_C]
.text:00405728 mov ecx, [ebp+Var_Len]
.text:0040572B mov cl, ds:byte_465738[ecx]
.text:00405731 mov [eax], cl
.text:00405733 mov eax, [ebp+var_C]
.text:00405736 inc eax
.text:00405737 mov [ebp+var_C], eax
.text:0040573A jmp short loc_405717
.text:0040573C ; ---------------------------------------------------------------------------
.text:0040573C
.text:0040573C loc_40573C: ; CODE XREF: Sub_Cal1+32j
.text:0040573C mov eax, [ebp+Var_MallocAddr]
.text:0040573F mov [ebp+Var_MallocAddr2], eax
.text:00405742 push [ebp+arg_8] ; a constant value
.text:00405745 push [ebp+Arg_Length]
.text:00405748 push [ebp+Arg_HexKey]
.text:0040574B call [ebp+Var_MallocAddr2] ; this is the algorithm, placed in dynamically allocated memory
.text:0040574E mov [ebp+var_10], eax
.text:00405751 push [ebp+Var_MallocAddr] ; void *
.text:00405754 call ds:free
.text:0040575A pop ecx
.text:0040575B mov eax, [ebp+var_10]
.text:0040575E leave
.text:0040575F retn 0Ch
.text:0040575F Sub_Cal1 endp
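This is where the registration code is computed. I copied it out of odbg (it cannot be found in IDA, though of course it could be worked out from the decryption process above).
0038F8F0 55 push ebp ; first check the three arguments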
0038F8F1 8BEC mov ebp,esp
0038F8F3 83EC 38 sub esp,38
0038F8F6 837D 08 00 cmp dword ptr ss:[ebp+8],0 ; ebp+8 is our hexkey (the key after conversion to hex bytes)
0038F8FA 74 0C je short 0038F908
0038F8FC 837D 0C 64 cmp dword ptr ss:[ebp+C],64 ; the length is 100
0038F900 75 06 jnz short 0038F908
0038F902 837D 10 00 cmp dword ptr ss:[ebp+10],0 ; this is a fixed string
0038F906 75 07 jnz short 0038F90F
0038F908 33C0 xor eax,eax
0038F90A E9 E8010000 jmp 0038FAF7
0038F90F C645 DC A5 mov byte ptr ss:[ebp-24],0A5 ; an array is given its values here; call it m[i] for now
0038F913 C645 DD 5D mov byte ptr ss:[ebp-23],5D
0038F917 C645 DE 12 mov byte ptr ss:[ebp-22],12
0038F91B C645 DF E4 mov byte ptr ss:[ebp-21],0E4
0038F91F C645 E0 37 mov byte ptr ss:[ebp-20],37
0038F923 C745 F8 0A000000 mov dword ptr ss:[ebp-8],0A ; a
0038F92A C745 FC 00000000 mov dword ptr ss:[ebp-4],0 ; i
; the above is initialisation
0038F931 B8 01000000 mov eax,1
; makes sure eax=1 when correct; of no great significance
0038F936 85C0 test eax,eax
0038F938 74 67 je short 0038F9A1
; this jump is never taken
0038F93A 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0038F93D 034D F8 add ecx,dword ptr ss:[ebp-8]
; ebp+8 holds the hex bytes of our registration code; processing starts at offset 0A
0038F940 33D2 xor edx,edx
0038F942 8A11 mov dl,byte ptr ds:[ecx] ; start from the 10th
0038F944 8955 F8 mov dword ptr ss:[ebp-8],edx
; a is given a new value
0038F947 837D F8 0A cmp dword ptr ss:[ebp-8],0A
0038F94B 7C 06 jl short 0038F953
0038F94D 837D F8 62 cmp dword ptr ss:[ebp-8],62
0038F951 7C 02 jl short 0038F955
0038F953 EB 4C jmp short 0038F9A1 ; jump to failure
; a is required to be between 0A and 62
0038F955 8B45 FC mov eax,dword ptr ss:[ebp-4]
; here ebp-4 serves as a counter, initial value 0
0038F958 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0038F95B 894C85 E4 mov dword ptr ss:[ebp+eax*4-1C],ecx ; used later
; ebp+eax*4-1C points to an array; call it r[i] for now
; i.e. the value at offset a in the array we passed in is assigned to r[i]
0038F95F 8B55 08 mov edx,dword ptr ss:[ebp+8]
0038F962 0355 F8 add edx,dword ptr ss:[ebp-8]
0038F965 33C0 xor eax,eax
0038F967 8A02 mov al,byte ptr ds:[edx]
; fetch a value using the new offset a
0038F969 8B4D FC mov ecx,dword ptr ss:[ebp-4]
0038F96C 33D2 xor edx,edx
0038F96E 8A540D DC mov dl,byte ptr ss:[ebp+ecx-24]
; ebp+ecx-24 is also an array, m[i]
0038F972 33C2 xor eax,edx
; XOR with p[a]
0038F974 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0038F977 034D F8 add ecx,dword ptr ss:[ebp-8]
0038F97A 33D2 xor edx,edx
0038F97C 8A51 01 mov dl,byte ptr ds:[ecx+1]
0038F97F 3BC2 cmp eax,edx
; these must be equal
0038F981 74 02 je short 0038F985
0038F983 EB 1C jmp short 0038F9A1 ; jump to failure
0038F985 8B45 FC mov eax,dword ptr ss:[ebp-4]
0038F988 83C0 01 add eax,1
0038F98B 8945 FC mov dword ptr ss:[ebp-4],eax
;i++
0038F98E 837D FC 05 cmp dword ptr ss:[ebp-4],5
0038F992 75 02 jnz short 0038F996
; when it equals 5, the loop ends
0038F994 EB 0B jmp short 0038F9A1
0038F996 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0038F999 83C1 02 add ecx,2
0038F99C 894D F8 mov dword ptr ss:[ebp-8],ecx
0038F99F ^ EB 90 jmp short 0038F931
; a = a+2, then re-enter the loop
0038F9A1 837D FC 05 cmp dword ptr ss:[ebp-4],5
0038F9A5 0F85 4A010000 jnz 0038FAF5
Here is another loop, which mainly operates on r[i]:
0038F9AB C745 D8 00000000 mov dword ptr ss:[ebp-28],0
0038F9B2 EB 09 jmp short 0038F9BD
0038F9B4 8B55 D8 mov edx,dword ptr ss:[ebp-28]
0038F9B7 83C2 01 add edx,1
0038F9BA 8955 D8 mov dword ptr ss:[ebp-28],edx
0038F9BD 837D D8 04 cmp dword ptr ss:[ebp-28],4
0038F9C1 7D 55 jge short 0038FA18
0038F9C3 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0038F9C6 8B4C85 E4 mov ecx,dword ptr ss:[ebp+eax*4-1C]
0038F9CA 894D F8 mov dword ptr ss:[ebp-8],ecx
0038F9CD C745 D4 00000000 mov dword ptr ss:[ebp-2C],0
0038F9D4 EB 09 jmp short 0038F9DF
0038F9D6 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
0038F9D9 83C2 01 add edx,1
0038F9DC 8955 D4 mov dword ptr ss:[ebp-2C],edx
0038F9DF 837D D4 05 cmp dword ptr ss:[ebp-2C],5
0038F9E3 7D 31 jge short 0038FA16
0038F9E5 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0038F9E8 3B45 D8 cmp eax,dword ptr ss:[ebp-28]
0038F9EB 75 02 jnz short 0038F9EF
0038F9ED ^ EB E7 jmp short 0038F9D6
0038F9EF 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
0038F9F2 8B548D E4 mov edx,dword ptr ss:[ebp+ecx*4-1C]
0038F9F6 83EA 02 sub edx,2
0038F9F9 3955 F8 cmp dword ptr ss:[ebp-8],edx
0038F9FC 7C 16 jl short 0038FA14
0038F9FE 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0038FA01 8B4C85 E4 mov ecx,dword ptr ss:[ebp+eax*4-1C]
0038FA05 83C1 02 add ecx,2
0038FA08 394D F8 cmp dword ptr ss:[ebp-8],ecx
0038FA0B 7F 07 jg short 0038FA14 ; this jump must be taken
0038FA0D 33C0 xor eax,eax
0038FA0F E9 E3000000 jmp 0038FAF7
0038FA14 ^ EB C0 jmp short 0038F9D6
0038FA16 ^ EB 9C jmp short 0038F9B4
Looking closely at this code, you will find that it requires the absolute difference between any two elements of r[i] to be > 2.
0038FA18 8B55 08 mov edx,dword ptr ss:[ebp+8]
0038FA1B 33C0 xor eax,eax
0038FA1D 8A42 08 mov al,byte ptr ds:[edx+8]
0038FA20 83F8 01 cmp eax,1 ; the 8th value of keys = 1
0038FA23 74 07 je short 0038FA2C
0038FA25 33C0 xor eax,eax
0038FA27 E9 CB000000 jmp 0038FAF7
0038FA2C C745 C8 0F2FC401 mov dword ptr ss:[ebp-38],1C42F0F
0038FA33 C745 D0 A0D9D201 mov dword ptr ss:[ebp-30],1D2D9A0
0038FA3A 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0038FA3D 8B51 04 mov edx,dword ptr ds:[ecx+4]
0038FA40 8955 CC mov dword ptr ss:[ebp-34],edx
0038FA43 8B45 CC mov eax,dword ptr ss:[ebp-34]
0038FA46 3B45 C8 cmp eax,dword ptr ss:[ebp-38]
0038FA49 72 08 jb short 0038FA53
0038FA4B 8B4D CC mov ecx,dword ptr ss:[ebp-34]
0038FA4E 3B4D D0 cmp ecx,dword ptr ss:[ebp-30]
0038FA51 76 07 jbe short 0038FA5A
The int formed starting from the 4th element of keys must be between 0x1C42F0F and 0x1D2D9A0.
0038FA53 33C0 xor eax,eax
0038FA55 E9 9D000000 jmp 0038FAF7
0038FA5A 8B55 10 mov edx,dword ptr ss:[ebp+10]
0038FA5D 833A 00 cmp dword ptr ds:[edx],0 ; keep comparing until the fixed string reaches 0
0038FA60 0F84 88000000 je 0038FAEE ; jump to success
0038FA66 8B45 10 mov eax,dword ptr ss:[ebp+10]
0038FA69 8B4D CC mov ecx,dword ptr ss:[ebp-34]
0038FA6C 3B08 cmp ecx,dword ptr ds:[eax]
0038FA6E 75 70 jnz short 0038FAE0 ; jump if not equal, *1
If it does not jump, the large block below has to be analysed as well:
0038FA70 8B55 08 mov edx,dword ptr ss:[ebp+8]
0038FA73 33C0 xor eax,eax
0038FA75 8A42 0A mov al,byte ptr ds:[edx+A]
0038FA78 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
0038FA7B 33D2 xor edx,edx
0038FA7D 8A51 04 mov dl,byte ptr ds:[ecx+4]
0038FA80 3BC2 cmp eax,edx
0038FA82 75 5C jnz short 0038FAE0
0038FA84 C745 F8 0A000000 mov dword ptr ss:[ebp-8],0A
0038FA8B C745 D4 00000000 mov dword ptr ss:[ebp-2C],0
0038FA92 EB 09 jmp short 0038FA9D
0038FA94 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0038FA97 83C0 01 add eax,1
0038FA9A 8945 D4 mov dword ptr ss:[ebp-2C],eax
0038FA9D 837D D4 05 cmp dword ptr ss:[ebp-2C],5
0038FAA1 7D 33 jge short 0038FAD6
0038FAA3 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0038FAA6 034D F8 add ecx,dword ptr ss:[ebp-8]
0038FAA9 33D2 xor edx,edx
0038FAAB 8A11 mov dl,byte ptr ds:[ecx]
0038FAAD 8955 F8 mov dword ptr ss:[ebp-8],edx
0038FAB0 8B45 08 mov eax,dword ptr ss:[ebp+8]
0038FAB3 0345 F8 add eax,dword ptr ss:[ebp-8]
0038FAB6 33C9 xor ecx,ecx
0038FAB8 8A08 mov cl,byte ptr ds:[eax]
0038FABA 8B55 10 mov edx,dword ptr ss:[ebp+10]
0038FABD 0355 D4 add edx,dword ptr ss:[ebp-2C]
0038FAC0 33C0 xor eax,eax
0038FAC2 8A42 05 mov al,byte ptr ds:[edx+5]
0038FAC5 3BC8 cmp ecx,eax
0038FAC7 74 02 je short 0038FACB
0038FAC9 EB 0B jmp short 0038FAD6
0038FACB 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0038FACE 83C1 02 add ecx,2
0038FAD1 894D F8 mov dword ptr ss:[ebp-8],ecx
0038FAD4 ^ EB BE jmp short 0038FA94
0038FAD6 837D D4 05 cmp dword ptr ss:[ebp-2C],5
0038FADA 75 04 jnz short 0038FAE0
0038FADC 33C0 xor eax,eax
0038FADE EB 17 jmp short 0038FAF7
The jump from *1 lands here:
0038FAE0 8B55 10 mov edx,dword ptr ss:[ebp+10]
0038FAE3 83C2 0C add edx,0C ; after adding 0x0C it is 0 (so simply let the jump above be taken)
0038FAE6 8955 10 mov dword ptr ss:[ebp+10],edx
0038FAE9 ^ E9 6CFFFFFF jmp 0038FA5A
0038FAEE B8 01000000 mov eax,1
0038FAF3 EB 02 jmp short 0038FAF7
0038FAF5 33C0 xor eax,eax
0038FAF7 8BE5 mov esp,ebp
0038FAF9 5D pop ebp
0038FAFA C2 0C00 retn 0C
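From this we can derive the keygen algorithm.
The key satisfies the following conditions:
1. The 8th byte = 1
2. The 4 chars starting at the 4th position form an int that lies between 0x1C42F0F and 0x1D2D9A0 and is not equal to the int formed by the first 4 chars of the given string (0x98989898)
3. Starting from 0A, take the value p[a], then use that value as an offset to get another value p[b]; p[b]^m[i] == p[b+1]; a = b+2; continue the loop
4. The p[a] values above are each more than 2 apart from one another, and lie between 0xA and 0x62
The keygen code is given below. In this code I compute only one key; you can of course modify it to compute all keys.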
#include <stdio.h>
void main()
{
char p[100];
char q[201] = {0};
char t[20];
int a = 0x0a;//initial value of a
char b = 0x1f;//I start it at 0x1f; 0x1f lies within 0xA-0x62
char m[] = "\xA5\x5D\x12\xE4\x37";//these are the values the program initialises
for(int i = 0; i < 100; i ++)
p[i] = (char)0x88;//pad with 88 wherever nothing else is needed
for (i = 0; i < 5; i ++)
{
p[a] = b;
p[b + 1] = p[b] ^ m[i];//condition 3 above
a = b + 2;
b = b + 8;//condition 4: I space them 8 apart, and 8 > 2
}
p[4] = 0x11;
p[5] = 0x11;
p[6] = 0x0D1;
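p[7] = 0x01;//these 4 values form 0x1d11111, which is between 0x1C42F0F and 0x1D2D9A0
p[8] = 1;//this value must be 1
//hex-to-string conversion follows; the method is crude, it could really just imitate the strtohex in his program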
for(i = 0; i < 100; i ++)
{
sprintf(t,"%02X",p[i]);
if((unsigned int)p[i] >= 0x80)
{
q[2 * i] = t[6];
q[2 * i + 1] = t[7];
}
else
{
q[2 * i] = t[0];
q[2 * i + 1] = t[1];
}
}
//save to a file
FILE *fp = fopen("C:\\key.dat","w");
if(NULL == fp) return ;
fprintf(fp,"%s",q);
fclose(fp);
}
That concludes the analysis!