Active Messenger (恆創企業信使) v3.03 trace
Active Messenger (恆創企業信使) is an instant messaging system built for enterprises. It aims to solve a company's communication and collaboration problems and improve work efficiency. Employees can use Active Messenger to chat and send files in real time, anytime and anywhere.
【Cracking tool】: OllyDbg 1.09 Chinese version
―――――――――――――――――――――――――――――
【Process】:
Hehe, let's get to work! Ah! ^-^^-^ My skill level is low and many things here are badly put, so please correct me!
Load it in OllyDbg and run it, enter the trial registration code A1BCK-D23LE-4AMNB-5O1CP,
then shortly after pressing the Register button you arrive here:
0041DDD0 PUSH -1
0041DDD2 PUSH AMSAdmin.0046DCC0
0041DDD7 MOV EAX, DWORD PTR FS:[0]
0041DDDD PUSH EAX
0041DDDE MOV DWORD PTR FS:[0], ESP
0041DDE5 SUB ESP, 28
0041DDE8 PUSH EBX
0041DDE9 PUSH EBP
0041DDEA PUSH ESI
0041DDEB PUSH EDI
0041DDEC MOV ESI, ECX
0041DDEE XOR EDI, EDI
0041DDF0 MOV DWORD PTR SS:[ESP+40], EDI
0041DDF4 MOV EAX, DWORD PTR SS:[ESP+48]
0041DDF8 PUSH AMSAdmin.0048CC7C ; 0048CC7C, (ASCII "B6IOH-0S5BS-D606J-PC4Q4")
0041DDFD PUSH EAX ; EAX <== 01284028, (ASCII "A1BCK-D23LE-4AMNB-5O1CP")
0041DDFE CALL AMSAdmin.00437985 // compares the two values above; if they match, it is a 5-user registration
0041DE03 ADD ESP, 8
0041DE06 TEST EAX, EAX
0041DE08 JNZ SHORT AMSAdmin.0041DE17
0041DE0A MOV DWORD PTR SS:[ESP+18], 5
0041DE12 JMP AMSAdmin.0041DFC1
0041DE17 MOV ECX, DWORD PTR SS:[ESP+48]
0041DE1B PUSH AMSAdmin.0048CC64 ; 0048CC64 ASCII "B2DLI-0M3ES-C6L2F-RF3O8"
0041DE20 PUSH ECX ; ECX = 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"
0041DE21 CALL AMSAdmin.00437985 // compares the two values above; if they match, it is a 10-user registration
0041DE26 ADD ESP, 8
0041DE29 TEST EAX, EAX
0041DE2B JNZ SHORT AMSAdmin.0041DE3A
0041DE2D MOV DWORD PTR SS:[ESP+18], 0A
0041DE35 JMP AMSAdmin.0041DFC1
0041DE3A MOV EDX, DWORD PTR DS:[48E3B8]
0041DE40 MOV DWORD PTR SS:[ESP+20], EDX
0041DE44 PUSH ECX
0041DE45 LEA EAX, DWORD PTR SS:[ESP+50]
0041DE49 MOV ECX, ESP
0041DE4B MOV DWORD PTR SS:[ESP+2C], ESP
0041DE4F PUSH EAX
0041DE50 MOV BYTE PTR SS:[ESP+48], 3
0041DE55 CALL AMSAdmin.0044AE98
0041DE5A LEA ECX, DWORD PTR SS:[ESP+14]
0041DE5E PUSH ECX
0041DE5F MOV ECX, ESI
0041DE61 CALL AMSAdmin.0041D9B0
0041DE66 MOV EBX, 4
0041DE6B PUSH 1
0041DE6D PUSH 0E
0041DE6F LEA ECX, DWORD PTR SS:[ESP+18]
0041DE73 MOV BYTE PTR SS:[ESP+48], BL
0041DE77 CALL AMSAdmin.00447696
0041DE7C PUSH 1
0041DE7E PUSH 9
0041DE80 LEA ECX, DWORD PTR SS:[ESP+18]
0041DE84 CALL AMSAdmin.00447696
0041DE89 PUSH 1
0041DE8B PUSH EBX
// from here on the registration code is computed from the software number
0041DE8C LEA ECX, DWORD PTR SS:[ESP+18] ; ECX <== 01284078, (ASCII "7573-7175-7171-7112") <-- software number
0041DE90 CALL AMSAdmin.00447696 ; strips the "-" from the software number
0041DE95 MOV EDX, DWORD PTR SS:[ESP+48] ; EDX = 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP" <-- trial code
0041DE99 CMP DWORD PTR DS:[EDX-8], 17 ; checks that the registration code is 23 characters long
0041DE9D JL AMSAdmin.0041E1AB
0041DEA3 PUSH 1
0041DEA5 PUSH 11
0041DEA7 LEA ECX, DWORD PTR SS:[ESP+50]
0041DEAB CALL AMSAdmin.00447696
0041DEB0 PUSH 1
0041DEB2 PUSH 0B
0041DEB4 LEA ECX, DWORD PTR SS:[ESP+50]
0041DEB8 CALL AMSAdmin.00447696
0041DEBD PUSH 1
0041DEBF PUSH 5
0041DEC1 LEA ECX, DWORD PTR SS:[ESP+50] ; ECX = 01284028 ASCII "A1BCK-D23LE-4AMNB-5O1CP"
0041DEC5 CALL AMSAdmin.00447696 ; strips the "-" from the trial code
0041DECA LEA EAX, DWORD PTR SS:[ESP+18]
0041DECE LEA ECX, DWORD PTR SS:[ESP+30]
0041DED2 PUSH EAX
0041DED3 PUSH ECX
0041DED4 PUSH ECX
0041DED5 LEA EDX, DWORD PTR SS:[ESP+54]
0041DED9 MOV ECX, ESP
0041DEDB MOV DWORD PTR SS:[ESP+34], ESP
0041DEDF PUSH EDX
0041DEE0 CALL AMSAdmin.0044AE98
0041DEE5 MOV ECX, ESI
0041DEE7 CALL AMSAdmin.0041E490 // key spot 1 -- checks the allowed character range of the registration code and computes the key values
0041DEEC MOV EAX, DWORD PTR SS:[ESP+30] ; EAX = 8817B2CD <== first key value
0041DEF0 MOV ECX, DWORD PTR SS:[ESP+34] ; ECX = 6458 <== second key value
0041DEF4 OR EAX, ECX // the value computed from the trial code
0041DEF6 JE AMSAdmin.0041E1AB
// the above is part one
0041DEFC CMP DWORD PTR SS:[ESP+18], EDI
0041DF00 JE AMSAdmin.0041E1AB
0041DF06 PUSH ECX
0041DF07 LEA EDX, DWORD PTR SS:[ESP+50]
0041DF0B MOV ECX, ESP
0041DF0D MOV DWORD PTR SS:[ESP+2C], ESP
0041DF11 PUSH EDX
0041DF12 CALL AMSAdmin.0044AE98
0041DF17 LEA EAX, DWORD PTR SS:[ESP+14]
0041DF1B MOV ECX, ESI
0041DF1D PUSH EAX
0041DF1E CALL AMSAdmin.0041E210 ; key computation -- where the software number is transformed
0041DF23 MOV ECX, DWORD PTR SS:[ESP+10] ; ECX <== 01284348
0041DF27 MOV EAX, DWORD PTR DS:[ECX-8] // ASCII "77b272b67fb274b677b270b6e672bd7016"
0041DF2A CMP EAX, 0F
0041DF2D JLE SHORT AMSAdmin.0041DF5B
0041DF2F LEA EDX, DWORD PTR SS:[ESP+28]
0041DF33 PUSH 0F
0041DF35 PUSH EDX
0041DF36 LEA ECX, DWORD PTR SS:[ESP+18]
0041DF3A CALL AMSAdmin.00447A43
0041DF3F PUSH EAX
0041DF40 LEA ECX, DWORD PTR SS:[ESP+14]
0041DF44 MOV BYTE PTR SS:[ESP+44], 5
0041DF49 CALL AMSAdmin.0044B25C
0041DF4E LEA ECX, DWORD PTR SS:[ESP+28]
0041DF52 MOV BYTE PTR SS:[ESP+40], BL
0041DF56 CALL AMSAdmin.0044B123
0041DF5B LEA ECX, DWORD PTR SS:[ESP+10]
0041DF5F CALL AMSAdmin.0044B645
0041DF64 MOV EAX, DWORD PTR SS:[ESP+10] ; 0012F934 01284438 ASCII "270B6E672BD7016" // the transformed software number
0041DF68 CMP BYTE PTR DS:[EAX], 50
0041DF6B JLE SHORT AMSAdmin.0041DF79
0041DF6D PUSH 46
0041DF6F PUSH EDI
0041DF70 LEA ECX, DWORD PTR SS:[ESP+18]
0041DF74 CALL AMSAdmin.0044B669
0041DF79 PUSH ECX
0041DF7A LEA EDX, DWORD PTR SS:[ESP+14]
0041DF7E MOV ECX, ESP
0041DF80 MOV DWORD PTR SS:[ESP+2C], ESP
0041DF84 PUSH EDX
0041DF85 CALL AMSAdmin.0044AE98
0041DF8A MOV ECX, ESI
0041DF8C CALL AMSAdmin.0041E3D0 ; key computation 2 -- where the software number value is computed
0041DF91 CMP EAX, DWORD PTR SS:[ESP+30] ; EAX = D166F738 SS:[ESP+34] = 8817B2CD
0041DF95 JNZ AMSAdmin.0041E1AB ; key jump <== if they differ, it's over
0041DF9B CMP EDX, DWORD PTR SS:[ESP+34] ; EDX = 0013E9E9 SS:[0012F958] = 00006458
0041DF9F JNZ AMSAdmin.0041E1AB ; key jump <== if they differ, it's over
0041DFA5 LEA ECX, DWORD PTR SS:[ESP+10]
0041DFA9 MOV BYTE PTR SS:[ESP+40], 3
0041DFAE CALL AMSAdmin.0044B123
0041DFB3 LEA ECX, DWORD PTR SS:[ESP+20]
0041DFB7 MOV BYTE PTR SS:[ESP+40], 2
0041DFBC CALL AMSAdmin.0044B123
0041DFC1 MOV DWORD PTR SS:[ESP+20], EDI
0041DFC5 PUSH ECX
0041DFC6 LEA EAX, DWORD PTR SS:[ESP+50]
0041DFCA MOV ECX, ESP
0041DFCC MOV DWORD PTR SS:[ESP+2C], ESP
0041DFD0 PUSH EAX
0041DFD1 MOV BYTE PTR SS:[ESP+48], 6
0041DFD6 CALL AMSAdmin.0044AE98
0041DFDB LEA ECX, DWORD PTR SS:[ESP+54]
0041DFDF PUSH ECX
0041DFE0 MOV ECX, ESI
0041DFE2 CALL AMSAdmin.0041E210
0041DFE7 LEA EDX, DWORD PTR SS:[ESP+50]
0041DFEB LEA EAX, DWORD PTR SS:[ESP+24]
0041DFEF PUSH EDX
0041DFF0 PUSH AMSAdmin.0048CC50 ; ASCII "SOFTWARE\Microsoft\"
0041DFF5 PUSH EAX
// registry operations after a successful registration
0041DFF6 CALL AMSAdmin.0044B42C
0041DFFB MOV EAX, DWORD PTR SS:[ESP+24]
0041DFFF LEA ECX, DWORD PTR SS:[ESP+2C]
0041E003 LEA EDX, DWORD PTR SS:[ESP+28]
0041E007 PUSH ECX ; /pDisposition
0041E008 PUSH EDX ; |pHandle
0041E009 PUSH EDI ; |pSecurity
0041E00A PUSH 0F003F ; |Access = KEY_ALL_ACCESS
0041E00F PUSH EDI ; |Options
0041E010 PUSH EDI ; |Class
0041E011 PUSH EDI ; |Reserved
0041E012 PUSH EAX ; |Subkey
0041E013 PUSH 80000002 ; \hKey = HKEY_LOCAL_MACHINE
0041E018 MOV BYTE PTR SS:[ESP+64], 7
0041E01D MOV DWORD PTR SS:[ESP+4C], EDI
0041E021 CALL DWORD PTR DS:[<&ADVAPI32.RegCrea>; \RegCreateKeyExA
0041E027 CMP EAX, EDI
0041E029 JNZ AMSAdmin.0041E134
0041E02F MOV EDI, DWORD PTR SS:[ESP+28]
0041E033 PUSH ECX
0041E034 LEA EDX, DWORD PTR SS:[ESP+50]
0041E038 MOV ECX, ESP
0041E03A MOV DWORD PTR SS:[ESP+14], ESP
0041E03E PUSH EDX
0041E03F MOV DWORD PTR SS:[ESP+28], EDI
==============================================
First key branch: CALL AMSAdmin.0041E490 // key spot 1 -- checks the allowed range of the registration code and computes the key values
|
0041E490 PUSH -1
0041E492 PUSH AMSAdmin.0046DD60
0041E497 MOV EAX, DWORD PTR FS:[0]
0041E49D PUSH EAX
0041E49E MOV DWORD PTR FS:[0], ESP
0041E4A5 SUB ESP, 0C
0041E4A8 PUSH ESI
0041E4A9 PUSH EDI
0041E4AA MOV EDI, ECX
0041E4AC MOV EAX, DWORD PTR DS:[48E3B8]
0041E4B1 MOV DWORD PTR SS:[ESP+1C], 0
0041E4B9 MOV DWORD PTR SS:[ESP+8], EAX
0041E4BD MOV BYTE PTR SS:[ESP+1C], 1
0041E4C2 MOV ESI, 0C
0041E4C7 /MOV ECX, DWORD PTR SS:[ESP+24] ; ECX <== 01284488, (ASCII "A1BCKD23LE4AMNB5O1CP")
0041E4CB |PUSH 1
0041E4CD |PUSH ESI
0041E4CE |MOV DL, BYTE PTR DS:[ESI+ECX] ; DL <== DS:[ESI+ECX] = 33 ('3') ESI = C ECX = 01284488
0041E4D1 |LEA ECX, DWORD PTR SS:[ESP+2C]
0041E4D5 |MOV BYTE PTR SS:[ESP+14], DL
0041E4D9 |CALL AMSAdmin.00447696
0041E4DE |MOV EAX, DWORD PTR SS:[ESP+C]
0041E4E2 |LEA ECX, DWORD PTR SS:[ESP+8]
0041E4E6 |PUSH EAX
0041E4E7 |PUSH 0
0041E4E9 |CALL AMSAdmin.004476EE
0041E4EE |SUB ESI, 3
0041E4F1 |CMP ESI, 3
0041E4F4 \JGE SHORT AMSAdmin.0041E4C7
// the loop above pulls characters 4, 7, 10 and 13 out of the trial code: "C2EM"
0041E4F6 PUSH AMSAdmin.00492B18
0041E4FB PUSH AMSAdmin.0048CC94
0041E500 LEA ECX, DWORD PTR SS:[ESP+10]
0041E504 CALL AMSAdmin.00447827
0041E509 PUSH ECX
0041E50A LEA EDX, DWORD PTR SS:[ESP+C]
0041E50E MOV ECX, ESP
0041E510 MOV DWORD PTR SS:[ESP+10], ESP
0041E514 PUSH EDX
0041E515 CALL AMSAdmin.0044AE98
0041E51A MOV ECX, EDI
0041E51C CALL AMSAdmin.0041E2D0
0041E521 MOV ECX, DWORD PTR SS:[ESP+2C]
0041E525 MOV DWORD PTR SS:[ESP+10], EDX
0041E529 PUSH ECX
0041E52A LEA EDX, DWORD PTR SS:[ESP+28]
0041E52E MOV DWORD PTR DS:[ECX], EAX
0041E530 MOV ECX, ESP
0041E532 MOV DWORD PTR SS:[ESP+30], ESP
0041E536 PUSH EDX
0041E537 CALL AMSAdmin.0044AE98
0041E53C MOV ECX, EDI
0041E53E CALL AMSAdmin.0041E2D0 // key spot -- checks the allowed range of the registration code and computes the key values
0041E543 MOV ECX, DWORD PTR SS:[ESP+28]
0041E547 MOV BYTE PTR SS:[ESP+1C], 0
0041E54C MOV DWORD PTR DS:[ECX], EAX ; EAX = 8817B2CD <== key value 1
0041E54E MOV DWORD PTR DS:[ECX+4], EDX ; EDX = 6458 <== key value 2
0041E551 LEA ECX, DWORD PTR SS:[ESP+8]
0041E555 CALL AMSAdmin.0044B123
0041E55A LEA ECX, DWORD PTR SS:[ESP+24]
0041E55E MOV DWORD PTR SS:[ESP+1C], -1
0041E566 CALL AMSAdmin.0044B123
0041E56B MOV ECX, DWORD PTR SS:[ESP+14]
0041E56F POP EDI
0041E570 MOV DWORD PTR FS:[0], ECX
0041E577 POP ESI
0041E578 ADD ESP, 18
0041E57B RETN 0C
----------------------------------------------
Second key branch: CALL AMSAdmin.0041E2D0 // checks the allowed range of the registration code and computes the key values
|
0041E2D0 PUSH -1
0041E2D2 PUSH AMSAdmin.0046DD20
0041E2D7 MOV EAX, DWORD PTR FS:[0]
0041E2DD PUSH EAX
0041E2DE MOV DWORD PTR FS:[0], ESP
0041E2E5 SUB ESP, 8
0041E2E8 PUSH ESI
0041E2E9 PUSH EDI
0041E2EA MOV EAX, DWORD PTR DS:[48E3B8]
0041E2EF MOV DWORD PTR SS:[ESP+18], 0
0041E2F7 MOV DWORD PTR SS:[ESP+C], EAX
0041E2FB MOV ECX, DWORD PTR SS:[ESP+20] ; ECX = 012840C8, (ASCII "C2EM")
0041E2FF XOR ESI, ESI // = 01284438 ASCII "A1BKD3L4ANB5O1CP"
0041E301 MOV BYTE PTR SS:[ESP+18], 1
0041E306 MOV EAX, DWORD PTR DS:[ECX-8]
0041E309 TEST EAX, EAX ; EAX = 13
0041E30B JLE SHORT AMSAdmin.0041E386
0041E30D PUSH EBP
0041E30E /TEST ESI, ESI // first pass works on the four extracted characters; second pass on the remaining ones
0041E310 |JE SHORT AMSAdmin.0041E363 // the computed value is used to check the range of the registration code
0041E312 |MOV EDI, ESI
0041E314 |AND EDI, 80000001
0041E31A |JNS SHORT AMSAdmin.0041E321
0041E31C |DEC EDI
0041E31D |OR EDI, FFFFFFFE
0041E320 |INC EDI
0041E321 |JNZ SHORT AMSAdmin.0041E331
0041E323 |MOV EAX, ESI
0041E325 |MOV EBP, 3
0041E32A |CDQ
0041E32B |IDIV EBP
0041E32D |TEST EDX, EDX
0041E32F |JNZ SHORT AMSAdmin.0041E363
0041E331 |TEST EDI, EDI
0041E333 |JE SHORT AMSAdmin.0041E347
0041E335 |MOV EAX, ESI
0041E337 |MOV EBP, 3
0041E33C |CDQ
0041E33D |IDIV EBP
0041E33F |TEST EDX, EDX
0041E341 |JE SHORT AMSAdmin.0041E355 <== decides the fourth character
0041E343 |TEST EDI, EDI
0041E345 |JNZ SHORT AMSAdmin.0041E35D <== decides the first and third characters
0041E347 |MOV EAX, ESI
0041E349 |MOV EDI, 3
0041E34E |CDQ
0041E34F |IDIV EDI
0041E351 |TEST EDX, EDX
0041E353 |JNZ SHORT AMSAdmin.0041E35D <== decides the second character
0041E355 |MOVSX EAX, BYTE PTR DS:[ESI+ECX]
0041E359 |SUB AL, 1B
0041E35B |JMP SHORT AMSAdmin.0041E369
0041E35D |MOVSX EAX, BYTE PTR DS:[ESI+ECX]
0041E361 |JMP SHORT AMSAdmin.0041E369
0041E363 |MOVSX EAX, BYTE PTR DS:[ESI+ECX]
0041E367 |SUB AL, 11
0041E369 |MOV BYTE PTR SS:[ESP+C], AL
0041E36D |MOV ECX, DWORD PTR SS:[ESP+C]
0041E371 |PUSH ECX
0041E372 |LEA ECX, DWORD PTR SS:[ESP+14]
0041E376 |CALL AMSAdmin.0044B526
0041E37B |MOV ECX, DWORD PTR SS:[ESP+24] ; ECX = 012840C8, (ASCII "C2EM")
0041E37F |INC ESI
0041E380 |CMP ESI, DWORD PTR DS:[ECX-8]
0041E383 \JL SHORT AMSAdmin.0041E30E
------------------------------------------
Summary of the loop algorithm:
1. First pass, on the four extracted characters: first character -11; second used as-is; third -11; fourth -1B.
   This gives the new 4-character string ASCII "2242".
2. Then on the remaining 16 characters: first character -11; second as-is; third -11; fourth -1B, and so on round the loop.
   This gives the new 16-character string ASCII "0110331403154125".
-----------------------
|
0041E385 POP EBP
0041E386 MOV EDX, DWORD PTR SS:[ESP+C] ; EDX <== SS:[ESP+C] = 012844D8
0041E38A PUSH EDX ; // characters 4, 7, 10 and 13 of the trial code
0041E38B CALL AMSAdmin.004371BC <== key spot -- checks the allowed range of the registration code
0041E390 ADD ESP, 4 ; // computation of key value 1
0041E393 LEA ECX, DWORD PTR SS:[ESP+C]
0041E397 MOV ESI, EAX ; EAX = 8817B2CD <== first key value
0041E399 MOV EDI, EDX ; EDX = 00006458 <== second key value
0041E39B MOV BYTE PTR SS:[ESP+18], 0
0041E3A0 CALL AMSAdmin.0044B123
0041E3A5 LEA ECX, DWORD PTR SS:[ESP+20]
0041E3A9 MOV DWORD PTR SS:[ESP+18], -1
0041E3B1 CALL AMSAdmin.0044B123
0041E3B6 MOV ECX, DWORD PTR SS:[ESP+10]
0041E3BA MOV EDX, EDI
0041E3BC MOV EAX, ESI
0041E3BE POP EDI
0041E3BF POP ESI
0041E3C0 MOV DWORD PTR FS:[0], ECX
0041E3C7 ADD ESP, 14
0041E3CA RETN 4
--------------------------------------------
Third key branch: CALL AMSAdmin.004371BC checks the allowed range of the registration code
|
004371BC PUSH ECX
004371BD PUSH EBX
004371BE PUSH EBP
004371BF PUSH ESI
004371C0 PUSH EDI
004371C1 MOV EDI, DWORD PTR SS:[ESP+18] ; EDI <== 012844D8, (32 32 34 32)
004371C5 /CMP DWORD PTR DS:[48FCB4], 1 ; // first comparison
004371CC |JLE SHORT AMSAdmin.004371DD
004371CE |MOVZX EAX, BYTE PTR DS:[EDI]
004371D1 |PUSH 8
004371D3 |PUSH EAX
004371D4 |CALL AMSAdmin.0043B7A1
004371D9 |POP ECX
004371DA |POP ECX
004371DB |JMP SHORT AMSAdmin.004371EC
004371DD |MOVZX EAX, BYTE PTR DS:[EDI] ; EAX = DS:[EDI] = 012844D8 = 32
004371E0 |MOV ECX, DWORD PTR DS:[48FAA8] ; AMSAdmin.0048FAB2
004371E6 |MOV AL, BYTE PTR DS:[ECX+EAX*2] ; AL <== DS:[ECX+EAX*2] = 84 ECX = 0048FAB2
004371E9 |AND EAX, 8
004371EC |TEST EAX, EAX
004371EE |JE SHORT AMSAdmin.004371F3
004371F0 |INC EDI
004371F1 \JMP SHORT AMSAdmin.004371C5
004371F3 MOVZX ESI, BYTE PTR DS:[EDI] ; ESI <== DS:[EDI] = 32 EDI = 012844D8
004371F6 INC EDI
004371F7 CMP ESI, 2D
004371FA MOV DWORD PTR SS:[ESP+10], ESI
004371FE JE SHORT AMSAdmin.00437205
00437200 CMP ESI, 2B
00437203 JNZ SHORT AMSAdmin.00437209
00437205 MOVZX ESI, BYTE PTR DS:[EDI]
00437208 INC EDI
00437209 XOR EBX, EBX
0043720B XOR EBP, EBP
0043720D /CMP DWORD PTR DS:[48FCB4], 1
00437214 |JLE SHORT AMSAdmin.00437222 ; // second comparison
00437216 |PUSH 4
00437218 |PUSH ESI
00437219 |CALL AMSAdmin.0043B7A1
0043721E |POP ECX
0043721F |POP ECX
00437220 |JMP SHORT AMSAdmin.0043722D
00437222 |MOV EAX, DWORD PTR DS:[48FAA8]
00437227 |MOV AL, BYTE PTR DS:[EAX+ESI*2] ; AL <== DS:[EAX+ESI*2] = 84
0043722A |AND EAX, 4
0043722D |TEST EAX, EAX
0043722F |JE SHORT AMSAdmin.0043725A
00437231 |LEA EAX, DWORD PTR DS:[ESI-30]
00437234 |PUSH 0
00437236 |CDQ
00437237 |MOV ESI, EAX
00437239 |PUSH 0A
0043723B |PUSH EBP
0043723C |MOV DWORD PTR SS:[ESP+24], ESI
00437240 |PUSH EBX
00437241 |MOV ESI, EDX
00437243 |CALL AMSAdmin.00437E40 <== computation of the key value
00437248 |MOV ECX, DWORD PTR SS:[ESP+18]
0043724C |ADD ECX, EAX
0043724E |ADC ESI, EDX
00437250 |MOV EBX, ECX
00437252 |MOV EBP, ESI
00437254 |MOVZX ESI, BYTE PTR DS:[EDI]
00437257 |INC EDI
00437258 \JMP SHORT AMSAdmin.0043720D
0043725A CMP DWORD PTR SS:[ESP+10], 2D
0043725F MOV EAX, EBX
00437261 JNZ SHORT AMSAdmin.0043726E
00437263 NEG EAX
00437265 MOV EDX, EBP
00437267 ADC EDX, 0
0043726A NEG EDX
0043726C JMP SHORT AMSAdmin.00437270
0043726E MOV EDX, EBP
00437270 POP EDI
00437271 POP ESI
00437272 POP EBP
00437273 POP EBX
00437274 POP ECX
00437275 RETN
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
DS:[ECX+EAX*2] ; AL <== DS:[ECX+EAX*2] = 10 ECX = 0048FAB2 EAX = 23
Memory contents:
|
0048FAB2 20 00 20 00 20 00 20 00 . . . .
0048FABA 20 00 20 00 20 00 20 00 . . . .
0048FAC2 20 00 28 00 28 00 28 00 .(.(.(.
0048FACA 28 00 28 00 20 00 20 00 (.(. . .
0048FAD2 20 00 20 00 20 00 20 00 . . . .
0048FADA 20 00 20 00 20 00 20 00 . . . .
0048FAE2 20 00 20 00 20 00 20 00 . . . .
0048FAEA 20 00 20 00 20 00 20 00 . . . .
0048FAF2 48 00 10 00 10 00 10 00 H....
0048FAFA 10 00 10 00 10 00 10 00 ....
0048FB02 10 00 10 00 10 00 10 00 ....
0048FB0A 10 00 10 00 10 00 10 00 ....
0048FB12 84 00 84 00 84 00 84 00 ????
0048FB1A 84 00 84 00 84 00 84 00 ????
0048FB22 84 00 84 00 10 00 10 00 ??..
0048FB2A 10 00 10 00 10 00 10 00 ....
0048FB32 10 00 81 00 81 00 81 00 .???
0048FB3A 81 00 81 00 81 00 01 00 ???.
0048FB42 01 00 01 00 01 00 01 00 ....
0048FB4A 01 00 01 00 01 00 01 00 ....
0048FB52 01 00 01 00 01 00 01 00 ....
0048FB5A 01 00 01 00 01 00 01 00 ....
0048FB62 01 00 01 00 01 00 10 00 ....
0048FB6A 10 00 10 00 10 00 10 00 ....
0048FB72 10 00 82 00 82 00 82 00 .???
0048FB7A 82 00 82 00 82 00 02 00 ???.
0048FB82 02 00 02 00 02 00 02 00 ....
0048FB8A 02 00 02 00 02 00 02 00 ....
0048FB92 02 00 02 00 02 00 02 00 ....
0048FB9A 02 00 02 00 02 00 02 00 ....
0048FBA2 02 00 02 00 02 00 10 00 ....
0048FBAA 10 00 10 00 10 00 20 00 ... .
Summary of the computation above: the allowed range of the registration code
1. The first comparison loop uses the hex value of each character of the second-pass string, times 2, as an index into the table starting at 0048FAB2; the value read is ANDed with 8, and if the result is 0 it moves on to the second comparison loop.
2. The second comparison loop uses the hex value of each character of the second-pass string, times 2, as an index into the same table starting at 0048FAB2; the value read is ANDed with 4, and if the result is 0 it's over.
   So the looked-up value AND 4 must not be 0.
   Working through the table, the ten values '84' starting at 0048FB12 satisfy the condition; the offset of the first 84 is 60h,
   so the hex value of each character of the second-pass string ranges from 60/2 = 30 to 3A,
   i.e. the second-pass string is in the range 0~9.
3. From this the allowed range of the registration code follows:
   1). 30+11 = 41('A') ~ 4A('J') <-- characters 1, 3, 4, 6, 10, 12, 15, 19
   2). 30+1B = 4B('K') ~ 54('T') <-- characters 5, 9, 13, 14, 17, 20
   3). 30+00 = 30('0') ~ 39('9') <-- characters 2, 7, 8, 11, 16, 18
----------------------------------------------------
CALL AMSAdmin.00437E40 <== computation of the key value
|
00437E40 MOV EAX, DWORD PTR SS:[ESP+8] ; EAX = 5AF3
00437E44 MOV ECX, DWORD PTR SS:[ESP+10]
00437E48 OR ECX, EAX ; checks whether the high dwords are non-zero
00437E4A MOV ECX, DWORD PTR SS:[ESP+C] ; ECX = 32
00437E4E JNZ SHORT AMSAdmin.00437E59
00437E50 MOV EAX, DWORD PTR SS:[ESP+4]
00437E54 MUL ECX
00437E56 RETN 10
00437E59 PUSH EBX
00437E5A MUL ECX ; EAX = 5AF3 * ECX = 32 = 11C376
00437E5C MOV EBX, EAX ; EBX = EAX = 11C376
00437E5E MOV EAX, DWORD PTR SS:[ESP+8] ; EAX = 107A400
00437E62 MUL DWORD PTR SS:[ESP+14] ; = 0
00437E66 ADD EBX, EAX
00437E68 MOV EAX, DWORD PTR SS:[ESP+8] ; EAX = 107A400
00437E6C MUL ECX ; EAX = 107A4000 * ECX(=32) = 37E08000
00437E6E ADD EDX, EBX ; EDX = 3 + EBX(=11C376) = 11C379
00437E70 POP EBX ; EBX = 32
00437E71 RETN 10
Summary of the key value computation:
key value = each digit of the second-pass string * A + the next digit, repeated until the whole string is consumed;
then the low eight hex digits are taken as the first key value and the high part as the second key value.
~ Part one done ~
=======================================
Part two: computing the software number
Since the software number computation is fairly complex and uses floating-point arithmetic, including exponentiation, it is not analysed in detail here.
|
00414800 PUSH -1
00414802 PUSH AMSAdmin.0046C8D0
00414807 MOV EAX, DWORD PTR FS:[0]
0041480D PUSH EAX
0041480E MOV DWORD PTR FS:[0], ESP
00414815 SUB ESP, 8
00414818 PUSH EBP
00414819 PUSH ESI
0041481A PUSH EDI
0041481B MOV EDI, DWORD PTR SS:[ESP+24]
0041481F MOV DWORD PTR SS:[ESP+1C], 0
00414827 MOV EAX, DWORD PTR DS:[EDI] ; EAX <== 012841B8, (ASCII "7573717571717112") software number
00414829 MOV ECX, DWORD PTR DS:[EAX-8] ; ECX = 10
0041482C TEST ECX, ECX
0041482E JE AMSAdmin.0041495D
00414834 MOV ECX, DWORD PTR DS:[48E3B8]
0041483A MOV DWORD PTR SS:[ESP+24], ECX
0041483E MOV DWORD PTR SS:[ESP+C], ECX
00414842 MOV EBP, DWORD PTR DS:[EAX-8] ; EBP = 10
00414845 MOV BYTE PTR SS:[ESP+1C], 2
0041484A MOV EAX, EBP
0041484C AND EAX, 80000003
00414851 JNS SHORT AMSAdmin.00414858
00414853 DEC EAX
00414854 OR EAX, FFFFFFFC
00414857 INC EAX
00414858 JE SHORT AMSAdmin.00414877
0041485A /PUSH 30
0041485C |MOV ECX, EDI
0041485E |CALL AMSAdmin.0044B526
00414863 |MOV ECX, DWORD PTR DS:[EDI]
00414865 |MOV EDX, DWORD PTR DS:[ECX-8]
00414868 |AND EDX, 80000003
0041486E |JNS SHORT AMSAdmin.00414875
00414870 |DEC EDX
00414871 |OR EDX, FFFFFFFC
00414874 |INC EDX
00414875 \JNZ SHORT AMSAdmin.0041485A
00414877 MOV EAX, DWORD PTR DS:[EDI] ; EAX <== 012841B8, (ASCII "7573717571717112")
00414879 XOR ESI, ESI
0041487B MOV ECX, DWORD PTR DS:[EAX-8] ; ECX = 10
0041487E TEST ECX, ECX
00414880 JLE SHORT AMSAdmin.004148CF ; // computing with the software number
00414882 /MOVSX EAX, BYTE PTR DS:[EAX+ESI] ; EAX = DS:[EAX+ESI] = 37 EAX = 012841B8 ESI = 0 ("7573717571717112")
00414886 |TEST EAX, EAX
00414888 |JGE SHORT AMSAdmin.0041488F
0041488A |ADD EAX, 100
0041488F |PUSH EAX
00414890 |LEA EAX, DWORD PTR SS:[ESP+28]
00414894 |PUSH AMSAdmin.0048C4B4 ; ASCII "%x"
00414899 |PUSH EAX
0041489A |CALL AMSAdmin.00447EDF
0041489F |MOV ECX, DWORD PTR SS:[ESP+30] ; ECX = 01284438, (ASCII "37")
004148A3 |ADD ESP, 0C
004148A6 |CMP DWORD PTR DS:[ECX-8], 1
004148AA |JNZ SHORT AMSAdmin.004148B9
004148AC |PUSH 30
004148AE |PUSH 0
004148B0 |LEA ECX, DWORD PTR SS:[ESP+2C]
004148B4 |CALL AMSAdmin.004476EE
004148B9 |LEA EDX, DWORD PTR SS:[ESP+24]
004148BD |LEA ECX, DWORD PTR SS:[ESP+C]
004148C1 |PUSH EDX
004148C2 |CALL AMSAdmin.0044B53B
004148C7 |MOV EAX, DWORD PTR DS:[EDI] ; EAX = DS:[EDI] = 012841B8, (ASCII "7573717571717112")
004148C9 |INC ESI
004148CA |CMP ESI, DWORD PTR DS:[EAX-8] ; DS:[EAX-8] = 10
004148CD \JL SHORT AMSAdmin.00414882
004148CF PUSH ECX
004148D0 LEA EAX, DWORD PTR SS:[ESP+2C]
004148D4 MOV ECX, ESP
004148D6 MOV DWORD PTR SS:[ESP+14], ESP
004148DA PUSH EAX
004148DB CALL AMSAdmin.0044AE98
004148E0 LEA ECX, DWORD PTR SS:[ESP+10]
004148E4 PUSH ECX
004148E5 CALL AMSAdmin.00414D80
004148EA ADD ESP, 8
004148ED LEA EDX, DWORD PTR SS:[ESP+24]
004148F1 PUSH EBP
004148F2 PUSH AMSAdmin.0048C1BC ; ASCII "%d"
004148F7 PUSH EDX
004148F8 CALL AMSAdmin.00447EDF
004148FD ADD ESP, 0C
00414900 CMP EBP, 0A
00414903 JGE SHORT AMSAdmin.00414912
00414905 PUSH 30
00414907 PUSH 0
00414909 LEA ECX, DWORD PTR SS:[ESP+2C]
0041490D CALL AMSAdmin.004476EE
00414912 LEA EAX, DWORD PTR SS:[ESP+24]
00414916 LEA ECX, DWORD PTR SS:[ESP+C]
0041491A PUSH EAX
0041491B LEA EDX, DWORD PTR SS:[ESP+14]
0041491F PUSH ECX
00414920 PUSH EDX
00414921 CALL AMSAdmin.0044B352
00414926 PUSH EAX
00414927 MOV ECX, EDI
00414929 MOV BYTE PTR SS:[ESP+20], 3
0041492E CALL AMSAdmin.0044B25C
00414933 LEA ECX, DWORD PTR SS:[ESP+10]
00414937 MOV BYTE PTR SS:[ESP+1C], 2
0041493C CALL AMSAdmin.0044B123
00414941 LEA ECX, DWORD PTR SS:[ESP+C]
00414945 MOV BYTE PTR SS:[ESP+1C], 1
0041494A CALL AMSAdmin.0044B123
0041494F LEA ECX, DWORD PTR SS:[ESP+24]
00414953 MOV BYTE PTR SS:[ESP+1C], 0
00414958 CALL AMSAdmin.0044B123
0041495D LEA ECX, DWORD PTR SS:[ESP+28]
00414961 MOV DWORD PTR SS:[ESP+1C], -1
00414969 CALL AMSAdmin.0044B123
0041496E MOV ECX, DWORD PTR SS:[ESP+14]
00414972 POP EDI
00414973 POP ESI
00414974 MOV DWORD PTR FS:[0], ECX
0041497B POP EBP
0041497C ADD ESP, 14
0041497F RETN
0044B4A0 PUSH EBX
0044B4A1 PUSH ESI
0044B4A2 PUSH EDI
0044B4A3 MOV EDI, DWORD PTR SS:[ESP+10]
0044B4A7 TEST EDI, EDI
0044B4A9 MOV ESI, ECX
0044B4AB JE SHORT AMSAdmin.0044B4F9
0044B4AD MOV EAX, DWORD PTR DS:[ESI] ; EAX <== DS:[ESI] = 012840C8, (ASCII "37353733373137")
0044B4AF CMP DWORD PTR DS:[EAX-C], 1
0044B4B3 LEA EBX, DWORD PTR DS:[EAX-C]
0044B4B6 JG SHORT AMSAdmin.0044B4E3
0044B4B8 MOV ECX, DWORD PTR DS:[EAX-8]
0044B4BB LEA EDX, DWORD PTR DS:[ECX+EDI]
0044B4BE CMP EDX, DWORD PTR DS:[EAX-4]
0044B4C1 JG SHORT AMSAdmin.0044B4E3
0044B4C3 PUSH EDI
0044B4C4 ADD ECX, EAX
0044B4C6 PUSH DWORD PTR SS:[ESP+18]
0044B4CA PUSH ECX
0044B4CB CALL AMSAdmin.004381F0
0044B4D0 MOV EAX, DWORD PTR DS:[ESI]
0044B4D2 ADD ESP, 0C
0044B4D5 ADD DWORD PTR DS:[EAX-8], EDI
0044B4D8 MOV EAX, DWORD PTR DS:[ESI]
0044B4DA MOV ECX, DWORD PTR DS:[EAX-8]
0044B4DD AND BYTE PTR DS:[ECX+EAX], 0
0044B4E1 JMP SHORT AMSAdmin.0044B4F9
0044B4E3 PUSH DWORD PTR SS:[ESP+14]
0044B4E7 MOV ECX, ESI
0044B4E9 PUSH EDI
0044B4EA PUSH EAX
0044B4EB PUSH DWORD PTR DS:[EAX-8]
0044B4EE CALL AMSAdmin.0044B314
0044B4F3 PUSH EBX
0044B4F4 CALL AMSAdmin.0044B08B
0044B4F9 POP EDI
0044B4FA POP ESI
0044B4FB POP EBX
0044B4FC RETN 8
0043835C MOV AL, BYTE PTR DS:[ESI] ; AL = DS:[ESI] = 33 ('3')
0043835E MOV BYTE PTR DS:[EDI], AL
00438360 MOV AL, BYTE PTR DS:[ESI+1]
00438363 MOV BYTE PTR DS:[EDI+1], AL
00438366 MOV EAX, DWORD PTR SS:[EBP+8] ; EAX <== 012840D6, (ASCII "3575717171")
00438369 POP ESI
0043836A POP EDI
0043836B LEAVE
0043836C RETN
0041E3D0 PUSH -1
0041E3D2 PUSH AMSAdmin.0046DD38
0041E3D7 MOV EAX, DWORD PTR FS:[0]
0041E3DD PUSH EAX
0041E3DE MOV DWORD PTR FS:[0], ESP
0041E3E5 SUB ESP, 0C
0041E3E8 PUSH EBP
0041E3E9 PUSH ESI
0041E3EA PUSH EDI
0041E3EB XOR EBP, EBP
0041E3ED LEA ECX, DWORD PTR SS:[ESP+28]
0041E3F1 MOV DWORD PTR SS:[ESP+20], EBP
0041E3F5 MOV DWORD PTR SS:[ESP+14], EBP
0041E3F9 CALL AMSAdmin.0044B645
0041E3FE MOV EAX, DWORD PTR SS:[ESP+28] ; EAX = 01284348, ASCII "270B6E672BD7016" <-- string generated from the software number
0041E402 XOR ESI, ESI
0041E404 MOV EDI, DWORD PTR DS:[EAX-8] ; EDI = F
0041E407 CMP EDI, EBP
0041E409 JLE SHORT AMSAdmin.0041E45B
0041E40B PUSH EBX
0041E40C /FLD QWORD PTR DS:[474D28] ; ST = 10
0041E412 |MOV ECX, DWORD PTR SS:[ESP+2C] ; ECX = 01284348, ASCII "270B6E672BD7016"
0041E416 |MOV EDX, EDI
0041E418 |SUB EDX, ESI
0041E41A |MOV BL, BYTE PTR DS:[ESI+ECX] ; BL = DS:[ESI+ECX] = 32 ESI = 0 ECX = 01284348
0041E41D |DEC EDX
0041E41E |MOV DWORD PTR SS:[ESP+10], EDX
0041E422 |FILD DWORD PTR SS:[ESP+10] ; ST = 14 (0E)
0041E426 |CALL AMSAdmin.00437E80
0041E42B |CALL AMSAdmin.00437624
0041E430 |MOV ECX, EAX ; ECX = 107A4000
0041E432 |MOVSX EAX, BL ; EAX = BL = 32
0041E435 |MOV DWORD PTR SS:[ESP+10], ECX
0041E439 |MOV ECX, EDX ; ECX = EDX = 00005AF3
0041E43B |CDQ
0041E43C |PUSH EDX
0041E43D |MOV EDX, DWORD PTR SS:[ESP+14] ; EDX = 107A4000
0041E441 |PUSH EAX ; EAX = 32
0041E442 |PUSH ECX ; ECX = 5AF3
0041E443 |PUSH EDX ; EDX = 107A4000
0041E444 |CALL AMSAdmin.00437E40
0041E449 |MOV EBX, DWORD PTR SS:[ESP+18] ; EBX = 0
0041E44D |ADD EBP, EAX ; after F iterations EBP = D166F738 <-- key value (low part)
0041E44F |ADC EBX, EDX ; EBX = 11C379
0041E451 |INC ESI
0041E452 |CMP ESI, EDI ; EDI = F ESI = 0++
0041E454 |MOV DWORD PTR SS:[ESP+18], EBX ; after F iterations EBX = 13E9E9 <-- key value (high part)
0041E458 \JL SHORT AMSAdmin.0041E40C
0041E45A POP EBX ; EBX = 4
0041E45B LEA ECX, DWORD PTR SS:[ESP+28]
0041E45F MOV DWORD PTR SS:[ESP+20], -1
0041E467 CALL AMSAdmin.0044B123
0041E46C MOV ECX, DWORD PTR SS:[ESP+18]
0041E470 MOV EDX, DWORD PTR SS:[ESP+14]
0041E474 POP EDI
0041E475 MOV EAX, EBP
0041E477 POP ESI
0041E478 POP EBP
0041E479 MOV DWORD PTR FS:[0], ECX
0041E480 ADD ESP, 18
0041E483 RETN 4
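To cross-check the register values hand-traced in the listings above (the multiply helper at 00437E40, the digit loop at 004371BC and the weighted sum at 0041E3D0), here is an added C reimplementation of those three loops; it is not the program's own code, the input strings are the ones observed in the trace, and an integer power loop stands in for the FPU pow() call the listing makes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the helper at 00437E40: a 64x64->64 multiply done with three
 * 32-bit MULs, operands and result passed as (low, high) dword pairs. */
static void mul64_parts(uint32_t a_lo, uint32_t a_hi, uint32_t b_lo, uint32_t b_hi,
                        uint32_t *r_lo, uint32_t *r_hi)
{
    uint64_t low = (uint64_t)a_lo * b_lo;             /* MUL ECX -> EDX:EAX */
    uint32_t cross = 0;
    if ((a_hi | b_hi) != 0) {                         /* OR ECX, EAX / JNZ */
        cross  = (uint32_t)((uint64_t)a_hi * b_lo);   /* first MUL, kept in EBX */
        cross += (uint32_t)((uint64_t)a_lo * b_hi);   /* MUL [ESP+14]; ADD EBX, EAX */
    }
    *r_lo = (uint32_t)low;
    *r_hi = (uint32_t)(low >> 32) + cross;            /* ADD EDX, EBX */
}

/* Mirror of 004371BC: skip blanks (the "AND 8" table check), take an optional
 * sign, then acc = acc*10 + digit for every decimal digit (the "AND 4" table
 * check), accumulating in 64 bits via mul64_parts plus an ADD/ADC pair.
 * Returns the number of digits consumed; the key halves go to key_lo/key_hi. */
static int decimal_to_key(const char *s, uint32_t *key_lo, uint32_t *key_hi)
{
    uint32_t lo = 0, hi = 0, t_lo, t_hi;
    int neg = 0, n = 0;
    while (*s == ' ' || (*s >= '\t' && *s <= '\r')) s++;
    if (*s == '-' || *s == '+') neg = (*s++ == '-');
    for (; *s >= '0' && *s <= '9'; s++, n++) {
        uint64_t sum;
        mul64_parts(lo, hi, 10, 0, &t_lo, &t_hi);     /* CALL 00437E40 with 0A */
        sum = (uint64_t)t_lo + (uint32_t)(*s - '0');  /* ADD ECX, EAX */
        lo = (uint32_t)sum;
        hi = t_hi + (uint32_t)(sum >> 32);            /* ADC ESI, EDX */
    }
    if (neg) {                                        /* NEG EAX / ADC EDX, 0 / NEG EDX */
        uint64_t v = (uint64_t)0 - (((uint64_t)hi << 32) | lo);
        lo = (uint32_t)v; hi = (uint32_t)(v >> 32);
    }
    *key_lo = lo; *key_hi = hi;
    return n;
}

/* Mirror of the loop at 0041E3D0: for an n-character string add
 * ascii(s[i]) * 10^(n-1-i) into the 64-bit EBX:EBP accumulator. */
static void weighted_sum_key(const char *s, uint32_t *key_lo, uint32_t *key_hi)
{
    size_t n = strlen(s), i, e;
    uint32_t acc_lo = 0, acc_hi = 0;
    for (i = 0; i < n; i++) {
        uint64_t pw = 1, sum;
        int32_t c = (int8_t)s[i];                     /* MOVSX EAX, BL; CDQ */
        uint32_t c_hi = c < 0 ? 0xFFFFFFFFu : 0u, p_lo, p_hi;
        for (e = 0; e < n - 1 - i; e++) pw *= 10;     /* stands in for FLD 10 / pow / ftol */
        mul64_parts((uint32_t)pw, (uint32_t)(pw >> 32), (uint32_t)c, c_hi, &p_lo, &p_hi);
        sum = (uint64_t)acc_lo + p_lo;                /* ADD EBP, EAX */
        acc_lo = (uint32_t)sum;
        acc_hi += p_hi + (uint32_t)(sum >> 32);       /* ADC EBX, EDX */
    }
    *key_lo = acc_lo; *key_hi = acc_hi;
}

int main(void)
{
    uint32_t lo, hi;
    mul64_parts(0x107A4000u, 0x5AF3u, 0x32u, 0u, &lo, &hi);   /* operands seen at 0041E441-443 */
    printf("00437E40: EDX:EAX = %08X:%08X\n", hi, lo);        /* 0011C379:37E08000 */
    decimal_to_key("0110331403154125", &lo, &hi);             /* second-pass string of the trial code */
    printf("trial code side: EAX=%08X EDX=%08X\n", lo, hi);   /* 8817B2CD 00006458 */
    weighted_sum_key("270B6E672BD7016", &lo, &hi);            /* string generated from the software number */
    printf("software side:   EAX=%08X EDX=%08X\n", lo, hi);   /* D166F738 0013E9E9 */
    return 0;
}
```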
====================================================
That completes the analysis of the registration algorithm. To sum up:
a registration code is correct when: the value computed from the software number = the value computed from the registration code.
Cracked fxyang[OCN]
2003.4.5