Two-Pronged Algorithm Analysis ----- FTP搜尋利器 3.0 (SDSFtpSearch)
Title: Two-Pronged Algorithm Analysis ----- FTP搜尋利器 3.0
Poster: FTBirthday
Date: 27 September 2003, 02:36
Details:
※Software limitations※: "The unregistered version has no functional limits, but there is a nag: 'You are an unregistered user. Each time this software starts we will pose an arithmetic problem. Careful! There are no functional limits; answer correctly and you can use it.'"
※Cracking tools※: Ollydbg 1.09, FileMon
※Registration scheme※: input validation + restart validation; the serial appears in plaintext.
※Let's begin※: load FTP搜尋利器 3.0 in Ollydbg 1.09
*******************************************************
Method (1): starting from the input validation:
*******************************************************
Enter in the registration dialog:
User name: FTBirthday
Serial: 7878787878
Set a breakpoint on MessageBoxA
0012C074 73D39CCB /CALL to MessageBoxA from MFC42.73D39CC5
0012C078 0005028A |hOwner = 0005028A (class='#32770',parent=00910204)
0012C07C 0041CC4C |Text = "註冊碼不正確。"
0012C080 003741B8 |Title = "SDSFtpSearch"
0012C084 00000030 Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
Return a few times to reach the key code in the main program
00412400 . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00412406 . 6A FF PUSH -1
00412408 . 68 40504100 PUSH SDSFtpSe.00415040
0041240D . 50 PUSH EAX
0041240E . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00412415 . 83EC 60 SUB ESP,60
00412418 . 53 PUSH EBX
00412419 . 55 PUSH EBP
0041241A . 8BE9 MOV EBP,ECX
0041241C . 6A 01 PUSH 1
0041241E . E8 0B090000 CALL <JMP.&MFC42.#6334> ; read the user name
00412423 . 8B85 98010000 MOV EAX,DWORD PTR SS:[EBP+198] ; user name into EAX
00412429 . 8D9D 98010000 LEA EBX,DWORD PTR SS:[EBP+198] ; 0012CBF4 48 71 37 Hq7
0041242F . 68 0CCD4100 PUSH SDSFtpSe.0041CD0C ; /s2 = ""
00412434 . 50 PUSH EAX ; |s1
00412435 . FF15 A4654100 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; _mbscmp
0041243B . 83C4 08 ADD ESP,8
0041243E . 85C0 TEST EAX,EAX
00412440 . 75 1D JNZ SHORT SDSFtpSe.0041245F ; check whether the user name is empty
00412442 . 50 PUSH EAX
00412443 . 50 PUSH EAX
00412444 . 68 6CCC4100 PUSH SDSFtpSe.0041CC6C
00412449 . E8 7A080000 CALL <JMP.&MFC42.#1200> ; prompt that the user name is empty
0041244E . 5D POP EBP
0041244F . 5B POP EBX
00412450 . 8B4C24 60 MOV ECX,DWORD PTR SS:[ESP+60]
00412454 . 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
0041245B . 83C4 6C ADD ESP,6C
0041245E . C3 RETN
0041245F > 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00412463 . E8 20090000 CALL <JMP.&MFC42.#354>
00412468 . 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0041246C . C74424 70 000000>MOV DWORD PTR SS:[ESP+70],0
00412474 . E8 B1030000 CALL <JMP.&MFC42.#540>
00412479 . 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0041247D . C64424 70 01 MOV BYTE PTR SS:[ESP+70],1
00412482 . E8 A3030000 CALL <JMP.&MFC42.#540>
00412487 . 68 ECC24100 PUSH SDSFtpSe.0041C2EC ; ASCII "my"
0041248C . 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
00412490 . 68 E0D14100 PUSH SDSFtpSe.0041D1E0
00412495 . 50 PUSH EAX
00412496 . C64424 7C 02 MOV BYTE PTR SS:[ESP+7C],2
0041249B . E8 B8080000 CALL <JMP.&MFC42.#924>
004124A0 . 50 PUSH EAX
004124A1 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004124A5 . C64424 74 03 MOV BYTE PTR SS:[ESP+74],3
004124AA . E8 29040000 CALL <JMP.&MFC42.#858>
004124AF . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004124B3 . C64424 70 02 MOV BYTE PTR SS:[ESP+70],2
004124B8 . E8 55030000 CALL <JMP.&MFC42.#800>
004124BD . 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
004124C1 . 6A 00 PUSH 0
004124C3 . 68 01100000 PUSH 1001
004124C8 . 51 PUSH ECX
004124C9 . 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
004124CD . E8 B0080000 CALL <JMP.&MFC42.#5186>
004124D2 . 85C0 TEST EAX,EAX
004124D4 . 0F84 37010000 JE SDSFtpSe.00412611
004124DA . 56 PUSH ESI
004124DB . 81C5 8C010000 ADD EBP,18C
004124E1 . 57 PUSH EDI
004124E2 . 55 PUSH EBP
004124E3 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004124E7 . E8 EC030000 CALL <JMP.&MFC42.#858>
004124EC . B9 0C000000 MOV ECX,0C
004124F1 . 33C0 XOR EAX,EAX
004124F3 . 8D7C24 30 LEA EDI,DWORD PTR SS:[ESP+30]
004124F7 . 50 PUSH EAX
004124F8 . F3:AB REP STOS DWORD PTR ES:[EDI]
004124FA . 8BCB MOV ECX,EBX
004124FC . E8 99050000 CALL <JMP.&MFC42.#2915> ; read the user name
00412501 . 8BF8 MOV EDI,EAX ; user name into EDI
00412503 . 83C9 FF OR ECX,FFFFFFFF ; set ECX to FFFFFFFF
00412506 . 33C0 XOR EAX,EAX
00412508 . 8D5424 30 LEA EDX,DWORD PTR SS:[ESP+30]
0041250C . F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; find the user name length
0041250E . F7D1 NOT ECX ; ECX = user name length + 1
00412510 . 2BF9 SUB EDI,ECX ; EDI points back to the user name
00412512 . 6A 30 PUSH 30
00412514 . 8BC1 MOV EAX,ECX ; EAX = user name length + 1
00412516 . 8BF7 MOV ESI,EDI ; user name into ESI
00412518 . 8BFA MOV EDI,EDX
0041251A . C1E9 02 SHR ECX,2 ; shift ECX right by 2
0041251D . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0041251F . 8BC8 MOV ECX,EAX
00412521 . 83E1 03 AND ECX,3
00412524 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00412526 . 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34] ; ECX points to the user name
0041252A . 51 PUSH ECX
0041252B . 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
0041252F . E8 8A080000 CALL <JMP.&MFC42.#6385>
00412534 . 33D2 XOR EDX,EDX
00412536 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0041253A . 895424 30 MOV DWORD PTR SS:[ESP+30],EDX
0041253E . 895424 34 MOV DWORD PTR SS:[ESP+34],EDX
00412542 . 895424 38 MOV DWORD PTR SS:[ESP+38],EDX
00412546 . 52 PUSH EDX
00412547 . 895424 40 MOV DWORD PTR SS:[ESP+40],EDX
0041254B . E8 4A050000 CALL <JMP.&MFC42.#2915> ; read the serial
00412550 . 8BF8 MOV EDI,EAX
00412552 . 83C9 FF OR ECX,FFFFFFFF
00412555 . 33C0 XOR EAX,EAX
00412557 . 8D5424 30 LEA EDX,DWORD PTR SS:[ESP+30]
0041255B . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0041255D . F7D1 NOT ECX
0041255F . 2BF9 SUB EDI,ECX
00412561 . 6A 10 PUSH 10
00412563 . 8BC1 MOV EAX,ECX
00412565 . 8BF7 MOV ESI,EDI
00412567 . 8BFA MOV EDI,EDX
00412569 . C1E9 02 SHR ECX,2
0041256C . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0041256E . 8BC8 MOV ECX,EAX
00412570 . 83E1 03 AND ECX,3
00412573 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00412575 . 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
00412579 . 51 PUSH ECX
0041257A . 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
0041257E . E8 3B080000 CALL <JMP.&MFC42.#6385>
00412583 . 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
00412587 . E8 F0070000 CALL <JMP.&MFC42.#1979>
0041258C . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00412590 . E8 95020000 CALL <JMP.&MFC42.#540>
00412595 . 8B0D 20DA4100 MOV ECX,DWORD PTR DS:[41DA20]
0041259B . 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
0041259F . 52 PUSH EDX ; /Arg1
004125A0 . C64424 7C 04 MOV BYTE PTR SS:[ESP+7C],4 ; |
004125A5 . E8 D6DCFFFF CALL SDSFtpSe.00410280 ; SDSFtpSe.00410280
004125AA . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
004125AE . 53 PUSH EBX
004125AF . 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
004125B3 . 50 PUSH EAX
004125B4 . 51 PUSH ECX
004125B5 . E8 A4070000 CALL <JMP.&MFC42.#922>
004125BA . C64424 78 05 MOV BYTE PTR SS:[ESP+78],5
004125BF . 50 PUSH EAX
004125C0 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
004125C4 . E8 0F030000 CALL <JMP.&MFC42.#858>
004125C9 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
004125CD . C64424 78 04 MOV BYTE PTR SS:[ESP+78],4
004125D2 . E8 3B020000 CALL <JMP.&MFC42.#800>
004125D7 . 8B0D 20DA4100 MOV ECX,DWORD PTR DS:[41DA20]
004125DD . 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+18]
004125E1 . 55 PUSH EBP ; /Arg2
004125E2 . 52 PUSH EDX ; |Arg1
004125E3 . E8 48DEFFFF CALL SDSFtpSe.00410430 ; SDSFtpSe.00410430
004125E8 . 5F POP EDI ; key CALL: the registration flag is written into EAX
004125E9 . 5E POP ESI
004125EA . 85C0 TEST EAX,EAX ; test the registration flag
004125EC . 6A 00 PUSH 0
004125EE . 6A 00 PUSH 0
004125F0 . 74 07 JE SHORT SDSFtpSe.004125F9 ; key jump: if taken, failure!
004125F2 . 68 5CCC4100 PUSH SDSFtpSe.0041CC5C
004125F7 . EB 05 JMP SHORT SDSFtpSe.004125FE
004125F9 > 68 4CCC4100 PUSH SDSFtpSe.0041CC4C
004125FE > E8 C5060000 CALL <JMP.&MFC42.#1200> ; this pops up the registration failure message.
*******************************************************
Method (2): starting from the restart validation:
*******************************************************
Restart validation: monitoring the startup with FileMon and RegMon shows that it reads and opens the file my, which stores the registration information.
The user name and serial are kept in the my file and are checked when it is opened.
Set a breakpoint on CreateFileA
0012D108 73D4040B /CALL to CreateFileA from MFC42.73D40405
0012D10C 003770F8 |FileName = "D:crackCrackingSDSFtpSearchSDSINImy"
0012D110 80000000 |Access = GENERIC_READ
0012D114 00000000 |ShareMode = 0
0012D118 0012D238 |pSecurity = 0012D238
0012D11C 00000003 |Mode = OPEN_EXISTING
0012D120 00000080 |Attributes = NORMAL
0012D124 00000000 hTemplateFile = NULL
0012D128 0012D78C ASCII "PuA"
Return a few times to reach the key code in the main program
0040E9E7 |. E8 96430000 CALL <JMP.&MFC42.#5186> ; open the my file, checking whether it already exists
0040E9EC |. 85C0 TEST EAX,EAX
0040E9EE |. 0F84 64010000 JE SDSFtpSe.0040EB58
0040E9F4 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040E9F8 |. E8 2D3E0000 CALL <JMP.&MFC42.#540>
0040E9FD |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0040EA01 |. C68424 6C020000 >MOV BYTE PTR SS:[ESP+26C],0A
0040EA09 |. E8 1C3E0000 CALL <JMP.&MFC42.#540>
0040EA0E |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
0040EA12 |. C68424 6C020000 >MOV BYTE PTR SS:[ESP+26C],0B
0040EA1A |. E8 0B3E0000 CALL <JMP.&MFC42.#540>
0040EA1F |. 8D4424 40 LEA EAX,DWORD PTR SS:[ESP+40]
0040EA23 |. 6A 30 PUSH 30
0040EA25 |. 50 PUSH EAX
0040EA26 |. 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
0040EA2A |. C68424 74020000 >MOV BYTE PTR SS:[ESP+274],0C
0040EA32 |. E8 8D430000 CALL <JMP.&MFC42.#5442> ; read the user name from the my file
0040EA37 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
0040EA3B |. 51 PUSH ECX ; /Arg1
0040EA3C |. 8BCF MOV ECX,EDI ; |
0040EA3E |. E8 3D180000 CALL SDSFtpSe.00410280 ; SDSFtpSe.00410280
0040EA43 |. 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
0040EA47 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C] ; EAX指向使用者名稱
0040EA4B |. 52 PUSH EDX
0040EA4C |. 68 44C24100 PUSH SDSFtpSe.0041C244 ; ASCII "%s"
0040EA51 |. 50 PUSH EAX
0040EA52 |. E8 E3420000 CALL <JMP.&MFC42.#2818>
0040EA57 |. 83C4 0C ADD ESP,0C
0040EA5A |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
0040EA5E |. 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+18]
0040EA62 |. 8D4424 38 LEA EAX,DWORD PTR SS:[ESP+38]
0040EA66 |. 51 PUSH ECX
0040EA67 |. 52 PUSH EDX
0040EA68 |. 50 PUSH EAX
0040EA69 |. E8 EA420000 CALL <JMP.&MFC42.#924>
0040EA6E |. 50 PUSH EAX
0040EA6F |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
0040EA73 |. C68424 70020000 >MOV BYTE PTR SS:[ESP+270],0D
0040EA7B |. E8 583E0000 CALL <JMP.&MFC42.#858>
0040EA80 |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
0040EA84 |. C68424 6C020000 >MOV BYTE PTR SS:[ESP+26C],0C
0040EA8C |. E8 813D0000 CALL <JMP.&MFC42.#800>
0040EA91 |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
0040EA95 |. 6A 10 PUSH 10
0040EA97 |. 51 PUSH ECX
0040EA98 |. 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
0040EA9C |. E8 23430000 CALL <JMP.&MFC42.#5442> ; read the serial from the my file
0040EAA1 |. 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
0040EAA5 |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
0040EAA9 |. 52 PUSH EDX
0040EAAA |. 68 44C24100 PUSH SDSFtpSe.0041C244 ; ASCII "%s"
0040EAAF |. 50 PUSH EAX
0040EAB0 |. 885C24 5C MOV BYTE PTR SS:[ESP+5C],BL
0040EAB4 |. E8 81420000 CALL <JMP.&MFC42.#2818>
0040EAB9 |. 83C4 0C ADD ESP,0C
0040EABC |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040EAC0 |. 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
0040EAC4 |. 51 PUSH ECX ; /Arg2
0040EAC5 |. 52 PUSH EDX ; |Arg1
0040EAC6 |. 8BCF MOV ECX,EDI ; |
0040EAC8 |. E8 63190000 CALL SDSFtpSe.00410430 ; SDSFtpSe.00410430 key call
0040EACD |. 85C0 TEST EAX,EAX
0040EACF |. 74 4B JE SHORT SDSFtpSe.0040EB1C
0040EAD1 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
0040EAD5 |. C705 28DA4100 > MOV DWORD PTR DS:[41DA28],1
0040EADF |. E8 98420000 CALL <JMP.&MFC42.#1979>
0040EAE4 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
0040EAE8 |. C68424 6C02000> MOV BYTE PTR SS:[ESP+26C],0B
0040EAF0 |. E8 1D3D0000 CALL <JMP.&MFC42.#800>
0040EAF5 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0040EAF9 |. C68424 6C02000> MOV BYTE PTR SS:[ESP+26C],0A
0040EB01 |. E8 0C3D0000 CALL <JMP.&MFC42.#800>
0040EB06 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040EB0A |. C68424 6C02000> MOV BYTE PTR SS:[ESP+26C],8
0040EB12 |. E8 FB3C0000 CALL <JMP.&MFC42.#800>
0040EB17 |. E9 DB000000 JMP SDSFtpSe.0040EBF7
0040EB1C |> 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
0040EB20 |. E8 57420000 CALL <JMP.&MFC42.#1979>
*************************************************************
Both methods share the same key call.
Step into the key call 00410430
00410430 /$ 6A FF PUSH -1
00410432 |. 68 064D4100 PUSH SDSFtpSe.00414D06 ; SE handler installation
00410437 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041043D |. 50 PUSH EAX
0041043E |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00410445 |. 81EC 90010000 SUB ESP,190
0041044B |. 53 PUSH EBX
0041044C |. 56 PUSH ESI
0041044D |. 57 PUSH EDI
0041044E |. 8D8C24 9000000>LEA ECX,DWORD PTR SS:[ESP+90]
00410455 |. E8 760C0000 CALL SDSFtpSe.004110D0
0041045A |. 33DB XOR EBX,EBX
0041045C |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
00410460 |. 899C24 A401000>MOV DWORD PTR SS:[ESP+1A4],EBX
00410467 |. E8 BE230000 CALL <JMP.&MFC42.#540>
0041046C |. 8B0D 20DA4100 MOV ECX,DWORD PTR DS:[41DA20]
00410472 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00410476 |. 50 PUSH EAX ; /Arg1
00410477 |. C68424 A801000>MOV BYTE PTR SS:[ESP+1A8],1 ; |
0041047F |. E8 FCFDFFFF CALL SDSFtpSe.00410280 ; SDSFtpSe.00410280
00410484 |. B9 20000000 MOV ECX,20
00410489 |. 33C0 XOR EAX,EAX
0041048B |. 8DBC24 1C01000>LEA EDI,DWORD PTR SS:[ESP+11C]
00410492 |. 53 PUSH EBX
00410493 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00410495 |. B9 10000000 MOV ECX,10
0041049A |. 8D7C24 14 LEA EDI,DWORD PTR SS:[ESP+14]
0041049E |. F3:AB REP STOS DWORD PTR ES:[EDI]
004104A0 |. B9 10000000 MOV ECX,10
004104A5 |. 8D7C24 54 LEA EDI,DWORD PTR SS:[ESP+54]
004104A9 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004104AB |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004104AF |. E8 E6250000 CALL <JMP.&MFC42.#2915> ; read the software ID; my software ID is: "770F6A6E0F1D0F0F"
004104B4 |. 8BF8 MOV EDI,EAX
004104B6 |. 83C9 FF OR ECX,FFFFFFFF
004104B9 |. 33C0 XOR EAX,EAX
004104BB |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
004104BF |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004104C1 |. F7D1 NOT ECX
004104C3 |. 2BF9 SUB EDI,ECX
004104C5 |. 53 PUSH EBX
004104C6 |. 8BC1 MOV EAX,ECX
004104C8 |. 8BF7 MOV ESI,EDI
004104CA |. 8BFA MOV EDI,EDX
004104CC |. C1E9 02 SHR ECX,2
004104CF |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
004104D1 |. 8BC8 MOV ECX,EAX
004104D3 |. 83E1 03 AND ECX,3
004104D6 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004104D8 |. 8B8C24 B001000>MOV ECX,DWORD PTR SS:[ESP+1B0]
004104DF |. E8 B6250000 CALL <JMP.&MFC42.#2915> ; concatenate the software ID and the user name
004104E4 |. 8BF8 MOV EDI,EAX ; software ID + user name into EDI
004104E6 |. 83C9 FF OR ECX,FFFFFFFF
004104E9 |. 33C0 XOR EAX,EAX
004104EB |. 8D5424 50 LEA EDX,DWORD PTR SS:[ESP+50]
004104EF |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004104F1 |. F7D1 NOT ECX ; ECX = length of software ID + user name, + 1
004104F3 |. 2BF9 SUB EDI,ECX ; EDI points back to software ID + user name
004104F5 |. 6A 40 PUSH 40 ; /Arg3 = 00000040
004104F7 |. 8BC1 MOV EAX,ECX ; |length + 1 of software ID + user name into EAX
004104F9 |. 8BF7 MOV ESI,EDI ; |software ID + user name into ESI
004104FB |. 8BFA MOV EDI,EDX ; |
004104FD |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14] ; |EDX points to the software ID
00410501 |. C1E9 02 SHR ECX,2 ; |ECX shifted right by 2 is the loop count of the next instruction
00410504 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; |i.e. copy ECX DWORDs to EDI
00410506 |. 8BC8 MOV ECX,EAX ; |
00410508 |. 83E1 03 AND ECX,3 ; |ECX AND 3 is the loop count of the next instruction
0041050B |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; |i.e. copy ECX more BYTEs to EDI
0041050D |. 8D4C24 54 LEA ECX,DWORD PTR SS:[ESP+54] ; |at this point the whole software ID + user name is at EDI
00410511 |. 51 PUSH ECX ; |Arg2 = software ID + user name
00410512 |. 52 PUSH EDX ; |Arg1 = software ID
00410513 |. 8D8C24 9C00000>LEA ECX,DWORD PTR SS:[ESP+9C] ; |ECX points to software ID + user name
0041051A |. E8 51110000 CALL SDSFtpSe.00411670 ; SDSFtpSe.00411670, this call is very important: it produces the serial prototype
0041051F |. 8D8424 1C01000>LEA EAX,DWORD PTR SS:[ESP+11C]
00410526 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0041052A |. 50 PUSH EAX
0041052B |. 6A 40 PUSH 40
0041052D |. 51 PUSH ECX
0041052E |. 8D8C24 9C00000>LEA ECX,DWORD PTR SS:[ESP+9C]
00410535 |. E8 D6110000 CALL SDSFtpSe.00411710 ; the call that transforms the serial prototype into the serial
0041053A |. 8B8C24 B001000>MOV ECX,DWORD PTR SS:[ESP+1B0]
00410541 |. 8D9424 1C01000>LEA EDX,DWORD PTR SS:[ESP+11C]
00410548 |. 52 PUSH EDX
00410549 |. 889C24 3001000>MOV BYTE PTR SS:[ESP+130],BL
00410550 |. E8 7B250000 CALL <JMP.&MFC42.#2764>
00410555 |. 85C0 TEST EAX,EAX
00410557 |. 889C24 A401000>MOV BYTE PTR SS:[ESP+1A4],BL
0041055E |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C] ; DWORD PTR SS:[ESP+C] holds the real serial
00410562 |. 7C 23 JL SHORT SDSFtpSe.00410587
00410564 |. E8 A9220000 CALL <JMP.&MFC42.#800>
00410569 |. 8D8C24 9000000>LEA ECX,DWORD PTR SS:[ESP+90]
00410570 |. C78424 A401000>MOV DWORD PTR SS:[ESP+1A4],-1
0041057B |. E8 800B0000 CALL SDSFtpSe.00411100
00410580 |. B8 01000000 MOV EAX,1
00410585 |. EB 1E JMP SHORT SDSFtpSe.004105A5
00410587 |> E8 86220000 CALL <JMP.&MFC42.#800>
0041058C |. 8D8C24 9000000>LEA ECX,DWORD PTR SS:[ESP+90]
00410593 |. C78424 A401000>MOV DWORD PTR SS:[ESP+1A4],-1
0041059E |. E8 5D0B0000 CALL SDSFtpSe.00411100
004105A3 |. 33C0 XOR EAX,EAX
004105A5 |> 8B8C24 9C01000>MOV ECX,DWORD PTR SS:[ESP+19C]
004105AC |. 5F POP EDI
004105AD |. 5E POP ESI
004105AE |. 5B POP EBX
004105AF |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
004105B6 |. 81C4 9C010000 ADD ESP,19C
004105BC . C2 0800 RETN 8
OK, step into the very important call 00411670 that produces the serial prototype.
Incidentally, the serial prototype is stored at memory address 0012C024.
00411670 /$ 83EC 44 SUB ESP,44
00411673 |. 53 PUSH EBX
00411674 |. 55 PUSH EBP
00411675 |. 56 PUSH ESI
00411676 |. 894C24 0C MOV DWORD PTR SS:[ESP+C],ECX
0041167A |. 57 PUSH EDI
0041167B |. B9 0F000000 MOV ECX,0F
00411680 |. 33C0 XOR EAX,EAX
00411682 |. 8D7C24 15 LEA EDI,DWORD PTR SS:[ESP+15]
00411686 |. C64424 14 00 MOV BYTE PTR SS:[ESP+14],0
0041168B |. 6A 20 PUSH 20 ; /size = 20 (32.)
0041168D |. F3:AB REP STOS DWORD PTR ES:[EDI] ; |
0041168F |. 66:AB STOS WORD PTR ES:[EDI] ; |
00411691 |. 6A 01 PUSH 1 ; |nitems = 1
00411693 |. AA STOS BYTE PTR ES:[EDI] ; |
00411694 |. FF15 BC654100 CALL DWORD PTR DS:[<&MSVCRT.calloc>] ; calloc; then read the software ID + user name
0041169A |. 8B7C24 64 MOV EDI,DWORD PTR SS:[ESP+64] ; software ID + user name into EDI
0041169E |. 8BE8 MOV EBP,EAX
004116A0 |. 83C4 08 ADD ESP,8
004116A3 |. 33C0 XOR EAX,EAX
004116A5 |. 33F6 XOR ESI,ESI
004116A7 |. 33C9 XOR ECX,ECX ; ECX cleared; a loop follows
004116A9 |> 8A1C3E /MOV BL,BYTE PTR DS:[ESI+EDI] ; next byte of software ID + user name into BL
004116AC |. 8D1401 |LEA EDX,DWORD PTR DS:[ECX+EAX]
004116AF |. 40 |INC EAX ; loop counter + 1
004116B0 |. 83F8 08 |CMP EAX,8 ; compare the loop counter with 8
004116B3 885C14 14 MOV BYTE PTR SS:[ESP+EDX+14],BL
004116B7 |. 75 04 |JNZ SHORT SDSFtpSe.004116BD ; jump if not equal to 8
004116B9 |. 03C8 |ADD ECX,EAX
004116BB |. 33C0 |XOR EAX,EAX
004116BD |> 46 |INC ESI ; the other loop counter + 1
004116BE |. 83FE 40 |CMP ESI,40 ; compare with 40
004116C1 |.^7C E6 JL SHORT SDSFtpSe.004116A9 ; jump if less
004116C3 |. 8BCD MOV ECX,EBP
004116C5 |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14] ; EAX points to software ID + user name
004116C9 |. BA 08000000 MOV EDX,8 ; EDX is the loop count = 8
004116CE |> 8901 MOV DWORD PTR DS:[ECX],EAX ; store at [ECX] the address of every other (odd-numbered) DWORD of software ID + user name
004116D0 |. 83C0 08 ADD EAX,8
004116D3 |. 83C1 04 ADD ECX,4
004116D6 |. 4A DEC EDX
004116D7 |.^75 F5 JNZ SHORT SDSFtpSe.004116CE ; loop jump
004116D9 |. 8B4424 60 MOV EAX,DWORD PTR SS:[ESP+60]
004116DD |. 8B4C24 58 MOV ECX,DWORD PTR SS:[ESP+58] ; software ID into ECX
004116E1 |. 50 PUSH EAX
004116E2 |. 6A 08 PUSH 8
004116E4 |. 55 PUSH EBP
004116E5 |. 51 PUSH ECX
004116E6 |. 8B4C24 20 MOV ECX,DWORD PTR SS:[ESP+20]
004116EA |. E8 E1FEFFFF CALL SDSFtpSe.004115D0 ; the most critical call
004116EF |. 55 PUSH EBP ; /block = 0037EF38
004116F0 |. FF15 80654100 CALL DWORD PTR DS:[<&MSVCRT.free>] ; free
004116F6 |. 83C4 04 ADD ESP,4
004116F9 |. B8 01000000 MOV EAX,1
004116FE |. 5F POP EDI
004116FF |. 5E POP ESI
00411700 |. 5D POP EBP
00411701 |. 5B POP EBX
00411702 |. 83C4 44 ADD ESP,44
00411705 . C2 0C00 RETN 0C
Step into the most critical call
004115D0 /$ 51 PUSH ECX
004115D1 |. 57 PUSH EDI ; EDI=770F6A6E0F1D0F0FFTBirthday
004115D2 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14] ; EDI=00000008
004115D6 |. 85FF TEST EDI,EDI
004115D8 |. 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
004115DC |. 76 30 JBE SHORT SDSFtpSe.0041160E ; unsigned compare <=
004115DE |. 53 PUSH EBX
004115DF |. 8B5C24 1C MOV EBX,DWORD PTR SS:[ESP+1C] ; EBX=00000040
004115E3 |. 55 PUSH EBP
004115E4 |. 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14] ; EBP=770F6A6E0F1D0F0F
004115E8 |. 56 PUSH ESI
004115E9 |. 8B7424 1C MOV ESI,DWORD PTR SS:[ESP+1C]
-------------loop that generates the serial prototype-------------
004115ED |> 8B06 /MOV EAX,DWORD PTR DS:[ESI] ; EAX=770F6A6E0F1D0F0FFTBirthday
004115EF |. 8B4C24 10 |MOV ECX,DWORD PTR SS:[ESP+10]
004115F3 |. 53 |PUSH EBX
004115F4 |. 50 |PUSH EAX
004115F5 |. 55 |PUSH EBP
004115F6 |. E8 25000000 |CALL SDSFtpSe.00411620
004115FB |. 83C6 04 |ADD ESI,4
004115FE |. 4F |DEC EDI
004115FF |.^75 EC JNZ SHORT SDSFtpSe.004115ED
---------------------------------------------------------------------
00411601 |. 5E POP ESI
00411602 |. 5D POP EBP
00411603 |. 5B POP EBX
00411604 |. B8 01000000 MOV EAX,1
00411609 |. 5F POP EDI
0041160A |. 59 POP ECX
0041160B |. C2 1000 RETN 10
0041160E |> B8 01000000 MOV EAX,1
00411613 |. 5F POP EDI
00411614 |. 59 POP ECX
00411615 . C2 1000 RETN 10
00411620 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00411624 |. 53 PUSH EBX
00411625 |. 56 PUSH ESI
00411626 |. 57 PUSH EDI
00411627 |. 8BF9 MOV EDI,ECX
00411629 |. 50 PUSH EAX ; /Arg1=EAX=770F6A6E0F1D0F0FFTBirthday
0041162A |. E8 51FDFFFF CALL SDSFtpSe.00411380 ; SDSFtpSe.00411380
0041162F |. 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18]
00411633 |. 33F6 XOR ESI,ESI
00411635 |. 85DB TEST EBX,EBX
00411637 |. 7E 25 JLE SHORT SDSFtpSe.0041165E
00411639 |. 55 PUSH EBP
0041163A |. 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14]
0041163E |> 8D0C2E /LEA ECX,DWORD PTR DS:[ESI+EBP]
00411641 |. 6A 01 |PUSH 1 ; /Arg2 = 00000001
00411643 |. 51 |PUSH ECX ; |Arg1
00411644 |. 8BCF |MOV ECX,EDI ; |
00411646 |. E8 15FEFFFF |CALL SDSFtpSe.00411460 ; SDSFtpSe.00411460
0041164B |. 83C6 08 |ADD ESI,8
0041164E |. 3BF3 |CMP ESI,EBX
00411650 |.^7C EC JL SHORT SDSFtpSe.0041163E
00411652 |. 5D POP EBP
00411653 |. 5F POP EDI
00411654 |. 5E POP ESI
00411655 |. B8 01000000 MOV EAX,1
0041165A |. 5B POP EBX
0041165B |. C2 0C00 RETN 0C
0041165E |> 5F POP EDI
0041165F |. 5E POP ESI
00411660 |. B8 01000000 MOV EAX,1
00411665 |. 5B POP EBX
00411666 . C2 0C00 RETN 0C
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Key algorithm call
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
00411460 /$ 83EC 0C SUB ESP,0C
00411463 |. 53 PUSH EBX
00411464 |. 55 PUSH EBP
00411465 |. 56 PUSH ESI
00411466 |. 57 PUSH EDI
00411467 |. 8B7C24 20 MOV EDI,DWORD PTR SS:[ESP+20]
0041146B |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0041146F |. 33DB XOR EBX,EBX
00411471 |. 33F6 XOR ESI,ESI
00411473 |. 8D6F 04 LEA EBP,DWORD PTR DS:[EDI+4]
00411476 |. 33D2 XOR EDX,EDX
00411478 |. B9 0CC94100 MOV ECX,SDSFtpSe.0041C90C
0041147D |> 8A82 ACC84100 /MOV AL,BYTE PTR DS:[EDX+41C8AC]
00411483 |. 81F9 8CC94100 |CMP ECX,SDSFtpSe.0041C98C
00411489 |. 7D 2D |JGE SHORT SDSFtpSe.004114B8
0041148B |. 3C 20 |CMP AL,20
0041148D |. 76 15 |JBE SHORT SDSFtpSe.004114A4
0041148F |. 25 FF000000 |AND EAX,0FF
00411494 |. 8B0485 08C9410>|MOV EAX,DWORD PTR DS:[EAX*4+41C908]
0041149B |. 8545 00 |TEST DWORD PTR SS:[EBP],EAX
0041149E |. 74 41 |JE SHORT SDSFtpSe.004114E1
004114A0 |. 0B19 |OR EBX,DWORD PTR DS:[ECX]
004114A2 |. EB 3D |JMP SHORT SDSFtpSe.004114E1
004114A4 |> 25 FF000000 |AND EAX,0FF
004114A9 |. 8B0485 08C9410>|MOV EAX,DWORD PTR DS:[EAX*4+41C908]
004114B0 |. 8507 |TEST DWORD PTR DS:[EDI],EAX
004114B2 |. 74 2D |JE SHORT SDSFtpSe.004114E1
004114B4 |. 0B19 |OR EBX,DWORD PTR DS:[ECX]
004114B6 |. EB 29 |JMP SHORT SDSFtpSe.004114E1
004114B8 |> 3C 20 |CMP AL,20
004114BA |. 76 13 |JBE SHORT SDSFtpSe.004114CF
004114BC |. 25 FF000000 |AND EAX,0FF
004114C1 |. 8B0485 08C9410>|MOV EAX,DWORD PTR DS:[EAX*4+41C908]
004114C8 |. 8545 00 |TEST DWORD PTR SS:[EBP],EAX
004114CB |. 74 14 |JE SHORT SDSFtpSe.004114E1
004114CD |. EB 10 |JMP SHORT SDSFtpSe.004114DF
004114CF |> 25 FF000000 |AND EAX,0FF
004114D4 |. 8B0485 08C9410>|MOV EAX,DWORD PTR DS:[EAX*4+41C908]
004114DB |. 8507 |TEST DWORD PTR DS:[EDI],EAX
004114DD |. 74 02 |JE SHORT SDSFtpSe.004114E1
004114DF |> 0B31 |OR ESI,DWORD PTR DS:[ECX]
004114E1 |> 83C1 04 |ADD ECX,4
004114E4 |. 42 |INC EDX
004114E5 |. 81F9 0CCA4100 |CMP ECX,SDSFtpSe.0041CA0C
004114EB |.^7C 90 JL SHORT SDSFtpSe.0041147D
004114ED |. 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
004114F1 |. 891F MOV DWORD PTR DS:[EDI],EBX
004114F3 |. 8975 00 MOV DWORD PTR SS:[EBP],ESI
004114F6 |. 25 FF000000 AND EAX,0FF
004114FB |. 33F6 XOR ESI,ESI ; Switch (cases 1..2)
004114FD |. 33DB XOR EBX,EBX
004114FF |. 48 DEC EAX
00411500 |. 897424 14 MOV DWORD PTR SS:[ESP+14],ESI
00411504 |. 74 19 JE SHORT SDSFtpSe.0041151F
00411506 |. 48 DEC EAX
00411507 |. 75 28 JNZ SHORT SDSFtpSe.00411531
00411509 |. BE 0F000000 MOV ESI,0F ; Case 2 of switch 004114FB
0041150E |> 8B4C24 10 /MOV ECX,DWORD PTR SS:[ESP+10]
00411512 |. 56 |PUSH ESI ; /Arg3
00411513 |. 55 |PUSH EBP ; |Arg2
00411514 |. 57 |PUSH EDI ; |Arg1
00411515 |. E8 F6FBFFFF |CALL SDSFtpSe.00411110 ; SDSFtpSe.00411110
0041151A |. 4E |DEC ESI
0041151B |.^79 F1 JNS SHORT SDSFtpSe.0041150E
0041151D |. EB 12 JMP SHORT SDSFtpSe.00411531
0041151F |> 8B4C24 10 /MOV ECX,DWORD PTR SS:[ESP+10] ; Case 1 of switch 004114FB
00411523 |. 56 |PUSH ESI ; /Arg3
00411524 |. 55 |PUSH EBP ; |Arg2
00411525 |. 57 |PUSH EDI ; |Arg1
00411526 |. E8 E5FBFFFF |CALL SDSFtpSe.00411110 ; SDSFtpSe.00411110
0041152B |. 46 |INC ESI
0041152C |. 83FE 10 |CMP ESI,10
0041152F |.^7C EE JL SHORT SDSFtpSe.0041151F
00411531 |> 8B4D 00 MOV ECX,DWORD PTR SS:[EBP] ; Default case of switch 004114FB
00411534 |. 8B37 MOV ESI,DWORD PTR DS:[EDI]
00411536 |. 890F MOV DWORD PTR DS:[EDI],ECX
00411538 |. 8975 00 MOV DWORD PTR SS:[EBP],ESI
0041153B |. 33D2 XOR EDX,EDX
0041153D |. B9 0CC94100 MOV ECX,SDSFtpSe.0041C90C
00411542 |> 8A82 6CC84100 /MOV AL,BYTE PTR DS:[EDX+41C86C]
00411548 |. 81F9 8CC94100 |CMP ECX,SDSFtpSe.0041C98C
0041154E |. 7D 32 |JGE SHORT SDSFtpSe.00411582
00411550 |. 3C 20 |CMP AL,20
00411552 |. 76 16 |JBE SHORT SDSFtpSe.0041156A
00411554 |. 25 FF000000 |AND EAX,0FF
00411559 |. 853485 08C9410>|TEST DWORD PTR DS:[EAX*4+41C908],ESI
00411560 |. 74 46 |JE SHORT SDSFtpSe.004115A8
00411562 |. 8B01 |MOV EAX,DWORD PTR DS:[ECX]
00411564 |. 094424 14 |OR DWORD PTR SS:[ESP+14],EAX
00411568 |. EB 3E |JMP SHORT SDSFtpSe.004115A8
0041156A |> 25 FF000000 |AND EAX,0FF
0041156F |. 8B0485 08C9410>|MOV EAX,DWORD PTR DS:[EAX*4+41C908]
00411576 |. 8507 |TEST DWORD PTR DS:[EDI],EAX
00411578 |. 74 2E |JE SHORT SDSFtpSe.004115A8
0041157A |. 8B01 |MOV EAX,DWORD PTR DS:[ECX]
0041157C |. 094424 14 |OR DWORD PTR SS:[ESP+14],EAX
00411580 |. EB 26 |JMP SHORT SDSFtpSe.004115A8
00411582 |> 3C 20 |CMP AL,20
00411584 |. 76 10 |JBE SHORT SDSFtpSe.00411596
00411586 |. 25 FF000000 |AND EAX,0FF
0041158B |. 853485 08C9410>|TEST DWORD PTR DS:[EAX*4+41C908],ESI
00411592 |. 74 14 |JE SHORT SDSFtpSe.004115A8
00411594 |. EB 10 |JMP SHORT SDSFtpSe.004115A6
00411596 |> 25 FF000000 |AND EAX,0FF
0041159B |. 8B0485 08C9410>|MOV EAX,DWORD PTR DS:[EAX*4+41C908]
004115A2 |. 8507 |TEST DWORD PTR DS:[EDI],EAX
004115A4 |. 74 02 |JE SHORT SDSFtpSe.004115A8
004115A6 |> 0B19 |OR EBX,DWORD PTR DS:[ECX]
004115A8 |> 83C1 04 |ADD ECX,4
004115AB |. 42 |INC EDX
004115AC |. 81F9 0CCA4100 |CMP ECX,SDSFtpSe.0041CA0C
004115B2 |.^7C 8E JL SHORT SDSFtpSe.00411542
004115B4 |. 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
004115B8 |. B8 01000000 MOV EAX,1
004115BD |. 890F MOV DWORD PTR DS:[EDI],ECX
004115BF |. 5F POP EDI
004115C0 |. 895D 00 MOV DWORD PTR SS:[EBP],EBX
004115C3 |. 5E POP ESI
004115C4 |. 5D POP EBP
004115C5 |. 5B POP EBX
004115C6 |. 83C4 0C ADD ESP,0C
004115C9 . C2 0800 RETN 8
對註冊碼雛形進行變換生成註冊碼的call 00411710
00411710 /$ 6A FF PUSH -1
00411712 |. 68 284E4100 PUSH SDSFtpSe.00414E28 ; SE handler installation
00411717 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041171D |. 50 PUSH EAX
0041171E |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00411725 |. 51 PUSH ECX
00411726 |. 53 PUSH EBX
00411727 |. 56 PUSH ESI
00411728 |. 57 PUSH EDI
00411729 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0041172D |. E8 F8100000 CALL <JMP.&MFC42.#540>
00411732 |. 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
00411736 |. 8B7C24 28 MOV EDI,DWORD PTR SS:[ESP+28]
0041173A |. 33DB XOR EBX,EBX ; clear EBX
0041173C |. 33F6 XOR ESI,ESI ; clear ESI
0041173E |. 3BC3 CMP EAX,EBX ; EAX was initialised to 40, i.e. the loop count
00411740 |. 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX
00411744 |. 0F8E CA000000 JLE SDSFtpSe.00411814
0041174A |. 55 PUSH EBP
0041174B |. 8B6C24 24 MOV EBP,DWORD PTR SS:[ESP+24]
0041174F |. 8A042B MOV AL,BYTE PTR DS:[EBX+EBP] ; each byte of the serial prototype in turn into AL
00411752 |. 84C0 |TEST AL,AL
00411754 |. 75 37 |JNZ SHORT SDSFtpSe.0041178D ; test whether AL is zero
00411756 |. 6A 00 |PUSH 0
00411758 |. 8D4424 14 |LEA EAX,DWORD PTR SS:[ESP+14]
0041175C |. 68 3CCC4100 |PUSH SDSFtpSe.0041CC3C ; ASCII "%x"
00411761 |. 50 |PUSH EAX
00411762 |. E8 D3150000 |CALL <JMP.&MFC42.#2818>
00411767 |. 8B4C24 1C |MOV ECX,DWORD PTR SS:[ESP+1C]
0041176B |. 6A 00 |PUSH 0
0041176D |. 8D5424 20 |LEA EDX,DWORD PTR SS:[ESP+20]
00411771 |. 68 3CCC4100 |PUSH SDSFtpSe.0041CC3C ; ASCII "%x"
00411776 |. 8A01 |MOV AL,BYTE PTR DS:[ECX]
00411778 |. 52 |PUSH EDX
00411779 |. 88043E |MOV BYTE PTR DS:[ESI+EDI],AL
0041177C |. 46 |INC ESI
0041177D |. E8 B8150000 |CALL <JMP.&MFC42.#2818>
00411782 |. 8B4424 28 |MOV EAX,DWORD PTR SS:[ESP+28]
00411786 |. 83C4 18 |ADD ESP,18
00411789 |. 8A00 |MOV AL,BYTE PTR DS:[EAX]
0041178B |. EB 75 |JMP SHORT SDSFtpSe.00411802
0041178D |> 3C 10 |CMP AL,10 ; test whether AL is greater than 10
0041178F |. 7D 44 |JGE SHORT SDSFtpSe.004117D5 ; signed comparison: e.g. E8<10, because E8=11111000 is negative while 10=00010000 is positive
00411791 |. 6A 00 |PUSH 0
00411793 |. 8D4C24 14 |LEA ECX,DWORD PTR SS:[ESP+14]
00411797 |. 68 3CCC4100 |PUSH SDSFtpSe.0041CC3C ; ASCII "%x"
0041179C |. 51 |PUSH ECX
0041179D |. E8 98150000 |CALL <JMP.&MFC42.#2818>
004117A2 |. 8B5424 1C |MOV EDX,DWORD PTR SS:[ESP+1C]
004117A6 |. 8D4C24 1C |LEA ECX,DWORD PTR SS:[ESP+1C]
004117AA |. 46 |INC ESI ; ESI+1
004117AB |. 8A02 |MOV AL,BYTE PTR DS:[EDX]
004117AD |. 88443E FF |MOV BYTE PTR DS:[ESI+EDI-1],AL ; corresponding character of the real serial
004117B1 |. 0FBE042B |MOVSX EAX,BYTE PTR DS:[EBX+EBP]
004117B5 |. 50 |PUSH EAX
004117B6 |. 68 3CCC4100 |PUSH SDSFtpSe.0041CC3C ; ASCII "%x"
004117BB |. 51 |PUSH ECX
004117BC |. E8 79150000 |CALL <JMP.&MFC42.#2818>
004117C1 |. 83C4 18 |ADD ESP,18
004117C4 |. 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
004117C8 |. E8 69160000 |CALL <JMP.&MFC42.#4204>
004117CD |. 8B5424 10 |MOV EDX,DWORD PTR SS:[ESP+10]
004117D1 |. 8A02 |MOV AL,BYTE PTR DS:[EDX]
004117D3 |. EB 2D |JMP SHORT SDSFtpSe.00411802
004117D5 |> 0FBEC0 |MOVSX EAX,AL
004117D8 |. 50 |PUSH EAX
004117D9 |. 8D4C24 14 |LEA ECX,DWORD PTR SS:[ESP+14]
004117DD |. 68 3CCC4100 |PUSH SDSFtpSe.0041CC3C ; ASCII "%x"
004117E2 |. 51 |PUSH ECX
004117E3 |. E8 52150000 |CALL <JMP.&MFC42.#2818>
004117E8 |. 83C4 0C |ADD ESP,0C
004117EB |. 8D4C24 10 |LEA ECX,DWORD PTR SS:[ESP+10]
004117EF |. E8 42160000 |CALL <JMP.&MFC42.#4204>
004117F4 |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10]
004117F8 |. 46 |INC ESI
004117F9 |. 8A08 |MOV CL,BYTE PTR DS:[EAX]
004117FB |. 884C3E FF |MOV BYTE PTR DS:[ESI+EDI-1],CL
004117FF |. 8A40 01 |MOV AL,BYTE PTR DS:[EAX+1]
00411802 |> 88043E |MOV BYTE PTR DS:[ESI+EDI],AL ; corresponding character of the real serial
00411805 |. 8B4424 28 |MOV EAX,DWORD PTR SS:[ESP+28] ; 40 into EAX; 40 is the loop count
00411809 |. 46 |INC ESI ; loop counter + 1
0041180A |. 43 |INC EBX ; the other loop counter + 1
0041180B |. 3BD8 |CMP EBX,EAX
0041180D |.^0F8C 3CFFFFFF JL SDSFtpSe.0041174F
00411813 |. 5D POP EBP
00411814 |> 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
00411818 |. C6043E 00 MOV BYTE PTR DS:[ESI+EDI],0
0041181C |. C74424 18 FFFF>MOV DWORD PTR SS:[ESP+18],-1
00411824 |. E8 E90F0000 CALL <JMP.&MFC42.#800>
00411829 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0041182D |. 5F POP EDI
0041182E |. 5E POP ESI
0041182F |. 5B POP EBX
00411830 |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00411837 |. 83C4 10 ADD ESP,10
0041183A . C2 0C00 RETN 0C
Summary:
The serial is 16 characters long, and the serial algorithm runs as follows:
(1). First compute the serial prototype; the analysis of the key algorithm call is to be continued.
(2). Then transform the serial prototype into the serial with call 00411710.
Concretely: each byte of the serial prototype is compared in turn with 10 (hex), as a signed comparison.
Then:
if >10, the two corresponding serial characters are the byte itself;
if <10, the two corresponding serial characters are 0F.
Taking user name FTBirthday as an example:
the serial prototype is
0012C024 DA DF 36 D5 89 6F B1 16
so the corresponding bytes are 0F 0F 36 0F 0F 6F 0F 16
and the serial is 0F0F360F0F6F0F16
Done:
User name: FTBirthday
Serial: 0F0F360F0F6F0F16
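The final transform that the summary describes, re-implemented in C as an added example that is not code from the original post (the names encode_serial, serial_matches, distinct_outputs and the constructed kEdgeProto are mine); it follows the three branches of the listing at 00411710 (zero byte, signed byte below 10h, byte of 10h or more) and applies them to the prototype bytes listed above for FTBirthday. Seeing the step in C makes the design lesson explicit: because MOVSX sign-extends the byte before it is formatted with "%x", every byte 80h..FFh prints as ffffff.. and only its first character survives, so half of each prototype byte's value range collapses onto "0F" and the 16-digit serial carries far less entropy than it appears to.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode len prototype bytes into 2*len serial characters, following the
 * three branches of the transform at 00411710. out must hold 2*len + 1 bytes.
 * Returns the number of characters written. */
size_t encode_serial(const unsigned char *proto, size_t len, char *out)
{
    char buf[16];
    size_t n = 0;

    for (size_t i = 0; i < len; i++) {
        /* The listing compares AL with 10h using JGE, i.e. as a signed byte. */
        signed char b = (signed char)proto[i];

        if (b == 0) {
            /* 00411756: "%x" of 0 is "0"; its first character is emitted twice. */
            sprintf(buf, "%x", 0);
            out[n++] = buf[0];
            out[n++] = buf[0];
        } else if (b < 0x10) {
            /* 00411791: a literal "0", then the first character of the
             * sign-extended value (MOVSX) printed with "%x" and upper-cased.
             * DAh -> (int)-38 -> "ffffffda" -> 'F'; 05h -> "5" -> '5'. */
            sprintf(buf, "%x", 0);
            out[n++] = buf[0];
            sprintf(buf, "%x", (unsigned)(int)b);
            out[n++] = (char)toupper((unsigned char)buf[0]);
        } else {
            /* 004117D5: 10h..7Fh print as exactly two hex digits, upper-cased. */
            sprintf(buf, "%x", (unsigned)(int)b);
            out[n++] = (char)toupper((unsigned char)buf[0]);
            out[n++] = (char)toupper((unsigned char)buf[1]);
        }
    }
    out[n] = '\0';
    return n;
}

/* Prototype bytes the author observed at 0012C024 for user name FTBirthday. */
static const unsigned char kSampleProto[8] = {0xDA, 0xDF, 0x36, 0xD5, 0x89, 0x6F, 0xB1, 0x16};

/* A constructed prototype covering the zero, 01h..0Fh, 7Fh and 80h cases. */
static const unsigned char kEdgeProto[4] = {0x00, 0x05, 0x7F, 0x80};

/* Returns 1 when encoding proto gives exactly expected, else 0. */
int serial_matches(const unsigned char *proto, size_t len, const char *expected)
{
    char out[2 * 64 + 1];          /* the listing's loop bound is 40h = 64 bytes */
    if (len > 64)
        return 0;
    encode_serial(proto, len, out);
    return strcmp(out, expected) == 0;
}

/* How many distinct two-character outputs the 256 possible byte values produce.
 * Every value 80h..FFh collapses onto "0F", so the answer is 128, not 256. */
int distinct_outputs(void)
{
    int seen[256] = {0};
    int count = 0;
    for (int v = 0; v < 256; v++) {
        unsigned char b = (unsigned char)v;
        char out[3];
        encode_serial(&b, 1, out);
        int idx = (int)strtol(out, NULL, 16);   /* always two upper-case hex digits */
        if (!seen[idx]) {
            seen[idx] = 1;
            count++;
        }
    }
    return count;
}

int main(void)
{
    char out[17];
    encode_serial(kSampleProto, sizeof kSampleProto, out);
    printf("FTBirthday -> %s\n", out);
    printf("distinct outputs per prototype byte: %d of 256\n", distinct_outputs());
    return 0;
}
```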
------------------------------------------------------------------
Algorithm Analysis ----- FTP搜尋利器 4.0
※Software info※:
Platform: Windows 95/98/ME/NT/2000/XP
Type: shareware (registration fee 25 yuan)
Size: 768KB
Latest version: v4.00 release build [released 2003/06/5]
Download: http://www.sdsteam.com/index.asp
※Software limitations※: "the unregistered version has no functional limits at all".
※Cracking tools※: Ollydbg 1.09, FileMon
※Registration scheme※: input validation + restart validation.
Restart validation: monitoring the startup with FileMon and RegMon shows that it reads and opens the file mainkey, which stores the registration information.
In the end the algorithm flow is unchanged: it is the same as in FTP搜尋利器 3.0.
So the two-pronged approach has dealt with both FTP搜尋利器 3.0 and 4.0.
※Author's note※: for study only!