WinDriver Ghost (驱动精灵) V2.02 Personal Edition, Part 1

Source: Author: 2005-08-23 From: pcdog.com

Platform: Win9x/NT/2000/XP

Software description:

WinDriver Ghost is a very practical driver backup tool. Anyone who reinstalls Windows often knows the hunt for drivers: either the original driver disc is gone, or nothing was backed up beforehand, and tracking everything down takes a lot of time. With WinDriver Ghost's backup function you can back up every driver currently on the machine before reinstalling, then use its restore function to install them again afterwards. That saves a great deal of driver-installation time, and you never have to worry about missing drivers again.
Tools: OLLYDBG, FI250, UPXmend V1.22

FI250 identifies the packer as UPX 1.23; unpacked with UPXmend V1.22. Load in OLLYDBG > search for referenced strings: ASCII "Thank you! Registration success!" Double-click to arrive at
004990C7 .^E9 C4B3F6FF JMP WinDrvGh.00404490
004990CC .^EB F0 JMP SHORT WinDrvGh.004990BE
004990CE . B8 C0914900 MOV EAX,WinDrvGh.004991C0 ; ASCII "Thank you! Registration success!"
004990D3 . E8 9C36FAFF CALL WinDrvGh.0043C774
004990D8 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004990DB . 8B80 1C030000 MOV EAX,DWORD PTR DS:[EAX+31>
Set a breakpoint with F2 ...... ?????? One damn breakpoint after another and none of them trigger!!! Damn, looks like I found the wrong place!! Let me start over!!

ASCII "Registration Success!" <== this one must be right!! Double-click to arrive at

0049D203 . 51 PUSH ECX <= set the breakpoint here (^_^) WHY? Just to make the analysis easier! (^_^)
0049D204 . 53 PUSH EBX <== pushes EBX (ASCII "LAC" <- this thing will be used later) onto the stack
0049D205 . 56 PUSH ESI
0049D206 . 57 PUSH EDI
0049D207 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049D20A . 33C0 XOR EAX,EAX
0049D20C . 55 PUSH EBP
0049D20D . 68 45D64900 PUSH WinDrvGh.0049D645
0049D212 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049D215 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049D218 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C> <= ASCII "LAC" placed into EDX
0049D21B . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D21E . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D224 . E8 7B66FAFF CALL WinDrvGh.004438A4 <= reads the registration name and its length (WinDrvGh.004438A4 does the reading; same below!!!)
0049D229 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C> <= registration name length, 8, placed into EAX
0049D22C . E8 737BF6FF CALL WinDrvGh.00404DA4
0049D231 . 05 57040000 ADD EAX,457
0049D236 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18>
0049D239 . E8 72C2F6FF CALL WinDrvGh.004094B0 <= the true registration code is at most 25 characters long (^_^) - don't believe me? Try it!!
0049D23E . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20>
0049D241 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D244 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D24A . E8 5566FAFF CALL WinDrvGh.004438A4 <= takes the first 3 characters of the registration name
0049D24F . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20> <= placed into address DWORD PTR SS:[EBP-20>
0049D252 . BA 5CD64900 MOV EDX,WinDrvGh.0049D65C ; ASCII "DiSTiNCT" <= the string "DiSTiNCT" placed into EDX
0049D257 . E8 8C7CF6FF CALL WinDrvGh.00404EE8 <= the first 3 characters of the registration name are operated on against the string "DiSTiNCT"
0049D25C . 0F84 32030000 JE WinDrvGh.0049D594
0049D262 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24> <= registration name length (8) placed into EDX
0049D265 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D268 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D26E . E8 3166FAFF CALL WinDrvGh.004438A4 <= reads the registration name and length again (annoying!)
0049D273 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24> <= registration name length (8) placed into EAX (annoying!)
0049D276 . BA 70D64900 MOV EDX,WinDrvGh.0049D670 ; ASCII "Team iNSaNE" <= the string "Team iNSaNE" placed into EDX
0049D27B . E8 687CF6FF CALL WinDrvGh.00404EE8 <= the registration name is operated on against the string "Team iNSaNE"
0049D280 . 0F84 0E030000 JE WinDrvGh.0049D594
0049D286 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28>
0049D289 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D28C . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D292 . E8 0D66FAFF CALL WinDrvGh.004438A4 <= reads the registration name and length yet again (even more annoying!)
0049D297 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28>
0049D29A . BA 84D64900 MOV EDX,WinDrvGh.0049D684 ; ASCII "TNT!2000" <= the string "TNT!2000" placed into EDX (what is it trying to do?! Damn!)
0049D29F . E8 447CF6FF CALL WinDrvGh.00404EE8
0049D2A4 . 0F84 EA020000 JE WinDrvGh.0049D594
0049D2AA . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C>
0049D2AD . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D2B0 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D2B6 . E8 E965FAFF CALL WinDrvGh.004438A4
0049D2BB . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C>
0049D2BE . BA 98D64900 MOV EDX,WinDrvGh.0049D698 ; ASCII "-=Demian/TNT!=-"
0049D2C3 . E8 207CF6FF CALL WinDrvGh.00404EE8 <= with a "-" added (^_^)
0049D2C8 . 0F84 C6020000 JE WinDrvGh.0049D594
0049D2CE . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30>
0049D2D1 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D2D4 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D2DA . E8 C565FAFF CALL WinDrvGh.004438A4
0049D2DF . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30>
0049D2E2 . BA B0D64900 MOV EDX,WinDrvGh.0049D6B0 ; ASCII "-=Demian/TNT!=- "
0049D2E7 . E8 FC7BF6FF CALL WinDrvGh.00404EE8
0049D2EC . 0F84 A2020000 JE WinDrvGh.0049D594
0049D2F2 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34>
0049D2F5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D2F8 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D2FE . E8 A165FAFF CALL WinDrvGh.004438A4
0049D303 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34>
0049D306 . BA CCD64900 MOV EDX,WinDrvGh.0049D6CC ; ASCII "DiSTiNCT "
0049D30B . E8 D87BF6FF CALL WinDrvGh.00404EE8
0049D310 . 0F84 7E020000 JE WinDrvGh.0049D594
0049D316 . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38>
0049D319 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D31C . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D322 . E8 7D65FAFF CALL WinDrvGh.004438A4
0049D327 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38>
0049D32A . BA E0D64900 MOV EDX,WinDrvGh.0049D6E0 ; ASCII "TMG"
0049D32F . E8 B47BF6FF CALL WinDrvGh.00404EE8
0049D334 . 0F84 5A020000 JE WinDrvGh.0049D594
0049D33A . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C>
0049D33D . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D340 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D346 . E8 5965FAFF CALL WinDrvGh.004438A4
0049D34B . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C>
0049D34E . BA ECD64900 MOV EDX,WinDrvGh.0049D6EC ; ASCII "Sponge Uk"
0049D353 . E8 907BF6FF CALL WinDrvGh.00404EE8
0049D358 . 0F84 36020000 JE WinDrvGh.0049D594
0049D35E . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40>
0049D361 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D364 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D36A . E8 3565FAFF CALL WinDrvGh.004438A4
0049D36F . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40>
0049D372 . BA 00D74900 MOV EDX,WinDrvGh.0049D700 ; ASCII "Sponge Uk "
0049D377 . E8 6C7BF6FF CALL WinDrvGh.00404EE8
0049D37C . 0F84 12020000 JE WinDrvGh.0049D594
0049D382 . 68 14D74900 PUSH WinDrvGh.0049D714
0049D387 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D38A . FFB0 2C030000 PUSH DWORD PTR DS:[EAX+32C]
0049D390 . 68 20D74900 PUSH WinDrvGh.0049D720 ; ASCII "20" <= "20" pushed onto the stack (what is 20 for? Read on ...... (^_^))
0049D395 . FF75 E8 PUSH DWORD PTR SS:[EBP-18] <= the ASCII here is "1119"; read on ...... (^_^)
0049D398 . 68 2CD74900 PUSH WinDrvGh.0049D72C
0049D39D . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48>
0049D3A0 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D3A3 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D3A9 . E8 F664FAFF CALL WinDrvGh.004438A4 <= registration name length (8 characters)
0049D3AE . 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48> <= registration name length (8 characters) placed into EAX
0049D3B1 . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44>
0049D3B4 . E8 9BFDFFFF CALL WinDrvGh.0049D154 <= this CALL works out, from the length of the registration name, what the last N characters of the registration code are. WHY N??? Follow me in and see!! (^_^). Press F7 to step in (between the dashed lines)
=============================
.......... (omitted)
0049D194 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] <= registration name length (8 characters) placed into EAX
0049D197 |. 0FB67438 FF |MOVZX ESI,BYTE PTR DS:[EAX+EDI-1] <= zero-extends each of the registration name's 8 characters in turn and moves it into ESI
0049D19C |. 8D55 F0 |LEA EDX,DWORD PTR SS:[EBP-10] <= placed into EDX
0049D19F |. 8BC6 |MOV EAX,ESI
0049D1A1 |. E8 26FFFFFF |CALL WinDrvGh.0049D0CC <= calls WinDrvGh.0049D0CC to compute the registration-code character corresponding to each registration-name character (iterations 1 through 8 give: "G" gives 47; "Y" = 59; J = 4A; [ = 5B; O = 4F; C = 43; N = 4E; ] = 5D)
0049D1A6 |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10] <= each placed into EDX in turn
0049D1A9 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C] <= each placed into an address in turn
0049D1AC |. E8 FB7BF6FF |CALL WinDrvGh.00404DAC
0049D1B1 |. 47 |INC EDI <= add 1
0049D1B2 |. 4B |DEC EBX <= subtract 1
0049D1B3 |.^75 DF \JNZ SHORT WinDrvGh.0049D194
......... (omitted)
==============================================
See it now? WHY N??? If the registration name has N characters, the section between the dashed lines repeats N times to compute the registration code (^_^)!!

What? You used a 100-character registration name?? Wouldn't it have to repeat 100 times? Haha...... Don't laugh!!! It's not that dumb! WHY again? Look at 0049D239 . E8 72C2F6FF CALL WinDrvGh.004094B0 (^_^) - don't believe me? Try it!! Damn, after all that talk you only have the second half of the registration code! What about the front half? Don't curse me! (^_^)!! Read on!!

0049D3B9 . FF75 BC PUSH DWORD PTR SS:[EBP-44] <= in the end you arrive here! The sky is clear now, right? Still WHY? Try it yourself!


0049D3BC . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D3BF . BA 06000000 MOV EDX,6
0049D3C4 . E8 9B7AF6FF CALL WinDrvGh.00404E64 <= step into this CALL and everything becomes clear! Follow me in! Press F7 to step in (between the dashed lines)
==============================

00404E7D > 8B4C94 14 MOV ECX,DWORD PTR SS:[ESP+EDX*4+14] ; WinDrvGh.0049D720
00404E81 . 85C9 TEST ECX,ECX
00404E83 . 74 09 JE SHORT WinDrvGh.00404E8E
00404E85 . 0341 FC ADD EAX,DWORD PTR DS:[ECX-4]
00404E88 . 39CF CMP EDI,ECX
00404E8A . 75 02 JNZ SHORT WinDrvGh.00404E8E
00404E8C . 31FF XOR EDI,EDI
00404E8E > 4A DEC EDX
00404E8F .^75 EC JNZ SHORT WinDrvGh.00404E7D
In this section ....... aha!! It's just the 20, the 1119 from above, and ....... try it yourself! (^_^)!


0049D3C9 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18>
0049D3CC . BA 38D74900 MOV EDX,WinDrvGh.0049D738 ; ASCII "\System32\spool\drivers\w32x86\2\riched20.dll SetActiveEditControlFont, Arial, 30"
0049D3D1 . E8 AE77F6FF CALL WinDrvGh.00404B84 <= this CALL is the interesting one. My registration name has 8 characters; if it had 9 or 7 ...... (^_^)! See what "1119" turns into? Try it yourselves! (^_^)!

0049D3D6 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C>
0049D3D9 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D3DC . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D3E2 . E8 BD64FAFF CALL WinDrvGh.004438A4 <= this reads the registration code you entered
0049D3E7 . 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C> <= the code you entered placed into an address
0049D3EA . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14> <= the true code placed into an address
0049D3ED . E8 EE7CF6FF CALL WinDrvGh.004050E0 <= this has to be the CALL that compares the codes; stepping in!
=============================
004050E0 /$ 85C0 TEST EAX,EAX <= checks the true code
004050E2 |. 74 40 JE SHORT WinDrvGh.00405124
004050E4 |. 85D2 TEST EDX,EDX <= checks the fake code
004050E6 |. 74 31 JE SHORT WinDrvGh.00405119
004050E8 |. 53 PUSH EBX <= pushes EBX (ASCII "LAC" <- this thing is used in every CALL; I still haven't worked out what it's for! If you know, do tell me! (^_^)!) onto the stack
004050E9 |. 56 PUSH ESI <= an entry address
004050EA |. 57 PUSH EDI
004050EB |. 89C6 MOV ESI,EAX <= the true code placed into the entry address ESI
004050ED |. 89D7 MOV EDI,EDX <= the fake code placed into EDI
004050EF |. 8B4F FC MOV ECX,DWORD PTR DS:[EDI-4] <= the true code placed into ECX
004050F2 |. 57 PUSH EDI <= the fake code pushed onto the stack
004050F3 |. 8B56 FC MOV EDX,DWORD PTR DS:[ESI-4] <= the fake code placed into EDX
004050F6 |. 4A DEC EDX <= subtract 1
004050F7 |. 78 1B JS SHORT WinDrvGh.00405114 <= keeps executing
004050F9 |. 8A06 MOV AL,BYTE PTR DS:[ESI] <= the first character of the true code placed into AL
004050FB |. 46 INC ESI <= add 1
004050FC |. 29D1 SUB ECX,EDX <= subtraction (EDX=19, ECX=9)
004050FE |. 7E 14 JLE SHORT WinDrvGh.00405114 <= the value is found to be wrong, jump to 00405114 and execute there
00405100 |> F2:AE /REPNE SCAS BYTE PTR ES:[EDI]
00405102 |. 75 10 |JNZ SHORT WinDrvGh.00405114
00405104 |. 89CB |MOV EBX,ECX
00405106 |. 56 |PUSH ESI
00405107 |. 57 |PUSH EDI
00405108 |. 89D1 |MOV ECX,EDX
0040510A |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS>
0040510C |. 5F |POP EDI
0040510D |. 5E |POP ESI
0040510E |. 74 0C |JE SHORT WinDrvGh.0040511C
00405110 |. 89D9 |MOV ECX,EBX
00405112 |.^EB EC \JMP SHORT WinDrvGh.00405100
00405114 |> 5A POP EDX <= jumps here
00405115 |. 31C0 XOR EAX,EAX
00405117 |. EB 08 JMP SHORT WinDrvGh.00405121 <= then jumps to 405121 and executes there
00405119 |> 31C0 XOR EAX,EAX
0040511B |. C3 RETN
0040511C |> 5A POP EDX
0040511D |. 89F8 MOV EAX,EDI
0040511F |. 29D0 SUB EAX,EDX
00405121 |> 5F POP EDI <= jumps here
00405122 |. 5E POP ESI
00405123 |. 5B POP EBX
00405124 \> C3 RETN <= returns to 0049D3F2

=================================

0049D3F2 . 85C0 TEST EAX,EAX <= returns here (EAX=00000000)
0049D3F4 . 0F84 9A010000 JE WinDrvGh.0049D594 <= if the registration code is wrong, you land here and it's all over!
0049D3FA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D3FD . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D403 . 33D2 XOR EDX,EDX
0049D405 . E8 CA64FAFF CALL WinDrvGh.004438D4
0049D40A . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D40D . E8 DA76F6FF CALL WinDrvGh.00404AEC
0049D412 . 6A 00 PUSH 0
0049D414 . 68 8CD74900 PUSH WinDrvGh.0049D78C ; ASCII "Registration Success!"
0049D419 . 68 A4D74900 PUSH WinDrvGh.0049D7A4 ; ASCII " Thank you for your
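An added example, not code from this write-up or from the program's vendor: the routine at 004050E0 is, instruction for instruction, the Delphi run-time library's `Pos` (System._LStrPos) substring search (string lengths read from [ptr-4], REPNE SCASB to find a candidate first byte, REPE CMPSB to check the rest, return value a 1-based index or 0), and 0049D3F2 only tests that result for zero. That identification is mine, not the author's. The C below re-implements that comparator to show what such a registration check actually accepts, next to a comparator that requires the whole string to match; the serial strings are constructed placeholders, not the program's real key scheme.

```c
/* Added example, not from the write-up: C model of the comparator at 004050E0
 * (identified here as Delphi's Pos / System._LStrPos) and of how 0049D3F2
 * uses its result, beside a full-match comparator.  All serial values are
 * constructed placeholders. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pos(substr, s): 1-based index of the first occurrence of substr in s, or 0.
 * Mirrors the control flow at 004050E0: TEST EAX / TEST EDX reject NULL,
 * "DEC EDX / JS" rejects an empty substr, "SUB ECX,EDX / JLE" rejects an s
 * shorter than substr, the REPNE SCASB loop finds a candidate first byte and
 * REPE CMPSB checks the remaining bytes. */
size_t delphi_pos(const char *substr, const char *s)
{
    if (substr == NULL || s == NULL)
        return 0;
    size_t sub_len = strlen(substr);
    size_t s_len = strlen(s);
    if (sub_len == 0 || s_len < sub_len)
        return 0;
    for (size_t i = 0; i + sub_len <= s_len; i++) {
        if (s[i] != substr[0])                 /* REPNE SCASB: no candidate yet */
            continue;
        if (memcmp(s + i + 1, substr + 1, sub_len - 1) == 0)
            return i + 1;                      /* MOV EAX,EDI / SUB EAX,EDX */
    }
    return 0;
}

/* What the binary does at 0049D3F2: "TEST EAX,EAX / JE fail" on the Pos()
 * result, so registration succeeds whenever the expected code appears
 * anywhere inside the text the user typed. */
int weak_serial_check(const char *expected, const char *entered)
{
    return delphi_pos(expected, entered) != 0;
}

/* Full-match comparator: lengths must agree and every byte is folded into the
 * result, with no early exit on the first mismatching byte. */
int full_match_serial_check(const char *expected, const char *entered)
{
    size_t n = strlen(expected);
    if (strlen(entered) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected[i] ^ entered[i]);
    return diff == 0;
}

/* Stand-alone demonstration on constructed input. */
int main(void)
{
    const char *expected = "EXAMPLE-SERIAL-0000";          /* placeholder */
    const char *padded   = "junkEXAMPLE-SERIAL-0000junk";  /* constructed */
    printf("substring check accepts padded input:  %d\n",
           weak_serial_check(expected, padded));
    printf("full-match check accepts padded input: %d\n",
           full_match_serial_check(expected, padded));
    return 0;
}
```

Accepting any input that merely contains the expected value is a code-review finding on its own, but the write-up illustrates the larger design problem: the expected serial is reconstructed in plaintext inside the client, so one breakpoint on the comparison exposes it. A full-length comparison narrows the first issue; only a scheme that never materialises the secret on the client (for instance, verifying a signature over the registration name with an embedded public key) removes the second.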
