Registration analysis of a web page template "thief" program (algorithm + keygen source)
2022-06-22 20:18:49
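【Author】: suredwang
【Author e-mail】: suredwang@126.com
【Software name】: 网页模板小偷 (Web Page Template Thief)
【Software size】: 865KB
【Download】: search for it yourself
【Packer】: ASPack 2.12 -> Alexey Solodovnikov
【Protection】: packed, plus multiple machine-code-based registration checks
【Language】: Microsoft Visual C++ 6.0
【Tools used】: OD PEID AspackDie1.41
【Platform】: Windows XP
【Software description】: enter the URL of a single web page and the corresponding files are generated on drive C
【Author's statement】: I am really just a beginner; I am simply interested in studying the protection methods of various software and have no other purpose. Please point out any mistakes! This is my first time posting a main thread and I don't understand many of the rules, so errors are inevitable; please bear with me!
--------------------------------------------------------------------------------
【Detailed process】
Analysis notes: the ASPack 2.12 shell can be unpacked easily with the ESP law. For lack of time I simply used an existing unpacking tool, AspackDie1.41; the unpacked program ran normally in a test. Checking again with PEID shows it was written in Microsoft Visual C++ 6.0.
Open the program and click Register, enter arbitrary characters in the registration code field and click the register button; a "注册失败" ("Registration failed") message box appears. Then load the program in OD, as follows: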
004D8AC3 >/$ 55 push ebp ; (initial cpu selection)
004D8AC4 |. 8BEC mov ebp, esp
004D8AC6 |. 6A FF push -1
004D8AC8 |. 68 E8127500 push 007512E8
004D8ACD |. 68 1CDB4D00 push 004DDB1C ; SE handler installation
004D8AD2 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004D8AD8 |. 50 push eax
004D8AD9 |. 64:8925 00000>mov dword ptr fs:[0], esp
004D8AE0 |. 83EC 58 sub esp, 58
004D8AE3 |. 53 push ebx
004D8AE4 |. 56 push esi
004D8AE5 |. 57 push edi
004D8AE6 |. 8965 E8 mov dword ptr [ebp-18], esp
004D8AE9 |. FF15 64025100 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion
004D8AEF |. 33D2 xor edx, edx
004D8AF1 |. 8AD4 mov dl, ah
004D8AF3 |. 8915 002A7B00 mov dword ptr [7B2A00], edx
004D8AF9 |. 8BC8 mov ecx, eax
004D8AFB |. 81E1 FF000000 and ecx, 0FF
004D8B01 |. 890D FC297B00 mov dword ptr [7B29FC], ecx
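Right-click and search for the string "注册失败" ("Registration failed"): it is referenced in many places, mixed in with "恭喜你已注册" ("Congratulations, you are registered"), "恭喜,注册成功" ("Congratulations, registration succeeded"), "恭喜,注册成功,您现在需要重打开软件!" ("Congratulations, registration succeeded, you now need to reopen the software!") and others, roughly forty or fifty entries in all. Clearly this comes from the registration code being copied many times over; the author evidently went to great lengths to stop people from patching it. Given that, the only option is to start with static analysis and trace the key CALL.
Open any one of the "恭喜你" ("Congratulations") references and trace slowly upward; there are many repeated CALLs and much repeated code, and you find "0043C6BF . E8 CC010000 call 0043C890":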
0043C668 . 68 04000080 push 80000004
0043C66D . 6A 00 push 0
0043C66F . 68 39E35600 push 0056E339 ; registration code
0043C674 . 68 04000080 push 80000004
0043C679 . 6A 00 push 0
0043C67B . A1 EC7A7700 mov eax, dword ptr [777AEC]
0043C680 . 85C0 test eax, eax
0043C682 . 75 05 jnz short 0043C689
0043C684 . B8 623E5100 mov eax, 00513E62
0043C689 > 50 push eax
0043C68A . 68 04000080 push 80000004
0043C68F . 6A 00 push 0
0043C691 . A1 E87A7700 mov eax, dword ptr [777AE8]
0043C696 . 85C0 test eax, eax
0043C698 . 75 05 jnz short 0043C69F
0043C69A . B8 623E5100 mov eax, 00513E62
0043C69F > 50 push eax
0043C6A0 . 68 04000000 push 4
0043C6A5 . BB 00A64500 mov ebx, 0045A600
0043C6AA . E8 26B40100 call 00457AD5
0043C6AF . 83C4 34 add esp, 34
0043C6B2 . 8945 FC mov dword ptr [ebp-4], eax
0043C6B5 . FF35 F07A7700 push dword ptr [777AF0]
0043C6BB . 8D45 FC lea eax, dword ptr [ebp-4]
0043C6BE . 50 push eax
0043C6BF . E8 CC010000 call 0043C890 ; key CALL: right-click "Follow" shows it is the registration-code algorithm; a breakpoint can be set here
0043C6C4 . 8945 F8 mov dword ptr [ebp-8], eax
0043C6C7 . 8B5D FC mov ebx, dword ptr [ebp-4]
0043C6CA . 85DB test ebx, ebx
0043C6CC . 74 09 je short 0043C6D7
0043C6CE . 53 push ebx
0043C6CF . E8 0DB40100 call 00457AE1
0043C6D4 . 83C4 04 add esp, 4
0043C6D7 > 8B45 F8 mov eax, dword ptr [ebp-8]
0043C6DA . E9 00000000 jmp 0043C6DF
0043C6DF > 8BE5 mov esp, ebp
0043C6E1 . 5D pop ebp
0043C6E2 . C3 retn
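Press F9 to run the program, go to the registration dialog and enter any registration code (to make it easier to explain while debugging, the real code "9816163181845450363698181871430njhbgvfwa30motherlslslsls" is used here), then click the register button.
0043C6BF . E8 CC010000 call 0043C890 ; execution breaks here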
0043C6C4 . 8945 F8 mov dword ptr [ebp-8], eax
0043C6C7 . 8B5D FC mov ebx, dword ptr [ebp-4]
0043C6CA . 85DB test ebx, ebx
0043C6CC . 74 09 je short 0043C6D7
0043C6CE . 53 push ebx
0043C6CF . E8 0DB40100 call 00457AE1
0043C6D4 . 83C4 04 add esp, 4
0043C6D7 > 8B45 F8 mov eax, dword ptr [ebp-8]
0043C6DA . E9 00000000 jmp 0043C6DF
0043C6DF > 8BE5 mov esp, ebp
0043C6E1 . 5D pop ebp
0043C6E2 . C3 retn
0043C6E3 /$ 55 push ebp
0043C6E4 |. 8BEC mov ebp, esp
Press F7 to step into "call 0043C890", shown below:
0043C890 $ 55 push ebp ; press F8 to single-step
0043C891 . 8BEC mov ebp, esp
0043C893 . 81EC 70000000 sub esp, 70
0043C899 . C745 FC 00000>mov dword ptr [ebp-4], 0 ; storage location
0043C8A0 . C745 F8 00000>mov dword ptr [ebp-8], 0
0043C8A7 . C745 F4 00000>mov dword ptr [ebp-C], 0
0043C8AE . C745 F0 00000>mov dword ptr [ebp-10], 0
0043C8B5 . C745 EC 00000>mov dword ptr [ebp-14], 0
0043C8BC . C745 E8 00000>mov dword ptr [ebp-18], 0
0043C8C3 . C745 E4 00000>mov dword ptr [ebp-1C], 0
0043C8CA . C745 E0 00000>mov dword ptr [ebp-20], 0
0043C8D1 . C745 DC 00000>mov dword ptr [ebp-24], 0
0043C8D8 . C745 D8 00000>mov dword ptr [ebp-28], 0
0043C8DF . C745 D4 00000>mov dword ptr [ebp-2C], 0
0043C8E6 . C745 D0 00000>mov dword ptr [ebp-30], 0
0043C8ED . C745 CC 00000>mov dword ptr [ebp-34], 0
0043C8F4 . C745 C8 00000>mov dword ptr [ebp-38], 0
0043C8FB . C745 C4 00000>mov dword ptr [ebp-3C], 0
0043C902 . C745 C0 00000>mov dword ptr [ebp-40], 0
0043C909 . E8 2FFCFFFF call 0043C53D ; get the machine code "19277955486"
0043C90E . 8945 BC mov dword ptr [ebp-44], eax
0043C911 . 8B45 BC mov eax, dword ptr [ebp-44]
0043C914 . 50 push eax
0043C915 . 8B5D FC mov ebx, dword ptr [ebp-4]
0043C918 . 85DB test ebx, ebx
0043C91A . 74 09 je short 0043C925
0043C91C . 53 push ebx
0043C91D . E8 BFB10100 call 00457AE1
0043C922 . 83C4 04 add esp, 4
0043C925 > 58 pop eax
0043C926 . 8945 FC mov dword ptr [ebp-4], eax
0043C929 . C745 F8 00000>mov dword ptr [ebp-8], 0
0043C930 . 68 04000080 push 80000004
0043C935 . 6A 00 push 0
0043C937 . 8B45 FC mov eax, dword ptr [ebp-4]
0043C93A . 85C0 test eax, eax
0043C93C . 75 05 jnz short 0043C943
0043C93E . B8 623E5100 mov eax, 00513E62
0043C943 > 50 push eax
0043C944 . 68 01000000 push 1
0043C949 . BB C0894500 mov ebx, 004589C0
0043C94E . E8 82B10100 call 00457AD5
0043C953 . 83C4 10 add esp, 10
0043C956 . 8945 B8 mov dword ptr [ebp-48], eax
0043C959 . 8955 BC mov dword ptr [ebp-44], edx
0043C95C . DD45 B8 fld qword ptr [ebp-48]
0043C95F . DC35 AB405100 fdiv qword ptr [5140AB]
0043C965 . DD5D B0 fstp qword ptr [ebp-50] ; arithmetic on the machine code
0043C968 . 68 01060080 push 80000601
0043C96D . FF75 B4 push dword ptr [ebp-4C]
0043C970 . FF75 B0 push dword ptr [ebp-50]
0043C973 . 68 01000000 push 1
0043C978 . BB C0804500 mov ebx, 004580C0
0043C97D . E8 53B10100 call 00457AD5 ; machine code divided by 9, represented in hexadecimal
0043C982 . 83C4 10 add esp, 10
0043C985 . 8945 F4 mov dword ptr [ebp-C], eax
0043C988 . 68 01030080 push 80000301
0043C98D . 6A 00 push 0
0043C98F . FF75 F4 push dword ptr [ebp-C]
0043C992 . 68 01000000 push 1
0043C997 . BB 20964500 mov ebx, 00459620
0043C99C . E8 34B10100 call 00457AD5 ; converted from hexadecimal to decimal "2141995054"
0043C9A1 . 83C4 10 add esp, 10
0043C9A4 . 8945 BC mov dword ptr [ebp-44], eax
0043C9A7 . 68 01030080 push 80000301
0043C9AC . 6A 00 push 0
0043C9AE . 68 01000000 push 1
0043C9B3 . 68 01030080 push 80000301
0043C9B8 . 6A 00 push 0
0043C9BA . 68 01000000 push 1
0043C9BF . 68 04000080 push 80000004
0043C9C4 . 6A 00 push 0
0043C9C6 . 8B45 BC mov eax, dword ptr [ebp-44]
0043C9C9 . 85C0 test eax, eax
0043C9CB . 75 05 jnz short 0043C9D2
0043C9CD . B8 623E5100 mov eax, 00513E62
0043C9D2 > 50 push eax
0043C9D3 . 68 03000000 push 3
0043C9D8 . BB 10844500 mov ebx, 00458410
0043C9DD . E8 F3B00100 call 00457AD5
0043C9E2 . 83C4 28 add esp, 28
0043C9E5 . 8945 B8 mov dword ptr [ebp-48], eax
0043C9E8 . 8B5D BC mov ebx, dword ptr [ebp-44]
0043C9EB . 85DB test ebx, ebx
0043C9ED . 74 09 je short 0043C9F8
0043C9EF . 53 push ebx
0043C9F0 . E8 ECB00100 call 00457AE1
0043C9F5 . 83C4 04 add esp, 4
0043C9F8 > 68 04000080 push 80000004
0043C9FD . 6A 00 push 0
0043C9FF . 8B45 B8 mov eax, dword ptr [ebp-48]
0043CA02 . 85C0 test eax, eax
0043CA04 . 75 05 jnz short 0043CA0B
0043CA06 . B8 623E5100 mov eax, 00513E62
0043CA0B > 50 push eax
0043CA0C . 68 01000000 push 1
0043CA11 . BB C0894500 mov ebx, 004589C0
0043CA16 . E8 BAB00100 call 00457AD5
0043CA1B . 83C4 10 add esp, 10
0043CA1E . 8945 B0 mov dword ptr [ebp-50], eax
0043CA21 . 8955 B4 mov dword ptr [ebp-4C], edx
0043CA24 . 8B5D B8 mov ebx, dword ptr [ebp-48]
0043CA27 . 85DB test ebx, ebx
0043CA29 . 74 09 je short 0043CA34
0043CA2B . 53 push ebx
0043CA2C . E8 B0B00100 call 00457AE1
0043CA31 . 83C4 04 add esp, 4
0043CA34 > DD45 B0 fld qword ptr [ebp-50]
0043CA37 . E8 C956FCFF call 00402105 ; take the first digit of the machine code
0043CA3C . 8945 F0 mov dword ptr [ebp-10], eax
0043CA3F . 6A 01 push 1
0043CA41 . FF75 F0 push dword ptr [ebp-10]
0043CA44 . E8 E7120000 call 0043DD30 ; get the constant "9"
0043CA49 . 8945 B4 mov dword ptr [ebp-4C], eax
0043CA4C . DB45 B4 fild dword ptr [ebp-4C] ; move onto the stack
0043CA4F . DD5D B4 fstp qword ptr [ebp-4C]
0043CA52 . DD45 B4 fld qword ptr [ebp-4C] ; first digit of the machine code
0043CA55 . DB45 F0 fild dword ptr [ebp-10]
0043CA58 . DD5D AC fstp qword ptr [ebp-54]
0043CA5B . DC4D AC fmul qword ptr [ebp-54]
0043CA5E . DB45 0C fild dword ptr [ebp+C] ; computed constant: hexadecimal "65", decimal 101
0043CA61 . DD5D A4 fstp qword ptr [ebp-5C]
0043CA64 . DC4D A4 fmul qword ptr [ebp-5C] ; multiply the values together
0043CA67 . DD5D 9C fstp qword ptr [ebp-64]
0043CA6A . 68 01060080 push 80000601
0043CA6F . FF75 A0 push dword ptr [ebp-60]
0043CA72 . FF75 9C push dword ptr [ebp-64]
0043CA75 . 68 01000000 push 1
0043CA7A . BB 20964500 mov ebx, 00459620
0043CA7F . E8 51B00100 call 00457AD5 ; convert the result to decimal and then to a string
0043CA84 . 83C4 10 add esp, 10
0043CA87 . 8945 98 mov dword ptr [ebp-68], eax
0043CA8A . FF75 98 push dword ptr [ebp-68]
0043CA8D . 68 B3405100 push 005140B3 ; the string "98"
0043CA92 . B9 02000000 mov ecx, 2
0043CA97 . E8 2A46FCFF call 004010C6
0043CA9C . 83C4 08 add esp, 8
0043CA9F . 8945 94 mov dword ptr [ebp-6C], eax
0043CAA2 . 8B5D 98 mov ebx, dword ptr [ebp-68]
0043CAA5 . 85DB test ebx, ebx
0043CAA7 . 74 09 je short 0043CAB2
0043CAA9 . 53 push ebx
0043CAAA . E8 32B00100 call 00457AE1
0043CAAF . 83C4 04 add esp, 4
0043CAB2 > 8B45 94 mov eax, dword ptr [ebp-6C]
0043CAB5 . 50 push eax
0043CAB6 . 8B5D EC mov ebx, dword ptr [ebp-14]
0043CAB9 . 85DB test ebx, ebx
0043CABB . 74 09 je short 0043CAC6
0043CABD . 53 push ebx
0043CABE . E8 1EB00100 call 00457AE1
0043CAC3 . 83C4 04 add esp, 4
0043CAC6 > 58 pop eax
0043CAC7 . 8945 EC mov dword ptr [ebp-14], eax
0043CACA . 68 01030080 push 80000301
0043CACF . 6A 00 push 0
0043CAD1 . 68 03000000 push 3
0043CAD6 . 68 04000080 push 80000004
0043CADB . 6A 00 push 0
0043CADD . 8B45 EC mov eax, dword ptr [ebp-14]
0043CAE0 . 85C0 test eax, eax
0043CAE2 . 75 05 jnz short 0043CAE9
0043CAE4 . B8 623E5100 mov eax, 00513E62
0043CAE9 > 50 push eax
0043CAEA . 68 02000000 push 2
0043CAEF . BB 80834500 mov ebx, 00458380
0043CAF4 . E8 DCAF0100 call 00457AD5
0043CAF9 . 83C4 1C add esp, 1C
0043CAFC . 8945 BC mov dword ptr [ebp-44], eax
0043CAFF . 8B45 BC mov eax, dword ptr [ebp-44]
0043CB02 . 50 push eax
0043CB03 . 8B5D E8 mov ebx, dword ptr [ebp-18]
0043CB06 . 85DB test ebx, ebx
0043CB08 . 74 09 je short 0043CB13
0043CB0A . 53 push ebx
0043CB0B . E8 D1AF0100 call 00457AE1
0043CB10 . 83C4 04 add esp, 4
0043CB13 > 58 pop eax
0043CB14 . 8945 E8 mov dword ptr [ebp-18], eax
0043CB17 . 68 02000080 push 80000002
0043CB1C . 6A 00 push 0
0043CB1E . 68 00000000 push 0
0043CB23 . 6A 00 push 0
0043CB25 . 6A 00 push 0
0043CB27 . 6A 00 push 0
0043CB29 . 68 04000080 push 80000004
0043CB2E . 6A 00 push 0
0043CB30 . 8B45 E8 mov eax, dword ptr [ebp-18]
0043CB33 . 85C0 test eax, eax
0043CB35 . 75 05 jnz short 0043CB3C
0043CB37 . B8 623E5100 mov eax, 00513E62
0043CB3C > 50 push eax
0043CB3D . 68 04000080 push 80000004
0043CB42 . 6A 00 push 0
0043CB44 . 8B5D 08 mov ebx, dword ptr [ebp+8]
0043CB47 . 8B03 mov eax, dword ptr [ebx] ; get the registration code
0043CB49 . 85C0 test eax, eax
0043CB4B . 75 05 jnz short 0043CB52
0043CB4D . B8 623E5100 mov eax, 00513E62
0043CB52 > 50 push eax
0043CB53 . 68 04000000 push 4
0043CB58 . BB 70864500 mov ebx, 00458670
0043CB5D . E8 73AF0100 call 00457AD5 ; get the position of the string within the registration code
0043CB62 . 83C4 34 add esp, 34
0043CB65 . 8945 B8 mov dword ptr [ebp-48], eax
0043CB68 . 837D B8 FF cmp dword ptr [ebp-48], -1
0043CB6C . 0F84 03000000 je 0043CB75 ; key jump: if taken, registration fails
0043CB72 . FF45 F8 inc dword ptr [ebp-8]
0043CB75 > 68 01030080 push 80000301
0043CB7A . 6A 00 push 0
0043CB7C . FF75 F4 push dword ptr [ebp-C]
0043CB7F . 68 01000000 push 1
0043CB84 . BB 20964500 mov ebx, 00459620
0043CB89 . E8 47AF0100 call 00457AD5 ; get the machine code again
0043CB8E . 83C4 10 add esp, 10
0043CB91 . 8945 BC mov dword ptr [ebp-44], eax
0043CB94 . 68 01030080 push 80000301
0043CB99 . 6A 00 push 0
0043CB9B . 68 01000000 push 1
0043CBA0 . 68 01030080 push 80000301
0043CBA5 . 6A 00 push 0
0043CBA7 . 68 02000000 push 2
0043CBAC . 68 04000080 push 80000004
0043CBB1 . 6A 00 push 0
0043CBB3 . 8B45 BC mov eax, dword ptr [ebp-44]
0043CBB6 . 85C0 test eax, eax
0043CBB8 . 75 05 jnz short 0043CBBF
0043CBBA . B8 623E5100 mov eax, 00513E62
0043CBBF > 50 push eax
0043CBC0 . 68 03000000 push 3
0043CBC5 . BB 10844500 mov ebx, 00458410
0043CBCA . E8 06AF0100 call 00457AD5
0043CBCF . 83C4 28 add esp, 28
0043CBD2 . 8945 B8 mov dword ptr [ebp-48], eax
0043CBD5 . 8B5D BC mov ebx, dword ptr [ebp-44]
0043CBD8 . 85DB test ebx, ebx
0043CBDA . 74 09 je short 0043CBE5
0043CBDC . 53 push ebx
0043CBDD . E8 FFAE0100 call 00457AE1
0043CBE2 . 83C4 04 add esp, 4
0043CBE5 > 68 04000080 push 80000004
0043CBEA . 6A 00 push 0
0043CBEC . 8B45 B8 mov eax, dword ptr [ebp-48]
0043CBEF . 85C0 test eax, eax
0043CBF1 . 75 05 jnz short 0043CBF8
0043CBF3 . B8 623E5100 mov eax, 00513E62
0043CBF8 > 50 push eax
0043CBF9 . 68 01000000 push 1
0043CBFE . BB C0894500 mov ebx, 004589C0
0043CC03 . E8 CDAE0100 call 00457AD5
0043CC08 . 83C4 10 add esp, 10
0043CC0B . 8945 B0 mov dword ptr [ebp-50], eax
0043CC0E . 8955 B4 mov dword ptr [ebp-4C], edx
0043CC11 . 8B5D B8 mov ebx, dword ptr [ebp-48]
0043CC14 . 85DB test ebx, ebx
0043CC16 . 74 09 je short 0043CC21
0043CC18 . 53 push ebx
0043CC19 . E8 C3AE0100 call 00457AE1
0043CC1E . 83C4 04 add esp, 4
0043CC21 > DD45 B0 fld qword ptr [ebp-50] ; take the 2nd digit of the machine code
0043CC24 . E8 DC54FCFF call 00402105
0043CC29 . 8945 F0 mov dword ptr [ebp-10], eax
0043CC2C . 6A 01 push 1
0043CC2E . FF75 F0 push dword ptr [ebp-10]
0043CC31 . E8 7E130000 call 0043DFB4
0043CC36 . 8945 BC mov dword ptr [ebp-44], eax ; get the constant 7
0043CC39 . DB45 0C fild dword ptr [ebp+C]
0043CC3C . DD5D B4 fstp qword ptr [ebp-4C]
0043CC3F . DD45 B4 fld qword ptr [ebp-4C] ; constant, hexadecimal 65
0043CC42 . DC05 60405100 fadd qword ptr [514060] ; add 1
0043CC48 . DD5D AC fstp qword ptr [ebp-54]
0043CC4B . DB45 BC fild dword ptr [ebp-44]
0043CC4E . DD5D A4 fstp qword ptr [ebp-5C]
0043CC51 . DD45 A4 fld qword ptr [ebp-5C]
0043CC54 . DB45 F0 fild dword ptr [ebp-10]
0043CC57 . DD5D 9C fstp qword ptr [ebp-64]
0043CC5A . DC4D 9C fmul qword ptr [ebp-64]
0043CC5D . DC4D AC fmul qword ptr [ebp-54]
0043CC60 . DD5D 94 fstp qword ptr [ebp-6C] ; product stored on the stack
0043CC63 . 68 01060080 push 80000601
0043CC68 . FF75 98 push dword ptr [ebp-68]
0043CC6B . FF75 94 push dword ptr [ebp-6C]
0043CC6E . 68 01000000 push 1
0043CC73 . BB 20964500 mov ebx, 00459620
0043CC78 . E8 58AE0100 call 00457AD5 ; convert the result to a decimal string
0043CC7D . 83C4 10 add esp, 10
0043CC80 . 8945 90 mov dword ptr [ebp-70], eax
0043CC83 . 8B45 90 mov eax, dword ptr [ebp-70]
0043CC86 . 50 push eax
0043CC87 . 8B5D E4 mov ebx, dword ptr [ebp-1C]
0043CC8A . 85DB test ebx, ebx
0043CC8C . 74 09 je short 0043CC97
0043CC8E . 53 push ebx
0043CC8F . E8 4DAE0100 call 00457AE1
0043CC94 . 83C4 04 add esp, 4
0043CC97 > 58 pop eax
0043CC98 . 8945 E4 mov dword ptr [ebp-1C], eax
0043CC9B . 68 02000080 push 80000002
0043CCA0 . 6A 00 push 0
0043CCA2 . 68 00000000 push 0
0043CCA7 . 6A 00 push 0
0043CCA9 . 6A 00 push 0
0043CCAB . 6A 00 push 0
0043CCAD . 68 04000080 push 80000004
0043CCB2 . 6A 00 push 0
0043CCB4 . 8B45 E4 mov eax, dword ptr [ebp-1C]
0043CCB7 . 85C0 test eax, eax
0043CCB9 . 75 05 jnz short 0043CCC0
0043CCBB . B8 623E5100 mov eax, 00513E62
0043CCC0 > 50 push eax
0043CCC1 . 68 04000080 push 80000004
0043CCC6 . 6A 00 push 0
0043CCC8 . 8B5D 08 mov ebx, dword ptr [ebp+8]
0043CCCB . 8B03 mov eax, dword ptr [ebx] ; get the registration code
0043CCCD . 85C0 test eax, eax
0043CCCF . 75 05 jnz short 0043CCD6
0043CCD1 . B8 623E5100 mov eax, 00513E62
0043CCD6 > 50 push eax
0043CCD7 . 68 04000000 push 4
0043CCDC . BB 70864500 mov ebx, 00458670
0043CCE1 . E8 EFAD0100 call 00457AD5 ; get the position of the string within the registration code
0043CCE6 . 83C4 34 add esp, 34
0043CCE9 . 8945 B8 mov dword ptr [ebp-48], eax
0043CCEC . 837D B8 FF cmp dword ptr [ebp-48], -1
0043CCF0 . 0F84 03000000 je 0043CCF9 ; key jump: if taken, registration fails
0043CCF6 . FF45 F8 inc dword ptr [ebp-8]
0043CCF9 > 68 01030080 push 80000301
0043CCFE . 6A 00 push 0
0043CD00 . FF75 F4 push dword ptr [ebp-C]
0043CD03 . 68 01000000 push 1
0043CD08 . BB 20964500 mov ebx, 00459620
0043CD0D . E8 C3AD0100 call 00457AD5
0043CD12 . 83C4 10 add esp, 10
0043CD15 . 8945 BC mov dword ptr [ebp-44], eax
0043CD18 . 68 01030080 push 80000301
0043CD1D . 6A 00 push 0
0043CD1F . 68 01000000 push 1
0043CD24 . 68 01030080 push 80000301
0043CD29 . 6A 00 push 0
0043CD2B . 68 03000000 push 3
0043CD30 . 68 04000080 push 80000004
0043CD35 . 6A 00 push 0
0043CD37 . 8B45 BC mov eax, dword ptr [ebp-44]
0043CD3A . 85C0 test eax, eax
0043CD3C . 75 05 jnz short 0043CD43
0043CD3E . B8 623E5100 mov eax, 00513E62
0043CD43 > 50 push eax
0043CD44 . 68 03000000 push 3
0043CD49 . BB 10844500 mov ebx, 00458410
0043CD4E . E8 82AD0100 call 00457AD5
0043CD53 . 83C4 28 add esp, 28
0043CD56 . 8945 B8 mov dword ptr [ebp-48], eax
0043CD59 . 8B5D BC mov ebx, dword ptr [ebp-44]
0043CD5C . 85DB test ebx, ebx
0043CD5E . 74 09 je short 0043CD69
0043CD60 . 53 push ebx
0043CD61 . E8 7BAD0100 call 00457AE1
0043CD66 . 83C4 04 add esp, 4
0043CD69 > 68 04000080 push 80000004
0043CD6E . 6A 00 push 0
0043CD70 . 8B45 B8 mov eax, dword ptr [ebp-48]
0043CD73 . 85C0 test eax, eax
0043CD75 . 75 05 jnz short 0043CD7C
0043CD77 . B8 623E5100 mov eax, 00513E62
0043CD7C > 50 push eax
0043CD7D . 68 01000000 push 1
0043CD82 . BB C0894500 mov ebx, 004589C0
0043CD87 . E8 49AD0100 call 00457AD5
0043CD8C . 83C4 10 add esp, 10
0043CD8F . 8945 B0 mov dword ptr [ebp-50], eax
0043CD92 . 8955 B4 mov dword ptr [ebp-4C], edx
0043CD95 . 8B5D B8 mov ebx, dword ptr [ebp-48]
0043CD98 . 85DB test ebx, ebx
0043CD9A . 74 09 je short 0043CDA5
0043CD9C . 53 push ebx
0043CD9D . E8 3FAD0100 call 00457AE1
0043CDA2 . 83C4 04 add esp, 4
0043CDA5 > DD45 B0 fld qword ptr [ebp-50]
0043CDA8 . E8 5853FCFF call 00402105
0043CDAD . 8945 F0 mov dword ptr [ebp-10], eax
0043CDB0 . 6A 01 push 1
0043CDB2 . FF75 F0 push dword ptr [ebp-10]
0043CDB5 . E8 5C170000 call 0043E516
0043CDBA . 8945 B4 mov dword ptr [ebp-4C], eax
0043CDBD . DB45 B4 fild dword ptr [ebp-4C]
0043CDC0 . DD5D B4 fstp qword ptr [ebp-4C]
0043CDC3 . DD45 B4 fld qword ptr [ebp-4C]
0043CDC6 . DB45 F0 fild dword ptr [ebp-10]
0043CDC9 . DD5D AC fstp qword ptr [ebp-54]
0043CDCC . DC4D AC fmul qword ptr [ebp-54]
0043CDCF . DB45 0C fild dword ptr [ebp+C]
0043CDD2 . DD5D A4 fstp qword ptr [ebp-5C]
0043CDD5 . DC4D A4 fmul qword ptr [ebp-5C]
0043CDD8 . DD5D 9C fstp qword ptr [ebp-64]
0043CDDB . 68 01060080 push 80000601
0043CDE0 . FF75 A0 push dword ptr [ebp-60]
0043CDE3 . FF75 9C push dword ptr [ebp-64]
0043CDE6 . 68 01000000 push 1
0043CDEB . BB 20964500 mov ebx, 00459620
0043CDF0 . E8 E0AC0100 call 00457AD5
0043CDF5 . 83C4 10 add esp, 10
0043CDF8 . 8945 98 mov dword ptr [ebp-68], eax
0043CDFB . 8B45 98 mov eax, dword ptr [ebp-68]
0043CDFE . 50 push eax
0043CDFF . 8B5D E0 mov ebx, dword ptr [ebp-20]
0043CE02 . 85DB test ebx, ebx
0043CE04 . 74 09 je short 0043CE0F
0043CE06 . 53 push ebx
【作者邮箱】: suredwang@126.com
【软件名称】: 网页模板小偷
【软件大小】: 865KB
【下载地址】: 自己搜索下载
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【保护方式】: 加壳外加机器码多重注册
【编写语言】: Microsoft Visual C++ 6.0
【使用工具】: OD PEID AspackDie1.41
【操作平台】: windowXP
【软件介绍】: 只需输入单个网页的URL地址,即可在C盘生成对应文件
【作者声明】: 本人实在是个小小菜鸟,只是感兴趣,研究各种加密软件方法,没有其他目的。失误之处敬请诸位大侠赐教! 这是本人第一次发主帖,好多规则不懂,错误难免,请大家多多包涵!
--------------------------------------------------------------------------------
【详细过程】
分析说明:ASPack 2.12的壳用ESP定律就可以简单脱之,本人因时间关系直接借用大侠的脱壳工具AspackDie1.41脱之试运行正常,用PEID再查发现是用Microsoft Visual C++ 6.0语言编写
打开程序点注册软件,在注册码处任意输入字符点注册按钮出现“注册失败”提示框,然后用OD载入如下
004D8AC3 >/$ 55 push ebp ; (initial cpu selection)
004D8AC4 |. 8BEC mov ebp, esp
004D8AC6 |. 6A FF push -1
004D8AC8 |. 68 E8127500 push 007512E8
004D8ACD |. 68 1CDB4D00 push 004DDB1C ; SE 处理程序安装
004D8AD2 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004D8AD8 |. 50 push eax
004D8AD9 |. 64:8925 00000>mov dword ptr fs:[0], esp
004D8AE0 |. 83EC 58 sub esp, 58
004D8AE3 |. 53 push ebx
004D8AE4 |. 56 push esi
004D8AE5 |. 57 push edi
004D8AE6 |. 8965 E8 mov dword ptr [ebp-18], esp
004D8AE9 |. FF15 64025100 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion
004D8AEF |. 33D2 xor edx, edx
004D8AF1 |. 8AD4 mov dl, ah
004D8AF3 |. 8915 002A7B00 mov dword ptr [7B2A00], edx
004D8AF9 |. 8BC8 mov ecx, eax
004D8AFB |. 81E1 FF000000 and ecx, 0FF
004D8B01 |. 890D FC297B00 mov dword ptr [7B29FC], ecx
点右键查找字符串“注册失败”发现有多处调用,并其中充杂了“恭喜你已注册”,“恭喜,注册成功”“恭喜,注册成功,您现在需要重打开软件!”等大约四五十条之多,呵呵,很明显,是注册代码多重复制才会这样的,看来作者为防止别人爆破,可谓用心良苦啊。既然这样那只好先静态分析,追踪关键CALL
任意点开一个“恭喜你”向上慢慢追踪,发现好多重复CALL和代码,找到“0043C6BF . E8 CC010000 call 0043C890”,
0043C668 . 68 04000080 push 80000004
0043C66D . 6A 00 push 0
0043C66F . 68 39E35600 push 0056E339 ; 注册码
0043C674 . 68 04000080 push 80000004
0043C679 . 6A 00 push 0
0043C67B . A1 EC7A7700 mov eax, dword ptr [777AEC]
0043C680 . 85C0 test eax, eax
0043C682 . 75 05 jnz short 0043C689
0043C684 . B8 623E5100 mov eax, 00513E62
0043C689 > 50 push eax
0043C68A . 68 04000080 push 80000004
0043C68F . 6A 00 push 0
0043C691 . A1 E87A7700 mov eax, dword ptr [777AE8]
0043C696 . 85C0 test eax, eax
0043C698 . 75 05 jnz short 0043C69F
0043C69A . B8 623E5100 mov eax, 00513E62
0043C69F > 50 push eax
0043C6A0 . 68 04000000 push 4
0043C6A5 . BB 00A64500 mov ebx, 0045A600
0043C6AA . E8 26B40100 call 00457AD5
0043C6AF . 83C4 34 add esp, 34
0043C6B2 . 8945 FC mov dword ptr [ebp-4], eax
0043C6B5 . FF35 F07A7700 push dword ptr [777AF0]
0043C6BB . 8D45 FC lea eax, dword ptr [ebp-4]
0043C6BE . 50 push eax
0043C6BF . E8 CC010000 call 0043C890 ,关键CALL 右键跟随可以发现是注册码算法,此处可下断
0043C6C4 . 8945 F8 mov dword ptr [ebp-8], eax
0043C6C7 . 8B5D FC mov ebx, dword ptr [ebp-4]
0043C6CA . 85DB test ebx, ebx
0043C6CC . 74 09 je short 0043C6D7
0043C6CE . 53 push ebx
0043C6CF . E8 0DB40100 call 00457AE1
0043C6D4 . 83C4 04 add esp, 4
0043C6D7 > 8B45 F8 mov eax, dword ptr [ebp-8]
0043C6DA . E9 00000000 jmp 0043C6DF
0043C6DF > 8BE5 mov esp, ebp
0043C6E1 . 5D pop ebp
0043C6E2 . C3 retn
F9运行程序 进入注册界面,任意输入注册码(为方便边调试边讲解用真码“9816163181845450363698181871430njhbgvfwa30motherlslslsls”点注册按钮
0043C6BF . E8 CC010000 call 0043C890 在此处断下
0043C6C4 . 8945 F8 mov dword ptr [ebp-8], eax
0043C6C7 . 8B5D FC mov ebx, dword ptr [ebp-4]
0043C6CA . 85DB test ebx, ebx
0043C6CC . 74 09 je short 0043C6D7
0043C6CE . 53 push ebx
0043C6CF . E8 0DB40100 call 00457AE1
0043C6D4 . 83C4 04 add esp, 4
0043C6D7 > 8B45 F8 mov eax, dword ptr [ebp-8]
0043C6DA . E9 00000000 jmp 0043C6DF
0043C6DF > 8BE5 mov esp, ebp
0043C6E1 . 5D pop ebp
0043C6E2 . C3 retn
0043C6E3 /$ 55 push ebp
0043C6E4 |. 8BEC mov ebp, esp
F7进入" call 0043C890" 如下:
0043C890 $ 55 push ebp 按F8单步运行
0043C891 . 8BEC mov ebp, esp
0043C893 . 81EC 70000000 sub esp, 70
0043C899 . C745 FC 00000>mov dword ptr [ebp-4], 0 储存地址
0043C8A0 . C745 F8 00000>mov dword ptr [ebp-8], 0
0043C8A7 . C745 F4 00000>mov dword ptr [ebp-C], 0
0043C8AE . C745 F0 00000>mov dword ptr [ebp-10], 0
0043C8B5 . C745 EC 00000>mov dword ptr [ebp-14], 0
0043C8BC . C745 E8 00000>mov dword ptr [ebp-18], 0
0043C8C3 . C745 E4 00000>mov dword ptr [ebp-1C], 0
0043C8CA . C745 E0 00000>mov dword ptr [ebp-20], 0
0043C8D1 . C745 DC 00000>mov dword ptr [ebp-24], 0
0043C8D8 . C745 D8 00000>mov dword ptr [ebp-28], 0
0043C8DF . C745 D4 00000>mov dword ptr [ebp-2C], 0
0043C8E6 . C745 D0 00000>mov dword ptr [ebp-30], 0
0043C8ED . C745 CC 00000>mov dword ptr [ebp-34], 0
0043C8F4 . C745 C8 00000>mov dword ptr [ebp-38], 0
0043C8FB . C745 C4 00000>mov dword ptr [ebp-3C], 0
0043C902 . C745 C0 00000>mov dword ptr [ebp-40], 0
0043C909 . E8 2FFCFFFF call 0043C53D 取得机器码 “19277955486”
0043C90E . 8945 BC mov dword ptr [ebp-44], eax
0043C911 . 8B45 BC mov eax, dword ptr [ebp-44]
0043C914 . 50 push eax
0043C915 . 8B5D FC mov ebx, dword ptr [ebp-4]
0043C918 . 85DB test ebx, ebx
0043C91A . 74 09 je short 0043C925
0043C91C . 53 push ebx
0043C91D . E8 BFB10100 call 00457AE1
0043C922 . 83C4 04 add esp, 4
0043C925 > 58 pop eax
0043C926 . 8945 FC mov dword ptr [ebp-4], eax
0043C929 . C745 F8 00000>mov dword ptr [ebp-8], 0
0043C930 . 68 04000080 push 80000004
0043C935 . 6A 00 push 0
0043C937 . 8B45 FC mov eax, dword ptr [ebp-4]
0043C93A . 85C0 test eax, eax
0043C93C . 75 05 jnz short 0043C943
0043C93E . B8 623E5100 mov eax, 00513E62
0043C943 > 50 push eax
0043C944 . 68 01000000 push 1
0043C949 . BB C0894500 mov ebx, 004589C0
0043C94E . E8 82B10100 call 00457AD5
0043C953 . 83C4 10 add esp, 10
0043C956 . 8945 B8 mov dword ptr [ebp-48], eax
0043C959 . 8955 BC mov dword ptr [ebp-44], edx
0043C95C . DD45 B8 fld qword ptr [ebp-48]
0043C95F . DC35 AB405100 fdiv qword ptr [5140AB]
0043C965 . DD5D B0 fstp qword ptr [ebp-50] 机器码运算
0043C968 . 68 01060080 push 80000601
0043C96D . FF75 B4 push dword ptr [ebp-4C]
0043C970 . FF75 B0 push dword ptr [ebp-50]
0043C973 . 68 01000000 push 1
0043C978 . BB C0804500 mov ebx, 004580C0
0043C97D . E8 53B10100 call 00457AD5 机器码除以9 十六进制表示
0043C982 . 83C4 10 add esp, 10
0043C985 . 8945 F4 mov dword ptr [ebp-C], eax
0043C988 . 68 01030080 push 80000301
0043C98D . 6A 00 push 0
0043C98F . FF75 F4 push dword ptr [ebp-C]
0043C992 . 68 01000000 push 1
0043C997 . BB 20964500 mov ebx, 00459620
0043C99C . E8 34B10100 call 00457AD5 由十六进制转为十进制 “2141995054”
0043C9A1 . 83C4 10 add esp, 10
0043C9A4 . 8945 BC mov dword ptr [ebp-44], eax
0043C9A7 . 68 01030080 push 80000301
0043C9AC . 6A 00 push 0
0043C9AE . 68 01000000 push 1
0043C9B3 . 68 01030080 push 80000301
0043C9B8 . 6A 00 push 0
0043C9BA . 68 01000000 push 1
0043C9BF . 68 04000080 push 80000004
0043C9C4 . 6A 00 push 0
0043C9C6 . 8B45 BC mov eax, dword ptr [ebp-44]
0043C9C9 . 85C0 test eax, eax
0043C9CB . 75 05 jnz short 0043C9D2
0043C9CD . B8 623E5100 mov eax, 00513E62
0043C9D2 > 50 push eax
0043C9D3 . 68 03000000 push 3
0043C9D8 . BB 10844500 mov ebx, 00458410
0043C9DD . E8 F3B00100 call 00457AD5
0043C9E2 . 83C4 28 add esp, 28
0043C9E5 . 8945 B8 mov dword ptr [ebp-48], eax
0043C9E8 . 8B5D BC mov ebx, dword ptr [ebp-44]
0043C9EB . 85DB test ebx, ebx
0043C9ED . 74 09 je short 0043C9F8
0043C9EF . 53 push ebx
0043C9F0 . E8 ECB00100 call 00457AE1
0043C9F5 . 83C4 04 add esp, 4
0043C9F8 > 68 04000080 push 80000004
0043C9FD . 6A 00 push 0
0043C9FF . 8B45 B8 mov eax, dword ptr [ebp-48]
0043CA02 . 85C0 test eax, eax
0043CA04 . 75 05 jnz short 0043CA0B
0043CA06 . B8 623E5100 mov eax, 00513E62
0043CA0B > 50 push eax
0043CA0C . 68 01000000 push 1
0043CA11 . BB C0894500 mov ebx, 004589C0
0043CA16 . E8 BAB00100 call 00457AD5
0043CA1B . 83C4 10 add esp, 10
0043CA1E . 8945 B0 mov dword ptr [ebp-50], eax
0043CA21 . 8955 B4 mov dword ptr [ebp-4C], edx
0043CA24 . 8B5D B8 mov ebx, dword ptr [ebp-48]
0043CA27 . 85DB test ebx, ebx
0043CA29 . 74 09 je short 0043CA34
0043CA2B . 53 push ebx
0043CA2C . E8 B0B00100 call 00457AE1
0043CA31 . 83C4 04 add esp, 4
0043CA34 > DD45 B0 fld qword ptr [ebp-50]
0043CA37 . E8 C956FCFF call 00402105 ; 取机器码第一位
0043CA3C . 8945 F0 mov dword ptr [ebp-10], eax
0043CA3F . 6A 01 push 1
0043CA41 . FF75 F0 push dword ptr [ebp-10]
0043CA44 . E8 E7120000 call 0043DD30 ; 取 常数 “9 ”
0043CA49 . 8945 B4 mov dword ptr [ebp-4C], eax
0043CA4C . DB45 B4 fild dword ptr [ebp-4C] ; 转到堆栈
0043CA4F . DD5D B4 fstp qword ptr [ebp-4C]
0043CA52 . DD45 B4 fld qword ptr [ebp-4C] ; 机器码第一位
0043CA55 . DB45 F0 fild dword ptr [ebp-10]
0043CA58 . DD5D AC fstp qword ptr [ebp-54]
0043CA5B . DC4D AC fmul qword ptr [ebp-54]
0043CA5E . DB45 0C fild dword ptr [ebp+C] ; 算出常数 十六进制 “65 ” 十进制为101
0043CA61 . DD5D A4 fstp qword ptr [ebp-5C]
0043CA64 . DC4D A4 fmul qword ptr [ebp-5C] ; 各位相乘
0043CA67 . DD5D 9C fstp qword ptr [ebp-64]
0043CA6A . 68 01060080 push 80000601
0043CA6F . FF75 A0 push dword ptr [ebp-60]
0043CA72 . FF75 9C push dword ptr [ebp-64]
0043CA75 . 68 01000000 push 1
0043CA7A . BB 20964500 mov ebx, 00459620
0043CA7F . E8 51B00100 call 00457AD5 ; 结果转化十进制并转化字符串
0043CA84 . 83C4 10 add esp, 10
0043CA87 . 8945 98 mov dword ptr [ebp-68], eax
0043CA8A . FF75 98 push dword ptr [ebp-68]
0043CA8D . 68 B3405100 push 005140B3 ; “98 ”字符串
0043CA92 . B9 02000000 mov ecx, 2
0043CA97 . E8 2A46FCFF call 004010C6
0043CA9C . 83C4 08 add esp, 8
0043CA9F . 8945 94 mov dword ptr [ebp-6C], eax
0043CAA2 . 8B5D 98 mov ebx, dword ptr [ebp-68]
0043CAA5 . 85DB test ebx, ebx
0043CAA7 . 74 09 je short 0043CAB2
0043CAA9 . 53 push ebx
0043CAAA . E8 32B00100 call 00457AE1
0043CAAF . 83C4 04 add esp, 4
0043CAB2 > 8B45 94 mov eax, dword ptr [ebp-6C]
0043CAB5 . 50 push eax
0043CAB6 . 8B5D EC mov ebx, dword ptr [ebp-14]
0043CAB9 . 85DB test ebx, ebx
0043CABB . 74 09 je short 0043CAC6
0043CABD . 53 push ebx
0043CABE . E8 1EB00100 call 00457AE1
0043CAC3 . 83C4 04 add esp, 4
0043CAC6 > 58 pop eax
0043CAC7 . 8945 EC mov dword ptr [ebp-14], eax
0043CACA . 68 01030080 push 80000301
0043CACF . 6A 00 push 0
0043CAD1 . 68 03000000 push 3
0043CAD6 . 68 04000080 push 80000004
0043CADB . 6A 00 push 0
0043CADD . 8B45 EC mov eax, dword ptr [ebp-14]
0043CAE0 . 85C0 test eax, eax
0043CAE2 . 75 05 jnz short 0043CAE9
0043CAE4 . B8 623E5100 mov eax, 00513E62
0043CAE9 > 50 push eax
0043CAEA . 68 02000000 push 2
0043CAEF . BB 80834500 mov ebx, 00458380
0043CAF4 . E8 DCAF0100 call 00457AD5
0043CAF9 . 83C4 1C add esp, 1C
0043CAFC . 8945 BC mov dword ptr [ebp-44], eax
0043CAFF . 8B45 BC mov eax, dword ptr [ebp-44]
0043CB02 . 50 push eax
0043CB03 . 8B5D E8 mov ebx, dword ptr [ebp-18]
0043CB06 . 85DB test ebx, ebx
0043CB08 . 74 09 je short 0043CB13
0043CB0A . 53 push ebx
0043CB0B . E8 D1AF0100 call 00457AE1
0043CB10 . 83C4 04 add esp, 4
0043CB13 > 58 pop eax
0043CB14 . 8945 E8 mov dword ptr [ebp-18], eax
0043CB17 . 68 02000080 push 80000002
0043CB1C . 6A 00 push 0
0043CB1E . 68 00000000 push 0
0043CB23 . 6A 00 push 0
0043CB25 . 6A 00 push 0
0043CB27 . 6A 00 push 0
0043CB29 . 68 04000080 push 80000004
0043CB2E . 6A 00 push 0
0043CB30 . 8B45 E8 mov eax, dword ptr [ebp-18]
0043CB33 . 85C0 test eax, eax
0043CB35 . 75 05 jnz short 0043CB3C
0043CB37 . B8 623E5100 mov eax, 00513E62
0043CB3C > 50 push eax
0043CB3D . 68 04000080 push 80000004
0043CB42 . 6A 00 push 0
0043CB44 . 8B5D 08 mov ebx, dword ptr [ebp+8]
0043CB47 . 8B03 mov eax, dword ptr [ebx] ; 取 注册码
0043CB49 . 85C0 test eax, eax
0043CB4B . 75 05 jnz short 0043CB52
0043CB4D . B8 623E5100 mov eax, 00513E62
0043CB52 > 50 push eax
0043CB53 . 68 04000000 push 4
0043CB58 . BB 70864500 mov ebx, 00458670
0043CB5D . E8 73AF0100 call 00457AD5 ; 取得字符串在注册码的位数
0043CB62 . 83C4 34 add esp, 34
0043CB65 . 8945 B8 mov dword ptr [ebp-48], eax
0043CB68 . 837D B8 FF cmp dword ptr [ebp-48], -1
0043CB6C . 0F84 03000000 je 0043CB75 ; 关键跳 跳就死
0043CB72 . FF45 F8 inc dword ptr [ebp-8]
0043CB75 > 68 01030080 push 80000301
0043CB7A . 6A 00 push 0
0043CB7C . FF75 F4 push dword ptr [ebp-C]
0043CB7F . 68 01000000 push 1
0043CB84 . BB 20964500 mov ebx, 00459620
0043CB89 . E8 47AF0100 call 00457AD5 ; 再取机器码
0043CB8E . 83C4 10 add esp, 10
0043CB91 . 8945 BC mov dword ptr [ebp-44], eax
0043CB94 . 68 01030080 push 80000301
0043CB99 . 6A 00 push 0
0043CB9B . 68 01000000 push 1
0043CBA0 . 68 01030080 push 80000301
0043CBA5 . 6A 00 push 0
0043CBA7 . 68 02000000 push 2
0043CBAC . 68 04000080 push 80000004
0043CBB1 . 6A 00 push 0
0043CBB3 . 8B45 BC mov eax, dword ptr [ebp-44]
0043CBB6 . 85C0 test eax, eax
0043CBB8 . 75 05 jnz short 0043CBBF
0043CBBA . B8 623E5100 mov eax, 00513E62
0043CBBF > 50 push eax
0043CBC0 . 68 03000000 push 3
0043CBC5 . BB 10844500 mov ebx, 00458410
0043CBCA . E8 06AF0100 call 00457AD5
0043CBCF . 83C4 28 add esp, 28
0043CBD2 . 8945 B8 mov dword ptr [ebp-48], eax
0043CBD5 . 8B5D BC mov ebx, dword ptr [ebp-44]
0043CBD8 . 85DB test ebx, ebx
0043CBDA . 74 09 je short 0043CBE5
0043CBDC . 53 push ebx
0043CBDD . E8 FFAE0100 call 00457AE1
0043CBE2 . 83C4 04 add esp, 4
0043CBE5 > 68 04000080 push 80000004
0043CBEA . 6A 00 push 0
0043CBEC . 8B45 B8 mov eax, dword ptr [ebp-48]
0043CBEF . 85C0 test eax, eax
0043CBF1 . 75 05 jnz short 0043CBF8
0043CBF3 . B8 623E5100 mov eax, 00513E62
0043CBF8 > 50 push eax
0043CBF9 . 68 01000000 push 1
0043CBFE . BB C0894500 mov ebx, 004589C0
0043CC03 . E8 CDAE0100 call 00457AD5
0043CC08 . 83C4 10 add esp, 10
0043CC0B . 8945 B0 mov dword ptr [ebp-50], eax
0043CC0E . 8955 B4 mov dword ptr [ebp-4C], edx
0043CC11 . 8B5D B8 mov ebx, dword ptr [ebp-48]
0043CC14 . 85DB test ebx, ebx
0043CC16 . 74 09 je short 0043CC21
0043CC18 . 53 push ebx
0043CC19 . E8 C3AE0100 call 00457AE1
0043CC1E . 83C4 04 add esp, 4
0043CC21 > DD45 B0 fld qword ptr [ebp-50] ; take the 2nd digit of the machine code
0043CC24 . E8 DC54FCFF call 00402105
0043CC29 . 8945 F0 mov dword ptr [ebp-10], eax
0043CC2C . 6A 01 push 1
0043CC2E . FF75 F0 push dword ptr [ebp-10]
0043CC31 . E8 7E130000 call 0043DFB4
0043CC36 . 8945 BC mov dword ptr [ebp-44], eax ; get the constant 7
0043CC39 . DB45 0C fild dword ptr [ebp+C]
0043CC3C . DD5D B4 fstp qword ptr [ebp-4C]
0043CC3F . DD45 B4 fld qword ptr [ebp-4C] ; constant, hexadecimal 65
0043CC42 . DC05 60405100 fadd qword ptr [514060] ; add 1
0043CC48 . DD5D AC fstp qword ptr [ebp-54]
0043CC4B . DB45 BC fild dword ptr [ebp-44]
0043CC4E . DD5D A4 fstp qword ptr [ebp-5C]
0043CC51 . DD45 A4 fld qword ptr [ebp-5C]
0043CC54 . DB45 F0 fild dword ptr [ebp-10]
0043CC57 . DD5D 9C fstp qword ptr [ebp-64]
0043CC5A . DC4D 9C fmul qword ptr [ebp-64]
0043CC5D . DC4D AC fmul qword ptr [ebp-54]
0043CC60 . DD5D 94 fstp qword ptr [ebp-6C] ; store the product on the stack
0043CC63 . 68 01060080 push 80000601
0043CC68 . FF75 98 push dword ptr [ebp-68]
0043CC6B . FF75 94 push dword ptr [ebp-6C]
0043CC6E . 68 01000000 push 1
0043CC73 . BB 20964500 mov ebx, 00459620
0043CC78 . E8 58AE0100 call 00457AD5 ; convert the result to a decimal string
0043CC7D . 83C4 10 add esp, 10
0043CC80 . 8945 90 mov dword ptr [ebp-70], eax
0043CC83 . 8B45 90 mov eax, dword ptr [ebp-70]
0043CC86 . 50 push eax
0043CC87 . 8B5D E4 mov ebx, dword ptr [ebp-1C]
0043CC8A . 85DB test ebx, ebx
0043CC8C . 74 09 je short 0043CC97
0043CC8E . 53 push ebx
0043CC8F . E8 4DAE0100 call 00457AE1
0043CC94 . 83C4 04 add esp, 4
0043CC97 > 58 pop eax
0043CC98 . 8945 E4 mov dword ptr [ebp-1C], eax
0043CC9B . 68 02000080 push 80000002
0043CCA0 . 6A 00 push 0
0043CCA2 . 68 00000000 push 0
0043CCA7 . 6A 00 push 0
0043CCA9 . 6A 00 push 0
0043CCAB . 6A 00 push 0
0043CCAD . 68 04000080 push 80000004
0043CCB2 . 6A 00 push 0
0043CCB4 . 8B45 E4 mov eax, dword ptr [ebp-1C]
0043CCB7 . 85C0 test eax, eax
0043CCB9 . 75 05 jnz short 0043CCC0
0043CCBB . B8 623E5100 mov eax, 00513E62
0043CCC0 > 50 push eax
0043CCC1 . 68 04000080 push 80000004
0043CCC6 . 6A 00 push 0
0043CCC8 . 8B5D 08 mov ebx, dword ptr [ebp+8]
0043CCCB . 8B03 mov eax, dword ptr [ebx] ; get the registration code
0043CCCD . 85C0 test eax, eax
0043CCCF . 75 05 jnz short 0043CCD6
0043CCD1 . B8 623E5100 mov eax, 00513E62
0043CCD6 > 50 push eax
0043CCD7 . 68 04000000 push 4
0043CCDC . BB 70864500 mov ebx, 00458670
0043CCE1 . E8 EFAD0100 call 00457AD5 ; get the position of the string within the registration code
0043CCE6 . 83C4 34 add esp, 34
0043CCE9 . 8945 B8 mov dword ptr [ebp-48], eax
0043CCEC . 837D B8 FF cmp dword ptr [ebp-48], -1
0043CCF0 . 0F84 03000000 je 0043CCF9 ; key jump: if taken, registration fails
0043CCF6 . FF45 F8 inc dword ptr [ebp-8]
0043CCF9 > 68 01030080 push 80000301
0043CCFE . 6A 00 push 0
0043CD00 . FF75 F4 push dword ptr [ebp-C]
0043CD03 . 68 01000000 push 1
0043CD08 . BB 20964500 mov ebx, 00459620
0043CD0D . E8 C3AD0100 call 00457AD5
0043CD12 . 83C4 10 add esp, 10
0043CD15 . 8945 BC mov dword ptr [ebp-44], eax
0043CD18 . 68 01030080 push 80000301
0043CD1D . 6A 00 push 0
0043CD1F . 68 01000000 push 1
0043CD24 . 68 01030080 push 80000301
0043CD29 . 6A 00 push 0
0043CD2B . 68 03000000 push 3
0043CD30 . 68 04000080 push 80000004
0043CD35 . 6A 00 push 0
0043CD37 . 8B45 BC mov eax, dword ptr [ebp-44]
0043CD3A . 85C0 test eax, eax
0043CD3C . 75 05 jnz short 0043CD43
0043CD3E . B8 623E5100 mov eax, 00513E62
0043CD43 > 50 push eax
0043CD44 . 68 03000000 push 3
0043CD49 . BB 10844500 mov ebx, 00458410
0043CD4E . E8 82AD0100 call 00457AD5
0043CD53 . 83C4 28 add esp, 28
0043CD56 . 8945 B8 mov dword ptr [ebp-48], eax
0043CD59 . 8B5D BC mov ebx, dword ptr [ebp-44]
0043CD5C . 85DB test ebx, ebx
0043CD5E . 74 09 je short 0043CD69
0043CD60 . 53 push ebx
0043CD61 . E8 7BAD0100 call 00457AE1
0043CD66 . 83C4 04 add esp, 4
0043CD69 > 68 04000080 push 80000004
0043CD6E . 6A 00 push 0
0043CD70 . 8B45 B8 mov eax, dword ptr [ebp-48]
0043CD73 . 85C0 test eax, eax
0043CD75 . 75 05 jnz short 0043CD7C
0043CD77 . B8 623E5100 mov eax, 00513E62
0043CD7C > 50 push eax
0043CD7D . 68 01000000 push 1
0043CD82 . BB C0894500 mov ebx, 004589C0
0043CD87 . E8 49AD0100 call 00457AD5
0043CD8C . 83C4 10 add esp, 10
0043CD8F . 8945 B0 mov dword ptr [ebp-50], eax
0043CD92 . 8955 B4 mov dword ptr [ebp-4C], edx
0043CD95 . 8B5D B8 mov ebx, dword ptr [ebp-48]
0043CD98 . 85DB test ebx, ebx
0043CD9A . 74 09 je short 0043CDA5
0043CD9C . 53 push ebx
0043CD9D . E8 3FAD0100 call 00457AE1
0043CDA2 . 83C4 04 add esp, 4
0043CDA5 > DD45 B0 fld qword ptr [ebp-50]
0043CDA8 . E8 5853FCFF call 00402105
0043CDAD . 8945 F0 mov dword ptr [ebp-10], eax
0043CDB0 . 6A 01 push 1
0043CDB2 . FF75 F0 push dword ptr [ebp-10]
0043CDB5 . E8 5C170000 call 0043E516
0043CDBA . 8945 B4 mov dword ptr [ebp-4C], eax
0043CDBD . DB45 B4 fild dword ptr [ebp-4C]
0043CDC0 . DD5D B4 fstp qword ptr [ebp-4C]
0043CDC3 . DD45 B4 fld qword ptr [ebp-4C]
0043CDC6 . DB45 F0 fild dword ptr [ebp-10]
0043CDC9 . DD5D AC fstp qword ptr [ebp-54]
0043CDCC . DC4D AC fmul qword ptr [ebp-54]
0043CDCF . DB45 0C fild dword ptr [ebp+C]
0043CDD2 . DD5D A4 fstp qword ptr [ebp-5C]
0043CDD5 . DC4D A4 fmul qword ptr [ebp-5C]
0043CDD8 . DD5D 9C fstp qword ptr [ebp-64]
0043CDDB . 68 01060080 push 80000601
0043CDE0 . FF75 A0 push dword ptr [ebp-60]
0043CDE3 . FF75 9C push dword ptr [ebp-64]
0043CDE6 . 68 01000000 push 1
0043CDEB . BB 20964500 mov ebx, 00459620
0043CDF0 . E8 E0AC0100 call 00457AD5
0043CDF5 . 83C4 10 add esp, 10
0043CDF8 . 8945 98 mov dword ptr [ebp-68], eax
0043CDFB . 8B45 98 mov eax, dword ptr [ebp-68]
0043CDFE . 50 push eax
0043CDFF . 8B5D E0 mov ebx, dword ptr [ebp-20]
0043CE02 . 85DB test ebx, ebx
0043CE04 . 74 09 je short 0043CE0F
0043CE06 . 53 push &n