QQ第六感V2.0破解分析
本帖最后由 57907103 于 2018-10-23 21:59 编辑这两天整理电脑,翻出了以前的一个软件,拿来练练手,顺便将逆向过程记录了下来,欢迎大家先下软件自己搞,完了再看我的逆向过程
软件下载地址:https://pan.baidu.com/s/16vixk5jQbdGMPUWP2GjhMQ
国际惯例先上图:
QQ第六感V2.0逆向记录:
先安装,完成后用通用脱壳机进行脱壳。
运行主程序出现未注册弹窗,使用F12暂停法回溯找到
0040C0AE .E8 3D020000 call SixthSen.0040C2F0 \\启动弹窗计算CALL
0040C0B3 .3D D8070000 cmp eax,0x7D8 ;//与7D8(十进制2008)比较,不相等就弹出未注册版本窗口
0040C0B8 .74 2D je short SixthSen.0040C0E7 \\启动弹窗判断
跟进CALL0040C2F0发现是下面这句赋值指令影响了CALL后的判断
mov dword ptr ds:,0x7D5
这句上面发现有另外一个赋值指令
mov dword ptr ds:,0x7D8
如果是赋值的7D8那CALL后面的跳转就可跳过弹窗,证明是这个赋值影响的弹窗
右键查找全部命令,粘贴mov dword ptr ds:,0x7D5
找到两处如下:
0040C447 C700 D5070000 mov dword ptr ds:,0x7D5 ;\\第1处,影响启动弹窗(爆破点1)
0040D615 C700 D5070000 mov dword ptr ds:,0x7D5 ;\\第2处,软件启动后的标题栏未注册提示(爆破点2)
将这两处的7D5全部改为7D8,
这样结果去掉了启动的未注册弹窗,且软件启动后标题栏提示已经注册
点击关于注册界面,输入用户名和密码后点注册按钮,下对话框断点后返回程序领空到段首,代码在后面
单步发现:
首先检查用户名和密码是否输入,
然后判断注册码格式:
检查第7位是否为-
检查第16位是否为-
再检查注册码位数是否为24位
注册码格式判断完成后再将用户名进行一系列的计算,算法简单分析了下,可能部分备注不是很正确,详见最后的代码部分(如果哪位大牛能写出注册机欢迎补充)
将用户名的计算结果与正确注册码的计算结果进行比较
相等就mov dword ptr ds:,0x7D8
不相等就mov dword ptr ds:,0x7D5
右键查找命令mov dword ptr ds:,0x7D5
发现只有这1处
直接将7D5改为7D8,实现注册码爆破,
为什么改这里的赋值,而不改外面CALL后的跳转?
因为这个CALL可能有多处调用,所以改关键call的返回值,这样改了所有调用此call验证的地方都爆破了
00401A2C|.C740 5C D5070>mov dword ptr ds:,0x7D5 ;\\直接将7D5改为7D8实现注册码判断爆破(爆破点3)
这3处爆破点改掉后输入注册码时格式没输对还是会提示错误
如果要完美点再将注册码格式判断也爆破掉,如下:
004013BA|>807D C2 2D cmp byte ptr ss:,0x2D ;\\注册码格式判断,检查第7位是否为-,不是就跳,NOP掉
004013C4|.807D CB 2D cmp byte ptr ss:,0x2D ;\\注册码格式判断,检查第16位是否为-,不是就跳,NOP掉
004013CE|.83FE 18 cmp esi,0x18 ;\\判断假码位数是否为24位,不等就跳,NOP掉
改这6处即可实现完美爆破
下面是注册码验证涉及到的代码
===========================================
注册码格式判断:
;-----------------------------------------------------------------------
; 0040130F  "Register" button handler (thiscall, ecx = dialog object)
; Reads the user name (max 32 chars) and the registration code (max 24
; chars) from two controls, requires the code shape XXXXXX-AAAAAAAA-BBBBBBBB
; (dashes at index 6 and 15, length 24), parses the two 8-digit hex groups
; A and B, XORs them with the global dword at 0043A4EC, writes the name
; (REG_SZ) and the two words (REG_BINARY) under an HKLM subkey and into the
; globals 0043A314 / 0043A30C, then sends WM_USER+31 (0x41F) to the window.
; Every failure path ends at 004015C5, which decodes a message string and
; shows it via 0041D17D. The forum paste lost the bracketed operands; the
; [ebp-..] values below are recovered from the opcode bytes on each line.
; Locals: [ebp-0x88] name, [ebp-0x44] code, [ebp-0x28] caption,
;         [ebp-0x18C] subkey, [ebp-0x14]/[ebp-0x10] stored words,
;         [ebp-0xC] name length, [ebp-8] hex accumulator, [ebp-4] hKey,
;         [ebp-0x48] disposition.  ebx = this, esi = code length, edi = 0.
; Review note: the key handle from RegCreateKeyExA is overwritten by
; RegOpenKeyExA (both write [ebp-4]) and only one RegCloseKey follows, so
; the first handle leaks; and the REG_SZ write uses cbData = lstrlen()
; without the terminating NUL.
;-----------------------------------------------------------------------
0040130F/.55 push ebp ;\\ registration handler: format check + storage
00401310|.8BEC mov ebp,esp
00401312|.81EC 8C010000 sub esp,0x18C ;\\ locals, see header
00401318|.53 push ebx
00401319|.56 push esi
0040131A|.57 push edi
0040131B|.8BD9 mov ebx,ecx ;\\ ebx = this
0040131D|.6A 08 push 0x8
0040131F|.33C0 xor eax,eax
00401321|.59 pop ecx ;\\ ecx = 8 dwords
00401322|.8DBD 78FFFFFF lea edi, ;\\ edi = &[ebp-0x88] (user name buffer)
00401328|.F3:AB rep stos dword ptr es: ;\\ zero 32 bytes ...
0040132A|.AA stos byte ptr es: ;\\ ... plus one more (33 = the 0x21 limit below)
0040132B|.6A 06 push 0x6
0040132D|.33C0 xor eax,eax
0040132F|.59 pop ecx ;\\ ecx = 6 dwords
00401330|.8D7D BC lea edi, ;\\ edi = &[ebp-0x44] (registration code buffer)
00401333|.F3:AB rep stos dword ptr es: ;\\ zero 24 bytes
00401335|.8365 F8 00 and ,0x0 ;\\ [ebp-8] = 0 (accumulator for the first hex group)
00401339|.6A 21 push 0x21 ;\\ max length 33 for the name control read below
0040133B|.AA stos byte ptr es: ;\\ 25th zero byte of the code buffer
0040133C|.8D85 78FFFFFF lea eax, ;\\ eax = &name
00401342|.8D8B 5E080000 lea ecx,dword ptr ds: ;\\ ecx = &this->field_0x85E (name control; presumed)
00401348|.50 push eax
00401349|.E8 24D30100 call SixthSen.0041E672 ;\\ 0041E672(buf, 0x21): copies control text into name (GetWindowText-style; body not shown)
0040134E|.8D45 BC lea eax, ;\\ eax = &code
00401351|.6A 19 push 0x19 ;\\ max length 25
00401353|.50 push eax
00401354|.8D8B 22080000 lea ecx,dword ptr ds: ;\\ ecx = &this->field_0x822 (code control; presumed)
0040135A|.E8 13D30100 call SixthSen.0041E672 ;\\ copies control text into code
0040135F|.8B35 CCD24200 mov esi,dword ptr ds:[<&KERNEL32.lstrlen>;\\ esi = lstrlenA
00401365|.8D85 78FFFFFF lea eax, ;\\ eax = &name
0040136B|.50 push eax ; /\\ lstrlenA(name)
0040136C|.FFD6 call esi ; \\\ eax = name length
0040136E|.8945 F4 mov ,eax ;\\ [ebp-0xC] = name length
00401371|.8D45 BC lea eax, ;\\ eax = &code
00401374|.50 push eax ; /\\ lstrlenA(code)
00401375|.FFD6 call esi ; \\\ eax = code length
00401377|.68 38724300 push SixthSen.00437238 ;\\ encoded caption string (analyst saw "8El5hKVUdIf000")
0040137C|.8BF0 mov esi,eax ;\\ esi = code length
0040137E|.E8 8CAA0000 call SixthSen.0040BE0F ;\\ 0040BE0F(encoded) -> eax = decoded string; one cdecl arg, caller pops it
00401383|.59 pop ecx
00401384|.50 push eax ; /\\ src = decoded caption
00401385|.8D45 D8 lea eax, ; |\\ eax = &[ebp-0x28]
00401388|.50 push eax ; |\\ dst = caption buffer
00401389|.FF15 D0D24200 call dword ptr ds:[<&KERNEL32.lstrcpy>]; \lstrcpyA(caption, decoded)
0040138F|.33FF xor edi,edi ;\\ edi = 0 for the rest of the function
00401391|.397D F4 cmp ,edi ;\\ name length == 0 ?
00401394|.75 10 jnz short SixthSen.004013A6 ;\\ non-empty: check the code next
00401396|.8D45 D8 lea eax,
00401399|.6A 40 push 0x40 ;\\ message box type
0040139B|.50 push eax ;\\ caption
0040139C|.68 00724300 push SixthSen.00437200 ;\\ encoded message for the empty-name case
004013A1|.E9 1F020000 jmp SixthSen.004015C5 ;\\ -> decode + message box
004013A6|>3BF7 cmp esi,edi ;\\ code length == 0 ?
004013A8|.75 10 jnz short SixthSen.004013BA
004013AA|.8D45 D8 lea eax,
004013AD|.6A 40 push 0x40
004013AF|.50 push eax
004013B0|.68 D4714300 push SixthSen.004371D4 ;\\ encoded message for the empty-code case
004013B5|.E9 0B020000 jmp SixthSen.004015C5
004013BA|>807D C2 2D cmp byte ptr ss:,0x2D ;\\ code[6] == '-' ?  ([ebp-0x3E] = code + 6)
004013BE|.0F85 F6010000 jnz SixthSen.004015BA ;\\ otherwise: format error message
004013C4|.807D CB 2D cmp byte ptr ss:,0x2D ;\\ code[15] == '-' ?  ([ebp-0x35] = code + 15)
004013C8|.0F85 EC010000 jnz SixthSen.004015BA
004013CE|.83FE 18 cmp esi,0x18 ;\\ total length must be 24 (6 + '-' + 8 + '-' + 8)
004013D1|.0F85 E3010000 jnz SixthSen.004015BA
004013D7|.E8 BA780200 call SixthSen.00428C96 ;\\ returns an object; its [eax+4] becomes ecx for the next call
004013DC|.8B48 04 mov ecx,dword ptr ds: ;\\ ecx = [eax+4]
004013DF|.E8 79D60100 call SixthSen.0041EA5D ;\\ paired with 0041EA72 after the Sleep (begin/end of a UI state; not verified)
004013E4|.68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004013E9|.FF15 7CD24200 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep — 1 s delay, no effect on the result
004013EF|.E8 A2780200 call SixthSen.00428C96
004013F4|.8B48 04 mov ecx,dword ptr ds:
004013F7|.E8 76D60100 call SixthSen.0041EA72
004013FC|.33C9 xor ecx,ecx ;\\ ecx = digit index 0..7
004013FE|>0FBE440D C3 /movsx eax,byte ptr ss: ;\\ eax = code[7 + ecx]  ([ebp+ecx-0x3D]); first hex group
00401403|.83F8 39 |cmp eax,0x39 ;\\ '0'..'9' ?
00401406|.77 0A |ja short SixthSen.00401412
00401408|.83F8 30 |cmp eax,0x30
0040140B|.72 05 |jb short SixthSen.00401412
0040140D|.83C0 D0 |add eax,-0x30 ;\\ '0'..'9' -> 0..9
00401410|.EB 24 |jmp short SixthSen.00401436
00401412|>83F8 61 |cmp eax,0x61 ;\\ 'a'..'f' ?
00401415|.72 0A |jb short SixthSen.00401421
00401417|.83F8 66 |cmp eax,0x66
0040141A|.77 05 |ja short SixthSen.00401421
0040141C|.83C0 A9 |add eax,-0x57 ;\\ 'a'..'f' -> 10..15
0040141F|.EB 15 |jmp short SixthSen.00401436
00401421|>83F8 41 |cmp eax,0x41 ;\\ 'A'..'F' ?
00401424|.0F82 BF000000 |jb SixthSen.004014E9 ;\\ not a hex digit: invalid-code message
0040142A|.83F8 46 |cmp eax,0x46
0040142D|.0F87 B6000000 |ja SixthSen.004014E9
00401433|.83C0 C9 |add eax,-0x37 ;\\ 'A'..'F' -> 10..15
00401436|>8B55 F8 |mov edx, ;\\ edx = [ebp-8] (accumulator)
00401439|.C1E2 04 |shl edx,0x4 ;\\ acc = acc * 16 + digit
0040143C|.03D0 |add edx,eax
0040143E|.41 |inc ecx
0040143F|.83F9 08 |cmp ecx,0x8 ;\\ 8 digits
00401442|.8955 F8 |mov ,edx ;\\ [ebp-8] = acc
00401445|.^ 72 B7 \jb short SixthSen.004013FE
00401447|.8BF2 mov esi,edx ;\\ esi = A = value of code[7..14]
00401449|.33D2 xor edx,edx ;\\ edx = accumulator for the second group (kept in a register)
0040144B|.33C9 xor ecx,ecx ;\\ ecx = digit index 0..7
0040144D|>0FBE440D CC /movsx eax,byte ptr ss: ;\\ eax = code[16 + ecx]  ([ebp+ecx-0x34]); second hex group
00401452|.83F8 39 |cmp eax,0x39 ;\\ '0'..'9' ?
00401455|.77 0A |ja short SixthSen.00401461
00401457|.83F8 30 |cmp eax,0x30
0040145A|.72 05 |jb short SixthSen.00401461
0040145C|.83C0 D0 |add eax,-0x30 ;\\ '0'..'9' -> 0..9
0040145F|.EB 1C |jmp short SixthSen.0040147D
00401461|>83F8 61 |cmp eax,0x61 ;\\ 'a'..'f' ?
00401464|.72 0A |jb short SixthSen.00401470
00401466|.83F8 66 |cmp eax,0x66
00401469|.77 05 |ja short SixthSen.00401470
0040146B|.83C0 A9 |add eax,-0x57 ;\\ 'a'..'f' -> 10..15
0040146E|.EB 0D |jmp short SixthSen.0040147D
00401470|>83F8 41 |cmp eax,0x41 ;\\ 'A'..'F' ?
00401473|.72 74 |jb short SixthSen.004014E9 ;\\ not a hex digit: invalid-code message
00401475|.83F8 46 |cmp eax,0x46
00401478|.77 6F |ja short SixthSen.004014E9
0040147A|.83C0 C9 |add eax,-0x37 ;\\ 'A'..'F' -> 10..15
0040147D|>C1E2 04 |shl edx,0x4 ;\\ acc = acc * 16 + digit
00401480|.03D0 |add edx,eax
00401482|.41 |inc ecx
00401483|.83F9 08 |cmp ecx,0x8 ;\\ 8 digits
00401486|.^ 72 C5 \jb short SixthSen.0040144D
00401488|.A1 ECA44300 mov eax,dword ptr ds: ;\\ eax = global dword at 0043A4EC (also read at 00401A00)
0040148D|.68 9C714300 push SixthSen.0043719C ;\\ encoded registry subkey string
00401492|.33C6 xor eax,esi ;\\ eax = global ^ A  (A = first hex group, not the last one)
00401494|.8945 EC mov ,eax ;\\ [ebp-0x14] = global ^ A
00401497|.33C2 xor eax,edx ;\\ eax = global ^ A ^ B  (B = second hex group in edx)
00401499|.8945 F0 mov ,eax ;\\ [ebp-0x10] = global ^ A ^ B
0040149C|.E8 6EA90000 call SixthSen.0040BE0F ;\\ decode the subkey string
004014A1|.50 push eax ;\\ src = decoded subkey
004014A2|.8D85 74FEFFFF lea eax, ;\\ eax = &[ebp-0x18C] (subkey buffer)
004014A8|.50 push eax ;\\ dst
004014A9|.E8 42D00000 call SixthSen.0040E4F0 ;\\ 0040E4F0(dst, src): string copy (body not shown)
004014AE|.83C4 0C add esp,0xC ;\\ pops encoded ptr, decoded ptr, buffer ptr
004014B1|.8D45 B8 lea eax, ;\\ eax = &[ebp-0x48] (disposition out-param)
004014B4|.BE 02000080 mov esi,0x80000002 ;\\ esi = HKEY_LOCAL_MACHINE (write needs admin rights)
004014B9|.50 push eax ; /pDisposition = &[ebp-0x48]
004014BA|.8D45 FC lea eax, ; |\\ eax = &[ebp-4] (hKey)
004014BD|.50 push eax ; |pHandle = &[ebp-4]
004014BE|.57 push edi ; |pSecurity = NULL
004014BF|.68 3F000F00 push 0xF003F ; |Access = KEY_ALL_ACCESS
004014C4|.57 push edi ; |Options = 0
004014C5|.57 push edi ; |Class = NULL
004014C6|.8D85 74FEFFFF lea eax, ; |\\ eax = &subkey
004014CC|.57 push edi ; |Reserved = 0
004014CD|.50 push eax ; |Subkey = decoded string
004014CE|.56 push esi ; |hKey = HKLM
004014CF|.FF15 08D04200 call dword ptr ds:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
004014D5|.85C0 test eax,eax ;\\ ERROR_SUCCESS ?
004014D7|.74 20 je short SixthSen.004014F9
004014D9|.8D45 D8 lea eax,
004014DC|.6A 40 push 0x40
004014DE|.50 push eax
004014DF|.68 84714300 push SixthSen.00437184 ;\\ encoded message: key creation failed
004014E4|.E9 DC000000 jmp SixthSen.004015C5
004014E9|>8D45 D8 lea eax, ;\\ non-hex character in the code
004014EC|.6A 40 push 0x40
004014EE|.50 push eax
004014EF|.68 6C714300 push SixthSen.0043716C ;\\ encoded message: invalid code
004014F4|.E9 CC000000 jmp SixthSen.004015C5
004014F9|>8D45 FC lea eax, ;\\ eax = &[ebp-4]; the handle just created is overwritten here and never closed
004014FC|.50 push eax ; /pHandle = &[ebp-4]
004014FD|.68 06000200 push 0x20006 ; |Access = KEY_WRITE
00401502|.8D85 74FEFFFF lea eax, ; |\\ eax = &subkey
00401508|.57 push edi ; |Reserved = 0
00401509|.50 push eax ; |Subkey = decoded string
0040150A|.56 push esi ; |hKey = HKLM
0040150B|.FF15 04D04200 call dword ptr ds:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401511|.85C0 test eax,eax ;\\ ERROR_SUCCESS ?
00401513|.74 10 je short SixthSen.00401525
00401515|.8D45 D8 lea eax,
00401518|.6A 40 push 0x40
0040151A|.50 push eax
0040151B|.68 50714300 push SixthSen.00437150 ;\\ encoded message: key open failed
00401520|.E9 A0000000 jmp SixthSen.004015C5
00401525|>FF75 F4 push ; /cbData = name length ([ebp-0xC]); no +1, so the NUL is not stored
00401528|.8D85 78FFFFFF lea eax, ; |\\ eax = &name
0040152E|.50 push eax ; |lpData = name
0040152F|.6A 01 push 0x1 ; |Type = REG_SZ
00401531|.57 push edi ; |Reserved = 0
00401532|.68 44714300 push SixthSen.00437144 ; |\\ encoded value name (string 1)
00401537|.E8 D3A80000 call SixthSen.0040BE0F ; |\\ decode it
0040153C|.8B35 14D04200 mov esi,dword ptr ds:[<&ADVAPI32.RegSetV>; |\\ esi = RegSetValueExA
00401542|.59 pop ecx ; |\\ drop the encoded pointer
00401543|.50 push eax ; |ValueName = decoded
00401544|.FF75 FC push ; |hKey = [ebp-4]
00401547|.FFD6 call esi ; \RegSetValueExA(hKey, name1, 0, REG_SZ, name, len)
00401549|.85C0 test eax,eax ;\\ ERROR_SUCCESS ?
0040154B|.75 29 jnz short SixthSen.00401576 ;\\ failure: write-error message
0040154D|.8D45 EC lea eax, ;\\ eax = &[ebp-0x14] (the two XORed words, 8 bytes)
00401550|.6A 08 push 0x8 ; /cbData = 8
00401552|.50 push eax ; |lpData = &[ebp-0x14]
00401553|.6A 03 push 0x3 ; |Type = REG_BINARY
00401555|.57 push edi ; |Reserved = 0
00401556|.68 38714300 push SixthSen.00437138 ; |\\ encoded value name (string 2)
0040155B|.E8 AFA80000 call SixthSen.0040BE0F ; |\\ decode it
00401560|.59 pop ecx ; |\\ drop the encoded pointer
00401561|.50 push eax ; |ValueName = decoded
00401562|.FF75 FC push ; |hKey = [ebp-4]
00401565|.FFD6 call esi ; \RegSetValueExA(hKey, name2, 0, REG_BINARY, words, 8)
00401567|.FF75 FC push ; /hKey = [ebp-4]
0040156A|.8BF0 mov esi,eax ; |\\ esi = status of the second write
0040156C|.FF15 00D04200 call dword ptr ds:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401572|.3BF7 cmp esi,edi ;\\ second write succeeded ?
00401574|.74 0D je short SixthSen.00401583
00401576|>8D45 D8 lea eax, ;\\ registry write failed
00401579|.6A 40 push 0x40
0040157B|.50 push eax
0040157C|.68 18714300 push SixthSen.00437118 ;\\ encoded message: write failed
00401581|.EB 42 jmp short SixthSen.004015C5
00401583|>8D85 78FFFFFF lea eax, ;\\ success path: publish name and words to globals
00401589|.50 push eax ; /String2 = name
0040158A|.68 14A34300 push SixthSen.0043A314 ; |String1 = global name buffer (read by 004018EC)
0040158F|.FF15 D0D24200 call dword ptr ds:[<&KERNEL32.lstrcpy>]; \lstrcpyA
00401595|.8D45 EC lea eax, ;\\ eax = &[ebp-0x14]
00401598|.6A 08 push 0x8 ;\\ 8 bytes
0040159A|.50 push eax ;\\ src
0040159B|.68 0CA34300 push SixthSen.0043A30C ;\\ dst = globals 0043A30C / 0043A310
004015A0|.E8 0BCC0000 call SixthSen.0040E1B0 ;\\ 0040E1B0(dst, src, 8): memory copy (body not shown)
004015A5|.83C4 0C add esp,0xC
004015A8|.57 push edi ; /lParam = 0
004015A9|.57 push edi ; |wParam = 0
004015AA|.68 1F040000 push 0x41F ; |Message = WM_USER+31
004015AF|.FF73 1C push dword ptr ds: ; |hWnd = this->field_0x1C
004015B2|.FF15 ECD44200 call dword ptr ds:[<&USER32.SendMessageA>; \SendMessageA — the handler is expected to run the check at 004018DE
004015B8|.EB 19 jmp short SixthSen.004015D3 ;\\ done
004015BA|>8D45 D8 lea eax, ;\\ format error (dash positions / length)
004015BD|.6A 40 push 0x40
004015BF|.50 push eax
004015C0|.68 E0704300 push SixthSen.004370E0 ;\\ encoded message: wrong code format
004015C5|>E8 45A80000 call SixthSen.0040BE0F ;\\ common error exit: decode the message pushed by the caller
004015CA|.59 pop ecx
004015CB|.50 push eax ;\\ text
004015CC|.8BCB mov ecx,ebx ;\\ this
004015CE|.E8 AABB0100 call SixthSen.0041D17D ;\\ 0041D17D(text, caption, 0x40): message box on this window (not verified)
004015D3|>5F pop edi
004015D4|.5E pop esi
004015D5|.5B pop ebx
004015D6|.C9 leave
004015D7\.C3 retn
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
注册码正确性判断:
;-----------------------------------------------------------------------
; 004018DE  Registration check (thiscall; [ebp-4] = this)
; Copies the global user name (0043A314) into a 64-byte local, derives two
; 32-bit words from it (length-dependent padding, position-weighted sums,
; eight mixing rounds through 0040C454 with the table ending at 00438688)
; and compares them with the two words recovered from the globals at
; 0043A30C / 0043A310 (XORed with 0043A4EC, undoing 00401492/00401497).
; Stores 0x7D8 (match) or 0x7D5 (mismatch) into this->field_0x5C and
; returns that field in eax; 0x7D8 is the same constant startup tests
; at 0040C0B3.
; Locals: [ebp-0x4C] name copy (0x40 bytes), [ebp-0xC] index / round
; counter, [ebp-8] = -1 (previous-byte offset), [ebp-4] this.
; Review note: the verdict is a plain integer in a writable object field
; decided entirely client-side from data the program itself stored; no
; part of it is signed or machine-bound, so the rest of the program cannot
; treat the field as trustworthy.
;-----------------------------------------------------------------------
004018DE/$55 push ebp ;\\ registration-check entry
004018DF|.8BEC mov ebp,esp
004018E1|.83EC 4C sub esp,0x4C ;\\ locals, see header
004018E4|.53 push ebx
004018E5|.56 push esi
004018E6|.57 push edi
004018E7|.6A 40 push 0x40 ;\\ 64 bytes
004018E9|.8D45 B4 lea eax, ;\\ eax = &[ebp-0x4C] (local name copy)
004018EC|.68 14A34300 push SixthSen.0043A314 ;\\ global name set at 0040158F (debugger showed the analyst's test name "aaaaaaaaaaaaa")
004018F1|.894D FC mov ,ecx ;\\ [ebp-4] = this
004018F4|.50 push eax
004018F5|.E8 B6C80000 call SixthSen.0040E1B0 ;\\ 0040E1B0(dst, src, 0x40): copy the name into the local (body not shown)
004018FA|.8B3D CCD24200 mov edi,dword ptr ds:[<&KERNEL32.lstrlen>;\\ edi = lstrlenA
00401900|.83C4 0C add esp,0xC
00401903|.8D45 B4 lea eax, ;\\ eax = &name
00401906|.50 push eax ; /\\ lstrlenA(name)
00401907|.FFD7 call edi ; \\\ eax = name length
00401909|.8BF0 mov esi,eax ;\\ esi = name length
0040190B|.83FE 14 cmp esi,0x14 ;\\ length < 20 ?  (jb is strictly below, not "<=")
0040190E|.72 1C jb short SixthSen.0040192C ;\\ short names take the padding path
00401910|.C1E6 10 shl esi,0x10 ;\\ long names: eax = length << 16 stands in for the 00401A3E result
00401913|.6A 01 push 0x1
00401915|.8BC6 mov eax,esi
00401917|.33C9 xor ecx,ecx ;\\ ecx = weighted sum
00401919|.5A pop edx ;\\ edx = 1 (name[0] is never included)
0040191A|>0FBE7415 B4 /movsx esi,byte ptr ss: ;\\ esi = name[edx]  ([ebp+edx-0x4C])
0040191F|.0FAFF2 |imul esi,edx ;\\ weighted by position
00401922|.03CE |add ecx,esi ;\\ ecx += name[edx] * edx
00401924|.42 |inc edx
00401925|.83FA 20 |cmp edx,0x20 ;\\ positions 1..31
00401928|.^ 72 F0 \jb short SixthSen.0040191A
0040192A|.EB 7C jmp short SixthSen.004019A8 ;\\ join the common tail
0040192C|>8D45 B4 lea eax, ;\\ short-name path
0040192F|.8975 F4 mov ,esi ;\\ [ebp-0xC] = length (becomes the write index i)
00401932|.50 push eax
00401933|.FFD7 call edi ;\\ lstrlenA(name) again, same value
00401935|.6A 20 push 0x20
00401937|.48 dec eax ;\\ eax = length - 1
00401938|.59 pop ecx ;\\ ecx = 32
00401939|.3BC1 cmp eax,ecx ;\\ unsigned length-1 >= 32 ?  only true here for an empty name (eax = 0xFFFFFFFF)
0040193B|.73 32 jnb short SixthSen.0040196F ;\\ empty name: no padding
0040193D|.8945 F8 mov ,eax ;\\ [ebp-8] = length - 1
00401940|.2975 F8 sub ,esi ;\\ [ebp-8] = -1 (offset to the previous byte)
00401943|.2BC8 sub ecx,eax ;\\ ecx = 33 - length = padding bytes to write (indices length..32)
00401945|>8B5D F4 /mov ebx, ;\\ ebx = i
00401948|.8B45 F8 |mov eax, ;\\ eax = -1
0040194B|.33D2 |xor edx,edx ;\\ edx = 0 for the unsigned div
0040194D|.8D7C1D B4 |lea edi,dword ptr ss: ;\\ edi = &name[i]  ([ebp+ebx-0x4C])
00401951|.0FBE0438 |movsx eax,byte ptr ds: ;\\ eax = name[i-1], sign-extended  ([eax+edi])
00401955|.F7F3 |div ebx ;\\ eax = name[i-1] / i (unsigned; a negative byte is a huge dividend here)
00401957|.8B55 F8 |mov edx, ;\\ edx = -1
0040195A|.0FBE143A |movsx edx,byte ptr ds: ;\\ edx = name[i-1] again
0040195E|.8BD8 |mov ebx,eax ;\\ ebx = quotient
00401960|.8A45 F4 |mov al,byte ptr ss: ;\\ al = low byte of i
00401963|.F6EA |imul dl ;\\ ax = i * name[i-1] (signed 8x8)
00401965|.02D8 |add bl,al ;\\ bl = (quotient + i*name[i-1]) & 0xFF
00401967|.FF45 F4 |inc ;\\ i++
0040196A|.49 |dec ecx
0040196B|.881F |mov byte ptr ds:,bl ;\\ name[i] = padding byte
0040196D|.^ 75 D6 \jnz short SixthSen.00401945 ;\\ until name[length..32] are written
0040196F|>33C9 xor ecx,ecx ;\\ ecx = byte sum
00401971|.33C0 xor eax,eax ;\\ eax = index
00401973|.85F6 test esi,esi ;\\ empty name ?
00401975|.76 0C jbe short SixthSen.00401983 ;\\ (after test, jbe fires only on zero)
00401977|>0FBE5405 B4 /movsx edx,byte ptr ss: ;\\ edx = name[eax]  ([ebp+eax-0x4C])
0040197C|.03CA |add ecx,edx ;\\ ecx = sum of the original name bytes
0040197E|.40 |inc eax
0040197F|.3BC6 |cmp eax,esi
00401981|.^ 72 F4 \jb short SixthSen.00401977
00401983|>6A 08 push 0x8
00401985|.51 push ecx ;\\ byte sum
00401986|.8B4D FC mov ecx, ;\\ ecx = this
00401989|.E8 B0000000 call SixthSen.00401A3E ;\\ eax = 00401A3E(sum, 8); body not in this listing
0040198E|.6A 01 push 0x1
00401990|.05 00002000 add eax,0x200000 ;\\ eax += 0x200000
00401995|.33C9 xor ecx,ecx ;\\ ecx = weighted sum
00401997|.5A pop edx ;\\ edx = 1
00401998|>0FBE7415 B4 /movsx esi,byte ptr ss: ;\\ esi = name[edx], now including the padding bytes
0040199D|.0FAFF2 |imul esi,edx ;\\ weighted by position
004019A0|.03CE |add ecx,esi ;\\ ecx += name[edx] * edx
004019A2|.42 |inc edx
004019A3|.83FA 20 |cmp edx,0x20 ;\\ positions 1..31
004019A6|.^ 72 F0 \jb short SixthSen.00401998
004019A8|>F7D1 not ecx ;\\ common tail: ecx = ~weighted sum
004019AA|.81E1 FFFF0000 and ecx,0xFFFF ;\\ keep the low 16 bits
004019B0|.BF AFB8AF8B mov edi,0x8BAFB8AF ;\\ edi = initial right half (constant)
004019B5|.03C1 add eax,ecx ;\\ eax += ecx
004019B7|.BB 88864300 mov ebx,SixthSen.00438688 ;\\ ebx = first table word; the loop walks downward 4 bytes per step
004019BC|.C745 F4 08000>mov ,0x8 ;\\ [ebp-0xC] = 8 rounds
004019C3|.8DB0 47434320 lea esi,dword ptr ds: ;\\ esi = eax + 0x20434347 (initial left half)
004019C9|>8BC7 /mov eax,edi
004019CB|.8B4D FC |mov ecx, ;\\ ecx = this for 0040C454
004019CE|.83E0 1F |and eax,0x1F ;\\ arg2 = edi & 0x1F (a 0..31 count; 0040C454 not shown)
004019D1|.50 |push eax
004019D2|.8BC7 |mov eax,edi
004019D4|.33C6 |xor eax,esi ;\\ arg1 = edi ^ esi
004019D6|.50 |push eax
004019D7|.E8 78AA0000 |call SixthSen.0040C454 ;\\ eax = 0040C454(edi ^ esi, edi & 0x1F)
004019DC|.8BF0 |mov esi,eax
004019DE|.8B4D FC |mov ecx, ;\\ ecx = this
004019E1|.0333 |add esi,dword ptr ds: ;\\ esi += [ebx]
004019E3|.83EB 04 |sub ebx,0x4 ;\\ next table word
004019E6|.8BC6 |mov eax,esi
004019E8|.33FE |xor edi,esi ;\\ edi ^= esi
004019EA|.83E0 1F |and eax,0x1F ;\\ arg2 = esi & 0x1F
004019ED|.50 |push eax
004019EE|.57 |push edi ;\\ arg1 = edi
004019EF|.E8 60AA0000 |call SixthSen.0040C454 ;\\ eax = 0040C454(edi, esi & 0x1F)
004019F4|.8BF8 |mov edi,eax
004019F6|.033B |add edi,dword ptr ds: ;\\ edi += [ebx]
004019F8|.83EB 04 |sub ebx,0x4 ;\\ next table word
004019FB|.FF4D F4 |dec ;\\ rounds--
004019FE|.^ 75 C9 \jnz short SixthSen.004019C9 ;\\ 8 rounds = 16 table words consumed
00401A00|.8B0D ECA44300 mov ecx,dword ptr ds: ;\\ ecx = global 0043A4EC
00401A06|.A1 0CA34300 mov eax,dword ptr ds: ;\\ eax = [0043A30C] = global ^ A (stored by 00401494/004015A0)
00401A0B|.33C8 xor ecx,eax ;\\ ecx = A (first hex group of the entered code)
00401A0D|.3BF1 cmp esi,ecx ;\\ derived word 1 must equal A
00401A0F|.75 18 jnz short SixthSen.00401A29 ;\\ mismatch -> 0x7D5
00401A11|.8B0D 10A34300 mov ecx,dword ptr ds: ;\\ ecx = [0043A310] = global ^ A ^ B
00401A17|.33C8 xor ecx,eax ;\\ ecx = B (second hex group)
00401A19|.3BF9 cmp edi,ecx ;\\ derived word 2 must equal B
00401A1B|.75 0C jnz short SixthSen.00401A29 ;\\ mismatch -> 0x7D5
00401A1D|.8B45 FC mov eax, ;\\ eax = this
00401A20|.C740 5C D8070>mov dword ptr ds:,0x7D8 ;\\ this->field_0x5C = 0x7D8 ("registered" marker)
00401A27|.EB 0A jmp short SixthSen.00401A33
00401A29|>8B45 FC mov eax, ;\\ eax = this
00401A2C C740 5C D5070>mov dword ptr ds:,0x7D5 ;\\ this->field_0x5C = 0x7D5 ("unregistered" marker)
00401A33|>8B45 FC mov eax, ;\\ eax = this
00401A36|.5F pop edi
00401A37|.5E pop esi
00401A38|.5B pop ebx
00401A39|.8B40 5C mov eax,dword ptr ds: ;\\ return this->field_0x5C
00401A3C|.C9 leave
00401A3D\.C3 retn