【Title】: 飘雪Flash播放器 V3.1 (Part 2)
【Keywords】: playback, Flash, player, Flash, V3
【Source】: Internet

飘雪Flash播放器 V3.1 (Part 2)

:004C9EB5 53 push ebx
:004C9EB6 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6

:004C9EB9 E842ABF3FF call 00404A00
====> get the length of the string above

:004C9EBE 8BD8 mov ebx, eax
====>EBX=40

:004C9EC0 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F

:004C9EC3 E838ABF3FF call 00404A00
====> get the length of the string above

:004C9EC8 2BD8 sub ebx, eax
====>EBX=40 - 1F=21(H)=33(D)

:004C9ECA 53 push ebx
:004C9ECB 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F

:004C9ECE E82DABF3FF call 00404A00
====> get the length of the string above again (sigh, so many times)

:004C9ED3 8BC8 mov ecx, eax
====>ECX=1F(H)=31(D)

:004C9ED5 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6

:004C9ED8 5A pop edx
:004C9ED9 E882ADF3FF call 00404C60
====> take 31 characters of the string above, starting at position 33
====> 413D3F3C282F3FCC473025140C0163E  this is the registration code

:004C9EDE 33C0 xor eax, eax
:004C9EE0 5A pop edx
:004C9EE1 59 pop ecx
:004C9EE2 59 pop ecx
:004C9EE3 648910 mov dword ptr fs:[eax], edx
:004C9EE6 68009F4C00 push 004C9F00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9EFE(U)
|
:004C9EEB 8D45E8 lea eax, dword ptr [ebp-18]
:004C9EEE BA06000000 mov edx, 00000006
:004C9EF3 E86CA8F3FF call 00404764
:004C9EF8 C3 ret

—————————————————————————————————
Stepping into 004C9E85 call 004C26A0
The calls to 004C26A0 at 4C9C9F and 4C9EB0 follow the same computation, so their data is not recorded in detail.

:004C26A0 55 push ebp
:004C26A1 8BEC mov ebp, esp
:004C26A3 83C4DC add esp, FFFFFFDC
:004C26A6 53 push ebx
:004C26A7 56 push esi
:004C26A8 57 push edi
...............
.........

:004C26E9 8D45F8 lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"Snowsky781026"
|
:004C26EC BAD4274C00 mov edx, 004C27D4
:004C26F1 E8E220F4FF call 004047D8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C26E7(C)
|
:004C26F6 33F6 xor esi, esi
:004C26F8 BB08000000 mov ebx, 00000008
====> EBX=8, the initial value

:004C26FD 8D45EC lea eax, dword ptr [ebp-14]
:004C2700 50 push eax
:004C2701 895DE0 mov dword ptr [ebp-20], ebx
:004C2704 C645E400 mov [ebp-1C], 00
:004C2708 8D55E0 lea edx, dword ptr [ebp-20]
:004C270B 33C9 xor ecx, ecx

* Possible StringData Ref from Code Obj ->"%1.2x"
|
:004C270D B8EC274C00 mov eax, 004C27EC
:004C2712 E8A576F4FF call 00409DBC
:004C2717 8B45FC mov eax, dword ptr [ebp-04]
:004C271A E8E122F4FF call 00404A00
:004C271F 8BF8 mov edi, eax
:004C2721 85FF test edi, edi
:004C2723 7E60 jle 004C2785
:004C2725 C745E801000000 mov [ebp-18], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2783(C)
|
:004C272C 8B45FC mov eax, dword ptr [ebp-04]
====> EAX=E12561A3DC225AA7CB125C9DDC11789, the authentication code

:004C272F 8B55E8 mov edx, dword ptr [ebp-18]
====> EDX=[ebp-18], the loop counter

:004C2732 0FB64410FF movzx eax, byte ptr [eax+edx-01]
====> take the hex (ASCII) value of each character of E12561A3DC225AA7CB125C9DDC11789 in turn

:004C2737 03C3 add eax, ebx
1、 ====>EAX=45 + 08=4D
2、 ====>EAX=31 + 7C=AD
3、 ====>EAX=32 + 94=C6
4、 ====>EAX=35 + F1=126
…… …… (omitted) …… ……
31、 ====>EAX=39 + 84=BD


:004C2739 B9FF000000 mov ecx, 000000FF
====>ECX=FF

:004C273E 99 cdq
:004C273F F7F9 idiv ecx
1、 ====>EDX=4D % FF=4D
2、 ====>EDX=AD % FF=AD
3、 ====>EDX=C6 % FF=C6
4、 ====>EDX=126 % FF=27
…… …… (omitted) …… ……
31、 ====>EDX=BD % FF=BD

:004C2741 8BDA mov ebx, edx
:004C2743 3B75F0 cmp esi, dword ptr [ebp-10]
====> check whether all 4 characters have been used

:004C2746 7D03 jge 004C274B
====> once all 4 have been used, jump down; i.e. the 1978 below is reused cyclically

:004C2748 46 inc esi
:004C2749 EB05 jmp 004C2750

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2746(C)
|
:004C274B BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2749(U)
|
:004C2750 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=1978

:004C2753 0FB64430FF movzx eax, byte ptr [eax+esi-01]
====> take the hex value of each character of 1978 in turn, cycling

:004C2758 33D8 xor ebx, eax
1、 ====>EBX=4D XOR 31=7C
2、 ====>EBX=AD XOR 39=94
3、 ====>EBX=C6 XOR 37=F1
4、 ====>EBX=27 XOR 38=1F
…… …… (omitted) …… ……
31、 ====>EBX=BD XOR 37=8A

:004C275A 8D45DC lea eax, dword ptr [ebp-24]
:004C275D 50 push eax
:004C275E 895DE0 mov dword ptr [ebp-20], ebx
:004C2761 C645E400 mov [ebp-1C], 00
:004C2765 8D55E0 lea edx, dword ptr [ebp-20]
:004C2768 33C9 xor ecx, ecx

* Possible StringData Ref from Code Obj ->"%1.2x"
|
:004C276A B8EC274C00 mov eax, 004C27EC
:004C276F E84876F4FF call 00409DBC
:004C2774 8B55DC mov edx, dword ptr [ebp-24]
:004C2777 8D45EC lea eax, dword ptr [ebp-14]
:004C277A E88922F4FF call 00404A08
====> save the result

:004C277F FF45E8 inc [ebp-18]
====> [ebp-18] is incremented by 1 each time; the counter

:004C2782 4F dec edi
====> EDI is decremented by 1 each time

:004C2783 75A7 jne 004C272C
====> loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2723(C)
|
:004C2785 8B45F4 mov eax, dword ptr [ebp-0C]
:004C2788 8B55EC mov edx, dword ptr [ebp-14]
====> EDX = the result computed by the loop above
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
The value in memory is the computed result; the leading 2 characters, 08, should be a fixed value

00DA2E50 30 38 37 43 39 34 46 31 31 46 36 34 41 43 44 41 087C94F11F64ACDA
00DA2E60 33 36 34 42 42 37 44 45 32 39 36 46 38 39 46 44 364BB7DE296F89FD
00DA2E70 30 44 36 31 39 41 46 43 31 37 37 44 46 39 30 34 0D619AFC177DF904
00DA2E80 37 30 38 35 46 31 31 34 37 44 38 35 38 34 38 41 7085F1147D85848A
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:004C278B E80420F4FF call 00404794
:004C2790 33C0 xor eax, eax
:004C2792 5A pop edx
:004C2793 59 pop ecx
:004C2794 59 pop ecx
:004C2795 648910 mov dword ptr fs:[eax], edx
:004C2798 68C2274C00 push 004C27C2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C27C0(U)
|
:004C279D 8D45DC lea eax, dword ptr [ebp-24]
:004C27A0 E89B1FF4FF call 00404740
:004C27A5 8D45EC lea eax, dword ptr [ebp-14]
:004C27A8 E8931FF4FF call 00404740
:004C27AD 8D45F8 lea eax, dword ptr [ebp-08]
:004C27B0 BA02000000 mov edx, 00000002
:004C27B5 E8AA1FF4FF call 00404764
:004C27BA C3 ret
—————————————————————————————————
Below is the comparison part intercepted during registration:

:004BE887 8BD8 mov ebx, eax
:004BE889 33C0 xor eax, eax
:004BE88B 55 push ebp
:004BE88C 68C2E94B00 push 004BE9C2
:004BE891 64FF30 push dword ptr fs:[eax]
:004BE894 648920 mov dword ptr fs:[eax], esp
:004BE897 A1A0E04C00 mov eax, dword ptr [004CE0A0]
:004BE89C 8B00 mov eax, dword ptr [eax]
:004BE89E 80B89804000000 cmp byte ptr [eax+00000498], 00
:004BE8A5 0F85ED000000 jne 004BE998
:004BE8AB 8D55F8 lea edx, dword ptr [ebp-08]
:004BE8AE 8B8318030000 mov eax, dword ptr [ebx+00000318]
:004BE8B4 E8D73CF9FF call 00452590
:004BE8B9 8B45F8 mov eax, dword ptr [ebp-08]
====> EAX=13572468, the trial code

:004BE8BC 8B15A0E04C00 mov edx, dword ptr [004CE0A0]
:004BE8C2 8B12 mov edx, dword ptr [edx]
:004BE8C4 8B9294040000 mov edx, dword ptr [edx+00000494]
====> EDX=413D3F3C282F3FCC473025140C0163E, the registration code

:004BE8CA E87D62F4FF call 00404B4C
====> the comparison CALL!

:004BE8CF 0F8585000000 jne 004BE95A
====> if it jumps, it's OVER!

:004BE8D5 B201 mov dl, 01
:004BE8D7 A104754300 mov eax, dword ptr [00437504]
:004BE8DC E88F8DF7FF call 00437670
:004BE8E1 8BF0 mov esi, eax
:004BE8E3 BA02000080 mov edx, 80000002
:004BE8E8 8BC6 mov eax, esi
:004BE8EA E85D8EF7FF call 0043774C
:004BE8EF B101 mov cl, 01

* Possible StringData Ref from Code Obj ->"SOFTWARE\飘雪工作室\FlashPlayer\Setup\"
====> save the registration information!

:004BE8F1 BAD8E94B00 mov edx, 004BE9D8
:004BE8F6 8BC6 mov eax, esi
:004BE8F8 E8938FF7FF call 00437890
:004BE8FD 84C0 test al, al
...................
..............

* Possible StringData Ref from Code Obj ->"谢谢"
|
:004BE93D 6858EA4B00 push 004BEA58
:004BE942 8B45FC mov eax, dword ptr [ebp-04]
:004BE945 E8B662F4FF call 00404C00
:004BE94A 50 push eax
:004BE94B 8BC3 mov eax, ebx
:004BE94D E80EA5F9FF call 00458E60
:004BE952 50 push eax

* Reference To: user32.MessageBoxA, Ord:0000h
|
:004BE953 E8408AF4FF Call 00407398
====> heh, the goddess of victory!

:004BE958 EB3E jmp 004BE998

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BE8CF(C)
|
:004BE95A 8D55F0 lea edx, dword ptr [ebp-10]
:004BE95D 8B8318030000 mov eax, dword ptr [ebx+00000318]
:004BE963 E8283CF9FF call 00452590
:004BE968 837DF000 cmp dword ptr [ebp-10], 00000000
:004BE96C 742A je 004BE998
:004BE96E 8D45FC lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"您的注册码有误,请检查后再次输入!"
|

:004BE971 BA68EA4B00 mov edx, 004BEA68
:004BE976 E85D5EF4FF call 004047D8
:004BE97B 6A10 push 00000010

* Possible StringData Ref from Code Obj ->"错误"
|
:004BE97D 68ACEA4B00 push 004BEAAC
:004BE982 8B45FC mov eax, dword ptr [ebp-04]
:004BE985 E87662F4FF call 00404C00
:004BE98A 50 push eax
:004BE98B 8BC3 mov eax, ebx
:004BE98D E8CEA4F9FF call 00458E60
:004BE992 50 push eax

* Reference To: user32.MessageBoxA, Ord:0000h
|
:004BE993 E8008AF4FF Call 00407398
====>BAD BOY!
—————————————————————————————————
【Algorithm Summary】:
1. The motherboard information and 1978 are run through the loop computation to produce the authentication code E12561A3DC225AA7CB125C9DDC11789
2. The authentication code and 1978 are run through the cyclic XOR / accumulate / XOR loop to produce a new string:
087C94F11F64ACDA364BB7DE296F89FD0D619AFC177DF9047085F1147D85848A
3. The first 31 characters of the string above and ILOVEYOU are run through the same cyclic XOR / accumulate / XOR loop to produce another new string:
0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6
4. Starting at position 33, 31 characters (the length of the authentication code) are taken from the string above:
413D3F3C282F3FCC473025140C0163E  this is the registration code
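As an added example that is not part of the original write-up, the round loop traced at 004C272C..004C2783 (steps 2 and 3 above) re-implemented in Python, so the reading of the disassembly can be checked against the intermediate values and the memory dump recorded in the trace. The constant names are mine; the strings are the ones the trace records.

```python
# Added example: re-implementation of the transform loop traced above.
# Every value below comes from the trace; only the names are mine.
AUTH_CODE = "E12561A3DC225AA7CB125C9DDC11789"                   # step 1 output
STAGE2 = "087C94F11F64ACDA364BB7DE296F89FD0D619AFC177DF9047085F1147D85848A"
STAGE3 = "0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6"


def rounds(data: str, key: str, seed: int = 8):
    """Yield (EDX after idiv, EBX after xor) for each round of the loop.

    EBX starts at `seed` (mov ebx, 00000008).  Each round:
      EAX = data byte + EBX             ; add eax, ebx
      EDX = EAX mod 0xFF                ; mov ecx, FF / cdq / idiv ecx
      EBX = EDX xor key byte            ; xor ebx, eax
    and EBX carries into the next round.  ESI walks the key: it is
    incremented until it reaches len(key), then reset to 1, so the key
    byte used is key[ESI-1] and the key repeats cyclically.
    Note the divisor is 0xFF, not 0x100: a sum of exactly 0xFF reduces
    to 0 (this happens at round 14 of stage 3, where 'C' + 0xBC = 0xFF).
    """
    ebx, esi = seed, 0
    for ch in data:
        edx = (ord(ch) + ebx) % 0xFF
        esi = 1 if esi >= len(key) else esi + 1   # cmp esi,[ebp-10] / jge / inc
        ebx = edx ^ ord(key[esi - 1])
        yield edx, ebx


def transform(data: str, key: str, seed: int = 8) -> str:
    """Hex string the loop leaves in [ebp-14].

    The seed is formatted with "%1.2x" before the loop (the fixed leading
    "08"), then each round's EBX is appended as two hex digits.  The dump
    shows uppercase digits, as Delphi's Format produces for %x.
    """
    body = "".join(f"{ebx:02X}" for _, ebx in rounds(data, key, seed))
    return f"{seed:02X}" + body


if __name__ == "__main__":
    # Compare the first rounds with the "1、 ... 4、" values in the trace.
    for n, (edx, ebx) in enumerate(rounds(AUTH_CODE, "1978"), 1):
        print(f"{n:2}: EDX={edx:02X} EBX={ebx:02X}")
    print(transform(AUTH_CODE, "1978") == STAGE2)           # stage 2 dump
    print(transform(STAGE2[:31], "ILOVEYOU") == STAGE3)     # stage 3 string
```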
—————————————————————————————————
【Making it pop up the registration code itself】:
1. 004BE968 837DF000 cmp dword ptr [ebp-10], 00000000
004BE96C 742A je 004BE998
change to: 004BE968 8B15502ADA00 MOV EDX,DWORD PTR [00DA2A50]
2. 004BE971 BA68EA4B00 mov edx, 004BEA68
change to: 004BE971 9090909090 NOP it out
3. 004BE97D 68ACEA4B00 push 004BEAAC
change to: 004BE97D 6858EA4B00 push 004BEA58
Heh, there was no way around it: 004BE971 is one byte short, so this many changes were needed, and I don't know whether it works on other machines. This way the original error prompt becomes "谢谢" (Thanks) together with the registration code. The prompt looks rather "ugly", but it's passable. ^O^ ^O^
—————————————————————————————————
【KeyMake {88th} memory keymaker】:
Break address: 004BE8CA
Break count: 1
First byte: E8
Instruction length: 5
Memory mode: EDX
—————————————————————————————————
【Registration information storage】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\飘雪工作室\FlashPlayer\Setup]
"SN"="413D3F3C282F3FCC473025140C0163E"
—————————————————————————————————
【Summary】:
Authentication code: E12561A3DC225AA7CB125C9DDC11789
Registration code: 413D3F3C282F3FCC473025140C0163E
—————————————————————————————————