* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043092E(C)
|
:0043093B 33FF xor edi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430939(U)
|
:0043093D E850E80600 call 0049F192
:00430942 8B4C240C mov ecx, dword ptr [esp+0C]
:00430946 8B4004 mov eax, dword ptr [eax+04]
:00430949 51 push ecx
* Possible StringData Ref from Data Obj ->"Serial"
|
:0043094A 68DCA84D00 push 004DA8DC
* Possible StringData Ref from Data Obj ->"Serial"
|
:0043094F 68DCA84D00 push 004DA8DC
:00430954 8BC8 mov ecx, eax
:00430956 E8C0EF0500 call 0048F91B
:0043095B 51 push ecx
:0043095C 8BCC mov ecx, esp
:0043095E 8964241C mov dword ptr [esp+1C], esp
* Possible StringData Ref from Data Obj ->"OK" <===这里就是注册成功的信息
|
:00430962 6830B14D00 push 004DB130
:00430967 E8D6060500 call 00481042
:0043096C 51 push ecx
:0043096D 8D542418 lea edx, dword ptr [esp+18]
:00430971 8BCC mov ecx, esp
:00430973 89642424 mov dword ptr [esp+24], esp
:00430977 52 push edx
:00430978 C644243402 mov [esp+34], 02
:0043097D E8C7030500 call 00480D49
:00430982 8D44241C lea eax, dword ptr [esp+1C]
:00430986 8D8F9C0E0000 lea ecx, dword ptr [edi+00000E9C]
:0043098C 50 push eax
:0043098D 885C2434 mov byte ptr [esp+34], bl
:00430991 E83716FDFF call 00401FCD
:00430996 8B00 mov eax, dword ptr [eax]
:00430998 8BCE mov ecx, esi
:0043099A 50 push eax
* Possible Reference to Dialog: DialogID_0090, CONTROL_ID:0419, "Static"
|
:0043099B 6819040000 push 00000419
:004309A0 C644243003 mov [esp+30], 03
:004309A5 E89DF80400 call 00480247
:004309AA 8BC8 mov ecx, eax
:004309AC E82DFB0400 call 004804DE
:004309B1 8D4C2414 lea ecx, dword ptr [esp+14]
:004309B5 885C2428 mov byte ptr [esp+28], bl
:004309B9 E816060500 call 00480FD4
:004309BE 6A00 push 00000000
:004309C0 8D8EA0000000 lea ecx, dword ptr [esi+000000A0]
:004309C6 E89AFC0400 call 00480665
:004309CB 8D4C2410 lea ecx, dword ptr [esp+10]
:004309CF 899F80010000 mov dword ptr [edi+00000180], ebx
:004309D5 C644242800 mov [esp+28], 00
:004309DA E8F5050500 call 00480FD4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004308F5(C)
|
:004309DF 8D4C240C lea ecx, dword ptr [esp+0C]
:004309E3 C7442428FFFFFFFF mov [esp+28], FFFFFFFF
:004309EB E8E4050500 call 00480FD4
:004309F0 8B4C2420 mov ecx, dword ptr [esp+20]
:004309F4 5F pop edi
:004309F5 5E pop esi
:004309F6 64890D00000000 mov dword ptr fs:[00000000], ecx
:004309FD 5B pop ebx
:004309FE 83C420 add esp, 00000020
:00430A01 C3 ret
.......
.......
-----004308EE call 00401136 关键的算法CALL,F8跟进来到下列代码段------------------
要正确注册,则EAX返回时,不能为0
:00430370 6AFF push FFFFFFFF
:00430372 6820494B00 push 004B4920
:00430377 64A100000000 mov eax, dword ptr fs:[00000000]
:0043037D 50 push eax
:0043037E 64892500000000 mov dword ptr fs:[00000000], esp
:00430385 83EC1C sub esp, 0000001C
:00430388 53 push ebx
:00430389 55 push ebp
:0043038A 56 push esi
:0043038B 57 push edi
:0043038C 8D44243C lea eax, dword ptr [esp+3C]
:00430390 8D4C2414 lea ecx, dword ptr [esp+14]
:00430394 50 push eax
:00430395 C744243800000000 mov [esp+38], 00000000
:0043039D E8A7090500 call 00480D49
:004303A2 8B742414 mov esi, dword ptr [esp+14] <===ESI=78787878
:004303A6 8B56F8 mov edx, dword ptr [esi-08] <===EDX=8(输入注册码的长度)
:004303A9 83FA0C cmp edx, 0000000C <===看输入的注册码长度是不是C(12位),将假码改为787878787878,重新来
:004303AC 0F85B5010000 jne 00430567 <===跳过去就OVER了
:004303B2 33C9 xor ecx, ecx <===计数器ECX,初始值化为0
:004303B4 85D2 test edx, edx
:004303B6 7E18 jle 004303D0 <===不跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303CE(C)
|
:004303B8 8A0431 mov al, byte ptr [ecx+esi]
:004303BB 3C41 cmp al, 41
:004303BD 0F8CA4010000 jl 00430567 <===跳过去就OVER了
:004303C3 3C5A cmp al, 5A
:004303C5 0F8F9C010000 jg 00430567 <===跳过去就OVER了
:004303CB 41 inc ecx
:004303CC 3BCA cmp ecx, edx
:004303CE 7CE8 jl 004303B8 <===构成一个小循环,主要功能是依次提取注册码的字符,检测是不是位于A-Z(大写)之间,只要一个不对,就OVER! 将假码改为ABCDEFGHIJKL,再重新来
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303B6(C)
|
*******************
.......
中间部分省略,主要功能是将输入的注册码分成四段,每段三个字符
.......
*******************
:00430492 8D4C2428 lea ecx, dword ptr [esp+28]
:00430496 885C2434 mov byte ptr [esp+34], bl
:0043049A E8350B0500 call 00480FD4
:0043049F 8B7C241C mov edi, dword ptr [esp+1C] <===EDI=GHI(第三段)
:004304A3 8B6C2418 mov ebp, dword ptr [esp+18] <===EBP=JKL(第四段)
:004304A7 8B742420 mov esi, dword ptr [esp+20] <===ESI=DEF(第二段)
:004304AB 8B442424 mov eax, dword ptr [esp+24] <===EAX=ABC(第一段)
:004304AF 8A1F mov bl, byte ptr [edi] <===BL=47(是G的ASCII的16进制表示形式)
:004304B1 8A16 mov dl, byte ptr [esi] <===DL=44(是D的ASCII的16进制表示形式)
:004304B3 8A08 mov cl, byte ptr [eax] <===CL=41(是A的ASCII的16进制表示形式)
:004304B5 885C2412 mov byte ptr [esp+12], bl
:004304B9 8A5D00 mov bl, byte ptr [ebp+00] <===BL=4A(是J的ASCII的16进制表示形式)
:004304BC 885C2413 mov byte ptr [esp+13], bl
:004304C0 0FBE5C2412 movsx ebx, byte ptr [esp+12] <===EBX=47,不变
:004304C5 0FBED2 movsx edx, dl <===EDX=44
:004304C8 0FBEC9 movsx ecx, cl <===ECX=41
:004304CB 2BD3 sub edx, ebx
:004304CD 03D1 add edx, ecx <===EDX=EDX-EBX+ECX=3E
:004304CF 0FBE4C2413 movsx ecx, byte ptr [esp+13] <===ECX=4A
:004304D4 41 inc ecx <===ECX=4B
:004304D5 3BD1 cmp edx, ecx <===这里必须相等,这里EDX和ECX怎么相等,见分析
:004304D7 740B je 004304E4 <===从这里跳走,才能正确注册