* Possible StringData Ref from Data Obj ->"Unable to record the registration information. Please contact crawler@4dev.com"
|
:0040B0B3 68A88F4500   push 00458FA8
:0040B0B8 E866B50200   call 00436623
:0040B0BD 8BCE         mov ecx, esi
:0040B0BF E8DE400200   call 0042F1A2
:0040B0C4 5E           pop esi
:0040B0C5 5B           pop ebx
:0040B0C6 83C408       add esp, 00000008
:0040B0C9 C3           ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B0AF(C)
|
:0040B0CA 6A40         push 00000040      <<------- 0x40 = MB_ICONINFORMATION (message-box style)

* Possible Reference to Dialog:
|
:0040B0CC 68988F4500   push 00458F98

* Possible StringData Ref from Data Obj ->"Welcome to the full version of Registry Crawler. Thank you for registering the software. Please restart the program to lift all the restrictions of the unregistered version."
|
:0040B0D1 68FC8E4500   push 00458EFC
:0040B0D6 8BCE         mov ecx, esi
:0040B0D8 E80F110200   call 0042C1EC
:0040B0DD 8BCE         mov ecx, esi
:0040B0DF E8BE400200   call 0042F1A2
:0040B0E4 5E           pop esi
:0040B0E5 5B           pop ebx
:0040B0E6 83C408       add esp, 00000008
:0040B0E9 C3           ret
====== Now let's see where the jump at 0040B047 goes:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B047(C)
|
:0040B0EA 8BCE         mov ecx, esi
:0040B0EC E80FFAFFFF   call 0040AB00      <<------- note this CALL: stepping over it with F10 leaves EAX = 0
:0040B0F1 85C0         test eax, eax
:0040B0F3 7419         je 0040B10E        <<------- jump taken
:0040B0F5 6A40         push 00000040      <<------- 0x40 = MB_ICONINFORMATION

* Possible Reference to Dialog:
|
:0040B0F7 68E88E4500   push 00458EE8

* Possible StringData Ref from Data Obj ->"The registration information you entered is only valid for Registry Crawler 3.x. To register version 4.0 or later you need new registration information. Please contact us to upgrade your registration code to Registry Crawler 4.0 (E-mail sales@4dev.com). Note that you must include the old version's registration code in the E-mail. Thanks, 4Developers Team."
|
:0040B0FC 68AC8D4500   push 00458DAC
:0040B101 8BCE         mov ecx, esi
:0040B103 E8E4100200   call 0042C1EC
:0040B108 5E           pop esi
:0040B109 5B           pop ebx
:0040B10A 83C408       add esp, 00000008
:0040B10D C3           ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B0F3(C)
|
:0040B10E 6A30         push 00000030      <<------- 0x30 = MB_ICONEXCLAMATION

* Possible Reference to Dialog:
|
:0040B110 68A08D4500   push 00458DA0

* Possible StringData Ref from Data Obj ->"The registration information you entered is invalid. Please re-enter the user ID and the matching registration code you received from 4Developers LLC. If you have not registered yet, you can click 'Order Now' below to buy the software. If you need help, send E-mail to: crawler@4dev.com"
|
:0040B115 68908C4500   push 00458C90
:0040B11A 8BCE         mov ecx, esi
:0040B11C E8CB100200   call 0042C1EC
:0040B121 5E           pop esi
:0040B122 5B           pop ebx
:0040B123 83C408       add esp, 00000008
:0040B126 C3           ret
===================================================
From this code it is not hard to see that Registry Crawler computes the registration code in two places: the CALL at 0040B040 and the CALL at 0040B0EC. The former is the version 4.0 registration-code computation, the latter the 3.x one; the 3.x computation looks somewhat like the 4.0 one. The verification flow is: first run the user name through the 4.0 algorithm and compare the result with the code the user entered; if they differ, run the user name through the 3.x algorithm and compare again; if that matches, prompt the user to upgrade their registration code, otherwise pop up the registration-failed dialog. (Each branch pushes a message-box style, 0x40 or 0x30, the caption reference and the text, then calls 0042C1EC with ECX = this, so 0042C1EC is the dialog's message-box wrapper.) This article analyzes only the 4.0 computation and does not cover the 3.x algorithm, so we do not step into the second CALL.
===================================================
The preliminary analysis is done; on to the second pass. Go to 0040B040 and press F8 to step into the CALL, which brings us here:
* Referenced by a CALL at Addresses:
|:0040AAF3 , :0040B040
|
:0040ACF0 83EC24       sub esp, 00000024
:0040ACF3 83C9FF       or ecx, FFFFFFFF
:0040ACF6 33C0         xor eax, eax
:0040ACF8 55           push ebp
:0040ACF9 57           push edi

* Possible Reference to Dialog:
|
:0040ACFA BF10E54500   mov edi, 0045E510  <<------- 0045E510 is the address of the user name
:0040ACFF F2           repnz               \
:0040AD00 AE           scasb                \ compute the user name length -> ECX
:0040AD01 F7D1         not ecx              / (scan to the NUL, then NOT and DEC the counter)
:0040AD03 49           dec ecx             /
:0040AD04 8BE9         mov ebp, ecx
:0040AD06 83FD08       cmp ebp, 00000008
:0040AD09 7D06         jge 0040AD11       <<------- taken when the length is >= 8; if not taken, the routine returns without running the 4.0 algorithm (the user name in this example qualifies)
:0040AD0B 5F           pop edi
:0040AD0C 5D           pop ebp
:0040AD0D 83C424       add esp, 00000024
:0040AD10 C3           ret

================== the registration-code algorithm starts here ======================

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AD09(C)
|
:0040AD11 53           push ebx
:0040AD12 56           push esi
:0040AD13 6810E54500   push 0045E510      <<------- push the user name
:0040AD18 E845D00100   call 00427D62      <<------- convert every uppercase letter in the user name to lowercase
:0040AD1D B907000000   mov ecx, 00000007
:0040AD22 33C0         xor eax, eax
:0040AD24 8D7C2419     lea edi, dword ptr [esp+19]
:0040AD28 C644241800   mov [esp+18], 00
:0040AD2D F3           repz                \
:0040AD2E AB           stosd                \ zero-fill the stack buffer: 1 + 7*4 + 2 + 1 = 32 bytes
:0040AD2F 66AB         stosw                /
:0040AD31 83C404       add esp, 00000004    (discard the pushed user-name pointer)
:0040AD34 AA           stosb               /
:0040AD35 8D442414     lea eax, dword ptr [esp+14]  <<------- EAX = start of that 32-byte buffer

* Possible Reference to Dialog:
|
:0040AD39 68E48B4500   push 00458BE4      <<------- push "8267-"
:0040AD3E 50           push eax

* Reference To: KERNEL32.lstrcpyA, Ord:0302h
|
:0040AD3F FF155C834400 Call dword ptr [0044835C]  <<------- lstrcpyA(buffer, "8267-"); EAX = the buffer, which now holds "8267-"
:0040AD45 33DB         xor ebx, ebx       <<------- clear EBX, which will be used as a counter
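The check order read out of 0040B040..0040B10E above, together with the 4.0 routine's prologue exactly as far as the listing shows it, re-expressed in Python as an added example. This is not code from the article or from Registry Crawler. The page has not yet reached the real code computation of either version, so `check_registration` takes the two algorithms as caller-supplied callables, and the lambda bodies in the demonstration are placeholders, not the program's algorithm; `strlen_scasb`, `v4_prologue` and `with_v4_prologue` are names chosen here.

```python
"""Added example: the registration-check flow and the 4.0 prologue
(0040ACF0..0040AD45) re-expressed in Python.  Not code from the article or
from Registry Crawler; the real code computations are not on the page and are
supplied by the caller."""

from typing import Callable, Optional, Tuple

PREFIX = b"8267-"          # string pushed at 0040AD39
MIN_USERNAME_LEN = 8       # cmp ebp, 8 / jge at 0040AD06..0040AD09
BUF_SIZE = 32              # mov [esp+18],0 ; 7 x stosd ; stosw ; stosb = 1+28+2+1 bytes

RESULT_REGISTERED = "registered"        # 0040B0CA: "Welcome to the full version"
RESULT_UPGRADE = "upgrade_required"     # 0040B0F5: a 3.x code was entered
RESULT_INVALID = "invalid"              # 0040B10E: "registration information is invalid"

Algorithm = Callable[[bytes], Optional[bytes]]


def strlen_scasb(cstring: bytes) -> int:
    """Mirror of `or ecx,-1 ; xor eax,eax ; repnz scasb ; not ecx ; dec ecx`.
    Input is a NUL-terminated C string; a missing terminator is treated as one
    at the end of the buffer."""
    if b"\0" not in cstring:
        cstring += b"\0"
    ecx = 0xFFFFFFFF
    for byte in cstring:               # repnz scasb: one decrement per byte compared...
        ecx = (ecx - 1) & 0xFFFFFFFF
        if byte == 0:                  # ...including the NUL that stops the scan
            break
    return ((~ecx) & 0xFFFFFFFF) - 1   # not ecx ; dec ecx


def v4_prologue(username: bytes) -> Optional[Tuple[bytes, bytearray]]:
    """Steps at 0040ACF0..0040AD45.  Returns None when the name is shorter than
    8 bytes (jge not taken: pop/ret without computing a 4.0 code); otherwise the
    lowercased name and the zeroed 32-byte stack buffer at [esp+14] after
    lstrcpyA copied "8267-" into it."""
    length = strlen_scasb(username)
    if length < MIN_USERNAME_LEN:
        return None
    # call 00427D62: uppercase letters folded to lowercase in place.  bytes.lower()
    # only touches ASCII A-Z, which is what the article describes for that call.
    name = username[:length].lower()
    buf = bytearray(BUF_SIZE)            # the rep stosd / stosw / stosb zero-fill
    buf[:len(PREFIX)] = PREFIX           # lstrcpyA(buf, "8267-"); EAX -> buf
    return name, buf


def with_v4_prologue(body: Callable[[bytes, bytearray], bytes]) -> Algorithm:
    """Wrap a (hypothetical) computation body so that it only runs after the
    prologue above, the way the routine at 0040ACF0 gates it."""
    def algorithm(username: bytes) -> Optional[bytes]:
        prepared = v4_prologue(username)
        if prepared is None:
            return None
        name, buf = prepared
        return body(name, buf)
    return algorithm


def check_registration(username: bytes, entered: bytes,
                       compute_v4: Algorithm, compute_v3: Algorithm) -> str:
    """The check order described in the article: the 4.0 algorithm first, then
    the 3.x algorithm as a fallback that only earns an 'upgrade' prompt."""
    if compute_v4(username) == entered:     # CALL at 0040B040, branch at 0040B047
        return RESULT_REGISTERED
    if compute_v3(username) == entered:     # CALL at 0040B0EC, test eax / je at 0040B0F3
        return RESULT_UPGRADE
    return RESULT_INVALID


if __name__ == "__main__":
    # Constructed demonstration.  The lambda bodies stand in for the real
    # algorithms, which the article has not reached yet; they are placeholders.
    v4 = with_v4_prologue(lambda name, buf: bytes(buf[:len(PREFIX)]) + name)
    v3 = lambda name: b"old-style-" + name.lower()
    for user, code in [(b"TestUser", b"8267-testuser"),
                       (b"TestUser", b"old-style-testuser"),
                       (b"TestUser", b"1234"),
                       (b"short", b"8267-short")]:
        print(user.decode(), code.decode(), "->", check_registration(user, code, v4, v3))
```

The point worth keeping in mind from the prologue is the gate: a user name shorter than 8 characters never reaches the 4.0 computation at all, so the routine returns with EAX untouched and the caller falls straight through to the 3.x check, which is why a short name can only ever produce the "upgrade" or "invalid" dialog.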