注册名: simonyan
注册码: CFC0-C3C1-D7C7-DDC0
此为重启校验的,注册码在注册表内,如运行脱壳程序,则注册码在脱壳程序的项内。
下断点bpx regqueryvalueexa do "d *(esp+8)"
看见userID停下,进入程序跟踪。
到下面地方可看见算法。
算法如下:
:0040C735 8A0C28 mov cl, byte ptr [eax+ebp] EBP中为注册名
:0040C738 884C0410 mov byte ptr [esp+eax+10], cl
:0040C73C 40 inc eax
:0040C73D 83F808 cmp eax, 00000008
:0040C740 7CF3 jl 0040C735 (上面只是个检查注册名长度的动作,小于8就无效)
:0040C742 83FB08 cmp ebx, 00000008
:0040C745 7E24 jle 0040C76B (如长度小于等于8跳转)
:0040C747 BE08000000 mov esi, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C769(C)
|
:0040C74C 8BC6 mov eax, esi
:0040C74E 2507000080 and eax, 80000007
:0040C753 7905 jns 0040C75A
:0040C755 48 dec eax
:0040C756 83C8F8 or eax, FFFFFFF8
:0040C759 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C753(C)
|
:0040C75A 8A1428 mov dl, byte ptr [eax+ebp]
:0040C75D 8A0C2E mov cl, byte ptr [esi+ebp]
:0040C760 32CA xor cl, dl
:0040C762 46 inc esi
:0040C763 3BF3 cmp esi, ebx
:0040C765 884C0410 mov byte ptr [esp+eax+10], cl
:0040C769 7CE1 jl 0040C74C (上面为大于8的处理,就是第一位和第9位,第二和第10位异或,类推)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C745(C)
|
:0040C76B 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C786(C)
|
:0040C76D 8B4C045C mov ecx, dword ptr [esp+eax+5C] (EBP+5c中值依次为6,7,2,3,5,1,0,4)
:0040C771 83C004 add eax, 00000004
:0040C774 0FBE4C0C10 movsx ecx, byte ptr [esp+ecx+10]
:0040C779 81F1AE000000 xor ecx, 000000AE
:0040C77F 83F820 cmp eax, 00000020 (每次加4,共有8组)
:0040C782 894C0418 mov dword ptr [esp+eax+18], ecx
:0040C786 7CE5 jl 0040C76D
:0040C788 8B1564564500 mov edx, dword ptr [00455664]
:0040C78E 89542410 mov dword ptr [esp+10], edx
:0040C792 8B442438 mov eax, dword ptr [esp+38]
:0040C796 8B4C2434 mov ecx, dword ptr [esp+34]
:0040C79A 8B542430 mov edx, dword ptr [esp+30]
:0040C79E 50 push eax
:0040C79F 8B442430 mov eax, dword ptr [esp+30]
:0040C7A3 51 push ecx
:0040C7A4 8B4C2430 mov ecx, dword ptr [esp+30]
:0040C7A8 52 push edx
:0040C7A9 8B542430 mov edx, dword ptr [esp+30]
:0040C7AD 50 push eax
:0040C7AE 8B442430 mov eax, dword ptr [esp+30]
:0040C7B2 51 push ecx
:0040C7B3 8B4C2430 mov ecx, dword ptr [esp+30]
:0040C7B7 52 push edx
:0040C7B8 50 push eax
:0040C7B9 51 push ecx
:0040C7BA 8D542430 lea edx, dword ptr [esp+30]
* Possible StringData Ref from Data Obj ->"%02X%02X-%02X%02X-%02X%02X-%02X%02X" (注册码格式)
|
:0040C7BE 685C444500 push 0045445C
:0040C7C3 52 push edx
:0040C7C4 C784248C08000000000000 mov dword ptr [esp+0000088C], 00000000
:0040C7CF E8AE020200 call 0042CA82 (将前面所得值转为此格式就OK了)
:0040C7D4 8BB42498080000 mov esi, dword ptr [esp+00000898] (这里可以看见注册码明码了)
:0040C7DB 8B06 mov eax, dword ptr [esi]
:0040C7DD 50 push eax
:0040C7DE 8B44243C mov eax, dword ptr [esp+3C]
:0040C7E2 50 push eax
:0040C7E3 E859320100 call 0041FA41 (这里开始比较,不等就未注册了)
:0040C7E8 83C430 add esp, 00000030
:0040C7EB 85C0 test eax, eax
:0040C7ED 753E jne 0040C82D
:0040C7EF 8B8C246C080000 mov ecx, dword ptr [esp+0000086C]
有空再写注册机吧。
|