A Reversing Of iSkySoft
堆栈返回下断,或者字符串搜索,或下对话框断点
;====================================================================|>>第一层>
;-----------------------------------------------------------------------
; Layer 1: registration handler at 005573C0.
; Register-passed arguments (Delphi-style, inferred from the spills to
; [ebp-4]/[ebp-8]): eax = object ("self", read through +3E0, +3E4, +418),
; edx = second argument, saved at [ebp-8] and never read again here.
; Flow: two pre-checks (004E194C, 004E1C28) -> read the e-mail control at
; self+3E0 -> e-mail check 00557388 -> read the serial control at self+3E4
; -> key call 004E198C(eax = e-mail, edx = serial) -> success / failure
; message box. The routine itself returns nothing meaningful; al from
; 004E198C only selects which message is shown.
; Locals: eight dwords zeroed by the push ecx run; the six string slots
; [ebp-C]..[ebp-20] are released by the cleanup run at 00557527.
; SEH: xor eax,eax / push ebp / push 00557558 / push fs:[0] / mov fs:[0],esp
; installs a frame whose handler is the jmp at 00557558; the common exit
; at 0055751A unlinks it and pushes 0055755F so that the retn at 00557557
; lands on the real epilogue (mov esp,ebp / pop ebp / retn).
;-----------------------------------------------------------------------
005573C0 /. 55 push ebp ; // entry
005573C1 |. 8BEC mov ebp, esp
005573C3 |. 33C9 xor ecx, ecx ; ecx = 0: the eight pushes below reserve and zero [ebp-4]..[ebp-20]
005573C5 |. 51 push ecx
005573C6 |. 51 push ecx
005573C7 |. 51 push ecx
005573C8 |. 51 push ecx
005573C9 |. 51 push ecx
005573CA |. 51 push ecx
005573CB |. 51 push ecx
005573CC |. 51 push ecx
005573CD |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = second argument (not read again in this routine)
005573D0 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = object ("self")
005573D3 |. 33C0 xor eax, eax ; eax = 0 for the fs:[0] accesses below
005573D5 |. 55 push ebp
005573D6 |. 68 58755500 push 00557558 ; exception handler address (the jmp at 00557558 below)
005573DB |. 64:FF30 push dword ptr fs:[eax] ; save the previous SEH record
005573DE |. 64:8920 mov dword ptr fs:[eax], esp ; install this frame
005573E1 |. E8 66A5F8FF call 004E194C ; pre-check #1 (body not in the dump)
005573E6 |. 84C0 test al, al
005573E8 |. 0F85 2C010000 jnz 0055751A ; al != 0 -> leave without registering
005573EE |. E8 35A8F8FF call 004E1C28 ; pre-check #2 (body not in the dump)
005573F3 |. 84C0 test al, al
005573F5 |. 0F85 1F010000 jnz 0055751A ; al != 0 -> leave without registering
005573FB |. 55 push ebp ; frame pointer passed on the stack to 00557388 (nested-routine pattern, inferred); removed by the pop ecx at 00557415
005573FC |. 8D55 F4 lea edx, dword ptr [ebp-C] ; out: string result
005573FF |. 8B45 FC mov eax, dword ptr [ebp-4]
00557402 |. 8B80 E0030000 mov eax, dword ptr [eax+3E0] ; control at self+3E0 (the e-mail field)
00557408 |. E8 7F39F7FF call 004CAD8C ; read the control's text into [ebp-C] (author: fetch user info / e-mail)
0055740D |. 8B45 F4 mov eax, dword ptr [ebp-C] ; |ASCII “ultrain@163.com”
00557410 |. E8 73FFFFFF call 00557388 ; \DVDRippe.00557388: e-mail check, al = ok (author: e-mail must not be empty)
00557415 |. 59 pop ecx ; drop the ebp pushed at 005573FB
00557416 |. 84C0 test al, al ; e-mail accepted?
00557418 |. 75 3C jnz short 00557456 ; taken when the e-mail passes (author: taken)
;—————————<message: e-mail error>————————–|
0055741A |. 6A 40 push 40 ; uType = MB_ICONINFORMATION
0055741C |. 68 64755500 push 00557564 ; UNICODE “Info_Title”
00557421 |. E8 1685F2FF call ; string lookup by name (target not shown in the dump)
00557426 |. 50 push eax ; caption
00557427 |. 68 7C755500 push 0055757C ; UNICODE “INF_Email_Error”
0055742C |. E8 0B85F2FF call ; string lookup by name (same helper, inferred)
00557431 |. 50 push eax ; text
00557432 |. 8B45 FC mov eax, dword ptr [ebp-4]
00557435 |. E8 12B3F0FF call 0046274C ; eax = owner window handle of self (see hOwner)
0055743A |. 50 push eax ; |hOwner
0055743B |. E8 300AEBFF call ; \MessageBoxW
00557440 |. 8B45 FC mov eax, dword ptr [ebp-4]
00557443 |. 8B80 E0030000 mov eax, dword ptr [eax+3E0] ; the e-mail control again
00557449 |. 8B10 mov edx, dword ptr [eax] ; its vtable
0055744B |. FF92 D4000000 call dword ptr [edx+D4] ; virtual method at vtable +D4 on the e-mail control (purpose not visible here)
00557451 |. E9 C4000000 jmp 0055751A ; leave
;—————————|
00557456 |> 8D55 EC lea edx, dword ptr [ebp-14] ; out: string result
00557459 |. 8B45 FC mov eax, dword ptr [ebp-4]
0055745C |. 8B80 E4030000 mov eax, dword ptr [eax+3E4] ; control at self+3E4 (the serial field)
00557462 |. E8 2539F7FF call 004CAD8C ; read its text into [ebp-14]
00557467 |. 8B45 EC mov eax, dword ptr [ebp-14] ; ASCII “09876543212468013579123456789012”
0055746A |. 8D55 F0 lea edx, dword ptr [ebp-10] ; out
0055746D |. E8 4A25EBFF call 004099BC ; [ebp-10] = derived copy of [ebp-14] (text unchanged in the dump; likely a trim/copy — confirm)
00557472 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; ASCII “09876543212468013579123456789012”
00557475 |. 50 push eax ; serial kept on the stack until the pop edx at 00557495
00557476 |. 8D55 E4 lea edx, dword ptr [ebp-1C] ; out
00557479 |. 8B45 FC mov eax, dword ptr [ebp-4]
0055747C |. 8B80 E0030000 mov eax, dword ptr [eax+3E0] ; e-mail control
00557482 |. E8 0539F7FF call 004CAD8C ; read its text into [ebp-1C]
00557487 |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; ASCII “ultrain@163.com”
0055748A |. 8D55 E8 lea edx, dword ptr [ebp-18] ; out
0055748D |. E8 2A25EBFF call 004099BC ; [ebp-18] = derived copy of the e-mail (same helper as 0055746D)
00557492 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; eax = e-mail, ASCII “ultrain@163.com”
00557495 |. 5A pop edx ; edx = serial (pushed at 00557475)
00557496 |. E8 F1A4F8FF call 004E198C ; => key CALL (layer 2): eax = e-mail, edx = serial; al = accepted
0055749B |. 84C0 test al, al
0055749D |. 74 55 je short 005574F4 ; al == 0 -> "registration failed" message (author: taking this jump means failure)
;—————————<message: registration succeeded>————————–|
0055749F |. 6A 40 push 40 ; MB_ICONINFORMATION
005574A1 |. 68 64755500 push 00557564 ; UNICODE “Info_Title”
005574A6 |. E8 9184F2FF call ; string lookup by name
005574AB |. 50 push eax ; caption
005574AC |. 68 9C755500 push 0055759C ; UNICODE “INF_Register_Success”
005574B1 |. E8 8684F2FF call ; string lookup by name
005574B6 |. 50 push eax ; text
005574B7 |. 8B45 FC mov eax, dword ptr [ebp-4]
005574BA |. E8 8DB2F0FF call 0046274C ; owner window handle
005574BF |. 50 push eax ; |hOwner
005574C0 |. E8 AB09EBFF call ; \MessageBoxW
005574C5 |. 68 C8755500 push 005575C8 ; UNICODE “LBL_Register_Caption”
005574CA |. E8 6D84F2FF call ; string lookup by name
005574CF |. 8BD0 mov edx, eax ; edx = looked-up caption
005574D1 |. 8D45 E0 lea eax, dword ptr [ebp-20]
005574D4 |. E8 3BDAEAFF call 00404F14 ; [ebp-20] := caption (string assignment helper, inferred)
005574D9 |. 8B55 E0 mov edx, dword ptr [ebp-20]
005574DC |. 8B45 FC mov eax, dword ptr [ebp-4]
005574DF |. 8B80 18040000 mov eax, dword ptr [eax+418] ; object at self+418
005574E5 |. E8 6215F0FF call 00458A4C ; give it the "LBL_Register_Caption" text (caption setter, inferred from the string name)
005574EA |. 8B45 FC mov eax, dword ptr [ebp-4]
005574ED |. E8 161AF2FF call 00478F08 ; post-success call on self (body not in the dump)
005574F2 |. EB 26 jmp short 0055751A ; leave
;—————————<message: registration failed>————————–|
005574F4 |> 6A 40 push 40 ; MB_ICONINFORMATION
005574F6 |. 68 64755500 push 00557564 ; UNICODE “Info_Title”
005574FB |. E8 3C84F2FF call ; string lookup by name
00557500 |. 50 push eax ; caption
00557501 |. 68 F4755500 push 005575F4 ; UNICODE “INF_Register_Failed”
00557506 |. E8 3184F2FF call ; string lookup by name
0055750B |. 50 push eax ; text
0055750C |. 8B45 FC mov eax, dword ptr [ebp-4]
0055750F |. E8 38B2F0FF call 0046274C ; owner window handle
00557514 |. 50 push eax ; |hOwner
00557515 |. E8 5609EBFF call ; \MessageBoxW
;——————————————————————–|
0055751A |> 33C0 xor eax, eax ; common exit: eax = 0 for fs:[0]
0055751C |. 5A pop edx ; previous SEH record
0055751D |. 59 pop ecx ; discard handler address
0055751E |. 59 pop ecx ; discard saved ebp
0055751F |. 64:8910 mov dword ptr fs:[eax], edx ; unlink this frame
00557522 |. 68 5F755500 push 0055755F ; return address for the retn at 00557557 -> epilogue
00557527 |> 8D45 E0 lea eax, dword ptr [ebp-20] ; cleanup entry (also reached from the handler via 0055755D)
0055752A |. E8 BDD7EAFF call 00404CEC ; release the string in [ebp-20] (string-clear helper, inferred; same for the five slots below)
0055752F |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00557532 |. E8 B5D7EAFF call 00404CEC
00557537 |. 8D45 E8 lea eax, dword ptr [ebp-18]
0055753A |. E8 ADD7EAFF call 00404CEC
0055753F |. 8D45 EC lea eax, dword ptr [ebp-14]
00557542 |. E8 A5D7EAFF call 00404CEC
00557547 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0055754A |. E8 9DD7EAFF call 00404CEC
0055754F |. 8D45 F4 lea eax, dword ptr [ebp-C]
00557552 |. E8 95D7EAFF call 00404CEC
00557557 . C3 retn ; pops 0055755F -> continues at the epilogue below
00557558 .^ E9 1FCFEAFF jmp 0040447C ; handler address pushed at 005573D6; 0040447C is the runtime's exception/finally dispatcher (inferred)
0055755D .^ EB C8 jmp short 00557527 ; after an exception: re-enter the string cleanup
0055755F . 8BE5 mov esp, ebp ; epilogue
00557561 . 5D pop ebp
00557562 . C3 retn ; // end
;====================================================================|
;在地址00557496处跟进关键CALL->004E198C
;——————————————————————–|>>第二层>
;-----------------------------------------------------------------------
; Layer 2: 004E198C, called from 00557496.
; In:  eax = e-mail string (-> [ebp-4]), edx = serial string (-> [ebp-8])
; Out: al = result byte of 004E0870, parked at [ebp-9] and reloaded at 004E1A0F
; Creates a helper object ([ebp-10]) from the reference stored at [4DEF44],
; calls 004E0870(eax = object, edx = e-mail, ecx = 0, stack arg = serial),
; then disposes of the object and releases the two string locals.
;-----------------------------------------------------------------------
004E198C /$ 55 push ebp ; // called from 00557496
004E198D |. 8BEC mov ebp, esp
004E198F |. 83C4 F0 add esp, -10 ; 4 dword locals
004E1992 |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = serial, ASCII “09876543212468013579123456789012”
004E1995 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = e-mail, ASCII “ultrain@163.com”
004E1998 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E199B |. E8 1C38F2FF call 004051BC ; string bookkeeping on the e-mail (refcount add, inferred; balanced by the release at 004E19FA)
004E19A0 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII “09876543212468013579123456789012”
004E19A3 |. E8 1438F2FF call 004051BC ; same for the serial
004E19A8 |. 33C0 xor eax, eax ; eax = 0 for fs:[0]
004E19AA |. 55 push ebp
004E19AB |. 68 081A4E00 push 004E1A08 ; exception handler address
004E19B0 |. 64:FF30 push dword ptr fs:[eax] ; save the previous SEH record
004E19B3 |. 64:8920 mov dword ptr fs:[eax], esp ; install this frame
004E19B6 |. 33C9 xor ecx, ecx
004E19B8 |. B2 01 mov dl, 1
004E19BA |. A1 44EF4D00 mov eax, dword ptr [4DEF44] ; class/object reference loaded from a global
004E19BF |. E8 84EDFFFF call 004E0748 ; create the helper object (eax = class ref, dl = 1: Delphi constructor pattern, inferred)
004E19C4 |. 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = helper object
004E19C7 |. 8D45 F0 lea eax, dword ptr [ebp-10] ; address of the object slot
004E19CA |. E8 6DFCFFFF call 004E163C ; set-up through the slot address (body not in the dump)
004E19CF |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII “09876543212468013579123456789012”
004E19D2 |. 50 push eax ; stack arg for 004E0870 ([ebp+8] there) = serial
004E19D3 |. 33C9 xor ecx, ecx ; ecx = 0: the extra string argument is empty
004E19D5 |. 8B55 FC mov edx, dword ptr [ebp-4] ; edx = e-mail, ASCII “ultrain@163.com”
004E19D8 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; eax = helper object
004E19DB |. E8 90EEFFFF call 004E0870 ; => key CALL (layer 3): al = accepted
004E19E0 |. 8845 F7 mov byte ptr [ebp-9], al ; [ebp-9] = result, returned at 004E1A0F
004E19E3 |. B2 01 mov dl, 1
004E19E5 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; helper object
004E19E8 |. 8B08 mov ecx, dword ptr [eax] ; its vtable
004E19EA |. FF51 FC call dword ptr [ecx-4] ; virtual slot at vtable-4 with dl = 1 (Delphi virtual destructor pattern, inferred)
004E19ED |. 33C0 xor eax, eax ; eax = 0 for fs:[0]
004E19EF |. 5A pop edx ; previous SEH record
004E19F0 |. 59 pop ecx ; discard handler address
004E19F1 |. 59 pop ecx ; discard saved ebp
004E19F2 |. 64:8910 mov dword ptr fs:[eax], edx ; unlink this frame
004E19F5 |. 68 0F1A4E00 push 004E1A0F ; return address for the retn at 004E1A07
004E19FA |> 8D45 F8 lea eax, dword ptr [ebp-8] ; first of the 2 string locals
004E19FD |. BA 02000000 mov edx, 2 ; count
004E1A02 |. E8 0933F2FF call 00404D10 ; release [ebp-8] and [ebp-4] (string-array clear helper, inferred)
004E1A07 . C3 retn ; -> 004E1A0F
004E1A08 .^ E9 6F2AF2FF jmp 0040447C ; exception handler entry
004E1A0D .^ EB EB jmp short 004E19FA ; after an exception: re-enter the cleanup
004E1A0F . 8A45 F7 mov al, byte ptr [ebp-9] ; al = result of 004E0870
004E1A12 . 8BE5 mov esp, ebp
004E1A14 . 5D pop ebp
004E1A15 . C3 retn ; // return to 0055749B
;====================================================================|
;在地址004E19DB处跟进关键CALL->004E0870
;——————————————————————–|>>第三层>
;-----------------------------------------------------------------------
; Layer 3: 004E0870, called from 004E19DB.
; In:  eax = helper object ("self", -> [ebp-4]), edx = e-mail (-> [ebp-8]),
;      ecx = extra string, 0 from this caller (-> [ebp-C]),
;      [ebp+8] = serial (stack arg, dropped by retn 4)
; Out: al = [ebp-D]: 1 = serial accepted, 0 = rejected
; Steps: a ~2 s delay loop (GetTickCount / Sleep 2000) -> the e-mail length
; must lie within [self+5C] .. [self+58] and the serial must be non-empty
; -> serial upper-cased -> pre-check 004E0344 -> three values obtained via
; 004E016C / 004E018C / 004E01AC and converted to strings ("56239",
; "99733", "650281" in the author's run) -> 004DF4D8 does the comparison.
; On success the e-mail, the extra string and the serial are stored at
; self+50 / +60 / +68 and 004E0DA4 is called.
; Locals: [ebp-38],[ebp-34],[ebp-30],[ebp-2C] are string temporaries
; released as a group of 4 at 004E0A8B; [ebp-C],[ebp-8] as a group of 2.
;-----------------------------------------------------------------------
004E0870 /$ 55 push ebp ; called from 004E19DB
004E0871 |. 8BEC mov ebp, esp
004E0873 |. 83C4 C8 add esp, -38 ; locals
004E0876 |. 53 push ebx ; callee-saved
004E0877 |. 33DB xor ebx, ebx
004E0879 |. 895D D0 mov dword ptr [ebp-30], ebx ; zero the four string temporaries
004E087C |. 895D CC mov dword ptr [ebp-34], ebx
004E087F |. 895D C8 mov dword ptr [ebp-38], ebx
004E0882 |. 895D D4 mov dword ptr [ebp-2C], ebx
004E0885 |. 894D F4 mov dword ptr [ebp-C], ecx ; [ebp-C] = extra string (0 from layer 2)
004E0888 |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = e-mail
004E088B |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = self
004E088E |. 8B45 F8 mov eax, dword ptr [ebp-8]
004E0891 |. E8 2649F2FF call 004051BC ; string bookkeeping on the e-mail (refcount add, inferred)
004E0896 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004E0899 |. E8 1E49F2FF call 004051BC ; same for the extra string
004E089E |. 8B45 08 mov eax, dword ptr [ebp+8] ; serial, ASCII “09876543212468013579123456789012”
004E08A1 |. E8 1649F2FF call 004051BC ; same for the serial
004E08A6 |. 33C0 xor eax, eax ; eax = 0 for fs:[0]
004E08A8 |. 55 push ebp
004E08A9 |. 68 AE0A4E00 push 004E0AAE ; exception handler address
004E08AE |. 64:FF30 push dword ptr fs:[eax] ; save the previous SEH record
004E08B1 |. 64:8920 mov dword ptr fs:[eax], esp ; install this frame
004E08B4 |> E8 4F6DF2FF /call ; [GetTickCount — delay loop start
004E08B9 |. 8945 EC |mov dword ptr [ebp-14], eax ; start tick
004E08BC |. 68 D0070000 |push 7D0 ; /Timeout = 2000. ms
004E08C1 |. E8 F2FFF2FF |call ; \Sleep
004E08C6 |. 8B45 FC |mov eax, dword ptr [ebp-4]
004E08C9 |. 8B40 54 |mov eax, dword ptr [eax+54] ; object at self+54
004E08CC |. 8078 04 00 |cmp byte ptr [eax+4], 0 ; flag byte at +4
004E08D0 |. 74 0B |je short 004E08DD ; flag clear -> skip
004E08D2 |. 8D55 F8 |lea edx, dword ptr [ebp-8] ; address of the e-mail slot
004E08D5 |. 8B45 FC |mov eax, dword ptr [ebp-4]
004E08D8 |. E8 7BF7FFFF |call 004E0058 ; may update the e-mail slot when the flag is set (body not in the dump)
004E08DD |> E8 266DF2FF |call ; [GetTickCount
004E08E2 |. 8B55 EC |mov edx, dword ptr [ebp-14]
004E08E5 |. 81C2 CF070000 |add edx, 7CF ; start + 1999 ms
004E08EB |. 3BC2 |cmp eax, edx
004E08ED |.^ 72 C5 \jb short 004E08B4 ; repeat while fewer than 0x7CF ms elapsed (unsigned): a ~2 s delay before validation
004E08EF |. 8B45 F8 mov eax, dword ptr [ebp-8] ; e-mail, ASCII “ultrain@163.com”
004E08F2 |. 8945 E8 mov dword ptr [ebp-18], eax
004E08F5 |. 837D E8 00 cmp dword ptr [ebp-18], 0 ; nil string counts as length 0
004E08F9 |. 74 0B je short 004E0906 ; (author: not taken)
004E08FB |. 8B45 E8 mov eax, dword ptr [ebp-18] ; ASCII “ultrain@163.com”
004E08FE |. 83E8 04 sub eax, 4 ; length field precedes the characters (AnsiString layout, inferred)
004E0901 |. 8B00 mov eax, dword ptr [eax] ; eax = length
004E0903 |. 8945 E8 mov dword ptr [ebp-18], eax ; [ebp-18] = e-mail length
004E0906 |> 8B45 E8 mov eax, dword ptr [ebp-18]
004E0909 |. 8B55 FC mov edx, dword ptr [ebp-4]
004E090C |. 3B42 58 cmp eax, dword ptr [edx+58] ; length vs. upper bound at self+58 (signed compare)
004E090F |. 7E 06 jle short 004E0917
004E0911 |. C645 E3 01 mov byte ptr [ebp-1D], 1 ; too long -> out of range
004E0915 |. EB 24 jmp short 004E093B
004E0917 |> 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII “ultrain@163.com”
004E091A |. 8945 E4 mov dword ptr [ebp-1C], eax
004E091D |. 837D E4 00 cmp dword ptr [ebp-1C], 0
004E0921 |. 74 0B je short 004E092E
004E0923 |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; ASCII “ultrain@163.com”
004E0926 |. 83E8 04 sub eax, 4 ; length field again
004E0929 |. 8B00 mov eax, dword ptr [eax]
004E092B |. 8945 E4 mov dword ptr [ebp-1C], eax ; [ebp-1C] = e-mail length
004E092E |> 8B45 E4 mov eax, dword ptr [ebp-1C]
004E0931 |. 8B55 FC mov edx, dword ptr [ebp-4]
004E0934 |. 3B42 5C cmp eax, dword ptr [edx+5C] ; length vs. lower bound at self+5C
004E0937 |. 0F9C45 E3 setl byte ptr [ebp-1D] ; [ebp-1D] = (length < self+5C)
004E093B |> 807D E3 00 cmp byte ptr [ebp-1D], 0
004E093F |. 74 06 je short 004E0947
004E0941 |. C645 DB 01 mov byte ptr [ebp-25], 1 ; e-mail length out of range -> reject
004E0945 |. EB 1F jmp short 004E0966
004E0947 |> 8B45 08 mov eax, dword ptr [ebp+8] ; serial, ASCII “09876543212468013579123456789012”
004E094A |. 8945 DC mov dword ptr [ebp-24], eax
004E094D |. 837D DC 00 cmp dword ptr [ebp-24], 0
004E0951 |. 74 0B je short 004E095E
004E0953 |. 8B45 DC mov eax, dword ptr [ebp-24] ; ASCII “09876543212468013579123456789012”
004E0956 |. 83E8 04 sub eax, 4 ; length field
004E0959 |. 8B00 mov eax, dword ptr [eax]
004E095B |. 8945 DC mov dword ptr [ebp-24], eax ; [ebp-24] = serial length
004E095E |> 837D DC 00 cmp dword ptr [ebp-24], 0
004E0962 |. 0F9445 DB sete byte ptr [ebp-25] ; [ebp-25] = (serial length == 0)
004E0966 |> 807D DB 00 cmp byte ptr [ebp-25], 0
004E096A |. 74 09 je short 004E0975 ; inputs acceptable -> continue
004E096C |. C645 F3 00 mov byte ptr [ebp-D], 0 ; result = rejected
004E0970 |. E9 09010000 jmp 004E0A7E ; leave
004E0975 |> 8D55 D4 lea edx, dword ptr [ebp-2C] ; out
004E0978 |. 8B45 08 mov eax, dword ptr [ebp+8] ; ASCII “09876543212468013579123456789012”
004E097B |. E8 288CF2FF call 004095A8 ; => upper-case the serial into [ebp-2C] (author: lower -> upper)
004E0980 |. 8B55 D4 mov edx, dword ptr [ebp-2C] ; ASCII “09876543212468013579123456789012”
004E0983 |. 8D45 08 lea eax, dword ptr [ebp+8] ; address of the serial argument slot
004E0986 |. E8 F943F2FF call 00404D84 ; [ebp+8] := upper-cased serial (string assignment helper, inferred)
004E098B |. C645 F3 00 mov byte ptr [ebp-D], 0 ; result = 0 until proven otherwise
004E098F |. B1 01 mov cl, 1
004E0991 |. 8B55 08 mov edx, dword ptr [ebp+8] ; ASCII “09876543212468013579123456789012”
004E0994 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E0997 |. E8 A8F9FFFF call 004E0344 ; pre-check on (self, serial, cl = 1); al != 0 rejects (body not in the dump)
004E099C |. 84C0 test al, al
004E099E |. 0F85 DA000000 jnz 004E0A7E ; (author: not taken) leave with result 0
004E09A4 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E09A7 |. 8B80 A0000000 mov eax, dword ptr [eax+A0] ; string at self+A0
004E09AD |. E8 1A48F2FF call 004051CC ; -> character pointer (string-to-PChar helper, inferred; used for every argument below)
004E09B2 |. 50 push eax ; arg 5 of 004DF4D8 ([ebp+18] there)
004E09B3 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E09B6 |. E8 B1F7FFFF call 004E016C ; value 1 from the object
004E09BB |. 8D55 D0 lea edx, dword ptr [ebp-30] ; out
004E09BE |. E8 1994F2FF call 00409DDC ; => convert to string (author: fetch parameter 1)
004E09C3 |. 8B45 D0 mov eax, dword ptr [ebp-30] ; ASCII “56239”
004E09C6 |. E8 0148F2FF call 004051CC ; -> pointer
004E09CB |. 50 push eax ; arg 4 ([ebp+14])
004E09CC |. 8B45 FC mov eax, dword ptr [ebp-4]
004E09CF |. E8 B8F7FFFF call 004E018C ; value 2 from the object
004E09D4 |. 8D55 CC lea edx, dword ptr [ebp-34] ; out
004E09D7 |. E8 0094F2FF call 00409DDC ; => convert to string (author: fetch parameter 2)
004E09DC |. 8B45 CC mov eax, dword ptr [ebp-34] ; ASCII “99733”
004E09DF |. E8 E847F2FF call 004051CC ; -> pointer
004E09E4 |. 50 push eax ; arg 3 ([ebp+10])
004E09E5 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E09E8 |. E8 BFF7FFFF call 004E01AC ; value 3 from the object
004E09ED |. 8D55 C8 lea edx, dword ptr [ebp-38] ; out
004E09F0 |. E8 E793F2FF call 00409DDC ; => convert to string (author: fetch parameter 3)
004E09F5 |. 8B45 C8 mov eax, dword ptr [ebp-38] ; ASCII “650281”
004E09F8 |. E8 CF47F2FF call 004051CC ; -> pointer
004E09FD |. 50 push eax ; arg 2 ([ebp+C])
004E09FE |. 8B45 08 mov eax, dword ptr [ebp+8] ; upper-cased serial, ASCII “09876543212468013579123456789012”
004E0A01 |. E8 C647F2FF call 004051CC ; -> pointer
004E0A06 |. 50 push eax ; arg 1 ([ebp+8])
004E0A07 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E0A0A |. 8B80 9C000000 mov eax, dword ptr [eax+9C] ; string at self+9C
004E0A10 |. E8 B747F2FF call 004051CC ; -> pointer
004E0A15 |. 50 push eax ; parked on the stack, popped into ecx at 004E0A23
004E0A16 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; e-mail, ASCII “ultrain@163.com”
004E0A19 |. E8 AE47F2FF call 004051CC ; -> pointer
004E0A1E |. 8BD0 mov edx, eax ; edx = e-mail pointer
004E0A20 |. 8B45 FC mov eax, dword ptr [ebp-4] ; eax = self
004E0A23 |. 59 pop ecx ; ecx = pointer to the self+9C string
004E0A24 |. E8 AFEAFFFF call 004DF4D8 ; => key CALL (layer 4): eax = self, edx = e-mail, ecx = self+9C string, five stack args; al = match
004E0A29 |. 84C0 test al, al
004E0A2B |. 74 06 je short 004E0A33 ; al == 0 -> mismatch (author: taking this jump means failure)
;—————————|
004E0A2D |. C645 F3 01 mov byte ptr [ebp-D], 1 ; [ebp-D] = 1: match
004E0A31 |. EB 04 jmp short 004E0A37
;—————————|
004E0A33 |> C645 F3 00 mov byte ptr [ebp-D], 0 ; [ebp-D] = 0: mismatch
004E0A37 |> 807D F3 01 cmp byte ptr [ebp-D], 1
004E0A3B |. 75 41 jnz short 004E0A7E ; mismatch -> leave
;—————————|
004E0A3D |. 8B45 FC mov eax, dword ptr [ebp-4]
004E0A40 |. 83C0 50 add eax, 50 ; &self+50
004E0A43 |. 8B55 F8 mov edx, dword ptr [ebp-8] ; e-mail
004E0A46 |. E8 F542F2FF call 00404D40 ; string assign (inferred): self+50 := e-mail
004E0A4B |. 8B45 FC mov eax, dword ptr [ebp-4]
004E0A4E |. 83C0 60 add eax, 60 ; &self+60
004E0A51 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; extra string
004E0A54 |. E8 E742F2FF call 00404D40 ; self+60 := extra string
004E0A59 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E0A5C |. 83C0 68 add eax, 68 ; &self+68
004E0A5F |. 8B55 08 mov edx, dword ptr [ebp+8] ; upper-cased serial
004E0A62 |. E8 D942F2FF call 00404D40 ; self+68 := serial
004E0A67 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E0A6A |. 83C0 44 add eax, 44 ; &self+44
004E0A6D |. E8 7A42F2FF call 00404CEC ; clear the string at self+44
004E0A72 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E0A75 |. E8 2A030000 call 004E0DA4 ; post-acceptance call on self (body not in the dump)
004E0A7A |. C645 F3 01 mov byte ptr [ebp-D], 1 ; result = accepted
004E0A7E |> 33C0 xor eax, eax ; common exit: eax = 0 for fs:[0]
004E0A80 |. 5A pop edx ; previous SEH record
004E0A81 |. 59 pop ecx ; discard handler address
004E0A82 |. 59 pop ecx ; discard saved ebp
004E0A83 |. 64:8910 mov dword ptr fs:[eax], edx ; unlink this frame
004E0A86 |. 68 B50A4E00 push 004E0AB5 ; return address for the retn at 004E0AAD
004E0A8B |> 8D45 C8 lea eax, dword ptr [ebp-38] ; first of 4 string temporaries
004E0A8E |. BA 04000000 mov edx, 4 ; count
004E0A93 |. E8 7842F2FF call 00404D10 ; release [ebp-38],[ebp-34],[ebp-30],[ebp-2C]
004E0A98 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004E0A9B |. BA 02000000 mov edx, 2
004E0AA0 |. E8 6B42F2FF call 00404D10 ; release [ebp-C],[ebp-8]
004E0AA5 |. 8D45 08 lea eax, dword ptr [ebp+8]
004E0AA8 |. E8 3F42F2FF call 00404CEC ; release the serial copy held in the argument slot
004E0AAD . C3 retn ; -> 004E0AB5
004E0AAE .^ E9 C939F2FF jmp 0040447C ; exception handler entry
004E0AB3 .^ EB D6 jmp short 004E0A8B ; after an exception: re-enter the cleanup
004E0AB5 . 8A45 F3 mov al, byte ptr [ebp-D] ; al = result
004E0AB8 . 5B pop ebx
004E0AB9 . 8BE5 mov esp, ebp
004E0ABB . 5D pop ebp
004E0ABC . C2 0400 retn 4 ; // return, dropping the one stack argument
;====================================================================|
;在地址004E0A24处跟进关键CALL->004DF4D8
;——————————————————————–|>>第四层>
;-----------------------------------------------------------------------
; Layer 4: 004DF4D8, called from 004E055D and 004E0A24.
; In:  eax = self (-> [ebp-4]), edx = e-mail pointer (-> [ebp-8]),
;      ecx = pointer to the self+9C string (-> [ebp-C]; empty in the author's run)
;      [ebp+8]  = upper-cased serial (32 characters in the author's run)
;      [ebp+C]  = value 3 ("650281"), [ebp+10] = value 2 ("99733"),
;      [ebp+14] = value 1 ("56239"), [ebp+18] = pointer to the self+A0 string
;      (five stack args, dropped by retn 14)
; Out: al = [ebp-D] = 1 when the two 12-character buffers compare equal
; Work buffers: [ebp-98] (A) and [ebp-118] (B), 0x80 bytes each, filled
; from the template at 004DF778. Digest side: up to four rounds of
; 004DF7F8, the first over the upper-cased e-mail keyed by value 1, each
; later round over the first 12 characters of the previous output
; (byte [ebp-8C] = A+0xC is zeroed first) keyed by value 2 / value 3 /
; the self+9C string. Serial side: the serial is copied into B, its
; character groups reversed in place (loop at 004DF66F; see the author's
; rule below), encoded by 004DFABC into [ebp-198], truncated to 12
; characters ([ebp-18C] = 0) and compared with A by 0040ABB0.
; Only those 12 characters decide the result.
;-----------------------------------------------------------------------
004DF4D8 /$ 55 push ebp ; // called from 004E055D, 004E0A24
004DF4D9 |. 8BEC mov ebp, esp
004DF4DB |. 81C4 60FEFFFF add esp, -1A0 ; locals: two 0x80-byte work buffers plus scalars and strings
004DF4E1 |. 53 push ebx ; callee-saved
004DF4E2 |. 56 push esi
004DF4E3 |. 57 push edi
004DF4E4 |. 33DB xor ebx, ebx
004DF4E6 |. 899D 64FEFFFF mov dword ptr [ebp-19C], ebx ; zero the two string temporaries
004DF4EC |. 899D 60FEFFFF mov dword ptr [ebp-1A0], ebx
004DF4F2 |. 894D F4 mov dword ptr [ebp-C], ecx ; [ebp-C] = pointer to the self+9C string
004DF4F5 |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = e-mail pointer
004DF4F8 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = self
004DF4FB |. 33C0 xor eax, eax ; eax = 0 for fs:[0]
004DF4FD |. 55 push ebp
004DF4FE |. 68 65F74D00 push 004DF765 ; exception handler address
004DF503 |. 64:FF30 push dword ptr fs:[eax] ; save the previous SEH record
004DF506 |. 64:8920 mov dword ptr fs:[eax], esp ; install this frame
004DF509 |. BE 78F74D00 mov esi, 004DF778 ; template for the work buffers (contents not in the dump)
004DF50E |. 8DBD 68FFFFFF lea edi, dword ptr [ebp-98] ; work buffer A
004DF514 |. B9 20000000 mov ecx, 20 ; 0x20 dwords = 0x80 bytes
004DF519 |. F3:A5 rep movs dword ptr es:[edi], dword p> ; fill A from the template
004DF51B |. BE 78F74D00 mov esi, 004DF778
004DF520 |. 8DBD E8FEFFFF lea edi, dword ptr [ebp-118] ; work buffer B
004DF526 |. B9 20000000 mov ecx, 20
004DF52B |. F3:A5 rep movs dword ptr es:[edi], dword p> ; fill B from the template
;—————————<round 1: e-mail keyed by value 1>——————————-|
004DF52D |. 837D 14 00 cmp dword ptr [ebp+14], 0 ; value 1 pointer (“56239”)
004DF531 |. 74 59 je short 004DF58C ; nil -> skip round 1
004DF533 |. 8B45 14 mov eax, dword ptr [ebp+14] ; value 1: “56239”
004DF536 |. 8038 00 cmp byte ptr [eax], 0 ; first character (‘5’)
004DF539 |. 76 51 jbe short 004DF58C ; empty -> skip round 1
004DF53B |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
004DF541 |. 50 push eax ; output buffer for 004DF7F8 ([ebp+C] there) = B
004DF542 |. 6A 7F push 7F ; maximum output length for 004DF7F8 ([ebp+8] there)
004DF544 |. 8D85 60FEFFFF lea eax, dword ptr [ebp-1A0] ; out: string temporary
004DF54A |. 8B55 F8 mov edx, dword ptr [ebp-8] ; e-mail pointer, ASCII “ultrain@163.com”
004DF54D |. E8 9259F2FF call 00404EE4 ; [ebp-1A0] := string built from the e-mail pointer (inferred)
004DF552 |. 8B85 60FEFFFF mov eax, dword ptr [ebp-1A0] ; ASCII “ultrain@163.com”
004DF558 |. 8D95 64FEFFFF lea edx, dword ptr [ebp-19C] ; out
004DF55E |. E8 45A0F2FF call 004095A8 ; upper-case -> [ebp-19C]
004DF563 |. 8B85 64FEFFFF mov eax, dword ptr [ebp-19C] ; ASCII “ULTRAIN@163.COM”
004DF569 |. E8 5E5CF2FF call 004051CC ; -> character pointer
004DF56E |. 8BD0 mov edx, eax ; edx = upper-cased e-mail
004DF570 |. 8B4D 14 mov ecx, dword ptr [ebp+14] ; ecx = key = value 1 (“56239”)
004DF573 |. 8B45 FC mov eax, dword ptr [ebp-4] ; eax = self
004DF576 |. E8 7D020000 call 004DF7F8 ; => round 1: hex-text digest of (text, key) written to B
004DF57B |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118] ; round-1 output, ASCII “888089887881877A6C72706C828F8E565758595ACCF8FBF3”
004DF581 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004DF587 |. E8 44B5F2FF call 0040AAD0 ; copy B -> A (eax = dest, edx = src; strcpy-like helper, inferred)
;—————————<round 2: first 12 chars of round 1 keyed by value 2>——————————|
004DF58C |> 837D 10 00 cmp dword ptr [ebp+10], 0 ; value 2 pointer (“99733”)
004DF590 |. 74 3A je short 004DF5CC ; nil -> skip round 2
004DF592 |. 8B45 10 mov eax, dword ptr [ebp+10] ; value 2: “99733”
004DF595 |. 8038 00 cmp byte ptr [eax], 0 ; first character (‘9’)
004DF598 |. 76 32 jbe short 004DF5CC ; empty -> skip round 2
004DF59A |. C685 74FFFFFF>mov byte ptr [ebp-8C], 0 ; A+0xC = 0: truncate the previous output to 12 characters
004DF5A1 |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118] ; ASCII “888089887881877A6C72706C828F8E565758595ACCF8FBF3”
004DF5A7 |. 50 push eax ; output buffer = B
004DF5A8 |. 6A 7F push 7F ; maximum length
004DF5AA |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98] ; input text = A, ASCII “888089887881” (12-char prefix)
004DF5B0 |. 8B4D 10 mov ecx, dword ptr [ebp+10] ; key = value 2 (“99733”)
004DF5B3 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DF5B6 |. E8 3D020000 call 004DF7F8 ; => round 2
004DF5BB |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118] ; round-2 output, ASCII “6061625B6466666767696A64F2E38568”
004DF5C1 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-98] ; ASCII “888089887881”
004DF5C7 |. E8 04B5F2FF call 0040AAD0 ; copy B -> A
;—————————<round 3: first 12 chars of round 2 keyed by value 3>——————————-|
004DF5CC |> 837D 0C 00 cmp dword ptr [ebp+C], 0 ; value 3 pointer (“650281”)
004DF5D0 |. 74 3A je short 004DF60C ; nil -> skip round 3
004DF5D2 |. 8B45 0C mov eax, dword ptr [ebp+C] ; value 3: “650281”
004DF5D5 |. 8038 00 cmp byte ptr [eax], 0 ; first character (‘6’)
004DF5D8 |. 76 32 jbe short 004DF60C ; empty -> skip round 3
004DF5DA |. C685 74FFFFFF>mov byte ptr [ebp-8C], 0 ; truncate A to 12 characters
004DF5E1 |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118] ; ASCII “6061625B6466666767696A64F2E38568”
004DF5E7 |. 50 push eax ; output buffer = B
004DF5E8 |. 6A 7F push 7F ; maximum length
004DF5EA |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98] ; input text = A, ASCII “6061625B6466”
004DF5F0 |. 8B4D 0C mov ecx, dword ptr [ebp+C] ; key = value 3 (“650281”)
004DF5F3 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DF5F6 |. E8 FD010000 call 004DF7F8 ; => round 3
004DF5FB |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118] ; round-3 output, ASCII “423D4440464347554A494C4DE10AC2CC”
004DF601 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-98] ; ASCII “6061625B6466”
004DF607 |. E8 C4B4F2FF call 0040AAD0 ; copy B -> A
;——————————————————————–|
004DF60C |> 837D F4 00 cmp dword ptr [ebp-C], 0 ; round 4 key: the self+9C string
004DF610 |. 74 3A je short 004DF64C ; nil -> skip round 4
004DF612 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004DF615 |. 8038 00 cmp byte ptr [eax], 0
004DF618 |. 76 32 jbe short 004DF64C ; empty -> skip round 4 (author: taken, so round 4 did not run)
004DF61A |. C685 74FFFFFF>mov byte ptr [ebp-8C], 0 ; truncate A to 12 characters
004DF621 |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
004DF627 |. 50 push eax ; output buffer = B
004DF628 |. 6A 7F push 7F ; maximum length
004DF62A |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98] ; input text = A
004DF630 |. 8B4D F4 mov ecx, dword ptr [ebp-C] ; key = self+9C string
004DF633 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DF636 |. E8 BD010000 call 004DF7F8 ; round 4
004DF63B |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118]
004DF641 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004DF647 |. E8 84B4F2FF call 0040AAD0 ; copy B -> A
;——————————————————————–|
004DF64C |> C685 74FFFFFF>mov byte ptr [ebp-8C], 0 ; A now holds the 12-character digest used in the final compare
004DF653 |. 33C0 xor eax, eax
004DF655 |. 8945 EC mov dword ptr [ebp-14], eax ; pos = 0
004DF658 |. C745 E8 02000>mov dword ptr [ebp-18], 2 ; group size = 2
004DF65F |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118] ; dest = B (previous content: ASCII “423D4440464347554A494C4DE10AC2CC”, overwritten here)
004DF665 |. 8B55 08 mov edx, dword ptr [ebp+8] ; src = serial, ASCII “09876543212468013579123456789012”
004DF668 |. E8 63B4F2FF call 0040AAD0 ; B := serial
004DF66D |. EB 5B jmp short 004DF6CA ; enter the loop at its condition
;—————————<serial regrouping: reverse groups of 2, 3, 4, ...>—————————–|
004DF66F |> 8D85 E8FEFFFF /lea eax, dword ptr [ebp-118]
004DF675 |. E8 FEB3F2FF |call 0040AA78 ; eax = length of B (length helper; the author reads its result as a length at 004DF831 too)
004DF67A |. 8B55 EC |mov edx, dword ptr [ebp-14] ; pos
004DF67D |. 0355 E8 |add edx, dword ptr [ebp-18] ; pos + size
004DF680 |. 3BC2 |cmp eax, edx
004DF682 |. 73 28 |jnb short 004DF6AC ; length >= pos + size -> full group
004DF684 |. 8D85 E8FEFFFF |lea eax, dword ptr [ebp-118]
004DF68A |. E8 E9B3F2FF |call 0040AA78 ; eax = length
004DF68F |. 2B45 EC |sub eax, dword ptr [ebp-14] ; last group is shorter: size = length - pos
004DF692 |. 8945 E8 |mov dword ptr [ebp-18], eax
004DF695 |. 8B45 EC |mov eax, dword ptr [ebp-14]
004DF698 |. 8D9405 E8FEFF>|lea edx, dword ptr [ebp+eax-118] ; edx = &B[pos]
004DF69F |. 8B4D E8 |mov ecx, dword ptr [ebp-18] ; ecx = size
004DF6A2 |. 8B45 FC |mov eax, dword ptr [ebp-4] ; self
004DF6A5 |. E8 52060000 |call 004DFCFC ; reverse the group in place (per the author's rule; body not in the dump)
004DF6AA |. EB 15 |jmp short 004DF6C1
004DF6AC |> 8B45 EC |mov eax, dword ptr [ebp-14]
004DF6AF |. 8D9405 E8FEFF>|lea edx, dword ptr [ebp+eax-118] ; edx = &B[pos]
004DF6B6 |. 8B4D E8 |mov ecx, dword ptr [ebp-18] ; ecx = size
004DF6B9 |. 8B45 FC |mov eax, dword ptr [ebp-4] ; self
004DF6BC |. E8 3B060000 |call 004DFCFC ; reverse the group in place
004DF6C1 |> 8B45 E8 |mov eax, dword ptr [ebp-18]
004DF6C4 |. 0145 EC |add dword ptr [ebp-14], eax ; pos += size
004DF6C7 |. FF45 E8 |inc dword ptr [ebp-18] ; size++
004DF6CA |> 8D85 E8FEFFFF lea eax, dword ptr [ebp-118] ; loop condition
004DF6D0 |. E8 A3B3F2FF |call 0040AA78 ; eax = length
004DF6D5 |. 48 |dec eax ; length - 1
004DF6D6 |. 3B45 EC |cmp eax, dword ptr [ebp-14]
004DF6D9 |.^ 77 94 \ja short 004DF66F ; loop while length - 1 > pos (unsigned)
;—————————|
; Author's note, translated: regrouping rule — split the string from left
; to right into groups of 2, 3, 4, 5, ... characters, e.g. for
; 09876543212468013579123456789012 schematically (98)(765)(4321)(0abcd)(ef),
; then reverse the characters inside each group: (89)(567)(1234)(dcba0)(fe).
; The annotated values confirm it: “0987…9012” at 004DF665 becomes
; “9067…1098” at 004DF718, i.e. 09|876|5432|12468|013579|1234567|89012
; with every group reversed (the final group is whatever is left over).
变换规则:
从左向右分组:2,3,4,5…
例如:09876543212468013579123456789012
(98)(765)(4321)(0abcd)(ef)
然后组内进行逆序排列
(89)(567)(1234)(dcba0)(fe)
;—————————|
004DF6DB |. 837D 18 00 cmp dword ptr [ebp+18], 0 ; the self+A0 string
004DF6DF |. 74 22 je short 004DF703 ; nil -> key the encoding with value 1 instead
004DF6E1 |. 8B45 18 mov eax, dword ptr [ebp+18]
004DF6E4 |. 8038 00 cmp byte ptr [eax], 0
004DF6E7 |. 76 1A jbe short 004DF703 ; empty -> key the encoding with value 1 instead
004DF6E9 |. 8D85 68FEFFFF lea eax, dword ptr [ebp-198]
004DF6EF |. 50 push eax ; output buffer = [ebp-198]
004DF6F0 |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118] ; regrouped serial
004DF6F6 |. 8B4D 18 mov ecx, dword ptr [ebp+18] ; key = self+A0 string
004DF6F9 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DF6FC |. E8 BB030000 call 004DFABC ; encode the regrouped serial under that key
004DF701 |. EB 26 jmp short 004DF729
004DF703 |> 837D 14 00 cmp dword ptr [ebp+14], 0 ; value 1, ASCII “56239”
004DF707 |. 74 20 je short 004DF729 ; nil -> no encoding; [ebp-198] keeps its initial contents
004DF709 |. 8B45 14 mov eax, dword ptr [ebp+14] ; ASCII “56239”
004DF70C |. 8038 00 cmp byte ptr [eax], 0 ; ‘5’
004DF70F |. 76 18 jbe short 004DF729 ; empty -> no encoding
004DF711 |. 8D85 68FEFFFF lea eax, dword ptr [ebp-198] ; output after the call: UNICODE “MzcnI0bvLysvRysfFvNG8ys250bm7uMfNx8XOusfOu4E=” (the annotations here show this branch ran in the author's session; the text looks base64-like, not verified)
004DF717 |. 50 push eax ; output buffer = [ebp-198]
004DF718 |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118] ; regrouped serial, ASCII “90678234586421975310765432121098”
004DF71E |. 8B4D 14 mov ecx, dword ptr [ebp+14] ; key = value 1, ASCII “56239”
004DF721 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DF724 |. E8 93030000 call 004DFABC ; => encode the regrouped serial (author: transform of the reshaped serial)
004DF729 |> C685 74FEFFFF>mov byte ptr [ebp-18C], 0 ; [ebp-198]+0xC = 0: keep only the first 12 characters of the encoded serial
004DF730 |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98] ; A, ASCII “423D44404643”: the 12-character digest from the rounds above
004DF736 |. 8D85 68FEFFFF lea eax, dword ptr [ebp-198] ; 12-character prefix of the encoded serial
004DF73C |. E8 6FB4F2FF call 0040ABB0 ; compare the two buffers (author: value comparison); eax == 0 means equal
004DF741 |. 85C0 test eax, eax
004DF743 |. 0F9445 F3 sete byte ptr [ebp-D] ; result = (equal); this is the value layer 3 stores in its [ebp-D]
004DF747 |. 33C0 xor eax, eax ; eax = 0 for fs:[0]
004DF749 |. 5A pop edx ; previous SEH record
004DF74A |. 59 pop ecx ; discard handler address
004DF74B |. 59 pop ecx ; discard saved ebp
004DF74C |. 64:8910 mov dword ptr fs:[eax], edx ; unlink this frame
004DF74F |. 68 6CF74D00 push 004DF76C ; return address for the retn at 004DF764
004DF754 |> 8D85 60FEFFFF lea eax, dword ptr [ebp-1A0] ; first of 2 string temporaries
004DF75A |. BA 02000000 mov edx, 2 ; count
004DF75F |. E8 AC55F2FF call 00404D10 ; release [ebp-1A0],[ebp-19C]
004DF764 . C3 retn ; -> 004DF76C
004DF765 .^ E9 124DF2FF jmp 0040447C ; exception handler entry
004DF76A .^ EB E8 jmp short 004DF754 ; after an exception: re-enter the cleanup
004DF76C . 8A45 F3 mov al, byte ptr [ebp-D] ; al = result
004DF76F . 5F pop edi
004DF770 . 5E pop esi
004DF771 . 5B pop ebx
004DF772 . 8BE5 mov esp, ebp
004DF774 . 5D pop ebp
004DF775 . C2 1400 retn 14 ; // return, dropping the five stack arguments
;====================================================================|
;在地址004DF576处F7跟进关键CALL->004DF7F8===用户名加密变换算法========
;——————————————————————–|
004DF7F8 /$ 55 push ebp ; //本地调用来自 004DF576, 004DF5B6, 004DF5F6, 004DF636
004DF7F9 |. 8BEC mov ebp, esp
004DF7FB |. 83C4 98 add esp, -68
004DF7FE |. 53 push ebx
004DF7FF |. 33DB xor ebx, ebx
004DF801 |. 895D B8 mov dword ptr [ebp-48], ebx
004DF804 |. 895D C4 mov dword ptr [ebp-3C], ebx
004DF807 |. 894D F4 mov dword ptr [ebp-C], ecx ; [ebp-C] = ASCII “56239”
004DF80A |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = ASCII “ULTRAIN@163.COM”
004DF80D |. 8945 FC mov dword ptr [ebp-4], eax
004DF810 |. 33C0 xor eax, eax
004DF812 |. 55 push ebp
004DF813 |. 68 7FFA4D00 push 004DFA7F
004DF818 |. 64:FF30 push dword ptr fs:[eax]
004DF81B |. 64:8920 mov dword ptr fs:[eax], esp
004DF81E |. 8B45 F8 mov eax, dword ptr [ebp-8]
004DF821 |. E8 52B2F2FF call 0040AA78
004DF826 |. 8945 F0 mov dword ptr [ebp-10], eax
004DF829 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004DF82C |. E8 47B2F2FF call 0040AA78
004DF831 |. 8945 EC mov dword ptr [ebp-14], eax ; EAX = 邮箱长度
004DF834 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004DF837 |. 03C0 add eax, eax ; EAX = EAX + EAX
004DF839 |. 83C0 08 add eax, 8 ; EAX = EAX + 8
004DF83C |. 85C0 test eax, eax
004DF83E |. 79 03 jns short 004DF843
004DF840 |. 83C0 0F add eax, 0F
004DF843 |> C1F8 04 sar eax, 4 ; EAX = EAX / (2^4)
004DF846 |. 40 inc eax ; EAX = EAX + 1
004DF847 |. C1E0 04 shl eax, 4 ; EAX = EAX * (2^4)
004DF84A |. 8945 E8 mov dword ptr [ebp-18], eax ; 30
004DF84D |. 33C0 xor eax, eax
004DF84F |. 8945 E4 mov dword ptr [ebp-1C], eax ; [ebp-1C]初始化为0
004DF852 |. 33C0 xor eax, eax
004DF854 |. 8945 E0 mov dword ptr [ebp-20], eax ; [ebp-20]初始化为0
004DF857 |. 33C0 xor eax, eax
004DF859 |. 8945 D8 mov dword ptr [ebp-28], eax ; [ebp-28]初始化为0
004DF85C |. 8B45 F0 mov eax, dword ptr [ebp-10] ; [ebp-10] = F
004DF85F |. 03C0 add eax, eax ; EAX = EAX + EAX
004DF861 |. 83C0 08 add eax, 8 ; EAX = EAX + 8
004DF864 |. 25 0F000080 and eax, 8000000F ; EAX = EAX & 8000000F
004DF869 |. 79 05 jns short 004DF870
004DF86B |. 48 dec eax
004DF86C |. 83C8 F0 or eax, FFFFFFF0
004DF86F |. 40 inc eax
004DF870 |> 85C0 test eax, eax ; 6
004DF872 |. 75 18 jnz short 004DF88C
004DF874 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004DF877 |. 03C0 add eax, eax
004DF879 |. 83C0 08 add eax, 8
004DF87C |. 85C0 test eax, eax
004DF87E |. 79 03 jns short 004DF883
004DF880 |. 83C0 0F add eax, 0F
004DF883 |> C1F8 04 sar eax, 4
004DF886 |. C1E0 04 shl eax, 4
004DF889 |. 8945 E8 mov dword ptr [ebp-18], eax
004DF88C |> 8B45 F0 mov eax, dword ptr [ebp-10] ; 10
004DF88F |. 48 dec eax
004DF890 |. 85C0 test eax, eax
004DF892 |. 7C 4C jl short 004DF8E0
004DF894 |. 40 inc eax
004DF895 |. 8945 C8 mov dword ptr [ebp-38], eax
004DF898 |. C745 D0 00000>mov dword ptr [ebp-30], 0
;—————————<计算ebp-28/[EBP-1C]>—————|
004DF89F |> 8B45 F8 /mov eax, dword ptr [ebp-8] ; ASCII “ULTRAIN@163.COM”
004DF8A2 |. 8B55 D0 |mov edx, dword ptr [ebp-30] ; EDX = [ebp-30]
004DF8A5 |. 0FB60410 |movzx eax, byte ptr [eax+edx] ; ‘U’
004DF8A9 |. 8B55 F8 |mov edx, dword ptr [ebp-8] ; ASCII “ULTRAIN@163.COM”
004DF8AC |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
004DF8AF |. 0FB6140A |movzx edx, byte ptr [edx+ecx] ; ‘U’
004DF8B3 |. F7EA |imul edx ; EAX = EAX * EDX
004DF8B5 |. 0145 E4 |add dword ptr [ebp-1C], eax ; [ebp-1C] = [ebp-1C] + EAX
004DF8B8 |. 8B45 D0 |mov eax, dword ptr [ebp-30]
004DF8BB |. 25 01000080 |and eax, 80000001 ; EAX = EAX & 80000001
004DF8C0 |. 79 05 |jns short 004DF8C7
004DF8C2 |. 48 |dec eax
004DF8C3 |. 83C8 FE |or eax, FFFFFFFE
004DF8C6 |. 40 |inc eax
004DF8C7 |> 85C0 |test eax, eax
004DF8C9 |. 75 0D |jnz short 004DF8D8
004DF8CB |. 8B45 F8 |mov eax, dword ptr [ebp-8] ; ASCII “ULTRAIN@163.COM”
004DF8CE |. 8B55 D0 |mov edx, dword ptr [ebp-30]
004DF8D1 |. 0FB60410 |movzx eax, byte ptr [eax+edx] ; ‘U’
004DF8D5 |. 0145 D8 |add dword ptr [ebp-28], eax ; [ebp-28] = [ebp-28] + EAX
004DF8D8 |> FF45 D0 |inc dword ptr [ebp-30] ; 累加器[ebp-30]++
004DF8DB |. FF4D C8 |dec dword ptr [ebp-38] ; 计数器[ebp-38]–
004DF8DE |.^ 75 BF \jnz short 004DF89F ; //循环
;——————————————————————–|
004DF8E0 |> 8B45 EC mov eax, dword ptr [ebp-14] ; 5
004DF8E3 |. 48 dec eax
004DF8E4 |. 85C0 test eax, eax
004DF8E6 |. 7C 4C jl short 004DF934
004DF8E8 |. 40 inc eax
004DF8E9 |. 8945 C8 mov dword ptr [ebp-38], eax
004DF8EC |. C745 D0 00000>mov dword ptr [ebp-30], 0
;—————————<计算ebp-28/[EBP-20]>—————|
004DF8F3 |> 8B45 F4 /mov eax, dword ptr [ebp-C] ; ASCII “56239”
004DF8F6 |. 8B55 D0 |mov edx, dword ptr [ebp-30] ; EDX = [ebp-30]
004DF8F9 |. 0FB60410 |movzx eax, byte ptr [eax+edx] ; ‘5’
004DF8FD |. 8B55 F4 |mov edx, dword ptr [ebp-C] ; ASCII “56239”
004DF900 |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
004DF903 |. 0FB6140A |movzx edx, byte ptr [edx+ecx] ; ‘5’
004DF907 |. F7EA |imul edx ; EAX = EAX * EDX
004DF909 |. 0145 E0 |add dword ptr [ebp-20], eax ; [ebp-20] = [ebp-20] + EAX
004DF90C |. 8B45 D0 |mov eax, dword ptr [ebp-30]
004DF90F |. 25 01000080 |and eax, 80000001
004DF914 |. 79 05 |jns short 004DF91B
004DF916 |. 48 |dec eax
004DF917 |. 83C8 FE |or eax, FFFFFFFE
004DF91A |. 40 |inc eax
004DF91B |> 85C0 |test eax, eax
004DF91D |. 75 0D |jnz short 004DF92C
004DF91F |. 8B45 F4 |mov eax, dword ptr [ebp-C]
004DF922 |. 8B55 D0 |mov edx, dword ptr [ebp-30]
004DF925 |. 0FB60410 |movzx eax, byte ptr [eax+edx]
004DF929 |. 0145 D8 |add dword ptr [ebp-28], eax ; [ebp-28] = [ebp-28] + EAX
004DF92C |> FF45 D0 |inc dword ptr [ebp-30]
004DF92F |. FF4D C8 |dec dword ptr [ebp-38]
004DF932 |.^ 75 BF \jnz short 004DF8F3 ;
;——————————————————————–|
004DF934 |> 8B45 E4 mov eax, dword ptr [ebp-1C] ; 堆栈 ss:[0012F678]=00011DF8
004DF937 |. 0345 E0 add eax, dword ptr [ebp-20] ; 堆栈 ss:[0012F674]=000036FB
004DF93A |. 8945 DC mov dword ptr [ebp-24], eax ; eax=000154F3
004DF93D |. 8B45 E8 mov eax, dword ptr [ebp-18] ; 堆栈 ss:[0012F67C]=00000030
004DF940 |. 3B45 08 cmp eax, dword ptr [ebp+8] ; 堆栈 ss:[0012F69C]=0000007F
004DF943 |. 7C 07 jl short 004DF94C
004DF945 |. 8B45 08 mov eax, dword ptr [ebp+8]
004DF948 |. 48 dec eax
004DF949 |. 8945 E8 mov dword ptr [ebp-18], eax
004DF94C |> 8B45 E8 mov eax, dword ptr [ebp-18]
004DF94F |. 83E8 08 sub eax, 8
004DF952 |. 48 dec eax
004DF953 |. D1F8 sar eax, 1
004DF955 |. 79 03 jns short 004DF95A
004DF957 |. 83D0 00 adc eax, 0
004DF95A |> 85C0 test eax, eax
004DF95C |. 0F8C 91000000 jl 004DF9F3
004DF962 |. 40 inc eax
004DF963 |. 8945 C8 mov dword ptr [ebp-38], eax ; eax=00000014
004DF966 |. C745 D0 00000>mov dword ptr [ebp-30], 0 ; [ebp-30]初始化为0
;—————————<计算[ebp-24]>—————————|
004DF96D |> 8B45 D0 /mov eax, dword ptr [ebp-30] ; EAX = [ebp-30]
004DF970 |. 3B45 F0 |cmp eax, dword ptr [ebp-10] ; 堆栈 ss:[0012F684]=0000000F
004DF973 |. 7D 0E |jge short 004DF983
004DF975 |. 8B45 F8 |mov eax, dword ptr [ebp-8] ; ASCII “ULTRAIN@163.COM”
004DF978 |. 8B55 D0 |mov edx, dword ptr [ebp-30]
004DF97B |. 8A0410 |mov al, byte ptr [eax+edx] ; ‘U’
004DF97E |. 8845 D7 |mov byte ptr [ebp-29], al
004DF981 |. EB 04 |jmp short 004DF987
004DF983 |> C645 D7 14 |mov byte ptr [ebp-29], 14
004DF987 |> 8B45 D0 |mov eax, dword ptr [ebp-30] ; EAX = [ebp-30]
004DF98A |. 03C0 |add eax, eax ; EAX = EAX + EAX
004DF98C |. 0345 0C |add eax, dword ptr [ebp+C] ; EAX = EAX + [ebp+C]
004DF98F |. 8945 CC |mov dword ptr [ebp-34], eax
004DF992 |. 8D45 C4 |lea eax, dword ptr [ebp-3C]
004DF995 |. 50 |push eax
004DF996 |. 33C0 |xor eax, eax
004DF998 |. 8A45 D7 |mov al, byte ptr [ebp-29] ; ‘U’
004DF99B |. 8B55 D0 |mov edx, dword ptr [ebp-30] ; EDX = [ebp-30]
004DF99E |. 81E2 3F000080 |and edx, 8000003F ; EDX = EDX & 8000003F
004DF9A4 |. 79 05 |jns short 004DF9AB
004DF9A6 |. 4A |dec edx
004DF9A7 |. 83CA C0 |or edx, FFFFFFC0
004DF9AA |. 42 |inc edx
004DF9AB |> 03C2 |add eax, edx ; EAX = EAX + EDX
004DF9AD |. 8B55 DC |mov edx, dword ptr [ebp-24] ; EDX = [ebp-24]
004DF9B0 |. 81E2 3F000080 |and edx, 8000003F ; EDX = EDX & 8000003F
004DF9B6 |. 79 05 |jns short 004DF9BD
004DF9B8 |. 4A |dec edx
004DF9B9 |. 83CA C0 |or edx, FFFFFFC0
004DF9BC |. 42 |inc edx
004DF9BD |> 03C2 |add eax, edx ; |EAX = EAX + EDX
004DF9BF |. 8945 BC |mov dword ptr [ebp-44], eax ; |
004DF9C2 |. C645 C0 00 |mov byte ptr [ebp-40], 0 ; |
004DF9C6 |. 8D55 BC |lea edx, dword ptr [ebp-44] ; |
004DF9C9 |. 33C9 |xor ecx, ecx ; |
004DF9CB |. B8 98FA4D00 |mov eax, 004DFA98 ; |ASCII “%2x”
004DF9D0 |. E8 EBB8F2FF |call 0040B2C0 ; \数值转化为字符
004DF9D5 |. 8B45 C4 |mov eax, dword ptr [ebp-3C] ; ASCII “88”
004DF9D8 |. E8 EF57F2FF |call 004051CC
004DF9DD |. 8BD0 |mov edx, eax
004DF9DF |. 8B45 CC |mov eax, dword ptr [ebp-34]
004DF9E2 |. E8 E9B0F2FF |call 0040AAD0
004DF9E7 |. FF45 D0 |inc dword ptr [ebp-30] ; 累加器
004DF9EA |. FF4D C8 |dec dword ptr [ebp-38] ; 计数器
004DF9ED |.^ 0F85 7AFFFFFF \jnz 004DF96D ; //循环
;——————————————————————–|
004DF9F3 |> 8B45 0C mov eax, dword ptr [ebp+C] ; ASCII “888089887881877A6C72706C828F8E565758595A”
004DF9F6 |. 0345 E8 add eax, dword ptr [ebp-18]
004DF9F9 |. 83E8 08 sub eax, 8
004DF9FC |. 8945 CC mov dword ptr [ebp-34], eax
004DF9FF |. 8D45 B8 lea eax, dword ptr [ebp-48]
004DFA02 |. 50 push eax ; /Arg1
004DFA03 |. 33C0 xor eax, eax ; |
004DFA05 |. 8A45 D8 mov al, byte ptr [ebp-28] ; |CC
004DFA08 |. 8945 98 mov dword ptr [ebp-68], eax ; |
004DFA0B |. C645 9C 00 mov byte ptr [ebp-64], 0 ; |
004DFA0F |. 33C0 xor eax, eax ; |
004DFA11 |. 8A45 E4 mov al, byte ptr [ebp-1C] ; |F8
004DFA14 |. 8945 A0 mov dword ptr [ebp-60], eax ; |
004DFA17 |. C645 A4 00 mov byte ptr [ebp-5C], 0 ; |
004DFA1B |. 33C0 xor eax, eax ; |
004DFA1D |. 8A45 E0 mov al, byte ptr [ebp-20] ; |FB
004DFA20 |. 8945 A8 mov dword ptr [ebp-58], eax ; |
004DFA23 |. C645 AC 00 mov byte ptr [ebp-54], 0 ; |
004DFA27 |. 33C0 xor eax, eax ; |
004DFA29 |. 8A45 DC mov al, byte ptr [ebp-24] ; |F3
004DFA2C |. 8945 B0 mov dword ptr [ebp-50], eax ; |
004DFA2F |. C645 B4 00 mov byte ptr [ebp-4C], 0 ; |
004DFA33 |. 8D55 98 lea edx, dword ptr [ebp-68] ; |
004DFA36 |. B9 03000000 mov ecx, 3 ; |
004DFA3B |. B8 A4FA4D00 mov eax, 004DFAA4 ; |ASCII “%2.2x%2.2x%2.2x%2.2x”
004DFA40 |. E8 7BB8F2FF call 0040B2C0 ; \数值链接并转化为字符
004DFA45 |. 8B45 B8 mov eax, dword ptr [ebp-48] ; ASCII “CCF8FBF3”
004DFA48 |. E8 7F57F2FF call 004051CC
004DFA4D |. 8BD0 mov edx, eax
004DFA4F |. 8B45 CC mov eax, dword ptr [ebp-34]
004DFA52 |. E8 79B0F2FF call 0040AAD0
004DFA57 |. 8B45 0C mov eax, dword ptr [ebp+C] ; ASCII “888089887881877A6C72706C828F8E565758595ACCF8FBF3”
004DFA5A |. 8B55 E8 mov edx, dword ptr [ebp-18]
004DFA5D |. C60410 00 mov byte ptr [eax+edx], 0
004DFA61 |. 33C0 xor eax, eax
004DFA63 |. 5A pop edx
004DFA64 |. 59 pop ecx
004DFA65 |. 59 pop ecx
004DFA66 |. 64:8910 mov dword ptr fs:[eax], edx
004DFA69 |. 68 86FA4D00 push 004DFA86
004DFA6E |> 8D45 B8 lea eax, dword ptr [ebp-48]
004DFA71 |. E8 7652F2FF call 00404CEC
004DFA76 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
004DFA79 |. E8 6E52F2FF call 00404CEC
004DFA7E . C3 retn
004DFA7F .^ E9 F849F2FF jmp 0040447C
004DFA84 .^ EB E8 jmp short 004DFA6E
004DFA86 . 5B pop ebx
004DFA87 . 8BE5 mov esp, ebp
004DFA89 . 5D pop ebp
004DFA8A . C2 0800 retn 8 ; //返回
;====================================================================|
;-----------------------------------------------------------------------
; Routine 004DFABC: turns the re-ordered serial string into the byte
; sequence that the caller compares against the user-derived KEY
; (see the author's summary that follows this listing).
; Convention: arguments arrive in eax/edx/ecx plus one stack slot and the
; routine installs fs:[0] frames -- this looks like a Borland/Delphi-style
; register convention; confirm against the callers at 004DF6FC / 004DF724.
; In:     eax = arg1, saved to [ebp-4] (not read again in this routine)
;         edx = serial string, saved to [ebp-8]; its length goes to [ebp-10]
;         ecx = third string, saved to [ebp-C]; its length goes to [ebp-14]
;               (not read again in this routine)
;         [ebp+8] = stack argument: output buffer written by the loop
; Out:    eax = 0; result bytes written through [ebp+8]
; Locals: [ebp-48]..[ebp-38] five string slots, zeroed at entry and
;         released at 004DFCD5; [ebp-2C] 4-byte "$xx" text buffer whose
;         first byte is loaded from 004DFCF4; [ebp-2D] current byte;
;         [ebp-28] loop index i; [ebp-34] remaining iteration count;
;         [ebp-20]/[ebp-1C]/[ebp-18]/[ebp-24] the last four 2-char pairs
;         of the serial parsed as hex bytes (per the register annotations)
; Frames: outer SEH frame handler 004DFCE3, inner frame handler 004DFCB1
;-----------------------------------------------------------------------
004DFABC $ 55 push ebp ; local call from 004DF6FC, 004DF724
004DFABD . 8BEC mov ebp, esp
004DFABF . 83C4 B8 add esp, -48 ; reserve 0x48 bytes of locals
004DFAC2 . 53 push ebx ; save callee-saved registers
004DFAC3 . 56 push esi
004DFAC4 . 57 push edi ; ASCII “423D44404643”
004DFAC5 . 33DB xor ebx, ebx
004DFAC7 . 895D B8 mov dword ptr [ebp-48], ebx ; zero the five string locals [ebp-48]..[ebp-38]
004DFACA . 895D BC mov dword ptr [ebp-44], ebx
004DFACD . 895D C0 mov dword ptr [ebp-40], ebx
004DFAD0 . 895D C4 mov dword ptr [ebp-3C], ebx
004DFAD3 . 895D C8 mov dword ptr [ebp-38], ebx
004DFAD6 . 894D F4 mov dword ptr [ebp-C], ecx ; ASCII “56239” ; arg3 (ecx)
004DFAD9 . 8955 F8 mov dword ptr [ebp-8], edx ; ASCII “90678234586421975310765432121098” ; arg2 (edx): the serial string
004DFADC . 8945 FC mov dword ptr [ebp-4], eax ; arg1 (eax); not read again below
004DFADF . 33C0 xor eax, eax ; eax = 0 so that fs:[eax] addresses fs:[0]
004DFAE1 . 55 push ebp ; install the outer SEH frame, handler 004DFCE3
004DFAE2 . 68 E3FC4D00 push 004DFCE3
004DFAE7 . 64:FF30 push dword ptr fs:[eax]
004DFAEA . 64:8920 mov dword ptr fs:[eax], esp
004DFAED . 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII “90678234586421975310765432121098”
004DFAF0 . E8 83AFF2FF call 0040AA78 ; string length
004DFAF5 . 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = len(serial)
004DFAF8 . 8B45 F4 mov eax, dword ptr [ebp-C] ; ASCII “56239”
004DFAFB . E8 78AFF2FF call 0040AA78 ; string length
004DFB00 . 8945 EC mov dword ptr [ebp-14], eax ; [ebp-14] = len(arg3); not read again below
004DFB03 . A1 F4FC4D00 mov eax, dword ptr [4DFCF4] ; ds:[004DFCF4]=00000024 ; '$' -- leading byte of the "$xx" text buffer at [ebp-2C]
004DFB08 . 8945 D4 mov dword ptr [ebp-2C], eax
004DFB0B . 33C0 xor eax, eax
004DFB0D . 55 push ebp ; install the inner SEH frame, handler 004DFCB1
004DFB0E . 68 B1FC4D00 push 004DFCB1
004DFB13 . 64:FF30 push dword ptr fs:[eax]
004DFB16 . 64:8920 mov dword ptr fs:[eax], esp
004DFB19 . 8B45 F0 mov eax, dword ptr [ebp-10] ; eax = len(serial)
004DFB1C . 25 0F000080 and eax, 8000000F ; and/jns/dec/or/inc is the compiler idiom for signed eax % 16
004DFB21 . 79 05 jns short 004DFB28 ; (author: jump taken)
004DFB23 . 48 dec eax
004DFB24 . 83C8 F0 or eax, FFFFFFF0
004DFB27 . 40 inc eax
004DFB28 > 85C0 test eax, eax ; len % 16 != 0 ?
004DFB2A . 0F85 6A010000 jnz 004DFC9A ; taken -> error path (author: "if this jumps, it fails")
;—————————|
004DFB30 . 8B55 F8 mov edx, dword ptr [ebp-8] ; ASCII “90678234586421975310765432121098”
004DFB33 . 0355 F0 add edx, dword ptr [ebp-10]
004DFB36 . 83EA 02 sub edx, 2 ; edx -> last two characters of the serial
004DFB39 . 8D45 D5 lea eax, dword ptr [ebp-2B] ; destination: the two bytes after the '$' at [ebp-2C]
004DFB3C . B9 02000000 mov ecx, 2
004DFB41 . E8 5A85F2FF call 004080A0 ; presumably copies ecx=2 bytes from edx to eax ([ebp-2B] reads "98" afterwards)
004DFB46 . 8D45 C8 lea eax, dword ptr [ebp-38]
004DFB49 . 8D55 D4 lea edx, dword ptr [ebp-2C]
004DFB4C . B9 04000000 mov ecx, 4
004DFB51 . E8 0654F2FF call 00404F5C ; build a string from the 4-byte "$xx" buffer (see the "$10" annotations below)
004DFB56 . 8B45 C8 mov eax, dword ptr [ebp-38]
004DFB59 . E8 9EA4F2FF call 00409FFC ; text -> integer; "$xx" parses as hex ("$98" gives eax=98)
004DFB5E . 8945 E0 mov dword ptr [ebp-20], eax ; eax=00000098 ; [ebp-20] = last pair as a hex byte
004DFB61 . 8B55 F8 mov edx, dword ptr [ebp-8] ; ASCII “90678234586421975310765432121098”
004DFB64 . 0355 F0 add edx, dword ptr [ebp-10]
004DFB67 . 83EA 04 sub edx, 4 ; edx -> second-to-last pair
004DFB6A . 8D45 D5 lea eax, dword ptr [ebp-2B] ; ASCII “98”)
;—————————|
004DFB6D . B9 02000000 mov ecx, 2
004DFB72 . E8 2985F2FF call 004080A0 ; same 2-byte copy as above
004DFB77 . 8D45 C4 lea eax, dword ptr [ebp-3C]
004DFB7A . 8D55 D4 lea edx, dword ptr [ebp-2C] ; (ASCII “$10”)
004DFB7D . B9 04000000 mov ecx, 4
004DFB82 . E8 D553F2FF call 00404F5C
004DFB87 . 8B45 C4 mov eax, dword ptr [ebp-3C] ; (ASCII “$10”)
004DFB8A . E8 6DA4F2FF call 00409FFC ; hex text -> integer
004DFB8F . 8945 E4 mov dword ptr [ebp-1C], eax ; eax=00000010 ; [ebp-1C] = second-to-last pair
004DFB92 . 8B55 F8 mov edx, dword ptr [ebp-8] ; ASCII “90678234586421975310765432121098”
004DFB95 . 0355 F0 add edx, dword ptr [ebp-10]
004DFB98 . 83EA 06 sub edx, 6 ; edx -> third-to-last pair
004DFB9B . 8D45 D5 lea eax, dword ptr [ebp-2B] ; ASCII “10”
;—————————|
004DFB9E . B9 02000000 mov ecx, 2
004DFBA3 . E8 F884F2FF call 004080A0
004DFBA8 . 8D45 C0 lea eax, dword ptr [ebp-40]
004DFBAB . 8D55 D4 lea edx, dword ptr [ebp-2C]
004DFBAE . B9 04000000 mov ecx, 4
004DFBB3 . E8 A453F2FF call 00404F5C
004DFBB8 . 8B45 C0 mov eax, dword ptr [ebp-40]
004DFBBB . E8 3CA4F2FF call 00409FFC ; hex text -> integer
004DFBC0 . 8945 E8 mov dword ptr [ebp-18], eax ; eax=00000012 ; [ebp-18] = third-to-last pair
004DFBC3 . 8B55 F8 mov edx, dword ptr [ebp-8] ; ASCII “90678234586421975310765432121098”
004DFBC6 . 0355 F0 add edx, dword ptr [ebp-10]
004DFBC9 . 83EA 08 sub edx, 8 ; edx -> fourth-to-last pair
004DFBCC . 8D45 D5 lea eax, dword ptr [ebp-2B] ; ASCII “12”
;—————————|
004DFBCF . B9 02000000 mov ecx, 2
004DFBD4 . E8 C784F2FF call 004080A0
004DFBD9 . 8D45 BC lea eax, dword ptr [ebp-44]
004DFBDC . 8D55 D4 lea edx, dword ptr [ebp-2C]
004DFBDF . B9 04000000 mov ecx, 4
004DFBE4 . E8 7353F2FF call 00404F5C
004DFBE9 . 8B45 BC mov eax, dword ptr [ebp-44]
004DFBEC . E8 0BA4F2FF call 00409FFC ; hex text -> integer
004DFBF1 . 8945 DC mov dword ptr [ebp-24], eax ; eax=00000032 ; [ebp-24] = fourth-to-last pair; only [ebp-20] is used by the loop below
004DFBF4 . 8B45 F0 mov eax, dword ptr [ebp-10] ; [ebp-10] = 20 ; eax = len(serial) (0x20 in the author's run)
004DFBF7 . 48 dec eax
004DFBF8 . D1F8 sar eax, 1 ; sar/jns/adc is the compiler idiom for signed (len-1) / 2
004DFBFA . 79 03 jns short 004DFBFF
004DFBFC . 83D0 00 adc eax, 0
004DFBFF > 85C0 test eax, eax
004DFC01 . 0F8C A0000000 jl 004DFCA7 ; negative -> skip the loop entirely
004DFC07 . 40 inc eax
004DFC08 . 8945 CC mov dword ptr [ebp-34], eax ; EAX = 10 ; iteration count = (len-1)/2 + 1, one per character pair
004DFC0B . C745 D8 00000>mov dword ptr [ebp-28], 0 ; i = 0
004DFC12 > 8B55 D8 mov edx, dword ptr [ebp-28] ; loop head: edx = serial + 2*i
004DFC15 . 03D2 add edx, edx
004DFC17 . 0355 F8 add edx, dword ptr [ebp-8] ; ASCII “90678234586421975310765432121098”
004DFC1A . 8D45 D5 lea eax, dword ptr [ebp-2B] ; ASCII “4D”
004DFC1D . B9 02000000 mov ecx, 2
004DFC22 . E8 7984F2FF call 004080A0 ; copy pair i into the "$xx" buffer
004DFC27 . 8D45 B8 lea eax, dword ptr [ebp-48]
004DFC2A . 8D55 D4 lea edx, dword ptr [ebp-2C]
004DFC2D . B9 04000000 mov ecx, 4
;——————————————————————–|
004DFC32 . E8 2553F2FF call 00404F5C
004DFC37 . 8B45 B8 mov eax, dword ptr [ebp-48]
004DFC3A . E8 BDA3F2FF call 00409FFC ; hex text -> integer
004DFC3F . 8845 D3 mov byte ptr [ebp-2D], al ; al=98 ; [ebp-2D] = value of pair i
004DFC42 . 33C0 xor eax, eax
004DFC44 . 8A45 D3 mov al, byte ptr [ebp-2D] ; stack ss:[0012F66B]=98 ; zero-extended pair value
004DFC47 . 8B55 D8 mov edx, dword ptr [ebp-28]
004DFC4A . 81E2 3F000080 and edx, 8000003F ; edx = i % 64 (signed-mod idiom, same shape as at 004DFB1C)
004DFC50 . 79 05 jns short 004DFC57
004DFC52 . 4A dec edx
004DFC53 . 83CA C0 or edx, FFFFFFC0
004DFC56 . 42 inc edx
004DFC57 > 2BC2 sub eax, edx ; eax = pair[i] - (i % 64)
004DFC59 . 8B55 E0 mov edx, dword ptr [ebp-20] ; stack ss:[0012F678]=00000098 ; value of the last pair
004DFC5C . 81E2 3F000080 and edx, 8000003F ; edx = lastpair % 64
004DFC62 . 79 05 jns short 004DFC69
004DFC64 . 4A dec edx
004DFC65 . 83CA C0 or edx, FFFFFFC0
004DFC68 . 42 inc edx
004DFC69 > 2BC2 sub eax, edx ; eax = pair[i] - (i % 64) - (lastpair % 64)
004DFC6B . 8845 D3 mov byte ptr [ebp-2D], al ; al=4B (‘K’) ; keep only the low byte
004DFC6E . 807D D3 14 cmp byte ptr [ebp-2D], 14 ; 0x14 is the pad byte the routine above stores at 004DF983
004DFC72 . 75 0C jnz short 004DFC80
004DFC74 . 8B45 08 mov eax, dword ptr [ebp+8]
004DFC77 . 8B55 D8 mov edx, dword ptr [ebp-28]
004DFC7A . C60410 00 mov byte ptr [eax+edx], 0 ; out[i] = 0: terminate the output and leave the loop
004DFC7E . EB 27 jmp short 004DFCA7
004DFC80 > 8B45 08 mov eax, dword ptr [ebp+8] ; UNICODE “MzcnI0bvLysvRysfFvNG8ys250bm7uMfNx8XOusfOu4E=”)
004DFC83 . 8B55 D8 mov edx, dword ptr [ebp-28]
004DFC86 . 8A4D D3 mov cl, byte ptr [ebp-2D] ; stack ss:[0012F66B]=4B (‘K’)
004DFC89 . 880C10 mov byte ptr [eax+edx], cl ; out[i] = computed byte
004DFC8C . FF45 D8 inc dword ptr [ebp-28] ; i++
004DFC8F . FF4D CC dec dword ptr [ebp-34] ; remaining iterations--
004DFC92 .^ 0F85 7AFFFFFF jnz 004DFC12 ; loop (author notes 8 iterations; the counter starts from [ebp-34])
;——————————————————————–|
算法小结:
x – (i & 8000003F) – str[str.length-1] = key[i];
;——————————————————————–|
004DFC98 . EB 0D jmp short 004DFCA7
004DFC9A > BA F8FC4D00 mov edx, 004DFCF8 ; error path (len % 16 != 0): assign the constant at 004DFCF8 to the output -- presumably an empty string, confirm
004DFC9F . 8B45 08 mov eax, dword ptr [ebp+8]
004DFCA2 . E8 29AEF2FF call 0040AAD0
004DFCA7 > 33C0 xor eax, eax ; eax = 0; unwind the inner SEH frame
004DFCA9 . 5A pop edx
004DFCAA . 59 pop ecx
004DFCAB . 59 pop ecx
004DFCAC . 64:8910 mov dword ptr fs:[eax], edx
004DFCAF . EB 17 jmp short 004DFCC8
004DFCB1 .^ E9 1245F2FF jmp 004041C8 ; inner frame handler entry
004DFCB6 . BA F8FC4D00 mov edx, 004DFCF8 ; exception branch: same constant assignment to the output
004DFCBB . 8B45 08 mov eax, dword ptr [ebp+8]
004DFCBE . E8 0DAEF2FF call 0040AAD0
004DFCC3 . E8 D449F2FF call 0040469C
004DFCC8 > 33C0 xor eax, eax ; eax = 0; unwind the outer SEH frame
004DFCCA . 5A pop edx
004DFCCB . 59 pop ecx
004DFCCC . 59 pop ecx
004DFCCD . 64:8910 mov dword ptr fs:[eax], edx
004DFCD0 . 68 EAFC4D00 push 004DFCEA ; continuation address used by the retn at 004DFCE2
004DFCD5 > 8D45 B8 lea eax, dword ptr [ebp-48]
004DFCD8 . BA 05000000 mov edx, 5 ; release the five string locals zeroed at entry -- presumably, confirm
004DFCDD . E8 2E50F2FF call 00404D10
004DFCE2 . C3 retn ; on the normal path this returns to 004DFCEA
004DFCE3 .^ E9 9447F2FF jmp 0040447C ; outer frame handler entry
004DFCE8 .^ EB EB jmp short 004DFCD5
004DFCEA . 5F pop edi ; restore callee-saved registers
004DFCEB . 5E pop esi ;
004DFCEC . 5B pop ebx
004DFCED . 8BE5 mov esp, ebp
004DFCEF . 5D pop ebp
004DFCF0 . C2 0400 retn 4 ; return; pops the single 4-byte stack argument ([ebp+8])
;====================================================================|
注册验证模型:
f1(f1(f1(用户名))) = f3(f2(序列号)) ? 成功:失败;
1.用户名三轮加密
邮箱各个字符大写
加密算法:
for(int i = 0; i < str.length; i++) { str[i] + (i & 8000003F) + ([ebp-24] & 8000003F) -> 数字转化为字符,并链接;
}
for(int i = 0; i < Email.length; i++)
{
[ebp-1C] = Email[i] * Email[i];
if(Email[i] % 2 == 0)
[ebp-28] = Email[i] * (Email[i] + 1) & 80000001;
else
[ebp-28] = Email[i] * (Email[i] + 1) & 80000001 + Email[i];
}
for(int i = 0; i < cansu_yi.length; i++)
{
[ebp-20] = cansu_yi[i] * cansu_yi[i];
if(cansu_yi[i] % 2 == 0)
[ebp-28] = cansu_yi[i] * (cansu_yi[i] + 1) & 80000001;
else
[ebp-28] = cansu_yi[i] * (cansu_yi[i] + 1) & 80000001 + Email[i];
}
[ebp-24] = [ebp-1C] + [ebp-20];
依次取下面四段的后八个字节,并与上面的字符串相连接
[ebp-28] ; |CC
[ebp-1C] ; |F8
[ebp-20] ; |FB
[ebp-24] ; |F3
(1)一轮加密
被加密串:"ULTRAIN@163.COM"
加密参数:"56239"
输出结果:"888089887881877A6C72706C828F8E565758595ACCF8FBF3"
取前12位:"888089887881"
(2)二轮加密
被加密串:"888089887881"
加密参数:"99733"
输出结果:"6061625B6466666767696A64F2E38568"
取前12位:"6061625B6466"
(3)三轮加密
被加密串:"6061625B6466"
加密参数:"650281"
输出结果:"423D4440464347554A494C4DE10AC2CC"
取前12位:"423D44404643"
设KEY = "423D44404643"
2.序列号分组逆序
分组:按a[i] = i + 1进行分组
逆序:array[i] <—>array[array.length-i]
示例:
变换前:str_old = "09876543212468013579123456789012"
变换后:str_new = "90678234586421975310765432121098"
3.对变形的序列号再次加密
x - (i & 8000003F) - ('e' & 8000003F) = key[i];
说明:
x = str_new[i] + str_new[i+1];
e = str_new[str_new.length-1];
4.校验zap a mole
if(KEY == key)
return true;
else
return false;