直邮群发大师2002 Algorithm Analysis (2)


Author: QQread, December 19, 2007

Keywords: encryption software, encryption technology, encryption, file encryption, folder encryption, encryption tools


##############################################
Heh, look at the "small mistake" TRW makes! ^-^
?EAX
DEC=-1717838278
HEX=999BDE3A

##############################################

:0050DDDD 2B45F8                  sub eax, dword ptr [ebp-08]
                           ====>EAX=999BDE3A-240D358B=758EA8AF

:0050DDE0 1B55FC                  sbb edx, dword ptr [ebp-04]
                                 ====>EDX=9C6D9D-0=9C6D9D

:0050DDE3 8945F0                  mov dword ptr [ebp-10], eax
                                 ====>758EA8AF stored to [ebp-10]

:0050DDE6 8955F4                  mov dword ptr [ebp-0C], edx
                                 ====>9C6D9D stored to [ebp-0C]

:0050DDE9 8D55D0                  lea edx, dword ptr [ebp-30]
:0050DDEC 8B8310030000            mov eax, dword ptr [ebx+00000310]
:0050DDF2 E851F2F3FF              call 0044D048
:0050DDF7 8B45D0                  mov eax, dword ptr [ebp-30]
:0050DDFA 50                      push eax
:0050DDFB FF75FC                  push [ebp-04]
:0050DDFE FF75F8                  push [ebp-08]
:0050DE01 8B45F0                  mov eax, dword ptr [ebp-10]
                                 ====>758EA8AF loaded into EAX
:0050DE04 8B55F4                  mov edx, dword ptr [ebp-0C]
                                 ====>9C6D9D loaded into EDX
:0050DE07 E84C79EFFF              call 00405758
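                                 ====>Key CALL; call it key CALL 2
This CALL runs a 64-iteration loop over the EAX and EDX values above to produce the hex value of the real code! Details follow below.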

:0050DE0C 52                      push edx
:0050DE0D 50                      push eax
:0050DE0E 8D45CC                  lea eax, dword ptr [ebp-34]
:0050DE11 E8CEB3EFFF              call 004091E4
:0050DE16 8B55CC                  mov edx, dword ptr [ebp-34]
                                 ====>D EDX=72796479 the real code!

:0050DE19 58                      pop eax
:0050DE1A E8016CEFFF              call 00404A20
                                ====>Comparison CALL! Step in with F8!

:0050DE1F 0F85B9000000            jne 0050DEDE
                                 ====>If this jump is taken, it's OVER!

:0050DE25 B201                    mov dl, 01
:0050DE27 A114364700              mov eax, dword ptr [00473614]
:0050DE2C E8E358F6FF              call 00473714
:0050DE31 8945DC                  mov dword ptr [ebp-24], eax
:0050DE34 33C0                    xor eax, eax
:0050DE36 55                      push ebp
:0050DE37 68D7DE5000              push 0050DED7
:0050DE3C 64FF30                  push dword ptr fs:[eax]
:0050DE3F 648920                  mov dword ptr fs:[eax], esp
:0050DE42 BA02000080              mov edx, 80000002
:0050DE47 8B45DC                  mov eax, dword ptr [ebp-24]
:0050DE4A E86559F6FF              call 004737B4
:0050DE4F 8D45D8                  lea eax, dword ptr [ebp-28]

* Possible StringData Ref from Code Obj ->"System\Services\ed946c1b-4b05-4070-b56c-d47d82"
                                       ->"37c207"
                                 |
:0050DE52 BA54DF5000              mov edx, 0050DF54
:0050DE57 E85068EFFF              call 004046AC
:0050DE5C 8B55D8                  mov edx, dword ptr [ebp-28]
:0050DE5F 8B45DC                  mov eax, dword ptr [ebp-24]
:0050DE62 E8DD61F6FF              call 00474044
:0050DE67 84C0                    test al, al
:0050DE69 750B                    jne 0050DE76
:0050DE6B 8B55D8                  mov edx, dword ptr [ebp-28]
:0050DE6E 8B45DC                  mov eax, dword ptr [ebp-24]
:0050DE71 E8A659F6FF              call 0047381C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050DE69(C)
|
:0050DE76 B101                    mov cl, 01
:0050DE78 8B55D8                  mov edx, dword ptr [ebp-28]
:0050DE7B 8B45DC                  mov eax, dword ptr [ebp-24]
:0050DE7E E8755AF6FF              call 004738F8
:0050DE83 B101                    mov cl, 01
:0050DE85 BA94DF5000              mov edx, 0050DF94
:0050DE8A 8B45DC                  mov eax, dword ptr [ebp-24]
:0050DE8D E8925FF6FF              call 00473E24
:0050DE92 8B45DC                  mov eax, dword ptr [ebp-24]
:0050DE95 E8EA58F6FF              call 00473784
:0050DE9A 6A40                    push 00000040

* Possible StringData Ref from Code Obj ->"注册成功"
                                 ====>Success! (the string reads "Registration successful")
:0050DE9C B998DF5000              mov ecx, 0050DF98

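* Possible StringData Ref from Code Obj ->"感谢您购买我们的软件!特别提示:如果您的电脑硬"
                                       ->"盘被重新格式化,则必须根据新的机器码向比天国际"
                                       ->"获取新的软件注册码。"
                                 ====>The string reads: "Thank you for purchasing our software! Special note: if your computer's hard disk is reformatted, you must obtain a new registration code from 比天国际 based on the new machine code."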
                                 |
:0050DEA1 BAA4DF5000              mov edx, 0050DFA4


—————————————————————————————
3. Step into key CALL 2 with F8: 50DE07  call 00405758


* Referenced by a CALL at Addresses:
|:0041499B   , :0050DE07 
|
:00405758 55                      push ebp
:00405759 53                      push ebx
:0040575A 56                      push esi
:0040575B 57                      push edi
:0040575C 31FF                    xor edi, edi
:0040575E 8B5C2414                mov ebx, dword ptr [esp+14]
:00405762 8B4C2418                mov ecx, dword ptr [esp+18]
:00405766 09C9                    or ecx, ecx
:00405768 7508                    jne 00405772
:0040576A 09D2                    or edx, edx
:0040576C 745C                    je 004057CA
:0040576E 09DB                    or ebx, ebx
:00405770 7458                    je 004057CA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405768(C)
|
:00405772 09D2                    or edx, edx
:00405774 790A                    jns 00405780
:00405776 F7DA                    neg edx
:00405778 F7D8                    neg eax
:0040577A 83DA00                  sbb edx, 00000000
:0040577D 83CF01                  or edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405774(C)
|
:00405780 09C9                    or ecx, ecx
:00405782 790A                    jns 0040578E
:00405784 F7D9                    neg ecx
:00405786 F7DB                    neg ebx
:00405788 83D900                  sbb ecx, 00000000
:0040578B 83F701                  xor edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405782(C)
|
:0040578E 89CD                    mov ebp, ecx
:00405790 B940000000              mov ecx, 00000040
                                 ====>Heh, 64 iterations!
:00405795 57                      push edi
:00405796 31FF                    xor edi, edi
:00405798 31F6                    xor esi, esi
:0040579A D1E0                    shl eax, 1
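                                 ====>758EA8AF arithmetic-shifted left 64 times
                                 ====>result after the 64 left shifts=456C93E

:0040579C D1D2                    rcl edx, 1
                                 ====>9C6D9D rotated left through carry 64 times
                                 ====>result after the 64 left shifts=0
:0040579E D1D6                    rcl esi, 1
                                 ====>result after the 64 left shifts=329F8E05
:004057A0 D1D7                    rcl edi, 1
                                 ====>result after the 64 left shifts=0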
:004057A2 39EF                    cmp edi, ebp
:004057A4 720B                    jb 004057B1
:004057A6 7704                    ja 004057AC
:004057A8 39DE                    cmp esi, ebx
:004057AA 7205                    jb 004057B1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004057A6(C)
|
:004057AC 29DE                    sub esi, ebx
                                 ====>ESI-EBX

:004057AE 19EF                    sbb edi, ebp
:004057B0 40                      inc eax
                                 ====>EAX incremented by 1

Heh, the result after the 64 loop iterations: EAX=456C93E+1=456C93F, which is the hex value of the real code!


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004057A4(C), :004057AA(C)
|
:004057B1 E2E7                    loop 0040579A
                                 ====>Loop!
:004057B3 5B                      pop ebx
:004057B4 F7C301000000            test ebx, 00000001
:004057BA 7407                    je 004057C3
:004057BC F7DA                    neg edx
:004057BE F7D8                    neg eax
:004057C0 83DA00                  sbb edx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004057BA(C), :004057CE(U)
|
:004057C3 5F                      pop edi
:004057C4 5E                      pop esi
:004057C5 5B                      pop ebx
:004057C6 5D                      pop ebp
:004057C7 C20800                  ret 0008
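
The loop at 0040579A-004057B1 shifts EDX:EAX left one bit per pass into EDI:ESI and subtracts EBP:EBX whenever the partial remainder reaches it, which is the bit-by-bit pattern of a 64-bit long division. The C model below is an added example, not code from the original article or from the program; the function names are hypothetical, the inputs are the register values quoted in the listings, and the early exit to 004057CA (not shown on the page) is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of the loop at 0040579A..004057B1 (not the program's source).
 * quot plays EDX:EAX, rem plays EDI:ESI, divisor plays EBP:EBX. */
typedef struct { uint64_t quot, rem; } divres;

divres shift_subtract_div(uint64_t dividend, uint64_t divisor)
{
    uint64_t quot = dividend, rem = 0;
    for (int i = 0; i < 64; i++) {          /* mov ecx,40h ... loop 0040579A */
        rem = (rem << 1) | (quot >> 63);    /* shl eax / rcl edx / rcl esi / rcl edi */
        quot <<= 1;
        if (rem >= divisor) {               /* cmp edi,ebp ; cmp esi,ebx */
            rem -= divisor;                 /* sub esi,ebx ; sbb edi,ebp */
            quot |= 1;                      /* inc eax (bit 0 is clear after the shift) */
        }
    }
    return (divres){ quot, rem };
}

/* Sign handling as at 00405772..0040578B and 004057B3..004057C0:
 * divide magnitudes, negate the quotient if exactly one operand was negative. */
int64_t signed_div64(int64_t a, int64_t b)
{
    int negate = (a < 0) ^ (b < 0);
    uint64_t ua = a < 0 ? 0 - (uint64_t)a : (uint64_t)a;
    uint64_t ub = b < 0 ? 0 - (uint64_t)b : (uint64_t)b;
    uint64_t q = shift_subtract_div(ua, ub).quot;
    return (int64_t)(negate ? 0 - q : q);
}

int main(void)
{
    /* Register values quoted on the page: EDX:EAX and the pushed [ebp-04]:[ebp-08]. */
    uint64_t dividend = 0x009C6D9D758EA8AFULL, divisor = 0x240D358BULL;
    divres r = shift_subtract_div(dividend, divisor);
    printf("quot=%llX (%llu) rem=%llX\n", (unsigned long long)r.quot,
           (unsigned long long)r.quot, (unsigned long long)r.rem);
    return 0;
}
```

With the page's values the model returns 456C93F (72796479 decimal), the value the author reads from EDX before the comparison CALL.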


—————————————————————————————
4. Step into the comparison CALL with F8: 0050DE1A  call 00404A20


* Referenced by a CALL at Addresses:
|:0041D3DB   , :004240C6   , :00426E73   , :0042C93D   , :0042DC74 
|:00433DBB   , :00433DD9   , :0043BAE0   , :0044BEDA   , :0044BF68 
|
…… ……many places CALL this routine …… ……

:00404A20 53                      push ebx
:00404A21 56                      push esi
:00404A22 57                      push edi
:00404A23 89C6                    mov esi, eax
:00404A25 89D7                    mov edi, edx
:00404A27 39D0                    cmp eax, edx
                                 ====>D EAX=13572468 trial code
                                 ====>D EDX=72796479 the real code!!

:00404A29 0F848F000000            je 00404ABE


—————————————————————————————

[KeyMake memory keygen]:


Break address: 50DE1A
Break count: 1
First byte: E8
Instruction length: 5

Break address: 404A27
Break count: 1
First byte: 39
Instruction length: 2

Memory mode: EDX

—————————————————————————————

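[Summary]:


The program operates on its own built-in value 44030620021284410 to obtain 999BDE3A,
999BDE3A - my hard disk serial number - the built-in 1A85 = 758EA8AF.

758EA8AF arithmetic-shifted left 64 times = 456C93E
456C93E+1=456C93F, which is the hex value of the real code!


Strange! Does it really have to be re-registered every time?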

—————————————————————————————

[Collected results]:


Machine code: 604838662
Registration code: 72796479
