0040120E E8 05010000 CALL <JMP.&user32.wsprintfA>
00401213 83C4 0C ADD ESP,0C
00401216 68 20334000 PUSH unpacked.00403320 ; ASCII "tsrh-2013-"
0040121B E8 34010000 CALL <JMP.&kernel32.lstrlen>
00401220 8B3D 14354000 MOV EDI,DWORD PTR DS:[403514] ; edi = user name length
00401226 BE 01000000 MOV ESI,1 ; esi = 1
0040122B 8BC8 MOV ECX,EAX ; ecx = length of "tsrh-2013-"
0040122D C3 RETN
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; procedure 2: compute the serial
0040122E 56 PUSH ESI
0040122F 68 20334000 PUSH unpacked.00403320 ; ASCII "tsrh-2013-"
00401234 E8 1B010000 CALL <JMP.&kernel32.lstrlen> ; get the length of the string "tsrh-2013-"
00401239 8B3D 14354000 MOV EDI,DWORD PTR DS:[403514] ; EDI = user name length
0040123F BE 01000000 MOV ESI,1 ; esi = 1
00401244 8BC8 MOV ECX,EAX ; ecx = length of the string "tsrh-2013-"
;;;;;;;;;;;;L5:
00401246 B8 B0344000 MOV EAX,unpacked.004034B0 ; ASCII "bj20080808"
0040124B 0FB64406 FF MOVZX EAX,BYTE PTR DS:[ESI+EAX-1] ; eax = byte ESI-1 of "bj20080808" (the first byte on the first pass)
00401250 04 0C ADD AL,0C ; al = al + 0x0C
00401252 0FB6D0 MOVZX EDX,AL ; edx = al
00401255 83EA 11 SUB EDX,11 ; edx = edx - 0x11
00401258 03D0 ADD EDX,EAX ; edx = edx + eax
0040125A 2BD1 SUB EDX,ECX ; edx = edx - ecx
0040125C 33C2 XOR EAX,EDX ; eax = eax ^ edx
0040125E 50 PUSH EAX ; push eax (the value for "%X")
0040125F 68 18354000 PUSH unpacked.00403518 ; ASCII "%X"
00401264 8D81 20334000 LEA EAX,DWORD PTR DS:[ECX+403320] ; end of the buffer (ECX = its current length), so the hex text is appended
0040126A 50 PUSH EAX
0040126B E8 A8000000 CALL <JMP.&user32.wsprintfA>
00401270 83C4 0C ADD ESP,0C
00401273 68 20334000 PUSH unpacked.00403320 ; ASCII "tsrh-2013-"
00401278 E8 D7000000 CALL <JMP.&kernel32.lstrlen>
0040127D 8BC8 MOV ECX,EAX ; ecx = new length of the string
0040127F 46 INC ESI ; esi = esi + 1
00401280 4F DEC EDI ; edi = user name length - 1
00401281 ^ 75 C3 JNZ SHORT unpacked.00401246 ; loop to L5
00401283 33C0 XOR EAX,EAX ; eax = 0
00401285 5E POP ESI ; restore esi
00401286 C3 RETN
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; procedure 3: compute the serial
00401287 53 PUSH EBX
00401288 BE 01000000 MOV ESI,1
;;;;;;;;;;;;L8:
0040128D B8 B0344000 MOV EAX,unpacked.004034B0 ; ASCII "bj20080808"
00401292 0FB64406 FF MOVZX EAX,BYTE PTR DS:[ESI+EAX-1] ; fetch one character into eax
00401297 85C0 TEST EAX,EAX ; is it the terminator?
00401299 74 34 JE SHORT unpacked.004012CF ; yes: exit the loop
0040129B 40 INC EAX ; eax = eax + 1
0040129C BA 20334000 MOV EDX,unpacked.00403320 ; ASCII "tsrh-2013-"
004012A1 0FB65416 0B MOVZX EDX,BYTE PTR DS:[ESI+EDX+B] ; edx = a character after "tsrh-2013-" (byte ESI+0x0B of the buffer)
004012A6 33C2 XOR EAX,EDX ; eax = eax ^ edx
;;;;;;;;;;;L7
004012A8 83F8 41 CMP EAX,41 ; compare eax with 0x41 ('A')
004012AB 7D 05 JGE SHORT unpacked.004012B2 ; if eax >= 0x41, jump to L6
004012AD 83C0 08 ADD EAX,8 ; otherwise eax = eax + 8
004012B0 ^ EB F6 JMP SHORT unpacked.004012A8 ; jump to L7
;;;;;;;;;;;L6
004012B2 83F8 5A CMP EAX,5A ; compare eax with 0x5A ('Z')
004012B5 7E 05 JLE SHORT unpacked.004012BC ; if eax <= 0x5A, leave the loop
004012B7 83E8 03 SUB EAX,3 ; eax = eax - 3
004012BA ^ EB F6 JMP SHORT unpacked.004012B2 ; jump to L6
004012BC 83C6 09 ADD ESI,9 ; esi = esi + 9
004012BF BB 20334000 MOV EBX,unpacked.00403320 ; ASCII "tsrh-2013-"
004012C4 89041E MOV DWORD PTR DS:[ESI+EBX],EAX ; store the character at offset ESI of the buffer (a dword store, so the three bytes after it become 0)
004012C7 83EE 08 SUB ESI,8 ; esi = original esi + 1
004012CA 83FE 10 CMP ESI,10 ; at most 15 characters
004012CD ^ 75 BE JNZ SHORT unpacked.0040128D ; if not equal, continue the loop at L8
004012CF 33C0 XOR EAX,EAX
004012D1 5B POP EBX
;=====================================================================; at this point the serial has been computed
;=====================================================================; the keygen can be written now, heh..
004012D2 E8 01000000 CALL unpacked.004012D8 ; call procedure 4
004012D7 C3 RETN
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; procedure 4: compare the serials
004012D8 53 PUSH EBX
004012D9 33F6 XOR ESI,ESI
004012DB BB 90314000 MOV EBX,unpacked.00403190 ; ASCII "2008"
004012E0 8B1C1E MOV EBX,DWORD PTR DS:[ESI+EBX] ; fetch (a dword of) the entered serial
004012E3 B8 20334000 MOV EAX,unpacked.00403320 ; ASCII "tsrh-2013-"
004012E8 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX] ; fetch (a dword of) the computed serial
004012EB 84C0 TEST AL,AL ; is this the terminator?
004012ED 74 09 JE SHORT unpacked.004012F8 ; if the serial has ended, exit the loop
004012EF 46 INC ESI ; advance to the next character (and the three after it)
004012F0 3BD8 CMP EBX,EAX ; compare the serials
004012F2 ^ 74 E7 JE SHORT unpacked.004012DB ; equal: continue
004012F4 33C0 XOR EAX,EAX ; otherwise EAX = 0
004012F6 EB 01 JMP SHORT unpacked.004012F9 ; exit
004012F8 40 INC EAX ; if the entered serial matches the computed one, eax = 1
004012F9 5B POP EBX ; eax==0 failure, eax==1 success
004012FA C3 RETN ; return
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; procedure 5: modifies the displayed message
004012FB 50 PUSH EAX
004012FC B9 00304000 MOV ECX,unpacked.00403000 ; ASCII "Invalid Serial!"
00401301 0FB610 MOVZX EDX,BYTE PTR DS:[EAX] ; read a byte of the source string
00401304 85D2 TEST EDX,EDX
00401306 74 09 JE SHORT unpacked.00401311 ; terminator: done
00401308 83C2 10 ADD EDX,10 ; shift each character by 0x10
0040130B 8811 MOV BYTE PTR DS:[ECX],DL ; write it into the message buffer
0040130D 40 INC EAX
0040130E 41 INC ECX
0040130F ^ EB F0 JMP SHORT unpacked.00401301
00401311 33C0 XOR EAX,EAX
00401313 8901 MOV DWORD PTR DS:[ECX],EAX ; terminate the message with a zero dword
00401315 58 POP EAX
00401316 C3 RETN
00401317 CC INT3
00401318 - FF25 34204000 JMP DWORD PTR DS:[<&user32.wsprintfA>] ; USER32.wsprintfA
0040131E - FF25 30204000 JMP DWORD PTR DS:[<&user32.DialogBoxPara>; USER32.DialogBoxParamA
00401324 - FF25 2C204000 JMP DWORD PTR DS:[<&user32.EndDialog>] ; USER32.EndDialog
0040132A - FF25 28204000 JMP DWORD PTR DS:[<&user32.GetDlgItemTex>; USER32.GetDlgItemTextA
00401330 - FF25 24204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ; USER32.MessageBoxA
00401336 - FF25 20204000 JMP DWORD PTR DS:[<&user32.SetDlgItemTex>; USER32.SetDlgItemTextA
0040133C - FF25 10204000 JMP DWORD PTR DS:[<&kernel32.CreateMutex>; kernel32.CreateMutexA
00401342 - FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess
00401348 - FF25 0C204000 JMP DWORD PTR DS:[<&kernel32.GetLastErro>; ntdll.RtlGetLastWin32Error
0040134E - FF25 08204000 JMP DWORD PTR DS:[<&kernel32.GetModuleHa>; kernel32.GetModuleHandleA
00401354 - FF25 04204000 JMP DWORD PTR DS:[<&kernel32.lstrlen>] ; kernel32.lstrlenA
0040135A - FF25 18204000 JMP DWORD PTR DS:[<&shell32.ShellExecute>; shell32.ShellExecuteA
Result of tracing:
User name: bj20080808
Serial: tsrh-2013-AYCAAAAAAA
3. Writing the keygen
See the KeyGen code
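As an added example that is not the write-up's own KeyGen (which is not reproduced on this page), the following Python re-implements procedures 2 to 4 exactly as read from the listing above, so the reading can be checked against the traced name/serial pair. Function names are this example's own; it assumes the static buffers are zero beyond their strings and that the user name is non-empty.

```python
PREFIX = "tsrh-2013-"   # initial contents of the buffer at 00403320


def stage2_hex_digest(name: str) -> bytearray:
    """Procedure 2: once per name byte, append wsprintfA("%X", v) to the buffer,
    v = a ^ (2*a - 0x11 - L), a = (c + 0x0C) & 0xFF, L = lstrlen(buffer) re-read
    after every append, so each hex pair depends on how much was written before."""
    buf = bytearray(PREFIX, "ascii")
    for c in name.encode("latin-1"):
        a = (c + 0x0C) & 0xFF                         # ADD AL,0C touches only the low byte
        edx = (2 * a - 0x11 - len(buf)) & 0xFFFFFFFF  # SUB EDX,11; ADD EDX,EAX; SUB EDX,ECX
        buf += ("%X" % (a ^ edx)).encode("ascii")     # prints 8 digits if EDX went negative
    return buf


def stage3_serial(name: str, buf: bytearray) -> str:
    """Procedure 3: overwrite buf[10..] in place with letters in 'A'..'Z'.
    Each letter is stored with MOV DWORD PTR [ESI+EBX],EAX, which zero-fills the
    three bytes after it, so from the second pass on the byte read at buf[i+12]
    is one of those zeros, not a stage-2 hex digit. Model assumption: the static
    buffer is zero beyond the string."""
    buf = bytearray(buf) + bytes(16)
    raw = name.encode("latin-1")
    for i in range(15):                 # CMP ESI,10 / JNZ: at most 15 name bytes
        if i >= len(raw):               # TEST EAX,EAX / JE: name terminator reached
            break
        v = (raw[i] + 1) ^ buf[i + 12]  # INC EAX; XOR with byte ESI+0x0B of the buffer
        while v < 0x41:                 # L7: raise values below 'A' in steps of 8
            v += 8
        while v > 0x5A:                 # L6: lower values above 'Z' in steps of 3
            v -= 3
        buf[i + 10:i + 14] = v.to_bytes(4, "little")  # dword store at ESI+9
    return buf[:buf.index(0)].decode("ascii")


def keygen(name: str) -> str:
    if not name:  # procedure 2 decrements EDI from 0 and would never terminate
        raise ValueError("user name must not be empty")
    return stage3_serial(name, stage2_hex_digest(name))


def stage4_compare(entered: str, computed: str) -> bool:
    """Procedure 4: compare one dword per byte offset until the computed buffer's
    byte at that offset is 0; both buffers assumed zero-filled after the string."""
    a = entered.encode("latin-1") + bytes(4)
    b = computed.encode("latin-1") + bytes(4)
    for i in range(len(b) - 3):
        if b[i] == 0:
            return True
        if a[i:i + 4] != b[i:i + 4]:
            return False
    return True
```

keygen("bj20080808") returns the traced serial tsrh-2013-AYCAAAAAAA; the intermediate buffer after procedure 2 is tsrh-2013-AFB9636B69276D1B711F, of which only the byte at offset 12 ('B') ever reaches procedure 3's XOR because of the dword stores.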