
[转帖]菜鸟算法练习破文六

【破文标题】菜鸟maomaoma的算法练习破文六 【破文作者】maomaoma 【作者邮箱】 【作者主页】无 【破解工具】OD、PEiD 【破解平台】winxp 【软件名称】Photoplorer 3.01 【软件大小】1744KB 【原版下载】http://nj.onlinedown.net/soft/29508.htm 【保护方式】无 【软件简介】快速浏览照片,图片以及管理,打印,电邮,察看数码相机里的照片的软件 【破解声明】我是菜鸟,学写破文,还请大侠多多指教:) ------------------------------------------------------------------------ 【破解过程】 1、PEiD查主程序无壳,Microsoft Visual C++ 6.0 [Debug]编译 2、OD载入,ctrl+N在USER32.GetWindowTextA下断点,F9运行,几次中断后至合适断点,多次F8,向上翻来到以下代码处,删除所有断点,在0044C320处重新下断,F9运行,具体分析如下: 0044C320 /$ 55 push ebp ; OD断在此处 0044C321 |. 8BEC mov ebp, esp 0044C323 |. 6A FF push -1 0044C325 |. 68 F6795200 push 005279F6 ; SE 处理程序安装 0044C32A |. 64:A1 0000000>mov eax, fs:[0] 0044C330 |. 50 push eax 0044C331 |. 64:8925 00000>mov fs:[0], esp 0044C338 |. 81EC 34030000 sub esp, 334 0044C33E |. 53 push ebx 0044C33F |. 56 push esi 0044C340 |. 57 push edi 0044C341 |. 894D F0 mov [ebp-10], ecx 0044C344 |. 6A 00 push 0 0044C346 |. 8D4D 8C lea ecx, [ebp-74] 0044C349 |. E8 02CBFCFF call 00418E50 0044C34E |. C745 FC 00000>mov dword ptr [ebp-4], 0 0044C355 |. 8D4D 88 lea ecx, [ebp-78] 0044C358 |. E8 D372FCFF call 00413630 0044C35D |. C645 FC 01 mov byte ptr [ebp-4], 1 0044C361 |. 8D8D 24FDFFFF lea ecx, [ebp-2DC] 0044C367 |. E8 B410FFFF call 0043D420 0044C36C |. C645 FC 02 mov byte ptr [ebp-4], 2 0044C370 |. 8D4D 8C lea ecx, [ebp-74] 0044C373 |. E8 EC4F0B00 call 00501364 ; F8至此处,输入用户名、注册码后继续 0044C378 |. 83F8 01 cmp eax, 1 0044C37B |. 0F85 3F020000 jnz 0044C5C0 0044C381 |. 8D45 E8 lea eax, [ebp-18] 0044C384 |. 50 push eax 0044C385 |. B9 94075A00 mov ecx, 005A0794 ; ASCII "8mov dword ptr [59F9C4], 0 0044C399 |. 8D45 E8 lea eax, [ebp-18] 0044C39C |. 50 push eax 0044C39D |. 51 push ecx 0044C39E |. 8BCC mov ecx, esp 0044C3A0 |. 89A5 1CFDFFFF mov [ebp-2E4], esp 0044C3A6 |. 8D55 EC lea edx, [ebp-14] 0044C3A9 |. 52 push edx 0044C3AA |. E8 7CEE0A00 call 004FB22B ; 取用户名 0044C3AF |. 8985 C8FCFFFF mov [ebp-338], eax ; || 0044C3B5 |. 8D85 18FDFFFF lea eax, [ebp-2E8] ; || 0044C3BB |. 50 push eax ; ||Arg1 0044C3BC |. 
8B4D F0 mov ecx, [ebp-10] ; || 0044C3BF |. E8 DCF3FFFF call 0044B7A0 ; |\关键call(1),跟进 0044C3C4 |. 8985 C4FCFFFF mov [ebp-33C], eax ; | 0044C3CA |. 8B8D C4FCFFFF mov ecx, [ebp-33C] ; | 0044C3D0 |. 898D C0FCFFFF mov [ebp-340], ecx ; | 0044C3D6 |. C645 FC 03 mov byte ptr [ebp-4], 3 ; | 0044C3DA |. 8B95 C0FCFFFF mov edx, [ebp-340] ; | 0044C3E0 |. 52 push edx ; |Arg1 0044C3E1 |. E8 8AC1FFFF call 00448570 ; \真假码比较,可做内存注册机 0044C3E6 |. 8885 23FDFFFF mov [ebp-2DD], al 0044C3EC |. C645 FC 02 mov byte ptr [ebp-4], 2 0044C3F0 |. 8D8D 18FDFFFF lea ecx, [ebp-2E8] 0044C3F6 |. E8 BBF00A00 call 004FB4B6 0044C3FB |. 0FB685 23FDFF>movzx eax, byte ptr [ebp-2DD] 0044C402 |. 85C0 test eax, eax 0044C404 |. 0F84 C8000000 je 0044C4D2 ; 爆破点 0044C40A |. 8D45 EC lea eax, [ebp-14] 0044C40D |. 50 push eax 0044C40E |. B9 90075A00 mov ecx, 005A0790 0044C413 |. E8 D7F10A00 call 004FB5EF 0044C418 |. 8D45 E8 lea eax, [ebp-18] 0044C41B |. 50 push eax 0044C41C |. B9 94075A00 mov ecx, 005A0794 ; ASCII "8mov byte ptr [59F9C0], 1 0044C42D |. 6A 00 push 0 ; /Arg3 = 00000000 0044C42F |. 6A 00 push 0 ; |Arg2 = 00000000 0044C431 |. 68 305B5300 push 00535B30 ; |code accepted!\nthanks for registration.uninstall.exe,0uninstall.dll,0uninstall.tmp 0044C436 |. E8 20D50B00 call 0050995B ; \Photoplo.0050995B 0044C43B |. 6A 00 push 0 0044C43D |. E8 48650D00 call 0052298A 0044C442 |. 8D45 E8 lea eax, [ebp-18] 0044C445 |. 50 push eax 0044C446 |. 51 push ecx 0044C447 |. 8BCC mov ecx, esp 0044C449 |. 89A5 10FDFFFF mov [ebp-2F0], esp 0044C44F |. 8D55 EC lea edx, [ebp-14] 0044C452 |. 52 push edx 0044C453 |. E8 D3ED0A00 call 004FB22B 0044C458 |. 8985 C8FCFFFF mov [ebp-338], eax ; || 0044C45E |. 8D85 0CFDFFFF lea eax, [ebp-2F4] ; || 0044C464 |. 50 push eax ; ||Arg1 0044C465 |. 8B4D F0 mov ecx, [ebp-10] ; || 0044C468 |. E8 53FAFFFF call 0044BEC0 ; |\Photoplo.0044BEC0 0044C46D |. 8985 C4FCFFFF mov [ebp-33C], eax ; | 0044C473 |. 8B8D C4FCFFFF mov ecx, [ebp-33C] ; | 0044C479 |. 898D C0FCFFFF mov [ebp-340], ecx ; | 0044C47F |. 
C645 FC 04 mov byte ptr [ebp-4], 4 ; | 0044C483 |. 8B95 C0FCFFFF mov edx, [ebp-340] ; | 0044C489 |. 52 push edx ; |Arg1 0044C48A |. E8 E1C0FFFF call 00448570 ; \Photoplo.00448570 0044C48F |. 8885 17FDFFFF mov [ebp-2E9], al 0044C495 |. C645 FC 02 mov byte ptr [ebp-4], 2 0044C499 |. 8D8D 0CFDFFFF lea ecx, [ebp-2F4] 0044C49F |. E8 12F00A00 call 004FB4B6 0044C4A4 |. 0FB685 17FDFF>movzx eax, byte ptr [ebp-2E9] 0044C4AB |. 85C0 test eax, eax 0044C4AD |. 74 1E je short 0044C4CD 0044C4AF |. A1 94075A00 mov eax, [5A0794] 0044C4B4 |. 50 push eax 0044C4B5 |. 8B0D 90075A00 mov ecx, [5A0790] 0044C4BB |. 51 push ecx 0044C4BC |. 68 1C5B5300 push 00535B1C ; user=[%s] code=[%s]code accepted!\nthanks for registration.uninstall.exe,0uninstall.dll,0uninstall.tmp 0044C4C1 |. 8D55 88 lea edx, [ebp-78] 0044C4C4 |. 52 push edx 0044C4C5 |. E8 A3950A00 call 004F5A6D 0044C4CA |. 83C4 10 add esp, 10 0044C4CD |> E9 EE000000 jmp 0044C5C0 0044C4D2 |> 6A 54 push 54 0044C4D4 |. 8D4D 88 lea ecx, [ebp-78] 0044C4D7 |. E8 8B8B0A00 call 004F5067 0044C4DC |. 6A 68 push 68 0044C4DE |. 8D4D 88 lea ecx, [ebp-78] 0044C4E1 |. E8 D3F30A00 call 004FB8B9 0044C4E6 |. 6A 65 push 65 0044C4E8 |. 8D4D 88 lea ecx, [ebp-78] 0044C4EB |. E8 C9F30A00 call 004FB8B9 0044C4F0 |. 6A 20 push 20 0044C4F2 |. 8D4D 88 lea ecx, [ebp-78] 0044C4F5 |. E8 BFF30A00 call 004FB8B9 0044C4FA |. 6A 63 push 63 0044C4FC |. 8D4D 88 lea ecx, [ebp-78] 0044C4FF |. E8 B5F30A00 call 004FB8B9 0044C504 |. 6A 6F push 6F 0044C506 |. 8D4D 88 lea ecx, [ebp-78] 0044C509 |. E8 ABF30A00 call 004FB8B9 0044C50E |. 6A 64 push 64 0044C510 |. 8D4D 88 lea ecx, [ebp-78] 0044C513 |. E8 A1F30A00 call 004FB8B9 0044C518 |. 6A 65 push 65 0044C51A |. 8D4D 88 lea ecx, [ebp-78] 0044C51D |. E8 97F30A00 call 004FB8B9 0044C522 |. 6A 20 push 20 0044C524 |. 8D4D 88 lea ecx, [ebp-78] 0044C527 |. E8 8DF30A00 call 004FB8B9 0044C52C |. 6A 69 push 69 0044C52E |. 8D4D 88 lea ecx, [ebp-78] 0044C531 |. E8 83F30A00 call 004FB8B9 0044C536 |. 6A 73 push 73 0044C538 |. 
8D4D 88 lea ecx, [ebp-78] 0044C53B |. E8 79F30A00 call 004FB8B9 0044C540 |. 6A 20 push 20 0044C542 |. 8D4D 88 lea ecx, [ebp-78] 0044C545 |. E8 6FF30A00 call 004FB8B9 0044C54A |. 6A 6E push 6E 0044C54C |. 8D4D 88 lea ecx, [ebp-78] 0044C54F |. E8 65F30A00 call 004FB8B9 0044C554 |. 6A 6F push 6F 0044C556 |. 8D4D 88 lea ecx, [ebp-78] 0044C559 |. E8 5BF30A00 call 004FB8B9 0044C55E |. 6A 74 push 74 0044C560 |. 8D4D 88 lea ecx, [ebp-78] 0044C563 |. E8 51F30A00 call 004FB8B9 0044C568 |. 6A 20 push 20 0044C56A |. 8D4D 88 lea ecx, [ebp-78] 0044C56D |. E8 47F30A00 call 004FB8B9 0044C572 |. 6A 76 push 76 0044C574 |. 8D4D 88 lea ecx, [ebp-78] 0044C577 |. E8 3DF30A00 call 004FB8B9 0044C57C |. 6A 61 push 61 0044C57E |. 8D4D 88 lea ecx, [ebp-78] 0044C581 |. E8 33F30A00 call 004FB8B9 0044C586 |. 6A 6C push 6C 0044C588 |. 8D4D 88 lea ecx, [ebp-78] 0044C58B |. E8 29F30A00 call 004FB8B9 0044C590 |. 6A 69 push 69 0044C592 |. 8D4D 88 lea ecx, [ebp-78] 0044C595 |. E8 1FF30A00 call 004FB8B9 0044C59A |. 6A 64 push 64 0044C59C |. 8D4D 88 lea ecx, [ebp-78] 0044C59F |. E8 15F30A00 call 004FB8B9 0044C5A4 |. 6A 21 push 21 0044C5A6 |. 8D4D 88 lea ecx, [ebp-78] 0044C5A9 |. E8 0BF30A00 call 004FB8B9 0044C5AE |. 6A 00 push 0 0044C5B0 |. 6A 00 push 0 0044C5B2 |. 8D4D 88 lea ecx, [ebp-78] 0044C5B5 |. E8 767CFCFF call 00414230 0044C5BA |. 50 push eax ; |Arg1 0044C5BB |. E8 9BD30B00 call 0050995B ; \Photoplo.0050995B 0044C5C0 |> C645 FC 01 mov byte ptr [ebp-4], 1 0044C5C4 |. 8D8D 24FDFFFF lea ecx, [ebp-2DC] 0044C5CA |. E8 110FFFFF call 0043D4E0 0044C5CF |. C645 FC 00 mov byte ptr [ebp-4], 0 0044C5D3 |. 8D4D 88 lea ecx, [ebp-78] 0044C5D6 |. E8 DBEE0A00 call 004FB4B6 0044C5DB |. C745 FC FFFFF>mov dword ptr [ebp-4], -1 0044C5E2 |. 8D4D 8C lea ecx, [ebp-74] 0044C5E5 |. E8 06C9FCFF call 00418EF0 0044C5EA |. 8B4D F4 mov ecx, [ebp-C] 0044C5ED |. 64:890D 00000>mov fs:[0], ecx 0044C5F4 |. 5F pop edi 0044C5F5 |. 5E pop esi 0044C5F6 |. 5B pop ebx 0044C5F7 |. 8BE5 mov esp, ebp 0044C5F9 |. 5D pop ebp 0044C5FA \. 
C3 retn 算法call(1): 0044B7A0 /$ 55 push ebp 0044B7A1 |. 8BEC mov ebp, esp 0044B7A3 |. 6A FF push -1 0044B7A5 |. 68 2B795200 push 0052792B ; SE 处理程序安装 0044B7AA |. 64:A1 0000000>mov eax, fs:[0] 0044B7B0 |. 50 push eax 0044B7B1 |. 64:8925 00000>mov fs:[0], esp 0044B7B8 |. 83EC 68 sub esp, 68 0044B7BB |. 53 push ebx 0044B7BC |. 56 push esi 0044B7BD |. 57 push edi 0044B7BE |. 894D F0 mov [ebp-10], ecx 0044B7C1 |. C745 D8 00000>mov dword ptr [ebp-28], 0 0044B7C8 |. C745 FC 01000>mov dword ptr [ebp-4], 1 0044B7CF |. 8D4D EC lea ecx, [ebp-14] 0044B7D2 |. E8 597EFCFF call 00413630 ; 以下直至0044B866为排除黑名单中的用户名 0044B7D7 |. C645 FC 02 mov byte ptr [ebp-4], 2 0044B7DB |. 68 045B5300 push 00535B04 ; /cre@k 0044B7E0 |. 8D45 0C lea eax, [ebp+C] ; | 0044B7E3 |. 50 push eax ; |Arg1 0044B7E4 |. E8 678AFCFF call 00414250 ; \Photoplo.00414250 0044B7E9 |. 33C9 xor ecx, ecx 0044B7EB |. 8AC8 mov cl, al 0044B7ED |. 85C9 test ecx, ecx 0044B7EF |. 75 6E jnz short 0044B85F 0044B7F1 |. 68 F45A5300 push 00535AF4 ; /freeserials.netcre@k 0044B7F6 |. 8D45 0C lea eax, [ebp+C] ; | 0044B7F9 |. 50 push eax ; |Arg1 0044B7FA |. E8 518AFCFF call 00414250 ; \Photoplo.00414250 0044B7FF |. 33C9 xor ecx, ecx 0044B801 |. 8AC8 mov cl, al 0044B803 |. 85C9 test ecx, ecx 0044B805 |. 75 58 jnz short 0044B85F 0044B807 |. 68 E85A5300 push 00535AE8 ; /team zwt 0044B80C |. 8D45 0C lea eax, [ebp+C] ; | 0044B80F |. 50 push eax ; |Arg1 0044B810 |. E8 3B8AFCFF call 00414250 ; \Photoplo.00414250 0044B815 |. 33C9 xor ecx, ecx 0044B817 |. 8AC8 mov cl, al 0044B819 |. 85C9 test ecx, ecx 0044B81B |. 75 42 jnz short 0044B85F 0044B81D |. 68 D05A5300 push 00535AD0 ; /www.crackzplanet.com 0044B822 |. 8D45 0C lea eax, [ebp+C] ; | 0044B825 |. 50 push eax ; |Arg1 0044B826 |. E8 258AFCFF call 00414250 ; \Photoplo.00414250 0044B82B |. 33C9 xor ecx, ecx 0044B82D |. 8AC8 mov cl, al 0044B82F |. 85C9 test ecx, ecx 0044B831 |. 75 2C jnz short 0044B85F 0044B833 |. 68 C05A5300 push 00535AC0 ; /www.2baksa.net 0044B838 |. 
8D45 0C lea eax, [ebp+C] ; | 0044B83B |. 50 push eax ; |Arg1 0044B83C |. E8 0F8AFCFF call 00414250 ; \Photoplo.00414250 0044B841 |. 33C9 xor ecx, ecx 0044B843 |. 8AC8 mov cl, al 0044B845 |. 85C9 test ecx, ecx 0044B847 |. 75 16 jnz short 0044B85F 0044B849 |. 68 B45A5300 push 00535AB4 ; /www.nowa.ruwww.2baksa.net 0044B84E |. 8D45 0C lea eax, [ebp+C] ; | 0044B851 |. 50 push eax ; |Arg1 0044B852 |. E8 F989FCFF call 00414250 ; \Photoplo.00414250 0044B857 |. 33C9 xor ecx, ecx 0044B859 |. 8AC8 mov cl, al 0044B85B |. 85C9 test ecx, ecx 0044B85D |. 74 07 je short 0044B866 0044B85F |> 6A 00 push 0 0044B861 |. E8 D12D0900 call 004DE637 0044B866 |> 51 push ecx 0044B867 |. 8BCC mov ecx, esp 0044B869 |. 8965 E8 mov [ebp-18], esp 0044B86C |. 8D45 0C lea eax, [ebp+C] 0044B86F |. 50 push eax 0044B870 |. E8 B6F90A00 call 004FB22B 0044B875 |. 8945 94 mov [ebp-6C], eax ; | 0044B878 |. 8D4D E4 lea ecx, [ebp-1C] ; | 0044B87B |. 51 push ecx ; |Arg1 0044B87C |. 8B4D F0 mov ecx, [ebp-10] ; | 0044B87F |. E8 5C080000 call 0044C0E0 ; \算法call(2),跟进 0044B884 |. 8945 90 mov [ebp-70], eax 0044B887 |. 8B55 90 mov edx, [ebp-70] 0044B88A |. 8955 8C mov [ebp-74], edx 0044B88D |. C645 FC 03 mov byte ptr [ebp-4], 3 0044B891 |. 8B45 8C mov eax, [ebp-74] 0044B894 |. 50 push eax 0044B895 |. 8D4D EC lea ecx, [ebp-14] 0044B898 |. E8 52FD0A00 call 004FB5EF 0044B89D |. C645 FC 02 mov byte ptr [ebp-4], 2 0044B8A1 |. 8D4D E4 lea ecx, [ebp-1C] 0044B8A4 |. E8 0DFC0A00 call 004FB4B6 0044B8A9 |. 68 94075A00 push 005A0794 ; /Arg2 = 005A0794 ASCII "8cmp dword ptr [5A0798], 1E 0044B8CA |. 7D 55 jge short 0044B921 0044B8CC |. 833D C4F95900>cmp dword ptr [59F9C4], 0 0044B8D3 |. 75 17 jnz short 0044B8EC 0044B8D5 |. C705 C4F95900>mov dword ptr [59F9C4], 1 0044B8DF |. A1 98075A00 mov eax, [5A0798] 0044B8E4 |. 83C0 01 add eax, 1 0044B8E7 |. A3 98075A00 mov [5A0798], eax 0044B8EC |> 8D45 EC lea eax, [ebp-14] 0044B8EF |. 50 push eax 0044B8F0 |. 8B4D 08 mov ecx, [ebp+8] 0044B8F3 |. E8 33F90A00 call 004FB22B 0044B8F8 |. 
8B4D D8 mov ecx, [ebp-28] 0044B8FB |. 83C9 01 or ecx, 1 0044B8FE |. 894D D8 mov [ebp-28], ecx 0044B901 |. C645 FC 01 mov byte ptr [ebp-4], 1 0044B905 |. 8D4D EC lea ecx, [ebp-14] 0044B908 |. E8 A9FB0A00 call 004FB4B6 0044B90D |. C645 FC 00 mov byte ptr [ebp-4], 0 0044B911 |. 8D4D 0C lea ecx, [ebp+C] 0044B914 |. E8 9DFB0A00 call 004FB4B6 0044B919 |. 8B45 08 mov eax, [ebp+8] 0044B91C |. E9 8C050000 jmp 0044BEAD 0044B921 |> 833D C4F95900>cmp dword ptr [59F9C4], 0 0044B928 |. 0F85 D9040000 jnz 0044BE07 0044B92E |. C705 C4F95900>mov dword ptr [59F9C4], 1 0044B938 |. A1 98075A00 mov eax, [5A0798] 0044B93D |. 83C0 01 add eax, 1 0044B940 |. A3 98075A00 mov [5A0798], eax 0044B945 |. 6A 54 push 54 0044B947 |. 8D4D EC lea ecx, [ebp-14] 0044B94A |. E8 18970A00 call 004F5067 0044B94F |. 6A 68 push 68 0044B951 |. 8D4D EC lea ecx, [ebp-14] 0044B954 |. E8 60FF0A00 call 004FB8B9 0044B959 |. 6A 69 push 69 0044B95B |. 8D4D EC lea ecx, [ebp-14] 0044B95E |. E8 56FF0A00 call 004FB8B9 0044B963 |. 6A 73 push 73 0044B965 |. 8D4D EC lea ecx, [ebp-14] 0044B968 |. E8 4CFF0A00 call 004FB8B9 0044B96D |. 6A 20 push 20 0044B96F |. 8D4D EC lea ecx, [ebp-14] 0044B972 |. E8 42FF0A00 call 004FB8B9 0044B977 |. 6A 76 push 76 0044B979 |. 8D4D EC lea ecx, [ebp-14] 0044B97C |. E8 38FF0A00 call 004FB8B9 0044B981 |. 6A 65 push 65 0044B983 |. 8D4D EC lea ecx, [ebp-14] 0044B986 |. E8 2EFF0A00 call 004FB8B9 0044B98B |. 6A 72 push 72 0044B98D |. 8D4D EC lea ecx, [ebp-14] 0044B990 |. E8 24FF0A00 call 004FB8B9 0044B995 |. 6A 73 push 73 0044B997 |. 8D4D EC lea ecx, [ebp-14] 0044B99A |. E8 1AFF0A00 call 004FB8B9 0044B99F |. 6A 69 push 69 0044B9A1 |. 8D4D EC lea ecx, [ebp-14] 0044B9A4 |. E8 10FF0A00 call 004FB8B9 0044B9A9 |. 6A 6F push 6F 0044B9AB |. 8D4D EC lea ecx, [ebp-14] 0044B9AE |. E8 06FF0A00 call 004FB8B9 0044B9B3 |. 6A 6E push 6E 0044B9B5 |. 8D4D EC lea ecx, [ebp-14] 0044B9B8 |. E8 FCFE0A00 call 004FB8B9 0044B9BD |. 6A 20 push 20 0044B9BF |. 8D4D EC lea ecx, [ebp-14] 0044B9C2 |. 
E8 F2FE0A00 call 004FB8B9 0044B9C7 |. 6A 72 push 72 0044B9C9 |. 8D4D EC lea ecx, [ebp-14] 0044B9CC |. E8 E8FE0A00 call 004FB8B9 0044B9D1 |. 6A 65 push 65 0044B9D3 |. 8D4D EC lea ecx, [ebp-14] 0044B9D6 |. E8 DEFE0A00 call 004FB8B9 0044B9DB |. 6A 71 push 71 0044B9DD |. 8D4D EC lea ecx, [ebp-14] 0044B9E0 |. E8 D4FE0A00 call 004FB8B9 0044B9E5 |. 6A 75 push 75 0044B9E7 |. 8D4D EC lea ecx, [ebp-14] 0044B9EA |. E8 CAFE0A00 call 004FB8B9 0044B9EF |. 6A 69 push 69 0044B9F1 |. 8D4D EC lea ecx, [ebp-14] 0044B9F4 |. E8 C0FE0A00 call 004FB8B9 0044B9F9 |. 6A 72 push 72 0044B9FB |. 8D4D EC lea ecx, [ebp-14] 0044B9FE |. E8 B6FE0A00 call 004FB8B9 0044BA03 |. 6A 65 push 65 0044BA05 |. 8D4D EC lea ecx, [ebp-14] 0044BA08 |. E8 ACFE0A00 call 004FB8B9 0044BA0D |. 6A 73 push 73 0044BA0F |. 8D4D EC lea ecx, [ebp-14] 0044BA12 |. E8 A2FE0A00 call 004FB8B9 0044BA17 |. 6A 20 push 20 0044BA19 |. 8D4D EC lea ecx, [ebp-14] 0044BA1C |. E8 98FE0A00 call 004FB8B9 0044BA21 |. 6A 61 push 61 0044BA23 |. 8D4D EC lea ecx, [ebp-14] 0044BA26 |. E8 8EFE0A00 call 004FB8B9 0044BA2B |. 6A 20 push 20 0044BA2D |. 8D4D EC lea ecx, [ebp-14] 0044BA30 |. E8 84FE0A00 call 004FB8B9 0044BA35 |. 6A 6E push 6E 0044BA37 |. 8D4D EC lea ecx, [ebp-14] 0044BA3A |. E8 7AFE0A00 call 004FB8B9 0044BA3F |. 6A 65 push 65 0044BA41 |. 8D4D EC lea ecx, [ebp-14] 0044BA44 |. E8 70FE0A00 call 004FB8B9 0044BA49 |. 6A 77 push 77 0044BA4B |. 8D4D EC lea ecx, [ebp-14] 0044BA4E |. E8 66FE0A00 call 004FB8B9 0044BA53 |. 6A 20 push 20 0044BA55 |. 8D4D EC lea ecx, [ebp-14] 0044BA58 |. E8 5CFE0A00 call 004FB8B9 0044BA5D |. 6A 72 push 72 0044BA5F |. 8D4D EC lea ecx, [ebp-14] 0044BA62 |. E8 52FE0A00 call 004FB8B9 0044BA67 |. 6A 65 push 65 0044BA69 |. 8D4D EC lea ecx, [ebp-14] 0044BA6C |. E8 48FE0A00 call 004FB8B9 0044BA71 |. 6A 67 push 67 0044BA73 |. 8D4D EC lea ecx, [ebp-14] 0044BA76 |. E8 3EFE0A00 call 004FB8B9 0044BA7B |. 6A 69 push 69 0044BA7D |. 8D4D EC lea ecx, [ebp-14] 0044BA80 |. E8 34FE0A00 call 004FB8B9 0044BA85 |. 
6A 73 push 73 0044BA87 |. 8D4D EC lea ecx, [ebp-14] 0044BA8A |. E8 2AFE0A00 call 004FB8B9 0044BA8F |. 6A 74 push 74 0044BA91 |. 8D4D EC lea ecx, [ebp-14] 0044BA94 |. E8 20FE0A00 call 004FB8B9 0044BA99 |. 6A 72 push 72 0044BA9B |. 8D4D EC lea ecx, [ebp-14] 0044BA9E |. E8 16FE0A00 call 004FB8B9 0044BAA3 |. 6A 61 push 61 0044BAA5 |. 8D4D EC lea ecx, [ebp-14] 0044BAA8 |. E8 0CFE0A00 call 004FB8B9 0044BAAD |. 6A 74 push 74 0044BAAF |. 8D4D EC lea ecx, [ebp-14] 0044BAB2 |. E8 02FE0A00 call 004FB8B9 0044BAB7 |. 6A 69 push 69 0044BAB9 |. 8D4D EC lea ecx, [ebp-14] 0044BABC |. E8 F8FD0A00 call 004FB8B9 0044BAC1 |. 6A 6F push 6F 0044BAC3 |. 8D4D EC lea ecx, [ebp-14] 0044BAC6 |. E8 EEFD0A00 call 004FB8B9 0044BACB |. 6A 6E push 6E 0044BACD |. 8D4D EC lea ecx, [ebp-14] 0044BAD0 |. E8 E4FD0A00 call 004FB8B9 0044BAD5 |. 6A 20 push 20 0044BAD7 |. 8D4D EC lea ecx, [ebp-14] 0044BADA |. E8 DAFD0A00 call 004FB8B9 0044BADF |. 6A 63 push 63 0044BAE1 |. 8D4D EC lea ecx, [ebp-14] 0044BAE4 |. E8 D0FD0A00 call 004FB8B9 0044BAE9 |. 6A 6F push 6F 0044BAEB |. 8D4D EC lea ecx, [ebp-14] 0044BAEE |. E8 C6FD0A00 call 004FB8B9 0044BAF3 |. 6A 64 push 64 0044BAF5 |. 8D4D EC lea ecx, [ebp-14] 0044BAF8 |. E8 BCFD0A00 call 004FB8B9 0044BAFD |. 6A 65 push 65 0044BAFF |. 8D4D EC lea ecx, [ebp-14] 0044BB02 |. E8 B2FD0A00 call 004FB8B9 0044BB07 |. 6A 0A push 0A 0044BB09 |. 8D4D EC lea ecx, [ebp-14] 0044BB0C |. E8 A8FD0A00 call 004FB8B9 0044BB11 |. 6A 4D push 4D 0044BB13 |. 8D4D EC lea ecx, [ebp-14] 0044BB16 |. E8 9EFD0A00 call 004FB8B9 0044BB1B |. 6A 61 push 61 0044BB1D |. 8D4D EC lea ecx, [ebp-14] 0044BB20 |. E8 94FD0A00 call 004FB8B9 0044BB25 |. 6A 69 push 69 0044BB27 |. 8D4D EC lea ecx, [ebp-14] 0044BB2A |. E8 8AFD0A00 call 004FB8B9 0044BB2F |. 6A 6C push 6C 0044BB31 |. 8D4D EC lea ecx, [ebp-14] 0044BB34 |. E8 80FD0A00 call 004FB8B9 0044BB39 |. 6A 20 push 20 0044BB3B |. 8D4D EC lea ecx, [ebp-14] 0044BB3E |. E8 76FD0A00 call 004FB8B9 0044BB43 |. 6A 74 push 74 0044BB45 |. 
8D4D EC lea ecx, [ebp-14] 0044BB48 |. E8 6CFD0A00 call 004FB8B9 0044BB4D |. 6A 6F push 6F 0044BB4F |. 8D4D EC lea ecx, [ebp-14] 0044BB52 |. E8 62FD0A00 call 004FB8B9 0044BB57 |. 6A 20 push 20 0044BB59 |. 8D4D EC lea ecx, [ebp-14] 0044BB5C |. E8 58FD0A00 call 004FB8B9 0044BB61 |. 6A 68 push 68 0044BB63 |. 8D4D EC lea ecx, [ebp-14] 0044BB66 |. E8 4EFD0A00 call 004FB8B9 0044BB6B |. 6A 65 push 65 0044BB6D |. 8D4D EC lea ecx, [ebp-14] 0044BB70 |. E8 44FD0A00 call 004FB8B9 0044BB75 |. 6A 6E push 6E 0044BB77 |. 8D4D EC lea ecx, [ebp-14] 0044BB7A |. E8 3AFD0A00 call 004FB8B9 0044BB7F |. 6A 72 push 72 0044BB81 |. 8D4D EC lea ecx, [ebp-14] 0044BB84 |. E8 30FD0A00 call 004FB8B9 0044BB89 |. 6A 79 push 79 0044BB8B |. 8D4D EC lea ecx, [ebp-14] 0044BB8E |. E8 26FD0A00 call 004FB8B9 0044BB93 |. 6A 2E push 2E 0044BB95 |. 8D4D EC lea ecx, [ebp-14] 0044BB98 |. E8 1CFD0A00 call 004FB8B9 0044BB9D |. 6A 6B push 6B 0044BB9F |. 8D4D EC lea ecx, [ebp-14] 0044BBA2 |. E8 12FD0A00 call 004FB8B9 0044BBA7 |. 6A 65 push 65 0044BBA9 |. 8D4D EC lea ecx, [ebp-14] 0044BBAC |. E8 08FD0A00 call 004FB8B9 0044BBB1 |. 6A 6C push 6C 0044BBB3 |. 8D4D EC lea ecx, [ebp-14] 0044BBB6 |. E8 FEFC0A00 call 004FB8B9 0044BBBB |. 6A 6C push 6C 0044BBBD |. 8D4D EC lea ecx, [ebp-14] 0044BBC0 |. E8 F4FC0A00 call 004FB8B9 0044BBC5 |. 6A 6E push 6E 0044BBC7 |. 8D4D EC lea ecx, [ebp-14] 0044BBCA |. E8 EAFC0A00 call 004FB8B9 0044BBCF |. 6A 65 push 65 0044BBD1 |. 8D4D EC lea ecx, [ebp-14] 0044BBD4 |. E8 E0FC0A00 call 004FB8B9 0044BBD9 |. 6A 72 push 72 0044BBDB |. 8D4D EC lea ecx, [ebp-14] 0044BBDE |. E8 D6FC0A00 call 004FB8B9 0044BBE3 |. 6A 40 push 40 0044BBE5 |. 8D4D EC lea ecx, [ebp-14] 0044BBE8 |. E8 CCFC0A00 call 004FB8B9 0044BBED |. 6A 75 push 75 0044BBEF |. 8D4D EC lea ecx, [ebp-14] 0044BBF2 |. E8 C2FC0A00 call 004FB8B9 0044BBF7 |. 6A 74 push 74 0044BBF9 |. 8D4D EC lea ecx, [ebp-14] 0044BBFC |. E8 B8FC0A00 call 004FB8B9 0044BC01 |. 6A 61 push 61 0044BC03 |. 8D4D EC lea ecx, [ebp-14] 0044BC06 |. 
E8 AEFC0A00 call 004FB8B9 0044BC0B |. 6A 6E push 6E 0044BC0D |. 8D4D EC lea ecx, [ebp-14] 0044BC10 |. E8 A4FC0A00 call 004FB8B9 0044BC15 |. 6A 65 push 65 0044BC17 |. 8D4D EC lea ecx, [ebp-14] 0044BC1A |. E8 9AFC0A00 call 004FB8B9 0044BC1F |. 6A 74 push 74 0044BC21 |. 8D4D EC lea ecx, [ebp-14] 0044BC24 |. E8 90FC0A00 call 004FB8B9 0044BC29 |. 6A 2E push 2E 0044BC2B |. 8D4D EC lea ecx, [ebp-14] 0044BC2E |. E8 86FC0A00 call 004FB8B9 0044BC33 |. 6A 61 push 61 0044BC35 |. 8D4D EC lea ecx, [ebp-14] 0044BC38 |. E8 7CFC0A00 call 004FB8B9 0044BC3D |. 6A 74 push 74 0044BC3F |. 8D4D EC lea ecx, [ebp-14] 0044BC42 |. E8 72FC0A00 call 004FB8B9 0044BC47 |. 6A 20 push 20 0044BC49 |. 8D4D EC lea ecx, [ebp-14] 0044BC4C |. E8 68FC0A00 call 004FB8B9 0044BC51 |. 6A 74 push 74 0044BC53 |. 8D4D EC lea ecx, [ebp-14] 0044BC56 |. E8 5EFC0A00 call 004FB8B9 0044BC5B |. 6A 6F push 6F 0044BC5D |. 8D4D EC lea ecx, [ebp-14] 0044BC60 |. E8 54FC0A00 call 004FB8B9 0044BC65 |. 6A 20 push 20 0044BC67 |. 8D4D EC lea ecx, [ebp-14] 0044BC6A |. E8 4AFC0A00 call 004FB8B9 0044BC6F |. 6A 67 push 67 0044BC71 |. 8D4D EC lea ecx, [ebp-14] 0044BC74 |. E8 40FC0A00 call 004FB8B9 0044BC79 |. 6A 65 push 65 0044BC7B |. 8D4D EC lea ecx, [ebp-14] 0044BC7E |. E8 36FC0A00 call 004FB8B9 0044BC83 |. 6A 74 push 74 0044BC85 |. 8D4D EC lea ecx, [ebp-14] 0044BC88 |. E8 2CFC0A00 call 004FB8B9 0044BC8D |. 6A 20 push 20 0044BC8F |. 8D4D EC lea ecx, [ebp-14] 0044BC92 |. E8 22FC0A00 call 004FB8B9 0044BC97 |. 6A 79 push 79 0044BC99 |. 8D4D EC lea ecx, [ebp-14] 0044BC9C |. E8 18FC0A00 call 004FB8B9 0044BCA1 |. 6A 6F push 6F 0044BCA3 |. 8D4D EC lea ecx, [ebp-14] 0044BCA6 |. E8 0EFC0A00 call 004FB8B9 0044BCAB |. 6A 75 push 75 0044BCAD |. 8D4D EC lea ecx, [ebp-14] 0044BCB0 |. E8 04FC0A00 call 004FB8B9 0044BCB5 |. 6A 72 push 72 0044BCB7 |. 8D4D EC lea ecx, [ebp-14] 0044BCBA |. E8 FAFB0A00 call 004FB8B9 0044BCBF |. 6A 20 push 20 0044BCC1 |. 8D4D EC lea ecx, [ebp-14] 0044BCC4 |. E8 F0FB0A00 call 004FB8B9 0044BCC9 |. 
6A 6E push 6E 0044BCCB |. 8D4D EC lea ecx, [ebp-14] 0044BCCE |. E8 E6FB0A00 call 004FB8B9 0044BCD3 |. 6A 65 push 65 0044BCD5 |. 8D4D EC lea ecx, [ebp-14] 0044BCD8 |. E8 DCFB0A00 call 004FB8B9 0044BCDD |. 6A 77 push 77 0044BCDF |. 8D4D EC lea ecx, [ebp-14] 0044BCE2 |. E8 D2FB0A00 call 004FB8B9 0044BCE7 |. 6A 20 push 20 0044BCE9 |. 8D4D EC lea ecx, [ebp-14] 0044BCEC |. E8 C8FB0A00 call 004FB8B9 0044BCF1 |. 6A 63 push 63 0044BCF3 |. 8D4D EC lea ecx, [ebp-14] 0044BCF6 |. E8 BEFB0A00 call 004FB8B9 0044BCFB |. 6A 6F push 6F 0044BCFD |. 8D4D EC lea ecx, [ebp-14] 0044BD00 |. E8 B4FB0A00 call 004FB8B9 0044BD05 |. 6A 64 push 64 0044BD07 |. 8D4D EC lea ecx, [ebp-14] 0044BD0A |. E8 AAFB0A00 call 004FB8B9 0044BD0F |. 6A 65 push 65 0044BD11 |. 8D4D EC lea ecx, [ebp-14] 0044BD14 |. E8 A0FB0A00 call 004FB8B9 0044BD19 |. 6A 0A push 0A 0044BD1B |. 8D4D EC lea ecx, [ebp-14] 0044BD1E |. E8 96FB0A00 call 004FB8B9 0044BD23 |. 6A 41 push 41 0044BD25 |. 8D4D EC lea ecx, [ebp-14] 0044BD28 |. E8 8CFB0A00 call 004FB8B9 0044BD2D |. 6A 74 push 74 0044BD2F |. 8D4D EC lea ecx, [ebp-14] 0044BD32 |. E8 82FB0A00 call 004FB8B9 0044BD37 |. 6A 74 push 74 0044BD39 |. 8D4D EC lea ecx, [ebp-14] 0044BD3C |. E8 78FB0A00 call 004FB8B9 0044BD41 |. 6A 61 push 61 0044BD43 |. 8D4D EC lea ecx, [ebp-14] 0044BD46 |. E8 6EFB0A00 call 004FB8B9 0044BD4B |. 6A 63 push 63 0044BD4D |. 8D4D EC lea ecx, [ebp-14] 0044BD50 |. E8 64FB0A00 call 004FB8B9 0044BD55 |. 6A 68 push 68 0044BD57 |. 8D4D EC lea ecx, [ebp-14] 0044BD5A |. E8 5AFB0A00 call 004FB8B9 0044BD5F |. 6A 20 push 20 0044BD61 |. 8D4D EC lea ecx, [ebp-14] 0044BD64 |. E8 50FB0A00 call 004FB8B9 0044BD69 |. 6A 79 push 79 0044BD6B |. 8D4D EC lea ecx, [ebp-14] 0044BD6E |. E8 46FB0A00 call 004FB8B9 0044BD73 |. 6A 6F push 6F 0044BD75 |. 8D4D EC lea ecx, [ebp-14] 0044BD78 |. E8 3CFB0A00 call 004FB8B9 0044BD7D |. 6A 75 push 75 0044BD7F |. 8D4D EC lea ecx, [ebp-14] 0044BD82 |. E8 32FB0A00 call 004FB8B9 0044BD87 |. 6A 72 push 72 0044BD89 |. 
8D4D EC lea ecx, [ebp-14] 0044BD8C |. E8 28FB0A00 call 004FB8B9 0044BD91 |. 6A 20 push 20 0044BD93 |. 8D4D EC lea ecx, [ebp-14] 0044BD96 |. E8 1EFB0A00 call 004FB8B9 0044BD9B |. 6A 6F push 6F 0044BD9D |. 8D4D EC lea ecx, [ebp-14] 0044BDA0 |. E8 14FB0A00 call 004FB8B9 0044BDA5 |. 6A 6C push 6C 0044BDA7 |. 8D4D EC lea ecx, [ebp-14] 0044BDAA |. E8 0AFB0A00 call 004FB8B9 0044BDAF |. 6A 64 push 64 0044BDB1 |. 8D4D EC lea ecx, [ebp-14] 0044BDB4 |. E8 00FB0A00 call 004FB8B9 0044BDB9 |. 6A 20 push 20 0044BDBB |. 8D4D EC lea ecx, [ebp-14] 0044BDBE |. E8 F6FA0A00 call 004FB8B9 0044BDC3 |. 6A 63 push 63 0044BDC5 |. 8D4D EC lea ecx, [ebp-14] 0044BDC8 |. E8 ECFA0A00 call 004FB8B9 0044BDCD |. 6A 6F push 6F 0044BDCF |. 8D4D EC lea ecx, [ebp-14] 0044BDD2 |. E8 E2FA0A00 call 004FB8B9 0044BDD7 |. 6A 64 push 64 0044BDD9 |. 8D4D EC lea ecx, [ebp-14] 0044BDDC |. E8 D8FA0A00 call 004FB8B9 0044BDE1 |. 6A 65 push 65 0044BDE3 |. 8D4D EC lea ecx, [ebp-14] 0044BDE6 |. E8 CEFA0A00 call 004FB8B9 0044BDEB |. 6A 2E push 2E 0044BDED |. 8D4D EC lea ecx, [ebp-14] 0044BDF0 |. E8 C4FA0A00 call 004FB8B9 0044BDF5 |. 6A 00 push 0 0044BDF7 |. 6A 00 push 0 0044BDF9 |. 8D4D EC lea ecx, [ebp-14] 0044BDFC |. E8 2F84FCFF call 00414230 0044BE01 |. 50 push eax ; |Arg1 0044BE02 |. E8 54DB0B00 call 0050995B ; \Photoplo.0050995B 0044BE07 |> 68 10C75700 push 0057C710 0044BE0C |. 8B4D 08 mov ecx, [ebp+8] 0044BE0F |. E8 10F70A00 call 004FB524 0044BE14 |. 8B45 D8 mov eax, [ebp-28] 0044BE17 |. 83C8 01 or eax, 1 0044BE1A |. 8945 D8 mov [ebp-28], eax 0044BE1D |. C645 FC 01 mov byte ptr [ebp-4], 1 0044BE21 |. 8D4D EC lea ecx, [ebp-14] 0044BE24 |. E8 8DF60A00 call 004FB4B6 0044BE29 |. C645 FC 00 mov byte ptr [ebp-4], 0 0044BE2D |. 8D4D 0C lea ecx, [ebp+C] 0044BE30 |. E8 81F60A00 call 004FB4B6 0044BE35 |. 8B45 08 mov eax, [ebp+8] 0044BE38 |. EB 73 jmp short 0044BEAD 0044BE3A |> 51 push ecx 0044BE3B |. 8BCC mov ecx, esp 0044BE3D |. 8965 E0 mov [ebp-20], esp 0044BE40 |. 8D45 0C lea eax, [ebp+C] 0044BE43 |. 
50 push eax 0044BE44 |. E8 E2F30A00 call 004FB22B 0044BE49 |. 8945 94 mov [ebp-6C], eax ; | 0044BE4C |. 8D4D DC lea ecx, [ebp-24] ; | 0044BE4F |. 51 push ecx ; |Arg1 0044BE50 |. 8B4D F0 mov ecx, [ebp-10] ; | 0044BE53 |. E8 68000000 call 0044BEC0 ; \算法call(3),跟进 0044BE58 |. 8945 90 mov [ebp-70], eax 0044BE5B |. 8B55 90 mov edx, [ebp-70] 0044BE5E |. 8955 8C mov [ebp-74], edx 0044BE61 |. C645 FC 04 mov byte ptr [ebp-4], 4 0044BE65 |. 8B45 8C mov eax, [ebp-74] 0044BE68 |. 50 push eax 0044BE69 |. 8D4D EC lea ecx, [ebp-14] 0044BE6C |. E8 7EF70A00 call 004FB5EF ; 真码1与真码2比较 0044BE71 |. C645 FC 02 mov byte ptr [ebp-4], 2 0044BE75 |. 8D4D DC lea ecx, [ebp-24] 0044BE78 |. E8 39F60A00 call 004FB4B6 0044BE7D |. 8D45 EC lea eax, [ebp-14] 0044BE80 |. 50 push eax 0044BE81 |. 8B4D 08 mov ecx, [ebp+8] 0044BE84 |. E8 A2F30A00 call 004FB22B 0044BE89 |. 8B4D D8 mov ecx, [ebp-28] 0044BE8C |. 83C9 01 or ecx, 1 0044BE8F |. 894D D8 mov [ebp-28], ecx 0044BE92 |. C645 FC 01 mov byte ptr [ebp-4], 1 0044BE96 |. 8D4D EC lea ecx, [ebp-14] 0044BE99 |. E8 18F60A00 call 004FB4B6 0044BE9E |. C645 FC 00 mov byte ptr [ebp-4], 0 0044BEA2 |. 8D4D 0C lea ecx, [ebp+C] 0044BEA5 |. E8 0CF60A00 call 004FB4B6 0044BEAA |. 8B45 08 mov eax, [ebp+8] 0044BEAD |> 8B4D F4 mov ecx, [ebp-C] 0044BEB0 |. 64:890D 00000>mov fs:[0], ecx 0044BEB7 |. 5F pop edi 0044BEB8 |. 5E pop esi 0044BEB9 |. 5B pop ebx 0044BEBA |. 8BE5 mov esp, ebp 0044BEBC |. 5D pop ebp 0044BEBD \. C2 0800 retn 8 算法call(2): 0044C0E0 /$ 55 push ebp 0044C0E1 |. 8BEC mov ebp, esp 0044C0E3 |. 6A FF push -1 0044C0E5 |. 68 B2795200 push 005279B2 ; SE 处理程序安装 0044C0EA |. 64:A1 0000000>mov eax, fs:[0] 0044C0F0 |. 50 push eax 0044C0F1 |. 64:8925 00000>mov fs:[0], esp 0044C0F8 |. 83EC 5C sub esp, 5C 0044C0FB |. 53 push ebx 0044C0FC |. 56 push esi 0044C0FD |. 57 push edi 0044C0FE |. 894D F0 mov [ebp-10], ecx 0044C101 |. C745 D8 00000>mov dword ptr [ebp-28], 0 0044C108 |. C745 FC 01000>mov dword ptr [ebp-4], 1 0044C10F |. 8D4D E0 lea ecx, [ebp-20] 0044C112 |. 
E8 1975FCFF call 00413630 0044C117 |. C645 FC 02 mov byte ptr [ebp-4], 2 0044C11B |. 8D4D DC lea ecx, [ebp-24] 0044C11E |. E8 0D75FCFF call 00413630 0044C123 |. C645 FC 03 mov byte ptr [ebp-4], 3 0044C127 |. 6A 48 push 48 ; H 0044C129 |. 8D4D E0 lea ecx, [ebp-20] 0044C12C |. E8 368F0A00 call 004F5067 0044C131 |. 6A 45 push 45 ; E 0044C133 |. 8D4D E0 lea ecx, [ebp-20] 0044C136 |. E8 7EF70A00 call 004FB8B9 0044C13B |. 6A 4E push 4E ; N 0044C13D |. 8D4D E0 lea ecx, [ebp-20] 0044C140 |. E8 74F70A00 call 004FB8B9 0044C145 |. 6A 52 push 52 ; R 0044C147 |. 8D4D E0 lea ecx, [ebp-20] 0044C14A |. E8 6AF70A00 call 004FB8B9 0044C14F |. 6A 59 push 59 ; Y 0044C151 |. 8D4D E0 lea ecx, [ebp-20] 0044C154 |. E8 60F70A00 call 004FB8B9 0044C159 |. 6A 53 push 53 ; S 0044C15B |. 8D4D E0 lea ecx, [ebp-20] 0044C15E |. E8 56F70A00 call 004FB8B9 0044C163 |. 6A 43 push 43 ; C 0044C165 |. 8D4D E0 lea ecx, [ebp-20] 0044C168 |. E8 4CF70A00 call 004FB8B9 0044C16D |. 6A 4F push 4F ; O 0044C16F |. 8D4D E0 lea ecx, [ebp-20] 0044C172 |. E8 42F70A00 call 004FB8B9 0044C177 |. 6A 44 push 44 ; D 0044C179 |. 8D4D E0 lea ecx, [ebp-20] 0044C17C |. E8 38F70A00 call 004FB8B9 0044C181 |. 6A 45 push 45 ; E 0044C183 |. 8D4D E0 lea ecx, [ebp-20] 0044C186 |. E8 2EF70A00 call 004FB8B9 0044C18B |. 6A 50 push 50 ; P 0044C18D |. 8D4D DC lea ecx, [ebp-24] 0044C190 |. E8 D28E0A00 call 004F5067 0044C195 |. 6A 48 push 48 ; H 0044C197 |. 8D4D DC lea ecx, [ebp-24] 0044C19A |. E8 1AF70A00 call 004FB8B9 0044C19F |. 6A 50 push 50 ; P 0044C1A1 |. 8D4D DC lea ecx, [ebp-24] 0044C1A4 |. E8 10F70A00 call 004FB8B9 0044C1A9 |. 6A 31 push 31 ; 1 0044C1AB |. 8D4D DC lea ecx, [ebp-24] 0044C1AE |. E8 06F70A00 call 004FB8B9 0044C1B3 |. C745 EC 00000>mov dword ptr [ebp-14], 0 0044C1BA |. C745 E8 00000>mov dword ptr [ebp-18], 0 0044C1C1 |. C745 E4 00000>mov dword ptr [ebp-1C], 0 0044C1C8 |. EB 09 jmp short 0044C1D3 0044C1CA |> 8B45 EC /mov eax, [ebp-14] 0044C1CD |. 83C0 01 |add eax, 1 0044C1D0 |. 
8945 EC |mov [ebp-14], eax 0044C1D3 |> 8D4D 0C lea ecx, [ebp+C] 0044C1D6 |. E8 0577FCFF |call 004138E0 ; 取用户名 0044C1DB |. 3945 EC |cmp [ebp-14], eax ; 用户名各字符是否取完 0044C1DE |. 7D 7D |jge short 0044C25D ; 完则跳 0044C1E0 |. 8B45 E4 |mov eax, [ebp-1C] 0044C1E3 |. 50 |push eax ; /Arg1 0044C1E4 |. 8D4D E0 |lea ecx, [ebp-20] ; | 0044C1E7 |. E8 3477FCFF |call 00413920 ; \取固定字串(HENRYSCODE),记为A 0044C1EC |. 0FBEF0 |movsx esi, al ; 固定字串(HENRYSCODE)逐位移至ESI 0044C1EF |. 8B4D EC |mov ecx, [ebp-14] 0044C1F2 |. 51 |push ecx ; /Arg1 0044C1F3 |. 8D4D 0C |lea ecx, [ebp+C] ; | 0044C1F6 |. E8 2577FCFF |call 00413920 ; \取用户名 0044C1FB |. 0FBED0 |movsx edx, al ; 用户名逐位移至EDX 0044C1FE |. 03F2 |add esi, edx ; A与用户名ASCII值逐位相加,结果保留于ESI 0044C200 |. 8B45 E8 |mov eax, [ebp-18] 0044C203 |. 50 |push eax ; /Arg1 0044C204 |. 8D4D DC |lea ecx, [ebp-24] ; | 0044C207 |. E8 1477FCFF |call 00413920 ; \取固定字串(PHP1),记为B 0044C20C |. 0FBEC8 |movsx ecx, al ; 固定字串(PHP1)逐位移至ECX 0044C20F |. 03F1 |add esi, ecx ; A、B、用户名ASCII值逐位相加,结果保留于ESI 0044C211 |. 56 |push esi 0044C212 |. 8B55 E4 |mov edx, [ebp-1C] 0044C215 |. 52 |push edx 0044C216 |. 8D4D E0 |lea ecx, [ebp-20] 0044C219 |. E8 4AF80A00 |call 004FBA68 ; 每轮ESI值后两位依次替换A各个字符ASCII,替换后的字符串记位C 0044C21E |. 8B45 E4 |mov eax, [ebp-1C] 0044C221 |. 83C0 01 |add eax, 1 0044C224 |. 8945 E4 |mov [ebp-1C], eax 0044C227 |. 8D4D E0 |lea ecx, [ebp-20] 0044C22A |. E8 B176FCFF |call 004138E0 0044C22F |. 3945 E4 |cmp [ebp-1C], eax ; A各字符是否被替换完 0044C232 |. 75 07 |jnz short 0044C23B 0044C234 |. C745 E4 00000>|mov dword ptr [ebp-1C], 0 0044C23B |> 8B45 E8 |mov eax, [ebp-18] 0044C23E |. 83C0 01 |add eax, 1 0044C241 |. 8945 E8 |mov [ebp-18], eax 0044C244 |. 8D4D DC |lea ecx, [ebp-24] 0044C247 |. E8 9476FCFF |call 004138E0 0044C24C |. 3945 E8 |cmp [ebp-18], eax ; PHP1各字符是否取完 0044C24F |. 75 07 |jnz short 0044C258 0044C251 |. C745 E8 00000>|mov dword ptr [ebp-18], 0 0044C258 |>^ E9 6DFFFFFF \jmp 0044C1CA 0044C25D |> C745 E4 00000>mov dword ptr [ebp-1C], 0 0044C264 |. 
EB 09 jmp short 0044C26F 0044C266 |> 8B45 E4 /mov eax, [ebp-1C] 0044C269 |. 83C0 01 |add eax, 1 0044C26C |. 8945 E4 |mov [ebp-1C], eax 0044C26F |> 8D4D E0 lea ecx, [ebp-20] 0044C272 |. E8 6976FCFF |call 004138E0 0044C277 |. 3945 E4 |cmp [ebp-1C], eax 0044C27A |. 7D 4B |jge short 0044C2C7 0044C27C |> 8B45 E4 |/mov eax, [ebp-1C] 0044C27F |. 50 ||push eax ; /Arg1 0044C280 |. 8D4D E0 ||lea ecx, [ebp-20] ; | 0044C283 |. E8 9876FCFF ||call 00413920 ; \取C 0044C288 |. 0FBEC8 ||movsx ecx, al ; C逐位移至ECX 0044C28B |. 83F9 41 ||cmp ecx, 41 ; 跟41比较 0044C28E |. 7C 14 ||jl short 0044C2A4 ; 小则跳,直至C各字符ASCII值大于41后才不进入加1B的循环过程 0044C290 |. 8B45 E4 ||mov eax, [ebp-1C] 0044C293 |. 50 ||push eax ; /Arg1 0044C294 |. 8D4D E0 ||lea ecx, [ebp-20] ; | 0044C297 |. E8 8476FCFF ||call 00413920 ; \取D 0044C29C |. 0FBEC8 ||movsx ecx, al ; D逐位移至ECX 0044C29F |. 83F9 5A ||cmp ecx, 5A ; 跟5A比较 0044C2A2 |. 7E 21 ||jle short 0044C2C5 ; 小于等于5A则取下一字符 0044C2A4 |> 8B45 E4 ||mov eax, [ebp-1C] 0044C2A7 |. 50 ||push eax ; /Arg1 0044C2A8 |. 8D4D E0 ||lea ecx, [ebp-20] ; | 0044C2AB |. E8 7076FCFF ||call 00413920 ; \取C 0044C2B0 |. 0FBEC8 ||movsx ecx, al ; C逐位移至ECX 0044C2B3 |. 83C1 1B ||add ecx, 1B ; 加1B 0044C2B6 |. 51 ||push ecx 0044C2B7 |. 8B55 E4 ||mov edx, [ebp-1C] 0044C2BA |. 52 ||push edx 0044C2BB |. 8D4D E0 ||lea ecx, [ebp-20] 0044C2BE |. E8 A5F70A00 ||call 004FBA68 ; C各ASCII值按上述方式逐位依次替换,结果记为D 0044C2C3 |.^ EB B7 |\jmp short 0044C27C 0044C2C5 |>^ EB 9F \jmp short 0044C266 0044C2C7 |> 8D45 E0 lea eax, [ebp-20] ; 最终转换结果保存于EAX所指向的内存地址(真码1) 0044C2CA |. 50 push eax 0044C2CB |. 8B4D 08 mov ecx, [ebp+8] 0044C2CE |. E8 58EF0A00 call 004FB22B 0044C2D3 |. 8B4D D8 mov ecx, [ebp-28] 0044C2D6 |. 83C9 01 or ecx, 1 0044C2D9 |. 894D D8 mov [ebp-28], ecx 0044C2DC |. C645 FC 02 mov byte ptr [ebp-4], 2 0044C2E0 |. 8D4D DC lea ecx, [ebp-24] 0044C2E3 |. E8 CEF10A00 call 004FB4B6 0044C2E8 |. C645 FC 01 mov byte ptr [ebp-4], 1 0044C2EC |. 8D4D E0 lea ecx, [ebp-20] 0044C2EF |. E8 C2F10A00 call 004FB4B6 0044C2F4 |. 
C645 FC 00 mov byte ptr [ebp-4], 0
0044C2F8 |. 8D4D 0C lea ecx, [ebp+C]
0044C2FB |. E8 B6F10A00 call 004FB4B6
0044C300 |. 8B45 08 mov eax, [ebp+8]
0044C303 |. 8B4D F4 mov ecx, [ebp-C]
0044C306 |. 64:890D 00000>mov fs:[0], ecx
0044C30D |. 5F pop edi
0044C30E |. 5E pop esi
0044C30F |. 5B pop ebx
0044C310 |. 8BE5 mov esp, ebp
0044C312 |. 5D pop ebp
0044C313 \. C2 0800 retn 8
算法call(3):
; ---------------------------------------------------------------------------
; Routine at 0044BEC0 (the page's "algorithm call (3)"), OllyDbg listing, 32-bit x86.
; Builds a string from the user name and hands it back through [ebp+8].
;
; Stack arguments (retn 8 pops two dwords):
;   [ebp+8]  destination object; its address is also returned in EAX
;   [ebp+C]  user-name string (per the author's annotations on the calls below)
; Locals:
;   [ebp-1C] working string, seeded from the constant at 00535B0C
;   [ebp-18] index into the user name
;   [ebp-14] index into the working string
;   [ebp-20] flag dword, bit 0 set once the result has been copied out
;   [ebp-10] copy of ECX on entry (presumably `this` - TODO confirm)
; Helpers as they are used here (semantics inferred from the call sites and the
; author's annotations - confirm against the routines themselves):
;   004138E0  returns a string length in EAX
;   00413920  returns the char at the pushed index in AL
;   004FBA68  takes (index, value) on the stack and stores the char
;   004FB22B  copies the pushed string into the object in ECX
;   004FB4B6  releases the string object in ECX
; Flow: if the name length is <= 7 the constant is returned unchanged; otherwise
; an XOR pass over the name is followed by a pass that folds every char into
; the range 41..5A.
; NOTE(review): the only inputs visible in this routine are the user name and a
; constant stored in the binary; no secret or server-side value takes part, so
; the value it produces can be recomputed entirely on the client.
; ---------------------------------------------------------------------------
0044BEC0 /$ 55 push ebp
0044BEC1 |. 8BEC mov ebp, esp
0044BEC3 |. 6A FF push -1
0044BEC5 |. 68 69795200 push 00527969 ; SE handler installation
0044BECA |. 64:A1 0000000>mov eax, fs:[0] ; previous head of the handler chain
0044BED0 |. 50 push eax
0044BED1 |. 64:8925 00000>mov fs:[0], esp ; link this frame's record in
0044BED8 |. 83EC 54 sub esp, 54 ; 0x54 bytes of locals
0044BEDB |. 53 push ebx
0044BEDC |. 56 push esi
0044BEDD |. 57 push edi
0044BEDE |. 894D F0 mov [ebp-10], ecx ; keep ECX from entry
0044BEE1 |. C745 E0 00000>mov dword ptr [ebp-20], 0 ; flag dword = 0
0044BEE8 |. C745 FC 01000>mov dword ptr [ebp-4], 1 ; state dword, stepped as locals come and go (looks like the compiler's EH state - confirm)
0044BEEF |. 8D4D E4 lea ecx, [ebp-1C]
0044BEF2 |. E8 3977FCFF call 00413630 ; presumably constructs the working string at [ebp-1C]
0044BEF7 |. C645 FC 02 mov byte ptr [ebp-4], 2
0044BEFB |. 68 0C5B5300 push 00535B0C ; uxdcolfghewz
0044BF00 |. 8D4D E4 lea ecx, [ebp-1C]
0044BF03 |. E8 37F70A00 call 004FB63F ; presumably assigns that constant to the working string
0044BF08 |. 8D4D 0C lea ecx, [ebp+C]
0044BF0B |. E8 D079FCFF call 004138E0 ; EAX = user-name length
0044BF10 |. 83F8 07 cmp eax, 7 ; compare the user-name length with 7
0044BF13 |. 7F 35 jg short 0044BF4A ; longer than 7 (signed): run the transform; otherwise fall through
0044BF15 |. 8D45 E4 lea eax, [ebp-1C] ; short-name path: the working string is still the untouched constant
0044BF18 |. 50 push eax
0044BF19 |. 8B4D 08 mov ecx, [ebp+8]
0044BF1C |. E8 0AF30A00 call 004FB22B ; copy it into the destination object
0044BF21 |. 8B4D E0 mov ecx, [ebp-20]
0044BF24 |. 83C9 01 or ecx, 1 ; mark the result as produced
0044BF27 |. 894D E0 mov [ebp-20], ecx
0044BF2A |. C645 FC 01 mov byte ptr [ebp-4], 1
0044BF2E |. 8D4D E4 lea ecx, [ebp-1C]
0044BF31 |. E8 80F50A00 call 004FB4B6 ; release the working string
0044BF36 |. C645 FC 00 mov byte ptr [ebp-4], 0
0044BF3A |. 8D4D 0C lea ecx, [ebp+C]
0044BF3D |. E8 74F50A00 call 004FB4B6 ; release the user-name argument
0044BF42 |. 8B45 08 mov eax, [ebp+8] ; return value = destination object
0044BF45 |. E9 7F010000 jmp 0044C0C9 ; shared epilogue
0044BF4A |> C745 E8 00000>mov dword ptr [ebp-18], 0 ; user-name index = 0
0044BF51 |. C745 EC 00000>mov dword ptr [ebp-14], 0 ; working-string index = 0
0044BF58 |. EB 09 jmp short 0044BF63 ; enter the loop at its condition
0044BF5A |> 8B45 E8 /mov eax, [ebp-18] ; loop step: user-name index += 1
0044BF5D |. 83C0 01 |add eax, 1
0044BF60 |. 8945 E8 |mov [ebp-18], eax
0044BF63 |> 8D4D 0C lea ecx, [ebp+C]
0044BF66 |. E8 7579FCFF |call 004138E0 ; EAX = user-name length
0044BF6B |. 3945 E8 |cmp [ebp-18], eax
0044BF6E |. 0F8D BB000000 |jge 0044C02F ; every user-name char consumed: leave the XOR pass
0044BF74 |. 8B45 EC |mov eax, [ebp-14]
0044BF77 |. 50 |push eax ; /Arg1
0044BF78 |. 8D4D E4 |lea ecx, [ebp-1C] ; |
0044BF7B |. E8 A079FCFF |call 00413920 ; \fetch a char of the fixed string (UXDCOLFGHEWZ)
0044BF80 |. 0FBEF0 |movsx esi, al ; ESI = that char, sign-extended
0044BF83 |. 8B4D E8 |mov ecx, [ebp-18]
0044BF86 |. 51 |push ecx ; /Arg1
0044BF87 |. 8D4D 0C |lea ecx, [ebp+C] ; |
0044BF8A |. E8 9179FCFF |call 00413920 ; \fetch the current user-name char
0044BF8F |. 0FBED0 |movsx edx, al ; EDX = that char, sign-extended
0044BF92 |. 33F2 |xor esi, edx ; first XOR of ESI and EDX
0044BF94 |. 56 |push esi ; value to store
0044BF95 |. 8B45 EC |mov eax, [ebp-14]
0044BF98 |. 50 |push eax ; position in the working string
0044BF99 |. 8D4D E4 |lea ecx, [ebp-1C]
0044BF9C |. E8 C7FA0A00 |call 004FBA68 ; store the XOR result back at that position
0044BFA1 |. 837D E8 00 |cmp dword ptr [ebp-18], 0
0044BFA5 |. 74 30 |je short 0044BFD7 ; first user-name char: no previous char to mix in
0044BFA7 |. 8B45 EC |mov eax, [ebp-14]
0044BFAA |. 50 |push eax ; /Arg1
0044BFAB |. 8D4D E4 |lea ecx, [ebp-1C] ; |
0044BFAE |. E8 6D79FCFF |call 00413920 ; \fetch the result of the first XOR
0044BFB3 |. 0FBEF0 |movsx esi, al ; into ESI
0044BFB6 |. 8B4D E8 |mov ecx, [ebp-18]
0044BFB9 |. 83E9 01 |sub ecx, 1 ; user-name index - 1
0044BFBC |. 51 |push ecx ; /Arg1
0044BFBD |. 8D4D 0C |lea ecx, [ebp+C] ; |
0044BFC0 |. E8 5B79FCFF |call 00413920 ; \second round reads the user name one position behind the first
0044BFC5 |. 0FBED0 |movsx edx, al ; EDX = that char, sign-extended
0044BFC8 |. 33F2 |xor esi, edx ; second XOR of ESI and EDX
0044BFCA |. 56 |push esi
0044BFCB |. 8B45 EC |mov eax, [ebp-14]
0044BFCE |. 50 |push eax
0044BFCF |. 8D4D E4 |lea ecx, [ebp-1C]
0044BFD2 |. E8 91FA0A00 |call 004FBA68 ; store at the same working-string position
0044BFD7 |> 837D E8 01 |cmp dword ptr [ebp-18], 1
0044BFDB |. 7E 30 |jle short 0044C00D ; index <= 1: there is no char two positions back
0044BFDD |. 8B45 EC |mov eax, [ebp-14]
0044BFE0 |. 50 |push eax ; /Arg1
0044BFE1 |. 8D4D E4 |lea ecx, [ebp-1C] ; |
0044BFE4 |. E8 3779FCFF |call 00413920 ; \fetch the result of the second XOR
0044BFE9 |. 0FBEF0 |movsx esi, al ; XOR result into ESI
0044BFEC |. 8B4D E8 |mov ecx, [ebp-18]
0044BFEF |. 83E9 02 |sub ecx, 2 ; user-name index - 2
0044BFF2 |. 51 |push ecx ; /Arg1
0044BFF3 |. 8D4D 0C |lea ecx, [ebp+C] ; |
0044BFF6 |. E8 2579FCFF |call 00413920 ; \third round reads the user name one position behind the second
0044BFFB |. 0FBED0 |movsx edx, al ; into EDX
0044BFFE |. 33F2 |xor esi, edx ; third XOR of ESI and EDX
0044C000 |. 56 |push esi
0044C001 |. 8B45 EC |mov eax, [ebp-14]
0044C004 |. 50 |push eax
0044C005 |. 8D4D E4 |lea ecx, [ebp-1C]
0044C008 |. E8 5BFA0A00 |call 004FBA68 ; store at the same working-string position
0044C00D |> 8B45 EC |mov eax, [ebp-14] ; working-string index += 1
0044C010 |. 83C0 01 |add eax, 1
0044C013 |. 8945 EC |mov [ebp-14], eax
0044C016 |. 8D4D E4 |lea ecx, [ebp-1C]
0044C019 |. E8 C278FCFF |call 004138E0 ; EAX = working-string length
0044C01E |. 3945 EC |cmp [ebp-14], eax
0044C021 |. 75 07 |jnz short 0044C02A
0044C023 |. C745 EC 00000>|mov dword ptr [ebp-14], 0 ; index reached the length: wrap to position 0
0044C02A |>^ E9 2BFFFFFF \jmp 0044BF5A ; next user-name char
0044C02F |> C745 EC 00000>mov dword ptr [ebp-14], 0 ; second pass: working-string index = 0
0044C036 |. EB 09 jmp short 0044C041 ; enter the loop at its condition
0044C038 |> 8B45 EC /mov eax, [ebp-14] ; loop step: working-string index += 1
0044C03B |. 83C0 01 |add eax, 1
0044C03E |. 8945 EC |mov [ebp-14], eax
0044C041 |> 8D4D E4 lea ecx, [ebp-1C]
0044C044 |. E8 9778FCFF |call 004138E0 ; length of the string produced above (the author calls that string E)
0044C049 |. 3945 EC |cmp [ebp-14], eax
0044C04C |. 7D 4B |jge short 0044C099 ; every position handled: go and return the result
0044C04E |> 8B45 EC |/mov eax, [ebp-14] ; inner loop: re-test the current position
0044C051 |. 50 ||push eax ; /Arg1
0044C052 |. 8D4D E4 ||lea ecx, [ebp-1C] ; |
0044C055 |. E8 C678FCFF ||call 00413920 ; \fetch a char of E
0044C05A |. 0FBEC8 ||movsx ecx, al ; ECX = that char, sign-extended
0044C05D |. 83F9 41 ||cmp ecx, 41 ; compare with 41
0044C060 |. 7C 14 ||jl short 0044C076 ; below 41 (signed): go to the step that adds 1B, repeated until the value is >= 41
0044C062 |. 8B45 EC ||mov eax, [ebp-14]
0044C065 |. 50 ||push eax ; /Arg1
0044C066 |. 8D4D E4 ||lea ecx, [ebp-1C] ; |
0044C069 |. E8 B278FCFF ||call 00413920 ; \fetch the char of E again (E after any 1B additions)
0044C06E |. 0FBEC8 ||movsx ecx, al ; ECX = that char, sign-extended
0044C071 |. 83F9 5A ||cmp ecx, 5A ; compare with 5A
0044C074 |. 7E 21 ||jle short 0044C097 ; within 41..5A: this position is done
0044C076 |> 8B45 EC ||mov eax, [ebp-14] ; out of range: adjust the char
0044C079 |. 50 ||push eax ; /Arg1
0044C07A |. 8D4D E4 ||lea ecx, [ebp-1C] ; |
0044C07D |. E8 9E78FCFF ||call 00413920 ; \fetch the char of E
0044C082 |. 0FBEC8 ||movsx ecx, al ; ECX = that char, sign-extended
0044C085 |. 83C1 1B ||add ecx, 1B ; add 1B
0044C088 |. 51 ||push ecx ; value to store
0044C089 |. 8B55 EC ||mov edx, [ebp-14]
0044C08C |. 52 ||push edx ; position in the working string
0044C08D |. 8D4D E4 ||lea ecx, [ebp-1C]
0044C090 |. E8 D3F90A00 ||call 004FBA68 ; store the adjusted char
0044C095 |.^ EB B7 |\jmp short 0044C04E ; test the same position again
0044C097 |>^ EB 9F \jmp short 0044C038 ; next position
0044C099 |> 8D45 E4 lea eax, [ebp-1C] ; the final result (the author's "real code 2") is at the address held in EAX
0044C09C |. 50 push eax
0044C09D |. 8B4D 08 mov ecx, [ebp+8]
0044C0A0 |. E8 86F10A00 call 004FB22B ; copy the working string into the destination object
0044C0A5 |. 8B4D E0 mov ecx, [ebp-20]
0044C0A8 |. 83C9 01 or ecx, 1 ; mark the result as produced
0044C0AB |. 894D E0 mov [ebp-20], ecx
0044C0AE |. C645 FC 01 mov byte ptr [ebp-4], 1
0044C0B2 |. 8D4D E4 lea ecx, [ebp-1C]
0044C0B5 |. E8 FCF30A00 call 004FB4B6 ; release the working string
0044C0BA |. C645 FC 00 mov byte ptr [ebp-4], 0
0044C0BE |. 8D4D 0C lea ecx, [ebp+C]
0044C0C1 |. E8 F0F30A00 call 004FB4B6 ; release the user-name argument
0044C0C6 |. 8B45 08 mov eax, [ebp+8] ; return value = destination object
0044C0C9 |> 8B4D F4 mov ecx, [ebp-C] ; shared epilogue: saved previous handler record
0044C0CC |. 64:890D 00000>mov fs:[0], ecx ; unlink this frame's handler record
0044C0D3 |. 5F pop edi
0044C0D4 |. 5E pop esi
0044C0D5 |. 5B pop ebx
0044C0D6 |. 8BE5 mov esp, ebp
0044C0D8 |. 5D pop ebp
0044C0D9 \. C2 0800 retn 8 ; callee pops the two stack arguments
------------------------------------------------------------------------ 【破解总结】 1、注册失败提示未以明文直接出现,而以各字符ASCII值出现,增加了破解难度; 2、存在注册黑名单,如用户名与黑名单中用户名一致,则注册失败; 3、用户名长度不同,则有不同的注册算法,注册名长度等于小于7,采用注册算法(2),注册名长度大于7,采用注册算法(3)(当注册名长度等于小于7,固定字符串“UXDCOLFGHEWZ”可做通用注册码:),当注册名长度大于7,真码1,真码2均可注册成功,是否有暗桩,未及测试); 4、注册信息保存于注册表中 [HKEY_CURRENT_USER\Software\Photoplorer\Photoplorer\Settings] ------------------------------------------------------------------------ 【版权声明】本文系作者原创, 转载请注明作者并保持文章的完整, 谢谢!

[转帖]菜鸟算法练习破文六

学习ing...
谢谢楼主~!
