文件夹加密精灵算法分析
- 启动程序,点击注册,输入序列号:9090,程序提示重启。复制机器码后搜索注册表,发现程序在注册表中名为000的值处保存机器码。
详细过程
启动程序,点击注册,输入序列号:9090,程序提示重启。复制机器码后搜索注册表,发现程序在注册表中名
为000的值处保存机器码。用 OllyDbg 载入程序,下断点 bp RegQueryValueExA,然后按 F9 运行。
77DA2410 > 55 push ebp/////////////////段在这里,ctrl+F9返回
77DA2411 8BEC mov ebp, esp
77DA2413 83EC 2C sub esp, 2C
77DA2416 57 push edi
77DA2417 33FF xor edi, edi
77DA2419 397D 10 cmp [ebp+10], edi
77DA241C 897D F8 mov [ebp-8], edi
77DA241F 897D F4 mov [ebp-C], edi
77DA2422 0F85 37F60000 jnz 77DB1A5F
77DA2428 397D 18 cmp [ebp+18], edi
77DA242B 0F85 C9000000 jnz 77DA24FA
77DA2431 53 push ebx
77DA2432 8D45 F4 lea eax, [ebp-C]
77DA2435 50 push eax
77DA2436 FF75 08 push dword ptr [ebp+8]
77DA2439 E8 92F2FFFF call 77DA16D0
77DA243E 8BD8 mov ebx, eax
77DA2440 3BDF cmp ebx, edi
77DA2442 0F84 EDF50000 je 77DB1A35
77DA2448 56 push esi
77DA2449 897D E0 mov [ebp-20], edi
77DA244C 64:A1 18000000 mov eax, fs:[18]
77DA2452 FF75 0C push dword ptr [ebp+C]
77DA2455 8DB0 F80B0000 lea esi, [eax+BF8]
77DA245B 8D45 D4 lea eax, [ebp-2C]
77DA245E 50 push eax
77DA245F FF15 7413DA77 call[<&ntdll.RtlInitAnsiString>];ntdll.RtlInitAnsiString
77DA2465 57 push edi
/////////////////////////////////////////////////
; Tail of the registration check (OllyDbg listing, Intel syntax). The function's
; entry and the RegQueryValueExA call sit above 0040518F and are not shown.
; Visible contract:
;   in:   eax      = status just returned by RegQueryValueExA
;         [ebp-20] = object pointer, later passed in ecx (thiscall); its member
;                    at +0C4 is the byte source for the copy loop (presumably the
;                    value read back from the registry -- confirm from the caller)
;         [ebp-14] = hKey opened earlier; closed before returning
;   out:  eax = 0 when the registry read failed, otherwise whatever 00405AB0
;         returns (saved in [ebp-10] across RegCloseKey)
;   side effect: global buffer 0045E854..0045E867 overwritten with 20 bytes,
;         0045E868 set to NUL (0045E854 + 14h)
0040518F . 8945 E4 mov[ebp-1C],eax ; [ebp-1C] = RegQueryValueExA status (execution returns here after the breakpoint; F8 single-step from this point)
00405192 . 837D E4 00 cmp dword ptr [ebp-1C], 0 ; 0 = ERROR_SUCCESS
00405196 . 74 04 je short 0040519C ; read succeeded -> build the buffer
00405198 . 33C0 xor eax, eax ; read failed: return 0
0040519A . EB 53 jmp short 004051EF ; -> epilogue
0040519C > C745 E8 00000>mov dword ptr [ebp-18], 0 ; i = 0
004051A3 . EB 09 jmp short 004051AE ; -> loop condition
004051A5 > 8B55 E8 /mov edx, [ebp-18] ; loop increment: edx = i
004051A8 . 83C2 01 add edx, 1 ; i + 1
004051AB . 8955 E8 mov [ebp-18], edx ; store i
004051AE > 837D E8 14 cmp dword ptr[ebp-18],14 ; loop condition: continue while i < 14h (20); signed compare (jge) on the counter
004051B2 . 7D 17 jge short 004051CB ; i >= 20 -> done, exactly 20 bytes copied
004051B4 . 8B45 E0 mov eax, [ebp-20] ; eax = this
004051B7 . 0345 E8 add eax, [ebp-18] ; eax = this + i
004051BA . 8B4D E8 mov ecx, [ebp-18] ; ecx = i
004051BD . 8A90 C4000000 mov dl, [eax+C4] ; dl = this->member[+0C4][i]
004051C3 . 8891 54E84500 mov[ecx+45E854],dl ; 0045E854[i] = dl -- 20 bytes copied verbatim into the global buffer; no check against the length RegQueryValueExA actually returned
004051C9 .^ EB DA \jmp short 004051A5 ; next byte
004051CB > C605 68E84500>mov byte ptr [45E868], 0 ; NUL-terminate at 0045E854 + 14h
004051D2 . 68 54E84500 push 0045E854 ; /Arg1 = 0045E854 (the 20-byte buffer just built)
004051D7 . 8B4D E0 mov ecx, [ebp-20] ; ecx = this (thiscall)
004051DA . E8 D1080000 call 00405AB0 ;\FolderPr.00405AB0 -- validation routine, verdict comes back in eax (step in with F7 to follow it)
004051DF . 8945 F0 mov [ebp-10], eax ; keep the verdict; RegCloseKey clobbers eax
004051E2 . 8B45 EC mov eax, [ebp-14] ; hKey opened earlier
004051E5 . 50 push eax ; /hKey
004051E6 . FF15 00F04400 call[<&ADVAPI32.RegCloseKey>]; \RegCloseKey
004051EC . 8B45 F0 mov eax, [ebp-10] ; eax = verdict
004051EF > 8BE5 mov esp, ebp ; epilogue (shared with the failure path above)
004051F1 . 5D pop ebp
004051F2 \. C3 retn
- 作者:管理员 时间:2009-6-21 来源:网络 人气: