Key call (1), entered from 407C68: the copy helper at 0042D95A (the complete function is listed below).
// Mp3Recor.0042D95A — key call (1), reached from 407C68.
// thiscall-style copy helper: ECX = destination object, [ESP+8] = pointer to the source object
// (here the object holding the registration name). Returns EAX = destination; preserves ESI.
// The dword 0xC bytes before the text is a share/reference count (it is the value handed to
// InterlockedIncrement below), NOT the string length, so the test at 0042D963 is not an
// "is the name empty" check. The header layout (count at -0xC, length at -8 as read by the
// caller at 408164) matches MFC's CString — presumably this is CString's copy constructor;
// confirm against the MFC source before relying on that.
0042D95A /$ 56 PUSH ESI //save callee-saved ESI
0042D95B |. 8BF1 MOV ESI,ECX //ESI = this (destination object)
0042D95D |. 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] //ECX = pointer to the source object (the one stack argument)
0042D961 |. 8B01 MOV EAX,DWORD PTR DS:[ECX] //EAX = source text pointer (the registration name)
0042D963 |. 8378 F4 00 CMP DWORD PTR DS:[EAX-C],0 //test the header dword 0xC before the text: the share count, not the length
0042D967 |. 7C 0E JL SHORT Mp3Recor.0042D977 //signed branch: taken only when the count is NEGATIVE (buffer presumably marked non-shareable); a count of 0 falls through
0042D969 |. 8906 MOV DWORD PTR DS:[ESI],EAX //share the buffer: destination now points at the same text
0042D96B |. 83C0 F4 ADD EAX,-0C //EAX = address of the share count
0042D96E |. 50 PUSH EAX ; /pVar
0042D96F |. FF15 8C334400 CALL DWORD PTR DS:[<&KERNEL32.Interlocke>; \InterlockedIncrement //atomically bump the share count
0042D975 |. EB 10 JMP SHORT Mp3Recor.0042D987 //done; return this
0042D977 |> A1 803A4500 MOV EAX,DWORD PTR DS:[453A80] //non-shareable path: EAX = global default (presumably empty) buffer pointer
0042D97C |. 8906 MOV DWORD PTR DS:[ESI],EAX //destination starts out pointing at that default buffer
0042D97E |. FF31 PUSH DWORD PTR DS:[ECX] //arg: source text pointer
0042D980 |. 8BCE MOV ECX,ESI //this = destination
0042D982 |. E8 E7030000 CALL Mp3Recor.0042DD6E //body not shown; from the call shape it presumably allocates and copies the source text into the destination
0042D987 |> 8BC6 MOV EAX,ESI //return value = this
0042D989 |. 5E POP ESI
0042D98A \. C2 0400 RETN 4 //callee pops the one 4-byte stack argument
------------------------------------------------------------------
Key call (2), entered from 407C76: the serial-number computation at 004080F0. Only the prologue, the input checks and the digit loop are shown; the function continues past the end of this excerpt (the JLE at 408195 targets 4081D4, which is not listed).
004080F0 /$ 6A FF PUSH -1
004080F2 |. 68 E0004400 PUSH Mp3Recor.004400E0 ; SE handler installation
004080F7 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004080FD |. 50 PUSH EAX
004080FE |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00408105 |. 81EC D4000000 SUB ESP,0D4
0040810B |. 53 PUSH EBX
0040810C |. 33DB XOR EBX,EBX
0040810E |. 899C24 E000000>MOV DWORD PTR SS:[ESP+E0],EBX
00408115 |. 8B8424 E800000>MOV EAX,DWORD PTR SS:[ESP+E8] //注册名放入eax
0040811C |. 68 94674500 PUSH Mp3Recor.00456794 ; /Arg2 = 00456794
00408121 |. 50 PUSH EAX ; |Arg1
00408122 |. C781 E4000000 >MOV DWORD PTR DS:[ECX+E4],1 ; |
0040812C |. E8 24110100 CALL Mp3Recor.00419255 ; \Mp3Recor.00419255
00408131 |. 83C4 08 ADD ESP,8
00408134 |. 85C0 TEST EAX,EAX
00408136 |. 0F84 19010000 JE Mp3Recor.00408255
0040813C |. 8B8C24 EC00000>MOV ECX,DWORD PTR SS:[ESP+EC] //假码放入ecx
00408143 |. 68 94674500 PUSH Mp3Recor.00456794 ; /Arg2 = 00456794
00408148 |. 51 PUSH ECX ; |Arg1 //假码入栈
00408149 |. E8 07110100 CALL Mp3Recor.00419255 ; \Mp3Recor.00419255
0040814E |. 83C4 08 ADD ESP,8
00408151 |. 85C0 TEST EAX,EAX
00408153 |. 0F84 FC000000 JE Mp3Recor.00408255
00408159 |. 55 PUSH EBP
0040815A |. 8BAC24 EC00000>MOV EBP,DWORD PTR SS:[ESP+EC]
00408161 |. 56 PUSH ESI
00408162 |. B0 72 MOV AL,72 //al=72
00408164 |. 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8] //注册名长度送 esi
00408167 |. 33C9 XOR ECX,ECX //ecx清零,做记数器
00408169 |. 3BF3 CMP ESI,EBX
0040816B |. C64424 0C 6D MOV BYTE PTR SS:[ESP+C],6D //6D = m
00408170 |. C64424 0D 70 MOV BYTE PTR SS:[ESP+D],70 //70 = p
00408175 |. C64424 0E 33 MOV BYTE PTR SS:[ESP+E],33 //33 = 3
0040817A |. 884424 0F MOV BYTE PTR SS:[ESP+F],AL //AL = 72 = r
0040817E |. C64424 10 65 MOV BYTE PTR SS:[ESP+10],65 //65 = e
00408183 |. C64424 11 63 MOV BYTE PTR SS:[ESP+11],63 //63 = c
00408188 |. C64424 12 6F MOV BYTE PTR SS:[ESP+12],6F //6F = o
0040818D |. 884424 13 MOV BYTE PTR SS:[ESP+13],AL //AL = 72 = r
00408191 |. 885C24 14 MOV BYTE PTR SS:[ESP+14],BL //BL = 0,这句无用途?
//Summary of the stores above: they build the 8-byte constant "mp3recor" at [ESP+C] one byte at a time instead of referencing it from the data section (so the key does not show up in a plain string dump). The byte of BL = 0 stored at [ESP+14] is the NUL terminator of that string, not a no-op. After the PUSH EDI at 408197 the same bytes are addressed as [ESP+10] inside the loop.
00408195 |. 7E 3D JLE SHORT Mp3Recor.004081D4
00408197 |. 57 PUSH EDI
00408198 |. 8D7C34 1B LEA EDI,DWORD PTR SS:[ESP+ESI+1B]
//Loop start. Registers: EBP = name text, ESI = name length, ECX = index i (counts up from 0), EDI = output cursor (starts at [ESP+ESI+1B] and moves DOWN one byte per iteration). Per character: digit = ((int8)name[i] + i + "mp3recor"[i % 8] + length) % 9 + '0'. The AND 80000007 / JNS / DEC / OR / INC sequence at 4081A1–4081AD is the compiler's signed i % 8, which equals i & 7 for the non-negative i used here.
0040819C |> 8A0429 /MOV AL,BYTE PTR DS:[ECX+EBP] //逐位取注册名的ASCII值,并放入 al
0040819F |. 8BD1 |MOV EDX,ECX //edx=ecx
004081A1 |. 81E2 07000080 |AND EDX,80000007 //edx∧80000007,此时edx为循环的次数
004081A7 |. 79 05 |JNS SHORT Mp3Recor.004081AE //非负数则跳到 4081AE 继续
004081A9 |. 4A |DEC EDX
004081AA |. 83CA F8 |OR EDX,FFFFFFF8
004081AD |. 42 |INC EDX
004081AE |> 0FBE5414 10 |MOVSX EDX,BYTE PTR SS:[ESP+EDX+10] //从预设字串 mp3recor 中逐位取字符,放入 edx
004081B3 |. 0FBEC0 |MOVSX EAX,AL //取用户名ASCII
004081B6 |. 8BD9 |MOV EBX,ECX //ebx=ecx,ecx 为循环次数,从0开始算
004081B8 |. 03DA |ADD EBX,EDX //ebx=ebx+edx,edx 中是取得的预设字串的ASCII值(第N次循环就取第N个,预设字串长度为8,所以8次后从头开始取)
004081BA |. 03C3 |ADD EAX,EBX //eax=eax+ebx
004081BC |. BB 09000000 |MOV EBX,9 //ebx=9
004081C1 |. 03C6 |ADD EAX,ESI //eax=eax+esi,esi中是注册名长度
004081C3 |. 99 |CDQ //edx双字扩展(清零)
004081C4 |. F7FB |IDIV EBX //eax=eax/9,余数放入 edx
004081C6 |. 80C2 30 |ADD DL,30 //dl=dl+30,即余数+30
004081C9 |. 41 |INC ECX //记数器+1
004081CA |. 8817 |MOV BYTE PTR DS:[EDI],DL //dl->[EDI],dl中是对应注册名计算出来的注册码
004081CC |. 4F |DEC EDI //edi-1,地址往前推,所以求出的注册码是逆着放的,即注册名第一个字符计算出来的数,应该是此部分注册码的最后一个数
004081CD |. 3BCE |CMP ECX,ESI //比较注册名是否已取完
004081CF |.^7C CB \JL SHORT Mp3Recor.0040819C //没有取完则跳回去继续
//Loop end. The buffer now holds ESI characters, each in '0'..'8', with the digit derived from name[0] at the highest address [ESP+ESI+1B] and the one from the last character at [ESP+1C], i.e. the sequence is reversed relative to the name. Two points a reviewer should note: (1) name bytes are sign-extended (MOVSX at 4081B3), so a byte >= 0x80 can make the sum negative; IDIV then yields a negative remainder and ADD DL,30 produces a character below '0' — unless the caller rejects non-ASCII names (not visible here), such names get non-digit output. (2) Nothing visible bounds ESI against the frame: the output buffer lives inside the 0xD4-byte frame allocated at 408105, and by my count of the frame a name of about 0xC9 (201) bytes or more would write past the locals into the SEH record pushed at 4080F2–4080FE and then the return address. Whether the caller caps the name length (e.g. the dialog's edit-control limit) is not visible — confirm before treating this as a reachable overflow.
// Mp3Recor.0042D95A — key call (1), reached from 407C68.
// thiscall-style copy helper: ECX = destination object, [ESP+8] = pointer to the source object
// (here the object holding the registration name). Returns EAX = destination; preserves ESI.
// The dword 0xC bytes before the text is a share/reference count (it is the value handed to
// InterlockedIncrement below), NOT the string length, so the test at 0042D963 is not an
// "is the name empty" check. The header layout (count at -0xC, length at -8 as read by the
// caller at 408164) matches MFC's CString — presumably this is CString's copy constructor;
// confirm against the MFC source before relying on that.
0042D95A /$ 56 PUSH ESI //save callee-saved ESI
0042D95B |. 8BF1 MOV ESI,ECX //ESI = this (destination object)
0042D95D |. 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] //ECX = pointer to the source object (the one stack argument)
0042D961 |. 8B01 MOV EAX,DWORD PTR DS:[ECX] //EAX = source text pointer (the registration name)
0042D963 |. 8378 F4 00 CMP DWORD PTR DS:[EAX-C],0 //test the header dword 0xC before the text: the share count, not the length
0042D967 |. 7C 0E JL SHORT Mp3Recor.0042D977 //signed branch: taken only when the count is NEGATIVE (buffer presumably marked non-shareable); a count of 0 falls through
0042D969 |. 8906 MOV DWORD PTR DS:[ESI],EAX //share the buffer: destination now points at the same text
0042D96B |. 83C0 F4 ADD EAX,-0C //EAX = address of the share count
0042D96E |. 50 PUSH EAX ; /pVar
0042D96F |. FF15 8C334400 CALL DWORD PTR DS:[<&KERNEL32.Interlocke>; \InterlockedIncrement //atomically bump the share count
0042D975 |. EB 10 JMP SHORT Mp3Recor.0042D987 //done; return this
0042D977 |> A1 803A4500 MOV EAX,DWORD PTR DS:[453A80] //non-shareable path: EAX = global default (presumably empty) buffer pointer
0042D97C |. 8906 MOV DWORD PTR DS:[ESI],EAX //destination starts out pointing at that default buffer
0042D97E |. FF31 PUSH DWORD PTR DS:[ECX] //arg: source text pointer
0042D980 |. 8BCE MOV ECX,ESI //this = destination
0042D982 |. E8 E7030000 CALL Mp3Recor.0042DD6E //body not shown; from the call shape it presumably allocates and copies the source text into the destination
0042D987 |> 8BC6 MOV EAX,ESI //return value = this
0042D989 |. 5E POP ESI
0042D98A \. C2 0400 RETN 4 //callee pops the one 4-byte stack argument
------------------------------------------------------------------
Key call (2), entered from 407C76: the serial-number computation at 004080F0. Only the prologue, the input checks and the digit loop are shown; the function continues past the end of this excerpt (the JLE at 408195 targets 4081D4, which is not listed).
004080F0 /$ 6A FF PUSH -1
004080F2 |. 68 E0004400 PUSH Mp3Recor.004400E0 ; SE handler installation
004080F7 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004080FD |. 50 PUSH EAX
004080FE |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00408105 |. 81EC D4000000 SUB ESP,0D4
0040810B |. 53 PUSH EBX
0040810C |. 33DB XOR EBX,EBX
0040810E |. 899C24 E000000>MOV DWORD PTR SS:[ESP+E0],EBX
00408115 |. 8B8424 E800000>MOV EAX,DWORD PTR SS:[ESP+E8] //注册名放入eax
0040811C |. 68 94674500 PUSH Mp3Recor.00456794 ; /Arg2 = 00456794
00408121 |. 50 PUSH EAX ; |Arg1
00408122 |. C781 E4000000 >MOV DWORD PTR DS:[ECX+E4],1 ; |
0040812C |. E8 24110100 CALL Mp3Recor.00419255 ; \Mp3Recor.00419255
00408131 |. 83C4 08 ADD ESP,8
00408134 |. 85C0 TEST EAX,EAX
00408136 |. 0F84 19010000 JE Mp3Recor.00408255
0040813C |. 8B8C24 EC00000>MOV ECX,DWORD PTR SS:[ESP+EC] //假码放入ecx
00408143 |. 68 94674500 PUSH Mp3Recor.00456794 ; /Arg2 = 00456794
00408148 |. 51 PUSH ECX ; |Arg1 //假码入栈
00408149 |. E8 07110100 CALL Mp3Recor.00419255 ; \Mp3Recor.00419255
0040814E |. 83C4 08 ADD ESP,8
00408151 |. 85C0 TEST EAX,EAX
00408153 |. 0F84 FC000000 JE Mp3Recor.00408255
00408159 |. 55 PUSH EBP
0040815A |. 8BAC24 EC00000>MOV EBP,DWORD PTR SS:[ESP+EC]
00408161 |. 56 PUSH ESI
00408162 |. B0 72 MOV AL,72 //al=72
00408164 |. 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8] //注册名长度送 esi
00408167 |. 33C9 XOR ECX,ECX //ecx清零,做记数器
00408169 |. 3BF3 CMP ESI,EBX
0040816B |. C64424 0C 6D MOV BYTE PTR SS:[ESP+C],6D //6D = m
00408170 |. C64424 0D 70 MOV BYTE PTR SS:[ESP+D],70 //70 = p
00408175 |. C64424 0E 33 MOV BYTE PTR SS:[ESP+E],33 //33 = 3
0040817A |. 884424 0F MOV BYTE PTR SS:[ESP+F],AL //AL = 72 = r
0040817E |. C64424 10 65 MOV BYTE PTR SS:[ESP+10],65 //65 = e
00408183 |. C64424 11 63 MOV BYTE PTR SS:[ESP+11],63 //63 = c
00408188 |. C64424 12 6F MOV BYTE PTR SS:[ESP+12],6F //6F = o
0040818D |. 884424 13 MOV BYTE PTR SS:[ESP+13],AL //AL = 72 = r
00408191 |. 885C24 14 MOV BYTE PTR SS:[ESP+14],BL //BL = 0,这句无用途?
//Summary of the stores above: they build the 8-byte constant "mp3recor" at [ESP+C] one byte at a time instead of referencing it from the data section (so the key does not show up in a plain string dump). The byte of BL = 0 stored at [ESP+14] is the NUL terminator of that string, not a no-op. After the PUSH EDI at 408197 the same bytes are addressed as [ESP+10] inside the loop.
00408195 |. 7E 3D JLE SHORT Mp3Recor.004081D4
00408197 |. 57 PUSH EDI
00408198 |. 8D7C34 1B LEA EDI,DWORD PTR SS:[ESP+ESI+1B]
//Loop start. Registers: EBP = name text, ESI = name length, ECX = index i (counts up from 0), EDI = output cursor (starts at [ESP+ESI+1B] and moves DOWN one byte per iteration). Per character: digit = ((int8)name[i] + i + "mp3recor"[i % 8] + length) % 9 + '0'. The AND 80000007 / JNS / DEC / OR / INC sequence at 4081A1–4081AD is the compiler's signed i % 8, which equals i & 7 for the non-negative i used here.
0040819C |> 8A0429 /MOV AL,BYTE PTR DS:[ECX+EBP] //逐位取注册名的ASCII值,并放入 al
0040819F |. 8BD1 |MOV EDX,ECX //edx=ecx
004081A1 |. 81E2 07000080 |AND EDX,80000007 //edx∧80000007,此时edx为循环的次数
004081A7 |. 79 05 |JNS SHORT Mp3Recor.004081AE //非负数则跳到 4081AE 继续
004081A9 |. 4A |DEC EDX
004081AA |. 83CA F8 |OR EDX,FFFFFFF8
004081AD |. 42 |INC EDX
004081AE |> 0FBE5414 10 |MOVSX EDX,BYTE PTR SS:[ESP+EDX+10] //从预设字串 mp3recor 中逐位取字符,放入 edx
004081B3 |. 0FBEC0 |MOVSX EAX,AL //取用户名ASCII
004081B6 |. 8BD9 |MOV EBX,ECX //ebx=ecx,ecx 为循环次数,从0开始算
004081B8 |. 03DA |ADD EBX,EDX //ebx=ebx+edx,edx 中是取得的预设字串的ASCII值(第N次循环就取第N个,预设字串长度为8,所以8次后从头开始取)
004081BA |. 03C3 |ADD EAX,EBX //eax=eax+ebx
004081BC |. BB 09000000 |MOV EBX,9 //ebx=9
004081C1 |. 03C6 |ADD EAX,ESI //eax=eax+esi,esi中是注册名长度
004081C3 |. 99 |CDQ //edx双字扩展(清零)
004081C4 |. F7FB |IDIV EBX //eax=eax/9,余数放入 edx
004081C6 |. 80C2 30 |ADD DL,30 //dl=dl+30,即余数+30
004081C9 |. 41 |INC ECX //记数器+1
004081CA |. 8817 |MOV BYTE PTR DS:[EDI],DL //dl->[EDI],dl中是对应注册名计算出来的注册码
004081CC |. 4F |DEC EDI //edi-1,地址往前推,所以求出的注册码是逆着放的,即注册名第一个字符计算出来的数,应该是此部分注册码的最后一个数
004081CD |. 3BCE |CMP ECX,ESI //比较注册名是否已取完
004081CF |.^7C CB \JL SHORT Mp3Recor.0040819C //没有取完则跳回去继续
//Loop end. The buffer now holds ESI characters, each in '0'..'8', with the digit derived from name[0] at the highest address [ESP+ESI+1B] and the one from the last character at [ESP+1C], i.e. the sequence is reversed relative to the name. Two points a reviewer should note: (1) name bytes are sign-extended (MOVSX at 4081B3), so a byte >= 0x80 can make the sum negative; IDIV then yields a negative remainder and ADD DL,30 produces a character below '0' — unless the caller rejects non-ASCII names (not visible here), such names get non-digit output. (2) Nothing visible bounds ESI against the frame: the output buffer lives inside the 0xD4-byte frame allocated at 408105, and by my count of the frame a name of about 0xC9 (201) bytes or more would write past the locals into the SEH record pushed at 4080F2–4080FE and then the return address. Whether the caller caps the name length (e.g. the dialog's edit-control limit) is not visible — confirm before treating this as a reachable overflow.


