safeengine虚拟机licence破解手记

来源：互联网发布：游戏自动签到软件编辑：程序博客网时间：2024/04/19 05:36

声明:请支持使用正版软件，尊重原作者的劳动成果，此文只做技术交流，如有他人利用，产生后果，不负任何责任。

Safengine是一个具有反调试、反附加、动态自效验等功能，同时提供了对代码的变形、乱序和虚拟化等功能的应用程序保护壳，是一款简单易用的软件保护工具，它改变您的软件执行流程，以达到阻碍自动分析，消耗破解时间、精力的目的。

Safengine的代码分析引擎将在保护应用程序时提供完整的分析，从而对应用程序进行系统化的保护，将您的原始代码移动和变形，并且加入无数垃圾代码和反调试、跟踪代码。

Safengine处理的范围是整个程序，而不是程序里的某一个过程。所以，即使您的关键代码在保护后未经变形，也需要耗费破解者很长的时间才能找到，而往往只是一行两行代码，穿插在数以万计的垃圾代码中，是极其隐蔽和猥琐的。

Safengine的代码虚拟机在同类产品中最稳定、最完善，整体运行架构线程安全，不会改变系统对受保护代码的线程的调度。虚拟处理器采用了逻辑门级的指令拆分，使用与非和加法两个基础运算指令实现了大部分复杂的x86指令，并且使用了随机的虚拟寄存器参与运算，极大程度提高了代码保护的安全性。

在同类的软件保护壳中，Safengine提供了最完整的解决方案，集代码加密、虚拟化、授权于一体，并且每一项功能都可圈可点。

Safengine支持多种类型的文件格式：
所有32位PE文件，包括：
Win32 可执行文件 (*.exe);
Windows 屏幕保护程序 (*.scr);
动态链接库 (*.dll);
32位 ActiveX 控件 (*.ocx);
32位驱动程序 (*.sys);
破解笔记：

10017BA7      8C            db 8C
10017BA8      B2            db B2
10017BA9      00            db 00
10017BAA      00            db 00
10017BAB      00            db 00
10017BAC   . 837D 0C 00    cmp dword ptr ss:[ebp+0xC],0x0
10017BB0   . 0F84 A8000000 je safeengine.10017C5E
10017BB6   . EB 42         jmp Xsafeengine.10017BFA
10017BB8      6A            db 6A                                                              ; CHAR 'j'
10017BB9      10            db 10
10017BBA      E8            db E8
10017BBB      8E            db 8E
10017BBC      FD            db FD
10017BBD      FF            db FF
10017BBE      FF            db FF
10017BBF      85            db 85
10017BC0      C0            db C0
10017BC1      74            db 74                                                              ; CHAR 't'
10017BC2      0A            db 0A
10017BC3      C7            db C7
10017BC4      00            db 00
10017BC5      D8A90110      dd safeengine.1001A9D8
10017BC9      8B            db 8B
10017BCA      F8            db F8
10017BCB      EB            db EB
10017BCC      02            db 02
10017BCD      33            db 33                                                              ; CHAR '3'
10017BCE      FF            db FF
10017BCF      83            db 83
10017BD0      67            db 67                                                              ; CHAR 'g'
10017BD1      08            db 08
10017BD2      00            db 00
10017BD3      83            db 83
10017BD4      67            db 67                                                              ; CHAR 'g'
10017BD5      0C            db 0C
10017BD6      00            db 00
10017BD7      8D            db 8D
10017BD8      5F            db 5F                                                              ; CHAR '_'
10017BD9      08            db 08
10017BDA      8D            db 8D
10017BDB      46            db 46                                                              ; CHAR 'F'
10017BDC      1C            db 1C
10017BDD      50            db 50                                                              ; CHAR 'P'
10017BDE      89            db 89
10017BDF      7D            db 7D                                                              ; CHAR '}'
10017BE0      FC            db FC
10017BE1      E8            db E8
10017BE2   . BF B01A00A2   mov edi,0xA2001AB0

0040280F   . 68 80000000   push 0x80
00402814   . 8BCE          mov ecx,esi
00402816   . C64424 74 01 mov byte ptr ss:[esp+0x74],0x1
0040281B   . FF90 C0000000 call dword ptr ds:[eax+0xC0]
00402821   . 85C0          test eax,eax
00402823   . 75 54         jnz XBlendDes.00402879
00402825   . 6A 01         push 0x1
00402827   . 6A 12         push 0x12
00402829   . 6A 12         push 0x12
0040282B   . 8D4C24 28     lea ecx,dword ptr ss:[esp+0x28]
0040282F   . 50            push eax
00402830   . 51            push ecx
00402831   . 90            nop
00402832   . E8 1FD60300   call BlendDes.0043FE56
00402837   . 8BCF          mov ecx,edi
00402839   . C747 20 00000>mov dword ptr ds:[edi+0x20],0x0
00402840   . E8 0B010000   call BlendDes.00402950    //弹出提示对话框无key
00402845   > 8D4C24 38     lea ecx,dword ptr ss:[esp+0x38]
00402849   . C64424 64 00 mov byte ptr ss:[esp+0x64],0x0

mfc 2092
mfc 2152

Breakpoints, 条目 0
地址=0041AF30 BlendDes.<ModuleEntryPoint>
模块=BlendDes
激活=仅一次
反汇编=push ebp

Breakpoints, 条目 1
地址=0067ADA0
模块=blendmes
激活=始终
反汇编=call blendmes.0067ADA5

Breakpoints, 条目 2
地址=0067ADB0
模块=blendmes
激活=始终
反汇编=jmp dword ptr ds:[eax]

//rc_GetDocInfo
0012F460   0000000D       ....
0012F464   000042AA       狟..
0012F468   00100E74       t.
0012F46C   52475501       UGR
0012F470   0012F641       A?.            ASCII "'/"
0012F474   002DEDC9       身-.            返回到 blendmes.002DEDC9 来自 blendmes.002DEC70
0012F478   0012F478       x?.

50Ae0E74

0012F47C   0093B220
0012F480   0093B1D8
0012F484   0012F648
0012F488   0093B1D8
0012F48C   4C931B53
0012F490   4C931B53
0012F494   0191E7E8 ASCII "ef4bd11d68bbb7233ee927d3f0ab65f5"
0012F498   0A169C85
0012F49C   4B4AD311
0012F4A0   000000B2

//序列号key
EAX 0191E7E8 ASCII "03000004-1353584244-1369363929 (1000)"
ECX 0068DCB8 blendmes.0068DCB8
EDX 0191E7E9 ASCII "3000004-1353584244-1369363929 (1000)"
EBX 0093B1D8
ESP 0012F48C
EBP 00000012
ESI 0093B220
EDI 0012F4DE
EIP 0066F0C8 blendmes.0066F0C8
C 0 ES 0023 32位 0(FFFFFFFF)
P 0 CS 001B 32位 0(FFFFFFFF)
A 1 SS 0023 32位 0(FFFFFFFF)
Z 0 DS 0023 32位 0(FFFFFFFF)
S 0 FS 003B 32位 7FFDF000(4000)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 2468095.0000000000000
ST7 empty -0.0001559907540025809
               3 2 1 0      E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 掩码    1 1 1 1 1 1

006B82A9    85C0                  test eax,eax
006B82AB    75 0F                 jnz Xsafeengine.006B82BC
006B82AD    68 09836B00           push safeengine.006B8309
006B82B2    B9 C42A6C00           mov ecx,safeengine.006C2AC4
006B82B7    E8 C6FBFFFF           call safeengine.006B7E82//计算返回缓冲区
006B82BC    C3                    retn
006B82BD    E8 D5FFFFFF           call safeengine.006B8297
006B82C2    05 70100000           add eax,0x1070
006B82C7    68 74766B00           push safeengine.006B7674
006B82CC    8BC8                  mov ecx,eax

edi=00000000
ds:[00752AC4]=002CD3C8//返回值在730000 ds:[22AC4]

102637BB    8061 18 F0      and byte ptr ds:[ecx+0x18],0xF0
102637BF    80E8 03         sub al,0x3
102637C2 ^ 0F80 E8FEFFFF   jo safeengine原?102636B0
102637C8    8B99 C1000000   mov ebx,dword ptr ds:[ecx+0xC1]
102637CE    80E3 01         and bl,0x1
102637D1    3AC3            cmp al,bl
102637D3 ^ 0F85 D7FEFFFF   jnz safeengine原?102636B0
102637D9    8381 B8000000 0>add dword ptr ds:[ecx+0xB8],0x3

10263C6A    8F0424          pop dword ptr ss:[esp]
10263C6D    66:894424 02    mov word ptr ss:[esp+0x2],ax
10263C72    66:895C24 01    mov word ptr ss:[esp+0x1],bx
10263C77    8D6424 02       lea esp,dword ptr ss:[esp+0x2]
10263C7B    896424 44       mov dword ptr ss:[esp+0x44],esp
10263C7F    66:52           push dx
10263C81    66:890C24       mov word ptr ss:[esp],cx
10263C85    8D6424 01       lea esp,dword ptr ss:[esp+0x1]
10263C89 ^ E9 90FAFFFF     jmp safeengine原?1026371E
10263C8E ^ 76 F6           jbe Xsafeengine原?10263C86
10263C90    64:03FE         add edi,esi

授权文件
SE:102635F5                 jnb     short near ptr loc_102635C4+1
SE:102635F7                 aad     1
SE:102635F9                 arpl    [ecx], di
SE:102635FB                 mov     bh, 82h
SE:102635FD                 sub     [ecx-18h], ah
SE:10263600                 scasb
SE:10263601                 pop     large dword ptr fs:0
SE:10263608                 lea     esp, [esp+4]
SE:1026360C                 jmp     loc_10002142    ; //入口点

Threads
标识       入口       数据块       最近的错误          状态        优先权     用户时间      系统时间
0000067C   1003E3CE   7FFDD000     ERROR_SUCCESS (000 激活           32 + 0       0.0000 s      0.0000 s
00000BF0   1003EC1E   7FFDA000     ERROR_SUCCESS (000 激活           32 + 0       0.0000 s      0.0000 s
00000C9C   10042892   7FFDB000     ERROR_SUCCESS (000 激活           32 + 0       0.0000 s      0.0000 s
00000DDC   1003E43A   7FFDE000     ERROR_SUCCESS (000 激活           32 + 0       0.0000 s      0.0000 s //检验线程
000012CC   1003E2CE   7FFDC000     ERROR_SUCCESS (000 激活           32 + 0       0.0000 s      0.0000 s
000013CC( 004011E0   7FFDF000     ERROR_SUCCESS (000 激活           32 + 0       1.0920 s      0.0780 s

1004E654    F6DD            neg ch
1004E656    E8 CFFFFFFF     call safeengine原?1004E62A //调用waitForSingleObject 1003E43A线程
1004E65B    66:8F0424       pop word ptr ss:[esp]
1004E65F    E9 9D000000     jmp safeengine原?1004E701

100EF89B    8906            MOV DWORD PTR DS:[ESI],EAX
100EF89D    E8 7B08FAFF     CALL safeengine.1009011D
100EF8A2    E8 A2B0F8FF     CALL safeengine.1007A949 //调用call   1026360C
100EF8A7    FA              CLI
100EF8A8    8B81 90000000   MOV EAX,DWORD PTR DS:[ECX+90]
100EF8AE    3BC7            CMP EAX,EDI
100EF8B0 ^ 0F84 38FFFFFF   JE safeengine.100EF7EE
100EF8B6    FFB1 98000000   PUSH DWORD PTR DS:[ECX+98]
--------------------------------------------------------------------------------------------------
1004B554    E8 0D000000     CALL safeengine.1004B566
1004B559    56              PUSH ESI
1004B55A    6972 74 75616C5>IMUL ESI,DWORD PTR DS:[EDX+74],516C6175
1004B561    75 65           JNZ SHORT safeengine.1004B5C8
1004B563    72 79           JB SHORT safeengine.1004B5DE
1004B565    0050 E8         ADD BYTE PTR DS:[EAX-18],DL
1004B568    61              POPAD
0012F31C   00ABDDE3 返回到 00ABDDE3
0012F320   00C8CA37 返回到 00C8CA37
0012F378   100E235C 返回到 safeengine.100E235C 来自 safeengine.100750A8
0012F244   1004B877 返回到 safeengine.1004B877 来自 safeengine.1004B884
0012F248   00000000
0012F24C   00000000
0012F250   0012F2D0
0012F254   0012F268
0012F258   00000001
0012F25C   10044708 safeengine.10044708
0012F260   00000000
0012F264   0012F290
0012F268   00000246
0012F26C   8A517D59
0012F270   100F3B3D 返回到 safeengine.100F3B3D 来自 safeengine.1004AC40
0012F274   10044708 safeengine.10044708
0012F278   0012F290
0012F27C   0000001C
0012F280   BB52149E
0012F284   10044708 safeengine.10044708
0012F288   00000000
0012F28C   0012F6DC
0012F290   0437A07C
0012F294   10044708 safeengine.10044708
0012F298   100437A0 safeengine.100437A0
0012F29C   0812F2F4
0012F2A0   00100447

--------------------------------------------------------------------------------------------------
1004B554    E8 0D000000     CALL safeengine.1004B566
1004B559    56              PUSH ESI
1004B55A    6972 74 75616C5>IMUL ESI,DWORD PTR DS:[EDX+74],516C6175
1004B561    75 65           JNZ SHORT safeengine.1004B5C8
1004B563    72 79           JB SHORT safeengine.1004B5DE
1004B565    0050 E8         ADD BYTE PTR DS:[EAX-18],DL
1004B568    61              POPAD
--------------------------------------------------------------------------------------------------
10049655    E8 00000000     CALL safeengine.1004965A
1004965A    E9 8B170000     JMP safeengine.1004ADEA
1004965F    D351 C1         RCL DWORD PTR DS:[ECX-3F],CL
10049662    A0 53B59347     MOV AL,BYTE PTR DS:[4793B553]
10049667    328D 5881E802   XOR CL,BYTE PTR SS:[EBP+2E88158]
1004966D    27              DAA
1004966E    B5 A2           MOV CH,0A2
--------------------------------------------------------------------------------------------------
100F3CEE    8710            XCHG DWORD PTR DS:[EAX],EDX
100F3CF0    85D2            TEST EDX,EDX
100F3CF2 ^ 0F85 2FF8FFFF   JNZ safeengine.100F3527
100F3CF8    E8 4515F9FF     CALL safeengine.10085242   //计算时间过期
100F3CFD    0060 C6         ADD BYTE PTR DS:[EAX-3A],AH
100F3D00    C085 0F9CC58B 0>ROL BYTE PTR SS:[EBP+8BC59C0F],4
100F3D07    24 89           AND AL,89
100F3D09    7C 24           JL SHORT safeengine.100F3D2F
100F3D0B    1C 9C           SBB AL,9C
100F3D0D    FF3424          PUSH DWORD PTR SS:[ESP]
100F3D10    FF7424 04       PUSH DWORD PTR SS:[ESP+4]
100F3D14    884424 03       MOV BYTE PTR SS:[ESP+3],AL
100F3D18    FF7424 07       PUSH DWORD PTR SS:[ESP+7]
100F3D1C    8D6424 06       LEA ESP,DWORD PTR SS:[ESP+6]
100F3D20    8D6424 02       LEA ESP,DWORD PTR SS:[ESP+2]
100F3D24    8D6424 08       LEA ESP,DWORD PTR SS:[ESP+8]
100F3D28    61              POPAD
100F3D29    8BC7            MOV EAX,EDI
100F3D2B    85FF            TEST EDI,EDI
--------------------------------------------------------------------------------------------------
100852F7    60              PUSHAD
100852F8    66:8F4424 12    POP WORD PTR SS:[ESP+12]
100852FD    66:8F4424 10    POP WORD PTR SS:[ESP+10]
10085302    8D6424 10       LEA ESP,DWORD PTR SS:[ESP+10]
10085306    8D6424 03       LEA ESP,DWORD PTR SS:[ESP+3]
1008530A    886C24 02       MOV BYTE PTR SS:[ESP+2],CH
1008530E    8D6424 03       LEA ESP,DWORD PTR SS:[ESP+3]
10085312    8D6424 08       LEA ESP,DWORD PTR SS:[ESP+8]
10085316    68 2B945E20     PUSH 205E942B
1008531B    E8 397CFCFF     CALL safeengine.1004CF59   //计算时间过期
10085320    41              INC ECX
10085321    53              PUSH EBX
10085322    E1 FF           LOOPDE SHORT safeengine.10085323
10085324    74 24           JE SHORT safeengine.1008534A
10085326    02EB            ADD CH,BL
10085328    3E:D059 C9      RCR BYTE PTR DS:[ECX-37],1
1008532C    A8 5B           TEST AL,5B
1008532E    DE3A            FIDIVR WORD PTR DS:[EDX]
10085330    B8 2E49B850     MOV EAX,50B8492E

1004CF59    60              PUSHAD
1004CF5A ^ 0F83 4DFDFFFF   JNB safeengine.1004CCAD
1004CF60 ^ E9 B2FCFFFF     JMP safeengine.1004CC17
--------------------------------------------------------------------------------------------------
1004E9FE    E8 15E6FFFF     CALL safeengine.1004D018
0012F378   100E235C 返回到 safeengine.100E235C 来自 safeengine.100750A8
0012F440   100EF12D 返回到 safeengine.100EF12D 来自 safeengine.1008F8DC
1007511A    896424 15       MOV DWORD PTR SS:[ESP+15],ESP
1007511E    66:8F4424 18    POP WORD PTR SS:[ESP+18]
10075123    66:8F4424 0C    POP WORD PTR SS:[ESP+C]
10075128    8D6424 40       LEA ESP,DWORD PTR SS:[ESP+40]
1007512C    68 DC975D20     PUSH 205D97DC
10075131    E8 237EFDFF     CALL safeengine.1004CF59
10075136    A9 29B9D82B     TEST EAX,2BD8B929

0012F51C |102633D5 safeengine.102633D5
0012F520 |00000001
0012F524 |0012F5A8
0012F528 |0012F8B0
0012F52C |10128EEC safeengine.10128EEC
0012F530 |0012F6AC
0012F534 |0012F548
0012F538 |12000F7C
0012F53C |00120000
0012F540 |ECDF7C00
0012F544 |0020DF27
0012F548 |12001E2C
0012F54C |000F1200
0012F550 |E800E812
0012F554 |0012F5E8
0012F558 |1012AD3D safeengine.1012AD3D
0012F55C |0012F6AC
0012F560 |0012F574
0012F564 |27ECC2AC
0012F568 |0012F744
0012F56C |1013F4A6 safeengine.1013F4A6
0012F570 |0012F74C
0012F574 |1013C41A safeengine.1013C41A
0012F578 |0012F83C
0012F57C |0012F758
0012F580 |1013A1FA safeengine.1013A1FA

100C28E3    6A 04           PUSH 4
100C28E5    57              PUSH EDI
100C28E6    FF50 1C         CALL DWORD PTR DS:[EAX+1C]
100C28E9    85C0            TEST EAX,EAX
100C28EB ^ 0F84 D6FEFFFF   JE safeengine.100C27C7
100C28F1 ^ E9 1DFFFFFF     JMP safeengine.100C2813
100C28F6    5C              POP ESP

100C2813    8B03            MOV EAX,DWORD PTR DS:[EBX]
100C2815    85C0            TEST EAX,EAX
100C2817    79 4B           JNS SHORT safeengine.100C2864
100C2819    83EC 0E         SUB ESP,0E
100C281C    F9              STC
100C281D    66:8F0424       POP WORD PTR SS:[ESP]
100C2821    E9 CB010000     JMP safeengine.100C29F1
100D32BB    E8 F468FBFF     CALL safeengine.10089BB4
100D32C0    E8 2924F9FF     CALL safeengine.100656EE
100D32C5    59              POP ECX
100D32C6    59              POP ECX
100D32C7    3930            CMP DWORD PTR DS:[EAX],ESI
100D32C9 ^ 0F86 77F3FFFF   JBE safeengine.100D2646
100D32CF    33FF            XOR EDI,EDI
100D32D1    03C7            ADD EAX,EDI
100D32D3    FF70 10         PUSH DWORD PTR DS:[EAX+10]
100D32D6    FF70 04         PUSH DWORD PTR DS:[EAX+4]
100D32D9    E8 B468FBFF     CALL safeengine.10089B92
100D32DE    E8 A524F9FF     CALL safeengine.10065788
100D32E3    46              INC ESI
100D32E4    59              POP ECX
100D32E5    83EC 0B         SUB ESP,0B

100F1223    8B48 44         MOV ECX,DWORD PTR DS:[EAX+44]
100F1226    E8 B1FFF9FF     CALL safeengine.100911DC
100F122B    E8 A90AF9FF     CALL safeengine.10081CD9 //此处还未解密
------------------------------------------------------------------------------------------------------------
100D2AC0    E6 89           OUT 89,AL                                          ; I/O 命令
100D2AC2    45              INC EBP
100D2AC3    E8 FF150C56     CALL 661940C7
100D2AC8    04 10           ADD AL,10
100D2ACA    8D4D F0         LEA ECX,DWORD PTR SS:[EBP-10]
100D2ACD    51              PUSH ECX
100D2ACE    6A 40           PUSH 40
100D2AD0    FF76 50         PUSH DWORD PTR DS:[ESI+50]
100D2AD3    8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
100D2AD6    60              PUSHAD
100D2AD7    894C24 16       MOV DWORD PTR SS:[ESP+16],ECX
100D2ADB    FF7424 1F       PUSH DWORD PTR SS:[ESP+1F]
100D2ADF    E9 AB010000     JMP safeengine.100D2C8F
---------------------------------------------------------------------------------------
00AC89E9    0FBF80 0C4A937C MOVSX EAX,WORD PTR DS:[EAX+7C934A0C]
00AC89F0    E9 89010000     JMP 00AC8B7E
00AC89F5    FFB7 78050000   PUSH DWORD PTR DS:[EDI+578]
00AC89FB    E8 EF7CFEFF     CALL 00AB06EF
00AC8A00 ^ E9 0E7DFFFF     JMP 00AC0713
00AC8A05    A8 01           TEST AL,1
----------------------------------------------------------------------------------------
100E270F    8D85 E8FDFFFF   lea eax,dword ptr ss:[ebp-0x218]
100E2715    50              push eax
100E2716    E8 E02EF9FF     call safeengine原?100755FB
100E271B    FF50 04         call dword ptr ds:[eax+0x4]   //kernel32.Createfile
100E271E    66:56           push si
100E2720    52              push edx
100E2721    FF7424 05       push dword ptr ss:[esp+0x5]
100E2725    66:FF7424 04    push word ptr ss:[esp+0x4]
100E272A    895C24 08       mov dword ptr ss:[esp+0x8],ebx
100E272E    9C              pushfd
100E272F    882424          mov byte ptr ss:[esp],ah
-------------------------------------------------------------------------------------------------------------
100E2740    66:FF3424       push word ptr ss:[esp]
100E2744    887424 01       mov byte ptr ss:[esp+0x1],dh
100E2748    8D6424 0C       lea esp,dword ptr ss:[esp+0xC]
100E274C    8945 FC         mov dword ptr ss:[ebp-0x4],eax
100E274F    50              push eax
100E2750    E8 912DF9FF     call safeengine原?100754E6
100E2755    FF50 08         call dword ptr ds:[eax+0x8]                            ; kernel32.GetFileSize
100E2758    60              pushad
100E2759    66:87CE         xchg si,cx
100E275C    66:8B2C24       mov bp,word ptr ss:[esp]
100E2760    0FCB            bswap ebx
100E2762    8DB9 E928F322   lea edi,dword ptr ds:[ecx+0x22F328E9]
100E2768    87CA            xchg edx,ecx

---------------------------------------------------------------------------------------------------------------
100D2948    51              PUSH ECX
100D2949    FF3424          PUSH DWORD PTR SS:[ESP]
100D294C    FF7424 02       PUSH DWORD PTR SS:[ESP+2]
100D2950    FF7424 0A       PUSH DWORD PTR SS:[ESP+A]
100D2954    897C24 02       MOV DWORD PTR SS:[ESP+2],EDI
100D2958    894424 0C       MOV DWORD PTR SS:[ESP+C],EAX
100D295C    9C              PUSHFD
100D295D    890C24          MOV DWORD PTR SS:[ESP],ECX
100D2960    8D6424 03       LEA ESP,DWORD PTR SS:[ESP+3]
100D2964    8D6424 01       LEA ESP,DWORD PTR SS:[ESP+1]
100D2968    8D6424 0C       LEA ESP,DWORD PTR SS:[ESP+C]
100D296C    FF75 F8         PUSH DWORD PTR SS:[EBP-8]
100D296F    E8 DF24F9FF     CALL safeengine.10064E53
100D2974    53              PUSH EBX
100D2975    56              PUSH ESI
100D2976    895D EC         MOV DWORD PTR SS:[EBP-14],EBX
100D2979    FF50 0C         CALL DWORD PTR DS:[EAX+C]                          ; kernel32.ReadFile
100D297C    E8 A325F9FF     CALL safeengine.10064F24
100D2981    56              PUSH ESI
100D2982    FF50 10         CALL DWORD PTR DS:[EAX+10]
100D2985    8BCB            MOV ECX,EBX
100D2987    E8 CA70FBFF     CALL safeengine.10089A56
100D298C    8BF0            MOV ESI,EAX
100D298E    85F6            TEST ESI,ESI
100D2990 ^ 0F85 72FFFFFF   JNZ safeengine.100D2908
100D2996 ^ E9 D9FCFFFF     JMP safeengine.100D2674
100D299B    FB              STI
100D299C    E8 61E8749B     CALL AB821202

------------------------------------------------------------------------------------------------------------
0012F1F0 /0012F21C
0012F1F4 |013CBD19 返回到 013CBD19
-------------------------------------------------------------------------------------------------------------
013CBCFC    68 CDABBADC     push 0xDCBAABCD
013CBD01    56              push esi
013CBD02    FF75 18         push dword ptr ss:[ebp+0x18]
013CBD05    FF75 14         push dword ptr ss:[ebp+0x14]
013CBD08    FF75 10         push dword ptr ss:[ebp+0x10]
013CBD0B    FF75 0C         push dword ptr ss:[ebp+0xC]
013CBD0E    64:800D CA0F000>or byte ptr fs:[0xFCA],0x1
013CBD16    FF55 08         call dword ptr ss:[ebp+0x8] //失败对话框
013CBD19    64:8025 CA0F000>and byte ptr fs:[0xFCA],0xFE
013CBD21    817C24 04 CDABB>cmp dword ptr ss:[esp+0x4],0xDCBAABCD
013CBD29    0F85 B8AC0100   jnz 013E69E7
013CBD2F    83C4 08         add esp,0x8
013CBD32    5B              pop ebx
013CBD33    5F              pop edi
013CBD34    5E              pop esi
013CBD35    5D              pop ebp
013CBD36    C2 1400         retn 0x14

-------------------------------------------------------------------------------------
0012F208   00000110
0012F20C   DCBAABCD
0012F210   00000000
0012F214   0012F26C
0012F218   00000110
0012F21C /0012F294
0012F220 |013CBE19 返回到 013CBE19 来自 013CBCF6
0012F224 |773F5BC1 USER32.DefDlgProcW
0012F228 |000C02B0
0012F22C |00000110
013CBE07    FF75 1C         push dword ptr ss:[ebp+0x1C]
013CBE0A    FF75 18         push dword ptr ss:[ebp+0x18]
013CBE0D    56              push esi
013CBE0E    FF75 10         push dword ptr ss:[ebp+0x10]
013CBE11    FF75 0C         push dword ptr ss:[ebp+0xC]
013CBE14    E8 DDFEFFFF     call 013CBCF6   //失败对话框
013CBE19    8945 E4         mov dword ptr ss:[ebp-0x1C],eax
013CBE1C    C745 FC FEFFFFF>mov dword ptr ss:[ebp-0x4],-0x2

---------------------------------------------------------------------------------------------------
100EB93A    56              push esi
100EB93B    68 80000000     push 0x80
100EB940    6A 03           push 0x3
100EB942    56              push esi
100EB943    6A 01           push 0x1
100EB945    68 00000080     push 0x80000000
100EB94A    FF75 08         push dword ptr ss:[ebp+0x8]
100EB94D    FF50 04         call dword ptr ds:[eax+0x4] //creatFile(safeengine.key)
100EB950    60              pushad
100EB951    C7C6 D650304A   mov esi,0x4A3050D6
100EB957    66:8B2C24       mov bp,word ptr ss:[esp]
100EB95B    0FCA            bswap edx
100EB95D    C6C6 49         mov dh,0x49
100EB960    86D7            xchg bh,dl
100EB962    E9 53010000     jmp safeengine原?100EBABA

-------------------------------------------------------------------------------------------
100D2702    8D6424 03       LEA ESP,DWORD PTR SS:[ESP+3]
100D2706    6A 01           PUSH 1
100D2708    68 00000080     PUSH 80000000
100D270D    8D85 DCFDFFFF   LEA EAX,DWORD PTR SS:[EBP-224]
100D2713    50              PUSH EAX
100D2714    E8 9B0FF9FF     CALL safeengine.100636B4
100D2719    FF50 04         CALL DWORD PTR DS:[EAX+4]                ; kernel32.CreateFileW
100D271C    8BF0            MOV ESI,EAX
100D271E    66:53           PUSH BX
100D2720    66:FF7424 01    PUSH WORD PTR SS:[ESP+1]
100D2725    83FE FF         CMP ESI,-1
100D2728    E9 92000000     JMP safeengine.100D27BF

-------------------------------------------------------------------------------------------
100E0F93    33C0            xor eax,eax
100E0F95 ^ E9 8CFEFFFF     jmp safeengine原?100E0E26 //messagebox safeengine
100E2345    8D70 10         lea esi,dword ptr ds:[eax+0x10]
100E2348    FF50 4C         call dword ptr ds:[eax+0x4C]
100E234B    50              push eax
100E234C    FF16            call dword ptr ds:[esi]
100E234E    FF7424 0C       push dword ptr ss:[esp+0xC]
100E2352    E8 8DAFFAFF     call safeengine原?1008D2E4 //messagebox safeengine
100E2357    E8 4C2DF9FF     call safeengine原?100750A8

--------------------------------------------------------------------------------------------------------
100EBA6C    53              push ebx
100EBA6D    FF50 08         call dword ptr ds:[eax+0x8] ////GetFileSize    Key
100EBA70    8BF8            mov edi,eax

--------------------------------------------------------------------------------------------------------
100E283D    66:891C24       MOV WORD PTR SS:[ESP],BX
100E2841    8D6424 03       LEA ESP,DWORD PTR SS:[ESP+3]
100E2845    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
100E2849    56              PUSH ESI
100E284A    FF75 FC         PUSH DWORD PTR SS:[EBP-4]
100E284D    FF50 0C         CALL DWORD PTR DS:[EAX+C]   //readKey
100E2850    FF75 FC         PUSH DWORD PTR SS:[EBP-4]
100E2853    E8 CB2EF9FF     CALL safeengine.10075723
100E2858    FF50 10         CALL DWORD PTR DS:[EAX+10]

--------------------------------------------------------------------------------------------------------

100E233E    16              push ss
100E233F    E5 0D           in eax,0xD
100E2341    6F              outs dx,dword ptr es:[edi]
100E2342    55              push ebp
100E2343    93              xchg eax,ebx
100E2344    57              push edi
100E2345    8D70 10         lea esi,dword ptr ds:[eax+0x10]
100E2348    FF50 4C         call dword ptr ds:[eax+0x4C]                                       ; kernel32.CreateThread
100E234B    50              push eax
--------------------------------------------------------------------------------------------------------------
100D2937    5C              POP ESP
100D2938    8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
100D293B    FF15 0C560410   CALL DWORD PTR DS:[1004560C]             ; ntdll.RtlAllocateHeap
100D2941    8BD8            MOV EBX,EAX
------------------------------------------------------------------------------------------------------------------
100EF121 ^/0F84 70FFFFFF   JE safeengine.100EF097
100EF127    50              PUSH EAX
100EF128    E8 AF07FAFF     CALL safeengine.1008F8DC
100EF12D    59              POP ECX
100EF12E ^ E9 64FFFFFF     JMP safeengine.100EF097
100EF133    14 8A           ADC AL,8A
100EF135    66:891C24       MOV WORD PTR SS:[ESP],BX
0149FC18   7C939B23 返回到 ntdll.7C939B23 来自 ntdll.ZwWaitForSingleObject
------------------------------------------------------------------------------------------------------------------------
100D2706    6A 01           PUSH 1
100D2708    68 00000080     PUSH 80000000
100D270D    8D85 DCFDFFFF   LEA EAX,DWORD PTR SS:[EBP-224]
100D2713    50              PUSH EAX
100D2714    E8 9B0FF9FF     CALL safeengine.100636B4
100D2719    FF50 04         CALL DWORD PTR DS:[EAX+4]
100D271C    8BF0            MOV ESI,EAX
100D271E    66:53           PUSH BX
100D2720    66:FF7424 01    PUSH WORD PTR SS:[ESP+1]
100D2725    83FE FF         CMP ESI,-1
100D2728    E9 92000000     JMP safeengine.100D27BF

101C3320 (loadlibrary )Kernel32.dll

0012F440   100EF12D 返回到 safeengine.100EF12D 来自 safeengine.1008F8DC
001534B8 7C80B475 kernel32.GetModuleFileNameW
001534BC 7C810800 kernel32.CreateFileW
001534C0 7C810B17 kernel32.GetFileSize
001534C4 7C801812 kernel32.ReadFile
001534C8 7C809BE7 kernel32.CloseHandle
001534CC 7C801D53 kernel32.LoadLibraryExA
001534D0 7C92FF2D ntdll.RtlFreeHeap
001534D4 7C801AD4 kernel32.VirtualProtect
001534D8 7C80934A kernel32.GetTickCount
001534DC 7C80AE40 kernel32.GetProcAddress
001534E0 7C92120E ntdll.DbgBreakPoint
001534E4 7C921212 ntdll.DbgUserBreakPoint
001534E8 7C9720EC ntdll.DbgUiRemoteBreakin
DS:[001534BC]=7C810800 (kernel32.CreateFileW)
------------------------------------------------------------------------------
100D2932    E8 8727F9FF     CALL safeengine.100650BE
100D2937    5C              POP ESP
100D2938    8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
100D293B    FF15 0C560410   CALL DWORD PTR DS:[1004560C]             ; ntdll.RtlAllocateHeap
100D2941    8BD8            MOV EBX,EAX
100D2943    6A 00           PUSH 0
---------------------------------------------------------------------------------
100D2AB9    6A 00           PUSH 0
100D2ABB    E8 4025F9FF     CALL safeengine.10065000
100D2AC0    E6 89           OUT 89,AL                                ; I/O 命令
100D2AC2    45              INC EBP
100D2AC3    E8 FF150C56     CALL 661940C7   //ZwAllocateVirtualMemory
100D2AC8    04 10           ADD AL,10
------------------------------------------------------------------------------

100D2964    8D6424 01       LEA ESP,DWORD PTR SS:[ESP+1]
100D2968    8D6424 0C       LEA ESP,DWORD PTR SS:[ESP+C]
100D296C    FF75 F8         PUSH DWORD PTR SS:[EBP-8]
100D296F    E8 DF24F9FF     CALL safeengine.10064E53
100D2974    53              PUSH EBX
100D2975    56              PUSH ESI
100D2976    895D EC         MOV DWORD PTR SS:[EBP-14],EBX
100D2979    FF50 0C         CALL DWORD PTR DS:[EAX+C]
100D297C    E8 A325F9FF     CALL safeengine.10064F24
100D2981    56              PUSH ESI
100D2982    FF50 10         CALL DWORD PTR DS:[EAX+10]   //0x1534c8   GetModuleFileNameW
100D2985    8BCB            MOV ECX,EBX
100D2987    E8 CA70FBFF     CALL safeengine.10089A56
100D298C    8BF0            MOV ESI,EAX
100D298E    85F6            TEST ESI,ESI
100D2990 ^ 0F85 72FFFFFF   JNZ safeengine.100D2908
100D2996 ^ E9 D9FCFFFF     JMP safeengine.100D2674
100D299B    FB              STI
100D299C    E8 61E8749B     CALL AB821202
100D29A1    C7C7 AE5A1F20   MOV EDI,201F5AAE
100D29A7    8D78 37         LEA EDI,DWORD PTR DS:[EAX+37]
100D29AA    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
100D29AD    66:54           PUSH SP
100D29AF    66:890C24       MOV WORD PTR SS:[ESP],CX
100D29B3    881C24          MOV BYTE PTR SS:[ESP],BL
100D29B6    8D2424          LEA ESP,DWORD PTR SS:[ESP]
100D29B9    55              PUSH EBP
100D29BA    8D6424 02       LEA ESP,DWORD PTR SS:[ESP+2]
100D29BE ^ E9 8CFCFFFF     JMP safeengine.100D264F
-----------------------------------------------------------------------------------------------------

100D2AC8    04 10           ADD AL,10
100D2ACA    8D4D F0         LEA ECX,DWORD PTR SS:[EBP-10]
100D2ACD    51              PUSH ECX
100D2ACE    6A 40           PUSH 40
100D2AD0    FF76 50         PUSH DWORD PTR DS:[ESI+50]
100D2AD3    8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
100D2AD6    60              PUSHAD
100D2AD7    894C24 16       MOV DWORD PTR SS:[ESP+16],ECX
100D2ADB    FF7424 1F       PUSH DWORD PTR SS:[ESP+1F]
100D2ADF    E9 AB010000     JMP safeengine.100D2C8F
------------------------------------------------------------------------------------------------------

100EBDEA    8975 08         MOV DWORD PTR SS:[EBP+8],ESI
100EBDED    FF50 0C         CALL DWORD PTR DS:[EAX+C]
100EBDF0    E8 1FABF8FF     CALL safeengine.10076914
100EBDF5    53              PUSH EBX
100EBDF6    FF50 10         CALL DWORD PTR DS:[EAX+10] //五次获得key
100EBDF9    3B7D 08         CMP EDI,DWORD PTR SS:[EBP+8]
100EBDFC ^ 0F85 04FBFFFF   JNZ safeengine.100EB906
100EBE02    F8              CLC
-------------------------------------------------------------------------------------------------------
1009CAFE    5F              POP EDI                                                         ; 00161798 读key 返回
1009CAFF    C9              LEAVE
1009CB00    C3              RETN

----------------------------------------------------------------------------------------------------------------

100EAEA2    E8 0A2EFAFF     CALL safeengine.1008DCB1
100EAEA7    8D4424 78       LEA EAX,DWORD PTR SS:[ESP+78]
100EAEAB    E8 A42FFAFF     CALL safeengine.1008DE54
100EAEB0    57              PUSH EDI
100EAEB1    8D4C24 7C       LEA ECX,DWORD PTR SS:[ESP+7C]
100EAEB5    E8 4F18F5FF     CALL safeengine.1003C709
100EAEBA    59              POP ECX
100EAEBB    8D8424 00010000 LEA EAX,DWORD PTR SS:[ESP+100]
100EAEC2    50              PUSH EAX
100EAEC3    E8 70B4F8FF     CALL safeengine.10076338
100EAEC8    8B58 14         MOV EBX,DWORD PTR DS:[EAX+14]                                   ; safeengine.10036321
100EAECB    E8 F232FAFF     CALL safeengine.1008E1C2
----------------------------------------------------------------------------------------------------------------------------
100EBD01    E8 14D3F8FF     CALL safeengine.1007901A
100EBD06    14 EB           ADC AL,0EB
100EBD08    CC              INT3
------------------------------------------------------------------------------------------------------------------------------
10049193    8B05 0000C544   MOV EAX,DWORD PTR DS:[44C50000]
10049199    DABD 4CA3E487   FIDIVR DWORD PTR SS:[EBP+87E4A34C]
1004919F    E8 0C000000     CALL safeengine.100491B0
100491A4    4D              DEC EBP
100491A5    65:73 73        JNB SHORT safeengine.1004921B                 ; 多余的前缀
100491A8    61              POPAD
100491A9    67:65:42        INC EDX                                  ; 多余的前缀
100491AC    6F              OUTS DX,DWORD PTR ES:[EDI]               ; I/O 命令
100491AD    78 57           JS SHORT safeengine.10049206
---------------------------------------------------------------------------------------------------------------------------------
*****************************************************************************
*
*MessageBox   天数已满
*
******************************************************************************

100492A3    FF90 E1ED3FF6   CALL DWORD PTR DS:[EAX+F63FEDE1]
100492A9 ^ E9 F1FEFFFF     JMP safeengine.1004919F

00BA5CF1    FF75 14         PUSH DWORD PTR SS:[EBP+14]
00BA5CF4    FF75 10         PUSH DWORD PTR SS:[EBP+10]
00BA5CF7    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
00BA5CFA    FF75 08         PUSH DWORD PTR SS:[EBP+8]
00BA5CFD    E8 BFA2FEFF     CALL 00B8FFC1   //call MessageBox 天数已满
00BA5D02    5D              POP EBP
00BA5D03    C2 1000         RETN 10

100E240F    893424          MOV DWORD PTR SS:[ESP],ESI
100E2412    884424 01       MOV BYTE PTR SS:[ESP+1],AL
100E2416    8D6424 02       LEA ESP,DWORD PTR SS:[ESP+2]
100E241A    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
100E241E    E8 BE6CF6FF     CALL safeengine.100490E1   //上一层
100E2423    00E9            ADD CL,CH
100E2425    6A EB           PUSH -15
100E2427    FFFF            ???                                      ; 未知命令
-----------------------------------------------------------------------------------------------------------------------------------
00AB0229    8D9B 00000000   LEA EBX,DWORD PTR DS:[EBX]
00AB022F    8B41 24         MOV EAX,DWORD PTR DS:[ECX+24]
00AB0232    3942 0C         CMP DWORD PTR DS:[EDX+C],EAX
00AB0235    75 18           JNZ SHORT 00AB024F
1100EBC77    FF75 FC         PUSH DWORD PTR SS:[EBP-4]
100EBC7A    8BF8            MOV EDI,EAX
100EBC7C    E8 4FEEF8FF     CALL safeengine.1007AAD0

100EBD01    E8 14D3F8FF     CALL safeengine.1007901A
100EE975    0000            ADD BYTE PTR DS:[EAX],AL
100EE977    E8 0CB2F8FF     CALL safeengine.10079B88
100EE97C    BC 8B410439     MOV ESP,3904418B
//栈空间
0012F42C   100EEDF0 返回到 safeengine.100EEDF0
0012F430   00000000
0012F434   00000000
0012F438   10042892 safeengine.10042892
*********************************************************************************
//过期的天数
0012F440   100EEEF7 返回到 safeengine.100EEEF7
100EEEEC    8D6424 02       LEA ESP,DWORD PTR SS:[ESP+2]
100EEEF0    8D6424 30       LEA ESP,DWORD PTR SS:[ESP+30]
100EEEF4    FF50 10         CALL DWORD PTR DS:[EAX+10]
100EEEF7    E8 7CAEF8FF     CALL safeengine.10079D78

00C7A96F    8BFF            MOV EDI,EDI
00C7A971    55              PUSH EBP
00C7A972    8BEC            MOV EBP,ESP
00C7A974    837D 08 00      CMP DWORD PTR SS:[EBP+8],0
00C7A978    74 18           JE SHORT 00C7A992
00C7A97A    FF75 08         PUSH DWORD PTR SS:[EBP+8]
00C7A97D    E8 C0290000     CALL 00C7D342
00C7A982    85C0            TEST EAX,EAX
00C7A984    74 08           JE SHORT 00C7A98E
00C7A986    FF70 04         PUSH DWORD PTR DS:[EAX+4]
00C7A989    E8 7D2D0000     CALL 00C7D70B
00C7A98E    5D              POP EBP
00C7A98F    C2 0400         RETN 4

0012F2C4   00000000
0012F2C8   00000000
0012F2CC   00000000
0012F2D0   00000000
0012F2D4   00000000
0012F2D8   00000000
0012F2DC   100497FC 返回到 safeengine.100497FC
0012F2E0   100497E9 返回到 safeengine.100497E9 来自 safeengine.100497F6
0012F2E4   00000200
0012F2E8   0012F330
0012F2EC   0012F418
0012F2F0   0012F304
0012F2F4   100455B4 safeengine.100455B4
0012F2F8   3BC9FDB7
0012F2FC   000000BA
0012F300   0012F3D0
0012F304   00200246
0012F308   66E1B32F
0012F30C   100EA835 返回到 safeengine.100EA835 来自 safeengine.100496C1

100E234B    50              PUSH EAX
100E234C    FF16            CALL DWORD PTR DS:[ESI]
100E234E    FF7424 0C       PUSH DWORD PTR SS:[ESP+C]
100E2352    E8 8DAFFAFF     CALL safeengine.1008D2E4 //MessageBox 天数已满
100E2357    E8 4C2DF9FF     CALL safeengine.100750A8
100E235C    59              POP ECX
100E235D    57              PUSH EDI
100E235E    FF50 44         CALL DWORD PTR DS:[EAX+44] ExitProcess
100E2361    5F              POP EDI
100E2362    5E              POP ESI
100E2363    C3              RETN

、************************************************************
过期
0012F2DC   100497FC 返回到 safeengine.100497FC
0012F2E0   100497E9 返回到 safeengine.100497E9 来自 safeengine.100497F6
0012F2E4   00000200
0012F2E8   0012F330
0012F2EC   0012F418
0012F2F0   0012F304
0012F2F4   100455B4 safeengine.100455B4
0012F2F8   3BC9FDB7
0012F2FC   000000BA
0012F300   0012F3D0
0012F304   00200246
0012F308   66E1B32F
0012F30C   100EA835 返回到 safeengine.100EA835 来自 safeengine.100496C1
不过期:
0012F418   100ED243 返回到 safeengine.100ED243
0012F41C   0012F430
0012F420   00000200
0012F424   0000008C
0012F428   00000000
0012F42C   00000000
0012F430   001562F8
0012F434   001562F8
0012F438   001562F8
0012F43C   100ED133 返回到 safeengine.100ED133 来自 safeengine.10078EAF
0012F440 /0012F6EC
0012F444 |100EF0F8 返回到 safeengine.100EF0F8 来自 safeengine.1008F93A
**********************************************************************************
********************************************************************************
不过期的
0012F2C0   10049651 返回到 safeengine.10049651
0012F2C4   1004963E 返回到 safeengine.1004963E 来自 safeengine.1004964B
00C7AD65    8BFF            MOV EDI,EDI
00C7AD67    55              PUSH EBP
00C7AD68    8BEC            MOV EBP,ESP
00C7AD6A    837D 08 00      CMP DWORD PTR SS:[EBP+8],0
00C7AD6E    74 18           JE SHORT 00C7AD88
00C7AD70    FF75 08         PUSH DWORD PTR SS:[EBP+8]
00C7AD73    E8 C0290000     CALL 00C7D738
00C7AD78    85C0            TEST EAX,EAX
00C7AD7A    74 08           JE SHORT 00C7AD84
00C7AD7C    FF70 04         PUSH DWORD PTR DS:[EAX+4]
00C7AD7F    E8 7D2D0000     CALL 00C7DB01
00C7AD84    5D              POP EBP
00C7AD85    C2 0400         RETN 4

10049602    E8 10000000     CALL safeengine.10049617   此处调用
10049607    52              PUSH EDX
10049608    65:67:43        INC EBX                                  ; 多余的前缀
1004960B    72 65           JB SHORT safeengine.10049672
1004960D    61              POPAD
1004960E    74 65           JE SHORT safeengine.10049675
10049610    4B              DEC EBX

100ED852    E8 12B9F8FF     CALL safeengine.10079169
100ED857    AA              STOS BYTE PTR ES:[EDI]
100ED858    8B42 10         MOV EAX,DWORD PTR DS:[EDX+10]
100ED85B    E9 CD030000     JMP safeengine.100EDC2D
100ED860    4A              DEC EDX

0012F42C   100EF1A1 返回到 safeengine.100EF1A1 返回到这里
0012F430   00000000
0012F434   00000000
0012F438   100429A6 safeengine.100429A6

******************************************************************************
二者共同经过了
100ED852    E8 12B9F8FF     CALL safeengine.10079169
100ED857    AA              STOS BYTE PTR ES:[EDI]
100ED858    8B42 10         MOV EAX,DWORD PTR DS:[EDX+10]
100ED85B    E9 CD030000     JMP safeengine.100EDC2D

******************************************************************************

******************************************************************************
ds:[10032AFC]=771ACF41 (kernel32.GetModuleHandleA)    000c2f93偏移

100ED84F    FF50 54         call dword ptr ds:[eax+0x54]                                    ; kernel32.GetSystemTime
100ED852    E8 12B9F8FF     call safeengine.10079169
100ED857    AA              stos byte ptr es:[edi]
100ED858    8B42 10         mov eax,dword ptr ds:[edx+0x10]
100ED85B    E9 CD030000     jmp safeengine.100EDC2D

100ED84F    FF50 54         call dword ptr ds:[eax+0x54]                ; kernel32.GetSystemTime第一次
100ED852    E8 12B9F8FF     call safeengine.10079169

0012F7E0   000907DA
0012F7E4   00120006
0012F7E8   0018000F
0012F7EC   037D001B

100ED9BA    3B8E 400A0000   cmp ecx,dword ptr ds:[esi+0xA40]
100ED9C0 ^ 0F86 4AFFFFFF   jbe safeengine.100ED910
100ED9C6    3BD8            cmp ebx,eax
100ED9C8 ^ 0F86 69FFFFFF   jbe safeengine.100ED937
100ED9CE    8B7A 10         mov edi,dword ptr ds:[edx+0x10]
100ED9D1    8D7424 10       lea esi,dword ptr ss:[esp+0x10]
*************************************************************************************************************************************

100EF121 ^/E9 71FFFFFF     jmp safeengine.100EF097 成功方向跳转
100ED23C    87BCF8 FFFF5054 xchg dword ptr ds:[eax+edi*8+0x5450FFFF]>
100ED243 ^ EB D4           jmp Xsafeengine.100ED219   跳转检验

0071FED8     006D4B68    0077C960    0000000B    F0E0D0C0
0071FEE8     49D19F40    88008278    00000000    0071FEF4
0071FEF8     0071FEF4    00000000    00000001    008B33BF
0071FF08     49D19F7C    8800D2C5    000907DA    001C0002
0071FF18     00150004    02800014    00000000    00000000
0025FED8     00214B68    002BC960    0000000B    F0E0D0C0
0025FEE8     0AB12007    88008278    00000000    0025FEF4
0025FEF8     0025FEF4    00000000    00000001    0115CF93
0025FF08     0AB1203B    8800D2C5    000907DA    001C0002
0025FF18     00150004    02800014    00000000    00000000

RSA：算法计算key

100EB46A         8B45 08         mov eax,dword ptr ss:[ebp+0x8]
100EB46D         6A 10           push 0x10
100EB46F         81C0 10150000   add eax,0x1510
100EB475         8D4C24 6C       lea ecx,dword ptr ss:[esp+0x6C]
100EB479         E8 742DFAFF     call safeengine.1008E1F2