[Help] Cracking a program's network verification: how do I change it to local IIS verification?
Here is an article I found online about converting network verification to local verification; I hope it is of some help to you. I am a newbie myself and am currently learning about cracking.

[Network verification cracking] Converting a cheat tool's verification to local

【Article title】: [Network verification cracking] Converting a cheat tool's verification to local
【Author】: KuNgBiM
【Author e-mail】: kungbim@163.com
【Author homepage】: http://www.crkcn.com
【Software name】: 惊天伴侣 2.2.5 Member Enhanced Edition (updated 26 March 2007)
【Software size】: 1.71 MB
【Download】: search for it yourself
【Packer】: ASProtect 2.1x SKE
【Protection】: network verification
【Language】: Microsoft Visual C++ 6.0
【Tools used】: OllyICE
【Platform】: pirated, non-standard XP SP2
【About the software】: An assistance tool for the large online game 惊天动地, commonly called a "cheat" (外挂).
【Author's statement】: Just out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】

Since the program is packed with standard ASProtect 2.1x SKE and no code has been stolen, for convenience we unpack it before analysing it...

After unpacking, load it in OllyICE. Because the program handles its key strings fairly well, the string plugin is of no use.

So let's use the usual approach, "API function breakpoints", to debug it.

Set a breakpoint from the command line: bpx closesocket

Press F9 to run, enter a user name and click "Log in"; execution breaks here:

00418E79 .  6A 10  push 10  ; cheat tool's network verification begins
00418E7B .  8D85 60FEFFFF  lea eax, dword ptr [ebp-1A0]  ; compute the game ID length
00418E81 .  50  push eax
00418E82 .  6A 60  push 60
00418E84 .  8D8D 74FFFFFF  lea ecx, dword ptr [ebp-8C]
00418E8A .  51  push ecx
00418E8B .  8D95 74FFFFFF  lea edx, dword ptr [ebp-8C]
00418E91 .  52  push edx
00418E92 .  E8 B9320100  call 0042C150  ; check whether the cheat tool is already communicating
00418E97 .  83C4 18  add esp, 18
00418E9A .  833D 9C826500 00  cmp dword ptr [65829C], 0
00418EA1 .  74 16  je short 00418EB9  ; jump if not yet communicating (ignore)
00418EA3 .  A1 9C826500  mov eax, dword ptr [65829C]
00418EA8 .  50  push eax  ; /Socket => 384
00418EA9 .  FF15 E4A54600  call dword ptr [<&ws2_32.closesocket>]  ; \closesocket
00418EAF .  C705 9C826500 00000000  mov dword ptr [65829C], 0
00418EB9 >  833D 9C826500 00  cmp dword ptr [65829C], 0
00418EC0 .  75 11  jnz short 00418ED3  ; if not yet communicating, prepare to get the verification server address
00418EC2 .  6A 00  push 0  ; /Protocol = IPPROTO_IP
00418EC4 .  6A 01  push 1  ; |Type = SOCK_STREAM
00418EC6 .  6A 02  push 2  ; |Family = AF_INET
00418EC8 .  FF15 E0A54600  call dword ptr [<&ws2_32.socket>]  ; \socket
00418ECE .  A3 9C826500  mov dword ptr [65829C], eax
00418ED3 >  66:C785 18FAFFFF 0200  mov word ptr [ebp-5E8], 2
00418EDC .  68 AC836500  push 006583AC  ; /ASCII "203.174.87.234"
00418EE1 .  FF15 DCA54600  call dword ptr [<&ws2_32.inet_addr>]  ; \inet_addr
00418EE7 .  8985 1CFAFFFF  mov dword ptr [ebp-5E4], eax
00418EED .  66:8B0D 38105D00  mov cx, word ptr [5D1038]
00418EF4 .  51  push ecx  ; /NetShort
00418EF5 .  FF15 E8A54600  call dword ptr [<&ws2_32.htons>]  ; \ntohs
00418EFB .  66:8985 1AFAFFFF  mov word ptr [ebp-5E6], ax
00418F02 .  6A 10  push 10  ; /AddrLen = 10 (16.)
00418F04 .  8D95 18FAFFFF  lea edx, dword ptr [ebp-5E8]  ; |
00418F0A .  52  push edx  ; |pSockAddr
00418F0B .  A1 9C826500  mov eax, dword ptr [65829C]  ; |
00418F10 .  50  push eax  ; |Socket => 384
00418F11 .  FF15 D0A54600  call dword ptr [<&ws2_32.connect>]  ; \connect
00418F17 .  8985 58FEFFFF  mov dword ptr [ebp-1A8], eax  ; get server data
00418F1D .  83BD 58FEFFFF FF  cmp dword ptr [ebp-1A8], -1  ; is the return value >= FFFFFFFF? ; if so, fail (communication abnormal)
00418F24    75 14  jnz short 00418F3A  ; ★ so this must jump! Change to JMP ★
00418F26 .  C705 3C105D00 0D000000  mov dword ptr [5D103C], 0D
00418F30 .  E8 EB180100  call 0042A820
00418F35 .  E9 5C0A0000  jmp 00419996
00418F3A >  6A 00  push 0  ; /Flags = 0
00418F3C .  6A 60  push 60  ; |DataSize = 60 (96.)
00418F3E .  8D8D 74FFFFFF  lea ecx, dword ptr [ebp-8C]  ; |
00418F44 .  51  push ecx  ; |Data
00418F45 .  8B15 9C826500  mov edx, dword ptr [65829C]  ; |
00418F4B .  52  push edx  ; |Socket => 384
00418F4C .  FF15 D8A54600  call dword ptr [<&ws2_32.send>]  ; \send
00418F52 .  8985 58FEFFFF  mov dword ptr [ebp-1A8], eax  ; get server data again
00418F58 .  83BD 58FEFFFF 60  cmp dword ptr [ebp-1A8], 60  ; is the return value <= 96? ; if so, fail (packet incorrect)
00418F5F    74 05  je short 00418F66  ; ★ so this must jump! Change to JMP ★
00418F61 .  E9 300A0000  jmp 00419996
00418F66 >  6A 00  push 0  ; /Flags = 0
00418F68 .  6A 60  push 60  ; |BufSize = 60 (96.)
00418F6A .  8D85 74FFFFFF  lea eax, dword ptr [ebp-8C]  ; |
00418F70 .  50  push eax  ; |Buffer
00418F71 .  8B0D 9C826500  mov ecx, dword ptr [65829C]  ; |
00418F77 .  51  push ecx  ; |Socket => 384
00418F78 .  FF15 D4A54600  call dword ptr [<&ws2_32.recv>]  ; \recv
00418F7E .  8985 58FEFFFF  mov dword ptr [ebp-1A8], eax  ; get server data again
00418F84 .  83BD 58FEFFFF 00  cmp dword ptr [ebp-1A8], 0  ; is the return value >= 0? ; if so, fail (packet incorrect)
00418F8B    75 05  jnz short 00418F92  ; ★ changing this one is optional; to be safe, change to JMP ★
00418F8D .  E9 040A0000  jmp 00419996
00418F92 >  8B15 9C826500  mov edx, dword ptr [65829C]  ; server communication ends
00418F98 .  52  push edx  ; /Socket => 384
00418F99 .  FF15 E4A54600  call dword ptr [<&ws2_32.closesocket>]  ; \closesocket
00418F9F .  6A 01  push 1
00418FA1 .  6A 10  push 10
00418FA3 .  8D85 48FEFFFF  lea eax, dword ptr [ebp-1B8]
00418FA9 .  50  push eax
00418FAA .  6A 60  push 60
00418FAC .  8D8D 74FFFFFF  lea ecx, dword ptr [ebp-8C]
00418FB2 .  51  push ecx
00418FB3 .  8D95 74FFFFFF  lea edx, dword ptr [ebp-8C]
00418FB9 .  52  push edx
00418FBA .  E8 91310100  call 0042C150  ; check whether the server returned data
00418FBF .  83C4 18  add esp, 18
00418FC2 .  75 04  jnz short 00418FC8  ; jump if data was returned! (must jump)
00418FC4 .  74 02  je short 00418FC8
00418FC6    9A  db 9A
00418FC7    E8  db E8
00418FC8 >  83BD 74FFFFFF 09  cmp dword ptr [ebp-8C], 9  ; check whether the cheat program has an update
00418FCF .  0F85 A7000000  jnz 0041907C  ; jump if greater or equal ; (to stop it auto-updating, change to JMP)
00418FD5 .  6A 00  push 0
00418FD7 .  68 502E4800  push 00482E50
00418FDC .  68 082E4800  push 00482E08
00418FE1 .  8B8D 98F9FFFF  mov ecx, dword ptr [ebp-668]
00418FE7 .  E8 CCF40300  call 004584B8
00418FEC .  B9 11000000  mov ecx, 11
00418FF1 .  33C0  xor eax, eax
00418FF3 .  8DBD C0F9FFFF  lea edi, dword ptr [ebp-640]
00418FF9 .  F3:AB  rep stos dword ptr es:[edi]
00418FFB .  C785 C0F9FFFF 44000000  mov dword ptr [ebp-640], 44
00419005 .  33C0  xor eax, eax
00419007 .  8985 04FAFFFF  mov dword ptr [ebp-5FC], eax
0041900D .  8985 08FAFFFF  mov dword ptr [ebp-5F8], eax
00419013 .  8985 0CFAFFFF  mov dword ptr [ebp-5F4], eax
00419019 .  8985 10FAFFFF  mov dword ptr [ebp-5F0], eax
0041901F .  8D8D 04FAFFFF  lea ecx, dword ptr [ebp-5FC]
00419025 .  51  push ecx  ; /pProcessInfo
00419026 .  8D95 C0F9FFFF  lea edx, dword ptr [ebp-640]  ; |
0041902C .  52  push edx  ; |pStartupInfo
0041902D .  6A 00  push 0  ; |CurrentDir = NULL
0041902F .  6A 00  push 0  ; |pEnvironment = NULL
00419031 .  6A 00  push 0  ; |CreationFlags = 0
00419033 .  6A 00  push 0  ; |InheritHandles = FALSE
00419035 .  6A 00  push 0  ; |pThreadSecurity = NULL
00419037 .  6A 00  push 0  ; |pProcessSecurity = NULL
00419039 .  68 E42D4800  push 00482DE4  ; |CommandLine = "explorer http://www.jtlover.net/";
0041903E .  6A 00  push 0  ; |ModuleFileName = NULL
00419040 .  FF15 34A24600  call dword ptr [<&kernel32.CreateProces>; \CreateProcessA
00419046 .  85C0  test eax, eax
00419048 .  75 07  jnz short 00419051
0041904A .  6A 00  push 0
0041904C .  E8 87C30100  call 004353D8
00419051 >  8B85 04FAFFFF  mov eax, dword ptr [ebp-5FC]
00419057 .  50  push eax  ; /hObject
00419058 .  FF15 44A24600  call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041905E .  8B8D 08FAFFFF  mov ecx, dword ptr [ebp-5F8]
00419064 .  51  push ecx  ; /hObject
00419065 .  FF15 44A24600  call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041906B .  8B95 74FFFFFF  mov edx, dword ptr [ebp-8C]
00419071 .  8915 3C105D00  mov dword ptr [5D103C], edx
00419077 .  E9 1A090000  jmp 00419996
0041907C >  75 04  jnz short 00419082
0041907E .  74 02  je short 00419082
00419080    9A  db 9A
00419081    E8  db E8
00419082 >  83BD 74FFFFFF 00  cmp dword ptr [ebp-8C], 0  ; check whether the final verification result is <= 0 ; if so, it is correct!
00419089 .  74 15  je short 004190A0  ; ★ so this must jump! Change to JMP ★
0041908B .  8B85 74FFFFFF  mov eax, dword ptr [ebp-8C]
00419091 .  A3 3C105D00  mov dword ptr [5D103C], eax
00419096 .  E8 85170100  call 0042A820
0041909B .  E9 F6080000  jmp 00419996
004190A0 >  8B4D CC  mov ecx, dword ptr [ebp-34]  ; from here on it handles the program window and config files
004190A3 .  890D C0836500  mov dword ptr [6583C0], ecx
004190A9 .  C705 3C105D00 58000000  mov dword ptr [5D103C], 58
004190B3 .  68 F4030000  push 3F4
004190B8 .  8B8D 98F9FFFF  mov ecx, dword ptr [ebp-668]
004190BE .  E8 25050400  call 004595E8
004190C3 .  8985 5CFEFFFF  mov dword ptr [ebp-1A4], eax
004190C9 .  6A 00  push 0
004190CB .  8B8D 5CFEFFFF  mov ecx, dword ptr [ebp-1A4]
004190D1 .  E8 3E080400  call 00459914
004190D6 .  51  push ecx
004190D7 .  8BCC  mov ecx, esp
004190D9 .  89A5 ACF9FFFF  mov dword ptr [ebp-654], esp
004190DF .  68 DC2D4800  push 00482DDC  ; ASCII "TIP2"
004190E4 .  E8 8BD50300  call 00456674
004190E9 .  8985 94F9FFFF  mov dword ptr [ebp-66C], eax
004190EF .  8B95 94F9FFFF  mov edx, dword ptr [ebp-66C]
004190F5 .  8995 90F9FFFF  mov dword ptr [ebp-670], edx
004190FB .  C745 FC 00000000  mov dword ptr [ebp-4], 0
00419102 .  51  push ecx
00419103 .  8BCC  mov ecx, esp
00419105 .  89A5 A8F9FFFF  mov dword ptr [ebp-658], esp
0041910B .  68 D42D4800  push 00482DD4  ; ASCII "Dialog1"
00419110 .  E8 5FD50300  call 00456674
00419115 .  8985 8CF9FFFF  mov dword ptr [ebp-674], eax  ; |
0041911B .  8D85 A4F9FFFF  lea eax, dword ptr [ebp-65C]  ; |
00419121 .  50  push eax  ; |Arg1
00419122 .  B9 04156500  mov ecx, 00651504  ; |
00419127 .  C745 FC FFFFFFFF  mov dword ptr [ebp-4], -1  ; |
0041912E .  E8 DD610000  call 0041F310  ; \jtbl.0041F310
00419133 .  8985 88F9FFFF  mov dword ptr [ebp-678], eax
00419139 .  8B8D 88F9FFFF  mov ecx, dword ptr [ebp-678]
0041913F .  898D A0F9FFFF  mov dword ptr [ebp-660], ecx
00419145 .  C745 FC 01000000  mov dword ptr [ebp-4], 1
0041914C .  8B95 A0F9FFFF  mov edx, dword ptr [ebp-660]
00419152 .  8B02  mov eax, dword ptr [edx]
00419154 .  8985 9CF9FFFF  mov dword ptr [ebp-664], eax
0041915A .  8B8D 9CF9FFFF  mov ecx, dword ptr [ebp-664]
00419160 .  51  push ecx
00419161 .  68 B5040000  push 4B5
00419166 .  B9 C87A6500  mov ecx, 00657AC8
0041916B .  E8 69050400  call 004596D9
00419170 .  C745 FC FFFFFFFF  mov dword ptr [ebp-4], -1
00419177 .  8D8D A4F9FFFF  lea ecx, dword ptr [ebp-65C]
0041917D .  E8 84D40300  call 00456606
00419182 .  68 0000FF00  push 0FF0000
00419187 .  B9 E8806500  mov ecx, 006580E8
0041918C .  E8 FF4F0000  call 0041E190
00419191 .  C645 D8 00  mov byte ptr [ebp-28], 0
00419195 .  C645 D9 00  mov byte ptr [ebp-27], 0
00419199 .  33D2  xor edx, edx
0041919B .  8955 DA  mov dword ptr [ebp-26], edx
0041919E .  8955 DE  mov dword ptr [ebp-22], edx
004191A1 .  8955 E2  mov dword ptr [ebp-1E], edx
004191A4 .  8955 E6  mov dword ptr [ebp-1A], edx
004191A7 .  8955 EA  mov dword ptr [ebp-16], edx
004191AA .  66:8955 EE  mov word ptr [ebp-12], dx
004191AE .  8855 F0  mov byte ptr [ebp-10], dl
004191B1 .  6A 18  push 18  ; /Arg3 = 00000018
004191B3 .  8D45 D8  lea eax, dword ptr [ebp-28]  ; |
004191B6 .  50  push eax  ; |Arg2
004191B7 .  68 05040000  push 405  ; |Arg1 = 00000405
004191BC .  8B8D 98F9FFFF  mov ecx, dword ptr [ebp-668]  ; |
004191C2 .  E8 AB040400  call 00459672  ; \jtbl.00459672
004191C7 .  68 382D4800  push 00482D38  ; /FileName = ".\Setting\config.ini"
004191CC .  8D4D D8  lea ecx, dword ptr [ebp-28]  ; |
004191CF .  51  push ecx  ; |String
004191D0 .  68 182D4800  push 00482D18  ; |Key = "Account"
004191D5 .  68 282D4800  push 00482D28  ; |Section = "Config"
004191DA .  FF15 48A24600  call dword ptr [<&kernel32.WritePrivate>; \WritePrivateProfileStringA
004191E0 .  C685 70FEFFFF 00  mov byte ptr [ebp-190], 0
004191E7 .  C685 71FEFFFF 00  mov byte ptr [ebp-18F], 0
004191EE .  B9 40000000  mov ecx, 40
004191F3 .  33C0  xor eax, eax
004191F5 .  8DBD 72FEFFFF  lea edi, dword ptr [ebp-18E]
004191FB .  F3:AB  rep stos dword ptr es:[edi]
004191FD .  66:AB  stos word ptr es:[edi]
004191FF .  C745 D4 00000000  mov dword ptr [ebp-2C], 0
00419206 .  68 04010000  push 104  ; /BufSize = 104 (260.)
0041920B .  8D95 70FEFFFF  lea edx, dword ptr [ebp-190]  ; |
00419211 .  52  push edx  ; |PathBuffer
00419212 .  6A 00  push 0  ; |hModule = NULL
00419214 .  FF15 ECA14600  call dword ptr [<&kernel32.GetModuleFil>; \GetModuleFileNameA
0041921A .  8DBD 70FEFFFF  lea edi, dword ptr [ebp-190]
00419220 .  83C9 FF  or ecx, FFFFFFFF
00419223 .  33C0  xor eax, eax
00419225 .  F2:AE  repne scas byte ptr es:[edi]
00419227 .  F7D1  not ecx
00419229 .  83C1 FE  add ecx, -2
0041922C .  894D D4  mov dword ptr [ebp-2C], ecx
0041922F >  8B45 D4  mov eax, dword ptr [ebp-2C]
00419232 .  0FBE8C05 70FEFFFF  movsx ecx, byte ptr [ebp+eax-190]
0041923A .  83F9 5C  cmp ecx, 5C
0041923D .  74 16  je short 00419255
0041923F .  8B55 D4  mov edx, dword ptr [ebp-2C]
00419242 .  C68415 70FEFFFF 00  mov byte ptr [ebp+edx-190], 0
0041924A .  8B45 D4  mov eax, dword ptr [ebp-2C]
0041924D .  83E8 01  sub eax, 1
00419250 .  8945 D4  mov dword ptr [ebp-2C], eax
00419253 .^ EB DA  jmp short 0041922F
00419255 >  8D7D D8  lea edi, dword ptr [ebp-28]  ; get the user name (preparing to compute the trial-time check)
00419258 .  8B15 787D5F00  mov edx, dword ptr [5F7D78]  ; kudrtgov.10213000
0041925E .  83C9 FF  or ecx, FFFFFFFF
00419261 .  33C0  xor eax, eax
00419263 .  F2:AE  repne scas byte ptr es:[edi]
00419265 .  F7D1  not ecx
00419267 .  2BF9  sub edi, ecx
00419269 .  8BF7  mov esi, edi
0041926B .  8BC1  mov eax, ecx
0041926D .  8BFA  mov edi, edx
0041926F .  C1E9 02  shr ecx, 2
00419272 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
00419274 .  8BC8  mov ecx, eax
00419276 .  83E1 03  and ecx, 3
00419279 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
0041927B .  8DBD 70FEFFFF  lea edi, dword ptr [ebp-190]
00419281 .  8B0D 787D5F00  mov ecx, dword ptr [5F7D78]  ; kudrtgov.10213000
00419287 .  83C1 1E  add ecx, 1E
0041928A .  8BD1  mov edx, ecx
0041928C .  83C9 FF  or ecx, FFFFFFFF
0041928F .  33C0  xor eax, eax
00419291 .  F2:AE  repne scas byte ptr es:[edi]
00419293 .  F7D1  not ecx
00419295 .  2BF9  sub edi, ecx
00419297 .  8BF7  mov esi, edi
00419299 .  8BC1  mov eax, ecx
0041929B .  8BFA  mov edi, edx
0041929D .  C1E9 02  shr ecx, 2
004192A0 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
004192A2 .  8BC8  mov ecx, eax
004192A4 .  83E1 03  and ecx, 3
004192A7 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
004192A9 .  C685 38FBFFFF 00  mov byte ptr [ebp-4C8], 0
004192B0 .  C685 39FBFFFF 00  mov byte ptr [ebp-4C7], 0
004192B7 .  B9 40000000  mov ecx, 40
004192BC .  33C0  xor eax, eax
004192BE .  8DBD 3AFBFFFF  lea edi, dword ptr [ebp-4C6]
004192C4 .  F3:AB  rep stos dword ptr es:[edi]
004192C6 .  66:AB  stos word ptr es:[edi]
004192C8 .  C685 3CFCFFFF 00  mov byte ptr [ebp-3C4], 0
004192CF .  C685 3DFCFFFF 00  mov byte ptr [ebp-3C3], 0
004192D6 .  B9 40000000  mov ecx, 40
004192DB .  33C0  xor eax, eax
004192DD .  8DBD 3EFCFFFF  lea edi, dword ptr [ebp-3C2]
004192E3 .  F3:AB  rep stos dword ptr es:[edi]
004192E5 .  66:AB  stos word ptr es:[edi]
004192E7 .  C685 44FDFFFF 00  mov byte ptr [ebp-2BC], 0
004192EE .  C685 45FDFFFF 00  mov byte ptr [ebp-2BB], 0
004192F5 .  B9 40000000  mov ecx, 40
004192FA .  33C0  xor eax, eax
004192FC .  8DBD 46FDFFFF  lea edi, dword ptr [ebp-2BA]
00419302 .  F3:AB  rep stos dword ptr es:[edi]
00419304 .  66:AB  stos word ptr es:[edi]
00419306 .  BF CC2D4800  mov edi, 00482DCC  ; ASCII "\Users\"
0041930B .  8D95 70FEFFFF  lea edx, dword ptr [ebp-190]
00419311 .  83C9 FF  or ecx, FFFFFFFF
00419314 .  33C0  xor eax, eax
00419316 .  F2:AE  repne scas byte ptr es:[edi]
00419318 .  F7D1  not ecx
0041931A .  2BF9  sub edi, ecx
0041931C .  8BF7  mov esi, edi
0041931E .  8BD9  mov ebx, ecx
00419320 .  8BFA  mov edi, edx
00419322 .  83C9 FF  or ecx, FFFFFFFF
00419325 .  33C0  xor eax, eax
00419327 .  F2:AE  repne scas byte ptr es:[edi]
00419329 .  83C7 FF  add edi, -1
0041932C .  8BCB  mov ecx, ebx
0041932E .  C1E9 02  shr ecx, 2
00419331 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
00419333 .  8BCB  mov ecx, ebx
00419335 .  83E1 03  and ecx, 3
00419338 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
0041933A .  8DBD 70FEFFFF  lea edi, dword ptr [ebp-190]
00419340 .  8D95 38FBFFFF  lea edx, dword ptr [ebp-4C8]
00419346 .  83C9 FF  or ecx, FFFFFFFF
00419349 .  33C0  xor eax, eax
0041934B .  F2:AE  repne scas byte ptr es:[edi]
0041934D .  F7D1  not ecx
0041934F .  2BF9  sub edi, ecx
00419351 .  8BF7  mov esi, edi
00419353 .  8BC1  mov eax, ecx
00419355 .  8BFA  mov edi, edx
00419357 .  C1E9 02  shr ecx, 2
0041935A .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
0041935C .  8BC8  mov ecx, eax
0041935E .  83E1 03  and ecx, 3
00419361 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
00419363 .  8B3D 787D5F00  mov edi, dword ptr [5F7D78]  ; kudrtgov.10213000
00419369 .  8D95 38FBFFFF  lea edx, dword ptr [ebp-4C8]
0041936F .  83C9 FF  or ecx, FFFFFFFF
00419372 .  33C0  xor eax, eax
00419374 .  F2:AE  repne scas byte ptr es:[edi]
00419376 .  F7D1  not ecx
00419378 .  2BF9  sub edi, ecx
0041937A .  8BF7  mov esi, edi
0041937C .  8BD9  mov ebx, ecx
0041937E .  8BFA  mov edi, edx
00419380 .  83C9 FF  or ecx, FFFFFFFF
00419383 .  33C0  xor eax, eax
00419385 .  F2:AE  repne scas byte ptr es:[edi]
00419387 .  83C7 FF  add edi, -1
0041938A .  8BCB  mov ecx, ebx
0041938C .  C1E9 02  shr ecx, 2
0041938F .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
00419391 .  8BCB  mov ecx, ebx
00419393 .  83E1 03  and ecx, 3
00419396 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
00419398 .  BF BC2D4800  mov edi, 00482DBC  ; ASCII "\NewConfig.ini"
0041939D .  8D95 38FBFFFF  lea edx, dword ptr [ebp-4C8]
004193A3 .  83C9 FF  or ecx, FFFFFFFF
004193A6 .  33C0  xor eax, eax
004193A8 .  F2:AE  repne scas byte ptr es:[edi]
004193AA .  F7D1  not ecx
004193AC .  2BF9  sub edi, ecx
004193AE .  8BF7  mov esi, edi
004193B0 .  8BD9  mov ebx, ecx
004193B2 .  8BFA  mov edi, edx
004193B4 .  83C9 FF  or ecx, FFFFFFFF
004193B7 .  33C0  xor eax, eax
004193B9 .  F2:AE  repne scas byte ptr es:[edi]
004193BB .  83C7 FF  add edi, -1
004193BE .  8BCB  mov ecx, ebx
004193C0 .  C1E9 02  shr ecx, 2
004193C3 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
004193C5 .  8BCB  mov ecx, ebx
004193C7 .  83E1 03  and ecx, 3
004193CA .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
004193CC .  8DBD 70FEFFFF  lea edi, dword ptr [ebp-190]
004193D2 .  8D95 3CFCFFFF  lea edx, dword ptr [ebp-3C4]
004193D8 .  83C9 FF  or ecx, FFFFFFFF
004193DB .  33C0  xor eax, eax
004193DD .  F2:AE  repne scas byte ptr es:[edi]
004193DF .  F7D1  not ecx
004193E1 .  2BF9  sub edi, ecx
004193E3 .  8BF7  mov esi, edi
004193E5 .  8BC1  mov eax, ecx
004193E7 .  8BFA  mov edi, edx
004193E9 .  C1E9 02  shr ecx, 2
004193EC .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
004193EE .  8BC8  mov ecx, eax
004193F0 .  83E1 03  and ecx, 3
004193F3 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
004193F5 .  8B3D 787D5F00  mov edi, dword ptr [5F7D78]  ; kudrtgov.10213000
004193FB .  8D95 3CFCFFFF  lea edx, dword ptr [ebp-3C4]
00419401 .  83C9 FF  or ecx, FFFFFFFF
00419404 .  33C0  xor eax, eax
00419406 .  F2:AE  repne scas byte ptr es:[edi]
00419408 .  F7D1  not ecx
0041940A .  2BF9  sub edi, ecx
0041940C .  8BF7  mov esi, edi
0041940E .  8BD9  mov ebx, ecx
00419410 .  8BFA  mov edi, edx
00419412 .  83C9 FF  or ecx, FFFFFFFF
00419415 .  33C0  xor eax, eax
00419417 .  F2:AE  repne scas byte ptr es:[edi]
00419419 .  83C7 FF  add edi, -1
0041941C .  8BCB  mov ecx, ebx
0041941E .  C1E9 02  shr ecx, 2
00419421 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
00419423 .  8BCB  mov ecx, ebx
00419425 .  83E1 03  and ecx, 3
00419428 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
0041942A .  BF AC2D4800  mov edi, 00482DAC  ; ASCII "\ListFile.ini"
0041942F .  8D95 3CFCFFFF  lea edx, dword ptr [ebp-3C4]
00419435 .  83C9 FF  or ecx, FFFFFFFF
00419438 .  33C0  xor eax, eax
0041943A .  F2:AE  repne scas byte ptr es:[edi]
0041943C .  F7D1  not ecx
0041943E .  2BF9  sub edi, ecx
00419440 .  8BF7  mov esi, edi
00419442 .  8BD9  mov ebx, ecx
00419444 .  8BFA  mov edi, edx
00419446 .  83C9 FF  or ecx, FFFFFFFF
00419449 .  33C0  xor eax, eax
0041944B .  F2:AE  repne scas byte ptr es:[edi]
0041944D .  83C7 FF  add edi, -1
00419450 .  8BCB  mov ecx, ebx
00419452 .  C1E9 02  shr ecx, 2
00419455 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
00419457 .  8BCB  mov ecx, ebx
00419459 .  83E1 03  and ecx, 3
0041945C .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
0041945E .  8DBD 70FEFFFF  lea edi, dword ptr [ebp-190]
00419464 .  8D95 44FDFFFF  lea edx, dword ptr [ebp-2BC]
0041946A .  83C9 FF  or ecx, FFFFFFFF
0041946D .  33C0  xor eax, eax
0041946F .  F2:AE  repne scas byte ptr es:[edi]
00419471 .  F7D1  not ecx
00419473 .  2BF9  sub edi, ecx
00419475 .  8BF7  mov esi, edi
00419477 .  8BC1  mov eax, ecx
00419479 .  8BFA  mov edi, edx
0041947B .  C1E9 02  shr ecx, 2
0041947E .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
00419480 .  8BC8  mov ecx, eax
00419482 .  83E1 03  and ecx, 3
00419485 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
00419487 .  8B3D 787D5F00  mov edi, dword ptr [5F7D78]  ; kudrtgov.10213000
0041948D .  8D95 44FDFFFF  lea edx, dword ptr [ebp-2BC]
00419493 .  83C9 FF  or ecx, FFFFFFFF
00419496 .  33C0  xor eax, eax
00419498 .  F2:AE  repne scas byte ptr es:[edi]
0041949A .  F7D1  not ecx
0041949C .  2BF9  sub edi, ecx
0041949E .  8BF7  mov esi, edi
004194A0 .  8BD9  mov ebx, ecx
004194A2 .  8BFA  mov edi, edx
004194A4 .  83C9 FF  or ecx, FFFFFFFF
004194A7 .  33C0  xor eax, eax
004194A9 .  F2:AE  repne scas byte ptr es:[edi]
004194AB .  83C7 FF  add edi, -1
004194AE .  8BCB  mov ecx, ebx
004194B0 .  C1E9 02  shr ecx, 2
004194B3 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
004194B5 .  8BCB  mov ecx, ebx
004194B7 .  83E1 03  and ecx, 3
004194BA .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
004194BC .  BF 9C2D4800  mov edi, 00482D9C  ; ASCII "\GuoLvFile.ini"
004194C1 .  8D95 44FDFFFF  lea edx, dword ptr [ebp-2BC]
004194C7 .  83C9 FF  or ecx, FFFFFFFF
004194CA .  33C0  xor eax, eax
004194CC .  F2:AE  repne scas byte ptr es:[edi]
004194CE .  F7D1  not ecx
004194D0 .  2BF9  sub edi, ecx
004194D2 .  8BF7  mov esi, edi
004194D4 .  8BD9  mov ebx, ecx
004194D6 .  8BFA  mov edi, edx
004194D8 .  83C9 FF  or ecx, FFFFFFFF
004194DB .  33C0  xor eax, eax
004194DD .  F2:AE  repne scas byte ptr es:[edi]
004194DF .  83C7 FF  add edi, -1
004194E2 .  8BCB  mov ecx, ebx
004194E4 .  C1E9 02  shr ecx, 2
004194E7 .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
004194E9 .  8BCB  mov ecx, ebx
004194EB .  83E1 03  and ecx, 3
004194EE .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
004194F0 .  68 982D4800  push 00482D98
004194F5 .  8D85 38FBFFFF  lea eax, dword ptr [ebp-4C8]
004194FB .  50  push eax
004194FC .  E8 97BE0100  call 00435398  ; does config file A already exist?
00419501 .  83C4 08  add esp, 8
00419504 .  8985 14FAFFFF  mov dword ptr [ebp-5EC], eax
0041950A .  83BD 14FAFFFF 00  cmp dword ptr [ebp-5EC], 0
00419511 .  75 5A  jnz short 0041956D  ; jump if the file already exists
00419513 .  8B3D 787D5F00  mov edi, dword ptr [5F7D78]  ; kudrtgov.10213000
00419519 .  8D95 70FEFFFF  lea edx, dword ptr [ebp-190]
0041951F .  83C9 FF  or ecx, FFFFFFFF
00419522 .  33C0  xor eax, eax
00419524 .  F2:AE  repne scas byte ptr es:[edi]
00419526 .  F7D1  not ecx
00419528 .  2BF9  sub edi, ecx
0041952A .  8BF7  mov esi, edi
0041952C .  8BD9  mov ebx, ecx
0041952E .  8BFA  mov edi, edx
00419530 .  83C9 FF  or ecx, FFFFFFFF
00419533 .  33C0  xor eax, eax
00419535 .  F2:AE  repne scas byte ptr es:[edi]
00419537 .  83C7 FF  add edi, -1
0041953A .  8BCB  mov ecx, ebx
0041953C .  C1E9 02  shr ecx, 2
0041953F .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
00419541 .  8BCB  mov ecx, ebx
00419543 .  83E1 03  and ecx, 3
00419546 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
00419548 .  6A 00  push 0  ; /pSecurity = NULL
0041954A .  8D85 70FEFFFF  lea eax, dword ptr [ebp-190]  ; |
00419550 .  50  push eax  ; |Path
00419551 .  FF15 F0A14600  call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
00419557 .  6A 01  push 1  ; /FailIfExists = TRUE
00419559 .  8D8D 38FBFFFF  lea ecx, dword ptr [ebp-4C8]  ; |use the default config file A
0041955F .  51  push ecx  ; |NewFileName
00419560 .  68 842D4800  push 00482D84  ; |ExistingFileName = ; "Setting\Default.ini"
00419565 .  FF15 F4A14600  call dword ptr [<&kernel32.CopyFileA>]  ; \CopyFileA
0041956B .  EB 0F  jmp short 0041957C
0041956D >  8B95 14FAFFFF  mov edx, dword ptr [ebp-5EC]
00419573 .  52  push edx
00419574 .  E8 71BD0100  call 004352EA
00419579 .  83C4 04  add esp, 4
0041957C >  68 982D4800  push 00482D98
00419581 .  8D85 3CFCFFFF  lea eax, dword ptr [ebp-3C4]
00419587 .  50  push eax
00419588 .  E8 0BBE0100  call 00435398  ; does config file B already exist?
0041958D .  83C4 08  add esp, 8
00419590 .  8985 14FAFFFF  mov dword ptr [ebp-5EC], eax
00419596 .  83BD 14FAFFFF 00  cmp dword ptr [ebp-5EC], 0
0041959D .  75 25  jnz short 004195C4  ; jump if the file already exists
0041959F .  6A 00  push 0  ; /pSecurity = NULL
004195A1 .  8D8D 70FEFFFF  lea ecx, dword ptr [ebp-190]  ; |
004195A7 .  51  push ecx  ; |Path
004195A8 .  FF15 F0A14600  call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
004195AE .  6A 01  push 1  ; /FailIfExists = TRUE
004195B0 .  8D95 3CFCFFFF  lea edx, dword ptr [ebp-3C4]  ; |use the default config file B
004195B6 .  52  push edx  ; |NewFileName
004195B7 .  68 6C2D4800  push 00482D6C  ; |ExistingFileName = ; "Setting\DefaultList.ini"
004195BC .  FF15 F4A14600  call dword ptr [<&kernel32.CopyFileA>]  ; \CopyFileA
004195C2 .  EB 0F  jmp short 004195D3
004195C4 >  8B85 14FAFFFF  mov eax, dword ptr [ebp-5EC]
004195CA .  50  push eax
004195CB .  E8 1ABD0100  call 004352EA
004195D0 .  83C4 04  add esp, 4
004195D3 >  68 982D4800  push 00482D98
004195D8 .  8D8D 44FDFFFF  lea ecx, dword ptr [ebp-2BC]
004195DE .  51  push ecx
004195DF .  E8 B4BD0100  call 00435398  ; does config file C already exist?
004195E4 .  83C4 08  add esp, 8
004195E7 .  8985 14FAFFFF  mov dword ptr [ebp-5EC], eax
004195ED .  83BD 14FAFFFF 00  cmp dword ptr [ebp-5EC], 0
004195F4 .  75 25  jnz short 0041961B  ; jump if the file already exists
004195F6 .  6A 00  push 0  ; /pSecurity = NULL
004195F8 .  8D95 70FEFFFF  lea edx, dword ptr [ebp-190]  ; |
004195FE .  52  push edx  ; |Path
004195FF .  FF15 F0A14600  call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
00419605 .  6A 01  push 1  ; /FailIfExists = TRUE
00419607 .  8D85 44FDFFFF  lea eax, dword ptr [ebp-2BC]  ; |use the default config file C
0041960D .  50  push eax  ; |NewFileName
0041960E .  68 502D4800  push 00482D50  ; |ExistingFileName = ; "Setting\DefaultGuoLv.ini"
00419613 .  FF15 F4A14600  call dword ptr [<&kernel32.CopyFileA>]  ; \CopyFileA
00419619 .  EB 0F  jmp short 0041962A
0041961B >  8B8D 14FAFFFF  mov ecx, dword ptr [ebp-5EC]
00419621 .  51  push ecx
00419622 .  E8 C3BC0100  call 004352EA
00419627 .  83C4 04  add esp, 4
0041962A >  68 382D4800  push 00482D38  ; /IniFileName = ".\Setting\config.ini"
0041962F .  6A 00  push 0  ; |Default = 0
00419631 .  68 0C2D4800  push 00482D0C  ; |Key = "virtualcode"
00419636 .  68 282D4800  push 00482D28  ; |Section = "Config"
0041963B .  FF15 F8A14600  call dword ptr [<&kernel32.GetPrivatePr>; \GetPrivateProfileIntA
00419641 .  66:8985 34FBFFFF  mov word ptr [ebp-4CC], ax
00419648 .  68 382D4800  push 00482D38  ; /IniFileName = ".\Setting\config.ini"
0041964D .  6A 00  push 0  ; |Default = 0
0041964F .  68 002D4800  push 00482D00  ; |Key = "modifiers"
00419654 .  68 282D4800  push 00482D28  ; |Section = "Config"
00419659 .  FF15 F8A14600  call dword ptr [<&kernel32.GetPrivatePr>; \GetPrivateProfileIntA
0041965F .  66:8985 2CFBFFFF  mov word ptr [ebp-4D4], ax
00419666 .  8B95 34FBFFFF  mov edx, dword ptr [ebp-4CC]
0041966C .  81E2 FFFF0000  and edx, 0FFFF
00419672 .  A1 787D5F00  mov eax, dword ptr [5F7D78]
00419677 .  8990 22010000  mov dword ptr [eax+122], edx
0041967D .  8B8D 2CFBFFFF  mov ecx, dword ptr [ebp-4D4]
00419683 .  81E1 FFFF0000  and ecx, 0FFFF
00419689 .  8B15 787D5F00  mov edx, dword ptr [5F7D78]  ; kudrtgov.10213000
0041968F .  898A 26010000  mov dword ptr [edx+126], ecx
00419695 .  A1 787D5F00  mov eax, dword ptr [5F7D78]
0041969A .  C780 90010000 64000000  mov dword ptr [eax+190], 64
004196A4 .  C685 28FAFFFF 00  mov byte ptr [ebp-5D8], 0
004196AB .  C685 29FAFFFF 00  mov byte ptr [ebp-5D7], 0
004196B2 .  B9 40000000  mov ecx, 40
004196B7 .  33C0  xor eax, eax
004196B9 .  8DBD 2AFAFFFF  lea edi, dword ptr [ebp-5D6]
004196BF .  F3:AB  rep stos dword ptr es:[edi]
004196C1 .  66:AB  stos word ptr es:[edi]
004196C3 .  6A 12  push 12  ; /Arg3 = 00000012
004196C5 .  8D8D 28FAFFFF  lea ecx, dword ptr [ebp-5D8]  ; |
004196CB .  51  push ecx  ; |Arg2
004196CC .  68 05040000  push 405  ; |Arg1 = 00000405
004196D1 .  8B8D 98F9FFFF  mov ecx, dword ptr [ebp-668]  ; |
004196D7 .  E8 96FF0300  call 00459672  ; \jtbl.00459672
004196DC .  C785 40FDFFFF 00000000  mov dword ptr [ebp-2C0], 0
004196E6 .  EB 0F  jmp short 004196F7
004196E8 >  8B95 40FDFFFF  mov edx, dword ptr [ebp-2C0]
004196EE .  83C2 01  add edx, 1
004196F1 .  8995 40FDFFFF  mov dword ptr [ebp-2C0], edx
004196F7 >  8B85 40FDFFFF  mov eax, dword ptr [ebp-2C0]
004196FD .  3B05 687D5F00  cmp eax, dword ptr [5F7D68]
00419703 .  0F83 A6000000  jnb 004197AF
00419709 .  8D8D 28FAFFFF  lea ecx, dword ptr [ebp-5D8]
0041970F .  898D 84F9FFFF  mov dword ptr [ebp-67C], ecx
00419715 .  8B95 40FDFFFF  mov edx, dword ptr [ebp-2C0]
0041971B .  6BD2 68  imul edx, edx, 68
0041971E .  81C2 18E65D00  add edx, 005DE618  ; get user names previously used locally
00419724 .  8995 80F9FFFF  mov dword ptr [ebp-680], edx
0041972A >  8B85 80F9FFFF  mov eax, dword ptr [ebp-680]
00419730 .  8A08  mov cl, byte ptr [eax]
00419732 .  888D 7FF9FFFF  mov byte ptr [ebp-681], cl
00419738 .  8B95 84F9FFFF  mov edx, dword ptr [ebp-67C]
0041973E .  3A0A  cmp cl, byte ptr [edx]
00419740 .  75 46  jnz short 00419788
00419742 .  80BD 7FF9FFFF 00  cmp byte ptr [ebp-681], 0
00419749 .  74 31  je short 0041977C
0041974B .  8B85 80F9FFFF  mov eax, dword ptr [ebp-680]
00419751 .  8A48 01  mov cl, byte ptr [eax+1]
00419754 .  888D 7EF9FFFF  mov byte ptr [ebp-682], cl
0041975A .  8B95 84F9FFFF  mov edx, dword ptr [ebp-67C]
00419760 .  3A4A 01  cmp cl, byte ptr [edx+1]
00419763 .  75 23  jnz short 00419788
00419765 .  8385 80F9FFFF 02  add dword ptr [ebp-680], 2
0041976C .  8385 84F9FFFF 02  add dword ptr [ebp-67C], 2
00419773 .  80BD 7EF9FFFF 00  cmp byte ptr [ebp-682], 0
0041977A .^ 75 AE  jnz short 0041972A
0041977C >  C785 78F9FFFF 00000000  mov dword ptr [ebp-688], 0
00419786 .  EB 0B  jmp short 00419793
00419788 >  1BC0  sbb eax, eax
0041978A .  83D8 FF  sbb eax, -1
0041978D .  8985 78F9FFFF  mov dword ptr [ebp-688], eax
00419793 >  8B8D 78F9FFFF  mov ecx, dword ptr [ebp-688]
00419799 .  898D 74F9FFFF  mov dword ptr [ebp-68C], ecx
0041979F .  83BD 74F9FFFF 00  cmp dword ptr [ebp-68C], 0
004197A6 .  75 02  jnz short 004197AA
004197A8 .  EB 05  jmp short 004197AF
004197AA >^ E9 39FFFFFF  jmp 004196E8
004197AF >  8B95 40FDFFFF  mov edx, dword ptr [ebp-2C0]
004197B5 .  3B15 687D5F00  cmp edx, dword ptr [5F7D68]  ; check whether this user name is a new one
004197BB .  0F82 EF000000  jb 004198B0  ; ★ so this must not jump! NOP it out ★
004197C1 .  A1 687D5F00  mov eax, dword ptr [5F7D68]
004197C6 .  A3 6C7D5F00  mov dword ptr [5F7D6C], eax
004197CB .  8DBD 28FAFFFF  lea edi, dword ptr [ebp-5D8]
004197D1 .  8B0D 687D5F00  mov ecx, dword ptr [5F7D68]
004197D7 .  6BC9 68  imul ecx, ecx, 68
004197DA .  81C1 18E65D00  add ecx, 005DE618  ; ASCII "test"
004197E0 .  898D 70F9FFFF  mov dword ptr [ebp-690], ecx
004197E6 .  8B95 70F9FFFF  mov edx, dword ptr [ebp-690]
004197EC .  A1 687D5F00  mov eax, dword ptr [5F7D68]
004197F1 .  83C0 01  add eax, 1
004197F4 .  A3 687D5F00  mov dword ptr [5F7D68], eax
004197F9 .  83C9 FF  or ecx, FFFFFFFF
004197FC .  33C0  xor eax, eax
004197FE .  F2:AE  repne scas byte ptr es:[edi]
00419800 .  F7D1  not ecx
00419802 .  2BF9  sub edi, ecx
00419804 .  8BF7  mov esi, edi
00419806 .  8BC1  mov eax, ecx
00419808 .  8BFA  mov edi, edx
0041980A .  C1E9 02  shr ecx, 2
0041980D .  F3:A5  rep movs dword ptr es:[edi], dword ptr>
0041980F .  8BC8  mov ecx, eax
00419811 .  83E1 03  and ecx, 3
00419814 .  F3:A4  rep movs byte ptr es:[edi], byte ptr [>
00419816 .  6A 00  push 0  ; /prepare to write the data file used for local records
00419818 .  68 00000002  push 2000000  ; |Attributes = BACKUP_SEMANTICS
0041981D .  6A 04  push 4  ; |Mode = OPEN_ALWAYS
0041981F .  6A 00  push 0  ; |pSecurity = NULL
00419821 .  6A 02  push 2  ; |ShareMode = FILE_SHARE_WRITE
00419823 .  68 00000040  push 40000000  ; |Access = GENERIC_WRITE
00419828 .  68 F42C4800  push 00482CF4  ; |FileName = "Account.dat"
0041982D .  FF15 3CA24600  call dword ptr [<&kernel32.CreateFileA>>; \CreateFileA
00419833 .  8985 B8F9FFFF  mov dword ptr [ebp-648], eax
00419839 .  6A 00  push 0  ; /pOverlapped = NULL
0041983B .  8D8D BCF9FFFF  lea ecx, dword ptr [ebp-644]  ; |
00419841 .  51  push ecx  ; |pBytesWritten
00419842 .  6A 04  push 4  ; |nBytesToWrite = 4
00419844 .  68 687D5F00  push 005F7D68  ; |Buffer = jtbl.005F7D68
00419849 .  8B95 B8F9FFFF  mov edx, dword ptr [ebp-648]  ; |
0041984F .  52  push edx  ; |hFile
00419850 .  FF15 40A24600  call dword ptr [<&kernel32.WriteFile>]  ; \WriteFile
00419856 .  6A 00  push 0  ; /pOverlapped = NULL
00419858 .  8D85 BCF9FFFF  lea eax, dword ptr [ebp-644]  ; |
0041985E .  50  push eax  ; |pBytesWritten
0041985F .  6A 04  push 4  ; |nBytesToWrite = 4
00419861 .  68 6C7D5F00  push 005F7D6C  ; |Buffer = jtbl.005F7D6C
00419866 .  8B8D B8F9FFFF  mov ecx, dword ptr [ebp-648]  ; |
0041986C .  51  push ecx  ; |hFile
0041986D .  FF15 40A24600  call dword ptr [<&kernel32.WriteFile>]  ; \WriteFile
00419873 .  6A 00  push 0  ; /pOverlapped = NULL
00419875 .  8D95 BCF9FFFF  lea edx, dword ptr [ebp-644]  ; |
0041987B .  52  push edx  ; |pBytesWritten
0041987C .  68 40960100  push 19640  ; |nBytesToWrite = 19640 (104000.)
00419881 .  68 18E65D00  push 005DE618  ; |Buffer = jtbl.005DE618
00419886 .  8B85 B8F9FFFF  mov eax, dword ptr [ebp-648]  ; |
0041988C .  50  push eax  ; |hFile
0041988D .  FF15 40A24600  call dword ptr [<&kernel32.WriteFile>]  ; \WriteFile
00419893 .  8B8D B8F9FFFF  mov ecx, dword ptr [ebp-648]
00419899 .  51  push ecx  ; /hObject
0041989A .  FF15 44A24600  call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
004198A0 .  8B8D 98F9FFFF  mov ecx, dword ptr [ebp-668]
004198A6 .  E8 350E0000  call 0041A6E0
004198AB .  E9 A1000000  jmp 00419951
004198B0 >  8B95 40FDFFFF  mov edx, dword ptr [ebp-2C0]
004198B6 .  8915 6C7D5F00  mov dword ptr [5F7D6C], edx
004198BC .  6A 00  push 0  ; /hTemplateFile = NULL
004198BE .  68 00000002  push 2000000  ; |Attributes = BACKUP_SEMANTICS
004198C3 .  6A 04  push 4  ; |Mode = OPEN_ALWAYS
004198C5 .  6A 00  push 0  ; |pSecurity = NULL
004198C7 .  6A 02  push 2  ; |ShareMode = FILE_SHARE_WRITE
004198C9 .  68 00000040  push 40000000  ; |Access = GENERIC_WRITE
004198CE .  68 F42C4800  push 00482CF4  ; |FileName = "Account.dat"
004198D3 .  FF15 3CA24600  call dword ptr [<&kernel32.CreateFileA>>; \CreateFileA
004198D9 .  8985 B0F9FFFF  mov dword ptr [ebp-650], eax
004198DF .  6A 00  push 0  ; /pOverlapped = NULL
004198E1 .  8D85 B4F9FFFF  lea eax, dword ptr [ebp-64C]  ; |
004198E7 .  50  push eax  ; |pBytesWritten
004198E8 .  6A 04  push 4  ; |nBytesToWrite = 4
004198EA .  68 687D5F00  push 005F7D68  ; |Buffer = jtbl.005F7D68
004198EF .  8B8D B0F9FFFF  mov ecx, dword ptr [ebp-650]  ; |
004198F5 .  51  push ecx  ; |hFile
004198F6 .  FF15 40A24600  call dword ptr [<&kernel32.WriteFile>]  ; \WriteFile
004198FC .  6A 00  push 0  ; /pOverlapped = NULL
004198FE .  8D95 B4F9FFFF  lea edx, dword ptr [ebp-64C]  ; |
00419904 .  52  push edx  ; |pBytesWritten
00419905 .  6A 04  push 4  ; |nBytesToWrite = 4
00419907 .  68 6C7D5F00  push 005F7D6C  ; |Buffer = jtbl.005F7D6C
0041990C .  8B85 B0F9FFFF  mov eax, dword ptr [ebp-650]  ; |
00419912 .  50  push eax  ; |hFile
00419913 .  FF15 40A24600  call dword ptr [<&kernel32.WriteFile>]  ; \WriteFile
00419919 .  6A 00  push 0  ; /pOverlapped = NULL
0041991B .  8D8D B4F9FFFF  lea ecx, dword ptr [ebp-64C]  ; |
00419921 .  51  push ecx  ; |pBytesWritten
00419922 .  68 40960100  push 19640  ; |nBytesToWrite = 19640 (104000.)
00419927 .  68 18E65D00  push 005DE618  ; |Buffer = jtbl.005DE618
0041992C .  8B95 B0F9FFFF  mov edx, dword ptr [ebp-650]  ; |
00419932 .  52  push edx  ; |hFile
00419933 .  FF15 40A24600  call dword ptr [<&kernel32.WriteFile>]  ; \WriteFile
00419939 .  8B85 B0F9FFFF  mov eax, dword ptr [ebp-650]
0041993F .  50  push eax  ; /hObject
00419940 .  FF15 44A24600  call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
00419946 .  8B8D 98F9FFFF  mov ecx, dword ptr [ebp-668]
0041994C .  E8 8F0D0000  call 0041A6E0
00419951 >  68 04040000  push 404
00419956 .  8B8D 98F9FFFF  mov ecx, dword ptr [ebp-668]
0041995C .  E8 87FC0300  call 004595E8
00419961 .  8985 5CFEFFFF  mov dword ptr [ebp-1A4], eax
00419967 .  6A 01  push 1
00419969 .  8B8D 5CFEFFFF  mov ecx, dword ptr [ebp-1A4]
0041996F .  E8 A0FF0300  call 00459914
00419974 .  8B0D 787D5F00  mov ecx, dword ptr [5F7D78]  ; kudrtgov.10213000
0041997A .  890D A0126500  mov dword ptr [6512A0], ecx
00419980 .  6A 00  push 0  ; /Timerproc = NULL
00419982 .  6A 64  push 64  ; |Timeout = 100. ms
00419984 .  6A 01  push 1  ; |TimerID = 1
00419986 .  8B95 98F9FFFF  mov edx, dword ptr [ebp-668]  ; |
0041998C .  8B42 1C  mov eax, dword ptr [edx+1C]  ; |
0041998F .  50  push eax  ; |hWnd
00419990 .  FF15 6CA54600  call dword ptr [<&user32.SetTimer>]  ; \SetTimer
00419996 >  8B4D F4  mov ecx, dword ptr [ebp-C]
00419999 .  64:890D 00000000  mov dword ptr fs:[0], ecx
004199A0 .  5F  pop edi
004199A1 .  5E  pop esi
004199A2 .  5B  pop ebx
004199A3 .  8BE5  mov esp, ebp
004199A5 .  5D  pop ebp
004199A6 .  C3  retn  ; network and local verification all finished
--------------------------------------------------------------------------------
【Lessons learned】

Network verification is actually not scary; what is scary is the "clothing" (the packer) it wears. But as everyone's skills keep improving and the tools keep getting updated and more powerful, it can now be debugged even without unpacking. The most important thing is to be careful!

[Help] Network verification
Experts, please come and help
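
[Help] ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov
I'm a newbie too and have been learning unpacking lately. For that ASP packer of yours, the Kanxue tools include an unpacking script for ASP 1.2x-1.3x: load the program in OD, then run the script through the plugin and it unpacks automatically. I used an unpacking script to deal with ASProtect 2.1x SKE -> Alexey Solodovnikov. Can any expert really teach me unpacking? My own study lately has been a complete mess.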

[Help] A question only a super newbie would ask
Then what should I do? I just want you all to teach me....

[Help] PECompact V2.X-> Bitsum Technologies *
PECompact V2.X-> Bitsum Technologies * The script for this packer doesn't work. I downloaded it. Could you give me a link, please?

[Help] PECompact V2.X-> Bitsum Technologies *
Also, can the generic PECompact V2.X unpacking method unpack this packer?