[求助]逆向计算。是高手的来
什么太深? 00402060 |. 837D 10 00 cmp [arg.3],0 00402064 |. 74 14 je short 外挂.0040207A 这段程序判断注册码是否验证成功,只是判断 [arg.3] 这个局部变量是否为 0。
[求助]逆向计算。是高手的来
上面这段是程序判断是否通过验证的地方。如果 call 外挂.00418670 是一个求字符串长度的函数,那么就不知道哪段才是生成或者比较真正注册码的地方了。sessiondiy大侠和小虾大侠,帮忙再给些提示。我都找了一个多星期了,头都大了,还是没什么头绪。
[求助]逆向计算。是高手的来
00401EEF /. 55 push ebp 00401EF0 |. 8BEC mov ebp,esp 00401EF2 |. 83EC 24 sub esp,24 00401EF5 |. 57 push edi 00401EF6 |. A1 34D34400 mov eax,dword ptr ds:[44D334] 00401EFB |. 8945 E0 mov [local.8],eax 00401EFE |. B9 07000000 mov ecx,7 00401F03 |. 33C0 xor eax,eax 00401F05 |. 8D7D E4 lea edi,[local.7] 00401F08 |. F3:AB rep stos dword ptr es:[edi] 00401F0A |. 8B4D 0C mov ecx,[arg.2] 00401F0D |. 894D DC mov [local.9],ecx 00401F10 |. 837D DC 00 cmp [local.9],0 00401F14 |. 0F84 F6000000 je 外挂.00402010 00401F1A |. 837D DC 01 cmp [local.9],1 00401F1E |. 74 05 je short 外挂.00401F25 00401F20 |. E9 57010000 jmp 外挂.0040207C 00401F25 |> 6A 01 push 1 ; /NewValue = 1 00401F27 |. 68 BC2E4500 push 外挂.00452EBC ; |pTarget = 外挂.00452EBC 00401F2C |. FF15 24F34300 call dword ptr ds:[<&kernel32.Interlocke>; \InterlockedExchange 00401F32 |. 8B15 542C4500 mov edx,dword ptr ds:[452C54] 00401F38 |. 81C2 000B0000 add edx,0B00 00401F3E |. 52 push edx 00401F3F |. 68 38D34400 push 外挂.0044D338 ; 激活成功,感谢支持 00401F44 |. 8D45 E0 lea eax,[local.8] 00401F47 |. 50 push eax 00401F48 |. E8 9E670100 call 外挂.004186EB 00401F4D |. 83C4 0C add esp,0C 00401F50 |. 8D4D E0 lea ecx,[local.8] 00401F53 |. 51 push ecx 00401F54 |. E8 17670100 call 外挂.00418670 00401F59 |. 83C4 04 add esp,4 00401F5C |. 83F8 08 cmp eax,8 00401F5F |. 76 46 jbe short 外挂.00401FA7 00401F61 |. 8D55 E0 lea edx,[local.8] 00401F64 |. 52 push edx 00401F65 |. E8 06670100 call 外挂.00418670 00401F6A |. 83C4 04 add esp,4 00401F6D |. C64405 DB 2A mov byte ptr ss:[ebp+eax-25],2A 00401F72 |. 8D45 E0 lea eax,[local.8] 00401F75 |. 50 push eax 00401F76 |. E8 F5660100 call 外挂.00418670 00401F7B |. 83C4 04 add esp,4 00401F7E |. C64405 DA 2A mov byte ptr ss:[ebp+eax-26],2A 00401F83 |. 8D4D E0 lea ecx,[local.8] 00401F86 |. 51 push ecx 00401F87 |. E8 E4660100 call 外挂.00418670 00401F8C |. 83C4 04 add esp,4 00401F8F |. C64405 D9 2A mov byte ptr ss:[ebp+eax-27],2A 00401F94 |. 8D55 E0 lea edx,[local.8] 00401F97 |. 52 push edx 00401F98 |. 
E8 D3660100 call 外挂.00418670 00401F9D |. 83C4 04 add esp,4 00401FA0 |. C64405 D8 2A mov byte ptr ss:[ebp+eax-28],2A 00401FA5 |. EB 22 jmp short 外挂.00401FC9 00401FA7 |> 8D45 E0 lea eax,[local.8] 00401FAA |. 50 push eax 00401FAB |. E8 C0660100 call 外挂.00418670 00401FB0 |. 83C4 04 add esp,4 00401FB3 |. C64405 DE 2A mov byte ptr ss:[ebp+eax-22],2A 00401FB8 |. 8D4D E0 lea ecx,[local.8] 00401FBB |. 51 push ecx 00401FBC |. E8 AF660100 call 外挂.00418670 00401FC1 |. 83C4 04 add esp,4 00401FC4 |. C64405 DD 2A mov byte ptr ss:[ebp+eax-23],2A 00401FC9 |> 8D55 E0 lea edx,[local.8] 00401FCC |. 52 push edx 00401FCD |. 8B0D C02E4500 mov ecx,dword ptr ds:[452EC0] 00401FD3 |. 81C1 1C090000 add ecx,91C 00401FD9 |. E8 2FEC0200 call 外挂.00430C0D 00401FDE |. 6A 00 push 0 00401FE0 |. 8B0D C02E4500 mov ecx,dword ptr ds:[452EC0] 00401FE6 |. 81C1 1C090000 add ecx,91C 00401FEC |. E8 88ED0200 call 外挂.00430D79 00401FF1 |. 837D 10 00 cmp [arg.3],0 00401FF5 |. 74 14 je short 外挂.0040200B 00401FF7 |. 6A 00 push 0 00401FF9 |. 68 40D34400 push 外挂.0044D340 00401FFE |. 68 54D34400 push 外挂.0044D354 00402003 |. 8B4D 08 mov ecx,[arg.1] 00402006 |. E8 EA090300 call 外挂.004329F5 0040200B |> E9 9C000000 jmp 外挂.004020AC 00402010 |> 6A 01 push 1 ; /NewValue = 1 00402012 |. 68 BC2E4500 push 外挂.00452EBC ; |pTarget = 外挂.00452EBC 00402017 |. FF15 24F34300 call dword ptr ds:[<&kernel32.Interlocke>; \InterlockedExchange 0040201D |. 6A 00 push 0 0040201F |. 6A 00 push 0 00402021 |. 68 00000010 push 10000000 00402026 |. 8B0D C02E4500 mov ecx,dword ptr ds:[452EC0] 0040202C |. 81C1 1C090000 add ecx,91C 00402032 |. E8 74EB0200 call 外挂.00430BAB 00402037 |. 6A 00 push 0 00402039 |. 8B0D C02E4500 mov ecx,dword ptr ds:[452EC0] 0040203F |. 81C1 F40C0000 add ecx,0CF4 00402045 |. E8 2FED0200 call 外挂.00430D79 0040204A |. 68 78D34400 push 外挂.0044D378 0040204F |. 8B0D C02E4500 mov ecx,dword ptr ds:[452EC0] 00402055 |. 81C1 F40C0000 add ecx,0CF4 0040205B |. E8 ADEB0200 call 外挂.00430C0D 00402060 |. 837D 10 00 cmp [arg.3],0 00402064 |. 
74 14 je short 外挂.0040207A 00402066 |. 6A 00 push 0 00402068 |. 68 88D34400 push 外挂.0044D388 ; 激活成功 0040206D |. 68 9CD34400 push 外挂.0044D39C 00402072 |. 8B4D 08 mov ecx,[arg.1] 00402075 |. E8 7B090300 call 外挂.004329F5 0040207A |> EB 30 jmp short 外挂.004020AC 0040207C |> 837D 10 00 cmp [arg.3],0 00402080 |. 74 16 je short 外挂.00402098 00402082 |. 6A 00 push 0 00402084 |. 68 C0D34400 push 外挂.0044D3C0 00402089 |. 68 D4D34400 push 外挂.0044D3D4 0040208E |. 8B4D 08 mov ecx,[arg.1] 00402091 |. E8 5F090300 call 外挂.004329F5 00402096 |. EB 14 jmp short 外挂.004020AC 00402098 |> 6A 00 push 0 0040209A |. 68 ECD34400 push 外挂.0044D3EC ; 未激活 0040209F |. 68 00D44400 push 外挂.0044D400 ; 未激活可免费使用部分功能 004020A4 |. 8B4D 08 mov ecx,[arg.1] 004020A7 |. E8 49090300 call 外挂.004329F5 004020AC |> 5F pop edi 004020AD |. 8BE5 mov esp,ebp 004020AF |. 5D pop ebp 004020B0 \. C3 retn |
[求助]逆向计算。是高手的来
sessiondiy大侠,能否帮我看下10楼的那段 CALL 代码,看看里面哪段是查找注册码的?
[求助]逆向计算。是高手的来
00418670 /$ 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 00418674 |. F7C1 03000000 test ecx,3 0041867A |. 74 14 je short 脱壳.00418690 0041867C |> 8A01 /mov al,byte ptr ds:[ecx] 0041867E |. 41 |inc ecx 0041867F |. 84C0 |test al,al 00418681 |. 74 40 |je short 脱壳.004186C3 00418683 |. F7C1 03000000 |test ecx,3 00418689 |.^ 75 F1 \jnz short 脱壳.0041867C 0041868B |. 05 00000000 add eax,0 00418690 |> 8B01 /mov eax,dword ptr ds:[ecx] 00418692 |. BA FFFEFE7E |mov edx,7EFEFEFF 00418697 |. 03D0 |add edx,eax 00418699 |. 83F0 FF |xor eax,FFFFFFFF 0041869C |. 33C2 |xor eax,edx 0041869E |. 83C1 04 |add ecx,4 004186A1 |. A9 00010181 |test eax,81010100 004186A6 |.^ 74 E8 |je short 脱壳.00418690 004186A8 |. 8B41 FC |mov eax,dword ptr ds:[ecx-4] 004186AB |. 84C0 |test al,al 004186AD |. 74 32 |je short 脱壳.004186E1 004186AF |. 84E4 |test ah,ah 004186B1 |. 74 24 |je short 脱壳.004186D7 004186B3 |. A9 0000FF00 |test eax,0FF0000 004186B8 |. 74 13 |je short 脱壳.004186CD 004186BA |. A9 000000FF |test eax,FF000000 004186BF |. 74 02 |je short 脱壳.004186C3 004186C1 |.^ EB CD \jmp short 脱壳.00418690 004186C3 |> 8D41 FF lea eax,dword ptr ds:[ecx-1] 004186C6 |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 004186CA |. 2BC1 sub eax,ecx 004186CC |. C3 retn 004186CD |> 8D41 FE lea eax,dword ptr ds:[ecx-2] 004186D0 |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 004186D4 |. 2BC1 sub eax,ecx 004186D6 |. C3 retn 004186D7 |> 8D41 FD lea eax,dword ptr ds:[ecx-3] 004186DA |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 004186DE |. 2BC1 sub eax,ecx 004186E0 |. C3 retn 004186E1 |> 8D41 FC lea eax,dword ptr ds:[ecx-4] 004186E4 |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 004186E8 |. 2BC1 sub eax,ecx 004186EA \. C3 retn 我是追注册码追到这个CALL里来了。感觉注册码是在这里计算的。但是追了几天都没追出它的重点所在。 |
[求助]逆向计算。是高手的来
看看这些信息是否有帮助。
[求助]逆向计算。是高手的来
00418690 |> 8B01 /mov eax,dword ptr ds:[ecx] 00418692 |. |BA FFFEFE7E |mov edx,7EFEFEFF 00418697 |. |03D0 |add edx,eax ; edx=7EFF5C5A 00418699 |. |83F0 FF |xor eax,FFFFFFFF ; eax=FFFFA2A4 0041869C |. |33C2 |xor eax,edx ; eax=8100FEFE 0041869E |. |83C1 04 |add ecx,4 004186A1 |. |A9 00010181 |test eax,81010100 004186A6 |.^ 74 E8 |je short 脱壳.00418690 |
[求助]破解外挂过程中遇到的问题
有没有高手能给些解释的?