-
-
[旧帖] 找不到参考字符,麻烦看看 0.00雪花
-
发表于: 2009-12-19 09:46
-
这个软件是需要*.key注册的,我随便做个了miros.key去测试,但是注册的时候,他都是提示 注册成功,然后重新启动软件。
无奈进去软件使用下注册功能,提示不是注册用户,但是在ollydbg找不到参考字符。
部分如下:
00419980 |. 8B2D 88D24500 MOV EBP,DWORD PTR DS:[<&KERNEL32.lstrlen>; kernel32.lstrlenW
00419986 |. 53 PUSH EBX ; /String
00419987 |. FFD5 CALL EBP ; \lstrlenW
00419989 |. 3D 03010000 CMP EAX,103
0041998E |. 76 18 JBE SHORT MFI.004199A8
00419990 |. B8 03010000 MOV EAX,103
00419995 |. 40 INC EAX
00419996 |. 50 PUSH EAX ; /n => 104 (260.)
00419997 |. 53 PUSH EBX ; |String2
00419998 |. 57 PUSH EDI ; |String1
00419999 |. FF15 44D24500 CALL DWORD PTR DS:[<&KERNEL32.lstrcpynW>>; \lstrcpynW
0041999F |. 5F POP EDI
004199A0 |. 8BC6 MOV EAX,ESI
004199A2 |. 5E POP ESI
004199A3 |. 5D POP EBP
004199A4 |. 5B POP EBX
004199A5 |. C2 1800 RETN 18
004199A8 |> 53 PUSH EBX
004199A9 |. FFD5 CALL EBP
004199AB |. 40 INC EAX
004199AC |. 50 PUSH EAX ; /n
004199AD |. 53 PUSH EBX ; |String2
004199AE |. 57 PUSH EDI ; |String1
004199AF |. FF15 44D24500 CALL DWORD PTR DS:[<&KERNEL32.lstrcpynW>>; \lstrcpynW
004199B5 |> 5F POP EDI
004199B6 |. 8BC6 MOV EAX,ESI
004199B8 |. 5E POP ESI
004199B9 |. 5D POP EBP
004199BA |. 5B POP EBX
004199BB \. C2 1800 RETN 18
004199BE CC INT3
004199BF CC INT3
004199C0 . 33C0 XOR EAX,EAX
004199C2 . C2 1800 RETN 18
004199C5 CC INT3
004199C6 CC INT3
004199C7 CC INT3
004199C8 CC INT3
004199C9 CC INT3
004199CA CC INT3
004199CB CC INT3
004199CC CC INT3
004199CD CC INT3
004199CE CC INT3
004199CF CC INT3
004199D0 . 56 PUSH ESI
004199D1 . 8BF1 MOV ESI,ECX
004199D3 . E8 089FFEFF CALL MFI.004038E0
004199D8 . F64424 08 01 TEST BYTE PTR SS:[ESP+8],1
004199DD . 74 09 JE SHORT MFI.004199E8
004199DF . 56 PUSH ESI
004199E0 . E8 4CCD0200 CALL MFI.00446731
004199E5 . 83C4 04 ADD ESP,4
004199E8 > 8BC6 MOV EAX,ESI
004199EA . 5E POP ESI
004199EB . C2 0400 RETN 4
004199EE CC INT3
004199EF CC INT3
004199F0 /$ 55 PUSH EBP
004199F1 |. 8BEC MOV EBP,ESP
004199F3 |. 83E4 F8 AND ESP,FFFFFFF8
004199F6 |. 81EC D0080000 SUB ESP,8D0
004199FC |. A1 2CFF4600 MOV EAX,DWORD PTR DS:[46FF2C]
00419A01 |. 56 PUSH ESI
00419A02 |. 57 PUSH EDI
00419A03 |. 6A 00 PUSH 0
00419A05 |. 68 58E34500 PUSH MFI.0045E358 ; UNICODE "*.key files"
00419A0A |. 68 04108000 PUSH 801004
00419A0F |. 68 48E34500 PUSH MFI.0045E348 ; UNICODE "MFI.key"
00419A14 |. 68 3CE34500 PUSH MFI.0045E33C ; UNICODE "*.key"
00419A19 |. 8BF1 MOV ESI,ECX
00419A1B |. 6A 01 PUSH 1
00419A1D |. 8D8C24 6004000>LEA ECX,DWORD PTR SS:[ESP+460]
00419A24 |. 898424 EC08000>MOV DWORD PTR SS:[ESP+8EC],EAX
00419A2B |. E8 B0FEFFFF CALL MFI.004198E0
00419A30 |. C78424 4804000>MOV DWORD PTR SS:[ESP+448],MFI.0045E25C
00419A3B |. FF15 6CD44500 CALL DWORD PTR DS:[<&USER32.GetActiveWin>; [GetActiveWindow
00419A41 |. 50 PUSH EAX
00419A42 |. 8D8C24 4C04000>LEA ECX,DWORD PTR SS:[ESP+44C]
00419A49 |. E8 32FEFFFF CALL MFI.00419880
00419A4E |. 83F8 01 CMP EAX,1
00419A51 |. 0F85 E4000000 JNZ MFI.00419B3B
00419A57 |. 33C0 XOR EAX,EAX
00419A59 |. 66:C74424 28 0>MOV WORD PTR SS:[ESP+28],0
00419A60 |. B9 82000000 MOV ECX,82
00419A65 |. 8D7C24 2A LEA EDI,DWORD PTR SS:[ESP+2A]
00419A69 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00419A6B |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00419A70 |. 8D4424 2C LEA EAX,DWORD PTR SS:[ESP+2C] ; |
00419A74 |. 50 PUSH EAX ; |PathBuffer
00419A75 |. 6A 00 PUSH 0 ; |hModule = NULL
00419A77 |. FF15 80D24500 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameW
00419A7D |. 68 30E34500 PUSH MFI.0045E330 ; /Extention = ".key"
00419A82 |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C] ; |
00419A86 |. 51 PUSH ECX ; |Path
00419A87 |. FF15 ECD24500 CALL DWORD PTR DS:[<&SHLWAPI.PathRenameE>; \PathRenameExtensionW
00419A8D |. 33C0 XOR EAX,EAX
00419A8F |. 66:C78424 3802>MOV WORD PTR SS:[ESP+238],0
00419A99 |. B9 82000000 MOV ECX,82
00419A9E |. 8DBC24 3A02000>LEA EDI,DWORD PTR SS:[ESP+23A]
00419AA5 |. 8D9424 C406000>LEA EDX,DWORD PTR SS:[ESP+6C4]
00419AAC |. F3:AB REP STOS DWORD PTR ES:[EDI]
00419AAE |. 52 PUSH EDX
00419AAF |. 8D8424 3C02000>LEA EAX,DWORD PTR SS:[ESP+23C]
00419AB6 |. 50 PUSH EAX
00419AB7 |. E8 73D30200 CALL MFI.00446E2F
00419ABC |. 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
00419ABF |. 33C9 XOR ECX,ECX
00419AC1 |. 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
00419AC5 |. 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
00419AC9 |. 894C24 1C MOV DWORD PTR SS:[ESP+1C],ECX
00419ACD |. 894C24 20 MOV DWORD PTR SS:[ESP+20],ECX
00419AD1 |. 894C24 24 MOV DWORD PTR SS:[ESP+24],ECX
00419AD5 |. 894C24 28 MOV DWORD PTR SS:[ESP+28],ECX
00419AD9 |. 895424 10 MOV DWORD PTR SS:[ESP+10],EDX
00419ADD |. 83C4 08 ADD ESP,8
00419AE0 |. 66:894C24 24 MOV WORD PTR SS:[ESP+24],CX
00419AE5 |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00419AE9 |. 8D8424 3802000>LEA EAX,DWORD PTR SS:[ESP+238]
00419AF0 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
00419AF4 |. 52 PUSH EDX
00419AF5 |. C74424 10 0200>MOV DWORD PTR SS:[ESP+10],2
00419AFD |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
00419B01 |. 66:C74424 1C 1>MOV WORD PTR SS:[ESP+1C],10
00419B08 |. 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
00419B0C |. FF15 DCD24500 CALL DWORD PTR DS:[<&SHELL32.SHFileOpera>; SHELL32.SHFileOperationW
00419B12 |. 85C0 TEST EAX,EAX
00419B14 75 25 JNZ SHORT MFI.00419B3B
00419B16 |. 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00419B19 |. 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00419B1B |. 68 14E34500 PUSH MFI.0045E314 ; |Title = "Registration"
00419B20 |. 68 70E24500 PUSH MFI.0045E270 ; |感谢你的注册,请重新启动程序!
00419B25 |. 50 PUSH EAX ; |hOwner
00419B26 |. FF15 20D34500 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW
00419B2C |. 0FB74D 0C MOVZX ECX,WORD PTR SS:[EBP+C]
00419B30 |. 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
00419B33 |. 51 PUSH ECX ; /Result
00419B34 |. 52 PUSH EDX ; |hWnd
00419B35 |. FF15 DCD44500 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00419B3B |> 8B8424 5C04000>MOV EAX,DWORD PTR SS:[ESP+45C]
00419B42 |. 85C0 TEST EAX,EAX
00419B44 |. 74 10 JE SHORT MFI.00419B56
00419B46 |. 50 PUSH EAX ; /pMemory
00419B47 |. 6A 00 PUSH 0 ; |Flags = 0
00419B49 |. FF15 90D24500 CALL DWORD PTR DS:[<&KERNEL32.GetProcess>; |[GetProcessHeap
00419B4F |. 50 PUSH EAX ; |hHeap
00419B50 |. FF15 74D24500 CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; \HeapFree
00419B56 |> 8B8C24 D408000>MOV ECX,DWORD PTR SS:[ESP+8D4]
00419B5D |. 33C0 XOR EAX,EAX
00419B5F |. E8 03BF0200 CALL MFI.00445A67
00419B64 |. 5F POP EDI
00419B65 |. 5E POP ESI
00419B66 |. 8BE5 MOV ESP,EBP
00419B68 |. 5D POP EBP
00419B69 \. C2 1000 RETN 10
无奈进去软件使用下注册功能,提示不是注册用户,但是在ollydbg找不到参考字符。
部分如下:
00419980 |. 8B2D 88D24500 MOV EBP,DWORD PTR DS:[<&KERNEL32.lstrlen>; kernel32.lstrlenW
00419986 |. 53 PUSH EBX ; /String
00419987 |. FFD5 CALL EBP ; \lstrlenW
00419989 |. 3D 03010000 CMP EAX,103
0041998E |. 76 18 JBE SHORT MFI.004199A8
00419990 |. B8 03010000 MOV EAX,103
00419995 |. 40 INC EAX
00419996 |. 50 PUSH EAX ; /n => 104 (260.)
00419997 |. 53 PUSH EBX ; |String2
00419998 |. 57 PUSH EDI ; |String1
00419999 |. FF15 44D24500 CALL DWORD PTR DS:[<&KERNEL32.lstrcpynW>>; \lstrcpynW
0041999F |. 5F POP EDI
004199A0 |. 8BC6 MOV EAX,ESI
004199A2 |. 5E POP ESI
004199A3 |. 5D POP EBP
004199A4 |. 5B POP EBX
004199A5 |. C2 1800 RETN 18
004199A8 |> 53 PUSH EBX
004199A9 |. FFD5 CALL EBP
004199AB |. 40 INC EAX
004199AC |. 50 PUSH EAX ; /n
004199AD |. 53 PUSH EBX ; |String2
004199AE |. 57 PUSH EDI ; |String1
004199AF |. FF15 44D24500 CALL DWORD PTR DS:[<&KERNEL32.lstrcpynW>>; \lstrcpynW
004199B5 |> 5F POP EDI
004199B6 |. 8BC6 MOV EAX,ESI
004199B8 |. 5E POP ESI
004199B9 |. 5D POP EBP
004199BA |. 5B POP EBX
004199BB \. C2 1800 RETN 18
004199BE CC INT3
004199BF CC INT3
004199C0 . 33C0 XOR EAX,EAX
004199C2 . C2 1800 RETN 18
004199C5 CC INT3
004199C6 CC INT3
004199C7 CC INT3
004199C8 CC INT3
004199C9 CC INT3
004199CA CC INT3
004199CB CC INT3
004199CC CC INT3
004199CD CC INT3
004199CE CC INT3
004199CF CC INT3
004199D0 . 56 PUSH ESI
004199D1 . 8BF1 MOV ESI,ECX
004199D3 . E8 089FFEFF CALL MFI.004038E0
004199D8 . F64424 08 01 TEST BYTE PTR SS:[ESP+8],1
004199DD . 74 09 JE SHORT MFI.004199E8
004199DF . 56 PUSH ESI
004199E0 . E8 4CCD0200 CALL MFI.00446731
004199E5 . 83C4 04 ADD ESP,4
004199E8 > 8BC6 MOV EAX,ESI
004199EA . 5E POP ESI
004199EB . C2 0400 RETN 4
004199EE CC INT3
004199EF CC INT3
004199F0 /$ 55 PUSH EBP
004199F1 |. 8BEC MOV EBP,ESP
004199F3 |. 83E4 F8 AND ESP,FFFFFFF8
004199F6 |. 81EC D0080000 SUB ESP,8D0
004199FC |. A1 2CFF4600 MOV EAX,DWORD PTR DS:[46FF2C]
00419A01 |. 56 PUSH ESI
00419A02 |. 57 PUSH EDI
00419A03 |. 6A 00 PUSH 0
00419A05 |. 68 58E34500 PUSH MFI.0045E358 ; UNICODE "*.key files"
00419A0A |. 68 04108000 PUSH 801004
00419A0F |. 68 48E34500 PUSH MFI.0045E348 ; UNICODE "MFI.key"
00419A14 |. 68 3CE34500 PUSH MFI.0045E33C ; UNICODE "*.key"
00419A19 |. 8BF1 MOV ESI,ECX
00419A1B |. 6A 01 PUSH 1
00419A1D |. 8D8C24 6004000>LEA ECX,DWORD PTR SS:[ESP+460]
00419A24 |. 898424 EC08000>MOV DWORD PTR SS:[ESP+8EC],EAX
00419A2B |. E8 B0FEFFFF CALL MFI.004198E0
00419A30 |. C78424 4804000>MOV DWORD PTR SS:[ESP+448],MFI.0045E25C
00419A3B |. FF15 6CD44500 CALL DWORD PTR DS:[<&USER32.GetActiveWin>; [GetActiveWindow
00419A41 |. 50 PUSH EAX
00419A42 |. 8D8C24 4C04000>LEA ECX,DWORD PTR SS:[ESP+44C]
00419A49 |. E8 32FEFFFF CALL MFI.00419880
00419A4E |. 83F8 01 CMP EAX,1
00419A51 |. 0F85 E4000000 JNZ MFI.00419B3B
00419A57 |. 33C0 XOR EAX,EAX
00419A59 |. 66:C74424 28 0>MOV WORD PTR SS:[ESP+28],0
00419A60 |. B9 82000000 MOV ECX,82
00419A65 |. 8D7C24 2A LEA EDI,DWORD PTR SS:[ESP+2A]
00419A69 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00419A6B |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00419A70 |. 8D4424 2C LEA EAX,DWORD PTR SS:[ESP+2C] ; |
00419A74 |. 50 PUSH EAX ; |PathBuffer
00419A75 |. 6A 00 PUSH 0 ; |hModule = NULL
00419A77 |. FF15 80D24500 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameW
00419A7D |. 68 30E34500 PUSH MFI.0045E330 ; /Extention = ".key"
00419A82 |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C] ; |
00419A86 |. 51 PUSH ECX ; |Path
00419A87 |. FF15 ECD24500 CALL DWORD PTR DS:[<&SHLWAPI.PathRenameE>; \PathRenameExtensionW
00419A8D |. 33C0 XOR EAX,EAX
00419A8F |. 66:C78424 3802>MOV WORD PTR SS:[ESP+238],0
00419A99 |. B9 82000000 MOV ECX,82
00419A9E |. 8DBC24 3A02000>LEA EDI,DWORD PTR SS:[ESP+23A]
00419AA5 |. 8D9424 C406000>LEA EDX,DWORD PTR SS:[ESP+6C4]
00419AAC |. F3:AB REP STOS DWORD PTR ES:[EDI]
00419AAE |. 52 PUSH EDX
00419AAF |. 8D8424 3C02000>LEA EAX,DWORD PTR SS:[ESP+23C]
00419AB6 |. 50 PUSH EAX
00419AB7 |. E8 73D30200 CALL MFI.00446E2F
00419ABC |. 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
00419ABF |. 33C9 XOR ECX,ECX
00419AC1 |. 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
00419AC5 |. 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
00419AC9 |. 894C24 1C MOV DWORD PTR SS:[ESP+1C],ECX
00419ACD |. 894C24 20 MOV DWORD PTR SS:[ESP+20],ECX
00419AD1 |. 894C24 24 MOV DWORD PTR SS:[ESP+24],ECX
00419AD5 |. 894C24 28 MOV DWORD PTR SS:[ESP+28],ECX
00419AD9 |. 895424 10 MOV DWORD PTR SS:[ESP+10],EDX
00419ADD |. 83C4 08 ADD ESP,8
00419AE0 |. 66:894C24 24 MOV WORD PTR SS:[ESP+24],CX
00419AE5 |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00419AE9 |. 8D8424 3802000>LEA EAX,DWORD PTR SS:[ESP+238]
00419AF0 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
00419AF4 |. 52 PUSH EDX
00419AF5 |. C74424 10 0200>MOV DWORD PTR SS:[ESP+10],2
00419AFD |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
00419B01 |. 66:C74424 1C 1>MOV WORD PTR SS:[ESP+1C],10
00419B08 |. 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
00419B0C |. FF15 DCD24500 CALL DWORD PTR DS:[<&SHELL32.SHFileOpera>; SHELL32.SHFileOperationW
00419B12 |. 85C0 TEST EAX,EAX
00419B14 75 25 JNZ SHORT MFI.00419B3B
00419B16 |. 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00419B19 |. 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00419B1B |. 68 14E34500 PUSH MFI.0045E314 ; |Title = "Registration"
00419B20 |. 68 70E24500 PUSH MFI.0045E270 ; |感谢你的注册,请重新启动程序!
00419B25 |. 50 PUSH EAX ; |hOwner
00419B26 |. FF15 20D34500 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW
00419B2C |. 0FB74D 0C MOVZX ECX,WORD PTR SS:[EBP+C]
00419B30 |. 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
00419B33 |. 51 PUSH ECX ; /Result
00419B34 |. 52 PUSH EDX ; |hWnd
00419B35 |. FF15 DCD44500 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00419B3B |> 8B8424 5C04000>MOV EAX,DWORD PTR SS:[ESP+45C]
00419B42 |. 85C0 TEST EAX,EAX
00419B44 |. 74 10 JE SHORT MFI.00419B56
00419B46 |. 50 PUSH EAX ; /pMemory
00419B47 |. 6A 00 PUSH 0 ; |Flags = 0
00419B49 |. FF15 90D24500 CALL DWORD PTR DS:[<&KERNEL32.GetProcess>; |[GetProcessHeap
00419B4F |. 50 PUSH EAX ; |hHeap
00419B50 |. FF15 74D24500 CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; \HeapFree
00419B56 |> 8B8C24 D408000>MOV ECX,DWORD PTR SS:[ESP+8D4]
00419B5D |. 33C0 XOR EAX,EAX
00419B5F |. E8 03BF0200 CALL MFI.00445A67
00419B64 |. 5F POP EDI
00419B65 |. 5E POP ESI
00419B66 |. 8BE5 MOV ESP,EBP
00419B68 |. 5D POP EBP
00419B69 \. C2 1000 RETN 10
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
能详细点嘛?感觉无从入手。
|
|
|
|
|
|
 PUSH MFI.0045E270 大概是装入提示字符的代码 确实是装入了提示字符的代码。但是问题是 注册失败的提示符,我根本找不到。
|
|
|
|
|
|
应该是重启验证的啦`
|
