[Original] Analysis of the registration flow of 海啸多功能关机系统 (HXShutDown) V2.1
Posted: 2005-1-27 09:24
Title: Analysis of the registration flow of 海啸多功能关机系统 (HXShutDown) V2.1
Author: jney2
Date: 2005.1.25
Statement: personal study and exchange of experience; the aim is to find the software's weak points, and hopefully the author improves them in the next version!
Approach: I like analysing the registration flow and rarely analyse the algorithm itself.
Tool: OllyDbg 1.1
Software name: 海啸多功能关机系统 (HXShutDown)
============================
Version: V2.1
Software description:
==========
Features:
*Quick shutdown
*Restart the computer
*Log on again as a different user
*Terminate all current processes or programs
*Enter MS-DOS mode via a shortcut
*Custom shutdown
*Eject all CD-ROM drives
*Close all CD-ROM drives
System settings:
*Run automatically at startup
*Add a shortcut to the right-click context menu
*Speed up system menu display
*Disable CD autorun
*Increase the Windows screen refresh speed
*Add a Rename option to the Recycle Bin context menu
*Remove the "Documents" item from the Start menu
Free registration:
Visit the advertisement page on the author's site
and you get a registration code for free!
--Please support this site
URL:
popocy.nease.net/ad/hxad.htm
Build date: 2004-12-03
Load the program in OllyDbg and run it (F9). Type the fake code 787878787878 into the registration box, and in OllyDbg set the breakpoint BP MSVBVM60.__vbaStrCmp;
press F9 again and it breaks here:
00424B82 . FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00424B88 . 8BF8 MOV EDI,EAX
00424B8A . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00424B8D . F7DF NEG EDI
00424B8F . 1BFF SBB EDI,EDI
00424B91 . 47 INC EDI
00424B92 . F7DF NEG EDI
00424B94 . FF15 08124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00424B9A . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00424B9D . FF15 04124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
Step through with F8 until you reach:
00424D3B . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00424D3E . FF15 D4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00424D44 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00424D47 . 51 PUSH ECX
00424D48 . E8 130B0000 CALL HXShutDo.00425860 //after this CALL returns, EAX points to the real registration code;
00424D4D . 8945 88 MOV DWORD PTR SS:[EBP-78],EAX //this is the spot for a memory keygen (break here and read the string at EAX).
00424D50 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
00424D53 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
00424D56 . 52 PUSH EDX
The registration data is stored in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\HX\HXShutDown]
"Name"="HXSHDN200501"
"Register"="SHDN9329"
"Date"="200501"
CALL 00425860 is referenced in two places in the program; the other one is here:
00421120 > \55 PUSH EBP
00421121 . 8BEC MOV EBP,ESP
00421123 . 83EC 08 SUB ESP,8
00421126 . 68 761D4000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0042112B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00421131 . 50 PUSH EAX
00421132 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00421139 . 83EC 20 SUB ESP,20
0042113C . 53 PUSH EBX
0042113D . 56 PUSH ESI
0042113E . 57 PUSH EDI
0042113F . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
00421142 . C745 FC F01A4>MOV DWORD PTR SS:[EBP-4],HXShutDo.00401A>
00421149 . 8B35 6C114000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCopy
0042114F . 33C0 XOR EAX,EAX
00421151 . BA C0BD4000 MOV EDX,HXShutDo.0040BDC0 ; UNICODE "Name"
00421156 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00421159 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0042115C . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0042115F . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00421162 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00421165 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00421168 . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
0042116B . FFD6 CALL ESI ; <&MSVBVM60.__vbaStrCopy>
0042116D . BA 8CBD4000 MOV EDX,HXShutDo.0040BD8C ; UNICODE "Software\HX\HXShutDown"
00421172 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00421175 . FFD6 CALL ESI
00421177 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0042117A . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0042117D . 50 PUSH EAX
0042117E . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00421181 . 51 PUSH ECX
00421182 . 52 PUSH EDX
00421183 . C745 D8 02000>MOV DWORD PTR SS:[EBP-28],80000002
0042118A . E8 F1410000 CALL HXShutDo.00425380
0042118F . 8B3D D4114000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
00421195 . 8BD0 MOV EDX,EAX
00421197 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0042119A . FFD7 CALL EDI ; <&MSVBVM60.__vbaStrMove>
0042119C . 8B1D 70114000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStrList
004211A2 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004211A5 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004211A8 . 50 PUSH EAX
004211A9 . 51 PUSH ECX
004211AA . 6A 02 PUSH 2
004211AC . FFD3 CALL EBX ; <&MSVBVM60.__vbaFreeStrList>
004211AE . 83C4 0C ADD ESP,0C
004211B1 . BA D0BD4000 MOV EDX,HXShutDo.0040BDD0 ; UNICODE "Register"
004211B6 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004211B9 . FFD6 CALL ESI
004211BB . BA 8CBD4000 MOV EDX,HXShutDo.0040BD8C ; UNICODE "Software\HX\HXShutDown"
004211C0 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004211C3 . FFD6 CALL ESI
004211C5 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004211C8 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004211CB . 52 PUSH EDX
004211CC . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
004211CF . 50 PUSH EAX
004211D0 . 51 PUSH ECX
004211D1 . C745 D8 02000>MOV DWORD PTR SS:[EBP-28],80000002
004211D8 . E8 A3410000 CALL HXShutDo.00425380
004211DD . 8BD0 MOV EDX,EAX
004211DF . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004211E2 . FFD7 CALL EDI
004211E4 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004211E7 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004211EA . 52 PUSH EDX
004211EB . 50 PUSH EAX
004211EC . 6A 02 PUSH 2
004211EE . FFD3 CALL EBX
004211F0 . 83C4 0C ADD ESP,0C
004211F3 . BA E8BD4000 MOV EDX,HXShutDo.0040BDE8 ; UNICODE "Date"
004211F8 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004211FB . FFD6 CALL ESI
004211FD . BA 8CBD4000 MOV EDX,HXShutDo.0040BD8C ; UNICODE "Software\HX\HXShutDown"
00421202 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00421205 . FFD6 CALL ESI
00421207 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0042120A . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0042120D . 51 PUSH ECX
0042120E . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00421211 . 52 PUSH EDX
00421212 . 50 PUSH EAX
00421213 . C745 D8 02000>MOV DWORD PTR SS:[EBP-28],80000002
0042121A . E8 61410000 CALL HXShutDo.00425380
0042121F . 8BD0 MOV EDX,EAX
00421221 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
00421224 . FFD7 CALL EDI
00421226 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00421229 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0042122C . 51 PUSH ECX
0042122D . 52 PUSH EDX
0042122E . 6A 02 PUSH 2
00421230 . FFD3 CALL EBX
00421232 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00421235 . 83C4 0C ADD ESP,0C
00421238 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0042123B . 50 PUSH EAX
0042123C . 51 PUSH ECX
0042123D . E8 1E460000 CALL HXShutDo.00425860 //key CALL: derives the expected code from the Name value read above; the __vbaStrCmp that follows compares it with Register.
00421242 . 8BD0 MOV EDX,EAX
00421244 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00421247 . FFD7 CALL EDI
00421249 . 8B1D D0104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCmp
0042124F . 50 PUSH EAX
00421250 . FFD3 CALL EBX ; <&MSVBVM60.__vbaStrCmp>
00421252 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
00421255 . 8BF0 MOV ESI,EAX
00421257 . F7DE NEG ESI
00421259 . 1BF6 SBB ESI,ESI
0042125B . 52 PUSH EDX
0042125C . 46 INC ESI
0042125D . 68 B4B34000 PUSH HXShutDo.0040B3B4
00421262 . F7DE NEG ESI
00421264 . FFD3 CALL EBX
00421266 . F7D8 NEG EAX
00421268 . 1BC0 SBB EAX,EAX
0042126A . F7D8 NEG EAX
0042126C . F7D8 NEG EAX
0042126E . 23F0 AND ESI,EAX
00421270 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00421273 . 50 PUSH EAX
00421274 . 68 B4B34000 PUSH HXShutDo.0040B3B4
00421279 . FFD3 CALL EBX
0042127B . F7D8 NEG EAX
0042127D . 1BC0 SBB EAX,EAX
0042127F . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00421282 . F7D8 NEG EAX
00421284 . F7D8 NEG EAX
00421286 . 23F0 AND ESI,EAX
00421288 . FF15 08124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042128E . 66:85F6 TEST SI,SI
00421291 74 3A JE SHORT HXShutDo.004212CD
00421293 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
Clearly, the code above is the verification against the registry: the expected code is derived from Name and compared with Register, the results of the three __vbaStrCmp calls (that comparison plus two checks that Name and Register differ from the constant string at 0040B3B4) are each converted to a VB boolean by the NEG/SBB sequence and ANDed into ESI, and TEST SI,SI decides the outcome.
Rather than stopping at a memory keygen, here is how to make a clean ("perfect") patched version:
0042127D . 1BC0 SBB EAX,EAX
0042127F . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00421282 . F7D8 NEG EAX
00421284 . F7D8 NEG EAX
00421286 . 23F0 AND ESI,EAX
00421288 . FF15 08124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042128E . 66:85F6 TEST SI,SI
00421291 74 3A JE SHORT HXShutDo.004212CD //decision point: zero means unregistered. Do not modify this jump instruction directly, that causes an error; let it jump.
00421293 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00421296 . 51 PUSH ECX
00421297 . E8 D4440000 CALL HXShutDo.00425770
0042129C . 8BD0 MOV EDX,EAX
0042129E . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004212A1 . FFD7 CALL EDI
004212A3 . 50 PUSH EAX
004212A4 . FFD3 CALL EBX
004212A6 . 8BF0 MOV ESI,EAX
004212A8 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004212AB . F7DE NEG ESI
004212AD . 1BF6 SBB ESI,ESI
004212AF . 46 INC ESI
004212B0 . F7DE NEG ESI
004212B2 . FF15 08124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004212B8 . 66:F7DE NEG SI
004212BB . 1BF6 SBB ESI,ESI
004212BD . 68 08134200 PUSH HXShutDo.00421308
004212C2 . 83C6 02 ADD ESI,2
004212C5 . 8935 20714200 MOV DWORD PTR DS:[427120],ESI //registered branch: stores the registration flag (the NEG SI / SBB ESI,ESI / ADD ESI,2 sequence yields 1 if the Date comparison just above matched, 2 if it did not)
004212CB . EB 25 JMP SHORT HXShutDo.004212F2
004212CD C705 20714200>MOV DWORD PTR DS:[427120],0 //the unregistered path lands here and stores 0 in the registration flag; changing this immediate from 0 to 1 (the value the registered branch stores on full success) is the clean patch.
004212D7 . 68 08134200 PUSH HXShutDo.00421308
004212DC . EB 14 JMP SHORT HXShutDo.004212F2
004212DE . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004212E1 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004212E4 . 52 PUSH EDX
004212E5 . 50 PUSH EAX
004212E6 . 6A 02 PUSH 2
004212E8 . FF15 70114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
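The following is an added example, not code from the original post or from the HXShutDown author. It first emulates, in Python, the two instruction idioms from the listings above to show which value each branch stores at 427120 (1 when the Date comparison matched, 2 when it did not, 0 on the unregistered path), and then applies the "perfect crack" to a copy of the executable: it maps VA 004212CD to a file offset through the PE section table and changes the immediate of MOV DWORD PTR DS:[427120],0 from 0 to 1. The opcode bytes are the standard encoding of that instruction (C7 05 disp32 imm32), consistent with the ten-byte gap to the next instruction in the listing; the PE32 parsing, the byte check before writing, the script and file names, and the constructed minimal sample image used to exercise it offline are assumptions of this example, not something the post states.

```python
"""patch_hxshutdown.py (assumed name): added example, not the post's own code."""
import struct
import sys

M32 = 0xFFFFFFFF

def vb_bool_from_strcmp(r: int) -> int:
    """Emulate MOV ESI,EAX / NEG ESI / SBB ESI,ESI / INC ESI / NEG ESI on a
    __vbaStrCmp result r: yields 0xFFFFFFFF (VB True) only when r == 0."""
    cf = 1 if (r & M32) != 0 else 0      # NEG sets CF iff the operand was non-zero
    esi = (-cf) & M32                     # SBB ESI,ESI  == -CF
    esi = (esi + 1) & M32                 # INC ESI
    return (-esi) & M32                   # NEG ESI

def flag_from_date_cmp(r: int) -> int:
    """Emulate the tail of the registered branch (004212A6..004212C2): the VB
    boolean of the Date comparison, then NEG SI / SBB ESI,ESI / ADD ESI,2.
    Returns 1 when the Date check matched and 2 when it did not."""
    esi = vb_bool_from_strcmp(r)
    cf = 1 if (esi & 0xFFFF) != 0 else 0  # NEG SI: CF comes from the low 16 bits
    esi = (-cf) & M32                     # SBB ESI,ESI
    return (esi + 2) & M32                # ADD ESI,2

PATCH_VA = 0x004212CD
# MOV DWORD PTR DS:[427120],0 as in the listing, encoded C7 05 disp32 imm32.
ORIGINAL = bytes.fromhex("C7 05 20 71 42 00 00 00 00 00")
PATCHED = bytes.fromhex("C7 05 20 71 42 00 01 00 00 00")   # imm32 0 -> 1

def va_to_file_offset(image: bytes, va: int) -> int:
    """Translate a virtual address into a raw file offset via the PE32 section
    table (assumption: an unpacked 32-bit image whose headers are intact)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off, = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    opt = pe_off + 24
    magic, = struct.unpack_from("<H", image, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", image, opt + 28)
    rva = va - image_base
    for i in range(n_sections):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError("VA is in the section's uninitialised tail, not in the file")
            return rawptr + delta
    raise ValueError(f"VA {va:#010x} is not inside any section")

def patch_registered_flag(image: bytes) -> bytes:
    """Return a copy with the flag store changed to 1; refuse to touch anything
    else, so a different build or an already patched file is rejected."""
    off = va_to_file_offset(image, PATCH_VA)
    found = image[off:off + len(ORIGINAL)]
    if found != ORIGINAL:
        raise ValueError(f"unexpected bytes at {off:#x}: {found.hex()}")
    out = bytearray(image)
    out[off:off + len(PATCHED)] = PATCHED
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (NOT the real HXShutDown binary): one
    .text section at RVA 0x1000 with the original instruction placed where the
    real program has it, so the patcher can be exercised offline."""
    image_base, sec_va, sec_raw, sec_size, pe_off = 0x00400000, 0x1000, 0x400, 0x22000, 0x80
    buf = bytearray(sec_raw + sec_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", buf, pe_off + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", buf, opt + 28, image_base)   # ImageBase
    sec = opt + 224
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", buf, sec + 8, sec_size, sec_va, sec_size, sec_raw)
    off = sec_raw + (PATCH_VA - image_base - sec_va)
    buf[off:off + len(ORIGINAL)] = ORIGINAL
    return bytes(buf)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: patch_hxshutdown.py <input.exe> <output.exe>")
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(patch_registered_flag(data))
```

Run it as python patch_hxshutdown.py HXShutDown.exe HXShutDown_patched.exe (file names assumed); it writes nothing unless the ten bytes at the computed offset are exactly the original instruction. The emulation is the reason the patch value is 1 rather than just "non-zero": the registered branch itself distinguishes 1 (Date matched) from 2 (Date mismatch), and only 0 is the unregistered value.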
Summary: simple! (The registration code can be obtained for free, after all.) Suitable for beginners.