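I recently came across a program that shows this prompt after it starts: "You are using a test version". After clicking OK, the program exits.
I looked through this code but can't tell where the key part is. Could an expert explain in detail?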
00DEA2C3 . 33D2 XOR EDX,EDX
00DEA2C5 . 55 PUSH EBP
00DEA2C6 . 68 0FD3DE00 PUSH 111.00DED30F
00DEA2CB . 64:FF32 PUSH DWORD PTR FS:[EDX]
00DEA2CE . 64:8922 MOV DWORD PTR FS:[EDX],ESP
00DEA2D1 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00DEA2D4 . E8 3F5B0100 CALL 111.00DFFE18
00DEA2D9 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00DEA2DC . A1 4035E500 MOV EAX,DWORD PTR DS:[E53540]
00DEA2E1 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA2E3 . E8 18916CFF CALL 111.004B3400
00DEA2E8 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00DEA2EB . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00DEA2EE . E8 850D62FF CALL 111.0040B078
00DEA2F3 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00DEA2F6 . BA 88D4DE00 MOV EDX,111.00DED488 ; ASCII "data\server.ini"
00DEA2FB . E8 88AD61FF CALL 111.00405088
00DEA300 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00DEA303 . B2 01 MOV DL,1
00DEA305 . A1 70C24400 MOV EAX,DWORD PTR DS:[44C270]
00DEA30A . E8 112066FF CALL 111.0044C320
00DEA30F . 8BD8 MOV EBX,EAX
00DEA311 . A1 9C2DE500 MOV EAX,DWORD PTR DS:[E52D9C]
00DEA316 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA318 . BA A0D4DE00 MOV EDX,111.00DED4A0 ; ASCII "01"
00DEA31D . E8 AAAE61FF CALL 111.004051CC
00DEA322 . 75 29 JNZ SHORT 111.00DEA34D
00DEA324 . A1 182CE500 MOV EAX,DWORD PTR DS:[E52C18]
00DEA329 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA32B . BA ACD4DE00 MOV EDX,111.00DED4AC
00DEA330 . E8 97AE61FF CALL 111.004051CC
00DEA335 . 75 16 JNZ SHORT 111.00DEA34D
00DEA337 . 68 B8D4DE00 PUSH 111.00DED4B8
00DEA33C . B9 C4D4DE00 MOV ECX,111.00DED4C4
00DEA341 . BA D0D4DE00 MOV EDX,111.00DED4D0 ; ASCII "server"
00DEA346 . 8BC3 MOV EAX,EBX
00DEA348 . 8B30 MOV ESI,DWORD PTR DS:[EAX]
00DEA34A . FF56 04 CALL DWORD PTR DS:[ESI+4]
00DEA34D > 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00DEA350 . A1 403CE500 MOV EAX,DWORD PTR DS:[E53C40]
00DEA355 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA357 . 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
00DEA35A . E8 91256FFF CALL 111.004DC8F0
00DEA35F . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00DEA362 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00DEA365 . E8 DEFC61FF CALL 111.0040A048
00DEA36A . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00DEA36D . 33D2 XOR EDX,EDX
00DEA36F . E8 D8B361FF CALL 111.0040574C
00DEA374 . 0F85 96010000 JNZ 111.00DEA510
00DEA37A . A1 403CE500 MOV EAX,DWORD PTR DS:[E53C40]
00DEA37F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA381 . 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
00DEA384 . E8 137D6DFF CALL 111.004C209C
00DEA389 . A1 B430E500 MOV EAX,DWORD PTR DS:[E530B4]
00DEA38E 8038 01 CMP BYTE PTR DS:[EAX],1
00DEA391 . 0F85 AA000000 JNZ 111.00DEA441
00DEA397 . 68 E0D4DE00 PUSH 111.00DED4E0 ; ASCII "Provider=SQLOLEDB.1;Persist Security Info=False;User ID=sa;Initial Catalog=master;Data Source="
00DEA39C . 6A 00 PUSH 0
00DEA39E . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00DEA3A1 . 50 PUSH EAX
00DEA3A2 . B9 C4D4DE00 MOV ECX,111.00DED4C4
00DEA3A7 . BA D0D4DE00 MOV EDX,111.00DED4D0 ; ASCII "server"
00DEA3AC . 8BC3 MOV EAX,EBX
00DEA3AE . 8B18 MOV EBX,DWORD PTR DS:[EAX]
00DEA3B0 . FF13 CALL DWORD PTR DS:[EBX]
00DEA3B2 . FF75 D4 PUSH DWORD PTR SS:[EBP-2C]
00DEA3B5 . 68 48D5DE00 PUSH 111.00DED548
00DEA3BA . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00DEA3BD . BA 03000000 MOV EDX,3
00DEA3C2 . E8 79AD61FF CALL 111.00405140
00DEA3C7 . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00DEA3CA . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00DEA3CD . E8 A6B261FF CALL 111.00405678
00DEA3D2 . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
00DEA3D5 . A1 403CE500 MOV EAX,DWORD PTR DS:[E53C40]
00DEA3DA . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA3DC . 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
00DEA3DF . E8 4C256FFF CALL 111.004DC930
00DEA3E4 . 33C0 XOR EAX,EAX
00DEA3E6 . 55 PUSH EBP
00DEA3E7 . 68 0EA4DE00 PUSH 111.00DEA40E
00DEA3EC . 64:FF30 PUSH DWORD PTR FS:[EAX]
00DEA3EF . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00DEA3F2 . A1 403CE500 MOV EAX,DWORD PTR DS:[E53C40]
00DEA3F7 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA3F9 . 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
00DEA3FC . E8 937C6DFF CALL 111.004C2094 //after this CALL, execution jumps to 00DEA413
00DEA401 . 33C0 XOR EAX,EAX
00DEA403 . 5A POP EDX
00DEA404 . 59 POP ECX
00DEA405 . 59 POP ECX
00DEA406 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00DEA409 . E9 02010000 JMP 111.00DEA510
00DEA40E .^ E9 799F61FF JMP 111.0040438C
00DEA413 . 6A 00 PUSH 0
00DEA415 . B9 50D5DE00 MOV ECX,111.00DED550 //"Notice"
00DEA41A . BA 58D5DE00 MOV EDX,111.00DED558 //"You are using a test version"
00DEA41F . A1 4035E500 MOV EAX,DWORD PTR DS:[E53540] //
00DEA424 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA426 . E8 ED8A6CFF CALL 111.004B2F18
00DEA42B . A1 4035E500 MOV EAX,DWORD PTR DS:[E53540]
00DEA430 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00DEA432 . E8 3D8A6CFF CALL 111.004B2E74
00DEA437 . E8 7CA361FF CALL 111.004047B8
00DEA43C . E9 CF000000 JMP 111.00DEA510
00DEA441 > 6A 00 PUSH 0
00DEA443 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00DEA446 . 50 PUSH EAX
Code inside CALL 004C2094
004C2094 /$ B2 01 MOV DL,1
004C2096 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C2098 |. FF51 48 CALL DWORD PTR DS:[ECX+48] ; 111.004C20A4
004C209B \. C3 RETN
004C209C /$ 33D2 XOR EDX,EDX
004C209E |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C20A0 |. FF51 48 CALL DWORD PTR DS:[ECX+48]
004C20A3 \. C3 RETN
004C20A4 . 53 PUSH EBX
004C20A5 . 56 PUSH ESI
004C20A6 . 8BDA MOV EBX,EDX
004C20A8 . 8BF0 MOV ESI,EAX
004C20AA . F646 1C 02 TEST BYTE PTR DS:[ESI+1C],2
004C20AE . 0F95C0 SETNE AL //I also tried changing this flag instruction to SETE AL, but then it reports a data settings error
004C20B1 . 84D8 TEST AL,BL
004C20B3 74 06 JE SHORT 111.004C20BB //jump taken
004C20B5 . C646 3D 01 MOV BYTE PTR DS:[ESI+3D],1
004C20B9 . EB 6D JMP SHORT 111.004C2128
004C20BB > 8BC6 MOV EAX,ESI
004C20BD . 8B10 MOV EDX,DWORD PTR DS:[EAX]
004C20BF . FF52 38 CALL DWORD PTR DS:[EDX+38]
004C20C2 . 3AD8 CMP BL,AL
004C20C4 . 74 62 JE SHORT 111.004C2128 //jump taken
004C20C6 . 84DB TEST BL,BL
004C20C8 . 74 30 JE SHORT 111.004C20FA
004C20CA . 66:837E 52 00 CMP WORD PTR DS:[ESI+52],0
004C20CF . 74 08 JE SHORT 111.004C20D9
004C20D1 . 8BD6 MOV EDX,ESI
004C20D3 . 8B46 54 MOV EAX,DWORD PTR DS:[ESI+54]
004C20D6 . FF56 50 CALL DWORD PTR DS:[ESI]
How can I get past the test-version part? Could an expert explain in detail?