UltraISO后期的每个版本基本上都差不多,官网上下载的据传是什么加了白名单,红名单的版本,但即使
是相同版本的MD5值都不同,官网每天都更新。所以我们平时见得最多的就是注册机,注册码,什么李明
啊,王健啊等等,现在最新版的是V9.3.6.2750,好像以前的注册码不能用了,除非你下到的是没名单的
裸体版,手上没有,没办法,只好自己动手了。
首先到官网下载最新版本:
http://www.ezbsystems.com/dl1.php?file=uiso9_cn.exe
注意你下到的程序极可能和我的不一样,下面破文中的地址是不相同的,但大体思路都一样的。只要不太笨,
照样画葫芦就行了。闲话少说,转入正文:
用PEID检测了下,ASPACK的壳,很简单,用AspackDie.exe一下就解了出来,7.39M。然后OD载入,查找所
有参考文本字符串,这里可以多个选择,什么username,registration,uikey.ini,ultraiso.ini等,原因
?你以前用过注册版的ultraiso都会知道,username是注册表的用户名,registration是注册码,另外
两个INI是KEYFILE。ultraiso是既可以注册表注册,也可以KEYFILE注册的,启动时是先检查有没有
keyfile,没有的话从注册表里去找注册码,再没有就变试用了。我们的目的很简单,能拦下来就行,反
正它们的代码都在一起。我用的是username来断,查找所有的username,F2都标上断点,F9运行OD,在这
里断下,注意代码可能不一样:
00471104 /$ 55 push ebp
00471105 |. 8BEC mov ebp, esp
00471107 |. 81C4 C4FEFFFF add esp, -13C
0047110D |. 68 E5ED6500 push 0065EDE5 ; ASCII "rt"
00471112 |. FF75 08 push dword ptr [ebp+8]
00471115 |. E8 066E1B00 call 00627F20
0047111A |. 83C4 08 add esp, 8
0047111D |. 8945 E4 mov dword ptr [ebp-1C], eax
00471120 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00471123 |. 85C0 test eax, eax
00471125 |. 75 07 jnz short 0047112E
00471127 |. 33C0 xor eax, eax
00471129 |. E9 D9020000 jmp 00471407
0047112E |> 8B55 0C mov edx, dword ptr [ebp+C]
00471131 |. C602 00 mov byte ptr [edx], 0
00471134 |. 8B4D 10 mov ecx, dword ptr [ebp+10]
00471137 |. C601 00 mov byte ptr [ecx], 0
0047113A |. E9 85020000 jmp 004713C4
0047113F |> 8A85 C4FEFFFF /mov al, byte ptr [ebp-13C]
00471145 |. 8845 FF |mov byte ptr [ebp-1], al
00471148 |. 8A55 FF |mov dl, byte ptr [ebp-1]
0047114B |. 80FA 23 |cmp dl, 23
0047114E |. 0F84 70020000 |je 004713C4
00471154 |. 8A4D FF |mov cl, byte ptr [ebp-1]
00471157 |. 80F9 3B |cmp cl, 3B
0047115A |. 0F84 64020000 |je 004713C4
00471160 |. 8A45 FF |mov al, byte ptr [ebp-1]
00471163 |. 3C 0D |cmp al, 0D
00471165 |. 0F84 59020000 |je 004713C4
0047116B |. 8A55 FF |mov dl, byte ptr [ebp-1]
0047116E |. 80FA 0A |cmp dl, 0A
00471171 |. 0F84 4D020000 |je 004713C4
00471177 |. 33C9 |xor ecx, ecx
00471179 |. 894D F0 |mov dword ptr [ebp-10], ecx
0047117C |. EB 03 |jmp short 00471181
0047117E |> FF45 F0 |/inc dword ptr [ebp-10]
00471181 |> 8B45 F0 | mov eax, dword ptr [ebp-10]
00471184 |. 0FBE9405 C4FE>||movsx edx, byte ptr [ebp+eax-13C]
0047118C |. 83FA 20 ||cmp edx, 20
0047118F |.^ 74 ED ||je short 0047117E
00471191 |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
00471194 |. 0FBE840D C4FE>||movsx eax, byte ptr [ebp+ecx-13C]
0047119C |. 83F8 08 ||cmp eax, 8
0047119F |.^ 74 DD |\je short 0047117E
004711A1 |. 33D2 |xor edx, edx
004711A3 |. 8955 EC |mov dword ptr [ebp-14], edx
004711A6 |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
004711A9 |. 0FBE840D C4FE>|movsx eax, byte ptr [ebp+ecx-13C]
004711B1 |. 83F8 27 |cmp eax, 27
004711B4 |. 74 14 |je short 004711CA
004711B6 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
004711B9 |. 0FBE8C15 C4FE>|movsx ecx, byte ptr [ebp+edx-13C]
004711C1 |. 83F9 22 |cmp ecx, 22
004711C4 |. 0F85 88000000 |jnz 00471252
004711CA |> 8B45 F0 |mov eax, dword ptr [ebp-10]
004711CD |. 8A9405 C4FEFF>|mov dl, byte ptr [ebp+eax-13C]
004711D4 |. 8855 F7 |mov byte ptr [ebp-9], dl
004711D7 |. FF45 F0 |inc dword ptr [ebp-10]
004711DA |. EB 17 |jmp short 004711F3
004711DC |> 8B4D F0 |/mov ecx, dword ptr [ebp-10]
004711DF |. 8D840D C4FEFF>||lea eax, dword ptr [ebp+ecx-13C]
004711E6 |. 8B55 EC ||mov edx, dword ptr [ebp-14]
004711E9 |. 8A0C10 ||mov cl, byte ptr [eax+edx]
004711EC |. 84C9 ||test cl, cl
004711EE |. 74 1A ||je short 0047120A
004711F0 |. FF45 EC ||inc dword ptr [ebp-14]
004711F3 |> 8B45 F0 | mov eax, dword ptr [ebp-10]
004711F6 |. 8D9405 C4FEFF>||lea edx, dword ptr [ebp+eax-13C]
004711FD |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
00471200 |. 8A040A ||mov al, byte ptr [edx+ecx]
00471203 |. 8A55 F7 ||mov dl, byte ptr [ebp-9]
00471206 |. 3AC2 ||cmp al, dl
00471208 |.^ 75 D2 |\jnz short 004711DC
0047120A |> 8B4D F0 |mov ecx, dword ptr [ebp-10]
0047120D |. 8D840D C4FEFF>|lea eax, dword ptr [ebp+ecx-13C]
00471214 |. 8B55 EC |mov edx, dword ptr [ebp-14]
00471217 |. 8A0C10 |mov cl, byte ptr [eax+edx]
0047121A |. 8A45 F7 |mov al, byte ptr [ebp-9]
0047121D |. 3AC8 |cmp cl, al
0047121F |. 0F85 9F010000 |jnz 004713C4
00471225 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00471228 |. 8D8C15 C4FEFF>|lea ecx, dword ptr [ebp+edx-13C]
0047122F |. 8B45 EC |mov eax, dword ptr [ebp-14]
00471232 |. C60401 00 |mov byte ptr [ecx+eax], 0
00471236 |. FF45 EC |inc dword ptr [ebp-14]
00471239 |. EB 17 |jmp short 00471252
0047123B |> 8B55 F0 |/mov edx, dword ptr [ebp-10]
0047123E |. 8D8C15 C4FEFF>||lea ecx, dword ptr [ebp+edx-13C]
00471245 |. 8B45 EC ||mov eax, dword ptr [ebp-14]
00471248 |. 8A1401 ||mov dl, byte ptr [ecx+eax]
0047124B |. 84D2 ||test dl, dl
0047124D |. 74 19 ||je short 00471268
0047124F |. FF45 EC ||inc dword ptr [ebp-14]
00471252 |> 8B4D F0 | mov ecx, dword ptr [ebp-10]
00471255 |. 8D840D C4FEFF>||lea eax, dword ptr [ebp+ecx-13C]
0047125C |. 8B55 EC ||mov edx, dword ptr [ebp-14]
0047125F |. 0FBE0C10 ||movsx ecx, byte ptr [eax+edx]
00471263 |. 83F9 3D ||cmp ecx, 3D
00471266 |.^ 75 D3 |\jnz short 0047123B
00471268 |> 8B45 F0 |mov eax, dword ptr [ebp-10]
0047126B |. 8D9405 C4FEFF>|lea edx, dword ptr [ebp+eax-13C]
00471272 |. 8B4D EC |mov ecx, dword ptr [ebp-14]
00471275 |. 0FBE040A |movsx eax, byte ptr [edx+ecx]
00471279 |. 83F8 3D |cmp eax, 3D
0047127C |. 0F85 42010000 |jnz 004713C4
00471282 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00471285 |. 8D8C15 C4FEFF>|lea ecx, dword ptr [ebp+edx-13C]
0047128C |. 8B45 EC |mov eax, dword ptr [ebp-14]
0047128F |. C60401 00 |mov byte ptr [ecx+eax], 0
00471293 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00471296 |. 8B4D EC |mov ecx, dword ptr [ebp-14]
00471299 |. 03D1 |add edx, ecx
0047129B |. 8D85 C5FEFFFF |lea eax, dword ptr [ebp-13B]
004712A1 |. 03D0 |add edx, eax
004712A3 |. 8955 F8 |mov dword ptr [ebp-8], edx
004712A6 |. 8B55 F8 |mov edx, dword ptr [ebp-8]
004712A9 |. 0FBE0A |movsx ecx, byte ptr [edx]
004712AC |. 83F9 27 |cmp ecx, 27
004712AF |. 74 0F |je short 004712C0
004712B1 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
004712B4 |. 0FBE10 |movsx edx, byte ptr [eax]
004712B7 |. 83FA 22 |cmp edx, 22
004712BA |. 0F85 04010000 |jnz 004713C4
004712C0 |> 8B4D F8 |mov ecx, dword ptr [ebp-8]
004712C3 |. 8A01 |mov al, byte ptr [ecx]
004712C5 |. 8845 F7 |mov byte ptr [ebp-9], al
004712C8 |. FF45 F8 |inc dword ptr [ebp-8]
004712CB |. 33D2 |xor edx, edx
004712CD |. 8955 E8 |mov dword ptr [ebp-18], edx
004712D0 |. EB 03 |jmp short 004712D5
004712D2 |> FF45 E8 |/inc dword ptr [ebp-18]
004712D5 |> 8B4D F8 | mov ecx, dword ptr [ebp-8]
004712D8 |. 8B45 E8 ||mov eax, dword ptr [ebp-18]
004712DB |. 8A1401 ||mov dl, byte ptr [ecx+eax]
004712DE |. 8A4D F7 ||mov cl, byte ptr [ebp-9]
004712E1 |. 3AD1 ||cmp dl, cl
004712E3 |. 74 0D ||je short 004712F2
004712E5 |. 8B45 F8 ||mov eax, dword ptr [ebp-8]
004712E8 |. 8B55 E8 ||mov edx, dword ptr [ebp-18]
004712EB |. 8A0C10 ||mov cl, byte ptr [eax+edx]
004712EE |. 84C9 ||test cl, cl
004712F0 |.^ 75 E0 |\jnz short 004712D2
004712F2 |> 8B45 F8 |mov eax, dword ptr [ebp-8]
004712F5 |. 8B55 E8 |mov edx, dword ptr [ebp-18]
004712F8 |. C60410 00 |mov byte ptr [eax+edx], 0
004712FC |. 68 E8ED6500 |push 0065EDE8 ; ASCII "UserName"
OD载入后F9,在这里断下,继续F8运行至本CALL返回
00471301 |. 8D8D C4FEFFFF |lea ecx, dword ptr [ebp-13C]
00471307 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
0047130A |. 03C8 |add ecx, eax
0047130C |. 51 |push ecx
0047130D |. E8 32491B00 |call 00625C44
00471312 |. 83C4 08 |add esp, 8
00471315 |. 85C0 |test eax, eax
00471317 |. 75 13 |jnz short 0047132C
00471319 |. FF75 F8 |push dword ptr [ebp-8]
0047131C |. FF75 0C |push dword ptr [ebp+C]
0047131F |. E8 24471B00 |call 00625A48
00471324 |. 83C4 08 |add esp, 8
00471327 |. E9 98000000 |jmp 004713C4
0047132C |> 68 F1ED6500 |push 0065EDF1 ; ASCII "Registration"
00471331 |. 8D95 C4FEFFFF |lea edx, dword ptr [ebp-13C]
00471337 |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
0047133A |. 03D1 |add edx, ecx
0047133C |. 52 |push edx
0047133D |. E8 02491B00 |call 00625C44
00471342 |. 83C4 08 |add esp, 8
00471345 |. 85C0 |test eax, eax
00471347 |. 75 10 |jnz short 00471359
00471349 |. FF75 F8 |push dword ptr [ebp-8]
0047134C |. FF75 10 |push dword ptr [ebp+10]
0047134F |. E8 F4461B00 |call 00625A48
00471354 |. 83C4 08 |add esp, 8
00471357 |. EB 6B |jmp short 004713C4
00471359 |> 68 FEED6500 |push 0065EDFE ; ASCII "Language"
0047135E |. 8D85 C4FEFFFF |lea eax, dword ptr [ebp-13C]
00471364 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00471367 |. 03C2 |add eax, edx
00471369 |. 50 |push eax
0047136A |. E8 D5481B00 |call 00625C44
0047136F |. 83C4 08 |add esp, 8
00471372 |. 85C0 |test eax, eax
00471374 |. 75 1D |jnz short 00471393
00471376 |. FF75 F8 |push dword ptr [ebp-8]
00471379 |. E8 C624F9FF |call 00403844
0047137E |. 59 |pop ecx
0047137F |. 8945 E0 |mov dword ptr [ebp-20], eax
00471382 |. 8B4D E0 |mov ecx, dword ptr [ebp-20]
00471385 |. 85C9 |test ecx, ecx
00471387 |. 74 3B |je short 004713C4
00471389 |. 8B45 E0 |mov eax, dword ptr [ebp-20]
0047138C |. A3 BCE66300 |mov dword ptr [63E6BC], eax
00471391 |. EB 31 |jmp short 004713C4
00471393 |> 68 07EE6500 |push 0065EE07 ; ASCII "UltraBurn"
00471398 |. 8D95 C4FEFFFF |lea edx, dword ptr [ebp-13C]
0047139E |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
004713A1 |. 03D1 |add edx, ecx
004713A3 |. 52 |push edx
004713A4 |. E8 9B481B00 |call 00625C44
004713A9 |. 83C4 08 |add esp, 8
004713AC |. 85C0 |test eax, eax
004713AE |. 75 14 |jnz short 004713C4
004713B0 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
004713B3 |. 8945 DC |mov dword ptr [ebp-24], eax
004713B6 |. FF75 DC |push dword ptr [ebp-24]
004713B9 |. E8 3AC41B00 |call 0062D7F8
004713BE |. 59 |pop ecx
004713BF |. A3 504F6400 |mov dword ptr [644F50], eax
004713C4 |> FF75 E4 push dword ptr [ebp-1C]
004713C7 |. 68 18010000 |push 118
004713CC |. 8D95 C4FEFFFF |lea edx, dword ptr [ebp-13C]
004713D2 |. 52 |push edx
004713D3 |. E8 84671B00 |call 00627B5C
004713D8 |. 83C4 0C |add esp, 0C
004713DB |. 85C0 |test eax, eax
004713DD |.^ 0F85 5CFDFFFF \jnz 0047113F
004713E3 |. FF75 E4 push dword ptr [ebp-1C]
004713E6 |. E8 41661B00 call 00627A2C
004713EB |. 59 pop ecx
004713EC |. 8B4D 0C mov ecx, dword ptr [ebp+C]
004713EF |. 8A01 mov al, byte ptr [ecx]
004713F1 |. 84C0 test al, al
004713F3 |. 74 10 je short 00471405
004713F5 |. 8B55 10 mov edx, dword ptr [ebp+10]
004713F8 |. 8A0A mov cl, byte ptr [edx]
004713FA |. 84C9 test cl, cl
004713FC |. 74 07 je short 00471405
004713FE |. B8 01000000 mov eax, 1
00471403 |. EB 02 jmp short 00471407
00471405 |> 33C0 xor eax, eax
00471407 |> 8BE5 mov esp, ebp
00471409 |. 5D pop ebp
0047140A \. C3 retn
这里返回到00471490 |. E8 6FFCFFFF call 00471104
0047140C /$ 55 push ebp
0047140D |. 8BEC mov ebp, esp
0047140F |. 81C4 C8FBFFFF add esp, -438
00471415 |. 68 17EE6500 push 0065EE17 ; ASCII "uikey.ini"
0047141A |. 68 88E06A00 push 006AE088 ; ASCII "D:\Program
Files\UltraISO"
0047141F |. 68 11EE6500 push 0065EE11 ; ASCII "%s\%s"
00471424 |. 8D85 C8FBFFFF lea eax, dword ptr [ebp-438]
0047142A |. 50 push eax
0047142B |. E8 E4881B00 call 00629D14
00471430 |. 83C4 10 add esp, 10
00471433 |. 6A 00 push 0
00471435 |. 8D95 C8FBFFFF lea edx, dword ptr [ebp-438]
0047143B |. 52 push edx
0047143C |. E8 9B631B00 call 006277DC
00471441 |. 83C4 08 add esp, 8
00471444 |. 85C0 test eax, eax
00471446 |. 74 1E je short 00471466
检查是否存在uikey.ini文件,没有就检查是否存在ultraiso.ini文件
00471448 |. 68 27EE6500 push 0065EE27 ; ASCII "ultraiso.ini"
0047144D |. 68 88E06A00 push 006AE088 ; ASCII "D:\Program
Files\UltraISO"
00471452 |. 68 21EE6500 push 0065EE21 ; ASCII "%s\%s"
00471457 |. 8D8D C8FBFFFF lea ecx, dword ptr [ebp-438]
0047145D |. 51 push ecx
0047145E |. E8 B1881B00 call 00629D14
00471463 |. 83C4 10 add esp, 10
00471466 |> 6A 00 push 0
00471468 |. 8D85 C8FBFFFF lea eax, dword ptr [ebp-438]
0047146E |. 50 push eax
0047146F |. E8 68631B00 call 006277DC
00471474 |. 83C4 08 add esp, 8
00471477 |. 85C0 test eax, eax
00471479 0F85 C4000000 jnz 00471542
检查是否存在ultraiso.ini文件,没有就继续检查注册表。
这里可以改成 jnz 00471538,把下面的EAX置1。这样不管有没有uikey.ini,程序都会认为uikey.ini文
件里有用户名及注册码选项。
0047147F |. 8D95 CCFEFFFF lea edx, dword ptr [ebp-134]
00471485 |. 52 push edx
00471486 |. FF75 08 push dword ptr [ebp+8]
00471489 |. 8D8D C8FBFFFF lea ecx, dword ptr [ebp-438]
0047148F |. 51 push ecx
00471490 |. E8 6FFCFFFF call 00471104
刚才的CALL返回后停在这里,CALL的作用是检查uikey.ini或ultraiso.ini文件里的username及
registration选项是否正确,继续F8运行,
00471495 |. 83C4 0C add esp, 0C
00471498 |. 85C0 test eax, eax
0047149A |. 0F84 A2000000 je 00471542
004714A0 |. 33C0 xor eax, eax
004714A2 |. 8945 F0 mov dword ptr [ebp-10], eax
004714A5 |. 33D2 xor edx, edx
004714A7 |. 8955 EC mov dword ptr [ebp-14], edx
004714AA |. EB 27 jmp short 004714D3
004714AC |> 8B4D F0 /mov ecx, dword ptr [ebp-10]
004714AF |. 8A840D CCFEFF>|mov al, byte ptr [ebp+ecx-134]
004714B6 |. 3C 2D |cmp al, 2D
004714B8 |. 74 16 |je short 004714D0
004714BA |. 8B55 0C |mov edx, dword ptr [ebp+C]
004714BD |. 8B4D EC |mov ecx, dword ptr [ebp-14]
004714C0 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
004714C3 |. 8A8405 CCFEFF>|mov al, byte ptr [ebp+eax-134]
004714CA |. 88040A |mov byte ptr [edx+ecx], al
004714CD |. FF45 EC |inc dword ptr [ebp-14]
004714D0 |> FF45 F0 |inc dword ptr [ebp-10]
004714D3 |> 8B55 F0 mov edx, dword ptr [ebp-10]
004714D6 |. 8A8C15 CCFEFF>|mov cl, byte ptr [ebp+edx-134]
004714DD |. 84C9 |test cl, cl
004714DF |.^ 75 CB \jnz short 004714AC
004714E1 |. 8B45 0C mov eax, dword ptr [ebp+C]
004714E4 |. 8B55 EC mov edx, dword ptr [ebp-14]
004714E7 |. C60410 00 mov byte ptr [eax+edx], 0
004714EB |. C745 F4 10000>mov dword ptr [ebp-C], 10
004714F2 |. EB 03 jmp short 004714F7
004714F4 |> FF4D F4 /dec dword ptr [ebp-C]
004714F7 |> 8B4D F4 mov ecx, dword ptr [ebp-C]
004714FA |. 85C9 |test ecx, ecx
004714FC |. 7E 10 |jle short 0047150E
004714FE |. 8B45 0C |mov eax, dword ptr [ebp+C]
00471501 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
00471504 |. 0FBE4C10 FF |movsx ecx, byte ptr [eax+edx-1]
00471509 |. 83F9 58 |cmp ecx, 58
0047150C |.^ 74 E6 \je short 004714F4
0047150E |> 8B45 0C mov eax, dword ptr [ebp+C]
00471511 |. 8B55 F4 mov edx, dword ptr [ebp-C]
00471514 |. C60410 00 mov byte ptr [eax+edx], 0
00471518 |. FF75 08 push dword ptr [ebp+8]
0047151B |. 68 24DC8000 push 0080DC24
00471520 |. E8 23451B00 call 00625A48
00471525 |. 83C4 08 add esp, 8
00471528 |. FF75 0C push dword ptr [ebp+C]
0047152B |. 68 28DD8000 push 0080DD28
00471530 |. E8 13451B00 call 00625A48
00471535 |. 83C4 08 add esp, 8
如果存在uikey.ini或ultraiso.ini文件,并且文件里的username及registration正确,这下面的EAX就置1,
然后不再检查注册表,直接跳至CALL的末尾返回。
00471538 |. B8 01000000 mov eax, 1
0047153D |. E9 CD020000 jmp 0047180F
00471542 |> 8D55 DC lea edx, dword ptr [ebp-24]
00471545 |. 52 push edx ; /pHandle
00471546 |. 68 34EE6500 push 0065EE34 ; |Subkey =
"SOFTWARE\EasyBoot Systems\UltraISO\5.0"
0047154B |. 68 01000080 push 80000001 ; |hKey =
HKEY_CURRENT_USER
00471550 |. E8 C3561C00 call <jmp.&ADVAPI32.RegOpenKeyA> ; \RegOpenKeyA
00471555 |. 85C0 test eax, eax
00471557 |. 74 07 je short 00471560
00471559 |. 33C0 xor eax, eax
0047155B |. E9 AF020000 jmp 0047180F
00471560 |> C745 D4 00010>mov dword ptr [ebp-2C], 100
00471567 |. 8D55 D4 lea edx, dword ptr [ebp-2C]
0047156A |. 52 push edx ; /pBufSize
0047156B |. 8D8D CCFCFFFF lea ecx, dword ptr [ebp-334] ; |
00471571 |. 51 push ecx ; |Buffer
00471572 |. 8D45 D8 lea eax, dword ptr [ebp-28] ; |
00471575 |. 50 push eax ; |pValueType
00471576 |. 6A 00 push 0 ; |Reserved = NULL
00471578 |. 68 5BEE6500 push 0065EE5B ; |ValueName =
"UserName"
这里又断了一下,继续F8运行至本CALL返回
0047157D |. FF75 DC push dword ptr [ebp-24] ; |hKey
00471580 |. E8 A5561C00 call <jmp.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
00471585 |. 85C0 test eax, eax
00471587 |. 75 14 jnz short 0047159D
是否存在username键值,用户名
00471589 |. 8D95 CCFCFFFF lea edx, dword ptr [ebp-334]
0047158F |. 52 push edx
00471590 |. FF75 08 push dword ptr [ebp+8]
00471593 |. E8 B0441B00 call 00625A48
00471598 |. 83C4 08 add esp, 8
0047159B |. EB 07 jmp short 004715A4
0047159D |> 33C0 xor eax, eax
0047159F |. E9 6B020000 jmp 0047180F
004715A4 |> C745 D4 00010>mov dword ptr [ebp-2C], 100
004715AB |. 8D55 D4 lea edx, dword ptr [ebp-2C]
004715AE |. 52 push edx ; /pBufSize
004715AF |. 8D8D CCFCFFFF lea ecx, dword ptr [ebp-334] ; |
004715B5 |. 51 push ecx ; |Buffer
004715B6 |. 8D45 D8 lea eax, dword ptr [ebp-28] ; |
004715B9 |. 50 push eax ; |pValueType
004715BA |. 6A 00 push 0 ; |Reserved = NULL
004715BC |. 68 64EE6500 push 0065EE64 ; |ValueName =
"Registration"
004715C1 |. FF75 DC push dword ptr [ebp-24] ; |hKey
004715C4 |. E8 61561C00 call <jmp.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
004715C9 |. 85C0 test eax, eax
004715CB |. 75 18 jnz short 004715E5
是否存在registration键值,注册码
004715CD |. 8D95 CCFCFFFF lea edx, dword ptr [ebp-334]
004715D3 |. 52 push edx
004715D4 |. 8D8D CCFEFFFF lea ecx, dword ptr [ebp-134]
004715DA |. 51 push ecx
004715DB |. E8 68441B00 call 00625A48
004715E0 |. 83C4 08 add esp, 8
004715E3 |. EB 07 jmp short 004715EC
004715E5 |> 33C0 xor eax, eax
004715E7 |. E9 23020000 jmp 0047180F
004715EC |> FF75 DC push dword ptr [ebp-24] ; /hKey
004715EF |. E8 06561C00 call <jmp.&ADVAPI32.RegCloseKey> ; \RegCloseKey
004715F4 |. 33D2 xor edx, edx
004715F6 |. 8955 F0 mov dword ptr [ebp-10], edx
004715F9 |> 8B4D F0 /mov ecx, dword ptr [ebp-10]
004715FC |. 8A844D CCFEFF>|mov al, byte ptr [ebp+ecx*2-134]
00471603 |. 8845 CF |mov byte ptr [ebp-31], al
00471606 |. 8A55 CF |mov dl, byte ptr [ebp-31]
00471609 |. 80FA 30 |cmp dl, 30
0047160C |. 72 0E |jb short 0047161C
0047160E |. 8A4D CF |mov cl, byte ptr [ebp-31]
00471611 |. 80F9 39 |cmp cl, 39
00471614 |. 77 06 |ja short 0047161C
00471616 |. 8045 CF D0 |add byte ptr [ebp-31], 0D0
0047161A |. EB 2E |jmp short 0047164A
0047161C |> 8A45 CF |mov al, byte ptr [ebp-31]
0047161F |. 3C 61 |cmp al, 61
00471621 |. 72 0E |jb short 00471631
00471623 |. 8A55 CF |mov dl, byte ptr [ebp-31]
00471626 |. 80FA 66 |cmp dl, 66
00471629 |. 77 06 |ja short 00471631
0047162B |. 8045 CF A9 |add byte ptr [ebp-31], 0A9
0047162F |. EB 19 |jmp short 0047164A
00471631 |> 8A4D CF |mov cl, byte ptr [ebp-31]
00471634 |. 80F9 41 |cmp cl, 41
00471637 |. 72 0D |jb short 00471646
00471639 |. 8A45 CF |mov al, byte ptr [ebp-31]
0047163C |. 3C 46 |cmp al, 46
0047163E |. 77 06 |ja short 00471646
00471640 |. 8045 CF C9 |add byte ptr [ebp-31], 0C9
00471644 |. EB 04 |jmp short 0047164A
00471646 |> C645 CF 00 |mov byte ptr [ebp-31], 0
0047164A |> 8A55 CF |mov dl, byte ptr [ebp-31]
0047164D |. C1E2 04 |shl edx, 4
00471650 |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
00471653 |. 88940D CCFDFF>|mov byte ptr [ebp+ecx-234], dl
0047165A |. 8B45 F0 |mov eax, dword ptr [ebp-10]
0047165D |. 8A9445 CDFEFF>|mov dl, byte ptr [ebp+eax*2-133]
00471664 |. 8855 CF |mov byte ptr [ebp-31], dl
00471667 |. 8A4D CF |mov cl, byte ptr [ebp-31]
0047166A |. 80F9 30 |cmp cl, 30
0047166D |. 72 0D |jb short 0047167C
0047166F |. 8A45 CF |mov al, byte ptr [ebp-31]
00471672 |. 3C 39 |cmp al, 39
00471674 |. 77 06 |ja short 0047167C
00471676 |. 8045 CF D0 |add byte ptr [ebp-31], 0D0
0047167A |. EB 2F |jmp short 004716AB
0047167C |> 8A55 CF |mov dl, byte ptr [ebp-31]
0047167F |. 80FA 61 |cmp dl, 61
00471682 |. 72 0E |jb short 00471692
00471684 |. 8A4D CF |mov cl, byte ptr [ebp-31]
00471687 |. 80F9 66 |cmp cl, 66
0047168A |. 77 06 |ja short 00471692
0047168C |. 8045 CF A9 |add byte ptr [ebp-31], 0A9
00471690 |. EB 19 |jmp short 004716AB
00471692 |> 8A45 CF |mov al, byte ptr [ebp-31]
00471695 |. 3C 41 |cmp al, 41
00471697 |. 72 0E |jb short 004716A7
00471699 |. 8A55 CF |mov dl, byte ptr [ebp-31]
0047169C |. 80FA 46 |cmp dl, 46
0047169F |. 77 06 |ja short 004716A7
004716A1 |. 8045 CF C9 |add byte ptr [ebp-31], 0C9
004716A5 |. EB 04 |jmp short 004716AB
004716A7 |> C645 CF 00 |mov byte ptr [ebp-31], 0
004716AB |> 8B4D F0 |mov ecx, dword ptr [ebp-10]
004716AE |. 8A45 CF |mov al, byte ptr [ebp-31]
004716B1 |. 00840D CCFDFF>|add byte ptr [ebp+ecx-234], al
004716B8 |. FF45 F0 |inc dword ptr [ebp-10]
004716BB |. 8B55 F0 |mov edx, dword ptr [ebp-10]
004716BE |. 83FA 10 |cmp edx, 10
004716C1 |.^ 0F8C 32FFFFFF \jl 004715F9
004716C7 |. C745 FC 99F47>mov dword ptr [ebp-4], 3E76F499
004716CE |. 8175 FC 20090>xor dword ptr [ebp-4], 20020920
004716D5 |. FF75 FC push dword ptr [ebp-4]
004716D8 |. 68 71EE6500 push 0065EE71
004716DD |. 8D4D E0 lea ecx, dword ptr [ebp-20]
004716E0 |. 51 push ecx
004716E1 |. E8 2E861B00 call 00629D14
004716E6 |. 83C4 0C add esp, 0C
004716E9 |. 33C0 xor eax, eax
004716EB |. 8945 F0 mov dword ptr [ebp-10], eax
004716EE |> 8B55 F0 /mov edx, dword ptr [ebp-10]
004716F1 |. 8B0C95 28ED65>|mov ecx, dword ptr [edx*4+65ED28]
004716F8 |. 8A440D E0 |mov al, byte ptr [ebp+ecx-20]
004716FC |. 8B55 F0 |mov edx, dword ptr [ebp-10]
004716FF |. 8A8A 48ED6500 |mov cl, byte ptr [edx+65ED48]
00471705 |. 32C1 |xor al, cl
00471707 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
0047170A |. 888415 CCFEFF>|mov byte ptr [ebp+edx-134], al
00471711 |. FF45 F0 |inc dword ptr [ebp-10]
00471714 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
00471717 |. 83F8 08 |cmp eax, 8
0047171A |.^ 7C D2 \jl short 004716EE
0047171C |. FF75 08 push dword ptr [ebp+8]
0047171F |. E8 54431B00 call 00625A78
00471724 |. 59 pop ecx
00471725 |. 8945 F8 mov dword ptr [ebp-8], eax
00471728 |. C745 F4 10000>mov dword ptr [ebp-C], 10
0047172F |. 33C9 xor ecx, ecx
00471731 |. 894D EC mov dword ptr [ebp-14], ecx
00471734 |. 33C0 xor eax, eax
00471736 |. 8945 F0 mov dword ptr [ebp-10], eax
00471739 |. 8B55 F0 mov edx, dword ptr [ebp-10]
0047173C |. 8B4D F4 mov ecx, dword ptr [ebp-C]
0047173F |. 3BD1 cmp edx, ecx
00471741 |. 7D 3D jge short 00471780
00471743 |> 8B45 08 /mov eax, dword ptr [ebp+8]
00471746 |. 8B55 EC |mov edx, dword ptr [ebp-14]
00471749 |. 8A0C10 |mov cl, byte ptr [eax+edx]
0047174C |. 8B45 F0 |mov eax, dword ptr [ebp-10]
0047174F |. 8A9405 CCFDFF>|mov dl, byte ptr [ebp+eax-234]
00471756 |. 32CA |xor cl, dl
00471758 |. 8B45 0C |mov eax, dword ptr [ebp+C]
0047175B |. 8B55 F0 |mov edx, dword ptr [ebp-10]
0047175E |. 880C10 |mov byte ptr [eax+edx], cl
00471761 |. FF45 EC |inc dword ptr [ebp-14]
00471764 |. 8B4D EC |mov ecx, dword ptr [ebp-14]
00471767 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
0047176A |. 3BC8 |cmp ecx, eax
0047176C |. 7C 05 |jl short 00471773
0047176E |. 33D2 |xor edx, edx
00471770 |. 8955 EC |mov dword ptr [ebp-14], edx
00471773 |> FF45 F0 |inc dword ptr [ebp-10]
00471776 |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
00471779 |. 8B45 F4 |mov eax, dword ptr [ebp-C]
0047177C |. 3BC8 |cmp ecx, eax
0047177E |.^ 7C C3 \jl short 00471743
00471780 |> 33D2 xor edx, edx
00471782 |. 8955 EC mov dword ptr [ebp-14], edx
00471785 |. 33C9 xor ecx, ecx
00471787 |. 894D F0 mov dword ptr [ebp-10], ecx
0047178A |. 8B45 F0 mov eax, dword ptr [ebp-10]
0047178D |. 8B55 F4 mov edx, dword ptr [ebp-C]
00471790 |. 3BC2 cmp eax, edx
00471792 |. 7D 35 jge short 004717C9
00471794 |> 8B4D EC /mov ecx, dword ptr [ebp-14]
00471797 |. 8A840D CCFEFF>|mov al, byte ptr [ebp+ecx-134]
0047179E |. 8B55 0C |mov edx, dword ptr [ebp+C]
004717A1 |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
004717A4 |. 30040A |xor byte ptr [edx+ecx], al
004717A7 |. FF45 EC |inc dword ptr [ebp-14]
004717AA |. 8B45 EC |mov eax, dword ptr [ebp-14]
004717AD |. 83F8 08 |cmp eax, 8
004717B0 |. 7C 05 |jl short 004717B7
004717B2 |. 33D2 |xor edx, edx
004717B4 |. 8955 EC |mov dword ptr [ebp-14], edx
004717B7 |> FF45 F0 |inc dword ptr [ebp-10]
004717BA |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
004717BD |. 8B45 F4 |mov eax, dword ptr [ebp-C]
004717C0 |. 3BC8 |cmp ecx, eax
004717C2 |.^ 7C D0 \jl short 00471794
004717C4 |. EB 03 jmp short 004717C9
004717C6 |> FF4D F4 /dec dword ptr [ebp-C]
004717C9 |> 8B55 F4 mov edx, dword ptr [ebp-C]
004717CC |. 85D2 |test edx, edx
004717CE |. 7E 10 |jle short 004717E0
004717D0 |. 8B4D 0C |mov ecx, dword ptr [ebp+C]
004717D3 |. 8B45 F4 |mov eax, dword ptr [ebp-C]
004717D6 |. 0FBE5401 FF |movsx edx, byte ptr [ecx+eax-1]
004717DB |. 83FA 58 |cmp edx, 58
004717DE |.^ 74 E6 \je short 004717C6
004717E0 |> 8B4D 0C mov ecx, dword ptr [ebp+C]
004717E3 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004717E6 |. C60401 00 mov byte ptr [ecx+eax], 0
004717EA |. FF75 08 push dword ptr [ebp+8]
004717ED |. 68 24DC8000 push 0080DC24
004717F2 |. E8 51421B00 call 00625A48
004717F7 |. 83C4 08 add esp, 8
004717FA |. FF75 0C push dword ptr [ebp+C]
004717FD |. 68 28DD8000 push 0080DD28
00471802 |. E8 41421B00 call 00625A48
00471807 |. 83C4 08 add esp, 8
如果注册表存在正确的用户名及注册码,这里EAX就会置1
0047180A |. B8 01000000 mov eax, 1
0047180F |> 8BE5 mov esp, ebp
00471811 |. 5D pop ebp
00471812 \. C3 retn
到这里返回至00402FA9 . E8 5EE40600 call 0047140C
00402F6D . BA FE4D6400 mov edx, 00644DFE ; ASCII "UltraISO"
00402F72 . 8D45 F4 lea eax, dword ptr [ebp-C]
00402F75 . E8 9E2C2300 call 00635C18
00402F7A . FF45 E8 inc dword ptr [ebp-18]
00402F7D . 8B10 mov edx, dword ptr [eax]
00402F7F . A1 98D36A00 mov eax, dword ptr [6AD398]
00402F84 . 8B00 mov eax, dword ptr [eax]
00402F86 . E8 29471E00 call 005E76B4
00402F8B . FF4D E8 dec dword ptr [ebp-18]
00402F8E . 8D45 F4 lea eax, dword ptr [ebp-C]
00402F91 . BA 02000000 mov edx, 2
00402F96 . E8 DD2D2300 call 00635D78
00402F9B . 8D8D B0FDFFFF lea ecx, dword ptr [ebp-250]
00402FA1 . 51 push ecx
00402FA2 . 8D85 B0FEFFFF lea eax, dword ptr [ebp-150]
00402FA8 . 50 push eax
00402FA9 . E8 5EE40600 call 0047140C
检查完ini文件及注册表后,返回到这里,下面的就是关键了。
00402FAE . 83C4 08 add esp, 8
00402FB1 A3 D8526400 mov dword ptr [6452D8], eax
把刚才置1的EAX的值传递至[6452D8],注册标志位为1
00402FB6 8B15 D8526400 mov edx, dword ptr [6452D8]
00402FBC . 85D2 test edx, edx
00402FBE . 74 1D je short 00402FDD
这里不能跳转,需要下面的CALL 004018E8对[678340]和[6380C0]赋值,下面会讲到。
00402FC0 . 8D8D B0FDFFFF lea ecx, dword ptr [ebp-250]
00402FC6 . 51 push ecx
00402FC7 . 8D85 B0FEFFFF lea eax, dword ptr [ebp-150]
00402FCD . 50 push eax
00402FCE . E8 15E9FFFF call 004018E8
这上面的CALL应该就是什么白名单,红名单的检查,即使是正确的用户名及注册码,如果在名单里的,照
样不能正确注册。但这个CALL我们不能在上面的00402FBE处跳转绕开。因为下面的[678340]和[6380C0]需
要它来赋值。
00402FD3 . 83C4 08 add esp, 8
00402FD6 . A3 D8526400 mov dword ptr [6452D8], eax
00402FDB . EB 08 jmp short 00402FE5
00402FDD > 33D2 xor edx, edx
00402FDF . 8915 D8526400 mov dword ptr [6452D8], edx
00402FE5 > C705 BCE66300>mov dword ptr [63E6BC], 804
00402FEF . 8B0D 40836700 mov ecx, dword ptr [678340]
00402FF5 . A1 C0806300 mov eax, dword ptr [6380C0]
00402FFA . 3BC8 cmp ecx, eax
00402FFC . 74 19 je short 00403017
这里验证用户名及注册码是否在限制名单里面,[678340]和[6380C0]两个值相等就跳过注册启动窗口。为
什么知道这里会跳开?因为再往下直至0040330C处才有一处跳转,但那里很明显是用来判断程序是否出错
的,一定要跳,不跳就会退出程序。而0040330C处跳转后再往下至0040332A处,程序就会出现注册窗口,
如果之前EAX赋值[6452D8]为1,程序就会跑飞了。显然这是个关键判断。
我们把00402FFC改成强制跳转试试,jmp short 00403017,F9运行,结果注册窗口不见了,进入主界面,但上
面显示的是试用。晕,看来强跳不行,要让[678340]和[6380C0]两个值相等才行,没办法,只能到上面的
call 004018E8处去改变它们的赋值了。这个看完后面几行代码我们再深入到call 004018E8里面分析。
00402FFE . 8B15 98D36A00 mov edx, dword ptr [6AD398] ; UltraISO.00AA4A94
00403004 . 8B02 mov eax, dword ptr [edx]
00403006 . 8B0D 68D06A00 mov ecx, dword ptr [6AD068] ; UltraISO._frmStartup
0040300C . 8B15 E8F26500 mov edx, dword ptr [65F2E8] ; UltraISO.0065F334
00403012 . E8 914A1E00 call 005E7AA8
00403017 > A1 98D36A00 mov eax, dword ptr [6AD398]
0040301C . 8B00 mov eax, dword ptr [eax]
0040301E . 8B0D 50D06A00 mov ecx, dword ptr [6AD050] ; UltraISO._frmMain
00403024 . 8B15 30C36400 mov edx, dword ptr [64C330] ; UltraISO.0064C37C
0040302A . E8 794A1E00 call 005E7AA8
0040302F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403034 . 8B00 mov eax, dword ptr [eax]
00403036 . 8B0D 58D06A00 mov ecx, dword ptr [6AD058] ;
UltraISO._frmProgress
0040303C . 8B15 8C0F6500 mov edx, dword ptr [650F8C] ; UltraISO.00650FD8
00403042 . E8 614A1E00 call 005E7AA8
00403047 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040304C . 8B00 mov eax, dword ptr [eax]
0040304E . 8B0D 5CD06A00 mov ecx, dword ptr [6AD05C] ; UltraISO._frmProp
00403054 . 8B15 F01E6500 mov edx, dword ptr [651EF0] ; UltraISO.00651F3C
0040305A . E8 494A1E00 call 005E7AA8
0040305F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403064 . 8B00 mov eax, dword ptr [eax]
00403066 . 8B0D 60D06A00 mov ecx, dword ptr [6AD060] ; UltraISO._frmAbout
0040306C . 8B15 142A6500 mov edx, dword ptr [652A14] ; UltraISO.00652A60
00403072 . E8 314A1E00 call 005E7AA8
00403077 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040307C . 8B00 mov eax, dword ptr [eax]
0040307E . 8B0D 64D06A00 mov ecx, dword ptr [6AD064] ; UltraISO._frmCDISO
00403084 . 8B15 6CE86500 mov edx, dword ptr [65E86C] ; UltraISO.0065E8B8
0040308A . E8 194A1E00 call 005E7AA8
0040308F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403094 . 8B00 mov eax, dword ptr [eax]
00403096 . 8B0D 6CD06A00 mov ecx, dword ptr [6AD06C] ;
UltraISO._frmRegister
0040309C . 8B15 D80E6600 mov edx, dword ptr [660ED8] ; UltraISO.00660F24
004030A2 . E8 014A1E00 call 005E7AA8
004030A7 . A1 98D36A00 mov eax, dword ptr [6AD398]
004030AC . 8B00 mov eax, dword ptr [eax]
004030AE . 8B0D 70D06A00 mov ecx, dword ptr [6AD070] ; UltraISO._frmFloppy
004030B4 . 8B15 0C1A6600 mov edx, dword ptr [661A0C] ; UltraISO.00661A58
004030BA . E8 E9491E00 call 005E7AA8
004030BF . A1 98D36A00 mov eax, dword ptr [6AD398]
004030C4 . 8B00 mov eax, dword ptr [eax]
004030C6 . 8B0D 74D06A00 mov ecx, dword ptr [6AD074] ; UltraISO._frmConvert
004030CC . 8B15 44236600 mov edx, dword ptr [662344] ; UltraISO.00662390
004030D2 . E8 D1491E00 call 005E7AA8
004030D7 . A1 98D36A00 mov eax, dword ptr [6AD398]
004030DC . 8B00 mov eax, dword ptr [eax]
004030DE . 8B0D 78D06A00 mov ecx, dword ptr [6AD078] ; UltraISO._frmConfig
004030E4 . 8B15 F8CA6600 mov edx, dword ptr [66CAF8] ; UltraISO.0066CB44
004030EA . E8 B9491E00 call 005E7AA8
004030EF . A1 98D36A00 mov eax, dword ptr [6AD398]
004030F4 . 8B00 mov eax, dword ptr [eax]
004030F6 . 8B0D 7CD06A00 mov ecx, dword ptr [6AD07C] ; UltraISO._frmCheck
004030FC . 8B15 48E06600 mov edx, dword ptr [66E048] ; UltraISO.0066E094
00403102 . E8 A1491E00 call 005E7AA8
00403107 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040310C . 8B00 mov eax, dword ptr [eax]
0040310E . 8B0D 80D06A00 mov ecx, dword ptr [6AD080] ; UltraISO._frmDialog
00403114 . 8B15 1CF16600 mov edx, dword ptr [66F11C] ; UltraISO.0066F168
0040311A . E8 89491E00 call 005E7AA8
0040311F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403124 . 8B00 mov eax, dword ptr [eax]
00403126 . 8B0D 84D06A00 mov ecx, dword ptr [6AD084] ; UltraISO._frmSimSave
0040312C . 8B15 B0F86600 mov edx, dword ptr [66F8B0] ; UltraISO.0066F8FC
00403132 . E8 71491E00 call 005E7AA8
00403137 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040313C . 8B00 mov eax, dword ptr [eax]
0040313E . 8B0D 88D06A00 mov ecx, dword ptr [6AD088] ; UltraISO._frmSession
00403144 . 8B15 30856700 mov edx, dword ptr [678530] ; UltraISO.0067857C
0040314A . E8 59491E00 call 005E7AA8
0040314F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403154 . 8B00 mov eax, dword ptr [eax]
00403156 . 8B0D 8CD06A00 mov ecx, dword ptr [6AD08C] ; UltraISO._frmBurn
0040315C . 8B15 FCC16700 mov edx, dword ptr [67C1FC] ; UltraISO.0067C248
00403162 . E8 41491E00 call 005E7AA8
00403167 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040316C . 8B00 mov eax, dword ptr [eax]
0040316E . 8B0D 90D06A00 mov ecx, dword ptr [6AD090] ;
UltraISO._frmChangeLabel
00403174 . 8B15 90CB6700 mov edx, dword ptr [67CB90] ; UltraISO.0067CBDC
0040317A . E8 29491E00 call 005E7AA8
0040317F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403184 . 8B00 mov eax, dword ptr [eax]
00403186 . 8B0D 94D06A00 mov ecx, dword ptr [6AD094] ; UltraISO._frmLog
0040318C . 8B15 88D06700 mov edx, dword ptr [67D088] ; UltraISO.0067D0D4
00403192 . E8 11491E00 call 005E7AA8
00403197 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040319C . 8B00 mov eax, dword ptr [eax]
0040319E . 8B0D 98D06A00 mov ecx, dword ptr [6AD098] ;
UltraISO._frmFileAttribute
004031A4 . 8B15 68D86700 mov edx, dword ptr [67D868] ; UltraISO.0067D8B4
004031AA . E8 F9481E00 call 005E7AA8
004031AF . A1 98D36A00 mov eax, dword ptr [6AD398]
004031B4 . 8B00 mov eax, dword ptr [eax]
004031B6 . 8B0D 9CD06A00 mov ecx, dword ptr [6AD09C] ;
UltraISO._frmChecksum
004031BC . 8B15 B8EB6700 mov edx, dword ptr [67EBB8] ; UltraISO.0067EC04
004031C2 . E8 E1481E00 call 005E7AA8
004031C7 . A1 98D36A00 mov eax, dword ptr [6AD398]
004031CC . 8B00 mov eax, dword ptr [eax]
004031CE . 8B0D A0D06A00 mov ecx, dword ptr [6AD0A0] ; UltraISO._frmOpenCD
004031D4 . 8B15 C4F96700 mov edx, dword ptr [67F9C4] ; UltraISO.0067FA10
004031DA . E8 C9481E00 call 005E7AA8
004031DF . A1 98D36A00 mov eax, dword ptr [6AD398]
004031E4 . 8B00 mov eax, dword ptr [eax]
004031E6 . 8B0D A4D06A00 mov ecx, dword ptr [6AD0A4] ; UltraISO._frmVCD
004031EC . 8B15 BC116900 mov edx, dword ptr [6911BC] ; UltraISO.00691208
004031F2 . E8 B1481E00 call 005E7AA8
004031F7 . A1 98D36A00 mov eax, dword ptr [6AD398]
004031FC . 8B00 mov eax, dword ptr [eax]
004031FE . 8B0D A8D06A00 mov ecx, dword ptr [6AD0A8] ;
UltraISO._frmPassword
00403204 . 8B15 C4DF6900 mov edx, dword ptr [69DFC4] ; UltraISO.0069E010
0040320A . E8 99481E00 call 005E7AA8
0040320F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403214 . 8B00 mov eax, dword ptr [eax]
00403216 . 8B0D ACD06A00 mov ecx, dword ptr [6AD0AC] ; UltraISO._frmSearch
0040321C . 8B15 98EE6900 mov edx, dword ptr [69EE98] ; UltraISO.0069EEE4
00403222 . E8 81481E00 call 005E7AA8
00403227 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040322C . 8B00 mov eax, dword ptr [eax]
0040322E . 8B0D B0D06A00 mov ecx, dword ptr [6AD0B0] ;
UltraISO._frmCompress
00403234 . 8B15 24F96900 mov edx, dword ptr [69F924] ; UltraISO.0069F970
0040323A . E8 69481E00 call 005E7AA8
0040323F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403244 . 8B00 mov eax, dword ptr [eax]
00403246 . 8B0D B4D06A00 mov ecx, dword ptr [6AD0B4] ;
UltraISO._frmWaitMedia
0040324C . 8B15 98FD6900 mov edx, dword ptr [69FD98] ; UltraISO.0069FDE4
00403252 . E8 51481E00 call 005E7AA8
00403257 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040325C . 8B00 mov eax, dword ptr [eax]
0040325E . 8B0D B8D06A00 mov ecx, dword ptr [6AD0B8] ;
UltraISO._frmDiskImage
00403264 . 8B15 F8046A00 mov edx, dword ptr [6A04F8] ; UltraISO.006A0544
0040326A . E8 39481E00 call 005E7AA8
0040326F . A1 98D36A00 mov eax, dword ptr [6AD398]
00403274 . 8B00 mov eax, dword ptr [eax]
00403276 . 8B0D BCD06A00 mov ecx, dword ptr [6AD0BC] ; UltraISO._frmEncrypt
0040327C . 8B15 B80B6A00 mov edx, dword ptr [6A0BB8] ; UltraISO.006A0C04
00403282 . E8 21481E00 call 005E7AA8
00403287 . A1 98D36A00 mov eax, dword ptr [6AD398]
0040328C . 8B00 mov eax, dword ptr [eax]
0040328E . 8B0D C0D06A00 mov ecx, dword ptr [6AD0C0] ;
UltraISO._frmImageFormat
00403294 . 8B15 44136A00 mov edx, dword ptr [6A1344] ; UltraISO.006A1390
0040329A . E8 09481E00 call 005E7AA8
0040329F . A1 98D36A00 mov eax, dword ptr [6AD398]
004032A4 . 8B00 mov eax, dword ptr [eax]
004032A6 . 8B0D C4D06A00 mov ecx, dword ptr [6AD0C4] ;
UltraISO._frmDiskProperty
004032AC . 8B15 2C1F6A00 mov edx, dword ptr [6A1F2C] ; UltraISO.006A1F78
004032B2 . E8 F1471E00 call 005E7AA8
004032B7 . A1 98D36A00 mov eax, dword ptr [6AD398]
004032BC . 8B00 mov eax, dword ptr [eax]
004032BE . 8B0D C8D06A00 mov ecx, dword ptr [6AD0C8] ;
UltraISO._frmCustomImage
004032C4 . 8B15 70276A00 mov edx, dword ptr [6A2770] ; UltraISO.006A27BC
004032CA . E8 D9471E00 call 005E7AA8
004032CF . A1 98D36A00 mov eax, dword ptr [6AD398]
004032D4 . 8B00 mov eax, dword ptr [eax]
004032D6 . 8B0D CCD06A00 mov ecx, dword ptr [6AD0CC] ;
UltraISO._frmUSBWrite
004032DC . 8B15 AC476A00 mov edx, dword ptr [6A47AC] ; UltraISO.006A47F8
004032E2 . E8 C1471E00 call 005E7AA8
004032E7 . A1 98D36A00 mov eax, dword ptr [6AD398]
004032EC . 8B00 mov eax, dword ptr [eax]
004032EE . 8B0D D0D06A00 mov ecx, dword ptr [6AD0D0] ; UltraISO._frmPart
004032F4 . 8B15 B0536A00 mov edx, dword ptr [6A53B0] ; UltraISO.006A53FC
004032FA . E8 A9471E00 call 005E7AA8
004032FF . 68 18D66A00 push 006AD618
00403304 . E8 FB150A00 call 004A4904
00403309 . 59 pop ecx
0040330A . 85C0 test eax, eax
0040330C . 74 0D je short 0040331B
很明显是程序出错时才用的,用来退出程序,这里一定要跳的。显然不是关键判断。
0040330E . FF35 CCE86600 push dword ptr [66E8CC] ; /ExitCode = FFFFFFFF
00403314 . E8 9B392300 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
00403319 . EB 07 jmp short 00403322
0040331B > 33C0 xor eax, eax
0040331D . A3 CCE86600 mov dword ptr [66E8CC], eax
00403322 > 8B15 98D36A00 mov edx, dword ptr [6AD398] ; UltraISO.00AA4A94
00403328 . 8B02 mov eax, dword ptr [edx]
0040332A . E8 F9471E00 call 005E7B28
这上面的CALL会弹出注册窗口,但如果之前EAX被赋值1,并传递给[6452D8]的,这里就会跑飞,不显示注
册窗口。
F7追进CALL里后发现是N个循环后才会出现NAG窗口,显然不是靠跳转能去掉的,要靠上面的参数传递来产
生NAG窗口或程序主界面。所以只能从上面的代码去发掘了。
0040332F . 66:C745 DC 00>mov word ptr [ebp-24], 0
00403335 . E9 83000000 jmp 004033BD
0040333A . 8B15 98D36A00 mov edx, dword ptr [6AD398] ; UltraISO.00AA4A94
00403340 . 8B02 mov eax, dword ptr [edx]
00403342 . 8B55 F8 mov edx, dword ptr [ebp-8]
00403345 . E8 D64A1E00 call 005E7E20
0040334A . EB 66 jmp short 004033B2
0040334C . 66:C745 DC 20>mov word ptr [ebp-24], 20
00403352 . 8D4D CC lea ecx, dword ptr [ebp-34]
00403355 . 51 push ecx
00403356 . 6A 00 push 0
00403358 . 6A 00 push 0
0040335A . 6A 00 push 0
0040335C . 6A 01 push 1
0040335E . 68 3C344000 push 0040343C ; 入口地址
00403363 . 6A 00 push 0
00403365 . 66:C745 DC 2C>mov word ptr [ebp-24], 2C
0040336B . BA 074E6400 mov edx, 00644E07
00403370 . 8D45 F0 lea eax, dword ptr [ebp-10]
00403373 . E8 A0282300 call 00635C18
00403378 . FF45 E8 inc dword ptr [ebp-18]
0040337B . 8B08 mov ecx, dword ptr [eax]
0040337D . B2 01 mov dl, 1
0040337F . A1 0C945900 mov eax, dword ptr [59940C]
00403384 . E8 2BB51900 call 0059E8B4
00403389 . 50 push eax
0040338A . 68 D8334000 push 004033D8
0040338F . E8 25FB2200 call 00632EB9
00403394 . 83C4 24 add esp, 24
00403397 . 8B0D 98D36A00 mov ecx, dword ptr [6AD398] ; UltraISO.00AA4A94
0040339D . 8B01 mov eax, dword ptr [ecx]
0040339F . 8B55 FC mov edx, dword ptr [ebp-4]
004033A2 . E8 794A1E00 call 005E7E20
004033A7 . 66:C745 DC 28>mov word ptr [ebp-24], 28
004033AD . E8 28FD2200 call 006330DA
004033B2 > 66:C745 DC 10>mov word ptr [ebp-24], 10
004033B8 . E8 1DFD2200 call 006330DA
004033BD > A1 CCE86600 mov eax, dword ptr [66E8CC]
004033C2 . 8B55 CC mov edx, dword ptr [ebp-34]
004033C5 . 64:8915 00000>mov dword ptr fs:[0], edx
004033CC . 5F pop edi
004033CD . 5E pop esi
004033CE . 5B pop ebx
004033CF . 8BE5 mov esp, ebp
004033D1 . 5D pop ebp
004033D2 . C2 1000 retn 10
============================================================================================
================================
我们OD重新载入,在00471477处下断,把
00471479 0F85 C4000000 jnz 00471542
处改成
00471479 0F85 B9000000 jnz 00471538
让EAX置1,并直接跳转直至返回至00402FA9 . E8 5EE40600 call 0047140C处,F8几步后,来到
00402FCE . E8 15E9FFFF call 004018E8处,再F7进入CALL里,看看哪些地方对[678340]和
[6380C0]进行赋值的。细一看,有好几处呢,我们从CALL的底部和往上追寻最后赋值的地方:
004018E8 $ 55 push ebp
004018E9 . 8BEC mov ebp, esp
004018EB . 81C4 38FBFFFF add esp, -4C8
004018F1 . 33C0 xor eax, eax
004018F3 . 8945 FC mov dword ptr [ebp-4], eax
004018F6 . 33D2 xor edx, edx
004018F8 . 8955 F8 mov dword ptr [ebp-8], edx
004018FB . 33C9 xor ecx, ecx
004018FD . 894D F4 mov dword ptr [ebp-C], ecx
00401900 . 33C0 xor eax, eax
00401902 . 8945 F0 mov dword ptr [ebp-10], eax
00401905 . 33D2 xor edx, edx
00401907 . 8955 EC mov dword ptr [ebp-14], edx
0040190A . 6A 05 push 5
0040190C . 6A 30 push 30
0040190E . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00401911 . 51 push ecx
00401912 . E8 B13F2200 call 006258C8
00401917 . 83C4 0C add esp, 0C
0040191A . C645 E4 31 mov byte ptr [ebp-1C], 31
0040191E . C645 E8 31 mov byte ptr [ebp-18], 31
00401922 . C645 E9 00 mov byte ptr [ebp-17], 0
00401926 . 6A 10 push 10
00401928 . 6A 41 push 41
0040192A . 8D85 A4FCFFFF lea eax, dword ptr [ebp-35C]
00401930 . 50 push eax
00401931 . E8 923F2200 call 006258C8
00401936 . 83C4 0C add esp, 0C
00401939 . C685 B3FCFFFF>mov byte ptr [ebp-34D], 31
00401940 . C685 B2FCFFFF>mov byte ptr [ebp-34E], 44
00401947 . C685 A6FCFFFF>mov byte ptr [ebp-35A], 30
0040194E . C685 A7FCFFFF>mov byte ptr [ebp-359], 46
00401955 . C685 A9FCFFFF>mov byte ptr [ebp-357], 46
0040195C . C685 A8FCFFFF>mov byte ptr [ebp-358], 38
00401963 . C685 ABFCFFFF>mov byte ptr [ebp-355], 32
0040196A . 8D55 D0 lea edx, dword ptr [ebp-30]
0040196D . 52 push edx
0040196E . E8 51092300 call 006322C4
00401973 . 59 pop ecx
00401974 . C685 AEFCFFFF>mov byte ptr [ebp-352], 36
0040197B . C685 AAFCFFFF>mov byte ptr [ebp-356], 36
00401982 . C685 AFFCFFFF>mov byte ptr [ebp-351], 45
00401989 . C685 B0FCFFFF>mov byte ptr [ebp-350], 39
00401990 . C685 B1FCFFFF>mov byte ptr [ebp-34F], 37
00401997 . C685 A5FCFFFF>mov byte ptr [ebp-35B], 37
0040199E . C685 B4FCFFFF>mov byte ptr [ebp-34C], 0
004019A5 . 33C9 xor ecx, ecx
004019A7 . 890D B4E66300 mov dword ptr [63E6B4], ecx
004019AD . 8D45 F4 lea eax, dword ptr [ebp-C]
004019B0 . 50 push eax
004019B1 . FF75 0C push dword ptr [ebp+C]
004019B4 . E8 37E50700 call 0047FEF0
004019B9 . 83C4 08 add esp, 8
004019BC . 8B55 D0 mov edx, dword ptr [ebp-30]
004019BF . F7D2 not edx
004019C1 . 8915 40836700 mov dword ptr [678340], edx
004019C7 . 8D4D FC lea ecx, dword ptr [ebp-4]
004019CA . 51 push ecx
004019CB . 8D85 A4FCFFFF lea eax, dword ptr [ebp-35C]
004019D1 . 50 push eax
004019D2 . E8 19E50700 call 0047FEF0
004019D7 . 83C4 08 add esp, 8
004019DA . 8D55 F8 lea edx, dword ptr [ebp-8]
004019DD . 52 push edx
004019DE . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004019E1 . 51 push ecx
004019E2 . E8 09E50700 call 0047FEF0
004019E7 . 83C4 08 add esp, 8
004019EA . 8D45 EC lea eax, dword ptr [ebp-14]
004019ED . 50 push eax
004019EE . FF75 FC push dword ptr [ebp-4]
004019F1 . FF75 F8 push dword ptr [ebp-8]
004019F4 . FF75 F4 push dword ptr [ebp-C]
004019F7 . E8 54D30700 call 0047ED50
004019FC . 83C4 10 add esp, 10
004019FF . FF75 EC push dword ptr [ebp-14]
00401A02 . 8D95 B8FEFFFF lea edx, dword ptr [ebp-148]
00401A08 . 52 push edx
00401A09 . E8 16E60700 call 00480024
00401A0E . 83C4 08 add esp, 8
00401A11 . 8B4D D0 mov ecx, dword ptr [ebp-30]
00401A14 . F7D1 not ecx
00401A16 . 890D 40836700 mov dword ptr [678340], ecx
00401A1C . 8A85 B8FEFFFF mov al, byte ptr [ebp-148]
00401A22 . 8A15 38046400 mov dl, byte ptr [640438]
00401A28 . 3AC2 cmp al, dl
00401A2A . 75 48 jnz short 00401A74
00401A2C . FF05 40836700 inc dword ptr [678340]
00401A32 . 8A8D B9FEFFFF mov cl, byte ptr [ebp-147]
00401A38 . A0 39046400 mov al, byte ptr [640439]
00401A3D . 3AC8 cmp cl, al
00401A3F . 75 06 jnz short 00401A47
00401A41 . FF05 40836700 inc dword ptr [678340]
00401A47 > 0FBE95 C0FEFF>movsx edx, byte ptr [ebp-140]
00401A4E . 83FA 35 cmp edx, 35
00401A51 . 75 06 jnz short 00401A59
00401A53 . FF05 40836700 inc dword ptr [678340]
00401A59 > 0FBE8D C1FEFF>movsx ecx, byte ptr [ebp-13F]
00401A60 . 83F9 33 cmp ecx, 33
00401A63 . 0F85 D1010000 jnz 00401C3A
00401A69 . FF05 40836700 inc dword ptr [678340]
00401A6F . E9 C6010000 jmp 00401C3A
00401A74 > 8A85 B8FEFFFF mov al, byte ptr [ebp-148]
00401A7A . 8A15 3A046400 mov dl, byte ptr [64043A]
00401A80 . 3AC2 cmp al, dl
00401A82 . 74 13 je short 00401A97
00401A84 . 8A8D B9FEFFFF mov cl, byte ptr [ebp-147]
00401A8A . A0 3B046400 mov al, byte ptr [64043B]
00401A8F . 3AC8 cmp cl, al
00401A91 . 0F85 8E000000 jnz 00401B25
00401A97 > FF05 40836700 inc dword ptr [678340]
00401A9D . FF05 40836700 inc dword ptr [678340]
00401AA3 . 0FBE95 C0FEFF>movsx edx, byte ptr [ebp-140]
00401AAA . 83FA 61 cmp edx, 61
00401AAD . 7C 12 jl short 00401AC1
00401AAF . 0FBE8D C0FEFF>movsx ecx, byte ptr [ebp-140]
00401AB6 . 83C1 A9 add ecx, -57
00401AB9 . 890D 94276500 mov dword ptr [652794], ecx
00401ABF . EB 0F jmp short 00401AD0
00401AC1 > 0FBE85 C0FEFF>movsx eax, byte ptr [ebp-140]
00401AC8 . 83C0 D0 add eax, -30
00401ACB . A3 94276500 mov dword ptr [652794], eax
00401AD0 > FF05 40836700 inc dword ptr [678340]
00401AD6 . 8B15 94276500 mov edx, dword ptr [652794]
00401ADC . C1E2 04 shl edx, 4
00401ADF . 8915 94276500 mov dword ptr [652794], edx
00401AE5 . 0FBE8D C1FEFF>movsx ecx, byte ptr [ebp-13F]
00401AEC . 83F9 61 cmp ecx, 61
00401AEF . 7C 12 jl short 00401B03
00401AF1 . 0FBE85 C1FEFF>movsx eax, byte ptr [ebp-13F]
00401AF8 . 83C0 A9 add eax, -57
00401AFB . 0105 94276500 add dword ptr [652794], eax
00401B01 . EB 10 jmp short 00401B13
00401B03 > 0FBE95 C1FEFF>movsx edx, byte ptr [ebp-13F]
00401B0A . 83C2 D0 add edx, -30
00401B0D . 0115 94276500 add dword ptr [652794], edx
00401B13 > FF05 40836700 inc dword ptr [678340]
00401B19 . 832D 94276500>sub dword ptr [652794], 20
00401B20 . E9 15010000 jmp 00401C3A
00401B25 > 8A8D B8FEFFFF mov cl, byte ptr [ebp-148]
00401B2B . A0 3C046400 mov al, byte ptr [64043C]
00401B30 . 3AC8 cmp cl, al
00401B32 . 74 14 je short 00401B48
00401B34 . 8A95 B9FEFFFF mov dl, byte ptr [ebp-147]
00401B3A . 8A0D 3D046400 mov cl, byte ptr [64043D]
00401B40 . 3AD1 cmp dl, cl
00401B42 . 0F85 F2000000 jnz 00401C3A
00401B48 > FF05 40836700 inc dword ptr [678340]
00401B4E . FF05 40836700 inc dword ptr [678340]
00401B54 . 0FBE85 C6FEFF>movsx eax, byte ptr [ebp-13A]
00401B5B . 83F8 61 cmp eax, 61
00401B5E . 7C 0F jl short 00401B6F
00401B60 . 0FBE95 C6FEFF>movsx edx, byte ptr [ebp-13A]
00401B67 . 83C2 A9 add edx, -57
00401B6A . 8955 CC mov dword ptr [ebp-34], edx
00401B6D . EB 0D jmp short 00401B7C
00401B6F > 0FBE8D C6FEFF>movsx ecx, byte ptr [ebp-13A]
00401B76 . 83C1 D0 add ecx, -30
00401B79 . 894D CC mov dword ptr [ebp-34], ecx
00401B7C > 8B45 CC mov eax, dword ptr [ebp-34]
00401B7F . C1E0 04 shl eax, 4
00401B82 . 8945 CC mov dword ptr [ebp-34], eax
00401B85 . 0FBE95 C7FEFF>movsx edx, byte ptr [ebp-139]
00401B8C . 83FA 61 cmp edx, 61
00401B8F . 7C 0F jl short 00401BA0
00401B91 . 0FBE8D C7FEFF>movsx ecx, byte ptr [ebp-139]
00401B98 . 83C1 A9 add ecx, -57
00401B9B . 014D CC add dword ptr [ebp-34], ecx
00401B9E . EB 0D jmp short 00401BAD
00401BA0 > 0FBE85 C7FEFF>movsx eax, byte ptr [ebp-139]
00401BA7 . 83C0 D0 add eax, -30
00401BAA . 0145 CC add dword ptr [ebp-34], eax
00401BAD > 836D CC 20 sub dword ptr [ebp-34], 20
00401BB1 . 0FBE95 C0FEFF>movsx edx, byte ptr [ebp-140]
00401BB8 . 83FA 61 cmp edx, 61
00401BBB . 7C 12 jl short 00401BCF
00401BBD . 0FBE8D C0FEFF>movsx ecx, byte ptr [ebp-140]
00401BC4 . 83C1 A9 add ecx, -57
00401BC7 . 890D 94276500 mov dword ptr [652794], ecx
00401BCD . EB 0F jmp short 00401BDE
00401BCF > 0FBE85 C0FEFF>movsx eax, byte ptr [ebp-140]
00401BD6 . 83C0 D0 add eax, -30
00401BD9 . A3 94276500 mov dword ptr [652794], eax
00401BDE > FF05 40836700 inc dword ptr [678340]
00401BE4 . 8B15 94276500 mov edx, dword ptr [652794]
00401BEA . C1E2 04 shl edx, 4
00401BED . 8915 94276500 mov dword ptr [652794], edx
00401BF3 . 0FBE8D C1FEFF>movsx ecx, byte ptr [ebp-13F]
00401BFA . 83F9 61 cmp ecx, 61
00401BFD . 7C 12 jl short 00401C11
00401BFF . 0FBE85 C1FEFF>movsx eax, byte ptr [ebp-13F]
00401C06 . 83C0 A9 add eax, -57
00401C09 . 0105 94276500 add dword ptr [652794], eax
00401C0F . EB 10 jmp short 00401C21
00401C11 > 0FBE95 C1FEFF>movsx edx, byte ptr [ebp-13F]
00401C18 . 83C2 D0 add edx, -30
00401C1B . 0115 94276500 add dword ptr [652794], edx
00401C21 > FF05 40836700 inc dword ptr [678340]
00401C27 . 832D 94276500>sub dword ptr [652794], 20
00401C2E . 8B4D CC mov ecx, dword ptr [ebp-34]
00401C31 . C1E1 06 shl ecx, 6
00401C34 . 010D 94276500 add dword ptr [652794], ecx
00401C3A > 0FBE85 BEFEFF>movsx eax, byte ptr [ebp-142]
00401C41 . 83F8 32 cmp eax, 32
00401C44 . 7C 0C jl short 00401C52
00401C46 . 0FBE95 BEFEFF>movsx edx, byte ptr [ebp-142]
00401C4D . 83FA 32 cmp edx, 32
00401C50 . 7E 06 jle short 00401C58
00401C52 > FF0D 40836700 dec dword ptr [678340]
00401C58 > 0FBE8D BFFEFF>movsx ecx, byte ptr [ebp-141]
00401C5F . 83F9 61 cmp ecx, 61
00401C62 . 74 12 je short 00401C76
00401C64 . 0FBE85 BFFEFF>movsx eax, byte ptr [ebp-141]
00401C6B . 83F8 63 cmp eax, 63
00401C6E . 74 06 je short 00401C76
00401C70 . FF0D 40836700 dec dword ptr [678340]
00401C76 > FF05 40836700 inc dword ptr [678340]
00401C7C . FF05 40836700 inc dword ptr [678340]
00401C82 . C745 C4 DC650>mov dword ptr [ebp-3C], 65DC
00401C89 . 8B15 40836700 mov edx, dword ptr [678340]
00401C8F . 8955 B8 mov dword ptr [ebp-48], edx
00401C92 . FF0D 40836700 dec dword ptr [678340]
00401C98 . 8B4D B8 mov ecx, dword ptr [ebp-48]
00401C9B . A1 40836700 mov eax, dword ptr [678340]
00401CA0 . 3BC8 cmp ecx, eax
00401CA2 . 8B55 D0 mov edx, dword ptr [ebp-30]
00401CA5 . F7D2 not edx
00401CA7 . 83C2 0A add edx, 0A
00401CAA . 8B0D 40836700 mov ecx, dword ptr [678340]
00401CB0 . 3BD1 cmp edx, ecx
00401CB2 . 7C 10 jl short 00401CC4
00401CB4 . 8B45 D0 mov eax, dword ptr [ebp-30]
00401CB7 . F7D0 not eax
00401CB9 . 83C0 F6 add eax, -0A
00401CBC . 8B15 40836700 mov edx, dword ptr [678340]
00401CC2 . 3BC2 cmp eax, edx
00401CC4 > C745 C0 C8806>mov dword ptr [ebp-40], 006380C8
00401CCB . 8D8D 38FBFFFF lea ecx, dword ptr [ebp-4C8]
00401CD1 . 51 push ecx
00401CD2 . E8 397C0A00 call 004A9910
00401CD7 . 59 pop ecx
00401CD8 . FF0D 40836700 dec dword ptr [678340]
00401CDE . FF75 C4 push dword ptr [ebp-3C]
00401CE1 . FF75 C0 push dword ptr [ebp-40]
00401CE4 . 8D85 38FBFFFF lea eax, dword ptr [ebp-4C8]
00401CEA . 50 push eax
00401CEB . E8 5C7C0A00 call 004A994C
00401CF0 . 83C4 0C add esp, 0C
00401CF3 . FF0D 40836700 dec dword ptr [678340]
00401CF9 . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
00401CFF . 52 push edx
00401D00 . 8D8D 90FBFFFF lea ecx, dword ptr [ebp-470]
00401D06 . 51 push ecx
00401D07 . E8 287D0A00 call 004A9A34
00401D0C . 83C4 08 add esp, 8
00401D0F . 6A 10 push 10
00401D11 . 68 A4E66300 push 0063E6A4
00401D16 . 8D85 90FBFFFF lea eax, dword ptr [ebp-470]
00401D1C . 50 push eax
00401D1D . E8 823E2200 call 00625BA4
00401D22 . 83C4 0C add esp, 0C
00401D25 . 85C0 test eax, eax
00401D27 . 0F85 FD000000 jnz 00401E2A
00401D2D . FF75 0C push dword ptr [ebp+C]
00401D30 . FF75 08 push dword ptr [ebp+8]
00401D33 . 68 6F046400 push 0064046F ; ASCII "UTRISO"
00401D38 . 68 68046400 push 00640468 ; ASCII "%s%s%s"
00401D3D . 8D95 A0FBFFFF lea edx, dword ptr [ebp-460]
00401D43 . 52 push edx
00401D44 . E8 CB7F2200 call 00629D14
00401D49 . 83C4 14 add esp, 14
00401D4C . FF0D 40836700 dec dword ptr [678340]
00401D52 . 8D8D A0FBFFFF lea ecx, dword ptr [ebp-460]
00401D58 . 51 push ecx
00401D59 . 8D85 90FBFFFF lea eax, dword ptr [ebp-470]
00401D5F . 50 push eax
00401D60 . E8 3FFBFFFF call 004018A4
00401D65 . 83C4 08 add esp, 8
00401D68 . 33D2 xor edx, edx
00401D6A . 8955 C8 mov dword ptr [ebp-38], edx
00401D6D . C745 DC F9100>mov dword ptr [ebp-24], 10F9
00401D74 . 8B4D C8 mov ecx, dword ptr [ebp-38]
00401D77 . 8B45 DC mov eax, dword ptr [ebp-24]
00401D7A . 3BC8 cmp ecx, eax
00401D7C . 0F8F A8000000 jg 00401E2A
00401D82 > 8B55 C8 mov edx, dword ptr [ebp-38]
00401D85 . 8B4D DC mov ecx, dword ptr [ebp-24]
00401D88 . 03D1 add edx, ecx
00401D8A . D1FA sar edx, 1
00401D8C . 79 03 jns short 00401D91
00401D8E . 83D2 00 adc edx, 0
00401D91 > 8955 D8 mov dword ptr [ebp-28], edx
00401D94 . 6A 06 push 6
00401D96 . 8D85 90FBFFFF lea eax, dword ptr [ebp-470]
00401D9C . 50 push eax
00401D9D . 8B55 D8 mov edx, dword ptr [ebp-28]
00401DA0 . 03D2 add edx, edx
00401DA2 . 8D1452 lea edx, dword ptr [edx+edx*2]
00401DA5 . 8B4D C0 mov ecx, dword ptr [ebp-40]
00401DA8 . 03D1 add edx, ecx
00401DAA . 52 push edx
00401DAB . E8 F43D2200 call 00625BA4
00401DB0 . 83C4 0C add esp, 0C
00401DB3 . 8945 BC mov dword ptr [ebp-44], eax
00401DB6 . 8B45 BC mov eax, dword ptr [ebp-44]
00401DB9 . 85C0 test eax, eax
00401DBB . 7E 09 jle short 00401DC6
00401DBD . 8B55 D8 mov edx, dword ptr [ebp-28]
00401DC0 . 4A dec edx
00401DC1 . 8955 DC mov dword ptr [ebp-24], edx
00401DC4 . EB 56 jmp short 00401E1C
00401DC6 > 8B4D BC mov ecx, dword ptr [ebp-44]
00401DC9 . 85C9 test ecx, ecx
这里可以改成xor ecx, ecx,好让下面可以跳转。
00401DCB . 7D 09 jge short 00401DD6
这里一定要跳转才会经过下面的00401DFA处。也可以直接改成JMP
00401DCD . 8B45 D8 mov eax, dword ptr [ebp-28]
00401DD0 . 40 inc eax
00401DD1 . 8945 C8 mov dword ptr [ebp-38], eax
00401DD4 . EB 46 jmp short 00401E1C
00401DD6 > FF0D 40836700 dec dword ptr [678340]
00401DDC . FF0D 40836700 dec dword ptr [678340]
00401DE2 . 8B55 D0 mov edx, dword ptr [ebp-30]
00401DE5 . 83C2 46 add edx, 46
00401DE8 . 8915 B4E66300 mov dword ptr [63E6B4], edx
00401DEE . 8B4D D0 mov ecx, dword ptr [ebp-30]
00401DF1 . F7D1 not ecx
00401DF3 . A1 40836700 mov eax, dword ptr [678340]
00401DF8 . 3BC8 cmp ecx, eax
这里可以改成xor eax, eax,好让下面不要跳转,跳转就完了。
00401DFA . 75 2E jnz short 00401E2A
当然也可以nop掉上面这句。
00401DFC . 8B15 C0806300 mov edx, dword ptr [6380C0]
00401E02 . 8915 40836700 mov dword ptr [678340], edx
00401E08 . 8B0D C0806300 mov ecx, dword ptr [6380C0]
经过分析,程序只要运行到这里就可以令两个地址的值一样。
上面这几行代码是将[6380C0]的值分别传给EDX和ECX,并且通过EDX传给[678340],一句话,运行了上面
,[6380C0]、[678340]、EDX、ECX的值就都一样了。
00401E0E . 81C1 22060000 add ecx, 622
00401E14 . 890D 6C646400 mov dword ptr [64646C], ecx
00401E1A . EB 0E jmp short 00401E2A
00401E1C > 8B45 C8 mov eax, dword ptr [ebp-38]
00401E1F . 8B55 DC mov edx, dword ptr [ebp-24]
00401E22 . 3BC2 cmp eax, edx
00401E24 .^ 0F8E 58FFFFFF jle 00401D82
00401E2A > 8D4D F0 lea ecx, dword ptr [ebp-10]
00401E2D . 51 push ecx
00401E2E . FF75 08 push dword ptr [ebp+8]
00401E31 . E8 BAE00700 call 0047FEF0
00401E36 . 83C4 08 add esp, 8
00401E39 . 8B45 D0 mov eax, dword ptr [ebp-30]
00401E3C . 83C0 46 add eax, 46
00401E3F . 8B15 B4E66300 mov edx, dword ptr [63E6B4]
00401E45 . 3BC2 cmp eax, edx
00401E47 . 74 0B je short 00401E54
00401E49 . 8B4D D0 mov ecx, dword ptr [ebp-30]
00401E4C . F7D1 not ecx
00401E4E . 890D 40836700 mov dword ptr [678340], ecx
00401E54 > FF75 EC push dword ptr [ebp-14]
00401E57 . FF75 F0 push dword ptr [ebp-10]
00401E5A . E8 EDA80700 call 0047C74C
00401E5F . 83C4 08 add esp, 8
00401E62 . 85C0 test eax, eax
00401E64 . 74 04 je short 00401E6A
00401E66 . 33C0 xor eax, eax
00401E68 . EB 05 jmp short 00401E6F
00401E6A > B8 01000000 mov eax, 1
00401E6F > 8BE5 mov esp, ebp
00401E71 . 5D pop ebp
00401E72 . C3 retn
总共改了三处:
00471479 0F85 C4000000 jnz 00471542
处改成
00471479 0F85 B9000000 jnz 00471538
00401DC9 . 85C9 test ecx, ecx
改成
00401DC9 . 33C9 xor ecx, ecx
00401DF8 . 3BC8 cmp ecx, eax
改成
00401DF8 . 33C0 xor eax, eax
修改保存后成功运行,没有注册窗口和试用字样,小功告成。
等等,试下300M的限制去除了没有?随便找个600M的ISO文件打开,另存为,晕,革命尚未成功。
回头看看,判断注册的标志,有两个,一个是[6452D8]的赋值, 一个是[678340]和[6380C0]的赋值,其它
地方一定还有关于它们的赋值及判断。[6452D8]处的命令简单了点,搜索起来肯定很多,很难判断,我们
再回头看看下面这个关键语句,是用来平衡[678340]和[6380C0]的数值的:
00401DFC . 8B15 C0806300 mov edx, dword ptr [6380C0]
00401E02 . 8915 40836700 mov dword ptr [678340], edx
00401E08 . 8B0D C0806300 mov ecx, dword ptr [6380C0]
OD重新载入后,ctrl+f,查找命令,mov edx, dword ptr [6380C0]或另外两句,ctrl+l继续查找,
找到几处,点击进去一看,
00443E15 |. 85C9 |test ecx, ecx
这里。。。
00443E17 |. 7D 09 |jge short 00443E22
00443E19 |. 8B45 D8 |mov eax, dword ptr [ebp-28]
00443E1C |. 40 |inc eax
00443E1D |. 8945 C8 |mov dword ptr [ebp-38], eax
00443E20 |. EB 46 |jmp short 00443E68
00443E22 |> FF0D 40836700 |dec dword ptr [678340]
00443E28 |. FF0D 40836700 |dec dword ptr [678340]
00443E2E |. 8B55 D0 |mov edx, dword ptr [ebp-30]
00443E31 |. 83C2 46 |add edx, 46
00443E34 |. 8915 00976500 |mov dword ptr [659700], edx
00443E3A |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
00443E3D |. F7D1 |not ecx
00443E3F |. A1 40836700 |mov eax, dword ptr [678340]
00443E44 |. 3BC8 |cmp ecx, eax
这里。。。
00443E46 |. 75 2E |jnz short 00443E76
00443E48 |. 8B15 C0806300 |mov edx, dword ptr [6380C0]
00443E4E |. 8915 40836700 |mov dword ptr [678340], edx
00443E54 |. 8B0D C0806300 |mov ecx, dword ptr [6380C0]
这里是不是很眼熟?还等什么,照改吧。
继续ctrl+l,又找到一处:
004AC7EE |. 85C9 |test ecx, ecx
004AC7F0 |. 7D 09 |jge short 004AC7FB
这里。。。
004AC7F2 |. 8B45 D8 |mov eax, dword ptr [ebp-28]
004AC7F5 |. 40 |inc eax
004AC7F6 |. 8945 C8 |mov dword ptr [ebp-38], eax
004AC7F9 |. EB 46 |jmp short 004AC841
004AC7FB |> FF0D 40836700 |dec dword ptr [678340]
004AC801 |. FF0D 40836700 |dec dword ptr [678340]
004AC807 |. 8B55 D0 |mov edx, dword ptr [ebp-30]
004AC80A |. 83C2 46 |add edx, 46
004AC80D |. 8915 B86D6700 |mov dword ptr [676DB8], edx
004AC813 |. 8B4D D0 |mov ecx, dword ptr [ebp-30]
004AC816 |. F7D1 |not ecx
004AC818 |. A1 40836700 |mov eax, dword ptr [678340]
004AC81D |. 3BC8 |cmp ecx, eax
这里。。。
004AC81F |. 75 2E |jnz short 004AC84F
004AC821 |. 8B15 C0806300 |mov edx, dword ptr [6380C0]
004AC827 |. 8915 40836700 |mov dword ptr [678340], edx
004AC82D |. 8B0D C0806300 |mov ecx, dword ptr [6380C0]
降龙十八掌,打完收工!
这样还不行?想加上自己的签名忽悠人?在ultraiso目录里新建文本,里面按以下格式填写。
UserName="大道至简"
Registration="7878-7878-1170-9394"
再把文本重命名为uikey.ini保存,运行ultraiso即可在关于里见到自己的名字授权。想改成多用户版本
的话,再用OD载入,查找字串"License",点击进去就可以看到(ASCII "%d User License")和(ASCII
"Single User License"),怎样修改上面的跳转不用我教了吧!
唉,写个破文都要个把小时,今天才知道,码字原来是个体力活,比破解还累!