【Title】[Original] Notes on cracking a pharmacy GSP management system 【Applying for an invitation code】
【Author】hglhyy
【Author's e-mail】651410@qq.com
【Author's homepage】
【Tools】DeDe, OD
【Platform】Win7
【Software name】DrugMIS.exe
【Software size】6.8MB
【Original download】http://www.newhua.com/soft/5353.htm
【Software description】Written in Delphi, suitable for a novice like me ^.^
【Disclaimer】
This article is for research and study only; I accept no legal responsibility for any consequences arising from it.
My skills are limited; this is purely a beginner's exchange. I worked on this late into the night yesterday and am writing it up now at the office. Heh.
------------------------------------------------------------------------
【Cracking process】
Step 1: After downloading and installing the database, I checked the executable for a packer: surprisingly, none; it is written in Delphi. I won't write up that part; if it had been packed, there are plenty of powerful unpackers.
Step 2: Open the software and have a look. A trial period,
and a dongle (加密狗, literally "encryption dog") too?? I'm a wolf; why would I fear a dog?
Step 2, continued: Load it in OD and search for the prompt string seen just now.
There are five hits in total; take them one at a time. Double-click the first, and we arrive at:
006B3E0C /74 1B je short 006B3E29
006B3E0E |. |B8 80406B00 mov eax, 006B4080 ; 请安装新加密狗
006B3E13 |. |E8 188DD8FF call 0043CB30
006B3E18 |. |A1 58457700 mov eax, dword ptr [774558]
006B3E1D |. |8B00 mov eax, dword ptr [eax]
006B3E1F |. |E8 008EDEFF call 0049CC24
006B3E24 |. |E9 84010000 jmp 006B3FAD
006B3E29 |> \33C0 xor eax, eax
006B3E2B |. A3 FC0F8B00 mov dword ptr [8B0FFC], eax
006B3E30 |. 6A 01 push 1
006B3E32 |. 68 6C406B00 push 006B406C ; da5d5ba1
006B3E37 |. 68 FC0F8B00 push 008B0FFC
One look says it all: how could the je at 006B3E0C possibly not jump? Go to that line, double-click, and assemble the je into jne.
Change the other four in the same way, then save to a file.
Step 3: Open the file just saved. The prompts have changed??
Search again as in step 2, but when searching the ASCII strings I noticed these prompts sit together?? Can they all be changed at once?? Try it first and see.
Double-click to jump to:
006B3E47 |. /74 1B je short 006B3E64
006B3E49 |. |B8 98406B00 mov eax, 006B4098 ; 错误的新加密狗,请检查
006B3E4E |. |E8 DD8CD8FF call 0043CB30
006B3E53 |. |A1 58457700 mov eax, dword ptr [774558]
006B3E58 |. |8B00 mov eax, dword ptr [eax]
006B3E5A |. |E8 C58DDEFF call 0049CC24
006B3E5F |. |E9 49010000 jmp 006B3FAD
006B3E64 |> \68 B0406B00 push 006B40B0 ; 1357986421357986
006B3E69 |. 6A 00 push 0
006B3E6B |. A1 FC0F8B00 mov eax, dword ptr [8B0FFC]
006B3E70 |. 50 push eax
006B3E71 |. A1 B8497700 mov eax, dword ptr [7749B8]
006B3E76 |. 8B00 mov eax, dword ptr [eax]
006B3E78 |. FFD0 call eax
006B3E7A |. 85C0 test eax, eax
006B3E7C |. 74 1B je short 006B3E99
006B3E7E |. B8 CC406B00 mov eax, 006B40CC ; 新加密狗错误,请检查
006B3E83 |. E8 A88CD8FF call 0043CB30
006B3E88 |. A1 58457700 mov eax, dword ptr [774558]
006B3E8D |. 8B00 mov eax, dword ptr [eax]
006B3E8F |. E8 908DDEFF call 0049CC24
006B3E94 |. E9 14010000 jmp 006B3FAD
006B3E99 |> BA 01020000 mov edx, 201
006B3E9E |. 8D85 FBFDFFFF lea eax, dword ptr [ebp-205]
006B3EA4 |> C600 00 /mov byte ptr [eax], 0
006B3EA7 |. 40 |inc eax
006B3EA8 |. 4A |dec edx
006B3EA9 |.^ 75 F9 \jnz short 006B3EA4
006B3EAB |. 8D85 FBFDFFFF lea eax, dword ptr [ebp-205]
006B3EB1 |. 50 push eax
006B3EB2 |. 6A 3C push 3C
006B3EB4 |. 6A 00 push 0
006B3EB6 |. A1 FC0F8B00 mov eax, dword ptr [8B0FFC]
006B3EBB |. 50 push eax
006B3EBC |. A1 BC477700 mov eax, dword ptr [7747BC]
006B3EC1 |. 8B00 mov eax, dword ptr [eax]
006B3EC3 |. FFD0 call eax
006B3EC5 |. 85C0 test eax, eax
006B3EC7 |. 74 1B je short 006B3EE4
006B3EC9 |. B8 CC406B00 mov eax, 006B40CC ; 新加密狗错误,请检查
006B3ECE |. E8 5D8CD8FF call 0043CB30
006B3ED3 |. A1 58457700 mov eax, dword ptr [774558]
006B3ED8 |. 8B00 mov eax, dword ptr [eax]
006B3EDA |. E8 458DDEFF call 0049CC24
006B3EDF |. E9 C9000000 jmp 006B3FAD
006B3EE4 |> 8D85 F4FDFFFF lea eax, dword ptr [ebp-20C]
The comments on the right tell the story: now it is "wrong dongle", and there must also be a "new dongle error" prompt when the program is running. (This was later confirmed: the prompt appears when entering a system function, because I had missed one spot when patching and got the error when running that function.)
Change every je that sits just before one of these prompts into JNE, then save and exit.
Step 4: Open the file saved above again. Prompt:
Search the ASCII strings again,
Luckily there is only one hit, heh. Double-click to follow it here; this is the key part:
007684D2 . /0F85 400B0000 jnz 00769018
007684D8 > |A1 5C338F00 mov eax, dword ptr [8F335C]
007684DD . |50 push eax
007684DE . |A1 1C497700 mov eax, dword ptr [77491C]
007684E3 . |8B00 mov eax, dword ptr [eax]
007684E5 . |FFD0 call eax
007684E7 . |A1 F0467700 mov eax, dword ptr [7746F0]
007684EC . |C600 00 mov byte ptr [eax], 0
...
... too long; the middle part is omitted.
007689C4 . |E8 8FBBC9FF call 00404558
007689C9 . |8D55 F4 lea edx, dword ptr [ebp-C]
007689CC . |B8 8C947600 mov eax, 0076948C ; encrypt
007689D1 . |E8 72AFDDFF call 00543948
007689D6 . |8D95 8CFDFFFF lea edx, dword ptr [ebp-274]
007689DC . |B8 9C947600 mov eax, 0076949C ; buttonbar
007689E1 . |E8 62AFDDFF call 00543948
007689E6 . |8B85 8CFDFFFF mov eax, dword ptr [ebp-274]
007689EC . |BA 64947600 mov edx, 00769464 ; 1
007689F1 . |E8 1ABFC9FF call 00404910
007689F6 . |75 2C jnz short 00768A24
007689F8 . |8B45 FC mov eax, dword ptr [ebp-4]
007689FB . |8B80 B4030000 mov eax, dword ptr [eax+3B4]
00768A01 . |B2 01 mov dl, 1
00768A03 . |E8 0490D2FF call 00491A0C
00768A08 . |8B45 FC mov eax, dword ptr [ebp-4]
00768A0B . |8B80 B4030000 mov eax, dword ptr [eax+3B4]
00768A11 . |8A50 38 mov dl, byte ptr [eax+38]
00768A14 . |8B45 FC mov eax, dword ptr [ebp-4]
00768A17 . |8B80 38030000 mov eax, dword ptr [eax+338]
00768A1D . |E8 D26BD1FF call 0047F5F4
00768A22 . |EB 2A jmp short 00768A4E
00768A24 > |8B45 FC mov eax, dword ptr [ebp-4]
00768A27 . |8B80 B4030000 mov eax, dword ptr [eax+3B4]
00768A2D . |33D2 xor edx, edx
00768A2F . |E8 D88FD2FF call 00491A0C
00768A34 . |8B45 FC mov eax, dword ptr [ebp-4]
00768A37 . |8B80 B4030000 mov eax, dword ptr [eax+3B4]
00768A3D . |8A50 38 mov dl, byte ptr [eax+38]
00768A40 . |8B45 FC mov eax, dword ptr [ebp-4]
00768A43 . |8B80 38030000 mov eax, dword ptr [eax+338]
00768A49 . |E8 A66BD1FF call 0047F5F4
00768A4E > |6A 00 push 0
00768A50 . |8D45 F8 lea eax, dword ptr [ebp-8]
00768A53 . |50 push eax
00768A54 . |B9 B0947600 mov ecx, 007694B0 ; code
00768A59 . |BA C0947600 mov edx, 007694C0 ; sysregister
00768A5E . |8BC3 mov eax, ebx
00768A60 . |8B30 mov esi, dword ptr [eax]
00768A62 . |FF16 call dword ptr [esi]
00768A64 . |837D F4 00 cmp dword ptr [ebp-C], 0
00768A68 . |0F85 D2000000 jnz 00768B40
00768A6E . |837D F8 00 cmp dword ptr [ebp-8], 0
00768A72 . |0F85 C8000000 jnz 00768B40
00768A78 . |E8 3F2FCAFF call 0040B9BC
00768A7D . |83C4 F8 add esp, -8
00768A80 . |DD1C24 fstp qword ptr [esp]
00768A83 . |9B wait
00768A84 . |E8 77B6DDFF call 00544100
00768A89 . |8D55 F0 lea edx, dword ptr [ebp-10]
00768A8C . |E8 3F0DCAFF call 004097D0
00768A91 . |8B45 F0 mov eax, dword ptr [ebp-10]
00768A94 . |E8 2BBDC9FF call 004047C4
00768A99 . |8BF8 mov edi, eax
00768A9B . |85FF test edi, edi
00768A9D . |7E 32 jle short 00768AD1
00768A9F . |BE 01000000 mov esi, 1
00768AA4 > |8D45 F0 lea eax, dword ptr [ebp-10]
00768AA7 . |E8 70BFC9FF call 00404A1C
00768AAC . |8D4430 FF lea eax, dword ptr [eax+esi-1]
00768AB0 . |50 push eax
00768AB1 . |8BC6 mov eax, esi
00768AB3 . |F7EE imul esi
00768AB5 . |B9 0A000000 mov ecx, 0A
00768ABA . |99 cdq
00768ABB . |F7F9 idiv ecx
00768ABD . |83C2 66 add edx, 66
00768AC0 . |8B45 F0 mov eax, dword ptr [ebp-10]
00768AC3 . |0FB64430 FF movzx eax, byte ptr [eax+esi-1]
00768AC8 . |33D0 xor edx, eax
00768ACA . |58 pop eax
00768ACB . |8810 mov byte ptr [eax], dl
00768ACD . |46 inc esi
00768ACE . |4F dec edi
00768ACF .^|75 D3 jnz short 00768AA4
00768AD1 > |A1 EC487700 mov eax, dword ptr [7748EC]
00768AD6 . |8B00 mov eax, dword ptr [eax]
00768AD8 . |8B70 5C mov esi, dword ptr [eax+5C]
00768ADB . |8BC6 mov eax, esi
00768ADD . |E8 B2EFD7FF call 004E7A94
00768AE2 . |8B86 48020000 mov eax, dword ptr [esi+248]
00768AE8 . |8B10 mov edx, dword ptr [eax]
00768AEA . |FF52 44 call dword ptr [edx+44]
00768AED . |68 D4947600 push 007694D4 ; update versioninfo set content='
00768AF2 . |FF75 F0 push dword ptr [ebp-10]
00768AF5 . |68 00957600 push 00769500 ; '
00768AFA . |68 0C957600 push 0076950C ; where name=
00768AFF . |68 00957600 push 00769500 ; '
00768B04 . |68 8C947600 push 0076948C ; encrypt
00768B09 . |68 00957600 push 00769500 ; '
00768B0E . |8D45 EC lea eax, dword ptr [ebp-14]
00768B11 . |BA 07000000 mov edx, 7
00768B16 . |E8 69BDC9FF call 00404884
00768B1B . |8B86 48020000 mov eax, dword ptr [esi+248]
00768B21 . |8B55 EC mov edx, dword ptr [ebp-14]
00768B24 . |8B08 mov ecx, dword ptr [eax]
00768B26 . |FF51 38 call dword ptr [ecx+38]
00768B29 . |80BE 4C020000>cmp byte ptr [esi+24C], 0
00768B30 . |75 07 jnz short 00768B39
00768B32 . |8BC6 mov eax, esi
00768B34 . |E8 C3C0DBFF call 00524BFC
00768B39 > |8BC6 mov eax, esi
00768B3B . |E8 60C8DBFF call 005253A0
00768B40 > |A1 B44C7700 mov eax, dword ptr [774CB4]
00768B45 . |8A00 mov al, byte ptr [eax]
00768B47 . |34 01 xor al, 1
00768B49 . |E8 6248DDFF call 0053D3B0
00768B4E . |84C0 test al, al
00768B50 . |0F85 EB020000 jnz 00768E41
00768B56 . |A1 D8417700 mov eax, dword ptr [7741D8]
00768B5B . |C600 00 mov byte ptr [eax], 0
00768B5E . |BE D7070000 mov esi, 7D7
00768B63 . |BF 0C000000 mov edi, 0C
00768B68 . |C745 E8 1E000>mov dword ptr [ebp-18], 1E
00768B6F . |8D85 88FDFFFF lea eax, dword ptr [ebp-278]
00768B75 . |50 push eax
00768B76 . |89B5 70FDFFFF mov dword ptr [ebp-290], esi
00768B7C . |C685 74FDFFFF>mov byte ptr [ebp-28C], 0
00768B83 . |89BD 78FDFFFF mov dword ptr [ebp-288], edi
00768B89 . |C685 7CFDFFFF>mov byte ptr [ebp-284], 0
00768B90 . |8B45 E8 mov eax, dword ptr [ebp-18]
00768B93 . |8985 80FDFFFF mov dword ptr [ebp-280], eax
00768B99 . |C685 84FDFFFF>mov byte ptr [ebp-27C], 0
00768BA0 . |8D95 70FDFFFF lea edx, dword ptr [ebp-290]
00768BA6 . |B9 02000000 mov ecx, 2
00768BAB . |B8 20957600 mov eax, 00769520 ; %d-%02d-%02d
00768BB0 . |E8 831BCAFF call 0040A738
00768BB5 . |8B85 88FDFFFF mov eax, dword ptr [ebp-278]
00768BBB . |E8 F043CAFF call 0040CFB0
00768BC0 . |DD9D CCFDFFFF fstp qword ptr [ebp-234]
00768BC6 . |9B wait
00768BC7 . |E8 F02DCAFF call 0040B9BC
00768BCC . |83C4 F8 add esp, -8
00768BCF . |DD1C24 fstp qword ptr [esp]
00768BD2 . |9B wait
00768BD3 . |8D85 6CFDFFFF lea eax, dword ptr [ebp-294]
00768BD9 . |E8 823BCAFF call 0040C760
00768BDE . |8B85 6CFDFFFF mov eax, dword ptr [ebp-294]
00768BE4 . |E8 C743CAFF call 0040CFB0
00768BE9 . |DC9D CCFDFFFF fcomp qword ptr [ebp-234]
00768BEF . |DFE0 fstsw ax
00768BF1 . |9E sahf
00768BF2 . |76 24 jbe short 00768C18
00768BF4 . |6A 40 push 40
00768BF6 . |B9 30957600 mov ecx, 00769530 ; 提示
00768BFB . |BA 38957600 mov edx, 00769538 ; 请使用正式版软件!
00768C00 . |A1 30487700 mov eax, dword ptr [774830]
00768C05 . |8B00 mov eax, dword ptr [eax]
00768C07 . |E8 507BD3FF call 004A075C
00768C0C . |A1 30487700 mov eax, dword ptr [774830]
00768C11 . |8B00 mov eax, dword ptr [eax]
00768C13 . |E8 A07AD3FF call 004A06B8
00768C18 > |837D F4 00 cmp dword ptr [ebp-C], 0
00768C1C . |0F84 27020000 je 00768E49
00768C22 . |8B45 F4 mov eax, dword ptr [ebp-C]
00768C25 . |E8 9ABBC9FF call 004047C4
00768C2A . |8BF8 mov edi, eax
00768C2C . |85FF test edi, edi
00768C2E . |7E 32 jle short 00768C62
00768C30 . |BE 01000000 mov esi, 1
00768C35 > |8D45 F4 lea eax, dword ptr [ebp-C]
00768C38 . |E8 DFBDC9FF call 00404A1C
00768C3D . |8D4430 FF lea eax, dword ptr [eax+esi-1]
00768C41 . |50 push eax
00768C42 . |8BC6 mov eax, esi
00768C44 . |F7EE imul esi
00768C46 . |B9 0A000000 mov ecx, 0A
00768C4B . |99 cdq
00768C4C . |F7F9 idiv ecx
00768C4E . |83C2 66 add edx, 66
00768C51 . |8B45 F4 mov eax, dword ptr [ebp-C]
00768C54 . |0FB64430 FF movzx eax, byte ptr [eax+esi-1]
00768C59 . |33D0 xor edx, eax
00768C5B . |58 pop eax
00768C5C . |8810 mov byte ptr [eax], dl
00768C5E . |46 inc esi
00768C5F . |4F dec edi
00768C60 .^|75 D3 jnz short 00768C35
00768C62 > |8D85 68FDFFFF lea eax, dword ptr [ebp-298]
00768C68 . |50 push eax
00768C69 . |B9 04000000 mov ecx, 4
00768C6E . |BA 01000000 mov edx, 1
00768C73 . |8B45 F4 mov eax, dword ptr [ebp-C]
00768C76 . |E8 A9BDC9FF call 00404A24
00768C7B . |FFB5 68FDFFFF push dword ptr [ebp-298]
00768C81 . |68 54957600 push 00769554 ; -
00768C86 . |8D85 64FDFFFF lea eax, dword ptr [ebp-29C]
00768C8C . |50 push eax
00768C8D . |B9 02000000 mov ecx, 2
00768C92 . |BA 05000000 mov edx, 5
00768C97 . |8B45 F4 mov eax, dword ptr [ebp-C]
00768C9A . |E8 85BDC9FF call 00404A24
00768C9F . |FFB5 64FDFFFF push dword ptr [ebp-29C]
00768CA5 . |68 54957600 push 00769554 ; -
00768CAA . |8D85 60FDFFFF lea eax, dword ptr [ebp-2A0]
00768CB0 . |50 push eax
00768CB1 . |B9 02000000 mov ecx, 2
00768CB6 . |BA 07000000 mov edx, 7
00768CBB . |8B45 F4 mov eax, dword ptr [ebp-C]
00768CBE . |E8 61BDC9FF call 00404A24
00768CC3 . |FFB5 60FDFFFF push dword ptr [ebp-2A0]
00768CC9 . |8D45 F0 lea eax, dword ptr [ebp-10]
00768CCC . |BA 05000000 mov edx, 5
00768CD1 . |E8 AEBBC9FF call 00404884
00768CD6 . |8B45 F0 mov eax, dword ptr [ebp-10]
00768CD9 . |E8 D242CAFF call 0040CFB0
00768CDE . |DD9D CCFDFFFF fstp qword ptr [ebp-234]
00768CE4 . |9B wait
00768CE5 . |E8 D22CCAFF call 0040B9BC
00768CEA . |DCA5 CCFDFFFF fsub qword ptr [ebp-234]
00768CF0 . |D81D 58957600 fcomp dword ptr [769558]
00768CF6 . |DFE0 fstsw ax
00768CF8 . |9E sahf
00768CF9 . |0F87 A3000000 ja 00768DA2
00768CFF . |8B45 F0 mov eax, dword ptr [ebp-10]
00768D02 . |E8 A942CAFF call 0040CFB0
00768D07 . |DD9D 58FDFFFF fstp qword ptr [ebp-2A8]
00768D0D . |9B wait
00768D0E . |E8 A92CCAFF call 0040B9BC
00768D13 . |DCA5 58FDFFFF fsub qword ptr [ebp-2A8]
00768D19 . |D81D 5C957600 fcomp dword ptr [76955C]
00768D1F . |DFE0 fstsw ax
00768D21 . |9E sahf
00768D22 . |72 7E jb short 00768DA2
00768D24 . |8D85 54FDFFFF lea eax, dword ptr [ebp-2AC]
00768D2A . |50 push eax
00768D2B . |E8 8C2CCAFF call 0040B9BC
00768D30 . |83C4 F8 add esp, -8
00768D33 . |DD1C24 fstp qword ptr [esp]
00768D36 . |9B wait
00768D37 . |8D85 50FDFFFF lea eax, dword ptr [ebp-2B0]
00768D3D . |E8 1E3ACAFF call 0040C760
00768D42 . |8B85 50FDFFFF mov eax, dword ptr [ebp-2B0]
00768D48 . |E8 6342CAFF call 0040CFB0
00768D4D . |DD9D 58FDFFFF fstp qword ptr [ebp-2A8]
00768D53 . |9B wait
00768D54 . |8B45 F0 mov eax, dword ptr [ebp-10]
00768D57 . |E8 5442CAFF call 0040CFB0
00768D5C . |DCAD 58FDFFFF fsubr qword ptr [ebp-2A8]
00768D62 . |DBBD 44FDFFFF fstp tbyte ptr [ebp-2BC]
00768D68 . |9B wait
00768D69 . |8D85 44FDFFFF lea eax, dword ptr [ebp-2BC]
00768D6F . |8985 CCFDFFFF mov dword ptr [ebp-234], eax
00768D75 . |C685 D0FDFFFF>mov byte ptr [ebp-230], 3
00768D7C . |8D95 CCFDFFFF lea edx, dword ptr [ebp-234]
00768D82 . |33C9 xor ecx, ecx
00768D84 . |B8 68957600 mov eax, 00769568 ; %2.0f
00768D89 . |E8 AA19CAFF call 0040A738
00768D8E . |8B85 54FDFFFF mov eax, dword ptr [ebp-2AC]
00768D94 . |E8 730BCAFF call 0040990C
00768D99 . |BE 3C000000 mov esi, 3C
00768D9E . |2BF0 sub esi, eax
00768DA0 . |EB 02 jmp short 00768DA4
00768DA2 > |33F6 xor esi, esi
00768DA4 > |85F6 test esi, esi
00768DA6 . |7E 54 jle short 00768DFC
00768DA8 . |83FE 0F cmp esi, 0F
00768DAB . |7D 4F jge short 00768DFC
00768DAD . |6A 40 push 40
00768DAF . |68 78957600 push 00769578 ; 软件还有
00768DB4 . |8D95 3CFDFFFF lea edx, dword ptr [ebp-2C4]
00768DBA . |8BC6 mov eax, esi
00768DBC . |E8 0F0ACAFF call 004097D0
00768DC1 . |FFB5 3CFDFFFF push dword ptr [ebp-2C4]
00768DC7 . |68 8C957600 push 0076958C ; 天可用!
00768DCC . |8D85 40FDFFFF lea eax, dword ptr [ebp-2C0]
00768DD2 . |BA 03000000 mov edx, 3
00768DD7 . |E8 A8BAC9FF call 00404884
00768DDC . |8B85 40FDFFFF mov eax, dword ptr [ebp-2C0]
00768DE2 . |E8 DDBBC9FF call 004049C4
00768DE7 . |8BD0 mov edx, eax
00768DE9 . |B9 30957600 mov ecx, 00769530 ; 提示
00768DEE . |A1 30487700 mov eax, dword ptr [774830]
00768DF3 . |8B00 mov eax, dword ptr [eax]
00768DF5 . |E8 6279D3FF call 004A075C
00768DFA . |EB 4D jmp short 00768E49
00768DFC > |83FE 1E cmp esi, 1E
00768DFF . |7C 1A jl short 00768E1B
00768E01 . |6A 40 push 40
00768E03 . |B9 30957600 mov ecx, 00769530 ; 提示
00768E08 . |BA 98957600 mov edx, 00769598 ; 请注册使用本软件!
00768E0D . |A1 30487700 mov eax, dword ptr [774830]
00768E12 . |8B00 mov eax, dword ptr [eax]
00768E14 . |E8 4379D3FF call 004A075C
00768E19 . |EB 2E jmp short 00768E49
00768E1B > |6A 40 push 40
00768E1D . |B9 30957600 mov ecx, 00769530 ; 提示
00768E22 . |BA AC957600 mov edx, 007695AC ; 软件试用期已过!如想继续使用,请与供应商联系
00768E27 . |A1 30487700 mov eax, dword ptr [774830]
00768E2C . |8B00 mov eax, dword ptr [eax]
00768E2E . |E8 2979D3FF call 004A075C
00768E33 . |A1 30487700 mov eax, dword ptr [774830]
00768E38 . |8B00 mov eax, dword ptr [eax]
00768E3A . |E8 7978D3FF call 004A06B8
00768E3F . |EB 08 jmp short 00768E49
00768E41 > |A1 D8417700 mov eax, dword ptr [7741D8]
00768E46 . |C600 01 mov byte ptr [eax], 1
00768E49 > |8B0D EC427700 mov ecx, dword ptr [7742EC] ; DrugMIS.007760D0
00768E4F . |8B09 mov ecx, dword ptr [ecx]
00768E51 . |A1 244D7700 mov eax, dword ptr [774D24]
00768E56 . |BA F0957600 mov edx, 007695F0 ; 一舟药店通_
00768E5B . |E8 B0B9C9FF call 00404810
00768E60 . |A1 D8417700 mov eax, dword ptr [7741D8]
00768E65 . |8038 00 cmp byte ptr [eax], 0
00768E68 . |75 14 jnz short 00768E7E
00768E6A . |A1 244D7700 mov eax, dword ptr [774D24]
00768E6F . |BA 04967600 mov edx, 00769604 ; (试用版)
00768E74 . |E8 53B9C9FF call 004047CC
00768E79 . |A1 244D7700 mov eax, dword ptr [774D24]
00768E7E > |A1 B44C7700 mov eax, dword ptr [774CB4]
00768E83 . |8038 00 cmp byte ptr [eax], 0
00768E86 . |74 14 je short 00768E9C
00768E88 . |A1 244D7700 mov eax, dword ptr [774D24]
00768E8D . |BA 18967600 mov edx, 00769618 ; _客户端
00768E92 . |E8 35B9C9FF call 004047CC
00768E97 . |A1 244D7700 mov eax, dword ptr [774D24]
00768E9C > |8B15 244D7700 mov edx, dword ptr [774D24] ; DrugMIS.007760E0
00768EA2 . |8B12 mov edx, dword ptr [edx]
00768EA4 . |A1 54338F00 mov eax, dword ptr [8F3354]
00768EA9 . |E8 5668D1FF call 0047F704
00768EAE . |8D95 34FDFFFF lea edx, dword ptr [ebp-2CC]
00768EB4 . |A1 30487700 mov eax, dword ptr [774830]
00768EB9 . |8B00 mov eax, dword ptr [eax]
00768EBB . |E8 1C7DD3FF call 004A0BDC
00768EC0 . |8B85 34FDFFFF mov eax, dword ptr [ebp-2CC]
00768EC6 . |8D95 38FDFFFF lea edx, dword ptr [ebp-2C8]
00768ECC . |E8 AB0FCAFF call 00409E7C
00768ED1 . |8D85 38FDFFFF lea eax, dword ptr [ebp-2C8]
00768ED7 . |BA 28967600 mov edx, 00769628 ; image.jpg
00768EDC . |E8 EBB8C9FF call 004047CC
00768EE1 . |8B95 38FDFFFF mov edx, dword ptr [ebp-2C8]
00768EE7 . |8B45 FC mov eax, dword ptr [ebp-4]
00768EEA . |8B80 98030000 mov eax, dword ptr [eax+398]
00768EF0 . |8B80 68010000 mov eax, dword ptr [eax+168]
00768EF6 . |E8 1D5DCCFF call 0042EC18
00768EFB . |A1 84467700 mov eax, dword ptr [774684]
00768F00 . |C600 00 mov byte ptr [eax], 0
00768F03 . |8D8D 30FDFFFF lea ecx, dword ptr [ebp-2D0]
00768F09 . |BA 3C967600 mov edx, 0076963C ; com
00768F0E . |B8 48967600 mov eax, 00769648 ; display
00768F13 . |E8 5CA9DDFF call 00543874
00768F18 . |8B85 30FDFFFF mov eax, dword ptr [ebp-2D0]
00768F1E . |BA 58967600 mov edx, 00769658 ; null
00768F23 . |E8 E8B9C9FF call 00404910
00768F28 . |0F84 FE000000 je 0076902C
00768F2E . |6A 01 push 1
00768F30 . |B9 3C967600 mov ecx, 0076963C ; com
00768F35 . |BA 48967600 mov edx, 00769648 ; display
00768F3A . |8BC3 mov eax, ebx
00768F3C . |8B30 mov esi, dword ptr [eax]
00768F3E . |FF56 08 call dword ptr [esi+8]
00768F41 . |8BF0 mov esi, eax
00768F43 . |68 60090000 push 960
00768F48 . |B9 68967600 mov ecx, 00769668 ; rate
00768F4D . |BA 48967600 mov edx, 00769648 ; display
00768F52 . |8BC3 mov eax, ebx
00768F54 . |8B18 mov ebx, dword ptr [eax]
00768F56 . |FF53 08 call dword ptr [ebx+8]
00768F59 . |33D2 xor edx, edx
00768F5B . |55 push ebp
00768F5C . |68 7A8F7600 push 00768F7A
00768F61 . |64:FF32 push dword ptr fs:[edx]
00768F64 . |64:8922 mov dword ptr fs:[edx], esp
00768F67 . |8BD0 mov edx, eax
00768F69 . |8BC6 mov eax, esi
00768F6B . |E8 78F3EBFF call 006282E8
00768F70 . |33C0 xor eax, eax
00768F72 . |5A pop edx
00768F73 . |59 pop ecx
00768F74 . |59 pop ecx
00768F75 . |64:8910 mov dword ptr fs:[eax], edx
00768F78 . |EB 22 jmp short 00768F9C
00768F7A .^|E9 F5ABC9FF jmp 00403B74
00768F7F . |6A 30 push 30
00768F81 . |B9 30957600 mov ecx, 00769530 ; 提示
00768F86 . |BA 70967600 mov edx, 00769670 ; 打开端口失败!
00768F8B . |A1 30487700 mov eax, dword ptr [774830]
00768F90 . |8B00 mov eax, dword ptr [eax]
00768F92 . |E8 C577D3FF call 004A075C
00768F97 . |E8 04B0C9FF call 00403FA0
00768F9C > |8D8D 2CFDFFFF lea ecx, dword ptr [ebp-2D4]
00768FA2 . |BA 88967600 mov edx, 00769688 ; location
00768FA7 . |B8 9C967600 mov eax, 0076969C ; userlocation
00768FAC . |E8 C3A8DDFF call 00543874
00768FB1 . |8B95 2CFDFFFF mov edx, dword ptr [ebp-2D4]
00768FB7 . |A1 1C447700 mov eax, dword ptr [77441C]
00768FBC . |E8 97B5C9FF call 00404558
00768FC1 . |A1 1C447700 mov eax, dword ptr [77441C]
00768FC6 . |8B00 mov eax, dword ptr [eax]
00768FC8 . |BA B4967600 mov edx, 007696B4 ; jiaxing
00768FCD . |E8 3EB9C9FF call 00404910
00768FD2 . |75 22 jnz short 00768FF6
00768FD4 . |8B45 FC mov eax, dword ptr [ebp-4]
00768FD7 . |8B80 B4040000 mov eax, dword ptr [eax+4B4]
00768FDD . |B2 01 mov dl, 1
00768FDF . |E8 988BD2FF call 00491B7C
00768FE4 . |8B45 FC mov eax, dword ptr [ebp-4]
00768FE7 . |8B80 B8040000 mov eax, dword ptr [eax+4B8]
00768FED . |B2 01 mov dl, 1
00768FEF . |E8 888BD2FF call 00491B7C
00768FF4 . |EB 36 jmp short 0076902C
00768FF6 > |8B45 FC mov eax, dword ptr [ebp-4]
00768FF9 . |8B80 B4040000 mov eax, dword ptr [eax+4B4]
00768FFF . |33D2 xor edx, edx
00769001 . |E8 768BD2FF call 00491B7C
00769006 . |8B45 FC mov eax, dword ptr [ebp-4]
00769009 . |8B80 B8040000 mov eax, dword ptr [eax+4B8]
0076900F . |33D2 xor edx, edx
00769011 . |E8 668BD2FF call 00491B7C
00769016 . |EB 14 jmp short 0076902C
00769018 > \B8 C4967600 mov eax, 007696C4 ; 加密狗内容错误,请检查
0076901D . |E8 0E3BCDFF call 0043CB30
00769022 . |A1 54338F00 mov eax, dword ptr [8F3354]
00769027 . |E8 F83BD3FF call 0049CC24
0076902C > \33C0 xor eax, eax
When at 00769018, you can see it was jumped to from the first line above:
007684D2 . /0F85 400B0000 jnz 00769018 is where it comes from!
I originally planned to just change the JNZ to JZ, but on reflection that was not right, because further down there are ASCII prompts about how many trial days are left, so I decided against that. Sixth line from the bottom, there it is, another jump, and it happens to be inside the block above; in other words,
00769016 can skip right over the dongle check, heh, so we can pass straight through!
So on the first line, assemble directly: 007684D2 . /0F85 400B0000 jnz 00769018
into 007684D2 . /0F85 400B0000 jnz 00769016
Save, then go in and try it!!
OK, success: the login window appears.
Logged in with the user from the manual, tried the various functions, all usable, OK.
That's the end.
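The listing above also shows what the patched-out branch was protecting: the loop at 00768AA4-00768ACF (and again at 00768C35-00768C60) XORs each byte of the "encrypt" value with (i*i) mod 10 + 0x66, the result is written with `update versioninfo set content='...' where name='encrypt'`, and on the way back the decoded string is cut into substr(1,4)-substr(5,2)-substr(7,2), i.e. a YYYYMMDD date, before the 60-day (3C) arithmetic and the three prompts. The following is an added example reconstructing that transform in Python; it is my reading of the disassembly, not code from the post or the vendor, and the sample dates are constructed. The branch thresholds below are transcribed literally from the jumps at 00768DA4-00768E3F; the float constants at 769558/76955C used in the date comparison are not visible on the page, so the elapsed-day count is taken as an input rather than recomputed.

```python
# Added example: reconstruction of DrugMIS's trial-stamp transform as read from
# the OllyDbg listing (not the original post's code, not vendor code).

def drugmis_xor(data: bytes) -> bytes:
    """Loop at 00768AA4: for the i-th byte (1-based) key = (i*i) % 10 + 0x66,
    byte ^= key. XOR is its own inverse, so this both encodes and decodes."""
    out = bytearray(len(data))
    for i, b in enumerate(data, start=1):
        key = (i * i) % 10 + 0x66          # imul esi / cdq / idiv 0Ah / add edx,66h
        out[i - 1] = (b ^ key) & 0xFF      # only dl is stored back
    return bytes(out)


def encode_trial_date(date_str: str) -> bytes:
    """'YYYY-MM-DD' -> obfuscated 'YYYYMMDD' as stored under name='encrypt'."""
    y, m, d = date_str.split("-")
    if len(y) != 4 or len(m) != 2 or len(d) != 2:
        raise ValueError("expected YYYY-MM-DD")
    return drugmis_xor(f"{y}{m}{d}".encode("ascii"))


def decode_trial_date(stored: bytes) -> str:
    """Reverse of the above; slicing mirrors 00768C69-00768CC3
    (substr(1,4) + '-' + substr(5,2) + '-' + substr(7,2))."""
    plain = drugmis_xor(stored).decode("ascii", errors="replace")
    if len(plain) < 8 or not plain[:8].isdigit():
        raise ValueError("decoded stamp is not a YYYYMMDD date")
    return f"{plain[0:4]}-{plain[4:6]}-{plain[6:8]}"


def trial_status(days_elapsed: int) -> str:
    """Branching at 00768D99-00768E3F: esi = 0x3C - days_elapsed, then
    0 < esi < 15 -> 'N days left'; esi >= 30 -> 'please register';
    everything else (including 15..29 as the jumps are written) -> 'expired'."""
    remaining = 0x3C - days_elapsed
    if 0 < remaining < 0x0F:
        return f"{remaining} days left"          # 软件还有 N 天可用!
    if remaining >= 0x1E:
        return "please register"                 # 请注册使用本软件!
    return "expired"                             # 软件试用期已过! (then halt)
```

Because the transform is position-keyed XOR with a fixed table, knowing one plaintext/ciphertext pair reveals the key for every position; the only thing stopping a user from rewriting the stored date is that the key schedule lives in the binary, which the dongle check was meant to guard.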
(Summary: when you see a jump, don't rush to invert the flow; look at the related jumps before it, and only then can you find the key jump. In this example, the last one is the key jump! When a CALL appears, look carefully all around it.)
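Two kinds of byte patch were made above: flipping a short je (74 xx) into jne (75 xx) at the five dongle prompts, and retargeting the near jnz at 007684D2 from 00769018 to 00769016. OD recomputes the displacement when you assemble, which is why the line quoted above still shows the old bytes 400B0000 next to the new target; the actual new encoding is 0F85 3E0B0000. The block below is an added example, not code from the post, that does the same arithmetic on constructed byte buffers copied from the listing lines, so a reader can check the encodings without the binary. It works on virtual addresses; to patch the file on disk you still have to map VA to file offset through the PE section table, which OD's "copy to executable" does for you.

```python
# Added example (not from the original post): encoding the two patch types used
# above. Buffers are constructed from bytes quoted in the OD listing.

JCC_SHORT = {0x74: 0x75, 0x75: 0x74}   # je <-> jne, short form (rel8)
JCC_NEAR = {0x84: 0x85, 0x85: 0x84}    # 0F 84 je <-> 0F 85 jne, near form (rel32)

# Bytes at 006B3E0C from the listing: 74 1B (je short 006B3E29), then mov eax,...
DONGLE_JE = bytes.fromhex("741bb880406b00")
DONGLE_JE_VA = 0x006B3E0C
# Bytes at 007684D2: 0F 85 40 0B 00 00 (jnz 00769018), then mov eax,[8F335C]
KEY_JNZ = bytes.fromhex("0f85400b0000a15c338f00")
KEY_JNZ_VA = 0x007684D2


def short_jcc_target(buf: bytes, base_va: int, insn_va: int) -> int:
    """Target of a 2-byte Jcc: next_ip + sign-extended rel8."""
    off = insn_va - base_va
    if buf[off] not in JCC_SHORT:
        raise ValueError(f"no short je/jne at {insn_va:08X}")
    rel8 = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
    return insn_va + 2 + rel8


def invert_short_jcc(buf: bytes, base_va: int, insn_va: int) -> bytes:
    """je -> jne (or back) by flipping the low opcode bit; rel8 is unchanged."""
    off = insn_va - base_va
    out = bytearray(buf)
    out[off] = JCC_SHORT[out[off]]     # KeyError if it is not 74/75
    return bytes(out)


def near_jcc_target(buf: bytes, base_va: int, insn_va: int) -> int:
    """Target of a 6-byte 0F 8x Jcc: next_ip + signed rel32."""
    off = insn_va - base_va
    if buf[off] != 0x0F or buf[off + 1] not in JCC_NEAR:
        raise ValueError(f"no near je/jne at {insn_va:08X}")
    rel32 = int.from_bytes(buf[off + 2:off + 6], "little", signed=True)
    return insn_va + 6 + rel32


def retarget_near_jcc(buf: bytes, base_va: int, insn_va: int, new_target: int) -> bytes:
    """Keep the condition, rewrite rel32 so the jump lands on new_target."""
    off = insn_va - base_va
    if buf[off] != 0x0F or buf[off + 1] not in JCC_NEAR:
        raise ValueError(f"no near je/jne at {insn_va:08X}")
    rel32 = new_target - (insn_va + 6)
    if not -(1 << 31) <= rel32 < (1 << 31):
        raise ValueError("target out of rel32 range")
    out = bytearray(buf)
    out[off + 2:off + 6] = rel32.to_bytes(4, "little", signed=True)
    return bytes(out)


def patch_as_in_post() -> tuple[bytes, bytes]:
    """Both patches from the write-up applied to the constructed buffers."""
    dongle = invert_short_jcc(DONGLE_JE, DONGLE_JE_VA, DONGLE_JE_VA)
    key = retarget_near_jcc(KEY_JNZ, KEY_JNZ_VA, KEY_JNZ_VA, 0x00769016)
    return dongle, key
```

Decoding the original bytes first (the `*_target` helpers) is the habit worth keeping: it confirms the buffer really is the instruction you think it is before a single byte is changed, which is exactly the mistake the author describes when one of the five sites was missed.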
(Things are busy at work, so I couldn't finish writing it all in one go before posting; please be patient, classmates, and I'll work overtime at home tonight and upload the rest. I have to go out, so I'll stop here and continue tonight.)