I came across a piece of software. After static disassembly I could only find the registration-failure message, and it looked as if the program never actually reached that spot, so that was not the key point, but I just could not find a place to start. I loaded and ran it in OD (OllyDbg) with BPX MessageBoxA; after the breakpoint hit, the code was as follows:
:00495824 55 push ebp
:00495825 8BEC mov ebp, esp
:00495827 83C4B0 add esp, FFFFFFB0
:0049582A 53 push ebx
:0049582B 56 push esi
:0049582C 57 push edi
:0049582D 8BF9 mov edi, ecx
:0049582F 8BF2 mov esi, edx
:00495831 8945FC mov dword ptr [ebp-04], eax
:00495834 8B5D08 mov ebx, dword ptr [ebp+08]
* Reference To: USER32.GetActiveWindow, Ord:0000h |
:00495837 E838F80600 Call 00505074
:0049583C 8945F4 mov dword ptr [ebp-0C], eax
:0049583F 6A02 push 00000002
:00495841 8B45F4 mov eax, dword ptr [ebp-0C]
:00495844 50 push eax
:00495845 A1F0015500 mov eax, dword ptr [005501F0]
:0049584A 8B00 mov eax, dword ptr [eax]
:0049584C FFD0 call eax (MonitorFromWindow)
:0049584E 8945EC mov dword ptr [ebp-14], eax
:00495851 6A02 push 00000002
:00495853 8B45FC mov eax, dword ptr [ebp-04]
:00495856 8B4024 mov eax, dword ptr [eax+24]
:00495859 50 push eax
:0049585A A1F0015500 mov eax, dword ptr [005501F0]
:0049585F 8B00 mov eax, dword ptr [eax]
:00495861 FFD0 call eax (MonitorFromWindow)
:00495863 8945E8 mov dword ptr [ebp-18], eax
:00495866 8B45EC mov eax, dword ptr [ebp-14]
:00495869 3B45E8 cmp eax, dword ptr [ebp-18]
:0049586C 7460 je 004958CE (jump taken)
:0049586E C745C028000000 mov [ebp-40], 00000028
:00495875 8D45C0 lea eax, dword ptr [ebp-40]
:00495878 50 push eax
:00495879 8B45EC mov eax, dword ptr [ebp-14]
:0049587C 50 push eax
:0049587D A1F4015500 mov eax, dword ptr [005501F4]
:00495882 8B00 mov eax, dword ptr [eax]
:00495884 FFD0 call eax
:00495886 8D45B0 lea eax, dword ptr [ebp-50]
:00495889 50 push eax
:0049588A 8B45FC mov eax, dword ptr [ebp-04]
:0049588D 8B4024 mov eax, dword ptr [eax+24]
:00495890 50 push eax
* Reference To: USER32.GetWindowRect, Ord:0000h |
:00495891 E8ECF80600 Call 00505182
:00495896 6A1D push 0000001D
:00495898 6A00 push 00000000
:0049589A 6A00 push 00000000
:0049589C 8B4DD0 mov ecx, dword ptr [ebp-30]
:0049589F 8B55C8 mov edx, dword ptr [ebp-38]
:004958A2 2BCA sub ecx, edx
:004958A4 D1F9 sar ecx, 1
:004958A6 7903 jns 004958AB
:004958A8 83D100 adc ecx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004958A6(C)|
:004958AB 03CA add ecx, edx
:004958AD 51 push ecx
:004958AE 8B55CC mov edx, dword ptr [ebp-34]
:004958B1 8B45C4 mov eax, dword ptr [ebp-3C]
:004958B4 2BD0 sub edx, eax
:004958B6 D1FA sar edx, 1
:004958B8 7903 jns 004958BD
:004958BA 83D200 adc edx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004958B8(C)|
:004958BD 03D0 add edx, eax
:004958BF 52 push edx
:004958C0 6A00 push 00000000
:004958C2 8B45FC mov eax, dword ptr [ebp-04]
:004958C5 8B4024 mov eax, dword ptr [eax+24]
:004958C8 50 push eax
* Reference To: USER32.SetWindowPos, Ord:0000h |
:004958C9 E840FA0600 Call 0050530E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049586C(C)|
:004958CE 33C0 xor eax, eax
:004958D0 E8DF6FFFFF call 0048C8B4
:004958D5 8945F0 mov dword ptr [ebp-10], eax
:004958D8 8B45FC mov eax, dword ptr [ebp-04]
:004958DB E884EFFFFF call 00494864
:004958E0 84C0 test al, al
:004958E2 7406 je 004958EA (jump taken)
:004958E4 81CB00001000 or ebx, 00100000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004958E2(C)|
:004958EA 33C9 xor ecx, ecx
:004958EC 55 push ebp
:004958ED 6869594900 push 00495969
:004958F2 64FF31 push dword ptr fs:[ecx]
:004958F5 648921 mov dword ptr fs:[ecx], esp
:004958F8 53 push ebx
:004958F9 57 push edi
:004958FA 56 push esi
:004958FB 8B45FC mov eax, dword ptr [ebp-04]
:004958FE 8B4024 mov eax, dword ptr [eax+24]
:00495901 50 push eax
* Reference To: USER32.MessageBoxA, Ord:0000h |
:00495902 E81DF90600 Call 00505224 (shows the registration-error message)
This segment is reached by a JMP from somewhere else, and I cannot find anything suspicious at that place, so I do not know how to trace any further back. Moreover, once the program is loaded and running, OD can no longer be operated, and I have to terminate the process to get out.
I tried TRW2000's HMEMCPY, but I was not able to trace manually to this spot (no patience). I once read an article saying that cracking is patience plus luck; maybe that is right, but I think knowledge matters more. I have none of the three, at least not for this piece of software. If anyone is interested, please help me.