[Help] FlexLM 11.6: failed to find the seed
Posted on: 2012-2-7 22:37
I have recently been working on a certain piece of software that uses FlexLM 11.6. Following the posts by the experts on this forum, I ended up using laoqian's method: locate 0x6f7330b8, then set a breakpoint at 01A0DB7F. But the license I generate is always wrong.
My question now is that in OllyDbg I found the CALL at 01A0DB7F takes four args, which seems to differ from the classic l_sg with three parameters. I don't know where I went wrong, and I hope an expert can advise.
l_sg(
LM_HANDLE * job,
char * vendor_id,
VENDORCODE * key) /*- l_sg means "signature vendor_key5" */
{
CPU Disasm
Address Hex dump Command Comments
01A0DAD8 /$ 55 PUSH EBP ; libSecurity.01A0DAD8(guessed Arg1,Arg2,Arg3)
01A0DAD9 |. 8BEC MOV EBP,ESP
01A0DADB |. 83EC 24 SUB ESP,24
01A0DADE |. C645 EC 00 MOV BYTE PTR SS:[EBP-14],0
01A0DAE2 |. 33C0 XOR EAX,EAX
01A0DAE4 |. 66:8945 ED MOV WORD PTR SS:[EBP-13],AX
01A0DAE8 |. 8845 EF MOV BYTE PTR SS:[EBP-11],AL
01A0DAEB |. C745 F4 B8307 MOV DWORD PTR SS:[EBP-0C],6F7330B8
01A0DAF2 |. C745 FC 00000 MOV DWORD PTR SS:[EBP-4],0
01A0DAF9 |. C745 F8 00000 MOV DWORD PTR SS:[EBP-8],0
01A0DB00 |. C745 F0 03000 MOV DWORD PTR SS:[EBP-10],3
01A0DB07 |. 68 00100000 PUSH 1000 ; /Arg2 = 1000
01A0DB0C |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
01A0DB0F |. 51 PUSH ECX ; |Arg1
01A0DB10 |. E8 68B60000 CALL 01A1917D ; \libSecurity.01A1917D
01A0DB15 |. 83C4 08 ADD ESP,8
01A0DB18 |. 85C0 TEST EAX,EAX
01A0DB1A |.- 74 52 JE SHORT 01A0DB6E
01A0DB1C |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
01A0DB1F |. 8B82 9C010000 MOV EAX,DWORD PTR DS:[EDX+19C]
01A0DB25 |. 8B88 E81C0000 MOV ECX,DWORD PTR DS:[EAX+1CE8]
01A0DB2B |. 83B9 24050000 CMP DWORD PTR DS:[ECX+524],0
01A0DB32 |.- 74 3A JE SHORT 01A0DB6E
01A0DB34 |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
01A0DB37 |. 52 PUSH EDX
01A0DB38 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0C]
01A0DB3B |. 50 PUSH EAX
01A0DB3C |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
01A0DB3F |. 8B91 9C010000 MOV EDX,DWORD PTR DS:[ECX+19C]
01A0DB45 |. 8B82 E81C0000 MOV EAX,DWORD PTR DS:[EDX+1CE8]
01A0DB4B |. 05 28050000 ADD EAX,528
01A0DB50 |. 50 PUSH EAX
01A0DB51 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
01A0DB54 |. 8B91 9C010000 MOV EDX,DWORD PTR DS:[ECX+19C]
01A0DB5A |. 8B82 E81C0000 MOV EAX,DWORD PTR DS:[EDX+1CE8]
01A0DB60 |. FF90 24050000 CALL DWORD PTR DS:[EAX+524]
01A0DB66 |. 83C4 0C ADD ESP,0C
01A0DB69 |.- E9 13010000 JMP 01A0DC81
01A0DB6E |> 6A 04 PUSH 4 ; Arg4 = 4
01A0DB70 |. 8D4D DC LEA ECX,[EBP-24]
01A0DB73 |. 51 PUSH ECX ; Arg3
01A0DB74 |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
01A0DB77 |. 83C2 0C ADD EDX,0C
01A0DB7A |. 52 PUSH EDX ; Arg2
01A0DB7B |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0C]
01A0DB7E |. 50 PUSH EAX ; Arg1
01A0DB7F E8 CF750300 CALL 01A45153