【破解作者】 yijun
【作者邮箱】 yijun8354@sina.com
【使用工具】 DeDe,OD,peid
【破解平台】 Win9x/NT/2000/XP
【软件名称】 e族百变桌面7.33
【下载地址】 天空
【软件简介】 桌面美化工具!!!!!!!!!
【软件大小】 2.34M
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
用peid查壳可知该软件无壳,由Borland Delphi 6.0 - 7.0编写。因为该软件的注册方式不是直接弹出错误对话框,
OD插件也没找到什么有价值的信息,所以决定用DeDe试试^-^
因为该软件认证方式是点“下一步”来确认,而在DeDe中又找到“bnNextClick”和“bnPrevClick”字样,所以
判断关键在“bnNextClick”里,具体分析如下^-^
005AD508 /. 55
push ebp //在此下断
005AD509 |. 8BEC
mov ebp,
esp
005AD50B |. 33C9
xor ecx,
ecx
005AD50D |. 51
push ecx
005AD50E |. 51
push ecx
005AD50F |. 51
push ecx
005AD510 |. 51
push ecx
005AD511 |. 51
push ecx
005AD512 |. 51
push ecx
005AD513 |. 53
push ebx
005AD514 |. 8BD8
mov ebx,
eax ; EAX=134FB58送EBX
005AD516 |. 33C0
xor eax,
eax ; EAX清0
005AD518 |. 55
push ebp
005AD519 |. 68 CDD65A00
push ePaper.005AD6CD
005AD51E |. 64:FF30
push dword ptr fs:[
eax]
005AD521 |. 64:8920
mov dword ptr fs:[
eax],
esp
005AD524 |. B2 01
mov dl,1
005AD526 |. 8B83 04030000
mov eax,
dword ptr ds:[
ebx+304]
005AD52C |. 8B08
mov ecx,
dword ptr ds:[
eax]
005AD52E |. FF51 64
call dword ptr ds:[
ecx+64]
005AD531 |. B2 01
mov dl,1
005AD533 |. 8B83 0C030000
mov eax,
dword ptr ds:[
ebx+30C]
005AD539 |. 8B08
mov ecx,
dword ptr ds:[
eax]
005AD53B |. FF51 64
call dword ptr ds:[
ecx+64]
005AD53E |. 8B83 C4030000
mov eax,
dword ptr ds:[
ebx+3C4]
005AD544 |. 48
dec eax ; Switch (cases 1..6)
005AD545 |. 74 11
je short ePaper.005AD558
005AD547 |. 48
dec eax
005AD548 |. 74 64
je short ePaper.005AD5AE
005AD54A |. 83E8 04
sub eax,4
005AD54D |. 0F84 D0000000
je ePaper.005AD623
005AD553 |. E9 3A010000
jmp ePaper.005AD692
005AD558 |> 8B83 38030000
mov eax,
dword ptr ds:[
ebx+338]
; Case 1 of switch 005AD544
005AD55E |. 8B10
mov edx,
dword ptr ds:[
eax]
005AD560 |. FF92 C8000000
call dword ptr ds:[
edx+C8]
005AD566 |. 84C0
test al,
al
005AD568 |. 74 2E
je short ePaper.005AD598
005AD56A |. FFB3 BC030000
push dword ptr ds:[
ebx+3BC]
; /Arg2
005AD570 |. FFB3 B8030000
push dword ptr ds:[
ebx+3B8]
; |Arg1
005AD576 |. 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
; |
005AD579 |. E8 EEC9E5FF
call ePaper.00409F6C
; \ePaper.00409F6C
005AD57E |. 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
005AD581 |. 8B83 1C030000
mov eax,
dword ptr ds:[
ebx+31C]
005AD587 |. E8 A408EDFF
call ePaper.0047DE30
005AD58C |. C783 C4030000>
mov dword ptr ds:[
ebx+3C4],2
005AD596 |. EB 0A
jmp short ePaper.005AD5A2
005AD598 |> C783 C4030000>
mov dword ptr ds:[
ebx+3C4],6
005AD5A2 |> 8BC3
mov eax,
ebx
005AD5A4 |. E8 33FCFFFF
call ePaper.005AD1DC
005AD5A9 |. E9 E4000000
jmp ePaper.005AD692
005AD5AE |> 8D55 F8
lea edx,
dword ptr ss:[
ebp-8]
; Case 2 of switch 005AD544
005AD5B1 |. 8B83 20030000
mov eax,
dword ptr ds:[
ebx+320]
005AD5B7 |. E8 4408EDFF
call ePaper.0047DE00
; 取假码,长度送EAX
005AD5BC |. 837D F8 00
cmp dword ptr ss:[
ebp-8],0
; 和0比较
005AD5C0 |. 75 0C
jnz short ePaper.005AD5CE
; 不为空就跳
005AD5C2 |. C783 C4030000>
mov dword ptr ds:[
ebx+3C4],5
005AD5CC |. EB 07
jmp short ePaper.005AD5D5
005AD5CE |> 8BC3
mov eax,
ebx ; EBX=134FB58送EAX
005AD5D0 |. E8 EBFDFFFF
call ePaper.005AD3C0
; 跟进
005AD5D5 |> 83BB C4030000>
cmp dword ptr ds:[
ebx+3C4],5
005AD5DC |. 75 22
jnz short ePaper.005AD600
005AD5DE |. 8D4D F4
lea ecx,
dword ptr ss:[
ebp-C]
005AD5E1 |. A1 7C125E00
mov eax,
dword ptr ds:[5E127C]
005AD5E6 |. 8B00
mov eax,
dword ptr ds:[
eax]
005AD5E8 |. BA E4D65A00
mov edx,ePaper.005AD6E4
; ASCII "RegCodeErr"
005AD5ED |. E8 9E3CE7FF
call ePaper.00421290
005AD5F2 |. 8B55 F4
mov edx,
dword ptr ss:[
ebp-C]
005AD5F5 |. 8B83 70030000
mov eax,
dword ptr ds:[
ebx+370]
005AD5FB |. E8 3008EDFF
call ePaper.0047DE30
005AD600 |> 33D2
xor edx,
edx
005AD602 |. 8B83 04030000
mov eax,
dword ptr ds:[
ebx+304]
005AD608 |. 8B08
mov ecx,
dword ptr ds:[
eax]
005AD60A |. FF51 64
call dword ptr ds:[
ecx+64]
005AD60D |. 33D2
xor edx,
edx
005AD60F |. 8B83 0C030000
mov eax,
dword ptr ds:[
ebx+30C]
005AD615 |. 8B08
mov ecx,
dword ptr ds:[
eax]
=========================================================================================================
跟进005AD5D0处CALL来到:
005AD3C0 $ 55
push ebp
005AD3C1 . 8BEC
mov ebp,
esp
005AD3C3 . 83C4 E4
add esp,-1C
005AD3C6 . 53
push ebx
005AD3C7 . 56
push esi
005AD3C8 . 57
push edi
005AD3C9 . 33D2
xor edx,
edx
005AD3CB . 8955 E4
mov dword ptr ss:[
ebp-1C],
edx ; [ebp-1c]=0
005AD3CE . 8955 E8
mov dword ptr ss:[
ebp-18],
edx ; [ebp-18]=0
005AD3D1 . 8955 EC
mov dword ptr ss:[
ebp-14],
edx ; [ebp-14]=0
005AD3D4 . 8945 FC
mov dword ptr ss:[
ebp-4],
eax ; EAX=134FB58送[ebp-4]
005AD3D7 . 33C0
xor eax,
eax ; EAX清0
005AD3D9 . 55
push ebp
005AD3DA . 68 E4D45A00
push ePaper.005AD4E4
005AD3DF . 64:FF30
push dword ptr fs:[
eax]
005AD3E2 . 64:8920
mov dword ptr fs:[
eax],
esp
005AD3E5 . 33C0
xor eax,
eax
005AD3E7 . 55
push ebp
005AD3E8 . 68 AAD45A00
push ePaper.005AD4AA
005AD3ED . 64:FF30
push dword ptr fs:[
eax]
005AD3F0 . 64:8920
mov dword ptr fs:[
eax],
esp
005AD3F3 . 8D55 EC
lea edx,
dword ptr ss:[
ebp-14]
; [ebp-14]地址送EDX
005AD3F6 . 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
; [ebp-4]=134FB58送EAX
005AD3F9 . 8B80 20030000
mov eax,
dword ptr ds:[
eax+320]
; [eax+320]=135B4E8送EAX
005AD3FF . E8 FC09EDFF
call ePaper.0047DE00
; 计算假码长度
005AD404 . 8B45 EC
mov eax,
dword ptr ss:[
ebp-14]
; 假码送EAX
005AD407 . E8 24CCE5FF
call ePaper.0040A030
; 假码变为16进制
005AD40C . 8945 F0
mov dword ptr ss:[
ebp-10],
eax ; 假码16进制值送[ebp-10]
005AD40F . 8955 F4
mov dword ptr ss:[
ebp-C],
edx ; [ebp-C]=0
005AD412 . 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
; [ebp-4]送EAX
005AD415 . FFB0 BC030000
push dword ptr ds:[
eax+3BC]
005AD41B . FFB0 B8030000
push dword ptr ds:[
eax+3B8]
; 机器码16进制入栈
005AD421 . FF75 F4
push dword ptr ss:[
ebp-C]
005AD424 . FF75 F0
push dword ptr ss:[
ebp-10]
; 假码16进制入栈
005AD427 . B0 01
mov al,1
; AL=1
005AD429 . E8 B6D7F3FF
call ePaper.004EABE4
; 跟进
005AD42E . 8B15 840E5E00
mov edx,
dword ptr ds:[5E0E84]
; ePaper.005E2F64
005AD434 . 8802
mov byte ptr ds:[
edx],
al
005AD436 . A1 840E5E00
mov eax,
dword ptr ds:[5E0E84]
005AD43B . 8038 00
cmp byte ptr ds:[
eax],0
005AD43E . 74 53
je short ePaper.005AD493
005AD440 . 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005AD443 . C780 C4030000>
mov dword ptr ds:[
eax+3C4],4
005AD44D . FF75 F4
push dword ptr ss:[
ebp-C]
; /Arg2
005AD450 . FF75 F0
push dword ptr ss:[
ebp-10]
; |Arg1
005AD453 . 8D45 E8
lea eax,
dword ptr ss:[
ebp-18]
; |
005AD456 . E8 11CBE5FF
call ePaper.00409F6C
; \ePaper.00409F6C
005AD45B . 8B55 E8
mov edx,
dword ptr ss:[
ebp-18]
005AD45E . 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005AD461 . 8B80 44030000
mov eax,
dword ptr ds:[
eax+344]
005AD467 . E8 C409EDFF
call ePaper.0047DE30
005AD46C . 8D4D E4
lea ecx,
dword ptr ss:[
ebp-1C]
005AD46F . A1 7C125E00
mov eax,
dword ptr ds:[5E127C]
005AD474 . 8B00
mov eax,
dword ptr ds:[
eax]
005AD476 . BA FCD45A00
mov edx,ePaper.005AD4FC
; ASCII "BuyClose"
005AD47B . E8 103EE7FF
call ePaper.00421290
005AD480 . 8B55 E4
mov edx,
dword ptr ss:[
ebp-1C]
005AD483 . 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005AD486 . 8B80 08030000
mov eax,
dword ptr ds:[
eax+308]
005AD48C . E8 9F09EDFF
call ePaper.0047DE30
005AD491 . EB 0D
jmp short ePaper.005AD4A0
005AD493 > 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005AD496 . C780 C4030000>
mov dword ptr ds:[
eax+3C4],5
005AD4A0 > 33C0
xor eax,
eax
005AD4A2 . 5A
pop edx
005AD4A3 . 59
pop ecx
005AD4A4 . 59
pop ecx
005AD4A5 . 64:8910
mov dword ptr fs:[
eax],
edx
005AD4A8 . EB 17
jmp short ePaper.005AD4C1
005AD4AA .^ E9 996DE5FF
jmp ePaper.00404248
005AD4AF . 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005AD4B2 . C780 C4030000>
mov dword ptr ds:[
eax+3C4],5
005AD4BC . E8 B371E5FF
call ePaper.00404674
005AD4C1 > 33C0
xor eax,
eax
005AD4C3 . 5A
pop edx
005AD4C4 . 59
pop ecx
005AD4C5 . 59
pop ecx
005AD4C6 . 64:8910
mov dword ptr fs:[
eax],
edx
005AD4C9 . 68 EBD45A00
push ePaper.005AD4EB
005AD4CE > 8D45 E4
lea eax,
dword ptr ss:[
ebp-1C]
005AD4D1 . BA 02000000
mov edx,2
005AD4D6 . E8 A577E5FF
call ePaper.00404C80
005AD4DB . 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
005AD4DE . E8 7977E5FF
call ePaper.00404C5C
005AD4E3 . C3
retn
005AD4E4 .^ E9 1370E5FF
jmp ePaper.004044FC
005AD4E9 .^ EB E3
jmp short ePaper.005AD4CE
005AD4EB . 5F
pop edi
005AD4EC . 5E
pop esi
005AD4ED . 5B
pop ebx
005AD4EE . 8BE5
mov esp,
ebp
005AD4F0 . 5D
pop ebp
005AD4F1 . C3
retn
*********************************************************************************************************
跟进005AD429处CALL来到:
004EABE4 /$ 55
push ebp
004EABE5 |. 8BEC
mov ebp,
esp
004EABE7 |. 83C4 F8
add esp,-8
004EABEA |. 53
push ebx
004EABEB |. 56
push esi
004EABEC |. 33D2
xor edx,
edx
004EABEE |. 8955 F8
mov dword ptr ss:[
ebp-8],
edx
004EABF1 |. 8845 FF
mov byte ptr ss:[
ebp-1],
al
004EABF4 |. 33C0
xor eax,
eax ; EAX清0
004EABF6 |. 55
push ebp
004EABF7 |. 68 7BAC4E00
push ePaper.004EAC7B
004EABFC |. 64:FF30
push dword ptr fs:[
eax]
004EABFF |. 64:8920
mov dword ptr fs:[
eax],
esp
004EAC02 |. 33DB
xor ebx,
ebx
004EAC04 |. FF75 14
push dword ptr ss:[
ebp+14]
004EAC07 |. FF75 10
push dword ptr ss:[
ebp+10]
004EAC0A |. E8 B1000000
call ePaper.004EACC0
; 跟进
004EAC0F |. 3B55 0C
cmp edx,
dword ptr ss:[
ebp+C]
004EAC12 |. 75 07
jnz short ePaper.004EAC1B
004EAC14 |. 3B45 08
cmp eax,
dword ptr ss:[
ebp+8]
; 关键比较
004EAC17 |. 75 02
jnz short ePaper.004EAC1B
; 关键跳
004EAC19 |. B3 01
mov bl,1
;正确的话BL=1
004EAC1B |> 807D FF 00
cmp byte ptr ss:[
ebp-1],0
;错误的话[ebp-1]=0
004EAC1F |. 74 44
je short ePaper.004EAC65
004EAC21 |. B2 01
mov dl,1
004EAC23 |. A1 3C644500
mov eax,
dword ptr ds:[45643C]
004EAC28 |. E8 0FB9F6FF
call ePaper.0045653C
004EAC2D |. 8BF0
mov esi,
eax
004EAC2F |. B1 01
mov cl,1
004EAC31 |. BA 94AC4E00
mov edx,ePaper.004EAC94
; ASCII "\Software\eNation\ePaper"
004EAC36 |. 8BC6
mov eax,
esi
004EAC38 |. E8 03BAF6FF
call ePaper.00456640
004EAC3D |. 84C0
test al,
al
004EAC3F |. 74 1D
je short ePaper.004EAC5E
004EAC41 |. FF75 0C
push dword ptr ss:[
ebp+C]
; /Arg2
004EAC44 |. FF75 08
push dword ptr ss:[
ebp+8]
; |Arg1
004EAC47 |. 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
; |
004EAC4A |. E8 1DF3F1FF
call ePaper.00409F6C
; \ePaper.00409F6C
004EAC4F |. 8B4D F8
mov ecx,
dword ptr ss:[
ebp-8]
004EAC52 |. BA B8AC4E00
mov edx,ePaper.004EACB8
; ASCII "RegCode"
004EAC57 |. 8BC6
mov eax,
esi
004EAC59 |. E8 7EBBF6FF
call ePaper.004567DC
004EAC5E |> 8BC6
mov eax,
esi
004EAC60 |. E8 FB90F1FF
call ePaper.00403D60
004EAC65 |> 33C0
xor eax,
eax
004EAC67 |. 5A
pop edx
004EAC68 |. 59
pop ecx
004EAC69 |. 59
pop ecx
004EAC6A |. 64:8910
mov dword ptr fs:[
eax],
edx
004EAC6D |. 68 82AC4E00
push ePaper.004EAC82
004EAC72 |> 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
004EAC75 |. E8 E29FF1FF
call ePaper.00404C5C
004EAC7A \. C3
retn
004EAC7B .^ E9 7C98F1FF
jmp ePaper.004044FC
004EAC80 .^ EB F0
jmp short ePaper.004EAC72
004EAC82 . 8BC3
mov eax,
ebx
004EAC84 . 5E
pop esi
004EAC85 . 5B
pop ebx
004EAC86 . 59
pop ecx
004EAC87 . 59
pop ecx
004EAC88 . 5D
pop ebp
004EAC89 . C2 1000
retn 10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
跟进004EAC0A处CALL来到:
004EACC0 /$ 55
push ebp
004EACC1 |. 8BEC
mov ebp,
esp
004EACC3 |. 83C4 E0
add esp,-20
004EACC6 |. 53
push ebx
004EACC7 |. 56
push esi
004EACC8 |. 33C0
xor eax,
eax
004EACCA |. 8945 E0
mov dword ptr ss:[
ebp-20],
eax
004EACCD |. 8945 EC
mov dword ptr ss:[
ebp-14],
eax
004EACD0 |. 8945 E8
mov dword ptr ss:[
ebp-18],
eax
004EACD3 |. 8945 E4
mov dword ptr ss:[
ebp-1C],
eax
004EACD6 |. 33C0
xor eax,
eax ; EAX清0
004EACD8 |. 55
push ebp
004EACD9 |. 68 CFAD4E00
push ePaper.004EADCF
004EACDE |. 64:FF30
push dword ptr fs:[
eax]
004EACE1 |. 64:8920
mov dword ptr fs:[
eax],
esp
004EACE4 |. FF75 0C
push dword ptr ss:[
ebp+C]
; /Arg2
004EACE7 |. FF75 08
push dword ptr ss:[
ebp+8]
; |机器码16进制入栈
004EACEA |. 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
; |
004EACED |. E8 7AF2F1FF
call ePaper.00409F6C
; \ePaper.00409F6C
004EACF2 |. 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
004EACF5 |. 8945 F0
mov dword ptr ss:[
ebp-10],
eax
004EACF8 |. 8B45 0C
mov eax,
dword ptr ss:[
ebp+C]
004EACFB |. 8945 F4
mov dword ptr ss:[
ebp-C],
eax
004EACFE |. 8B45 EC
mov eax,
dword ptr ss:[
ebp-14]
; 机器码送EAX
004EAD01 |. E8 16A2F1FF
call ePaper.00404F1C
; 计算机器码长度,送EAX
004EAD06 |. 8BD8
mov ebx,
eax ; EAX送EBX
004EAD08 |. 85DB
test ebx,
ebx
004EAD0A |. 7E 56
jle short ePaper.004EAD62
; 为空就跳
004EAD0C |. BE 01000000
mov esi,1
; ESI=1
004EAD11 |> 8D45 E0 /
lea eax,
dword ptr ss:[
ebp-20]
004EAD14 |. 8B55 EC |
mov edx,
dword ptr ss:[
ebp-14]
; 机器码送EDX
004EAD17 |. 8A5432 FF |
mov dl,
byte ptr ds:[
edx+
esi-1]
; 将机器码逐位送DL
004EAD1B |. E8 24A1F1FF |
call ePaper.00404E44
004EAD20 |. 8B45 E0 |
mov eax,
dword ptr ss:[
ebp-20]
004EAD23 |. E8 240DF2FF |
call ePaper.0040BA4C
004EAD28 |. DB2D E4AD4E00 |
fld tbyte
ptr ds:[4EADE4]
; 3.1415926535897932800
004EAD2E |. DEC9 |
fmulp st(1),
st ; 机器码逐位乘以3.1415926535897932800
004EAD30 |. E8 6F82F1FF |
call ePaper.00402FA4
; 将浮点数进位取整送EAX
004EAD35 |. 3345 F0 |
xor eax,
dword ptr ss:[
ebp-10]
; EAX和以前循环的结果进行异或(第一次循环时和机器码异或)
004EAD38 |. 3355 F4 |
xor edx,
dword ptr ss:[
ebp-C]
; EDX和[ebp-C]异或
004EAD3B |. 81F0 70B8EF1B |
xor eax,1BEFB870
; EAX和1BEFB870异或
004EAD41 |. 81F2 00000000 |
xor edx,0
; EDX和0异或
004EAD47 |. 85D2 |
test edx,
edx
004EAD49 |. 7D 07 |
jge short ePaper.004EAD52
; EDX不小于0就跳
004EAD4B |. F7D8 |
neg eax
004EAD4D |. 83D2 00 |
adc edx,0
004EAD50 |. F7DA |
neg edx
004EAD52 |> 0345 F0 |
add eax,
dword ptr ss:[
ebp-10]
; 异或结果累加到EAX
004EAD55 |. 1355 F4 |
adc edx,
dword ptr ss:[
ebp-C]
; EDX带进位加[ebp-C]
004EAD58 |. 8945 F0 |
mov dword ptr ss:[
ebp-10],
eax ; EAX送[ebp-10],即[ebp-10]为计算结果
004EAD5B |. 8955 F4 |
mov dword ptr ss:[
ebp-C],
edx ; EDX保存在[ebp-c]
004EAD5E |. 46 |
inc esi ; ESI加一
004EAD5F |. 4B |
dec ebx ; EBX减一
004EAD60 |.^ 75 AF \jnz short ePaper.004EAD11
; 没完继续
004EAD62 |> FF75 F4
push dword ptr ss:[
ebp-C]
; /Arg2
004EAD65 |. FF75 F0
push dword ptr ss:[
ebp-10]
; |计算结果入栈
004EAD68 |. 8D45 E8
lea eax,
dword ptr ss:[
ebp-18]
; |
004EAD6B |. E8 FCF1F1FF
call ePaper.00409F6C
; \
004EAD70 |. 8B45 E8
mov eax,
dword ptr ss:[
ebp-18]
; [ebp-18]送EAX
004EAD73 |. E8 A4A1F1FF
call ePaper.00404F1C
; 计算刚才循环结果的长度送EAX
004EAD78 |. 8BD8
mov ebx,
eax ; EAX送EBX
004EAD7A |. 8B45 EC
mov eax,
dword ptr ss:[
ebp-14]
; 机器码送EAX
004EAD7D |. E8 9AA1F1FF
call ePaper.00404F1C
; 计算机器码长度送EAX
004EAD82 |. 2BD8
sub ebx,
eax ; EBX减EAX
004EAD84 |. 43
inc ebx ; EBX加一
004EAD85 |> 8D45 E4 /
lea eax,
dword ptr ss:[
ebp-1C]
; [ebp-1C]地址送EAX
004EAD88 |. 50 |
push eax
004EAD89 |. 8B45 EC |
mov eax,
dword ptr ss:[
ebp-14]
; 机器码送EAX
004EAD8C |. E8 8BA1F1FF |
call ePaper.00404F1C
; 计算长度送EAX
004EAD91 |. 8BC8 |
mov ecx,
eax ; EAX送ECX
004EAD93 |. 8BD3 |
mov edx,
ebx ; EBX送EDX
004EAD95 |. 8B45 E8 |
mov eax,
dword ptr ss:[
ebp-18]
; [ebp-18]送EAX
004EAD98 |. E8 DFA3F1FF |
call ePaper.0040517C
; 跟进
004EAD9D |. 4B |
dec ebx ; EBX减一
004EAD9E |. 8B45 E4 |
mov eax,
dword ptr ss:[
ebp-1C]
; [ebp-1C]送EAX,也就是刚才取的字符串
004EADA1 |. 8038 30 |
cmp byte ptr ds:[
eax],30
; 若该字符串第一位为30(也就是'0')
004EADA4 |.^ 74 DF \je short ePaper.004EAD85
; 是就跳回去重新取
004EADA6 |. 8B45 E4
mov eax,
dword ptr ss:[
ebp-1C]
; [ebp-1C]送EAX,也就是最终取得的结果
004EADA9 |. E8 82F2F1FF
call ePaper.0040A030
; 将[ebp-1C]的值转换为16进制送EAX
004EADAE |. 8945 F8
mov dword ptr ss:[
ebp-8],
eax
004EADB1 |. 8955 FC
mov dword ptr ss:[
ebp-4],
edx
004EADB4 |. 33C0
xor eax,
eax
004EADB6 |. 5A
pop edx
004EADB7 |. 59
pop ecx
004EADB8 |. 59
pop ecx
004EADB9 |. 64:8910
mov dword ptr fs:[
eax],
edx
004EADBC |. 68 D6AD4E00
push ePaper.004EADD6
004EADC1 |> 8D45 E0
lea eax,
dword ptr ss:[
ebp-20]
004EADC4 |. BA 04000000
mov edx,4
004EADC9 |. E8 B29EF1FF
call ePaper.00404C80
004EADCE \. C3
retn
004EADCF .^ E9 2897F1FF
jmp ePaper.004044FC
004EADD4 .^ EB EB
jmp short ePaper.004EADC1
004EADD6 . 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
004EADD9 . 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
004EADDC . 5E
pop esi
004EADDD . 5B
pop ebx
004EADDE . 8BE5
mov esp,
ebp
004EADE0 . 5D
pop ebp
004EADE1 . C2 0800
retn 8
###################################################################################################
跟进004EAD98处CALL来到:
0040517C /$ 53
push ebx
0040517D |. 85C0
test eax,
eax
0040517F |. 74 2D
je short ePaper.004051AE
; EAX为0就跳
00405181 |. 8B58 FC
mov ebx,
dword ptr ds:[
eax-4]
; [eax-4]长度送EBX
00405184 |. 85DB
test ebx,
ebx
00405186 |. 74 26
je short ePaper.004051AE
; 为0就跳
00405188 |. 4A
dec edx ; EDX减一
00405189 |. 7C 1B
jl short ePaper.004051A6
0040518B |. 39DA
cmp edx,
ebx
0040518D |. 7D 1F
jge short ePaper.004051AE
; EDX大于等于EBX就跳
0040518F |> 29D3
sub ebx,
edx ; EBX减EDX
00405191 |. 85C9
test ecx,
ecx
00405193 |. 7C 19
jl short ePaper.004051AE
00405195 |. 39D9
cmp ecx,
ebx
00405197 |. 7F 11
jg short ePaper.004051AA
; ECX大于EBX就跳
00405199 |> 01C2
add edx,
eax ; EDX加EAX,即从第EDX位开始取到最后
0040519B |. 8B4424 08
mov eax,
dword ptr ss:[
esp+8]
0040519F |. E8 A8FBFFFF
call ePaper.00404D4C
004051A4 |. EB 11
jmp short ePaper.004051B7
004051A6 |> 31D2
xor edx,
edx
004051A8 |.^ EB E5
jmp short ePaper.0040518F
004051AA |> 89D9
mov ecx,
ebx
004051AC |.^ EB EB
jmp short ePaper.00405199
004051AE |> 8B4424 08
mov eax,
dword ptr ss:[
esp+8]
004051B2 |. E8 A5FAFFFF
call ePaper.00404C5C
004051B7 |> 5B
pop ebx
004051B8 \. C2 0400
retn 4 //返回
004051BB . C3
retn
--------------------------------------------------------------------------------
【破解总结】
机器码:52348574
注册码:10329561
--------------------------------------------------------------------------------
【内存注册机】
中断地址:5AD5D0
中断次数:1
第一字节:E8
指令长度:5
保存方式:内存
中断地址:5AD429
中断次数:1
第一字节:E8
指令长度:5
保存方式:内存
中断地址:4EAC0A
中断次数:1
第一字节:E8
指令长度:5
保存方式:内存
中断地址:4EADA9
中断次数:1
第一字节:E8
指令长度:5
保存方式:内存->寄存器->EAX
胜利截图:
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!