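PEiD found no packer.
After loading it in DB, I searched the string references and found the prompt shown when a wrong registration code is entered.
Double-clicking it brought me to the following code: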
0074EC52 > /B9 6CEC7400 MOV ECX,projshop.0074EC6C ; 警告框
0074EC57 . |BA 74EC7400 MOV EDX,projshop.0074EC74 ; 注册码错误!请与我们联系!
0074EC5C . |A1 70C69000 MOV EAX,DWORD PTR DS:[90C670]
0074EC61 . |8B00 MOV EAX,DWORD PTR DS:[EAX]
0074EC63 . |E8 14FED5FF CALL projshop.004AEA7C
0074EC68 . |C3 RETN
0074EC69 |00 DB 00
0074EC6A |00 DB 00
0074EC6B |00 DB 00
0074EC6C |BE DB BE
0074EC6D |AF DB AF
0074EC6E |B8 DB B8
0074EC6F |E6 DB E6
0074EC70 |BF DB BF
0074EC71 |F2 DB F2
0074EC72 |00 DB 00
0074EC73 |00 DB 00
0074EC74 |D7 DB D7
0074EC75 |A2 DB A2
0074EC76 |B2 DB B2
0074EC77 |E1 DB E1
0074EC78 . |C2 EBB4 RETN 0B4EB
0074EC7B |ED DB ED
0074EC7C |CE DB CE
0074EC7D |F3 DB F3
0074EC7E |21 DB 21 ; CHAR '!'
0074EC7F |C7 DB C7
0074EC80 |EB DB EB
0074EC81 |D3 DB D3
0074EC82 .^\EB CE JMP SHORT projshop.0074EC52
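You can see that the warning-box code at 0074EC52 is reached from the JMP at 0074EC82... Is this kind of bottom-to-top jump normal?
Also, is the CALL at 0074EC63 the key point? After I set a breakpoint there, clicking "Register Now" lands on this breakpoint.
I stepped in with F7 and saw the code below. After testing with F8, there is a jump at 004AEAC4, but I did not find any CALL that verifies the password.
At 004AEB58 the wrong-registration-code prompt pops up again.
I really don't understand it, and I really don't know where the key CALL is or how to look for it. Could an expert please advise? I would be very grateful.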
004AEA7C /$ 55 PUSH EBP
004AEA7D |. 8BEC MOV EBP,ESP
004AEA7F |. 83C4 AC ADD ESP,-54
004AEA82 |. 53 PUSH EBX
004AEA83 |. 56 PUSH ESI
004AEA84 |. 57 PUSH EDI
004AEA85 |. 8BF9 MOV EDI,ECX
004AEA87 |. 8BF2 MOV ESI,EDX
004AEA89 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004AEA8C |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
004AEA8F |. E8 2C9FF5FF CALL <JMP.&user32.GetActiveWindow> ; [GetActiveWindow
004AEA94 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004AEA97 |. 6A 02 PUSH 2
004AEA99 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004AEA9C |. 50 PUSH EAX
004AEA9D |. A1 6CC39000 MOV EAX,DWORD PTR DS:[90C36C]
004AEAA2 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004AEAA4 |. FFD0 CALL EAX
004AEAA6 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004AEAA9 |. 6A 02 PUSH 2
004AEAAB |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004AEAAE |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
004AEAB1 |. 50 PUSH EAX
004AEAB2 |. A1 6CC39000 MOV EAX,DWORD PTR DS:[90C36C]
004AEAB7 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004AEAB9 |. FFD0 CALL EAX
004AEABB |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004AEABE |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004AEAC1 |. 3B45 E8 CMP EAX,DWORD PTR SS:[EBP-18]
004AEAC4 74 60 JE SHORT projshop.004AEB26
004AEAC6 |. C745 BC 28000>MOV DWORD PTR SS:[EBP-44],28
004AEACD |. 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004AEAD0 |. 50 PUSH EAX
004AEAD1 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004AEAD4 |. 50 PUSH EAX
004AEAD5 |. A1 F4C09000 MOV EAX,DWORD PTR DS:[90C0F4]
004AEADA |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004AEADC |. FFD0 CALL EAX
004AEADE |. 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004AEAE1 |. 50 PUSH EAX ; /pRect
004AEAE2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
004AEAE5 |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; |
004AEAE8 |. 50 PUSH EAX ; |hWnd
004AEAE9 |. E8 62A0F5FF CALL <JMP.&user32.GetWindowRect> ; \GetWindowRect
004AEAEE |. 6A 1D PUSH 1D
004AEAF0 |. 6A 00 PUSH 0
004AEAF2 |. 6A 00 PUSH 0
004AEAF4 |. 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
004AEAF7 |. 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
004AEAFA |. 2BCA SUB ECX,EDX
004AEAFC |. D1F9 SAR ECX,1
004AEAFE |. 79 03 JNS SHORT projshop.004AEB03
004AEB00 |. 83D1 00 ADC ECX,0
004AEB03 |> 03CA ADD ECX,EDX
004AEB05 |. 51 PUSH ECX
004AEB06 |. 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
004AEB09 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
004AEB0C |. 2BD0 SUB EDX,EAX
004AEB0E |. D1FA SAR EDX,1
004AEB10 |. 79 03 JNS SHORT projshop.004AEB15
004AEB12 |. 83D2 00 ADC EDX,0
004AEB15 |> 03D0 ADD EDX,EAX ; |
004AEB17 |. 52 PUSH EDX ; |X
004AEB18 |. 6A 00 PUSH 0 ; |InsertAfter = HWND_TOP
004AEB1A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
004AEB1D |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; |
004AEB20 |. 50 PUSH EAX ; |hWnd
004AEB21 |. E8 8AA2F5FF CALL <JMP.&user32.SetWindowPos> ; \SetWindowPos
004AEB26 |> 33C0 XOR EAX,EAX
004AEB28 |. E8 2F64FFFF CALL projshop.004A4F5C
004AEB2D |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004AEB30 |. E8 4363FFFF CALL projshop.004A4E78
004AEB35 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004AEB38 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004AEB3B |. E8 ECEDFFFF CALL projshop.004AD92C
004AEB40 |. 84C0 TEST AL,AL
004AEB42 |. 74 06 JE SHORT projshop.004AEB4A
004AEB44 |. 81CB 00001000 OR EBX,100000
004AEB4A |> 33C9 XOR ECX,ECX
004AEB4C |. 55 PUSH EBP
004AEB4D |. 68 D1EB4A00 PUSH projshop.004AEBD1
004AEB52 |. 64:FF31 PUSH DWORD PTR FS:[ECX]
004AEB55 |. 64:8921 MOV DWORD PTR FS:[ECX],ESP
004AEB58 |. 53 PUSH EBX ; /Style
004AEB59 |. 57 PUSH EDI ; |Title
004AEB5A |. 56 PUSH ESI ; |Text
004AEB5B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
004AEB5E |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; |
004AEB61 |. 50 PUSH EAX ; |hOwner
004AEB62 |. E8 E1A0F5FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA