来电通 for Windows Mobile Smartphone版本1.1破解
网址 http://www.yeschange.com/
我也是这几天抽点时间看得arm汇编,呵呵,感觉这个东西有点乱,看着没有x86爽,呵呵
简单分析如下:
程序入口,呵呵
.text:0001EFBC ; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPWSTR lpCmdLine,int nShowCmd)
.text:0001EFBC WinMain ; CODE XREF: start+28p
.text:0001EFBC
.text:0001EFBC X = -0x5C8
.text:0001EFBC Y = -0x5C4
.text:0001EFBC nWidth = -0x5C0
.text:0001EFBC nHeight = -0x5BC
.text:0001EFBC hWndParent = -0x5B8
.text:0001EFBC hMenu = -0x5B4
.text:0001EFBC hInstance = -0x5B0
.text:0001EFBC lpParam = -0x5AC
.text:0001EFBC var_5A8 = -0x5A8
.text:0001EFBC hWnd = -0x5A4
.text:0001EFBC WndClass = -0x5A0
.text:0001EFBC Msg = -0x578
.text:0001EFBC var_558 = -0x558
.text:0001EFBC var_540 = -0x540
.text:0001EFBC var_4DE = -0x4DE
.text:0001EFBC Buffer = -0x4D8
.text:0001EFBC nCmdShow = 0
.text:0001EFBC
.text:0001EFBC 0D C0 A0 E1 MOV R12, SP
.text:0001EFC0 08 00 2D E9 STMFD SP!, {R3}
.text:0001EFC4 F0 5F 2D E9 STMFD SP!, {R4-R12,LR}
.text:0001EFC8 5A DE 4D E2 SUB SP, SP, #0x5A0 ; X
.text:0001EFCC F8 B3 9F E5 LDR R11, =unk_2CD98
.text:0001EFD0 02 50 A0 E1 MOV R5, R2
.text:0001EFD4 C8 35 8D E5 STR R3, [SP,#0x5C8+nCmdShow]
.text:0001EFD8 F0 20 8D E2 ADD R2, SP, #0x5C8+Buffer ; lpBuffer
.text:0001EFDC 14 30 A0 E3 MOV R3, #0x14 ; nBufferMax
.text:0001EFE0 00 00 8B E5 STR R0, [R11]
.text:0001EFE4 67 10 A0 E3 MOV R1, #0x67 ; uID
.text:0001EFE8 A2 17 00 EB BL LoadStringW
.text:0001EFEC 00 30 B0 E1 MOVS R3, R0
.text:0001EFF0 1A 01 00 0A BEQ loc_1F460
.text:0001EFF4 CC 03 9F E5 LDR R0, =unk_2CDBC
.text:0001EFF8 01 30 A0 E3 MOV R3, #1
.text:0001EFFC 00 30 8D E5 STR R3, [SP,#0x5C8+X]
.text:0001F000 F0 20 8D E2 ADD R2, SP, #0x5C8+Buffer
.text:0001F004 04 00 8D E5 STR R0, [SP,#0x5C8+Y]
.text:0001F008 01 30 A0 E3 MOV R3, #1
.text:0001F00C B0 13 9F E5 LDR R1, =aSVD_DS ; lpFormat
.text:0001F010 68 03 9F E5 LDR R0, =unk_2CBD0 ; lpBuffer
.text:0001F014 29 16 00 EB BL wsprintfW
.text:0001F018 A0 A3 9F E5 LDR R10, =off_29FEC
.text:0001F01C 20 20 8D E2 ADD R2, SP, #0x5C8+var_5A8
.text:0001F020 58 13 9F E5 LDR R1, =unk_2CBD0
.text:0001F024 00 00 9A E5 LDR R0, [R10]
.text:0001F028 8B FF FF EB BL sub_1EE5C
.text:0001F02C 00 30 B0 E1 MOVS R3, R0
.text:0001F030 0A 01 00 4A BMI loc_1F460
.text:0001F034 20 30 9D E5 LDR R3, [SP,#0x5C8+var_5A8]
.text:0001F038 00 00 53 E3 CMP R3, #0
.text:0001F03C 07 01 00 1A BNE loc_1F460
.text:0001F040 09 16 00 EB BL InitCommonControls
.text:0001F044 02 11 A0 E3 MOV R1, #0x80000000
.text:0001F048 6C 23 9F E5 LDR R2, =aControlpanelOw
.text:0001F04C 00 30 A0 E3 MOV R3, #0
.text:0001F050 01 10 81 E3 ORR R1, R1, #1
.text:0001F054 39 0E A0 E3 MOV R0, #0x390
.text:0001F058 00 00 8D E0 ADD R0, SP, R0
.text:0001F05C C1 14 00 EB BL sub_24368
.text:0001F060 50 13 9F E5 LDR R1, =aName_4 ;;;;在注册表里读取用户名
.text:0001F064 00 40 A0 E3 MOV R4, #0
.text:0001F068 32 30 A0 E3 MOV R3, #0x32
.text:0001F06C B8 48 CD E1 STRH R4, [SP,#0x5C8+var_540]
.text:0001F070 88 20 8D E2 ADD R2, SP, #0x5C8+var_540
.text:0001F074 39 0E A0 E3 MOV R0, #0x390
.text:0001F078 00 00 8D E0 ADD R0, SP, R0
.text:0001F07C E1 14 00 EB BL sub_24408
.text:0001F080 2C 03 9F E5 LDR R0, =off_29FC8
.text:0001F084 02 11 A0 E3 MOV R1, #0x80000000
.text:0001F088 00 30 A0 E3 MOV R3, #0
.text:0001F08C BA 4E CD E1 STRH R4, [SP,#0x5C8+var_4DE]
.text:0001F090 00 20 90 E5 LDR R2, [R0]
.text:0001F094 01 10 81 E3 ORR R1, R1, #1
.text:0001F098 06 0D A0 E3 MOV R0, #0x180
.text:0001F09C 00 00 8D E0 ADD R0, SP, R0
.text:0001F0A0 B0 14 00 EB BL sub_24368
.text:0001F0A4 04 13 9F E5 LDR R1, =aSn ;;;;读取上一次的输入的注册码,因为他用的是重起验证
.text:0001F0A8 32 30 A0 E3 MOV R3, #0x32
.text:0001F0AC 46 2F A0 E3 MOV R2, #0x118
.text:0001F0B0 02 20 8D E0 ADD R2, SP, R2
.text:0001F0B4 46 CF A0 E3 MOV R12, #0x118
.text:0001F0B8 BC 40 8D E1 STRH R4, [SP,R12]
.text:0001F0BC 06 0D A0 E3 MOV R0, #0x180
.text:0001F0C0 00 00 8D E0 ADD R0, SP, R0
.text:0001F0C4 CF 14 00 EB BL sub_24408
.text:0001F0C8 06 0D A0 E3 MOV R0, #0x180
.text:0001F0CC 00 00 8D E0 ADD R0, SP, R0
.text:0001F0D0 5E CF A0 E3 02 C0 8C E3 MOVL R12, 0x17A
.text:0001F0D8 BC 40 8D E1 STRH R4, [SP,R12]
.text:0001F0DC 8F 14 00 EB BL sub_24320
.text:0001F0E0 39 0E A0 E3 MOV R0, #0x390
.text:0001F0E4 00 00 8D E0 ADD R0, SP, R0
.text:0001F0E8 8C 14 00 EB BL sub_24320
.text:0001F0EC B8 02 9F E5 LDR R0, =unk_2CC60 ; wchar_t *
.text:0001F0F0 88 10 8D E2 ADD R1, SP, #0x5C8+var_540 ; wchar_t *
.text:0001F0F4 75 16 00 EB BL wcscpy
.text:0001F0F8 51 02 00 EB BL sub_1FA44
.text:0001F0FC 05 00 A0 E1 MOV R0, R5 ; wchar_t *
.text:0001F100 F0 16 00 EB BL wcslen
.text:0001F104 70 12 9F E5 LDR R1, =unk_2D3E4
.text:0001F108 14 20 A0 E3 MOV R2, #0x14
.text:0001F10C 00 30 B0 E1 MOVS R3, R0
.text:0001F110 01 00 A0 13 MOVNE R0, #1
.text:0001F114 00 00 C1 15 STRNEB R0, [R1]
.text:0001F118 88 00 8D E2 ADD R0, SP, #0x5C8+var_540
.text:0001F11C 00 40 C1 05 STREQB R4, [R1]
.text:0001F120 70 10 8D E2 ADD R1, SP, #0x5C8+var_558
.text:0001F124 F1 0E 00 EB BL sub_22CF0 ;;;;具体代码在下边,呵呵
下面是个md5算法,注册应该和这个相关 ,由于没有办法调试,所以只提供爆破了
.text:00022CF0 sub_22CF0 ; CODE XREF: WinMain+168p
.text:00022CF0
.text:00022CF0 var_64 = -0x64
.text:00022CF0
.text:00022CF0 30 40 2D E9 STMFD SP!, {R4,R5,LR}
.text:00022CF4 58 D0 4D E2 SUB SP, SP, #0x58
.text:00022CF8 00 40 A0 E1 MOV R4, R0
.text:00022CFC 01 50 A0 E1 MOV R5, R1
.text:00022D00 10 00 52 E3 CMP R2, #0x10
.text:00022D04 0A 00 00 BA BLT loc_22D34
.text:00022D08 00 00 8D E2 ADD R0, SP, #0x64+var_64
.text:00022D0C 0F FA FF EB BL sub_21550 ;;;;;初始化md5常数
.text:00022D10 04 00 A0 E1 MOV R0, R4 ; wchar_t *
.text:00022D14 EB 07 00 EB BL wcslen
.text:00022D18 04 10 A0 E1 MOV R1, R4
.text:00022D1C 80 20 A0 E1 MOV R2, R0,LSL#1
.text:00022D20 00 00 8D E2 ADD R0, SP, #0x64+var_64
.text:00022D24 19 FA FF EB BL sub_21590
.text:00022D28 05 10 A0 E1 MOV R1, R5
.text:00022D2C 00 00 8D E2 ADD R0, SP, #0x64+var_64
.text:00022D30 5C FD FF EB BL sub_222A8
.text:00022D34
.text:00022D34 loc_22D34 ; CODE XREF: sub_22CF0+14j
.text:00022D34 58 D0 8D E2 ADD SP, SP, #0x58
.text:00022D38 30 80 BD E8 LDMFD SP!, {R4,R5,PC}
.text:00022D38 ; End of function sub_22CF0
//////////////////////////////////////////sub_21550///////////////////////////////////////////////////////
.text:00021550 sub_21550 ; CODE XREF: sub_22CF0+1Cp
.text:00021550 34 30 9F E5 LDR R3, =0x67452301
.text:00021554 00 10 A0 E3 MOV R1, #0
.text:00021558 04 10 80 E5 STR R1, [R0,#4]
.text:0002155C 08 30 80 E5 STR R3, [R0,#8]
.text:00021560 20 30 9F E5 LDR R3, =0xEFCDAB89
.text:00021564 00 10 80 E5 STR R1, [R0]
.text:00021568 0C 30 80 E5 STR R3, [R0,#0xC]
.text:0002156C 10 30 9F E5 LDR R3, =0x98BADCFE
.text:00021570 10 30 80 E5 STR R3, [R0,#0x10]
.text:00021574 04 30 9F E5 LDR R3, =0x10325476
.text:00021578 14 30 80 E5 STR R3, [R0,#0x14]
.text:0002157C 0E F0 A0 E1 RET
.text:0002157C ; End of function sub_21550
.text:00021670 sub_21670 ; CODE XREF: sub_21590+98p
.text:00021670 ; sub_21590+B4p
.text:00021670
.text:00021670 var_90 = -0x90
.text:00021670 var_8C = -0x8C
.text:00021670 var_88 = -0x88
.text:00021670 var_84 = -0x84
.text:00021670 var_80 = -0x80
.text:00021670 var_7C = -0x7C
.text:00021670 var_78 = -0x78
.text:00021670 var_74 = -0x74
.text:00021670 var_70 = -0x70
.text:00021670 var_6C = -0x6C
.text:00021670 var_68 = -0x68
.text:00021670 arg_0 = 0
.text:00021670
.text:00021670 0D C0 A0 E1 MOV R12, SP
.text:00021674 01 00 2D E9 STMFD SP!, {R0}
.text:00021678 F0 5F 2D E9 STMFD SP!, {R4-R12,LR}
.text:0002167C 68 D0 4D E2 SUB SP, SP, #0x68
.text:00021680 03 30 11 E2 ANDS R3, R1, #3
.text:00021684 08 70 90 E5 LDR R7, [R0,#8]
.text:00021688 0C 40 90 E5 LDR R4, [R0,#0xC]
.text:0002168C 10 50 90 E5 LDR R5, [R0,#0x10]
.text:00021690 14 80 90 E5 LDR R8, [R0,#0x14]
.text:00021694 90 00 8D E5 STR R0, [SP,#0x90+arg_0]
.text:00021698 01 00 A0 01 MOVEQ R0, R1
.text:0002169C 03 00 00 0A BEQ loc_216B0
.text:000216A0 40 20 A0 E3 MOV R2, #0x40 ; size_t
.text:000216A4 28 00 8D E2 ADD R0, SP, #0x90+var_68 ; void *
.text:000216A8 F0 0C 00 EB BL memcpy
.text:000216AC 28 00 8D E2 ADD R0, SP, #0x90+var_68
.text:000216B0
.text:000216B0 loc_216B0 ; CODE XREF: sub_21670+2Cj
.text:000216B0 05 20 04 E0 AND R2, R4, R5
.text:000216B4 00 60 90 E5 LDR R6, [R0]
.text:000216B8 04 30 C8 E1 BIC R3, R8, R4
.text:000216BC 0C 90 90 E5 LDR R9, [R0,#0xC]
.text:000216C0 02 30 83 E1 ORR R3, R3, R2
.text:000216C4 D8 2B 9F E5 LDR R2, =0x28955B88 //hash value
.text:000216C8 06 30 83 E0 ADD R3, R3, R6
.text:000216CC 10 A0 90 E5 LDR R10, [R0,#0x10]
.text:000216D0 07 30 83 E0 ADD R3, R3, R7
.text:000216D4 04 70 90 E5 LDR R7, [R0,#4]
.text:000216D8 02 10 43 E0 SUB R1, R3, R2
.text:000216DC A1 3C A0 E1 MOV R3, R1,LSR#25
.text:000216E0 81 33 83 E1 ORR R3, R3, R1,LSL#7
.text:000216E4 04 10 83 E0 ADD R1, R3, R4
.text:000216E8 01 30 C5 E1 BIC R3, R5, R1
.text:000216EC 04 20 01 E0 AND R2, R1, R4
.text:000216F0 02 30 83 E1 ORR R3, R3, R2
.text:000216F4 A4 2B 9F E5 LDR R2, =0x173848AA //hash value
.text:000216F8 07 30 83 E0 ADD R3, R3, R7
.text:000216FC 08 30 83 E0 ADD R3, R3, R8
.text:00021700 08 80 90 E5 LDR R8, [R0,#8]
.text:00021704 02 20 43 E0 SUB R2, R3, R2
.text:00021708 22 3A A0 E1 MOV R3, R2,LSR#20
.text:0002170C 02 36 83 E1 ORR R3, R3, R2,LSL#12
.text:00021710 01 20 83 E0 ADD R2, R3, R1
.text:00021714 02 E0 01 E0 AND LR, R1, R2
.text:00021718 02 30 C4 E1 BIC R3, R4, R2
.text:0002171C 0E 30 83 E1 ORR R3, R3, LR
.text:00021720 74 EB 9F E5 LDR LR, =0x242070DB
.text:00021724 08 30 83 E0 ADD R3, R3, R8
.text:00021728 05 30 83 E0 ADD R3, R3, R5
.text:0002172C 0E 30 83 E0 ADD R3, R3, LR
.text:00021730 A3 E7 A0 E1 MOV LR, R3,LSR#15
.text:00021734 83 38 8E E1 ORR R3, LR, R3,LSL#17
.text:00021738 02 30 83 E0 ADD R3, R3, R2
.text:0002173C 02 B0 03 E0 AND R11, R3, R2
.text:00021740 03 E0 C1 E1 BIC LR, R1, R3
.text:00021744 0B E0 8E E1 ORR LR, LR, R11
.text:00021748 48 BB 9F E5 LDR R11, =0x3E423112
.text:0002174C 09 E0 8E E0 ADD LR, LR, R9
.text:00021750 04 E0 8E E0 ADD LR, LR, R4
.text:00021754 0B E0 4E E0 SUB LR, LR, R11
.text:00021758 0E BB A0 E1 MOV R11, LR,LSL#22
.text:0002175C 2E E5 8B E1 ORR LR, R11, LR,LSR#10
.text:00021760 03 E0 8E E0 ADD LR, LR, R3
.text:00021764 03 50 0E E0 AND R5, LR, R3
.text:00021768 0E B0 C2 E1 BIC R11, R2, LR
.text:0002176C 05 B0 8B E1 ORR R11, R11, R5
.text:00021770 0A B0 8B E0 ADD R11, R11, R10
.text:00021774 01 10 8B E0 ADD R1, R11, R1
.text:00021778 14 BB 9F E5 LDR R11, =0xA83F051
.text:0002177C 0B 10 41 E0 SUB R1, R1, R11
.text:00021780 A1 BC A0 E1 MOV R11, R1,LSR#25
.text:00021784 81 13 8B E1 ORR R1, R11, R1,LSL#7
.text:00021788 14 B0 90 E5 LDR R11, [R0,#0x14]
.text:0002178C 0E 10 81 E0 ADD R1, R1, LR
.text:00021790 04 B0 8D E5 STR R11, [SP,#0x90+var_8C]
.text:00021794 01 B0 C3 E1 BIC R11, R3, R1
.text:00021798 0E 50 01 E0 AND R5, R1, LR
.text:0002179C 05 B0 8B E1 ORR R11, R11, R5
.text:000217A0 04 50 9D E5 LDR R5, [SP,#0x90+var_8C]
.text:000217A4 05 B0 8B E0 ADD R11, R11, R5
.text:000217A8 02 20 8B E0 ADD R2, R11, R2
.text:000217AC DC BA 9F E5 LDR R11, =0x4787C62A
.text:000217B0 0B 20 82 E0 ADD R2, R2, R11
.text:000217B4 22 BA A0 E1 MOV R11, R2,LSR#20
.text:000217B8 02 26 8B E1 ORR R2, R11, R2,LSL#12
.text:000217BC 18 B0 90 E5 LDR R11, [R0,#0x18]
.text:000217C0 01 20 82 E0 ADD R2, R2, R1
.text:000217C4 14 B0 8D E5 STR R11, [SP,#0x90+var_7C]
.text:000217C8 02 50 01 E0 AND R5, R1, R2
.text:000217CC 02 B0 CE E1 BIC R11, LR, R2
.text:000217D0 05 B0 8B E1 ORR R11, R11, R5
.text:000217D4 14 50 9D E5 LDR R5, [SP,#0x90+var_7C]
.text:000217D8 05 B0 8B E0 ADD R11, R11, R5
.text:000217DC 03 30 8B E0 ADD R3, R11, R3
.text:000217E0 A4 BA 9F E5 LDR R11, =0x57CFB9ED
.text:000217E4 0B 30 43 E0 SUB R3, R3, R11
.text:000217E8 A3 B7 A0 E1 MOV R11, R3,LSR#15
.text:000217EC 83 38 8B E1 ORR R3, R11, R3,LSL#17
.text:000217F0 02 30 83 E0 ADD R3, R3, R2
.text:000217F4 1C B0 90 E5 LDR R11, [R0,#0x1C]
.text:000217F8 02 50 03 E0 AND R5, R3, R2
.text:000217FC 00 B0 8D E5 STR R11, [SP,#0x90+var_90]
.text:00021800 03 B0 C1 E1 BIC R11, R1, R3
.text:00021804 05 B0 8B E1 ORR R11, R11, R5
.text:00021808 00 50 9D E5 LDR R5, [SP,#0x90+var_90]
.text:0002180C 05 B0 8B E0 ADD R11, R11, R5
.text:00021810 0E E0 8B E0 ADD LR, R11, LR
.text:00021814 6C BA 9F E5 LDR R11, =0x2B96AFF
.text:00021818 0B E0 4E E0 SUB LR, LR, R11
///////////////////////////////////////////////////////////////////////////////////////////////////////////
爆破的地址如下:
.text:0001E8BC loc_1E8BC ; CODE XREF: sub_1E694+40j
.text:0001E8BC 40 00 9F E5 LDR R0, =unk_2CDA8
.text:0001E8C0 00 40 80 E5 STR R4, [R0]
.text:0001E8C4 04 00 A0 E1 MOV R0, R4
.text:0001E8C8 D4 FE FF EB BL sub_1E420
.text:0001E8CC 00 A0 A0 E1 MOV R10, R0
.text:0001E8D0 28 00 9F E5 LDR R0, =unk_2CD90
.text:0001E8D4 00 00 D0 E5 LDRB R0, [R0]
.text:0001E8D8 FF 30 10 E2 ANDS R3, R0, #0xFF
.text:0001E8DC 04 00 A0 E1 MOV R0, R4
.text:0001E8E0 08 00 00 1A BNE loc_1E908 ; 正点,把指令改成0800000A(我这里的偏移在DCE0),就可以使用了,呵呵
.text:0001E8E4 C5 C9 FF EB BL sub_11000
.text:0001E8E8
.text:0001E8E8 loc_1E8E8 ; CODE XREF: sub_1E694+388j
.text:0001E8E8 D8 01 1F E5 LDR R0, =unk_2CDB0
.text:0001E8EC 01 10 A0 E3 MOV R1, #1
.text:0001E8F0 00 10 C0 E5 STRB R1, [R0]
.text:0001E8F4 04 00 A0 E1 MOV R0, R4 ; hwnd
.text:0001E8F8 6B 18 00 EB BL DestroyWindow
.text:0001E8FC 51 01 00 EA B loc_1EE48
跳过来,就启动程序了,呵呵
.text:0001E908 loc_1E908 ; CODE XREF: sub_1E694+24Cj
.text:0001E908 E6 F0 FF EB BL sub_1ACA8
.text:0001E90C 00 50 A0 E3 MOV R5, #0
.text:0001E910 18 20 9F E5 LDR R2, =sub_1F49C ; lpStartAddr
.text:0001E914 04 30 A0 E1 MOV R3, R4 ; lpvThreadParam
.text:0001E918 04 50 8D E5 STR R5, [SP,#0xE0+lpIDThread]
.text:0001E91C 00 10 A0 E3 MOV R1, #0 ; cbStack
.text:0001E920 00 50 8D E5 STR R5, [SP,#0xE0+fdwCreate]
.text:0001E924 00 00 A0 E3 MOV R0, #0 ; lpsa
.text:0001E928 74 18 00 EB BL CreateThread
.text:0001E92C 45 01 00 EA B loc_1EE48
由于本人也刚刚学习arm汇编,不详细的地方请见谅。
另外,这个软件10块钱,虽然便宜,但是作的确实垃圾,地区查询一点也不准。
附件:receivecall.rar 附件:receivecall.rar
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课