====================Preface====================
Last time I posted my approach to cracking a screenshot tool. I thought that was about as easy as it gets among relatively young software, but then an even softer persimmon came along. It is called EasyRecovery; it recently got an official Chinese distributor, so its Chinese name is now 易恢复. I'll risk saying it out loud.
For this one I was too lazy to change the cracker info, so packing it or not makes no real difference anyway, and I'm releasing it as well. Er......
====================Cracking process====================
<Method 1> Search for strings......
PEiD scan shows: UPolyX v0.5 [Overlay] *
Probably a false positive; take another look:
平均信息量:5.94 (未加密)
EP 检查:未加密
快速检查:未加密
So it is confirmed to be a false positive. The software author may have fiddled with the header a bit, or the packer is so weak it's as good as none. We can ignore it.
Search for strings; there are 5059 of them. Looks like the code is quite readable.
1:
Ultra 字符串参考,项目 2448
地址=0049AFD4
反汇编=mov ecx,EREnt.0073C558
文本字符串=demototalamountlimit
Ultra 字符串参考,项目 2449
地址=0049AFD9
反汇编=mov edx,EREnt.0073C578
文本字符串=demo
Ultra 字符串参考,项目 2450
地址=0049AFF5
反汇编=mov ecx,EREnt.0073C588
文本字符串=demonumberoffileslimit
Ultra 字符串参考,项目 2451
地址=0049AFFA
反汇编=mov edx,EREnt.0073C578
文本字符串=demo
Ultra 字符串参考,项目 2452
地址=0049B019
反汇编=mov ecx,EREnt.0073C5A8
文本字符串=demofilesizelimit
Ultra 字符串参考,项目 2453
地址=0049B01E
反汇编=mov edx,EREnt.0073C578
文本字符串=demo
Ultra 字符串参考,项目 2454
地址=0049B074
反汇编=mov ecx,EREnt.0073C5C8
文本字符串=demofiletypelimitfilter
Ultra 字符串参考,项目 2455
地址=0049B079
反汇编=mov edx,EREnt.0073C578
文本字符串=demo
Ultra 字符串参考,项目 2456
地址=0049B0D8
反汇编=mov ecx,EREnt.0073C5E8
文本字符串=shouldwritedemofilecounter
Ultra 字符串参考,项目 2457
地址=0049B0DD
反汇编=mov edx,EREnt.0073C578
文本字符串=demo
0049AFBB |. /0F85 46010000 jnz EREnt.0049B107 ; this skips the demo's total-file-count limit, size limit, type limit, etc.
0049AFC1 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049AFC4 |. |C640 04 01 mov byte ptr ds:[eax+4],1
0049AFC8 |. |6A 00 push 0 ; /Arg2 = 00000000
0049AFCA |. |68 00400100 push 14000 ; |Arg1 = 00014000
0049AFCF |. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
0049AFD4 |. |B9 58C57300 mov ecx,EREnt.0073C558 ; |demototalamountlimit
0049AFD9 |. |BA 78C57300 mov edx,EREnt.0073C578 ; |demo
0049AFDE |. |E8 1D320000 call EREnt.0049E200 ; \EREnt.0049E200
0049AFE3 |. |8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0049AFE6 |. |8941 18 mov dword ptr ds:[ecx+18],eax
0049AFE9 |. |8951 1C mov dword ptr ds:[ecx+1C],edx
0049AFEC |. |6A 00 push 0 ; /Arg2 = 00000000
0049AFEE |. |6A 0A push 0A ; |Arg1 = 0000000A
0049AFF0 |. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
0049AFF5 |. |B9 88C57300 mov ecx,EREnt.0073C588 ; |demonumberoffileslimit
0049AFFA |. |BA 78C57300 mov edx,EREnt.0073C578 ; |demo
0049AFFF |. |E8 FC310000 call EREnt.0049E200 ; \EREnt.0049E200
0049B004 |. |8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0049B007 |. |8941 20 mov dword ptr ds:[ecx+20],eax
0049B00A |. |8951 24 mov dword ptr ds:[ecx+24],edx
0049B00D |. |6A 00 push 0 ; /Arg2 = 00000000
0049B00F |. |68 00280000 push 2800 ; |Arg1 = 00002800
0049B014 |. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
0049B019 |. |B9 A8C57300 mov ecx,EREnt.0073C5A8 ; |demofilesizelimit
0049B01E |. |BA 78C57300 mov edx,EREnt.0073C578 ; |demo
0049B023 |. |E8 D8310000 call EREnt.0049E200 ; \EREnt.0049E200
0049B028 |. |8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0049B02B |. |8941 30 mov dword ptr ds:[ecx+30],eax
0049B02E |. |8951 34 mov dword ptr ds:[ecx+34],edx
0049B031 |. |8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0049B034 |. |E8 87A1F6FF call EREnt.004051C0
0049B039 |. |C745 A4 0000000>mov dword ptr ss:[ebp-5C],0
0049B040 |. |BA 9C0B7000 mov edx,EREnt.00700B9C
0049B045 |. |8D45 90 lea eax,dword ptr ss:[ebp-70]
0049B048 |. |E8 B338F7FF call EREnt.0040E900
0049B04D |. |BA 9C0B7000 mov edx,EREnt.00700B9C
0049B052 |. |8D45 80 lea eax,dword ptr ss:[ebp-80]
0049B055 |. |E8 A638F7FF call EREnt.0040E900
0049B05A |. |8D55 80 lea edx,dword ptr ss:[ebp-80]
0049B05D |. |B8 BCC57300 mov eax,EREnt.0073C5BC
0049B062 |. |E8 E92FF7FF call EREnt.0040E050
0049B067 |. |8D45 80 lea eax,dword ptr ss:[ebp-80]
0049B06A |. |50 push eax ; /Arg2
0049B06B |. |8D45 90 lea eax,dword ptr ss:[ebp-70] ; |
0049B06E |. |50 push eax ; |Arg1
0049B06F |. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
0049B074 |. |B9 C8C57300 mov ecx,EREnt.0073C5C8 ; |demofiletypelimitfilter
0049B079 |. |BA 78C57300 mov edx,EREnt.0073C578 ; |demo
0049B07E |. |E8 FD2D0000 call EREnt.0049DE80 ; \EREnt.0049DE80
0049B083 |. |8D45 90 lea eax,dword ptr ss:[ebp-70]
0049B086 |. |8D55 A4 lea edx,dword ptr ss:[ebp-5C]
0049B089 |. |E8 D232F7FF call EREnt.0040E360
0049B08E |. |8B45 A4 mov eax,dword ptr ss:[ebp-5C]
0049B091 |. |E8 3AD9F6FF call EREnt.004089D0
0049B096 |. |8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0049B099 |. |8D43 28 lea eax,dword ptr ds:[ebx+28]
0049B09C |. |E8 1FA1F6FF call EREnt.004051C0
0049B0A1 |. |8B45 A4 mov eax,dword ptr ss:[ebp-5C]
0049B0A4 |. |8943 28 mov dword ptr ds:[ebx+28],eax
0049B0A7 |. |BA 9C0B7000 mov edx,EREnt.00700B9C
0049B0AC |. |8D45 80 lea eax,dword ptr ss:[ebp-80]
0049B0AF |. |E8 4C38F7FF call EREnt.0040E900
0049B0B4 |. |BA 9C0B7000 mov edx,EREnt.00700B9C
0049B0B9 |. |8D45 90 lea eax,dword ptr ss:[ebp-70]
0049B0BC |. |E8 3F38F7FF call EREnt.0040E900
0049B0C1 |. |8D55 90 lea edx,dword ptr ss:[ebp-70]
0049B0C4 |. |B0 01 mov al,1
0049B0C6 |. |E8 352FF7FF call EREnt.0040E000
0049B0CB |. |8D45 90 lea eax,dword ptr ss:[ebp-70]
0049B0CE |. |50 push eax ; /Arg2
0049B0CF |. |8D45 80 lea eax,dword ptr ss:[ebp-80] ; |
0049B0D2 |. |50 push eax ; |Arg1
0049B0D3 |. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
0049B0D8 |. |B9 E8C57300 mov ecx,EREnt.0073C5E8 ; |shouldwritedemofilecounter
0049B0DD |. |BA 78C57300 mov edx,EREnt.0073C578 ; |demo
0049B0E2 |. |E8 992D0000 call EREnt.0049DE80 ; \EREnt.0049DE80
0049B0E7 |. |8D45 80 lea eax,dword ptr ss:[ebp-80]
0049B0EA |. |E8 5132F7FF call EREnt.0040E340
0049B0EF |. |8B55 F8 mov edx,dword ptr ss:[ebp-8]
0049B0F2 |. |8842 38 mov byte ptr ds:[edx+38],al
0049B0F5 |. |8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0049B0F8 |. |8D43 40 lea eax,dword ptr ds:[ebx+40]
0049B0FB |. |E8 C0A0F6FF call EREnt.004051C0
0049B100 |. |C743 40 0000000>mov dword ptr ds:[ebx+40],0
0049B107 |> \E8 042AF7FF call EREnt.0040DB10
2:
Ultra 字符串参考,项目 2495
地址=0049BDDE
反汇编=mov edx,EREnt.0073C918
文本字符串=demo
......
Ultra 字符串参考,项目 2497
地址=0049BDFD
反汇编=mov ebx,EREnt.0073C918
文本字符串=demo
......
0049BD58 |. /0F85 0B010000 jnz EREnt.0049BE69 ; this must not jump, nop it
0049BD5E |. |8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
0049BD64 |. |E8 5794F6FF call EREnt.004051C0
0049BD69 |. |C785 6CFFFFFF 0>mov dword ptr ss:[ebp-94],0
0049BD73 |. |BA 9C0B7000 mov edx,EREnt.00700B9C
0049BD78 |. |8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
0049BD7E |. |E8 7D2BF7FF call EREnt.0040E900
0049BD83 |. |BA 9C0B7000 mov edx,EREnt.00700B9C
0049BD88 |. |8D45 80 lea eax,dword ptr ss:[ebp-80]
0049BD8B |. |E8 702BF7FF call EREnt.0040E900
0049BD90 |. |8D55 80 lea edx,dword ptr ss:[ebp-80]
0049BD93 |. |B8 F4C87300 mov eax,EREnt.0073C8F4 ; ASCII 04,"DEMO"
0049BD98 |. |E8 B322F7FF call EREnt.0040E050
0049BD9D |. |8D45 80 lea eax,dword ptr ss:[ebp-80]
0049BDA0 |. |50 push eax ; /Arg2
0049BDA1 |. |8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90] ; |
0049BDA7 |. |50 push eax ; |Arg1
0049BDA8 |. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
0049BDAD |. |B9 04C97300 mov ecx,EREnt.0073C904 ; |runningmode
0049BDB2 |. |BA ECC87300 mov edx,EREnt.0073C8EC ; |license
0049BDB7 |. |E8 C4200000 call EREnt.0049DE80 ; \EREnt.0049DE80
0049BDBC |. |8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
0049BDC2 |. |8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
0049BDC8 |. |E8 9325F7FF call EREnt.0040E360
0049BDCD |. |8B85 6CFFFFFF mov eax,dword ptr ss:[ebp-94]
0049BDD3 |. |8D55 EC lea edx,dword ptr ss:[ebp-14]
0049BDD6 |. |E8 D5AFF7FF call EREnt.00416DB0
0049BDDB |. |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049BDDE |. |BA 18C97300 mov edx,EREnt.0073C918 ; demo
0049BDE3 |. |E8 48D1F6FF call EREnt.00408F30
0049BDE8 |. |85C0 test eax,eax
0049BDEA |. |74 21 je short EREnt.0049BE0D ; this must not jump; the Full call below has to execute
0049BDEC |. |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049BDEF |. |BA 28C97300 mov edx,EREnt.0073C928 ; full
0049BDF4 |. |E8 37D1F6FF call EREnt.00408F30
0049BDF9 |. |85C0 test eax,eax
0049BDFB |. |74 10 je short EREnt.0049BE0D ; this must jump; the demo code below must not execute
0049BDFD |. |BB 18C97300 mov ebx,EREnt.0073C918 ; demo
0049BE02 |. |8D45 EC lea eax,dword ptr ss:[ebp-14]
0049BE05 |. |E8 B693F6FF call EREnt.004051C0
0049BE0A |. |895D EC mov dword ptr ss:[ebp-14],ebx
0049BE0D |> |8B45 EC mov eax,dword ptr ss:[ebp-14]
3:
Ultra 字符串参考
反汇编=mov ecx,EREnt.00708F58
文本字符串= demo
|. /74 50 je short EREnt.00436D39 ; change this je to jmp to skip the demo display
|. |8D45 84 lea eax,dword ptr ss:[ebp-7C]
|. |E8 CFE4FCFF call EREnt.004051C0
|. |C745 84 0000000>mov dword ptr ss:[ebp-7C],0
|. |8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
|. |E8 BDE4FCFF call EREnt.004051C0
|. |C785 70FFFFFF 0>mov dword ptr ss:[ebp-90],0
|. |8D95 70FFFFFF lea edx,dword ptr ss:[ebp-90]
|. |8B45 FC mov eax,dword ptr ss:[ebp-4]
|. |E8 C5940500 call EREnt.004901E0
|. |8B95 70FFFFFF mov edx,dword ptr ss:[ebp-90]
|. |8D45 84 lea eax,dword ptr ss:[ebp-7C]
|. |B9 588F7000 mov ecx,EREnt.00708F58 ; demo
|. |E8 D21CFDFF call EREnt.00408A00
|. |8B55 84 mov edx,dword ptr ss:[ebp-7C]
|. |8B45 FC mov eax,dword ptr ss:[ebp-4]
|. |E8 07DB0500 call EREnt.00494840
|> \8B45 FC mov eax,dword ptr ss:[ebp-4]
4:
Ultra 字符串参考,项目 810
地址=0043F7D7
反汇编=mov ecx,EREnt.0070B210
文本字符串=actionbuynowvisible
......
|. /74 50 je short EREnt.0043F7F6 ; skip the Buy Now window, change je to jmp
|. |BA 9C0B7000 mov edx,EREnt.00700B9C
|. |8D45 98 lea eax,dword ptr ss:[ebp-68]
|. |E8 4DF1FCFF call EREnt.0040E900
|. |BA 9C0B7000 mov edx,EREnt.00700B9C
|. |8D45 B0 lea eax,dword ptr ss:[ebp-50]
|. |E8 40F1FCFF call EREnt.0040E900
|. |8D55 B0 lea edx,dword ptr ss:[ebp-50]
|. |B0 01 mov al,1
|. |E8 36E8FCFF call EREnt.0040E000
|. |8D45 B0 lea eax,dword ptr ss:[ebp-50]
|. |50 push eax ; /Arg2
|. |8D45 98 lea eax,dword ptr ss:[ebp-68] ; |
|. |50 push eax ; |Arg1
|. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
|. |B9 10B27000 mov ecx,EREnt.0070B210 ; |actionbuynowvisible
|. |BA 9C907000 mov edx,EREnt.0070909C ; |main
|. |E8 9AE60500 call EREnt.0049DE80 ; \EREnt.0049DE80
|. |8D45 98 lea eax,dword ptr ss:[ebp-68]
|. |E8 52EBFCFF call EREnt.0040E340
|. |84C0 test al,al
|. |74 04 je short EREnt.0043F7F6
|. |B2 01 mov dl,1
|. |EB 02 jmp short EREnt.0043F7F8
|> \B2 00 mov dl,0
5:
Ultra 字符串参考,项目 812
地址=0043F848
反汇编=mov ecx,EREnt.0070B22C
文本字符串=actionlicenseactivatevisible
......
|. /74 50 je short EREnt.0043F867 ; skip the registration/activation window, change je to jmp
|. |BA 9C0B7000 mov edx,EREnt.00700B9C
|. |8D45 98 lea eax,dword ptr ss:[ebp-68]
|. |E8 DCF0FCFF call EREnt.0040E900
|. |BA 9C0B7000 mov edx,EREnt.00700B9C
|. |8D45 B0 lea eax,dword ptr ss:[ebp-50]
|. |E8 CFF0FCFF call EREnt.0040E900
|. |8D55 B0 lea edx,dword ptr ss:[ebp-50]
|. |B0 01 mov al,1
|. |E8 C5E7FCFF call EREnt.0040E000
|. |8D45 B0 lea eax,dword ptr ss:[ebp-50]
|. |50 push eax ; /Arg2
|. |8D45 98 lea eax,dword ptr ss:[ebp-68] ; |
|. |50 push eax ; |Arg1
|. |A1 C0D87300 mov eax,dword ptr ds:[73D8C0] ; |
|. |B9 2CB27000 mov ecx,EREnt.0070B22C ; |actionlicenseactivatevisible
|. |BA 9C907000 mov edx,EREnt.0070909C ; |main
|. |E8 29E60500 call EREnt.0049DE80 ; \EREnt.0049DE80
|. |8D45 98 lea eax,dword ptr ss:[ebp-68]
|. |E8 E1EAFCFF call EREnt.0040E340
|. |84C0 test al,al
|. |74 04 je short EREnt.0043F867
|. |B2 01 mov dl,1
|. |EB 02 jmp short EREnt.0043F869
|> \B2 00 mov dl,0
6:
Ultra 字符串参考,项目 2460
地址=0049B459
反汇编=mov eax,EREnt.0073C638
文本字符串=demototalamountlimit=%d, totalamountsaved=%d, demonumberoffileslimit=%d, numberoffilessaved=%d, demofilesizelimit=%d, itemsize=%d, demolimitreached=%d
Ultra 字符串参考,项目 2461
地址=0049B502
反汇编=mov ecx,EREnt.0073C6D8
文本字符串=demofiletypelimitfilter=%s - skipping %s
Ultra 字符串参考,项目 2462
地址=0049B55A
反汇编=mov eax,EREnt.0073C70C
文本字符串=demomsgstart
......
Ultra 字符串参考,项目 2464
地址=0049B5B9
反汇编=mov eax,EREnt.0073C730
文本字符串=demomsgfiles
......
Ultra 字符串参考,项目 2467
地址=0049B65B
反汇编=mov eax,EREnt.0073C754
文本字符串=demomsgmaxfilesize
......
Ultra 字符串参考,项目 2470
地址=0049B6FD
反汇编=mov eax,EREnt.0073C770
文本字符串=demomsgtotalamount
......
Ultra 字符串参考,项目 2472
地址=0049B775
反汇编=mov eax,EREnt.0073C78C
文本字符串=demomsgend
......
Ultra 字符串参考,项目 2474
地址=0049B7B5
反汇编=mov eax,EREnt.0073C7A0
文本字符串=demomsgendbuy
Ultra 字符串参考,项目 2475
地址=0049B822
反汇编=mov ecx,EREnt.0073C7B8
文本字符串=exception occured
0049B2C9 |. /0F85 8F050000 jnz EREnt.0049B85E ; change je to jmp here, skipping all the demo limits, prompts, etc.
0049B2CF |. |C645 F4 01 mov byte ptr ss:[ebp-C],1
0049B2D3 |. |8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0049B2D6 |. |8D43 3C lea eax,dword ptr ds:[ebx+3C]
0049B2D9 |. |E8 E29EF6FF call EREnt.004051C0
0049B2DE |. |C743 3C 0000000>mov dword ptr ds:[ebx+3C],0
0049B2E5 |. |8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
0049B2E8 |. |8D55 9C lea edx,dword ptr ss:[ebp-64]
0049B2EB |. |B8 01000000 mov eax,1
0049B2F0 |. |E8 4B25F7FF call EREnt.0040D840
0049B2F5 |. |E8 F646F7FF call EREnt.0040F9F0
0049B2FA |. |50 push eax
0049B2FB |. |85C0 test eax,eax
0049B2FD |. |0F85 EB040000 jnz EREnt.0049B7EE
0049B303 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B306 |. |8A40 04 mov al,byte ptr ds:[eax+4]
0049B309 |. |84C0 test al,al
0049B30B |. |0F84 45050000 je EREnt.0049B856
0049B311 |. |C645 F4 00 mov byte ptr ss:[ebp-C],0
0049B315 |. |C645 F0 00 mov byte ptr ss:[ebp-10],0
0049B319 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B31C |. |8B50 18 mov edx,dword ptr ds:[eax+18]
0049B31F |. |8B40 1C mov eax,dword ptr ds:[eax+1C]
0049B322 |. |83F8 FF cmp eax,-1
0049B325 |. |75 05 jnz short EREnt.0049B32C
0049B327 |. |83FA FF cmp edx,-1
0049B32A |. |74 22 je short EREnt.0049B34E
0049B32C |> |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B32F |. |8B48 08 mov ecx,dword ptr ds:[eax+8]
0049B332 |. |8B40 0C mov eax,dword ptr ds:[eax+C]
0049B335 |. |034D 08 add ecx,dword ptr ss:[ebp+8]
0049B338 |. |1345 0C adc eax,dword ptr ss:[ebp+C]
0049B33B |. |8B55 F8 mov edx,dword ptr ss:[ebp-8]
0049B33E |. |3B42 1C cmp eax,dword ptr ds:[edx+1C]
0049B341 |. |7F 07 jg short EREnt.0049B34A
0049B343 |. |7C 09 jl short EREnt.0049B34E
0049B345 |. |3B4A 18 cmp ecx,dword ptr ds:[edx+18]
0049B348 |. |76 04 jbe short EREnt.0049B34E
0049B34A |> |C645 F0 01 mov byte ptr ss:[ebp-10],1
0049B34E |> |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B351 |. |8B50 20 mov edx,dword ptr ds:[eax+20]
0049B354 |. |8B40 24 mov eax,dword ptr ds:[eax+24]
0049B357 |. |83F8 FF cmp eax,-1
0049B35A |. |75 05 jnz short EREnt.0049B361
0049B35C |. |83FA FF cmp edx,-1
0049B35F |. |74 1C je short EREnt.0049B37D
0049B361 |> |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B364 |. |8B55 F8 mov edx,dword ptr ss:[ebp-8]
0049B367 |. |8B48 10 mov ecx,dword ptr ds:[eax+10]
0049B36A |. |8B40 14 mov eax,dword ptr ds:[eax+14]
0049B36D |. |3B42 24 cmp eax,dword ptr ds:[edx+24]
0049B370 |. |7F 07 jg short EREnt.0049B379
0049B372 |. |7C 09 jl short EREnt.0049B37D
0049B374 |. |3B4A 20 cmp ecx,dword ptr ds:[edx+20]
0049B377 |. |72 04 jb short EREnt.0049B37D
0049B379 |> |C645 F0 01 mov byte ptr ss:[ebp-10],1
0049B37D |> |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B380 |. |8B50 30 mov edx,dword ptr ds:[eax+30]
0049B383 |. |8B40 34 mov eax,dword ptr ds:[eax+34]
0049B386 |. |83F8 FF cmp eax,-1
0049B389 |. |75 05 jnz short EREnt.0049B390
0049B38B |. |83FA FF cmp edx,-1
0049B38E |. |74 19 je short EREnt.0049B3A9
0049B390 |> |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B393 |. |8B50 30 mov edx,dword ptr ds:[eax+30]
0049B396 |. |8B40 34 mov eax,dword ptr ds:[eax+34]
0049B399 |. |3B45 0C cmp eax,dword ptr ss:[ebp+C]
0049B39C |. |7C 07 jl short EREnt.0049B3A5
0049B39E |. |7F 09 jg short EREnt.0049B3A9
0049B3A0 |. |3B55 08 cmp edx,dword ptr ss:[ebp+8]
0049B3A3 |. |73 04 jnb short EREnt.0049B3A9
0049B3A5 |> |C645 F0 01 mov byte ptr ss:[ebp-10],1
0049B3A9 |> |8A45 F0 mov al,byte ptr ss:[ebp-10]
0049B3AC |. |84C0 test al,al
0049B3AE |. |0F9445 F4 sete byte ptr ss:[ebp-C]
0049B3B2 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B3B5 |. |E8 069EF6FF call EREnt.004051C0
0049B3BA |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B3C1 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B3C4 |. |50 push eax ; /Arg1
0049B3C5 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B3C8 |. |83C0 18 add eax,18 ; |
0049B3CB |. |8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax ; |
0049B3D1 |. |C785 58FFFFFF 1>mov dword ptr ss:[ebp-A8],10 ; |
0049B3DB |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B3DE |. |83C0 08 add eax,8 ; |
0049B3E1 |. |8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax ; |
0049B3E7 |. |C785 60FFFFFF 1>mov dword ptr ss:[ebp-A0],10 ; |
0049B3F1 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B3F4 |. |83C0 20 add eax,20 ; |
0049B3F7 |. |8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax ; |
0049B3FD |. |C785 68FFFFFF 1>mov dword ptr ss:[ebp-98],10 ; |
0049B407 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B40A |. |83C0 10 add eax,10 ; |
0049B40D |. |8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax ; |
0049B413 |. |C785 70FFFFFF 1>mov dword ptr ss:[ebp-90],10 ; |
0049B41D |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B420 |. |83C0 30 add eax,30 ; |
0049B423 |. |8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax ; |
0049B429 |. |C785 78FFFFFF 1>mov dword ptr ss:[ebp-88],10 ; |
0049B433 |. |8D45 08 lea eax,dword ptr ss:[ebp+8] ; |
0049B436 |. |8945 84 mov dword ptr ss:[ebp-7C],eax ; |
0049B439 |. |C745 80 1100000>mov dword ptr ss:[ebp-80],11 ; |
0049B440 |. |0FB645 F0 movzx eax,byte ptr ss:[ebp-10] ; |
0049B444 |. |8945 8C mov dword ptr ss:[ebp-74],eax ; |
0049B447 |. |C745 88 0000000>mov dword ptr ss:[ebp-78],0 ; |
0049B44E |. |8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8] ; |
0049B454 |. |B9 06000000 mov ecx,6 ; |
0049B459 |. |B8 38C67300 mov eax,EREnt.0073C638 ; |demototalamountlimit=%d, totalamountsaved=%d, demonumberoffileslimit=%d, numberoffilessaved=%d, demofilesizelimit=%d, itemsize=%d, demolimitreached=%d
0049B45E |. |E8 5DD9F7FF call EREnt.00418DC0 ; \EREnt.00418DC0
0049B463 |. |8B4D 94 mov ecx,dword ptr ss:[ebp-6C]
0049B466 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B469 |. |BA 04000000 mov edx,4
0049B46E |. |E8 CD040F00 call EREnt.0058B940
0049B473 |. |8A45 F0 mov al,byte ptr ss:[ebp-10]
0049B476 |. |84C0 test al,al
0049B478 |. |0F85 9C000000 jnz EREnt.0049B51A
0049B47E |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B481 |. |8B40 28 mov eax,dword ptr ds:[eax+28]
0049B484 |. |85C0 test eax,eax
0049B486 |. |0F84 8E000000 je EREnt.0049B51A
0049B48C |. |8B45 FC mov eax,dword ptr ss:[ebp-4]
0049B48F |. |85C0 test eax,eax
0049B491 |. |0F84 83000000 je EREnt.0049B51A
0049B497 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B49A |. |E8 219DF6FF call EREnt.004051C0
0049B49F |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B4A6 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B4A9 |. |8B40 28 mov eax,dword ptr ds:[eax+28]
0049B4AC |. |85C0 test eax,eax
0049B4AE |. |74 03 je short EREnt.0049B4B3
0049B4B0 |. |8B40 FC mov eax,dword ptr ds:[eax-4]
0049B4B3 |> |8945 8C mov dword ptr ss:[ebp-74],eax
0049B4B6 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B4B9 |. |50 push eax ; /Arg1
0049B4BA |. |8B4D 8C mov ecx,dword ptr ss:[ebp-74] ; |
0049B4BD |. |8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
0049B4C0 |. |BA 01000000 mov edx,1 ; |
0049B4C5 |. |E8 76DCF6FF call EREnt.00409140 ; \EREnt.00409140
0049B4CA |. |8B45 94 mov eax,dword ptr ss:[ebp-6C]
0049B4CD |. |8B55 F8 mov edx,dword ptr ss:[ebp-8]
0049B4D0 |. |8B52 28 mov edx,dword ptr ds:[edx+28]
0049B4D3 |. |E8 58DAF6FF call EREnt.00408F30
0049B4D8 |. |85C0 test eax,eax
0049B4DA |. |74 3E je short EREnt.0049B51A
0049B4DC |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B4DF |. |8B40 28 mov eax,dword ptr ds:[eax+28]
0049B4E2 |. |8945 84 mov dword ptr ss:[ebp-7C],eax
0049B4E5 |. |C745 80 0B00000>mov dword ptr ss:[ebp-80],0B
0049B4EC |. |8B45 FC mov eax,dword ptr ss:[ebp-4]
0049B4EF |. |8945 8C mov dword ptr ss:[ebp-74],eax
0049B4F2 |. |C745 88 0B00000>mov dword ptr ss:[ebp-78],0B
0049B4F9 |. |8D45 80 lea eax,dword ptr ss:[ebp-80]
0049B4FC |. |50 push eax ; /Arg2
0049B4FD |. |6A 01 push 1 ; |Arg1 = 00000001
0049B4FF |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B502 |. |B9 D8C67300 mov ecx,EREnt.0073C6D8 ; |demofiletypelimitfilter=%s - skipping %s
0049B507 |. |BA 04000000 mov edx,4 ; |
0049B50C |. |E8 3F030F00 call EREnt.0058B850 ; \EREnt.0058B850
0049B511 |. |C645 F4 00 mov byte ptr ss:[ebp-C],0
0049B515 |. |E9 3C030000 jmp EREnt.0049B856
0049B51A |> |8A45 F0 mov al,byte ptr ss:[ebp-10]
0049B51D |. |84C0 test al,al
0049B51F |. |75 2C jnz short EREnt.0049B54D
0049B521 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B524 |. |8B5D 08 mov ebx,dword ptr ss:[ebp+8]
0049B527 |. |8B55 0C mov edx,dword ptr ss:[ebp+C]
0049B52A |. |8B48 08 mov ecx,dword ptr ds:[eax+8]
0049B52D |. |8B70 0C mov esi,dword ptr ds:[eax+C]
0049B530 |. |01D9 add ecx,ebx
0049B532 |. |11D6 adc esi,edx
0049B534 |. |8948 08 mov dword ptr ds:[eax+8],ecx
0049B537 |. |8970 0C mov dword ptr ds:[eax+C],esi
0049B53A |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B53D |. |8340 10 01 add dword ptr ds:[eax+10],1
0049B541 |. |8350 14 00 adc dword ptr ds:[eax+14],0
0049B545 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B548 |. |E8 33040000 call EREnt.0049B980
0049B54D |> |807D F0 00 cmp byte ptr ss:[ebp-10],0
0049B551 |. |0F84 97020000 je EREnt.0049B7EE
0049B557 |. |8D55 EC lea edx,dword ptr ss:[ebp-14]
0049B55A |. |B8 0CC77300 mov eax,EREnt.0073C70C ; demomsgstart
0049B55F |. |E8 6CE8FBFF call EREnt.00459DD0
0049B564 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B567 |. |8B50 20 mov edx,dword ptr ds:[eax+20]
0049B56A |. |8B40 24 mov eax,dword ptr ds:[eax+24]
0049B56D |. |83F8 FF cmp eax,-1
0049B570 |. |75 05 jnz short EREnt.0049B577
0049B572 |. |83FA FF cmp edx,-1
0049B575 |. |74 62 je short EREnt.0049B5D9
0049B577 |> |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B57A |. |8945 84 mov dword ptr ss:[ebp-7C],eax
0049B57D |. |B8 24C77300 mov eax,EREnt.0073C724 ; \n
0049B582 |. |8945 88 mov dword ptr ss:[ebp-78],eax
0049B585 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B588 |. |E8 339CF6FF call EREnt.004051C0
0049B58D |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B594 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B597 |. |50 push eax ; /Arg1
0049B598 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B59B |. |83C0 20 add eax,20 ; |
0049B59E |. |8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax ; |
0049B5A4 |. |C785 58FFFFFF 1>mov dword ptr ss:[ebp-A8],10 ; |
0049B5AE |. |8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8] ; |
0049B5B4 |. |B9 00000000 mov ecx,0 ; |
0049B5B9 |. |B8 30C77300 mov eax,EREnt.0073C730 ; |demomsgfiles
0049B5BE |. |E8 6DE8FBFF call EREnt.00459E30 ; \EREnt.00459E30
0049B5C3 |. |8B45 94 mov eax,dword ptr ss:[ebp-6C]
0049B5C6 |. |8945 8C mov dword ptr ss:[ebp-74],eax
0049B5C9 |. |8D55 84 lea edx,dword ptr ss:[ebp-7C]
0049B5CC |. |8D45 EC lea eax,dword ptr ss:[ebp-14]
0049B5CF |. |B9 02000000 mov ecx,2
0049B5D4 |. |E8 97D5F6FF call EREnt.00408B70
0049B5D9 |> |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B5DC |. |8B50 30 mov edx,dword ptr ds:[eax+30]
0049B5DF |. |8B40 34 mov eax,dword ptr ds:[eax+34]
0049B5E2 |. |83F8 FF cmp eax,-1
0049B5E5 |. |75 09 jnz short EREnt.0049B5F0
0049B5E7 |. |83FA FF cmp edx,-1
0049B5EA |. |0F84 8B000000 je EREnt.0049B67B
0049B5F0 |> |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B5F3 |. |8945 80 mov dword ptr ss:[ebp-80],eax
0049B5F6 |. |B8 48C77300 mov eax,EREnt.0073C748 ; ,
0049B5FB |. |8945 84 mov dword ptr ss:[ebp-7C],eax
0049B5FE |. |B8 24C77300 mov eax,EREnt.0073C724 ; \n
0049B603 |. |8945 88 mov dword ptr ss:[ebp-78],eax
0049B606 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B609 |. |E8 B29BF6FF call EREnt.004051C0
0049B60E |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B615 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B618 |. |50 push eax ; /Arg1
0049B619 |. |6A 00 push 0 ; |/Arg4 = 00000000
0049B61B |. |68 00040000 push 400 ; ||Arg3 = 00000400
0049B620 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; ||
0049B623 |. |FF70 34 push dword ptr ds:[eax+34] ; ||Arg2
0049B626 |. |FF70 30 push dword ptr ds:[eax+30] ; ||Arg1
0049B629 |. |E8 52D0F6FF call EREnt.00408680 ; |\EREnt.00408680
0049B62E |. |8985 70FFFFFF mov dword ptr ss:[ebp-90],eax ; |
0049B634 |. |8995 74FFFFFF mov dword ptr ss:[ebp-8C],edx ; |
0049B63A |. |8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90] ; |
0049B640 |. |8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax ; |
0049B646 |. |C785 78FFFFFF 1>mov dword ptr ss:[ebp-88],10 ; |
0049B650 |. |8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88] ; |
0049B656 |. |B9 00000000 mov ecx,0 ; |
0049B65B |. |B8 54C77300 mov eax,EREnt.0073C754 ; |demomsgmaxfilesize
0049B660 |. |E8 CBE7FBFF call EREnt.00459E30 ; \EREnt.00459E30
0049B665 |. |8B45 94 mov eax,dword ptr ss:[ebp-6C]
0049B668 |. |8945 8C mov dword ptr ss:[ebp-74],eax
0049B66B |. |8D55 80 lea edx,dword ptr ss:[ebp-80]
0049B66E |. |8D45 EC lea eax,dword ptr ss:[ebp-14]
0049B671 |. |B9 03000000 mov ecx,3
0049B676 |. |E8 F5D4F6FF call EREnt.00408B70
0049B67B |> |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B67E |. |8B50 18 mov edx,dword ptr ds:[eax+18]
0049B681 |. |8B40 1C mov eax,dword ptr ds:[eax+1C]
0049B684 |. |83F8 FF cmp eax,-1
0049B687 |. |75 09 jnz short EREnt.0049B692
0049B689 |. |83FA FF cmp edx,-1
0049B68C |. |0F84 8B000000 je EREnt.0049B71D
0049B692 |> |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B695 |. |8945 80 mov dword ptr ss:[ebp-80],eax
0049B698 |. |B8 48C77300 mov eax,EREnt.0073C748 ; ,
0049B69D |. |8945 84 mov dword ptr ss:[ebp-7C],eax
0049B6A0 |. |B8 24C77300 mov eax,EREnt.0073C724 ; \n
0049B6A5 |. |8945 88 mov dword ptr ss:[ebp-78],eax
0049B6A8 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B6AB |. |E8 109BF6FF call EREnt.004051C0
0049B6B0 |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B6B7 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B6BA |. |50 push eax ; /Arg1
0049B6BB |. |6A 00 push 0 ; |/Arg4 = 00000000
0049B6BD |. |68 00040000 push 400 ; ||Arg3 = 00000400
0049B6C2 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; ||
0049B6C5 |. |FF70 1C push dword ptr ds:[eax+1C] ; ||Arg2
0049B6C8 |. |FF70 18 push dword ptr ds:[eax+18] ; ||Arg1
0049B6CB |. |E8 B0CFF6FF call EREnt.00408680 ; |\EREnt.00408680
0049B6D0 |. |8985 70FFFFFF mov dword ptr ss:[ebp-90],eax ; |
0049B6D6 |. |8995 74FFFFFF mov dword ptr ss:[ebp-8C],edx ; |
0049B6DC |. |8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90] ; |
0049B6E2 |. |8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax ; |
0049B6E8 |. |C785 78FFFFFF 1>mov dword ptr ss:[ebp-88],10 ; |
0049B6F2 |. |8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88] ; |
0049B6F8 |. |B9 00000000 mov ecx,0 ; |
0049B6FD |. |B8 70C77300 mov eax,EREnt.0073C770 ; |demomsgtotalamount
0049B702 |. |E8 29E7FBFF call EREnt.00459E30 ; \EREnt.00459E30
0049B707 |. |8B45 94 mov eax,dword ptr ss:[ebp-6C]
0049B70A |. |8945 8C mov dword ptr ss:[ebp-74],eax
0049B70D |. |8D55 80 lea edx,dword ptr ss:[ebp-80]
0049B710 |. |8D45 EC lea eax,dword ptr ss:[ebp-14]
0049B713 |. |B9 03000000 mov ecx,3
0049B718 |. |E8 53D4F6FF call EREnt.00408B70
0049B71D |> |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B720 |. |8945 84 mov dword ptr ss:[ebp-7C],eax
0049B723 |. |B8 24C77300 mov eax,EREnt.0073C724 ; \n
0049B728 |. |8945 88 mov dword ptr ss:[ebp-78],eax
0049B72B |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B72E |. |E8 8D9AF6FF call EREnt.004051C0
0049B733 |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B73A |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B73D |. |50 push eax ; /Arg1
0049B73E |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B741 |. |83C0 10 add eax,10 ; |
0049B744 |. |8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax ; |
0049B74A |. |C785 58FFFFFF 1>mov dword ptr ss:[ebp-A8],10 ; |
0049B754 |. |8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
0049B757 |. |83C0 08 add eax,8 ; |
0049B75A |. |8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax ; |
0049B760 |. |C785 60FFFFFF 1>mov dword ptr ss:[ebp-A0],10 ; |
0049B76A |. |8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8] ; |
0049B770 |. |B9 01000000 mov ecx,1 ; |
0049B775 |. |B8 8CC77300 mov eax,EREnt.0073C78C ; |demomsgend
0049B77A |. |E8 B1E6FBFF call EREnt.00459E30 ; \EREnt.00459E30
0049B77F |. |8B45 94 mov eax,dword ptr ss:[ebp-6C]
0049B782 |. |8945 8C mov dword ptr ss:[ebp-74],eax
0049B785 |. |8D55 84 lea edx,dword ptr ss:[ebp-7C]
0049B788 |. |8D45 EC lea eax,dword ptr ss:[ebp-14]
0049B78B |. |B9 02000000 mov ecx,2
0049B790 |. |E8 DBD3F6FF call EREnt.00408B70
0049B795 |. |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B798 |. |8945 84 mov dword ptr ss:[ebp-7C],eax
0049B79B |. |B8 24C77300 mov eax,EREnt.0073C724 ; \n
0049B7A0 |. |8945 88 mov dword ptr ss:[ebp-78],eax
0049B7A3 |. |8D45 94 lea eax,dword ptr ss:[ebp-6C]
0049B7A6 |. |E8 159AF6FF call EREnt.004051C0
0049B7AB |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B7B2 |. |8D55 94 lea edx,dword ptr ss:[ebp-6C]
0049B7B5 |. |B8 A0C77300 mov eax,EREnt.0073C7A0 ; demomsgendbuy
0049B7BA |. |E8 11E6FBFF call EREnt.00459DD0
0049B7BF |. |8B45 94 mov eax,dword ptr ss:[ebp-6C]
0049B7C2 |. |8945 8C mov dword ptr ss:[ebp-74],eax
0049B7C5 |. |8D55 84 lea edx,dword ptr ss:[ebp-7C]
0049B7C8 |. |8D45 EC lea eax,dword ptr ss:[ebp-14]
0049B7CB |. |B9 02000000 mov ecx,2
0049B7D0 |. |E8 9BD3F6FF call EREnt.00408B70
0049B7D5 |. |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B7D8 |. |E8 F3D1F6FF call EREnt.004089D0
0049B7DD |. |8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0049B7E0 |. |8D43 3C lea eax,dword ptr ds:[ebx+3C]
0049B7E3 |. |E8 D899F6FF call EREnt.004051C0
0049B7E8 |. |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B7EB |. |8943 3C mov dword ptr ds:[ebx+3C],eax
0049B7EE |> |E8 1D23F7FF call EREnt.0040DB10
0049B7F3 |. |58 pop eax
0049B7F4 |. |85C0 test eax,eax
0049B7F6 |. |74 66 je short EREnt.0049B85E
0049B7F8 |. |B8 FFFFFFFF mov eax,-1
0049B7FD |. |E8 DE24F7FF call EREnt.0040DCE0
0049B802 |. |8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
0049B805 |. |8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
0049B80B |. |B8 01000000 mov eax,1
0049B810 |. |E8 2B20F7FF call EREnt.0040D840
0049B815 |. |E8 D641F7FF call EREnt.0040F9F0
0049B81A |. |50 push eax
0049B81B |. |85C0 test eax,eax
0049B81D |. |75 12 jnz short EREnt.0049B831
0049B81F |. |8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049B822 |. |B9 B8C77300 mov ecx,EREnt.0073C7B8 ; exception occured
0049B827 |. |BA 02000000 mov edx,2
0049B82C |. |E8 0F010F00 call EREnt.0058B940
0049B831 |> |E8 DA22F7FF call EREnt.0040DB10
0049B836 |. |58 pop eax
0049B837 |. |85C0 test eax,eax
0049B839 |. |74 0F je short EREnt.0049B84A
0049B83B |. |E8 B023F7FF call EREnt.0040DBF0
0049B840 |. |E8 FB24F7FF call EREnt.0040DD40
0049B845 |. |E8 3624F7FF call EREnt.0040DC80
0049B84A |> |E8 0123F7FF call EREnt.0040DB50
0049B84F |. |E8 EC24F7FF call EREnt.0040DD40
0049B854 |. |EB 08 jmp short EREnt.0049B85E
0049B856 |> |E8 B522F7FF call EREnt.0040DB10
0049B85B |. |58 pop eax
0049B85C |. |EB 00 jmp short EREnt.0049B85E
0049B85E |> \E8 AD22F7FF call EREnt.0040DB10
To guard against hidden checks I removed all the feature limits as well. I don't know whether any feature limits would remain if I left them in; to save time I won't test it.
<Method 2> Strike when the registration subprogram is called
This program has a quirk: when the main program detects that it is unregistered, the subprogram .\licman\licman.exe gets called, heh. We start from there. (I originally thought the main program would close after calling the subprogram, but when I tried it I found it does not close the main program, which makes things much easier.)
Run it!! Once the subprogram has been called, press F12 to pause the main program and look at the call stack.
调用堆栈
地址 堆栈 函数例程 / 参数 调用来自 框架
0184FB18 7C92DF5A 包含 ntdll.KiFastSystemCallRet ntdll.7C92DF58 0184FB7C
0184FB1C 7C8025DB ntdll.ZwWaitForSingleObject kernel32.7C8025D5 0184FB7C
0184FB80 7C802542 ? kernel32.WaitForSingleObjectEx kernel32.7C80253D 0184FB7C
0184FB84 000001FC hObject = 000001FC (window)
0184FB88 FFFFFFFF Timeout = INFINITE
0184FB8C 00000000 fAlertable = FALSE
0184FB94 004B8696 ? <jmp.&kernel32.WaitForSingleObject EREnt.004B8691 0184FB90
0184FB98 000001FC hObject = 000001FC (window)
0184FB9C FFFFFFFF Timeout = INFINITE
0184FBB0 004B85DC EREnt.004B8680 EREnt.004B85D7 0184FBAC
0184FCF0 004A0CF1 可能 EREnt.004B85D3 EREnt.004A0CEB 0184FCEC
0184FD64 0049BF92 EREnt.004A0C30 EREnt.0049BF8D 0184FD60
0184FE60 00403E77 EREnt.0049BC30 EREnt.00403E72 0184FE5C
0184FF9C 00413851 可能 EREnt.00403190 EREnt.0041384F 0184FF98
0184FFC0 006FE866 ? EREnt.004137E0 EREnt.<模块入口点>+11
0184FFC4 7C81776F 可能 EREnt.<模块入口点> kernel32.7C81776C 0184FFF0
Honestly I'm not sure which one to pick here; I just picked one that looked good, this one:
0184FB94 004B8696 ? <jmp.&kernel32.WaitForSingleObject EREnt.004B8691 0184FB90
Right-click, Show call.
The whole segment:
004B8680 /$ 55 push ebp
004B8681 |. 89E5 mov ebp,esp
004B8683 |. 83EC 0C sub esp,0C
004B8686 |. 8945 FC mov dword ptr ss:[ebp-4],eax
004B8689 |. 6A FF push -1 ; /Timeout = INFINITE
004B868B |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
004B868E |. FF70 3C push dword ptr ds:[eax+3C] ; |hObject
004B8691 |. E8 3A8DF4FF call <jmp.&kernel32.WaitForSingleObject>; \WaitForSingleObject // the call that was shown is here
004B8696 |. 8945 F4 mov dword ptr ss:[ebp-C],eax
004B8699 |. 83F8 FF cmp eax,-1
004B869C |. 0F9545 F8 setne byte ptr ss:[ebp-8]
004B86A0 |. 807D F8 00 cmp byte ptr ss:[ebp-8],0
004B86A4 |. 74 08 je short EREnt.004B86AE ; note this
004B86A6 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B86A9 |. E8 E2F1FFFF call EREnt.004B7890
004B86AE |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B86B1 |. C680 84000000>mov byte ptr ds:[eax+84],0
004B86B8 |. 8A45 F8 mov al,byte ptr ss:[ebp-8]
004B86BB |. C9 leave
004B86BC \. C3 retn
Look at the spot marked above: this je is very suspicious. It is taken only when WaitForSingleObject returned -1 (WAIT_FAILED); otherwise the object pointer is reloaded into eax and 004B7890 is called, which presumably consumes the helper's verdict. Set a breakpoint on it, reload the program, and see what happens.
Because it sits below the call, you have to click the helper's "Run as demo" button first; the program then breaks here.
Once it breaks, you'll see the jump is not taken, so first try toggling the Z flag.
The "Demo" label disappeared from the interface. That suggests the feature limits are gone too, so I tested with a USB stick a classmate gave me.
(He gave it to me after deleting everything on it, but... evidently not a secure erase, so... I suddenly felt rather wicked.)
The scan took twenty-odd seconds; I tried a 30-something MB video, and, aha, it worked.
So I reloaded the program and was about to change this to jmp without thinking... wait! The licman registration helper would still be launched! We have to fix this at the root. (Only perfect is satisfying.)
Set a breakpoint at the start of the routine, i.e. 004B8680: push ebp.
Reload the program; licman still appears. (I rather want to punch this man.)
So we can boldly guess that we went one call too deep; step out one level.
From the start of the routine to its end: (no way around it this time, it all has to be pasted; I hope nobody calls it padding.)
004B80E0 /. 55 push ebp
004B80E1 |. 89E5 mov ebp,esp
004B80E3 |. 81EC 34010000 sub esp,134
004B80E9 |. 899D CCFEFFFF mov dword ptr ss:[ebp-134],ebx
004B80EF |. 8945 FC mov dword ptr ss:[ebp-4],eax
004B80F2 |. C785 30FFFFFF>mov dword ptr ss:[ebp-D0],0
004B80FC |. C785 34FFFFFF>mov dword ptr ss:[ebp-CC],0
004B8106 |. C785 38FFFFFF>mov dword ptr ss:[ebp-C8],0
004B8110 |. C785 3CFFFFFF>mov dword ptr ss:[ebp-C4],0
004B811A |. C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B8124 |. C785 44FFFFFF>mov dword ptr ss:[ebp-BC],0
004B812E |. 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
004B8134 |. 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-B4]
004B813A |. B8 01000000 mov eax,1
004B813F |. E8 FC56F5FF call EREnt.0040D840
004B8144 |. E8 A778F5FF call EREnt.0040F9F0
004B8149 |. 50 push eax
004B814A |. 85C0 test eax,eax
004B814C |. 0F85 8A040000 jnz EREnt.004B85DC
004B8152 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8155 |. C640 64 01 mov byte ptr ds:[eax+64],1
004B8159 |. C745 F8 00000>mov dword ptr ss:[ebp-8],0
004B8160 |. C745 F0 00000>mov dword ptr ss:[ebp-10],0
004B8167 |. C745 F4 00000>mov dword ptr ss:[ebp-C],0
004B816E |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8171 |. 8B40 48 mov eax,dword ptr ds:[eax+48]
004B8174 |. 85C0 test eax,eax
004B8176 |. 0F85 8E000000 jnz EREnt.004B820A
004B817C |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B817F |. 8B40 50 mov eax,dword ptr ds:[eax+50]
004B8182 |. 85C0 test eax,eax
004B8184 |. 75 21 jnz short EREnt.004B81A7
004B8186 |. 8B0D 148C7400 mov ecx,dword ptr ds:[748C14] ; EREnt.00748798
004B818C |. BA F8867400 mov edx,EREnt.007486F8
004B8191 |. B8 00000000 mov eax,0
004B8196 |. E8 E562F6FF call EREnt.0041E480
004B819B |. 89E9 mov ecx,ebp
004B819D |. BA 9B814B00 mov edx,EREnt.004B819B
004B81A2 |. E8 C958F5FF call EREnt.0040DA70
004B81A7 |> 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004B81AD |. E8 CE18F5FF call EREnt.00409A80
004B81B2 |. C785 44FFFFFF>mov dword ptr ss:[ebp-BC],0
004B81BC |. 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B81C2 |. E8 E929F5FF call EREnt.0040ABB0
004B81C7 |. C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B81D1 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B81D4 |. 8B40 50 mov eax,dword ptr ds:[eax+50]
004B81D7 |. 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B81DD |. E8 4E40F5FF call EREnt.0040C230
004B81E2 |. 8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B81E8 |. 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
004B81EE |. E8 7D2BF5FF call EREnt.0040AD70
004B81F3 |. 8B85 44FFFFFF mov eax,dword ptr ss:[ebp-BC]
004B81F9 |. 85C0 test eax,eax
004B81FB |. 75 05 jnz short EREnt.004B8202
004B81FD |. B8 70DE7F00 mov eax,EREnt.007FDE70
004B8202 |> 8945 F0 mov dword ptr ss:[ebp-10],eax
004B8205 |. E9 26010000 jmp EREnt.004B8330
004B820A |> 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-C4]
004B8210 |. E8 6B18F5FF call EREnt.00409A80
004B8215 |. C785 3CFFFFFF>mov dword ptr ss:[ebp-C4],0
004B821F |. 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B8225 |. E8 8629F5FF call EREnt.0040ABB0
004B822A |. C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B8234 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8237 |. 8B40 48 mov eax,dword ptr ds:[eax+48]
004B823A |. 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B8240 |. E8 EB3FF5FF call EREnt.0040C230
004B8245 |. 8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B824B |. 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-C4]
004B8251 |. E8 1A2BF5FF call EREnt.0040AD70
004B8256 |. 8B85 3CFFFFFF mov eax,dword ptr ss:[ebp-C4]
004B825C |. 85C0 test eax,eax
004B825E |. 75 05 jnz short EREnt.004B8265
004B8260 |. B8 70DE7F00 mov eax,EREnt.007FDE70
004B8265 |> 8945 F8 mov dword ptr ss:[ebp-8],eax
004B8268 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B826B |. 8B40 50 mov eax,dword ptr ds:[eax+50]
004B826E |. 85C0 test eax,eax
004B8270 |. 75 60 jnz short EREnt.004B82D2
004B8272 |. 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
004B8278 |. E8 0318F5FF call EREnt.00409A80
004B827D |. C785 38FFFFFF>mov dword ptr ss:[ebp-C8],0
004B8287 |. 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B828D |. E8 1E29F5FF call EREnt.0040ABB0
004B8292 |. C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B829C |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B829F |. 8B40 48 mov eax,dword ptr ds:[eax+48]
004B82A2 |. 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B82A8 |. E8 833FF5FF call EREnt.0040C230
004B82AD |. 8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B82B3 |. 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
004B82B9 |. E8 B22AF5FF call EREnt.0040AD70
004B82BE |. 8B85 38FFFFFF mov eax,dword ptr ss:[ebp-C8]
004B82C4 |. 85C0 test eax,eax
004B82C6 |. 75 05 jnz short EREnt.004B82CD
004B82C8 |. B8 70DE7F00 mov eax,EREnt.007FDE70
004B82CD |> 8945 F0 mov dword ptr ss:[ebp-10],eax
004B82D0 |. EB 5E jmp short EREnt.004B8330
004B82D2 |> 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
004B82D8 |. E8 A317F5FF call EREnt.00409A80
004B82DD |. C785 34FFFFFF>mov dword ptr ss:[ebp-CC],0
004B82E7 |. 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B82ED |. E8 BE28F5FF call EREnt.0040ABB0
004B82F2 |. C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B82FC |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B82FF |. 8B40 50 mov eax,dword ptr ds:[eax+50]
004B8302 |. 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B8308 |. E8 233FF5FF call EREnt.0040C230
004B830D |. 8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B8313 |. 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC]
004B8319 |. E8 522AF5FF call EREnt.0040AD70
004B831E |. 8B85 34FFFFFF mov eax,dword ptr ss:[ebp-CC]
004B8324 |. 85C0 test eax,eax
004B8326 |. 75 05 jnz short EREnt.004B832D
004B8328 |. B8 70DE7F00 mov eax,EREnt.007FDE70
004B832D |> 8945 F0 mov dword ptr ss:[ebp-10],eax
004B8330 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8333 |. 8B40 54 mov eax,dword ptr ds:[eax+54]
004B8336 |. 85C0 test eax,eax
004B8338 |. 74 5E je short EREnt.004B8398
004B833A |. 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
004B8340 |. E8 3B17F5FF call EREnt.00409A80
004B8345 |. C785 30FFFFFF>mov dword ptr ss:[ebp-D0],0
004B834F |. 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B8355 |. E8 5628F5FF call EREnt.0040ABB0
004B835A |. C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B8364 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8367 |. 8B40 54 mov eax,dword ptr ds:[eax+54]
004B836A |. 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B8370 |. E8 BB3EF5FF call EREnt.0040C230
004B8375 |. 8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B837B |. 8D95 30FFFFFF lea edx,dword ptr ss:[ebp-D0]
004B8381 |. E8 EA29F5FF call EREnt.0040AD70
004B8386 |. 8B85 30FFFFFF mov eax,dword ptr ss:[ebp-D0]
004B838C |. 85C0 test eax,eax
004B838E |. 75 05 jnz short EREnt.004B8395
004B8390 |. B8 70DE7F00 mov eax,EREnt.007FDE70
004B8395 |> 8945 F4 mov dword ptr ss:[ebp-C],eax
004B8398 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B839B |. 8B40 5C mov eax,dword ptr ds:[eax+5C]
004B839E |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
004B83A1 |. 8B52 5C mov edx,dword ptr ds:[edx+5C]
004B83A4 |. 8B12 mov edx,dword ptr ds:[edx]
004B83A6 |. FF92 80000000 call dword ptr ds:[edx+80]
004B83AC |. 85C0 test eax,eax
004B83AE |. 74 10 je short EREnt.004B83C0
004B83B0 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B83B3 |. 8B40 5C mov eax,dword ptr ds:[eax+5C]
004B83B6 |. E8 35FAFFFF call EREnt.004B7DF0
004B83BB |. 8945 EC mov dword ptr ss:[ebp-14],eax
004B83BE |. EB 07 jmp short EREnt.004B83C7
004B83C0 |> C745 EC 00000>mov dword ptr ss:[ebp-14],0
004B83C7 |> 8D8D 24FFFFFF lea ecx,dword ptr ss:[ebp-DC]
004B83CD |. 8D95 0CFFFFFF lea edx,dword ptr ss:[ebp-F4]
004B83D3 |. B8 01000000 mov eax,1
004B83D8 |. E8 6354F5FF call EREnt.0040D840
004B83DD |. E8 0E76F5FF call EREnt.0040F9F0
004B83E2 |. 50 push eax
004B83E3 |. 85C0 test eax,eax
004B83E5 |. 0F85 A4010000 jnz EREnt.004B858F
004B83EB |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B83EE |. E8 5DF9FFFF call EREnt.004B7D50
004B83F3 |. 8945 E8 mov dword ptr ss:[ebp-18],eax
004B83F6 |. 8D55 DC lea edx,dword ptr ss:[ebp-24]
004B83F9 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B83FC |. E8 1FFBFFFF call EREnt.004B7F20
004B8401 |. 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004B8404 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8407 |. E8 44FBFFFF call EREnt.004B7F50
004B840C |. 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
004B8412 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8415 |. E8 66FBFFFF call EREnt.004B7F80
004B841A |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B841D |. F740 2C 04000>test dword ptr ds:[eax+2C],4
004B8424 |. 74 2C je short EREnt.004B8452
004B8426 |. 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
004B842C |. 50 push eax ; /Arg2
004B842D |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
004B8430 |. F740 2C 08000>test dword ptr ds:[eax+2C],8 ; |
004B8437 |. 0F94C0 sete al ; |
004B843A |. 50 push eax ; |Arg1
004B843B |. 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90] ; |
004B8441 |. 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C] ; |
004B8447 |. 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88] ; |
004B844D |. E8 2EFCFFFF call EREnt.004B8080 ; \EREnt.004B8080
004B8452 |> 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
004B8458 |. 8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C]
004B845E |. B8 01000000 mov eax,1
004B8463 |. E8 D853F5FF call EREnt.0040D840
004B8468 |. E8 8375F5FF call EREnt.0040F9F0
004B846D |. 50 push eax
004B846E |. 85C0 test eax,eax
004B8470 |. 0F85 AD000000 jnz EREnt.004B8523
004B8476 |. 8D45 C0 lea eax,dword ptr ss:[ebp-40]
004B8479 |. 50 push eax ; /pProcessInfo
004B847A |. 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84] ; |
004B8480 |. 50 push eax ; |pStartupInfo
004B8481 |. FF75 F4 push dword ptr ss:[ebp-C] ; |CurrentDir
004B8484 |. FF75 EC push dword ptr ss:[ebp-14] ; |pEnvironment
004B8487 |. FF75 E8 push dword ptr ss:[ebp-18] ; |CreationFlags
004B848A |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
004B848D |. 8A40 64 mov al,byte ptr ds:[eax+64] ; |
004B8490 |. 08C0 or al,al ; |
004B8492 |. 0F95C0 setne al ; |
004B8495 |. 25 FF000000 and eax,0FF ; |
004B849A |. F7D8 neg eax ; |
004B849C |. 50 push eax ; |InheritHandles
004B849D |. 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; |
004B84A0 |. 50 push eax ; |pThreadSecurity
004B84A1 |. 8D45 DC lea eax,dword ptr ss:[ebp-24] ; |
004B84A4 |. 50 push eax ; |pProcessSecurity
004B84A5 |. FF75 F0 push dword ptr ss:[ebp-10] ; |CommandLine
004B84A8 |. FF75 F8 push dword ptr ss:[ebp-8] ; |ModuleFileName
004B84AB |. E8 7092F4FF call <jmp.&kernel32.CreateProcessW> ; \CreateProcessW
004B84B0 |. 85C0 test eax,eax
004B84B2 |. 75 54 jnz short EREnt.004B8508
004B84B4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B84B7 |. 8B40 50 mov eax,dword ptr ds:[eax+50]
004B84BA |. 8985 D4FEFFFF mov dword ptr ss:[ebp-12C],eax
004B84C0 |. C785 D0FEFFFF>mov dword ptr ss:[ebp-130],0B
004B84CA |. E8 318CF4FF call <jmp.&kernel32.GetLastError> ; [GetLastError
004B84CF |. 8985 DCFEFFFF mov dword ptr ss:[ebp-124],eax
004B84D5 |. C785 D8FEFFFF>mov dword ptr ss:[ebp-128],0
004B84DF |. 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-130]
004B84E5 |. 50 push eax ; /Arg2
004B84E6 |. 6A 01 push 1 ; |Arg1 = 00000001
004B84E8 |. BA F8867400 mov edx,EREnt.007486F8 ; |
004B84ED |. B9 58887400 mov ecx,EREnt.00748858 ; |ASCII "Failed to execute %s : %d"
004B84F2 |. B8 00000000 mov eax,0 ; |
004B84F7 |. E8 A460F6FF call EREnt.0041E5A0 ; \EREnt.0041E5A0
004B84FC |. 89E9 mov ecx,ebp
004B84FE |. BA FC844B00 mov edx,EREnt.004B84FC
004B8503 |. E8 6855F5FF call EREnt.0040DA70
004B8508 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B850B |. 8B55 C0 mov edx,dword ptr ss:[ebp-40]
004B850E |. 8950 3C mov dword ptr ds:[eax+3C],edx
004B8511 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8514 |. 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
004B8517 |. 8950 40 mov dword ptr ds:[eax+40],edx
004B851A |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B851D |. 8B55 C8 mov edx,dword ptr ss:[ebp-38]
004B8520 |. 8950 34 mov dword ptr ds:[eax+34],edx
004B8523 |> E8 E855F5FF call EREnt.0040DB10
004B8528 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B852B |. F740 2C 04000>test dword ptr ds:[eax+2C],4
004B8532 |. 74 44 je short EREnt.004B8578
004B8534 |. 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
004B8537 |. E8 8477F6FF call EREnt.0041FCC0
004B853C |. 8B45 B8 mov eax,dword ptr ss:[ebp-48]
004B853F |. E8 7C77F6FF call EREnt.0041FCC0
004B8544 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8547 |. F740 2C 08000>test dword ptr ds:[eax+2C],8
004B854E |. 75 08 jnz short EREnt.004B8558
004B8550 |. 8B45 BC mov eax,dword ptr ss:[ebp-44]
004B8553 |. E8 6877F6FF call EREnt.0041FCC0
004B8558 |> FFB5 70FFFFFF push dword ptr ss:[ebp-90]
004B855E |. 8B8D 74FFFFFF mov ecx,dword ptr ss:[ebp-8C]
004B8564 |. 8B95 78FFFFFF mov edx,dword ptr ss:[ebp-88]
004B856A |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B856D |. 8B5D FC mov ebx,dword ptr ss:[ebp-4]
004B8570 |. 8B1B mov ebx,dword ptr ds:[ebx]
004B8572 |. FF93 DC000000 call dword ptr ds:[ebx+DC]
004B8578 |> 58 pop eax
004B8579 |. 85C0 test eax,eax
004B857B |. 74 08 je short EREnt.004B8585
004B857D |. 48 dec eax
004B857E |. 85C0 test eax,eax
004B8580 |. E8 FB56F5FF call EREnt.0040DC80
004B8585 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B8588 |. C680 84000000>mov byte ptr ds:[eax+84],1
004B858F |> E8 7C55F5FF call EREnt.0040DB10
004B8594 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004B8597 |. 85C0 test eax,eax
004B8599 |. 74 08 je short EREnt.004B85A3
004B859B |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004B859E |. E8 0D75F5FF call EREnt.0040FAB0
004B85A3 |> 58 pop eax
004B85A4 |. 85C0 test eax,eax
004B85A6 |. 74 08 je short EREnt.004B85B0
004B85A8 |. 48 dec eax
004B85A9 |. 85C0 test eax,eax
004B85AB |. E8 D056F5FF call EREnt.0040DC80
004B85B0 |> 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B85B3 |. F740 20 10000>test dword ptr ds:[eax+20],10
004B85BA |. 75 20 jnz short EREnt.004B85DC
004B85BC |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B85BF |. F740 2C 02000>test dword ptr ds:[eax+2C],2
004B85C6 |. 74 14 je short EREnt.004B85DC
004B85C8 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B85CB |. F740 2C 01000>test dword ptr ds:[eax+2C],1
004B85D2 |. 75 08 jnz short EREnt.004B85DC
004B85D4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B85D7 |. E8 A4000000 call EREnt.004B8680
004B85DC |> \E8 2F55F5FF call EREnt.0040DB10 ; after stepping out we land here; four jumps lead here, so trace their origins upward.
004B85E1 |. 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
004B85E7 |. E8 9414F5FF call EREnt.00409A80
004B85EC |. C785 30FFFFFF>mov dword ptr ss:[ebp-D0],0
004B85F6 |. 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
004B85FC |. E8 7F14F5FF call EREnt.00409A80
004B8601 |. C785 34FFFFFF>mov dword ptr ss:[ebp-CC],0
004B860B |. 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
004B8611 |. E8 6A14F5FF call EREnt.00409A80
004B8616 |. C785 38FFFFFF>mov dword ptr ss:[ebp-C8],0
004B8620 |. 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-C4]
004B8626 |. E8 5514F5FF call EREnt.00409A80
004B862B |. C785 3CFFFFFF>mov dword ptr ss:[ebp-C4],0
004B8635 |. 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B863B |. E8 7025F5FF call EREnt.0040ABB0
004B8640 |. C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B864A |. 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004B8650 |. E8 2B14F5FF call EREnt.00409A80
004B8655 |. C785 44FFFFFF>mov dword ptr ss:[ebp-BC],0
004B865F |. 58 pop eax
004B8660 |. 85C0 test eax,eax
004B8662 |. 74 05 je short EREnt.004B8669
004B8664 |. E8 1756F5FF call EREnt.0040DC80
004B8669 |> 8B9D CCFEFFFF mov ebx,dword ptr ss:[ebp-134]
004B866F |. C9 leave
004B8670 \. C3 retn
As you can see, there are four jumps that can skip this call. My habit is to change the first one. Let's try.
Because two instances of EasyRecovery cannot run at the same time, after saving the patched file I set a breakpoint at the point where the copy in OD was running, reloaded it there, and then ran our cracked executable.
Sure enough, with only the first jump changed, licman is no longer launched, and it's clean: no hidden checks. ;-)
I also tried the other three jumps; none of them work. Let's see why: set a breakpoint at the start of this routine.
After tracing I found: 004B84AB |. E8 7092F4FF call <jmp.&kernel32.CreateProcessW> ; \CreateProcessW
This is what launches the helper! Heh, so the earlier search was incomplete.
Now take the earlier jump: 004B8470 |. /0F85 AD000000 jnz EREnt.004B8523
and change it to jmp. (Plus change any one of those last three jumps.)
This time it works. Check for limits: none, and no hidden checks. Haha.
That covers both methods; I'm tired too.
To sum up: the program launches licman, and if licman reports back that it is running as a demo, the demo limits are then applied.
If nothing is reported back, or licman has never run at all, it runs as the full version!! In other words the check fails open: the licence decision is delegated to a separate process, and the absence of a verdict is treated as licensed.
So we can also...
<Method 3> Start from licman.exe (the most convenient method)
Since the program launches licman.exe, the main program cannot run without it either. But we can patch licman.exe directly and disable the man! Heh.
After loading it we get:
0059F730 >/$ C605 30806200>mov byte ptr ds:[628030],0
0059F737 |. E8 B4FFFFFF call licman.0059F6F0
0059F73C |. B8 10F46200 mov eax,licman.0062F410
0059F741 |. E8 1A28E7FF call licman.00411F60
0059F746 \. C3 retn
Just nop out everything except the retn.
Then open the main program: no licman in the way, it's the full version straight away!
Those are all the methods; this newbie hopes for everyone's support!
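To make the byte-level edits from Method 2 (004B814C jnz → jmp in EREnt.exe) and Method 3 (NOP out 0059F730..0059F745 in licman.exe, keeping the retn) reproducible outside OllyDbg, here is an added Python patcher. It is not part of the original post and not code from EasyRecovery or licman. It reads the real ImageBase and section table from the PE headers to translate the virtual addresses shown by OllyDbg into file offsets, so it does not assume a 00400000 base. The file names EREnt.exe / licman.exe are assumptions, and the demo images it runs on are constructed mini-PEs that carry only the bytes quoted in the listings above, not the real binaries.

```python
import struct


def parse_pe(data):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(image_base, sections, va):
    """Translate an OllyDbg virtual address into a file offset via the section table."""
    rva = va - image_base
    for _name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            if rva - sec_rva >= raw_size:
                raise ValueError("VA %#x is not backed by file data" % va)
            return raw_ptr + (rva - sec_rva)
    raise ValueError("VA %#x is outside every section" % va)


def patch_jcc_to_jmp(buf, off):
    """Short Jcc (70..7F rel8) -> EB rel8; near Jcc (0F 80..8F rel32) -> 90 E9 rel32.
    The leading NOP keeps the instruction end address, so the displacement stays valid."""
    op = buf[off]
    if 0x70 <= op <= 0x7F:
        buf[off] = 0xEB
        return bytes(buf[off:off + 2])
    if op == 0x0F and 0x80 <= buf[off + 1] <= 0x8F:
        buf[off:off + 2] = b"\x90\xE9"
        return bytes(buf[off:off + 6])
    raise ValueError("no conditional jump at file offset %#x (byte %02X)" % (off, op))


def nop_range(buf, off, length):
    """Overwrite `length` bytes with NOP (0x90) and return them."""
    buf[off:off + length] = b"\x90" * length
    return bytes(buf[off:off + length])


def apply_plan(data, plan):
    """plan entries: (va, "jcc2jmp") or (va, "nop", length). Returns (patched_bytes, log)."""
    image_base, sections = parse_pe(data)
    buf, log = bytearray(data), []
    for entry in plan:
        va, kind = entry[0], entry[1]
        off = va_to_offset(image_base, sections, va)
        if kind == "jcc2jmp":
            new = patch_jcc_to_jmp(buf, off)
        elif kind == "nop":
            new = nop_range(buf, off, entry[2])
        else:
            raise ValueError("unknown patch kind %r" % kind)
        log.append((va, off, new.hex()))
    return bytes(buf), log


# Patch plans taken from the listings in the post; the file names are assumed.
ERENT_PLAN = [(0x004B814C, "jcc2jmp")]     # jnz EREnt.004B85DC -> jmp: skips the licman launch
LICMAN_PLAN = [(0x0059F730, "nop", 0x16)]  # 0059F730..0059F745 -> NOP, the retn at 0059F746 stays


def build_minimal_pe(image_base, text_rva, text_raw, code):
    """Constructed PE32 image with a single .text section (test input only, not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIII", b".text", len(code), text_rva, len(code), text_raw) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + bytes(text_raw - len(hdr)) + bytes(code)


def demo_images():
    """Constructed images carrying only the bytes quoted in the OllyDbg listings."""
    erent = bytearray(0x800)                              # maps to 004B8000..004B87FF
    erent[0x14C:0x152] = bytes.fromhex("0F858A040000")    # 004B814C jnz EREnt.004B85DC
    erent[0x470:0x476] = bytes.fromhex("0F85AD000000")    # 004B8470 jnz EREnt.004B8523
    erent[0x6A4:0x6A6] = bytes.fromhex("7408")            # 004B86A4 je short EREnt.004B86AE
    licman = bytearray(0x800)                             # maps to 0059F000..0059F7FF
    licman[0x730:0x747] = bytes.fromhex(                  # 0059F730 .. 0059F746 retn
        "C6053080620000" "E8B4FFFFFF" "B810F46200" "E81A28E7FF" "C3")
    return (build_minimal_pe(0x400000, 0xB8000, 0x400, erent),
            build_minimal_pe(0x400000, 0x19F000, 0x400, licman))


if __name__ == "__main__":
    erent_img, licman_img = demo_images()
    for name, img, plan in (("EREnt.exe", erent_img, ERENT_PLAN),
                            ("licman.exe", licman_img, LICMAN_PLAN)):
        # For the real files: img = open(name, "rb").read(); write the result to name + ".patched"
        patched, log = apply_plan(img, plan)
        for va, off, new in log:
            print("%-10s VA %08X -> file offset %#x : %s" % (name, va, off, new))
```

A near jcc is rewritten as 90 E9 rather than E9 plus a trailing NOP so that the five-byte jmp ends exactly where the six-byte jnz did and the original rel32 can be kept verbatim. The patcher refuses to touch an offset that does not hold a conditional jump, which catches a wrong VA or a binary of a different build before anything is written.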
====================Afterword====================
Heh, this program was easy to crack too, wasn't it? Why no screenshots? Because what would I screenshot? Just the software's interface? You'd be better off downloading it and looking for yourself. The code is essentially all pasted, so images shouldn't be needed...
Some people also suggested I spend more time studying, heh. All of this was done in spare, scattered moments... but they have a point; my future posts may be spaced further apart.
I hope for everyone's support. This program was much easier to crack than the previous one, especially with the simplest method, which exists because... the programmer didn't think the design through. Heh, even I was surprised when I found it!
(Practice) program download link:
http://xiazai.easyrecoverychina.com/EasyRecovery11.1_WIN_QIYE.exe
(My Baidu Netdisk is out of space, so here is the official site's download link directly.)