After downloading it from the internet, install it and run the main program saleman.exe. A dialog pops up with a description of the software and Trial / Register buttons. Click Register and a registration box appears. Enter the username ltj and the authorization number 12345678, then click Register. A dialog pops up: "系统注册失败,请检查注册是否有误!" (registration failed, please check the registration for errors). Good, that is exactly the message we want.
Checking saleman.exe with a PE scanner shows it is not packed, which saves some effort. Open saleman.exe in W32Dasm and disassemble it; under References, open the string data references. Find the following two strings: "系统注册成功,欢迎你使用本软件!" (registration succeeded, welcome), double-click it and you land at 005E14FA; "系统注册失败,请检查注册是否有误!" (registration failed), double-click it and you land at 005E153B. As shown below:
:005E14E2 8B4DCC mov ecx, dword ptr [ebp-34]
* Possible StringData Ref from Code Obj ->"RegCode"
|
:005E14E5 BA1C165E00 mov edx, 005E161C
:005E14EA 8BC3 mov eax, ebx
:005E14EC E81F20E9FF call 00473510
:005E14F1 8BC3 mov eax, ebx
:005E14F3 E83427E2FF call 00403C2C
:005E14F8 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"系统注册成功,欢迎你使用本软件!"
|
:005E14FA 6824165E00 push 005E1624
* Reference To: PunUnitLib.ShowMess, Ord:0000h
|
:005E14FF E82809FFFF Call 005D1E2C
:005E1504 A170156400 mov eax, dword ptr [00641570]
:005E1509 C70002000000 mov dword ptr [eax], 00000002
:005E150F A12C136400 mov eax, dword ptr [0064132C]
:005E1514 8B00 mov eax, dword ptr [eax]
:005E1516 E8A5F6E8FF call 00470BC0
:005E151B 33C0 xor eax, eax
:005E151D 5A pop edx
:005E151E 59 pop ecx
:005E151F 59 pop ecx
:005E1520 648910 mov dword ptr fs:[eax], edx
:005E1523 EB20 jmp 005E1545
:005E1525 E9E22BE2FF jmp 0040410C
:005E152A 8B45FC mov eax, dword ptr [ebp-04]
:005E152D E8DEBDE8FF call 0046D310
:005E1532 E80130E2FF call 00404538
:005E1537 EB0C jmp 005E1545
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005E1435(C)
|
:005E1539 6A03 push 00000003
* Possible StringData Ref from Code Obj ->"系统注册失败,请检查注册是否有误!"
:005E153B 6848165E00 push 005E1648
* Reference To: PunUnitLib.ShowMess, Ord:0000h
:005E1540 E8E708FFFF Call 005D1E2C
Note: 005E153B is reached by the jump from 005E1435, so look at the code leading up to that jump:
* Reference To: PunUnitLib.GetRegPass, Ord:0000h
|
:005E13FF E8580AFFFF Call 005D1E5C
:005E1404 8BD0 mov edx, eax
:005E1406 8D45F8 lea eax, dword ptr [ebp-08]
:005E1409 E80239E2FF call 00404D10
:005E140E 8D55DC lea edx, dword ptr [ebp-24]
:005E1411 8B45FC mov eax, dword ptr [ebp-04]
:005E1414 8B80FC020000 mov eax, dword ptr [eax+000002FC]
:005E141A E84DDCE6FF call 0044F06C
:005E141F 8B45DC mov eax, dword ptr [ebp-24]
:005E1422 8D55E0 lea edx, dword ptr [ebp-20]
:005E1425 E8F682E2FF call 00409720
:005E142A 8B45E0 mov eax, dword ptr [ebp-20]
:005E142D 8B55F8 mov edx, dword ptr [ebp-08]
:005E1430 E8E73AE2FF call 00404F1C
:005E1435 0F85FE000000 jne 005E1539
:005E143B 33C0 xor eax, eax
005E1430 is where the registration code is compared (the string compare at 00404F1C, followed by the conditional jump at 005E1435 to the failure message).
Load saleman.exe in OllyDbg, set a breakpoint at 005E1430 and press F9 to run. The first dialog appears; click Register, enter the username ltj and the authorization number 12345678, then click Register. The program stops at the breakpoint, and the registers show:
EAX 01A20A7C ASCII "12345678"
ECX 00000000
EDX 01A2DC94 ASCII "C26D-0593-Q638-6533"
Heh, that must be the registration code. Tried it right away, and sure enough it worked.
Later I tried some other usernames; the registration code was the same.
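What the listing above shows is a check that first computes the valid code in-process (GetRegPass) and then string-compares the user's input with it, so the valid code sits in a register at the compare. The following C is an added illustration, not code from the original post or from saleman.exe: a reconstruction of that weak pattern beside a hardened variant that keeps only a digest bound to the username, so no plaintext code exists at the compare. The FNV-1a digest and the separator byte are assumptions chosen to keep the example self-contained.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Reconstruction of the pattern the disassembly suggests (not the real code):
 * the valid code is computed, then the input is string-compared with it, so
 * the valid code is in memory (EDX on the page) when the compare runs. */
static const char *get_reg_pass(void)
{
    return "C26D-0593-Q638-6533"; /* the value the page observed in EDX */
}

bool weak_check(const char *user, const char *code)
{
    (void)user; /* the page notes the code did not depend on the username */
    return strcmp(code, get_reg_pass()) == 0;
}

/* Hardened pattern: the client stores only a digest of (user, code). FNV-1a
 * is used here only to keep the example self-contained (assumption); a real
 * check would use a cryptographic hash or verify a signed licence. */
static uint64_t digest(const char *user, const char *code)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const char *parts[] = { user, "\x1f", code }; /* separator avoids ambiguity */
    for (int i = 0; i < 3; i++)
        for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++) {
            h ^= *p;
            h *= 0x100000001b3ULL;
        }
    return h;
}

/* Vendor side: computed offline when a licence is issued, never shipped. */
uint64_t make_reference(const char *user, const char *code)
{
    return digest(user, code);
}

/* Client side: constant-time digest compare, so neither the valid code nor
 * an early-exit timing signal is exposed at the compare. The branch itself
 * can still be patched; a public-key-verified licence is the stronger design. */
bool hardened_check(const char *user, const char *code, uint64_t stored)
{
    uint64_t got = digest(user, code);
    uint64_t diff = 0;
    for (int i = 0; i < 64; i += 8)
        diff |= ((got >> i) ^ (stored >> i)) & 0xff;
    return diff == 0;
}
```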