工具:OD
启动时检查父进程,必须是explorer.exe启动,OD+插件直接载入(我用TC直接拒绝启动)
代码有花指令和未知指令异常,忽略异常可以直接跳到下面的可读代码(Resume next?)
第1次点击时新建线程检查注册码,与主线程发消息互动(SendMessageW)
01302361 . 6A 00 push 0x0
01302363 . 6A 00 push 0x0
01302365 . 56 push esi
01302366 . 8946 08 mov dword ptr [esi+0x8], eax
01302369 . 8976 10 mov dword ptr [esi+0x10], esi
0130236C . 68 E0203001 push 013020E0
01302371 . E9 F5030000 jmp 0130276B
01302761 . 6A 00 push 0x0
01302763 . 6A 00 push 0x0
01302765 . 57 push edi
01302766 . 68 00213001 push 01302100
0130276B > 6A 00 push 0x0 ; |StackSize = 0x0
0130276D . 6A 00 push 0x0 ; |pSecurity = NULL
0130276F . FF15 74803101 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
1.有“b”
01131C65 . BA 62000000 mov edx, 0x62 ; 字符b
01131C6A 66 db 66 ; CHAR 'f'
01131C6B 0F db 0F
01131C6C 1F db 1F
01131C6D 44 db 44 ; CHAR 'D'
01131C6E 00 db 00
01131C6F 00 db 00
01131C70 > 66:3BD1 cmp dx, cx
01131C73 . 74 1E je short 01131C93 ; 循环检查
01131C75 . 0FB78C45 36FFFFFF movzx ecx, word ptr [ebp+eax*2-0xCA]
01131C7D . 40 inc eax
01131C7E . 66:85C9 test cx, cx
01131C81 .^ 75 ED jnz short 01131C70
2.有“p”
01132A70 |> /66:3BF0 /cmp si, ax
01132A73 |. |74 14 |je short 01132A89
01132A75 |. |0FB7444A 02 |movzx eax, word ptr [edx+ecx*2+0x2]
01132A7A |. |41 |inc ecx
01132A7B |. |66:85C0 |test ax, ax
01132A7E |.^\75 F0 \jnz short 01132A70
01132A80 |> 33C0 xor eax, eax
01132A82 |. 5E pop esi
01132A83 |. 8BE5 mov esp, ebp
01132A85 |. 5D pop ebp
01132A86 |. C2 0400 retn 0x4
01132A89 |> B8 01000000 mov eax, 0x1 ; 检查p
01132A8E |. 5E pop esi
01132A8F |. 8BE5 mov esp, ebp
01132A91 |. 5D pop ebp
01132A92 \. C2 0400 retn 0x4
3.长度为7
01131DD9 . 8D85 34FFFFFF lea eax, dword ptr [ebp-0xCC] ; check timer??
01131DDF . 50 push eax ; /Arg2
01131DE0 . 53 push ebx ; |Arg1
01131DE1 . E8 8A0A0000 call 01132870 ; \Crack_Me.013B2870
01131DE6 . 83FE 07 cmp esi, 0x7 ; check len==7
01131DE9 . 73 0B jnb short 01131DF6
01131DEB . 6A 00 push 0x0
01131DED . 6A 00 push 0x0
01131DEF . 68 0E040000 push 0x40E
01131DF4 . EB 0B jmp short 01131E01
01131DF6 > 76 2C jbe short 01131E24
01131DF8 . 6A 00 push 0x0
01131DFA . 6A 00 push 0x0
01131DFC . 68 0D040000 push 0x40D
4.有2个字母,第3-6位为15PB
011319EA 83F9 02 cmp ecx, 0x2
011319ED 75 4A jnz short 01131A39 ; 字符数为2
011319EF 33C0 xor eax, eax
011319F1 C745 F0 31003500 mov dword ptr [ebp-0x10], 0x350031 ; 15
011319F8 C745 F4 50004200 mov dword ptr [ebp-0xC], 0x420050 ; PB
011319FF 8D77 04 lea esi, dword ptr [edi+0x4]
01131A02 66:8945 F8 mov word ptr [ebp-0x8], ax
01131A06 33C9 xor ecx, ecx
01131A08 0F1F ??? ; Unknown command
01131A0A 8400 test byte ptr [eax], al
01131A0C 0000 add byte ptr [eax], al
01131A0E 0000 add byte ptr [eax], al
01131A10 > 66:8B444D F0 mov ax, word ptr [ebp+ecx*2-0x10] ; s[2--6]="15PB"
01131A15 . 66:3B06 cmp ax, word ptr [esi]
01131A18 . 75 1F jnz short 01131A39
01131A1A . 41 inc ecx
01131A1B . 83C6 02 add esi, 0x2
01131A1E . 83F9 04 cmp ecx, 0x4
01131A21 .^ 72 ED jb short 01131A10
5.前2位为“12”,最后一位为7+1=8
01301810 > /66:8B01 mov ax, word ptr [ecx] ; ----------
01301813 . |66:3B040E cmp ax, word ptr [esi+ecx] ; 前几位为字符序列123...
01301817 . |75 42 jnz short 0130185B
01301819 . |83C2 06 add edx, 0x6
0130181C . |83C1 02 add ecx, 0x2
0130181F . |83FA 39 cmp edx, 0x39
01301822 .^\7E EC jle short 01301810
01301824 . 0FB74F 12 movzx ecx, word ptr [edi+0x12]
01301828 . 0FB703 movzx eax, word ptr [ebx]
0130182B . 03C8 add ecx, eax
0130182D . 83F9 63 cmp ecx, 0x63 ; 第1位加第2位为63
01301830 . 75 29 jnz short 0130185B
01301832 . 8B45 B4 mov eax, dword ptr [ebp-0x4C]
01301835 . 0FB74F 0C movzx ecx, word ptr [edi+0xC] ; 字符7
01301839 . 0308 add ecx, dword ptr [eax] ; 加点击数1
0130183B . 8B45 B0 mov eax, dword ptr [ebp-0x50]
0130183E . 0FB700 movzx eax, word ptr [eax] ; 取最后一位
01301841 . 3BC1 cmp eax, ecx ; 相等?
01301843 . 75 16 jnz short 0130185B
01301845 . 5F pop edi
01301846 . 5E pop esi
01301847 . B8 01000000 mov eax, 0x1 ; 正确
0130184C . 5B pop ebx
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
