[Original] Sorry to add another junk post, heh: SourceFormatX Universal Source Code Formatter 2.5.6.1
Posted on: 2006-3-17 16:04 5295
Sorry to add another junk post, heh. SourceFormatX Universal Source Code Formatter 2.5.6.1
This one is also fairly old and out of date, so I should not get chased for it. But this program does some nasty things too. by zzhzihui@163.net
SourceFormatX Universal Source Code Formatter 2.5.6.1
1.> ANTI-CRACK: deadlocks the system
Very annoying: it checks the file size and reports an error saying the file may be infected with a virus; if you force changes, it keeps loading explorer.exe over and over, maxing out the system and hanging it.
Here is one place:
0055F10A 50 PUSH EAX
0055F10B E8 D477EAFF CALL <JMP.&kernel32.GetFileSize> ; decides from the file size
0055F110 3D A8421200 CMP EAX,1242A8
0055F115 7E 1F JLE SHORT UNPACK~1.0055F136 ;jmp
0055F117 6A 03 PUSH 3
0055F119 B8 B8F45500 MOV EAX,UNPACK~1.0055F4B8 ; ASCII "048229125055114025094102049210040021027068051099091168132234034161018208011"
; the line above is the encrypted "explorer.exe"
0055F11E 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0055F121 E8 9625EFFF CALL UNPACK~1.004516BC
0055F126 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0055F129 E8 124FEAFF CALL UNPACK~1.00404040
0055F12E 50 PUSH EAX
0055F12F E8 4079EAFF CALL <JMP.&kernel32.WinExec>
0055F134 ^ EB E1 JMP SHORT UNPACK~1.0055F117 ; endless loop launching explorer.exe
0055F136 33C0 XOR EAX,EAX
0055F138 5A POP EDX
And another:
0056415F . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; |
00564162 . 50 PUSH EAX ; |hFile
00564163 . E8 CC28EAFF CALL <JMP.&kernel32.SetFilePointer> ; \SetFilePointer
00564168 3D 508D0F00 CMP EAX,0F8D50
0056416D 0F8E F7000000 JLE UNPACK~1.0056426A ;jmp
00564173 . 33D2 XOR EDX,EDX
00564175 . 55 PUSH EBP
00564176 . 68 4D425600 PUSH UNPACK~1.0056424D
.....
00564257 > E8 3819FFFF CALL UNPACK~1.00555B94
0056425C . |6A 03 PUSH 3 ; /ShowState = SW_SHOWMAXIMIZED
0056425E . |68 F4435600 PUSH UNPACK~1.005643F4 ; |CmdLine = "11111111.exe" (originally explorer.exe)
00564263 . |E8 0C28EAFF CALL <JMP.&kernel32.WinExec> ; \WinExec
00564268 .^\EB ED JMP SHORT UNPACK~1.00564257
0056426A > 33C0 XOR EAX,EAX
0056426C . 5A POP EDX
After formatting a file larger than 8k, if you save, there is one more check (I caught it with a breakpoint on WinExec); if it finds the file has been modified (unpacked), it hangs your machine.
00566062 . 6A 02 PUSH 2 ; /Origin = FILE_END
00566064 . 6A 00 PUSH 0 ; |pOffsetHi = NULL
00566066 . 6A 00 PUSH 0 ; |OffsetLo = 0
00566068 . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; |
0056606B . 50 PUSH EAX ; |hFile
0056606C . E8 C309EAFF CALL <JMP.&kernel32.SetFilePointer> ; \SetFilePointer
00566071 . 3D 27E51000 CMP EAX,10E527 ; compares the file contents
00566076 . 76 13 JBE SHORT UNPACK1.0056608B ; this must be a JMP
00566078 > > E8 DBFAFEFF CALL UNPACK1.00555B58 ; ->:TNagForm._PROC_00555B58()
0056607D . 6A 03 PUSH 3 ; /ShowState = SW_SHOWMAXIMIZED
0056607F . 68 A87C5600 PUSH UNPACK1.00567CA8 ; |CmdLine = "11111111.exe"
00566084 . E8 EB09EAFF CALL <JMP.&kernel32.WinExec> ; \WinExec
00566089 .^ EB ED JMP SHORT <UNPACK1.->:TNagForm._PROC_005>
0056608B > 33C0 XOR EAX,EAX
0056608D . 5A POP EDX
---------
00517A60 50 PUSH EAX
00517A61 E8 CEEFEEFF CALL <JMP.&kernel32.SetFilePointer>
00517A66 3D DFF91100 CMP EAX,11F9DF
00517A6B 7E 1B JLE SHORT UNPACK1.00517A88 ; must jmp it here, otherwise the machine hangs
00517A6D E8 E6E00300 CALL UNPACK1.00555B58
00517A72 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00517A75 . E8 96ECFFFF CALL UNPACK1.00516710
00517A7A > 6A 03 PUSH 3 ; /ShowState = SW_SHOWMAXIMIZED
00517A7C . 68 F8945100 PUSH UNPACK1.005194F8 ; |CmdLine = "11111111.exe"
00517A81 . E8 EEEFEEFF CALL <JMP.&kernel32.WinExec> ; \WinExec
00517A86 .^ EB F2 JMP SHORT UNPACK1.00517A7A
00517A88 > 33C0 XOR EAX,EAX
00517A8A . 5A POP EDX
00517A8B . 59 POP ECX
00517A8C . 59 POP ECX
00517A8D . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00517A90 . 68 A57A5100 PUSH UNPACK1.00517AA5
00517A95 > 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00517A98 . E8 5712EFFF CALL UNPACK1.00408CF4
00517A9D . C3 RETN
00517A9E .^ E9 D5BBEEFF JMP UNPACK1.00403678
00517AA3 .^ EB F0 JMP SHORT UNPACK1.00517A95
00517AA5 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C]
00517AA8 B8 10955100 MOV EAX,UNPACK1.00519510 ; ASCII "048231091055114023126106049215088130003077102103113127226094230175002064"
; the line above is
;DS:[00580840]=005817D4
;EAX=00C525D4, (ASCII "License.dat"), the registration file; it is checked when you click Format Folder
00517AAD E8 0A9CF3FF CALL UNPACK1.004516BC
00517AB2 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C]
00517AB5 50 PUSH EAX
00517AB6 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00517AB9 A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517ABE 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517AC0 E8 EF73F3FF CALL UNPACK1.0044EEB4
00517AC5 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
00517AC8 . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
00517ACB . E8 FC14EFFF CALL UNPACK1.00408FCC
00517AD0 . 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
00517AD3 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00517AD6 . 59 POP ECX
00517AD7 . E8 ECC3EEFF CALL UNPACK1.00403EC8
00517ADC . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
00517ADF . E8 8012EFFF CALL UNPACK1.00408D64 ; this call is probably the License.dat check
00517AE4 . 84C0 TEST AL,AL
00517AE6 . 0F84 F5180000 JE UNPACK1.005193E1
00517AEC . 6A 20 PUSH 20 ; /Arg1 = 00000020
00517AEE . 8B4D D0 MOV ECX,DWORD PTR SS:[EBP-30] ; |
00517AF1 . B2 01 MOV DL,1 ; |
00517AF3 . A1 3CF64000 MOV EAX,DWORD PTR DS:[40F63C] ; |
00517AF8 . E8 BBB3EFFF CALL UNPACK1.00412EB8 ; \UNPACK1.00412EB8
00517AFD . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00517B00 . 33C0 XOR EAX,EAX
Looks for license.dat:
00408D17 |. E8 50DBFFFF CALL <JMP.&kernel32.FindFirstFileA> ; \FindFirstFileA
005571D4 |. 2945 FC SUB DWORD PTR SS:[EBP-4],EAX
005571D7 |. FF55 FC CALL DWORD PTR SS:[EBP-4] ; shows the unregistered dialog
005571DA |. 33C0 XOR EAX,EAX
2.> The restriction that "Format All" cannot be used
Stumbled onto a registration flag while tracing.
00564666 . 84C0 TEST AL,AL
00564668 . 74 04 JE SHORT UNPACK1.0056466E ; nop this and it reports processing complete when Format All is chosen, but the formatted output is garbage
0056466A . C645 CB 01 MOV BYTE PTR SS:[EBP-35],1 ; is this the registration flag?? verified: yes
0056466E > 33C0 XOR EAX,EAX
------
3.> ANTI-DEBUG: ollydbg cannot debug it
The program searches for window titles or window classes related to ollydbg, filemon, ... and closes them if found. You can search the unpacked file for ollydbg, trw, sice, ... and change them,
but some are stored encrypted and cannot be found by searching, for example:
0055613F E8 FCDEEAFF CALL UNPACK1.00404040
00556144 50 PUSH EAX
00556145 E8 620DEBFF CALL <JMP.&user32.FindWindowA> ;ollydbg
0055614A 85C0 TEST EAX,EAX
0055614C 74 23 JE SHORT UNPACK1.00556171 ;jmp
0055614E 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00556151 52 PUSH EDX
00556152 50 PUSH EAX
00556153 E8 BC0EEBFF CALL <JMP.&user32.GetWindowThreadProcess>
00556158 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
It checks again:
005729EB E8 BC44E9FF CALL <JMP.&user32.FindWindowA> ;ollydbg
005729F0 85C0 TEST EAX,EAX
005729F2 74 42 JE SHORT UNPACK1.00572A36
005729F4 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
005729F7 52 PUSH EDX
And again:
0055F06F E8 387EEAFF CALL <JMP.&user32.FindWindowA> ;ollydbg
0055F074 85C0 TEST EAX,EAX
0055F076 74 42 JE SHORT UNPACK1.0055F0BA
0055F078 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0055F07B 52 PUSH EDX
It uses the same FindWindowA method and also looks up the window classes of dede, ollydbg, filemon, ... and then XXX. Nasty.
This is the typical code pattern:
005727E4 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005727E7 |. E8 5418E9FF CALL UNPACK1.00404040
005727EC |. 50 PUSH EAX ; |Class
005727ED |. E8 BA46E9FF CALL <JMP.&user32.FindWindowA> ; \FindWindowA
005727F2 |. 85C0 TEST EAX,EAX
005727F4 |. 74 28 JE SHORT UNPACK1.0057281E
005727F6 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
005727F9 |. 52 PUSH EDX ; /pProcessID
005727FA |. 50 PUSH EAX ; |hWnd
005727FB |. E8 1448E9FF CALL <JMP.&user32.GetWindowThreadProcess>; \GetWindowThreadProcessId
00572800 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00572803 |. 50 PUSH EAX ; /ProcessId
00572804 |. 6A 00 PUSH 0 ; |Inheritable = FALSE
00572806 |. 6A 01 PUSH 1 ; |Access = TERMINATE
00572808 |. E8 F741E9FF CALL <JMP.&kernel32.OpenProcess> ; \OpenProcess
0057280D |. 85C0 TEST EAX,EAX
0057280F |. 74 0D JE SHORT UNPACK1.0057281E
00572811 |. 6A 00 PUSH 0 ; /ExitCode = 0
00572813 |. 50 PUSH EAX ; |hProcess
00572814 |. E8 3B42E9FF CALL <JMP.&kernel32.TerminateProcess> ; \TerminateProcess
00572819 |. E8 8A12E9FF CALL UNPACK1.00403AA8
0057281E |> 33C0 XOR EAX,EAX
00572820 |. 5A POP EDX
00572821 |. 59 POP ECX
00572822 |. 59 POP ECX
00572823 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00572826 |. 68 3B285700 PUSH UNPACK1.0057283B
0057282B |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0057282E |. E8 C913E9FF CALL UNPACK1.00403BFC
00572833 \. C3 RETN
4.> Malicious bomb!! Strongly recommend cracking it out; it is really evil.
Even worse: if it detects it has been cracked, it quietly rewrites the registry beyond recognition so that Windows can no longer run.
This is the key it deletes when you click Format Folder:
0012F150 00C8E53C \Subkey = "{883373C3-BF89-11D1-BE35-080036B11A03}"
00450D74 . E8 D7040000 CALL UNPACK1.00451250
00450D79 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00450D7C . 837D E4 00 CMP DWORD PTR SS:[EBP-1C],0
00450D80 . 0F84 B5000000 JE UNPACK1.00450E3B ; if it jumps it does the damage; if it does not jump it still reaches the destructive code
00450D86 . 33C0 XOR EAX,EAX
00450D88 . 55 PUSH EBP
....
00450E3B > \8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00450E3E . E8 FD31FBFF CALL UNPACK1.00404040
00450E43 . 50 PUSH EAX
00450E44 . 8A55 F7 MOV DL,BYTE PTR SS:[EBP-9]
00450E47 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00450E4A . E8 A1FCFFFF CALL UNPACK1.00450AF0
00450E4F . 50 PUSH EAX ; |hKey
00450E50 . E8 6F59FBFF CALL <JMP.&advapi32.RegDeleteKeyA> ; \RegDeleteKeyA
00450E55 . 85C0 TEST EAX,EAX
00450E57 . 0F94C3 SETE BL
Change it like this:
00450E3B /EB 1A JMP SHORT UNPACK1.00450E57 ; skips the API that deletes the registry key
========
5.> The user name in the About window
About window:
0052A682 . E8 F597EDFF CALL UNPACK1.00403E7C
0052A687 . 83F8 28 CMP EAX,28
0052A68A . 7D 0E JGE SHORT UNPACK1.0052A69A ; don't jump (nop it) and the user name is shown, taken from the contents of license.dat
0052A68C . 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
0052A692 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0052A695 . E8 5E4FF0FF CALL UNPACK1.0042F5F8
=========
6.> The restriction on saving files larger than 8k
We now know it checks the lic file in many places, so set bp FindFirstFileA; when it reads the lic, keep pressing Ctrl+F9 until you reach the following code:
00565B0A . 50 PUSH EAX
00565B0B . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00565B0E . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00565B11 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; everything before this reads the lic file and then does some complex computation
00565B14 . E8 B357F9FF CALL UNPACK1.004FB2CC ; this must be the key call; nothing before it touches EBP-25
00565B19 . 84C0 TEST AL,AL
00565B1B . 74 04 JE SHORT UNPACK1.00565B21 ; al nonzero, no jump, flag set to 1
00565B1D . C645 DB 01 MOV BYTE PTR SS:[EBP-25],1 ; registration flag
00565B21 > 33C0 XOR EAX,EAX
00565B23 . 5A POP EDX
00565B24 . 59 POP ECX
00565B25 . 59 POP ECX
00565B26 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00565B29 . 68 3E5B5600 PUSH UNPACK1.00565B3E
00565B2E > 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00565B31 > . E8 EA75EAFF CALL UNPACK1.0040D120 ; ->sysutils.FreeAndNil(void;void);
00565B36 . C3 RETN ; this ret returns to 565B41
00565B37 > .^ E9 3CDBE9FF JMP UNPACK1.00403678 ; ->system.@HandleFinally;
00565B3C .^ EB F0 JMP SHORT UNPACK1.00565B2E
00565B3E > \8A5D DB MOV BL,BYTE PTR SS:[EBP-25] ; sets bl
00565B41 . 80F3 01 XOR BL,1 ; so bl is the flag; it must not be 0: after the XOR with 1 it jumps away only if the result is 0, so bl has to be 1
00565B44 . 84DB TEST BL,BL
00565B46 . 74 39 JE SHORT UNPACK1.00565B81 ; better to just jump here; it jumps when 0
00565B48 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00565B4B . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00565B4E > . 8B80 D0020000 MOV EAX,DWORD PTR DS:[EAX+2D0] ; *MainMenu:TMainMenu
00565B54 . E8 3F34F3FF CALL UNPACK1.00498F98
00565B59 . 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
00565B5C > . E8 1BE3E9FF CALL UNPACK1.00403E7C ; ->system.@LStrLen:Integer;
00565B61 . 3D 05200000 CMP EAX,2005 ; 2005h = 8197d, i.e. 8k
00565B66 . 7E 19 JLE SHORT UNPACK1.00565B81 ; saves only if less than or equal, otherwise not, so jmp it
00565B68 . B8 E7000000 MOV EAX,0E7
00565B6D > . E8 3E2EFFFF CALL UNPACK1.005589B0 ; ->:TNagForm._PROC_005589B0()
00565B72 . B8 8C6C5600 MOV EAX,UNPACK1.00566C8C ; ASCII ".cpp"
00565B77 > . E8 3425FFFF CALL UNPACK1.005580B0 ; ->:TNagForm._PROC_005580B0()
00565B7C . E9 210D0000 JMP UNPACK1.005668A2
00565B81 > B2 01 MOV DL,1
00565B83 . A1 68F44000 MOV EAX,DWORD PTR DS:[40F468]
00565B88 > . E8 9BD3E9FF CALL UNPACK1.00402F28 ; ->system.TObject.Create(TObject;Boolean);
00565B8D . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
---------
Following into that key call, 004FB2CC
....
004FB520 . E8 57DAFFFF CALL sourcefo.004F8F7C
004FB525 . 3C 02 CMP AL,2 ; so this is another tough call; how can al end up equal to 2?
004FB527 . 75 04 JNZ SHORT sourcefo.004FB52D ; this must not jump; changing it here goes a step further, even the notice text in the processed file disappears.
; and the Format All restriction can be lifted from here too!!
004FB529 . C645 DF 01 MOV BYTE PTR SS:[EBP-21],1 ; flag set to 1
004FB52D > 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
004FB530 . E8 33DAFFFF CALL sourcefo.004F8F68
004FB535 . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
004FB538 . E8 2BDAFFFF CALL sourcefo.004F8F68
004FB53D . 33C0 XOR EAX,EAX
004FB53F . 5A POP EDX
004FB540 . 59 POP ECX
004FB541 . 59 POP ECX
004FB542 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004FB545 . EB 0A JMP SHORT sourcefo.004FB551
004FB547 .^ E9 787EF0FF JMP sourcefo.004033C4
004FB54C . E8 CF81F0FF CALL sourcefo.00403720
004FB551 > 33C0 XOR EAX,EAX
004FB553 . 5A POP EDX
004FB554 . 59 POP ECX
004FB555 . 59 POP ECX
004FB556 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004FB559 . 68 99B54F00 PUSH sourcefo.004FB599
004FB55E > 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
004FB561 . 8B15 CC894F00 MOV EDX,DWORD PTR DS:[4F89CC] ; sourcefo.004F89D0
004FB567 . B9 0A000000 MOV ECX,0A
004FB56C . E8 8F8FF0FF CALL sourcefo.00404500
004FB571 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004FB574 . 8B15 CC894F00 MOV EDX,DWORD PTR DS:[4F89CC] ; sourcefo.004F89D0
004FB57A . B9 04000000 MOV ECX,4
004FB57F . E8 7C8FF0FF CALL sourcefo.00404500
004FB584 . 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
004FB587 . BA 03000000 MOV EDX,3
004FB58C . E8 8F86F0FF CALL sourcefo.00403C20
004FB591 . C3 RETN
004FB592 .^ E9 E180F0FF JMP sourcefo.00403678
004FB597 .^ EB C5 JMP SHORT sourcefo.004FB55E
004FB599 . 8A45 DF MOV AL,BYTE PTR SS:[EBP-21] ; flag into al
004FB59C . 5F POP EDI
004FB59D . 5E POP ESI
004FB59E . 5B POP EBX
004FB59F . 8BE5 MOV ESP,EBP
004FB5A1 . 5D POP EBP
004FB5A2 . C2 1000 RETN 10
7.> The restriction on copying more than 8k of content
00561DFE > . E8 A10EEBFF CALL UNPACK1.00412CA4 ; ->classes.TStream.SetPosition(TStream;Longint);
00561E03 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00561E06 > . E8 4122EAFF CALL UNPACK1.0040404C ; ->system.UniqueString(String;String);
00561E0B . 8BD0 MOV EDX,EAX
00561E0D . B9 0A000000 MOV ECX,0A
00561E12 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00561E15 . 8B30 MOV ESI,DWORD PTR DS:[EAX]
00561E17 . FF56 04 CALL DWORD PTR DS:[ESI+4]
00561E1A . 33D2 XOR EDX,EDX
00561E1C . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00561E1F > . E8 800EEBFF CALL UNPACK1.00412CA4 ; ->classes.TStream.SetPosition(TStream;Longint);
00561E24 . 8D7B 02 LEA EDI,DWORD PTR DS:[EBX+2]
00561E27 . 8BC7 MOV EAX,EDI
00561E29 > . E8 E608EAFF CALL UNPACK1.00402714 ; ->system.@GetMem;
00561E2E . 8BF0 MOV ESI,EAX
00561E30 . 8BCF MOV ECX,EDI
00561E32 . 8BD6 MOV EDX,ESI
00561E34 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00561E37 . 8B18 MOV EBX,DWORD PTR DS:[EAX]
00561E39 . FF53 04 CALL DWORD PTR DS:[EBX+4]
00561E3C . 8BD8 MOV EBX,EAX
00561E3E . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00561E41 . B9 02000000 MOV ECX,2
00561E46 . BA 01000000 MOV EDX,1
00561E4B > . E8 7422EAFF CALL UNPACK1.004040C4 ; ->system.@LStrDelete;
00561E50 . 85DB TEST EBX,EBX
00561E52 . 7E 1D JLE SHORT UNPACK1.00561E71
00561E54 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00561E57 . 8BD3 MOV EDX,EBX
00561E59 . 8BC6 MOV EAX,ESI
00561E5B > . E8 9880EFFF CALL UNPACK1.00459EF8 ; ->:TMessageForm._PROC_00459EF8()
00561E60 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; a string 68E9065F, perhaps part of a correct LIC, ha, honestly.
; cutting also checks the last 8 bytes of the LIC, but those 8 bytes are computed from the data before them, so if the earlier data is changed the last 8 bytes of the LIC become invalid too
; contents of a half-genuine LIC file: 0482310910551140231261060492150868E9065F
00561E63 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; the last 8 bytes of the lic file, 81300030
00561E66 > . E8 2121EAFF CALL UNPACK1.00403F8C ; ->system.@LStrCmp; compares the strings; the lic could perhaps be studied from here
00561E6B . 75 04 JNZ SHORT UNPACK1.00561E71 ; !!! no jump and the copy succeeds
00561E6D . C645 EF 01 MOV BYTE PTR SS:[EBP-11],1 ; !!! this is the flag
00561E71 > B9 40205600 MOV ECX,UNPACK1.00562040 ; ASCII "1234ABCD"
00561E76 . 8BD3 MOV EDX,EBX
00561E78 . 8BC6 MOV EAX,ESI
00561E7A > . E8 F965FAFF CALL UNPACK1.00508478 ; ->:TSynComment._PROC_00508478()
00561E7F . 8BC6 MOV EAX,ESI
00561E81 > . E8 A608EAFF CALL UNPACK1.0040272C ; ->system.@FreeMem;
00561E86 . 33C0 XOR EAX,EAX
8.> The restriction on cutting more than 8k of content
00561AFB > . E8 C425EAFF CALL UNPACK1.004040C4 ; ->system.@LStrDelete;
00561B00 . 85DB TEST EBX,EBX
00561B02 . 7E 1D JLE SHORT UNPACK1.00561B21
00561B04 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00561B07 . 8BD3 MOV EDX,EBX
00561B09 . 8BC6 MOV EAX,ESI
00561B0B > . E8 E883EFFF CALL UNPACK1.00459EF8 ; ->:TMessageForm._PROC_00459EF8()
00561B10 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00561B13 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00561B16 > . E8 7124EAFF CALL UNPACK1.00403F8C ; ->system.@LStrCmp;
00561B1B . 75 04 JNZ SHORT UNPACK1.00561B21 ; !!! no jump and the cut succeeds
00561B1D . C645 EF 01 MOV BYTE PTR SS:[EBP-11],1 ; !!! this is the flag
00561B21 > 8BCB MOV ECX,EBX
00561B23 . 8BD6 MOV EDX,ESI
00561B25 . B8 F01C5600 MOV EAX,UNPACK1.00561CF0 ; ASCII "ABCD1234"
00561B2A > . E8 6970FAFF CALL UNPACK1.00508B98 ; ->:TSynComment._PROC_00508B98()
00561B2F . 8BC6 MOV EAX,ESI
00561B31 > . E8 F60BEAFF CALL UNPACK1.0040272C ; ->system.@FreeMem;
00561B36 . 33C0 XOR EAX,EAX
00561B38 . 5A POP EDX
9.> Format Folder function restriction
Callers of the check at 0056466A . C645 CB 01 MOV BYTE PTR SS:[EBP-35],1 ; registration flag
Local Calls from 00564661, 00565B14, 005662D0, 00567F90, 00569CC4
=======
Code disassembled by DeDe
formatfolderbtnclick 56c16c ->call 565834 ; Format Folder button
menuclick 565834 ; Format Folder menu item
---
00565834 55 push ebp
00565835 8BEC mov ebp, esp
00565837 51 push ecx
00565838 8B0D40085800 mov ecx, [$00580840]
0056583E 8B09 mov ecx, [ecx]
00565840 B201 mov dl, $01
00565842 A1C45A5100 mov eax, dword ptr [$00515AC4]
* Reference to: forms.TCustomForm.Create(TCustomForm;boolean;TComponent);
|
00565847 E8FC1FEEFF call 00447848
0056584C 8945FC mov [ebp-$04], eax
0056584F 33C0 xor eax, eax
00565851 55 push ebp
* Possible String Reference to: '轷蓍?鹳]谜??'
|
00565852 687E585600 push $0056587E
***** TRY
|
00565857 64FF30 push dword ptr fs:[eax]
0056585A 648920 mov fs:[eax], esp
0056585D 8B45FC mov eax, [ebp-$04]
00565860 8B10 mov edx, [eax]
00565862 FF92D8000000 call dword ptr [edx+$00D8]
00565868 33C0 xor eax, eax
0056586A 5A pop edx
0056586B 59 pop ecx
0056586C 59 pop ecx
0056586D 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: 'Y]谜??'
|
00565870 6885585600 push $00565885
00565875 8D45FC lea eax, [ebp-$04]
* Reference to: sysutils.FreeAndNil(void;void);
|
00565878 E8A378EAFF call 0040D120
0056587D C3 ret
* Reference to: system.@HandleFinally;
|
0056587E E9F5DDE9FF jmp 00403678
00565883 EBF0 jmp 00565875
****** END
|
00565885 59 pop ecx
00565886 5D pop ebp
00565887 C3 ret
=========
***** Generated a map file with DeDe; this time it is much easier to follow. :)
Choosing Format Folder lands here:
00517A88 > \33C0 XOR EAX,EAX
00517A8A . 5A POP EDX
00517A8B . 59 POP ECX
00517A8C . 59 POP ECX
00517A8D . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00517A90 . 68 A57A5100 PUSH UNPACK1.00517AA5
00517A95 > 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00517A98 > . E8 5712EFFF CALL UNPACK1.00408CF4 ; ->sconnect.CloseRegKey(HKEY);
00517A9D . C3 RETN
00517A9E > .^ E9 D5BBEEFF JMP UNPACK1.00403678 ; ->system.@HandleFinally;
00517AA3 .^ EB F0 JMP SHORT UNPACK1.00517A95
00517AA5 . 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C]
00517AA8 . B8 10955100 MOV EAX,UNPACK1.00519510 ; ASCII "048231091055114023126106049215088130003077102103113127226094230175002064"
00517AAD . E8 0A9CF3FF CALL UNPACK1.004516BC
00517AB2 . 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C]
00517AB5 . 50 PUSH EAX
00517AB6 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00517AB9 . A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517ABE . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517AC0 > . E8 EF73F3FF CALL UNPACK1.0044EEB4 ; ->ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
00517AC5 . 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
00517AC8 . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
00517ACB > . E8 FC14EFFF CALL UNPACK1.00408FCC ; ->sysutils.ExtractFilePath(AnsiString):AnsiString;
00517AD0 . 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
00517AD3 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00517AD6 . 59 POP ECX
00517AD7 > . E8 ECC3EEFF CALL UNPACK1.00403EC8 ; ->system.@LStrCat3; concatenates strings
00517ADC . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
00517ADF > . E8 8012EFFF CALL UNPACK1.00408D64 ; ->sysutils.FileExists(AnsiString):Boolean;
00517AE4 . 84C0 TEST AL,AL
00517AE6 . 0F84 F5180000 JE UNPACK1.005193E1
00517AEC . 6A 20 PUSH 20 ; /Arg1 = 00000020
00517AEE . 8B4D D0 MOV ECX,DWORD PTR SS:[EBP-30] ; |
00517AF1 . B2 01 MOV DL,1 ; |
00517AF3 . A1 3CF64000 MOV EAX,DWORD PTR DS:[40F63C] ; |
00517AF8 > . E8 BBB3EFFF CALL UNPACK1.00412EB8 ; \->classes.TFileStream.Create(TFileStream;boolean;AnsiString;Word);
00517AFD . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00517B00 . 33C0 XOR EAX,EAX
00517B02 . 55 PUSH EBP
00517B03 . 68 4D7D5100 PUSH <UNPACK1.->system.@HandleFinally;>
00517B08 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00517B0B . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517B0E . 33D2 XOR EDX,EDX
00517B10 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00517B13 > . E8 8CB1EFFF CALL UNPACK1.00412CA4 ; ->classes.TStream.SetPosition(TStream;Longint);
00517B18 . 33DB XOR EBX,EBX
00517B1A > 8D55 A7 LEA EDX,DWORD PTR SS:[EBP-59]
00517B1D . B9 01000000 MOV ECX,1
00517B22 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00517B25 . 8B30 MOV ESI,DWORD PTR DS:[EAX]
00517B27 . FF56 04 CALL DWORD PTR DS:[ESI+4]
00517B2A . 807D A7 00 CMP BYTE PTR SS:[EBP-59],0
00517B2E . 74 1C JE SHORT UNPACK1.00517B4C
00517B30 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
00517B33 . 8A55 A7 MOV DL,BYTE PTR SS:[EBP-59]
00517B36 > . E8 69C2EEFF CALL UNPACK1.00403DA4 ; ->system.@LStrFromChar(String;String;Char);
00517B3B . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
00517B3E . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00517B41 > . E8 3EC3EEFF CALL UNPACK1.00403E84 ; ->system.@LStrCat;
00517B46 . 43 INC EBX
00517B47 . 83FB 28 CMP EBX,28 ; 28h = 40d, maybe the lic file needs 40 bytes; yes it does
00517B4A .^ 7C CE JL SHORT UNPACK1.00517B1A
00517B4C > 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00517B4F . A1 20065800 MOV EAX,DWORD PTR DS:[580620]
00517B54 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517B56 . 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
00517B59 > . E8 A23D0500 CALL <UNPACK1.<-TMainForm@GetFinal> ; ->:TMainForm.GetFinal()
00517B5E . BA 28000000 MOV EDX,28
00517B63 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00517B66 > . E8 39B1EFFF CALL UNPACK1.00412CA4 ; ->classes.TStream.SetPosition(TStream;Longint);
00517B6B . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00517B6E > . E8 3DB1EFFF CALL UNPACK1.00412CB0 ; ->classes.TStream.GetSize(TStream):Longint;
00517B73 . 8BD8 MOV EBX,EAX
00517B75 . 83EB 28 SUB EBX,28
00517B78 . 81EB 5C010000 SUB EBX,15C
00517B7E . B2 01 MOV DL,1
00517B80 . A1 14F74000 MOV EAX,DWORD PTR DS:[40F714]
00517B85 > . E8 9EB3EEFF CALL UNPACK1.00402F28 ; ->system.TObject.Create(TObject;Boolean);
00517B8A . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00517B8D . 33C0 XOR EAX,EAX
00517B8F . 55 PUSH EBP
00517B90 . 68 307D5100 PUSH <UNPACK1.->system.@HandleFinally;>
00517B95 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00517B98 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517B9B . 8BD3 MOV EDX,EBX
00517B9D . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00517BA0 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
00517BA2 . FF11 CALL DWORD PTR DS:[ECX] ; damn, this call raises an exception and the program exits
00517BA4 . 8BCB MOV ECX,EBX ; if we get this far there is a chance,
00517BA6 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
00517BA9 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00517BAC > . E8 A7B1EFFF CALL UNPACK1.00412D58 ; ->classes.TStream.CopyFrom(TStream;TStream;Longint):Longint;
00517BB1 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00517BB4 . BA 5C010000 MOV EDX,15C
00517BB9 > . E8 F2C5EEFF CALL UNPACK1.004041B0 ; ->system.@LStrSetLength;
00517BBE . 8D53 28 LEA EDX,DWORD PTR DS:[EBX+28]
00517BC1 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00517BC4 > . E8 DBB0EFFF CALL UNPACK1.00412CA4 ; ->classes.TStream.SetPosition(TStream;Longint);
00517BC9 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00517BCC > . E8 7BC4EEFF CALL UNPACK1.0040404C ; ->system.UniqueString(String;String);
00517BD1 . 8BD0 MOV EDX,EAX
00517BD3 . B9 5C010000 MOV ECX,15C
00517BD8 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00517BDB . 8B18 MOV EBX,DWORD PTR DS:[EAX]
00517BDD . FF53 04 CALL DWORD PTR DS:[EBX+4]
00517BE0 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00517BE3 . 50 PUSH EAX
00517BE4 . B9 54010000 MOV ECX,154
00517BE9 . BA 01000000 MOV EDX,1
00517BEE . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00517BF1 > . E8 8EC4EEFF CALL UNPACK1.00404084 ; ->system.@LStrCopy;
00517BF6 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
00517BF9 . 33D2 XOR EDX,EDX
00517BFB . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00517BFE > . E8 652CF4FF CALL UNPACK1.0045A868 ; ->:TMessageForm._PROC_0045A868()
00517C03 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
00517C06 . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00517C09 > . E8 76C2EEFF CALL UNPACK1.00403E84 ; ->system.@LStrCat;
00517C0E . 8B45 80 MOV EAX,DWORD PTR SS:[EBP-80]
00517C11 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
00517C14 > . E8 0B23F4FF CALL UNPACK1.00459F24 ; ->:TMessageForm._PROC_00459F24()
00517C19 . 8B55 84 MOV EDX,DWORD PTR SS:[EBP-7C]
00517C1C . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00517C1F > . E8 70C0EEFF CALL UNPACK1.00403C94 ; ->system.@LStrLAsg;
00517C24 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00517C27 > . E8 84B0EFFF CALL UNPACK1.00412CB0 ; ->classes.TStream.GetSize(TStream):Longint;
00517C2C . 8BC8 MOV ECX,EAX
00517C2E . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00517C31 . 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
00517C34 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00517C37 . E8 6442FEFF CALL UNPACK1.004FBEA0
00517C3C . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00517C3F . B9 4A000000 MOV ECX,4A
00517C44 . BA 01000000 MOV EDX,1
00517C49 > . E8 76C4EEFF CALL UNPACK1.004040C4 ; ->system.@LStrDelete;
00517C4E . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
00517C54 . B8 64955100 MOV EAX,UNPACK1.00519564 ; ASCII "054003171055113035037119048230109199179053021179090088151031175"
00517C59 . E8 5E9AF3FF CALL UNPACK1.004516BC
00517C5E . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00517C64 . BA AC955100 MOV EDX,UNPACK1.005195AC ; ASCII "735654094212999541971829652262475428651946341206401453831061555989372607929543564130920224754602365578975394352438430717004083507899084371568465239026091181018575401130395959689931997655143106860635246929341093461273051296561722682233738"...
00517C69 > . E8 16C2EEFF CALL UNPACK1.00403E84 ; ->system.@LStrCat;
00517C6E . 8B85 7CFFFFFF MOV EAX,DWORD PTR SS:[EBP-84]
00517C74 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
00517C77 . E8 7410FEFF CALL UNPACK1.004F8CF0
00517C7C . 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
00517C82 . B8 30985100 MOV EAX,UNPACK1.00519830 ; ASCII "048224055055115006009179049222227172058055190162127173"
00517C87 . E8 309AF3FF CALL UNPACK1.004516BC
00517C8C . 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
00517C92 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
00517C95 . E8 5610FEFF CALL UNPACK1.004F8CF0
00517C9A . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00517C9D . 50 PUSH EAX
00517C9E . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-58]
00517CA1 . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00517CA4 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
00517CA7 . E8 F034FEFF CALL UNPACK1.004FB19C ; this should be a key call
00517CAC . 84C0 TEST AL,AL
00517CAE . 74 56 JE SHORT UNPACK1.00517D06 ; jumping away sets the flag to 1; it seems this must not jump
00517CB0 . 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00517CB6 . A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517CBB . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517CBD > . E8 F271F3FF CALL UNPACK1.0044EEB4 ; ->ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
00517CC2 . 8B85 70FFFFFF MOV EAX,DWORD PTR SS:[EBP-90]
00517CC8 . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
00517CCE > . E8 F912EFFF CALL UNPACK1.00408FCC ; ->sysutils.ExtractFilePath(AnsiString):AnsiString;
00517CD3 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00517CD9 . 50 PUSH EAX
00517CDA . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00517CE0 . B8 70985100 MOV EAX,UNPACK1.00519870 ; ASCII "054007231055113033202017049209033255031124184050143002100212225023210254192"
00517CE5 . E8 D299F3FF CALL UNPACK1.004516BC
00517CEA . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
00517CF0 . 58 POP EAX
00517CF1 > . E8 8EC1EEFF CALL UNPACK1.00403E84 ; ->system.@LStrCat;
00517CF6 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
00517CFC . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00517CFF > . E8 10B3EFFF CALL UNPACK1.00413014 ; ->classes.TCustomMemoryStream.SaveToFile(TCustomMemoryStream;AnsiString);
00517D04 . EB 04 JMP SHORT UNPACK1.00517D0A
00517D06 > C645 A4 01 MOV BYTE PTR SS:[EBP-5C],1
00517D0A > 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00517D0D . E8 5612FEFF CALL UNPACK1.004F8F68
00517D12 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00517D15 . E8 4E12FEFF CALL UNPACK1.004F8F68
00517D1A . 33C0 XOR EAX,EAX
00517D1C . 5A POP EDX
00517D1D . 59 POP ECX
00517D1E . 59 POP ECX
00517D1F . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00517D22 . 68 377D5100 PUSH UNPACK1.00517D37
00517D27 > 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00517D2A > . E8 F153EFFF CALL UNPACK1.0040D120 ; ->sysutils.FreeAndNil(void;void);
00517D2F . C3 RETN
00517D30 > .^ E9 43B9EEFF JMP UNPACK1.00403678 ; ->system.@HandleFinally;
00517D35 .^ EB F0 JMP SHORT UNPACK1.00517D27
00517D37 . 33C0 XOR EAX,EAX
00517D39 . 5A POP EDX
00517D3A . 59 POP ECX
00517D3B . 59 POP ECX
00517D3C . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00517D3F . 68 547D5100 PUSH UNPACK1.00517D54
00517D44 > 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00517D47 > . E8 D453EFFF CALL UNPACK1.0040D120 ; ->sysutils.FreeAndNil(void;void);
00517D4C . C3 RETN
00517D4D > .^ E9 26B9EEFF JMP UNPACK1.00403678 ; ->system.@HandleFinally;
00517D52 .^ EB F0 JMP SHORT UNPACK1.00517D44
00517D54 . 807D A4 00 CMP BYTE PTR SS:[EBP-5C],0
00517D58 . 74 4B JE SHORT UNPACK1.00517DA5
00517D5A . A1 20065800 MOV EAX,DWORD PTR DS:[580620]
00517D5F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517D61 . 8B80 18040000 MOV EAX,DWORD PTR DS:[EAX+418]
00517D67 . 8078 2C 00 CMP BYTE PTR DS:[EAX+2C],0
00517D6B . 74 1D JE SHORT UNPACK1.00517D8A
00517D6D . 8D95 68FFFFFF LEA EDX,DWORD PTR SS:[EBP-98]
00517D73 . B8 C4985100 MOV EAX,UNPACK1.005198C4 ; ASCII "055119093055112049201038048231092217156207189011090226058046038068139020089095217243077055028234236197123135129152120227107211249038144110189162229174233"
00517D78 . E8 3F99F3FF CALL UNPACK1.004516BC
00517D7D . 8B85 68FFFFFF MOV EAX,DWORD PTR SS:[EBP-98]
00517D83 > . E8 5CE8FFFF CALL UNPACK1.005165E4 ; ->:TDirForm._PROC_005165E4()
00517D88 . EB 1B JMP SHORT UNPACK1.00517DA5
00517D8A > 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
00517D90 . B8 68995100 MOV EAX,UNPACK1.00519968 ; ASCII "053026053055118103231098048228008042194075128219195242253113095147020017190213100150190141026096033225139232193077066049016236215190053098127209067088005023166182136074243002106076012199190238077"
00517D95 . E8 2299F3FF CALL UNPACK1.004516BC
00517D9A . 8B85 64FFFFFF MOV EAX,DWORD PTR SS:[EBP-9C]
00517DA0 > . E8 3FE8FFFF CALL UNPACK1.005165E4 ; ->:TDirForm._PROC_005165E4()
00517DA5 > B8 70985100 MOV EAX,UNPACK1.00519870 ; ASCII "054007231055113033202017049209033255031124184050143002100212225023210254192"
00517DAA . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
00517DB0 . E8 0799F3FF CALL UNPACK1.004516BC
00517DB5 . 8B85 60FFFFFF MOV EAX,DWORD PTR SS:[EBP-A0]
00517DBB . 50 PUSH EAX
00517DBC . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
00517DC2 . A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517DC7 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517DC9 > . E8 E670F3FF CALL UNPACK1.0044EEB4 ; ->ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
00517DCE . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00517DD4 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
00517DDA > . E8 ED11EFFF CALL UNPACK1.00408FCC ; ->sysutils.ExtractFilePath(AnsiString):AnsiString;
00517DDF . 8B95 5CFFFFFF MOV EDX,DWORD PTR SS:[EBP-A4]
00517DE5 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00517DE8 . 59 POP ECX
00517DE9 > . E8 DAC0EEFF CALL UNPACK1.00403EC8 ; ->system.@LStrCat3;
00517DEE . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00517DF1 > . E8 6E0FEFFF CALL UNPACK1.00408D64 ; ->sysutils.FileExists(AnsiString):Boolean;
00517DF6 . 84C0 TEST AL,AL
00517DF8 . 0F84 5F160000 JE UNPACK1.0051945D
00517DFE . B2 01 MOV DL,1
00517E00 . A1 68F44000 MOV EAX,DWORD PTR DS:[40F468]
00517E05 > . E8 1EB1EEFF CALL UNPACK1.00402F28 ; ->system.TObject.Create(TObject;Boolean);
00517E0A . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00517E0D . B2 01 MOV DL,1
00517E0F . A1 68F44000 MOV EAX,DWORD PTR DS:[40F468]
00517E14 > . E8 0FB1EEFF CALL UNPACK1.00402F28 ; ->system.TObject.Create(TObject;Boolean);
00517E19 . 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00517E1C . 33C0 XOR EAX,EAX
00517E1E . 55 PUSH EBP
00517E1F . 68 FC925100 PUSH <UNPACK1.->system.@HandleFinally;>
00517E24 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00517E27 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517E2A . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00517E2D > . E8 0EC2EEFF CALL UNPACK1.00404040 ; ->system.@LStrToPChar;
00517E32 . 50 PUSH EAX ; /FileName
00517E33 . E8 9CEBEEFF CALL <JMP.&kernel32.LoadLibraryA> ; \LoadLibraryA
00517E38 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00517E3B . 33C0 XOR EAX,EAX
00517E3D . 55 PUSH EBP
00517E3E . 68 28925100 PUSH <UNPACK1.->system.@HandleFinally;>
00517E43 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00517E46 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517E49 . 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00517E4D . 0F84 B6130000 JE UNPACK1.00519209
00517E53 . 8D95 54FFFFFF LEA EDX,DWORD PTR SS:[EBP-AC]
00517E59 . B8 349A5100 MOV EAX,UNPACK1.00519A34 ; ASCII "049222229055114020045143049208050236205071200166226211233063208098181001134"
00517E5E . E8 5998F3FF CALL UNPACK1.004516BC
00517E63 . 8B85 54FFFFFF MOV EAX,DWORD PTR SS:[EBP-AC]
00517E69 > . E8 D2C1EEFF CALL UNPACK1.00404040 ; ->system.@LStrToPChar;
00517E6E . 50 PUSH EAX ; /ProcNameOrOrdinal
00517E6F . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; |
00517E72 . 50 PUSH EAX ; |hModule
00517E73 . E8 ACEAEEFF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
===========
An exception is raised at 00517BA2 . FF11 CALL DWORD PTR DS:[ECX]; if you trace into it you land here:
00413190 . 53 PUSH EBX
00413191 . 56 PUSH ESI
00413192 . 57 PUSH EDI
00413193 . 833A 00 CMP DWORD PTR DS:[EDX],0
00413196 . 7E 10 JLE SHORT sourcefo.004131A8 ; if this does not jump there is no exception
00413198 . 8B0A MOV ECX,DWORD PTR DS:[EDX]
0041319A . 81C1 FF1F0000 ADD ECX,1FFF
004131A0 . 81E1 00E0FFFF AND ECX,FFFFE000
===========
00412DB1 85DB TEST EBX,EBX
00412DB3 74 2D JE SHORT sourcefo.00412DE2 ; forcing the jump here shows "Invalid license file"
00412DB5 3B5D F0 /CMP EBX,DWORD PTR SS:[EBP-10]
==========
By the time execution reaches here it has already been detected; this only displays the error message, probably in different languages
00516494 55 PUSH EBP
00516495 8BEC MOV EBP,ESP
00516497 6A 00 PUSH 0
00516499 6A 00 PUSH 0
0051649B 6A 00 PUSH 0
0051649D 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
005164A0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005164A3 E8 88DBEEFF CALL sourcefo.00404030
005164A8 33C0 XOR EAX,EAX
005164AA 55 PUSH EBP
005164AB 68 44655100 PUSH sourcefo.00516544
005164B0 64:FF30 PUSH DWORD PTR FS:[EAX]
005164B3 64:8920 MOV DWORD PTR FS:[EAX],ESP
005164B6 A1 20065800 MOV EAX,DWORD PTR DS:[580620]
005164BB 8B00 MOV EAX,DWORD PTR DS:[EAX]
005164BD 8B80 18040000 MOV EAX,DWORD PTR DS:[EAX+418]
005164C3 8078 2C 00 CMP BYTE PTR DS:[EAX+2C],0
005164C7 74 31 JE SHORT sourcefo.005164FA
005164C9 6A 40 PUSH 40
005164CB 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005164CE B8 58655100 MOV EAX,sourcefo.00516558 ; ASCII "055115000055115008104061049223213141026205255155023"
005164D3 E8 E4B1F3FF CALL sourcefo.004516BC
005164D8 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005164DB E8 60DBEEFF CALL sourcefo.00404040
005164E0 50 PUSH EAX
005164E1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005164E4 E8 57DBEEFF CALL sourcefo.00404040
005164E9 8BD0 MOV EDX,EAX
005164EB A1 40085800 MOV EAX,DWORD PTR DS:[580840]
005164F0 8B00 MOV EAX,DWORD PTR DS:[EAX]
005164F2 59 POP ECX
005164F3 E8 4C86F3FF CALL sourcefo.0044EB44 ; error-message call
005164F8 EB 2F JMP SHORT sourcefo.00516529
005164FA 6A 40 PUSH 40
005164FC 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
005164FF B8 94655100 MOV EAX,sourcefo.00516594 ; ASCII "048225038055115003038086049208053059096079041108062"
00516504 E8 B3B1F3FF CALL sourcefo.004516BC
00516509 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0051650C E8 2FDBEEFF CALL sourcefo.00404040
00516511 50 PUSH EAX
00516512 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00516515 E8 26DBEEFF CALL sourcefo.00404040
0051651A 8BD0 MOV EDX,EAX
0051651C A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00516521 8B00 MOV EAX,DWORD PTR DS:[EAX]
00516523 59 POP ECX
00516524 E8 1B86F3FF CALL sourcefo.0044EB44 ; error-message call
00516529 33C0 XOR EAX,EAX
0051652B 5A POP EDX
0051652C 59 POP ECX
0051652D 59 POP ECX
0051652E 64:8910 MOV DWORD PTR FS:[EAX],EDX
00516531 68 4B655100 PUSH sourcefo.0051654B
00516536 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00516539 BA 03000000 MOV EDX,3
0051653E E8 DDD6EEFF CALL sourcefo.00403C20
00516543 C3 RETN
...........
The code above is called from here; once execution gets here it is already over, since there is no conditional jump:
005166E4 59 POP ECX
005166E5 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005166E8 2945 FC SUB DWORD PTR SS:[EBP-4],EAX
005166EB FF55 FC CALL DWORD PTR SS:[EBP-4] ; this call invokes a procedure, which in turn calls 00516494
005166EE 33C0 XOR EAX,EAX
005166F0 5A POP EDX
005166F1 59 POP ECX
...........
The previous block is in turn called from here:
00517D54 807D A4 00 CMP BYTE PTR SS:[EBP-5C],0
00517D58 74 4B JE SHORT sourcefo.00517DA5 ; jumps away here
00517D5A A1 20065800 MOV EAX,DWORD PTR DS:[580620]
00517D5F 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517D61 8B80 18040000 MOV EAX,DWORD PTR DS:[EAX+418]
00517D67 8078 2C 00 CMP BYTE PTR DS:[EAX+2C],0
00517D6B 74 1D JE SHORT sourcefo.00517D8A ; otherwise this one cannot jump away
00517D6D 8D95 68FFFFFF LEA EDX,DWORD PTR SS:[EBP-98]
00517D73 B8 C4985100 MOV EAX,sourcefo.005198C4 ; ASCII "055119093055112049201038048231092217156207189011090226058046038068139020089095217243077055028234236197123135129152120227107211249038144110189162229174233"
; this should be the Chinese-language message
00517D78 E8 3F99F3FF CALL sourcefo.004516BC
00517D7D 8B85 68FFFFFF MOV EAX,DWORD PTR SS:[EBP-98]
00517D83 E8 5CE8FFFF CALL sourcefo.005165E4 ; this calls 5165e4; the code that follows it is 5166e4
00517D88 EB 1B JMP SHORT sourcefo.00517DA5 ; on to the summit of light!!
00517D8A 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
00517D90 B8 68995100 MOV EAX,sourcefo.00519968 ; ASCII "053026053055118103231098048228008042194075128219195242253113095147020017190213100150190141026096033225139232193077066049016236215190053098127209067088005023166182136074243002106076012199190238077"
; damn, reaching here is dead too; the string above is the encrypted form of (ASCII "Invalid license file, please contact Crossbow Soft. ")
00517D95 E8 2299F3FF CALL sourcefo.004516BC
00517D9A 8B85 64FFFFFF MOV EAX,DWORD PTR SS:[EBP-9C]
00517DA0 E8 3FE8FFFF CALL sourcefo.005165E4
00517DA5 B8 70985100 MOV EAX,sourcefo.00519870 ; ASCII "054007231055113033202017049209033255031124184050143002100212225023210254192"
; this is the summit of light: the encrypted string of a temporary file (ASCII "~$Sftemp.tmp")
; damn, judging from the code that follows this should be a DLL, whose FormatEngine function gets loaded
00517DAA 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
00517DB0 E8 0799F3FF CALL sourcefo.004516BC
00517DB5 8B85 60FFFFFF MOV EAX,DWORD PTR SS:[EBP-A0]
00517DBB 50 PUSH EAX
00517DBC 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
00517DC2 A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517DC7 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517DC9 E8 E670F3FF CALL sourcefo.0044EEB4
00517DCE 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00517DD4 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
==
The key!!! is at:
00517CAE . 74 56 JE SHORT UNPACK1.00517D06 ; jumping away sets the flag to 1; it seems this must not jump away, so that execution reaches LoadLibrary
.........
As follows:
00517E2D E8 0EC2EEFF CALL sourcefo.00404040
00517E32 50 PUSH EAX ; load ~$Sftemp.tmp
00517E33 E8 9CEBEEFF CALL sourcefo.004069D4 ; JMP to kernel32.LoadLibraryA
00517E38 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00517E3B 33C0 XOR EAX,EAX
00517E3D 55 PUSH EBP
00517E3E 68 28925100 PUSH sourcefo.00519228
00517E43 64:FF30 PUSH DWORD PTR FS:[EAX]
00517E46 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517E49 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00517E4D 0F84 B6130000 JE sourcefo.00519209
00517E53 8D95 54FFFFFF LEA EDX,DWORD PTR SS:[EBP-AC]
00517E59 B8 349A5100 MOV EAX,sourcefo.00519A34 ; ASCII "049222229055114020045143049208050236205071200166226211233063208098181001134"
; the encrypted string of FormatEngine
00517E5E E8 5998F3FF CALL sourcefo.004516BC
00517E63 8B85 54FFFFFF MOV EAX,DWORD PTR SS:[EBP-AC]
00517E69 E8 D2C1EEFF CALL sourcefo.00404040
00517E6E 50 PUSH EAX
00517E6F 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00517E72 50 PUSH EAX
00517E73 E8 ACEAEEFF CALL sourcefo.00406924 ; JMP to kernel32.GetProcAddress
00517E78 8BF0 MOV ESI,EAX
00517E7A 89F3 MOV EBX,ESI
00517E7C 85F6 TEST ESI,ESI
00517E7E 0F84 85130000 JE sourcefo.00519209
00517E84 C645 A5 01 MOV BYTE PTR SS:[EBP-5B],1
00517E88 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00517E8B 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
00517E91 8B80 F0010000 MOV EAX,DWORD PTR DS:[EAX+1F0]
00517E97 33D2 XOR EDX,EDX
==================
The decoding code for the lic file:
00459F63 . /7E 2C JLE SHORT sourcefo.00459F91
00459F65 . |BE 01000000 MOV ESI,1
00459F6A > |8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00459F6D . |8A5432 FF MOV DL,BYTE PTR DS:[EDX+ESI-1]
00459F71 . |32D3 XOR DL,BL
00459F73 . |81E2 FF000000 AND EDX,0FF
00459F79 . |8B1495 C09B570>MOV EDX,DWORD PTR DS:[EDX*4+579BC0]
00459F80 . |C1EB 08 SHR EBX,8
00459F83 . |81E3 FFFFFF00 AND EBX,0FFFFFF
00459F89 . |33D3 XOR EDX,EBX
00459F8B . |8BDA MOV EBX,EDX
00459F8D . |46 INC ESI
00459F8E . |48 DEC EAX
00459F8F .^|75 D9 JNZ SHORT sourcefo.00459F6A
00459F91 > \8BC3 MOV EAX,EBX
00459F93 . 33D2 XOR EDX,EDX
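As an added example (not code from the original post or from SourceFormatX): the loop at 00459F6A..00459F8F has exactly the shape of a table-driven CRC-32 update, and the C below mirrors it register by register so the listing can be read against it. The contents of the table at 579BC0, the initial value of EBX and any final XOR are not shown in the excerpt, so the standard CRC-32 (reflected polynomial 0xEDB88320, init 0xFFFFFFFF, final complement) is assumed; if the real table differs only the table changes, the loop body stays the same. Read this way, the "decoding" is not decryption at all but an integrity checksum over the file data, which is why the routine can confirm a file is intact but protects no secret.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the 256-entry table at DS:[579BC0] in the listing.
   ASSUMPTION: the standard reflected CRC-32 table (polynomial 0xEDB88320);
   the post never dumps the table, so this is not taken from SourceFormatX. */
static uint32_t crc_table[256];
static int table_ready = 0;

static void build_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

/* Register-level mirror of 00459F63..00459F91:
   EAX = byte count, [EBP-4] = buffer, ESI = 1-based index, EBX = running CRC.
   Returns the value left in EBX (MOV EAX,EBX at 00459F91). */
uint32_t crc_loop(uint32_t ebx, const uint8_t *buf, uint32_t eax)
{
    if (!table_ready)
        build_table();
    if ((int32_t)eax <= 0)                 /* JLE SHORT 00459F91: no bytes, no work */
        return ebx;
    for (uint32_t esi = 1; eax != 0; esi++, eax--) {
        uint32_t edx = buf[esi - 1] ^ (ebx & 0xffu); /* MOV DL,[EDX+ESI-1]; XOR DL,BL */
        edx &= 0xffu;                                /* AND EDX,0FF: keep only the index byte */
        edx = crc_table[edx];                        /* MOV EDX,[EDX*4+579BC0] */
        ebx >>= 8;                                   /* SHR EBX,8 */
        ebx &= 0x00ffffffu;                          /* AND EBX,0FFFFFF (already true after SHR) */
        ebx ^= edx;                                  /* XOR EDX,EBX; MOV EBX,EDX */
    }
    return ebx;
}

/* Standard CRC-32 wrapper. ASSUMPTION: init 0xFFFFFFFF and final complement;
   neither is visible in the excerpt. */
uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    return ~crc_loop(0xFFFFFFFFu, buf, (uint32_t)len);
}

int main(void)
{
    /* Constructed input: the usual CRC-32 check string; expected 0xCBF43926. */
    const uint8_t sample[] = "123456789";
    printf("crc32(\"123456789\") = 0x%08X\n", crc32_ieee(sample, sizeof sample - 1));
    return 0;
}
```

The AND after SHR is the tell-tale of compiler-generated CRC code: a 32-bit logical shift by 8 already leaves the top byte zero, so the mask is dead but harmless, and the same sequence appears wherever Delphi's CRC32 unit is inlined.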
******************
Final summary:
Use a loader
Address/original bytes/patched bytes
450E3B/8b,45/eb,1a: ; registry-wrecking code; maybe the original build never reaches it, but I am genuinely afraid of it
52A68A/7d,0e/90,90: ; about window
4FB527/75,04/90,90: ; saving files over 8k, and the format-all function
As for the format-folder function, it keeps exiting with an exception.
======
RPP script
;Crack By:zzhzihui@163.net 2002-5-27 7:09
;source formatx
;
; This is a [R!SC's Process Patcher v1.5] script file.
; (c)1999 r!SC -- http://beam.to/risc
;P=4e8d09/85,c0/39,c0: ; cmp eax,eax Make ZF=1
; | | | |_This is the comment line
; | | |_First of Modified OP code,This is:CMP EAX,EAX
; | |_First of Original OP code,This is:TEST EAX,EAX
; |_offset in Memory for Patch
;
F=sourceformatx.exe: ; PROCESS TO PATCH
O=cr-sf.exe: ; LOADER TO CREATE
P=450E3B/8b,45/eb,1a: ; registry-wrecking code
P=52A68A/7d,0e/90,90: ; about window
P=4FB527/75,04/90,90: ; saving files over 8k, and the format-all function
$
00517C95 . E8 5610FEFF CALL UNPACK1.004F8CF0
00517C9A . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00517C9D . 50 PUSH EAX
00517C9E . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-58]
00517CA1 . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00517CA4 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
00517CA7 . E8 F034FEFF CALL UNPACK1.004FB19C ; this should be a key call
00517CAC . 84C0 TEST AL,AL
00517CAE . 74 56 JE SHORT UNPACK1.00517D06 ; jumping away sets the flag to 1; it seems this must not jump away
00517CB0 . 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00517CB6 . A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517CBB . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517CBD > . E8 F271F3FF CALL UNPACK1.0044EEB4 ; ->ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
00517CC2 . 8B85 70FFFFFF MOV EAX,DWORD PTR SS:[EBP-90]
00517CC8 . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
00517CCE > . E8 F912EFFF CALL UNPACK1.00408FCC ; ->sysutils.ExtractFilePath(AnsiString):AnsiString;
00517CD3 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00517CD9 . 50 PUSH EAX
00517CDA . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00517CE0 . B8 70985100 MOV EAX,UNPACK1.00519870 ; ASCII "054007231055113033202017049209033255031124184050143002100212225023210254192"
00517CE5 . E8 D299F3FF CALL UNPACK1.004516BC
00517CEA . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
00517CF0 . 58 POP EAX
00517CF1 > . E8 8EC1EEFF CALL UNPACK1.00403E84 ; ->system.@LStrCat;
00517CF6 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
00517CFC . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00517CFF > . E8 10B3EFFF CALL UNPACK1.00413014 ; ->classes.TCustomMemoryStream.SaveToFile(TCustomMemoryStream;AnsiString);
00517D04 . EB 04 JMP SHORT UNPACK1.00517D0A
00517D06 > C645 A4 01 MOV BYTE PTR SS:[EBP-5C],1
00517D0A > 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00517D0D . E8 5612FEFF CALL UNPACK1.004F8F68
00517D12 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00517D15 . E8 4E12FEFF CALL UNPACK1.004F8F68
00517D1A . 33C0 XOR EAX,EAX
00517D1C . 5A POP EDX
00517D1D . 59 POP ECX
00517D1E . 59 POP ECX
00517D1F . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00517D22 . 68 377D5100 PUSH UNPACK1.00517D37
00517D27 > 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00517D2A > . E8 F153EFFF CALL UNPACK1.0040D120 ; ->sysutils.FreeAndNil(void;void);
00517D2F . C3 RETN
00517D30 > .^ E9 43B9EEFF JMP UNPACK1.00403678 ; ->system.@HandleFinally;
00517D35 .^ EB F0 JMP SHORT UNPACK1.00517D27
00517D37 . 33C0 XOR EAX,EAX
00517D39 . 5A POP EDX
00517D3A . 59 POP ECX
00517D3B . 59 POP ECX
00517D3C . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00517D3F . 68 547D5100 PUSH UNPACK1.00517D54
00517D44 > 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00517D47 > . E8 D453EFFF CALL UNPACK1.0040D120 ; ->sysutils.FreeAndNil(void;void);
00517D4C . C3 RETN
00517D4D > .^ E9 26B9EEFF JMP UNPACK1.00403678 ; ->system.@HandleFinally;
00517D52 .^ EB F0 JMP SHORT UNPACK1.00517D44
00517D54 . 807D A4 00 CMP BYTE PTR SS:[EBP-5C],0
00517D58 . 74 4B JE SHORT UNPACK1.00517DA5
00517D5A . A1 20065800 MOV EAX,DWORD PTR DS:[580620]
00517D5F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517D61 . 8B80 18040000 MOV EAX,DWORD PTR DS:[EAX+418]
00517D67 . 8078 2C 00 CMP BYTE PTR DS:[EAX+2C],0
00517D6B . 74 1D JE SHORT UNPACK1.00517D8A
00517D6D . 8D95 68FFFFFF LEA EDX,DWORD PTR SS:[EBP-98]
00517D73 . B8 C4985100 MOV EAX,UNPACK1.005198C4 ; ASCII "055119093055112049201038048231092217156207189011090226058046038068139020089095217243077055028234236197123135129152120227107211249038144110189162229174233"
00517D78 . E8 3F99F3FF CALL UNPACK1.004516BC
00517D7D . 8B85 68FFFFFF MOV EAX,DWORD PTR SS:[EBP-98]
00517D83 > . E8 5CE8FFFF CALL UNPACK1.005165E4 ; ->:TDirForm._PROC_005165E4()
00517D88 . EB 1B JMP SHORT UNPACK1.00517DA5
00517D8A > 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
00517D90 . B8 68995100 MOV EAX,UNPACK1.00519968 ; ASCII "053026053055118103231098048228008042194075128219195242253113095147020017190213100150190141026096033225139232193077066049016236215190053098127209067088005023166182136074243002106076012199190238077"
00517D95 . E8 2299F3FF CALL UNPACK1.004516BC
00517D9A . 8B85 64FFFFFF MOV EAX,DWORD PTR SS:[EBP-9C]
00517DA0 > . E8 3FE8FFFF CALL UNPACK1.005165E4 ; ->:TDirForm._PROC_005165E4()
00517DA5 > B8 70985100 MOV EAX,UNPACK1.00519870 ; ASCII "054007231055113033202017049209033255031124184050143002100212225023210254192"
00517DAA . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
00517DB0 . E8 0799F3FF CALL UNPACK1.004516BC
00517DB5 . 8B85 60FFFFFF MOV EAX,DWORD PTR SS:[EBP-A0]
00517DBB . 50 PUSH EAX
00517DBC . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
00517DC2 . A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517DC7 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517DC9 > . E8 E670F3FF CALL UNPACK1.0044EEB4 ; ->ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
00517DCE . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00517DD4 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
00517DDA > . E8 ED11EFFF CALL UNPACK1.00408FCC ; ->sysutils.ExtractFilePath(AnsiString):AnsiString;
00517DDF . 8B95 5CFFFFFF MOV EDX,DWORD PTR SS:[EBP-A4]
00517DE5 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00517DE8 . 59 POP ECX
00517DE9 > . E8 DAC0EEFF CALL UNPACK1.00403EC8 ; ->system.@LStrCat3;
00517DEE . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00517DF1 > . E8 6E0FEFFF CALL UNPACK1.00408D64 ; ->sysutils.FileExists(AnsiString):Boolean;
00517DF6 . 84C0 TEST AL,AL
00517DF8 . 0F84 5F160000 JE UNPACK1.0051945D
00517DFE . B2 01 MOV DL,1
00517E00 . A1 68F44000 MOV EAX,DWORD PTR DS:[40F468]
00517E05 > . E8 1EB1EEFF CALL UNPACK1.00402F28 ; ->system.TObject.Create(TObject;Boolean);
00517E0A . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00517E0D . B2 01 MOV DL,1
00517E0F . A1 68F44000 MOV EAX,DWORD PTR DS:[40F468]
00517E14 > . E8 0FB1EEFF CALL UNPACK1.00402F28 ; ->system.TObject.Create(TObject;Boolean);
00517E19 . 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00517E1C . 33C0 XOR EAX,EAX
00517E1E . 55 PUSH EBP
00517E1F . 68 FC925100 PUSH <UNPACK1.->system.@HandleFinally;>
00517E24 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00517E27 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517E2A . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00517E2D > . E8 0EC2EEFF CALL UNPACK1.00404040 ; ->system.@LStrToPChar;
00517E32 . 50 PUSH EAX ; /FileName
00517E33 . E8 9CEBEEFF CALL <JMP.&kernel32.LoadLibraryA> ; \LoadLibraryA
00517E38 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00517E3B . 33C0 XOR EAX,EAX
00517E3D . 55 PUSH EBP
00517E3E . 68 28925100 PUSH <UNPACK1.->system.@HandleFinally;>
00517E43 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00517E46 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517E49 . 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00517E4D . 0F84 B6130000 JE UNPACK1.00519209
00517E53 . 8D95 54FFFFFF LEA EDX,DWORD PTR SS:[EBP-AC]
00517E59 . B8 349A5100 MOV EAX,UNPACK1.00519A34 ; ASCII "049222229055114020045143049208050236205071200166226211233063208098181001134"
00517E5E . E8 5998F3FF CALL UNPACK1.004516BC
00517E63 . 8B85 54FFFFFF MOV EAX,DWORD PTR SS:[EBP-AC]
00517E69 > . E8 D2C1EEFF CALL UNPACK1.00404040 ; ->system.@LStrToPChar;
00517E6E . 50 PUSH EAX ; /ProcNameOrOrdinal
00517E6F . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; |
00517E72 . 50 PUSH EAX ; |hModule
00517E73 . E8 ACEAEEFF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
===========
An exception is raised at 00517BA2 . FF11 CALL DWORD PTR DS:[ECX]; if you trace it, you land here:
00413190 . 53 PUSH EBX
00413191 . 56 PUSH ESI
00413192 . 57 PUSH EDI
00413193 . 833A 00 CMP DWORD PTR DS:[EDX],0
00413196 . 7E 10 JLE SHORT sourcefo.004131A8 ; if this doesn't jump, there's no exception
00413198 . 8B0A MOV ECX,DWORD PTR DS:[EDX]
0041319A . 81C1 FF1F0000 ADD ECX,1FFF
004131A0 . 81E1 00E0FFFF AND ECX,FFFFE000
===========
00412DB1 85DB TEST EBX,EBX
00412DB3 74 2D JE SHORT sourcefo.00412DE2 ; forcing the jump here shows "Invalid license file"
00412DB5 3B5D F0 /CMP EBX,DWORD PTR SS:[EBP-10]
==========
By the time execution reaches here, it has already been detected; this only displays the error message, probably in different languages.
00516494 55 PUSH EBP
00516495 8BEC MOV EBP,ESP
00516497 6A 00 PUSH 0
00516499 6A 00 PUSH 0
0051649B 6A 00 PUSH 0
0051649D 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
005164A0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005164A3 E8 88DBEEFF CALL sourcefo.00404030
005164A8 33C0 XOR EAX,EAX
005164AA 55 PUSH EBP
005164AB 68 44655100 PUSH sourcefo.00516544
005164B0 64:FF30 PUSH DWORD PTR FS:[EAX]
005164B3 64:8920 MOV DWORD PTR FS:[EAX],ESP
005164B6 A1 20065800 MOV EAX,DWORD PTR DS:[580620]
005164BB 8B00 MOV EAX,DWORD PTR DS:[EAX]
005164BD 8B80 18040000 MOV EAX,DWORD PTR DS:[EAX+418]
005164C3 8078 2C 00 CMP BYTE PTR DS:[EAX+2C],0
005164C7 74 31 JE SHORT sourcefo.005164FA
005164C9 6A 40 PUSH 40
005164CB 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005164CE B8 58655100 MOV EAX,sourcefo.00516558 ; ASCII "055115000055115008104061049223213141026205255155023"
005164D3 E8 E4B1F3FF CALL sourcefo.004516BC
005164D8 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005164DB E8 60DBEEFF CALL sourcefo.00404040
005164E0 50 PUSH EAX
005164E1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005164E4 E8 57DBEEFF CALL sourcefo.00404040
005164E9 8BD0 MOV EDX,EAX
005164EB A1 40085800 MOV EAX,DWORD PTR DS:[580840]
005164F0 8B00 MOV EAX,DWORD PTR DS:[EAX]
005164F2 59 POP ECX
005164F3 E8 4C86F3FF CALL sourcefo.0044EB44 ; error message call
005164F8 EB 2F JMP SHORT sourcefo.00516529
005164FA 6A 40 PUSH 40
005164FC 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
005164FF B8 94655100 MOV EAX,sourcefo.00516594 ; ASCII "048225038055115003038086049208053059096079041108062"
00516504 E8 B3B1F3FF CALL sourcefo.004516BC
00516509 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0051650C E8 2FDBEEFF CALL sourcefo.00404040
00516511 50 PUSH EAX
00516512 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00516515 E8 26DBEEFF CALL sourcefo.00404040
0051651A 8BD0 MOV EDX,EAX
0051651C A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00516521 8B00 MOV EAX,DWORD PTR DS:[EAX]
00516523 59 POP ECX
00516524 E8 1B86F3FF CALL sourcefo.0044EB44 ; error message call
00516529 33C0 XOR EAX,EAX
0051652B 5A POP EDX
0051652C 59 POP ECX
0051652D 59 POP ECX
0051652E 64:8910 MOV DWORD PTR FS:[EAX],EDX
00516531 68 4B655100 PUSH sourcefo.0051654B
00516536 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00516539 BA 03000000 MOV EDX,3
0051653E E8 DDD6EEFF CALL sourcefo.00403C20
00516543 C3 RETN
...........
The code above is called from here, and by this point it's really over too, because there's no conditional jump:
005166E4 59 POP ECX
005166E5 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005166E8 2945 FC SUB DWORD PTR SS:[EBP-4],EAX
005166EB FF55 FC CALL DWORD PTR SS:[EBP-4] ; this call invokes a procedure, which in turn calls 00516494
005166EE 33C0 XOR EAX,EAX
005166F0 5A POP EDX
005166F1 59 POP ECX
...........
The previous block is in turn called from here:
00517D54 807D A4 00 CMP BYTE PTR SS:[EBP-5C],0
00517D58 74 4B JE SHORT sourcefo.00517DA5 ; jumps away here
00517D5A A1 20065800 MOV EAX,DWORD PTR DS:[580620]
00517D5F 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517D61 8B80 18040000 MOV EAX,DWORD PTR DS:[EAX+418]
00517D67 8078 2C 00 CMP BYTE PTR DS:[EAX+2C],0
00517D6B 74 1D JE SHORT sourcefo.00517D8A ; otherwise this one must not jump away
00517D6D 8D95 68FFFFFF LEA EDX,DWORD PTR SS:[EBP-98]
00517D73 B8 C4985100 MOV EAX,sourcefo.005198C4 ; ASCII "055119093055112049201038048231092217156207189011090226058046038068139020089095217243077055028234236197123135129152120227107211249038144110189162229174233"
; this should be the Chinese message
00517D78 E8 3F99F3FF CALL sourcefo.004516BC
00517D7D 8B85 68FFFFFF MOV EAX,DWORD PTR SS:[EBP-98]
00517D83 E8 5CE8FFFF CALL sourcefo.005165E4 ; this calls into 5165e4, and the code that follows is 5166e4
00517D88 EB 1B JMP SHORT sourcefo.00517DA5 ; on to the summit of light!!
00517D8A 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
00517D90 B8 68995100 MOV EAX,sourcefo.00519968 ; ASCII "053026053055118103231098048228008042194075128219195242253113095147020017190213100150190141026096033225139232193077066049016236215190053098127209067088005023166182136074243002106076012199190238077"
; damn, it's dead here too; the above is the encrypted string for (ASCII "Invalid license file, please contact Crossbow Soft. ")
00517D95 E8 2299F3FF CALL sourcefo.004516BC
00517D9A 8B85 64FFFFFF MOV EAX,DWORD PTR SS:[EBP-9C]
00517DA0 E8 3FE8FFFF CALL sourcefo.005165E4
00517DA5 B8 70985100 MOV EAX,sourcefo.00519870 ; ASCII "054007231055113033202017049209033255031124184050143002100212225023210254192"
; this is the summit of light, the encrypted string for a temporary file (ASCII "~$Sftemp.tmp")
; damn, judging from the code that follows this should be a DLL, and its FormatEngine function has to be loaded
00517DAA 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
00517DB0 E8 0799F3FF CALL sourcefo.004516BC
00517DB5 8B85 60FFFFFF MOV EAX,DWORD PTR SS:[EBP-A0]
00517DBB 50 PUSH EAX
00517DBC 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
00517DC2 A1 40085800 MOV EAX,DWORD PTR DS:[580840]
00517DC7 8B00 MOV EAX,DWORD PTR DS:[EAX]
00517DC9 E8 E670F3FF CALL sourcefo.0044EEB4
00517DCE 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00517DD4 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
==
The key!!! is at:
00517CAE . 74 56 JE SHORT UNPACK1.00517D06 ; jumping away sets the flag to 1; it seems this must not jump away, only then does it reach LoadLibrary
.........
As follows:
00517E2D E8 0EC2EEFF CALL sourcefo.00404040
00517E32 50 PUSH EAX ; load ~$Sftemp.tmp
00517E33 E8 9CEBEEFF CALL sourcefo.004069D4 ; JMP to kernel32.LoadLibraryA
00517E38 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00517E3B 33C0 XOR EAX,EAX
00517E3D 55 PUSH EBP
00517E3E 68 28925100 PUSH sourcefo.00519228
00517E43 64:FF30 PUSH DWORD PTR FS:[EAX]
00517E46 64:8920 MOV DWORD PTR FS:[EAX],ESP
00517E49 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00517E4D 0F84 B6130000 JE sourcefo.00519209
00517E53 8D95 54FFFFFF LEA EDX,DWORD PTR SS:[EBP-AC]
00517E59 B8 349A5100 MOV EAX,sourcefo.00519A34 ; ASCII "049222229055114020045143049208050236205071200166226211233063208098181001134"
; the encrypted string for FormatEngine
00517E5E E8 5998F3FF CALL sourcefo.004516BC
00517E63 8B85 54FFFFFF MOV EAX,DWORD PTR SS:[EBP-AC]
00517E69 E8 D2C1EEFF CALL sourcefo.00404040
00517E6E 50 PUSH EAX
00517E6F 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00517E72 50 PUSH EAX
00517E73 E8 ACEAEEFF CALL sourcefo.00406924 ; JMP to kernel32.GetProcAddress
00517E78 8BF0 MOV ESI,EAX
00517E7A 89F3 MOV EBX,ESI
00517E7C 85F6 TEST ESI,ESI
00517E7E 0F84 85130000 JE sourcefo.00519209
00517E84 C645 A5 01 MOV BYTE PTR SS:[EBP-5B],1
00517E88 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00517E8B 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
00517E91 8B80 F0010000 MOV EAX,DWORD PTR DS:[EAX+1F0]
00517E97 33D2 XOR EDX,EDX
==================
On the code that decodes the lic file:
00459F63 . /7E 2C JLE SHORT sourcefo.00459F91
00459F65 . |BE 01000000 MOV ESI,1
00459F6A > |8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00459F6D . |8A5432 FF MOV DL,BYTE PTR DS:[EDX+ESI-1]
00459F71 . |32D3 XOR DL,BL
00459F73 . |81E2 FF000000 AND EDX,0FF
00459F79 . |8B1495 C09B570>MOV EDX,DWORD PTR DS:[EDX*4+579BC0]
00459F80 . |C1EB 08 SHR EBX,8
00459F83 . |81E3 FFFFFF00 AND EBX,0FFFFFF
00459F89 . |33D3 XOR EDX,EBX
00459F8B . |8BDA MOV EBX,EDX
00459F8D . |46 INC ESI
00459F8E . |48 DEC EAX
00459F8F .^|75 D9 JNZ SHORT sourcefo.00459F6A
00459F91 > \8BC3 MOV EAX,EBX
00459F93 . 33D2 XOR EDX,EDX
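The loop at 00459F6A has the shape of a table-driven CRC-32 update: XOR the next byte into the low byte of the running value, look it up in a 256-entry dword table, shift the running value right by 8 and XOR. The C below is an added example, not code from the original post or from SourceFormatX; the page does not show the contents of the table at 579BC0, so the standard reflected polynomial 0xEDB88320 is an assumption, and the register names in the comments map the lines of the listing onto the C statements.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: the table at 579BC0 is the standard reflected CRC-32 table
 * (polynomial 0xEDB88320). Its real contents are not on the page. */
static uint32_t crc_table[256];

static void build_table(void) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
}

/* Mirrors the loop at 00459F6A: EBX = running value, ESI = 1-based index
 * into the buffer at [EBP-4], EAX = remaining byte count. */
uint32_t table_crc_loop(uint32_t ebx, const uint8_t *buf, size_t len) {
    build_table();
    for (size_t esi = 1; esi <= len; esi++) {
        uint32_t edx = buf[esi - 1] ^ (ebx & 0xFF); /* MOV DL,[EDX+ESI-1]; XOR DL,BL */
        edx &= 0xFF;                                  /* AND EDX,0FF (drop the pointer bits above DL) */
        edx = crc_table[edx];                         /* MOV EDX,[EDX*4+579BC0] */
        ebx >>= 8;                                    /* SHR EBX,8 */
        ebx &= 0x00FFFFFFu;                           /* AND EBX,0FFFFFF (redundant after the shift) */
        ebx ^= edx;                                   /* XOR EDX,EBX; MOV EBX,EDX */
    }
    return ebx;                                       /* MOV EAX,EBX */
}

/* Standard CRC-32 is this loop with an all-ones start value and a final inversion;
 * the listing does not show which start value the caller passes in EBX. */
uint32_t crc32_ieee(const uint8_t *buf, size_t len) {
    return ~table_crc_loop(0xFFFFFFFFu, buf, len);
}

int main(void) {
    const char *sample = "123456789"; /* constructed check input */
    printf("crc32(\"%s\") = %08x\n", sample, crc32_ieee((const uint8_t *)sample, 9));
    return 0;
}
```

If the value computed for a known input does not match the standard check value 0xCBF43926, the table is not the IEEE one and the assumption above is wrong.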
******************
Final summary:
Use a loader
address/original bytes/patched bytes
450E3B/8b,45/eb,1a: ; code that damages the registry; maybe the original never gets here, but I'm really scared of it
52A68A/7d,0e/90,90: ; about the window
4FB527/75,04/90,90: ; saving 8k files, and all formatting functions
As for the format-directory function, it keeps exiting with an exception.
======
RPP script
;Crack By:zzhzihui@163.net 2002-5-27 7:09
;source formatx
;
; This is a [R!SC's Process Patcher v1.5] script file.
; (c)1999 r!SC -- http://beam.to/risc
;P=4e8d09/85,c0/39,c0: ; cmp eax,eax Make ZF=1
; | | | |_This is the comment line
; | | |_First of Modified OP code,This is:CMP EAX,EAX
; | |_First of Original OP code,This is:TEST EAX,EAX
; |_offset in Memory for Patch
;
F=sourceformatx.exe: ; PROCESS TO PATCH
O=cr-sf.exe: ; LOADER TO CREATE
P=450E3B/8b,45/eb,1a: ; code that damages the registry
P=52A68A/7d,0e/90,90: ; about the window
P=4FB527/75,04/90,90: ; saving 8k files, and all formatting functions
$