I've just started learning cracking and picked a program at random as a practice target. I don't know whether it's bad luck or what, but it doesn't seem to work. Ah, it turns out the author built several checks into it to test whether registration really succeeded.
Below are some of my attempts; please advise.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406CEE(U)
:00406D95 8B9570FFFFFF mov edx, dword ptr [ebp+FFFFFF70]
:00406D9B 3B9574FFFFFF cmp edx, dword ptr [ebp+FFFFFF74]
:00406DA1 90 nop
:00406DA2 90 nop //Here: this was originally a jne, which I changed to nop. Of course that makes registration succeed easily, but every time the program runs it goes back to the unregistered state.
:00406DA3 8B4D98 mov ecx, dword ptr [ebp-68]
:00406DA6 8B8164030000 mov eax, dword ptr [ecx+00000364]
:00406DAC 33D2 xor edx, edx
* Reference To: VCL50.Menus::TMenuItem::SetVisible(()), Ord:0000h
|
:00406DAE E835930000 Call 004100E8
:00406DB3 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"提示"
|
:00406DB5 6894234100 push 00412394
* Possible StringData Ref from Data Obj ->"注册成功,感谢您使用"
|
:00406DBA 6877234100 push 00412377
:00406DBF 6A00 push 00000000
:00406DC1 E8A0970000 call 00410566
:00406DC6 EB13 jmp 00406DDB
:00406DC8 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"错误"
|
:00406DCA 68AE234100 push 004123AE
* Possible StringData Ref from Data Obj ->"注册失败,请重新注册"
Tracing upward to 00406CEE, the code is as follows:
:00406AAC B856234100 mov eax, 00412356
:00406AB1 5A pop edx
:00406AB2 E8A18E0000 call 0040F958
:00406AB7 FF4DB8 dec [ebp-48]
:00406ABA 8D45D4 lea eax, dword ptr [ebp-2C]
:00406ABD BA02000000 mov edx, 00000002
:00406AC2 E8A18B0000 call 0040F668
:00406AC7 66C745AC0800 mov [ebp-54], 0008
:00406ACD 66C745AC4400 mov [ebp-54], 0044
:00406AD3 8D45D0 lea eax, dword ptr [ebp-30]
:00406AD6 E8BDACFFFF call 00401798
:00406ADB 50 push eax
:00406ADC FF45B8 inc [ebp-48]
:00406ADF 8D45F8 lea eax, dword ptr [ebp-08]
:00406AE2 E851C2FFFF call 00402D38
:00406AE7 8BD0 mov edx, eax
:00406AE9 83C2FC add edx, FFFFFFFC
:00406AEC 8D45F8 lea eax, dword ptr [ebp-08]
:00406AEF B905000000 mov ecx, 00000005
:00406AF4 E82B8D0000 call 0040F824
:00406AF9 8D55D0 lea edx, dword ptr [ebp-30]
:00406AFC 8D45F8 lea eax, dword ptr [ebp-08]
:00406AFF E8948B0000 call 0040F698
:00406B04 FF4DB8 dec [ebp-48]
:00406B07 8D45D0 lea eax, dword ptr [ebp-30]
:00406B0A BA02000000 mov edx, 00000002
:00406B0F E8548B0000 call 0040F668
:00406B14 66C745AC5000 mov [ebp-54], 0050
:00406B1A 8D45CC lea eax, dword ptr [ebp-34]
:00406B1D E876ACFFFF call 00401798
:00406B22 50 push eax
:00406B23 FF45B8 inc [ebp-48]
:00406B26 8D45F4 lea eax, dword ptr [ebp-0C]
:00406B29 E80AC2FFFF call 00402D38
:00406B2E 8BD0 mov edx, eax
:00406B30 83C2FB add edx, FFFFFFFB
:00406B33 8D45F4 lea eax, dword ptr [ebp-0C]
:00406B36 B906000000 mov ecx, 00000006
:00406B3B E8E48C0000 call 0040F824
:00406B40 8D55CC lea edx, dword ptr [ebp-34]
:00406B43 8D45F4 lea eax, dword ptr [ebp-0C]
:00406B46 E84D8B0000 call 0040F698
:00406B4B FF4DB8 dec [ebp-48]
:00406B4E 8D45CC lea eax, dword ptr [ebp-34]
:00406B51 BA02000000 mov edx, 00000002
:00406B56 E80D8B0000 call 0040F668
:00406B5B 66C745AC5C00 mov [ebp-54], 005C
:00406B61 8D45F0 lea eax, dword ptr [ebp-10]
:00406B64 E82FACFFFF call 00401798
:00406B69 8BC8 mov ecx, eax
:00406B6B FF45B8 inc [ebp-48]
:00406B6E 8D55F4 lea edx, dword ptr [ebp-0C]
:00406B71 8D45F8 lea eax, dword ptr [ebp-08]
:00406B74 E8478B0000 call 0040F6C0
:00406B79 66C745AC0800 mov [ebp-54], 0008
:00406B7F 66C745AC6800 mov [ebp-54], 0068
:00406B85 8D45EC lea eax, dword ptr [ebp-14]
:00406B88 E80BACFFFF call 00401798
:00406B8D FF45B8 inc [ebp-48]
:00406B90 66C745AC0800 mov [ebp-54], 0008
:00406B96 66C745AC7400 mov [ebp-54], 0074
:00406B9C 8D45E8 lea eax, dword ptr [ebp-18]
:00406B9F E8F4ABFFFF call 00401798
:00406BA4 FF45B8 inc [ebp-48]
:00406BA7 66C745AC0800 mov [ebp-54], 0008
:00406BAD 66C745AC8000 mov [ebp-54], 0080
:00406BB3 8D45E4 lea eax, dword ptr [ebp-1C]
:00406BB6 E8DDABFFFF call 00401798
:00406BBB FF45B8 inc [ebp-48]
:00406BBE 66C745AC0800 mov [ebp-54], 0008
:00406BC4 66C745AC8C00 mov [ebp-54], 008C
:00406BCA 8D45C8 lea eax, dword ptr [ebp-38]
:00406BCD E8C6ABFFFF call 00401798
:00406BD2 50 push eax
:00406BD3 FF45B8 inc [ebp-48]
:00406BD6 8D45F0 lea eax, dword ptr [ebp-10]
:00406BD9 B903000000 mov ecx, 00000003
:00406BDE BA01000000 mov edx, 00000001
:00406BE3 E83C8C0000 call 0040F824
:00406BE8 8D55C8 lea edx, dword ptr [ebp-38]
:00406BEB 8D45EC lea eax, dword ptr [ebp-14]
:00406BEE E8A58A0000 call 0040F698
:00406BF3 FF4DB8 dec [ebp-48]
:00406BF6 8D45C8 lea eax, dword ptr [ebp-38]
:00406BF9 BA02000000 mov edx, 00000002
:00406BFE E8658A0000 call 0040F668
:00406C03 66C745AC9800 mov [ebp-54], 0098
:00406C09 8D45C4 lea eax, dword ptr [ebp-3C]
:00406C0C E887ABFFFF call 00401798
:00406C11 50 push eax
:00406C12 FF45B8 inc [ebp-48]
:00406C15 8D45F0 lea eax, dword ptr [ebp-10]
:00406C18 B903000000 mov ecx, 00000003
:00406C1D BA04000000 mov edx, 00000004
:00406C22 E8FD8B0000 call 0040F824
:00406C27 8D55C4 lea edx, dword ptr [ebp-3C]
:00406C2A 8D45E8 lea eax, dword ptr [ebp-18]
:00406C2D E8668A0000 call 0040F698
:00406C32 FF4DB8 dec [ebp-48]
:00406C35 8D45C4 lea eax, dword ptr [ebp-3C]
:00406C38 BA02000000 mov edx, 00000002
:00406C3D E8268A0000 call 0040F668
:00406C42 66C745ACA400 mov [ebp-54], 00A4
:00406C48 8D45C0 lea eax, dword ptr [ebp-40]
:00406C4B E848ABFFFF call 00401798
:00406C50 50 push eax
:00406C51 FF45B8 inc [ebp-48]
:00406C54 8D45F0 lea eax, dword ptr [ebp-10]
:00406C57 B903000000 mov ecx, 00000003
:00406C5C BA07000000 mov edx, 00000007
:00406C61 E8BE8B0000 call 0040F824
:00406C66 8D55C0 lea edx, dword ptr [ebp-40]
:00406C69 8D45E4 lea eax, dword ptr [ebp-1C]
:00406C6C E8278A0000 call 0040F698
:00406C71 FF4DB8 dec [ebp-48]
:00406C74 8D45C0 lea eax, dword ptr [ebp-40]
:00406C77 BA02000000 mov edx, 00000002
:00406C7C E8E7890000 call 0040F668
:00406C81 8D45F0 lea eax, dword ptr [ebp-10]
:00406C84 E8AFC0FFFF call 00402D38
:00406C89 898578FFFFFF mov dword ptr [ebp+FFFFFF78], eax
:00406C8F 66C745AC0800 mov [ebp-54], 0008
:00406C95 8D45EC lea eax, dword ptr [ebp-14]
:00406C98 E86B8C0000 call 0040F908
:00406C9D 8BD8 mov ebx, eax
:00406C9F 8D45E8 lea eax, dword ptr [ebp-18]
:00406CA2 E8618C0000 call 0040F908
:00406CA7 0FAFD8 imul ebx, eax
:00406CAA 8D45E4 lea eax, dword ptr [ebp-1C]
:00406CAD E8568C0000 call 0040F908
:00406CB2 03D8 add ebx, eax
:00406CB4 039D78FFFFFF add ebx, dword ptr [ebp+FFFFFF78]
:00406CBA 899D74FFFFFF mov dword ptr [ebp+FFFFFF74], ebx
:00406CC0 33D2 xor edx, edx
:00406CC2 899570FFFFFF mov dword ptr [ebp+FFFFFF70], edx
:00406CC8 8D8D4CFFFFFF lea ecx, dword ptr [ebp+FFFFFF4C]
:00406CCE 51 push ecx
:00406CCF E86C980000 call 00410540
:00406CD4 66C745ACB000 mov [ebp-54], 00B0
:00406CDA 8D45FC lea eax, dword ptr [ebp-04]
:00406CDD E8268C0000 call 0040F908
:00406CE2 898570FFFFFF mov dword ptr [ebp+FFFFFF70], eax
:00406CE8 66C745AC0800 mov [ebp-54], 0008
:00406CEE E9A2000000 jmp 00406D95
Ah, that's a lot of code; it's making me a bit dizzy.
I guess the following are his checks. The first one:
* Possible StringData Ref from Data Obj ->""
|
:00407B01 BA4B494100 mov edx, 0041494B
:00407B06 8D45F8 lea eax, dword ptr [ebp-08]
:00407B09 E88A7A0000 call 0040F598
:00407B0E FF4594 inc [ebp-6C]
:00407B11 8B00 mov eax, dword ptr [eax]
:00407B13 5A pop edx
:00407B14 E89D890000 call 004104B6
:00407B19 FF4D94 dec [ebp-6C]
:00407B1C 8D45F8 lea eax, dword ptr [ebp-08]
:00407B1F BA02000000 mov edx, 00000002
:00407B24 E83F7B0000 call 0040F668
:00407B29 66C745880800 mov [ebp-78], 0008
:00407B2F 66C745882000 mov [ebp-78], 0020
:00407B35 BA52494100 mov edx, 00414952
:00407B3A 8D45F4 lea eax, dword ptr [ebp-0C]
:00407B3D E8567A0000 call 0040F598
:00407B42 FF4594 inc [ebp-6C]
:00407B45 8D55F4 lea edx, dword ptr [ebp-0C]
:00407B48 8D45FC lea eax, dword ptr [ebp-04]
:00407B4B E8FC7B0000 call 0040F74C
:00407B50 50 push eax
:00407B51 FF4D94 dec [ebp-6C]
:00407B54 8D45F4 lea eax, dword ptr [ebp-0C]
:00407B57 BA02000000 mov edx, 00000002
:00407B5C E8077B0000 call 0040F668
:00407B61 59 pop ecx
:00407B62 84C9 test cl, cl
:00407B64 7438 je 00407B9E
:00407B66 66C745882C00 mov [ebp-78], 002C
* Possible StringData Ref from Data Obj ->"该产品尚未注册"
|
:00407B6C BA53494100 mov edx, 00414953
:00407B71 8D45F0 lea eax, dword ptr [ebp-10]
:00407B74 E81F7A0000 call 0040F598
:00407B79 FF4594 inc [ebp-6C]
:00407B7C 8B10 mov edx, dword ptr [eax]
:00407B7E 8B8574FFFFFF mov eax, dword ptr [ebp+FFFFFF74]
:00407B84 E82F060000 call 004081B8
:00407B89 FF4D94 dec [ebp-6C]
:00407B8C 8D45F0 lea eax, dword ptr [ebp-10]
:00407B8F BA02000000 mov edx, 00000002
:00407B94 E8CF7A0000 call 0040F668
:00407B99 E95C050000 jmp 004080FA
The second:
:00407CD1 B87E494100 mov eax, 0041497E
:00407CD6 5A pop edx
:00407CD7 E87C7C0000 call 0040F958
:00407CDC FF4D94 dec [ebp-6C]
:00407CDF 8D45D0 lea eax, dword ptr [ebp-30]
:00407CE2 BA02000000 mov edx, 00000002
:00407CE7 E87C790000 call 0040F668
:00407CEC 66C745883800 mov [ebp-78], 0038
:00407CF2 66C745885C00 mov [ebp-78], 005C
:00407CF8 8D45CC lea eax, dword ptr [ebp-34]
:00407CFB E8989AFFFF call 00401798
:00407D00 50 push eax
:00407D01 FF4594 inc [ebp-6C]
:00407D04 8D45EC lea eax, dword ptr [ebp-14]
:00407D07 E82CB0FFFF call 00402D38
:00407D0C 8BD0 mov edx, eax
:00407D0E 83C2FC add edx, FFFFFFFC
:00407D11 8D45EC lea eax, dword ptr [ebp-14]
:00407D14 B905000000 mov ecx, 00000005
:00407D19 E8067B0000 call 0040F824
:00407D1E 8D55CC lea edx, dword ptr [ebp-34]
:00407D21 8D45EC lea eax, dword ptr [ebp-14]
:00407D24 E86F790000 call 0040F698
:00407D29 FF4D94 dec [ebp-6C]
:00407D2C 8D45CC lea eax, dword ptr [ebp-34]
:00407D2F BA02000000 mov edx, 00000002
:00407D34 E82F790000 call 0040F668
:00407D39 66C745886800 mov [ebp-78], 0068
:00407D3F 8D45C8 lea eax, dword ptr [ebp-38]
:00407D42 E8519AFFFF call 00401798
:00407D47 50 push eax
:00407D48 FF4594 inc [ebp-6C]
:00407D4B 8D45E8 lea eax, dword ptr [ebp-18]
:00407D4E E8E5AFFFFF call 00402D38
:00407D53 8BD0 mov edx, eax
:00407D55 83C2FB add edx, FFFFFFFB
:00407D58 8D45E8 lea eax, dword ptr [ebp-18]
:00407D5B B906000000 mov ecx, 00000006
:00407D60 E8BF7A0000 call 0040F824
:00407D65 8D55C8 lea edx, dword ptr [ebp-38]
:00407D68 8D45E8 lea eax, dword ptr [ebp-18]
:00407D6B E828790000 call 0040F698
:00407D70 FF4D94 dec [ebp-6C]
:00407D73 8D45C8 lea eax, dword ptr [ebp-38]
:00407D76 BA02000000 mov edx, 00000002
:00407D7B E8E8780000 call 0040F668
:00407D80 66C745887400 mov [ebp-78], 0074
:00407D86 8D45E4 lea eax, dword ptr [ebp-1C]
:00407D89 E80A9AFFFF call 00401798
:00407D8E 8BC8 mov ecx, eax
:00407D90 FF4594 inc [ebp-6C]
:00407D93 8D55E8 lea edx, dword ptr [ebp-18]
:00407D96 8D45EC lea eax, dword ptr [ebp-14]
:00407D99 E822790000 call 0040F6C0
:00407D9E 66C745883800 mov [ebp-78], 0038
:00407DA4 66C745888000 mov [ebp-78], 0080
:00407DAA 8D45E0 lea eax, dword ptr [ebp-20]
:00407DAD E8E699FFFF call 00401798
:00407DB2 FF4594 inc [ebp-6C]
:00407DB5 66C745883800 mov [ebp-78], 0038
:00407DBB 66C745888C00 mov [ebp-78], 008C
:00407DC1 8D45DC lea eax, dword ptr [ebp-24]
:00407DC4 E8CF99FFFF call 00401798
:00407DC9 FF4594 inc [ebp-6C]
:00407DCC 66C745883800 mov [ebp-78], 0038
:00407DD2 66C745889800 mov [ebp-78], 0098
:00407DD8 8D45D8 lea eax, dword ptr [ebp-28]
:00407DDB E8B899FFFF call 00401798
:00407DE0 FF4594 inc [ebp-6C]
:00407DE3 66C745883800 mov [ebp-78], 0038
:00407DE9 66C74588A400 mov [ebp-78], 00A4
:00407DEF 8D45C4 lea eax, dword ptr [ebp-3C]
:00407DF2 E8A199FFFF call 00401798
:00407DF7 50 push eax
:00407DF8 FF4594 inc [ebp-6C]
:00407DFB 8D45E4 lea eax, dword ptr [ebp-1C]
:00407DFE B903000000 mov ecx, 00000003
:00407E03 BA01000000 mov edx, 00000001
:00407E08 E8177A0000 call 0040F824
:00407E0D 8D55C4 lea edx, dword ptr [ebp-3C]
:00407E10 8D45E0 lea eax, dword ptr [ebp-20]
:00407E13 E880780000 call 0040F698
:00407E18 FF4D94 dec [ebp-6C]
:00407E1B 8D45C4 lea eax, dword ptr [ebp-3C]
:00407E1E BA02000000 mov edx, 00000002
:00407E23 E840780000 call 0040F668
:00407E28 66C74588B000 mov [ebp-78], 00B0
:00407E2E 8D45C0 lea eax, dword ptr [ebp-40]
:00407E31 E86299FFFF call 00401798
:00407E36 50 push eax
:00407E37 FF4594 inc [ebp-6C]
:00407E3A 8D45E4 lea eax, dword ptr [ebp-1C]
:00407E3D B903000000 mov ecx, 00000003
:00407E42 BA04000000 mov edx, 00000004
:00407E47 E8D8790000 call 0040F824
:00407E4C 8D55C0 lea edx, dword ptr [ebp-40]
:00407E4F 8D45DC lea eax, dword ptr [ebp-24]
:00407E52 E841780000 call 0040F698
:00407E57 FF4D94 dec [ebp-6C]
:00407E5A 8D45C0 lea eax, dword ptr [ebp-40]
:00407E5D BA02000000 mov edx, 00000002
:00407E62 E801780000 call 0040F668
:00407E67 66C74588BC00 mov [ebp-78], 00BC
:00407E6D 8D45BC lea eax, dword ptr [ebp-44]
:00407E70 E82399FFFF call 00401798
:00407E75 50 push eax
:00407E76 FF4594 inc [ebp-6C]
:00407E79 8D45E4 lea eax, dword ptr [ebp-1C]
:00407E7C B903000000 mov ecx, 00000003
:00407E81 BA07000000 mov edx, 00000007
:00407E86 E899790000 call 0040F824
:00407E8B 8D55BC lea edx, dword ptr [ebp-44]
:00407E8E 8D45D8 lea eax, dword ptr [ebp-28]
:00407E91 E802780000 call 0040F698
:00407E96 FF4D94 dec [ebp-6C]
:00407E99 8D45BC lea eax, dword ptr [ebp-44]
:00407E9C BA02000000 mov edx, 00000002
:00407EA1 E8C2770000 call 0040F668
:00407EA6 8D45E4 lea eax, dword ptr [ebp-1C]
:00407EA9 E88AAEFFFF call 00402D38
:00407EAE 898554FFFFFF mov dword ptr [ebp+FFFFFF54], eax
:00407EB4 66C745883800 mov [ebp-78], 0038
:00407EBA 8D45E0 lea eax, dword ptr [ebp-20]
:00407EBD E8467A0000 call 0040F908
:00407EC2 8BD8 mov ebx, eax
:00407EC4 8D45DC lea eax, dword ptr [ebp-24]
:00407EC7 E83C7A0000 call 0040F908
:00407ECC 0FAFD8 imul ebx, eax
:00407ECF 8D45D8 lea eax, dword ptr [ebp-28]
:00407ED2 E8317A0000 call 0040F908
:00407ED7 03D8 add ebx, eax
:00407ED9 039D54FFFFFF add ebx, dword ptr [ebp+FFFFFF54]
:00407EDF 899D50FFFFFF mov dword ptr [ebp+FFFFFF50], ebx
:00407EE5 33D2 xor edx, edx
:00407EE7 89954CFFFFFF mov dword ptr [ebp+FFFFFF4C], edx
:00407EED 8D8D24FFFFFF lea ecx, dword ptr [ebp+FFFFFF24]
:00407EF3 51 push ecx
:00407EF4 E847860000 call 00410540
:00407EF9 66C74588C800 mov [ebp-78], 00C8
:00407EFF 8D45FC lea eax, dword ptr [ebp-04]
:00407F02 E8017A0000 call 0040F908
:00407F07 89854CFFFFFF mov dword ptr [ebp+FFFFFF4C], eax
:00407F0D 8B954CFFFFFF mov edx, dword ptr [ebp+FFFFFF4C]
:00407F13 3B9550FFFFFF cmp edx, dword ptr [ebp+FFFFFF50]
:00407F19 0F85FC000000 jne 0040801B
This jump goes straight to "product not registered".
Haha, could some expert with sharp eyes take a look for me? The registration code is waving right at me, but I just can't see it.