Today I downloaded a network TV application from 华军软件园 (Huajun Software Park); download address:
http://down.52sttv.com/STTVok0725.exe . Sharing the process with everyone; forum gurus, please give me pointers :)
PEiD check: packed with ASPack 2.12. Unpacked it manually, fairly simple, so I will skip that part. After unpacking, PEiD reports
Delphi 5.0 - 6.0. A Delphi program, so out comes DaFixer's DeDe; find the address of the Click handler of the Register button on the registration form, 0x54A708:
TregForm -> BzcrzClick (0x54A708).
Start the program in OD, in the registration dialog enter the username laracraft and an arbitrary serial, 123456, and set a breakpoint at 0x54A708.
0054A700 . 03 DB 03
0054A701 . 52 65 67 ASCII "Reg"
0054A704 00 DB 00
0054A705 00 DB 00
0054A706 8BC0 MOV EAX,EAX
0054A708 . 55 PUSH EBP ; Register button event // breaks here
0054A709 . 8BEC MOV EBP,ESP
Wanting the serial quickly, I did not analyse in detail; looking downward and stepping into each of the main calls, I reached 0x54A802:
0054A800 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054A802 . E8 015E0000 CALL unpack_S.00550608 ; the CALL that computes the serial
0054A807 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
Stepped into it; a few steps in, looking at the stack, I found that the serial is computed inside this function.
00550608 /$ 55 PUSH EBP ; computes the serial
00550609 |. 8BEC MOV EBP,ESP
0055060B |. 6A 00 PUSH 0
0055060D |. 6A 00 PUSH 0
0055060F |. 6A 00 PUSH 0
00550611 |. 6A 00 PUSH 0
00550613 |. 6A 00 PUSH 0
00550615 |. 6A 00 PUSH 0
00550617 |. 53 PUSH EBX
00550618 |. 56 PUSH ESI
00550619 |. 57 PUSH EDI
0055061A |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
0055061D |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00550620 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00550623 |. E8 4C41EBFF CALL unpack_S.00404774
00550628 |. 33C0 XOR EAX,EAX
0055062A |. 55 PUSH EBP
0055062B |. 68 06075500 PUSH unpack_S.00550706
00550630 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00550633 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00550636 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00550639 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0055063C |. E8 D781EBFF CALL unpack_S.00408818
00550641 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00550644 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00550647 |. E8 E083EBFF CALL unpack_S.00408A2C
0055064C |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0055064F |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00550652 |. E8 053DEBFF CALL unpack_S.0040435C
00550657 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0055065A |. E8 653CEBFF CALL unpack_S.004042C4
0055065F |. BE 01000000 MOV ESI,1
00550664 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00550667 |. E8 183FEBFF CALL unpack_S.00404584
0055066C |. 85C0 TEST EAX,EAX
0055066E |. 7E 14 JLE SHORT unpack_S.00550684
00550670 |. BB 01000000 MOV EBX,1
00550675 |> 8B55 FC /MOV EDX,DWORD PTR SS:[EBP-4]
00550678 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1]
0055067D |. 03F2 |ADD ESI,EDX
0055067F |. 46 |INC ESI
00550680 |. 43 |INC EBX
00550681 |. 48 |DEC EAX
00550682 |.^ 75 F1 \JNZ SHORT unpack_S.00550675
00550684 |> BB 01000000 MOV EBX,1
00550689 |> 8BFE /MOV EDI,ESI
0055068B |. 0FAFFE |IMUL EDI,ESI
0055068E |. 0FAFFE |IMUL EDI,ESI
00550691 |. 0FAFFB |IMUL EDI,EBX
00550694 |. 0FAFFB |IMUL EDI,EBX
00550697 |. 0FAFFB |IMUL EDI,EBX
0055069A |. 8D041E |LEA EAX,DWORD PTR DS:[ESI+EBX]
0055069D |. 0FAFF8 |IMUL EDI,EAX
005506A0 |. 0FAFF8 |IMUL EDI,EAX
005506A3 |. 0FAFF8 |IMUL EDI,EAX
005506A6 |. 8D4D E8 |LEA ECX,DWORD PTR SS:[EBP-18]
005506A9 |. BA 08000000 |MOV EDX,8
005506AE |. 8BC7 |MOV EAX,EDI
005506B0 |. E8 5B88EBFF |CALL unpack_S.00408F10 ; produces one 8-character group of the serial
005506B5 |. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
005506B8 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
005506BB |. E8 CC3EEBFF |CALL unpack_S.0040458C ; appended to the serial built so far
005506C0 |. 83FB 06 |CMP EBX,6
005506C3 |. 74 0D |JE SHORT unpack_S.005506D2
005506C5 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
005506C8 |. BA 1C075500 |MOV EDX,unpack_S.0055071C
005506CD |. E8 BA3EEBFF |CALL unpack_S.0040458C ; append '-'
005506D2 |> 43 |INC EBX
005506D3 |. 83FB 07 |CMP EBX,7 ; the serial has 6 groups
005506D6 |.^ 75 B1 \JNZ SHORT unpack_S.00550689
005506D8 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005506DB |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; address of the serial
005506DE |. E8 353CEBFF CALL unpack_S.00404318
005506E3 |. 33C0 XOR EAX,EAX
005506E5 |. 5A POP EDX
005506E6 |. 59 POP ECX
005506E7 |. 59 POP ECX
005506E8 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
005506EB |. 68 0D075500 PUSH unpack_S.0055070D
005506F0 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
005506F3 |. BA 04000000 MOV EDX,4
005506F8 |. E8 EB3BEBFF CALL unpack_S.004042E8
005506FD |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00550700 |. E8 BF3BEBFF CALL unpack_S.004042C4
00550705 \. C3 RETN
The stack at that point:
0012F738 00550706 SE handler
0012F73C 0012F764
0012F740 036383F4
0012F744 036383F4
0012F748 00000000
0012F74C 03639E20 ASCII "49000000"
0012F750 0360CA40 ASCII "laracraft"
0012F754 036392AC ASCII "laracraft"
0012F758 036040CC ASCII "A24EBA78-EC88B000-12CBE018-C619B000-523E8278-49000000" // the serial
0012F75C 0012F824
0012F760 036392AC ASCII "laracraft"
0012F764 /0012F860
0012F768 |0054A807 RETURN to unpack_S.0054A807 from unpack_S.00550608
At this point the serial is already in hand; I did not go through a detailed analysis, the calculation part is in unpack_S.00408F10.
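The routine above, reimplemented in Python as an added example (this is not code from the post or from the STTV program). What the listing shows: the byte loop at 00550675-00550682 is a checksum of the username (ESI = 1 + sum of the bytes + length), and the IMUL chain at 00550689-005506A3 multiplies that checksum, the group number and their sum together three times each, so every group is ESI^3 * EBX^3 * (ESI+EBX)^3 truncated to 32 bits. The call at 00408F10 only turns that value into 8 hex digits (consistent with Delphi's IntToHex(Value, 8), an inference from the listing, not something the page states). Two assumptions: the string helpers called at 00408818 and 00408A2C before the loop are not identified on the page and are taken to leave an all-lowercase ASCII name unchanged (the serial seen on the stack for laracraft confirms that for this name), and the name is fed in as its raw ANSI bytes (GBK on a Chinese Windows, which makes no difference for ASCII names). Running it on laracraft reproduces the serial that appeared on the stack.

```python
MASK32 = 0xFFFFFFFF  # every IMUL here is a 32-bit register multiply: keep only the low 32 bits


def name_checksum(name: bytes) -> int:
    """Loop at 00550675-00550682: ESI starts at 1 and, per byte of the name,
    does ADD ESI,byte then INC ESI, so ESI = 1 + sum(bytes) + len(name)."""
    esi = 1
    for b in name:
        esi = (esi + b + 1) & MASK32
    return esi


def group_value(esi: int, ebx: int) -> int:
    """IMUL chain at 00550689-005506A3 for group number EBX (1..6):
    EDI = ESI * ESI * ESI * EBX * EBX * EBX * (ESI+EBX) * (ESI+EBX) * (ESI+EBX),
    truncated to 32 bits after each multiply exactly as the CPU does."""
    eax = (esi + ebx) & MASK32          # LEA EAX,[ESI+EBX]
    edi = esi                           # MOV EDI,ESI
    for factor in (esi, esi, ebx, ebx, ebx, eax, eax, eax):
        edi = (edi * factor) & MASK32
    return edi


def make_code(name: str, codepage: str = "gbk") -> str:
    """Six groups of 8 upper-case hex digits (the 8-digit formatting done by the
    call at 00408F10) joined by '-'; the separator is skipped after the sixth
    group (CMP EBX,6 / JE at 005506C0), and the loop stops when EBX reaches 7."""
    # Assumption: the program hashes the raw ANSI bytes of the name (GBK on the
    # author's system); for ASCII names the code page does not matter.
    esi = name_checksum(name.encode(codepage))
    groups = [f"{group_value(esi, ebx):08X}" for ebx in range(1, 7)]
    return "-".join(groups)


if __name__ == "__main__":
    print(make_code("laracraft"))
```

Because the checksum is the only thing the name contributes, any two names with the same byte sum and the same length get the same serial, and nothing in the serial is tied to the machine; that is consistent with the server-side check sending DiskSerial as a separate parameter.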
Next, enter the username and serial, log in and wait for good news... The earlier error is gone and the serial seems to have passed, but a different failure box popped up.
Intercepted it with a packet capture tool: it turns out the program does network validation.
1 192.168.0.100:2290 221.231.138.74:80 226 Send
0000 47 45 54 20 2F 73 65 72 76 69 63 65 2F 72 65 67 GET /service/reg
0010 5F 5F 32 30 30 36 30 33 32 32 2E 61 73 70 3F 52 __20060322.asp?R
0020 65 67 55 73 65 72 4E 61 6D 65 3D 6C 61 72 61 63 egUserName=larac
0030 72 61 66 74 26 44 69 73 6B 53 65 72 69 61 6C 3D raft&DiskSerial=
0040 35 4C 41 45 47 57 31 4D 26 43 6F 64 65 3D 37 30 5LAEGW1M&Code=70
0050 36 32 31 30 35 32 20 48 54 54 50 2F 31 2E 31 0D 621052 HTTP/1.1.
0060 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 .Content-Type: t
0070 65 78 74 2F 68 74 6D 6C 0D 0A 48 6F 73 74 3A 20 ext/html..Host:
0080 73 65 72 76 69 63 65 2E 35 32 73 74 74 76 2E 63 service.52sttv.c
0090 6F 6D 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 om..Accept: text
00A0 2F 68 74 6D 6C 2C 20 2A 2F 2A 0D 0A 55 73 65 72 /html, */*..User
00B0 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F -Agent: Mozilla/
00C0 33 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 3.0 (compatible;
00D0 20 49 6E 64 79 20 4C 69 62 72 61 72 79 29 0D 0A Indy Library)..
00E0 0D 0A ..
2 221.231.138.74:80 192.168.0.100:2290 302 Recv
0000 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
0010 0A 44 61 74 65 3A 20 57 65 64 2C 20 32 36 20 4A .Date: Wed, 26 J
0020 75 6C 20 32 30 30 36 20 30 35 3A 30 36 3A 31 36 ul 2006 05:06:16
0030 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 4D 69 GMT..Server: Mi
0040 63 72 6F 73 6F 66 74 2D 49 49 53 2F 36 2E 30 0D crosoft-IIS/6.0.
0050 0A 58 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 41 .X-Powered-By: A
0060 53 50 2E 4E 45 54 0D 0A 50 72 61 67 6D 61 3A 20 SP.NET..Pragma:
0070 4E 6F 2D 43 61 63 68 65 0D 0A 43 6F 6E 74 65 6E No-Cache..Conten
0080 74 2D 4C 65 6E 67 74 68 3A 20 32 0D 0A 43 6F 6E t-Length: 2..Con
0090 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F tent-Type: text/
00A0 68 74 6D 6C 0D 0A 45 78 70 69 72 65 73 3A 20 54 html..Expires: T
00B0 75 65 2C 20 32 35 20 4A 75 6C 20 32 30 30 36 20 ue, 25 Jul 2006
00C0 30 35 3A 30 36 3A 31 36 20 47 4D 54 0D 0A 53 65 05:06:16 GMT..Se
00D0 74 2D 43 6F 6F 6B 69 65 3A 20 41 53 50 53 45 53 t-Cookie: ASPSES
00E0 53 49 4F 4E 49 44 53 53 42 43 42 51 52 42 3D 4F SIONIDSSBCBQRB=O
00F0 45 47 44 48 45 48 44 46 45 41 45 48 50 4F 4D 50 EGDHEHDFEAEHPOMP
0100 4E 45 45 48 49 41 44 3B 20 70 61 74 68 3D 2F 0D NEEHIAD; path=/.
0110 0A 43 61 63 68 65 2D 63 6F 6E 74 72 6F 6C 3A 20 .Cache-control:
0120 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A 2D 31 no-cache....-1
Looking closely, three values are sent to the server:
RegUserName=laracraft // registration name
DiskSerial=5LAEGW1M // hard disk serial number
Code=70621052 // probably a computed identification code
The database has no such user, so of course it returns an error; the body is just two bytes, -1. Interesting.
Searching for strings with an OD plugin, I found several references:
ASCII "http://service.52sttv.com/service/reg__20060322.asp?RegUserName=",
This one matches the data that was sent exactly, which shows the program checks the serial and then comes here to validate online.
0054AD73 . 50 PUSH EAX ; connect to the server for validation
0054AD74 . 68 D4B65400 PUSH unpack_S.0054B6D4 ; ASCII "http://service.52sttv.com/service/reg__20060322.asp?RegUserName="
0054AD79 . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0054AD7F . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AD82 . 8B80 14030000 MOV EAX,DWORD PTR DS:[EAX+314]
0054AD88 . E8 8FA5F6FF CALL unpack_S.004B531C
0054AD8D . FFB5 3CFFFFFF PUSH DWORD PTR SS:[EBP-C4]
0054AD93 . 68 34B75400 PUSH unpack_S.0054B734 ; ASCII "&DiskSerial="
0054AD98 . A1 E4ED5500 MOV EAX,DWORD PTR DS:[55EDE4]
0054AD9D . FF30 PUSH DWORD PTR DS:[EAX]
0054AD9F . 68 4CB75400 PUSH unpack_S.0054B74C ; ASCII "&Code="
Set a breakpoint at 54AD74; after it breaks, looking further down I see
0054ADFD . BA 84B85400 MOV EDX,unpack_S.0054B884 ; ASCII "-1"
this line: -1. The server returns -1 when validation fails, so the decision must be here.
0054ADA4 . FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
0054ADA7 . 8D85 40FFFFFF LEA EAX,DWORD PTR SS:[EBP-C0]
0054ADAD . BA 06000000 MOV EDX,6
0054ADB2 . E8 8D98EBFF CALL unpack_S.00404644
0054ADB7 . 8B95 40FFFFFF MOV EDX,DWORD PTR SS:[EBP-C0]
0054ADBD . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054ADC2 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054ADC4 . B1 01 MOV CL,1
0054ADC6 . E8 B1530000 CALL unpack_S.0055017C
0054ADCB > 837D E8 00 CMP DWORD PTR SS:[EBP-18],0
0054ADCF . 75 29 JNZ SHORT unpack_S.0054ADFA
0054ADD1 . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054ADD6 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054ADD8 . BA FCB75400 MOV EDX,unpack_S.0054B7FC
0054ADDD . E8 D65B0000 CALL unpack_S.005509B8
0054ADE2 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054ADE5 . 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
0054ADEB . BA 94B35400 MOV EDX,unpack_S.0054B394
0054ADF0 . E8 0F5AF1FF CALL unpack_S.00460804
0054ADF5 . E9 D0030000 JMP unpack_S.0054B1CA
0054ADFA > 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0054ADFD . BA 84B85400 MOV EDX,unpack_S.0054B884 ; ASCII "-1"
0054AE02 . E8 C998EBFF CALL unpack_S.004046D0
0054AE07 75 29 JNZ SHORT unpack_S.0054AE32 ; first jump: change to JE SHORT unpack_S.0054AE32
0054AE09 . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054AE0E . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054AE10 . BA 90B85400 MOV EDX,unpack_S.0054B890
0054AE15 . E8 9E5B0000 CALL unpack_S.005509B8 ; shows the error dialog
0054AE1A . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AE1D . 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
0054AE23 . BA 94B35400 MOV EDX,unpack_S.0054B394
0054AE28 . E8 D759F1FF CALL unpack_S.00460804
0054AE2D . E9 98030000 JMP unpack_S.0054B1CA
0054AE32 > 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0054AE35 . BA 4CB95400 MOV EDX,unpack_S.0054B94C
0054AE3A . E8 9198EBFF CALL unpack_S.004046D0
0054AE3F . 75 29 JNZ SHORT unpack_S.0054AE6A
0054AE41 . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054AE46 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054AE48 . BA 58B95400 MOV EDX,unpack_S.0054B958
0054AE4D . E8 665B0000 CALL unpack_S.005509B8
0054AE52 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AE55 . 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
0054AE5B . BA 94B35400 MOV EDX,unpack_S.0054B394
0054AE60 . E8 9F59F1FF CALL unpack_S.00460804
0054AE65 . E9 60030000 JMP unpack_S.0054B1CA
0054AE6A > 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
0054AE70 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0054AE73 . E8 64D9EBFF CALL unpack_S.004087DC
0054AE78 . 8B85 38FFFFFF MOV EAX,DWORD PTR SS:[EBP-C8]
0054AE7E . BA C0B95400 MOV EDX,unpack_S.0054B9C0 ; ASCII "DISKSERIALCHANGE"
0054AE83 . E8 4898EBFF CALL unpack_S.004046D0
0054AE88 . 75 29 JNZ SHORT unpack_S.0054AEB3
0054AE8A . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054AE8F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054AE91 . BA DCB95400 MOV EDX,unpack_S.0054B9DC
0054AE96 . E8 1D5B0000 CALL unpack_S.005509B8
0054AE9B . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AE9E . 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
0054AEA4 . BA 94B35400 MOV EDX,unpack_S.0054B394
0054AEA9 . E8 5659F1FF CALL unpack_S.00460804
0054AEAE . E9 17030000 JMP unpack_S.0054B1CA
0054AEB3 > BA 4CBA5400 MOV EDX,unpack_S.0054BA4C ; ASCII "RegOk"
0054AEB8 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0054AEBB . E8 38DAEBFF CALL unpack_S.004088F8
0054AEC0 . 84C0 TEST AL,AL
0054AEC2 75 27 JNZ SHORT unpack_S.0054AEEB ; second jump: change to JE SHORT unpack_S.0054AEEB
0054AEC4 . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054AEC9 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054AECB . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0054AECE . E8 E55A0000 CALL unpack_S.005509B8 ; shows the error dialog
0054AED3 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AED6 . 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
0054AEDC . BA 94B35400 MOV EDX,unpack_S.0054B394
0054AEE1 . E8 1E59F1FF CALL unpack_S.00460804
0054AEE6 . E9 DF020000 JMP unpack_S.0054B1CA
0054AEEB > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AEEE . 8B80 30030000 MOV EAX,DWORD PTR DS:[EAX+330]
0054AEF4 . BA 5CBA5400 MOV EDX,unpack_S.0054BA5C
0054AEF9 . E8 0659F1FF CALL unpack_S.00460804
0054AEFE . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF01 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
0054AF07 . 8B50 44 MOV EDX,DWORD PTR DS:[EAX+44]
0054AF0A . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF0D . 8B80 1C030000 MOV EAX,DWORD PTR DS:[EAX+31C]
0054AF13 . E8 5050F1FF CALL unpack_S.0045FF68
0054AF18 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF1B . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
0054AF21 . 8B50 40 MOV EDX,DWORD PTR DS:[EAX+40]
0054AF24 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF27 . 8B80 1C030000 MOV EAX,DWORD PTR DS:[EAX+31C]
0054AF2D . E8 1250F1FF CALL unpack_S.0045FF44
0054AF32 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF35 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
0054AF3B . 33D2 XOR EDX,EDX
0054AF3D . E8 B257F1FF CALL unpack_S.004606F4
0054AF42 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF45 . 8B80 1C030000 MOV EAX,DWORD PTR DS:[EAX+31C]
0054AF4B . B2 01 MOV DL,1
0054AF4D . E8 A257F1FF CALL unpack_S.004606F4
0054AF52 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF55 . 8B80 24030000 MOV EAX,DWORD PTR DS:[EAX+324]
0054AF5B . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0054AF5E . E8 A158F1FF CALL unpack_S.00460804
0054AF63 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF66 . 8B80 28030000 MOV EAX,DWORD PTR DS:[EAX+328]
0054AF6C . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0054AF6F . E8 9058F1FF CALL unpack_S.00460804
0054AF74 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AF77 . 8B80 2C030000 MOV EAX,DWORD PTR DS:[EAX+32C]
0054AF7D . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0054AF80 . E8 7F58F1FF CALL unpack_S.00460804
0054AF85 . 33C0 XOR EAX,EAX
0054AF87 . 55 PUSH EBP
0054AF88 . 68 52B05400 PUSH unpack_S.0054B052
0054AF8D . 64:FF30 PUSH DWORD PTR FS:[EAX]
0054AF90 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0054AF93 . B2 01 MOV DL,1
0054AF95 . A1 288B4300 MOV EAX,DWORD PTR DS:[438B28]
0054AF9A . E8 89DCEEFF CALL unpack_S.00438C28
0054AF9F . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0054AFA2 . BA 01000080 MOV EDX,80000001
0054AFA7 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0054AFAA . E8 19DDEEFF CALL unpack_S.00438CC8
0054AFAF . B1 01 MOV CL,1
0054AFB1 . BA E4BA5400 MOV EDX,unpack_S.0054BAE4 ; ASCII "Software\System\STAdmin"
0054AFB6 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0054AFB9 . E8 6EDDEEFF CALL unpack_S.00438D2C
0054AFBE . 8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0]
0054AFC4 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054AFC7 . 8B80 14030000 MOV EAX,DWORD PTR DS:[EAX+314]
0054AFCD . E8 4AA3F6FF CALL unpack_S.004B531C
0054AFD2 . 8B95 30FFFFFF MOV EDX,DWORD PTR SS:[EBP-D0]
0054AFD8 . 8D8D 34FFFFFF LEA ECX,DWORD PTR SS:[EBP-CC]
0054AFDE . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054AFE3 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054AFE5 . E8 2E5A0000 CALL unpack_S.00550A18
0054AFEA . 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0054AFF0 . BA 04BB5400 MOV EDX,unpack_S.0054BB04 ; ASCII "UN"
0054AFF5 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0054AFF8 . E8 1BE0EEFF CALL unpack_S.00439018
0054AFFD . 8D95 28FFFFFF LEA EDX,DWORD PTR SS:[EBP-D8]
0054B003 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054B006 . 8B80 18030000 MOV EAX,DWORD PTR DS:[EAX+318]
0054B00C . E8 0BA3F6FF CALL unpack_S.004B531C
0054B011 . 8B95 28FFFFFF MOV EDX,DWORD PTR SS:[EBP-D8]
0054B017 . 8D8D 2CFFFFFF LEA ECX,DWORD PTR SS:[EBP-D4]
0054B01D . A1 94E85500 MOV EAX,DWORD PTR DS:[55E894]
0054B022 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054B024 . E8 EF590000 CALL unpack_S.00550A18
0054B029 . 8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
0054B02F . BA 10BB5400 MOV EDX,unpack_S.0054BB10 ; ASCII "RC"
0054B034 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0054B037 . E8 DCDFEEFF CALL unpack_S.00439018
0054B03C . 33C0 XOR EAX,EAX
0054B03E . 5A POP EDX
0054B03F . 59 POP ECX
0054B040 . 59 POP ECX
0054B041 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0054B044 . 68 59B05400 PUSH unpack_S.0054B059
0054B049 > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0054B04C . E8 5F84EBFF CALL unpack_S.004034B0
0054B051 . C3 RETN
After changing those two places, OK. The program passes; when run it reports registration successful. Start it again and it has changed from the trial edition to the standard edition.
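Making the two jump changes permanent in the file, as an added example that is not part of the post (the author changed them in OD's memory). The listing shows `75 29` at 0054AE07 and `75 27` at 0054AEC2; a JNZ rel8 becomes JE rel8 by changing the opcode byte 75 to 74, the displacement byte stays. To write into the dumped executable instead of memory, each virtual address has to be mapped to a file offset through the PE section table, which the script parses with struct; it refuses to patch when the bytes at the site are not the expected originals (wrong file, a different build, or already patched). The PE it runs on by default is a constructed minimal PE32 with one section placed so that its RVA range covers both addresses; the real unpacked dump would be given on the command line. Assumed: the dump has a valid section table (as it does after a normal dump-and-fix-imports), and the image base 0x400000 and section layout in the sample are illustrative, not taken from the real binary.

```python
import struct
import sys

# The two sites from the listing: (VA, original bytes, replacement). JNZ rel8
# (75 xx) becomes JE rel8 (74 xx); the displacement byte is unchanged.
PATCHES = [
    (0x0054AE07, b"\x75\x29", b"\x74\x29"),  # JNZ after the "-1" comparison
    (0x0054AEC2, b"\x75\x27", b"\x74\x27"),  # JNZ after the "RegOk" test
]


def pe_sections(data):
    """Parse the PE32 headers: (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """Map a virtual address as shown by OllyDbg to a file offset via the section table."""
    rva = va - image_base
    for name, s_rva, vsize, raw_ptr, raw_size in sections:
        if s_rva <= rva < s_rva + max(vsize, raw_size):
            delta = rva - s_rva
            if delta >= raw_size:
                raise ValueError(f"{va:#010x} is in the uninitialised tail of {name}; nothing on disk to patch")
            return raw_ptr + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def apply_patches(data, patches=PATCHES):
    """Return a patched copy; refuses to touch bytes that are not the expected originals."""
    image_base, sections = pe_sections(data)
    out = bytearray(data)
    for va, expect, new in patches:
        off = va_to_offset(va, image_base, sections)
        found = bytes(out[off:off + len(expect)])
        if found != expect:
            raise ValueError(f"{va:#010x} (file offset {off:#x}) holds {found.hex()}, expected "
                             f"{expect.hex()}: wrong file, different build, or already patched")
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_image():
    """Constructed minimal PE32 for the demo (not the real STTV binary): image base 0x400000,
    one section whose RVA range 0x14A000-0x14B000 covers both patch sites, and the original
    JNZ bytes planted at those addresses. The layout values are illustrative assumptions."""
    image_base, sect_rva, raw_ptr, raw_size = 0x400000, 0x14A000, 0x400, 0x1000
    img = bytearray(raw_ptr + raw_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, opt + 28, image_base)          # ImageBase
    sect = opt + 0xE0
    img[sect:sect + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sect + 8, raw_size, sect_rva, raw_size, raw_ptr)
    for va, orig, _ in PATCHES:
        off = raw_ptr + (va - image_base - sect_rva)
        img[off:off + len(orig)] = orig
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:      # real use: patch.py unpacked.exe patched.exe
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(apply_patches(data))
    else:                       # demo on the constructed image
        patched = apply_patches(build_sample_image())
        print("patched", len(PATCHES), "sites; file size", len(patched))
```

The byte check before writing is the part worth keeping: the addresses in the listing belong to this particular unpacked dump, and on any other build the same VAs hold different code. Note also what the two inverted jumps do: the client now treats a "-1" reply as acceptable and a reply without "RegOk" as success, so the local gate is gone but every later request the program makes is still answered by the server.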
Everything that was greyed out is now enabled. Clicked a movie to try it; it could not connect for ages, so I intercepted a packet:
1 192.168.0.100:2535 221.10.254.253:80 298 Send
0000 47 45 54 20 2F 73 65 72 76 69 63 65 2F 72 6D 75 GET /service/rmu
0010 72 6C 5F 5F 5F 5F 32 30 30 36 30 33 32 32 2E 61 rl____20060322.a
0020 73 70 3F 6A 6D 6D 63 3D 2E BB FA C6 F7 C3 A8 26 sp?jmmc=.......&
0030 52 65 67 75 73 65 72 4E 61 6D 65 3D 6C 61 72 61 ReguserName=lara
0040 63 72 61 66 74 26 63 6F 64 65 3D 37 30 36 32 38 craft&code=70628
0050 32 30 26 44 69 73 6B 53 65 72 69 61 6C 3D 35 4C 20&DiskSerial=5L
0060 41 45 47 57 31 4D 20 48 54 54 50 2F 31 2E 31 0D AEGW1M HTTP/1.1.
0070 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 .Content-Type: t
0080 65 78 74 2F 68 74 6D 6C 0D 0A 48 6F 73 74 3A 20 ext/html..Host:
0090 77 61 6E 67 74 6F 6E 67 2E 35 32 73 74 74 76 2E wangtong.52sttv.
00A0 63 6F 6D 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 com..Accept: tex
00B0 74 2F 68 74 6D 6C 2C 20 2A 2F 2A 0D 0A 55 73 65 t/html, */*..Use
00C0 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 r-Agent: Mozilla
00D0 2F 33 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 /3.0 (compatible
00E0 3B 20 49 6E 64 79 20 4C 69 62 72 61 72 79 29 0D ; Indy Library).
00F0 0A 43 6F 6F 6B 69 65 3A 20 41 53 50 53 45 53 53 .Cookie: ASPSESS
0100 49 4F 4E 49 44 43 41 42 53 42 52 43 44 3D 48 47 IONIDCABSBRCD=HG
0110 4B 4A 41 47 49 44 49 4F 43 46 4C 43 4A 4C 42 43 KJAGIDIOCFLCJLBC
0120 4A 45 4A 4E 4C 4B 0D 0A 0D 0A JEJNLK....
2 221.10.254.253:80 192.168.0.100:2535 272 Recv
0000 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
0010 0A 44 61 74 65 3A 20 57 65 64 2C 20 32 36 20 4A .Date: Wed, 26 J
0020 75 6C 20 32 30 30 36 20 30 37 3A 32 38 3A 33 38 ul 2006 07:28:38
0030 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 4D 69 GMT..Server: Mi
0040 63 72 6F 73 6F 66 74 2D 49 49 53 2F 36 2E 30 0D crosoft-IIS/6.0.
0050 0A 58 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 41 .X-Powered-By: A
0060 53 50 2E 4E 45 54 0D 0A 50 72 61 67 6D 61 3A 20 SP.NET..Pragma:
0070 4E 6F 2D 43 61 63 68 65 0D 0A 43 6F 6E 74 65 6E No-Cache..Conten
0080 74 2D 4C 65 6E 67 74 68 3A 20 33 38 0D 0A 43 6F t-Length: 38..Co
0090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntent-Type: text
00A0 2F 68 74 6D 6C 0D 0A 45 78 70 69 72 65 73 3A 20 /html..Expires:
00B0 54 75 65 2C 20 32 35 20 4A 75 6C 20 32 30 30 36 Tue, 25 Jul 2006
00C0 20 30 37 3A 32 38 3A 33 38 20 47 4D 54 0D 0A 43 07:28:38 GMT..C
00D0 61 63 68 65 2D 63 6F 6E 74 72 6F 6C 3A 20 6E 6F ache-control: no
00E0 2D 63 61 63 68 65 0D 0A 0D 0A 68 74 74 70 3A 2F -cache....http:/
00F0 2F 77 61 6E 67 74 6F 6E 67 2E 35 32 73 74 74 76 /wangtong.52sttv
0100 2E 63 6F 6D 2F 77 61 72 6E 69 6E 67 2E 73 77 66 .com/warning.swf
Frustrating. This program validates every time it fetches a movie address, and my username is not registered on the server, so it can never pass
on their server; it just sends me a FLASH file. Sigh, all that work for nothing... sob~