首先声明,本人绝对菜鸟一只,前几天从公司拷贝一份打印软件回来,准备安装到自己机器上玩玩的,打开出现这个界面
,用户名密码已知,输入后却出现这个界面
,要注册,看过几篇破文,打开peid查壳,显示为无壳,用delphi4编写,立马输入注册号那里输入123456789,弹出提示“注册号错误,请重新输入”,好了,ollydbg载入,很快找到错误信息
;-----------------------------------------------------------------------
; Routine at 00557FCC (Delphi 4 'register' convention: eax = 1st arg,
; edx = 2nd arg). Two dword locals at [ebp-4]/[ebp-8] hold the spilled
; arguments. Effect: clears the global byte at 585218, then calls 00451850
; with eax = 1st arg (the same callee the routine at 00558008 reaches at
; 005580CB). Clobbers at least eax, ecx and flags; 00451850 is not shown.
;-----------------------------------------------------------------------
00557FCC /. 55 push ebp
00557FCD |. 8BEC mov ebp, esp
00557FCF |. 83C4 F8 add esp, -8 ; 8 bytes of locals
00557FD2 |. 8955 F8 mov [ebp-8], edx ; spill 2nd register argument (never read here)
00557FD5 |. 8945 FC mov [ebp-4], eax ; spill 1st register argument
00557FD8 |. C605 18525800>mov byte ptr [585218], 0 ; clear the global byte (set to 1 at 005580C1 in the routine below)
00557FDF |. 8B45 FC mov eax, [ebp-4]
00557FE2 |. E8 6998EFFF call 00451850 ; eax = 1st arg; callee not in this listing
00557FE7 |. 59 pop ecx ; release the two locals (two pops encode shorter than add esp, 8)
00557FE8 |. 59 pop ecx
00557FE9 |. 5D pop ebp
00557FEA \. C3 retn
00557FEB 90 nop
;-----------------------------------------------------------------------
; Routine at 00557FEC (register convention: eax = 1st, edx = 2nd, ecx = 3rd).
; Writes the byte value 2 through the pointer passed in ecx; the other two
; arguments are spilled to locals but never read. The three-argument shape
; with a pointer out-parameter looks like a Delphi event handler with a
; `var` parameter — inference only, confirm against the form's handlers.
;-----------------------------------------------------------------------
00557FEC /. 55 push ebp
00557FED |. 8BEC mov ebp, esp
00557FEF |. 83C4 F4 add esp, -0C ; 12 bytes of locals
00557FF2 |. 894D F8 mov [ebp-8], ecx ; 3rd arg: the pointer written below
00557FF5 |. 8955 F4 mov [ebp-C], edx ; 2nd arg (unused)
00557FF8 |. 8945 FC mov [ebp-4], eax ; 1st arg (unused)
00557FFB |. 8B45 F8 mov eax, [ebp-8]
00557FFE |. C600 02 mov byte ptr [eax], 2 ; *arg3 = 2
00558001 |. 8BE5 mov esp, ebp ; release locals
00558003 |. 5D pop ebp
00558004 \. C3 retn
00558005 8D40 00 lea eax, [eax]
;-----------------------------------------------------------------------
; Routine at 00558008 (eax = 1st arg, an object pointer; edx = 2nd arg).
; Locals (zero-filled by the six pushes of ecx):
;   [ebp-4]  1st arg    [ebp-C]  2nd arg
;   [ebp-8], [ebp-10], [ebp-14], [ebp-18]  temporaries filled by the helper
;   calls below and released in the block at 005580DD.
; Flow: read the object's field at +2D8 through 00436598 / 00409F68 into
; [ebp-8]; if that value is non-nil with a positive length (0040430C),
; rebuild it from two temporaries (00404514 / 00404234 / 00404358); pass
; the result of 004044D0 to the import secret.registKey, then branch on the
; AL returned by secret.canEnter. A try/finally-style SEH frame (fs:[0])
; wraps the body: 005580FB is the handler entry, 005580DD..005580FA the
; finally block, 00558102 the real epilogue.
; The 0040xxxx helpers are not in this listing; their roles are inferred
; from register/stack usage only — confirm before relying on them.
;-----------------------------------------------------------------------
00558008 /. 55 push ebp
00558009 |. 8BEC mov ebp, esp
0055800B |. 33C9 xor ecx, ecx
0055800D |. 51 push ecx ; six pushes = 24 bytes of zeroed locals ([ebp-4]..[ebp-18])
0055800E |. 51 push ecx
0055800F |. 51 push ecx
00558010 |. 51 push ecx
00558011 |. 51 push ecx
00558012 |. 51 push ecx
00558013 |. 8955 F4 mov [ebp-C], edx ; spill 2nd register argument
00558016 |. 8945 FC mov [ebp-4], eax ; spill 1st register argument (object pointer)
00558019 |. 33C0 xor eax, eax ; eax = 0 so fs:[eax] addresses fs:[0], the SEH chain head
0055801B |. 55 push ebp
0055801C |. 68 FB805500 push 005580FB ; handler entry address (see 005580FB below)
00558021 |. 64:FF30 push dword ptr fs:[eax] ; save the previous SEH record
00558024 |. 64:8920 mov fs:[eax], esp ; link this frame into the chain
00558027 |. 8D55 F0 lea edx, [ebp-10] ; edx = &temp10 (out parameter)
0055802A |. 8B45 FC mov eax, [ebp-4]
0055802D |. 8B80 D8020000 mov eax, [eax+2D8] ; eax = object->field_2D8 (same field used at 005580B1)
00558033 |. E8 60E5EDFF call 00436598 ; fills [ebp-10]; presumably a getter on field_2D8 — confirm
00558038 |. 8B45 F0 mov eax, [ebp-10]
0055803B |. 8D55 F8 lea edx, [ebp-8] ; edx = &temp8 (out parameter)
0055803E |. E8 251FEBFF call 00409F68 ; converts [ebp-10] into [ebp-8]
00558043 |. 837D F8 00 cmp dword ptr [ebp-8], 0
00558047 |. 74 44 je short 0055808D ; nil -> skip the rebuild
00558049 |. 8B45 F8 mov eax, [ebp-8]
0055804C |. E8 BBC2EAFF call 0040430C ; eax = length-like value of [ebp-8] (called again at 0055805C)
00558051 |. 85C0 test eax, eax
00558053 |. 7E 38 jle short 0055808D ; signed test: <= 0 -> skip the rebuild
00558055 |. 8D45 EC lea eax, [ebp-14]
00558058 |. 50 push eax ; stack arg: &temp14 (result slot for 00404514)
00558059 |. 8B45 F8 mov eax, [ebp-8]
0055805C |. E8 ABC2EAFF call 0040430C
00558061 |. 8BC8 mov ecx, eax ; ecx = length-like value
00558063 |. BA 02000000 mov edx, 2
00558068 |. 8B45 F8 mov eax, [ebp-8]
0055806B |. E8 A4C4EAFF call 00404514 ; eax = [ebp-8], edx = 2, ecx = length, stack = &temp14
00558070 |. 8B45 EC mov eax, [ebp-14]
00558073 |. 50 push eax ; keep temp14 on the stack across the next call
00558074 |. 8D45 E8 lea eax, [ebp-18] ; eax = &temp18 (out parameter)
00558077 |. 8B55 F8 mov edx, [ebp-8]
0055807A |. 8A12 mov dl, [edx] ; dl = first byte of [ebp-8] (only the low byte of edx is replaced)
0055807C |. E8 B3C1EAFF call 00404234 ; builds temp18 from dl
00558081 |. 8B4D E8 mov ecx, [ebp-18]
00558084 |. 8D45 F8 lea eax, [ebp-8] ; eax = &temp8 (destination)
00558087 |. 5A pop edx ; edx = temp14 pushed at 00558073
00558088 |. E8 CBC2EAFF call 00404358 ; [ebp-8] := combine(temp14, temp18)
0055808D |> 8B45 F8 mov eax, [ebp-8] ; join point for both skip branches
00558090 |. E8 3BC4EAFF call 004044D0 ; eax = value derived from [ebp-8]
00558095 |. 50 push eax ; single stack argument
00558096 |. E8 212FFBFF call <jmp.&secret.registKey> ; DLL import; no esp fix-up follows, so the callee pops the argument (stdcall-style)
0055809B |. E8 0C2FFBFF call <jmp.&secret.canEnter> ; DLL import, no arguments; boolean result in al
005580A0 |. 84C0 test al, al
005580A2 |. 75 1D jnz short 005580C1 ; al != 0 -> accepted path
005580A4 |. B8 10815500 mov eax, 00558110 ; 注册号错误,请重新输入! ("registration number wrong, please re-enter")
005580A9 |. E8 6A65F0FF call 0045E618 ; eax = message string; shows the error dialog (per the post) — confirm
005580AE |. 8B45 FC mov eax, [ebp-4]
005580B1 |. 8B80 D8020000 mov eax, [eax+2D8] ; eax = object->field_2D8 again
005580B7 |. 8B10 mov edx, [eax] ; edx = first dword of that object (its method table / VMT)
005580B9 |. FF92 B0000000 call [edx+B0] ; virtual call through table slot +B0; likely refocuses the control — inference
005580BF |. EB 0F jmp short 005580D0
005580C1 |> C605 18525800>mov byte ptr [585218], 1 ; accepted: set the global byte that 00557FD8 clears
005580C8 |. 8B45 FC mov eax, [ebp-4]
005580CB |. E8 8097EFFF call 00451850 ; same callee as at 00557FE2, eax = 1st arg
005580D0 |> 33C0 xor eax, eax ; fs:[0] again
005580D2 |. 5A pop edx ; edx = previous SEH record saved at 00558021
005580D3 |. 59 pop ecx ; discard handler address
005580D4 |. 59 pop ecx ; discard saved ebp
005580D5 |. 64:8910 mov fs:[eax], edx ; unlink this frame from the chain
005580D8 |. 68 02815500 push 00558102 ; return address consumed by the finally block's retn
005580DD |> 8D45 E8 lea eax, [ebp-18] ; finally block: release temporaries
005580E0 |. BA 02000000 mov edx, 2 ; edx = 2, presumably a count covering [ebp-18] and [ebp-14] — confirm
005580E5 |. E8 C6BFEAFF call 004040B0
005580EA |. 8D45 F0 lea eax, [ebp-10]
005580ED |. E8 9ABFEAFF call 0040408C ; release temp10
005580F2 |. 8D45 F8 lea eax, [ebp-8]
005580F5 |> E8 92BFEAFF call 0040408C ; release temp8
005580FA \. C3 retn ; returns to 00558102 (pushed at 005580D8)
005580FB .^ E9 C4B8EAFF jmp 004039C4 ; SEH handler entry (address pushed at 0055801C); RTL target not shown
00558100 .^ EB DB jmp short 005580DD ; exception path re-enters the finally block
00558102 . 8BE5 mov esp, ebp ; real epilogue: drop locals
00558104 . 5D pop ebp
00558105 . C3 retn
看了半天,也看不懂他的算法,凭感觉将005580A2处的jnz short 005580C1改成jz short 005580C1,保存,一运行,随便输入注册号,虽然可以进了,不知道为什么,但是退出后再进还是要输入注册号,小弟比较郁闷,在这里恳求各位指点小弟一二,小弟感激不尽,如有可能,请指点小弟应该从哪里分析这段代码