【Article title】: [Network verification cracking] Converting a game cheat's network verification into a local check
【Author】: KuNgBiM
【Author e-mail】: kungbim@163.com
【Author homepage】: http://www.crkcn.com
【Software name】: 惊天伴侣 2.2.5 Member Enhanced Edition (updated 26 March 2007)
【Software size】: 1.71 MB
【Download】: search for it yourself
【Packer】: ASProtect 2.1x SKE
【Protection】: network verification
【Written in】: Microsoft Visual C++ 6.0
【Tools used】: OllyICE
【Platform】: pirated, non-standard XP SP2
【Software description】: helper tool for the large online game 惊天动地, commonly called an "外挂" (game cheat).
【Author's statement】: Purely out of interest, with no other purpose. Corrections to any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Since this program is packed with a standard ASProtect 2.1x SKE and no code is stolen, for convenience I unpack it first and then analyse it...
After unpacking, load it in OllyICE. Because the program handles its key strings carefully, the string plugin is of no use here.
So let's debug it the usual way, with an API breakpoint.
Command to set the breakpoint: bpx closesocket
Press F9 to run, enter a username and click "Login", and it breaks here:
00418E79 . 6A 10 push 10 ; start of the cheat's network verification
00418E7B . 8D85 60FEFFFF lea eax, dword ptr [ebp-1A0] ; compute the game ID length
00418E81 . 50 push eax
00418E82 . 6A 60 push 60
00418E84 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00418E8A . 51 push ecx
00418E8B . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00418E91 . 52 push edx
00418E92 . E8 B9320100 call 0042C150 ; check whether the cheat is already in a communicating state
00418E97 . 83C4 18 add esp, 18
00418E9A . 833D 9C826500 00 cmp dword ptr [65829C], 0
00418EA1 . 74 16 je short 00418EB9 ; jump if not yet communicating (ignore)
00418EA3 . A1 9C826500 mov eax, dword ptr [65829C]
00418EA8 . 50 push eax ; /Socket => 384
00418EA9 . FF15 E4A54600 call dword ptr [<&ws2_32.closesocket>] ; \closesocket
00418EAF . C705 9C826500 00000000 mov dword ptr [65829C], 0
00418EB9 > 833D 9C826500 00 cmp dword ptr [65829C], 0
00418EC0 . 75 11 jnz short 00418ED3 ; if not yet communicating, prepare to fetch the verification server address
00418EC2 . 6A 00 push 0 ; /Protocol = IPPROTO_IP
00418EC4 . 6A 01 push 1 ; |Type = SOCK_STREAM
00418EC6 . 6A 02 push 2 ; |Family = AF_INET
00418EC8 . FF15 E0A54600 call dword ptr [<&ws2_32.socket>] ; \socket
00418ECE . A3 9C826500 mov dword ptr [65829C], eax
00418ED3 > 66:C785 18FAFFFF 0200 mov word ptr [ebp-5E8], 2
00418EDC . 68 AC836500 push 006583AC ; /ASCII "203.174.87.234"
00418EE1 . FF15 DCA54600 call dword ptr [<&ws2_32.inet_addr>] ; \inet_addr
00418EE7 . 8985 1CFAFFFF mov dword ptr [ebp-5E4], eax
00418EED . 66:8B0D 38105D00 mov cx, word ptr [5D1038]
00418EF4 . 51 push ecx ; /NetShort
00418EF5 . FF15 E8A54600 call dword ptr [<&ws2_32.htons>] ; \ntohs
00418EFB . 66:8985 1AFAFFFF mov word ptr [ebp-5E6], ax
00418F02 . 6A 10 push 10 ; /AddrLen = 10 (16.)
00418F04 . 8D95 18FAFFFF lea edx, dword ptr [ebp-5E8] ; |
00418F0A . 52 push edx ; |pSockAddr
00418F0B . A1 9C826500 mov eax, dword ptr [65829C] ; |
00418F10 . 50 push eax ; |Socket => 384
00418F11 . FF15 D0A54600 call dword ptr [<&ws2_32.connect>] ; \connect
00418F17 . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data
00418F1D . 83BD 58FEFFFF FF cmp dword ptr [ebp-1A8], -1 ; is the return value >= FFFFFFFF? if so it dies (communication failed)
00418F24 75 14 jnz short 00418F3A ; ★ so this must jump! change it to JMP ★
00418F26 . C705 3C105D00 0D000000 mov dword ptr [5D103C], 0D
00418F30 . E8 EB180100 call 0042A820
00418F35 . E9 5C0A0000 jmp 00419996
00418F3A > 6A 00 push 0 ; /Flags = 0
00418F3C . 6A 60 push 60 ; |DataSize = 60 (96.)
00418F3E . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C] ; |
00418F44 . 51 push ecx ; |Data
00418F45 . 8B15 9C826500 mov edx, dword ptr [65829C] ; |
00418F4B . 52 push edx ; |Socket => 384
00418F4C . FF15 D8A54600 call dword ptr [<&ws2_32.send>] ; \send
00418F52 . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data again
00418F58 . 83BD 58FEFFFF 60 cmp dword ptr [ebp-1A8], 60 ; is the return value <= 96? if so it dies (bad packet)
00418F5F 74 05 je short 00418F66 ; ★ so this must jump! change it to JMP ★
00418F61 . E9 300A0000 jmp 00419996
00418F66 > 6A 00 push 0 ; /Flags = 0
00418F68 . 6A 60 push 60 ; |BufSize = 60 (96.)
00418F6A . 8D85 74FFFFFF lea eax, dword ptr [ebp-8C] ; |
00418F70 . 50 push eax ; |Buffer
00418F71 . 8B0D 9C826500 mov ecx, dword ptr [65829C] ; |
00418F77 . 51 push ecx ; |Socket => 384
00418F78 . FF15 D4A54600 call dword ptr [<&ws2_32.recv>] ; \recv
00418F7E . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data again
00418F84 . 83BD 58FEFFFF 00 cmp dword ptr [ebp-1A8], 0 ; is the return value >= 0? if so it dies (bad packet)
00418F8B 75 05 jnz short 00418F92 ; ★ changing this is optional; to be safe, change it to JMP ★
00418F8D . E9 040A0000 jmp 00419996
00418F92 > 8B15 9C826500 mov edx, dword ptr [65829C] ; server communication finished
00418F98 . 52 push edx ; /Socket => 384
00418F99 . FF15 E4A54600 call dword ptr [<&ws2_32.closesocket>] ; \closesocket
00418F9F . 6A 01 push 1
00418FA1 . 6A 10 push 10
00418FA3 . 8D85 48FEFFFF lea eax, dword ptr [ebp-1B8]
00418FA9 . 50 push eax
00418FAA . 6A 60 push 60
00418FAC . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00418FB2 . 51 push ecx
00418FB3 . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00418FB9 . 52 push edx
00418FBA . E8 91310100 call 0042C150 ; check whether the server returned any data
00418FBF . 83C4 18 add esp, 18
00418FC2 . 75 04 jnz short 00418FC8 ; jump if data was returned! (must jump)
00418FC4 . 74 02 je short 00418FC8
00418FC6 9A db 9A
00418FC7 E8 db E8
00418FC8 > 83BD 74FFFFFF 09 cmp dword ptr [ebp-8C], 9 ; check whether a newer version of the cheat is available
00418FCF . 0F85 A7000000 jnz 0041907C ; jump if greater or equal (to stop it auto-updating, change to JMP)
00418FD5 . 6A 00 push 0
00418FD7 . 68 502E4800 push 00482E50
00418FDC . 68 082E4800 push 00482E08
00418FE1 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
00418FE7 . E8 CCF40300 call 004584B8
00418FEC . B9 11000000 mov ecx, 11
00418FF1 . 33C0 xor eax, eax
00418FF3 . 8DBD C0F9FFFF lea edi, dword ptr [ebp-640]
00418FF9 . F3:AB rep stos dword ptr es:[edi]
00418FFB . C785 C0F9FFFF 44000000 mov dword ptr [ebp-640], 44
00419005 . 33C0 xor eax, eax
00419007 . 8985 04FAFFFF mov dword ptr [ebp-5FC], eax
0041900D . 8985 08FAFFFF mov dword ptr [ebp-5F8], eax
00419013 . 8985 0CFAFFFF mov dword ptr [ebp-5F4], eax
00419019 . 8985 10FAFFFF mov dword ptr [ebp-5F0], eax
0041901F . 8D8D 04FAFFFF lea ecx, dword ptr [ebp-5FC]
00419025 . 51 push ecx ; /pProcessInfo
00419026 . 8D95 C0F9FFFF lea edx, dword ptr [ebp-640] ; |
0041902C . 52 push edx ; |pStartupInfo
0041902D . 6A 00 push 0 ; |CurrentDir = NULL
0041902F . 6A 00 push 0 ; |pEnvironment = NULL
00419031 . 6A 00 push 0 ; |CreationFlags = 0
00419033 . 6A 00 push 0 ; |InheritHandles = FALSE
00419035 . 6A 00 push 0 ; |pThreadSecurity = NULL
00419037 . 6A 00 push 0 ; |pProcessSecurity = NULL
00419039 . 68 E42D4800 push 00482DE4 ; |CommandLine = "explorer http://www.jtlover.net/"
0041903E . 6A 00 push 0 ; |ModuleFileName = NULL
00419040 . FF15 34A24600 call dword ptr [<&kernel32.CreateProces>; \CreateProcessA
00419046 . 85C0 test eax, eax
00419048 . 75 07 jnz short 00419051
0041904A . 6A 00 push 0
0041904C . E8 87C30100 call 004353D8
00419051 > 8B85 04FAFFFF mov eax, dword ptr [ebp-5FC]
00419057 . 50 push eax ; /hObject
00419058 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041905E . 8B8D 08FAFFFF mov ecx, dword ptr [ebp-5F8]
00419064 . 51 push ecx ; /hObject
00419065 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041906B . 8B95 74FFFFFF mov edx, dword ptr [ebp-8C]
00419071 . 8915 3C105D00 mov dword ptr [5D103C], edx
00419077 . E9 1A090000 jmp 00419996
0041907C > 75 04 jnz short 00419082
0041907E . 74 02 je short 00419082
00419080 9A db 9A
00419081 E8 db E8
00419082 > 83BD 74FFFFFF 00 cmp dword ptr [ebp-8C], 0 ; check whether the final verification result is <= 0; if so, it is valid!
00419089 . 74 15 je short 004190A0 ; ★ so this must jump! change it to JMP ★
0041908B . 8B85 74FFFFFF mov eax, dword ptr [ebp-8C]
00419091 . A3 3C105D00 mov dword ptr [5D103C], eax
00419096 . E8 85170100 call 0042A820
0041909B . E9 F6080000 jmp 00419996
004190A0 > 8B4D CC mov ecx, dword ptr [ebp-34] ; from here on it sets up the program window and the config files
004190A3 . 890D C0836500 mov dword ptr [6583C0], ecx
004190A9 . C705 3C105D00 58000000 mov dword ptr [5D103C], 58
004190B3 . 68 F4030000 push 3F4
004190B8 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
004190BE . E8 25050400 call 004595E8
004190C3 . 8985 5CFEFFFF mov dword ptr [ebp-1A4], eax
004190C9 . 6A 00 push 0
004190CB . 8B8D 5CFEFFFF mov ecx, dword ptr [ebp-1A4]
004190D1 . E8 3E080400 call 00459914
004190D6 . 51 push ecx
004190D7 . 8BCC mov ecx, esp
004190D9 . 89A5 ACF9FFFF mov dword ptr [ebp-654], esp
004190DF . 68 DC2D4800 push 00482DDC ; ASCII "TIP2"
004190E4 . E8 8BD50300 call 00456674
004190E9 . 8985 94F9FFFF mov dword ptr [ebp-66C], eax
004190EF . 8B95 94F9FFFF mov edx, dword ptr [ebp-66C]
004190F5 . 8995 90F9FFFF mov dword ptr [ebp-670], edx
004190FB . C745 FC 00000000 mov dword ptr [ebp-4], 0
00419102 . 51 push ecx
00419103 . 8BCC mov ecx, esp
00419105 . 89A5 A8F9FFFF mov dword ptr [ebp-658], esp
0041910B . 68 D42D4800 push 00482DD4 ; ASCII "Dialog1"
00419110 . E8 5FD50300 call 00456674
00419115 . 8985 8CF9FFFF mov dword ptr [ebp-674], eax ; |
0041911B . 8D85 A4F9FFFF lea eax, dword ptr [ebp-65C] ; |
00419121 . 50 push eax ; |Arg1
00419122 . B9 04156500 mov ecx, 00651504 ; |
00419127 . C745 FC FFFFFFFF mov dword ptr [ebp-4], -1 ; |
0041912E . E8 DD610000 call 0041F310 ; \jtbl.0041F310
00419133 . 8985 88F9FFFF mov dword ptr [ebp-678], eax
00419139 . 8B8D 88F9FFFF mov ecx, dword ptr [ebp-678]
0041913F . 898D A0F9FFFF mov dword ptr [ebp-660], ecx
00419145 . C745 FC 01000000 mov dword ptr [ebp-4], 1
0041914C . 8B95 A0F9FFFF mov edx, dword ptr [ebp-660]
00419152 . 8B02 mov eax, dword ptr [edx]
00419154 . 8985 9CF9FFFF mov dword ptr [ebp-664], eax
0041915A . 8B8D 9CF9FFFF mov ecx, dword ptr [ebp-664]
00419160 . 51 push ecx
00419161 . 68 B5040000 push 4B5
00419166 . B9 C87A6500 mov ecx, 00657AC8
0041916B . E8 69050400 call 004596D9
00419170 . C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00419177 . 8D8D A4F9FFFF lea ecx, dword ptr [ebp-65C]
0041917D . E8 84D40300 call 00456606
00419182 . 68 0000FF00 push 0FF0000
00419187 . B9 E8806500 mov ecx, 006580E8
0041918C . E8 FF4F0000 call 0041E190
00419191 . C645 D8 00 mov byte ptr [ebp-28], 0
00419195 . C645 D9 00 mov byte ptr [ebp-27], 0
00419199 . 33D2 xor edx, edx
0041919B . 8955 DA mov dword ptr [ebp-26], edx
0041919E . 8955 DE mov dword ptr [ebp-22], edx
004191A1 . 8955 E2 mov dword ptr [ebp-1E], edx
004191A4 . 8955 E6 mov dword ptr [ebp-1A], edx
004191A7 . 8955 EA mov dword ptr [ebp-16], edx
004191AA . 66:8955 EE mov word ptr [ebp-12], dx
004191AE . 8855 F0 mov byte ptr [ebp-10], dl
004191B1 . 6A 18 push 18 ; /Arg3 = 00000018
004191B3 . 8D45 D8 lea eax, dword ptr [ebp-28] ; |
004191B6 . 50 push eax ; |Arg2
004191B7 . 68 05040000 push 405 ; |Arg1 = 00000405
004191BC . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668] ; |
004191C2 . E8 AB040400 call 00459672 ; \jtbl.00459672
004191C7 . 68 382D4800 push 00482D38 ; /FileName = ".\Setting\config.ini"
004191CC . 8D4D D8 lea ecx, dword ptr [ebp-28] ; |
004191CF . 51 push ecx ; |String
004191D0 . 68 182D4800 push 00482D18 ; |Key = "Account"
004191D5 . 68 282D4800 push 00482D28 ; |Section = "Config"
004191DA . FF15 48A24600 call dword ptr [<&kernel32.WritePrivate>; \WritePrivateProfileStringA
004191E0 . C685 70FEFFFF 00 mov byte ptr [ebp-190], 0
004191E7 . C685 71FEFFFF 00 mov byte ptr [ebp-18F], 0
004191EE . B9 40000000 mov ecx, 40
004191F3 . 33C0 xor eax, eax
004191F5 . 8DBD 72FEFFFF lea edi, dword ptr [ebp-18E]
004191FB . F3:AB rep stos dword ptr es:[edi]
004191FD . 66:AB stos word ptr es:[edi]
004191FF . C745 D4 00000000 mov dword ptr [ebp-2C], 0
00419206 . 68 04010000 push 104 ; /BufSize = 104 (260.)
0041920B . 8D95 70FEFFFF lea edx, dword ptr [ebp-190] ; |
00419211 . 52 push edx ; |PathBuffer
00419212 . 6A 00 push 0 ; |hModule = NULL
00419214 . FF15 ECA14600 call dword ptr [<&kernel32.GetModuleFil>; \GetModuleFileNameA
0041921A . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419220 . 83C9 FF or ecx, FFFFFFFF
00419223 . 33C0 xor eax, eax
00419225 . F2:AE repne scas byte ptr es:[edi]
00419227 . F7D1 not ecx
00419229 . 83C1 FE add ecx, -2
0041922C . 894D D4 mov dword ptr [ebp-2C], ecx
0041922F > 8B45 D4 mov eax, dword ptr [ebp-2C]
00419232 . 0FBE8C05 70FEFFFF movsx ecx, byte ptr [ebp+eax-190]
0041923A . 83F9 5C cmp ecx, 5C
0041923D . 74 16 je short 00419255
0041923F . 8B55 D4 mov edx, dword ptr [ebp-2C]
00419242 . C68415 70FEFFFF 00 mov byte ptr [ebp+edx-190], 0
0041924A . 8B45 D4 mov eax, dword ptr [ebp-2C]
0041924D . 83E8 01 sub eax, 1
00419250 . 8945 D4 mov dword ptr [ebp-2C], eax
00419253 .^ EB DA jmp short 0041922F
00419255 > 8D7D D8 lea edi, dword ptr [ebp-28] ; get the username (preparing the trial-period check)
00419258 . 8B15 787D5F00 mov edx, dword ptr [5F7D78] ; kudrtgov.10213000
0041925E . 83C9 FF or ecx, FFFFFFFF
00419261 . 33C0 xor eax, eax
00419263 . F2:AE repne scas byte ptr es:[edi]
00419265 . F7D1 not ecx
00419267 . 2BF9 sub edi, ecx
00419269 . 8BF7 mov esi, edi
0041926B . 8BC1 mov eax, ecx
0041926D . 8BFA mov edi, edx
0041926F . C1E9 02 shr ecx, 2
00419272 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419274 . 8BC8 mov ecx, eax
00419276 . 83E1 03 and ecx, 3
00419279 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041927B . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419281 . 8B0D 787D5F00 mov ecx, dword ptr [5F7D78] ; kudrtgov.10213000
00419287 . 83C1 1E add ecx, 1E
0041928A . 8BD1 mov edx, ecx
0041928C . 83C9 FF or ecx, FFFFFFFF
0041928F . 33C0 xor eax, eax
00419291 . F2:AE repne scas byte ptr es:[edi]
00419293 . F7D1 not ecx
00419295 . 2BF9 sub edi, ecx
00419297 . 8BF7 mov esi, edi
00419299 . 8BC1 mov eax, ecx
0041929B . 8BFA mov edi, edx
0041929D . C1E9 02 shr ecx, 2
004192A0 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004192A2 . 8BC8 mov ecx, eax
004192A4 . 83E1 03 and ecx, 3
004192A7 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004192A9 . C685 38FBFFFF 00 mov byte ptr [ebp-4C8], 0
004192B0 . C685 39FBFFFF 00 mov byte ptr [ebp-4C7], 0
004192B7 . B9 40000000 mov ecx, 40
004192BC . 33C0 xor eax, eax
004192BE . 8DBD 3AFBFFFF lea edi, dword ptr [ebp-4C6]
004192C4 . F3:AB rep stos dword ptr es:[edi]
004192C6 . 66:AB stos word ptr es:[edi]
004192C8 . C685 3CFCFFFF 00 mov byte ptr [ebp-3C4], 0
004192CF . C685 3DFCFFFF 00 mov byte ptr [ebp-3C3], 0
004192D6 . B9 40000000 mov ecx, 40
004192DB . 33C0 xor eax, eax
004192DD . 8DBD 3EFCFFFF lea edi, dword ptr [ebp-3C2]
004192E3 . F3:AB rep stos dword ptr es:[edi]
004192E5 . 66:AB stos word ptr es:[edi]
004192E7 . C685 44FDFFFF 00 mov byte ptr [ebp-2BC], 0
004192EE . C685 45FDFFFF 00 mov byte ptr [ebp-2BB], 0
004192F5 . B9 40000000 mov ecx, 40
004192FA . 33C0 xor eax, eax
004192FC . 8DBD 46FDFFFF lea edi, dword ptr [ebp-2BA]
00419302 . F3:AB rep stos dword ptr es:[edi]
00419304 . 66:AB stos word ptr es:[edi]
00419306 . BF CC2D4800 mov edi, 00482DCC ; ASCII "\Users\"
0041930B . 8D95 70FEFFFF lea edx, dword ptr [ebp-190]
00419311 . 83C9 FF or ecx, FFFFFFFF
00419314 . 33C0 xor eax, eax
00419316 . F2:AE repne scas byte ptr es:[edi]
00419318 . F7D1 not ecx
0041931A . 2BF9 sub edi, ecx
0041931C . 8BF7 mov esi, edi
0041931E . 8BD9 mov ebx, ecx
00419320 . 8BFA mov edi, edx
00419322 . 83C9 FF or ecx, FFFFFFFF
00419325 . 33C0 xor eax, eax
00419327 . F2:AE repne scas byte ptr es:[edi]
00419329 . 83C7 FF add edi, -1
0041932C . 8BCB mov ecx, ebx
0041932E . C1E9 02 shr ecx, 2
00419331 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419333 . 8BCB mov ecx, ebx
00419335 . 83E1 03 and ecx, 3
00419338 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041933A . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419340 . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
00419346 . 83C9 FF or ecx, FFFFFFFF
00419349 . 33C0 xor eax, eax
0041934B . F2:AE repne scas byte ptr es:[edi]
0041934D . F7D1 not ecx
0041934F . 2BF9 sub edi, ecx
00419351 . 8BF7 mov esi, edi
00419353 . 8BC1 mov eax, ecx
00419355 . 8BFA mov edi, edx
00419357 . C1E9 02 shr ecx, 2
0041935A . F3:A5 rep movs dword ptr es:[edi], dword ptr>
0041935C . 8BC8 mov ecx, eax
0041935E . 83E1 03 and ecx, 3
00419361 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419363 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
00419369 . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
0041936F . 83C9 FF or ecx, FFFFFFFF
00419372 . 33C0 xor eax, eax
00419374 . F2:AE repne scas byte ptr es:[edi]
00419376 . F7D1 not ecx
00419378 . 2BF9 sub edi, ecx
0041937A . 8BF7 mov esi, edi
0041937C . 8BD9 mov ebx, ecx
0041937E . 8BFA mov edi, edx
00419380 . 83C9 FF or ecx, FFFFFFFF
00419383 . 33C0 xor eax, eax
00419385 . F2:AE repne scas byte ptr es:[edi]
00419387 . 83C7 FF add edi, -1
0041938A . 8BCB mov ecx, ebx
0041938C . C1E9 02 shr ecx, 2
0041938F . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419391 . 8BCB mov ecx, ebx
00419393 . 83E1 03 and ecx, 3
00419396 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419398 . BF BC2D4800 mov edi, 00482DBC ; ASCII "\NewConfig.ini"
0041939D . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
004193A3 . 83C9 FF or ecx, FFFFFFFF
004193A6 . 33C0 xor eax, eax
004193A8 . F2:AE repne scas byte ptr es:[edi]
004193AA . F7D1 not ecx
004193AC . 2BF9 sub edi, ecx
004193AE . 8BF7 mov esi, edi
004193B0 . 8BD9 mov ebx, ecx
004193B2 . 8BFA mov edi, edx
004193B4 . 83C9 FF or ecx, FFFFFFFF
004193B7 . 33C0 xor eax, eax
004193B9 . F2:AE repne scas byte ptr es:[edi]
004193BB . 83C7 FF add edi, -1
004193BE . 8BCB mov ecx, ebx
004193C0 . C1E9 02 shr ecx, 2
004193C3 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004193C5 . 8BCB mov ecx, ebx
004193C7 . 83E1 03 and ecx, 3
004193CA . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004193CC . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
004193D2 . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4]
004193D8 . 83C9 FF or ecx, FFFFFFFF
004193DB . 33C0 xor eax, eax
004193DD . F2:AE repne scas byte ptr es:[edi]
004193DF . F7D1 not ecx
004193E1 . 2BF9 sub edi, ecx
004193E3 . 8BF7 mov esi, edi
004193E5 . 8BC1 mov eax, ecx
004193E7 . 8BFA mov edi, edx
004193E9 . C1E9 02 shr ecx, 2
004193EC . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004193EE . 8BC8 mov ecx, eax
004193F0 . 83E1 03 and ecx, 3
004193F3 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004193F5 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
004193FB . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4]
00419401 . 83C9 FF or ecx, FFFFFFFF
00419404 . 33C0 xor eax, eax
00419406 . F2:AE repne scas byte ptr es:[edi]
00419408 . F7D1 not ecx
0041940A . 2BF9 sub edi, ecx
0041940C . 8BF7 mov esi, edi
0041940E . 8BD9 mov ebx, ecx
00419410 . 8BFA mov edi, edx
00419412 . 83C9 FF or ecx, FFFFFFFF
00419415 . 33C0 xor eax, eax
00419417 . F2:AE repne scas byte ptr es:[edi]
00419419 . 83C7 FF add edi, -1
0041941C . 8BCB mov ecx, ebx
0041941E . C1E9 02 shr ecx, 2
00419421 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419423 . 8BCB mov ecx, ebx
00419425 . 83E1 03 and ecx, 3
00419428 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041942A . BF AC2D4800 mov edi, 00482DAC ; ASCII "\ListFile.ini"
0041942F . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4]
00419435 . 83C9 FF or ecx, FFFFFFFF
00419438 . 33C0 xor eax, eax
0041943A . F2:AE repne scas byte ptr es:[edi]
0041943C . F7D1 not ecx
0041943E . 2BF9 sub edi, ecx
00419440 . 8BF7 mov esi, edi
00419442 . 8BD9 mov ebx, ecx
00419444 . 8BFA mov edi, edx
00419446 . 83C9 FF or ecx, FFFFFFFF
00419449 . 33C0 xor eax, eax
0041944B . F2:AE repne scas byte ptr es:[edi]
0041944D . 83C7 FF add edi, -1
00419450 . 8BCB mov ecx, ebx
00419452 . C1E9 02 shr ecx, 2
00419455 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419457 . 8BCB mov ecx, ebx
00419459 . 83E1 03 and ecx, 3
0041945C . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041945E . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419464 . 8D95 44FDFFFF lea edx, dword ptr [ebp-2BC]
0041946A . 83C9 FF or ecx, FFFFFFFF
0041946D . 33C0 xor eax, eax
0041946F . F2:AE repne scas byte ptr es:[edi]
00419471 . F7D1 not ecx
00419473 . 2BF9 sub edi, ecx
00419475 . 8BF7 mov esi, edi
00419477 . 8BC1 mov eax, ecx
00419479 . 8BFA mov edi, edx
0041947B . C1E9 02 shr ecx, 2
0041947E . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419480 . 8BC8 mov ecx, eax
00419482 . 83E1 03 and ecx, 3
00419485 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419487 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
0041948D . 8D95 44FDFFFF lea edx, dword ptr [ebp-2BC]
00419493 . 83C9 FF or ecx, FFFFFFFF
00419496 . 33C0 xor eax, eax
00419498 . F2:AE repne scas byte ptr es:[edi]
0041949A . F7D1 not ecx
0041949C . 2BF9 sub edi, ecx
0041949E . 8BF7 mov esi, edi
004194A0 . 8BD9 mov ebx, ecx
004194A2 . 8BFA mov edi, edx
004194A4 . 83C9 FF or ecx, FFFFFFFF
004194A7 . 33C0 xor eax, eax
004194A9 . F2:AE repne scas byte ptr es:[edi]
004194AB . 83C7 FF add edi, -1
004194AE . 8BCB mov ecx, ebx
004194B0 . C1E9 02 shr ecx, 2
004194B3 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004194B5 . 8BCB mov ecx, ebx
004194B7 . 83E1 03 and ecx, 3
004194BA . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004194BC . BF 9C2D4800 mov edi, 00482D9C ; ASCII "\GuoLvFile.ini"
004194C1 . 8D95 44FDFFFF lea edx, dword ptr [ebp-2BC]
004194C7 . 83C9 FF or ecx, FFFFFFFF
004194CA . 33C0 xor eax, eax
004194CC . F2:AE repne scas byte ptr es:[edi]
004194CE . F7D1 not ecx
004194D0 . 2BF9 sub edi, ecx
004194D2 . 8BF7 mov esi, edi
004194D4 . 8BD9 mov ebx, ecx
004194D6 . 8BFA mov edi, edx
004194D8 . 83C9 FF or ecx, FFFFFFFF
004194DB . 33C0 xor eax, eax
004194DD . F2:AE repne scas byte ptr es:[edi]
004194DF . 83C7 FF add edi, -1
004194E2 . 8BCB mov ecx, ebx
004194E4 . C1E9 02 shr ecx, 2
004194E7 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004194E9 . 8BCB mov ecx, ebx
004194EB . 83E1 03 and ecx, 3
004194EE . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004194F0 . 68 982D4800 push 00482D98
004194F5 . 8D85 38FBFFFF lea eax, dword ptr [ebp-4C8]
004194FB . 50 push eax
004194FC . E8 97BE0100 call 00435398 ; does config file A already exist?
00419501 . 83C4 08 add esp, 8
00419504 . 8985 14FAFFFF mov dword ptr [ebp-5EC], eax
0041950A . 83BD 14FAFFFF 00 cmp dword ptr [ebp-5EC], 0
00419511 . 75 5A jnz short 0041956D ; jump if the file already exists
00419513 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
00419519 . 8D95 70FEFFFF lea edx, dword ptr [ebp-190]
0041951F . 83C9 FF or ecx, FFFFFFFF
00419522 . 33C0 xor eax, eax
00419524 . F2:AE repne scas byte ptr es:[edi]
00419526 . F7D1 not ecx
00419528 . 2BF9 sub edi, ecx
0041952A . 8BF7 mov esi, edi
0041952C . 8BD9 mov ebx, ecx
0041952E . 8BFA mov edi, edx
00419530 . 83C9 FF or ecx, FFFFFFFF
00419533 . 33C0 xor eax, eax
00419535 . F2:AE repne scas byte ptr es:[edi]
00419537 . 83C7 FF add edi, -1
0041953A . 8BCB mov ecx, ebx
0041953C . C1E9 02 shr ecx, 2
0041953F . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419541 . 8BCB mov ecx, ebx
00419543 . 83E1 03 and ecx, 3
00419546 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419548 . 6A 00 push 0 ; /pSecurity = NULL
0041954A . 8D85 70FEFFFF lea eax, dword ptr [ebp-190] ; |
00419550 . 50 push eax ; |Path
00419551 . FF15 F0A14600 call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
00419557 . 6A 01 push 1 ; /FailIfExists = TRUE
00419559 . 8D8D 38FBFFFF lea ecx, dword ptr [ebp-4C8] ; |use the default config file A
0041955F . 51 push ecx ; |NewFileName
00419560 . 68 842D4800 push 00482D84 ; |ExistingFileName = "Setting\Default.ini"
00419565 . FF15 F4A14600 call dword ptr [<&kernel32.CopyFileA>] ; \CopyFileA
0041956B . EB 0F jmp short 0041957C
0041956D > 8B95 14FAFFFF mov edx, dword ptr [ebp-5EC]
00419573 . 52 push edx
00419574 . E8 71BD0100 call 004352EA
00419579 . 83C4 04 add esp, 4
0041957C > 68 982D4800 push 00482D98
00419581 . 8D85 3CFCFFFF lea eax, dword ptr [ebp-3C4]
00419587 . 50 push eax
00419588 . E8 0BBE0100 call 00435398 ; does config file B already exist?
0041958D . 83C4 08 add esp, 8
00419590 . 8985 14FAFFFF mov dword ptr [ebp-5EC], eax
00419596 . 83BD 14FAFFFF 00 cmp dword ptr [ebp-5EC], 0
0041959D . 75 25 jnz short 004195C4 ; jump if the file already exists
0041959F . 6A 00 push 0 ; /pSecurity = NULL
004195A1 . 8D8D 70FEFFFF lea ecx, dword ptr [ebp-190] ; |
004195A7 . 51 push ecx ; |Path
004195A8 . FF15 F0A14600 call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
004195AE . 6A 01 push 1 ; /FailIfExists = TRUE
004195B0 . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4] ; |use the default config file B
004195B6 . 52 push edx ; |NewFileName
004195B7 . 68 6C2D4800 push 00482D6C ; |ExistingFileName = "Setting\DefaultList.ini"
004195BC . FF15 F4A14600 call dword ptr [<&kernel32.CopyFileA>] ; \CopyFileA
004195C2 . EB 0F jmp short 004195D3
004195C4 > 8B85 14FAFFFF mov eax, dword ptr [ebp-5EC]
004195CA . 50 push eax
004195CB . E8 1ABD0100 call 004352EA
004195D0 . 83C4 04 add esp, 4
004195D3 > 68 982D4800 push 00482D98
004195D8 . 8D8D 44FDFFFF lea ecx, dword ptr [ebp-2BC]
004195DE . 51 push ecx
004195DF . E8 B4BD0100 call 00435398 ; does config file C already exist?
004195E4 . 83C4 08 add esp, 8
004195E7 . 8985 14FAFFFF mov dword ptr [ebp-5EC], eax
004195ED . 83BD 14FAFFFF 00 cmp dword ptr [ebp-5EC], 0
004195F4 . 75 25 jnz short 0041961B ; jump if the file already exists
004195F6 . 6A 00 push 0 ; /pSecurity = NULL
004195F8 . 8D95 70FEFFFF lea edx, dword ptr [ebp-190] ; |
004195FE . 52 push edx ; |Path
004195FF . FF15 F0A14600 call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
00419605 . 6A 01 push 1 ; /FailIfExists = TRUE
00419607 . 8D85 44FDFFFF lea eax, dword ptr [ebp-2BC] ; |use the default config file C
0041960D . 50 push eax ; |NewFileName
0041960E . 68 502D4800 push 00482D50 ; |ExistingFileName = "Setting\DefaultGuoLv.ini"
00419613 . FF15 F4A14600 call dword ptr [<&kernel32.CopyFileA>] ; \CopyFileA
00419619 . EB 0F jmp short 0041962A
0041961B > 8B8D 14FAFFFF mov ecx, dword ptr [ebp-5EC]
00419621 . 51 push ecx
00419622 . E8 C3BC0100 call 004352EA
00419627 . 83C4 04 add esp, 4
0041962A > 68 382D4800 push 00482D38 ; /IniFileName = ".\Setting\config.ini"
0041962F . 6A 00 push 0 ; |Default = 0
00419631 . 68 0C2D4800 push 00482D0C ; |Key = "virtualcode"
00419636 . 68 282D4800 push 00482D28 ; |Section = "Config"
0041963B . FF15 F8A14600 call dword ptr [<&kernel32.GetPrivatePr>; \GetPrivateProfileIntA
00419641 . 66:8985 34FBFFFF mov word ptr [ebp-4CC], ax
00419648 . 68 382D4800 push 00482D38 ; /IniFileName = ".\Setting\config.ini"
0041964D . 6A 00 push 0 ; |Default = 0
0041964F . 68 002D4800 push 00482D00 ; |Key = "modifiers"
00419654 . 68 282D4800 push 00482D28 ; |Section = "Config"
00419659 . FF15 F8A14600 call dword ptr [<&kernel32.GetPrivatePr>; \GetPrivateProfileIntA
0041965F . 66:8985 2CFBFFFF mov word ptr [ebp-4D4], ax
00419666 . 8B95 34FBFFFF mov edx, dword ptr [ebp-4CC]
0041966C . 81E2 FFFF0000 and edx, 0FFFF
00419672 . A1 787D5F00 mov eax, dword ptr [5F7D78]
00419677 . 8990 22010000 mov dword ptr [eax+122], edx
0041967D . 8B8D 2CFBFFFF mov ecx, dword ptr [ebp-4D4]
00419683 . 81E1 FFFF0000 and ecx, 0FFFF
00419689 . 8B15 787D5F00 mov edx, dword ptr [5F7D78] ; kudrtgov.10213000
0041968F . 898A 26010000 mov dword ptr [edx+126], ecx
00419695 . A1 787D5F00 mov eax, dword ptr [5F7D78]
0041969A . C780 90010000 64000000 mov dword ptr [eax+190], 64
004196A4 . C685 28FAFFFF 00 mov byte ptr [ebp-5D8], 0
004196AB . C685 29FAFFFF 00 mov byte ptr [ebp-5D7], 0
004196B2 . B9 40000000 mov ecx, 40
004196B7 . 33C0 xor eax, eax
004196B9 . 8DBD 2AFAFFFF lea edi, dword ptr [ebp-5D6]
004196BF . F3:AB rep stos dword ptr es:[edi]
004196C1 . 66:AB stos word ptr es:[edi]
004196C3 . 6A 12 push 12 ; /Arg3 = 00000012
004196C5 . 8D8D 28FAFFFF lea ecx, dword ptr [ebp-5D8] ; |
004196CB . 51 push ecx ; |Arg2
004196CC . 68 05040000 push 405 ; |Arg1 = 00000405
004196D1 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668] ; |
004196D7 . E8 96FF0300 call 00459672 ; \jtbl.00459672
004196DC . C785 40FDFFFF 00000000 mov dword ptr [ebp-2C0], 0
004196E6 . EB 0F jmp short 004196F7
004196E8 > 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
004196EE . 83C2 01 add edx, 1
004196F1 . 8995 40FDFFFF mov dword ptr [ebp-2C0], edx
004196F7 > 8B85 40FDFFFF mov eax, dword ptr [ebp-2C0]
004196FD . 3B05 687D5F00 cmp eax, dword ptr [5F7D68]
00419703 . 0F83 A6000000 jnb 004197AF
00419709 . 8D8D 28FAFFFF lea ecx, dword ptr [ebp-5D8]
0041970F . 898D 84F9FFFF mov dword ptr [ebp-67C], ecx
00419715 . 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
0041971B . 6BD2 68 imul edx, edx, 68
0041971E . 81C2 18E65D00 add edx, 005DE618 ; fetch the usernames previously used locally
00419724 . 8995 80F9FFFF mov dword ptr [ebp-680], edx
0041972A > 8B85 80F9FFFF mov eax, dword ptr [ebp-680]
00419730 . 8A08 mov cl, byte ptr [eax]
00419732 . 888D 7FF9FFFF mov byte ptr [ebp-681], cl
00419738 . 8B95 84F9FFFF mov edx, dword ptr [ebp-67C]
0041973E . 3A0A cmp cl, byte ptr [edx]
00419740 . 75 46 jnz short 00419788
00419742 . 80BD 7FF9FFFF 00 cmp byte ptr [ebp-681], 0
00419749 . 74 31 je short 0041977C
0041974B . 8B85 80F9FFFF mov eax, dword ptr [ebp-680]
00419751 . 8A48 01 mov cl, byte ptr [eax+1]
00419754 . 888D 7EF9FFFF mov byte ptr [ebp-682], cl
0041975A . 8B95 84F9FFFF mov edx, dword ptr [ebp-67C]
00419760 . 3A4A 01 cmp cl, byte ptr [edx+1]
00419763 . 75 23 jnz short 00419788
00419765 . 8385 80F9FFFF 02 add dword ptr [ebp-680], 2
0041976C . 8385 84F9FFFF 02 add dword ptr [ebp-67C], 2
00419773 . 80BD 7EF9FFFF 00 cmp byte ptr [ebp-682], 0
0041977A .^ 75 AE jnz short 0041972A
0041977C > C785 78F9FFFF 00000000 mov dword ptr [ebp-688], 0
00419786 . EB 0B jmp short 00419793
00419788 > 1BC0 sbb eax, eax
0041978A . 83D8 FF sbb eax, -1
0041978D . 8985 78F9FFFF mov dword ptr [ebp-688], eax
00419793 > 8B8D 78F9FFFF mov ecx, dword ptr [ebp-688]
00419799 . 898D 74F9FFFF mov dword ptr [ebp-68C], ecx
0041979F . 83BD 74F9FFFF 00 cmp dword ptr [ebp-68C], 0
004197A6 . 75 02 jnz short 004197AA
004197A8 . EB 05 jmp short 004197AF
004197AA >^ E9 39FFFFFF jmp 004196E8
004197AF > 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
004197B5 . 3B15 687D5F00 cmp edx, dword ptr [5F7D68] ; check whether this username is a new one
004197BB . 0F82 EF000000 jb 004198B0 ; ★ so this must not jump! NOP it out ★
004197C1 . A1 687D5F00 mov eax, dword ptr [5F7D68]
004197C6 . A3 6C7D5F00 mov dword ptr [5F7D6C], eax
004197CB . 8DBD 28FAFFFF lea edi, dword ptr [ebp-5D8]
004197D1 . 8B0D 687D5F00 mov ecx, dword ptr [5F7D68]
004197D7 . 6BC9 68 imul ecx, ecx, 68
004197DA . 81C1 18E65D00 add ecx, 005DE618 ; ASCII "test"
004197E0 . 898D 70F9FFFF mov dword ptr [ebp-690], ecx
004197E6 . 8B95 70F9FFFF mov edx, dword ptr [ebp-690]
004197EC . A1 687D5F00 mov eax, dword ptr [5F7D68]
004197F1 . 83C0 01 add eax, 1
004197F4 . A3 687D5F00 mov dword ptr [5F7D68], eax
004197F9 . 83C9 FF or ecx, FFFFFFFF
004197FC . 33C0 xor eax, eax
004197FE . F2:AE repne scas byte ptr es:[edi]
00419800 . F7D1 not ecx
00419802 . 2BF9 sub edi, ecx
00419804 . 8BF7 mov esi, edi
00419806 . 8BC1 mov eax, ecx
00419808 . 8BFA mov edi, edx
0041980A . C1E9 02 shr ecx, 2
0041980D . F3:A5 rep movs dword ptr es:[edi], dword ptr>
0041980F . 8BC8 mov ecx, eax
00419811 . 83E1 03 and ecx, 3
00419814 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419816 . 6A 00 push 0 ; /prepare to write the local record data file
00419818 . 68 00000002 push 2000000 ; |Attributes = BACKUP_SEMANTICS
0041981D . 6A 04 push 4 ; |Mode = OPEN_ALWAYS
0041981F . 6A 00 push 0 ; |pSecurity = NULL
00419821 . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
00419823 . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00419828 . 68 F42C4800 push 00482CF4 ; |FileName = "Account.dat"
0041982D . FF15 3CA24600 call dword ptr [<&kernel32.CreateFileA>>; \CreateFileA
00419833 . 8985 B8F9FFFF mov dword ptr [ebp-648], eax
00419839 . 6A 00 push 0 ; /pOverlapped = NULL
0041983B . 8D8D BCF9FFFF lea ecx, dword ptr [ebp-644] ; |
00419841 . 51 push ecx ; |pBytesWritten
00419842 . 6A 04 push 4 ; |nBytesToWrite = 4
00419844 . 68 687D5F00 push 005F7D68 ; |Buffer = jtbl.005F7D68
00419849 . 8B95 B8F9FFFF mov edx, dword ptr [ebp-648] ; |
0041984F . 52 push edx ; |hFile
00419850 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419856 . 6A 00 push 0 ; /pOverlapped = NULL
00419858 . 8D85 BCF9FFFF lea eax, dword ptr [ebp-644] ; |
0041985E . 50 push eax ; |pBytesWritten
0041985F . 6A 04 push 4 ; |nBytesToWrite = 4
00419861 . 68 6C7D5F00 push 005F7D6C ; |Buffer = jtbl.005F7D6C
00419866 . 8B8D B8F9FFFF mov ecx, dword ptr [ebp-648] ; |
0041986C . 51 push ecx ; |hFile
0041986D . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419873 . 6A 00 push 0 ; /pOverlapped = NULL
00419875 . 8D95 BCF9FFFF lea edx, dword ptr [ebp-644] ; |
0041987B . 52 push edx ; |pBytesWritten
0041987C . 68 40960100 push 19640 ; |nBytesToWrite = 19640 (104000.)
00419881 . 68 18E65D00 push 005DE618 ; |Buffer = jtbl.005DE618
00419886 . 8B85 B8F9FFFF mov eax, dword ptr [ebp-648] ; |
0041988C . 50 push eax ; |hFile
0041988D . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419893 . 8B8D B8F9FFFF mov ecx, dword ptr [ebp-648]
00419899 . 51 push ecx ; /hObject
0041989A . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
004198A0 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
004198A6 . E8 350E0000 call 0041A6E0
004198AB . E9 A1000000 jmp 00419951
004198B0 > 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
004198B6 . 8915 6C7D5F00 mov dword ptr [5F7D6C], edx
004198BC . 6A 00 push 0 ; /hTemplateFile = NULL
004198BE . 68 00000002 push 2000000 ; |Attributes = BACKUP_SEMANTICS
004198C3 . 6A 04 push 4 ; |Mode = OPEN_ALWAYS
004198C5 . 6A 00 push 0 ; |pSecurity = NULL
004198C7 . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
004198C9 . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
004198CE . 68 F42C4800 push 00482CF4 ; |FileName = "Account.dat"
004198D3 . FF15 3CA24600 call dword ptr [<&kernel32.CreateFileA>>; \CreateFileA
004198D9 . 8985 B0F9FFFF mov dword ptr [ebp-650], eax
004198DF . 6A 00 push 0 ; /pOverlapped = NULL
004198E1 . 8D85 B4F9FFFF lea eax, dword ptr [ebp-64C] ; |
004198E7 . 50 push eax ; |pBytesWritten
004198E8 . 6A 04 push 4 ; |nBytesToWrite = 4
004198EA . 68 687D5F00 push 005F7D68 ; |Buffer = jtbl.005F7D68
004198EF . 8B8D B0F9FFFF mov ecx, dword ptr [ebp-650] ; |
004198F5 . 51 push ecx ; |hFile
004198F6 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
004198FC . 6A 00 push 0 ; /pOverlapped = NULL
004198FE . 8D95 B4F9FFFF lea edx, dword ptr [ebp-64C] ; |
00419904 . 52 push edx ; |pBytesWritten
00419905 . 6A 04 push 4 ; |nBytesToWrite = 4
00419907 . 68 6C7D5F00 push 005F7D6C ; |Buffer = jtbl.005F7D6C
0041990C . 8B85 B0F9FFFF mov eax, dword ptr [ebp-650] ; |
00419912 . 50 push eax ; |hFile
00419913 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419919 . 6A 00 push 0 ; /pOverlapped = NULL
0041991B . 8D8D B4F9FFFF lea ecx, dword ptr [ebp-64C] ; |
00419921 . 51 push ecx ; |pBytesWritten
00419922 . 68 40960100 push 19640 ; |nBytesToWrite = 19640 (104000.)
00419927 . 68 18E65D00 push 005DE618 ; |Buffer = jtbl.005DE618
0041992C . 8B95 B0F9FFFF mov edx, dword ptr [ebp-650] ; |
00419932 . 52 push edx ; |hFile
00419933 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419939 . 8B85 B0F9FFFF mov eax, dword ptr [ebp-650]
0041993F . 50 push eax ; /hObject
00419940 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
00419946 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
0041994C . E8 8F0D0000 call 0041A6E0
00419951 > 68 04040000 push 404
00419956 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
0041995C . E8 87FC0300 call 004595E8
00419961 . 8985 5CFEFFFF mov dword ptr [ebp-1A4], eax
00419967 . 6A 01 push 1
00419969 . 8B8D 5CFEFFFF mov ecx, dword ptr [ebp-1A4]
0041996F . E8 A0FF0300 call 00459914
00419974 . 8B0D 787D5F00 mov ecx, dword ptr [5F7D78] ; kudrtgov.10213000
0041997A . 890D A0126500 mov dword ptr [6512A0], ecx
00419980 . 6A 00 push 0 ; /Timerproc = NULL
00419982 . 6A 64 push 64 ; |Timeout = 100. ms
00419984 . 6A 01 push 1 ; |TimerID = 1
00419986 . 8B95 98F9FFFF mov edx, dword ptr [ebp-668] ; |
0041998C . 8B42 1C mov eax, dword ptr [edx+1C] ; |
0041998F . 50 push eax ; |hWnd
00419990 . FF15 6CA54600 call dword ptr [<&user32.SetTimer>] ; \SetTimer
00419996 > 8B4D F4 mov ecx, dword ptr [ebp-C]
00419999 . 64:890D 00000000 mov dword ptr fs:[0], ecx
004199A0 . 5F pop edi
004199A1 . 5E pop esi
004199A2 . 5B pop ebx
004199A3 . 8BE5 mov esp, ebp
004199A5 . 5D pop ebp
004199A6 . C3 retn ; network and local verification all finished
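The three WriteFile calls near the end of the listing (from 004197C1 and again from 004198B0) persist the list of usernames seen on this machine in Account.dat, and the loop from 004196DC to 004197BB decides whether the current name is already in that list. As an added example that is not part of the original write-up or of the tool's own code, the following Python reconstructs the file layout the listing shows, so the artifact can be parsed offline and the new-versus-existing-user decision can be checked against it. The field widths (4-byte entry count from 005F7D68, 4-byte current-user index from 005F7D6C, then a 0x19640-byte table from 005DE618 with a 0x68-byte stride per entry and a NUL-terminated username at the start of each entry) come from the listing; the remaining bytes of each entry are not described on the page and are treated as opaque, the single-byte text encoding is an assumption, and the sample file is constructed here.

```python
import struct

# Layout taken from the WriteFile sequence in the listing above:
#   bytes 0..3   entry count          (global 005F7D68)
#   bytes 4..7   current-user index   (global 005F7D6C)
#   bytes 8..    user table, 0x19640 bytes (global 005DE618)
# Each table entry is 0x68 bytes (imul edx, edx, 68) and starts with the
# NUL-terminated username; the rest of the entry is not described on the
# page, so it is carried through untouched here.
ENTRY_SIZE = 0x68
TABLE_SIZE = 0x19640
MAX_ENTRIES = TABLE_SIZE // ENTRY_SIZE   # 104000 / 104 = 1000 entries
FILE_SIZE = 8 + TABLE_SIZE
ENCODING = "latin-1"   # assumption: the tool uses the ANSI (-A) APIs, one byte per character


def parse_account_dat(data: bytes):
    """Return (count, current_index, usernames), or raise ValueError for a malformed file.

    Nothing in the listing protects the file's integrity, so the count and the
    index are range-checked here before either is used to address the table.
    """
    if len(data) != FILE_SIZE:
        raise ValueError(f"unexpected size {len(data)}, expected {FILE_SIZE}")
    count, current = struct.unpack_from("<II", data, 0)
    if count > MAX_ENTRIES:
        raise ValueError(f"count {count} exceeds table capacity {MAX_ENTRIES}")
    if count and current >= count:
        raise ValueError(f"current index {current} out of range for {count} entries")
    names = []
    for i in range(count):
        off = 8 + i * ENTRY_SIZE
        entry = data[off:off + ENTRY_SIZE]
        names.append(entry.split(b"\0", 1)[0].decode(ENCODING))
    return count, current, names


def build_account_dat(names, current: int) -> bytes:
    """Inverse of parse_account_dat; the bytes after each name are zero-filled (assumption)."""
    if len(names) > MAX_ENTRIES:
        raise ValueError("too many entries for the table")
    table = bytearray(TABLE_SIZE)
    for i, name in enumerate(names):
        raw = name.encode(ENCODING) + b"\0"
        if len(raw) > ENTRY_SIZE:
            raise ValueError(f"name too long for a {ENTRY_SIZE:#x}-byte entry")
        table[i * ENTRY_SIZE:i * ENTRY_SIZE + len(raw)] = raw
    return struct.pack("<II", len(names), current) + bytes(table)


def record_login(names, name: str):
    """Model of the lookup at 004196DC-004197BB and the two branches that follow it.

    The listing scans entries 0..count-1 comparing the username. If a match is
    found at index i, the current index becomes i (branch at 004198B0).
    Otherwise the name is appended, the current index becomes the old count and
    the count is incremented (branch at 004197C1). Returns (names, current, is_new).
    """
    for i, existing in enumerate(names):
        if existing == name:
            return list(names), i, False
    if len(names) >= MAX_ENTRIES:
        raise ValueError("user table is full")
    return list(names) + [name], len(names), True


# Constructed sample: two users seen so far, "alice" was the one used last.
SAMPLE_FILE = build_account_dat(["test", "alice"], current=1)

if __name__ == "__main__":
    count, current, names = parse_account_dat(SAMPLE_FILE)
    print(f"{count} entries, current={current}: {names}")
    updated, idx, is_new = record_login(names, "bob")
    print("after login as bob:", updated, idx, "new" if is_new else "existing")
```

The parser refuses files whose size, count or index disagree with the layout, since the listing writes the raw globals without any checksum; a forensic reading of a real Account.dat should treat the bytes beyond each name as unknown rather than assume they are zero.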
--------------------------------------------------------------------------------
【Lessons learned】
Network verification itself is actually not scary; what is scary is the "clothing" (the packer) it wears. Still, as everyone's skills keep improving and the tools keep getting more powerful, it can now be debugged without unpacking at all. The most important thing is to be careful!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the 看雪技术论坛 (PeDiy forum); if reposting, please credit the author and keep the article intact. Thank you!
28 March 2007, 04:03:21 PM