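An Incomplete Crack of a Network Authentication Scheme
Recently my workplace began a joint teaching programme with Hunan XXXX and joined their remote online school, so we can make full use of XXXX's teaching resources. What we use most is downloading their recorded lessons and watching them. The recorded lessons are packaged as files in acc format and have to be played with a dedicated player. During playback, the left side of the window shows the video and the right side shows the courseware. The biggest nuisance is that every playback requires online authentication, so the lessons cannot be watched anywhere without Internet access, and typing in a long username and password every time is tedious as well.
So I thought of cracking their player to get rid of the trouble of entering the username and password for online authentication.
First I ran the player. With the network cable unplugged, I started the player and opened a courseware file. A dialog box popped up asking for a username and password; I just clicked "OK" and a message box appeared saying "连接验证服务器失败!" (roughly, "Connection to the verification server failed!"). I closed the player.
I opened the player in OllyDBG and right-clicked in the code pane: "Search for" > "All referenced text strings". To my surprise, the string "连接验证服务器失败!" was not found. I am a complete novice who has never studied program cracking, so without even being able to find the referenced string I had nowhere to start.
Since I could not crack it, I tried to see whether remote authentication could be turned into local authentication. I brought in Iris to intercept the traffic between the player and the authentication server and found that, when running, the player sends the server's authentication program the username, the password and a feature code that is unique to each courseware file. The authentication program then returns a key string. Because I know a little about network intrusion, I then wondered whether I could download their authentication program.
Using the authentication server address that Iris had detected, I went in and looked around, and as luck would have it, their website turned out to have an SQL injection vulnerability. I did nothing to hide myself during the intrusion, so if they see the intruder's IP address they will certainly know it was me. I am the only one at my workplace with this kind of ability, and my managers and colleagues all know that. Of course, the main reason is that my only aim was to look at the source code of the authentication program, so I left without touching anything on their site.
The source code of the authentication program shows that, on receiving the player's request, it first checks the username and password against the database, then fetches the key from the database and returns it to the player.
Given how the authentication works, making the corresponding changes and settings locally is enough to turn remote authentication into local authentication.
But this way, courseware newly added to their database cannot be authenticated, so I went back to patching the player. After some study of the player, I discovered that its Chinese strings are stored in an ini file, mainly to make switching between languages easier. In the ini file, the English text corresponding to "连接验证服务器失败!" is "Failed to get verify web!". I brought in OllyDBG again and found three places containing the string "Failed to get verify web!".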
00446210 $ 55 PUSH EBP
00446211 . 8BEC MOV EBP,ESP
00446213 . 6A FF PUSH -1
00446215 . 68 045F4700 PUSH 复件_ACP.00475F04 ; SE handler installation
0044621A . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00446220 . 50 PUSH EAX
00446221 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00446228 . 51 PUSH ECX
00446229 . 81EC 58010000 SUB ESP,158
0044622F . 53 PUSH EBX
00446230 . 56 PUSH ESI
00446231 . 57 PUSH EDI
00446232 . 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
00446235 . 894D EC MOV DWORD PTR SS:[EBP-14],ECX
00446238 . C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
0044623F . C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0
00446246 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00446249 . E8 F4A90200 CALL <JMP.&MFC42.#540>
0044624E . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00446255 . 68 94DA4700 PUSH 复件_ACP.0047DA94 ; ASCII "enc_mode=1"
0044625A . B9 44E74800 MOV ECX,复件_ACP.0048E744
0044625F . E8 7CAB0200 CALL <JMP.&MFC42.#2764>
00446264 . 83F8 FF CMP EAX,-1
00446267 . 74 71 JE SHORT 复件_ACP.004462DA
00446269 . C745 E0 01000>MOV DWORD PTR SS:[EBP-20],1
00446270 . FF15 E88B4700 CALL DWORD PTR DS:[<&WINMM.timeGetTime>] ; WINMM.timeGetTime
00446276 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00446279 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0044627C . E8 C1A90200 CALL <JMP.&MFC42.#540>
00446281 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00446285 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00446288 . 50 PUSH EAX
00446289 . 68 40B04700 PUSH 复件_ACP.0047B040 ; ASCII "%d"
0044628E . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00446291 . 51 PUSH ECX
00446292 . E8 F9A90200 CALL <JMP.&MFC42.#2818>
00446297 . 83C4 0C ADD ESP,0C
0044629A . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
0044629D . 52 PUSH EDX
0044629E . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004462A1 . 8B48 6C MOV ECX,DWORD PTR DS:[EAX+6C]
004462A4 . 51 PUSH ECX
004462A5 . 8B15 3CE74800 MOV EDX,DWORD PTR DS:[48E73C]
004462AB . 52 PUSH EDX
004462AC . A1 40E74800 MOV EAX,DWORD PTR DS:[48E740]
004462B1 . 50 PUSH EAX
004462B2 . B9 44E74800 MOV ECX,复件_ACP.0048E744
004462B7 . E8 24D2FBFF CALL 复件_ACP.004034E0
004462BC . 50 PUSH EAX
004462BD . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004462C0 . 51 PUSH ECX
004462C1 . E8 CAA90200 CALL <JMP.&MFC42.#2818>
004462C6 . 83C4 18 ADD ESP,18
004462C9 . C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
004462CD . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
004462D0 . E8 61A90200 CALL <JMP.&MFC42.#800>
004462D5 . E9 AE000000 JMP 复件_ACP.00446388
004462DA > 68 88DA4700 PUSH 复件_ACP.0047DA88 ; ASCII "enc_mode=2"
004462DF . B9 44E74800 MOV ECX,复件_ACP.0048E744
004462E4 . E8 F7AA0200 CALL <JMP.&MFC42.#2764>
004462E9 . 83F8 FF CMP EAX,-1
004462EC . 74 6F JE SHORT 复件_ACP.0044635D
004462EE . C745 E0 02000>MOV DWORD PTR SS:[EBP-20],2
004462F5 . FF15 E88B4700 CALL DWORD PTR DS:[<&WINMM.timeGetTime>] ; WINMM.timeGetTime
004462FB . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004462FE . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00446301 . E8 3CA90200 CALL <JMP.&MFC42.#540>
00446306 . C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
0044630A . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
0044630D . 52 PUSH EDX
0044630E . 68 40B04700 PUSH 复件_ACP.0047B040 ; ASCII "%d"
00446313 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00446316 . 50 PUSH EAX
00446317 . E8 74A90200 CALL <JMP.&MFC42.#2818>
0044631C . 83C4 0C ADD ESP,0C
0044631F . 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
00446322 . 51 PUSH ECX
00446323 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00446326 . 8B42 6C MOV EAX,DWORD PTR DS:[EDX+6C]
00446329 . 50 PUSH EAX
0044632A . 8B0D 3CE74800 MOV ECX,DWORD PTR DS:[48E73C]
00446330 . 51 PUSH ECX
00446331 . 8B15 40E74800 MOV EDX,DWORD PTR DS:[48E740]
00446337 . 52 PUSH EDX
00446338 . B9 44E74800 MOV ECX,复件_ACP.0048E744
0044633D . E8 9ED1FBFF CALL 复件_ACP.004034E0
00446342 . 50 PUSH EAX
00446343 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00446346 . 50 PUSH EAX
00446347 . E8 44A90200 CALL <JMP.&MFC42.#2818>
0044634C . 83C4 18 ADD ESP,18
0044634F . C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00446353 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00446356 . E8 DBA80200 CALL <JMP.&MFC42.#800>
0044635B . EB 2B JMP SHORT 复件_ACP.00446388
0044635D > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00446360 . 8B51 6C MOV EDX,DWORD PTR DS:[ECX+6C]
00446363 . 52 PUSH EDX
00446364 . A1 3CE74800 MOV EAX,DWORD PTR DS:[48E73C]
00446369 . 50 PUSH EAX
0044636A . 8B0D 40E74800 MOV ECX,DWORD PTR DS:[48E740]
00446370 . 51 PUSH ECX
00446371 . B9 44E74800 MOV ECX,复件_ACP.0048E744
00446376 . E8 65D1FBFF CALL 复件_ACP.004034E0
0044637B . 50 PUSH EAX
0044637C . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0044637F . 52 PUSH EDX
00446380 . E8 0BA90200 CALL <JMP.&MFC42.#2818>
00446385 . 83C4 14 ADD ESP,14
00446388 > 6A 14 PUSH 14 ; /Arg1 = 00000014
0044638A . E8 219DFDFF CALL 复件_ACP.004200B0 ; \复件_ACP.004200B0
0044638F . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
00446392 . C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
00446396 . 837D B0 00 CMP DWORD PTR SS:[EBP-50],0
0044639A . 74 1C JE SHORT 复件_ACP.004463B8
0044639C . 6A 00 PUSH 0
0044639E . 6A 00 PUSH 0
004463A0 . 6A 00 PUSH 0
004463A2 . 6A 00 PUSH 0
004463A4 . 6A 01 PUSH 1
004463A6 . 6A 00 PUSH 0
004463A8 . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
004463AB . E8 ECAE0200 CALL <JMP.&MFC42.#389>
004463B0 . 8985 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],EAX
004463B6 . EB 0A JMP SHORT 复件_ACP.004463C2
004463B8 > C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4],0
004463C2 > 8B85 5CFFFFFF MOV EAX,DWORD PTR SS:[EBP-A4]
004463C8 . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
004463CB . C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
004463CF . 8B4D B4 MOV ECX,DWORD PTR SS:[EBP-4C]
004463D2 . 894D D0 MOV DWORD PTR SS:[EBP-30],ECX
004463D5 . C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
004463D9 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004463DC . E8 FFD0FBFF CALL 复件_ACP.004034E0
004463E1 . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
004463E7 . 6A 00 PUSH 0
004463E9 . 6A 00 PUSH 0
004463EB . 6A 02 PUSH 2
004463ED . 6A 01 PUSH 1
004463EF . 8B95 58FFFFFF MOV EDX,DWORD PTR SS:[EBP-A8]
004463F5 . 52 PUSH EDX
004463F6 . 8B4D D0 MOV ECX,DWORD PTR SS:[EBP-30]
004463F9 . E8 98AE0200 CALL <JMP.&MFC42.#5207>
004463FE . 8985 54FFFFFF MOV DWORD PTR SS:[EBP-AC],EAX
00446404 . 8B85 54FFFFFF MOV EAX,DWORD PTR SS:[EBP-AC]
0044640A . 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
0044640D . 837D CC 00 CMP DWORD PTR SS:[EBP-34],0
00446411 . 0F85 83000000 JNZ 复件_ACP.0044649A
00446417 . 68 6CDA4700 PUSH 复件_ACP.0047DA6C ; /Arg1 = 0047DA6C ASCII "
Failed to get verify web!"
0044641C . E8 5FC9FFFF CALL 复件_ACP.00442D80 ; \复件_ACP.00442D80
00446421 . 83C4 04 ADD ESP,4
00446424 . 8985 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EAX
0044642A . 8B8D 50FFFFFF MOV ECX,DWORD PTR SS:[EBP-B0]
00446430 . 51 PUSH ECX
00446431 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00446434 . 81C1 E8010000 ADD ECX,1E8
0044643A . E8 B1A80200 CALL <JMP.&MFC42.#860>
0044643F . 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00446442 . 8955 A8 MOV DWORD PTR SS:[EBP-58],EDX
00446445 . 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
00446448 . 8945 AC MOV DWORD PTR SS:[EBP-54],EAX
0044644B . 837D AC 00 CMP DWORD PTR SS:[EBP-54],0
0044644F . 74 21 JE SHORT 复件_ACP.00446472
00446451 . 6A 01 PUSH 1
00446453 . 8B4D AC MOV ECX,DWORD PTR SS:[EBP-54]
00446456 . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00446459 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
0044645B . FF50 04 CALL DWORD PTR DS:[EAX+4]
0044645E . 8985 4CFFFFFF MOV DWORD PTR SS:[EBP-B4],EAX
00446464 . 8B8D 4CFFFFFF MOV ECX,DWORD PTR SS:[EBP-B4]
0044646A . 898D 48FFFFFF MOV DWORD PTR SS:[EBP-B8],ECX
00446470 . EB 0A JMP SHORT 复件_ACP.0044647C
00446472 > C785 48FFFFFF>MOV DWORD PTR SS:[EBP-B8],0
0044647C > C745 A4 00000>MOV DWORD PTR SS:[EBP-5C],0
00446483 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0044648A . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0044648D . E8 A4A70200 CALL <JMP.&MFC42.#800>
00446492 . 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C]
00446495 . E9 E7040000 JMP 复件_ACP.00446981
0044649A > 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
0044649D . E8 A0A70200 CALL <JMP.&MFC42.#540>
004464A2 . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX
004464A8 . C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
004464AC . 6A 00 PUSH 0
004464AE . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004464B1 . 52 PUSH EDX
004464B2 . 6A 13 PUSH 13
004464B4 . 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
004464B7 . E8 D4AD0200 CALL <JMP.&MFC42.#5353>
004464BC . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
004464BF . E8 1CD0FBFF CALL 复件_ACP.004034E0
004464C4 . 8985 40FFFFFF MOV DWORD PTR SS:[EBP-C0],EAX
004464CA . 8B85 40FFFFFF MOV EAX,DWORD PTR SS:[EBP-C0]
004464D0 . 50 PUSH EAX ; /s
004464D1 . FF15 34894700 CALL DWORD PTR DS:[<&MSVCRT.atol>] ; \atol
004464D7 . 83C4 04 ADD ESP,4
004464DA . 3D 94010000 CMP EAX,194
004464DF . 0F85 CC000000 JNZ 复件_ACP.004465B1
004464E5 . 68 6CDA4700 PUSH 复件_ACP.0047DA6C ; /Arg1 = 0047DA6C ASCII "
Failed to get verify web!"
004464EA . E8 91C8FFFF CALL 复件_ACP.00442D80 ; \复件_ACP.00442D80
004464EF . 83C4 04 ADD ESP,4
004464F2 . 8985 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EAX
004464F8 . 8B8D 3CFFFFFF MOV ECX,DWORD PTR SS:[EBP-C4]
004464FE . 51 PUSH ECX
004464FF . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00446502 . 81C1 E8010000 ADD ECX,1E8
00446508 . E8 E3A70200 CALL <JMP.&MFC42.#860>
0044650D . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00446510 . 8955 9C MOV DWORD PTR SS:[EBP-64],EDX
00446513 . 8B45 9C MOV EAX,DWORD PTR SS:[EBP-64]
00446516 . 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00446519 . 837D A0 00 CMP DWORD PTR SS:[EBP-60],0
0044651D . 74 21 JE SHORT 复件_ACP.00446540
0044651F . 6A 01 PUSH 1
00446521 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
00446524 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
00446527 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
00446529 . FF50 04 CALL DWORD PTR DS:[EAX+4]
0044652C . 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EAX
00446532 . 8B8D 38FFFFFF MOV ECX,DWORD PTR SS:[EBP-C8]
00446538 . 898D 34FFFFFF MOV DWORD PTR SS:[EBP-CC],ECX
0044653E . EB 0A JMP SHORT 复件_ACP.0044654A
00446540 > C785 34FFFFFF>MOV DWORD PTR SS:[EBP-CC],0
0044654A > 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
0044654D . 8955 94 MOV DWORD PTR SS:[EBP-6C],EDX
00446550 . 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C]
00446553 . 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
00446556 . 837D 98 00 CMP DWORD PTR SS:[EBP-68],0
0044655A . 74 21 JE SHORT 复件_ACP.0044657D
0044655C . 6A 01 PUSH 1
0044655E . 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00446561 . 8B55 98 MOV EDX,DWORD PTR SS:[EBP-68]
00446564 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
00446566 . FF50 04 CALL DWORD PTR DS:[EAX+4]
00446569 . 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EAX
0044656F . 8B8D 30FFFFFF MOV ECX,DWORD PTR SS:[EBP-D0]
00446575 . 898D 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],ECX
0044657B . EB 0A JMP SHORT 复件_ACP.00446587
0044657D > C785 2CFFFFFF>MOV DWORD PTR SS:[EBP-D4],0
00446587 > C745 90 00000>MOV DWORD PTR SS:[EBP-70],0
0044658E . C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
00446592 . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00446595 . E8 9CA60200 CALL <JMP.&MFC42.#800>
0044659A . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
004465A1 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004465A4 . E8 8DA60200 CALL <JMP.&MFC42.#800>
004465A9 . 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
004465AC . E9 D0030000 JMP 复件_ACP.00446981
004465B1 > 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004465B4 . E8 89A60200 CALL <JMP.&MFC42.#540>
004465B9 . 8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8],EAX
004465BF . C645 FC 06 MOV BYTE PTR SS:[EBP-4],6
004465C3 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
004465C6 . E8 77A60200 CALL <JMP.&MFC42.#540>
004465CB . 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX
004465D1 . C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
004465D5 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
004465D8 . 52 PUSH EDX
004465D9 . 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
004465DC . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
004465DF . 8B10 MOV EDX,DWORD PTR DS:[EAX]
004465E1 . FF52 60 CALL DWORD PTR DS:[EDX+60]
004465E4 . 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
004465E7 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
004465EA . 8B10 MOV EDX,DWORD PTR DS:[EAX]
004465EC . FF52 54 CALL DWORD PTR DS:[EDX+54]
004465EF . 68 68DA4700 PUSH 复件_ACP.0047DA68 ; ASCII "ID:"
004465F4 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004465F7 . E8 E4A70200 CALL <JMP.&MFC42.#2764>
004465FC . 8985 20FFFFFF MOV DWORD PTR SS:[EBP-E0],EAX
00446602 . 8B85 20FFFFFF MOV EAX,DWORD PTR SS:[EBP-E0]
00446608 . 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
0044660B . 837D BC FF CMP DWORD PTR SS:[EBP-44],-1
0044660F . 0F84 10010000 JE 复件_ACP.00446725
00446615 . 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44]
00446618 . 83C1 03 ADD ECX,3
0044661B . 51 PUSH ECX
0044661C . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
0044661F . 52 PUSH EDX
00446620 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00446623 . E8 ACA70200 CALL <JMP.&MFC42.#4277>
00446628 . 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4],EAX
0044662E . 8B85 1CFFFFFF MOV EAX,DWORD PTR SS:[EBP-E4]
00446634 . 8985 18FFFFFF MOV DWORD PTR SS:[EBP-E8],EAX
0044663A . C645 FC 08 MOV BYTE PTR SS:[EBP-4],8
0044663E . 8B8D 18FFFFFF MOV ECX,DWORD PTR SS:[EBP-E8]
00446644 . 51 PUSH ECX
00446645 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00446648 . E8 81A70200 CALL <JMP.&MFC42.#858>
0044664D . C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
00446651 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00446654 . E8 DDA50200 CALL <JMP.&MFC42.#800>
00446659 . 6A 3B PUSH 3B
0044665B . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0044665E . E8 65A70200 CALL <JMP.&MFC42.#2763>
00446663 . 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC],EAX
00446669 . 8B95 14FFFFFF MOV EDX,DWORD PTR SS:[EBP-EC]
0044666F . 8955 BC MOV DWORD PTR SS:[EBP-44],EDX
00446672 . 837D BC FF CMP DWORD PTR SS:[EBP-44],-1
00446676 . 74 41 JE SHORT 复件_ACP.004466B9
00446678 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0044667B . 50 PUSH EAX
0044667C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0044667F . 51 PUSH ECX
00446680 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00446683 . E8 3AA70200 CALL <JMP.&MFC42.#4129>
00446688 . 8985 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EAX
0044668E . 8B95 10FFFFFF MOV EDX,DWORD PTR SS:[EBP-F0]
00446694 . 8995 0CFFFFFF MOV DWORD PTR SS:[EBP-F4],EDX
0044669A . C645 FC 09 MOV BYTE PTR SS:[EBP-4],9
0044669E . 8B85 0CFFFFFF MOV EAX,DWORD PTR SS:[EBP-F4]
004466A4 . 50 PUSH EAX
004466A5 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
004466A8 . E8 21A70200 CALL <JMP.&MFC42.#858>
004466AD . C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
004466B1 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
004466B4 . E8 7DA50200 CALL <JMP.&MFC42.#800>
004466B9 > 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
004466BC . 51 PUSH ECX ; /s
004466BD . FF15 94894700 CALL DWORD PTR DS:[<&MSVCRT.atoi>] ; \atoi
004466C3 . 83C4 04 ADD ESP,4
004466C6 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004466C9 . 837D E0 01 CMP DWORD PTR SS:[EBP-20],1
004466CD . 75 09 JNZ SHORT 复件_ACP.004466D8
004466CF . C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
004466D6 . EB 4D JMP SHORT 复件_ACP.00446725
004466D8 > 837D E0 02 CMP DWORD PTR SS:[EBP-20],2
004466DC . 75 47 JNZ SHORT 复件_ACP.00446725
004466DE . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
004466E1 . E8 DA29FCFF CALL 复件_ACP.004090C0
004466E6 . 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
004466EC . 81BD 08FFFFFF>CMP DWORD PTR SS:[EBP-F8],80
004466F6 . 7D 09 JGE SHORT 复件_ACP.00446701
004466F8 . C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
004466FF . EB 24 JMP SHORT 复件_ACP.00446725
00446701 > 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
00446704 . 52 PUSH EDX ; /Arg1
00446705 . E8 36FAFFFF CALL 复件_ACP.00446140 ; \复件_ACP.00446140
0044670A . 83C4 04 ADD ESP,4
0044670D . 8985 04FFFFFF MOV DWORD PTR SS:[EBP-FC],EAX
00446713 . 8B85 04FFFFFF MOV EAX,DWORD PTR SS:[EBP-FC]
00446719 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0044671C . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
0044671F . 334D E4 XOR ECX,DWORD PTR SS:[EBP-1C]
00446722 . 894D E8 MOV DWORD PTR SS:[EBP-18],ECX
00446725 > 68 60DA4700 PUSH 复件_ACP.0047DA60 ; ASCII "INFO:"
0044672A . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0044672D . E8 AEA60200 CALL <JMP.&MFC42.#2764>
00446732 . 8985 00FFFFFF MOV DWORD PTR SS:[EBP-100],EAX
00446738 . 8B95 00FFFFFF MOV EDX,DWORD PTR SS:[EBP-100]
0044673E . 8955 BC MOV DWORD PTR SS:[EBP-44],EDX
00446741 . 837D BC FF CMP DWORD PTR SS:[EBP-44],-1
00446745 . 0F84 BC000000 JE 复件_ACP.00446807
0044674B . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0044674E . 83C0 05 ADD EAX,5
00446751 . 50 PUSH EAX
00446752 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
00446755 . 51 PUSH ECX
00446756 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00446759 . E8 76A60200 CALL <JMP.&MFC42.#4277>
0044675E . 8985 FCFEFFFF MOV DWORD PTR SS:[EBP-104],EAX
00446764 . 8B95 FCFEFFFF MOV EDX,DWORD PTR SS:[EBP-104]
0044676A . 8995 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EDX
00446770 . C645 FC 0A MOV BYTE PTR SS:[EBP-4],0A
00446774 . 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108]
0044677A . 50 PUSH EAX
0044677B . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0044677E . 81C1 E8010000 ADD ECX,1E8
00446784 . E8 45A60200 CALL <JMP.&MFC42.#858>
00446789 . C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
0044678D . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
00446790 . E8 A1A40200 CALL <JMP.&MFC42.#800>
00446795 . 6A 3B PUSH 3B
00446797 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0044679A . 81C1 E8010000 ADD ECX,1E8
004467A0 . E8 23A60200 CALL <JMP.&MFC42.#2763>
004467A5 . 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
004467AB . 8B8D F4FEFFFF MOV ECX,DWORD PTR SS:[EBP-10C]
004467B1 . 894D BC MOV DWORD PTR SS:[EBP-44],ECX
004467B4 . 837D BC FF CMP DWORD PTR SS:[EBP-44],-1
004467B8 . 74 4D JE SHORT 复件_ACP.00446807
004467BA . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44]
004467BD . 52 PUSH EDX
004467BE . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
004467C1 . 50 PUSH EAX
004467C2 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
004467C5 . 81C1 E8010000 ADD ECX,1E8
004467CB . E8 F2A50200 CALL <JMP.&MFC42.#4129>
004467D0 . 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
004467D6 . 8B8D F0FEFFFF MOV ECX,DWORD PTR SS:[EBP-110]
004467DC . 898D ECFEFFFF MOV DWORD PTR SS:[EBP-114],ECX
004467E2 . C645 FC 0B MOV BYTE PTR SS:[EBP-4],0B
004467E6 . 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114]
004467EC . 52 PUSH EDX
004467ED . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
004467F0 . 81C1 E8010000 ADD ECX,1E8
004467F6 . E8 D3A50200 CALL <JMP.&MFC42.#858>
004467FB . C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
004467FF . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
00446802 . E8 2FA40200 CALL <JMP.&MFC42.#800>
00446807 > 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0044680A . 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
00446810 . 8B8D 78FFFFFF MOV ECX,DWORD PTR SS:[EBP-88]
00446816 . 898D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],ECX
0044681C . 83BD 7CFFFFFF>CMP DWORD PTR SS:[EBP-84],0
00446823 . 74 27 JE SHORT 复件_ACP.0044684C
00446825 . 6A 01 PUSH 1
00446827 . 8B8D 7CFFFFFF MOV ECX,DWORD PTR SS:[EBP-84]
0044682D . 8B95 7CFFFFFF MOV EDX,DWORD PTR SS:[EBP-84]
00446833 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
00446835 . FF50 04 CALL DWORD PTR DS:[EAX+4]
00446838 . 8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0044683E . 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]
00446844 . 898D E4FEFFFF MOV DWORD PTR SS:[EBP-11C],ECX
0044684A . EB 0A JMP SHORT 复件_ACP.00446856
0044684C > C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],0
00446856 > 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00446859 . 8995 70FFFFFF MOV DWORD PTR SS:[EBP-90],EDX
0044685F . 8B85 70FFFFFF MOV EAX,DWORD PTR SS:[EBP-90]
00446865 . 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
0044686B . 83BD 74FFFFFF>CMP DWORD PTR SS:[EBP-8C],0
00446872 . 74 27 JE SHORT 复件_ACP.0044689B
00446874 . 6A 01 PUSH 1
00446876 . 8B8D 74FFFFFF MOV ECX,DWORD PTR SS:[EBP-8C]
0044687C . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
00446882 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
00446884 . FF50 04 CALL DWORD PTR DS:[EAX+4]
00446887 . 8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX
0044688D . 8B8D E0FEFFFF MOV ECX,DWORD PTR SS:[EBP-120]
00446893 . 898D DCFEFFFF MOV DWORD PTR SS:[EBP-124],ECX
00446899 . EB 0A JMP SHORT 复件_ACP.004468A5
0044689B > C785 DCFEFFFF>MOV DWORD PTR SS:[EBP-124],0
004468A5 > C645 FC 06 MOV BYTE PTR SS:[EBP-4],6
004468A9 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
004468AC . E8 85A30200 CALL <JMP.&MFC42.#800>
004468B1 . C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
004468B5 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004468B8 . E8 79A30200 CALL <JMP.&MFC42.#800>
004468BD . C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
004468C1 . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
004468C4 . E8 6DA30200 CALL <JMP.&MFC42.#800>
004468C9 . E9 8E000000 JMP 复件_ACP.0044695C
004468CE . 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
004468D1 . 8995 68FFFFFF MOV DWORD PTR SS:[EBP-98],EDX
004468D7 . 8B85 68FFFFFF MOV EAX,DWORD PTR SS:[EBP-98]
004468DD . 8985 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EAX
004468E3 . 83BD 6CFFFFFF>CMP DWORD PTR SS:[EBP-94],0
004468EA . 74 1B JE SHORT 复件_ACP.00446907
004468EC . 6A 01 PUSH 1
004468EE . 8B8D 6CFFFFFF MOV ECX,DWORD PTR SS:[EBP-94]
004468F4 . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
004468FA . 8B02 MOV EAX,DWORD PTR DS:[EDX]
004468FC . FF50 04 CALL DWORD PTR DS:[EAX+4]
004468FF . 8985 D8FEFFFF MOV DWORD PTR SS:[EBP-128],EAX
00446905 . EB 0A JMP SHORT 复件_ACP.00446911
00446907 > C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],0
00446911 > 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48]
00446914 . E8 9FA80200 CALL <JMP.&MFC42.#2393>
00446919 . 68 6CDA4700 PUSH 复件_ACP.0047DA6C ; /Arg1 = 0047DA6C ASCII "
Failed to get verify web!"
0044691E . E8 5DC4FFFF CALL 复件_ACP.00442D80 ; \复件_ACP.00442D80
00446923 . 83C4 04 ADD ESP,4
00446926 . 50 PUSH EAX
00446927 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0044692A . 81C1 E8010000 ADD ECX,1E8
00446930 . E8 BBA30200 CALL <JMP.&MFC42.#860>
00446935 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],0
0044693F . B8 45694400 MOV EAX,复件_ACP.00446945
00446944 . C3 RETN
00446945 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0044694C . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0044694F . E8 E2A20200 CALL <JMP.&MFC42.#800>
00446954 . 8B85 64FFFFFF MOV EAX,DWORD PTR SS:[EBP-9C]
0044695A . EB 25 JMP SHORT 复件_ACP.00446981
0044695C > C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00446963 . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
00446966 . 898D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ECX
0044696C . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00446973 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00446976 . E8 BBA20200 CALL <JMP.&MFC42.#800>
0044697B . 8B85 60FFFFFF MOV EAX,DWORD PTR SS:[EBP-A0]
00446981 > 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00446984 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0044698B . 5F POP EDI
0044698C . 5E POP ESI
0044698D . 5B POP EBX
0044698E . 8BE5 MOV ESP,EBP
00446990 . 5D POP EBP
00446991 . C3 RETN
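Since this is my first time cracking a program, and in particular I know nothing about assembly language, I searched for a long time and found three jumps that I thought should be the key jumps, so I changed all three conditional jumps into unconditional jumps.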
00445518 . 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX
0044551E . 83BD D0FEFFFF>CMP DWORD PTR SS:[EBP-130],-1
00445525 . 75 74 JNZ SHORT 复件_ACP.0044559B ; changed to JMP
00445527 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0044552A . E8 C11D0000 CALL 复件_ACP.004472F0
0044552F . E8 4CC6FBFF CALL 复件_ACP.00401B80
00445534 . 8985 FCFDFFFF MOV DWORD PTR SS:[EBP-204],EAX
0044553A . 8B8D FCFDFFFF MOV ECX,DWORD PTR SS:[EBP-204]
00445540 . 8B95 FCFDFFFF MOV EDX,DWORD PTR SS:[EBP-204]
00445546 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
00445548 . FF90 94000000 CALL DWORD PTR DS:[EAX+94]
0044554E . 6A 00 PUSH 0
00445550 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00445553 . 83C1 0C ADD ECX,0C
00445556 . E8 1DB70200 CALL <JMP.&MFC42.#6215>
0044555B . 68 D0D94700 PUSH 复件_ACP.0047D9D0 ; /Arg1 = 0047D9D0 ASCII "The file data error!"
00445560 . E8 1BD8FFFF CALL 复件_ACP.00442D80 ; \复件_ACP.00442D80
00445565 . 83C4 04 ADD ESP,4
00445568 . 50 PUSH EAX
00445569 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0044556C . 81C1 E8010000 ADD ECX,1E8
00445572 . E8 79B70200 CALL <JMP.&MFC42.#860>
00445577 . C785 24FEFFFF>MOV DWORD PTR SS:[EBP-1DC],0
00445581 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00445588 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0044558B . E8 A6B60200 CALL <JMP.&MFC42.#800>
00445590 . 8B85 24FEFFFF MOV EAX,DWORD PTR SS:[EBP-1DC]
00445596 . E9 D8000000 JMP 复件_ACP.00445673
0044559B > 8B8D D0FEFFFF MOV ECX,DWORD PTR SS:[EBP-130]
004455A1 . 83E9 08 SUB ECX,8
004455A4 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004455A7 . 898A DC010000 MOV DWORD PTR DS:[EDX+1DC],ECX
004455AD . C785 CCFEFFFF>MOV DWORD PTR SS:[EBP-134],534F507E
004455B7 . 6A 04 PUSH 4 ; /Arg4 = 00000004
004455B9 . 8D85 CCFEFFFF LEA EAX,DWORD PTR SS:[EBP-134] ; |
004455BF . 50 PUSH EAX ; |Arg3
004455C0 . 68 00010000 PUSH 100 ; |Arg2 = 00000100
004455C5 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C] ; |
004455CB . 51 PUSH ECX ; |Arg1
004455CC . E8 BF000000 CALL 复件_ACP.00445690 ; \复件_ACP.00445690
004455D1 . 83C4 10 ADD ESP,10
004455D4 . 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX
004455DA . 83BD D0FEFFFF>CMP DWORD PTR SS:[EBP-130],-1
004455E1 . 74 3C JE SHORT 复件_ACP.0044561F
004455E3 . 8B95 D0FEFFFF MOV EDX,DWORD PTR SS:[EBP-130]
004455E9 . 83EA 08 SUB EDX,8
004455EC . 8995 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EDX
004455F2 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004455F5 . 8B8D D0FEFFFF MOV ECX,DWORD PTR SS:[EBP-130]
004455FB . 8988 D8010000 MOV DWORD PTR DS:[EAX+1D8],ECX
00445601 . 6A 00 PUSH 0
00445603 . 6A 00 PUSH 0
00445605 . 6A 00 PUSH 0
00445607 . 6A 00 PUSH 0
00445609 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0044560C . 52 PUSH EDX
0044560D . 68 606E4400 PUSH 复件_ACP.00446E60
00445612 . E8 2FBB0200 CALL <JMP.&MFC42.#1105>
00445617 . 8985 54FEFFFF MOV DWORD PTR SS:[EBP-1AC],EAX
0044561D . EB 08 JMP SHORT 复件_ACP.00445627
0044561F > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00445622 . E8 99150000 CALL 复件_ACP.00446BC0
00445627 > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0044562A . 83C0 70 ADD EAX,70
0044562D . 50 PUSH EAX
0044562E . 8B0D 4CE64800 MOV ECX,DWORD PTR DS:[48E64C]
00445634 . 81C1 9C000000 ADD ECX,9C
0044563A . E8 8FB70200 CALL <JMP.&MFC42.#858>
0044563F . 8B0D 4CE64800 MOV ECX,DWORD PTR DS:[48E64C]
00445645 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00445648 . 8B82 94010000 MOV EAX,DWORD PTR DS:[EDX+194]
0044564E . 8981 A0000000 MOV DWORD PTR DS:[ECX+A0],EAX
00445654 . C785 20FEFFFF>MOV DWORD PTR SS:[EBP-1E0],1
0044565E . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00445665 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00445668 . E8 C9B50200 CALL <JMP.&MFC42.#800>
0044566D . 8B85 20FEFFFF MOV EAX,DWORD PTR SS:[EBP-1E0]
00445673 > 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00445676 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0044567D . 5F POP EDI
0044567E . 5E POP ESI
0044567F . 5B POP EBX
00445680 . 8BE5 MOV ESP,EBP
00445682 . 5D POP EBP
00445683 . C2 0800 RETN 8
00445D87 |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00445D8A |. 8981 F0010000 MOV DWORD PTR DS:[ECX+1F0],EAX
00445D90 |. 8B95 E8FBFFFF MOV EDX,DWORD PTR SS:[EBP-418]
00445D96 |. 81F2 150379AC XOR EDX,AC790315
00445D9C |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00445D9F |. 3990 F0010000 CMP DWORD PTR DS:[EAX+1F0],EDX
00445DA5 |. 74 07 JE SHORT 复件_ACP.00445DAE ; changed to JMP
00445DA7 |. 33C0 XOR EAX,EAX
00445DA9 |. E9 5F030000 JMP 复件_ACP.0044610D
00445DAE |> B8 01000000 MOV EAX,1
00445DB3 |. E9 55030000 JMP 复件_ACP.0044610D
00445DB8 |> 83BD E0FBFFFF>CMP DWORD PTR SS:[EBP-420],2
00445DBF |. 0F85 30010000 JNZ 复件_ACP.00445EF5
00445DC5 |. 8D8D D8FBFFFF LEA ECX,DWORD PTR SS:[EBP-428]
00445DCB |. E8 72AE0200 CALL <JMP.&MFC42.#540>
00445DD0 |. C745 FC 02000>MOV DWORD PTR SS:[EBP-4],2
00445DD7 |. 68 00040000 PUSH 400 ; /n = 400 (1024.)
00445DDC |. 6A 00 PUSH 0 ; |c = 00
00445DDE |. 8D8D ECFBFFFF LEA ECX,DWORD PTR SS:[EBP-414] ; |
00445DE4 |. 51 PUSH ECX ; |s
00445DE5 |. E8 62B60200 CALL <JMP.&MSVCRT.memset> ; \memset
00445DEA |. 83C4 0C ADD ESP,0C
00445DED |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00445DF0 |. 0355 EC ADD EDX,DWORD PTR SS:[EBP-14]
00445DF3 |. 8B02 MOV EAX,DWORD PTR DS:[EDX]
00445DF5 |. 8985 D4FBFFFF MOV DWORD PTR SS:[EBP-42C],EAX
00445DFB |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00445DFE |. 83C1 04 ADD ECX,4
00445E01 |. 894D EC MOV DWORD PTR SS:[EBP-14],ECX
00445E04 |. 8B95 D4FBFFFF MOV EDX,DWORD PTR SS:[EBP-42C]
00445E0A |. 52 PUSH EDX ; /n
00445E0B |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00445E0E |. 0345 EC ADD EAX,DWORD PTR SS:[EBP-14] ; |
00445E11 |. 50 PUSH EAX ; |src
00445E12 |. 8D8D ECFBFFFF LEA ECX,DWORD PTR SS:[EBP-414] ; |
00445E18 |. 51 PUSH ECX ; |dest
00445E19 |. E8 28B60200 CALL <JMP.&MSVCRT.memcpy> ; \memcpy
00445E1E |. 83C4 0C ADD ESP,0C
00445E21 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00445E24 |. 0395 D4FBFFFF ADD EDX,DWORD PTR SS:[EBP-42C]
00445E2A |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
00445E2D |. 8D85 ECFBFFFF LEA EAX,DWORD PTR SS:[EBP-414]
00445E33 |. 50 PUSH EAX
00445E34 |. 8D8D D8FBFFFF LEA ECX,DWORD PTR SS:[EBP-428]
00445E3A |. E8 B1AE0200 CALL <JMP.&MFC42.#860>
00445E3F |. 51 PUSH ECX
00445E40 |. 8BCC MOV ECX,ESP
00445E42 |. 89A5 9CFBFFFF MOV DWORD PTR SS:[EBP-464],ESP
00445E48 |. 8D95 D8FBFFFF LEA EDX,DWORD PTR SS:[EBP-428]
00445E4E |. 52 PUSH EDX
00445E4F |. E8 DEAE0200 CALL <JMP.&MFC42.#535>
00445E54 |. 8985 6CFBFFFF MOV DWORD PTR SS:[EBP-494],EAX ; |
00445E5A |. 8D85 98FBFFFF LEA EAX,DWORD PTR SS:[EBP-468] ; |
00445E60 |. 50 PUSH EAX ; |Arg1
00445E61 |. E8 FAFBFFFF CALL 复件_ACP.00445A60 ; \复件_ACP.00445A60
00445E66 |. 83C4 08 ADD ESP,8
00445E69 |. 8985 68FBFFFF MOV DWORD PTR SS:[EBP-498],EAX
00445E6F |. 8B8D 68FBFFFF MOV ECX,DWORD PTR SS:[EBP-498]
00445E75 |. 898D 64FBFFFF MOV DWORD PTR SS:[EBP-49C],ECX
00445E7B |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
00445E7F |. 8B95 64FBFFFF MOV EDX,DWORD PTR SS:[EBP-49C]
00445E85 |. 52 PUSH EDX
00445E86 |. 8D8D D8FBFFFF LEA ECX,DWORD PTR SS:[EBP-428]
00445E8C |. E8 3DAF0200 CALL <JMP.&MFC42.#858>
00445E91 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00445E95 |. 8D8D 98FBFFFF LEA ECX,DWORD PTR SS:[EBP-468]
00445E9B |. E8 96AD0200 CALL <JMP.&MFC42.#800>
00445EA0 |. 8D8D D8FBFFFF LEA ECX,DWORD PTR SS:[EBP-428]
00445EA6 |. E8 35D6FBFF CALL 复件_ACP.004034E0
00445EAB |. 50 PUSH EAX ; /Arg1
00445EAC |. B9 3CE74800 MOV ECX,复件_ACP.0048E73C ; |
00445EB1 |. E8 5A05FCFF CALL 复件_ACP.00406410 ; \复件_ACP.00406410
00445EB6 |. 85C0 TEST EAX,EAX
00445EB8 |. 75 14 JNZ SHORT 复件_ACP.00445ECE
00445EBA |. 8B85 E8FBFFFF MOV EAX,DWORD PTR SS:[EBP-418]
00445EC0 |. 35 150379AC XOR EAX,AC790315
00445EC5 |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00445EC8 |. 8981 F0010000 MOV DWORD PTR DS:[ECX+1F0],EAX
00445ECE |> C785 94FBFFFF>MOV DWORD PTR SS:[EBP-46C],1
00445ED8 |. C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00445EDF |. 8D8D D8FBFFFF LEA ECX,DWORD PTR SS:[EBP-428]
00445EE5 |. E8 4CAD0200 CALL <JMP.&MFC42.#800>
00445EEA |. 8B85 94FBFFFF MOV EAX,DWORD PTR SS:[EBP-46C]
00445EF0 |. E9 18020000 JMP 复件_ACP.0044610D
00445EF5 |> 83BD E0FBFFFF>CMP DWORD PTR SS:[EBP-420],3
00445EFC |. 0F85 ED010000 JNZ 复件_ACP.004460EF
0040BFF5 |. 8985 D4FDFFFF MOV DWORD PTR SS:[EBP-22C],EAX
0040BFFB |. 8B85 D4FDFFFF MOV EAX,DWORD PTR SS:[EBP-22C]
0040C001 |. 8985 D0FDFFFF MOV DWORD PTR SS:[EBP-230],EAX
0040C007 |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
0040C00B |. 8B8D D0FDFFFF MOV ECX,DWORD PTR SS:[EBP-230]
0040C011 |. 8B11 MOV EDX,DWORD PTR DS:[ECX]
0040C013 |. 52 PUSH EDX
0040C014 |. A1 4CE64800 MOV EAX,DWORD PTR DS:[48E64C]
0040C019 |. 50 PUSH EAX
0040C01A |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0040C01D |. 81C1 E0060000 ADD ECX,6E0
0040C023 |. E8 088E0300 CALL 复件_ACP.00444E30
0040C028 |. 8985 E8FDFFFF MOV DWORD PTR SS:[EBP-218],EAX
0040C02E |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
0040C032 |. 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
0040C038 |. E8 F94B0600 CALL <JMP.&MFC42.#800>
0040C03D |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0040C040 |. 81C1 C8080000 ADD ECX,8C8
0040C046 |. E8 8566FFFF CALL 复件_ACP.004026D0
0040C04B |. 85C0 TEST EAX,EAX
0040C04D |. 75 26 JNZ SHORT 复件_ACP.0040C075 ; changed to JMP
0040C04F |. 6A 40 PUSH 40
0040C051 |. 68 A4924700 PUSH 复件_ACP.004792A4 ; ASCII "Information"
0040C056 |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0040C059 |. 8B91 C8080000 MOV EDX,DWORD PTR DS:[ECX+8C8]
0040C05F |. 52 PUSH EDX
0040C060 |. E8 1B5BFFFF CALL 复件_ACP.00401B80
0040C065 |. 8BC8 MOV ECX,EAX
0040C067 |. E8 A468FFFF CALL 复件_ACP.00402910
0040C06C |. 50 PUSH EAX ; |Arg1
0040C06D |. E8 CE6E0300 CALL 复件_ACP.00442F40 ; \复件_ACP.00442F40
0040C072 |. 83C4 10 ADD ESP,10
0040C075 |> 83BD E8FDFFFF>CMP DWORD PTR SS:[EBP-218],0
0040C07C |. 75 2E JNZ SHORT 复件_ACP.0040C0AC
0040C07E |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0040C081 |. 81C1 E0060000 ADD ECX,6E0
0040C087 |. E8 64B20300 CALL 复件_ACP.004472F0
0040C08C |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
0040C090 |. 8D8D F0FDFFFF LEA ECX,DWORD PTR SS:[EBP-210]
0040C096 |. E8 55000000 CALL 复件_ACP.0040C0F0
0040C09B |. C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0040C0A2 |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040C0A5 |. E8 8C4B0600 CALL <JMP.&MFC42.#800>
0040C0AA |. EB 26 JMP SHORT 复件_ACP.0040C0D2
0040C0AC |> 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0040C0AF |. E8 FC0F0000 CALL 复件_ACP.0040D0B0
0040C0B4 |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
0040C0B8 |. 8D8D F0FDFFFF LEA ECX,DWORD PTR SS:[EBP-210]
0040C0BE |. E8 2D000000 CALL 复件_ACP.0040C0F0
0040C0C3 |. C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0040C0CA |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040C0CD |. E8 644B0600 CALL <JMP.&MFC42.#800>
0040C0D2 |> 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0040C0D5 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040C0DC |. 5F POP EDI
0040C0DD |. 5E POP ESI
0040C0DE |. 5B POP EBX
0040C0DF |. 8BE5 MOV ESP,EBP
0040C0E1 |. 5D POP EBP
0040C0E2 \. C3 RETN
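After the changes, no Internet connection is needed and no username or password has to be entered, but it can only release the PPT courseware from the recorded lesson and cannot play the video.
I can only call it a courseware extractor. I would ask the experts for suggestions or ideas on how to crack it completely.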