[Original] Cracking the LiveONE Network Live-Streaming System
Posted: 2007-11-30 15:22
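[Title]: Cracking the LiveONE Network Live-Streaming System
[Author]: chinglq
[Author e-mail]: chinglq@sina.com
[Author homepage]: http://lqcoolboy.xinwen365.com
[Software name]: LiveONE Network Live-Streaming System
[Software size]: 23.4MB
[Download URL]: http://www.kuihua.net/download/LiveONE39_Demo.exe
[Packer]: N/A
[Protection]: Registration code + time limit
[Language]: Microsoft Visual C++ 6.0
[Tools used]: OD, PEiD
[Platform]: Lenovo OEM WinXP SP2
[Software description]: LiveONE is a high-performance audio/video live-streaming program developed by Beijing **** company. The system can provide audio/video live broadcast, recording, and on-demand playback of recordings over LANs, MANs, WANs and satellite networks.
[Author's statement]: I did this only out of interest, with no other purpose. Please point out any mistakes! If you like this software, please support the genuine version!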
--------------------------------------------------------------------------------
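[Detailed process]
1.0 Observation:
After installation, a registration dialog appears when the program is run. Entering an arbitrary code and clicking OK brings up a message box reading "序列号错误!" ("Serial number error!"); clicking OK again makes the program exit automatically.
2.0 Packer check:
Checked with PEiD: no packer, written in VC++ 6.0.
3.0 Debugging:
Load the program in OD, set a breakpoint on MessageBoxA, and press F9 to run. After running for a while, it stops and hangs. The registration dialog has not appeared at this point, so the program seems to have some anti-debugging feature, and this needs a careful look. I checked the API functions and found no function that detects a debugger. Single-stepping showed that the CALL at 004D8547 is the problem: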
--------------------------------------------------------
004D8531 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
004D8534 |. 50 push eax
004D8535 |. FF15 50644E00 call dword ptr [<&OLEAUT32.#9>] ; OLEAUT32.VariantClear
004D853B |. 817D 18 09000280 cmp dword ptr [ebp+18], 80020009
004D8542 74 08 je short 004D854C ; ---> /EB 08 jmp short 004D854C
004D8544 |. FF75 18 push dword ptr [ebp+18]
004D8547 |. E8 D6F1FFFF call 004D7722 ; dies once entered
004D854C |> 395D AC cmp dword ptr [ebp-54], ebx
004D854F |. 74 07 je short 004D8558
-----------------------------------------------------
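Changing the jump at 004D8542 makes the registration dialog appear. I later found that this was caused by setting breakpoints, not by any debugger-detection API function; perhaps it is the fabled self-check? Is that right? Corrections from any passing experts are welcome!
For the rest of the debugging I disabled the breakpoints before running and re-enabled them once the registration dialog had appeared, which saves the trouble of changing the jump here every time.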
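The guess above is that a self-check, rather than a debugger-detection API, reacted to the breakpoints. As an added example (not part of the original post and not LiveONE's code), this C program hashes the 32 bytes quoted in the first listing and shows that a software breakpoint (a 0xCC byte written into the code) and the 74 to EB jump change both alter the hash, while a scan for 0xCC notices only the breakpoint. The FNV-1a hash and all function names are assumptions; the post does not establish which check, if any, the program performs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address of the first byte of the first listing quoted in the post. */
#define BASE_VA 0x004D8531u

/* The 32 code bytes 004D8531..004D8550, copied from that listing. */
static const uint8_t CODE[32] = {
    0x8D, 0x45, 0xC4,                         /* lea  eax, [ebp-3C]      */
    0x50,                                     /* push eax                */
    0xFF, 0x15, 0x50, 0x64, 0x4E, 0x00,       /* call VariantClear       */
    0x81, 0x7D, 0x18, 0x09, 0x00, 0x02, 0x80, /* cmp  [ebp+18], 80020009 */
    0x74, 0x08,                               /* je   004D854C           */
    0xFF, 0x75, 0x18,                         /* push [ebp+18]           */
    0xE8, 0xD6, 0xF1, 0xFF, 0xFF,             /* call 004D7722           */
    0x39, 0x5D, 0xAC,                         /* cmp  [ebp-54], ebx      */
    0x74, 0x07                                /* je   004D8558           */
};

/* FNV-1a, 32-bit: an assumed stand-in for whatever checksum a
 * self-checking program might compute over its own code. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Copy CODE into out and overwrite the byte at virtual address va,
 * which is what a software breakpoint or a byte patch does in memory.
 * Returns 0 on success, -1 if va lies outside the listing. */
static int write_byte(uint8_t *out, uint32_t va, uint8_t value)
{
    if (va < BASE_VA || va - BASE_VA >= sizeof CODE)
        return -1;
    memcpy(out, CODE, sizeof CODE);
    out[va - BASE_VA] = value;
    return 0;
}

/* 1 if comparing the region hash with the baseline notices the write,
 * 0 if it does not, -1 for an address outside the listing. */
int hash_detects_write(uint32_t va, uint8_t value)
{
    uint8_t image[sizeof CODE];
    if (write_byte(image, va, value) != 0)
        return -1;
    return fnv1a32(image, sizeof image) != fnv1a32(CODE, sizeof CODE);
}

/* 1 if a naive scan for the INT3 opcode (0xCC) notices the write,
 * 0 if it does not, -1 for an address outside the listing. */
int int3_scan_detects_write(uint32_t va, uint8_t value)
{
    uint8_t image[sizeof CODE];
    if (write_byte(image, va, value) != 0)
        return -1;
    for (size_t i = 0; i < sizeof image; i++)
        if (image[i] == 0xCC)
            return 1;
    return 0;
}

int main(void)
{
    /* Software breakpoint placed on the CALL at 004D8547. */
    printf("INT3 at 004D8547:   hash=%d scan=%d\n",
           hash_detects_write(0x004D8547u, 0xCC),
           int3_scan_detects_write(0x004D8547u, 0xCC));
    /* The je -> jmp change at 004D8542 described in the post. */
    printf("74->EB at 004D8542: hash=%d scan=%d\n",
           hash_detects_write(0x004D8542u, 0xEB),
           int3_scan_detects_write(0x004D8542u, 0xEB));
    return 0;
}
```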
After entering an arbitrary code in the registration dialog, the program breaks at 00438BBC in the following code:
-------------------------------------------------------
00438757 /$ 55 push ebp
00438758 |. 8BEC mov ebp, esp
0043875A |. 6A FF push -1
0043875C |. 68 46E24D00 push 004DE246 ; SE handler installation
00438761 |. 64:A1 00000000 mov eax, dword ptr fs:[0]
00438767 |. 50 push eax
00438768 |. 64:8925 00000000 mov dword ptr fs:[0], esp
0043876F |. 81EC 54030000 sub esp, 354
00438775 |. 57 push edi
00438776 |. 898D 48FDFFFF mov dword ptr [ebp-2B8], ecx
0043877C |. 8B8D 48FDFFFF mov ecx, dword ptr [ebp-2B8]
00438782 |. E8 144E0000 call 0043D59B
00438787 |. 8945 F0 mov dword ptr [ebp-10], eax
0043878A |. 837D F0 00 cmp dword ptr [ebp-10], 0
0043878E |. 0F84 04020000 je 00438998
00438794 |> B8 01000000 /mov eax, 1
00438799 |. 85C0 |test eax, eax
0043879B |. 0F84 E2010000 |je 00438983
004387A1 |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8]
004387A7 |. E8 EE420000 |call 0043CA9A
004387AC |. 85C0 |test eax, eax
004387AE |. 0F84 11010000 |je 004388C5
004387B4 |. 833D 60875D00 00 |cmp dword ptr [5D8760], 0
004387BB |. 0F84 F5000000 |je 004388B6
004387C1 |. 833D 60875D00 01 |cmp dword ptr [5D8760], 1
004387C8 |. 0F84 E8000000 |je 004388B6
004387CE |. 833D 60875D00 02 |cmp dword ptr [5D8760], 2
004387D5 |. 0F84 DB000000 |je 004388B6
004387DB |. 833D 60875D00 03 |cmp dword ptr [5D8760], 3
004387E2 |. 0F84 CE000000 |je 004388B6
004387E8 |. 833D 60875D00 06 |cmp dword ptr [5D8760], 6
004387EF |. 0F84 C1000000 |je 004388B6
004387F5 |. 6A 15 |push 15
004387F7 |. 68 4C030000 |push 34C ; /Arg2 = 0000034C
004387FC |. 8D8D C8FDFFFF |lea ecx, dword ptr [ebp-238] ; |
00438802 |. 51 |push ecx ; |Arg1
00438803 |. E8 C5480000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438808 |. 83C4 08 |add esp, 8
0043880B |. 8985 44FDFFFF |mov dword ptr [ebp-2BC], eax
00438811 |. 8B95 44FDFFFF |mov edx, dword ptr [ebp-2BC]
00438817 |. 8995 40FDFFFF |mov dword ptr [ebp-2C0], edx
0043881D |. C745 FC 00000000 |mov dword ptr [ebp-4], 0
00438824 |. 8B8D 40FDFFFF |mov ecx, dword ptr [ebp-2C0]
0043882A |. E8 51B9FCFF |call 00404180
0043882F |. 50 |push eax
00438830 |. 68 41030000 |push 341 ; /Arg2 = 00000341
00438835 |. 8D85 C4FDFFFF |lea eax, dword ptr [ebp-23C] ; |
0043883B |. 50 |push eax ; |Arg1
0043883C |. E8 8C480000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438841 |. 83C4 08 |add esp, 8
00438844 |. 8985 3CFDFFFF |mov dword ptr [ebp-2C4], eax
0043884A |. 8B8D 3CFDFFFF |mov ecx, dword ptr [ebp-2C4]
00438850 |. 898D 38FDFFFF |mov dword ptr [ebp-2C8], ecx
00438856 |. C645 FC 01 |mov byte ptr [ebp-4], 1
0043885A |. 8B8D 38FDFFFF |mov ecx, dword ptr [ebp-2C8]
00438860 |. E8 1BB9FCFF |call 00404180
00438865 |. 50 |push eax ; |Text
00438866 |. 6A 00 |push 0 ; |hOwner = NULL
00438868 |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
0043886E |. 33D2 |xor edx, edx
00438870 |. 83F8 02 |cmp eax, 2
00438873 |. 0F94C2 |sete dl
00438876 |. 8895 CCFDFFFF |mov byte ptr [ebp-234], dl
0043887C |. C645 FC 00 |mov byte ptr [ebp-4], 0
00438880 |. 8D8D C4FDFFFF |lea ecx, dword ptr [ebp-23C]
00438886 |. E8 187F0800 |call 004C07A3
0043888B |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438892 |. 8D8D C8FDFFFF |lea ecx, dword ptr [ebp-238]
00438898 |. E8 067F0800 |call 004C07A3
0043889D |. 8B85 CCFDFFFF |mov eax, dword ptr [ebp-234]
004388A3 |. 25 FF000000 |and eax, 0FF
004388A8 |. 85C0 |test eax, eax
004388AA |. 74 05 |je short 004388B1
004388AC |. E9 D2000000 |jmp 00438983
004388B1 |>^ E9 DEFEFFFF |jmp 00438794
004388B6 |> C705 54875D00 01000000 |mov dword ptr [5D8754], 1
004388C0 |. E9 BE000000 |jmp 00438983
004388C5 |> 6A 15 |push 15
004388C7 |. 68 4C030000 |push 34C ; /Arg2 = 0000034C
004388CC |. 8D8D BCFDFFFF |lea ecx, dword ptr [ebp-244] ; |
004388D2 |. 51 |push ecx ; |Arg1
004388D3 |. E8 F5470000 |call 0043D0CD ; \SFLiveON.0043D0CD
004388D8 |. 83C4 08 |add esp, 8
004388DB |. 8985 34FDFFFF |mov dword ptr [ebp-2CC], eax
004388E1 |. 8B95 34FDFFFF |mov edx, dword ptr [ebp-2CC]
004388E7 |. 8995 30FDFFFF |mov dword ptr [ebp-2D0], edx
004388ED |. C745 FC 02000000 |mov dword ptr [ebp-4], 2
004388F4 |. 8B8D 30FDFFFF |mov ecx, dword ptr [ebp-2D0]
004388FA |. E8 81B8FCFF |call 00404180
004388FF |. 50 |push eax
00438900 |. 68 42030000 |push 342 ; /Arg2 = 00000342
00438905 |. 8D85 B8FDFFFF |lea eax, dword ptr [ebp-248] ; |
0043890B |. 50 |push eax ; |Arg1
0043890C |. E8 BC470000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438911 |. 83C4 08 |add esp, 8
00438914 |. 8985 2CFDFFFF |mov dword ptr [ebp-2D4], eax
0043891A |. 8B8D 2CFDFFFF |mov ecx, dword ptr [ebp-2D4]
00438920 |. 898D 28FDFFFF |mov dword ptr [ebp-2D8], ecx
00438926 |. C645 FC 03 |mov byte ptr [ebp-4], 3
0043892A |. 8B8D 28FDFFFF |mov ecx, dword ptr [ebp-2D8]
00438930 |. E8 4BB8FCFF |call 00404180
00438935 |. 50 |push eax ; |Text
00438936 |. 6A 00 |push 0 ; |hOwner = NULL
00438938 |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
0043893E |. 33D2 |xor edx, edx
00438940 |. 83F8 02 |cmp eax, 2
00438943 |. 0F94C2 |sete dl
00438946 |. 8895 C0FDFFFF |mov byte ptr [ebp-240], dl
0043894C |. C645 FC 02 |mov byte ptr [ebp-4], 2
00438950 |. 8D8D B8FDFFFF |lea ecx, dword ptr [ebp-248]
00438956 |. E8 487E0800 |call 004C07A3
0043895B |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438962 |. 8D8D BCFDFFFF |lea ecx, dword ptr [ebp-244]
00438968 |. E8 367E0800 |call 004C07A3
0043896D |. 8B85 C0FDFFFF |mov eax, dword ptr [ebp-240]
00438973 |. 25 FF000000 |and eax, 0FF
00438978 |. 85C0 |test eax, eax
0043897A |. 74 02 |je short 0043897E
0043897C |. EB 05 |jmp short 00438983
0043897E |>^ E9 11FEFFFF \jmp 00438794
00438983 |> 833D 54875D00 00 cmp dword ptr [5D8754], 0
0043898A |. 75 07 jnz short 00438993
0043898C |. 33C0 xor eax, eax
0043898E |. E9 E5090000 jmp 00439378
00438993 |> E9 DB090000 jmp 00439373
00438998 |> 8D8D B4FDFFFF lea ecx, dword ptr [ebp-24C]
0043899E |. 51 push ecx
0043899F |. E8 FF090800 call 004B93A3
004389A4 |. 50 push eax ; /Arg1
004389A5 |. 8D4D EC lea ecx, dword ptr [ebp-14] ; |
004389A8 |. E8 C3CEFFFF call 00435870 ; \SFLiveON.00435870
004389AD |. 6A FF push -1 ; /Arg7 = FFFFFFFF
004389AF |. 6A 00 push 0 ; |Arg6 = 00000000
004389B1 |. 6A 00 push 0 ; |Arg5 = 00000000
004389B3 |. 6A 00 push 0 ; |Arg4 = 00000000
004389B5 |. 6A 1F push 1F ; |Arg3 = 0000001F
004389B7 |. 6A 0C push 0C ; |Arg2 = 0000000C
004389B9 |. 68 D7070000 push 7D7 ; |Arg1 = 000007D7
004389BE |. 8D8D ACFDFFFF lea ecx, dword ptr [ebp-254] ; |
004389C4 |. E8 F6080800 call 004B92BF ; \SFLiveON.004B92BF
004389C9 |. 51 push ecx ; /Arg1
004389CA |. 8BCC mov ecx, esp ; |
004389CC |. 89A5 B0FDFFFF mov dword ptr [ebp-250], esp ; |
004389D2 |. 50 push eax ; |/Arg1
004389D3 |. E8 98CEFFFF call 00435870 ; |\SFLiveON.00435870
004389D8 |. 8D4D EC lea ecx, dword ptr [ebp-14] ; |
004389DB |. E8 C0590000 call 0043E3A0 ; \SFLiveON.0043E3A0
004389E0 |. 85C0 test eax, eax
004389E2 |. 0F84 A1000000 je 00438A89
004389E8 |. 6A 10 push 10
004389EA |. 68 FC000000 push 0FC ; /Arg2 = 000000FC
004389EF |. 8D95 A8FDFFFF lea edx, dword ptr [ebp-258] ; |
004389F5 |. 52 push edx ; |Arg1
004389F6 |. E8 D2460000 call 0043D0CD ; \SFLiveON.0043D0CD
004389FB |. 83C4 08 add esp, 8
004389FE |. 8985 24FDFFFF mov dword ptr [ebp-2DC], eax
00438A04 |. 8B85 24FDFFFF mov eax, dword ptr [ebp-2DC]
00438A0A |. 8985 20FDFFFF mov dword ptr [ebp-2E0], eax
00438A10 |. C745 FC 04000000 mov dword ptr [ebp-4], 4
00438A17 |. 8B8D 20FDFFFF mov ecx, dword ptr [ebp-2E0]
00438A1D |. E8 5EB7FCFF call 00404180
00438A22 |. 50 push eax
00438A23 |. 68 43030000 push 343 ; /Arg2 = 00000343
00438A28 |. 8D8D A4FDFFFF lea ecx, dword ptr [ebp-25C] ; |
00438A2E |. 51 push ecx ; |Arg1
00438A2F |. E8 99460000 call 0043D0CD ; \SFLiveON.0043D0CD
00438A34 |. 83C4 08 add esp, 8
00438A37 |. 8985 1CFDFFFF mov dword ptr [ebp-2E4], eax
00438A3D |. 8B95 1CFDFFFF mov edx, dword ptr [ebp-2E4]
00438A43 |. 8995 18FDFFFF mov dword ptr [ebp-2E8], edx
00438A49 |. C645 FC 05 mov byte ptr [ebp-4], 5
00438A4D |. 8B8D 18FDFFFF mov ecx, dword ptr [ebp-2E8]
00438A53 |. E8 28B7FCFF call 00404180
00438A58 |. 50 push eax ; |Text
00438A59 |. 6A 00 push 0 ; |hOwner = NULL
00438A5B |. FF15 C0664E00 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
00438A61 |. C645 FC 04 mov byte ptr [ebp-4], 4
00438A65 |. 8D8D A4FDFFFF lea ecx, dword ptr [ebp-25C]
00438A6B |. E8 337D0800 call 004C07A3
00438A70 |. C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00438A77 |. 8D8D A8FDFFFF lea ecx, dword ptr [ebp-258]
00438A7D |. E8 217D0800 call 004C07A3
00438A82 |. 33C0 xor eax, eax
00438A84 |. E9 EF080000 jmp 00439378
00438A89 |> 8B8D 48FDFFFF mov ecx, dword ptr [ebp-2B8]
00438A8F |. E8 4D4C0000 call 0043D6E1
00438A94 |. 8945 E4 mov dword ptr [ebp-1C], eax
00438A97 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00438A9A |. 8945 E8 mov dword ptr [ebp-18], eax
00438A9D |> B9 01000000 /mov ecx, 1
00438AA2 |. 85C9 |test ecx, ecx
00438AA4 |. 0F84 C9080000 |je 00439373 ; ---> 0F85 C9080000 jnz 00439373
00438AAA |. 837D E4 00 |cmp dword ptr [ebp-1C], 0
00438AAE |. 0F84 96060000 |je 0043914A
00438AB4 |. 6A 00 |push 0 ; /Arg1 = 00000000
00438AB6 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0] ; |
00438ABC |. E8 7F42FEFF |call 0041CD40 ; \SFLiveON.0041CD40
00438AC1 |. C745 FC 06000000 |mov dword ptr [ebp-4], 6
00438AC8 |. 68 1CB35000 |push 0050B31C ; ASCII "http://www.kuihua.net/productonline/index.html"
00438ACD |. 8D8D 7CFFFFFF |lea ecx, dword ptr [ebp-84]
00438AD3 |. E8 547E0800 |call 004C092C
00438AD8 |. C785 70FFFFFF 00000000 |mov dword ptr [ebp-90], 0
00438AE2 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00438AE8 |. E8 B13A0800 |call 004BC59E ; self-check and registration dialog
00438AED |. 83F8 01 |cmp eax, 1 ; set breakpoint here
00438AF0 |. 74 27 |je short 00438B19
00438AF2 |. C785 A0FDFFFF 00000000 |mov dword ptr [ebp-260], 0
00438AFC |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438B03 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00438B09 |. E8 924AFEFF |call 0041D5A0
00438B0E |. 8B85 A0FDFFFF |mov eax, dword ptr [ebp-260]
00438B14 |. E9 5F080000 |jmp 00439378
00438B19 |> C745 C8 00000000 |mov dword ptr [ebp-38], 0
00438B20 |. B9 06000000 |mov ecx, 6
00438B25 |. 33C0 |xor eax, eax
00438B27 |. 8D7D CC |lea edi, dword ptr [ebp-34]
00438B2A |. F3:AB |rep stos dword ptr es:[edi]
00438B2C |. 8D55 C8 |lea edx, dword ptr [ebp-38]
00438B2F |. 52 |push edx
00438B30 |. 8D4D C0 |lea ecx, dword ptr [ebp-40]
00438B33 |. E8 48B6FCFF |call 00404180
00438B38 |. 50 |push eax ; |Arg1 ; entered code
00438B39 |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8] ; |
00438B3F |. E8 334C0000 |call 0043D777 ; \SFLiveON.0043D777 ; registration check, step in
00438B44 |. 85C0 |test eax, eax
00438B46 |. 0F85 BB000000 |jnz 00438C07
00438B4C |. 6A 10 |push 10
00438B4E |. 68 4C030000 |push 34C ; /Arg2 = 0000034C
00438B53 |. 8D85 9CFDFFFF |lea eax, dword ptr [ebp-264] ; |
00438B59 |. 50 |push eax ; |Arg1
00438B5A |. E8 6E450000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438B5F |. 83C4 08 |add esp, 8
00438B62 |. 8985 14FDFFFF |mov dword ptr [ebp-2EC], eax
00438B68 |. 8B8D 14FDFFFF |mov ecx, dword ptr [ebp-2EC]
00438B6E |. 898D 10FDFFFF |mov dword ptr [ebp-2F0], ecx
00438B74 |. C645 FC 07 |mov byte ptr [ebp-4], 7
00438B78 |. 8B8D 10FDFFFF |mov ecx, dword ptr [ebp-2F0]
00438B7E |. E8 FDB5FCFF |call 00404180
00438B83 |. 50 |push eax
00438B84 |. 68 44030000 |push 344 ; /Arg2 = 00000344
00438B89 |. 8D95 98FDFFFF |lea edx, dword ptr [ebp-268] ; |
00438B8F |. 52 |push edx ; |Arg1
00438B90 |. E8 38450000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438B95 |. 83C4 08 |add esp, 8
00438B98 |. 8985 0CFDFFFF |mov dword ptr [ebp-2F4], eax
00438B9E |. 8B85 0CFDFFFF |mov eax, dword ptr [ebp-2F4]
00438BA4 |. 8985 08FDFFFF |mov dword ptr [ebp-2F8], eax
00438BAA |. C645 FC 08 |mov byte ptr [ebp-4], 8
00438BAE |. 8B8D 08FDFFFF |mov ecx, dword ptr [ebp-2F8]
00438BB4 |. E8 C7B5FCFF |call 00404180
00438BB9 |. 50 |push eax ; |Text
00438BBA |. 6A 00 |push 0 ; |hOwner = NULL
00438BBC |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA ; breaks here
00438BC2 |. C645 FC 07 |mov byte ptr [ebp-4], 7
00438BC6 |. 8D8D 98FDFFFF |lea ecx, dword ptr [ebp-268]
00438BCC |. E8 D27B0800 |call 004C07A3
00438BD1 |. C645 FC 06 |mov byte ptr [ebp-4], 6
00438BD5 |. 8D8D 9CFDFFFF |lea ecx, dword ptr [ebp-264]
00438BDB |. E8 C37B0800 |call 004C07A3
00438BE0 |. C785 94FDFFFF 00000000 |mov dword ptr [ebp-26C], 0
00438BEA |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438BF1 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00438BF7 |. E8 A449FEFF |call 0041D5A0
00438BFC |. 8B85 94FDFFFF |mov eax, dword ptr [ebp-26C]
00438C02 |. E9 71070000 |jmp 00439378
00438C07 |> 837D C8 0A |cmp dword ptr [ebp-38], 0A
00438C0B |. 0F84 BB000000 |je 00438CCC
00438C11 |. 6A 10 |push 10
00438C13 |. 68 4C030000 |push 34C ; /Arg2 = 0000034C
00438C18 |. 8D8D 90FDFFFF |lea ecx, dword ptr [ebp-270] ; |
00438C1E |. 51 |push ecx ; |Arg1
00438C1F |. E8 A9440000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438C24 |. 83C4 08 |add esp, 8
00438C27 |. 8985 04FDFFFF |mov dword ptr [ebp-2FC], eax
00438C2D |. 8B95 04FDFFFF |mov edx, dword ptr [ebp-2FC]
00438C33 |. 8995 00FDFFFF |mov dword ptr [ebp-300], edx
00438C39 |. C645 FC 09 |mov byte ptr [ebp-4], 9
00438C3D |. 8B8D 00FDFFFF |mov ecx, dword ptr [ebp-300]
00438C43 |. E8 38B5FCFF |call 00404180
00438C48 |. 50 |push eax
00438C49 |. 68 44030000 |push 344 ; /Arg2 = 00000344
00438C4E |. 8D85 8CFDFFFF |lea eax, dword ptr [ebp-274] ; |
00438C54 |. 50 |push eax ; |Arg1
00438C55 |. E8 73440000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438C5A |. 83C4 08 |add esp, 8
00438C5D |. 8985 FCFCFFFF |mov dword ptr [ebp-304], eax
00438C63 |. 8B8D FCFCFFFF |mov ecx, dword ptr [ebp-304]
00438C69 |. 898D F8FCFFFF |mov dword ptr [ebp-308], ecx
00438C6F |. C645 FC 0A |mov byte ptr [ebp-4], 0A
00438C73 |. 8B8D F8FCFFFF |mov ecx, dword ptr [ebp-308]
00438C79 |. E8 02B5FCFF |call 00404180
00438C7E |. 50 |push eax ; |Text
00438C7F |. 6A 00 |push 0 ; |hOwner = NULL
00438C81 |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
00438C87 |. C645 FC 09 |mov byte ptr [ebp-4], 9
00438C8B |. 8D8D 8CFDFFFF |lea ecx, dword ptr [ebp-274]
00438C91 |. E8 0D7B0800 |call 004C07A3
00438C96 |. C645 FC 06 |mov byte ptr [ebp-4], 6
00438C9A |. 8D8D 90FDFFFF |lea ecx, dword ptr [ebp-270]
00438CA0 |. E8 FE7A0800 |call 004C07A3
00438CA5 |. C785 88FDFFFF 00000000 |mov dword ptr [ebp-278], 0
00438CAF |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438CB6 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00438CBC |. E8 DF48FEFF |call 0041D5A0
00438CC1 |. 8B85 88FDFFFF |mov eax, dword ptr [ebp-278]
00438CC7 |. E9 AC060000 |jmp 00439378
00438CCC |> 8B55 D0 |mov edx, dword ptr [ebp-30]
00438CCF |. F7DA |neg edx
00438CD1 |. 1BD2 |sbb edx, edx
00438CD3 |. 83E2 FE |and edx, FFFFFFFE
00438CD6 |. 83C2 02 |add edx, 2
00438CD9 |. 8915 60875D00 |mov dword ptr [5D8760], edx
00438CDF |. 8B45 DC |mov eax, dword ptr [ebp-24]
00438CE2 |. A3 58875D00 |mov dword ptr [5D8758], eax
00438CE7 |. 8B4D D8 |mov ecx, dword ptr [ebp-28]
00438CEA |. 890D 48875D00 |mov dword ptr [5D8748], ecx
00438CF0 |. 8B55 E0 |mov edx, dword ptr [ebp-20]
00438CF3 |. 8915 50875D00 |mov dword ptr [5D8750], edx
00438CF9 |. 8B45 D4 |mov eax, dword ptr [ebp-2C]
00438CFC |. A3 4C875D00 |mov dword ptr [5D874C], eax
00438D01 |. 837D E8 00 |cmp dword ptr [ebp-18], 0
00438D05 |. 0F84 05010000 |je 00438E10
00438D0B |. 6A 00 |push 0
00438D0D |. 8D4D C0 |lea ecx, dword ptr [ebp-40]
00438D10 |. E8 6BB4FCFF |call 00404180
00438D15 |. 50 |push eax ; |Arg1
00438D16 |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8] ; |
00438D1C |. E8 A1410000 |call 0043CEC2 ; \SFLiveON.0043CEC2
00438D21 |. 85C0 |test eax, eax
00438D23 |. 0F85 E2000000 |jnz 00438E0B
00438D29 |. 68 4CB35000 |push 0050B34C ; ASCII "0x0113"
00438D2E |. 68 45030000 |push 345 ; /Arg2 = 00000345
00438D33 |. 8D8D 84FDFFFF |lea ecx, dword ptr [ebp-27C] ; |
00438D39 |. 51 |push ecx ; |Arg1
00438D3A |. E8 8E430000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438D3F |. 83C4 08 |add esp, 8
00438D42 |. 8985 F4FCFFFF |mov dword ptr [ebp-30C], eax
00438D48 |. 8B95 F4FCFFFF |mov edx, dword ptr [ebp-30C]
00438D4E |. 8995 F0FCFFFF |mov dword ptr [ebp-310], edx
00438D54 |. C645 FC 0B |mov byte ptr [ebp-4], 0B
00438D58 |. 8B85 F0FCFFFF |mov eax, dword ptr [ebp-310]
00438D5E |. 50 |push eax
00438D5F |. 8D8D 0CFFFFFF |lea ecx, dword ptr [ebp-F4]
00438D65 |. 51 |push ecx
00438D66 |. E8 CD7C0800 |call 004C0A38
00438D6B |. C645 FC 0D |mov byte ptr [ebp-4], 0D
00438D6F |. 8D8D 84FDFFFF |lea ecx, dword ptr [ebp-27C]
00438D75 |. E8 297A0800 |call 004C07A3
00438D7A |. 6A 10 |push 10
00438D7C |. 68 4C030000 |push 34C ; /Arg2 = 0000034C
00438D81 |. 8D95 80FDFFFF |lea edx, dword ptr [ebp-280] ; |
00438D87 |. 52 |push edx ; |Arg1
00438D88 |. E8 40430000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438D8D |. 83C4 08 |add esp, 8
00438D90 |. 8985 ECFCFFFF |mov dword ptr [ebp-314], eax
00438D96 |. 8B85 ECFCFFFF |mov eax, dword ptr [ebp-314]
00438D9C |. 8985 E8FCFFFF |mov dword ptr [ebp-318], eax
00438DA2 |. C645 FC 0E |mov byte ptr [ebp-4], 0E
00438DA6 |. 8B8D E8FCFFFF |mov ecx, dword ptr [ebp-318]
00438DAC |. E8 CFB3FCFF |call 00404180
00438DB1 |. 50 |push eax
00438DB2 |. 8D8D 0CFFFFFF |lea ecx, dword ptr [ebp-F4]
00438DB8 |. E8 C3B3FCFF |call 00404180
00438DBD |. 50 |push eax ; |Text
00438DBE |. 6A 00 |push 0 ; |hOwner = NULL
00438DC0 |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
00438DC6 |. C645 FC 0D |mov byte ptr [ebp-4], 0D
00438DCA |. 8D8D 80FDFFFF |lea ecx, dword ptr [ebp-280]
00438DD0 |. E8 CE790800 |call 004C07A3
00438DD5 |. C785 7CFDFFFF 00000000 |mov dword ptr [ebp-284], 0
00438DDF |. C645 FC 06 |mov byte ptr [ebp-4], 6
00438DE3 |. 8D8D 0CFFFFFF |lea ecx, dword ptr [ebp-F4]
00438DE9 |. E8 B5790800 |call 004C07A3
00438DEE |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438DF5 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00438DFB |. E8 A047FEFF |call 0041D5A0
00438E00 |. 8B85 7CFDFFFF |mov eax, dword ptr [ebp-284]
00438E06 |. E9 6D050000 |jmp 00439378
00438E0B |> E9 CC010000 |jmp 00438FDC
00438E10 |> 8D4D C0 |lea ecx, dword ptr [ebp-40]
00438E13 |. E8 68B3FCFF |call 00404180
00438E18 |. 50 |push eax ; /Arg1
00438E19 |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8] ; |
00438E1F |. E8 C74C0000 |call 0043DAEB ; \SFLiveON.0043DAEB
00438E24 |. 85C0 |test eax, eax
00438E26 |. 0F85 E2000000 |jnz 00438F0E
00438E2C |. 68 54B35000 |push 0050B354 ; ASCII "0x0114"
00438E31 |. 68 45030000 |push 345 ; /Arg2 = 00000345
00438E36 |. 8D8D 78FDFFFF |lea ecx, dword ptr [ebp-288] ; |
00438E3C |. 51 |push ecx ; |Arg1
00438E3D |. E8 8B420000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438E42 |. 83C4 08 |add esp, 8
00438E45 |. 8985 E4FCFFFF |mov dword ptr [ebp-31C], eax
00438E4B |. 8B95 E4FCFFFF |mov edx, dword ptr [ebp-31C]
00438E51 |. 8995 E0FCFFFF |mov dword ptr [ebp-320], edx
00438E57 |. C645 FC 0F |mov byte ptr [ebp-4], 0F
00438E5B |. 8B85 E0FCFFFF |mov eax, dword ptr [ebp-320]
00438E61 |. 50 |push eax
00438E62 |. 8D8D 08FFFFFF |lea ecx, dword ptr [ebp-F8]
00438E68 |. 51 |push ecx
00438E69 |. E8 CA7B0800 |call 004C0A38
00438E6E |. C645 FC 11 |mov byte ptr [ebp-4], 11
00438E72 |. 8D8D 78FDFFFF |lea ecx, dword ptr [ebp-288]
00438E78 |. E8 26790800 |call 004C07A3
00438E7D |. 6A 10 |push 10
00438E7F |. 68 4C030000 |push 34C ; /Arg2 = 0000034C
00438E84 |. 8D95 74FDFFFF |lea edx, dword ptr [ebp-28C] ; |
00438E8A |. 52 |push edx ; |Arg1
00438E8B |. E8 3D420000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438E90 |. 83C4 08 |add esp, 8
00438E93 |. 8985 DCFCFFFF |mov dword ptr [ebp-324], eax
00438E99 |. 8B85 DCFCFFFF |mov eax, dword ptr [ebp-324]
00438E9F |. 8985 D8FCFFFF |mov dword ptr [ebp-328], eax
00438EA5 |. C645 FC 12 |mov byte ptr [ebp-4], 12
00438EA9 |. 8B8D D8FCFFFF |mov ecx, dword ptr [ebp-328]
00438EAF |. E8 CCB2FCFF |call 00404180
00438EB4 |. 50 |push eax
00438EB5 |. 8D8D 08FFFFFF |lea ecx, dword ptr [ebp-F8]
00438EBB |. E8 C0B2FCFF |call 00404180
00438EC0 |. 50 |push eax ; |Text
00438EC1 |. 6A 00 |push 0 ; |hOwner = NULL
00438EC3 |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
00438EC9 |. C645 FC 11 |mov byte ptr [ebp-4], 11
00438ECD |. 8D8D 74FDFFFF |lea ecx, dword ptr [ebp-28C]
00438ED3 |. E8 CB780800 |call 004C07A3
00438ED8 |. C785 70FDFFFF 00000000 |mov dword ptr [ebp-290], 0
00438EE2 |. C645 FC 06 |mov byte ptr [ebp-4], 6
00438EE6 |. 8D8D 08FFFFFF |lea ecx, dword ptr [ebp-F8]
00438EEC |. E8 B2780800 |call 004C07A3
00438EF1 |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438EF8 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00438EFE |. E8 9D46FEFF |call 0041D5A0
00438F03 |. 8B85 70FDFFFF |mov eax, dword ptr [ebp-290]
00438F09 |. E9 6A040000 |jmp 00439378
00438F0E |> 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8]
00438F14 |. E8 153E0000 |call 0043CD2E
00438F19 |. 85C0 |test eax, eax
00438F1B |. 0F85 BB000000 |jnz 00438FDC
00438F21 |. 6A 10 |push 10
00438F23 |. 68 FC000000 |push 0FC ; /Arg2 = 000000FC
00438F28 |. 8D8D 6CFDFFFF |lea ecx, dword ptr [ebp-294] ; |
00438F2E |. 51 |push ecx ; |Arg1
00438F2F |. E8 99410000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438F34 |. 83C4 08 |add esp, 8
00438F37 |. 8985 D4FCFFFF |mov dword ptr [ebp-32C], eax
00438F3D |. 8B95 D4FCFFFF |mov edx, dword ptr [ebp-32C]
00438F43 |. 8995 D0FCFFFF |mov dword ptr [ebp-330], edx
00438F49 |. C645 FC 13 |mov byte ptr [ebp-4], 13
00438F4D |. 8B8D D0FCFFFF |mov ecx, dword ptr [ebp-330]
00438F53 |. E8 28B2FCFF |call 00404180
00438F58 |. 50 |push eax
00438F59 |. 68 FB000000 |push 0FB ; /Arg2 = 000000FB
00438F5E |. 8D85 68FDFFFF |lea eax, dword ptr [ebp-298] ; |
00438F64 |. 50 |push eax ; |Arg1
00438F65 |. E8 63410000 |call 0043D0CD ; \SFLiveON.0043D0CD
00438F6A |. 83C4 08 |add esp, 8
00438F6D |. 8985 CCFCFFFF |mov dword ptr [ebp-334], eax
00438F73 |. 8B8D CCFCFFFF |mov ecx, dword ptr [ebp-334]
00438F79 |. 898D C8FCFFFF |mov dword ptr [ebp-338], ecx
00438F7F |. C645 FC 14 |mov byte ptr [ebp-4], 14
00438F83 |. 8B8D C8FCFFFF |mov ecx, dword ptr [ebp-338]
00438F89 |. E8 F2B1FCFF |call 00404180
00438F8E |. 50 |push eax ; |Text
00438F8F |. 6A 00 |push 0 ; |hOwner = NULL
00438F91 |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
00438F97 |. C645 FC 13 |mov byte ptr [ebp-4], 13
00438F9B |. 8D8D 68FDFFFF |lea ecx, dword ptr [ebp-298]
00438FA1 |. E8 FD770800 |call 004C07A3
00438FA6 |. C645 FC 06 |mov byte ptr [ebp-4], 6
00438FAA |. 8D8D 6CFDFFFF |lea ecx, dword ptr [ebp-294]
00438FB0 |. E8 EE770800 |call 004C07A3
00438FB5 |. C785 64FDFFFF 00000000 |mov dword ptr [ebp-29C], 0
00438FBF |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
00438FC6 |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00438FCC |. E8 CF45FEFF |call 0041D5A0
00438FD1 |. 8B85 64FDFFFF |mov eax, dword ptr [ebp-29C]
00438FD7 |. E9 9C030000 |jmp 00439378
00438FDC |> 8D55 C0 |lea edx, dword ptr [ebp-40]
00438FDF |. 52 |push edx
00438FE0 |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8]
00438FE6 |. 81C1 781B0C00 |add ecx, 0C1B78
00438FEC |. E8 EB780800 |call 004C08DC
00438FF1 |. 8D4D C4 |lea ecx, dword ptr [ebp-3C]
00438FF4 |. E8 D7AFFCFF |call 00403FD0
00438FF9 |. C645 FC 15 |mov byte ptr [ebp-4], 15
00438FFD |. 833D 5C875D00 00 |cmp dword ptr [5D875C], 0
00439004 |. 75 66 |jnz short 0043906C
00439006 |. 8B85 48FDFFFF |mov eax, dword ptr [ebp-2B8]
0043900C |. 8B0D 50875D00 |mov ecx, dword ptr [5D8750]
00439012 |. 2B88 101E0B00 |sub ecx, dword ptr [eax+B1E10]
00439018 |. 51 |push ecx
00439019 |. 68 94030000 |push 394 ; /Arg2 = 00000394
0043901E |. 8D95 60FDFFFF |lea edx, dword ptr [ebp-2A0] ; |
00439024 |. 52 |push edx ; |Arg1
00439025 |. E8 A3400000 |call 0043D0CD ; \SFLiveON.0043D0CD
0043902A |. 83C4 08 |add esp, 8
0043902D |. 8985 C4FCFFFF |mov dword ptr [ebp-33C], eax
00439033 |. 8B85 C4FCFFFF |mov eax, dword ptr [ebp-33C]
00439039 |. 8985 C0FCFFFF |mov dword ptr [ebp-340], eax
0043903F |. C645 FC 16 |mov byte ptr [ebp-4], 16
00439043 |. 8B8D C0FCFFFF |mov ecx, dword ptr [ebp-340]
00439049 |. E8 32B1FCFF |call 00404180
0043904E |. 50 |push eax
0043904F |. 8D4D C4 |lea ecx, dword ptr [ebp-3C]
00439052 |. 51 |push ecx
00439053 |. E8 FB000800 |call 004B9153
00439058 |. 83C4 0C |add esp, 0C
0043905B |. C645 FC 15 |mov byte ptr [ebp-4], 15
0043905F |. 8D8D 60FDFFFF |lea ecx, dword ptr [ebp-2A0]
00439065 |. E8 39770800 |call 004C07A3
0043906A |. EB 63 |jmp short 004390CF
0043906C |> 8B95 48FDFFFF |mov edx, dword ptr [ebp-2B8]
00439072 |. A1 50875D00 |mov eax, dword ptr [5D8750]
00439077 |. 2B82 101E0B00 |sub eax, dword ptr [edx+B1E10]
0043907D |. 50 |push eax
0043907E |. 68 95030000 |push 395 ; /Arg2 = 00000395
00439083 |. 8D8D 5CFDFFFF |lea ecx, dword ptr [ebp-2A4] ; |
00439089 |. 51 |push ecx ; |Arg1
0043908A |. E8 3E400000 |call 0043D0CD ; \SFLiveON.0043D0CD
0043908F |. 83C4 08 |add esp, 8
00439092 |. 8985 BCFCFFFF |mov dword ptr [ebp-344], eax
00439098 |. 8B95 BCFCFFFF |mov edx, dword ptr [ebp-344]
0043909E |. 8995 B8FCFFFF |mov dword ptr [ebp-348], edx
004390A4 |. C645 FC 17 |mov byte ptr [ebp-4], 17
004390A8 |. 8B8D B8FCFFFF |mov ecx, dword ptr [ebp-348]
004390AE |. E8 CDB0FCFF |call 00404180
004390B3 |. 50 |push eax
004390B4 |. 8D45 C4 |lea eax, dword ptr [ebp-3C]
004390B7 |. 50 |push eax
004390B8 |. E8 96000800 |call 004B9153
004390BD |. 83C4 0C |add esp, 0C
004390C0 |. C645 FC 15 |mov byte ptr [ebp-4], 15
004390C4 |. 8D8D 5CFDFFFF |lea ecx, dword ptr [ebp-2A4]
004390CA |. E8 D4760800 |call 004C07A3
004390CF |> 6A 40 |push 40
004390D1 |. 68 51030000 |push 351 ; /Arg2 = 00000351
004390D6 |. 8D8D 58FDFFFF |lea ecx, dword ptr [ebp-2A8] ; |
004390DC |. 51 |push ecx ; |Arg1
004390DD |. E8 EB3F0000 |call 0043D0CD ; \SFLiveON.0043D0CD
004390E2 |. 83C4 08 |add esp, 8
004390E5 |. 8985 B4FCFFFF |mov dword ptr [ebp-34C], eax
004390EB |. 8B95 B4FCFFFF |mov edx, dword ptr [ebp-34C]
004390F1 |. 8995 B0FCFFFF |mov dword ptr [ebp-350], edx
004390F7 |. C645 FC 18 |mov byte ptr [ebp-4], 18
004390FB |. 8B8D B0FCFFFF |mov ecx, dword ptr [ebp-350]
00439101 |. E8 7AB0FCFF |call 00404180
00439106 |. 50 |push eax
00439107 |. 8D4D C4 |lea ecx, dword ptr [ebp-3C]
0043910A |. E8 71B0FCFF |call 00404180
0043910F |. 50 |push eax ; |Text
00439110 |. 6A 00 |push 0 ; |hOwner = NULL
00439112 |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
00439118 |. C645 FC 15 |mov byte ptr [ebp-4], 15
0043911C |. 8D8D 58FDFFFF |lea ecx, dword ptr [ebp-2A8]
00439122 |. E8 7C760800 |call 004C07A3
00439127 |. C645 FC 06 |mov byte ptr [ebp-4], 6
0043912B |. 8D4D C4 |lea ecx, dword ptr [ebp-3C]
0043912E |. E8 70760800 |call 004C07A3
00439133 |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
0043913A |. 8D8D 10FFFFFF |lea ecx, dword ptr [ebp-F0]
00439140 |. E8 5B44FEFF |call 0041D5A0
00439145 |. E9 29020000 |jmp 00439373
0043914A |> C785 84FEFFFF 00000000 |mov dword ptr [ebp-17C], 0
00439154 |. B9 19000000 |mov ecx, 19
00439159 |. 33C0 |xor eax, eax
0043915B |. 8DBD 88FEFFFF |lea edi, dword ptr [ebp-178]
00439161 |. F3:AB |rep stos dword ptr es:[edi]
00439163 |. 8D85 84FEFFFF |lea eax, dword ptr [ebp-17C]
00439169 |. 50 |push eax ; /Arg1
0043916A |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8] ; |
00439170 |. E8 CA480000 |call 0043DA3F ; \SFLiveON.0043DA3F
00439175 |. 85C0 |test eax, eax
00439177 |. 75 0C |jnz short 00439185
00439179 |. C745 E4 01000000 |mov dword ptr [ebp-1C], 1
00439180 |.^ E9 18F9FFFF |jmp 00438A9D
00439185 |> 8D8D 88FEFFFF |lea ecx, dword ptr [ebp-178]
0043918B |. 51 |push ecx
0043918C |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8]
00439192 |. 81C1 781B0C00 |add ecx, 0C1B78
00439198 |. E8 8F770800 |call 004C092C
0043919D |. C785 ECFEFFFF 00000000 |mov dword ptr [ebp-114], 0
004391A7 |. B9 06000000 |mov ecx, 6
004391AC |. 33C0 |xor eax, eax
004391AE |. 8DBD F0FEFFFF |lea edi, dword ptr [ebp-110]
004391B4 |. F3:AB |rep stos dword ptr es:[edi]
004391B6 |. 8D95 ECFEFFFF |lea edx, dword ptr [ebp-114]
004391BC |. 52 |push edx ; /Arg2
004391BD |. 8D85 88FEFFFF |lea eax, dword ptr [ebp-178] ; |
004391C3 |. 50 |push eax ; |Arg1
004391C4 |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8] ; |
004391CA |. E8 A8450000 |call 0043D777 ; \SFLiveON.0043D777
004391CF |. 85C0 |test eax, eax
004391D1 |. 75 0C |jnz short 004391DF
004391D3 |. C745 E4 01000000 |mov dword ptr [ebp-1C], 1
004391DA |.^ E9 BEF8FFFF |jmp 00438A9D
004391DF |> 83BD ECFEFFFF 0A |cmp dword ptr [ebp-114], 0A
004391E6 |. 74 0C |je short 004391F4
004391E8 |. C745 E4 01000000 |mov dword ptr [ebp-1C], 1
004391EF |.^ E9 A9F8FFFF |jmp 00438A9D
004391F4 |> 8B8D F4FEFFFF |mov ecx, dword ptr [ebp-10C]
004391FA |. F7D9 |neg ecx
004391FC |. 1BC9 |sbb ecx, ecx
004391FE |. 83E1 FE |and ecx, FFFFFFFE
00439201 |. 83C1 02 |add ecx, 2
00439204 |. 890D 60875D00 |mov dword ptr [5D8760], ecx
0043920A |. 8B95 00FFFFFF |mov edx, dword ptr [ebp-100]
00439210 |. 8915 58875D00 |mov dword ptr [5D8758], edx
00439216 |. 8B85 FCFEFFFF |mov eax, dword ptr [ebp-104]
0043921C |. A3 48875D00 |mov dword ptr [5D8748], eax
00439221 |. 8B8D 04FFFFFF |mov ecx, dword ptr [ebp-FC]
00439227 |. 890D 50875D00 |mov dword ptr [5D8750], ecx
0043922D |. 8B95 F8FEFFFF |mov edx, dword ptr [ebp-108]
00439233 |. 8915 4C875D00 |mov dword ptr [5D874C], edx
00439239 |. 833D 54875D00 00 |cmp dword ptr [5D8754], 0
00439240 |. 0F85 2D010000 |jnz 00439373
00439246 |. 8B8D 48FDFFFF |mov ecx, dword ptr [ebp-2B8]
0043924C |. E8 DD3A0000 |call 0043CD2E
00439251 |. 85C0 |test eax, eax
00439253 |. 0F85 A6000000 |jnz 004392FF
00439259 |. 6A 10 |push 10
0043925B |. 68 FC000000 |push 0FC ; /Arg2 = 000000FC
00439260 |. 8D85 54FDFFFF |lea eax, dword ptr [ebp-2AC] ; |
00439266 |. 50 |push eax ; |Arg1
00439267 |. E8 613E0000 |call 0043D0CD ; \SFLiveON.0043D0CD
0043926C |. 83C4 08 |add esp, 8
0043926F |. 8985 ACFCFFFF |mov dword ptr [ebp-354], eax
00439275 |. 8B8D ACFCFFFF |mov ecx, dword ptr [ebp-354]
0043927B |. 898D A8FCFFFF |mov dword ptr [ebp-358], ecx
00439281 |. C745 FC 19000000 |mov dword ptr [ebp-4], 19
00439288 |. 8B8D A8FCFFFF |mov ecx, dword ptr [ebp-358]
0043928E |. E8 EDAEFCFF |call 00404180
00439293 |. 50 |push eax
00439294 |. 68 FB000000 |push 0FB ; /Arg2 = 000000FB
00439299 |. 8D95 50FDFFFF |lea edx, dword ptr [ebp-2B0] ; |
0043929F |. 52 |push edx ; |Arg1
004392A0 |. E8 283E0000 |call 0043D0CD ; \SFLiveON.0043D0CD
004392A5 |. 83C4 08 |add esp, 8
004392A8 |. 8985 A4FCFFFF |mov dword ptr [ebp-35C], eax
004392AE |. 8B85 A4FCFFFF |mov eax, dword ptr [ebp-35C]
004392B4 |. 8985 A0FCFFFF |mov dword ptr [ebp-360], eax
004392BA |. C645 FC 1A |mov byte ptr [ebp-4], 1A
004392BE |. 8B8D A0FCFFFF |mov ecx, dword ptr [ebp-360]
004392C4 |. E8 B7AEFCFF |call 00404180
004392C9 |. 50 |push eax ; |Text
004392CA |. 6A 00 |push 0 ; |hOwner = NULL
004392CC |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
004392D2 |. C645 FC 19 |mov byte ptr [ebp-4], 19
004392D6 |. 8D8D 50FDFFFF |lea ecx, dword ptr [ebp-2B0]
004392DC |. E8 C2740800 |call 004C07A3
004392E1 |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
004392E8 |. 8D8D 54FDFFFF |lea ecx, dword ptr [ebp-2AC]
004392EE |. E8 B0740800 |call 004C07A3
004392F3 |. C745 E4 01000000 |mov dword ptr [ebp-1C], 1
004392FA |.^ E9 9EF7FFFF \jmp 00438A9D
004392FF |> 6A 00 push 0 ; /Arg1 = 00000000
00439301 |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230] ; |
00439307 |. E8 343AFEFF call 0041CD40 ; \SFLiveON.0041CD40
0043930C |. C745 FC 1B000000 mov dword ptr [ebp-4], 1B
00439313 |. 68 5CB35000 push 0050B35C ; ASCII "http://www.kuihua.net/productonline/index.html"
00439318 |. 8D8D 3CFEFFFF lea ecx, dword ptr [ebp-1C4]
0043931E |. E8 09760800 call 004C092C
00439323 |. C785 30FEFFFF 01000000 mov dword ptr [ebp-1D0], 1
0043932D |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230]
00439333 |. E8 66320800 call 004BC59E
00439338 |. 83F8 01 cmp eax, 1
0043933B |. 74 24 je short 00439361
0043933D |. C785 4CFDFFFF 00000000 mov dword ptr [ebp-2B4], 0
00439347 |. C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
0043934E |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230]
00439354 |. E8 4742FEFF call 0041D5A0
00439359 |. 8B85 4CFDFFFF mov eax, dword ptr [ebp-2B4]
0043935F |. EB 17 jmp short 00439378
00439361 |> C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00439368 |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230]
0043936E |. E8 2D42FEFF call 0041D5A0
00439373 |> B8 01000000 mov eax, 1 ; search upward from here
00439378 |> 8B4D F4 mov ecx, dword ptr [ebp-C]
0043937B |. 64:890D 00000000 mov dword ptr fs:[0], ecx
00439382 |. 5F pop edi
00439383 |. 8BE5 mov esp, ebp
00439385 |. 5D pop ebp
00439386 \. C3 retn
-----------------------------------------------------------
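Looking upward, I set a breakpoint at 00438AED. The CALL at 00438B3F is the registration check. Stepping into it, I found a lot of junk algorithm code and what looked like junk instructions, which cost me a whole day for nothing. Enough! Patch it instead. First, find the patch point. While debugging I found that the registration path enters this routine in the middle; the breakpoint we set is the furthest point back, and execution seems to return there from the CALL at 00438AE8. Since it did not matter, I did not dig further. Working downward, I changed the jumps so that execution reached the message box at 00439112, which displayed "Thank you for trying (evaluating) Kuihua software. You can evaluate for 00 days." After clicking OK the program started. I thought the job was done, but after checking the help file I found that the program interface was very different: the menu bar lacked "Live Channel Management", several toolbar buttons were greyed out, and the left and bottom panes differed as well. After a restart the registration dialog still appeared, but the serial-number input box was gone, and after clicking OK the interface was still different. Evidently the patch point was wrong!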
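To examine the program's startup, breakpoints have to be set in advance, which means changing the jump at 004D8542 every time. Ha! Before that point, the program already calls the routine above, and enters it at its entry point. The self-check is invoked inside the CALL at 00438AE8. Moreover, after it has been called twice, the registration dialog appears without control returning to the routine. Only after clicking Exit does it return to the next line, 00438AED. This is also where execution returns when we enter an arbitrary code and click OK! Watching the flow carefully, I found that eax=0 at the exit; once out of this routine, continuing to run means Game Over. Looking again at the case where the program did start after our registration change, eax=1 at the exit. Good! Checking this routine's exit values, there are only two, and the correct one is 1. So why, after our change above, was it also 1 and yet there were still problems after leaving? The reason is that there are too many forks, and the road we took may not have been the smooth highway!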
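Now let us find that smooth, bright highway! Taking 00439373 as the base point, search upward. Every path that can reach it is welcome, but which one is it? First note them all down, then look at the program's normal flow to see where exactly it gets stuck. After restarting the program, I found that the jump at 00438AA4 points straight at the correct exit but is not taken. An obstacle has to be kicked away: change this so that it jumps directly to the correct exit (eax=1), press F9 again, and wow! Not only does the program run, but the interface is almost identical to the one in the help file, except that the title bar still contains the three characters "试用版" (trial version). I looked but could not find where to change that. Checking the "About" dialog, the time stood squarely at 30 days; even the time limit was broken! A lucky hit, I suppose. Trial it is, then; let it have 30 days left forever, since the trial period has no real restrictions anyway! If some expert passing by sees this and removes those three characters, it would be even more perfect.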
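The hang that the author traced to breakpoints is what a checksum over the program's own code bytes produces, because a software breakpoint overwrites an opcode with INT3 (0xCC). The following is an added example, not code from LiveONE or from the original post: it checksums the 17 bytes at 004D853B copied from the listing on this page and flags both an INT3 and the `74` to `EB` edit at 004D8542. The FNV-1a checksum, the choice of region and all function names are assumptions; the post does not identify what the program actually checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Code bytes 004D853B..004D854B, copied from the listing on this page.
   Using them as the protected region is an assumption for illustration. */
#define REGION_BASE 0x004D853Bu
static const uint8_t REGION[] = {
    0x81, 0x7D, 0x18, 0x09, 0x00, 0x02, 0x80, /* cmp dword ptr [ebp+18], 80020009 */
    0x74, 0x08,                               /* je short 004D854C                */
    0xFF, 0x75, 0x18,                         /* push dword ptr [ebp+18]          */
    0xE8, 0xD6, 0xF1, 0xFF, 0xFF              /* call 004D7722                    */
};
#define REGION_LEN (sizeof REGION)

enum change_kind { UNCHANGED = 0, SOFT_BREAKPOINT = 1, PATCHED = 2 };

/* FNV-1a, 32 bit. Assumption: stands in for whatever the program really uses. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Compare a live image with the reference bytes. Reports the address of the
   first changed byte and whether the new value is INT3 (0xCC), the opcode a
   debugger writes when it sets a software breakpoint. */
enum change_kind first_change(const uint8_t *live, size_t n, uint32_t *addr)
{
    for (size_t i = 0; i < n && i < REGION_LEN; i++) {
        if (live[i] != REGION[i]) {
            if (addr)
                *addr = REGION_BASE + (uint32_t)i;
            return live[i] == 0xCC ? SOFT_BREAKPOINT : PATCHED;
        }
    }
    return UNCHANGED;
}

/* Checksum of the region as it looks with one byte overwritten. */
uint32_t checksum_with_byte(size_t off, uint8_t value)
{
    uint8_t img[REGION_LEN];
    memcpy(img, REGION, REGION_LEN);
    if (off < REGION_LEN)
        img[off] = value;
    return fnv1a32(img, REGION_LEN);
}

/* Classify the region after one byte is overwritten (demo helper). */
enum change_kind classify_overwrite(size_t off, uint8_t value, uint32_t *addr)
{
    uint8_t img[REGION_LEN];
    memcpy(img, REGION, REGION_LEN);
    if (off < REGION_LEN)
        img[off] = value;
    return first_change(img, REGION_LEN, addr);
}

/* Address of the first changed byte for a given overwrite, 0 if none. */
uint32_t changed_addr(size_t off, uint8_t value)
{
    uint32_t addr = 0;
    classify_overwrite(off, value, &addr);
    return addr;
}

int main(void)
{
    static const char *names[] = {
        "unchanged", "software breakpoint (INT3)", "patched"
    };
    const size_t je_off = 0x004D8542u - REGION_BASE; /* offset of the je opcode */
    const uint8_t cases[] = { 0x74, 0xCC, 0xEB };    /* original, INT3, jmp short */
    const uint32_t ref = fnv1a32(REGION, REGION_LEN);

    for (size_t i = 0; i < sizeof cases; i++) {
        uint32_t addr = 0;
        enum change_kind k = classify_overwrite(je_off, cases[i], &addr);
        uint32_t sum = checksum_with_byte(je_off, cases[i]);
        printf("byte %02X: checksum %08X %s reference, %s",
               (unsigned)cases[i], (unsigned)sum,
               sum == ref ? "matches" : "differs from", names[k]);
        if (k != UNCHANGED)
            printf(" at %08X", (unsigned)addr);
        putchar('\n');
    }
    return 0;
}
```

A checksum alone only says that something changed; the byte-level comparison is what separates a debugger's INT3 from an on-disk edit.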
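4.0 Wrap-up:
Right, with the change made in OD: right-click -> Copy to executable -> All modifications -> Copy all; in the window that pops up, right-click -> Save file -> rename -> Save.
OK! Done! Half a byte settles the battle. Time to pack up!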
--------------------------------------------------------------------------------
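【Lessons learned】
This is the third cracking write-up in a newbie's growth. Cracking work is tedious and repetitive, and sometimes leaves you battered, but once you sort out the threads you will find the crux of the problem; the key is persistence and perseverance. Single-step tracing, though clumsy, is still effective against this kind of anti-debugging that relies on a self-check. Analysing the direction of the key control flow is very important, since it determines whether the key jump can be found. Just a few thoughts I would like to share; experts, please don't laugh!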
--------------------------------------------------------------------------------
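【Copyright notice】: This article was originally published on the Kanxue (看雪) technical forum. If you repost it, please credit the author and keep the article intact. Thank you!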
2007.11.30
00439288 |. 8B8D A8FCFFFF |mov ecx, dword ptr [ebp-358]
0043928E |. E8 EDAEFCFF |call 00404180
00439293 |. 50 |push eax
00439294 |. 68 FB000000 |push 0FB ; /Arg2 = 000000FB
00439299 |. 8D95 50FDFFFF |lea edx, dword ptr [ebp-2B0] ; |
0043929F |. 52 |push edx ; |Arg1
004392A0 |. E8 283E0000 |call 0043D0CD ; \SFLiveON.0043D0CD
004392A5 |. 83C4 08 |add esp, 8
004392A8 |. 8985 A4FCFFFF |mov dword ptr [ebp-35C], eax
004392AE |. 8B85 A4FCFFFF |mov eax, dword ptr [ebp-35C]
004392B4 |. 8985 A0FCFFFF |mov dword ptr [ebp-360], eax
004392BA |. C645 FC 1A |mov byte ptr [ebp-4], 1A
004392BE |. 8B8D A0FCFFFF |mov ecx, dword ptr [ebp-360]
004392C4 |. E8 B7AEFCFF |call 00404180
004392C9 |. 50 |push eax ; |Text
004392CA |. 6A 00 |push 0 ; |hOwner = NULL
004392CC |. FF15 C0664E00 |call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
004392D2 |. C645 FC 19 |mov byte ptr [ebp-4], 19
004392D6 |. 8D8D 50FDFFFF |lea ecx, dword ptr [ebp-2B0]
004392DC |. E8 C2740800 |call 004C07A3
004392E1 |. C745 FC FFFFFFFF |mov dword ptr [ebp-4], -1
004392E8 |. 8D8D 54FDFFFF |lea ecx, dword ptr [ebp-2AC]
004392EE |. E8 B0740800 |call 004C07A3
004392F3 |. C745 E4 01000000 |mov dword ptr [ebp-1C], 1
004392FA |.^ E9 9EF7FFFF \jmp 00438A9D
004392FF |> 6A 00 push 0 ; /Arg1 = 00000000
00439301 |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230] ; |
00439307 |. E8 343AFEFF call 0041CD40 ; \SFLiveON.0041CD40
0043930C |. C745 FC 1B000000 mov dword ptr [ebp-4], 1B
00439313 |. 68 5CB35000 push 0050B35C ; ASCII "http://www.kuihua.net/productonline/index.html"
00439318 |. 8D8D 3CFEFFFF lea ecx, dword ptr [ebp-1C4]
0043931E |. E8 09760800 call 004C092C
00439323 |. C785 30FEFFFF 01000000 mov dword ptr [ebp-1D0], 1
0043932D |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230]
00439333 |. E8 66320800 call 004BC59E
00439338 |. 83F8 01 cmp eax, 1
0043933B |. 74 24 je short 00439361
0043933D |. C785 4CFDFFFF 00000000 mov dword ptr [ebp-2B4], 0
00439347 |. C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
0043934E |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230]
00439354 |. E8 4742FEFF call 0041D5A0
00439359 |. 8B85 4CFDFFFF mov eax, dword ptr [ebp-2B4]
0043935F |. EB 17 jmp short 00439378
00439361 |> C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00439368 |. 8D8D D0FDFFFF lea ecx, dword ptr [ebp-230]
0043936E |. E8 2D42FEFF call 0041D5A0
00439373 |> B8 01000000 mov eax, 1 ; search upward from here
00439378 |> 8B4D F4 mov ecx, dword ptr [ebp-C]
0043937B |. 64:890D 00000000 mov dword ptr fs:[0], ecx
00439382 |. 5F pop edi
00439383 |. 8BE5 mov esp, ebp
00439385 |. 5D pop ebp
00439386 \. C3 retn
-----------------------------------------------------------
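Checking upward, I set a breakpoint at 00438AED. The CALL at 00438B3F is the registration check routine. Stepping into it, I found a lot of junk algorithm code, and apparently junk instructions as well, which wasted a whole day of my time. Forget it! Let's patch it instead! First, find the patch point. While debugging I found that the registration process enters this routine in the middle; the breakpoint we set is the farthest point, and execution appears to return there from the CALL at 00438AE8. Since it did not matter, I did not look into it further. Going downward, I changed a jump to reach the message box at 00439112, and "感谢您体验(评估)葵花软件,你可以评估 00 天。" ("Thank you for trying (evaluating) Kuihua software; you can evaluate for 00 days.") appeared. After clicking OK, the program started. I thought the job was done, but after reading the help file I found that the program interface was very different: the menu bar lacked "直播频道管理" (Live Channel Management), the toolbar had several greyed-out buttons, and the left side and the bottom were different too. After a restart, the registration dialog still appeared, but the serial number input box was gone, and after clicking OK the interface was still different. It seems the patch point was wrong!

To examine the program's startup process, the breakpoint has to be set earlier, so the jump at 004D8542 has to be changed on every run. Ha! Before that point, the program already calls the routine above, and enters it from its entry point. The self-check is called inside the CALL at 00438AE8. Moreover, after it has been called twice, the registration dialog appears without the call returning. Only after clicking Exit does it return to the next line, at 00438AED. That is also where execution returned when we entered an arbitrary code and clicked OK! Observing the flow carefully, I found that on exit eax=0, and once this routine is left, continuing to run ends in Game Over. Now look at our registration modification from earlier: the exit that lets the program start has eax=1. Good! Checking the exit values of this routine, there are only two, and the correct one is 1. Then why, when our modification above also gave 1, were there still problems after leaving? The reason is that there are too many forks in the road, and the one we took may not have been a smooth highway!

Now let's find that smooth, bright highway! Taking 00439373 as the base point, search upward. Anything that can reach here is welcome, but which one is it? First note them all down, then watch the program's normal flow to see where it gets stuck. After restarting the program, I found that the jump at 00438AA4 points straight at the correct exit, but it was not taken. An obstacle has to be kicked away: I changed this spot to jump directly to the correct exit (eax=1), pressed F9 again, and wow! Not only did the program run, but the interface was almost identical to the one in the help file, except that the program title still contained the three characters "试用版" (Trial Version). I looked for the place to change them but did not find it. Then I checked the About dialog, and the time was stuck at 30 days: even the time limit was broken! A lucky accident, I suppose. Trial it is, then; let it always have 30 days left, since the trial period has no restrictions anyway! If some expert passing by sees this and removes those three characters, it would be even more perfect.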
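4.0 Cleanup:
With the changes made in OD, right-click > Copy to executable > All modifications > Copy all; in the window that pops up, right-click > Save file > rename > Save.
OK! Done! Half a byte settles the battle. That's a wrap!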
--------------------------------------------------------------------------------
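【Lessons learned】
This is the third crack write-up in a newbie's growth. Cracking work is tedious and repetitive, and sometimes leaves you battered, but as long as you sort out the threads you will find the crux of the problem; the key is perseverance and determination. Single-stepping, although rather clumsy, is still effective against this practice of using a self-check for anti-debugging. Analyzing the direction of the key flow is very important, because it determines whether the key jump can be found. Just a few thoughts I would like to share; experts, please don't laugh!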
--------------------------------------------------------------------------------
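【Copyright notice】: This article was originally published on the Kanxue technical forum. When reposting, please credit the author and keep the article intact. Thank you!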
2007.11.30
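The self-check mentioned in the write-up reacts to breakpoints because a debugger's software breakpoint overwrites the first byte of an instruction with INT3 (0xCC), which changes any checksum taken over the code; a one-byte branch edit changes it in the same way. The following is an added example, not code from the original post or from the program: it assumes the check is a CRC-32 over a code region (the post does not say which algorithm is used), the function names are hypothetical, and the sample bytes are the ones the listing shows at 00439175.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 16 code bytes the listing shows at 00439175..00439184
   (test eax,eax / jnz / mov [ebp-1C],1 / jmp), standing in for a protected region. */
static const uint8_t SAMPLE[16] = {
    0x85, 0xC0, 0x75, 0x0C, 0xC7, 0x45, 0xE4, 0x01,
    0x00, 0x00, 0x00, 0xE9, 0x18, 0xF9, 0xFF, 0xFF
};

/* Standard reflected CRC-32 (polynomial 0xEDB88320), computed bit by bit. */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hypothetical self-check: 1 if the region still matches its reference CRC. */
int region_intact(const uint8_t *code, size_t n, uint32_t expected) {
    return crc32_bytes(code, n) == expected;
}

/* Copy the sample, overwrite one byte, and run the check against the
   reference taken from the pristine bytes. Returns -1 for a bad offset. */
int check_with_byte(size_t off, uint8_t value) {
    uint8_t copy[sizeof SAMPLE];
    uint32_t reference = crc32_bytes(SAMPLE, sizeof SAMPLE);
    if (off >= sizeof copy) return -1;
    memcpy(copy, SAMPLE, sizeof copy);
    copy[off] = value;
    return region_intact(copy, sizeof copy, reference);
}

int main(void) {
    printf("untouched region:        %d\n", check_with_byte(0, 0x85));
    printf("INT3 (0xCC) at offset 0: %d\n", check_with_byte(0, 0xCC));
    printf("one-byte edit, offset 2: %d\n", check_with_byte(2, 0xEB));
    return 0;
}
```

A check of this kind only reports that bytes changed; the routine in the listing still reduces its decision to the single value returned in eax, which is why one altered branch was enough to defeat the licensing check.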