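[Old post] [Help] Experts, please take a look at this code
Posted: 2007-12-3 21:39
I'm a newcomer and only started learning cracking recently. I ran into a problem while writing a memory keygen for a piece of software. Could everyone look at the code below and see where my problem is?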
00401000 . 6A FF PUSH -1
00401002 . 68 3A424000 PUSH GXCAD_Fo.0040423A ; SE handler installation
00401007 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0040100D . 50 PUSH EAX
0040100E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00401015 . 51 PUSH ECX
....
....
....
....
....
....
....
....
004014AA 90 NOP
004014AB 90 NOP
004014AC 90 NOP
004014AD 90 NOP
004014AE 90 NOP
004014AF 90 NOP
004014B0 . 56 PUSH ESI
004014B1 . 8BF1 MOV ESI,ECX
004014B3 . 57 PUSH EDI
004014B4 . 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
004014B8 . 8D46 60 LEA EAX,DWORD PTR DS:[ESI+60]
004014BB . 50 PUSH EAX
004014BC . 68 E8030000 PUSH 3E8
004014C1 . 57 PUSH EDI
004014C2 . E8 61270000 CALL <JMP.&MFC42.#2370_DDX_Text>
004014C7 . 83C6 64 ADD ESI,64
004014CA . 56 PUSH ESI
004014CB . 68 E9030000 PUSH 3E9
004014D0 . 57 PUSH EDI
004014D1 . E8 52270000 CALL <JMP.&MFC42.#2370_DDX_Text>
004014D6 . 5F POP EDI
004014D7 . 5E POP ESI
004014D8 . C2 0400 RETN 4
004014DB 90 NOP
004014DC 90 NOP
004014DD 90 NOP
004014DE 90 NOP
004014DF 90 NOP
004014E0 . B8 70574000 MOV EAX,GXCAD_Fo.00405770
004014E5 . C3 RETN
004014E6 90 NOP
004014E7 90 NOP
004014E8 90 NOP
004014E9 90 NOP
004014EA 90 NOP
004014EB 90 NOP
004014EC 90 NOP
004014ED 90 NOP
004014EE 90 NOP
004014EF 90 NOP
004014F0 . 83EC 64 SUB ESP,64
004014F3 . 56 PUSH ESI
004014F4 . 57 PUSH EDI
004014F5 . 8BF1 MOV ESI,ECX
004014F7 . E8 3E270000 CALL <JMP.&MFC42.#4710_CDialog::OnInitDi>
004014FC . B9 19000000 MOV ECX,19
00401501 . 33C0 XOR EAX,EAX
00401503 . 8D7C24 08 LEA EDI,DWORD PTR SS:[ESP+8]
00401507 . F3:AB REP STOS DWORD PTR ES:[EDI]
00401509 . 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
0040150D . 50 PUSH EAX
0040150E . E8 33240000 CALL <JMP.&mfcsysdll.Get_Net_NetWork>
00401513 . 85C0 TEST EAX,EAX
00401515 . 75 15 JNZ SHORT GXCAD_Fo.0040152C
00401517 . 50 PUSH EAX
00401518 . 50 PUSH EAX
00401519 . 68 4C704000 PUSH GXCAD_Fo.0040704C
0040151E . 8BCE MOV ECX,ESI
00401520 . E8 0F270000 CALL <JMP.&MFC42.#4224_CWnd::MessageBoxA>
00401525 . 8BCE MOV ECX,ESI
00401527 . E8 A2260000 CALL <JMP.&MFC42.#4376_CDialog::OnCancel>
0040152C > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00401530 . 8D56 60 LEA EDX,DWORD PTR DS:[ESI+60]
00401533 . 51 PUSH ECX
00401534 . 68 48704000 PUSH GXCAD_Fo.00407048 ; ASCII "%s"
00401539 . 52 PUSH EDX
0040153A . E8 C3250000 CALL <JMP.&MFC42.#2818_CString::Format>
0040153F . 83C4 0C ADD ESP,0C
00401542 . 8BCE MOV ECX,ESI
00401544 . 6A 00 PUSH 0
00401546 . E8 E3260000 CALL <JMP.&MFC42.#6334_CWnd::UpdateData>
0040154B . 5F POP EDI
0040154C . B8 01000000 MOV EAX,1
00401551 . 5E POP ESI
00401552 . 83C4 64 ADD ESP,64
00401555 . C3 RETN
00401556 90 NOP
00401557 90 NOP
00401558 90 NOP
00401559 90 NOP
0040155A 90 NOP
0040155B 90 NOP
0040155C 90 NOP
0040155D 90 NOP
0040155E 90 NOP
0040155F 90 NOP
00401560 . 6A FF PUSH -1
00401562 . 68 17434000 PUSH GXCAD_Fo.00404317 ; SE handler installation
00401567 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0040156D . 50 PUSH EAX
0040156E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00401575 . 81EC A0010000 SUB ESP,1A0
0040157B . 53 PUSH EBX
0040157C . 55 PUSH EBP
0040157D . 56 PUSH ESI
0040157E . BB 01000000 MOV EBX,1
00401583 . 57 PUSH EDI
00401584 . 8BE9 MOV EBP,ECX
00401586 . 53 PUSH EBX
00401587 . E8 A2260000 CALL <JMP.&MFC42.#6334_CWnd::UpdateData> // I set a breakpoint here, then return and press Shift+F9
0040158C . B9 19000000 MOV ECX,19
00401591 . 33C0 XOR EAX,EAX
00401593 . 8DBC24 4C0100>LEA EDI,DWORD PTR SS:[ESP+14C]
0040159A . F3:AB REP STOS DWORD PTR ES:[EDI]
0040159C . B9 19000000 MOV ECX,19
004015A1 . 8DBC24 840000>LEA EDI,DWORD PTR SS:[ESP+84]
004015A8 . F3:AB REP STOS DWORD PTR ES:[EDI]
004015AA . B9 19000000 MOV ECX,19
004015AF . 8D7C24 20 LEA EDI,DWORD PTR SS:[ESP+20]
004015B3 . F3:AB REP STOS DWORD PTR ES:[EDI]
004015B5 . B9 19000000 MOV ECX,19
004015BA . 8DBC24 E80000>LEA EDI,DWORD PTR SS:[ESP+E8]
004015C1 . F3:AB REP STOS DWORD PTR ES:[EDI]
004015C3 . 8D7D 64 LEA EDI,DWORD PTR SS:[EBP+64]
004015C6 . 8BCF MOV ECX,EDI
004015C8 . E8 7F260000 CALL <JMP.&MFC42.#6283_CString::TrimRigh>
004015CD . 8D8424 E80000>LEA EAX,DWORD PTR SS:[ESP+E8]
004015D4 . 6A 4C PUSH 4C
004015D6 . 50 PUSH EAX
004015D7 . 51 PUSH ECX
004015D8 . 8D55 60 LEA EDX,DWORD PTR SS:[EBP+60]
004015DB . 8BCC MOV ECX,ESP
004015DD . 896424 28 MOV DWORD PTR SS:[ESP+28],ESP
004015E1 . 52 PUSH EDX
004015E2 . E8 03250000 CALL <JMP.&MFC42.#535_CString::CString>
004015E7 . 51 PUSH ECX
004015E8 . C78424 C80100>MOV DWORD PTR SS:[ESP+1C8],0
004015F3 . 8BCC MOV ECX,ESP
004015F5 . 896424 28 MOV DWORD PTR SS:[ESP+28],ESP
004015F9 . 68 BC704000 PUSH GXCAD_Fo.004070BC
004015FE . E8 ED240000 CALL <JMP.&MFC42.#537_CString::CString>
00401603 . C78424 C80100>MOV DWORD PTR SS:[ESP+1C8],-1
0040160E . E8 45230000 CALL <JMP.&mfcsysdll.Crypt_Text>
00401613 . 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
00401617 . 8D8C24 E80000>LEA ECX,DWORD PTR SS:[ESP+E8]
0040161E . 50 PUSH EAX
0040161F . 51 PUSH ECX
00401620 . E8 2D230000 CALL <JMP.&mfcsysdll.Get_Author>
00401625 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00401629 . E8 E0240000 CALL <JMP.&MFC42.#540_CString::CString>
0040162E . 57 PUSH EDI
0040162F . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00401633 . 899C24 BC0100>MOV DWORD PTR SS:[ESP+1BC],EBX
0040163A . E8 BD240000 CALL <JMP.&MFC42.#858_CString::operator=>
0040163F . 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] // then, single-stepping to here, the fake code appears
00401643 . 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20] // here the real code appears and is compared with the fake code
00401647 > 8A10 MOV DL,BYTE PTR DS:[EAX]
00401649 . 8ACA MOV CL,DL
0040164B . 3A16 CMP DL,BYTE PTR DS:[ESI]
0040164D . 75 1C JNZ SHORT GXCAD_Fo.0040166B
0040164F . 84C9 TEST CL,CL
00401651 . 74 14 JE SHORT GXCAD_Fo.00401667
00401653 . 8A50 01 MOV DL,BYTE PTR DS:[EAX+1]
00401656 . 8ACA MOV CL,DL
00401658 . 3A56 01 CMP DL,BYTE PTR DS:[ESI+1]
0040165B . 75 0E JNZ SHORT GXCAD_Fo.0040166B
0040165D . 83C0 02 ADD EAX,2
00401660 . 83C6 02 ADD ESI,2
00401663 . 84C9 TEST CL,CL
00401665 .^ 75 E0 JNZ SHORT GXCAD_Fo.00401647
00401667 > 33C0 XOR EAX,EAX
00401669 . EB 05 JMP SHORT GXCAD_Fo.00401670
0040166B > 1BC0 SBB EAX,EAX
0040166D . 83D8 FF SBB EAX,-1
00401670 > 85C0 TEST EAX,EAX
00401672 . 0F85 FB000000 JNZ GXCAD_Fo.00401773
00401678 . 8D8424 840000>LEA EAX,DWORD PTR SS:[ESP+84]
0040167F . 6A 4C PUSH 4C
00401681 . 50 PUSH EAX
00401682 . 51 PUSH ECX
00401683 . 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+1C]
00401687 . 8BCC MOV ECX,ESP
00401689 . 896424 24 MOV DWORD PTR SS:[ESP+24],ESP
0040168D . 52 PUSH EDX
0040168E . E8 57240000 CALL <JMP.&MFC42.#535_CString::CString>
00401693 . 51 PUSH ECX
00401694 . C68424 C80100>MOV BYTE PTR SS:[ESP+1C8],2
0040169C . 8BCC MOV ECX,ESP
0040169E . 896424 2C MOV DWORD PTR SS:[ESP+2C],ESP
004016A2 . 68 BC704000 PUSH GXCAD_Fo.004070BC
004016A7 . E8 44240000 CALL <JMP.&MFC42.#537_CString::CString>
004016AC . 889C24 C80100>MOV BYTE PTR SS:[ESP+1C8],BL
004016B3 . E8 A0220000 CALL <JMP.&mfcsysdll.Crypt_Text>
004016B8 . 8D8424 4C0100>LEA EAX,DWORD PTR SS:[ESP+14C]
004016BF . 6A 4C PUSH 4C
004016C1 . 50 PUSH EAX
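I can find where the registration code is stored, but the keygen I wrote cannot correctly intercept the real code. Experts, please advise.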