Author: GoOdLeiSuRe
Date: 2004-10-14
My skills are poor and my writing plain, and mistakes are hard to avoid, so please correct me. Still, I hope for everyone's support.
The registration code is stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ap
apreg whether registered
cpuid machine code
sn registration code
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494243(C)
|
:00494263 8D55F8 lea edx, dword ptr [ebp-08]
:00494266 8B8308030000 mov eax, dword ptr [ebx+00000308]
:0049426C E81FB4FAFF call 0043F690
:00494271 8B45F8 mov eax, dword ptr [ebp-08] //the entered registration code
:00494274 50 push eax
:00494275 8D55F0 lea edx, dword ptr [ebp-10]
:00494278 8B8300030000 mov eax, dword ptr [ebx+00000300]
:0049427E E80DB4FAFF call 0043F690
:00494283 8B55F0 mov edx, dword ptr [ebp-10] //machine code
:00494286 8D4DF4 lea ecx, dword ptr [ebp-0C]
:00494289 8BC3 mov eax, ebx
:0049428B E8C4010000 call 00494454 //this CALL should be the one that computes the registration code
:00494290 8B55F4 mov edx, dword ptr [ebp-0C] //the real registration code
:00494293 58 pop eax
:00494294 E86B02F7FF call 00404504
:00494299 0F85C4000000 jne 00494363 //key jump, must not be taken; this is where the patch goes, it can simply be filled with 90 (NOP)
:0049429F B201 mov dl, 01
:004942A1 A1583D4300 mov eax, dword ptr [00433D58]
:004942A6 E8ADFBF9FF call 00433E58
:004942AB 8BF0 mov esi, eax
:004942AD BA02000080 mov edx, 80000002
:004942B2 8BC6 mov eax, esi
:004942B4 E83FFCF9FF call 00433EF8
:004942B9 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"SOFTWARE\Microsoft\ap"
|
:004942BB BAE8434900 mov edx, 004943E8
:004942C0 8BC6 mov eax, esi
:004942C2 E871FDF9FF call 00434038
:004942C7 B901000000 mov ecx, 00000001
* Possible StringData Ref from Code Obj ->"apreg"
|
:004942CC BA08444900 mov edx, 00494408
:004942D1 8BC6 mov eax, esi
:004942D3 E800FFF9FF call 004341D8
:004942D8 8D55EC lea edx, dword ptr [ebp-14]
:004942DB 8B8308030000 mov eax, dword ptr [ebx+00000308]
:004942E1 E8AAB3FAFF call 0043F690
//One could also patch here and write the correct registration code straight into the registry.
:004942E6 8B4DEC mov ecx, dword ptr [ebp-14]
:004942E9 BA18444900 mov edx, 00494418
:004942EE 8BC6 mov eax, esi
:004942F0 E8B7FEF9FF call 004341AC
:004942F5 8D55E8 lea edx, dword ptr [ebp-18]
:004942F8 8B8300030000 mov eax, dword ptr [ebx+00000300]
:004942FE E88DB3FAFF call 0043F690
:00494303 8B4DE8 mov ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"cpuid"
|
:00494306 BA24444900 mov edx, 00494424
:0049430B 8BC6 mov eax, esi
:0049430D E89AFEF9FF call 004341AC
:00494312 8BC6 mov eax, esi
:00494314 E8AFFBF9FF call 00433EC8
:00494319 8BC6 mov eax, esi
:0049431B E8B0EFF6FF call 004032D0
:00494320 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"谢谢"
|
:00494322 B92C444900 mov ecx, 0049442C
* Possible StringData Ref from Code Obj ->"感谢您的注册,谢谢!"
|
:00494327 BA34444900 mov edx, 00494434
:0049432C A1B88A4900 mov eax, dword ptr [00498AB8]
:00494331 8B00 mov eax, dword ptr [eax]
:00494333 E84CB2FCFF call 0045F584
:00494338 A1FC8B4900 mov eax, dword ptr [00498BFC]
:0049433D 8B00 mov eax, dword ptr [eax]
:0049433F 8B8038030000 mov eax, dword ptr [eax+00000338]
:00494345 33D2 xor edx, edx
:00494347 E8E0D4FBFF call 0045182C
:0049434C A1FC8B4900 mov eax, dword ptr [00498BFC]
:00494351 8B00 mov eax, dword ptr [eax]
:00494353 C6807403000001 mov byte ptr [eax+00000374], 01
:0049435A 8BC3 mov eax, ebx
:0049435C E8FB79FCFF call 0045BD5C
:00494361 EB19 jmp 0049437C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494299(C)
|
:00494363 6A30 push 00000030
* Possible StringData Ref from Code Obj ->"提示"
|
:00494365 68BC434900 push 004943BC
* Possible StringData Ref from Code Obj ->"注册码错误!"
|
:0049436A 6848444900 push 00494448 //here the program can be made to display the correct registration code
//to display the correct registration code, change this to:
//mov eax, [ebp-0c]
//push eax
//nop
//offset in the program file: 9376A
//bytes: 8B45F45090
:0049436F 8BC3 mov eax, ebx
:00494371 E82E1CFBFF call 00445FA4
:00494376 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:00494377 E8E02BF7FF Call 00406F5C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049425E(U), :00494361(U)
|
:0049437C 33C0 xor eax, eax
:0049437E 5A pop edx
:0049437F 59 pop ecx
:00494380 59 pop ecx
:00494381 648910 mov dword ptr fs:[eax], edx
:00494384 68B3434900 push 004943B3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004943B1(U)
|
:00494389 8D45E8 lea eax, dword ptr [ebp-18]
:0049438C BA03000000 mov edx, 00000003
:00494391 E876FDF6FF call 0040410C
:00494396 8D45F4 lea eax, dword ptr [ebp-0C]
:00494399 E84AFDF6FF call 004040E8
:0049439E 8D45F8 lea eax, dword ptr [ebp-08]
:004943A1 BA02000000 mov edx, 00000002
:004943A6 E861FDF6FF call 0040410C
:004943AB C3 ret
//this CALL should be the one that computes the registration code
* Referenced by a CALL at Address:
|:0049428B
|
:00494454 55 push ebp
:00494455 8BEC mov ebp, esp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004943F9(C)
|
:00494457 51 push ecx
:00494458 B906000000 mov ecx, 00000006
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494462(C)
|
:0049445D 6A00 push 00000000
:0049445F 6A00 push 00000000
:00494461 49 dec ecx
:00494462 75F9 jne 0049445D
:00494464 51 push ecx
:00494465 874DFC xchg dword ptr [ebp-04], ecx
:00494468 53 push ebx
:00494469 56 push esi
:0049446A 57 push edi
:0049446B 8BF9 mov edi, ecx
:0049446D 8955FC mov dword ptr [ebp-04], edx //machine code
:00494470 8B45FC mov eax, dword ptr [ebp-04]
:00494473 E83001F7FF call 004045A8
:00494478 33C0 xor eax, eax
:0049447A 55 push ebp
:0049447B 681F464900 push 0049461F
:00494480 64FF30 push dword ptr fs:[eax]
:00494483 648920 mov dword ptr fs:[eax], esp
:00494486 8D45F8 lea eax, dword ptr [ebp-08]
:00494489 8B55FC mov edx, dword ptr [ebp-04]
:0049448C E8EFFCF6FF call 00404180
:00494491 8D45F4 lea eax, dword ptr [ebp-0C]
:00494494 E84FFCF6FF call 004040E8
:00494499 8B45F8 mov eax, dword ptr [ebp-08]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494425(C)
|
:0049449C E817FFF6FF call 004043B8
:004944A1 8BF0 mov esi, eax
:004944A3 85F6 test esi, esi
:004944A5 0F8E4F010000 jle 004945FA
:004944AB BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004945F4(C)
|
:004944B0 8D45EC lea eax, dword ptr [ebp-14]
:004944B3 8B55F8 mov edx, dword ptr [ebp-08]
:004944B6 8A541AFF mov dl, byte ptr [edx+ebx-01]
:004944BA E811FEF6FF call 004042D0
:004944BF 8B45EC mov eax, dword ptr [ebp-14]
:004944C2 8D55F0 lea edx, dword ptr [ebp-10]
:004944C5 E8963FF7FF call 00408460
:004944CA 8B45F0 mov eax, dword ptr [ebp-10]
:004944CD BA38464900 mov edx, 00494638
:004944D2 E82D00F7FF call 00404504
:004944D7 7512 jne 004944EB
:004944D9 8D45F4 lea eax, dword ptr [ebp-0C]
:004944DC BA44464900 mov edx, 00494644
:004944E1 E8DAFEF6FF call 004043C0
:004944E6 E907010000 jmp 004945F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004944D7(C)
|
:004944EB 8D45E4 lea eax, dword ptr [ebp-1C]
:004944EE 8B55F8 mov edx, dword ptr [ebp-08]
:004944F1 8A541AFF mov dl, byte ptr [edx+ebx-01]
:004944F5 E8D6FDF6FF call 004042D0
:004944FA 8B45E4 mov eax, dword ptr [ebp-1C]
:004944FD 8D55E8 lea edx, dword ptr [ebp-18]
:00494500 E85B3FF7FF call 00408460
:00494505 8B45E8 mov eax, dword ptr [ebp-18]
:00494508 BA50464900 mov edx, 00494650
:0049450D E8F2FFF6FF call 00404504
:00494512 7512 jne 00494526
:00494514 8D45F4 lea eax, dword ptr [ebp-0C]
:00494517 BA5C464900 mov edx, 0049465C
:0049451C E89FFEF6FF call 004043C0
:00494521 E9CC000000 jmp 004945F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494512(C)
|
:00494526 8D45DC lea eax, dword ptr [ebp-24]
:00494529 8B55F8 mov edx, dword ptr [ebp-08]
:0049452C 8A541AFF mov dl, byte ptr [edx+ebx-01]
:00494530 E89BFDF6FF call 004042D0
:00494535 8B45DC mov eax, dword ptr [ebp-24]
:00494538 8D55E0 lea edx, dword ptr [ebp-20]
:0049453B E8203FF7FF call 00408460
:00494540 8B45E0 mov eax, dword ptr [ebp-20]
:00494543 BA68464900 mov edx, 00494668
:00494548 E8B7FFF6FF call 00404504
:0049454D 7512 jne 00494561
:0049454F 8D45F4 lea eax, dword ptr [ebp-0C]
:00494552 BA74464900 mov edx, 00494674
:00494557 E864FEF6FF call 004043C0
:0049455C E991000000 jmp 004945F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049454D(C)
|
:00494561 8D45D4 lea eax, dword ptr [ebp-2C]
:00494564 8B55F8 mov edx, dword ptr [ebp-08]
:00494567 8A541AFF mov dl, byte ptr [edx+ebx-01]
:0049456B E860FDF6FF call 004042D0
:00494570 8B45D4 mov eax, dword ptr [ebp-2C]
:00494573 8D55D8 lea edx, dword ptr [ebp-28]
:00494576 E8E53EF7FF call 00408460
:0049457B 8B45D8 mov eax, dword ptr [ebp-28]
:0049457E BA80464900 mov edx, 00494680
:00494583 E87CFFF6FF call 00404504
:00494588 750F jne 00494599
:0049458A 8D45F4 lea eax, dword ptr [ebp-0C]
:0049458D BA8C464900 mov edx, 0049468C
:00494592 E829FEF6FF call 004043C0
:00494597 EB59 jmp 004945F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494588(C)
|
:00494599 8D45CC lea eax, dword ptr [ebp-34]
:0049459C 8B55F8 mov edx, dword ptr [ebp-08]
:0049459F 8A541AFF mov dl, byte ptr [edx+ebx-01]
:004945A3 E828FDF6FF call 004042D0
:004945A8 8B45CC mov eax, dword ptr [ebp-34]
:004945AB 8D55D0 lea edx, dword ptr [ebp-30]
:004945AE E8AD3EF7FF call 00408460
:004945B3 8B45D0 mov eax, dword ptr [ebp-30]
:004945B6 BA98464900 mov edx, 00494698
:004945BB E844FFF6FF call 00404504
:004945C0 750F jne 004945D1
:004945C2 8D45F4 lea eax, dword ptr [ebp-0C]
:004945C5 BAA4464900 mov edx, 004946A4
:004945CA E8F1FDF6FF call 004043C0
:004945CF EB21 jmp 004945F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004945C0(C)
|
:004945D1 8D45C8 lea eax, dword ptr [ebp-38]
:004945D4 8B55F8 mov edx, dword ptr [ebp-08]
:004945D7 0FB6541AFF movzx edx, byte ptr [edx+ebx-01]
:004945DC 83C221 add edx, 00000021 //EDX=EDX+21
:004945DF 83E27F and edx, 0000007F //EDX=EDX AND 7F
:004945E2 E8E9FCF6FF call 004042D0
:004945E7 8B55C8 mov edx, dword ptr [ebp-38]
:004945EA 8D45F4 lea eax, dword ptr [ebp-0C]
:004945ED E8CEFDF6FF call 004043C0
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004944E6(U), :00494521(U), :0049455C(U), :00494597(U), :004945CF(U)
|
:004945F2 43 inc ebx
:004945F3 4E dec esi
:004945F4 0F85B6FEFFFF jne 004944B0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004944A5(C)
|
:004945FA 8BC7 mov eax, edi
:004945FC 8B55F4 mov edx, dword ptr [ebp-0C]
:004945FF E838FBF6FF call 0040413C
:00494604 33C0 xor eax, eax
:00494606 5A pop edx
:00494607 59 pop ecx
:00494608 59 pop ecx
:00494609 648910 mov dword ptr fs:[eax], edx
:0049460C 6826464900 push 00494626
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494624(U)
|
:00494611 8D45C8 lea eax, dword ptr [ebp-38]
:00494614 BA0E000000 mov edx, 0000000E
:00494619 E8EEFAF6FF call 0040410C
:0049461E C3 ret
//Decoding:
Mapping:
2 L
4 O
6 V
8 E
0 U
Others: add 33 to the ASCII value and AND it with 127; the character whose ASCII code is the result.
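The mapping above, reconstructed in Python as an added example (my code, not the author's): it mirrors the per-character loop at 004944B0-004945F4 and the LStrCmp check at 00494294, and also flags the edge case the AND-with-127 step creates, namely that input bytes from 0x5F ('_') to 0x7E ('~') map to control characters. The machine codes used are constructed samples; the cpuid string is assumed to be plain ASCII.

```python
# Added reconstruction of the serial derivation performed by the CALL at 00494454.
# Not the program's own source; written from the disassembly and the key table.

# Digit -> letter table checked by the five LStrCmp / LStrCat branches
# (string constants at 00494638, 00494650, 00494668, 00494680, 00494698).
DIGIT_MAP = {"2": "L", "4": "O", "6": "V", "8": "E", "0": "U"}


def derive_serial(machine_code: str) -> str:
    """Return the serial the program expects for a given machine code.

    Each character is compared (after UpperCase) against "2","4","6","8","0";
    on a match the mapped letter is appended, otherwise the raw byte goes
    through  add edx, 21 / and edx, 7F  (004945DC / 004945DF) and that byte
    is appended.  The serial is an unkeyed function of a value the program
    itself displays, which is why anyone holding the binary can recompute it.
    """
    data = machine_code.encode("ascii")  # cpuid string assumed ASCII (constructed)
    out = []
    for b in data:
        ch = chr(b).upper()              # mirrors the UpperCase before LStrCmp
        if ch in DIGIT_MAP:
            out.append(DIGIT_MAP[ch])
        else:
            out.append(chr((b + 0x21) & 0x7F))
    return "".join(out)


def registration_ok(machine_code: str, entered_sn: str) -> bool:
    """The check at 00494294/00494299: LStrCmp of the entered code against
    the derived one; jne leads to the "wrong registration code" box."""
    return derive_serial(machine_code) == entered_sn


def control_char_positions(machine_code: str) -> list:
    """Indices whose derived byte is a control character (< 0x20).

    (b + 0x21) & 0x7F wraps for b in 0x5F..0x7E, so a machine code containing
    lowercase letters yields a serial that cannot be typed into an edit box.
    """
    serial = derive_serial(machine_code)
    return [i for i, c in enumerate(serial) if ord(c) < 0x20]


if __name__ == "__main__":
    sample = "A1B2C3D4"                     # constructed machine code
    sn = derive_serial(sample)
    print(sample, "->", sn)                 # A1B2C3D4 -> bRcLdTeO
    print("accepted:", registration_ok(sample, sn))
    print("untypeable positions for 'abc':", control_char_positions("abc"))
```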
When I had some time I looked into why the software shows only three characters of the password; it turns out to be very simple.
00494A98 55 push ebp
00494A99 8BEC mov ebp, esp
00494A9B B908000000 mov ecx, $00000008
00494AA0 6A00 push $00
00494AA2 6A00 push $00
00494AA4 49 dec ecx
00494AA5 75F9 jnz 00494AA0
00494AA7 53 push ebx
00494AA8 56 push esi
00494AA9 57 push edi
00494AAA 8BFA mov edi, edx
00494AAC 8BD8 mov ebx, eax
00494AAE 33C0 xor eax, eax
00494AB0 55 push ebp
* Possible String Reference to: '榍祧??^[?]?
|
00494AB1 68C04D4900 push $00494DC0
***** TRY
|
00494AB6 64FF30 push dword ptr fs:[eax]
00494AB9 648920 mov fs:[eax], esp
* Reference to control TForm1.OpenDialog1 : TOpenDialog
|
00494ABC 8B83F8020000 mov eax, [ebx+$02F8]
00494AC2 8B10 mov edx, [eax]
* Reference to method TOpenDialog.Execute()
|
00494AC4 FF523C call dword ptr [edx+$3C]
00494AC7 3C01 cmp al, $01
00494AC9 0F851F010000 jnz 00494BEE
00494ACF 8D55F8 lea edx, [ebp-$08]
* Reference to control TForm1.OpenDialog1 : TOpenDialog
|
00494AD2 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Dialogs.TOpenDialog.GetFileName(TOpenDialog):TFileName;
|
00494AD8 E8DBACF9FF call 0042F7B8
00494ADD 8B55F8 mov edx, [ebp-$08]
* Reference to control TForm1.Edit1 : TEdit
|
00494AE0 8B8324030000 mov eax, [ebx+$0324]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494AE6 E8D5ABFAFF call 0043F6C0
00494AEB 8D55EC lea edx, [ebp-$14]
* Reference to control TForm1.Edit1 : TEdit
|
00494AEE 8B8324030000 mov eax, [ebx+$0324]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00494AF4 E897ABFAFF call 0043F690
00494AF9 8B45EC mov eax, [ebp-$14]
00494AFC 8D55F0 lea edx, [ebp-$10]
* Reference to: SysUtils.ExtractFileExt(AnsiString):AnsiString;
|
00494AFF E8D042F7FF call 00408DD4
00494B04 8B45F0 mov eax, [ebp-$10]
00494B07 8D55F4 lea edx, [ebp-$0C]
* Reference to: SysUtils.UpperCase(AnsiString):AnsiString;
|
00494B0A E85139F7FF call 00408460
00494B0F 8B45F4 mov eax, [ebp-$0C]
* Possible String Reference to: '.MDB'
|
00494B12 BAD84D4900 mov edx, $00494DD8
* Reference to: System.@LStrCmp;
|
00494B17 E8E8F9F6FF call 00404504
00494B1C 743E jz 00494B5C
00494B1E 6A30 push $30
* Possible String Reference to: '提示'
|
00494B20 68E04D4900 push $00494DE0
* Possible String Reference to: '这个程序只处理ACCESS数据库文件请确?
| 夏愦蚩?奈募?'
|
00494B25 68E84D4900 push $00494DE8
00494B2A 8BC3 mov eax, ebx
* Reference to: QForms.TCustomForm.GetClientHandle(TCustomForm):QWorkspaceH;
|
00494B2C E87314FBFF call 00445FA4
00494B31 50 push eax
* Reference to: user32.MessageBoxA()
|
00494B32 E82524F7FF call 00406F5C
* Possible String Reference to: '欢迎使用'
|
00494B37 BA244E4900 mov edx, $00494E24
* Reference to control TForm1.Edit1 : TEdit
|
00494B3C 8B8324030000 mov eax, [ebx+$0324]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494B42 E879ABFAFF call 0043F6C0
* Possible String Reference to: '########'
|
00494B47 BA384E4900 mov edx, $00494E38
* Reference to control TForm1.Edit2 : TEdit
|
00494B4C 8B8328030000 mov eax, [ebx+$0328]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494B52 E869ABFAFF call 0043F6C0
00494B57 E9FD010000 jmp 00494D59
* Possible String Reference to: '########'
|
00494B5C BA384E4900 mov edx, $00494E38
* Reference to control TForm1.Edit2 : TEdit
|
00494B61 8B8328030000 mov eax, [ebx+$0328]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494B67 E854ABFAFF call 0043F6C0
00494B6C 6A00 push $00
00494B6E 8D55E8 lea edx, [ebp-$18]
* Reference to control TForm1.Edit1 : TEdit
|
00494B71 8B8324030000 mov eax, [ebx+$0324]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00494B77 E814ABFAFF call 0043F690
00494B7C 8B4DE8 mov ecx, [ebp-$18]
00494B7F B201 mov dl, $01
* Reference to class TFileStream
|
00494B81 A104AD4100 mov eax, dword ptr [$0041AD04]
* Reference to: Classes.TFileStream.Create(TFileStream;boolean;AnsiString;Word);overload;
|
00494B86 E8C1A7F8FF call 0041F34C
00494B8B 8BF0 mov esi, eax
00494B8D 6A00 push $00
00494B8F 6A14 push $14
00494B91 8BC6 mov eax, esi
|
00494B93 E820A3F8FF call 0041EEB8
00494B98 8D55FF lea edx, [ebp-$01]
00494B9B B901000000 mov ecx, $00000001
00494BA0 8BC6 mov eax, esi
* Reference to: Classes.TStream.ReadBuffer(TStream;void;void;Longint);
|
00494BA2 E81DA5F8FF call 0041F0C4
00494BA7 807DFF01 cmp byte ptr [ebp-$01], $01
00494BAB 751A jnz 00494BC7
* Reference to field TForm1.OFFS_0360
|
00494BAD C78360030000D0070000 mov dword ptr [ebx+$0360], $000007D0
* Possible String Reference to: 'ACCESS2000'
|
00494BB7 BA4C4E4900 mov edx, $00494E4C
* Reference to control TForm1.Label3 : TLabel
|
00494BBC 8B835C030000 mov eax, [ebx+$035C]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494BC2 E8F9AAFAFF call 0043F6C0
00494BC7 807DFF00 cmp byte ptr [ebp-$01], $00
00494BCB 751A jnz 00494BE7
* Reference to field TForm1.OFFS_0360
|
00494BCD C7836003000061000000 mov dword ptr [ebx+$0360], $00000061
* Possible String Reference to: 'ACCESS97'
|
00494BD7 BA604E4900 mov edx, $00494E60
* Reference to control TForm1.Label3 : TLabel
|
00494BDC 8B835C030000 mov eax, [ebx+$035C]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494BE2 E8D9AAFAFF call 0043F6C0
00494BE7 8BC6 mov eax, esi
* Reference to: System.TObject.Free(TObject);
|
00494BE9 E8E2E6F6FF call 004032D0
* Reference to Form1
|
00494BEE A1409C4900 mov eax, dword ptr [$00499C40]
* Reference to: Controls.TControl.Refresh(TControl);
| or: QControls.TGraphicControl.PaintRequest(TGraphicControl);
| or: WebAdapt.TBaseAdapterAction.HasExecuteAccess(TBaseAdapterAction):System.Boolean;
|
00494BF3 E8D4AFFAFF call 0043FBCC
* Reference to field TForm1.OFFS_0360
|
00494BF8 83BB6003000061 cmp dword ptr [ebx+$0360], +$61
00494BFF 0F85A3000000 jnz 00494CA8
* Reference to field TForm1.OFFS_0374 : Byte
|
00494C05 80BB7403000000 cmp byte ptr [ebx+$0374], $00
00494C0C 744E jz 00494C5C
00494C0E 8D45E4 lea eax, [ebp-$1C]
00494C11 50 push eax
00494C12 8D55DC lea edx, [ebp-$24]
* Reference to control TForm1.Edit1 : TEdit
|
00494C15 8B8324030000 mov eax, [ebx+$0324]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00494C1B E870AAFAFF call 0043F690
00494C20 8B55DC mov edx, [ebp-$24] { database file }
00494C23 8D4DE0 lea ecx, [ebp-$20]
00494C26 8BC3 mov eax, ebx
|
00494C28 E8570A0000 call 00495684
00494C2D 8B45E0 mov eax, [ebp-$20] { database password }
00494C30 B904000000 mov ecx, $00000004 { this limits the displayed password length }
00494C35 BA01000000 mov edx, $00000001
* Reference to: System.@LStrCopy;
|
00494C3A E8D9F9F6FF call 00404618
00494C3F 8D45E4 lea eax, [ebp-$1C]
* Possible String Reference to: '***[请用正式版]'
|
00494C42 BA744E4900 mov edx, $00494E74
* Reference to: System.@LStrCat;
|
00494C47 E874F7F6FF call 004043C0
00494C4C 8B55E4 mov edx, [ebp-$1C] { change here: the full password is in [ebp-$20], so change E4 to E0 }
* Reference to control TForm1.Edit2 : TEdit
|
00494C4F 8B8328030000 mov eax, [ebx+$0328]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494C55 E866AAFAFF call 0043F6C0
00494C5A EB4C jmp 00494CA8
00494C5C 8D45D8 lea eax, [ebp-$28]
00494C5F 50 push eax
00494C60 8D55D0 lea edx, [ebp-$30]
* Reference to control TForm1.Edit1 : TEdit
|
00494C63 8B8324030000 mov eax, [ebx+$0324]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00494C69 E822AAFAFF call 0043F690
00494C6E 8B55D0 mov edx, [ebp-$30] { database file }
00494C71 8D4DD4 lea ecx, [ebp-$2C]
00494C74 8BC3 mov eax, ebx
|
00494C76 E8090A0000 call 00495684
00494C7B 8B45D4 mov eax, [ebp-$2C] { database password }
00494C7E B904000000 mov ecx, $00000004 { this limits the displayed password length }
00494C83 BA01000000 mov edx, $00000001
* Reference to: System.@LStrCopy;
|
00494C88 E88BF9F6FF call 00404618
00494C8D 8D45D8 lea eax, [ebp-$28]
* Possible String Reference to: '######'
|
00494C90 BA8C4E4900 mov edx, $00494E8C
* Reference to: System.@LStrCat;
|
00494C95 E826F7F6FF call 004043C0
00494C9A 8B55D8 mov edx, [ebp-$28] { change here: the full password is in [ebp-$2C], so change D8 to D4 }
* Reference to control TForm1.Edit2 : TEdit
|
00494C9D 8B8328030000 mov eax, [ebx+$0328]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494CA3 E818AAFAFF call 0043F6C0
* Reference to field TForm1.OFFS_0360
|
00494CA8 81BB60030000D0070000 cmp dword ptr [ebx+$0360], $000007D0
00494CB2 0F85A1000000 jnz 00494D59
* Reference to field TForm1.OFFS_0364
|
00494CB8 C7836403000040060000 mov dword ptr [ebx+$0364], $00000640
* Reference to field TForm1.OFFS_0368
|
00494CC2 C78368030000FFFFFFFF mov dword ptr [ebx+$0368], $FFFFFFFF
00494CCC 33C0 xor eax, eax
* Reference to field TForm1.OFFS_036C
|
00494CCE 89836C030000 mov [ebx+$036C], eax
* Reference to field TForm1.OFFS_0374 : Byte
|
00494CD4 80BB7403000001 cmp byte ptr [ebx+$0374], $01
00494CDB 753F jnz 00494D1C
00494CDD 8D45CC lea eax, [ebp-$34]
00494CE0 50 push eax
00494CE1 8D4DC8 lea ecx, [ebp-$38]
00494CE4 8BD7 mov edx, edi
00494CE6 8BC3 mov eax, ebx
|
00494CE8 E843020000 call 00494F30
00494CED 8B45C8 mov eax, [ebp-$38] { database password }
00494CF0 B904000000 mov ecx, $00000004 { this limits the displayed password length }
00494CF5 BA01000000 mov edx, $00000001
* Reference to: System.@LStrCopy;
|
00494CFA E819F9F6FF call 00404618
00494CFF 8D45CC lea eax, [ebp-$34]
* Possible String Reference to: '***[请用正式版]'
|
00494D02 BA744E4900 mov edx, $00494E74
* Reference to: System.@LStrCat;
|
00494D07 E8B4F6F6FF call 004043C0
00494D0C 8B55CC mov edx, [ebp-$34] { change here: the full password is in [ebp-$38], so change CC to C8 }
* Reference to control TForm1.Edit2 : TEdit
|
00494D0F 8B8328030000 mov eax, [ebx+$0328]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494D15 E8A6A9FAFF call 0043F6C0
00494D1A EB3D jmp 00494D59
00494D1C 8D45C4 lea eax, [ebp-$3C]
00494D1F 50 push eax
00494D20 8D4DC0 lea ecx, [ebp-$40]
00494D23 8BD7 mov edx, edi
00494D25 8BC3 mov eax, ebx
|
00494D27 E804020000 call 00494F30
00494D2C 8B45C0 mov eax, [ebp-$40]
00494D2F B904000000 mov ecx, $00000004
00494D34 BA01000000 mov edx, $00000001
* Reference to: System.@LStrCopy;
|
00494D39 E8DAF8F6FF call 00404618
00494D3E 8D45C4 lea eax, [ebp-$3C]
* Possible String Reference to: '######'
|
00494D41 BA8C4E4900 mov edx, $00494E8C
* Reference to: System.@LStrCat;
|
00494D46 E875F6F6FF call 004043C0
00494D4B 8B55C4 mov edx, [ebp-$3C]
* Reference to control TForm1.Edit2 : TEdit
|
00494D4E 8B8328030000 mov eax, [ebx+$0328]
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
00494D54 E867A9FAFF call 0043F6C0
00494D59 33C0 xor eax, eax
00494D5B 5A pop edx
00494D5C 59 pop ecx
00494D5D 59 pop ecx
00494D5E 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '_^[?]?
|
00494D61 68C74D4900 push $00494DC7
00494D66 8D45C0 lea eax, [ebp-$40]
00494D69 BA04000000 mov edx, $00000004
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00494D6E E899F3F6FF call 0040410C
00494D73 8D45D0 lea eax, [ebp-$30]
* Reference to: System.@LStrClr(void;void);
|
00494D76 E86DF3F6FF call 004040E8
00494D7B 8D45D4 lea eax, [ebp-$2C]
00494D7E BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00494D83 E884F3F6FF call 0040410C
00494D88 8D45DC lea eax, [ebp-$24]
* Reference to: System.@LStrClr(void;void);
|
00494D8B E858F3F6FF call 004040E8
00494D90 8D45E0 lea eax, [ebp-$20]
00494D93 BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00494D98 E86FF3F6FF call 0040410C
00494D9D 8D45E8 lea eax, [ebp-$18]
00494DA0 BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00494DA5 E862F3F6FF call 0040410C
00494DAA 8D45F0 lea eax, [ebp-$10]
00494DAD BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00494DB2 E855F3F6FF call 0040410C
00494DB7 8D45F8 lea eax, [ebp-$08]
* Reference to: System.@LStrClr(void;void);
|
00494DBA E829F3F6FF call 004040E8
00494DBF C3 ret
* Reference to: System.@HandleFinally;
|
00494DC0 E947ECF6FF jmp 00403A0C
00494DC5 EB9F jmp 00494D66
****** END
|
00494DC7 5F pop edi
00494DC8 5E pop esi
00494DC9 5B pop ebx
00494DCA 8BE5 mov esp, ebp
00494DCC 5D pop ebp
00494DCD C3 ret
Summary:
Only three places need changing, and it seems registration is not needed at all.
9404C 8B55E4 -> 8B55E0
9409A 8B55D8 -> 8B55D4
9410C 8B55CC -> 8B55C8