目标软件PEID测试为Borland Delphi 6.0 - 7.0
目的为了追出注册码
W32 载入后，很快找到注册错误提示“注册不成功”，该字符串被压栈的指令地址为 0069B4A3
在此下断后 F9 运行，一路跟下来既没有看见注册码对比的过程，也没有看见自己输入的假码，更没有看见真码
求达人赐教 通宵在线等 小的QQ 7723812
; ---------------------------------------------------------------------------
; sub_0069B2F0 -- string transform used by the registration logic
; Delphi register calling convention (eax, edx, ecx carry the arguments).
;   In:  eax = input string   (kept at [ebp-4], reference-counted)
;        edx = @output string (kept at [ebp-8])
;   Out: *output := transformed copy of input, accumulated in [ebp-C]
;   Locals: [ebp-10] = object created from the 36-entry table at 0069B434
;           [ebp-14],[ebp-18],[ebp-1C],[ebp-20] = temp strings, released in the finally block
;   Per input character (loop 0069B357..0069B3E2):
;     '1'                        -> appends the literal "0"          (0069B35A..0069B36E)
;     found in table at index i  -> appends what the object returns for position 35-i
;                                   (36 entries, so the arithmetic reads like a mirror lookup)
;     not found                  -> appends the character unchanged   (0069B3C6..0069B3DB)
;   NOTE(review): this routine only derives a string; it contains no comparison.
;   The compare against the user's serial must live in a caller not shown here.
;   NOTE(review): the mapping is fixed and input-independent (no secret, no
;   machine id visible), so the transform is trivially reversible once read out.
;   NOTE(review): the object created at 0069B323 is never freed in this routine
;   (no Free/Destroy call visible) -- looks like one leaked object per call.
;   RTL helper names (@LStrCat etc.) are inferred from call shape only -- confirm.
; ---------------------------------------------------------------------------
0069B2F0 /$ 55 push ebp ; original poster's note: guessed this was the core routine and set a breakpoint here
0069B2F1 |. 8BEC mov ebp, esp
0069B2F3 |. 33C9 xor ecx, ecx
0069B2F5 |. 51 push ecx ; 8 pushes of 0 = zero-initialised locals [ebp-20]..[ebp-4]
0069B2F6 |. 51 push ecx
0069B2F7 |. 51 push ecx
0069B2F8 |. 51 push ecx
0069B2F9 |. 51 push ecx
0069B2FA |. 51 push ecx
0069B2FB |. 51 push ecx
0069B2FC |. 51 push ecx
0069B2FD |. 53 push ebx ; callee-saved registers (restored at 0069B425..0069B427)
0069B2FE |. 56 push esi
0069B2FF |. 57 push edi
0069B300 |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = @output string
0069B303 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = input string
0069B306 |. 8B45 FC mov eax, dword ptr [ebp-4]
0069B309 |. E8 869FD6FF call 00405294 ; presumably @LStrAddRef on the input (released at 0069B418) -- confirm
0069B30E |. 33C0 xor eax, eax
0069B310 |. 55 push ebp ; try/finally frame: handler 0069B41E, linked into fs:[0]
0069B311 |. 68 1EB46900 push 0069B41E
0069B316 |. 64:FF30 push dword ptr fs:[eax]
0069B319 |. 64:8920 mov dword ptr fs:[eax], esp
0069B31C |. B2 01 mov dl, 1 ; dl=1 is the usual "allocate a new instance" flag for the class-create helper
0069B31E |. A1 9CF04100 mov eax, dword ptr [41F09C] ; class reference; which class it is is not visible here
0069B323 |. E8 788BD6FF call 00403EA0 ; object := Class.Create (looks like the RTL class-create helper -- confirm)
0069B328 |. 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = the new object (never freed below)
0069B32B |. BA 34B46900 mov edx, 0069B434 ; ASCII "A,Z,B,Y,C,0,9,1,8,2,X,D,W,E,V,N,U,G,T,H,S,I,R,J,Q,K,P,L,O,M,F,7,3,6,4,5" -- 36 comma-separated entries
0069B330 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0069B333 |. E8 6886D8FF call 004239A0 ; loads the table into the object (reads like a CommaText-style setter -- confirm)
0069B338 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0069B33B |. E8 A49AD6FF call 00404DE4 ; result string [ebp-C] := '' (likely @LStrClr)
0069B340 |. 8B45 FC mov eax, dword ptr [ebp-4]
0069B343 |. E8 5C9DD6FF call 004050A4 ; eax := length(input) (likely @LStrLen)
0069B348 |. 8BF0 mov esi, eax ; esi = characters remaining
0069B34A |. 85F6 test esi, esi
0069B34C 0F8E 96000000 jle 0069B3E8 ; empty input -> skip the loop, output stays ''
0069B352 |. BB 01000000 mov ebx, 1 ; ebx = 1-based character index
0069B357 |> 8B45 FC /mov eax, dword ptr [ebp-4] ; --- loop: one input character per iteration ---
0069B35A |. 807C18 FF 31 |cmp byte ptr [eax+ebx-1], 31 ; input[ebx] == '1' ?
0069B35F |. 75 0F |jnz short 0069B370
0069B361 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
0069B364 |. BA 84B46900 |mov edx, 0069B484 ; the literal "0" (data at 0069B484)
0069B369 |. E8 3E9DD6FF |call 004050AC ; result := result + "0" (likely @LStrCat)
0069B36E |. EB 70 |jmp short 0069B3E0 ; next character
0069B370 |> 8D45 EC |lea eax, dword ptr [ebp-14] ; not '1': build a 1-char string of input[ebx] in [ebp-14]
0069B373 |. 8B55 FC |mov edx, dword ptr [ebp-4]
0069B376 |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]
0069B37A |. E8 4D9CD6FF |call 00404FCC ; likely @LStrFromChar
0069B37F |. 8B55 EC |mov edx, dword ptr [ebp-14]
0069B382 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
0069B385 |. 8B08 |mov ecx, dword ptr [eax] ; ecx = object's vtable
0069B387 |. FF51 54 |call dword ptr [ecx+54] ; virtual slot +54h with the 1-char string; reads like IndexOf(s) -> eax = index, negative if absent
0069B38A |. 40 |inc eax ; -1 -> 0
0069B38B |. 7E 39 |jle short 0069B3C6 ; not found -> copy the character through unchanged
0069B38D |. 8D45 E4 |lea eax, dword ptr [ebp-1C] ; found: repeat the same lookup into [ebp-1C]
0069B390 |. 8B55 FC |mov edx, dword ptr [ebp-4]
0069B393 |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]
0069B397 |. E8 309CD6FF |call 00404FCC
0069B39C |. 8B55 E4 |mov edx, dword ptr [ebp-1C]
0069B39F |. 8B45 F0 |mov eax, dword ptr [ebp-10]
0069B3A2 |. 8B08 |mov ecx, dword ptr [eax]
0069B3A4 |. FF51 54 |call dword ptr [ecx+54] ; eax = index again
0069B3A7 |. BA 23000000 |mov edx, 23 ; 23h = 35 = last index of the 36-entry table
0069B3AC |. 2BD0 |sub edx, eax ; edx = 35 - index (mirror position)
0069B3AE |. 8D4D E8 |lea ecx, dword ptr [ebp-18] ; ecx = @temp string that receives the entry
0069B3B1 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
0069B3B4 |. 8B38 |mov edi, dword ptr [eax]
0069B3B6 |. FF57 0C |call dword ptr [edi+C] ; virtual slot +0Ch (index in edx, string result via ecx); reads like Get(35-index) -- confirm
0069B3B9 |. 8B55 E8 |mov edx, dword ptr [ebp-18]
0069B3BC |. 8D45 F4 |lea eax, dword ptr [ebp-C]
0069B3BF |. E8 E89CD6FF |call 004050AC ; result := result + mirrored entry
0069B3C4 |. EB 1A |jmp short 0069B3E0
0069B3C6 |> 8D45 E0 |lea eax, dword ptr [ebp-20] ; not in table: append input[ebx] as-is
0069B3C9 |. 8B55 FC |mov edx, dword ptr [ebp-4]
0069B3CC |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]
0069B3D0 |. E8 F79BD6FF |call 00404FCC
0069B3D5 |. 8B55 E0 |mov edx, dword ptr [ebp-20]
0069B3D8 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
0069B3DB |. E8 CC9CD6FF |call 004050AC
0069B3E0 |> 43 |inc ebx ; next character
0069B3E1 |. 4E |dec esi
0069B3E2 |.^ 0F85 6FFFFFFF \jnz 0069B357
0069B3E8 |> 8B45 F8 mov eax, dword ptr [ebp-8] ; @output
0069B3EB |. 8B55 F4 mov edx, dword ptr [ebp-C]
0069B3EE |. E8 459AD6FF call 00404E38 ; *output := result (likely @LStrAsg)
0069B3F3 |. 33C0 xor eax, eax ; unlink the try/finally frame from fs:[0]
0069B3F5 |. 5A pop edx
0069B3F6 |. 59 pop ecx
0069B3F7 |. 59 pop ecx
0069B3F8 |. 64:8910 mov dword ptr fs:[eax], edx
0069B3FB |. 68 25B46900 push 0069B425 ; continuation address consumed by the retn at 0069B41D
0069B400 |> 8D45 E0 lea eax, dword ptr [ebp-20] ; finally block (also re-entered from the handler via 0069B423)
0069B403 |. BA 04000000 mov edx, 4
0069B408 |. E8 FB99D6FF call 00404E08 ; release the 4 temp strings [ebp-20]..[ebp-14] (likely @LStrArrayClr)
0069B40D |. 8D45 F4 lea eax, dword ptr [ebp-C]
0069B410 |. E8 CF99D6FF call 00404DE4 ; release the result temp
0069B415 |. 8D45 FC lea eax, dword ptr [ebp-4]
0069B418 |. E8 C799D6FF call 00404DE4 ; release the input reference taken at 0069B309
0069B41D \. C3 retn ; "returns" to the address pushed at 0069B3FB (normal path: 0069B425)
0069B41E .^ E9 4192D6FF jmp 00404664 ; exception handler entry (likely @HandleFinally)
0069B423 .^ EB DB jmp short 0069B400 ; re-run the finally block after an exception
0069B425 . 5F pop edi ; normal epilogue: restore callee-saved registers
0069B426 . 5E pop esi
0069B427 . 5B pop ebx
0069B428 . 8BE5 mov esp, ebp
0069B42A . 5D pop ebp
0069B42B . C3 retn
; Delphi long-string constants: 8-byte header (refcount, length) followed by the
; NUL-terminated characters.  Code references point at the characters (0069B434, 0069B484).
0069B42C . FFFFFFFF dd FFFFFFFF ; refcount -1 = immutable literal
0069B430 . 47000000 dd 00000047 ; length 0x47 = 71 = 36 entries + 35 commas
0069B434 . 41 2C 5A 2C 4>ascii "A,Z,B,Y,C,0,9,1," ; substitution table for sub_0069B2F0; that routine pairs index i with 35-i
0069B444 . 38 2C 32 2C 5>ascii "8,2,X,D,W,E,V,N,"
0069B454 . 55 2C 47 2C 5>ascii "U,G,T,H,S,I,R,J,"
0069B464 . 51 2C 4B 2C 5>ascii "Q,K,P,L,O,M,F,7,"
0069B474 . 33 2C 36 2C 3>ascii "3,6,4,5",0
0069B47C . FFFFFFFF dd FFFFFFFF ; refcount -1 = immutable literal
0069B480 . 01000000 dd 00000001 ; length 1
0069B484 . 30 00 ascii "0",0 ; the "0" appended for every '1' in the input (0069B364)
0069B486 00 db 00 ; alignment padding
0069B487 00 db 00
; ---------------------------------------------------------------------------
; sub_0069B488 -- shows the "registration failed" message box.
;   In:  eax = Self (some VCL object; an owner window handle is obtained from it via 004917A8)
;   NOTE(review): nothing here computes or compares a serial -- by the time the
;   breakpoint at 0069B4A3 fires, the accept/reject decision has already been made.
;   Find the caller of this routine (cross-references) and the caller of
;   sub_0069B2F0; the actual comparison sits between those two calls, not in
;   either routine shown on this page.
; ---------------------------------------------------------------------------
0069B488 . 55 push ebp
0069B489 . 8BEC mov ebp, esp
0069B48B . 53 push ebx
0069B48C . 8BD8 mov ebx, eax ; ebx = Self
0069B48E . 33C0 xor eax, eax
0069B490 . 55 push ebp ; try/finally frame: handler 0069B4C3
0069B491 . 68 C3B46900 push 0069B4C3
0069B496 . 64:FF30 push dword ptr fs:[eax]
0069B499 . 64:8920 mov dword ptr fs:[eax], esp
0069B49C . 6A 00 push 0 ; uType = 0 (MB_OK)
0069B49E . 68 D0B46900 push 0069B4D0 ; ASCII "提示您:" -- lpCaption ("Notice:")
0069B4A3 . 68 E0B46900 push 0069B4E0 ; lpText "注册不成功" ("registration failed"); the original poster's breakpoint
0069B4A8 . 8BC3 mov eax, ebx
0069B4AA . E8 F962DFFF call 004917A8 ; eax := window handle for Self (presumably a Handle getter -- confirm)
0069B4AF . 50 push eax ; |hOwner
0069B4B0 . E8 33CFD6FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0069B4B5 . 33C0 xor eax, eax ; unlink the try/finally frame from fs:[0]
0069B4B7 . 5A pop edx
0069B4B8 . 59 pop ecx
0069B4B9 . 59 pop ecx
0069B4BA . 64:8910 mov dword ptr fs:[eax], edx
0069B4BD . 68 CAB46900 push 0069B4CA ; continuation address for the retn below
0069B4C2 > C3 retn ; retn used as a jump to 0069B4CA (the address just pushed); the finally block is empty
0069B4C3 .^ E9 9C91D6FF jmp 00404664 ; exception handler entry (likely @HandleFinally)
0069B4C8 .^ EB F8 jmp short 0069B4C2 ; re-enter the (empty) finally block after an exception
0069B4CA > 5B pop ebx ; epilogue
0069B4CB . 5D pop ebp
0069B4CC . C3 retn