Cracking notes: the key file

Posted: 2004-10-29 22:03
1. Packer check: nothing found. The program is written in Borland Delphi 6.0 - 7.0.
2. Unless stated otherwise, "serial" means the one I typed in, heh. Reproduction without my permission is prohibited.
by ngaut(nick3, nguat)
My open question: I did not find the registration algorithm, so I'd appreciate pointers from the experts.
I played with this before, but not carefully; now I'm trying again.
3. A NAG appears when the program starts. Click registration, enter abcde as the user name and 34567890 as the serial.
Registering shows: "Thanks for your registration, reopen this program to validate your serial!"
Find that string in OllyDbg, look upwards and set a breakpoint at 004C1EAE. The analysis follows:
004C1EAE |. E8 7147F8FF CALL flashsav.00446624 ; get the user name length
004C1EB3 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; take the serial from ss:[ebp-10] into edx
004C1EB6 |. A1 109A4D00 MOV EAX,DWORD PTR DS:[4D9A10]
004C1EBB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C1EBD |. 8B80 B0040000 MOV EAX,DWORD PTR DS:[EAX+4B0]
004C1EC3 |. E8 449BFFFF CALL flashsav.004BBA0C
004C1EC8 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004C1ECB |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C1ECE |. 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004C1ED4 |. E8 4B47F8FF CALL flashsav.00446624 ; get the serial length
004C1ED9 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 ; no serial entered? show "Invalid Serial Number! Please recheck it or contact us for help."
004C1EDD |. 75 1C JNZ SHORT flashsav.004C1EFB
004C1EDF |. 6A 00 PUSH 0
004C1EE1 |. 68 641F4C00 PUSH flashsav.004C1F64 ; ASCII "Registration Error"
004C1EE6 |. 68 781F4C00 PUSH flashsav.004C1F78 ; ASCII "Invalid Serial Number! Please recheck it or contact us for help."
004C1EEB |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C1EEE |. E8 31B0F8FF CALL flashsav.0044CF24
004C1EF3 |. 50 PUSH EAX ; |hOwner
004C1EF4 |. E8 2358F4FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004C1EF9 |. EB 3D JMP SHORT flashsav.004C1F38
004C1EFB |> A1 109A4D00 MOV EAX,DWORD PTR DS:[4D9A10]
004C1F00 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C1F02 |. 8B80 B0040000 MOV EAX,DWORD PTR DS:[EAX+4B0]
004C1F08 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; put the serial into edx
004C1F0B |. E8 6496FFFF CALL flashsav.004BB574 ; key call, step into it
004C1F10 |. 84C0 TEST AL,AL
004C1F12 |. 6A 00 PUSH 0
004C1F14 |. 68 BC1F4C00 PUSH flashsav.004C1FBC ; ASCII "Flash ScreenSaver Master"
004C1F19 |. 68 D81F4C00 PUSH flashsav.004C1FD8 ; ASCII "Thanks for your registration, reopen this program to validate your serial!"
004C1F1E |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C1F21 |. E8 FEAFF8FF CALL flashsav.0044CF24
004C1F26 |. 50 PUSH EAX ; |hOwner
004C1F27 |. E8 F057F4FF CALL <JMP.&user32.MessageBoxA> ; \shows "Thanks for your registration, reopen this program to validate your serial!"
Trace with F8 to 004C1F0B and step into the call at 004C1F0B:
004BB583 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004BB586 |. 8BD8 MOV EBX,EAX
004BB588 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; serial into eax
004BB58B |. E8 B896F4FF CALL flashsav.00404C48 ; step in
004BB590 |. 33C0 XOR EAX,EAX
004BB592 |. 55 PUSH EBP
004BB593 |. 68 D8B64B00 PUSH flashsav.004BB6D8
004BB598 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004BB59B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BB59E |. B2 01 MOV DL,1
004BB5A0 |. A1 90324100 MOV EAX,DWORD PTR DS:[413290]
004BB5A5 |. E8 DE83F4FF CALL flashsav.00403988
004BB5AA |. 8BF8 MOV EDI,EAX
004BB5AC |. 8BC7 MOV EAX,EDI
004BB5AE |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004BB5B0 |. FF52 44 CALL DWORD PTR DS:[EDX+44]
004BB5B3 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004BB5B6 |. 8B4B 34 MOV ECX,DWORD PTR DS:[EBX+34]
004BB5B9 |. BA F4B64B00 MOV EDX,flashsav.004BB6F4 ; ASCII "i love "
Heh, we'll find out what this is for in a moment.
004BB5BE |. E8 E994F4FF CALL flashsav.00404AAC ; this is the content of the key file, ASCII "i love Flash Saver V4.5"
004BB5C3 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004BB5C6 |. 8BC7 MOV EAX,EDI
004BB5C8 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004BB5CA |. FF51 38 CALL DWORD PTR DS:[ECX+38]
004BB5CD |. C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
004BB5D1 |. B2 01 MOV DL,1
004BB5D3 |. A1 40D14600 MOV EAX,DWORD PTR DS:[46D140]
004BB5D8 |. E8 631CFBFF CALL flashsav.0046D240
004BB5DD |. 8BF0 MOV ESI,EAX
004BB5DF |. BA 01000080 MOV EDX,80000001
004BB5E4 |. 8BC6 MOV EAX,ESI
004BB5E6 |. E8 F51CFBFF CALL flashsav.0046D2E0
004BB5EB |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004BB5EE |. 8B4B 34 MOV ECX,DWORD PTR DS:[EBX+34]
004BB5F1 |. BA 04B74B00 MOV EDX,flashsav.004BB704 ; ASCII "\Software\"
004BB5F6 |. E8 B194F4FF CALL flashsav.00404AAC
004BB5FB |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004BB5FE |. B1 01 MOV CL,1
004BB600 |. 8BC6 MOV EAX,ESI
004BB602 |. E8 3D1DFBFF CALL flashsav.0046D344
004BB607 |. 84C0 TEST AL,AL
004BB609 |. 0F84 9F000000 JE flashsav.004BB6AE
004BB60F |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004BB612 |. BA 18B74B00 MOV EDX,flashsav.004BB718 ; ASCII "version"
004BB617 |. 8BC6 MOV EAX,ESI
004BB619 |. E8 0E1FFBFF CALL flashsav.0046D52C
004BB61E |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004BB621 |. BA 28B74B00 MOV EDX,flashsav.004BB728 ; ASCII "cbyx"
004BB626 |. E8 7995F4FF CALL flashsav.00404BA4
004BB62B |. 75 06 JNZ SHORT flashsav.004BB633
004BB62D |. C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
004BB631 |. EB 7B JMP SHORT flashsav.004BB6AE
004BB633 |> 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004BB636 |. 8BC3 MOV EAX,EBX
004BB638 |. E8 1B010000 CALL flashsav.004BB758 ; shows a message box
004BB63D |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; the real serial into edx
What I got was 86D0117E4108F7832, happy!
004BB640 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; the entered serial into eax
004BB643 |. E8 5C95F4FF CALL flashsav.00404BA4 ; the most critical call, no need to say it, this must compare the real serial with the fake one
Step in; it looks like this:
00404BA6 |. 57 PUSH EDI
00404BA7 |. 89C6 MOV ESI,EAX ; the entered serial into esi
00404BA9 |. 89D7 MOV EDI,EDX ; the real serial into edi
00404BAB |. 39D0 CMP EAX,EDX ; which one is the real Monkey King?
00404BAD |. 0F84 8F000000 JE flashsav.00404C42 ; force ZF to 1
At 00404BAD, forcing ZF to 1 or changing the instruction to jmp gives a clean patch. Here I force ZF to 1,
return to the code below and keep reading.
004BB648 |. 75 4F JNZ SHORT flashsav.004BB699
004BB64A B9 28B74B00 MOV ECX,flashsav.004BB728 ; ASCII "cbyx", what is this for?
004BB64F |. BA 18B74B00 MOV EDX,flashsav.004BB718 ; ASCII "version", and what is this one for?
004BB654 |. 8BC6 MOV EAX,ESI
004BB656 |. E8 A51EFBFF CALL flashsav.0046D500 ; write the two strings above into the registry
004BB65B |. 68 FF000000 PUSH 0FF ; /BufSize = FF (255.)
004BB660 |. 68 70B14D00 PUSH flashsav.004DB170 ; |Buffer = flashsav.004DB170
004BB665 |. E8 B2B8F4FF CALL <JMP.&kernel32.GetSystemDirectoryA> ; \call GetSystemDirectoryA to get the system directory, heh, what for?
004BB66A |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004BB66D |. BA 70B14D00 MOV EDX,flashsav.004DB170 ; ASCII "C:\WINDOWS\System32"
004BB672 |. B9 00010000 MOV ECX,100 ; first go and look in this directory
See the ASCII "\sysfsaver.dat" below? That is the key file name. The file has not been created yet; go and verify it right away. Here is my output:
C:\WINDOWS\system32>dir sys*
驱动器 C 中的卷没有标签。
卷的序列号是 374A-17E3
C:\WINDOWS\system32 的目录
2002-09-13 12:00 18,880 sysedit.exe
2002-09-13 12:00 15,872 sysinv.dll
2002-09-13 12:00 103,936 sysocmgr.exe
2002-09-13 12:00 3,214 sysprint.sep
2002-09-13 12:00 3,577 sysprtj.sep
2002-09-13 12:00 3,360 system.drv
2002-09-13 12:00 3,072 systray.exe
2002-09-13 12:00 1,317,376 syssetup.dll
2002-09-13 12:00 252,928 sysdm.cpl
2002-09-13 12:00 200,192 sysmon.ocx
2002-09-13 12:00 75,264 systeminfo.exe
1998-06-24 00:00 67,376 SYSINFO.OCX
1998-06-18 00:00 2,483 SYSINFO.DEP
1998-07-07 00:00 9,728 SYSINCHS.DLL
1998-05-07 00:00 109 SYSINFO.SRG
2002-09-13 12:00 36,864 syskey.exe
2004-10-07 11:17 141,824 sysgl.dll
2004-10-07 11:17 5 systs.sys
2004-10-07 11:21 156 systec.dat
19 个文件 2,256,216 字节
0 个目录 2,812,280,832 可用字节
Only 19 files and no sysfsaver.dat. Keep reading the assembly:
004BB677 |. E8 9493F4FF CALL flashsav.00404A10
004BB67C |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004BB67F |. BA 38B74B00 MOV EDX,flashsav.004BB738 ; ASCII "\sysfsaver.dat", the key file name
004BB684 |. E8 DF93F4FF CALL flashsav.00404A68
004BB689 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004BB68C |. 8BC7 MOV EAX,EDI
004BB68E |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004BB690 |. FF51 74 CALL DWORD PTR DS:[ECX+74] ; creates the key file, go and look right away, there is something to find
Stepping into the call at 004BB690, I found that it creates sysfsaver.dat. Go and look right away; here is my output:
C:\WINDOWS\system32>dir sys*
驱动器 C 中的卷没有标签。
卷的序列号是 374A-17E3
C:\WINDOWS\system32 的目录
2002-09-13 12:00 18,880 sysedit.exe
2002-09-13 12:00 15,872 sysinv.dll
2002-09-13 12:00 103,936 sysocmgr.exe
2002-09-13 12:00 3,214 sysprint.sep
2002-09-13 12:00 3,577 sysprtj.sep
2002-09-13 12:00 3,360 system.drv
2002-09-13 12:00 3,072 systray.exe
2002-09-13 12:00 1,317,376 syssetup.dll
2002-09-13 12:00 252,928 sysdm.cpl
2002-09-13 12:00 200,192 sysmon.ocx
2002-09-13 12:00 75,264 systeminfo.exe
1998-06-24 00:00 67,376 SYSINFO.OCX
1998-06-18 00:00 2,483 SYSINFO.DEP
1998-07-07 00:00 9,728 SYSINCHS.DLL
1998-05-07 00:00 109 SYSINFO.SRG
2002-09-13 12:00 36,864 syskey.exe
2004-10-07 11:17 141,824 sysgl.dll
2004-10-07 11:17 5 systs.sys
2004-10-07 11:21 156 systec.dat
2004-10-26 10:50 25 sysfsaver.dat
20 个文件 2,256,241 字节
0 个目录 2,812,272,640 可用字节
Heh, now there are 20. See what's there.... the last one is sysfsaver.dat. There's hope; open it and see what's inside.
Summary: as long as C:\WINDOWS\System32\sysfsaver.dat exists and its content is
i love Flash Saver V4.5
that's enough. How about that, very interesting, isn't it? It's the first time I've seen such an interesting piece of software, heh.
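As an added example (not code from the post or from the program's vendor), the following Go program contrasts the fixed-string key-file check the post uncovers with a signed key file that binds the license to the user name. The product string, the "product|user" payload layout and the Ed25519 key pair are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed product name; the vendor keeps the private key offline
// and embeds only the public key in the shipped binary.
const product = "Flash Saver V4.5"

// WeakCheck mirrors what the post uncovers: the key file is
// accepted if it holds one fixed string, so anyone can produce it.
func WeakCheck(fileContent string) bool {
	return strings.TrimSpace(fileContent) == "i love Flash Saver V4.5"
}

// IssueLicense builds a key file for one user: base64 of the
// payload "product|user" followed by its Ed25519 signature.
func IssueLicense(priv ed25519.PrivateKey, user string) string {
	payload := []byte(product + "|" + user)
	return base64.StdEncoding.EncodeToString(append(payload, ed25519.Sign(priv, payload)...))
}

// VerifyLicense is the hardened check: the file must decode, name this
// product and user, and carry a signature only the vendor's private key
// could have produced. A fixed string already fails at the decode step.
func VerifyLicense(pub ed25519.PublicKey, user, fileContent string) bool {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(fileContent))
	if err != nil || len(raw) <= ed25519.SignatureSize {
		return false
	}
	n := len(raw) - ed25519.SignatureSize
	payload, sig := raw[:n], raw[n:]
	if !bytes.Equal(payload, []byte(product+"|"+user)) {
		return false
	}
	return ed25519.Verify(pub, payload, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	lic := IssueLicense(priv, "abcde")
	fmt.Println(WeakCheck("i love Flash Saver V4.5"), VerifyLicense(pub, "abcde", lic))
	fmt.Println(VerifyLicense(pub, "abcde", "i love Flash Saver V4.5"), VerifyLicense(pub, "other", lic))
}
```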