看到vxin说这个CM应该比较有意思的,刚好有空,拿来XX一下
原程序请看:http://bbs.pediy.com/showthread.php?t=68698
先PEiD一下,DELPHI的程序,再用DEDE看一下,居然没有Anti DeDe,于是祭出OD,在OD里对比着DEDE看源代码,怎一个爽字了得!
在DEDE里看程序的过程,除了FormShow外只有一个Button1Click:0047F89C,直奔OD里的0047F89C处下断,F9运行后输入用户名:lelfei,注册码:14141414,确定后中断下来了!
提示:注意对比DEDE看CALL过程的作用~~
; Button1Click (entry 0047F89C per DeDe): the CrackMe's registration check,
; as an OllyDbg listing (Intel syntax, all numbers hexadecimal).
; Excerpt only: it starts at 0047F8CA, after the prologue, and stops before
; the shared exit at 0047FA10.
; Names in <...> are the analyst's labels for Delphi RTL/VCL routines; "@n"
; marks the application's own routines, whose bodies are not part of this
; excerpt (only 0047F34C is partly listed on the page).
; Calls follow the Delphi register convention: eax, edx, ecx carry the first
; three arguments, further ones go on the stack.
; ebx is presumably the form instance (Self); per the analyst's labels
; [ebx+308] = Edit_Name, [ebx+310] = Edit_Code, [ebx+304] = Image2,
; [ebx+2FC] = Image1.
; Checks, in order: name length > 2, key file "3w.bmp" exists, transformed
; code equals the name, decrypted key image equals Image1. The first three
; fail to the message box at 0047F9F8; the image check fails silently to
; 0047FA10.
0047F8CA lea edx, dword ptr [ebp-4] ; edx = &local string that receives the name
0047F8CD mov eax, dword ptr [ebx+308]
0047F8D3 call <GetText> ; Edit_Name.GetText
0047F8D8 mov eax, dword ptr [ebp-4]
0047F8DB call <StrLen> ; user name length must be greater than 2
0047F8E0 cmp eax, 2
0047F8E3 jle 0047F9F8 ; length <= 2 (signed compare) -> failure message
0047F8E9 mov eax, 0047FA7C ; ASCII "3w.bmp"
0047F8EE call <FileExists> ; check that the key file exists
0047F8F3 test al, al
0047F8F5 je 0047F9F8 ; key file missing -> failure message
0047F8FB lea edx, dword ptr [ebp-C]
0047F8FE mov eax, dword ptr [ebx+310]
0047F904 call <GetText> ; Edit_Code.GetText
0047F909 mov eax, dword ptr [ebp-C] ; eax = entered registration code
0047F90C lea edx, dword ptr [ebp-8] ; edx = &result string
0047F90F call 0047F520 ; -----------@1: code run through a hex conversion (analyst's label; body not shown)
0047F914 mov eax, dword ptr [ebp-8]
0047F917 push eax ; keep the transformed code across the next call
0047F918 lea edx, dword ptr [ebp-10]
0047F91B mov eax, dword ptr [ebx+308]
0047F921 call <GetText> ; Edit_Name.GetText
0047F926 mov edx, dword ptr [ebp-10] ; edx = name
0047F929 pop eax ; eax = transformed code
0047F92A call <StrCmp> ; compare the name with the processed code
0047F92F jnz 0047F9F8 ; not equal -> failure message
0047F935 mov eax, dword ptr [ebx+304]
0047F93B mov eax, dword ptr [eax+168] ; object at Image2+168, presumably its Picture (not shown)
0047F941 mov edx, 0047FA7C ; ASCII "3w.bmp"
0047F946 call <LoadFromFile> ; load the key file
0047F94B call 0047F34C ; ------------@2: read the hard-disk serial number (analyst's label)
0047F950 lea edx, dword ptr [ebp-18]
0047F953 call <FixFileName> ; fix up the string (analyst's label)
0047F958 mov eax, dword ptr [ebp-18]
0047F95B lea edx, dword ptr [ebp-14]
0047F95E call <Trim> ; strip spaces
0047F963 mov eax, dword ptr [ebp-14]
0047F966 call 0047F4BC ; ------------@3: sum the ASCII codes of the disk serial (analyst's label)
0047F96B push eax ; save the sum while the bitmap is fetched
0047F96C mov eax, dword ptr [ebx+304]
0047F972 mov eax, dword ptr [eax+168]
0047F978 call <GetBitmap> ; Image2.GetBitmap
0047F97D pop edx ; edx = sum from @3, second argument to @4
; NOTE(review): per the analyst's labels the XOR key is a plain sum of the
; serial's character codes. If so, the key space is small and this hardware
; binding is obfuscation rather than encryption - confirm against 0047F684
; and 0047F4BC, which are not shown here.
0047F97E call 0047F684 ; -------------@4: XOR-decrypt the image with the summed value
0047F983 mov eax, dword ptr [ebx+304]
0047F989 call 004350D4 ; Image2.PaintRequest
0047F98E mov eax, dword ptr [ebx+304]
0047F994 mov eax, dword ptr [eax+168]
0047F99A call <GetBitmap> ; Image2.GetBitmap
0047F99F push eax ; keep the Image2 bitmap across the next call
0047F9A0 mov eax, dword ptr [ebx+2FC]
0047F9A6 mov eax, dword ptr [eax+168]
0047F9AC call <GetBitmap> ; Image1.GetBitmap
0047F9B1 pop edx ; edx = Image2 bitmap, eax = Image1 bitmap
0047F9B2 call 0047F758 ; -------------@5: compare the image contents
0047F9B7 test al, al
0047F9B9 je short 0047FA10 ; images differ -> leave without any message box
0047F9BB push 40 ; stack argument to <MessageBox>; presumably flags, 0x40 = MB_ICONINFORMATION
0047F9BD lea edx, dword ptr [ebp-20]
0047F9C0 mov eax, dword ptr [ebx+308]
0047F9C6 call <GetText> ; Edit_Name.GetText
0047F9CB mov ecx, dword ptr [ebp-20] ; ecx = name
0047F9CE lea eax, dword ptr [ebp-1C] ; eax = &destination string
0047F9D1 mov edx, 0047FA8C ; '注册成功!正式授权给:' ("Registration successful! Licensed to:")
0047F9D6 call <StrCat> ; [ebp-1C] = success text followed by the name
0047F9DB mov eax, dword ptr [ebp-1C]
0047F9DE call <StrToChar>
0047F9E3 mov edx, eax ; edx = message text
0047F9E5 mov ecx, 0047FAA4 ; presumably the caption string (contents not shown)
0047F9EA mov eax, dword ptr [4812F4]
0047F9EF mov eax, dword ptr [eax] ; presumably the Application object - TODO confirm
0047F9F1 call <MessageBox>
0047F9F6 jmp short 0047FA10 ; skip the failure message
; 0047F9F8: failure path shared by the length, key-file and name/code checks.
0047F9F8 push 40 ; same stack argument as on the success path
0047F9FA mov ecx, 0047FAAC ; presumably the caption string (contents not shown)
0047F9FF mov edx, 0047FAB4 ; presumably the message text; see the string quoted two lines below
0047FA04 mov eax, dword ptr [4812F4]
0047FA09 mov eax, dword ptr [eax] ; '非法用户!请与软件开发商联系。' ("Illegal user! Please contact the software vendor.") - the string comment sits on this line in the listing but probably belongs to the edx load at 0047F9FF
0047FA0B call <MessageBox>
; Routine 0047F34C - "@2" in Button1Click, labelled by the analyst as
; "read the hard-disk serial number". OllyDbg listing, all numbers hex.
; It opens the disk device, sends SMART_RCV_DRIVE_DATA through
; DeviceIoControl and closes the handle. The listing stops at the
; CloseHandle call, so the code that extracts the serial from the output
; buffer and the epilogue are not shown.
; Locals, as used below:
;   [ebp-214] device handle
;   [ebp-218] bytes-returned counter
;   [ebp-239] input buffer, 0x20 bytes
;   [ebp-210] output buffer, 0x210 bytes
; The byte offsets written into the input buffer are consistent with a
; packed SENDCMDINPARAMS (cBufferSize, then the IDE register block) -
; TODO confirm against the original source.
0047F34C push ebp
0047F34D mov ebp, esp
0047F34F add esp, -23C ; reserve 0x23C bytes of locals
0047F355 push ebx
0047F356 mov ebx, 0047F494 ; use of ebx is not visible in this excerpt
0047F35B mov eax, dword ptr [481468]
0047F360 cmp dword ptr [eax], 2 ; operating-system check; presumably Win32Platform == VER_PLATFORM_WIN32_NT (2)
0047F363 jnz short 0047F386 ; any other value -> open the SMARTVSD device instead
; NOTE(review): read/write access to \\.\PhysicalDrive0 normally needs
; administrator rights. When the open fails, CreateFileA returns -1 and the
; routine bails out at 0047F3A9, so the registration check depends on the
; privileges the program runs with.
0047F365 push 0 ; /hTemplateFile = NULL
0047F367 push 0 ; |Attributes = 0
0047F369 push 3 ; |Mode = OPEN_EXISTING
0047F36B push 0 ; |pSecurity = NULL
0047F36D push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0047F36F push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
0047F374 push 0047F498 ; |FileName = "\\.\PhysicalDrive0"
0047F379 call <jmp.&kernel32.CreateFileA> ; \CreateFileA
0047F37E mov dword ptr [ebp-214], eax ; handle to the first physical disk
0047F384 jmp short 0047F3A2
; Other branch: open the SMARTVSD device with no access or share flags.
0047F386 push 0 ; /hTemplateFile = NULL
0047F388 push 0 ; |Attributes = 0
0047F38A push 1 ; |Mode = CREATE_NEW
0047F38C push 0 ; |pSecurity = NULL
0047F38E push 0 ; |ShareMode = 0
0047F390 push 0 ; |Access = 0
0047F392 push 0047F4AC ; |FileName = "\\.\SMARTVSD"
0047F397 call <jmp.&kernel32.CreateFileA> ; \CreateFileA
0047F39C mov dword ptr [ebp-214], eax
0047F3A2 cmp dword ptr [ebp-214], -1 ; -1 = INVALID_HANDLE_VALUE
0047F3A9 je 0047F48B ; open failed -> exit path (not shown)
; Install an exception frame on the fs:[0] chain with handler 0047F463,
; presumably the compiler's try/finally around the use of the handle.
0047F3AF xor eax, eax
0047F3B1 push ebp
0047F3B2 push 0047F463 ; handler address
0047F3B7 push dword ptr fs:[eax] ; previous frame (eax = 0, so this is fs:[0])
0047F3BA mov dword ptr fs:[eax], esp ; link the new frame
0047F3BD lea eax, dword ptr [ebp-239] ; eax = input buffer
0047F3C3 xor ecx, ecx ; fill value 0
0047F3C5 mov edx, 20 ; count = 0x20 bytes (clear the input buffer)
0047F3CA call <FillChar>
0047F3CF lea eax, dword ptr [ebp-210] ; eax = output buffer
0047F3D5 xor ecx, ecx ; fill value 0
0047F3D7 mov edx, 210 ; count = 0x210 bytes
0047F3DC call <FillChar> ; clear the output buffer (0x210 bytes)
0047F3E1 xor eax, eax
0047F3E3 mov dword ptr [ebp-218], eax ; bytes returned = 0
0047F3E9 mov dword ptr [ebp-239], 200 ; offset 0: presumably cBufferSize = 0x200 (512 bytes of drive data)
0047F3F3 mov byte ptr [ebp-234], 1 ; offset 5: presumably bSectorCountReg = 1
0047F3FA mov byte ptr [ebp-233], 1 ; offset 6: presumably bSectorNumberReg = 1
0047F401 mov byte ptr [ebp-230], 0A0 ; offset 9: presumably bDriveHeadReg = 0xA0
0047F408 mov byte ptr [ebp-22F], 0EC ; offset 10: presumably bCommandReg = 0xEC (ATA IDENTIFY DEVICE)
0047F40F push 0 ; /pOverlapped = NULL
0047F411 lea eax, dword ptr [ebp-218] ; |
0047F417 push eax ; |pBytesReturned
0047F418 push 210 ; |OutBufferSize = 210 (528.)
0047F41D lea eax, dword ptr [ebp-210] ; |
0047F423 push eax ; |OutBuffer
0047F424 push 20 ; |InBufferSize = 20 (32.)
0047F426 lea eax, dword ptr [ebp-239] ; |
0047F42C push eax ; |InBuffer
0047F42D push 7C088 ; |IoControlCode = SMART_RCV_DRIVE_DATA
0047F432 mov eax, dword ptr [ebp-214] ; |
0047F438 push eax ; |hDevice
0047F439 call <jmp.&kernel32.DeviceIoContro>; \DeviceIoControl
0047F43E test eax, eax ; read the drive data; zero return = the call failed
0047F440 jnz short 0047F449 ; success -> unlink the frame and close the handle
0047F442 call 0040399C ; not identified in the listing; runs only on the failure path
0047F447 jmp short 0047F48B ; exit path (not shown)
; Success: pop the three-dword frame pushed at 0047F3B1..0047F3B7 and put the
; previous frame pointer back into fs:[0].
0047F449 xor eax, eax
0047F44B pop edx ; edx = previous frame pointer
0047F44C pop ecx ; discard handler address
0047F44D pop ecx ; discard saved ebp
0047F44E mov dword ptr fs:[eax], edx
0047F451 push 0047F46A ; address left on the stack; presumably where the cleanup code returns to (not shown)
0047F456 mov eax, dword ptr [ebp-214]
0047F45C push eax ; /hObject
0047F45D call <jmp.&kernel32.CloseHandle> ; \CloseHandle