When I install this program on my computer it creates a registry entry, m_strUniqueId. When I install it on someone else's computer, that value is the same.
Every time it starts, the program checks whether registration succeeded. If it has not, there is a 30-day trial with feature limits. Each time the registration window comes up I enter a registration code, and there is no feedback at all.
Could everyone give me some ideas? What breakpoint should I use?
0040C5B6 . E8 25BF0000 CALL <JMP.&MFC42u.#6193>
0040C5BB > E8 AEBE0000 CALL <JMP.&MFC42u.#1165>
0040C5C0 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4] ; AtLarge2.00459C20
0040C5C3 . 8A88 FC000000 MOV CL,BYTE PTR DS:[EAX+FC]
0040C5C9 . 84C9 TEST CL,CL
0040C5CB 0F85 AA000000 JNZ AtLarge2.0040C67B
0040C5D1 . 6A 00 PUSH 0
0040C5D3 . 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
0040C5D7 . E8 24420000 CALL AtLarge2.00410800
0040C5DC . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
0040C5E0 . C78424 740200>MOV DWORD PTR SS:[ESP+274],0
0040C5EB . E8 34BD0000 CALL <JMP.&MFC42u.#2506>
0040C5F0 . 68 34524500 PUSH AtLarge2.00455234 ; at-large recorder 2 is running in demo mode...
0040C5F5 . 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0040C5F9 . E8 5EBE0000 CALL <JMP.&MFC42u.#538>
0040C5FE . C68424 740200>MOV BYTE PTR SS:[ESP+274],1
0040C606 . E8 63BE0000 CALL <JMP.&MFC42u.#1165>
0040C60B . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
0040C60E . 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0040C612 . 51 PUSH ECX
0040C613 . 8BB8 14010000 MOV EDI,DWORD PTR DS:[EAX+114]
0040C619 . 8D8F 0C020000 LEA ECX,DWORD PTR DS:[EDI+20C]
0040C61F . E8 A0BF0000 CALL <JMP.&MFC42u.#858>
0040C624 . 8B57 20 MOV EDX,DWORD PTR DS:[EDI+20]
0040C627 . 6A 00 PUSH 0 ; /Erase = FALSE
0040C629 . 6A 00 PUSH 0 ; |pRect = NULL
0040C62B . 52 PUSH EDX ; |hWnd
0040C62C . FF15 04274400 CALL DWORD PTR DS:[<&USER32.InvalidateRe>; \InvalidateRect
0040C632 . 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0040C636 . C68424 740200>MOV BYTE PTR SS:[ESP+274],0
0040C63E . E8 01BE0000 CALL <JMP.&MFC42u.#800>
0040C643 . 8D8C24 900000>LEA ECX,DWORD PTR SS:[ESP+90]
0040C64A . C78424 740200>MOV DWORD PTR SS:[ESP+274],2
0040C655 . C78424 900000>MOV DWORD PTR SS:[ESP+90],AtLarge2.??_7C>
0040C660 . E8 ABCA0000 CALL AtLarge2.?Destroy@CxImage@@QAE_NXZ
0040C665 . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
0040C669 . C78424 740200>MOV DWORD PTR SS:[ESP+274],-1
0040C674 . E8 A1BD0000 CALL <JMP.&MFC42u.#641>
0040C679 . EB 59 JMP SHORT AtLarge2.0040C6D4
0040C67B > 68 D4514500 PUSH AtLarge2.004551D4 ; thank you for registering at-large recorder 2!
0040C680 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0040C684 . E8 D3BD0000 CALL <JMP.&MFC42u.#538>
0040C689 . C78424 740200>MOV DWORD PTR SS:[ESP+274],3
0040C694 . E8 D5BD0000 CALL <JMP.&MFC42u.#1165>
0040C699 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
0040C69C . 8BB8 14010000 MOV EDI,DWORD PTR DS:[EAX+114]
0040C6A2 . 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
0040C6A6 . 50 PUSH EAX
0040C6A7 . 8D8F 0C020000 LEA ECX,DWORD PTR DS:[EDI+20C]
0040C6AD . E8 12BF0000 CALL <JMP.&MFC42u.#858>
0040C6B2 . 8B4F 20 MOV ECX,DWORD PTR DS:[EDI+20]
0040C6B5 . 6A 00 PUSH 0 ; /Erase = FALSE
0040C6B7 . 6A 00 PUSH 0 ; |pRect = NULL
0040C6B9 . 51 PUSH ECX ; |hWnd
0040C6BA . FF15 04274400 CALL DWORD PTR DS:[<&USER32.InvalidateRe>; \InvalidateRect
0040C5B6 . E8 25BF0000 CALL <JMP.&MFC42u.#6193>
0040C5BB > E8 AEBE0000 CALL <JMP.&MFC42u.#1165>
0040C5C0 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4] ; AtLarge2.00459C20
0040C5C3 . 8A88 FC000000 MOV CL,BYTE PTR DS:[EAX+FC]
0040C5C9 . 84C9 TEST CL,CL
0040C5CB 0F85 AA000000 JNZ AtLarge2.0040C67B
Someone said to look at the data at MOV EAX,DWORD PTR DS:[EAX+4]. How do I look at it?
I stepped into the two CALLs above, but they just bounce around inside mfc42.
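The listing in the post already contains most of the answer. The pair CALL <JMP.&MFC42u.#1165> / MOV EAX,DWORD PTR DS:[EAX+4] is the shape AfxGetApp() compiles to in MFC 4.2 (fetch the module state, then its m_pCurrentWinApp member at +4), and OllyDbg's comment on that line, AtLarge2.00459C20, is the value it produced, i.e. the application object. The byte at [EAX+FC] is then a member of that object; TEST CL,CL / JNZ 0040C67B falls through to the "running in demo mode" string and jumps to the "thank you for registering" string, so the taken branch is the registered path. Patching this one site only changes the banner; the flag is written somewhere else, and a hardware breakpoint on write at 00459C20+FC stops the debugger exactly there. The Python script below is an added example for this thread, not code from the post or from the program: it parses those OllyDbg lines, checks that the JNZ displacement really resolves to 0040C67B, derives a same-length patch (NOP; JMP rel32) that forces the registered branch, and computes the flag address to watch. That +4 is m_pCurrentWinApp and that +FC is the registration flag are assumptions inferred from the listing, and the addresses assume the image is loaded at the same base as in the poster's session.

```python
"""Added helper for this thread (not code from the post or from AtLarge2):
parse the OllyDbg lines shown above, verify the conditional jump, derive a
same-length patch forcing the "registered" path, and compute the address of
the flag byte so a hardware breakpoint on write can reveal who sets it.

Assumptions (inferred from the listing, not from the program's source):
  * CALL <JMP.&MFC42u.#1165> ; MOV EAX,[EAX+4] is the inlined AfxGetApp()
    (module state -> m_pCurrentWinApp), so OllyDbg's comment AtLarge2.00459C20
    is the CWinApp-derived application object;
  * the byte at [app+0xFC] is the "registered" flag tested by TEST CL,CL.
"""
import re
import struct
from dataclasses import dataclass

# Constructed copy of the relevant lines from the post, in OllyDbg's format:
# address, optional '.'/'>' marker, opcode bytes, instruction, optional comment.
LISTING = """\
0040C5BB > E8 AEBE0000 CALL <JMP.&MFC42u.#1165>
0040C5C0 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4] ; AtLarge2.00459C20
0040C5C3 . 8A88 FC000000 MOV CL,BYTE PTR DS:[EAX+FC]
0040C5C9 . 84C9 TEST CL,CL
0040C5CB 0F85 AA000000 JNZ AtLarge2.0040C67B
0040C5D1 . 6A 00 PUSH 0
"""

HEX_GROUP = re.compile(r"^(?:[0-9A-F]{2})+$")   # opcode columns: even-length hex


@dataclass
class Insn:
    addr: int
    code: bytes       # raw opcode bytes as OllyDbg displayed them
    text: str         # mnemonic and operands
    comment: str      # OllyDbg's ';' annotation, if any


def parse_listing(listing):
    insns = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        body, _, comment = line.partition(";")
        tokens = body.split()
        addr = int(tokens[0], 16)
        i = 2 if tokens[1] in (".", ">") else 1
        code = b""
        while i < len(tokens) and HEX_GROUP.match(tokens[i]):
            code += bytes.fromhex(tokens[i])
            i += 1
        insns.append(Insn(addr, code, " ".join(tokens[i:]), comment.strip()))
    return insns


def jump_target(insn):
    """Resolve a relative jump (Jcc rel8/rel32, JMP rel8/rel32) to its target."""
    c = insn.code
    if c[0] == 0x0F and 0x80 <= c[1] <= 0x8F:
        disp = struct.unpack("<i", c[2:6])[0]
    elif 0x70 <= c[0] <= 0x7F or c[0] == 0xEB:
        disp = struct.unpack("<b", c[1:2])[0]
    elif c[0] == 0xE9:
        disp = struct.unpack("<i", c[1:5])[0]
    else:
        raise ValueError("not a relative jump: " + insn.text)
    return (insn.addr + len(c) + disp) & 0xFFFFFFFF


def force_jump(insn):
    """Turn a Jcc into an unconditional jump of identical length, so the
    displacement still resolves and no neighbouring instruction is clobbered."""
    c = insn.code
    if c[0] == 0x0F and 0x80 <= c[1] <= 0x8F:
        return b"\x90\xE9" + c[2:6]      # NOP ; JMP rel32 (ends at the same address)
    if 0x70 <= c[0] <= 0x7F:
        return b"\xEB" + c[1:2]          # JMP rel8
    raise ValueError("not a conditional jump: " + insn.text)


def find_flag_check(insns):
    """Find the byte load / TEST CL,CL / Jcc triple that picks the branch."""
    for i in range(2, len(insns)):
        load, test, jcc = insns[i - 2], insns[i - 1], insns[i]
        if (load.text.startswith("MOV CL,BYTE PTR") and test.text.startswith("TEST CL,CL")
                and re.match(r"J(N?[EZ]) ", jcc.text)):
            return load, test, jcc
    raise LookupError("flag check not found in listing")


def flag_address(insns, load):
    """App object (OllyDbg's comment on the preceding MOV EAX,...) + displacement."""
    disp = int(re.search(r"\[EAX\+([0-9A-F]+)\]", load.text).group(1), 16)
    for prev in reversed(insns[: insns.index(load)]):
        if prev.text.startswith("MOV EAX,") and re.search(r"\.[0-9A-F]{8}$", prev.comment):
            return int(prev.comment[-8:], 16) + disp
    raise LookupError("no annotated MOV EAX before the flag load")


def analyse(listing):
    insns = parse_listing(listing)
    load, _test, jcc = find_flag_check(insns)
    target = jump_target(jcc)
    # Sanity check: the displacement must agree with the symbolic target OllyDbg printed.
    shown = int(re.search(r"\.([0-9A-F]{8})$", jcc.text).group(1), 16)
    if target != shown:
        raise AssertionError("displacement %08X disagrees with listing %08X" % (target, shown))
    patch = force_jump(jcc)
    assert len(patch) == len(jcc.code)
    return {"jcc_addr": jcc.addr, "target": target, "original": jcc.code,
            "patch": patch, "flag_addr": flag_address(insns, load)}


if __name__ == "__main__":
    r = analyse(LISTING)
    print("Jcc at %08X -> %08X" % (r["jcc_addr"], r["target"]))
    print("patch %s -> %s" % (r["original"].hex().upper(), r["patch"].hex().upper()))
    print("flag byte at %08X: hardware breakpoint on write here" % r["flag_addr"])
```

Two things worth noting when applying this in OllyDbg. The NOP;JMP form is chosen over a plain JMP because JNZ rel32 is six bytes and JMP rel32 is five; keeping the length means the rel32 displacement is unchanged and the PUSH at 0040C5D1 is not disturbed. And the patch answers only the banner question: to find the code that decides whether the registry value is a valid registration, set the hardware breakpoint on the computed flag address (or on RegQueryValueExW / RegOpenKeyExW, which is where a key named after m_strUniqueId would be read) and run until the write happens, then walk up the call stack.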