Post #2
I'm posting the program here for everyone to analyze.
Recently I worked on a piece of software that needs a KEY to register successfully.
After working on it I found that this program verifies on restart, and that the check is done through the registry.
I finally found the key point, but when I skip the registration dialog the program errors out.
Can anyone give me some ideas?
0040113A . 55 PUSH EBP
0040113B . 8BEC MOV EBP,ESP
0040113D . 81EC 98020000 SUB ESP,298
00401143 . 53 PUSH EBX
00401144 . 56 PUSH ESI
00401145 . 57 PUSH EDI
00401146 . 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
0040114C . 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00401151 . 50 PUSH EAX ; |PathBuffer
00401152 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hModule
00401155 . 33DB XOR EBX,EBX ; |
00401157 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; |
0040115A . 895D F8 MOV DWORD PTR SS:[EBP-8],EBX ; |
0040115D . 895D F0 MOV DWORD PTR SS:[EBP-10],EBX ; |
00401160 . FF15 24604000 CALL DWORD PTR DS:[<&kernel32.GetModuleF>; \GetModuleFileNameA
00401166 . 53 PUSH EBX ; /hTemplateFile => NULL
00401167 . 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040116C . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0040116E . 53 PUSH EBX ; |pSecurity => NULL
0040116F . 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00401171 . 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194] ; |
00401177 . 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
0040117C . 50 PUSH EAX ; |FileName
0040117D . FF15 20604000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; \CreateFileA
00401183 . 8BF8 MOV EDI,EAX
00401185 . 83FF FF CMP EDI,-1
00401188 . 75 0C JNZ SHORT 破解版本.00401196
0040118A . C745 FC C0714>MOV DWORD PTR SS:[EBP-4],破解版本.004071>; ASCII "Can't open file!"
00401191 . E9 37030000 JMP 破解版本.004014CD
00401196 > 8B35 1C604000 MOV ESI,DWORD PTR DS:[<&kernel32.SetFile>; kernel32.SetFilePointer
0040119C . 6A 02 PUSH 2 ; /Origin = FILE_END
0040119E . 53 PUSH EBX ; |pOffsetHi
0040119F . 6A F8 PUSH -8 ; |OffsetLo = FFFFFFF8 (-8.)
004011A1 . 57 PUSH EDI ; |hFile
004011A2 . FFD6 CALL ESI ; \SetFilePointer
004011A4 . 3D E8030000 CMP EAX,3E8
004011A9 . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004011AC . 0F82 FD020000 JB 破解版本.004014AF
004011B2 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004011B5 . 53 PUSH EBX ; /pOverlapped
004011B6 . 50 PUSH EAX ; |pBytesRead
004011B7 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; |
004011BA . 6A 08 PUSH 8 ; |BytesToRead = 8
004011BC . 50 PUSH EAX ; |Buffer
004011BD . 57 PUSH EDI ; |hFile
004011BE . 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX ; |
004011C1 . FF15 18604000 CALL DWORD PTR DS:[<&kernel32.ReadFile>] ; \ReadFile
004011C7 . 85C0 TEST EAX,EAX
004011C9 . 0F84 E9020000 JE 破解版本.004014B8
004011CF . 837D E4 08 CMP DWORD PTR SS:[EBP-1C],8
004011D3 . 0F85 DF020000 JNZ 破解版本.004014B8
004011D9 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004011DC . 817D E0 A5B79>CMP DWORD PTR SS:[EBP-20],829AB7A5
004011E3 . 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
004011E6 . 0F85 C3020000 JNZ 破解版本.004014AF
004011EC . 83F8 04 CMP EAX,4
004011EF . 0F8C BA020000 JL 破解版本.004014AF
004011F5 . 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C]
004011F8 . 0F8D B1020000 JGE 破解版本.004014AF
004011FE . 50 PUSH EAX
004011FF . E8 32220000 CALL 破解版本.00403436
00401204 . 3BC3 CMP EAX,EBX
00401206 . 59 POP ECX
00401207 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040120A . 0F84 07010000 JE 破解版本.00401317
00401210 . 6A 02 PUSH 2
00401212 . 53 PUSH EBX
00401213 . 6A F8 PUSH -8
00401215 . 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
00401218 . 58 POP EAX
00401219 . 2B45 08 SUB EAX,DWORD PTR SS:[EBP+8]
0040121C . 50 PUSH EAX
0040121D . 57 PUSH EDI
0040121E . FFD6 CALL ESI
00401220 . 83F8 FF CMP EAX,-1
00401223 . 0F84 7D020000 JE 破解版本.004014A6
00401229 . 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8]
0040122C . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0040122F . 53 PUSH EBX ; /pOverlapped
00401230 . 50 PUSH EAX ; |pBytesRead
00401231 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |BytesToRead
00401234 . 56 PUSH ESI ; |Buffer
00401235 . 57 PUSH EDI ; |hFile
00401236 . FF15 18604000 CALL DWORD PTR DS:[<&kernel32.ReadFile>] ; \ReadFile
0040123C . 85C0 TEST EAX,EAX
0040123E . 0F84 62020000 JE 破解版本.004014A6
00401244 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401247 . 3945 E8 CMP DWORD PTR SS:[EBP-18],EAX
0040124A . 0F85 56020000 JNZ 破解版本.004014A6
00401250 . 813E A5B79A82 CMP DWORD PTR DS:[ESI],829AB7A5
00401256 . 0F85 4A020000 JNZ 破解版本.004014A6
0040125C . 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401262 . 83C6 04 ADD ESI,4
00401265 . 50 PUSH EAX ; /Buffer
00401266 . 68 04010000 PUSH 104 ; |BufSize = 104 (260.)
0040126B . FF15 14604000 CALL DWORD PTR DS:[<&kernel32.GetTempPat>; \GetTempPathA
00401271 . 85C0 TEST EAX,EAX
00401273 . 75 0C JNZ SHORT 破解版本.00401281
00401275 . C745 FC 98714>MOV DWORD PTR SS:[EBP-4],破解版本.004071>; ASCII "Can't retrieve the temporary directory!"
0040127C . E9 3E020000 JMP 破解版本.004014BF
00401281 > 8B06 MOV EAX,DWORD PTR DS:[ESI]
00401283 . 83C6 04 ADD ESI,4
00401286 . 50 PUSH EAX ; /<%X>
00401287 . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90] ; |
0040128D . 68 90714000 PUSH 破解版本.00407190 ; |Format = "E_%X"
00401292 . 50 PUSH EAX ; |s
00401293 . FF15 B0604000 CALL DWORD PTR DS:[<&user32.wsprintfA>] ; \wsprintfA
00401299 . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0040129F . 50 PUSH EAX
004012A0 . 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012A6 . 50 PUSH EAX
004012A7 . E8 24200000 CALL 破解版本.004032D0
004012AC . 83C4 14 ADD ESP,14
004012AF . 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012B5 . 53 PUSH EBX ; /pSecurity
004012B6 . 50 PUSH EAX ; |Path
004012B7 . FF15 10604000 CALL DWORD PTR DS:[<&kernel32.CreateDire>; \CreateDirectoryA
004012BD . 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012C3 . 68 8C714000 PUSH 破解版本.0040718C
004012C8 . 50 PUSH EAX
004012C9 . E8 02200000 CALL 破解版本.004032D0
004012CE . FF36 PUSH DWORD PTR DS:[ESI]
004012D0 . 836D 08 0C SUB DWORD PTR SS:[EBP+8],0C
004012D4 . 8D7E 04 LEA EDI,DWORD PTR DS:[ESI+4]
004012D7 . FF75 08 PUSH DWORD PTR SS:[EBP+8]
004012DA . 57 PUSH EDI
004012DB . E8 39FEFFFF CALL 破解版本.00401119
004012E0 . 836D 08 08 SUB DWORD PTR SS:[EBP+8],8
004012E4 . 8B47 04 MOV EAX,DWORD PTR DS:[EDI+4]
004012E7 . 83C4 14 ADD ESP,14
004012EA . 395D 08 CMP DWORD PTR SS:[EBP+8],EBX
004012ED . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004012F0 . 0F8E A7010000 JLE 破解版本.0040149D
004012F6 . 813F 0D0F3E03 CMP DWORD PTR DS:[EDI],33E0F0D
004012FC . 0F85 9B010000 JNZ 破解版本.0040149D
00401302 . 3BC3 CMP EAX,EBX
00401304 . 0F8E 93010000 JLE 破解版本.0040149D
0040130A . 50 PUSH EAX
0040130B . E8 26210000 CALL 破解版本.00403436
00401310 . 8BF0 MOV ESI,EAX
00401312 . 59 POP ECX
00401313 . 3BF3 CMP ESI,EBX
00401315 . 75 0C JNZ SHORT 破解版本.00401323
00401317 > C745 FC 74714>MOV DWORD PTR SS:[EBP-4],破解版本.004071>; ASCII "Insufficient memory!"
0040131E . E9 9C010000 JMP 破解版本.004014BF
00401323 > FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401326 . 83C7 08 ADD EDI,8
00401329 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040132C . 57 PUSH EDI
0040132D . 50 PUSH EAX
0040132E . 56 PUSH ESI
0040132F . E8 E71E0000 CALL 破解版本.0040321B
00401334 . 83C4 10 ADD ESP,10
00401337 . 85C0 TEST EAX,EAX
00401339 . 74 13 JE SHORT 破解版本.0040134E
0040133B . 56 PUSH ESI
0040133C . E8 EA200000 CALL 破解版本.0040342B
00401341 . 59 POP ECX
00401342 . C745 FC 58714>MOV DWORD PTR SS:[EBP-4],破解版本.004071>; ASCII "Failed to decompress data!"
00401349 . E9 71010000 JMP 破解版本.004014BF
0040134E > FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00401351 . E8 D5200000 CALL 破解版本.0040342B
00401356 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00401359 . 59 POP ECX
0040135A . 03C6 ADD EAX,ESI
0040135C . 8975 F8 MOV DWORD PTR SS:[EBP-8],ESI
0040135F . 3BF0 CMP ESI,EAX
00401361 . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00401364 . 885D A4 MOV BYTE PTR SS:[EBP-5C],BL
00401367 . 0F83 B4000000 JNB 破解版本.00401421 ; ...
0040136D > 8BFE MOV EDI,ESI
0040136F . 56 PUSH ESI
00401370 . 897D 08 MOV DWORD PTR SS:[EBP+8],EDI
00401373 . E8 38200000 CALL 破解版本.004033B0
00401378 . C70424 4C7140>MOV DWORD PTR SS:[ESP],破解版本.0040714C ; ASCII "krnln.fnr"
0040137F . 57 PUSH EDI
00401380 . 8D7406 01 LEA ESI,DWORD PTR DS:[ESI+EAX+1]
00401384 . E8 47480000 CALL 破解版本.00405BD0
00401389 . 59 POP ECX
0040138A . 85C0 TEST EAX,EAX
0040138C . 59 POP ECX
0040138D . 74 11 JE SHORT 破解版本.004013A0
0040138F . 68 40714000 PUSH 破解版本.00407140 ; ASCII "krnln.fne"
00401394 . 57 PUSH EDI
00401395 . E8 36480000 CALL 破解版本.00405BD0
0040139A . 59 POP ECX
0040139B . 85C0 TEST EAX,EAX
0040139D . 59 POP ECX
0040139E . 75 0C JNZ SHORT 破解版本.004013AC
004013A0 > 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
004013A3 . 57 PUSH EDI
004013A4 . 50 PUSH EAX
004013A5 . E8 161F0000 CALL 破解版本.004032C0
004013AA . 59 POP ECX
004013AB . 59 POP ECX
004013AC > 8B3E MOV EDI,DWORD PTR DS:[ESI]
004013AE . 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004013B4 . 50 PUSH EAX
004013B5 . 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
004013BB . 50 PUSH EAX
004013BC . 83C6 04 ADD ESI,4
004013BF . E8 FC1E0000 CALL 破解版本.004032C0
004013C4 . FF75 08 PUSH DWORD PTR SS:[EBP+8]
004013C7 . 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
004013CD . 50 PUSH EAX
004013CE . E8 FD1E0000 CALL 破解版本.004032D0
004013D3 . 83C4 10 ADD ESP,10
004013D6 . 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
004013DC . 53 PUSH EBX ; /hTemplateFile
004013DD . 68 80000000 PUSH 80 ; |Attributes = NORMAL
004013E2 . 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
004013E4 . 53 PUSH EBX ; |pSecurity
004013E5 . 53 PUSH EBX ; |ShareMode
004013E6 . 68 00000040 PUSH 40000000 ; |Access = GENERIC_WRITE
004013EB . 50 PUSH EAX ; |FileName
004013EC . FF15 20604000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; \CreateFileA
004013F2 . 83F8 FF CMP EAX,-1
004013F5 . 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
004013F8 . 74 17 JE SHORT 破解版本.00401411
004013FA . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
004013FD . 53 PUSH EBX ; /pOverlapped
004013FE . 51 PUSH ECX ; |pBytesWritten
004013FF . 57 PUSH EDI ; |nBytesToWrite
00401400 . 56 PUSH ESI ; |Buffer
00401401 . 50 PUSH EAX ; |hFile
00401402 . FF15 0C604000 CALL DWORD PTR DS:[<&kernel32.WriteFile>>; \WriteFile
00401408 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /hObject
0040140B . FF15 08604000 CALL DWORD PTR DS:[<&kernel32.CloseHandl>; \CloseHandle
00401411 > 03F7 ADD ESI,EDI
00401413 . 3B75 F4 CMP ESI,DWORD PTR SS:[EBP-C]
00401416 ^ 0F82 51FFFFFF JB 破解版本.0040136D
0040141C . 385D A4 CMP BYTE PTR SS:[EBP-5C],BL
0040141F . 75 0C JNZ SHORT 破解版本.0040142D
00401421 > C745 FC 20714>MOV DWORD PTR SS:[EBP-4],破解版本.004071>; ASCII "Not found the kernel library!"
00401428 . E9 92000000 JMP 破解版本.004014BF
0040142D > 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401433 . 50 PUSH EAX
00401434 . 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040143A . 50 PUSH EAX
0040143B . E8 801E0000 CALL 破解版本.004032C0
00401440 . 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00401443 . 50 PUSH EAX
00401444 . 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040144A . 50 PUSH EAX
0040144B . E8 801E0000 CALL 破解版本.004032D0
00401450 . 83C4 10 ADD ESP,10
00401453 . 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
00401459 50 PUSH EAX ; /FileName
0040145A FF15 04604000 CALL DWORD PTR DS:[<&kernel32.LoadLibrar>; \LoadLibraryA ; stepped over this CALL
00401460 . 3BC3 CMP EAX,EBX
00401462 . 75 09 JNZ SHORT 破解版本.0040146D
00401464 . C745 FC 00714>MOV DWORD PTR SS:[EBP-4],破解版本.004071>; ASCII "Failed to load kernel library!"
0040146B . EB 52 JMP SHORT 破解版本.004014BF
0040146D > 68 F4704000 PUSH 破解版本.004070F4 ; /ProcNameOrOrdinal = "GetNewSock"
00401472 . 50 PUSH EAX ; |hModule
00401473 . FF15 00604000 CALL DWORD PTR DS:[<&kernel32.GetProcAdd>; \GetProcAddress
00401479 . 3BC3 CMP EAX,EBX
0040147B . 75 09 JNZ SHORT 破解版本.00401486
0040147D . C745 FC D4704>MOV DWORD PTR SS:[EBP-4],破解版本.004070>; ASCII "The kernel library is invalid!"
00401484 . EB 39 JMP SHORT 破解版本.004014BF
00401486 > 68 E8030000 PUSH 3E8
0040148B . FFD0 CALL EAX
0040148D . 3BC3 CMP EAX,EBX
0040148F . 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00401492 . 75 2B JNZ SHORT 破解版本.004014BF
00401494 . C745 FC A8704>MOV DWORD PTR SS:[EBP-4],破解版本.004070>; ASCII "The interface of kernel library is invalid!"
0040149B . EB 22 JMP SHORT 破解版本.004014BF
0040149D > C745 FC 8C704>MOV DWORD PTR SS:[EBP-4],破解版本.004070>; ASCII "Invalid data in the file!"
004014A4 . EB 19 JMP SHORT 破解版本.004014BF
004014A6 > C745 FC 5C704>MOV DWORD PTR SS:[EBP-4],破解版本.004070>; ASCII "Failed to read file or invalid data in file!"
004014AD . EB 10 JMP SHORT 破解版本.004014BF
004014AF > C745 FC 8C704>MOV DWORD PTR SS:[EBP-4],破解版本.004070>; ASCII "Invalid data in the file!"
004014B6 . EB 15 JMP SHORT 破解版本.004014CD
004014B8 > C745 FC 38704>MOV DWORD PTR SS:[EBP-4],破解版本.004070>; ASCII "Failed to read data from the file!"
004014BF > 395D F8 CMP DWORD PTR SS:[EBP-8],EBX
004014C2 . 74 09 JE SHORT 破解版本.004014CD
004014C4 . FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004014C7 E8 5F1F0000 CALL 破解版本.0040342B
004014CC . 59 POP ECX
004014CD 395D FC CMP DWORD PTR SS:[EBP-4],EBX
004014D0 75 13 JNZ SHORT 破解版本.004014E5
004014D2 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004014D5 . E8 00000000 CALL 破解版本.004014DA
004014DA $ 810424 267B00>ADD DWORD PTR SS:[ESP],7B26
004014E1 . FFD0 CALL EAX ; registration dialog appears
004014E3 . EB 11 JMP SHORT 破解版本.004014F6
004014E5 > 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014E7 . 68 30704000 PUSH 破解版本.00407030 ; |Title = "Error"
004014EC . FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Text
004014EF . 53 PUSH EBX ; |hOwner
004014F0 FF15 AC604000 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; \MessageBoxA ; shows the ERROR prompt
004014F6 > 5F POP EDI
004014F7 . 5E POP ESI
004014F8 . 33C0 XOR EAX,EAX
004014FA . 5B POP EBX
004014FB . C9 LEAVE
004014FC . C2 1000 RETN 10 ; exits the program
I've uploaded the program, please have a look: http://www.namipan.com/d/ac363ef63df483c95d95f94eaecfb0016c0a90062d413900
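The listing in the post above is a stub that reads a payload appended to the end of its own executable: it checks an 8-byte trailer (length, magic 829AB7A5), seeks back by that length, checks the magic again, builds a directory named E_%X under the temp path, transforms and decompresses the remaining bytes, writes out each (name, size, data) entry, loads krnln.fnr/krnln.fne and calls the function returned by GetNewSock. The CALL EAX at 004014E1 is therefore where the packed program starts, not where the KEY is checked. The parser below is an added example, not code from the original post or the program; it walks the same layout the disassembly validates, with the same error strings. The in-place routine at 00401119 and the decompressor at 0040321B are not shown on the page, so both are assumed to be identity and exposed as parameters; whether 00405BD0 compares names case-insensitively is also not shown, so the example matches names case-insensitively (assumption). The sample image is constructed inline.

```python
"""Parser for the appended payload read by the loader stub in the listing.
Added example (not the program's own code). The routines at 00401119 and
0040321B are not on the page: they are passed in as callables and default to
identity, which is an assumption made only so the sample below runs."""
import struct
from typing import Callable, Dict, List, Tuple

TRAILER_MAGIC = 0x829AB7A5      # compared at 004011DC and 00401250
INNER_MAGIC = 0x033E0F0D        # compared at 004012F6
MIN_TRAILER_POS = 0x3E8         # 004011A4/004011AC: (filesize - 8) must be >= 1000
KERNEL_NAMES = ("krnln.fnr", "krnln.fne")   # strings at 0040714C / 00407140


def identity_transform(body: bytes, param: int) -> bytes:
    """Stand-in for the call at 004012DB (not on the page); assumed identity."""
    return body


def identity_decompress(comp: bytes, expected_size: int) -> bytes:
    """Stand-in for the call at 0040132F (not on the page); assumed identity."""
    if len(comp) != expected_size:
        raise ValueError("Failed to decompress data!")
    return comp


def u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def read_trailer_block(image: bytes) -> Tuple[bytes, int, int]:
    """Mirror 004011A2..00401262: validate the 8-byte trailer, fetch the block."""
    size = len(image)
    if size < 8 or size - 8 < MIN_TRAILER_POS:          # JB at 004011AC
        raise ValueError("Invalid data in the file!")
    length, magic = struct.unpack_from("<II", image, size - 8)
    # 004011E6..004011F8: magic must match, 4 <= length < (filesize - 8), signed compares
    if magic != TRAILER_MAGIC or not (4 <= length < min(size - 8, 0x80000000)):
        raise ValueError("Invalid data in the file!")
    block = image[size - 8 - length: size - 8]           # SetFilePointer(-8-length, FILE_END)
    if u32(block, 0) != TRAILER_MAGIC:                   # 00401250
        raise ValueError("Failed to read file or invalid data in file!")
    dir_id = u32(block, 4)                               # formatted with "E_%X" at 00401293
    param = u32(block, 8)                                # pushed at 004012CE for the transform
    return block[12:], dir_id, param


def unpack_entries(blob: bytes) -> List[Tuple[str, bytes]]:
    """Mirror the loop 0040136D..00401416: NUL-terminated name, u32 size, data."""
    entries, pos = [], 0
    while pos < len(blob):
        end = blob.index(b"\x00", pos)                   # strlen at 004033B0
        name = blob[pos:end].decode("latin-1")
        data_len = u32(blob, end + 1)                    # MOV EDI,[ESI] at 004013AC
        start = end + 5
        entries.append((name, blob[start:start + data_len]))
        pos = start + data_len                           # ADD ESI,EDI at 00401411
    return entries


def parse_payload(image: bytes,
                  transform: Callable[[bytes, int], bytes] = identity_transform,
                  decompress: Callable[[bytes, int], bytes] = identity_decompress) -> Dict:
    body, dir_id, param = read_trailer_block(image)
    body = transform(body, param)
    # 004012EA..00401304: data must remain, inner magic must match, size must be > 0 (signed)
    if len(body) <= 8 or u32(body, 0) != INNER_MAGIC:
        raise ValueError("Invalid data in the file!")
    out_size = u32(body, 4)
    if out_size == 0 or out_size >= 0x80000000:
        raise ValueError("Invalid data in the file!")
    entries = unpack_entries(decompress(body[8:], out_size))
    # case-insensitive match is an assumption; 00405BD0 is not shown on the page
    kernel = next((n for n, _ in entries if n.lower() in KERNEL_NAMES), None)
    if kernel is None:
        raise ValueError("Not found the kernel library!")
    return {"dir_name": "E_%X" % dir_id, "param": param,
            "entries": entries, "kernel_library": kernel}


def build_sample(entries: List[Tuple[str, bytes]], dir_id: int = 0x12AB, param: int = 0) -> bytes:
    """Constructed test image in the layout the loader expects (identity transform/decompress)."""
    blob = b"".join(n.encode("latin-1") + b"\x00" + struct.pack("<I", len(d)) + d
                    for n, d in entries)
    body = struct.pack("<II", INNER_MAGIC, len(blob)) + blob
    block = struct.pack("<III", TRAILER_MAGIC, dir_id, param) + body
    stub = b"MZ" + b"\x00" * 0x3FE           # 1024 bytes of padding so the size check passes
    return stub + block + struct.pack("<II", len(block), TRAILER_MAGIC)


if __name__ == "__main__":
    sample = build_sample([("hello.txt", b"hi"), ("krnln.fne", b"\x00" * 16)])
    info = parse_payload(sample)
    for name, data in info["entries"]:
        print(info["dir_name"] + "\\" + name, len(data), "bytes")
    print("kernel library:", info["kernel_library"])
```

With the two missing routines filled in from the real binary, parse_payload over the executable lists exactly the files the stub drops under <temp>\E_<id>\ and names the kernel library it loads. Note also what the stub does after loading: CALL 004014DA pushes 004014DA, ADD DWORD PTR SS:[ESP],7B26 turns it into 00409000, and CALL EAX then invokes the function obtained from GetNewSock with that address on the stack, so 00409000 is the block the kernel library is handed once the stub is done.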