2 楼
程序拿来。
我来看看,看完了才好指点。
3 楼
004E7108 是 DEDE 反编译出来的注册窗体注册按钮事件的入口地址。在 OD 加载后可以 Ctrl+G 到达 4E7108,但是窗口一滚动反汇编就乱了:OD 从入口前的几个字节开始解码,指令边界错位,于是 004E70F7/004E70FA 处出现了下面这种无意义的指令(正确的函数应该从 004E7108 的 push ebp 开始),变成
004E70F7 0073 79 add byte ptr ds:[ebx+79],dh
004E70FA 73 45 jnb short 1_.004E7141
; --- TfrmRegister "Register" button handler (DeDe listing, entry 004E7108) ---
; Borland register convention: Self arrives in EAX and is parked at [ebp-$04].
; Visible flow: build <exe dir>\finance.exe, create it, write a $145-byte record
; (trimmed edtRegister text, a few hard-coded constants, trimmed edtRegisterSN
; text), free the stream, then call the main form's GetRegUser() and CheckReg().
; Only when BOTH return non-zero in AL does it set the main form's "registered"
; byte, relabel/disable the UI and close the form. Nothing here protects the
; integrity of the record it writes; the whole decision rests on two AL results.
004E7108 55 push ebp
004E7109 8BEC mov ebp, esp
004E710B 81C498FDFFFF add esp, $FFFFFD98 ; $268 bytes of locals; the $145-byte record lives in here
004E7111 53 push ebx
004E7112 33C9 xor ecx, ecx
004E7114 898D9CFDFFFF mov [ebp+$FFFFFD9C], ecx ; nil the AnsiString locals released in the outer finally
004E711A 898D98FDFFFF mov [ebp+$FFFFFD98], ecx
004E7120 898DA4FDFFFF mov [ebp+$FFFFFDA4], ecx
004E7126 898DA0FDFFFF mov [ebp+$FFFFFDA0], ecx
004E712C 898DACFEFFFF mov [ebp+$FFFFFEAC], ecx
004E7132 898DA8FEFFFF mov [ebp+$FFFFFEA8], ecx
004E7138 8945FC mov [ebp-$04], eax ; Self (TfrmRegister)
004E713B 33C0 xor eax, eax
004E713D 55 push ebp
* Possible String Reference to: '橐?爰[嬪]?
|
004E713E 68BA734E00 push $004E73BA ; outer try/finally handler (DeDe misread these code bytes as a string)
***** TRY
|
004E7143 64FF30 push dword ptr fs:[eax]
004E7146 648920 mov fs:[eax], esp ; install SEH frame
004E7149 33C0 xor eax, eax
004E714B 8945F8 mov [ebp-$08], eax ; [ebp-$08] = stream object, nil until created
004E714E 33C0 xor eax, eax
004E7150 55 push ebp
* Possible String Reference to: '?玉腽?
|
004E7151 6893724E00 push $004E7293 ; inner try/finally handler (frees the stream)
***** TRY
|
004E7156 64FF30 push dword ptr fs:[eax]
004E7159 648920 mov fs:[eax], esp
004E715C 68FFFF0000 push $0000FFFF ; Mode for TFileStream.Create; $FFFF = fmCreate (create/truncate) -- TODO confirm against this Delphi version's Classes.pas
004E7161 8D95A8FEFFFF lea edx, [ebp+$FFFFFEA8]
004E7167 A1F46C4F00 mov eax, dword ptr [$004F6CF4] ; global Application object
004E716C 8B00 mov eax, [eax]
* Reference to: DdeMan.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
| or: Forms.TApplication.GetExeName(TApplication):AnsiString;
|
004E716E E8F1ADF9FF call 00481F64 ; [ebp+$FFFFFEA8] := Application.ExeName
004E7173 8B85A8FEFFFF mov eax, [ebp+$FFFFFEA8]
004E7179 8D95ACFEFFFF lea edx, [ebp+$FFFFFEAC]
* Reference to: SysUtils.ExtractFilePath(AnsiString):AnsiString;
|
004E717F E82C2BF2FF call 00409CB0 ; [ebp+$FFFFFEAC] := directory of the running exe
004E7184 8D85ACFEFFFF lea eax, [ebp+$FFFFFEAC]
* Possible String Reference to: 'finance.exe'
|
004E718A BAD0734E00 mov edx, $004E73D0
* Reference to: System.@LStrCat;
|
004E718F E880DDF1FF call 00404F14 ; path := <exe dir> + 'finance.exe' (a data file despite the .exe name)
004E7194 8B8DACFEFFFF mov ecx, [ebp+$FFFFFEAC] ; FileName
004E719A B201 mov dl, $01 ; DL=1: allocate a new instance
004E719C A108B44100 mov eax, dword ptr [$0041B408] ; TFileStream class reference
* Reference to: Classes.TFileStream.Create(TFileStream;boolean;AnsiString;Word);overload;
|
004E71A1 E8EA90F3FF call 00420290 ; TFileStream.Create(path, $FFFF) -- any existing finance.exe is overwritten
004E71A6 8945F8 mov [ebp-$08], eax ; keep the stream for the finally block
004E71A9 8D95A0FDFFFF lea edx, [ebp+$FFFFFDA0]
004E71AF 8B45FC mov eax, [ebp-$04]
* Reference to control edtRegister : TEdit
|
004E71B2 8B8014030000 mov eax, [eax+$0314]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004E71B8 E8FBA7F7FF call 004619B8 ; [ebp+$FFFFFDA0] := edtRegister.Text (user-controlled input)
004E71BD 8B85A0FDFFFF mov eax, [ebp+$FFFFFDA0]
004E71C3 8D95A4FDFFFF lea edx, [ebp+$FFFFFDA4]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004E71C9 E8A622F2FF call 00409474 ; [ebp+$FFFFFDA4] := Trim(edtRegister.Text)
004E71CE 8B95A4FDFFFF mov edx, [ebp+$FFFFFDA4]
004E71D4 8D85A8FDFFFF lea eax, [ebp+$FFFFFDA8]
004E71DA B9FF000000 mov ecx, $000000FF ; max 255 chars
* Reference to: System.@LStrToString;
|
004E71DF E804DDF1FF call 00404EE8 ; AnsiString -> ShortString temp at [ebp+$FFFFFDA8]
004E71E4 8D95A8FDFFFF lea edx, [ebp+$FFFFFDA8]
004E71EA 8D85B3FEFFFF lea eax, [ebp+$FFFFFEB3] ; record start: string[40] name field
004E71F0 B128 mov cl, $28 ; truncate to 40 chars
* Reference to: System.@PStrNCpy(PShortString;PShortString;Byte);
|
004E71F2 E871BFF1FF call 00403168
; Hard-coded constants poked into the record at fixed offsets (+$29, +$2D, +$31 and the
; last 16 bytes). The pairs $42A674E7:$9CA53E00, $3FBF7CED:$916872B0 and $411BE154:0 have
; the bit layout of 8-byte IEEE-754 doubles -- their meaning is not visible here; TODO confirm.
004E71F7 C785E4FEFFFF64000000 mov dword ptr [ebp+$FFFFFEE4], $00000064 ; record+$31 := 100
004E7201 C745E8B0726891 mov dword ptr [ebp-$18], $916872B0
004E7208 C745ECED7CBF3F mov dword ptr [ebp-$14], $3FBF7CED
004E720F 33C0 xor eax, eax
004E7211 8945F0 mov [ebp-$10], eax
004E7214 C745F454E11B41 mov dword ptr [ebp-$0C], $411BE154
004E721B C785DCFEFFFF003EA59C mov dword ptr [ebp+$FFFFFEDC], $9CA53E00 ; record+$29
004E7225 C785E0FEFFFFE774A642 mov dword ptr [ebp+$FFFFFEE0], $42A674E7 ; record+$2D
004E722F 8D9598FDFFFF lea edx, [ebp+$FFFFFD98]
004E7235 8B45FC mov eax, [ebp-$04]
* Reference to control edtRegisterSN : TEdit
|
004E7238 8B8018030000 mov eax, [eax+$0318]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004E723E E875A7F7FF call 004619B8 ; [ebp+$FFFFFD98] := edtRegisterSN.Text (the entered serial)
004E7243 8B8598FDFFFF mov eax, [ebp+$FFFFFD98]
004E7249 8D959CFDFFFF lea edx, [ebp+$FFFFFD9C]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004E724F E82022F2FF call 00409474 ; [ebp+$FFFFFD9C] := Trim(serial)
004E7254 8B959CFDFFFF mov edx, [ebp+$FFFFFD9C]
004E725A 8D85E8FEFFFF lea eax, [ebp+$FFFFFEE8] ; record+$35: string[255] serial field (GetRegUser reads it back from +$35)
004E7260 B9FF000000 mov ecx, $000000FF
* Reference to: System.@LStrToString;
|
004E7265 E87EDCF1FF call 00404EE8
004E726A 8D95B3FEFFFF lea edx, [ebp+$FFFFFEB3] ; Buffer := record
004E7270 B945010000 mov ecx, $00000145 ; Count := $145 (325) bytes, the whole record up to ebp-$08
004E7275 8B45F8 mov eax, [ebp-$08] ; Self := stream
004E7278 8B18 mov ebx, [eax]
004E727A FF5310 call dword ptr [ebx+$10] ; VMT slot $10 -- presumably TStream.Write (GetRegUser uses slot $0C to read the same $145 bytes) -- TODO confirm
004E727D 33C0 xor eax, eax
004E727F 5A pop edx
004E7280 59 pop ecx
004E7281 59 pop ecx
004E7282 648910 mov fs:[eax], edx ; pop inner SEH frame
****** FINALLY
|
004E7285 689A724E00 push $004E729A ; continue at 004E729A after the finally body
004E728A 8B45F8 mov eax, [ebp-$08]
* Reference to: System.TObject.Free(TObject);
|
004E728D E8A6CBF1FF call 00403E38 ; stream.Free (closes finance.exe)
004E7292 C3 ret
* Reference to: System.@HandleFinally;
|
004E7293 E934D3F1FF jmp 004045CC
004E7298 EBF0 jmp 004E728A
****** END
|
004E729A A100674F00 mov eax, dword ptr [$004F6700] ; global main-form instance (TfrmExcelentPickGold)
004E729F 8B00 mov eax, [eax]
* Reference to : TfrmExcelentPickGold.GetRegUser()
|
004E72A1 E8AA2B0000 call 004E9E50 ; check 1: re-read finance.exe and validate the serial (see 004E9E50)
004E72A6 84C0 test al, al
004E72A8 0F84C2000000 jz 004E7370 ; failure is silent: straight to the finally, no message
004E72AE A100674F00 mov eax, dword ptr [$004F6700]
004E72B3 8B00 mov eax, [eax]
* Reference to : TfrmExcelentPickGold.CheckReg()
|
004E72B5 E82E2A0000 call 004E9CE8 ; check 2: online check (see 004E9CE8); both must return AL<>0
004E72BA 84C0 test al, al
004E72BC 0F84AE000000 jz 004E7370
004E72C2 A100674F00 mov eax, dword ptr [$004F6700]
004E72C7 8B00 mov eax, [eax]
004E72C9 C6809003000001 mov byte ptr [eax+$0390], $01 ; main form's one-byte "registered" flag -- the flag the thread calls 标志位
004E72D0 8B45FC mov eax, [ebp-$04]
* Reference to control lblRegister : TLabel
|
004E72D3 8B8024030000 mov eax, [eax+$0324]
* Possible String Reference to: '已注册'
|
004E72D9 BAE4734E00 mov edx, $004E73E4
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
004E72DE E805A7F7FF call 004619E8 ; lblRegister.Caption := '已注册'
; The next four calls hit VMT slot $64 with DL=0 on edtRegister, edtRegisterSN,
; bbtnRegister and bbtnClose -- presumably SetEnabled(False), matching the
; "锁定变灰" behaviour described in the thread. TODO confirm the slot.
004E72E3 8B45FC mov eax, [ebp-$04]
* Reference to control edtRegister : TEdit
|
004E72E6 8B8014030000 mov eax, [eax+$0314]
004E72EC 33D2 xor edx, edx
004E72EE 8B08 mov ecx, [eax]
004E72F0 FF5164 call dword ptr [ecx+$64]
004E72F3 8B45FC mov eax, [ebp-$04]
* Reference to control edtRegisterSN : TEdit
|
004E72F6 8B8018030000 mov eax, [eax+$0318]
004E72FC 33D2 xor edx, edx
004E72FE 8B08 mov ecx, [eax]
004E7300 FF5164 call dword ptr [ecx+$64]
004E7303 8B45FC mov eax, [ebp-$04]
* Reference to control bbtnRegister : TBitBtn
|
004E7306 8B801C030000 mov eax, [eax+$031C]
004E730C 33D2 xor edx, edx
004E730E 8B08 mov ecx, [eax]
004E7310 FF5164 call dword ptr [ecx+$64]
004E7313 8B45FC mov eax, [ebp-$04]
* Reference to control bbtnClose : TBitBtn
|
004E7316 8B8020030000 mov eax, [eax+$0320]
004E731C 33D2 xor edx, edx
004E731E 8B08 mov ecx, [eax]
004E7320 FF5164 call dword ptr [ecx+$64]
004E7323 33C0 xor eax, eax
|
004E7325 E86EBCFFFF call 004E2F98 ; unknown routine, called with EAX=0 -- not resolved by DeDe
* Reference to : TfrmRegister._PROC_004E70A4()
|
004E732A E875FDFFFF call 004E70A4 ; unknown TfrmRegister method
004E732F A100674F00 mov eax, dword ptr [$004F6700]
004E7334 8B00 mov eax, [eax]
* Reference to control bbtnClose : TBitBtn
|
004E7336 8B8020030000 mov eax, [eax+$0320]
004E733C B201 mov dl, $01 ; same slot, DL=1, on the MAIN form's bbtnClose and lblRegister
004E733E 8B08 mov ecx, [eax]
004E7340 FF5164 call dword ptr [ecx+$64]
004E7343 A100674F00 mov eax, dword ptr [$004F6700]
004E7348 8B00 mov eax, [eax]
* Reference to control lblRegister : TLabel
|
004E734A 8B8024030000 mov eax, [eax+$0324]
004E7350 B201 mov dl, $01
004E7352 8B08 mov ecx, [eax]
004E7354 FF5164 call dword ptr [ecx+$64]
004E7357 A100674F00 mov eax, dword ptr [$004F6700] ; EAX := main form itself
004E735C 8B00 mov eax, [eax]
* Possible String Reference to: 'XXXXXXXXX-XXXXXXXX
| X--XXXXXXXX'
|
004E735E BAF4734E00 mov edx, $004E73F4
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
004E7363 E880A6F7FF call 004619E8 ; SetText on the main form -- presumably its window caption (the "title" mentioned in the thread)
004E7368 8B45FC mov eax, [ebp-$04]
* Reference to: Forms.TCustomForm.Close(TCustomForm);
|
004E736B E8A46EF9FF call 0047E214 ; close the register form
004E7370 33C0 xor eax, eax ; failure paths land here
004E7372 5A pop edx
004E7373 59 pop ecx
004E7374 59 pop ecx
004E7375 648910 mov fs:[eax], edx ; pop outer SEH frame
****** FINALLY
|
* Possible String Reference to: '[嬪]?
|
004E7378 68C1734E00 push $004E73C1 ; continue at 004E73C1 (epilogue) after the finally body
004E737D 8D8598FDFFFF lea eax, [ebp+$FFFFFD98]
* Reference to: System.@LStrClr(void;void);
|
004E7383 E8C4D8F1FF call 00404C4C ; release the temporary AnsiStrings
004E7388 8D859CFDFFFF lea eax, [ebp+$FFFFFD9C]
* Reference to: System.@LStrClr(void;void);
|
004E738E E8B9D8F1FF call 00404C4C
004E7393 8D85A0FDFFFF lea eax, [ebp+$FFFFFDA0]
* Reference to: System.@LStrClr(void;void);
|
004E7399 E8AED8F1FF call 00404C4C
004E739E 8D85A4FDFFFF lea eax, [ebp+$FFFFFDA4]
* Reference to: System.@LStrClr(void;void);
|
004E73A4 E8A3D8F1FF call 00404C4C
004E73A9 8D85A8FEFFFF lea eax, [ebp+$FFFFFEA8]
004E73AF BA02000000 mov edx, $00000002 ; two consecutive AnsiStrings: ExeName and the path
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
004E73B4 E8B7D8F1FF call 00404C70
004E73B9 C3 ret
* Reference to: System.@HandleFinally;
|
004E73BA E90DD2F1FF jmp 004045CC
004E73BF EBBC jmp 004E737D
****** END
|
004E73C1 5B pop ebx
004E73C2 8BE5 mov esp, ebp
004E73C4 5D pop ebp
004E73C5 C3 ret ; procedure: no result
4 楼
我用ascii码方式找到几处注册成功标签
1)程序启动的title里显示的未注册/已注册,修改跳转,启动显示已注册
2)注册窗体中显示的未注册/已注册,修改跳转,再打开程序注册窗体时,输入注册码锁定变灰,显示已注册
但有一个功能一运行仍报可能是试用版的错,再找这个错
修改跳转,再运行,不报错了,都显示的是已注册,可运行这个功能什么也没有显示....
什么原因??
5 楼
怎么跟你联系??
6 楼
[QUOTE=eddieson;532381]
* Reference to : TfrmExcelentPickGold.GetRegUser()
|
004E72A1 E8AA2B0000 call 004E9E50
004E72A6 84C0 test al, al
004E72A8 0F84C2000000 jz 004E7370
004E72AE A100674F00 mov eax, dword ptr [$004F6700]
004E72B3 8B00 mov eax, [eax]
* Reference to : TfrmExcelentPickGold.CheckReg()
|
004E72B5 E82E2A0000 call 004E9CE8
004E72BA 84C0 test al, al
004E72BC 0F84AE000000 jz 004E7370
004E72C2 A100674F00 mov eax, dword ptr [$004F6700].[/QUOTE]
这里,看到了没? CheckReg()。
直接到004e9ce8去下断点。
如果爆破,就修改 004E9CE8 这个函数,让它直接返回成功。注意它前面 004E72A1 处先调用的 GetRegUser() 也必须返回真(那个函数读的是程序目录下 finance.exe 里的记录),两个 test al,al 都不为零才会走到 004E72C2 的“已注册”分支。
这种设计,将注册判断放在一个函数里,最容易搞定。
“爆破”,并不是一定要修改跳转指令,曾经有一篇文章,讲的是“标志位”爆破法,你可以查找一下。
这个可以叫做“验证函数”爆破法,和“标志位”是异曲同工啊。
PS.在OD中定位到函数后,程序做了混淆,所以不要滚动,直接下断点。
如果无法下int3断点,就直接硬件断点伺候。
这种代码混淆非常常见,方法就是不要滚动窗口。
如果已经乱了,可以按CTRL+上/下,让OD一个字节一个字节地滚动,直到出现正确的反汇编。
祝你好运。
7 楼
其实选中
004E7108 55 push ebp
之前的几个字节,然后点右键->分析->下次分析时,将选择部分视为->Bytes,这样就不会乱掉了。
8 楼
这两天都搭在这上了,不管怎么样,非常感谢以上两位的帮助......又学习了不少,之前有想过"标志位"爆破,我再试试
9 楼
这个函数是联网认证。我是不让它联网,还是让它验证后做相反跳呢???(从代码看,004E9D01 的 InternetCheckConnection 失败会跳到 004E9D90,弹出提示并把结果置 0,所以单纯断网只会让验证失败,不是绕过。)前面说的一下断就飞了,直接 ctrl+G 来到这里
; --- TfrmExcelentPickGold.CheckReg (OllyDbg listing, entry 004E9CE8) ---
; Self arrives in EAX and is kept in EBX. The Boolean result is built in the
; byte at [ebp-1] and returned in AL (the caller at 004E72BA does test al,al).
; Visible flow: probe "http://xxxx/" with InternetCheckConnection; if reachable,
; fetch "http://xxxx/reg.rar" into an in-memory object and hand it to 004E9BF4,
; whose AL decides the result. Both URLs are plain http:// and no hash or
; signature check of the download is visible in this function -- whatever
; 004E9BF4 does, a hosts-file/DNS/proxy redirect can serve a substitute reg.rar.
004E9CE8 55 push ebp
004E9CE9 8BEC mov ebp,esp
004E9CEB 83C4 CC add esp,-34 ; $34 bytes of locals; NOT zeroed, see the except path below
004E9CEE 53 push ebx
004E9CEF 56 push esi
004E9CF0 57 push edi
004E9CF1 8BD8 mov ebx,eax ; EBX := Self
004E9CF3 33C0 xor eax,eax
004E9CF5 8945 F8 mov dword ptr ss:[ebp-8],eax ; [ebp-8] := nil (stream object); [ebp-1] (Result) is left uninitialised
004E9CF8 6A 00 push 0 ; dwReserved
004E9CFA 6A 01 push 1 ; FLAG_ICC_FORCE_CONNECTION
; InternetCheckConnection("http://xxxx/", 1, 0) -- only tests reachability of the host
004E9CFC 68 C49D4E00 push Unpack_.004E9DC4 ; ASCII "http://xxxx/"
004E9D01 E8 BEA6F4FF call <jmp.&wininet.InternetCheckConnecti>
004E9D06 85C0 test eax,eax
004E9D08 0F84 82000000 je Unpack_.004E9D90 ; offline -> message box, Result := 0
004E9D0E 33C0 xor eax,eax
004E9D10 55 push ebp
004E9D11 68 6D9D4E00 push Unpack_.004E9D6D ; try/except handler
004E9D16 64:FF30 push dword ptr fs:[eax]
004E9D19 64:8920 mov dword ptr fs:[eax],esp
004E9D1C B2 01 mov dl,1 ; DL=1: allocate a new instance
004E9D1E A1 F8B44100 mov eax,dword ptr ds:[41B4F8] ; class reference -- presumably a TStream descendant (see the Seek-like call at 004E9D47) -- TODO confirm
004E9D23 E8 E0A0F1FF call Unpack_.00403E08 ; create the object (likely @ClassCreate) -- TODO confirm
004E9D28 8945 F8 mov dword ptr ss:[ebp-8],eax
004E9D2B 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC] ; Self.<component at +$2FC>, the HTTP client -- type not visible here
004E9D31 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ; destination stream
; download reg.rar over cleartext HTTP into the stream
004E9D34 BA E89D4E00 mov edx,Unpack_.004E9DE8 ; ASCII "http://xxxx/reg.rar"
004E9D39 E8 D2F7FEFF call Unpack_.004D9510
004E9D3E 33C9 xor ecx,ecx
004E9D40 33D2 xor edx,edx
004E9D42 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004E9D45 8B18 mov ebx,dword ptr ds:[eax]
004E9D47 FF53 14 call dword ptr ds:[ebx+14] ; VMT slot $14 with (0,0) -- presumably Seek(0, soFromBeginning) -- TODO confirm
004E9D4A 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; the downloaded data
004E9D4D 8D45 CF lea eax,dword ptr ss:[ebp-31] ; local buffer for 004E9BF4's output
004E9D50 E8 9FFEFFFF call Unpack_.004E9BF4 ; parses/validates the download; AL is the verdict
004E9D55 84C0 test al,al
004E9D57 74 06 je short Unpack_.004E9D5F
004E9D59 C645 FF 01 mov byte ptr ss:[ebp-1],1 ; Result := True
004E9D5D EB 04 jmp short Unpack_.004E9D63
004E9D5F C645 FF 00 mov byte ptr ss:[ebp-1],0 ; Result := False
004E9D63 33C0 xor eax,eax
004E9D65 5A pop edx
004E9D66 59 pop ecx
004E9D67 59 pop ecx
004E9D68 64:8910 mov dword ptr fs:[eax],edx ; pop SEH frame
004E9D6B EB 19 jmp short Unpack_.004E9D86
004E9D6D ^ E9 A6A5F1FF jmp Unpack_.00404318 ; exception handler stub
; Presumed except body: free the stream, finish exception handling, fall to the
; epilogue. [ebp-1] is never written on this path, so if the download or 004E9BF4
; raises, the function returns whatever byte happened to be on the stack.
004E9D72 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004E9D75 E8 BEA0F1FF call Unpack_.00403E38 ; TObject.Free (same address DeDe resolved as Free in the form code)
004E9D7A E8 01A9F1FF call Unpack_.00404680
004E9D7F EB 37 jmp short Unpack_.004E9DB8
004E9D81 E8 FAA8F1FF call Unpack_.00404680 ; no visible jump reaches this line
004E9D86 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004E9D89 E8 AAA0F1FF call Unpack_.00403E38 ; normal path: free the stream
004E9D8E EB 28 jmp short Unpack_.004E9DB8
004E9D90 6A 30 push 30 ; MB_ICONEXCLAMATION flags for the message box
004E9D92 B9 149E4E00 mov ecx,Unpack_.004E9E14 ; caption
004E9D97 BA 249E4E00 mov edx,Unpack_.004E9E24 ; text
004E9D9C A1 F46C4F00 mov eax,dword ptr ds:[4F6CF4] ; global Application
004E9DA1 8B00 mov eax,dword ptr ds:[eax]
004E9DA3 E8 3C7DF9FF call Unpack_.00481AE4 ; presumably Application.MessageBox -- TODO confirm
004E9DA8 C645 FF 00 mov byte ptr ss:[ebp-1],0 ; Result := False when offline
004E9DAC A1 F46C4F00 mov eax,dword ptr ds:[4F6CF4]
004E9DB1 8B00 mov eax,dword ptr ds:[eax]
004E9DB3 E8 887CF9FF call Unpack_.00481A40 ; another Application method -- possibly Terminate; not resolved here
004E9DB8 8A45 FF mov al,byte ptr ss:[ebp-1] ; AL := Result
004E9DBB 5F pop edi
004E9DBC 5E pop esi
004E9DBD 5B pop ebx
004E9DBE 8BE5 mov esp,ebp
004E9DC0 5D pop ebp
004E9DC1 C3 retn ; no stack arguments, so a 6-byte "mov eax,1 / retn" patch at the entry keeps the stack balanced
10 楼
如果只有这一个验证函数的话,直接让函数返回”成功“的标志即可。
看原来函数开头的部分
以及结尾部分的retn,你直接修改成这个“模样”,保持堆栈平衡即可:
mov eax, 1
retn
这样这个函数就永远返回“成功”了。(Delphi 的 Boolean 结果放在 AL 里,调用处 004E72BA 只做 test al,al,所以这两条指令就够了;B8 01 00 00 00 C3 正好 6 字节,刚好覆盖开头的 push ebp / mov ebp,esp / add esp,-34 三条指令。这个函数的参数走寄存器,没有栈参数,直接 retn 不会破坏堆栈。)
这只是简单的情况。如果程序有其它的手段导致修改后不能正常运行,则还要具体情况具体分析。
11 楼
感谢你的回答,一会儿试一下这个方法,但我估计不成
点击注册按钮会在程序所在目录下生成一个 xxxxxxxx.exe 文件(从 004E718A 处的拼接看就是 <程序目录>\finance.exe;它只是 004E727A 处一次写出的 $145 字节数据记录,并不是可执行文件),这个文件中能看到机器码和注册码,但其余的是乱码(记录里还有几组 004E71F7~004E7225 处写入的硬编码常量)
我感觉这个函数是验证机器码的,函数好像是确认一下网址,然后从该网址下载一个文件(这个文件用文本打个是个与机器码前7位一致但后面不同的字串),之后用这个文件去掉本机机器码前8位一致的部分,
跟踪启动读取xxxxxxxx.exe文件时,发现
得到的是本机机器码后面的部分,是把假码,和两个数字串都压入栈,但找不到明显的比较
感觉就断了.....无从下手啊,下面是getreguser的部分,4EA02A和4EA091哪个是比较注册码的部分???
有xxxxxxxx.exe文件时,4EA02A能断下,EAX值是去掉前8位剩下部分的机器码
在4EA091下断,就跑进程序了
; --- TfrmExcelentPickGold.GetRegUser (DeDe listing, entry 004E9E50) ---
; Boolean result built in EBX/BL and moved to EAX at 004EA0E7.
; Visible flow: if <exe dir>\finance.exe is missing -> False. Otherwise read a
; $145-byte record from it into [ebp+$FFFFFE97] (same layout the register form
; writes), take the string[255] field at record+$35 (the stored serial), run it
; through 004E39B4 / 004E61D4 together with two hard-coded decimal constants
; ('575969' and a ~95-digit number), and require the resulting string in [ebp-$04]
; to equal BOTH (1) the trimmed output of 004E2840 and (2) the record's name
; field with its first 8 characters dropped. Only then BL := 1.
; The shape (small constant, huge modulus-sized constant, 8-byte record fields)
; suggests a big-number/modular-arithmetic check, but nothing here names the
; algorithm -- TODO confirm by reading 004E61D4. If it is a public-key verify,
; the constants ARE the verification key and live unprotected in the binary.
004E9E50 55 push ebp
004E9E51 8BEC mov ebp, esp
004E9E53 B938000000 mov ecx, $00000038
004E9E58 6A00 push $00 ; $38 iterations x 8 bytes: 448 bytes of zeroed locals
004E9E5A 6A00 push $00
004E9E5C 49 dec ecx
004E9E5D 75F9 jnz 004E9E58
004E9E5F 51 push ecx
004E9E60 53 push ebx
; three 8-byte records of the managed type described at $004E3614 (used for the numeric values below)
004E9E61 8D45F0 lea eax, [ebp-$10]
004E9E64 8B1514364E00 mov edx, [$004E3614]
* Reference to: System.@InitializeRecord(Pointer;Pointer);
| or: System.@AddRefRecord;
|
004E9E6A E8BDB7F1FF call 0040562C
004E9E6F 8D45E8 lea eax, [ebp-$18]
004E9E72 8B1514364E00 mov edx, [$004E3614]
* Reference to: System.@InitializeRecord(Pointer;Pointer);
| or: System.@AddRefRecord;
|
004E9E78 E8AFB7F1FF call 0040562C
004E9E7D 8D45E0 lea eax, [ebp-$20]
004E9E80 8B1514364E00 mov edx, [$004E3614]
* Reference to: System.@InitializeRecord(Pointer;Pointer);
| or: System.@AddRefRecord;
|
004E9E86 E8A1B7F1FF call 0040562C
004E9E8B 33C0 xor eax, eax
004E9E8D 55 push ebp
* Possible String Reference to: '殓ゑ肴嬅[嬪]?
|
004E9E8E 68E0A04E00 push $004EA0E0 ; outer try/finally handler (DeDe misread code bytes as a string)
***** TRY
|
004E9E93 64FF30 push dword ptr fs:[eax]
004E9E96 648920 mov fs:[eax], esp
004E9E99 33C0 xor eax, eax
004E9E9B 8945DC mov [ebp-$24], eax ; [ebp-$24] = stream object, nil until created
004E9E9E 8D958CFEFFFF lea edx, [ebp+$FFFFFE8C]
004E9EA4 A1F46C4F00 mov eax, dword ptr [$004F6CF4] ; global Application
004E9EA9 8B00 mov eax, [eax]
* Reference to: DdeMan.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
| or: Forms.TApplication.GetExeName(TApplication):AnsiString;
|
004E9EAB E8B480F9FF call 00481F64
004E9EB0 8B858CFEFFFF mov eax, [ebp+$FFFFFE8C]
004E9EB6 8D9590FEFFFF lea edx, [ebp+$FFFFFE90]
* Reference to: SysUtils.ExtractFilePath(AnsiString):AnsiString;
|
004E9EBC E8EFFDF1FF call 00409CB0
004E9EC1 8D8590FEFFFF lea eax, [ebp+$FFFFFE90]
* Possible String Reference to: 'finance.exe'
|
004E9EC7 BAF8A04E00 mov edx, $004EA0F8
* Reference to: System.@LStrCat;
|
004E9ECC E843B0F1FF call 00404F14 ; [ebp+$FFFFFE90] := <exe dir> + 'finance.exe'
004E9ED1 8B8590FEFFFF mov eax, [ebp+$FFFFFE90]
* Reference to: SysUtils.FileExists(AnsiString):Boolean;
|
004E9ED7 E808FDF1FF call 00409BE4
004E9EDC 84C0 test al, al
004E9EDE 0F84BC010000 jz 004EA0A0 ; no finance.exe -> False (a jump patch at 004EA02F/004EA096 does not help past this)
004E9EE4 33C0 xor eax, eax
004E9EE6 55 push ebp
004E9EE7 68659F4E00 push $004E9F65 ; inner try/finally handler (frees the stream)
***** TRY
|
004E9EEC 64FF30 push dword ptr fs:[eax]
004E9EEF 648920 mov fs:[eax], esp
004E9EF2 6A00 push $00 ; Mode := 0 = fmOpenRead -- TODO confirm against Classes.pas
004E9EF4 8D9584FEFFFF lea edx, [ebp+$FFFFFE84]
004E9EFA A1F46C4F00 mov eax, dword ptr [$004F6CF4]
004E9EFF 8B00 mov eax, [eax]
* Reference to: DdeMan.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
| or: Forms.TApplication.GetExeName(TApplication):AnsiString;
|
004E9F01 E85E80F9FF call 00481F64 ; the path is rebuilt a second time instead of reusing [ebp+$FFFFFE90]
004E9F06 8B8584FEFFFF mov eax, [ebp+$FFFFFE84]
004E9F0C 8D9588FEFFFF lea edx, [ebp+$FFFFFE88]
* Reference to: SysUtils.ExtractFilePath(AnsiString):AnsiString;
|
004E9F12 E899FDF1FF call 00409CB0
004E9F17 8D8588FEFFFF lea eax, [ebp+$FFFFFE88]
* Possible String Reference to: 'finance.exe'
|
004E9F1D BAF8A04E00 mov edx, $004EA0F8
* Reference to: System.@LStrCat;
|
004E9F22 E8EDAFF1FF call 00404F14
004E9F27 8B8D88FEFFFF mov ecx, [ebp+$FFFFFE88] ; FileName
004E9F2D B201 mov dl, $01
004E9F2F A108B44100 mov eax, dword ptr [$0041B408] ; TFileStream class reference
* Reference to: Classes.TFileStream.Create(TFileStream;boolean;AnsiString;Word);overload;
|
004E9F34 E85763F3FF call 00420290
004E9F39 8945DC mov [ebp-$24], eax
004E9F3C 8D9597FEFFFF lea edx, [ebp+$FFFFFE97] ; Buffer := record (same layout the form wrote: name string[40] at +0, serial string[255] at +$35)
004E9F42 B945010000 mov ecx, $00000145 ; Count := $145, identical to the write at 004E727A
004E9F47 8B45DC mov eax, [ebp-$24]
004E9F4A 8B18 mov ebx, [eax]
004E9F4C FF530C call dword ptr [ebx+$0C] ; VMT slot $0C -- presumably TStream.Read -- TODO confirm; a short read leaves the rest of the buffer as the zeroed locals
004E9F4F 33C0 xor eax, eax
004E9F51 5A pop edx
004E9F52 59 pop ecx
004E9F53 59 pop ecx
004E9F54 648910 mov fs:[eax], edx
****** FINALLY
|
004E9F57 686C9F4E00 push $004E9F6C
004E9F5C 8B45DC mov eax, [ebp-$24]
* Reference to: System.TObject.Free(TObject);
|
004E9F5F E8D49EF1FF call 00403E38 ; stream.Free
004E9F64 C3 ret
* Reference to: System.@HandleFinally;
|
004E9F65 E962A6F1FF jmp 004045CC
004E9F6A EBF0 jmp 004E9F5C
****** END
|
004E9F6C 8D8580FEFFFF lea eax, [ebp+$FFFFFE80] ; dest AnsiString
004E9F72 8D95CCFEFFFF lea edx, [ebp+$FFFFFECC] ; src: record+$35, the stored serial (ShortString)
* Reference to: System.@LStrFromString(String;String;ShortString;ShortString);
| or: System.@WStrFromString(WideString;WideString;ShortString;ShortString);
|
004E9F78 E833AFF1FF call 00404EB0
004E9F7D 8B8580FEFFFF mov eax, [ebp+$FFFFFE80]
004E9F83 8D55FC lea edx, [ebp-$04]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004E9F86 E8E9F4F1FF call 00409474 ; [ebp-$04] := Trim(stored serial)
004E9F8B 8D55F8 lea edx, [ebp-$08] ; out param
004E9F8E 8B45FC mov eax, [ebp-$04]
|
004E9F91 E81E9AFFFF call 004E39B4 ; [ebp-$08] := f(serial) -- transformation not visible here
004E9F96 8D45FC lea eax, [ebp-$04]
* Reference to: System.@LStrClr(void;void);
|
004E9F99 E8AEACF1FF call 00404C4C ; [ebp-$04] := '' ; it is reused as an OUT parameter of 004E61D4 below
004E9F9E 8D55F0 lea edx, [ebp-$10] ; out: record #1
* Possible String Reference to: '575969'
|
004E9FA1 B80CA14E00 mov eax, $004EA10C
|
004E9FA6 E8FD9DFFFF call 004E3DA8 ; decimal string -> numeric record (hard-coded constant #1)
004E9FAB 8D55E8 lea edx, [ebp-$18] ; out: record #2
* Possible String Reference to: '17166242516039274496869237002550514
| 51734800555175175212506141760167605
| 2726703642223718554521'
|
004E9FAE B81CA14E00 mov eax, $004EA11C
|
004E9FB3 E8F09DFFFF call 004E3DA8 ; decimal string -> numeric record (hard-coded constant #2)
; 004E61D4(eax=[ebp-$08], edx=@rec1, ecx=@rec2; stack: @[ebp-$04], @rec3 x4)
004E9FB8 8D45E0 lea eax, [ebp-$20]
004E9FBB 50 push eax
004E9FBC 8D45E0 lea eax, [ebp-$20]
004E9FBF 50 push eax
004E9FC0 8D45E0 lea eax, [ebp-$20]
004E9FC3 50 push eax
004E9FC4 8D45E0 lea eax, [ebp-$20]
004E9FC7 50 push eax
004E9FC8 8D45FC lea eax, [ebp-$04] ; result string lands here (it is what both compares below use)
004E9FCB 50 push eax
004E9FCC 8D4DE8 lea ecx, [ebp-$18]
004E9FCF 8D55F0 lea edx, [ebp-$10]
004E9FD2 8B45F8 mov eax, [ebp-$08]
|
004E9FD5 E8FAC1FFFF call 004E61D4 ; the core transformation; its arguments are exactly the serial-derived value and the two constants
004E9FDA 8D45F0 lea eax, [ebp-$10]
|
004E9FDD E83EA0FFFF call 004E4020 ; release the three numeric records
004E9FE2 8D45E8 lea eax, [ebp-$18]
|
004E9FE5 E836A0FFFF call 004E4020
004E9FEA 8D45E0 lea eax, [ebp-$20]
|
004E9FED E82EA0FFFF call 004E4020
004E9FF2 8D8578FEFFFF lea eax, [ebp+$FFFFFE78] ; out param
|
004E9FF8 E84388FFFF call 004E2840 ; produces a string from the machine (per 楼11: the machine code minus its first 8 chars) -- TODO confirm
004E9FFD 8B8578FEFFFF mov eax, [ebp+$FFFFFE78]
004EA003 8D957CFEFFFF lea edx, [ebp+$FFFFFE7C]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004EA009 E866F4F1FF call 00409474 ; [ebp+$FFFFFE7C] := Trim(004E2840 output)
004EA00E 8B857CFEFFFF mov eax, [ebp+$FFFFFE7C]
004EA014 50 push eax ; saved as the EAX operand of compare #1
004EA015 8D9574FEFFFF lea edx, [ebp+$FFFFFE74]
004EA01B 8B45FC mov eax, [ebp-$04]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004EA01E E851F4F1FF call 00409474 ; [ebp+$FFFFFE74] := Trim([ebp-$04])
004EA023 8B9574FEFFFF mov edx, [ebp+$FFFFFE74]
004EA029 58 pop eax
* Reference to: System.@LStrCmp;
|
004EA02A E829B0F1FF call 00405058 ; compare #1: Trim(004E2840 output) vs Trim([ebp-$04]); ZF only
004EA02F 7567 jnz 004EA098 ; mismatch -> False (bytes 75 67; nop-ing them defeats compare #1)
004EA031 8D9570FEFFFF lea edx, [ebp+$FFFFFE70]
004EA037 8B45FC mov eax, [ebp-$04]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004EA03A E835F4F1FF call 00409474 ; [ebp+$FFFFFE70] := Trim([ebp-$04]) again
004EA03F 8B8570FEFFFF mov eax, [ebp+$FFFFFE70]
004EA045 50 push eax ; saved as the EAX operand of compare #2
004EA046 8D853CFEFFFF lea eax, [ebp+$FFFFFE3C]
004EA04C 50 push eax ; Copy destination (ShortString)
004EA04D 33C9 xor ecx, ecx
004EA04F 8A8D97FEFFFF mov cl, byte ptr [ebp+$FFFFFE97] ; length byte of the record's name field, straight from the file
004EA055 83E908 sub ecx, +$08 ; Count := len - 8 (negative if the stored length is < 8; relies on @Copy clamping -- TODO confirm)
004EA058 BA09000000 mov edx, $00000009 ; Index := 9
004EA05D 8D8597FEFFFF lea eax, [ebp+$FFFFFE97] ; Source := name field
* Reference to: System.@Copy;
|
004EA063 E87889F1FF call 004029E0 ; [ebp+$FFFFFE3C] := Copy(name, 9, len-8) i.e. name without its first 8 chars
004EA068 8D953CFEFFFF lea edx, [ebp+$FFFFFE3C]
004EA06E 8D8568FEFFFF lea eax, [ebp+$FFFFFE68]
* Reference to: System.@LStrFromString(String;String;ShortString;ShortString);
| or: System.@WStrFromString(WideString;WideString;ShortString;ShortString);
|
004EA074 E837AEF1FF call 00404EB0
004EA079 8B8568FEFFFF mov eax, [ebp+$FFFFFE68]
004EA07F 8D956CFEFFFF lea edx, [ebp+$FFFFFE6C]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004EA085 E8EAF3F1FF call 00409474 ; [ebp+$FFFFFE6C] := Trim(name[9..])
004EA08A 8B956CFEFFFF mov edx, [ebp+$FFFFFE6C]
004EA090 58 pop eax
* Reference to: System.@LStrCmp;
|
004EA091 E8C2AFF1FF call 00405058 ; compare #2: Trim([ebp-$04]) vs Trim(name[9..])
004EA096 7404 jz 004EA09C ; equal -> True (bytes 74 04; EB 04 makes it unconditional)
004EA098 33DB xor ebx, ebx ; Result := False
004EA09A EB06 jmp 004EA0A2
004EA09C B301 mov bl, $01 ; Result := True
004EA09E EB02 jmp 004EA0A2
004EA0A0 33DB xor ebx, ebx ; Result := False (file missing)
004EA0A2 33C0 xor eax, eax
004EA0A4 5A pop edx
004EA0A5 59 pop ecx
004EA0A6 59 pop ecx
004EA0A7 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '嬅[嬪]?
|
004EA0AA 68E7A04E00 push $004EA0E7 ; continue at the epilogue after cleanup
004EA0AF 8D8568FEFFFF lea eax, [ebp+$FFFFFE68]
004EA0B5 BA0B000000 mov edx, $0000000B ; release 11 consecutive AnsiString temporaries
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
004EA0BA E8B1ABF1FF call 00404C70
004EA0BF 8D45E0 lea eax, [ebp-$20]
004EA0C2 8B1514364E00 mov edx, [$004E3614]
004EA0C8 B903000000 mov ecx, $00000003 ; the three numeric records
* Reference to: System.@FinalizeArray(Pointer;Pointer;Cardinal);
|
004EA0CD E876B6F1FF call 00405748
004EA0D2 8D45F8 lea eax, [ebp-$08]
004EA0D5 BA02000000 mov edx, $00000002 ; [ebp-$08] and [ebp-$04]
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
004EA0DA E891ABF1FF call 00404C70
004EA0DF C3 ret
* Reference to: System.@HandleFinally;
|
004EA0E0 E9E7A4F1FF jmp 004045CC
004EA0E5 EBC8 jmp 004EA0AF
****** END
|
004EA0E7 8BC3 mov eax, ebx ; Result in AL
004EA0E9 5B pop ebx
004EA0EA 8BE5 mov esp, ebp
004EA0EC 5D pop ebp
004EA0ED C3 ret
12 楼
以下这里是否为注册码验证的部分???
; --- System.@LStrCmp (Delphi RTL, 00405058) -- NOT application logic ---
; Compares two AnsiStrings: EAX and EDX are pointers to the character data; the
; length lives in the dword just before the data ([ptr-4]); a nil pointer is the
; empty string. The result is reported in the CPU flags (ZF=1 means equal), which
; is why the callers at 004EA02F/004EA096 follow the call with jnz/jz and never
; look at EAX. It exits at the first differing byte. The interesting part of the
; check is what the caller loads into EAX/EDX before calling here, not this code.
00405058 53 push ebx
00405059 56 push esi
0040505A 57 push edi
0040505B 89C6 mov esi,eax ; S1
0040505D 89D7 mov edi,edx ; S2
0040505F 39D0 cmp eax,edx
00405061 0F84 8F000000 je 1_.004050F6 ; same pointer -> equal (ZF already set)
00405067 85F6 test esi,esi
00405069 74 68 je short 1_.004050D3 ; S1 = '' -> result from -Length(S2)
0040506B 85FF test edi,edi
0040506D 74 6B je short 1_.004050DA ; S2 = '' -> result from Length(S1)
0040506F 8B46 FC mov eax,dword ptr ds:[esi-4] ; Length(S1)
00405072 8B57 FC mov edx,dword ptr ds:[edi-4] ; Length(S2)
00405075 29D0 sub eax,edx ; EAX := Length(S1) - Length(S2)
00405077 77 02 ja short 1_.0040507B
00405079 01C2 add edx,eax ; EDX := min(Length(S1), Length(S2))
0040507B 52 push edx ; save min length for the tail loop
0040507C C1EA 02 shr edx,2 ; number of whole dwords to compare
0040507F 74 26 je short 1_.004050A7
; compare two dwords per iteration
00405081 8B0E mov ecx,dword ptr ds:[esi]
00405083 8B1F mov ebx,dword ptr ds:[edi]
00405085 39D9 cmp ecx,ebx
00405087 75 58 jnz short 1_.004050E1 ; mismatch -> find the differing byte
00405089 4A dec edx
0040508A 74 15 je short 1_.004050A1
0040508C 8B4E 04 mov ecx,dword ptr ds:[esi+4]
0040508F 8B5F 04 mov ebx,dword ptr ds:[edi+4]
00405092 39D9 cmp ecx,ebx
00405094 75 4B jnz short 1_.004050E1
00405096 83C6 08 add esi,8
00405099 83C7 08 add edi,8
0040509C 4A dec edx
0040509D ^ 75 E2 jnz short 1_.00405081
0040509F EB 06 jmp short 1_.004050A7
004050A1 83C6 04 add esi,4
004050A4 83C7 04 add edi,4
004050A7 5A pop edx
004050A8 83E2 03 and edx,3 ; remaining 0..3 tail bytes
004050AB 74 22 je short 1_.004050CF
004050AD 8B0E mov ecx,dword ptr ds:[esi]
004050AF 8B1F mov ebx,dword ptr ds:[edi]
004050B1 38D9 cmp cl,bl
004050B3 75 41 jnz short 1_.004050F6
004050B5 4A dec edx
004050B6 74 17 je short 1_.004050CF
004050B8 38FD cmp ch,bh
004050BA 75 3A jnz short 1_.004050F6
004050BC 4A dec edx
004050BD 74 10 je short 1_.004050CF
004050BF 81E3 0000FF00 and ebx,0FF0000
004050C5 81E1 0000FF00 and ecx,0FF0000
004050CB 39D9 cmp ecx,ebx
004050CD 75 27 jnz short 1_.004050F6
004050CF 01C0 add eax,eax ; common prefix equal: flags from the length difference (ZF=1 iff same length)
004050D1 EB 23 jmp short 1_.004050F6
004050D3 8B57 FC mov edx,dword ptr ds:[edi-4]
004050D6 29D0 sub eax,edx ; 0 - Length(S2)
004050D8 EB 1C jmp short 1_.004050F6
004050DA 8B46 FC mov eax,dword ptr ds:[esi-4]
004050DD 29D0 sub eax,edx ; Length(S1) - 0
004050DF EB 15 jmp short 1_.004050F6
004050E1 5A pop edx ; dword mismatch: locate the first differing byte for the flags
004050E2 38D9 cmp cl,bl
004050E4 75 10 jnz short 1_.004050F6
004050E6 38FD cmp ch,bh
004050E8 75 0C jnz short 1_.004050F6
004050EA C1E9 10 shr ecx,10
004050ED C1EB 10 shr ebx,10
004050F0 38D9 cmp cl,bl
004050F2 75 02 jnz short 1_.004050F6
004050F4 38FD cmp ch,bh
004050F6 5F pop edi
004050F7 5E pop esi
004050F8 5B pop ebx
004050F9 C3 retn ; flags carry the result
13 楼
Dede已经分析出来,00405058处这个函数应该是Delphi的库函数 System.@LStrCmp;
根据Delphi的调用习惯,两个参数是分别通过eax,edx来传递的。
按照贴出来的代码来看,这两处都是判断的位置,是两步。
也就是说,这个函数验证过程分两步,任何一步错了,都会失败。
先看你指出的第一处,把上面几行代码连起来看:
004EA015 8D9574FEFFFF lea edx, [ebp+$FFFFFE74]
004EA01B 8B45FC mov eax, [ebp-$04]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004EA01E E851F4F1FF call 00409474
这是把 [ebp-$04]处的str变量剔除空白字符后,存放于[ebp+$FFFFFE74]处。
下面要比较的两个字串是放在EAX,EDX中的。从代码:
004EA023 8B9574FEFFFF mov edx, [ebp+$FFFFFE74]
004EA029 58 pop eax
* Reference to: System.@LStrCmp;
|
004EA02A E829B0F1FF call 00405058
004EA02F 7567 jnz 004EA098
中我们看到,EDX是[ebp+$FFFFFE74]处的str变量,而EAX呢?再往上翻,看到:
004EA00E 8B857CFEFFFF mov eax, [ebp+$FFFFFE7C]
004EA014 50 push eax
所以,这个比较,比较的是[ebp+$FFFFFE7C]和[ebp+$FFFFFE74]这两个str变量。如果不相等,也就不进行第二步比较,直接跳到004EA098,把EBX清零,也就是失败。
再看第二个比较:
004EA08A 8B956CFEFFFF mov edx, [ebp+$FFFFFE6C]
004EA090 58 pop eax
* Reference to: System.@LStrCmp;
|
004EA091 E8C2AFF1FF call 00405058
004EA096 7404 jz 004EA09C
同样往上翻几行,找到push指令,看到
004EA03F 8B8570FEFFFF mov eax, [ebp+$FFFFFE70]
004EA045 50 push eax
004EA046 8D853CFEFFFF lea eax, [ebp+$FFFFFE3C]
004EA04C 50 push eax
004EA04D 33C9 xor ecx, ecx
004EA04F 8A8D97FEFFFF mov cl, byte ptr [ebp+$FFFFFE97]
004EA055 83E908 sub ecx, +$08
004EA058 BA09000000 mov edx, $00000009
004EA05D 8D8597FEFFFF lea eax, [ebp+$FFFFFE97]
* Reference to: System.@Copy;
|
004EA063 E87889F1FF call 004029E0
004EA068 8D953CFEFFFF lea edx, [ebp+$FFFFFE3C]
004EA06E 8D8568FEFFFF lea eax, [ebp+$FFFFFE68]
* Reference to: System.@LStrFromString(String;String;ShortString;ShortString);
| or: System.@WStrFromString(WideString;WideString;ShortString;ShortString);
|
004EA074 E837AEF1FF call 00404EB0
004EA079 8B8568FEFFFF mov eax, [ebp+$FFFFFE68]
004EA07F 8D956CFEFFFF lea edx, [ebp+$FFFFFE6C]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004EA085 E8EAF3F1FF call 00409474
也就是说,这次比较的是 004EA045 处压栈的 [ebp+$FFFFFE70](也就是 Trim([ebp-$04]))和 [ebp+$FFFFFE6C](由 Copy 出来的 [ebp+$FFFFFE3C] 转成长字符串再 Trim 的结果,即文件里那个字段去掉前 8 个字符)这两个 str。注意两次比较里都有 [ebp-$04],它是 004E9FD5 调用 004E61D4 时按地址传进去的输出。
你下面的工作,就是弄清楚被比较的这 4 个 str 分别是什么内容,通过什么算法来的(重点是 004E61D4,它的输入正是 004E39B4 处理过的序列号和 '575969'、那串长数字两个硬编码常量)。然后再逆推,应该用什么样的注册码才能使这两个比较都成功。如果爆破,就修改 call 后面的跳转:第一处 004EA02F 的 jnz(75 67)改成两个 nop,第二处 004EA096 的 jz(74 04)改成 jmp(EB 04)。但要注意 004E9EDE 处 FileExists 不通过会直接返回失败,所以程序目录下仍然要有 finance.exe 这个文件。
建议用IDA来处理,读起来更容易。这样直接用Dede的代码看得太累了。
14 楼
算法怎么找呢??我这是边学边干,呵呵,OD和DEDE还没玩明白呢,IDA不会用,刚下了个IDA,反编译出来的好像比OD能多看到些东西,但不会用啊
估计爆破的方法不行,我在想被比较的str是否是真和假码,修改一致行不行???
比放说,往eax和edx都压入7c或74,不知道这样外不外行.....不知道比较的值会不会影响程序,所以特别想找真码验证
15 楼
你让它自己和自己比,也是爆破。
看来你对爆破的概念还不太清楚。
另外,不要谈什么外行不外行的话,谁都有个进步的过程。
LStrCmp 的两个参数是两个 AnsiString(EAX、EDX 各放一个指针,指向字符数据,长度存放在指针前 4 字节,看 00405058 开头读 [esi-4]/[edi-4] 就知道),相当于 C 里的字符数组指针,不是单个字符值;往寄存器里“压入 7c 或 74”这种做法是行不通的。
你如果不想爆破,就必须能够读懂整个验证过程的代码的意思,才能得到真正的注册码。非明码比较,一般来说,不能通过跟踪“看到”真正的注册码,要得到真码,必须看懂算法。
算法的阅读用IDA更容易看懂。
再加油。胜利就在前方!
16 楼
谢谢指教,这段代码是包含关键算法的吗??
// Hex-Rays pseudocode of 004E9E50 (TfrmExcelentPickGold.GetRegUser), as pasted.
// This is NOT the key algorithm: the decompiler stopped after the file read and
// folded the try/finally into an if/else, so everything after 004E9F6C in the
// DeDe listing -- the 004E39B4/004E3DA8/004E61D4 calls with the '575969' and
// long-number constants, 004E2840, and the two System.@LStrCmp compares -- is
// missing here. Hex-Rays also did not recognise the Borland register calling
// convention (EAX/EDX/ECX), which is why every call below appears argument-less.
int _cdecl TfrmExcelentPickGold_GetRegUser()
{
int v0; // ST14_4@1
int result; // eax@2
int v2; // ST08_4@2
int v3; // eax@2
int v7; // [sp-Ch] [bp-1D4h]@1
int v8; // [sp+1A4h] [bp-24h]@1
// v8 == [ebp-$24] in the disassembly: the TFileStream object
char v9; // [sp+5Fh] [bp-169h]@2
// v9 == [ebp-$169] == [ebp+$FFFFFE97]: first byte of the $145-byte record read from finance.exe
unknown_libname_103(); // the three @InitializeRecord calls at 004E9E6A/78/86
unknown_libname_103();
unknown_libname_103();
v0 = *MK_FP(_FS_, 0); // outer try/finally frame (fs:[0])
*MK_FP(_FS_, 0) = &v7;
v8 = 0;
unknown_libname_1344(); // Application.ExeName (00481F64)
Sysutils_ExtractFilePath();
System_linkproc_LStrCat(); // + 'finance.exe'
if ( (unsigned _int8)Sysutils_FileExists() )
{
v2 = *MK_FP(_FS_, 0); // inner try/finally frame
*MK_FP(_FS_, 0) = &v2;
unknown_libname_1344(); // path rebuilt a second time
Sysutils_ExtractFilePath();
System_linkproc_LStrCat();
v3 = Classes_TFileStream_TFileStream(0); // Mode 0, opened for reading
v8 = v3;
(*(int (_fastcall **)(int, char *))(*(_DWORD *)v3 + 12))(v3, &v9); // VMT slot +12 ($0C) = the $145-byte read into the record
*MK_FP(_FS_, 0) = v2;
result = System_TObject_Free(); // stream.Free -- the real code continues with the compares after this point
}
else
{
// Actually the OUTER finally block (string/record cleanup) of the whole
// function, mis-attributed to the "file missing" branch by the decompiler.
*MK_FP(_FS_, 0) = v0;
System_linkproc_LStrArrayClr();
System_linkproc_FinalizeArray();
result = System_linkproc_LStrArrayClr();
}
return result; // the real return value is EBX (0/1), see 004EA0E7; not what is modelled here
}