[Old post] [Help] Out of desperation I'm posting the code, please could a master help me analyze it ~~ begging on my knees ~~ 0.00 雪花

Posted on: 2008-12-19 10:19
007816E8 > $ 55 PUSH EBP ; program entry
007816E9 . 8BEC MOV EBP,ESP
007816EB . 83C4 F0 ADD ESP,-10
007816EE . B8 A80B7800 MOV EAX,样品通.00780BA8
007816F3 . E8 2061C8FF CALL 样品通.00407818
007816F8 . A1 9C1D7900 MOV EAX,DWORD PTR DS:[791D9C]
007816FD . 8B00 MOV EAX,DWORD PTR DS:[EAX]
007816FF . E8 B48BCFFF CALL 样品通.0047A2B8
00781704 . A1 9C1D7900 MOV EAX,DWORD PTR DS:[791D9C]
00781709 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0078170B . BA 48177800 MOV EDX,样品通.00781748
00781710 . E8 AF87CFFF CALL 样品通.00479EC4
00781715 . 8B0D B8187900 MOV ECX,DWORD PTR DS:[7918B8] ; 样品通.007960D4
0078171B . A1 9C1D7900 MOV EAX,DWORD PTR DS:[791D9C]
00781720 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00781722 . 8B15 1CB37700 MOV EDX,DWORD PTR DS:[77B31C] ; 样品通.0077B368
00781728 . E8 A38BCFFF CALL 样品通.0047A2D0 ; calls the login window
0078172D . A1 9C1D7900 MOV EAX,DWORD PTR DS:[791D9C]
00781732 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00781734 . E8 178CCFFF CALL 样品通.0047A350 ; calls the main window <the problem is here>
00781739 . E8 6234C8FF CALL 样品通.00404BA0
0078173E . 0000 ADD BYTE PTR DS:[EAX],AL
The problem is:
This software shows that without the dongle it can enter 100 records <I have already cracked that part; you can enter as many as you want>, but there is another restriction that gives no prompt: as soon as you go past 100 and enter the 101st record, the query function stops working. I have been chasing this key jump and key CALL, but after more than a week of analysis I still haven't found it. This is where the problem comes from; I think it should be here that some parameter or function is called to judge whether the database has more than 101 records, or whether the dongle is present, but no matter how I analyze it I can't work out where the check is made. The CALL is as follows:
CALL 样品通.0047A350 is as follows
0047A350 $ 55 PUSH EBP
0047A351 . 8BEC MOV EBP,ESP
0047A353 . 51 PUSH ECX
0047A354 . 53 PUSH EBX
0047A355 . 56 PUSH ESI
0047A356 . 57 PUSH EDI
0047A357 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0047A35A . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047A35D . C680 A5000000 >MOV BYTE PTR DS:[EAX+A5],1
0047A364 . 33D2 XOR EDX,EDX
0047A366 . 55 PUSH EBP
0047A367 . 68 2EA44700 PUSH 样品通.0047A42E
0047A36C . 64:FF32 PUSH DWORD PTR FS:[EDX]
0047A36F . 64:8922 MOV DWORD PTR FS:[EDX],ESP
0047A372 . B8 DC0C4700 MOV EAX,样品通.00470CDC ; entry address
0047A377 . E8 D8F8F8FF CALL 样品通.00409C54
Another call appears here, so I'm pasting this CALL; I don't know whether I'm doing this right.
00409C54 /$ 53 PUSH EBX
00409C55 |. 8BD8 MOV EBX,EAX
00409C57 |. B8 0C000000 MOV EAX,0C
00409C5C |. E8 DF8BFFFF CALL 样品通.00402840 ; another call appears here
00409C61 |. 8B15 28217800 MOV EDX,DWORD PTR DS:[782128]
00409C67 |. 8910 MOV DWORD PTR DS:[EAX],EDX
00409C69 |. 8B15 54167900 MOV EDX,DWORD PTR DS:[791654] ; 样品通.00793048
00409C6F |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
00409C71 |. 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
00409C74 |. 8958 08 MOV DWORD PTR DS:[EAX+8],EBX
00409C77 |. A3 28217800 MOV DWORD PTR DS:[782128],EAX
00409C7C |. A1 54167900 MOV EAX,DWORD PTR DS:[791654]
00409C81 |. C700 289C4000 MOV DWORD PTR DS:[EAX],样品通.00409C28
00409C87 |. 5B POP EBX
00409C88 \. C3 RETN
Body of the CALL
00402840 /$ 53 PUSH EBX ; 样品通.00470CDC
00402841 |. 85C0 TEST EAX,EAX
00402843 |. 7E 15 JLE SHORT 样品通.0040285A
00402845 |. FF15 30207800 CALL DWORD PTR DS:[782030] ; 样品通.00402278
0040284B |. 8BD8 MOV EBX,EAX
0040284D |. 85DB TEST EBX,EBX
0040284F |. 75 0B JNZ SHORT 样品通.0040285C
00402851 |. B0 01 MOV AL,1
00402853 |. E8 44010000 CALL 样品通.0040299C
00402858 |. EB 02 JMP SHORT 样品通.0040285C
0040285A |> 33DB XOR EBX,EBX
0040285C |> 8BC3 MOV EAX,EBX
0040285E |. 5B POP EBX
0040285F \. C3 RETN
Body of the CALL here:
00402278 $ 55 PUSH EBP
00402279 . 8BEC MOV EBP,ESP
0040227B . 83C4 F8 ADD ESP,-8
0040227E . 53 PUSH EBX
0040227F . 56 PUSH ESI
00402280 . 57 PUSH EDI
00402281 . 8BD8 MOV EBX,EAX ; entry address
00402283 . 803D C0357900 >CMP BYTE PTR DS:[7935C0],0
0040228A . 75 09 JNZ SHORT 样品通.00402295
0040228C . E8 FBF8FFFF CALL 样品通.00401B8C
00402291 . 84C0 TEST AL,AL
00402293 . 74 08 JE SHORT 样品通.0040229D
00402295 > 81FB F8FFFF7F CMP EBX,7FFFFFF8
0040229B . 7E 0A JLE SHORT 样品通.004022A7
0040229D > 33C0 XOR EAX,EAX
0040229F . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004022A2 . E9 54010000 JMP 样品通.004023FB
004022A7 > 33C9 XOR ECX,ECX
004022A9 . 55 PUSH EBP
004022AA . 68 F4234000 PUSH 样品通.004023F4
004022AF . 64:FF31 PUSH DWORD PTR FS:[ECX]
004022B2 . 64:8921 MOV DWORD PTR FS:[ECX],ESP
004022B5 . 803D 4D307900 >CMP BYTE PTR DS:[79304D],0
004022BC . 74 0A JE SHORT 样品通.004022C8
004022BE . 68 C8357900 PUSH 样品通.007935C8 ; /pCriticalSection = 样品通.007935C8
004022C3 . E8 20F2FFFF CALL <JMP.&kernel32.EnterCriticalSection>; \EnterCriticalSection
The first CALL was skipped.
This is the body of the second CALL:
004014E8 $-FF25 E8717900 JMP DWORD PTR DS:[<&kernel32.EnterCritic>; ntdll.RtlEnterCriticalSection
Jumps straight into:
7C921000 > 64:8B0D 18000000 MOV ECX,DWORD PTR FS:[18]
7C921007 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
7C92100B 837A 14 00 CMP DWORD PTR DS:[EDX+14],0
7C92100F 75 4F JNZ SHORT ntdll.7C921060
7C921011 F0:FF42 04 LOCK INC DWORD PTR DS:[EDX+4] ; LOCK prefix
7C921015 75 19 JNZ SHORT ntdll.7C921030
7C921017 8B41 24 MOV EAX,DWORD PTR DS:[ECX+24]
7C92101A 8942 0C MOV DWORD PTR DS:[EDX+C],EAX
7C92101D C742 08 01000000 MOV DWORD PTR DS:[EDX+8],1
7C921024 33C0 XOR EAX,EAX
7C921026 C2 0400 RETN 4
Return
004022C8 > 83C3 07 ADD EBX,7
004022CB . 83E3 FC AND EBX,FFFFFFFC
004022CE . 83FB 0C CMP EBX,0C
004022D1 . 7D 05 JGE SHORT 样品通.004022D8
004022D3 . BB 0C000000 MOV EBX,0C
004022D8 > 81FB 00100000 CMP EBX,1000
004022DE . 0F8F 93000000 JG 样品通.00402377
004022E4 . 8BC3 MOV EAX,EBX
004022E6 . 85C0 TEST EAX,EAX
004022E8 . 79 03 JNS SHORT 样品通.004022ED
004022EA . 83C0 03 ADD EAX,3
004022ED > C1F8 02 SAR EAX,2
004022F0 . 8B15 20367900 MOV EDX,DWORD PTR DS:[793620]
004022F6 . 8B5482 F4 MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
004022FA . 85D2 TEST EDX,EDX
004022FC . 74 79 JE SHORT 样品通.00402377
004022FE . 8BF2 MOV ESI,EDX
00402300 . 8BC6 MOV EAX,ESI
00402302 . 03C3 ADD EAX,EBX
00402304 . 8320 FE AND DWORD PTR DS:[EAX],FFFFFFFE
00402307 . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0040230A . 3BD0 CMP EDX,EAX
0040230C . 75 1A JNZ SHORT 样品通.00402328
Jump taken
00402328 > 8BCB MOV ECX,EBX
0040232A . 85C9 TEST ECX,ECX
0040232C . 79 03 JNS SHORT 样品通.00402331
0040232E . 83C1 03 ADD ECX,3
00402331 > C1F9 02 SAR ECX,2
00402334 . 8B3D 20367900 MOV EDI,DWORD PTR DS:[793620]
0040233A . 89448F F4 MOV DWORD PTR DS:[EDI+ECX*4-C],EAX
0040233E . 8B0A MOV ECX,DWORD PTR DS:[EDX]
00402340 . 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00402343 . 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
00402346 . 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
00402349 . 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0040234C . 8908 MOV DWORD PTR DS:[EAX],ECX
0040234E > 8BC6 MOV EAX,ESI
00402350 . 8B52 08 MOV EDX,DWORD PTR DS:[EDX+8]
00402353 . 83CA 02 OR EDX,2
00402356 . 8910 MOV DWORD PTR DS:[EAX],EDX
00402358 . 83C0 04 ADD EAX,4
0040235B . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040235E . FF05 B4357900 INC DWORD PTR DS:[7935B4]
00402364 . 83EB 04 SUB EBX,4
00402367 . 011D B8357900 ADD DWORD PTR DS:[7935B8],EBX
0040236D . E8 0E240000 CALL 样品通.00404780
Another CALL shows up here <I'm about to go crazy, there are too many of these to analyze :(>
Body of the CALL
00404780 /$ 31D2 XOR EDX,EDX
00404782 |. 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
00404786 |. 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
0040478A |. 83C1 05 ADD ECX,5
0040478D |. 64:8902 MOV DWORD PTR FS:[EDX],EAX
00404790 |. FFD1 CALL ECX
Another call appears; I think it is checking something <I'm too much of a newbie to tell>
004023F9 .^EB E5 JMP SHORT 样品通.004023E0
004023FB > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004023FE . 5F POP EDI
004023FF . 5E POP ESI
00402400 . 5B POP EBX
00402401 . 59 POP ECX
00402402 . 59 POP ECX
00402403 . 5D POP EBP
00402404 . C3 RETN
Called, and it jumped straight away
004023E0 > 803D 4D307900 >CMP BYTE PTR DS:[79304D],0
004023E7 . 74 0A JE SHORT 样品通.004023F3
004023E9 . 68 C8357900 PUSH 样品通.007935C8 ; /pCriticalSection = 样品通.007935C8
004023EE . E8 FDF0FFFF CALL <JMP.&kernel32.LeaveCriticalSection>; \LeaveCriticalSection
004023F3 > C3 RETN ; RET used as a jump to
There is a CALL here, annoying, but this CALL is not taken; it returns directly
00404792 \. C2 0C00 RETN 0C
00404795 . C3 RETN
Another return, what a hassle
00402372 . E9 84000000 JMP 样品通.004023FB
00402377 > 3B1D 18367900 CMP EBX,DWORD PTR DS:[793618]
0040237D . 7F 4A JG SHORT 样品通.004023C9
0040237F . 291D 18367900 SUB DWORD PTR DS:[793618],EBX
00402385 . 833D 18367900 >CMP DWORD PTR DS:[793618],0C
0040238C . 7D 0D JGE SHORT 样品通.0040239B
0040238E . 031D 18367900 ADD EBX,DWORD PTR DS:[793618]
00402394 . 33C0 XOR EAX,EAX
00402396 . A3 18367900 MOV DWORD PTR DS:[793618],EAX
0040239B > A1 1C367900 MOV EAX,DWORD PTR DS:[79361C]
004023A0 . 011D 1C367900 ADD DWORD PTR DS:[79361C],EBX
004023A6 . 8BD3 MOV EDX,EBX
004023A8 . 83CA 02 OR EDX,2
004023AB . 8910 MOV DWORD PTR DS:[EAX],EDX
004023AD . 83C0 04 ADD EAX,4
004023B0 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004023B3 . FF05 B4357900 INC DWORD PTR DS:[7935B4]
004023B9 . 83EB 04 SUB EBX,4
004023BC . 011D B8357900 ADD DWORD PTR DS:[7935B8],EBX
004023C2 . E8 B9230000 CALL 样品通.00404780
On return it jumps
004023FB > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004023FE . 5F POP EDI
004023FF . 5E POP ESI
00402400 . 5B POP EBX
00402401 . 59 POP ECX
00402402 . 59 POP ECX
00402403 . 5D POP EBP
00402404 . C3 RETN
Continue returning
0040284B |. 8BD8 MOV EBX,EAX
0040284D |. 85DB TEST EBX,EBX
0040284F |. 75 0B JNZ SHORT 样品通.0040285C ; jump taken
00402851 |. B0 01 MOV AL,1
00402853 |. E8 44010000 CALL 样品通.0040299C
00402858 |. EB 02 JMP SHORT 样品通.0040285C
0040285A |> 33DB XOR EBX,EBX
0040285C |> 8BC3 MOV EAX,EBX
0040285E |. 5B POP EBX
0040285F \. C3 RETN
Returned
00409C61 |. 8B15 28217800 MOV EDX,DWORD PTR DS:[782128]
00409C67 |. 8910 MOV DWORD PTR DS:[EAX],EDX
00409C69 |. 8B15 54167900 MOV EDX,DWORD PTR DS:[791654] ; 样品通.00793048
00409C6F |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
00409C71 |. 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
00409C74 |. 8958 08 MOV DWORD PTR DS:[EAX+8],EBX
00409C77 |. A3 28217800 MOV DWORD PTR DS:[782128],EAX
00409C7C |. A1 54167900 MOV EAX,DWORD PTR DS:[791654]
00409C81 |. C700 289C4000 MOV DWORD PTR DS:[EAX],样品通.00409C28
00409C87 |. 5B POP EBX ; an entry address appears here
00409C88 \. C3 RETN
Return
0047A37C . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047A37F . 8B40 44 MOV EAX,DWORD PTR DS:[EAX+44]
0047A382 . 85C0 TEST EAX,EAX
0047A384 . 0F84 8C000000 JE 样品通.0047A416
0047A38A . 8B15 101D7900 MOV EDX,DWORD PTR DS:[791D10] ; 样品通.0079303C
0047A390 . 8B12 MOV EDX,DWORD PTR DS:[EDX]
0047A392 . 83EA 03 SUB EDX,3 ; Switch (cases 3..7)
0047A395 . 74 0E JE SHORT 样品通.0047A3A5
0047A397 . 83EA 04 SUB EDX,4
0047A39A . 75 10 JNZ SHORT 样品通.0047A3AC ; jump taken
0047A39C . C680 2B020000 >MOV BYTE PTR DS:[EAX+22B],1 ; Case 7 of switch 0047A392
0047A3A3 . EB 07 JMP SHORT 样品通.0047A3AC
0047A3A5 > B2 02 MOV DL,2 ; Case 3 of switch 0047A392
0047A3A7 . E8 90A4FFFF CALL 样品通.0047483C
0047A3AC > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; Default case of switch 0047A392
0047A3AF . 8078 5B 00 CMP BYTE PTR DS:[EAX+5B],0
0047A3B3 . 74 20 JE SHORT 样品通.0047A3D5
0047A3B5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047A3B8 . 8B40 44 MOV EAX,DWORD PTR DS:[EAX+44]
0047A3C2 . 75 0A JNZ SHORT 样品通.0047A3CE ; jump taken
0047A3C4 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047A3C7 . E8 C0F8FFFF CALL 样品通.00479C8C
0047A3CC . EB 07 JMP SHORT 样品通.0047A3D5
0047A3CE > B2 01 MOV DL,1
0047A3D0 . E8 3794FFFF CALL 样品通.0047380C
0047A3D5 > 33C0 XOR EAX,EAX
0047A3D7 . 55 PUSH EBP
0047A3D8 . 68 F5A34700 PUSH 样品通.0047A3F5
0047A3DD . 64:FF30 PUSH DWORD PTR FS:[EAX]
0047A3E0 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0047A3E3 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047A3E6 . E8 D1FDFFFF CALL 样品通.0047A1BC
Body of the CALL here
0047380C /$ 53 PUSH EBX
0047380D |. 56 PUSH ESI
0047380E |. 8BDA MOV EBX,EDX
00473810 |. 8BF0 MOV ESI,EAX
00473812 |. F686 EC020000 >TEST BYTE PTR DS:[ESI+2EC],1
00473819 |. 74 17 JE SHORT 样品通.00473832
0047381B |. 84DB TEST BL,BL
0047381D |. 74 09 JE SHORT 样品通.00473828
0047381F |. 808E EC020000 >OR BYTE PTR DS:[ESI+2EC],2
00473826 |. EB 23 JMP SHORT 样品通.0047384B
00473828 |> 80A6 EC020000 >AND BYTE PTR DS:[ESI+2EC],0FD
0047382F |. 5E POP ESI
00473830 |. 5B POP EBX
00473831 |. C3 RETN
00473832 |> 84DB TEST BL,BL
00473834 |. 74 0C JE SHORT 样品通.00473842
00473836 |. 3A5E 57 CMP BL,BYTE PTR DS:[ESI+57]
00473839 |. 74 07 JE SHORT 样品通.00473842
0047383B |. 8BC6 MOV EAX,ESI
0047383D |. E8 3A100000 CALL 样品通.0047487C
00473842 |> 8BD3 MOV EDX,EBX
00473844 |. 8BC6 MOV EAX,ESI
00473846 |. E8 3D4BFEFF CALL 样品通.00458388
0047384B |> 5E POP ESI
0047384C |. 5B POP EBX
0047384D \. C3 RETN
I don't know whether this much is enough; can it be analyzed from this?
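An added example (my code, not part of the original post and not from the program under analysis): a Python helper that parses OllyDbg listing lines of the kind pasted above and pulls out every CALL/JMP/Jcc with its resolved target, so the whole chain can be surveyed before stepping into each call by hand. It handles direct targets (`CALL 样品通.00409C54`), indirect calls that OllyDbg resolves in its `;` comment (`CALL DWORD PTR DS:[782030] ; 样品通.00402278`), import thunks (`<JMP.&kernel32.EnterCriticalSection>`) and register-indirect calls it cannot resolve statically (`CALL ECX`). Two things are assumptions rather than facts from the post: that the image is based at 00400000, and that, because Delphi links units in dependency order, the RTL/VCL occupies the low addresses while the program's own units sit above some threshold; the 0x00480000 cut-off and the names `APP_THRESHOLD` and `SYSTEM_FLOOR` are my guesses for this binary. The sample listing inside the block is a constructed subset of the lines from the post.

```python
"""Added example (not from the original post): parse OllyDbg listing lines like
the ones pasted above and extract every CALL/JMP/Jcc with its target.

Assumed, not stated in the post: image base 00400000; RTL/VCL code below
APP_THRESHOLD and the program's own units above it; system DLLs at or above
SYSTEM_FLOOR. Both thresholds are guesses for this binary."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IMAGE_MODULE = "样品通"       # module name OllyDbg prints in the listing
APP_THRESHOLD = 0x00480000    # assumption: first address of the application's own units
SYSTEM_FLOOR = 0x70000000     # assumption: typical load range of system DLLs (ntdll is at 7C92xxxx above)

_ADDR = re.compile(r"^[0-9A-Fa-f]{8}$")
_BYTES = re.compile(r"^(?:[0-9A-Fa-f]{2}:)?(?:[0-9A-Fa-f]{2})+$")      # '55', 'D8F8F8FF', '64:FF32'
_MOD_ADDR = re.compile(r"([^\s.,\[\]<>]+)\.([0-9A-Fa-f]{8})")          # 样品通.00409C54, ntdll.7C921060
_IMPORT = re.compile(r"<(?:JMP\.)?&([A-Za-z0-9_]+)\.([A-Za-z0-9_]*)")  # <JMP.&kernel32.EnterCriticalSection>
_MARKERS = "$.>|\\/^-"        # OllyDbg flow markers, sometimes glued to bytes: '|.', '/$', '.^EB', '$-FF25'
_HEX_MNEMONICS = {"FADD"}     # a real mnemonic that also looks like an even run of hex bytes
_PREFIXES = {"LOCK", "REP", "REPE", "REPNE", "REPZ", "REPNZ"}


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str
    comment: str


@dataclass
class Transfer:
    site: int
    mnemonic: str
    target: Optional[int]   # None when not statically resolvable (CALL ECX)
    symbol: str             # module.address, or the import name, as the listing shows it
    kind: str               # 'app' | 'rtl_vcl' | 'system' | 'import' | 'indirect'


def parse_line(line: str) -> Optional[Insn]:
    """Split one listing line into address, mnemonic, operands and the ';' comment.
    Prose lines (no 8-digit address up front) yield None."""
    code, _, comment = line.partition(";")
    tokens = code.split()
    if len(tokens) < 2 or not _ADDR.match(tokens[0]):
        return None
    i = 1
    while i < len(tokens):                          # skip flow markers and opcode bytes
        tok = tokens[i].lstrip(_MARKERS)
        if tok and (not _BYTES.match(tok) or tok.upper() in _HEX_MNEMONICS):
            break                                   # first non-byte token is the mnemonic
        i += 1
    if i >= len(tokens):
        return None
    mnemonic = tokens[i].lstrip(_MARKERS).upper()   # '>MOV' means OllyDbg truncated the byte dump
    if mnemonic in _PREFIXES and i + 1 < len(tokens):
        i += 1
        mnemonic += " " + tokens[i].upper()         # keep 'LOCK INC' together
    return Insn(int(tokens[0], 16), mnemonic, " ".join(tokens[i + 1:]), comment.strip())


def classify(insn: Insn) -> Optional[Transfer]:
    """Return a Transfer for a CALL/JMP/Jcc, bucketed by where its target lives."""
    if not (insn.mnemonic == "CALL" or insn.mnemonic.startswith("J")):
        return None
    text = f"{insn.operands} {insn.comment}"
    m = _IMPORT.search(text)
    if m:                                           # thunk into the import table: the API name identifies it
        return Transfer(insn.addr, insn.mnemonic, None, f"{m.group(1)}.{m.group(2)}", "import")
    m = _MOD_ADDR.search(text)                      # direct target, or OllyDbg's ';' resolution of an indirect one
    if m:
        module, target = m.group(1), int(m.group(2), 16)
        if module != IMAGE_MODULE or target >= SYSTEM_FLOOR:
            kind = "system"
        elif target >= APP_THRESHOLD:
            kind = "app"
        else:
            kind = "rtl_vcl"
        return Transfer(insn.addr, insn.mnemonic, target, f"{module}.{target:08X}", kind)
    return Transfer(insn.addr, insn.mnemonic, None, insn.operands, "indirect")


def survey(listing: str) -> List[Transfer]:
    """All control transfers in a pasted listing, in listing order."""
    insns = (parse_line(line) for line in listing.splitlines())
    return [t for t in (classify(i) for i in insns if i) if t]


def by_kind(transfers: List[Transfer]) -> Dict[str, List[str]]:
    """Group sites by bucket; 'app' and 'indirect' entries are the ones worth a breakpoint first."""
    groups: Dict[str, List[str]] = {}
    for t in transfers:
        groups.setdefault(t.kind, []).append(f"{t.site:08X} {t.mnemonic} -> {t.symbol}")
    return groups


# Constructed sample: a subset of the listing lines pasted in the post above.
SAMPLE_LISTING = r"""
007816E8 > $ 55 PUSH EBP ; program entry
007816FF . E8 B48BCFFF CALL 样品通.0047A2B8
00781728 . E8 A38BCFFF CALL 样品通.0047A2D0 ; calls the login window
00781734 . E8 178CCFFF CALL 样品通.0047A350 ; calls the main window
0047A377 . E8 D8F8F8FF CALL 样品通.00409C54
00409C5C |. E8 DF8BFFFF CALL 样品通.00402840
00402843 |. 7E 15 JLE SHORT 样品通.0040285A
00402845 |. FF15 30207800 CALL DWORD PTR DS:[782030] ; 样品通.00402278
004022C3 . E8 20F2FFFF CALL <JMP.&kernel32.EnterCriticalSection>; \EnterCriticalSection
004014E8 $-FF25 E8717900 JMP DWORD PTR DS:[<&kernel32.EnterCritic>; ntdll.RtlEnterCriticalSection
7C92100F 75 4F JNZ SHORT ntdll.7C921060
7C921011 F0:FF42 04 LOCK INC DWORD PTR DS:[EDX+4] ; LOCK prefix
00404790 |. FFD1 CALL ECX
004023F9 .^EB E5 JMP SHORT 样品通.004023E0
0047A35D . C680 A5000000 >MOV BYTE PTR DS:[EAX+A5],1
0078173E . 0000 ADD BYTE PTR DS:[EAX],AL
"""

if __name__ == "__main__":
    for kind, sites in by_kind(survey(SAMPLE_LISTING)).items():
        print(f"{kind}:")
        for s in sites:
            print("   ", s)
```

Run over the sample, every in-image target lands in the low `rtl_vcl` bucket and none in `app`, which is the picture the pasted chain gives under the assumed threshold: memory allocation under a critical section and an exit-procedure registration are housekeeping of the kind the Delphi runtime does, and that reading is my inference, not something the post states. The unresolved `CALL ECX` at 00404790 is the one site a static pass cannot follow and needs a breakpoint to observe. Once the first user-unit address is known, lower `APP_THRESHOLD` to it; the program entry at 007816E8 is the upper bound for that search.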