PEiD查壳 Microsoft Visual C++ 6.0 [Overlay]
试注册...弹出‘注册码错误,请重试’ ... 咱小菜鸟看到这个乐了...呵。。。
啥也不说了,,OD载入...停在:
0040389F >/$ 55 PUSH EBP ; (Initial CPU selection)
004038A0 |. 8BEC MOV EBP,ESP
004038A2 |. 6A FF PUSH -1
004038A4 |. 68 F8724000 PUSH fanyi.004072F8
004038A9 |. 68 04554000 PUSH fanyi.00405504 ; SE 处理程序安装
004038AE |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004038B4 |. 50 PUSH EAX
004038B5 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
004038BC |. 83EC 58 SUB ESP,58
004038BF |. 53 PUSH EBX
004038C0 |. 56 PUSH ESI
004038C1 |. 57 PUSH EDI
直奔字符串。。。。结果没发现,,郁闷.....
再次动用PEiD 关注一下这个‘Overlay’ 看EP区段 ..发现了 ecode ... 呵 .. 易语言
重载一下,,Ctrl+G 来到 004014E1
004014E1 |. FFD0 CALL EAX ; ☆★F2下断 F9运行 F7进入
004014E3 |. EB 11 JMP SHORT fanyi.004014F6
004014E5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014E7 |. 68 30804000 PUSH fanyi.00408030 ; |Error
004014EC |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Text
004014EF |. 53 PUSH EBX ; |hOwner
004014F0 |. FF15 B4704000 CALL DWORD PTR DS:[>; \MessageBoxA
004014F6 |> 5F POP EDI
004014F7 |. 5E POP ESI
004014F8 |. 33C0 XOR EAX,EAX
004014FA |. 5B POP EBX
004014FB |. C9 LEAVE
004014FC \. C2 1000 RETN 10
----------------------------------------------------------------------------------------
100298BA 55 PUSH EBP ; ☆★来到此处 F8往下
100298BB 8BEC MOV EBP,ESP
100298BD 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
100298C0 50 PUSH EAX
100298C1 B9 10DB0E10 MOV ECX,krnln.100EDB10
100298C6 E8 04F5FFFF CALL krnln.10028DCF ; ☆★F7进去
100298CB 5D POP EBP
100298CC C2 0400 RETN 4
-----------------------------------------------------------------------------------------
10028DCF 55 PUSH EBP ; ☆★来到此处,,一路F8下
10028DD0 8BEC MOV EBP,ESP
10028DD2 83EC 08 SUB ESP,8
10028DD5 53 PUSH EBX
10028DD6 56 PUSH ESI
10028DD7 57 PUSH EDI
------------------------------------------------------------------------------------------
直到这里:
00413D56 FC CLD ; (Initial CPU selection)
00413D57 DBE3 FINIT ; (Initial CPU selection)
此时。。右键。。超级字串参考。。。
哈,,有了。。。‘注册成功’双击进去。。。。。
0040EC65 55 PUSH EBP ; ☆★此处下断..F9运行,输假码。。F8往下
0040EC66 8BEC MOV EBP,ESP
0040EC68 81EC 0C000000 SUB ESP,0C
0040EC6E 68 01030080 PUSH 80000301
0040EC73 6A 00 PUSH 0
0040EC75 FF35 C4209E00 PUSH DWORD PTR DS:[9E20C4]
0040EC7B 68 01000000 PUSH 1
0040EC80 BB 68010000 MOV EBX,168
0040EC85 E8 32510000 CALL fanyi.00413DBC
0040EC8A 83C4 10 ADD ESP,10 ; ☆★此时寄存器窗口已出注册码(做内存注册机)
0040EC8D 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040EC90 6A FF PUSH -1
0040EC92 6A 08 PUSH 8
0040EC94 68 88020116 PUSH 16010288
0040EC99 68 83020152 PUSH 52010283
0040EC9E E8 25510000 CALL fanyi.00413DC8
0040ECA3 83C4 10 ADD ESP,10
0040ECA6 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040ECA9 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; ☆★堆栈,,真假码并在一起了 ^_^
0040ECAC 50 PUSH EAX
0040ECAD FF75 F8 PUSH DWORD PTR SS:[EBP-8]
0040ECB0 E8 13FFFFFF CALL fanyi.0040EBC8
0040ECB5 83C4 08 ADD ESP,8 ; ☆★寄存器 .. ECX和EDX分别是真假码
0040ECB8 83F8 00 CMP EAX,0
0040ECBB B8 00000000 MOV EAX,0
0040ECC0 0F94C0 SETE AL
0040ECC3 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0040ECC6 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0040ECC9 85DB TEST EBX,EBX
0040ECCB 74 09 JE SHORT fanyi.0040ECD6
0040ECCD 53 PUSH EBX
0040ECCE E8 E3500000 CALL fanyi.00413DB6
0040ECD3 83C4 04 ADD ESP,4
0040ECD6 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
0040ECD9 85DB TEST EBX,EBX
0040ECDB 74 09 JE SHORT fanyi.0040ECE6
0040ECDD 53 PUSH EBX
0040ECDE E8 D3500000 CALL fanyi.00413DB6
0040ECE3 83C4 04 ADD ESP,4
0040ECE6 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
0040ECEA 0F84 CD000000 JE fanyi.0040EDBD
0040ECF0 68 01030080 PUSH 80000301
0040ECF5 6A 00 PUSH 0
0040ECF7 68 01000000 PUSH 1
0040ECFC 68 04000080 PUSH 80000004
0040ED01 6A 00 PUSH 0
0040ED03 68 93C14000 PUSH fanyi.0040C193 ; Software\juyi\count\count3 ☆★估计是保存或验证注册信息的地方
0040ED08 68 01030080 PUSH 80000301
0040ED0D 6A 00 PUSH 0
0040ED0F 68 04000000 PUSH 4
0040ED14 68 03000000 PUSH 3
0040ED19 BB A4060000 MOV EBX,6A4
0040ED1E E8 99500000 CALL fanyi.00413DBC
0040ED23 83C4 28 ADD ESP,28
0040ED26 68 04000080 PUSH 80000004
0040ED2B 6A 00 PUSH 0
0040ED2D 68 AEC14000 PUSH fanyi.0040C1AE ; 友情提醒!
0040ED32 68 01030080 PUSH 80000301
0040ED37 6A 00 PUSH 0
0040ED39 68 40000000 PUSH 40
0040ED3E 68 04000080 PUSH 80000004
0040ED43 6A 00 PUSH 0
0040ED45 68 18C24000 PUSH fanyi.0040C218 ; 注册成功! ☆★ 光标停在这里 往上看
0040ED4A 68 03000000 PUSH 3
0040ED4F BB 00030000 MOV EBX,300
0040ED54 E8 63500000 CALL fanyi.00413DBC
0040ED59 83C4 28 ADD ESP,28
0040ED5C 68 04000080 PUSH 80000004
0040ED61 6A 00 PUSH 0
0040ED63 68 AEC14000 PUSH fanyi.0040C1AE ; 友情提醒!
0040ED68 68 01030080 PUSH 80000301
0040ED6D 6A 00 PUSH 0
0040ED6F 68 40000000 PUSH 40
0040ED74 68 04000080 PUSH 80000004
0040ED79 6A 00 PUSH 0
0040ED7B 68 23C24000 PUSH fanyi.0040C223 ; 请重新打开软件
0040ED80 68 03000000 PUSH 3
0040ED85 BB 00030000 MOV EBX,300
0040ED8A E8 2D500000 CALL fanyi.00413DBC
0040ED8F 83C4 28 ADD ESP,28
0040ED92 68 01000100 PUSH 10001
0040ED97 68 82020106 PUSH 6010282
0040ED9C 68 83020152 PUSH 52010283
0040EDA1 68 01000000 PUSH 1
0040EDA6 BB 60030000 MOV EBX,360
0040EDAB E8 0C500000 CALL fanyi.00413DBC
0040EDB0 83C4 10 ADD ESP,10
0040EDB3 E9 3B000000 JMP fanyi.0040EDF3
0040EDB8 E9 36000000 JMP fanyi.0040EDF3
0040EDBD 68 04000080 PUSH 80000004
0040EDC2 6A 00 PUSH 0
0040EDC4 68 AEC14000 PUSH fanyi.0040C1AE ; 友情提醒!
0040EDC9 68 01030080 PUSH 80000301
0040EDCE 6A 00 PUSH 0
0040EDD0 68 40000000 PUSH 40
0040EDD5 68 04000080 PUSH 80000004
0040EDDA 6A 00 PUSH 0
0040EDDC 68 32C24000 PUSH fanyi.0040C232 ; 注册码错误,请重试!
0040EDE1 68 03000000 PUSH 3
0040EDE6 BB 00030000 MOV EBX,300
0040EDEB E8 CC4F0000 CALL fanyi.00413DBC
0040EDF0 83C4 28 ADD ESP,28
0040EDF3 8BE5 MOV ESP,EBP
0040EDF5 5D POP EBP
0040EDF6 C3 RETN
内存注册机有用信息:
中断地址:40EC8A
中断次数:1
第一字节:83
指令长度:3
内存方式 寄存器 EAX
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!