天目电子公司找展讯手机密码的分析
2008-12-23 11:47 6790

天目电子公司找展讯手机密码的分析

2008-12-23 11:47
6790
很久以前分析的一个东东,是修手机人员用的一个小软件,我不修手机了,所以贴出来吧.相信这个电子公司是不会介意我贴出来的了,那么老的东东,况且我不在这个公司上班,嘿嘿.不知道论坛里有没有修手机的,或许会用的上.
大概流程是这样的,通过仪器把手机的字库给读出来,然后可以用天目的软件找出手机里的密码.

下面是主要的代码:

// Loop setup and head of the scan loop. The excerpt starts mid-function; ebx is passed as
// the instance to every TStream call below, so it presumably holds the stream over the dump file.
004D49C3 E8E44AF4FF call 004194AC //@Classes@TStream@SetPosition$qqrxj
// Sets the stream position; per the original note this is the start of the file (the offset argument is prepared before this excerpt)
004D49C8 8D55CC lea edx, [ebp-$34] // effective address of [EBP-34], the one-byte read buffer; 004D49C8 is the loop head targeted by 004D4DA9 and 004D4DB3
004D49CB B901000000 mov ecx, $00000001 // one byte
004D49D0 8BC3 mov eax, ebx
004D49D2 8B30 mov esi, [eax]
004D49D4 FF5608 call dword ptr [esi+$08] //read()
// Reads one byte of the file into [EBP-34]
004D49D7 807DCC30 cmp byte ptr [ebp-$34], $30
004D49DB 7206 jb 004D49E3
004D49DD 807DCC39 cmp byte ptr [ebp-$34], $39
004D49E1 760C jbe 004D49EF
004D49E3 807DCC23 cmp byte ptr [ebp-$34], $23
004D49E7 7406 jz 004D49EF
004D49E9 807DCC2A cmp byte ptr [ebp-$34], $2A
004D49ED 751E jnz 004D4A0D // tests whether [EBP-34] is a digit ($30..$39), '#' ($23) or '*' ($2A); any other byte goes to 004D4A0D
004D49EF 8D45B8 lea eax, [ebp-$48]
004D49F2 8A55CC mov dl, byte ptr [ebp-$34]

* Reference to: System.@LStrFromChar(String;String;Char);
| or: System.@LStrFromWChar(String;String;WideChar);
| or: System.@WStrFromChar(WideString;WideString;Char);
| or: System.@WStrFromWChar(WideString;WideString;WideChar);
|
004D49F5 E84AFDF2FF call 00404744 // converts the byte in [EBP-34] to a string at [ebp-$48]
004D49FA 8B55B8 mov edx, [ebp-$48]
004D49FD 8D45E8 lea eax, [ebp-$18]

* Reference to: System.@LStrCat;
|
004D4A00 E81FFEF2FF call 00404824 // appends it to the run string at [ebp-$18]
004D4A05 FF45F0 inc dword ptr [ebp-$10] // run-length counter++
004D4A08 E97B030000 jmp 004D4D88 // on to the position-versus-size test at the bottom of the loop
// A byte outside the digit/'#'/'*' set ended the current run. Before the run length is
// even checked, this block reads one byte at (position + 7 - run length) into [ebp-$3F]
// and then puts the stream position back. Position here is the offset just past the
// terminating byte, so the probed offset works out to (first byte of the run) + 8.
004D4A0D 8BC3 mov eax, ebx

* Reference to: Classes.TStream.GetPosition(TStream):Int64;
|
004D4A0F E8784AF4FF call 0041948C // get the current position
004D4A14 8BF0 mov esi, eax // esi keeps the low dword of the position for the restore below
004D4A16 8D4607 lea eax, [esi+$07] // position + 7
004D4A19 33D2 xor edx, edx
004D4A1B 52 push edx
004D4A1C 50 push eax
004D4A1D 8B45F0 mov eax, [ebp-$10]
004D4A20 99 cdq
// 64-bit subtraction of the run length [ebp-$10] from the pushed position + 7
004D4A21 290424 sub dword ptr [esp], eax
004D4A24 19542404 sbb [esp+$04], edx
004D4A28 58 pop eax
004D4A29 5A pop edx
004D4A2A 52 push edx
004D4A2B 50 push eax
004D4A2C 8BC3 mov eax, ebx

|
004D4A2E E8794AF4FF call 004194AC //@Classes@TStream@SetPosition$qqrxj
// Sets the current position to position + 7 - run length
004D4A33 8D55C1 lea edx, [ebp-$3F]
004D4A36 B901000000 mov ecx, $00000001
004D4A3B 8BC3 mov eax, ebx
004D4A3D 8B38 mov edi, [eax]
004D4A3F FF5708 call dword ptr [edi+$08] // reads the single byte at that offset into [ebp-$3F]
004D4A42 8BC6 mov eax, esi
004D4A44 33D2 xor edx, edx
004D4A46 52 push edx
004D4A47 50 push eax
004D4A48 8BC3 mov eax, ebx

|
// Same call target as SetPosition above: restores the position saved in esi
004D4A4A E85D4AF4FF call 004194AC
004D4A4F 837DF003 cmp dword ptr [ebp-$10], +$03
004D4A53 0F8E0A030000 jle 004D4D63
004D4A59 837DF009 cmp dword ptr [ebp-$10], +$09
004D4A5D 0F8D00030000 jnl 004D4D63 // continues only when the run length [EBP-10] is within 4..8; otherwise 004D4D63
// Builds the lookup key for a run of 4..8 characters when the AllDigit checkbox call
// returns non-zero: the key is the candidate code followed by 'U' or 'S', chosen by
// comparing the probed byte [ebp-$3F] with the run length [ebp-$10].
004D4A63 C645EF00 mov byte ptr [ebp-$11], $00 // clear the flag at [ebp-$11]; 004D4B89 sets it when the key is already in the list
004D4A67 8D45E4 lea eax, [ebp-$1C]
004D4A6A 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrLAsg(void;void;void;void);
|
004D4A6D E88AFBF2FF call 004045FC // key [ebp-$1C] := run string [ebp-$18]
004D4A72 A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4A77 8B00 mov eax, [eax]

* Reference to control AllDigit : TCheckBox
|
004D4A79 8B80F0030000 mov eax, [eax+$03F0]
004D4A7F 8B10 mov edx, [eax]
004D4A81 FF92C4000000 call dword ptr [edx+$00C4] // virtual call on the checkbox; presumably returns its checked state - confirm
004D4A87 84C0 test al, al
004D4A89 7456 jz 004D4AE1 // zero result: take the alternative path at 004D4AE1
004D4A8B 807DC103 cmp byte ptr [ebp-$3F], $03
004D4A8F 762F jbe 004D4AC0 // continues below only when 4 <= [EBP-3F] <= [EBP-10]
004D4A91 33C0 xor eax, eax
004D4A93 8A45C1 mov al, byte ptr [ebp-$3F]
004D4A96 3B45F0 cmp eax, [ebp-$10]
004D4A99 7F25 jnle 004D4AC0
004D4A9B 8D4DB4 lea ecx, [ebp-$4C]
004D4A9E 33D2 xor edx, edx
004D4AA0 8A55C1 mov dl, byte ptr [ebp-$3F]
004D4AA3 8B45E8 mov eax, [ebp-$18]

* Reference to: StrUtils.LeftStr(AnsiString;Integer):AnsiString;
|
004D4AA6 E861CBF6FF call 0044160C // leftmost [EBP-3F] characters of the run
004D4AAB 8B55B4 mov edx, [ebp-$4C]
004D4AAE 8D45E4 lea eax, [ebp-$1C]
004D4AB1 B91C4F4D00 mov ecx, $004D4F1C //'U'

* Reference to: System.@LStrCat3;
|
004D4AB6 E8ADFDF2FF call 00404868 // reached only when 4 <= [EBP-3F] <= [EBP-10]: key := LeftStr result + 'U'
004D4ABB E98B000000 jmp 004D4B4B
004D4AC0 8A45C1 mov al, byte ptr [ebp-$3F]
004D4AC3 3C03 cmp al, $03
004D4AC5 0F8680000000 jbe 004D4B4B // checks whether [EBP-3F] is within 4..8
004D4ACB 3C09 cmp al, $09
004D4ACD 737C jnb 004D4B4B
004D4ACF 8D45E4 lea eax, [ebp-$1C]
004D4AD2 B9284F4D00 mov ecx, $004D4F28 //'S'
004D4AD7 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4ADA E889FDF2FF call 00404868 // [EBP-3F] > [EBP-10] and within 4..8: key := whole run + 'S'
004D4ADF EB6A jmp 004D4B4B
// Alternative key construction, taken when the AllDigit checkbox call returned zero.
// It additionally tests the three bytes at [ebp-$44], [ebp-$43] and [ebp-$42]; those are
// filled at 004D4D63..004D4D78 from bytes that ended runs shorter or longer than 4..8,
// so they appear to hold the bytes seen just before the current run - confirm.
004D4AE1 807DBC00 cmp byte ptr [ebp-$44], $00
004D4AE5 753F jnz 004D4B26
004D4AE7 8A45BD mov al, byte ptr [ebp-$43]
004D4AEA 24FE and al, $FE
004D4AEC 3C0A cmp al, $0A
004D4AEE 7536 jnz 004D4B26
004D4AF0 F645BEFE test byte ptr [ebp-$42], $FE
004D4AF4 7530 jnz 004D4B26
// Pattern so far: [ebp-$44] = 0, [ebp-$43] is $0A or $0B, [ebp-$42] is 0 or 1
004D4AF6 33C0 xor eax, eax
004D4AF8 8A45C1 mov al, byte ptr [ebp-$3F]
004D4AFB 3B45F0 cmp eax, [ebp-$10]
004D4AFE 7F26 jnle 004D4B26
004D4B00 807DC103 cmp byte ptr [ebp-$3F], $03
004D4B04 7620 jbe 004D4B26
// 4 <= [ebp-$3F] <= run length: key := LeftStr(run, [ebp-$3F]) + string at 004D4F1C ('U')
004D4B06 8D4DB0 lea ecx, [ebp-$50]
004D4B09 33D2 xor edx, edx
004D4B0B 8A55C1 mov dl, byte ptr [ebp-$3F]
004D4B0E 8B45E8 mov eax, [ebp-$18]

* Reference to: StrUtils.LeftStr(AnsiString;Integer):AnsiString;
|
004D4B11 E8F6CAF6FF call 0044160C leftstr()取左边[EBP-3F]位
004D4B16 8B55B0 mov edx, [ebp-$50]
004D4B19 8D45E4 lea eax, [ebp-$1C]
004D4B1C B91C4F4D00 mov ecx, $004D4F1C

* Reference to: System.@LStrCat3;
|
004D4B21 E842FDF2FF call 00404868
// No jump after the 'U' case: execution falls through into the second pattern test
004D4B26 807DBD00 cmp byte ptr [ebp-$43], $00
004D4B2A 751F jnz 004D4B4B
004D4B2C 8A45BE mov al, byte ptr [ebp-$42]
004D4B2F 24FE and al, $FE
004D4B31 3C2A cmp al, $2A
004D4B33 7516 jnz 004D4B4B
004D4B35 807DC108 cmp byte ptr [ebp-$3F], $08
004D4B39 7510 jnz 004D4B4B
// [ebp-$43] = 0, [ebp-$42] is $2A or $2B and [ebp-$3F] = 8: key := whole run + string at 004D4F28 ('S')
004D4B3B 8D45E4 lea eax, [ebp-$1C]
004D4B3E B9284F4D00 mov ecx, $004D4F28 's'
004D4B43 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4B46 E81DFDF2FF call 00404868
// Duplicate check: compares the key in [ebp-$1C] with every entry of the list object at
// [ebp-$04] and sets the flag at [ebp-$11] on the first equal entry. The virtual slots
// used (+$14, +$0C) look like TStrings.GetCount and TStrings.Get - confirm.
004D4B4B 8B45FC mov eax, [ebp-$04]
004D4B4E 8B10 mov edx, [eax]
004D4B50 FF5214 call dword ptr [edx+$14]
004D4B53 85C0 test eax, eax
004D4B55 7E3E jle 004D4B95 // result <= 0: nothing to compare against
004D4B57 8B45FC mov eax, [ebp-$04]
004D4B5A 8B10 mov edx, [eax]
004D4B5C FF5214 call dword ptr [edx+$14]
004D4B5F 8BF0 mov esi, eax // esi = number of iterations
004D4B61 4E dec esi
004D4B62 85F6 test esi, esi
004D4B64 722F jb 004D4B95
004D4B66 46 inc esi
004D4B67 C745F800000000 mov dword ptr [ebp-$08], $00000000 // index [ebp-$08] := 0
004D4B6E 8D4DAC lea ecx, [ebp-$54]
004D4B71 8B55F8 mov edx, [ebp-$08]
004D4B74 8B45FC mov eax, [ebp-$04]
004D4B77 8B38 mov edi, [eax]
004D4B79 FF570C call dword ptr [edi+$0C] // entry at the current index -> [ebp-$54]
004D4B7C 8B55AC mov edx, [ebp-$54]
004D4B7F 8B45E4 mov eax, [ebp-$1C]

* Reference to: System.@LStrCmp;
|
004D4B82 E8D9FDF2FF call 00404960
004D4B87 7506 jnz 004D4B8F
004D4B89 C645EF01 mov byte ptr [ebp-$11], $01 // equal: mark the key as already listed and leave the loop
004D4B8D EB06 jmp 004D4B95
004D4B8F FF45F8 inc dword ptr [ebp-$08]
004D4B92 4E dec esi
004D4B93 75D9 jnz 004D4B6E
004D4B95 807DEF00 cmp byte ptr [ebp-$11], $00
004D4B99 0F85DC010000 jnz 004D4D7B // already listed: skip the output and go reset the run at 004D4D7B
// Output for a new key when the AllDigit checkbox call returns non-zero. Each case
// concatenates the candidate with a label string ([ebp-$20] or [ebp-$24], assigned
// outside this excerpt), passes it to the helper at 004D6FF4 (not shown; the same
// helper receives the '分析完毕.' text at 004D4DE2, so it presumably prints a line,
// with $00FF0000 possibly a colour - confirm), and then hands the 'U'/'S' key to the
// list at [ebp-$04] through virtual slot +$38 (presumably TStrings.Add - confirm).
004D4B9F A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4BA4 8B00 mov eax, [eax]

* Reference to control AllDigit : TCheckBox
|
004D4BA6 8B80F0030000 mov eax, [eax+$03F0]
004D4BAC 8B10 mov edx, [eax]
004D4BAE FF92C4000000 call dword ptr [edx+$00C4]
004D4BB4 84C0 test al, al
004D4BB6 0F84C6000000 jz 004D4C82 // zero result: alternative output path at 004D4C82
004D4BBC 807DC103 cmp byte ptr [ebp-$3F], $03
004D4BC0 7669 jbe 004D4C2B
004D4BC2 33C0 xor eax, eax
004D4BC4 8A45C1 mov al, byte ptr [ebp-$3F]
004D4BC7 3B45F0 cmp eax, [ebp-$10]
004D4BCA 7F5F jnle 004D4C2B
// 4 <= [ebp-$3F] <= run length: the 'U' case
004D4BCC 8D4DA8 lea ecx, [ebp-$58]
004D4BCF 33D2 xor edx, edx
004D4BD1 8A55C1 mov dl, byte ptr [ebp-$3F]
004D4BD4 8B45E8 mov eax, [ebp-$18]

* Reference to: StrUtils.LeftStr(AnsiString;Integer):AnsiString;
|
004D4BD7 E830CAF6FF call 0044160C // takes the leftmost [EBP-3F] characters
004D4BDC 8B55A8 mov edx, [ebp-$58]
004D4BDF 8D45E8 lea eax, [ebp-$18]

* Reference to: System.@LStrLAsg(void;void;void;void);
|
004D4BE2 E815FAF2FF call 004045FC // run string [ebp-$18] := the truncated value
004D4BE7 6A00 push $00
004D4BE9 8D45A4 lea eax, [ebp-$5C]
004D4BEC 8B4DE0 mov ecx, [ebp-$20]
004D4BEF 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4BF2 E871FCF2FF call 00404868 // [ebp-$5C] := candidate + label string [ebp-$20]
004D4BF7 8B4DA4 mov ecx, [ebp-$5C]
004D4BFA A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4BFF 8B00 mov eax, [eax]
004D4C01 BA0000FF00 mov edx, $00FF0000

|
004D4C06 E8E9230000 call 004D6FF4
004D4C0B 8D45A0 lea eax, [ebp-$60]
004D4C0E B91C4F4D00 mov ecx, $004D4F1C
004D4C13 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4C16 E84DFCF2FF call 00404868 // [ebp-$60] := candidate + 'U'
004D4C1B 8B55A0 mov edx, [ebp-$60]
004D4C1E 8B45FC mov eax, [ebp-$04]
004D4C21 8B08 mov ecx, [eax]
004D4C23 FF5138 call dword ptr [ecx+$38]
004D4C26 E92A010000 jmp 004D4D55
004D4C2B 8A45C1 mov al, byte ptr [ebp-$3F]
004D4C2E 3C03 cmp al, $03
004D4C30 0F861F010000 jbe 004D4D55
004D4C36 3C09 cmp al, $09
004D4C38 0F8317010000 jnb 004D4D55
// [ebp-$3F] within 4..8 and greater than the run length: the 'S' case, whole run kept
004D4C3E 6A00 push $00
004D4C40 8D459C lea eax, [ebp-$64]
004D4C43 8B4DDC mov ecx, [ebp-$24]
004D4C46 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4C49 E81AFCF2FF call 00404868 // [ebp-$64] := candidate + label string [ebp-$24]
004D4C4E 8B4D9C mov ecx, [ebp-$64]
004D4C51 A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4C56 8B00 mov eax, [eax]
004D4C58 BA0000FF00 mov edx, $00FF0000

|
004D4C5D E892230000 call 004D6FF4
004D4C62 8D4598 lea eax, [ebp-$68]
004D4C65 B9284F4D00 mov ecx, $004D4F28 //'S'
004D4C6A 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4C6D E8F6FBF2FF call 00404868 // [ebp-$68] := candidate + 'S'
004D4C72 8B5598 mov edx, [ebp-$68]
004D4C75 8B45FC mov eax, [ebp-$04]
004D4C78 8B08 mov ecx, [eax]
004D4C7A FF5138 call dword ptr [ecx+$38]
// The 'S' case is shown as the anti-theft code
004D4C7D E9D3000000 jmp 004D4D55
// Output for a new key when the AllDigit checkbox call returned zero. The conditions
// repeat the byte-pattern tests of 004D4AE1..004D4B39; the output steps match the
// checked path (label concatenation, helper 004D6FF4, then the key goes to the list).
004D4C82 807DBC00 cmp byte ptr [ebp-$44], $00
004D4C86 7579 jnz 004D4D01
004D4C88 8A45BD mov al, byte ptr [ebp-$43]
004D4C8B 24FE and al, $FE
004D4C8D 3C0A cmp al, $0A
004D4C8F 7570 jnz 004D4D01
004D4C91 F645BEFE test byte ptr [ebp-$42], $FE
004D4C95 756A jnz 004D4D01
004D4C97 33C0 xor eax, eax
004D4C99 8A45C1 mov al, byte ptr [ebp-$3F]
004D4C9C 3B45F0 cmp eax, [ebp-$10]
004D4C9F 7F60 jnle 004D4D01
004D4CA1 807DC103 cmp byte ptr [ebp-$3F], $03
004D4CA5 765A jbe 004D4D01
// Pattern matched and 4 <= [ebp-$3F] <= run length: the 'U' case
004D4CA7 8D4D94 lea ecx, [ebp-$6C]
004D4CAA 33D2 xor edx, edx
004D4CAC 8A55C1 mov dl, byte ptr [ebp-$3F]
004D4CAF 8B45E8 mov eax, [ebp-$18]

* Reference to: StrUtils.LeftStr(AnsiString;Integer):AnsiString;
|
004D4CB2 E855C9F6FF call 0044160C
004D4CB7 8B5594 mov edx, [ebp-$6C]
004D4CBA 8D45E8 lea eax, [ebp-$18]

* Reference to: System.@LStrLAsg(void;void;void;void);
|
004D4CBD E83AF9F2FF call 004045FC // run string [ebp-$18] := its leftmost [ebp-$3F] characters
004D4CC2 6A00 push $00
004D4CC4 8D4590 lea eax, [ebp-$70]
004D4CC7 8B4DE0 mov ecx, [ebp-$20]
004D4CCA 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4CCD E896FBF2FF call 00404868 // [ebp-$70] := candidate + label string [ebp-$20]
004D4CD2 8B4D90 mov ecx, [ebp-$70]
004D4CD5 A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4CDA 8B00 mov eax, [eax]
004D4CDC BA0000FF00 mov edx, $00FF0000

|
004D4CE1 E80E230000 call 004D6FF4
004D4CE6 8D458C lea eax, [ebp-$74]
004D4CE9 B91C4F4D00 mov ecx, $004D4F1C //'U'
004D4CEE 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4CF1 E872FBF2FF call 00404868 // [ebp-$74] := candidate + 'U'
004D4CF6 8B558C mov edx, [ebp-$74]
004D4CF9 8B45FC mov eax, [ebp-$04]
004D4CFC 8B08 mov ecx, [eax]
004D4CFE FF5138 call dword ptr [ecx+$38]
// No jump after the 'U' case: execution falls through into the second pattern test
004D4D01 807DBD00 cmp byte ptr [ebp-$43], $00
004D4D05 754E jnz 004D4D55
004D4D07 8A45BE mov al, byte ptr [ebp-$42]
004D4D0A 24FE and al, $FE
004D4D0C 3C2A cmp al, $2A
004D4D0E 7545 jnz 004D4D55
004D4D10 807DC108 cmp byte ptr [ebp-$3F], $08
004D4D14 753F jnz 004D4D55
004D4D16 6A00 push $00
004D4D18 8D4588 lea eax, [ebp-$78]
004D4D1B 8B4DDC mov ecx, [ebp-$24]
004D4D1E 8B55E8 mov edx, [ebp-$18]

* Reference to: System.@LStrCat3;
|
004D4D21 E842FBF2FF call 00404868 // [ebp-$78] := candidate + label string [ebp-$24]
004D4D26 8B4D88 mov ecx, [ebp-$78]
004D4D29 A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4D2E 8B00 mov eax, [eax]
004D4D30 BA0000FF00 mov edx, $00FF0000

|
004D4D35 E8BA220000 call 004D6FF4
004D4D3A 8D4584 lea eax, [ebp-$7C]
004D4D3D B9284F4D00 mov ecx, $004D4F28
004D4D42 8B55E8 mov edx, [ebp-$18] // 'S' case (004D4F28 is the string annotated 'S' at 004D4AD2 and 004D4C65): shown as the anti-theft code

* Reference to: System.@LStrCat3;
|
004D4D45 E81EFBF2FF call 00404868
004D4D4A 8B5584 mov edx, [ebp-$7C]
004D4D4D 8B45FC mov eax, [ebp-$04]
004D4D50 8B08 mov ecx, [eax]
004D4D52 FF5138 call dword ptr [ecx+$38]
// Bottom of the scan loop: pump the message queue after a candidate was handled, record
// the terminating byte of runs outside 4..8, reset the run state, and loop while the
// stream position is below the stream size.
004D4D55 A180CB4D00 mov eax, dword ptr [$004DCB80]
004D4D5A 8B00 mov eax, [eax]

* Reference to: Forms.TApplication.ProcessMessages(TApplication);
|
004D4D5C E80B3BF9FF call 0046886C // author's note: the program is much more stable with this call
004D4D61 EB18 jmp 004D4D7B
// 004D4D63: run length was not within 4..8. Shift the three remembered bytes and store
// the current byte [ebp-$34] as the newest one; the oldest slot is only refreshed when [ebp-$0C] is zero.
004D4D63 837DF400 cmp dword ptr [ebp-$0C], +$00
004D4D67 7506 jnz 004D4D6F
004D4D69 8A45BD mov al, byte ptr [ebp-$43]
004D4D6C 8845BC mov [ebp-$44], al
004D4D6F 8A45BE mov al, byte ptr [ebp-$42]
004D4D72 8845BD mov [ebp-$43], al
004D4D75 8A45CC mov al, byte ptr [ebp-$34]
004D4D78 8845BE mov [ebp-$42], al
004D4D7B 33C0 xor eax, eax
004D4D7D 8945F0 mov [ebp-$10], eax // run-length counter := 0
004D4D80 8D45E8 lea eax, [ebp-$18]

* Reference to: System.@LStrClr(void;void);
|
004D4D83 E8DCF7F2FF call 00404564 // run string := empty
004D4D88 8BC3 mov eax, ebx

* Reference to: Classes.TStream.GetPosition(TStream):Int64;
|
004D4D8A E8FD46F4FF call 0041948C
004D4D8F 8BF0 mov esi, eax // current position --> esi
004D4D91 8BC3 mov eax, ebx

* Reference to: Classes.TStream.GetSize(TStream):Int64;
|
004D4D93 E82847F4FF call 004194C0
004D4D98 52 push edx
004D4D99 50 push eax // file size, pushed as high dword then low dword
004D4D9A 8BC6 mov eax, esi // EAX=ESI
004D4D9C 33D2 xor edx, edx
004D4D9E 3B542404 cmp edx, [esp+$04] // compare with the file size: high dwords first (the position's high dword is taken as 0)
004D4DA2 750D jnz 004D4DB1
004D4DA4 3B0424 cmp eax, [esp]
004D4DA7 5A pop edx
004D4DA8 58 pop eax
004D4DA9 0F8219FCFFFF jb 004D49C8 // high dwords equal and low dword below: back to the loop head
004D4DAF EB08 jmp 004D4DB9
004D4DB1 5A pop edx
004D4DB2 58 pop eax
004D4DB3 0F8C0FFCFFFF jl 004D49C8 // below the size: keep looping
// After the scan: choose the closing message. The jump targets 004D4E03 and 004D4E41 lie
// past the end of this excerpt.
004D4DB9 A130C94D00 mov eax, dword ptr [$004DC930]
004D4DBE 803800 cmp byte ptr [eax], $00
004D4DC1 7440 jz 004D4E03 // byte flag behind [$004DC930] is zero: handled outside this excerpt
004D4DC3 8B45FC mov eax, [ebp-$04]
004D4DC6 8B10 mov edx, [eax]
004D4DC8 FF5214 call dword ptr [edx+$14] // same virtual slot as the count call at 004D4B50
004D4DCB 85C0 test eax, eax
004D4DCD 7E1A jle 004D4DE9 // nothing in the list: "not found" message below
004D4DCF 6A00 push $00
004D4DD1 A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4DD6 8B00 mov eax, [eax]

* Possible String Reference to: '分析完毕.'
|
004D4DD8 B9344F4D00 mov ecx, $004D4F34
004D4DDD BA0000FF00 mov edx, $00FF0000

|
004D4DE2 E80D220000 call 004D6FF4 // helper receives the "analysis finished" string
004D4DE7 EB58 jmp 004D4E41
004D4DE9 6A00 push $00
004D4DEB A104CC4D00 mov eax, dword ptr [$004DCC04]
004D4DF0 8B00 mov eax, [eax]

* Possible String Reference to: '没有找到,请联系天目.'
|
004D4DF2 B9484F4D00 mov ecx, $004D4F48
004D4DF7 BA0000FF00 mov edx, $00FF0000

|
004D4DFC E8F3210000 call 004D6FF4 // helper receives the "not found, please contact the vendor" string



总结一下:

   查找字库里由数字、#、*组成的字符串,长度在4--8位之间。长度记为i
     从这个匹配的数据开始位置+7(从零开始计数),读取一个字节内容,这个内容要在4--8之间,记做buf
     buf>i与S连接,否则与U连接
   与U连接的是开机码
   与S连接的是防盗码
   由此可以看出密码在手机里的存储方式了:密码以明文ASCII字符保存在字库中,旁边固定偏移处还有一个表示位数的字节,没有经过任何加密或散列,所以只要读出字库就能直接得到密码.

下面是我写的程序


unit Unit1;

interface

uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, StrUtils;

type
// Main form: Button1 and Button2 are wired to the two click handlers declared below,
// Edit1 receives the chosen file name and Memo1 receives the result lines.
TForm1 = class(TForm)
Button1: TButton;
Button2: TButton;
Edit1: TEdit;
Memo1: TMemo;
OpenDialog1: TOpenDialog;
procedure Button1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;

var
Form1: TForm1;
// Unit-level stream holding the loaded file; Button2Click creates it and frees it again.
mem: TmemoryStream;
implementation

{$R *.dfm}

{ Lets the user choose the dump file and empties the result list.
  Sender is not used. }
procedure TForm1.Button1Click(Sender: TObject);
var
  Picked: Boolean;
begin
  Picked := OpenDialog1.Execute;
  // Only the file-name assignment depends on the dialog result.
  if Picked then
  begin
    Edit1.Text := OpenDialog1.FileName;
  end;
  // The memo is cleared whether or not a file was chosen.
  Memo1.Clear;
end;

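{ Scans the file named in Edit1 for stored lock codes and lists them in Memo1.

  A candidate is a run of 4..8 bytes taken from '0'..'9', '#' and '*'. When a
  run ends, the byte at (offset of the terminating byte) + 8 - (run length) is
  read as a length field, which is the same offset arithmetic the analysed
  binary uses. A length field of 4..8 that does not exceed the run length
  lists LeftStr(run, length) tagged '开机码'; a larger one lists the whole
  run tagged '防盗码'. A run whose text already occurs in the memo is not
  listed again. A run that reaches the end of the file is never evaluated,
  because its length field would lie beyond the last byte.

  Sender is not used. An exception while loading or reading the file
  propagates to the caller after the stream has been released; the closing
  '分析完毕' line is written only when the scan ran to the end. }
procedure TForm1.Button2Click(Sender: TObject);
var
  nsize: Cardinal;
  buf: Byte;
  lenbyte: Byte;
  num: Integer;      // Integer, so a run longer than 255 bytes cannot wrap back into 4..8
  read: string;
  pos1, pos2: Cardinal;
begin
  Memo1.Clear;
  // Application.ProcessMessages below lets further clicks through while the
  // scan runs; a second click would replace and free the shared stream under
  // the running loop, so the button stays disabled for the duration.
  Button2.Enabled := False;
  try
    // Created before the inner try, so its finally never frees a stream that
    // was not constructed.
    mem := TMemoryStream.Create;
    try
      mem.LoadFromFile(Edit1.Text);
      nsize := mem.Size;
      read := '';
      num := 0;

      // Testing the position before each read also covers an empty file.
      while mem.Position < nsize do
      begin
        pos2 := mem.Position;
        mem.ReadBuffer(buf, 1);
        if ((buf >= $30) and (buf <= $39)) or (buf = $23) or (buf = $2A) then
        begin
          AppendStr(read, Chr(buf));
          num := Length(read);
        end
        else
        begin
          if (num >= 4) and (num <= 8) then
          begin
            // pos2 is the offset of the terminating byte.
            pos1 := pos2 + 8 - Cardinal(num);
            if pos1 < nsize then
            begin
              mem.Position := pos1;
              // The length field is used only when a byte was really read.
              if (mem.Read(lenbyte, 1) = 1) and (lenbyte >= 4) and (lenbyte <= 8)
                and (Pos(read, Memo1.Lines.Text) = 0) then
              begin
                if lenbyte > num then
                  Memo1.Lines.Add(LeftStr(read, lenbyte) + '防盗码')
                else
                  Memo1.Lines.Add(LeftStr(read, lenbyte) + '开机码');
              end;
            end;
          end;
          read := '';
          num := 0;
          // Resume just past the terminating byte, whether or not a length
          // field was probed.
          mem.Position := pos2 + 1;
          Application.ProcessMessages;
        end;
      end;
    finally
      FreeAndNil(mem);
    end;
    Memo1.Lines.Add('分析完毕');
  finally
    Button2.Enabled := True;
  end;
end;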

end.


以下是截图:


最新回复 (5)
dttom 3 2008-12-23 15:21
分析的不错,支持!
jwasami 2008-12-23 15:35
好,学习中啊!!!!!
zhuliang 5 2008-12-23 16:33
分析得不错。支持
XPoy 3 2008-12-24 21:22
哎呀,手机这类平台上,算法分析不是难的,要紧的是熟悉系统环境啊.
LZ如何找到此处的?可以简略介绍不?
Pan88168 2008-12-24 23:09
此为WINDOWS平台,不是手机平台..天目是一个软件工具,山寨机也能搞的.