2009年了 。。。发个帖子吧。第一次发帖。原因pediy不让下载。说偶不发帖。。。。
一个小的局域网工具。Delphi的东西。用dd分析下。过程简单。
东西在附件中
; Function at 004918A4 (OllyDbg listing of a Delphi binary).
; The string argument presumably arrives in EAX under Delphi's register
; convention (it is saved to [ebp-4] and ref-counted right after) — confirm.
; The return value is EAX, copied from EBX at 00491B5E: 0 unless the
; comparison at 00491B19 succeeds, in which case BL is set to 1 at 00491B20.
004918A4 /$ 55 push ebp
004918A5 |. 8BEC mov ebp, esp
004918A7 |. 83C4 BC add esp, -44
004918AA |. 53 push ebx
004918AB |. 56 push esi
; zero the local string slots ([ebp-44] .. [ebp-38], [ebp-10], [ebp-14], [ebp-8])
004918AC |. 33D2 xor edx, edx
004918AE |. 8955 BC mov dword ptr [ebp-44], edx
004918B1 |. 8955 C0 mov dword ptr [ebp-40], edx
004918B4 |. 8955 C4 mov dword ptr [ebp-3C], edx
004918B7 |. 8955 C8 mov dword ptr [ebp-38], edx
004918BA |. 8955 F0 mov dword ptr [ebp-10], edx
004918BD |. 8955 EC mov dword ptr [ebp-14], edx
004918C0 |. 8955 F8 mov dword ptr [ebp-8], edx
; keep the argument at [ebp-4] and bump its reference count
004918C3 |. 8945 FC mov dword ptr [ebp-4], eax
004918C6 |. 8B45 FC mov eax, dword ptr [ebp-4]
004918C9 |. E8 F630F7FF call 004049C4 ; * Reference to: System.@LStrAddRef(void;void):Pointer;
; exception frame: handler 00491B57 pushed and linked into fs:[0]
; (presumably a compiler-generated try/finally — the handler jumps back into
; the finalizer at 00491B2F)
004918CE |. 33C0 xor eax, eax
004918D0 |. 55 push ebp
004918D1 |. 68 571B4900 push 00491B57
004918D6 |. 64:FF30 push dword ptr fs:[eax]
004918D9 |. 64:8920 mov dword ptr fs:[eax], esp
; ebx = result flag; cleared here, set only at 00491B20
004918DC |. 33DB xor ebx, ebx
; [ebp-10] = IntToStr(Length(arg)); the long string is pushed for the
; concatenation at 004919AF
004918DE |. 8B45 FC mov eax, dword ptr [ebp-4]
004918E1 |. E8 F62EF7FF call 004047DC ; * Reference to: System.@LStrLen(String):Integer;
004918E6 |. 8D55 F0 lea edx, dword ptr [ebp-10]
004918E9 |. E8 5E74F7FF call 00408D4C ; * Reference to: SysUtils.IntToStr(Integer):AnsiString;overload;
004918EE |. 8B45 F0 mov eax, dword ptr [ebp-10]
004918F1 |. 50 push eax
; build a 5-char ShortString from the argument bytes at offsets 1, 4, 6, 7, 9:
; each byte becomes a 1-char ShortString (length byte 1 at [eax], char at
; [eax+1]) and is appended with PStrNCat using a growing max length (cl)
004918F2 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004918F5 |. 8B55 FC mov edx, dword ptr [ebp-4]
004918F8 |. 8A52 01 mov dl, byte ptr [edx+1]
004918FB |. 8850 01 mov byte ptr [eax+1], dl
004918FE |. C600 01 mov byte ptr [eax], 1
00491901 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00491904 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00491907 |. E8 C815F7FF call 00402ED4 ; * Reference to: System.@PStrCpy(PShortString;PShortString);
0049190C |. 8D45 E0 lea eax, dword ptr [ebp-20]
0049190F |. 8B55 FC mov edx, dword ptr [ebp-4]
00491912 |. 8A52 04 mov dl, byte ptr [edx+4]
00491915 |. 8850 01 mov byte ptr [eax+1], dl
00491918 |. C600 01 mov byte ptr [eax], 1
0049191B |. 8D55 E0 lea edx, dword ptr [ebp-20]
0049191E |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00491921 |. B1 02 mov cl, 2
00491923 |. E8 7C15F7FF call 00402EA4 ; * Reference to: System.@PStrNCat;
00491928 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0049192B |. 8D45 DC lea eax, dword ptr [ebp-24]
0049192E |. E8 A115F7FF call 00402ED4 ; * Reference to: System.@PStrCpy(PShortString;PShortString);
00491933 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00491936 |. 8B55 FC mov edx, dword ptr [ebp-4]
00491939 |. 8A52 06 mov dl, byte ptr [edx+6]
0049193C |. 8850 01 mov byte ptr [eax+1], dl
0049193F |. C600 01 mov byte ptr [eax], 1
00491942 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00491945 |. 8D45 DC lea eax, dword ptr [ebp-24]
00491948 |. B1 03 mov cl, 3
0049194A |. E8 5515F7FF call 00402EA4 ; * Reference to: System.@PStrNCat;
0049194F |. 8D55 DC lea edx, dword ptr [ebp-24]
00491952 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00491955 |. E8 7A15F7FF call 00402ED4 ; * Reference to: System.@PStrCpy(PShortString;PShortString);
0049195A |. 8D45 E0 lea eax, dword ptr [ebp-20]
0049195D |. 8B55 FC mov edx, dword ptr [ebp-4]
00491960 |. 8A52 07 mov dl, byte ptr [edx+7]
00491963 |. 8850 01 mov byte ptr [eax+1], dl
00491966 |. C600 01 mov byte ptr [eax], 1
00491969 |. 8D55 E0 lea edx, dword ptr [ebp-20]
0049196C |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0049196F |. B1 04 mov cl, 4
00491971 |. E8 2E15F7FF call 00402EA4 ; * Reference to: System.@PStrNCat;
00491976 |. 8D55 D4 lea edx, dword ptr [ebp-2C]
00491979 |. 8D45 CC lea eax, dword ptr [ebp-34]
0049197C |. E8 5315F7FF call 00402ED4 ; * Reference to: System.@PStrCpy(PShortString;PShortString);
00491981 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00491984 |. 8B55 FC mov edx, dword ptr [ebp-4]
00491987 |. 8A52 09 mov dl, byte ptr [edx+9]
0049198A |. 8850 01 mov byte ptr [eax+1], dl
0049198D |. C600 01 mov byte ptr [eax], 1
00491990 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00491993 |. 8D45 CC lea eax, dword ptr [ebp-34]
00491996 |. B1 05 mov cl, 5
00491998 |. E8 0715F7FF call 00402EA4 ; * Reference to: System.@PStrNCat;
; convert the ShortString at [ebp-34] to a long string ([ebp-14]) and append
; the pushed length string: [ebp-8] = five chars + IntToStr(len)
0049199D |. 8D55 CC lea edx, dword ptr [ebp-34]
004919A0 |. 8D45 EC lea eax, dword ptr [ebp-14]
004919A3 |. E8 D82DF7FF call 00404780 ; * Reference to: System.@LStrFromString(String;String;ShortString;ShortString);
004919A8 |. 8B55 EC mov edx, dword ptr [ebp-14]
004919AB |. 8D45 F8 lea eax, dword ptr [ebp-8]
004919AE |. 59 pop ecx
004919AF |. E8 742EF7FF call 00404828 ; * Reference to: System.@LStrCat3;
; four derived bytes from b = [ebp-8] (signed idiv after cdq, remainder + 0x61):
;   [ebp-C] = (b[0] + b[1]) mod 5 + 'a'
004919B4 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004919B7 |. 0FB600 movzx eax, byte ptr [eax]
004919BA |. 8B55 F8 mov edx, dword ptr [ebp-8]
004919BD |. 0FB652 01 movzx edx, byte ptr [edx+1]
004919C1 |. 03C2 add eax, edx
004919C3 |. B9 05000000 mov ecx, 5
004919C8 |. 99 cdq
004919C9 |. F7F9 idiv ecx
004919CB |. 80C2 61 add dl, 61
004919CE |. 8855 F4 mov byte ptr [ebp-C], dl
;   [ebp-B] = (b[2] + b[3]) mod 5 + 'a'   (ecx keeps b[2] for later)
004919D1 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004919D4 |. 33C9 xor ecx, ecx
004919D6 |. 8A48 02 mov cl, byte ptr [eax+2]
004919D9 |. 8BC1 mov eax, ecx
004919DB |. 8B55 F8 mov edx, dword ptr [ebp-8]
004919DE |. 0FB652 03 movzx edx, byte ptr [edx+3]
004919E2 |. 03C2 add eax, edx
004919E4 |. BE 05000000 mov esi, 5
004919E9 |. 99 cdq
004919EA |. F7FE idiv esi
004919EC |. 80C2 61 add dl, 61
004919EF |. 8855 F5 mov byte ptr [ebp-B], dl
;   [ebp-A] = (b[4] + b[5]) mod 5 + 'a'
004919F2 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004919F5 |. 0FB640 04 movzx eax, byte ptr [eax+4]
004919F9 |. 8B55 F8 mov edx, dword ptr [ebp-8]
004919FC |. 0FB652 05 movzx edx, byte ptr [edx+5]
00491A00 |. 03C2 add eax, edx
00491A02 |. BE 05000000 mov esi, 5
00491A07 |. 99 cdq
00491A08 |. F7FE idiv esi
00491A0A |. 80C2 61 add dl, 61
00491A0D |. 8855 F6 mov byte ptr [ebp-A], dl
;   [ebp-9] = (b[6] + b[2] + b[1]) mod 5 + 'a'   (ecx still holds b[2])
00491A10 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00491A13 |. 0FB640 06 movzx eax, byte ptr [eax+6]
00491A17 |. 03C1 add eax, ecx
00491A19 |. 8B55 F8 mov edx, dword ptr [ebp-8]
00491A1C |. 0FB652 01 movzx edx, byte ptr [edx+1]
00491A20 |. 03C2 add eax, edx
00491A22 |. B9 05000000 mov ecx, 5
00491A27 |. 99 cdq
00491A28 |. F7F9 idiv ecx
00491A2A |. 80C2 61 add dl, 61
00491A2D |. 8855 F7 mov byte ptr [ebp-9], dl
; insert [ebp-C] at position 1 and [ebp-9] at position 3 of [ebp-8]
; (LStrInsert: ecx = 1-based index)
00491A30 |. 8D45 C8 lea eax, dword ptr [ebp-38]
00491A33 |. 8A55 F4 mov dl, byte ptr [ebp-C]
00491A36 |. E8 C92CF7FF call 00404704 ; * Reference to: System.@LStrFromChar(String;String;Char);
00491A3B |. 8B45 C8 mov eax, dword ptr [ebp-38]
00491A3E |. 8D55 F8 lea edx, dword ptr [ebp-8]
00491A41 |. B9 01000000 mov ecx, 1
00491A46 |. E8 7130F7FF call 00404ABC ; * Reference to: System.@LStrInsert;
00491A4B |. 8D45 C4 lea eax, dword ptr [ebp-3C]
00491A4E |. 8A55 F7 mov dl, byte ptr [ebp-9]
00491A51 |. E8 AE2CF7FF call 00404704 ; * Reference to: System.@LStrFromChar(String;String;Char);
00491A56 |. 8B45 C4 mov eax, dword ptr [ebp-3C]
00491A59 |. 8D55 F8 lea edx, dword ptr [ebp-8]
00491A5C |. B9 03000000 mov ecx, 3
00491A61 |. E8 5630F7FF call 00404ABC ; * Reference to: System.@LStrInsert;
; range check on the argument's first byte: unsigned remainder mod 0x3B must
; be <= 0x2E, otherwise jump to the common exit with ebx still 0
00491A66 |. 8B45 FC mov eax, dword ptr [ebp-4]
00491A69 |. 0FB600 movzx eax, byte ptr [eax]
00491A6C |. B9 3B000000 mov ecx, 3B
00491A71 |. 33D2 xor edx, edx
00491A73 |. F7F1 div ecx
00491A75 |. 83FA 2E cmp edx, 2E
00491A78 0F87 A4000000 ja 00491B22
; insert [ebp-B] at position 5 and [ebp-A] at position 9
00491A7E |. 8D45 C0 lea eax, dword ptr [ebp-40]
00491A81 |. 8A55 F5 mov dl, byte ptr [ebp-B]
00491A84 |. E8 7B2CF7FF call 00404704 ; * Reference to: System.@LStrFromChar(String;String;Char);
00491A89 |. 8B45 C0 mov eax, dword ptr [ebp-40]
00491A8C |. 8D55 F8 lea edx, dword ptr [ebp-8]
00491A8F |. B9 05000000 mov ecx, 5
00491A94 |. E8 2330F7FF call 00404ABC ; * Reference to: System.@LStrInsert;
00491A99 |. 8D45 BC lea eax, dword ptr [ebp-44]
00491A9C |. 8A55 F6 mov dl, byte ptr [ebp-A]
00491A9F |. E8 602CF7FF call 00404704 ; * Reference to: System.@LStrFromChar(String;String;Char);
00491AA4 |. 8B45 BC mov eax, dword ptr [ebp-44]
00491AA7 |. 8D55 F8 lea edx, dword ptr [ebp-8]
00491AAA |. B9 09000000 mov ecx, 9
00491AAF |. E8 0830F7FF call 00404ABC ; * Reference to: System.@LStrInsert;
; LStrDelete(s, index = edx, count = ecx): remove position 9, then position 7
00491AB4 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00491AB7 |. B9 01000000 mov ecx, 1
00491ABC |. BA 09000000 mov edx, 9
00491AC1 |. E8 AE2FF7FF call 00404A74 ; * Reference to: System.@LStrDelete;
00491AC6 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00491AC9 |. B9 01000000 mov ecx, 1
00491ACE |. BA 07000000 mov edx, 7
00491AD3 |. E8 9C2FF7FF call 00404A74 ; * Reference to: System.@LStrDelete;
; second range check, on the argument byte at offset 8: unsigned remainder
; mod 0x3D must be <= 0x2A
00491AD8 |. 8B45 FC mov eax, dword ptr [ebp-4]
00491ADB |. 0FB640 08 movzx eax, byte ptr [eax+8]
00491ADF |. B9 3D000000 mov ecx, 3D
00491AE4 |. 33D2 xor edx, edx
00491AE6 |. F7F1 div ecx
00491AE8 |. 83FA 2A cmp edx, 2A
00491AEB 77 35 ja short 00491B22
; remove position 2, then position 6
00491AED |. 8D45 F8 lea eax, dword ptr [ebp-8]
00491AF0 |. B9 01000000 mov ecx, 1
00491AF5 |. BA 02000000 mov edx, 2
00491AFA |. E8 752FF7FF call 00404A74 ; * Reference to: System.@LStrDelete;
00491AFF |. 8D45 F8 lea eax, dword ptr [ebp-8]
00491B02 |. B9 01000000 mov ecx, 1
00491B07 |. BA 06000000 mov edx, 6
00491B0C |. E8 632FF7FF call 00404A74 ; * Reference to: System.@LStrDelete;
; compare the result with the constant "be9c912"; bl = 1 only on equality
00491B11 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00491B14 |. BA 701B4900 mov edx, 00491B70 ; ASCII "be9c912"
00491B19 |. E8 022EF7FF call 00404920 ; * Reference to: System.@LStrCmp;
00491B1E 75 02 jnz short 00491B22
00491B20 |. B3 01 mov bl, 1
; common exit: unlink the exception frame, push the continuation 00491B5E,
; then fall into the finalizer
00491B22 |> 33C0 xor eax, eax
00491B24 |. 5A pop edx
00491B25 |. 59 pop ecx
00491B26 |. 59 pop ecx
00491B27 |. 64:8910 mov dword ptr fs:[eax], edx
00491B2A |. 68 5E1B4900 push 00491B5E
; finalizer: call 00404548 is unlabelled in the listing; with edx = 4 / 2 / 2
; it looks like per-slot string cleanup of the locals — verify
00491B2F |> 8D45 BC lea eax, dword ptr [ebp-44]
00491B32 |. BA 04000000 mov edx, 4
00491B37 |. E8 0C2AF7FF call 00404548
00491B3C |. 8D45 EC lea eax, dword ptr [ebp-14]
00491B3F |. BA 02000000 mov edx, 2
00491B44 |. E8 FF29F7FF call 00404548
00491B49 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00491B4C |. BA 02000000 mov edx, 2
00491B51 |. E8 F229F7FF call 00404548
00491B56 \. C3 retn
; exception-handler stub: 00403EC8 is unlabelled here; control then re-enters
; the finalizer at 00491B2F
00491B57 .^ E9 6C23F7FF jmp 00403EC8
00491B5C .^ EB D1 jmp short 00491B2F
; epilogue: return the flag (0 or 1) in eax
00491B5E . 8BC3 mov eax, ebx
00491B60 . 5E pop esi
00491B61 . 5B pop ebx
00491B62 . 8BE5 mov esp, ebp
00491B64 . 5D pop ebp
00491B65 . C3 retn
------------------------------------
解释:
详细说明
//strcode[12];
这个注册和注册名没关系只和注册码有关
注册码是12位数据
首先根据注册码得到注册码的
strcode[1];
strcode[4];
strcode[6];
strcode[7];
strcode[9];
//
在加上注册码的长度12
组成一个新的字符串以12结尾的串
新串长度为7 ,不妨叫 strtemp[7]
strhx[4];
//然后进行以下操作
strhx[0]=(strtemp[0]+strtemp[1])%0x5+0x61 ;C
strhx[1]=(strtemp[2]+strtemp[3])%0x5+0x61 ;B
strhx[2]=(strtemp[4]+strtemp[5])%0x5+0x61 ;A
strhx[3]=(strtemp[6]+strtemp[1]+strtemp[2])%0x5+0x61 ;9
//进行插入操作按照以下顺序插入到strtemp中以下插入删除操作按照位数从第一位开始//1-12
C 9 B A
1 5 9 3
//在把扩展的strtemp的按照以下的位数删除
9 7 2 6
//[ebp-8]就是我们操作的字符串,00491B70 为内存地址的数据
//最后一步得到了新的7位strtemp与内存地址00491B70的数据比较这里是"be9c912"
00491B11 |. 8B45 F8 mov eax, dword ptr [ebp-8] ;最后得到的串
00491B14 |. BA 701B4900 mov edx, 00491B70 ; "be9c912"
00491B19 |. E8 022EF7FF call 00404920 ; @LStrCmp;
相等的话就注册成功!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
---------------------------------
程序实现
mfc console。
// jyw.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "jyw.h"
#include "conio.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
// Address of the "be9c912" constant inside the target image (see the listing
// above, 00491B14). Tied to this one build of the target: any other build
// will have the constant elsewhere, or not at all.
// NOTE(review): no type is given, so this relies on implicit int (accepted by
// VC6-era compilers); it is not valid C++ under current compilers.
const READ_POINT=0x00491B70;
/////////////////////////////////////////////////////////////////////////////
// The one and only application object
CWinApp theApp;
using namespace std;
//by liyue
// Console entry point.
// Starts the target executable in a suspended state, copies an 8-byte
// constant out of its image at READ_POINT, terminates it, and then enumerates
// candidate 12-character strings, printing each one whose derived 7-character
// form compares equal to that constant (mirroring the listing above).
// Returns nRetCode, which is never changed from 0.
// NOTE(review): CreateProcess is given a bare file name, so the executable is
// resolved relative to the current directory; whatever binary of that name is
// found there gets loaded. The process is created suspended and killed before
// it runs, but the loader still maps it.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode = 0;
STARTUPINFO stStartUp;
BOOL cproc;
CONTEXT stCT={0} ; // unused
HWND hwnd; // unused (only referenced in the commented-out FindWindow block below)
PROCESS_INFORMATION stProcInfo;
char szjyw[]="局域网查看工具V1.59.exe\0";
char szErrExec[]="无法装载执行文件!\0";
char szOkExec[]="装载执行文件成功!\0";
// strend: the constant read from the target (8 bytes, no spare terminator byte)
// strcode: working copy of the candidate; strtemp/strhx: intermediate buffers
// strcodexx: the candidate being enumerated; positions 1, 4, 6, 7 are varied
char strend[8]={0},strcode[13]="L6009097Y012",strtemp[8]={0},strhx[4]={0},strcodexx[13]="L6009097Y012";
GetStartupInfo( &stStartUp);
cproc=::CreateProcess (szjyw,NULL,NULL,NULL,NULL,NORMAL_PRIORITY_CLASS + CREATE_SUSPENDED,NULL,NULL,&stStartUp,&stProcInfo);
if (!cproc)
{ MessageBox(NULL, szErrExec,NULL,MB_OK + MB_ICONSTOP);
ExitProcess(NULL); // exits with code 0 even though loading failed
}
else
MessageBox(NULL, szOkExec,"OK",MB_OK );
// Read the string the target compares against (the "be9c912" at 00491B70).
// NOTE(review): sizeof(strend) is 8 and the constant is 7 characters, so the
// later strcmp depends on the byte after the constant in the target being NUL.
ReadProcessMemory(stProcInfo.hProcess,(void*)READ_POINT,strend,sizeof(strend),NULL);
// CloseHandle(stProcInfo.hProcess);
// The child never leaves its suspended state; kill it and release the process handle.
// NOTE(review): stProcInfo.hThread is never closed.
TerminateProcess(stProcInfo.hProcess,1);
CloseHandle(stProcInfo.hProcess);
// if(strcode[0] || strcode[9]) — the two special characters must be letters.
// (The listing's range checks are on the bytes at offsets 0 and 8; they are
// not re-implemented here, the fixed 'L' and 'Y' from the initializer are kept.)
/* 00491A6C |. B9 3B000000 mov ecx, 3B
00491A71 |. 33D2 xor edx, edx
00491A73 |. F7F1 div ecx
00491A75 |. 83FA 2E cmp edx, 2E
*/
/* This way of closing only works for programs that have a window; here no window is shown.
hwnd=FindWindow(NULL,"局域网查看工具(LanSee)V1.59");
PostMessage(hwnd,WM_CLOSE,0,0);
*/
printf("李悦2009.1:\n");
printf("可用的注册码有:\n");
// Only one matching string is needed here. Positions 1, 4, 6, 7, 9 are the
// ones that matter; the other positions are arbitrary. Position 9 cancels
// out (it is among the bytes deleted at the end), so it is not enumerated.
for(strcodexx[1]='0';strcodexx[1]<127;strcodexx[1]++)
{for(strcodexx[4]='0';strcodexx[4]<127;strcodexx[4]++)
{for(strcodexx[6]='0';strcodexx[6]<127;strcodexx[6]++)
{for(strcodexx[7]='0';strcodexx[7]<127;strcodexx[7]++)
{//for(strcodexx[9]='0';strcodexx[9]<='9';strcodexx[9]++)
{
// copy the varied positions into the working buffer
strcode[1]=strcodexx[1];
strcode[4]=strcodexx[4];
strcode[6]=strcodexx[6];
strcode[7]=strcodexx[7];
strcode[9]=strcodexx[9];
// strtemp = bytes at offsets 1, 4, 6, 7, 9 followed by "12" (the length string)
strtemp[0]=strcode[1];
strtemp[1]=strcode[4];
strtemp[2]=strcode[6];
strtemp[3]=strcode[7];
strtemp[4]=strcode[9];
strtemp[5]='1';
strtemp[6]='2';
//TRACE("%s\n",strtemp);
//--------------------------------------------- derived bytes (mirrors 004919B4..00491A2D)
strhx[0]=(strtemp[0]+strtemp[1])%0x5+0x61 ;//C
strhx[1]=(strtemp[2]+strtemp[3])%0x5+0x61 ;//B
strhx[2]=(strtemp[4]+strtemp[5])%0x5+0x61 ;//A
strhx[3]=(strtemp[6]+strtemp[1]+strtemp[2])%0x5+0x61 ;//9
// TRACE("%s\n",strhx);
//-----------------------------------------------add
// insertions at 1-based positions 1, 3, 5, 9, written out as direct assignments
//1 C
strcode[0]=strhx[0];
strcode[1]=strtemp[0];
//3 9
strcode[2]=strhx[3];
strcode[3]=strtemp[1];
//5 B
strcode[4]=strhx[1];
strcode[5]=strtemp[2];
strcode[6]=strtemp[3];
strcode[7]=strtemp[4];
//9 A
strcode[8]=strhx[2];
strcode[9]=strtemp[5];
strcode[10]=strtemp[6];
// TRACE("%s\n",strcode);
//----------------------------------------del 9 7 2 6
// deletions at 1-based positions 9, 7, 2, 6: keep indices 0, 2, 3, 4, 5, 9, 10
strtemp[0]=strcode[0];
strtemp[1]=strcode[2];
strtemp[2]=strcode[3];
strtemp[3]=strcode[4];
strtemp[4]=strcode[5];
strtemp[5]=strcode[9];
strtemp[6]=strcode[10];
// TRACE("%s\n",strtemp);
// strtemp[7] stays 0 from the initializer, so strtemp is NUL-terminated
if(strcmp(strtemp,strend)==0)
printf("%s\n",strcodexx);
// else
// printf("%s\n",strcodexx);
}
}
}
}
}
getch(); // wait for a key so the console window stays open
//ExitProcess(nRetCode);
return nRetCode;
}
望加精。。。。。