不对之处还请指教
环境:Windows XP SP3,OD,Ccproxy6.63
首先在序列号和注册码里随便填点东西,点击注册,出现如图所示的“注册失败”对话框。
OK,这样就可以直接去 OD 里查找 MessageBox,果然存在。现在可以从 MessageBox 开始,一步步地从后向前找它的验证过程:在 OD 里 bp MessageBoxA,F9 运行起来后再注册,程序停在 MessageBox 处:
00C8C1A4 004285D3 /CALL 到 MessageBoxA 来自 CCProxy.004285CD
00C8C1A8 00000000 |hOwner = NULL
00C8C1AC 00AB6F68 |Text = "对不起,注册失败!."
00C8C1B0 00AB7008 |Title = "对不起,注册失败! (10)"
00C8C1B4 00000040 \Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
现在回到004285d3看下这个函数:
; Excerpt of the routine at 00428530, shown up to the MessageBoxA call at 004285CD
; (the return address 004285D3 seen in the stack dump follows it). The epilogue is not shown.
; ECX on entry is saved at [EBP-1C] and used as an object pointer throughout
; (looks like a thiscall method; confirm).
; Stack arguments read here: [EBP+8] (pushed as Text), [EBP+C], [EBP+10], [EBP+14] (byte), [EBP+18].
00428530 /$ 55 PUSH EBP
00428531 |. 8BEC MOV EBP,ESP
00428533 |. 6A FF PUSH -1
00428535 |. 68 B22D4700 PUSH CCProxy.00472DB2 ; SE handler installation
0042853A |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00428540 |. 50 PUSH EAX
00428541 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00428548 |. 83EC 1C SUB ESP,1C
; Save the object pointer, then copy the byte at [EBP+14] to [obj+54] and the dword at [EBP+10] to [obj+50].
0042854B |. 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX
0042854E |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00428551 |. 8A4D 14 MOV CL,BYTE PTR SS:[EBP+14]
00428554 |. 8848 54 MOV BYTE PTR DS:[EAX+54],CL
00428557 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
0042855A |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
0042855D |. 8942 50 MOV DWORD PTR DS:[EDX+50],EAX
; 00464D8E receives the object pointer as its only pushed argument.
00428560 |. 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
00428563 |. 51 PUSH ECX
00428564 |. E8 25C80300 CALL CCProxy.00464D8E
; 00407B70 is called with ECX = obj+5C and [EBP+C] as its pushed argument.
00428569 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0042856C |. 52 PUSH EDX ; /Arg1
0042856D |. 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] ; |
00428570 |. 83C1 5C ADD ECX,5C ; |
00428573 |. E8 F8F5FDFF CALL CCProxy.00407B70 ; \CCProxy.00407B70
; 00428600 is called with ECX = obj, the address of the local at [EBP-14] and the value stored at [obj+50];
; its result is kept in [EBP-20] and [EBP-24].
00428578 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0042857B |. 8B48 50 MOV ECX,DWORD PTR DS:[EAX+50]
0042857E |. 51 PUSH ECX ; /Arg2
0042857F |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; |
00428582 |. 52 PUSH EDX ; |Arg1
00428583 |. 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] ; |
00428586 |. E8 75000000 CALL CCProxy.00428600 ; \CCProxy.00428600
0042858B |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
0042858E |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00428591 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
; [EBP-4] was initialised to -1 by the PUSH -1 above; presumably the state index of the exception frame (confirm).
00428594 |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
; 00428740 takes three pushed arguments (address of [EBP-18], obj+5C, the previous result);
; the caller removes them with ADD ESP,0C and keeps the result in [EBP-28].
0042859B |. 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
0042859E |. 51 PUSH ECX ; /Arg3
0042859F |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] ; |
004285A2 |. 83C2 5C ADD EDX,5C ; |
004285A5 |. 52 PUSH EDX ; |Arg2
004285A6 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18] ; |
004285A9 |. 50 PUSH EAX ; |Arg1
004285AA |. E8 91010000 CALL CCProxy.00428740 ; \CCProxy.00428740
004285AF |. 83C4 0C ADD ESP,0C
004285B2 |. 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
; [EBP+18] is pushed before the 004067D0 call and nothing visible removes it, so it would be the
; Style argument of MessageBoxA if 004067D0 pops no stack arguments; not verifiable from this excerpt.
004285B5 |. 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
004285B8 |. 51 PUSH ECX
004285B9 |. 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
004285BC |. E8 0FE2FDFF CALL CCProxy.004067D0
; Title = result of 004067D0, Text = [EBP+8], hOwner = [obj+58].
004285C1 |. 50 PUSH EAX ; |Title
004285C2 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
004285C5 |. 52 PUSH EDX ; |Text
004285C6 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
004285C9 |. 8B48 58 MOV ECX,DWORD PTR DS:[EAX+58] ; |
004285CC |. 51 PUSH ECX ; |hOwner
004285CD |. FF15 48554700 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
再向上查看它的调用函数:
; Excerpt of the routine at 00428680, the caller of 00428530. It sets up a local object at [EBP-6C]
; through 00428340 and then calls 00428530 on it. The listing stops at that call; the epilogue is not shown.
; Stack arguments read here: [EBP+8], [EBP+C], [EBP+10], [EBP+14], [EBP+18].
00428680 /$ 55 PUSH EBP
00428681 |. 8BEC MOV EBP,ESP
00428683 |. 6A FF PUSH -1
00428685 |. 68 D62D4700 PUSH CCProxy.00472DD6 ; SE handler installation
0042868A |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00428690 |. 50 PUSH EAX
00428691 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00428698 |. 83EC 64 SUB ESP,64
; 00428340 is called with ECX = address of the local at [EBP-6C] and [EBP+8] as its pushed argument
; (looks like a constructor for that local; confirm).
0042869B |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042869E |. 50 PUSH EAX ; /Arg1
0042869F |. 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] ; |
004286A2 |. E8 99FCFFFF CALL CCProxy.00428340 ; \CCProxy.00428340
; [EBP-4] goes from the initial -1 to 0; presumably the exception-frame state index (confirm).
004286A7 |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
; Five arguments for 00428530, pushed last to first: [EBP+14], the constant 1, [EBP+18], [EBP+10], [EBP+C].
; In the 00428530 listing they are read as [EBP+18], [EBP+14] (byte), [EBP+10], [EBP+C] and [EBP+8] (Text).
004286AE |. 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
004286B1 |. 51 PUSH ECX ; /Arg5
004286B2 |. 6A 01 PUSH 1 ; |Arg4 = 00000001
004286B4 |. 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18] ; |
004286B7 |. 52 PUSH EDX ; |Arg3
004286B8 |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; |
004286BB |. 50 PUSH EAX ; |Arg2
004286BC |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ; |
004286BF |. 51 PUSH ECX ; |Arg1
004286C0 |. 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] ; |
004286C3 |. E8 68FEFFFF CALL CCProxy.00428530 ; \CCProxy.00428530
继续向上:
; Excerpt of the routine at 00435CB0. It dispatches on its first stack argument ([EBP+8]) through a
; byte index table at 0043609D and an address table at 00436081; only some of the targets are listed
; and the excerpt ends inside the one at 00435DC7.
; ECX on entry is saved at [EBP-2C60] and passed in ECX to 0042EED0 (looks like an object pointer; confirm).
; NOTE(review): per the author's closing comment, the registration outcome follows from the value
; 0042EED0 returns in EAX, tested right after the call. A decision that reduces to one return value in
; client-side code holds only as long as the binary is unmodified, so it needs code-integrity
; verification or a server-side decision behind it.
00435CB0 /. 55 PUSH EBP
00435CB1 |. 8BEC MOV EBP,ESP
00435CB3 |. 6A FF PUSH -1
00435CB5 |. 68 3C354700 PUSH CCProxy.0047353C ; SE handler installation
00435CBA |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00435CC0 |. 50 PUSH EAX
00435CC1 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
; EAX = 2C60 before the call and locals down to [EBP-2C64] are used afterwards, so 00450200 is
; presumably a stack-allocation/probe helper for the large frame (confirm).
00435CC8 |. B8 602C0000 MOV EAX,2C60
00435CCD |. E8 2EA50100 CALL CCProxy.00450200
00435CD2 |. 57 PUSH EDI
00435CD3 |. 898D A0D3FFFF MOV DWORD PTR SS:[EBP-2C60],ECX
; selector = [EBP+8] - 5; an unsigned result above 0F goes straight to 0043606B, so only the
; values 5..14 (hex) of [EBP+8] reach the table dispatch below.
00435CD9 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00435CDC |. 8985 9CD3FFFF MOV DWORD PTR SS:[EBP-2C64],EAX
00435CE2 |. 8B8D 9CD3FFFF MOV ECX,DWORD PTR SS:[EBP-2C64]
00435CE8 |. 83E9 05 SUB ECX,5
00435CEB |. 898D 9CD3FFFF MOV DWORD PTR SS:[EBP-2C64],ECX
00435CF1 |. 83BD 9CD3FFFF>CMP DWORD PTR SS:[EBP-2C64],0F
00435CF8 |. 0F87 6D030000 JA CCProxy.0043606B
00435CFE |. 8B95 9CD3FFFF MOV EDX,DWORD PTR SS:[EBP-2C64]
00435D04 |. 0FB682 9D6043>MOVZX EAX,BYTE PTR DS:[EDX+43609D]
00435D0B |. FF2485 816043>JMP DWORD PTR DS:[EAX*4+436081]
; Target 00435D12: call 0040E330 with ECX = 00492A40, then leave through 0043606B.
00435D12 |> B9 402A4900 MOV ECX,CCProxy.00492A40
00435D17 |. E8 1486FDFF CALL CCProxy.0040E330
00435D1C |. E9 4A030000 JMP CCProxy.0043606B
; Target 00435D21: call 00437280 with ECX = 00492F50, then leave through 0043606B.
00435D21 |> B9 502F4900 MOV ECX,CCProxy.00492F50
00435D26 |. E8 55150000 CALL CCProxy.00437280
00435D2B |. E9 3B030000 JMP CCProxy.0043606B
; Target 00435D30: the buffer at [EBP-101C] gets its first byte from 0047AA7F and the next 400h dwords
; are zeroed, 1001h bytes in all, which matches the size value 1001 stored in [EBP-10].
00435D30 |> 8A0D 7FAA4700 MOV CL,BYTE PTR DS:[47AA7F]
00435D36 |. 888D E4EFFFFF MOV BYTE PTR SS:[EBP-101C],CL
00435D3C |. B9 00040000 MOV ECX,400
00435D41 |. 33C0 XOR EAX,EAX
00435D43 |. 8DBD E5EFFFFF LEA EDI,DWORD PTR SS:[EBP-101B]
00435D49 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00435D4B |. C745 F0 01100>MOV DWORD PTR SS:[EBP-10],1001
; 0042EED0(Arg1 = [EBP+C], Arg2 = buffer, Arg3 = address of the size value), ECX = the saved entry ECX.
00435D52 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00435D55 |. 52 PUSH EDX ; /Arg3
00435D56 |. 8D85 E4EFFFFF LEA EAX,DWORD PTR SS:[EBP-101C] ; |
00435D5C |. 50 PUSH EAX ; |Arg2
00435D5D |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ; |
00435D60 |. 51 PUSH ECX ; |Arg1
00435D61 |. 8B8D A0D3FFFF MOV ECX,DWORD PTR SS:[EBP-2C60] ; |
00435D67 |. E8 6491FFFF CALL CCProxy.0042EED0 ; \CCProxy.0042EED0
; A zero result from 0042EED0 makes this routine return 0 through 00436070.
00435D6C |. 85C0 TEST EAX,EAX
00435D6E |. 75 07 JNZ SHORT CCProxy.00435D77
00435D70 |. 33C0 XOR EAX,EAX
00435D72 |. E9 F9020000 JMP CCProxy.00436070
; 00450240 takes the buffer as its single argument, removed by the caller (looks like a length
; routine; confirm). The store below writes 0 at buffer[EAX-2].
; NOTE(review): no lower bound on EAX is visible; for a result below 2 the store would land below
; [EBP-101C], in the upper bytes of the dword at [EBP-1020] that the 00435DC7 path uses as a size.
00435D77 |> 8D95 E4EFFFFF LEA EDX,DWORD PTR SS:[EBP-101C]
00435D7D |. 52 PUSH EDX
00435D7E |. E8 BDA40100 CALL CCProxy.00450240
00435D83 |. 83C4 04 ADD ESP,4
00435D86 |. C68405 E2EFFF>MOV BYTE PTR SS:[EBP+EAX-101E],0
; If 0041C750 returns non-zero and the dword at [result+1C] is non-zero, the buffer is sent with
; SendMessageA(hWnd = [[result+1C]+1C], message 4CE, buffer, 0). 4CE lies above WM_USER (400h), so it
; is presumably an application-defined message.
00435D8E |. E8 BD69FEFF CALL CCProxy.0041C750
00435D93 |. 85C0 TEST EAX,EAX
00435D95 |. 74 2B JE SHORT CCProxy.00435DC2
00435D97 |. E8 B469FEFF CALL CCProxy.0041C750
00435D9C |. 8378 1C 00 CMP DWORD PTR DS:[EAX+1C],0
00435DA0 |. 74 20 JE SHORT CCProxy.00435DC2
00435DA2 |. 6A 00 PUSH 0
00435DA4 |. 8D85 E4EFFFFF LEA EAX,DWORD PTR SS:[EBP-101C]
00435DAA |. 50 PUSH EAX
00435DAB |. 68 CE040000 PUSH 4CE
00435DB0 |. E8 9B69FEFF CALL CCProxy.0041C750
00435DB5 |. 8B48 1C MOV ECX,DWORD PTR DS:[EAX+1C] ; |
00435DB8 |. 8B51 1C MOV EDX,DWORD PTR DS:[ECX+1C] ; |
00435DBB |. 52 PUSH EDX ; |hWnd
00435DBC |. FF15 48564700 CALL DWORD PTR DS:[<&USER32.SendMessageA>; \SendMessageA
00435DC2 |> E9 A4020000 JMP CCProxy.0043606B
; Target 00435DC7: two buffers, at [EBP-142C] and [EBP-1834], each get a first byte from a global
; (0047AA80, 0047AA81) followed by 100h zeroed dwords, 401h bytes each; the size value 401 goes to [EBP-1020].
00435DC7 |> A0 80AA4700 MOV AL,BYTE PTR DS:[47AA80]
00435DCC |. 8885 D4EBFFFF MOV BYTE PTR SS:[EBP-142C],AL
00435DD2 |. B9 00010000 MOV ECX,100
00435DD7 |. 33C0 XOR EAX,EAX
00435DD9 |. 8DBD D5EBFFFF LEA EDI,DWORD PTR SS:[EBP-142B]
00435DDF |. F3:AB REP STOS DWORD PTR ES:[EDI]
00435DE1 |. 8A0D 81AA4700 MOV CL,BYTE PTR DS:[47AA81]
00435DE7 |. 888D CCE7FFFF MOV BYTE PTR SS:[EBP-1834],CL
00435DED |. B9 00010000 MOV ECX,100
00435DF2 |. 33C0 XOR EAX,EAX
00435DF4 |. 8DBD CDE7FFFF LEA EDI,DWORD PTR SS:[EBP-1833]
00435DFA |. F3:AB REP STOS DWORD PTR ES:[EDI]
00435DFC |. C785 E0EFFFFF>MOV DWORD PTR SS:[EBP-1020],401
; Same call shape as in the 00435D30 path: 0042EED0([EBP+C], buffer at [EBP-142C], address of the size value).
00435E06 |. 8D95 E0EFFFFF LEA EDX,DWORD PTR SS:[EBP-1020]
00435E0C |. 52 PUSH EDX ; /Arg3
00435E0D |. 8D85 D4EBFFFF LEA EAX,DWORD PTR SS:[EBP-142C] ; |
00435E13 |. 50 PUSH EAX ; |Arg2
00435E14 |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ; |
00435E17 |. 51 PUSH ECX ; |Arg1
00435E18 |. 8B8D A0D3FFFF MOV ECX,DWORD PTR SS:[EBP-2C60] ; |
00435E1E |. E8 AD90FFFF CALL CCProxy.0042EED0 ; \CCProxy.0042EED0
00435E23 |. 85C0 TEST EAX,EAX ; Continuing to run from here brings up the text that appears on the dialog when registration has not succeeded; break at 00435E1E and run again (F9, F7): CCProxy.0042EED0 turns out to be the routine being looked for; at its end, 0042F227 C2 0C00 RETN 0C,
前面添加:xor eax,eax。Ok