0050F092 . 3D 00250000 cmp eax, 2500 ; Switch (cases 2000..40FB)
0050F097 . C745 FC 00000>mov dword ptr [ebp-4], 0
0050F09E . 0F8F E4010000 jg 0050F288
0050F0A4 . 0F84 D4010000 je 0050F27E
0050F0AA . 2D 00200000 sub eax, 2000
0050F0AF . 83F8 09 cmp eax, 9
0050F0B2 0F87 AD1A0000 ja 00510B65
0050F0B8 . FF2485 481451>jmp dword ptr [eax*4+511448]
0050F0BF > 8B43 0C mov eax, dword ptr [ebx+C] ; Case 2000 of switch 0050F092
0050F0C2 . 8B4B 08 mov ecx, dword ptr [ebx+8]
0050F0C5 . 50 push eax
0050F0C6 . 51 push ecx
0050F0C7 . E8 D4DFFFFF call 0050D0A0 /*激活成功
0050F0CC . 83C4 08 add esp, 8
0050F0CF . E9 911A0000 jmp 00510B65
0050F0D4 > C645 FC 01 mov byte ptr [ebp-4], 1 ; Case 2001 of switch 0050F092
0050F0D8 . C785 98F9FFFF>mov dword ptr [ebp-668], 1
0050F0E2 . E8 1935F9FF call 004A2600
0050F0E7 . 85C0 test eax, eax
0050F0E9 . 74 0B je short 0050F0F6
0050F0EB . 8B10 mov edx, dword ptr [eax]
0050F0ED . 6A 01 push 1
0050F0EF . 6A 00 push 0
0050F0F1 . 8BC8 mov ecx, eax
0050F0F3 . FF52 1C call dword ptr [edx+1C]
0050F0F6 > C785 98F9FFFF>mov dword ptr [ebp-668], 2
0050F100 . E8 2B8BF9FF call 004A7C30
0050F105 . 8BF8 mov edi, eax
0050F107 . 8B43 0C mov eax, dword ptr [ebx+C]
0050F10A . 56 push esi
0050F10B . 50 push eax
0050F10C . 8BCF mov ecx, edi
0050F10E . C785 98F9FFFF>mov dword ptr [ebp-668], 3
0050F118 . E8 938BF9FF call 004A7CB0
0050F11D . 8BCF mov ecx, edi
0050F11F . C785 98F9FFFF>mov dword ptr [ebp-668], 4
0050F129 . E8 927BF9FF call 004A6CC0
0050F12E . 8BCF mov ecx, edi
0050F130 . C785 98F9FFFF>mov dword ptr [ebp-668], 5
0050F13A . E8 3178F9FF call 004A6970
0050F13F . C785 98F9FFFF>mov dword ptr [ebp-668], 6
0050F149 . E8 F252F9FF call 004A4440
0050F14E . 8BC8 mov ecx, eax
0050F150 . C785 98F9FFFF>mov dword ptr [ebp-668], 7
0050F15A . E8 512AF6FF call 00471BB0
0050F15F . E9 011A0000 jmp 00510B65
0050F164 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
0050F16A . 51 push ecx
0050F16B . 68 94DB6600 push 0066DB94
0050F170 . 6A 01 push 1
0050F172 . E8 F9BD0000 call 0051AF70
0050F177 . 83C4 0C add esp, 0C
0050F17A . B8 650B5100 mov eax, 00510B65
0050F17F . C3 retn
0050F180 . E9 E0190000 jmp 00510B65
0050F185 > 8B06 mov eax, dword ptr [esi] ; Case 2002 of switch 0050F092
0050F187 . A3 E83B6B00 mov dword ptr [6B3BE8], eax
0050F18C . A3 7C3C6B00 mov dword ptr [6B3C7C], eax
0050F191 . 8B56 04 mov edx, dword ptr [esi+4]
0050F194 . 83C6 04 add esi, 4
0050F197 . 83C6 04 add esi, 4
0050F19A . 8915 F03B6B00 mov dword ptr [6B3BF0], edx
0050F1A0 . 66:8B06 mov ax, word ptr [esi]
0050F1A3 . 8975 08 mov dword ptr [ebp+8], esi
0050F1A6 . 66:A3 F43B6B0>mov word ptr [6B3BF4], ax
0050F1AC . E8 7F8AF9FF call 004A7C30
0050F1B1 . 8BC8 mov ecx, eax
0050F1B3 . E8 F829F6FF call 00471BB0
0050F1B8 . 8B0D 106C6A00 mov ecx, dword ptr [6A6C10]
0050F1BE . 6A 00 push 0
0050F1C0 . E8 CB8A0000 call 00517C90
0050F1C5 . E9 9B190000 jmp 00510B65
0050F1CA > E8 41B2F9FF call 004AA410 ; Case 2003 of switch 0050F092
0050F1CF . 56 push esi
0050F1D0 . 53 push ebx
0050F1D1 . 8BC8 mov ecx, eax
0050F1D3 . E8 48B4F9FF call 004AA620
0050F1D8 . E9 88190000 jmp 00510B65
0050F1DD > 8B0D 106C6A00 mov ecx, dword ptr [6A6C10] ; Case 2005 of switch 0050F092
0050F1E3 . 85C9 test ecx, ecx
0050F1E5 . 0F84 7A190000 je 00510B65
0050F1EB . 56 push esi
0050F1EC . E8 3F38EFFF call 00402A30
0050F1F1 . E9 6F190000 jmp 00510B65
0050F1F6 E8 85C4F9FF call 004AB680 /*呼叫激活模块
0050F1FB . 8BF0 mov esi, eax
0050F1FD . 85F6 test esi, esi
0050F1FF . 0F84 60190000 je 00510B65
0050F205 . 8B5B 04 mov ebx, dword ptr [ebx+4]
0050F208 . 85DB test ebx, ebx
0050F20A . 75 1B jnz short 0050F227
0050F20C . E8 EF33F9FF call 004A2600
0050F211 . 8B10 mov edx, dword ptr [eax]
0050F213 . 6A 01 push 1
0050F215 . 53 push ebx
0050F216 . 8BC8 mov ecx, eax
0050F218 . FF52 1C call dword ptr [edx+1C]
0050F21B . 8BCE mov ecx, esi
0050F21D . E8 3EC3F9FF call 004AB560
0050F222 . E9 3E190000 jmp 00510B65
0050F227 > 53 push ebx
0050F228 . 8BCE mov ecx, esi
0050F22A . E8 11C5F9FF call 004AB740
0050F22F . E9 31190000 jmp 00510B65
0050F234 > E8 27CCF9FF call 004ABE60 ; Case 2007 of switch 0050F092
0050F239 . 56 push esi
0050F23A . 53 push ebx
0050F23B . 8BC8 mov ecx, eax
0050F23D . E8 0ECAF9FF call 004ABC50
0050F242 . E9 1E190000 jmp 00510B65
0050F247 > E8 14CCF9FF call 004ABE60 ; Case 2008 of switch 0050F092
0050F24C . 56 push esi
0050F24D . 53 push ebx
0050F24E . 8BC8 mov ecx, eax
0050F250 . E8 9BCAF9FF call 004ABCF0
0050F255 . E9 0B190000 jmp 00510B65
0050F25A > 33FF xor edi, edi ; Case 2009 of switch 0050F092
0050F25C . 8D6424 00 lea esp, dword ptr [esp]
0050F260 > 3B7B 04 cmp edi, dword ptr [ebx+4]
0050F263 . 0F8D FC180000 jge 00510B65
0050F269 . 8BC7 mov eax, edi
0050F26B . 6BC0 38 imul eax, eax, 38
0050F26E . 03C6 add eax, esi
0050F270 . 50 push eax
0050F271 . B9 BC6D6A00 mov ecx, 006A6DBC
0050F276 . E8 25FCFFFF call 0050EEA0
0050F27B . 47 inc edi
0050F27C .^ EB E2 jmp short 0050F260
0050F27E > E8 7D7DFDFF call 004E7000 ; Case 2500 of switch 0050F092
0050F283 . E9 DD180000 jmp 00510B65
0050F288 > 3D 12300000 cmp eax, 3012
对本人来讲,算是很大的突破了,以上是大概分析
请大家帮帮忙,上面的switch,要怎样才能不经过2007号(即是不弹出激活界面),谢谢
[课程]Linux pwn 探索篇!
