[分享]精确定位tmd、wl 1.91-2.065 Version
发表于:
2009-9-28 12:43
6869
[分享]精确定位tmd、wl 1.91-2.065 Version
精确定位tmd、wl 1.91-2.065 Version
脚本早有了,自己搜索
01371000 > 68 60530000 push 5360
01371005 893424 mov dword ptr ss:[esp],esi
01371008 54 push esp
01371009 5E pop esi
0137100A 53 push ebx
0137100B BB 5D48DC52 mov ebx,52DC485D
01371010 43 inc ebx
01371011 81C3 A6B723AD add ebx,AD23B7A6
01371017 01DE add esi,ebx
01371019 5B pop ebx
0137101A 83EE 04 sub esi,4
0137101D 873424 xchg dword ptr ss:[esp],esi
bp ZwContinue
7C956DAD > B8 22000000 mov eax,22 断下
7C956DB2 BA 0003FE7F mov edx,7FFE0300
7C956DB7 FF12 call dword ptr ds:[edx]
7C956DB9 C2 0800 retn 8
7C956DBC 90 nop 0006FCB0 7C95858C 返回到 ntdll.7C95858C 来自 ntdll.ZwContinue f9
0006FCB4 0006FCD0
0006FCB8 00000000
0006FCBC C000001D
0006FCB0 7C95858C 返回到 ntdll.7C95858C 来自 ntdll.ZwContinue
0006FCB4 0006FCD0
0006FCB8 00000000
0006FCBC C0000096
0006FCD0 0001003F ?.. 向下
0006FCD4 00000000 ....
0006FCD8 00000000 ....
0006FCDC 00000000 ....
0006FD84 EEDC0014
0006FD88 0108B6C0 CISC-1.0108B6C0
0006FD8C 0000001B
0006FD90 00010212 UNICODE "MEDRIVE=C:"
0006FD94 0006FF9C
0108B6C0 64:8F05 0000000>pop dword ptr fs:[0] eip
0108B6C7 83C4 04 add esp,4
0108B6CA 0F86 03000000 jbe CISC-1.0108B6D3
0108B6D0 66:8BC8 mov cx,ax
0108B6D3 8B8D 39022612 mov ecx,dword ptr ss:[ebp+12260239]
0108B6D9 83BD F5142612 0>cmp dword ptr ss:[ebp+122614F5],0
0108BAA5 0000 add byte ptr ds:[eax],al
0108BAA7 322E xor ch,byte ptr ds:[esi]
0108BAA9 3036 xor byte ptr ds:[esi],dh
0108BAAB 35 00000000 xor eax,0
0108BAB0 0000 add byte ptr ds:[eax],al
0108BAA3 00000004 ...
0108BAA7 36302E32 2.06
0108BAAB 00000035 5...
0108BE29 83BD 9D172612 0>cmp dword ptr ss:[ebp+1226179D],0
0108BE30 0F85 0D000000 jnz CISC-1.0108BE43 Z跳
0108BE36 83BD 95272612 0>cmp dword ptr ss:[ebp+12262795],0
0108BE3D 0F84 86000000 je CISC-1.0108BEC9
0108BE43 FFB5 C5BA2C12 push dword ptr ss:[ebp+122CBAC5]
0108BE49 FFB5 C1BA2C12 push dword ptr ss:[ebp+122CBAC1]
0108BE4F FFB5 BDBA2C12 push dword ptr ss:[ebp+122CBABD]
0108BE55 FFB5 B9BA2C12 push dword ptr ss:[ebp+122CBAB9]
0108BE5B FFB5 B5BA2C12 push dword ptr ss:[ebp+122CBAB5]
0108BE61 FFB5 B1BA2C12 push dword ptr ss:[ebp+122CBAB1]
0108BE67 FFB5 A5BA2C12 push dword ptr ss:[ebp+122CBAA5]
0108BE6D FFB5 A1BA2C12 push dword ptr ss:[ebp+122CBAA1]
0108BE73 FFB5 ADBA2C12 push dword ptr ss:[ebp+122CBAAD]
0108BE79 FFB5 A9BA2C12 push dword ptr ss:[ebp+122CBAA9]
0108BE7F FFB5 9DBA2C12 push dword ptr ss:[ebp+122CBA9D]
0108BE85 FFB5 99BA2C12 push dword ptr ss:[ebp+122CBA99]
0108BE8B 8D85 93BA2C12 lea eax,dword ptr ss:[ebp+122CBA93]
0108BE91 50 push eax
0108BE92 8D85 DFBA2C12 lea eax,dword ptr ss:[ebp+122CBADF]
0108BE98 50 push eax
0108BE99 8D85 85282612 lea eax,dword ptr ss:[ebp+12262885]
0108BE9F 50 push eax
0108BEA0 FF95 AD272612 call dword ptr ss:[ebp+122627AD]
0108BEA6 83C4 38 add esp,38
0108BEA9 6A 40 push 40
0108BEAB 8D85 C9BA2C12 lea eax,dword ptr ss:[ebp+122CBAC9]
0108BEB1 50 push eax
0108BEB2 8D85 85282612 lea eax,dword ptr ss:[ebp+12262885]
0108BEB8 50 push eax
0108BEB9 6A 00 push 0
0108BEBB FF95 75332612 call dword ptr ss:[ebp+12263375]
0108BEC1 6A 01 push 1
0108BEC3 FF95 F1332612 call dword ptr ss:[ebp+122633F1]
0108BEC9 8BC1 mov eax,ecx
-----------------------------------------------------------------------
0108BE92 8D85 DFBA2C12 lea eax,dword ptr ss:[ebp+122CBADF]
地址=0108BAF3, (ASCII "Please, contact the software developers with the following codes. Thank you.
(press CTRL+C on this window to copy to clipboard)
Version = %s
CheckIN = %d
CheckOUT = %d
ProcIN = %d
ProcOUT = %d
ExitIN =)
eax=0108BAA7 (CISC-1.0108BAA7), ASCII "2.065"
--------------------------------------------------------------------------------------
0108BEAB 8D85 C9BA2C12 lea eax,dword ptr ss:[ebp+122CBAC9]
地址=0108BADD, (ASCII "Exception Information")
eax=00000147
0108BEBB FF95 75332612 call dword ptr ss:[ebp+12263375] ; user32.MessageBoxExA
--------------------------------------------------
---------------------------
Exception Information
---------------------------
Please, contact the software developers with the following codes. Thank you.
(press CTRL+C on this window to copy to clipboard)
Version = 2.065
CheckIN = 0
CheckOUT = 0
ProcIN = 0
ProcOUT = 0
ExitIN = 0
ExitOUT = 0
TPin = 0
HWIn = 0
IntV = e1630fbf, f97e0183, e07b7f47, 91cc9667
---------------------------
确定
---------------------------
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课