金牛阿里旺旺营销王 (Jinniu Ali Wangwang Marketing King): ran into a problem while debugging, would an expert please advise!
Experts, please take a look! Notes on 金牛阿里旺旺营销王 (All-in-One Edition)
After unpacking, you can go straight to Ctrl+G 005546BA, set a breakpoint there, run with F9, and you arrive at the ( 正式版 / Full Version ) spot; then search for the ASCII string.
I traced to the ( Full Version ) spot, but no matter how I patch it, the file fspz.db generated after running still shows it as the trial version (I opened fspz.db with Notepad). The functions inside can't be used! (For example: "Settings" smart tracking doesn't work!!)
Load it in OD (OllyDbg)
Set a breakpoint with bp RegOpenKeyExA, press F9 and watch the stack; after 100-odd hits you reach
77DA761B >8BFF MOV EDI,EDI
77DA761D 55 PUSH EBP
77DA761E 8BEC MOV EBP,ESP
77DA7620 83EC 0C SUB ESP,0C
77DA7623 8365 FC 00 AND DWORD PTR SS:,0
77DA7627 53 PUSH EBX
77DA7628 56 PUSH ESI
77DA7629 8B75 08 MOV ESI,DWORD PTR SS:
77DA762C 81FE 04000080 CMP ESI,80000004
77DA7632 57 PUSH EDI
77DA7633 0F84 0A180200 JE ADVAPI32.77DC8E43
77DA7639 81FE 50000080 CMP ESI,80000050
77DA763F 0F84 FE170200 JE ADVAPI32.77DC8E43
Stack
0012F9A0 100614D0 /CALL to RegOpenKeyExA from krnln.100614CA //follow in disassembler
0012F9A4 80000002 |hKey = HKEY_LOCAL_MACHINE
0012F9A8 00C33F28 |Subkey = "software\Kzalyx" //reads the registration info
0012F9AC 00000000 |Reserved = 0
0012F9B0 00020019 |Access = KEY_READ
0012F9B4 0012F9C8 \pHandle = 0012F9C8
0012F9B8 001E600B
0012F9BC 00452594 1.00452594
0012F9C0 0012FAC4
0012F9C4 100E390C krnln.100E390C
In the disassembler
100614C9 51 PUSH ECX //set breakpoint here
100614CA FF15 04200C10 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; ADVAPI32.RegOpenKeyExA
100614D0 85C0 TEST EAX,EAX
100614D2 0F85 84020000 JNZ krnln.1006175C
F9
00554647 E8 EEB8FEFF call 0053FF3A
Stack:
0012FA7C 00202AD8 ASCII "8888888888888"
0012FA80 004F0CD1 ASCII "%CQB%"
0012FA84 00202FB8 ASCII "464D6AFD8B8B"
0012FA88 001F8040 ASCII "709F83C1"
0012FA8C 001F8110 ASCII "JNQNB-615965-17C96D-709F83"
Connecting to the server
>00554528 85C0 TEST EAX,EAX
>0055452A 75 05 JNZ SHORT 1.00554531
>0055452C B8 D9244500 MOV EAX,1.004524D9
>00554531 50 PUSH EAX
>00554532 68 01000000 PUSH 1
>00554537 BB 1C000000 MOV EBX,1C
>0055453C B8 06000000 MOV EAX,6
75C6BE10 FF76 04 PUSH DWORD PTR DS:
75C6BE13 8BCB MOV ECX,EBX
75C6BE15 57 PUSH EDI
75C6BE16 56 PUSH ESI
75C6BE17 E8 4E000000 CALL urlmon.75C6BE6A
75C6BE1C^ E9 F484FFFF JMP urlmon.75C64315
75C6BE21 85C0 TEST EAX,EAX
75C6BE23^ 0F85 AC84FFFF JNZ urlmon.75C642D5
75C6BE29^ E9 E784FFFF JMP urlmon.75C64315
75C6BE2E 8B36 MOV ESI,DWORD PTR DS:
01F51768 6A 00 PUSH 0
01F5176A 51 PUSH ECX
01F5176B 68 0421F701 PUSH internet.01F72104 ; ASCII "Accept: */*" (the string ends with a line break)
01F51770 53 PUSH EBX
01F51771 FF15 D0C3F601 CALL DWORD PTR DS:[<&WININET.H>; WININET.HttpSendRequestA
01F51777 85C0 TEST EAX,EAX ; registration request
01F51779 75 4D JNZ SHORT internet.01F517C8
01F5177B 8D4D E8 LEA ECX,DWORD PTR SS:
01F5177E C645 FC 05 MOV BYTE PTR SS:,5
01F51877 C645 FC 01 MOV BYTE PTR SS:,1
01F5187B E8 B2160100 CALL internet.01F62F32
01F51880 EB 41 JMP SHORT internet.01F518C3
01F51882 8B3D D8C3F601 MOV EDI,DWORD PTR DS:[<&WININE>; WININET.InternetReadFile
01F51888 8B45 D8 MOV EAX,DWORD PTR SS: ; read from network
01F5188B 8D55 C4 LEA EDX,DWORD PTR SS:
01F5188E 52 PUSH EDX
01F5188F 50 PUSH EAX
01F51890 56 PUSH ESI
01F51894 85C0 TEST EAX,EAX
01F51896^ 74 99 JE SHORT internet.01F51831
01F51898 8B45 C4 MOV EAX,DWORD PTR SS:
01F5189B 85C0 TEST EAX,EAX
01F5189D 75 09 JNZ SHORT internet.01F518A8
01F5189F C745 CC 0100000>MOV DWORD PTR SS:,1
01F518A6^ EB 89 JMP SHORT internet.01F51831
01F518A8 8B4D 0C MOV ECX,DWORD PTR SS: ; server address
01F518AB 50 PUSH EAX
01F518AC 56 PUSH ESI
01F518AD E8 5E140000 CALL internet.01F52D10
01F518B2^ EB D4 JMP SHORT internet.01F51888
01F518B4 8B4D BC MOV ECX,DWORD PTR SS:
Registers
EAX 0000003B
ECX 00000001
EDX 002B0001
EBX 00CC0018
ESP 0012F99C
EBP 0012FA28
ESI 01F78544 ASCII "<script>location.href="http://202.104.57.161";</script>" (the string ends with a line break)
After it finishes, it returns to
0055453C B8 06000000 MOV EAX,6
00554541 E8 355D0100 CALL 1.0056A27B
00554546 83C4 10 ADD ESP,10 //returns here
00554549 8945 F8 MOV DWORD PTR SS:,EAX
0055454C 8B5D FC MOV EBX,DWORD PTR SS:
0055454F 85DB TEST EBX,EBX
00554551 74 09 JE SHORT 1.0055455C
00554553 53 PUSH EBX
00554642 B9 03000000 MOV ECX,3 ; compute
00554647 E8 EEB8FEFF CALL 1.0053FF3A
0055464C 83C4 0C ADD ESP,0C
0055464F 8945 F4 MOV DWORD PTR SS:,EAX
00554652 8B5D F8 MOV EBX,DWORD PTR SS:
00554655 85DB TEST EBX,EBX
00554657 74 09 JE SHORT 1.00554662
00554659 53 PUSH EBX
Stack
0012FA7C 001EF3E0 ASCII "88888888888888"
0012FA80 004F0CD1 ASCII "%CQB%"
0012FA84 001E5E28 ASCII "19F8F68FE8AA"
0012FA88 001EF3C8 ASCII "855C3280"
0012FA8C 001EF4B0 ASCII "JNQNB-489E75-1593F2-855C32"
0012FA90 001EF6B0
0012FA94 EC85D000
0012FA98 42A3A852
0055468F A1 EC4CC300 MOV EAX,DWORD PTR DS:
00554694 85C0 TEST EAX,EAX ; after computing, sends the result to the server
00554696 75 05 JNZ SHORT 1.0055469D
00554698 B8 D9244500 MOV EAX,1.004524D9
0055469D 50 PUSH EAX
0055469E 68 04000000 PUSH 4
Stack
0012FA5C 00000000
0012FA60 80000004
0012FA64 001E5F70 ASCII "88888888888888%CQB%19F8F68FE8AA"
0012FA68 00000000
0012FA6C 80000004
0012FA70 00000000
0012FA74 00000000
0012FA78 00000000
0012FA7C 00000000
00554351 BB 30010000 MOV EBX,130
00554356 E8 2C5F0100 CALL 1.0056A287
0055435B 83C4 10 ADD ESP,10
0055435E 8945 F8 MOV DWORD PTR SS:,EAX
00554361 837D F8 00 CMP DWORD PTR SS:,0
00554365 0F8D 24000000 JGE 1.0055438F
0055436B B8 CA0B4F00 MOV EAX,1.004F0BCA ; 未注册版 (Unregistered Version)
00554370 50 PUSH EAX
00554371 8B1D F04CC300 MOV EBX,DWORD PTR DS:
00554377 85DB TEST EBX,EBX
00554379 74 09 JE SHORT 1.00554384
0055437B 53 PUSH EBX
0055437C E8 0C5F0100 CALL 1.0056A28D
005546BA 53 PUSH EBX
005546BB E8 CD5B0100 CALL 1.0056A28D
005546C0 83C4 04 ADD ESP,4
005546C3 837D F0 FF CMP DWORD PTR SS:,-1
005546C7 0F84 3F000000 JE 1.0055470C
005546CD 6A 00 PUSH 0
005546CF 68 00800000 PUSH 8000
005546D4 6A FF PUSH -1
005546D6 6A 0B PUSH 0B
005546D8 68 D4080116 PUSH 160108D4
005546DD 68 01000152 PUSH 52010001
005546E2 E8 C45B0100 CALL 1.0056A2AB
005546E7 83C4 18 ADD ESP,18
005546EA 6A 00 PUSH 0
005546EC 68 F50C4F00 PUSH 1.004F0CF5 ; ( 正式版 / Full Version )
005546F1 6A FF PUSH -1
005546F3 6A 08 PUSH 8
[ This post was last edited by dewwu on 2008-3-30 20:25 ]

Use ECE to find the following two:
This one is the check mark: 00559CE6
This one is the help: 0055D0DE
After you find them, NOP out the big jump below. OK!

PEiD identifies the packer as Themida|WinLicense 1.8.x.x-1.9.x.x -> Oreans *If the HideOD is Failure,the will be 1.9.x.x *
May I ask how the OP unpacked it!!
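As an added example (not code from the thread or from the product): the stack windows pasted in the first post are the evidence the whole trace rests on, and the bp RegOpenKeyExA step fires 100-odd times before the interesting frame shows up. The script below parses OllyDbg stack dumps of that shape into API-call records and string-pointer entries, then filters them by API name and argument text so the hit you care about can be picked out of a long log. The sample dump is constructed from the lines quoted in the first post; the parser, its regexes and the helper names are mine, and the header regex accepts both the English "CALL to X from Y" and the Chinese localization's "CALL 到 X 来自 Y".

```python
"""Parse OllyDbg stack-window dumps into structured API-call records.

Added example; not code from the thread or the product. SAMPLE_DUMP is
constructed to mirror the layout of the stack windows pasted in the first
post (the RegOpenKeyExA frame and the string arguments pushed before
CALL 0053FF3A), so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample. OllyDbg prints a "CALL to X from Y" header on the slot
# holding the return address, then the decoded arguments one per line with a
# '|' prefix (the last one with '\'), and annotates pointers to strings as
# ASCII "...". The Chinese localization writes the header as "CALL 到 X 来自 Y".
SAMPLE_DUMP = """\
0012F9A0 100614D0 /CALL to RegOpenKeyExA from krnln.100614CA
0012F9A4 80000002 |hKey = HKEY_LOCAL_MACHINE
0012F9A8 00C33F28 |Subkey = "software\\Kzalyx"
0012F9AC 00000000 |Reserved = 0
0012F9B0 00020019 |Access = KEY_READ
0012F9B4 0012F9C8 \\pHandle = 0012F9C8
0012F9B8 001E600B
0012FA7C 00202AD8 ASCII "8888888888888"
0012FA80 004F0CD1 ASCII "%CQB%"
0012FA84 00202FB8 ASCII "464D6AFD8B8B"
0012FA88 001F8040 ASCII "709F83C1"
0012FA8C 001F8110 ASCII "JNQNB-615965-17C96D-709F83"
"""

HEX = r"[0-9A-Fa-f]{8}"
# Whitespace between columns is optional because copy-pasted dumps (like the
# one in the thread) often lose the space before '/', '|' and "ASCII".
HEADER_RE = re.compile(
    rf"^(?P<slot>{HEX})\s*(?P<ret>{HEX})\s*/CALL (?:to|到) (?P<api>\S+) (?:from|来自) (?P<caller>\S+)"
)
ARG_RE = re.compile(rf"^(?P<slot>{HEX})\s*(?P<raw>{HEX})\s*(?P<last>[|\\])(?P<name>\w+) = (?P<value>.*)$")
ASCII_RE = re.compile(rf'^(?P<slot>{HEX})\s*(?P<ptr>{HEX})\s*ASCII "(?P<text>.*)"$')


@dataclass
class ApiCall:
    api: str
    caller: str
    return_addr: int
    args: Dict[str, str] = field(default_factory=dict)


@dataclass
class StackString:
    slot: int
    pointer: int
    text: str


def parse_dump(text: str) -> Tuple[List[ApiCall], List[StackString]]:
    """Walk the dump line by line, grouping argument lines under their CALL header."""
    calls: List[ApiCall] = []
    strings: List[StackString] = []
    current: Optional[ApiCall] = None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER_RE.match(line)):
            current = ApiCall(m["api"], m["caller"], int(m["ret"], 16))
            calls.append(current)
            continue
        if current is not None and (m := ARG_RE.match(line)):
            current.args[m["name"]] = m["value"].strip('"')
            if m["last"] == "\\":      # '\' marks the final decoded argument
                current = None
            continue
        current = None                 # any other line ends the argument list
        if (m := ASCII_RE.match(line)):
            strings.append(StackString(int(m["slot"], 16), int(m["ptr"], 16), m["text"]))
    return calls, strings


def find_calls(calls: List[ApiCall], api: str, arg_substring: Optional[str] = None) -> List[ApiCall]:
    """Filter hits by API name and, optionally, a case-insensitive substring of any argument.

    This is the triage the thread does by hand: RegOpenKeyExA fires 100-odd
    times, but only the frame whose Subkey is software\\Kzalyx matters.
    """
    hits = []
    for c in calls:
        if c.api != api:
            continue
        if arg_substring is None or any(arg_substring.lower() in v.lower() for v in c.args.values()):
            hits.append(c)
    return hits


def string_args(strings: List[StackString], count: int) -> List[str]:
    """Return the first `count` string arguments in stack order (lowest slot first)."""
    return [s.text for s in sorted(strings, key=lambda s: s.slot)[:count]]


if __name__ == "__main__":
    calls, strings = parse_dump(SAMPLE_DUMP)
    for c in find_calls(calls, "RegOpenKeyExA", "Kzalyx"):
        print(f"{c.api} from {c.caller}: {c.args}")
    print("string args:", string_args(strings, 3))
```

Run it directly and it prints the one Kzalyx frame plus the first three pushed strings. In the first post's second run, those same three strings (88888888888888, %CQB%, 19F8F68FE8AA) reappear later concatenated into a single argument, 88888888888888%CQB%19F8F68FE8AA; spotting that kind of relationship between what goes onto the stack and what is sent out afterwards is what this sort of mechanical triage is for.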