初次接触网络验证(附实例)
初次接触带网络验证的软件，想牛刀小试一番，遇到不少问题。很幸运的是，这个挂没壳，OD 可以直接载入。关于这个软件：如果是新账号，可以使用一天 24 小时；如果登录后保持 24 小时不下线，也可以一直用下去。我曾想过在软件运行时填新账号，进游戏后再改成真实的账号，可是不行，所以唯一的方法是在一开始就让软件承认账号的有效性。
OD 载入后，根据提示框，可以来到以这个断首为开始的代码段：
;-----------------------------------------------------------------------
; OllyDbg dump of the routine at 10004410..1000496C (32-bit x86, Intel
; syntax). Columns: address | opcode bytes | mnemonic operands ; comment.
; The ";" column mixes OllyDbg's own API-argument annotations with the
; poster's notes and referenced string contents (e.g. ";betty", ";提示");
; they are left exactly as posted.
; NOTE(review): every memory operand in square brackets (e.g. [ebp-30])
; was stripped by the forum/HTML extraction, which is why operands read
; as "dword ptr ,". Only the opcode column still encodes them.
; Frame: ebp-based, 0x4E0 bytes of locals (add esp,-4E0); ebx/esi/edi are
; saved and restored. eax and edx are consumed on entry before being
; written, so the arguments appear to arrive in registers -- inferred,
; confirm against the callers.
; Security-relevant behaviour visible in this routine:
;  * three single-byte XOR loops (0xCC over 0x40 bytes, 0x57 over 0x80
;    bytes, 0x18 over 9 bytes) -- a fixed-key XOR is obfuscation, not
;    encryption, and gives the protected data no confidentiality or
;    integrity;
;  * two blocks (10004657 and 100048E8) that enable SeShutdownPrivilege
;    and call ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE): an unconfirmed,
;    forced shutdown of the host, i.e. destructive behaviour inside a
;    third-party DLL.
;-----------------------------------------------------------------------
10004410/$55 push ebp ;断首
10004411|.8BEC mov ebp, esp
10004413|.81C4 20FBFFFF add esp, -4E0
10004419|.53 push ebx
1000441A|.56 push esi
1000441B|.57 push edi
1000441C|.8955 D0 mov dword ptr , edx
1000441F|.8BD8 mov ebx, eax
10004421|.B8 881D1010 mov eax, 10101D88
10004426|.E8 B5C50D00 call 100E09E0
1000442B|.8B75 D0 mov esi, dword ptr
1000442E|.6A 30 push 30
10004430|.6A 00 push 0
10004432|.8D45 90 lea eax, dword ptr
10004435|.50 push eax
10004436|.E8 99C10D00 call 100E05D4
1000443B|.66:C745 90 99>mov word ptr , 9999
10004441|.66:C745 92 04>mov word ptr , 4
10004447|.83C4 0C add esp, 0C
1000444A|.8D55 98 lea edx, dword ptr
1000444D|.C745 94 28000>mov dword ptr , 28
10004454|.6A 14 push 14
10004456|.56 push esi
10004457|.52 push edx
10004458|.E8 ABD8FFFF call 10001D08
1000445D|.83C4 0C add esp, 0C
10004460|.8D4D AC lea ecx, dword ptr
10004463|.6A 14 push 14
10004465|.68 2F151010 push 1010152F ;1111
1000446A|.51 push ecx
1000446B|.E8 98D8FFFF call 10001D08
10004470|.83C4 0C add esp, 0C
10004473|.8D85 50FFFFFF lea eax, dword ptr
10004479|.50 push eax
1000447A|.E8 C5DAFFFF call 10001F44
1000447F|.59 pop ecx
10004480|.8D95 50FFFFFF lea edx, dword ptr
10004486|.66:C745 E4 0C>mov word ptr , 0C
1000448C|.8D45 FC lea eax, dword ptr
1000448F|.E8 4CB20E00 call 100EF6E0
10004494|.FF45 F0 inc dword ptr
10004497|.8B10 mov edx, dword ptr
10004499|.8B83 68030000 mov eax, dword ptr
1000449F|.E8 2C9C0C00 call 100CE0D0
100044A4|.FF4D F0 dec dword ptr
100044A7|.8D45 FC lea eax, dword ptr
100044AA|.BA 02000000 mov edx, 2
100044AF|.E8 FCB30E00 call 100EF8B0
100044B4|.66:C745 E4 18>mov word ptr , 18
100044BA|.E8 7DD8FFFF call 10001D3C
100044BF|.8BD0 mov edx, eax
100044C1|.8D45 F8 lea eax, dword ptr
100044C4|.E8 1BB30E00 call 100EF7E4
100044C9|.FF45 F0 inc dword ptr
100044CC|.8B10 mov edx, dword ptr
100044CE|.8B83 68030000 mov eax, dword ptr
100044D4|.E8 639C0C00 call 100CE13C
100044D9|.FF4D F0 dec dword ptr
100044DC|.8D45 F8 lea eax, dword ptr
100044DF|.BA 02000000 mov edx, 2
100044E4|.E8 C7B30E00 call 100EF8B0
100044E9|.8B75 D0 mov esi, dword ptr
100044EC|.33C0 xor eax, eax
100044EE|.56 push esi
100044EF|.8BFE mov edi, esi
100044F1|.83C9 FF or ecx, FFFFFFFF
100044F4|.BE D43F1110 mov esi, 10113FD4 ;betty
; Inlined strlen (repne scas) + strcpy (rep movs dword, then the 0..3
; remaining bytes) from 10113FD4 into the buffer esi pointed at.
100044F9|.F2:AE repne scas byte ptr es:
100044FB|.F7D1 not ecx
100044FD|.2BF9 sub edi, ecx
100044FF|.8BD1 mov edx, ecx
10004501|.87F7 xchg edi, esi
10004503|.C1E9 02 shr ecx, 2
10004506|.8BC7 mov eax, edi
10004508|.F3:A5 rep movs dword ptr es:, dword p>
1000450A|.8BCA mov ecx, edx
1000450C|.83E1 03 and ecx, 3
1000450F|.F3:A4 rep movs byte ptr es:, byte ptr>
10004511|.8B83 68030000 mov eax, dword ptr
10004517|.5E pop esi
10004518|.8078 30 00 cmp byte ptr , 0
1000451C|.74 05 je short 10004523 ;跳了
1000451E|.8B10 mov edx, dword ptr
10004520|.FF52 40 call dword ptr
10004523|>8B83 68030000 mov eax, dword ptr
10004529|.8B10 mov edx, dword ptr
1000452B|.FF52 3C call dword ptr
1000452E|.6A 30 push 30
10004530|.8D4D 90 lea ecx, dword ptr
10004533|.51 push ecx
10004534|.E8 A3D9FFFF call 10001EDC
10004539|.83C4 08 add esp, 8
1000453C|.8D55 90 lea edx, dword ptr
1000453F|.B9 30000000 mov ecx, 30
10004544|.6A 00 push 0
10004546|.8B83 68030000 mov eax, dword ptr
1000454C|.E8 0B980C00 call 100CDD5C
; A non-positive result from 100CDD5C is reported as "网络连接失败" via
; MessageBoxA and the routine exits through 10004966.
10004551|.85C0 test eax, eax
10004553|.7F 34 jg short 10004589 ;跳
10004555|.6A 00 push 0
10004557|.A1 D03F1110 mov eax, dword ptr
1000455C|.68 34151010 push 10101534 ;提示
10004561|.50 push eax
10004562|.8BC3 mov eax, ebx
10004564|.E8 DF6C0800 call 1008B248
10004569|.50 push eax ; |hOwner
1000456A|.E8 53A90F00 call <jmp.&USER32.MessageBoxA> ; \网络连接失败
1000456F|.8B83 68030000 mov eax, dword ptr
10004575|.8B10 mov edx, dword ptr
10004577|.FF52 40 call dword ptr
1000457A|.8B4D D4 mov ecx, dword ptr
1000457D|.64:890D 00000>mov dword ptr fs:, ecx
10004584|.E9 DD030000 jmp 10004966
10004589|>33F6 xor esi, esi
10004588|.B8 18491110 mov eax, 10114918
10004590|.BA D43F1110 mov edx, 10113FD4 ;betty
; Loop: 0x40 bytes read from 10113FD4 are XORed with 0xCC and written to
; 10114918 (single fixed byte key -- obfuscation only).
10004595|>8A0A /mov cl, byte ptr
10004597|.80F1 CC |xor cl, 0CC
1000459A|.8808 |mov byte ptr , cl
1000459C|.46 |inc esi
1000459D|.40 |inc eax
1000459E|.42 |inc edx
1000459F|.83FE 40 |cmp esi, 40
100045A2|.^ 7C F1 \jl short 10004595 ;也跳
100045A4|.8DBD 50FBFFFF lea edi, dword ptr ;循环1
100045AA|.BE 280D1010 mov esi, 10100D28
100045AF|.B9 00010000 mov ecx, 100
100045B4|.8D95 50FBFFFF lea edx, dword ptr
100045BA|.F3:A5 rep movs dword ptr es:, dword p>
100045BC|.6A 00 push 0
100045BE|.B9 00040000 mov ecx, 400
100045C3|.8B83 68030000 mov eax, dword ptr
100045C9|.E8 46970C00 call 100CDD14
; Same failure handling as after 100CDD5C above.
100045CE|.85C0 test eax, eax
100045D0|.7F 34 jg short 10004606 ;网络好就跳过
100045D2|.6A 00 push 0
100045D4|.A1 D03F1110 mov eax, dword ptr
100045D9|.68 39151010 push 10101539 ;提示
100045DE|.50 push eax
100045DF|.8BC3 mov eax, ebx
100045E1|.E8 626C0800 call 1008B248
100045E6|.50 push eax ; |hOwner
100045E7|.E8 D6A80F00 call <jmp.&USER32.MessageBoxA> ; \网络连接失败
100045EC|.8B83 68030000 mov eax, dword ptr
100045F2|.8B10 mov edx, dword ptr
100045F4|.FF52 40 call dword ptr
100045F7|.8B4D D4 mov ecx, dword ptr
100045FA|.64:890D 00000>mov dword ptr fs:, ecx
10004601|.E9 60030000 jmp 10004966 ;上面跳就步过这里
10004606|>50 push eax ;确实要跳到这里
10004607|.8D85 50FBFFFF lea eax, dword ptr
1000460D|.50 push eax
1000460E|.E8 C9D8FFFF call 10001EDC
10004613|.83C4 08 add esp, 8
10004616|.8B83 68030000 mov eax, dword ptr
1000461C|.8B10 mov edx, dword ptr
1000461E|.FF52 40 call dword ptr
10004621|.6A 08 push 8
10004623|.68 3E151010 push 1010153E ;登陆成功
10004628|.8D8D 50FBFFFF lea ecx, dword ptr
1000462E|.51 push ecx
1000462F|.E8 D8C10D00 call 100E080C ;这里可能要该
10004634|.83C4 0C add esp, 0C ;(initial cpu selection)
10004637|.85C0 test eax, eax
10004639|.0F85 91020000 jnz 100048D0 ;不能跳
1000463F|.68 47151010 push 10101547 ;pyw
10004644|.8D85 50FBFFFF lea eax, dword ptr
1000464A|.50 push eax
1000464B|.E8 B5C10D00 call 100E0805
10004650|.83C4 08 add esp, 8
10004653|.85C0 test eax, eax
10004655|.74 59 je short 100046B0 ;这里要跳
; NOTE(review): on this path the DLL enables SeShutdownPrivilege on its
; own token and calls ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE) -- a forced,
; unconfirmed shutdown of the whole host. Destructive anti-tamper
; behaviour; the identical sequence appears again at 100048E8.
10004657|.8D55 CC lea edx, dword ptr
1000465A|.52 push edx ; /phToken
1000465B|.6A 28 push 28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
1000465D|.E8 74A00F00 call <jmp.&KERNEL32.GetCurrentProcess>; |[GetCurrentProcess
10004662|.50 push eax ; |hProcess
10004663|.E8 AE9F0F00 call <jmp.&ADVAPI32.OpenProcessToken> ; \OpenProcessToken
10004668|.8D8D 44FBFFFF lea ecx, dword ptr
1000466E|.51 push ecx ; /pLocalId
1000466F|.68 4B151010 push 1010154B ; |seshutdownprivilege
10004674|.6A 00 push 0 ; |SystemName = NULL
10004676|.E8 959F0F00 call <jmp.&ADVAPI32.LookupPrivilegeVa>; \LookupPrivilegeValueA
1000467B|.C785 40FBFFFF>mov dword ptr , 1
10004685|.C785 4CFBFFFF>mov dword ptr , 2
1000468F|.6A 00 push 0 ; /pRetLen = NULL
10004691|.6A 00 push 0 ; |pPrevState = NULL
10004693|.6A 00 push 0 ; |PrevStateSize = 0
10004695|.8D85 40FBFFFF lea eax, dword ptr ; |
1000469B|.50 push eax ; |pNewState
1000469C|.6A 00 push 0 ; |DisableAllPrivileges = FALSE
1000469E|.8B55 CC mov edx, dword ptr ; |
100046A1|.52 push edx ; |hToken
100046A2|.E8 2D9F0F00 call <jmp.&ADVAPI32.AdjustTokenPrivil>; \AdjustTokenPrivileges
100046A7|.6A 00 push 0 ; /Reserved = 0
100046A9|.6A 05 push 5 ; |Options = EWX_SHUTDOWN|EWX_FORCE
100046AB|.E8 38A60F00 call <jmp.&USER32.ExitWindowsEx> ; \ExitWindowsEx
100046B0|>68 94481110 push 10114894 ;应该跳到这里
100046B5|.8D8D 50FFFFFF lea ecx, dword ptr
100046BB|.51 push ecx
100046BC|.68 66151010 push 10101566 ;121212
100046C1|.E8 46C00D00 call 100E070C
100046C6|.59 pop ecx
100046C7|.50 push eax
100046C8|.68 5F151010 push 1010155F ;121212
100046CD|.8B45 D0 mov eax, dword ptr
100046D0|.50 push eax
100046D1|.E8 36C00D00 call 100E070C
100046D6|.59 pop ecx
100046D7|.50 push eax
100046D8|.8B55 D0 mov edx, dword ptr
100046DB|.52 push edx
100046DC|.E8 B70E0000 call 10005598 ;这里可能也要改
100046E1|.83C4 18 add esp, 18
100046E4|.84C0 test al, al
100046E6|.75 28 jnz short 10004710 ; 没跳,要跳
100046E8|.6A 00 push 0
100046EA|.68 9A151010 push 1010159A ;提示
100046EF|.68 6D151010 push 1010156D ;登陆失败,请重新尝试或确定使用的是否最新版本
100046F4|.8BC3 mov eax, ebx
100046F6|.E8 4D6B0800 call 1008B248
100046FB|.50 push eax ; |hOwner
100046FC|.E8 C1A70F00 call <jmp.&USER32.MessageBoxA> ; \登陆失败,请确定是新版吗
10004701|.8B55 D4 mov edx, dword ptr
10004704|.64:8915 00000>mov dword ptr fs:, edx
1000470B|.E9 56020000 jmp 10004966
10004710|>8D8B C4030000 lea ecx, dword ptr
10004716|.51 push ecx
10004717|.E8 0C0D0000 call 10005428
1000471C|.59 pop ecx
1000471D|.8BF0 mov esi, eax
1000471F|.68 80000000 push 80
10004724|.68 94481110 push 10114894
10004729|.56 push esi
1000472A|.E8 11BE0D00 call 100E0540
1000472F|.8B7D D0 mov edi, dword ptr
10004732|.8D86 80000000 lea eax, dword ptr
10004738|.83C4 0C add esp, 0C
1000473B|.8945 C8 mov dword ptr , eax
1000473E|.8B55 C8 mov edx, dword ptr
10004741|.33C0 xor eax, eax
10004743|.56 push esi
10004744|.57 push edi
10004745|.83C9 FF or ecx, FFFFFFFF
10004748|.8BF2 mov esi, edx
; Second inlined strlen + strcpy, same shape as at 100044F1.
1000474A|.F2:AE repne scas byte ptr es:
1000474C|.F7D1 not ecx
1000474E|.2BF9 sub edi, ecx
10004750|.8BD1 mov edx, ecx
10004752|.87F7 xchg edi, esi
10004754|.C1E9 02 shr ecx, 2
10004757|.8BC7 mov eax, edi
10004759|.F3:A5 rep movs dword ptr es:, dword p>
1000475B|.8BCA mov ecx, edx
1000475D|.83E1 03 and ecx, 3
10004760|.F3:A4 rep movs byte ptr es:, byte ptr>
10004762|.5F pop edi
10004763|.5E pop esi
10004764|.8D86 80000000 lea eax, dword ptr
1000476A|.33D2 xor edx, edx
1000476C|.8BC8 mov ecx, eax
1000476E|.8BC1 mov eax, ecx
; Loop: 0x80 bytes starting at esi+80 are XORed in place with 0x57.
10004770|>8030 57 /xor byte ptr , 57
10004773|.42 |inc edx
10004774|.40 |inc eax
10004775|.81FA 80000000 |cmp edx, 80
1000477B|.^ 7C F3 \jl short 10004770 ;要想上跳
1000477D|.6A 04 push 4
1000477F|.68 58491110 push 10114958
10004784|.8D86 00010000 lea eax, dword ptr
1000478A|.50 push eax
1000478B|.E8 B0BD0D00 call 100E0540
10004790|.83C4 0C add esp, 0C
10004793|.33D2 xor edx, edx
10004795|.8955 C4 mov dword ptr , edx
10004798|.803D 18021010>cmp byte ptr , 0
1000479F|.75 08 jnz short 100047A9 ;没跳
100047A1|.E8 369F0F00 call <jmp.&KERNEL32.GetCurrentProcess>; [GetCurrentProcessId
100047A6|.8945 C4 mov dword ptr , eax
100047A9|>56 push esi
100047AA|.BE 28111010 mov esi, 10101128
100047AF|.8DBD 30FBFFFF lea edi, dword ptr
100047B5|.B9 04000000 mov ecx, 4
100047BA|.F3:A5 rep movs dword ptr es:, dword p>
100047BC|.5E pop esi
100047BD|.C685 30FBFFFF>mov byte ptr , 6D
100047C4|.C685 31FBFFFF>mov byte ptr , 6B
100047CB|.C685 32FBFFFF>mov byte ptr , 68
100047D2|.C685 33FBFFFF>mov byte ptr , 29
100047D9|.C685 34FBFFFF>mov byte ptr , 28
100047E0|.C685 35FBFFFF>mov byte ptr , 36
100047E7|.C685 36FBFFFF>mov byte ptr , 7C
100047EE|.C685 37FBFFFF>mov byte ptr , 74
100047F5|.C685 38FBFFFF>mov byte ptr , 74
100047FC|.33D2 xor edx, edx
100047FE|.8D85 30FBFFFF lea eax, dword ptr
; Loop: the 9 bytes just stored above are XORed in place with 0x18
; before being handed to 100E2630 together with the "rb" string.
10004804|>8030 18 /xor byte ptr , 18
10004807|.42 |inc edx
10004808|.40 |inc eax
10004809|.83FA 09 |cmp edx, 9
1000480C|.^ 7C F6 \jl short 10004804 ;又是个要的循环
1000480E|.68 9F151010 push 1010159F ;rb
10004813|.8D8D 30FBFFFF lea ecx, dword ptr
10004819|.51 push ecx
1000481A|.E8 11DE0D00 call 100E2630
1000481F|.83C4 08 add esp, 8
10004822|.85C0 test eax, eax
10004824|.74 09 je short 1000482F ;跳了
10004826|.50 push eax
10004827|.E8 78DA0D00 call 100E22A4
1000482C|.59 pop ecx
1000482D|.EB 15 jmp short 10004844 ;上面跳这里步过
1000482F|>6A 04 push 4
10004831|.8D45 C4 lea eax, dword ptr
10004834|.50 push eax
10004835|.81C6 04010000 add esi, 104
1000483B|.56 push esi
1000483C|.E8 FFBC0D00 call 100E0540
10004841|.83C4 0C add esp, 0C
10004844|>C605 19021010>mov byte ptr , 1
1000484B|.B2 01 mov dl, 1
1000484D|.8B83 8C030000 mov eax, dword ptr
10004853|.8B08 mov ecx, dword ptr
10004855|.FF51 68 call dword ptr
10004858|.B2 01 mov dl, 1
1000485A|.8B83 98030000 mov eax, dword ptr
10004860|.8B08 mov ecx, dword ptr
10004862|.FF51 68 call dword ptr
10004865|.B2 01 mov dl, 1
10004867|.8B83 C0030000 mov eax, dword ptr
1000486D|.8B08 mov ecx, dword ptr
1000486F|.FF51 68 call dword ptr
10004872|.33D2 xor edx, edx
10004874|.8B83 B0030000 mov eax, dword ptr
1000487A|.8B08 mov ecx, dword ptr
1000487C|.FF51 68 call dword ptr
1000487F|.33D2 xor edx, edx
10004881|.8B83 AC030000 mov eax, dword ptr
10004887|.8B08 mov ecx, dword ptr
10004889|.FF51 68 call dword ptr
1000488C|.803D 1A021010>cmp byte ptr , 0
10004893|.75 3B jnz short 100048D0 ;确实该没跳
10004895|.E8 661C0000 call 10006500
1000489A|.84C0 test al, al
1000489C|.75 21 jnz short 100048BF ;该跳
1000489E|.6A 00 push 0
100048A0|.68 C7151010 push 101015C7 ;提示
100048A5|.68 A2151010 push 101015A2 ;文件错误或丢失,请检查或重新安装软件
100048AA|.8BC3 mov eax, ebx
100048AC|.E8 97690800 call 1008B248
100048B1|.50 push eax ; |hOwner
100048B2|.E8 0BA60F00 call <jmp.&USER32.MessageBoxA> ; \文件丢失或错误
100048B7|.6A 00 push 0
100048B9|.E8 6A570E00 call 100EA028
100048BE|.59 pop ecx
100048BF|>A1 D0F41110 mov eax, dword ptr
100048C4|.E8 8F060200 call 10024F58
100048C9|.C605 1A021010>mov byte ptr , 1
100048D0|>68 CC151010 push 101015CC ;pyw,跳到这里,以上以下无未知对话
100048D5|.8D95 50FBFFFF lea edx, dword ptr
100048DB|.52 push edx
100048DC|.E8 24BF0D00 call 100E0805
100048E1|.83C4 08 add esp, 8
100048E4|.85C0 test eax, eax
100048E6|.74 59 je short 10004941 ;跳
; NOTE(review): second forced-shutdown block, identical in structure to
; the one at 10004657 (SeShutdownPrivilege + ExitWindowsEx with
; EWX_SHUTDOWN|EWX_FORCE).
100048E8|.8D4D C0 lea ecx, dword ptr
100048EB|.51 push ecx ; /phToken
100048EC|.6A 28 push 28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
100048EE|.E8 E39D0F00 call <jmp.&KERNEL32.GetCurrentProcess>; |[GetCurrentProcess
100048F3|.50 push eax ; |hProcess
100048F4|.E8 1D9D0F00 call <jmp.&ADVAPI32.OpenProcessToken> ; \OpenProcessToken
100048F9|.8D85 24FBFFFF lea eax, dword ptr
100048FF|.50 push eax ; /pLocalId
10004900|.68 D0151010 push 101015D0 ; |seshutdownprivilege
10004905|.6A 00 push 0 ; |SystemName = NULL
10004907|.E8 049D0F00 call <jmp.&ADVAPI32.LookupPrivilegeVa>; \LookupPrivilegeValueA
1000490C|.C785 20FBFFFF>mov dword ptr , 1
10004916|.C785 2CFBFFFF>mov dword ptr , 2
10004920|.6A 00 push 0 ; /pRetLen = NULL
10004922|.6A 00 push 0 ; |pPrevState = NULL
10004924|.6A 00 push 0 ; |PrevStateSize = 0
10004926|.8D95 20FBFFFF lea edx, dword ptr ; |
1000492C|.52 push edx ; |pNewState
1000492D|.6A 00 push 0 ; |DisableAllPrivileges = FALSE
1000492F|.8B4D C0 mov ecx, dword ptr ; |
10004932|.51 push ecx ; |hToken
10004933|.E8 9C9C0F00 call <jmp.&ADVAPI32.AdjustTokenPrivil>; \AdjustTokenPrivileges
10004938|.6A 00 push 0 ; /Reserved = 0
1000493A|.6A 05 push 5 ; |Options = EWX_SHUTDOWN|EWX_FORCE
1000493C|.E8 A7A30F00 call <jmp.&USER32.ExitWindowsEx> ; \ExitWindowsEx
10004941|>6A 00 push 0 ;跳到这里
10004943|.8D85 50FBFFFF lea eax, dword ptr
10004949|.68 E4151010 push 101015E4 ;提示
1000494E|.50 push eax
1000494F|.8BC3 mov eax, ebx
10004951|.E8 F2680800 call 1008B248
10004956|.50 push eax ; |hOwner
10004957|.E8 66A50F00 call <jmp.&USER32.MessageBoxA> ; \不管对错,最后都调用此对话框
1000495C|.8B55 D4 mov edx, dword ptr
1000495F|.64:8915 00000>mov dword ptr fs:, edx
; Common epilogue: restore callee-saved edi/esi/ebx and tear down the
; ebp frame. All failure paths above jump here.
10004966|>5F pop edi
10004967|.5E pop esi
10004968|.5B pop ebx
10004969|.8BE5 mov esp, ebp
1000496B|.5D pop ebp
1000496C\.C3 retn
以上的注释栏是我根据真实的注册账号所标示出来的。然后我用了个假号，把所有的跳转改成和真账号一样的，可还是不行。试问这是什么原因？难道这类软件一定要用封包拦截的方法吗？