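Bump. Impressive~ Learning from this. Seems big; I can't handle it myself, so I'm here to learn. Impressive /:good
Let's study this. Approach: when the registration dialog appears, a website pops up,
so we set the breakpoint bp ShellExecuteA.
7D611200 s>8BFF mov edi,edi ; 1.004E4D30 breaks here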
7D611202 55 push ebp
7D611203 8BEC mov ebp,esp
7D611205 83EC 3C sub esp,3C
7D611208 8B45 08 mov eax,dword ptr ss:
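Look at the stack:
0012F7B0 004E91BF /CALL 到 ShellExecuteA 来自 1.004E91BA ; right-click and use "Follow in Disassembler"; do not use Alt+F9, it cannot return to the program's code space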
0012F7B4 002D076A |hWnd = 002D076A ('私人保险箱(登录窗口)',class='TfrmSafeBox',parent=004905F2)
0012F7B8 004E92C0 |Operation = "Open"
0012F7BC 004E9288 |FileName = "http://www.sharebank.com.cn/soft/softbuy.php?soid=10816"
0012F7C0 004E9284 |Parameters = ""
0012F7C4 004E9284 |DefDir = ""
0012F7C8 00000001 \IsShown = 1
0012F7CC 0012F9E0 指针到下一个 SEH 记录
0012F7D0 004E91EC SE 句柄
We arrive here:
004E911E |.E8 C19EF1FF call 1.00402FE4
004E9123 |.8D85 30FEFFFF lea eax,dword ptr ss:
004E9129 |.E8 529CF1FF call 1.00402D80
004E912E |.E8 E597F1FF call 1.00402918
004E9133 |.BA 44934E00 mov edx,1.004E9344 ;ASCII "15" (number of times)
004E9138 |.8D85 30FEFFFF lea eax,dword ptr ss:
004E913E |.E8 59C2F1FF call 1.0040539C
004E9143 |.E8 68A8F1FF call 1.004039B0
004E9148 |.E8 CB97F1FF call 1.00402918
004E914D |.8D85 30FEFFFF lea eax,dword ptr ss:
004E9153 |.E8 08A0F1FF call 1.00403160
004E9158 |.E8 BB97F1FF call 1.00402918
004E915D |.EB 60 jmp short 1.004E91BF
004E915F |>33D2 xor edx,edx
004E9161 |.8B86 2C030000 mov eax,dword ptr ds:
004E9167 |.8B08 mov ecx,dword ptr ds:
004E9169 |.FF51 64 call dword ptr ds:
004E916C |.B2 01 mov dl,1
004E916E |.8B86 6C030000 mov eax,dword ptr ds:
004E9174 |.E8 C3EEF5FF call 1.0044803C
004E9179 |.BA 58924E00 mov edx,1.004E9258
004E917E |.8B86 74030000 mov eax,dword ptr ds:
004E9184 |.E8 C3EFF5FF call 1.0044814C
004E9189 |.BA 48924E00 mov edx,1.004E9248
004E918E |.8B86 78030000 mov eax,dword ptr ds:
004E9194 |.E8 FB1DFBFF call 1.0049AF94
004E9199 |.6A 01 push 1
004E919B |.68 84924E00 push 1.004E9284
004E91A0 |.68 84924E00 push 1.004E9284
004E91A5 |.68 88924E00 push 1.004E9288 ;ASCII "http://www.sharebank.com.cn/soft/softbuy.php?soid=10816"
004E91AA |.68 C0924E00 push 1.004E92C0 ;ASCII "Open"
004E91AF |.A1 68DE4E00 mov eax,dword ptr ds:
004E91B4 |.E8 6F56F6FF call 1.0044E828 ;? shows the registration dialog and pops up the website
004E91B9 |.50 push eax ; |hWnd
004E91BA |.E8 C9F4F4FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
004E91BF |>8BC3 mov eax,ebx ; we land here
004E91C1 |.E8 7EADF1FF call 1.00403F44
004E91C6 |>33C0 xor eax,eax
004E91C8 |.5A pop edx
We set an F2 breakpoint at the start of the routine.
We find "Local Call from 004E754A": this CALL invokes this routine, so we follow it.
004E7522 > \8D85 14FCFFFF lea eax,dword ptr ss:
004E7528 .E8 23ECFFFF call 1.004E6150
004E752D .8D85 14FCFFFF lea eax,dword ptr ss:
004E7533 .BA 907A4E00 mov edx,1.004E7A90 ;ASCII "\SafLst2.dll"
004E7538 .E8 53DAF1FF call 1.00404F90
004E753D .8B85 14FCFFFF mov eax,dword ptr ss:
004E7543 .E8 5425F2FF call 1.00409A9C
004E7548 >8BC3 mov eax,ebx
004E754A E8 59180000 call 1.004E8DA8 ; we arrive at this CALL; NOP it directly and the registration dialog disappears
004E754F .B2 01 mov dl,1
004E7551 .A1 C8B24600 mov eax,dword ptr ds:
004E7556 .E8 6D3EF8FF call 1.0046B3C8
004E755B .8BF0 mov esi,eax
004E755D .BA 00000080 mov edx,80000000
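Summary: the website advertisement gives this program away. Advertising isn't easy.
Thanks for the reply, MOV. I wonder whether it's possible to find where the fake code entered in that registration dialog is verified?
Learned something, thanks to the OP for posting.
You sure ask for a lot /:L
Heh, mov, I didn't express myself clearly at first. What I meant is that I can't break at the place where the verification happens after clicking Register in that registration dialog. Sorry to trouble you once more, thanks! /:001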