清华宝迪工作日记(练手3)
【文章作者】: 店小二
【软件名称】: 清华宝迪工作日记
【软件大小】: 5M
【下载地址】: www.tsinghuabaodi.siteem.com(官网已失效)自行搜索下载
【加壳方式】: ASP
【保护方式】: 无
【编写语言】: Borland Delphi
【使用工具】: Peid、OD
【操作平台】: xp sp3
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1、查壳脱壳
2、OD载入分析
; ----------------------------------------------------------------------
; OllyDbg listing (32-bit x86, Intel syntax) of the routine at
; NoteBook.0060276C..00602950. The string references show that it is the
; registration-code check behind the "register" action.
;
; NOTE(review): the bracketed memory operands were lost when the page was
; extracted ("lea edx," / "dword ptr ds:"). The opcode-byte column still
; encodes them, e.g. 8D55 F4 = lea edx,[ebp-0xC] and FF51 38 =
; call dword ptr [ecx+0x38].
; NOTE(review): none of the helper routines is named in this listing; the
; roles given below are inferred from how their results are used and need
; to be confirmed.
;
; Design weakness visible here: the value the user input is compared with
; is produced inside the client and sits in process memory as plain text
; right before the compare, so the check cannot resist anyone who can run
; the program under a debugger. A check that holds up relies on data the
; client cannot generate itself, e.g. a licence blob signed with a vendor
; private key and verified against an embedded public key, or server-side
; activation.
; ----------------------------------------------------------------------
; Prologue: the loop pushes two zero dwords seven times and ecx (0 once the
; loop ends) is pushed once more, leaving zero-initialised locals below
; ebp; ebx and esi are then saved.
0060276C/.55 push ebp
0060276D|.8BEC mov ebp,esp
0060276F|.B9 07000000 mov ecx,0x7
00602774|>6A 00 /push 0x0
00602776|.6A 00 |push 0x0
00602778|.49 |dec ecx
00602779|.^ 75 F9 \jnz short NoteBook.00602774
0060277B|.51 push ecx
0060277C|.53 push ebx
0060277D|.56 push esi
; ebx = incoming eax (presumably the form object under the Delphi register
; calling convention -- confirm).
0060277E|.8BD8 mov ebx,eax
; eax = 0, so bytes 64:FF30 / 64:8920 are push fs:[eax] / mov fs:[eax],esp:
; a frame holding ebp and the address 00602951 is linked at fs:[0].
00602780|.33C0 xor eax,eax
00602782|.55 push ebp
00602783|.68 51296000 push NoteBook.00602951
00602788|.64:FF30 push dword ptr fs:
0060278B|.64:8920 mov dword ptr fs:,esp
; Loads [ebx+0x308], passes it through 00466D14 and 004099FC, and tests the
; result of 00404D50 for zero. Presumably: fetch the edit-box text, trim
; it, take its length -- confirm.
0060278E|.8D55 F4 lea edx,
00602791|.8B83 08030000 mov eax,dword ptr ds:
00602797|.E8 7845E6FF call NoteBook.00466D14
0060279C|.8B45 F4 mov eax, ;kernel32.7C839AA8
0060279F|.8D55 F8 lea edx,
006027A2|.E8 5572E0FF call NoteBook.004099FC
006027A7|.8B45 F8 mov eax, ;kernel32.7C817080
006027AA|.E8 A125E0FF call NoteBook.00404D50
006027AF|.85C0 test eax,eax
006027B1|.75 1D jnz short NoteBook.006027D0
; Zero result: 004870C8 is called with the "registration code is empty or
; incorrect" text and the caption string (0x40 looks like an information
; icon flag -- confirm), then control jumps to the exit at 006028F4.
006027B3|.6A 40 push 0x40
006027B5|.B9 60296000 mov ecx,NoteBook.00602960 ;信息
006027BA|.BA 68296000 mov edx,NoteBook.00602968 ;注册码为空或不正确,请在左边的编辑框中输入正确注册码
006027BF|.A1 481E6A00 mov eax,dword ptr ds:
006027C4|.8B00 mov eax,dword ptr ds:
006027C6|.E8 FD48E8FF call NoteBook.004870C8
006027CB|.E9 24010000 jmp NoteBook.006028F4
; esi = result of 00403B7C (dl = 1); the same value is handed to 00403BAC
; at 006028ED. Presumably an object created here and released there --
; confirm.
006027D0|>B2 01 mov dl,0x1
006027D2|.A1 BCD94100 mov eax,dword ptr ds:
006027D7|.E8 A013E0FF call NoteBook.00403B7C
006027DC|.8BF0 mov esi,eax
; Builds the expected value from a constant string embedded in the binary,
; the literal 2, a value loaded from [ebx+0x300] and the call to 00697FFC.
; NOTE(review): the algorithm itself is not part of this listing. A
; constant stored in the executable is readable by anyone who has the file
; and cannot serve as a secret.
006027DE|.68 A4296000 push NoteBook.006029A4 ;01234567891bcdef
006027E3|.6A 02 push 0x2
006027E5|.8D45 FC lea eax,
006027E8|.50 push eax
006027E9|.8D55 DC lea edx,
006027EC|.8B83 00030000 mov eax,dword ptr ds:
006027F2|.E8 1D45E6FF call NoteBook.00466D14
006027F7|.8B45 DC mov eax,
006027FA|.8D55 E0 lea edx,
006027FD|.E8 FA71E0FF call NoteBook.004099FC
00602802|.8B55 E0 mov edx,
00602805|.8D45 E4 lea eax,
00602808|.E8 533CE1FF call NoteBook.00416460
0060280D|.8D4D E4 lea ecx,
00602810|.A1 3C176A00 mov eax,dword ptr ds:
00602815|.8B00 mov eax,dword ptr ds:
00602817|.BA 01000000 mov edx,0x1
0060281C|.E8 DB570900 call NoteBook.00697FFC
; 00409760 takes the value at [ebp-0x4] and writes its result to
; [ebp-0x28]; that result is pushed to survive until the compare. The
; author's two annotations mark this call and the push that follows it.
; The next three addresses lost leading digits in extraction (0060282C,
; 0060282F, 00602830).
00602821|.8D55 D8 lea edx,
00602824|.8B45 FC mov eax,
00602827|.E8 346FE0FF call NoteBook.00409760 下断点的位置
060282C|.8B45 D8 mov eax, ;ntdll.7C930208
060282F|.50 push eax 出注册码
; The entered text is loaded from [ebx+0x308] again and run through the
; same helper chain (00466D14, 004099FC, 00409760); 00404E9C then compares
; it with the saved expected value and reports through the flags. jnz
; selects the failure path at 006028D5.
0602830|.8D55 CC lea edx,
00602833|.8B83 08030000 mov eax,dword ptr ds:
00602839|.E8 D644E6FF call NoteBook.00466D14
0060283E|.8B45 CC mov eax,
00602841|.8D55 D0 lea edx,
00602844|.E8 B371E0FF call NoteBook.004099FC
00602849|.8B45 D0 mov eax,
0060284C|.8D55 D4 lea edx,
0060284F|.E8 0C6FE0FF call NoteBook.00409760
00602854|.8B55 D4 mov edx, ;kernel32.7C817077
00602857|.58 pop eax ;kernel32.7C817077
00602858|.E8 3F26E0FF call NoteBook.00404E9C
0060285D|.75 76 jnz short NoteBook.006028D5
; Match path: the entered text goes to a virtual call [ecx+0x38] on the
; object in esi, a string ending in "reg.bd" is built by 00404D9C and goes
; to a second virtual call [ecx+0x74]. Presumably the accepted code is
; stored in that file -- confirm.
0060285F|.8D55 C8 lea edx,
00602862|.8B83 08030000 mov eax,dword ptr ds:
00602868|.E8 A744E6FF call NoteBook.00466D14
0060286D|.8B55 C8 mov edx,
00602870|.8BC6 mov eax,esi
00602872|.8B08 mov ecx,dword ptr ds:
00602874|.FF51 38 call dword ptr ds: ;kernel32.7C817080
00602877|.8B15 48196A00 mov edx,dword ptr ds: ;x]j
0060287D|.8B12 mov edx,dword ptr ds:
0060287F|.8D45 C4 lea eax,
00602882|.B9 C0296000 mov ecx,NoteBook.006029C0 ;reg.bd
00602887|.E8 1025E0FF call NoteBook.00404D9C
0060288C|.8B55 C4 mov edx, ;kernel32.7C817074
0060288F|.8BC6 mov eax,esi
00602891|.8B08 mov ecx,dword ptr ds:
00602893|.FF51 74 call dword ptr ds:
00602896|.A1 C01A6A00 mov eax,dword ptr ds: ;|]j
0060289B|.E8 E021E0FF call NoteBook.00404A80
; "Registration succeeded" message, then the global at 006A1AC0 receives
; the "[full version]" string through 00404AD4 and 006918CC is called
; (presumably a UI refresh -- confirm).
006028A0|.6A 40 push 0x40
006028A2|.B9 60296000 mov ecx,NoteBook.00602960 ;信息
006028A7|.BA C8296000 mov edx,NoteBook.006029C8 ;注册成功,您已成为正版用户
006028AC|.A1 481E6A00 mov eax,dword ptr ds:
006028B1|.8B00 mov eax,dword ptr ds:
006028B3|.E8 1048E8FF call NoteBook.004870C8
006028B8|.A1 C01A6A00 mov eax,dword ptr ds: ;|]j
006028BD|.BA EC296000 mov edx,NoteBook.006029EC ;[正式版]
006028C2|.E8 0D22E0FF call NoteBook.00404AD4
006028C7|.A1 3C176A00 mov eax,dword ptr ds:
006028CC|.8B00 mov eax,dword ptr ds:
006028CE|.E8 F9EF0800 call NoteBook.006918CC
006028D3|.EB 18 jmp short NoteBook.006028ED
; Mismatch path: the same message routine with the "registration failed"
; text.
006028D5|>6A 40 push 0x40
006028D7|.B9 60296000 mov ecx,NoteBook.00602960 ;信息
006028DC|.BA F8296000 mov edx,NoteBook.006029F8 ;注册失败
006028E1|.A1 481E6A00 mov eax,dword ptr ds:
006028E6|.8B00 mov eax,dword ptr ds:
006028E8|.E8 DB47E8FF call NoteBook.004870C8
; Both outcomes hand the object in esi to 00403BAC.
006028ED|>8BC6 mov eax,esi
006028EF|.E8 B812E0FF call NoteBook.00403BAC
; Common exit: eax = 0, so 64:8910 is mov fs:[eax],edx and unlinks the
; frame set up in the prologue. 00602958 is pushed so that the retn at
; 00602950 continues there once the cleanup block has run.
006028F4|>33C0 xor eax,eax
006028F6|.5A pop edx ;kernel32.7C817077
006028F7|.59 pop ecx ;kernel32.7C817077
006028F8|.59 pop ecx ;kernel32.7C817077
006028F9|.64:8910 mov dword ptr fs:,edx ;ntdll.KiFastSystemCallRet
006028FC|.68 58296000 push NoteBook.00602958
; Cleanup block: each call receives the address of one local between
; [ebp-0x3C] and [ebp-0x8], with a count in edx for 00404AA4. These look
; like Delphi string-release helpers -- confirm.
00602901|>8D45 C4 lea eax,
00602904|.E8 7721E0FF call NoteBook.00404A80
00602909|.8D45 C8 lea eax,
0060290C|.BA 02000000 mov edx,0x2
00602911|.E8 8E21E0FF call NoteBook.00404AA4
00602916|.8D45 D0 lea eax,
00602919|.BA 03000000 mov edx,0x3
0060291E|.E8 8121E0FF call NoteBook.00404AA4
00602923|.8D45 DC lea eax,
00602926|.E8 5521E0FF call NoteBook.00404A80
0060292B|.8D45 E0 lea eax,
0060292E|.E8 4D21E0FF call NoteBook.00404A80
00602933|.8D45 E4 lea eax,
00602936|.E8 D9F3E0FF call NoteBook.00411D14
0060293B|.8D45 F4 lea eax,
0060293E|.E8 3D21E0FF call NoteBook.00404A80
00602943|.8D45 F8 lea eax,
00602946|.BA 02000000 mov edx,0x2
0060294B|.E8 5421E0FF call NoteBook.00404AA4
00602950\.C3 retn
堆栈 ss:=00E00DF4, (ASCII "zlbz-luxh-efsd-mngp-a")
eax=0012F261
0012F258 00E00DF4ASCII "zlbz-luxh-efsd-mngp-a"
--------------------------------------------------------------------------------
【经验总结】
1、 适合入门新手练习追码和爆破.
2、 可做内存补丁与算法补丁.
3、 可以练习多个方面的知识.
这家公司的软件比较适合练手.初学者可以自己尝试.
鉴于本人水平有限,还不能做出算法注册机。很抱歉,继续学习中。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于店小二, 转载请注明作者并保持文章的完整, 谢谢!
2014年10月22日 上午 11:29:40
沙发,支持一下了 楼主这是要爆发啊{:soso_e179:} 将军,你需要手下吗?祝你开心,我们学习中!{:soso_e183:} 谢谢楼主分享啊 谢谢楼主分享啊 感谢分享啊
感谢楼主分享,非常感谢~~