飘云阁 Beginner Class, 11th Session, Lesson 4: Password Tracker Deluxe analysis
This post was last edited by MOD on 2014-11-18 20:22.
Search for the string Invalid registration number as the keyword:
004223DD .E8 DE050000 CALL 004229C0 ; as the following lines show, this is the call that validates the registration number: if EAX is not 0x9D the registration number is rejected
004223E2 .83C4 08 ADD ESP, 8
004223E5 .3D 9D000000 CMP EAX, 9D
004223EA .75 09 JNZ SHORT 004223F5
004223EC .8BCE MOV ECX, ESI
004223EE .E8 CD1B0200 CALL 00443FC0
004223F3 .EB 21 JMP SHORT 00422416
004223F5 >6A 00 PUSH 0
004223F7 .6A 30 PUSH 30
004223F9 .68 849F4800 PUSH 00489F84 ;Invalid registration number.
Step into CALL 004229C0:
004229C0|. 6A FF PUSH -1
…………………………
00422A04|.E8 E7FBFFFF CALL 004225F0 ; determines the final return value in EAX
00422A09|.8D4C24 04 LEA ECX, [ESP+4]
00422A0D|.8BF0 MOV ESI, EAX
00422A0F|.C74424 20 FFF>MOV DWORD PTR [ESP+20], -1
00422A17|.E8 84FBFFFF CALL 004225A0
00422A1C|.8B4C24 18 MOV ECX, [ESP+18]
00422A20|.8BC6 MOV EAX, ESI
00422A22|.64:890D 00000>MOV FS:[0], ECX
00422A29|.5E POP ESI
00422A2A|.83C4 20 ADD ESP, 20
00422A2D\.C3 RETN
Step into CALL 004225F0:
004225F0|. 6A FF PUSH -1
004225F2|.68 78914600 PUSH 00469178 ; SE handler installation
004225F7|.64:A1 0000000>MOV EAX, FS:[0]
004225FD|.50 PUSH EAX
004225FE|.64:8925 00000>MOV FS:[0], ESP
00422605|.51 PUSH ECX
00422606|.55 PUSH EBP
00422607|.56 PUSH ESI
00422608|.57 PUSH EDI
00422609|.8BE9 MOV EBP, ECX
0042260B|.8B45 00 MOV EAX, [EBP]
0042260E|.83CE FF OR ESI, FFFFFFFF
00422611|.3BC6 CMP EAX, ESI
00422613|.C74424 18 000>MOV DWORD PTR [ESP+18], 0
0042261B|.75 05 JNZ SHORT 00422622
0042261D|.3975 04 CMP [EBP+4], ESI
00422620|.74 50 JE SHORT 00422672
00422622|>8D4C24 20 LEA ECX, [ESP+20]
00422626|.E8 F3E60100 CALL 00440D1E
0042262B|.8D4C24 20 LEA ECX, [ESP+20]
0042262F|.E8 9EE60100 CALL 00440CD2
00422634|.8B4424 20 MOV EAX, [ESP+20] ; stack SS:=00AF3F70, (ASCII "1234567890123")
00422638|.8378 F8 0D CMP DWORD PTR [EAX-8], 0D ; checks the registration number length: must be 0xD, i.e. 13 characters
0042263C|.75 34 JNZ SHORT 00422672
0042263E|.53 PUSH EBX
0042263F|.8D4C24 10 LEA ECX, [ESP+10]
00422643|.6A 02 PUSH 2
00422645|.51 PUSH ECX
00422646|.8D4C24 2C LEA ECX, [ESP+2C]
0042264A|.E8 50E20100 CALL 0044089F
0042264F|.8B00 MOV EAX, [EAX] ; stack DS:=00AF3FC0, (ASCII "12")
00422651|.68 EC9F4800 PUSH 00489FEC ; PT
00422656|.50 PUSH EAX ; the first two characters must be PT
00422657|.E8 BCE80000 CALL 00430F18
0042265C|.83C4 08 ADD ESP, 8
0042265F|.8D4C24 10 LEA ECX, [ESP+10]
00422663|.85C0 TEST EAX, EAX
00422665|.0F95C3 SETNE BL
00422668|.E8 6E5B0200 CALL 004481DB
0042266D|.84DB TEST BL, BL
0042266F|.5B POP EBX
00422670|.74 23 JE SHORT 00422695
00422672|>8D4C24 20 LEA ECX, [ESP+20]
00422676|.897424 18 MOV [ESP+18], ESI
0042267A|.E8 5C5B0200 CALL 004481DB
0042267F|.8BC6 MOV EAX, ESI
00422681|.5F POP EDI
00422682|.5E POP ESI
00422683|.5D POP EBP
00422684|.8B4C24 04 MOV ECX, [ESP+4]
00422688|.64:890D 00000>MOV FS:[0], ECX
0042268F|.83C4 10 ADD ESP, 10
00422692|.C2 0400 RETN 4
00422695|>6A 04 PUSH 4
00422697|.8D5424 10 LEA EDX, [ESP+10]
0042269B|.6A 02 PUSH 2
0042269D|.52 PUSH EDX
0042269E|.8D4C24 2C LEA ECX, [ESP+2C]
004226A2|.E8 E6E00100 CALL 0044078D
004226A7|.8B00 MOV EAX, [EAX] ; stack DS:=00AF3FC0, (ASCII "1234")
004226A9|.50 PUSH EAX
004226AA|.E8 5EE80000 CALL 00430F0D
004226AF|.83C4 04 ADD ESP, 4
004226B2|.8D4C24 0C LEA ECX, [ESP+C] ; stack address=0012F548
004226B6|.8BF0 MOV ESI, EAX ; EAX=000004D2, i.e. 1234 in hex
004226B8|.E8 1E5B0200 CALL 004481DB
004226BD|.8D4424 0C LEA EAX, [ESP+C]
004226C1|.6A 06 PUSH 6
004226C3|.50 PUSH EAX
004226C4|.8D4C24 28 LEA ECX, [ESP+28] ; stack address=0012F55C ASCII "PT12345678901"
004226C8|.E8 9DE00100 CALL 0044076A
004226CD|.8B00 MOV EAX, [EAX] ; stack DS:=00AF3FC0, (ASCII "5678901")
004226CF|.50 PUSH EAX
004226D0|.E8 38E80000 CALL 00430F0D
004226D5|.83C4 04 ADD ESP, 4
004226D8|.8D4C24 0C LEA ECX, [ESP+C] ; stack address=0012F548
004226DC|.8BF8 MOV EDI, EAX
004226DE|.E8 F85A0200 CALL 004481DB
004226E3|.81FE B0FCFFFF CMP ESI, -350 ; ESI must equal -350, i.e. positions 2 through 6 must read -350
004226E9|.75 08 JNZ SHORT 004226F3 ; this jump must not be taken
004226EB 81FF 058BF9FF CMP EDI, FFF98B05 ; FFF98B05 is -423163
004226F1|.74 77 JE SHORT 0042276A ; this jump must be taken; EAX then becomes 0x9D
004226F3|>8B45 00 MOV EAX, [EBP]
004226F6|.B9 E8030000 MOV ECX, 3E8
004226FB|.F7D8 NEG EAX
004226FD|.99 CDQ
004226FE|.F7F9 IDIV ECX
00422700|.3BF2 CMP ESI, EDX
00422702|.74 28 JE SHORT 0042272C
00422704|.8D4C24 20 LEA ECX, [ESP+20]
00422708|.C74424 18 FFF>MOV DWORD PTR [ESP+18], -1
00422710|.E8 C65A0200 CALL 004481DB
00422715|.5F POP EDI
00422716|.5E POP ESI
00422717|.83C8 FF OR EAX, FFFFFFFF
0042271A|.5D POP EBP
0042271B|.8B4C24 04 MOV ECX, [ESP+4]
0042271F|.64:890D 00000>MOV FS:[0], ECX
00422726|.83C4 10 ADD ESP, 10
00422729|.C2 0400 RETN 4
0042272C|>8B45 04 MOV EAX, [EBP+4]
0042272F|.8D14C5 000000>LEA EDX, [EAX*8]
00422736|.2BD0 SUB EDX, EAX
00422738|.D1E2 SHL EDX, 1
0042273A|.2BD0 SUB EDX, EAX
0042273C|.F7DA NEG EDX
0042273E|.3BFA CMP EDI, EDX
00422740|.74 28 JE SHORT 0042276A
00422742|.8D4C24 20 LEA ECX, [ESP+20]
00422746|.C74424 18 FFF>MOV DWORD PTR [ESP+18], -1
0042274E|.E8 885A0200 CALL 004481DB
00422753|.5F POP EDI
00422754|.5E POP ESI
00422755|.83C8 FF OR EAX, FFFFFFFF
00422758|.5D POP EBP
00422759|.8B4C24 04 MOV ECX, [ESP+4]
0042275D|.64:890D 00000>MOV FS:[0], ECX
00422764|.83C4 10 ADD ESP, 10
00422767|.C2 0400 RETN 4
0042276A|>8D4C24 20 LEA ECX, [ESP+20]
0042276E|.C74424 18 FFF>MOV DWORD PTR [ESP+18], -1
00422776|.E8 605A0200 CALL 004481DB
0042277B|.8B4C24 10 MOV ECX, [ESP+10]
0042277F|.5F POP EDI
00422780|.5E POP ESI
00422781|.B8 9D000000 MOV EAX, 9D
00422786|.5D POP EBP
00422787|.64:890D 00000>MOV FS:[0], ECX
0042278E|.83C4 10 ADD ESP, 10
00422791\.C2 0400 RETN 4
Order Number: 20141118
Registration Number: PT-848-423163
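The check traced above, rewritten as readable C so the control flow of CALL 004225F0 can be followed without the listing. This is an added illustration, not the program's own code: field0 and field1 stand in for the two integers at [EBP] and [EBP+4], whose derivation from the order number the page does not show, so they are plain inputs here, and the pair used in the sample call is constructed only to satisfy the traced arithmetic. Note that the first comparison accepts the number regardless of those fields, which is exactly the kind of hard-coded constant a reverser finds first.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return values as the disassembly uses them: 0x9D = accepted, -1 = rejected. */
#define REG_OK  0x9D
#define REG_BAD (-1)

/* Mirrors CALL 004225F0 as traced in the listing. field0/field1 are the two
 * ints at [EBP] and [EBP+4]; how the program fills them is not shown on the
 * page, so they are treated as plain inputs (assumption). */
int check_registration(const char *reg, int field0, int field1)
{
    char part[8];
    int esi, edi;

    if (field0 == -1 && field1 == -1)          /* 0042260B..00422620 */
        return REG_BAD;
    if (strlen(reg) != 13)                     /* CMP DWORD PTR [EAX-8], 0D */
        return REG_BAD;
    if (strncmp(reg, "PT", 2) != 0)            /* CALL 00430F18 on Mid(0,2) */
        return REG_BAD;

    memcpy(part, reg + 2, 4); part[4] = '\0';  /* Mid(2,4) */
    esi = atoi(part);                          /* CALL 00430F0D */
    memcpy(part, reg + 6, 7); part[7] = '\0';  /* Mid(6): the remaining 7 chars */
    edi = atoi(part);

    /* Hard-coded pair at 004226E3..004226F1, independent of field0/field1. */
    if (esi == -350 && edi == -423163)         /* 0xFFF98B05 */
        return REG_OK;

    /* Field-dependent path, 004226F3..00422740. IDIV truncates like C's %. */
    if (esi != (-field0) % 1000)               /* NEG EAX; CDQ; IDIV 3E8 */
        return REG_BAD;
    if (edi != -(13 * field1))                 /* (x*8 - x)*2 - x = 13x, then NEG */
        return REG_BAD;
    return REG_OK;
}

int main(void)
{
    /* Constructed field values (848, 32551) satisfy the traced arithmetic. */
    printf("%d\n", check_registration("PT-848-423163", 848, 32551)); /* 157 */
    return 0;
}
```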
This post was last edited by wgz001 on 2014-11-18 19:53.
Keep it up
Nice
First reply!
A code box would make it look better.

wgz001 posted on 2014-11-18 19:50:
Keep it up
Nice
First reply!
Can't box it; this listing is color-highlighted, and a code box would scramble it.

You clown, all you do is tease me. Shame on you. I envy people who understand algorithms.

吾爱学习 posted on 2014-11-20 11:00:
You clown, all you do is tease me. Shame on you. I envy people who understand algorithms.
You call this understanding algorithms? Where did I touch any algorithm? Don't pad the thread like that.

MOD posted on 2014-11-20 13:05:
You call this understanding algorithms? Where did I touch any algorithm? Don't pad the thread like that.
This is probably a bug in the software; it's a universal registration code. Didn't you work on this program back then?

Beginner here; I can't quite follow this.

Here to learn, thanks for sharing.

Here to learn. Thanks for your hard work, OP.