程序用UPX压缩,入口点在0042ABBB(下面列出的第一条指令位于0042ABB8),用OD运行到该点,然后脱壳(脱壳后文件较大)
; Original entry point reached after the UPX stub finishes: the
; push <project-header>/call ThunRTMain pair is the standard VB6 program entry
; (ThunRTMain is the VB6 runtime's main), so the process is dumped here.
0042ABB8 > 68 9C534400 push 0044539C
0042ABBD E8 EEFFFFFF call <jmp.&MSVBVM60.ThunRTMain>
进入后,打开注册窗口,输入信息后进行注册;程序显示错误信息时,在OD中按F12暂停程序,在堆栈窗口中即可找到调用对话框后的返回地址
; Return point found on the stack while the "invalid input" message box is up.
; The 4008 stored at [ebp-40] is presumably a VARIANT type tag for the
; rtcMsgBox argument (VT_BYREF|VT_BSTR) — not part of the serial logic.
00C9A3DC 50 push eax
00C9A3DD C745 C0 084>mov dword ptr [ebp-40], 4008 ; shows the input-error message
00C9A3E4 FF15 9C1040>call [<&MSVBVM60.rtcMsgBox>] ; MSVBVM60.rtcMsgBox
。。。。
从该返回点向上回溯可找到注册处理函数的开始处,在此设置断点。
==================================
; Registration handler (breakpoint set at its start). Every input field goes
; through the same pattern: rtcTrimBstr, __vbaStrMove into a temp, then
; __vbaStrCmp against the string at 0047AE34 (presumably the empty-string
; constant); `neg eax` turns the compare result into a non-zero "is empty"
; flag. The flag is later re-read from [ebp-60] (stored in the elided lines)
; and tested: an empty field falls through into the error path, a non-empty
; one jumps over it. Only after all fields pass is the expected serial built.
0108A6E8 50 push eax
0108A6E9 68 34A>push 0047AE34
0108A6EE FF15 0>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108A6F4 F7D8 neg eax ; EAX=(NAME=="")
......
0108A712 8D4D D>lea ecx, [ebp-30]
0108A715 FF15 9>call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0108A71B 0FBF4D>movsx ecx, word ptr [ebp-60]
0108A71F 85C9 test ecx, ecx
0108A721 0F84 C>je 0108A7E8 ; if NAME=="" the jump is not taken and the error is shown
....
0108A851 50 push eax ; [EAX]=DATE=2006-03-01
0108A852 FF15 4>call [<&MSVBVM60.rtcTrimBstr>] ; MSVBVM60.rtcTrimBstr
0108A858 8BD0 mov edx, eax
0108A85A 8D4D D>lea ecx, [ebp-2C]
0108A85D FF15 6>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108A863 50 push eax
0108A864 68 34A>push 0047AE34
0108A869 FF15 0>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108A86F F7D8 neg eax ; EAX=(DATE=="")
....
0108A896 0FBF45>movsx eax, word ptr [ebp-60]
0108A89A 85C0 test eax, eax
0108A89C 0F84 C>je 0108A969 ; if DATE is empty the jump is not taken and the error is shown
....
0108A9D5 8B55 D>mov edx, [ebp-28]
0108A9D8 52 push edx ; [EDX]=KEY=machine ID=1817-18B2-E81A-EA18
0108A9D9 FF15 4>call [<&MSVBVM60.rtcTrimBstr>] ; MSVBVM60.rtcTrimBstr
0108A9DF 8BD0 mov edx, eax
0108A9E1 8D4D D>lea ecx, [ebp-2C]
0108A9E4 FF15 6>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108A9EA 50 push eax
0108A9EB 68 34A>push 0047AE34
0108A9F0 FF15 0>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108A9F6 F7D8 neg eax ; EAX=(KEY=="")
....
0108AA1D 0FBF55>movsx edx, word ptr [ebp-60]
0108AA21 85D2 test edx, edx
0108AA23 0F84 C>je 0108AAF0 ; if KEY is empty the jump is not taken and the error is shown
...
0108AB5F 51 push ecx ; SN1="1234"
0108AB60 FF15 4>call [<&MSVBVM60.rtcTrimBstr>] ; MSVBVM60.rtcTrimBstr
0108AB66 8BD0 mov edx, eax
0108AB68 8D4D D>lea ecx, [ebp-2C]
0108AB6B FF15 6>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108AB71 50 push eax
0108AB72 68 34A>push 0047AE34
0108AB77 FF15 0>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108AB7D F7D8 neg eax ; EAX=(SN1=="")
....
0108ABA4 0FBF4D>movsx ecx, word ptr [ebp-60]
0108ABA8 85C9 test ecx, ecx
0108ABAA 0F84 C>je 0108AC77 ; if SN1=="" the jump is not taken and the error is shown
....
0108ACE6 50 push eax ; SN2="5678"
0108ACE7 FF15 4>call [<&MSVBVM60.rtcTrimBstr>] ; MSVBVM60.rtcTrimBstr
0108ACED 8BD0 mov edx, eax
0108ACEF 8D4D D>lea ecx, [ebp-2C]
0108ACF2 FF15 6>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108ACF8 50 push eax
0108ACF9 68 34A>push 0047AE34
0108ACFE FF15 0>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108AD04 F7D8 neg eax ; EAX=(SN2=="")
....
0108AD2B 0FBF45>movsx eax, word ptr [ebp-60]
0108AD2F 85C0 test eax, eax
0108AD31 0F84 C>je 0108ADFE ; same empty check for SN2 (not annotated by the author)
...
0108AE6D 52 push edx ; EDX=SN3="1234"
0108AE6E FF15 4>call [<&MSVBVM60.rtcTrimBstr>] ; MSVBVM60.rtcTrimBstr
0108AE74 8BD0 mov edx, eax
0108AE76 8D4D D>lea ecx, [ebp-2C]
0108AE79 FF15 6>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108AE7F 50 push eax
0108AE80 68 34A>push 0047AE34
0108AE85 FF15 0>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108AE8B F7D8 neg eax ; EAX=(SN3=="")
....
0108AFF4 51 push ecx ; SN4="5678"
0108AFF5 FF15 4>call [<&MSVBVM60.rtcTrimBstr>] ; MSVBVM60.rtcTrimBstr
0108AFFB 8BD0 mov edx, eax
0108AFFD 8D4D D>lea ecx, [ebp-2C]
0108B000 FF15 6>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108B006 50 push eax
0108B007 68 34A>push 0047AE34
0108B00C FF15 0>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108B012 F7D8 neg eax ; EAX=(SN4=="")
....
0108C6D9 FF90 00070000 call [eax+700] ; checks each input field for being empty; EAX=0 when none is empty
0108C6DF 8985 44FFFFFF mov [ebp-BC], eax
0108C6E5 83BD 44FFFFFF>cmp dword ptr [ebp-BC], 0
0108C6EC 7D 23 jge short 0108C711 ; jump taken when EAX>=0, i.e. the "no empty field" result
....
0108C7D2 52 push edx ; [EDX]=NAME="SPC_CLL"
0108C7D3 FF15 4C104000 call [<&MSVBVM60.rtcTrimBstr>] ; MSVBVM60.rtcTrimBstr
0108C7D9 8BD0 mov edx, eax
0108C7DB 8D4D C8 lea ecx, [ebp-38]
0108C7DE FF15 68124000 call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108C7E4 50 push eax
0108C7E5 68 34AE4700 push 0047AE34
0108C7EA FF15 00114000 call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108C7F0 F7D8 neg eax ; EAX=(NAME=="")
....
; Building the two inputs of the serial derivation: CH1 = fixed prefix + KEY,
; CH3 = NAME + fixed 6-byte constant CH2. Both constants live in the binary.
0108CCCC 68 0>push 00484E00 ; UNICODE "$#@^*()~"
0108CCD1 8B95>mov edx, [ebp-F0]
0108CCD7 8D4D>lea ecx, [ebp-40]
0108CCDA FF15>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108CCE0 50 push eax ; [EAX]=KEY
0108CCE1 FF15>call [<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0108CCE7 8BD0 mov edx, eax ; EAX=CH1="$#@^*()~"+KEY
0108CCE9 8D4D>lea ecx, [ebp-44]
0108CCEC FF15>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108CCF2 8B45>mov eax, [ebp-50] ; [EAX]=NAME
0108CCF5 8985>mov [ebp-F4], eax
0108CCFB C745>mov dword ptr [ebp-50], 0
0108CD02 8B95>mov edx, [ebp-F4] ; [EDX]=NAME
0108CD08 8D4D>lea ecx, [ebp-38]
0108CD0B FF15>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108CD11 50 push eax ; =>[[ECX]]=NAME
0108CD12 68 F>push 00484DF4 ; CH2=20 5F 0F 5C 1B 74 (fixed constant at 00484DF4)
0108CD17 FF15>call [<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0108CD1D 8985>mov [ebp-88], eax ; EAX=CH3=NAME+CH2
0108CD23 C785>mov dword ptr [ebp-90], 8 ; presumably a VARIANT type tag (VT_BSTR=8) wrapping CH3 — confirm
0108CD2D 8D8D>lea ecx, [ebp-B4]
0108CD33 51 push ecx ; 0
0108CD34 8D55>lea edx, [ebp-44]
0108CD37 52 push edx ; CH1="$#@^*()~"+KEY
0108CD38 8D85>lea eax, [ebp-90]
0108CD3E 50 push eax ; CH3=NAME+CH2
0108CD3F E8 6CA5C0F>call 00C972B0 ; eax=snx=Fun(ch3,ch1)=1415-16C6-14A7-135E (derivation routine, traced below)
======>>>>>>==============
......
00179FC8 00 00 2E 00 59 00 8E 00 3F 00 E7 00 20 00 81 00 ....Y.??.? .?
00179FD8 33 00 1C 00 61 00 F8 00 29 00 88 00 35 00 4E 00 3..a.?).?5.N.
00179FE8 A4 ?
.....
; Core loop of the serial derivation inside 00C972B0. Outer counter at
; [ebp-B8] (the author's i) is stepped by [ebp-1C8] and the loop exits via
; `jg 00C98804` once it exceeds [ebp-1CC] (the author notes i runs 1..16).
; Per iteration: c1 = Mid(ch3, i, 1) via rtcMidCharVar; its character value
; (rtcAnsiValueBstr, presumably Asc() — the author writes val(c1)) is added
; into a 16-bit slot of the array at [ebp-D4] selected by the inner index
; [ebp-F4], the sum is XORed with 12h and stored back, and the updated slot is
; added into z1 at [ebp-4C]. The inner index wraps back to 1 after reaching 9
; (cmp ...,9 / mov ...,1 at the bottom). Every array access is guarded by a
; VB bounds check: index must be below 11h or __vbaGenerateBoundsError fires.
; The `mov dword ptr [ebp-4], NN` stores are presumably VB6 error-handler
; line bookkeeping and take no part in the arithmetic.
00C98619 66:8B8D 48>mov cx, [ebp-B8]
00C98620 66:038D 38>add cx, [ebp-1C8] ; i=i+1 (1,2,3,4,... up to 16)
00C98627 0F80 F4090>jo <ErrorOverFlow>
00C9862D 66:898D 48>mov [ebp-B8], cx
00C98634 66:8B95 48>mov dx, [ebp-B8]
00C9863B 66:3B95 34>cmp dx, [ebp-1CC]
00C98642 0F8F BC010>jg 00C98804 ; loop exit once i passes the limit
00C98648 C745 FC 5E>mov dword ptr [ebp-4], 5E
00C9864F 0FBF85 0CF>movsx eax, word ptr [ebp-F4]
00C98656 8985 70FEF>mov [ebp-190], eax
00C9865C 83BD 70FEF>cmp dword ptr [ebp-190], 11 ; bounds check on the inner index
00C98663 73 0C jnb short 00C98671
00C98665 C785 9CFDF>mov dword ptr [ebp-264], 0
00C9866F EB 0C jmp short 00C9867D
00C98671 FF15 FC104>call [<&MSVBVM60.__vbaGenerateBoundsErro>; MSVBVM60.__vbaGenerateBoundsError
00C98677 8985 9CFDF>mov [ebp-264], eax
00C9867D C785 F4FEF>mov dword ptr [ebp-10C], 1
00C98687 C785 ECFEF>mov dword ptr [ebp-114], 2
00C98691 8D8D 44FFF>lea ecx, [ebp-BC]
00C98697 898D B4FEF>mov [ebp-14C], ecx
00C9869D C785 ACFEF>mov dword ptr [ebp-154], 4008
00C986A7 8D95 ECFEF>lea edx, [ebp-114]
00C986AD 52 push edx ; 1
00C986AE 0FBF85 48F>movsx eax, word ptr [ebp-B8]
00C986B5 50 push eax ; 1
00C986B6 8D8D ACFEF>lea ecx, [ebp-154]
00C986BC 51 push ecx ; ch3
00C986BD 8D95 DCFEF>lea edx, [ebp-124]
00C986C3 52 push edx
00C986C4 FF15 E4104>call [<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
00C986CA 0FBF85 0CF>movsx eax, word ptr [ebp-F4] ; c1=mid(ch3,i,1)
00C986D1 8985 74FEF>mov [ebp-18C], eax ; eax=1
00C986D7 83BD 74FEF>cmp dword ptr [ebp-18C], 11
00C986DE 73 0C jnb short 00C986EC
00C986E0 C785 98FDF>mov dword ptr [ebp-268], 0
00C986EA EB 0C jmp short 00C986F8
00C986EC FF15 FC104>call [<&MSVBVM60.__vbaGenerateBoundsErro>; MSVBVM60.__vbaGenerateBoundsError
00C986F2 8985 98FDF>mov [ebp-268], eax
00C986F8 8D8D DCFEF>lea ecx, [ebp-124]
00C986FE 51 push ecx
00C986FF 8D95 FCFEF>lea edx, [ebp-104]
00C98705 52 push edx
00C98706 FF15 A8114>call [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00C9870C 50 push eax ; x1=[eax]=val(c1) (author's note; the call below is rtcAnsiValueBstr)
00C9870D FF15 44104>call [<&MSVBVM60.rtcAnsiValueBstr>] ; MSVBVM60.rtcAnsiValueBstr
00C98713 8B8D 70FEF>mov ecx, [ebp-190] ; eax=x1=val(c1),ecx=1
00C98719 8B95 2CFFF>mov edx, [ebp-D4]
00C9871F 66:8B0C4A mov cx, [edx+ecx*2] ; cx=d[index] (16-bit slot)
00C98723 66:03C8 add cx, ax ; cx=d1+x1 (the d array starts out as all zeros)
00C98726 0F80 F5080>jo <ErrorOverFlow>
00C9872C 66:83F1 12 xor cx, 12 ; cx=(d1+x1) xor 12
00C98730 8B95 74FEF>mov edx, [ebp-18C]
00C98736 8B85 2CFFF>mov eax, [ebp-D4]
00C9873C 66:890C50 mov [eax+edx*2], cx ; d1=(d1+x1) xor 12
00C98740 8D8D FCFEF>lea ecx, [ebp-104]
00C98746 FF15 98124>call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00C9874C 8D8D DCFEF>lea ecx, [ebp-124]
00C98752 51 push ecx
00C98753 8D95 ECFEF>lea edx, [ebp-114]
00C98759 52 push edx
00C9875A 6A 02 push 2
00C9875C FF15 38104>call [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00C98762 83C4 0C add esp, 0C
00C98765 C745 FC 5F>mov dword ptr [ebp-4], 5F
00C9876C 0FBF85 0CF>movsx eax, word ptr [ebp-F4]
00C98773 8985 74FEF>mov [ebp-18C], eax
00C98779 83BD 74FEF>cmp dword ptr [ebp-18C], 11
00C98780 73 0C jnb short 00C9878E
00C98782 C785 94FDF>mov dword ptr [ebp-26C], 0
00C9878C EB 0C jmp short 00C9879A
00C9878E FF15 FC104>call [<&MSVBVM60.__vbaGenerateBoundsErro>; MSVBVM60.__vbaGenerateBoundsError
00C98794 8985 94FDF>mov [ebp-26C], eax
00C9879A 8B8D 74FEF>mov ecx, [ebp-18C]
00C987A0 8B95 2CFFF>mov edx, [ebp-D4]
00C987A6 66:8B45 B4 mov ax, [ebp-4C] ; ax=z1 (z1 starts at 0)
00C987AA 66:03044A add ax, [edx+ecx*2] ; ax=z1+d1 (equals d1 on the first pass)
00C987AE 0F80 6D080>jo <ErrorOverFlow>
00C987B4 66:8945 B4 mov [ebp-4C], ax ; z1=z1+d1
00C987B8 C745 FC 60>mov dword ptr [ebp-4], 60
00C987BF 66:8B8D 0C>mov cx, [ebp-F4]
00C987C6 66:83C1 01 add cx, 1 ; inner index [ebp-F4] += 1 (author: i=i+1)
00C987CA 0F80 51080>jo <ErrorOverFlow>
00C987D0 66:898D 0C>mov [ebp-F4], cx
00C987D7 C745 FC 61>mov dword ptr [ebp-4], 61
00C987DE 66:83BD 0C>cmp word ptr [ebp-F4], 9 ; wrap the inner index back to 1 after 8
00C987E6 75 10 jnz short 00C987F8
00C987E8 C745 FC 62>mov dword ptr [ebp-4], 62
00C987EF 66:C785 0C>mov word ptr [ebp-F4], 1
00C987F8 C745 FC 64>mov dword ptr [ebp-4], 64
00C987FF ^ E9 15FEFFF>jmp 00C98619 ; back to the outer loop head
........
; After the loop the computed serial (snx) is copied out with __vbaStrCopy;
; the UTF-16 dump that follows shows the resulting string.
00C98EE1 8B55 B0 mov edx, [ebp-50] ; 1415-16C6-14A7-135E
00C98EE4 8D8D 00FFF>lea ecx, [ebp-100]
00C98EEA FF15 EC114>call [<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
[edx]:=001722EC
001722EC 31 00 34 00 31 00 35 00 2D 00 31 00 36 00 43 00 1.4.1.5.-.1.6.C.
001722FC 36 00 2D 00 31 00 34 00 41 00 37 00 2D 00 31 00 6.-.1.4.A.7.-.1.
0017230C 33 00 35 00 45 3.5.E
.....
<<<<<<<<<===================
; Final check back in the registration handler: the entered SN and the
; computed snx are both upper-cased (rtcUpperCaseBstr) and then compared with
; __vbaStrCmp — a plain string comparison of a serial that was derived
; entirely on the client from NAME and KEY. A scheme that verified a signature
; or a server-issued token instead would not carry the whole derivation in
; the binary.
0108D11E C745>mov dword ptr [ebp-4], 27
0108D125 8B4D>mov ecx, [ebp-28]
0108D128 51 push ecx ; sn
0108D129 FF15>call [<&MSVBVM60.rtcUpperCaseBstr>; MSVBVM60.rtcUpperCaseBstr
0108D12F 8BD0 mov edx, eax
0108D131 8D4D>lea ecx, [ebp-34]
0108D134 FF15>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108D13A 50 push eax ; the user-entered SN (upper-cased)
0108D13B 8B55>mov edx, [ebp-24]
0108D13E 52 push edx
0108D13F FF15>call [<&MSVBVM60.rtcUpperCaseBstr>; MSVBVM60.rtcUpperCaseBstr
0108D145 8BD0 mov edx, eax
0108D147 8D4D>lea ecx, [ebp-38]
0108D14A FF15>call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0108D150 50 push eax ; snx=1415-16C6-14A7-135E
0108D151 FF15>call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0108D157 F7D8 neg eax ; eax=(snx==entered SN)
************************************************************
** 程序使用了明码比较: 计算出的snx与输入的SN直接用__vbaStrCmp比较 **
************************************************************
注册后注册信息保存在系统目录下的jdrv.ocx中(在文件末尾)