; Caller fragment from a 32-bit x86 debugger dump (address, opcode bytes, Intel-order disassembly).
; The routine starts before 0159A529 and continues past 0159A5AE, so esi and the stack frame are set outside this excerpt.
; Every call site passes values in eax/edx/ecx, which looks like the Borland/Delphi `register` convention -- inferred, not confirmed.
0159A529 A1 A8696101 mov eax,dword ptr ds:[0x16169A8] ; eax = pointer stored in the global at 0x16169A8
0159A52E 8B00 mov eax,dword ptr ds:[eax] ; eax = object reference read through that pointer
0159A530 8BD6 mov edx,esi ; second argument = esi
0159A532 E8 C5D80BFF call KEXPRESS.00657DFC ; helper body not shown
0159A537 A1 A8696101 mov eax,dword ptr ds:[0x16169A8]
0159A53C 8B00 mov eax,dword ptr ds:[eax]
0159A53E 8B10 mov edx,dword ptr ds:[eax] ; edx = first dword of the object (presumably its method table)
0159A540 FF92 50010000 call dword ptr ds:[edx+0x150] ; indirect call through table offset 0x150
0159A546 A1 A8696101 mov eax,dword ptr ds:[0x16169A8]
0159A54B 8B00 mov eax,dword ptr ds:[eax]
0159A54D 0FB698 0C040000 movzx ebx,byte ptr ds:[eax+0x40C] ; bl = byte field at +0x40C, tested at 0159A56A
0159A554 A1 A8696101 mov eax,dword ptr ds:[0x16169A8]
0159A559 8B00 mov eax,dword ptr ds:[eax] ; eax keeps the object reference for the call at 0159A565
0159A55B 8B15 A8696101 mov edx,dword ptr ds:[0x16169A8] ; KEXPRESS.0168A274
0159A561 33C9 xor ecx,ecx
0159A563 890A mov dword ptr ds:[edx],ecx ; zero the reference slot before the object is handed to the next call
0159A565 E8 22FAE6FE call KEXPRESS.00409F8C ; called with eax = the object (presumably releases it -- body not shown)
0159A56A 84DB test bl,bl
0159A56C 0F84 45040000 je KEXPRESS.0159A9B7 ; byte at +0x40C was zero: skip everything below
0159A572 E8 2932D4FF call KEXPRESS.012DD7A0 ; its result (eax) ends up in ecx after the xchg at 0159A589
0159A577 8B15 60746101 mov edx,dword ptr ds:[0x1617460] ; KEXPRESS.01688A64
0159A57D 8B52 10 mov edx,dword ptr ds:[edx+0x10] ; edx = field +0x10 of the structure behind 0x1617460
0159A580 8B0D 60746101 mov ecx,dword ptr ds:[0x1617460] ; KEXPRESS.01688A64
0159A586 8B49 0C mov ecx,dword ptr ds:[ecx+0xC] ; ecx = field +0xC of the same structure
0159A589 91 xchg eax,ecx ; eax = field +0xC, ecx = result of 012DD7A0
0159A58A E8 05A7D4FF call KEXPRESS.012E4C94 ; algorithm CALL -- step in with F7
0159A58F A1 A4776101 mov eax,dword ptr ds:[0x16177A4]
0159A594 8338 01 cmp dword ptr ds:[eax],0x1 ; dword reached through the global at 0x16177A4
0159A597 75 1A jnz XKEXPRESS.0159A5B3 ; not equal to 1: skip both calls below (target is just past 0159A5AE)
0159A599 8B86 60040000 mov eax,dword ptr ds:[esi+0x460]
0159A59F 33D2 xor edx,edx
0159A5A1 E8 72B20AFF call KEXPRESS.00645818 ; eax = [esi+0x460], edx = 0; helper body not shown
0159A5A6 8B86 64040000 mov eax,dword ptr ds:[esi+0x464]
0159A5AC 33D2 xor edx,edx
0159A5AE E8 65B20AFF call KEXPRESS.00645818 ; same helper for [esi+0x464], edx = 0
--------------------跟进算法CALL ----------------------
; Fragment that presumably lies inside KEXPRESS.012E4C94 (the call made at 0159A58A); it starts at 012E4CEA, so the prologue is not shown.
; Pattern repeated three times below: eax = [ebp-0xC], edx = 8-character string constant, ecx = address of an output local,
; call 0124C250, then 0042ACFC moves that output into a second local ([ebp-0x14], [ebp-0x18], [ebp-0x1C]).
; NOTE(review): if these constants are DES keys, as the poster's labels say, they are fixed secrets shipped in the client binary
; and readable in any debugger; a check built on them cannot prove origin. Verifying an asymmetric signature keeps the signing key off the client.
012E4CEA 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
012E4CED E8 4E7612FF call KEXPRESS.0040C340 ; eax is set before this excerpt; helper body not shown
012E4CF2 8D45 F0 lea eax,dword ptr ss:[ebp-0x10] ; destination local
012E4CF5 8B55 F8 mov edx,dword ptr ss:[ebp-0x8] ; source value
012E4CF8 E8 437612FF call KEXPRESS.0040C340 ; presumably a string assignment into [ebp-0x10] -- TODO confirm
012E4CFD 8D4D AC lea ecx,dword ptr ss:[ebp-0x54] ; output local
012E4D00 BA 4C502E01 mov edx,KEXPRESS.012E504C ; sdk44bKs
012E4D05 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; input value, the same for all passes in this fragment
012E4D08 E8 4375F6FF call KEXPRESS.0124C250 ; DES algorithm (poster's label)
012E4D0D 8B45 AC mov eax,dword ptr ss:[ebp-0x54]
012E4D10 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
012E4D13 E8 E45F14FF call KEXPRESS.0042ACFC ; result of pass 1 ends up in [ebp-0x14]; helper body not shown
012E4D18 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
012E4D1B BA 6C502E01 mov edx,KEXPRESS.012E506C ; skEsXiKJ
012E4D20 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
012E4D23 E8 2875F6FF call KEXPRESS.0124C250 ; DES algorithm (poster's label)
012E4D28 8B45 A8 mov eax,dword ptr ss:[ebp-0x58]
012E4D2B 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
012E4D2E E8 C95F14FF call KEXPRESS.0042ACFC ; DES algorithm (poster's label; same target as the unlabelled calls at 012E4D13 and 012E4D49, so the label may be misplaced)
012E4D33 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
012E4D36 BA 8C502E01 mov edx,KEXPRESS.012E508C ; Fl7dYsqg
012E4D3B 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
012E4D3E E8 0D75F6FF call KEXPRESS.0124C250 ; DES algorithm (poster's label)
012E4D43 8B45 A4 mov eax,dword ptr ss:[ebp-0x5C]
012E4D46 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
012E4D49 E8 AE5F14FF call KEXPRESS.0042ACFC ; result of pass 3 ends up in [ebp-0x1C]
012E4D4E 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60] ; output local for a fourth pass; its call is past the end of this excerpt
012E4D51 8B15 60746101 mov edx,dword ptr ds:[0x1617460] ; KEXPRESS.01688A64
012E4D57 8B52 14 mov edx,dword ptr ds:[edx+0x14] ; this time edx comes from field +0x14 of a runtime structure, not a string constant
012E4D5A 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
进行四次的DES算法计算然后拼接
; Same routine, resuming at 012E4D6D (012E4D5D-012E4D6C are not in the excerpt).
; Splits the value in [ebp-0x8] into pieces with the helper at 0040D368 and looks for a fixed marker string.
; 0040D368 is always called with eax = source, edx = start, ecx = count and the output address pushed;
; presumably a substring copy -- helper body not shown.
012E4D6D 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
012E4D70 50 push eax ; output local [ebp-0x24]
012E4D71 B9 03000000 mov ecx,0x3 ; count = 3
012E4D76 BA 01000000 mov edx,0x1 ; start = 1
012E4D7B 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
012E4D7E E8 E58512FF call KEXPRESS.0040D368
012E4D83 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]
012E4D86 85DB test ebx,ebx
012E4D88 74 05 je XKEXPRESS.012E4D8F ; null pointer: ebx stays 0
012E4D8A 83EB 04 sub ebx,0x4
012E4D8D 8B1B mov ebx,dword ptr ds:[ebx] ; ebx = dword stored 4 bytes before the buffer (presumably its length prefix)
012E4D8F 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
012E4D92 50 push eax ; output local [ebp-0x28]
012E4D93 8BCB mov ecx,ebx
012E4D95 83E9 03 sub ecx,0x3 ; count = ebx - 3
012E4D98 BA 04000000 mov edx,0x4 ; start = 4
012E4D9D 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
012E4DA0 E8 C38512FF call KEXPRESS.0040D368
012E4DA5 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
012E4DA8 B8 AC502E01 mov eax,KEXPRESS.012E50AC ; DCBAA1B2C3D4E5F6ABCD
012E4DAD E8 DAF714FF call KEXPRESS.0043458C ; checks whether the text from the 4th character onward contains DCBAA1B2C3D4E5F6ABCD
012E4DB2 8BD8 mov ebx,eax ; ebx = value returned by the search (presumably a 1-based position)
012E4DB4 85DB test ebx,ebx
012E4DB6 0F8E 29020000 jle KEXPRESS.012E4FE5 ; key jump: taken when the registration-code format is wrong, which means failure
012E4DBC 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
012E4DBF 50 push eax ; output local [ebp-0x10]
012E4DC0 8BCB mov ecx,ebx
012E4DC2 49 dec ecx ; count = ebx - 1
012E4DC3 BA 01000000 mov edx,0x1 ; start = 1
012E4DC8 8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
012E4DCB E8 988512FF call KEXPRESS.0040D368
012E4DD0 FF75 EC push dword ptr ss:[ebp-0x14] ; [ebp-0x14], [ebp-0x18], [ebp-0x1C] are the locals written at 012E4D13, 012E4D2E, 012E4D49
012E4DD3 FF75 E8 push dword ptr ss:[ebp-0x18]
012E4DD6 FF75 E4 push dword ptr ss:[ebp-0x1C]
012E4DD9 FF75 E0 push dword ptr ss:[ebp-0x20] ; [ebp-0x20] is not written in any visible line
012E4DDC 8D45 9C lea eax,dword ptr ss:[ebp-0x64] ; the consumer of these pushes is past the end of this excerpt
; Same routine, resuming at 012E4E17 (012E4DDF-012E4E16 are not in the excerpt, so the eax pushed here and the value of esi come from lines not shown).
; Two passes through the helper at 0124C468, then a length check; a mismatch records the rejection outcome in two globals.
012E4E17 50 push eax
012E4E18 8BCE mov ecx,esi
012E4E1A 2BCB sub ecx,ebx
012E4E1C 83C1 14 add ecx,0x14
012E4E1F 41 inc ecx ; count = esi - ebx + 0x14 + 1
012E4E20 8D53 14 lea edx,dword ptr ds:[ebx+0x14] ; start = ebx + 0x14 (0x14 = 20, the length of the string compared at 012E4DAD)
012E4E23 8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
012E4E26 E8 3D8512FF call KEXPRESS.0040D368 ; same helper as the earlier splits of [ebp-0x28]; body not shown
012E4E2B 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68] ; [ebp-0x68] is not written in any visible line
012E4E2E 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
012E4E31 8B55 DC mov edx,dword ptr ss:[ebp-0x24]
012E4E34 E8 5F8312FF call KEXPRESS.0040D198 ; presumably joins [ebp-0x24] and [ebp-0x68] into [ebp-0x2C] -- TODO confirm
012E4E39 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C] ; output local
012E4E3C BA 4C502E01 mov edx,KEXPRESS.012E504C ; sdk44bKs
012E4E41 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
012E4E44 E8 1F76F6FF call KEXPRESS.0124C468 ; not the 0124C250 helper, but the same eax/edx/ecx layout; body not shown
012E4E49 8B45 94 mov eax,dword ptr ss:[ebp-0x6C] ; output of the first pass is the input of the second
012E4E4C 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
012E4E4F 8B15 60746101 mov edx,dword ptr ds:[0x1617460] ; KEXPRESS.01688A64
012E4E55 8B52 14 mov edx,dword ptr ds:[edx+0x14] ; second pass takes edx from field +0x14 of a runtime structure
012E4E58 E8 0B76F6FF call KEXPRESS.0124C468 ; stepped in: verification keeps failing at this point; the poster is stuck and asks for guidance
012E4E5D 8B45 D0 mov eax,dword ptr ss:[ebp-0x30]
012E4E60 85C0 test eax,eax
012E4E62 74 05 je XKEXPRESS.012E4E69 ; null result: compare 0 against 8
012E4E64 83E8 04 sub eax,0x4
012E4E67 8B00 mov eax,dword ptr ds:[eax] ; eax = dword stored 4 bytes before the buffer (presumably its length prefix)
012E4E69 83F8 08 cmp eax,0x8
012E4E6C 74 18 je XKEXPRESS.012E4E86 ; value is 8: continue at 012E4E86 (not in the excerpt)
012E4E6E A1 C0786101 mov eax,dword ptr ds:[0x16178C0]
012E4E73 C700 02000000 mov dword ptr ds:[eax],0x2 ; status dword behind 0x16178C0 = 2
012E4E79 A1 5C746101 mov eax,dword ptr ds:[0x161745C]
012E4E7E C600 00 mov byte ptr ds:[eax],0x0 ; flag byte behind 0x161745C = 0 (the rejection outcome, going by the poster's notes)
012E4E81 E9 67010000 jmp KEXPRESS.012E4FED ; shared exit
; Tail of the same routine (012E4E86-012E4F7D are not in the excerpt, so the compare feeding the first jnz is not shown).
; The outcome is carried by two globals: a status dword reached through [0x16178C0] and a flag byte reached through [0x161745C].
; NOTE(review): every rejection path shown (012E4E7E, 012E4F90, 012E4FE0) writes 0 to that one flag byte, so the whole result rests
; on a single writable byte. Tying later functionality to the verified licence data and checking code integrity are the usual hardening steps.
012E4F7E /75 15 jnz XKEXPRESS.012E4F95 ; condition set in lines not shown; not-equal skips the rejection stores
012E4F80 |A1 C0786101 mov eax,dword ptr ds:[0x16178C0]
012E4F85 |C700 02000000 mov dword ptr ds:[eax],0x2 ; status dword = 2
012E4F8B |A1 5C746101 mov eax,dword ptr ds:[0x161745C]
012E4F90 |C600 00 mov byte ptr ds:[eax],0x0 ; flag byte = 0
012E4F93 |EB 58 jmp XKEXPRESS.012E4FED ; shared exit
012E4F95 \8B45 CC mov eax,dword ptr ss:[ebp-0x34]
012E4F98 E8 BF6A14FF call KEXPRESS.0042BA5C ; returns an integer in eax (presumably parsed from the string in [ebp-0x34])
012E4F9D 8945 90 mov dword ptr ss:[ebp-0x70],eax
012E4FA0 DB45 90 fild dword ptr ss:[ebp-0x70] ; load that integer onto the x87 stack
012E4FA3 DB7D 84 fstp tbyte ptr ss:[ebp-0x7C] ; park it as an 80-bit value in [ebp-0x7C]
012E4FA6 9B wait
012E4FA7 8B45 C8 mov eax,dword ptr ss:[ebp-0x38]
012E4FAA E8 AD6A14FF call KEXPRESS.0042BA5C ; same conversion for [ebp-0x38]
012E4FAF 8945 80 mov dword ptr ss:[ebp-0x80],eax
012E4FB2 DB45 80 fild dword ptr ss:[ebp-0x80]
012E4FB5 DB6D 84 fld tbyte ptr ss:[ebp-0x7C] ; reload the first value
012E4FB8 DEF1 fdivrp st(1),st ; divide the two converted integers, leaving one quotient on the stack
012E4FBA E8 112F12FF call KEXPRESS.00407ED0 ; presumably converts the quotient back to an integer in eax -- body not shown
012E4FBF 8B15 C0786101 mov edx,dword ptr ds:[0x16178C0] ; KEXPRESS.01688BD8
012E4FC5 8902 mov dword ptr ds:[edx],eax ; status dword = that result
012E4FC7 A1 C0786101 mov eax,dword ptr ds:[0x16178C0]
012E4FCC 3B38 cmp edi,dword ptr ds:[eax] ; edi is set in lines not shown
012E4FCE 7E 1D jle XKEXPRESS.012E4FED ; edi <= status (signed): exit without touching the flag byte
012E4FD0 A1 C0786101 mov eax,dword ptr ds:[0x16178C0]
012E4FD5 C700 02000000 mov dword ptr ds:[eax],0x2 ; status dword = 2
012E4FDB A1 5C746101 mov eax,dword ptr ds:[0x161745C]
012E4FE0 C600 00 mov byte ptr ds:[eax],0x0 ; flag byte = 0
012E4FE3 EB 08 jmp XKEXPRESS.012E4FED
012E4FE5 A1 5C746101 mov eax,dword ptr ds:[0x161745C] ; target of the format-error jump at 012E4DB6
012E4FEA C600 01 mov byte ptr ds:[eax],0x1 ; one-byte crack patch point: changing the 0 to 1 is enough (poster's note; the listing shows the byte after that change)
012E4FED 33C0 xor eax,eax ; shared exit; the rest of the epilogue is past the end of this excerpt