一个软件需要重启验证。壳已经脱了，是 Borland Delphi 6.0 - 7.0 写的。用 DEDE 找到注册按钮的 RVA，在 OD 中下断，断在这里，代码如下：
004C3498 /. 55 push ebp
004C3499 |. 8BEC mov ebp, esp
004C349B |. 6A 00 push 0
004C349D |. 6A 00 push 0
004C349F |. 53 push ebx
004C34A0 |. 56 push esi
004C34A1 |. 8BF0 mov esi, eax
004C34A3 |. 33C0 xor eax, eax
004C34A5 |. 55 push ebp
004C34A6 |. 68 59354C00 push 004C3559
004C34AB |. 64:FF30 push dword ptr fs:[eax]
004C34AE |. 64:8920 mov dword ptr fs:[eax], esp
004C34B1 |. B2 01 mov dl, 1
004C34B3 |. A1 ECB54600 mov eax, dword ptr [46B5EC]
004C34B8 |. E8 2F82FAFF call 0046B6EC
004C34BD |. 8BD8 mov ebx, eax
004C34BF |. BA 01000080 mov edx, 80000001
004C34C4 |. 8BC3 mov eax, ebx
004C34C6 |. E8 C182FAFF call 0046B78C
004C34CB |. B1 01 mov cl, 1
004C34CD |. BA 70354C00 mov edx, 004C3570 ; ASCII "Software\FileRen"
004C34D2 |. 8BC3 mov eax, ebx
004C34D4 |. E8 1783FAFF call 0046B7F0
004C34D9 |. 8D55 FC lea edx, dword ptr [ebp-4]
004C34DC |. 8B86 38030000 mov eax, dword ptr [esi+338]
004C34E2 |. E8 1921F8FF call 00445600
004C34E7 |. 8B4D FC mov ecx, dword ptr [ebp-4] ; 用户名长度送ECX
004C34EA |. BA 8C354C00 mov edx, 004C358C ; ASCII "RegUser"
004C34EF |. 8BC3 mov eax, ebx
004C34F1 |. E8 9684FAFF call 0046B98C
004C34F6 |. 8D55 F8 lea edx, dword ptr [ebp-8]
004C34F9 |. 8B86 3C030000 mov eax, dword ptr [esi+33C]
004C34FF |. E8 FC20F8FF call 00445600
004C3504 |. 8B4D F8 mov ecx, dword ptr [ebp-8] ; 假码长度送ECX
004C3507 |. BA 9C354C00 mov edx, 004C359C ; ASCII "RegNo"
004C350C |. 8BC3 mov eax, ebx
004C350E |. E8 7984FAFF call 0046B98C
004C3513 |. 8BC3 mov eax, ebx
004C3515 |. E8 C200F4FF call 004035DC
004C351A |. 6A 40 push 40
004C351C |. B9 A4354C00 mov ecx, 004C35A4
004C3521 |. BA AC354C00 mov edx, 004C35AC ;如果004C359C是RegNo,那么这里难道是:RegYes?(纯属个人猜测)
004C3526 |. A1 E8964C00 mov eax, dword ptr [4C96E8]
004C352B |. 8B00 mov eax, dword ptr [eax]
004C352D |. E8 462EFAFF call 00466378 ; 重起验证(运行到这里提示需要重起程序验证)
004C3532 |. A1 E8964C00 mov eax, dword ptr [4C96E8]
004C3537 |. 8B00 mov eax, dword ptr [eax]
004C3539 |. E8 962DFAFF call 004662D4
004C353E |. 33C0 xor eax, eax
004C3540 |. 5A pop edx
004C3541 |. 59 pop ecx
004C3542 |. 59 pop ecx
004C3543 |. 64:8910 mov dword ptr fs:[eax], edx
004C3546 |. 68 60354C00 push 004C3560
004C354B |> 8D45 F8 lea eax, dword ptr [ebp-8]
004C354E |. BA 02000000 mov edx, 2
004C3553 |. E8 340EF4FF call 0040438C
004C3558 \. C3 retn
不知道那个重启验证的 CALL 分析得对不对？如果对的话，F7 跟入 call 00466378，代码如下：
00466378 /$ 55 push ebp
00466379 |. 8BEC mov ebp, esp
0046637B |. 83C4 AC add esp, -54
0046637E |. 53 push ebx
0046637F |. 56 push esi
00466380 |. 57 push edi
00466381 |. 8BF9 mov edi, ecx
00466383 |. 8BF2 mov esi, edx
00466385 |. 8945 FC mov dword ptr [ebp-4], eax
00466388 |. 8B5D 08 mov ebx, dword ptr [ebp+8]
0046638B |. E8 100CFAFF call <jmp.&user32.GetActiveWindow> ; [GetActiveWindow
00466390 |. 8945 F4 mov dword ptr [ebp-C], eax
00466393 |. 6A 02 push 2
00466395 |. 8B45 F4 mov eax, dword ptr [ebp-C]
00466398 |. 50 push eax
00466399 |. A1 18964C00 mov eax, dword ptr [4C9618]
0046639E |. 8B00 mov eax, dword ptr [eax]
004663A0 |. FFD0 call eax
004663A2 |. 8945 EC mov dword ptr [ebp-14], eax
004663A5 |. 6A 02 push 2
004663A7 |. 8B45 FC mov eax, dword ptr [ebp-4]
004663AA |. 8B40 30 mov eax, dword ptr [eax+30]
004663AD |. 50 push eax
004663AE |. A1 18964C00 mov eax, dword ptr [4C9618]
004663B3 |. 8B00 mov eax, dword ptr [eax]
004663B5 |. FFD0 call eax
004663B7 |. 8945 E8 mov dword ptr [ebp-18], eax
004663BA |. 8B45 EC mov eax, dword ptr [ebp-14]
004663BD |. 3B45 E8 cmp eax, dword ptr [ebp-18]
004663C0 74 60 je short 00466422
004663C2 |. C745 BC 28000>mov dword ptr [ebp-44], 28
004663C9 |. 8D45 BC lea eax, dword ptr [ebp-44]
004663CC |. 50 push eax
004663CD |. 8B45 EC mov eax, dword ptr [ebp-14]
004663D0 |. 50 push eax
004663D1 |. A1 6C954C00 mov eax, dword ptr [4C956C]
004663D6 |. 8B00 mov eax, dword ptr [eax]
004663D8 |. FFD0 call eax
004663DA |. 8D45 AC lea eax, dword ptr [ebp-54]
004663DD |. 50 push eax ; /pRect
004663DE |. 8B45 FC mov eax, dword ptr [ebp-4] ; |
004663E1 |. 8B40 30 mov eax, dword ptr [eax+30] ; |
004663E4 |. 50 push eax ; |hWnd
004663E5 |. E8 3E0DFAFF call <jmp.&user32.GetWindowRect> ; \GetWindowRect
004663EA |. 6A 1D push 1D
004663EC |. 6A 00 push 0
004663EE |. 6A 00 push 0
004663F0 |. 8B4D CC mov ecx, dword ptr [ebp-34]
004663F3 |. 8B55 C4 mov edx, dword ptr [ebp-3C]
004663F6 |. 2BCA sub ecx, edx
004663F8 |. D1F9 sar ecx, 1
004663FA |. 79 03 jns short 004663FF
004663FC |. 83D1 00 adc ecx, 0
004663FF |> 03CA add ecx, edx
00466401 |. 51 push ecx
00466402 |. 8B55 C8 mov edx, dword ptr [ebp-38]
00466405 |. 8B45 C0 mov eax, dword ptr [ebp-40]
00466408 |. 2BD0 sub edx, eax
0046640A |. D1FA sar edx, 1
0046640C |. 79 03 jns short 00466411
0046640E |. 83D2 00 adc edx, 0
00466411 |> 03D0 add edx, eax ; |
00466413 |. 52 push edx ; |X
00466414 |. 6A 00 push 0 ; |InsertAfter = HWND_TOP
00466416 |. 8B45 FC mov eax, dword ptr [ebp-4] ; |
00466419 |. 8B40 30 mov eax, dword ptr [eax+30] ; |
0046641C |. 50 push eax ; |hWnd
0046641D |. E8 260FFAFF call <jmp.&user32.SetWindowPos> ; \SetWindowPos
00466422 |> 33C0 xor eax, eax
00466424 |. E8 2B6AFFFF call 0045CE54
00466429 |. 8945 F0 mov dword ptr [ebp-10], eax
0046642C |. E8 3F69FFFF call 0045CD70
00466431 |. 8945 E4 mov dword ptr [ebp-1C], eax
00466434 |. 8B45 FC mov eax, dword ptr [ebp-4]
00466437 |. E8 78EEFFFF call 004652B4
0046643C |. 84C0 test al, al
0046643E |. 74 06 je short 00466446
00466440 |. 81CB 00001000 or ebx, 100000
00466446 |> 33C9 xor ecx, ecx
00466448 |. 55 push ebp
00466449 |. 68 CD644600 push 004664CD
0046644E |. 64:FF31 push dword ptr fs:[ecx]
00466451 |. 64:8921 mov dword ptr fs:[ecx], esp
00466454 |. 53 push ebx ; /Style
00466455 |. 57 push edi ; |Title
00466456 |. 56 push esi ; |Text
00466457 |. 8B45 FC mov eax, dword ptr [ebp-4] ; |
0046645A |. 8B40 30 mov eax, dword ptr [eax+30] ; |
0046645D |. 50 push eax ; |hOwner
0046645E |. E8 B50DFAFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00466463 |. 8945 F8 mov dword ptr [ebp-8], eax
00466466 |. 33C0 xor eax, eax
00466468 |. 5A pop edx
00466469 |. 59 pop ecx
0046646A |. 59 pop ecx
0046646B |. 64:8910 mov dword ptr fs:[eax], edx
0046646E |. 68 D4644600 push 004664D4
00466473 |> 8B45 EC mov eax, dword ptr [ebp-14]
00466476 |. 3B45 E8 cmp eax, dword ptr [ebp-18]
00466479 |. 74 38 je short 004664B3
0046647B |. 6A 1D push 1D
0046647D |. 6A 00 push 0
0046647F |. 6A 00 push 0
00466481 |. 8B4D B8 mov ecx, dword ptr [ebp-48]
00466484 |. 8B55 B0 mov edx, dword ptr [ebp-50]
00466487 |. 2BCA sub ecx, edx
00466489 |. D1F9 sar ecx, 1
0046648B |. 79 03 jns short 00466490
0046648D |. 83D1 00 adc ecx, 0
00466490 |> 03CA add ecx, edx
00466492 |. 51 push ecx
00466493 |. 8B55 B4 mov edx, dword ptr [ebp-4C]
00466496 |. 8B45 AC mov eax, dword ptr [ebp-54]
00466499 |. 2BD0 sub edx, eax
0046649B |. D1FA sar edx, 1
0046649D |. 79 03 jns short 004664A2
0046649F |. 83D2 00 adc edx, 0
004664A2 |> 03D0 add edx, eax ; |
004664A4 |. 52 push edx ; |X
004664A5 |. 6A 00 push 0 ; |InsertAfter = HWND_TOP
004664A7 |. 8B45 FC mov eax, dword ptr [ebp-4] ; |
004664AA |. 8B40 30 mov eax, dword ptr [eax+30] ; |
004664AD |. 50 push eax ; |hWnd
004664AE |. E8 950EFAFF call <jmp.&user32.SetWindowPos> ; \SetWindowPos
004664B3 |> 8B45 F0 mov eax, dword ptr [ebp-10]
004664B6 |. E8 4D6AFFFF call 0045CF08
004664BB |. 8B45 F4 mov eax, dword ptr [ebp-C]
004664BE |. 50 push eax ; /hWnd
004664BF |. E8 F40DFAFF call <jmp.&user32.SetActiveWindow> ; \SetActiveWindow
004664C4 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004664C7 |. E8 AC68FFFF call 0045CD78
004664CC \. C3 retn
以上的代码就看不懂了。如何爆破？最好能把算法也详细地写一下，不胜感激。