00407E70 /$ 81EC D0000000 sub esp, 0D0
00407E76 |. 53 push ebx
00407E77 |. 55 push ebp
00407E78 |. 56 push esi
...
00407F20 |. 05 D4000000 add eax, 0D4
00407F25 |. 50 push eax ; /<%s>
00407F26 |. 55 push ebp ; |<%s>
00407F27 |. 68 C0D44100 push 0041D4C0 ; |format = "%s%s"
00407F2C |. 51 push ecx ; |s
00407F2D |. FF15 C0934100 call [<&MSVCRT.sprintf>] ; \sprintf
00407F33 |. 8D5424 28 lea edx, [esp+28]
00407F37 |. 52 push edx ; 机器码
00407F38 |. 53 push ebx
00407F39 |. E8 D2000000 call 00408010 ; 关键调用
==>-------------------------------------
00408010 /$ 81EC CC000000 sub esp, 0CC
00408016 |. 8B9424 D0000000 mov edx, [esp+D0]
0040801D |. 53 push ebx
0040801E |. 55 push ebp
0040801F |. 56 push esi
00408020 |. 57 push edi
...
00408062 |. 74 33 |je short 00408097
00408064 |. 40 |inc eax
00408065 |. 83F8 10 |cmp eax, 10
00408068 |.^ 7C F2 \jl short 0040805C
0040806A |> BF 68D54100 mov edi, 0041D568 **** ; ASCII "!@#@#SDFG^*&"
0040806F |. 83C9 FF or ecx, FFFFFFFF
00408072 |. 33C0 xor eax, eax
00408074 |. F2:AE repne scas byte ptr es:[edi]
00408076 |. F7D1 not ecx
00408078 |. 2BF9 sub edi, ecx
0040807A |. 8BC1 mov eax, ecx
0040807C |. 8BF7 mov esi, edi
0040807E |. 8BFA mov edi, edx
00408080 |. C1E9 02 shr ecx, 2
00408083 |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00408085 |. 8BC8 mov ecx, eax
00408087 |. 83E1 03 and ecx, 3
0040808A |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
0040808C |. 5F pop edi
0040808D |. 5E pop esi
0040808E |. 5D pop ebp
0040808F |. 5B pop ebx
00408090 |. 81C4 CC000000 add esp, 0CC
00408096 |. C3 retn ; 返回前已把0041d568处存储的字符串"!@#@#SDFG^*&"复制到第一个参数(ebx)所指的缓冲区中。
-----------------------------------------
00407F3E |. 83C4 18 add esp, 18 ; [=>ebx]=!@#@#SDFG^*&
00407F41 |. BF D0D14100 mov edi, 0041D1D0 ; ASCII "Clayman"
00407F46 |. 8BF3 mov esi, ebx ; S-Record.0042E82C
00407F48 |> 8A0E /mov cl, [esi] ; 比较"!@#@#SDFG^*&"=="Clayman"??
00407F4A |. 8A17 |mov dl, [edi]
00407F4C |. 8AC1 |mov al, cl
00407F4E |. 3ACA |cmp cl, dl
00407F50 |. 75 1E |jnz short 00407F70 ; 不相等跳去检查注册信息
00407F52 |. 84C0 |test al, al
00407F54 |. 74 16 |je short 00407F6C ; 比较完成且相等,则跳
00407F56 |. 8A56 01 |mov dl, [esi+1]
00407F59 |. 8A4F 01 |mov cl, [edi+1]
00407F5C |. 8AC2 |mov al, dl
00407F5E |. 3AD1 |cmp dl, cl
00407F60 |. 75 0E |jnz short 00407F70
00407F62 |. 83C6 02 |add esi, 2
00407F65 |. 83C7 02 |add edi, 2
00407F68 |. 84C0 |test al, al
00407F6A |.^ 75 DC \jnz short 00407F48 ; eax=0,跳则检查注册信息
(==>可nop掉这jnz指令,这样只修改两个字节)
00407F6C |> 33C0 xor eax, eax
00407F6E |. EB 05 jmp short 00407F75
00407F70 |> 1BC0 sbb eax, eax
00407F72 |. 83D8 FF sbb eax, -1
00407F75 |> 85C0 test eax, eax
00407F77 |. 74 75 je short 00407FEE ; 跳则不检查注册信息?
00407F79 |. 68 08D54100 push 0041D508 ; /<%s> = "29843710000"
00407F7E |. 55 push ebp ; |<%s>
00407F7F |. 8D4424 20 lea eax, [esp+20] ; |
00407F83 |. 68 C0D44100 push 0041D4C0 ; |format = "%s%s"
00407F88 |. 50 push eax ; |s
00407F89 |. FF15 C0934100 call [<&MSVCRT.sprintf>] ; \sprintf
00407F8F |. 8D4C24 28 lea ecx, [esp+28]
00407F93 |. 51 push ecx
00407F94 |. 53 push ebx
00407F95 |. E8 76000000 call 00408010 ; 检查注册信息?
00407F9A |. 83C4 18 add esp, 18
00407F9D |. BE D0D14100 mov esi, 0041D1D0 ; ASCII "Clayman"
00407FA2 |> 8A13 /mov dl, [ebx]
00407FA4 |. 8A0E |mov cl, [esi]
00407FA6 |. 8AC2 |mov al, dl
00407FA8 |. 3AD1 |cmp dl, cl
00407FAA |. 75 1E |jnz short 00407FCA
00407FAC |. 84C0 |test al, al
00407FAE |. 74 16 |je short 00407FC6
00407FB0 |. 8A4B 01 |mov cl, [ebx+1]
00407FB3 |. 8A56 01 |mov dl, [esi+1]
00407FB6 |. 8AC1 |mov al, cl
00407FB8 |. 3ACA |cmp cl, dl
00407FBA |. 75 0E |jnz short 00407FCA
00407FBC |. 83C3 02 |add ebx, 2
00407FBF |. 83C6 02 |add esi, 2
00407FC2 |. 84C0 |test al, al
00407FC4 |.^ 75 DC \jnz short 00407FA2
00407FC6 |> 33C0 xor eax, eax ;注册信息正确
00407FC8 |. EB 05 jmp short 00407FCF
00407FCA |> 1BC0 sbb eax, eax ;跳这里则注册信息错误
00407FCC |. 83D8 FF sbb eax, -1
00407FCF |> 85C0 test eax, eax
00407FD1 |. 75 1B jnz short 00407FEE
00407FD3 |. 8B5424 10 mov edx, [esp+10]
00407FD7 |. 5F pop edi
00407FD8 |. 5E pop esi
00407FD9 |. 5D pop ebp
00407FDA |. C782 D0000000 01000000 mov dword ptr [edx+D0], 1
00407FE4 |. 33C0 xor eax, eax
00407FE6 |. 5B pop ebx
00407FE7 |. 81C4 D0000000 add esp, 0D0
00407FED |. C3 retn
OK, ==>0041d568-400000=1d568,修改文件偏移1d568处为:Clayman字符串.即破解成功
注:估计0041d568处存储的这个明文字符串本来就是作者自己测试时用的,发布版中未去掉。