- UID
- 8671
注册时间2006-2-27
阅读权限40
最后登录1970-1-1
独步武林
 
TA的每日心情 | 开心
2018-5-6 16:27 |
|---|
签到天数: 7 天 [LV.3]偶尔看看II
|
【破文标题】软件破解学习交流手记
【破文作者】野猫III[D.4s]
【破解工具】PEiD,W32DASM,UC32,OD
【破解平台】Windows XP SP2
【软件名称】屏幕录像专家 V6.0 算法注册机 by 风球[PYG]
【软件大小】736 KB (754,357 字节)
【原版下载】飘云阁论坛 (本帖附件)
【保护方式】加壳,自检验
【软件简介】一、这个注册机加了tElock 0.98b1 -> tE! [Overlay]壳。咱看了风球兄的脱壳动画,可以搞定。
二、脱了壳后,没想到这个C++程序还有自检验。这是咱来向大家讨教的。以下是咱的脱壳过程及迷惑。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
------------------------------------------------------------------------
一、用PEiD查得壳:tElock 0.98b1 -> tE! [Overlay]
二、打开OD,选项--调试设置--导常,扣选忽略所有异常。载入程序,程序以下代码:
00466BD6 >^\E9 25E4FFFF JMP PL_6_0_K.00465000 。。。停在这里
00466BDB 0000 ADD BYTE PTR DS:[EAX],AL
00466BDD 0018 ADD BYTE PTR DS:[EAX],BL
00466BDF 48 DEC EAX
00466BE0 06 PUSH ES
00466BE1 27 DAA
00466BE2 1E PUSH DS
00466BE3 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
快捷键Alt+M打开内存映射窗口,找到:
内存映射, 条目 31
地址=00406000
大小=00001000 (4096.)
属主=PL_6_0_K 00400000
区段=PELOCKnt
包含=数据
类型=Imag 01001002
访问=R
初始访问=RWE
+++++++++右键-设置内存访问断点,然后按快捷键Shift+F9,程序被断在:
00465D1D AC LODS BYTE PTR DS:[ESI] 、、这里
00465D1E 8D12 LEA EDX,DWORD PTR DS:[EDX]
00465D20 FEC0 INC AL
00465D22 D2C8 ROR AL,CL
00465D24 F6D0 NOT AL
00465D26 34 B1 XOR AL,0B1
00465D28 F6D0 NOT AL
00465D2A D2C8 ROR AL,CL
00465D2C 34 05 XOR AL,5
00465D2E 8D1B LEA EBX,DWORD PTR DS:[EBX]
+++++++++右键-查找-二进制字串,或按Ctrl+B,输入0AF6,确定查找:
00466346 0AF6 OR DH,DH 。。。找到这里
00466348 895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
0046634C 61 POPAD
0046634D C685 D7CC4000 0>MOV BYTE PTR SS:[EBP+40CCD7],0
00466354 74 24 JE SHORT PL_6_0_K.0046637A 。。Magic Jump,je改成jmp
+++++++++++++++改完之后,再次打开内在映射窗口(Alt+M),找到:
内存映射, 条目 30
地址=00401000
大小=00005000 (20480.)
属主=PL_6_0_K 00400000
区段=PELOCKnt
包含=代码
类型=Imag 01001002
访问=R
初始访问=RWE
+++++++++++右键--设置内存访问断点,然后按Shift+F9,程序直达OEP:
00403831 55 PUSH EBP 、、、、、、标准的C语言入口,右键Dump下来。
00403832 8BEC MOV EBP,ESP
00403834 6A FF PUSH -1
00403836 68 F0624000 PUSH PL_6_0_K.004062F0
0040383B 68 A44C4000 PUSH PL_6_0_K.00404CA4
00403840 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00403846 50 PUSH EAX
00403847 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0040384E 83EC 58 SUB ESP,58
00403851 53 PUSH EBX
00403852 56 PUSH ESI
00403853 57 PUSH EDI
00403854 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00403857 FF15 48604000 CALL DWORD PTR DS:[406048] ; kernel32.GetVersion
+++++++++++++++++++++++++++
查壳Microsoft Visual C++ 6.0,运行软件,发现有自检验!
三、用OD载入脱壳后的程序,下命令断点:bp CreateFileA,F9运行程序,程序中断在:
7C801A24 > 8BFF MOV EDI,EDI ; ntdll.7C930738 。。。断在这里,去除断点
7C801A26 55 PUSH EBP
7C801A27 8BEC MOV EBP,ESP
7C801A29 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801A2C E8 73C80000 CALL kernel32.7C80E2A4
7C801A31 85C0 TEST EAX,EAX
7C801A33 74 1E JE SHORT kernel32.7C801A53
++++++++堆栈友好界面:
0012FC70 00401183 /CALL 到 CreateFileA 来自 UnPL_6_0.0040117D 。。。程序领空,右键,在反汇编窗口中跟随
0012FC74 0012FDA0 |FileName = "C:\Documents and Settings\STUDENT\桌面\UnPL 6.0 KeyGen.exe"
0012FC78 80000000 |Access = GENERIC_READ
0012FC7C 00000001 |ShareMode = FILE_SHARE_READ
0012FC80 00000000 |pSecurity = NULL
0012FC84 00000003 |Mode = OPEN_EXISTING
0012FC88 00000080 |Attributes = NORMAL
0012FC8C 00000000 \hTemplateFile = NULL
0012FC90 7C930738 ntdll.7C930738
+++++++++++++
0040117D |. FF15 20604000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; \CreateFileA
00401183 |. 8BF8 MOV EDI,EAX 。。。。。。这里
++++++++++++++++++
再往上下看,晕!
0040113A /$ 55 PUSH EBP
0040113B |. 8BEC MOV EBP,ESP
0040113D |. 81EC 98020000 SUB ESP,298
00401143 |. 53 PUSH EBX
00401144 |. 56 PUSH ESI
00401145 |. 57 PUSH EDI
00401146 |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
0040114C |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00401151 |. 50 PUSH EAX ; |PathBuffer
00401152 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hModule
00401155 |. 33DB XOR EBX,EBX ; |
00401157 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; |
0040115A |. 895D F8 MOV DWORD PTR SS:[EBP-8],EBX ; |
0040115D |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX ; |
00401160 |. FF15 24604000 CALL DWORD PTR DS:[<&kernel32.GetModuleF>; \GetModuleFileNameA
00401166 |. 53 PUSH EBX ; /hTemplateFile => NULL
00401167 |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040116C |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0040116E |. 53 PUSH EBX ; |pSecurity => NULL
0040116F |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00401171 |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194] ; |
00401177 |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
0040117C |. 50 PUSH EAX ; |FileName
0040117D |. FF15 20604000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; \CreateFileA
00401183 |. 8BF8 MOV EDI,EAX 。。。。。。这里
00401185 |. 83FF FF CMP EDI,-1
00401188 |. 75 0C JNZ SHORT UnPL_6_0.00401196
0040118A |. C745 FC C0714>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004071>; ASCII "Can't open file!"
00401191 |. E9 37030000 JMP UnPL_6_0.004014CD
00401196 |> 8B35 1C604000 MOV ESI,DWORD PTR DS:[<&kernel32.SetFile>; kernel32.SetFilePointer
0040119C |. 6A 02 PUSH 2 ; /Origin = FILE_END
0040119E |. 53 PUSH EBX ; |pOffsetHi
0040119F |. 6A F8 PUSH -8 ; |OffsetLo = FFFFFFF8 (-8.)
004011A1 |. 57 PUSH EDI ; |hFile
004011A2 |. FFD6 CALL ESI ; \SetFilePointer
004011A4 |. 3D E8030000 CMP EAX,3E8
004011A9 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004011AC |. 0F82 FD020000 JB UnPL_6_0.004014AF
004011B2 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004011B5 |. 53 PUSH EBX ; /pOverlapped
004011B6 |. 50 PUSH EAX ; |pBytesRead
004011B7 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; |
004011BA |. 6A 08 PUSH 8 ; |BytesToRead = 8
004011BC |. 50 PUSH EAX ; |Buffer
004011BD |. 57 PUSH EDI ; |hFile
004011BE |. 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX ; |
004011C1 |. FF15 18604000 CALL DWORD PTR DS:[<&kernel32.ReadFile>] ; \ReadFile
004011C7 |. 85C0 TEST EAX,EAX
004011C9 |. 0F84 E9020000 JE UnPL_6_0.004014B8
004011CF |. 837D E4 08 CMP DWORD PTR SS:[EBP-1C],8
004011D3 |. 0F85 DF020000 JNZ UnPL_6_0.004014B8
004011D9 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004011DC |. 817D E0 A5B79>CMP DWORD PTR SS:[EBP-20],829AB7A5
004011E3 |. 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
004011E6 |. 0F85 C3020000 JNZ UnPL_6_0.004014AF
004011EC |. 83F8 04 CMP EAX,4
004011EF |. 0F8C BA020000 JL UnPL_6_0.004014AF
004011F5 |. 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C]
004011F8 |. 0F8D B1020000 JGE UnPL_6_0.004014AF
004011FE |. 50 PUSH EAX
004011FF |. E8 32220000 CALL UnPL_6_0.00403436
00401204 |. 3BC3 CMP EAX,EBX
00401206 |. 59 POP ECX
00401207 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040120A |. 0F84 07010000 JE UnPL_6_0.00401317
00401210 |. 6A 02 PUSH 2
00401212 |. 53 PUSH EBX
00401213 |. 6A F8 PUSH -8
00401215 |. 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
00401218 |. 58 POP EAX
00401219 |. 2B45 08 SUB EAX,DWORD PTR SS:[EBP+8]
0040121C |. 50 PUSH EAX
0040121D |. 57 PUSH EDI
0040121E |. FFD6 CALL ESI
00401220 |. 83F8 FF CMP EAX,-1
00401223 |. 0F84 7D020000 JE UnPL_6_0.004014A6
00401229 |. 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8]
0040122C |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0040122F |. 53 PUSH EBX ; /pOverlapped
00401230 |. 50 PUSH EAX ; |pBytesRead
00401231 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |BytesToRead
00401234 |. 56 PUSH ESI ; |Buffer
00401235 |. 57 PUSH EDI ; |hFile
00401236 |. FF15 18604000 CALL DWORD PTR DS:[<&kernel32.ReadFile>] ; \ReadFile
0040123C |. 85C0 TEST EAX,EAX
0040123E |. 0F84 62020000 JE UnPL_6_0.004014A6
00401244 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401247 |. 3945 E8 CMP DWORD PTR SS:[EBP-18],EAX
0040124A |. 0F85 56020000 JNZ UnPL_6_0.004014A6
00401250 |. 813E A5B79A82 CMP DWORD PTR DS:[ESI],829AB7A5
00401256 |. 0F85 4A020000 JNZ UnPL_6_0.004014A6
0040125C |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401262 |. 83C6 04 ADD ESI,4
00401265 |. 50 PUSH EAX ; /Buffer
00401266 |. 68 04010000 PUSH 104 ; |BufSize = 104 (260.)
0040126B |. FF15 14604000 CALL DWORD PTR DS:[<&kernel32.GetTempPat>; \GetTempPathA
00401271 |. 85C0 TEST EAX,EAX
00401273 |. 75 0C JNZ SHORT UnPL_6_0.00401281
00401275 |. C745 FC 98714>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004071>; ASCII "Can't retrieve the temporary directory!"
0040127C |. E9 3E020000 JMP UnPL_6_0.004014BF
00401281 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
00401283 |. 83C6 04 ADD ESI,4
00401286 |. 50 PUSH EAX ; /<%X>
00401287 |. 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90] ; |
0040128D |. 68 90714000 PUSH UnPL_6_0.00407190 ; |Format = "E_%X"
00401292 |. 50 PUSH EAX ; |s
00401293 |. FF15 B0604000 CALL DWORD PTR DS:[<&user32.wsprintfA>] ; \wsprintfA
00401299 |. 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0040129F |. 50 PUSH EAX
004012A0 |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012A6 |. 50 PUSH EAX
004012A7 |. E8 24200000 CALL UnPL_6_0.004032D0
004012AC |. 83C4 14 ADD ESP,14
004012AF |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012B5 |. 53 PUSH EBX ; /pSecurity
004012B6 |. 50 PUSH EAX ; |Path
004012B7 |. FF15 10604000 CALL DWORD PTR DS:[<&kernel32.CreateDire>; \CreateDirectoryA
004012BD |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012C3 |. 68 8C714000 PUSH UnPL_6_0.0040718C
004012C8 |. 50 PUSH EAX
004012C9 |. E8 02200000 CALL UnPL_6_0.004032D0
004012CE |. FF36 PUSH DWORD PTR DS:[ESI]
004012D0 |. 836D 08 0C SUB DWORD PTR SS:[EBP+8],0C
004012D4 |. 8D7E 04 LEA EDI,DWORD PTR DS:[ESI+4]
004012D7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
004012DA |. 57 PUSH EDI
004012DB |. E8 39FEFFFF CALL UnPL_6_0.00401119
004012E0 |. 836D 08 08 SUB DWORD PTR SS:[EBP+8],8
004012E4 |. 8B47 04 MOV EAX,DWORD PTR DS:[EDI+4]
004012E7 |. 83C4 14 ADD ESP,14
004012EA |. 395D 08 CMP DWORD PTR SS:[EBP+8],EBX
004012ED |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004012F0 |. 0F8E A7010000 JLE UnPL_6_0.0040149D
004012F6 |. 813F 0D0F3E03 CMP DWORD PTR DS:[EDI],33E0F0D
004012FC |. 0F85 9B010000 JNZ UnPL_6_0.0040149D
00401302 |. 3BC3 CMP EAX,EBX
00401304 |. 0F8E 93010000 JLE UnPL_6_0.0040149D
0040130A |. 50 PUSH EAX
0040130B |. E8 26210000 CALL UnPL_6_0.00403436
00401310 |. 8BF0 MOV ESI,EAX
00401312 |. 59 POP ECX
00401313 |. 3BF3 CMP ESI,EBX
00401315 |. 75 0C JNZ SHORT UnPL_6_0.00401323
00401317 |> C745 FC 74714>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004071>; ASCII "Insufficient memory!"
0040131E |. E9 9C010000 JMP UnPL_6_0.004014BF
00401323 |> FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401326 |. 83C7 08 ADD EDI,8
00401329 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040132C |. 57 PUSH EDI
0040132D |. 50 PUSH EAX
0040132E |. 56 PUSH ESI
0040132F |. E8 E71E0000 CALL UnPL_6_0.0040321B
00401334 |. 83C4 10 ADD ESP,10
00401337 |. 85C0 TEST EAX,EAX
00401339 |. 74 13 JE SHORT UnPL_6_0.0040134E
0040133B |. 56 PUSH ESI
0040133C |. E8 EA200000 CALL UnPL_6_0.0040342B
00401341 |. 59 POP ECX
00401342 |. C745 FC 58714>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004071>; ASCII "Failed to decompress data!"
00401349 |. E9 71010000 JMP UnPL_6_0.004014BF
0040134E |> FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00401351 |. E8 D5200000 CALL UnPL_6_0.0040342B
00401356 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00401359 |. 59 POP ECX
0040135A |. 03C6 ADD EAX,ESI
0040135C |. 8975 F8 MOV DWORD PTR SS:[EBP-8],ESI
0040135F |. 3BF0 CMP ESI,EAX
00401361 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00401364 |. 885D A4 MOV BYTE PTR SS:[EBP-5C],BL
00401367 |. 0F83 B4000000 JNB UnPL_6_0.00401421
0040136D |> 8BFE /MOV EDI,ESI
0040136F |. 56 |PUSH ESI
00401370 |. 897D 08 |MOV DWORD PTR SS:[EBP+8],EDI
00401373 |. E8 38200000 |CALL UnPL_6_0.004033B0
00401378 |. C70424 4C7140>|MOV DWORD PTR SS:[ESP],UnPL_6_0.0040714>; ASCII "krnln.fnr"
0040137F |. 57 |PUSH EDI
00401380 |. 8D7406 01 |LEA ESI,DWORD PTR DS:[ESI+EAX+1]
00401384 |. E8 47480000 |CALL UnPL_6_0.00405BD0
00401389 |. 59 |POP ECX
0040138A |. 85C0 |TEST EAX,EAX
0040138C |. 59 |POP ECX
0040138D |. 74 11 |JE SHORT UnPL_6_0.004013A0
0040138F |. 68 40714000 |PUSH UnPL_6_0.00407140 ; ASCII "krnln.fne"
00401394 |. 57 |PUSH EDI
00401395 |. E8 36480000 |CALL UnPL_6_0.00405BD0
0040139A |. 59 |POP ECX
0040139B |. 85C0 |TEST EAX,EAX
0040139D |. 59 |POP ECX
0040139E |. 75 0C |JNZ SHORT UnPL_6_0.004013AC
004013A0 |> 8D45 A4 |LEA EAX,DWORD PTR SS:[EBP-5C]
004013A3 |. 57 |PUSH EDI
004013A4 |. 50 |PUSH EAX
004013A5 |. E8 161F0000 |CALL UnPL_6_0.004032C0
004013AA |. 59 |POP ECX
004013AB |. 59 |POP ECX
004013AC |> 8B3E |MOV EDI,DWORD PTR DS:[ESI]
004013AE |. 8D85 6CFEFFFF |LEA EAX,DWORD PTR SS:[EBP-194]
004013B4 |. 50 |PUSH EAX
004013B5 |. 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013BB |. 50 |PUSH EAX
004013BC |. 83C6 04 |ADD ESI,4
004013BF |. E8 FC1E0000 |CALL UnPL_6_0.004032C0
004013C4 |. FF75 08 |PUSH DWORD PTR SS:[EBP+8]
004013C7 |. 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013CD |. 50 |PUSH EAX
004013CE |. E8 FD1E0000 |CALL UnPL_6_0.004032D0
004013D3 |. 83C4 10 |ADD ESP,10
004013D6 |. 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013DC |. 53 |PUSH EBX ; /hTemplateFile
004013DD |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL
004013E2 |. 6A 02 |PUSH 2 ; |Mode = CREATE_ALWAYS
004013E4 |. 53 |PUSH EBX ; |pSecurity
004013E5 |. 53 |PUSH EBX ; |ShareMode
004013E6 |. 68 00000040 |PUSH 40000000 ; |Access = GENERIC_WRITE
004013EB |. 50 |PUSH EAX ; |FileName
004013EC |. FF15 20604000 |CALL DWORD PTR DS:[<&kernel32.CreateFil>; \CreateFileA
004013F2 |. 83F8 FF |CMP EAX,-1
004013F5 |. 8945 08 |MOV DWORD PTR SS:[EBP+8],EAX
004013F8 |. 74 17 |JE SHORT UnPL_6_0.00401411
004013FA |. 8D4D D8 |LEA ECX,DWORD PTR SS:[EBP-28]
004013FD |. 53 |PUSH EBX ; /pOverlapped
004013FE |. 51 |PUSH ECX ; |pBytesWritten
004013FF |. 57 |PUSH EDI ; |nBytesToWrite
00401400 |. 56 |PUSH ESI ; |Buffer
00401401 |. 50 |PUSH EAX ; |hFile
00401402 |. FF15 0C604000 |CALL DWORD PTR DS:[<&kernel32.WriteFile>; \WriteFile
00401408 |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; /hObject
0040140B |. FF15 08604000 |CALL DWORD PTR DS:[<&kernel32.CloseHand>; \CloseHandle
00401411 |> 03F7 |ADD ESI,EDI
00401413 |. 3B75 F4 |CMP ESI,DWORD PTR SS:[EBP-C]
00401416 |.^ 0F82 51FFFFFF \JB UnPL_6_0.0040136D
0040141C |. 385D A4 CMP BYTE PTR SS:[EBP-5C],BL
0040141F |. 75 0C JNZ SHORT UnPL_6_0.0040142D
00401421 |> C745 FC 20714>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004071>; ASCII "Not found the kernel library!"
00401428 |. E9 92000000 JMP UnPL_6_0.004014BF
0040142D |> 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401433 |. 50 PUSH EAX
00401434 |. 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040143A |. 50 PUSH EAX
0040143B |. E8 801E0000 CALL UnPL_6_0.004032C0
00401440 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00401443 |. 50 PUSH EAX
00401444 |. 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040144A |. 50 PUSH EAX
0040144B |. E8 801E0000 CALL UnPL_6_0.004032D0
00401450 |. 83C4 10 ADD ESP,10
00401453 |. 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
00401459 |. 50 PUSH EAX ; /FileName
0040145A |. FF15 04604000 CALL DWORD PTR DS:[<&kernel32.LoadLibrar>; \LoadLibraryA
00401460 |. 3BC3 CMP EAX,EBX
00401462 |. 75 09 JNZ SHORT UnPL_6_0.0040146D
00401464 |. C745 FC 00714>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004071>; ASCII "Failed to load kernel library!"
0040146B |. EB 52 JMP SHORT UnPL_6_0.004014BF
0040146D |> 68 F4704000 PUSH UnPL_6_0.004070F4 ; /ProcNameOrOrdinal = "GetNewSock"
00401472 |. 50 PUSH EAX ; |hModule
00401473 |. FF15 00604000 CALL DWORD PTR DS:[<&kernel32.GetProcAdd>; \GetProcAddress
00401479 |. 3BC3 CMP EAX,EBX
0040147B |. 75 09 JNZ SHORT UnPL_6_0.00401486
0040147D |. C745 FC D4704>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004070>; ASCII "The kernel library is invalid!"
00401484 |. EB 39 JMP SHORT UnPL_6_0.004014BF
00401486 |> 68 E8030000 PUSH 3E8
0040148B |. FFD0 CALL EAX
0040148D |. 3BC3 CMP EAX,EBX
0040148F |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00401492 |. 75 2B JNZ SHORT UnPL_6_0.004014BF
00401494 |. C745 FC A8704>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004070>; ASCII "The interface of kernel library is invalid!"
0040149B |. EB 22 JMP SHORT UnPL_6_0.004014BF
0040149D |> C745 FC 8C704>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004070>; ASCII "Invalid data in the file!"
004014A4 |. EB 19 JMP SHORT UnPL_6_0.004014BF
004014A6 |> C745 FC 5C704>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004070>; ASCII "Failed to read file or invalid data in file!"
004014AD |. EB 10 JMP SHORT UnPL_6_0.004014BF
004014AF |> C745 FC 8C704>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004070>; ASCII "Invalid data in the file!"
004014B6 |. EB 15 JMP SHORT UnPL_6_0.004014CD
004014B8 |> C745 FC 38704>MOV DWORD PTR SS:[EBP-4],UnPL_6_0.004070>; ASCII "Failed to read data from the file!"
004014BF |> 395D F8 CMP DWORD PTR SS:[EBP-8],EBX
004014C2 |. 74 09 JE SHORT UnPL_6_0.004014CD
004014C4 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004014C7 |. E8 5F1F0000 CALL UnPL_6_0.0040342B
004014CC |. 59 POP ECX
004014CD |> 395D FC CMP DWORD PTR SS:[EBP-4],EBX ; |
004014D0 |. 75 13 JNZ SHORT UnPL_6_0.004014E5 ; |
004014D2 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; |
004014D5 |. E8 00000000 CALL UnPL_6_0.004014DA ; \UnPL_6_0.004014DA
004014DA |$ 810424 267B00>ADD DWORD PTR SS:[ESP],7B26
004014E1 |. FFD0 CALL EAX
004014E3 |. EB 11 JMP SHORT UnPL_6_0.004014F6
004014E5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014E7 |. 68 30704000 PUSH UnPL_6_0.00407030 ; |Title = "Error"
004014EC |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Text
004014EF |. 53 PUSH EBX ; |hOwner
004014F0 |. FF15 AC604000 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; \MessageBoxA
004014F6 |> 5F POP EDI
004014F7 |. 5E POP ESI
004014F8 |. 33C0 XOR EAX,EAX
004014FA |. 5B POP EBX
004014FB |. C9 LEAVE
004014FC \. C2 1000 RETN 10
+++++++++++++++=这么多的jump,猫被吓着啦!
+++++++++++
以前学习VB去自检验的时候,飘云老大提示把程序的入口改跳到这段代码的返回。
在这个程序不同,希望懂的朋友赐教,谢谢!
------------------------------------------------------------------------
感谢风球兄和所有飘云阁的兄弟们提供这么好的学习环境,建议有志于学习提高的朋友来飘云阁玩!
这个Keygen的音乐真的很好听!
------------------------------------------------------------------------
【版权声明】本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 野猫III 于 2006-5-14 10:42 编辑 ] |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?加入我们
x
|
IP卡
发表于 2006-5-14 10:30:19
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-5-14 11:14:11
楼主