This post was last edited by tmbs on 2010-8-13 20:38
http://u.115.com/file/t4c6f03604
Debugging the HDLI.exe program after unpacking it is really hard for a newbie like me. Below is my analysis; I hope the masters here can give me some pointers so the analysis becomes more complete. Also, what is the general approach to cracking the network verification? Thanks, everyone!
004B4FF3 . 55 push ebp
004B4FF4 . 68 C4524B00 push HDLI.004B52C4
004B4FF9 . 64:FF30 push dword ptr fs:[eax]
004B4FFC . 64:8920 mov dword ptr fs:[eax],esp
004B4FFF . 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
004B5002 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
004B5005 . 8B80 F8020000 mov eax,dword ptr ds:[eax+0x2F8]
004B500B . E8 D836FAFF call HDLI.004586E8
004B5010 . 8B55 EC mov edx,dword ptr ss:[ebp-0x14]
004B5013 . B8 38E24C00 mov eax,HDLI.004CE238
004B5018 . E8 F7FAF4FF call HDLI.00404B14
004B501D . 833D 38E24C00>cmp dword ptr ds:[0x4CE238],0x0 compare; if nothing was entered, it jumps
004B5024 . 0F84 5D020000 je HDLI.004B5287
004B502A . C705 4CE24C00>mov dword ptr ds:[0x4CE24C],0x1 I don't know what this is
004B5034 . E8 7BF9FFFF call HDLI.004B49B4
004B5039 . 833D 34E24C00>cmp dword ptr ds:[0x4CE234],0x1 What is this comparing? Could someone point it out?
004B5040 . 75 0C jnz short HDLI.004B504E
004B5042 . 33C0 xor eax,eax
004B5044 . A3 34E24C00 mov dword ptr ds:[0x4CE234],eax
004B5049 . E8 F2F9FFFF call HDLI.004B4A40
004B504E > 833D 34E24C00>cmp dword ptr ds:[0x4CE234],0x1 What is this comparing? Could someone point it out?
004B5055 . 0F85 18020000 jnz HDLI.004B5273 if this one is not allowed to jump, what follows is the hardware check
004B505B . E8 6CFBFFFF call HDLI.004B4BCC
004B5060 . 84C0 test al,al
004B5062 . 0F84 0B020000 je HDLI.004B5273
004B5068 . A0 D4524B00 mov al,byte ptr ds:[0x4B52D4]
004B506D . 50 push eax
004B506E . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
004B5071 . 50 push eax
004B5072 . E8 61F2FFFF call HDLI.004B42D8
004B5077 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C] this reads the hard disk serial number
004B507A . E8 5170F5FF call HDLI.0040C0D0
004B507F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
004B5082 . 33C9 xor ecx,ecx
004B5084 . BA E0524B00 mov edx,HDLI.004B52E0
004B5089 . E8 02B5F5FF call HDLI.00410590
004B508E . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004B5091 . B8 48E24C00 mov eax,HDLI.004CE248
004B5096 . E8 79FAF4FF call HDLI.00404B14
004B509B . FF35 48E24C00 push dword ptr ds:[0x4CE248]
004B50A1 . 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
004B50A4 . E8 47F7FFFF call HDLI.004B47F0
004B50A9 . FF75 E0 push dword ptr ss:[ebp-0x20] reads some hardware date
004B50AC . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004B50AF . E8 ECF5FFFF call HDLI.004B46A0
004B50B4 . FF75 DC push dword ptr ss:[ebp-0x24] computer name
004B50B7 . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004B50BA . E8 A1F3FFFF call HDLI.004B4460
004B50BF . FF75 D8 push dword ptr ss:[ebp-0x28]
004B50C2 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
004B50C5 . BA 04000000 mov edx,0x4
004B50CA . E8 71FDF4FF call HDLI.00404E40
004B50CF . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
004B50D2 . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] puts the collected values together
004B50D5 . E8 4E86FFFF call HDLI.004AD728
004B50DA . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
004B50DD . 8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
The following value appears here; I don't know how it was produced. It is not the registration code.
Stack ss:[0012F5EC]=00BEF908, (ASCII "1e1ff534daaffb2e473cb524492c13ca") edx=00BF4CD0
004B50E0 . E8 B786FFFF call HDLI.004AD79C
004B50E5 . 8B55 D4 mov edx,dword ptr ss:[ebp-0x2C]
004B50E8 . B8 44E24C00 mov eax,HDLI.004CE244
004B50ED . E8 22FAF4FF call HDLI.00404B14
004B50F2 . 33C9 xor ecx,ecx
004B50F4 . B2 01 mov dl,0x1
004B50F6 . A1 04F04800 mov eax,dword ptr ds:[0x48F004]
004B50FB . E8 ECA3FDFF call HDLI.0048F4EC
004B5100 . 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
004B5103 . 8982 08030000 mov dword ptr ds:[edx+0x308],eax
004B5109 . 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
004B510C . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
004B510F . E8 F0FCFFFF call HDLI.004B4E04
004B5114 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] at this point the fake code appears in EDX
004B5117 . 8B80 04030000 mov eax,dword ptr ds:[eax+0x304]
004B511D . C640 38 00 mov byte ptr ds:[eax+0x38],0x0
004B5121 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
004B5124 . 8B80 08030000 mov eax,dword ptr ds:[eax+0x308]
004B512A . E8 B1BFFDFF call HDLI.004910E0
004B512F . 83C0 24 add eax,0x24
004B5132 . 50 push eax
004B5133 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
004B5136 . B8 EC524B00 mov eax,HDLI.004B52EC ; D379DA39FA0EE533DB66C47AEB40F330C524CC3AE100A932C065CF3BF002E022D6
004B513B . E8 B4FAFFFF call HDLI.004B4BF4
004B5140 . 8B55 C0 mov edx,dword ptr ss:[ebp-0x40]
Stack ss:[0012F5D8]=00BEFAC8, (ASCII "application/x-www-form-urlencoded")
edx=004B52EC (HDLI.004B52EC), ASCII "D379DA39FA0EE533DB66C47AEB40F330C524CC3AE100A932C065CF3BF002E022D6"
I don't know what this is.
004B5143 . 58 pop eax
004B5144 . E8 CBF9F4FF call HDLI.00404B14
004B5149 . 33D2 xor edx,edx
004B514B . 55 push ebp
004B514C . 68 64524B00 push HDLI.004B5264
004B5151 . 64:FF32 push dword ptr fs:[edx]
004B5154 . 64:8922 mov dword ptr fs:[edx],esp
004B5157 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
004B515A . 8B80 08030000 mov eax,dword ptr ds:[eax+0x308]
004B5160 . C780 9C000000>mov dword ptr ds:[eax+0x9C],0x2710
004B516A . 8B15 40E24C00 mov edx,dword ptr ds:[0x4CE240]
004B5170 . 52 push edx
004B5171 . 8B0D 3CE24C00 mov ecx,dword ptr ds:[0x4CE23C]
004B5177 . 8B15 30E24C00 mov edx,dword ptr ds:[0x4CE230]
Here (ASCII "http://govip800.w18.7ga.net/inc/kt/5fkiwijs556343.asp") appears.
It looks like network verification.
I don't know what the C:\tol.lib and g-0000-0000 below are.
004B517D . E8 8EA6FDFF call HDLI.0048F810
004B5182 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
004B5185 . 8B15 40E24C00 mov edx,dword ptr ds:[0x4CE240]
004B518B . 8B52 04 mov edx,dword ptr ds:[edx+0x4]
004B518E . E8 C5F9F4FF call HDLI.00404B58
004B5193 . 8D55 BC lea edx,dword ptr ss:[ebp-0x44]
004B5196 . B8 38534B00 mov eax,HDLI.004B5338 ; 2D2BD2D6F485D14C622B9E
004B519B . E8 9C980000 call HDLI.004BEA3C
004B51A0 . 8B55 BC mov edx,dword ptr ss:[ebp-0x44]
004B51A3 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
004B51A6 . E8 21FDF4FF call HDLI.00404ECC
004B51AB . 0F85 87000000 jnz HDLI.004B5238
004B51B1 . B8 58534B00 mov eax,HDLI.004B5358 ; C:\tol.lib
004B51B6 . E8 DD69F5FF call HDLI.0040BB98
004B51BB . 84C0 test al,al
004B51BD . 75 6E jnz short HDLI.004B522D don't let it jump; it generates the file, but opening the file in Notepad shows no useful information
004B51BF . A1 F4A34C00 mov eax,dword ptr ds:[0x4CA3F4]
004B51C4 . BA 58534B00 mov edx,HDLI.004B5358 ; C:\tol.lib
004B51C9 . E8 CEDFF4FF call HDLI.0040319C
004B51CE . A1 F4A34C00 mov eax,dword ptr ds:[0x4CA3F4]
004B51D3 . E8 60DDF4FF call HDLI.00402F38
004B51D8 . E8 1BDAF4FF call HDLI.00402BF8
004B51DD . A1 F4A34C00 mov eax,dword ptr ds:[0x4CA3F4]
004B51E2 . BA 6C534B00 mov edx,HDLI.004B536C ; [info]
004B51E7 . E8 B0FFF4FF call HDLI.0040519C
004B51EC . E8 6FE5F4FF call HDLI.00403760
004B51F1 . E8 02DAF4FF call HDLI.00402BF8
004B51F6 . A1 F4A34C00 mov eax,dword ptr ds:[0x4CA3F4]
004B51FB . BA 7C534B00 mov edx,HDLI.004B537C ; g-0000-00001
004B5200 . E8 97FFF4FF call HDLI.0040519C
004B5205 . E8 56E5F4FF call HDLI.00403760
004B520A . E8 E9D9F4FF call HDLI.00402BF8
004B520F . A1 F4A34C00 mov eax,dword ptr ds:[0x4CA3F4]
004B5214 . E8 4BE0F4FF call HDLI.00403264
004B5219 . E8 DAD9F4FF call HDLI.00402BF8
004B521E . BA 02000000 mov edx,0x2
004B5223 . B8 58534B00 mov eax,HDLI.004B5358 ; C:\tol.lib
004B5228 . E8 9F69F5FF call HDLI.0040BBCC