龙战于野 (original poster)
Posted on 2014-6-12 07:26:59
Following a hint from Z, I looked at the calls to the function at 0055DBC4; there is only one.
Continuing to trace down from the flag comparison,
I found the code that clears the registry information; stepping into the call, I found it is called from 16 places in total.
0055CAB6 . 6A 00 PUSH 0x0
0055CAB8 . 6A 00 PUSH 0x0
0055CABA . B9 70CB5500 MOV ECX, PCHeal.0055CB70 ; Name
0055CABF . 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-0xC]
0055CAC2 . 8BC6 MOV EAX, ESI
0055CAC4 . E8 F767F9FF CALL PCHeal.004F32C0 ; the call that writes to the registry, called from 16 places
0055CAC9 . 6A 00 PUSH 0x0
0055CACB . 6A 00 PUSH 0x0
0055CACD . B9 88CB5500 MOV ECX, PCHeal.0055CB88 ; Serial
0055CAD2 . 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-0xC]
0055CAD5 . 8BC6 MOV EAX, ESI
0055CAD7 . E8 E467F9FF CALL PCHeal.004F32C0
To save effort, I simply put a retn at the first instruction of the call.
==================================================
This program does a network check during its registration verification. If you debug it with a network connection and enter a fake code, it opens a web page telling you that your IP has been logged and not to do bad things (this is inside PCHealRegister.exe).
0053C972 . /0F85 E1030000 JNZ PCHealRe.0053CD59 ; jumps to "registration code incorrect"
0053C978 . |E8 9BE6FFFF CALL PCHealRe.0053B018 ; this call opens the official site and logs the illegal operation
0053C97D . |40 INC EAX ; Switch (cases -1..4): if EAX is less than 4 here, the jumps below do nothing and it goes straight to "registration code wrong"
====================================
[Where is the return value stored?] I don't know how to trace this; I am posting the code and asking the experts for guidance.
0055DBC4 $ 55 PUSH EBP
0055DBC5 . 8BEC MOV EBP, ESP
0055DBC7 . B9 04000000 MOV ECX, 0x4
0055DBCC > 6A 00 PUSH 0x0
0055DBCE . 6A 00 PUSH 0x0
0055DBD0 . 49 DEC ECX
0055DBD1 .^ 75 F9 JNZ SHORT PCHeal.0055DBCC
0055DBD3 . 51 PUSH ECX
0055DBD4 . 53 PUSH EBX
0055DBD5 . 56 PUSH ESI
0055DBD6 . 57 PUSH EDI
0055DBD7 . 8955 F8 MOV DWORD PTR SS:[EBP-0x8], EDX
0055DBDA . 8945 FC MOV DWORD PTR SS:[EBP-0x4], EAX
0055DBDD . 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4]
0055DBE0 . E8 DB8EEAFF CALL PCHeal.00406AC0
0055DBE5 . 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-0x8]
0055DBE8 . E8 D38EEAFF CALL PCHeal.00406AC0
0055DBED . 33C0 XOR EAX, EAX
0055DBEF . 55 PUSH EBP
0055DBF0 . 68 8CDD5500 PUSH PCHeal.0055DD8C
0055DBF5 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0055DBF8 . 64:8920 MOV DWORD PTR FS:[EAX], ESP
0055DBFB . 33D2 XOR EDX, EDX
0055DBFD . 55 PUSH EBP
0055DBFE . 68 65DD5500 PUSH PCHeal.0055DD65
0055DC03 . 64:FF32 PUSH DWORD PTR FS:[EDX]
0055DC06 . 64:8922 MOV DWORD PTR FS:[EDX], ESP
0055DC09 . 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-0x18]
0055DC0C . 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4]
0055DC0F . E8 5045EBFF CALL PCHeal.00412164
0055DC14 . 8B45 E8 MOV EAX, DWORD PTR SS:[EBP-0x18]
0055DC17 . 8D55 EC LEA EDX, DWORD PTR SS:[EBP-0x14]
0055DC1A . E8 C54BEBFF CALL PCHeal.004127E4
0055DC1F . 8B55 EC MOV EDX, DWORD PTR SS:[EBP-0x14]
0055DC22 . 8D45 FC LEA EAX, DWORD PTR SS:[EBP-0x4]
0055DC25 . E8 028FEAFF CALL PCHeal.00406B2C
0055DC2A . 8D55 E0 LEA EDX, DWORD PTR SS:[EBP-0x20]
0055DC2D . 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-0x8]
0055DC30 . E8 2F45EBFF CALL PCHeal.00412164
0055DC35 . 8B45 E0 MOV EAX, DWORD PTR SS:[EBP-0x20]
0055DC38 . 8D55 E4 LEA EDX, DWORD PTR SS:[EBP-0x1C]
0055DC3B . E8 A44BEBFF CALL PCHeal.004127E4
0055DC40 . 8B55 E4 MOV EDX, DWORD PTR SS:[EBP-0x1C]
0055DC43 . 8D45 F8 LEA EAX, DWORD PTR SS:[EBP-0x8]
0055DC46 . E8 E18EEAFF CALL PCHeal.00406B2C
0055DC4B . 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-0x8]
0055DC4E . 85C0 TEST EAX, EAX
0055DC50 . 74 16 JE SHORT PCHeal.0055DC68
0055DC52 . 8BD0 MOV EDX, EAX
0055DC54 . 83EA 0A SUB EDX, 0xA
0055DC57 . 66:833A 02 CMP WORD PTR DS:[EDX], 0x2
0055DC5B . 74 0B JE SHORT PCHeal.0055DC68
0055DC5D . 8D45 F8 LEA EAX, DWORD PTR SS:[EBP-0x8]
0055DC60 . 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8]
0055DC63 . E8 7486EAFF CALL PCHeal.004062DC
0055DC68 > 8BD8 MOV EBX, EAX
0055DC6A . 85DB TEST EBX, EBX
0055DC6C . 74 05 JE SHORT PCHeal.0055DC73
0055DC6E . 83EB 04 SUB EBX, 0x4
0055DC71 . 8B1B MOV EBX, DWORD PTR DS:[EBX]
0055DC73 > 8D45 F4 LEA EAX, DWORD PTR SS:[EBP-0xC]
0055DC76 . 50 PUSH EAX
0055DC77 . 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8]
0055DC7A . B8 A8DD5500 MOV EAX, PCHeal.0055DDA8 ; N
0055DC7F . E8 BC98EAFF CALL PCHeal.00407540
0055DC84 . 8BD0 MOV EDX, EAX
0055DC86 . 42 INC EDX
0055DC87 . 8BCB MOV ECX, EBX
0055DC89 . 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-0x8]
0055DC8C . E8 9795EAFF CALL PCHeal.00407228
0055DC91 . 8D45 F0 LEA EAX, DWORD PTR SS:[EBP-0x10]
0055DC94 . 50 PUSH EAX
0055DC95 . 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8]
0055DC98 . B8 A8DD5500 MOV EAX, PCHeal.0055DDA8 ; N
0055DC9D . E8 9E98EAFF CALL PCHeal.00407540
0055DCA2 . 8BD8 MOV EBX, EAX
0055DCA4 . 4B DEC EBX
0055DCA5 . 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8]
0055DCA8 . B8 B8DD5500 MOV EAX, PCHeal.0055DDB8 ; C
0055DCAD . E8 8E98EAFF CALL PCHeal.00407540
0055DCB2 . 2BD8 SUB EBX, EAX
0055DCB4 . 53 PUSH EBX
0055DCB5 . 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8]
0055DCB8 . B8 B8DD5500 MOV EAX, PCHeal.0055DDB8 ; C
0055DCBD . E8 7E98EAFF CALL PCHeal.00407540
0055DCC2 . 8BD0 MOV EDX, EAX
0055DCC4 . 42 INC EDX
0055DCC5 . 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-0x8]
0055DCC8 . 59 POP ECX
0055DCC9 . E8 5A95EAFF CALL PCHeal.00407228
0055DCCE . 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4]
0055DCD1 . 85C0 TEST EAX, EAX
0055DCD3 . 74 16 JE SHORT PCHeal.0055DCEB
0055DCD5 . 8BD0 MOV EDX, EAX
0055DCD7 . 83EA 0A SUB EDX, 0xA
0055DCDA . 66:833A 02 CMP WORD PTR DS:[EDX], 0x2
0055DCDE . 74 0B JE SHORT PCHeal.0055DCEB
0055DCE0 . 8D45 FC LEA EAX, DWORD PTR SS:[EBP-0x4]
0055DCE3 . 8B55 FC MOV EDX, DWORD PTR SS:[EBP-0x4]
0055DCE6 . E8 F185EAFF CALL PCHeal.004062DC
0055DCEB > 85C0 TEST EAX, EAX
0055DCED . 74 05 JE SHORT PCHeal.0055DCF4
0055DCEF . 83E8 04 SUB EAX, 0x4
0055DCF2 . 8B00 MOV EAX, DWORD PTR DS:[EAX]
0055DCF4 > 83F8 06 CMP EAX, 0x6
0055DCF7 . 7C 2E JL SHORT PCHeal.0055DD27
0055DCF9 . 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-0xC]
0055DCFC . 85C0 TEST EAX, EAX
0055DCFE . 74 16 JE SHORT PCHeal.0055DD16
0055DD00 . 8BD0 MOV EDX, EAX
0055DD02 . 83EA 0A SUB EDX, 0xA
0055DD05 . 66:833A 02 CMP WORD PTR DS:[EDX], 0x2
0055DD09 . 74 0B JE SHORT PCHeal.0055DD16
0055DD0B . 8D45 F4 LEA EAX, DWORD PTR SS:[EBP-0xC]
0055DD0E . 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-0xC]
0055DD11 . E8 C685EAFF CALL PCHeal.004062DC
0055DD16 > 85C0 TEST EAX, EAX
0055DD18 . 74 05 JE SHORT PCHeal.0055DD1F
0055DD1A . 83E8 04 SUB EAX, 0x4
0055DD1D . 8B00 MOV EAX, DWORD PTR DS:[EAX]
0055DD1F > 83F8 05 CMP EAX, 0x5
0055DD22 . 0F9DC0 SETGE AL
0055DD25 . EB 02 JMP SHORT PCHeal.0055DD29
0055DD27 > 33C0 XOR EAX, EAX
0055DD29 > 84C0 TEST AL, AL
0055DD2B . 74 22 JE SHORT PCHeal.0055DD4F
0055DD2D . 8D45 DC LEA EAX, DWORD PTR SS:[EBP-0x24]
0055DD30 . 50 PUSH EAX
0055DD31 . 8B4D F0 MOV ECX, DWORD PTR SS:[EBP-0x10]
0055DD34 . 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-0xC]
0055DD37 . 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4]
0055DD3A . E8 95FCFFFF CALL PCHeal.0055D9D4
0055DD3F . 8B45 DC MOV EAX, DWORD PTR SS:[EBP-0x24]
0055DD42 . 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8]
0055DD45 . E8 7694EAFF CALL PCHeal.004071C0
0055DD4A . 0F94C0 SETE AL
0055DD4D . EB 02 JMP SHORT PCHeal.0055DD51
0055DD4F > 33C0 XOR EAX, EAX
0055DD51 > 84C0 TEST AL, AL
0055DD53 . 74 04 JE SHORT PCHeal.0055DD59 ; jumps to clearing EBX
0055DD55 . B3 01 MOV BL, 0x1 ; sets BL to 1
0055DD57 . EB 02 JMP SHORT PCHeal.0055DD5B ; skips clearing EBX
0055DD59 > 33DB XOR EBX, EBX
0055DD5B > 33C0 XOR EAX, EAX
0055DD5D . 5A POP EDX
0055DD5E . 59 POP ECX
0055DD5F . 59 POP ECX
0055DD60 . 64:8910 MOV DWORD PTR FS:[EAX], EDX
0055DD63 . EB 0C JMP SHORT PCHeal.0055DD71
0055DD65 .^ E9 4678EAFF JMP PCHeal.004055B0
0055DD6A . 33DB XOR EBX, EBX
0055DD6C . E8 977CEAFF CALL PCHeal.00405A08
0055DD71 > 33C0 XOR EAX, EAX
0055DD73 . 5A POP EDX
0055DD74 . 59 POP ECX
0055DD75 . 59 POP ECX
0055DD76 . 64:8910 MOV DWORD PTR FS:[EAX], EDX
0055DD79 . 68 93DD5500 PUSH PCHeal.0055DD93
0055DD7E > 8D45 DC LEA EAX, DWORD PTR SS:[EBP-0x24]
0055DD81 . BA 09000000 MOV EDX, 0x9
0055DD86 . E8 458DEAFF CALL PCHeal.00406AD0
0055DD8B . C3 RETN ; retn returns to 0055DD93
0055DD8C .^ E9 D37AEAFF JMP PCHeal.00405864
0055DD91 .^ EB EB JMP SHORT PCHeal.0055DD7E
0055DD93 . 8BC3 MOV EAX, EBX
0055DD95 . 5F POP EDI
0055DD96 . 5E POP ESI
0055DD97 . 5B POP EBX
0055DD98 . 8BE5 MOV ESP, EBP
0055DD9A . 5D POP EBP
0055DD9B . C3 RETN
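An added example, not part of the original post or of the PCHeal program, to help read the string handling in the listing above. The header layout it uses is the standard Delphi 2009+ string record (code page, element size, reference count and length stored in the 12 bytes before the character pointer). That the idioms in the listing, `CMP WORD PTR [EDX-0xA], 2` and `SUB EAX, 4 / MOV EAX, [EAX]`, read the element size and the length of such a string, and that `CMP EAX, 0x6` / `CMP EAX, 0x5` therefore test string lengths, is my reading of the listing, not something the post states. The memory buffers and helper names are constructed for this example.

```python
import struct

# Delphi 2009+ string header, located just before the character pointer the
# program passes around (standard Delphi RTL layout; constructed here in a
# plain bytes buffer so the example runs offline):
#   ptr-12: code page (uint16)       ptr-10: element size (uint16, 1 or 2)
#   ptr-8 : reference count (int32)  ptr-4 : length in characters (int32)
HEADER = struct.Struct("<HHii")
HEADER_SIZE = HEADER.size  # 12 bytes; the character data starts here


def build_unicode_string(text):
    """Lay out `text` as a Delphi UnicodeString: header, UTF-16LE data, NUL."""
    data = text.encode("utf-16-le")
    return HEADER.pack(1200, 2, 1, len(text)) + data + b"\x00\x00"


def build_ansi_string(text):
    """Lay out `text` as a Delphi AnsiString: element size 1, code page 1252."""
    data = text.encode("cp1252")
    return HEADER.pack(1252, 1, 1, len(text)) + data + b"\x00"


def delphi_length(buf, ptr):
    """Mirror of the length idiom in the listing: a nil pointer means an empty
    string (TEST EAX,EAX / JE), otherwise the length is the int32 at ptr-4."""
    if ptr is None:
        return 0
    return struct.unpack_from("<i", buf, ptr - 4)[0]


def delphi_element_size(buf, ptr):
    """The WORD at ptr-10 (CMP WORD PTR [EDX-0xA], 2 in the listing):
    2 for a UnicodeString, 1 for an AnsiString."""
    return struct.unpack_from("<H", buf, ptr - 10)[0]


def read_delphi_string(buf, ptr):
    """Decode a string from its character pointer using the header fields.
    Handles the two branches the listing has: nil pointer, and a string whose
    element size is not 2 (which the program hands to a conversion call)."""
    if ptr is None:
        return ""
    n = delphi_length(buf, ptr)
    if delphi_element_size(buf, ptr) == 2:
        return buf[ptr:ptr + 2 * n].decode("utf-16-le")
    return buf[ptr:ptr + n].decode("cp1252")


def lengths_ok(buf_a, ptr_a, buf_b, ptr_b):
    """The two length tests visible in the listing, as I read them:
    CMP EAX,0x6 / JL on one string and CMP EAX,0x5 / SETGE on another."""
    return delphi_length(buf_a, ptr_a) >= 6 and delphi_length(buf_b, ptr_b) >= 5


if __name__ == "__main__":
    s = build_unicode_string("PCHeal")
    print(delphi_length(s, HEADER_SIZE), read_delphi_string(s, HEADER_SIZE))
```

Reading the listing with this layout in mind: the register the function hands back is EBX (set to 1 or cleared, then `MOV EAX, EBX` at 0055DD93 just before the final RETN), which is the usual Delphi convention of returning a Boolean in AL.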