英格驾驶员考试学习系统 2015 版追码分析

JZL · 发表于 2015-12-15 17:41:29

本帖最后由 JZL 于 2015-12-15 17:54 编辑

功能限制，提示关键词：

本功能需要注册才能使用，购买电话

在OD中搜索字符串:

搜索字符串

在提示的上面有个跳转进来，同时上方有一个jmp可以跳过未注册提示。

来到关键call

关键call

[Asm] 纯文本查看 复制代码

0045B0D8    FFD3            CALL    NEAR EBX
0045B0DA    E9 1A110000     JMP     0045C1F9
0045B0DF    E8 AC5D0300     CALL    00490E90                         ; 关键call，真假码验证段
    00490E90    55              PUSH    EBP
    00490E91    8BEC            MOV     EBP, ESP
        ……
    00490FCC   .  E8 4FF6FFFF   CALL    00490620                                       ;  真码  EAX=00167944, (UNICODE "haEaDaYbaaoalbGdlcDchaEaDaYbaaoalbGdlcCc")

        ……
    00490FE3   .  FF51 2C       CALL    NEAR DWORD PTR DS:[ECX+0x2C]                   ;  把真码MD5加密

        ……
    00490FFB    8B4D CC         MOV     ECX, DWORD PTR SS:[EBP-0x34]
    00490FFE    51              PUSH    ECX
    00490FFF    8B55 D8         MOV     EDX, DWORD PTR SS:[EBP-0x28]
    00491002    52              PUSH    EDX
    00491003    FF15 08114000   CALL    NEAR DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>]       ; 这个Cmp就是比较函数，推测应该是真假码比较。
        ……
    00491082    C3              RETN
0045B0E4    66:85C0         TEST    AX, AX
0045B0E7    0F84 6C020000   JE      0045B359
    ……

代码验证段

算法段

我追到算法段也没搞明白，机器码 00000000000000000001 真码之间是什么关系。
真码的生成似乎也只和 00000000000000000001 有关。
各位有兴趣的，分析下，顺带着给我讲下这算法过程。

Dxer · 发表于 2015-12-15 20:02:34

本帖最后由 Dxer 于 2015-12-15 20:13 编辑

机器码7bXbubHaSb7b6aWc2dUd0bXbZbEaVb2bvaXcVdSd7bXbubHaSb7b6aWc2dUd0bXbZbEaVb2bvaXcWdSd参与运算，你只要得到类似这串“haEaDaYbaaoalbGdlcDchaEaDaYbaaoalbGdlcCc”字符的东西记下，然后MD5后得到的值就是转大写就是激活码你自己试试

JZL · 发表于 2015-12-15 20:37:11

Dxer 发表于 2015-12-15 20:02
机器码7bXbubHaSb7b6aWc2dUd0bXbZbEaVb2bvaXcVdSd7bXbubHaSb7b6aWc2dUd0bXbZbEaVb2bvaXcWdSd参与运算，你只 ...

这个码我是找到了。我不明白怎么从机器码到注册码的

Dxer · 发表于 2015-12-15 20:53:05

JZL 发表于 2015-12-15 20:37
这个码我是找到了。我不明白怎么从机器码到注册码的

你说的没错大小写26个字母0-9参与运算得到特殊字符串。我做了一个内存注册机。明天给你测试下

landwind · 发表于 2015-12-15 21:29:20

本帖最后由 landwind 于 2015-12-15 21:32 编辑

根据楼主方法,直接找到码了......
算是第一次找到吧....以前就只会暴力jmp
记录下了几个值

试了下8bJaDaZbSbXbUagc就是我马子

0018F8D0 00634144  UNICODE "D41D8CD98F00B204E9800998ECF8427E"

0018F8CC 00620904  UNICODE "W501DGAV"

0018F8C8 00623324  UNICODE "8bJaDaZbSbXbUagc"

0018F8C4 006341AC  UNICODE "7C859038B066C560C61D320A2B4D2DEF"

JZL · 发表于 2015-12-15 21:38:19

Dxer 发表于 2015-12-15 20:53
你说的没错大小写26个字母0-9参与运算得到特殊字符串。我做了一个内存注册机。明天给你测试下

咱们说说机器码怎么运算成注册码,追码我知道，我就是想搞明白机器码转到注册码的过程

tree_fly · 发表于 2015-12-15 22:38:13

这个vipCrack分析过算法吧～楼主搜索一下
https://www.chinapyg.com/thread-72887-1-1.html

lcy925 · 发表于 2015-12-16 09:38:45

谢谢了。辛苦了。收藏了。

Dxer · 发表于 2015-12-16 09:41:50

JZL 发表于 2015-12-15 21:38
咱们说说机器码怎么运算成注册码,追码我知道，我就是想搞明白机器码转到注册码的过程

详情请看VIp妹子的：https://www.chinapyg.com/thread-72887-1-1.html

第一段激活码前一部分字符串获得：

00490A62 > /3BBD 10FFFFFF CMP    EDI, DWORD PTR SS:[EBP-0xF0]             ;激活码字符串循环开始
00490A68 . |0F8F 77010000 JG    小车科目.00490BE5
00490A6E . |8B45 C0    MOV    EAX, DWORD PTR SS:[EBP-0x40]
00490A71 . |3BC3       CMP    EAX, EBX
00490A73 . |74 18       JE    SHORT 小车科目.00490A8D
00490A75 . |66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
00490A79 . |75 12       JNZ    SHORT 小车科目.00490A8D
00490A7B . |8BF7       MOV    ESI, EDI
00490A7D . |2B70 14    SUB    ESI, DWORD PTR DS:[EAX+0x14]
00490A80 . |3B70 10    CMP    ESI, DWORD PTR DS:[EAX+0x10]
00490A83 . |72 10       JB    SHORT 小车科目.00490A95
00490A85 . |FF15 04114000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaGenerateBoundsError
00490A8B . |EB 08       JMP    SHORT 小车科目.00490A95
00490A8D > |FF15 04114000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaGenerateBoundsError
00490A93 . |8BF0       MOV    ESI, EAX
00490A95 > |8B4D D4    MOV    ECX, DWORD PTR SS:[EBP-0x2C]
00490A98 . |51          PUSH ECX                            ; /String
00490A99 . |FF15 2C104000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>; \__vbaLenBstr
00490A9F . |8BD8       MOV    EBX, EAX
00490AA1 . |8B4D C0    MOV    ECX, DWORD PTR SS:[EBP-0x40]
00490AA4 . |8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
00490AA7 . |33C0       XOR    EAX, EAX
00490AA9 . |8A0432       MOV    AL, BYTE PTR DS:[EDX+ESI]
00490AAC . |99          CDQ
00490AAD . |F7FB       IDIV EBX
00490AAF . |8BF0       MOV    ESI, EAX
00490AB1 . |85C9       TEST ECX, ECX
00490AB3 . |74 18       JE    SHORT 小车科目.00490ACD
00490AB5 . |66:8339 01 CMP    WORD PTR DS:[ECX], 0x1
00490AB9 . |75 12       JNZ    SHORT 小车科目.00490ACD
00490ABB . |8BDF       MOV    EBX, EDI
00490ABD . |2B59 14    SUB    EBX, DWORD PTR DS:[ECX+0x14]
00490AC0 . |3B59 10    CMP    EBX, DWORD PTR DS:[ECX+0x10]
00490AC3 . |72 10       JB    SHORT 小车科目.00490AD5
00490AC5 . |FF15 04114000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaGenerateBoundsError
00490ACB . |EB 08       JMP    SHORT 小车科目.00490AD5
00490ACD > |FF15 04114000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaGenerateBoundsError
00490AD3 . |8BD8       MOV    EBX, EAX
00490AD5 > |8B45 D4    MOV    EAX, DWORD PTR SS:[EBP-0x2C]
00490AD8 . |50          PUSH EAX                            ; /String
00490AD9 . |FF15 2C104000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>; \__vbaLenBstr
00490ADF . |8BC8       MOV    ECX, EAX
00490AE1 . |8B55 C0    MOV    EDX, DWORD PTR SS:[EBP-0x40]
00490AE4 . |8B42 0C    MOV    EAX, DWORD PTR DS:[EDX+0xC]
00490AE7 . |33D2       XOR    EDX, EDX
00490AE9 . |8A1418       MOV    DL, BYTE PTR DS:[EAX+EBX]
00490AEC . |8BC2       MOV    EAX, EDX
00490AEE . |99          CDQ
00490AEF . |F7F9       IDIV ECX
00490AF1 . |C745 B8 01000>MOV    DWORD PTR SS:[EBP-0x48], 0x1
00490AF8 . |C745 B0 02000>MOV    DWORD PTR SS:[EBP-0x50], 0x2
00490AFF . |8D45 D4    LEA    EAX, DWORD PTR SS:[EBP-0x2C]
00490B02 . |8985 64FFFFFF MOV    DWORD PTR SS:[EBP-0x9C], EAX
00490B08 . |C785 5CFFFFFF>MOV    DWORD PTR SS:[EBP-0xA4], 0x4008
00490B12 . |8D4D B0    LEA    ECX, DWORD PTR SS:[EBP-0x50]
00490B15 . |51          PUSH ECX                            ; /Length8
00490B16 . |83C2 01    ADD    EDX, 0x1                      ; |
00490B19 . |0F80 64010000 JO    小车科目.00490C83                   ; |
00490B1F . |52          PUSH EDX                            ; |Start
00490B20 . |8D95 5CFFFFFF LEA    EDX, DWORD PTR SS:[EBP-0xA4]    ; |
00490B26 . |52          PUSH EDX                            ; |dString8
00490B27 . |8D45 A0    LEA    EAX, DWORD PTR SS:[EBP-0x60]    ; |
00490B2A . |50          PUSH EAX                            ; |RetBUFFER
00490B2B . |8B1D E8104000 MOV    EBX, DWORD PTR DS:[<&MSVBVM60.#r>; |MSVBVM60.rtcMidCharVar
00490B31 . |FFD3       CALL NEAR EBX                      ; \rtcMidCharVar
00490B33 . |C745 98 01000>MOV    DWORD PTR SS:[EBP-0x68], 0x1
00490B3A . |C745 90 02000>MOV    DWORD PTR SS:[EBP-0x70], 0x2
00490B41 . |8D4D D4    LEA    ECX, DWORD PTR SS:[EBP-0x2C]
00490B44 . |898D 44FFFFFF MOV    DWORD PTR SS:[EBP-0xBC], ECX
00490B4A . |C785 3CFFFFFF>MOV    DWORD PTR SS:[EBP-0xC4], 0x4008
00490B54 . |8D55 90    LEA    EDX, DWORD PTR SS:[EBP-0x70]
00490B57 . |52          PUSH EDX                            ; /Length8
00490B58 . |83C6 01    ADD    ESI, 0x1                      ; |
00490B5B . |0F80 22010000 JO    小车科目.00490C83                   ; |
00490B61 . |56          PUSH ESI                            ; |Start
00490B62 . |8D85 3CFFFFFF LEA    EAX, DWORD PTR SS:[EBP-0xC4]    ; |
00490B68 . |50          PUSH EAX                            ; |dString8
00490B69 . |8D4D 80    LEA    ECX, DWORD PTR SS:[EBP-0x80]    ; |
00490B6C . |51          PUSH ECX                            ; |RetBUFFER
00490B6D . |FFD3       CALL NEAR EBX                      ; \rtcMidCharVar
00490B6F . |8D55 A0    LEA    EDX, DWORD PTR SS:[EBP-0x60]
00490B72 . |52          PUSH EDX                            ; /var18
00490B73 . |8D45 80    LEA    EAX, DWORD PTR SS:[EBP-0x80]    ; |
00490B76 . |50          PUSH EAX                            ; |var28
00490B77 . |8D8D 70FFFFFF LEA    ECX, DWORD PTR SS:[EBP-0x90]    ; |
00490B7D . |51          PUSH ECX                            ; |saveto8
00490B7E . |FF15 44124000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>; \__vbaVarAdd
00490B84 . |50          PUSH EAX
00490B85 . |FF15 28104000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrVarMove
00490B8B . |8BD0       MOV    EDX, EAX
00490B8D . |8D4D C8    LEA    ECX, DWORD PTR SS:[EBP-0x38]
00490B90 . |8B35 80124000 MOV    ESI, DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrMove
00490B96 . |FFD6       CALL NEAR ESI                      ;  <&MSVBVM60.__vbaStrMove>
00490B98 . |8D95 70FFFFFF LEA    EDX, DWORD PTR SS:[EBP-0x90]
00490B9E . |52          PUSH EDX
00490B9F . |8D45 80    LEA    EAX, DWORD PTR SS:[EBP-0x80]
00490BA2 . |50          PUSH EAX
00490BA3 . |8D4D A0    LEA    ECX, DWORD PTR SS:[EBP-0x60]
00490BA6 . |51          PUSH ECX
00490BA7 . |8D55 90    LEA    EDX, DWORD PTR SS:[EBP-0x70]
00490BAA . |52          PUSH EDX
00490BAB . |8D45 B0    LEA    EAX, DWORD PTR SS:[EBP-0x50]
00490BAE . |50          PUSH EAX
00490BAF . |6A 05       PUSH 0x5
00490BB1 . |FF15 30104000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaFreeVarList
00490BB7 . |83C4 18    ADD    ESP, 0x18
00490BBA . |8B4D C4    MOV    ECX, DWORD PTR SS:[EBP-0x3C]
00490BBD . |51          PUSH ECX
00490BBE . |8B55 C8    MOV    EDX, DWORD PTR SS:[EBP-0x38]
00490BC1 . |52          PUSH EDX                            ; /String
00490BC2 . |FF15 5C104000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>; \__vbaStrCat
00490BC8 . |8BD0       MOV    EDX, EAX
00490BCA . |8D4D C4    LEA    ECX, DWORD PTR SS:[EBP-0x3C]
00490BCD . |FFD6       CALL NEAR ESI
00490BCF . |B8 01000000 MOV    EAX, 0x1
00490BD4 . |03C7       ADD    EAX, EDI
00490BD6 . |0F80 A7000000 JO    小车科目.00490C83
00490BDC . |8BF8       MOV    EDI, EAX
00490BDE . |33DB       XOR    EBX, EBX
00490BE0 .^\E9 7DFEFFFF JMP    小车科目.00490A62
00490BE5 >  8B55 C4    MOV    EDX, DWORD PTR SS:[EBP-0x3C]                ；这里得到激活码的字符串（没有转MD5前的）

第二段转MD5激活码部分：

00479690  /$  53          PUSH EBX                            ;  验证算法部分
00479691  |.  56          PUSH ESI
00479692  |.  57          PUSH EDI
00479693  |.  6A 00       PUSH 0x0                            ; |lBoundn = 0x0
00479695  |.  6A 09       PUSH 0x9                            ; |uBoundn = 0x9
00479697  |.  6A 01       PUSH 0x1                            ; |TotalArray = 0x1
00479699  |.  6A 11       PUSH 0x11                            ; |vBType = Byte
0047969B  |.  68 5CC04700 PUSH 小车科目.0047C05C                   ; |RetADDR = 小车科目.0047C05C
004796A0  |.  6A 01       PUSH 0x1                            ; |VAlign = BYTE
004796A2  |.  68 80000000 PUSH 0x80                            ; |Arg1 = 0x80
004796A7  |.  FF15 4C114000 CALL NEAR DWORD PTR DS:[<&MSVBVM60.__>; \__vbaRedim
004796AD  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
004796B2  |.  83C4 1C    ADD    ESP, 0x1C
004796B5  |.  85C0       TEST EAX, EAX
004796B7  |.  74 1C       JE    SHORT 小车科目.004796D5
004796B9  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
004796BD  |.  75 16       JNZ    SHORT 小车科目.004796D5
004796BF  |.  8B70 14    MOV    ESI, DWORD PTR DS:[EAX+0x14]
004796C2  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
004796C5  |.  8B1D 04114000 MOV    EBX, DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaGenerateBoundsError
004796CB  |.  F7DE       NEG    ESI
004796CD  |.  3BF1       CMP    ESI, ECX
004796CF  |.  72 0E       JB    SHORT 小车科目.004796DF
004796D1  |.  FFD3       CALL NEAR EBX                      ;  <&MSVBVM60.__vbaGenerateBoundsError>
004796D3  |.  EB 0A       JMP    SHORT 小车科目.004796DF
004796D5  |>  8B1D 04114000 MOV    EBX, DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaGenerateBoundsError
004796DB  |.  FFD3       CALL NEAR EBX                      ;  <&MSVBVM60.__vbaGenerateBoundsError>
004796DD  |.  8BF0       MOV    ESI, EAX
004796DF  |>  8B3D 5C114000 MOV    EDI, DWORD PTR DS:[<&MSVBVM60.__>;  MSVBVM60.__vbaUI1I2
004796E5  |.  B9 41000000 MOV    ECX, 0x41
004796EA  |.  FFD7       CALL NEAR EDI                      ;  <&MSVBVM60.__vbaUI1I2>
004796EC  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
004796F2  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
004796F5  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
004796F8  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
004796FD  |.  85C0       TEST EAX, EAX
004796FF  |.  74 1B       JE    SHORT 小车科目.0047971C
00479701  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
00479705  |.  75 15       JNZ    SHORT 小车科目.0047971C
00479707  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
0047970A  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
0047970D  |.  BE 01000000 MOV    ESI, 0x1
00479712  |.  2BF2       SUB    ESI, EDX
00479714  |.  3BF1       CMP    ESI, ECX
00479716  |.  72 08       JB    SHORT 小车科目.00479720
00479718  |.  FFD3       CALL NEAR EBX
0047971A  |.  EB 04       JMP    SHORT 小车科目.00479720
0047971C  |>  FFD3       CALL NEAR EBX
0047971E  |.  8BF0       MOV    ESI, EAX
00479720  |>  B9 2C000000 MOV    ECX, 0x2C
00479725  |.  FFD7       CALL NEAR EDI
00479727  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
0047972D  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
00479730  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
00479733  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
00479738  |.  85C0       TEST EAX, EAX
0047973A  |.  74 1B       JE    SHORT 小车科目.00479757
0047973C  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
00479740  |.  75 15       JNZ    SHORT 小车科目.00479757
00479742  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
00479745  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
00479748  |.  BE 02000000 MOV    ESI, 0x2
0047974D  |.  2BF2       SUB    ESI, EDX
0047974F  |.  3BF1       CMP    ESI, ECX
00479751  |.  72 08       JB    SHORT 小车科目.0047975B
00479753  |.  FFD3       CALL NEAR EBX
00479755  |.  EB 04       JMP    SHORT 小车科目.0047975B
00479757  |>  FFD3       CALL NEAR EBX
00479759  |.  8BF0       MOV    ESI, EAX
0047975B  |>  B9 17000000 MOV    ECX, 0x17
00479760  |.  FFD7       CALL NEAR EDI
00479762  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
00479768  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
0047976B  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
0047976E  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
00479773  |.  85C0       TEST EAX, EAX
00479775  |.  74 1B       JE    SHORT 小车科目.00479792
00479777  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
0047977B  |.  75 15       JNZ    SHORT 小车科目.00479792
0047977D  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
00479780  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
00479783  |.  BE 03000000 MOV    ESI, 0x3
00479788  |.  2BF2       SUB    ESI, EDX
0047978A  |.  3BF1       CMP    ESI, ECX
0047978C  |.  72 08       JB    SHORT 小车科目.00479796
0047978E  |.  FFD3       CALL NEAR EBX
00479790  |.  EB 04       JMP    SHORT 小车科目.00479796
00479792  |>  FFD3       CALL NEAR EBX
00479794  |.  8BF0       MOV    ESI, EAX
00479796  |>  B9 4A000000 MOV    ECX, 0x4A
0047979B  |.  FFD7       CALL NEAR EDI
0047979D  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
004797A3  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
004797A6  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
004797A9  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
004797AE  |.  85C0       TEST EAX, EAX
004797B0  |.  74 1B       JE    SHORT 小车科目.004797CD
004797B2  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
004797B6  |.  75 15       JNZ    SHORT 小车科目.004797CD
004797B8  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
004797BB  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
004797BE  |.  BE 04000000 MOV    ESI, 0x4
004797C3  |.  2BF2       SUB    ESI, EDX
004797C5  |.  3BF1       CMP    ESI, ECX
004797C7  |.  72 08       JB    SHORT 小车科目.004797D1
004797C9  |.  FFD3       CALL NEAR EBX
004797CB  |.  EB 04       JMP    SHORT 小车科目.004797D1
004797CD  |>  FFD3       CALL NEAR EBX
004797CF  |.  8BF0       MOV    ESI, EAX
004797D1  |>  B9 30000000 MOV    ECX, 0x30
004797D6  |.  FFD7       CALL NEAR EDI
004797D8  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
004797DE  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
004797E1  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
004797E4  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
004797E9  |.  85C0       TEST EAX, EAX
004797EB  |.  74 1B       JE    SHORT 小车科目.00479808
004797ED  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
004797F1  |.  75 15       JNZ    SHORT 小车科目.00479808
004797F3  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
004797F6  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
004797F9  |.  BE 05000000 MOV    ESI, 0x5
004797FE  |.  2BF2       SUB    ESI, EDX
00479800  |.  3BF1       CMP    ESI, ECX
00479802  |.  72 08       JB    SHORT 小车科目.0047980C
00479804  |.  FFD3       CALL NEAR EBX
00479806  |.  EB 04       JMP    SHORT 小车科目.0047980C
00479808  |>  FFD3       CALL NEAR EBX
0047980A  |.  8BF0       MOV    ESI, EAX
0047980C  |>  B9 3E000000 MOV    ECX, 0x3E
00479811  |.  FFD7       CALL NEAR EDI
00479813  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
00479819  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
0047981C  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
0047981F  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
00479824  |.  85C0       TEST EAX, EAX
00479826  |.  74 1B       JE    SHORT 小车科目.00479843
00479828  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
0047982C  |.  75 15       JNZ    SHORT 小车科目.00479843
0047982E  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
00479831  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
00479834  |.  BE 06000000 MOV    ESI, 0x6
00479839  |.  2BF2       SUB    ESI, EDX
0047983B  |.  3BF1       CMP    ESI, ECX
0047983D  |.  72 08       JB    SHORT 小车科目.00479847
0047983F  |.  FFD3       CALL NEAR EBX
00479841  |.  EB 04       JMP    SHORT 小车科目.00479847
00479843  |>  FFD3       CALL NEAR EBX
00479845  |.  8BF0       MOV    ESI, EAX
00479847  |>  B9 97000000 MOV    ECX, 0x97
0047984C  |.  FFD7       CALL NEAR EDI
0047984E  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
00479854  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
00479857  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
0047985A  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
0047985F  |.  85C0       TEST EAX, EAX
00479861  |.  74 1B       JE    SHORT 小车科目.0047987E
00479863  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
00479867  |.  75 15       JNZ    SHORT 小车科目.0047987E
00479869  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
0047986C  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
0047986F  |.  BE 07000000 MOV    ESI, 0x7
00479874  |.  2BF2       SUB    ESI, EDX
00479876  |.  3BF1       CMP    ESI, ECX
00479878  |.  72 08       JB    SHORT 小车科目.00479882
0047987A  |.  FFD3       CALL NEAR EBX
0047987C  |.  EB 04       JMP    SHORT 小车科目.00479882
0047987E  |>  FFD3       CALL NEAR EBX
00479880  |.  8BF0       MOV    ESI, EAX
00479882  |>  B9 D4000000 MOV    ECX, 0xD4
00479887  |.  FFD7       CALL NEAR EDI
00479889  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
0047988F  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
00479892  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
00479895  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
0047989A  |.  85C0       TEST EAX, EAX
0047989C  |.  74 1B       JE    SHORT 小车科目.004798B9
0047989E  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
004798A2  |.  75 15       JNZ    SHORT 小车科目.004798B9
004798A4  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
004798A7  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
004798AA  |.  BE 08000000 MOV    ESI, 0x8
004798AF  |.  2BF2       SUB    ESI, EDX
004798B1  |.  3BF1       CMP    ESI, ECX
004798B3  |.  72 08       JB    SHORT 小车科目.004798BD
004798B5  |.  FFD3       CALL NEAR EBX
004798B7  |.  EB 04       JMP    SHORT 小车科目.004798BD
004798B9  |>  FFD3       CALL NEAR EBX
004798BB  |.  8BF0       MOV    ESI, EAX
004798BD  |>  B9 7B000000 MOV    ECX, 0x7B
004798C2  |.  FFD7       CALL NEAR EDI
004798C4  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
004798CA  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
004798CD  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
004798D0  |.  A1 5CC04700 MOV    EAX, DWORD PTR DS:[0x47C05C]
004798D5  |.  85C0       TEST EAX, EAX
004798D7  |.  74 1B       JE    SHORT 小车科目.004798F4
004798D9  |.  66:8338 01 CMP    WORD PTR DS:[EAX], 0x1
004798DD  |.  75 15       JNZ    SHORT 小车科目.004798F4
004798DF  |.  8B50 14    MOV    EDX, DWORD PTR DS:[EAX+0x14]
004798E2  |.  8B48 10    MOV    ECX, DWORD PTR DS:[EAX+0x10]
004798E5  |.  BE 09000000 MOV    ESI, 0x9
004798EA  |.  2BF2       SUB    ESI, EDX
004798EC  |.  3BF1       CMP    ESI, ECX
004798EE  |.  72 08       JB    SHORT 小车科目.004798F8
004798F0  |.  FFD3       CALL NEAR EBX
004798F2  |.  EB 04       JMP    SHORT 小车科目.004798F8
004798F4  |>  FFD3       CALL NEAR EBX
004798F6  |.  8BF0       MOV    ESI, EAX
004798F8  |>  B9 89000000 MOV    ECX, 0x89
004798FD  |.  FFD7       CALL NEAR EDI
004798FF  |.  8B0D 5CC04700 MOV    ECX, DWORD PTR DS:[0x47C05C]
00479905  |.  5F          POP    EDI
00479906  |.  8B51 0C    MOV    EDX, DWORD PTR DS:[ECX+0xC]
00479909  |.  880432       MOV    BYTE PTR DS:[EDX+ESI], AL
0047990C  |.  5E          POP    ESI
0047990D  |.  5B          POP    EBX
0047990E  \.  C3          RETN

安民乐业 · 发表于 2015-12-16 21:43:00

大神，真厉害

		自动登录	找回密码
密码			加入我们

[讨论] 英格驾驶员考试学习系统 2015 版追码分析

点评

点评

点评

点评

[讨论] 英格驾驶员考试学习系统 2015 版 追码分析

点评

点评

点评

点评

[讨论] 英格驾驶员考试学习系统 2015 版追码分析