[hide=99900]I'd like to ask for your help.
I've been playing with a piece of software these past few days and have no clue where to start.
The software is in the attachment.
The D02E4.exe file in it has already been unpacked; the packer was simple. It's already been made portable and can be run directly.
It's the software's restart verification that's giving me a real headache.
Below are my cracking notes. I used API functions; the program does have strings, but I couldn't find anything useful. Maybe I'm just a newbie.
I'd ask the experts here for a few pointers. Below are my notes.
You can add my QQ: 276378561
5000 FYB as a small token; if that's not enough, just say so, I can add more. As long as I learn how, anything goes, you call the shots.
Pressing Register lands here
77D3311E 8BFF MOV EDI,EDI
77D33120 55 PUSH EBP
77D33121 8BEC MOV EBP,ESP
77D33123 51 PUSH ECX
77D33124 51 PUSH ECX
77D33125 56 PUSH ESI
77D33126 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
77D33129 837E 30 00 CMP DWORD PTR DS:[ESI+30],0
77D3312D 0F85 4EE30000 JNZ user32.77D41481
77D33133 FFB6 E8000000 PUSH DWORD PTR DS:[ESI+E8]
77D33139 FF36 PUSH DWORD PTR DS:[ESI]
77D3313B FF15 2408D777 CALL DWORD PTR DS:[77D70824] ; user32.77D330AD
77D33141 FF8E F0000000 DEC DWORD PTR DS:[ESI+F0]
77D33147 5E POP ESI
77D33148 C9 LEAVE
77D33149 C2 0400 RETN 4
77D3314C 0F84 FE0F0000 JE user32.77D34150
77D33152 83FA 0F CMP EDX,0F
77D33155 0F87 35320000 JA user32.77D36390
77D3315B 0F84 44420000 JE user32.77D373A5
77D33161 83FA 0A CMP EDX,0A
77D33164 77 52 JA SHORT user32.77D331B8
77D33166 0F84 A6550000 JE user32.77D38712
77D3316C 4A DEC EDX
Entering the CALL leads here
004463C3 |> \8B03 MOV EAX,DWORD PTR DS:[EBX]
004463C5 |. 83F8 0C CMP EAX,0C
004463C8 |. 75 1B JNZ SHORT D02E4.004463E5
004463CA |. 8B53 08 MOV EDX,DWORD PTR DS:[EBX+8]
004463CD |. 52 PUSH EDX ; /Arg1
004463CE |. 8B4B 04 MOV ECX,DWORD PTR DS:[EBX+4] ; |
004463D1 |. 8BD0 MOV EDX,EAX ; |
004463D3 |. 8BC6 MOV EAX,ESI ; |
004463D5 |. E8 8EB7FFFF CALL D02E4.00441B68 ; \D02E4.00441B68
004463DA |. EB 09 JMP SHORT D02E4.004463E5
004463DC |> 8BD3 MOV EDX,EBX
004463DE |. 8BC6 MOV EAX,ESI
004463E0 |. E8 FBCFFFFF CALL D02E4.004433E0
004463E5 |> 5D POP EBP
004463E6 |. 5F POP EDI
004463E7 |. 5E POP ESI
004463E8 |. 5B POP EBX
004463E9 \. C3 RETN
004463EA 8BC0 MOV EAX,EAX
004463EC /$ 53 PUSH EBX
004463ED |. 56 PUSH ESI
004463EE |. 57 PUSH EDI
004463EF |. 8BF2 MOV ESI,EDX
004463F1 |. 33DB XOR EBX,EBX
004463F3 |. E8 BC8AFFFF CALL D02E4.0043EEB4
004463F8 |. 8BF8 MOV EDI,EAX
004463FA |. 85FF TEST EDI,EDI
004463FC |. 74 1B JE SHORT D02E4.00446419
004463FE |. 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
00446401 |. 50 PUSH EAX ; /Arg1
00446402 |. 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4] ; |
00446405 |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; |
00446407 |. 81C2 00BC0000 ADD EDX,0BC00 ; |
0044640D |. 8BC7 MOV EAX,EDI ; |
0044640F |. E8 68CDFFFF CALL D02E4.0044317C ; \D02E4.0044317C
00446414 |. 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
00446417 |. B3 01 MOV BL,1
00446419 |> 8BC3 MOV EAX,EBX
0044641B |. 5F POP EDI
0044641C |. 5E POP ESI
0044641D |. 5B POP EBX
0044641E \. C3 RETN
0044641F 90 NOP
00446420 $ 55 PUSH EBP
00446421 . 8BEC MOV EBP,ESP
Returning repeatedly, it jumps here
004CE493 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004CE496 |. BA 34E54C00 MOV EDX,D02E4.004CE534 ; ASCII "RegUser"
004CE49B |. 8BC3 MOV EAX,EBX
004CE49D |. E8 BA51FAFF CALL D02E4.0047365C
004CE4A2 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004CE4A5 |. 8B86 0C030000 MOV EAX,DWORD PTR DS:[ESI+30C]
004CE4AB |. E8 183BF7FF CALL D02E4.00441FC8
004CE4B0 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004CE4B3 |. BA 44E54C00 MOV EDX,D02E4.004CE544 ; ASCII "RegNo"
004CE4B8 |. 8BC3 MOV EAX,EBX
004CE4BA |. E8 9D51FAFF CALL D02E4.0047365C
004CE4BF |. 8BC3 MOV EAX,EBX
004CE4C1 |. E8 AE52F3FF CALL D02E4.00403774
004CE4C6 |. 6A 40 PUSH 40
004CE4C8 |. B9 4CE54C00 MOV ECX,D02E4.004CE54C
004CE4CD |. BA 54E54C00 MOV EDX,D02E4.004CE554
004CE4D2 |. A1 84414D00 MOV EAX,DWORD PTR DS:[4D4184]
004CE4D7 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004CE4D9 |. E8 BE3CF9FF CALL D02E4.0046219C
004CE4DE |. A1 84414D00 MOV EAX,DWORD PTR DS:[4D4184]
004CE4E3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004CE4E5 |. E8 0E3CF9FF CALL D02E4.004620F8
004CE4EA |. 33C0 XOR EAX,EAX
004CE4EC |. 5A POP EDX
004CE4ED |. 59 POP ECX
004CE4EE |. 59 POP ECX
004CE4EF |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004CE4F2 |. 68 0CE54C00 PUSH D02E4.004CE50C
Continuing to step in with F8 leads here
0047365C /$ 53 PUSH EBX
0047365D |. 56 PUSH ESI
0047365E |. 57 PUSH EDI
0047365F |. 8BF1 MOV ESI,ECX
00473661 |. 8BFA MOV EDI,EDX
00473663 |. 8BD8 MOV EBX,EAX
00473665 |. 8BC6 MOV EAX,ESI
00473667 |. E8 4C11F9FF CALL D02E4.004047B8
0047366C |. 40 INC EAX
0047366D |. 50 PUSH EAX
0047366E |. 6A 01 PUSH 1
00473670 |. 8BC6 MOV EAX,ESI
00473672 |. E8 3913F9FF CALL D02E4.004049B0
00473677 |. 8BC8 MOV ECX,EAX ; |
00473679 |. 8BD7 MOV EDX,EDI ; |
0047367B |. 8BC3 MOV EAX,EBX ; |
0047367D |. E8 7E000000 CALL D02E4.00473700 ; \D02E4.00473700
00473682 |. 5F POP EDI
00473683 |. 5E POP ESI
00473684 |. 5B POP EBX
00473685 \. C3 RETN
00473686 8BC0 MOV EAX,EAX
00473688 /$ 53 PUSH EBX
00473689 |. 56 PUSH ESI
0047368A |. 57 PUSH EDI
0047368B |. 55 PUSH EBP
0047368C |. 51 PUSH ECX
0047368D |. 8BF9 MOV EDI,ECX
Stepping into the first CALL leads here
Stack SS:[0012F600]=00F5B844, (ASCII "EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B")
ECX=77D1882A (user32.77D1882A)
77DAEBE7 > 6A 2C PUSH 2C
77DAEBE9 68 28EDDA77 PUSH advapi32.77DAED28
77DAEBEE E8 267DFFFF CALL advapi32.77DA6919
77DAEBF3 33DB XOR EBX,EBX
77DAEBF5 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
77DAEBF8 817D 08 0400008>CMP DWORD PTR SS:[EBP+8],80000004
77DAEBFF 0F84 27850200 JE advapi32.77DD712C
77DAEC05 395D 10 CMP DWORD PTR SS:[EBP+10],EBX
77DAEC08 0F85 22850200 JNZ advapi32.77DD7130
77DAEC0E 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
77DAEC11 50 PUSH EAX
77DAEC12 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77DAEC15 E8 A67CFFFF CALL advapi32.77DA68C0
77DAEC1A 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
77DAEC1D 3BC3 CMP EAX,EBX
77DAEC1F 0F84 13850200 JE advapi32.77DD7138
77DAEC25 395D 0C CMP DWORD PTR SS:[EBP+C],EBX
77DAEC28 0F84 F2820000 JE advapi32.77DB6F20
77DAEC2E FF75 0C PUSH DWORD PTR SS:[EBP+C]
77DAEC31 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
77DAEC34 50 PUSH EAX
77DAEC35 FF15 A011DA77 CALL DWORD PTR DS:[<&ntdll.RtlCreateUnic>; ntdll.RtlCreateUnicodeStringFromAsciiz
77DAEC3B 84C0 TEST AL,AL
77DAEC3D 0F84 F9840200 JE advapi32.77DD713C
77DAEC43 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
77DAEC46 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
Then it returns again
00473730 |. 50 PUSH EAX ; |hKey
00473731 |. E8 B233F9FF CALL <JMP.&advapi32.RegSetValueExA> ; \RegSetValueExA
00473736 |. 85C0 TEST EAX,EAX
00473738 |. 74 24 JE SHORT D02E4.0047375E
0047373A |. 897D F4 MOV DWORD PTR SS:[EBP-C],EDI
0047373D |. C645 F8 0B MOV BYTE PTR SS:[EBP-8],0B
00473741 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00473744 |. 50 PUSH EAX
00473745 |. 6A 00 PUSH 0
00473747 |. 8B0D 08414D00 MOV ECX,DWORD PTR DS:[4D4108] ; D02E4.004128E0
0047374D |. B2 01 MOV DL,1
0047374F |. A1 3C324700 MOV EAX,DWORD PTR DS:[47323C]
00473754 |. E8 C38BF9FF CALL D02E4.0040C31C
00473759 |. E8 E207F9FF CALL D02E4.00403F40
0047375E |> 5F POP EDI
0047375F |. 5E POP ESI
00473760 |. 5B POP EBX
00473761 |. 8BE5 MOV ESP,EBP
00473763 |. 5D POP EBP ; 0012F608
Returns again
004CE4A2 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004CE4A5 |. 8B86 0C030000 MOV EAX,DWORD PTR DS:[ESI+30C]
004CE4AB |. E8 183BF7FF CALL D02E4.00441FC8
004CE4B0 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004CE4B3 |. BA 44E54C00 MOV EDX,D02E4.004CE544 ; ASCII "RegNo"  <- fake registration here
004CE4B8 |. 8BC3 MOV EAX,EBX
004CE4BA |. E8 9D51FAFF CALL D02E4.0047365C
004CE4BF |. 8BC3 MOV EAX,EBX
004CE4C1 |. E8 AE52F3FF CALL D02E4.00403774
004CE4C6 |. 6A 40 PUSH 40
004CE4C8 |. B9 4CE54C00 MOV ECX,D02E4.004CE54C
004CE4CD |. BA 54E54C00 MOV EDX,D02E4.004CE554
004CE4D2 |. A1 84414D00 MOV EAX,DWORD PTR DS:[4D4184]
004CE4D7 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004CE4D9 |. E8 BE3CF9FF CALL D02E4.0046219C  <- reaching here it shows as registered; on startup this displays the registration-success prompt, but it's fake and needs verification
004CE4DE |. A1 84414D00 MOV EAX,DWORD PTR DS:[4D4184]
What do I do from here? I really can't figure it out.
[/hide]
[ This post was last edited by 无名的小兵 on 2007-12-19 18:43 ]
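An added example, not part of the original post or of the target program. The notes above show the registration routine storing "RegUser" and "RegNo" through RegSetValueExA (the wrapper at 0047365C, with its EAX/EDX/ECX register arguments and string-length helper, looks like a Delphi TRegistry-style write; that is an assumption). A check that survives a restart has to read those values back, so the quickest way to find it is to hook the read side and log who calls it. The Frida script below hooks advapi32!RegSetValueExA and RegQueryValueExA, filters on the two value names, decodes the data, and prints the return address plus a short backtrace. It assumes a 32-bit target using the ANSI registry APIs (the W variants, RegOpenKeyExA or an INI file would need extra hooks) and a filename of D02E4.exe taken from the post; the helper functions have no Frida dependency so they can be exercised outside the target.

```javascript
// Frida script (added example, not from the original post) to find where a target
// reads its saved license values back on startup.  Assumptions: the values are
// stored via the ANSI registry APIs under the names "RegUser"/"RegNo" (as the
// notes show for the write side), and the target is 32-bit, so each API argument
// is a 32-bit value.  installHooks() runs only inside Frida; the helpers above it
// are plain JavaScript so they can be checked offline.

const WATCHED_VALUES = ["RegUser", "RegNo"];
const REG_SZ = 1, REG_EXPAND_SZ = 2, REG_DWORD = 4;

// Case-insensitive match against the value names we care about.
function isWatchedValue(name) {
  if (typeof name !== "string") return false;
  const lower = name.toLowerCase();
  return WATCHED_VALUES.some((w) => w.toLowerCase() === lower);
}

// Render a registry payload (array of byte values) according to its REG_* type.
function decodeRegData(bytes, type) {
  if (type === REG_SZ || type === REG_EXPAND_SZ) {
    const end = bytes.indexOf(0);                       // drop the NUL terminator
    const text = (end >= 0 ? bytes.slice(0, end) : bytes)
      .map((b) => String.fromCharCode(b)).join("");
    return JSON.stringify(text);
  }
  if (type === REG_DWORD && bytes.length >= 4) {
    const v = (bytes[0] | (bytes[1] << 8) | (bytes[2] << 16) | (bytes[3] << 24)) >>> 0;
    return "0x" + v.toString(16).padStart(8, "0");
  }
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join(" ");
}

// One log line per interesting call; retAddr is the address to break on in OllyDbg.
function formatEvent(api, valueName, retAddr, data) {
  const base = `${api}("${valueName}") from ${retAddr}`;
  return data === null ? base : `${base} => ${data}`;
}

function installHooks() {
  const advapi32 = Process.getModuleByName("advapi32.dll");

  // Write side: confirms what the registration routine stores.
  Interceptor.attach(advapi32.getExportByName("RegSetValueExA"), {
    onEnter(args) {
      const name = args[1].isNull() ? "(default)" : args[1].readAnsiString();
      if (!isWatchedValue(name)) return;
      const type = args[3].toInt32();                   // dwType
      const cb = args[5].toInt32();                     // cbData
      const bytes = cb > 0 ? Array.from(new Uint8Array(args[4].readByteArray(cb))) : [];
      console.log(formatEvent("RegSetValueExA", name, this.returnAddress, decodeRegData(bytes, type)));
    },
  });

  // Read side: this is what the restart check goes through.  The output buffer
  // is only valid after the call returns, so decode it in onLeave.
  Interceptor.attach(advapi32.getExportByName("RegQueryValueExA"), {
    onEnter(args) {
      this.name = args[1].isNull() ? "(default)" : args[1].readAnsiString();
      this.lpType = args[3];
      this.lpData = args[4];
      this.lpcbData = args[5];
    },
    onLeave(retval) {
      if (!isWatchedValue(this.name)) return;
      let data = null;
      if (retval.toInt32() === 0 && !this.lpData.isNull() && !this.lpcbData.isNull()) {
        const cb = this.lpcbData.readU32();
        const type = this.lpType.isNull() ? REG_SZ : this.lpType.readU32();
        const bytes = cb > 0 ? Array.from(new Uint8Array(this.lpData.readByteArray(cb))) : [];
        data = decodeRegData(bytes, type);
      }
      console.log(formatEvent("RegQueryValueExA", this.name, this.returnAddress, data));
      // The immediate return address is usually the program's registry wrapper,
      // not the check itself, so print a few frames of the caller chain as well.
      Thread.backtrace(this.context, Backtracer.ACCURATE)
        .slice(0, 6)
        .forEach((addr) => console.log("    " + DebugSymbol.fromAddress(addr)));
    },
  });
}

// Only install hooks when running under Frida; elsewhere the helpers are still usable.
if (typeof Interceptor !== "undefined") installHooks();
```

Usage (assumed invocation): save as trace_reg.js and run `frida -l trace_reg.js -f D02E4.exe`. Every startup read of "RegNo" prints the value the program got back and the frames inside D02E4.exe that asked for it; the first frame outside the registry wrapper is where to set a breakpoint in OllyDbg and follow what is done with the returned string. If nothing prints at startup, the program is reading the values some other way (the W variants, RegEnumValue, or a file), and the hooks need widening accordingly.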