先对主程序脱壳，然后反汇编，得到引用字符串“Thank you”的代码地址为00473D7A，引用字符串“This is not a valid”的代码地址为00473C32、00473DBE。相关代码如下：
; Reviewer notes: this is an excerpt of a W32Dasm-style listing (address, opcode
; bytes, mnemonic). Several instructions were wrapped onto two lines by the
; extraction; they are left exactly as given. Target is 32-bit x86.
; Every callee (00422214, 00403C30, 0040298C, 0045E228, 0045E320, 0045E4BC,
; 0045E560, 00402E2C, 00422254, 004220DC) lies outside this excerpt, so what a
; call does is inferred only from the arguments visible here. Arguments appear
; to be passed in eax / edx / ecx (Borland-style register convention) -- confirm
; against the callees before relying on that.
; Register roles as far as this excerpt shows:
;   ebx        = object whose fields [ebx+238h], [ebx+23Ch], [ebx+35Ch], ... are
;                handed to callees (presumably UI controls -- confirm)
;   esi        = the value being validated; it is set before 00473C64, outside
;                this excerpt (presumably the serial converted to an integer)
;   [004919E0] = object returned by the call at 00473C9E, passed as eax to the
;                registry-looking calls that follow
; The check itself is 00473D0D..00473D5A: two integers derived from esi are
; compared, and the two conditional jumps at 00473D52 / 00473D5A are the only
; places where the success path (00473D5C) and the failure path (00473DBE) split.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473C30(C)
|
; eax = [ebx+238h], edx = &[ebp-08]; the callee fills [ebp-08], which is read
; again at 00473C72 (likely a string fetched from a control -- confirm).
:00473C64 8D55F8
lea edx, dword ptr [ebp-08]
:00473C67 8B8338020000 mov eax, dword
ptr [ebx+00000238]
:00473C6D E8A2E5FAFF call
00422214
; Copies [ebp-08] into a local buffer at [ebp-108h] with a length limit of 0FFh
; (ecx), then passes that buffer together with the global 004919E4 and cl = 28h.
:00473C72 8B55F8
mov edx, dword ptr [ebp-08]
:00473C75 8D85F8FEFFFF lea eax, dword
ptr [ebp+FFFFFEF8]
:00473C7B B9FF000000 mov ecx,
000000FF
:00473C80 E8ABFFF8FF call
00403C30
:00473C85 8D95F8FEFFFF lea edx, dword
ptr [ebp+FFFFFEF8]
:00473C8B B8E4194900 mov eax,
004919E4
:00473C90 B128
mov cl, 28
:00473C92 E8F5ECF8FF call
0040298C
; Creates an object (eax = [0045E0F4] as the class/template, dl = 1) and keeps
; the result in the global [004919E0].
:00473C97 B201
mov dl, 01
:00473C99 A1F4E04500 mov eax,
dword ptr [0045E0F4]
:00473C9E E885A5FEFF call
0045E228
:00473CA3 A3E0194900 mov dword
ptr [004919E0], eax
:00473CA8 B101
mov cl, 01
* Possible StringData Ref from Code Obj ->"\Software\StarMadness"
|
; Object at [004919E0], edx = "\Software\StarMadness", cl = 1 -- presumably
; opens/creates that registry key (confirm by examining 0045E320).
:00473CAA BA683E4700 mov edx,
00473E68
:00473CAF A1E0194900 mov eax,
dword ptr [004919E0]
:00473CB4 E867A6FEFF call
0045E320
; Re-reads the value from [ebx+238h] into [ebp-08] and stores it under the name
; "UserName" (eax = object, edx = name, ecx = value).
:00473CB9 8D55F8
lea edx, dword ptr [ebp-08]
:00473CBC 8B8338020000 mov eax, dword
ptr [ebx+00000238]
:00473CC2 E84DE5FAFF call
00422214
:00473CC7 8B4DF8
mov ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"UserName"
|
:00473CCA BA883E4700 mov edx,
00473E88
:00473CCF A1E0194900 mov eax,
dword ptr [004919E0]
:00473CD4 E8E3A7FEFF call
0045E4BC
; Same pattern with the value from [ebx+23Ch], stored as "SerialNumber".
; Note the typed-in serial is persisted before it has been validated.
:00473CD9 8D55F8
lea edx, dword ptr [ebp-08]
:00473CDC 8B833C020000 mov eax, dword
ptr [ebx+0000023C]
:00473CE2 E82DE5FAFF call
00422214
:00473CE7 8B4DF8
mov ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"SerialNumber"
|
:00473CEA BA9C3E4700 mov edx,
00473E9C
:00473CEF A1E0194900 mov eax,
dword ptr [004919E0]
:00473CF4 E8C3A7FEFF call
0045E4BC
* Possible StringData Ref from Code Obj ->"1.28"
|
* Possible StringData Ref from Code Obj ->"Version"
|
; Stores the constant string "1.28" under "Version" through the same callee.
:00473CF9 B9B43E4700 mov ecx,
00473EB4
:00473CFE BAC43E4700 mov edx,
00473EC4
:00473D03 A1E0194900 mov eax,
dword ptr [004919E0]
:00473D08 E8AFA7FEFF call
0045E4BC
; Signed division (cdq/idiv) of esi by 2710h (10000): quotient in eax is
; discarded here, remainder in edx is kept in edi.
:00473D0D 8BC6
mov eax, esi
:00473D0F B910270000 mov ecx,
00002710
:00473D14 99
cdq
:00473D15 F7F9
idiv ecx
:00473D17 8BFA
mov edi, edx
; ecx = edi xor 0C01h; this is the value written under "BuildID" below.
:00473D19 8BCF
mov ecx, edi
:00473D1B 81F1010C0000 xor ecx, 00000C01
* Possible StringData Ref from Code Obj ->"BuildID"
|
; Different callee (0045E560) than the string writes above -- presumably the
; integer-valued variant (confirm).
:00473D21 BAD43E4700 mov edx,
00473ED4
:00473D26 A1E0194900 mov eax,
dword ptr [004919E0]
:00473D2B E830A8FEFF call
0045E560
; Object at [004919E0] is passed once more with no other arguments --
; presumably closed/freed here (confirm by examining 00402E2C).
:00473D30 A1E0194900 mov eax,
dword ptr [004919E0]
:00473D35 E8F2F0F8FF call
00402E2C
; ecx = edi / 33h (signed quotient of the remainder computed at 00473D17).
:00473D3A 8BC7
mov eax, edi
:00473D3C B933000000 mov ecx,
00000033
:00473D41 99
cdq
:00473D42 F7F9
idiv ecx
:00473D44 8BC8
mov ecx, eax
; eax = esi / 2710h (signed quotient; the remainder in edx is unused).
:00473D46 8BC6
mov eax, esi
:00473D48 BF10270000 mov edi,
00002710
:00473D4D 99
cdq
:00473D4E F7FF
idiv edi
:00473D50 3BC1
cmp eax, ecx ; compare the two quotients; if they differ, go to the "This is not a valid" path
:00473D52 756A
jne 00473DBE
; Second condition: esi must be strictly greater than 2710h. jle is a signed
; compare, so zero and negative values also take the failure path.
:00473D54 81FE10270000 cmp esi, 00002710
; same as above
:00473D5A 7E62
jle 00473DBE
; Success path: two global byte flags are set and the UI is updated. Nothing on
; this path depends on esi any further, so the validation result is carried
; only by these flags (a single point of failure from a protection-design view).
:00473D5C C605D8C2470001 mov byte ptr [0047C2D8],
01
:00473D63 C605DC19490001 mov byte ptr [004919DC],
01
* Possible StringData Ref from Code Obj ->"JOIN GAME"
|
; Each of the three calls to 00422254 takes eax = [ebx+...] and edx = string --
; presumably assigning caption text to a control (confirm).
:00473D6A BAE43E4700 mov edx,
00473EE4
:00473D6F 8B835C030000 mov eax, dword
ptr [ebx+0000035C]
:00473D75 E8DAE4FAFF call
00422254
* Possible StringData Ref from Code Obj ->"Thank you,"
|
:00473D7A BAF83E4700 mov edx,
00473EF8
:00473D7F 8B8374030000 mov eax, dword
ptr [ebx+00000374]
:00473D85 E8CAE4FAFF call
00422254
* Possible StringData Ref from Code Obj ->"have a nice game!"
|
:00473D8A BA0C3F4700 mov edx,
00473F0C
:00473D8F 8B837C030000 mov eax, dword
ptr [ebx+0000037C]
:00473D95 E8BAE4FAFF call
00422254
; eax = [ebx+370h], dl = 1 -- presumably sets a boolean property on that
; control; the failure path at 00473DDE does the identical call.
:00473D9A B201
mov dl, 01
:00473D9C 8B8370030000 mov eax, dword
ptr [ebx+00000370]
:00473DA2 E835E3FAFF call
004220DC
; Three more global bytes written only on success: 1, 0Ch and 14h. Their
; meaning is not visible in this excerpt.
:00473DA7 C605FCC2470001 mov byte ptr [0047C2FC],
01
:00473DAE C60500C347000C mov byte ptr [0047C300],
0C
:00473DB5 C605D8FE480014 mov byte ptr [0048FED8],
14
:00473DBC EB2F
jmp 00473DED
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00473D52(C), :00473D5A(C)
|
* Possible StringData Ref from Code Obj ->"This is not a valid"
|
; Failure path, reached from both conditional jumps above: writes the two
; message strings into the same controls ([ebx+374h], [ebx+37Ch]) the success
; path used, then performs the same dl = 1 call on [ebx+370h].
:00473DBE BA343E4700 mov edx,
00473E34
:00473DC3 8B8374030000 mov eax, dword
ptr [ebx+00000374]
:00473DC9 E886E4FAFF call
00422254
* Possible StringData Ref from Code Obj ->"serial number!"
|
:00473DCE BA503E4700 mov edx,
00473E50
:00473DD3 8B837C030000 mov eax, dword
ptr [ebx+0000037C]
:00473DD9 E876E4FAFF call
00422254
:00473DDE B201
mov dl, 01
:00473DE0 8B8370030000 mov eax, dword
ptr [ebx+00000370]
:00473DE6 E8F1E2FAFF call
004220DC
; Both paths rejoin past this excerpt (00473DED / 00473E07 are not shown).
:00473DEB EB1A
jmp 00473E07
找到这段代码，就容易分析了。