【文章标题】: 流星网络电视(MeteorNetTv) V2.23.2 分析
【文章作者】: the0crat
【作者邮箱】: the0crat.cn_at_gmail.com
【作者主页】: http://the0crat.blogcn.com
【生产日期】: 20070109
【又可参考】: http://bbs.pediy.com/showthread.php?s=&threadid=38913
【作者声明】: 本文仅供研究学习,本人对因这篇文章而导致的一切后果,不承担任何法律责任。本文中的不足之处请各位多多指教
--------------------------------------------------------------------------------
【详细过程】
[难度] -=初级=- 中级 高级 牛牛
脱壳(饭前要洗手哦),OD载入,打开注册的对话框,dede查到入口,来到这里
00509AE8 /. 55 push ebp
00509AE9 |. 8BEC mov ebp, esp
00509AEB |. B9 09000000 mov ecx, 9
00509AF0 |> 6A 00 /push 0
00509AF2 |. 6A 00 |push 0
00509AF4 |. 49 |dec ecx
00509AF5 |.^ 75 F9 \jnz short 00509AF0
00509AF7 |. 53 push ebx
00509AF8 |. 8BD8 mov ebx, eax
00509AFA |. 33C0 xor eax, eax
00509AFC |. 55 push ebp
00509AFD |. 68 8D9D5000 push 00509D8D
00509B02 |. 64:FF30 push dword ptr fs:[eax]
00509B05 |. 64:8920 mov dword ptr fs:[eax], esp
00509B08 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00509B0B |. 8B83 14030000 mov eax, dword ptr [ebx+314]
00509B11 |. E8 E6F2F4FF call 00458DFC ; 取得用户名
00509B16 |. 8B45 F0 mov eax, dword ptr [ebp-10]
00509B19 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00509B1C |. E8 D3F1EFFF call 00408CF4
00509B21 |. 837D F4 00 cmp dword ptr [ebp-C], 0
00509B25 |. 0F84 0D020000 je 00509D38 ; 用户名为空则跳跑掉
00509B2B |. 8D55 E8 lea edx, dword ptr [ebp-18]
00509B2E |. 8B83 18030000 mov eax, dword ptr [ebx+318]
00509B34 |. E8 C3F2F4FF call 00458DFC ; 取注册码
00509B39 |. 8B45 E8 mov eax, dword ptr [ebp-18]
00509B3C |. 8D55 EC lea edx, dword ptr [ebp-14]
00509B3F |. E8 B0F1EFFF call 00408CF4
00509B44 |. 837D EC 00 cmp dword ptr [ebp-14], 0
00509B48 |. 0F84 EA010000 je 00509D38 ; 注册码为空则跳跑掉
00509B4E |. 8D55 E4 lea edx, dword ptr [ebp-1C]
00509B51 |. 8B83 14030000 mov eax, dword ptr [ebx+314]
00509B57 |. E8 A0F2F4FF call 00458DFC ; 又取一次用户名~~~
00509B5C |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00509B5F |. 8D55 F8 lea edx, dword ptr [ebp-8]
00509B62 |. E8 8DF1EFFF call 00408CF4
00509B67 |. 8D55 DC lea edx, dword ptr [ebp-24]
00509B6A |. 8B83 18030000 mov eax, dword ptr [ebx+318]
00509B70 |. E8 87F2F4FF call 00458DFC ; 又取一次注册码~~~
00509B75 |. 8B45 DC mov eax, dword ptr [ebp-24]
00509B78 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00509B7B |. E8 74F1EFFF call 00408CF4
00509B80 |. 8B45 E0 mov eax, dword ptr [ebp-20]
00509B83 |. 8D55 FC lea edx, dword ptr [ebp-4]
00509B86 |. E8 55EFEFFF call 00408AE0
00509B8B |. 8B45 FC mov eax, dword ptr [ebp-4]
00509B8E |. E8 4DABEFFF call 004046E0
00509B93 |. 83E8 10 sub eax, 10 ; Switch (cases 10..20)
00509B96 |. 74 18 je short 00509BB0 ; 注册码为16位是标准版
00509B98 |. 83E8 04 sub eax, 4
00509B9B |. 74 4B je short 00509BE8 ; 20位是VIP
00509B9D |. 83E8 04 sub eax, 4
00509BA0 |. 74 7B je short 00509C1D ; 24位钻石
00509BA2 |. 83E8 08 sub eax, 8
00509BA5 |. 0F84 A7000000 je 00509C52 ; unknown version ;-)
00509BAB |. E9 88010000 jmp 00509D38
我们看一下钻石版的
00509C1D |> A1 FC275100 mov eax, dword ptr [5127FC] ; Case 18 of switch 00509B93
00509C22 |. 50 push eax
00509C23 |. 8D55 C4 lea edx, dword ptr [ebp-3C]
00509C26 |. 8B45 FC mov eax, dword ptr [ebp-4]
00509C29 |. E8 F222F7FF call 0047BF20 ; 注册码md5
00509C2E |. 8B45 C4 mov eax, dword ptr [ebp-3C]
00509C31 |. 8D4D C8 lea ecx, dword ptr [ebp-38]
00509C34 |. BA A49D5000 mov edx, 00509DA4 ; ASCII "Impressions"
00509C39 |. E8 F614F7FF call 0047B134 ; 再DES,key="Impressions"
00509C3E |. 8B45 C8 mov eax, dword ptr [ebp-38]
00509C41 |. B9 10000000 mov ecx, 10
00509C46 |. BA 05000000 mov edx, 5
00509C4B |. E8 F0ACEFFF call 00404940 ; 取其从左到右算第5位开始依次取16字
符
00509C50 |. EB 33 jmp short 00509C85
00509C52 |> A1 FC275100 mov eax, dword ptr [5127FC] ; Case 20 of switch 00509B93
00509C57 |. 50 push eax
00509C58 |. 8D55 BC lea edx, dword ptr [ebp-44]
00509C5B |. 8B45 FC mov eax, dword ptr [ebp-4]
00509C5E |. E8 BD22F7FF call 0047BF20
00509C63 |. 8B45 BC mov eax, dword ptr [ebp-44]
00509C66 |. 8D4D C0 lea ecx, dword ptr [ebp-40]
00509C69 |. BA A49D5000 mov edx, 00509DA4 ; ASCII "Impressions"
00509C6E |. E8 C114F7FF call 0047B134
00509C73 |. 8B45 C0 mov eax, dword ptr [ebp-40]
00509C76 |. B9 0C000000 mov ecx, 0C
00509C7B |. BA 0C000000 mov edx, 0C
00509C80 |. E8 BBACEFFF call 00404940
00509C85 |> B2 01 mov dl, 1
00509C87 |. A1 20BF4300 mov eax, dword ptr [43BF20]
00509C8C |. E8 8F23F3FF call 0043C020
00509C91 |. 8BD8 mov ebx, eax
00509C93 |. BA 02000080 mov edx, 80000002
00509C98 |. 8BC3 mov eax, ebx
00509C9A |. E8 2124F3FF call 0043C0C0
00509C9F |. B1 01 mov cl, 1
00509CA1 |. BA B89D5000 mov edx, 00509DB8 ; ASCII
"\SOFTWARE\Microsoft\Windows\CurrentVersion\olympic"
00509CA6 |. 8BC3 mov eax, ebx
00509CA8 |. E8 7B24F3FF call 0043C128
00509CAD |. 84C0 test al, al
00509CAF |. 74 14 je short 00509CC5
00509CB1 |. 8B0D FC275100 mov ecx, dword ptr [5127FC] ; unpacked.005141AC
00509CB7 |. 8B09 mov ecx, dword ptr [ecx]
00509CB9 |. BA F49D5000 mov edx, 00509DF4 ; ASCII "pic"
00509CBE |. 8BC3 mov eax, ebx
00509CC0 |. E8 A728F3FF call 0043C56C ; 将其写入注册表
00509CC5 |> 8BC3 mov eax, ebx
00509CC7 |. E8 C423F3FF call 0043C090
00509CCC |. 8BC3 mov eax, ebx
00509CCE |. E8 9998EFFF call 0040356C
00509CD3 |. B2 01 mov dl, 1
00509CD5 |. A1 20BF4300 mov eax, dword ptr [43BF20]
00509CDA |. E8 4123F3FF call 0043C020
00509CDF |. 8BD8 mov ebx, eax
00509CE1 |. BA 01000080 mov edx, 80000001
00509CE6 |. 8BC3 mov eax, ebx
00509CE8 |. E8 D323F3FF call 0043C0C0
00509CED |. B1 01 mov cl, 1
00509CEF |. BA 009E5000 mov edx, 00509E00 ; ASCII
"\SoftWare\Microsoft\Windows\CurrentVersion\patron"
00509CF4 |. 8BC3 mov eax, ebx
00509CF6 |. E8 2D24F3FF call 0043C128
00509CFB |. 84C0 test al, al
00509CFD |. 74 1F je short 00509D1E
00509CFF |. 8D4D B8 lea ecx, dword ptr [ebp-48]
00509D02 |. BA 3C9E5000 mov edx, 00509E3C ; ASCII "MeteorTV.username"
00509D07 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00509D0A |. E8 2514F7FF call 0047B134 ; DES,PT=用户
名,key="MeteorTV.username"
00509D0F |. 8B4D B8 mov ecx, dword ptr [ebp-48]
00509D12 |. BA 589E5000 mov edx, 00509E58 ; ASCII "mortal"
00509D17 |. 8BC3 mov eax, ebx
00509D19 |. E8 4E28F3FF call 0043C56C ; 将其写入注册表
00509D1E |> 8BC3 mov eax, ebx
00509D20 |. E8 6B23F3FF call 0043C090
00509D25 |. 8BC3 mov eax, ebx
00509D27 |. E8 4098EFFF call 0040356C
00509D2C |. A1 68275100 mov eax, dword ptr [512768]
00509D31 |. 8B00 mov eax, dword ptr [eax]
00509D33 |. E8 18BCF6FF call 00475950
00509D38 |> 33C0 xor eax, eax ; Default case of switch 00509B93
00509D3A |. 5A pop edx
00509D3B |. 59 pop ecx
00509D3C |. 59 pop ecx
00509D3D |. 64:8910 mov dword ptr fs:[eax], edx
00509D40 |. 68 949D5000 push 00509D94
00509D45 |> 8D45 B8 lea eax, dword ptr [ebp-48]
00509D48 |. BA 09000000 mov edx, 9
00509D4D |. E8 F2A6EFFF call 00404444
00509D52 |. 8D45 DC lea eax, dword ptr [ebp-24]
00509D55 |. E8 C6A6EFFF call 00404420
00509D5A |. 8D45 E0 lea eax, dword ptr [ebp-20]
00509D5D |. E8 BEA6EFFF call 00404420
00509D62 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00509D65 |. BA 02000000 mov edx, 2
00509D6A |. E8 D5A6EFFF call 00404444
00509D6F |. 8D45 EC lea eax, dword ptr [ebp-14]
00509D72 |. E8 A9A6EFFF call 00404420
00509D77 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00509D7A |. E8 A1A6EFFF call 00404420
00509D7F |. 8D45 F4 lea eax, dword ptr [ebp-C]
00509D82 |. BA 03000000 mov edx, 3
00509D87 |. E8 B8A6EFFF call 00404444
00509D8C \. C3 retn
Ctrl+F2,打开String Reference,程序错误,换一个试试,IDA载入,string里找"patron",来到CODE:00505A38,DATA
XREF到CODE:00505525,回到OD,在这里断点。还有一处"patron",看到在上面这段里面,跳过。OD运行,断下来了,
Ctrl+F2,把断点往前移到这个函数的入口005054AC,运行,断下来了
005054AC /$ 55 push ebp
005054AD |. 8BEC mov ebp, esp
005054AF |. B9 14000000 mov ecx, 14
005054B4 |> 6A 00 /push 0
005054B6 |. 6A 00 |push 0
005054B8 |. 49 |dec ecx
005054B9 |.^ 75 F9 \jnz short 005054B4
005054BB |. 51 push ecx
005054BC |. 53 push ebx
005054BD |. 56 push esi
005054BE |. 8BD8 mov ebx, eax
005054C0 |. 33C0 xor eax, eax
005054C2 |. 55 push ebp
005054C3 |. 68 DB595000 push 005059DB
005054C8 |. 64:FF30 push dword ptr fs:[eax]
005054CB |. 64:8920 mov dword ptr fs:[eax], esp
005054CE |. B2 01 mov dl, 1
005054D0 |. A1 20BF4300 mov eax, dword ptr [43BF20]
005054D5 |. E8 466BF3FF call 0043C020
005054DA |. 8BF0 mov esi, eax
005054DC |. BA 02000080 mov edx, 80000002
005054E1 |. 8BC6 mov eax, esi
005054E3 |. E8 D86BF3FF call 0043C0C0
005054E8 |. B1 01 mov cl, 1
005054EA |. BA F0595000 mov edx, 005059F0 ; ASCII
"\SOFTWARE\Microsoft\Windows\CurrentVersion\olympic"
005054EF |. 8BC6 mov eax, esi
005054F1 |. E8 326CF3FF call 0043C128
005054F6 |. 84C0 test al, al
005054F8 |. 74 1D je short 00505517
005054FA |. 8D4D F4 lea ecx, dword ptr [ebp-C]
005054FD |. BA 2C5A5000 mov edx, 00505A2C ; ASCII "pic"
00505502 |. 8BC6 mov eax, esi
00505504 |. E8 8F70F3FF call 0043C598 ; 取注册表键值,此处是之前输入的注
册码运算后的值
00505509 |. 8B55 F4 mov edx, dword ptr [ebp-C]
0050550C |. 8D83 C4040000 lea eax, dword ptr [ebx+4C4]
00505512 |. E8 5DEFEFFF call 00404474
00505517 |> BA 01000080 mov edx, 80000001
0050551C |. 8BC6 mov eax, esi
0050551E |. E8 9D6BF3FF call 0043C0C0
00505523 |. B1 01 mov cl, 1
00505525 |. BA 385A5000 mov edx, 00505A38 ; ASCII
"\SoftWare\Microsoft\Windows\CurrentVersion\patron"
0050552A |. 8BC6 mov eax, esi
0050552C |. E8 F76BF3FF call 0043C128
00505531 |. 84C0 test al, al
00505533 |. 74 1D je short 00505552
00505535 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00505538 |. BA 745A5000 mov edx, 00505A74 ; ASCII "mortal"
0050553D |. 8BC6 mov eax, esi
0050553F |. E8 5470F3FF call 0043C598 ; 取注册表键值
00505544 |. 8B55 F0 mov edx, dword ptr [ebp-10]
00505547 |. 8D83 CC040000 lea eax, dword ptr [ebx+4CC]
0050554D |. E8 22EFEFFF call 00404474
00505552 |> 8BC6 mov eax, esi
00505554 |. E8 376BF3FF call 0043C090 ; 关闭注册表
00505559 |. 8BC6 mov eax, esi
0050555B |. E8 0CE0EFFF call 0040356C
00505560 |. 8D4D EC lea ecx, dword ptr [ebp-14]
00505563 |. BA 845A5000 mov edx, 00505A84 ; ASCII "MeteorTV.username"
00505568 |. 8B83 CC040000 mov eax, dword ptr [ebx+4CC]
0050556E |. E8 A95DF7FF call 0047B31C ; 注册表中mortal的值是之前输入的用
户名,此处取逆运算还原出来
00505573 |. 8B55 EC mov edx, dword ptr [ebp-14]
00505576 |. 8D83 CC040000 lea eax, dword ptr [ebx+4CC]
0050557C |. E8 F3EEEFFF call 00404474
00505581 |. 8D55 FC lea edx, dword ptr [ebp-4]
00505584 |. 8B83 CC040000 mov eax, dword ptr [ebx+4CC]
0050558A |. E8 9169F7FF call 0047BF20 ; 用户名的md5
0050558F |. 8D4D E8 lea ecx, dword ptr [ebp-18]
00505592 |. BA A05A5000 mov edx, 00505AA0 ; ASCII "killyou?yes"
00505597 |. 8B45 FC mov eax, dword ptr [ebp-4]
0050559A |. E8 B5A4FDFF call 004DFA54 ; PT=用户名md5,key="killyou?
yes"......
跟入
004DFA54 /$ 55 push ebp
004DFA55 |. 8BEC mov ebp, esp
004DFA57 |. 51 push ecx
004DFA58 |. B9 07000000 mov ecx, 7
004DFA5D |> 6A 00 /push 0
004DFA5F |. 6A 00 |push 0
004DFA61 |. 49 |dec ecx
004DFA62 |.^ 75 F9 \jnz short 004DFA5D
004DFA64 |. 874D FC xchg dword ptr [ebp-4], ecx
004DFA67 |. 53 push ebx
004DFA68 |. 56 push esi
004DFA69 |. 57 push edi
004DFA6A |. 894D F8 mov dword ptr [ebp-8], ecx
004DFA6D |. 8955 FC mov dword ptr [ebp-4], edx
004DFA70 |. 8BD8 mov ebx, eax
004DFA72 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DFA75 |. E8 564EF2FF call 004048D0
004DFA7A |. 33C0 xor eax, eax
004DFA7C |. 55 push ebp
004DFA7D |. 68 56FC4D00 push 004DFC56
004DFA82 |. 64:FF30 push dword ptr fs:[eax]
004DFA85 |. 64:8920 mov dword ptr fs:[eax], esp
004DFA88 |. 8D55 F4 lea edx, dword ptr [ebp-C]
004DFA8B |. 8BC3 mov eax, ebx
004DFA8D |. E8 26FFFFFF call 004DF9B8 ; 用户名md5的ascii值
004DFA92 |. 8D55 F0 lea edx, dword ptr [ebp-10]
004DFA95 |. 8B45 FC mov eax, dword ptr [ebp-4]
004DFA98 |. E8 1BFFFFFF call 004DF9B8 ; "killyou?yes"的ascii值
004DFA9D |. 8D45 EC lea eax, dword ptr [ebp-14]
004DFAA0 |. 8B55 F4 mov edx, dword ptr [ebp-C]
004DFAA3 |. E8 104AF2FF call 004044B8
004DFAA8 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004DFAAB |. E8 304CF2FF call 004046E0
004DFAB0 |. D1F8 sar eax, 1
004DFAB2 |. 79 03 jns short 004DFAB7
004DFAB4 |. 83D0 00 adc eax, 0
004DFAB7 |> 85C0 test eax, eax
004DFAB9 |. 0F8E 54010000 jle 004DFC13
004DFABF |. 8945 E0 mov dword ptr [ebp-20], eax
004DFAC2 |. BE 01000000 mov esi, 1
004DFAC7 |> 83FE 01 /cmp esi, 1
004DFACA |. 74 0B |je short 004DFAD7
004DFACC |. 8D45 EC |lea eax, dword ptr [ebp-14]
004DFACF |. 8B55 E8 |mov edx, dword ptr [ebp-18]
004DFAD2 |. E8 E149F2FF |call 004044B8
004DFAD7 |> 8D45 E8 |lea eax, dword ptr [ebp-18]
004DFADA |. E8 4149F2FF |call 00404420
004DFADF |. 8B45 EC |mov eax, dword ptr [ebp-14]
004DFAE2 |. E8 F94BF2FF |call 004046E0
004DFAE7 |. 8BF8 |mov edi, eax
004DFAE9 |. D1FF |sar edi, 1 ; 算到这里为止得edi=length(ascii
(md5(username)))
004DFAEB |. 79 03 |jns short 004DFAF0
004DFAED |. 83D7 00 |adc edi, 0
004DFAF0 |> 85FF |test edi, edi
004DFAF2 |. 0F8E 11010000 |jle 004DFC09 ; 其长度,不大于0则跳
004DFAF8 |. BB 01000000 |mov ebx, 1
004DFAFD |> BA 64FC4D00 |/mov edx, 004DFC64
004DFB02 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB05 |. E8 4E33F2FF ||call 00402E58
004DFB0A |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFB0D |. 8BD3 ||mov edx, ebx
004DFB0F |. 03D2 ||add edx, edx
004DFB11 |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
004DFB14 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2]
004DFB18 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFB1B |. C600 01 ||mov byte ptr [eax], 1
004DFB1E |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFB21 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB24 |. B1 02 ||mov cl, 2
004DFB26 |. E8 FD32F2FF ||call 00402E28
004DFB2B |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
004DFB2E |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFB31 |. E8 2233F2FF ||call 00402E58
004DFB36 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFB39 |. 8BD3 ||mov edx, ebx
004DFB3B |. 03D2 ||add edx, edx
004DFB3D |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
004DFB40 |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1]
004DFB44 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFB47 |. C600 01 ||mov byte ptr [eax], 1
004DFB4A |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFB4D |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFB50 |. B1 03 ||mov cl, 3
004DFB52 |. E8 D132F2FF ||call 00402E28
004DFB57 |. 8D55 D0 ||lea edx, dword ptr [ebp-30]
004DFB5A |. 8D45 DC ||lea eax, dword ptr [ebp-24]
004DFB5D |. E8 224BF2FF ||call 00404684
004DFB62 |. 8B45 DC ||mov eax, dword ptr [ebp-24]
004DFB65 |. E8 CE96F2FF ||call 00409238
004DFB6A |. 8845 E7 ||mov byte ptr [ebp-19], al
004DFB6D |. BA 64FC4D00 ||mov edx, 004DFC64
004DFB72 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB75 |. E8 DE32F2FF ||call 00402E58
004DFB7A |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFB7D |. 8BD6 ||mov edx, esi
004DFB7F |. 03D2 ||add edx, edx
004DFB81 |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
004DFB84 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2]
004DFB88 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFB8B |. C600 01 ||mov byte ptr [eax], 1
004DFB8E |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFB91 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
004DFB94 |. B1 02 ||mov cl, 2
004DFB96 |. E8 8D32F2FF ||call 00402E28
004DFB9B |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
004DFB9E |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFBA1 |. E8 B232F2FF ||call 00402E58
004DFBA6 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
004DFBA9 |. 8BD6 ||mov edx, esi
004DFBAB |. 03D2 ||add edx, edx
004DFBAD |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
004DFBB0 |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1]
004DFBB4 |. 8850 01 ||mov byte ptr [eax+1], dl
004DFBB7 |. C600 01 ||mov byte ptr [eax], 1
004DFBBA |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
004DFBBD |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
004DFBC0 |. B1 03 ||mov cl, 3
004DFBC2 |. E8 6132F2FF ||call 00402E28
004DFBC7 |. 8D55 D0 ||lea edx, dword ptr [ebp-30]
004DFBCA |. 8D45 CC ||lea eax, dword ptr [ebp-34]
004DFBCD |. E8 B24AF2FF ||call 00404684
004DFBD2 |. 8B45 CC ||mov eax, dword ptr [ebp-34]
004DFBD5 |. E8 5E96F2FF ||call 00409238
004DFBDA |. 3245 E7 ||xor al, byte ptr [ebp-19] ; 前面一堆预处理,这里是关键的xor
004DFBDD |. 8845 E6 ||mov byte ptr [ebp-1A], al
004DFBE0 |. 8D45 C4 ||lea eax, dword ptr [ebp-3C]
004DFBE3 |. 8A55 E6 ||mov dl, byte ptr [ebp-1A]
004DFBE6 |. E8 1D4AF2FF ||call 00404608
004DFBEB |. 8B45 C4 ||mov eax, dword ptr [ebp-3C]
004DFBEE |. 8D55 C8 ||lea edx, dword ptr [ebp-38]
004DFBF1 |. E8 C2FDFFFF ||call 004DF9B8
004DFBF6 |. 8B55 C8 ||mov edx, dword ptr [ebp-38]
004DFBF9 |. 8D45 E8 ||lea eax, dword ptr [ebp-18]
004DFBFC |. E8 E74AF2FF ||call 004046E8 ; "strcat()"
004DFC01 |. 43 ||inc ebx
004DFC02 |. 4F ||dec edi
004DFC03 |.^ 0F85 F4FEFFFF |\jnz 004DFAFD
004DFC09 |> 46 |inc esi
004DFC0A |. FF4D E0 |dec dword ptr [ebp-20]
004DFC0D |.^ 0F85 B4FEFFFF \jnz 004DFAC7
004DFC13 |> 8B45 F8 mov eax, dword ptr [ebp-8]
004DFC16 |. 8B55 E8 mov edx, dword ptr [ebp-18]
004DFC19 |. E8 5648F2FF call 00404474
004DFC1E |. 33C0 xor eax, eax
004DFC20 |. 5A pop edx
004DFC21 |. 59 pop ecx
004DFC22 |. 59 pop ecx
004DFC23 |. 64:8910 mov dword ptr fs:[eax], edx
004DFC26 |. 68 5DFC4D00 push 004DFC5D
004DFC2B |> 8D45 C4 lea eax, dword ptr [ebp-3C]
004DFC2E |. BA 03000000 mov edx, 3
004DFC33 |. E8 0C48F2FF call 00404444
004DFC38 |. 8D45 DC lea eax, dword ptr [ebp-24]
004DFC3B |. E8 E047F2FF call 00404420
004DFC40 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004DFC43 |. BA 04000000 mov edx, 4
004DFC48 |. E8 F747F2FF call 00404444
004DFC4D |. 8D45 FC lea eax, dword ptr [ebp-4]
004DFC50 |. E8 CB47F2FF call 00404420
004DFC55 \. C3 retn
这一段的过程很简单,不标注了,将PT的每个字符的ascii依次和key的第一个字符的ascii异或,得到字符串n1,依次将
n1每个字符的ascii与key的第二个字符的ascii异或,得到n2,如此循环完key的每一个字符,即为结果a
0050559F |. 8B55 E8 mov edx, dword ptr [ebp-18]
005055A2 |. 8D45 FC lea eax, dword ptr [ebp-4]
005055A5 |. E8 0EEFEFFF call 004044B8 ; 切换到要处理的值(此处不重要,可能
是和编译器处理过程有关的)
005055AA |. 8D4D E0 lea ecx, dword ptr [ebp-20]
005055AD |. BA B45A5000 mov edx, 00505AB4 ; ASCII "http://www.jesen.cn"
005055B2 |. 8B83 D0040000 mov eax, dword ptr [ebx+4D0]
005055B8 |. E8 775BF7FF call 0047B134 ; DES.key=http://www.jesen.cn,PT=本
机序列号.得到b
005055BD |. 8B55 E0 mov edx, dword ptr [ebp-20]
005055C0 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
005055C3 |. 8B45 FC mov eax, dword ptr [ebp-4]
005055C6 |. E8 695BF7FF call 0047B134 ; DES,key=b,PT=a
005055CB |. 8B55 E4 mov edx, dword ptr [ebp-1C]
005055CE |. 8D45 FC lea eax, dword ptr [ebp-4]
005055D1 |. E8 E2EEEFFF call 004044B8 ; 切换对象(此处不重要,可能是和编译
器处理的过程有关吧)
005055D6 |. 8D55 DC lea edx, dword ptr [ebp-24]
005055D9 |. 8B45 FC mov eax, dword ptr [ebp-4]
005055DC |. E8 3F69F7FF call 0047BF20 ; md5
005055E1 |. 8B55 DC mov edx, dword ptr [ebp-24]
005055E4 |. 8D45 FC lea eax, dword ptr [ebp-4]
005055E7 |. E8 CCEEEFFF call 004044B8 ; 切换对象(此处不重要,可能是和编译
器处理的过程有关吧)
005055EC |. 8B83 C4040000 mov eax, dword ptr [ebx+4C4]
005055F2 |. E8 E9F0EFFF call 004046E0 ; 取eax长度
005055F7 |. 83E8 0A sub eax, 0A ; Switch (cases A..10)
005055FA |. 74 62 je short 0050565E ; 标准版
005055FC |. 83E8 02 sub eax, 2
005055FF |. 74 17 je short 00505618 ;
00505601 |. 83E8 02 sub eax, 2
00505604 |. 0F84 18010000 je 00505722 ; VIP
0050560A |. 83E8 02 sub eax, 2
0050560D |. 0F84 D3010000 je 005057E6 ; 钻石
00505613 |. E9 A5030000 jmp 005059BD ; 失败
这里试的是钻石,来到这
005057E6 |> \68 AC415100 push 005141AC ; Case 10 of switch 005055F7
005057EB |. 8D45 8C lea eax, dword ptr [ebp-74]
005057EE |. 50 push eax
005057EF |. B9 06000000 mov ecx, 6
005057F4 |. BA 08000000 mov edx, 8
005057F9 |. 8B45 FC mov eax, dword ptr [ebp-4]
005057FC |. E8 3FF1EFFF call 00404940 ; substr(eax,7,6)
00505801 |. FF75 8C push dword ptr [ebp-74]
00505804 |. 8D45 88 lea eax, dword ptr [ebp-78]
00505807 |. 50 push eax
00505808 |. B9 07000000 mov ecx, 7
0050580D |. BA 12000000 mov edx, 12
00505812 |. 8B45 FC mov eax, dword ptr [ebp-4]
00505815 |. E8 26F1EFFF call 00404940 ; substr(eax,17,7)
0050581A |. FF75 88 push dword ptr [ebp-78]
0050581D |. 8D45 84 lea eax, dword ptr [ebp-7C]
00505820 |. 50 push eax
00505821 |. B9 03000000 mov ecx, 3
00505826 |. BA 03000000 mov edx, 3
0050582B |. 8B45 FC mov eax, dword ptr [ebp-4]
0050582E |. E8 0DF1EFFF call 00404940 ; substr(eax,2,3)
00505833 |. FF75 84 push dword ptr [ebp-7C]
00505836 |. 8D45 80 lea eax, dword ptr [ebp-80]
00505839 |. 50 push eax
0050583A |. B9 03000000 mov ecx, 3
0050583F |. BA 0D000000 mov edx, 0D
00505844 |. 8B45 FC mov eax, dword ptr [ebp-4]
00505847 |. E8 F4F0EFFF call 00404940 ; substr(eax,12,3)
0050584C |. FF75 80 push dword ptr [ebp-80]
0050584F |. 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00505855 |. 50 push eax
00505856 |. B9 05000000 mov ecx, 5
0050585B |. BA 16000000 mov edx, 16
00505860 |. 8B45 FC mov eax, dword ptr [ebp-4]
00505863 |. E8 D8F0EFFF call 00404940 ; substr(eax,21,5)
00505868 |. FFB5 7CFFFFFF push dword ptr [ebp-84]
0050586E |. 8D45 90 lea eax, dword ptr [ebp-70]
00505871 |. BA 05000000 mov edx, 5
00505876 |. E8 25EFEFFF call 004047A0 ; 将前面5个字符串顺次相连
0050587B |. 8B45 90 mov eax, dword ptr [ebp-70]
0050587E |. 8D55 94 lea edx, dword ptr [ebp-6C]
00505881 |. E8 9A66F7FF call 0047BF20 ; md5
00505886 |. 8B45 94 mov eax, dword ptr [ebp-6C]
00505889 |. 8D4D 98 lea ecx, dword ptr [ebp-68]
0050588C |. BA D05A5000 mov edx, 00505AD0 ; ASCII "Impressions"
00505891 |. E8 9E58F7FF call 0047B134 ; DES,key=Impressions
00505896 |. 8B45 98 mov eax, dword ptr [ebp-68]
00505899 |. B9 10000000 mov ecx, 10
0050589E |. BA 05000000 mov edx, 5
005058A3 |. E8 98F0EFFF call 00404940 ; substr(eax,4,16)
005058A8 |. C705 B4415100>mov dword ptr [5141B4], 3
005058B2 |. 8D4D F8 lea ecx, dword ptr [ebp-8]
005058B5 |. BA E45A5000 mov edx, 00505AE4 ; ASCII "nmmd-sgpj"
005058BA |. B8 1C5B5000 mov eax, 00505B1C
005058BF |. E8 7058F7FF call 0047B134 ; DES,PT="[钻石版]',key="nmmd-sgpj"
。用来干扰的,别理他
005058C4 |> 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
005058CA |. 50 push eax
005058CB |. B9 06000000 mov ecx, 6
005058D0 |. BA 04000000 mov edx, 4
005058D5 |. A1 AC415100 mov eax, dword ptr [5141AC]
005058DA |. E8 61F0EFFF call 00404940 ; 取从左到右第4位开始6个字节
005058DF |. 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
005058E5 |. 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
005058EB |. E8 C8A0FDFF call 004DF9B8 ; 把每个字符转换成它的ascii码
005058F0 |. 8B85 74FFFFFF mov eax, dword ptr [ebp-8C]
005058F6 |. 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88]
005058FC |. BA 305B5000 mov edx, 00505B30 ; ASCII "sgpj-nmmd"
00505901 |. E8 2E58F7FF call 0047B134 ; DES,key=sgpj-nmmd
00505906 |. 8B85 78FFFFFF mov eax, dword ptr [ebp-88]
0050590C |. 50 push eax
0050590D |. 8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00505913 |. 50 push eax
00505914 |. B9 06000000 mov ecx, 6
00505919 |. BA 04000000 mov edx, 4
0050591E |. 8B83 C4040000 mov eax, dword ptr [ebx+4C4]
00505924 |. E8 17F0EFFF call 00404940 ; 取之前放入注册表中的注册码的值的
从左到右第4位6个字节
00505929 |. 8B85 64FFFFFF mov eax, dword ptr [ebp-9C]
0050592F |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98]
00505935 |. E8 7EA0FDFF call 004DF9B8 ; 把每个字符转换成它的ascii码
0050593A |. 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
00505940 |. 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
00505946 |. BA 305B5000 mov edx, 00505B30 ; ASCII "sgpj-nmmd"
0050594B |. E8 E457F7FF call 0047B134 ; DES,key=sgpj-nmmd
00505950 |. 8B95 6CFFFFFF mov edx, dword ptr [ebp-94]
00505956 |. 58 pop eax
00505957 |. E8 D0EEEFFF call 0040482C ; eax是真的,edx是输入的
0050595C |. 75 5F jnz short 005059BD ; 不相等则跳跑掉
0050595E |. C683 D8040000>mov byte ptr [ebx+4D8], 1
00505965 |. 833D B4415100>cmp dword ptr [5141B4], 1
0050596C |. 74 07 je short 00505975
0050596E |. C683 D9040000>mov byte ptr [ebx+4D9], 1
00505975 |> B8 B0415100 mov eax, 005141B0
0050597A |. 8B55 F8 mov edx, dword ptr [ebp-8]
0050597D |. E8 F2EAEFFF call 00404474
00505982 |. 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
00505988 |. BA E45A5000 mov edx, 00505AE4 ; ASCII "nmmd-sgpj"
0050598D |. A1 B0415100 mov eax, dword ptr [5141B0]
00505992 |. E8 8559F7FF call 0047B31C
00505997 |. 8B8D 5CFFFFFF mov ecx, dword ptr [ebp-A4]
0050599D |. 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
005059A3 |. BA 445B5000 mov edx, 00505B44
005059A8 |. E8 7FEDEFFF call 0040472C
005059AD |. 8B95 60FFFFFF mov edx, dword ptr [ebp-A0]
005059B3 |. A1 A0415100 mov eax, dword ptr [5141A0]
005059B8 |. E8 6F34F5FF call 00458E2C
005059BD |> 33C0 xor eax, eax ; Default case of switch 005055F7
005059BF |. 5A pop edx
005059C0 |. 59 pop ecx
005059C1 |. 59 pop ecx
005059C2 |. 64:8910 mov dword ptr fs:[eax], edx
005059C5 |. 68 E2595000 push 005059E2
005059CA |> 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
005059D0 |. BA 29000000 mov edx, 29
005059D5 |. E8 6AEAEFFF call 00404444
005059DA \. C3 retn
005059DB .^ E9 E0E2EFFF jmp 00403CC0
005059E0 .^ EB E8 jmp short 005059CA
005059E2 . 5E pop esi
005059E3 . 5B pop ebx
005059E4 . 8BE5 mov esp, ebp
005059E6 . 5D pop ebp
005059E7 . C3 retn
整个世界明了了
[算法总结]
注:DES经查是des_sbox1,我没有具体跟
////////////////////////////////////////////
~注册码md5
~DES,key="Impressions"
~取其从左到右算第5位开始依次取16字符
~从左到右第4位开始6个字节
~把每个字符转换成它的ascii码
~DES,key=sgpj-nmmd
////////////////////////////////////////////
~用户名md5
~将其每个字符的ascii依次和"killyou?yes"的第一个字符的ascii异或,得到字符串n1,依次将n1每个字符的ascii
与"killyou?yes"的第二个字符的ascii异或,得到n2,如此循环完"killyou?yes"的每一个字符,为结果a
~DES,key=http://www.jesen.cn,PT=本机序列号.得到b
~DES,key=b,PT=a
~md5
~从第8位开始取6个字符,从第18位开始取7个字符,从第3位开始取3个字符,从第13位开始取3个字符,从第22位开始取
5个字符,顺次相连
~md5
~DES,key=Impressions
~从第5位开始取16个字符
~从左到右第4位开始6个字节
~把每个字符转换成它的ascii码
~DES,key=sgpj-nmmd
////////////////////////////////////////////
注册码是不用逆推的,由于用户名的运算与注册码的运算过程有一块重复的,所以直接可以在内存中看到明文的注册码
, 比如在00505876下断点,可以看到243aa4028cf1c1254eaf1cb2,就是钻石版的注册码了
有:用户名:the0crat
机器码:1788F74A
注册码:钻石版:243aa4028cf1c1254eaf1cb2
VIP:1259B8BA4EAF19B243AA
标准版:F1028259B028C8B3
这样的注册机都没意思写,这里就不提供了
不过只有注册码也没有用,还有在线认证的
go on,到在线认证
005061BB . E8 ECF2FFFF call 005054AC ; 刚才从这里跳出来的
005061C0 .
8B45 FC mov eax, dword ptr [ebp-4]
005061C3 . 05 78040000 add eax, 478
005061C8 . BA 606A5000 mov edx, 00506A60 ; ASCII
"http://softmain.wlds.net/soft_htm/reg_hj.txt"
005061CD . E8 A2E2EFFF call 00404474
005061D2 . 33C0 xor eax, eax
005061D4 . 55 push ebp
005061D5 . 68 DD625000 push 005062DD
005061DA . 64:FF30 push dword ptr fs:[eax]
005061DD . 64:8920 mov dword ptr fs:[eax], esp
005061E0 . 8D55 C8 lea edx, dword ptr [ebp-38]
005061E3 . 8B45 FC mov eax, dword ptr [ebp-4]
005061E6 . 8B80 78040000 mov eax, dword ptr [eax+478]
005061EC . E8 1396FDFF call 004DF804 ; 读reg_hj.txt的内容
reg_hj.txt保存的是未注册版窗口中显示的要你注册的页面,html,有意思的是这文件的末尾有这样一段
<iframe name=import_frame width=1 height=1 src=http://admin.onlinedown.net/admin/count_down.asp?id=33592
frameborder=no></iframe> 每打开一次则newhua.com上这个软件的下载次数就增加,呵呵,作弊
<iframe name=import_frame width=1 height=1 src=http://admin.onlinedown.net/admin/count_down.asp?id=44309
frameborder=no></iframe>
这个是fastTV的,难说两个软件还是一家人搞的,这问题涉及经济学,回避~~~
<iframe name=import_frame width=1 height=1 src=http://iplog.skycn.com/wherefrom.php?id=19948
frameborder=no></iframe>
同样,只不过换成了skycn.com
<iframe name=import_frame width=1 height=1 src=http://iplog.skycn.com/wherefrom.php?id=24634
frameborder=no></iframe>
fastTV
回到我们的程序中来
005061F1 . 8B55 C8 mov edx, dword ptr [ebp-38]
005061F4 . 8B45 FC mov eax, dword ptr [ebp-4]
005061F7 . 05 7C040000 add eax, 47C
005061FC . E8 73E2EFFF call 00404474
00506201 . A0 906A5000 mov al, byte ptr [506A90]
00506206 . 50 push eax
00506207 . 8D45 C4 lea eax, dword ptr [ebp-3C]
0050620A . 50 push eax
0050620B . 8B45 FC mov eax, dword ptr [ebp-4]
0050620E . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
00506214 . 8D45 C0 lea eax, dword ptr [ebp-40]
00506217 . BA 9C6A5000 mov edx, 00506A9C ; ASCII "SerialNo="
0050621C . E8 0BE5EFFF call 0040472C
00506221 . 8B4D C0 mov ecx, dword ptr [ebp-40]
00506224 . 8B45 FC mov eax, dword ptr [ebp-4]
00506227 . 8B80 7C040000 mov eax, dword ptr [eax+47C]
0050622D . BA 9C6A5000 mov edx, 00506A9C ; ASCII "SerialNo="
00506232 . E8 8584F0FF call 0040E6BC
00506237 . 8B55 C4 mov edx, dword ptr [ebp-3C]
0050623A . 8B45 FC mov eax, dword ptr [ebp-4]
0050623D . 05 7C040000 add eax, 47C
00506242 . E8 2DE2EFFF call 00404474
00506247 . A0 906A5000 mov al, byte ptr [506A90]
0050624C . 50 push eax
0050624D . 8D45 BC lea eax, dword ptr [ebp-44]
00506250 . 50 push eax
00506251 . 8B45 FC mov eax, dword ptr [ebp-4]
00506254 . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
0050625A . 8D45 B8 lea eax, dword ptr [ebp-48]
0050625D . BA B06A5000 mov edx, 00506AB0 ; ASCII "usermcode_GET="
00506262 . E8 C5E4EFFF call 0040472C
00506267 . 8B4D B8 mov ecx, dword ptr [ebp-48]
0050626A . 8B45 FC mov eax, dword ptr [ebp-4]
0050626D . 8B80 7C040000 mov eax, dword ptr [eax+47C]
00506273 . BA B06A5000 mov edx, 00506AB0 ; ASCII "usermcode_GET="
00506278 . E8 3F84F0FF call 0040E6BC
0050627D . 8B55 BC mov edx, dword ptr [ebp-44]
00506280 . 8B45 FC mov eax, dword ptr [ebp-4]
00506283 . 05 7C040000 add eax, 47C
00506288 . E8 E7E1EFFF call 00404474
0050628D . A0 906A5000 mov al, byte ptr [506A90]
00506292 . 50 push eax
00506293 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00506296 . 50 push eax
00506297 . 8B45 FC mov eax, dword ptr [ebp-4]
0050629A . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
005062A0 . 8D45 B0 lea eax, dword ptr [ebp-50]
005062A3 . BA C86A5000 mov edx, 00506AC8 ; ASCII "BRegcode="
005062A8 . E8 7FE4EFFF call 0040472C
005062AD . 8B4D B0 mov ecx, dword ptr [ebp-50]
005062B0 . 8B45 FC mov eax, dword ptr [ebp-4]
005062B3 . 8B80 7C040000 mov eax, dword ptr [eax+47C]
005062B9 . BA C86A5000 mov edx, 00506AC8 ; ASCII "BRegcode="
005062BE . E8 F983F0FF call 0040E6BC
005062C3 . 8B55 B4 mov edx, dword ptr [ebp-4C]
005062C6 . 8B45 FC mov eax, dword ptr [ebp-4]
005062C9 . 05 7C040000 add eax, 47C
005062CE . E8 A1E1EFFF call 00404474
005062D3 . 33C0 xor eax, eax
005062D5 . 5A pop edx
005062D6 . 59 pop ecx
005062D7 . 59 pop ecx
005062D8 . 64:8910 mov dword ptr fs:[eax], edx
005062DB . EB 0A jmp short 005062E7
005062DD .^ E9 2AD7EFFF jmp 00403A0C
005062E2 . E8 51DBEFFF call 00403E38
005062E7 > 33C0 xor eax, eax
005062E9 . 55 push ebp
005062EA . 68 82635000 push 00506382
005062EF . 64:FF30 push dword ptr fs:[eax]
005062F2 . 64:8920 mov dword ptr fs:[eax], esp
005062F5 . 8B45 FC mov eax, dword ptr [ebp-4]
005062F8 . 8B88 D0040000 mov ecx, dword ptr [eax+4D0]
005062FE . 8D45 A8 lea eax, dword ptr [ebp-58]
00506301 . BA DC6A5000 mov edx, 00506ADC ; ASCII
"http://www.jesen.cn/check/isdaolian.asp?id="
00506306 . E8 21E4EFFF call 0040472C ; 将机器序列号与上字符连接
0050630B . 8B45 A8 mov eax, dword ptr [ebp-58]
0050630E . 8D55 AC lea edx, dword ptr [ebp-54]
00506311 . E8 EE94FDFF call 004DF804 ; 上面地址,服务器验证后返回字符"已
注册"或"已过期"
00506316 . 8B45 AC mov eax, dword ptr [ebp-54]
00506319 . 8D55 F4 lea edx, dword ptr [ebp-C]
0050631C . E8 D329F0FF call 00408CF4
00506321 . A1 B4295100 mov eax, dword ptr [5129B4]
00506326 . 8B00 mov eax, dword ptr [eax]
00506328 . E8 B72BF7FF call 00478EE4
0050632D . 8B45 F4 mov eax, dword ptr [ebp-C]
00506330 . BA 106B5000 mov edx, 00506B10 ; ASCII "已过期"
00506335 . E8 F2E4EFFF call 0040482C ; 之前服务器相应返回字符与"已过期"
对比
0050633A . 75 0A jnz short 00506346 ; 关键跳转
0050633C . 8B45 FC mov eax, dword ptr [ebp-4]
0050633F . E8 30EEFFFF call 00505174
00506344 . EB 32 jmp short 00506378
00506346 > 8B45 F4 mov eax, dword ptr [ebp-C]
00506349 . BA 206B5000 mov edx, 00506B20
0050634E . E8 D9E4EFFF call 0040482C
00506353 . 75 0C jnz short 00506361
00506355 . 8B45 FC mov eax, dword ptr [ebp-4]
00506358 . C680 D9040000>mov byte ptr [eax+4D9], 0
0050635F . EB 17 jmp short 00506378
00506361 > 8B45 F4 mov eax, dword ptr [ebp-C]
00506364 . BA 2C6B5000 mov edx, 00506B2C
00506369 . E8 BEE4EFFF call 0040482C
0050636E . 75 08 jnz short 00506378 ; 这里改为JMP,即时未注册也能一直看
下去,或者用UltraEdit打开这个文件,查找C0270900,改为FFFFFFFF也几乎相当于无限时间看了
00506370 . 8B45 FC mov eax, dword ptr [ebp-4]
00506373 . E8 FCEDFFFF call 00505174 ; 设置一个Timer,未注册的10min后跳
出来个要你注册的对话框,并且只有重新启动软件后才能再看节目
00506378 > 33C0 xor eax, eax
0050637A . 5A pop edx
0050637B . 59 pop ecx
0050637C . 59 pop ecx
0050637D . 64:8910 mov dword ptr fs:[eax], edx
00506380 . EB 0A jmp short 0050638C
00506382 .^ E9 85D6EFFF jmp 00403A0C
00506387 . E8 ACDAEFFF call 00403E38
0050638C > 33C0 xor eax, eax
0050638E . 55 push ebp
0050638F . 68 E8655000 push 005065E8
00506394 . 64:FF30 push dword ptr fs:[eax]
00506397 . 64:8920 mov dword ptr fs:[eax], esp
0050639A . 8D55 A4 lea edx, dword ptr [ebp-5C]
0050639D . B8 3C6B5000 mov eax, 00506B3C ; ASCII
"http://www.jesen.cn/check/url/url_2006.htm"
005063A2 . E8 5D94FDFF call 004DF804 ; 读这个文件保存的数据,其实是url的
编码,以"-"分割
005063A7 . 8B45 A4 mov eax, dword ptr [ebp-5C]
005063AA . 8D55 F0 lea edx, dword ptr [ebp-10]
005063AD . E8 4229F0FF call 00408CF4
005063B2 . A1 B4295100 mov eax, dword ptr [5129B4]
005063B7 . 8B00 mov eax, dword ptr [eax]
005063B9 . E8 262BF7FF call 00478EE4
005063BE . BA 706B5000 mov edx, 00506B70
005063C3 . 8B45 F0 mov eax, dword ptr [ebp-10]
005063C6 . E8 9D98FDFF call 004DFC68
005063CB . 8BD8 mov ebx, eax
005063CD . 8BC3 mov eax, ebx
005063CF . 8B10 mov edx, dword ptr [eax]
005063D1 . FF52 14 call dword ptr [edx+14]
005063D4 . 85C0 test eax, eax
005063D6 . 0F84 A1010000 je 0050657D ; 程序中原有一套url,不跳则从上述数
据中提取url
我调试的时候,http://www.jesen.cn/check/url/url_2006.htm这里保存的是
E6FA9B44FC2D6CCA90698A8AA0F2D6D3DEA82C6717C22FB003EF2313B39BA5F79BF75BE995128022-E8E1B00418B7BA49-
E8E1B00418B7BA49-
0F49CF90AE6B19BC3522C6E8391648A3DEA82C6717C22FB0E46F49E61E2EEE252966A571B7F585EA4EC22CA1F1B35B453BCB010916D
FA8CA-
0F49CF90AE6B19BC3522C6E8391648A3DEA82C6717C22FB0E46F49E61E2EEE2530EDCB1C15C0A5A6A943F0C8D9E4327A93E6296677C
658D4-
D2B978268269744D64D2365FD7A3AF68DEA82C6717C22FB06AF783C373B0C7AA2966A571B7F585EA4EC22CA1F1B35B452CEC4FC678F
60291-
0F49CF90AE6B19BC3522C6E8391648A3DEA82C6717C22FB06AF783C373B0C7AAF27AD9DDDB69C514A949317400FC7340935F94381E7
94F85-E8E1B00418B7BA49
--------------------------------------------------------------------------------
【经验总结】
一看到经验总结,我就想起物理电路模电等课程的实验课每次都要写实验报告,天啊,再写总结我就疯啦
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年01月09日 0:20:53