【Title】: resscope 1.92
【Author】: wxxw
【Software】: resscope 1.92
【Protection】: no packer
【Language】: Delphi 2006
【Tools】: PEiD 0.95, DeDe, OllyDbg 1.10
【Platform】: XP SP3
【Software intro】: needs no introduction
【Author's note】: Purely out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
I forget where I downloaded it from; the version is 1.92. It is quite convenient and intuitive for viewing a program's resources, but unfortunately, without registration, changes cannot be saved. Later I switched to ResHacker, which is less intuitive but edits through scripts, which is also convenient and direct. Still, ResScope kept nagging at me, so I took some spare time to look into it.
First click "Register", enter a user name and registration code in the dialog that pops up, and click OK; it prompts you to restart ResScope. Obviously the registration information is saved in a file or in the registry and verified on restart. I saw no suspicious files in the program directory, so I opened the registry and sure enough found the information under HKEY_LOCAL_MACHINE\SOFTWARE\RESTOOLS\ResScope. I loaded the program in OD, set a breakpoint on the imported function RegQueryValueExA, pressed F9 to run, and it broke, but after tracing for ages I still could not find where the comparison is handled. Baffled....
Searching the forum's best-of collection, I found an article in Collection 4 by decolor2001 on cracking ResScope 1.35. That gave me an idea: first use DeDe to locate the handler code for the "Export Resource" menu item, shown below:
Code:
005378A8 $ 55 PUSH EBP
005378A9 . 8BEC MOV EBP,ESP
005378AB . 33C9 XOR ECX,ECX
005378AD . 51 PUSH ECX
005378AE . 51 PUSH ECX
005378AF . 51 PUSH ECX
005378B0 . 51 PUSH ECX
005378B1 . 51 PUSH ECX
005378B2 . 51 PUSH ECX
005378B3 . 51 PUSH ECX
005378B4 . 53 PUSH EBX
005378B5 . 56 PUSH ESI
005378B6 . 57 PUSH EDI
005378B7 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
005378BA . 33C0 XOR EAX,EAX
005378BC . 55 PUSH EBP
005378BD . 68 107C5300 PUSH ResScope.00537C10
005378C2 . 64:FF30 PUSH DWORD PTR FS:[EAX]
005378C5 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
005378C8 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005378CB . 80B8 280C0000>CMP BYTE PTR DS:[EAX+C28],0
005378D2 . 75 38 JNZ SHORT ResScope.0053790C
...
Since saving resources still fails, maybe I had not found the real source. [EAX+C28] holds the registered-or-not flag, so reload the program and try a memory breakpoint on the contents of [EAX+C28]. Note that the address may not exist yet at start-up; on my machine it is 00FB578C. After loading the program, press F9 to run and a 0EEDFADE exception occurs (the program uses this exception in many places). At that point set a breakpoint on the code section in the memory map; once it breaks you will see the program has allocated memory: address=00FB0000, size=00008000 (32768.). Now set a memory-write breakpoint on 00FB578C and you arrive without trouble at the following code:
Code:
00535DAB |. E8 F058FEFF CALL ResScope.0051B6A0
00535DB0 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00535DB3 |. 8882 280C0000 MOV BYTE PTR DS:[EDX+C28],AL
Code:
0051B6EB . B1 01 MOV CL,1
0051B6ED . BA DCB85100 MOV EDX,ResScope.0051B8DC ; ASCII "SOFTWARE\RESTOOLS\ResScope"
0051B6F2 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0051B6F5 . E8 DEA2F2FF CALL ResScope.004459D8 ; check whether registration info exists under ResScope
0051B6FA . 84C0 TEST AL,AL
0051B6FC . 0F84 86010000 JE ResScope.0051B888
0051B702 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0051B705 . E8 0E8FEEFF CALL ResScope.00404618
0051B70A . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0051B70D . E8 068FEEFF CALL ResScope.00404618
0051B712 . BA 00B95100 MOV EDX,ResScope.0051B900 ; ASCII "reguser"
0051B717 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0051B71A . E8 05A7F2FF CALL ResScope.00445E24 ; check whether the user name is empty
0051B71F . 84C0 TEST AL,AL
0051B721 . 74 10 JE SHORT ResScope.0051B733
0051B723 . 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
0051B726 . BA 00B95100 MOV EDX,ResScope.0051B900 ; ASCII "reguser"
0051B72B . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0051B72E . E8 9DA5F2FF CALL ResScope.00445CD0 ; read the user name
0051B733 > BA 10B95100 MOV EDX,ResScope.0051B910 ; ASCII "regcode"
0051B738 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0051B73B . E8 E4A6F2FF CALL ResScope.00445E24 ; check whether the registration code is empty
0051B740 . 84C0 TEST AL,AL
0051B742 . 74 10 JE SHORT ResScope.0051B754
0051B744 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0051B747 . BA 10B95100 MOV EDX,ResScope.0051B910 ; ASCII "regcode"
0051B74C . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0051B74F . E8 7CA5F2FF CALL ResScope.00445CD0 ; read the registration code
0051B754 > 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0051B757 . E8 7C91EEFF CALL ResScope.004048D8 ; get the length of the registration code
0051B75C . 83F8 30 CMP EAX,30 ; the registration code must be 30h = 48 characters long
0051B75F . 0F85 23010000 JNZ ResScope.0051B888
0051B765 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0051B768 . E8 6B91EEFF CALL ResScope.004048D8 ; get the length of the user name
0051B76D . 85C0 TEST EAX,EAX
0051B76F . 0F8E 13010000 JLE ResScope.0051B888
0051B775 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0051B778 . 50 PUSH EAX
0051B779 . B1 01 MOV CL,1
0051B77B . B2 01 MOV DL,1
0051B77D . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; EAX holds the user name
0051B780 . E8 E7E8FFFF CALL ResScope.0051A06C ; transform the data
0051B785 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0051B788 . 50 PUSH EAX
0051B789 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0051B78C . B2 01 MOV DL,1
0051B78E . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0051B791 . E8 02DBFFFF CALL ResScope.00519298 ; transform the data
0051B796 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0051B799 . 58 POP EAX
0051B79A . E8 8592EEFF CALL ResScope.00404A24 ; compare the data
0051B79F . 75 04 JNZ SHORT ResScope.0051B7A5
0051B7A1 . C645 FF 01 MOV BYTE PTR SS:[EBP-1],1 ; if the data match, store 1
.....
0051B8C7 . 8A45 FF MOV AL,BYTE PTR SS:[EBP-1] ; return the registered-or-not flag in AL
0051B8CA . 5F POP EDI
0051B8CB . 5E POP ESI
0051B8CC . 5B POP EBX
0051B8CD . 8BE5 MOV ESP,EBP
0051B8CF . 5D POP EBP
0051B8D0 . C3 RETN
0051A629,0051A93D,0051AA61,0051AB85,0051ADA4,0051AFC3
The CALL 0051A06C at 0051B780 triggers several 0EEDFADE exceptions, which in turn call 00519646, 00519957, 00519B74, 00519C95 and 00519EB2.
The CALL 00404A24 at 0051B79A is the block that compares whether two pieces of data are equal.
The data algorithm above is too complex; I will study it later. First let's see how to patch it. 0051B79A should be the source we are looking for. I changed the JNZ 0051B7A5 at 0051B79F to JMP 0051B7A1, but when run the error remains: it shows as registered, but changes still cannot be saved normally. Looks like wasted effort...
Still not reconciled, I continued analysing the "Export Resource" menu handler code from above further down:
Code:
005378CB . 80B8 280C0000>CMP BYTE PTR DS:[EAX+C28],0
005378D2 . 75 38 JNZ SHORT ResScope.0053790C
.......
00537B26 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00537B29 . 8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
00537B2F . 83C0 60 ADD EAX,60
00537B32 . E8 A9CDECFF CALL ResScope.004048E0
00537B37 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00537B3A . 8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
.......
00537BAD . 55 PUSH EBP
00537BAE . 68 D47B5300 PUSH ResScope.00537BD4
00537BB3 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00537BB6 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00537BB9 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00537BBC . 8B80 B40A0000 MOV EAX,DWORD PTR DS:[EAX+AB4]
00537BC2 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00537BC5 . E8 8AB8FFFF CALL ResScope.00533454
Code:
00533454 $ 55 PUSH EBP
00533455 . 8BEC MOV EBP,ESP
00533457 . 33C9 XOR ECX,ECX
00533459 . 51 PUSH ECX
0053345A . 51 PUSH ECX
0053345B . 51 PUSH ECX
0053345C . 51 PUSH ECX
0053345D . 53 PUSH EBX
0053345E . 56 PUSH ESI
0053345F . 57 PUSH EDI
00533460 . 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00533463 . 8BF0 MOV ESI,EAX
00533465 . 33C0 XOR EAX,EAX
00533467 . 55 PUSH EBP
00533468 . 68 51355300 PUSH ResScope.00533551
0053346D . 64:FF30 PUSH DWORD PTR FS:[EAX]
00533470 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00533473 . 33C0 XOR EAX,EAX
00533475 . 55 PUSH EBP
00533476 . 68 D7345300 PUSH ResScope.005334D7
0053347B . 64:FF30 PUSH DWORD PTR FS:[EAX]
0053347E . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00533481 . 8B46 30 MOV EAX,DWORD PTR DS:[ESI+30] ; ESI is 0, which causes the exception
00533484 . 8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
0053348A . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0053348C . FF52 3C CALL DWORD PTR DS:[EDX+3C]
0053348F . 84C0 TEST AL,AL
00533491 . 74 3A JE SHORT ResScope.005334CD
00533493 . 8B7E 30 MOV EDI,DWORD PTR DS:[ESI+30]
00533496 . 8B87 0C0C0000 MOV EAX,DWORD PTR DS:[EDI+C0C]
0053349C . 8378 44 00 CMP DWORD PTR DS:[EAX+44],0
005334A0 . 74 2B JE SHORT ResScope.005334CD
005334A2 . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005334A5 . 8B87 0C030000 MOV EAX,DWORD PTR DS:[EDI+30C]
005334AB . E8 1851F0FF CALL ResScope.004385C8
005334B0 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005334B3 . 50 PUSH EAX
005334B4 . 8B46 30 MOV EAX,DWORD PTR DS:[ESI+30]
005334B7 . 8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
Code:
00535EFB . 55 PUSH EBP
00535EFC . 68 375F5300 PUSH ResScope.00535F37
00535F01 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00535F04 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00535F07 . 8D85 C8FEFFFF LEA EAX,DWORD PTR SS:[EBP-138]
00535F0D . E8 7A30FEFF CALL ResScope.00518F8C
00535F12 . 8B95 C8FEFFFF MOV EDX,DWORD PTR SS:[EBP-138]
00535F18 . A1 6C605700 MOV EAX,DWORD PTR DS:[57606C]
00535F1D . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00535F1F . E8 4405EFFF CALL ResScope.00426468 ; return value
00535F24 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00535F27 . 8982 B40A0000 MOV DWORD PTR DS:[EDX+AB4],EAX ; store it
Browsing through the code, I happened to notice that the following pair of instructions appears many times in the program:
MOV EAX,DWORD PTR SS:[EBP-4] ; [EBP-4] holds FB4CC0
MOV EAX,DWORD PTR DS:[EAX+30C]
Could it be that the value in EAX at 00533484 . 8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C] is also FB4CC0? I tried it with that idea in mind and it actually worked!!!
Then I studied the "Save File As" menu code and arrived at the similarly structured code below:
Code:
...
00548927 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0054892A . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054892D . 80B8 280C0000>CMP BYTE PTR DS:[EAX+C28],0 ; check whether registered
00548934 . /75 38 JNZ SHORT ResScope.0054896E
....
00548AA3 . 55 PUSH EBP
00548AA4 . 68 C78A5400 PUSH ResScope.00548AC7
00548AA9 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00548AAC . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00548AAF . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00548AB2 . 8B80 B40A0000 MOV EAX,DWORD PTR DS:[EAX+AB4] ; read the data structure pointer
00548AB8 . E8 AFA8FEFF CALL ResScope.0053336C
...
00533396 . 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00533399 . 8B73 30 MOV ESI,DWORD PTR DS:[EBX+30]
0053339C . 8B86 840A0000 MOV EAX,DWORD PTR DS:[ESI+A84]
The final patching procedure is as follows:
Find every occurrence of 8B80 B40A0000 MOV EAX,DWORD PTR DS:[EAX+AB4] and NOP it out, then enter the CALL below it and change the 30 in [ESI+30], [EBX+30] ... to 3C.
The places NOPed out are 00537BBC, 0053EE43, 0053F335 and 00548AB2.
The places changed to 3C are 00533481, 00533493, 005334B4, 0053358E and 00533399.
Heh, saving now works normally. Good luck!
2010.3.23
Now let's look at the algorithm.
Run the program; the first exception calls 0051B442, which is related to handling the user ID, e.g. mine is EL62E8TN9929FIFF or DF62L8ET9929FNFF (strangely, it is not fixed).
Set a breakpoint at 0051B79A . E8 8592EEFF CALL ResScope.00404A24; the addresses of the two data blocks being compared turn out to be 00FF4F80 (EAX) and 0101C990 (EDX), with size 18h (24).
Looking at the data at these two addresses, you will find that
0051B780 . E8 E7E8FFFF CALL ResScope.0051A06C processes the user name; after the last exception it invokes, 0051AFC3, the data at 00FF4F80 changes;
0051B791 . E8 02DBFFFF CALL ResScope.00519298 processes the registration code; after the last exception it invokes, 00519EB2, the data at 0101C990 changes.
Setting a memory-write breakpoint on 00FF4F80 before the exception handler 0051AFC3 is called breaks at
00402AA9 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
where ESI is the stack address 0012FBA4; looking at the stack, you can see that the two adjacent blocks at 0012FB8C and 0012FBA4 hold identical data, 24 bytes in size.
Reload the program, lock the stack window on 0012FB8C, and you can see that all six exception handlers called inside CALL 0051A06C transform the data at that stack location.
In the same way, you find that the exception handlers called inside CALL ResScope.00519298 transform the blocks at 0012FB84 and 0012FB9C, 24 bytes in size.
Now let's think about what to do. Since the data at 00FF4F80 depends on the user name (and possibly the user ID too), we leave it alone; we only need to find the process that handles the registration code, and then write a patch that takes the data at 00FF4F80 and runs the inverse computation.
Set a hardware write breakpoint on 0012FB84 (a memory breakpoint makes the program exit); it breaks at
00402A8F |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
This copies the data at 0012FB9C to 0012FB84. Set a hardware write breakpoint on 0012FB9C and you find the data comes from 0012FB08. Tracing all the way along, you arrive at 004E1EF6, with the following code:
Code:
004E1E89 |. 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
004E1E8C |. 0307 ADD EAX,DWORD PTR DS:[EDI]
004E1E8E |. E8 81FFFFFF CALL ResScope.004E1E14
004E1E93 |. 3145 00 XOR DWORD PTR SS:[EBP],EAX
004E1E96 |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
004E1E99 |. 0345 00 ADD EAX,DWORD PTR SS:[EBP]
004E1E9C |. E8 73FFFFFF CALL ResScope.004E1E14
004E1EA1 |. 3107 XOR DWORD PTR DS:[EDI],EAX
004E1EA3 |. 8B43 18 MOV EAX,DWORD PTR DS:[EBX+18]
004E1EA6 |. 0307 ADD EAX,DWORD PTR DS:[EDI]
004E1EA8 |. E8 67FFFFFF CALL ResScope.004E1E14
....
004E1F0E |. |3107 |XOR DWORD PTR DS:[EDI],EAX
004E1F10 |. |8B43 24 |MOV EAX,DWORD PTR DS:[EBX+24]
004E1F13 |. |0307 |ADD EAX,DWORD PTR DS:[EDI]
004E1F15 |. |E8 FAFEFFFF |CALL ResScope.004E1E14
004E1F1A |. |3145 00 |XOR DWORD PTR SS:[EBP],EAX
004E1F1D |. |8B43 20 |MOV EAX,DWORD PTR DS:[EBX+20]
004E1F20 |. |0345 00 |ADD EAX,DWORD PTR SS:[EBP]
004E1F23 |. |E8 ECFEFFFF |CALL ResScope.004E1E14
004E1F28 |. |3107 |XOR DWORD PTR DS:[EDI],EAX
004E1F2A |. |8B43 1C |MOV EAX,DWORD PTR DS:[EBX+1C]
004E1F2D |. |0307 |ADD EAX,DWORD PTR DS:[EDI]
004E1F2F |. |E8 E0FEFFFF |CALL ResScope.004E1E14
004E1F34 |. |3145 00 |XOR DWORD PTR SS:[EBP],EAX
004E1F37 |. |8B43 18 |MOV EAX,DWORD PTR DS:[EBX+18]
004E1F3A |. |0345 00 |ADD EAX,DWORD PTR SS:[EBP]
004E1F3D |. |E8 D2FEFFFF |CALL ResScope.004E1E14
004E1F42 |. |3107 |XOR DWORD PTR DS:[EDI],EAX
004E1F44 |. |8B43 14 |MOV EAX,DWORD PTR DS:[EBX+14]
004E1F47 |. |0307 |ADD EAX,DWORD PTR DS:[EDI]
004E1F49 |. |E8 C6FEFFFF |CALL ResScope.004E1E14
004E1F4E |. |3145 00 |XOR DWORD PTR SS:[EBP],EAX
004E1F51 |. |8B43 10 |MOV EAX,DWORD PTR DS:[EBX+10]
004E1F54 |. |0345 00 |ADD EAX,DWORD PTR SS:[EBP]
004E1F57 |. |E8 B8FEFFFF |CALL ResScope.004E1E14
004E1F5C |. |3107 |XOR DWORD PTR DS:[EDI],EAX
004E1F5E |. |4E |DEC ESI
004E1F5F |.^\75 95 \JNZ SHORT ResScope.004E1EF6
Code:
004E1E14 /$ 8BD0 MOV EDX,EAX
004E1E16 |. C1EA 18 SHR EDX,18 ; extract the first (highest) byte of EAX
004E1E19 |. 8B1495 E8F255>MOV EDX,DWORD PTR DS:[EDX*4+55F2E8] ; table lookup
004E1E20 |. 8BC8 MOV ECX,EAX
004E1E22 |. C1E9 10 SHR ECX,10
004E1E25 |. 81E1 FF000000 AND ECX,0FF ; extract the second byte of EAX
004E1E2B |. 33148D E8EE55>XOR EDX,DWORD PTR DS:[ECX*4+55EEE8] ; table lookup, XORed with the previous value
004E1E32 |. 8BC8 MOV ECX,EAX
004E1E34 |. C1E9 08 SHR ECX,8
004E1E37 |. 81E1 FF000000 AND ECX,0FF ; extract the third byte of EAX
004E1E3D |. 33148D E8EA55>XOR EDX,DWORD PTR DS:[ECX*4+55EAE8] ; table lookup, XORed with the previous value
004E1E44 |. 25 FF000000 AND EAX,0FF ; extract the fourth byte of EAX
004E1E49 |. 331485 E8E655>XOR EDX,DWORD PTR DS:[EAX*4+55E6E8] ; table lookup, XORed with the previous value
004E1E50 |. 8BC2 MOV EAX,EDX ; save the final result
004E1E52 \. C3 RETN
0012FB1C 004E1FB1 返回到 ResScope.004E1FB1 来自 ResScope.004E1E54
....
0012FB34 00519438 返回到 ResScope.00519438 来自 ResScope.004E1F8C
And 00519438 links up with the CALL ResScope.00519298 above that handles the registration code. That was working backwards; now let's go through it slowly from the start, in forward order:
Code:
00519298 $ 55 PUSH EBP
00519299 . 8BEC MOV EBP,ESP
0051929B . 81C4 64FFFFFF ADD ESP,-9C
......
005192E4 > 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; 005193BC jumps back here: loop that zeroes the 0012FB9C block (size 18h)
005192E7 . 83C0 01 ADD EAX,1
005192EA . 71 05 JNO SHORT ResScope.005192F1
005192EC . E8 33A4EEFF CALL ResScope.00403724
005192F1 > 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
005192F4 . 8B12 MOV EDX,DWORD PTR DS:[EDX]
005192F6 . 48 DEC EAX
005192F7 . 85D2 TEST EDX,EDX
005192F9 . 74 05 JE SHORT ResScope.00519300
005192FB . 3B42 FC CMP EAX,DWORD PTR DS:[EDX-4]
005192FE . 72 05 JB SHORT ResScope.00519305
00519300 > E8 17A4EEFF CALL ResScope.0040371C
00519305 > 40 INC EAX
00519306 . 8A4402 FF MOV AL,BYTE PTR DS:[EDX+EAX-1]
0051930A . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
0051930D . 8802 MOV BYTE PTR DS:[EDX],AL ; fill the data with 0
0051930F . 807D FB 00 CMP BYTE PTR SS:[EBP-5],0
00519313 . 0F84 99000000 JE ResScope.005193B2
00519319 . 837D F0 14 CMP DWORD PTR SS:[EBP-10],14
0051931D . 0F85 8F000000 JNZ ResScope.005193B2
.....
005193B2 > FF45 F0 INC DWORD PTR SS:[EBP-10]
005193B5 . FF45 E4 INC DWORD PTR SS:[EBP-1C]
005193B8 . 837D F0 18 CMP DWORD PTR SS:[EBP-10],18
005193BC .^ 0F85 22FFFFFF JNZ ResScope.005192E4
005193C2 . 68 E05A5700 PUSH ResScope.00575AE0 ; /Arg1 = 00575AE0
005193C7 . BA E85A5700 MOV EDX,ResScope.00575AE8 ; |
005193CC . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98] ; |
005193D2 . B9 20000000 MOV ECX,20 ; |
005193D7 . E8 3889FCFF CALL ResScope.004E1D14 ; get the initial data, at 0012FB64
005193DC . C745 F0 01000>MOV DWORD PTR SS:[EBP-10],1
005193E3 > 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005193E6 . 83E8 01 SUB EAX,1
005193E9 . 71 05 JNO SHORT ResScope.005193F0
005193EB . E8 34A3EEFF CALL ResScope.00403724
005193F0 > 6BC0 08 IMUL EAX,EAX,8
005193F3 . 71 05 JNO SHORT ResScope.005193FA
005193F5 . E8 2AA3EEFF CALL ResScope.00403724
005193FA > 83F8 17 CMP EAX,17
005193FD . 76 05 JBE SHORT ResScope.00519404
005193FF . E8 18A3EEFF CALL ResScope.0040371C
00519404 > 8D4C05 B0 LEA ECX,DWORD PTR SS:[EBP+EAX-50]
00519408 . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0051940B . 83EA 01 SUB EDX,1
0051940E . 71 05 JNO SHORT ResScope.00519415
00519410 . E8 0FA3EEFF CALL ResScope.00403724
00519415 > 6BD2 08 IMUL EDX,EDX,8
00519418 . 71 05 JNO SHORT ResScope.0051941F
0051941A . E8 05A3EEFF CALL ResScope.00403724
0051941F > 83FA 17 CMP EDX,17
00519422 . 76 05 JBE SHORT ResScope.00519429
00519424 . E8 F3A2EEFF CALL ResScope.0040371C
00519429 > 8D5405 B0 LEA EDX,DWORD PTR SS:[EBP+EAX-50]
0051942D . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
00519433 . E8 548BFCFF CALL ResScope.004E1F8C ; internally calls the code at 004E1E89 above
Code:
004E1D14 /$ 55 PUSH EBP
004E1D15 |. 8BEC MOV EBP,ESP
004E1D17 |. 83C4 F8 ADD ESP,-8
004E1D1A |. 53 PUSH EBX
004E1D1B |. 56 PUSH ESI
004E1D1C |. 57 PUSH EDI
........
004E1D96 |> 8BC8 /MOV ECX,EAX
004E1D98 |. C1E1 02 |SHL ECX,2
004E1D9B |. 0FB64C0B 03 |MOVZX ECX,BYTE PTR DS:[EBX+ECX+3] ; EBX=00575AE8; the memory here can be inspected and is constant
004E1DA0 |. C1E1 18 |SHL ECX,18
004E1DA3 |. 8BF0 |MOV ESI,EAX
004E1DA5 |. C1E6 02 |SHL ESI,2
004E1DA8 |. 0FB67433 02 |MOVZX ESI,BYTE PTR DS:[EBX+ESI+2]
004E1DAD |. C1E6 10 |SHL ESI,10
004E1DB0 |. 0BCE |OR ECX,ESI
004E1DB2 |. 8BF0 |MOV ESI,EAX
004E1DB4 |. C1E6 02 |SHL ESI,2
004E1DB7 |. 0FB67433 01 |MOVZX ESI,BYTE PTR DS:[EBX+ESI+1]
004E1DBC |. C1E6 08 |SHL ESI,8
004E1DBF |. 0BCE |OR ECX,ESI
004E1DC1 |. 8BF0 |MOV ESI,EAX
004E1DC3 |. C1E6 02 |SHL ESI,2
004E1DC6 |. 0FB63433 |MOVZX ESI,BYTE PTR DS:[EBX+ESI]
004E1DCA |. 0BCE |OR ECX,ESI
004E1DCC |. 890A |MOV DWORD PTR DS:[EDX],ECX ; EDX=0012FB64
004E1DCE |. 40 |INC EAX
004E1DCF |. 83C2 04 |ADD EDX,4
004E1DD2 |. 83F8 08 |CMP EAX,8
004E1DD5 |.^ 75 BF \JNZ SHORT ResScope.004E1D96
004E1DD7 |. 5F POP EDI
004E1DD8 |. 5E POP ESI
004E1DD9 |. 5B POP EBX
004E1DDA |. 59 POP ECX
004E1DDB |. 59 POP ECX
004E1DDC |. 5D POP EBP
004E1DDD \. C2 0400 RETN 4
That is as far as the analysis goes today; I will continue when I have time.
--------------------------------------------------------------------------------
【Copyright notice】: First published on the Pediy (看雪) forum; when reposting please credit the author and keep the article intact. Thanks!
--------------------------------------------------------------------------------