DLL EXPLORER 2.2.2
设断点bpx hmemcpy
程序被中断后,按F12键12次,来到:
:004412E4 8B45F8
mov eax, dword ptr [ebp-08]<----可看到输入的注册码
:004412E7 8D55FC
lea edx, dword ptr [ebp-04]
:004412EA E81964FCFF call 00407708
:004412EF 837DFC00 cmp
dword ptr [ebp-04], 00000000
:004412F3 7525
jne 0044131A
:004412F5 6A00
push 00000000
:004412F7 668B0DF4134400 mov cx, word ptr
[004413F4]
:004412FE 33D2
xor edx, edx
* Possible StringData Ref from Code Obj ->"Please enter your user name exactly "
->"as it appears in the registration "
->"information that you received."
|
:00441300 B800144400 mov eax,
00441400
:00441305 E8BAACFFFF call 0043BFC4
:0044130A 8B83DC010000 mov eax, dword
ptr [ebx+000001DC]
:00441310 8B10
mov edx, dword ptr [eax]
:00441312 FF5278
call [edx+78]
:00441315 E9AB000000 jmp 004413C5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004412F3(C)
|
:0044131A 8D55F8
lea edx, dword ptr [ebp-08]
:0044131D 8B83EC010000 mov eax, dword
ptr [ebx+000001EC]
:00441323 E8A411FEFF call 004224CC
:00441328 8B45F8
mov eax, dword ptr [ebp-08]
:0044132B 8D55FC
lea edx, dword ptr [ebp-04]
:0044132E E8D563FCFF call 00407708
:00441333 837DFC00 cmp
dword ptr [ebp-04], 00000000
:00441337 7522
jne 0044135B
:00441339 6A00
push 00000000
:0044133B 668B0DF4134400 mov cx, word ptr
[004413F4]
:00441342 33D2
xor edx, edx
* Possible StringData Ref from Code Obj ->"Please enter your registration "
->"key as it appears in the registration "
->"information that you received."
|
:00441344 B870144400 mov eax,
00441470
:00441349 E876ACFFFF call 0043BFC4
:0044134E 8B83EC010000 mov eax, dword
ptr [ebx+000001EC]
:00441354 8B10
mov edx, dword ptr [eax]
:00441356 FF5278
call [edx+78]
:00441359 EB6A
jmp 004413C5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00441337(C)
|
:0044135B 8D55F8
lea edx, dword ptr [ebp-08]
:0044135E 8B83EC010000 mov eax, dword
ptr [ebx+000001EC]
:00441364 E86311FEFF call 004224CC
:00441369 8B45F8
mov eax, dword ptr [ebp-08]<----可看到输入的注册码,下BPM EAX
:0044136C 50
push eax
:0044136D 8D55F4
lea edx, dword ptr [ebp-0C]
:00441370 8B83E4010000 mov eax, dword
ptr [ebx+000001E4]
:00441376 E85111FEFF call 004224CC
:0044137B 8B45F4
mov eax, dword ptr [ebp-0C]
:0044137E 50
push eax
:0044137F 8D55F0
lea edx, dword ptr [ebp-10]
:00441382 8B83DC010000 mov eax, dword
ptr [ebx+000001DC]
:00441388 E83F11FEFF call 004224CC
:0044138D 8B55F0
mov edx, dword ptr [ebp-10]
:00441390 A150004900 mov eax,
dword ptr [00490050]
:00441395 8B00
mov eax, dword ptr [eax]
:00441397 59
pop ecx
:00441398 E8CB9F0400 call 0048B368
:0044139D A150004900 mov eax,
dword ptr [00490050]
:004413A2 8B00
mov eax, dword ptr [eax]
:004413A4 80780400 cmp
byte ptr [eax+04], 00
:004413A8 7514
jne 004413BE
下BPM EAX,程序被中断在
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403DE1(C)
|
:00403DC5 8B0E
mov ecx, dword ptr [esi]<----D ESI可看到注册码
:00403DC7 8B1F
mov ebx, dword ptr [edi]<----D EDI可看到输入的注册码
:00403DC9 39D9
cmp ecx, ebx
:00403DCB 7558
jne 00403E25
:00403DCD 4A
dec edx
:00403DCE 7415
je 00403DE5
:00403DD0 8B4E04
mov ecx, dword ptr [esi+04]
:00403DD3 8B5F04
mov ebx, dword ptr [edi+04]
:00403DD6 39D9
cmp ecx, ebx
:00403DD8 754B
jne 00403E25
:00403DDA 83C608
add esi, 00000008
:00403DDD 83C708
add edi, 00000008
:00403DE0 4A
dec edx
:00403DE1 75E2
jne 00403DC5
:00403DE3 EB06
jmp 00403DEB
方法2将上面的两个JNE 00403E25改为NOP
注意:注册码是12位
未能找出注册码的生成过程,如哪位找出了算法,请贴出来
- 标 题:初学者(19) (4千字)
- 作 者:liutong
- 时 间:2000-7-10 21:30:46
- 链 接:http://bbs.pediy.com