Add/Remove 4Good 2注册码 跟踪过程,稍麻烦些---[BCG]入门教程
作者:CrackerABC[BCG]
作者主页:http://crackerabc.longcity.net
这个软件呢就是一个典型的跟进CALL计算子程序的例子,下面开始了。
1、首先随便输入任意注册信息:
Name:sunfeng
Code: 31415926
2、启动TRW2000,点确定后用Ctrl+N呼叫出来,然后下bpx hmemcpy
3、F5返回程序空间后,点注册被TRW2000拦截到其领域,下BD *中断所有断点。
4、开始按F12,共计23次(24次时出错),请仔细看了,
0167:004018D5 PUSH DWORD FF /////这里是你按第一次F10后的位置
0167:004018DA MOV ECX,[EBP-10]
0167:004018DD PUSH DWORD 00408460
0167:004018E2 ADD ECX,01A0
0167:004018E8 CALL `MFC40!ord_00000D36`
0167:004018ED PUSH DWORD 00408360
0167:004018F2 LEA ECX,[EBP-18]
0167:004018F5 CALL `MFC40!ord_000001E3`
0167:004018FA MOV DWORD [EBP-04],00
0167:00401901 MOV EAX,[EAX]
0167:00401903 PUSH DWORD 004085A4
0167:00401908 PUSH EAX
0167:00401909 CALL `MSVCRT40!_mbscmp`
0167:0040190F MOV DWORD [EBP-04],FFFFFFFF
0167:00401916 ADD ESP,BYTE +08
0167:00401919 CMP EAX,BYTE +01
0167:0040191C MOV EAX,[EBP-14]
0167:0040191F SBB [EBP-14],EAX
0167:00401922 NEG DWORD [EBP-14]
0167:00401925 CALL 00401A33
0167:0040192A CMP DWORD [EBP-14],BYTE +00
0167:0040192E JZ 00401949
0167:00401930 PUSH BYTE +01
0167:00401932 MOV ECX,[EBP-10]
0167:00401935 CALL `MFC40!ord_00000910`
0167:0040193A MOV EAX,[EBP-0C]
0167:0040193D POP EDI
0167:0040193E MOV [FS:00],EAX
0167:00401944 POP ESI
0167:00401945 MOV ESP,EBP
0167:00401947 POP EBP
0167:00401948 RET
0167:00401949 CALL 00401620 ////按F8跟进去这里是计算的子程序入口
0167:0040194E TEST EAX,EAX ////这里可是典型的组合啊。
0167:00401950 JZ NEAR 004019F8 ///
0167:00401956 LEA EAX,[EBP-18]
下面是跟进去的代码段:
0167:00401620 MOV EAX,[FS:00]
0167:00401626 PUSH EBP
0167:00401627 MOV EBP,ESP
0167:00401629 PUSH BYTE -01
0167:0040162B PUSH DWORD 004017A5
0167:00401630 MOV ECX,FFFFFFFF
0167:00401635 PUSH EAX
0167:00401636 MOV [FS:00],ESP
0167:0040163D SUB ESP,BYTE +0C
0167:00401640 SUB EAX,EAX
0167:00401642 PUSH EDI
0167:00401643 MOV EDI,00408360
0167:00401648 REPNE SCASB
0167:0040164A NOT ECX
0167:0040164C DEC ECX
0167:0040164D CMP ECX,BYTE +06
0167:00401650 JNC 00401663
0167:00401652 XOR EAX,EAX
0167:00401654 MOV ECX,[EBP-0C]
0167:00401657 POP EDI
0167:00401658 MOV [FS:00],ECX
0167:0040165F MOV ESP,EBP
0167:00401661 POP EBP
0167:00401662 RET
0167:00401663 MOV EDI,00408360
0167:00401668 MOV ECX,FFFFFFFF
0167:0040166D SUB EAX,EAX
0167:0040166F REPNE SCASB
0167:00401671 NOT ECX
0167:00401673 SUB EDX,EDX
0167:00401675 LEA EAX,[ECX-01]
0167:00401678 MOV ECX,0C
0167:0040167D DIV ECX
0167:0040167F MOV EAX,[0040835C]
0167:00401684 LEA ECX,[EBP-10]
0167:00401684 LEA ECX,[EBP-10] ////D ECX得到87ae2401my69,这可不是真注册码哟。和他紧挨的
//// 是感谢注册的语句,迷惑人。
0167:00401687 MOV AL,[EAX+EDX]
0167:0040168A PUSH EAX
0167:0040168B PUSH DWORD 0040859C
0167:00401690 CALL `MFC40!ord_000001E3`
0167:00401695 PUSH EAX
0167:00401696 LEA ECX,[EBP-14]
0167:00401699 MOV DWORD [EBP-04],00
0167:004016A0 PUSH ECX
0167:004016A1 CALL `MFC40!ord_00000332`
0167:004016A6 MOV BYTE [EBP-04],02
0167:004016AA CALL 0040179D
0167:004016AF MOV EDI,00408360
0167:004016B4 MOV ECX,FFFFFFFF
0167:004016B9 MOV DWORD [EBP-10],00
0167:004016C0 SUB EAX,EAX
0167:004016C2 REPNE SCASB
0167:004016C4 NOT ECX
0167:004016C6 DEC ECX
0167:004016C7 JZ 00401741
0167:004016C9 TEST BYTE [EBP-10],01
0167:004016CD JNZ 00401728
0167:004016CF MOV EAX,[EBP-10]
0167:004016D2 MOV AL,[EAX+00408360]
0167:004016D8 CMP AL,7F
0167:004016DA JG NEAR 00401773
0167:004016E0 CMP AL,20
0167:004016E2 JL NEAR 00401784
0167:004016E8 CBW
0167:004016EA MOV CL,02
0167:004016EC IDIV CL
0167:004016EE ADD AL,20
0167:004016F0 CMP AL,5A
0167:004016F2 JNG 004016FA
0167:004016F4 CMP AL,61
0167:004016F6 JNL 004016FA
0167:004016F8 ADD AL,06
0167:004016FA CMP AL,39
0167:004016FC JNG 00401704
0167:004016FE CMP AL,41
0167:00401700 JNL 00401704
0167:00401702 ADD AL,08
0167:00401704 PUSH EAX
0167:00401705 LEA ECX,[EBP-18]
0167:00401708 LEA EAX,[EBP-14]
0167:0040170B PUSH EAX
0167:0040170C PUSH ECX
0167:0040170D CALL `MFC40!ord_00000332`
0167:00401712 PUSH EAX
0167:00401713 LEA ECX,[EBP-14]
0167:00401716 MOV BYTE [EBP-04],03
0167:0040171A CALL `MFC40!ord_000002F8`
0167:0040171F MOV BYTE [EBP-04],02 ////此处多次调用,D
ECX得到逐个注册码,最后为6582-1YWRS
0167:00401723 CALL 00401795
0167:00401728 MOV EDI,00408360
0167:0040172D MOV ECX,FFFFFFFF
0167:00401732 INC DWORD [EBP-10]
0167:00401735 SUB EAX,EAX
0167:00401737 REPNE SCASB
0167:00401739 NOT ECX
0167:0040173B DEC ECX
0167:0040173C CMP ECX,[EBP-10]
0167:0040173F JA 004016C9
0167:00401741 PUSH DWORD 00408460
0167:00401746 MOV EAX,[EBP-14]
0167:00401749 PUSH EAX
0167:0040174A CALL `MSVCRT40!_mbscmp`
0167:00401750 ADD ESP,BYTE +08
0167:00401753 MOV ECX,[EBP-10]
0167:00401756 MOV DWORD [EBP-04],FFFFFFFF
0167:0040175D CMP EAX,BYTE +01
0167:00401760 SBB [EBP-10],ECX
0167:00401763 NEG DWORD [EBP-10]
0167:00401766 CALL 004017AF
0167:0040176B MOV EAX,[EBP-10]
0167:0040176E JMP 00401654
0167:00401773 MOV DWORD [EBP-04],FFFFFFFF
0167:0040177A CALL 004017AF
0167:0040177F JMP 00401652
0167:00401784 MOV DWORD [EBP-04],FFFFFFFF
0167:0040178B CALL 004017AF
0167:00401790 JMP 00401652
0167:00401795 LEA ECX,[EBP-18]
0167:00401798 JMP `MFC40!ord_000002C2`
0167:0040179D LEA ECX,[EBP-10]
0167:004017A0 JMP `MFC40!ord_000002C2`
0167:004017A5 MOV EAX,00406E70
0167:004017AA JMP `MSVCRT40!__CxxFrameHandler`
0167:004017AF LEA ECX,[EBP-14]
0167:004017B2 JMP `MFC40!ord_000002C2`
0167:004017B7 INT3
0167:004017B8 INT3
0167:004017B9 INT3
0167:004017BA INT3
0167:004017BB INT3
0167:004017BC INT3
0167:004017BD INT3
0167:004017BE INT3
0167:004017BF INT3
0167:004017C0 PUSH EBX
0167:004017C1 PUSH ESI
0167:004017C2 PUSH EDI
0167:004017C3 MOV EBX,ECX
0167:004017C5 CALL `MFC40!ord_0000104D`
0167:004017CA MOV ECX,EBX
0167:004017CC CALL 004014A0
0167:004017D1 CALL 004015A0
0167:004017D6 TEST EAX,EAX
0167:004017D8 JZ NEAR 00401867
0167:004017DE PUSH DWORD 00408674
0167:004017E3 LEA ECX,[EBX+60]
0167:004017E6 CALL `MFC40!ord_00001574`
0167:004017EB PUSH DWORD 004085C8
0167:004017F0 LEA ECX,[EBX+E0]
0167:004017F6 LEA EDI,[EBX+01E0]
0167:004017FC CALL `MFC40!ord_00001574`
0167:00401801 PUSH DWORD 004085BC
0167:00401806 LEA ECX,[EBX+A0]
0167:0040180C LEA ESI,[EBX+01A0]
0167:00401812 CALL `MFC40!ord_00001574`
0167:00401817 PUSH DWORD 00408360
0167:0040181C MOV ECX,EDI
0167:0040181E CALL `MFC40!ord_00001574`
0167:00401823 PUSH DWORD 00408460
0167:00401828 MOV ECX,ESI
0167:0040182A CALL `MFC40!ord_00001574`
0167:0040182F PUSH DWORD 004085B8
0167:00401834 LEA ECX,[EBX+0120]
0167:0040183A CALL `MFC40!ord_00001574`
0167:0040183F PUSH BYTE +00
0167:00401841 MOV ECX,EDI
0167:00401843 CALL `MFC40!ord_0000090D`
0167:00401848 PUSH BYTE +00
0167:0040184A MOV ECX,ESI
0167:0040184C CALL `MFC40!ord_0000090D`
0167:00401851 PUSH BYTE +00
0167:00401853 LEA ECX,[EBX+0160]
0167:00401859 CALL `MFC40!ord_0000090D`
0167:0040185E MOV EAX,01
0167:00401863 POP EDI
0167:00401864 POP ESI
0167:00401865 POP EBX
0167:00401866 RET
0167:00401867 PUSH DWORD 004085A4
0167:0040186C LEA ECX,[EBX+01E0]
0167:00401872 CALL `MFC40!ord_00001574`
0167:00401877 PUSH DWORD 004085A4
0167:0040187C LEA ECX,[EBX+01A0]
0167:00401882 CALL `MFC40!ord_00001574`
0167:00401887 MOV EAX,[00408358]
0167:0040188C LEA ECX,[EBX+60]
0167:0040188F PUSH EAX
0167:00401890 CALL `MFC40!ord_00001574`
0167:00401895 MOV EAX,01
0167:0040189A POP EDI
0167:0040189B POP ESI
0167:0040189C POP EBX
0167:0040189D RET
0167:0040189E INT3
0167:0040189F INT3
0167:004018A0 MOV EAX,[FS:00]
0167:004018A6 PUSH EBP
0167:004018A7 MOV EBP,ESP
0167:004018A9 PUSH BYTE -01
0167:004018AB PUSH DWORD 00401A29
0167:004018B0 PUSH EAX
0167:004018B1 MOV [FS:00],ESP
0167:004018B8 SUB ESP,BYTE +0C
0167:004018BB MOV [EBP-10],ECX
0167:004018BE PUSH ESI
0167:004018BF PUSH EDI
0167:004018C0 ADD ECX,01E0
0167:004018C6 PUSH DWORD FF
0167:004018CB PUSH DWORD 00408360
0167:004018D0 CALL `MFC40!ord_00000D36`
0167:004018D5 PUSH DWORD FF
0167:004018DA MOV ECX,[EBP-10]
0167:004018DD PUSH DWORD 00408460
0167:004018E2 ADD ECX,01A0
0167:004018E8 CALL `MFC40!ord_00000D36`
0167:004018ED PUSH DWORD 00408360
0167:004018F2 LEA ECX,[EBP-18]
0167:004018F5 CALL `MFC40!ord_000001E3`
0167:004018FA MOV DWORD [EBP-04],00
0167:00401901 MOV EAX,[EAX]
0167:00401903 PUSH DWORD 004085A4
0167:00401908 PUSH EAX
0167:00401909 CALL `MSVCRT40!_mbscmp`
0167:0040190F MOV DWORD [EBP-04],FFFFFFFF
0167:00401916 ADD ESP,BYTE +08
0167:00401919 CMP EAX,BYTE +01
0167:0040191C MOV EAX,[EBP-14]
0167:0040191F SBB [EBP-14],EAX
0167:00401922 NEG DWORD [EBP-14]
0167:00401925 CALL 00401A33
0167:0040192A CMP DWORD [EBP-14],BYTE +00
0167:0040192E JZ 00401949
0167:00401930 PUSH BYTE +01
0167:00401932 MOV ECX,[EBP-10]
0167:00401935 CALL `MFC40!ord_00000910`
0167:0040193A MOV EAX,[EBP-0C]
0167:0040193D POP EDI
0167:0040193E MOV [FS:00],EAX
0167:00401944 POP ESI
0167:00401945 MOV ESP,EBP
0167:00401947 POP EBP
0167:00401948 RET
0167:00401949 CALL 00401620
0167:0040194E TEST EAX,EAX
0167:00401950 JZ NEAR 004019F8
0167:00401956 LEA EAX,[EBP-18]
0167:00401959 LEA ECX,[EBP-14]
0167:0040195C MOV DWORD [EBP-18],00
0167:00401963 MOV DWORD [EBP-14],00
0167:0040196A PUSH EAX
0167:0040196B PUSH ECX
0167:0040196C PUSH BYTE +00
0167:0040196E PUSH DWORD 000F003F
0167:00401973 PUSH BYTE +00
0167:00401975 PUSH BYTE +00
0167:00401977 PUSH BYTE +00
0167:00401979 PUSH DWORD 0040857C
0167:0040197E PUSH DWORD 80000002
0167:00401983 CALL `ADVAPI32!RegCreateKeyExA`
0167:00401989 MOV EDI,EAX
0167:0040198B TEST EDI,EDI
0167:0040198D JNZ 004019BC
0167:0040198F PUSH DWORD 0200
0167:00401994 MOV EAX,[EBP-14]
0167:00401997 PUSH DWORD 00408360
0167:0040199C PUSH BYTE +03
0167:0040199E PUSH BYTE +00
0167:004019A0 PUSH DWORD 00408578
0167:004019A5 PUSH EAX
0167:004019A6 CALL `ADVAPI32!RegSetValueExA`
0167:004019AC MOV EDI,EAX
0167:004019AE MOV EAX,[EBP-14]
0167:004019B1 PUSH EAX
0167:004019B2 CALL `ADVAPI32!RegCloseKey`
0167:004019B8 TEST EDI,EDI
0167:004019BA JZ 004019CF
0167:004019BC PUSH BYTE +00
0167:004019BE PUSH BYTE +00
0167:004019C0 PUSH DWORD 0040886C
0167:004019C5 CALL `MFC40!ord_00000425`
0167:004019CA JMP 00401930
0167:004019CF CMP DWORD [EBP-10],BYTE +00
0167:004019D3 MOV EAX,00
0167:004019D8 JZ 004019E0
0167:004019DA MOV EAX,[EBP-10]
0167:004019DD MOV EAX,[EAX+20]
0167:004019E0 PUSH BYTE +00
0167:004019E2 PUSH DWORD 0040885C
0167:004019E7 PUSH DWORD 004087DC
0167:004019EC PUSH EAX
0167:004019ED CALL `USER32!MessageBoxA`
0167:004019F3 JMP 00401930
0167:004019F8 PUSH BYTE -01
0167:004019FA CALL `USER32!MessageBeep`
0167:00401A00 CMP DWORD [EBP-10],BYTE +00
0167:00401A04 MOV EAX,00
0167:00401A09 JZ 00401A11
0167:00401A0B MOV EAX,[EBP-10]
0167:00401A0E MOV EAX,[EAX+20]
0167:00401A11 PUSH BYTE +30
0167:00401A13 PUSH DWORD 004087C8
0167:00401A18 PUSH DWORD 00408688
0167:00401A1D PUSH EAX ///下面的语句就是弹出出错对框的了。
如果跟的不细心,就会得到一个近似相象的注册码87ae2401my69,其实是假的。
好了,自己总结总结,那些地方应该跟进去呢。下课了。
<------完------->
- 标 题:Add/Remove 4Good 2注册码 跟踪过程,稍麻烦些---[BCG]参考教程 (12千字)
- 作 者:CrackerABC[BCG]
- 时 间:2001-4-13 20:46:02
- 链 接:http://bbs.pediy.com