初學者(19) (4千字)

DLL EXPLORER 2.2.2

設斷點bpx hmemcpy
程式被中斷後,按F12鍵12次,來到:

:004412E4 8B45F8 mov eax, dword ptr [ebp-08]<----可看到輸入的註冊碼
:004412E7 8D55FC lea edx, dword ptr [ebp-04]
:004412EA E81964FCFF call 00407708
:004412EF 837DFC00 cmp dword ptr [ebp-04], 00000000
:004412F3 7525 jne 0044131A
:004412F5 6A00 push 00000000
:004412F7 668B0DF4134400 mov cx, word ptr [004413F4]
:004412FE 33D2 xor edx, edx

* Possible StringData Ref from Code Obj ->"Please enter your user name exactly "
->"as it appears in the registration "
->"information that you received."
|
:00441300 B800144400 mov eax, 00441400
:00441305 E8BAACFFFF call 0043BFC4
:0044130A 8B83DC010000 mov eax, dword ptr [ebx+000001DC]
:00441310 8B10 mov edx, dword ptr [eax]
:00441312 FF5278 call [edx+78]
:00441315 E9AB000000 jmp 004413C5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004412F3(C)
|
:0044131A 8D55F8 lea edx, dword ptr [ebp-08]
:0044131D 8B83EC010000 mov eax, dword ptr [ebx+000001EC]
:00441323 E8A411FEFF call 004224CC
:00441328 8B45F8 mov eax, dword ptr [ebp-08]
:0044132B 8D55FC lea edx, dword ptr [ebp-04]
:0044132E E8D563FCFF call 00407708
:00441333 837DFC00 cmp dword ptr [ebp-04], 00000000
:00441337 7522 jne 0044135B
:00441339 6A00 push 00000000
:0044133B 668B0DF4134400 mov cx, word ptr [004413F4]
:00441342 33D2 xor edx, edx

* Possible StringData Ref from Code Obj ->"Please enter your registration "
->"key as it appears in the registration "
->"information that you received."
|
:00441344 B870144400 mov eax, 00441470
:00441349 E876ACFFFF call 0043BFC4
:0044134E 8B83EC010000 mov eax, dword ptr [ebx+000001EC]
:00441354 8B10 mov edx, dword ptr [eax]
:00441356 FF5278 call [edx+78]
:00441359 EB6A jmp 004413C5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00441337(C)
|
:0044135B 8D55F8 lea edx, dword ptr [ebp-08]
:0044135E 8B83EC010000 mov eax, dword ptr [ebx+000001EC]
:00441364 E86311FEFF call 004224CC
:00441369 8B45F8 mov eax, dword ptr [ebp-08]<----可看到輸入的註冊碼,下BPM EAX
:0044136C 50 push eax
:0044136D 8D55F4 lea edx, dword ptr [ebp-0C]
:00441370 8B83E4010000 mov eax, dword ptr [ebx+000001E4]
:00441376 E85111FEFF call 004224CC
:0044137B 8B45F4 mov eax, dword ptr [ebp-0C]
:0044137E 50 push eax
:0044137F 8D55F0 lea edx, dword ptr [ebp-10]
:00441382 8B83DC010000 mov eax, dword ptr [ebx+000001DC]
:00441388 E83F11FEFF call 004224CC
:0044138D 8B55F0 mov edx, dword ptr [ebp-10]
:00441390 A150004900 mov eax, dword ptr [00490050]
:00441395 8B00 mov eax, dword ptr [eax]
:00441397 59 pop ecx
:00441398 E8CB9F0400 call 0048B368
:0044139D A150004900 mov eax, dword ptr [00490050]
:004413A2 8B00 mov eax, dword ptr [eax]
:004413A4 80780400 cmp byte ptr [eax+04], 00
:004413A8 7514 jne 004413BE

下BPM EAX,程式被中斷在
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403DE1(C)
|
:00403DC5 8B0E mov ecx, dword ptr [esi]<----D ESI可看到註冊碼
:00403DC7 8B1F mov ebx, dword ptr [edi]<----D EDI可看到輸入的註冊碼
:00403DC9 39D9 cmp ecx, ebx
:00403DCB 7558 jne 00403E25
:00403DCD 4A dec edx
:00403DCE 7415 je 00403DE5
:00403DD0 8B4E04 mov ecx, dword ptr [esi+04]
:00403DD3 8B5F04 mov ebx, dword ptr [edi+04]
:00403DD6 39D9 cmp ecx, ebx
:00403DD8 754B jne 00403E25
:00403DDA 83C608 add esi, 00000008
:00403DDD 83C708 add edi, 00000008
:00403DE0 4A dec edx
:00403DE1 75E2 jne 00403DC5
:00403DE3 EB06 jmp 00403DEB

方法2將上面的兩個JNE 00403E25改為NOP
注意:註冊碼是12位

未能找出註冊碼的生成過程,如哪位找出了演算法,請帖出來

初學者(19) (4千字)

相關文章