德语助手 11.21,终极内存补丁彻底注册版,新鲜出炉:
图片:
昨天没有彻底成功,今天看会了反调试部分,茅塞顿开,又努力了下,终于彻底成功了。
006CF849 |. E8 5EE8FFFF call 006CE0AC
ds:[00CF37B8]=76AEFECF (user32.MessageBoxW)
本地调用来自 005AA088, 006CF86D, 006F4356
00414017 . BA 52B5B000 mov edx, 00B0B552 ; regDate
0044E0D0 . /7F 7F jg short 0044E151
以TimesLeft3为切入点
00413423 . 8B4D C0 mov ecx, dword ptr [ebp-0x40]
可以看到信息窗口中
堆栈 ss:[0018FD0C]=00000032 准备写入50次了,实际上写入49次
ecx=056002DC, (UNICODE "TimesLeft3")
0041340D . BA 74B3B000 mov edx, 00B0B374 ; TimesLeft3
00413412 . 8D45 F0 lea eax, dword ptr [ebp-0x10]
00413415 . E8 92616E00 call 00AF95AC
0041341A . FF45 E0 inc dword ptr [ebp-0x20]
0041341D . 8B08 mov ecx, dword ptr [eax]
0041341F . 8D45 B8 lea eax, dword ptr [ebp-0x48]
00413422 . 51 push ecx
00413423 . 8B4D C0 mov ecx, dword ptr [ebp-0x40] ; 实际上写入49次
00413426 . 49 dec ecx ; 这句上是减1,故此注册表键值实际写入是49,我们娱乐改成INC +1,破法1
0044E0D0 . /7F 7F jg short 0044E151 破法2
00413441 . E8 62811600 call 0057B5A8
00413446 . FF4D E0 dec dword ptr [ebp-0x20] 这句F8时,可看到regworkshop中键值被写入 ,破法3
0041414C . BA B4B5B000 mov edx, 00B0B5B4 ; LicenseCode 显然这句很重要,启动时拦下!!
009AB0E2 . 68 8ED9BA00 push 00BAD98E ; @local_timestamp
0057B375 |. 8BC6 mov eax, esi 可能重要,下一句看到任务栏出现程序图标了,说明该下手了
:403cad call jmp .kernel32.isdebuggerpresent 反调试信息出现
=====================
004627CC /$ 55 push ebp ;断在这里可以看到我们的假码!
004627CD |. 8BEC mov ebp, esp
004627CF |. 81C4 14FFFFFF add esp, -0xEC
004627D5 |. 53 push ebx
004627D6 |. 56 push esi
004627D7 |. 57 push edi
004627D8 |. 8955 FC mov dword ptr [ebp-0x4], edx
004627DB |. 8985 3CFFFFFF mov dword ptr [ebp-0xC4], eax
004627E1 |. 8DB5 40FFFFFF lea esi, dword ptr [ebp-0xC0]
004627E7 |. B8 D48EB500 mov eax, 00B58ED4
004627EC |. E8 A3406800 call 00AE6894
004627F1 |. C746 1C 01000>mov dword ptr [esi+0x1C], 0x1
004627F8 |. 8D55 FC lea edx, dword ptr [ebp-0x4]
004627FB |. 8D45 FC lea eax, dword ptr [ebp-0x4]
004627FE |. E8 E96D6900 call 00AF95EC
00462803 |. FF46 1C inc dword ptr [esi+0x1C]
00462806 |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC
0046280C |. 66:C746 10 18>mov word ptr [esi+0x10], 0x18
00462812 |. E8 A9B9FAFF call 0040E1C0
00462817 |. 50 push eax
00462818 |. 8D55 D4 lea edx, dword ptr [ebp-0x2C]
0046281B |. 52 push edx
0046281C |. E8 331AFBFF call 00414254
00462821 |. 83C4 08 add esp, 0x8
00462824 |. FF46 1C inc dword ptr [esi+0x1C]
00462827 |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC
0046282D |. 66:C746 10 24>mov word ptr [esi+0x10], 0x24
00462833 |. 8D45 D0 lea eax, dword ptr [ebp-0x30]
00462836 |. E8 C516FAFF call 00403F00
0046283B |. 8BD0 mov edx, eax
0046283D |. FF46 1C inc dword ptr [esi+0x1C]
00462840 |. 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-0xC4]
00462846 |. 8B81 B4030000 mov eax, dword ptr [ecx+0x3B4]
0046284C |. E8 67012300 call 006929B8
00462851 |. 8D45 D0 lea eax, dword ptr [ebp-0x30]
00462854 |. E8 1FCDFAFF call 0040F578
00462859 |. 50 push eax
0046285A |. 8D55 A8 lea edx, dword ptr [ebp-0x58]
0046285D |. 52 push edx
0046285E |. E8 11CBFAFF call 0040F374
00462863 |. 83C4 08 add esp, 0x8
00462866 |. FF46 1C inc dword ptr [esi+0x1C]
00462869 |. 8D4D A8 lea ecx, dword ptr [ebp-0x58]
0046286C |. 51 push ecx
0046286D |. 8D7D 80 lea edi, dword ptr [ebp-0x80]
00462870 |. 57 push edi
00462871 |. E8 4A1D5B00 call 00A145C0
00462876 |. 83C4 08 add esp, 0x8
00462879 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
0046287C |. 50 push eax
0046287D |. FF46 1C inc dword ptr [esi+0x1C]
00462880 |. E8 1B78FAFF call 0040A0A0
00462885 |. 59 pop ecx
00462886 |. 50 push eax
00462887 |. 8D55 D4 lea edx, dword ptr [ebp-0x2C]
0046288A |. 52 push edx
0046288B |. E8 1078FAFF call 0040A0A0
00462890 |. 59 pop ecx
00462891 |. 50 push eax
00462892 |. E8 09A06600 call 00ACC8A0
00462897 |. 83C4 08 add esp, 0x8
0046289A |. 8BD8 mov ebx, eax
0046289C |. FF4E 1C dec dword ptr [esi+0x1C]
0046289F |. 8D45 80 lea eax, dword ptr [ebp-0x80]
004628A2 |. 6A 02 push 0x2
004628A4 |. 50 push eax
004628A5 |. E8 760FFAFF call 00403820
004628AA |. 83C4 08 add esp, 0x8
004628AD |. FF4E 1C dec dword ptr [esi+0x1C]
004628B0 |. 6A 02 push 0x2
004628B2 |. 8D55 A8 lea edx, dword ptr [ebp-0x58]
004628B5 |. 52 push edx
004628B6 |. E8 8D0FFAFF call 00403848
004628BB |. 83C4 08 add esp, 0x8
004628BE |. FF4E 1C dec dword ptr [esi+0x1C]
004628C1 |. 8D45 D0 lea eax, dword ptr [ebp-0x30]
004628C4 |. BA 02000000 mov edx, 0x2
004628C9 |. E8 466F6900 call 00AF9814
004628CE |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC
004628D4 |. 84DB test bl, bl
004628D6 |. 0F84 43010000 je 00462A1F ; 跳走了,肯定不能让它走~~~ NOP了
004628DC |. B2 01 mov dl, 0x1
004628DE |. A1 58955700 mov eax, dword ptr [0x579558]
004628E3 |. E8 BC7D1100 call 0057A6A4
004628E8 |. 66:C746 10 30>mov word ptr [esi+0x10], 0x30
004628EE |. 8BF8 mov edi, eax
004628F0 |. 8D85 7CFFFFFF lea eax, dword ptr [ebp-0x84]
004628F6 |. BA 4486B500 mov edx, 00B58644 ; Software\Francophonie\Dehelper\Customer Info
004628FB |. E8 246E6900 call 00AF9724
00462900 |. FF46 1C inc dword ptr [esi+0x1C]
00462903 |. 8B10 mov edx, dword ptr [eax]
00462905 |. B1 01 mov cl, 0x1
00462907 |. 8BC7 mov eax, edi
00462909 |. E8 6E801100 call 0057A97C
0046290E |. FF4E 1C dec dword ptr [esi+0x1C]
00462911 |. 8D85 7CFFFFFF lea eax, dword ptr [ebp-0x84]
00462917 |. BA 02000000 mov edx, 0x2
0046291C |. E8 F36E6900 call 00AF9814
00462921 |. 66:C746 10 0C>mov word ptr [esi+0x10], 0xC
00462927 |. 33DB xor ebx, ebx ; 要清,到底要不要让它清? 结果尝试NOP 成功
00462929 |> 66:C746 10 48>/mov word ptr [esi+0x10], 0x48
0046292F |. BA 9E86B500 |mov edx, 00B5869E ; 确实是注册表键值 SerialCode
00462934 |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]
0046293A |. E8 6D6C6900 |call 00AF95AC
0046293F |. FF46 1C |inc dword ptr [esi+0x1C]
00462942 |. 66:C746 10 3C>|mov word ptr [esi+0x10], 0x3C
00462948 |. 85DB |test ebx, ebx
0046294A |. 7E 3A |jle short 00462986
0046294C |. 66:C746 10 54>|mov word ptr [esi+0x10], 0x54
00462952 |. 8D85 74FFFFFF |lea eax, dword ptr [ebp-0x8C]
00462958 |. 8BD3 |mov edx, ebx
0046295A |. E8 E915FBFF |call 00413F48
0046295F |. FF46 1C |inc dword ptr [esi+0x1C]
00462962 |. 8D95 74FFFFFF |lea edx, dword ptr [ebp-0x8C]
00462968 |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]
0046296E |. E8 DD6E6900 |call 00AF9850
00462973 |. FF4E 1C |dec dword ptr [esi+0x1C]
00462976 |. 8D85 74FFFFFF |lea eax, dword ptr [ebp-0x8C]
0046297C |. BA 02000000 |mov edx, 0x2
00462981 |. E8 8E6E6900 |call 00AF9814
00462986 |> 8B95 78FFFFFF |mov edx, dword ptr [ebp-0x88]
0046298C |. 8BC7 |mov eax, edi
0046298E |. E8 318F1100 |call 0057B8C4
00462993 |. 84C0 |test al, al
00462995 |. 75 25 |jnz short 004629BC
00462997 |. 8B4D FC |mov ecx, dword ptr [ebp-0x4]
0046299A |. 8B95 78FFFFFF |mov edx, dword ptr [ebp-0x88]
004629A0 |. 8BC7 |mov eax, edi
004629A2 |. E8 29891100 |call 0057B2D0
004629A7 |. FF4E 1C |dec dword ptr [esi+0x1C]
004629AA |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]
004629B0 |. BA 02000000 |mov edx, 0x2
004629B5 |. E8 5A6E6900 |call 00AF9814
004629BA |. EB 23 |jmp short 004629DF
004629BC |> FF4E 1C |dec dword ptr [esi+0x1C]
004629BF |. 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]
004629C5 |. BA 02000000 |mov edx, 0x2
004629CA |. E8 456E6900 |call 00AF9814
004629CF |. 66:C746 10 0C>|mov word ptr [esi+0x10], 0xC
004629D5 |. 43 |inc ebx
004629D6 |. 83FB 64 |cmp ebx, 0x64
004629D9 |.^ 0F8C 4AFFFFFF \jl 00462929
004629DF |> 8BDF mov ebx, edi
004629E1 |. 899D 6CFFFFFF mov dword ptr [ebp-0x94], ebx
004629E7 |. 85DB test ebx, ebx
004629E9 |. 74 24 je short 00462A0F ; 这里又一个不知如何处理?不用理会
004629EB |. 8B03 mov eax, dword ptr [ebx]
004629ED |. 8985 70FFFFFF mov dword ptr [ebp-0x90], eax
004629F3 |. 66:C746 10 78>mov word ptr [esi+0x10], 0x78
004629F9 |. BA 03000000 mov edx, 0x3
004629FE |. 8B85 6CFFFFFF mov eax, dword ptr [ebp-0x94]
00462A04 |. 8B08 mov ecx, dword ptr [eax]
00462A06 |. FF51 FC call dword ptr [ecx-0x4]
00462A09 |. 66:C746 10 60>mov word ptr [esi+0x10], 0x60
00462A0F |> 8B85 3CFFFFFF mov eax, dword ptr [ebp-0xC4]
00462A15 |. E8 76070000 call 00463190
00462A1A |. E9 89000000 jmp 00462AA8
00462A1F |> 6A 30 push 0x30
00462A21 |. 8D85 64FFFFFF lea eax, dword ptr [ebp-0x9C]
00462A27 |. E8 D414FAFF call 00403F00
00462A2C |. 8BD0 mov edx, eax
00462A2E |. FF46 1C inc dword ptr [esi+0x1C]
00462A31 |. A1 5C83C800 mov eax, dword ptr [0xC8835C]
00462A36 |. E8 395C6900 call 00AF8674
00462A3B |. 8D85 64FFFFFF lea eax, dword ptr [ebp-0x9C]
00462A41 |. E8 42CBFAFF call 0040F588
00462A46 |. 50 push eax
00462A47 |. 66:C746 10 84>mov word ptr [esi+0x10], 0x84
00462A4D |. 8D85 68FFFFFF lea eax, dword ptr [ebp-0x98]
00462A53 |. E8 A814FAFF call 00403F00
00462A58 |. 8BD0 mov edx, eax
00462A5A |. FF46 1C inc dword ptr [esi+0x1C]
00462A5D |. A1 6482C800 mov eax, dword ptr [0xC88264]
00462A62 |. E8 0D5C6900 call 00AF8674
00462A67 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-0x98]
00462A6D |. E8 16CBFAFF call 0040F588
00462A72 |. 8BD0 mov edx, eax
00462A74 |. 8B0D DC87C800 mov ecx, dword ptr [0xC887DC] ; dehelper.00CE4350
00462A7A |. 8B01 mov eax, dword ptr [ecx]
00462A7C |. 59 pop ecx
00462A7D |. E8 56556900 call 00AF7FD8 ; 出来注册错误对话框!1111111
00462A82 |. FF4E 1C dec dword ptr [esi+0x1C]
00462A85 |. 8D85 64FFFFFF lea eax, dword ptr [ebp-0x9C]
00462A8B |. BA 02000000 mov edx, 0x2
00462A90 |. E8 7F6D6900 call 00AF9814
00462A95 |. FF4E 1C dec dword ptr [esi+0x1C]
00462A98 |. 8D85 68FFFFFF lea eax, dword ptr [ebp-0x98]
00462A9E |. BA 02000000 mov edx, 0x2
00462AA3 |. E8 6C6D6900 call 00AF9814
00462AA8 |> FF4E 1C dec dword ptr [esi+0x1C]