Reverse engineering and analysis of a certain Easy Language (易语言) "xx团" module
Open Easy Language and press CTRL+O to load a source file that uses the module's commands; the following warning appears.
Pressing F5 to debug the program prints similar text.
Because Easy Language modules (.ec) can be decompiled, the module author moved the algorithm into a support library (.fne). What we are reversing is therefore essentially the support library.
Load the support library Game-EC.fne directly into OllyDbg.
An .fne file is just a DLL with its extension renamed.
ALT+E opens the executable modules window; select the fne module and double-click it.
Right-click → Search for → All referenced text strings.
Find the error message 模块验证状态:不正常 (module verification status: abnormal).
The strings are padded with advertising text; after filtering that out, the relevant code is:
1002151D /$ 55             PUSH EBP
1002151E |. 8BEC           MOV EBP, ESP
10021520 |. 81EC 04000000  SUB ESP, 0x4
10021526 |. B8 631D0610    MOV EAX, 10061D63            ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\r\n
1002152B |. 8945 FC        MOV [LOCAL.1], EAX
1002152E |. 8D45 FC        LEA EAX, [LOCAL.1]
10021531 |. 50             PUSH EAX
10021532 |. E8 DEAEFEFF    CALL 1000C415
10021537 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
1002153A |. 85DB           TEST EBX, EBX
1002153C |. 74 09          JE SHORT 10021547
1002153E |. 53             PUSH EBX
1002153F |. E8 199B0000    CALL 1002B05D
10021544 |. 83C4 04        ADD ESP, 0x4
10021547 |> B8 C31D0610    MOV EAX, 10061DC3
1002154C |. 8945 FC        MOV [LOCAL.1], EAX
1002154F |. 8D45 FC        LEA EAX, [LOCAL.1]
10021552 |. 50             PUSH EAX
10021553 |. E8 BDAEFEFF    CALL 1000C415
10021558 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
1002155B |. 85DB           TEST EBX, EBX
1002155D |. 74 09          JE SHORT 10021568
1002155F |. 53             PUSH EBX
10021560 |. E8 F89A0000    CALL 1002B05D
10021565 |. 83C4 04        ADD ESP, 0x4
10021568 |> B8 241E0610    MOV EAX, 10061E24
1002156D |. 8945 FC        MOV [LOCAL.1], EAX
10021570 |. 8D45 FC        LEA EAX, [LOCAL.1]
10021573 |. 50             PUSH EAX
10021574 |. E8 9CAEFEFF    CALL 1000C415
10021579 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
1002157C |. 85DB           TEST EBX, EBX
1002157E |. 74 09          JE SHORT 10021589
10021580 |. 53             PUSH EBX
10021581 |. E8 D79A0000    CALL 1002B05D
10021586 |. 83C4 04        ADD ESP, 0x4
10021589 |> B8 851E0610    MOV EAX, 10061E85            ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
1002158E |. 8945 FC        MOV [LOCAL.1], EAX
10021591 |. 8D45 FC        LEA EAX, [LOCAL.1]
10021594 |. 50             PUSH EAX
10021595 |. E8 7BAEFEFF    CALL 1000C415
1002159A |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
1002159D |. 85DB           TEST EBX, EBX
1002159F |. 74 09          JE SHORT 100215AA
100215A1 |. 53             PUSH EBX
100215A2 |. E8 B69A0000    CALL 1002B05D
100215A7 |. 83C4 04        ADD ESP, 0x4
100215AA |> B8 E25E1A10    MOV EAX, 101A5EE2            ; ┣ 模块验证状态:不正常 (module verification status: abnormal)
100215AF |. 8945 FC        MOV [LOCAL.1], EAX
100215B2 |. 8D45 FC        LEA EAX, [LOCAL.1]
100215B5 |. 50             PUSH EAX
100215B6 |. E8 5AAEFEFF    CALL 1000C415
100215BB |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
100215BE |. 85DB           TEST EBX, EBX
100215C0 |. 74 09          JE SHORT 100215CB
100215C2 |. 53             PUSH EBX
100215C3 |. E8 959A0000    CALL 1002B05D
100215C8 |. 83C4 04        ADD ESP, 0x4
100215CB |> B8 851E0610    MOV EAX, 10061E85            ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
100215D0 |. 8945 FC        MOV [LOCAL.1], EAX
100215D3 |. 8D45 FC        LEA EAX, [LOCAL.1]
100215D6 |. 50             PUSH EAX
100215D7 |. E8 39AEFEFF    CALL 1000C415
100215DC |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
100215DF |. 85DB           TEST EBX, EBX
100215E1 |. 74 09          JE SHORT 100215EC
100215E3 |. 53             PUSH EBX
100215E4 |. E8 749A0000    CALL 1002B05D
100215E9 |. 83C4 04        ADD ESP, 0x4
100215EC |> B8 471F0610    MOV EAX, 10061F47            ; ┣ 当前模块版本:8.5.3 ┫ (current module version: 8.5.3)\r\n
100215F1 |. 8945 FC        MOV [LOCAL.1], EAX
100215F4 |. 8D45 FC        LEA EAX, [LOCAL.1]
100215F7 |. 50             PUSH EAX
100215F8 |. E8 18AEFEFF    CALL 1000C415
100215FD |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
10021600 |. 85DB           TEST EBX, EBX
10021602 |. 74 09          JE SHORT 1002160D
10021604 |. 53             PUSH EBX
10021605 |. E8 539A0000    CALL 1002B05D
1002160A |. 83C4 04        ADD ESP, 0x4
1002160D |> B8 851E0610    MOV EAX, 10061E85            ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
10021612 |. 8945 FC        MOV [LOCAL.1], EAX
10021615 |. 8D45 FC        LEA EAX, [LOCAL.1]
10021618 |. 50             PUSH EAX
10021619 |. E8 F7ADFEFF    CALL 1000C415
1002161E |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
10021621 |. 85DB           TEST EBX, EBX
10021623 |. 74 09          JE SHORT 1002162E
10021625 |. 53             PUSH EBX
10021626 |. E8 329A0000    CALL 1002B05D
1002162B |. 83C4 04        ADD ESP, 0x4
1002162E |> B8 A81F0610    MOV EAX, 10061FA8
10021633 |. 8945 FC        MOV [LOCAL.1], EAX
10021636 |. 8D45 FC        LEA EAX, [LOCAL.1]
10021639 |. 50             PUSH EAX
1002163A |. E8 D6ADFEFF    CALL 1000C415
1002163F |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
10021642 |. 85DB           TEST EBX, EBX
10021644 |. 74 09          JE SHORT 1002164F
10021646 |. 53             PUSH EBX
10021647 |. E8 119A0000    CALL 1002B05D
1002164C |. 83C4 04        ADD ESP, 0x4
1002164F |> B8 851E0610    MOV EAX, 10061E85            ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
10021654 |. 8945 FC        MOV [LOCAL.1], EAX
10021657 |. 8D45 FC        LEA EAX, [LOCAL.1]
1002165A |. 50             PUSH EAX
1002165B |. E8 B5ADFEFF    CALL 1000C415
10021660 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
10021663 |. 85DB           TEST EBX, EBX
10021665 |. 74 09          JE SHORT 10021670
10021667 |. 53             PUSH EBX
10021668 |. E8 F0990000    CALL 1002B05D
1002166D |. 83C4 04        ADD ESP, 0x4
10021670 |> 8BE5           MOV ESP, EBP
10021672 |. 5D             POP EBP                      ; ntdll.77351D36
10021673 \. C3             RETN
This function only prints the banner, so we need to find who calls it. The most common approach is to search for CALL 1002151D.
Press CTRL+S and search for that command directly.
This gives the following address:
10020A23 |> \E8 F50A0000    CALL 1002151D                ; status abnormal
Now we look for who jumps past the "abnormal" path.
100209CF |. E8 B6AEFEFF    CALL 1000B88A
100209D4 |. 8945 F8        MOV [LOCAL.2], EAX
100209D7 |. 837D F8 00     CMP [LOCAL.2], 0x0
100209DB |. 0F85 4C000000  JNZ 10020A2D
100209E1 |. B8 C96C0410    MOV EAX, 10046CC9            ; \r\n
100209E6 |. 8945 FC        MOV [LOCAL.1], EAX
100209E9 |. 8D45 FC        LEA EAX, [LOCAL.1]
100209EC |. 50             PUSH EAX
100209ED |. E8 23BAFEFF    CALL 1000C415
100209F2 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
100209F5 |. 85DB           TEST EBX, EBX
100209F7 |. 74 09          JE SHORT 10020A02
100209F9 |. 53             PUSH EBX
100209FA |. E8 5EA60000    CALL 1002B05D
100209FF |. 83C4 04        ADD ESP, 0x4
10020A02 |> B8 725E1A10    MOV EAX, 101A5E72            ; ★ ━━━━━━ xx dongle not detected, please insert the xx团 dongle before using the xx团 module! ━━━━━━\r\n
10020A07 |. 8945 FC        MOV [LOCAL.1], EAX
10020A0A |. 8D45 FC        LEA EAX, [LOCAL.1]
10020A0D |. 50             PUSH EAX
10020A0E |. E8 02BAFEFF    CALL 1000C415
10020A13 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
10020A16 |. 85DB           TEST EBX, EBX
10020A18 |. 74 09          JE SHORT 10020A23
10020A1A |. 53             PUSH EBX
10020A1B |. E8 3DA60000    CALL 1002B05D
10020A20 |. 83C4 04        ADD ESP, 0x4
10020A23 |> E8 F50A0000    CALL 1002151D                ; status abnormal
10020A28 |. E9 00000000    JMP 10020A2D
10020A2D |> 68 649E1A10    PUSH 101A9E64                ; see who jumps here
OllyDbg shows: Jumps from 10020318, 100209DB, 10020A28
There are three jump sources; check them one by one.
10020A28 is just the previous line (a fall-through JMP to the next instruction), so ignore it.
10020318 is a long-range jump from far away; patching it would probably disable part of the module's functionality.
100209DB looks most likely.
Analyse the nearby code:
100209CF |. E8 B6AEFEFF    CALL 1000B88A
100209D4 |. 8945 F8        MOV [LOCAL.2], EAX
100209D7 |. 837D F8 00     CMP [LOCAL.2], 0x0
100209DB |. 0F85 4C000000  JNZ 10020A2D
Clearly the return value of CALL 1000B88A decides the jump. By convention 1 means success and 0 means failure, and the CMP against 0 confirms it: any non-zero return takes the JNZ and skips the dongle error and the "abnormal" banner. Let's step into the call.
This call is fairly long:
1000B88A /$ 55             PUSH EBP
1000B88B |. 8BEC           MOV EBP, ESP
1000B88D |. 81EC 38000000  SUB ESP, 0x38
1000B893 |. C745 FC 00000000 MOV [LOCAL.1], 0x0
1000B89A |. 68 2C000000    PUSH 0x2C
1000B89F |. E8 B3F70100    CALL 1002B057
1000B8A4 |. 83C4 04        ADD ESP, 0x4
1000B8A7 |. 8945 F8        MOV [LOCAL.2], EAX
1000B8AA |. 8BF8           MOV EDI, EAX
1000B8AC |. BE 3E1D0610    MOV ESI, 10061D3E
1000B8B1 |. AD             LODS DWORD PTR DS:[ESI]
1000B8B2 |. AB             STOS DWORD PTR ES:[EDI]
1000B8B3 |. AD             LODS DWORD PTR DS:[ESI]
1000B8B4 |. AB             STOS DWORD PTR ES:[EDI]
1000B8B5 |. 33C0           XOR EAX, EAX
1000B8B7 |. B9 09000000    MOV ECX, 0x9
1000B8BC |. F3:AB          REP STOS DWORD PTR ES:[EDI]
1000B8BE |. B8 286D0410    MOV EAX, 10046D28
1000B8C3 |. 85C0           TEST EAX, EAX
1000B8C5 |. 74 13          JE SHORT 1000B8DA
1000B8C7 |. 50             PUSH EAX
1000B8C8 |. 8B40 04        MOV EAX, DWORD PTR DS:[EAX+4]
1000B8CB |. 83C0 08        ADD EAX, 0x8
1000B8CE |. 50             PUSH EAX
1000B8CF |. E8 83F70100    CALL 1002B057
1000B8D4 |. 59             POP ECX                      ; ntdll.77351D36
1000B8D5 |. 5E             POP ESI                      ; ntdll.77351D36
1000B8D6 |. 8BF8           MOV EDI, EAX
1000B8D8 |. F3:A4          REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]
1000B8DA |> 50             PUSH EAX
1000B8DB |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
1000B8DE |. 85DB           TEST EBX, EBX
1000B8E0 |. 74 09          JE SHORT 1000B8EB
1000B8E2 |. 53             PUSH EBX
1000B8E3 |. E8 75F70100    CALL 1002B05D
1000B8E8 |. 83C4 04        ADD ESP, 0x4
1000B8EB |> 58             POP EAX                      ; ntdll.77351D36
1000B8EC |. 8945 FC        MOV [LOCAL.1], EAX
1000B8EF |. 833D D49D1A10 00 CMP DWORD PTR DS:[101A9DD4], 0x0
1000B8F6 |. 0F85 19000000  JNZ 1000B915
1000B8FC |. 8D45 FC        LEA EAX, [LOCAL.1]
1000B8FF |. 50             PUSH EAX
1000B900 |. E8 B0050000    CALL 1000BEB5
1000B905 |. 50             PUSH EAX
1000B906 |. E8 C9050000    CALL 1000BED4
1000B90B |. A3 D49D1A10    MOV DWORD PTR DS:[101A9DD4], EAX
1000B910 |. E9 00000000    JMP 1000B915
1000B915 |> 68 010100A0    PUSH 0xA0000101
1000B91A |. 6A 00          PUSH 0x0
1000B91C |. 68 301D0610    PUSH 10061D30
1000B921 |. 68 01000000    PUSH 0x1
1000B926 |. BB 68010000    MOV EBX, 0x168
1000B92B |. E8 20080200    CALL 1002C150
1000B930 |. 83C4 10        ADD ESP, 0x10
1000B933 |. 8945 F4        MOV [LOCAL.3], EAX
1000B936 |. 8D45 F4        LEA EAX, [LOCAL.3]
1000B939 |. 50             PUSH EAX
1000B93A |. FF35 D49D1A10  PUSH DWORD PTR DS:[101A9DD4]
1000B940 |. E8 98070000    CALL 1000C0DD
1000B945 |. 8945 F0        MOV [LOCAL.4], EAX
1000B948 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000B94B |. 85DB           TEST EBX, EBX
1000B94D |. 74 09          JE SHORT 1000B958
1000B94F |. 53             PUSH EBX
1000B950 |. E8 08F70100    CALL 1002B05D
1000B955 |. 83C4 04        ADD ESP, 0x4
1000B958 |> 8B45 F0        MOV EAX, [LOCAL.4]
1000B95B |. A3 D89D1A10    MOV DWORD PTR DS:[101A9DD8], EAX
1000B960 |. 68 01030080    PUSH 0x80000301
1000B965 |. 6A 00          PUSH 0x0
1000B967 |. 68 4A000000    PUSH 0x4A
1000B96C |. 68 01030080    PUSH 0x80000301
1000B971 |. 6A 00          PUSH 0x0
1000B973 |. 68 6B7F0000    PUSH 0x7F6B
1000B978 |. 68 02000000    PUSH 0x2
1000B97D |. BB CC000000    MOV EBX, 0xCC
1000B982 |. E8 69340200    CALL 1002EDF0
1000B987 |. 83C4 1C        ADD ESP, 0x1C
1000B98A |. 66:A3 DC9D1A10 MOV WORD PTR DS:[101A9DDC], AX
1000B990 |. 68 01030080    PUSH 0x80000301
1000B995 |. 6A 00          PUSH 0x0
1000B997 |. 68 4A000000    PUSH 0x4A
1000B99C |. 68 01030080    PUSH 0x80000301
1000B9A1 |. 6A 00          PUSH 0x0
1000B9A3 |. 68 9A500000    PUSH 0x509A
1000B9A8 |. 68 02000000    PUSH 0x2
1000B9AD |. BB CC000000    MOV EBX, 0xCC
1000B9B2 |. E8 39340200    CALL 1002EDF0
1000B9B7 |. 83C4 1C        ADD ESP, 0x1C
1000B9BA |. 66:A3 E09D1A10 MOV WORD PTR DS:[101A9DE0], AX
1000B9C0 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000B9C3 |. E8 FD64FFFF    CALL 10001EC5
1000B9C8 |. B8 00000000    MOV EAX, 0x0
1000B9CD |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000B9CF |. 7C 0D          JL SHORT 1000B9DE
1000B9D1 |. 68 01000000    PUSH 0x1
1000B9D6 |. E8 88F60100    CALL 1002B063
1000B9DB |. 83C4 04        ADD ESP, 0x4
1000B9DE |> C1E0 02        SHL EAX, 0x2
1000B9E1 |. 03D8           ADD EBX, EAX
1000B9E3 |. 895D F4        MOV [LOCAL.3], EBX
1000B9E6 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000B9E9 |. C703 01000000  MOV DWORD PTR DS:[EBX], 0x1
1000B9EF |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000B9F2 |. E8 CE64FFFF    CALL 10001EC5
1000B9F7 |. B8 01000000    MOV EAX, 0x1
1000B9FC |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000B9FE |. 7C 0D          JL SHORT 1000BA0D
1000BA00 |. 68 01000000    PUSH 0x1
1000BA05 |. E8 59F60100    CALL 1002B063
1000BA0A |. 83C4 04        ADD ESP, 0x4
1000BA0D |> C1E0 02        SHL EAX, 0x2
1000BA10 |. 03D8           ADD EBX, EAX
1000BA12 |. 895D F4        MOV [LOCAL.3], EBX
1000BA15 |. 68 01020080    PUSH 0x80000201
1000BA1A |. 6A 00          PUSH 0x0
1000BA1C |. 68 E49D1A10    PUSH 101A9DE4
1000BA21 |. 68 01000000    PUSH 0x1
1000BA26 |. BB 0C000000    MOV EBX, 0xC
1000BA2B |. B8 60300310    MOV EAX, 10033060
1000BA30 |. E8 9BFC0100    CALL 1002B6D0
1000BA35 |. 83C4 10        ADD ESP, 0x10
1000BA38 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BA3B |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BA3D |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BA40 |. E8 8064FFFF    CALL 10001EC5
1000BA45 |. B8 02000000    MOV EAX, 0x2
1000BA4A |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BA4C |. 7C 0D          JL SHORT 1000BA5B
1000BA4E |. 68 01000000    PUSH 0x1
1000BA53 |. E8 0BF60100    CALL 1002B063
1000BA58 |. 83C4 04        ADD ESP, 0x4
1000BA5B |> C1E0 02        SHL EAX, 0x2
1000BA5E |. 03D8           ADD EBX, EAX
1000BA60 |. 895D F4        MOV [LOCAL.3], EBX
1000BA63 |. 68 01040080    PUSH 0x80000401
1000BA68 |. 6A 00          PUSH 0x0
1000BA6A |. 68 E89D1A10    PUSH 101A9DE8
1000BA6F |. 68 01000000    PUSH 0x1
1000BA74 |. BB 0C000000    MOV EBX, 0xC
1000BA79 |. B8 60300310    MOV EAX, 10033060
1000BA7E |. E8 4DFC0100    CALL 1002B6D0
1000BA83 |. 83C4 10        ADD ESP, 0x10
1000BA86 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BA89 |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BA8B |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BA8E |. E8 3264FFFF    CALL 10001EC5
1000BA93 |. B8 03000000    MOV EAX, 0x3
1000BA98 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BA9A |. 7C 0D          JL SHORT 1000BAA9
1000BA9C |. 68 01000000    PUSH 0x1
1000BAA1 |. E8 BDF50100    CALL 1002B063
1000BAA6 |. 83C4 04        ADD ESP, 0x4
1000BAA9 |> C1E0 02        SHL EAX, 0x2
1000BAAC |. 03D8           ADD EBX, EAX
1000BAAE |. 895D F4        MOV [LOCAL.3], EBX
1000BAB1 |. 68 01040080    PUSH 0x80000401
1000BAB6 |. 6A 00          PUSH 0x0
1000BAB8 |. 68 F09D1A10    PUSH 101A9DF0
1000BABD |. 68 01000000    PUSH 0x1
1000BAC2 |. BB 0C000000    MOV EBX, 0xC
1000BAC7 |. B8 60300310    MOV EAX, 10033060
1000BACC |. E8 FFFB0100    CALL 1002B6D0
1000BAD1 |. 83C4 10        ADD ESP, 0x10
1000BAD4 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BAD7 |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BAD9 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BADC |. E8 E463FFFF    CALL 10001EC5
1000BAE1 |. B8 04000000    MOV EAX, 0x4
1000BAE6 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BAE8 |. 7C 0D          JL SHORT 1000BAF7
1000BAEA |. 68 01000000    PUSH 0x1
1000BAEF |. E8 6FF50100    CALL 1002B063
1000BAF4 |. 83C4 04        ADD ESP, 0x4
1000BAF7 |> C1E0 02        SHL EAX, 0x2
1000BAFA |. 03D8           ADD EBX, EAX
1000BAFC |. 895D F4        MOV [LOCAL.3], EBX
1000BAFF |. 68 01020080    PUSH 0x80000201
1000BB04 |. 6A 00          PUSH 0x0
1000BB06 |. 68 DC9D1A10    PUSH 101A9DDC
1000BB0B |. 68 01000000    PUSH 0x1
1000BB10 |. BB 0C000000    MOV EBX, 0xC
1000BB15 |. B8 60300310    MOV EAX, 10033060
1000BB1A |. E8 B1FB0100    CALL 1002B6D0
1000BB1F |. 83C4 10        ADD ESP, 0x10
1000BB22 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BB25 |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BB27 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BB2A |. E8 9663FFFF    CALL 10001EC5
1000BB2F |. B8 05000000    MOV EAX, 0x5
1000BB34 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BB36 |. 7C 0D          JL SHORT 1000BB45
1000BB38 |. 68 01000000    PUSH 0x1
1000BB3D |. E8 21F50100    CALL 1002B063
1000BB42 |. 83C4 04        ADD ESP, 0x4
1000BB45 |> C1E0 02        SHL EAX, 0x2
1000BB48 |. 03D8           ADD EBX, EAX
1000BB4A |. 895D F4        MOV [LOCAL.3], EBX
1000BB4D |. 68 01020080    PUSH 0x80000201
1000BB52 |. 6A 00          PUSH 0x0
1000BB54 |. 68 E09D1A10    PUSH 101A9DE0
1000BB59 |. 68 01000000    PUSH 0x1
1000BB5E |. BB 0C000000    MOV EBX, 0xC
1000BB63 |. B8 60300310    MOV EAX, 10033060
1000BB68 |. E8 63FB0100    CALL 1002B6D0
1000BB6D |. 83C4 10        ADD ESP, 0x10
1000BB70 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BB73 |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BB75 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BB78 |. E8 4863FFFF    CALL 10001EC5
1000BB7D |. B8 06000000    MOV EAX, 0x6
1000BB82 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BB84 |. 7C 0D          JL SHORT 1000BB93
1000BB86 |. 68 01000000    PUSH 0x1
1000BB8B |. E8 D3F40100    CALL 1002B063
1000BB90 |. 83C4 04        ADD ESP, 0x4
1000BB93 |> C1E0 02        SHL EAX, 0x2
1000BB96 |. 03D8           ADD EBX, EAX
1000BB98 |. 895D F4        MOV [LOCAL.3], EBX
1000BB9B |. 68 01020080    PUSH 0x80000201
1000BBA0 |. 6A 00          PUSH 0x0
1000BBA2 |. 68 F89D1A10    PUSH 101A9DF8
1000BBA7 |. 68 01000000    PUSH 0x1
1000BBAC |. BB 0C000000    MOV EBX, 0xC
1000BBB1 |. B8 60300310    MOV EAX, 10033060
1000BBB6 |. E8 15FB0100    CALL 1002B6D0
1000BBBB |. 83C4 10        ADD ESP, 0x10
1000BBBE |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BBC1 |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BBC3 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BBC6 |. E8 FA62FFFF    CALL 10001EC5
1000BBCB |. B8 07000000    MOV EAX, 0x7
1000BBD0 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BBD2 |. 7C 0D          JL SHORT 1000BBE1
1000BBD4 |. 68 01000000    PUSH 0x1
1000BBD9 |. E8 85F40100    CALL 1002B063
1000BBDE |. 83C4 04        ADD ESP, 0x4
1000BBE1 |> C1E0 02        SHL EAX, 0x2
1000BBE4 |. 03D8           ADD EBX, EAX
1000BBE6 |. 895D F4        MOV [LOCAL.3], EBX
1000BBE9 |. 68 01020080    PUSH 0x80000201
1000BBEE |. 6A 00          PUSH 0x0
1000BBF0 |. 68 FC9D1A10    PUSH 101A9DFC
1000BBF5 |. 68 01000000    PUSH 0x1
1000BBFA |. BB 0C000000    MOV EBX, 0xC
1000BBFF |. B8 60300310    MOV EAX, 10033060
1000BC04 |. E8 C7FA0100    CALL 1002B6D0
1000BC09 |. 83C4 10        ADD ESP, 0x10
1000BC0C |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BC0F |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BC11 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BC14 |. E8 AC62FFFF    CALL 10001EC5
1000BC19 |. B8 08000000    MOV EAX, 0x8
1000BC1E |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BC20 |. 7C 0D          JL SHORT 1000BC2F
1000BC22 |. 68 01000000    PUSH 0x1
1000BC27 |. E8 37F40100    CALL 1002B063
1000BC2C |. 83C4 04        ADD ESP, 0x4
1000BC2F |> C1E0 02        SHL EAX, 0x2
1000BC32 |. 03D8           ADD EBX, EAX
1000BC34 |. 895D F4        MOV [LOCAL.3], EBX
1000BC37 |. 68 05000080    PUSH 0x80000005
1000BC3C |. 6A 00          PUSH 0x0
1000BC3E |. 68 009E1A10    PUSH 101A9E00
1000BC43 |. 68 01000000    PUSH 0x1
1000BC48 |. BB 0C000000    MOV EBX, 0xC
1000BC4D |. B8 60300310    MOV EAX, 10033060
1000BC52 |. E8 79FA0100    CALL 1002B6D0
1000BC57 |. 83C4 10        ADD ESP, 0x10
1000BC5A |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BC5D |. 8903           MOV DWORD PTR DS:[EBX], EAX
1000BC5F |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BC62 |. E8 5E62FFFF    CALL 10001EC5
1000BC67 |. B8 00000000    MOV EAX, 0x0
1000BC6C |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BC6E |. 7C 0D          JL SHORT 1000BC7D
1000BC70 |. 68 01000000    PUSH 0x1
1000BC75 |. E8 E9F30100    CALL 1002B063
1000BC7A |. 83C4 04        ADD ESP, 0x4
1000BC7D |> C1E0 02        SHL EAX, 0x2
1000BC80 |. 03D8           ADD EBX, EAX
1000BC82 |. 895D F4        MOV [LOCAL.3], EBX
1000BC85 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BC88 |. E8 3862FFFF    CALL 10001EC5
1000BC8D |. B8 01000000    MOV EAX, 0x1
1000BC92 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BC94 |. 7C 0D          JL SHORT 1000BCA3
1000BC96 |. 68 01000000    PUSH 0x1
1000BC9B |. E8 C3F30100    CALL 1002B063
1000BCA0 |. 83C4 04        ADD ESP, 0x4
1000BCA3 |> C1E0 02        SHL EAX, 0x2
1000BCA6 |. 03D8           ADD EBX, EAX
1000BCA8 |. 895D F0        MOV [LOCAL.4], EBX
1000BCAB |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BCAE |. E8 1262FFFF    CALL 10001EC5
1000BCB3 |. B8 02000000    MOV EAX, 0x2
1000BCB8 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BCBA |. 7C 0D          JL SHORT 1000BCC9
1000BCBC |. 68 01000000    PUSH 0x1
1000BCC1 |. E8 9DF30100    CALL 1002B063
1000BCC6 |. 83C4 04        ADD ESP, 0x4
1000BCC9 |> C1E0 02        SHL EAX, 0x2
1000BCCC |. 03D8           ADD EBX, EAX
1000BCCE |. 895D EC        MOV [LOCAL.5], EBX
1000BCD1 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BCD4 |. E8 EC61FFFF    CALL 10001EC5
1000BCD9 |. B8 03000000    MOV EAX, 0x3
1000BCDE |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BCE0 |. 7C 0D          JL SHORT 1000BCEF
1000BCE2 |. 68 01000000    PUSH 0x1
1000BCE7 |. E8 77F30100    CALL 1002B063
1000BCEC |. 83C4 04        ADD ESP, 0x4
1000BCEF |> C1E0 02        SHL EAX, 0x2
1000BCF2 |. 03D8           ADD EBX, EAX
1000BCF4 |. 895D E8        MOV [LOCAL.6], EBX
1000BCF7 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BCFA |. E8 C661FFFF    CALL 10001EC5
1000BCFF |. B8 04000000    MOV EAX, 0x4
1000BD04 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BD06 |. 7C 0D          JL SHORT 1000BD15
1000BD08 |. 68 01000000    PUSH 0x1
1000BD0D |. E8 51F30100    CALL 1002B063
1000BD12 |. 83C4 04        ADD ESP, 0x4
1000BD15 |> C1E0 02        SHL EAX, 0x2
1000BD18 |. 03D8           ADD EBX, EAX
1000BD1A |. 895D E4        MOV [LOCAL.7], EBX
1000BD1D |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BD20 |. E8 A061FFFF    CALL 10001EC5
1000BD25 |. B8 05000000    MOV EAX, 0x5
1000BD2A |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BD2C |. 7C 0D          JL SHORT 1000BD3B
1000BD2E |. 68 01000000    PUSH 0x1
1000BD33 |. E8 2BF30100    CALL 1002B063
1000BD38 |. 83C4 04        ADD ESP, 0x4
1000BD3B |> C1E0 02        SHL EAX, 0x2
1000BD3E |. 03D8           ADD EBX, EAX
1000BD40 |. 895D E0        MOV [LOCAL.8], EBX
1000BD43 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BD46 |. E8 7A61FFFF    CALL 10001EC5
1000BD4B |. B8 06000000    MOV EAX, 0x6
1000BD50 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BD52 |. 7C 0D          JL SHORT 1000BD61
1000BD54 |. 68 01000000    PUSH 0x1
1000BD59 |. E8 05F30100    CALL 1002B063
1000BD5E |. 83C4 04        ADD ESP, 0x4
1000BD61 |> C1E0 02        SHL EAX, 0x2
1000BD64 |. 03D8           ADD EBX, EAX
1000BD66 |. 895D DC        MOV [LOCAL.9], EBX
1000BD69 |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BD6C |. E8 5461FFFF    CALL 10001EC5
1000BD71 |. B8 07000000    MOV EAX, 0x7
1000BD76 |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BD78 |. 7C 0D          JL SHORT 1000BD87
1000BD7A |. 68 01000000    PUSH 0x1
1000BD7F |. E8 DFF20100    CALL 1002B063
1000BD84 |. 83C4 04        ADD ESP, 0x4
1000BD87 |> C1E0 02        SHL EAX, 0x2
1000BD8A |. 03D8           ADD EBX, EAX
1000BD8C |. 895D D8        MOV [LOCAL.10], EBX
1000BD8F |. 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BD92 |. E8 2E61FFFF    CALL 10001EC5
1000BD97 |. B8 08000000    MOV EAX, 0x8
1000BD9C |. 3BC1           CMP EAX, ECX                 ; Game-EC.<ModuleEntryPoint>
1000BD9E |. 7C 0D          JL SHORT 1000BDAD
1000BDA0 |. 68 01000000    PUSH 0x1
1000BDA5 |. E8 B9F20100    CALL 1002B063
1000BDAA |. 83C4 04        ADD ESP, 0x4
1000BDAD |> C1E0 02        SHL EAX, 0x2
1000BDB0 |. 03D8           ADD EBX, EAX
1000BDB2 |. 895D D4        MOV [LOCAL.11], EBX
1000BDB5 |. 6A 01          PUSH 0x1
1000BDB7 |. 8B5D D4        MOV EBX, [LOCAL.11]          ; oleaut32.75150000
1000BDBA |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDBC |. 6A 01          PUSH 0x1
1000BDBE |. 8B5D D8        MOV EBX, [LOCAL.10]
1000BDC1 |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDC3 |. 6A 01          PUSH 0x1
1000BDC5 |. 8B5D DC        MOV EBX, [LOCAL.9]           ; ntdll.77315558
1000BDC8 |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDCA |. 6A 01          PUSH 0x1
1000BDCC |. 8B5D E0        MOV EBX, [LOCAL.8]           ; oleaut32.<ModuleEntryPoint>
1000BDCF |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDD1 |. 6A 01          PUSH 0x1
1000BDD3 |. 8B5D E4        MOV EBX, [LOCAL.7]           ; ntdll.77351D36
1000BDD6 |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDD8 |. 6A 01          PUSH 0x1
1000BDDA |. 8B5D E8        MOV EBX, [LOCAL.6]           ; Game-EC.10000000
1000BDDD |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDDF |. 6A 01          PUSH 0x1
1000BDE1 |. 8B5D EC        MOV EBX, [LOCAL.5]
1000BDE4 |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDE6 |. 6A 01          PUSH 0x1
1000BDE8 |. 8B5D F0        MOV EBX, [LOCAL.4]
1000BDEB |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDED |. 6A 01          PUSH 0x1
1000BDEF |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BDF2 |. FF33           PUSH DWORD PTR DS:[EBX]
1000BDF4 |. FF35 D89D1A10  PUSH DWORD PTR DS:[101A9DD8]
1000BDFA |. E8 8D020000    CALL 1000C08C
1000BDFF |. 8945 CC        MOV [LOCAL.13], EAX
1000BE02 |. 837D CC 03     CMP [LOCAL.13], 0x3
1000BE06 |. 0F85 0A000000  JNZ 1000BE16
1000BE0C |. B8 00000000    MOV EAX, 0x0
1000BE11 |. E9 7D000000    JMP 1000BE93
1000BE16 |> 68 01040080    PUSH 0x80000401
1000BE1B |. FF35 EC9D1A10  PUSH DWORD PTR DS:[101A9DEC]
1000BE21 |. FF35 E89D1A10  PUSH DWORD PTR DS:[101A9DE8]
1000BE27 |. 68 01000000    PUSH 0x1
1000BE2C |. BB 68010000    MOV EBX, 0x168
1000BE31 |. E8 1A030200    CALL 1002C150
1000BE36 |. 83C4 10        ADD ESP, 0x10
1000BE39 |. 8945 F4        MOV [LOCAL.3], EAX
1000BE3C |. 68 04000080    PUSH 0x80000004
1000BE41 |. 6A 00          PUSH 0x0
1000BE43 |. 8B45 F4        MOV EAX, [LOCAL.3]
1000BE46 |. 85C0           TEST EAX, EAX
1000BE48 |. 75 05          JNZ SHORT 1000BE4F
1000BE4A |. B8 4B520410    MOV EAX, 1004524B
1000BE4F |> 50             PUSH EAX
1000BE50 |. 68 01000000    PUSH 0x1
1000BE55 |. BB 30010000    MOV EBX, 0x130
1000BE5A |. E8 21FA0100    CALL 1002B880
1000BE5F |. 83C4 10        ADD ESP, 0x10
1000BE62 |. 8945 F0        MOV [LOCAL.4], EAX
1000BE65 |. 8B5D F4        MOV EBX, [LOCAL.3]
1000BE68 |. 85DB           TEST EBX, EBX
1000BE6A |. 74 09          JE SHORT 1000BE75
1000BE6C |. 53             PUSH EBX
1000BE6D |. E8 EBF10100    CALL 1002B05D
1000BE72 |. 83C4 04        ADD ESP, 0x4
1000BE75 |> 837D F0 0A     CMP [LOCAL.4], 0xA
1000BE79 |. 0F85 0A000000  JNZ 1000BE89
1000BE7F |. B8 01000000    MOV EAX, 0x1
1000BE84 |. E9 0A000000    JMP 1000BE93
1000BE89 |> B8 00000000    MOV EAX, 0x0
1000BE8E |. E9 00000000    JMP 1000BE93
1000BE93 |> 50             PUSH EAX
1000BE94 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
1000BE97 |. 85DB           TEST EBX, EBX
1000BE99 |. 74 09          JE SHORT 1000BEA4
1000BE9B |. 53             PUSH EBX
1000BE9C |. E8 BCF10100    CALL 1002B05D
1000BEA1 |. 83C4 04        ADD ESP, 0x4
1000BEA4 |> 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BEA7 |. 53             PUSH EBX
1000BEA8 |. E8 B0F10100    CALL 1002B05D
1000BEAD |. 83C4 04        ADD ESP, 0x4
1000BEB0 |. 58             POP EAX                      ; ntdll.77351D36
1000BEB1 |. 8BE5           MOV ESP, EBP
1000BEB3 |. 5D             POP EBP                      ; ntdll.77351D36
1000BEB4 \. C3             RETN
Focus on the tail of the function; what matters is where EAX gets its value.
1000BE93 is only reached by jumps, so look at it to determine the return value. EAX is pushed on entry and popped again right before the MOV ESP, EBP, so the two CALL 1002B05D (freeing the locals) do not disturb the return value:
1000BE93 |> \50            PUSH EAX
1000BE94 |. 8B5D FC        MOV EBX, [LOCAL.1]           ; Game-EC.10000000
1000BE97 |. 85DB           TEST EBX, EBX
1000BE99 |. 74 09          JE SHORT 1000BEA4
1000BE9B |. 53             PUSH EBX
1000BE9C |. E8 BCF10100    CALL 1002B05D
1000BEA1 |. 83C4 04        ADD ESP, 0x4
1000BEA4 |> 8B5D F8        MOV EBX, [LOCAL.2]           ; Game-EC.<ModuleEntryPoint>
1000BEA7 |. 53             PUSH EBX
1000BEA8 |. E8 B0F10100    CALL 1002B05D
1000BEAD |. 83C4 04        ADD ESP, 0x4
1000BEB0 |. 58             POP EAX                      ; ntdll.77351D36
1000BEB1 |. 8BE5           MOV ESP, EBP
1000BEB3 |. 5D             POP EBP                      ; ntdll.77351D36
1000BEB4 \. C3             RETN
EAX=00000000 (the register value OllyDbg shows here, i.e. the check currently fails)
OllyDbg shows: Jumps from 1000BE11, 1000BE84, 1000BE8E
Again, look at them one by one:
1000BE0C |. B8 00000000    MOV EAX, 0x0
1000BE11 |. E9 7D000000    JMP 1000BE93
1000BE7F |. B8 01000000    MOV EAX, 0x1
1000BE84 |. E9 0A000000    JMP 1000BE93
1000BE89 |> B8 00000000    MOV EAX, 0x0
1000BE8E |. E9 00000000    JMP 1000BE93
So we only need the function to return 1. There are many ways to do that:
1. Change the MOV EAX, 0x0 at the two failure paths (1000BE0C and 1000BE89) to MOV EAX, 0x1.
2. Change the conditional jumps in the middle (1000BE06 and 1000BE79).
3. Keep digging for the core verification routine.
4. Add code at the function epilogue.
I chose option 4, adding code in a code cave. There is no room to insert a MOV EAX, 0x1 in the epilogue itself, but the four epilogue instructions (58 8BE5 5D C3) are exactly 5 bytes, the size of a JMP rel32, so they can be replaced by a jump to free space that re-executes them with the MOV added.
Original epilogue:
1000BEB0 |. 58             POP EAX                      ; ntdll.77351D36
1000BEB1    8BE5           MOV ESP, EBP
1000BEB3    5D             POP EBP                      ; ntdll.77351D36
1000BEB4    C3             RETN
Replace it with a JMP to an empty area (code cave), and put the following there:
1001B0D5    58             POP EAX                      ; ntdll.77351D36
1001B0D6    B8 01000000    MOV EAX, 0x1
1001B0DB    8BE5           MOV ESP, EBP
1001B0DD    5D             POP EBP                      ; ntdll.77351D36
1001B0DE    C3             RETN
Then save the patched module and overwrite the support library with it. Close Easy Language and reopen the source: the unauthorised-module prompt is gone.
The debug output is normal.
A static compile test also works normally.
This article is for learning and discussion only; no finished product is provided. Because the module's references and downloads all involve advertising content, it is not shared. If you need the sample, send me a private message.
If this violates the rules, please delete it.
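The post applies the patch interactively in OllyDbg and saves from there. As an added example (not the original post's tool, and not part of Game-EC), here is a stand-alone Python script that makes the same two edits on the file on disk: it walks the PE section table to turn the two virtual addresses into file offsets, refuses to run unless the original 5-byte epilogue is present and the cave is still empty padding, then writes the cave code and the JMP. The addresses and byte patterns are taken from the dumps above; the command-line file names are assumptions, and build_sample_pe() is constructed test data, not a real .fne.

```python
"""Apply the Game-EC.fne epilogue patch from the post to a file on disk.

Added example, not the original post's tool. Addresses/bytes come from the
post; build_sample_pe() is a constructed stand-in used only for self-test.
"""
import struct
import sys

EPILOGUE_VA = 0x1000BEB0  # POP EAX / MOV ESP,EBP / POP EBP / RETN of 1000B88A
CAVE_VA = 0x1001B0D5      # empty area the post jumps to
# 58 8BE5 5D C3: POP EAX; MOV ESP,EBP; POP EBP; RETN (5 bytes, same as JMP rel32)
ORIG_EPILOGUE = bytes.fromhex("588BE55DC3")
# 58 B8 01000000 8BE5 5D C3: POP EAX; MOV EAX,1; MOV ESP,EBP; POP EBP; RETN
CAVE_CODE = bytes.fromhex("58B8010000008BE55DC3")


def pe_sections(img):
    """Return (image_base, [(va_start, raw_size, raw_ptr), ...]) of a PE32 file."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", img, 0x3C)[0]           # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:    # PE32 magic
        raise ValueError("not a 32-bit PE32 image")
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    secs = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", img, s + 8)
        secs.append((image_base + va, raw_size, raw_ptr))
    return image_base, secs


def va_to_off(img, va):
    """Map a virtual address to the file offset that backs it."""
    _, secs = pe_sections(img)
    for start, raw_size, raw_ptr in secs:
        if start <= va < start + raw_size:
            return raw_ptr + (va - start)
    raise ValueError(f"VA {va:#x} is not backed by file data")


def jmp_rel32(src, dst):
    """Encode `JMP dst` located at src: E9 + signed displacement from the next instruction."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def apply_patch(img):
    """Return a patched copy, or raise if the file does not look like the expected version."""
    out = bytearray(img)
    ep, cave = va_to_off(img, EPILOGUE_VA), va_to_off(img, CAVE_VA)
    if out[ep:ep + 5] != ORIG_EPILOGUE:
        raise ValueError("epilogue bytes differ: wrong module version or already patched")
    if any(b not in (0x00, 0xCC) for b in out[cave:cave + len(CAVE_CODE)]):
        raise ValueError("code cave is not empty padding")
    out[cave:cave + len(CAVE_CODE)] = CAVE_CODE
    out[ep:ep + 5] = jmp_rel32(EPILOGUE_VA, CAVE_VA)  # exactly overwrites the 5-byte epilogue
    return bytes(out)


def build_sample_pe():
    """Constructed stand-in for Game-EC.fne: one .text section (RVA 0x1000, raw 0x400)
    holding the real epilogue bytes at 1000BEB0 and zero padding at 1001B0D5."""
    base, text_va, text_raw, text_size = 0x10000000, 0x1000, 0x400, 0x1B000
    img = bytearray(text_raw + text_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)     # Machine = i386, 1 section
    struct.pack_into("<H", img, 0x94, 0xE0)          # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x98, 0x10B)         # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, base)     # ImageBase
    sec = 0x98 + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, text_size, text_va, text_size, text_raw)
    off = text_raw + (EPILOGUE_VA - base - text_va)
    img[off:off + 5] = ORIG_EPILOGUE
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python patch_fne.py Game-EC.fne Game-EC.patched.fne (assumed names)
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(apply_patch(data))
    else:                    # no file given: self-check against the constructed sample
        patched = apply_patch(build_sample_pe())
        print("sample patched, cave at file offset", hex(va_to_off(patched, CAVE_VA)))
```

Because a rel32 JMP encodes a displacement rather than an absolute address, the patch stays valid if the DLL is relocated away from its preferred base of 10000000, so no relocation entry has to be added. The padding check is only a sanity test: confirm in the debugger that 1001B0D5 is really unused in your copy of the module, since a different build will lay the code out differently and both addresses will move.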
Big Chong hasn't shown up in a long time!
yy5201314 posted on 2021-3-22 13:33:
Impressive, master. I haven't used this module in a long time; I basically just use the 精易 module now.
Impressive, master. I haven't used this module in a long time; I basically just use the 精易 module now.
I don't use this module either; the 精易 module lacks a lot of functionality. I write my own modules.
Awesome work, but as a newbie I still can't follow it. I'll just keep learning Easy Language slowly.
Enlightening, but I still couldn't do it myself. Hoping for a PM with a finished build.
Discuss with care and we all improve!
I've only had a brief look at Easy Language; I don't really understand it yet.
Waiting for other experts' finished builds.
Thanks! Thanks for sharing.
So many reversing tutorials, plenty for me to learn from.
This tutorial feels far too hard for a beginner like me.
I didn't understand what the "xx团 module" means.