Starting from the conclusions of someone else's reverse-engineering work, then reversing and studying it again:
This post was last edited by 冥界3大法王 on 2014-3-7 12:34.
I suddenly came across a cracked build of 按键精灵 on some forum:
1. No ads on launch or exit
2. Generating 小精灵 (the mini-script executables) without logging in or going online
3. The generated 小精灵 carry no ads
4. The resource library imports directly ZZZZZZZZ
I tested it in actual use: his assembly-level approach is a bit more concise than mine, but his ad removal is less thorough than my way, and the hardest thing to tolerate is that he did not NOP out the startup patch bar of 按键精灵 (if you haven't patched that out, the startup of 按键精灵 is directly slowed down, even if you are using the genuine version).
Given: from analysis in WinHEX:
1. 按键精灵9.XX.exe: 9,756,200 bytes
2. 按键精灵9.XX破解版.exe (the cracked build): 9,756,200 bytes
Offsets (hexadecimal); each row is file offset: original byte, patched byte, then the corresponding VA:
1B8: 9F 92 :4001b8 -----A
1B9: D6 17
1EC: 30 BE :4001EC -----B
1ED: 06 02
2D8: 30 BE :4002D8 -----C
2D9: 06 02
20D4: 0F E9 :004020D4 /E9 53040000 jmp 0040252C -----D
20D5: 8E 53
20D6: 52 04
20D7: 04 00
20D9: 00 90
-----------------------------------------------
00402084 > \E8 B30C1100 call <jmp.&MFC42.#CString::~CString_800> 1
00402089 >8B46 10 mov eax, dword ptr
0040208C .8D4E 08 lea ecx, dword ptr
0040208F .3BC0 cmp eax, eax
00402091 .8B71 04 mov esi, dword ptr
00402094 .8BC8 mov ecx, eax
00402096 .74 0E je short 004020A6
00402098 >8B11 mov edx, dword ptr
0040209A .83C1 04 add ecx, 0x4
0040209D .8916 mov dword ptr , edx
0040209F .83C6 04 add esi, 0x4
004020A2 .3BC8 cmp ecx, eax
004020A4 .^ 75 F2 jnz short 00402098
004020A6 >8B4424 64 mov eax, dword ptr
004020AA .8D78 08 lea edi, dword ptr
004020AD .8BCF mov ecx, edi
004020AF .8B47 08 mov eax, dword ptr
004020B2 .50 push eax
004020B3 .56 push esi
004020B4 .E8 37220000 call 004042F0 2
004020B9 .8D6B 44 lea ebp, dword ptr
004020BC .8977 08 mov dword ptr , esi
004020BF .8BCD mov ecx, ebp
004020C1 .C74424 14 000>mov dword ptr , 0x0
004020C9 .896C24 28 mov dword ptr , ebp
004020CD E8 FEF50A00 call 004B16D0 3
004020D2 .85C0 test eax, eax
004020D4 0F8E 52040000 jle 0040252C ;this is the spot we change to a JMP
-----------------------------------------
From the DLL we see an address that returns into user code, which is the line below:
eax=00483BB0 (Z3_备份.00483BB0)
00483E26 E8 6558FFFF call 00479690 ;the damned startup patch call; once NOPed, startup is instant
00483E2B .85C0 test eax, eax
00483E2D .0F85 2F020000 jnz 00484062
00483E33 >8D4C24 18 lea ecx, dword ptr
00483E37 .E8 142E0800 call <jmp.&MFC42.#CString::CString_54>
00483E3C .68 78608300 push 00836078 ;ASCII "9.51.11790"
00483E41 .8D5424 1C lea edx, dword ptr
00483E45 .68 99000000 push 0x99
00483E4A .52 push edx
00483E4B .C68424 AC1000>mov byte ptr , 0x3
00483E53 .E8 A6310800 call <jmp.&MFC42.#CString::Format_281>
00483E58 .83C4 08 add esp, 0x8
00483E5B .8BCC mov ecx, esp
00483E5D .896424 28 mov dword ptr , esp
00483E61 .68 18638300 push 00836318 ;ASCII "?lan=chs"
----------------------------------------
Note: for the addresses above, if you enter 1B8 into a virtual-address conversion tool you will not get the correct offset address, so the right approach is to take the hex machine code seen in WinHEX and use F5 in HIEW to get there.
To prove: combine his conclusions with mine and remove what shouldn't be there.
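The byte-level comparison above, and the note about header offsets, can be reproduced with an ordinary PE-aware diff. The script below is an added example (not code from this post or from the authors of 按键精灵): it builds a small synthetic PE32 image, constructed inline as test data, compares a reference copy against a modified copy, and maps every differing file offset to its virtual address through the image's own section table. Offsets below SizeOfHeaders are mapped 1:1 (ImageBase + offset), which is exactly why a converter that only consults the section table gives nothing useful for 1B8, 1EC and 2D8. The 0x400000 image base and the section layout are assumptions chosen to match the addresses quoted in the post; a real file would be read with open(path, "rb").read() in place of build_sample_pe(). Comparing a deployed binary against a vendor's known-good copy is also how a defender spots tampering after the fact, which is the use this example is written for.

```python
import struct

# Assumed image base for the constructed sample; consistent with the VAs quoted in the post
# (file offset 1B8 -> 4001B8), but an assumption, not a value read from the real binary.
IMAGE_BASE = 0x400000


def build_sample_pe(patches=None):
    """Construct a minimal synthetic PE32 image (constructed test data, not the real program).

    Layout: headers occupy 0x400 bytes, .text sits at raw offset 0x1000 / RVA 0x1000,
    .data at raw offset 0x3000 / RVA 0x5000 (raw offset != RVA, the general case).
    `patches` maps file offset -> byte value and simulates a modified copy.
    """
    # (name, RVA, VirtualSize, PointerToRawData, SizeOfRawData)
    sections = [(b".text", 0x1000, 0x2000, 0x1000, 0x2000),
                (b".data", 0x5000, 0x1000, 0x3000, 0x1000)]
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)          # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)               # FileAlignment
    struct.pack_into("<I", img, opt + 60, 0x400)               # SizeOfHeaders
    sec_table = opt + 0xE0
    for i, (name, rva, vsize, raw, rawsize) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, sec_table + 40 * i,
                         name, vsize, rva, rawsize, raw, 0, 0, 0, 0, 0x60000020)
    for off, val in (patches or {}).items():
        img[off] = val
    return bytes(img)


def parse_pe(data):
    """Return (image_base, size_of_headers, [(name, rva, vsize, raw, rawsize), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw, rawsize))
    return image_base, size_of_headers, sections


def file_offset_to_va(pe, offset):
    """Map a file offset to (VA, region name); (None, None) if the offset lies in file slack."""
    image_base, size_of_headers, sections = pe
    if offset < size_of_headers:
        # Header bytes are mapped 1:1 at the image base; no section lookup applies here.
        return image_base + offset, "<headers>"
    for name, rva, _vsize, raw, rawsize in sections:
        if raw <= offset < raw + rawsize:
            return image_base + rva + (offset - raw), name
    return None, None


def diff_images(reference, suspect):
    """Byte-level diff of two equal-sized files: [(offset, reference_byte, suspect_byte), ...]."""
    if len(reference) != len(suspect):
        raise ValueError(f"size mismatch: {len(reference)} vs {len(suspect)} bytes")
    return [(off, a, b) for off, (a, b) in enumerate(zip(reference, suspect)) if a != b]


def report(reference, suspect):
    """Diff rows annotated with VA and region, resolved through the reference image's headers."""
    pe = parse_pe(reference)
    return [(off, a, b) + file_offset_to_va(pe, off) for off, a, b in diff_images(reference, suspect)]


if __name__ == "__main__":
    ref = build_sample_pe()
    # Constructed "modified" copy: one byte in the header, one in .text, one in .data.
    sus = build_sample_pe(patches={0x1B8: 0x92, 0x20D4: 0xE9, 0x3010: 0x41})
    for off, a, b, va, region in report(ref, sus):
        print(f"{off:06X}: {a:02X} -> {b:02X}  VA {va:08X}  ({region})")
```

The size check in diff_images is deliberate: a positional byte diff is only meaningful when both files are the same length, as they are in the post (9,756,200 bytes each); an inserted or deleted byte would shift everything after it and turn the rest of the file into noise, so that case is rejected rather than reported.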
==========================
In OD, search the string references for lan=chs
-------------------------
Set breakpoints at the following places (OD breakpoint list: address, module, condition, disassembly):
00415F2A 按键精灵 始终 call <jmp.&MFC42.#CString::Format_2818>
00415F41 按键精灵 始终 push 0084CABC 9.60.12177
0041A5EA 按键精灵 始终 push 0084CCA8 lan=chs&
0041AAA1 按键精灵 始终 push 0084CCA8 lan=chs&
00472C8B 按键精灵 始终 push 0084E3B8 ?lan=chs
0048AFDE 按键精灵 始终 call 00480210
0048AFF2 按键精灵 始终 call <jmp.&MFC42.#CCommandLineInfo::~CCommandLineInfo_617>
0048B016 按键精灵 始终 call <jmp.&MFC42.#CString::CString_540>
0048B040 按键精灵 始终 push 0084E3B8 ?lan=chs
00492983 按键精灵 始终 push 0084E3B8 ?lan=chs
004977C1 按键精灵 始终 push 0084E3B8 ?lan=chs
------------------------- then press F9 to kick off~~~
You will break here:
0048AFDE E8 2D52FFFF call 00480210 ;but this is not the place we want
We keep pressing F9; since the breakpoints are set there's no fear of losing the trail~~
------------
00415F24 .68 C8CA8400 push 0084CAC8 ;res://%s%s.EXE/bottom_bar_ad.htm
00415F29 .52 push edx
00415F2A .E8 4FCE0F00 call <jmp.&MFC42.#CString::Format_2818> ;yes, this is it, here we can go to work~~~ NOP it out
At this point the program's patch bar is blown away, the same result as the lower version I did. Likewise it enters the interface in 1 second and enjoys the treatment described at ZZZZZZZZ.
============================
http://img.blog.csdn.net/20140307122545406?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvbWVuZ2h1YW5ydWFuamlhbg==/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center
This article is for exchanging assembly and reverse-engineering techniques, so nothing else is provided~~
Everyone please give the 按键精灵 forum plenty of support~~
Any other shortcomings have nothing to do with the 吾爱破解 forum, the OP, etc.; no legal responsibility will be pursued~
============================
To be continued: next I'll patch the few places in my own version that haven't been done yet.
Limitless prospects, here's my support.
Came to support the OP.
I was really worrying about a crack for 按键精灵.
Such an awesome piece of work, how could one not support it?
OK, dinner first; next, I'll give my own version the same treatment as his,
so it can generate ad-free 小精灵, and that's that.
Mine strips the URLs at a lower level, leaving only one example URL that is used when programming.
Off to eat; when I'm back I'll write the tutorial and reversing notes, and post images to explain. I've been improving fast lately, having killed off a lot of shareware.
Thanks for the OP's analysis.
Thanks to the OP for sharing! Learned a lot!!!
Support, though I can't understand it.
Part 2:
20D4: 0F E9 :004020D4 /E9 53040000 jmp 0040252C
20D5: 8E 53
20D6: 52 04
20D7: 04 00
20D9: 00 90
----------------------------
This is the spot they modified.
We can search for the signature bytes: 0F8E52040000
The first three locations are really special: they sit in the PE header, are hard to locate, and can't be broken on in OD; it seems the decompression code of the two versions differs too much——, so for now the part about generating the commercial 小精灵
Right now I don't know what the reasoning is; how did they arrive at the conclusion to modify at this location?
1B8: 9F 92 :4001b8
1B9: D6 17
1EC: 30 BE :4001EC 0020BD2200
1ED: 06 02
2D8: 30 BE :4002D8 0020BD2200
2D9: 06 02
00401C65 . /E9 53040000 jmp 004020BD ;if this doesn't jump, 按键精灵 can start doing bad things: automatic network detection, dialing up to the internet on its own
00401C6A |90 nop
00401C6B . |8B5C24 14 mov ebx, dword ptr
00401C6F > |53 push ebx
00401C70 . |8BCD mov ecx, ebp
00401C72 . |E8 69660A00 call 004A82E0
00401C77 . |8B7424 10 mov esi, dword ptr
00401C7B . |8B00 mov eax, dword ptr
00401C7D > |8A10 mov dl, byte ptr
00401C7F . |8ACA mov cl, dl
00401C81 . |3A16 cmp dl, byte ptr
00401C83 . |75 1C jnz short 00401CA1
00401C85 . |84C9 test cl, cl
00401C87 . |74 14 je short 00401C9D
00401C89 . |8A50 01 mov dl, byte ptr
00401C8C . |8ACA mov cl, dl
00401C8E . |3A56 01 cmp dl, byte ptr
00401C91 . |75 0E jnz short 00401CA1
00401C93 . |83C0 02 add eax, 0x2
00401C96 . |83C6 02 add esi, 0x2
00401C99 . |84C9 test cl, cl
00401C9B .^|75 E0 jnz short 00401C7D
00401C9D > |33C0 xor eax, eax
00401C9F . |EB 05 jmp short 00401CA6
00401CA1 > |1BC0 sbb eax, eax
00401CA3 . |83D8 FF sbb eax, -0x1
00401CA6 > |85C0 test eax, eax
00401CA8 . |0F85 FB030000 jnz 004020A9
00401CAE . |68 74468300 push 00834674 ;ASCII "begintime"
00401CB3 . |53 push ebx
00401CB4 . |8BCD mov ecx, ebp
00401CB6 . |E8 25660A00 call 004A82E0
00401CBB . |8BC8 mov ecx, eax
00401CBD . |E8 8E650A00 call 004A8250
00401CC2 . |50 push eax
00401CC3 . |8D4C24 24 lea ecx, dword ptr
00401CC7 . |E8 20501000 call <jmp.&MFC42.#CString::operator=_>
00401CCC . |8B7C24 20 mov edi, dword ptr
00401CD0 . |BE A0C68400 mov esi, 0084C6A0
00401CD5 . |8BC7 mov eax, edi
00401CD7 > |8A10 mov dl, byte ptr
00401CD9 . |8ACA mov cl, dl
00401CDB . |3A16 cmp dl, byte ptr
00401CDD . |75 1C jnz short 00401CFB
00401CDF . |84C9 test cl, cl
00401CE1 . |74 14 je short 00401CF7
00401CE3 . |8A50 01 mov dl, byte ptr
00401CE6 . |8ACA mov cl, dl
00401CE8 . |3A56 01 cmp dl, byte ptr
00401CEB . |75 0E jnz short 00401CFB
00401CED . |83C0 02 add eax, 0x2
00401CF0 . |83C6 02 add esi, 0x2
00401CF3 . |84C9 test cl, cl
00401CF5 .^|75 E0 jnz short 00401CD7
00401CF7 > |33C0 xor eax, eax
00401CF9 . |EB 05 jmp short 00401D00
00401CFB > |1BC0 sbb eax, eax
00401CFD . |83D8 FF sbb eax, -0x1
00401D00 > |85C0 test eax, eax
00401D02 . |74 5E je short 00401D62
00401D04 . |68 00040000 push 0x400
00401D09 . |6A 00 push 0x0
00401D0B . |57 push edi
00401D0C . |8D4C24 54 lea ecx, dword ptr
00401D10 . |E8 D14F1000 call <jmp.&MFC42.#COleDateTime::Parse>
00401D15 . |6A FF push -0x1
00401D17 . |8D4C24 4C lea ecx, dword ptr
00401D1B . |E8 C04F1000 call <jmp.&MFC42.#COleDateTime::GetSe>
00401D20 . |50 push eax
00401D21 . |8D4C24 50 lea ecx, dword ptr
00401D25 . |E8 B04F1000 call <jmp.&MFC42.#COleDateTime::GetMi>
00401D2A . |50 push eax
00401D2B . |8D4C24 54 lea ecx, dword ptr
00401D2F . |E8 A04F1000 call <jmp.&MFC42.#COleDateTime::GetHo>
00401D34 . |50 push eax
00401D35 . |8D4C24 58 lea ecx, dword ptr
00401D39 . |E8 904F1000 call <jmp.&MFC42.#COleDateTime::GetDa>
00401D3E . |50 push eax
00401D3F . |8D4C24 5C lea ecx, dword ptr
00401D43 . |E8 804F1000 call <jmp.&MFC42.#COleDateTime::GetMo>
00401D48 . |50 push eax
00401D49 . |8D4C24 60 lea ecx, dword ptr
00401D4D . |E8 704F1000 call <jmp.&MFC42.#COleDateTime::GetYe>
00401D52 . |50 push eax
00401D53 . |8D4C24 58 lea ecx, dword ptr
00401D57 . |E8 604F1000 call <jmp.&MFC42.#CTime::CTime_551>
00401D5C . |8B00 mov eax, dword ptr
00401D5E . |894424 30 mov dword ptr , eax
00401D62 > |68 6C468300 push 0083466C ;ASCII "endtime"
00401D67 . |53 push ebx
00401D68 . |8BCD mov ecx, ebp
00401D6A . |E8 71650A00 call 004A82E0
00401D6F . |8BC8 mov ecx, eax
00401D71 . |E8 DA640A00 call 004A8250
00401D76 . |50 push eax
00401D77 . |8D4C24 20 lea ecx, dword ptr
00401D7B . |E8 6C4F1000 call <jmp.&MFC42.#CString::operator=_>
00401D80 . |8B7C24 1C mov edi, dword ptr
00401D84 . |BE A0C68400 mov esi, 0084C6A0
00401D89 . |8BC7 mov eax, edi
00401D8B > |8A10 mov dl, byte ptr
00401D8D . |8ACA mov cl, dl
00401D8F . |3A16 cmp dl, byte ptr
00401D91 . |75 1C jnz short 00401DAF
00401D93 . |84C9 test cl, cl
00401D95 . |74 14 je short 00401DAB
00401D97 . |8A50 01 mov dl, byte ptr
00401D9A . |8ACA mov cl, dl
00401D9C . |3A56 01 cmp dl, byte ptr
00401D9F . |75 0E jnz short 00401DAF
00401DA1 . |83C0 02 add eax, 0x2
00401DA4 . |83C6 02 add esi, 0x2
00401DA7 . |84C9 test cl, cl
00401DA9 .^|75 E0 jnz short 00401D8B
00401DAB > |33C0 xor eax, eax
00401DAD . |EB 05 jmp short 00401DB4
00401DAF > |1BC0 sbb eax, eax
00401DB1 . |83D8 FF sbb eax, -0x1
00401DB4 > |85C0 test eax, eax
00401DB6 . |74 62 je short 00401E1A
00401DB8 . |68 00040000 push 0x400
00401DBD . |6A 00 push 0x0
00401DBF . |57 push edi
00401DC0 . |8D4C24 54 lea ecx, dword ptr
00401DC4 . |E8 1D4F1000 call <jmp.&MFC42.#COleDateTime::Parse>
00401DC9 . |6A FF push -0x1
00401DCB . |8D4C24 4C lea ecx, dword ptr
00401DCF . |E8 0C4F1000 call <jmp.&MFC42.#COleDateTime::GetSe>
00401DD4 . |50 push eax
00401DD5 . |8D4C24 50 lea ecx, dword ptr
00401DD9 . |E8 FC4E1000 call <jmp.&MFC42.#COleDateTime::GetMi>
00401DDE . |50 push eax
00401DDF . |8D4C24 54 lea ecx, dword ptr
00401DE3 . |E8 EC4E1000 call <jmp.&MFC42.#COleDateTime::GetHo>
00401DE8 . |50 push eax
00401DE9 . |8D4C24 58 lea ecx, dword ptr
00401DED . |E8 DC4E1000 call <jmp.&MFC42.#COleDateTime::GetDa>
00401DF2 . |50 push eax
00401DF3 . |8D4C24 5C lea ecx, dword ptr
00401DF7 . |E8 CC4E1000 call <jmp.&MFC42.#COleDateTime::GetMo>
00401DFC . |50 push eax
00401DFD . |8D4C24 60 lea ecx, dword ptr
00401E01 . |E8 BC4E1000 call <jmp.&MFC42.#COleDateTime::GetYe>
00401E06 . |50 push eax
00401E07 . |8D4C24 5C lea ecx, dword ptr
00401E0B . |E8 AC4E1000 call <jmp.&MFC42.#CTime::CTime_551>
00401E10 . |8B00 mov eax, dword ptr
00401E12 . |8B7C24 1C mov edi, dword ptr
00401E16 . |894424 34 mov dword ptr , eax
00401E1A > |8B4424 20 mov eax, dword ptr
00401E1E . |BE A0C68400 mov esi, 0084C6A0
00401E23 > |8A10 mov dl, byte ptr
00401E25 . |8ACA mov cl, dl
00401E27 . |3A16 cmp dl, byte ptr
00401E29 . |75 1C jnz short 00401E47
00401E2B . |84C9 test cl, cl
00401E2D . |74 14 je short 00401E43
00401E2F . |8A50 01 mov dl, byte ptr
00401E32 . |8ACA mov cl, dl
00401E34 . |3A56 01 cmp dl, byte ptr
00401E37 . |75 0E jnz short 00401E47
00401E39 . |83C0 02 add eax, 0x2
00401E3C . |83C6 02 add esi, 0x2
00401E3F . |84C9 test cl, cl
00401E41 .^|75 E0 jnz short 00401E23
00401E43 > |33C0 xor eax, eax
00401E45 . |EB 05 jmp short 00401E4C
00401E47 > |1BC0 sbb eax, eax
00401E49 . |83D8 FF sbb eax, -0x1
00401E4C > |85C0 test eax, eax
00401E4E . |74 70 je short 00401EC0
00401E50 . |BE A0C68400 mov esi, 0084C6A0
00401E55 . |8BC7 mov eax, edi
00401E57 > |8A10 mov dl, byte ptr
00401E59 . |8ACA mov cl, dl
00401E5B . |3A16 cmp dl, byte ptr
00401E5D . |75 1C jnz short 00401E7B
00401E5F . |84C9 test cl, cl
00401E61 . |74 14 je short 00401E77
00401E63 . |8A50 01 mov dl, byte ptr
00401E66 . |8ACA mov cl, dl
00401E68 . |3A56 01 cmp dl, byte ptr
00401E6B . |75 0E jnz short 00401E7B
00401E6D . |83C0 02 add eax, 0x2
00401E70 . |83C6 02 add esi, 0x2
00401E73 . |84C9 test cl, cl
00401E75 .^|75 E0 jnz short 00401E57
00401E77 > |33C0 xor eax, eax
00401E79 . |EB 05 jmp short 00401E80
00401E7B > |1BC0 sbb eax, eax
00401E7D . |83D8 FF sbb eax, -0x1
00401E80 > |85C0 test eax, eax
00401E82 . |74 3C je short 00401EC0
00401E84 . |51 push ecx
00401E85 . |8B4C24 38 mov ecx, dword ptr
00401E89 . |8BC4 mov eax, esp
00401E8B . |896424 3C mov dword ptr , esp
00401E8F . |8908 mov dword ptr , ecx
00401E91 . |8D4C24 28 lea ecx, dword ptr
00401E95 . |E8 E6190000 call 00403880
00401E9A . |85C0 test eax, eax
00401E9C . |0F85 07020000 jnz 004020A9
00401EA2 . |8B5424 30 mov edx, dword ptr
00401EA6 . |51 push ecx
00401EA7 . |8BC4 mov eax, esp
00401EA9 . |8D4C24 28 lea ecx, dword ptr
00401EAD . |896424 3C mov dword ptr , esp
00401EB1 . |8910 mov dword ptr , edx
00401EB3 . |E8 B8190000 call 00403870
00401EB8 . |85C0 test eax, eax
00401EBA . |0F85 E9010000 jnz 004020A9
00401EC0 > |8B4424 14 mov eax, dword ptr
00401EC4 . |8BCD mov ecx, ebp
00401EC6 . |50 push eax
00401EC7 . |E8 14640A00 call 004A82E0
00401ECC . |8B4C24 64 mov ecx, dword ptr
00401ED0 . |894424 18 mov dword ptr , eax
00401ED4 . |8B71 10 mov esi, dword ptr
00401ED7 . |8B51 14 mov edx, dword ptr
00401EDA . |8D59 08 lea ebx, dword ptr
00401EDD . |2BD6 sub edx, esi
00401EDF . |C1FA 02 sar edx, 0x2
00401EE2 . |83FA 01 cmp edx, 0x1
00401EE5 . |8BFE mov edi, esi
00401EE7 . |0F83 EF000000 jnb 00401FDC
00401EED . |8B4B 04 mov ecx, dword ptr
00401EF0 . |85C9 test ecx, ecx
00401EF2 . |74 0C je short 00401F00
00401EF4 . |8BC6 mov eax, esi
00401EF6 . |2BC1 sub eax, ecx
00401EF8 . |C1F8 02 sar eax, 0x2
00401EFB . |83F8 01 cmp eax, 0x1
00401EFE . |77 05 ja short 00401F05
00401F00 > |B8 01000000 mov eax, 0x1
00401F05 > |85C9 test ecx, ecx
00401F07 . |75 04 jnz short 00401F0D
00401F09 . |33F6 xor esi, esi
00401F0B . |EB 05 jmp short 00401F12
00401F0D > |2BF1 sub esi, ecx
00401F0F . |C1FE 02 sar esi, 0x2
00401F12 > |03C6 add eax, esi
00401F14 . |85C0 test eax, eax
00401F16 . |894424 38 mov dword ptr , eax
00401F1A . |7D 02 jge short 00401F1E
00401F1C . |33C0 xor eax, eax
00401F1E > |C1E0 02 shl eax, 0x2
00401F21 . |50 push eax
00401F22 . |E8 414D1000 call <jmp.&MFC42.#operator new_823>
00401F27 . |8B73 04 mov esi, dword ptr
00401F2A . |83C4 04 add esp, 0x4
00401F2D . |3BF7 cmp esi, edi
00401F2F . |894424 2C mov dword ptr , eax
00401F33 . |8BE8 mov ebp, eax
00401F35 . |74 14 je short 00401F4B
00401F37 > |56 push esi
00401F38 . |55 push ebp
00401F39 . |E8 C2F60A00 call 004B1600
00401F3E . |83C6 04 add esi, 0x4
00401F41 . |83C4 08 add esp, 0x8
00401F44 . |83C5 04 add ebp, 0x4
00401F47 . |3BF7 cmp esi, edi
00401F49 .^|75 EC jnz short 00401F37
00401F4B > |8D4C24 18 lea ecx, dword ptr
00401F4F . |51 push ecx
00401F50 . |55 push ebp
00401F51 . |E8 AAF60A00 call 004B1600
00401F56 . |8B5424 6C mov edx, dword ptr
00401F5A . |83C4 08 add esp, 0x8
00401F5D . |8BF7 mov esi, edi
00401F5F . |8B5A 10 mov ebx, dword ptr
00401F62 . |8D42 08 lea eax, dword ptr
00401F65 . |3BFB cmp edi, ebx
00401F67 . |74 17 je short 00401F80
00401F69 . |8D7D 04 lea edi, dword ptr
00401F6C > |56 push esi
00401F6D . |57 push edi
00401F6E . |E8 8DF60A00 call 004B1600
00401F73 . |83C6 04 add esi, 0x4
00401F76 . |83C4 08 add esp, 0x8
00401F79 . |83C7 04 add edi, 0x4
00401F7C . |3BF3 cmp esi, ebx
00401F7E .^|75 EC jnz short 00401F6C
00401F80 > |8B4424 64 mov eax, dword ptr
00401F84 . |8D70 08 lea esi, dword ptr
00401F87 . |8B40 0C mov eax, dword ptr
00401F8A . |50 push eax
00401F8B . |894424 48 mov dword ptr , eax
00401F8F . |E8 C84C1000 call <jmp.&MFC42.#operator delete_825>
00401F94 . |8B4C24 30 mov ecx, dword ptr
00401F98 . |8B5424 3C mov edx, dword ptr
00401F9C . |83C4 04 add esp, 0x4
00401F9F . |8D0491 lea eax, dword ptr
00401FA2 . |8B56 04 mov edx, dword ptr
00401FA5 . |85D2 test edx, edx
00401FA7 . |8946 0C mov dword ptr , eax
00401FAA . |75 15 jnz short 00401FC1
00401FAC . |8B6C24 28 mov ebp, dword ptr
00401FB0 . |33C0 xor eax, eax
00401FB2 . |894E 04 mov dword ptr , ecx
00401FB5 . |8D5481 04 lea edx, dword ptr
00401FB9 . |8956 08 mov dword ptr , edx
00401FBC . |E9 E4000000 jmp 004020A5
00401FC1 > |8B46 08 mov eax, dword ptr
00401FC4 . |8B6C24 28 mov ebp, dword ptr
00401FC8 . |2BC2 sub eax, edx
00401FCA . |894E 04 mov dword ptr , ecx
00401FCD . |C1F8 02 sar eax, 0x2
00401FD0 . |8D5481 04 lea edx, dword ptr
00401FD4 . |8956 08 mov dword ptr , edx
00401FD7 . |E9 C9000000 jmp 004020A5
00401FDC > |8BC6 mov eax, esi
00401FDE . |2BC7 sub eax, edi
00401FE0 . |C1F8 02 sar eax, 0x2
00401FE3 . |83F8 01 cmp eax, 0x1
00401FE6 . |73 72 jnb short 0040205A
00401FE8 . |3BFE cmp edi, esi
00401FEA . |8BC7 mov eax, edi
00401FEC . |74 13 je short 00402001
00401FEE > |8D68 04 lea ebp, dword ptr
00401FF1 . |50 push eax
00401FF2 . |55 push ebp
00401FF3 . |E8 08F60A00 call 004B1600
00401FF8 . |8BC5 mov eax, ebp
00401FFA . |83C4 08 add esp, 0x8
00401FFD . |3BC6 cmp eax, esi
00401FFF .^|75 ED jnz short 00401FEE
00402001 > |8B6C24 64 mov ebp, dword ptr
00402005 . |B8 01000000 mov eax, 0x1
0040200A . |8B4D 10 mov ecx, dword ptr
0040200D . |8BD1 mov edx, ecx
0040200F . |8BF1 mov esi, ecx
00402011 . |2BD7 sub edx, edi
00402013 . |C1FA 02 sar edx, 0x2
00402016 . |2BC2 sub eax, edx
00402018 . |74 16 je short 00402030
0040201A . |8BD8 mov ebx, eax
0040201C > |8D4424 18 lea eax, dword ptr
00402020 . |50 push eax
00402021 . |56 push esi
00402022 . |E8 D9F50A00 call 004B1600
00402027 . |83C4 08 add esp, 0x8
0040202A . |83C6 04 add esi, 0x4
0040202D . |4B dec ebx
0040202E .^|75 EC jnz short 0040201C
00402030 > |8B4D 10 mov ecx, dword ptr
00402033 . |8D45 08 lea eax, dword ptr
00402036 . |3BF9 cmp edi, ecx
00402038 . |8BC7 mov eax, edi
0040203A . |74 0D je short 00402049
0040203C > |8B5424 18 mov edx, dword ptr
00402040 . |8910 mov dword ptr , edx
00402042 . |83C0 04 add eax, 0x4
00402045 . |3BC1 cmp eax, ecx
00402047 .^|75 F3 jnz short 0040203C
00402049 > |8B4424 64 mov eax, dword ptr
0040204D . |8B6C24 28 mov ebp, dword ptr
00402051 . |83C0 08 add eax, 0x8
00402054 . |8340 08 04 add dword ptr , 0x4
00402058 . |EB 4B jmp short 004020A5
0040205A > |8D46 FC lea eax, dword ptr
0040205D . |56 push esi
0040205E . |56 push esi
0040205F . |50 push eax
00402060 . |8BCB mov ecx, ebx
00402062 . |894424 50 mov dword ptr , eax
00402066 . |E8 85190000 call 004039F0
0040206B . |8B4B 08 mov ecx, dword ptr
0040206E . |8D41 FC lea eax, dword ptr
00402071 . |3BF8 cmp edi, eax
00402073 . |74 0F je short 00402084
00402075 > |8B50 FC mov edx, dword ptr
00402078 . |83E8 04 sub eax, 0x4
0040207B . |83E9 04 sub ecx, 0x4
0040207E . |3BC7 cmp eax, edi
00402080 . |8911 mov dword ptr , edx
00402082 .^|75 F1 jnz short 00402075
00402084 > |8D4F 04 lea ecx, dword ptr
00402087 . |8BC7 mov eax, edi
00402089 . |3BF9 cmp edi, ecx
0040208B . |74 0D je short 0040209A
0040208D > |8B5424 18 mov edx, dword ptr
00402091 . |8910 mov dword ptr , edx
00402093 . |83C0 04 add eax, 0x4
00402096 . |3BC1 cmp eax, ecx
00402098 .^|75 F3 jnz short 0040208D
0040209A > |8B4424 64 mov eax, dword ptr
0040209E . |83C0 08 add eax, 0x8
004020A1 . |8340 08 04 add dword ptr , 0x4
004020A5 > |8B5C24 14 mov ebx, dword ptr
004020A9 > |43 inc ebx
004020AA . |8BCD mov ecx, ebp
004020AC . |895C24 14 mov dword ptr , ebx
004020B0 . |90 nop
004020B1 . |90 nop
004020B2 . |90 nop
004020B3 . |90 nop
004020B4 . |90 nop
004020B5 . |3BD8 cmp ebx, eax
004020B7 .^|0F8C B2FBFFFF jl 00401C6F
004020BD > \8B4C24 64 mov ecx, dword ptr
Did you see the dial-up API prototype above?
This is the spot that troubled me for many days without being able to trace into it~~
So that's how it is~~~