小黑冰 发表于 2008-8-31 14:12

看别人破刷流量软件说是软柿子破文的补充  注意<这个3CALL验证

http://bbs.52pojie.cn/read.php?tid=9300&page=1&toread=1
看这篇文章的补充:
按楼主的方法做了一次,发现如图:

00478ECB|.55push ebp
00478ECC|.68 AD904700 push 刷网页访.004790AD
00478ED1|.64:FF30 push dword ptr fs:
00478ED4|.64:8920 mov dword ptr fs:,esp
00478ED7|.8D55 FC lea edx,
00478EDA|.8B83 44030000 mov eax,dword ptr ds:
00478EE0|.E8 A76CFDFF call 刷网页访.0044FB8C ;取注册码
00478EE5|.8B45 FC mov eax,
00478EE8|.E8 37B3F8FF call 刷网页访.00404224 ;取注册码位数
00478EED|.83F8 0C cmp eax,0C ;与12比较
00478EF0|.74 3F je short 刷网页访.00478F31 ;必须跳
00478EF2|.6A 10 push 10
00478EF4|.8D55 F8 lea edx,
00478EF7|.A1 FCD34700 mov eax,dword ptr ds:
00478EFC|.8B00mov eax,dword ptr ds:
00478EFE|.E8 5167FFFF call 刷网页访.0046F654
00478F03|.8B45 F8 mov eax,
00478F06|.E8 19B5F8FF call 刷网页访.00404424
00478F0B|.50push eax
00478F0C|.68 BC904700 push 刷网页访.004790BC
00478F11|.8BC3mov eax,ebx
00478F13|.E8 A8D5FDFF call 刷网页访.004564C0
00478F18|.50push eax ; |hOwner
00478F19|.E8 CADBF8FF call <jmp.&user32.MessageBoxA> ; \出错
00478F1E|.8B83 44030000 mov eax,dword ptr ds:
00478F24|.8B10mov edx,dword ptr ds:
00478F26|.FF92 C4000000 call dword ptr ds:
00478F2C|.E9 34010000 jmp 刷网页访.00479065
00478F31|>8D55 F4 lea edx,
00478F34|.8B83 44030000 mov eax,dword ptr ds:
00478F3A|.E8 4D6CFDFF call 刷网页访.0044FB8C
00478F3F|.8B45 F4 mov eax,
00478F42|.50push eax
00478F43|.8D55 F0 lea edx,
00478F46|.8B83 20030000 mov eax,dword ptr ds:
00478F4C|.E8 3B6CFDFF call 刷网页访.0044FB8C
00478F51|.8B45 F0 mov eax,
00478F54|.5Apop edx
00478F55|.E8 720D0000 call 刷网页访.00479CCC ;关键CALL
00478F5A|.84C0test al,al
00478F5C|.0F85 C9000000 jnz 刷网页访.0047902B;不能跳
00478F62|.A1 7CD14700 mov eax,dword ptr ds:
00478F67|.C600 01 mov byte ptr ds:,1
00478F6A|.8D55 EC lea edx,
00478F6D|.8B83 44030000 mov eax,dword ptr ds:
00478F73|.E8 146CFDFF call 刷网页访.0044FB8C
00478F78|.8B55 EC mov edx,
00478F7B|.A1 A8D14700 mov eax,dword ptr ds:
00478F80|.E8 33B0F8FF call 刷网页访.00403FB8
00478F85|.8D45 E8 lea eax,
00478F88|.8B15 C0D24700 mov edx,dword ptr ds:;刷网页访.0047EC78
00478F8E|.B9 05010000 mov ecx,105
00478F93|.E8 3CB2F8FF call 刷网页访.004041D4
00478F98|.8D45 E8 lea eax,
00478F9B|.BA D4904700 mov edx,刷网页访.004790D4;ASCII "\ARefresh.ini"
00478FA0|.E8 87B2F8FF call 刷网页访.0040422C
00478FA5|.8B4D E8 mov ecx,
00478FA8|.B2 01 mov dl,1
00478FAA|.A1 F02B4300 mov eax,dword ptr ds:
00478FAF|.E8 EC9CFBFF call 刷网页访.00432CA0
00478FB4|.8BF0mov esi,eax
00478FB6|.8D55 E4 lea edx,
00478FB9|.8B83 44030000 mov eax,dword ptr ds:
00478FBF|.E8 C86BFDFF call 刷网页访.0044FB8C
00478FC4|.8B45 E4 mov eax,
00478FC7|.50push eax
00478FC8|.B9 EC904700 mov ecx,刷网页访.004790EC;ASCII "KEY"
00478FCD|.BA F8904700 mov edx,刷网页访.004790F8;ASCII "REGCODE"
00478FD2|.8BC6mov eax,esi
00478FD4|.8B38mov edi,dword ptr ds:
00478FD6|.FF57 04 call dword ptr ds:
00478FD9|.B2 01 mov dl,1
00478FDB|.8BC6mov eax,esi
00478FDD|.8B08mov ecx,dword ptr ds:
00478FDF|.FF51 FC call dword ptr ds:
00478FE2|.6A 40 push 40
00478FE4|.8D55 E0 lea edx,
00478FE7|.A1 FCD34700 mov eax,dword ptr ds:
00478FEC|.8B00mov eax,dword ptr ds:
00478FEE|.E8 6166FFFF call 刷网页访.0046F654
00478FF3|.8B45 E0 mov eax,
00478FF6|.E8 29B4F8FF call 刷网页访.00404424
00478FFB|.50push eax
00478FFC|.68 00914700 push 刷网页访.00479100
00479001|.8BC3mov eax,ebx
00479003|.E8 B8D4FDFF call 刷网页访.004564C0
00479008|.50push eax ; |hOwner
00479009|.E8 DADAF8FF call <jmp.&user32.MessageBoxA> ; \成功
0047900E|.A1 0CD54700 mov eax,dword ptr ds:
00479013|.8B00mov eax,dword ptr ds:
00479015|.8B80 7C030000 mov eax,dword ptr ds:
0047901B|.33D2xor edx,edx
0047901D|.E8 8A6AFDFF call 刷网页访.0044FAAC
00479022|.8BC3mov eax,ebx
00479024|.E8 5F33FFFF call 刷网页访.0046C388
00479029|.EB 3A jmp short 刷网页访.00479065
0047902B|>6A 10 push 10
0047902D|.8D55 DC lea edx,
00479030|.A1 FCD34700 mov eax,dword ptr ds:
00479035|.8B00mov eax,dword ptr ds:
00479037|.E8 1866FFFF call 刷网页访.0046F654
0047903C|.8B45 DC mov eax,
0047903F|.E8 E0B3F8FF call 刷网页访.00404424
00479044|.50push eax
00479045|.68 BC904700 push 刷网页访.004790BC
0047904A|.8BC3mov eax,ebx
0047904C|.E8 6FD4FDFF call 刷网页访.004564C0
00479051|.50push eax ; |hOwner
00479052|.E8 91DAF8FF call <jmp.&user32.MessageBoxA> ; 错误

进关键CALL
00479CCC/$55push ebp
00479CCD|.8BECmov ebp,esp
00479CCF|.83C4 F8 add esp,-8
00479CD2|.53push ebx
00479CD3|.33C9xor ecx,ecx
00479CD5|.894D F8 mov ,ecx
00479CD8|.8955 FC mov ,edx
00479CDB|.8B45 FC mov eax,
00479CDE|.E8 31A7F8FF call 刷网页访.00404414
00479CE3|.33C0xor eax,eax
00479CE5|.55push ebp
00479CE6|.68 349D4700 push 刷网页访.00479D34
00479CEB|.64:FF30 push dword ptr fs:
00479CEE|.64:8920 mov dword ptr fs:,esp
00479CF1|.8D45 F8 lea eax,
00479CF4|.50push eax
00479CF5|.B9 04000000 mov ecx,4
00479CFA|.33D2xor edx,edx
00479CFC|.8B45 FC mov eax,;假码到EAX
00479CFF|.E8 80A7F8FF call 刷网页访.00404484 ;取注册码前四位
00479D04|.8B45 F8 mov eax,;到EAX
00479D07|.BA 4C9D4700 mov edx,刷网页访.00479D4C;取0871到EDX
00479D0C|.E8 5FA6F8FF call 刷网页访.00404370 ;比较CALL
00479D11|.75 04 jnz short 刷网页访.00479D17;不能跳
00479D13|.B3 01 mov bl,1
00479D15|.EB 02 jmp short 刷网页访.00479D19
00479D17|>33DBxor ebx,ebx
00479D19|>33C0xor eax,eax
00479D1B|.5Apop edx
00479D1C|.59pop ecx
00479D1D|.59pop ecx
00479D1E|.64:8910 mov dword ptr fs:,edx
00479D21|.68 3B9D4700 push 刷网页访.00479D3B
00479D26|>8D45 F8 lea eax,
00479D29|.BA 02000000 mov edx,2
00479D2E|.E8 55A2F8FF call 刷网页访.00403F88
00479D33\.C3retn
00479D34 .^ E9 2F9CF8FF jmp 刷网页访.00403968
00479D39 .^ EB EB jmp short 刷网页访.00479D26
00479D3B .8BC3mov eax,ebx
00479D3D .5Bpop ebx
00479D3E .59pop ecx
00479D3F .59pop ecx
00479D40 .5Dpop ebp
00479D41 .C3retn

再进算法CALL
00404370/$53push ebx
00404371|.56push esi
00404372|.57push edi
00404373|.89C6mov esi,eax
00404375|.89D7mov edi,edx
00404377|.39D0cmp eax,edx;真假比较
00404379|.0F84 8F000000 je 刷网页访.0040440E ;必须跳
0040437F|.85F6test esi,esi ;↓检测注册码是否有
00404381|.74 68 je short 刷网页访.004043EB
00404383|.85FFtest edi,edi
00404385|.74 6B je short 刷网页访.004043F2 ;↑检测注册码是否有
00404387|.8B46 FC mov eax,dword ptr ds: ;假码位数4到EAX
0040438A|.8B57 FC mov edx,dword ptr ds: ;真码位数4到EDX
0040438D|.29D0sub eax,edx;EAX=EAX-EDX=4-4=0
0040438F|.77 02 ja short 刷网页访.00404393 ;大于跳
00404391|.01C2add edx,eax;EDX=EDX+EAX=4+EAX=4+0=4
00404393|>52push edx
00404394|.C1EA 02 shr edx,2;EDX/4
00404397|.74 26 je short 刷网页访.004043BF
00404399|>8B0E/mov ecx,dword ptr ds:;把16进的假码前四位34333231倒放到ECX
0040439B|.8B1F|mov ebx,dword ptr ds:;把16进的真码前四位30383731倒放到ECX
0040439D|.39D9|cmp ecx,ebx ;前四位16进假码与真码比较
0040439F|.75 58 |jnz short 刷网页访.004043F9 ;不能跳
004043A1|.4A|dec edx ;EDX-1=0
004043A2|.74 15 |je short 刷网页访.004043B9
004043A4|.8B4E 04 |mov ecx,dword ptr ds:
004043A7|.8B5F 04 |mov ebx,dword ptr ds:
004043AA|.39D9|cmp ecx,ebx
004043AC|.75 4B |jnz short 刷网页访.004043F9
004043AE|.83C6 08 |add esi,8
004043B1|.83C7 08 |add edi,8
004043B4|.4A|dec edx
004043B5|.^ 75 E2 \jnz short 刷网页访.00404399
004043B7|.EB 06 jmp short 刷网页访.004043BF
004043B9|>83C6 04 add esi,4
004043BC|.83C7 04 add edi,4
004043BF|>5Apop edx
004043C0|.83E2 03 and edx,3
004043C3|.74 22 je short 刷网页访.004043E7
004043C5|.8B0Emov ecx,dword ptr ds:
004043C7|.8B1Fmov ebx,dword ptr ds:
004043C9|.38D9cmp cl,bl
004043CB|.75 41 jnz short 刷网页访.0040440E
004043CD|.4Adec edx
004043CE|.74 17 je short 刷网页访.004043E7
004043D0|.38FDcmp ch,bh
004043D2|.75 3A jnz short 刷网页访.0040440E
004043D4|.4Adec edx
004043D5|.74 10 je short 刷网页访.004043E7
004043D7|.81E3 0000FF00 and ebx,0FF0000
004043DD|.81E1 0000FF00 and ecx,0FF0000
004043E3|.39D9cmp ecx,ebx
004043E5|.75 27 jnz short 刷网页访.0040440E
004043E7|>01C0add eax,eax
004043E9|.EB 23 jmp short 刷网页访.0040440E
004043EB|>8B57 FC mov edx,dword ptr ds:
004043EE|.29D0sub eax,edx
004043F0|.EB 1C jmp short 刷网页访.0040440E
004043F2|>8B46 FC mov eax,dword ptr ds:
004043F5|.29D0sub eax,edx
004043F7|.EB 15 jmp short 刷网页访.0040440E
004043F9|>5Apop edx
004043FA|.38D9cmp cl,bl
004043FC|.75 10 jnz short 刷网页访.0040440E
004043FE|.38FDcmp ch,bh
00404400|.75 0C jnz short 刷网页访.0040440E
00404402|.C1E9 10 shr ecx,10
00404405|.C1EB 10 shr ebx,10
00404408|.38D9cmp cl,bl
0040440A|.75 02 jnz short 刷网页访.0040440E
0040440C|.38FDcmp ch,bh
0040440E|>5Fpop edi
0040440F|.5Epop esi
00404410|.5Bpop ebx
00404411\.C3retn


注册成功的话写入文件 C:\WINDOWS\system32\ARefresh.ini
完美暴破点00478EF0 je 00478F31改JMP
00478F5C jnz 改JZ或NOP
楼主忽略了
00479D11|. /75 04 jnz short 刷网页访.00479D17 上面判断所以这是否跳
00479D13|. |B3 01 mov bl,1               注意这里图中失败原因之一
00479D15|. |EB 02 jmp short 刷网页访.00479D19

004043C3|. /74 22 je short 刷网页访.004043E7
004043C5|. |8B0Emov ecx,dword ptr ds:
004043C7|. |8B1Fmov ebx,dword ptr ds:
004043C9|. |38D9cmp cl,bl 细微比较CALL
004043CB|. |75 41 jnz short 刷网页访.0040440E
004043CD|. |4Adec edx
004043CE|. |74 17 je short 刷网页访.004043E7
004043D0|. |38FDcmp ch,bh细微比较CALL
004043D2|. |75 3A jnz short 刷网页访.0040440E
004043D4|. |4Adec edx
004043D5|. |74 10 je short 刷网页访.004043E7
004043D7|. |81E3 0000FF00 and ebx,0FF0000
004043DD|. |81E1 0000FF00 and ecx,0FF0000
004043E3|. |39D9cmp ecx,ebx细微比较CALL
004043E5|. |75 27 jnz short 刷网页访.0040440E
004043E7|> \01C0add eax,eax
004043E9|.EB 23 jmp short 刷网页访.0040440E
004043EB|>8B57 FC mov edx,dword ptr ds:
004043EE|.29D0sub eax,edx
004043F0|.EB 1C jmp short 刷网页访.0040440E
004043F2|>8B46 FC mov eax,dword ptr ds:
004043F5|.29D0sub eax,edx
004043F7|.EB 15 jmp short 刷网页访.0040440E
004043F9|>5Apop edx
004043FA|.38D9cmp cl,bl 细微比较CALL
004043FC|.75 10 jnz short 刷网页访.0040440E
004043FE|.38FDcmp ch,bh细微比较CALL
00404400|.75 0C jnz short 刷网页访.0040440E
00404402|.C1E9 10 shr ecx,10
00404405|.C1EB 10 shr ebx,10
00404408|.38D9cmp cl,bl细微比较CALL
0040440A|.75 02 jnz short 刷网页访.0040440E
0040440C|.38FDcmp ch,bh 细微比较CALL
0040440E|>5Fpop edi
0040440F|.5Epop esi
00404410|.5Bpop ebx
00404411\.C3retn
注意这段全是比较。那篇文章的楼主说只要是0871开头的12位数就对了吗?错。
不要认为软柿子好捏```````软柿子会更难捏```

ps520 发表于 2008-8-31 14:25

SOFA


看不懂额..



走落~~

小黑冰 发表于 2008-8-31 15:26

引用第2楼ill于2008-08-31 14:28发表的:
蛤!牛人,
解释一下:
我是转载过来的,觉得分析得很好,应该不会有漏洞,自己也没下载这个软件试过。
所以原谅一下吧
也许因为软件更新了
我也是菜鸟 比你还菜  分析不了  简单猜猜而已```过奖了

guoyonghao 发表于 2008-9-1 08:19

看不懂潜水!

gfansenhua 发表于 2008-9-14 09:31

两位都是高手啊!!!

dujia008 发表于 2010-6-11 00:50

太深奥了......不懂

jakegreey 发表于 2010-6-12 18:22

看不懂...饿

feob 发表于 2012-12-29 19:24

kan不明白啊看不懂

ibq00 发表于 2012-12-29 19:47

你说了个啥呀 我怎么就是不明白呢

1354669803 发表于 2012-12-30 00:32

注册码错误?本地验证么