揰掵佲
Posted on 2021-3-22 12:33
Open Easy Language (易语言) and press Ctrl+O to open a source file that uses this module's commands.
The following prompt appears:
Pressing F5 to debug the program produces similar output.
Because Easy Language modules can be decompiled, the module author moved the algorithm into the support library, so what we are doing is essentially reversing the support library.
Load the support library Game-EC.fne directly in OllyDbg (OD).
An .fne file is actually a DLL with a changed extension.
Press Alt+E, select the fne module, and double-click to enter it.
Right-click and search for strings.
Find the error message 模块验证状态:不正常 (module verification status: abnormal).
Because the strings are mixed with advertising, only the key characters remain after filtering.
[Asm]
1002151D /$ 55 PUSH EBP
1002151E |. 8BEC MOV EBP, ESP
10021520 |. 81EC 04000000 SUB ESP, 0x4
10021526 |. B8 631D0610 MOV EAX, 10061D63 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\r\n
1002152B |. 8945 FC MOV [LOCAL.1], EAX
1002152E |. 8D45 FC LEA EAX, [LOCAL.1]
10021531 |. 50 PUSH EAX
10021532 |. E8 DEAEFEFF CALL 1000C415
10021537 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
1002153A |. 85DB TEST EBX, EBX
1002153C |. 74 09 JE SHORT 10021547
1002153E |. 53 PUSH EBX
1002153F |. E8 199B0000 CALL 1002B05D
10021544 |. 83C4 04 ADD ESP, 0x4
10021547 |> B8 C31D0610 MOV EAX, 10061DC3
1002154C |. 8945 FC MOV [LOCAL.1], EAX
1002154F |. 8D45 FC LEA EAX, [LOCAL.1]
10021552 |. 50 PUSH EAX
10021553 |. E8 BDAEFEFF CALL 1000C415
10021558 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
1002155B |. 85DB TEST EBX, EBX
1002155D |. 74 09 JE SHORT 10021568
1002155F |. 53 PUSH EBX
10021560 |. E8 F89A0000 CALL 1002B05D
10021565 |. 83C4 04 ADD ESP, 0x4
10021568 |> B8 241E0610 MOV EAX, 10061E24
1002156D |. 8945 FC MOV [LOCAL.1], EAX
10021570 |. 8D45 FC LEA EAX, [LOCAL.1]
10021573 |. 50 PUSH EAX
10021574 |. E8 9CAEFEFF CALL 1000C415
10021579 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
1002157C |. 85DB TEST EBX, EBX
1002157E |. 74 09 JE SHORT 10021589
10021580 |. 53 PUSH EBX
10021581 |. E8 D79A0000 CALL 1002B05D
10021586 |. 83C4 04 ADD ESP, 0x4
10021589 |> B8 851E0610 MOV EAX, 10061E85 ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
1002158E |. 8945 FC MOV [LOCAL.1], EAX
10021591 |. 8D45 FC LEA EAX, [LOCAL.1]
10021594 |. 50 PUSH EAX
10021595 |. E8 7BAEFEFF CALL 1000C415
1002159A |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
1002159D |. 85DB TEST EBX, EBX
1002159F |. 74 09 JE SHORT 100215AA
100215A1 |. 53 PUSH EBX
100215A2 |. E8 B69A0000 CALL 1002B05D
100215A7 |. 83C4 04 ADD ESP, 0x4
100215AA |> B8 E25E1A10 MOV EAX, 101A5EE2 ; ┣ 模块验证状态:不正常
100215AF |. 8945 FC MOV [LOCAL.1], EAX
100215B2 |. 8D45 FC LEA EAX, [LOCAL.1]
100215B5 |. 50 PUSH EAX
100215B6 |. E8 5AAEFEFF CALL 1000C415
100215BB |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
100215BE |. 85DB TEST EBX, EBX
100215C0 |. 74 09 JE SHORT 100215CB
100215C2 |. 53 PUSH EBX
100215C3 |. E8 959A0000 CALL 1002B05D
100215C8 |. 83C4 04 ADD ESP, 0x4
100215CB |> B8 851E0610 MOV EAX, 10061E85 ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
100215D0 |. 8945 FC MOV [LOCAL.1], EAX
100215D3 |. 8D45 FC LEA EAX, [LOCAL.1]
100215D6 |. 50 PUSH EAX
100215D7 |. E8 39AEFEFF CALL 1000C415
100215DC |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
100215DF |. 85DB TEST EBX, EBX
100215E1 |. 74 09 JE SHORT 100215EC
100215E3 |. 53 PUSH EBX
100215E4 |. E8 749A0000 CALL 1002B05D
100215E9 |. 83C4 04 ADD ESP, 0x4
100215EC |> B8 471F0610 MOV EAX, 10061F47 ; ┣ 当前模块版本:8.5.3 ┫\r\n
100215F1 |. 8945 FC MOV [LOCAL.1], EAX
100215F4 |. 8D45 FC LEA EAX, [LOCAL.1]
100215F7 |. 50 PUSH EAX
100215F8 |. E8 18AEFEFF CALL 1000C415
100215FD |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
10021600 |. 85DB TEST EBX, EBX
10021602 |. 74 09 JE SHORT 1002160D
10021604 |. 53 PUSH EBX
10021605 |. E8 539A0000 CALL 1002B05D
1002160A |. 83C4 04 ADD ESP, 0x4
1002160D |> B8 851E0610 MOV EAX, 10061E85 ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
10021612 |. 8945 FC MOV [LOCAL.1], EAX
10021615 |. 8D45 FC LEA EAX, [LOCAL.1]
10021618 |. 50 PUSH EAX
10021619 |. E8 F7ADFEFF CALL 1000C415
1002161E |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
10021621 |. 85DB TEST EBX, EBX
10021623 |. 74 09 JE SHORT 1002162E
10021625 |. 53 PUSH EBX
10021626 |. E8 329A0000 CALL 1002B05D
1002162B |. 83C4 04 ADD ESP, 0x4
1002162E |> B8 A81F0610 MOV EAX, 10061FA8
10021633 |. 8945 FC MOV [LOCAL.1], EAX
10021636 |. 8D45 FC LEA EAX, [LOCAL.1]
10021639 |. 50 PUSH EAX
1002163A |. E8 D6ADFEFF CALL 1000C415
1002163F |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
10021642 |. 85DB TEST EBX, EBX
10021644 |. 74 09 JE SHORT 1002164F
10021646 |. 53 PUSH EBX
10021647 |. E8 119A0000 CALL 1002B05D
1002164C |. 83C4 04 ADD ESP, 0x4
1002164F |> B8 851E0610 MOV EAX, 10061E85 ; ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫\r\n
10021654 |. 8945 FC MOV [LOCAL.1], EAX
10021657 |. 8D45 FC LEA EAX, [LOCAL.1]
1002165A |. 50 PUSH EAX
1002165B |. E8 B5ADFEFF CALL 1000C415
10021660 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
10021663 |. 85DB TEST EBX, EBX
10021665 |. 74 09 JE SHORT 10021670
10021667 |. 53 PUSH EBX
10021668 |. E8 F0990000 CALL 1002B05D
1002166D |. 83C4 04 ADD ESP, 0x4
10021670 |> 8BE5 MOV ESP, EBP
10021672 |. 5D POP EBP ; ntdll.77351D36
10021673 \. C3 RETN
Now we just need to find who calls this function; the most common form is CALL 1002151D.
Press Ctrl+S and search for it directly.
This gives the following address:
[Asm]
10020A23 |> \E8 F50A0000 CALL 1002151D ; status abnormal
We just need to see who jumps past the "abnormal" branch.
[Asm]
100209CF |. E8 B6AEFEFF CALL 1000B88A
100209D4 |. 8945 F8 MOV [LOCAL.2], EAX
100209D7 |. 837D F8 00 CMP [LOCAL.2], 0x0
100209DB |. 0F85 4C000000 JNZ 10020A2D
100209E1 |. B8 C96C0410 MOV EAX, 10046CC9 ; \r\n
100209E6 |. 8945 FC MOV [LOCAL.1], EAX
100209E9 |. 8D45 FC LEA EAX, [LOCAL.1]
100209EC |. 50 PUSH EAX
100209ED |. E8 23BAFEFF CALL 1000C415
100209F2 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
100209F5 |. 85DB TEST EBX, EBX
100209F7 |. 74 09 JE SHORT 10020A02
100209F9 |. 53 PUSH EBX
100209FA |. E8 5EA60000 CALL 1002B05D
100209FF |. 83C4 04 ADD ESP, 0x4
10020A02 |> B8 725E1A10 MOV EAX, 101A5E72 ; ★ ━━━━━━未检测到xx加密狗,请插入xx团加密狗,再使用xx团模块!━━━━━━\r\n
10020A07 |. 8945 FC MOV [LOCAL.1], EAX
10020A0A |. 8D45 FC LEA EAX, [LOCAL.1]
10020A0D |. 50 PUSH EAX
10020A0E |. E8 02BAFEFF CALL 1000C415
10020A13 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
10020A16 |. 85DB TEST EBX, EBX
10020A18 |. 74 09 JE SHORT 10020A23
10020A1A |. 53 PUSH EBX
10020A1B |. E8 3DA60000 CALL 1002B05D
10020A20 |. 83C4 04 ADD ESP, 0x4
10020A23 |> E8 F50A0000 CALL 1002151D ; status abnormal
10020A28 |. E9 00000000 JMP 10020A2D
10020A2D |> 68 649E1A10 PUSH 101A9E64 ; see who jumps here
101A9E64=101A9E64
Jump sources: 10020318, 100209DB, 10020A28
There are three jumps; look at them one by one.
10020A28 is just the previous line, so ignore it.
The jump from 10020318 spans too much code; it would probably disable part of the module's functionality.
100209DB looks the most likely.
Analyze the nearby code:
[Asm]
100209CF |. E8 B6AEFEFF CALL 1000B88A
100209D4 |. 8945 F8 MOV [LOCAL.2], EAX
100209D7 |. 837D F8 00 CMP [LOCAL.2], 0x0
100209DB |. 0F85 4C000000 JNZ 10020A2D
Clearly the return value of CALL 1000B88A decides whether the jump is taken; by convention a return of 1 means success and 0 means failure.
The CMP shows this too. Let's step into the call.
This call is rather long:
[Asm]
1000B88A /$ 55 PUSH EBP
1000B88B |. 8BEC MOV EBP, ESP
1000B88D |. 81EC 38000000 SUB ESP, 0x38
1000B893 |. C745 FC 00000>MOV [LOCAL.1], 0x0
1000B89A |. 68 2C000000 PUSH 0x2C
1000B89F |. E8 B3F70100 CALL 1002B057
1000B8A4 |. 83C4 04 ADD ESP, 0x4
1000B8A7 |. 8945 F8 MOV [LOCAL.2], EAX
1000B8AA |. 8BF8 MOV EDI, EAX
1000B8AC |. BE 3E1D0610 MOV ESI, 10061D3E
1000B8B1 |. AD LODS DWORD PTR DS:[ESI]
1000B8B2 |. AB STOS DWORD PTR ES:[EDI]
1000B8B3 |. AD LODS DWORD PTR DS:[ESI]
1000B8B4 |. AB STOS DWORD PTR ES:[EDI]
1000B8B5 |. 33C0 XOR EAX, EAX
1000B8B7 |. B9 09000000 MOV ECX, 0x9
1000B8BC |. F3:AB REP STOS DWORD PTR ES:[EDI]
1000B8BE |. B8 286D0410 MOV EAX, 10046D28
1000B8C3 |. 85C0 TEST EAX, EAX
1000B8C5 |. 74 13 JE SHORT 1000B8DA
1000B8C7 |. 50 PUSH EAX
1000B8C8 |. 8B40 04 MOV EAX, DWORD PTR DS:[EAX+0x4]
1000B8CB |. 83C0 08 ADD EAX, 0x8
1000B8CE |. 50 PUSH EAX
1000B8CF |. E8 83F70100 CALL 1002B057
1000B8D4 |. 59 POP ECX ; ntdll.77351D36
1000B8D5 |. 5E POP ESI ; ntdll.77351D36
1000B8D6 |. 8BF8 MOV EDI, EAX
1000B8D8 |. F3:A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:>
1000B8DA |> 50 PUSH EAX
1000B8DB |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
1000B8DE |. 85DB TEST EBX, EBX
1000B8E0 |. 74 09 JE SHORT 1000B8EB
1000B8E2 |. 53 PUSH EBX
1000B8E3 |. E8 75F70100 CALL 1002B05D
1000B8E8 |. 83C4 04 ADD ESP, 0x4
1000B8EB |> 58 POP EAX ; ntdll.77351D36
1000B8EC |. 8945 FC MOV [LOCAL.1], EAX
1000B8EF |. 833D D49D1A10>CMP DWORD PTR DS:[0x101A9DD4], 0x0
1000B8F6 |. 0F85 19000000 JNZ 1000B915
1000B8FC |. 8D45 FC LEA EAX, [LOCAL.1]
1000B8FF |. 50 PUSH EAX
1000B900 |. E8 B0050000 CALL 1000BEB5
1000B905 |. 50 PUSH EAX
1000B906 |. E8 C9050000 CALL 1000BED4
1000B90B |. A3 D49D1A10 MOV DWORD PTR DS:[0x101A9DD4], EAX
1000B910 |. E9 00000000 JMP 1000B915
1000B915 |> 68 010100A0 PUSH 0xA0000101
1000B91A |. 6A 00 PUSH 0x0
1000B91C |. 68 301D0610 PUSH 10061D30
1000B921 |. 68 01000000 PUSH 0x1
1000B926 |. BB 68010000 MOV EBX, 0x168
1000B92B |. E8 20080200 CALL 1002C150
1000B930 |. 83C4 10 ADD ESP, 0x10
1000B933 |. 8945 F4 MOV [LOCAL.3], EAX
1000B936 |. 8D45 F4 LEA EAX, [LOCAL.3]
1000B939 |. 50 PUSH EAX
1000B93A |. FF35 D49D1A10 PUSH DWORD PTR DS:[0x101A9DD4]
1000B940 |. E8 98070000 CALL 1000C0DD
1000B945 |. 8945 F0 MOV [LOCAL.4], EAX
1000B948 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000B94B |. 85DB TEST EBX, EBX
1000B94D |. 74 09 JE SHORT 1000B958
1000B94F |. 53 PUSH EBX
1000B950 |. E8 08F70100 CALL 1002B05D
1000B955 |. 83C4 04 ADD ESP, 0x4
1000B958 |> 8B45 F0 MOV EAX, [LOCAL.4]
1000B95B |. A3 D89D1A10 MOV DWORD PTR DS:[0x101A9DD8], EAX
1000B960 |. 68 01030080 PUSH 0x80000301
1000B965 |. 6A 00 PUSH 0x0
1000B967 |. 68 4A000000 PUSH 0x4A
1000B96C |. 68 01030080 PUSH 0x80000301
1000B971 |. 6A 00 PUSH 0x0
1000B973 |. 68 6B7F0000 PUSH 0x7F6B
1000B978 |. 68 02000000 PUSH 0x2
1000B97D |. BB CC000000 MOV EBX, 0xCC
1000B982 |. E8 69340200 CALL 1002EDF0
1000B987 |. 83C4 1C ADD ESP, 0x1C
1000B98A |. 66:A3 DC9D1A1>MOV WORD PTR DS:[0x101A9DDC], AX
1000B990 |. 68 01030080 PUSH 0x80000301
1000B995 |. 6A 00 PUSH 0x0
1000B997 |. 68 4A000000 PUSH 0x4A
1000B99C |. 68 01030080 PUSH 0x80000301
1000B9A1 |. 6A 00 PUSH 0x0
1000B9A3 |. 68 9A500000 PUSH 0x509A
1000B9A8 |. 68 02000000 PUSH 0x2
1000B9AD |. BB CC000000 MOV EBX, 0xCC
1000B9B2 |. E8 39340200 CALL 1002EDF0
1000B9B7 |. 83C4 1C ADD ESP, 0x1C
1000B9BA |. 66:A3 E09D1A1>MOV WORD PTR DS:[0x101A9DE0], AX
1000B9C0 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000B9C3 |. E8 FD64FFFF CALL 10001EC5
1000B9C8 |. B8 00000000 MOV EAX, 0x0
1000B9CD |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000B9CF |. 7C 0D JL SHORT 1000B9DE
1000B9D1 |. 68 01000000 PUSH 0x1
1000B9D6 |. E8 88F60100 CALL 1002B063
1000B9DB |. 83C4 04 ADD ESP, 0x4
1000B9DE |> C1E0 02 SHL EAX, 0x2
1000B9E1 |. 03D8 ADD EBX, EAX
1000B9E3 |. 895D F4 MOV [LOCAL.3], EBX
1000B9E6 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000B9E9 |. C703 01000000 MOV DWORD PTR DS:[EBX], 0x1
1000B9EF |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000B9F2 |. E8 CE64FFFF CALL 10001EC5
1000B9F7 |. B8 01000000 MOV EAX, 0x1
1000B9FC |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000B9FE |. 7C 0D JL SHORT 1000BA0D
1000BA00 |. 68 01000000 PUSH 0x1
1000BA05 |. E8 59F60100 CALL 1002B063
1000BA0A |. 83C4 04 ADD ESP, 0x4
1000BA0D |> C1E0 02 SHL EAX, 0x2
1000BA10 |. 03D8 ADD EBX, EAX
1000BA12 |. 895D F4 MOV [LOCAL.3], EBX
1000BA15 |. 68 01020080 PUSH 0x80000201
1000BA1A |. 6A 00 PUSH 0x0
1000BA1C |. 68 E49D1A10 PUSH 101A9DE4
1000BA21 |. 68 01000000 PUSH 0x1
1000BA26 |. BB 0C000000 MOV EBX, 0xC
1000BA2B |. B8 60300310 MOV EAX, 10033060
1000BA30 |. E8 9BFC0100 CALL 1002B6D0
1000BA35 |. 83C4 10 ADD ESP, 0x10
1000BA38 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BA3B |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BA3D |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BA40 |. E8 8064FFFF CALL 10001EC5
1000BA45 |. B8 02000000 MOV EAX, 0x2
1000BA4A |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BA4C |. 7C 0D JL SHORT 1000BA5B
1000BA4E |. 68 01000000 PUSH 0x1
1000BA53 |. E8 0BF60100 CALL 1002B063
1000BA58 |. 83C4 04 ADD ESP, 0x4
1000BA5B |> C1E0 02 SHL EAX, 0x2
1000BA5E |. 03D8 ADD EBX, EAX
1000BA60 |. 895D F4 MOV [LOCAL.3], EBX
1000BA63 |. 68 01040080 PUSH 0x80000401
1000BA68 |. 6A 00 PUSH 0x0
1000BA6A |. 68 E89D1A10 PUSH 101A9DE8
1000BA6F |. 68 01000000 PUSH 0x1
1000BA74 |. BB 0C000000 MOV EBX, 0xC
1000BA79 |. B8 60300310 MOV EAX, 10033060
1000BA7E |. E8 4DFC0100 CALL 1002B6D0
1000BA83 |. 83C4 10 ADD ESP, 0x10
1000BA86 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BA89 |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BA8B |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BA8E |. E8 3264FFFF CALL 10001EC5
1000BA93 |. B8 03000000 MOV EAX, 0x3
1000BA98 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BA9A |. 7C 0D JL SHORT 1000BAA9
1000BA9C |. 68 01000000 PUSH 0x1
1000BAA1 |. E8 BDF50100 CALL 1002B063
1000BAA6 |. 83C4 04 ADD ESP, 0x4
1000BAA9 |> C1E0 02 SHL EAX, 0x2
1000BAAC |. 03D8 ADD EBX, EAX
1000BAAE |. 895D F4 MOV [LOCAL.3], EBX
1000BAB1 |. 68 01040080 PUSH 0x80000401
1000BAB6 |. 6A 00 PUSH 0x0
1000BAB8 |. 68 F09D1A10 PUSH 101A9DF0
1000BABD |. 68 01000000 PUSH 0x1
1000BAC2 |. BB 0C000000 MOV EBX, 0xC
1000BAC7 |. B8 60300310 MOV EAX, 10033060
1000BACC |. E8 FFFB0100 CALL 1002B6D0
1000BAD1 |. 83C4 10 ADD ESP, 0x10
1000BAD4 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BAD7 |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BAD9 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BADC |. E8 E463FFFF CALL 10001EC5
1000BAE1 |. B8 04000000 MOV EAX, 0x4
1000BAE6 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BAE8 |. 7C 0D JL SHORT 1000BAF7
1000BAEA |. 68 01000000 PUSH 0x1
1000BAEF |. E8 6FF50100 CALL 1002B063
1000BAF4 |. 83C4 04 ADD ESP, 0x4
1000BAF7 |> C1E0 02 SHL EAX, 0x2
1000BAFA |. 03D8 ADD EBX, EAX
1000BAFC |. 895D F4 MOV [LOCAL.3], EBX
1000BAFF |. 68 01020080 PUSH 0x80000201
1000BB04 |. 6A 00 PUSH 0x0
1000BB06 |. 68 DC9D1A10 PUSH 101A9DDC
1000BB0B |. 68 01000000 PUSH 0x1
1000BB10 |. BB 0C000000 MOV EBX, 0xC
1000BB15 |. B8 60300310 MOV EAX, 10033060
1000BB1A |. E8 B1FB0100 CALL 1002B6D0
1000BB1F |. 83C4 10 ADD ESP, 0x10
1000BB22 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BB25 |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BB27 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BB2A |. E8 9663FFFF CALL 10001EC5
1000BB2F |. B8 05000000 MOV EAX, 0x5
1000BB34 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BB36 |. 7C 0D JL SHORT 1000BB45
1000BB38 |. 68 01000000 PUSH 0x1
1000BB3D |. E8 21F50100 CALL 1002B063
1000BB42 |. 83C4 04 ADD ESP, 0x4
1000BB45 |> C1E0 02 SHL EAX, 0x2
1000BB48 |. 03D8 ADD EBX, EAX
1000BB4A |. 895D F4 MOV [LOCAL.3], EBX
1000BB4D |. 68 01020080 PUSH 0x80000201
1000BB52 |. 6A 00 PUSH 0x0
1000BB54 |. 68 E09D1A10 PUSH 101A9DE0
1000BB59 |. 68 01000000 PUSH 0x1
1000BB5E |. BB 0C000000 MOV EBX, 0xC
1000BB63 |. B8 60300310 MOV EAX, 10033060
1000BB68 |. E8 63FB0100 CALL 1002B6D0
1000BB6D |. 83C4 10 ADD ESP, 0x10
1000BB70 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BB73 |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BB75 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BB78 |. E8 4863FFFF CALL 10001EC5
1000BB7D |. B8 06000000 MOV EAX, 0x6
1000BB82 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BB84 |. 7C 0D JL SHORT 1000BB93
1000BB86 |. 68 01000000 PUSH 0x1
1000BB8B |. E8 D3F40100 CALL 1002B063
1000BB90 |. 83C4 04 ADD ESP, 0x4
1000BB93 |> C1E0 02 SHL EAX, 0x2
1000BB96 |. 03D8 ADD EBX, EAX
1000BB98 |. 895D F4 MOV [LOCAL.3], EBX
1000BB9B |. 68 01020080 PUSH 0x80000201
1000BBA0 |. 6A 00 PUSH 0x0
1000BBA2 |. 68 F89D1A10 PUSH 101A9DF8
1000BBA7 |. 68 01000000 PUSH 0x1
1000BBAC |. BB 0C000000 MOV EBX, 0xC
1000BBB1 |. B8 60300310 MOV EAX, 10033060
1000BBB6 |. E8 15FB0100 CALL 1002B6D0
1000BBBB |. 83C4 10 ADD ESP, 0x10
1000BBBE |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BBC1 |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BBC3 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BBC6 |. E8 FA62FFFF CALL 10001EC5
1000BBCB |. B8 07000000 MOV EAX, 0x7
1000BBD0 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BBD2 |. 7C 0D JL SHORT 1000BBE1
1000BBD4 |. 68 01000000 PUSH 0x1
1000BBD9 |. E8 85F40100 CALL 1002B063
1000BBDE |. 83C4 04 ADD ESP, 0x4
1000BBE1 |> C1E0 02 SHL EAX, 0x2
1000BBE4 |. 03D8 ADD EBX, EAX
1000BBE6 |. 895D F4 MOV [LOCAL.3], EBX
1000BBE9 |. 68 01020080 PUSH 0x80000201
1000BBEE |. 6A 00 PUSH 0x0
1000BBF0 |. 68 FC9D1A10 PUSH 101A9DFC
1000BBF5 |. 68 01000000 PUSH 0x1
1000BBFA |. BB 0C000000 MOV EBX, 0xC
1000BBFF |. B8 60300310 MOV EAX, 10033060
1000BC04 |. E8 C7FA0100 CALL 1002B6D0
1000BC09 |. 83C4 10 ADD ESP, 0x10
1000BC0C |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BC0F |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BC11 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BC14 |. E8 AC62FFFF CALL 10001EC5
1000BC19 |. B8 08000000 MOV EAX, 0x8
1000BC1E |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BC20 |. 7C 0D JL SHORT 1000BC2F
1000BC22 |. 68 01000000 PUSH 0x1
1000BC27 |. E8 37F40100 CALL 1002B063
1000BC2C |. 83C4 04 ADD ESP, 0x4
1000BC2F |> C1E0 02 SHL EAX, 0x2
1000BC32 |. 03D8 ADD EBX, EAX
1000BC34 |. 895D F4 MOV [LOCAL.3], EBX
1000BC37 |. 68 05000080 PUSH 0x80000005
1000BC3C |. 6A 00 PUSH 0x0
1000BC3E |. 68 009E1A10 PUSH 101A9E00
1000BC43 |. 68 01000000 PUSH 0x1
1000BC48 |. BB 0C000000 MOV EBX, 0xC
1000BC4D |. B8 60300310 MOV EAX, 10033060
1000BC52 |. E8 79FA0100 CALL 1002B6D0
1000BC57 |. 83C4 10 ADD ESP, 0x10
1000BC5A |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BC5D |. 8903 MOV DWORD PTR DS:[EBX], EAX
1000BC5F |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BC62 |. E8 5E62FFFF CALL 10001EC5
1000BC67 |. B8 00000000 MOV EAX, 0x0
1000BC6C |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BC6E |. 7C 0D JL SHORT 1000BC7D
1000BC70 |. 68 01000000 PUSH 0x1
1000BC75 |. E8 E9F30100 CALL 1002B063
1000BC7A |. 83C4 04 ADD ESP, 0x4
1000BC7D |> C1E0 02 SHL EAX, 0x2
1000BC80 |. 03D8 ADD EBX, EAX
1000BC82 |. 895D F4 MOV [LOCAL.3], EBX
1000BC85 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BC88 |. E8 3862FFFF CALL 10001EC5
1000BC8D |. B8 01000000 MOV EAX, 0x1
1000BC92 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BC94 |. 7C 0D JL SHORT 1000BCA3
1000BC96 |. 68 01000000 PUSH 0x1
1000BC9B |. E8 C3F30100 CALL 1002B063
1000BCA0 |. 83C4 04 ADD ESP, 0x4
1000BCA3 |> C1E0 02 SHL EAX, 0x2
1000BCA6 |. 03D8 ADD EBX, EAX
1000BCA8 |. 895D F0 MOV [LOCAL.4], EBX
1000BCAB |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BCAE |. E8 1262FFFF CALL 10001EC5
1000BCB3 |. B8 02000000 MOV EAX, 0x2
1000BCB8 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BCBA |. 7C 0D JL SHORT 1000BCC9
1000BCBC |. 68 01000000 PUSH 0x1
1000BCC1 |. E8 9DF30100 CALL 1002B063
1000BCC6 |. 83C4 04 ADD ESP, 0x4
1000BCC9 |> C1E0 02 SHL EAX, 0x2
1000BCCC |. 03D8 ADD EBX, EAX
1000BCCE |. 895D EC MOV [LOCAL.5], EBX
1000BCD1 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BCD4 |. E8 EC61FFFF CALL 10001EC5
1000BCD9 |. B8 03000000 MOV EAX, 0x3
1000BCDE |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BCE0 |. 7C 0D JL SHORT 1000BCEF
1000BCE2 |. 68 01000000 PUSH 0x1
1000BCE7 |. E8 77F30100 CALL 1002B063
1000BCEC |. 83C4 04 ADD ESP, 0x4
1000BCEF |> C1E0 02 SHL EAX, 0x2
1000BCF2 |. 03D8 ADD EBX, EAX
1000BCF4 |. 895D E8 MOV [LOCAL.6], EBX
1000BCF7 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BCFA |. E8 C661FFFF CALL 10001EC5
1000BCFF |. B8 04000000 MOV EAX, 0x4
1000BD04 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BD06 |. 7C 0D JL SHORT 1000BD15
1000BD08 |. 68 01000000 PUSH 0x1
1000BD0D |. E8 51F30100 CALL 1002B063
1000BD12 |. 83C4 04 ADD ESP, 0x4
1000BD15 |> C1E0 02 SHL EAX, 0x2
1000BD18 |. 03D8 ADD EBX, EAX
1000BD1A |. 895D E4 MOV [LOCAL.7], EBX
1000BD1D |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BD20 |. E8 A061FFFF CALL 10001EC5
1000BD25 |. B8 05000000 MOV EAX, 0x5
1000BD2A |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BD2C |. 7C 0D JL SHORT 1000BD3B
1000BD2E |. 68 01000000 PUSH 0x1
1000BD33 |. E8 2BF30100 CALL 1002B063
1000BD38 |. 83C4 04 ADD ESP, 0x4
1000BD3B |> C1E0 02 SHL EAX, 0x2
1000BD3E |. 03D8 ADD EBX, EAX
1000BD40 |. 895D E0 MOV [LOCAL.8], EBX
1000BD43 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BD46 |. E8 7A61FFFF CALL 10001EC5
1000BD4B |. B8 06000000 MOV EAX, 0x6
1000BD50 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BD52 |. 7C 0D JL SHORT 1000BD61
1000BD54 |. 68 01000000 PUSH 0x1
1000BD59 |. E8 05F30100 CALL 1002B063
1000BD5E |. 83C4 04 ADD ESP, 0x4
1000BD61 |> C1E0 02 SHL EAX, 0x2
1000BD64 |. 03D8 ADD EBX, EAX
1000BD66 |. 895D DC MOV [LOCAL.9], EBX
1000BD69 |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BD6C |. E8 5461FFFF CALL 10001EC5
1000BD71 |. B8 07000000 MOV EAX, 0x7
1000BD76 |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BD78 |. 7C 0D JL SHORT 1000BD87
1000BD7A |. 68 01000000 PUSH 0x1
1000BD7F |. E8 DFF20100 CALL 1002B063
1000BD84 |. 83C4 04 ADD ESP, 0x4
1000BD87 |> C1E0 02 SHL EAX, 0x2
1000BD8A |. 03D8 ADD EBX, EAX
1000BD8C |. 895D D8 MOV [LOCAL.10], EBX
1000BD8F |. 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BD92 |. E8 2E61FFFF CALL 10001EC5
1000BD97 |. B8 08000000 MOV EAX, 0x8
1000BD9C |. 3BC1 CMP EAX, ECX ; Game-EC.<ModuleEntryPoint>
1000BD9E |. 7C 0D JL SHORT 1000BDAD
1000BDA0 |. 68 01000000 PUSH 0x1
1000BDA5 |. E8 B9F20100 CALL 1002B063
1000BDAA |. 83C4 04 ADD ESP, 0x4
1000BDAD |> C1E0 02 SHL EAX, 0x2
1000BDB0 |. 03D8 ADD EBX, EAX
1000BDB2 |. 895D D4 MOV [LOCAL.11], EBX
1000BDB5 |. 6A 01 PUSH 0x1
1000BDB7 |. 8B5D D4 MOV EBX, [LOCAL.11] ; oleaut32.75150000
1000BDBA |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDBC |. 6A 01 PUSH 0x1
1000BDBE |. 8B5D D8 MOV EBX, [LOCAL.10]
1000BDC1 |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDC3 |. 6A 01 PUSH 0x1
1000BDC5 |. 8B5D DC MOV EBX, [LOCAL.9] ; ntdll.77315558
1000BDC8 |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDCA |. 6A 01 PUSH 0x1
1000BDCC |. 8B5D E0 MOV EBX, [LOCAL.8] ; oleaut32.<ModuleEntryPoint>
1000BDCF |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDD1 |. 6A 01 PUSH 0x1
1000BDD3 |. 8B5D E4 MOV EBX, [LOCAL.7] ; ntdll.77351D36
1000BDD6 |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDD8 |. 6A 01 PUSH 0x1
1000BDDA |. 8B5D E8 MOV EBX, [LOCAL.6] ; Game-EC.10000000
1000BDDD |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDDF |. 6A 01 PUSH 0x1
1000BDE1 |. 8B5D EC MOV EBX, [LOCAL.5]
1000BDE4 |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDE6 |. 6A 01 PUSH 0x1
1000BDE8 |. 8B5D F0 MOV EBX, [LOCAL.4]
1000BDEB |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDED |. 6A 01 PUSH 0x1
1000BDEF |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BDF2 |. FF33 PUSH DWORD PTR DS:[EBX]
1000BDF4 |. FF35 D89D1A10 PUSH DWORD PTR DS:[0x101A9DD8]
1000BDFA |. E8 8D020000 CALL 1000C08C
1000BDFF |. 8945 CC MOV [LOCAL.13], EAX
1000BE02 |. 837D CC 03 CMP [LOCAL.13], 0x3
1000BE06 |. 0F85 0A000000 JNZ 1000BE16
1000BE0C |. B8 00000000 MOV EAX, 0x0
1000BE11 |. E9 7D000000 JMP 1000BE93
1000BE16 |> 68 01040080 PUSH 0x80000401
1000BE1B |. FF35 EC9D1A10 PUSH DWORD PTR DS:[0x101A9DEC]
1000BE21 |. FF35 E89D1A10 PUSH DWORD PTR DS:[0x101A9DE8]
1000BE27 |. 68 01000000 PUSH 0x1
1000BE2C |. BB 68010000 MOV EBX, 0x168
1000BE31 |. E8 1A030200 CALL 1002C150
1000BE36 |. 83C4 10 ADD ESP, 0x10
1000BE39 |. 8945 F4 MOV [LOCAL.3], EAX
1000BE3C |. 68 04000080 PUSH 0x80000004
1000BE41 |. 6A 00 PUSH 0x0
1000BE43 |. 8B45 F4 MOV EAX, [LOCAL.3]
1000BE46 |. 85C0 TEST EAX, EAX
1000BE48 |. 75 05 JNZ SHORT 1000BE4F
1000BE4A |. B8 4B520410 MOV EAX, 1004524B
1000BE4F |> 50 PUSH EAX
1000BE50 |. 68 01000000 PUSH 0x1
1000BE55 |. BB 30010000 MOV EBX, 0x130
1000BE5A |. E8 21FA0100 CALL 1002B880
1000BE5F |. 83C4 10 ADD ESP, 0x10
1000BE62 |. 8945 F0 MOV [LOCAL.4], EAX
1000BE65 |. 8B5D F4 MOV EBX, [LOCAL.3]
1000BE68 |. 85DB TEST EBX, EBX
1000BE6A |. 74 09 JE SHORT 1000BE75
1000BE6C |. 53 PUSH EBX
1000BE6D |. E8 EBF10100 CALL 1002B05D
1000BE72 |. 83C4 04 ADD ESP, 0x4
1000BE75 |> 837D F0 0A CMP [LOCAL.4], 0xA
1000BE79 |. 0F85 0A000000 JNZ 1000BE89
1000BE7F |. B8 01000000 MOV EAX, 0x1
1000BE84 |. E9 0A000000 JMP 1000BE93
1000BE89 |> B8 00000000 MOV EAX, 0x0
1000BE8E |. E9 00000000 JMP 1000BE93
1000BE93 |> 50 PUSH EAX
1000BE94 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
1000BE97 |. 85DB TEST EBX, EBX
1000BE99 |. 74 09 JE SHORT 1000BEA4
1000BE9B |. 53 PUSH EBX
1000BE9C |. E8 BCF10100 CALL 1002B05D
1000BEA1 |. 83C4 04 ADD ESP, 0x4
1000BEA4 |> 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BEA7 |. 53 PUSH EBX
1000BEA8 |. E8 B0F10100 CALL 1002B05D
1000BEAD |. 83C4 04 ADD ESP, 0x4
1000BEB0 |. 58 POP EAX ; ntdll.77351D36
1000BEB1 |. 8BE5 MOV ESP, EBP
1000BEB3 |. 5D POP EBP ; ntdll.77351D36
1000BEB4 \. C3 RETN
Focus on the tail of the function, shown below; what matters is where EAX gets its value.
1000BE93 is only a jump target, so a quick look is enough to determine the return value.
[Asm]
1000BE93 |> \50 PUSH EAX
1000BE94 |. 8B5D FC MOV EBX, [LOCAL.1] ; Game-EC.10000000
1000BE97 |. 85DB TEST EBX, EBX
1000BE99 |. 74 09 JE SHORT 1000BEA4
1000BE9B |. 53 PUSH EBX
1000BE9C |. E8 BCF10100 CALL 1002B05D
1000BEA1 |. 83C4 04 ADD ESP, 0x4
1000BEA4 |> 8B5D F8 MOV EBX, [LOCAL.2] ; Game-EC.<ModuleEntryPoint>
1000BEA7 |. 53 PUSH EBX
1000BEA8 |. E8 B0F10100 CALL 1002B05D
1000BEAD |. 83C4 04 ADD ESP, 0x4
1000BEB0 |. 58 POP EAX ; ntdll.77351D36
1000BEB1 |. 8BE5 MOV ESP, EBP
1000BEB3 |. 5D POP EBP ; ntdll.77351D36
1000BEB4 \. C3 RETN
[Asm]
EAX=00000000
Jump sources: 1000BE11, 1000BE84, 1000BE8E
Again, look at them one by one:
[Asm]
1000BE0C |. B8 00000000 MOV EAX, 0x0
1000BE11 |. E9 7D000000 JMP 1000BE93
1000BE7F |. B8 01000000 MOV EAX, 0x1
1000BE84 |. E9 0A000000 JMP 1000BE93
1000BE89 |> B8 00000000 MOV EAX, 0x0
1000BE8E |. E9 00000000 JMP 1000BE93
So a return value of 1 is what we need. There are many ways to change it:
1. Change mov eax,0 to mov eax,1 at these three addresses.
2. Change the conditional jumps in between.
3. Keep digging for the core verification.
4. Patch in extra code at the tail of the function.
I chose to patch the tail.
[Asm]
1000BEB0 |. 58 POP EAX ; ntdll.77351D36
1000BEB1 8BE5 MOV ESP, EBP
1000BEB3 5D POP EBP ; ntdll.77351D36
1000BEB4 C3 RETN
At the tail, JMP to an empty area of the code section:
[Asm]
1001B0D5 58 POP EAX ; ntdll.77351D36
1001B0D6 B8 01000000 MOV EAX, 0x1
1001B0DB 8BE5 MOV ESP, EBP
1001B0DD 5D POP EBP ; ntdll.77351D36
1001B0DE C3 RETN
Then save it and overwrite the support library. Close Easy Language and reopen the source: the unauthorized prompt is gone.
Debug output is normal.
Static compile test passes.
This post is for learning and exchange only; no finished product is provided. Since the module references and downloads all involve advertising content, they are not shared; anyone who needs a sample can PM me.
If this violates the rules, please delete.
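The patch described above works because the verification result is a single flag computed inside the very library that gets overwritten on disk. From the module author's side, the practical check is to notice that the shipped support library no longer matches the released build. The script below is an added example written for this post, not code from the Game-EC module or its author: it compares a suspect copy of a library against a known-good SHA-256 and, when a pristine copy is available, reports the byte ranges that differ. The sample bytes are constructed stand-ins for a function tail (they mirror the POP EAX / MOV ESP,EBP / POP EBP / RETN epilogue shown above) and are not a real .fne image; the function names are the example's own.

```python
"""Integrity check for a support library (.fne is a renamed DLL) against a
known-good hash and, optionally, a pristine copy. Added example; the byte
samples below are constructed and do not come from any real library."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole file image."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_sha256_hex: str) -> bool:
    """True only if the image hashes to the released value.
    compare_digest avoids a timing side channel on the comparison; the
    expected hash must be stored outside the library being checked."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


def diff_ranges(pristine: bytes, suspect: bytes) -> list:
    """Return (offset, length) for each contiguous region where the suspect
    copy differs from the pristine one. Bytes beyond the end of the shorter
    input count as differing, so an appended code cave is reported too."""
    ranges = []
    start = None
    n = max(len(pristine), len(suspect))
    for i in range(n):
        same = i < len(pristine) and i < len(suspect) and pristine[i] == suspect[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    return ranges


def check_library(suspect: bytes, expected_sha256_hex: str, pristine: bytes = None) -> dict:
    """Combine both checks into one report a build pipeline can act on."""
    report = {"intact": verify_integrity(suspect, expected_sha256_hex)}
    if pristine is not None and not report["intact"]:
        report["patched_ranges"] = diff_ranges(pristine, suspect)
    return report


# Constructed sample image: prologue, 8 bytes of filler, and the epilogue
# 58 8B E5 5D C3 (POP EAX; MOV ESP,EBP; POP EBP; RETN).
PRISTINE = bytes.fromhex("558bec81ec38000000") + bytes(8) + bytes.fromhex("588be55dc3")
# Constructed tampered copy: the epilogue has been rewritten to force EAX=1
# (58 B8 01 00 00 00 8B E5 5D C3), which also lengthens the image.
SUSPECT = PRISTINE[:17] + bytes.fromhex("58b8010000008be55dc3")

# In a real pipeline this value comes from the release manifest, not from
# the library itself; here it is derived from the constructed sample.
KNOWN_GOOD_SHA256 = sha256_hex(PRISTINE)


if __name__ == "__main__":
    print("pristine:", check_library(PRISTINE, KNOWN_GOOD_SHA256, PRISTINE))
    print("suspect: ", check_library(SUSPECT, KNOWN_GOOD_SHA256, PRISTINE))
```

Run it as a script to see the pristine copy pass and the tampered copy fail with the modified range (offset 18, 9 bytes: the four rewritten epilogue bytes plus the five appended ones). The hash comparison is what a loader or installer would use; the byte diff is for the author investigating a reported cracked copy, since it points straight at the function whose return value was forced.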