首先OD载入CCProxy.dll
正常基址是在 0x10000000 (不对的话自己算下偏移)
; Caller-side excerpt (OllyDbg listing): runs the local registration-code check, then the online check.
; Argument labels are the original author's. Both checks run inside the client process,
; so their inputs and return values can be observed by anyone able to attach a debugger.
100320E4 |. 52 push edx ; signature code (author's label)
100320E5 |. 57 push edi ; username
100320E6 |. 50 push eax ; registration code
100320E7 |. E8 24F8FFFF call CCProx_1.10031910 ; call that verifies the registration code
100320EC |. 68 FF030000 push 0x3FF ; third argument of the call at 10032105
100320F1 |. 8D8C24 790200>lea ecx,dword ptr ss:[esp+0x279] ; ecx = address inside a stack buffer
100320F8 |. 6A 00 push 0x0 ; second argument: 0
100320FA |. 51 push ecx ; first argument: the buffer address
100320FB |. 8BE8 mov ebp,eax ; keep the return value of 10031910 (eax is not written between the call and here)
100320FD |. C68424 800200>mov byte ptr ss:[esp+0x280],0x0 ; zero the byte immediately before the address held in ecx
10032105 |. E8 468A0100 call CCProx_1.1004AB50 ; called as (buffer, 0, 0x3FF) -- presumably a memset-style clear; confirm
1003210A |. 8D9424 800600>lea edx,dword ptr ss:[esp+0x680] ; edx = address of another stack location
10032111 |. 52 push edx
10032112 |. 8D8424 840200>lea eax,dword ptr ss:[esp+0x284] ; same address as the byte zeroed at 100320FD, assuming 1004AB50 leaves esp unchanged
10032119 |. 57 push edi ; edi, labelled username by the author at 100320E5
1003211A |. 50 push eax
1003211B |. E8 D0F2FFFF call CCProx_1.100313F0 ; online (network) verification call
=========================================================
验证注册码的CALL:
10031910 /$ B8 14140000 mov eax,0x1414
; Start of the local registration-code routine at 10031910 (the line before this loads eax = 0x1414).
10031915 |. E8 06920100 call CCProx_1.1004AB20 ; called with eax = 0x1414 -- looks like a stack-probe/alloca helper; confirm
1003191A |. A1 80980710 mov eax,dword ptr ds:[0x10079880] ; load a global dword ...
1003191F |. 33C4 xor eax,esp ; ... mix it with the current esp ...
10031921 |. 898424 101400>mov dword ptr ss:[esp+0x1410],eax ; ... and store it in the frame (matches a /GS-style stack cookie setup; confirm)
10031928 |. 53 push ebx
10031929 |. 56 push esi
1003192A |. 8BB424 281400>mov esi,dword ptr ss:[esp+0x1428] ; esi = stack argument; pushed at 1003195E as the signature code
10031931 |. 57 push edi
10031932 |. 8BBC24 281400>mov edi,dword ptr ss:[esp+0x1428] ; first computation pass: edi = stack argument the author labels as the username
10031939 |. 57 push edi ; username
1003193A |. 57 push edi ; username
1003193B |. E8 80FEFFFF call CCProx_1.100317C0 ; derives a string value from the username (the same pointer is passed twice)
=========================================================
用户: 111111111111
算出的一串值:597dbfdbdb93d55d5ff7efcfefebfffe38
=========================================================
; Continuation of 10031910 after the first call to 100317C0; eax still holds that call's return value.
10031940 |. 83C4 08 add esp,0x8 ; drop the two arguments pushed for 100317C0
10031943 |. 8D5424 18 lea edx,dword ptr ss:[esp+0x18] ; edx = destination: local buffer at esp+0x18
10031947 |. 33DB xor ebx,ebx ; ebx = 0, so bl is the NUL byte compared against below
10031949 |. 8DA424 000000>lea esp,dword ptr ss:[esp] ; leaves esp unchanged: filler before the loop head at 10031950
10031950 |> 8A08 /mov cl,byte ptr ds:[eax] ; copy loop: read one byte of the returned string
10031952 |. 880A |mov byte ptr ds:[edx],cl ; write it to the local buffer
10031954 |. 40 |inc eax
10031955 |. 42 |inc edx
10031956 |. 3ACB |cmp cl,bl ; was the byte just copied the NUL terminator?
10031958 |.^ 75 F6 \jnz XCCProx_1.10031950 ; repeat until the terminator itself has been copied (strcpy-style)
1003195A |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] ; eax = the local copy made above
1003195E |. 56 push esi ; signature code
1003195F |. 50 push eax ; the string derived from the username
10031960 |. E8 5BFEFFFF call CCProx_1.100317C0 ; second pass: computes the actual registration code
10031965 |. 68 00100000 push 0x1000 ; per the author, the computed registration code is now held in EAX
1003196A |. 8D8C24 250400>lea ecx,dword ptr ss:[esp+0x425]
; NOTE(review): as shown, the expected code is derived on the client from the username and signature code
; and is present in a register in clear form. A license format verified with an embedded public key
; (signature check instead of recomputation) avoids placing the expected value in client memory.
=========================================================
网络验证CALL:
100313F0 /$ B8 20340000 mov eax,0x3420
; Start of the online verification routine at 100313F0 (the line before this loads eax = 0x3420).
; The excerpt covers only the WinINet session and connection setup; request and response handling are not shown.
100313F5 |. E8 26970100 call CCProxy.1004AB20 ; called with eax = 0x3420 -- looks like a stack-probe/alloca helper; confirm
100313FA |. A1 80980710 mov eax,dword ptr ds:[0x10079880] ; load a global dword ...
100313FF |. 33C4 xor eax,esp ; ... mix it with the current esp ...
10031401 |. 898424 1C3400>mov dword ptr ss:[esp+0x341C],eax ; ... and store it in the frame (matches a /GS-style stack cookie setup; confirm)
10031408 |. 8B8424 243400>mov eax,dword ptr ss:[esp+0x3424] ; eax = a stack argument, saved to a local at 10031428
1003140F |. 53 push ebx
10031410 |. 55 push ebp
10031411 |. 56 push esi
10031412 |. 8BB424 343400>mov esi,dword ptr ss:[esp+0x3434] ; esi = another stack argument
10031419 |. 57 push edi
1003141A |. 8BBC24 3C3400>mov edi,dword ptr ss:[esp+0x343C] ; edi = another stack argument
10031421 |. 33DB xor ebx,ebx ; ebx = 0, reused below for every zero/NULL argument
10031423 |. 53 push ebx ; five zero arguments for InternetOpenA
10031424 |. 53 push ebx
10031425 |. 53 push ebx
10031426 |. 53 push ebx
10031427 |. 53 push ebx
10031428 |. 894424 2C mov dword ptr ss:[esp+0x2C],eax ; store the argument loaded at 10031408 in a local
1003142C |. FF15 A0840610 call dword ptr ds:[<&WININET.InternetOpe>; wininet.InternetOpenA -- all five parameters are 0 (agent NULL, access type 0 = INTERNET_OPEN_TYPE_PRECONFIG)
10031432 |. 53 push ebx ; InternetConnectA: context = 0
10031433 |. 53 push ebx ; flags = 0
10031434 |. 6A 03 push 0x3 ; service = 3 (INTERNET_SERVICE_HTTP)
10031436 |. 53 push ebx ; password = NULL
10031437 |. 53 push ebx ; user name = NULL
10031438 |. 6A 50 push 0x50 ; port = 0x50 (80)
1003143A |. 8BE8 mov ebp,eax ; ebp = handle returned by InternetOpenA; no NULL check is visible before it is used
1003143C |. 68 14AD0610 push CCProxy.1006AD14 ; ASCII "www.youngzsoft.com"
; Host contacted for the online verification. Author's note: changing the string stored at 1006AD14 to 127.0.0.1 is enough to get past it.
; NOTE(review): the host name is a plain ASCII constant inside the module and the connection targets port 80;
; whether TLS is requested later is not visible in this excerpt. That the author's redirect works suggests the
; server's answer is not authenticated and the check may fail open when the host is unreachable -- confirm.
; A hardened design verifies a signed server response against an embedded public key and treats errors as failure.
10031441 |. 55 push ebp ; hInternet = session handle from InternetOpenA
10031442 |. FF15 A4840610 call dword ptr ds:[<&WININET.InternetCon>; wininet.InternetConnectA
10031448 |. 68 00100000 push 0x1000 ; first argument push for a later call; the excerpt ends here
|