无壳无花，直接载入OD。
右键——搜索字符串（“配置”）。
拉到字符串列表的开头，然后往下找，找到这个字符串。
我们找最后那一个。
00408825 68 55334900 push CM第二弹.00493355 ; 配置 这个是最后的那个
00408811 50 push eax
00408812 68 04000080 push 0x80000004
00408817 6A 00 push 0x0
00408819 68 4C334900 push CM第二弹.0049334C ; 注册码:
0040881E 68 04000080 push 0x80000004
00408823 6A 00 push 0x0
00408825 68 55334900 push CM第二弹.00493355 ; 配置
0040882A 68 04000080 push 0x80000004
0040882F 6A 00 push 0x0
00408831 8B45 E0 mov eax,dword ptr ss:[ebp-0x20]
00408834 85C0 test eax,eax
00408836 75 05 jnz XCM第二弹.0040883D
00408838 B8 3A334900 mov eax,CM第二弹.0049333A
0040883D 50 push eax
0040883E 68 04000000 push 0x4
00408843 BB 20E44000 mov ebx,CM第二弹.0040E420
00408848 E8 193D0000 call CM第二弹.0040C566
0040884D 83C4 34 add esp,0x34
00408850 8B5D E0 mov ebx,dword ptr ss:[ebp-0x20]
00408853 85DB test ebx,ebx
00408855 74 09 je XCM第二弹.00408860
00408857 53 push ebx
00408858 E8 033D0000 call CM第二弹.0040C560
0040885D 83C4 04 add esp,0x4
00408860 8B5D DC mov ebx,dword ptr ss:[ebp-0x24]
00408863 85DB test ebx,ebx
00408865 74 09 je XCM第二弹.00408870
00408867 53 push ebx
00408868 E8 F33C0000 call CM第二弹.0040C560
0040886D 83C4 04 add esp,0x4
00408870 DB05 EC214B00 fild dword ptr ds:[0x4B21EC]
00408876 DD5D E0 fstp qword ptr ss:[ebp-0x20]
00408879 DD45 E0 fld qword ptr ss:[ebp-0x20]
0040887C DB05 F0214B00 fild dword ptr ds:[0x4B21F0]
00408882 DD5D D8 fstp qword ptr ss:[ebp-0x28]
00408885 DC45 D8 fadd qword ptr ss:[ebp-0x28]
00408888 DB05 F4214B00 fild dword ptr ds:[0x4B21F4]
0040888E DD5D D0 fstp qword ptr ss:[ebp-0x30]
00408891 DC45 D0 fadd qword ptr ss:[ebp-0x30]
00408894 DB05 FC214B00 fild dword ptr ds:[0x4B21FC]
0040889A DD5D C8 fstp qword ptr ss:[ebp-0x38]
0040889D DC45 C8 fadd qword ptr ss:[ebp-0x38]
004088A0 DB05 00224B00 fild dword ptr ds:[0x4B2200]
004088A6 DD5D C0 fstp qword ptr ss:[ebp-0x40]
004088A9 DC45 C0 fadd qword ptr ss:[ebp-0x40]
004088AC DD5D B8 fstp qword ptr ss:[ebp-0x48]
004088AF DD45 B8 fld qword ptr ss:[ebp-0x48]
004088B2 DC25 DC354900 fsub qword ptr ds:[0x4935DC]
004088B8 D9E4 ftst
004088BA DFE0 fstsw ax
004088BC F6C4 01 test ah,0x1 \\\\\\这个跳
004088BF 74 02 je XCM第二弹.004088C3
004088C1 D9E0 fchs
004088C3 DC1D 16344900 fcomp qword ptr ds:[0x493416]
004088C9 DFE0 fstsw ax
004088CB F6C4 41 test ah,0x41 \\\\\\\这个跳 是关键的
004088CE 0F84 84000000 je CM第二弹.00408958
004088D4 DB05 EC214B00 fild dword ptr ds:[0x4B21EC]
004088DA DD5D E0 fstp qword ptr ss:[ebp-0x20]
004088DD DD45 E0 fld qword ptr ss:[ebp-0x20]
004088E0 DB05 F0214B00 fild dword ptr ds:[0x4B21F0]
004088E6 DD5D D8 fstp qword ptr ss:[ebp-0x28]
004088E9 DC45 D8 fadd qword ptr ss:[ebp-0x28]
004088EC DB05 F4214B00 fild dword ptr ds:[0x4B21F4]
004088F2 DD5D D0 fstp qword ptr ss:[ebp-0x30]
004088F5 DC45 D0 fadd qword ptr ss:[ebp-0x30]
004088F8 DB05 FC214B00 fild dword ptr ds:[0x4B21FC]
004088FE DD5D C8 fstp qword ptr ss:[ebp-0x38]
00408901 DC45 C8 fadd qword ptr ss:[ebp-0x38]
00408904 DB05 00224B00 fild dword ptr ds:[0x4B2200]
0040890A DD5D C0 fstp qword ptr ss:[ebp-0x40]
0040890D DC45 C0 fadd qword ptr ss:[ebp-0x40]
00408910 DD5D B8 fstp qword ptr ss:[ebp-0x48]
00408913 DD45 B8 fld qword ptr ss:[ebp-0x48]
00408916 E8 009BFFFF call CM第二弹.0040241B
0040891B A3 04224B00 mov dword ptr ds:[0x4B2204],eax
00408920 68 02000080 push 0x80000002
00408925 6A 00 push 0x0
00408927 68 01000000 push 0x1
0040892C 6A 00 push 0x0
0040892E 6A 00 push 0x0
00408930 6A 00 push 0x0
00408932 68 01000100 push 0x10001
00408937 68 5D1A0106 push 0x6011A5D
0040893C 68 5E1A0152 push 0x52011A5E \\\\\这个是窗体
00408941 68 03000000 push 0x3
00408946 BB 80C94000 mov ebx,CM第二弹.0040C980
0040894B E8 163C0000 call CM第二弹.0040C566
00408950 83C4 28 add esp,0x28
00408953 ^ E9 18FFFFFF jmp CM第二弹.00408870
00408958 E9 00000000 jmp CM第二弹.0040895D
0040895D 8BE5 mov esp,ebp
0040895F 5D pop ebp
00408960 C3 retn
所以我们可以直接 push 窗体，
或者做一个超级跳。
00407AF9 55 push ebp \\\\这里是段首
00407AFA 8BEC mov ebp,esp
00407AFC 81EC A8000000 sub esp,0xA8
00407B02 C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
00407B09 C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0
00407B10 C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
00407B17 C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
00407B1E C745 EC 0000000>mov dword ptr ss:[ebp-0x14],0x0
00407B25 C745 E8 0000000>mov dword ptr ss:[ebp-0x18],0x0
00407B2C 837D FC 01 cmp dword ptr ss:[ebp-0x4],0x1
00407B30 0F85 AD000000 jnz CM第二弹.00407BE3 \\\这是一个跳 我们改这里
00407B30 /0F85 EA0D0000 jnz CM第二弹.00408920 这样改就可以了
压力不是很大，主要是跳过验证，不然循环太多有点烦。