从逆向作品的结论出发，再逆向再研究：

冥界3大法王 · 发表于 2014-3-7 12:10

本帖最后由冥界3大法王于 2014-3-7 12:34 编辑

突然在某论坛发现一个破解版本的按键精灵，

1.启动退出无广告
2.无需登录和联网生成小精灵
3.小精灵无广告
4.资源库直接导入 ZZZZZZZZ

实际使用测试了下，他的汇编方法比我的方法要精练些，但广告的去除程度不如我的搞法彻底，最难容忍的是他的 按键精灵的启动补丁条没有NOP掉（如果你没有爆破的话，即使你使用的是正版的，按键精灵的启动速度也会直接拖慢）
已知：通过WinHEX分析得知：
1. 按键精灵9.XXexe:                   9,756,200 字节
2. 按键精灵9.XX破解版.exe:          9,756,200 字节
Offsets: 十六进制
1B8: 9F 92       :4001b8                               －－－－－A
1B9: D6 17
1EC: 30 BE       :4001EC                            －－－－－B
1ED: 06 02
2D8: 30 BE        :4002D8                            －－－－－C
2D9: 06 02
20D4: 0F E9        :004020D4    /E9 53040000 jmp    0040252C       －－－－－D
20D5: 8E 53
20D6: 52 04
20D7: 04 00
20D9: 00 90
－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－
00402084 > \E8 B30C1100 call <jmp.&MFC42.#CString::~CString_800>    1
00402089 >  8B46 10    mov    eax, dword ptr [esi+0x10]
0040208C .  8D4E 08    lea    ecx, dword ptr [esi+0x8]
0040208F .  3BC0       cmp    eax, eax
00402091 .  8B71 04    mov    esi, dword ptr [ecx+0x4]
00402094 .  8BC8       mov    ecx, eax
00402096 .  74 0E       je    short 004020A6
00402098 >  8B11       mov    edx, dword ptr [ecx]
0040209A .  83C1 04    add    ecx, 0x4
0040209D .  8916       mov    dword ptr [esi], edx
0040209F .  83C6 04    add    esi, 0x4
004020A2 .  3BC8       cmp    ecx, eax
004020A4 .^ 75 F2       jnz    short 00402098
004020A6 >  8B4424 64    mov    eax, dword ptr [esp+0x64]
004020AA .  8D78 08    lea    edi, dword ptr [eax+0x8]
004020AD .  8BCF       mov    ecx, edi
004020AF .  8B47 08    mov    eax, dword ptr [edi+0x8]
004020B2 .  50          push eax
004020B3 .  56          push esi
004020B4 .  E8 37220000 call 004042F0                            2
004020B9 .  8D6B 44    lea    ebp, dword ptr [ebx+0x44]
004020BC .  8977 08    mov    dword ptr [edi+0x8], esi
004020BF .  8BCD       mov    ecx, ebp
004020C1 .  C74424 14 000>mov    dword ptr [esp+0x14], 0x0
004020C9 .  896C24 28    mov    dword ptr [esp+0x28], ebp
004020CD    E8 FEF50A00 call 004B16D0                               3
004020D2 .  85C0       test eax, eax
004020D4    0F8E 52040000 jle    0040252C          这里我们要改JMP的地方
－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－
由DLL 看到一个返回用户处的地址，就是下面行的
eax=00483BB0 (Z3_备份.00483BB0)
00483E26    E8 6558FFFF call 00479690                      ;  该死的启动补丁处 NOP了之后速度秒速
00483E2B .  85C0       test eax, eax
00483E2D .  0F85 2F020000 jnz    00484062
00483E33 >  8D4C24 18    lea    ecx, dword ptr [esp+0x18]
00483E37 .  E8 142E0800 call <jmp.&MFC42.#CString::CString_54>
00483E3C .  68 78608300 push 00836078                      ;  ASCII "9.51.11790"
00483E41 .  8D5424 1C    lea    edx, dword ptr [esp+0x1C]
00483E45 .  68 99000000 push 0x99
00483E4A .  52          push edx
00483E4B .  C68424 AC1000>mov    byte ptr [esp+0x10AC], 0x3
00483E53 .  E8 A6310800 call <jmp.&MFC42.#CString::Format_281>
00483E58 .  83C4 08    add    esp, 0x8
00483E5B .  8BCC       mov    ecx, esp
00483E5D .  896424 28    mov    dword ptr [esp+0x28], esp
00483E61 .  68 18638300 push 00836318                      ;  ASCII "?lan=chs"
－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

注：上述地址，你通过  虚拟地址转换工具，输入  1B8，你是不能正确得到偏移地址的，所以正确的做法是使用WinHEX看到的16进制机器码，F5到HIEW中得到
求证：将他的结论与我的结论结合，去掉不该有的
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
OD中，通过字串搜索 lan=chs
－－－－－－－－－－－－－－－－－－－－－－－－－
下面的地方下好断点：
00415F2A 按键精灵始终 call <jmp.&MFC42.#CString::Format_2818>
00415F41 按键精灵始终 push 0084CABC 9.60.12177
0041A5EA 按键精灵始终 push 0084CCA8 lan=chs&
0041AAA1 按键精灵始终 push 0084CCA8 lan=chs&
00472C8B 按键精灵始终 push 0084E3B8 ?lan=chs
0048AFDE 按键精灵始终 call 00480210
0048AFF2 按键精灵始终 call <jmp.&MFC42.#CCommandLineInfo::~CCommandLineInfo_617>
0048B016 按键精灵始终 call <jmp.&MFC42.#CString::CString_540>
0048B040 按键精灵始终 push 0084E3B8 ?lan=chs
00492983 按键精灵始终 push 0084E3B8 ?lan=chs
004977C1 按键精灵始终 push 0084E3B8 ?lan=chs
－－－－－－－－－－－－－－－－－－－－－－－－－之后F9开球~~~
你会断在这里：
0048AFDE    E8 2D52FFFF call 00480210    ；但这里不是我们所要的地方
我们接着F9，因为有断点所以不怕跟丢~~
－－－－－－－－－－－－
00415F24 .  68 C8CA8400 push 0084CAC8                                              ;  res://%s%s.EXE/bottom_bar_ad.htm
00415F29 .  52          push edx
00415F2A .  E8 4FCE0F00 call <jmp.&MFC42.#CString::Format_2818>    是的，就是这里，我们可以下手了~~~ NOP掉
此时，程序的补丁条被爆破掉，跟我搞的那个低版本效果一样了。同样1秒速度进界面，享受  ZZZZZZZZ 处所提到的待遇。
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

文章为了交流汇编和逆向技术，所以不提供其他东东~~
按键精灵论坛大家要多多支持哟~~
其他不是之处也与吾爱破解论坛，楼主等没有关系，不追究法律责任哟~

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
未完，下面修补我自己的那个版本，未搞的几个地方。

Some · 发表于 2014-3-7 12:15

前途无可限量，支持一下。

yutao531315 · 发表于 2014-3-7 12:32

来支持下楼主真愁按键精灵破解的呢.

247605832 · 发表于 2014-3-7 12:38

如此吊的作品,怎能不支持

冥界3大法王 · 发表于 2014-3-7 12:39

好了，先吃饭，接下来，把我自己的那个也同样处理的象他那个
可以生成没有广告的小精灵，就OK了，
我那个除网址更底层，只留下一个编程时用到的例子网址。
先去吃饭了，回来写教程跟逆向心得，还有要贴图像说明最近进步很快，弄死好多共享软件。

飘舞的雪花 · 发表于 2014-3-7 12:54

谢谢楼主的分析。

lwdzb · 发表于 2014-3-7 14:33

谢谢楼主分享！学习了！！！

人气天子 · 发表于 2014-3-7 15:28

支持我看不懂

冥界3大法王 · 发表于 2014-3-7 22:32

第二部分：
20D4: 0F E9 :004020D4 /E9 53040000 jmp 0040252C
20D5: 8E 53
20D6: 52 04
20D7: 04 00
20D9: 00 90
－－－－－－－－－－－－－－－－－－－－－－－－－－－－
这是人家的修改的位置

我们可以搜索特征码：0F8E52040000

前3处的位置，实在是太特殊，位于PE头的位置，实在不好定位，在OD中也断不下，好像两个版本解压缩的代码差异性太——，所以暂时那个生成商业小精灵部分

目前不知思路是什么，人家是如何做到得到在此位置修改的结论？

1B8: 9F 92       :4001b8
1B9: D6 17

1EC: 30 BE       :4001EC                   0020BD2200
1ED: 06 02

2D8: 30 BE       :4002D8                   0020BD2200
2D9: 06 02

冥界3大法王 · 发表于 2014-3-7 22:52

00401C65 . /E9 53040000 jmp    004020BD                      ;  如果这里不跳的话，按键精灵可始做坏事，自动网络检测，自己给你拨号上网
00401C6A    |90          nop
00401C6B . |8B5C24 14    mov    ebx, dword ptr [esp+0x14]
00401C6F > |53          push ebx
00401C70 . |8BCD       mov    ecx, ebp
00401C72 . |E8 69660A00 call 004A82E0
00401C77 . |8B7424 10    mov    esi, dword ptr [esp+0x10]
00401C7B . |8B00       mov    eax, dword ptr [eax]
00401C7D > |8A10       mov    dl, byte ptr [eax]
00401C7F . |8ACA       mov    cl, dl
00401C81 . |3A16       cmp    dl, byte ptr [esi]
00401C83 . |75 1C       jnz    short 00401CA1
00401C85 . |84C9       test cl, cl
00401C87 . |74 14       je    short 00401C9D
00401C89 . |8A50 01    mov    dl, byte ptr [eax+0x1]
00401C8C . |8ACA       mov    cl, dl
00401C8E . |3A56 01    cmp    dl, byte ptr [esi+0x1]
00401C91 . |75 0E       jnz    short 00401CA1
00401C93 . |83C0 02    add    eax, 0x2
00401C96 . |83C6 02    add    esi, 0x2
00401C99 . |84C9       test cl, cl
00401C9B .^|75 E0       jnz    short 00401C7D
00401C9D > |33C0       xor    eax, eax
00401C9F . |EB 05       jmp    short 00401CA6
00401CA1 > |1BC0       sbb    eax, eax
00401CA3 . |83D8 FF    sbb    eax, -0x1
00401CA6 > |85C0       test eax, eax
00401CA8 . |0F85 FB030000 jnz    004020A9
00401CAE . |68 74468300 push 00834674                      ;  ASCII "begintime"
00401CB3 . |53          push ebx
00401CB4 . |8BCD       mov    ecx, ebp
00401CB6 . |E8 25660A00 call 004A82E0
00401CBB . |8BC8       mov    ecx, eax
00401CBD . |E8 8E650A00 call 004A8250
00401CC2 . |50          push eax
00401CC3 . |8D4C24 24    lea    ecx, dword ptr [esp+0x24]
00401CC7 . |E8 20501000 call <jmp.&MFC42.#CString::operator=_>
00401CCC . |8B7C24 20    mov    edi, dword ptr [esp+0x20]
00401CD0 . |BE A0C68400 mov    esi, 0084C6A0
00401CD5 . |8BC7       mov    eax, edi
00401CD7 > |8A10       mov    dl, byte ptr [eax]
00401CD9 . |8ACA       mov    cl, dl
00401CDB . |3A16       cmp    dl, byte ptr [esi]
00401CDD . |75 1C       jnz    short 00401CFB
00401CDF . |84C9       test cl, cl
00401CE1 . |74 14       je    short 00401CF7
00401CE3 . |8A50 01    mov    dl, byte ptr [eax+0x1]
00401CE6 . |8ACA       mov    cl, dl
00401CE8 . |3A56 01    cmp    dl, byte ptr [esi+0x1]
00401CEB . |75 0E       jnz    short 00401CFB
00401CED . |83C0 02    add    eax, 0x2
00401CF0 . |83C6 02    add    esi, 0x2
00401CF3 . |84C9       test cl, cl
00401CF5 .^|75 E0       jnz    short 00401CD7
00401CF7 > |33C0       xor    eax, eax
00401CF9 . |EB 05       jmp    short 00401D00
00401CFB > |1BC0       sbb    eax, eax
00401CFD . |83D8 FF    sbb    eax, -0x1
00401D00 > |85C0       test eax, eax
00401D02 . |74 5E       je    short 00401D62
00401D04 . |68 00040000 push 0x400
00401D09 . |6A 00       push 0x0
00401D0B . |57          push edi
00401D0C . |8D4C24 54    lea    ecx, dword ptr [esp+0x54]
00401D10 . |E8 D14F1000 call <jmp.&MFC42.#COleDateTime::Parse>
00401D15 . |6A FF       push -0x1
00401D17 . |8D4C24 4C    lea    ecx, dword ptr [esp+0x4C]
00401D1B . |E8 C04F1000 call <jmp.&MFC42.#COleDateTime::GetSe>
00401D20 . |50          push eax
00401D21 . |8D4C24 50    lea    ecx, dword ptr [esp+0x50]
00401D25 . |E8 B04F1000 call <jmp.&MFC42.#COleDateTime::GetMi>
00401D2A . |50          push eax
00401D2B . |8D4C24 54    lea    ecx, dword ptr [esp+0x54]
00401D2F . |E8 A04F1000 call <jmp.&MFC42.#COleDateTime::GetHo>
00401D34 . |50          push eax
00401D35 . |8D4C24 58    lea    ecx, dword ptr [esp+0x58]
00401D39 . |E8 904F1000 call <jmp.&MFC42.#COleDateTime::GetDa>
00401D3E . |50          push eax
00401D3F . |8D4C24 5C    lea    ecx, dword ptr [esp+0x5C]
00401D43 . |E8 804F1000 call <jmp.&MFC42.#COleDateTime::GetMo>
00401D48 . |50          push eax
00401D49 . |8D4C24 60    lea    ecx, dword ptr [esp+0x60]
00401D4D . |E8 704F1000 call <jmp.&MFC42.#COleDateTime::GetYe>
00401D52 . |50          push eax
00401D53 . |8D4C24 58    lea    ecx, dword ptr [esp+0x58]
00401D57 . |E8 604F1000 call <jmp.&MFC42.#CTime::CTime_551>
00401D5C . |8B00       mov    eax, dword ptr [eax]
00401D5E . |894424 30    mov    dword ptr [esp+0x30], eax
00401D62 > |68 6C468300 push 0083466C                      ;  ASCII "endtime"
00401D67 . |53          push ebx
00401D68 . |8BCD       mov    ecx, ebp
00401D6A . |E8 71650A00 call 004A82E0
00401D6F . |8BC8       mov    ecx, eax
00401D71 . |E8 DA640A00 call 004A8250
00401D76 . |50          push eax
00401D77 . |8D4C24 20    lea    ecx, dword ptr [esp+0x20]
00401D7B . |E8 6C4F1000 call <jmp.&MFC42.#CString::operator=_>
00401D80 . |8B7C24 1C    mov    edi, dword ptr [esp+0x1C]
00401D84 . |BE A0C68400 mov    esi, 0084C6A0
00401D89 . |8BC7       mov    eax, edi
00401D8B > |8A10       mov    dl, byte ptr [eax]
00401D8D . |8ACA       mov    cl, dl
00401D8F . |3A16       cmp    dl, byte ptr [esi]
00401D91 . |75 1C       jnz    short 00401DAF
00401D93 . |84C9       test cl, cl
00401D95 . |74 14       je    short 00401DAB
00401D97 . |8A50 01    mov    dl, byte ptr [eax+0x1]
00401D9A . |8ACA       mov    cl, dl
00401D9C . |3A56 01    cmp    dl, byte ptr [esi+0x1]
00401D9F . |75 0E       jnz    short 00401DAF
00401DA1 . |83C0 02    add    eax, 0x2
00401DA4 . |83C6 02    add    esi, 0x2
00401DA7 . |84C9       test cl, cl
00401DA9 .^|75 E0       jnz    short 00401D8B
00401DAB > |33C0       xor    eax, eax
00401DAD . |EB 05       jmp    short 00401DB4
00401DAF > |1BC0       sbb    eax, eax
00401DB1 . |83D8 FF    sbb    eax, -0x1
00401DB4 > |85C0       test eax, eax
00401DB6 . |74 62       je    short 00401E1A
00401DB8 . |68 00040000 push 0x400
00401DBD . |6A 00       push 0x0
00401DBF . |57          push edi
00401DC0 . |8D4C24 54    lea    ecx, dword ptr [esp+0x54]
00401DC4 . |E8 1D4F1000 call <jmp.&MFC42.#COleDateTime::Parse>
00401DC9 . |6A FF       push -0x1
00401DCB . |8D4C24 4C    lea    ecx, dword ptr [esp+0x4C]
00401DCF . |E8 0C4F1000 call <jmp.&MFC42.#COleDateTime::GetSe>
00401DD4 . |50          push eax
00401DD5 . |8D4C24 50    lea    ecx, dword ptr [esp+0x50]
00401DD9 . |E8 FC4E1000 call <jmp.&MFC42.#COleDateTime::GetMi>
00401DDE . |50          push eax
00401DDF . |8D4C24 54    lea    ecx, dword ptr [esp+0x54]
00401DE3 . |E8 EC4E1000 call <jmp.&MFC42.#COleDateTime::GetHo>
00401DE8 . |50          push eax
00401DE9 . |8D4C24 58    lea    ecx, dword ptr [esp+0x58]
00401DED . |E8 DC4E1000 call <jmp.&MFC42.#COleDateTime::GetDa>
00401DF2 . |50          push eax
00401DF3 . |8D4C24 5C    lea    ecx, dword ptr [esp+0x5C]
00401DF7 . |E8 CC4E1000 call <jmp.&MFC42.#COleDateTime::GetMo>
00401DFC . |50          push eax
00401DFD . |8D4C24 60    lea    ecx, dword ptr [esp+0x60]
00401E01 . |E8 BC4E1000 call <jmp.&MFC42.#COleDateTime::GetYe>
00401E06 . |50          push eax
00401E07 . |8D4C24 5C    lea    ecx, dword ptr [esp+0x5C]
00401E0B . |E8 AC4E1000 call <jmp.&MFC42.#CTime::CTime_551>
00401E10 . |8B00       mov    eax, dword ptr [eax]
00401E12 . |8B7C24 1C    mov    edi, dword ptr [esp+0x1C]
00401E16 . |894424 34    mov    dword ptr [esp+0x34], eax
00401E1A > |8B4424 20    mov    eax, dword ptr [esp+0x20]
00401E1E . |BE A0C68400 mov    esi, 0084C6A0
00401E23 > |8A10       mov    dl, byte ptr [eax]
00401E25 . |8ACA       mov    cl, dl
00401E27 . |3A16       cmp    dl, byte ptr [esi]
00401E29 . |75 1C       jnz    short 00401E47
00401E2B . |84C9       test cl, cl
00401E2D . |74 14       je    short 00401E43
00401E2F . |8A50 01    mov    dl, byte ptr [eax+0x1]
00401E32 . |8ACA       mov    cl, dl
00401E34 . |3A56 01    cmp    dl, byte ptr [esi+0x1]
00401E37 . |75 0E       jnz    short 00401E47
00401E39 . |83C0 02    add    eax, 0x2
00401E3C . |83C6 02    add    esi, 0x2
00401E3F . |84C9       test cl, cl
00401E41 .^|75 E0       jnz    short 00401E23
00401E43 > |33C0       xor    eax, eax
00401E45 . |EB 05       jmp    short 00401E4C
00401E47 > |1BC0       sbb    eax, eax
00401E49 . |83D8 FF    sbb    eax, -0x1
00401E4C > |85C0       test eax, eax
00401E4E . |74 70       je    short 00401EC0
00401E50 . |BE A0C68400 mov    esi, 0084C6A0
00401E55 . |8BC7       mov    eax, edi
00401E57 > |8A10       mov    dl, byte ptr [eax]
00401E59 . |8ACA       mov    cl, dl
00401E5B . |3A16       cmp    dl, byte ptr [esi]
00401E5D . |75 1C       jnz    short 00401E7B
00401E5F . |84C9       test cl, cl
00401E61 . |74 14       je    short 00401E77
00401E63 . |8A50 01    mov    dl, byte ptr [eax+0x1]
00401E66 . |8ACA       mov    cl, dl
00401E68 . |3A56 01    cmp    dl, byte ptr [esi+0x1]
00401E6B . |75 0E       jnz    short 00401E7B
00401E6D . |83C0 02    add    eax, 0x2
00401E70 . |83C6 02    add    esi, 0x2
00401E73 . |84C9       test cl, cl
00401E75 .^|75 E0       jnz    short 00401E57
00401E77 > |33C0       xor    eax, eax
00401E79 . |EB 05       jmp    short 00401E80
00401E7B > |1BC0       sbb    eax, eax
00401E7D . |83D8 FF    sbb    eax, -0x1
00401E80 > |85C0       test eax, eax
00401E82 . |74 3C       je    short 00401EC0
00401E84 . |51          push ecx
00401E85 . |8B4C24 38    mov    ecx, dword ptr [esp+0x38]
00401E89 . |8BC4       mov    eax, esp
00401E8B . |896424 3C    mov    dword ptr [esp+0x3C], esp
00401E8F . |8908       mov    dword ptr [eax], ecx
00401E91 . |8D4C24 28    lea    ecx, dword ptr [esp+0x28]
00401E95 . |E8 E6190000 call 00403880
00401E9A . |85C0       test eax, eax
00401E9C . |0F85 07020000 jnz    004020A9
00401EA2 . |8B5424 30    mov    edx, dword ptr [esp+0x30]
00401EA6 . |51          push ecx
00401EA7 . |8BC4       mov    eax, esp
00401EA9 . |8D4C24 28    lea    ecx, dword ptr [esp+0x28]
00401EAD . |896424 3C    mov    dword ptr [esp+0x3C], esp
00401EB1 . |8910       mov    dword ptr [eax], edx
00401EB3 . |E8 B8190000 call 00403870
00401EB8 . |85C0       test eax, eax
00401EBA . |0F85 E9010000 jnz    004020A9
00401EC0 > |8B4424 14    mov    eax, dword ptr [esp+0x14]
00401EC4 . |8BCD       mov    ecx, ebp
00401EC6 . |50          push eax
00401EC7 . |E8 14640A00 call 004A82E0
00401ECC . |8B4C24 64    mov    ecx, dword ptr [esp+0x64]
00401ED0 . |894424 18    mov    dword ptr [esp+0x18], eax
00401ED4 . |8B71 10    mov    esi, dword ptr [ecx+0x10]
00401ED7 . |8B51 14    mov    edx, dword ptr [ecx+0x14]
00401EDA . |8D59 08    lea    ebx, dword ptr [ecx+0x8]
00401EDD . |2BD6       sub    edx, esi
00401EDF . |C1FA 02    sar    edx, 0x2
00401EE2 . |83FA 01    cmp    edx, 0x1
00401EE5 . |8BFE       mov    edi, esi
00401EE7 . |0F83 EF000000 jnb    00401FDC
00401EED . |8B4B 04    mov    ecx, dword ptr [ebx+0x4]
00401EF0 . |85C9       test ecx, ecx
00401EF2 . |74 0C       je    short 00401F00
00401EF4 . |8BC6       mov    eax, esi
00401EF6 . |2BC1       sub    eax, ecx
00401EF8 . |C1F8 02    sar    eax, 0x2
00401EFB . |83F8 01    cmp    eax, 0x1
00401EFE . |77 05       ja    short 00401F05
00401F00 > |B8 01000000 mov    eax, 0x1
00401F05 > |85C9       test ecx, ecx
00401F07 . |75 04       jnz    short 00401F0D
00401F09 . |33F6       xor    esi, esi
00401F0B . |EB 05       jmp    short 00401F12
00401F0D > |2BF1       sub    esi, ecx
00401F0F . |C1FE 02    sar    esi, 0x2
00401F12 > |03C6       add    eax, esi
00401F14 . |85C0       test eax, eax
00401F16 . |894424 38    mov    dword ptr [esp+0x38], eax
00401F1A . |7D 02       jge    short 00401F1E
00401F1C . |33C0       xor    eax, eax
00401F1E > |C1E0 02    shl    eax, 0x2
00401F21 . |50          push eax
00401F22 . |E8 414D1000 call <jmp.&MFC42.#operator new_823>
00401F27 . |8B73 04    mov    esi, dword ptr [ebx+0x4]
00401F2A . |83C4 04    add    esp, 0x4
00401F2D . |3BF7       cmp    esi, edi
00401F2F . |894424 2C    mov    dword ptr [esp+0x2C], eax
00401F33 . |8BE8       mov    ebp, eax
00401F35 . |74 14       je    short 00401F4B
00401F37 > |56          push esi
00401F38 . |55          push ebp
00401F39 . |E8 C2F60A00 call 004B1600
00401F3E . |83C6 04    add    esi, 0x4
00401F41 . |83C4 08    add    esp, 0x8
00401F44 . |83C5 04    add    ebp, 0x4
00401F47 . |3BF7       cmp    esi, edi
00401F49 .^|75 EC       jnz    short 00401F37
00401F4B > |8D4C24 18    lea    ecx, dword ptr [esp+0x18]
00401F4F . |51          push ecx
00401F50 . |55          push ebp
00401F51 . |E8 AAF60A00 call 004B1600
00401F56 . |8B5424 6C    mov    edx, dword ptr [esp+0x6C]
00401F5A . |83C4 08    add    esp, 0x8
00401F5D . |8BF7       mov    esi, edi
00401F5F . |8B5A 10    mov    ebx, dword ptr [edx+0x10]
00401F62 . |8D42 08    lea    eax, dword ptr [edx+0x8]
00401F65 . |3BFB       cmp    edi, ebx
00401F67 . |74 17       je    short 00401F80
00401F69 . |8D7D 04    lea    edi, dword ptr [ebp+0x4]
00401F6C > |56          push esi
00401F6D . |57          push edi
00401F6E . |E8 8DF60A00 call 004B1600
00401F73 . |83C6 04    add    esi, 0x4
00401F76 . |83C4 08    add    esp, 0x8
00401F79 . |83C7 04    add    edi, 0x4
00401F7C . |3BF3       cmp    esi, ebx
00401F7E .^|75 EC       jnz    short 00401F6C
00401F80 > |8B4424 64    mov    eax, dword ptr [esp+0x64]
00401F84 . |8D70 08    lea    esi, dword ptr [eax+0x8]
00401F87 . |8B40 0C    mov    eax, dword ptr [eax+0xC]
00401F8A . |50          push eax
00401F8B . |894424 48    mov    dword ptr [esp+0x48], eax
00401F8F . |E8 C84C1000 call <jmp.&MFC42.#operator delete_825>
00401F94 . |8B4C24 30    mov    ecx, dword ptr [esp+0x30]
00401F98 . |8B5424 3C    mov    edx, dword ptr [esp+0x3C]
00401F9C . |83C4 04    add    esp, 0x4
00401F9F . |8D0491       lea    eax, dword ptr [ecx+edx*4]
00401FA2 . |8B56 04    mov    edx, dword ptr [esi+0x4]
00401FA5 . |85D2       test edx, edx
00401FA7 . |8946 0C    mov    dword ptr [esi+0xC], eax
00401FAA . |75 15       jnz    short 00401FC1
00401FAC . |8B6C24 28    mov    ebp, dword ptr [esp+0x28]
00401FB0 . |33C0       xor    eax, eax
00401FB2 . |894E 04    mov    dword ptr [esi+0x4], ecx
00401FB5 . |8D5481 04    lea    edx, dword ptr [ecx+eax*4+0x4]
00401FB9 . |8956 08    mov    dword ptr [esi+0x8], edx
00401FBC . |E9 E4000000 jmp    004020A5
00401FC1 > |8B46 08    mov    eax, dword ptr [esi+0x8]
00401FC4 . |8B6C24 28    mov    ebp, dword ptr [esp+0x28]
00401FC8 . |2BC2       sub    eax, edx
00401FCA . |894E 04    mov    dword ptr [esi+0x4], ecx
00401FCD . |C1F8 02    sar    eax, 0x2
00401FD0 . |8D5481 04    lea    edx, dword ptr [ecx+eax*4+0x4]
00401FD4 . |8956 08    mov    dword ptr [esi+0x8], edx
00401FD7 . |E9 C9000000 jmp    004020A5
00401FDC > |8BC6       mov    eax, esi
00401FDE . |2BC7       sub    eax, edi
00401FE0 . |C1F8 02    sar    eax, 0x2
00401FE3 . |83F8 01    cmp    eax, 0x1
00401FE6 . |73 72       jnb    short 0040205A
00401FE8 . |3BFE       cmp    edi, esi
00401FEA . |8BC7       mov    eax, edi
00401FEC . |74 13       je    short 00402001
00401FEE > |8D68 04    lea    ebp, dword ptr [eax+0x4]
00401FF1 . |50          push eax
00401FF2 . |55          push ebp
00401FF3 . |E8 08F60A00 call 004B1600
00401FF8 . |8BC5       mov    eax, ebp
00401FFA . |83C4 08    add    esp, 0x8
00401FFD . |3BC6       cmp    eax, esi
00401FFF .^|75 ED       jnz    short 00401FEE
00402001 > |8B6C24 64    mov    ebp, dword ptr [esp+0x64]
00402005 . |B8 01000000 mov    eax, 0x1
0040200A . |8B4D 10    mov    ecx, dword ptr [ebp+0x10]
0040200D . |8BD1       mov    edx, ecx
0040200F . |8BF1       mov    esi, ecx
00402011 . |2BD7       sub    edx, edi
00402013 . |C1FA 02    sar    edx, 0x2
00402016 . |2BC2       sub    eax, edx
00402018 . |74 16       je    short 00402030
0040201A . |8BD8       mov    ebx, eax
0040201C > |8D4424 18    lea    eax, dword ptr [esp+0x18]
00402020 . |50          push eax
00402021 . |56          push esi
00402022 . |E8 D9F50A00 call 004B1600
00402027 . |83C4 08    add    esp, 0x8
0040202A . |83C6 04    add    esi, 0x4
0040202D . |4B          dec    ebx
0040202E .^|75 EC       jnz    short 0040201C
00402030 > |8B4D 10    mov    ecx, dword ptr [ebp+0x10]
00402033 . |8D45 08    lea    eax, dword ptr [ebp+0x8]
00402036 . |3BF9       cmp    edi, ecx
00402038 . |8BC7       mov    eax, edi
0040203A . |74 0D       je    short 00402049
0040203C > |8B5424 18    mov    edx, dword ptr [esp+0x18]
00402040 . |8910       mov    dword ptr [eax], edx
00402042 . |83C0 04    add    eax, 0x4
00402045 . |3BC1       cmp    eax, ecx
00402047 .^|75 F3       jnz    short 0040203C
00402049 > |8B4424 64    mov    eax, dword ptr [esp+0x64]
0040204D . |8B6C24 28    mov    ebp, dword ptr [esp+0x28]
00402051 . |83C0 08    add    eax, 0x8
00402054 . |8340 08 04 add    dword ptr [eax+0x8], 0x4
00402058 . |EB 4B       jmp    short 004020A5
0040205A > |8D46 FC    lea    eax, dword ptr [esi-0x4]
0040205D . |56          push esi
0040205E . |56          push esi
0040205F . |50          push eax
00402060 . |8BCB       mov    ecx, ebx
00402062 . |894424 50    mov    dword ptr [esp+0x50], eax
00402066 . |E8 85190000 call 004039F0
0040206B . |8B4B 08    mov    ecx, dword ptr [ebx+0x8]
0040206E . |8D41 FC    lea    eax, dword ptr [ecx-0x4]
00402071 . |3BF8       cmp    edi, eax
00402073 . |74 0F       je    short 00402084
00402075 > |8B50 FC    mov    edx, dword ptr [eax-0x4]
00402078 . |83E8 04    sub    eax, 0x4
0040207B . |83E9 04    sub    ecx, 0x4
0040207E . |3BC7       cmp    eax, edi
00402080 . |8911       mov    dword ptr [ecx], edx
00402082 .^|75 F1       jnz    short 00402075
00402084 > |8D4F 04    lea    ecx, dword ptr [edi+0x4]
00402087 . |8BC7       mov    eax, edi
00402089 . |3BF9       cmp    edi, ecx
0040208B . |74 0D       je    short 0040209A
0040208D > |8B5424 18    mov    edx, dword ptr [esp+0x18]
00402091 . |8910       mov    dword ptr [eax], edx
00402093 . |83C0 04    add    eax, 0x4
00402096 . |3BC1       cmp    eax, ecx
00402098 .^|75 F3       jnz    short 0040208D
0040209A > |8B4424 64    mov    eax, dword ptr [esp+0x64]
0040209E . |83C0 08    add    eax, 0x8
004020A1 . |8340 08 04 add    dword ptr [eax+0x8], 0x4
004020A5 > |8B5C24 14    mov    ebx, dword ptr [esp+0x14]
004020A9 > |43          inc    ebx
004020AA . |8BCD       mov    ecx, ebp
004020AC . |895C24 14    mov    dword ptr [esp+0x14], ebx
004020B0 . |90          nop
004020B1 . |90          nop
004020B2 . |90          nop
004020B3 . |90          nop
004020B4 . |90          nop
004020B5 . |3BD8       cmp    ebx, eax
004020B7 .^|0F8C B2FBFFFF jl    00401C6F
004020BD > \8B4C24 64    mov    ecx, dword ptr [esp+0x64]

看到上面的拨号的API原形了没有？
这就是困扰了很多天没有跟到的地方~~
原来如此啊~~~

帐号		自动登录	找回密码
密码			注册[Register]

[原创] 从逆向作品的结论出发，再逆向再研究：

免费评分

点评