This post was last edited by 潇未然 on 2019-6-6 22:36.

Search for A5A5.
2. Trace to 00AC6916. From the start of that segment there are 14 call sites; look at the second to last one: 00AC66DF.
3. From 00AC66DF go up to the start of the segment; there are 5 call sites:

00AC66AF  $  53               push ebx                          ; <=== 5 call sites here, this is the last one
00AC66B0  .  BB 90030E01      mov ebx,UClient.010E0390
00AC66B5  .  52               push edx
00AC66B6  .  51               push ecx
00AC66B7  .  B8 7C5CAC00      mov eax,UClient.00AC5C7C
00AC66BC  .  8903             mov dword ptr ds:[ebx],eax
00AC66BE  .  51               push ecx
00AC66BF  .  31C9             xor ecx,ecx
00AC66C1  .  E3 01            jecxz short UClient.00AC66C4
00AC66C3  .  98               cwde
00AC66C4  >  59               pop ecx
00AC66C5  .  C743 08 64000>   mov dword ptr ds:[ebx+8],64
00AC66CC  .  79 03            jns short UClient.00AC66D1
00AC66CE  .  78 01            js short UClient.00AC66D1
00AC66D0     76               db 76                             ; CHAR 'v'
00AC66D1  .  B8 3961AC00      mov eax,UClient.00AC6139
00AC66D6  .  8943 04          mov dword ptr ds:[ebx+4],eax
00AC66D9  .  FF73 08          push dword ptr ds:[ebx+8]
00AC66DC  .  50               push eax
00AC66DD  .  FF33             push dword ptr ds:[ebx]
00AC66DF  .  E8 1C020000      call UClient.00AC6900
4. Jump to the call site and look downward for the special strings.

00AAD304  $  55               push ebp
00AAD305  .  8BEC             mov ebp,esp
00AAD307  .  83C4 D0          add esp,-30
00AAD30A  .  53               push ebx
00AAD30B  .  56               push esi
00AAD30C  .  57               push edi
00AAD30D  .  33C0             xor eax,eax
00AAD30F  .  8945 D0          mov dword ptr ss:[ebp-30],eax
00AAD312  .  8945 F8          mov dword ptr ss:[ebp-8],eax
00AAD315  .  8945 F4          mov dword ptr ss:[ebp-C],eax
00AAD318  .  BE C04F1001      mov esi,UClient.01104FC0
00AAD31D  .  33C0             xor eax,eax
00AAD31F  .  55               push ebp
00AAD320  .  68 D2D4AA00      push UClient.00AAD4D2
00AAD325  .  64:FF30          push dword ptr fs:[eax]
00AAD328  .  64:8920          mov dword ptr fs:[eax],esp
00AAD32B  .  C745 FC FFFFF>   mov dword ptr ss:[ebp-4],-1
00AAD332  .  33C0             xor eax,eax
00AAD334  .  A3 E44F1001      mov dword ptr ds:[1104FE4],eax
00AAD339  .  33C0             xor eax,eax
00AAD33B  .  A3 F04F1001      mov dword ptr ds:[1104FF0],eax
00AAD340  .  E8 6A930100      call UClient.00AC66AF             ; the call is here
00AAD345  .  8906             mov dword ptr ds:[esi],eax
00AAD347  .  33DB             xor ebx,ebx
00AAD349  >  E8 E66095FF      call UClient.00403434
00AAD34E  .  B8 E8030000      mov eax,3E8
00AAD353  .  E8 886795FF      call UClient.00403AE0
00AAD358  .  B9 03000000      mov ecx,3
00AAD35D  .  99               cdq
00AAD35E  .  F7F9             idiv ecx
00AAD360  .  85D2             test edx,edx
00AAD362  .  75 09            jnz short UClient.00AAD36D
00AAD364  .  8BC3             mov eax,ebx
00AAD366  .  F7EB             imul ebx
00AAD368  .  83C0 7A          add eax,7A
00AAD36B  .  8906             mov dword ptr ds:[esi],eax
00AAD36D  >  43               inc ebx
00AAD36E  .  81FB E9030000    cmp ebx,3E9
00AAD374  .^ 75 D3            jnz short UClient.00AAD349
00AAD376  .  E8 FD910100      call UClient.00AC6578
00AAD37B  .  8906             mov dword ptr ds:[esi],eax
00AAD37D  .  33C0             xor eax,eax
00AAD37F  .  55               push ebp
00AAD380  .  68 D1D3AA00      push UClient.00AAD3D1
00AAD385  .  64:FF30          push dword ptr fs:[eax]
00AAD388  .  64:8920          mov dword ptr fs:[eax],esp
00AAD38B  .  B8 65000000      mov eax,65
00AAD390  .  2B06             sub eax,dword ptr ds:[esi]
00AAD392  .  50               push eax
00AAD393  .  8D45 F8          lea eax,dword ptr ss:[ebp-8]
00AAD396  .  B9 01000000      mov ecx,1
00AAD39B  .  8B15 E0D2AA00    mov edx,dword ptr ds:[AAD2E0]    ; UClient.00AAD2E4
00AAD3A1  .  E8 1A9E95FF      call UClient.004071C0
00AAD3A6  .  83C4 04          add esp,4
00AAD3A9  .  B8 65000000      mov eax,65
00AAD3AE  .  2B06             sub eax,dword ptr ds:[esi]
00AAD3B0  .  50               push eax
00AAD3B1  .  8D45 F4          lea eax,dword ptr ss:[ebp-C]
00AAD3B4  .  B9 01000000      mov ecx,1
00AAD3B9  .  8B15 E0D2AA00    mov edx,dword ptr ds:[AAD2E0]    ; UClient.00AAD2E4
00AAD3BF  .  E8 FC9D95FF      call UClient.004071C0
00AAD3C4  .  83C4 04          add esp,4
00AAD3C7  .  33C0             xor eax,eax
00AAD3C9  .  5A               pop edx
00AAD3CA  .  59               pop ecx
00AAD3CB  .  59               pop ecx
00AAD3CC  .  64:8910          mov dword ptr fs:[eax],edx
00AAD3CF  .  EB 14            jmp short UClient.00AAD3E5
00AAD3D1  .^ E9 0A7A95FF      jmp UClient.00404DE0
00AAD3D6  .  E8 317E95FF      call UClient.0040520C
00AAD3DB  .  E9 C9000000      jmp UClient.00AAD4A9
00AAD3E0  .  E8 277E95FF      call UClient.0040520C
00AAD3E5  >  47               inc edi
00AAD3E6  .  0F84 BD000000    je UClient.00AAD4A9
00AAD3EC  .  33DB             xor ebx,ebx
00AAD3EE  >  8B45 F8          mov eax,dword ptr ss:[ebp-8]
00AAD3F1  .  8B16             mov edx,dword ptr ds:[esi]
00AAD3F3  .  891498           mov dword ptr ds:[eax+ebx*4],edx
00AAD3F6  .  43               inc ebx
00AAD3F7  .  83FB 65          cmp ebx,65
00AAD3FA  .^ 75 F2            jnz short UClient.00AAD3EE
00AAD3FC  .  33DB             xor ebx,ebx
00AAD3FE  >  8B45 F8          mov eax,dword ptr ss:[ebp-8]
00AAD401  .  8B0498           mov eax,dword ptr ds:[eax+ebx*4]
00AAD404  .  8B55 F4          mov edx,dword ptr ss:[ebp-C]
00AAD407  .  89049A           mov dword ptr ds:[edx+ebx*4],eax
00AAD40A  .  43               inc ebx
00AAD40B  .  83FB 65          cmp ebx,65
00AAD40E  .^ 75 EE            jnz short UClient.00AAD3FE
00AAD410  .  833E 00          cmp dword ptr ds:[esi],0
00AAD413  .  0F85 90000000    jnz UClient.00AAD4A9
00AAD419  .  8B45 F4          mov eax,dword ptr ss:[ebp-C]
00AAD41C  .  83B8 90010000>   cmp dword ptr ds:[eax+190],0
00AAD423  .  0F85 80000000    jnz UClient.00AAD4A9
00AAD429  .  8D45 D6          lea eax,dword ptr ss:[ebp-2A]
00AAD42C  .  A3 F84F1001      mov dword ptr ds:[1104FF8],eax    ; <===== note this string, it is a key string
00AAD431  .  C645 D5 08       mov byte ptr ss:[ebp-2B],8
00AAD435  .  C705 EC4F1001>   mov dword ptr ds:[1104FEC],8
00AAD43F  .  33C0             xor eax,eax
00AAD441  .  A3 E84F1001      mov dword ptr ds:[1104FE8],eax    ; <===== note this string, it is a key string
00AAD446  .  33DB             xor ebx,ebx
00AAD448  >  E8 E75F95FF      call UClient.00403434
00AAD44D  .  B8 E8030000      mov eax,3E8
00AAD452  .  E8 896695FF      call UClient.00403AE0
00AAD457  .  B9 03000000      mov ecx,3
00AAD45C  .  99               cdq
00AAD45D  .  F7F9             idiv ecx
00AAD45F  .  85D2             test edx,edx
00AAD461  .  75 09            jnz short UClient.00AAD46C
00AAD463  .  8BC3             mov eax,ebx
00AAD465  .  F7EB             imul ebx
00AAD467  .  83C0 7A          add eax,7A
00AAD46A  .  8906             mov dword ptr ds:[esi],eax
00AAD46C  >  43               inc ebx
00AAD46D  .  81FB E9030000    cmp ebx,3E9
00AAD473  .^ 75 D3            jnz short UClient.00AAD448
00AAD475  .  E8 3F910100      call UClient.00AC65B9
00AAD47A  .  8906             mov dword ptr ds:[esi],eax
00AAD47C  .  8D45 D0          lea eax,dword ptr ss:[ebp-30]
00AAD47F  .  8D55 D5          lea edx,dword ptr ss:[ebp-2B]
00AAD482  .  E8 198695FF      call UClient.00405AA0
00AAD487  .  8B45 D0          mov eax,dword ptr ss:[ebp-30]
00AAD48A  .  8B15 A0330E01    mov edx,dword ptr ds:[10E33A0]    ; UClient.010EBAEC
00AAD490  .  8B12             mov edx,dword ptr ds:[edx]
00AAD492  .  E8 C5F695FF      call UClient.0040CB5C
00AAD497  .  84C0             test al,al
00AAD499  .  74 07            je short UClient.00AAD4A2
00AAD49B  .  33C0             xor eax,eax
00AAD49D  .  8945 FC          mov dword ptr ss:[ebp-4],eax
00AAD4A0  .  EB 07            jmp short UClient.00AAD4A9
00AAD4A2  >  C745 FC FEFFF>   mov dword ptr ss:[ebp-4],-2
00AAD4A9  >  33C0             xor eax,eax
00AAD4AB  .  5A               pop edx
00AAD4AC  .  59               pop ecx
00AAD4AD  .  59               pop ecx
00AAD4AE  .  64:8910          mov dword ptr fs:[eax],edx
00AAD4B1  .  68 D9D4AA00      push UClient.00AAD4D9
00AAD4B6  >  8D45 D0          lea eax,dword ptr ss:[ebp-30]
00AAD4B9  .  E8 7E8395FF      call UClient.0040583C
00AAD4BE  .  8D45 F4          lea eax,dword ptr ss:[ebp-C]
00AAD4C1  .  8B15 E0D2AA00    mov edx,dword ptr ds:[AAD2E0]    ; UClient.00AAD2E4
00AAD4C7  .  B9 02000000      mov ecx,2
00AAD4CC  .  E8 F79195FF      call UClient.004066C8
00AAD4D1  .  C3               retn
00AAD4D2  .^ E9 BD7B95FF      jmp UClient.00405094
00AAD4D7  .^ EB DD            jmp short UClient.00AAD4B6
00AAD4D9  .  8B45 FC          mov eax,dword ptr ss:[ebp-4]
00AAD4DC  .  5F               pop edi
00AAD4DD  .  5E               pop esi
00AAD4DE  .  5B               pop ebx
00AAD4DF  .  8BE5             mov esp,ebp
00AAD4E1  .  5D               pop ebp
00AAD4E2  .  C3               retn

Go back to the A5A5 code location and write the binary soft dongle (软狗) there:
8A 44 24 04 3C 64 75 03 33 C0 C3 3C 01 75 03 33 C0 C3 A1 F8 4F 10 01 8B 0D E8 4F 10 01 80 F9 00 75 17 C7 00 33 30 38 30 C7 40 04 30 30 31 30 C7 40 08 39 36 00 00 33 C0 C3 80 F9 28 75 09 C7 00 01 00 00 00 33 C0 C3 80 F9 2C 75 09 C7 00 9C FF FF FF 33 C0 C3 80 F9 C2 75 09 66 C7 00 54 52 90 33 C0 C3 80 F9 91 75 09 66 C7 00 D8 65 90 33 C0 C3 80 F9 93 75 09 66 C7 00 BF 05 90 33 C0 C3 80 F9 97 75 17 C7 00 32 30 31 32 C7 40 04 2D 30 31 2D C7 40 08 31 35 00 00 33 C0 C3 80 F9 47 75 3A C7 00 C8 CA BA CD C7 40 04 BB DD C3 F1 C7 40 08 D2 A9 B7 BF C7 40 0C 00 00 00 00 C7 40 10 00 00 00 00 C7 40 14 00 00 00 00 C7 40 18 00 00 00 00 C7 40 1C 00 00 00 00 33 C0 C3 80 F9 8D 75 09 66 C7 00 32 32 90 33 C0 C3 80 F9 A1 75 17 C7 00 32 30 31 32 C7 40 04 2D 30 31 2D C7 40 08 31 36 00 00 33 C0 C3 80 F9 B5 75 14 C7 00 31 34 32 31 C7 40 04 35 38 35 36 C7 40 08 36 39 37 32 33 C0 C3 33 C0
00AC49B2   8A4424 04        mov al,byte ptr ss:[esp+4]
00AC49B6   3C 64            cmp al,64
00AC49B8   75 03            jnz short UClient.00AC49BD
00AC49BA   33C0             xor eax,eax
00AC49BC   C3               retn
00AC49BD   3C 01            cmp al,1
00AC49BF   75 03            jnz short UClient.00AC49C4
00AC49C1   33C0             xor eax,eax
00AC49C3   C3               retn
00AC49C4   A1 F84F1001      mov eax,dword ptr ds:[1104FF8]
00AC49C9   8B0D E84F1001    mov ecx,dword ptr ds:[1104FE8]
00AC49CF   80F9 00          cmp cl,0
00AC49D2   75 17            jnz short UClient.00AC49EB
00AC49D4   C700 33303830    mov dword ptr ds:[eax],30383033
00AC49DA   C740 04 30303>   mov dword ptr ds:[eax+4],30313030
00AC49E1   C740 08 39360>   mov dword ptr ds:[eax+8],3639
00AC49E8   33C0             xor eax,eax
00AC49EA   C3               retn
00AC49EB   80F9 28          cmp cl,28
00AC49EE   75 09            jnz short UClient.00AC49F9
00AC49F0   C700 01000000    mov dword ptr ds:[eax],1
00AC49F6   33C0             xor eax,eax
00AC49F8   C3               retn
00AC49F9   80F9 2C          cmp cl,2C
00AC49FC   75 09            jnz short UClient.00AC4A07
00AC49FE   C700 9CFFFFFF    mov dword ptr ds:[eax],-64
00AC4A04   33C0             xor eax,eax
00AC4A06   C3               retn
00AC4A07   80F9 C2          cmp cl,0C2
00AC4A0A   75 09            jnz short UClient.00AC4A15
00AC4A0C   66:C700 5452     mov word ptr ds:[eax],5254
00AC4A11   90               nop
00AC4A12   33C0             xor eax,eax
00AC4A14   C3               retn
00AC4A15   80F9 91          cmp cl,91
00AC4A18   75 09            jnz short UClient.00AC4A23
00AC4A1A   66:C700 D865     mov word ptr ds:[eax],65D8
00AC4A1F   90               nop
00AC4A20   33C0             xor eax,eax
00AC4A22   C3               retn
00AC4A23   80F9 93          cmp cl,93
00AC4A26   75 09            jnz short UClient.00AC4A31
00AC4A28   66:C700 BF05     mov word ptr ds:[eax],5BF
00AC4A2D   90               nop
00AC4A2E   33C0             xor eax,eax
00AC4A30   C3               retn
00AC4A31   80F9 97          cmp cl,97
00AC4A34   75 17            jnz short UClient.00AC4A4D
00AC4A36   C700 32303132    mov dword ptr ds:[eax],32313032
00AC4A3C   C740 04 2D303>   mov dword ptr ds:[eax+4],2D31302D
00AC4A43   C740 08 31350>   mov dword ptr ds:[eax+8],3531
00AC4A4A   33C0             xor eax,eax
00AC4A4C   C3               retn
00AC4A4D   80F9 47          cmp cl,47
00AC4A50   75 3A            jnz short UClient.00AC4A8C
00AC4A52   C700 C8CABACD    mov dword ptr ds:[eax],CDBACAC8
00AC4A58   C740 04 BBDDC>   mov dword ptr ds:[eax+4],F1C3DDBB
00AC4A5F   C740 08 D2A9B>   mov dword ptr ds:[eax+8],BFB7A9D2
00AC4A66   C740 0C 00000>   mov dword ptr ds:[eax+C],0        ; Case 0 of switch 00AC4A51
00AC4A6D   C740 10 00000>   mov dword ptr ds:[eax+10],0
00AC4A74   C740 14 00000>   mov dword ptr ds:[eax+14],0       ; Case 10 of switch 00AC4A51
00AC4A7B   C740 18 00000>   mov dword ptr ds:[eax+18],0
00AC4A82   C740 1C 00000>   mov dword ptr ds:[eax+1C],0
00AC4A89   33C0             xor eax,eax
00AC4A8B   C3               retn
00AC4A8C   80F9 8D          cmp cl,8D
00AC4A8F   75 09            jnz short UClient.00AC4A9A
00AC4A91   66:C700 3232     mov word ptr ds:[eax],3232
00AC4A96   90               nop
00AC4A97   33C0             xor eax,eax
00AC4A99   C3               retn
00AC4A9A   80F9 A1          cmp cl,0A1
00AC4A9D   75 17            jnz short UClient.00AC4AB6
00AC4A9F   C700 32303132    mov dword ptr ds:[eax],32313032
00AC4AA5   C740 04 2D303>   mov dword ptr ds:[eax+4],2D31302D
00AC4AAC   C740 08 31360>   mov dword ptr ds:[eax+8],3631
00AC4AB3   33C0             xor eax,eax
00AC4AB5   C3               retn
00AC4AB6   80F9 B5          cmp cl,0B5
00AC4AB9   75 14            jnz short UClient.00AC4ACF
00AC4ABB   C700 31343231    mov dword ptr ds:[eax],31323431
00AC4AC1   C740 04 35383>   mov dword ptr ds:[eax+4],36353835
00AC4AC8   C740 08 36393>   mov dword ptr ds:[eax+8],32373936
00AC4ACF   33C0             xor eax,eax
00AC4AD1   C3               retn
00AC4AD2   33C0             xor eax,eax
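The routine above answers every command byte in cl with a fixed constant written to the buffer at [1104FF8], which is why it can stand in for the device at all: the program never asks the dongle anything whose answer it could not predict in advance. The following Python model, added here as an editor's example and not code from the post or from the program it analyses, contrasts that design with a challenge-response check. All command bytes, reply values and the key are constructed samples; `static_check`, `challenge_response_check` and `replaying_query` are hypothetical names for the two verifier styles and for the failure mode (a recorded answer table) that defeats the weak one.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not the program's: a "static" device answers each
# command byte with a fixed reply, the same shape as the
# cmp cl,XX / mov [eax],CONST / retn chain in the listing above.
STATIC_REPLIES = {
    0x00: b"0000000001",              # e.g. a serial number
    0x28: (1).to_bytes(4, "little"),  # e.g. a "licensed" flag
    0x97: b"2000-01-01",              # e.g. an expiry date
}


def static_device(cmd: int) -> bytes:
    """Model of a dongle whose reply depends only on the command byte."""
    return STATIC_REPLIES.get(cmd, b"")


def static_check(query) -> bool:
    """Weak verifier: compares replies against expected constants, so anything
    that reproduces the same table passes, whether it is the device or not."""
    return (query(0x28) == (1).to_bytes(4, "little")
            and query(0x97) == b"2000-01-01")


def keyed_device(key: bytes):
    """Hardened model: the device keeps a key and MACs (command || nonce)."""
    def query(cmd: int, nonce: bytes) -> bytes:
        return hmac.new(key, bytes([cmd]) + nonce, hashlib.sha256).digest()
    return query


def challenge_response_check(query, key: bytes, nonce: bytes = None) -> bool:
    """Verifier that only accepts a MAC over a nonce it chose for this call."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    expected = hmac.new(key, bytes([0x97]) + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(query(0x97, nonce), expected)


def replaying_query(live_query):
    """Failure-mode model: a proxy that records one reply per command and then
    returns it for every later request, ignoring the nonce. This is what a
    static answer table amounts to when the protocol does carry a nonce."""
    cache = {}

    def query(cmd: int, nonce: bytes) -> bytes:
        if cmd not in cache:
            cache[cmd] = live_query(cmd, nonce)
        return cache[cmd]
    return query


if __name__ == "__main__":
    # The weak check cannot tell the device from a copy of its answer table.
    print("static check, real device :", static_check(static_device))
    print("static check, answer table:", static_check(lambda c: dict(STATIC_REPLIES).get(c, b"")))

    key = secrets.token_bytes(32)   # constructed; would live inside the device
    device = keyed_device(key)
    proxy = replaying_query(device)
    print("challenge check, device   :", challenge_response_check(device, key))
    print("challenge check, replay #1:", challenge_response_check(proxy, key))  # forwarded live
    print("challenge check, replay #2:", challenge_response_check(proxy, key))  # stale MAC, rejected
```

The symmetric HMAC form is only meant to show the freshness property: a deployable design has the device sign the nonce and leaves only a public key in the application, and the verification routine itself still needs tamper protection, since replacing the check with an unconditional success (as the later part of this post does) bypasses any protocol.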
Search for the keyword "本功能需要单独付费购买注册后才可使用" (this feature requires a separate paid purchase and registration before it can be used), then go to the start of the segment.

00AFAAD8      55               push ebp                          => mov al,1
00AFAAD9      8BEC             mov ebp,esp                       => retn
00AFAADB  |.  83C4 F0          add esp,-10
00AFAADE  |.  53               push ebx
00AFAADF  |.  56               push esi
00AFAAE0  |.  57               push edi
00AFAAE1  |.  8BF0             mov esi,eax
00AFAAE3  |.  8D7D F0          lea edi,[local.4]
00AFAAE6  |.  A5               movs dword ptr es:[edi],dword ptr ds:[esi]
00AFAAE7  |.  A5               movs dword ptr es:[edi],dword ptr ds:[esi]
00AFAAE8  |.  A5               movs dword ptr es:[edi],dword ptr ds:[esi]
00AFAAE9  |.  A5               movs dword ptr es:[edi],dword ptr ds:[esi]
00AFAAEA  |.  8D45 F0          lea eax,[local.4]
00AFAAED  |.  E8 DA3392FF      call UClient.0041DECC
00AFAAF2  |.  33C0             xor eax,eax
00AFAAF4  |.  55               push ebp
00AFAAF5  |.  68 ADABAF00      push UClient.00AFABAD
00AFAAFA  |.  64:FF30          push dword ptr fs:[eax]
00AFAAFD  |.  64:8920          mov dword ptr fs:[eax],esp
00AFAB00  |.  33DB             xor ebx,ebx
00AFAB02  |.  33D2             xor edx,edx
00AFAB04  |.  8D45 F0          lea eax,[local.4]
00AFAB07  |.  E8 18F0FFFF      call UClient.00AF9B24
00AFAB0C  |.  83F8 FF          cmp eax,-1
00AFAB0F  |.  75 3E            jnz short UClient.00AFAB4F
00AFAB11  |.  6A 24            push 24
00AFAB13  |.  6A 00            push 0
00AFAB15  |.  A1 603F0E01      mov eax,dword ptr ds:[10E3F60]
00AFAB1A  |.  8B00             mov eax,dword ptr ds:[eax]
00AFAB1C  |.  B9 C8ABAF00      mov ecx,UClient.00AFABC8          ; 提示
00AFAB21  |.  BA D8ABAF00      mov edx,UClient.00AFABD8          ; 本功能需要单独付费购买注册后才可使用,你是否需要注册证书?\n证书文件需要向经销商购买!
00AFAB26      E8 C5D35800      call UClient.01087EF0
00AFAB2B  |.  83F8 06          cmp eax,6
00AFAB2E  |.  75 67            jnz short UClient.00AFAB97
00AFAB30  |.  33D2             xor edx,edx
00AFAB32  |.  8D45 F0          lea eax,[local.4]
00AFAB35  |.  E8 26EFFFFF      call UClient.00AF9A60
00AFAB3A  |.  84C0             test al,al
00AFAB3C  |.  74 59            je short UClient.00AFAB97
00AFAB3E  |.  33D2             xor edx,edx
00AFAB40  |.  8D45 F0          lea eax,[local.4]
00AFAB43  |.  E8 DCEFFFFF      call UClient.00AF9B24
00AFAB48  |.  85C0             test eax,eax
00AFAB4A  |.  0F94C3           sete bl
00AFAB4D  |.  EB 48            jmp short UClient.00AFAB97
00AFAB4F  |>  83F8 FE          cmp eax,-2
00AFAB52  |.  75 3E            jnz short UClient.00AFAB92
00AFAB54  |.  6A 24            push 24
00AFAB56  |.  6A 00            push 0
00AFAB58  |.  A1 603F0E01      mov eax,dword ptr ds:[10E3F60]
00AFAB5D  |.  8B00             mov eax,dword ptr ds:[eax]
00AFAB5F  |.  B9 C8ABAF00      mov ecx,UClient.00AFABC8          ; 提示
00AFAB64  |.  BA 38ACAF00      mov edx,UClient.00AFAC38          ; 读取证书文件错误,请检查证书文件是否正确,你是否需要重新注册证书?
00AFAB69  |.  E8 82D35800      call UClient.01087EF0
00AFAB6E  |.  83F8 06          cmp eax,6
00AFAB71  |.  75 24            jnz short UClient.00AFAB97
00AFAB73  |.  33D2             xor edx,edx
00AFAB75  |.  8D45 F0          lea eax,[local.4]
00AFAB78  |.  E8 E3EEFFFF      call UClient.00AF9A60
00AFAB7D  |.  84C0             test al,al
00AFAB7F  |.  74 16            je short UClient.00AFAB97
00AFAB81  |.  33D2             xor edx,edx
00AFAB83  |.  8D45 F0          lea eax,[local.4]
00AFAB86  |.  E8 99EFFFFF      call UClient.00AF9B24
00AFAB8B  |.  85C0             test eax,eax
00AFAB8D  |.  0F94C3           sete bl
00AFAB90  |.  EB 05            jmp short UClient.00AFAB97
00AFAB92  |>  85C0             test eax,eax
00AFAB94  |.  0F94C3           sete bl
00AFAB97  |>  33C0             xor eax,eax
00AFAB99  |.  5A               pop edx
00AFAB9A  |.  59               pop ecx
00AFAB9B  |.  59               pop ecx
00AFAB9C  |.  64:8910          mov dword ptr fs:[eax],edx
00AFAB9F  |.  68 B4ABAF00      push UClient.00AFABB4
00AFABA4  |>  8D45 F0          lea eax,[local.4]
00AFABA7  |.  E8 68C891FF      call UClient.00417414
00AFABAC  \.  C3               retn
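The two arrows in the listing replace the three-byte prologue 55 8B EC (push ebp; mov ebp,esp) with B0 01 C3 (mov al,1; retn), so the certificate check reports success without running. A program that digests its own code regions at build time and re-checks them at run time catches exactly this kind of change. The example below is added by the editor and is not code from the post or from the program it analyses; the 18 prologue bytes are read off the opcode column above, while the image layout, `FUNC_OFFSET` and the function names are constructed for the demonstration.

```python
import hashlib

# Constructed from the opcode column of the listing above: push ebp / mov ebp,esp /
# add esp,-10 / push ebx / push esi / push edi / mov esi,eax / lea edi,[local.4] /
# movs x4. The byte values are the listing's; the surrounding image is made up.
ORIGINAL_PROLOGUE = bytes.fromhex("55 8B EC 83 C4 F0 53 56 57 8B F0 8D 7D F0 A5 A5 A5 A5")
# The same bytes after the "=>" edit: push ebp; mov ebp,esp  ->  mov al,1; retn
PATCHED_PROLOGUE = bytes.fromhex("B0 01 C3 83 C4 F0 53 56 57 8B F0 8D 7D F0 A5 A5 A5 A5")

FUNC_OFFSET = 0x40   # hypothetical position of the function inside the code section


def make_image(prologue: bytes) -> bytes:
    """Build a fake code section with the function at FUNC_OFFSET (nop padding around it)."""
    return b"\x90" * FUNC_OFFSET + prologue + b"\x90" * 16


def region_digest(image: bytes, offset: int, length: int) -> bytes:
    """SHA-256 of one code region; computed at build time, stored, and recomputed at run time."""
    return hashlib.sha256(image[offset:offset + length]).digest()


def build_manifest(image: bytes, regions):
    """regions: iterable of (offset, length). Returns the build-time list of
    (offset, length, expected_digest) the run-time check compares against."""
    return [(off, ln, region_digest(image, off, ln)) for off, ln in regions]


def verify_regions(image: bytes, manifest):
    """Run-time check: returns the offsets of regions whose bytes changed."""
    return [off for off, ln, expected in manifest
            if region_digest(image, off, ln) != expected]


def first_difference(a: bytes, b: bytes) -> int:
    """Index of the first differing byte, or -1 if the two buffers are identical;
    used to localise a detected change for logging."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def looks_like_forced_return(code: bytes) -> bool:
    """Heuristic for the specific shape this post produces: a function whose entry
    is 'mov al,1; retn' (B0 01 C3) returns success unconditionally. Legitimate
    code can start this way too, so treat a hit as a lead, not a verdict."""
    return code[:3] == b"\xB0\x01\xC3"


if __name__ == "__main__":
    clean = make_image(ORIGINAL_PROLOGUE)
    manifest = build_manifest(clean, [(FUNC_OFFSET, len(ORIGINAL_PROLOGUE))])
    tampered = make_image(PATCHED_PROLOGUE)

    print("clean image failures   :", verify_regions(clean, manifest))       # []
    bad = verify_regions(tampered, manifest)
    print("tampered image failures:", bad)                                   # [64]
    for off in bad:
        region = tampered[off:off + len(ORIGINAL_PROLOGUE)]
        print("  first changed byte at +%d, forced-return shape: %s"
              % (first_difference(ORIGINAL_PROLOGUE, region), looks_like_forced_return(region)))
```

The digest compares the mapped bytes, so it also flags in-memory patches applied by a debugger, not just edited files. Its limit is the one the post itself demonstrates: the verifier is ordinary code and can be patched in the same way, which is why integrity checks are spread across several places and combined with the device-side checks of the previous example rather than relied on alone.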