【文章标题】: 环球网络影视 笔记
【文章作者】: vienna
【作者主页】: http://hi.baidu.com/vi_orz
【软件名称】: 环球网络影视
【下载地址】: http://www.skycn.com/soft/23922.html
【加壳方式】: UPX
【保护方式】: 注册码
【编写语言】: VB
【使用工具】: OD
【操作平台】: XP SP3
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
使用UPX解压一个出来,用GETVBRES找到关键字符,改成英文方便OD查找
都在这里了~
; The two prompt-string pushes the author located after renaming the resource strings.
; Both sit inside the same routine, so they serve as anchors for finding the check.
0049EAC3 . 68 EC6A4600 push 环球网络.00466AEC ; error prompt
0049EA5D . 68 D06A4600 push 环球网络.00466AD0 ; success prompt
好像有anti,菜鸟~~直接把SOD的选项全选了
好了,由提示的地址找上去,在段头下硬件断点
; First instruction of the routine that contains both prompt pushes (its entry point).
0049E890 55 push ebp
机器码:WD-WMAM9EE15366
注册码:555555555555555(假)
断了下来
; Prologue of the routine that holds both prompt pushes.
; Builds the frame, links an SEH record whose handler is the thunk at 00401626,
; reserves locals, and normalises the object pointer passed at [ebp+8].
0049E890 55 push ebp ; breakpoint hit here
0049E891 8BEC mov ebp,esp
0049E893 83EC 0C sub esp,0C
0049E896 68 26164000 push 复件_环?00401626 ; jmp to offset MSVBVM60.__vbaExceptHandler
0049E89B 64:A1 00000000 mov eax,dword ptr fs:[0] ; eax = previous SEH record
0049E8A1 50 push eax ; saved at [ebp-14]; restored in the epilogue
0049E8A2 64:8925 0000000>mov dword ptr fs:[0],esp ; install the new SEH record
0049E8A9 83EC 64 sub esp,64 ; space for locals
0049E8AC 53 push ebx
0049E8AD 56 push esi
0049E8AE 57 push edi
0049E8AF 8965 F4 mov dword ptr ss:[ebp-C],esp
0049E8B2 C745 F8 9813400>mov dword ptr ss:[ebp-8],复件_环?00401398 ; NOTE(review): presumably per-procedure exception data used by the handler - confirm
0049E8B9 8B75 08 mov esi,dword ptr ss:[ebp+8] ; esi = object pointer argument
0049E8BC 8BC6 mov eax,esi
0049E8BE 83E0 01 and eax,1
0049E8C1 8945 FC mov dword ptr ss:[ebp-4],eax ; keep the low bit of the argument in [ebp-4]
0049E8C4 83E6 FE and esi,FFFFFFFE ; clear the low bit to get the usable pointer
0049E8C7 56 push esi
0049E8C8 8975 08 mov dword ptr ss:[ebp+8],esi
0049E8CB 8B0E mov ecx,dword ptr ds:[esi] ; ecx = vtable of the object
0049E8CD FF51 04 call dword ptr ds:[ecx+4] ; vtable slot +4; presumably IUnknown::AddRef - confirm
; Clears the locals and reads a string from the first object into [ebp-1C].
; The author's later comment at 0049E9B1 identifies [ebp-1C] as the code typed by the user.
0049E8D0 8B16 mov edx,dword ptr ds:[esi] ; edx = vtable, used by the call at 0049E8F0
0049E8D2 33DB xor ebx,ebx ; ebx = 0, reused as the zero constant below
0049E8D4 56 push esi
0049E8D5 895D E8 mov dword ptr ss:[ebp-18],ebx
0049E8D8 895D E4 mov dword ptr ss:[ebp-1C],ebx
0049E8DB 895D E0 mov dword ptr ss:[ebp-20],ebx
0049E8DE 895D DC mov dword ptr ss:[ebp-24],ebx
0049E8E1 895D D8 mov dword ptr ss:[ebp-28],ebx
0049E8E4 895D D4 mov dword ptr ss:[ebp-2C],ebx
0049E8E7 895D D0 mov dword ptr ss:[ebp-30],ebx
0049E8EA 895D C0 mov dword ptr ss:[ebp-40],ebx
0049E8ED 895D B0 mov dword ptr ss:[ebp-50],ebx
0049E8F0 FF92 04030000 call dword ptr ds:[edx+304] ; vtable slot +304; presumably returns a control object - confirm
0049E8F6 50 push eax
0049E8F7 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049E8FA 50 push eax
0049E8FB FF15 7C104000 call dword ptr ds:[40107C] ; MSVBVM60.__vbaObjSet
0049E901 8BF8 mov edi,eax ; edi = object now held in [ebp-2C]
0049E903 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; out-pointer for the string result
0049E906 52 push edx
0049E907 57 push edi
0049E908 8B0F mov ecx,dword ptr ds:[edi]
0049E90A FF91 A0000000 call dword ptr ds:[ecx+A0] ; vtable slot +A0; presumably a string property getter - confirm
0049E910 3BC3 cmp eax,ebx ; status compared with 0
0049E912 DBE2 fclex
0049E914 7D 12 jge short 复件_环?0049E928 ; non-negative status: skip the error check
0049E916 68 A0000000 push 0A0
0049E91B 68 F8564600 push 复件_环?004656F8
0049E920 57 push edi
0049E921 50 push eax
0049E922 FF15 60104000 call dword ptr ds:[401060] ; MSVBVM60.__vbaHresultCheckObj
; Ensures the helper object in [ebp-18] exists, then reads a second string into [ebp-20].
; The author's comment at 0049E97A identifies [ebp-20] as the machine code.
0049E928 395D E8 cmp dword ptr ss:[ebp-18],ebx ; ebx is still 0 here: is [ebp-18] empty?
0049E92B 75 0F jnz short 复件_环?0049E93C
0049E92D 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0049E930 50 push eax
0049E931 68 30164600 push 复件_环?00461630
0049E936 FF15 60114000 call dword ptr ds:[401160] ; MSVBVM60.__vbaNew2
0049E93C 8B0E mov ecx,dword ptr ds:[esi]
0049E93E 8B5D E8 mov ebx,dword ptr ss:[ebp-18] ; ebx = helper object; it receives the call at 0049E999
0049E941 56 push esi
0049E942 FF91 08030000 call dword ptr ds:[ecx+308] ; vtable slot +308; presumably returns a second control object - confirm
0049E948 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0049E94B 50 push eax
0049E94C 52 push edx
0049E94D FF15 7C104000 call dword ptr ds:[40107C] ; MSVBVM60.__vbaObjSet
0049E953 8BF8 mov edi,eax
0049E955 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ; out-pointer for the string result
0049E958 51 push ecx
0049E959 57 push edi
0049E95A 8B07 mov eax,dword ptr ds:[edi]
0049E95C FF90 A0000000 call dword ptr ds:[eax+A0] ; same slot +A0 as the getter call at 0049E90A
0049E962 85C0 test eax,eax
0049E964 DBE2 fclex
0049E966 7D 12 jge short 复件_环?0049E97A ; non-negative status: skip the error check
0049E968 68 A0000000 push 0A0
0049E96D 68 F8564600 push 复件_环?004656F8
0049E972 57 push edi
0049E973 50 push eax
0049E974 FF15 60104000 call dword ptr ds:[401060] ; MSVBVM60.__vbaHresultCheckObj
; Wraps the machine-code string in a 16-byte record at [ebp-40] and passes it to a method of the helper object.
; The record layout (type word 8 at +0, pointer at +8) is consistent with a VARIANT of type VT_BSTR.
; The method writes its result into the record at [ebp-50].
0049E97A 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; the machine code appears here
0049E97D 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
0049E980 8945 C8 mov dword ptr ss:[ebp-38],eax ; string pointer goes into the record's data slot
0049E983 8D45 B0 lea eax,dword ptr ss:[ebp-50]
0049E986 C745 E0 0000000>mov dword ptr ss:[ebp-20],0 ; the local no longer owns the string
0049E98D C745 C0 0800000>mov dword ptr ss:[ebp-40],8 ; type tag 8
0049E994 8B13 mov edx,dword ptr ds:[ebx] ; edx = vtable of the helper object
0049E996 50 push eax ; address of the output record [ebp-50]
0049E997 51 push ecx ; address of the input record [ebp-40]
0049E998 53 push ebx ; the call below appears to be the algorithm call
0049E999 FF52 1C call dword ptr ds:[edx+1C]
0049E99C 85C0 test eax,eax ; the registration code appears after this point
0049E99E DBE2 fclex
0049E9A0 7D 0F jge short 复件_环?0049E9B1 ; non-negative status: skip the error check
0049E9A2 6A 1C push 1C
0049E9A4 68 586A4600 push 复件_环?00466A58
0049E9A9 53 push ebx
0049E9AA 50 push eax
0049E9AB FF15 60104000 call dword ptr ds:[401060] ; MSVBVM60.__vbaHresultCheckObj
; Converts the algorithm output to a string, reverses it, compares it with the entered code,
; frees the temporaries and branches on the result.
; NOTE(review): the expected value is derived locally from the machine code and is held as a plain
; string immediately before __vbaStrCmp, and one conditional jump selects the outcome. A check of
; this shape exposes the expected value to anyone observing the process; validating on a server or
; verifying a signed licence avoids ever materialising it on the client.
0049E9B1 8B55 E4 mov edx,dword ptr ss:[ebp-1C] ; load the entered (fake) code, the 5555... test input
0049E9B4 8D45 B0 lea eax,dword ptr ss:[ebp-50]
0049E9B7 52 push edx ; pushed early; still on the stack as the other operand of __vbaStrCmp
0049E9B8 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0049E9BB 50 push eax
0049E9BC 51 push ecx
0049E9BD FF15 3C114000 call dword ptr ds:[40113C] ; MSVBVM60.__vbaStrVarVal
0049E9C3 50 push eax ; author: pushes the "real code" (unsure of the term); this is the algorithm output before reversal
0049E9C4 FF15 1C114000 call dword ptr ds:[40111C] ; MSVBVM60.rtcStrReverse
0049E9CA 8BD0 mov edx,eax ; real code placed in edx
0049E9CC 8D4D D8 lea ecx,dword ptr ss:[ebp-28] ; author's note: where a memory keygen would break; the expected value is readable here
0049E9CF FF15 D8114000 call dword ptr ds:[4011D8] ; MSVBVM60.__vbaStrMove
0049E9D5 50 push eax ; the so-called real code was moved above; this is the actual value, compared below
0049E9D6 FF15 C4104000 call dword ptr ds:[4010C4] ; MSVBVM60.__vbaStrCmp
0049E9DC 8BF8 mov edi,eax ; edi = compare result (0 when equal)
0049E9DE 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0049E9E1 F7DF neg edi ; CF = 1 when the result was non-zero
0049E9E3 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
0049E9E6 52 push edx
0049E9E7 1BFF sbb edi,edi ; edi = -CF (lea/push in between leave the flags untouched)
0049E9E9 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0049E9EC 50 push eax
0049E9ED 47 inc edi
0049E9EE 51 push ecx
0049E9EF 6A 03 push 3
0049E9F1 F7DF neg edi ; edi = FFFFFFFF when the strings matched, 0 otherwise
0049E9F3 FF15 84114000 call dword ptr ds:[401184] ; MSVBVM60.__vbaFreeStrList
0049E9F9 8B1D 3C104000 mov ebx,dword ptr ds:[40103C] ; MSVBVM60.__vbaFreeObjList
0049E9FF 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0049EA02 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049EA05 52 push edx
0049EA06 50 push eax
0049EA07 6A 02 push 2
0049EA09 FFD3 call ebx ; __vbaFreeObjList(2, [ebp-2C], [ebp-30])
0049EA0B 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0049EA0E 8D55 C0 lea edx,dword ptr ss:[ebp-40]
0049EA11 51 push ecx
0049EA12 52 push edx
0049EA13 6A 02 push 2
0049EA15 FF15 34104000 call dword ptr ds:[401034] ; MSVBVM60.__vbaFreeVarList
0049EA1B 83C4 28 add esp,28 ; drop the arguments of the three free-list calls (0x10 + 0x0C + 0x0C)
0049EA1E 66:85FF test di,di
0049EA21 74 66 je short 复件_环?0049EA89 ; taken -> error prompt, not taken -> success prompt; the author names this branch as the patch point
; Match path: obtains an object through slots +30C and +40, hands it the success string through slot +54,
; then jumps to the shared tail at 0049EAED.
; NOTE(review): only the prompt string is passed here; nothing in this path is visibly a write of
; registration state, though the indirect calls cannot be resolved from the listing alone.
0049EA23 8B06 mov eax,dword ptr ds:[esi]
0049EA25 56 push esi
0049EA26 FF90 0C030000 call dword ptr ds:[eax+30C] ; vtable slot +30C; presumably returns a control object - confirm
0049EA2C 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0049EA2F 50 push eax
0049EA30 51 push ecx
0049EA31 FF15 7C104000 call dword ptr ds:[40107C] ; MSVBVM60.__vbaObjSet
0049EA37 8BF0 mov esi,eax
0049EA39 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; out-pointer for the object returned below
0049EA3C 50 push eax
0049EA3D 6A 02 push 2
0049EA3F 8B16 mov edx,dword ptr ds:[esi]
0049EA41 56 push esi
0049EA42 FF52 40 call dword ptr ds:[edx+40] ; slot +40 with the constant 2; result object lands in [ebp-30]
0049EA45 85C0 test eax,eax
0049EA47 DBE2 fclex
0049EA49 7D 0F jge short 复件_环?0049EA5A ; non-negative status: skip the error check
0049EA4B 6A 40 push 40
0049EA4D 68 F0524600 push 复件_环?004652F0
0049EA52 56 push esi
0049EA53 50 push eax
0049EA54 FF15 60104000 call dword ptr ds:[401060] ; MSVBVM60.__vbaHresultCheckObj
0049EA5A 8B45 D0 mov eax,dword ptr ss:[ebp-30]
0049EA5D 68 D06A4600 push 复件_环?00466AD0 ; success prompt
0049EA62 50 push eax
0049EA63 8BF0 mov esi,eax
0049EA65 8B08 mov ecx,dword ptr ds:[eax]
0049EA67 FF51 54 call dword ptr ds:[ecx+54] ; slot +54 receives the prompt string; presumably a text setter - confirm
0049EA6A 85C0 test eax,eax
0049EA6C DBE2 fclex
0049EA6E 7D 0F jge short 复件_环?0049EA7F ; non-negative status: skip the error check
0049EA70 6A 54 push 54
0049EA72 68 E8564600 push 复件_环?004656E8
0049EA77 56 push esi
0049EA78 50 push eax
0049EA79 FF15 60104000 call dword ptr ds:[401060] ; MSVBVM60.__vbaHresultCheckObj
0049EA7F 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0049EA82 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049EA85 52 push edx ; arguments for the object free at 0049EAED
0049EA86 50 push eax
0049EA87 EB 64 jmp short 复件_环?0049EAED
; Mismatch path: the same call sequence as the match path, but with the error string,
; followed by the tail shared by both paths (0049EAED onward).
0049EA89 8B0E mov ecx,dword ptr ds:[esi]
0049EA8B 56 push esi
0049EA8C FF91 0C030000 call dword ptr ds:[ecx+30C] ; same slot +30C as on the match path
0049EA92 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
0049EA95 50 push eax
0049EA96 52 push edx
0049EA97 FF15 7C104000 call dword ptr ds:[40107C] ; MSVBVM60.__vbaObjSet
0049EA9D 8BF0 mov esi,eax
0049EA9F 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; out-pointer for the object returned below
0049EAA2 51 push ecx
0049EAA3 6A 02 push 2
0049EAA5 8B06 mov eax,dword ptr ds:[esi]
0049EAA7 56 push esi
0049EAA8 FF50 40 call dword ptr ds:[eax+40] ; slot +40 with the constant 2; result object lands in [ebp-30]
0049EAAB 85C0 test eax,eax
0049EAAD DBE2 fclex
0049EAAF 7D 0F jge short 复件_环?0049EAC0 ; non-negative status: skip the error check
0049EAB1 6A 40 push 40
0049EAB3 68 F0524600 push 复件_环?004652F0
0049EAB8 56 push esi
0049EAB9 50 push eax
0049EABA FF15 60104000 call dword ptr ds:[401060] ; MSVBVM60.__vbaHresultCheckObj
0049EAC0 8B45 D0 mov eax,dword ptr ss:[ebp-30]
0049EAC3 68 EC6A4600 push 复件_环?00466AEC ; error prompt
0049EAC8 50 push eax
0049EAC9 8BF0 mov esi,eax
0049EACB 8B10 mov edx,dword ptr ds:[eax]
0049EACD FF52 54 call dword ptr ds:[edx+54] ; slot +54 receives the prompt string; presumably a text setter - confirm
0049EAD0 85C0 test eax,eax
0049EAD2 DBE2 fclex
0049EAD4 7D 0F jge short 复件_环?0049EAE5 ; non-negative status: skip the error check
0049EAD6 6A 54 push 54
0049EAD8 68 E8564600 push 复件_环?004656E8
0049EADD 56 push esi
0049EADE 50 push eax
0049EADF FF15 60104000 call dword ptr ds:[401060] ; MSVBVM60.__vbaHresultCheckObj
0049EAE5 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0049EAE8 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0049EAEB 50 push eax
0049EAEC 51 push ecx
; Shared tail: the match path jumps in here with its two object addresses already pushed.
0049EAED 6A 02 push 2
0049EAEF FFD3 call ebx ; ebx = __vbaFreeObjList, loaded at 0049E9F9
0049EAF1 83C4 0C add esp,0C
0049EAF4 C745 FC 0000000>mov dword ptr ss:[ebp-4],0
0049EAFB 68 48EB4900 push 复件_环?0049EB48 ; address the retn at 0049EB47 will continue at
0049EB00 EB 3C jmp short 复件_环?0049EB3E ; skip the cleanup routine that follows
; Two small cleanup routines.
; 0049EB02..0049EB3D frees four strings, two objects and two 16-byte records, then returns. It is not reached
; by fall-through (0049EB00 jumps over it); presumably the exception handler runs it during unwinding - confirm.
; 0049EB3E..0049EB47 frees the helper object in [ebp-18] and returns to the address pushed at 0049EAFB.
0049EB02 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0049EB05 8D45 DC lea eax,dword ptr ss:[ebp-24]
0049EB08 52 push edx
0049EB09 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0049EB0C 50 push eax
0049EB0D 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0049EB10 51 push ecx
0049EB11 52 push edx
0049EB12 6A 04 push 4
0049EB14 FF15 84114000 call dword ptr ds:[401184] ; MSVBVM60.__vbaFreeStrList
0049EB1A 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0049EB1D 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0049EB20 50 push eax
0049EB21 51 push ecx
0049EB22 6A 02 push 2
0049EB24 FF15 3C104000 call dword ptr ds:[40103C] ; MSVBVM60.__vbaFreeObjList
0049EB2A 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0049EB2D 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0049EB30 52 push edx
0049EB31 50 push eax
0049EB32 6A 02 push 2
0049EB34 FF15 34104000 call dword ptr ds:[401034] ; MSVBVM60.__vbaFreeVarList
0049EB3A 83C4 2C add esp,2C ; drop the arguments of the three free-list calls (0x14 + 0x0C + 0x0C)
0049EB3D C3 retn
0049EB3E 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0049EB41 FF15 04124000 call dword ptr ds:[401204] ; MSVBVM60.__vbaFreeObj
0049EB47 C3 retn ; continues at the pushed address 0049EB48
; Epilogue: calls slot +8 of the object passed in, restores the previous SEH record and the
; saved registers, and returns the value kept in [ebp-4], removing the single stack argument.
0049EB48 8B45 08 mov eax,dword ptr ss:[ebp+8]
0049EB4B 50 push eax
0049EB4C 8B08 mov ecx,dword ptr ds:[eax]
0049EB4E FF51 08 call dword ptr ds:[ecx+8] ; vtable slot +8; presumably IUnknown::Release - confirm
0049EB51 8B45 FC mov eax,dword ptr ss:[ebp-4] ; return value (set to 0 at 0049EAF4 on the normal path)
0049EB54 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; previous SEH record saved by the prologue
0049EB57 5F pop edi
0049EB58 5E pop esi
0049EB59 64:890D 0000000>mov dword ptr fs:[0],ecx ; unlink this routine's SEH record
0049EB60 5B pop ebx
0049EB61 8BE5 mov esp,ebp
0049EB63 5D pop ebp
0049EB64 C2 0400 retn 4
--------------------------------------------------------------------------
; The call site of the algorithm method again, annotated with the register values the author observed.
0049E996 50 push eax ; eax = 12f4b8
0049E997 51 push ecx ; ecx = 12f4c8
0049E998 53 push ebx ; ebx = 22c450, the call below appears to be the algorithm call
0049E999 FF52 1C call dword ptr ds:[edx+1C] ; 复件_环?004617F2
0012F4C0 002193F4 UNICODE "60A074F9C11313CC"
把算出来的倒序一下
eax=0021B254, (UNICODE "CC31311C9F470A06")
我的
机器码:WD-WMAM9EE15366
注册码:CC31311C9F470A06
完了。。本来想找东西入门算法。。看见那个貌似算法call的东西NNNN长。。。顿时再次非常膜拜那些大牛了~~
好了,我把找出来的码输入后,发现注册窗口会被一个时钟(Timer)关掉;输入其他假码则没有这种现象。现在郁闷了:这是程序另有一处验证,还是根本没有注册成功?从上面的代码看,成功分支里能看到的只是设置提示文字,看不出有保存注册状态的操作,所以仅凭这一个函数还无法判断。
--------------------------------------------------------------------------------
【版权声明】: 转载请注明作者并保持文章的完整, 谢谢!
2010年03月24日 下午 06:35:45 |