【文章作者】: 无聊之人
【软件名称】: 清华宝迪工作日记
【软件大小】: 5M
【下载地址】: www.tsinghuabaodi.siteem.com
【加壳方式】: ASP
【保护方式】: 无
【编写语言】: Borland Delphi
【使用工具】: Peid、OD
【操作平台】: xp sp3
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1、查壳脱壳
2、OD载入分析
0060276C /. 55 push ebp
0060276D |. 8BEC mov ebp,esp
0060276F |. B9 07000000 mov ecx,0x7
00602774 |> 6A 00 /push 0x0
00602776 |. 6A 00 |push 0x0
00602778 |. 49 |dec ecx
00602779 |.^ 75 F9 \jnz short NoteBook.00602774
0060277B |. 51 push ecx
0060277C |. 53 push ebx
0060277D |. 56 push esi
0060277E |. 8BD8 mov ebx,eax
00602780 |. 33C0 xor eax,eax
00602782 |. 55 push ebp
00602783 |. 68 51296000 push NoteBook.00602951
00602788 |. 64:FF30 push dword ptr fs:[eax]
0060278B |. 64:8920 mov dword ptr fs:[eax],esp
0060278E |. 8D55 F4 lea edx,[local.3]
00602791 |. 8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]
00602797 |. E8 7845E6FF call NoteBook.00466D14
0060279C |. 8B45 F4 mov eax,[local.3] ; kernel32.7C839AA8
0060279F |. 8D55 F8 lea edx,[local.2]
006027A2 |. E8 5572E0FF call NoteBook.004099FC
006027A7 |. 8B45 F8 mov eax,[local.2] ; kernel32.7C817080
006027AA |. E8 A125E0FF call NoteBook.00404D50
006027AF |. 85C0 test eax,eax
006027B1 |. 75 1D jnz short NoteBook.006027D0
006027B3 |. 6A 40 push 0x40
006027B5 |. B9 60296000 mov ecx,NoteBook.00602960 ; 信息
006027BA |. BA 68296000 mov edx,NoteBook.00602968 ; 注册码为空或不正确,请在左边的编辑框中输入正确注册码
006027BF |. A1 481E6A00 mov eax,dword ptr ds:[0x6A1E48]
006027C4 |. 8B00 mov eax,dword ptr ds:[eax]
006027C6 |. E8 FD48E8FF call NoteBook.004870C8
006027CB |. E9 24010000 jmp NoteBook.006028F4
006027D0 |> B2 01 mov dl,0x1
006027D2 |. A1 BCD94100 mov eax,dword ptr ds:[0x41D9BC]
006027D7 |. E8 A013E0FF call NoteBook.00403B7C
006027DC |. 8BF0 mov esi,eax
006027DE |. 68 A4296000 push NoteBook.006029A4 ; 01234567891bcdef
006027E3 |. 6A 02 push 0x2
006027E5 |. 8D45 FC lea eax,[local.1]
006027E8 |. 50 push eax
006027E9 |. 8D55 DC lea edx,[local.9]
006027EC |. 8B83 00030000 mov eax,dword ptr ds:[ebx+0x300]
006027F2 |. E8 1D45E6FF call NoteBook.00466D14
006027F7 |. 8B45 DC mov eax,[local.9]
006027FA |. 8D55 E0 lea edx,[local.8]
006027FD |. E8 FA71E0FF call NoteBook.004099FC
00602802 |. 8B55 E0 mov edx,[local.8]
00602805 |. 8D45 E4 lea eax,[local.7]
00602808 |. E8 533CE1FF call NoteBook.00416460
0060280D |. 8D4D E4 lea ecx,[local.7]
00602810 |. A1 3C176A00 mov eax,dword ptr ds:[0x6A173C]
00602815 |. 8B00 mov eax,dword ptr ds:[eax]
00602817 |. BA 01000000 mov edx,0x1
0060281C |. E8 DB570900 call NoteBook.00697FFC
00602821 |. 8D55 D8 lea edx,[local.10]
00602824 |. 8B45 FC mov eax,[local.1]
00602827 |. E8 346FE0FF call NoteBook.00409760 下断点的位置
060282C |. 8B45 D8 mov eax,[local.10] ; ntdll.7C930208
060282F |. 50 push eax 出注册码
0602830 |. 8D55 CC lea edx,[local.13]
00602833 |. 8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]
00602839 |. E8 D644E6FF call NoteBook.00466D14
0060283E |. 8B45 CC mov eax,[local.13]
00602841 |. 8D55 D0 lea edx,[local.12]
00602844 |. E8 B371E0FF call NoteBook.004099FC
00602849 |. 8B45 D0 mov eax,[local.12]
0060284C |. 8D55 D4 lea edx,[local.11]
0060284F |. E8 0C6FE0FF call NoteBook.00409760
00602854 |. 8B55 D4 mov edx,[local.11] ; kernel32.7C817077
00602857 |. 58 pop eax ; kernel32.7C817077
00602858 |. E8 3F26E0FF call NoteBook.00404E9C
0060285D |. 75 76 jnz short NoteBook.006028D5
0060285F |. 8D55 C8 lea edx,[local.14]
00602862 |. 8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]
00602868 |. E8 A744E6FF call NoteBook.00466D14
0060286D |. 8B55 C8 mov edx,[local.14]
00602870 |. 8BC6 mov eax,esi
00602872 |. 8B08 mov ecx,dword ptr ds:[eax]
00602874 |. FF51 38 call dword ptr ds:[ecx+0x38] ; kernel32.7C817080
00602877 |. 8B15 48196A00 mov edx,dword ptr ds:[0x6A1948] ; x]j
0060287D |. 8B12 mov edx,dword ptr ds:[edx]
0060287F |. 8D45 C4 lea eax,[local.15]
00602882 |. B9 C0296000 mov ecx,NoteBook.006029C0 ; reg.bd
00602887 |. E8 1025E0FF call NoteBook.00404D9C
0060288C |. 8B55 C4 mov edx,[local.15] ; kernel32.7C817074
0060288F |. 8BC6 mov eax,esi
00602891 |. 8B08 mov ecx,dword ptr ds:[eax]
00602893 |. FF51 74 call dword ptr ds:[ecx+0x74]
00602896 |. A1 C01A6A00 mov eax,dword ptr ds:[0x6A1AC0] ; |]j
0060289B |. E8 E021E0FF call NoteBook.00404A80
006028A0 |. 6A 40 push 0x40
006028A2 |. B9 60296000 mov ecx,NoteBook.00602960 ; 信息
006028A7 |. BA C8296000 mov edx,NoteBook.006029C8 ; 注册成功,您已成为正版用户
006028AC |. A1 481E6A00 mov eax,dword ptr ds:[0x6A1E48]
006028B1 |. 8B00 mov eax,dword ptr ds:[eax]
006028B3 |. E8 1048E8FF call NoteBook.004870C8
006028B8 |. A1 C01A6A00 mov eax,dword ptr ds:[0x6A1AC0] ; |]j
006028BD |. BA EC296000 mov edx,NoteBook.006029EC ; [正式版]
006028C2 |. E8 0D22E0FF call NoteBook.00404AD4
006028C7 |. A1 3C176A00 mov eax,dword ptr ds:[0x6A173C]
006028CC |. 8B00 mov eax,dword ptr ds:[eax]
006028CE |. E8 F9EF0800 call NoteBook.006918CC
006028D3 |. EB 18 jmp short NoteBook.006028ED
006028D5 |> 6A 40 push 0x40
006028D7 |. B9 60296000 mov ecx,NoteBook.00602960 ; 信息
006028DC |. BA F8296000 mov edx,NoteBook.006029F8 ; 注册失败
006028E1 |. A1 481E6A00 mov eax,dword ptr ds:[0x6A1E48]
006028E6 |. 8B00 mov eax,dword ptr ds:[eax]
006028E8 |. E8 DB47E8FF call NoteBook.004870C8
006028ED |> 8BC6 mov eax,esi
006028EF |. E8 B812E0FF call NoteBook.00403BAC
006028F4 |> 33C0 xor eax,eax
006028F6 |. 5A pop edx ; kernel32.7C817077
006028F7 |. 59 pop ecx ; kernel32.7C817077
006028F8 |. 59 pop ecx ; kernel32.7C817077
006028F9 |. 64:8910 mov dword ptr fs:[eax],edx ; ntdll.KiFastSystemCallRet
006028FC |. 68 58296000 push NoteBook.00602958
00602901 |> 8D45 C4 lea eax,[local.15]
00602904 |. E8 7721E0FF call NoteBook.00404A80
00602909 |. 8D45 C8 lea eax,[local.14]
0060290C |. BA 02000000 mov edx,0x2
00602911 |. E8 8E21E0FF call NoteBook.00404AA4
00602916 |. 8D45 D0 lea eax,[local.12]
00602919 |. BA 03000000 mov edx,0x3
0060291E |. E8 8121E0FF call NoteBook.00404AA4
00602923 |. 8D45 DC lea eax,[local.9]
00602926 |. E8 5521E0FF call NoteBook.00404A80
0060292B |. 8D45 E0 lea eax,[local.8]
0060292E |. E8 4D21E0FF call NoteBook.00404A80
00602933 |. 8D45 E4 lea eax,[local.7]
00602936 |. E8 D9F3E0FF call NoteBook.00411D14
0060293B |. 8D45 F4 lea eax,[local.3]
0060293E |. E8 3D21E0FF call NoteBook.00404A80
00602943 |. 8D45 F8 lea eax,[local.2]
00602946 |. BA 02000000 mov edx,0x2
0060294B |. E8 5421E0FF call NoteBook.00404AA4
00602950 \. C3 retn
堆栈 ss:[0012F258]=00E00DF4, (ASCII "zlbz-luxh-efsd-mngp-a")
eax=0012F261
0012F258 00E00DF4 ASCII "zlbz-luxh-efsd-mngp-a"
--------------------------------------------------------------------------------
【经验总结】
1、适合入门新手练习追码和爆破。
2、可做内存补丁与算法补丁。
3、可以练习多个方面的知识。
这家公司的软件比较适合练手。初学者可以自己尝试。
我电脑的激活码:zlbz-luxh-efsd-mngp-a
--------------------------------------------------------------------------------
【版权声明】: 本文原创于无聊之人, 转载请注明作者并保持文章的完整, 谢谢!
2014年01月08日 上午 11:29:40