【Author】: 无聊之人
【Software】: 合同生成大师 (Contract Generator Master)
【Size】: 8M
【Download】: www.tsinghuabaodi.siteem.com
【Packer】: ASP
【Protection】: none
【Language】: Borland Delphi 6.0-7.0
【Tools】: PEiD, OD (OllyDbg)
【Platform】: XP SP3
【Author's note】: Just out of interest, no other purpose. If I have made mistakes, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
1. Identify the packer and unpack.
2. Load into OD and analyse the registration routine:
00700D1C /. 55 push ebp
00700D1D |. 8BEC mov ebp,esp
00700D1F |. B9 07000000 mov ecx,0x7
00700D24 |> 6A00 /push 0x0
00700D26 |. 6A00 |push 0x0
00700D28 |. 49 |dec ecx
00700D29 |.^ 75F9 \jnz short contract.00700D24
00700D2B |. 51 push ecx
00700D2C |. 53 push ebx
00700D2D |. 56 push esi
00700D2E |. 8BD8 mov ebx,eax
00700D30 |. 33C0 xor eax,eax
00700D32 |. 55 push ebp
00700D33 |. 68 DC0E7000 push contract.00700EDC
00700D38 |. 64:FF30 push dword ptr fs:[eax]
00700D3B |. 64:8920 mov dword ptr fs:[eax],esp
00700D3E |. 8D55 F4 lea edx,[local.3]
00700D41 |. 8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]
00700D47 |. E8 1CC2D7FF call contract.0047CF68
00700D4C |. 8B45 F4 mov eax,[local.3] ; kernel32.7C839AA8
00700D4F |. 8D55 F8 lea edx,[local.2]
00700D52 |. E8 1584D0FF call contract.0040916C
00700D57 |. 8B45 F8 mov eax,[local.2] ; kernel32.7C817080
00700D5A |. E8 093AD0FF call contract.00404768
00700D5F |. 85C0 test eax,eax
00700D61 |. 751D jnz short contract.00700D80
00700D63 |. 6A40 push 0x40
00700D65 |. B9 EC0E7000 mov ecx,contract.00700EEC ; Information
00700D6A |. BA F40E7000 mov edx,contract.00700EF4 ; The registration code cannot be empty, please enter it in the edit box on the left
00700D6F |. A1 2CBE7100 mov eax,dword ptr ds:[0x71BE2C]
00700D74 |. 8B00 mov eax,dword ptr ds:[eax]
00700D76 |. E8 2DD2D9FF call contract.0049DFA8
00700D7B |. E9 FF000000 jmp contract.00700E7F
00700D80 |> B201 mov dl,0x1
00700D82 |. A1 089A4100 mov eax,dword ptr ds:[0x419A08]
00700D87 |. E8 8C28D0FF call contract.00403618
00700D8C |. 8BF0 mov esi,eax
00700D8E |. 6A02 push 0x2
00700D90 |. 8D45 FC lea eax,[local.1]
00700D93 |. 50 push eax
00700D94 |. 8D55 DC lea edx,[local.9]
00700D97 |. 8B83 00030000 mov eax,dword ptr ds:[ebx+0x300]
00700D9D |. E8 C6C1D7FF call contract.0047CF68
00700DA2 |. 8B45 DC mov eax,[local.9]
00700DA5 |. 8D55 E0 lea edx,[local.8]
00700DA8 |. E8 BF83D0FF call contract.0040916C
00700DAD |. 8B55 E0 mov edx,[local.8]
00700DB0 |. 8D45 E4 lea eax,[local.7]
00700DB3 |. E8 B04CD1FF call contract.00415A68
00700DB8 |. 8D55 E4 lea edx,[local.7]
00700DBB |. B9 280F7000 mov ecx,contract.00700F28 ; 01234567891bcdef
00700DC0 |. 33C0 xor eax,eax
00700DC2 |. E8 D1DEFFFF call contract.006FEC98
00700DC7 |. 8D55 D8 lea edx,[local.10]
00700DCA |. 8B45 FC mov eax,[local.1]
00700DCD |. E8 4681D0FF call contract.00408F18 ; Set a breakpoint here, press F9 to run the program and enter any registration code. Back in OD, press F8 and the registration code appears.
00700DD2 |. 8B45 D8 mov eax,[local.10] ; ntdll.7C930208
00700DD5 |. 50 push eax
00700DD6 |. 8D55 CC lea edx,[local.13]
00700DD9 |. 8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]
00700DDF |. E8 84C1D7FF call contract.0047CF68
00700DE4 |. 8B45 CC mov eax,[local.13]
00700DE7 |. 8D55 D0 lea edx,[local.12]
00700DEA |. E8 7D83D0FF call contract.0040916C
00700DEF |. 8B45 D0 mov eax,[local.12]
00700DF2 |. 8D55 D4 lea edx,[local.11]
00700DF5 |. E8 1E81D0FF call contract.00408F18
00700DFA |. 8B55 D4 mov edx,[local.11] ; kernel32.7C817077
00700DFD |. 58 pop eax ; kernel32.7C817077
00700DFE |. E8 B13AD0FF call contract.004048B4
00700E03 |. 755B jnz short contract.00700E60
00700E05 |. 8D55 C8 lea edx,[local.14]
00700E08 |. 8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]
00700E0E |. E8 55C1D7FF call contract.0047CF68
00700E13 |. 8B55 C8 mov edx,[local.14]
00700E16 |. 8BC6 mov eax,esi
00700E18 |. 8B08 mov ecx,dword ptr ds:[eax]
00700E1A |. FF51 38 call dword ptr ds:[ecx+0x38] ; kernel32.7C817080
00700E1D |. 8B15 20BA7100 mov edx,dword ptr ds:[0x71BA20]
00700E23 |. 8B12 mov edx,dword ptr ds:[edx]
00700E25 |. 8D45 C4 lea eax,[local.15]
00700E28 |. B9 440F7000 mov ecx,contract.00700F44 ; reg.bd
00700E2D |. E8 8239D0FF call contract.004047B4
00700E32 |. 8B55 C4 mov edx,[local.15] ; kernel32.7C817074
00700E35 |. 8BC6 mov eax,esi
00700E37 |. 8B08 mov ecx,dword ptr ds:[eax]
00700E39 |. FF51 74 call dword ptr ds:[ecx+0x74]
00700E3C |. A1 28BB7100 mov eax,dword ptr ds:[0x71BB28]
00700E41 |. E8 5236D0FF call contract.00404498
00700E46 |. 6A40 push 0x40
00700E48 |. B9 EC0E7000 mov ecx,contract.00700EEC ; Information
00700E4D |. BA 4C0F7000 mov edx,contract.00700F4C ; Registration successful, you are now a licensed user
00700E52 |. A1 2CBE7100 mov eax,dword ptr ds:[0x71BE2C]
00700E57 |. 8B00 mov eax,dword ptr ds:[eax]
00700E59 |. E8 4AD1D9FF call contract.0049DFA8
00700E5E |. EB18 jmp short contract.00700E78
00700E60 |> 6A40 push 0x40
00700E62 |. B9 EC0E7000 mov ecx,contract.00700EEC ; Information
00700E67 |. BA 680F7000 mov edx,contract.00700F68 ; Registration failed
00700E6C |. A1 2CBE7100 mov eax,dword ptr ds:[0x71BE2C]
00700E71 |. 8B00 mov eax,dword ptr ds:[eax]
00700E73 |. E8 30D1D9FF call contract.0049DFA8
00700E78 |> 8BC6 mov eax,esi
00700E7A |. E8 C927D0FF call contract.00403648
00700E7F |> 33C0 xor eax,eax
00700E81 |. 5A pop edx ; kernel32.7C817077
00700E82 |. 59 pop ecx ; kernel32.7C817077
00700E83 |. 59 pop ecx ; kernel32.7C817077
00700E84 |. 64:8910 mov dword ptr fs:[eax],edx ; ntdll.KiFastSystemCallRet
00700E87 |. 68 E30E7000 push contract.00700EE3
00700E8C |> 8D45 C4 lea eax,[local.15]
00700E8F |. E8 0436D0FF call contract.00404498
00700E94 |. 8D45 C8 lea eax,[local.14]
00700E97 |. BA 02000000 mov edx,0x2
00700E9C |. E8 1B36D0FF call contract.004044BC
00700EA1 |. 8D45 D0 lea eax,[local.12]
00700EA4 |. BA 03000000 mov edx,0x3
00700EA9 |. E8 0E36D0FF call contract.004044BC
00700EAE |. 8D45 DC lea eax,[local.9]
00700EB1 |. E8 E235D0FF call contract.00404498
00700EB6 |. 8D45 E0 lea eax,[local.8]
00700EB9 |. E8 DA35D0FF call contract.00404498
00700EBE |. 8D45 E4 lea eax,[local.7]
00700EC1 |. E8 EE06D1FF call contract.004115B4
00700EC6 |. 8D45 F4 lea eax,[local.3]
00700EC9 |. E8 CA35D0FF call contract.00404498
00700ECE |. 8D45 F8 lea eax,[local.2]
00700ED1 |. BA 02000000 mov edx,0x2
00700ED6 |. E8 E135D0FF call contract.004044BC
00700EDB \. C3 retn
3. Stack: ss:[0012F160]=00F1A574, (ASCII "qyfa-qhrc-avmc-fnkx-r")
eax=0012F172
0012F160 00F1A574 ASCII "qyfa-qhrc-avmc-fnkx-r"
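As an added example, not code from the original post: a small Python parser for the OllyDbg listing layout used above. It splits each line into address, mnemonic, operands and comment, then lists the message-box call sites (empty code, success, failure) together with their strings, so the routine's three outcomes can be read off without stepping through it. It assumes the listing's own conventions (uppercase opcode bytes, lowercase mnemonics, and contract.0049DFA8 as the message routine, taken from the listing); SAMPLE holds lines copied from the listing above.

```python
import re
from collections import namedtuple
# Lines copied from the listing above (the three message-box sites and the compare's jnz).
SAMPLE = """\
00700D63 |. 6A40 push 0x40
00700D65 |. B9 EC0E7000 mov ecx,contract.00700EEC ; Information
00700D6A |. BA F40E7000 mov edx,contract.00700EF4 ; The registration code cannot be empty, please enter it in the edit box on the left
00700D76 |. E8 2DD2D9FF call contract.0049DFA8
00700E03 |. 755B jnz short contract.00700E60
00700E46 |. 6A40 push 0x40
00700E48 |. B9 EC0E7000 mov ecx,contract.00700EEC ; Information
00700E4D |. BA 4C0F7000 mov edx,contract.00700F4C ; Registration successful, you are now a licensed user
00700E59 |. E8 4AD1D9FF call contract.0049DFA8
00700E60 |> 6A40 push 0x40
00700E62 |. B9 EC0E7000 mov ecx,contract.00700EEC ; Information
00700E67 |. BA 680F7000 mov edx,contract.00700F68 ; Registration failed
00700E73 |. E8 30D1D9FF call contract.0049DFA8
"""
# Opcode bytes are uppercase hex groups (optionally with a segment prefix such as 64:FF30); mnemonics here are lowercase, so they never match.
HEX_GROUP = re.compile(r"^(?:[0-9A-F]{2}:)?[0-9A-F]{2,}$")
Entry = namedtuple("Entry", "addr mnemonic operands comment")
MSGBOX_CALL = "contract.0049DFA8"   # the routine every message box in the listing calls

def parse_listing(text):
    entries = []
    for line in text.splitlines():
        code, _, comment = line.partition(";")
        tokens = code.split()
        if len(tokens) < 3 or not HEX_GROUP.match(tokens[0]):
            continue                        # not an instruction line
        rest = tokens[2:]                   # tokens[1] is the flow marker (|. /. |>)
        while rest and HEX_GROUP.match(rest[0]):
            rest.pop(0)                     # drop opcode bytes
        if rest:
            mnem = rest[0].lstrip("/|\\")   # strip loop-bracket marks such as /push
            entries.append(Entry(int(tokens[0], 16), mnem, " ".join(rest[1:]), comment.strip()))
    return entries

def find_message_boxes(entries):
    boxes = []
    for i, e in enumerate(entries):
        if (e.mnemonic, e.operands) != ("push", "0x40"):
            continue
        window = entries[i + 1:i + 6]       # caption, text and the call sit within the next few lines
        if any(w.mnemonic == "call" and w.operands == MSGBOX_CALL for w in window):
            caption = next((w.comment for w in window if w.operands.startswith("ecx,")), "")
            text = next((w.comment for w in window if w.operands.startswith("edx,")), "")
            boxes.append((f"{e.addr:08X}", caption, text))
    return boxes
```

find_message_boxes(parse_listing(SAMPLE)) returns the three outcome sites 00700D63, 00700E46 and 00700E60 with their caption and text strings.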
--------------------------------------------------------------------------------
【Lessons learned】
1. Suitable for beginners practising serial tracing and patching.
2. Both a memory patch and an algorithm patch are possible.
3. Exercises knowledge in several areas.
--------------------------------------------------------------------------------
【Copyright】: This article is original work by 无聊之人; when reposting, please credit the author and keep the article intact. Thank you!
8 January 2014, 11:12:00 AM