前言
看到一个cm, 楼主用的是强改流程,程序闪退. 这正常, 应该是后面用到了输入的注册码.
cm用弹框(MessageBoxA)来提示注册码“不对”, 是一个用到数据库操作的小程序, 单EXE.
通过注册码校验后,因为数据库没配好,提示数据库操作错误, 我不关心.
注册码用的明码比对, 很好找.
记录
用MessageBoxA弹错误信息
断在MessageBoxA,返回用户领空,下断点,重新跟注册码判断流程
注册码判断函数
;-----------------------------------------------------------------------
; Registration-code check (sub_004619D4).
; In:  eax = object pointer (Borland register convention presumed; kept in
;      ebx for the whole routine).
; Reads the typed string from the control at [ebx+0x2E4], compares it with
; the expected code kept as a plain string at [ebx+0x2EC], and stores the
; outcome in [ebx+0x234]: 1 = match, 0 = mismatch, 2 = mismatch on the
; 3rd or later attempt (presumed lock-out state; not confirmed here).
; [ebx+0x2E8] is the attempt counter; it lives inside the object, so it
; starts from zero again with every process start.
; Security note: the expected code sits in process memory and is compared
; byte-for-byte (see fnIsPwdOk1); comparing a digest instead of the raw
; value would be the minimal hardening.
; Locals: [ebp-4], [ebp-8], [ebp-0xC], [ebp-0x10] = four string
; temporaries, zeroed by the four 'push ecx' below and released at the end.
; The routine runs under an SEH frame (try/finally shape): the handler
; address pushed at 004619E3 leads to 00461ADB -> 00403980 (RTL; presumed).
;-----------------------------------------------------------------------
004619D4 /. 55 push ebp
004619D5 |. 8BEC mov ebp,esp
004619D7 |. 33C9 xor ecx,ecx ; ecx = 0, used to zero-init the locals
004619D9 |. 51 push ecx ; [ebp-4]  = nil
004619DA |. 51 push ecx ; [ebp-8]  = nil
004619DB |. 51 push ecx ; [ebp-C]  = nil
004619DC |. 51 push ecx ; [ebp-10] = nil
004619DD |. 53 push ebx ; save callee-saved ebx
004619DE |. 8BD8 mov ebx,eax ; ebx = object (first register argument)
004619E0 |. 33C0 xor eax,eax ; eax = 0 -> fs:[eax] is fs:[0], the SEH chain head
004619E2 |. 55 push ebp ; frame ebp for the handler
004619E3 |. 68 DB1A4600 push djsetup.00461ADB ; handler entry (see 00461ADB below)
004619E8 |. 64:FF30 push dword ptr fs:[eax] ; save previous SEH head
004619EB |. 64:8920 mov dword ptr fs:[eax],esp ; install this frame
004619EE |. FF83 E8020000 inc dword ptr ds:[ebx+0x2E8] ; ++attempts
004619F4 |. 83BB E8020000>cmp dword ptr ds:[ebx+0x2E8],0x3
004619FB |. 7C 4D jl short djsetup.00461A4A ; fewer than 3 attempts: normal path
004619FD |. 8D55 F8 lea edx,dword ptr ss:[ebp-0x8] ; --- 3rd or later attempt ---
00461A00 |. 8B83 E4020000 mov eax,dword ptr ds:[ebx+0x2E4] ; eax = input control
00461A06 |. E8 09B8FDFF call djsetup.0043D214 ; presumably fetches the control text into [ebp-8]
00461A0B |. 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
00461A0E |. 8D55 FC lea edx,dword ptr ss:[ebp-0x4]
00461A11 |. E8 3291FAFF call djsetup.0040AB48 ; string copy/convert [ebp-8] -> [ebp-4]; exact semantics not visible
00461A16 |. 8B55 FC mov edx,dword ptr ss:[ebp-0x4] ; edx = typed code
00461A19 |. 8B83 EC020000 mov eax,dword ptr ds:[ebx+0x2EC] ; eax = expected code (plain string)
00461A1F |. E8 8C28FAFF call <djsetup.fnIsPwdOk1> ; sets ZF=1 on equal strings
00461A24 |. 74 24 je short djsetup.00461A4A ; match: fall into the normal path (re-reads and re-compares)
00461A26 |. 6A 40 push 0x40 ; MB_ICONINFORMATION -> fnPwdDiff stack arg
00461A28 |. B9 E81A4600 mov ecx,djsetup.00461AE8 ; ecx = caption string
00461A2D |. BA F41A4600 mov edx,djsetup.00461AF4 ; edx = text for the too-many-attempts case
00461A32 |. A1 D0035A00 mov eax,dword ptr ds:[0x5A03D0] ; global object pointer (presumably Application)
00461A37 |. 8B00 mov eax,dword ptr ds:[eax]
00461A39 |. E8 CA3EFFFF call <djsetup.fnPwdDiff> ; show error box
00461A3E |. C783 34020000>mov dword ptr ds:[ebx+0x234],0x2 ; state 2: failed on 3rd+ attempt
00461A48 |. EB 63 jmp short djsetup.00461AAD ; -> epilogue
00461A4A |> 8D55 F0 lea edx,dword ptr ss:[ebp-0x10] ; --- normal path ---
00461A4D |. 8B83 E4020000 mov eax,dword ptr ds:[ebx+0x2E4] ; eax = input control
00461A53 |. E8 BCB7FDFF call djsetup.0043D214 ; presumably fetches the control text into [ebp-0x10]
00461A58 |. 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; typed code
00461A5B |. 8D55 F4 lea edx,dword ptr ss:[ebp-0xC]
00461A5E |. E8 E590FAFF call djsetup.0040AB48 ; string copy/convert [ebp-0x10] -> [ebp-0xC]
00461A63 |. 8B55 F4 mov edx,dword ptr ss:[ebp-0xC] ; edx = typed code
00461A66 |. 8B83 EC020000 mov eax,dword ptr ds:[ebx+0x2EC] ; eax = expected code (plain string)
00461A6C |. E8 3F28FAFF call <djsetup.fnIsPwdOk1> ; edx = typed code, eax = expected code; ZF=1 if equal
00461A71 |. 75 0C jnz short djsetup.00461A7F ; mismatch
00461A73 |. C783 34020000>mov dword ptr ds:[ebx+0x234],0x1 ; state 1: code accepted
00461A7D |. EB 2E jmp short djsetup.00461AAD ; -> epilogue
00461A7F |> 6A 40 push 0x40 ; MB_ICONINFORMATION
00461A81 |. B9 E81A4600 mov ecx,djsetup.00461AE8 ; ecx = caption string
00461A86 |. BA 101B4600 mov edx,djsetup.00461B10 ; edx = text for the plain-mismatch case
00461A8B |. A1 D0035A00 mov eax,dword ptr ds:[0x5A03D0] ; global object pointer (presumably Application)
00461A90 |. 8B00 mov eax,dword ptr ds:[eax]
00461A92 |. E8 713EFFFF call <djsetup.fnPwdDiff> ; mismatch: show error box
00461A97 |. 8B83 E4020000 mov eax,dword ptr ds:[ebx+0x2E4] ; eax = input control
00461A9D |. 8B10 mov edx,dword ptr ds:[eax] ; edx = its vtable
00461A9F |. FF92 B0000000 call dword ptr ds:[edx+0xB0] ; virtual method, slot 0xB0 (presumably refocuses the control; not confirmed)
00461AA5 |. 33C0 xor eax,eax
00461AA7 |. 8983 34020000 mov dword ptr ds:[ebx+0x234],eax ; state 0: mismatch
00461AAD |> 33C0 xor eax,eax ; --- epilogue: unlink SEH frame ---
00461AAF |. 5A pop edx ; edx = previous SEH head
00461AB0 |. 59 pop ecx ; discard handler address
00461AB1 |. 59 pop ecx ; discard saved ebp
00461AB2 |. 64:8910 mov dword ptr fs:[eax],edx ; fs:[0] = previous head
00461AB5 |. 68 E21A4600 push djsetup.00461AE2 ; return address for the cleanup block: 'retn' at 00461ADA lands at 00461AE2
00461ABA |> 8D45 F0 lea eax,dword ptr ss:[ebp-0x10] ; cleanup block (also reached from the handler via 00461AE0)
00461ABD |. E8 5E24FAFF call djsetup.00403F20 ; release string temporary (presumed string-free routine)
00461AC2 |. 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00461AC5 |. E8 5624FAFF call djsetup.00403F20
00461ACA |. 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
00461ACD |. E8 4E24FAFF call djsetup.00403F20
00461AD2 |. 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
00461AD5 |. E8 4624FAFF call djsetup.00403F20
00461ADA \. C3 retn ; continues at the pushed address (00461AE2 on the normal path)
00461ADB .^ E9 A01EFAFF jmp djsetup.00403980 ; exception path: RTL handler (presumed)
00461AE0 .^ EB D8 jmp short djsetup.00461ABA ; re-enter the cleanup block
00461AE2 . 5B pop ebx ; restore callee-saved ebx
00461AE3 . 8BE5 mov esp,ebp ; drop locals
00461AE5 . 5D pop ebp
00461AE6 . C3 retn
// 比对注册码, 拿用户输入的口令和预留的注册码进行比对.
;-----------------------------------------------------------------------
; fnIsPwdOk1 -- equality compare of two length-prefixed strings.
; The length dword is read from [ptr-4] (Delphi AnsiString layout;
; presumed from the accesses below). Either pointer may be nil.
; In:  eax = expected code, edx = typed code.
; Out: flags. Both callers branch on ZF right after the call (je at
;      00461A24, jnz at 00461A71): ZF=1 <=> strings equal. eax holds a
;      length difference only on the paths that end at 00404327 or in the
;      nil cases, so eax alone is not a reliable result.
; Walks 4 bytes at a time (unrolled x2) over min(len1,len2), then up to
; 3 tail bytes, then decides on the length difference. It stops at the
; first differing dword/byte, so its run time depends on how many leading
; bytes match (not constant-time).
; Clobbers: eax, ecx, edx, flags. ebx, esi, edi preserved.
;-----------------------------------------------------------------------
004042B0 <djsetup.fnIsPwdOk1> /$ 53 push ebx
004042B1 |. 56 push esi
004042B2 |. 57 push edi
004042B3 |. 89C6 mov esi,eax ; esi = expected code
004042B5 |. 89D7 mov edi,edx ; edi = typed code
004042B7 |. 39D0 cmp eax,edx
004042B9 |. 0F84 8F000000 je djsetup.0040434E ; same pointer: equal (ZF=1)
004042BF |. 85F6 test esi,esi ; SpaceTime
004042C1 |. 74 68 je short djsetup.0040432B ; esi nil -> eax = -len2
004042C3 |. 85FF test edi,edi ; 123456
004042C5 |. 74 6B je short djsetup.00404332 ; edi nil -> eax = len1
004042C7 |. 8B46 FC mov eax,dword ptr ds:[esi-0x4] ; eax = len1
004042CA |. 8B57 FC mov edx,dword ptr ds:[edi-0x4] ; edx = len2
004042CD |. 29D0 sub eax,edx ; eax = len1 - len2
004042CF |. 77 02 ja short djsetup.004042D3 ; len1 > len2 (unsigned): min is len2, already in edx
004042D1 |. 01C2 add edx,eax ; else edx = len2 + (len1-len2) = len1 = min
004042D3 |> 52 push edx ; save min length for the tail pass
004042D4 |. C1EA 02 shr edx,0x2 ; edx = number of whole dwords
004042D7 |. 74 26 je short djsetup.004042FF ; none -> tail bytes
004042D9 |> 8B0E /mov ecx,dword ptr ds:[esi] ; loop: two dwords per iteration
004042DB |. 8B1F |mov ebx,dword ptr ds:[edi]
004042DD |. 39D9 |cmp ecx,ebx ; bytes 0..3
004042DF |. 75 58 |jnz short djsetup.00404339 ; differ -> locate the differing byte
004042E1 |. 4A |dec edx
004042E2 |. 74 15 |je short djsetup.004042F9 ; exactly one dword was left -> advance by 4
004042E4 |. 8B4E 04 |mov ecx,dword ptr ds:[esi+0x4] ; bytes 4..7
004042E7 |. 8B5F 04 |mov ebx,dword ptr ds:[edi+0x4]
004042EA |. 39D9 |cmp ecx,ebx
004042EC |. 75 4B |jnz short djsetup.00404339
004042EE |. 83C6 08 |add esi,0x8
004042F1 |. 83C7 08 |add edi,0x8
004042F4 |. 4A |dec edx
004042F5 |.^ 75 E2 \jnz short djsetup.004042D9
004042F7 |. EB 06 jmp short djsetup.004042FF
004042F9 |> 83C6 04 add esi,0x4 ; skip the single dword just compared
004042FC |. 83C7 04 add edi,0x4
004042FF |> 5A pop edx ; edx = min length
00404300 |. 83E2 03 and edx,0x3 ; edx = tail byte count (0..3)
00404303 |. 74 22 je short djsetup.00404327 ; no tail -> decide on lengths
00404305 |. 8B0E mov ecx,dword ptr ds:[esi] ; load the partial final dword
00404307 |. 8B1F mov ebx,dword ptr ds:[edi]
00404309 |. 38D9 cmp cl,bl ; tail byte 0
0040430B |. 75 41 jnz short djsetup.0040434E ; differ (ZF=0)
0040430D |. 4A dec edx
0040430E |. 74 17 je short djsetup.00404327
00404310 |. 38FD cmp ch,bh ; tail byte 1
00404312 |. 75 3A jnz short djsetup.0040434E
00404314 |. 4A dec edx
00404315 |. 74 10 je short djsetup.00404327
00404317 |. 81E3 0000FF00 and ebx,0xFF0000 ; isolate tail byte 2 (bits 16..23)
0040431D |. 81E1 0000FF00 and ecx,0xFF0000
00404323 |. 39D9 cmp ecx,ebx
00404325 |. 75 27 jnz short djsetup.0040434E
00404327 |> 01C0 add eax,eax ; eax = 2*(len1-len2); ZF=1 iff lengths equal => strings equal
00404329 |. EB 23 jmp short djsetup.0040434E
0040432B |> 8B57 FC mov edx,dword ptr ds:[edi-0x4] ; esi nil: eax = 0 - len2
0040432E |. 29D0 sub eax,edx ; ZF=1 only if len2 == 0
00404330 |. EB 1C jmp short djsetup.0040434E
00404332 |> 8B46 FC mov eax,dword ptr ds:[esi-0x4] ; edi nil (edx == 0): eax = len1
00404335 |. 29D0 sub eax,edx ; ZF=1 only if len1 == 0
00404337 |. EB 15 jmp short djsetup.0040434E
00404339 |> 5A pop edx ; discard saved min length
0040433A |. 38D9 cmp cl,bl ; find the first differing byte of the mismatching dwords
0040433C |. 75 10 jnz short djsetup.0040434E
0040433E |. 38FD cmp ch,bh
00404340 |. 75 0C jnz short djsetup.0040434E
00404342 |. C1E9 10 shr ecx,0x10 ; bytes 2..3 into the low halves
00404345 |. C1EB 10 shr ebx,0x10
00404348 |. 38D9 cmp cl,bl
0040434A |. 75 02 jnz short djsetup.0040434E
0040434C |. 38FD cmp ch,bh ; dwords differed, so ZF=0 is guaranteed by here
0040434E |> 5F pop edi ; pops do not touch flags
0040434F |. 5E pop esi
00404350 |. 5B pop ebx
00404351 \. C3 retn ; result is in ZF (ZF=1 => equal); eax = 0 on the equal-length path
// 报错弹框
;-----------------------------------------------------------------------
; fnPwdDiff -- shows an error box via MessageBoxA.
; In:  eax = object; [eax+0x24] is an HWND (it is passed to GetWindowRect,
;      MessageBoxA and SetWindowPos below). edx = text, ecx = caption,
;      [ebp+8] = message-box flags (both callers push 0x40).
; Out: [ebp-8] = MessageBoxA result (not used further in this listing);
;      eax at 'retn' is whatever SetActiveWindow returned.
; Frame: 0x50 bytes of locals. [ebp-0x50] = RECT of the window (4 dwords),
;      [ebp-0x40] = 0x28-byte struct whose first dword is its size.
; Shape: two late-bound calls through global function pointers, then a
; GetWindowRect/SetWindowPos pair around the box, inside a try/finally
; frame. This matches the VCL Application.MessageBox pattern (monitor
; centering plus DisableTaskWindows/EnableTaskWindows); presumed from the
; structure only, the callee names are not visible here.
;-----------------------------------------------------------------------
00455908 <djsetup.fnPwdDiff> /$ 55 push ebp
00455909 |. 8BEC mov ebp,esp
0045590B |. 83C4 B0 add esp,-0x50 ; reserve 0x50 bytes of locals
0045590E |. 53 push ebx
0045590F |. 56 push esi
00455910 |. 57 push edi
00455911 |. 8BF9 mov edi,ecx ; edi = caption
00455913 |. 8BF2 mov esi,edx ; esi = text
00455915 |. 8945 FC mov dword ptr ss:[ebp-0x4],eax ; [ebp-4] = object
00455918 |. 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8] ; ebx = flags argument (0x40 from the callers)
0045591B |. E8 E427FBFF call <jmp.&user32.GetActiveWindow> ; [GetActiveWindow
00455920 |. 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; [ebp-0xC] = active window, restored at the end
00455923 |. 6A 02 push 0x2 ; 2nd arg = 2
00455925 |. 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
00455928 |. 50 push eax ; 1st arg = active window
00455929 |. A1 70025A00 mov eax,dword ptr ds:[0x5A0270] ; late-bound API through a global pointer
0045592E |. 8B00 mov eax,dword ptr ds:[eax]
00455930 |. FFD0 call eax ; presumably MonitorFromWindow(hwnd, MONITOR_DEFAULTTONEAREST=2); not confirmed
00455932 |. 8945 EC mov dword ptr ss:[ebp-0x14],eax ; [ebp-0x14] = handle for the active window
00455935 |. 6A 02 push 0x2
00455937 |. 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0045593A |. 8B40 24 mov eax,dword ptr ds:[eax+0x24] ; object's HWND
0045593D |. 50 push eax
0045593E |. A1 70025A00 mov eax,dword ptr ds:[0x5A0270]
00455943 |. 8B00 mov eax,dword ptr ds:[eax]
00455945 |. FFD0 call eax ; same call for the object's window
00455947 |. 8945 E8 mov dword ptr ss:[ebp-0x18],eax ; [ebp-0x18] = handle for the object's window
0045594A |. 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0045594D |. 3B45 E8 cmp eax,dword ptr ss:[ebp-0x18]
00455950 |. 74 60 je short djsetup.004559B2 ; same handle: no repositioning needed
00455952 |. C745 C0 28000>mov dword ptr ss:[ebp-0x40],0x28 ; struct.cbSize = 40 (presumably MONITORINFO)
00455959 |. 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
0045595C |. 50 push eax ; &struct
0045595D |. 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
00455960 |. 50 push eax ; handle of the active window's target
00455961 |. A1 24015A00 mov eax,dword ptr ds:[0x5A0124] ; second late-bound API
00455966 |. 8B00 mov eax,dword ptr ds:[eax]
00455968 |. FFD0 call eax ; presumably GetMonitorInfo(handle, &struct); not confirmed
0045596A |. 8D45 B0 lea eax,dword ptr ss:[ebp-0x50]
0045596D |. 50 push eax ; /pRect = &[ebp-0x50], saved for the restore below
0045596E |. 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; |
00455971 |. 8B40 24 mov eax,dword ptr ds:[eax+0x24] ; |
00455974 |. 50 push eax ; |hWnd = object's window
00455975 |. E8 0A29FBFF call <jmp.&user32.GetWindowRect> ; \GetWindowRect
0045597A |. 6A 1D push 0x1D ; uFlags = SWP_NOSIZE|SWP_NOZORDER|SWP_NOREDRAW|SWP_NOACTIVATE
0045597C |. 6A 00 push 0x0 ; cy (ignored with SWP_NOSIZE)
0045597E |. 6A 00 push 0x0 ; cx
00455980 |. 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30] ; struct rect bottom
00455983 |. 8B55 C8 mov edx,dword ptr ss:[ebp-0x38] ; struct rect top
00455986 |. 2BCA sub ecx,edx
00455988 |. D1F9 sar ecx,1 ; (bottom-top)/2, signed; the jns/adc pair rounds toward zero
0045598A |. 79 03 jns short djsetup.0045598F
0045598C |. 83D1 00 adc ecx,0x0
0045598F |> 03CA add ecx,edx ; Y = vertical midpoint
00455991 |. 51 push ecx
00455992 |. 8B55 CC mov edx,dword ptr ss:[ebp-0x34] ; struct rect right
00455995 |. 8B45 C4 mov eax,dword ptr ss:[ebp-0x3C] ; struct rect left
00455998 |. 2BD0 sub edx,eax
0045599A |. D1FA sar edx,1
0045599C |. 79 03 jns short djsetup.004559A1
0045599E |. 83D2 00 adc edx,0x0
004559A1 |> 03D0 add edx,eax ; X = horizontal midpoint
004559A3 |. 52 push edx ; |X
004559A4 |. 6A 00 push 0x0 ; |InsertAfter = HWND_TOP (ignored with SWP_NOZORDER)
004559A6 |. 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; |
004559A9 |. 8B40 24 mov eax,dword ptr ds:[eax+0x24] ; |
004559AC |. 50 push eax ; |hWnd = object's window
004559AD |. E8 1A2BFBFF call <jmp.&user32.SetWindowPos> ; \SetWindowPos: move the window to that midpoint
004559B2 |> 33C0 xor eax,eax
004559B4 |. E8 6F72FFFF call djsetup.0044CC28 ; called with eax=0; result handed back to 0044CCDC below (presumably DisableTaskWindows)
004559B9 |. 8945 F0 mov dword ptr ss:[ebp-0x10],eax
004559BC |. 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
004559BF |. E8 84EFFFFF call djsetup.00454948 ; boolean query on the object (al)
004559C4 |. 84C0 test al,al
004559C6 |. 74 06 je short djsetup.004559CE
004559C8 |. 81CB 00001000 or ebx,0x100000 ; flags |= MB_RTLREADING
004559CE |> 33C9 xor ecx,ecx ; --- install SEH frame (try/finally) ---
004559D0 |. 55 push ebp
004559D1 |. 68 4D5A4500 push djsetup.00455A4D ; handler (outside this listing)
004559D6 |. 64:FF31 push dword ptr fs:[ecx] ; save previous SEH head
004559D9 |. 64:8921 mov dword ptr fs:[ecx],esp
004559DC |. 53 push ebx ; /uType = flags (0x40 | optional MB_RTLREADING)
004559DD |. 57 push edi ; |lpCaption = caption
004559DE |. 56 push esi ; |lpText = text
004559DF |. 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; |
004559E2 |. 8B40 24 mov eax,dword ptr ds:[eax+0x24] ; |
004559E5 |. 50 push eax ; |hWnd = object's window
004559E6 |. E8 8929FBFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004559EB |. 8945 F8 mov dword ptr ss:[ebp-0x8],eax ; [ebp-8] = button result
004559EE |. 33C0 xor eax,eax ; --- unlink SEH frame ---
004559F0 |. 5A pop edx ; edx = previous SEH head
004559F1 |. 59 pop ecx ; discard handler address
004559F2 |. 59 pop ecx ; discard saved ebp
004559F3 |. 64:8910 mov dword ptr fs:[eax],edx
004559F6 |. 68 545A4500 push djsetup.00455A54 ; return address for the finally block: 'retn' at 00455A4C lands at 00455A54
004559FB |> 8B45 EC mov eax,dword ptr ss:[ebp-0x14] ; finally block
004559FE |. 3B45 E8 cmp eax,dword ptr ss:[ebp-0x18]
00455A01 |. 74 38 je short djsetup.00455A3B ; window was not moved: skip restore
00455A03 |. 6A 1D push 0x1D ; uFlags = SWP_NOSIZE|SWP_NOZORDER|SWP_NOREDRAW|SWP_NOACTIVATE
00455A05 |. 6A 00 push 0x0 ; cy
00455A07 |. 6A 00 push 0x0 ; cx
00455A09 |. 8B4D BC mov ecx,dword ptr ss:[ebp-0x44] ; saved RECT.bottom
00455A0C |. 8B55 B4 mov edx,dword ptr ss:[ebp-0x4C] ; saved RECT.top
00455A0F |. 2BCA sub ecx,edx
00455A11 |. D1F9 sar ecx,1
00455A13 |. 79 03 jns short djsetup.00455A18
00455A15 |. 83D1 00 adc ecx,0x0
00455A18 |> 03CA add ecx,edx ; Y = midpoint of the saved rect
00455A1A |. 51 push ecx
00455A1B |. 8B55 B8 mov edx,dword ptr ss:[ebp-0x48] ; saved RECT.right
00455A1E |. 8B45 B0 mov eax,dword ptr ss:[ebp-0x50] ; saved RECT.left
00455A21 |. 2BD0 sub edx,eax
00455A23 |. D1FA sar edx,1
00455A25 |. 79 03 jns short djsetup.00455A2A
00455A27 |. 83D2 00 adc edx,0x0
00455A2A |> 03D0 add edx,eax ; X = midpoint of the saved rect
00455A2C |. 52 push edx ; |X
00455A2D |. 6A 00 push 0x0 ; |InsertAfter = HWND_TOP (ignored with SWP_NOZORDER)
00455A2F |. 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; |
00455A32 |. 8B40 24 mov eax,dword ptr ds:[eax+0x24] ; |
00455A35 |. 50 push eax ; |hWnd = object's window
00455A36 |. E8 912AFBFF call <jmp.&user32.SetWindowPos> ; \SetWindowPos: move the window back
00455A3B |> 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00455A3E |. E8 9972FFFF call djsetup.0044CCDC ; undo 0044CC28 with its saved result (presumably EnableTaskWindows)
00455A43 |. 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
00455A46 |. 50 push eax ; /hWnd = previously active window
00455A47 |. E8 E829FBFF call <jmp.&user32.SetActiveWindow> ; \SetActiveWindow
00455A4C \. C3 retn ; continues at the pushed 00455A54 (outside this listing)