1、Delphi 2程序,无壳
2、定位按钮事件
DeDe 貌似不支持这个程序，改用 OD 载入。OD 里直接搜不到相关字符串，可在反汇编窗口右击 → 查找 → 二进制字串，搜 TForm1，即可定位到 TForm1 的事件表（下方转储）；各按钮事件处理函数的地址一目了然。
00421D2C . /B41D4200 dd Dope2112.00421DB4 ; Button2Click -> 00421DB4
00421D30 . |0C db 0C ; name length (0x0C = 12 chars) — the name is stored as a shortstring
00421D31 . |42 75 74 74 6F 6E 32 43 6C >ascii "Button2Click"
00421D3D |13 db 13 ; 13 00 = 0x0013 = 19 = 2+4+1+12, exactly the size of the Button3Click entry below — presumably each entry's leading size word (Delphi method table); confirm
00421D3E |00 db 00
00421D3F . |C01D4200 dd Dope2112.00421DC0 ; Button3Click -> 00421DC0
00421D43 . |0C db 0C ; name length (12)
00421D44 . |42 75 74 74 6F 6E 33 43 6C >ascii "Button3Click"
00421D50 |13 db 13 ; size word of the Button1Click entry (0x13 = 19)
00421D51 |00 db 00
00421D52 . |C81D4200 dd Dope2112.00421DC8 ; Button1Click -> 00421DC8: the Check button handler analysed below (breakpoint target)
00421D56 . |0C db 0C ; name length (12)
00421D57 . |42 75 74 74 6F 6E 31 43 6C >ascii "Button1Click"
00421D63 |12 db 12 ; size word of the Timer1Timer entry (0x12 = 18 = 2+4+1+11)
00421D64 |00 db 00
00421D65 . |941E4200 dd Dope2112.00421E94 ; Timer1Timer -> 00421E94
00421D69 . |0B db 0B ; name length (11)
00421D6A . |54 69 6D 65 72 31 54 69 6D >ascii "Timer1Timer"
00421D75 |11 db 11 ; size word of the FormCreate entry (0x11 = 17 = 2+4+1+10)
00421D76 |00 db 00
00421D77 . |7C1F4200 dd Dope2112.00421F7C ; FormCreate -> 00421F7C
00421D7B . |0A db 0A ; name length (10)
00421D7C . |46 6F 72 6D 43 72 65 61 74 >ascii "FormCreate"
00421D86 . |06 db 06 ; length 6: the class-name shortstring follows, no further handler entries
00421D87 . |54 46 6F 72 6D 31 ascii "TForm1" ; class name — the handlers listed above belong to TForm1
00421D8D |02 db 02
Check 按钮对应的事件是 Button1Click，处理函数入口地址为 00421DC8（见上面事件表中 Button1Click 条目的 dd 值）。在 00421DC8 下断，然后点击 Check：
00421DC8 /. 55 push ebp ; Button1Click (Check button) — entry address from the TForm1 method table
00421DC9 |. 8BEC mov ebp,esp
00421DCB |. 6A 00 push 0x0 ; three zeroed locals: local.1 (Name text), local.2 (entered key text), local.3 (computed key text)
00421DCD |. 6A 00 push 0x0
00421DCF |. 6A 00 push 0x0
00421DD1 |. 53 push ebx
00421DD2 |. 56 push esi
00421DD3 |. 57 push edi
00421DD4 |. 8BF0 mov esi,eax ; esi = first argument passed in eax (Delphi register convention) — presumably Self, the form; its controls are read at esi+0x1AC / esi+0x1B0 below
00421DD6 |. 33C0 xor eax,eax
00421DD8 |. 55 push ebp ; SEH frame: push link, handler address 00421E86 (cleanup stub at the end) and the old fs:[0], then point fs:[0] at it
00421DD9 |. 68 861E4200 push Dope2112.00421E86
00421DDE |. 64:FF30 push dword ptr fs:[eax]
00421DE1 |. 64:8920 mov dword ptr fs:[eax],esp
00421DE4 |. BB 37000000 mov ebx,0x37 ; accumulator seed = 0x37 (55)
00421DE9 |. 8D55 F8 lea edx,[local.2] ; local.2 <- text of the control at Self+0x1B0 (the key field; it is compared at 00421E4E)
00421DEC |. 8B86 B0010000 mov eax,dword ptr ds:[esi+0x1B0]
00421DF2 |. E8 89FAFEFF call Dope2112.00411880 ; presumably reads a control's text into the string at edx — confirm
00421DF7 |. 8D55 FC lea edx,[local.1] ; local.1 <- text of the control at Self+0x1AC (the Name field)
00421DFA |. 8B86 AC010000 mov eax,dword ptr ds:[esi+0x1AC]
00421E00 |. E8 7BFAFEFF call Dope2112.00411880
00421E05 |. 8B45 FC mov eax,[local.1] ; Name
00421E08 |. E8 5715FEFF call Dope2112.00403364 ; eax = length of Name (the same call supplies the loop count below)
00421E0D |. 83F8 04 cmp eax,0x4 ; names shorter than 4 characters are rejected before any hashing (signed compare)
00421E10 |. 7D 0C jge XDope2112.00421E1E
00421E12 |. A1 64464200 mov eax,dword ptr ds:[0x424664] ; rejection path: the same [0x424664] / 0041D8E4 pair as the mismatch branch at 00421E61 — presumably displays the "wrong" message
00421E17 |. E8 C8BAFFFF call Dope2112.0041D8E4
00421E1C |. EB 4D jmp XDope2112.00421E6B
00421E1E |> 8B45 FC mov eax,[local.1]
00421E21 |. E8 3E15FEFF call Dope2112.00403364 ; eax = length of Name again
00421E26 |. 85C0 test eax,eax
00421E28 |. 7C 14 jl XDope2112.00421E3E ; skip the loop only for a negative length (never the case for a real string)
00421E2A |. 40 inc eax ; loop counter = length + 1: the loop runs one extra pass (see the read below)
00421E2B |. 33D2 xor edx,edx ; edx = index, starts at 0
00421E2D |> 8B4D FC /mov ecx,[local.1]
00421E30 |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-0x1] ; byte at data[edx-1]: on the first pass (edx=0) this is the byte just BEFORE the string data, i.e. Name[0] of a 1-based string — NOTE(review): presumably the high byte of the long-string length field, 0 for any realistic name, which is why the keygen can ignore it; confirm in the debugger
00421E35 |. C1E1 09 |shl ecx,0x9 ; ebx += byte << 9 (byte * 512)
00421E38 |. 03D9 |add ebx,ecx
00421E3A |. 42 |inc edx
00421E3B |. 48 |dec eax
00421E3C |.^ 75 EF \jnz XDope2112.00421E2D ; repeat until length+1 bytes have been added
00421E3E |> 8D55 F4 lea edx,[local.3] ; local.3 <- ebx converted to a string (presumably decimal integer-to-string; it is compared as text below) — confirm
00421E41 |. 8BC3 mov eax,ebx
00421E43 |. E8 E834FEFF call Dope2112.00405330
00421E48 |. 8B45 F4 mov eax,[local.3] ; computed key (text)
00421E4B |. 8B55 F8 mov edx,[local.2] ; key typed by the user (text)
00421E4E |. E8 2116FEFF call Dope2112.00403474 ; compares the two strings (labelled strcmp in the writeup); the result is taken from the flags by the jnz that follows
00421E53 |. 75 0C jnz XDope2112.00421E61 ; mismatch -> rejection message
00421E55 |. A1 68464200 mov eax,dword ptr ds:[0x424668] ; match: [0x424668] handed to the same routine 0041D8E4 — presumably the "correct" message
00421E5A |. E8 85BAFFFF call Dope2112.0041D8E4
00421E5F |. EB 0A jmp XDope2112.00421E6B
00421E61 |> A1 64464200 mov eax,dword ptr ds:[0x424664] ; rejection message (same as the short-name path)
00421E66 |. E8 79BAFFFF call Dope2112.0041D8E4
00421E6B |> 33C0 xor eax,eax ; common exit: unlink the SEH frame (restore fs:[0] from the saved link)
00421E6D |. 5A pop edx
00421E6E |. 59 pop ecx
00421E6F |. 59 pop ecx
00421E70 |. 64:8910 mov dword ptr fs:[eax],edx
00421E73 |. 68 8D1E4200 push Dope2112.00421E8D ; return address for the retn at 00421E85: execution resumes at 00421E8D after the finalizer
00421E78 |> 8D45 F4 lea eax,[local.3] ; finalizer: presumably releases the 3 temporary strings starting at local.3 (edx = 3 = count) — confirm
00421E7B |. BA 03000000 mov edx,0x3
00421E80 |. E8 8B13FEFF call Dope2112.00403210
00421E85 \. C3 retn ; "returns" to the address pushed at 00421E73
00421E86 .^ E9 E50FFEFF jmp Dope2112.00402E70 ; SEH handler installed at 00421DD9: hands off to the RTL, then ...
00421E8B .^ EB EB jmp XDope2112.00421E78 ; ... runs the same string finalizer on the exception path
00421E8D . 5F pop edi ; normal epilogue
00421E8E . 5E pop esi
00421E8F . 5B pop ebx
00421E90 . 8BE5 mov esp,ebp
00421E92 . 5D pop ebp
00421E93 . C3 retn
3、注册机（用 Python 复现 00421DC8 处的算法；序列号只是用户名的一个无密钥的算术函数，可直接正向计算）
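def keygen(name):
    """Compute the serial the Check button (Button1Click, 00421DC8) accepts for ``name``.

    Mirrors the routine in the disassembly above: a 32-bit accumulator starts
    at 0x37 and every byte of the name, shifted left by 9 (multiplied by 512),
    is added to it.  The program converts the result to text and compares it
    with the key field, so the value to type in is ``str(keygen(name))``.

    The binary's loop also adds the byte just before the string data (it
    starts at index 0 of a 1-based string); that byte is presumably 0 for any
    realistic name, so it is not modelled here — verify in the debugger if a
    generated key is rejected.

    The program rejects names shorter than 4 characters before hashing
    (``cmp eax,4`` / ``jge``), so such names raise instead of yielding a key
    that can never be accepted.

    Args:
        name: the name as typed into the program.  A ``str`` is hashed by
            character code, which matches the byte sum for ASCII; pass
            ``bytes`` in the target's ANSI code page to reproduce the exact
            byte sum for non-ASCII names.

    Returns:
        The serial as an int; enter its decimal representation.

    Raises:
        ValueError: if ``name`` is shorter than 4 characters.

    >>> keygen('123456')
    158263
    """
    if len(name) < 4:
        raise ValueError("name must be at least 4 characters (the program rejects shorter names)")
    # bytes iterate as ints already; str is hashed by code point.
    values = name if isinstance(name, bytes) else (ord(ch) for ch in name)
    return 0x37 + sum(value << 9 for value in values)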