0x05 ajj_2
The binary is packed with UPX, so unpack it first and continue the analysis on the unpacked file.
D:\Tools\Security_Tools\010\upx-3.95-win64\upx-3.95-win64>upx.exe -d CKme002.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
UPX 3.95w Markus Oberhumer, Laszlo Molnar & John Reiser Aug 26th 2018
File size Ratio Format Name
-------------------- ------ ----------- -----------
458752 <- 146432 31.92% win32/pe CKme002.exe
Unpacked 1 file.
This one looks a little more involved. Download the Delphi disassembly tool DeDe from the 看雪 toolkit.
Analyzing the file with DeDe shows the following events:
Going through the code of each event in turn, Timer2Timer contains the following:
004473E4 53 push ebx
004473E5 8BD8 mov ebx, eax
004473E7 81BB04030000340C0000 cmp dword ptr [ebx+$0304], $00000C34
004473F1 0F8488000000 jz 0044747F
004473F7 81BB080300000D230000 cmp dword ptr [ebx+$0308], $0000230D
00447401 747C jz 0044747F
00447403 81BB10030000940F0000 cmp dword ptr [ebx+$0310], $00000F94
0044740D 7570 jnz 0044747F
0044740F 8B8318030000 mov eax, [ebx+$0318]
00447415 3B8314030000 cmp eax, [ebx+$0314]
0044741B 7562 jnz 0044747F
0044741D 81BB1C030000E7030000 cmp dword ptr [ebx+$031C], $000003E7
00447427 7456 jz 0044747F
00447429 33D2 xor edx, edx
After modifying the jump logic, the registration-success screen appears:
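To make the branch logic in the Timer2Timer listing explicit, the following added example (not code from the writeup) parses the cmp/jz/jnz pairs shown above and evaluates, for a given set of form-field values, whether execution falls through every branch to 0044747F and reaches the xor edx, edx at 00447429. The listing is copied from the page; the field offsets are treated as opaque dword slots, and nothing is assumed about which path ends in the success dialog.

```python
import re

# Timer2Timer listing copied from the writeup (addresses, opcode bytes, mnemonic)
LISTING = """\
004473E7 81BB04030000340C0000 cmp dword ptr [ebx+$0304], $00000C34
004473F1 0F8488000000 jz 0044747F
004473F7 81BB080300000D230000 cmp dword ptr [ebx+$0308], $0000230D
00447401 747C jz 0044747F
00447403 81BB10030000940F0000 cmp dword ptr [ebx+$0310], $00000F94
0044740D 7570 jnz 0044747F
0044740F 8B8318030000 mov eax, [ebx+$0318]
00447415 3B8314030000 cmp eax, [ebx+$0314]
0044741B 7562 jnz 0044747F
0044741D 81BB1C030000E7030000 cmp dword ptr [ebx+$031C], $000003E7
00447427 7456 jz 0044747F
"""

CMP_IMM = re.compile(r"cmp dword ptr \[ebx\+\$([0-9A-F]+)\], \$([0-9A-F]+)")
MOV_FLD = re.compile(r"mov eax, \[ebx\+\$([0-9A-F]+)\]")
CMP_EAX = re.compile(r"cmp eax, \[ebx\+\$([0-9A-F]+)\]")
JMP = re.compile(r"^(jz|jnz) ([0-9A-F]{8})$")

def parse_checks(listing):
    """Return (lhs, rhs, branch_if_equal, target) per conditional jump.
    lhs/rhs are ('field', offset) or ('imm', value)."""
    checks, pending, eax = [], None, None
    for line in listing.splitlines():
        ins = line.split(" ", 2)[2]  # drop address and opcode bytes
        if m := CMP_IMM.match(ins):
            pending = (("field", int(m[1], 16)), ("imm", int(m[2], 16)))
        elif m := MOV_FLD.match(ins):
            eax = ("field", int(m[1], 16))  # remember what eax holds
        elif m := CMP_EAX.match(ins):
            pending = (eax, ("field", int(m[1], 16)))
        elif m := JMP.match(ins):
            checks.append((*pending, m[1] == "jz", m[2]))
            pending = None
    return checks

def reaches_fallthrough(fields, checks):
    """True when no branch to 0044747F is taken, i.e. execution reaches the
    xor edx, edx at 00447429. fields maps [ebx+offset] -> dword value."""
    def val(op):
        return fields.get(op[1], 0) if op[0] == "field" else op[1]
    for lhs, rhs, branch_if_equal, _target in checks:
        if (val(lhs) == val(rhs)) == branch_if_equal:
            return False  # this conditional jump is taken
    return True
```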