该点菜系统如下:
打开程序时,由于没有插加密狗,程序会给出提示:
该文件没有加壳,发现狗的验证都在fea.dll文件中,
很容易定位到 0048453C,如下:
VC编写的东东,用IDA很方便的看到流程:
伪代码摘录如下:
// Decompiler pseudo-code (not compilable C) for the routine the analyst named
// check_dog_zhw: the start-up licence check against a hardware token ("dog").
// What the listing shows:
//   1. fea_findToken looks for a token using the constant "9A4FF014".
//   2. If one is reported, the token is opened and its serial number read, then
//      fea_MD5_HASH and fae_verify are called and three regions are read with
//      fea_read. The status of each call is stored in dword_60F63C.
//   3. Data read back is compared with the tags "FBMini" and "FBM3", and a
//      value derived from the current time is range-checked.
//   4. If no token is reported, defaults are reset and a message box is shown.
// NOTE(review): every decision visible here is a plain comparison on status
// codes or data handed back by the fea_* imports, so the check is only as
// trustworthy as that library's answers. A sturdier design would verify the
// library's signature before loading it and make real functionality depend on
// a fresh challenge-response computed inside the token. Whether the caller does
// any of that cannot be seen in this listing.
int __usercall check_dog_zhw<eax>(int a1<edi>)
{
// Locals keep the decompiler's auto-generated names; the trailing annotations
// are its own register / stack-slot notes.
long double v1; // fst7@1
int v2; // ebx@2
int v3; // edx@4
int v4; // eax@4
int v5; // eax@4
char v6; // zf@4
char *v7; // ebx@8
signed int v8; // edi@8
char *v9; // esi@8
int v10; // ecx@9
int v11; // ecx@9
char v12; // zf@10
int v13; // eax@12
int v14; // edx@13
const CHAR *v15; // eax@17
const CHAR *v16; // eax@18
int *v18; // ecx@19
int v19; // ecx@19
int v20; // ecx@19
int v21; // ecx@19
int v22; // [sp-24h] [bp-D8h]@8
int (*v23)(); // [sp-20h] [bp-D4h]@8
UINT v24; // [sp-1Ch] [bp-D0h]@8
int v25; // [sp-18h] [bp-CCh]@1
int (*v26)(); // [sp-14h] [bp-C8h]@1
int *v27; // [sp-10h] [bp-C4h]@1
signed int v28; // [sp-Ch] [bp-C0h]@1
int (*v29)(); // [sp-8h] [bp-BCh]@1
int *v30; // [sp-4h] [bp-B8h]@1
int v31; // [sp+Ch] [bp-A8h]@19
int v32; // [sp+10h] [bp-A4h]@18
int v33; // [sp+14h] [bp-A0h]@17
int v34; // [sp+18h] [bp-9Ch]@13
__int64 v35; // [sp+1Ch] [bp-98h]@12
int v36; // [sp+24h] [bp-90h]@10
int v37; // [sp+2Ch] [bp-88h]@10
char v38; // [sp+30h] [bp-84h]@9
char v39; // [sp+31h] [bp-83h]@9
char v40; // [sp+34h] [bp-80h]@9
int v41; // [sp+38h] [bp-7Ch]@9
int v42; // [sp+3Ch] [bp-78h]@4
int v43; // [sp+40h] [bp-74h]@4
int v44; // [sp+44h] [bp-70h]@4
int v45; // [sp+48h] [bp-6Ch]@2
int v46; // [sp+4Ch] [bp-68h]@2
char v47; // [sp+53h] [bp-61h]@10
char v48; // [sp+63h] [bp-51h]@8
char v49; // [sp+73h] [bp-41h]@4
double v50; // [sp+94h] [bp-20h]@13
double v51; // [sp+9Ch] [bp-18h]@1
int v52; // [sp+A8h] [bp-Ch]@1
int v53; // [sp+ACh] [bp-8h]@13
int v54; // [sp+B0h] [bp-4h]@4
int v55; // [sp+B4h] [bp+0h]@1
// Save the old value at FS:[0] and store a pointer to a new stack record there
// (handler slot loc_484AEF). This looks like an exception-handler frame being
// linked in; the decompiler renders it as raw stack writes.
v30 = &v55;
v29 = loc_484AEF;
v28 = *MK_FP(__FS__, 0);
*MK_FP(__FS__, 0) = &v28;
// Reset two globals before checking; the same two assignments are repeated in
// the "no token" branch at the bottom.
dword_609558 = 0;
System____linkproc___LStrAsg(&unk_60F644, &str_1_3[1]);
// Second frame of the same kind, handler slot loc_484A4E.
v27 = &v55;
v26 = loc_484A4E;
v25 = *MK_FP(__FS__, 0);
*MK_FP(__FS__, 0) = &v25;
// Capture the current date/time; v1 is later passed to the TRUNC call.
v1 = Sysutils__Now();
v51 = v1;
sub_4840D0();
// v52 is an out-parameter of fea_findToken; any non-zero value takes the
// "token present" branch. Presumably a count of tokens found - confirm.
v52 = 0;
dword_60F63C = fea_findToken("9A4FF014", &v52);
if ( v52 )
{
// Open the token; the handle is written to dword_60F634. The trailing
// v25..v30 arguments are the frame slots set up above and are probably a
// decompiler artifact rather than real parameters - TODO confirm.
dword_60F63C = fea_opentoken(&dword_60F634, "9A4FF014", 1, v25, v26, v27, v28, v29, v30);
// check_token_zhw (analyst-given name, body not shown) follows every fea_*
// call, each time with a different message string; presumably it inspects the
// status just stored in dword_60F63C.
check_token_zhw(&str____________1[1], 0);
// Zero the shared 128-byte buffer, then read the token serial number into it.
System____linkproc___FillChar(&byte_60F654, 128, 0);
dword_60F63C = fea_getSN(dword_60F634, &byte_60F654);
check_token_zhw(&str____________2[1], 0);
// sub_4844C0 is opaque here; its string result is stored in dword_60F640.
sub_4844C0(8, &v46);
System____linkproc___LStrAsg(&dword_60F640, v46);
v45 = dword_60F640;
v2 = dword_60F640;
// For a non-nil string, read the 32-bit value stored 4 bytes before the data
// (presumably the string's length field, given the LStr* runtime calls).
if ( dword_60F640 )
v2 = *(_DWORD *)(dword_60F640 - 4);
// Stage the arguments for fea_MD5_HASH: the string and the value read above,
// dword_484B48, the constant 8, and two buffers (&v49 and the shared buffer).
v30 = (int *)&byte_60F654;
v29 = (int (*)())&v49;
v28 = 8;
v27 = dword_484B48;
v26 = (int (*)())v2;
v4 = System____linkproc___LStrToPChar(dword_60F640);
dword_60F63C = fea_MD5_HASH(v4, v26, v27, v28, v29, v30);
check_token_zhw(&str____________3[1], 0);
// Build another string via sub_4844C0 / LStrCopy and pass it to fae_verify
// together with the token handle. The meaning of that string (PIN, digest, ...)
// cannot be determined from this listing.
sub_4844C0(16, &v54);
System____linkproc___LStrCopy(&v44);
v5 = System____linkproc___LStrToPChar(v44);
dword_60F63C = fae_verify(dword_60F634, 0, v5);
check_token_zhw(&str____________4[1], 0);
// Read from the token with arguments (10, 6) - presumably offset and length -
// and compare the result with the tag "FBMini".
dword_60F63C = fea_read(dword_60F634, 10, 6, &byte_60F654);
check_token_zhw(&str____________5[1], 0);
v30 = &v43;
unknown_libname_83(&v42, &byte_60F654, 128);
System____linkproc___LStrCopy(v30);
System____linkproc___LStrCmp(v43, &str_FBMini[1]);
// v6 stands in for the zero flag left by the comparison; !v6 means the strings
// differ, in which case an exception is constructed and raised.
if ( !v6 )
{
LOBYTE(v3) = 1;
unknown_libname_189(off_409528, v3, &str_________________3[1]);
System____linkproc___RaiseExcept();
}
// Read with arguments (16, 8) and keep 8 bytes of the result in dword_609550.
dword_60F63C = fea_read(dword_60F634, 16, 8, &byte_60F654);
check_token_zhw(&str____________6[1], 0);
System__Move(&byte_60F654, &dword_609550, 8);
// Clear the buffer and read with arguments (48, 32). No check_token_zhw call
// follows this read; instead a first byte of -1 (0xFF) is reported through
// sub_484530 (opaque; presumably an error reporter).
System____linkproc___FillChar(&byte_60F654, 128, 0);
dword_60F63C = fea_read(dword_60F634, 48, 32, &byte_60F654);
if ( byte_60F654 == -1 )
sub_484530(&str_________________4[1]);
// Third frame linked at FS:[0] (handler slot loc_484867) around the loop.
v24 = (UINT)&v55;
v23 = loc_484867;
v22 = *MK_FP(__FS__, 0);
*MK_FP(__FS__, 0) = &v22;
// 16 iterations, each consuming two bytes of the buffer and storing one byte
// at v9: a short string is built from the prefix at dword_484C3C plus the two
// characters and converted with StrToInt. This looks like decoding 32 text
// characters into 16 bytes; the prefix itself is not shown - TODO confirm.
v8 = 16;
v7 = &byte_60F654;
v9 = &v48;
do
{
System____linkproc___PStrCpy(&v40, dword_484C3C);
v39 = *v7;
v38 = 1;
LOBYTE(v10) = 2;
System____linkproc___PStrNCat(&v40, &v38, v10);
System____linkproc___PStrCpy(&v45, &v40);
v39 = v7[1];
v38 = 1;
LOBYTE(v11) = 3;
System____linkproc___PStrNCat(&v45, &v38, v11);
unknown_libname_82(&v41, &v45);
*v9++ = Sysutils__StrToInt(v41);
v7 += 2;
--v8;
}
while ( v8 );
// sub_483890 is opaque; afterwards 16 bytes starting at v47 are copied into
// the globals beginning at dword_60F6D4.
System____linkproc___LStrCat3(&v37, dword_484C48, dword_60F640);
sub_483890(15, &v47);
*MK_FP(__FS__, 0) = v22;
System__Move(&v47, &dword_60F6D4, 16);
// Four bytes at unk_60F6DC must equal the tag "FBM3"; v12 is the zero flag of
// the comparison, so !v12 (mismatch) is reported through sub_484530.
unknown_libname_83(&v36, &unk_60F6DC, 4);
System____linkproc___LStrCmp(v36, &str_FBM3[1]);
if ( !v12 )
sub_484530(&str_________________6[1]);
// Publish fields of the 16-byte record: the first dword to dword_609558, four
// bytes at unk_60F6D8 as a string to unk_60F644, and dword_60F6E0 (as an
// unsigned value) to the double dbl_60F648.
dword_609558 = dword_60F6D4;
unknown_libname_83(&unk_60F644, &unk_60F6D8, 4);
v35 = (unsigned int)dword_60F6E0;
dbl_60F648 = (long double)(unsigned int)dword_60F6E0;
// The decompiler lost the floating-point expression feeding TRUNC. v13 is then
// range-checked: above 4000 raises an exception, below 0 is reported through
// sub_484530, and below 30 shows a message box. Presumably v13 is a day count
// between dbl_60F648 and the current time - TODO confirm in the disassembly.
v13 = System____linkproc___TRUNC(0, v1);
if ( v13 <= 4000 )
{
if ( v13 < 0 )
sub_484530(&str_________________8[1]);
if ( v13 < 30 )
{
// 48 == 0x30, the MB_ICONEXCLAMATION message-box style.
v24 = 48;
LODWORD(v35) = v13;
BYTE4(v35) = 0;
unknown_libname_155(&v33);
v15 = (const CHAR *)System____linkproc___LStrToPChar(v33);
Forms__TApplication__MessageBox(*off_60B9BC, v15, (int)dword_484D9C, v24);
}
}
else
{
// Out-of-range value: format dbl_60F648 as a date/time string, append it to a
// message and raise an exception.
v50 = dbl_60F648;
Sysutils__DateTimeToString(LODWORD(dbl_60F648), HIDWORD(dbl_60F648));
System____linkproc___LStrCat3(&v34, &str_________________7[1], v53);
LOBYTE(v14) = 1;
unknown_libname_189(off_409528, v14, v34);
System____linkproc___RaiseExcept();
}
}
else
{
// No token reported by fea_findToken: reset the same two globals as at entry
// and show a message box with style 0x30. No exception is raised on this path.
dword_609558 = 0;
System____linkproc___LStrAsg(&unk_60F644, &str_1_3[1]);
LODWORD(v35) = a1;
BYTE4(v35) = 0;
unknown_libname_155(&v32);
v16 = (const CHAR *)System____linkproc___LStrToPChar(v32);
Forms__TApplication__MessageBox(*off_60B9BC, v16, (int)dword_484D9C, 0x30u);
}
// Restore the saved FS:[0] values and release the temporary strings.
*MK_FP(__FS__, 0) = v25;
v18 = v30;
*MK_FP(__FS__, 0) = v28;
v30 = (int *)loc_484AF6;
System____linkproc___LStrArrayClr(&v31, 4, v18);
System____linkproc___LStrArrayClr(&v36, 3, v19);
System____linkproc___LStrArrayClr(&v41, 4, v20);
System____linkproc___LStrClr(&v46);
return System____linkproc___LStrArrayClr(&v53, 2, v21);
}
对fea.dll中各接口的返回值进行修正,即可解除对狗的验证和对设备的授权。换言之,从上面的伪代码看,主程序的判断建立在fea.dll返回的状态和数据之上。