- UID
- 32386
注册时间2007-6-1
阅读权限10
最后登录1970-1-1
周游历练
该用户从未签到
|
【软件大小】: 323KB
【下载地址】: 附件
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【保护方式】: 加壳
【编写语言】: Borland Delphi 4.0 - 5.0
【使用工具】: OD PEID ImportREC DEDE
【操作平台】: 2K/XP
--------------------------------------------------------------------------------
【详细过程】
我用OD手动脱壳 后用ImportREC 修复 ,软件可以正常运行 ,本想分析它的算法 ,想不到的事情发生了
在算法分析过程中用OD跟踪到关键算法内部的某个CALL就无法过去 OD状态栏提示进程退出 !不知是何原
因
004B1C94 >/. 55 PUSH EBP ; <-
Tfrmreg@FlatButton9Click
004B1C95 |. 8BEC MOV EBP,ESP
004B1C97 |. 83C4 F0 ADD ESP,-10
004B1C9A |. 33C9 XOR ECX,ECX
004B1C9C |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
004B1C9F |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
004B1CA2 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004B1CA5 |. 33C0 XOR EAX,EAX
004B1CA7 |. 55 PUSH EBP
004B1CA8 |. 68 951D4B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B1CAD |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B1CB0 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B1CB3 |. B2 01 MOV DL,1
004B1CB5 |. A1 BCC14400 MOV EAX,DWORD PTR DS:[44C1BC]
004B1CBA >|. E8 FDA5F9FF CALL 1_exe_un.0044C2BC ; -
>Unit_0044C15C.Proc_0044C2BC
004B1CBF |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004B1CC2 |. 33C0 XOR EAX,EAX
004B1CC4 |. 55 PUSH EBP
004B1CC5 |. 68 4C1D4B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B1CCA |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B1CCD |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B1CD0 |. BA 02000080 MOV EDX,80000002
004B1CD5 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B1CD8 >|. E8 7FA6F9FF CALL 1_exe_un.0044C35C ; -
>Unit_0044C15C.Proc_0044C35C
004B1CDD |. B1 01 MOV CL,1
004B1CDF |. BA A81D4B00 MOV EDX,1_exe_un.004B1DA8 ; ASCII
"\SOFTWARE\qqpic"
004B1CE4 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B1CE7 >|. E8 D4A6F9FF CALL 1_exe_un.0044C3C0 ; -
>Unit_0044C15C.Proc_0044C3C0
004B1CEC |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004B1CEF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B1CF2 |. 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
004B1CF8 >|. E8 7BB0F7FF CALL 1_exe_un.0042CD78 ; -
>controls.TControl.GetText(TControl):TCaption;取得用户名长度EAX
004B1CFD |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] ; 用户名字符
004B1D00 |. BA C01D4B00 MOV EDX,1_exe_un.004B1DC0 ; ASCII "reguser"
004B1D05 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B1D08 >|. E8 4FA8F9FF CALL 1_exe_un.0044C55C ; -
>Unit_0044C15C.Proc_0044C55C
004B1D0D |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004B1D10 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B1D13 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
004B1D19 >|. E8 5AB0F7FF CALL 1_exe_un.0042CD78 ; -
>controls.TControl.GetText(TControl):TCaption;取得假码长度EAX
004B1D1E |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] ; 假码指针
004B1D21 |. BA D01D4B00 MOV EDX,1_exe_un.004B1DD0 ; ASCII "regcode"
004B1D26 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B1D29 >|. E8 2EA8F9FF CALL 1_exe_un.0044C55C ; -
>Unit_0044C15C.Proc_0044C55C
004B1D2E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B1D31 >|. E8 F6A5F9FF CALL 1_exe_un.0044C32C ; -
>Unit_0044C15C.Proc_0044C32C
004B1D36 |. 33C0 XOR EAX,EAX
004B1D38 |. 5A POP EDX
004B1D39 |. 59 POP ECX
004B1D3A |. 59 POP ECX
004B1D3B |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B1D3E |. 68 531D4B00 PUSH 1_exe_un.004B1D53
004B1D43 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B1D46 >|. E8 9912F5FF CALL 1_exe_un.00402FE4 ; -
>system.TObject.Free(TObject);
004B1D4B \. C3 RETN ; 跳到004B1D53
004B1D4C > .^ E9 B319F5FF JMP 1_exe_un.00403704 ; -
>system.@HandleFinally;
004B1D51 .^ EB F0 JMP SHORT 1_exe_un.004B1D43
004B1D53 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B1D56 > . E8 295FF9FF CALL 1_exe_un.00447C84 ; -
>forms.TCustomForm.Close(TCustomForm);
004B1D5B > . E8 14F7FFFF CALL <1_exe_un.<-Tfrmreg@Proc_004B1474> ; -
>:Tfrmreg.Proc_004B1474()关键部分算法
004B1D60 . 3C 01 CMP AL,1
004B1D62 75 0C JNZ SHORT 1_exe_un.004B1D70 ; 跳就完
004B1D64 . B8 E01D4B00 MOV EAX,1_exe_un.004B1DE0
004B1D69 > . E8 6A81FBFF CALL 1_exe_un.00469ED8 ; -
>dialogs.ShowMessage(AnsiString);
004B1D6E . EB 0A JMP SHORT 1_exe_un.004B1D7A ; 跳过注册失败信息
004B1D70 > B8 F81D4B00 MOV EAX,1_exe_un.004B1DF8
004B1D75 > . E8 5E81FBFF CALL 1_exe_un.00469ED8 ; -
>dialogs.ShowMessage(AnsiString);
004B1D7A > 33C0 XOR EAX,EAX
004B1D7C . 5A POP EDX
004B1D7D . 59 POP ECX
004B1D7E . 59 POP ECX
004B1D7F . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B1D82 . 68 9C1D4B00 PUSH 1_exe_un.004B1D9C
004B1D87 > 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B1D8A . BA 02000000 MOV EDX,2
004B1D8F > . E8 D81FF5FF CALL 1_exe_un.00403D6C ; -
>system.@LStrArrayClr;
004B1D94 . C3 RETN
004B1D95 > .^ E9 6A19F5FF JMP 1_exe_un.00403704 ; -
>system.@HandleFinally;
004B1D9A .^ EB EB JMP SHORT 1_exe_un.004B1D87
004B1D9C . 8BE5 MOV ESP,EBP
004B1D9E . 5D POP EBP
004B1D9F . C3 RETN
跟入关键部分:
004B1474 >/$ 55 PUSH EBP ; <-
Tfrmreg@Proc_004B1474
004B1475 |. 8BEC MOV EBP,ESP
004B1477 |. B9 06000000 MOV ECX,6
004B147C |> 6A 00 /PUSH 0
004B147E |. 6A 00 |PUSH 0
004B1480 |. 49 |DEC ECX ; ECX清零
004B1481 |.^ 75 F9 \JNZ SHORT 1_exe_un.004B147C
004B1483 |. 51 PUSH ECX
004B1484 |. 53 PUSH EBX
004B1485 |. 33C0 XOR EAX,EAX
004B1487 |. 55 PUSH EBP
004B1488 |. 68 6F164B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B148D |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B1490 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B1493 |. C645 FF 00 MOV BYTE PTR SS:[EBP-1],0
004B1497 |. B2 01 MOV DL,1
004B1499 |. A1 BCC14400 MOV EAX,DWORD PTR DS:[44C1BC]
004B149E >|. E8 19AEF9FF CALL 1_exe_un.0044C2BC ; -
>Unit_0044C15C.Proc_0044C2BC
004B14A3 |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX ; SEH
004B14A6 |. 33C0 XOR EAX,EAX
004B14A8 |. 55 PUSH EBP
004B14A9 |. 68 0E154B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B14AE |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B14B1 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B14B4 |. BA 02000080 MOV EDX,80000002
004B14B9 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B14BC >|. E8 9BAEF9FF CALL 1_exe_un.0044C35C ; -
>Unit_0044C15C.Proc_0044C35C
004B14C1 |. B1 01 MOV CL,1
004B14C3 |. BA 88164B00 MOV EDX,1_exe_un.004B1688 ; ASCII
"\SOFTWARE\qqpic"
004B14C8 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B14CB >|. E8 F0AEF9FF CALL 1_exe_un.0044C3C0 ; -
>Unit_0044C15C.Proc_0044C3C0,
004B14D0 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; 用户名
004B14D3 |. BA A0164B00 MOV EDX,1_exe_un.004B16A0 ; ASCII "reguser"
004B14D8 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B14DB >|. E8 A8B0F9FF CALL 1_exe_un.0044C588 ; -
>Unit_0044C15C.Proc_0044C588
004B14E0 |. 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28] ; 注册码
004B14E3 |. BA B0164B00 MOV EDX,1_exe_un.004B16B0 ; ASCII "regcode"
004B14E8 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B14EB >|. E8 98B0F9FF CALL 1_exe_un.0044C588 ; -
>Unit_0044C15C.Proc_0044C588
004B14F0 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B14F3 >|. E8 34AEF9FF CALL 1_exe_un.0044C32C ; -
>Unit_0044C15C.Proc_0044C32C
004B14F8 |. 33C0 XOR EAX,EAX ;
004B14FA |. 5A POP EDX ;
004B14FB |. 59 POP ECX
004B14FC |. 59 POP ECX
004B14FD |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B1500 |. 68 15154B00 PUSH 1_exe_un.004B1515
004B1505 |> 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B1508 >|. E8 D71AF5FF CALL 1_exe_un.00402FE4 ; -
>system.TObject.Free(TObject);
004B150D \. C3 RETN ; 跳到4B1515
004B150E > .^ E9 F121F5FF JMP 1_exe_un.00403704 ; -
>system.@HandleFinally;
004B1513 .^ EB F0 JMP SHORT 1_exe_un.004B1505
004B1515 . 837D DC 00 CMP DWORD PTR SS:[EBP-24],0 ; 判断用户名是否存在
004B1519 . 0F84 1B010000 JE 1_exe_un.004B163A
004B151F . 837D D8 00 CMP DWORD PTR SS:[EBP-28],0 ; 判断注册码是否存在
004B1523 . 0F84 11010000 JE 1_exe_un.004B163A
004B1529 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
004B152C > . E8 972AF5FF CALL 1_exe_un.00403FC8 ; -
>system.@LStrLen:Integer;取得假码长度存入EAX
004B1531 . 25 01000080 AND EAX,80000001 ; 判断假码长度奇偶性
004B1536 . 79 05 JNS SHORT 1_exe_un.004B153D ; 假码长度是奇数就跳
004B1538 . 48 DEC EAX
004B1539 . 83C8 FE OR EAX,FFFFFFFE ;
004B153C . 40 INC EAX
004B153D > 85C0 TEST EAX,EAX
004B153F . 0F85 F5000000 JNZ 1_exe_un.004B163A ; 假码长度要是偶数才不
跳死
004B1545 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20] ; 飞过海
004B1548 . B8 C0164B00 MOV EAX,1_exe_un.004B16C0 ; ASCII "922198542863"
004B154D > . E8 EAE6FFFF CALL 1_exe_un.004AFC3C ; -
>Unit_004AE7C0.Proc_004AFC3C
004B1552 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004B1555 . B8 D8164B00 MOV EAX,1_exe_un.004B16D8 ; ASCII "3323005532047"
004B155A > . E8 DDE6FFFF CALL 1_exe_un.004AFC3C ; -
>Unit_004AE7C0.Proc_004AFC3C
004B155F . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004B1562 . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] ; 用户名
004B1565 > . E8 7628F5FF CALL 1_exe_un.00403DE0 ; -
>system.@LStrLAsg;string之间是数据Copy
004B156A . 33DB XOR EBX,EBX ;
004B156C . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 用户名
004B156F > . E8 542AF5FF CALL 1_exe_un.00403FC8 ; -
>system.@LStrLen:Integer;取得用户名长度EAX
004B1574 . 85C0 TEST EAX,EAX
004B1576 . 7E 13 JLE SHORT 1_exe_un.004B158B
004B1578 . BA 01000000 MOV EDX,1
004B157D > 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; 用户名
004B1580 . 0FB64C11 FF MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; 用户名字符ASC十六进制
004B1585 . 03D9 ADD EBX,ECX ; 把每个用户名字符ASC十
六进制相加起来保存在EBX
004B1587 . 42 INC EDX
004B1588 . 48 DEC EAX ; EAX为计数器
004B1589 .^ 75 F2 JNZ SHORT 1_exe_un.004B157D ; 每个用户名字符都计算
完就不跳
004B158B > 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B158E . 50 PUSH EAX
004B158F . B9 01000000 MOV ECX,1
004B1594 . BA 01000000 MOV EDX,1
004B1599 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 用户名
004B159C > . E8 2F2CF5FF CALL 1_exe_un.004041D0 ; ->system.@LStrCopy;
004B15A1 . 8BC3 MOV EAX,EBX ; 将上面计算结果存入EAX
004B15A3 . B9 09000000 MOV ECX,9
004B15A8 . 99 CDQ
004B15A9 . F7F9 IDIV ECX ; eax=eax div 9
004B15AB . 8BC2 MOV EAX,EDX ; 将其余数送到EAX
004B15AD . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004B15B0 > . E8 2F83F5FF CALL 1_exe_un.004098E4 ; -
>Unit_00408838.Proc_004098E4
004B15B5 . 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
004B15B8 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B15BB > . E8 102AF5FF CALL 1_exe_un.00403FD0 ; ->system.@LStrCat;
004B15C0 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004B15C3 . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28] ; 假码
004B15C6 > . E8 1528F5FF CALL 1_exe_un.00403DE0 ; ->system.@LStrLAsg;
004B15CB 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004B15CE 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; 假码
004B15D1 > . E8 AEFDFFFF CALL <1_exe_un.<-Tfrmreg@Proc_004B1384> ; -
>:Tfrmreg.Proc_004B1384() 就在跟踪到这里时按F8步过时,程序退出
004B15D6 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B15D9 . 50 PUSH EAX
004B15DA . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
004B15DD . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004B15E0 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004B15E3 > . E8 98F7FFFF CALL 1_exe_un.004B0D80 ; -
>Unit_004B0D48.Proc_004B0D80
004B15E8 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B15EB . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004B15EE > . E8 E52AF5FF CALL 1_exe_un.004040D8 ; ->system.@LStrCmp;
004B15F3 . 75 06 JNZ SHORT 1_exe_un.004B15FB
004B15F5 . C645 FF 01 MOV BYTE PTR SS:[EBP-1],1
004B15F9 . EB 2F JMP SHORT 1_exe_un.004B162A
004B15FB > 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004B15FE . 50 PUSH EAX
004B15FF . B9 01000000 MOV ECX,1
004B1604 . BA 01000000 MOV EDX,1
004B1609 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B160C > . E8 BF2BF5FF CALL 1_exe_un.004041D0 ; ->system.@LStrCopy;
004B1611 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
004B1614 . BA F0164B00 MOV EDX,1_exe_un.004B16F0
004B1619 > . E8 BA2AF5FF CALL 1_exe_un.004040D8 ; ->system.@LStrCmp;
004B161E . 75 06 JNZ SHORT 1_exe_un.004B1626
004B1620 . C645 FF 01 MOV BYTE PTR SS:[EBP-1],1
004B1624 . EB 04 JMP SHORT 1_exe_un.004B162A
004B1626 > C645 FF 00 MOV BYTE PTR SS:[EBP-1],0
004B162A > 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004B162D > . E8 FAE8FFFF CALL 1_exe_un.004AFF2C ; -
>Unit_004AE7C0.Proc_004AFF2C
004B1632 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004B1635 > . E8 F2E8FFFF CALL 1_exe_un.004AFF2C ; -
>Unit_004AE7C0.Proc_004AFF2C
004B163A > 33C0 XOR EAX,EAX
004B163C . 5A POP EDX
004B163D . 59 POP ECX
004B163E . 59 POP ECX
004B163F . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B1642 . 68 76164B00 PUSH 1_exe_un.004B1676
004B1647 > 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004B164A . BA 02000000 MOV EDX,2
004B164F > . E8 1827F5FF CALL 1_exe_un.00403D6C ; -
>system.@LStrArrayClr;
004B1654 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004B1657 . BA 02000000 MOV EDX,2
004B165C > . E8 0B27F5FF CALL 1_exe_un.00403D6C ; -
>system.@LStrArrayClr;
004B1661 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004B1664 . BA 05000000 MOV EDX,5
004B1669 > . E8 FE26F5FF CALL 1_exe_un.00403D6C ; -
>system.@LStrArrayClr;
004B166E . C3 RETN
004B166F > .^ E9 9020F5FF JMP 1_exe_un.00403704 ; -
>system.@HandleFinally;
004B1674 .^ EB D1 JMP SHORT 1_exe_un.004B1647
004B1676 . 8A45 FF MOV AL,BYTE PTR SS:[EBP-1]
004B1679 . 5B POP EBX
004B167A . 8BE5 MOV ESP,EBP
004B167C . 5D POP EBP
004B167D . C3 RETN
--------------------------------------------------------------------------------
004B15D1 > . E8 AEFDFFFF CALL <1_exe_un.<-Tfrmreg@Proc_004B1384> ; -
>:Tfrmreg.Proc_004B1384() 就在跟踪
到这里时按F8步过时,程序退出 使得算法分析无法继续下去了 :(
还望高手指教,小弟不胜感激!
--------------------------------------------------------------------------------
2007年06月16日 0:19:20 |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?加入我们
x
|
IP卡
发表于 2007-6-16 00:35:23
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主