[Analysis process]
On inspection, this is an unpacked VB6 program compiled to native code. Disassembling it with W32Dasm turns up the following strings:
* Possible StringData Ref from Code Obj ->"RRegistration Successful"
|
:00472002 C7854CFFFFFF1C434100 mov dword ptr [ebp+FFFFFF4C], 0041431C
======================================================
* Possible StringData Ref from Code Obj ->"RRegistration Failed"
|
:004723F2 C7854CFFFFFFA0434100 mov dword ptr [ebp+FFFFFF4C], 004143A0
Searching upward from this address, we find the following code:
:00471B4B 57 push edi
:00471B4C 50 push eax
:00471B4D E8DEA8FCFF call 0043C430 <========== key computation
:00471B52 8D4DD4 lea ecx, dword ptr [ebp-2C]
:00471B55 66894338 mov word ptr [ebx+38], ax <========= return value stored here
==========================================================
:00471C21 66837B38FF cmp word ptr [ebx+38], FFFF
:00471C26 0F857F070000 jne 004723AB <========= jumps to display the "Registration Failed" message
=============================================================
* Possible StringData Ref from Code Obj ->"PPW"
|
:00471C94 6870104100 push 00411070
* Possible StringData Ref from Code Obj ->"DData"
|
:00471C99 680C0F4100 push 00410F0C
:00471C9E 51 push ecx
* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:00471C9F FF1508104000 Call dword ptr [00401008] <============ saves the registration info
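To pull these cross-references out of a W32Dasm listing mechanically rather than by scrolling, here is a small parser added for this write-up (it is not code from the original post or from the program being analysed). It pairs each "Possible StringData Ref" annotation with the instruction that references the string and can list the strings referenced near a given address, such as the setting names pushed before the rtcSaveSetting call; the sample listing and helper names are constructed.

```python
import re
from dataclasses import dataclass
# Constructed sample: the W32Dasm string-reference blocks quoted in the write-up.
SAMPLE_LISTING = """\
* Possible StringData Ref from Code Obj ->"RRegistration Successful"
|
:00472002 C7854CFFFFFF1C434100 mov dword ptr [ebp+FFFFFF4C], 0041431C
* Possible StringData Ref from Code Obj ->"RRegistration Failed"
|
:004723F2 C7854CFFFFFFA0434100 mov dword ptr [ebp+FFFFFF4C], 004143A0
* Possible StringData Ref from Code Obj ->"PPW"
|
:00471C94 6870104100 push 00411070
* Possible StringData Ref from Code Obj ->"DData"
|
:00471C99 680C0F4100 push 00410F0C
* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:00471C9F FF1508104000 Call dword ptr [00401008]
"""
STRING_REF = re.compile(r'^\* Possible StringData Ref from (\w+) Obj ->"(.*)"$')
INSN = re.compile(r'^:([0-9A-Fa-f]{8}) ([0-9A-Fa-f]+) (.+)$')

@dataclass
class StringXref:
    obj: str        # section W32Dasm attributes the string to ("Code", "Data")
    text: str       # the string exactly as W32Dasm prints it
    address: int    # address of the instruction that references it
    mnemonic: str   # that instruction's text

def parse_string_xrefs(listing: str) -> list[StringXref]:
    """Pair each '* Possible StringData Ref' annotation with the instruction
    that follows its '|' connector line; other annotations are ignored."""
    xrefs, lines = [], listing.splitlines()
    for i, line in enumerate(lines):
        m = STRING_REF.match(line)
        if not m:
            continue
        for nxt in lines[i + 1:i + 3]:        # skip the '|' line, take the instruction
            insn = INSN.match(nxt)
            if insn:
                xrefs.append(StringXref(m.group(1), m.group(2),
                                        int(insn.group(1), 16), insn.group(3)))
                break
    return xrefs

def xrefs_near(xrefs: list[StringXref], address: int, window: int) -> list[StringXref]:
    """Strings referenced within `window` bytes of `address` (e.g. rtcSaveSetting key names)."""
    return [x for x in xrefs if abs(x.address - address) <= window]
```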
So as long as the key call at 43C430 returns -1, registration is treated as successful. Patching just this check would make the program display the registration-successful message, but after a restart it would still be an unregistered copy. Tracing into this function with OllyDbg gives the following:
0043C430 $ 55 PUSH EBP
0043C431 . 8BEC MOV EBP,ESP
0043C433 . 83EC 08 SUB ESP,8
0043C436 . 68 36314000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0043C43B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043C441 . 50 PUSH EAX
0043C442 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0043C449 . 81EC 50010000 SUB ESP,150
0043C44F . 53 PUSH EBX
0043C450 . 56 PUSH ESI
0043C451 . 57 PUSH EDI
0043C452 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0043C455 . C745 FC F81B40>MOV DWORD PTR SS:[EBP-4],CollegeB.00401B>
0043C45C . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; fetch the registration name
0043C45F . 33F6 XOR ESI,ESI
0043C461 . 8975 EC MOV DWORD PTR SS:[EBP-14],ESI
0043C464 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
0043C467 . 8B08 MOV ECX,DWORD PTR DS:[EAX] ; name
0043C469 . 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
0043C46C . 51 PUSH ECX ; name
0043C46D . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI ; initialize local vars
0043C470 . 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
0043C473 . 8975 C4 MOV DWORD PTR SS:[EBP-3C],ESI
0043C476 . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI
0043C479 . 8975 B0 MOV DWORD PTR SS:[EBP-50],ESI
0043C47C . 8975 A0 MOV DWORD PTR SS:[EBP-60],ESI
0043C47F . 8975 90 MOV DWORD PTR SS:[EBP-70],ESI
0043C482 . 8975 80 MOV DWORD PTR SS:[EBP-80],ESI
0043C485 . 89B5 70FFFFFF MOV DWORD PTR SS:[EBP-90],ESI
0043C48B . 89B5 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ESI
0043C491 . 89B5 50FFFFFF MOV DWORD PTR SS:[EBP-B0],ESI
0043C497 . 89B5 40FFFFFF MOV DWORD PTR SS:[EBP-C0],ESI
0043C49D . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs> ; length of the registration name
0043C4A3 . 85C0 TEST EAX,EAX ; string length 0A (name)
0043C4A5 . 0F84 A00C0000 JE CollegeB.0043D14B
0043C4AB . 8B3D C8124000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0043C4B1 . 8B1D 34104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarMove
0043C4B7 > 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0043C4BA . 52 PUSH EDX
0043C4BB . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0043C4C1 . 83F8 29 CMP EAX,29 ; check whether the length has reached 0x29 bytes
0043C4C4 . 0F8D 81000000 JGE CollegeB.0043C54B ; if long enough, continue
0043C4CA . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; name
0043C4CD . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; 0
0043C4D0 . 56 PUSH ESI