Section starting at 00409602
Single-step with F8
Some of the code looks different because I used a junk-code (花指令) removal plugin.
0.
00409650 E8 F7710000 call 0041084C ; 取字节集注册项 (read byte-set registry value) on Software\Microsoft\jsmkk\LOGIN\LOGIN. The correct value is unknown at this point; since the software is not registered, it returns 0.
0040968B E8 BC710000 call 0041084C ; 取字节集数据 (byte set to data): the correct value, as text
00409702 E8 45710000 call 0041084C ; 到数值 (to number): result = 0
What follows is the comparison against the locally computed value.
1.
00409717 68 04000080 push 0x80000004
0040971C 6A 00 push 0x0
0040971E 68 3FFD4C00 push 004CFD3F ; (211768 × 2153)÷ 391
00409723 68 01000000 push 0x1
00409728 BB 80114100 mov ebx,<到数值>
0040972D E8 1A710000 call 0041084C
到数值("(211768 × 2153)÷ 391") returns 0: the string starts with "(", not a digit, so the expression is never evaluated.
2.
0040973E DD05 58FD4C00 fld qword ptr ds:[0x4CFD58]
00409744 DC65 EC fsub qword ptr ss:[ebp-0x14]
00409747 DD5D E4 fstp qword ptr ss:[ebp-0x1C]
0040974A DD45 E4 fld qword ptr ss:[ebp-0x1C]
0040974D E8 C591FFFF call 00402917
[0x4CFD58] = 44353402; 44353402 - 0, so the result is unchanged.
3.
00409756 68 01030080 push 0x80000301
0040975B 6A 00 push 0x0
0040975D 50 push eax eax=44353402
0040975E 68 01030080 push 0x80000301
00409763 6A 00 push 0x0
00409765 FF35 E4905400 push dword ptr ds:[0x5490E4] ; [0x5490E4] = 012C4CA0 (decimal 19680416)
0040976B 68 02000000 push 0x2
00409770 BB D00B4100 mov ebx,<位异或>
00409775 E8 D2700000 call 0041084C
位异或 (bitwise XOR) result = 44353402 XOR 19680416 = 59280346
4.
0040978B . DB45 E0 fild dword ptr ss:[ebp-0x20] [ebp-0x20]=59280346
0040978E . DD5D D8 fstp qword ptr ss:[ebp-0x28]
00409791 . DD45 F4 fld qword ptr ss:[ebp-0xC] [ebp-0xC]=0
00409794 . DC65 D8 fsub qword ptr ss:[ebp-0x28]
00409797 . D9E4 ftst
00409799 . DFE0 fstsw ax
0040979B . F6C4 01 test ah,0x1
0040979E . 74 02 je short 004097A2
004097A0 . D9E0 fchs
004097A2 > DC1D 99E94C00 fcomp qword ptr ds:[0x4CE999]
004097A8 . DFE0 fstsw ax
004097AA . F6C4 41 test ah,0x41
004097AD . 0F85 7E020000 jnz 00409A31 ; [ebp-0x20] ≠ [ebp-0xC], so the jump is not taken. (ftst/fchs take the absolute value of the difference, fcomp compares it with the constant at 0x4CE999, and test ah,0x41 checks C0|C3, so the jump to 00409A31 is taken only when the difference is not greater than that constant: a floating-point equality test with a tolerance.) From this we know Software\Microsoft\jsmkk\LOGIN\LOGIN should contain 59280346. Convert it to text and then to a byte set (35 39 32 38 30 33 34 36) and write it to Software\Microsoft\jsmkk\LOGIN\LOGIN.
5.
After writing the correct content to the registry, it still reports unregistered. Restart the software and set a breakpoint at 0040978B: [ebp-0xC] has now become the correct value, but [ebp-0x20] has changed. Scrolling up shows it has become the eax value from step 3.
0040978B . DB45 E0 fild dword ptr ss:[ebp-0x20] [ebp-0x20]=44353402
0040978E . DD5D D8 fstp qword ptr ss:[ebp-0x28]
00409791 . DD45 F4 fld qword ptr ss:[ebp-0xC] [ebp-0xC]=59280346
00409794 . DC65 D8 fsub qword ptr ss:[ebp-0x28]
00409797 . D9E4 ftst
00409799 . DFE0 fstsw ax
0040979B . F6C4 01 test ah,0x1
0040979E . 74 02 je short 004097A2
004097A0 . D9E0 fchs
004097A2 > DC1D 99E94C00 fcomp qword ptr ds:[0x4CE999]
004097A8 . DFE0 fstsw ax
004097AA . F6C4 41 test ah,0x41
004097AD . 0F85 7E020000 jnz 00409A31
6.
Clicking 00409765 . FF35 E4905400 push dword ptr ds:[0x5490E4] shows ds:[005490E4] = 00000000, which does not match step 3, so there must be another place that assigns [005490E4]. Right-click, copy binary: FF 35 E4 90 54 00.
Drop the FF35 and search for the byte sequence E4 90 54 00.
It lands at:
004028FC |. C705 DC905400 A04C2>mov dword ptr ds:[0x5490DC],0x12C4CA0
00402906 |. 90 nop
00402907 |. 90 nop
00402908 |. 90 nop
00402909 |. A1 DC905400 mov eax,dword ptr ds:[0x5490DC]
0040290E |. A3 E4905400 mov dword ptr ds:[0x5490E4],eax
7.
上面有两个跳转
004028B9 |. FF0D E0905400 dec dword ptr ds:[0x5490E0] ; [0x5490E0] = 5; dec subtracts one. After this section has executed five times, [0x5490E0] = 0 and the jnz below is no longer taken, so this should not be the jump we are looking for.
004028BF |. 90 nop
004028C0 |. 90 nop
004028C1 |. 90 nop
004028C2 |. 90 nop
004028C3 |. 833D E0905400 00 cmp dword ptr ds:[0x5490E0],0x0
004028CA |. 0F85 43000000 jnz 00402913
8.
0040286C |. E8 CD000000 call 0040293E ; inside the call it reads the registry value Software\Microsoft\jsmkk\LOGIN\BJH, much like step 0.
00402871 |. 8945 FC mov [local.1],eax
00402874 |. 90 nop
00402875 |. 90 nop
00402876 |. 90 nop
00402877 |. 90 nop
00402878 |. 8B45 FC mov eax,[local.1]
0040287B |. A3 DC905400 mov dword ptr ds:[0x5490DC],eax
00402880 |. 90 nop
00402881 |. 90 nop
00402882 |. 90 nop
00402883 |. 90 nop
00402884 |. 833D DC905400 00 cmp dword ptr ds:[0x5490DC],0x0
0040288B |. 0F84 25000000 je 004028B6
If you delete the LOGIN registry value, you will see execution correctly reach mov dword ptr ds:[0x5490DC],0x12C4CA0.
So this should be a check: if LOGIN has content, the program reads BJH and runs the verification of steps 0-4; if LOGIN cannot be read, it assigns the constant so that it can be used at registration time.
Convert 0x12C4CA0 to decimal (19680416) and then to a byte set (31 39 36 38 30 34 31 36), and write it to the registry value Software\Microsoft\jsmkk\LOGIN\BJH.
Reopen the software and it shows as registered.
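The whole check reconstructed above (decoy 到数值 expression, subtraction from the constant at 0x4CFD58, XOR with BJH, compare with LOGIN) can be reproduced in a few lines; this is an added example, not code from the original post or from the target program. Assumptions: 到数值 on a string that does not start with a digit yields 0 (what the trace shows, the exact EPL parsing rules are not on the page); the registry hive is HKEY_CURRENT_USER (the post only names the sub-key); and the two values are stored as byte sets (REG_BINARY) holding the ASCII digits, as the post writes them. The epsilon at 0x4CE999 is not read in the post, so the comparison here is an exact integer compare. With BJH absent (0) the function also reproduces the 44353402 seen in step 5.

```python
"""Keygen for the registration check traced in the post (added example)."""

DEFAULT_BJH = 0x12C4CA0          # constant stored into [0x5490DC] at 004028FC
CONST_4CFD58 = 44353402          # double loaded from [0x4CFD58] at 0040973E
DECOY_EXPR = "(211768 × 2153)÷ 391"  # string at 004CFD3F passed to 到数值

# Assumed hive; the post gives only the sub-key and value names.
HIVE = "HKEY_CURRENT_USER"
SUBKEY = r"Software\Microsoft\jsmkk\LOGIN"


def to_numeric(s):
    """Mimic 到数值 as observed: take a leading decimal number, else 0.

    This is an assumption about the EPL runtime based on the trace,
    which shows the decoy expression converting to 0.
    """
    s = s.strip()
    i = 0
    if i < len(s) and s[i] in "+-":
        i += 1
    while i < len(s) and (s[i].isdigit() or s[i] == "."):
        i += 1
    try:
        return float(s[:i]) if i else 0.0
    except ValueError:
        return 0.0


def expected_login(bjh):
    """Steps 1-3: the value the program expects to find in LOGIN."""
    decoy = to_numeric(DECOY_EXPR)        # step 1: 0
    base = int(CONST_4CFD58 - decoy)      # step 2: 44353402 - 0
    return (base ^ bjh) & 0xFFFFFFFF      # step 3: 位异或 with [0x5490E4]


def check_login(login_value, bjh):
    """Step 4: registered only if LOGIN equals the computed value.

    The binary does |LOGIN - expected| against an epsilon at 0x4CE999;
    with integer inputs an exact compare is equivalent.
    """
    return int(login_value) == expected_login(bjh)


def resolve_bjh(stored_bjh):
    """Steps 6-8: a missing/zero BJH falls back to the built-in constant."""
    return stored_bjh if stored_bjh else DEFAULT_BJH


def to_byte_set(n):
    """到文本 then 到字节集: the ASCII digits of the decimal value."""
    return str(n).encode("ascii")


def reg_file(bjh=DEFAULT_BJH, hive=HIVE):
    """Build a .reg file writing BJH and the matching LOGIN as REG_BINARY."""
    login = expected_login(bjh)

    def hexlist(b):
        return ",".join(f"{x:02x}" for x in b)

    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{hive}\\{SUBKEY}]",
        f'"BJH"=hex:{hexlist(to_byte_set(bjh))}',
        f'"LOGIN"=hex:{hexlist(to_byte_set(login))}',
        "",
    ])


if __name__ == "__main__":
    print(reg_file())
```

Running the script prints a .reg file with `"BJH"=hex:31,39,36,38,30,34,31,36` and `"LOGIN"=hex:35,39,32,38,30,33,34,36`, the two byte sets from steps 4 and 8; check the hive against what 取字节集注册项 is actually called with before importing it with `reg import`.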