我怎么一直追不出来。。。。哪位给点思路?并且里面有好多异常啊,请看我分析的。。。。
软件的下载地址:
7a9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4Z5j5i4u0W2N6$3q4J5k6g2)9J5k6h3y4F1i4K6u0r3M7s2g2T1i4K6u0r3z5e0V1%4y4g2)9J5k6h3S2@1L8h3H3`.
-------------------------------------------------------------
首先用PEiD看了一下,没壳,Delphi编写的。。
所以就用OD、DEDE、IDA
在过程:UntReg的Button1click 虚拟地址是:0049ED5C
* Possible String Reference to: '槿Q?腚[YY]?
|
0049ED69 68F3ED4900 push $0049EDF3
***** TRY
|
0049ED6E 64FF30 push dword ptr fs:[eax]
0049ED71 648920 mov fs:[eax], esp
0049ED74 8D55FC lea edx, [ebp-$04]
0049ED77 8B8308030000 mov eax, [ebx+$0308]
* Reference to : TControl.GetText(TControl):TCaption;() //取假注册码
|
0049ED7D E83AAEFBFF call 00459BBC
0049ED82 8B45FC mov eax, [ebp-$04]
0049ED85 50 push eax
0049ED86 8D55F8 lea edx, [ebp-$08]
0049ED89 8B8300030000 mov eax, [ebx+$0300]
* Reference to : TControl.GetText(TControl):TCaption;() //取机器码
|
0049ED8F E828AEFBFF call 00459BBC
0049ED94 8B55F8 mov edx, [ebp-$08]
* Reference to TfrmMain instance
|
0049ED97 A170464A00 mov eax, dword ptr [$004A4670]
0049ED9C 8B00 mov eax, [eax]
0049ED9E 8B8070030000 mov eax, [eax+$0370]
0049EDA4 33C9 xor ecx, ecx
|
0049EDA6 E805EAFFFF call 0049D7B0 //关键CALL进
0049EDAB 84C0 test al, al
0049EDAD 741F jz 0049EDCE
* Reference to TfrmMain instance
|
0049EDAF A170464A00 mov eax, dword ptr [$004A4670]
0049EDB4 8B00 mov eax, [eax]
|
0049EDB6 E8852D0000 call 004A1B40
* Possible String Reference to: '注册成功,感谢您注册本软件!'
|
0049EDBB B808EE4900 mov eax, $0049EE08
* Reference to : TMessageForm._PROC_00430EF4()
|
0049EDC0 E82F21F9FF call 00430EF4
0049EDC5 8BC3 mov eax, ebx
* Reference to : TCustomForm.Close(TCustomForm);()
|
0049EDC7 E8D477FDFF call 004765A0
0049EDCC EB0A jmp 0049EDD8
* Possible String Reference to: '无效的注册码,注册失败。'
|
0049EDCE B830EE4900 mov eax, $0049EE30
* Reference to : TMessageForm._PROC_00430EF4()
|
0049EDD3 E81C21F9FF call 00430EF4
0049EDD8 33C0 xor eax, eax
0049EDDA 5A pop edx
0049EDDB 59 pop ecx
0049EDDC 59 pop ecx
0049EDDD 648910 mov fs:[eax], edx
-----------------------------------------------------------------
关键CALL的代码如下:
0049D7B0 55 push ebp
0049D7B1 8BEC mov ebp, esp
0049D7B3 83C4F8 add esp, -$08
0049D7B6 53 push ebx
0049D7B7 894DF8 mov [ebp-$08], ecx
0049D7BA 8955FC mov [ebp-$04], edx
0049D7BD 8BD8 mov ebx, eax
0049D7BF 8B45FC mov eax, [ebp-$04]
* Reference to : TObject.System.@LStrAddRef(void;void):Pointer;()
|
0049D7C2 E8CD72F6FF call 00404A94
0049D7C7 8B45F8 mov eax, [ebp-$08]
* Reference to : TObject.System.@LStrAddRef(void;void):Pointer;() //不知道这些是干什么,好像没什么意义
|
0049D7CA E8C572F6FF call 00404A94
0049D7CF 8B4508 mov eax, [ebp+$08]
* Reference to : TObject.System.@LStrAddRef(void;void):Pointer;()
|
0049D7D2 E8BD72F6FF call 00404A94
0049D7D7 33C0 xor eax, eax
0049D7D9 55 push ebp
0049D7DA 681DD84900 push $0049D81D
***** TRY
|
0049D7DF 64FF30 push dword ptr fs:[eax]
0049D7E2 648920 mov fs:[eax], esp
0049D7E5 8B4508 mov eax, [ebp+$08]
0049D7E8 50 push eax
0049D7E9 6A00 push $00
0049D7EB 8B4DF8 mov ecx, [ebp-$08]
0049D7EE 8B55FC mov edx, [ebp-$04]
0049D7F1 8BC3 mov eax, ebx
* Reference to : TRegware4._PROC_0049D830()
|
0049D7F3 E838000000 call 0049D830 //这个CALL要跟进
0049D7F8 8BD8 mov ebx, eax
0049D7FA 33C0 xor eax, eax
0049D7FC 5A pop edx
0049D7FD 59 pop ecx
0049D7FE 59 pop ecx
0049D7FF 648910 mov fs:[eax], edx
****** FINALLY
|
0049D802 6824D84900 push $0049D824
0049D807 8D45F8 lea eax, [ebp-$08]
0049D80A BA02000000 mov edx, $00000002
* Reference to : TObject.System.@LStrArrayClr(void;void;Integer);()
|
0049D80F E8F46DF6FF call 00404608
0049D814 8D4508 lea eax, [ebp+$08]
* Reference to : TObject.System.@LStrClr(void;void);()
|
0049D817 E8C86DF6FF call 004045E4
0049D81C C3 ret
* Reference to : TObject.System.@HandleFinally;()
|
0049D81D E99E67F6FF jmp 00403FC0
0049D822 EBE3 jmp 0049D807
****** END
----------------------------------------------------------------
0049D7F3 E838000000 call 0049D830 //这个CALL要跟进
这个CALL的代码如下:
0049D830 55 push ebp
0049D831 8BEC mov ebp, esp
0049D833 83C4BC add esp, -$44
0049D836 53 push ebx
0049D837 56 push esi
0049D838 57 push edi
0049D839 33DB xor ebx, ebx
0049D83B 895DBC mov [ebp-$44], ebx
0049D83E 895DC0 mov [ebp-$40], ebx
0049D841 895DC4 mov [ebp-$3C], ebx
0049D844 895DC8 mov [ebp-$38], ebx
0049D847 895DDC mov [ebp-$24], ebx
0049D84A 895DF0 mov [ebp-$10], ebx
0049D84D 895DEC mov [ebp-$14], ebx
0049D850 895DE8 mov [ebp-$18], ebx
0049D853 894DF8 mov [ebp-$08], ecx
0049D856 8955FC mov [ebp-$04], edx
0049D859 8BD8 mov ebx, eax
0049D85B 8B45FC mov eax, [ebp-$04]
* Reference to : TObject.System.@LStrAddRef(void;void):Pointer;()
|
0049D85E E83172F6FF call 00404A94
0049D863 8B45F8 mov eax, [ebp-$08]
* Reference to : TObject.System.@LStrAddRef(void;void):Pointer;()
|
0049D866 E82972F6FF call 00404A94
0049D86B 8B450C mov eax, [ebp+$0C]
* Reference to : TObject.System.@LStrAddRef(void;void):Pointer;()
|
0049D86E E82172F6FF call 00404A94
0049D873 8B4508 mov eax, [ebp+$08]
* Reference to : TObject.System.@LStrAddRef(void;void):Pointer;()
|
0049D876 E81972F6FF call 00404A94
0049D87B 33C0 xor eax, eax
0049D87D 55 push ebp
0049D87E 6868DB4900 push $0049DB68
***** TRY
|
0049D883 64FF30 push dword ptr fs:[eax]
0049D886 648920 mov fs:[eax], esp
* Reference to: kernel32.GetTickCount()
|
0049D889 E85292F6FF call 00406AE0
0049D88E 8BF0 mov esi, eax
0049D890 68D0070000 push $000007D0
* Reference to: kernel32.Sleep()
|
0049D895 E8BA06F7FF call 0040DF54
0049D89A 8B4354 mov eax, [ebx+$54]
0049D89D 80780400 cmp byte ptr [eax+$04], $00
0049D8A1 740A jz 0049D8AD
0049D8A3 8D55FC lea edx, [ebp-$04]
0049D8A6 8BC3 mov eax, ebx
* Reference to : TRegware4._PROC_0049D1D4()
|
0049D8A8 E827F9FFFF call 0049D1D4
* Reference to: kernel32.GetTickCount()
|
0049D8AD E82E92F6FF call 00406AE0
0049D8B2 81C6CF070000 add esi, $000007CF
0049D8B8 3BC6 cmp eax, esi
0049D8BA 72CD jb 0049D889
0049D8BC 8B45FC mov eax, [ebp-$04]
* Reference to : TInterfacedObject._PROC_004048A4()
|
0049D8BF E8E06FF6FF call 004048A4 //取机器码的长度如果大于32就跳到返回出
0049D8C4 3B4358 cmp eax, [ebx+$58]
0049D8C7 7F19 jnle 0049D8E2
0049D8C9 8B45FC mov eax, [ebp-$04]
* Reference to : TInterfacedObject._PROC_004048A4() //取机器码的长度如果小于5就跳到返回出
|
0049D8CC E8D36FF6FF call 004048A4
0049D8D1 3B435C cmp eax, [ebx+$5C]
0049D8D4 7C0C jl 0049D8E2
0049D8D6 8B450C mov eax, [ebp+$0C]
* Reference to : TInterfacedObject._PROC_004048A4()
|
0049D8D9 E8C66FF6FF call 004048A4 //取假注册码判断是否为空,如果为空也跳到返回出
0049D8DE 85C0 test eax, eax
0049D8E0 7509 jnz 0049D8EB
0049D8E2 C645F700 mov byte ptr [ebp-$09], $00
0049D8E6 E933020000 jmp 0049DB1E
0049D8EB 8D55DC lea edx, [ebp-$24]
0049D8EE 8B450C mov eax, [ebp+$0C]
|
0049D8F1 E8D6ADF6FF call 004086CC //将假注册码中的字母全部转化为大写
* Reference to RegForm
|
0049D8F6 8B55DC mov edx, [ebp-$24]
0049D8F9 8D450C lea eax, [ebp+$0C]
* Reference to : TObject.System.@LStrLAsg(void;void;void;void);()
|
0049D8FC E87B6DF6FF call 0040467C
0049D901 C645F700 mov byte ptr [ebp-$09], $00
0049D905 B101 mov cl, $01
0049D907 8B550C mov edx, [ebp+$0C]
0049D90A 8BC3 mov eax, ebx
* Reference to : TRegware4._PROC_0049D394()
|
0049D90C E883FAFFFF call 0049D394
0049D911 84C0 test al, al
0049D913 0F8505020000 jnz 0049DB1E
0049D919 33C9 xor ecx, ecx
0049D91B 55 push ebp
0049D91C 68A4DA4900 push $0049DAA4
***** TRY
|
0049D921 64FF31 push dword ptr fs:[ecx]
0049D924 648921 mov fs:[ecx], esp
0049D927 8D45F0 lea eax, [ebp-$10]
0049D92A 8B550C mov edx, [ebp+$0C]
* Reference to field RegForm.OFFS_0001
|
0049D92D 8A5201 mov dl, byte ptr [edx+$01] { 取假注册码的第二个值 }
* Reference to : TInterfacedObject._PROC_004047CC()
|
0049D930 E8976EF6FF call 004047CC
0049D935 8D45D8 lea eax, [ebp-$28]
0049D938 8B550C mov edx, [ebp+$0C]
* Reference to field RegForm.OFFS_0009
|
0049D93B 8A5209 mov dl, byte ptr [edx+$09] //取假注册码第十个
0049D93E 885001 mov [eax+$01], dl
0049D941 C60001 mov byte ptr [eax], $01
0049D944 8D55D8 lea edx, [ebp-$28]
0049D947 8D45D4 lea eax, [ebp-$2C]
* Reference to : TObject.System.@PStrCpy(PShortString;PShortString);()
|
0049D94A E8BD57F6FF call 0040310C
0049D94F 8D45D0 lea eax, [ebp-$30]
0049D952 8B550C mov edx, [ebp+$0C]
0049D955 8A5207 mov dl, byte ptr [edx+$07] //第8 个字符
0049D958 885001 mov [eax+$01], dl
0049D95B C60001 mov byte ptr [eax], $01
0049D95E 8D55D0 lea edx, [ebp-$30]
0049D961 8D45D4 lea eax, [ebp-$2C]
0049D964 B102 mov cl, $02
* Reference to : TObject.System.@PStrNCat;()
|
0049D966 E87157F6FF call 004030DC
0049D96B 8D55D4 lea edx, [ebp-$2C]
0049D96E 8D45EC lea eax, [ebp-$14]
* Reference to : TInterfacedObject._PROC_00404848()
|
0049D971 E8D26EF6FF call 00404848
0049D976 8D45D8 lea eax, [ebp-$28]
0049D979 8B550C mov edx, [ebp+$0C]
0049D97C 8A5203 mov dl, byte ptr [edx+$03] //取第四个
0049D97F 885001 mov [eax+$01], dl
0049D982 C60001 mov byte ptr [eax], $01
0049D985 8D55D8 lea edx, [ebp-$28]
0049D988 8D45D4 lea eax, [ebp-$2C]
* Reference to : TObject.System.@PStrCpy(PShortString;PShortString);()
|
0049D98B E87C57F6FF call 0040310C
0049D990 8D45D0 lea eax, [ebp-$30]
0049D993 8B550C mov edx, [ebp+$0C]
0049D996 8A5205 mov dl, byte ptr [edx+$05] //第六个
0049D999 885001 mov [eax+$01], dl
0049D99C C60001 mov byte ptr [eax], $01
0049D99F 8D55D0 lea edx, [ebp-$30]
0049D9A2 8D45D4 lea eax, [ebp-$2C]
0049D9A5 B102 mov cl, $02
* Reference to : TObject.System.@PStrNCat;()
|
0049D9A7 E83057F6FF call 004030DC
0049D9AC 8D55D4 lea edx, [ebp-$2C]
0049D9AF 8D45CC lea eax, [ebp-$34]
* Reference to : TObject.System.@PStrCpy(PShortString;PShortString);()
|
0049D9B2 E85557F6FF call 0040310C
0049D9B7 8D45D0 lea eax, [ebp-$30]
0049D9BA 8B550C mov edx, [ebp+$0C]
0049D9BD 8A520B mov dl, byte ptr [edx+$0B] //取第十三个
0049D9C0 885001 mov [eax+$01], dl
0049D9C3 C60001 mov byte ptr [eax], $01
0049D9C6 8D55D0 lea edx, [ebp-$30]
0049D9C9 8D45CC lea eax, [ebp-$34]
0049D9CC B103 mov cl, $03
* Reference to : TObject.System.@PStrNCat;()
|
0049D9CE E80957F6FF call 004030DC
0049D9D3 8D55CC lea edx, [ebp-$34]
0049D9D6 8D45E8 lea eax, [ebp-$18]
* Reference to : TInterfacedObject._PROC_00404848()
|
0049D9D9 E86A6EF6FF call 00404848
0049D9DE 8D45C8 lea eax, [ebp-$38]
* Reference to RegForm
|
0049D9E1 8B4DF0 mov ecx, [ebp-$10]
0049D9E4 BA84DB4900 mov edx, $0049DB84
* Reference to : TObject.System.@LStrCat3;()
|
0049D9E9 E8026FF6FF call 004048F0
* Reference to RegForm
|
0049D9EE 8B45C8 mov eax, [ebp-$38]
0049D9F1 BAFFFF0000 mov edx, $0000FFFF
* Reference to : Unit SysUtils.SysUtils.StrToIntDef(AnsiString;Integer):Integer;()
|
0049D9F6 E869B3F6FF call 00408D64
0049D9FB 8BF0 mov esi, eax
0049D9FD 8D45C4 lea eax, [ebp-$3C]
* Reference to RegForm
|
0049DA00 8B4DEC mov ecx, [ebp-$14]
0049DA03 BA84DB4900 mov edx, $0049DB84
* Reference to : TObject.System.@LStrCat3;()
|
0049DA08 E8E36EF6FF call 004048F0
* Reference to RegForm
|
0049DA0D 8B45C4 mov eax, [ebp-$3C]
0049DA10 BAFFFF0000 mov edx, $0000FFFF
* Reference to : Unit SysUtils.SysUtils.StrToIntDef(AnsiString;Integer):Integer;()
|
0049DA15 E84AB3F6FF call 00408D64
0049DA1A 8BF8 mov edi, eax
0049DA1C 8D45C0 lea eax, [ebp-$40]
* Reference to RegForm
|
0049DA1F 8B4DE8 mov ecx, [ebp-$18]
0049DA22 BA84DB4900 mov edx, $0049DB84
* Reference to : TObject.System.@LStrCat3;()
|
0049DA27 E8C46EF6FF call 004048F0
* Reference to RegForm
|
0049DA2C 8B45C0 mov eax, [ebp-$40]
0049DA2F BAFFFF0000 mov edx, $0000FFFF
* Reference to : Unit SysUtils.SysUtils.StrToIntDef(AnsiString;Integer):Integer;()
|
0049DA34 E82BB3F6FF call 00408D64
0049DA39 8BD7 mov edx, edi
0049DA3B 0BD6 or edx, esi
0049DA3D 0BD0 or edx, eax
0049DA3F 81FAFFFF0000 cmp edx, $0000FFFF
0049DA45 750F jnz 0049DA56 //这个要改变这里需要改变条件。。。。但是后面有好多异常啊。。。。我跟了好几次,就有一次从异常中出来了。。。。
0049DA47 648F0500000000 pop dword ptr fs:[$00000000]
0049DA4E 83C408 add esp, +$08
0049DA51 E9C8000000 jmp 0049DB1E
0049DA56 8BD6 mov edx, esi
0049DA58 6683F207 xor dx, +$07
0049DA5C 8BF7 mov esi, edi
0049DA5E 6681F6B700 xor si, $00B7
0049DA63 6635B705 xor ax, $05B7
0049DA67 8BCE mov ecx, esi
* Reference to : Unit SysUtils.SysUtils.EncodeDate(Word;Word;Word):TDateTime;()
|
0049DA69 E8A6CDF6FF call 0040A814
0049DA6E DD5DE0 fstp qword ptr [ebp-$20]
0049DA71 9B wait
* Reference to : Unit SysUtils.SysUtils.Date:TDateTime;()
|
0049DA72 E865CFF6FF call 0040A9DC
0049DA77 DC5DE0 fcomp qword ptr [ebp-$20]
0049DA7A DFE0 fstsw ax
0049DA7C 9E sahf
0049DA7D 761B jbe 0049DA9A
0049DA7F DD45E0 fld qword ptr [ebp-$20]
0049DA82 D81D88DB4900 fcomp dword ptr [$0049DB88]
0049DA88 DFE0 fstsw ax
0049DA8A 9E sahf
0049DA8B 740D jz 0049DA9A
0049DA8D 33C0 xor eax, eax
0049DA8F 5A pop edx
0049DA90 59 pop ecx
0049DA91 59 pop ecx
0049DA92 648910 mov fs:[eax], edx
0049DA95 E984000000 jmp 0049DB1E
0049DA9A 33C0 xor eax, eax
0049DA9C 5A pop edx
0049DA9D 59 pop ecx
0049DA9E 59 pop ecx
0049DA9F 648910 mov fs:[eax], edx
0049DAA2 EB11 jmp 0049DAB5
* Reference to : TObject.System.@HandleAnyException;()
|
0049DAA4 E96362F6FF jmp 00403D0C
* Reference to : TObject.System.@DoneExcept;()
|
0049DAA9 E8C665F6FF call 00404074
0049DAAE EB6E jmp 0049DB1E
* Reference to : TObject.System.@DoneExcept;()
|
0049DAB0 E8BF65F6FF call 00404074
****** END
|
0049DAB5 8D45BC lea eax, [ebp-$44]
0049DAB8 50 push eax
0049DAB9 8B4D0C mov ecx, [ebp+$0C]
0049DABC 8B55FC mov edx, [ebp-$04]
0049DABF 8BC3 mov eax, ebx
* Reference to : TRegware4._PROC_0049CB3C()
|
0049DAC1 E876F0FFFF call 0049CB3C
* Reference to RegForm
|
0049DAC6 8B45BC mov eax, [ebp-$44]
* Possible String Reference to: '645364631365423154824'
|
0049DAC9 BA94DB4900 mov edx, $0049DB94 { 6453646 }
* Reference to : Unit SysUtils.SysUtils.CompareStr(AnsiString;AnsiString):Integer;()
|
0049DACE E899ACF6FF call 0040876C
0049DAD3 85C0 test eax, eax
0049DAD5 7506 jnz 0049DADD
0049DAD7 C645F701 mov byte ptr [ebp-$09], $01
0049DADB EB04 jmp 0049DAE1
0049DADD C645F700 mov byte ptr [ebp-$09], $00
0049DAE1 807DF701 cmp byte ptr [ebp-$09], $01
0049DAE5 7537 jnz 0049DB1E
0049DAE7 8D4350 lea eax, [ebx+$50]
0049DAEA 8B55FC mov edx, [ebp-$04]
* Reference to : TObject.System.@LStrAsg(void;void;void;void);()
|
0049DAED E8466BF6FF call 00404638
0049DAF2 8D4360 lea eax, [ebx+$60]
0049DAF5 8B55F8 mov edx, [ebp-$08]
* Reference to : TObject.System.@LStrAsg(void;void;void;void);()
|
0049DAF8 E83B6BF6FF call 00404638
0049DAFD 8D4368 lea eax, [ebx+$68]
0049DB00 8B550C mov edx, [ebp+$0C]
* Reference to : TObject.System.@LStrAsg(void;void;void;void);()
|
0049DB03 E8306BF6FF call 00404638
0049DB08 8D4344 lea eax, [ebx+$44]
0049DB0B 8B5508 mov edx, [ebp+$08]
* Reference to : TObject.System.@LStrAsg(void;void;void;void);()
|
0049DB0E E8256BF6FF call 00404638
0049DB13 8BC3 mov eax, ebx
|
0049DB15 E8C2020000 call 0049DDDC
0049DB1A C645F701 mov byte ptr [ebp-$09], $01
0049DB1E 33C0 xor eax, eax
0049DB20 5A pop edx
0049DB21 59 pop ecx
0049DB22 59 pop ecx
0049DB23 648910 mov fs:[eax], edx
****** FINALLY
|
0049DB26 686FDB4900 push $0049DB6F
0049DB2B 8D45BC lea eax, [ebp-$44]
0049DB2E BA04000000 mov edx, $00000004
* Reference to : TObject.System.@LStrArrayClr(void;void;Integer);()
|
0049DB33 E8D06AF6FF call 00404608
0049DB38 8D45DC lea eax, [ebp-$24]
* Reference to : TObject.System.@LStrClr(void;void);()
|
0049DB3B E8A46AF6FF call 004045E4
0049DB40 8D45E8 lea eax, [ebp-$18]
0049DB43 BA03000000 mov edx, $00000003
* Reference to : TObject.System.@LStrArrayClr(void;void;Integer);()
|
0049DB48 E8BB6AF6FF call 00404608
0049DB4D 8D45F8 lea eax, [ebp-$08]
0049DB50 BA02000000 mov edx, $00000002
* Reference to : TObject.System.@LStrArrayClr(void;void;Integer);()
|
0049DB55 E8AE6AF6FF call 00404608
0049DB5A 8D4508 lea eax, [ebp+$08]
0049DB5D BA02000000 mov edx, $00000002
* Reference to : TObject.System.@LStrArrayClr(void;void;Integer);()
|
0049DB62 E8A16AF6FF call 00404608
0049DB67 C3 ret
* Reference to : TObject.System.@HandleFinally;()
|
0049DB68 E95364F6FF jmp 00403FC0
0049DB6D EBBC jmp 0049DB2B
****** END
|
0049DB6F 8A45F7 mov al, byte ptr [ebp-$09]
0049DB72 5F pop edi
0049DB73 5E pop esi
0049DB74 5B pop ebx
0049DB75 8BE5 mov esp, ebp
0049DB77 5D pop ebp
0049DB78 C20800 ret $0008