Reply #2
Frustrating; I'll just tell everyone:
id:ImmIsIME
sn:ImmIsIME
It seems to use a simulated clock (a timer) that checks the input boxes every so often; if they are correct it hides button one, which means button one is just a decoy and a trap: press it and you're done for~~
Cracking it gives no sense of achievement at all. It first takes the username and compares it with "ImmIsIME"; if it doesn't match, that's it, and the program exits.
After the username check it checks the serial; likewise, if the serial is "ImmIsIME" it shows "Good!", otherwise it silently exits too...
Breakpoint tip: run with F9 first, fill in the registration info, then set a breakpoint at 42C703; it breaks after about a second, so the check is clearly timer-driven.
0042C6F5 . 66:8378 3A 00 cmp word ptr [eax+3A], 0 ; checks whether already registered; if so, jump away, lifting the time limit
0042C6FA 74 0A je short 0042C706 ;
0042C6FC . 8BD8 mov ebx, eax
0042C6FE . 8BD0 mov edx, eax
0042C700 . 8B43 3C mov eax, dword ptr [ebx+3C]
0042C703 . FF53 38 call dword ptr [ebx+38] ; calls the timer routine; step into it, see Table 1
0042C706 > 5B pop ebx
0042C707 . C3 retn
Table 1:
00459890 /. 55 push ebp
00459891 |. 8BEC mov ebp, esp
00459893 |. 33C9 xor ecx, ecx
00459895 |. 51 push ecx
00459896 |. 51 push ecx
00459897 |. 51 push ecx
00459898 |. 51 push ecx
00459899 |. 51 push ecx
0045989A |. 51 push ecx
0045989B |. 51 push ecx
0045989C |. 53 push ebx
0045989D |. 8BD8 mov ebx, eax
0045989F |. 33C0 xor eax, eax
004598A1 |. 55 push ebp
004598A2 |. 68 5A9A4500 push 00459A5A
004598A7 |. 64:FF30 push dword ptr fs:[eax]
004598AA |. 64:8920 mov dword ptr fs:[eax], esp
004598AD |. 8D55 FC lea edx, dword ptr [ebp-4]
004598B0 |. 8B83 64030000 mov eax, dword ptr [ebx+364]
004598B6 |. E8 9D1AFEFF call 0043B358 ; fetch the fake username and its length
004598BB |. 8B45 FC mov eax, dword ptr [ebp-4] ; EAX now shows the fake username
004598BE |. 8945 F8 mov dword ptr [ebp-8], eax ; stash the address for later
004598C1 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004598C4 |. 85C0 test eax, eax
004598C6 |. 74 05 je short 004598CD ; was a username entered? if not, it's about to say FUCK below
004598C8 |. 83E8 04 sub eax, 4
004598CB |. 8B00 mov eax, dword ptr [eax]
004598CD |> 83F8 08 cmp eax, 8 ; checks that the username is no longer than 8 characters, otherwise FUCK
004598D0 |. 7E 04 jle short 004598D6
004598D2 |. B0 01 mov al, 1
004598D4 |. EB 26 jmp short 004598FC
004598D6 |> 8D55 F4 lea edx, dword ptr [ebp-C]
004598D9 |. 8B83 6C030000 mov eax, dword ptr [ebx+36C]
004598DF |. E8 741AFEFF call 0043B358 ; fetch the fake serial
004598E4 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; EAX now shows the fake serial
004598E7 |. 8945 F8 mov dword ptr [ebp-8], eax ; store the address for later
004598EA |. 8B45 F8 mov eax, dword ptr [ebp-8] ; load the fake serial
004598ED |. 85C0 test eax, eax
004598EF |. 74 05 je short 004598F6 ; is the serial empty? if so it curses
004598F1 |. 83E8 04 sub eax, 4
004598F4 |. 8B00 mov eax, dword ptr [eax]
004598F6 |> 83F8 08 cmp eax, 8 ; compare with 8; SETG sets AL to 0 or 1
004598F9 |. 0F9FC0 setg al ; sets the operand to 1 when greater, otherwise clears it; this is a signed comparison
004598FC |> 84C0 test al, al ; if the flag is 0 we're OK, otherwise FUCK again; i.e. the serial must not exceed 8 characters
004598FE |. 74 29 je short 00459929
00459900 |. B8 709A4500 mov eax, 00459A70 ; fuck!
00459905 |. E8 D63FFDFF call 0042D8E0
0045990A |. 33D2 xor edx, edx
0045990C |. 8B83 64030000 mov eax, dword ptr [ebx+364]
00459912 |. E8 711AFEFF call 0043B388
00459917 |. 33D2 xor edx, edx
00459919 |. 8B83 6C030000 mov eax, dword ptr [ebx+36C]
0045991F |. E8 641AFEFF call 0043B388
00459924 |. E9 0E010000 jmp 00459A37
00459929 |> 8D55 F0 lea edx, dword ptr [ebp-10]
0045992C |. 8B83 64030000 mov eax, dword ptr [ebx+364]
00459932 |. E8 211AFEFF call 0043B358 ; fetch the fake username
00459937 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; EAX now shows the fake username
0045993A |. BA 809A4500 mov edx, 00459A80 ; immisime: fetch the real username
0045993F |. E8 50B1FAFF call 00404A94 ; compare
00459944 |. 75 45 jnz short 0045998B ; must not jump
00459946 |. 8D55 EC lea edx, dword ptr [ebp-14]
00459949 |. 8B83 6C030000 mov eax, dword ptr [ebx+36C]
0045994F |. E8 041AFEFF call 0043B358 ; fetch the fake serial
00459954 |. 8B45 EC mov eax, dword ptr [ebp-14] ; EAX now shows the fake serial
00459957 |. BA 809A4500 mov edx, 00459A80 ; immisime: the real serial
0045995C |. E8 33B1FAFF call 00404A94 ; compare
00459961 |. 75 28 jnz short 0045998B ; must not jump
00459963 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00459966 |. 8B83 64030000 mov eax, dword ptr [ebx+364]
0045996C |. E8 E719FEFF call 0043B358 ; fetch the username again to detect patching, i.e. the check is done twice
00459971 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; EAX now shows the username
00459974 |. 8945 F8 mov dword ptr [ebp-8], eax ; store the address for later
00459977 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; fetch the username
0045997A |. 85C0 test eax, eax ; test for empty
0045997C |. 74 05 je short 00459983 ; must not jump
0045997E |. 83E8 04 sub eax, 4
00459981 |. 8B00 mov eax, dword ptr [eax] ; fetch the username length
00459983 |> 83F8 08 cmp eax, 8 ; compare with 8
00459986 |. 0F94C0 sete al ; when equal (ZF=1) set AL to 1, otherwise clear it, i.e. tests for exactly 8 characters
00459989 |. EB 02 jmp short 0045998D
0045998B |> 33C0 xor eax, eax
0045998D |> 84C0 test al, al ; 检测标志
0045998F |. 74 28 je short 004599B9 ; also jumps if not exactly 8 characters, the sneaky part; a patch would need quite a few changes
00459991 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
00459994 |. 8B83 6C030000 mov eax, dword ptr [ebx+36C]
0045999A |. E8 B919FEFF call 0043B358 ; fetch the serial
0045999F |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; EAX now shows the serial
004599A2 |. 8945 F8 mov dword ptr [ebp-8], eax ; store the address for later
004599A5 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; EAX holds the serial
004599A8 |. 85C0 test eax, eax ; empty? if so it's over, FUCK
004599AA |. 74 05 je short 004599B1
004599AC |. 83E8 04 sub eax, 4
004599AF |. 8B00 mov eax, dword ptr [eax] ; fetch the serial length
004599B1 |> 83F8 08 cmp eax, 8 ; compare with 8
004599B4 |. 0F94C0 sete al ; when equal (ZF=1) set AL to 1, otherwise clear it, i.e. tests for exactly 8 characters
004599B7 |. EB 02 jmp short 004599BB
004599B9 |> 33C0 xor eax, eax
004599BB |> 84C0 test al, al ; 检测标志
004599BD |. 74 1A je short 004599D9 ; also jumps if not exactly 8 characters, the sneaky part; a patch would need quite a few changes
004599BF |. B2 01 mov dl, 1
004599C1 |. 8B83 74030000 mov eax, dword ptr [ebx+374]
004599C7 |. 8B08 mov ecx, dword ptr [eax]
004599C9 |. FF51 68 call dword ptr [ecx+68]
004599CC |. 8B83 60030000 mov eax, dword ptr [ebx+360]
004599D2 |. E8 351FFEFF call 0043B90C
004599D7 |. EB 5E jmp short 00459A37
004599D9 |> E8 32CDFAFF call <jmp.&kernel32.GetTickCount> ; [GetTickCount
004599DE |. B9 E8030000 mov ecx, 3E8
004599E3 |. 33D2 xor edx, edx
004599E5 |. F7F1 div ecx
004599E7 |. 33D2 xor edx, edx
004599E9 |. 2B05 D0054600 sub eax, dword ptr [4605D0]
004599EF |. 1B15 D4054600 sbb edx, dword ptr [4605D4]
004599F5 |. 83FA 00 cmp edx, 0
004599F8 |. 75 07 jnz short 00459A01
004599FA |. 83F8 14 cmp eax, 14
004599FD |. 76 38 jbe short 00459A37
004599FF |. EB 02 jmp short 00459A03
00459A01 |> 7E 34 jle short 00459A37
00459A03 |> E8 08CDFAFF call <jmp.&kernel32.GetTickCount> ; [GetTickCount
00459A08 |. B9 E8030000 mov ecx, 3E8
00459A0D |. 33D2 xor edx, edx
00459A0F |. F7F1 div ecx
00459A11 |. 33D2 xor edx, edx
00459A13 |. 8905 D0054600 mov dword ptr [4605D0], eax
00459A19 |. 8915 D4054600 mov dword ptr [4605D4], edx
00459A1F |. B8 949A4500 mov eax, 00459A94 ; see you!
00459A24 |. E8 B73EFDFF call 0042D8E0
00459A29 |. 8BC3 mov eax, ebx
00459A2B |. E8 A0A5FFFF call 00453FD0
00459A30 |. 8BC3 mov eax, ebx
00459A32 |. E8 219EFAFF call 00403858
00459A37 |> 33C0 xor eax, eax
00459A39 |. 5A pop edx
00459A3A |. 59 pop ecx
00459A3B |. 59 pop ecx
00459A3C |. 64:8910 mov dword ptr fs:[eax], edx
00459A3F |. 68 619A4500 push 00459A61
00459A44 |> 8D45 E4 lea eax, dword ptr [ebp-1C]
00459A47 |. BA 05000000 mov edx, 5
00459A4C |. E8 57ACFAFF call 004046A8
00459A51 |. 8D45 FC lea eax, dword ptr [ebp-4]
00459A54 |. E8 2BACFAFF call 00404684
00459A59 \. C3 retn
Pretty neat idea, putting the comparison in a non-button event; kudos! Heh, but it's not hidden well enough~~
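As an added example (not the crackme's code or the poster's), here is a C model of the decision logic the timer routine in Table 1 implements: the Delphi string length read at [ptr-4], the two-stage length check (no more than 8 first, then exactly 8 after the string compare) and the GetTickCount grace window. The case-insensitive compare against the "immisime" constant and the 20-second window measured from a value stored at startup are assumptions; the dstr_t layout and all inputs are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Delphi long string, as the disassembly reads it: the length dword sits at [ptr-4]
 * and an empty string is a NULL pointer. This layout is constructed for the example. */
typedef struct { int32_t len; char data[32]; } dstr_t;

/* Build a Delphi-style string in a caller-supplied buffer; returns the data pointer. */
static const char *dstr_make(dstr_t *d, const char *text) {
    size_t n = strlen(text);
    if (n >= sizeof d->data) n = sizeof d->data - 1;
    d->len = (int32_t)n;
    memcpy(d->data, text, n);
    d->data[n] = '\0';
    return d->data;
}

/* test eax,eax / sub eax,4 / mov eax,[eax]: NULL means length 0 */
static int32_t dstr_len(const char *p) {
    int32_t n = 0;
    if (p) memcpy(&n, p - 4, sizeof n);
    return n;
}

enum verdict { V_PENDING, V_BAD_INPUT, V_GOOD, V_TIMEOUT };
#define GRACE_SECS 0x14        /* cmp eax,14 */
#define TRUE_NAME  "immisime"  /* constant at 00459A80; case-insensitive match is an assumption */

/* tick_ms stands in for GetTickCount; *start_secs for the 64-bit global at 4605D0/4605D4 */
static enum verdict timer_check(const char *name, const char *serial,
                                uint32_t tick_ms, int64_t *start_secs) {
    /* first gate (004598CD / 004598F6): neither field may exceed 8 characters */
    if (dstr_len(name) > 8 || dstr_len(serial) > 8)
        return V_BAD_INPUT;                      /* "fuck!" and both edit boxes are cleared */
    /* both fields must match, then a second pass (sete) insists on exactly 8 characters */
    if (name && serial && strcasecmp(name, TRUE_NAME) == 0 &&
        strcasecmp(serial, TRUE_NAME) == 0 &&
        dstr_len(name) == 8 && dstr_len(serial) == 8)
        return V_GOOD;                           /* "Good!" */
    /* otherwise the grace period: (tick/1000 - start) as a signed 64-bit difference */
    int64_t elapsed = (int64_t)(tick_ms / 1000u) - *start_secs;
    if (elapsed > GRACE_SECS) {
        *start_secs = tick_ms / 1000u;           /* mov [4605D0],eax ; mov [4605D4],edx */
        return V_TIMEOUT;                        /* "see you!" and the form closes */
    }
    return V_PENDING;                            /* nothing happens until the next tick */
}
```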