【文章标题】: sF_crmeRECC
【软件名称】: sF_crmeRECC
【软件大小】: 269K
【编写语言】: Delphi
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
——————————————————————————–
【详细过程】
通过查壳为Delphi编写..提示框内容有点象英文..
DEDE打开查看信息..btnOKclick的偏移地址:0042F2C0,于是OD打开程序.
查找到42F2C0,F2下断.F9..填入测试码
0042F2C0 . E8 03FFFFFF CALL sF_crmeR.0042F1C8 //断到这里,F7跟进
0042F2C5 . C3 RETN
0042F2C6 8BC0 MOV EAX,EAX
0042F2C8 /$ 55 PUSH EBP
0042F2C9 |. 8BEC MOV EBP,ESP
0042F1D8 |. 55 PUSH EBP
0042F1D9 |. 68 B1F24200 PUSH sF_crmeR.0042F2B1
0042F1DE |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0042F1E1 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0042F1E4 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0042F1E7 |. 8B87 EC010000 MOV EAX,DWORD PTR DS:[EDI+1EC]
0042F1ED |. E8 2EADFEFF CALL sF_crmeR.00419F20
0042F1F2 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] //测试码放入EAX中
0042F1F5 |. 8078 05 2D CMP BYTE PTR DS:[EAX+5],2D //比较测试码第六位是否等于“2D”(2D转换后为‘-’)
0042F1F9 |. 0F85 88000000 JNZ sF_crmeR.0042F287 //不等则跳
0042F1FF |. B3 01 MOV BL,1
0042F201 |. BE F0084300 MOV ESI,sF_crmeR.004308F0
0042F206 |> 8D55 F4 /LEA EDX,DWORD PTR SS:[EBP-C]
0042F209 |. 8B87 EC010000 |MOV EAX,DWORD PTR DS:[EDI+1EC]
0042F20F |. E8 0CADFEFF |CALL sF_crmeR.00419F20
0042F214 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C] //测试码长度
0042F217 |. 33D2 |XOR EDX,EDX
0042F219 |. 8AD3 |MOV DL,BL
0042F21B |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1]
0042F21F |. 3A06 |CMP AL,BYTE PTR DS:[ESI] //取测试码前五位依次与SN比较 88451
0042F221 |. 74 09 |JE SHORT sF_crmeR.0042F22C
0042F223 |. 8BC7 |MOV EAX,EDI
0042F225 |. E8 6A020000 |CALL sF_crmeR.0042F494
0042F22A |. EB 62 |JMP SHORT sF_crmeR.0042F28E
0042F22C |> 43 |INC EBX
0042F22D |. 46 |INC ESI
0042F22E |. 80FB 06 |CMP BL,6
0042F231 |.^ 75 D3 JNZ SHORT sF_crmeR.0042F206 //测试完前六位后跳出
0042F233 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0042F236 |. 8B87 EC010000 MOV EAX,DWORD PTR DS:[EDI+1EC]
0042F23C |. E8 DFACFEFF CALL sF_crmeR.00419F20
0042F241 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0042F244 |. 50 PUSH EAX
0042F245 |. B9 0B000000 MOV ECX,0B
0042F24A |. BA 07000000 MOV EDX,7
0042F24F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0042F252 |. E8 6D47FDFF CALL sF_crmeR.004039C4
0042F257 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0042F25A |. E8 7573FDFF CALL sF_crmeR.004065D4
0042F25F |. 8BD8 MOV EBX,EAX
0042F261 |. 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
0042F264 |. 33D2 XOR EDX,EDX
0042F266 |. 8BC3 MOV EAX,EBX
0042F268 |. E8 2B73FDFF CALL sF_crmeR.00406598
0042F26D |. 81FB BF1B0100 CMP EBX,11BBF //后五位转换16进制与11BBF比较
0042F273 |. 75 09 JNZ SHORT sF_crmeR.0042F27E //相等则成功
0042F275 |. 8BC7 MOV EAX,EDI
0042F277 |. E8 74010000 CALL sF_crmeR.0042F3F0
0042F27C |. EB 10 JMP SHORT sF_crmeR.0042F28E
0042F27E |> 8BC7 MOV EAX,EDI
0042F280 |. E8 0F020000 CALL sF_crmeR.0042F494
——————————————————————————–
【版权声明】: 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
2007年08月06日 1:00:15
[原创] 分析sF_crmeRECC
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » [原创] 分析sF_crmeRECC
![Ubuntu 16.04 LTS 0day priv escalation[最新提权漏洞]-微慑信息网-VulSee.com](http://vulsee.com/wp-content/uploads/2018/03/712.png)
![[业界] 国内热门软件作者真人照片(附多图)-微慑信息网-VulSee.com](http://www.pconline.com.cn/news/yj/0603/pic/060306-news-maxthon3.jpg)
![[八卦] 王婷婷—揭秘一个大三女生的性爱录像-微慑信息网-VulSee.com](http://free.86hy.com/crack/pic/1.jpg)
![[随笔]今天国际警察节-微慑信息网-VulSee.com](http://photo.sohu.com/20041017/Img222528326.jpg)
青云网
