快速锁定功能项进行爆破，从而达到跳过网络机制的目的
; --- OllyDbg listing: address | flow marks | opcode bytes | instruction (Win32 x86, Intel syntax, module chkdll) ---
; Sub chkdll.00F7EC04 .. 00F7EC97. Looks like the Borland/Delphi register convention: first arg
; arrives in eax (copied to ebx and used as an object pointer; fields are read at ebx+0x3xx),
; further args in edx/ecx. The body runs under an SEH try/finally frame linked at fs:[0]; the
; finally block at 00F7EC84 releases local.1 ([ebp-4]).
; Callees 00EE4D10 / 00F37B40 / 00EE4DC4 / 00F7D818 / 00F2C2C0 / 00F37B70 / 00EE48D8 are not shown on
; this page, so the role comments below are inferred from register usage only — TODO confirm.
; Risk (defender view): the outcome is a client-side compare against the literal "yes" on a field
; of the object; nothing here checks the integrity or origin of that value, so a verdict that
; matters should be made or re-verified server-side rather than trusted to this branch.
00F7EC04 /. 55 push ebp ; standard frame: save caller's ebp
00F7EC05 |. 8BEC mov ebp,esp
00F7EC07 |. 6A 00 push 0x0 ; local.1 = [ebp-4] = 0 (filled by the call at 00F7EC35, released at 00F7EC84)
00F7EC09 |. 53 push ebx ; ebx is callee-saved; restored at 00F7EC94
00F7EC0A |. 8BD8 mov ebx,eax ; ebx = first arg (object pointer, presumed)
00F7EC0C |. 33C0 xor eax,eax ; eax = 0 so fs:[eax] below means fs:[0], the SEH chain head
00F7EC0E |. 55 push ebp ; SEH record: saved ebp ...
00F7EC0F |. 68 8DECF700 push chkdll.00F7EC8D ; ... handler address (code at 00F7EC8D) ...
00F7EC14 |. 64:FF30 push dword ptr fs:[eax] ; ... link to the previous record
00F7EC17 |. 64:8920 mov dword ptr fs:[eax],esp ; install: fs:[0] now points at this record (try begins)
00F7EC1A |. 8B83 40030000 mov eax,dword ptr ds:[ebx+0x340] ; eax = field +0x340 (a string, judging by the compare below — confirm)
00F7EC20 |. BA A0ECF700 mov edx,chkdll.00F7ECA0 ; yes ; edx = address of the literal "yes" (Olly's annotation)
00F7EC25 |. E8 E660F6FF call chkdll.00EE4D10 ; compare eax vs edx, result in flags (equality helper, presumed)
00F7EC2A |. 74 3A je short chkdll.00F7EC66 ; ZF set -> 00F7EC66 (equal, if the helper keeps cmp-style flags — confirm)
00F7EC2C |. 8D55 FC lea edx,[local.1] ; edx = &local.1 (out-param)
00F7EC2F |. 8B83 08030000 mov eax,dword ptr ds:[ebx+0x308] ; eax = field +0x308
00F7EC35 |. E8 068FFBFF call chkdll.00F37B40 ; writes its result into local.1 (getter-style callee, presumed)
00F7EC3A |. 8B45 FC mov eax,[local.1] ; eax = that result
00F7EC3D |. E8 8261F6FF call chkdll.00EE4DC4 ; role not visible on this page — TODO confirm
00F7EC42 |. 8B8B 34030000 mov ecx,dword ptr ds:[ebx+0x334] ; third arg = field +0x334
00F7EC48 |. 8B93 30030000 mov edx,dword ptr ds:[ebx+0x330] ; second arg = field +0x330 (eax as left by 00EE4DC4)
00F7EC4E |. E8 C5EBFFFF call chkdll.00F7D818 ; returns a byte in al (tested next)
00F7EC53 |. 84C0 test al,al
00F7EC55 |. 74 20 je short chkdll.00F7EC77 ; al == 0 -> straight to the epilogue
00F7EC57 |. B2 01 mov dl,0x1 ; dl = 1 (boolean arg, presumed)
00F7EC59 |. 8B83 18030000 mov eax,dword ptr ds:[ebx+0x318] ; eax = field +0x318
00F7EC5F |. E8 5CD6FAFF call chkdll.00F2C2C0 ; setter-style call with (eax, dl=1), presumed
00F7EC64 |. EB 11 jmp short chkdll.00F7EC77 ; done; skip the else-path
00F7EC66 |> 8B93 44030000 mov edx,dword ptr ds:[ebx+0x344] ; else-path (reached from 00F7EC2A): edx = field +0x344
00F7EC6C |. 8B83 14030000 mov eax,dword ptr ds:[ebx+0x314] ; eax = field +0x314
00F7EC72 |. E8 F98EFBFF call chkdll.00F37B70 ; (eax, edx) call; role not visible here
00F7EC77 |> 33C0 xor eax,eax ; epilogue: eax = 0 for fs:[eax]
00F7EC79 |. 5A pop edx ; 0012F998 ; edx = previous SEH record (the link pushed at 00F7EC14)
00F7EC7A |. 59 pop ecx ; 0012F998 ; discard the handler address
00F7EC7B |. 59 pop ecx ; 0012F998 ; discard the saved ebp
00F7EC7C |. 64:8910 mov dword ptr fs:[eax],edx ; unlink: fs:[0] = previous record (try ends)
00F7EC7F |. 68 94ECF700 push chkdll.00F7EC94 ; push a continuation so the retn at 00F7EC8C lands at 00F7EC94
00F7EC84 |> 8D45 FC lea eax,[local.1] ; finally block: eax = &local.1
00F7EC87 |. E8 4C5CF6FF call chkdll.00EE48D8 ; release local.1 (clear/free helper, presumed)
00F7EC8C \. C3 retn ; "returns" to 00F7EC94 (pushed at 00F7EC7F), not to the caller
00F7EC8D .^ E9 5A54F6FF jmp chkdll.00EE40EC ; SEH handler entry (registered at 00F7EC0F): tail-jump into the runtime handler
00F7EC92 .^ EB F0 jmp short chkdll.00F7EC84 ; unwind path: the runtime re-enters the finally block through here (presumed)
00F7EC94 . 5B pop ebx ; 0012F998 ; restore callee-saved ebx
00F7EC95 . 59 pop ecx ; 0012F998 ; drop the local.1 slot
00F7EC96 . 5D pop ebp ; 0012F998 ; restore caller's ebp
00F7EC97 . C3 retn ; return to the real caller
注册按钮的事件
堆栈地址=0012F624
edx=00FC5EE8, (ASCII "http://768087.yeewg.com/setcheck//getyy.asp?s1=6c60868a764300bde9d8599116e6f4e4")
这一句与网页通信后得到的结果是：
no|注册码错误!请检查您是否正确输入。||no|注册码错误!请检查您是否正确输入。||
00F7DB18 |. BA A4DDF700 mov edx,chkdll.00F7DDA4 ; |
00F7DB1D |. 8B45 D8 mov eax,[local.10]
00F7DB20 |. E8 4B53FFFF call chkdll.00F72E70
00F7DB25 |. 8BD0 mov edx,eax
00F7DB27 |. 8B45 CC mov eax,[local.13]
00F7DB2A |. 8B08 mov ecx,dword ptr ds:[eax]
00F7DB2C |. FF51 40 call dword ptr ds:[ecx+0x40]
分割字符串，用于判断
0055D90F /75 1E jnz short 4586631.0055D92F
0055D911 |8B83 95040000 mov eax,dword ptr ds:[ebx+0x495] ; 4586631.00400000
0055D917 |8BD0 mov edx,eax
0055D919 |2B93 B1040000 sub edx,dword ptr ds:[ebx+0x4B1] ; 4586631.00400000
0055D91F |03D0 add edx,eax
0055D921 |0393 B5040000 add edx,dword ptr ds:[ebx+0x4B5]
0055D927 |8955 F8 mov dword ptr ss:[ebp-0x8],edx ; ntdll.7C99C0D8
0055D92A |8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
0055D92D -|FFE0 jmp eax
0055D92F \6A 00 push 0x0
0055D931 FF53 18 call dword ptr ds:[ebx+0x18] ; kernel32.ExitProcess
调用退出语句
标准的易语言入口
0048BF8D 55 push ebp
0048BF8E 8BEC mov ebp,esp
0048BF90 6A FF push -0x1
0048BF92 68 C0F84C00 push 4586631.004CF8C0
0048BF97 68 C4EA4800 push 4586631.0048EAC4
0048BF9C 64:A1 00000000 mov eax,dword ptr fs:[0]
0048BFA2 50 push eax ; 4586631.0055C02C
0048BFA3 64:8925 0000000>mov dword ptr fs:[0],esp
0048BFAA 83EC 58 sub esp,0x58
0048BFAD 53 push ebx ; 4586631.0055D000
0048BFAE 56 push esi
0048BFAF 57 push edi
0048BFB0 8965 E8 mov dword ptr ss:[ebp-0x18],esp
0048BFB3 FF15 F0014B00 call dword ptr ds:[<&KERNEL32.GetVersion>;
当我们破解程序限制时，可以借助彗星小助手和XT去查找它是否有多窗体；如果有多窗体，我们可以通过这两个工具穿透第一层验证窗体，进入第二层，实施功能爆破