Title: emailverify.exe registration and DIY
Link: http://www.unpack.cn/viewthread.php?tid=20465
Poster: kongfoo
Date: 2007-12-20 16:11
A domestic (Chinese-made) email verification tool: it simulates sending mail to check whether an email address is valid. Very old software; the file's creation date is December 2001. Written in Delphi, no packer. Throw it into DeDe. It needs registration.
Browsing through the code in DeDe, find TForm1.N10Click:
004A00D4 55 push ebp
004A00D5 8BEC mov ebp, esp
004A00D7 83C4D4 add esp, -$2C
004A00DA 53 push ebx
004A00DB 56 push esi
004A00DC 33C9 xor ecx, ecx
004A00DE 894DD4 mov [ebp-$2C], ecx
004A00E1 894DFC mov [ebp-$04], ecx
004A00E4 8BD8 mov ebx, eax
004A00E6 33C0 xor eax, eax
004A00E8 55 push ebp
004A00E9 6867024A00 push $004A0267
***** TRY
|
004A00EE 64FF30 push dword ptr fs:[eax]
004A00F1 648920 mov fs:[eax], esp
004A00F4 8D45FC lea eax, [ebp-$04]
* Possible String Reference to: '00000000'
|
004A00F7 BA7C024A00 mov edx, $004A027C
* Reference to: system.@LStrLAsg;
|
004A00FC E8573BF6FF call 00403C58
004A0101 8D4DFC lea ecx, [ebp-$04]
* Possible String Reference to: '请输入您的软件注册号' (Please enter your software registration number)
|
004A0104 BA90024A00 mov edx, $004A0290
* Possible String Reference to: '登记注册' (Register)
|
004A0109 B8B0024A00 mov eax, $004A02B0
* Reference to: dialogs.InputQuery(AnsiString;AnsiString;AnsiString;AnsiString):Boolean;
|
004A010E E899EAFAFF call 0044EBAC == shows the registration code input dialog
004A0113 3C01 cmp al, $01
004A0115 0F852E010000 jnz 004A0249
004A011B 8D55D4 lea edx, [ebp-$2C]
004A011E 8B45FC mov eax, [ebp-$04]
* Reference to: sysutils.Trim(AnsiString):AnsiString;
|
004A0121 E82685F6FF call 0040864C
004A0126 8B45D4 mov eax, [ebp-$2C]
* Reference to: sysutils.StrToInt64(AnsiString):Int64;
|
004A0129 E83E87F6FF call 0040886C
004A012E 8945F0 mov [ebp-$10], eax
004A0131 8955F4 mov [ebp-$0C], edx
004A0134 6A00 push $00
004A0136 689A020000 push $0000029A == divide by 666 ($29A)
004A013B 8B45F0 mov eax, [ebp-$10]
004A013E 8B55F4 mov edx, [ebp-$0C]
* Reference to: system.@_lldiv;
|
004A0141 E85C62F6FF call 004063A2
004A0146 8945F0 mov [ebp-$10], eax
004A0149 8955F4 mov [ebp-$0C], edx
004A014C 8B45F0 mov eax, [ebp-$10]
004A014F 8B55F4 mov edx, [ebp-$0C]
004A0152 2D19D90000 sub eax, $0000D919 == subtract 55577
004A0157 83DA00 sbb edx, +$00
004A015A 8945F0 mov [ebp-$10], eax
004A015D 8955F4 mov [ebp-$0C], edx
004A0160 8D45D8 lea eax, [ebp-$28]
|
004A0163 E808BDFFFF call 0049BE70 == fetch the CPUID data
004A0168 8B45D8 mov eax, [ebp-$28]
004A016B 99 cdq
004A016C 8945E8 mov [ebp-$18], eax
004A016F 8955EC mov [ebp-$14], edx
004A0172 8B45F0 mov eax, [ebp-$10]
004A0175 8B55F4 mov edx, [ebp-$0C]
004A0178 3B55EC cmp edx, [ebp-$14]
004A017B 0F85B3000000 jnz 004A0234 == compare
004A0181 3B45E8 cmp eax, [ebp-$18]
004A0184 0F85AA000000 jnz 004A0234
004A018A 6A00 push $00
004A018C 668B0DBC024A00 mov cx, word ptr [$004A02BC]
004A0193 B202 mov dl, $02
* Possible String Reference to: '软件登记注册成功!' (Software registration successful!)
The registration code is (cpuid + 55577) * 666; lift the whole routine at 49be70 out and you can write a keygen:
0049BE70 53 push ebx
0049BE71 57 push edi
0049BE72 89C7 mov edi, eax
0049BE74 B801000000 mov eax, $00000001
0049BE79 0FA2 cpuid
0049BE7B AB stosd
0049BE7C 89D8 mov eax, ebx
0049BE7E AB stosd
0049BE7F 89C8 mov eax, ecx
0049BE81 AB stosd
0049BE82 89D0 mov eax, edx
0049BE84 AB stosd
0049BE85 5F pop edi
0049BE86 5B pop ebx
0049BE87 C3 ret
Code:
unit Unit1;

interface

uses
  Windows, SysUtils, Classes, Controls, Forms, StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Edit1: TEdit;
    procedure Button1Click(Sender: TObject);
  end;

var
  Form1: TForm1;
  returnValue: array[0..3] of DWord; // EAX, EBX, ECX, EDX returned by CPUID leaf 1

implementation

{$R *.dfm}

// Copy of the target's routine at 0049BE70: expects the buffer address in EAX
// (Delphi register convention), runs CPUID with EAX = 1 and stores the four
// result registers into the buffer.
procedure getCode;
asm
  push ebx
  push edi
  mov edi, eax
  mov eax, $00000001
  cpuid
  stosd
  mov eax, ebx
  stosd
  mov eax, ecx
  stosd
  mov eax, edx
  stosd
  pop edi
  pop ebx
  ret
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  asm
    lea eax, returnValue
    call getCode
  end;
  // Serial = (CPUID.1:EAX + 55577) * 666, the inverse of the check in N10Click
  Edit1.Text := IntToStr((returnValue[0] + 55577) * 666);
end;

end.
Registration OK.
Exporting valid, invalid and unknown email addresses still prompts that only paid users can use the feature.
A hidden check? Let's look in DeDe:
004A044C 6A00 push $00
004A044E 668B0D64044A00 mov cx, word ptr [$004A0464]
004A0455 B202 mov dl, $02
* Possible String Reference to: '付费注册用户才能保存电邮' (Only paid registered users can save emails)
|
004A0457 B870044A00 mov eax, $004A0470
|
004A045C E82FE6FAFF call 0044EA90
004A0461 C3 ret
Ugh, the software itself is not the full version.
Let's look at the other export-email-address functions:
004A0497 8BD8 mov ebx, eax
004A0499 33C0 xor eax, eax
004A049B 55 push ebp
004A049C 68AB054A00 push $004A05AB
***** TRY
|
004A04A1 64FF30 push dword ptr fs:[eax]
004A04A4 648920 mov fs:[eax], esp
* Reference to control ComboBox2 : N.A.
|
004A04A7 8B8314050000 mov eax, [ebx+$0514]
004A04AD 83780C09 cmp dword ptr [eax+$0C], +$09
004A04B1 741A jz 004A04CD
004A04B3 6A00 push $00
004A04B5 668B0DB8054A00 mov cx, word ptr [$004A05B8]
004A04BC B202 mov dl, $02
* Possible String Reference to: '付费注册用户才能保存电邮' (Only paid registered users can save emails)
...
The enclosing function is N26Click, which does have real functionality: it exports the email addresses whose domain could not be resolved. N33Click, N34Click and N35Click are the same.
After registering with the keygen, these functional routines all work correctly and no longer show '付费注册用户才能保存电邮' (only paid registered users can save emails).
The export of valid and invalid email addresses, on the other hand, has no implementing code at all, only a dialog; the developer never released the full version. So, time to DIY.
The export workflow: in the verification-result StringGrid, column 3 holds the verification status, and rows are exported based on a string comparison against that status.
So we can add the new functionality on top of the existing one: adapting one of the working export routines is enough.
Only the string comparison part needs to change.
N33Click's code:
004ACCDC 55 push ebp
004ACCDD 8BEC mov ebp, esp
004ACCDF 6A00 push $00
004ACCE1 6A00 push $00
004ACCE3 6A00 push $00
004ACCE5 53 push ebx
004ACCE6 56 push esi
004ACCE7 8BD8 mov ebx, eax
004ACCE9 33C0 xor eax, eax
004ACCEB 55 push ebp
004ACCEC 68FBCD4A00 push $004ACDFB
***** TRY
|
004ACCF1 64FF30 push dword ptr fs:[eax]
004ACCF4 648920 mov fs:[eax], esp
* Reference to control ComboBox2 : N.A.
|
004ACCF7 8B8314050000 mov eax, [ebx+$0514]
004ACCFD 83780C09 cmp dword ptr [eax+$0C], +$09
004ACD01 741A jz 004ACD1D
004ACD03 6A00 push $00
004ACD05 668B0D08CE4A00 mov cx, word ptr [$004ACE08]
004ACD0C B202 mov dl, $02
* Possible String Reference to: '付费注册用户才能保存电邮' (Only paid registered users can save emails)
|
004ACD0E B814CE4A00 mov eax, $004ACE14
|
004ACD13 E8781DFAFF call 0044EA90
004ACD18 E9BB000000 jmp 004ACDD8
004ACD1D A1F01B4B00 mov eax, dword ptr [$004B1BF0]
* Reference to: controls.TControl.Refresh(TControl);
|
004ACD22 E869F2F7FF call 0042BF90
* Reference to control SaveDialog1 : N.A.
|
004ACD27 8B834C030000 mov eax, [ebx+$034C]
004ACD2D 8B10 mov edx, [eax]
004ACD2F FF523C call dword ptr [edx+$3C]
004ACD32 84C0 test al, al
004ACD34 0F849E000000 jz 004ACDD8
004ACD3A BE01000000 mov esi, $00000001
004ACD3F 8D55FC lea edx, [ebp-$04]
* Reference to control SaveDialog1 : N.A.
|
004ACD42 8B834C030000 mov eax, [ebx+$034C]
* Reference to: dialogs.TOpenDialog.GetFileName(TOpenDialog):TFileName;
|
004ACD48 E8D313FAFF call 0044E120
004ACD4D 8B55FC mov edx, [ebp-$04]
004ACD50 B8481F4B00 mov eax, $004B1F48
* Reference to: system.@Assign(Text;Text;ShortString);
|
004ACD55 E8308DF5FF call 00405A8A
004ACD5A B8481F4B00 mov eax, $004B1F48
|
004ACD5F E86690F5FF call 00405DCA
|
004ACD64 E8835AF5FF call 004027EC
004ACD69 3B3518214B00 cmp esi, [$004B2118]
004ACD6F 7F58 jnle 004ACDC9
004ACD71 8D45F8 lea eax, [ebp-$08]
004ACD74 50 push eax
004ACD75 8BCE mov ecx, esi
004ACD77 BA02000000 mov edx, $00000002
* Reference to control StringGrid1 : N.A.
|
004ACD7C 8B83B4030000 mov eax, [ebx+$03B4]
* Reference to: grids.TStringGrid.GetCells(TStringGrid;Integer;Integer):AnsiString;
|
004ACD82 E87D92FBFF call 00466004
004ACD87 8B45F8 mov eax, [ebp-$08]
* Possible String Reference to: '无法解析域名' (Domain name could not be resolved)
|
004ACD8A BA38CE4A00 mov edx, $004ACE38 == patch here
* Reference to: system.@LStrCmp;
|
004ACD8F E8BC71F5FF call 00403F50
004ACD94 752A jnz 004ACDC0
004ACD96 8D45F4 lea eax, [ebp-$0C]
004ACD99 50 push eax
004ACD9A 8BCE mov ecx, esi
004ACD9C 33D2 xor edx, edx
* Reference to control StringGrid1 : N.A.
|
004ACD9E 8B83B4030000 mov eax, [ebx+$03B4]
* Reference to: grids.TStringGrid.GetCells(TStringGrid;Integer;Integer):AnsiString;
|
004ACDA4 E85B92FBFF call 00466004
004ACDA9 8B55F4 mov edx, [ebp-$0C]
004ACDAC B8481F4B00 mov eax, $004B1F48
* Reference to: system.@Write0Bool;
| or: system.@Write0Long;
| or: system.@Write0LString;
|
004ACDB1 E82274F5FF call 004041D8
|
004ACDB6 E82092F5FF call 00405FDB
|
004ACDBB E82C5AF5FF call 004027EC
004ACDC0 46 inc esi
004ACDC1 3B3518214B00 cmp esi, [$004B2118]
004ACDC7 7EA8 jle 004ACD71
004ACDC9 B8481F4B00 mov eax, $004B1F48
* Reference to: system.@Close;
|
004ACDCE E8BD8DF5FF call 00405B90
|
004ACDD3 E8145AF5FF call 004027EC
004ACDD8 33C0 xor eax, eax
004ACDDA 5A pop edx
004ACDDB 59 pop ecx
004ACDDC 59 pop ecx
004ACDDD 648910 mov fs:[eax], edx
****** FINALLY
|
004ACDE0 6802CE4A00 push $004ACE02
004ACDE5 8D45F4 lea eax, [ebp-$0C]
004ACDE8 BA02000000 mov edx, $00000002
* Reference to: system.@LStrArrayClr;
|
004ACDED E8F26DF5FF call 00403BE4
004ACDF2 8D45FC lea eax, [ebp-$04]
* Reference to: system.@LStrClr(String;String);
|
004ACDF5 E8C66DF5FF call 00403BC0
004ACDFA C3 ret
* Reference to: system.@HandleFinally;
|
004ACDFB E9D467F5FF jmp 004035D4
004ACE00 EBE3 jmp 004ACDE5
****** END
|
004ACE02 5E pop esi
004ACE03 5B pop ebx
004ACE04 8BE5 mov esp, ebp
004ACE06 5D pop ebp
004ACE07 C3 ret
Non-functional routines: N16Click (4a0364) and N25Click (4a044c). Test in OD to see which feature each one is:
N16Click is export valid addresses, N25Click is export invalid addresses.
Originally I wanted to find an empty area and move the whole of N33Click's code above into it, but the file does not have enough physical space,
so I had to patch the code instead. btw, enlarging the CODE section's physical size with PEEditor and then rebuilding the PE with LordPE does not
really enlarge the CODE section's physical space.
At 4ACD8A, jump into the patch code for separate handling.
patch(1)
First find a spot in the data section for a flag, set before the menu click calls the function, to distinguish it from the original function. 4ae0b0 is used here.
004AD93D 803D B0E04A00 01 cmp byte ptr [4AE0B0], 1 == export the valid list?
004AD944 74 10 je short 004AD956
004AD946 803D B0E04A00 02 cmp byte ptr [4AE0B0], 2 == export the invalid list?
004AD94D 74 0E je short 004AD95D
004AD94F BA 38CE4A00 mov edx, 004ACE38 == the string used by the original function
004AD954 EB 0C jmp short 004AD962
004AD956 BA 6BD94A00 mov edx, 004AD96B == '邮件地址正确' (address correct, i.e. valid)
004AD95B EB 05 jmp short 004AD962
004AD95D BA 7DD94A00 mov edx, 004AD97D == '邮件地址错误' (address wrong, i.e. invalid)
004AD962 ^ E9 28F4FFFF jmp 004ACD8F
004AD967 0C 00 or al, 0 == because LStrCmp is called next to do the comparison and its parameter must be a string, a string-typed value has to be constructed,
004AD969 0000 add byte ptr [eax], al == i.e. the DWORD in front of the characters holds the string length. Otherwise LStrCmp's result is wrong.
004AD96B D3CA ror edx, cl
004AD96D BC FEB5D8D6 mov esp, D6D8B5FE
004AD972 B7 D5 mov bh, 0D5
004AD974 FD std
004AD975 C8 B70000 enter 0B7, 0
004AD979 0C 00 or al, 0
004AD97B 0000 add byte ptr [eax], al
004AD97D D3CA ror edx, cl
004AD97F BC FEB5D8D6 mov esp, D6D8B5FE
004AD984 B7 B4 mov bh, 0B4
004AD986 ED in eax, dx
004AD987 CE into
004AD988 F3: prefix rep:
80 3D B0 E0 4A 00 01 74 10 80 3D B0 E0 4A 00 02 74 0E BA 38 CE 4A 00 EB 0C BA 6B D9 4A 00 EB 05
BA 7D D9 4A 00 E9 28 F4 FF FF 0C 00 00 00 D3 CA BC FE B5 D8 D6 B7 D5 FD C8 B7 00 00 0C 00 00 00
D3 CA BC FE B5 D8 D6 B7 B4 ED CE F3
Offset: 4ad93d-400000-c00 (section VA minus raw address) = acd3d
patch(2)
004ACD8A BA 38CE4A00 MOV EDX,emailver.004ACE38
changed to:
004ACD8A /E9 AE0B0000 JMP 004AD93D
Offset: 4acd8a-400000-c00 = ac18a
patch(3)
N16Click code patch:
004A0364 C605 B0E04A00 01 MOV BYTE PTR DS:[4AE0B0],1
004A036B E8 6CC90000 CALL emailver.004ACCDC
004A0370 C605 B0E04A00 00 MOV BYTE PTR DS:[4AE0B0],0
004A0377 90 NOP
004A0378 90 NOP
004A0379 C3 RETN
C6 05 B0 E0 4A 00 01 E8 6C C9 00 00 C6 05 B0 E0 4A 00 00 90 90 C3
Offset: 9f764
patch(4)
N25Click code patch:
004A044C C605 B0E04A00 02 MOV BYTE PTR DS:[4AE0B0],2
004A0453 E8 84C80000 CALL emailver.004ACCDC
004A0458 C605 B0E04A00 00 MOV BYTE PTR DS:[4AE0B0],0
004A045F 90 NOP
004A0460 90 NOP
004A0461 C3 RETN
C6 05 B0 E0 4A 00 02 E8 84 C8 00 00 C6 05 B0 E0 4A 00 00 90 90 C3
Offset: 9f84c
Edit it with a hex tool, run and test: OK, done. The software is very old; I figure posting it for interested brothers to play with does no harm?
下载链接:http://www.unpack.cn/attachment.php?aid=13939
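As an added, worked example that is not part of the original post or of the software itself, the following Python script re-implements the serial check read from N10Click, the keygen for it, and the byte arithmetic behind the four patches above: the VA-to-file-offset formula, the E8/E9 displacements, the length-prefixed strings placed in the cave, and the flag-setting stubs. It also applies the patches to a bytearray copy of the file while checking, for patch(2) and patch(4), that the bytes being overwritten are the ones the listings show. Assumptions: the strings are encoded with the GBK codec (which reproduces the hex dump above), CPUID.1:EAX is supplied as a number rather than read from the CPU, and the section delta of 0xC00 applies to all four addresses, as the post's own offset arithmetic does. The binary itself is not included; the image used for testing is a constructed zero-filled buffer with the known original bytes placed at their offsets.

```python
"""Added example, not code from the original post: Python re-implementation of the serial
check read from TForm1.N10Click, its keygen, and the byte arithmetic behind the four
patches (VA -> file offset, rel32 for E8/E9, length-prefixed AnsiString constants).
Addresses and constants come from the post; CPUID.1:EAX is passed in, not read."""
import struct

DIVISOR, OFFSET = 0x29A, 0xD919   # 666 ('push $0000029A') and 55577 ('sub eax, $0000D919')

def _lldiv(a, b):
    """Delphi system.@_lldiv truncates toward zero; Python's // floors."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q

def _as_int32(eax):
    """CDQ sign-extends EAX into EDX:EAX, so the 64-bit compare sees EAX as signed."""
    return struct.unpack('<i', struct.pack('<I', eax & 0xFFFFFFFF))[0]

def check_serial(serial_text, cpuid_eax):
    """Mirror of N10Click: StrToInt64(Trim(s)) div 666 - 55577 == Int64(CPUID.1:EAX)."""
    try:
        value = int(serial_text.strip())   # StrToInt64's '$hex' form is not mirrored
    except ValueError:
        return False                       # StrToInt64 would raise EConvertError
    return _lldiv(value, DIVISOR) - OFFSET == _as_int32(cpuid_eax)

def make_serial(cpuid_eax):
    """Keygen: (CPUID.1:EAX + 55577) * 666, the inverse of check_serial."""
    return str((_as_int32(cpuid_eax) + OFFSET) * DIVISOR)

# ---- patch arithmetic (all addresses from the post) ----
IMAGE_BASE, CODE_VA_MINUS_RAW = 0x400000, 0xC00  # CODE section: VA minus raw offset
FLAG_VA = 0x4AE0B0      # flag byte in the data section: 0 original, 1 valid, 2 invalid
CAVE_VA = 0x4AD93D      # code cave holding patch(1)
ORIG_STR_VA = 0x4ACE38  # '无法解析域名', the string N33Click compares against
RESUME_VA = 0x4ACD8F    # the 'call @LStrCmp' right after the patched mov
PATCH2_VA = 0x4ACD8A    # 'mov edx, $004ACE38' in N33Click, replaced by a jmp to the cave
N33CLICK_VA, N16CLICK_VA, N25CLICK_VA = 0x4ACCDC, 0x4A0364, 0x4A044C

def va_to_file_offset(va):
    return va - IMAGE_BASE - CODE_VA_MINUS_RAW

def imm32(value):
    return struct.pack('<I', value)

def rel32_branch(opcode, src_va, dst_va):
    """E8 (call) / E9 (jmp): the displacement is relative to the next instruction."""
    return bytes([opcode]) + struct.pack('<i', dst_va - (src_va + 5))

def ansistring_const(text):
    """Length DWORD then GBK bytes: @LStrCmp reads the length at [ptr-4], so the patch
    passes the address of the first character. A compare never touches the refcount
    at [ptr-8], which is why the post can omit it."""
    raw = text.encode('gbk')
    return imm32(len(raw)) + raw

def build_patch1():
    """The cave: pick the compare string by flag, then jump back into N33Click."""
    valid_va = CAVE_VA + 42 + 4          # first char of '邮件地址正确' (42 bytes of code)
    invalid_va = valid_va + 12 + 2 + 4   # the post leaves two zero bytes after the first string
    code = (b'\x80\x3D' + imm32(FLAG_VA) + b'\x01'    # cmp byte ptr [flag], 1
            + b'\x74\x10'                               # je  -> load 'valid' string
            + b'\x80\x3D' + imm32(FLAG_VA) + b'\x02'    # cmp byte ptr [flag], 2
            + b'\x74\x0E'                               # je  -> load 'invalid' string
            + b'\xBA' + imm32(ORIG_STR_VA)              # mov edx, original string
            + b'\xEB\x0C'                               # jmp -> resume
            + b'\xBA' + imm32(valid_va)                 # mov edx, '邮件地址正确'
            + b'\xEB\x05'                               # jmp -> resume
            + b'\xBA' + imm32(invalid_va)               # mov edx, '邮件地址错误'
            + rel32_branch(0xE9, CAVE_VA + 37, RESUME_VA))  # jmp 004ACD8F
    assert len(code) == 42
    return code + ansistring_const('邮件地址正确') + b'\x00\x00' + ansistring_const('邮件地址错误')

def build_stub(stub_va, flag_value):
    """Patches (3)/(4): set the flag, call N33Click (Self is still in EAX), clear the flag."""
    return (b'\xC6\x05' + imm32(FLAG_VA) + bytes([flag_value])   # mov byte ptr [flag], n
            + rel32_branch(0xE8, stub_va + 7, N33CLICK_VA)         # call 004ACCDC
            + b'\xC6\x05' + imm32(FLAG_VA) + b'\x00'               # mov byte ptr [flag], 0
            + b'\x90\x90\xC3')                                     # nop; nop; ret

def build_patches():
    """(file offset, original bytes where the post shows them or None, replacement bytes)."""
    n25_orig = bytes.fromhex('6A00 668B0D64044A00 B202 B870044A00 E82FE6FAFF C3')
    return [
        (va_to_file_offset(CAVE_VA), None, build_patch1()),
        (va_to_file_offset(PATCH2_VA), bytes.fromhex('BA38CE4A00'), rel32_branch(0xE9, PATCH2_VA, CAVE_VA)),
        (va_to_file_offset(N16CLICK_VA), None, build_stub(N16CLICK_VA, 1)),
        (va_to_file_offset(N25CLICK_VA), n25_orig, build_stub(N25CLICK_VA, 2)),
    ]

def apply_patches(image, patches):
    """Patch a bytearray copy of the file, refusing where known original bytes differ."""
    for off, orig, new in patches:
        if orig is not None and bytes(image[off:off + len(orig)]) != orig:
            raise ValueError('unexpected bytes at file offset %#x, not patching' % off)
        image[off:off + len(new)] = new
    return image
```

To use it on the real file, read it into a bytearray, pass it to apply_patches(image, build_patches()) and write the result back. apply_patches cannot check the cave at 4AD93D or the original N16Click bytes, because the post does not show them, so confirm in a disassembler that those bytes are unused before writing. Note also that, because @_lldiv truncates, any serial in the range k*666 .. k*666+665 satisfies the check, not only the one the keygen prints.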