Step into the call 10008000 at 10001FD9:

:10008038 894C2450             mov dword ptr [esp+50], ecx
:1000803C 89542410             mov dword ptr [esp+10], edx
:10008040 89442420             mov dword ptr [esp+20], eax
:10008044 894C2454             mov dword ptr [esp+54], ecx
:10008048 56                   push esi
:10008049 6689542418           mov word ptr [esp+18], dx
:1000804E 6689442428           mov word ptr [esp+28], ax
:10008053 66894C245C           mov word ptr [esp+5C], cx
:10008058 57                   push edi
:10008059 8854241E             mov byte ptr [esp+1E], dl
:1000805D 8844242E             mov byte ptr [esp+2E], al
:10008061 884C2462             mov byte ptr [esp+62], cl
:10008065 E826A4FFFF           call 10002490                  <== note this call
:1000806A 8BF8                 mov edi, eax
:1000806C 83C9FF               or ecx, FFFFFFFF
:1000806F 33C0                 xor eax, eax
:10008071 8D542410             lea edx, dword ptr [esp+10]
:10008075 F2                   repnz
:10008076 AE                   scasb
:10008077 F7D1                 not ecx
The call at 10008065 invokes the Windows API ShellExecuteA, which spawns the getdiskserial.exe process. Assuming getdiskserial.exe was not modified earlier, there are two processes to trace, which is a hassle; for an unlicensed user, getdiskserial pops up a MESSAGEBOX and registration fails.
Continue tracing until you arrive here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10008191(C)
|
:1000817D 8A540430             mov dl, byte ptr [esp+eax+30]  <== this is the fake registration code
:10008181 8A4C0468             mov cl, byte ptr [esp+eax+68]  <== the correct registration code
:10008185 3AD1                 cmp dl, cl
:10008187 0F851BFFFFFF         jne 100080A8
:1000818D 40                   inc eax
:1000818E 83F809               cmp eax, 00000009
:10008191 7CEA                 jl 1000817D
:10008193 5F                   pop edi
:10008194 C705ACF9011001000000 mov dword ptr [1001F9AC], 00000001
:1000819E 5E                   pop esi
:1000819F 81C480000000         add esp, 00000080
:100081A5 C3                   ret
"d esp+eax+68" shows the correct registration code: 2023252219.
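The comparison loop at 1000817D, rewritten as an added C example (not code from the original post or from the program) beside a hardened form: the weak version keeps the correct code in cleartext next to the entered one and exits on the first mismatch, which is exactly what "d esp+eax+68" exposes, while the hardened version stores only a digest of the correct code and compares in constant time. The FNV-1a hash and the sample codes are constructed stand-ins and assumptions (a real build would use a cryptographic hash, and a short numeric serial remains brute-forceable regardless).

```c
#include <stdint.h>
#include <stddef.h>

/* Weak check, mirroring the loop at 1000817D: compare the entered code
 * byte by byte against the correct code the program has already computed
 * into a stack buffer (the two buffers sit side by side, as [esp+eax+30]
 * and [esp+eax+68] do). Returns 1 on match, 0 otherwise. */
int weak_check(const char *entered, const char *correct, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (entered[i] != correct[i])
            return 0;          /* the "jne 100080A8" early exit */
    }
    return 1;                  /* falls through to the registered flag */
}

/* Stand-in 64-bit FNV-1a hash (assumption: a real build would use a
 * cryptographic hash such as SHA-256 instead). */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hardened check: only the digest of the correct code is embedded, so no
 * cleartext serial is ever laid out in memory next to the user's input,
 * and the comparison touches every byte of the digest (constant time). */
int hardened_check(const char *entered, uint64_t expected_digest) {
    uint64_t diff = fnv1a64(entered) ^ expected_digest;
    unsigned char acc = 0;
    for (int i = 0; i < 8; i++)
        acc |= (unsigned char)(diff >> (8 * i));
    return acc == 0;
}
```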
With that, the crack is done. Typing all of that was tiring.