環境:windows xp
工具:
1、OllyDBG
2、IDA
3、exeinfo
查殼發現是程序無殼且用Delphi語言編寫
可以通過搜索程序中的提示字符串(例如 "Wrong Serial Number !" 和 "Success")並查看其交叉引用的方式定位關鍵比較函數,這裡定位到的地址是 00427B44。
ReadInput(a2, &v17); // 讀取輸入的usernameif ( StrLen(v17) >= 1 // 判斷username長度是否大于等于1&& (v5 = *(_DWORD *)(v2 + 492),ReadInput(v4,&v17), // 獲取輸入的serialserial = v17,v7 = *(_DWORD *)(v2 + 476),ReadInput(v8,&username), // 獲取輸入的usernameKeyFun_427A20(username, serial) >= 12345678) )// 判斷這個幾個條件是否符合要求{v10 = (HWND)sub_4199FC();MessageBoxA_0(v10, "Congratulation ! You've Did It.\rMail Us : ekhmail@egroups.com", "Success", 0);}else{v9 = (HWND)sub_4199FC();MessageBoxA_0(v9, "Wrong Serial Number !", "ERROR", 0);}
可以看出程序只檢查輸入的 username 長度是否大於等於 1(即非空),隨後就把 username 和 serial 一起交給 KeyFun 函數判斷;當 KeyFun 的返回值大於等於 12345678 時才會彈出成功提示。注意 KeyFun 末尾只有 12345678 和 1234577 兩個可能的返回值,所以這個「大於等於」判斷實際上等價於檢查 KeyFun 走了哪一個分支。
KeyFun(下面是 IDA 反編譯出的偽代碼,閱讀時有幾點需要注意):
1. `if ( v8 )` 中的 v8 來自 `__OFADD__(v7, v2)`,這是 Hex-Rays 用來表示帶符號加法溢出的宏,並不是「判斷這個字符是不是 0」;只有加法溢出時才會調用 sub_402A30(從上下文看像是運行時錯誤處理例程,需要在調試器中確認)。
2. 循環次數等於 username 的長度,而 `off_428880[v6 - 1]` 直接用當前字符位置去索引長度為 34 的固定字符串 "LANNYDIBANDINGINANAKEKHYANGNGENTOT",偽代碼中看不到任何邊界檢查,username 超過 34 個字符時會讀到該字符串之後的內存,計算結果也就取決於相鄰數據。
3. 末尾 `flag = strcmp(v23, serial)` 之後是 flag 非零(即不相等)才返回 12345678,與直覺相反;這很可能是 Hex-Rays 把 Delphi 通過標誌位返回結果的字符串比較例程識別成了返回值式的 strcmp,分支方向應在 OllyDBG 中動態驗證後再下結論。
v4 = StrLen(username);if ( v4 > 0 ){v5 = 1;do{v6 = v5;v7 = *(_BYTE *)(username + v5 - 1); // 遍歷每個字符v8 = __OFADD__(v7, v2);v9 = v7 + v2;if ( v8 ) // 判斷這個字符是不是0v5 = sub_402A30(v19, v20, v21);v3 = off_428880; // LANNYDIBANDINGINANAKEKHYANGNGENTOTv2 = (unsigned __int8)off_428880[v6 - 1] | (v9 << 8);if ( v2 < 0 ) // 如果移動后是負數{v10 = -v2; // 取絕對值if ( (unsigned __int64)-(signed __int64)v2 >> 32 )v5 = sub_402A30(v19, v20, v21);v2 = v10;}++v5;--v4;}while ( v4 ); // 循環次數為username長度}v11 = v2 ^ 0x12345678; //上面就是利用username來計算出v11sub_4063F4(v3, &v22);v12 = StrLen(v22); // serial長度if ( v12 > 0 ){do{_EDX = v11 % 10; //這里是計算v11的每一位數字,得到該數字為下標所對應字符,將所有對應的組合起來就是serial__asm { bound edx, qword_427B3C }LOBYTE(_EDX) = byte_428884[v11 % 10]; // LANNY5646521sub_4036D8(10, _EDX);sub_4037B8(v14, v22);v11 /= 10;--v12;}while ( v12 );}flag = strcmp(v23, serial);if ( flag ) // flagv16 = 12345678;elsev16 = 1234577;v17 = v21;__writefsdword(0, v19);v21 = (int *)&loc_427B31;sub_403558(v17, 4);return v16;