I hope this gives you some ideas ~
Check whether it's packed... Microsoft Visual C++ 6.0, so there is no packer ~
Let's enter an account name and a password and run it for a test ~ The error message "Incorrect registration name or registration code!" pops up.
Okay. Let's load it in OD ~~ Search for ASCII strings, find the error message, and double-click it to go to the code ~
00401D00   /0F85 DF000000   jnz ultradic.00401DE5
00401D06   |68 01100000     push 1001
00401D0B   |68 F4704300     push ultradic.004370F4          ; ASCII "C:/regbanyet.dat" ; when registration succeeds, the file C:/regbanyet.dat is created
00401D10   |8D4C24 18       lea ecx, dword ptr ss:[esp+18]
00401D14   |E8 8FEF0100     call ultradic.00420CA8
00401D19   |8D7C24 20       lea edi, dword ptr ss:[esp+20]
00401D1D   |83C9 FF         or ecx, FFFFFFFF
00401D20   |33C0            xor eax, eax
00401D22   |B2 0D           mov dl, 0D
00401D24   |F2:AE           repne scas byte ptr es:[edi]
00401D26   |F7D1            not ecx
00401D28   |49              dec ecx
00401D29   |8DBC24 84000000 lea edi, dword ptr ss:[esp+84]
00401D30   |C68424 B4010000 01       mov byte ptr ss:[esp+1B4], 1
00401D38   |88540C 20                mov byte ptr ss:[esp+ecx+20], dl
00401D3C   |41                       inc ecx
00401D3D   |C6440C 20 0A             mov byte ptr ss:[esp+ecx+20], 0A
00401D42   |885C0C 21                mov byte ptr ss:[esp+ecx+21], bl
00401D46   |83C9 FF                  or ecx, FFFFFFFF
00401D49   |F2:AE                    repne scas byte ptr es:[edi]
00401D4B   |F7D1                     not ecx
00401D4D   |49                       dec ecx
00401D4E   |8D7C24 20                lea edi, dword ptr ss:[esp+20]
00401D52   |88940C 84000000          mov byte ptr ss:[esp+ecx+84], dl
00401D59   |41                       inc ecx
00401D5A   |C6840C 84000000 0A       mov byte ptr ss:[esp+ecx+84], 0A
00401D62   |889C0C 85000000          mov byte ptr ss:[esp+ecx+85], bl
00401D69   |83C9 FF                  or ecx, FFFFFFFF
00401D6C   |F2:AE                    repne scas byte ptr es:[edi]
00401D6E   |F7D1                     not ecx
00401D70   |49                       dec ecx
00401D71   |8D4424 20                lea eax, dword ptr ss:[esp+20]
00401D75   |51                       push ecx                          ; /Arg2
00401D76   |50                       push eax                          ; |Arg1
00401D77   |8D4C24 18                lea ecx, dword ptr ss:[esp+18]    ; |
00401D7B   |E8 DCF10100              call ultradic.00420F5C            ; \ultradic.00420F5C
00401D80   |8DBC24 84000000          lea edi, dword ptr ss:[esp+84]
00401D87   |83C9 FF                  or ecx, FFFFFFFF
00401D8A   |33C0                     xor eax, eax
00401D8C   |F2:AE                    repne scas byte ptr es:[edi]
00401D8E   |F7D1                     not ecx
00401D90   |49                       dec ecx
00401D91   |51                       push ecx                          ; /Arg2
00401D92   |8D8C24 88000000          lea ecx, dword ptr ss:[esp+88]    ; |
00401D99   |51                       push ecx                          ; |Arg1
00401D9A   |8D4C24 18                lea ecx, dword ptr ss:[esp+18]    ; |
00401D9E   |E8 B9F10100              call ultradic.00420F5C            ; \ultradic.00420F5C
00401DA3   |6A 03                    push 3                            ; /FileAttributes = READONLY|HIDDEN
00401DA5   |68 F4704300              push ultradic.004370F4            ; |FileName = "C:/regbanyet.dat"
00401DAA   |FF15 8CB24200            call dword ptr ds:[<&KERNEL32.SetFileAttributesA>] ; \SetFileAttributesA
00401DB0   |68 D8704300              push ultradic.004370D8
00401DB5   |8D8C24 EC000000          lea ecx, dword ptr ss:[esp+EC]
00401DBC   |E8 AF010000              call ultradic.00401F70
00401DC1   |8D4C24 10                lea ecx, dword ptr ss:[esp+10]
00401DC5   |889C24 B4010000          mov byte ptr ss:[esp+1B4], bl
00401DCC   |E8 77EF0100              call ultradic.00420D48
00401DD1   |8BCD                     mov ecx, ebp
00401DD3   |E8 44B50100              call ultradic.0041D31C
00401DD8   |C78424 B4010000 03000000 mov dword ptr ss:[esp+1B4], 3
00401DE3   |EB 1C                    jmp short ultradic.00401E01
00401DE5   \68 C0704300              push ultradic.004370C0            ; the error-message string is pushed here; this is where the error box comes from!
We can see this red line... The error message is displayed when the jump from 00401D00 to 00401DE5 is taken ~ (the red line means the jump is taken)
Let's go up and take a look ~
00401CFE   >3BC3            cmp eax, ebx               ; compare the real registration code with the one we entered...
00401D00   /0F85 DF000000   jnz ultradic.00401DE5      ; jump if they are not equal ~
So think about it ~ if I don't let this jump be taken ~ then there will be no error message?
Hoho, good ~ Let's try it. Change jnz to jz (its opposite ~ ^_^), save a copy ~~ Did the test succeed ~?
Prompt ~ Registered successfully ~~
Isn't it easy ~ In fact, we can also ~ change the jnz at 00401D00 to NOP; as long as this jump is never taken, it works ~ that succeeds too ~