水晶分班5.21-分析记录
目录
- 程序信息
- 注册按钮事件-TfrmZc_btnZcClick_008C41B4
- 浏览器回调-TForm1_WebBrowserZcDocumentComplete_008D6EDC
- 启动时检验-TForm1_FormShow_008D71B0
- MG_MD5_81D008(todo)
- ps
程序信息
版本"5.21 <2024.9.7>"
PE32
操作系统: Windows(2000)[I386, 32 位, GUI]
链接程序: Turbo Linker(2.25*,Delphi)[GUI32]
编译器: Embarcadero Delphi(XE)[Enterprise]
语言: Object Pascal (Delphi)
Delphi程序分析:
ida 插件--DelphiHelper
x64dbg 插件--SwissArmyKnife --> 加载 IDA map 文件
注册按钮事件-TfrmZc_btnZcClick_008C41B4
// Hex-Rays pseudocode of the "register" button handler on the registration form
// (TfrmZc.btnZcClick, 0x008C41B4). Names carrying an address suffix are the
// analyst's own labels.
//
// Flow visible in this listing:
//   1. Read the text of the control at a1+904 (the registration-code input).
//   2. check_8C3D4C() derives a value from that text; an empty result is treated
//      as an invalid code and an error message is shown.
//   3. After the user confirms the message box:
//        sn  = hex(MG_MD5(code value))
//        zm  = machine hash + sn
//        sn2 = hex(MG_MD5(machine hash))
//      TForm1_saveIni() is called (presumably persisting sn/sn2 -- confirm), and
//      zm is sent as the "zm" query parameter of the activation URL through the
//      embedded web browser control.
//
// NOTE(review): the activation URL is plain http://, so the machine hash and the
// code hash travel unencrypted and the reply is not authenticated by transport.
// HTTPS plus a server-signed reply is the hardening to look for here.
_DWORD *__fastcall TfrmZc_btnZcClick(int a1)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]

  // Push an exception frame onto the FS:[0] chain (compiler-generated try/finally
  // that releases the string temporaries at the end).
  v3[1] = &loc_8C4351;
  v3[0] = __readfsdword(0);
  __writefsdword(0, v3);

  Controls::TControl::GetText(*(a1 + 904), &v11);
  if ( v11 )                                    // input box is not empty
  {
    Controls::TControl::GetText(*(a1 + 904), &zcm);
    check_8C3D4C(zcm, out);                     // local format check; internals not shown here
    System::__linkproc__ UStrAsg(&zcm_number_wstr_9074CC, *out);
    if ( zcm_number_wstr_9074CC )               // non-empty result => code accepted locally
    {
      // 0x121 presumably MB_OKCANCEL | MB_ICONQUESTION | MB_DEFBUTTON2; 1 == IDOK.
      if ( TApplication_MessageBox(*Application,L"确认是您的电脑吗?若不是,请不要输入注册码。每一个注册码都有机器台数限制。",L"确认是要注册的电脑吗?",0x121u) == 1 )
      {
        // TLabel
        TControl_SetText(*(a1 + 916), 0);       // author's note: "official website" (presumably what this label shows -- unconfirmed)

        // sn = hex digest of the accepted code value.
        MG_MD5_81D008(zcm_number_wstr_9074CC, 0, v7);
        hexstr_81D094(v7, &v8);
        System::__linkproc__ UStrAsg(&sn_9074D0, v8);

        // zm = machine hash concatenated with sn; this is what goes to the server.
        System::__linkproc__ UStrCat3(&zm_9074D4, TCPUIDInfo_MGMD5_9074C4, sn_9074D0);

        // sn2 = hex digest of the machine hash.
        MG_MD5_81D008(TCPUIDInfo_MGMD5_9074C4, 0, v7);
        hexstr_81D094(v7, &v6);
        System::__linkproc__ UStrAsg(&sn2_9074C8, v6);

        TForm1_saveIni();

        // Build the activation request and load it in the browser control at
        // offset 1304 of the object behind gvar_00900480.
        System::__linkproc__ UStrCat3(&v4, L"http://www.myzan.cn/fbser/zcfb.asp?zm=", zm_9074D4);
        System::__linkproc__ WStrFromUStr(&v5, v4);
        TWebBrowser_Navigate(*(*gvar_00900480 + 1304), v5);
        TCustomForm_Close(a1);
      }
    }
    else
    {
      TControl_SetText(*(a1 + 916), L"请输入正确的注册码");
    }
  }

  // Pop the exception frame, then release every string temporary.
  __writefsdword(0, v3[0]);
  v3[2] = &loc_8C4358;
  free_407530(&v4);
  System::__linkproc__ WStrClr(&v5);
  free_407530(&v6);
  free_407530(&v8);
  free_407530(&zcm);
  free_407530(out);
  return free_407530(&v11);
}
浏览器回调-TForm1_WebBrowserZcDocumentComplete_008D6EDC
// Hex-Rays pseudocode of the DocumentComplete callback of the activation browser
// control (TForm1.WebBrowserZcDocumentComplete, 0x008D6EDC).
//
// Flow visible in this listing:
//   1. Three chained late-bound (IDispatch) calls walk the loaded document; the
//      member names sit in the descriptors at word_8D7014 / unk_8D700C /
//      unk_8D6FFC, which are not shown on this page.
//   2. The final variant is converted to a string and stored through
//      ptr_sn_target_00900040 (the server's reply).
//   3. hex(MG_MD5(stored sn, 1)) is computed locally and compared with the reply;
//      on equality the global isregister_907520 is set to 1 and the registration
//      form is refreshed.
//
// NOTE(review): the expected reply is computed on the client from locally stored
// data, and the reply arrives over plain HTTP, so this comparison does not
// authenticate the server. A reply signed by the vendor and verified against an
// embedded public key, with the licence state re-derived where it is consumed
// rather than cached in one global byte, would be a stronger design.
int __fastcall TForm1_WebBrowserZcDocumentComplete(int a1, int a2, __int32 a3, int a4)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]

  _InterlockedExchange(&v17, a3);               // decompiler rendering; purpose not evident from this listing

  // Two nested exception frames pushed onto the FS:[0] chain.
  v10 = &savedregs;
  v9[1] = &loc_8D6FEB;
  v9[0] = __readfsdword(0);
  __writefsdword(0, v9);
  v8[2] = &savedregs;
  v8[1] = &loc_8D6FB8;
  v8[0] = __readfsdword(0);
  __writefsdword(0, v8);

  // Late-bound walk from the browser's OLE object down to the reply value.
  Olectrls::TOleControl::GetOleObject(*(dword_90751C + 1304));
  Variants::__linkproc__ DispInvoke(v14, v13, &word_8D7014, &unk_8D700C);
  Variants::__linkproc__ DispInvoke(v15, v14, v6, &unk_8D6FFC);
  Variants::__linkproc__ DispInvoke(v16, v15, v7, v8[0]);
  System::Variants::__linkproc__ VarToUStr(ptr_sn_target_00900040, v16);

  // Locally computed expected value. The second argument is 1 here and 0 at the
  // other MG_MD5 call sites on this page; its meaning is not established.
  MG_MD5_81D008(*ptr_sn_008FFA08, 1, a3a);
  hexstr_81D094(a3a, &v12);

  // UStrEqual reports its result in CPU flags; "v4" is the decompiler's stand-in
  // for "strings are equal".
  System::__linkproc__ UStrEqual(v12, *ptr_sn_target_00900040);
  if ( v4 )
  {
    isregister_907520 = 1;                      // global "registered" flag
    TfrmZc_reshowZc(*gvar_008FFEC8);
  }

  // Pop both exception frames and release temporaries.
  __writefsdword(0, v8[0]);
  __writefsdword(0, v9[0]);
  v10 = &loc_8D6FF2;
  free_407530(&v12);
  return System::__linkproc__ FinalizeArray(v13, RTTI_4012C0_Variant_Variant, 4, v10);
}
启动时检验-TForm1_FormShow_008D71B0
// Hex-Rays pseudocode of the main form's OnShow handler (TForm1.FormShow,
// 0x008D71B0). It sets up the UI, derives the machine fingerprint, and starts
// the start-up licence check.
//
// Licence-related flow visible in this listing:
//   1. fingerprint = first 20 characters of hex(MG_MD5(CPUID string)).
//   2. isregister_907520 is reset to 0, then TForm1_loadIni() runs.
//   3. If a stored sn exists and the stored sn2 equals hex(MG_MD5(fingerprint)),
//      the activation URL is requested with zm = fingerprint + sn. In the code
//      shown on this page, only the browser's DocumentComplete callback sets
//      isregister_907520 to 1 afterwards.
//
// NOTE(review): the request uses plain http:// and the fingerprint check relies
// only on values stored on the client; see the DocumentComplete callback for
// where the reply is evaluated.
int __fastcall TForm1_FormShow(int a1)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]

  // Push an exception frame onto the FS:[0] chain.
  v13 = &loc_8D75E5;
  v12 = __readfsdword(0);
  __writefsdword(0, &v12);

  // Version string and basic UI set-up.
  System::__linkproc__ UStrAsg(&dword_9075D8, L"5.21 <2024.9.7>");
  Extctrls::TTimer::SetInterval(*(a1 + 1316), 0x2328u);   // 0x2328 = 9000
  LOBYTE(v2) = 1;
  // NOTE(review): same object (a1+1316) as the TTimer call above, so this
  // library name is probably a signature mismatch -- confirm.
  Vcl::Forms::TTitleBar::SetAlignment(*(a1 + 1316), v2);
  System::__linkproc__ UStrCat3(&v26, dword_8D762C, dword_9075D8);
  TControl_SetText(*(a1 + 1428), v26);
  System::__linkproc__ UStrCatN(&v25, 3, v3, dword_9075D8, asc_8D7738);
  Comctrls::TCustomStatusBar::SetSimpleText(*(a1 + 1040), v25);

  // Machine fingerprint: CPUID string -> MG_MD5 -> hex -> leftmost 20 characters.
  LOBYTE(v4) = 1;
  v5 = TCPUIDInfo_Create(VMT_8C4688_TCPUIDInfo, v4);
  TCPUIDInfo_GetCPUIDstr(v5, &a1a);
  MG_MD5_81D008(a1a, 0, a3);
  hexstr_81D094(a3, &v22);
  System::__linkproc__ WStrFromUStr(&v23, v22);
  Strutils::LeftStr(v23, 20, &v24);
  System::__linkproc__ UStrFromWStr(PTR_TCPUIDInfo_MGMD5_008FFB54, v24);
  System::TObject::Free(v5);

  // Start every launch as unregistered, then load the saved settings.
  isregister_907520 = 0;
  TForm1_loadIni();
  dword_9075CC = 0;

  if ( *ptr_sn_008FFA08 )                       // a serial was stored earlier
  {
    // The stored sn2 must match the hash of this machine's fingerprint.
    MG_MD5_81D008(*PTR_TCPUIDInfo_MGMD5_008FFB54, 0, a3);
    hexstr_81D094(a3, &v19);
    // "v6" is the decompiler's stand-in for the equality result of UStrEqual.
    System::__linkproc__ UStrEqual(*ptr_sn2_008FFE00, v19);
    if ( v6 )
    {
      // zm = fingerprint + sn, sent to the activation URL via the browser
      // control at a1+1304.
      System::__linkproc__ UStrCat3(gvar_008FFD84[0], *PTR_TCPUIDInfo_MGMD5_008FFB54, *ptr_sn_008FFA08);
      System::__linkproc__ UStrCat3(&v17, L"http://www.myzan.cn/fbser/zcfb.asp?zm=", *gvar_008FFD84[0]);
      System::__linkproc__ WStrFromUStr(&v18, v17);
      TWebBrowser_Navigate(*(a1 + 1304), v18);
    }
  }

  // Optional data file given as the first command-line argument; the result of
  // ParamStr(1) ends up in v27 (the out parameter is not shown by the decompiler).
  System::ParamStr(1);
  if ( v27 )
  {
    LOBYTE(v7) = 1;
    if ( System::Sysutils::FileExists(v27, v7, v8) )
    {
      TForm1_loadDataFile(a1, v27, v16);
      goto LABEL_12;
    }
  }

  // Otherwise lay out and show the secondary form at *gvar_00900650. The virtual
  // call at slot +152 presumably is SetBounds(left, top, width, height) and the
  // one at slot +276 presumably shows the form modally -- both unconfirmed.
  LOBYTE(v7) = 1;
  if ( System::Sysutils::FileExists(*dword_907524, v7, v8) )
  {
    TControl_SetText(*(*gvar_00900650 + 936), *dword_907524);
    Controls::TControl::SetVisible(*(*gvar_00900650 + 932), 1);
    v12 = 35;
    (*(**(*gvar_00900650 + 908) + 152))(*(*gvar_00900650 + 908), 517, 147, 35, 51);
    TControl_SetText(*(*gvar_00900650 + 908), 0);
    TControl_SetText(*(*gvar_00900650 + 928), dword_8D77B4);
    Controls::TControl::SetTop(*(*gvar_00900650 + 928), 205);
    Controls::TControl::SetLeft(*(*gvar_00900650 + 928), 517);
    v12 = 60;
    (*(**(*gvar_00900650 + 904) + 152))(*(*gvar_00900650 + 904), 8, 280, 60, 60);
    Controls::TControl::SetLeft(*(*gvar_00900650 + 924), 5);
    Controls::TControl::SetTop(*(*gvar_00900650 + 924), 260);
    Controls::TControl::SetLeft(*(*gvar_00900650 + 912), 531);
    Controls::TControl::SetTop(*(*gvar_00900650 + 912), 171);
    byte_907521 = 0;
    (*(**gvar_00900650 + 276))(*gvar_00900650);
    if ( byte_907521 )
      goto LABEL_12;
  }
  else
  {
    byte_907521 = 0;
    (*(**gvar_00900650 + 276))(*gvar_00900650);
    if ( byte_907521 )
      goto LABEL_12;
  }

  // byte_907521 was left at 0 by the secondary form: close the main form.
  TCustomForm_Close(a1);

LABEL_12:
  // Remaining UI set-up: image list bitmap, control placement, picture choice.
  WICImage = Vcl::Graphics::TPicture::GetWICImage(*(*(a1 + 960) + 432));
  Imglist::TCustomImageList::GetBitmap(*(a1 + 1048), 0, WICImage);
  Controls::TControl::SetLeft(*(a1 + 956), *(*(a1 + 912) + 72) - 1);
  v15 = *(*(a1 + 908) + 76) - 27;
  v10 = System::__linkproc__ TRUNC(v15 / 2.0);
  Controls::TControl::SetTop(*(a1 + 956), v10);
  if ( dword_90761C == 1 )
    Extctrls::TImage::SetPicture(*(a1 + 1440), *(*(a1 + 1452) + 432));
  else
    Extctrls::TImage::SetPicture(*(a1 + 1440), *(*(a1 + 1448) + 432));

  // Pop the exception frame and release string temporaries.
  __writefsdword(0, v13);
  v14 = &loc_8D75EC;
  unknown_libname_2139(v16, 2);
  System::__linkproc__ WStrClr(&v18);
  unknown_libname_2139(&v19, 2);
  free_407530(&v22);
  System::__linkproc__ WStrArrayClr(&v23, 2);
  return unknown_libname_2139(&v25, 3);
}
MG_MD5_81D008(todo)
魔改md5,后续有时间补充
ps
TForm1_FormShow 中
// Excerpt of the start-up licence check: runs only when a serial was stored.
if ( *ptr_sn_008FFA08 )
{
  // Stored sn2 must equal hex(MG_MD5(machine fingerprint)).
  MG_MD5_81D008(*PTR_TCPUIDInfo_MGMD5_008FFB54, 0, a3);
  hexstr_81D094(a3, &v19);
  // "v6" is the decompiler's stand-in for the equality result of UStrEqual.
  System::__linkproc__ UStrEqual(*ptr_sn2_008FFE00, v19);
  if ( v6 )
  {
    // zm = fingerprint + sn, requested over plain HTTP through the browser control.
    System::__linkproc__ UStrCat3(gvar_008FFD84[0], *PTR_TCPUIDInfo_MGMD5_008FFB54, *ptr_sn_008FFA08);
    System::__linkproc__ UStrCat3(&v17, L"http://www.myzan.cn/fbser/zcfb.asp?zm=", *gvar_008FFD84[0]);
    System::__linkproc__ WStrFromUStr(&v18, v17);
    TWebBrowser_Navigate(*(a1 + 1304), v18);
  }
}
汇编
; IDA listing of the start-up licence check shown in pseudocode above.
; Columns: address, stack depth, opcode bytes, instruction.
.text:008D72C2 054 83 38 00 cmp dword ptr [eax], 0 ; stored serial empty? (eax presumably holds ptr_sn_008FFA08, loaded before this excerpt)
.text:008D72C5 054 74 75 jz short loc_8D733C ; no stored serial -> skip the check
.text:008D72C7 054 8D 4D D8 lea ecx, [ebp+a3] ; a3
.text:008D72CA 054 A1 54 FB 8F 00 mov eax, PTR_TCPUIDInfo_MGMD5_008FFB54
.text:008D72CF 054 8B 00 mov eax, [eax] ; a1
.text:008D72D1 054 33 D2 xor edx, edx ; char
.text:008D72D3 054 E8 30 5D F4 FF call MG_MD5_81D008 ; digest of the machine fingerprint
.text:008D72D8 054 8D 45 D8 lea eax, [ebp+a3]
.text:008D72DB 054 8D 55 D0 lea edx, [ebp+var_30]
.text:008D72DE 054 E8 B1 5D F4 FF call hexstr_81D094 ; digest -> hex string in var_30
.text:008D72E3 054 8B 55 D0 mov edx, [ebp+var_30]
.text:008D72E6 054 A1 00 FE 8F 00 mov eax, ptr_sn2_008FFE00
.text:008D72EB 054 8B 00 mov eax, [eax]
.text:008D72ED 054 E8 8E 15 B3 FF call @System@@UStrEqual$qqrv ; System::__linkproc__ UStrEqual(void)
.text:008D72F2 054 75 48 jnz short loc_8D733C ; stored sn2 differs from the computed value -> skip the request
.text:008D72F4 054 8B 0D 08 FA 8F 00 mov ecx, ptr_sn_008FFA08
.text:008D72FA 054 8B 09 mov ecx, [ecx]
.text:008D72FC 054 8B 15 54 FB 8F 00 mov edx, PTR_TCPUIDInfo_MGMD5_008FFB54
.text:008D7302 054 8B 12 mov edx, [edx]
.text:008D7304 054 A1 84 FD 8F 00 mov eax, gvar_008FFD84
.text:008D7309 054 E8 DA 13 B3 FF call @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2 ; System::__linkproc__ UStrCat3(System::UnicodeString &,System::UnicodeString,System::UnicodeString)
.text:008D730E 054 8B 0D 84 FD 8F 00 mov ecx, gvar_008FFD84
.text:008D7314 054 8B 09 mov ecx, [ecx]
.text:008D7316 054 8D 45 C8 lea eax, [ebp+var_38]
.text:008D7319 054 BA 58 77 8D 00 mov edx, offset aHttpWwwMyzanCn_0 ; "http://www.myzan.cn/fbser/zcfb.asp?zm="
.text:008D731E 054 E8 C5 13 B3 FF call @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2 ; System::__linkproc__ UStrCat3(System::UnicodeString &,System::UnicodeString,System::UnicodeString)
.text:008D7323 054 8B 55 C8 mov edx, [ebp+var_38]
.text:008D7326 054 8D 45 CC lea eax, [ebp+var_34]
.text:008D7329 054 E8 5A 12 B3 FF call @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString ; System::__linkproc__ WStrFromUStr(System::WideString &,System::UnicodeString)
.text:008D732E 054 8B 55 CC mov edx, [ebp+var_34]
.text:008D7331 054 8B 83 18 05 00 00 mov eax, [ebx+518h] ; 'TForm1.WebBrowserZc:TWebBrowser'
.text:008D7337 054 E8 48 48 F4 FF call TWebBrowser_Navigate ; BDS2008-RADxe10 Component Library & Packages
替换为(即 TForm1_WebBrowserZcDocumentComplete 中校验通过后执行的两条语句;从上文代码看,注册状态仅由客户端全局标志 isregister_907520 表示)
isregister_907520 = 1;TfrmZc_reshowZc(*gvar_008FFEC8);
对应汇编
008D72C2 | C605 20759000 01 | mov byte ptr ds:[0x907520],0x1 |
008D72C9 | A1 C8FE8F00 | mov eax,dword ptr ds:[0x8FFEC8] |
008D72CE | 8B00 | mov eax,dword ptr ds:[eax] |
008D72D0 | E8 73D1FEFF | call <水晶分班._Unit123.TfrmZc.reshowZc_008C4448> |