环境:windows xp
工具:
1、OllyDBG
2、IDA
3、exeinfo
查壳发现是程序无壳且用Delphi语言编写
可以通过搜索字符串的方式定位关键函数地址
这里定位到是
00427B44
ReadInput(a2, &v17); // 读取输入的usernameif ( StrLen(v17) >= 1 // 判断username长度是否大于等于1&& (v5 = *(_DWORD *)(v2 + 492),ReadInput(v4,&v17), // 获取输入的serialserial = v17,v7 = *(_DWORD *)(v2 + 476),ReadInput(v8,&username), // 获取输入的usernameKeyFun_427A20(username, serial) >= 12345678) )// 判断这个几个条件是否符合要求{v10 = (HWND)sub_4199FC();MessageBoxA_0(v10, "Congratulation ! You've Did It.\rMail Us : ekhmail@egroups.com", "Success", 0);}else{v9 = (HWND)sub_4199FC();MessageBoxA_0(v9, "Wrong Serial Number !", "ERROR", 0);}
可以看出程序判断输入的username是否为空后就进KeyFun函数进行判断了,当KeyFun函数返回值大于等于12345678时才能得到正确结果
KeyFun:
v4 = StrLen(username);if ( v4 > 0 ){v5 = 1;do{v6 = v5;v7 = *(_BYTE *)(username + v5 - 1); // 遍历每个字符v8 = __OFADD__(v7, v2);v9 = v7 + v2;if ( v8 ) // 判断这个字符是不是0v5 = sub_402A30(v19, v20, v21);v3 = off_428880; // LANNYDIBANDINGINANAKEKHYANGNGENTOTv2 = (unsigned __int8)off_428880[v6 - 1] | (v9 << 8);if ( v2 < 0 ) // 如果移动后是负数{v10 = -v2; // 取绝对值if ( (unsigned __int64)-(signed __int64)v2 >> 32 )v5 = sub_402A30(v19, v20, v21);v2 = v10;}++v5;--v4;}while ( v4 ); // 循环次数为username长度}v11 = v2 ^ 0x12345678; //上面就是利用username来计算出v11sub_4063F4(v3, &v22);v12 = StrLen(v22); // serial长度if ( v12 > 0 ){do{_EDX = v11 % 10; //这里是计算v11的每一位数字,得到该数字为下标所对应字符,将所有对应的组合起来就是serial__asm { bound edx, qword_427B3C }LOBYTE(_EDX) = byte_428884[v11 % 10]; // LANNY5646521sub_4036D8(10, _EDX);sub_4037B8(v14, v22);v11 /= 10;--v12;}while ( v12 );}flag = strcmp(v23, serial);if ( flag ) // flagv16 = 12345678;elsev16 = 1234577;v17 = v21;__writefsdword(0, v19);v21 = (int *)&loc_427B31;sub_403558(v17, 4);return v16;
)
)
...)
![SSH出错--hibernate--org.hibernate.hql.ast.QuerySyntaxException: User is not mapped [from User]](http://pic.xiahunao.cn/SSH出错--hibernate--org.hibernate.hql.ast.QuerySyntaxException: User is not mapped [from User])
加载DLL)
调用DLL函数)
