【破文标题】 CrackMe之XiaoZi2 SEH.爆破.反跟踪.自校验分析
【破文作者】 二哥weiyi75[Dfcg][D.4S]
【使用工具】 UnkillOD
【破解平台】 Win2000/XP
【软件名称】 XiaoZi2
【软件大小】 3 KB
【下载地址】 本地下载
【编程语言】 MASM
【软件简介】 流行时代网友自编CrackMe
【破解目的】 从头学起,打好基础。
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
------------------------------------------------------------
CrackMe采用了SetUnhandledExceptionFilter异常,定时器,内置父进程检查,SMC防爆自校验.
过年极度郁闷,人人开心,我这里单位还精简人,害我天天上班,不是天天上网,怒,现在还有周扒皮,只怪自己不争气,羡慕那些能上网
为职业而且有收入的人啊,现在还失恋了,真是双重打击.........
从流行时代下载了一个密界文集,无意中看到一个CrackMe,本来aqtata已经快分析完了,还剩...
引用
很奇怪,调试时可以注册成功,但修改保存就不行了,打开运行发现修改的地方又变回去了。
今天看了一下,简单的SMC防爆自校验,于是我也罗嗦发泄一下郁闷的心情。
【详细过程】
首先看文件大小确认为汇编程序,OD载入看API注释再次确认。
00401508 X>/$ /EB 0B jmp short XiaoZi'C.00401515 //入口代码。
0040150A |. |55 53 45 52 33 32>ascii "USER32.DLL",0
00401515 |> \EB 0D jmp short XiaoZi'C.00401524
00401517 |. 4B 65 72 6E 65 6C>ascii "Kernel32.dll",0
00401524 |> EB 0C jmp short XiaoZi'C.00401532
00401526 |. 4D 65 73 73 61 67>ascii "MessageBoxA",0
00401532 |> EB 11 jmp short XiaoZi'C.00401545
00401534 |. 54 65 72 6D 69 6E>ascii "TerminateProcess"
00401544 |. 00 ascii 0
00401545 |> EB 0C jmp short XiaoZi'C.00401553
00401547 |. 4F 70 65 6E 50 72>ascii "OpenProcess",0
00401553 |> 68 00104000 push XiaoZi'C.00401000 ; /pTopLevelFilter =
XiaoZi'C.00401000
00401558 |. E8 F3000000 call <jmp.&KERNEL32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter //
原因是它: 00401564 处向地址 0 写入会触发异常,不调试时由 00401000 处注册的过滤函数接管,见多不怪。
0040155D |. A3 68304000 mov dword ptr ds:[403068],eax
00401562 |. 33C0 xor eax,eax
00401564 C700 01000000 mov dword ptr ds:[eax],1 //异常,地址为0,NOP掉。
0040156A |. 6A 00 push 0 ; /pModule = NULL
0040156C |. E8 AF000000 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401571 |. A3 70304000 mov dword ptr ds:[403070],eax
00401576 |. 68 0A154000 push XiaoZi'C.0040150A ; /FileName = "USER32.DLL"
0040157B |. E8 B2000000 call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
00401580 |. 68 26154000 push XiaoZi'C.00401526 ; /ProcNameOrOrdinal =
"MessageBoxA"
00401585 |. 50 push eax ; |hModule
00401586 |. E8 9B000000 call <jmp.&KERNEL32.GetProcAddress> ; \GetProcAddress
0040158B |. A3 84384000 mov dword ptr ds:[403884],eax
00401590 |. 68 17154000 push XiaoZi'C.00401517 ; /FileName = "Kernel32.dll"
00401595 |. E8 98000000 call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
0040159A |. 8BD8 mov ebx,eax
0040159C |. 68 34154000 push XiaoZi'C.00401534 ; /ProcNameOrOrdinal =
"TerminateProcess"
004015A1 |. 50 push eax ; |hModule
004015A2 |. E8 7F000000 call <jmp.&KERNEL32.GetProcAddress> ; \GetProcAddress
004015A7 |. A3 88384000 mov dword ptr ds:[403888],eax
004015AC |. 68 47154000 push XiaoZi'C.00401547 ; /ProcNameOrOrdinal =
"OpenProcess"
004015B1 |. 53 push ebx ; |hModule
004015B2 |. E8 6F000000 call <jmp.&KERNEL32.GetProcAddress> ; \GetProcAddress
004015B7 |. A3 8C384000 mov dword ptr ds:[40388C],eax
004015BC |. E8 40FDFFFF call XiaoZi'C.00401301
004015C1 |. 6A 00 push 0 ; /lParam = NULL
004015C3 |. 68 56134000 push XiaoZi'C.00401356 ; |DlgProc = XiaoZi'C.00401356
004015C8 |. 6A 00 push 0 ; |hOwner = NULL
004015CA |. 6A 01 push 1 ; |pTemplate = 1
004015CC |. FF35 70304000 push dword ptr ds:[403070] ; |hInst = NULL
004015D2 |. E8 07000000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
..........//F8步过004015D2后,UnkillOD即父进程被Kill。转标签1
004015D7 |. 6A 00 push 0 ; /ExitCode = 0
004015D9 \. E8 36000000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
..................................................................................
标签1
重新载入程序,来到
004015D2 |. E8 07000000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
F7
004015DE $- FF25 68204000 jmp dword ptr ds:[<&USER32.DialogBoxPara>; USER32.DialogBoxParamA
F7
77E014D7 U> 55 push ebp //迷失在系统领空,不管它搞什么飞机,401000 Code段下F2断点,中断下来。
77E014D8 8BEC mov ebp,esp
77E014DA 53 push ebx
77E014DB 56 push esi
77E014DC 8B75 08 mov esi,dword ptr ss:[ebp+8]
77E014DF 57 push edi
77E014E0 6A 00 push 0
77E014E2 83CB FF or ebx,FFFFFFFF
77E014E5 FF75 0C push dword ptr ss:[ebp+C]
77E014E8 6A 05 push 5
77E014EA 56 push esi
77E014EB FF15 D882E477 call dword ptr ds:[77E482D8] ; KERNEL32.FindResourceExA
77E014F1 85C0 test eax,eax
77E014F3 74 3E je short USER32.77E01533
..................................................................................
00401356 /. 55 push ebp //到这里后,跟了一会,不得要点,仔细看到
00401385 |. E8 94FCFFFF call XiaoZi'C.0040101E 可疑,进入。
00401356 /. 55 push ebp
00401357 |. 8BEC mov ebp,esp
00401359 |. 53 push ebx
0040135A |. 57 push edi
0040135B |. 56 push esi
0040135C |. 8B45 0C mov eax,dword ptr ss:[ebp+C]
0040135F |. 83F8 10 cmp eax,10
00401362 |. 75 1A jnz short XiaoZi'C.0040137E
00401364 |. 6A 00 push 0 ; /Result = 0
00401366 |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
00401369 |. E8 76020000 call <jmp.&USER32.EndDialog> ; \EndDialog
0040136E |. FF35 68304000 push dword ptr ds:[403068] ; /pTopLevelFilter =
MSVCRT.7800B3B9
00401374 |. E8 D7020000 call <jmp.&KERNEL32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter
//SetUnhandledExceptionFilter反跟踪的函数
00401379 |. E9 7E010000 jmp XiaoZi'C.004014FC
0040137E |> 3D 10010000 cmp eax,110 //应该类似时间差方式反跟踪
00401383 |. 75 7B jnz short XiaoZi'C.00401400 //这里永远都跳走,使你无法进入00401385
00401385 |. E8 94FCFFFF call XiaoZi'C.0040101E //修改Z标志进入。
0040101E /$ 55 push ebp //往下看到一段枚举进程、检查父进程的代码,各种语言写出来都类似。
0040101F |. 8BEC mov ebp,esp
00401021 |. 81C4 D4FEFFFF add esp,-12C
00401027 |. 68 28010000 push 128 ; /Length = 128 (296.)
0040102C |. 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128] ; |
00401032 |. 50 push eax ; |Destination
00401033 |. E8 12060000 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401038 |. C785 D8FEFFFF 280>mov dword ptr ss:[ebp-128],128
00401042 |. 6A 00 push 0 ; /ProcessID = 0
00401044 |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
00401046 |. E8 C3050000 call <jmp.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot //快照
进程。
0040104B |. 8985 D4FEFFFF mov dword ptr ss:[ebp-12C],eax
00401051 |. 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
00401057 |. 50 push eax ; /pProcessentry
00401058 |. FFB5 D4FEFFFF push dword ptr ss:[ebp-12C] ; |hSnapshot
0040105E |. E8 DB050000 call <jmp.&KERNEL32.Process32First> ; \Process32First
00401063 |. EB 1F jmp short XiaoZi'C.00401084
00401065 |> E8 B0050000 /call <jmp.&KERNEL32.GetCurrentProcessId>; [GetCurrentProcessId
0040106A |. 3B85 E0FEFFFF |cmp eax,dword ptr ss:[ebp-120]
00401070 |. 74 26 |je short XiaoZi'C.00401098
00401072 |. 8D85 D8FEFFFF |lea eax,dword ptr ss:[ebp-128]
00401078 |. 50 |push eax ; /pProcessentry
00401079 |. FFB5 D4FEFFFF |push dword ptr ss:[ebp-12C] ; |hSnapshot
0040107F |. E8 C0050000 |call <jmp.&KERNEL32.Process32Next> ; \Process32Next
00401084 |> 0BC0 or eax,eax
00401086 |.^ 75 DD \jnz short XiaoZi'C.00401065
00401088 |. FFB5 D4FEFFFF push dword ptr ss:[ebp-12C] ; /hObject
0040108E |. E8 6F050000 call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
00401093 |. E9 E6000000 jmp XiaoZi'C.0040117E
00401098 |> FFB5 F0FEFFFF push dword ptr ss:[ebp-110] ; /ProcessId
0040109E |. 6A 00 push 0 ; |Inheritable = FALSE
004010A0 |. 68 FF0F1F00 push 1F0FFF ; |Access = PROCESS_ALL_ACCESS
004010A5 |. E8 8E050000 call <jmp.&KERNEL32.OpenProcess> ; \OpenProcess
004010AA |. A3 6C304000 mov dword ptr ds:[40306C],eax
004010AF |. 68 04010000 push 104
004010B4 |. 68 74344000 push XiaoZi'C.00403474 ; ASCII
"E:\armitage\Tools\David\System\Ollydbg\1.10\ExPloReR.exe" //这里取到的是 UnkillOD 的进程完整路径。
004010B9 |. 6A 00 push 0
004010BB |. FF35 6C304000 push dword ptr ds:[40306C]
004010C1 |. E8 A8050000 call <jmp.&PSAPI.GetModuleFileNameExA>
004010C6 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
004010CB |. 68 7C364000 push XiaoZi'C.0040367C ; |Buffer = XiaoZi'C.0040367C
004010D0 |. E8 57050000 call <jmp.&KERNEL32.GetWindowsDirectoryA>; \GetWindowsDirectoryA
004010D5 |. 68 7C364000 push XiaoZi'C.0040367C ; /String2 =
"C:\WINNT\Explorer.EXE"
004010DA |. 68 80374000 push XiaoZi'C.00403780 ; |String1 = XiaoZi'C.00403780
004010DF |. E8 84050000 call <jmp.&KERNEL32.lstrcpyA> ; \lstrcpyA
004010E4 |. EB 0E jmp short XiaoZi'C.004010F4
004010E6 |. 5C 45 78 70 6C 6F>ascii "\Explorer.EXE",0
004010F4 |> 68 E6104000 push XiaoZi'C.004010E6 ; /StringToAdd = "\Explorer.EXE"
//获取系统Explorer.EXE的位置
004010F9 |. 68 7C364000 push XiaoZi'C.0040367C ; |ConcatString =
"C:\WINNT\Explorer.EXE"
004010FE |. E8 59050000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
00401103 |. 68 74344000 push XiaoZi'C.00403474 ; /String2 =
"E:\armitage\Tools\David\System\Ollydbg\1.10\ExPloReR.exe" 假Explorer
00401108 |. 68 7C364000 push XiaoZi'C.0040367C ; |String1 =
"C:\WINNT\Explorer.EXE" //真Explorer
0040110D |. E8 50050000 call <jmp.&KERNEL32.lstrcmpA> //经典比较。
00401112 |. 85C0 test eax,eax
00401114 |. 74 68 je short XiaoZi'C.0040117E //不跳还有一次机会,比较父进程名是否是真Cmd.exe
00401116 |. EB 12 jmp short XiaoZi'C.0040112A
00401118 |. 5C 53 79 73 74 65>ascii "\System32\cmd.ex"
00401128 |. 65 00 ascii "e",0
0040112A |> 68 18114000 push XiaoZi'C.00401118 ; /StringToAdd =
"\System32\cmd.exe"
0040112F |. 68 80374000 push XiaoZi'C.00403780 ; |ConcatString = "C:\WINNT"
00401134 |. E8 23050000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
00401139 |. 68 74344000 push XiaoZi'C.00403474 ; /String2 =
"E:\armitage\Tools\David\System\Ollydbg\1.10\ExPloReR.exe"
0040113E |. 68 80374000 push XiaoZi'C.00403780 ; |String1 =
"C:\WINNT\System32\cmd.exe" //CMD全路径。
00401143 |. E8 1A050000 call <jmp.&KERNEL32.lstrcmpA> //再次经典比较
00401148 |. 85C0 test eax,eax
0040114A |. 74 32 je short XiaoZi'C.0040117E //不跳Over。
0040114C |. FFB5 F0FEFFFF push dword ptr ss:[ebp-110] ; /ProcessId
00401152 |. 6A 00 push 0 ; |Inheritable = FALSE
00401154 |. 68 FF0F1F00 push 1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401159 |. E8 DA040000 call <jmp.&KERNEL32.OpenProcess> ; \OpenProcess
0040115E |. 6A 00 push 0 ; /ExitCode = 0
00401160 |. 50 push eax ; |hProcess
00401161 |. A1 88384000 mov eax,dword ptr ds:[403888] ; |
00401166 |. FFD0 call eax ; \TerminateProcess
...........//执行Over,这里重启OD,选择TNT。
先改两处。
00401564 |. C700 01000000 mov dword ptr ds:[eax],1 //SetUnhandledExceptionFilter反跟踪
修改为
00401564 90 nop
00401565 90 nop
00401566 90 nop
00401567 90 nop
00401568 90 nop
00401569 90 nop
00401114 |. 74 68 je short XiaoZi'C.0040117E //父进程校验。
修改为
00401114 /EB 68 jmp short XiaoZi'C.0040117E
OD载入程序,进入主界面,然后爆破主程序,算法没兴趣,以后基本都是Rsa,Md5,算清楚时一缸水都写完了。
输入用户名
David
注册码
12345
确定提示用户名太短
Bp MessageBoxA
77E23D68 U> 55 push ebp //确定后中断
77E23D69 8BEC mov ebp,esp
77E23D6B 51 push ecx
77E23D6C 833D B884E477 00 cmp dword ptr ds:[77E484B8],0
77E23D73 74 29 je short USER32.77E23D9E
77E23D75 64:A1 18000000 mov eax,dword ptr fs:[18]
77E23D7B 8B40 24 mov eax,dword ptr ds:[eax+24]
77E23D7E 8945 FC mov dword ptr ss:[ebp-4],eax
77E23D81 B8 00000000 mov eax,0
77E23D86 B9 8088E477 mov ecx,USER32.77E48880
77E23D8B 8B55 FC mov edx,dword ptr ss:[ebp-4]
77E23D8E F0:0FB111 lock cmpxchg dword ptr ds:[ecx],edx
77E23D92 85C0 test eax,eax
77E23D94 75 08 jnz short USER32.77E23D9E
堆栈友好提示
0012FC8C 004012AF /CALL 到 MessageBoxA 来自 XiaoZi'C.004012AD
0012FC90 00000000 |hOwner = NULL
0012FC94 004011E2 |Text = "用户名太短!"
0012FC98 0040119F |Title = "Error"
0012FC9C 00000000 \Style = MB_OK|MB_APPLMODAL
0012FCA0 004014D2 返回到 XiaoZi'C.004014D2
Alt+F9确定错误后返回到标签2
004011EF > \A1 56304000 mov eax,dword ptr ds:[403056]
004011F4 . 83F8 06 cmp eax,6 //用户名长度必须不少于6个字符(小于6则跳走)
004011F7 . 0F8C 97000000 jl XiaoZi'C.00401294 //跳走Over,NOP
004011FD . 50 push eax
004011FE . 59 pop ecx
004011FF . 8D35 00304000 lea esi,dword ptr ds:[403000]
00401205 . 8D3D 74304000 lea edi,dword ptr ds:[403074]
0040120B > 33C0 xor eax,eax
0040120D . 33DB xor ebx,ebx
0040120F . 8B07 mov eax,dword ptr ds:[edi]
00401211 . 8B1E mov ebx,dword ptr ds:[esi]
00401213 . 25 FF000000 and eax,0FF
00401218 . 81E3 FF000000 and ebx,0FF
0040121E . 33C3 xor eax,ebx
00401220 . 0305 4E304000 add eax,dword ptr ds:[40304E]
00401226 . A3 4E304000 mov dword ptr ds:[40304E],eax
0040122B . 46 inc esi
0040122C . 47 inc edi
0040122D .^ E2 DC loopd short XiaoZi'C.0040120B
0040122F . 33C9 xor ecx,ecx
00401231 . 8B0D 5A304000 mov ecx,dword ptr ds:[40305A]
00401237 . 8D35 25304000 lea esi,dword ptr ds:[403025]
0040123D . 8D3D F4304000 lea edi,dword ptr ds:[4030F4]
00401243 > 33C0 xor eax,eax
00401245 . 33DB xor ebx,ebx
00401247 . 8B07 mov eax,dword ptr ds:[edi]
00401249 . 8B1E mov ebx,dword ptr ds:[esi]
0040124B . 25 FF000000 and eax,0FF
00401250 . 81E3 FF000000 and ebx,0FF
00401256 . 33C3 xor eax,ebx
00401258 . 0305 52304000 add eax,dword ptr ds:[403052]
0040125E . A3 52304000 mov dword ptr ds:[403052],eax
00401263 . 46 inc esi
00401264 . 47 inc edi
00401265 .^ E2 DC loopd short XiaoZi'C.00401243
00401267 . A1 52304000 mov eax,dword ptr ds:[403052]
0040126C . 8B1D 4A304000 mov ebx,dword ptr ds:[40304A]
00401272 . 85DB test ebx,ebx
00401274 . 75 3A jnz short XiaoZi'C.004012B0 //分次比较1,NOP
00401276 . 8505 4E304000 test dword ptr ds:[40304E],eax
0040127C . 75 32 jnz short XiaoZi'C.004012B0 //分次比较2,NOP
0040127E . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401280 . 68 98114000 push XiaoZi'C.00401198 ; |Title = "Yeah"
00401285 . 68 C4114000 push XiaoZi'C.004011C4 ; |Text = "你真棒,小子祝贺你这个高
手!" //经典提示。
0040128A . 6A 00 push 0 ; |hOwner = NULL
0040128C . A1 84384000 mov eax,dword ptr ds:[403884] ; |
00401291 . FFD0 call eax ; \MessageBoxA
00401293 . C3 retn
00401294 > 68 9A124000 push XiaoZi'C.0040129A
00401299 . C3 retn
0040129A . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040129C . 68 9F114000 push XiaoZi'C.0040119F ; |Title = "Error"
004012A1 . 68 E2114000 push XiaoZi'C.004011E2 ; |Text = "用户名太短!"
004012A6 . 6A 00 push 0 ; |hOwner = NULL
004012A8 . A1 84384000 mov eax,dword ptr ds:[403884] ; |
004012AD . FFD0 call eax ; \MessageBoxA
004012AF . C3 retn //标签2,向上看。
.................................................................................
放TNT
004011F7 /0F8C 97000000 jl XiaoZi'C.00401294
修改为
004011F7 90 nop
004011F8 90 nop
004011F9 90 nop
004011FA 90 nop
004011FB 90 nop
004011FC 90 nop
00401274 . /75 3A jnz short XiaoZi'C.004012B0
修改为
00401274 90 nop
00401275 90 nop
0040127C /75 32 jnz short XiaoZi'C.004012B0
修改为
0040127C 90 nop
0040127D 90 nop
保存修改,重新载入运行,发现这里的代码都还原了,看来程序在启动时用类似备份的机制还原了几处关键代码来防爆。如果你再次修改并保存,
OD会提示代码并未修改——程序只是用SMC技术临时还原了内存中的代码,文件中的代码并没有变,所以必须治本。
治本。
OD载入程序,Ctrl+G 去 401274发现代码还是
00401274 90 nop
00401275 90 nop
好,我们知道SMC技术修改代码必然有内存写入事件,这里普通的内存写入断点无效,改用硬件写入断点(hw)吧。
命令行分别
hw 00401274
hw 0040127C
F9立即中断
00401301 /$ B8 74124000 mov eax,XiaoZi'C.00401274
00401306 |. A3 90384000 mov dword ptr ds:[403890],eax
0040130B |. 8B18 mov ebx,dword ptr ds:[eax]
0040130D |. 66:81FB 753A cmp bx,3A75 //判断00401274 处代码是否为3A75,爆破点1
00401312 |. 74 41 je short XiaoZi'C.00401355
00401314 |. 68 94384000 push XiaoZi'C.00403894 ; /pOldProtect = XiaoZi'C.00403894
00401319 |. 6A 40 push 40 ; |NewProtect =
PAGE_EXECUTE_READWRITE
0040131B |. 6A 10 push 10 ; |Size = 10 (16.)
0040131D |. FF35 90384000 push dword ptr ds:[403890] ; |Address = XiaoZi'C.00401274
00401323 |. E8 2E030000 call <jmp.&KERNEL32.VirtualProtect> ; \VirtualProtect
00401328 |. A1 90384000 mov eax,dword ptr ds:[403890]
0040132D |. BB 753A0000 mov ebx,3A75
00401332 |. 66:8918 mov word ptr ds:[eax],bx
00401335 |. B8 7C124000 mov eax,XiaoZi'C.0040127C //这里硬件中断,程序已还原401274处代码为3A75
0040133A |. A3 90384000 mov dword ptr ds:[403890],eax
0040133F |. 8B18 mov ebx,dword ptr ds:[eax]
00401341 |. 66:81FB 7532 cmp bx,3275 //爆破点2,判断0040127C 处代码是否为3275
00401346 |. 74 0D je short XiaoZi'C.00401355
00401348 |. A1 90384000 mov eax,dword ptr ds:[403890]
0040134D |. BB 75320000 mov ebx,3275
00401352 |. 66:8918 mov word ptr ds:[eax],bx
00401355 \> C3 retn //这里硬件中断,程序还原40127C处代码为3275
好啦,一切真相大白。
【破解总结】
00401564 |. C700 01000000 mov dword ptr ds:[eax],1 //SetUnhandledExceptionFilter反跟踪
修改为
00401564 90 nop
00401565 90 nop
00401566 90 nop
00401567 90 nop
00401568 90 nop
00401569 90 nop
00401114 |. 74 68 je short XiaoZi'C.0040117E //父进程校验。
修改为
00401114 /EB 68 jmp short XiaoZi'C.0040117E
004011F7 /0F8C 97000000 jl XiaoZi'C.00401294
修改为
004011F7 90 nop
004011F8 90 nop
004011F9 90 nop
004011FA 90 nop
004011FB 90 nop
004011FC 90 nop
00401274 . /75 3A jnz short XiaoZi'C.004012B0
修改为
00401274 90 nop
00401275 90 nop
0040127C /75 32 jnz short XiaoZi'C.004012B0
修改为
0040127C 90 nop
0040127D 90 nop
0040130D 66:81FB 753A cmp bx,3A75
自己和自己比,当然永远校验通过。
0040130D 66:3BDB cmp bx,bx
00401310 90 nop
00401311 90 nop
00401341 66:81FB 7532 cmp bx,3275
自己和自己比,当然永远校验通过。
00401341 66:3BDB cmp bx,bx
00401344 90 nop
00401345 90 nop
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!