Removing the annoying warning box from the DeDe decompiler
I downloaded this program a few days ago, and it is really irritating: every time it starts it pops up this annoying red dialog box, and in the meantime nothing can be done; only after quite a while does the button become clickable. (Screenshot 1)
So I set to work myself and traced backwards from the dialog to find the key code.
1. Run DeDe, break into it with OD, then click Run and pause again; the stack window shows the following (Screenshot 2).
2. In the screenshot above, the most recent address is clearly 00444C34; record it as A = 00444C34.
Open OD, press Ctrl+G, enter address A, jump to it, set a breakpoint with F2, and finally run with F9. When the program breaks, the stack window shows the following (Screenshot 3).
3. The return address found there is 00444B2C; record it as B = 00444B2C.
Reload the program, open OD, remove the breakpoint at address A, press Ctrl+G, enter address B, jump to it, set a breakpoint with F2, and finally run with F9. It breaks here, inside the key subroutine:
00444AFC 55 PUSH EBP
00444AFD 8BEC MOV EBP,ESP
00444AFF 51 PUSH ECX
00444B00 53 PUSH EBX
00444B01 56 PUSH ESI
00444B02 57 PUSH EDI
00444B03 8BDA MOV EBX,EDX
00444B05 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00444B08 8B33 MOV ESI,DWORD PTR DS:[EBX]
00444B0A 81FE 13010000 CMP ESI,113 ; compare whether the time is up
00444B10 75 3F JNZ SHORT DeDe.00444B51 ; key jump
00444B12 33C0 XOR EAX,EAX
00444B14 55 PUSH EBP
00444B15 68 364B4400 PUSH DeDe.00444B36
00444B1A 64:FF30 PUSH DWORD PTR FS:[EAX]
00444B1D 64:8920 MOV DWORD PTR FS:[EAX],ESP
00444B20 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00444B23 66:BE EFFF MOV SI,0FFEF
00444B27 E8 F8F4FBFF CALL DeDe.00404024
00444B2C 33C0 XOR EAX,EAX ; the breakpoint from above; looking up and down, this turns out to be a subroutine
00444B2E 5A POP EDX
00444B2F 59 POP ECX
00444B30 59 POP ECX
00444B31 64:8910 MOV DWORD PTR FS:[EAX],EDX
00444B34 EB 33 JMP SHORT DeDe.00444B69
00444B36 E9 CDF7FBFF JMP DeDe.00404308
00444B3B A1 D0CA5A00 MOV EAX,DWORD PTR DS:[5ACAD0]
00444B40 8B00 MOV EAX,DWORD PTR DS:[EAX]
00444B42 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00444B45 E8 6ACE0200 CALL DeDe.004719B4
00444B4A E8 21FBFBFF CALL DeDe.00404670
00444B4F EB 18 JMP SHORT DeDe.00444B69
00444B51 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
00444B54 50 PUSH EAX ; /lParam
00444B55 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4] ; |
00444B58 50 PUSH EAX ; |wParam
00444B59 56 PUSH ESI ; |Message
00444B5A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
00444B5D 8B40 34 MOV EAX,DWORD PTR DS:[EAX+34] ; |
00444B60 50 PUSH EAX ; |hWnd
00444B61 E8 EA2FFCFF CALL <JMP.&user32.DefWindowProcA> ; \DefWindowProcA
00444B66 8943 0C MOV DWORD PTR DS:[EBX+C],EAX
00444B69 5F POP EDI
00444B6A 5E POP ESI
00444B6B 5B POP EBX
00444B6C 59 POP ECX
00444B6D 5D POP EBP
00444B6E C3 RETN
4. Thinking back, the warning box only appeared some time after I opened the program, so there must be a timer control, and there must be code that compares the time:
00444B0A 81FE 13010000 CMP ESI,113 ; compare whether the time is up
00444B10 75 3F JNZ SHORT DeDe.00444B51 ; key jump
(The constant 113h is the Win32 WM_TIMER message ID, and the listing confirms that ESI holds the window message: it is pushed as the |Message argument at 00444B59.)
Changing the key jump here is no use and actually causes memory errors, because this is a subroutine of the timer control and it performs other operations as well.
5. We could simply NOP out the code at 00444B0A with OD, but it has to be done with some care. Since the value runs from 0 to 113 and the hateful box pops up when it reaches 113, I changed it to -1, heh.
The result is what you would expect: the box never appears again.
6. But I also wanted to brush up on memory patching, so let's write a memory patch in assembly; Win32 assembly once again, heh.
Principle:
Before the patch:
00444B0A 81FE 13010000 CMP ESI,113
After the patch:
00444B0A 83FE FF CMP ESI,-1
00444B0D 90 NOP
00444B0E 90 NOP
00444B0F 90 NOP
Patch method (byte changes):
00444B0A 81h ---> 83h
00444B0C 13h ---> FFh
00444B0D 01h ---> 90h
00444B0E 00h ---> 90h
00444B0F 00h ---> 90h
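As an added illustration that is not part of the original post, the following C program shows why the patch has exactly this shape: CMP ESI,113 needs the 6-byte form 81 /7 id (32-bit immediate), while CMP ESI,-1 fits the 3-byte form 83 /7 ib (sign-extended 8-bit immediate), so three NOPs are required to keep the instruction stream the same length. The encoder is more general than the single case on the page (any of the eight 32-bit registers, any immediate); the register constants and function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit general registers, numbered as the ModRM r/m field encodes them. */
enum { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

/* Encode "cmp r32, imm".  Returns the instruction length: 3 for the short
   form 83 /7 ib (immediate fits in a sign-extended byte), 6 for 81 /7 id. */
size_t encode_cmp_r32_imm(int reg, int32_t imm, uint8_t out[6])
{
    /* mod = 11 (register direct), reg field = /7 (CMP), r/m = the register. */
    uint8_t modrm = (uint8_t)(0xC0 | (7 << 3) | (reg & 7));
    uint32_t u = (uint32_t)imm;
    if (imm >= -128 && imm <= 127) {
        out[0] = 0x83; out[1] = modrm; out[2] = (uint8_t)u;
        return 3;
    }
    out[0] = 0x81; out[1] = modrm;
    out[2] = (uint8_t)u;            /* little-endian imm32 */
    out[3] = (uint8_t)(u >> 8);
    out[4] = (uint8_t)(u >> 16);
    out[5] = (uint8_t)(u >> 24);
    return 6;
}

/* Pad a new instruction with NOP (90h) so it occupies exactly old_len bytes.
   Returns 0 if it does not fit, i.e. it would overwrite the next instruction. */
int build_replacement(const uint8_t *ins, size_t ins_len, size_t old_len, uint8_t *out)
{
    if (ins_len > old_len) return 0;
    memcpy(out, ins, ins_len);
    memset(out + ins_len, 0x90, old_len - ins_len);
    return 1;
}

/* Record the offsets whose byte actually changes; returns how many there are. */
size_t diff_offsets(const uint8_t *oldb, const uint8_t *newb, size_t n, size_t *offs)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (oldb[i] != newb[i]) offs[k++] = i;
    return k;
}

int main(void)
{
    uint8_t oldb[6], ins[6], newb[6];
    size_t offs[6];
    const uint32_t base = 0x00444B0A;   /* address of the CMP in the listing */

    size_t old_len = encode_cmp_r32_imm(ESI, 0x113, oldb); /* 81 FE 13 01 00 00 */
    size_t ins_len = encode_cmp_r32_imm(ESI, -1, ins);     /* 83 FE FF */
    build_replacement(ins, ins_len, old_len, newb);        /* 83 FE FF 90 90 90 */

    /* Prints the same five-line table as the post: the ModRM byte FEh at
       00444B0B is identical in both encodings, so it is not touched. */
    size_t n = diff_offsets(oldb, newb, old_len, offs);
    for (size_t i = 0; i < n; i++)
        printf("%08X %02Xh ---> %02Xh\n", base + (uint32_t)offs[i],
               oldb[offs[i]], newb[offs[i]]);
    return 0;
}
```

The build_replacement check is the one worth keeping in mind when hand-patching: a replacement longer than the original instruction silently corrupts the instruction that follows it.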
The code is as follows:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; DeDe 3.05 decompiler
; by aoanzhishu 2008
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; reg.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat,stdcall
option casemap:none
include D:\masm32\include\windows.inc
include D:\masm32\include\kernel32.inc
include D:\masm32\include\user32.inc
includelib D:\masm32\lib\kernel32.lib
includelib D:\masm32\lib\user32.lib
.data
AppName db 'DeDe反汇编5.3内存补丁',0 ; "DeDe decompiler 5.3 memory patch"
msg_run db '此补丁必须在同一文件目录下',0 ; "This patch must be in the same directory as the program"
msg_read db '错误',0 ; "Error"
msg_ver db '请检查程序版本',0 ; "Please check the program version"
msg_cap db '启动失败',0 ; "Launch failed"
msg_write db '错误',0 ; "Error"
m_programe db 'DeDe.exe',0 ; target executable, launched from the current directory
m_addr1 dd 00444B0Ah
m_addr2 dd 00444B0Ch
m_addr3 dd 00444B0Dh
m_addr4 dd 00444B0Eh
m_addr5 dd 00444B0Fh
m_bytesold1 db 081h
m_bytesnew1 db 083h
m_bytesold2 db 013h
m_bytesnew2 db 0FFh
m_bytesold3 db 001h
m_bytesnew3 db 090h
m_bytesold4 db 000h
m_bytesnew4 db 090h
m_bytesold5 db 000h
m_bytesnew5 db 090h
m_num dd 1 ; number of bytes read or written per call
.data?
read_buffer db 512 dup (?)
startinfo STARTUPINFO <>
info PROCESS_INFORMATION <>
.code
start:
invoke GetStartupInfo,addr startinfo
invoke CreateProcess,addr m_programe,NULL,NULL,NULL,FALSE,20h,0,0,addr startinfo,addr info ; 20h = NORMAL_PRIORITY_CLASS
test eax,eax
jz _launch_error
invoke ReadProcessMemory,dword ptr [info],m_addr1,addr read_buffer,m_num,0
test eax,eax
jz _read_error
lea esi,read_buffer
lea edi,m_bytesold1
mov ecx,m_num
repz cmpsb
jnz _down
invoke ReadProcessMemory,dword ptr [info],m_addr2,addr read_buffer,m_num,0
test eax,eax
jz _read_error
lea esi,read_buffer
lea edi,m_bytesold2
mov ecx,m_num
repz cmpsb
jnz _down
invoke ReadProcessMemory,dword ptr [info],m_addr3,addr read_buffer,m_num,0
test eax,eax
jz _read_error
lea esi,read_buffer
lea edi,m_bytesold3
mov ecx,m_num
repz cmpsb
jnz _down
invoke ReadProcessMemory,dword ptr [info],m_addr4,addr read_buffer,m_num,0
test eax,eax
jz _read_error
lea esi,read_buffer
lea edi,m_bytesold4
mov ecx,m_num
repz cmpsb
jnz _down
invoke ReadProcessMemory,dword ptr [info],m_addr5,addr read_buffer,m_num,0
test eax,eax
jz _read_error
lea esi,read_buffer
lea edi,m_bytesold5
mov ecx,m_num
repz cmpsb
jnz _down
jmp _patch
_down:
jmp _wrong
_patch:
invoke SuspendThread,info.hThread ; thread handle, not the process handle
invoke WriteProcessMemory,info.hProcess ,m_addr1,addr m_bytesnew1,m_num,NULL
test eax,eax
jz _write_error
invoke WriteProcessMemory,info.hProcess ,m_addr2,addr m_bytesnew2,m_num,NULL
test eax,eax
jz _write_error
invoke WriteProcessMemory,info.hProcess ,m_addr3,addr m_bytesnew3,m_num,NULL
test eax,eax
jz _write_error
invoke WriteProcessMemory,info.hProcess ,m_addr4,addr m_bytesnew4,m_num,NULL
test eax,eax
jz _write_error
invoke WriteProcessMemory,info.hProcess ,m_addr5,addr m_bytesnew5,m_num,NULL
test eax,eax
jz _write_error
invoke ResumeThread,info.hThread
jmp _exit
_launch_error:
invoke MessageBox,NULL,addr msg_run,addr msg_cap,MB_OK
jmp _exit
_read_error:
invoke MessageBox,NULL,addr msg_read,addr msg_cap,MB_OK
jmp _exit
_wrong:
invoke MessageBox,NULL,addr msg_ver,addr msg_cap,MB_OK
jmp _exit
_write_error:
invoke MessageBox,NULL,addr msg_write,addr msg_cap,MB_OK
_exit:
invoke CloseHandle,info.hProcess
invoke CloseHandle,info.hThread ; STARTUPINFO holds no handle; close the thread handle instead
invoke ExitProcess,0
end start
7. To sum up: when we run into pop-up windows or ads, first locate the code, preferably by dynamic debugging, then work out which periodic function triggers it, and only then decide how to get around it.
If anything here is described inaccurately or is wrong, corrections and suggestions are welcome.
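Seen from the other side, the loader above only works because nothing in the target checks its own code once it is running. The following C program is an added example, not from the post, of the simplest countermeasure: a CRC-32 over a code region compared against a baseline recorded at build time. The sample bytes are constructed from the listing (the CMP ESI,113 sequence at 00444B0A plus the two instructions after it) and from its patched counterpart; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: bytes 00444B0A..00444B13 as they appear in the listing
   (CMP ESI,113 / JNZ SHORT 00444B51 / XOR EAX,EAX). */
static const uint8_t REGION_CLEAN[] = {
    0x81, 0xFE, 0x13, 0x01, 0x00, 0x00,   /* CMP ESI,113 */
    0x75, 0x3F,                           /* JNZ SHORT 00444B51 */
    0x33, 0xC0                            /* XOR EAX,EAX */
};
/* The same region after the in-memory patch described in the post. */
static const uint8_t REGION_PATCHED[] = {
    0x83, 0xFE, 0xFF, 0x90, 0x90, 0x90,   /* CMP ESI,-1 ; NOP NOP NOP */
    0x75, 0x3F,
    0x33, 0xC0
};

/* Standard CRC-32 (reflected, polynomial EDB88320h, init/xorout FFFFFFFFh). */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Integrity guard: 1 if the region no longer matches the baseline checksum. */
int code_region_tampered(const uint8_t *mem, size_t n, uint32_t baseline)
{
    return crc32_bytes(mem, n) != baseline;
}

/* Diagnostic helper: offset of the first byte that differs from the
   reference copy, or -1 if the two regions are identical. */
long first_difference(const uint8_t *mem, const uint8_t *ref, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (mem[i] != ref[i]) return (long)i;
    return -1;
}

int main(void)
{
    /* In a real build the baseline is computed over the release binary and
       stored next to the check; here it is derived from the clean copy. */
    uint32_t baseline = crc32_bytes(REGION_CLEAN, sizeof REGION_CLEAN);

    printf("clean region tampered?   %d\n",
           code_region_tampered(REGION_CLEAN, sizeof REGION_CLEAN, baseline));
    printf("patched region tampered? %d (first change at 00444B0A+%ld)\n",
           code_region_tampered(REGION_PATCHED, sizeof REGION_PATCHED, baseline),
           first_difference(REGION_PATCHED, REGION_CLEAN, sizeof REGION_CLEAN));
    return 0;
}
```

A check that lives in the same process can of course be edited by the same WriteProcessMemory call, so in practice the baseline and the check are kept outside the process or tied to a signed module; the point of the example is that a five-byte edit to a code page is cheap to detect, which is exactly what the loader's own read-and-compare loop relies on from the other direction.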