[Old post] A newbie cracks a nag screen 0.00 snowflakes
Posted: 2009-12-26 14:48 1045
Software name: crackeme.upx.exe, packed with UPX; the task is to remove the nag.
Opening the program in OllyDbg gives a packed-file warning. Since it is a UPX packer, unpack it directly: scroll the disassembly window to find the POPAD marker and follow it to the OEP, dump the full image with LordPE, then open the program and repair the import table with Import.re.
Open the unpacked program in OllyDbg; the disassembly window looks like this:
004012C0 > 55 PUSH EBP
004012C1 8BEC MOV EBP,ESP
004012C3 6A FF PUSH -1
004012C5 68 F8404000 PUSH ea_.004040F8
004012CA 68 F41D4000 PUSH ea_.00401DF4
004012CF 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004012D5 50 PUSH EAX
004012D6 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004012DD 83EC 58 SUB ESP,58
004012E0 53 PUSH EBX
004012E1 56 PUSH ESI
004012E2 57 PUSH EDI
004012E3 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004012E6 FF15 58A04000 CALL DWORD PTR DS:[<&kernel32.#478>] ; kernel32.GetVersion
004012EC 33D2 XOR EDX,EDX
004012EE 8AD4 MOV DL,AH
004012F0 8915 54564000 MOV DWORD PTR DS:[405654],EDX
004012F6 8BC8 MOV ECX,EAX
004012F8 81E1 FF000000 AND ECX,0FF
004012FE 890D 50564000 MOV DWORD PTR DS:[405650],ECX
00401304 C1E1 08 SHL ECX,8
00401307 03CA ADD ECX,EDX
00401309 890D 4C564000 MOV DWORD PTR DS:[40564C],ECX
0040130F C1E8 10 SHR EAX,10
00401312 A3 48564000 MOV DWORD PTR DS:[405648],EAX
00401317 33F6 XOR ESI,ESI
00401319 56 PUSH ESI
0040131A E8 A1090000 CALL ea_.00401CC0
0040131F 59 POP ECX
00401320 85C0 TEST EAX,EAX
00401322 75 08 JNZ SHORT ea_.0040132C
00401324 6A 1C PUSH 1C
00401326 E8 B0000000 CALL ea_.004013DB
0040132B 59 POP ECX
0040132C 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0040132F E8 E1070000 CALL ea_.00401B15
00401334 FF15 54A04000 CALL DWORD PTR DS:[<&kernel32.#266>] ; kernel32.GetCommandLineA
0040133A A3 585B4000 MOV DWORD PTR DS:[405B58],EAX
0040133F E8 9F060000 CALL ea_.004019E3
00401344 A3 30564000 MOV DWORD PTR DS:[405630],EAX
00401349 E8 48040000 CALL ea_.00401796
0040134E E8 8A030000 CALL ea_.004016DD
00401353 E8 A7000000 CALL ea_.004013FF
00401358 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
0040135B 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
0040135E 50 PUSH EAX
0040135F FF15 50A04000 CALL DWORD PTR DS:[<&kernel32.#431>] ; kernel32.GetStartupInfoA
00401365 E8 1B030000 CALL ea_.00401685
0040136A 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
0040136D F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
00401371 74 06 JE SHORT ea_.00401379
00401373 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
00401377 EB 03 JMP SHORT ea_.0040137C
00401379 6A 0A PUSH 0A
0040137B 58 POP EAX
0040137C 50 PUSH EAX
0040137D FF75 9C PUSH DWORD PTR SS:[EBP-64]
00401380 56 PUSH ESI
00401381 56 PUSH ESI
00401382 FF15 00A04000 CALL DWORD PTR DS:[<&kernel32.#375>] ; kernel32.GetModuleHandleA
00401388 50 PUSH EAX
00401389 E8 C2FDFFFF CALL ea_.00401150
0040138E 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00401391 50 PUSH EAX
00401392 E8 95000000 CALL ea_.0040142C
00401397 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0040139A 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040139C 8B09 MOV ECX,DWORD PTR DS:[ECX]
0040139E 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
004013A1 50 PUSH EAX
004013A2 51 PUSH ECX
004013A3 E8 59010000 CALL ea_.00401501
004013A8 59 POP ECX
004013A9 59 POP ECX
004013AA C3 RETN
004013AB 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
004013AE FF75 98 PUSH DWORD PTR SS:[EBP-68]
004013B1 E8 87000000 CALL ea_.0040143D
004013B6 833D 38564000 0>CMP DWORD PTR DS:[405638],1
004013BD 75 05 JNZ SHORT ea_.004013C4
004013BF E8 080B0000 CALL ea_.00401ECC
004013C4 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
004013C8 E8 380B0000 CALL ea_.00401F05
004013CD 68 FF000000 PUSH 0FF
004013D2 FF15 D4514000 CALL DWORD PTR DS:[4051D4] ; ea_.0040143D
004013D8 59 POP ECX
004013D9 59 POP ECX
004013DA C3 RETN
004013DB 833D 38564000 0>CMP DWORD PTR DS:[405638],1
004013E2 75 05 JNZ SHORT ea_.004013E9
004013E4 E8 E30A0000 CALL ea_.00401ECC
004013E9 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
004013ED E8 130B0000 CALL ea_.00401F05
004013F2 59 POP ECX
004013F3 68 FF000000 PUSH 0FF
004013F8 FF15 5CA04000 CALL DWORD PTR DS:[<&kernel32.#183>] ; kernel32.ExitProcess
004013FE C3 RETN
004013FF A1 545B4000 MOV EAX,DWORD PTR DS:[405B54]
00401404 85C0 TEST EAX,EAX
00401406 74 02 JE SHORT ea_.0040140A
00401408 FFD0 CALL EAX
0040140A 68 10504000 PUSH ea_.00405010
0040140F 68 08504000 PUSH ea_.00405008
00401414 E8 CE000000 CALL ea_.004014E7
00401419 68 04504000 PUSH ea_.00405004
0040141E 68 00504000 PUSH ea_.00405000
00401423 E8 BF000000 CALL ea_.004014E7
00401428 83C4 10 ADD ESP,10
0040142B C3 RETN
0040142C 6A 00 PUSH 0
0040142E 6A 00 PUSH 0
00401430 FF7424 0C PUSH DWORD PTR SS:[ESP+C]
00401434 E8 15000000 CALL ea_.0040144E
00401439 83C4 0C ADD ESP,0C
0040143C C3 RETN
0040143D 6A 00 PUSH 0
0040143F 6A 01 PUSH 1
00401441 FF7424 0C PUSH DWORD PTR SS:[ESP+C]
00401445 E8 04000000 CALL ea_.0040144E
0040144A 83C4 0C ADD ESP,0C
0040144D C3 RETN
0040144E 57 PUSH EDI
0040144F 6A 01 PUSH 1
00401451 5F POP EDI
00401452 393D 84564000 CMP DWORD PTR DS:[405684],EDI
00401458 75 11 JNZ SHORT ea_.0040146B
0040145A FF7424 08 PUSH DWORD PTR SS:[ESP+8]
0040145E FF15 64A04000 CALL DWORD PTR DS:[<&kernel32.#316>] ; kernel32.GetCurrentProcess
00401464 50 PUSH EAX
00401465 FF15 60A04000 CALL DWORD PTR DS:[<&kernel32.#843>] ; kernel32.TerminateProcess
0040146B 837C24 0C 00 CMP DWORD PTR SS:[ESP+C],0
00401470 53 PUSH EBX
00401471 8B5C24 14 MOV EBX,DWORD PTR SS:[ESP+14]
00401475 893D 80564000 MOV DWORD PTR DS:[405680],EDI
0040147B 881D 7C564000 MOV BYTE PTR DS:[40567C],BL
00401481 75 3C JNZ SHORT ea_.004014BF
00401483 A1 505B4000 MOV EAX,DWORD PTR DS:[405B50]
00401488 85C0 TEST EAX,EAX
0040148A 74 22 JE SHORT ea_.004014AE
0040148C 8B0D 4C5B4000 MOV ECX,DWORD PTR DS:[405B4C]
00401492 56 PUSH ESI
00401493 8D71 FC LEA ESI,DWORD PTR DS:[ECX-4]
00401496 3BF0 CMP ESI,EAX
00401498 72 13 JB SHORT ea_.004014AD
0040149A 8B06 MOV EAX,DWORD PTR DS:[ESI]
0040149C 85C0 TEST EAX,EAX
0040149E 74 02 JE SHORT ea_.004014A2
004014A0 FFD0 CALL EAX
004014A2 83EE 04 SUB ESI,4
004014A5 3B35 505B4000 CMP ESI,DWORD PTR DS:[405B50]
004014AB ^ 73 ED JNB SHORT ea_.0040149A
004014AD 5E POP ESI
004014AE 68 18504000 PUSH ea_.00405018
004014B3 68 14504000 PUSH ea_.00405014
004014B8 E8 2A000000 CALL ea_.004014E7
004014BD 59 POP ECX
004014BE 59 POP ECX
004014BF 68 20504000 PUSH ea_.00405020
004014C4 68 1C504000 PUSH ea_.0040501C
004014C9 E8 19000000 CALL ea_.004014E7
004014CE 59 POP ECX
004014CF 59 POP ECX
004014D0 85DB TEST EBX,EBX
004014D2 5B POP EBX
004014D3 75 10 JNZ SHORT ea_.004014E5
004014D5 FF7424 08 PUSH DWORD PTR SS:[ESP+8]
004014D9 893D 84564000 MOV DWORD PTR DS:[405684],EDI
004014DF FF15 5CA04000 CALL DWORD PTR DS:[<&kernel32.#183>] ; kernel32.ExitProcess
004014E5 5F POP EDI
004014E6 C3 RETN
004014E7 56 PUSH ESI
004014E8 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
004014EC 3B7424 0C CMP ESI,DWORD PTR SS:[ESP+C]
004014F0 73 0D JNB SHORT ea_.004014FF
004014F2 8B06 MOV EAX,DWORD PTR DS:[ESI]
004014F4 85C0 TEST EAX,EAX
004014F6 74 02 JE SHORT ea_.004014FA
004014F8 FFD0 CALL EAX
004014FA 83C6 04 ADD ESI,4
004014FD ^ EB ED JMP SHORT ea_.004014EC
004014FF 5E POP ESI
00401500 C3 RETN
00401501 55 PUSH EBP
00401502 8BEC MOV EBP,ESP
00401504 53 PUSH EBX
00401505 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401508 E8 35010000 CALL ea_.00401642
0040150D 85C0 TEST EAX,EAX
0040150F 59 POP ECX
00401510 0F84 20010000 JE ea_.00401636
00401516 8B58 08 MOV EBX,DWORD PTR DS:[EAX+8]
00401519 85DB TEST EBX,EBX
0040151B 0F84 15010000 JE ea_.00401636
00401521 83FB 05 CMP EBX,5
00401524 75 0C JNZ SHORT ea_.00401532
00401526 8360 08 00 AND DWORD PTR DS:[EAX+8],0
0040152A 6A 01 PUSH 1
0040152C 58 POP EAX
0040152D E9 0D010000 JMP ea_.0040163F
00401532 83FB 01 CMP EBX,1
00401535 0F84 F6000000 JE ea_.00401631
0040153B 8B0D 88564000 MOV ECX,DWORD PTR DS:[405688]
00401541 894D 08 MOV DWORD PTR SS:[EBP+8],ECX
00401544 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00401547 890D 88564000 MOV DWORD PTR DS:[405688],ECX
0040154D 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
00401550 83F9 08 CMP ECX,8
00401553 0F85 C8000000 JNZ ea_.00401621
00401559 8B0D 58524000 MOV ECX,DWORD PTR DS:[405258]
0040155F 8B15 5C524000 MOV EDX,DWORD PTR DS:[40525C]
00401565 03D1 ADD EDX,ECX
00401567 56 PUSH ESI
00401568 3BCA CMP ECX,EDX
0040156A 7D 15 JGE SHORT ea_.00401581
0040156C 8D3449 LEA ESI,DWORD PTR DS:[ECX+ECX*2]
0040156F 2BD1 SUB EDX,ECX
00401571 8D34B5 E8514000 LEA ESI,DWORD PTR DS:[ESI*4+4051E8]
00401578 8326 00 AND DWORD PTR DS:[ESI],0
0040157B 83C6 0C ADD ESI,0C
0040157E 4A DEC EDX
0040157F ^ 75 F7 JNZ SHORT ea_.00401578
00401581 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401583 8B35 64524000 MOV ESI,DWORD PTR DS:[405264]
00401589 3D 8E0000C0 CMP EAX,C000008E
0040158E 75 0C JNZ SHORT ea_.0040159C
00401590 C705 64524000 8>MOV DWORD PTR DS:[405264],83
0040159A EB 70 JMP SHORT ea_.0040160C
0040159C 3D 900000C0 CMP EAX,C0000090
004015A1 75 0C JNZ SHORT ea_.004015AF
004015A3 C705 64524000 8>MOV DWORD PTR DS:[405264],81
004015AD EB 5D JMP SHORT ea_.0040160C
004015AF 3D 910000C0 CMP EAX,C0000091
004015B4 75 0C JNZ SHORT ea_.004015C2
004015B6 C705 64524000 8>MOV DWORD PTR DS:[405264],84
004015C0 EB 4A JMP SHORT ea_.0040160C
004015C2 3D 930000C0 CMP EAX,C0000093
004015C7 75 0C JNZ SHORT ea_.004015D5
004015C9 C705 64524000 8>MOV DWORD PTR DS:[405264],85
004015D3 EB 37 JMP SHORT ea_.0040160C
004015D5 3D 8D0000C0 CMP EAX,C000008D
004015DA 75 0C JNZ SHORT ea_.004015E8
004015DC C705 64524000 8>MOV DWORD PTR DS:[405264],82
004015E6 EB 24 JMP SHORT ea_.0040160C
004015E8 3D 8F0000C0 CMP EAX,C000008F
004015ED 75 0C JNZ SHORT ea_.004015FB
004015EF C705 64524000 8>MOV DWORD PTR DS:[405264],86
004015F9 EB 11 JMP SHORT ea_.0040160C
004015FB 3D 920000C0 CMP EAX,C0000092
00401600 75 0A JNZ SHORT ea_.0040160C
00401602 C705 64524000 8>MOV DWORD PTR DS:[405264],8A
0040160C FF35 64524000 PUSH DWORD PTR DS:[405264]
00401612 6A 08 PUSH 8
00401614 FFD3 CALL EBX
00401616 59 POP ECX
00401617 8935 64524000 MOV DWORD PTR DS:[405264],ESI
0040161D 59 POP ECX
0040161E 5E POP ESI
0040161F EB 08 JMP SHORT ea_.00401629
00401621 8360 08 00 AND DWORD PTR DS:[EAX+8],0
00401625 51 PUSH ECX
00401626 FFD3 CALL EBX
00401628 59 POP ECX
00401629 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0040162C A3 88564000 MOV DWORD PTR DS:[405688],EAX
00401631 83C8 FF OR EAX,FFFFFFFF
00401634 EB 09 JMP SHORT ea_.0040163F
00401636 FF75 0C PUSH DWORD PTR SS:[EBP+C]
00401639 FF15 68A04000 CALL DWORD PTR DS:[<&kernel32.#860>] ; kernel32.UnhandledExceptionFilter
0040163F 5B POP EBX
00401640 5D POP EBP
00401641 C3 RETN
00401642 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
00401646 8B0D 60524000 MOV ECX,DWORD PTR DS:[405260]
0040164C 3915 E0514000 CMP DWORD PTR DS:[4051E0],EDX
00401652 56 PUSH ESI
00401653 B8 E0514000 MOV EAX,ea_.004051E0
00401658 74 15 JE SHORT ea_.0040166F
0040165A 8D3449 LEA ESI,DWORD PTR DS:[ECX+ECX*2]
0040165D 8D34B5 E0514000 LEA ESI,DWORD PTR DS:[ESI*4+4051E0]
00401664 83C0 0C ADD EAX,0C
00401667 3BC6 CMP EAX,ESI
00401669 73 04 JNB SHORT ea_.0040166F
0040166B 3910 CMP DWORD PTR DS:[EAX],EDX
0040166D ^ 75 F5 JNZ SHORT ea_.00401664
0040166F 8D0C49 LEA ECX,DWORD PTR DS:[ECX+ECX*2]
00401672 5E POP ESI
00401673 8D0C8D E0514000 LEA ECX,DWORD PTR DS:[ECX*4+4051E0]
0040167A 3BC1 CMP EAX,ECX
Then run the program and the nag box appears: "I'm stupid Nag-Screen.. U can choose to remove me". Restart the program and use OD's string references to find where the string lives, at 40103b. A few jumps sit above it, but if a jump is changed the program's main window no longer appears either, so the only option is to kill the call: fill 401034-401041 with NOPs. Run the program and the nag is gone; cracking finished.
00401000 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00401004 83F8 10 CMP EAX,10
00401007 0F87 BC000000 JA ea_.004010C9
0040100D 0F84 A6000000 JE ea_.004010B9
00401013 8BC8 MOV ECX,EAX
00401015 49 DEC ECX
00401016 74 14 JE SHORT ea_.0040102C
00401018 49 DEC ECX
00401019 0F85 B1000000 JNZ ea_.004010D0
0040101F 6A 00 PUSH 0
00401021 FF15 BCA04000 CALL DWORD PTR DS:[<&user32.#514>] ; user32.PostQuitMessage
00401027 33C0 XOR EAX,EAX
00401029 C2 1000 RETN 10
0040102C 53 PUSH EBX
0040102D 55 PUSH EBP
0040102E 8B6C24 0C MOV EBP,DWORD PTR SS:[ESP+C]
00401032 56 PUSH ESI
00401033 57 PUSH EDI
00401034 6A 10 PUSH 10
00401036 68 70514000 PUSH ea_.00405170 ; ASCII "Warning!!"
0040103B 68 3C514000 PUSH ea_.0040513C ; ASCII "I'm stupid Nag-Screen..
U can choose to remove me"
00401040 55 PUSH EBP
00401041 FF15 C0A04000 CALL DWORD PTR DS:[<&user32.#477>] ; user32.MessageBoxA
00401047 FF15 C4A04000 CALL DWORD PTR DS:[<&user32.#94>] ; user32.CreateMenu
0040104D 8BF8 MOV EDI,EAX
0040104F FF15 C8A04000 CALL DWORD PTR DS:[<&user32.#95>] ; user32.CreatePopupMenu
00401055 8B35 CCA04000 MOV ESI,DWORD PTR DS:[<&user32.#9>] ; user32.AppendMenuA
0040105B 68 34514000 PUSH ea_.00405134 ; ASCII "E&xit"
00401060 8BD8 MOV EBX,EAX
00401062 68 29230000 PUSH 2329
00401067 6A 00 PUSH 0
00401069 53 PUSH EBX
0040106A FFD6 CALL ESI
0040106C 68 2C514000 PUSH ea_.0040512C ; ASCII "&File"
00401071 53 PUSH EBX
00401072 6A 10 PUSH 10
00401074 57 PUSH EDI
00401075 FFD6 CALL ESI
00401077 FF15 C8A04000 CALL DWORD PTR DS:[<&user32.#95>] ; user32.CreatePopupMenu
0040107D 68 24514000 PUSH ea_.00405124 ; ASCII "&Secret"
00401082 8BD8 MOV EBX,EAX
00401084 68 2B230000 PUSH 232B
00401089 6A 01 PUSH 1
0040108B 53 PUSH EBX
0040108C FFD6 CALL ESI
0040108E 68 1C514000 PUSH ea_.0040511C ; ASCII "&About"
00401093 68 2A230000 PUSH 232A
00401098 6A 00 PUSH 0
0040109A 53 PUSH EBX
0040109B FFD6 CALL ESI
0040109D 68 14514000 PUSH ea_.00405114 ; ASCII "&Help"
004010A2 53 PUSH EBX
004010A3 6A 10 PUSH 10
004010A5 57 PUSH EDI
004010A6 FFD6 CALL ESI
004010A8 57 PUSH EDI
004010A9 55 PUSH EBP
004010AA FF15 D0A04000 CALL DWORD PTR DS:[<&user32.#606>] ; user32.SetMenu
004010B0 5F POP EDI
004010B1 5E POP ESI
004010B2 5D POP EBP
004010B3 5B POP EBX
004010B4 33C0 XOR EAX,EAX
004010B6 C2 1000 RETN 10
004010B9 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
004010BD 50 PUSH EAX
004010BE FF15 D4A04000 CALL DWORD PTR DS:[<&user32.#154>] ; user32.DestroyWindow
004010C4 33C0 XOR EAX,EAX
004010C6 C2 1000 RETN 10
004010C9 3D 11010000 CMP EAX,111
004010CE 74 19 JE SHORT ea_.004010E9
004010D0 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
004010D4 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
Cracking summary
This program is a crackme written by a foreigner. To experts it may be too simple, but for a newbie like me it was not simple at all; it took me more than a week. The nag means "I am a stupid nag, you cannot get rid of me", i.e. it taunts a newbie like me for being helpless. In the end I learned that to kill a call you have to watch the stack: registers pushed onto the stack must be matched by corresponding pops. That finally solved this nag. Perhaps it is useful to friends who are just learning cracking, so I wrote this crack article. One last question: after unpacking with OD, when I open the unpacked program in OD again, OD still says it is packed. I don't know why?
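As an added example (not code from the post), the following Python decodes the five instructions of the nag call sequence transcribed from the listing above, reports the net stack effect of a candidate patch, and builds the NOP fill the post applies from 0x401034 through the CALL at 0x401041. The minimal decoder and the stdcall argument count for MessageBoxA are assumptions of this example; the IAT slot 0x40A0C0 is read from the FF15 operand in the listing.

```python
# Added example, not the post's own code: why the whole PUSH..CALL sequence
# (and not just the CALL) has to be NOPed to keep the stack balanced.

NOP = 0x90

# Bytes transcribed from the listing in the post (0x401034 .. 0x401046, 19 bytes).
NAG_START = 0x401034
NAG_BYTES = bytes.fromhex(
    "6A10"          # PUSH 10                 ; uType
    "6870514000"    # PUSH 405170             ; "Warning!!"
    "683C514000"    # PUSH 40513C             ; "I'm stupid Nag-Screen.."
    "55"            # PUSH EBP                ; hWnd
    "FF15C0A04000"  # CALL DWORD PTR [40A0C0] ; user32.MessageBoxA
)

# IAT slot -> (name, number of stdcall arguments). The slot address is the
# FF15 operand from the listing; a stdcall callee pops its own arguments.
STDCALL_IMPORTS = {0x40A0C0: ("MessageBoxA", 4)}


def decode(code, base):
    """Minimal decoder for the opcodes that occur in this sequence.

    Returns (address, text, length, stack_delta) per instruction, where
    stack_delta is the change of ESP after it completes (negative = grows)."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == NOP:
            ins = ("NOP", 1, 0)
        elif op == 0x6A:
            ins = (f"PUSH {code[i+1]:X}", 2, -4)
        elif op == 0x68:
            ins = (f"PUSH {int.from_bytes(code[i+1:i+5], 'little'):X}", 5, -4)
        elif 0x50 <= op <= 0x57:
            ins = ("PUSH r32", 1, -4)
        elif 0x58 <= op <= 0x5F:
            ins = ("POP r32", 1, +4)
        elif op == 0xFF and code[i+1] == 0x15:
            slot = int.from_bytes(code[i+2:i+6], "little")
            name, nargs = STDCALL_IMPORTS.get(slot, ("?", 0))
            # CALL pushes and the callee's RET pops the return address (net 0);
            # a stdcall callee additionally pops nargs*4 bytes of arguments.
            ins = (f"CALL [{slot:X}] ; {name}", 6, +4 * nargs)
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {base+i:X}")
        out.append((base + i,) + ins)
        i += ins[1]
    return out


def stack_delta(code, base):
    return sum(d for _, _, _, d in decode(code, base))


def nop_fill(code, base, start, end):
    """Return a copy of code with [start, end) replaced by NOPs.

    Refuses the patch unless the removed region is itself stack-neutral;
    otherwise the caller keeps pushing arguments that nobody pops."""
    lo, hi = start - base, end - base
    if stack_delta(code[lo:hi], start) != 0:
        raise ValueError("region is not stack-balanced; widen or narrow the patch")
    return code[:lo] + bytes([NOP]) * (hi - lo) + code[hi:]


def nag_patch():
    """The post's patch: NOP 0x401034 through the CALL at 0x401041 (ends 0x401047)."""
    return nop_fill(NAG_BYTES, NAG_START, 0x401034, 0x401047)


def call_only_patch_delta():
    """What happens if only the 6-byte CALL is NOPed: four PUSHes remain."""
    code = NAG_BYTES[:13] + bytes([NOP]) * 6
    return stack_delta(code, NAG_START)


if __name__ == "__main__":
    for addr, text, _, delta in decode(NAG_BYTES, NAG_START):
        print(f"{addr:08X}  {text:<30} esp{delta:+d}")
    print("whole sequence delta:", stack_delta(NAG_BYTES, NAG_START))
    print("call-only patch delta:", call_only_patch_delta())
    print("patched bytes:", nag_patch().hex())
```

With the CALL alone removed the sequence leaves 16 stale bytes on the stack, so the POP EDI/ESI/EBP/EBX at 4010B0 restore garbage; removing the four PUSHes together with the CALL is stack-neutral.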