[Old post] [Help] Set a registry breakpoint.. can't trace the address in the stack
Posted: 2010-5-18 14:40

Using a registry monitoring tool I found..

  ..that the program's registration code is stored at

HKLM\SOFTWARE\NotepadPlus\Rcode:"0000000000000000000000000000000000000"

Then in OD I set a breakpoint:   bp RegOpenKeyExa

..It does break.. but.. I never see.. the NotepadPlus key or the Rcode value..

  ..it's all other registry keys and values.. and after running it a few times the program just runs away.!!

  .Does anyone know what's going on here!!


Latest replies (2)
This function opens a registry key; it neither writes nor reads, so it is meaningless.
2010-5-18 14:44
Thanks for your reply..

Opening the registry.. doesn't it have to open the location where the fake code is stored??

I'll post my process..

HKLM\SOFTWARE\NotepadPlus\Rcode:"00000000000000000000000000000000000000"

RegOpenKeyExa   

[After setting the breakpoint and pressing F9, the stack data ends up here]

0012EE14   76DB3607  /CALL 到 RegOpenKeyExA 来自 MSASN1.76DB3605
0012EE18   80000002  |hKey = HKEY_LOCAL_MACHINE
0012EE1C   76DB363C  |Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1"
0012EE20   00000000  |Reserved = 0
0012EE24   00020019  |Access = KEY_READ
0012EE28   0012EE58  \pHandle = 0012EE58

[After pressing F9 again, the stack data ends up here]

0012ED30   77DCC449  /CALL 到 RegOpenKeyExA 来自 advapi32.77DCC444
0012ED34   80000000  |hKey = HKEY_CLASSES_ROOT
0012ED38   75C67704  |Subkey = "PROTOCOLS\Name-Space Handler\"
0012ED3C   00000000  |Reserved = 0
0012ED40   02000000  |Access = 2000000
0012ED44   0012ED60  \pHandle = 0012ED60

[After pressing F9 again, the stack data ends up here]

0012EE3C   75C68051  /CALL 到 RegOpenKeyExA 来自 75C6804B
0012EE40   80000001  |hKey = HKEY_CURRENT_USER
0012EE44   75C69E60  |Subkey = "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
0012EE48   00000000  |Reserved = 0
0012EE4C   00000001  |Access = KEY_QUERY_VALUE
0012EE50   0012EE60  \pHandle = 0012EE60

[After pressing F9 again, the stack data ends up here]

0012EE3C   75C69E4F  /CALL 到 RegOpenKeyExA 来自 75C69E49
0012EE40   80000001  |hKey = HKEY_CURRENT_USER
0012EE44   75C69E60  |Subkey = "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
0012EE48   00000000  |Reserved = 0
0012EE4C   00000001  |Access = KEY_QUERY_VALUE
0012EE50   0012EE60  \pHandle = 0012EE60

[After pressing F9 again, the stack data ends up here]

0012EE3C   75C6809F  /CALL 到 RegOpenKeyExA 来自 75C68099
0012EE40   80000002  |hKey = HKEY_LOCAL_MACHINE
0012EE44   75C676A8  |Subkey = "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
0012EE48   00000000  |Reserved = 0
0012EE4C   00000001  |Access = KEY_QUERY_VALUE
0012EE50   0012EE60  \pHandle = 0012EE60

[After pressing F9 again, the stack data ends up here]

0012ECA0   77F4AE0F  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F4AE0D
0012ECA4   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ECA8   00161660  |Subkey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"
0012ECAC   00000000  |Reserved = 0
0012ECB0   00000001  |Access = KEY_QUERY_VALUE
0012ECB4   00161658  \pHandle = 00161658

[After pressing F9 again, the stack data ends up here]

0012ECA4   77F4AE0F  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F4AE0D
0012ECA8   80000001  |hKey = HKEY_CURRENT_USER
0012ECAC   00161708  |Subkey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
0012ECB0   00000000  |Reserved = 0
0012ECB4   00020019  |Access = KEY_READ
0012ECB8   001616F8  \pHandle = 001616F8

[After pressing F9 again, the stack data ends up here]

0012ECA4   77F4AE59  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F4AE57
0012ECA8   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ECAC   00161708  |Subkey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
0012ECB0   00000000  |Reserved = 0
0012ECB4   00020019  |Access = KEY_READ
0012ECB8   00161700  \pHandle = 00161700

[After pressing F9 again, the stack data ends up here]

0012ECA4   77F4AE0F  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F4AE0D
0012ECA8   80000001  |hKey = HKEY_CURRENT_USER
0012ECAC   00161708  |Subkey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"
0012ECB0   00000000  |Reserved = 0
0012ECB4   00020019  |Access = KEY_READ
0012ECB8   001616F8  \pHandle = 001616F8

[After pressing F9 again, the stack data ends up here]

0012ECA4   77F4AE59  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F4AE57
0012ECA8   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ECAC   00161708  |Subkey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"
0012ECB0   00000000  |Reserved = 0
0012ECB4   00020019  |Access = KEY_READ
0012ECB8   00161700  \pHandle = 00161700

[After pressing F9 again, the stack data ends up here]

0012ED78   77F55DE5  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F55DDF
0012ED7C   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ED80   10047188  |Subkey = "SOFTWARE\KasperskyLab\SetupFolders"
0012ED84   00000000  |Reserved = 0
0012ED88   00000001  |Access = KEY_QUERY_VALUE
0012ED8C   0012EDA4  \pHandle = 0012EDA4

[After pressing F9 again, the stack data ends up here]

0012ED78   77F55DE5  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F55DDF
0012ED7C   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ED80   10047188  |Subkey = "SOFTWARE\KasperskyLab\SetupFolders"
0012ED84   00000000  |Reserved = 0
0012ED88   00000001  |Access = KEY_QUERY_VALUE
0012ED8C   0012EDA4  \pHandle = 0012EDA4

[After pressing F9 again, the stack data ends up here]

0012ED78   77F55DE5  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F55DDF
0012ED7C   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ED80   10047188  |Subkey = "SOFTWARE\KasperskyLab\SetupFolders"
0012ED84   00000000  |Reserved = 0
0012ED88   00000001  |Access = KEY_QUERY_VALUE
0012ED8C   0012EDA4  \pHandle = 0012EDA4

[After pressing F9 again, the stack data ends up here]
This one went straight to 小布丁.exe.. no idea why!!

0012E974   746830A7  /CALL 到 RegOpenKeyExA 来自 746830A1
0012E978   80000002  |hKey = HKEY_LOCAL_MACHINE
0012E97C   0012EBC4  |Subkey = "SOFTWARE\Microsoft\CTF\Compatibility\小布丁.exe"
0012E980   00000000  |Reserved = 0
0012E984   00020019  |Access = KEY_READ
0012E988   0012E990  \pHandle = 0012E990

[After pressing F9 again, the stack data ends up here]

0012EC64   746830A7  /CALL 到 RegOpenKeyExA 来自 746830A1
0012EC68   80000002  |hKey = HKEY_LOCAL_MACHINE
0012EC6C   74682F14  |Subkey = "SOFTWARE\Microsoft\CTF\SystemShared\"
0012EC70   00000000  |Reserved = 0
0012EC74   00020019  |Access = KEY_READ
0012EC78   0012EC80  \pHandle = 0012EC80

[After pressing F9 again, the stack data ends up here]

0012EC64   746830A7  /CALL 到 RegOpenKeyExA 来自 746830A1
0012EC68   80000002  |hKey = HKEY_LOCAL_MACHINE
0012EC6C   74682F14  |Subkey = "SOFTWARE\Microsoft\CTF\SystemShared\"
0012EC70   00000000  |Reserved = 0
0012EC74   00020019  |Access = KEY_READ
0012EC78   0012EC80  \pHandle = 0012EC80

[After pressing F9 again, the stack data ends up here]

0012ECA8   7468260A  /CALL 到 RegOpenKeyExA 来自 74682604
0012ECAC   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ECB0   74682644  |Subkey = "SOFTWARE\Microsoft\CTF\"
0012ECB4   00000000  |Reserved = 0
0012ECB8   00020019  |Access = KEY_READ
0012ECBC   0012ECC4  \pHandle = 0012ECC4

[This one took longer to load than the others.. but only about two or three seconds]

0012F514   73FBAE76  /CALL 到 RegOpenKeyExA 来自 USP10.73FBAE70
0012F518   80000002  |hKey = HKEY_LOCAL_MACHINE
0012F51C   73FA17B0  |Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback"
0012F520   00000000  |Reserved = 0
0012F524   00000009  |Access = KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS
0012F528   0012F534  \pHandle = 0012F534

[Press F9 again and the program starts running away.]

0012E28C   77E7FB8E  /CALL 到 RegOpenKeyExA 来自 RPCRT4.77E7FB88
0012E290   80000002  |hKey = HKEY_LOCAL_MACHINE
0012E294   77E7F88C  |Subkey = "Software\Microsoft\Rpc"
0012E298   00000000  |Reserved = 0
0012E29C   00020019  |Access = KEY_READ
0012E2A0   0012E2B8  \pHandle = 0012E2B8

[Press F9 again, no more data is shown]
2010-5-18 14:55
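An added example, not part of the thread, that applies the first reply to the dumps the poster pasted: a small Python parser for OllyDbg's call-stack output that groups RegOpenKeyExA hits by the calling module, decodes the requested access mask from the raw stack dword, and filters hits by subkey, so system-DLL noise (MSASN1, SHLWAPI, advapi32, USP10, RPCRT4 in the dumps above) can be separated from the one call that opens the key of interest. The sample dump is constructed: three hits copied from the thread plus one made-up hit from a placeholder module named `target` opening `SOFTWARE\NotepadPlus`; the regexes accept both OllyDbg's English "to/from" wording and the localized "到/来自" wording seen here. RegOpenKeyEx only receives the subkey path, never a value name, so a value such as Rcode cannot appear in its arguments and the subkey is the right thing to filter on.

```python
import re
from collections import Counter

# Win32 registry access-mask bits (winnt.h / winreg.h)
KEY_QUERY_VALUE = 0x0001
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004
KEY_READ = 0x20019
MAXIMUM_ALLOWED = 0x02000000

# Constructed sample: three hits copied from the thread's OllyDbg dumps plus one
# made-up hit from the placeholder module "target" opening SOFTWARE\NotepadPlus.
SAMPLE_DUMP = r"""
0012EE14   76DB3607  /CALL 到 RegOpenKeyExA 来自 MSASN1.76DB3605
0012EE18   80000002  |hKey = HKEY_LOCAL_MACHINE
0012EE1C   76DB363C  |Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1"
0012EE20   00000000  |Reserved = 0
0012EE24   00020019  |Access = KEY_READ
0012EE28   0012EE58  \pHandle = 0012EE58

0012EE3C   75C68051  /CALL 到 RegOpenKeyExA 来自 75C6804B
0012EE40   80000001  |hKey = HKEY_CURRENT_USER
0012EE44   75C69E60  |Subkey = "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
0012EE48   00000000  |Reserved = 0
0012EE4C   00000001  |Access = KEY_QUERY_VALUE
0012EE50   0012EE60  \pHandle = 0012EE60

0012ED78   77F55DE5  /CALL 到 RegOpenKeyExA 来自 SHLWAPI.77F55DDF
0012ED7C   80000002  |hKey = HKEY_LOCAL_MACHINE
0012ED80   10047188  |Subkey = "SOFTWARE\KasperskyLab\SetupFolders"
0012ED84   00000000  |Reserved = 0
0012ED88   00000001  |Access = KEY_QUERY_VALUE
0012ED8C   0012EDA4  \pHandle = 0012EDA4

0012F000   00401236  /CALL 到 RegOpenKeyExA 来自 target.00401230
0012F004   80000002  |hKey = HKEY_LOCAL_MACHINE
0012F008   00403010  |Subkey = "SOFTWARE\NotepadPlus"
0012F00C   00000000  |Reserved = 0
0012F010   00020019  |Access = KEY_READ
0012F014   0012F030  \pHandle = 0012F030
"""

# Call line: "<esp> <retaddr> /CALL to <api> from <module.addr>" (localized: 到 / 来自)
CALL_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+/CALL\s+(?:to|到)\s+(\S+)\s+(?:from|来自)\s+(\S+)\s*$"
)
# Argument line: "<esp> <raw dword> |Name = value"; OllyDbg marks the last argument with '\'
ARG_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+[|\\](\w+)\s*=\s*(.*?)\s*$")


def parse_dump(text):
    """Turn OllyDbg stack-window text into a list of call records."""
    hits, current = [], None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = {"esp": m.group(1), "ret": m.group(2), "api": m.group(3),
                       "caller": m.group(4), "args": {}, "access_mask": None}
            hits.append(current)
            continue
        m = ARG_RE.match(line)
        if m and current is not None:
            raw, name, value = m.group(2), m.group(3), m.group(4)
            current["args"][name] = value.strip('"')
            if name == "Access":
                # decode from the raw dword rather than OllyDbg's label, which may be a bare number
                current["access_mask"] = int(raw, 16)
    return hits


def caller_module(hit):
    """Module OllyDbg resolved for the return address; '?' when it printed a bare address."""
    caller = hit["caller"]
    return caller.rsplit(".", 1)[0] if "." in caller else "?"


def hits_by_module(hits):
    """Count breakpoint hits per calling module, to see where the noise comes from."""
    return Counter(caller_module(h) for h in hits)


def opens_for_write(hit):
    """True if the requested access could modify the key (set values, create subkeys,
    or MAXIMUM_ALLOWED, which may resolve to a writable handle)."""
    mask = hit["access_mask"] or 0
    return bool(mask & (KEY_SET_VALUE | KEY_CREATE_SUB_KEY | MAXIMUM_ALLOWED))


def find_subkey(hits, needle):
    """Hits whose Subkey argument contains needle (case-insensitive, as registry paths are)."""
    needle = needle.lower()
    return [h for h in hits if needle in h["args"].get("Subkey", "").lower()]


if __name__ == "__main__":
    hits = parse_dump(SAMPLE_DUMP)
    print("hits per calling module:", dict(hits_by_module(hits)))
    for h in find_subkey(hits, "NotepadPlus"):
        print(f"match: {h['caller']} opens {h['args']['hKey']}\\{h['args']['Subkey']} "
              f"(mask 0x{h['access_mask']:X}, write={opens_for_write(h)})")
```

Pasting a real OllyDbg stack dump into `parse_dump` in place of the constructed sample gives the same per-module breakdown; hits whose caller is a bare address (no module name) are reported under `?`, which is itself useful, since OllyDbg resolved a module name for every system-DLL hit in the dumps above.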