能力值:
( LV2,RANK:10 )
|
-
-
2 楼
设断点在getDlgItemTextA, 停下来后alt+f9就来到地址0047D75F 这里。
试过正确的密码和错误的密码,执行顺序都差不多
0047D752 |. 68 B83B4D00 PUSH WinRAR.004D3BB8 ; |Buffer = WinRAR.004D3BB8
0047D757 |. 6A 65 PUSH 65 ; |ControlID = 65 (101.)
0047D759 |. 56 PUSH ESI ; |hWnd
0047D75A |. E8 0D450200 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
0047D75F |. 6A 01 PUSH 1 ; /Result = 1
0047D761 |. 56 PUSH ESI ; |hWnd
0047D762 |. E8 93440200 CALL <JMP.&USER32.EndDialog> ; \EndDialog
0047D767 |. B8 01000000 MOV EAX,1
0047D76C |. EB 15 JMP SHORT WinRAR.0047D783
0047D76E |> 6A 00 PUSH 0 ; /Result = 0
0047D770 |. 56 PUSH ESI ; |hWnd
0047D771 |. E8 84440200 CALL <JMP.&USER32.EndDialog> ; \EndDialog
0047D776 |. B8 01000000 MOV EAX,1
0047D77B |. EB 06 JMP SHORT WinRAR.0047D783
0047D77D |> 33C0 XOR EAX,EAX
0047D77F |. EB 02 JMP SHORT WinRAR.0047D783
0047D781 |> 33C0 XOR EAX,EAX ; Default case of switch 0047D71D
0047D783 |> 5F POP EDI
0047D784 |. 5E POP ESI
0047D785 |. 5B POP EBX
0047D786 |. 5D POP EBP
0047D787 \. C2 1000 RETN 10 《==这里返回到USER
0047D78A /. 55 PUSH EBP
0047D78B |. 8BEC MOV EBP,ESP
这是调用0047D762是的堆栈。
00107284 002A108C |hWnd = 002A108C ('输入密码',class='#32770',parent=00090C58)
00107288 00000001 \Result = 1
0010728C 00107300
00107290 0047D6F4 WinRAR.0047D6F4
00107294 00000000
00107298 /001072C4
0010729C |7E418734 返回到 USER32.7E418734
一直按F8 在USER里retn 9-10次后,来到这里,
7E41B517 E8 88DFFFFF CALL USER32.7E4194A4
正确的密码,这条指令把文件解压缩出来。对于错误的密码,弹出crc校验错误的对话框。
7E41B50C 6A 00 PUSH 0
7E41B50E 6A 0C PUSH 0C
7E41B510 5A POP EDX
7E41B511 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
7E41B514 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
7E41B517 E8 88DFFFFF CALL USER32.7E4194A4
7E41B51C C9 LEAVE
7E41B51D C2 0400 RETN 4
|
|
|
