[Old post] [Help] While debugging 1toX 1.63, I enter the VERSION module and cannot finish debugging

Posted: 2011-9-2 14:48
After reading
Title: Cracking Log (6): 1toX 1.63 (6,000 characters)
Author: xiA Qin
Time: 2000-7-20 11:27:47
Link: http://bbs.pediy.com
I wanted to debug this program myself. I found that that kind of patching does not work, so I decided to debug it on my own.
00408F37 . 8B0D 98A64200 MOV ECX,DWORD PTR DS:[42A698]
00408F3D . 83C4 04 ADD ESP,4
00408F40 . 3BC1 CMP EAX,ECX
00408F42 . 74 2E JE SHORT 1toX.00408F72
00408F44 . 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00408F46 . 68 FC724200 PUSH 1toX.004272FC ; |register
00408F4B . 68 54724200 PUSH 1toX.00427254 ; |invalid key\nplease enter your name and key as they have been delivered to you
00408F50 . 55 PUSH EBP ; |hOwner
00408F51 . FF15 E4314200 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00408F57 . 6A 01 PUSH 1 ; /Result = 1
00408F59 . 55 PUSH EBP ; |hWnd
00408F5A . FF15 0C324200 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
Here 00408F42 is the key jump. After I changed the je to jne, the program goes to 00408F72:
00408F72 > \8B0D 24F64200 MOV ECX,DWORD PTR DS:[42F624] ; 1toX.00400000
00408F78 . 8D8424 400100>LEA EAX,DWORD PTR SS:[ESP+140]
00408F7F . 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00408F84 . 50 PUSH EAX ; |PathBuffer
00408F85 . 51 PUSH ECX ; |hModule => 00400000 (1toX)
00408F86 . FF15 9C304200 CALL DWORD PTR DS:[<&KERNEL32.GetModuleFileNameA>; \GetModuleFileNameA
00408F8C . 8D9424 400100>LEA EDX,DWORD PTR SS:[ESP+140]
00408F93 . 8D8424 400100>LEA EAX,DWORD PTR SS:[ESP+140]
00408F9A . 52 PUSH EDX ; /Translation
00408F9B . 50 PUSH EAX ; |OemString
00408F9C . FF15 08324200 CALL DWORD PTR DS:[<&USER32.OemToCharA>] ; \OemToCharA
00408FA2 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00408FA6 . 8D9424 400100>LEA EDX,DWORD PTR SS:[ESP+140]
00408FAD . 51 PUSH ECX ; /pHandle
00408FAE . 52 PUSH EDX ; |FileName
00408FAF . E8 049F0000 CALL <JMP.&VERSION.GetFileVersionInfoSizeA> ; \GetFileVersionInfoSizeA
00408FB4 . 8BF0 MOV ESI,EAX
00408FB6 . 56 PUSH ESI ; /MemSize
00408FB7 . 6A 02 PUSH 2 ; |Flags = GMEM_MOVEABLE
00408FB9 . FF15 98304200 CALL DWORD PTR DS:[<&KERNEL32.GlobalAlloc>] ; \GlobalAlloc
00408FBF . 8BE8 MOV EBP,EAX
00408FC1 . 55 PUSH EBP ; /hMem
00408FC2 . FF15 94304200 CALL DWORD PTR DS:[<&KERNEL32.GlobalLock>] ; \GlobalLock
00408FC8 . 50 PUSH EAX
00408FC9 . 8D8424 440100>LEA EAX,DWORD PTR SS:[ESP+144]
00408FD0 . 56 PUSH ESI ; MemSize
00408FD1 . 50 PUSH EAX ; Memhandle
00408FD2 . E8 89F5FFFF CALL 1toX.00408560 ; after this call, execution enters the VERSION module
00408FD7 . 68 64644200 PUSH 1toX.00426464 ; 1tox
00408FDC . 8D8C24 3C0400>LEA ECX,DWORD PTR SS:[ESP+43C]
00408FE3 . 68 C8634200 PUSH 1toX.004263C8 ; %s
When the program reaches 00408FD2 and I press F8, it enters the VERSION module and OD shows an access violation: reading [BAADF011]. After pressing Shift+F8 it goes into NTDLL.
Pressing Alt+F9 to return to the main program, OD shows an access violation: reading [BAADF000]; pressing Shift+F8 gives an error.
I do not know how to single-step at address BAADF000.