有一个软件,嗅探是由Microsoft Visual Studio .NET 2005 -- 2008 (应该是MFC)编写的,其保护机制是日期限制,超过2011年即不能运行,将弹出对话框“软件已过期……”,找到这个字符串地址和相关代码:
:004091B7 85F6 test esi, esi
:004091B9 7474 je 0040922F
(将此处的7474改成EB74,直接爆破)
:004091BB E83AE80300 call 004479FA
:004091C0 33C9 xor ecx, ecx
:004091C2 85C0 test eax, eax
:004091C4 0F95C1 setne cl
:004091C7 85C9 test ecx, ecx
:004091C9 750A jne 004091D5
:004091CB 6805400080 push 80004005
:004091D0 E8BB8FFFFF call 00402190
:004091D5 8B10 mov edx, dword ptr [eax]
:004091D7 8BC8 mov ecx, eax
:004091D9 8B420C mov eax, dword ptr [edx+0C]
:004091DC FFD0 call eax
:004091DE 83C010 add eax, 00000010
:004091E1 89442414 mov dword ptr [esp+14], eax
:004091E5 83FE01 cmp esi, 00000001
:004091E8 C784243C06000000000000 mov dword ptr [esp+0000063C], 00000000
:004091F3 7411 je 00409206
:004091F5 83FE02 cmp esi, 00000002
:004091F8 740C je 00409206
:004091FA 6860A84900 push 0049A860
:004091FF 8D4C2418 lea ecx, dword ptr [esp+18]
:00409203 51 push ecx
:00409204 EB0A jmp 00409210
:00409206 68F8A74900 push 0049A7F8
(就是这个地址保存了字符串)
:0040920B 8D542418 lea edx, dword ptr [esp+18]
:0040920F 52 push edx
:00409210 E86B93FFFF call 00402580
:00409215 8B44241C mov eax, dword ptr [esp+1C]
:00409219 83C408 add esp, 00000008
:0040921C 6A00 push 00000000
:0040921E 6A00 push 00000000
:00409220 50 push eax
:00409221 8BCD mov ecx, ebp
:00409223 E8398B0300 call 00441D61
:00409228 6A00 push 00000000
:0040922A E8C7470500 call 0045D9F6
:0040922F 8B8C2434060000 mov ecx, dword ptr [esp+00000634]
:00409236 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040923D 59 pop ecx
:0040923E 5F pop edi
:0040923F 5E pop esi
:00409240 5D pop ebp
:00409241 5B pop ebx
:00409242 8B8C241C060000 mov ecx, dword ptr [esp+0000061C]
:00409249 33CC xor ecx, esp
:0040924B E803360500 call 0045C853
:00409250 81C42C060000 add esp, 0000062C
:00409256 C20C00 ret 000C
直接爆破后,对话框不出现,正常工作界面出来后却发现功能不正常,可见简单的直接爆破是不行的。再看软件与日期时间的相关调用,
函数GetSystemTimeAsFileTime 取得系统时间为文件时间引起了注意,那么,这个函数在调用后各寄存器的状态如何呢?特别是返回的日期参数保存在哪个寄存器呢?知道了这个寄存器的话,那么就可以对其赋值,将2012改为2011从而满足软件正常运行的条件,软件代码中GetSystemTimeAsFileTime出场了两次:
一处是:
:0045E92E 55 push ebp
:0045E92F 8BEC mov ebp, esp
:0045E931 51 push ecx
:0045E932 51 push ecx
:0045E933 8D45F8 lea eax, dword ptr [ebp-08]
:0045E936 50 push eax
* Reference To: KERNEL32.GetSystemTimeAsFileTime, Ord:01CAh
|
:0045E937 FF1518714700 Call dword ptr [00477118]
:0045E93D 8B45F8 mov eax, dword ptr [ebp-08]
:0045E940 8B4DFC mov ecx, dword ptr [ebp-04]
:0045E943 6A00 push 00000000
:0045E945 050080C12A add eax, 2AC18000
:0045E94A 6880969800 push 00989680
:0045E94F 81D1214E62FE adc ecx, FE624E21
:0045E955 51 push ecx
:0045E956 50 push eax
:0045E957 E864990000 call 004682C0
:0045E95C 8B4D08 mov ecx, dword ptr [ebp+08]
:0045E95F 85C9 test ecx, ecx
:0045E961 7405 je 0045E968
:0045E963 8901 mov dword ptr [ecx], eax
:0045E965 895104 mov dword ptr [ecx+04], edx
:0045E968 C9 leave
:0045E969 C3 ret
另一处是:
:00462DB3 55 push ebp
:00462DB4 8BEC mov ebp, esp
:00462DB6 83EC10 sub esp, 00000010
:00462DB9 A1745A4A00 mov eax, dword ptr [004A5A74]
:00462DBE 8365F800 and dword ptr [ebp-08], 00000000
:00462DC2 8365FC00 and dword ptr [ebp-04], 00000000
:00462DC6 53 push ebx
:00462DC7 57 push edi
:00462DC8 BF4EE640BB mov edi, BB40E64E
:00462DCD 3BC7 cmp eax, edi
:00462DCF BB0000FFFF mov ebx, FFFF0000
:00462DD4 740D je 00462DE3
:00462DD6 85C3 test ebx, eax
:00462DD8 7409 je 00462DE3
:00462DDA F7D0 not eax
:00462DDC A3785A4A00 mov dword ptr [004A5A78], eax
:00462DE1 EB60 jmp 00462E43
:00462DE3 56 push esi
:00462DE4 8D45F8 lea eax, dword ptr [ebp-08]
:00462DE7 50 push eax
* Reference To: KERNEL32.GetSystemTimeAsFileTime, Ord:01CAh
|
:00462DE8 FF1518714700 Call dword ptr [00477118]
:00462DEE 8B75FC mov esi, dword ptr [ebp-04]
:00462DF1 3375F8 xor esi, dword ptr [ebp-08]
* Reference To: KERNEL32.GetCurrentProcessId, Ord:0143h
|
:00462DF4 FF1564724700 Call dword ptr [00477264]
:00462DFA 33F0 xor esi, eax
* Reference To: KERNEL32.GetCurrentThreadId, Ord:0146h
|
:00462DFC FF1598724700 Call dword ptr [00477298]
:00462E02 33F0 xor esi, eax
* Reference To: KERNEL32.GetTickCount, Ord:01DFh
|
:00462E04 FF15D0714700 Call dword ptr [004771D0]
:00462E0A 33F0 xor esi, eax
:00462E0C 8D45F0 lea eax, dword ptr [ebp-10]
:00462E0F 50 push eax
* Reference To: KERNEL32.QueryPerformanceCounter, Ord:02A3h
|
:00462E10 FF1574714700 Call dword ptr [00477174]
:00462E16 8B45F4 mov eax, dword ptr [ebp-0C]
:00462E19 3345F0 xor eax, dword ptr [ebp-10]
:00462E1C 33F0 xor esi, eax
:00462E1E 3BF7 cmp esi, edi
:00462E20 7507 jne 00462E29
:00462E22 BE4FE640BB mov esi, BB40E64F
:00462E27 EB0B jmp 00462E34
:00462E29 85F3 test ebx, esi
:00462E2B 7507 jne 00462E34
:00462E2D 8BC6 mov eax, esi
:00462E2F C1E010 shl eax, 10
:00462E32 0BF0 or esi, eax
:00462E34 8935745A4A00 mov dword ptr [004A5A74], esi
:00462E3A F7D6 not esi
:00462E3C 8935785A4A00 mov dword ptr [004A5A78], esi
:00462E42 5E pop esi
:00462E43 5F pop edi
:00462E44 5B pop ebx
:00462E45 C9 leave
:00462E46 C3 ret
从这两处代码都可以看到,有足够的代码空间执行设想中的对寄存器赋值操作。
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
