请教思路WaitForSingleObject
今天分析一软件发现与以前的不同,弄来弄去没有头绪了,只能求助于大家:
我跟进了一个注册的按钮事件内大概结构是:(VC程序,注册码是激活用户数数量)
。。。。
获取长度与假注册码
CALL
判断一个堆栈的值是否为0
真则跳 @A
给一个正确的提示资源ID
@A 给个错误的提示资源ID
。。。。
MessageBOX
进入CALL:( 我以为找到了关键CALL,但跟进去发现不对,
我的思路是判断他什么时候去写这个堆栈地址的值就是哪个处理的
最后反复测试在WaitForSingleObject前后下断发现是此API时改变了
栈内的值。 )
00421540 /$ 6A FF PUSH -1
00421542 |. 68 B3774700 PUSH OControl.004777B3 ; SE 处理程序安装
00421547 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0042154D |. 50 PUSH EAX
0042154E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00421555 |. 83EC 1C SUB ESP,1C
00421558 |. 53 PUSH EBX
00421559 |. 55 PUSH EBP
0042155A |. 56 PUSH ESI
0042155B |. 33DB XOR EBX,EBX
0042155D |. 57 PUSH EDI
0042155E |. 53 PUSH EBX
0042155F |. 8BF9 MOV EDI,ECX
00421561 |. 53 PUSH EBX
00421562 |. 6A 01 PUSH 1
00421564 |. 53 PUSH EBX
00421565 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
00421569 |. 897C24 20 MOV DWORD PTR SS:[ESP+20],EDI
0042156D |. E8 36ECFEFF CALL OControl.004101A8 ; ;;;;;;;;;;;;;;;;;;;;
00421572 |. 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+28]
00421576 |. 895C24 34 MOV DWORD PTR SS:[ESP+34],EBX
0042157A |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0042157E |. FF15 08934700 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentThreadId>] ; [GetCurrentThreadId
00421584 |. 6A 20 PUSH 20
00421586 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
0042158A |. E8 4EA50400 CALL OControl.0046BADD
0042158F |. 83C4 04 ADD ESP,4
00421592 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
00421596 |. 3BC3 CMP EAX,EBX
00421598 |. C64424 34 01 MOV BYTE PTR SS:[ESP+34],1
0042159D |. 74 10 JE SHORT OControl.004215AF
0042159F |. 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C]
004215A3 |. 51 PUSH ECX
004215A4 |. 8BC8 MOV ECX,EAX
004215A6 |. E8 85D8FFFF CALL OControl.0041EE30
004215AB |. 8BE8 MOV EBP,EAX
004215AD |. EB 02 JMP SHORT OControl.004215B1
004215AF |> 33ED XOR EBP,EBP
004215B1 |> 8BCD MOV ECX,EBP
004215B3 |. C64424 34 00 MOV BYTE PTR SS:[ESP+34],0
004215B8 |. E8 E3D8FFFF CALL OControl.0041EEA0
004215BD |. 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C]
004215C0 |. 3BC3 CMP EAX,EBX
004215C2 |. 76 2A JBE SHORT OControl.004215EE
004215C4 |. 8B7424 40 MOV ESI,DWORD PTR SS:[ESP+40]
004215C8 |. 3BF3 CMP ESI,EBX
004215CA |. 74 22 JE SHORT OControl.004215EE
004215CC |. 50 PUSH EAX
004215CD |. E8 0BA50400 CALL OControl.0046BADD
004215D2 |. 8B4D 1C MOV ECX,DWORD PTR SS:[EBP+1C]
004215D5 |. 8BD8 MOV EBX,EAX
004215D7 |. 8BD1 MOV EDX,ECX
004215D9 |. 8BFB MOV EDI,EBX
004215DB |. C1E9 02 SHR ECX,2
004215DE |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004215E0 |. 8BCA MOV ECX,EDX
004215E2 |. 83C4 04 ADD ESP,4
004215E5 |. 83E1 03 AND ECX,3
004215E8 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004215EA |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10]
004215EE |> 8B4424 48 MOV EAX,DWORD PTR SS:[ESP+48]
004215F2 |. 8B4C24 44 MOV ECX,DWORD PTR SS:[ESP+44]
004215F6 |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
004215FA |. 50 PUSH EAX ; /Arg7
004215FB |. 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C] ; |
004215FF |. 51 PUSH ECX ; |Arg6
00421600 |. 52 PUSH EDX ; |Arg5
00421601 |. 50 PUSH EAX ; |Arg4
00421602 |. 6A 03 PUSH 3 ; |Arg3 = 00000003
00421604 |. 53 PUSH EBX ; |Arg2
00421605 |. 55 PUSH EBP ; |Arg1
00421606 |. 8BCF MOV ECX,EDI ; |
00421608 |. E8 43FDFFFF CALL OControl.00421350 ; \OControl.00421350
0042160D |. 8BF0 MOV ESI,EAX
0042160F |. 83CB FF OR EBX,FFFFFFFF
00421612 |. 3BF3 CMP ESI,EBX
00421614 |. 74 77 JE SHORT OControl.0042168D
00421616 |. 8B4424 4C MOV EAX,DWORD PTR SS:[ESP+4C]
0042161A |. 85C0 TEST EAX,EAX
0042161C |. 75 31 JNZ SHORT OControl.0042164F
0042161E |. 8B4C24 50 MOV ECX,DWORD PTR SS:[ESP+50]
00421622 |. 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+28]
00421626 |. 51 PUSH ECX ; /Timeout
00421627 |. 52 PUSH EDX ; |hObject
00421628 |. FF15 34934700 CALL DWORD PTR DS:[<&KERNEL32.WaitForSingleObject>] ; \WaitForSingleObject
0042162E |. 85C0 TEST EAX,EAX
00421630 |. 75 53 JNZ SHORT OControl.00421685
00421632 |. 8B4424 44 MOV EAX,DWORD PTR SS:[ESP+44]
00421636 |. 8338 00 CMP DWORD PTR DS:[EAX],0
00421639 |> 895C24 34 MOV DWORD PTR SS:[ESP+34],EBX
0042163D |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
00421641 |. 74 52 JE SHORT OControl.00421695
00421643 |. E8 CEEBFEFF CALL OControl.00410216
00421648 |. B8 01000000 MOV EAX,1
0042164D |. EB 4D JMP SHORT OControl.0042169C
0042164F |> 8B5424 50 MOV EDX,DWORD PTR SS:[ESP+50]
00421653 |. 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28]
00421657 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
0042165B |. 52 PUSH EDX ; /Timeout
0042165C |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20] ; |
00421660 |. 6A 00 PUSH 0 ; |WaitForAll = FALSE
00421662 |. 50 PUSH EAX ; |pObjects
00421663 |. C74424 2C 000>MOV DWORD PTR SS:[ESP+2C],0 ; |
0042166B |. 6A 02 PUSH 2 ; |nObjects = 2
0042166D |. 894C24 30 MOV DWORD PTR SS:[ESP+30],ECX ; |
00421671 |. FF15 3C934700 CALL DWORD PTR DS:[<&KERNEL32.WaitForMultipleObjects>] ; \WaitForMultipleObjects
00421677 |. 83F8 01 CMP EAX,1
0042167A |. 75 09 JNZ SHORT OControl.00421685
0042167C |. 8B4C24 44 MOV ECX,DWORD PTR SS:[ESP+44]
00421680 |. 8339 00 CMP DWORD PTR DS:[ECX],0
00421683 |.^ EB B4 JMP SHORT OControl.00421639
00421685 |> 56 PUSH ESI ; /Arg1
00421686 |. 8BCF MOV ECX,EDI ; |
00421688 |. E8 53000000 CALL OControl.004216E0 ; \OControl.004216E0
0042168D |> 895C24 34 MOV DWORD PTR SS:[ESP+34],EBX
00421691 |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
00421695 |> E8 7CEBFEFF CALL OControl.00410216
0042169A |. 33C0 XOR EAX,EAX
0042169C |> 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
004216A0 |. 5F POP EDI
004216A1 |. 5E POP ESI
004216A2 |. 5D POP EBP
004216A3 |. 5B POP EBX
004216A4 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004216AB |. 83C4 28 ADD ESP,28
004216AE \. C2 1800 RETN 18
请问我接下来应该怎么跟下去?我查了一下API函数的说明,应该是等等事件啥的,有可能是给另外的线程去处理
了,然后由线程完成后产生一个事件。
光改跳是没有用的,,用户数还是没有变,只有跟进到他的处理注册码的代码分析才行
如果哪位高手熟悉的话请指导一下小弟!!!!
[招生]科锐逆向工程师培训(2025年3月11日实地,远程教学同时开班, 第52期)!
