小弟我练手,但是情况很悲催。废话少说,上脱文~~
壳很简单,一个esp定律脱得一干二净。接下来我就悲催了。
我先按照错误的运行一次。
这个软件有中文的错误提示，就从错误提示开始下断吧。
7346CF7E > 55 push ebp ; (初始 cpu 选择)
7346CF7F 8BEC mov ebp,esp
7346CF81 83EC 4C sub esp,4C
7346CF84 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
7346CF87 53 push ebx
7346CF88 56 push esi
7346CF89 57 push edi
7346CF8A 66:8339 0A cmp word ptr ds:[ecx],0A
7346CF8E B8 04000280 mov eax,80020004
7346CF93 0F85 FC000000 jnz MSVBVM60.7346D095 ; 跳出去~
7346CF99 3941 08 cmp dword ptr ds:[ecx+8],eax
7346CF9C 0F85 F3000000 jnz MSVBVM60.7346D095 ; 同上
7346CFA2 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
7346CFA6 33F6 xor esi,esi
7346CFA8 8B4D 18 mov ecx,dword ptr ss:[ebp+18]
7346CFAB 66:8339 0A cmp word ptr ds:[ecx],0A
7346CFAF 0F85 EA000000 jnz MSVBVM60.7346D09F
7346CFB5 3941 08 cmp dword ptr ds:[ecx+8],eax
7346CFB8 0F85 E1000000 jnz MSVBVM60.7346D09F ; 先改
7346CFBE 834D F8 FF or dword ptr ss:[ebp-8],FFFFFFFF
7346CFC2 8B7D 10 mov edi,dword ptr ss:[ebp+10]
7346CFC5 66:833F 0A cmp word ptr ds:[edi],0A
7346CFC9 0F85 D8000000 jnz MSVBVM60.7346D0A7 ; 改
7346CFCF 3947 08 cmp dword ptr ds:[edi+8],eax
7346CFD2 0F85 CF000000 jnz MSVBVM60.7346D0A7
7346CFD8 834D F4 FF or dword ptr ss:[ebp-C],FFFFFFFF
7346CFDC FF75 08 push dword ptr ss:[ebp+8]
7346CFDF 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
7346CFE2 8975 F0 mov dword ptr ss:[ebp-10],esi
7346CFE5 50 push eax
7346CFE6 E8 A5040000 call MSVBVM60.7346D490 ; 没发现~~
7346CFEB 8BD8 mov ebx,eax
7346CFED 8B45 DC mov eax,dword ptr ss:[ebp-24]
7346CFF0 8945 E8 mov dword ptr ss:[ebp-18],eax
7346CFF3 8B45 0C mov eax,dword ptr ss:[ebp+C]
7346CFF6 83E0 0F and eax,0F
7346CFF9 895D E4 mov dword ptr ss:[ebp-1C],ebx
7346CFFC 3C 05 cmp al,5
7346CFFE 7F 1C jg short MSVBVM60.7346D01C ; 改
7346D000 8B45 0C mov eax,dword ptr ss:[ebp+C]
7346D003 25 F0000000 and eax,0F0
7346D008 83F8 40 cmp eax,40
7346D00B 7F 0F jg short MSVBVM60.7346D01C
7346D00D 8B45 0C mov eax,dword ptr ss:[ebp+C]
7346D010 25 000F0000 and eax,0F00
7346D015 3D 00030000 cmp eax,300
7346D01A 7E 03 jle short MSVBVM60.7346D01F ; 改
7346D01C 8975 0C mov dword ptr ss:[ebp+C],esi
7346D01F 66:3975 F4 cmp word ptr ss:[ebp-C],si
7346D023 8B35 F4193973 mov esi,dword ptr ds:[<&OLEAUT32.#6>] ; OLEAUT32.SysFreeString
7346D029 0F84 80000000 je MSVBVM60.7346D0AF ; 改
7346D02F 8365 10 00 and dword ptr ss:[ebp+10],0
7346D033 8365 08 00 and dword ptr ss:[ebp+8],0
7346D037 33C0 xor eax,eax
7346D039 66:3945 FC cmp word ptr ss:[ebp-4],ax
7346D03D 0F84 A7000000 je MSVBVM60.7346D0EA ; 关键 条出去了
7346D043 66:3945 F8 cmp word ptr ss:[ebp-8],ax
7346D047 0F84 97000000 je MSVBVM60.7346D0E4 ; 还不信你不出来
7346D04D 8945 EC mov dword ptr ss:[ebp-14],eax
7346D050 33FF xor edi,edi
7346D052 8B55 E8 mov edx,dword ptr ss:[ebp-18]
7346D055 85D2 test edx,edx
7346D057 75 03 jnz short MSVBVM60.7346D05C ; 这个不用看了
7346D059 8D55 F0 lea edx,dword ptr ss:[ebp-10]
7346D05C 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
7346D05F 85C9 test ecx,ecx
7346D061 75 09 jnz short MSVBVM60.7346D06C
7346D063 66:394D F4 cmp word ptr ss:[ebp-C],cx
7346D067 75 03 jnz short MSVBVM60.7346D06C ; 很明显不是关键跳转
7346D069 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
7346D06C 6A 01 push 1
7346D06E 50 push eax
7346D06F 57 push edi
7346D070 FF75 0C push dword ptr ss:[ebp+C]
7346D073 51 push ecx
7346D074 52 push edx
7346D075 E8 E968F8FF call MSVBVM60.733F3963 这个 call 就是提示注册码错误的。因为错误提示有很多种，我改了那么多个跳转，每次都只是跳到另一个不同的错误 call，这个软件真行。
但是，我不知道怎么搜索这个提示。
无奈，我几乎把那一路往下的跳转和 call 都看过了，什么也没发现，菜鸟没办法，呵呵~~但是，功夫不负有心人~运气来了：我无聊就翻了翻 OD 右下角的注释，看到这么一段 UNICODE "113105110103108105110103"，难道这就是注册码？？？马上试试，哈哈，正确了，我晕死了。可能是我断错了地方，请大侠指点。