[Old post] [Original] Patching an entry-level CrackMe

Posted on: 2012-5-8 19:37
http://bbs.pediy.com/showthread.php?t=146873 is the thread with the CrackMe to be patched. Unfortunately I am only a temporary member and cannot reply to you directly, so I am posting here to mark my entry into the field, heh. Is that a bit presumptuous? The attachment is the exe after my patch.
1. Set a breakpoint at 004014B4 |. E8 4CFBFFFF call 00401005; this line is the entry address into the console program.
00401494 |. 8B0D C0CC4200 mov ecx, dword ptr [42CCC0]
0040149A |. 890D C4CC4200 mov dword ptr [42CCC4], ecx
004014A0 |. 8B15 C0CC4200 mov edx, dword ptr [42CCC0]
004014A6 |. 52 push edx
004014A7 |. A1 B8CC4200 mov eax, dword ptr [42CCB8]
004014AC |. 50 push eax
004014AD |. 8B0D B4CC4200 mov ecx, dword ptr [42CCB4]
004014B3 |. 51 push ecx
004014B4 |. E8 4CFBFFFF call 00401005
004014B9 |. 83C4 0C add esp, 0C
004014BC |. 8945 E4 mov dword ptr [ebp-1C], eax
004014BF |. 8B55 E4 mov edx, dword ptr [ebp-1C]
004014C2 |. 52 push edx
004014C3 |. E8 B8030000 call 00401880
004014C8 |. 8B45 EC mov eax, dword ptr [ebp-14]
004014CB |. 8B08 mov ecx, dword ptr [eax]
004014CD |. 8B11 mov edx, dword ptr [ecx]
004014CF |. 8955 E0 mov dword ptr [ebp-20], edx
004014D2 |. 8B45 EC mov eax, dword ptr [ebp-14]
004014D5 |. 50 push eax
004014D6 |. 8B4D E0 mov ecx, dword ptr [ebp-20]
2. Single-step until you arrive here:
00401000 CC db CC
00401001 CC int3
00401002 CC int3
00401003 CC int3
00401004 CC int3
00401005 /$ E9 06000000 jmp 00401010
0040100A | CC int3
0040100B | CC int3
0040100C | CC int3
0040100D | CC int3
0040100E | CC int3
0040100F | CC int3
00401010 |> 55 push ebp
00401011 |. 8BEC mov ebp, esp
00401013 |. 83EC 64 sub esp, 64
00401016 |. 53 push ebx
00401017 |. 56 push esi
00401018 |. 57 push edi
00401019 |. 8D7D 9C lea edi, dword ptr [ebp-64]
0040101C |. B9 19000000 mov ecx, 19
00401021 |. B8 CCCCCCCC mov eax, CCCCCCCC
00401026 |. F3:AB rep stos dword ptr es:[edi]
00401028 |. 68 B8814200 push 004281B8
0040102D |. E8 DE020000 call 00401310
00401032 |. 83C4 04 add esp, 4
00401035 |. 68 40704200 push 00427040
0040103A |. E8 D1020000 call 00401310
0040103F |. 83C4 04 add esp, 4
00401042 |. 8D45 FC lea eax, dword ptr [ebp-4]
00401045 |. 50 push eax
00401046 |. 68 3C704200 push 0042703C ; ASCII "%d"
0040104B |. E8 60020000 call 004012B0
00401050 |. 83C4 08 add esp, 8
00401053 |. C745 F8 C8000>mov dword ptr [ebp-8], 0C8
0040105A |. C745 F4 2C010>mov dword ptr [ebp-C], 12C
00401061 |. 8B4D FC mov ecx, dword ptr [ebp-4]
00401064 |. 034D F8 add ecx, dword ptr [ebp-8]
00401067 |. 894D F0 mov dword ptr [ebp-10], ecx
0040106A |. 8B55 F8 mov edx, dword ptr [ebp-8]
0040106D |. 0355 F4 add edx, dword ptr [ebp-C]
00401070 |. 8955 EC mov dword ptr [ebp-14], edx
00401073 |. 8B45 FC mov eax, dword ptr [ebp-4]
00401076 |. 0345 F4 add eax, dword ptr [ebp-C]
00401079 |. 8945 E8 mov dword ptr [ebp-18], eax
0040107C |. 8B4D F0 mov ecx, dword ptr [ebp-10]
0040107F |. 83C1 32 add ecx, 32
00401082 |. 894D F0 mov dword ptr [ebp-10], ecx
00401085 |. 8B55 E8 mov edx, dword ptr [ebp-18]
00401088 |. 83EA 32 sub edx, 32
0040108B |. 8955 E8 mov dword ptr [ebp-18], edx
0040108E |. C745 E4 00000>mov dword ptr [ebp-1C], 0
00401095 |. C645 E0 4B mov byte ptr [ebp-20], 4B
00401099 |. C645 DC 4E mov byte ptr [ebp-24], 4E
0040109D |. 8B45 F8 mov eax, dword ptr [ebp-8]
004010A0 |. 3B45 F4 cmp eax, dword ptr [ebp-C]
004010A3 75 0D jnz short 004010B2 ; key jump
004010A5 |. 68 38704200 push 00427038 ; ASCII "NO"
004010AA |. E8 61020000 call 00401310
004010AF |. 83C4 04 add esp, 4
004010B2 |> 50 push eax
004010B3 |. 58 pop eax
004010B4 |. 51 push ecx
004010B5 |. 59 pop ecx
004010B6 |. B8 64000000 mov eax, 64
004010BB |. 05 C8000000 add eax, 0C8
004010C0 |. 2D E6000000 sub eax, 0E6
004010C5 |. 83C0 03 add eax, 3
004010C8 |. BB 04000000 mov ebx, 4
004010CD |. 03C3 add eax, ebx
004010CF |. 33C9 xor ecx, ecx
004010D1 |. 85C9 test ecx, ecx
004010D3 75 0D jnz short 004010E2 ; key jump
004010D5 |. 68 34704200 push 00427034 ; ASCII "OK"
004010DA |. E8 31020000 call 00401310
004010DF |. 83C4 04 add esp, 4
004010E2 |> 03C3 add eax, ebx
004010E4 |. BB 0A000000 mov ebx, 0A
004010E9 |. 40 inc eax
004010EA |. 43 inc ebx
004010EB |. 90 nop
004010EC |. 90 nop
Roughly, you can see that the part from 00401053 |. C745 F8 C8000>mov dword ptr [ebp-8], 0C8
to 004010A0 |. 3B45 F4 cmp eax, dword ptr [ebp-C]
is the algorithm's calculation. Since I had decided from the start to patch it, I did not bother with the algorithm.
004010A3 75 0D jnz short 004010B2 ; first key jump (this key jump needs to be modified)
004010D3 75 0D jnz short 004010E2 ; second key jump (this key jump does not need to be modified)
004010F7 74 28 jz short 00401121 ; third key jump (this key jump needs to be modified)
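An added example (not from the original post) that makes the analysis the poster skipped explicit: it decodes the three key jumps from the raw bytes in the listing and walks the arithmetic between 00401053 and 004010D3 for a given input, so you can see which branches actually depend on the input before touching anything. The addresses and bytes are those of the listing above; the opcode table and the frame-slot naming are my own conventions, and 0x4010F7 is assumed to carry the bytes 74 28 exactly as written in the post.

```python
# Short Jcc opcodes (0x70-0x7F) with OllyDbg-style mnemonics (subset, assumed).
JCC_SHORT = {0x74: "jz", 0x75: "jnz", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}
M32 = 0xFFFFFFFF


def decode_jcc_short(addr, opcode, rel8):
    """Return (mnemonic, target) for a two-byte Jcc rel8 located at addr."""
    if opcode not in JCC_SHORT:
        raise ValueError(f"{opcode:02X} is not a short Jcc opcode")
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8          # sign-extend rel8
    return JCC_SHORT[opcode], (addr + 2 + disp) & M32     # target = next ip + disp


# The three "key jumps" from the post: (address, opcode byte, rel8 byte).
KEY_JUMPS = [(0x004010A3, 0x75, 0x0D), (0x004010D3, 0x75, 0x0D), (0x004010F7, 0x74, 0x28)]


def key_jump_targets():
    """Decode every key jump; the third one is a jz (74), not a jnz (75)."""
    return [decode_jcc_short(a, op, rel) for a, op, rel in KEY_JUMPS]


def trace_check(user_input):
    """Walk 00401053..004010D3 with the frame slots named by their ebp offsets.

    Returns the branch outcomes plus the frame, which shows that the two
    visible comparisons never read the input: they only touch the constants.
    """
    f = {}
    f[-0x4] = user_input & M32                      # scanf("%d") result
    f[-0x8] = 0xC8                                  # 200
    f[-0xC] = 0x12C                                 # 300
    f[-0x10] = (f[-0x4] + f[-0x8]) & M32            # input + 200
    f[-0x14] = (f[-0x8] + f[-0xC]) & M32            # 500
    f[-0x18] = (f[-0x4] + f[-0xC]) & M32            # input + 300
    f[-0x10] = (f[-0x10] + 0x32) & M32              # input + 250
    f[-0x18] = (f[-0x18] - 0x32) & M32              # input + 250
    f[-0x1C] = 0
    f[-0x20] = 0x4B                                 # 'K'
    f[-0x24] = 0x4E                                 # 'N'
    # 0040109D..004010A3: cmp [ebp-8], [ebp-C]; jnz skips the "NO" print
    jump1_taken = f[-0x8] != f[-0xC]
    # 004010B6..004010D3: eax = 0x64 + 0xC8 - 0xE6 + 3 + ebx(4); ecx = 0; test ecx, ecx
    eax = (0x64 + 0xC8 - 0xE6 + 3 + 4) & M32
    ecx = 0
    jump2_taken = ecx != 0                          # never taken, so "OK" is printed
    return {"no_skipped": jump1_taken, "ok_printed": not jump2_taken,
            "eax": eax, "frame": f}
```

Running trace_check with any input gives the same branch outcomes, which is why the decision the poster cares about must lie beyond the listing shown, at the third key jump.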