I packed a file and found that it has a self-check.
I looked at the following code:
* Reference to: kernel32.GetFileSize()
|
00404027 E8D4F7FFFF call 00403800
0040402C 8BF0 mov esi, eax
0040402E 2B35C8674000 sub esi, dword ptr [$004067C8]
00404034 2B35CC674000 sub esi, dword ptr [$004067CC]
0040403A 85F6 test esi, esi
0040403C 751C jnz 0040405A
0040403E 6A10 push $10
* Possible String Reference to: 'CFG'
|
00404040 68A8464000 push $004046A8
* Possible String Reference to: 'This program must be installed in o
| rder to run'
|
00404045 6874464000 push $00404674
I changed the jnz to jmp,
but found that the program still would not run. Later I found there are 5 self-check locations and changed all of them. With the first four changed, it was still the 5th self-check that reported the error, but once I also changed the 5th self-check,
that is, changed the jz below to jmp,
* Reference to: kernel32.ReadFile()
|
0040408A E8C1F7FFFF call 00403850
0040408F A18C674000 mov eax, dword ptr [$0040678C]
00404094 813847333534 cmp dword ptr [eax], $34353347
0040409A 741C jz 004040B8
the unpacked file runs, but after packing it pops up an error saying the address pointed to by 004040CF cannot be "read"..
004040B8 8B0D90674000 mov ecx, [$00406790]
004040BE 83E904 sub ecx, +$04
004040C1 8B158C674000 mov edx, [$0040678C] (I don't know what address this becomes after packing)
004040C7 01CA add edx, ecx
004040C9 83E904 sub ecx, +$04
004040CC 83EA01 sub edx, +$01
004040CF 8B02 mov eax, [edx] (this is where the error occurs)
004040D1 C1C802 ror eax, $02
004040D4 8902 mov [edx], eax
004040D6 E2F4 loop -$0C
Hoping an expert can help; you can ask me for the file :) Thanks. My QQ: 437801769
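The three stages visible in the listings above (compare GetFileSize() against two stored words, compare the first dword of the ReadFile() buffer against $34353347, then decode the buffer with ror eax, 2 in a loop) reconstructed in C as an added example; this is not code from the post or from the program being discussed. The function and constant names are constructed, the two stored size words are modelled as plain parameters, a little-endian host is assumed, and the decode loop is simplified to non-overlapping dwords after the magic rather than the overlapping backward walk the listing performs. It shows why a self-check that ties the file size to constants baked into the image necessarily fails once the file grows, which is what a packer does to it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcomes of the check stages (constructed for this example). */
enum check_result { CHECK_OK = 0, CHECK_BAD_SIZE = 1, CHECK_BAD_MAGIC = 2 };

/* 0x34353347 stored little-endian is the bytes 'G','3','5','4'. */
#define MAGIC_DWORD 0x34353347u

/* Stage 1: file size minus the two stored words must be zero
 * (mirrors the sub/sub/test on [$004067C8] and [$004067CC]). */
static int size_check(uint32_t actual_size, uint32_t stored_a, uint32_t stored_b) {
    return (actual_size - stored_a - stored_b) == 0;
}

/* Stage 2: first dword of the buffer ReadFile() filled must be the magic. */
static int magic_check(const uint8_t *buf, size_t len) {
    uint32_t first;
    if (len < 4) return 0;
    memcpy(&first, buf, 4);            /* little-endian host assumed, as on x86 */
    return first == MAGIC_DWORD;
}

static uint32_t ror32(uint32_t v, unsigned n) {
    return (v >> n) | (v << (32 - n));
}

/* Stage 3: "ror eax, 2" over the payload; simplified to whole dwords after the magic. */
static void decode_payload(uint8_t *buf, size_t len) {
    for (size_t off = 4; off + 4 <= len; off += 4) {
        uint32_t v;
        memcpy(&v, buf + off, 4);
        v = ror32(v, 2);
        memcpy(buf + off, &v, 4);
    }
}

/* Runs the stages in the order the listing does. Only a passing check decodes. */
enum check_result self_check(uint8_t *buf, size_t len, uint32_t stored_a, uint32_t stored_b) {
    if (!size_check((uint32_t)len, stored_a, stored_b)) return CHECK_BAD_SIZE;
    if (!magic_check(buf, len)) return CHECK_BAD_MAGIC;
    decode_payload(buf, len);
    return CHECK_OK;
}

/* Constructed sample file: the magic followed by one dword that decodes to 0x12345678
 * (0x12345678 rotated left by 2 is 0x48D159E0, stored little-endian). */
#define SAMPLE_LEN 8
static const uint8_t SAMPLE_FILE[SAMPLE_LEN] = { 'G','3','5','4', 0xE0,0x59,0xD1,0x48 };

/* Intact file: sizes add up (4 + 4), magic present; returns the decoded dword, 0 on failure. */
uint32_t demo_intact_decoded(void) {
    uint8_t copy[SAMPLE_LEN];
    uint32_t v;
    memcpy(copy, SAMPLE_FILE, SAMPLE_LEN);
    if (self_check(copy, SAMPLE_LEN, 4, 4) != CHECK_OK) return 0;
    memcpy(&v, copy + 4, 4);
    return v;
}

/* Same content with 16 bytes appended, as a packer would grow the file: stage 1 fails. */
enum check_result demo_grown_file(void) {
    uint8_t grown[SAMPLE_LEN + 16];
    memcpy(grown, SAMPLE_FILE, SAMPLE_LEN);
    memset(grown + SAMPLE_LEN, 0, 16);
    return self_check(grown, sizeof grown, 4, 4);
}

/* Right size but the first dword altered: stage 2 fails. */
enum check_result demo_bad_magic(void) {
    uint8_t copy[SAMPLE_LEN];
    memcpy(copy, SAMPLE_FILE, SAMPLE_LEN);
    copy[0] = 'X';
    return self_check(copy, SAMPLE_LEN, 4, 4);
}

int main(void) {
    printf("intact: decoded 0x%08X\n", demo_intact_decoded());
    printf("grown file: result %d (1 = bad size)\n", (int)demo_grown_file());
    printf("bad magic: result %d (2 = bad magic)\n", (int)demo_bad_magic());
    return 0;
}
```

The point for anyone reading such a listing: the size constants and the magic live inside the image, so any change to the file's length (a packer stub, an appended section) trips stage 1 before the program ever reaches the decode loop, and the decode loop itself only makes sense on the original file layout.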