【Target】: QQ Chinese chess score-boosting cheat
【Tools】: flyodbg1.1, Keymake2.0, network firewall
【Task】: memory keygen, memory patch
【Platform】: Windows XP SP2
【Level】: beginner
【Author】: hcfhcf
【Related links】: google
【Summary】: QQ Chinese chess score-boosting cheat; UPX packer + self-check + online verification. When the program starts it pops up a registration window and does a plaintext comparison. The trial version plays 10 games and is slow; the full version has no limit.
Checked with FI: it is UPX, version unknown. Trace through it by hand.
...
0043A890 FF96 94040400 call dword ptr ds:[esi+40494]
0043A896 09C0 or eax,eax
0043A898 74 07 je short chess.0043A8A1
0043A89A 8903 mov dword ptr ds:[ebx],eax
0043A89C 83C3 04 add ebx,4
0043A89F ^ EB D8 jmp short chess.0043A879
0043A8A1 FF96 98040400 call dword ptr ds:[esi+40498]
0043A8A7 61 popad UPX stub ends here
0043A8A8 - E9 0BC9FCFF jmp chess.004071B8 jumps to the program entry point
004071B8 6A 60 push 60 arrived here from the jump above: program entry point. Press F9 to run and the registration window appears.
004071BA 68 A8294200 push chess.004229A8
004071BF E8 EC0A0000 call chess.00407CB0
004071C4 BF 94000000 mov edi,94
004071C9 8BC7 mov eax,edi
004071CB E8 B0FBFFFF call chess.00406D80
004071D0 8965 E8 mov dword ptr ss:[ebp-18],esp
004071D3 8BF4 mov esi,esp
004071D5 893E mov dword ptr ds:[esi],edi
004071D7 56 push esi
004071D8 FF15 80024200 call dword ptr ds:[420280] ; kernel32.GetVersionExA
004071DE 8B4E 10 mov ecx,dword ptr ds:[esi+10]
004071E1 890D 08BA4200 mov dword ptr ds:[42BA08],ecx
004071E7 8B46 04 mov eax,dword ptr ds:[esi+4]
004071EA A3 14BA4200 mov dword ptr ds:[42BA14],eax
004071EF 8B56 08 mov edx,dword ptr ds:[esi+8]
004071F2 8915 18BA4200 mov dword ptr ds:[42BA18],edx
004071F8 8B76 0C mov esi,dword ptr ds:[esi+C]
004071FB 81E6 FF7F0000 and esi,7FFF
00407201 8935 0CBA4200 mov dword ptr ds:[42BA0C],esi
00407207 83F9 02 cmp ecx,2
0040720A 74 0C je short chess.00407218
0040720C 81CE 00800000 or esi,8000
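As an added illustration (not code from the post or from the cheat's author), the Python script below reads the UPX signs that FI reports straight from the PE section table: UPX-named sections, a hollow first section with no bytes on disk that the stub fills at run time, and an entry point that sits in a later section (the decompression stub at 0043A890 above) rather than in the first code section. The two PE images it analyses are constructed inside the script, modelled on the addresses in this post with an assumed 00400000 image base, not extracted from the cheat.

```python
import struct

SCN_MEM_EXECUTE = 0x20000000   # IMAGE_SCN_MEM_EXECUTE
SCN_MEM_WRITE = 0x80000000     # IMAGE_SCN_MEM_WRITE
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(sections, entry_rva):
    """Construct a headers-only PE32 image for offline testing (no real code inside).
    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics)."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)               # e_lfanew -> PE signature
    opt = bytearray(0xE0)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, rsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": fields[1], "vaddr": fields[2], "rsize": fields[3], "chars": fields[9],
        })
    return entry_rva, sections


def analyze_upx(data):
    """Collect the section-table indicators a UPX-packed image leaves behind."""
    entry_rva, sections = parse_pe(data)
    upx_named = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    # UPX0 style: zero bytes on disk but a large writable + executable region;
    # the stub decompresses the original code into it at run time.
    hollow_idx = [i for i, s in enumerate(sections)
                  if s["rsize"] == 0 and s["vsize"] > 0
                  and s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE]
    entry_idx = next((i for i, s in enumerate(sections)
                      if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    # Entry point in a section after the hollow one: that is the decompression
    # stub, not the original entry point the stub's final jmp lands on.
    stub_entry = bool(hollow_idx) and entry_idx is not None and entry_idx > hollow_idx[0]
    return {
        "upx_named_sections": upx_named,
        "hollow_sections": [sections[i]["name"] for i in hollow_idx],
        "entry_section": sections[entry_idx]["name"] if entry_idx is not None else None,
        "verdict": bool(upx_named) or stub_entry,
    }


# Constructed samples (assumed 00400000 image base): the packed layout puts the
# entry at RVA 0x3A890, i.e. the 0043A890 stub in the post; the clean layout puts
# it at RVA 0x71B8, the 004071B8 entry reached after the stub's popad/jmp.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", 0x30000, 0x01000, 0x0000, 0xE0000080),
    (b"UPX1", 0x10000, 0x31000, 0xF000, 0xE0000040),
    (b".rsrc", 0x1000, 0x41000, 0x1000, 0xC0000040),
], entry_rva=0x3A890)

CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0x20000, 0x01000, 0x20000, 0x60000020),
    (b".rdata", 0x8000, 0x21000, 0x8000, 0x40000040),
    (b".data", 0x4000, 0x29000, 0x1000, 0xC0000040),
], entry_rva=0x71B8)

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, analyze_upx(img))
```

The name check alone is easy to defeat by renaming sections, which is why the hollow-section and entry-point heuristics are kept separately in the result: a renamed UPX image still shows a zero-raw-size writable code section followed by an entry point outside it.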
Press F9 to run; the program shows its registration window. Set a breakpoint with bpx GetWindowTextA, enter the trial code 78787878 and click OK.
OD breaks:
0041B07E FF15 00044200 call dword ptr ds:[420400] ; USER32.GetWindowTextA
0041B084 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
0041B087 6A FF push -1
0041B089 E8 ED9BFEFF call chess.00404C7B
0041B08E EB 0B jmp short chess.0041B09B
0041B090 8B45 10 mov eax,dword ptr ss:[ebp+10]
0041B093 FF30 push dword ptr ds:[eax]
0041B095 56 push esi
0041B096 E8 09FBFFFF call chess.0041ABA4
0041B09B 5F pop edi
0041B09C 5E pop esi
0041B09D 5D pop ebp
...
Set a breakpoint with BPX 00403963 (pointed out by xiaoxiao, an expert in our group; I couldn't find it myself, frustrating).
Press F9 twice and the program breaks at 00403963.
00403963 E8 68EBFFFF call chess.004024D0 step into this; the registration code is compared inside
00403968 83C4 04 add esp,4
0040396B 84C0 test al,al
0040396D 53 push ebx
0040396E 8BCE mov ecx,esi
00403970 53 push ebx
00403971 75 13 jnz short chess.00403986
00403973 68 280D4200 push chess.00420D28
00403978 E8 E9100100 call chess.00414A66
0040397D C605 A0994200 0>mov byte ptr ds:[4299A0],0
00403984 ^ EB B0 jmp short chess.00403936
00403986 68 DC0C4200 push chess.00420CDC
...
After stepping in, the code is as follows:
004024D0 6A FF push -1
004024D2 68 80EE4100 push chess.0041EE80
004024D7 64:A1 00000000 mov eax,dword ptr fs:[0]
004024DD 50 push eax
004024DE 64:8925 0000000>mov dword ptr fs:[0],esp
004024E5 83EC 18 sub esp,18
004024E8 55 push ebp
004024E9 33ED xor ebp,ebp
004024EB 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004024EF 896C24 24 mov dword ptr ss:[esp+24],ebp
004024F3 E8 D8F7FFFF call chess.00401CD0
004024F8 8BC8 mov ecx,eax
004024FA E8 21F3FFFF call chess.00401820
...
0040270C 83F8 5A cmp eax,5A
0040270F 7F 09 jg short chess.0040271A
00402711 83F8 41 cmp eax,41
00402714 7C 04 jl short chess.0040271A
00402716 FEC2 inc dl
00402718 8ADA mov bl,dl
0040271A 8B5424 18 mov edx,dword ptr ss:[esp+18]
0040271E 8B42 FC mov eax,dword ptr ds:[edx-4]
00402721 8B7A F4 mov edi,dword ptr ds:[edx-C]
00402724 B9 01000000 mov ecx,1
00402729 2BC8 sub ecx,eax
0040272B 8B42 F8 mov eax,dword ptr ds:[edx-8]
0040272E 8D77 01 lea esi,dword ptr ds:[edi+1]
00402731 2BC6 sub eax,esi
00402733 0BC1 or eax,ecx
00402735 7D 0E jge short chess.00402745
00402737 56 push esi
00402738 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040273C E8 7FEDFFFF call chess.004014C0
00402741 8B5424 18 mov edx,dword ptr ss:[esp+18]
00402745 85F6 test esi,esi
00402747 881C17 mov byte ptr ds:[edi+edx],bl
0040274A 7C 71 jl short chess.004027BD
0040274C 3B72 F8 cmp esi,dword ptr ds:[edx-8]
0040274F 7F 6C jg short chess.004027BD
00402751 8B4424 1C mov eax,dword ptr ss:[esp+1C]
00402755 8972 F4 mov dword ptr ds:[edx-C],esi
00402758 83C0 F0 add eax,-10
0040275B C60416 00 mov byte ptr ds:[esi+edx],0
0040275F C64424 30 02 mov byte ptr ss:[esp+30],2
00402764 8D50 0C lea edx,dword ptr ds:[eax+C]
00402767 83C9 FF or ecx,FFFFFFFF
0040276A F0:0FC10A lock xadd dword ptr ds:[edx],ecx
0040276E 49 dec ecx
0040276F 85C9 test ecx,ecx
00402771 7F 08 jg short chess.0040277B
00402773 8B08 mov ecx,dword ptr ds:[eax]
00402775 8B11 mov edx,dword ptr ds:[ecx]
00402777 50 push eax
00402778 FF52 04 call dword ptr ds:[edx+4]
0040277B 8B5424 14 mov edx,dword ptr ss:[esp+14]
0040277F 8B42 F4 mov eax,dword ptr ds:[edx-C]
00402782 45 inc ebp
00402783 3BE8 cmp ebp,eax
00402785 ^ 0F8C 25FEFFFF jl chess.004025B0
0040278B 8B7C24 18 mov edi,dword ptr ss:[esp+18] this is the real registration code
0040278F 8B7424 38 mov esi,dword ptr ss:[esp+38] this is the trial code
At this point we have the registration code. If you are interested, you can write a memory keygen that reads it directly at 0040278B and captures the registration code.
Run again, print the registration code, and registration succeeds. But a keygen written this way no longer runs once it is moved to a different folder. Why?
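As an added illustration of the design point behind this crack (not code from the post or from the cheat's author), the Python below places the pattern the disassembly shows, a serial derived on the client and compared in plaintext, next to the pattern the cheat's online verification is meant to provide: a licence tag issued by a server that keeps the HMAC key, verified server-side in constant time, so the client never holds an expected value that a breakpoint at the compare could read. The derivation in derive_serial_locally is a stand-in I constructed, not the routine at 004024D0, and the server/client split is modelled in one process.

```python
import hashlib
import hmac
import secrets


# --- Pattern 1: the check seen in the disassembly, a local plaintext compare ---
def derive_serial_locally(username):
    """Constructed toy derivation standing in for the routine at 004024D0; the
    real algorithm is not described in the post and is not reproduced here."""
    digest = hashlib.sha1(username.encode("utf-8")).hexdigest()
    return digest[:16].upper()


def local_plaintext_check(username, user_input):
    # The expected serial exists as a plain string in memory right here, which
    # is exactly what a breakpoint at the compare (0040278B above) gets to read.
    expected = derive_serial_locally(username)
    return expected == user_input


# --- Pattern 2: server-issued licence, verified where the secret lives ---
class LicenceServer:
    """Issues and verifies licences; the HMAC key never leaves this side."""

    def __init__(self, secret=None):
        self._secret = secret or secrets.token_bytes(32)

    def _tag(self, username):
        return hmac.new(self._secret, username.encode("utf-8"), hashlib.sha256).hexdigest()

    def issue(self, username):
        return f"{username}:{self._tag(username)}"

    def verify(self, licence):
        # Server side: recompute the tag and compare in constant time.
        username, sep, tag = licence.rpartition(":")
        if not sep or not username:
            return False
        return hmac.compare_digest(self._tag(username).encode("utf-8"), tag.encode("utf-8"))


def client_activate(server, licence):
    # Client side: it holds neither the secret nor an expected value, so a memory
    # read at this point yields only the licence string the user typed.
    return server.verify(licence)


def demo():
    """Run both patterns on constructed inputs and report each outcome."""
    server = LicenceServer()
    good = server.issue("alice")
    forged_user = "bob" + good[good.index(":"):]               # alice's tag, bob's name
    flipped = good[:-1] + ("0" if good[-1] != "0" else "1")   # one hex digit changed
    return {
        "local_passes_with_derived_value": local_plaintext_check("alice", derive_serial_locally("alice")),
        "server_accepts_issued": client_activate(server, good),
        "server_rejects_forged_user": client_activate(server, forged_user),
        "server_rejects_flipped_tag": client_activate(server, flipped),
        "server_rejects_malformed": client_activate(server, "no-separator"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first pattern is what makes a memory keygen possible: the program itself materialises the correct serial before comparing it. In the second pattern nothing on the client can be read or patched into a valid licence, because validity is decided by a key the client never has; what a local patch can still do is skip the call, which is why such checks are paired with a self-check of the code.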