软件大小: 3706 KB
软件语言: 英文
软件类别: 国外软件 / 共享版 / 网络编程
应用平台: Win9x/NT/2000/XP
界面预览:
加入时间: 2005-10-26 09:39:22
下载次数: 81274
推荐等级: 投诉
联 系 人: support@jcreator.com
开 发 商:
ccaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3A6U0M7X3g2S2N6r3!0J5i4K6u0W2j5$3!0E0i4K6u0r3
JCreator 是一个Java程序开发工具,无论你是要开发Java应用程序或者网页上的Applet元件都难不倒它。在功能上与Sun公司所公布的JDK等文字模式程序工具相较之下来得容易操作,还允许使用者自订义操作窗口界面及无限Undo /Redo等功能。
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDBD、PEiD、LordPE、ImportREC、ArmInline
老规矩忽略所有异常,在添加以下几个:
C0000005(ACCESS VIOLATION)
C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE)
C0000096(PRIVILEGED INSTRUCTION)
用OD载入,先下OpenMutexA断点shift+F9运行
77E62391 > 55 PUSH EBP
77E62392 8BEC MOV EBP,ESP
77E62394 51 PUSH ECX
77E62395 51 PUSH ECX
77E62396 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
77E6239A 56 PUSH ESI
77E6239B 0F84 C2E30100 JE kernel32.77E80763
77E623A1 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77E623A7 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77E623AA 8DB0 F80B0000 LEA ESI,DWORD PTR DS:[EAX+BF8]
看堆栈
0012D784 008BC418 /CALL 到 OpenMutexA 来自 JCreatorV.008BC412
0012D788 001F0001 |Access = 1F0001
0012D78C 00000000 |Inheritable = FALSE
0012D790 0012DDC4 \MutexName = "218:ABE688952"
CTRL+G 401000
00401000 60 PUSHAD
00401001 9C PUSHFD
00401002 68 C4DD1200 PUSH 12DDC4 ; ASCII "218:ABE688952"
00401007 33C0 XOR EAX,EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 B5A6A577 CALL kernel32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012 - E9 7A13A677 JMP kernel32.OpenMutexA
60 9C 68 C4 DD 12 00 33 C0 50 50 E8 B5 A6 A5 77 9D 61 E9 7A 13 A6 77
在401000处新建起源,右键-》此处新建EIP
F9运行,再次中断在OpenMutexA处,取消断点。
再次Ctrl+G 401000
撤消刚才做的选择,右键-》撤消选择
BP OutputDebugStringA
F9运行
77E749B7 > 68 2C020000 PUSH 22C
77E749BC 68 8853E777 PUSH kernel32.77E75388
77E749C1 E8 1259FEFF CALL kernel32.77E5A2D8
77E749C6 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
77E749CA 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
看堆栈
0012CD98 01373CBB /CALL 到 OutputDebugStringA 来自 01373CB5
0012CD9C 0012D5E4 \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
转到数据窗口 2进 00添
f9
看堆栈
0012CD98 0137425A /CALL 到 OutputDebugStringA 来自 01374254
0012CD9C 0012D5E4 \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
转到数据窗口 2进 00添
bp GetModuleHandleA ,f9
77E5AD86 > 837C24 04 00 CMP DWORD PTR SS:[ESP+4],0//取消断点
77E5AD8B 0F84 37010000 JE kernel32.77E5AEC8 //F2下断
77E5AD91 FF7424 04 PUSH DWORD PTR SS:[ESP+4]
77E5AD95 E8 F8050000 CALL kernel32.77E5B392
77E5AD9A 85C0 TEST EAX,EAX
77E5AD9C 74 08 JE SHORT kernel32.77E5ADA6
77E5AD9E FF70 04 PUSH DWORD PTR DS:[EAX+4]
77E5ADA1 E8 27060000 CALL kernel32.GetModuleHandleW
运行看堆栈
00127A6C 013751E0 返回到 013751E0 来自 kernel32.GetModuleHandleA
00127A70 01388BAC ASCII "kernel32.dll"
00127A74 01389CC4 ASCII "VirtualAlloc"
00127A78 0138C8D8
00127A7C 77F75690 ntdll.RtlLeaveCriticalSection
00127A6C 013751FD 返回到 013751FD 来自 kernel32.GetModuleHandleA
00127A70 01388BAC ASCII "kernel32.dll"
00127A74 01389CB8 ASCII "VirtualFree"
00127A78 0138C8D8
00127A7C 77F75690 ntdll.RtlLeaveCriticalSection
00127A80 00000000
001277D0 01364E69 返回到 01364E69 来自 kernel32.GetModuleHandleA
001277D4 00127920 ASCII "kernel32.dll"
取消断点alt+f9返回
01364E69 8B0D AC0D3901 MOV ECX,DWORD PTR DS:[1390DAC]
01364E6F 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01364E72 A1 AC0D3901 MOV EAX,DWORD PTR DS:[1390DAC]
01364E77 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
01364E7A 75 16 JNZ SHORT 01364E92
01364E7C 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
01364E82 50 PUSH EAX
01364E83 FF15 B4323801 CALL DWORD PTR DS:[13832B4] ; kernel32.LoadLibraryA
01364E89 8B0D AC0D3901 MOV ECX,DWORD PTR DS:[1390DAC]
01364E8F 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01364E92 A1 AC0D3901 MOV EAX,DWORD PTR DS:[1390DAC]
01364E97 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
01364E9A 0F84 2F010000 JE 01364FCF//修改为jmp
01364EA0 33C9 XOR ECX,ECX
01364EA2 8B07 MOV EAX,DWORD PTR DS:[EDI]
01364EA4 3918 CMP DWORD PTR DS:[EAX],EBX
01364EA6 74 06 JE SHORT 01364EAE
he VirtualAlloc
77E5AC72 > 55 PUSH EBP
77E5AC73 8BEC MOV EBP,ESP
77E5AC75 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77E5AC78 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77E5AC7B FF75 0C PUSH DWORD PTR SS:[EBP+C]
77E5AC7E FF75 08 PUSH DWORD PTR SS:[EBP+8]
77E5AC81 6A FF PUSH -1
77E5AC83 E8 9CFFFFFF CALL kernel32.VirtualAllocEx
001270B4 6A281D17 /CALL 到 VirtualAlloc 来自 6A281D15
001270B8 00000000 |Address = NULL
001270BC 00400000 |Size = 400000 (4194304.)
001270C0 00002000 |AllocationType = MEM_RESERVE
001270C4 00000004 \Protect = PAGE_READWRITE
ALT+F9,F9
6A281D17 8BF0 MOV ESI,EAX
6A281D19 85F6 TEST ESI,ESI
6A281D1B 0F84 F56B0400 JE 6A2C8916
6A281D21 6A 04 PUSH 4
6A281D23 68 00100000 PUSH 1000
6A281D28 68 00000100 PUSH 10000 ; UNICODE "=::=::\"
6A281D2D 56 PUSH ESI
6A281D2E FFD7 CALL EDI
6A281D30 85C0 TEST EAX,EAX
6A281D32 0F84 D06B0400 JE 6A2C8908
001270C8 00000000
001270CC 00000001
001270D0 /00127118
001270D4 |6A281CDD 返回到 6A281CDD 来自 6A281CEB
001270D8 |6A281BDE 返回到 6A281BDE 来自 6A281CBC
001270DC |6A281B60 返回到 6A281B60 来自 6A281B8C
ALT+F9,F9
77E5AC72 > 55 PUSH EBP
77E5AC73 8BEC MOV EBP,ESP
77E5AC75 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77E5AC78 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77E5AC7B FF75 0C PUSH DWORD PTR SS:[EBP+C]
77E5AC7E FF75 08 PUSH DWORD PTR SS:[EBP+8]
77E5AC81 6A FF PUSH -1
77E5AC83 E8 9CFFFFFF CALL kernel32.VirtualAllocEx
001270B4 6A281D30 /CALL 到 VirtualAlloc 来自 6A281D2E
001270B8 02210000 |Address = 02210000
001270BC 00010000 |Size = 10000 (65536.)
001270C0 00001000 |AllocationType = MEM_COMMIT
001270C4 00000004 \Protect = PAGE_READWRITE
6A281D30 85C0 TEST EAX,EAX
6A281D32 0F84 D06B0400 JE 6A2C8908
6A281D38 81FD 30C0386A CMP EBP,6A38C030
6A281D3E 0F85 A46B0400 JNZ 6A2C88E8
6A281D44 A1 30C0386A MOV EAX,DWORD PTR DS:[6A38C030]
6A281D49 85C0 TEST EAX,EAX
6A281D4B 0F84 796B0400 JE 6A2C88CA
6A281D51 A1 34C0386A MOV EAX,DWORD PTR DS:[6A38C034]
6A281D56 85C0 TEST EAX,EAX
6A281D58 0F84 7B6B0400 JE 6A2C88D9
6A281D5E 8D86 00004000 LEA EAX,DWORD PTR DS:[ESI+400000]
6A281D64 8D4D 18 LEA ECX,DWORD PTR SS:[EBP+18]
6A281D67 8D95 98000000 LEA EDX,DWORD PTR SS:[EBP+98]
6A281D6D 8945 14 MOV DWORD PTR SS:[EBP+14],EAX
6A281D70 8975 10 MOV DWORD PTR SS:[EBP+10],ESI
6A281D73 894D 08 MOV DWORD PTR SS:[EBP+8],ECX
001270C8 00000000
001270CC 00000001
001270D0 /00127118
001270D4 |6A281CDD 返回到 6A281CDD 来自 6A281CEB
001270D8 |6A281BDE 返回到 6A281BDE 来自 6A281CBC
001270DC |6A281B60 返回到 6A281B60 来自 6A281B8C
ALT+F9,F9
77E5AC72 > 55 PUSH EBP
77E5AC73 8BEC MOV EBP,ESP
77E5AC75 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77E5AC78 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77E5AC7B FF75 0C PUSH DWORD PTR SS:[EBP+C]
77E5AC7E FF75 08 PUSH DWORD PTR SS:[EBP+8]
77E5AC81 6A FF PUSH -1
77E5AC83 E8 9CFFFFFF CALL kernel32.VirtualAllocEx
77E5AC88 5D POP EBP
77E5AC89 C2 1000 RETN 10
00127A64 013780D4 /CALL 到 VirtualAlloc 来自 013780CE
00127A68 03910000 |Address = 03910000
00127A6C 0001FFC5 |Size = 1FFC5 (131013.)
00127A70 00002000 |AllocationType = MEM_RESERVE
00127A74 00000040 \Protect = PAGE_EXECUTE_READWRITE
00127A78 0138C8D8
00127A7C 77F75690 ntdll.RtlLeaveCriticalSection
013780D4 8985 6CD7FFFF MOV DWORD PTR SS:[EBP-2894],EAX//断在这里
013780DA 83BD 6CD7FFFF 0>CMP DWORD PTR SS:[EBP-2894],0
013780E1 74 64 JE SHORT 01378147
013780E3 6A 40 PUSH 40
013780E5 68 00100000 PUSH 1000
013780EA FFB5 64D7FFFF PUSH DWORD PTR SS:[EBP-289C]
013780F0 FF35 F06C3901 PUSH DWORD PTR DS:[1396CF0]
013780F6 FF15 88313801 CALL DWORD PTR DS:[1383188] ; kernel32.VirtualAlloc //F8走
013780FC 8985 6CD7FFFF MOV DWORD PTR SS:[EBP-2894],EAX//EAX=03910000
ALT+M
内存映射, 条目 28
地址=008E5000
大小=00010000 (65536.)
属主=JCreatorV 00400000
区段=.adata
包含=SFX
类型=Imag 01001002
访问=R
初始访问=RWE
把寄存器窗口中的eax改为EAX=008E5000
HD VirtualAlloc, F9
77E749B7 > 68 2C020000 PUSH 22C
77E749BC 68 8853E777 PUSH kernel32.77E75388
77E749C1 E8 1259FEFF CALL kernel32.77E5A2D8
77E749C6 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
77E749CA 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
77E749CD 8BC1 MOV EAX,ECX
00127A70 0137824D /CALL 到 OutputDebugStringA 来自 01378247
00127A74 0012A3D4 \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s" 同上2次超做
he SetProcessWorkingSetSize ,F9
he GetCurrentThreadId ,F9
77E5A7DF > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77E5A7E5 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
77E5A7E8 C3 RETN
77E5A7E9 > 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
77E5A7ED 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
77E5A7F1 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
77E5A7F5 F0:0FB111 LOCK CMPXCHG DWORD PTR DS:[ECX],EDX ; 锁定前缀
0012D76C 01365235 /CALL 到 GetCurrentThreadId 来自 0136522F
0012D770 00000000
0012D774 000000A8
0012D778 /0012DEEC
ALT+F9 取消所有断点
01365235 50 PUSH EAX
01365236 FF75 FC PUSH DWORD PTR SS:[EBP-4]
01365239 E8 05000000 CALL 01365243
0136523E 83C4 0C ADD ESP,0C
01365241 C9 LEAVE
01365242 C3 RETN
.................................
0137D6C2 6A 00 PUSH 0
0137D6C4 E8 28DBFEFF CALL 0136B1F1
0137D6C9 59 POP ECX
0137D6CA BF D8C83801 MOV EDI,138C8D8
0137D6CF 8BCF MOV ECX,EDI
0137D6D1 E8 84AAFDFF CALL 0135815A
0137D6D6 84C0 TEST AL,AL
0137D6D8 75 09 JNZ SHORT 0137D6E3
0137D6DA 6A 01 PUSH 1
0137D6DC 8BCF MOV ECX,EDI
0137D6DE E8 53F8FDFF CALL 0135CF36
0137D6E3 B9 40BB3801 MOV ECX,138BB40
0137D6E8 C705 70903801 D>MOV DWORD PTR DS:[1389070],1389DD8 ; ASCII "RC"
0137D6F2 E8 C074FEFF CALL 01364BB7
0137D6F7 6A 00 PUSH 0
0137D6F9 E8 B974FEFF CALL 01364BB7
0137D6FE A1 20CF3801 MOV EAX,DWORD PTR DS:[138CF20]
0137D703 59 POP ECX
0137D704 8B15 38CF3801 MOV EDX,DWORD PTR DS:[138CF38] ; 2r.00400000
0137D70A 8B3E MOV EDI,DWORD PTR DS:[ESI]
0137D70C 8B88 88000000 MOV ECX,DWORD PTR DS:[EAX+88]
0137D712 3348 40 XOR ECX,DWORD PTR DS:[EAX+40]
0137D715 3348 20 XOR ECX,DWORD PTR DS:[EAX+20]
0137D718 03CA ADD ECX,EDX
0137D71A 85FF TEST EDI,EDI
0137D71C 75 18 JNZ SHORT 0137D736
0137D71E 8B50 74 MOV EDX,DWORD PTR DS:[EAX+74]
0137D721 FF76 14 PUSH DWORD PTR DS:[ESI+14]
0137D724 3350 28 XOR EDX,DWORD PTR DS:[EAX+28]
0137D727 FF76 10 PUSH DWORD PTR DS:[ESI+10]
0137D72A 3350 20 XOR EDX,DWORD PTR DS:[EAX+20]
0137D72D FF76 0C PUSH DWORD PTR DS:[ESI+C]
0137D730 2BCA SUB ECX,EDX
0137D732 FFD1 CALL ECX
0137D734 EB 1B JMP SHORT 0137D751
0137D736 83FF 01 CMP EDI,1
0137D739 75 18 JNZ SHORT 0137D753
0137D73B FF76 04 PUSH DWORD PTR DS:[ESI+4]
0137D73E FF76 08 PUSH DWORD PTR DS:[ESI+8]
0137D741 6A 00 PUSH 0
0137D743 52 PUSH EDX
0137D744 8B50 74 MOV EDX,DWORD PTR DS:[EAX+74]
0137D747 3350 28 XOR EDX,DWORD PTR DS:[EAX+28]
0137D74A 3350 20 XOR EDX,DWORD PTR DS:[EAX+20]
0137D74D 2BCA SUB ECX,EDX
0137D74F FFD1 CALL ECX //F7进入OEP,一片红 呵呵
0137D751 8BD8 MOV EBX,EAX
0137D753 5F POP EDI
0137D754 8BC3 MOV EAX,EBX
0137D756 5E POP ESI
0137D757 5B POP EBX
0137D758 C3 RETN
005159DF 55 PUSH EBP
005159E0 8BEC MOV EBP,ESP
005159E2 6A FF PUSH -1
005159E4 68 C0B57D00 PUSH JCreatorV.007DB5C0
005159E9 68 24A85100 PUSH JCreatorV.0051A824
005159EE 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
005159F4 50 PUSH EAX
005159F5 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
005159FC 83EC 58 SUB ESP,58
005159FF 53 PUSH EBX
00515A00 56 PUSH ESI
00515A01 57 PUSH EDI
00515A02 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00515A05 FF15 30747B00 CALL DWORD PTR DS:[7B7430] ; kernel32.GetVersion
00515A0B 33D2 XOR EDX,EDX
00515A0D 8AD4 MOV DL,AH
LORDPE DUMP之 直接打开ImprotREC JCreatorV.EXE 然后输入OEP 1159DF 自动搜索IAT-》获取输入表,有一个假指针-》点显示无效函数-》右键-》剪切指针-》修复抓取文件
呵呵~~成功
破解程序下次继续 今天就能到这里了,待续破解,
夜凉如水 [BCG] D.C.T
2005 11 30
[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入!
