软件使用的是 Armadillo 加壳，注册码用了 10 次就到期，
于是我动手学习学习
查壳发现是
Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]
于是我开始了脱壳
这是程序的入口点
下断bp OpenMutexA回车 shift+f9
005DA740 > 55 push ebp
005DA741 8BEC mov ebp,esp
005DA743 6A FF push -1
005DA745 68 A05A5F00 push jqw.005F5AA0
005DA74A 68 18A45D00 push jqw.005DA418
005DA74F 64:A1 00000000 mov eax,dword ptr fs:[0]
005DA755 50 push eax
005DA756 64:8925 0000000>mov dword ptr fs:[0],esp
005DA75D 83EC 58 sub esp,58
005DA760 53 push ebx
005DA761 56 push esi
005DA762 57 push edi
005DA763 8965 E8 mov dword ptr ss:[ebp-18],esp
005DA766 FF15 78015F00 call dword ptr ds:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion
这时到了这断下来
7C80EC1B > 8BFF mov edi,edi
7C80EC1D 55 push ebp
7C80EC1E 8BEC mov ebp,esp
7C80EC20 51 push ecx
7C80EC21 51 push ecx
7C80EC22 837D 10 00 cmp dword ptr ss:[ebp+10],0
7C80EC26 56 push esi
7C80EC27 0F84 7A500300 je kernel32.7C843CA7
堆栈
005C6380 /CALL 到 OpenMutexA 来自 jqw.005C637A
001F0001 |Access = 1F0001
00000000 |Inheritable = FALSE
0012DDE0 \MutexName = "48C::DA5B386B4A"
到401000复制以下代码
60 9C 68 DC FB 12 00 33 C0 50 50 E8 2F DB 40 7C 9D 61 E9 04 DC 40 7C
并push 12FBDC这个改成了push 12dde0然后新建eip断下,这时取消断点
下断bp GetModuleHandleA+5 shift+f9
第一次
/0012CE8C
|5D175394 返回到 5D175394 来自 kernel32.GetModuleHandleA
|5D1753E0 ASCII "kernel32.dll"
第2次
/0012CF30
|77F45BB0 返回到 SHLWAPI.77F45BB0 来自 kernel32.GetModuleHandleA
|77F44FF4 ASCII "KERNEL32.DLL"
第3次
/0012D7A8
|005C54D3 返回到 jqw.005C54D3 来自 kernel32.GetModuleHandleA
|00CD18FE 返回到 00CD18FE 来自 kernel32.GetModuleHandleA
|00CE6364 ASCII "kernel32.dll"
|00CE7588 ASCII "VirtualAlloc"
第4次
|00CD191B 返回到 00CD191B 来自 kernel32.GetModuleHandleA
|00CE6364 ASCII "kernel32.dll"
|00CE757C ASCII "VirtualFree"
第5次
|00CDC790 返回到 00CDC790 来自 kernel32.GetModuleHandleA
|00000000
很多人都说到了这里然后 alt+f9 就能找到 Magic Jump
于是我就alt+f9
但我始终没找到 "je"
这是alt+f9后的代码
00CDC75C /75 79 jnz short 00CDC7D7
00CDC75E |6A 28 push 28
00CDC760 |8D45 D8 lea eax,dword ptr ss:[ebp-28]
00CDC763 |53 push ebx
00CDC764 |50 push eax
00CDC765 |C605 5006CF00 0>mov byte ptr ds:[CF0650],1
00CDC76C |E8 21270000 call 00CDEE92 ; jmp to msvcrt.memset
00CDC771 |83C4 0C add esp,0C
00CDC774 |C745 D8 0B00000>mov dword ptr ss:[ebp-28],0B
00CDC77B |C745 DC DDC7CD0>mov dword ptr ss:[ebp-24],0CDC7DD
00CDC782 |C745 E4 2600000>mov dword ptr ss:[ebp-1C],26
00CDC789 |53 push ebx
00CDC78A |FF15 D400CE00 call dword ptr ds:[CE00D4] ; kernel32.GetModuleHandleA
00CDC790 |68 007F0000 push 7F00 这是返回后停住的地方
00CDC795 |53 push ebx
00CDC796 |8945 E8 mov dword ptr ss:[ebp-18],eax
00CDC799 |FF15 8004CE00 call dword ptr ds:[CE0480] ; USER32.LoadCursorA
00CDC79F |BE 4C76CE00 mov esi,0CE764C ; UNICODE "SRTSmartDlg"
00CDC7A4 |8945 F0 mov dword ptr ss:[ebp-10],eax
00CDC7A7 |C745 F4 1000000>mov dword ptr ss:[ebp-C],10
00CDC7AE |8975 FC mov dword ptr ss:[ebp-4],esi
00CDC7B1 |8D45 D8 lea eax,dword ptr ss:[ebp-28]
00CDC7B4 |50 push eax
00CDC7B5 |E8 28100000 call 00CDD7E2
00CDC7BA |66:85C0 test ax,ax
00CDC7BD |75 18 jnz short 00CDC7D7
00CDC7BF |68 E08CCE00 push 0CE8CE0
00CDC7C4 |56 push esi
00CDC7C5 |FF15 7803CE00 call dword ptr ds:[CE0378] ; msvcrt.wcscat
00CDC7CB |43 inc ebx
00CDC7CC |59 pop ecx
00CDC7CD |83FB 0A cmp ebx,0A
00CDC7D0 |59 pop ecx
00CDC7D1 ^|7C DE jl short 00CDC7B1
00CDC7D3 |32C0 xor al,al
00CDC7D5 |EB 02 jmp short 00CDC7D9
00CDC7D7 \B0 01 mov al,1
00CDC7D9 5E pop esi
00CDC7DA 5B pop ebx
00CDC7DB C9 leave
00CDC7DC C3 ret
00CDC7DD 55 push ebp
00CDC7DE 8BEC mov ebp,esp
00CDC7E0 837D 0C 46 cmp dword ptr ss:[ebp+C],46
00CDC7E4 8B45 14 mov eax,dword ptr ss:[ebp+14]
00CDC7E7 75 04 jnz short 00CDC7ED
00CDC7E9 8348 18 01 or dword ptr ds:[eax+18],1
00CDC7ED 56 push esi
00CDC7EE 57 push edi
00CDC7EF 50 push eax
00CDC7F0 FF75 10 push dword ptr ss:[ebp+10]
00CDC7F3 FF75 0C push dword ptr ss:[ebp+C]
00CDC7F6 FF75 08 push dword ptr ss:[ebp+8]
00CDC7F9 E8 A10F0000 call 00CDD79F
00CDC7FE 837D 0C 02 cmp dword ptr ss:[ebp+C],2
00CDC802 8BF8 mov edi,eax
00CDC804 75 1F jnz short 00CDC825
00CDC806 FF75 08 push dword ptr ss:[ebp+8]
00CDC809 E8 81F7FFFF call 00CDBF8F
请大侠帮我找一下Magic Jump
盼回复