[已解决] [悬赏]请教一段CR代码 2.00雪花

2017-6-15 10:11
2490
在看别人的一个破解,如下代码,58FEE 处的 jnz 被 nop 掉了。请问上面 58FDA 处的 call 是关键 call 吗?谁能帮忙说下原理(这个 call 的返回值是怎样决定后面流程的),谢谢了。

; Reviewer annotation. Microsoft x64 calling convention: integer args in rcx, rdx, r8, r9;
; args 5 and 6 go in the caller's stack slots [rsp+20h] and [rsp+28h]; the return value is eax.
; This is the tail of sub_180058D30 (its beginning is not part of the excerpt). The status it
; returns depends only on whether sub_1800D8600 (called at 58FDA) returns exactly 1.
; NOTE(review): from a protection standpoint the whole decision funnels through one cmp/jnz,
; which is what makes a single-byte change at 58FEE flip the outcome.
.text:0000000180058F7A                 mov     eax, [rsp+138h+var_64]  ; 32-bit load zero-extends into rax

.text:0000000180058F81                 mov     rdx, [rsp+138h+var_70]

.text:0000000180058F89                 add     rdx, rax                ; rdx = var_70 + (u32)var_64  (2nd arg)

.text:0000000180058F8C                 lea     rcx, [rsp+138h+var_D8]  ; rcx = &var_D8  (1st arg)

.text:0000000180058F91                 call    sub_1800D86B0           ; sub_1800D86B0(&var_D8, var_70 + var_64); purpose not visible in this excerpt

.text:0000000180058F96                 lea     rdx, [rsp+138h+var_D8]  ; rdx = &var_D8  (2nd arg)

.text:0000000180058F9B                 lea     rcx, [rsp+138h+var_F8]  ; rcx = &var_F8  (1st arg)

.text:0000000180058FA0                 call    sub_1800D87E0           ; sub_1800D87E0(&var_F8, &var_D8); var_F8 is what the check below receives

.text:0000000180058FA5                 mov     rax, [rsp+138h+arg_0]

.text:0000000180058FAD                 mov     rax, [rax+8]            ; rax = *(QWORD *)(arg_0 + 8)

.text:0000000180058FB1                 mov     [rsp+138h+var_110], rax ; var_110 is [rsp+28h]: 6th-argument slot for the call at 58FDA

.text:0000000180058FB6                 mov     eax, dword ptr [rsp+138h+Size]

.text:0000000180058FBD                 mov     [rsp+138h+var_118], eax ; var_118 is [rsp+20h]: 5th-argument slot (32-bit, matches the callee's arg_20 dword)

.text:0000000180058FC1                 mov     r9, [rsp+138h+arg_0]

.text:0000000180058FC9                 mov     r9, [r9+10h]            ; r9 = *(QWORD *)(arg_0 + 10h)  (4th arg)

.text:0000000180058FCD                 mov     r8d, 14h                ; r8 = 0x14 = 20  (3rd arg; its meaning is not recoverable from this listing)

.text:0000000180058FD3                 lea     rdx, [rsp+138h+var_F8]  ; rdx = &var_F8  (2nd arg)

.text:0000000180058FD8                 xor     ecx, ecx                ; rcx = 0  (1st arg)

.text:0000000180058FDA                 call    sub_1800D8600           ; eax = sub_1800D8600(0, &var_F8, 0x14, *(arg_0+10h), (u32)Size, *(arg_0+8))

.text:0000000180058FDF                 mov     dword ptr [rsp+138h+Size+4], eax  ; keep the result

.text:0000000180058FE6                 cmp     dword ptr [rsp+138h+Size+4], 1    ; only a result of exactly 1 counts as "passed" (0, 2, ... do not)

.text:0000000180058FEE                 jnz     short loc_180058FFD     ; result != 1 -> failure status

.text:0000000180058FF0                 mov     [rsp+138h+var_18], 0    ; status = 0 (success)

.text:0000000180058FFB                 jmp     short loc_180059008

.text:0000000180058FFD ; ---------------------------------------------------------------------------

.text:0000000180058FFD

.text:0000000180058FFD loc_180058FFD:                          ; CODE XREF: sub_180058D30+2BEj

.text:0000000180058FFD                 mov     [rsp+138h+var_18], 27h  ; status = 0x27 (39): the failure code of this build

.text:0000000180059008

.text:0000000180059008 loc_180059008:                          ; CODE XREF: sub_180058D30+2CBj

.text:0000000180059008                 mov     eax, [rsp+138h+var_18]

.text:000000018005900F                 mov     [rsp+138h+var_24], eax  ; var_24 = status; it survives the destructor call below and becomes the return value

.text:0000000180059016

.text:0000000180059016 loc_180059016:                          ; DATA XREF: .rdata:stru_18019DFD8o
                                                                ; referenced from .rdata, presumably unwind/cleanup data for the local below -- not verifiable here

.text:0000000180059016                 lea     rcx, [rsp+138h+var_60] ; this

.text:000000018005901E                 call    ??1_Locimp@locale@std@@MEAA@XZ ; std::locale::_Locimp::~_Locimp(void)

.text:0000000180059023                 mov     eax, [rsp+138h+var_24]  ; return value: 0 when the check returned 1, 0x27 otherwise

.text:000000018005902A

.text:000000018005902A loc_18005902A:                          ; CODE XREF: sub_180058D30+7Bj

.text:000000018005902A                                         ; sub_180058D30+E6j ...

.text:000000018005902A                 mov     rcx, [rsp+138h+var_10]  ; saved stack cookie (/GS)

.text:0000000180059032                 xor     rcx, rsp        ; StackCookie

.text:0000000180059035                 call    __security_check_cookie  ; aborts the process if the cookie was overwritten (stack smash)

.text:000000018005903A                 add     rsp, 138h       ; tear down the 0x138-byte frame

.text:0000000180059041                 retn

.text:0000000180059041 sub_180058D30   endp

.text:0000000180059041



58FDA的call如下

D8600

; Reviewer annotation. Prologue of sub_1800D8600; only the first instruction was pasted, so the
; body is unknown here. The arg_* offsets are relative to rsp at entry (after the return address):
; arg_0..arg_18 ([rsp+8h]..[rsp+20h]) are the 32-byte home area for rcx/rdx/r8/r9,
; arg_20 = [rsp+28h] is the caller's 5th argument (dword) and arg_28 = [rsp+30h] the 6th (qword),
; which matches the caller storing (u32)Size and a QWORD at its [rsp+20h]/[rsp+28h] before the call.
.text:00000001800D8600

.text:00000001800D8600 ; =============== S U B R O U T I N E =======================================

.text:00000001800D8600

.text:00000001800D8600

.text:00000001800D8600 sub_1800D8600   proc near               ; CODE XREF: sub_1800542D0+189p

.text:00000001800D8600                                         ; _cftoe_l+8Fp ...

.text:00000001800D8600

.text:00000001800D8600 var_18          = qword ptr -18h

.text:00000001800D8600 arg_0           = qword ptr  8          ; home slot of rcx

.text:00000001800D8600 arg_8           = qword ptr  10h        ; home slot of rdx

.text:00000001800D8600 arg_10          = qword ptr  18h        ; home slot of r8

.text:00000001800D8600 arg_18          = qword ptr  20h        ; home slot of r9

.text:00000001800D8600 arg_20          = dword ptr  28h        ; 5th argument (32-bit)

.text:00000001800D8600 arg_28          = qword ptr  30h        ; 6th argument (64-bit)

.text:00000001800D8600

.text:00000001800D8600                 mov     [rsp+arg_8], rbx  ; save callee-saved rbx into the caller-provided home slot instead of pushing




最新回复 (5)
2
或许是,
他把call的返回值拿出来跟1比较  再决定跳不跳
2017-6-15 11:11
3
相当于(注意是和 1 比较,不是判断非零):
if (fun() == 1)
{ /* 返回 0 */ }
else
{ /* 返回 0x27 */ }
2017-6-15 11:12
4
请问call后面的D8600这一段啥意思?
2017-6-15 13:52
5

在同一软件的另一个版本中,这两段代码变为如下。按同样方法修改该 call 下面的条件跳转(注意此版本是 jz,而不是 jnz),程序却提示失败,原因是啥?

; Reviewer annotation. Middle of sub_18004D060 in the other build; both the function start and
; the exit label loc_18004D1DE are outside the excerpt. Same ABI as above (rcx, rdx, r8, r9,
; then [rsp+20h], [rsp+28h]). The same "is the result exactly 1" decision exists here, but the
; branch sense is inverted relative to the first build: jz jumps to the success path, and the
; fall-through is the failure path (status 0x16).
.text:000000018004D0F4                 lea     rcx, [rsp+148h+var_A8]  ; rcx = &var_A8 (1st arg); rdx was set earlier, outside the excerpt

.text:000000018004D0FC                 mov     r8d, 2                  ; r8 = 2 (3rd arg)

.text:000000018004D102                 call    sub_1800CEA90           ; sub_1800CEA90(&var_A8, rdx, 2)

.text:000000018004D107                 lea     rcx, [rsp+148h+var_A8]

.text:000000018004D10F                 mov     r8d, 8                  ; r8 = 8

.text:000000018004D115                 mov     rdx, rbx                ; rdx = rbx (value set outside the excerpt)

.text:000000018004D118                 call    sub_1800CEA90           ; sub_1800CEA90(&var_A8, rbx, 8)

.text:000000018004D11D                 lea     rdx, [rdi+24h]          ; rdx = rdi + 24h

.text:000000018004D121                 lea     rcx, [rsp+148h+var_A8]

.text:000000018004D129                 mov     r8d, 10h                ; r8 = 16

.text:000000018004D12F                 call    sub_1800CEA90           ; sub_1800CEA90(&var_A8, rdi+24h, 16) -- same context, three calls with 2/8/16; looks incremental, but the callee is not shown

.text:000000018004D134                 lea     rdx, [rsp+148h+var_A8]

.text:000000018004D13C                 lea     rcx, [rsp+148h+var_48]

.text:000000018004D144                 call    sub_1800CEBC0           ; sub_1800CEBC0(&var_48, &var_A8); var_48 is what the check below receives

.text:000000018004D149                 movzx   ecx, byte ptr [rbp+10h] ; ecx = zero-extended byte at rbp+10h

.text:000000018004D14D                 mov     rax, [rdi+10h]          ; rax = *(QWORD *)(rdi + 10h)

.text:000000018004D151                 mov     [rsp+148h+var_120], rax ; var_120 is [rsp+28h]: 6th-argument slot

.text:000000018004D156                 mov     [rsp+148h+var_128], ecx ; var_128 is [rsp+20h]: 5th-argument slot (32-bit)

.text:000000018004D15A                 lea     r9, [rbp+11h]           ; r9 = rbp + 11h (4th arg) -- a pointer here, where the first build passed a loaded QWORD

.text:000000018004D15E                 lea     rdx, [rsp+148h+var_48]  ; rdx = &var_48 (2nd arg)

.text:000000018004D166                 xor     ecx, ecx                ; rcx = 0 (1st arg)

.text:000000018004D168                 mov     r8d, 14h                ; r8 = 0x14 = 20 (3rd arg), same constant as the first build

.text:000000018004D16E                 call    sub_1800CE9E0           ; eax = sub_1800CE9E0(0, &var_48, 0x14, rbp+11h, (u32)byte[rbp+10h], *(rdi+10h))

.text:000000018004D173                 cmp     eax, 1                  ; only exactly 1 counts as "passed"

.text:000000018004D176                 jz      short loc_18004D17F     ; result == 1 -> success path; NOTE: opposite branch sense to the jnz at 58FEE in the other build

.text:000000018004D178                 mov     eax, 16h                ; fall-through = failure: status 0x16 (22) in this build (0x27 in the other)

.text:000000018004D17D                 jmp     short loc_18004D1DE     ; common exit, outside the excerpt

.text:000000018004D17F ; ---------------------------------------------------------------------------

.text:000000018004D17F

.text:000000018004D17F loc_18004D17F:                          ; CODE XREF: sub_18004D060+116j

.text:000000018004D17F                 xor     eax, eax                ; rax = 0

.text:000000018004D181                 lea     rcx, [rsp+148h+var_108] ; rcx = &var_108

.text:000000018004D186                 mov     [rdi+38h], rax          ; *(QWORD *)(rdi + 38h) = 0

.text:000000018004D18A                 mov     [rdi+40h], rax          ; *(QWORD *)(rdi + 40h) = 0

.text:000000018004D18E                 call    sub_1800CB820           ; sub_1800CB820(&var_108)

.text:000000018004D193                 lea     rdx, [rdi+24h]

.text:000000018004D197                 lea     rcx, [rsp+148h+var_108]

.text:000000018004D19C                 mov     r8d, 10h

.text:000000018004D1A2                 call    sub_1800CB580           ; sub_1800CB580(&var_108, rdi+24h, 16)

.text:000000018004D1A7                 lea     rdx, [rbp+10h]

.text:000000018004D1AB                 lea     rcx, [rsp+148h+var_108]

.text:000000018004D1B0                 mov     r8d, 1

.text:000000018004D1B6                 call    sub_1800CB580           ; sub_1800CB580(&var_108, rbp+10h, 1)

.text:000000018004D1BB                 movzx   r8d, byte ptr [rbp+10h] ; r8 = byte at rbp+10h, used as the length ...

.text:000000018004D1C0                 lea     rdx, [rbp+11h]          ; ... of the data that starts right after it (length-prefixed byte string at rbp+10h)

.text:000000018004D1C4                 lea     rcx, [rsp+148h+var_108]

.text:000000018004D1C9                 call    sub_1800CB580           ; sub_1800CB580(&var_108, rbp+11h, byte[rbp+10h])

 

 

 

; Reviewer annotation. Prologue of sub_1800CE9E0 (the check called at 4D16E); only three
; instructions were pasted. Same argument layout as sub_1800D8600 in the other build:
; arg_0..arg_18 are the register home slots, arg_20 = 5th argument (dword), arg_28 = 6th (qword).
.text:00000001800CE9D0 ; ---------------------------------------------------------------------------

.text:00000001800CE9D1 algn_1800CE9D1:                         ; DATA XREF: .pdata:00000001801E26D4o

.text:00000001800CE9D1                 align 20h               ; pad so the function starts on a 32-byte boundary

.text:00000001800CE9E0

.text:00000001800CE9E0 ; =============== S U B R O U T I N E =======================================

.text:00000001800CE9E0

.text:00000001800CE9E0

.text:00000001800CE9E0 sub_1800CE9E0   proc near               ; CODE XREF: sub_18004D060+10Ep

.text:00000001800CE9E0                                         ; sub_18004DBB0+79p ...

.text:00000001800CE9E0

.text:00000001800CE9E0 var_18          = qword ptr -18h

.text:00000001800CE9E0 arg_0           = qword ptr  8          ; home slot of rcx

.text:00000001800CE9E0 arg_8           = qword ptr  10h        ; home slot of rdx

.text:00000001800CE9E0 arg_10          = qword ptr  18h        ; home slot of r8

.text:00000001800CE9E0 arg_18          = qword ptr  20h        ; home slot of r9

.text:00000001800CE9E0 arg_20          = dword ptr  28h        ; 5th argument (32-bit)

.text:00000001800CE9E0 arg_28          = qword ptr  30h        ; 6th argument (64-bit)

.text:00000001800CE9E0

.text:00000001800CE9E0                 mov     [rsp+arg_8], rbx  ; save callee-saved rbx in the caller's home area (no push)

.text:00000001800CE9E5                 mov     [rsp+arg_10], rbp ; save callee-saved rbp the same way

.text:00000001800CE9EA                 mov     [rsp+arg_18], r9  ; spill the 4th argument to its home slot, presumably so arg_18..arg_28 can be read as one contiguous run -- confirm in the body

2017-6-15 14:06
6
说明这是64位程序。
2017-6-15 17:23