-
-
[原创]第七题
-
发表于:
2017-6-15 10:47
4693
-
1、处理int3反调试,可以看到:
0040F2CA |> \68 E2DE4000 PUSH 7-不问少.0040DEE2 ; /pTopLevelFilter = 7-不问少.0040DEE2
0040F2CF |. FF15 F83C4500 CALL DWORD PTR DS:[<&KERNEL32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter
0040DEE2 为程序处理异常的函数:
0040DEE2 /. 55 PUSH EBP
0040DEE3 |. 8BEC MOV EBP,ESP
0040DEE5 |. 56 PUSH ESI
0040DEE6 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0040DEE9 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
0040DEEB |. 8138 03000080 CMP DWORD PTR DS:[EAX],80000003 比较是不是int3
0040DEF1 |. 75 25 JNZ SHORT 7-不问少.0040DF18
0040DEF3 |. 6A 00 PUSH 0 ; /lParam = 0
0040DEF5 |. 6A 00 PUSH 0 ; |wParam = 0
0040DEF7 |. FF35 302C4000 PUSH DWORD PTR DS:[402C30] ; |Message = MSG(464)
0040DEFD |. FF35 00264500 PUSH DWORD PTR DS:[452600] ; |hWnd = 9303D4
0040DF03 |. FF15 E03D4500 CALL DWORD PTR DS:[<&USER32.PostMessageW>] ; \PostMessageW //发送窗口消息,执行正常的流程
0040DF09 |. 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
0040DF0C |. 8380 B8000000>ADD DWORD PTR DS:[EAX+B8],9
0040DF13 |. 83C8 FF OR EAX,FFFFFFFF
0040DF16 |. EB 02 JMP SHORT 7-不问少.0040DF1A
0040DF18 |> 33C0 XOR EAX,EAX
0040DF1A |> 5E POP ESI
0040DF1B |. 5D POP EBP
0040DF1C \. C2 0400 RETN 4
通过PostMessageW发送消息,可以推断出,最终会执行到0040E3ED :
0040E3ED |. 8D45 1C LEA EAX,DWORD PTR SS:[EBP+1C]
0040E3F0 |. C745 1C 01000>MOV DWORD PTR SS:[EBP+1C],1
0040E3F7 |. 50 PUSH EAX
0040E3F8 |. FF75 14 PUSH DWORD PTR SS:[EBP+14]
0040E3FB |. 8BCB MOV ECX,EBX
0040E3FD |. 56 PUSH ESI
0040E3FE |. 57 PUSH EDI
0040E3FF |. E8 C9200000 CALL 7-不问少.004104CD 这里就是效验key的函数
然而每次按下按钮会执行到:
0040E478 |. 8D45 1C LEA EAX,DWORD PTR SS:[EBP+1C]
0040E47B |. 897D 1C MOV DWORD PTR SS:[EBP+1C],EDI
0040E47E |. 50 PUSH EAX
0040E47F |. FF75 14 PUSH DWORD PTR SS:[EBP+14]
0040E482 |. 51 PUSH ECX
0040E483 |. 6A 00 PUSH 0
0040E485 |. 8BCB MOV ECX,EBX
0040E487 |. E8 F91D0000 CALL 7-不问少.00410285 这个为执行int3反调试
00410285如下:
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
