ParaBytes ReVerSeMe2 逆向分析过程
Written By lnn1123 06.4.10
最近老受打击,朋友一个个混得不错,感觉自己不行啊,没自信啊,找了一个软柿子来搞,发泄一下.由于本人技术有限,文章很可能
存在错误,所以如有发现请告诉我,最后谢谢你看此文.
看一下这个ReVerseMe的要求,如图(1)
图(1)
意思:要你自己添加2个edit框,一个button,然后添加代码验证输入的内容是否是内定的内容
思路: 要求是添加2个edit,一个button,应该想到用CreateWindowEx函数来创建,然后再添加验证输入的代码
添加代码前一定先查看区块缝隙,如图(2)
图(2)
0x400-0x33A=0xC6,由于要添加的代码可能多于这么大,所以应该添加一个区块;添加区块后,因为要添加验证部分功能,所以还得添加输入表部分,
需要的函数VirtualAlloc,GetWindowText,一切用LordPE搞定,搞定后如图(3)
图(3)
现在到分析代码的时候了,为WndProc修改跳转,以便跳到添加的代码
004010C4 |. 6A 00 PUSH 0 ; /lParam = NULL -- tail of the startup routine; its prologue and the X/Y/Width/Height locals in [EBP-4]..[EBP-10] are set above this excerpt
004010C6 |. FF35 20314000 PUSH DWORD PTR DS:[403120] ; |hInst = NULL -- [403120] holds the module handle used by every CreateWindowEx call
004010CC |. 6A 00 PUSH 0 ; |hMenu = NULL
004010CE |. 6A 00 PUSH 0 ; |hParent = NULL
004010D0 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; |Height
004010D3 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Width
004010D6 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |Y
004010D9 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; |X
004010DC |. 68 00000800 PUSH 80000 ; |Style = WS_OVERLAPPED|WS_SYSMENU
004010E1 |. 68 00304000 PUSH Reme5.00403000 ; |WindowName = "ParaBytes ReverseMe 2"
004010E6 |. 68 0E314000 PUSH Reme5.0040310E ; |Class = "WINDOWCLASS"
004010EB |. 6A 00 PUSH 0 ; |ExtStyle = 0
004010ED |. E8 E2010000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA -- creates the main (top-level) window
004010F2 |. A3 38314000 MOV DWORD PTR DS:[403138],EAX ; save the main window handle in [403138]; read by ShowWindow/UpdateWindow below and as the MessageBox owner in WndProc
004010F7 |. 6A 01 PUSH 1 ; /ShowState = SW_SHOWNORMAL
004010F9 |. FF35 38314000 PUSH DWORD PTR DS:[403138] ; |hWnd = NULL
004010FF |. E8 12020000 CALL <JMP.&USER32.ShowWindow> ; \ShowWindow
00401104 |. FF35 38314000 PUSH DWORD PTR DS:[403138] ; /hWnd = NULL
0040110A |. E8 13020000 CALL <JMP.&USER32.UpdateWindow> ; \UpdateWindow
0040110F |. E8 7A000000 CALL Reme5.0040118E ; run the message loop at 0040118E until GetMessageA returns 0
00401114 |. EB 13 JMP SHORT Reme5.00401129 ; skip the failure message box and return
00401116 |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL -- failure path ("Ahhh, bad kid !"); the branch that reaches it lies above this excerpt
00401118 |. 68 00304000 PUSH Reme5.00403000 ; |Title = "ParaBytes ReverseMe 2"
0040111D |. 68 FE304000 PUSH Reme5.004030FE ; |Text = "Ahhh, bad kid !"
00401122 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401124 |. E8 D5010000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401129 |> C9 LEAVE ; common exit of both paths
0040112A \. C3 RETN
0040112B /$ 55 PUSH EBP ; register_class(lpfnWndProc=[EBP+8], lpszClassName=[EBP+C], hIcon=[EBP+10], hCursor=[EBP+14], hbrBackground=[EBP+18]): fills a WNDCLASSEXA on the stack and calls RegisterClassExA; stdcall, five args (RETN 14)
0040112C |. 8BEC MOV EBP,ESP
0040112E |. 83C4 D0 ADD ESP,-30 ; 0x30 bytes = sizeof(WNDCLASSEXA); the structure lives at [EBP-30]
00401131 |. C745 D0 300000>MOV DWORD PTR SS:[EBP-30],30 ; cbSize = 0x30
00401138 |. C745 D4 003000>MOV DWORD PTR SS:[EBP-2C],3000 ; style = 0x3000
0040113F |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; lpfnWndProc = arg1
00401142 |. 8F45 D8 POP DWORD PTR SS:[EBP-28]
00401145 |. C745 DC 000000>MOV DWORD PTR SS:[EBP-24],0 ; cbClsExtra = 0
0040114C |. C745 E0 000000>MOV DWORD PTR SS:[EBP-20],0 ; cbWndExtra = 0
00401153 |. FF35 20314000 PUSH DWORD PTR DS:[403120] ; hInstance = the global module handle in [403120]
00401159 |. 8F45 E4 POP DWORD PTR SS:[EBP-1C]
0040115C |. FF75 18 PUSH DWORD PTR SS:[EBP+18] ; hbrBackground = arg5
0040115F |. 8F45 F0 POP DWORD PTR SS:[EBP-10]
00401162 |. C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0 ; lpszMenuName = NULL
00401169 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; lpszClassName = arg2
0040116C |. 8F45 F8 POP DWORD PTR SS:[EBP-8]
0040116F |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; hIcon = arg3
00401172 |. 8F45 E8 POP DWORD PTR SS:[EBP-18]
00401175 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; hCursor = arg4
00401178 |. 8F45 EC POP DWORD PTR SS:[EBP-14]
0040117B |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; hIconSm = arg3 (same icon as hIcon)
0040117E |. 8F45 FC POP DWORD PTR SS:[EBP-4]
00401181 |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30] ; EAX -> the filled WNDCLASSEXA
00401184 |. 50 PUSH EAX ; /pWndClassEx
00401185 |. E8 80010000 CALL <JMP.&USER32.RegisterClassExA> ; \RegisterClassExA -- result (ATOM or 0) is returned in EAX unchecked here
0040118A |. C9 LEAVE
0040118B \. C2 1400 RETN 14 ; pops the five dword arguments
0040118E /$ 55 PUSH EBP ; message_loop(): Get/Translate/Dispatch until GetMessageA returns 0, then returns msg.wParam in EAX; no arguments (RETN)
0040118F |. 8BEC MOV EBP,ESP
00401191 |. 83C4 E4 ADD ESP,-1C ; 0x1C bytes = one MSG structure at [EBP-1C]
00401194 |> 6A 00 /PUSH 0 ; /MsgFilterMax = 0
00401196 |. 6A 00 |PUSH 0 ; |MsgFilterMin = 0
00401198 |. 6A 00 |PUSH 0 ; |hWnd = NULL -- messages for any window of this thread
0040119A |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; |
0040119D |. 50 |PUSH EAX ; |pMsg
0040119E |. E8 43010000 |CALL <JMP.&USER32.GetMessageA> ; \GetMessageA
004011A3 |. 83F8 00 |CMP EAX,0 ; 0 = WM_QUIT received; an error return of -1 is not distinguished and would be dispatched
004011A6 |. 74 14 |JE SHORT Reme5.004011BC
004011A8 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
004011AB |. 50 |PUSH EAX ; /pMsg
004011AC |. E8 6B010000 |CALL <JMP.&USER32.TranslateMessage> ; \TranslateMessage
004011B1 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
004011B4 |. 50 |PUSH EAX ; /pMsg
004011B5 |. E8 26010000 |CALL <JMP.&USER32.DispatchMessageA> ; \DispatchMessageA -- routes the message to WndProc at 004011C1
004011BA |.^EB D8 \JMP SHORT Reme5.00401194
004011BC |> 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; return value = MSG.wParam ([EBP-1C]+8), the exit code passed to PostQuitMessage
004011BF |. C9 LEAVE
004011C0 \. C3 RETN
004011C1 /. 55 PUSH EBP ; WndProc(hWnd=[EBP+8], uMsg=[EBP+C], wParam=[EBP+10], lParam=[EBP+14]); stdcall, four args (RETN 10); handles WM_COMMAND, WM_CREATE, WM_CLOSE, WM_DESTROY, everything else goes to DefWindowProcA
004011C2 |. 8BEC MOV EBP,ESP
004011C4 |. 81C4 E4FEFFFF ADD ESP,-11C ; 0x11C bytes of locals; nothing in this excerpt reads them
004011CA |. 817D 0C 110100>CMP DWORD PTR SS:[EBP+C],111 ; uMsg == WM_COMMAND (0x111)?
004011D1 |. 75 1D JNZ SHORT Reme5.004011F0
004011D3 |. 837D 10 03 CMP DWORD PTR SS:[EBP+10],3 ; wParam == 3 (control id 3 = the Exit button, notification code 0 = BN_CLICKED in the high word)? -- this is the spot the patch redirects to the added code
004011D7 |. 0F85 CC000000 JNZ Reme5.004012A9 ; any other command -> DefWindowProc
004011DD |. 6A 00 PUSH 0 ; /lParam = 0
004011DF |. 6A 00 PUSH 0 ; |wParam = 0
004011E1 |. 6A 10 PUSH 10 ; |Message = WM_CLOSE
004011E3 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004011E6 |. E8 25010000 CALL <JMP.&USER32.SendMessageA> ; \SendMessageA -- Exit button: close the main window
004011EB |. E9 B9000000 JMP Reme5.004012A9
004011F0 |> 837D 0C 01 CMP DWORD PTR SS:[EBP+C],1 ; uMsg == WM_CREATE (1)?
004011F4 |. 75 7E JNZ SHORT Reme5.00401274
004011F6 |. 6A 00 PUSH 0 ; /lParam = NULL
004011F8 |. FF35 20314000 PUSH DWORD PTR DS:[403120] ; |hInst = NULL
004011FE |. 6A 00 PUSH 0 ; |hMenu = NULL
00401200 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent
00401203 |. 68 C8000000 PUSH 0C8 ; |Height = C8 (200.)
00401208 |. 68 5E010000 PUSH 15E ; |Width = 15E (350.)
0040120D |. 6A 00 PUSH 0 ; |Y = 0
0040120F |. 6A 05 PUSH 5 ; |X = 5
00401211 |. 68 00000050 PUSH 50000000 ; |Style = WS_CHILD|WS_VISIBLE
00401216 |. 68 16304000 PUSH Reme5.00403016 ; |WindowName = "Your Task is To Make 2 Edits and button,
when the button is pressed, it should check
if the name is yours, and the serial is 31337"
0040121B |. 68 9B304000 PUSH Reme5.0040309B ; |Class = "STATIC"
00401220 |. 6A 00 PUSH 0 ; |ExtStyle = 0
00401222 |. E8 AD000000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA -- static label with the task text; its handle is discarded
00401227 |. 6A 00 PUSH 0 ; /lParam = NULL
00401229 |. FF35 20314000 PUSH DWORD PTR DS:[403120] ; |hInst = NULL
0040122F |. 6A 03 PUSH 3 ; |hMenu = 00000003 // control id 3 = the Exit button (matched by the WM_COMMAND check at 004011D3)
00401231 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent
00401234 |. 6A 28 PUSH 28 ; |Height = 28 (40.)
00401236 |. 6A 50 PUSH 50 ; |Width = 50 (80.)
00401238 |. 6A 3C PUSH 3C ; |Y = 3C (60.)
0040123A |. 6A 3C PUSH 3C ; |X = 3C (60.)
0040123C |. 68 01100050 PUSH 50001001 ; |Style = WS_CHILD|WS_VISIBLE|1001
00401241 |. 68 F9304000 PUSH Reme5.004030F9 ; |WindowName = "Exit"
00401246 |. 68 F2304000 PUSH Reme5.004030F2 ; |Class = "BUTTON"
0040124B |. 6A 08 PUSH 8 ; |ExtStyle = WS_EX_TOPMOST
0040124D |. E8 82000000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
00401252 |. A3 3C314000 MOV DWORD PTR DS:[40313C],EAX ; save the Exit button handle in [40313C]
00401257 |. 85C0 TEST EAX,EAX ; button creation failed (NULL)?
00401259 |. 75 17 JNZ SHORT Reme5.00401272
0040125B |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL -- on failure the task text is shown as a message box instead
0040125D |. 68 00304000 PUSH Reme5.00403000 ; |Title = "ParaBytes ReverseMe 2"
00401262 |. 68 16304000 PUSH Reme5.00403016 ; |Text = "Your Task is To Make 2 Edits and button,
when the button is pressed, it should check
if the name is yours, and the serial is 31337"
00401267 |. FF35 38314000 PUSH DWORD PTR DS:[403138] ; |hOwner = NULL
0040126D |. E8 8C000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401272 |> EB 35 JMP SHORT Reme5.004012A9
00401274 |> 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10 ; uMsg == WM_CLOSE (0x10)?
00401278 |. 75 19 JNZ SHORT Reme5.00401293
0040127A |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL -- greetings box, then fall through to DefWindowProc which destroys the window
0040127C |. 68 00304000 PUSH Reme5.00403000 ; |Title = "ParaBytes ReverseMe 2"
00401281 |. 68 A2304000 PUSH Reme5.004030A2 ; |Text = "Thanks to Crudd and SantMat for helpin me so much and made this ReMe working ;)"
00401286 |. FF35 38314000 PUSH DWORD PTR DS:[403138] ; |hOwner = NULL
0040128C |. E8 6D000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401291 |. EB 16 JMP SHORT Reme5.004012A9
00401293 |> 837D 0C 02 CMP DWORD PTR SS:[EBP+C],2 ; uMsg == WM_DESTROY (2)?
00401297 |. 75 10 JNZ SHORT Reme5.004012A9
00401299 |. 6A 00 PUSH 0 ; /ExitCode = 0
0040129B |. E8 64000000 CALL <JMP.&USER32.PostQuitMessage> ; \PostQuitMessage -- makes GetMessageA in the loop at 0040118E return 0
004012A0 |. B8 00000000 MOV EAX,0 ; WM_DESTROY handled: return 0 without calling DefWindowProc
004012A5 |. C9 LEAVE
004012A6 |. C2 1000 RETN 10
004012A9 |> FF75 14 PUSH DWORD PTR SS:[EBP+14] ; /lParam -- default: DefWindowProcA(hWnd, uMsg, wParam, lParam)
004012AC |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |wParam
004012AF |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Message
004012B2 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012B5 |. E8 20000000 CALL <JMP.&USER32.DefWindowProcA> ; \DefWindowProcA
004012BA |. C9 LEAVE
004012BB \. C2 1000 RETN 10
004012BE /$ 55 PUSH EBP ; helper(a=[EBP+8], b=[EBP+C]) -> EAX = (b >> 1) - (a >> 1); stdcall, two args (RETN 8); no caller is visible in this excerpt -- presumably used to centre the window (GetSystemMetrics is imported), confirm in the code above 004010C4
004012BF |. 8BEC MOV EBP,ESP
004012C1 |. D16D 0C SHR DWORD PTR SS:[EBP+C],1 ; b /= 2 (unsigned), modified in place on the stack
004012C4 |. D16D 08 SHR DWORD PTR SS:[EBP+8],1 ; a /= 2
004012C7 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004012CA |. 2945 0C SUB DWORD PTR SS:[EBP+C],EAX ; b/2 - a/2
004012CD |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; result in EAX
004012D0 |. C9 LEAVE
004012D1 \. C2 0800 RETN 8
004012D4 $-FF25 3C204000 JMP DWORD PTR DS:[<&USER32.CreateWindowE>; USER32.CreateWindowExA -- import thunks: every CALL <JMP.&...> above lands here and jumps through the IAT slot at 004020xx
004012DA $-FF25 10204000 JMP DWORD PTR DS:[<&USER32.DefWindowProc>; USER32.DefWindowProcA
004012E0 $-FF25 24204000 JMP DWORD PTR DS:[<&USER32.DispatchMessa>; USER32.DispatchMessageA
004012E6 $-FF25 28204000 JMP DWORD PTR DS:[<&USER32.GetMessageA>] ; USER32.GetMessageA
004012EC $-FF25 14204000 JMP DWORD PTR DS:[<&USER32.GetSystemMetr>; USER32.GetSystemMetrics -- no call visible in this excerpt; presumably used by the startup code above 004010C4
004012F2 $-FF25 18204000 JMP DWORD PTR DS:[<&USER32.LoadCursorA>] ; USER32.LoadCursorA -- same, not called within this excerpt
004012F8 $-FF25 1C204000 JMP DWORD PTR DS:[<&USER32.LoadIconA>] ; USER32.LoadIconA -- same
004012FE $-FF25 20204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
00401304 $-FF25 40204000 JMP DWORD PTR DS:[<&USER32.PostQuitMessa>; USER32.PostQuitMessage
0040130A $-FF25 44204000 JMP DWORD PTR DS:[<&USER32.RegisterClass>; USER32.RegisterClassExA
00401310 $-FF25 2C204000 JMP DWORD PTR DS:[<&USER32.SendMessageA>>; USER32.SendMessageA
00401316 $-FF25 30204000 JMP DWORD PTR DS:[<&USER32.ShowWindow>] ; USER32.ShowWindow
0040131C $-FF25 34204000 JMP DWORD PTR DS:[<&USER32.TranslateMess>; USER32.TranslateMessage
00401322 $-FF25 38204000 JMP DWORD PTR DS:[<&USER32.UpdateWindow>>; USER32.UpdateWindow
00401328 .-FF25 08204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>; KERNEL32.ExitProcess -- marked '.' rather than '$': the analyser found no reference to this thunk
0040132E $-FF25 04204000 JMP DWORD PTR DS:[<&KERNEL32.GetCommandL>; KERNEL32.GetCommandLineA
00401334 $-FF25 00204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleHa>; KERNEL32.GetModuleHandleA -- the zero bytes that follow (0040133A..0040140B) are the code cave measured in the text above
0040133A 00 DB 00
0040133B 00 DB 00
0040133C 00 DB 00
0040133D 00 DB 00
0040133E 00 DB 00
0040133F 00 DB 00
00401340 00 DB 00
00401341 00 DB 00
00401342 00 DB 00
00401343 00 DB 00
00401344 00 DB 00
00401345 00 DB 00
00401346 00 DB 00
00401347 00 DB 00
00401348 00 DB 00
00401349 00 DB 00
0040134A 00 DB 00
0040134B 00 DB 00
0040134C 00 DB 00
0040134D 00 DB 00
0040134E 00 DB 00
0040134F 00 DB 00
00401350 00 DB 00
00401351 00 DB 00
00401352 00 DB 00
00401353 00 DB 00
00401354 00 DB 00
00401355 00 DB 00
00401356 00 DB 00
00401357 00 DB 00
00401358 00 DB 00
00401359 00 DB 00
0040135A 00 DB 00
0040135B 00 DB 00
0040135C 00 DB 00
0040135D 00 DB 00
0040135E 00 DB 00
0040135F 00 DB 00
00401360 00 DB 00
00401361 00 DB 00
00401362 00 DB 00
00401363 00 DB 00
00401364 00 DB 00
00401365 00 DB 00
00401366 00 DB 00
00401367 00 DB 00
00401368 00 DB 00
00401369 00 DB 00
0040136A 00 DB 00
0040136B 00 DB 00
0040136C 00 DB 00
0040136D 00 DB 00
0040136E 00 DB 00
0040136F 00 DB 00
00401370 00 DB 00
00401371 00 DB 00
00401372 00 DB 00
00401373 00 DB 00
00401374 00 DB 00
00401375 00 DB 00
00401376 00 DB 00
00401377 00 DB 00
00401378 00 DB 00
00401379 00 DB 00
0040137A 00 DB 00
0040137B 00 DB 00
0040137C 00 DB 00
0040137D 00 DB 00
0040137E 00 DB 00
0040137F 00 DB 00
00401380 00 DB 00
00401381 00 DB 00
00401382 00 DB 00
00401383 00 DB 00
00401384 00 DB 00
00401385 00 DB 00
00401386 00 DB 00
00401387 00 DB 00
00401388 00 DB 00
00401389 00 DB 00
0040138A 00 DB 00
0040138B 00 DB 00
0040138C 00 DB 00
0040138D 00 DB 00
0040138E 00 DB 00
0040138F 00 DB 00
00401390 00 DB 00
00401391 00 DB 00
00401392 00 DB 00
00401393 00 DB 00
00401394 00 DB 00
00401395 00 DB 00
00401396 00 DB 00
00401397 00 DB 00
00401398 00 DB 00
00401399 00 DB 00
0040139A 00 DB 00
0040139B 00 DB 00
0040139C 00 DB 00
0040139D 00 DB 00
0040139E 00 DB 00
0040139F 00 DB 00
004013A0 00 DB 00
004013A1 00 DB 00
004013A2 00 DB 00
004013A3 00 DB 00
004013A4 00 DB 00
004013A5 00 DB 00
004013A6 00 DB 00
004013A7 00 DB 00
004013A8 00 DB 00
004013A9 00 DB 00
004013AA 00 DB 00
004013AB 00 DB 00
004013AC 00 DB 00
004013AD 00 DB 00
004013AE 00 DB 00
004013AF 00 DB 00
004013B0 00 DB 00
004013B1 00 DB 00
004013B2 00 DB 00
004013B3 00 DB 00
004013B4 00 DB 00
004013B5 00 DB 00
004013B6 00 DB 00
004013B7 00 DB 00
004013B8 00 DB 00
004013B9 00 DB 00
004013BA 00 DB 00
004013BB 00 DB 00
004013BC 00 DB 00
004013BD 00 DB 00
004013BE 00 DB 00
004013BF 00 DB 00
004013C0 00 DB 00
004013C1 00 DB 00
004013C2 00 DB 00
004013C3 00 DB 00
004013C4 00 DB 00
004013C5 00 DB 00
004013C6 00 DB 00
004013C7 00 DB 00
004013C8 00 DB 00
004013C9 00 DB 00
004013CA 00 DB 00
004013CB 00 DB 00
004013CC 00 DB 00
004013CD 00 DB 00
004013CE 00 DB 00
004013CF 00 DB 00
004013D0 00 DB 00
004013D1 00 DB 00
004013D2 00 DB 00
004013D3 00 DB 00
004013D4 00 DB 00
004013D5 00 DB 00
004013D6 00 DB 00
004013D7 00 DB 00
004013D8 00 DB 00
004013D9 00 DB 00
004013DA 00 DB 00
004013DB 00 DB 00
004013DC 00 DB 00
004013DD 00 DB 00
004013DE 00 DB 00
004013DF 00 DB 00
004013E0 00 DB 00
004013E1 00 DB 00
004013E2 00 DB 00
004013E3 00 DB 00
004013E4 00 DB 00
004013E5 00 DB 00
004013E6 00 DB 00
004013E7 00 DB 00
004013E8 00 DB 00
004013E9 00 DB 00
004013EA 00 DB 00
004013EB 00 DB 00
004013EC 00 DB 00
004013ED 00 DB 00
004013EE 00 DB 00
004013EF 00 DB 00
004013F0 00 DB 00
004013F1 00 DB 00
004013F2 00 DB 00
004013F3 00 DB 00
004013F4 00 DB 00
004013F5 00 DB 00
004013F6 00 DB 00
004013F7 00 DB 00
004013F8 00 DB 00
004013F9 00 DB 00
004013FA 00 DB 00
004013FB 00 DB 00
004013FC 00 DB 00
004013FD 00 DB 00
004013FE 00 DB 00
004013FF 00 DB 00
00401400 00 DB 00
00401401 00 DB 00
00401402 00 DB 00
00401403 00 DB 00
00401404 00 DB 00
00401405 00 DB 00
00401406 00 DB 00
00401407 00 DB 00
00401408 00 DB 00
00401409 00 DB 00
0040140A 00 DB 00
0040140B 00 DB 00
修改后的代码是这样的:
004011C1 . 55 PUSH EBP ; patched WndProc: same frame and arguments as the original (hWnd=[EBP+8], uMsg=[EBP+C], wParam=[EBP+10], lParam=[EBP+14]); the WM_COMMAND test and the WM_CREATE control creation are redirected into the code cave
004011C2 . 8BEC MOV EBP,ESP
004011C4 . 81C4 E4FEFFFF ADD ESP,-11C
004011CA . 817D 0C 110100>CMP DWORD PTR SS:[EBP+C],111 ; uMsg == WM_COMMAND?
004011D1 . 75 1D JNZ SHORT reme2_By.004011F0
004011D3 . E9 E7010000 JMP reme2_By.004013BF ; the 10-byte CMP/JNZ pair that was here is replaced by this 5-byte JMP to the added dispatcher at 004013BF plus five NOPs
004011D8 > 90 NOP ; the dispatcher jumps back here (JE 004011D8 at 004013C3) when wParam == 3 (Exit)
004011D9 . 90 NOP
004011DA . 90 NOP
004011DB . 90 NOP
004011DC . 90 NOP
004011DD . 6A 00 PUSH 0 ; /lParam = 0
004011DF . 6A 00 PUSH 0 ; |wParam = 0
004011E1 . 6A 10 PUSH 10 ; |Message = WM_CLOSE
004011E3 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004011E6 . E8 25010000 CALL <JMP.&USER32.SendMessageA> ; \SendMessageA -- Exit button: close the main window (unchanged)
004011EB . E9 B9000000 JMP reme2_By.004012A9
004011F0 > 837D 0C 01 CMP DWORD PTR SS:[EBP+C],1 ; uMsg == WM_CREATE?
004011F4 . 75 7E JNZ SHORT reme2_By.00401274 ; the first CreateWindowEx below (originally the STATIC task text) is repurposed as the Check button
004011F6 . 6A 00 PUSH 0 ; /lParam = NULL
004011F8 . FF35 20314000 PUSH DWORD PTR DS:[403120] ; |hInst = NULL
004011FE . 6A 05 PUSH 5 ; |hMenu = 00000005 // control id 5 = the Check button; the dispatcher at 004013C9 compares wParam with 5
00401200 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent
00401203 . 6A 16 PUSH 16 ; |Height = 16 (22.) -- 2-byte PUSH imm8 in place of the original 5-byte PUSH imm32, hence the three NOPs
00401205 . 90 NOP ; |
00401206 . 90 NOP ; |
00401207 . 90 NOP ; |
00401208 . 6A 32 PUSH 32 ; |Width = 32 (50.) -- same 2-byte-plus-NOPs substitution
0040120A . 90 NOP ; |
0040120B . 90 NOP ; |
0040120C . 90 NOP ; |
0040120D . 6A 10 PUSH 10 ; |Y = 10 (16.)
0040120F . 6A 3C PUSH 3C ; |X = 3C (60.)
00401211 . 68 00000050 PUSH 50000000 ; |Style = WS_CHILD|WS_VISIBLE
00401216 . 68 3F134000 PUSH reme2_By.0040133F ; |WindowName = "Cleck" -- caption string placed in the code cave at 0040133F (sic: "Cleck")
0040121B . 68 F2304000 PUSH reme2_By.004030F2 ; |Class = "BUTTON" -- was "STATIC"
00401220 . 6A 00 PUSH 0 ; |ExtStyle = 0
00401222 . E8 AD000000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA -- Check button; its handle in EAX is not stored
00401227 . 6A 00 PUSH 0 ; /lParam = NULL
00401229 . FF35 20314000 PUSH DWORD PTR DS:[403120] ; |hInst = NULL
0040122F . 6A 03 PUSH 3 ; |hMenu = 00000003 -- Exit button, unchanged id
00401231 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent
00401234 . 6A 16 PUSH 16 ; |Height = 16 (22.) -- resized from 28
00401236 . 6A 32 PUSH 32 ; |Width = 32 (50.) -- resized from 50
00401238 . 6A 3C PUSH 3C ; |Y = 3C (60.)
0040123A . 6A 3C PUSH 3C ; |X = 3C (60.)
0040123C . 68 01100050 PUSH 50001001 ; |Style = WS_CHILD|WS_VISIBLE|1001
00401241 . 68 F9304000 PUSH reme2_By.004030F9 ; |WindowName = "Exit"
00401246 . 68 F2304000 PUSH reme2_By.004030F2 ; |Class = "BUTTON"
0040124B . 6A 08 PUSH 8 ; |ExtStyle = WS_EX_TOPMOST
0040124D . E8 82000000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
00401252 . E9 FD000000 JMP reme2_By.00401354 ; replaces MOV [40313C],EAX (also 5 bytes) with a JMP into the cave at 00401354, which re-executes that MOV and creates the two edits
00401257 > 85C0 TEST EAX,EAX ; return point of the cave code (PUSH 401257 / RETN at 004013B9); EAX then holds the second edit's handle, not the Exit button's, so this test no longer checks the button; the eight PUSHAD dwords pushed at 00401359 are still on the stack until LEAVE at 004012BA
00401259 . 75 17 JNZ SHORT reme2_By.00401272
0040125B . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040125D . 68 00304000 PUSH reme2_By.00403000 ; |Title = "ParaBytes ReverseMe 2"
00401262 . 68 16304000 PUSH reme2_By.00403016 ; |Text = "Your Task is To Make 2 Edits and button,
when the button is pressed, it should check
if the name is yours, and the serial is 31337"
00401267 . FF35 38314000 PUSH DWORD PTR DS:[403138] ; |hOwner = NULL
0040126D . E8 8C000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401272 > EB 35 JMP SHORT reme2_By.004012A9
00401274 > 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10 ; uMsg == WM_CLOSE? (unchanged from here on)
00401278 . 75 19 JNZ SHORT reme2_By.00401293
0040127A . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040127C . 68 00304000 PUSH reme2_By.00403000 ; |Title = "ParaBytes ReverseMe 2"
00401281 . 68 A2304000 PUSH reme2_By.004030A2 ; |Text = "Thanks to Crudd and SantMat for helpin me so much and made this ReMe working ;)"
00401286 . FF35 38314000 PUSH DWORD PTR DS:[403138] ; |hOwner = NULL
0040128C . E8 6D000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401291 . EB 16 JMP SHORT reme2_By.004012A9
00401293 > 837D 0C 02 CMP DWORD PTR SS:[EBP+C],2 ; uMsg == WM_DESTROY?
00401297 . 75 10 JNZ SHORT reme2_By.004012A9
00401299 . 6A 00 PUSH 0 ; /ExitCode = 0
0040129B . E8 64000000 CALL <JMP.&USER32.PostQuitMessage> ; \PostQuitMessage
004012A0 . B8 00000000 MOV EAX,0
004012A5 . C9 LEAVE
004012A6 . C2 1000 RETN 10
004012A9 > FF75 14 PUSH DWORD PTR SS:[EBP+14] ; /lParam -- default path: DefWindowProcA; the cave code also jumps here
004012AC . FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |wParam
004012AF . FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Message
004012B2 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012B5 . E8 20000000 CALL <JMP.&USER32.DefWindowProcA> ; \DefWindowProcA
004012BA . C9 LEAVE ; restores ESP from EBP, which is what discards the PUSHAD leftovers from the cave code
004012BB . C2 1000 RETN 10
004012BE /$ 55 PUSH EBP ; helper(a=[EBP+8], b=[EBP+C]) -> EAX = (b >> 1) - (a >> 1); unchanged by the patch; stdcall, two args (RETN 8); caller not visible in this excerpt
004012BF |. 8BEC MOV EBP,ESP
004012C1 |. D16D 0C SHR DWORD PTR SS:[EBP+C],1 ; b /= 2 (unsigned), in place on the stack
004012C4 |. D16D 08 SHR DWORD PTR SS:[EBP+8],1 ; a /= 2
004012C7 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004012CA |. 2945 0C SUB DWORD PTR SS:[EBP+C],EAX ; b/2 - a/2
004012CD |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; result in EAX
004012D0 |. C9 LEAVE
004012D1 \. C2 0800 RETN 8
004012D4 $-FF25 3C204000 JMP DWORD PTR DS:[<&USER32.CreateWindowE>; USER32.CreateWindowExA -- original import thunks, unchanged; the cave code calls CreateWindowExA and MessageBoxA directly through the IAT slots instead of via these stubs
004012DA $-FF25 10204000 JMP DWORD PTR DS:[<&USER32.DefWindowProc>; USER32.DefWindowProcA
004012E0 $-FF25 24204000 JMP DWORD PTR DS:[<&USER32.DispatchMessa>; USER32.DispatchMessageA
004012E6 $-FF25 28204000 JMP DWORD PTR DS:[<&USER32.GetMessageA>] ; USER32.GetMessageA
004012EC $-FF25 14204000 JMP DWORD PTR DS:[<&USER32.GetSystemMetr>; USER32.GetSystemMetrics
004012F2 $-FF25 18204000 JMP DWORD PTR DS:[<&USER32.LoadCursorA>] ; USER32.LoadCursorA
004012F8 $-FF25 1C204000 JMP DWORD PTR DS:[<&USER32.LoadIconA>] ; USER32.LoadIconA
004012FE $-FF25 20204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
00401304 $-FF25 40204000 JMP DWORD PTR DS:[<&USER32.PostQuitMessa>; USER32.PostQuitMessage
0040130A $-FF25 44204000 JMP DWORD PTR DS:[<&USER32.RegisterClass>; USER32.RegisterClassExA
00401310 $-FF25 2C204000 JMP DWORD PTR DS:[<&USER32.SendMessageA>>; USER32.SendMessageA
00401316 $-FF25 30204000 JMP DWORD PTR DS:[<&USER32.ShowWindow>] ; USER32.ShowWindow
0040131C $-FF25 34204000 JMP DWORD PTR DS:[<&USER32.TranslateMess>; USER32.TranslateMessage
00401322 $-FF25 38204000 JMP DWORD PTR DS:[<&USER32.UpdateWindow>>; USER32.UpdateWindow
00401328 .-FF25 08204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>; KERNEL32.ExitProcess
0040132E $-FF25 04204000 JMP DWORD PTR DS:[<&KERNEL32.GetCommandL>; KERNEL32.GetCommandLineA
00401334 $-FF25 00204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleHa>; KERNEL32.GetModuleHandleA -- the new imports (VirtualAlloc, GetWindowTextA) have no stubs here; they are reached through the IAT slots at 0040601C / 00406040 added with LordPE
0040133A . 00000000 DD 00000000 ; handle slot for the serial edit (written at 004013B4, read at 0040140D); NOTE(review): this and 0040134B live in the code section, so the stores assume that section was made writable -- confirm the section characteristics
0040133E 00 DB 00
0040133F . 43 6C 65 63 6B>ASCII "Cleck",0 ; caption of the added button (sic: "Cleck"; runtime data, referenced from 00401216)
00401345 00 DB 00
00401346 . 45 44 49 54 00>ASCII "EDIT",0 ; window class name for both edit controls (referenced from 00401379 and 004013A7)
0040134B . 00000000 DD 00000000 ; handle slot for the name edit (written at 00401386, read at 004013EB)
0040134F 00 DB 00 ; padding up to the code entry at 00401354
00401350 00 DB 00
00401351 00 DB 00
00401352 00 DB 00
00401353 00 DB 00
00401354 > A3 3C314000 MOV DWORD PTR DS:[40313C],EAX ; cave entry from the JMP at 00401252: re-executes the displaced MOV, saving the Exit button handle in [40313C]; runs inside WndProc's frame, so [EBP+8] is still hWnd
00401359 . 60 PUSHAD ; saves all eight general registers; there is no matching POPAD -- the eight dwords stay on the stack until LEAVE at 004012BA restores ESP from EBP, and nothing below restores the registers
0040135A . 6A 00 PUSH 0 ; /lParam = NULL
0040135C . FF35 20314000 PUSH DWORD PTR DS:[403120] ; |hInst = NULL
00401362 . 6A 00 PUSH 0 ; |hMenu = NULL -- no control id; the edits are only ever located through the saved handles
00401364 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent = the main window
00401367 . 6A 16 PUSH 16 ; |Height = 16 (22.)
00401369 . 6A 60 PUSH 60 ; |Width = 60 (96.)
0040136B . 90 NOP ; | -- the three NOPs appear to be leftover padding from an edit of the PUSH above
0040136C . 90 NOP ; |
0040136D . 90 NOP ; |
0040136E . 6A 10 PUSH 10 ; |Y = 10 (16.) -- first row, next to the Check button
00401370 . 6A 7F PUSH 7F ; |X = 7F (127.)
00401372 . 68 00000050 PUSH 50000000 ; |Style = WS_CHILD|WS_VISIBLE -- no WS_TABSTOP, unlike the second edit
00401377 . 6A 00 PUSH 0 ; |WindowName = NULL
00401379 . 68 46134000 PUSH reme2_By.00401346 ; |Class = "EDIT"
0040137E . 6A 00 PUSH 0 ; |ExtStyle = 0
00401380 . FF15 3C204000 CALL DWORD PTR DS:[<&USER32.CreateWindow>; \CreateWindowExA -- called through the IAT slot directly, not via the thunk at 004012D4
00401386 . A3 4B134000 MOV DWORD PTR DS:[40134B],EAX ; save the name edit's handle in [40134B]; NOTE(review): the slot is inside the code section, so this store assumes that section is writable -- confirm the section flags
0040138B . 6A 00 PUSH 0 ; /lParam = NULL
0040138D . FF35 20314000 PUSH DWORD PTR DS:[403120] ; |hInst = NULL
00401393 . 6A 00 PUSH 0 ; |hMenu = NULL
00401395 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent
00401398 . 6A 16 PUSH 16 ; |Height = 16 (22.)
0040139A . 6A 60 PUSH 60 ; |Width = 60 (96.)
0040139C . 6A 3C PUSH 3C ; |Y = 3C (60.) -- second row, next to the Exit button
0040139E . 6A 7F PUSH 7F ; |X = 7F (127.)
004013A0 . 68 00000150 PUSH 50010000 ; |Style = WS_CHILD|WS_TABSTOP|WS_VISIBLE
004013A5 . 6A 00 PUSH 0 ; |WindowName = NULL
004013A7 . 68 46134000 PUSH reme2_By.00401346 ; |Class = "EDIT"
004013AC . 6A 00 PUSH 0 ; |ExtStyle = 0
004013AE . FF15 3C204000 CALL DWORD PTR DS:[<&USER32.CreateWindow>; \CreateWindowExA
004013B4 . A3 3A134000 MOV DWORD PTR DS:[40133A],EAX ; save the serial edit's handle in [40133A] (same writable-section assumption)
004013B9 . 68 57124000 PUSH reme2_By.00401257 ; return to the instruction after the patched JMP; neither CreateWindowExA result is checked here, and EAX (the serial edit handle) is what TEST EAX,EAX at 00401257 will see
004013BE . C3 RETN ; RET used as a jump to 00401257
004013BF > 837D 10 03 CMP DWORD PTR SS:[EBP+10],3 ; WM_COMMAND dispatcher (reached from the patched 004011D3, still in WndProc's frame): wParam == 3 -> the Exit button
004013C3 .^0F84 0FFEFFFF JE reme2_By.004011D8 ; back to the original WM_CLOSE path
004013C9 . 837D 10 05 CMP DWORD PTR SS:[EBP+10],5 ; wParam == 5 -> the Check button
004013CD . 74 06 JE SHORT reme2_By.004013D5 ; yes: run the check below
004013CF .^E9 D5FEFFFF JMP reme2_By.004012A9 ; anything else -> DefWindowProc
004013D4 90 NOP
004013D5 > 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE -- buffer 1 (name); VirtualAlloc commits whole pages, so the 0x20 requested below really maps 4 KiB
004013D7 . 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT
004013DC . 6A 20 PUSH 20 ; |Size = 20 (32.)
004013DE . 6A 00 PUSH 0 ; |Address = NULL
004013E0 . FF15 1C604000 CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc -- result not checked for NULL; a failure would pass a NULL buffer to GetWindowTextA
004013E6 . 8BF8 MOV EDI,EAX ; EDI = buffer 1 (name text); EDI, ESI and EBX are callee-saved in the Win32 ABI and this path overwrites them without saving or restoring
004013E8 . 6A 64 PUSH 64 ; /Count = 64 (100.) -- NOTE(review): 100 exceeds the 0x20 bytes requested from VirtualAlloc; it only works because of page rounding, so use one constant for both sizes
004013EA . 57 PUSH EDI ; |Buffer
004013EB . FF35 4B134000 PUSH DWORD PTR DS:[40134B] ; |hWnd = NULL -- the name edit's handle saved at 00401386
004013F1 . FF15 40604000 CALL DWORD PTR DS:[406040] ; \GetWindowTextA -- through the IAT slot added with LordPE
004013F7 . 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE -- buffer 2 (serial)
004013F9 . 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT
004013FE . 6A 20 PUSH 20 ; |Size = 20 (32.)
00401400 . 6A 00 PUSH 0 ; |Address = NULL
00401402 . FF15 1C604000 CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc
00401408 . 8BF0 MOV ESI,EAX ; ESI = buffer 2 (serial text)
0040140A . 6A 64 PUSH 64 ; /Count = 64 (100.) -- same size mismatch as above
0040140C . 56 PUSH ESI ; |Buffer
0040140D . FF35 3A134000 PUSH DWORD PTR DS:[40133A] ; |hWnd = NULL -- the serial edit's handle saved at 004013B4
00401413 . FF15 40604000 CALL DWORD PTR DS:[406040] ; \GetWindowTextA
00401419 . 8BDE MOV EBX,ESI ; EBX = buffer 2, kept while ESI is reused as the CMPS source
0040141B . 33C0 XOR EAX,EAX ; EAX is not read again on this path
0040141D B9 08000000 MOV ECX,8 ; compare 8 bytes: "lnn1123" plus its terminator (DF assumed clear, as the Win32 ABI guarantees on entry to a window procedure)
00401422 . BE 48144000 MOV ESI,reme2_By.00401448 ; ASCII "lnn1123" -- expected name
00401427 . F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:> ; ECX = bytes left; only ZF says whether the last compared byte matched
00401429 . 8BD1 MOV EDX,ECX ; keep the residual count of the name compare
0040142B . 8BFB MOV EDI,EBX ; EDI = buffer 2 (serial text)
0040142D . BE 7E144000 MOV ESI,reme2_By.0040147E ; ASCII "31337" -- expected serial
00401432 . B9 06000000 MOV ECX,6 ; 6 bytes: "31337" plus its terminator
00401437 . F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
00401439 . 09D1 OR ECX,EDX ; both residual counts zero? NOTE(review): the count is also 0 when only the final byte (the terminator) differs, so text that merely starts with the expected value passes; test ZF with JNE right after each REPE CMPS instead
0040143B . 74 23 JE SHORT reme2_By.00401460 ; success -> message box
0040143D .^E9 67FEFFFF JMP reme2_By.004012A9 ; failure -> DefWindowProc, silently; neither path frees the two VirtualAlloc buffers (no VirtualFree anywhere in the cave), so every click leaks two pages
00401442 90 NOP
00401443 90 NOP
00401444 90 NOP
00401445 90 NOP
00401446 90 NOP
00401447 90 NOP
00401448 . 6C 6E 6E 31 31>ASCII "lnn1123",0 ; expected name, also used as title and text of the success box
00401450 00 DB 00
00401451 00 DB 00
00401452 00 DB 00
00401453 00 DB 00
00401454 00 DB 00
00401455 00 DB 00
00401456 00 DB 00
00401457 00 DB 00
00401458 90 NOP
00401459 90 NOP
0040145A 90 NOP
0040145B 90 NOP
0040145C . C2 2100 RETN 21 ; stray bytes inside the data area; no reference to 0040145C is visible in this listing
0040145F 00 DB 00
00401460 > 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL -- success: MessageBoxA("lnn1123", "lnn1123")
00401462 . 68 48144000 PUSH reme2_By.00401448 ; |Title = "lnn1123"
00401467 . 68 48144000 PUSH reme2_By.00401448 ; |Text = "lnn1123"
0040146C . FF35 38314000 PUSH DWORD PTR DS:[403138] ; |hOwner = NULL -- the main window handle saved at 004010F2
00401472 . FF15 20204000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
00401478 .^E9 2CFEFFFF JMP reme2_By.004012A9 ; back into WndProc's default path (LEAVE there cleans the frame)
0040147D 00 DB 00
0040147E . 33 31 33 33 37>ASCII "31337",0 ; expected serial
这样修改后就完成了这个ReVerseMe
修改后的ReVerseMe