-
-
[小技巧]如何中断Themida的MessageBox对话框
-
发表于: 2006-5-10 10:03
-
运行无key的Themida会跳出如下的对话框:
图一
这个对话框是调用MessageBox函数显示的,但你用MessageBox下断是拦不住的,因为外壳将MessageBox函数代码搬到自己的地址空间执行了。
感兴趣的可以看看这个实例:http://bbs.pediy.com/showthread.php?s=&threadid=23721
对策:
在这用Themida1.3.3.0为例演示一下。
先用OD加载Themida,运行,直到出现图一那个对话框。这里最终调用MessageBoxExW显示对话框的,在OD里查看MessageBoxExW函数:
77D50538 USER32.MessageBoxExW 8BFF mov edi, edi
77D5053A 55 push ebp
77D5053B 8BEC mov ebp, esp
77D5053D 6A FF push -1
77D5053F FF75 18 push dword ptr [ebp+18]
77D50542 FF75 14 push dword ptr [ebp+14]
77D50545 FF75 10 push dword ptr [ebp+10]
77D50548 FF75 0C push dword ptr [ebp+C]
77D5054B FF75 08 push dword ptr [ebp+8]
77D5054E E8 EE590100 call MessageBoxTimeoutW
77D50553 5D pop ebp
77D50554 C2 1400 retn 14
用二进制复制,将MessageBoxExW 开始一段的机器码复制出来:8B FF 55 8B EC 6A FF FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08
在OD里按Alt+M打开内存窗口,查找刚才复制出来的机器码:
找到的数据:
013FF938 8B FF 55 8B EC 6A FF FF 75 18 FF 75 14 FF 75 10 ?U?j?u??
013FF948 FF 75 0C FF 75 08 E8 EE 59 01 00 5D C2 14 00 90 ?.?桀Y.]?.
然后在反汇编窗口跳到013FF938代码处:
013FF938 8BFF mov edi, edi
013FF93A 55 push ebp
013FF93B 8BEC mov ebp, esp
013FF93D 6A FF push -1
013FF93F FF75 18 push dword ptr [ebp+18]
013FF942 FF75 14 push dword ptr [ebp+14]
013FF945 FF75 10 push dword ptr [ebp+10]
013FF948 FF75 0C push dword ptr [ebp+C]
013FF94B FF75 08 push dword ptr [ebp+8]
013FF94E E8 EE590100 call 01415341
013FF953 5D pop ebp
013FF954 C2 1400 retn 14
013FF957 90 nop
013FF958 90 nop
013FF959 90 nop
013FF95A 90 nop
013FF95B 90 nop
013FF95C 8BFF mov edi, edi
013FF95E 55 push ebp
013FF95F 8BEC mov ebp, esp
013FF961 6A FF push -1
013FF963 FF75 18 push dword ptr [ebp+18]
013FF966 FF75 14 push dword ptr [ebp+14]
013FF969 FF75 10 push dword ptr [ebp+10]
013FF96C FF75 0C push dword ptr [ebp+C]
013FF96F FF75 08 push dword ptr [ebp+8]
013FF972 E8 4D5A0100 call 014153C4 //这里显示图1的窗口
013FF977 5D pop ebp //这里下断就可断下
013FF978 C2 1400 retn 14
在013FF977处下断,单击图一对话框的OK后,就能中断。
http://www.pediy.com
2006.5.10
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
支持!~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
最初由 heXer 发布  原来heXer也不知道啊,学习
|
|
|
|
|
|
|
|
|
|
|
|
File 'F:\Downloads\BlazeL1K.1.3.0.Release\BlazeL1K.exe'
New process with ID 00000A4C created 004EC014 Main thread with ID 00000CB8 created 00400000 Module F:\Downloads\BlazeL1K.1.3.0.Release\BlazeL1K.exe 00401000 Code size in header is 00081000, extending to size of section ' ' CRC changed, discarding .udd data 71710000 Module C:\WINNT\system32\COMCTL32.dll 77DF0000 Module C:\WINNT\system32\USER32.dll 77E60000 Module C:\WINNT\system32\KERNEL32.dll 77F40000 Module C:\WINNT\system32\GDI32.dll 77F80000 Module C:\WINNT\system32\ntdll.dll 786F0000 Module C:\WINNT\system32\RPCRT4.DLL 796D0000 Module C:\WINNT\system32\ADVAPI32.dll 77FA144B System startup breakpoint 004EC014 Program entry point 0068FE63 Illegal instruction 0068FFE6 Privileged instruction 00690821 Access violation when reading [FFFFFFFF] 0069910D Hardware breakpoint 1 at BlazeL1K.0069910D eax = 00699243 [esp] = FEC8742A ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E6F79F | KERNEL32.OutputDebugStringA [esp] = 00699191 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E6F79F | KERNEL32.OutputDebugStringA [esp] = 0069B95E ----------------- 77E8BBF3 Debug string: ------------------------------------------------ --- Themida Professional --- --- (c)2006 Oreans Technologies --- ------------------------------------------------ 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E14197 | USER32.MessageBoxExA [esp] = 0069B99A ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7C1AB | KERNEL32.CreateFileA [esp] = 0069B9A4 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E693EF | KERNEL32.DeviceIoControl [esp] = 0069B9AE ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BA9B | KERNEL32.TerminateThread [esp] = 0069BDF8 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E845 | KERNEL32.VirtualAlloc [esp] = 0069C1F3 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8B7BE | KERNEL32.CreateThread [esp] = 0069C3B9 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8A203 | KERNEL32.Sleep [esp] = 0069C499 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BB51 | KERNEL32.SuspendThread [esp] = 0069C598 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BB03 | KERNEL32.GetCurrentThreadId [esp] = 0069C63C ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E878C1 | KERNEL32.GetCurrentProcessId [esp] = 0069C6FA ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8B8AB | KERNEL32.SetThreadPriority [esp] = 0069CD1A ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BB0D | KERNEL32.GetThreadContext [esp] = 0069CDD4 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E69723 | KERNEL32.SetEvent [esp] = 0069CED6 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E6B3CC | KERNEL32.WaitForSingleObject [esp] = 0069CFC3 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E898A0 | KERNEL32.CreateEventA [esp] = 0069D093 ----------------- 75E00000 Module C:\WINNT\system32\IMM32.DLL 77530000 Module C:\WINNT\system32\winmm.dll 77E6B700 New thread with ID 00000CE4 created 77E6B700 New thread with ID 00000D08 created 77E6B700 New thread with ID 00000C0C created 77E6B700 New thread with ID 00000C6C created 77E6B700 New thread with ID 00000C28 created 77E6B700 New thread with ID 00000BF4 created 77E6B700 New thread with ID 00000BF0 created 77E6B700 New thread with ID 00000A94 created 77E6B700 New thread with ID 00000D8C created 77E6B700 New thread with ID 00000CF0 created 77E6B700 New thread with ID 00000B2C created 77E6B700 New thread with ID 00000CD0 created 77E6B700 New thread with ID 00000A3C created 77E6B700 New thread with ID 00000D20 created 77E6B700 New thread with ID 00000B7C created 77E6B700 New thread with ID 00000D90 created 77E6B700 New thread with ID 000009A8 created 77E6B700 New thread with ID 00000B94 created 77E6B700 New thread with ID 00000CF8 created 77E6B700 New thread with ID 00000CB0 created 77E6B700 New thread with ID 00000C14 created 77E6B700 New thread with ID 00000D98 created 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E87143 | KERNEL32.SetEnvironmentVariableA [esp] = 006B582A ----------------- 77E6B700 New thread with ID 00000658 created 77E6B700 New thread with ID 00000B20 created 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E845 | KERNEL32.VirtualAlloc [esp] = 006BAC54 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E80ACE | KERNEL32.GetModuleHandleA [esp] = 006BAC74 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E80C5F | KERNEL32.GetProcAddress [esp] = 006BAC94 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E85F | KERNEL32.VirtualFree [esp] = 006BACB4 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E80D02 | KERNEL32.GetVersionExA [esp] = 006BC907 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E6F5A3 | KERNEL32.IsDebuggerPresent [esp] = 006BC91B ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E139A4 | USER32.FindWindowA [esp] = 006BF555 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E139A4 | USER32.FindWindowA [esp] = 006C1646 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E801D5 | KERNEL32.LoadLibraryA [esp] = 006C1A9D ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E80C5F | KERNEL32.GetProcAddress [esp] = 006C1ACD ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E80CD1 | KERNEL32.GetVersion [esp] = 006C586A ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E845 | KERNEL32.VirtualAlloc [esp] = 006C587E ----------------- 76AF0000 Module C:\WINNT\system32\comdlg32.dll 772A0000 Module C:\WINNT\system32\SHLWAPI.DLL 78000000 Module C:\WINNT\system32\msvcrt.dll 78F90000 Module C:\WINNT\system32\SHELL32.DLL 777C0000 Module C:\WINNT\system32\WINSPOOL.DRV 79B20000 Module C:\WINNT\system32\MPR.DLL 75280000 Module C:\WINNT\system32\oledlg.dll 77A30000 Module C:\WINNT\system32\OLE32.DLL 68E90000 Module C:\WINNT\system32\OLEPRO32.DLL 77990000 Module C:\WINNT\system32\OLEAUT32.dll 74FD0000 Module C:\WINNT\system32\WSOCK32.dll 74FB0000 Module C:\WINNT\system32\WS2_32.DLL 0069F374 Access violation when reading [FFFFFFFF] 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BB2F | KERNEL32.SetThreadContext [esp] = 006C70E6 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BB77 | KERNEL32.ResumeThread [esp] = 006C70F0 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E6EC18 | KERNEL32.GetLocalTime [esp] = 006C84FE ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E845 | KERNEL32.VirtualAlloc [esp] = 006C7BDE ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E956 | KERNEL32.VirtualProtect [esp] = 006CABD2 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E845 | KERNEL32.VirtualAlloc [esp] = 006CC81D ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E85F | KERNEL32.VirtualFree [esp] = 006CC89A ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E845 | KERNEL32.VirtualAlloc [esp] = 006CCAF2 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E85F | KERNEL32.VirtualFree [esp] = 006CCB72 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E845 | KERNEL32.VirtualAlloc [esp] = 006D98FF ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E86972 | KERNEL32.ExitProcess [esp] = 006D993D ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8B7BE | KERNEL32.CreateThread [esp] = 006D995D ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BA9B | KERNEL32.TerminateThread [esp] = 006D997D ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8B99D | KERNEL32.ExitThread [esp] = 006D999D ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77F89103 | ntdll.RtlEnterCriticalSection [esp] = 006D9A0F ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77F89134 | ntdll.RtlLeaveCriticalSection [esp] = 006D9A2F ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E76168 | KERNEL32.ReadFile [esp] = 006D9A4F ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E00214 | USER32.wsprintfA [esp] = 006D9A6F ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E8BB9D | KERNEL32.RaiseException [esp] = 006D9A8F ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E85F | KERNEL32.VirtualFree [esp] = 006D9AAF ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E80A10 | KERNEL32.GetModuleFileNameA [esp] = 006D9ACF ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E80C5F | KERNEL32.GetProcAddress [esp] = 006D9AEF ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E85F | KERNEL32.VirtualFree [esp] = 006C7D1B | ASCII "RPh" ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E956 | KERNEL32.VirtualProtect [esp] = 006E2B3F ----------------- 0069F374 Access violation when reading [FFFFFFFF] 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E87D06 | KERNEL32.GetPriorityClass [esp] = 006E4914 ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E87C75 | KERNEL32.SetPriorityClass [esp] = 006E49DD ----------------- 005E0316 Breakpoint at BlazeL1K.005E0316 eax = 77E7E956 | KERNEL32.VirtualProtect [esp] = 006E4BC1 ----------------- 74FA0000 Module C:\WINNT\system32\WS2HELP.DLL 6DD30000 Module C:\WINNT\system32\INDICDLL.dll 0069F374 Access violation when reading [FFFFFFFF] 0069F374 Access violation when reading [FFFFFFFF] themida调用api过程和大概调用地址 
|
|
|
|
|
|
学习了!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
学习
|
|
|
学习了
|
|
|
怎么不加点小花呢
|
|
|
|
|
|
|
|
|
|
