Serial Monitor is a powerful serial-port monitoring, detection and analysis tool; it is simple to use and especially suited to developers.
PEiD 0.94 cannot identify what it was written with, but it is definitely not packed. It has a 13-day time limit and a 100-use limit.
Patching the jump did not succeed! Loaded it in OllyDbg, set the system clock forward 14 days, and started tracing...
0043535A > $ 6A 74 PUSH 74 ; (Initial CPU selection)
0043535C . 68 F0864300 PUSH Device_M.004386F0
00435361 . E8 46020000 CALL Device_M.004355AC
00435366 . 33FF XOR EDI,EDI
00435368 . 897D E0 MOV DWORD PTR SS:[EBP-20],EDI
0043536B . 57 PUSH EDI ; /pModule => NULL
0043536C . 8B1D 98814300 MOV EBX,DWORD PTR DS:[<&KERNEL32.GetModu>; |kernel32.GetModuleHandleA
00435372 . FFD3 CALL EBX ; \GetModuleHandleA
00435374 . 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D
00435379 . 75 1F JNZ SHORT Device_M.0043539A
0043537B . 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]
......
--------------------------------------------------------- The patch is below
67E4BA07 |. 8B35 D8A0E567 MOV ESI,DWORD PTR DS:[<&KERNEL32.DeviceI>; |kernel32.DeviceIoControl
67E4BA0D |. 6A 00 PUSH 0 ; |OutBuffer = NULL
67E4BA0F |. 51 PUSH ECX ; |InBufferSize = 86 (134.)
67E4BA10 |. 52 PUSH EDX ; |InBuffer
67E4BA11 |. 68 08201B10 PUSH 101B2008 ; |IoControlCode = 101B2008
67E4BA16 |. 50 PUSH EAX ; |hDevice
67E4BA17 |. FFD6 CALL ESI ; \DeviceIoControl <- this is where the registry is read and compared; it cannot be stepped into because it runs with SYSTEM privileges, and the registry read is also done with SYSTEM privileges
67E4BA19 |. 33C9 XOR ECX,ECX <- execution returns here with the comparison already done, and the usage count has been incremented by 1
67E4BA1B |. 3BC1 CMP EAX,ECX
67E4BA1D 0F85 9D010000 JNZ serlpt.67E4BBC0 <- key jump (if it jumps, the UI opens but cannot monitor the serial port; if it does not jump, an error)
67E4BA23 FF15 D4A0E567 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
67E4BA29 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
67E4BA2B |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C] ; |
67E4BA2E |. 51 PUSH ECX ; |pBytesReturned
67E4BA2F |. 6A 04 PUSH 4 ; |OutBufferSize = 4
67E4BA31 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; |
67E4BA34 |. 52 PUSH EDX ; |OutBuffer
67E4BA35 |. 6A 00 PUSH 0 ; |InBufferSize = 0
67E4BA37 |. 6A 00 PUSH 0 ; |InBuffer = NULL
67E4BA39 |. 8BF0 MOV ESI,EAX ; |
67E4BA3B |. 8B87 8C000000 MOV EAX,DWORD PTR DS:[EDI+8C] ; |
67E4BA41 |. 68 14201B10 PUSH 101B2014 ; |IoControlCode = 101B2014
67E4BA46 |. 50 PUSH EAX ; |hDevice
67E4BA47 |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0 ; |
67E4BA4E |. FF15 D8A0E567 CALL DWORD PTR DS:[<&KERNEL32.DeviceIoCo>; \DeviceIoControl
67E4BA54 |. 83FE 05 CMP ESI,5
67E4BA57 0F85 A4000000 JNZ serlpt.67E4BB01
67E4BA5D |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
67E4BA60 |. 83F8 01 CMP EAX,1
67E4BA63 |. 74 1D JE SHORT serlpt.67E4BA82
67E4BA65 |. 83F8 02 CMP EAX,2
67E4BA68 |. 74 18 JE SHORT serlpt.67E4BA82
67E4BA6A |. 83F8 03 CMP EAX,3
67E4BA6D |. 74 13 JE SHORT serlpt.67E4BA82
67E4BA6F |. 83F8 04 CMP EAX,4
67E4BA72 |. 74 0E JE SHORT serlpt.67E4BA82
67E4BA74 |. 83F8 0C CMP EAX,0C
67E4BA77 |. 74 09 JE SHORT serlpt.67E4BA82
67E4BA79 |. 3BC6 CMP EAX,ESI
67E4BA7B |. 74 05 JE SHORT serlpt.67E4BA82
67E4BA7D |. 83F8 06 CMP EAX,6
67E4BA80 |. 75 7F JNZ SHORT serlpt.67E4BB01
67E4BA82 |> 8B0D 4C30E667 MOV ECX,DWORD PTR DS:[67E6304C] ; serlpt.67E63060
67E4BA88 |. 894D 0C MOV DWORD PTR SS:[EBP+C],ECX
67E4BA8B |. 894D 08 MOV DWORD PTR SS:[EBP+8],ECX
67E4BA8E |. 50 PUSH EAX
67E4BA8F |. 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
67E4BA92 |. 68 FC030000 PUSH 3FC
67E4BA97 |. 51 PUSH ECX
67E4BA98 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
67E4BA9C |. E8 FF59FFFF CALL serlpt.67E414A0
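The two DeviceIoControl calls in the listing pass IoControlCode values 101B2008 and 101B2014, which is the reason the check cannot be followed in a user-mode debugger: the actual work happens in a kernel driver. As an added example that is not part of the original post, the Python script below decodes such codes into the four fields the Windows CTL_CODE macro packs them from (device type, access, function number, method) and extracts them from OllyDbg-style listing lines. The sample listing lines are copied from the disassembly above; the function names are my own, and the "vendor-defined" label relies only on the documented rule that function numbers 0x800 and up are reserved for third parties.

```python
import re

# Field layout of the Windows CTL_CODE macro (winioctl.h):
#   code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHOD_NAMES = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}


def decode_ioctl(code):
    """Unpack a 32-bit I/O control code into the four CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def describe_ioctl(code):
    """Human-readable summary that flags vendor-defined function numbers.

    Microsoft reserves function numbers 0x000-0x7FF for its own drivers;
    0x800-0xFFF are for third-party use, which is the range a custom
    licensing driver would normally pick.
    """
    f = decode_ioctl(code)
    origin = "vendor-defined" if f["function"] >= 0x800 else "Microsoft-reserved"
    return (f"0x{code:08X}: device_type=0x{f['device_type']:04X} "
            f"function=0x{f['function']:03X} ({origin}) "
            f"{METHOD_NAMES[f['method']]} {ACCESS_NAMES[f['access']]}")


# OllyDbg annotates the PUSH of the IOCTL argument as "IoControlCode = <hex>".
IOCTL_RE = re.compile(r"IoControlCode\s*=\s*([0-9A-Fa-f]+)")


def ioctls_from_listing(listing):
    """Collect each distinct IoControlCode from OllyDbg-style listing text,
    in order of first appearance."""
    codes = []
    for line in listing.splitlines():
        m = IOCTL_RE.search(line)
        if m:
            code = int(m.group(1), 16)
            if code not in codes:
                codes.append(code)
    return codes


# Sample input: the DeviceIoControl argument lines from the listing above,
# copied here so the script runs stand-alone.
SAMPLE_LISTING = """\
67E4BA11 |. 68 08201B10 PUSH 101B2008 ; |IoControlCode = 101B2008
67E4BA16 |. 50 PUSH EAX ; |hDevice
67E4BA17 |. FFD6 CALL ESI ; \\DeviceIoControl
67E4BA41 |. 68 14201B10 PUSH 101B2014 ; |IoControlCode = 101B2014
67E4BA46 |. 50 PUSH EAX ; |hDevice
67E4BA4E |. FF15 D8A0E567 CALL DWORD PTR DS:[<&KERNEL32.DeviceIoCo>] ; \\DeviceIoControl
"""

if __name__ == "__main__":
    for ioctl in ioctls_from_listing(SAMPLE_LISTING):
        print(describe_ioctl(ioctl))
```

Both codes decode to device type 0x101B with METHOD_BUFFERED and FILE_ANY_ACCESS; their function numbers 0x802 and 0x805 sit in the third-party range, consistent with a private driver interface rather than a standard Windows device.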