Hi everyone. I've recently been working on cracking a keygen and couldn't find the OEP breakpoint location. The program is as follows:
-----------------------------------
Checking with PEiD, the packer is SoftSentry 2.11 -> 20/20 Software
Opening the software in OD, it stops here:
0042AE90 > 55 PUSH EBP
0042AE91 8BEC MOV EBP,ESP
0042AE93 83EC 64 SUB ESP,64
0042AE96 53 PUSH EBX
0042AE97 56 PUSH ESI
0042AE98 57 PUSH EDI
0042AE99 E9 50000000 JMP password.0042AEEE
0042AE9E 0000 ADD BYTE PTR DS:[EAX],AL
0042AEA0 90 NOP
0042AEA1 AE SCAS BYTE PTR ES:[EDI]
0042AEA2 0200 ADD AL,BYTE PTR DS:[EAX]
0042AEA4 0000 ADD BYTE PTR DS:[EAX],AL
0042AEA6 40 INC EAX
0042AEA7 0070 00 ADD BYTE PTR DS:[EAX],DH
0042AEAA 805401 00 66 ADC BYTE PTR DS:[ECX+EAX],66
0042AEAF 3D 0100663D CMP EAX,3D660001
0042AEB4 0100 ADD DWORD PTR DS:[EAX],EAX
0042AEB6 66:3D 0100 CMP AX,1
0042AEBA 66:3D 0100 CMP AX,1
0042AEBE 66:3D 0100 CMP AX,1
0042AEC2 66:3D 0100 CMP AX,1
0042AEC6 66:3D 0100 CMP AX,1
0042AECA 66:3D 0100 CMP AX,1
0042AECE 66:3D 0100 CMP AX,1
0042AED2 66:3D 0100 CMP AX,1
0042AED6 66:3D 0100 CMP AX,1
0042AEDA 66:3D 0100 CMP AX,1
0042AEDE 66:3D 0100 CMP AX,1
0042AEE2 66:3D 0100 CMP AX,1
0042AEE6 66:3D 0100 CMP AX,1
0042AEEA 66:3D 0100 CMP AX,1
0042AEEE C745 E8 0000000>MOV DWORD PTR SS:[EBP-18],0
0042AEF5 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0042AEF8 50 PUSH EAX
0042AEF9 FF15 0C444300 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; kernel32.GetStartupInfoA
0042AEFF F645 E8 01 TEST BYTE PTR SS:[EBP-18],1
0042AF03 0F84 10000000 JE password.0042AF19
0042AF09 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0042AF0C 25 FFFF0000 AND EAX,0FFFF
0042AF11 8945 14 MOV DWORD PTR SS:[EBP+14],EAX
0042AF14 E9 07000000 JMP password.0042AF20
0042AF19 C745 14 0A00000>MOV DWORD PTR SS:[EBP+14],0A
0042AF20 6A 00 PUSH 0
0042AF22 FF15 14444300 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleA
0042AF28 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
0042AF2B C745 0C 0000000>MOV DWORD PTR SS:[EBP+C],0
0042AF32 FF15 F8434300 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; kernel32.GetCommandLineA
0042AF38 8945 10 MOV DWORD PTR SS:[EBP+10],EAX
0042AF3B 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042AF3E 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
0042AF41 66:C705 B801430>MOV WORD PTR DS:[4301B8],0
0042AF4A 66:C705 423C430>MOV WORD PTR DS:[433C42],0
0042AF53 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
0042AF57 0F85 17000000 JNZ password.0042AF74
0042AF5D 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0042AF60 E8 8B0E0000 CALL password.0042BDF0
0042AF65 85C0 TEST EAX,EAX
0042AF67 0F85 07000000 JNZ password.0042AF74
0042AF6D 33C0 XOR EAX,EAX
0042AF6F E9 C8030000 JMP password.0042B33C
0042AF74 68 04010000 PUSH 104
0042AF79 68 703A4300 PUSH password.00433A70
0042AF7E 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042AF81 50 PUSH EAX
0042AF82 FF15 FC434300 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
0042AF88 85C0 TEST EAX,EAX
0042AF8A 0F85 07000000 JNZ password.0042AF97
0042AF90 33C0 XOR EAX,EAX
0042AF92 E9 A5030000 JMP password.0042B33C
0042AF97 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0042AF9A 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0042AF9D E8 9E0E0000 CALL password.0042BE40
0042AFA2 85C0 TEST EAX,EAX
0042AFA4 0F85 1B000000 JNZ password.0042AFC5
0042AFAA 6A 00 PUSH 0
0042AFAC 68 B8004300 PUSH password.004300B8
0042AFB1 68 14024300 PUSH password.00430214 ; ASCII "InitInstance FALSE"
0042AFB6 6A 00 PUSH 0
0042AFB8 FF15 98444300 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; USER32.MessageBoxA
0042AFBE 33C0 XOR EAX,EAX
0042AFC0 E9 77030000 JMP password.0042B33C
0042AFC5 C745 B0 0100000>MOV DWORD PTR SS:[EBP-50],1
0042AFCC 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
0042AFCF A3 D0394300 MOV DWORD PTR DS:[4339D0],EAX
0042AFD4 BA 503A4300 MOV EDX,password.00433A50
0042AFD9 8D0D B1394300 LEA ECX,DWORD PTR DS:[4339B1]
0042AFDF E8 CC2B0000 CALL password.0042DBB0
0042AFE4 E8 F72B0000 CALL password.0042DBE0
0042AFE9 85C0 TEST EAX,EAX
0042AFEB 0F84 18000000 JE password.0042B009
0042AFF1 66:C705 B801430>MOV WORD PTR DS:[4301B8],1
0042AFFA C705 68014300 0>MOV DWORD PTR DS:[430168],1
0042B004 E9 9A020000 JMP password.0042B2A3
0042B009 B9 01000000 MOV ECX,1
0042B00E E8 7D2A0000 CALL password.0042DA90
0042B013 33C0 XOR EAX,EAX
0042B015 66:A1 423C4300 MOV AX,WORD PTR DS:[433C42]
0042B01B F6C4 C0 TEST AH,0C0
0042B01E 0F85 2E000000 JNZ password.0042B052
0042B024 33C0 XOR EAX,EAX
0042B026 66:A1 423C4300 MOV AX,WORD PTR DS:[433C42]
0042B02C F6C4 10 TEST AH,10
0042B02F 0F84 1D000000 JE password.0042B052
0042B035 6A 00 PUSH 0
0042B037 68 03800000 PUSH 8003
0042B03C 68 11010000 PUSH 111
0042B041 A1 903B4300 MOV EAX,DWORD PTR DS:[433B90]
0042B046 50 PUSH EAX
0042B047 FF15 A8444300 CALL DWORD PTR DS:[<&USER32.SendMessageA>; USER32.SendMessageA
0042B04D E9 05000000 JMP password.0042B057
0042B052 E8 19060000 CALL password.0042B670
0042B057 833D 70014300 0>CMP DWORD PTR DS:[430170],0
0042B05E 0F84 16000000 JE password.0042B07A
0042B064 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
0042B067 E8 442C0000 CALL password.0042DCB0
0042B06C 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
0042B06F 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
0042B072 E8 F92C0000 CALL password.0042DD70
0042B077 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
0042B07A 837D B0 01 CMP DWORD PTR SS:[EBP-50],1
0042B07E 0F85 27000000 JNZ password.0042B0AB
0042B084 33C0 XOR EAX,EAX
0042B086 66:A1 B8014300 MOV AX,WORD PTR DS:[4301B8]
0042B08C 85C0 TEST EAX,EAX
0042B08E 0F84 17000000 JE password.0042B0AB
0042B094 33C0 XOR EAX,EAX
0042B096 66:A1 AF394300 MOV AX,WORD PTR DS:[4339AF]
0042B09C 85C0 TEST EAX,EAX
0042B09E 0F84 07000000 JE password.0042B0AB
0042B0A4 66:FF0D AF39430>DEC WORD PTR DS:[4339AF]
0042B0AB 837D B0 01 CMP DWORD PTR SS:[EBP-50],1
0042B0AF 0F85 0C010000 JNZ password.0042B1C1
0042B0B5 33C0 XOR EAX,EAX
0042B0B7 66:A1 B8014300 MOV AX,WORD PTR DS:[4301B8]
0042B0BD 85C0 TEST EAX,EAX
0042B0BF 0F84 FC000000 JE password.0042B1C1
0042B0C5 33C0 XOR EAX,EAX
0042B0C7 66:A1 7C014300 MOV AX,WORD PTR DS:[43017C]
0042B0CD A8 02 TEST AL,2
0042B0CF 0F85 1E000000 JNZ password.0042B0F3
0042B0D5 833D 78014300 0>CMP DWORD PTR DS:[430178],0
0042B0DC 0F84 11000000 JE password.0042B0F3
0042B0E2 33C0 XOR EAX,EAX
0042B0E4 66:A1 7C014300 MOV AX,WORD PTR DS:[43017C]
0042B0EA 83C8 02 OR EAX,2
0042B0ED 66:A3 7C014300 MOV WORD PTR DS:[43017C],AX
0042B0F3 33C0 XOR EAX,EAX
0042B0F5 66:A1 7C014300 MOV AX,WORD PTR DS:[43017C]
0042B0FB A8 02 TEST AL,2
0042B0FD 0F84 2F000000 JE password.0042B132
0042B103 E8 38310000 CALL password.0042E240
0042B108 66:A3 B8014300 MOV WORD PTR DS:[4301B8],AX
0042B10E 33C0 XOR EAX,EAX
0042B110 66:A1 B8014300 MOV AX,WORD PTR DS:[4301B8]
0042B116 85C0 TEST EAX,EAX
0042B118 0F85 14000000 JNZ password.0042B132
0042B11E 6A 00 PUSH 0
0042B120 68 B8004300 PUSH password.004300B8
0042B125 68 04024300 PUSH password.00430204 ; ASCII "Server is full!"
0042B12A 6A 00 PUSH 0
0042B12C FF15 98444300 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; USER32.MessageBoxA
0042B132 33C0 XOR EAX,EAX
0042B134 66:A1 7C014300 MOV AX,WORD PTR DS:[43017C]
0042B13A A8 01 TEST AL,1
0042B13C 0F85 7F000000 JNZ password.0042B1C1
0042B142 833D 74014300 0>CMP DWORD PTR DS:[430174],0
0042B149 0F84 35000000 JE password.0042B184
0042B14F 0FBF05 C1394300 MOVSX EAX,WORD PTR DS:[4339C1]
0042B156 85C0 TEST EAX,EAX
0042B158 0F8C 26000000 JL password.0042B184
0042B15E 0FBF05 C1394300 MOVSX EAX,WORD PTR DS:[4339C1]
0042B165 C1E0 02 SHL EAX,2
0042B168 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2]
0042B16B 8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
0042B16E 8B0D 4C3C4300 MOV ECX,DWORD PTR DS:[433C4C]
0042B174 33D2 XOR EDX,EDX
0042B176 66:8B5408 28 MOV DX,WORD PTR DS:[EAX+ECX+28]
0042B17B F6C2 08 TEST DL,8
0042B17E 0F85 2C000000 JNZ password.0042B1B0
0042B184 833D 74014300 0>CMP DWORD PTR DS:[430174],0
0042B18B 0F84 30000000 JE password.0042B1C1
0042B191 0FBF05 C1394300 MOVSX EAX,WORD PTR DS:[4339C1]
0042B198 85C0 TEST EAX,EAX
0042B19A 0F8D 21000000 JGE password.0042B1C1
0042B1A0 33C0 XOR EAX,EAX
0042B1A2 66:A1 543C4300 MOV AX,WORD PTR DS:[433C54]
0042B1A8 A8 08 TEST AL,8
0042B1AA 0F84 11000000 JE password.0042B1C1
0042B1B0 33C0 XOR EAX,EAX
0042B1B2 66:A1 7C014300 MOV AX,WORD PTR DS:[43017C]
0042B1B8 83C8 01 OR EAX,1
0042B1BB 66:A3 7C014300 MOV WORD PTR DS:[43017C],AX
0042B1C1 33C0 XOR EAX,EAX
0042B1C3 66:A1 7C014300 MOV AX,WORD PTR DS:[43017C]
0042B1C9 85C0 TEST EAX,EAX
0042B1CB 0F84 D2000000 JE password.0042B2A3
0042B1D1 837D B0 01 CMP DWORD PTR SS:[EBP-50],1
0042B1D5 0F85 C8000000 JNZ password.0042B2A3
0042B1DB 33C0 XOR EAX,EAX
0042B1DD 66:A1 B8014300 MOV AX,WORD PTR DS:[4301B8]
0042B1E3 85C0 TEST EAX,EAX
0042B1E5 0F84 B8000000 JE password.0042B2A3
0042B1EB 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0042B1EE 50 PUSH EAX
0042B1EF BA 803B4300 MOV EDX,password.00433B80
0042B1F4 8D0D B1394300 LEA ECX,DWORD PTR DS:[4339B1]
0042B1FA E8 41390000 CALL password.0042EB40
0042B1FF B9 50394300 MOV ECX,password.00433950
0042B204 83C1 61 ADD ECX,61
0042B207 8B10 MOV EDX,DWORD PTR DS:[EAX]
0042B209 8911 MOV DWORD PTR DS:[ECX],EDX
0042B20B 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
0042B20E 8951 04 MOV DWORD PTR DS:[ECX+4],EDX
0042B211 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0042B214 8951 08 MOV DWORD PTR DS:[ECX+8],EDX
0042B217 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
0042B21A 8941 0C MOV DWORD PTR DS:[ECX+C],EAX
0042B21D E8 0E240000 CALL password.0042D630
0042B222 85C0 TEST EAX,EAX
0042B224 0F85 0F000000 JNZ password.0042B239
0042B22A BA FC014300 MOV EDX,password.004301FC ; ASCII "0201"
0042B22F B9 E0014300 MOV ECX,password.004301E0 ; ASCII "Error in saving message!"
0042B234 E8 B7330000 CALL password.0042E5F0
0042B239 BA 503A4300 MOV EDX,password.00433A50
0042B23E 8D0D B1394300 LEA ECX,DWORD PTR DS:[4339B1]
0042B244 E8 67290000 CALL password.0042DBB0
0042B249 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0042B24C E8 9F2E0000 CALL password.0042E0F0
0042B251 85C0 TEST EAX,EAX
0042B253 0F84 28000000 JE password.0042B281
0042B259 E8 122E0000 CALL password.0042E070
0042B25E 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
0042B261 6A 00 PUSH 0
0042B263 6A 00 PUSH 0
0042B265 6A 10 PUSH 10
0042B267 A1 903B4300 MOV EAX,DWORD PTR DS:[433B90]
0042B26C 50 PUSH EAX
0042B26D FF15 A8444300 CALL DWORD PTR DS:[<&USER32.SendMessageA>; USER32.SendMessageA
0042B273 66:C705 B801430>MOV WORD PTR DS:[4301B8],0
0042B27C E9 22000000 JMP password.0042B2A3
0042B281 C745 B0 0000000>MOV DWORD PTR SS:[EBP-50],0
0042B288 66:C705 B801430>MOV WORD PTR DS:[4301B8],0
0042B291 6A 00 PUSH 0
0042B293 6A 00 PUSH 0
0042B295 6A 10 PUSH 10
0042B297 A1 903B4300 MOV EAX,DWORD PTR DS:[433B90]
0042B29C 50 PUSH EAX
0042B29D FF15 A8444300 CALL DWORD PTR DS:[<&USER32.SendMessageA>; USER32.SendMessageA
0042B2A3 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
0042B2A6 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0042B2A9 E8 12010000 CALL password.0042B3C0
0042B2AE 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
0042B2B1 6A 00 PUSH 0
0042B2B3 6A 00 PUSH 0
0042B2B5 6A 10 PUSH 10
0042B2B7 A1 903B4300 MOV EAX,DWORD PTR DS:[433B90]
0042B2BC 50 PUSH EAX
0042B2BD FF15 A8444300 CALL DWORD PTR DS:[<&USER32.SendMessageA>; USER32.SendMessageA
0042B2C3 833D 80014300 0>CMP DWORD PTR DS:[430180],2
0042B2CA 0F84 48000000 JE password.0042B318
0042B2D0 837D B0 01 CMP DWORD PTR SS:[EBP-50],1
0042B2D4 0F85 3E000000 JNZ password.0042B318
0042B2DA 33C0 XOR EAX,EAX
0042B2DC 66:A1 B8014300 MOV AX,WORD PTR DS:[4301B8]
0042B2E2 85C0 TEST EAX,EAX
0042B2E4 0F84 2E000000 JE password.0042B318
0042B2EA 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042B2ED 50 PUSH EAX
0042B2EE 68 A8014300 PUSH password.004301A8 ; ASCII "sSENTRYWndClass"
0042B2F3 FF15 68444300 CALL DWORD PTR DS:[<&USER32.UnregisterCl>; USER32.UnregisterClassA
0042B2F9 33C0 XOR EAX,EAX
0042B2FB 66:A1 BC014300 MOV AX,WORD PTR DS:[4301BC]
0042B301 85C0 TEST EAX,EAX
0042B303 0F84 0F000000 JE password.0042B318
0042B309 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
0042B30C 50 PUSH EAX
0042B30D 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0042B310 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48]
0042B313 E8 38000000 CALL password.0042B350
0042B318 837D AC 00 CMP DWORD PTR SS:[EBP-54],0
0042B31C 0F84 08000000 JE password.0042B32A
0042B322 8B4D AC MOV ECX,DWORD PTR SS:[EBP-54]
0042B325 E8 B6320000 CALL password.0042E5E0
0042B32A 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
0042B32D 50 PUSH EAX
0042B32E FF15 00444300 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; kernel32.ExitProcess
0042B334 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
0042B337 E9 00000000 JMP password.0042B33C
0042B33C 5F POP EDI
0042B33D 5E POP ESI
0042B33E 5B POP EBX
0042B33F C9 LEAVE
0042B340 C2 1000 RETN 10
0042B343 CC INT3
0042B344 CC INT3
0042B345 CC INT3
0042B346 CC INT3
0042B347 CC INT3
0042B348 CC INT3
0042B349 CC INT3
0042B34A CC INT3
0042B34B CC INT3
0042B34C CC INT3
0042B34D CC INT3
0042B34E CC INT3
0042B34F CC INT3
0042B350 56 PUSH ESI
0042B351 57 PUSH EDI
----------------------------
Pressing F8 steps to here: 0042B067 E8 442C0000 CALL password.0042DCB0
The program starts up. In OD there is no PUSHAD like the 看雪 (Pediy) posts describe? And I can't find a POPAD at all.
Asking the experts for help with the analysis!
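One check worth running on a dump like the one above before hunting for the PUSHAD/POPAD pair: parse the OllyDbg listing text itself, scan the mnemonic column (not the raw bytes) for PUSHAD/POPAD, pull out every branch target and imported API call, and verify the E9 rel32 arithmetic so you know which listed lines are real code and which are skipped data. This is an added example, not code from the original post or from any tool it mentions; it assumes the listing is plain OllyDbg text in the format pasted above (address, opcode bytes, disassembly, optional "; comment") and that the module is named password as in the dump. The sample listing inside the script is constructed from a handful of the lines above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines copied in the OllyDbg listing format the post
# uses (address, opcode bytes, disassembly, optional "; comment").
SAMPLE_LISTING = """\
0042AE90 > 55 PUSH EBP
0042AE91 8BEC MOV EBP,ESP
0042AE99 E9 50000000 JMP password.0042AEEE
0042AE9E 0000 ADD BYTE PTR DS:[EAX],AL
0042AEEE C745 E8 0000000>MOV DWORD PTR SS:[EBP-18],0
0042AEF9 FF15 0C444300 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; kernel32.GetStartupInfoA
0042AF03 0F84 10000000 JE password.0042AF19
0042AF60 E8 8B0E0000 CALL password.0042BDF0
0042B204 83C1 61 ADD ECX,61
"""


@dataclass
class Row:
    addr: int
    text: str
    branch: Optional[Tuple[str, int]]  # (mnemonic, target) for JMP/Jcc/CALL to a code address
    api: Optional[str]                 # "dll.Export" from OD's trailing comment, if any
    frame_op: Optional[str]            # "PUSHAD" / "POPAD" when the mnemonic is one of them


ADDR_RE = re.compile(r"^([0-9A-Fa-f]{8})\b")
# Branches that OD resolves to "module.ADDRESS" (module name is whatever OD shows, e.g. "password").
BRANCH_RE = re.compile(r"\b(JMP|JE|JZ|JNE|JNZ|JL|JGE|JB|JA|CALL)\s+[A-Za-z_]\w*\.([0-9A-Fa-f]{8})\b")
API_RE = re.compile(r";\s*([A-Za-z0-9_]+\.[A-Za-z0-9_]+)\s*$")
# Match the mnemonic column only: a raw scan for bytes 0x60/0x61 would also hit
# immediates such as "83C1 61 ADD ECX,61".
FRAME_RE = re.compile(r"\b(PUSHAD|POPAD)\b")


def parse_listing(text: str) -> List[Row]:
    """Turn OllyDbg listing text into Row objects; non-listing lines are ignored."""
    rows: List[Row] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ADDR_RE.match(line)
        if not m:
            continue  # separators, prose, blank lines
        b = BRANCH_RE.search(line)
        a = API_RE.search(line)
        f = FRAME_RE.search(line)
        rows.append(Row(
            addr=int(m.group(1), 16),
            text=line,
            branch=(b.group(1).upper(), int(b.group(2), 16)) if b else None,
            api=a.group(1) if a else None,
            frame_op=f.group(1) if f else None,
        ))
    return rows


def find_pushad_popad(rows: List[Row]) -> List[Tuple[int, str]]:
    """Addresses of PUSHAD/POPAD instructions (the usual ESP-trick anchors)."""
    return [(r.addr, r.frame_op) for r in rows if r.frame_op]


def branch_targets(rows: List[Row]) -> Dict[int, Tuple[str, int]]:
    """Map of branch instruction address -> (mnemonic, resolved target)."""
    return {r.addr: r.branch for r in rows if r.branch}


def api_calls(rows: List[Row]) -> List[Tuple[int, str]]:
    """Imported API calls OD annotated in its trailing comment."""
    return [(r.addr, r.api) for r in rows if r.api]


def rel32_target(insn_addr: int, insn_len: int, rel_bytes: bytes) -> int:
    """Target of a rel32 branch: next-instruction address plus the signed displacement."""
    rel = int.from_bytes(rel_bytes, "little", signed=True)
    return (insn_addr + insn_len + rel) & 0xFFFFFFFF


def skipped_by_jump(rows: List[Row], jmp_addr: int) -> List[int]:
    """Listed addresses strictly between a forward JMP and its target: never executed on that path."""
    tgt = branch_targets(rows).get(jmp_addr)
    if not tgt or tgt[0] != "JMP" or tgt[1] <= jmp_addr:
        raise ValueError("not a forward unconditional jump")
    return [r.addr for r in rows if jmp_addr < r.addr < tgt[1]]


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    print("PUSHAD/POPAD:", find_pushad_popad(rows))
    print("branches:", {hex(k): (m, hex(t)) for k, (m, t) in branch_targets(rows).items()})
    print("APIs:", api_calls(rows))
    print("skipped by JMP at 0042AE99:", [hex(a) for a in skipped_by_jump(rows, 0x0042AE99)])
    print("E9 50000000 @ 0042AE99 ->", hex(rel32_target(0x0042AE99, 5, bytes.fromhex("50000000"))))
```

Run against the full dump above, the scanner reports no PUSHAD or POPAD anywhere in the listed range, confirms that the JMP at 0042AE99 lands on 0042AEEE (0042AE9E + 0x50) so the lines 0042AE9E to 0042AEEA are skipped bytes rather than code, and lists the GetStartupInfoA / GetModuleHandleA / GetCommandLineA / GetModuleFileNameA sequence that follows. That API sequence is ordinary C-runtime-style startup code rather than a packer stub, which is consistent with the post's observation that no PUSHAD is visible at this location.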