首先確定連線的 IP：用 OD（OllyDbg）載入程式，搜尋 ASCII 字串，找到 IP 字串所在的位址，得知 IP 為 211.72.255.6。
字串被引用的位置在 00404D43（從 00404D29 起的程式碼可以看出：先以 time() 播種 srand()，再呼叫 rand()，依結果的奇偶數決定推入哪個寫死的 IP，偶數推 211.72.255.6、奇數推 211.72.255.7），然後從這裡逆向回溯。
找出呼叫 Call 00404CB0 的地方：在 00404CB0 上按右鍵 -> Go to（前往）-> 看資訊窗上顯示，此 Call 來自 00426E33。
00404CB0 /$ 6A FF push -1
00404CB2 |. 68 9A324300 push srobot.0043329A ; SE ?理程序安砚
00404CB7 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00404CBD |. 50 push eax
00404CBE |. 64:8925 00000000 mov dword ptr fs:[0],esp
00404CC5 |. 51 push ecx
00404CC6 |. 56 push esi
00404CC7 |. 8BF1 mov esi,ecx
00404CC9 |. 8B8E C8B41401 mov ecx,dword ptr ds:[esi+114B4C8]
00404CCF |. 41 inc ecx
00404CD0 |. 68 91200600 push 62091
00404CD5 |. 898E C8B41401 mov dword ptr ds:[esi+114B4C8],ecx
00404CDB |. E8 FAD60200 call srobot.004323DA
00404CE0 |. 83C4 04 add esp,4
00404CE3 |. 894424 04 mov dword ptr ss:[esp+4],eax
00404CE7 |. 85C0 test eax,eax
00404CE9 |. C74424 10 00000000 mov dword ptr ss:[esp+10],0
00404CF1 |. 74 09 je short srobot.00404CFC
00404CF3 |. 8BC8 mov ecx,eax
00404CF5 |. E8 56D90000 call srobot.00412650
00404CFA |. EB 02 jmp short srobot.00404CFE
00404CFC |> 33C0 xor eax,eax
00404CFE |> 6A 00 push 0 ; /timer = NULL
00404D00 |. C74424 14 FFFFFFFF mov dword ptr ss:[esp+14],-1 ; |
00404D08 |. 8986 C4B41401 mov dword ptr ds:[esi+114B4C4],eax ; |
00404D0E |. C786 6E060000 A33D00>mov dword ptr ds:[esi+66E],3DA3 ; |
00404D18 |. 90 nop ; |
00404D19 |. E8 C6CCF67B call MSVCR71.time ; \time
00404D1E |. 50 push eax ; /seed
00404D1F |. 90 nop ; \srand
00404D20 |? E8 B71EF67B call MSVCR71.srand
00404D25 |. 83C4 08 add esp,8
00404D28 |. 90 nop
00404D29 |. E8 BB1EF67B call MSVCR71.rand ; [rand
00404D2E |. 25 01000080 and eax,80000001
00404D33 |. 79 05 jns short srobot.00404D3A
00404D35 |. 48 dec eax
00404D36 |. 83C8 FE or eax,FFFFFFFE
00404D39 |. 40 inc eax
00404D3A |> 75 0E jnz short srobot.00404D4A
00404D3C |. 8B86 6E060000 mov eax,dword ptr ds:[esi+66E]
00404D42 |. 50 push eax
00404D43 |. 68 006D4300 push srobot.00436D00 ; ASCII "211.72.255.6"
00404D48 |. EB 0C jmp short srobot.00404D56
00404D4A |> 8B8E 6E060000 mov ecx,dword ptr ds:[esi+66E]
00404D50 |. 51 push ecx
00404D51 |. 68 F06C4300 push srobot.00436CF0 ; ASCII "211.72.255.7"
接著到 00426E33 所在的函式，列表如下（只列出 00426D42 之後的部分，函式開頭的 prologue 不在列表內）：
00426D42 |. C74424 74 00000000 mov dword ptr ss:[esp+74],0
00426D4A |. E8 2592D27B call MFC71.7C14FF74
00426D4F |? 90 nop
00426D50 |. 6A 04 push 4
00426D52 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00426D56 |. 51 push ecx
00426D57 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00426D5B |. 90 nop
00426D5C |. E8 D520D67B call MFC71.7C188E36
00426D61 |. 68 DC954300 push srobot.004395DC
00426D66 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00426D6A |. C68424 60080000 03 mov byte ptr ss:[esp+860],3
00426D72 |. 90 nop
00426D73 |. E8 36E0D17B call MFC71.7C144DAE
00426D78 |. 85C0 test eax,eax
00426D7A |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00426D7E 75 0C jnz short srobot.00426D8C ; 呃彦一定要跳 不跳就走不到IP的Call了
00426D80 |. E8 481ED37B call MFC71.7C158BCD
00426D85 |? 90 nop
00426D86 |. 50 push eax
00426D87 |. E9 C3020000 jmp srobot.0042704F
00426D8C |> 68 D8954300 push srobot.004395D8 ; ASCII "ok"
00426D91 |. 90 nop
00426D92 |. E8 17E0D17B call MFC71.7C144DAE
00426D97 |. 85C0 test eax,eax
00426D99 |. 0F84 D3020000 je srobot.00427072 ; 呃彦跳就走不到IP的Call了
00426D9F |. 8D73 0F lea esi,dword ptr ds:[ebx+F]
00426DA2 |. 56 push esi
00426DA3 |. 8D5424 1C lea edx,dword ptr ss:[esp+1C]
00426DA7 |. 52 push edx
00426DA8 |. 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00426DAC |. 50 push eax
00426DAD |. E8 7EBCFDFF call srobot.00402A30
00426DB2 |. 68 CC954300 push srobot.004395CC
00426DB7 |. 50 push eax
00426DB8 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00426DBC |. 51 push ecx
00426DBD |. C68424 74080000 04 mov byte ptr ss:[esp+874],4
00426DC5 |. E8 66BCFDFF call srobot.00402A30
00426DCA |. 83C4 18 add esp,18
00426DCD |. 6A 00 push 0
00426DCF |. 8BC8 mov ecx,eax
00426DD1 |. E8 F71DD37B call MFC71.7C158BCD
00426DD6 |? 90 nop
00426DD7 |. 50 push eax
00426DD8 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00426DDC |. E8 2C1FD67B call MFC71.7C188D0D
00426DE1 |? 90 nop
00426DE2 |. 83F8 FF cmp eax,-1
00426DE5 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00426DE9 |. 0F954424 0F setne byte ptr ss:[esp+F]
00426DEE |. 90 nop
00426DEF |. E8 BD03D57B call MFC71.7C1771B1
00426DF4 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00426DF8 |. C68424 5C080000 03 mov byte ptr ss:[esp+85C],3
00426E00 |. 90 nop
00426E01 |? E8 AB03D57B call MFC71.7C1771B1
00426E06 |. 8A4424 0F mov al,byte ptr ss:[esp+F]
00426E0A |. 84C0 test al,al
00426E0C |. 0F84 97010000 je srobot.00426FA9 ; 呃彦跳就走不到IP的Call了
00426E12 |. BE 01000000 mov esi,1
00426E17 |. 8973 08 mov dword ptr ds:[ebx+8],esi
00426E1A |. 8B15 F8164600 mov edx,dword ptr ds:[4616F8]
00426E20 |. C682 EEE63301 01 mov byte ptr ds:[edx+133E6EE],1
00426E27 |. 8B0D F8164600 mov ecx,dword ptr ds:[4616F8]
00426E2D |. 81C1 19E21600 add ecx,16E219
00426E33 |. E8 78DEFDFF call srobot.00404CB0 ; Call IP的位址
00426E38 |. A1 F8164600 mov eax,dword ptr ds:[4616F8]
00426E3D |. 8B48 20 mov ecx,dword ptr ds:[eax+20]
00426E40 |. 6A 00 push 0
00426E42 |. 68 A8610000 push 61A8
00426E47 |. 56 push esi
00426E48 |. 51 push ecx
00426E49 |. 90 nop
00426E4A |? E8 7C936403 call 03A701CB
00426E4F |. 8B8B 39010000 mov ecx,dword ptr ds:[ebx+139]
00426E55 |. 8A53 0E mov dl,byte ptr ds:[ebx+E]
00426E58 |. 8A43 0C mov al,byte ptr ds:[ebx+C]
00426E5B |. 41 inc ecx
00426E5C |. 6A 00 push 0
00426E5E |. 898B 39010000 mov dword ptr ds:[ebx+139],ecx
00426E64 |. 68 CC954300 push srobot.004395CC
00426E69 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00426E6D |. 89B3 41010000 mov dword ptr ds:[ebx+141],esi
00426E73 |. 8893 46010000 mov byte ptr ds:[ebx+146],dl
00426E79 |. 8883 45010000 mov byte ptr ds:[ebx+145],al
00426E7F |. E8 891ED67B call MFC71.7C188D0D
00426E84 |? 90 nop
00426E85 |. 83C0 08 add eax,8
00426E88 |. 50 push eax
00426E89 |. 6A 00 push 0
00426E8B |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00426E8F |. 90 nop
00426E90 |. E8 D326D67B call MFC71.7C189568
00426E95 |. 8BCB mov ecx,ebx
00426E97 |. E8 84FAFFFF call srobot.00426920
00426E9C |. 8BCF mov ecx,edi
00426E9E |. 8BBB 4B010000 mov edi,dword ptr ds:[ebx+14B]
00426EA4 |. 8BD1 mov edx,ecx
00426EA6 |. C1E9 02 shr ecx,2
00426EA9 |. 81C7 38140000 add edi,1438
00426EAF |. 8DB424 60040000 lea esi,dword ptr ss:[esp+460]
00426EB6 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[es>
00426EB8 |. 8BCA mov ecx,edx
00426EBA |. 83E1 03 and ecx,3
00426EBD |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
00426EBF |. 8B83 4B010000 mov eax,dword ptr ds:[ebx+14B]
00426EC5 |. 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
00426EC9 |. 8988 20180000 mov dword ptr ds:[eax+1820],ecx
00426ECF |. 8BCB mov ecx,ebx
00426ED1 |. E8 6AFAFFFF call srobot.00426940
00426ED6 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00426EDA |. E8 D1FBD17B call MFC71.7C146AB0
00426EDF |? 90 nop
00426EE0 |. 85C0 test eax,eax
00426EE2 |. 74 6A je short srobot.00426F4E
00426EE4 |. 8D5424 10 lea edx,dword ptr ss:[esp+10]
00426EE8 |. 52 push edx
00426EE9 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
00426EED |. 68 B8954300 push srobot.004395B8
00426EF2 |. 50 push eax
00426EF3 |. E8 B8B6FEFF call srobot.004125B0
00426EF8 |. 83C4 0C add esp,0C
00426EFB |. 50 push eax
00426EFC |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00426F00 |. C68424 60080000 05 mov byte ptr ss:[esp+860],5
00426F08 |. 90 nop
00426F09 |. E8 07A0D27B call MFC71.7C150F15
00426F0E |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00426F12 |. C68424 5C080000 03 mov byte ptr ss:[esp+85C],3
00426F1A |. 90 nop
00426F1B |? E8 9102D57B call MFC71.7C1771B1
00426F20 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00426F24 |. 90 nop
00426F25 |. E8 A31CD37B call MFC71.7C158BCD
00426F2A |. 8B0D F8164600 mov ecx,dword ptr ds:[4616F8]
00426F30 |. 50 push eax
00426F31 |. 81C1 19E21600 add ecx,16E219
00426F37 |. E8 54B7FDFF call srobot.00402690
00426F3C |. 8B0D F8164600 mov ecx,dword ptr ds:[4616F8]
00426F42 |. 50 push eax
00426F43 |. 81C1 78A71200 add ecx,12A778 ; UNICODE "shdocvw.dll"
00426F49 |. E8 A2BBFDFF call srobot.00402AF0
00426F4E |> 8B0D F8164600 mov ecx,dword ptr ds:[4616F8]
00426F54 |. 8B51 20 mov edx,dword ptr ds:[ecx+20]
00426F57 |. 6A 0B push 0B
00426F59 |. 52 push edx
00426F5A |. E8 0B926403 call 03A7016A
00426F5F |. 90 nop
00426F60 |. A1 F8164600 mov eax,dword ptr ds:[4616F8]
00426F65 |. 8B48 20 mov ecx,dword ptr ds:[eax+20]
00426F68 |. 6A 00 push 0
00426F6A |. 68 00974901 push 1499700
00426F6F |. 6A 0B push 0B
00426F71 |. 51 push ecx
00426F72 |. E8 54926403 call 03A701CB
00426F77 |. 90 nop
00426F78 |. 8BCB mov ecx,ebx
00426F7A |. E8 A1F9FFFF call srobot.00426920
00426F7F |. 8B93 4B010000 mov edx,dword ptr ds:[ebx+14B]
00426F85 |. 8A43 0C mov al,byte ptr ds:[ebx+C]
00426F88 |. 8882 25180000 mov byte ptr ds:[edx+1825],al
00426F8E |. 8B8B 4B010000 mov ecx,dword ptr ds:[ebx+14B]
00426F94 |. 8A53 0D mov dl,byte ptr ds:[ebx+D]
00426F97 |. 8891 24180000 mov byte ptr ds:[ecx+1824],dl
00426F9D |. 8BCB mov ecx,ebx
00426F9F |. E8 9CF9FFFF call srobot.00426940
00426FA4 |. E9 C9000000 jmp srobot.00427072
00426FA9 |> 56 push esi
00426FAA |. 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00426FAE |. 50 push eax
00426FAF |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00426FB3 |. 51 push ecx
00426FB4 |. E8 77BAFDFF call srobot.00402A30
00426FB9 |. 68 AC954300 push srobot.004395AC
00426FBE |. 50 push eax
00426FBF |. 8D5424 28 lea edx,dword ptr ss:[esp+28]
00426FC3 |. 52 push edx
00426FC4 |. C68424 74080000 06 mov byte ptr ss:[esp+874],6
00426FCC |. E8 5FBAFDFF call srobot.00402A30
00426FD1 |. 83C4 18 add esp,18
00426FD4 |. 8BC8 mov ecx,eax
00426FD6 |. E8 F21BD37B call MFC71.7C158BCD
00426FDB |. 90 nop
00426FDC |. 50 push eax
00426FDD |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00426FE1 |. 90 nop
00426FE2 |. E8 C7DDD17B call MFC71.7C144DAE
00426FE7 |. F7D8 neg eax
00426FE9 |. 1AC0 sbb al,al
00426FEB |. FEC0 inc al
00426FED |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00426FF1 |. 884424 0F mov byte ptr ss:[esp+F],al
00426FF5 |. E8 B701D57B call MFC71.7C1771B1
00426FFA |. 90 nop
00426FFB |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00426FFF |. C68424 5C080000 03 mov byte ptr ss:[esp+85C],3
00427007 |. E8 A501D57B call MFC71.7C1771B1
0042700C |. 90 nop
0042700D |. 8A4424 0F mov al,byte ptr ss:[esp+F]
00427011 |. 84C0 test al,al
00427013 |. 74 08 je short srobot.0042701D
00427015 |. FF83 39010000 inc dword ptr ds:[ebx+139]
0042701B |. EB 55 jmp short srobot.00427072
0042701D |> 33F6 xor esi,esi
0042701F |. 90 nop
00427020 |> 8B44B4 28 /mov eax,dword ptr ss:[esp+esi*4+28]
00427024 |. 50 |push eax
00427025 |. 8D4C24 14 |lea ecx,dword ptr ss:[esp+14]
00427029 |. 90 |nop
0042702A |. E8 7FDDD17B |call MFC71.7C144DAE
0042702F |. 85C0 |test eax,eax
00427031 |. 74 10 |je short srobot.00427043
00427033 |. 8B44B4 2C |mov eax,dword ptr ss:[esp+esi*4+2C]
00427037 |. 85C0 |test eax,eax
00427039 |. 74 0F |je short srobot.0042704A
0042703B |. 46 |inc esi
0042703C |. 83FE 64 |cmp esi,64
0042703F |.^ 7E DF \jle short srobot.00427020
00427041 |. EB 2F jmp short srobot.00427072
00427043 |> 8B4CB4 28 mov ecx,dword ptr ss:[esp+esi*4+28]
00427047 |. 51 push ecx
00427048 |. EB 05 jmp short srobot.0042704F
0042704A |> 68 84954300 push srobot.00439584
0042704F |> 8B0D F8164600 mov ecx,dword ptr ds:[4616F8]
00427055 |. 81C1 19E21600 add ecx,16E219
0042705B |. E8 30B6FDFF call srobot.00402690
00427060 |. 8B0D F8164600 mov ecx,dword ptr ds:[4616F8]
00427066 |. 81C1 78A71200 add ecx,12A778 ; UNICODE "shdocvw.dll"
0042706C |. 50 push eax
0042706D |. E8 7EBAFDFF call srobot.00402AF0
00427072 |> 8B13 mov edx,dword ptr ds:[ebx]
00427074 |. 8BCB mov ecx,ebx
00427076 |. FF52 18 call dword ptr ds:[edx+18]
00427079 |. 6A 00 push 0
0042707B |. 6A 3F push 3F
0042707D |. 6A 01 push 1
0042707F |. 6A 00 push 0
00427081 |. 8BCB mov ecx,ebx
00427083 |. E8 C0B40000 call srobot.00432548
00427088 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
0042708B |. 50 push eax
0042708C |. 8BCB mov ecx,ebx
0042708E |. C743 08 00000000 mov dword ptr ds:[ebx+8],0
00427095 |. E8 BAB40000 call srobot.00432554
0042709A |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0042709E |. 90 nop
0042709F |. E8 0D01D57B call MFC71.7C1771B1
004270A4 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004270A8 |. 90 nop
004270A9 |? E8 0301D57B call MFC71.7C1771B1
004270AE |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004270B2 |. 90 nop
004270B3 |. E8 F900D57B call MFC71.7C1771B1
004270B8 |> 8B8C24 54080000 mov ecx,dword ptr ss:[esp+854]
004270BF |. 64:890D 00000000 mov dword ptr fs:[0],ecx
004270C6 |. 8B8C24 4C080000 mov ecx,dword ptr ss:[esp+84C]
004270CD |. E8 6CB70000 call srobot.0043283E
004270D2 |. 5F pop edi
004270D3 |. 5E pop esi
004270D4 |. 5B pop ebx
004270D5 |. 8BE5 mov esp,ebp
004270D7 |. 5D pop ebp
004270D8 \. C2 0400 retn 4
結論（修改方式）是：
把 00426D7E 的 75 0C 改為 EB 0C（JNZ 改成無條件 JMP，長度同為 2 個位元組；改完之後 00426D73 那個比較的結果就不再影響流程）
把 00426D99 的 0F84 D3020000 與 00426E0C 的 0F84 97010000 NOP 掉（這兩個 JE 各佔 6 個位元組，要用 6 個 90 填滿，否則後面的指令會錯位）
由於程式是用 Themida 1.0.0.5 加殼的版本，我能力不足，宣告脫殼失敗，所以改用 WinHEX 來修改；也因此每次開外掛都得再用 WinHEX 修改一次，修改不會保留在檔案裡。
就這樣子，看我的成品吧 ^^