软件名称:FcwApp.exe
软件主页:没有
公司名称:鸿图科技
软件作用:专业生产各种电脑提花商标、木梭商标、钩边商标、提花织带、彩带、标签、印刷商标、洗水唛、挂牌、不干胶贴的专业CAD软件
目的有很诱惑:
爬泰山耍的时候可以包吃住,可以看望abc大牛
作者:qiweixue新年与论坛各个兄弟们混脸熟悉!
来邮件海涵一下:qiweixue666@126.com这东东不提供下载!缘由:
前几天,
大xxx鸟(真实姓名隐去)给我一个程序,能否修复在xp平台运行,他说可以在98,me,2k下运行.拿到
xp就跑不起来,跟踪调试异常一大堆!
这是一个能在
98,me,2k环境下跑的一个CAD提花软件
(软件不提供任何web下载),但是在
xp以上的Window os环境就不行捏厄,是不是软件中的一保护呢,不清楚!
程序目的: 能否修复一下可以跨windows各个平台,比如在xp上跑.假如是DLL过期,比如win98,me,2k的DLL里的服务例程或函数Hint等失效了,恐怕出了微软,无他能修复了.先mark几个主函数和其SEH链子,为分析以后异常栈的展开和异常函数过滤SEH链子用.
用到的所有方法过程我会详细的全部贴出来给大家.
系统运行库注册的栈SEH开始链,位于程序栈最底端,过滤所有的
非非想的异常.
0013FFE0 FFFFFFFF End of SEH chain
0013FFE4 7C8399F3 SE handler修复程序实例注册的栈SEH链,过滤所有Inistance异常.
0013FFB0 0013FFE0 Pointer to next SEH record
0013FFB4 004919B6 SE handler---->异常句柄所指向的代码领空是在要修复的进程中.
00491973 |> \6A 0A push 0A
00491975 |. 58 pop eax
00491976 |> 50 push eax
00491977 |. 56 push esi
00491978 |. 53 push ebx
00491979 |. 53 push ebx
0049197A |. FF15 58EE4C00 call dword ptr [<&KERNEL32.GetModuleHandleA>]
00491980 |. 50 push eax
00491981 |. E8 1A030000 call 00491CA0---------------------->编译器连接的主函数大家很熟悉捏不用全部贴.
00491986 |. 8945 98 mov dword ptr [ebp-68], eax
00491989 |. 50 push eax
0049198A |. FF15 98F74C00 call dword ptr [<&MSVCRT.exit>]
进入
00491CA0 /$ FF7424 10 push dword ptr [esp+10]
00491CA4 |. FF7424 10 push dword ptr [esp+10]
00491CA8 |. FF7424 10 push dword ptr [esp+10]
00491CAC |. FF7424 10 push dword ptr [esp+10]
00491CB0 |. E8 55000000 call <jmp.&MFC42.#1576_AfxWinMain>---------->之后来到AfxWinMain MFC的
app入口函数
00491CB5 \. C2 1000 retn 10
AfxWinMain如下:
73D3CF2B > 8BFF mov edi, edi ------>
AfxWinMain
73D3CF2D 53 push ebx
73D3CF2E 56 push esi
73D3CF2F 57 push edi
73D3CF30 83CB FF or ebx, FFFFFFFF
73D3CF33 E8 CD40FFFF call #1175_AfxGetThread
73D3CF38 8BF0 mov esi, eax
73D3CF3A E8 97B30800 call #1168_AfxGetModuleState
73D3CF3F FF7424 1C push dword ptr [esp+1C]
73D3CF43 8B78 04 mov edi, dword ptr [eax+4]
73D3CF46 FF7424 1C push dword ptr [esp+1C]
73D3CF4A FF7424 1C push dword ptr [esp+1C]
73D3CF4E FF7424 1C push dword ptr [esp+1C]
73D3CF52 E8 C1CC0800 call
#1575_AfxWinInit
73D3CF57 85C0 test eax, eax
73D3CF59 74 3C je short 73D3CF97
73D3CF5B 85FF test edi, edi
73D3CF5D 74 0E je short 73D3CF6D
73D3CF5F 8B07 mov eax, dword ptr [edi]
73D3CF61 8BCF mov ecx, edi
73D3CF63 FF90 8C000000 call dword ptr [eax+8C]----->
&MFC42.#3922_CWinApp::InitApplication
73D3CF69 85C0 test eax, eax
73D3CF6B 74 2A je short 73D3CF97
73D3CF6D 8B06 mov eax, dword ptr [esi]
73D3CF6F 8BCE mov ecx, esi
73D3CF71 FF50 58 call dword ptr [eax+58] -------------->
&MFC42.#3922_CWinApp::InitInstance
73D3CF74 85C0 test eax, eax
73D3CF76 75 16 jnz short 73D3CF8E
73D3CF78 3946 20 cmp dword ptr [esi+20], eax
73D3CF7B 74 08 je short 73D3CF85
73D3CF7D 8B4E 20 mov ecx, dword ptr [esi+20]
73D3CF80 8B01 mov eax, dword ptr [ecx]
73D3CF82 FF50 60 call dword ptr [eax+60]
73D3CF85 8B06 mov eax, dword ptr [esi]
73D3CF87 8BCE mov ecx, esi
73D3CF89 FF50 70 call dword ptr [eax+70]
73D3CF8C EB 07 jmp short 73D3CF95
73D3CF8E 8B06 mov eax, dword ptr [esi]
73D3CF90 8BCE mov ecx, esi
73D3CF92 FF50 5C call dword ptr [eax+5C]
73D3CF95 8BD8 mov ebx, eax
73D3CF97 E8 37B6FFFF call #1577_AfxWinTerm
73D3CF9C 5F pop edi
73D3CF9D 5E pop esi
73D3CF9E 8BC3 mov eax, ebx
73D3CFA0 5B pop ebx
73D3CFA1 C2 1000 retn 10
以上都没有任何异常.而且都完成最基本的SEH异常栈,准备过滤异常.
进入方法:
&MFC42.#3922_CWinApp::InitInstance
十之八九是这个方法里面有异常,程序初始化运行关键所在!
方法
CWinApp::InitInstance的栈展开过滤异常句柄如下:
0012FEF8 0012FFB0 Pointer to next SEH record
0012FEFC 00496F8C SE handler
软件太大等其他原因不准备放出,这里会贴出完整的详细的过程代码
000440C00 > \6A FF push -1
00440C02 . 68 8C6F4900
push 00496F8C ----------->到这里目前是第
三个异常点
00440C07 . 64:A1 0000000>
mov eax, dword ptr fs:[0]
00440C0D . 50
push eax
00440C0E . 64:8925 00000>
mov dword ptr fs:[0], esp
00440C15 . 83EC 28
sub esp, 28
00440C18 . 56 push esi
00440C19 . 57 push edi
00440C1A . 8BF1 mov esi, ecx
00440C1C . 6A 00 push 0
00440C1E . E8 6F060500 call <jmp.&MFC42.#1134_AfxEnableControlContainer>
00440C23 . 83C4 04 add esp, 4
00440C26 . 8D4C24 0C lea ecx, dword ptr [esp+C]
00440C2A . E8 5D060500 call <jmp.&MFC42.#296_CCommandLineInfo::CCommandLineInfo>
00440C2F . 8D4424 0C lea eax, dword ptr [esp+C]
00440C33 . 8BCE mov ecx, esi
00440C35 . 50 push eax
00440C36 . C74424 3C 000>mov dword ptr [esp+3C], 0
00440C3E . E8 43060500 call <jmp.&MFC42.#5214_CWinApp::ParseCommandLine>
00440C43 . 8B4C24 10 mov ecx, dword ptr [esp+10]
00440C47 . 51 push ecx
00440C48 . E8 B218FCFF call 004024FF
00440C4D . 83C4 04 add esp, 4
00440C50 . 8D4C24 0C lea ecx, dword ptr [esp+C]
00440C54 . C74424 38 FFF>mov dword ptr [esp+38], -1
00440C5C . E8 1F060500 call <jmp.&MFC42.#617_CCommandLineInfo::~CCommandLineInfo>
00440C61 . 8BCE mov ecx, esi
00440C63 . E8 12060500 call <jmp.&MFC42.#2621_CWinApp::Enable3dControls>
00440C68 . 6A 00 push 0
00440C6A . 68 C0C0C000 push 0C0C0C0
00440C6F . 8BCE mov ecx, esi
00440C71 . E8 FE050500 call <jmp.&MFC42.#5943_CWinApp::SetDialogBkColor>
00440C76 . 6A 04 push 4
00440C78 . 8BCE mov ecx, esi
00440C7A . E8 EF050500 call <jmp.&MFC42.#4159_CWinApp::LoadStdProfileSettings>
00440C7F . 68 90000000 push 90
00440C84 . E8 63000500 call <jmp.&MFC42.#823_operator new>
00440C89 . 83C4 04 add esp, 4
00440C8C . 894424 08 mov dword ptr [esp+8], eax
00440C90 . 85C0 test eax, eax
00440C92 . C74424 38 010>mov dword ptr [esp+38], 1
00440C9A . 74 1F je short 00440CBB
00440C9C . 8B15 D4F54C00 mov edx, dword ptr [<&MFC42.#1858_CMDIChildWnd::classCMDIChildW>;
00440CA2 . 68 F8F44900 push 0049F4F8
00440CA7 . 52 push edx
00440CA8 . 68 28E84900 push 0049E828
00440CAD . 68 81000000 push 81
00440CB2 . 8BC8 mov ecx, eax
00440CB4 . E8 AF050500 call <jmp.&MFC42.#411_CMultiDocTemplate::CMultiDocTemplate>
00440CB9 . EB 02 jmp short 00440CBD
00440CBB > 33C0 xor eax, eax
00440CBD > 50 push eax
00440CBE . 8BCE mov ecx, esi
00440CC0 . C74424 3C FFF>mov dword ptr [esp+3C], -1
00440CC8 . E8 95050500 call <jmp.&MFC42.#986_CWinApp::AddDocTemplate>
00440CCD . 68 300F0000 push 0F30
00440CD2 . E8 15000500 call <jmp.&MFC42.#823_operator new>
00440CD7 . 83C4 04 add esp, 4
00440CDA . 894424 08 mov dword ptr [esp+8], eax
00440CDE . 85C0 test eax, eax
00440CE0 . C74424 38 020>mov dword ptr [esp+38], 2
00440CE8 . 74 0B je short 00440CF5
00440CEA . 8BC8 mov ecx, eax
00440CEC . E8 A508FCFF call 00401596
00440CF1 . 8BF8 mov edi, eax
00440CF3 . EB 02 jmp short 00440CF7
00440CF5 > 33FF xor edi, edi
00440CF7 > 8B07 mov eax, dword ptr [edi]
00440CF9 . 6A 00 push 0
00440CFB . 6A 00 push 0
00440CFD . 68 0080CF00 push 0CF8000
00440D02 . 68 80000000 push 80
00440D07 . 8BCF mov ecx, edi
00440D09 . C74424 48 FFF>mov dword ptr [esp+48], -1
00440D11 . FF90 C0000000 call dword ptr [eax+C0]
00440D17 . 85C0 test eax, eax
00440D19 . 75 11 jnz short 00440D2C
00440D1B . 5F pop edi
00440D1C . 5E pop esi
00440D1D . 8B4C24 28 mov ecx, dword ptr [esp+28]
00440D21 . 64:890D 00000>mov dword ptr fs:[0], ecx
00440D28 . 83C4 34 add esp, 34
00440D2B . C3 retn
00440D2C > 8BCE mov ecx, esi
00440D2E . 897E 20 mov dword ptr [esi+20], edi
00440D31 . E8 26050500 call <jmp.&MFC42.#2635_CWinApp::EnableShellOpen>
00440D36 . 6A 00 push 0
00440D38 . 8BCE mov ecx, esi
00440D3A . E8 17050500 call <jmp.&MFC42.#5503_CWinApp::RegisterShellFileTypes>
00440D3F . 8B46 74 mov eax, dword ptr [esi+74]
00440D42 . 8038 00 cmp byte ptr [eax], 0
00440D45 . 74 0B je short 00440D52
00440D47 . 8B16 mov edx, dword ptr [esi]
00440D49 . 50 push eax
00440D4A . 8BCE mov ecx, esi
00440D4C . FF92 84000000 call dword ptr [edx+84]
00440D52 > 8B4E 20 mov ecx, dword ptr [esi+20]
00440D55 . 6A 01 push 1
00440D57 . E8 F4040500 call <jmp.&MFC42.#2558_CWnd::DragAcceptFiles>
00440D5C . 6A 03 push 3
00440D5E . 8BCF mov ecx, edi
00440D60 . E8 6D010500 call <jmp.&MFC42.#6215_CWnd::ShowWindow>
00440D65 . 8B47 20 mov eax, dword ptr [edi+20]
00440D68 . 50 push eax
00440D69 . FF15 F0F84C00 call dword ptr [<&USER32.UpdateWindow>]
00440D6F . 8B35 5CF94C00 mov esi, dword ptr [<&USER32.LoadCursorA>]
00440D75 . 68 037F0000 push 7F03
00440D7A . 6A 00 push 0
00440D7C . FFD6 call esi
00440D7E . 68 B8000000 push 0B8
00440D83 . 6A 0C push 0C
00440D85 . 68 B8000000 push 0B8
00440D8A . A3 94F04B00 mov dword ptr [4BF094], eax
00440D8F . E8 B6040500 call <jmp.&MFC42.#1146_AfxFindResourceHandle>
00440D94 . 50 push eax
00440D95 . FFD6 call esi
00440D97 . 8B4C24 30 mov ecx, dword ptr [esp+30]
00440D9B . A3 90F04B00 mov dword ptr [4BF090], eax
00440DA0 . 5F pop edi
00440DA1 . B8 01000000 mov eax, 1
00440DA6 . 5E pop esi
00440DA7 . 64:890D 00000>mov dword ptr fs:[0], ecx
00440DAE . 83C4 34 add esp, 34
00440DB1 . C3 retn
以上信息mark的差不多.
CWinApp::InitInstance的里的方法太多,准备放开OD快马跑!
先把OD取消过滤kernel32,和user32,gui32等系统的库异常.
run一下!
代码所停下的方法:
0048CF30 /$ 83EC 08 sub esp, 8--------------->方法入口
0048CF33 |. 53 push ebx
0048CF34 |. 56 push esi
0048CF35 |. 57 push edi
0048CF36 |. 55 push ebp
0048CF37 |. 66:2BFF sub di, di
0048CF3A |. 66:2BF6 sub si, si
0048CF3D FA cli----------->具体停在这里,程序抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CF3E |. 6A 40 push 40
0048CF40 |. E8 ABF8FFFF call 0048C7F0
0048CF45 |. 884424 13 mov byte ptr [esp+13], al
0048CF49 |. 6A 71 push 71
0048CF4B |. E8 A0F8FFFF call 0048C7F0
0048CF50 |. 884424 12 mov byte ptr [esp+12], al
0048CF54 |. 66:BD 1027 mov bp, 2710
0048CF58 |> 6A 40 /push 40
0048CF5A |. E8 91F8FFFF |call 0048C7F0
0048CF5F |. 8AD8 |mov bl, al
0048CF61 |. 6A 71 |push 71
0048CF63 |. E8 88F8FFFF |call 0048C7F0
0048CF68 |. 3A5C24 13 |cmp bl, byte ptr [esp+13]
0048CF6C |. 74 02 |je short 0048CF70
0048CF6E |. 66:46 |inc si
0048CF70 |> 3A4424 12 |cmp al, byte ptr [esp+12]
0048CF74 |. 74 02 |je short 0048CF78
0048CF76 |. 66:47 |inc di
0048CF78 |> 885C24 13 |mov byte ptr [esp+13], bl
0048CF7C |. 884424 12 |mov byte ptr [esp+12], al
0048CF80 |. 66:4D |dec bp
0048CF82 |.^ 75 D4 \jnz short 0048CF58
0048CF84 FB sti---------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CF85 |. 66:3BFE cmp di, si
0048CF88 |. 76 16 jbe short 0048CFA0
0048CF8A |. 6A 71 push 71
0048CF8C |. E8 5FF8FFFF call 0048C7F0
0048CF91 |. 66:B8 0200 mov ax, 2
0048CF95 |. 5D pop ebp
0048CF96 |. 5F pop edi
0048CF97 |. 5E pop esi
0048CF98 |. 5B pop ebx
0048CF99 |. 83C4 08 add esp, 8
0048CF9C |. C3 retn
0048CF9D | 8D49 00 lea ecx, dword ptr [ecx]
0048CFA0 |> 66:2BFF sub di, di
0048CFA3 |. 66:2BED sub bp, bp
0048CFA6 FA cli---------------------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CFA7 |. 6A 40 push 40
0048CFA9 |. E8 42F8FFFF call 0048C7F0
0048CFAE |. 884424 13 mov byte ptr [esp+13], al
0048CFB2 |. 6A 41 push 41
0048CFB4 |. E8 37F8FFFF call 0048C7F0
0048CFB9 |. 884424 12 mov byte ptr [esp+12], al
0048CFBD |. 66:BE 1027 mov si, 2710
0048CFC1 |> 6A 40 /push 40
0048CFC3 |. E8 28F8FFFF |call 0048C7F0
0048CFC8 |. 8AD8 |mov bl, al
0048CFCA |. 6A 41 |push 41
0048CFCC |. E8 1FF8FFFF |call 0048C7F0
0048CFD1 |. 3A5C24 13 |cmp bl, byte ptr [esp+13]
0048CFD5 |. 74 02 |je short 0048CFD9
0048CFD7 |. 66:45 |inc bp
0048CFD9 |> 3A4424 12 |cmp al, byte ptr [esp+12]
0048CFDD |. 74 02 |je short 0048CFE1
0048CFDF |. 66:47 |inc di
0048CFE1 |> 885C24 13 |mov byte ptr [esp+13], bl
0048CFE5 |. 884424 12 |mov byte ptr [esp+12], al
0048CFE9 |. 66:4E |dec si
0048CFEB |.^ 75 D4 \jnz short 0048CFC1
0048CFED FB sti------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CFEE |. 8BC5 mov eax, ebp
0048CFF0 |. 25 FFFF0000 and eax, 0FFFF
0048CFF5 |. 894424 14 mov dword ptr [esp+14], eax
0048CFF9 |. 8BC7 mov eax, edi
0048CFFB |. 25 FFFF0000 and eax, 0FFFF
0048D000 |. 03C0 add eax, eax
0048D002 |. 3B4424 14 cmp eax, dword ptr [esp+14]
0048D006 |. 7E 0C jle short 0048D014
0048D008 |. 66:B8 0100 mov ax, 1
0048D00C |. 5D pop ebp
0048D00D |. 5F pop edi
0048D00E |. 5E pop esi
0048D00F |. 5B pop ebx
0048D010 |. 83C4 08 add esp, 8
0048D013 |. C3 retn
0048D014 |> 66:2BF6 sub si, si
0048D017 FA cli------------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048D018 |. 6A 52 push 52
0048D01A |. E8 D1F7FFFF call 0048C7F0
0048D01F |. 8AD8 mov bl, al
0048D021 |. 6A 52 push 52
0048D023 |. E8 C8F7FFFF call 0048C7F0
0048D028 |. 66:8BFB mov di, bx
0048D02B |. 81E7 FF00FFFF and edi, FFFF00FF
0048D031 |. 66:C1E7 08 shl di, 8
0048D035 |. 66:25 FF00 and ax, 0FF
0048D039 |. 66:0BF8 or di, ax
0048D03C |. 66:BD 1027 mov bp, 2710
0048D040 |> 6A 52 /push 52
0048D042 |. E8 A9F7FFFF |call 0048C7F0
0048D047 |. 8AD8 |mov bl, al
0048D049 |. 6A 52 |push 52
0048D04B |. E8 A0F7FFFF |call 0048C7F0
0048D050 |. 8ACB |mov cl, bl
0048D052 |. 81E1 FF00FFFF |and ecx, FFFF00FF
0048D058 |. 66:C1E1 08 |shl cx, 8
0048D05C |. 66:25 FF00 |and ax, 0FF
0048D060 |. 66:0BC8 |or cx, ax
0048D063 |. 66:3BCF |cmp cx, di
0048D066 |. 74 02 |je short 0048D06A
0048D068 |. 66:46 |inc si
0048D06A |> 66:8BF9 |mov di, cx
0048D06D |. 66:4D |dec bp
0048D06F |.^ 75 CF \jnz short 0048D040
0048D071 FB sti------------>运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048D072 |. 8BC6 mov eax, esi
0048D074 |. 25 FFFF0000 and eax, 0FFFF
0048D079 |. 03C0 add eax, eax
0048D07B |. 3B4424 14 cmp eax, dword ptr [esp+14]
0048D07F |. 7E 0F jle short 0048D090
0048D081 |. 66:B8 0300 mov ax, 3
0048D085 |. 5D pop ebp
0048D086 |. 5F pop edi
0048D087 |. 5E pop esi
0048D088 |. 5B pop ebx
0048D089 |. 83C4 08 add esp, 8
0048D08C |. C3 retn
0048D08D | 8D49 00 lea ecx, dword ptr [ecx]
0048D090 |> 66:2BF6 sub si, si
0048D093 FA cli-------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048D094 |. 6A 74 push 74
0048D096 |. 6A 56 push 56
0048D098 |. E8 73F7FFFF call 0048C810
0048D09D |. 68 FD000000 push 0FD
0048D0A2 |. 6A 52 push 52
0048D0A4 |. E8 67F7FFFF call 0048C810
0048D0A9 |. 68 FE000000 push 0FE
0048D0AE |. 6A 52 push 52
0048D0B0 |. E8 5BF7FFFF call 0048C810
0048D0B5 |. 6A 52 push 52
0048D0B7 |. E8 34F7FFFF call 0048C7F0
0048D0BC |. 8AD8 mov bl, al
0048D0BE |. 6A 52 push 52
0048D0C0 |. E8 2BF7FFFF call 0048C7F0
0048D0C5 |. 66:8BFB mov di, bx
0048D0C8 |. 81E7 FF00FFFF and edi, FFFF00FF
0048D0CE |. 66:C1E7 08 shl di, 8
0048D0D2 |. 66:25 FF00 and ax, 0FF
0048D0D6 |. 66:0BF8 or di, ax
0048D0D9 |. 66:BD 1027 mov bp, 2710
0048D0DD |. 8D49 00 lea ecx, dword ptr [ecx]
0048D0E0 |> 6A 52 /push 52
0048D0E2 |. E8 09F7FFFF |call 0048C7F0
0048D0E7 |. 8AD8 |mov bl, al
0048D0E9 |. 6A 52 |push 52
0048D0EB |. E8 00F7FFFF |call 0048C7F0
0048D0F0 |. 8ACB |mov cl, bl
0048D0F2 |. 81E1 FF00FFFF |and ecx, FFFF00FF
0048D0F8 |. 66:C1E1 08 |shl cx, 8
0048D0FC |. 66:25 FF00 |and ax, 0FF
0048D100 |. 66:0BC8 |or cx, ax
0048D103 |. 66:3BCF |cmp cx, di
0048D106 |. 74 02 |je short 0048D10A
0048D108 |. 66:46 |inc si
0048D10A |> 66:8BF9 |mov di, cx
0048D10D |. 66:4D |dec bp
0048D10F |.^ 75 CF \jnz short 0048D0E0
0048D111 FB sti--------------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048D112 |. 8BC6 mov eax, esi
0048D114 |. 25 FFFF0000 and eax, 0FFFF
0048D119 |. 03C0 add eax, eax
0048D11B |. 3B4424 14 cmp eax, dword ptr [esp+14]
0048D11F |. 7E 0F jle short 0048D130
0048D121 |. 66:B8 0300 mov ax, 3
0048D125 |. 5D pop ebp
0048D126 |. 5F pop edi
0048D127 |. 5E pop esi
0048D128 |. 5B pop ebx
0048D129 |. 83C4 08 add esp, 8
0048D12C |. C3 retn
0048D12D | 8D49 00 lea ecx, dword ptr [ecx]
0048D130 |> 66:B8 0100 mov ax, 1
0048D134 |. 5D pop ebp
0048D135 |. 5F pop edi
0048D136 |. 5E pop esi
0048D137 |. 5B pop ebx
0048D138 |. 83C4 08 add esp, 8
0048D13B \. C3 retn
上边这个过程中子方法中又有几出跨权异常:
0048C7F0 /$ 83EC 04 sub esp, 4--->子方法入口
0048C7F3 |. 66:8B5424 08 mov dx, word ptr [esp+8]
0048C7F8 EC in al, dx------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048C7F9 |. 884424 03 mov byte ptr [esp+3], al
0048C7FD |. 8A4424 03 mov al, byte ptr [esp+3]
0048C801 |. 83C4 04 add esp, 4
0048C804 \. C2 0400 retn 4
0048C810 /$ 8A4424 08 mov al, byte ptr [esp+8]--->子方法入口
0048C814 |. 66:8B5424 04 mov dx, word ptr [esp+4]
0048C819 EE out dx, al------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048C81A \. C2 0800 retn 8
0048C81D 8D49 00 lea ecx, dword ptr [ecx]
0048C820 /$ 83EC 04 sub esp, 4
0048C823 |. 66:8B5424 08 mov dx, word ptr [esp+8]
0048C828 |. 66:ED in ax, dx------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048C82A |. 66:894424 02 mov word ptr [esp+2], ax
0048C82F |. 66:8B4424 02 mov ax, word ptr [esp+2]
0048C834 |. 83C4 04 add esp, 4
0048C837 \. C2 0400 retn 4
0048CC40 /$ 81EC 94000000 sub esp, 94--------------->方法入口
0048CC46 |. 53 push ebx
0048CC47 |. 56 push esi
0048CC48 |. 57 push edi
0048CC49 |. 8B8C24 A40000>mov ecx, dword ptr [esp+A4]
0048CC50 |. 8D4424 0F lea eax, dword ptr [esp+F]
0048CC54 |. 898C24 940000>mov dword ptr [esp+94], ecx
0048CC5B |. 50 push eax
0048CC5C |. 8D4424 16 lea eax, dword ptr [esp+16]
0048CC60 |. 50 push eax
0048CC61 |. 66:BE FFFF mov si, 0FFFF
0048CC65 |. 8D4424 18 lea eax, dword ptr [esp+18]
0048CC69 |. 50 push eax
0048CC6A |. 66:8B01 mov ax, word ptr [ecx]
0048CC6D |. 50 push eax
0048CC6E |. E8 4DFEFFFF call 0048CAC0
0048CC73 |. 66:BF 1E00 mov di, 1E
0048CC77 FA cli------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CC78 |. 66:8B4424 12 |mov ax, word ptr [esp+12]
0048CC7D |. 50 |push eax
0048CC7E |. 8A4424 13 |mov al, byte ptr [esp+13]
0048CC82 |. 50 |push eax
0048CC83 |. 66:8B4424 18 |mov ax, word ptr [esp+18]
0048CC88 |. 50 |push eax
0048CC89 |. E8 F2FDFFFF |call 0048CA80
0048CC8E |. 66:8BD8 |mov bx, ax
0048CC91 |. 6A 02 |push 2
0048CC93 |. 8D4424 18 |lea eax, dword ptr [esp+18]
0048CC97 |. 50 |push eax
0048CC98 |. E8 D3FBFFFF |call 0048C870
0048CC9D |. 66:8B4424 12 |mov ax, word ptr [esp+12]
0048CCA2 |. 50 |push eax
0048CCA3 |. 8A4424 13 |mov al, byte ptr [esp+13]
0048CCA7 |. 50 |push eax
0048CCA8 |. 66:8B4424 18 |mov ax, word ptr [esp+18]
0048CCAD |. 50 |push eax
0048CCAE |. E8 CDFDFFFF |call 0048CA80
0048CCB3 FB sti------------->运行到这里程序又抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CCB4 |. 66:3BC3 |cmp ax, bx
0048CCB7 |. 77 24 |ja short 0048CCDD
0048CCB9 |. 8BD3 |mov edx, ebx
0048CCBB |. 81E2 FFFF0000 |and edx, 0FFFF
0048CCC1 |. 8BC8 |mov ecx, eax
0048CCC3 |. 81E1 FFFF0000 |and ecx, 0FFFF
0048CCC9 |. 2BD1 |sub edx, ecx
0048CCCB |. 8BCE |mov ecx, esi
0048CCCD |. 81E1 FFFF0000 |and ecx, 0FFFF
0048CCD3 |. 3BD1 |cmp edx, ecx
0048CCD5 |. 7D 06 |jge short 0048CCDD
0048CCD7 |. 66:8BF3 |mov si, bx
0048CCDA |. 66:2BF0 |sub si, ax
0048CCDD |> 66:4F |dec di
0048CCDF |.^ 75 96 \jnz short 0048CC77
0048CCE1 |. 66:8BC6 mov ax, si
0048CCE4 |. 5F pop edi
0048CCE5 |. 5E pop esi
0048CCE6 |. 5B pop ebx
0048CCE7 |. 81C4 94000000 add esp, 94
0048CCED \. C2 0400 retn 4
0048CCF0 $ 81EC 94000000 sub esp, 94--------------->方法入口
0048CCF6 . 53 push ebx
0048CCF7 . 56 push esi
0048CCF8 . 57 push edi
0048CCF9 . 55 push ebp
0048CCFA . 8BB424 A80000>mov esi, dword ptr [esp+A8]
0048CD01 . 89B424 980000>mov dword ptr [esp+98], esi
0048CD08 . 66:8B46 06 mov ax, word ptr [esi+6]
0048CD0C . 50 push eax
0048CD0D . 66:8B06 mov ax, word ptr [esi]
0048CD10 . 50 push eax
0048CD11 . E8 AAFEFFFF call 0048CBC0
0048CD16 . 66:8BF8 mov di, ax
0048CD19 . 8D4424 11 lea eax, dword ptr [esp+11]
0048CD1D . 50 push eax
0048CD1E . 8D4424 18 lea eax, dword ptr [esp+18]
0048CD22 . 50 push eax
0048CD23 . 66:BD 1E00 mov bp, 1E
0048CD27 . 8D4424 1A lea eax, dword ptr [esp+1A]
0048CD2B . 50 push eax
0048CD2C . 66:8B86 00000>mov ax, word ptr [esi]
0048CD33 . 50 push eax
0048CD34 . E8 87FDFFFF call 0048CAC0
0048CD39 . 66:C74424 16 >mov word ptr [esp+16], 0FFFF
0048CD40 FA cli------------->抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CD41 . 66:8B4424 14 mov ax, word ptr [esp+14]
0048CD46 . 50 push eax
0048CD47 . 8A4424 15 mov al, byte ptr [esp+15]
0048CD4B . 50 push eax
0048CD4C . 66:8B4424 1A mov ax, word ptr [esp+1A]
0048CD51 . 50 push eax
0048CD52 . E8 29FDFFFF call 0048CA80
0048CD57 . 66:8BD8 mov bx, ax
0048CD5A . 66:8B4424 14 mov ax, word ptr [esp+14]
0048CD5F . 50 push eax
0048CD60 . 8A4424 15 mov al, byte ptr [esp+15]
0048CD64 . 50 push eax
0048CD65 . 66:8B4424 1A mov ax, word ptr [esp+1A]
0048CD6A . 50 push eax
0048CD6B . E8 10FDFFFF call 0048CA80
0048CD70 FB sti------------->抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CD71 . 66:3BC3 cmp ax, bx
0048CD74 . 77 25 ja short 0048CD9B
0048CD76 . 8BCB mov ecx, ebx
0048CD78 . 81E1 FFFF0000 and ecx, 0FFFF
0048CD7E . 8BD0 mov edx, eax
0048CD80 . 81E2 FFFF0000 and edx, 0FFFF
0048CD86 . 2BCA sub ecx, edx
0048CD88 . 33D2 xor edx, edx
0048CD8A . 66:8B5424 16 mov dx, word ptr [esp+16]
0048CD8F . 3BCA cmp ecx, edx
0048CD91 . 7D 08 jge short 0048CD9B
0048CD93 . 66:2BD8 sub bx, ax
0048CD96 . 66:895C24 16 mov word ptr [esp+16], bx
0048CD9B > 66:4D dec bp
0048CD9D .^ 75 A1 jnz short 0048CD40
0048CD9F . 8BC7 mov eax, edi
0048CDA1 . 25 FFFF0000 and eax, 0FFFF
0048CDA6 . 33C9 xor ecx, ecx
0048CDA8 . 66:8B4C24 16 mov cx, word ptr [esp+16]
0048CDAD . 03C8 add ecx, eax
0048CDAF . 3BC8 cmp ecx, eax
0048CDB1 . 7D 0D jge short 0048CDC0
0048CDB3 . 66:BF FFFF mov di, 0FFFF
0048CDB7 . EB 0C jmp short 0048CDC5
0048CDB9 . 8DA424 000000>lea esp, dword ptr [esp]
0048CDC0 > 66:037C24 16 add di, word ptr [esp+16]
0048CDC5 > 66:2BED sub bp, bp
0048CDC8 FA cli------------->>抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CDC9 . 66:8B4424 14 mov ax, word ptr [esp+14]
0048CDCE . 50 push eax
0048CDCF . 8A4424 15 mov al, byte ptr [esp+15]
0048CDD3 . 50 push eax
0048CDD4 . 66:8B4424 1A mov ax, word ptr [esp+1A]
0048CDD9 . 50 push eax
0048CDDA . E8 A1FCFFFF call 0048CA80
0048CDDF . 66:8BD8 mov bx, ax
0048CDE2 . 6A 02 push 2
0048CDE4 . 8D4424 1C lea eax, dword ptr [esp+1C]
0048CDE8 . 50 push eax
0048CDE9 . E8 82FAFFFF call 0048C870
0048CDEE . 66:8B4424 14 mov ax, word ptr [esp+14]
0048CDF3 . 50 push eax
0048CDF4 . 8A4424 15 mov al, byte ptr [esp+15]
0048CDF8 . 50 push eax
0048CDF9 . 66:8B4424 1A mov ax, word ptr [esp+1A]
0048CDFE . 50 push eax
0048CDFF . E8 7CFCFFFF call 0048CA80
0048CE04 FB sti------------->>抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CE05 . 66:3BC3 cmp ax, bx //
这是最后一个异常指令,以后就畅通了捏!
0048CE08 . 77 25 ja short 0048CE2F
0048CE0A . 66:2BD8 sub bx, ax
0048CE0D . 78 20 js short 0048CE2F
0048CE0F . 66:3BDF cmp bx, di
0048CE12 . 77 1B ja short 0048CE2F
0048CE14 . 66:8B4E 02 mov cx, word ptr [esi+2]
0048CE18 . 66:8BC1 mov ax, cx
0048CE1B . 66:C1E8 05 shr ax, 5
0048CE1F . 8D4401 01 lea eax, dword ptr [ecx+eax+1]
0048CE23 . 66:3BC1 cmp ax, cx
0048CE26 . 72 18 jb short 0048CE40
0048CE28 . 66:8946 02 mov word ptr [esi+2], ax
0048CE2C . 66:2BED sub bp, bp
0048CE2F > 66:45 inc bp
0048CE31 . 66:83FD 1E cmp bp, 1E
0048CE35 .^ 72 91 jb short 0048CDC8
0048CE37 . EB 0D jmp short 0048CE46
0048CE39 . 8DA424 000000>lea esp, dword ptr [esp]
0048CE40 > 66:C746 02 FF>mov word ptr [esi+2], 0FFFF
0048CE46 > 66:8B46 02 mov ax, word ptr [esi+2]
0048CE4A . 5D pop ebp
0048CE4B . 5F pop edi
0048CE4C . 5E pop esi
0048CE4D . 5B pop ebx
0048CE4E . 81C4 94000000 add esp, 94
0048CE54 . C2 0400 retn 4
esp所向异常栈,
0012EF24 0048C31F RETURN to xxxApp.0048C31F from xxxApp.0048CF30
0012EF28 0048B34C RETURN to xxxApp.0048B34C from xxxApp.0048C310
0012EF2C 0012F0F0
0012EF30 00120000
0012EF34 0012F0EC
0012EF38 00018F05
0012EF3C 0048B450 RETURN to xxxApp.0048B450 from xxxApp.0048B300
0012EF40 0012F0F0
0012EF44 00370000
0012EF48 0012F054
0012EF4C 0012F0EC
0012EF50 00378200
0012EF54 0048C290 RETURN to xxxApp.0048C290 from xxxApp.0048A4C0
0012EF58 0048C29C RETURN to xxxApp.0048C29C from xxxApp.0048B400
0012EF5C 0012F0EC
0012EF60 0012F054
0012EF64 0012F020
ASCII "Br"---------------------->下面很多这样
ASCII "Br",
像不像骂人词语
0012EF68 0012F054
0012EF6C 0048D15D RETURN to xxxApp.0048D15D from xxxApp.0048C250
0012EF70 0012F020 ASCII "Br"
0012EF74 0012F054
0012EF78 00000000
0012EF7C 0012F020 ASCII "Br"
0012EF80 00378200
0012EF84 0048DB5F RETURN to xxxApp.0048DB5F from xxxApp.0048D140
0012EF88 0012F020 ASCII "Br"
0012EF8C 00377B7C
0012EF90 0012F020 ASCII "Br"
0012EF94 0012F020 ASCII "Br"
0012EF98 00378240
0012EF9C 0012F034
0012EFA0 0012F050
0012EFA4 0048C2FF RETURN to xxxApp.0048C2FF from xxxApp.0048DAB0
0012EFA8 0012F020 ASCII "Br"
0012EFAC 0012F020 ASCII "Br"
0012EFB0 0048B23A RETURN to xxxApp.0048B23A from xxxApp.0048C2B0
0012EFB4 0012F020 ASCII "Br"
0012EFB8 0048F8DA RETURN to xxxApp.0048F8DA from xxxApp.0048B230
0012EFBC 0012F020 ASCII "Br"
0012EFC0 0048EF4F RETURN to xxxApp.0048EF4F from xxxApp.0048F8D0
0012EFC4 0012F020 ASCII "Br"
0012EFC8 0048EFC1 RETURN to xxxApp.0048EFC1 from xxxApp.0048EF20
0012EFCC 0012F020 ASCII "Br"
0012EFD0 0012F020 ASCII "Br"
0012EFD4 8F050001
0012EFD8 00490338 RETURN to xxxApp.00490338 from xxxApp.0048EF60
0012EFDC 0012F020 ASCII "Br"
0012EFE0 00377F3C
0012EFE4 0012F020 ASCII "Br"
0012EFE8 8F050001
0012EFEC 0047F539 RETURN to xxxApp.0047F539 from xxxApp.00490290
0012EFF0 0012F020 ASCII "Br"
0012EFF4 00377988
0012EFF8 004675FF RETURN to xxxApp.004675FF from xxxApp.0040319D
0012EFFC 00377988
0012F000 0012F77C
0012F004 0012F560
0012F008 0040197E xxxApp.0040197E. .
. .
. .
. .
. .
0012FEF8 |0012FFB0 Pointer to next SEH record
0012FEFC |00496F8C SE handler----->
开头第三个SEH过滤句柄
0012FF00 |FFFFFFFF
0012FF04 |73D3CF74 RETURN to MFC42.73D3CF74
0012FF08 |7C930738 ntdll.7C930738
0012FF0C |00141EF3
0012FF10 |00000000
0012FF14 |00491CB5 RETURN to xxxApp.00491CB5 from <jmp.&MFC42.#1576_AfxWinMain>
0012FF18 |00400000 xxxApp.00400000
0012FF1C |00000000
0012FF20 |00141EF3
0012FF24 |0000000A
0012FF28 |00491986 RETURN to xxxApp.<ModuleEntryPoint>+134 from xxxApp.00491CA0
0012FF2C |00400000 xxxApp.00400000
0012FF30 |00000000
0012FF34 |00141EF3
0012FF38 |0000000A
0012FF3C |7C930738
0012FF40 |FFFFFFFF
0012FF44 |7FFD9000
0012FF48 |B711ACEC
0012FF4C |00141EF3
0012FF50 |003728C8
0012FF54 |00000000
0012FF58 |804E488D
0012FF5C |00372CD8
0012FF60 |00000001
0012FF64 |00000044
0012FF68 |001429D8
0012FF6C |001429F8
0012FF70 |00142A20
0012FF74 |00070003
0012FF78 |00000200
0012FF7C |00000000
0012FF80 |77D1ECD2
0012FF84 |00070001
0012FF88 |7FFDF000
0012FF8C |00000001
0012FF90 |00000081
0012FF94 |0000000A
0012FF98 |00000000
0012FF9C |FFFFFFFF
0012FFA0 |FFFFFFFF
0012FFA4 |FFFFFFFF
0012FFA8 |0012FF3C
0012FFAC |82FEF04C
0012FFB0 |0012FFE0 Pointer to next SEH record
0012FFB4 |004919B6 SE handler
开头第二个SEH过滤句柄
0012FFB8 |004A5D30 xxxApp.004A5D30
0012FFBC |00000000
0012FFC0 \0012FFF0
0012FFC4 7C816D4F RETURN to kernel32.7C816D4F
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFD9000
0012FFD4 8054C038
0012FFD8 0012FFC8
0012FFDC 81FDD3F8
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 7C8399F3 SE handler------------>
开头第一个SEH过滤句柄
0012FFE8 7C816D58 kernel32.7C816D58
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 00491852 xxxApp.<ModuleEntryPoint>
0012FFFC 00000000
分别在各个SEH处理句柄下断.看看程序如何处理的.最后发现程序过滤所以异常处理方法.
最后来到第一个处理SEH方法中,进入系统库,提示程序异常,退出!
经过几次分析.这很可能是保护一种方式.把所有异常的跨权指令全部当成花指令nop或者是dispath 最后一个seh句柄,执向没有任何异常的区域运行:0048CE04 FB sti------------->这是最后一个抛出越权异常:
Privilege Instruction,识别码:C0000096
0048CE05 . 66:3BC3 cmp ax, bx
0048CE08 . 77 25 ja short 0048CE2F
0048CE0A . 66:2BD8 sub bx, ax
0048CE0D . 78 20 js short 0048CE2F
0048CE0F . 66:3BDF cmp bx, di
0048CE12 . 77 1B ja short 0048CE2F
0048CE14 . 66:8B4E 02 mov cx, word ptr [esi+2]
0048CE18 . 66:8BC1 mov ax, cx
0048CE1B . 66:C1E8 05 shr ax, 5
0048CE1F . 8D4401 01 lea eax, dword ptr [ecx+eax+1]
0048CE23 . 66:3BC1 cmp ax, cx
0048CE26 . 72 18 jb short 0048CE40
0048CE28 . 66:8946 02 mov word ptr [esi+2], ax
0048CE2C . 66:2BED sub bp, bp
0048CE2F > 66:45 inc bp
0048CE31 . 66:83FD 1E cmp bp, 1E
0048CE35 .^ 72 91 jb short 0048CDC8
0048CE37 . EB 0D jmp short 0048CE46
0048CE39 . 8DA424 000000>lea esp, dword ptr [esp]
0048CE40 > 66:C746 02 FF>mov word ptr [esi+2], 0FFFF
0048CE46 > 66:8B46 02 mov ax, word ptr [esi+2]
0048CE4A . 5D pop ebp
0048CE4B . 5F pop edi
0048CE4C . 5E pop esi
0048CE4D . 5B pop ebx
0048CE4E . 81C4 94000000 add esp, 94
0048CE54 . C2 0400 retn 4
可以把开始程序的第一个过滤SEH句柄或者是第二个等改成上边方法红颜色表示的地址就ok!
到这里提花CAD跑起来来了,功能基本全部能用.其他任何功能异常正在测试之中,发现立即
K掉它!
谢谢您看完!
新的一年即将到来.祝贺大家新春快乐.新年将是我的猪年到来.
祝所有论坛的兄弟,大牛,大鸟,BT,MM,来地球旅游的火星人,非球球人:
恭喜发财.
恭喜生子
恭喜结婚
恭喜升官
恭喜洞房
恭喜灌水
恭喜整酒
恭喜泡妹
恭喜恭喜
另外:
祝贺大家早日找到妹!
恭喜五楼Dragoner结婚!
另外给kanxue,CrakerABC老大道个歉,再也不盗用abc老大马甲了!
与论坛各个兄弟们混脸熟悉!
菩提本无树,明镜亦非台,本来无一物,何处惹尘埃
[课程]Linux pwn 探索篇!
好文章,支持七哥!
你的CrakerABC ID马甲我再也不敢盗用了
