【Crack Analysis】
PEiD packer check: no packer
00403831 >/$ 55 PUSH EBP // OD stops here on load (module entry point)
00403832 |. 8BEC MOV EBP,ESP
00403834 |. 6A FF PUSH -1
00403836 |. 68 F0624000 PUSH 发贴-测?004062F0
0040383B |. 68 A44C4000 PUSH 发贴-测?00404CA4 ; SE handler installation
00403840 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00403846 |. 50 PUSH EAX
00403847 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0040384E |. 83EC 58 SUB ESP,58
00403851 |. 53 PUSH EBX
00403852 |. 56 PUSH ESI
00403853 |. 57 PUSH EDI
00403854 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00403857 |. FF15 48604000 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion
0040385D |. 33D2 XOR EDX,EDX
0040385F |. 8AD4 MOV DL,AH ; minor version
00403861 |. 8915 6C8A4000 MOV DWORD PTR DS:[408A6C],EDX ; _winminor
00403867 |. 8BC8 MOV ECX,EAX
00403869 |. 81E1 FF000000 AND ECX,0FF ; major version
0040386F |. 890D 688A4000 MOV DWORD PTR DS:[408A68],ECX ; _winmajor
00403875 |. C1E1 08 SHL ECX,8
00403878 |. 03CA ADD ECX,EDX
0040387A |. 890D 648A4000 MOV DWORD PTR DS:[408A64],ECX ; _osver = (major << 8) | minor
00403880 |. C1E8 10 SHR EAX,10 ; build number
00403883 |. A3 608A4000 MOV DWORD PTR DS:[408A60],EAX
00403888 |. 33F6 XOR ESI,ESI
0040388A |. 56 PUSH ESI
0040388B |. E8 D3010000 CALL 发贴-测?00403A63 ; standard MSVC CRT startup so far, nothing program-specific yet
After running with F9 it prompts XXXXXXXX; press Alt+E
Executable modules, item 3
Base=10000000
Size=00121000 (1183744.)
Entry=1011E001 krnln.<ModuleEntryPoint>
Name=krnln
File version=1, 0, 0, 1
Path=C:\DOCUME~1\BLACKP~1\LOCALS~1\Temp\E_4\krnln.fnr
Found this module
Double-click to get here
10001000 55 PUSH EBP // land here
10001001 8BEC MOV EBP,ESP
10001003 6A FF PUSH -1
10001005 68 B8910B10 PUSH krnln.100B91B8
1000100A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
10001010 50 PUSH EAX
10001011 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
10001018 83EC 10 SUB ESP,10
1000101B 53 PUSH EBX
1000101C 56 PUSH ESI
1000101D 57 PUSH EDI
1000101E 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
10001021 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
10001024 E8 63C30A00 CALL krnln.100AD38C
10001029 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
1000102C 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
1000102F 52 PUSH EDX
10001030 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
10001033 8B01 MOV EAX,DWORD PTR DS:[ECX]
10001035 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
1000103C 52 PUSH EDX
1000103D C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
10001041 FF50 34 CALL DWORD PTR DS:[EAX+34]
10001044 8BF0 MOV ESI,EAX
10001046 C745 FC FFFFFFF>MOV DWORD PTR SS:[EBP-4],-1
1000104D E8 78C30A00 CALL krnln.100AD3CA
10001052 8BC6 MOV EAX,ESI
Using the Find ASCII feature of the OD plugin Ultra String Reference, found in the ultra string references, item 64
Address=1000DEE6
Disassembly=PUSH krnln.100DDFCC
Text string=\\.\PhysicalDrive0
Double-click
1000DEDA 53 PUSH EBX ; hTemplateFile = NULL (EBX holds 0, used for every NULL/0 argument below)
1000DEDB 53 PUSH EBX ; dwFlagsAndAttributes = 0
1000DEDC 6A 03 PUSH 3 ; dwCreationDisposition = OPEN_EXISTING
1000DEDE 53 PUSH EBX ; lpSecurityAttributes = NULL
1000DEDF 6A 03 PUSH 3 ; dwShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
1000DEE1 68 000000C0 PUSH C0000000 ; dwDesiredAccess = GENERIC_READ|GENERIC_WRITE
1000DEE6 68 CCDF0D10 PUSH krnln.100DDFCC ; \\.\PhysicalDrive0
1000DEEB FF15 20240C10 CALL DWORD PTR DS:[100C2420] ; kernel32.CreateFileA
1000DEF1 8BF0 MOV ESI,EAX ; hDevice
1000DEF3 83FE FF CMP ESI,-1 ; INVALID_HANDLE_VALUE (opening the physical drive needs administrator rights)
1000DEF6 0F84 C0000000 JE krnln.1000DFBC
1000DEFC 57 PUSH EDI
1000DEFD B9 06000000 MOV ECX,6
1000DF02 33C0 XOR EAX,EAX
1000DF04 8D7C24 14 LEA EDI,DWORD PTR SS:[ESP+14]
1000DF08 F3:AB REP STOS DWORD PTR ES:[EDI] ; zero the 6*4 = 24-byte output buffer
1000DF0A 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
1000DF0E 53 PUSH EBX ; lpOverlapped = NULL
1000DF0F 50 PUSH EAX ; lpBytesReturned
1000DF10 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
1000DF14 6A 18 PUSH 18 ; nOutBufferSize = 0x18 = sizeof(GETVERSIONINPARAMS)
1000DF16 51 PUSH ECX ; lpOutBuffer
1000DF17 53 PUSH EBX ; nInBufferSize = 0
1000DF18 53 PUSH EBX ; lpInBuffer = NULL
1000DF19 68 80400700 PUSH 74080 ; dwIoControlCode = SMART_GET_VERSION (CTL_CODE(FILE_DEVICE_DISK, 0x20, METHOD_BUFFERED, FILE_READ_ACCESS))
1000DF1E 56 PUSH ESI ; hDevice
1000DF1F 895C24 2C MOV DWORD PTR SS:[ESP+2C],EBX
1000DF23 FF15 28240C10 CALL DWORD PTR DS:[100C2428] ; kernel32.DeviceIoControl
1000DF29 8A4424 17 MOV AL,BYTE PTR SS:[ESP+17] ; GETVERSIONINPARAMS.bIDEDeviceMap (byte 3 of the output buffer)
1000DF2D 3AC3 CMP AL,BL ; map == 0 -> no IDE device reported
1000DF2F 76 78 JBE SHORT krnln.1000DFA9
1000DF31 24 10 AND AL,10 ; bit 4: primary master (drive 0) is ATAPI
1000DF33 B9 08000000 MOV ECX,8
1000DF38 F6D8 NEG AL
Set an access breakpoint at 1000DEE6 and reloaded the program; after it runs it prompts XXX, I enter a fake code, click OK, and it exits by itself!
If I set a hardware execution breakpoint instead, it does break, but then the fake code can no longer be entered
Traced back and forth, found no patch point and no registration code comparison
Please help me analyze this
Software download address
http://www.onlinedown.net/soft/39990.htm
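What the krnln routine at 1000DEDA is actually asking the disk for, as an added example that is not code from the post or from krnln (krnln.fnr is the Easy Language core runtime library). It is reconstructed from the Windows definitions in winioctl.h: 0x74080 decodes to SMART_GET_VERSION, the 0x18-byte output buffer is a GETVERSIONINPARAMS, and the byte read from [ESP+17] is its bIDEDeviceMap. SMART_GET_VERSION is normally the first step before SMART_RCV_DRIVE_DATA, which reads the drive's IDENTIFY block (model and serial number), so this path is typically a hardware fingerprint, not a key check. The decoder and the buffer check below build and run anywhere; the live probe is only compiled on Windows. The function names, the bit-0 presence test (not visible in the posted listing) and the sample buffer are assumptions made for this example.

```c
/*
 * Added example (not from the original post or from krnln): decode the
 * IOCTL pushed at 1000DF19 and replicate the bIDEDeviceMap check that
 * follows the DeviceIoControl call.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* winioctl.h: CTL_CODE(DeviceType, Function, Method, Access)
 *           = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
typedef struct {
    unsigned device_type;   /* 7 = FILE_DEVICE_DISK */
    unsigned access;        /* 1 = FILE_READ_ACCESS */
    unsigned function;
    unsigned method;        /* 0 = METHOD_BUFFERED */
} ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* The constant from the listing; equals SMART_GET_VERSION in winioctl.h. */
#define KRNLN_IOCTL 0x074080u

/* winioctl.h GETVERSIONINPARAMS, 24 (0x18) bytes, the size pushed at 1000DF14.
 * bIDEDeviceMap: bits 0-3 = device present on primary master/slave,
 * secondary master/slave; bits 4-7 = the corresponding device is ATAPI. */
typedef struct {
    uint8_t  bVersion;
    uint8_t  bRevision;
    uint8_t  bReserved;
    uint8_t  bIDEDeviceMap;   /* offset 3: the byte loaded from [ESP+17] */
    uint32_t fCapabilities;
    uint32_t dwReserved[4];
} smart_version_params;

enum drive_kind { DRIVE_NONE = 0, DRIVE_ATA = 1, DRIVE_ATAPI = 2 };

/* Mirrors the check after DeviceIoControl: a zero map takes the JBE
 * (no IDE device at all); otherwise bit 4 (AND AL,10) says whether drive 0,
 * the primary master, is ATAPI. The bit-0 presence test is an assumption
 * based on the documented bitmap; it is not visible in the posted listing. */
static enum drive_kind classify_drive0(const uint8_t *out_buf, size_t out_len)
{
    smart_version_params p;
    if (out_len < sizeof p)
        return DRIVE_NONE;
    memcpy(&p, out_buf, sizeof p);
    if (p.bIDEDeviceMap == 0)           /* CMP AL,BL ; JBE */
        return DRIVE_NONE;
    if (!(p.bIDEDeviceMap & 0x01))      /* assumed presence check for drive 0 */
        return DRIVE_NONE;
    return (p.bIDEDeviceMap & 0x10) ? DRIVE_ATAPI : DRIVE_ATA;   /* AND AL,10 */
}

#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
/* Live version of the same call sequence. Opening \\.\PhysicalDrive0 with
 * GENERIC_READ|GENERIC_WRITE requires administrator rights. */
static int probe_physicaldrive0(smart_version_params *out)
{
    DWORD returned = 0;
    HANDLE h = CreateFileA("\\\\.\\PhysicalDrive0",
                           GENERIC_READ | GENERIC_WRITE,        /* C0000000 */
                           FILE_SHARE_READ | FILE_SHARE_WRITE,  /* 3 */
                           NULL, OPEN_EXISTING, 0, NULL);       /* 3, 0, NULL */
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    memset(out, 0, sizeof *out);        /* the REP STOS zeroing */
    BOOL ok = DeviceIoControl(h, SMART_GET_VERSION, NULL, 0,
                              out, (DWORD)sizeof *out, &returned, NULL);
    CloseHandle(h);
    return ok ? 1 : 0;
}
#endif

int main(void)
{
    ioctl_fields f = decode_ioctl(KRNLN_IOCTL);
    printf("0x%06X: device_type=%u function=0x%X method=%u access=%u\n",
           KRNLN_IOCTL, f.device_type, f.function, f.method, f.access);

    /* Constructed sample output buffer: version 1.1, primary master present, ATA. */
    uint8_t sample[24] = { 1, 1, 0, 0x01 };
    printf("drive0 kind = %d\n", classify_drive0(sample, sizeof sample));
#ifdef _WIN32
    smart_version_params live;
    if (probe_physicaldrive0(&live))
        printf("live bIDEDeviceMap = 0x%02X\n", live.bIDEDeviceMap);
#endif
    return 0;
}
```

If the program really exits after a wrong code without ever comparing it, the place to look is what krnln does with the bytes that come back from this and the following SMART_RCV_DRIVE_DATA call, and where the caller in the main module consumes that value; an access breakpoint on the output buffer at [ESP+14] after the DeviceIoControl call catches the consumer without tripping on the CreateFileA string itself.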