-
-
[原创]ty123 Reverseme 1 简单解答
-
发表于: 2007-2-10 21:56
-
闲来无事...再写篇杂文吧...
正文开始...
先来看看作者的要求吧:
- 窗体中有一个隐藏按钮,将它显示出来并起作用
- 按F7功能键,显示出About消息框
- 程序字节数不能增加(这个不强求)
- 编写Reverse教程
OK,开工...
OD载入ty123 Reverseme 1,Ctrl+G来到以下位置:
00401174 . 817D 0C 10010>CMP DWORD PTR SS:[EBP+C],110 ; WM_INITDIALOG消息.
0040117B . 75 4C JNZ SHORT ty123_Re.004011C9
0040117D . FF35 74314000 PUSH DWORD PTR DS:[403174] ; /lParam = 0
00401183 . 6A 01 PUSH 1 ; |wParam = 1
00401185 . 68 80000000 PUSH 80 ; |Message = WM_SETICON
0040118A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040118D . E8 B8000000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00401192 . 6A 02 PUSH 2 ; /ControlID = 2
00401194 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401197 . E8 9C000000 CALL <JMP.&user32.GetDlgItem> ; \GetDlgItem
0040119C . A3 78314000 MOV DWORD PTR DS:[403178],EAX
004011A1 . 6A 00 PUSH 0 ;这里改为1后'退出'按钮可正常显示.
004011A3 . FF35 78314000 PUSH DWORD PTR DS:[403178]
004011A9 . 74 12 JE SHORT ty123_Re.004011BD
004011AB . 75 10 JNZ SHORT ty123_Re.004011BD
004011AD . 57 PUSH EDI
004011AE . 65:6C INS BYTE PTR ES:[EDI],DX
004011B0 . 636F 6D ARPL WORD PTR DS:[EDI+6D],BP
004011B3 . 65:20746F 20 AND BYTE PTR GS:[EDI+EBP*2+20],DH
004011B8 . 44 INC ESP
004011B9 . 46 INC ESI
004011BA . 43 INC EBX
004011BB . 47 INC EDI
004011BC 21 DB 21 ; CHAR '!'
004011BD . B8 58124000 MOV EAX,ty123_Re.00401258 ; |
004011C2 . 83E8 08 SUB EAX,8 ; |
004011C5 . FFD0 CALL EAX ; \ShowWindow
004011C7 . EB 3F JMP SHORT ty123_Re.00401208
OK,继续..."按F7功能键,显示出About消息框"...哎 麻烦,注册热键吧....
还是上面那段代码,该为如下:
00401174 . 817D 0C 10010>CMP DWORD PTR SS:[EBP+C],110 ; WM_INITDIALOG消息.
0040117D . /E9 DA000000 JMP ty123_Re.0040125C ; 跳到自己的代码(空白处N大,随便写)
自己的代码:
0040125C > \6A 76 PUSH 76 ; /Key = VK_F7 ;我们需要的F7热键
0040125E . 6A 00 PUSH 0 ; |Modifiers = 0
00401260 . 6A 01 PUSH 1 ; |HotKeyID = 1 ;ID号
00401262 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd ;窗口句柄,直接取于00401192的GetDlgItem过程
00401265 . 36:FF15 1C504>CALL DWORD PTR SS:[<&user32.RegisterHotK>; \RegisterHotKey ;oh,yeah...注册热键吧...
0040126C . FF35 74314000 PUSH DWORD PTR DS:[403174] ; 程序原来的代码,还是得补回去
00401272 .^ E9 0CFFFFFF JMP ty123_Re.00401183 ; 跳回去继续执行原代码
对了,别忘了用LordPe添加user32.RegisterHotKey函数.(唯一没达到的要求..本来想用动态获取API地址,貌似不行..
)
现在按钮也显示了,热键也注册了..该让他们起作用了..GO ON BABY...
来到下列代码处:
004011C9 > \817D 0C 11010>CMP DWORD PTR SS:[EBP+C],111 ; 比较是否为WM_COMMAND消息...我们从这里入手,加入热键消息判断
004011D0 . 75 26 JNZ SHORT ty123_Re.004011F8
004011D2 . 837D 10 01 CMP DWORD PTR SS:[EBP+10],1
004011D6 . 75 16 JNZ SHORT ty123_Re.004011EE
004011D8 . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004011DA . 68 13314000 PUSH ty123_Re.00403113 ; |Title = "ty123's Reverseme #1, Level: 1/10"
004011DF . 68 00304000 PUSH ty123_Re.00403000 ; |Text = "....略....^_^
004011E4 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
004011E7 . E8 58000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004011EC . EB 1A JMP SHORT ty123_Re.00401208
004011EE > 837D 10 02 CMP DWORD PTR SS:[EBP+10],2
004011F2 . 75 14 JNZ SHORT ty123_Re.00401208
004011F4 . EB 00 JMP SHORT ty123_Re.004011F6
004011F6 > EB 10 JMP SHORT ty123_Re.00401208
004011F8 > 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
004011FC . 75 0A JNZ SHORT ty123_Re.00401208
004011FE . 6A 00 PUSH 0 ; /Result = 0
00401200 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401203 . E8 2A000000 CALL <JMP.&user32.EndDialog> ; \EndDialog
00401208 > 33C0 XOR EAX,EAX
0040120A . C9 LEAVE
0040120B . C2 1000 RETN 10
更改004011C9的代码为 JMP 004012D0 ; 跳到自己的代码处...
004012D0 > \817D 0C 12030>CMP DWORD PTR SS:[EBP+C],312 ; 判断是否为WM_HOTKEY消息..
004012D7 . 75 05 JNZ SHORT ty123_Re.004012DE ; 不是..那继续判断去吧
004012D9 .^ E9 FAFEFFFF JMP ty123_Re.004011D8 ; 是的话那就跳到显示消息框的代码那里
004012DE > 817D 0C 11010>CMP DWORD PTR SS:[EBP+C],111 ; 补回原来的代码:判断是否为WM_COMMAND消息
004012E5 .^ E9 E6FEFFFF JMP ty123_Re.004011D0 ; 跳回去继续执行原代码.
搞定...收工...(果然越写越杂..希望大家都能看明白,呵呵~)
唯一的遗憾..增加了大小
By sLtYJ[D.4s][DFCG][BCG](4stone)
2007.02.10
2.11日补充内容:
看回帖时浏览了一下自己的"杂文"...发现没有写怎么让'退出'按钮起作用....大汗...补上.....
Ctrl+G来到以下代码处:
004011EE > \837D 10 02 CMP DWORD PTR SS:[EBP+10],2 ; 比较是否为2号按钮,也就是'退出'按钮
004011F2 . 75 14 JNZ SHORT ty123_Re.00401208 ; 执行了几个跳转,直接返回了...等于啥都没做
004011F4 . EB 00 JMP SHORT ty123_Re.004011F6
004011F6 > EB 10 JMP SHORT ty123_Re.00401208
004011F8 > 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
004011FC . 75 0A JNZ SHORT ty123_Re.00401208
004011FE . 6A 00 PUSH 0 ; /Result = 0
00401200 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401203 . E8 2A000000 CALL <JMP.&user32.EndDialog> ; \EndDialog
00401208 > 33C0 XOR EAX,EAX
0040120A . C9 LEAVE
0040120B . C2 1000 RETN 10
知道了代码的意思..我们就可以改了...呵呵~如下:
004011EE > \837D 10 02 CMP DWORD PTR SS:[EBP+10],2 ; 比较是否为2号按钮,也就是'退出'按钮
004011F2 . 74 0A JE SHORT ty123_Re.004011FE ; 是的话跳到4011FE,去执行EndDialog...也就是退出.
004011F4 . EB 00 JMP SHORT ty123_Re.004011F6
004011F6 > EB 10 JMP SHORT ty123_Re.00401208
004011F8 > 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
004011FC . 75 0A JNZ SHORT ty123_Re.00401208
004011FE > 6A 00 PUSH 0 ; /Result = 0
00401200 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401203 . E8 2A000000 CALL <JMP.&user32.EndDialog> ; \EndDialog
00401208 > 33C0 XOR EAX,EAX
0040120A . C9 LEAVE
0040120B . C2 1000 RETN 10
这下终于可以收工了...郁闷...老了啊~~~哎
-------------------------------------------------------------------
原创于看雪软件安全论坛(bbs.pediy.com),转载请保持文章的完整性.
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
呵呵,没注意.多谢提醒
|
|
|
|
|
|
呵呵,谢谢~
很少玩ReverseMe,有很多不足的地方,还望大家指教了.... PS:文章漏了点东西.现在补上了.. 
|
