GetDriveTypeA的疑问-经典问答-看雪-安全社区|安全招聘|kanxue.com

GetDriveTypeA的疑问

发表于: 2007-2-26 17:26 5945

GetDriveTypeA的疑问

skswujian

2007-2-26 17:26

5945

看到好多破解免CD的文章,里面都提到了GetDriveTypeA,因为我需要破解一个免CD的游戏,所以按例子操作.我使用的是ollyICE软件,用"查看">"文件"菜单打开了这个游戏的EXE文件,搜索GetDriveTypeA,找到了...然后点右键>反汇编
看到了这段代码:
add  byte ptr [edi+65],al
je short 44
jb short 69
jbe  short 65
push esp
jns  short 70
inc  ecx
这段不汇编的话,就是GetDriveTypeA,照这么说所有EXE这段都是一样的了?当然44.69.65.70是偏移地址,不同的EXE会加到不同的实际地址上去.

然后看帮助:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B7B5(C)
|
:0040B7E5 0FBE0DE8724200       movsx ecx, byte ptr [004272E8] //取出内存中一个字节，我用的光盘是Z盘，这里是 Z
:0040B7EC 51                   push ecx                         //压入堆栈
:0040B7ED 8D542434             lea edx, dword ptr [esp+34]

* Possible StringData Ref from Data Obj ->"%c:\"                   //取出变量值 %c:\，%c是用来被取代的变量
                              |
:0040B7F1 6890744200             push 00427490
:0040B7F6 52                   push edx
:0040B7F7 E815040100             call 0041BC11                   //取代变量 %c:\ -> Z:\
:0040B7FC 83C40C                add esp, 0000000C
:0040B7FF 8D442430             lea eax, dword ptr [esp+30]
:0040B803 50                   push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
                              |
:0040B804 FF154C504200          Call dword ptr [0042504C]       //判断Z:是不是光盘
:0040B80A 83F805                cmp eax, 00000005                //如果是光盘，那么返回值就是5，硬盘则为4
:0040B80D 7420                   je 0040B82F                      //是光盘就跳，否则弹出插入光盘的提示
:0040B80F 8B0DC8B64200          mov ecx, dword ptr [0042B6C8]
:0040B815 6A00                   push 00000000
:0040B817 6A00                   push 00000000
:0040B819 6A10                   push 00000010
:0040B81B 51                   push ecx

……以下代码省略…………
这三段是从何而来?我的转向就转不到这些里..且有四个转向呀?

[课程]Android-CTF解题方法汇总！

收藏・0

免费・0

支持

最新回复 (14)
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 2 楼没人回答,我顶 2007-2-27 00:22 0
kanxue 雪币： 44229 活跃值： (19955) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 3 楼你在OD里，用GetDriveTypeA设断，可以在命令行里： bp GetDriveTypeA 断下后，回到程序里，将代码复制出来。 2007-2-27 09:41 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 4 楼程序是断下来了,但不知复制哪里?是从断点到末尾,那太长了... 004935D0 > $ 55 push ebp 004935D1 . 8BEC mov ebp, esp 004935D3 . 6A FF push -1 004935D5 . 68 A8B64A00 push 004AB6A8 004935DA . 68 88924900 push 00499288 ; SE 处理程序安装 004935DF . 64:A1 0000000>mov eax, dword ptr fs:[0] 004935E5 . 50 push eax 004935E6 . 64:8925 00000>mov dword ptr fs:[0], esp 004935ED . 83C4 A8 add esp, -58 004935F0 . 53 push ebx 004935F1 . 56 push esi 004935F2 . 57 push edi 004935F3 . 8965 E8 mov dword ptr [ebp-18], esp 004935F6 . FF15 00B14A00 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion 004935FC . 33D2 xor edx, edx 004935FE . 8AD4 mov dl, ah 00493600 . 8915 80545500 mov dword ptr [555480], edx 00493606 . 8BC8 mov ecx, eax 00493608 . 81E1 FF000000 and ecx, 0FF 0049360E . 890D 7C545500 mov dword ptr [55547C], ecx 00493614 . C1E1 08 shl ecx, 8 00493617 . 03CA add ecx, edx 00493619 . 890D 78545500 mov dword ptr [555478], ecx 0049361F . C1E8 10 shr eax, 10 00493622 . A3 74545500 mov dword ptr [555474], eax 00493627 . E8 64430000 call 00497990 0049362C . 85C0 test eax, eax 0049362E . 75 0A jnz short 0049363A 后面还很多... 2007-2-27 17:59 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 5 楼版主还没来? 再顶一下 2007-2-27 20:10 0
smartbear 雪币： 216 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 47 粉丝 0 关注私信	smartbear 6 楼是啊,高手带我们,要说得详细点,不要简写,简称,我们看不懂,如OD\bp\命令行,我现在才懂是不是先在命令行里输:bq GetDriveTypeA,然后再打开EXE呀? 2007-2-27 20:30 0
kanxue 雪币： 44229 活跃值： (19955) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 7 楼最初由 skswujian* 发布* 程序是断下来了,但不知复制哪里?是从断点到末尾,那太长了... 004935D0 > $ 55 push ebp 004935D1 . 8BEC mov ebp, esp 004935D3 . 6A FF push -1 004935D5 . 68 A8B64A00 push 004AB6A8 ........ 这段代码没用，你用GetDriveTypeA设断看看，程序是不是调用了，调用了分析程序如何处理的。 2007-2-27 21:50 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 8 楼不是先在命令行里输:bq GetDriveTypeA,然后再打开EXE吗? 2007-2-27 22:50 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 9 楼这次对不对? 7C8214E3 > 8BFF mov edi, edi 7C8214E5 . 55 push ebp 7C8214E6 . 8BEC mov ebp, esp 7C8214E8 . 837D 08 00 cmp dword ptr [ebp+8], 0 7C8214EC 74 1D je short 7C82150B 7C8214EE FF75 08 push dword ptr [ebp+8] 7C8214F1 E8 7ECBFEFF call 7C80E074 7C8214F6 85C0 test eax, eax 7C8214F8 0F84 83020200 je 7C841781 7C8214FE 8B40 04 mov eax, dword ptr [eax+4] 7C821501 50 push eax 7C821502 E8 C99DFEFF call GetDriveTypeW 7C821507 5D pop ebp 7C821508 C2 0400 retn 4 7C82150B > 33C0 xor eax, eax 7C82150D .^ EB F2 jmp short 7C821501 7C82150F > 3B45 14 cmp eax, dword ptr [ebp+14] 7C821512 . 7C 45 jl short 7C821559 7C821514 . E9 84000000 jmp 7C82159D 7C821519 > FF45 0C inc dword ptr [ebp+C] 7C82151C . EB 7F jmp short 7C82159D 2007-2-27 23:26 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 10 楼这个还是在系统空间,返回程序空间. 打开exe后,在命令行bp GetDriveTypeA 或者打开exe,Ctrl+g:GetDriveTypeA,F2下断. 2007-2-28 07:36 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 11 楼不行呀,按你说得方法也是断在Kernel32模块里,断不到用户模块里呀... 是不是没有脱壳的缘故? 2007-2-28 11:29 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 12 楼最初由 cyto* 发布* 这个还是在系统空间,返回程序空间. 打开exe后,在命令行或者打开exe,Ctrl+g:GetDriveTypeA,F2下断. 这次对吗?这次我是用运行exe后,用bp GetDriveTypeA设断,然后查看>断点,找到后双击会回到Kernel32模块的断点中,然后按F4,堆栈里会出现: 0012FB98 00408A9D /CALL 到 GetDriveTypeA 0012FB9C 0012FBF8 \RootPathName = "a:\" 点上面行,回车,这下才会回到用户模块中,以下是代码: 00408A97 ? FF15 BCB14A00 call dword ptr[<&GetDriveTypeA>] 00408A9C ? 83F8 05 cmp eax, 5 00408A9D 75 6F jnz short 0048B11 00408AA2 . 6A 00 push 0 00408AA4 . 6A 00 push 0 00408AA6 . 6A 00 push 0 00408AA8 . 6A 00 push 0 00408AAA . 6A 00 push 0 00408AAC ? 8D55 AC lea edx, dword ptr [ebp-54] 00408AAF 6A db 6A 00408AB0 50 db 50 00408AB1 8D db 8D 00408AB2 45 db 45 00408AB3 FC db FC 00408AB4 52 db 52 00408AB5 50 db 50 00408AB6 FF15 C0B14A00 call dword ptr [<&KERNEL32.GetVolumeI> 00408ABC . 85C0 test eax, eax 00408ABE . 74 51 je short 00408B11 00408AC0 . B9 06000000 mov ecx, 6 00408AC5 . 8D7D AC lea edi, dword ptr [ebp-54] 00408AC8 BE db BE 00408AC9 50 db 50 00408ACA FA db FA 00408ACB 4A db 4A 00408ACC 00 db 00 00408ACD 33 db 33 00408ACE D2 db D2 00408ACF F3 db F3 00408AD0 A6 db A6 00408AD1 75 db 75 00408AD2 3E db 3E 00408AD3 0F db 0F 00408AD4 BE db BE 00408AD5 45 db 45 00408AD6 B2 db B2 00408AD7 83 db 83 00408AD8 E8 db E8 00408AD9 31 db 31 00408ADA A3 db A3 00408ADB 9C db 9C 00408ADC 6D db 6D 00408ADD 4B db 4B 00408ADE 00 db 00 00408ADF 78 db 78 00408AE0 26 db 26 00408AE1 83 db 83 00408AE2 F8 db F8 00408AE3 02 db 02 00408AE4 7D db 7D 00408AE5 21 db 21 00408AE6 66 db 66 00408AE7 0F db 0F 00408AE8 BE db BE 00408AE9 45 inc ebp 00408AEA FC db FC 00408AEB 66 db 66 00408AEC A3 db A3 00408AED A0 db A0 00408AEE 6D db 6D 00408AEF 4B db 4B 00408AF0 00 db 00 00408AF1 66 db 66 00408AF2 C7 db C7 00408AF3 05 db 05 00408AF4 A2 db A2 00408AF5 6D db 6D 00408AF6 4B dec ebx 00408AF7 00 db 00 00408AF8 3A db 3A 00408AF9 00 db 00 00408AFA 66 db 66 00408AFB 89 db 89 00408AFC 15 db 15 00408AFD A4 db A4 00408AFE 6D db 6D 00408AFF 4B db 4B 00408B00 00 db 00 00408B01 5F db 5F 00408B02 5E db 5E 00408B03 8B db 8B 00408B04 E5 db E5 00408B05 5D pop ebp 00408B06 C3 db C3 00408B07 C7 db C7 00408B08 . 05 9C6D4B00 add eax, 004B6D9C 00408B0D > FFFF ??? 00408B0F . FFFF ??? 00408B11 . 5F pop edi 00408B12 ? 5E pop esi 00408B13 ? 8BE5 mov esp, ebp 00408B15 ? 5D pop ebp 00408B16 . C3 retn 00408B17 ? 90 nop 00408B18 ? 90 nop 00408B19 ? 90 nop 00408B1A ? 90 nop 00408B1B ? 90 nop 00408B1C . 90 nop 00408B1D . 90 nop 00408B1E ? 90 nop 00408B1F . 90 nop 00408B20 ? 833D 9C6D4B00>cmp dword ptr [4B6D9C], -1 00408B27 74 db 74 00408B28 3C db 3C 00408B29 E8 db E8 00408B2A 32 db 32 00408B2B B0 db B0 00408B2C 02 db 02 00408B2D 00 db 00 00408B2E 3C db 3C 00408B2F FF db FF 00408B30 74 db 74 00408B31 2D db 2D 00408B32 84 db 84 00408B33 C0 db C0 00408B34 74 db 74 00408B35 14 db 14 00408B36 8B db 8B 00408B37 0D db 0D 00408B38 9C db 9C 00408B39 6D db 6D 00408B3A 4B db 4B 00408B3B 00 db 00 00408B3C 0F db 0F 00408B3D BE db BE 00408B3E D0 db D0 00408B3F 41 db 41 00408B40 3B db 3B 00408B41 D1 db D1 00408B42 75 db 75 00408B43 21 db 21 00408B44 B8 db B8 00408B45 01 db 01 00408B46 00 db 00 00408B47 00 db 00 00408B48 00 db 00 00408B49 C3 db C3 00408B4A 8B db 8B 00408B4B 0D db 0D 00408B4C 9C db 9C 00408B4D 6D db 6D 00408B4E 4B db 4B 00408B4F 00 db 00 00408B50 33 db 33 00408B51 C0 db C0 00408B52 3B db 3B 00408B53 C1 db C1 00408B54 74 db 74 00408B55 09 db 09 00408B56 40 db 40 00408B57 83 db 83 00408B58 F8 db F8 00408B59 02 db 02 00408B5A 7C db 7C 00408B5B F6 db F6 00408B5C 33 db 33 00408B5D C0 db C0 00408B5E C3 db C3 00408B5F B8 db B8 00408B60 01 db 01 00408B61 00 db 00 00408B62 00 db 00 00408B63 00 db 00 00408B64 C3 db C3 00408B65 33 db 33 00408B66 C0 db C0 00408B67 C3 db C3 00408B68 90 db 90 00408B69 90 db 90 00408B6A 90 db 90 00408B6B 90 db 90 00408B6C 90 db 90 00408B6D 90 db 90 00408B6E 90 db 90 00408B6F 90 db 90 00408B70 E8 db E8 00408B71 2B db 2B 00408B72 00 db 00 00408B73 00 db 00 00408B74 00 db 00 00408B75 83 db 83 00408B76 3D db 3D 00408B77 9C db 9C 00408B78 6D db 6D 00408B79 4B db 4B 00408B7A 00 db 00 00408B7B FF db FF 00408B7C 74 db 74 00408B7D 19 db 19 00408B7E A1 db A1 00408B7F 60 db 60 00408B80 B1 db B1 00408B81 4D db 4D 00408B82 00 db 00 00408B83 85 db 85 00408B84 C0 db C0 00408B85 74 db 74 00408B86 10 db 10 00408B87 6A db 6A 00408B88 00 db 00 00408B89 6A db 6A 00408B8A . 0168 11 add dword ptr [eax+11], ebp 00408B8D . 0100 add dword ptr [eax], eax 00408B8F ? 0050 FF add byte ptr [eax-1], dl 00408B92 ? 15 84B24A00 adc eax, <&USER32.PostMessageA> 00408B97 ? C3 retn 后面还有,不知有用吗? 2007-2-28 17:03 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 13 楼破解一个exe文件的cd-check,运行exe后,用bp GetDriveTypeA设断,然后查看>断点,找到后双击回到Kernel32模块的断点中,然后按F4,堆栈里会出现: 0012FB98 00408A9D /CALL 到 GetDriveTypeA 0012FB9C 0012FBF8 \RootPathName = "a:\" 点上面行,回车,会回到用户模块中,以下是代码: 00408A97 ? FF15 BCB14A00 call dword ptr[<&GetDriveTypeA>] 00408A9C ? 83F8 05 cmp eax, 5 00408A9D 75 6F jnz short 0048B11 00408AA2 . 6A 00 push 0 00408AA4 . 6A 00 push 0 00408AA6 . 6A 00 push 0 00408AA8 . 6A 00 push 0 00408AAA . 6A 00 push 0 00408AAC ? 8D55 AC lea edx, dword ptr [ebp-54] 00408AAF 6A db 6A 00408AB0 50 db 50 00408AB1 8D db 8D 00408AB2 45 db 45 00408AB3 FC db FC 00408AB4 52 db 52 00408AB5 50 db 50 00408AB6 FF15 C0B14A00 call dword ptr [<&KERNEL32.GetVolumeI> 00408ABC . 85C0 test eax, eax 00408ABE . 74 51 je short 00408B11 00408AC0 . B9 06000000 mov ecx, 6 00408AC5 . 8D7D AC lea edi, dword ptr [ebp-54] 00408AC8 BE db BE 00408AC9 50 db 50 00408ACA FA db FA 00408ACB 4A db 4A 00408ACC 00 db 00 00408ACD 33 db 33 00408ACE D2 db D2 00408ACF F3 db F3 00408AD0 A6 db A6 00408AD1 75 db 75 00408AD2 3E db 3E 00408AD3 0F db 0F 00408AD4 BE db BE 00408AD5 45 db 45 00408AD6 B2 db B2 00408AD7 83 db 83 00408AD8 E8 db E8 00408AD9 31 db 31 00408ADA A3 db A3 00408ADB 9C db 9C 00408ADC 6D db 6D 00408ADD 4B db 4B 00408ADE 00 db 00 00408ADF 78 db 78 00408AE0 26 db 26 00408AE1 83 db 83 00408AE2 F8 db F8 00408AE3 02 db 02 00408AE4 7D db 7D 00408AE5 21 db 21 00408AE6 66 db 66 00408AE7 0F db 0F 00408AE8 BE db BE 00408AE9 45 inc ebp 00408AEA FC db FC 00408AEB 66 db 66 00408AEC A3 db A3 00408AED A0 db A0 00408AEE 6D db 6D 00408AEF 4B db 4B 00408AF0 00 db 00 00408AF1 66 db 66 00408AF2 C7 db C7 00408AF3 05 db 05 00408AF4 A2 db A2 00408AF5 6D db 6D 00408AF6 4B dec ebx 00408AF7 00 db 00 00408AF8 3A db 3A 00408AF9 00 db 00 00408AFA 66 db 66 00408AFB 89 db 89 00408AFC 15 db 15 00408AFD A4 db A4 00408AFE 6D db 6D 00408AFF 4B db 4B 00408B00 00 db 00 00408B01 5F db 5F 00408B02 5E db 5E 00408B03 8B db 8B 00408B04 E5 db E5 00408B05 5D pop ebp 00408B06 C3 db C3 00408B07 C7 db C7 00408B08 . 05 9C6D4B00 add eax, 004B6D9C 00408B0D > FFFF ??? 00408B0F . FFFF ??? 00408B11 . 5F pop edi 00408B12 ? 5E pop esi 00408B13 ? 8BE5 mov esp, ebp 00408B15 ? 5D pop ebp 00408B16 . C3 retn 00408B17 ? 90 nop 00408B18 ? 90 nop 00408B19 ? 90 nop 00408B1A ? 90 nop 00408B1B ? 90 nop 00408B1C . 90 nop 00408B1D . 90 nop 00408B1E ? 90 nop 00408B1F . 90 nop 00408B20 ? 833D 9C6D4B00>cmp dword ptr [4B6D9C], -1 00408B27 74 db 74 00408B28 3C db 3C 00408B29 E8 db E8 00408B2A 32 db 32 00408B2B B0 db B0 00408B2C 02 db 02 00408B2D 00 db 00 00408B2E 3C db 3C 00408B2F FF db FF 00408B30 74 db 74 00408B31 2D db 2D 00408B32 84 db 84 00408B33 C0 db C0 00408B34 74 db 74 00408B35 14 db 14 00408B36 8B db 8B 00408B37 0D db 0D 00408B38 9C db 9C 00408B39 6D db 6D 00408B3A 4B db 4B 00408B3B 00 db 00 00408B3C 0F db 0F 00408B3D BE db BE 00408B3E D0 db D0 00408B3F 41 db 41 00408B40 3B db 3B 00408B41 D1 db D1 00408B42 75 db 75 00408B43 21 db 21 00408B44 B8 db B8 00408B45 01 db 01 00408B46 00 db 00 00408B47 00 db 00 00408B48 00 db 00 00408B49 C3 db C3 00408B4A 8B db 8B 00408B4B 0D db 0D 00408B4C 9C db 9C 00408B4D 6D db 6D 00408B4E 4B db 4B 00408B4F 00 db 00 00408B50 33 db 33 00408B51 C0 db C0 00408B52 3B db 3B 00408B53 C1 db C1 00408B54 74 db 74 00408B55 09 db 09 00408B56 40 db 40 00408B57 83 db 83 00408B58 F8 db F8 00408B59 02 db 02 00408B5A 7C db 7C 00408B5B F6 db F6 00408B5C 33 db 33 00408B5D C0 db C0 00408B5E C3 db C3 00408B5F B8 db B8 00408B60 01 db 01 00408B61 00 db 00 00408B62 00 db 00 00408B63 00 db 00 00408B64 C3 db C3 00408B65 33 db 33 00408B66 C0 db C0 00408B67 C3 db C3 00408B68 90 db 90 00408B69 90 db 90 00408B6A 90 db 90 00408B6B 90 db 90 00408B6C 90 db 90 00408B6D 90 db 90 00408B6E 90 db 90 00408B6F 90 db 90 00408B70 E8 db E8 00408B71 2B db 2B 00408B72 00 db 00 00408B73 00 db 00 00408B74 00 db 00 00408B75 83 db 83 00408B76 3D db 3D 00408B77 9C db 9C 00408B78 6D db 6D 00408B79 4B db 4B 00408B7A 00 db 00 00408B7B FF db FF 00408B7C 74 db 74 00408B7D 19 db 19 00408B7E A1 db A1 00408B7F 60 db 60 00408B80 B1 db B1 00408B81 4D db 4D 00408B82 00 db 00 00408B83 85 db 85 00408B84 C0 db C0 00408B85 74 db 74 00408B86 10 db 10 00408B87 6A db 6A 00408B88 00 db 00 00408B89 6A db 6A 00408B8A . 0168 11 add dword ptr [eax+11], ebp 00408B8D . 0100 add dword ptr [eax], eax 00408B8F ? 0050 FF add byte ptr [eax-1], dl 00408B92 ? 15 84B24A00 adc eax, <&USER32.PostMessageA> 00408B97 ? C3 retn 后面还很多,请牛人看一下...下一步怎么做? 2007-2-28 17:13 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 14 楼这个游戏需要光盘,但其实就是检查一下光盘卷标为XXX即能通过,我用WINISO制作了一个空的卷标为XXX的ISO文件,加载上,这个程序都可通过...现在要做得是如何跳过光盘检查... IDA是什么? 2007-2-28 21:22 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 15 楼版主没来呀,顶一下 2007-3-1 21:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

skswujian

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (14)
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 2 楼没人回答,我顶 2007-2-27 00:22 0
kanxue 雪币： 44229 活跃值： (19955) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 3 楼你在OD里，用GetDriveTypeA设断，可以在命令行里： bp GetDriveTypeA 断下后，回到程序里，将代码复制出来。 2007-2-27 09:41 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 4 楼程序是断下来了,但不知复制哪里?是从断点到末尾,那太长了... 004935D0 > $ 55 push ebp 004935D1 . 8BEC mov ebp, esp 004935D3 . 6A FF push -1 004935D5 . 68 A8B64A00 push 004AB6A8 004935DA . 68 88924900 push 00499288 ; SE 处理程序安装 004935DF . 64:A1 0000000>mov eax, dword ptr fs:[0] 004935E5 . 50 push eax 004935E6 . 64:8925 00000>mov dword ptr fs:[0], esp 004935ED . 83C4 A8 add esp, -58 004935F0 . 53 push ebx 004935F1 . 56 push esi 004935F2 . 57 push edi 004935F3 . 8965 E8 mov dword ptr [ebp-18], esp 004935F6 . FF15 00B14A00 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion 004935FC . 33D2 xor edx, edx 004935FE . 8AD4 mov dl, ah 00493600 . 8915 80545500 mov dword ptr [555480], edx 00493606 . 8BC8 mov ecx, eax 00493608 . 81E1 FF000000 and ecx, 0FF 0049360E . 890D 7C545500 mov dword ptr [55547C], ecx 00493614 . C1E1 08 shl ecx, 8 00493617 . 03CA add ecx, edx 00493619 . 890D 78545500 mov dword ptr [555478], ecx 0049361F . C1E8 10 shr eax, 10 00493622 . A3 74545500 mov dword ptr [555474], eax 00493627 . E8 64430000 call 00497990 0049362C . 85C0 test eax, eax 0049362E . 75 0A jnz short 0049363A 后面还很多... 2007-2-27 17:59 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 5 楼版主还没来? 再顶一下 2007-2-27 20:10 0
smartbear 雪币： 216 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 47 粉丝 0 关注私信	smartbear 6 楼是啊,高手带我们,要说得详细点,不要简写,简称,我们看不懂,如OD\bp\命令行,我现在才懂是不是先在命令行里输:bq GetDriveTypeA,然后再打开EXE呀? 2007-2-27 20:30 0
kanxue 雪币： 44229 活跃值： (19955) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 7 楼最初由 skswujian* 发布* 程序是断下来了,但不知复制哪里?是从断点到末尾,那太长了... 004935D0 > $ 55 push ebp 004935D1 . 8BEC mov ebp, esp 004935D3 . 6A FF push -1 004935D5 . 68 A8B64A00 push 004AB6A8 ........ 这段代码没用，你用GetDriveTypeA设断看看，程序是不是调用了，调用了分析程序如何处理的。 2007-2-27 21:50 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 8 楼不是先在命令行里输:bq GetDriveTypeA,然后再打开EXE吗? 2007-2-27 22:50 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 9 楼这次对不对? 7C8214E3 > 8BFF mov edi, edi 7C8214E5 . 55 push ebp 7C8214E6 . 8BEC mov ebp, esp 7C8214E8 . 837D 08 00 cmp dword ptr [ebp+8], 0 7C8214EC 74 1D je short 7C82150B 7C8214EE FF75 08 push dword ptr [ebp+8] 7C8214F1 E8 7ECBFEFF call 7C80E074 7C8214F6 85C0 test eax, eax 7C8214F8 0F84 83020200 je 7C841781 7C8214FE 8B40 04 mov eax, dword ptr [eax+4] 7C821501 50 push eax 7C821502 E8 C99DFEFF call GetDriveTypeW 7C821507 5D pop ebp 7C821508 C2 0400 retn 4 7C82150B > 33C0 xor eax, eax 7C82150D .^ EB F2 jmp short 7C821501 7C82150F > 3B45 14 cmp eax, dword ptr [ebp+14] 7C821512 . 7C 45 jl short 7C821559 7C821514 . E9 84000000 jmp 7C82159D 7C821519 > FF45 0C inc dword ptr [ebp+C] 7C82151C . EB 7F jmp short 7C82159D 2007-2-27 23:26 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 10 楼这个还是在系统空间,返回程序空间. 打开exe后,在命令行bp GetDriveTypeA 或者打开exe,Ctrl+g:GetDriveTypeA,F2下断. 2007-2-28 07:36 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 11 楼不行呀,按你说得方法也是断在Kernel32模块里,断不到用户模块里呀... 是不是没有脱壳的缘故? 2007-2-28 11:29 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 12 楼最初由 cyto* 发布* 这个还是在系统空间,返回程序空间. 打开exe后,在命令行或者打开exe,Ctrl+g:GetDriveTypeA,F2下断. 这次对吗?这次我是用运行exe后,用bp GetDriveTypeA设断,然后查看>断点,找到后双击会回到Kernel32模块的断点中,然后按F4,堆栈里会出现: 0012FB98 00408A9D /CALL 到 GetDriveTypeA 0012FB9C 0012FBF8 \RootPathName = "a:\" 点上面行,回车,这下才会回到用户模块中,以下是代码: 00408A97 ? FF15 BCB14A00 call dword ptr[<&GetDriveTypeA>] 00408A9C ? 83F8 05 cmp eax, 5 00408A9D 75 6F jnz short 0048B11 00408AA2 . 6A 00 push 0 00408AA4 . 6A 00 push 0 00408AA6 . 6A 00 push 0 00408AA8 . 6A 00 push 0 00408AAA . 6A 00 push 0 00408AAC ? 8D55 AC lea edx, dword ptr [ebp-54] 00408AAF 6A db 6A 00408AB0 50 db 50 00408AB1 8D db 8D 00408AB2 45 db 45 00408AB3 FC db FC 00408AB4 52 db 52 00408AB5 50 db 50 00408AB6 FF15 C0B14A00 call dword ptr [<&KERNEL32.GetVolumeI> 00408ABC . 85C0 test eax, eax 00408ABE . 74 51 je short 00408B11 00408AC0 . B9 06000000 mov ecx, 6 00408AC5 . 8D7D AC lea edi, dword ptr [ebp-54] 00408AC8 BE db BE 00408AC9 50 db 50 00408ACA FA db FA 00408ACB 4A db 4A 00408ACC 00 db 00 00408ACD 33 db 33 00408ACE D2 db D2 00408ACF F3 db F3 00408AD0 A6 db A6 00408AD1 75 db 75 00408AD2 3E db 3E 00408AD3 0F db 0F 00408AD4 BE db BE 00408AD5 45 db 45 00408AD6 B2 db B2 00408AD7 83 db 83 00408AD8 E8 db E8 00408AD9 31 db 31 00408ADA A3 db A3 00408ADB 9C db 9C 00408ADC 6D db 6D 00408ADD 4B db 4B 00408ADE 00 db 00 00408ADF 78 db 78 00408AE0 26 db 26 00408AE1 83 db 83 00408AE2 F8 db F8 00408AE3 02 db 02 00408AE4 7D db 7D 00408AE5 21 db 21 00408AE6 66 db 66 00408AE7 0F db 0F 00408AE8 BE db BE 00408AE9 45 inc ebp 00408AEA FC db FC 00408AEB 66 db 66 00408AEC A3 db A3 00408AED A0 db A0 00408AEE 6D db 6D 00408AEF 4B db 4B 00408AF0 00 db 00 00408AF1 66 db 66 00408AF2 C7 db C7 00408AF3 05 db 05 00408AF4 A2 db A2 00408AF5 6D db 6D 00408AF6 4B dec ebx 00408AF7 00 db 00 00408AF8 3A db 3A 00408AF9 00 db 00 00408AFA 66 db 66 00408AFB 89 db 89 00408AFC 15 db 15 00408AFD A4 db A4 00408AFE 6D db 6D 00408AFF 4B db 4B 00408B00 00 db 00 00408B01 5F db 5F 00408B02 5E db 5E 00408B03 8B db 8B 00408B04 E5 db E5 00408B05 5D pop ebp 00408B06 C3 db C3 00408B07 C7 db C7 00408B08 . 05 9C6D4B00 add eax, 004B6D9C 00408B0D > FFFF ??? 00408B0F . FFFF ??? 00408B11 . 5F pop edi 00408B12 ? 5E pop esi 00408B13 ? 8BE5 mov esp, ebp 00408B15 ? 5D pop ebp 00408B16 . C3 retn 00408B17 ? 90 nop 00408B18 ? 90 nop 00408B19 ? 90 nop 00408B1A ? 90 nop 00408B1B ? 90 nop 00408B1C . 90 nop 00408B1D . 90 nop 00408B1E ? 90 nop 00408B1F . 90 nop 00408B20 ? 833D 9C6D4B00>cmp dword ptr [4B6D9C], -1 00408B27 74 db 74 00408B28 3C db 3C 00408B29 E8 db E8 00408B2A 32 db 32 00408B2B B0 db B0 00408B2C 02 db 02 00408B2D 00 db 00 00408B2E 3C db 3C 00408B2F FF db FF 00408B30 74 db 74 00408B31 2D db 2D 00408B32 84 db 84 00408B33 C0 db C0 00408B34 74 db 74 00408B35 14 db 14 00408B36 8B db 8B 00408B37 0D db 0D 00408B38 9C db 9C 00408B39 6D db 6D 00408B3A 4B db 4B 00408B3B 00 db 00 00408B3C 0F db 0F 00408B3D BE db BE 00408B3E D0 db D0 00408B3F 41 db 41 00408B40 3B db 3B 00408B41 D1 db D1 00408B42 75 db 75 00408B43 21 db 21 00408B44 B8 db B8 00408B45 01 db 01 00408B46 00 db 00 00408B47 00 db 00 00408B48 00 db 00 00408B49 C3 db C3 00408B4A 8B db 8B 00408B4B 0D db 0D 00408B4C 9C db 9C 00408B4D 6D db 6D 00408B4E 4B db 4B 00408B4F 00 db 00 00408B50 33 db 33 00408B51 C0 db C0 00408B52 3B db 3B 00408B53 C1 db C1 00408B54 74 db 74 00408B55 09 db 09 00408B56 40 db 40 00408B57 83 db 83 00408B58 F8 db F8 00408B59 02 db 02 00408B5A 7C db 7C 00408B5B F6 db F6 00408B5C 33 db 33 00408B5D C0 db C0 00408B5E C3 db C3 00408B5F B8 db B8 00408B60 01 db 01 00408B61 00 db 00 00408B62 00 db 00 00408B63 00 db 00 00408B64 C3 db C3 00408B65 33 db 33 00408B66 C0 db C0 00408B67 C3 db C3 00408B68 90 db 90 00408B69 90 db 90 00408B6A 90 db 90 00408B6B 90 db 90 00408B6C 90 db 90 00408B6D 90 db 90 00408B6E 90 db 90 00408B6F 90 db 90 00408B70 E8 db E8 00408B71 2B db 2B 00408B72 00 db 00 00408B73 00 db 00 00408B74 00 db 00 00408B75 83 db 83 00408B76 3D db 3D 00408B77 9C db 9C 00408B78 6D db 6D 00408B79 4B db 4B 00408B7A 00 db 00 00408B7B FF db FF 00408B7C 74 db 74 00408B7D 19 db 19 00408B7E A1 db A1 00408B7F 60 db 60 00408B80 B1 db B1 00408B81 4D db 4D 00408B82 00 db 00 00408B83 85 db 85 00408B84 C0 db C0 00408B85 74 db 74 00408B86 10 db 10 00408B87 6A db 6A 00408B88 00 db 00 00408B89 6A db 6A 00408B8A . 0168 11 add dword ptr [eax+11], ebp 00408B8D . 0100 add dword ptr [eax], eax 00408B8F ? 0050 FF add byte ptr [eax-1], dl 00408B92 ? 15 84B24A00 adc eax, <&USER32.PostMessageA> 00408B97 ? C3 retn 后面还有,不知有用吗? 2007-2-28 17:03 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 13 楼破解一个exe文件的cd-check,运行exe后,用bp GetDriveTypeA设断,然后查看>断点,找到后双击回到Kernel32模块的断点中,然后按F4,堆栈里会出现: 0012FB98 00408A9D /CALL 到 GetDriveTypeA 0012FB9C 0012FBF8 \RootPathName = "a:\" 点上面行,回车,会回到用户模块中,以下是代码: 00408A97 ? FF15 BCB14A00 call dword ptr[<&GetDriveTypeA>] 00408A9C ? 83F8 05 cmp eax, 5 00408A9D 75 6F jnz short 0048B11 00408AA2 . 6A 00 push 0 00408AA4 . 6A 00 push 0 00408AA6 . 6A 00 push 0 00408AA8 . 6A 00 push 0 00408AAA . 6A 00 push 0 00408AAC ? 8D55 AC lea edx, dword ptr [ebp-54] 00408AAF 6A db 6A 00408AB0 50 db 50 00408AB1 8D db 8D 00408AB2 45 db 45 00408AB3 FC db FC 00408AB4 52 db 52 00408AB5 50 db 50 00408AB6 FF15 C0B14A00 call dword ptr [<&KERNEL32.GetVolumeI> 00408ABC . 85C0 test eax, eax 00408ABE . 74 51 je short 00408B11 00408AC0 . B9 06000000 mov ecx, 6 00408AC5 . 8D7D AC lea edi, dword ptr [ebp-54] 00408AC8 BE db BE 00408AC9 50 db 50 00408ACA FA db FA 00408ACB 4A db 4A 00408ACC 00 db 00 00408ACD 33 db 33 00408ACE D2 db D2 00408ACF F3 db F3 00408AD0 A6 db A6 00408AD1 75 db 75 00408AD2 3E db 3E 00408AD3 0F db 0F 00408AD4 BE db BE 00408AD5 45 db 45 00408AD6 B2 db B2 00408AD7 83 db 83 00408AD8 E8 db E8 00408AD9 31 db 31 00408ADA A3 db A3 00408ADB 9C db 9C 00408ADC 6D db 6D 00408ADD 4B db 4B 00408ADE 00 db 00 00408ADF 78 db 78 00408AE0 26 db 26 00408AE1 83 db 83 00408AE2 F8 db F8 00408AE3 02 db 02 00408AE4 7D db 7D 00408AE5 21 db 21 00408AE6 66 db 66 00408AE7 0F db 0F 00408AE8 BE db BE 00408AE9 45 inc ebp 00408AEA FC db FC 00408AEB 66 db 66 00408AEC A3 db A3 00408AED A0 db A0 00408AEE 6D db 6D 00408AEF 4B db 4B 00408AF0 00 db 00 00408AF1 66 db 66 00408AF2 C7 db C7 00408AF3 05 db 05 00408AF4 A2 db A2 00408AF5 6D db 6D 00408AF6 4B dec ebx 00408AF7 00 db 00 00408AF8 3A db 3A 00408AF9 00 db 00 00408AFA 66 db 66 00408AFB 89 db 89 00408AFC 15 db 15 00408AFD A4 db A4 00408AFE 6D db 6D 00408AFF 4B db 4B 00408B00 00 db 00 00408B01 5F db 5F 00408B02 5E db 5E 00408B03 8B db 8B 00408B04 E5 db E5 00408B05 5D pop ebp 00408B06 C3 db C3 00408B07 C7 db C7 00408B08 . 05 9C6D4B00 add eax, 004B6D9C 00408B0D > FFFF ??? 00408B0F . FFFF ??? 00408B11 . 5F pop edi 00408B12 ? 5E pop esi 00408B13 ? 8BE5 mov esp, ebp 00408B15 ? 5D pop ebp 00408B16 . C3 retn 00408B17 ? 90 nop 00408B18 ? 90 nop 00408B19 ? 90 nop 00408B1A ? 90 nop 00408B1B ? 90 nop 00408B1C . 90 nop 00408B1D . 90 nop 00408B1E ? 90 nop 00408B1F . 90 nop 00408B20 ? 833D 9C6D4B00>cmp dword ptr [4B6D9C], -1 00408B27 74 db 74 00408B28 3C db 3C 00408B29 E8 db E8 00408B2A 32 db 32 00408B2B B0 db B0 00408B2C 02 db 02 00408B2D 00 db 00 00408B2E 3C db 3C 00408B2F FF db FF 00408B30 74 db 74 00408B31 2D db 2D 00408B32 84 db 84 00408B33 C0 db C0 00408B34 74 db 74 00408B35 14 db 14 00408B36 8B db 8B 00408B37 0D db 0D 00408B38 9C db 9C 00408B39 6D db 6D 00408B3A 4B db 4B 00408B3B 00 db 00 00408B3C 0F db 0F 00408B3D BE db BE 00408B3E D0 db D0 00408B3F 41 db 41 00408B40 3B db 3B 00408B41 D1 db D1 00408B42 75 db 75 00408B43 21 db 21 00408B44 B8 db B8 00408B45 01 db 01 00408B46 00 db 00 00408B47 00 db 00 00408B48 00 db 00 00408B49 C3 db C3 00408B4A 8B db 8B 00408B4B 0D db 0D 00408B4C 9C db 9C 00408B4D 6D db 6D 00408B4E 4B db 4B 00408B4F 00 db 00 00408B50 33 db 33 00408B51 C0 db C0 00408B52 3B db 3B 00408B53 C1 db C1 00408B54 74 db 74 00408B55 09 db 09 00408B56 40 db 40 00408B57 83 db 83 00408B58 F8 db F8 00408B59 02 db 02 00408B5A 7C db 7C 00408B5B F6 db F6 00408B5C 33 db 33 00408B5D C0 db C0 00408B5E C3 db C3 00408B5F B8 db B8 00408B60 01 db 01 00408B61 00 db 00 00408B62 00 db 00 00408B63 00 db 00 00408B64 C3 db C3 00408B65 33 db 33 00408B66 C0 db C0 00408B67 C3 db C3 00408B68 90 db 90 00408B69 90 db 90 00408B6A 90 db 90 00408B6B 90 db 90 00408B6C 90 db 90 00408B6D 90 db 90 00408B6E 90 db 90 00408B6F 90 db 90 00408B70 E8 db E8 00408B71 2B db 2B 00408B72 00 db 00 00408B73 00 db 00 00408B74 00 db 00 00408B75 83 db 83 00408B76 3D db 3D 00408B77 9C db 9C 00408B78 6D db 6D 00408B79 4B db 4B 00408B7A 00 db 00 00408B7B FF db FF 00408B7C 74 db 74 00408B7D 19 db 19 00408B7E A1 db A1 00408B7F 60 db 60 00408B80 B1 db B1 00408B81 4D db 4D 00408B82 00 db 00 00408B83 85 db 85 00408B84 C0 db C0 00408B85 74 db 74 00408B86 10 db 10 00408B87 6A db 6A 00408B88 00 db 00 00408B89 6A db 6A 00408B8A . 0168 11 add dword ptr [eax+11], ebp 00408B8D . 0100 add dword ptr [eax], eax 00408B8F ? 0050 FF add byte ptr [eax-1], dl 00408B92 ? 15 84B24A00 adc eax, <&USER32.PostMessageA> 00408B97 ? C3 retn 后面还很多,请牛人看一下...下一步怎么做? 2007-2-28 17:13 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 14 楼这个游戏需要光盘,但其实就是检查一下光盘卷标为XXX即能通过,我用WINISO制作了一个空的卷标为XXX的ISO文件,加载上,这个程序都可通过...现在要做得是如何跳过光盘检查... IDA是什么? 2007-2-28 21:22 0
skswujian 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 13 粉丝 0 关注私信	skswujian 15 楼版主没来呀,顶一下 2007-3-1 21:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复