[Old post] [Discussion] What kind of new self-check is this?

Posted: 2007-3-31 18:58
I was cracking this game cheat program and, following the string references, found:
00415449 |. E8 B9EFFFFF call 00414407
0041544E |. 0FBE85 B0D5FF>movsx eax, byte ptr [ebp-2A50]
00415455 |. 2BC7 sub eax, edi
00415457 |. 59 pop ecx
00415458 |. 57 push edi
00415459 74 45 je short 004154A0
0041545B |. 48 dec eax ; Switch (cases 1..4)
0041545C |. 8BCE mov ecx, esi
0041545E |. 68 30BB4400 push 0044BB30 ; 霸王剑提示
00415463 |. 74 31 je short 00415496
00415465 |. 48 dec eax
00415466 |. 74 24 je short 0041548C
00415468 |. 48 dec eax
00415469 |. 74 17 je short 00415482
0041546B |. 48 dec eax
0041546C |. 74 0A je short 00415478
0041546E |. 68 F8BA4400 push 0044BAF8 ; 网络传输故障!
00415473 |. E9 32180000 jmp 00416CAA
00415478 |> 68 E8BA4400 push 0044BAE8 ; 可使用次数为0!; Case 4 of switch 0041545B
0041547D |. E9 28180000 jmp 00416CAA
00415482 |> 68 18B84400 push 0044B818 ; 抱歉,服务器忙,请稍后再试!; Case 3 of switch 0041545B
00415487 |. E9 1E180000 jmp 00416CAA
0041548C |> 68 DCBA4400 push 0044BADC ; 账号过期!; Case 2 of switch 0041545B
00415491 |. E9 14180000 jmp 00416CAA
00415496 |> 68 D0BA4400 push 0044BAD0 ; 账号错误!; Case 1 of switch 0041545B
0041549B |. E9 0A180000 jmp 00416CAA
004154A0 |> 57 push edi
004154A1 |. 57 push edi
004154A2 |. 57 push edi
004154A3 |. 57 push edi
004154A4 |. 68 C9424100 push 004142C9
004154A9 |. E8 03FA0100 call 00434EB1
004154AE |. FF15 18854400 call dword ptr [<&USER32.GetForegroun>; [GetForegroundWindow
004154B4 |. 68 30626200 push 00626230 ; /Buffer = ctfmon.00626230
004154B9 |. 68 FF000000 push 0FF ; |BufSize = FF (255.)
004154BE |. FF15 0C834400 call dword ptr [<&KERNEL32.GetCurrent>; \GetCurrentDirectoryA
004154C4 |. 8D45 FC lea eax, dword ptr [ebp-4]
004154C7 |. 50 push eax ; /pHandle
004154C8 |. 68 7CB54400 push 0044B57C ; |system\bwdata
004154CD |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004154D2 |. C745 F8 01000>mov dword ptr [ebp-8], 1 ; |
004154D9 |. FF15 0C804400 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyA
004154DF |. 85C0 test eax, eax
004154E1 |. 75 21 jnz short 00415504
004154E3 |. 6A 20 push 20 ; /BufSize = 20 (32.)
004154E5 |. 8D46 70 lea eax, dword ptr [esi+70] ; |
004154E8 |. 50 push eax ; |Buffer
004154E9 |. FF75 F8 push dword ptr [ebp-8] ; |ValueType
004154EC |. 57 push edi ; |Reserved
004154ED |. 68 C4BA4400 push 0044BAC4 ; |lastuser
004154F2 |. FF75 FC push dword ptr [ebp-4] ; |hKey
004154F5 |. FF15 08804400 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA
004154FB |. FF75 FC push dword ptr [ebp-4] ; /hKey
004154FE |. FF15 00804400 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00415504 |> 8D46 70 lea eax, dword ptr [esi+70]
00415507 |. 50 push eax
00415508 |. 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
0041550E |. 68 D8914400 push 004491D8 ; system\bwdata\%s
00415513 |. 50 push eax
00415514 |. E8 98020100 call 004257B1
00415519 |. 83C4 0C add esp, 0C
0041551C |. 6A 04 push 4
0041551E |. 58 pop eax
0041551F |. 8945 F8 mov dword ptr [ebp-8], eax
00415522 |. 8945 F4 mov dword ptr [ebp-C], eax
00415525 |. 8D45 FC lea eax, dword ptr [ebp-4]
00415528 |. 50 push eax ; /pHandle
00415529 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
0041552E |. 57 push edi ; |Reserved
0041552F |. 8D85 C8FDFFFF lea eax, dword ptr [ebp-238] ; |
00415535 |. 50 push eax ; |Subkey
00415536 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0041553B |. FF15 04804400 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00415541 |. 85C0 test eax, eax
00415543 |. 0F85 2C100000 jnz 00416575
00415549 |. 8B35 24804400 mov esi, dword ptr [<&ADVAPI32.RegQu>; ADVAPI32.RegQueryValueExA
0041554F |. 8D45 F4 lea eax, dword ptr [ebp-C]
00415552 |. 50 push eax ; /pBufSize
00415553 |. 68 F05E5200 push 00525EF0 ; |Buffer = ctfmon.00525EF0
00415558 |. 8D45 F8 lea eax, dword ptr [ebp-8] ; |
0041555B |. 50 push eax ; |pValueType
0041555C |. 57 push edi ; |Reserved
0041555D |. 68 C0914400 push 004491C0 ; |base
00415562 |. FF75 FC push dword ptr [ebp-4] ; |hKey
I changed the je in 00415459 74 45 je short 004154A0 to jnz and saved. After starting it, the cheat died halfway through, so I concluded there is a self-check. Searching the stack for the exiting routine, ExitProcess, I arrived at:
00425AB0 |. FF15 A4824400 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
00425AB6 |. 85C0 test eax, eax
00425AB8 |. 74 16 je short 00425AD0
00425ABA |. 68 540D4500 push 00450D54 ; /corexitprocess
00425ABF |. 50 push eax ; |hModule
00425AC0 |. FF15 FC824400 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00425AC6 |. 85C0 test eax, eax
00425AC8 |. 74 06 je short 00425AD0
00425ACA |. FF7424 04 push dword ptr [esp+4]
00425ACE |. FFD0 call eax
00425AD0 |> FF7424 04 push dword ptr [esp+4] ; /ExitCode
00425AD4 \. FF15 D0824400 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess
00425ADA CC int3
00425ADB /$ 6A 08 push 8
00425ADD |. E8 E8230000 call 00427ECA
00425AE2 |. 59 pop ecx
00425AE3 \. C3 retn
00425AE4 /$ 6A 08 push 8
00425AE6 |. E8 2A230000 call 00427E15
00425AEB |. 59 pop ecx
00425AEC \. C3 retn
00425AED /$ 56 push esi
00425AEE |. 8BF0 mov esi, eax
00425AF0 |. EB 0B jmp short 00425AFD
00425AF2 |> 8B06 /mov eax, dword ptr [esi]
00425AF4 |. 85C0 |test eax, eax
00425AF6 |. 74 02 |je short 00425AFA
00425AF8 |. FFD0 |call eax
00425AFA |> 83C6 04 |add esi, 4
00425AFD |> 3B7424 08 cmp esi, dword ptr [esp+8]
00425B01 |.^ 72 EF \jb short 00425AF2
00425B03 |. 5E pop esi
00425B04 \. C3 retn
00425B05 /$ A1 48CE4500 mov eax, dword ptr [45CE48]
00425B0A |. 85C0 test eax, eax
00425B0C |. 74 07 je short 00425B15
00425B0E |. FF7424 04 push dword ptr [esp+4]
00425B12 |. FFD0 call eax
00425B14 |. 59 pop ecx
00425B15 |> 56 push esi
00425B16 |. 57 push edi
00425B17 |. B9 80B04500 mov ecx, 0045B080
00425B1C |. BF 94B04500 mov edi, 0045B094
00425B21 |. 33C0 xor eax, eax
00425B23 |. 3BCF cmp ecx, edi
00425B25 |. 8BF1 mov esi, ecx
00425B27 |. 73 17 jnb short 00425B40
00425B29 |> 85C0 /test eax, eax
00425B2B |. 75 3F |jnz short 00425B6C
00425B2D |. 8B0E |mov ecx, dword ptr [esi]
00425B2F |. 85C9 |test ecx, ecx
00425B31 |. 74 02 |je short 00425B35
00425B33 |. FFD1 |call ecx
00425B35 |> 83C6 04 |add esi, 4
00425B38 |. 3BF7 |cmp esi, edi
00425B3A |.^ 72 ED \jb short 00425B29
00425B3C |. 85C0 test eax, eax
00425B3E |. 75 2C jnz short 00425B6C
00425B40 |> 68 F3C44200 push 0042C4F3
00425B45 |. E8 63F9FFFF call 004254AD
00425B4A |. BE 00B04500 mov esi, 0045B000
00425B4F |. 8BC6 mov eax, esi
00425B51 |. BF 7CB04500 mov edi, 0045B07C
00425B56 |. 3BC7 cmp eax, edi
00425B58 |. 59 pop ecx
00425B59 |. 73 0F jnb short 00425B6A
00425B5B |> 8B06 /mov eax, dword ptr [esi]
00425B5D |. 85C0 |test eax, eax
00425B5F |. 74 02 |je short 00425B63
00425B61 |. FFD0 |call eax
00425B63 |> 83C6 04 |add esi, 4
00425B66 |. 3BF7 |cmp esi, edi
00425B68 |.^ 72 F1 \jb short 00425B5B
00425B6A |> 33C0 xor eax, eax
00425B6C |> 5F pop edi
00425B6D |. 5E pop esi
00425B6E \. C3 retn
00425B6F /$ 6A 08 push 8
00425B71 |. 68 700D4500 push 00450D70
00425B76 |. E8 99E6FFFF call 00424214
00425B7B |. 6A 08 push 8 ; /Arg1 = 00000008
00425B7D |. E8 48230000 call 00427ECA ; \ctfmon.00427ECA
00425B82 |. 59 pop ecx
00425B83 |. 33FF xor edi, edi
00425B85 |. 897D FC mov dword ptr [ebp-4], edi
00425B88 |. 33F6 xor esi, esi
00425B8A |. 46 inc esi
00425B8B |. 3935 34886200 cmp dword ptr [628834], esi
00425B91 |. 75 10 jnz short 00425BA3
00425B93 |. FF75 08 push dword ptr [ebp+8] ; /ExitCode
00425B96 |. FF15 F4814400 call dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentProcess
00425B9C |. 50 push eax ; |hProcess
00425B9D |. FF15 04834400 call dword ptr [<&KERNEL32.TerminateP>; \TerminateProcess
00425BA3 |> 8935 30886200 mov dword ptr [628830], esi
00425BA9 |. 8A45 10 mov al, byte ptr [ebp+10]
00425BAC |. A2 2C886200 mov byte ptr [62882C], al
00425BB1 |. 397D 0C cmp dword ptr [ebp+C], edi
00425BB4 |. 75 37 jnz short 00425BED
00425BB6 |. 393D CCA06200 cmp dword ptr [62A0CC], edi
00425BBC |. 74 1F je short 00425BDD
00425BBE |> A1 C8A06200 /mov eax, dword ptr [62A0C8]
00425BC3 |. 83E8 04 |sub eax, 4
00425BC6 |. A3 C8A06200 |mov dword ptr [62A0C8], eax
00425BCB |. 3B05 CCA06200 |cmp eax, dword ptr [62A0CC]
00425BD1 |. 72 0A |jb short 00425BDD
00425BD3 |. 8B00 |mov eax, dword ptr [eax]
00425BD5 |. 3BC7 |cmp eax, edi
00425BD7 |.^ 74 E5 |je short 00425BBE
00425BD9 |. FFD0 |call eax
00425BDB |.^ EB E1 \jmp short 00425BBE
00425BDD |> 68 A0B04500 push 0045B0A0
00425BE2 |. B8 98B04500 mov eax, 0045B098
00425BE7 |. E8 01FFFFFF call 00425AED
00425BEC |. 59 pop ecx
00425BED |> 68 ACB04500 push 0045B0AC
00425BF2 |. B8 A4B04500 mov eax, 0045B0A4
00425BF7 |. E8 F1FEFFFF call 00425AED
00425BFC |. 59 pop ecx
00425BFD |. 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00425C01 |. E8 18000000 call 00425C1E
00425C06 |. 397D 10 cmp dword ptr [ebp+10], edi
00425C09 75 21 jnz short 00425C2C
00425C0B |. 8935 34886200 mov dword ptr [628834], esi
00425C11 |. FF75 08 push dword ptr [ebp+8]
00425C14 |. E8 92FEFFFF call 00425AAB
00425C19 |. 33FF xor edi, edi
00425C1B |. 33F6 xor esi, esi
00425C1D |. 46 inc esi
00425C1E |$ 397D 10 cmp dword ptr [ebp+10], edi
00425C21 |. 74 08 je short 00425C2B
00425C23 |. 6A 08 push 8
00425C25 |. E8 EB210000 call 00427E15
00425C2A |. 59 pop ecx
00425C2B |> C3 retn
00425C2C |> E8 1EE6FFFF call 0042424F
00425C31 \. C3 retn
I changed the jnz at 00425C09 75 21 jnz short 00425C2C to je and saved. This time, halfway through the game, both the cheat and the game were closed, and when I went back to the stack to look for the exit routine ExitProcess, I could no longer find it. By tracing,
00414708 . FFD5 call ebp
0041470A . 3BC3 cmp eax, ebx
0041470C . 74 2D je short 0041473B
0041470E . 8D4C24 14 lea ecx, dword ptr [esp+14]
00414712 . 51 push ecx ; /pProcessID
00414713 . 50 push eax ; |hWnd
00414714 . 895C24 1C mov dword ptr [esp+1C], ebx ; |
00414718 . FF15 20854400 call dword ptr [<&USER32.GetWindowThr>; \GetWindowThreadProcessId
0041471E . FF7424 14 push dword ptr [esp+14] ; /ProcessId
00414722 . 53 push ebx ; |Inheritable
00414723 . 68 FF0F1F00 push 1F0FFF ; |Access = PROCESS_ALL_ACCESS
00414728 . FF15 00834400 call dword ptr [<&KERNEL32.OpenProces>; \OpenProcess
0041472E . 3BC3 cmp eax, ebx
00414730 . 74 09 je short 0041473B
00414732 . 6A FF push -1 ; /ExitCode = FFFFFFFF (-1.)
00414734 . 50 push eax ; |hProcess
00414735 . FF15 04834400 call dword ptr [<&KERNEL32.TerminateP>; \TerminateProcess
0041473B > 68 88130000 push 1388 ; /Timeout = 5000. ms
00414740 . FF15 08834400 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00414746 . 803D 28606200>cmp byte ptr [626028], 2
0041474D .^ 0F85 7FFEFFFF jnz 004145D2
00414753 . 6A FF push -1
00414755 . E8 D8140100 call 00425C32
0041475A . 5F pop edi
0041475B . 5E pop esi
0041475C . 5D pop ebp
0041475D . 5B pop ebx
0041475E /$ B8 14714400 mov eax, 00447114
00414763 |. E8 2C010100 call 00424894
00414768 |. 51 push ecx
00414769 |. 56 push esi
0041476A |. 8BF1 mov esi, ecx
0041476C |. 57 push edi
0041476D |. 8975 F0 mov dword ptr [ebp-10], esi
00414770 |. C706 E0B54400 mov dword ptr [esi], 0044B5E0
00414776 |. 833D 28646200>cmp dword ptr [626428], 0
0041477D |. C745 FC 09000>mov dword ptr [ebp-4], 9
00414784 |. 74 13 je short 00414799
00414786 |. 68 D8B54400 push 0044B5D8 ; /ProcNameOrOrdinal = "_pSend"
0041478B |. FF35 1C606200 push dword ptr [62601C] ; |hModule = NULL
00414791 |. FF15 FC824400 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00414797 |. FFD0 call eax
00414799 |> 8B8E E0010000 mov ecx, dword ptr [esi+1E0]
0041479F |. 6A 10 push 10
004147A1 |. 5F pop edi
004147A2 |. 2BCF sub ecx, edi
I found that at 00414770 |. C706 E0B54400 mov dword ptr [esi], 0044B5E0 OllyDbg (OD) reported an exception. I changed 0041476A |. 8BF1 mov esi, ecx to mov esi, esi, but tracing further I reached:
00401257 /$ 8B4424 08 mov eax, dword ptr [esp+8]
0040125B |. C1E8 04 shr eax, 4
0040125E |. 40 inc eax
0040125F |. 0FB7C0 movzx eax, ax
00401262 |. 6A 06 push 6 ; /ResourceType = RT_STRING
00401264 |. 50 push eax ; |ResourceName
00401265 |. FF7424 0C push dword ptr [esp+C] ; |hModule
00401269 |. FF15 34834400 call dword ptr [<&KERNEL32.FindResour>; \FindResourceA
0040126F |. 85C0 test eax, eax
00401271 |. 75 01 jnz short 00401274
00401273 |. C3 retn
00401274 |> FF7424 08 push dword ptr [esp+8] ; /Arg3
00401278 |. 50 push eax ; |Arg2
00401279 |. FF7424 0C push dword ptr [esp+C] ; |Arg1
0040127D |. E8 79FFFFFF call 004011FB ; \ctfmon.004011FB
00401282 |. 83C4 0C add esp, 0C
00401285 \. C3 retn
00401286 /$ 8D41 0C lea eax, dword ptr [ecx+C]
00401289 |. 83CA FF or edx, FFFFFFFF
0040128C |. F0:0FC110 lock xadd dword ptr [eax], edx
00401290 |. 4A dec edx
00401291 |. 85D2 test edx, edx
00401293 |. 7F 0A jg short 0040129F
00401295 |. 8B01 mov eax, dword ptr [ecx]
00401297 |. 8B10 mov edx, dword ptr [eax]
00401299 |. 51 push ecx
0040129A |. 8BC8 mov ecx, eax
0040129C |. FF52 04 call dword ptr [edx+4]
0040129F \> C3 retn
At 0040128C |. F0:0FC110 lock xadd dword ptr [eax], edx there was another exception, and then it died. Could someone help me take a look at what the cause is? Thanks! Thanks!