I have always been drawn to software cracking, and coming to Kanxue (看雪) has taught me a great deal. Thank you for such a good forum!
I am cracking a piece of software; the EXE and DLL have already been unpacked, but I cannot identify the key jump.
Asking friends for help.
I set a breakpoint on MessageBoxA and traced until MessageBox returned to: 00420DD4 |. 85F6 test esi, esi
An excerpt of the listing follows:
00420C5D . 85C9 test ecx, ecx
00420C5F . 74 09 je short 00420C6A
00420C61 . 8B01 mov eax, dword ptr [ecx]
00420C63 . FF7424 04 push dword ptr [esp+4]
00420C67 . FF50 04 call dword ptr [eax+4]
00420C6A > C2 0400 retn 4
00420C6D . 8B89 80000000 mov ecx, dword ptr [ecx+80]
00420C73 . FF7424 04 push dword ptr [esp+4]
00420C77 . 8B01 mov eax, dword ptr [ecx]
00420C79 . FF50 1C call dword ptr [eax+1C]
00420C7C . C2 0400 retn 4
00420C7F . 8B89 A8000000 mov ecx, dword ptr [ecx+A8]
00420C85 . 85C9 test ecx, ecx
00420C87 . 75 0C jnz short 00420C95
00420C89 . 8B4C24 04 mov ecx, dword ptr [esp+4]
00420C8D . 6A 00 push 0
00420C8F . 8B01 mov eax, dword ptr [ecx]
00420C91 . FF10 call dword ptr [eax]
00420C93 . EB 09 jmp short 00420C9E
00420C95 > 8B01 mov eax, dword ptr [ecx]
00420C97 . FF7424 04 push dword ptr [esp+4]
00420C9B . FF50 08 call dword ptr [eax+8]
00420C9E > C2 0400 retn 4
00420CA1 . 8B89 80000000 mov ecx, dword ptr [ecx+80]
00420CA7 . 85C9 test ecx, ecx
00420CA9 . 74 0B je short 00420CB6
00420CAB . 8B01 mov eax, dword ptr [ecx]
00420CAD . FF7424 04 push dword ptr [esp+4]
00420CB1 . FF50 30 call dword ptr [eax+30]
00420CB4 . EB 02 jmp short 00420CB8
00420CB6 > 33C0 xor eax, eax
00420CB8 > C2 0400 retn 4
00420CBB . 8B4424 04 mov eax, dword ptr [esp+4]
00420CBF . 56 push esi
00420CC0 . 8DB1 A8000000 lea esi, dword ptr [ecx+A8]
00420CC6 . 57 push edi
00420CC7 . 8DB8 F01EFFFF lea edi, dword ptr [eax+FFFF1EF0]
00420CCD . 8B11 mov edx, dword ptr [ecx]
00420CCF . 8B06 mov eax, dword ptr [esi]
00420CD1 . 8B40 08 mov eax, dword ptr [eax+8]
00420CD4 . 8B04B8 mov eax, dword ptr [eax+edi*4]
00420CD7 . 50 push eax
00420CD8 . FF52 7C call dword ptr [edx+7C]
00420CDB . 85C0 test eax, eax
00420CDD . 75 07 jnz short 00420CE6
00420CDF . 8B0E mov ecx, dword ptr [esi]
00420CE1 . 57 push edi
00420CE2 . 8B01 mov eax, dword ptr [ecx]
00420CE4 . FF10 call dword ptr [eax]
00420CE6 > 6A 01 push 1
00420CE8 . 58 pop eax
00420CE9 . 5F pop edi
00420CEA . 5E pop esi
00420CEB . C2 0400 retn 4
00420CEE /$ 56 push esi
00420CEF |. E8 682BFEFF call 0040385C
00420CF4 |. 8BF0 mov esi, eax
00420CF6 |. 85F6 test esi, esi
00420CF8 |. 74 1E je short 00420D18
00420CFA |. 8B06 mov eax, dword ptr [esi]
00420CFC |. 8BCE mov ecx, esi
00420CFE |. FF90 B0000000 call dword ptr [eax+B0]
00420D04 |. 85C0 test eax, eax
00420D06 |. 74 10 je short 00420D18
00420D08 |. 8B4E 68 mov ecx, dword ptr [esi+68]
00420D0B |. 85C9 test ecx, ecx
00420D0D |. 74 09 je short 00420D18
00420D0F |. 8B01 mov eax, dword ptr [ecx]
00420D11 |. FF7424 08 push dword ptr [esp+8]
00420D15 |. FF50 64 call dword ptr [eax+64]
00420D18 |> 5E pop esi
00420D19 \. C2 0400 retn 4
00420D1C /$ 55 push ebp
00420D1D |. 8BEC mov ebp, esp
00420D1F |. 81EC 14010000 sub esp, 114
00420D25 |. 53 push ebx
00420D26 |. 56 push esi
00420D27 |. 57 push edi
00420D28 |. 33DB xor ebx, ebx
00420D2A |. 8BF9 mov edi, ecx
00420D2C |. 53 push ebx
00420D2D |. 897D F0 mov dword ptr [ebp-10], edi
00420D30 |. E8 B9FFFFFF call 00420CEE
00420D35 |. 8D45 FC lea eax, dword ptr [ebp-4]
00420D38 |. 50 push eax
00420D39 |. 53 push ebx
00420D3A |. E8 55010000 call 00420E94
00420D3F |. 33F6 xor esi, esi
00420D41 |. 3BC3 cmp eax, ebx
00420D43 |. 8945 F4 mov dword ptr [ebp-C], eax
00420D46 |. 74 18 je short 00420D60
00420D48 |. 53 push ebx ; /lParam
00420D49 |. 53 push ebx ; |wParam
00420D4A |. 68 76030000 push 376 ; |Message = MSG(376)
00420D4F |. FF75 FC push dword ptr [ebp-4] ; |hWnd
00420D52 |. FF15 AC144800 call dword ptr [<&user32.#572>] ; \SendMessageA
00420D58 |. 3BC3 cmp eax, ebx
00420D5A |. 74 04 je short 00420D60
00420D5C |. 8BF0 mov esi, eax
00420D5E |. EB 0A jmp short 00420D6A
00420D60 |> 3BFB cmp edi, ebx
00420D62 |. 74 06 je short 00420D6A
00420D64 |. 8DB7 9C000000 lea esi, dword ptr [edi+9C]
00420D6A |> 3BF3 cmp esi, ebx
00420D6C |. 895D F8 mov dword ptr [ebp-8], ebx
00420D6F |. 74 13 je short 00420D84
00420D71 |. 8B06 mov eax, dword ptr [esi]
00420D73 |. 8945 F8 mov dword ptr [ebp-8], eax
00420D76 |. 8B45 10 mov eax, dword ptr [ebp+10]
00420D79 |. 3BC3 cmp eax, ebx
00420D7B |. 74 07 je short 00420D84
00420D7D |. 05 00000300 add eax, 30000
00420D82 |. 8906 mov dword ptr [esi], eax
00420D84 |> 8B5D 0C mov ebx, dword ptr [ebp+C]
00420D87 |. F6C3 F0 test bl, 0F0
00420D8A |. 75 17 jnz short 00420DA3
00420D8C |. 8BC3 mov eax, ebx
00420D8E |. 83E0 0F and eax, 0F
00420D91 |. 83F8 01 cmp eax, 1
00420D94 |. 76 0A jbe short 00420DA0
00420D96 |. 83F8 02 cmp eax, 2
00420D99 |. 76 08 jbe short 00420DA3
00420D9B |. 83F8 04 cmp eax, 4
00420D9E |. 77 03 ja short 00420DA3
00420DA0 |> 83CB 30 or ebx, 30
00420DA3 |> 85FF test edi, edi
00420DA5 |. 74 05 je short 00420DAC
00420DA7 |. 8B7F 78 mov edi, dword ptr [edi+78]
00420DAA EB 1A jmp short 00420DC6
00420DAC |> 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
00420DB2 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00420DB7 |. 50 push eax ; |PathBuffer
00420DB8 |. 6A 00 push 0 ; |hModule = NULL
00420DBA |. 8DBD ECFEFFFF lea edi, dword ptr [ebp-114] ; |
00420DC0 |. FF15 C8114800 call dword ptr [<&kernel32.#372>] ; \GetModuleFileNameA
00420DC6 |> 53 push ebx ; /Style
00420DC7 |. 57 push edi ; |Title
00420DC8 |. FF75 08 push dword ptr [ebp+8] ; |Text
00420DCB |. FF75 F4 push dword ptr [ebp-C] ; |hOwner
00420DCE |. FF15 AC134800 call dword ptr [<&user32.#477>] ; \MessageBoxA
00420DD4 |. 85F6 test esi, esi
Seeking guidance from friends! Thanks.