0040115C E8 77000000 CALL <JMP.&KERNEL32.LoadLibraryA>
00401161 85C0 TEST EAX,EAX
00401163 74 40 JE SHORT Cracking.004011A5
00401165 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0040116B 68 2D104000 PUSH Cracking.0040102D ; ASCII "GetNewSock"
00401170 50 PUSH EAX
00401171 E8 5C000000 CALL <JMP.&KERNEL32.GetProcAddress>
00401176 85C0 TEST EAX,EAX
00401178 74 20 JE SHORT Cracking.0040119A
0040117A 68 E8030000 PUSH 3E8
0040117F FFD0 CALL EAX
00401181 85C0 TEST EAX,EAX
00401183 74 15 JE SHORT Cracking.0040119A
00401185 E8 00000000 CALL Cracking.0040118A
0040118A 810424 761E0000 ADD DWORD PTR SS:[ESP],1E76
00401191 FFD0 CALL EAX ; E封装入口F7
00401193 6A 00 PUSH 0
00401195 E8 2C000000 CALL <JMP.&KERNEL32.ExitProcess>
1002998A 55 PUSH EBP
1002998B 8BEC MOV EBP,ESP
1002998D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
10029990 50 PUSH EAX
10029991 B9 10DB0E10 MOV ECX,krnln.100EDB10
10029996 E8 04F5FFFF CALL krnln.10028E9F ; F7跟进
1002999B 5D POP EBP
1002999C C2 0400 RETN 4
10028E9F 55 PUSH EBP
10028EA0 8BEC MOV EBP,ESP
10028EA2 83EC 08 SUB ESP,8
10028EA5 53 PUSH EBX
10028EA6 56 PUSH ESI
10028EA7 57 PUSH EDI
10028EA8 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
10028EAB FF15 E0230C10 CALL DWORD PTR DS:[<&KERNEL32.GetProcess>; kernel32.GetProcessHeap
10028EB1 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
10028EB4 8981 50040000 MOV DWORD PTR DS:[ECX+450],EAX
10028EBA 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
10028EBD 8B42 30 MOV EAX,DWORD PTR DS:[EDX+30]
10028EC0 83E0 01 AND EAX,1
10028EC3 85C0 TEST EAX,EAX
10028EC5 75 10 JNZ SHORT krnln.10028ED7
10028EC7 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
10028ECA 51 PUSH ECX
10028ECB 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
10028ECE E8 4DFB0200 CALL krnln.10058A20
10028ED3 FFE0 JMP EAX ; 跳向OEP
10028ED5 EB 0E JMP SHORT krnln.10028EE5
10028ED7 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
10028EDA 52 PUSH EDX
004643CB C3 RETN
004643CC FC CLD
004643CD DBE3 FINIT
004643CF E8 EAF5FFFF CALL Cracking.004639BE
004643D4 68 FA394600 PUSH Cracking.004639FA
004643D9 B8 03000000 MOV EAX,3
004643DE E8 36000000 CALL Cracking.00464419
004643E3 83C4 04 ADD ESP,4
004643E6 E8 53E2FEFF CALL Cracking.0045263E
004643EB 68 01000152 PUSH 52010001
004643F0 E8 1E000000 CALL Cracking.00464413
004643F5 83C4 04 ADD ESP,4
004643F8 6A 00 PUSH 0
004643FA E8 0E000000 CALL Cracking.0046440D
004643FF E8 03000000 CALL Cracking.00464407
00464404 83C4 04 ADD ESP,4
00464407 - FF25 A1564200 JMP DWORD PTR DS:[4256A1] ; krnln.10029892
0046440D - FF25 A5564200 JMP DWORD PTR DS:[4256A5] ; krnln.100297FD
00464413 - FF25 A9564200 JMP DWORD PTR DS:[4256A9] ; krnln.10029827
00464419 - FF25 AD564200 JMP DWORD PTR DS:[4256AD] ; krnln.10028F95
0046441F - FF25 9D564200 JMP DWORD PTR DS:[42569D] ; krnln.1002995A
00464425 - FF25 85564200 JMP DWORD PTR DS:[425685] ; krnln.10028FBA
0046442B - FF25 95564200 JMP DWORD PTR DS:[425695] ; krnln.10029852
00464431 - FF25 91564200 JMP DWORD PTR DS:[425691] ; krnln.100297D6
00464437 - FF25 89564200 JMP DWORD PTR DS:[425689] ; krnln.10029011
0046443D - FF25 8D564200 JMP DWORD PTR DS:[42568D] ; krnln.100297B7
00464443 - FF25 7D564200 JMP DWORD PTR DS:[42567D] ; krnln.10029799
00464449 - FF25 81564200 JMP DWORD PTR DS:[425681] ; krnln.10028FAF
0046444F 3800 CMP BYTE PTR DS:[EAX],AL
00464451 0000 ADD BYTE PTR DS:[EAX],AL
这里的JMP是变形的call吗?
0040403F C3 RETN
00404040 A1 A3003132 MOV EAX,DWORD PTR DS:[323100A3]
00404045 333435 006C6F76 XOR ESI,DWORD PTR DS:[ESI+766F6C00]
0040404C 65:6361 67 ARPL WORD PTR GS:[ECX+67],SP
00404050 73 69 JNB SHORT Cracking.004040BB
00404052 74 6E JE SHORT Cracking.004040C2
00404054 5C POP ESP
00404055 74 61 JE SHORT Cracking.004040B8
00404057 6F OUTS DX,DWORD PTR ES:[EDI]
00404058 6261 6F BOUND ESP,QWORD PTR DS:[ECX+6F]
0040405B 5C POP ESP
0040405C 46 INC ESI
0040405D 76 62 JBE SHORT Cracking.004040C1
0040405F 68 7279682D PUSH 2D687972
00404064 77 73 JA SHORT Cracking.004040D9
00404066 74 71 JE SHORT Cracking.004040D9
00404068 79 62 JNS SHORT Cracking.004040CC
0040406A 002A ADD BYTE PTR DS:[EDX],CH
0040406C CE INTO
0040406D B4 D7 MOV AH,0D7
0040406F A2 B2E1B0E6 MOV BYTE PTR DS:[E6B0E1B2],AL
00404074 00CC ADD AH,CL
00404076 D4 B1 AAM 0B1
00404078 A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
00404079 D0C5 ROL CH,1
0040407B CA B900 RETF 0B9
0040407E C4E3 LES ESP,EBX ; 非法使用寄存器
00404080 CA B9D3 RETF 0D3B9
这个非法全用寄存器,是未注册信息。这个信息调用是用EIP指向的。
77D505D3 90 NOP
77D505D4 90 NOP
77D505D5 90 NOP
77D505D6 90 NOP
77D505D7 90 NOP
77D505D8 > 8BFF MOV EDI,EDI
77D505DA 55 PUSH EBP
77D505DB 8BEC MOV EBP,ESP
77D505DD 6A FF PUSH -1
77D505DF FF75 18 PUSH DWORD PTR SS:[EBP+18]
77D505E2 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D505E5 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77D505E8 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D505EB FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D505EE E8 665B0100 CALL USER32.MessageBoxTimeoutW
77D505F3 5D POP EBP
77D505F4 C2 1400 RETN 14
77D505F7 90 NOP
77D505F8 90 NOP
77D505F9 90 NOP
77D505FA 90 NOP
77D505FB 90 NOP
77D505FC > 8BFF MOV EDI,EDI
77D505FE 55 PUSH EBP
77D505FF 8BEC MOV EBP,ESP
77D50601 6A FF PUSH -1
77D50603 FF75 18 PUSH DWORD PTR SS:[EBP+18]
77D50606 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D50609 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77D5060C FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D5060F FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D50612 E8 C55B0100 CALL USER32.MessageBoxTimeoutA
77D50617 5D POP EBP
77D50618 C2 1400 RETN 14
这两个是对话框断点,在USER32中,可是跟或回查,找找不到call和跳。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课