I happened to come across an article online about debugging 决战 (Droiyan), and as a newbie, having a worked example is of course best. So I went and found a 决战 private-server (SF) client [because 决战 is now on 5.0 while the article was written against 4.0, and most 决战 private servers are still on 4.0]. Once I had it, I opened it in OD:
004E2067 >/$ 55 PUSH EBP
004E2068 |. 8BEC MOV EBP,ESP
004E206A |. 6A FF PUSH -1
004E206C |. 68 30BB4F00 PUSH Droiyan_.004FBB30
004E2071 |. 68 8C064E00 PUSH Droiyan_.004E068C ; SE handler installation
004E2076 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004E207C |. 50 PUSH EAX
004E207D |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
004E2084 |. 83EC 58 SUB ESP,58
004E2087 |. 53 PUSH EBX
004E2088 |. 56 PUSH ESI
004E2089 |. 57 PUSH EDI
004E208A |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004E208D |. FF15 AC914F00 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
004E2093 |. 33D2 XOR EDX,EDX
004E2095 |. 8AD4 MOV DL,AH
004E2097 |. 8915 341F5700 MOV DWORD PTR DS:[571F34],EDX
004E209D |. 8BC8 MOV ECX,EAX
004E209F |. 81E1 FF000000 AND ECX,0FF
004E20A5 |. 890D 301F5700 MOV DWORD PTR DS:[571F30],ECX
004E20AB |. C1E1 08 SHL ECX,8
004E20AE |. 03CA ADD ECX,EDX
004E20B0 |. 890D 2C1F5700 MOV DWORD PTR DS:[571F2C],ECX
004E20B6 |. C1E8 10 SHR EAX,10
004E20B9 |. A3 281F5700 MOV DWORD PTR DS:[571F28],EAX
Then I located this section from the example: [according to the person who wrote the example, this is where the 8 initial key values are generated]
004E17E0 /$ 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
004E17E4 |. 57 PUSH EDI
004E17E5 |. 85C9 TEST ECX,ECX
004E17E7 |. 74 7A JE SHORT Droiyan_.004E1863
004E17E9 |. 56 PUSH ESI
004E17EA |. 53 PUSH EBX
004E17EB |. 8BD9 MOV EBX,ECX
004E17ED |. 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14]
004E17F1 |. F7C6 03000000 TEST ESI,3
004E17F7 |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10]
004E17FB |. 75 07 JNZ SHORT Droiyan_.004E1804
004E17FD |. C1E9 02 SHR ECX,2
004E1800 |. 75 6F JNZ SHORT Droiyan_.004E1871
004E1802 |. EB 21 JMP SHORT Droiyan_.004E1825
004E1804 |> 8A06 /MOV AL,BYTE PTR DS:[ESI]
004E1806 |. 46 |INC ESI
004E1807 |. 8807 |MOV BYTE PTR DS:[EDI],AL
004E1809 |. 47 |INC EDI
004E180A |. 49 |DEC ECX
004E180B |. 74 25 |JE SHORT Droiyan_.004E1832
004E180D |. 84C0 |TEST AL,AL
004E180F |. 74 29 |JE SHORT Droiyan_.004E183A
004E1811 |. F7C6 03000000 |TEST ESI,3
004E1817 |.^ 75 EB \JNZ SHORT Droiyan_.004E1804
004E1819 |. 8BD9 MOV EBX,ECX
004E181B |. C1E9 02 SHR ECX,2
004E181E |. 75 51 JNZ SHORT Droiyan_.004E1871
004E1820 |> 83E3 03 AND EBX,3
004E1823 |. 74 0D JE SHORT Droiyan_.004E1832
004E1825 |> 8A06 /MOV AL,BYTE PTR DS:[ESI]
004E1827 |. 46 |INC ESI
004E1828 |. 8807 |MOV BYTE PTR DS:[EDI],AL
004E182A |. 47 |INC EDI
004E182B |. 84C0 |TEST AL,AL
004E182D |. 74 2F |JE SHORT Droiyan_.004E185E
004E182F |. 4B |DEC EBX
004E1830 |.^ 75 F3 \JNZ SHORT Droiyan_.004E1825
004E1832 |> 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
004E1836 |. 5B POP EBX
004E1837 |. 5E POP ESI
004E1838 |. 5F POP EDI
004E1839 |. C3 RETN
004E183A |> F7C7 03000000 TEST EDI,3
004E1840 |. 74 12 JE SHORT Droiyan_.004E1854
004E1842 |> 8807 /MOV BYTE PTR DS:[EDI],AL
004E1844 |. 47 |INC EDI
004E1845 |. 49 |DEC ECX
004E1846 |. 0F84 8A000000 |JE Droiyan_.004E18D6
004E184C |. F7C7 03000000 |TEST EDI,3
004E1852 |.^ 75 EE \JNZ SHORT Droiyan_.004E1842
004E1854 |> 8BD9 MOV EBX,ECX
004E1856 |. C1E9 02 SHR ECX,2
004E1859 |. 75 6C JNZ SHORT Droiyan_.004E18C7
004E185B |> 8807 MOV BYTE PTR DS:[EDI],AL
004E185D |. 47 INC EDI
004E185E |> 4B DEC EBX
004E185F |.^ 75 FA JNZ SHORT Droiyan_.004E185B
004E1861 |. 5B POP EBX
004E1862 |. 5E POP ESI
004E1863 |> 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004E1867 |. 5F POP EDI
004E1868 |. C3 RETN
-------------supposedly the following is the key part???
004E1869 |> 8917 /MOV DWORD PTR DS:[EDI],EDX
004E186B |. 83C7 04 |ADD EDI,4
004E186E |. 49 |DEC ECX
004E186F |.^ 74 AF |JE SHORT Droiyan_.004E1820
004E1871 |> BA FFFEFE7E MOV EDX,7EFEFEFF
004E1876 |. 8B06 |MOV EAX,DWORD PTR DS:[ESI]
004E1878 |. 03D0 |ADD EDX,EAX
004E187A |. 83F0 FF |XOR EAX,FFFFFFFF
004E187D |. 33C2 |XOR EAX,EDX
004E187F |. 8B16 |MOV EDX,DWORD PTR DS:[ESI]
004E1881 |. 83C6 04 |ADD ESI,4
004E1884 |. A9 00010181 |TEST EAX,81010100
004E1889 |.^ 74 DE |JE SHORT Droiyan_.004E1869
004E188B |. 84D2 |TEST DL,DL
004E188D |. 74 2C |JE SHORT Droiyan_.004E18BB
004E188F |. 84F6 |TEST DH,DH
004E1891 |. 74 1E |JE SHORT Droiyan_.004E18B1
004E1893 |. F7C2 0000FF00 |TEST EDX,0FF0000
004E1899 |. 74 0C |JE SHORT Droiyan_.004E18A7
004E189B |. F7C2 000000FF |TEST EDX,FF000000
004E18A1 |.^ 75 C6 \JNZ SHORT Droiyan_.004E1869
004E18A3 |. 8917 MOV DWORD PTR DS:[EDI],EDX
004E18A5 |. EB 18 JMP SHORT Droiyan_.004E18BF
004E18A7 |> 81E2 FFFF0000 AND EDX,0FFFF
004E18AD |. 8917 MOV DWORD PTR DS:[EDI],EDX
004E18AF |. EB 0E JMP SHORT Droiyan_.004E18BF
004E18B1 |> 81E2 FF000000 AND EDX,0FF
004E18B7 |. 8917 MOV DWORD PTR DS:[EDI],EDX
004E18B9 |. EB 04 JMP SHORT Droiyan_.004E18BF
004E18BB |> 33D2 XOR EDX,EDX
004E18BD |. 8917 MOV DWORD PTR DS:[EDI],EDX
004E18BF |> 83C7 04 ADD EDI,4
004E18C2 |. 33C0 XOR EAX,EAX
004E18C4 |. 49 DEC ECX
004E18C5 |. 74 0A JE SHORT Droiyan_.004E18D1
004E18C7 |> 33C0 XOR EAX,EAX
004E18C9 |> 8907 /MOV DWORD PTR DS:[EDI],EAX
004E18CB |. 83C7 04 |ADD EDI,4
004E18CE |. 49 |DEC ECX
004E18CF |.^ 75 F8 \JNZ SHORT Droiyan_.004E18C9
004E18D1 |> 83E3 03 AND EBX,3
004E18D4 |.^ 75 85 JNZ SHORT Droiyan_.004E185B
004E18D6 |> 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
004E18DA |. 5B POP EBX
004E18DB |. 5E POP ESI
004E18DC |. 5F POP EDI
004E18DD \. C3 RETN
I have traced through it, but I just cannot find how the 8 initial key values are produced. Guys, please help!
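As an added note and example (my own, not part of the original post and not the game's code): the routine at 004E17E0 traced above has the shape of the C runtime's strncpy(dst, src, n). ECX is the count from [ESP+C], ESI the source and EDI the destination, and EAX returns the destination. The loop at 004E1871 loads one aligned dword, adds 7EFEFEFF, XORs with the complement and tests 81010100 to decide whether any byte of the dword can be zero; when the test fires, the TESTs at 004E188B..004E18A1 check each byte exactly, and everything from 004E18C7 on zero-fills the remaining destination bytes, which is strncpy's padding behaviour. Nothing in this routine derives key material; it only copies a string, so the values the example author refers to would have to be produced by whatever calls it. The C below reimplements the routine with the same structure (the addresses in the comments refer to the listing) and checks it against the library strncpy on a constructed buffer. The names listing_strncpy, dword_may_have_zero_byte, dword_has_zero_byte and listing_strncpy_matches_crt, and the sample input, are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The fast test at 004E1871..004E1889:
 *   EDX = EAX + 7EFEFEFF ; EAX = ~EAX ^ EDX ; TEST EAX,81010100
 * Returns 0 when the dword certainly contains no zero byte (the JE back to
 * 004E1869 is taken) and nonzero when a zero byte is possible. The test has
 * false positives (a 0x80 in the top byte is one), which is why the listing
 * re-checks every byte with TEST before concluding that the string ended. */
int dword_may_have_zero_byte(uint32_t w)
{
    uint32_t t = w + 0x7EFEFEFFu;
    t ^= ~w;
    return (t & 0x81010100u) != 0;
}

/* The exact per-byte decision at 004E188B..004E18A1 (DL, DH, bits 16-23,
 * bits 24-31): 1 when w holds a zero byte, else 0. */
int dword_has_zero_byte(uint32_t w)
{
    return (w & 0xFFu) == 0 || (w & 0xFF00u) == 0 ||
           (w & 0xFF0000u) == 0 || (w & 0xFF000000u) == 0;
}

/* strncpy(dst, src, n) as the routine at 004E17E0 implements it.
 * dst = [ESP+4] (EDI), src = [ESP+8] (ESI), n = [ESP+C] (ECX).
 * Like the original it reads src one aligned dword at a time, so the source
 * object must be readable up to the dword boundary after its NUL. */
char *listing_strncpy(char *dst, const char *src, size_t n)
{
    char *d = dst;
    const char *s = src;
    uint32_t w;

    if (n == 0)                                   /* TEST ECX,ECX / JE 004E1863 */
        return dst;

    /* 004E1804: byte copy until ESI is dword aligned (TEST ESI,3) */
    while (((uintptr_t)s & 3u) != 0) {
        char c = *d++ = *s++;
        if (--n == 0)                             /* DEC ECX / JE 004E1832 */
            return dst;
        if (c == '\0')                            /* TEST AL,AL / JE 004E183A */
            goto pad;
    }

    /* 004E1871: dword loop; ECX = n >> 2 dwords, EBX & 3 = tail bytes */
    while (n >= 4) {
        memcpy(&w, s, 4);                         /* MOV EAX,DWORD PTR [ESI] */
        s += 4;
        if (dword_may_have_zero_byte(w) && dword_has_zero_byte(w)) {
            /* 004E18BB/18B1/18A7/18A3: keep bytes up to the NUL, clear the rest */
            if ((w & 0xFFu) == 0)          w = 0;
            else if ((w & 0xFF00u) == 0)   w &= 0xFFu;
            else if ((w & 0xFF0000u) == 0) w &= 0xFFFFu;
            memcpy(d, &w, 4);                     /* MOV DWORD PTR [EDI],EDX */
            d += 4;
            n -= 4;
            goto pad;                             /* 004E18BF onward */
        }
        memcpy(d, &w, 4);                         /* 004E1869: MOV [EDI],EDX */
        d += 4;
        n -= 4;
    }

    /* 004E1825: copy the 1..3 tail bytes, stopping at a NUL (JE 004E185E) */
    while (n != 0) {
        char c = *d++ = *s++;
        n--;
        if (c == '\0')
            goto pad;
    }
    return dst;                                   /* 004E1832 */

pad:
    /* 004E183A..004E18D4: the rest of dst is zero-filled, byte-wise up to
     * alignment, then dword-wise (XOR EAX,EAX / MOV [EDI],EAX), then the last
     * EBX & 3 bytes. memset produces the same bytes. */
    memset(d, 0, n);
    return dst;                                   /* 004E18D6 */
}

/* Self-check against the library strncpy on a constructed source that mixes
 * a 0x80 byte (fast-test false positive) with every source alignment and
 * counts shorter, equal to and longer than the string. */
int listing_strncpy_matches_crt(void)
{
    static const char src[16] = "abc\x80" "def";   /* constructed sample input */
    char a[24], b[24];
    size_t off, n;

    for (off = 0; off < 4; off++) {
        for (n = 0; n <= 12; n++) {
            memset(a, 0x55, sizeof a);
            memset(b, 0x55, sizeof b);
            listing_strncpy(a, src + off, n);
            strncpy(b, src + off, n);
            if (memcmp(a, b, sizeof a) != 0)
                return 0;
        }
    }
    return 1;
}
```

The point worth keeping from this for the thread's actual question: the 7EFEFEFF / 81010100 pair is a well-known word-at-a-time NUL scan, not a cryptographic constant, and the only values this routine writes are a copy of the source string followed by zero padding. To find where key material is produced, set a breakpoint on 004E17E0 and look at the callers (the return addresses on the stack), since the routine itself is a leaf that only copies what it is given.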