4 楼
怎么破解?我替换了 123456.dll 之后再运行,看到的还是这个:
; OllyDbg listing of the crackme routine at cracke_m.00401000.
; Visible behaviour: MessageBoxA(hWnd=0, lpText="Hello1", lpCaption="Test", uType=0),
; then a call through the import thunk for 1234567.Test, then return 0 and pop
; 10h bytes of arguments (four stdcall args -- WinMain-shaped; not confirmed here).
; NOTE(review): nothing in this routine is an anti-debug check; whatever runs
; before the debugger gets control lives in the imported DLL (its DllMain), so
; swapping the DLL only removes that DLL's code. Also note the import module
; shown is "1234567" while the post names 123456.dll -- confirm which file the
; loader actually resolves before concluding the replacement took effect.
00401000 6A 00 push 0 ; uType = 0
00401002 68 38604000 push cracke_m.00406038 ; ASCII "Test" -- lpCaption
00401007 68 30604000 push cracke_m.00406030 ; ASCII "Hello1" -- lpText
0040100C 6A 00 push 0 ; hWnd = NULL
0040100E FF15 A4504000 call [<&USER32.MessageBoxA>] ; USER32.MessageBoxA
00401014 FF15 00504000 call [<&1234567.Test>] ; 1234567.Test -- export of the companion DLL; no args pushed here
0040101A 33C0 xor eax, eax ; cracke_m.00400000 -- return value 0
0040101C C2 1000 retn 10 ; stdcall epilogue, caller's 4 dword args discarded
5 楼
; IDA listing: tail of DllMain(x,x,x) in the crackme's companion DLL.
; The function begins before this excerpt; the cross-reference from
; DllMain+Fh to loc_10001273 is an early exit whose condition is not visible
; here (presumably a test on fdwReason -- verify in the full listing).
;
; What the visible code does:
;   1. Look up the parent PID of [ebp+dwProcessId] (a local set earlier, not
;      shown; presumably this process's own PID) and OpenProcess it with
;      PROCESS_ALL_ACCESS.
;   2. Build a 36-byte (24h) signature on the stack one byte at a time and
;      ReadProcessMemory 36 bytes from the parent at address 4AF25Ch.
;   3. If all 36 bytes match, write the word 14C2h (little-endian bytes
;      C2 14 = "retn 14h") over the entry of kernel32!WriteProcessMemory
;      *inside the parent process*. WriteProcessMemory takes five stdcall
;      arguments (see the five pushes before the call below), so the patched
;      function returns at once without writing anything. A debugger that
;      plants software breakpoints by writing 0CCh into the debuggee through
;      WriteProcessMemory silently loses that ability; the failure popup in
;      post #6 ("int3 at entry, cannot single-step") is consistent with that.
;
; The signature is six consecutive 6-byte "FF 25 imm32" thunks, i.e.
; jmp dword ptr [imm32] with imm32 = 0050D4ACh, 0050D4B0h, 0050D4B4h,
; 0050D4B8h, 0050D540h, 0050D544h -- an import-thunk table of the parent
; image at 4AF25Ch. The thread says the parent is OllyDbg; the check is tied
; to one exact build, and any other debugger (or a patched OD) fails the
; compare and falls through to the normal return.
;
; Assumes ebx == 0 throughout: it supplies the low byte of every imm32 and the
; NULL/FALSE arguments below. ebx is set before this excerpt -- verify.
ext:10001155 mov eax, [ebp+dwProcessId]
.text:10001158 push eax ; dwProcessId
.text:10001159 call GetParentProcessId ; DLL-internal helper, body not shown
.text:1000115E add esp, 4 ; cdecl: caller pops the single argument
.text:10001161 mov esi, eax ; esi = parent PID
.text:10001163 mov al, 0FFh ; al/dl/cl = FFh/25h/50h, reused for every thunk below
.text:10001165 mov dl, 25h
.text:10001167 push esi ; dwProcessId
.text:10001168 mov cl, 50h
.text:1000116A push ebx ; bInheritHandle -- FALSE if ebx == 0
.text:1000116B push 1F0FFFh ; dwDesiredAccess -- PROCESS_ALL_ACCESS (pre-Vista value)
; Signature assembled through registers instead of a data constant --
; presumably so the byte string is not visible in the DLL's data section.
.text:10001170 mov [ebp+tmp], al ; thunk 1: FF 25 AC D4 50 <bl>
.text:10001173 mov [ebp+tmp+1], dl
.text:10001176 mov [ebp+tmp+2], 0ACh
.text:1000117A mov [ebp+tmp+3], 0D4h
.text:1000117E mov [ebp+tmp+4], cl
.text:10001181 mov [ebp+tmp+5], bl
.text:10001184 mov [ebp+tmp+6], al ; thunk 2: FF 25 B0 D4 50 <bl>
.text:10001187 mov [ebp+tmp+7], dl
.text:1000118A mov [ebp+tmp+8], 0B0h
.text:1000118E mov [ebp+tmp+9], 0D4h
.text:10001192 mov [ebp+tmp+0Ah], cl
.text:10001195 mov [ebp+tmp+0Bh], bl
.text:10001198 mov [ebp+tmp+0Ch], al ; thunk 3: FF 25 B4 D4 50 <bl>
.text:1000119B mov [ebp+tmp+0Dh], dl
.text:1000119E mov [ebp+tmp+0Eh], 0B4h
.text:100011A2 mov [ebp+tmp+0Fh], 0D4h
.text:100011A6 mov [ebp+tmp+10h], cl
.text:100011A9 mov [ebp+tmp+11h], bl
.text:100011AC mov [ebp+tmp+12h], al ; thunk 4: FF 25 B8 D4 50 <bl>
.text:100011AF mov [ebp+tmp+13h], dl
.text:100011B2 mov [ebp+tmp+14h], 0B8h
.text:100011B6 mov [ebp+tmp+15h], 0D4h
.text:100011BA mov [ebp+tmp+16h], cl
.text:100011BD mov [ebp+tmp+17h], bl
.text:100011C0 mov [ebp+tmp+18h], al ; thunk 5: FF 25 40 D5 50 <bl>
.text:100011C3 mov [ebp+tmp+19h], dl
.text:100011C6 mov [ebp+tmp+1Ah], 40h
.text:100011CA mov [ebp+tmp+1Bh], 0D5h
.text:100011CE mov [ebp+tmp+1Ch], cl
.text:100011D1 mov [ebp+tmp+1Dh], bl
.text:100011D4 mov [ebp+tmp+1Eh], al ; thunk 6: FF 25 44 D5 50 <bl>
.text:100011D7 mov [ebp+tmp+1Fh], dl
.text:100011DA mov [ebp+tmp+20h], 44h
.text:100011DE mov [ebp+tmp+21h], 0D5h
.text:100011E2 mov [ebp+tmp+22h], cl
.text:100011E5 mov [ebp+tmp+23h], bl
.text:100011E8 call ds:OpenProcess ; return value is never checked; a NULL handle just makes the read below fail
.text:100011EE push ebx ; lpNumberOfBytesRead -- NULL if ebx == 0
.text:100011EF lea ecx, [ebp+Buffer]
.text:100011F2 push 24h ; nSize -- 36 bytes, same length as the signature
.text:100011F4 mov esi, eax ; esi = parent process handle
.text:100011F6 push ecx ; lpBuffer
.text:100011F7 push 4AF25Ch ; lpBaseAddress -- fixed address inside the parent's image
.text:100011FC push esi ; hProcess
.text:100011FD call ds:ReadProcessMemory ; result unchecked: on failure Buffer keeps stale stack contents and the compare runs on garbage
.text:10001203 xor edi, edi ; edi = count of matching bytes
.text:10001205 xor eax, eax ; eax = byte index
.text:10001207
.text:10001207 loc_10001207: ; CODE XREF: DllMain(x,x,x)+1B8j
; Byte-wise compare of Buffer against tmp; counts matches rather than
; breaking on the first mismatch (constant 36 iterations).
.text:10001207 mov dl, byte ptr [ebp+eax+Buffer]
.text:1000120B mov cl, [ebp+eax+tmp]
.text:1000120F cmp dl, cl
.text:10001211 jnz short loc_10001214
.text:10001213 inc edi
.text:10001214
.text:10001214 loc_10001214: ; CODE XREF: DllMain(x,x,x)+1B1j
.text:10001214 inc eax
.text:10001215 cmp eax, 24h
.text:10001218 jl short loc_10001207
.text:1000121A cmp edi, 24h ; every one of the 36 bytes must match
.text:1000121D jnz short loc_10001273 ; no match: leave the parent alone, return TRUE
.text:1000121F push offset ProcName ; "WriteProcessMemory"
.text:10001224 push offset LibFileName ; "kernel32.dll"
.text:10001229 mov [ebp+buf], 14C2h ; little-endian C2 14 = "retn 14h" (pop 5 dword args and return)
.text:10001230 call ds:LoadLibraryA
.text:10001236 push eax ; hModule
.text:10001237 call ds:GetProcAddress
.text:1000123D mov edi, eax ; edi = &WriteProcessMemory in *this* process; reused below as
; the address in the parent, which only works if kernel32 is mapped at the
; same base in both processes (true on the era's Windows without per-boot
; kernel32 relocation differing between processes -- TODO confirm).
.text:1000123F lea eax, [ebp+dwProcessId] ; the dwProcessId local is recycled as the lpflOldProtect out-parameter
.text:10001242 push eax ; lpflOldProtect
.text:10001243 push 4 ; flNewProtect -- PAGE_READWRITE
.text:10001245 push 4 ; dwSize
.text:10001247 push edi ; lpAddress
.text:10001248 call ds:VirtualProtect ; NOTE(review): changes protection in the *current* process only;
; the write below targets the parent and relies on WriteProcessMemory handling
; the target page's protection itself. Return value is not checked.
.text:1000124E push ebx ; lpNumberOfBytesWritten -- NULL if ebx == 0
.text:1000124F lea ecx, [ebp+buf]
.text:10001252 push 4 ; nSize -- 4 bytes are written although only the 2-byte opcode was set;
; the other 2 bytes come from whatever is adjacent to buf on the stack
; (harmless to the patch because retn is hit first, but non-deterministic).
.text:10001254 push ecx ; lpBuffer
.text:10001255 push edi ; lpBaseAddress -- WriteProcessMemory's own entry, in the parent
.text:10001256 push esi ; hProcess -- parent handle from OpenProcess
.text:10001257 call ds:WriteProcessMemory ; from the parent's view: a child opened it with full access and overwrote kernel32 code
.text:1000125D test eax, eax
.text:1000125F jnz short loc_10001273 ; success is silent
.text:10001261 push ebx ; uType
.text:10001262 push offset aError ; "error"
.text:10001267 push offset aInsertFunAddrE ; "insert fun addr err"
.text:1000126C push ebx ; hWnd
.text:1000126D call ds:MessageBoxA ; failure is only reported; DllMain still returns TRUE
.text:10001273
.text:10001273 loc_10001273: ; CODE XREF: DllMain(x,x,x)+Fj
.text:10001273 ; DllMain(x,x,x)+1BDj ...
; Common epilogue: every path (early exit, signature mismatch, patch
; succeeded, patch failed) returns TRUE so the DLL always stays loaded.
.text:10001273 pop edi
.text:10001274 pop esi
.text:10001275 mov eax, 1 ; return TRUE
.text:1000127A pop ebx
.text:1000127B mov esp, ebp
.text:1000127D pop ebp
.text:1000127E retn 0Ch ; stdcall, three arguments (hinstDLL, fdwReason, lpvReserved)
6 楼
我出现的情况和楼上的一样,
bp OpenProcess 之后修改了 123456.dll,结果好像还是一样的!
入口处有一个 0xCC(int3 断点),没法单步跟了!
晚上回去再研究一下
7 楼
forgot版主厉害!!! 佩服!!!
我的程序在被 OD 正常加载之前,会先执行 dll 里面的 hook API 代码,使 OD 下的断点失效;我不知道 forgot 版主你是怎么破的?
想请教一下你的破解思路,请多多指教!!!
8 楼
第一次尝试发现直接load挂了,因为以前弄过一个超级加壳,估计是dll的问题,
自己伪造了一个导出 Test 的 dll,运行起来还是只有一个 Hello,那么 anti 就在 dll 里面。
直接把 dll 加载起来,走了几步看到一个 xor 循环;等它调用 WriteProcessMemory 时抓出来一份放进 IDA,翻翻就翻到了。
9 楼
谢谢forgot版主提供的思路!!!
这里的学习氛围真的不错!!!