-
-
[旧帖] [原创]回复CDEATH 的问题 0.00雪花
-
发表于: 2007-9-20 17:34
-
我也不知道这样对不对,反正我爆掉了
看操作
00562787 >/$ 55 push ebp /脱壳之后入口在这里
00562788 |. 8BEC mov ebp,esp
0056278A |. 6A FF push -1
0056278C |. 68 70636700 push yh.00676370
00562791 |. 68 60415600 push yh.00564160
00562796 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0056279C |. 50 push eax
0056279D |. 64:8925 00000000 mov dword ptr fs:[0],esp
005627A4 |. 83EC 58 sub esp,58
005627A7 |. 53 push ebx
005627A8 |. 56 push esi
005627A9 |. 57 push edi
005627AA |. 8965 E8 mov [local.6],esp
005627AD |. FF15 94F26600 call dword ptr ds:[<&kernel32.Get>
005627B3 |. 33D2 xor edx,edx
005627B5 |. 8AD4 mov dl,ah
005627B7 |. 8915 84C26E00 mov dword ptr ds:[6EC284],edx
shift+f9运行
点注册窗口,用工具这样下断
点注册按钮,自动断在
77D6AE36 > 8BFF mov edi,edi//断在这里
77D6AE38 55 push ebp
77D6AE39 8BEC mov ebp,esp
77D6AE3B FF75 0C push dword ptr ss:[ebp+C]
77D6AE3E FF75 08 push dword ptr ss:[ebp+8]
77D6AE41 E8 888FFBFF call USER32.GetDlgItem
77D6AE46 85C0 test eax,eax
77D6AE48 74 0E je short USER32.77D6AE58
77D6AE4A FF75 14 push dword ptr ss:[ebp+14]
77D6AE4D FF75 10 push dword ptr ss:[ebp+10]
77D6AE50 50 push eax
77D6AE51 E8 D572FCFF call USER32.GetWindowTextA
77D6AE56 EB 0E jmp short USER32.77D6AE66
77D6AE58 837D 14 00 cmp dword ptr ss:[ebp+14],0
77D6AE5C 74 06 je short USER32.77D6AE64
77D6AE5E 8B45 10 mov eax,dword ptr ss:[ebp+10]
77D6AE61 C600 00 mov byte ptr ds:[eax],0
77D6AE64 33C0 xor eax,eax
77D6AE66 5D pop ebp
77D6AE67 C2 1000 retn 10
77D6AE6A 90 nop
77D6AE6B 90 nop
看堆栈
0012F5E8 00537CC7 /CALL 到 GetDlgItemTextA 来自 yh.00537CC5
0012F5EC 00110950 |hWnd = 00110950 ('注册',class='#32770')
0012F5F0 000007D0 |ControlID = 7D0 (2000.)
0012F5F4 0012F66C |Buffer = 0012F66C
0012F5F8 00000100 \Count = 100 (256.)
0012F5FC 00000001
显然这不是我们要找的,因为没有我们出现那个非法注册的提示,我们再SHIFT+F9运行同样方法看堆栈,当运行第N次的时候出现了
0012F5E8 00537D3D /CALL 到 MessageBoxA 来自 yh.00537D37
0012F5EC 00110950 |hOwner = 00110950 ('注册',class='#32770')
0012F5F0 0012F62C |Text = "注册非法"
0012F5F4 006E84DC |Title = ""
0012F5F8 00000010 \Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012F5FC 00000001
这个信息说明我们已经走过了它的算法而且结果不正确。
那么怎么办呢,我从新从头来,刚才是N次,现在N—1次也就是刚好不让它过它的算法再返回程序领空用鼠标上下看看???是不是有个地方?
00137CF7 50 push eax
00137CF8 E8 230CFAFF call 000D8920
00137CFD 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00137D01 51 push ecx
00137D02 E8 0C6E0200 call 0015EB13//……
00137D07 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
00137D0B 83C4 0C add esp,0C
00137D0E 3BC8 cmp ecx,eax
00137D10 75 5D je short 00137D6F//这里比较
00137D12 A1 C0046F00 mov eax,dword ptr ds:[6F04C0]
00137D17 8D5424 30 lea edx,dword ptr ss:[esp+30]
00137D1B 6A 40 push 40
00137D1D 52 push edx
00137D1E 68 93130000 push 1393
00137D23 50 push eax
00137D24 FF15 0CF76600 call dword ptr ds:[66F70C]
看操作
00562787 >/$ 55 push ebp /脱壳之后入口在这里
00562788 |. 8BEC mov ebp,esp
0056278A |. 6A FF push -1
0056278C |. 68 70636700 push yh.00676370
00562791 |. 68 60415600 push yh.00564160
00562796 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0056279C |. 50 push eax
0056279D |. 64:8925 00000000 mov dword ptr fs:[0],esp
005627A4 |. 83EC 58 sub esp,58
005627A7 |. 53 push ebx
005627A8 |. 56 push esi
005627A9 |. 57 push edi
005627AA |. 8965 E8 mov [local.6],esp
005627AD |. FF15 94F26600 call dword ptr ds:[<&kernel32.Get>
005627B3 |. 33D2 xor edx,edx
005627B5 |. 8AD4 mov dl,ah
005627B7 |. 8915 84C26E00 mov dword ptr ds:[6EC284],edx
shift+f9运行
点注册窗口,用工具这样下断
点注册按钮,自动断在
77D6AE36 > 8BFF mov edi,edi//断在这里
77D6AE38 55 push ebp
77D6AE39 8BEC mov ebp,esp
77D6AE3B FF75 0C push dword ptr ss:[ebp+C]
77D6AE3E FF75 08 push dword ptr ss:[ebp+8]
77D6AE41 E8 888FFBFF call USER32.GetDlgItem
77D6AE46 85C0 test eax,eax
77D6AE48 74 0E je short USER32.77D6AE58
77D6AE4A FF75 14 push dword ptr ss:[ebp+14]
77D6AE4D FF75 10 push dword ptr ss:[ebp+10]
77D6AE50 50 push eax
77D6AE51 E8 D572FCFF call USER32.GetWindowTextA
77D6AE56 EB 0E jmp short USER32.77D6AE66
77D6AE58 837D 14 00 cmp dword ptr ss:[ebp+14],0
77D6AE5C 74 06 je short USER32.77D6AE64
77D6AE5E 8B45 10 mov eax,dword ptr ss:[ebp+10]
77D6AE61 C600 00 mov byte ptr ds:[eax],0
77D6AE64 33C0 xor eax,eax
77D6AE66 5D pop ebp
77D6AE67 C2 1000 retn 10
77D6AE6A 90 nop
77D6AE6B 90 nop
看堆栈
0012F5E8 00537CC7 /CALL 到 GetDlgItemTextA 来自 yh.00537CC5
0012F5EC 00110950 |hWnd = 00110950 ('注册',class='#32770')
0012F5F0 000007D0 |ControlID = 7D0 (2000.)
0012F5F4 0012F66C |Buffer = 0012F66C
0012F5F8 00000100 \Count = 100 (256.)
0012F5FC 00000001
显然这不是我们要找的,因为没有我们出现那个非法注册的提示,我们再SHIFT+F9运行同样方法看堆栈,当运行第N次的时候出现了
0012F5E8 00537D3D /CALL 到 MessageBoxA 来自 yh.00537D37
0012F5EC 00110950 |hOwner = 00110950 ('注册',class='#32770')
0012F5F0 0012F62C |Text = "注册非法"
0012F5F4 006E84DC |Title = ""
0012F5F8 00000010 \Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012F5FC 00000001
这个信息说明我们已经走过了它的算法而且结果不正确。
那么怎么办呢,我从新从头来,刚才是N次,现在N—1次也就是刚好不让它过它的算法再返回程序领空用鼠标上下看看???是不是有个地方?
00137CF7 50 push eax
00137CF8 E8 230CFAFF call 000D8920
00137CFD 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00137D01 51 push ecx
00137D02 E8 0C6E0200 call 0015EB13//……
00137D07 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
00137D0B 83C4 0C add esp,0C
00137D0E 3BC8 cmp ecx,eax
00137D10 75 5D je short 00137D6F//这里比较
00137D12 A1 C0046F00 mov eax,dword ptr ds:[6F04C0]
00137D17 8D5424 30 lea edx,dword ptr ss:[esp+30]
00137D1B 6A 40 push 40
00137D1D 52 push edx
00137D1E 68 93130000 push 1393
00137D23 50 push eax
00137D24 FF15 0CF76600 call dword ptr ds:[66F70C]
掌....
