首页
社区
课程
招聘
读狗的一个关键CALL,如何修改其返回结果?
发表于: 2004-10-26 21:07 4566

读狗的一个关键CALL,如何修改其返回结果?

2004-10-26 21:07
4566
近日遇到一软件,有多处读狗的地方,经观察,提示加密狗出错的上面都有一个 CALL 00404ECC 紧接着一个跳转。跳后就死。我想:是不是改这个CALL 里面的某个东西,让它 CALL 结束时返回的结果与有狗时相反,就能躲开所有的加密狗检查。但是不知道如何改这个CALL。请高手指教。
下面是这个CALL的代码:

============================================
:00404ECC 53 push ebx
:00404ECD 56 push esi
:00404ECE 57 push edi
:00404ECF 89C6 mov esi, eax
:00404ED1 89D7 mov edi, edx
:00404ED3 39D0 cmp eax, edx
:00404ED5 0F848F000000 je 00404F6A
:00404EDB 85F6 test esi, esi
:00404EDD 7468 je 00404F47
:00404EDF 85FF test edi, edi
:00404EE1 746B je 00404F4E
:00404EE3 8B46FC mov eax, dword ptr [esi-04]
:00404EE6 8B57FC mov edx, dword ptr [edi-04]
:00404EE9 29D0 sub eax, edx
:00404EEB 7702 ja 00404EEF
:00404EED 01C2 add edx, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404EEB(C)
|
:00404EEF 52 push edx
:00404EF0 C1EA02 shr edx, 02
:00404EF3 7426 je 00404F1B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404F11(C)
|
:00404EF5 8B0E mov ecx, dword ptr [esi]
:00404EF7 8B1F mov ebx, dword ptr [edi]
:00404EF9 39D9 cmp ecx, ebx
:00404EFB 7558 jne 00404F55
:00404EFD 4A dec edx
:00404EFE 7415 je 00404F15
:00404F00 8B4E04 mov ecx, dword ptr [esi+04]
:00404F03 8B5F04 mov ebx, dword ptr [edi+04]
:00404F06 39D9 cmp ecx, ebx
:00404F08 754B jne 00404F55
:00404F0A 83C608 add esi, 00000008
:00404F0D 83C708 add edi, 00000008
:00404F10 4A dec edx
:00404F11 75E2 jne 00404EF5
:00404F13 EB06 jmp 00404F1B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404EFE(C)
|
:00404F15 83C604 add esi, 00000004
:00404F18 83C704 add edi, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404EF3(C), :00404F13(U)
|
:00404F1B 5A pop edx
:00404F1C 83E203 and edx, 00000003
:00404F1F 7422 je 00404F43
:00404F21 8B0E mov ecx, dword ptr [esi]
:00404F23 8B1F mov ebx, dword ptr [edi]
:00404F25 38D9 cmp cl, bl
:00404F27 7541 jne 00404F6A
:00404F29 4A dec edx
:00404F2A 7417 je 00404F43
:00404F2C 38FD cmp ch, bh
:00404F2E 753A jne 00404F6A
:00404F30 4A dec edx
:00404F31 7410 je 00404F43
:00404F33 81E30000FF00 and ebx, 00FF0000
:00404F39 81E10000FF00 and ecx, 00FF0000
:00404F3F 39D9 cmp ecx, ebx
:00404F41 7527 jne 00404F6A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404F1F(C), :00404F2A(C), :00404F31(C)
|
:00404F43 01C0 add eax, eax
:00404F45 EB23 jmp 00404F6A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404EDD(C)
|
:00404F47 8B57FC mov edx, dword ptr [edi-04]
:00404F4A 29D0 sub eax, edx
:00404F4C EB1C jmp 00404F6A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404EE1(C)
|
:00404F4E 8B46FC mov eax, dword ptr [esi-04]
:00404F51 29D0 sub eax, edx
:00404F53 EB15 jmp 00404F6A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404EFB(C), :00404F08(C)
|
:00404F55 5A pop edx
:00404F56 38D9 cmp cl, bl
:00404F58 7510 jne 00404F6A
:00404F5A 38FD cmp ch, bh
:00404F5C 750C jne 00404F6A
:00404F5E C1E910 shr ecx, 10
:00404F61 C1EB10 shr ebx, 10
:00404F64 38D9 cmp cl, bl
:00404F66 7502 jne 00404F6A
:00404F68 38FD cmp ch, bh

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404ED5(C), :00404F27(C), :00404F2E(C), :00404F41(C), :00404F45(U)
|:00404F4C(U), :00404F53(U), :00404F58(C), :00404F5C(C), :00404F66(C)
|
:00404F6A 5F pop edi
:00404F6B 5E pop esi
:00404F6C 5B pop ebx
:00404F6D C3 ret

:00404F6E 8BC0 mov eax, eax
============================================

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (1)
雪    币: 213
活跃值: (81)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
这个问题是太简单还是根本无解?怎么高手都不愿回答啊?
眼看沉底了,自己顶一下。
2004-10-27 22:21
0
游客
登录 | 注册 方可回帖
返回
//