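I want to crack a program's password and have found the key code in the DLL that compares the password (the DLL calls a driver; the Buffer passed to DeviceIoControl is the password!!!)
How can I find out which driver it loads and debug it??? (Or, if I already know it loads a *.sys driver, how do I debug it?)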
100044E0 > 83EC 14 sub esp, 14
100044E3 33C0 xor eax, eax
100044E5 53 push ebx
100044E6 894424 08 mov dword ptr [esp+8], eax
100044EA 55 push ebp
100044EB 894424 10 mov dword ptr [esp+10], eax
100044EF 68 00040000 push 400
100044F4 894424 18 mov dword ptr [esp+18], eax
100044F8 33ED xor ebp, ebp
100044FA 894424 1C mov dword ptr [esp+1C], eax
100044FE E8 F72A0000 call 10006FFA
10004503 8BD8 mov ebx, eax
10004505 83C4 04 add esp, 4
10004508 85DB test ebx, ebx
1000450A 0F84 A7000000 je 100045B7
10004510 56 push esi
10004511 57 push edi
10004512 B9 00010000 mov ecx, 100
10004517 33C0 xor eax, eax
10004519 8BFB mov edi, ebx
1000451B 8D53 10 lea edx, dword ptr [ebx+10]
1000451E F3:AB rep stos dword ptr es:[edi]
10004520 8B0D E4D20010 mov ecx, dword ptr [1000D2E4]
10004526 8B7C24 28 mov edi, dword ptr [esp+28]
1000452A 890B mov dword ptr [ebx], ecx
1000452C 83C9 FF or ecx, FFFFFFFF
1000452F C743 04 0520000>mov dword ptr [ebx+4], 2005
10004536 55 push ebp
10004537 F2:AE repne scas byte ptr es:[edi]
10004539 F7D1 not ecx
1000453B 2BF9 sub edi, ecx
1000453D 55 push ebp
1000453E 8BC1 mov eax, ecx
10004540 8BF7 mov esi, edi
10004542 8BFA mov edi, edx
10004544 6A 03 push 3
10004546 C1E9 02 shr ecx, 2
10004549 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
1000454B 8BC8 mov ecx, eax ; EDX = pass
1000454D 55 push ebp
1000454E 83E1 03 and ecx, 3
10004551 6A 03 push 3
10004553 68 000000C0 push C0000000
10004558 68 D0D20010 push 1000D2D0 ; ASCII "\\.\physicaldrive0"
1000455D F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
1000455F FF15 80C00010 call dword ptr [<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
0012FC20 1000D2D0 |FileName = "\\.\physicaldrive0"
0012FC24 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FC28 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FC2C 00000000 |pSecurity = NULL
0012FC30 00000003 |Mode = OPEN_EXISTING
0012FC34 00000000 |Attributes = 0
0012FC38 00000000 \hTemplateFile = NULL
10004565 8BF0 mov esi, eax
10004567 83FE FF cmp esi, -1
1000456A 74 56 je short 100045C2
1000456C 8D4C24 10 lea ecx, dword ptr [esp+10]
10004570 55 push ebp
10004571 51 push ecx
10004572 8D5424 1C lea edx, dword ptr [esp+1C]
10004576 6A 10 push 10
10004578 52 push edx
10004579 68 00040000 push 400
1000457E 53 push ebx
1000457F 68 40260700 push 72640
10004584 56 push esi
10004585 FF15 40C00010 call dword ptr [<&KERNEL32.DeviceIoControl>] ; kernel32.DeviceIoControl
0012FC1C 000000AC |hDevice = 000000AC (window)
0012FC20 00072640 |IoControlCode = 72640
0012FC24 003E61D8 |InBuffer = 003E61D8 // the password I entered
0012FC28 00000400 |InBufferSize = 400 (1024.)
0012FC2C 0012FC50 |OutBuffer = 0012FC50
0012FC30 00000010 |OutBufferSize = 10 (16.)
0012FC34 0012FC4C |pBytesReturned = 0012FC4C
0012FC38 00000000 \pOverlapped = NULL
1000458B 85C0 test eax, eax
1000458D 56 push esi
1000458E 74 56 je short 100045E6
10004590 FF15 28C00010 call dword ptr [<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
10004596 8B4424 14 mov eax, dword ptr [esp+14]
1000459A 8B0D C8D20010 mov ecx, dword ptr [1000D2C8]
100045A0 3BC1 cmp eax, ecx // password comparison???
100045A2 75 54 jnz short 100045F8 // patching here cracks it
100045A4 53 push ebx
100045A5 E8 06290000 call 10006EB0
100045AA 83C4 04 add esp, 4
100045AD 8BC5 mov eax, ebp
100045AF 5F pop edi
100045B0 5E pop esi
100045B1 5D pop ebp
100045B2 5B pop ebx
100045B3 83C4 14 add esp, 14
100045B6 C3 retn