菜鸟一个 就不写那么多题外话啦
GIF Movie Gear 动画制作软件
软件下载区有的
用到工具 OD C32ASM
01.00433CEF . 52 PUSH EDX ///////////// 程序在这下断
02.00433CF0 . E8 EBFBFFFF CALL 004338E0 ///关键call
03.00433CF5 . 83C4 08 ADD ESP,8
04.00433CF8 . 85C0 TEST EAX,EAX
05.00433CFA . 0F84 B6000000 JE 00433DB6 ///////关键跳
06.00433D00 . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
07.00433D04 . 50 PUSH EAX ; /pDisposition
08.00433D05 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ; |
09.00433D09 . 51 PUSH ECX ; |pHandle
10.00433D0A . 6A 00 PUSH 0 ; |pSecurity = NULL
11.00433D0C . 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
12.00433D11 . 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
13.00433D13 . 68 85F64700 PUSH 0047F685 ; |Class = ""
14.00433D18 . 6A 00 PUSH 0 ; |Reserved = 0
15.00433D1A . 68 84E44800 PUSH 0048E484 ; |Subkey = "Software\gamani\GIFMovieGear\2.0"
16.00433D1F . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
17.00433D24 . FF15 0CF04700 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
18.00433D2A . 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
19.00433D2E . 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
20.00433D31 > 8A08 MOV CL,BYTE PTR DS:[EAX]
21.00433D33 . 40 INC EAX
22.00433D34 . 84C9 TEST CL,CL
23.00433D36 .^ 75 F9 JNZ SHORT 00433D31
24.00433D38 . 8B35 00F04700 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegSetV>; advapi32.RegSetValueExA
25.00433D3E . 2BC2 SUB EAX,EDX
26.00433D40 . 40 INC EAX
27.00433D41 . 50 PUSH EAX ; /BufSize
28.00433D42 . 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; |
29.00433D46 . 8D5424 64 LEA EDX,DWORD PTR SS:[ESP+64] ; |
30.00433D4A . 52 PUSH EDX ; |Buffer
31.00433D4B . 6A 01 PUSH 1 ; |ValueType = REG_SZ
32.00433D4D . 6A 00 PUSH 0 ; |Reserved = 0
33.00433D4F . 68 C8F34800 PUSH 0048F3C8 ; |ValueName = "RegName3"
34.00433D54 . 50 PUSH EAX ; |hKey
35.00433D55 . FFD6 CALL ESI ; \RegSetValueExA
36.00433D57 . 8D8424 C40000>LEA EAX,DWORD PTR SS:[ESP+C4]
37.00433D5E . 8D48 01 LEA ECX,DWORD PTR DS:[EAX+1]
38.00433D61 > 8A10 MOV DL,BYTE PTR DS:[EAX]
39.00433D63 . 40 INC EAX
40.00433D64 . 84D2 TEST DL,DL
41.00433D66 .^ 75 F9 JNZ SHORT 00433D61
42.00433D68 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
43.00433D6C . 2BC1 SUB EAX,ECX
44.00433D6E . 40 INC EAX
45.00433D6F . 50 PUSH EAX
46.00433D70 . 8D8C24 C80000>LEA ECX,DWORD PTR SS:[ESP+C8]
47.00433D77 . 51 PUSH ECX
48.00433D78 . 6A 01 PUSH 1
49.00433D7A . 6A 00 PUSH 0
50.00433D7C . 68 D4F34800 PUSH 0048F3D4 ; ASCII "RegCode3"
51.00433D81 . 52 PUSH EDX
52.00433D82 . FFD6 CALL ESI
53.00433D84 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
54.00433D88 . 50 PUSH EAX ; /hKey
55.00433D89 . FF15 18F04700 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
56.00433D8F . 68 E0F34800 PUSH 0048F3E0 ; /Subkey = "Software\Loani\MG4"
57.00433D94 . 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
58.00433D99 . FF15 14F04700 CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA
59.00433D9F . 6A 01 PUSH 1 ; /Result = 1
60.00433DA1 . 57 PUSH EDI ; |hWnd
61.00433DA2 . FF15 A4F34700 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
62.00433DA8 . 5F POP EDI
63.00433DA9 . 5E POP ESI
64.00433DAA . 33C0 XOR EAX,EAX
65.00433DAC . 5B POP EBX
66.00433DAD . 81C4 1C010000 ADD ESP,11C
67.00433DB3 . C2 1000 RETN 10
68.00433DB6 > 6A 30 PUSH 30 /////注册信息无效
进入关键CALL
01.004338E0 /$ 53 PUSH EBX ; user32.GetWindowTextA
02.004338E1 |. 55 PUSH EBP
03.004338E2 |. 8B6C24 10 MOV EBP,DWORD PTR SS:[ESP+10]
04.004338E6 |. 807D 00 6D CMP BYTE PTR SS:[EBP],6D
05.004338EA |. 56 PUSH ESI
06.004338EB |. 57 PUSH EDI
07.004338EC |. 0F85 AD000000 JNZ 0043399F
08.004338F2 |. 807D 01 67 CMP BYTE PTR SS:[EBP+1],67
09.004338F6 |. 0F85 A3000000 JNZ 0043399F
10.004338FC |. 807D 02 33 CMP BYTE PTR SS:[EBP+2],33
11.00433900 |. 0F85 99000000 JNZ 0043399F
12.00433906 |. 807D 03 37 CMP BYTE PTR SS:[EBP+3],37
13.0043390A |. 0F85 8F000000 JNZ 0043399F
14.00433910 |. 33DB XOR EBX,EBX
15.00433912 |> 8BBB F8F34800 /MOV EDI,DWORD PTR DS:[EBX+48F3F8]
16.00433918 |. 8BC7 |MOV EAX,EDI
17.0043391A |. 8D50 01 |LEA EDX,DWORD PTR DS:[EAX+1]
18.0043391D |. 8D49 00 |LEA ECX,DWORD PTR DS:[ECX]
19.00433920 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX]
20.00433922 |. 40 ||INC EAX
21.00433923 |. 84C9 ||TEST CL,CL
22.00433925 |.^ 75 F9 |\JNZ SHORT 00433920
23.00433927 |. 2BC2 |SUB EAX,EDX
24.00433929 |. 8BC8 |MOV ECX,EAX
25.0043392B |. 8BF5 |MOV ESI,EBP
26.0043392D |. 33C0 |XOR EAX,EAX
27.0043392F |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS>
28.00433931 |. 74 65 |JE SHORT 00433998
29.00433933 |. 83C3 04 |ADD EBX,4
30.00433936 |. 81FB 80000000 |CMP EBX,80
31.0043393C |.^ 72 D4 \JB SHORT 00433912
32.0043393E |. 807D 04 73 CMP BYTE PTR SS:[EBP+4],73
33.00433942 |. 75 01 JNZ SHORT 00433945
34.00433944 |. 45 INC EBP
35.00433945 |> 8D4D 07 LEA ECX,DWORD PTR SS:[EBP+7]
36.00433948 |. 51 PUSH ECX
37.00433949 |. E8 76BD0300 CALL 0046F6C4
38.0043394E |. 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18]
39.00433952 |. 8A13 MOV DL,BYTE PTR DS:[EBX]
40.00433954 |. 83C4 04 ADD ESP,4
41.00433957 |. 33C9 XOR ECX,ECX
42.00433959 |. 84D2 TEST DL,DL
43.0043395B |. 8BFB MOV EDI,EBX
44.0043395D |. BE DF0B0000 MOV ESI,0BDF
45.00433962 |. 74 26 JE SHORT 0043398A
46.00433964 |> 0FBED2 /MOVSX EDX,DL
47.00433967 |. 41 |INC ECX
48.00433968 |. 0FAFD1 |IMUL EDX,ECX
49.0043396B |. 03F2 |ADD ESI,EDX
50.0043396D |. 81FE BE170000 |CMP ESI,17BE
51.00433973 |. 7E 06 |JLE SHORT 0043397B
52.00433975 |. 81EE BE170000 |SUB ESI,17BE
53.0043397B |> 83F9 0A |CMP ECX,0A
54.0043397E |. 7E 02 |JLE SHORT 00433982
55.00433980 |. 33C9 |XOR ECX,ECX
56.00433982 |> 8A57 01 |MOV DL,BYTE PTR DS:[EDI+1]
57.00433985 |. 47 |INC EDI
58.00433986 |. 84D2 |TEST DL,DL
59.00433988 |.^ 75 DA \JNZ SHORT 00433964
60.0043398A |> 3BF0 CMP ESI,EAX
61.0043398C |. 75 15 JNZ SHORT 004339A3
62.0043398E |. 5F POP EDI
63.0043398F |. 5E POP ESI
64.00433990 |. 5D POP EBP
65.00433991 |. B8 01000000 MOV EAX,1
66.00433996 |. 5B POP EBX
67.00433997 |. C3 RETN
68.00433998 |> 5F POP EDI
69.00433999 |. 5E POP ESI
70.0043399A |. 5D POP EBP
71.0043399B |. 33C0 XOR EAX,EAX
72.0043399D |. 5B POP EBX
73.0043399E |. C3 RETN
74.0043399F |> 8B5C24 14 MOV EBX,DWORD PTR SS:[ESP+14]
75.004339A3 |> 55 PUSH EBP
76.004339A4 |. 53 PUSH EBX
77.004339A5 |. E8 16FCFFFF CALL 004335C0 //观察寄存器 EAX的值 当EAX为0是跳向注册失败 关键CALL中的关键CALL
78.004339AA |. 83C4 08 ADD ESP,8 ///eax过了这个call后为0
79.004339AD |. 5F POP EDI
80.004339AE |. 5E POP ESI
81.004339AF |. 5D POP EBP
82.004339B0 |. 5B POP EBX
83.004339B1 \. C3 RETN
进入关键call中的关键call看看，注意观察寄存器eax的值，看看在哪里为0了。这个call也就是算法call，里面有真码，我就不分析了。
01.004335C0 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
02.004335C4 |. 8D9424 38FFFF>LEA EDX,DWORD PTR SS:[ESP-C8]
03.004335CB |. 81EC D8000000 SUB ESP,0D8
04.004335D1 |. 2BD0 SUB EDX,EAX
05.004335D3 |> 8A08 /MOV CL,BYTE PTR DS:[EAX] 假码出现
06.004335D5 |. 880C02 |MOV BYTE PTR DS:[EDX+EAX],CL
07.004335D8 |. 40 |INC EAX
08.004335D9 |. 84C9 |TEST CL,CL
09.004335DB |.^ 75 F6 \JNZ SHORT 004335D3
10.004335DD |. 53 PUSH EBX
11.004335DE |. 55 PUSH EBP
12.004335DF |. 56 PUSH ESI
13.004335E0 |. 57 PUSH EDI
14.004335E1 |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
15.004335E5 |. 50 PUSH EAX ; /StringOrChar
16.004335E6 |. FF15 1CF34700 CALL DWORD PTR DS:[<&USER32.CharUpperA>] ; \CharUpperA
17.004335EC |. 8A4424 20 MOV AL,BYTE PTR SS:[ESP+20]
18.004335F0 |. 84C0 TEST AL,AL
19.004335F2 |. 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20]
20.004335F6 |. 8D7C24 20 LEA EDI,DWORD PTR SS:[ESP+20]
21.004335FA |. 74 26 JE SHORT 00433622
22.004335FC |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
23.00433600 |> 0FBE0E /MOVSX ECX,BYTE PTR DS:[ESI]
24.00433603 |. 51 |PUSH ECX
25.00433604 |. 68 78F44800 |PUSH 0048F478 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
26.00433609 |. E8 02C10300 |CALL 0046F710
27.0043360E |. 83C4 08 |ADD ESP,8
28.00433611 |. 85C0 |TEST EAX,EAX
29.00433613 |. 74 05 |JE SHORT 0043361A
30.00433615 |. 8A16 |MOV DL,BYTE PTR DS:[ESI]
31.00433617 |. 8817 |MOV BYTE PTR DS:[EDI],DL
32.00433619 |. 47 |INC EDI
33.0043361A |> 8A46 01 |MOV AL,BYTE PTR DS:[ESI+1]
34.0043361D |. 46 |INC ESI
35.0043361E |. 84C0 |TEST AL,AL
36.00433620 |.^ 75 DE \JNZ SHORT 00433600
37.00433622 |> 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
38.00433626 |. C607 00 MOV BYTE PTR DS:[EDI],0
39.00433629 |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
40.0043362C |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
41.00433630 |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
42.00433632 |. 40 |INC EAX
43.00433633 |. 84C9 |TEST CL,CL
44.00433635 |.^ 75 F9 \JNZ SHORT 00433630
45.00433637 |. 2BC2 SUB EAX,EDX
46.00433639 |. 83F8 18 CMP EAX,18
47.0043363C |. 7D 1E JGE SHORT 0043365C
48.0043363E |. B9 18000000 MOV ECX,18
49.00433643 |. 2BC8 SUB ECX,EAX
50.00433645 |. 8D7C04 20 LEA EDI,DWORD PTR SS:[ESP+EAX+20]
51.00433649 |. 8BC1 MOV EAX,ECX
52.0043364B |. C1E9 02 SHR ECX,2
53.0043364E |. BE 78F44800 MOV ESI,0048F478 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
54.00433653 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
55.00433655 |. 8BC8 MOV ECX,EAX
56.00433657 |. 83E1 03 AND ECX,3
57.0043365A |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
58.0043365C |> B8 78F44800 MOV EAX,0048F478 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
59.00433661 |. C64424 39 00 MOV BYTE PTR SS:[ESP+39],0
60.00433666 |. C68424 840000>MOV BYTE PTR SS:[ESP+84],0
61.0043366E |. 33ED XOR EBP,EBP
62.00433670 |. 8D48 01 LEA ECX,DWORD PTR DS:[EAX+1]
63.00433673 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
64.00433675 |. 40 |INC EAX
65.00433676 |. 84D2 |TEST DL,DL
66.00433678 |.^ 75 F9 \JNZ SHORT 00433673
67.0043367A |. 2BC1 SUB EAX,ECX
68.0043367C |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
69.00433680 |. B8 01000000 MOV EAX,1
70.00433685 |. 2D 78F44800 SUB EAX,0048F478 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
71.0043368A |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
72.0043368E |. 33DB XOR EBX,EBX
73.00433690 |. B8 78F44800 MOV EAX,0048F478 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
74.00433695 |. 48 DEC EAX
75.00433696 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
76.0043369A |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
77.0043369E |. 48 DEC EAX
78.0043369F |. 8DBC24 840000>LEA EDI,DWORD PTR SS:[ESP+84]
79.004336A6 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
80.004336AA |. EB 04 JMP SHORT 004336B0
81.004336AC |> 8B4424 1C /MOV EAX,DWORD PTR SS:[ESP+1C]
82.004336B0 |> 0FBE4C18 01 MOVSX ECX,BYTE PTR DS:[EAX+EBX+1]
83.004336B5 |. 8D73 01 |LEA ESI,DWORD PTR DS:[EBX+1]
84.004336B8 |. 51 |PUSH ECX
85.004336B9 |. 68 78F44800 |PUSH 0048F478 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
86.004336BE |. E8 4DC00300 |CALL 0046F710
87.004336C3 |. 8B5424 20 |MOV EDX,DWORD PTR SS:[ESP+20]
88.004336C7 |. 8BC8 |MOV ECX,EAX
89.004336C9 |. 03CA |ADD ECX,EDX
90.004336CB |. 8D41 FF |LEA EAX,DWORD PTR DS:[ECX-1]
91.004336CE |. 0FAFC1 |IMUL EAX,ECX
92.004336D1 |. 03C5 |ADD EAX,EBP
93.004336D3 |. 99 |CDQ
94.004336D4 |. F77C24 18 |IDIV DWORD PTR SS:[ESP+18]
95.004336D8 |. 83C4 08 |ADD ESP,8
96.004336DB |. B9 06000000 |MOV ECX,6
97.004336E0 |. 42 |INC EDX
98.004336E1 |. 8BEA |MOV EBP,EDX
99.004336E3 |. 8B5424 14 |MOV EDX,DWORD PTR SS:[ESP+14]
100.004336E7 |. 8A042A |MOV AL,BYTE PTR DS:[EDX+EBP]
101.004336EA |. 8807 |MOV BYTE PTR DS:[EDI],AL
102.004336EC |. 8BC6 |MOV EAX,ESI
103.004336EE |. 99 |CDQ
104.004336EF |. F7F9 |IDIV ECX
105.004336F1 |. 47 |INC EDI
106.004336F2 |. 85D2 |TEST EDX,EDX
107.004336F4 |. 75 09 |JNZ SHORT 004336FF
108.004336F6 |. 83FB 17 |CMP EBX,17
109.004336F9 |. 7D 04 |JGE SHORT 004336FF
110.004336FB |. C607 2D |MOV BYTE PTR DS:[EDI],2D
111.004336FE |. 47 |INC EDI
112.004336FF |> 8BDE |MOV EBX,ESI
113.00433701 |. 83FB 18 |CMP EBX,18
114.00433704 |.^ 7C A6 \JL SHORT 004336AC
115.00433706 |. 8B8424 F00000>MOV EAX,DWORD PTR SS:[ESP+F0]
116.0043370D |. C607 00 MOV BYTE PTR DS:[EDI],0
117.00433710 |. 8DB424 840000>LEA ESI,DWORD PTR SS:[ESP+84]
118.00433717 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
119.00433719 |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
120.0043371B |. 8ACA |MOV CL,DL
121.0043371D |. 3AD3 |CMP DL,BL
122.0043371F |. 75 1E |JNZ SHORT 0043373F
123.00433721 |. 84C9 |TEST CL,CL
124.00433723 |. 74 16 |JE SHORT 0043373B
125.00433725 |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+1]
126.00433728 |. 8A5E 01 |MOV BL,BYTE PTR DS:[ESI+1]
127.0043372B |. 8ACA |MOV CL,DL
128.0043372D |. 3AD3 |CMP DL,BL
129.0043372F |. 75 0E |JNZ SHORT 0043373F
130.00433731 |. 83C0 02 |ADD EAX,2
131.00433734 |. 83C6 02 |ADD ESI,2
132.00433737 |. 84C9 |TEST CL,CL
133.00433739 |.^ 75 DC \JNZ SHORT 00433717
134.0043373B |> 33C0 XOR EAX,EAX
135.0043373D |. EB 05 JMP SHORT 00433744
136.0043373F |> 1BC0 SBB EAX,EAX
137.00433741 |. 83D8 FF SBB EAX,-1
138.00433744 |> 85C0 TEST EAX,EAX
139.00433746 |. 5F POP EDI
140.00433747 |. 5E POP ESI
141.00433748 |. 5D POP EBP
142.00433749 |. 5B POP EBX
143.0043374A |. 75 0C JNZ SHORT 00433758
144.0043374C |. B8 01000000 MOV EAX,1
145.00433751 |. 81C4 D8000000 ADD ESP,0D8
146.00433757 |. C3 RETN
147.00433758 33C0 XOR EAX,EAX //标志位 eax清0 发现eax过了这就为0
148.0043375A |. 81C4 D8000000 ADD ESP,0D8
149.00433760 \. C3 RETN
所以 00433758 33C0 XOR EAX,EAX 就是爆破点了
改为 OR EAX,EAX