大家简单地说下思路就好了,或者谈谈自己的看法,只是我现在一点头绪也没有。
大概试了一下,觉得是利用SEH,设置eip指针执行代码的。异常处理我整理了一下,代码如下,去掉了许多jmp。
// Exception handler of the crackme, as reconstructed by the poster (jmp chains removed).
// Argument layout used below: [esp+4] -> struct { ptr to record starting with the
// exception code; ptr to CONTEXT (Eip at +0xB8) }. That is the EXCEPTION_POINTERS
// layout, and the routine returns -1 via `retn 4` (stdcall, one argument), which fits a
// top-level filter / vectored handler rather than a frame-based SEH handler (cdecl,
// four arguments, returns ExceptionContinueExecution = 0). NOTE(review): confirm how
// it is installed before calling it "SEH".
// Effect: on an int3 (0xCC) at Eip, the byte after the int3 is scrambled into a skip
// count of 0..7 and execution resumes at int3 + 2 + skip. Every other case branches to
// 00401364 / 004013CE, which are not reproduced here.
xchg ebp,ebp                       // no-op padding (xchg/mov of a register with itself)
xchg ebx,ebx
mov ebx,ebx
mov eax,dword ptr ss:[esp+0x4]     // eax = first argument (see header)
mov ecx,dword ptr ds:[eax]         // ecx = ->ExceptionRecord
cmp dword ptr ds:[ecx],0x80000003  // ExceptionCode == EXCEPTION_BREAKPOINT (STATUS_BREAKPOINT)?
jnz 00401364                       // other exception codes: path not shown
push esi
mov esi,dword ptr ds:[eax+0x4]     // esi = ->ContextRecord
mov edx,dword ptr ds:[esi+0xB8]    // edx = ctx->Eip (0xB8 = offset of Eip in the x86 CONTEXT)
cmp byte ptr ds:[edx],0xCC         // is the byte at Eip really an int3 opcode?
jnz 004013CE                       // not 0xCC: path not shown
inc edx                            // edx -> the byte following the int3
xchg ebp,ebp                       // no-op padding
mov ebx,ebx
mov cl,byte ptr ds:[edx]           // cl = encoded skip byte b
mov al,cl                          // --- scramble b into the real skip count ---
shl al,0x6                         // (b<<6) and (b>>2) occupy disjoint bits, so the
shr cl,0x2                         //  add below is an OR: al = ror(b, 2)
add al,cl
xor al,0xD
mov cl,al
shr cl,0x5                         // same trick: cl = rol(al, 3)
shl al,0x3
xchg ebp,ebp                       // no-op padding
xchg ebx,ebx
mov ebx,ebx
add cl,al
add cl,0x11
mov al,cl
shl al,0x5                         // al = rol(cl, 5)
shr cl,0x3
add al,cl
xor al,0x51
mov cl,al
shl cl,0x7                         // cl = ror(al, 1)
shr al,1
xchg ebp,ebp                       // no-op padding
xchg ebx,ebx
mov ebx,ebx
add cl,al
sub cl,0x6F
and ecx,0xFF                       // ecx's upper bytes still hold the ExceptionRecord pointer from above
and ecx,0x80000007                 // keep bits 0..2 only: skip count is 0..7
add edx,ecx                        // edx = int3 + 1 + skip
xchg ebp,ebp                       // no-op padding
mov ebx,ebx
inc edx                            // edx = int3 + 2 + skip = first byte of the next real instruction
or eax,0xFFFFFFFF                  // return -1 (EXCEPTION_CONTINUE_EXECUTION for a filter / vectored handler)
mov dword ptr ds:[esi+0xB8],edx    // ctx->Eip = resume address; this is where execution continues
pop esi
retn 0x4                           // stdcall, one 4-byte argument
注意倒数第三行的 mov dword ptr ds:[esi+0xB8],edx 这个是设置eip。
我的方法是在这一行,设置条件记录断点,把所有的执行过的eip地址都打印出来,挨个找,貌似每12条int 3指令后,有一条有效指令,只找了下面几条,后面就没耐心了……咱们可以一起研究下。
// The first "real" instructions the poster recovered between the int3 padding; the
// fuller trace in the next post (0040168D, 004016CE, 00401715, 0040175A) shows the
// same four in context.
push 0x1                           // argument for CWnd::UpdateData (TRUE)
mov ebx,0x1D9E2                    // ebx = hash seed
lea esi,dword ptr ds:[edi+0x64]    // esi = &this->name (CString at this+0x64)
mov eax,dword ptr ds:[esi]         // eax = its internal buffer pointer
哎~~~ 条件记录断点的条件弄错了~~可以过滤出不为CC的eip地址~~~~
流程跟了一下,算法貌似也挺简单的,明天再看算法
// Registration check, MFC dialog handler (edi = this). The trace is partial: the int3
// padding between real instructions was skipped, so addresses jump.
// Members seen here: this+0x60 = serial CString, this+0x64 = name CString.
// Frame: [ebp-8] = name buffer pointer, [ebp-4] = name length.
0040168D 6A 01 push 0x1
0040168F E8 30100000 call <jmp.&MFC42.#CWnd::UpdateData_6334>   // UpdateData(TRUE): copy edit controls into members
004016CE BB E2D90100 mov ebx,0x1D9E2   // ebx = hash seed, accumulated over the name further down
00401715 8D77 64 lea esi,dword ptr ds:[edi+0x64]   // esi = &this->name (CString)
00401718 6A 00 push 0x0
0040171A 8BCE mov ecx,esi
0040171C E8 9D0F0000 call <jmp.&MFC42.#CString::GetBuffer_2915>   // GetBuffer(0): writable char*
00401721 8945 F8 mov dword ptr ss:[ebp-0x8],eax   // [ebp-8] = name buffer
0040175A 8B06 mov eax,dword ptr ds:[esi]   // eax = CString's internal buffer pointer
0040175C 8B48 F8 mov ecx,dword ptr ds:[eax-0x8]   // name length: MFC42 CStringData::nDataLength sits 8 bytes before the chars
0040175F 894D FC mov dword ptr ss:[ebp-0x4],ecx   // [ebp-4] = name length
004017A1 8B36 mov esi,dword ptr ds:[esi]   // esi = name buffer
004017A3 68 0C414000 push 0040410C   // constant string; contents not in this dump (NOTE(review): presumably "" - an empty-field check; confirm)
004017A8 56 push esi
004017A9 8B35 B4314000 mov esi,dword ptr ds:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp
004017AF FFD6 call esi   // _mbscmp(name, constant)
004017B1 83C4 08 add esp,0x8
004017B4 85C0 test eax,eax
004017B6 74 4C je short 00401804   // name equals the constant -> "registration failed"
004017F2 8B47 60 mov eax,dword ptr ds:[edi+0x60]   // eax = serial buffer (CString at this+0x60)
004017F5 68 0C414000 push 0040410C
004017FA 50 push eax
004017FB FFD6 call esi   // _mbscmp(serial, same constant)
004017FD 83C4 08 add esp,0x8
00401800 85C0 test eax,eax
00401802 75 17 jnz short 0040181B   // serial differs -> go on to the hash; otherwise fall into the failure path
00401804 6A 00 push 0x0
00401806 6A 00 push 0x0
00401808 68 2C404000 push 0040402C ; ASCII "注册失败!"
0040180D 8BCF mov ecx,edi
0040180F E8 A40E0000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224>   // this->MessageBox("registration failed")
00401814 5F pop edi
00401815 5E pop esi
00401816 5B pop ebx
00401817 8BE5 mov esp,ebp
00401819 5D pop ebp
0040181A C3 retn
004018ED 8B45 FC mov eax,dword ptr ss:[ebp-0x4]   // eax = name length
004018F0 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]   // edx = name buffer
004018F3 83C9 FF or ecx,0xFFFFFFFF
004018F6 8D7410 01 lea esi,dword ptr ds:[eax+edx+0x1]   // esi = name + len + 1: start value of the loop cursor
004018FA 2BCA sub ecx,edx   // ecx = -1 - name, so that ecx + cursor == characters still to read
004018FC 8BC6 mov eax,esi   // eax = cursor
// Hash pass 1 over the name, last character first. Per character c:
//   ebx = ((ebx + c) * 123) ^ 0x14AC453A          (lea *5, lea *41, lea *3 == *123)
// Side effect: name[i+1] is overwritten with bl before and after the xor, so the NUL
// terminator and name[1..len] are trashed. Passes 2 and 3 below run the same body on
// this already-modified buffer, with ebx carried over (not reset between passes).
00401947 0FBE50 FE movsx edx,byte ptr ds:[eax-0x2]   // edx = (signed) name[cursor-2]; first read is the last character
0040194B 48 dec eax
0040194C 03DA add ebx,edx   // ebx += c (sign-extended, so bytes >= 0x80 subtract)
00401994 8D149B lea edx,dword ptr ds:[ebx+ebx*4]   // edx = ebx*5
00401997 8D14D3 lea edx,dword ptr ds:[ebx+edx*8]   // edx = ebx*41
0040199A 8D1C52 lea ebx,dword ptr ds:[edx+edx*2]   // ebx = ebx*123
004019E4 8818 mov byte ptr ds:[eax],bl   // name[cursor] = low byte (one past the char just read)
00401A22 81F3 3A45AC14 xor ebx,0x14AC453A
00401A66 0018 add byte ptr ds:[eax],bl   // name[cursor] += new low byte
00401AA1 8D1401 lea edx,dword ptr ds:[ecx+eax]   // edx = characters still to read (ecx == -1 - name)
00401AA4 85D2 test edx,edx
00401AA6 ^ 0F8F 52FEFFFF jg 00401947   // signed compare; an empty name (if not rejected earlier) still runs once and reads name[-1]
// Hash pass 2: same body, reading the buffer as modified by pass 1; ebx carried over.
00401B42 8BC6 mov eax,esi   // cursor reset to name + len + 1
00401B96 0FBE50 FE movsx edx,byte ptr ds:[eax-0x2]
00401B9A 48 dec eax
00401B9B 03DA add ebx,edx
00401BD6 8D149B lea edx,dword ptr ds:[ebx+ebx*4]
00401BD9 8D14D3 lea edx,dword ptr ds:[ebx+edx*8]
00401BDC 8D1C52 lea ebx,dword ptr ds:[edx+edx*2]
00401C2F 8818 mov byte ptr ds:[eax],bl
00401C6C 81F3 3A45AC14 xor ebx,0x14AC453A
00401CAE 0018 add byte ptr ds:[eax],bl
00401CF8 8D1408 lea edx,dword ptr ds:[eax+ecx]
00401CFB 85D2 test edx,edx
00401CFD ^ 0F8F 41FEFFFF jg 00401B96
// Hash pass 3: same body again, on the buffer as left by pass 2.
00401D92 8BC6 mov eax,esi
00401DDC 0FBE50 FE movsx edx,byte ptr ds:[eax-0x2]
00401DE0 48 dec eax
00401DE1 03DA add ebx,edx
00401E27 8D149B lea edx,dword ptr ds:[ebx+ebx*4]
00401E2A 8D14D3 lea edx,dword ptr ds:[ebx+edx*8]
00401E2D 8D1C52 lea ebx,dword ptr ds:[edx+edx*2]
00401E75 8818 mov byte ptr ds:[eax],bl
00401ECD 81F3 3A45AC14 xor ebx,0x14AC453A
00401F0A 0018 add byte ptr ds:[eax],bl
00401F4E 8D1408 lea edx,dword ptr ds:[eax+ecx]
00401F51 85D2 test edx,edx
00401F53 ^ 0F8F 3BFEFFFF jg 00401DDC
// Reduce the hash modulo 0x15011F.
00401F9E 8BC3 mov eax,ebx
00401FA0 33D2 xor edx,edx   // edx:eax = hash; unsigned division follows
00401FA2 B9 1F011500 mov ecx,0x15011F
00401FA7 F7F1 div ecx
00401FA9 8BDA mov ebx,edx   // ebx = hash % 0x15011F (unsigned); compared against the serial at 00402290
// Serial side: the serial string is parsed as a decimal number reading from its LAST
// character to the first (so the last character becomes the most significant digit),
// then compared with the reduced name hash held in ebx.
00401FF0 8D77 60 lea esi,dword ptr ds:[edi+0x60]   // esi = &this->serial (CString)
00401FF3 6A 00 push 0x0
00401FF5 8BCE mov ecx,esi
00401FF7 E8 C2060000 call <jmp.&MFC42.#CString::GetBuffer_2915>   // eax = serial buffer
00402043 8B16 mov edx,dword ptr ds:[esi]
00402045 8B52 F8 mov edx,dword ptr ds:[edx-0x8]   // edx = serial length (CStringData::nDataLength)
004020D5 33C9 xor ecx,ecx   // ecx = parsed-value accumulator
00402111 83CE FF or esi,0xFFFFFFFF
00402114 8D5402 01 lea edx,dword ptr ds:[edx+eax+0x1]   // edx = serial + len + 1 (cursor); NOTE(review): assumes eax still holds the GetBuffer result - the skipped padding must not touch it
00402118 2BF0 sub esi,eax   // esi = -1 - serial, so esi + cursor == characters still to read
// Parse loop, last character first: ecx = ecx*10 + (c - '0'). No digit-range check is visible in this trace.
004021A6 0FBE42 FE movsx eax,byte ptr ds:[edx-0x2]   // eax = (signed) serial[cursor-2]
004021AA 4A dec edx
004021AB 8D0C89 lea ecx,dword ptr ds:[ecx+ecx*4]   // ecx = ecx*5
004021AE 8D4C48 D0 lea ecx,dword ptr ds:[eax+ecx*2-0x30]   // ecx = ecx*10 + c - 0x30 ('0')
004021F9 880A mov byte ptr ds:[edx],cl   // serial[cursor] = low byte; trashes the buffer but that position is never re-read
00402245 8D0432 lea eax,dword ptr ds:[edx+esi]   // eax = characters still to read
00402248 85C0 test eax,eax
0040224A ^ 0F8F CAFEFFFF jg 004021A6
00402290 3BD9 cmp ebx,ecx   // name hash % 0x15011F == reversed-decimal(serial)?
00402292 75 17 jnz short 00402384   // mismatch -> "registration failed" (the poster's "key jump")
00402294 6A 00 push 0x0
00402296 6A 00 push 0x0
00402298 68 20404000 push 00404020 ; ASCII "注册成功!"
0040229D 8BCF mov ecx,edi
0040229F E8 14040000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224>   // this->MessageBox("registration succeeded")
004022A4 5F pop edi
004022A5 5E pop esi
004022A6 5B pop ebx
004022A7 8BE5 mov esp,ebp
004022A9 5D pop ebp
004022AA C3 retn
00402384 6A 00 push 0x0
00402386 6A 00 push 0x0
00402388 68 2C404000 push 0040402C ; ASCII "注册失败!"
0040238D 8BCF mov ecx,edi
0040238F E8 24030000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224>   // this->MessageBox("registration failed"); epilogue not shown