-
-
[旧帖] [求助]跟关键CALL,越跟越糊涂。帮忙指点指点 0.00雪花
-
发表于: 2007-5-12 15:02
-
前面破一个这公司的软件,第一个关键跳跟进后就发现在明码比较。可是这个我真是越跟越空白。
不明白什么意思了。
0073540A . 55 PUSH EBP 我把断点下在这里
0073540B . 68 49557300 PUSH PDepot.00735549
00735410 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00735413 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00735416 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00735419 . E8 AE020000 CALL PDepot.007356CC 要F7跟进,不然跳注册失败(暂把这个CALL称 c1)
0073541E 84C0 TEST AL,AL
00735420 0F84 DB000000 JE PDepot.00735501
00735426 . 33C0 XOR EAX,EAX
00735428 . 55 PUSH EBP
00735429 . 68 E5547300 PUSH PDepot.007354E5
0073542E . 64:FF30 PUSH DWORD PTR FS:[EAX]
00735431 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00735434 . B2 01 MOV DL,1
00735436 . A1 84B34400 MOV EAX,DWORD PTR DS:[44B384]
0073543B . E8 6861D1FF CALL PDepot.0044B5A8
00735440 . 8BD8 MOV EBX,EAX
00735442 . BA 02000080 MOV EDX,80000002
00735447 . 8BC3 MOV EAX,EBX
00735449 . E8 3662D1FF CALL PDepot.0044B684
0073544E . B1 01 MOV CL,1
00735450 . BA 60557300 MOV EDX,PDepot.00735560 ; Software\zy\PDepot
00735455 . 8BC3 MOV EAX,EBX
00735457 . E8 6C63D1FF CALL PDepot.0044B7C8
0073545C . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0073545F . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00735462 . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
00735468 . E8 736CD5FF CALL PDepot.0048C0E0
0073546D . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00735470 . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00735473 . E8 184CCDFF CALL PDepot.0040A090
00735478 . 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0073547B . BA 7C557300 MOV EDX,PDepot.0073557C ; Name
00735480 . 8BC3 MOV EAX,EBX
00735482 . E8 9168D1FF CALL PDepot.0044BD18
00735487 . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0073548A . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0073548D . 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
00735493 . E8 486CD5FF CALL PDepot.0048C0E0
00735498 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0073549B . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0073549E . E8 ED4BCDFF CALL PDepot.0040A090
007354A3 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
007354A6 . BA 8C557300 MOV EDX,PDepot.0073558C ; Pass
007354AB . 8BC3 MOV EAX,EBX
007354AD . E8 6668D1FF CALL PDepot.0044BD18
007354B2 . 8BC3 MOV EAX,EBX
007354B4 . E8 BBEACCFF CALL PDepot.00403F74
007354B9 . 6A 40 PUSH 40
007354BB . 68 94557300 PUSH PDepot.00735594 ; 软件注册
007354C0 . 68 A0557300 PUSH PDepot.007355A0 ; 注册成功,本程序所有功能限制下次启动时将被自动解除,欢迎您成为我们正式版本用户!
007354C5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354C8 . E8 C3D6D5FF CALL PDepot.00492B90
007354CD . 50 PUSH EAX ; |hOwner
007354CE . E8 9931CDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
007354D3 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354D6 . E8 294BD7FF CALL PDepot.004AA004
007354DB . 33C0 XOR EAX,EAX
007354DD . 5A POP EDX
007354DE . 59 POP ECX
007354DF . 59 POP ECX
007354E0 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
007354E3 . EB 36 JMP SHORT PDepot.0073551B
007354E5 .^ E9 6AEFCCFF JMP PDepot.00404454
007354EA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354ED . E8 124BD7FF CALL PDepot.004AA004
007354F2 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354F5 . E8 1A010000 CALL PDepot.00735614
007354FA . E8 81F3CCFF CALL PDepot.00404880
007354FF . EB 1A JMP SHORT PDepot.0073551B
00735501 > 6A 40 PUSH 40
00735503 . 68 94557300 PUSH PDepot.00735594 ; 软件注册
00735508 68 F0557300 PUSH PDepot.007355F0 ; 注册失败,请检查您的注册名和注册码!
0073550D . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00735510 . E8 7BD6D5FF CALL PDepot.00492B90
00735515 . 50 PUSH EAX ; |hOwner
00735516 . E8 5131CDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0073551B > 33C0 XOR EAX,EAX
0073551D . 5A POP EDX
0073551E . 59 POP ECX
c1跟进后到这里
007356CC $ 55 PUSH EBP
007356CD |. 8BEC MOV EBP,ESP
007356CF |. B9 04000000 MOV ECX,4
007356D4 |> 6A 00 /PUSH 0 1这里四句我不明白是什么意思
007356D6 |. 6A 00 |PUSH 0 2到了JNZ了又往回跳到007356d4
007356D8 |. 49 |DEC ECX 3形成一个循环跳
007356D9 ^ 75 F9 JNZ SHORT PDepot.007356D4 4暂且我只有把JNZ改JZ让它往下走
007356DB 51 PUSH ECX
007356DC 53 PUSH EBX
007356DD 56 PUSH ESI
007356DE 8BF0 MOV ESI,EAX
007356E0 33C0 XOR EAX,EAX
007356E2 55 PUSH EBP
007356E3 68 E1577300 PUSH PDepot.007357E1
007356E8 64:FF30 PUSH DWORD PTR FS:[EAX]
007356EB 64:8920 MOV DWORD PTR FS:[EAX],ESP
007356EE 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
007356F1 8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
007356F7 E8 E469D5FF CALL PDepot.0048C0E0
007356FC 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 把假注册传送给eax
007356FF 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00735702 E8 8949CDFF CALL PDepot.0040A090
00735707 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 把假注册传送给eax
0073570A 50 PUSH EAX
0073570B 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0073570E 8B86 04030000 MOV EAX,DWORD PTR DS:[ESI+304]
00735714 E8 C769D5FF CALL PDepot.0048C0E0 F7跟进,不然跳走(这里称c2)
00735719 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0073571C 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0073571F E8 6C49CDFF CALL PDepot.0040A090
00735724 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
00735727 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
0073572A 8BC6 MOV EAX,ESI
0073572C E8 FF000000 CALL PDepot.00735830
跟进后来到C2
0048C0E0 /$ 53 PUSH EBX
0048C0E1 |. 56 PUSH ESI
0048C0E2 |. 57 PUSH EDI
0048C0E3 |. 8BFA MOV EDI,EDX
0048C0E5 |. 8BF0 MOV ESI,EAX
0048C0E7 |. 8BC6 MOV EAX,ESI
0048C0E9 |. E8 66FFFFFF CALL PDepot.0048C054
0048C0EE |. 8BD8 MOV EBX,EAX
0048C0F0 |. 8BC7 MOV EAX,EDI
0048C0F2 |. 8BCB MOV ECX,EBX
0048C0F4 |. 33D2 XOR EDX,EDX
0048C0F6 |. E8 7D8EF7FF CALL PDepot.00404F78 跟进,不然跳走(c3)
0048C0FB |. 85DB TEST EBX,EBX
0048C0FD |. 74 0C JE SHORT PDepot.0048C10B
0048C0FF |. 8D4B 01 LEA ECX,DWORD PTR DS:[EBX+1]
0048C102 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0048C104 |. 8BC6 MOV EAX,ESI
0048C106 |. E8 59FFFFFF CALL PDepot.0048C064
0048C10B |> 5F POP EDI
0048C10C |. 5E POP ESI
0048C10D |. 5B POP EBX
0048C10E \. C3 RETN
0048C10F 90 NOP
C3如下
00404F78 /$ 53 PUSH EBX
00404F79 |. 56 PUSH ESI
00404F7A |. 57 PUSH EDI
00404F7B |. 89C3 MOV EBX,EAX
00404F7D |. 89D6 MOV ESI,EDX
00404F7F |. 89CF MOV EDI,ECX
00404F81 |. 89F8 MOV EAX,EDI
00404F83 |. E8 C4FFFFFF CALL PDepot.00404F4C 跟进,不然跳走(c4)
00404F88 |. 89F9 MOV ECX,EDI
00404F8A |. 89C7 MOV EDI,EAX
00404F8C |. 85F6 TEST ESI,ESI
00404F8E |. 74 09 JE SHORT PDepot.00404F99
00404F90 |. 89C2 MOV EDX,EAX
00404F92 |. 89F0 MOV EAX,ESI
00404F94 |. E8 D3DBFFFF CALL PDepot.00402B6C
00404F99 |> 89D8 MOV EAX,EBX
00404F9B |. E8 E8FEFFFF CALL PDepot.00404E88
00404FA0 |. 893B MOV DWORD PTR DS:[EBX],EDI
00404FA2 |. 5F POP EDI
00404FA3 |. 5E POP ESI
00404FA4 |. 5B POP EBX
00404FA5 \. C3 RETN
c4后
00404F4C /$ 85C0 TEST EAX,EAX
00404F4E |. 7E 24 JLE SHORT PDepot.00404F74 跳转未实现
00404F50 |. 50 PUSH EAX
00404F51 |. 83C0 0A ADD EAX,0A
00404F54 |. 83E0 FE AND EAX,FFFFFFFE
00404F57 |. 50 PUSH EAX
00404F58 |. E8 F3D8FFFF CALL PDepot.00402850
00404F5D |. 5A POP EDX
00404F5E |. 66:C74402 FE >MOV WORD PTR DS:[EDX+EAX-2],0
00404F65 |. 83C0 08 ADD EAX,8
00404F68 |. 5A POP EDX
00404F69 |. 8950 FC MOV DWORD PTR DS:[EAX-4],EDX
00404F6C |. C740 F8 01000>MOV DWORD PTR DS:[EAX-8],1
00404F73 |. C3 RETN F8后就自动来到了00404f88
00404F74 |> 31C0 XOR EAX,EAX
00404F76 \. C3 RETN
00404F77 90 NOP
00404F78 /$ 53 PUSH EBX
00404F79 |. 56 PUSH ESI
00404F7A |. 57 PUSH EDI
00404F7B |. 89C3 MOV EBX,EAX
00404F7D |. 89D6 MOV ESI,EDX
00404F7F |. 89CF MOV EDI,ECX
00404F81 |. 89F8 MOV EAX,EDI
00404F83 |. E8 C4FFFFFF CALL PDepot.00404F4C
00404F88 |. 89F9 MOV ECX,EDI 也就是来到了这里
00404F8A |. 89C7 MOV EDI,EAX
00404F8C |. 85F6 TEST ESI,ESI
00404F8E |. 74 09 JE SHORT PDepot.00404F99 跳到0040f99
00404F90 |. 89C2 MOV EDX,EAX
00404F92 |. 89F0 MOV EAX,ESI
00404F94 |. E8 D3DBFFFF CALL PDepot.00402B6C
00404F99 |> 89D8 MOV EAX,EBX
00404F9B |. E8 E8FEFFFF CALL PDepot.00404E88 还跟进吗?跟进后是C5
00404FA0 |. 893B MOV DWORD PTR DS:[EBX],EDI
00404FA2 |. 5F POP EDI
00404FA3 |. 5E POP ESI
00404FA4 |. 5B POP EBX
00404FA5 \. C3 RETN
C5
00404E88 $ 8B10 MOV EDX,DWORD PTR DS:[EAX] ; PDepot.0044890C
00404E8A . 85D2 TEST EDX,EDX
00404E8C . 74 1C JE SHORT PDepot.00404EAA
00404E8E . C700 00000000 MOV DWORD PTR DS:[EAX],0
00404E94 . 8B4A F8 MOV ECX,DWORD PTR DS:[EDX-8]
00404E97 . 49 DEC ECX
00404E98 . 7C 10 JL SHORT PDepot.00404EAA
00404E9A . F0:FF4A F8 LOCK DEC DWORD PTR DS:[EDX-8] ; 锁定前缀
00404E9E . 75 0A JNZ SHORT PDepot.00404EAA
00404EA0 . 50 PUSH EAX
00404EA1 . 8D42 F8 LEA EAX,DWORD PTR DS:[EDX-8]
00404EA4 . E8 C7D9FFFF CALL PDepot.00402870
00404EA9 . 58 POP EAX
00404EAA > C3 RETN
00404EAB 90 NOP
C5走几步就到ntdll领空了。然后走步就弹出错误窗口
不知如何单步,因为内存地址00000000不可读,尝试更改EIP或忽略程序异常
我没有发现明码比较。也不知道爆破
不明白什么意思了。
0073540A . 55 PUSH EBP 我把断点下在这里
0073540B . 68 49557300 PUSH PDepot.00735549
00735410 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00735413 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00735416 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00735419 . E8 AE020000 CALL PDepot.007356CC 要F7跟进,不然跳注册失败(暂把这个CALL称 c1)
0073541E 84C0 TEST AL,AL
00735420 0F84 DB000000 JE PDepot.00735501
00735426 . 33C0 XOR EAX,EAX
00735428 . 55 PUSH EBP
00735429 . 68 E5547300 PUSH PDepot.007354E5
0073542E . 64:FF30 PUSH DWORD PTR FS:[EAX]
00735431 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00735434 . B2 01 MOV DL,1
00735436 . A1 84B34400 MOV EAX,DWORD PTR DS:[44B384]
0073543B . E8 6861D1FF CALL PDepot.0044B5A8
00735440 . 8BD8 MOV EBX,EAX
00735442 . BA 02000080 MOV EDX,80000002
00735447 . 8BC3 MOV EAX,EBX
00735449 . E8 3662D1FF CALL PDepot.0044B684
0073544E . B1 01 MOV CL,1
00735450 . BA 60557300 MOV EDX,PDepot.00735560 ; Software\zy\PDepot
00735455 . 8BC3 MOV EAX,EBX
00735457 . E8 6C63D1FF CALL PDepot.0044B7C8
0073545C . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0073545F . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00735462 . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
00735468 . E8 736CD5FF CALL PDepot.0048C0E0
0073546D . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00735470 . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00735473 . E8 184CCDFF CALL PDepot.0040A090
00735478 . 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0073547B . BA 7C557300 MOV EDX,PDepot.0073557C ; Name
00735480 . 8BC3 MOV EAX,EBX
00735482 . E8 9168D1FF CALL PDepot.0044BD18
00735487 . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0073548A . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0073548D . 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
00735493 . E8 486CD5FF CALL PDepot.0048C0E0
00735498 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0073549B . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0073549E . E8 ED4BCDFF CALL PDepot.0040A090
007354A3 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
007354A6 . BA 8C557300 MOV EDX,PDepot.0073558C ; Pass
007354AB . 8BC3 MOV EAX,EBX
007354AD . E8 6668D1FF CALL PDepot.0044BD18
007354B2 . 8BC3 MOV EAX,EBX
007354B4 . E8 BBEACCFF CALL PDepot.00403F74
007354B9 . 6A 40 PUSH 40
007354BB . 68 94557300 PUSH PDepot.00735594 ; 软件注册
007354C0 . 68 A0557300 PUSH PDepot.007355A0 ; 注册成功,本程序所有功能限制下次启动时将被自动解除,欢迎您成为我们正式版本用户!
007354C5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354C8 . E8 C3D6D5FF CALL PDepot.00492B90
007354CD . 50 PUSH EAX ; |hOwner
007354CE . E8 9931CDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
007354D3 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354D6 . E8 294BD7FF CALL PDepot.004AA004
007354DB . 33C0 XOR EAX,EAX
007354DD . 5A POP EDX
007354DE . 59 POP ECX
007354DF . 59 POP ECX
007354E0 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
007354E3 . EB 36 JMP SHORT PDepot.0073551B
007354E5 .^ E9 6AEFCCFF JMP PDepot.00404454
007354EA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354ED . E8 124BD7FF CALL PDepot.004AA004
007354F2 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
007354F5 . E8 1A010000 CALL PDepot.00735614
007354FA . E8 81F3CCFF CALL PDepot.00404880
007354FF . EB 1A JMP SHORT PDepot.0073551B
00735501 > 6A 40 PUSH 40
00735503 . 68 94557300 PUSH PDepot.00735594 ; 软件注册
00735508 68 F0557300 PUSH PDepot.007355F0 ; 注册失败,请检查您的注册名和注册码!
0073550D . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00735510 . E8 7BD6D5FF CALL PDepot.00492B90
00735515 . 50 PUSH EAX ; |hOwner
00735516 . E8 5131CDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0073551B > 33C0 XOR EAX,EAX
0073551D . 5A POP EDX
0073551E . 59 POP ECX
c1跟进后到这里
007356CC $ 55 PUSH EBP
007356CD |. 8BEC MOV EBP,ESP
007356CF |. B9 04000000 MOV ECX,4
007356D4 |> 6A 00 /PUSH 0 1这里四句我不明白是什么意思
007356D6 |. 6A 00 |PUSH 0 2到了JNZ了又往回跳到007356d4
007356D8 |. 49 |DEC ECX 3形成一个循环跳
007356D9 ^ 75 F9 JNZ SHORT PDepot.007356D4 4暂且我只有把JNZ改JZ让它往下走
007356DB 51 PUSH ECX
007356DC 53 PUSH EBX
007356DD 56 PUSH ESI
007356DE 8BF0 MOV ESI,EAX
007356E0 33C0 XOR EAX,EAX
007356E2 55 PUSH EBP
007356E3 68 E1577300 PUSH PDepot.007357E1
007356E8 64:FF30 PUSH DWORD PTR FS:[EAX]
007356EB 64:8920 MOV DWORD PTR FS:[EAX],ESP
007356EE 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
007356F1 8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
007356F7 E8 E469D5FF CALL PDepot.0048C0E0
007356FC 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 把假注册传送给eax
007356FF 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00735702 E8 8949CDFF CALL PDepot.0040A090
00735707 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 把假注册传送给eax
0073570A 50 PUSH EAX
0073570B 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0073570E 8B86 04030000 MOV EAX,DWORD PTR DS:[ESI+304]
00735714 E8 C769D5FF CALL PDepot.0048C0E0 F7跟进,不然跳走(这里称c2)
00735719 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0073571C 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0073571F E8 6C49CDFF CALL PDepot.0040A090
00735724 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
00735727 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
0073572A 8BC6 MOV EAX,ESI
0073572C E8 FF000000 CALL PDepot.00735830
跟进后来到C2
0048C0E0 /$ 53 PUSH EBX
0048C0E1 |. 56 PUSH ESI
0048C0E2 |. 57 PUSH EDI
0048C0E3 |. 8BFA MOV EDI,EDX
0048C0E5 |. 8BF0 MOV ESI,EAX
0048C0E7 |. 8BC6 MOV EAX,ESI
0048C0E9 |. E8 66FFFFFF CALL PDepot.0048C054
0048C0EE |. 8BD8 MOV EBX,EAX
0048C0F0 |. 8BC7 MOV EAX,EDI
0048C0F2 |. 8BCB MOV ECX,EBX
0048C0F4 |. 33D2 XOR EDX,EDX
0048C0F6 |. E8 7D8EF7FF CALL PDepot.00404F78 跟进,不然跳走(c3)
0048C0FB |. 85DB TEST EBX,EBX
0048C0FD |. 74 0C JE SHORT PDepot.0048C10B
0048C0FF |. 8D4B 01 LEA ECX,DWORD PTR DS:[EBX+1]
0048C102 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0048C104 |. 8BC6 MOV EAX,ESI
0048C106 |. E8 59FFFFFF CALL PDepot.0048C064
0048C10B |> 5F POP EDI
0048C10C |. 5E POP ESI
0048C10D |. 5B POP EBX
0048C10E \. C3 RETN
0048C10F 90 NOP
C3如下
00404F78 /$ 53 PUSH EBX
00404F79 |. 56 PUSH ESI
00404F7A |. 57 PUSH EDI
00404F7B |. 89C3 MOV EBX,EAX
00404F7D |. 89D6 MOV ESI,EDX
00404F7F |. 89CF MOV EDI,ECX
00404F81 |. 89F8 MOV EAX,EDI
00404F83 |. E8 C4FFFFFF CALL PDepot.00404F4C 跟进,不然跳走(c4)
00404F88 |. 89F9 MOV ECX,EDI
00404F8A |. 89C7 MOV EDI,EAX
00404F8C |. 85F6 TEST ESI,ESI
00404F8E |. 74 09 JE SHORT PDepot.00404F99
00404F90 |. 89C2 MOV EDX,EAX
00404F92 |. 89F0 MOV EAX,ESI
00404F94 |. E8 D3DBFFFF CALL PDepot.00402B6C
00404F99 |> 89D8 MOV EAX,EBX
00404F9B |. E8 E8FEFFFF CALL PDepot.00404E88
00404FA0 |. 893B MOV DWORD PTR DS:[EBX],EDI
00404FA2 |. 5F POP EDI
00404FA3 |. 5E POP ESI
00404FA4 |. 5B POP EBX
00404FA5 \. C3 RETN
c4后
00404F4C /$ 85C0 TEST EAX,EAX
00404F4E |. 7E 24 JLE SHORT PDepot.00404F74 跳转未实现
00404F50 |. 50 PUSH EAX
00404F51 |. 83C0 0A ADD EAX,0A
00404F54 |. 83E0 FE AND EAX,FFFFFFFE
00404F57 |. 50 PUSH EAX
00404F58 |. E8 F3D8FFFF CALL PDepot.00402850
00404F5D |. 5A POP EDX
00404F5E |. 66:C74402 FE >MOV WORD PTR DS:[EDX+EAX-2],0
00404F65 |. 83C0 08 ADD EAX,8
00404F68 |. 5A POP EDX
00404F69 |. 8950 FC MOV DWORD PTR DS:[EAX-4],EDX
00404F6C |. C740 F8 01000>MOV DWORD PTR DS:[EAX-8],1
00404F73 |. C3 RETN F8后就自动来到了00404f88
00404F74 |> 31C0 XOR EAX,EAX
00404F76 \. C3 RETN
00404F77 90 NOP
00404F78 /$ 53 PUSH EBX
00404F79 |. 56 PUSH ESI
00404F7A |. 57 PUSH EDI
00404F7B |. 89C3 MOV EBX,EAX
00404F7D |. 89D6 MOV ESI,EDX
00404F7F |. 89CF MOV EDI,ECX
00404F81 |. 89F8 MOV EAX,EDI
00404F83 |. E8 C4FFFFFF CALL PDepot.00404F4C
00404F88 |. 89F9 MOV ECX,EDI 也就是来到了这里
00404F8A |. 89C7 MOV EDI,EAX
00404F8C |. 85F6 TEST ESI,ESI
00404F8E |. 74 09 JE SHORT PDepot.00404F99 跳到0040f99
00404F90 |. 89C2 MOV EDX,EAX
00404F92 |. 89F0 MOV EAX,ESI
00404F94 |. E8 D3DBFFFF CALL PDepot.00402B6C
00404F99 |> 89D8 MOV EAX,EBX
00404F9B |. E8 E8FEFFFF CALL PDepot.00404E88 还跟进吗?跟进后是C5
00404FA0 |. 893B MOV DWORD PTR DS:[EBX],EDI
00404FA2 |. 5F POP EDI
00404FA3 |. 5E POP ESI
00404FA4 |. 5B POP EBX
00404FA5 \. C3 RETN
C5
00404E88 $ 8B10 MOV EDX,DWORD PTR DS:[EAX] ; PDepot.0044890C
00404E8A . 85D2 TEST EDX,EDX
00404E8C . 74 1C JE SHORT PDepot.00404EAA
00404E8E . C700 00000000 MOV DWORD PTR DS:[EAX],0
00404E94 . 8B4A F8 MOV ECX,DWORD PTR DS:[EDX-8]
00404E97 . 49 DEC ECX
00404E98 . 7C 10 JL SHORT PDepot.00404EAA
00404E9A . F0:FF4A F8 LOCK DEC DWORD PTR DS:[EDX-8] ; 锁定前缀
00404E9E . 75 0A JNZ SHORT PDepot.00404EAA
00404EA0 . 50 PUSH EAX
00404EA1 . 8D42 F8 LEA EAX,DWORD PTR DS:[EDX-8]
00404EA4 . E8 C7D9FFFF CALL PDepot.00402870
00404EA9 . 58 POP EAX
00404EAA > C3 RETN
00404EAB 90 NOP
C5走几步就到ntdll领空了。然后走步就弹出错误窗口
不知如何单步,因为内存地址00000000不可读,尝试更改EIP或忽略程序异常
我没有发现明码比较。也不知道爆破
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
