:0040100C 6A30 PUSH 30 <-- these four PUSHes <br>
:0040100E 6879204000 PUSH 00402079 <-- pass the arguments to <br>
:00401013 688D204000 PUSH 0040208D <-- the MessageBoxA function below <br>
:00401018 FF3548204000 PUSH DWORD PTR [00402048] <-- <br>
:0040101E E8DA010000 CALL USER32!MessageBoxA ------ produces the NAG window <br>
:00401023 C7050020400003400000 MOV DWORD PTR [00402000],00004003 <br>
:0040102D C705042040003D114000 MOV DWORD PTR [00402004],0040113D <br>
:00401037 C7050820400000000000 MOV DWORD PTR [00402008],00000000 <br>
:00401041 C7050C20400000000000 MOV DWORD PTR [0040200C],00000000 <br>
:0040104B A144204000 MOV EAX,[00402044] <br>
:00401050 A310204000 MOV [00402010],EAX <br>
<br>
Looking upward, there is no code that skips the call at :0040101E either. What is a good way to skip this call? <br>
<font color="#3333FF">Method 1: </font><br>
This is the method I recommend: add a jump instruction at 0040100C that bypasses this call. <br>
That is, change it to: jmp 00401023 <br>
In SOFTICE, on the line at :0040100C, use the A command and change it to jmp 00401023; note how the machine code changes. <br>
The resulting machine code is: EB 15 (15 is the value of 401023-40100E) <br>
<font color="#0000FF">Method 2:</font> <br>
Looking upward there is no code that skips the call at :0040101E, so we simply NOP it out (NOP means No Operation); the instruction performs no operation and its machine code occupies one byte.
<br>
So after changing E8DA010000 to 9090909090, the NAG will no longer appear. (The machine code of the nop instruction is 90.)
</table>
</div>
<div id="KB3Parent" class="parent" align="left"> <span class="p9"><a href="#" onClick="expandIt('KB3'); return false">
3. Exercise 3: answer</a> </span></div>
<div id="KB3Child" class="child" align="left">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="1534">
<p class="p9"><span class="p9">This program displays its NAG in another way, not with MessageBox.<br>
Let's run the program first. The initial NAG window has two buttons: pressing the first gives a small message window (Don't be lame ... blah blah blah), and the second takes you into the program.<br>
Think about how we might remove the nag. The first thing is to look at it in W32Dasm...<br>
After loading the program, click W32Dasm's String Data References, which lists the relevant strings; double-click [Don't be
lame ...] and you will arrive at:</span>
<p><span class="p9">* Referenced by a (U)nconditional or (C)onditional
Jump at Address:<br>
|:0040105F(C)<br>
|<br>
:0040109E 6840100000 push 00001040</span></p>
<p><span class="p9">* Possible StringData Ref from Data Obj ->"NO!"<br>
| <br>
:004010A3 6808204000 push 00402008</span></p>
<p><span class="p9">* Possible StringData Ref from Data Obj ->"Don't
be lame, crack the program." <br>
| <br>
:004010A8 680C204000 push 0040200C <br>
:004010AD FF3500204000 push dword ptr [00402000]</span></p>
<p><span class="p9">* Reference To: USER32.MessageBoxA, Ord:0000h<br>
|<br>
:004010B3 E89B000000 Call 00401153 <br>
:004010B8 C9 leave <br>
:004010B9 C21000 ret 0010</span></p>
<p><span class="p9">The first line, * Referenced by..., tells you that this message box call comes from [0040105F] (the lowercase c means a conditional jump).<br>
So we use the Goto Code Location command (shift+F12) to jump to 0040105F, arriving at:</span></p>
<p><span class="p9">* Referenced by a (U)nconditional or (C)onditional
Jump at Address:<br>
|:00401032(C)<br>
|<br>
:0040105B 837D1001 cmp dword ptr [ebp+10], 00000001<br>
:0040105F 743D je 0040109E<br>
:00401061 837D1002 cmp dword ptr [ebp+10], 00000002<br>
:00401065 7404 je 0040106B<br>
:00401067 C9 leave<br>
:00401068 C21000 ret 0010</span></p>
<p><span class="p9">This is where the program checks which button you pressed. If you press the first button, the test at 0040105B jumps out to the dialog "Don't
be lame.."; if you press the second, it is tested at :00401061, ....</span></p>
<p><span class="p9">What we need now is that whichever button you press, first or second, it takes us into the program; doing it this way keeps us from changing other things and making the program fail. We change
[je 0040109E] to [je 0040106B]<br>
Now we make the change in HVIEW:<br>
Open the program and press F4 to choose the mode (there are three); choose DECODE first, which disassembles the program. Press F7 to search for the machine code 837D1001 and you arrive at:</span></p>
<p><span class="p9">0000065B: 837D1001 cmp d,[ebp][00010],001 ;""
<br>
0000065F: 743D je 00000069E <br>
00000661: 837D1002 cmp d,[ebp][00010],002 ;"" <br>
00000665: 7404 je 00000066B </span></p>
<p><span class="p9">Note that the addresses shown in HVIEW differ from those we saw in W32DASM: HVIEW shows the file offset, whereas the addresses shown in W32DASM and SOFTICE are identical and are memory addresses (memory offsets), also called virtual addresses. There are several ways to convert between them:<br>
<font color="#3333FF">First,</font> use the method I just used: search for the machine code to find the location.<br>
<font color="#3333FF">Second,</font> use one of the tool programs made for this purpose; the second link site under tool downloads on the homepage has such tools.<br>
<font color="#3333FF">Third,</font> this method is simpler: in W32DASM place the cursor on the line you need and look at the very bottom of W32Dasm, where you will see something like:<br>
</span><span class="p9">Line:298 Pg 4 of 12 Code Data @:0040113E @Offset
0000073Eh in File:????.exe <br>
Here Offset 0000073Eh is the position in HVIEW.<br>
</span><span class="p9"><br>
We press F3 to enter edit mode, press TAB or Enter, change [je 00000069E] to [je 00000066B], and press F9 to save. Of course, W32DASM must not have this file open at the time, otherwise it cannot be saved.<br>
OK, step one is done.<br>
Now, where is the previous code segment called from? From 00401032(C), so we jump there:</span></p>
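<p class="p9">The address translation described in the third method above (and the EB 15 arithmetic from Method 1 of the previous exercise), as an added Python example that is not part of the original tutorial. The image base and section table it uses are constructed to agree with the offsets quoted on this page (0040105B is 65Bh in the file, 0040113E is 73Eh); a real tool would read them from the PE header of the file being examined.</p>

```python
# Added example (not from the original tutorial): map the virtual addresses that
# W32Dasm/SoftICE display to the file offsets Hiew displays, using a PE section
# table. The table below is constructed to match the numbers quoted on this page.
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x400000  # default image base of a 32-bit Windows EXE (assumption)

@dataclass
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int
    raw_pointer: int       # PointerToRawData: where the section's bytes sit in the file
    raw_size: int          # SizeOfRawData

# Constructed section table consistent with 0040105B -> 65Bh and 0040113E -> 73Eh.
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x600, 0x600, 0x600),
    Section(".data", 0x2000, 0x200, 0xC00, 0x200),
]

def va_to_file_offset(va: int, sections: List[Section], image_base: int = IMAGE_BASE) -> Optional[int]:
    """Virtual address -> file offset; None if the address is not backed by file data."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:      # inside the section but past its raw bytes (bss-like)
                return None
            return s.raw_pointer + delta
    return None

def file_offset_to_va(offset: int, sections: List[Section], image_base: int = IMAGE_BASE) -> Optional[int]:
    """Inverse mapping: from a Hiew file offset back to a W32Dasm/SoftICE address."""
    for s in sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return image_base + s.virtual_address + (offset - s.raw_pointer)
    return None

def short_jmp_displacement(insn_va: int, target_va: int) -> Optional[int]:
    """rel8 byte of a 2-byte short jump located at insn_va; None if out of range.
    Checks the page's arithmetic: 0x401023 - (0x40100C + 2) = 0x15, hence EB 15."""
    disp = target_va - (insn_va + 2)   # displacement is relative to the end of the jump
    if -128 <= disp <= 127:
        return disp & 0xFF
    return None
```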
<p><span class="p9">* Reference To: USER32.DialogBoxParamA, Ord:0000h<br>
|<br>
:0040101D E82B010000 Call 0040114D<br>
:00401022 E911010000 jmp 00401138<br>
:00401027 C8000000 enter 0000, 00<br>
:0040102B 817D0C11010000 cmp dword ptr [ebp+0C], 00000111<br>
:00401032 7427 je 0040105B<br>
:00401034 817D0C10010000 cmp dword ptr [ebp+0C], 00000110<br>
:0040103B 7410 je 0040104D<br>
:0040103D 837D0C10 cmp dword ptr [ebp+0C], 00000010<br>
:00401041 0F84F1000000 je 00401138<br>
:00401047 33C0 xor eax, eax<br>
:00401049 C9 leave<br>
:0040104A C21000 ret 0010</span></p>
<p><span class="p9"><br>
Look at [00401032], another conditional instruction (one that checks which button you pressed). You don't need to understand how it compares; we just make it jump directly to 0040105B instead of looping there waiting for you to press a key. So we simply change the JE at
00401032 to JNE, and the program should be cracked!<br>
Let's run the program and see. Oh no! A warning window pops up!! ERROR... saying the program has been modified! So this program has a CRC check (if it detects that you modified the program, it stops running). Fine, let's kill that too.<br>
In W32Dasm's String Data References, look for the 'ERROR' message and double-click it to arrive at:</span></p>
<p><span class="p9">* Referenced by a (U)nconditional or (C)onditional
Jump at Address:<br>
|:004010E8(C)<br>
|<br>
:004010EE 6840100000 push 00001040</span></p>
<p><span class="p9">* Possible StringData Ref from Data Obj ->"ERROR"<br>
|<br>
:004010F3 68BD204000 push 004020BD</span></p>
<p><span class="p9">* Possible StringData Ref from Data Obj ->"ERROR:
Program has detected tampering. "<br>
->"Execution terminated"<br>
|<br>
:004010F8 6881204000 push 00402081<br>
:004010FD FF3500204000 push dword ptr [00402000]</span></p>
<p><span class="p9"><br>
The above is called from [004010E8]; let's go there:</span></p>
<p><span class="p9">* Referenced by a (U)nconditional or (C)onditional
Jump at Address:<br>
|:004010D0(C)<br>
|<br>
:004010DE 813D04204000697A0000 cmp dword ptr [00402004], 00007A69<br>
:004010E8 7504 jne 004010EE<br>
:004010EA C9 leave<br>
:004010EB C21000 ret 0010</span></p>
<p><span class="p9">Good, we need not find out where this code segment itself is referenced from; this is enough. This code checks whether the program has been modified and gives the error message if it has. We NOP out the JNE at :004010E8 or change it to JE.<br>
OK, run again. YES... success!<br>
Summary: this exercise is mainly about learning how to use W32DASM to statically disassemble and debug a program, and how to use HVIEW.</span> </p>
</table>
</div>
<div id="KB4Parent" class="parent" align="left"> <a href="#" onClick="expandIt('KB4'); return false" class="p9">
4. Exercise 4: answer </a> </div>
<div id="KB4Child" class="child" align="left">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="28">
<p class="p9">Author: Etenal Bliss <br>
Load the program with W32Dasm and choose Functions → Imports from the menu. In the window that pops up you will see several "cw3220.__XXX" functions; these come from cw3220.dll, which the program calls. There are also these:
<br>
USER32.DialogboxParamA <br>
USER32.EndDialog <br>
USER32.MessageBoxA <br>
USER32.DialogboxParamA <br>
USER32.EndDialog <br>
Of these, MessageBoxA is certainly not used for the NAG (the author says so in the program itself). <br>
So most likely the DialogBoxParamA function produces the NAG and EndDialog ends it. <br>
Double-click USER32.DialogBoxParamA to see where the code calls this function; double-click it several times and you will see that several places reference it: <br>
004010AF, 0040114C, 004014EE <br>
<br>
The details are as follows... <br>
<br>
USER32.DialogBoxParamA at 004010AF <br>
================================================================= <br>
* Possible Reference to Dialog: DialogID_0002 <br>
| <br>
:00401098 6A02 push 00000002 <br>
:0040109A FF7508 push [ebp+08] <br>
<br>
* Reference To: USER32.EndDialog, Ord:0000h <br>
| <br>
:0040109D E858040000 Call 004014FA <br>
:004010A2 6A00 push 00000000 <br>
:004010A4 68DF104000 push 004010DF <br>
:004010A9 6A00 push 00000000 <br>
<br>
* Possible Reference to Dialog: DialogID_0001 <br>
| <br>
:004010AB 6A01 push 00000001 <br>
:004010AD 6A00 push 00000000 <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h <br>
| <br>
:004010AF E83A040000 Call 004014EE <br>
<br>
* Possible Reference to Dialog: DialogID_0001 <br>
| <br>
:004010B4 B801000000 mov eax, 00000001 <br>
:004010B9 EB20 jmp 004010DB <br>
================================================================= <br>
<br>
USER32.DialogBoxParamA at 0040114C <br>
================================================================= <br>
:0040113B 55 push ebp <br>
:0040113C 8BEC mov ebp, esp <br>
:0040113E 6A00 push 00000000 <br>
:00401140 687C104000 push 0040107C <br>
:00401145 6A00 push 00000000 <br>
<br>
* Possible Reference to Dialog: DialogID_0002 <br>
| <br>
:00401147 6A02 push 00000002 <br>
:00401149 FF7508 push [ebp+08] <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h <br>
| <br>
:0040114C E89D030000 Call 004014EE <br>
:00401151 33C0 xor eax, eax <br>
:00401153 5D