:00401153 5D                      pop ebp <br>
:00401154 C21000                  ret 0010 <br>
================================================================= <br>
The last reference, at 004014EE, is the thunk through which both call sites reach USER32.DialogBoxParamA itself; it does not concern us. <br>
Look at these two pieces of code and you will see "DialogID_0001" and "DialogID_0002" pushed just before DialogBoxParamA. So what arguments does this function take? Consult the Win32 API reference: <br>
int DialogBoxParam( <br>
    HINSTANCE hInstance,      // handle to application instance <br>
    LPCTSTR lpTemplateName,   // identifies dialog box template <br>
    HWND hWndParent,          // handle to owner window <br>
    DLGPROC lpDialogFunc,     // pointer to dialog box procedure <br>
    LPARAM dwInitParam        // initialization value <br>
); <br>
<br>
OK. So five arguments are pushed before the call. Since stdcall arguments go onto the stack right to left, the last push before the call is hInstance and the one before it is the dialog template ID, which is exactly where W32Dasm's "Possible Reference to Dialog" comments appear. <br>
<br>
Now, which code uses "DialogID_0001" and which uses "DialogID_0002"? Let's go to the top of the listing: <br>
<br>
+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++ <br>
<br>
Number of Dialogs = 2 (decimal) <br>
<br>
Name: DialogID_0001, # of Controls=009, Caption:"Crackme 2a - n0p3x", ClassName:"" <br>
001 - ControlID:0002, Control Class:"BUTTON" Control Text:"E&xit" <br>
002 - ControlID:0009, Control Class:"BUTTON" Control Text:"A&bout" <br>
003 - ControlID:0065, Control Class:"EDIT"   Control Text:"Nag Removal The previous programs have" <br>
004 - ControlID:0066, Control Class:"BUTTON" Control Text:"-=n0p3x=-" <br>
005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Coded By n0p3x. 10th May 1999." <br>
006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"EMAIL: adminno1@yahoo.com" <br>
007 - ControlID:FFFF, Control Class:"STATIC" Control Text:"WEB: http://cod3r.cjb.net" <br>
008 - ControlID:FFFF, Control Class:"STATIC" Control Text:"If you suceed in killing this nag screen and write a tutorial on it then email" <br>
009 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Frame2" <br>
<br>
Name: DialogID_0002, # of Controls=004, Caption:"The deadly NAG!", ClassName:"" <br>
001 - ControlID:FFFF, Control Class:"STATIC" Control Text:"This is a demonstration version of this program." <br>
002 - ControlID:0065, Control Class:"BUTTON" Control Text:"Uhh, youv'e made me feel guilty now. Heres all my money." <br>
003 - ControlID:0066, Control Class:"BUTTON" Control Text:"Take the program for a test drive before paying." <br>
004 - ControlID:FFFF, Control Class:"STATIC" Control Text:"SOFTWARE PIRACY IS ILLEGAL" <br>
================================================================= <br>
Now, if you run the program, you will see that the nag's title is "The deadly NAG!". So the nag is DialogID_0002 and the main program uses 0001. <br>
<br>
Remember "USER32.EndDialog" among the imports? It closes the dialog whose window handle it is given (its arguments are hDlg and a result code). W32Dasm flags the push 00000002 in front of it as a possible reference to DialogID_0002, and here that does lead us to the code that ends the nag. OK, let's crack it: <br>
<br>
<br>
USER32.DialogBoxParamA at 004010AF <br>
================================================================= <br>
* Possible Reference to Dialog: DialogID_0002   << the nag's ID <br>
| <br>
:00401098 6A02                    push 00000002 <br>
:0040109A FF7508                  push [ebp+08] <br>
<br>
* Reference To: USER32.EndDialog, Ord:0000h <br>
| <br>
:0040109D E858040000              Call 004014FA        << closes the nag!! <br>
:004010A2 6A00                    push 00000000        << the main dialog is brought up from here (dwInitParam) <br>
:004010A4 68DF104000              push 004010DF        << lpDialogFunc: the main dialog's procedure <br>
:004010A9 6A00                    push 00000000        << hWndParent <br>
<br>
* Possible Reference to Dialog: DialogID_0001   << the main dialog's ID <br>
| <br>
:004010AB 6A01                    push 00000001        << lpTemplateName <br>
:004010AD 6A00                    push 00000000        << hInstance <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h   << shows the main dialog <br>
| <br>
:004010AF E83A040000              Call 004014EE <br>
<br>
* Possible Reference to Dialog: DialogID_0001 <br>
| <br>
:004010B4 B801000000              mov eax, 00000001 <br>
:004010B9 EB20                    jmp 004010DB <br>
================================================================= <br>
<br>
USER32.DialogBoxParamA at 0040114C <br>
================================================================= <br>
:0040113B 55                      push ebp <br>
:0040113C 8BEC                    mov ebp, esp <br>
:0040113E 6A00                    push 00000000        << the nag is set up from here (dwInitParam) <br>
:00401140 687C104000              push 0040107C        << lpDialogFunc: the nag's dialog procedure <br>
:00401145 6A00                    push 00000000        << hWndParent <br>
<br>
* Possible Reference to Dialog: DialogID_0002   << the nag's ID <br>
| <br>
:00401147 6A02                    push 00000002        << lpTemplateName <br>
:00401149 FF7508                  push [ebp+08]        << hInstance, this function's first argument <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h   << shows the nag!! <br>
| <br>
:0040114C E89D030000              Call 004014EE <br>
:00401151 33C0                    xor eax, eax <br>
:00401153 5D                      pop ebp <br>
:00401154 C21000                  ret 0010 <br>
================================================================= <br>
<br>
If you simply NOP out the six instructions from 0040113E to 0040114C you get an error and the program crashes. <br>
So how should this be patched? <br>
OK, we jump directly from 0040113E to 004010A2. Why 004010A2? <br>
Because the code from 00401098 to 0040109D is the end of the nag: it calls EndDialog on the nag's window handle. If we never let the nag run there is nothing to end, so that End-Nag code must be skipped too. Note also that at 0040113E the value at [ebp+08] is this function's hInstance, not a dialog handle, so running the EndDialog sequence from here would hand it a bogus window. <br>
Now we need to find the machine code for a patch that sends the program straight to the main dialog without showing the nag or executing End-Nag. <br>
You can do this with SoftICE; W32Dasm will do just as well: <br>
1) Under "Debug", choose "Load Process" <br>
2) Click "Load" <br>
3) Three windows appear; don't panic. 8P <br>
4) Go to the right-hand window (the one showing "Code Address ...") <br>
5) Click "Goto Address" <br>
6) Enter the address 0040113E (remember, this is where we jump away from) <br>
7) You land there, on the PUSH... <br>
8) Click "Patch Code" <br>
9) On the "Enter New Instruction Below" line type jmp 004010A2 (without the quotes). (Remember, this is where we jump to.) <br>
10) Press Enter. You will see jmp 004010A2... <br>
11) The machine code is E95FFFFFFF <br>
12) Now click "Clear Patch", answer "Yes", then click "Close" <br>
13) Back in the right-hand window click "Terminate", since we are done. <br>
<br>
Return to the main window and go to 0040113E. At the very bottom of W32Dasm you will see: <br>
Line:298 Pg 4 of 12 Code Data @:0040113E @Offset 0000073Eh in File:crackme2a.exe <br>
<br>
That gives the file offset: 0000073E <br>
Now make a copy of the crackme and open it in a hex editor (W32Dasm cannot write to the file). Go to offset 0000073E and you will see the bytes: <br>
6A 00 68 7C 10 (the machine code) <br>
** Compare with W32Dasm (they match). <br>
<br>
Change them to E9 5F FF FF FF and save. <br>
The crack is done. <br>
<br>
Why E9 5F FF FF FF: E9 is a near jmp with a 32-bit displacement measured from the end of the five-byte instruction, so the displacement is 004010A2 - (0040113E + 5) = -0A1h = FFFFFF5Fh, stored little-endian. Two things are worth checking before trusting a jump like this into another function: that the five bytes at the offset really are the ones the disassembly shows (otherwise you are patching a different build or the wrong offset), and that the code reached after 004010A2 returns through an epilogue that cleans the stack the same way as the ret 0010 at 00401154, because the jump abandons the frame set up at 0040113B without running its own epilogue. <br>
Summary: the author did not really need to go to this trouble to work out the machine code; in Hiew you can type the assembly directly. But it is a good way to get to know W32Dasm's debugging features. <br>
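The patch described above, done with a script instead of by hand. This is an added example, not code from the original tutorial: it encodes the E9 jump from 0040113E to 004010A2 and confirms it comes out as E9 5F FF FF FF, maps the virtual address to a file offset by reading the PE section table rather than copying it from W32Dasm's status line, decodes the E8 calls on this page back to their targets, and writes the patch only if the bytes on disk are the ones the disassembly showed. The PE image it operates on is a constructed stand-in for crackme2a.exe; its section layout (.text at VA 1000h, raw data at 600h) and the image base 00400000h are assumptions chosen to reproduce the 0040113E -> 0000073Eh mapping shown above. <br>

```python
"""Added worked example: the crackme2a nag patch from the tutorial, scripted.
Not part of the original page; the PE image is a constructed stand-in."""
import struct

IMAGE_BASE = 0x00400000        # assumption: default Win32 EXE image base
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def rel32(opcode: bytes, src: int, dst: int) -> bytes:
    """Encode a near call (E8) or jmp (E9) located at src that lands on dst.
    The displacement is relative to the *next* instruction (src + 5) and is
    stored as a little-endian signed 32-bit value."""
    if opcode not in (b"\xE8", b"\xE9"):
        raise ValueError("only E8/E9 rel32 forms are handled")
    return opcode + struct.pack("<i", dst - (src + 5))


def rel32_target(src: int, insn: bytes) -> int:
    """Inverse of rel32: where does the E8/E9 at src go?"""
    if len(insn) != 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a 5-byte E8/E9 instruction")
    return (src + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF


def parse_pe(img: bytes):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from a
    PE32 file image; only the fields needed for VA -> offset mapping are read."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", img, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image_base: int, sections, va: int) -> int:
    """Map a virtual address to the offset of the same byte in the file on disk."""
    rva = va - image_base
    for _name, sec_va, _vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + raw_size:   # only file-backed bytes can be patched
            return raw_ptr + (rva - sec_va)
    raise ValueError(f"VA {va:08X} is not backed by any section's raw data")


def patch(img: bytearray, offset: int, expect: bytes, new: bytes) -> bytearray:
    """Overwrite bytes at offset, but only if they still match what the
    disassembly showed; a mismatch means a wrong offset or a different build."""
    found = bytes(img[offset:offset + len(expect)])
    if found != expect:
        raise ValueError(f"expected {expect.hex()} at {offset:X}, found {found.hex()}")
    if len(new) > len(expect):
        raise ValueError("replacement would overrun the verified bytes")
    img[offset:offset + len(new)] = new
    return img


def build_demo_image() -> bytearray:
    """Constructed stand-in for crackme2a.exe: headers plus one .text section.
    Only the bytes at the patch site are real (the ones quoted in the tutorial)."""
    text_va, text_raw_ptr, text_raw_size = 0x1000, 0x600, 0x400   # assumed layout
    img = bytearray(text_raw_ptr + text_raw_size)
    img[:2] = b"MZ"
    e_lfanew, opt_size = 0x80, 0xE0
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)       # ImageBase
    struct.pack_into(SECTION_FMT, img, opt + opt_size, b".text", text_raw_size, text_va,
                     text_raw_size, text_raw_ptr, 0, 0, 0, 0, 0x60000020)
    # push 0 / push 0040107C / push 0 as found at 0040113E, i.e. file offset 73Eh
    sections = [(".text", text_va, text_raw_size, text_raw_ptr, text_raw_size)]
    site = va_to_file_offset(IMAGE_BASE, sections, 0x0040113E)
    img[site:site + 9] = bytes.fromhex("6A00687C1040006A00")
    return img


def patch_crackme2a(img: bytearray) -> bytearray:
    """Apply the tutorial's patch: jmp 004010A2 over the nag's DialogBoxParamA setup."""
    src, dst = 0x0040113E, 0x004010A2
    image_base, sections = parse_pe(img)
    offset = va_to_file_offset(image_base, sections, src)
    return patch(img, offset, bytes.fromhex("6A00687C10"), rel32(b"\xE9", src, dst))


if __name__ == "__main__":
    image = patch_crackme2a(build_demo_image())
    print(image[0x73E:0x743].hex(" ").upper())   # E9 5F FF FF FF
```

To use it on the real file, replace build_demo_image() with bytearray(open("crackme2a.exe", "rb").read()) and write the returned buffer back out to a copy; the expected-bytes check in patch() is what protects you if the offset or the build is not the one the tutorial was written against. The same rel32_target() decoder also recovers the targets of the E8 calls in the listings above (for example E858040000 at 0040109D is the call to 004014FA). <br>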
</table>
</div>
<div id="KB5Parent" class="parent" align="left"> <a href="#" onClick="expandIt('KB5'); return false" class="p9">
5. Answer to Exercise 5</a> </div>
<div id="KB5Child" class="child" align="left">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="28">
<p class="p9"><br>
Load the target cm_id11.exe in TRW. <br>
Press F10 until: <br>
00447D90 CALL 0043EA00 <br>
The nag pops up. <br>
Try NOPing this instruction out; it fails with an error. <br>
So press F8 to step into this CALL: <br>
0043EA00 PUSH EBP <br>
... ... <br>
... ... <br>
Press F10 until: <br>
0043EA31 CALL [EDI+2C] <br>
The nag pops up. <br>
Try NOPing this instruction out; again it errors. <br>
So press F8 to step into this CALL. <br>
Press F10 until: <br>
00437E8B             CMP BYTE PTR [EBP-05], 00 <br>
00437E8F 740F        JE 00437EA0 <br>
00437E91 E876B1FCFF  CALL 0040300C   ---- the nag pops up <br>
<br>
Trying to modify the instruction at 00437E8F errors. <br>
Then try NOPing out the CALL at 00437E91, i.e. change the machine code E876B1FCFF to 9090909090: success! <br>
<br>
ZXEM 2000.3.26
</table>
</div>
<div id="KB6Parent" class="parent" align="left"> <a href="#" onClick="expandIt('KB6'); return false">
</a></div>
<div align="left">
<script language='JavaScript'>
if (NS4) {
firstEl = "KB1Parent";
firstInd = getIndex(firstEl);
arrange();
}
</script>
</div>
<hr width=735>
<div align="center"><span class="p9"><font size="2"><span class="p9"><font size="2"><span class="p9">Copyright
© 2000-2001 <a href="http://www.pediy.com/">KanXue Studio</a> All Rights
Reserved.</span></font></span></font></span></div>
</body>
</html>