program is run from harddisk

015F:004011E6 56               PUSH ESI
015F:004011E7 E820070000       CALL KERNEL32!FreeLibrary        ; free the kernel :) he didnt do it..
015F:004011EC 682C010000       PUSH 0000012C                    ; size of buffer to store windows directory
015F:004011F1 8D85BCFAFFFF     LEA EAX,[EBP+FFFFFABC]
015F:004011F7 50               PUSH EAX                         ; pointer to buffer
015F:004011F8 E8EB060000       CALL KERNEL32!GetWindowsDirectoryA
015F:004011FD 6880000000       PUSH 00000080                    ; size of buffer for modulefilename
015F:00401202 8D95E8FBFFFF     LEA EDX,[EBP+FFFFFBE8]
015F:00401208 52               PUSH EDX                         ; pointer to buffer
015F:00401209 FF35B0254000     PUSH DWORD PTR [004025B0]        ; 00400000, this module...
015F:0040120F E8DA060000       CALL KERNEL32!GetModuleFileNameA
015F:00401214 8A8DBCFAFFFF     MOV CL,[EBP+FFFFFABC]            ; [c:\windows] ;WindowsDirectoryA
015F:0040121A 3A8DE8FBFFFF     CMP CL,[EBP+FFFFFBE8]            ; [c:\checkcd1\checkcd.exe] ;ModuleFileNameA
015F:00401220 7518             JNZ 0040123A                     ; check the drive letters...jump if not equal

yah, all the above code does is get the windows path/directory, get its own path/directory, and compare the drive letters, so it can't be run from the same drive that windows is installed on. it also gets the drivetype of the current drive, and stores this in EDI...

015F:00401220 7518             JNZ 0040123A                     ; has to be taken, so change it to a JMP
eb18

on with the reversing...

015F:00401222 6A00             PUSH 00
015F:00401224 6A00             PUSH 00
015F:00401226 8D45B0           LEA EAX,[EBP-50]
015F:00401229 50               PUSH EAX                         ; pointer to wide char 'HeHe! Try again'
015F:0040122A 53               PUSH EBX
015F:0040122B E81C020000       CALL 0040144C                    ; convert wide char, display messagebox
015F:00401230 83C410           ADD ESP,10
015F:00401233 33C0             XOR EAX,EAX
015F:00401235 E909020000       JMP 00401443                     ; jump to exit (failed cd-check)

015F:0040123A 83EF05           SUB EDI,05                       ; where we end up if we take the first good-check jump
015F:0040123D 0F8596010000     JNZ 004013D9                     ; 05=cd-rom, 05-05=0, so edi must be 0 to carry on.
015F:00401243 8D9574FCFFFF     LEA EDX,[EBP-038C]               ; total number of clusters
015F:00401249 52               PUSH EDX                         ; pointers
015F:0040124A 8D8D78FCFFFF     LEA ECX,[EBP-0388]               ; how many free clusters
015F:00401250 51               PUSH ECX                         ; to
015F:00401251 8D857CFCFFFF     LEA EAX,[EBP-0384]               ; bytes per sector
015F:00401257 50               PUSH EAX                         ; various
015F:00401258 8D9580FCFFFF     LEA EDX,[EBP-0380]               ; sectors per cluster
015F:0040125E 52               PUSH EDX                         ; buffers
015F:0040125F 6A00             PUSH 00                          ; pRootPathName, null = current drive
015F:00401261 E8BE060000       CALL KERNEL32!GetDiskFreeSpaceA
015F:00401266 83BD78FCFFFF00   CMP DWORD PTR [EBP-0388],00      ; compare the amount of free clusters with '0'
015F:0040126D 7418             JZ 00401287                      ; again, if it was run from CD, the freespace is always '0'

okay, still simple enough: it subtracts 5 from the drivetype returned for this drive, and if that's not equal, i.e. not zero, it jumps to the 'hehe try again' messagebox. if it passed this part, it checks for free space, and there should be none on a CD, so ...

015F:0040123D 0F8596010000     JNZ 004013D9                     ; this jump has to be killed to carry on with the check
0f8500000000

015F:0040126D 7418             JZ 00401287                      ; this jump has to be taken to carry on...
eb18

on with the reversing...

015F:0040126F 6A00             PUSH 00
015F:00401271 6A00             PUSH 00
015F:00401273 8D4DB0           LEA ECX,[EBP-50]                 ; de-ja-vu
015F:00401276 51               PUSH ECX                         ; pointer to wide char 'HeHe! Try again'
015F:00401277 53               PUSH EBX
015F:00401278 E8CF010000       CALL 0040144C                    ; our message box friend again
015F:0040127D 83C410           ADD ESP,10
015F:00401280 33C0             XOR EAX,EAX
015F:00401282 E9BC010000       JMP 00401443                     ; jump to exit (failed cd-check)

015F:00401287 6880000000       PUSH 00000080
015F:0040128C 8D95BCF9FFFF     LEA EDX,[EBP+FFFFF9BC]
015F:00401292 52               PUSH EDX
015F:00401293 8D8D68FCFFFF     LEA ECX,[EBP-0398]
015F:00401299 51               PUSH ECX
015F:0040129A 8D856CFCFFFF     LEA EAX,[EBP-0394]
015F:004012A0 50               PUSH EAX
015F:004012A1 8D9570FCFFFF     LEA EDX,[EBP-0390]
015F:004012A7 52               PUSH EDX
015F:004012A8 6880000000       PUSH 00000080
015F:004012AD 8D8D3CFAFFFF     LEA ECX,[EBP+FFFFFA3C]
015F:004012B3 51               PUSH ECX
015F:004012B4 6A00             PUSH 00
015F:004012B6 E839060000       CALL KERNEL32!GetVolumeInformationA
015F:004012BB 81BD70FCFFFF21787573 CMP DWORD PTR [EBP-0390],73757821 ; compare read label with 'sux!'
015F:004012C5 0F85F9000000     JNZ 004013C4                     ; jump if not equal to failed check...
015F:004012CB F68568FCFFFF10   TEST BYTE PTR [EBP-0398],10      ; i dont know, but it has to be equal :)
015F:004012D2 7418             JZ 004012EC                      ; jump past horrid message if above test is true
015F:004012D4 6A00             PUSH 00
015F:004012D6 6A00             PUSH 00
015F:004012D8 8D45B0           LEA EAX,[EBP-50]                 ; de-ja-vu again
015F:004012DB 50               PUSH EAX                         ; see the pattern, ebp-50, call 40144c?
015F:004012DC 53               PUSH EBX
015F:004012DD E86A010000       CALL 0040144C
015F:004012E2 83C410           ADD ESP,10
015F:004012E5 33C0             XOR EAX,EAX
015F:004012E7 E957010000       JMP 00401443

015F:004012EC F68569FCFFFF80   TEST BYTE PTR [EBP-0397],80      ; i dont know, but it has to be equal :)
015F:004012F3 7418             JZ 0040130D                      ; jump past horrid message if above test is true
015F:004012F5 6A00             PUSH 00
015F:004012F7 6A00             PUSH 00
015F:004012F9 8D55B0           LEA EDX,[EBP-50]                 ; we know this is the bad cracker bit
015F:004012FC 52               PUSH EDX                         ; so we take the above jump...
015F:004012FD 53               PUSH EBX
015F:004012FE E849010000       CALL
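To see the whole protection as one decision chain, here is an added C model of the check sequence the listings above walk through (drive letter, drivetype 5, zero free clusters, the 73757821 compare, the two TEST bits). It is not the program's code and does not call Win32: the values GetWindowsDirectoryA, GetModuleFileNameA, GetDriveType, GetDiskFreeSpaceA and GetVolumeInformationA would write are passed in as constructed inputs. One reading assumption of mine: going by the push order, [EBP-0390] sits in the lpVolumeSerialNumber slot and [EBP-0398] in the lpFileSystemFlags slot of GetVolumeInformationA, so the model calls them serial and flags.

```c
#include <stdint.h>
#include <string.h>
#define DRIVE_CDROM      5u            /* Win32 value the SUB EDI,05 assumes */
#define EXPECTED_SERIAL  0x73757821u   /* CMP DWORD PTR [EBP-0390],73757821 */
#define FLAGS_BYTE0_MASK 0x10u         /* TEST BYTE PTR [EBP-0398],10 */
#define FLAGS_BYTE1_MASK 0x80u         /* TEST BYTE PTR [EBP-0397],80 */

/* First failing stage, in listing order; CD_OK means the check fell through to the real program. */
enum cd_check_result { CD_OK = 0, CD_SAME_DRIVE, CD_NOT_CDROM, CD_HAS_FREE_SPACE, CD_BAD_SERIAL, CD_FLAGS_SET };
/* Constructed stand-in for what the Win32 calls would write into the stack buffers (no real API here). */
struct volume_probe {
    char     windows_dir[0x12C]; /* GetWindowsDirectoryA buffer, size 12C as pushed */
    char     module_path[0x80];  /* GetModuleFileNameA buffer, size 80 as pushed */
    unsigned drive_type;         /* the GetDriveType result the listing keeps in EDI */
    uint32_t free_clusters;      /* [EBP-0388], from GetDiskFreeSpaceA */
    uint32_t volume_serial;      /* [EBP-0390], GetVolumeInformationA 4th argument slot (assumption) */
    uint32_t fs_flags;           /* [EBP-0398], GetVolumeInformationA 6th argument slot (assumption) */
};

struct volume_probe make_probe(const char *windir, const char *modpath, unsigned drive_type,
                               uint32_t free_clusters, uint32_t serial, uint32_t flags)
{
    struct volume_probe p = {0};
    strncpy(p.windows_dir, windir, sizeof p.windows_dir - 1);
    strncpy(p.module_path, modpath, sizeof p.module_path - 1);
    p.drive_type = drive_type; p.free_clusters = free_clusters;
    p.volume_serial = serial;  p.fs_flags = flags;
    return p;
}

enum cd_check_result cd_check(struct volume_probe p)
{
    if (p.windows_dir[0] == p.module_path[0])          return CD_SAME_DRIVE;     /* MOV CL / CMP CL / JNZ 0040123A */
    if (p.drive_type - DRIVE_CDROM != 0)               return CD_NOT_CDROM;      /* SUB EDI,05 / JNZ 004013D9 */
    if (p.free_clusters != 0)                          return CD_HAS_FREE_SPACE; /* CMP [EBP-0388],00 / JZ 00401287 */
    if (p.volume_serial != EXPECTED_SERIAL)            return CD_BAD_SERIAL;     /* CMP [EBP-0390],73757821 / JNZ 004013C4 */
    if ((p.fs_flags & 0xFF) & FLAGS_BYTE0_MASK)        return CD_FLAGS_SET;      /* byte 0 of the flags DWORD */
    if (((p.fs_flags >> 8) & 0xFF) & FLAGS_BYTE1_MASK) return CD_FLAGS_SET;      /* byte 1, i.e. [EBP-0397] */
    return CD_OK;
}

/* Why 73757821 reads as 'sux!': the little-endian bytes in memory are 21 78 75 73, i.e. "!xus" forwards.
   Returns 1 when the serial's bytes spell in_memory forwards and reversed backwards. */
int serial_reads_as(uint32_t serial, const char *in_memory, const char *reversed)
{
    char fwd[5], rev[5];
    for (int i = 0; i < 4; i++) { fwd[i] = (char)((serial >> (8 * i)) & 0xFF); rev[3 - i] = fwd[i]; }
    fwd[4] = rev[4] = '\0';
    return strcmp(fwd, in_memory) == 0 && strcmp(rev, reversed) == 0;
}
```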