0040144C
015F:00401303 83C410        ADD ESP,10
015F:00401306 33C0          XOR EAX,EAX
015F:00401308 E936010000    JMP 00401443

Right, I have been a very naughty boy, and admit that there are two parts of this code I don't understand, but from the bad-cracker code being duplicated everywhere, I know to take the jumps. Basically, this is a label check: it checks the disk label against 'sux!', and if they are the same, does these other two tests, which have to pass to skip the 'hehe! try again' message.

015F:004012C5 0F85F9000000  JNZ 004013C4    ; label check, we want to skip this jump...
0f8500000000                                 ; same jnz with a zero displacement, so it just falls through

015F:004012D2 7418          JZ 004012EC     ; don't know, but it needs taking (JMP)
eb18                                         ; jmp short with the same displacement

015F:004012F3 7418          JZ 0040130D     ; still don't know, but take it (JMP)
eb18

on with the reversing...

015F:0040130D 6814244000    PUSH 00402414              ; some bullshit 'stack overflow' string
015F:00401312 8D953CFAFFFF  LEA EDX,[EBP+FFFFFA3C]     ; [ebp+fffffa3c] is the label buffer filled by the GetVolumeInformationA routine
015F:00401318 52            PUSH EDX                   ; some more bullshit 'OVERFLOW'
015F:00401319 E888050000    CALL 004018A6              ; don't care :( (takes the two string pointers; the result is tested below)
015F:0040131E 83C408        ADD ESP,08
015F:00401321 85C0          TEST EAX,EAX               ; fuck it, change this to xor eax,eax
015F:00401323 0F8586000000  JNZ 004013AF               ; this jump must not be taken, because at 4013af is the bad-check code
015F:00401329 681A244000    PUSH 0040241A              ; pointer to the new label (lpVolumeName)
015F:0040132E 6A00          PUSH 00                    ; which drive to change (lpRootPathName = NULL, i.e. the current drive)
015F:00401330 E8DD050000    CALL KERNEL32!SetVolumeLabelA
015F:00401335 48            DEC EAX                    ; SetVolumeLabelA returns a BOOL: eax = 1 if it succeeded, 0 if it failed
015F:00401336 7526          JNZ 0040135E               ; you can't change a CD's label, so eax should be 0;
                                                       ; after the dec eax that is -1, so on failure this jump is taken

015F:00401338 8D8D3CFAFFFF  LEA ECX,[EBP+FFFFFA3C]     ; the original label saved by GetVolumeInformationA
015F:0040133E 51            PUSH ECX
015F:0040133F 6A00          PUSH 00
015F:00401341 E8CC050000    CALL KERNEL32!SetVolumeLabelA  ; put the original label back (the change succeeded, so this is a hard disk, not a CD)
015F:00401346 6A00          PUSH 00
015F:00401348 6A00          PUSH 00
015F:0040134A 8D45B0        LEA EAX,[EBP-50]           ; bad-cracker message
015F:0040134D 50            PUSH EAX
015F:0040134E 53            PUSH EBX
015F:0040134F E8F8000000    CALL 0040144C              ; messagebox again :)
015F:00401354 83C410        ADD ESP,10
015F:00401357 33C0          XOR EAX,EAX
015F:00401359 E9E5000000    JMP 00401443

015F:0040135E 6A00          PUSH 00                    ; iAttribute = 0 (normal file)
015F:00401360 8D55A8        LEA EDX,[EBP-58]
015F:00401363 52            PUSH EDX                   ; pointer to a filename
015F:00401364 E891050000    CALL KERNEL32!_lcreat      ; try to create the file
015F:00401369 83F8FF        CMP EAX,-01                ; _lcreat returns HFILE_ERROR (-1) on failure, which it would on a CD
015F:0040136C 7428          JZ 00401396                ; as CDs are read-only, so force this jump...

015F:0040136E 50            PUSH EAX
015F:0040136F E892050000    CALL KERNEL32!_lclose      ; whoops, we succeeded, so close the newly created file handle
015F:00401374 8D4DA8        LEA ECX,[EBP-58]
015F:00401377 51            PUSH ECX                   ; the same filename again
015F:00401378 E835050000    CALL 004018B2
015F:0040137D 59            POP ECX                    ; drop the argument
015F:0040137E 6A00          PUSH 00
015F:00401380 6A00          PUSH 00
015F:00401382 8D45B0        LEA EAX,[EBP-50]           ; deja vu again :0 (bad-cracker message)
015F:00401385 50            PUSH EAX
015F:00401386 53            PUSH EBX
015F:00401387 E8C0000000    CALL 0040144C              ; messagebox
015F:0040138C 83C410        ADD ESP,10
015F:0040138F 33C0          XOR EAX,EAX
015F:00401391 E9AD000000    JMP 00401443

015F:00401396 6A00          PUSH 00                    ; if we couldn't create the file, we end up here
015F:00401398 6823244000    PUSH 00402423              ; pointer to 'y.e.p.'
015F:0040139D 8D55D4        LEA EDX,[EBP-2C]
015F:004013A0 52            PUSH EDX                   ; pointer to 'y.a.y.!. .y.o.u. .c.r.a.c.k.e.d. .i.t.!.'
015F:004013A1 53            PUSH EBX
015F:004013A2 E8A5000000    CALL 0040144C              ; messagebox...
015F:004013A7 83C410        ADD ESP,10
015F:004013AA E992000000    JMP 00401441

Hmm, the bit at the start, 'stack overflow', I don't understand what or why, but kill this jump:

015F:00401323 0F8586000000  JNZ 004013AF
0f8500000000                                 ; zero displacement: falls through to 401329

You can't change the label of a CD, so this jump needs forcing:

015F:00401336 7526          JNZ 0040135E
eb26                                         ; jmp short, same displacement

Last but not least, you can't create a file on a CD, so this jump needs forcing as well:

015F:0040136C 7428          JZ 00401396
eb28

Wayhey, then we finally reach the good-boy message box!! Yippee!!!

After studying the code and realising what has been done: it just does some simple checks (the label compare, SetVolumeLabelA, _lcreat) and then compares the return codes against what they should be on a CD. We don't want it re-labelling our hard disk drive to 'overflow', or creating a file called 'my.dog', so rather than fixing each test we can skip the whole routine and land straight on the good-boy message box. Set a bpx at the first instruction:

015F:004011B3 68EB234000    PUSH 004023EB   ; pointer to 'kernel32.dll',0

and re-assemble it in SoftICE to jump to the good-boy message box:

a 4011b3 <ret>
jmp 401396 <ret>
<esc>
x <ret>

015F:004011B3 E9DE010000    JMP 00401396    ; skip the whole check, go straight to jail;
                                             ; do not pass go, do not collect 200.. :)

The displacement checks out: 401396 - (4011B3 + 5) = 1DE, stored little-endian as DE 01 00 00. One thing to verify in the debugger before trusting this: the good-boy call at 4013A2 pushes EBX and [EBP-2C], so both must still hold the right values at 401396 when everything between 4011B3 and 401396 has been skipped.
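The three kinds of byte patch used on this page (zeroing a near Jcc's displacement, turning a short Jcc into EB xx, and assembling a JMP rel32 as SoftICE's `a` command does) are small enough to compute by hand, but it is easy to get an off-by-one in the displacement. The helper below is an added example, not the crackme's code and not the original author's process patcher: it decodes every jump in the listing above to confirm the targets SoftICE printed, then applies the page's patches to a constructed NOP-filled byte image that stands in for the real code section. The addresses and opcode bytes are copied from the listing; the image, the helper names and the `whole_routine` switch are assumptions made for illustration.

```python
"""Jump-patch helper for the checkcd.exe walkthrough on this page.

Added example, not the crackme's code and not the original author's
process patcher. Addresses and opcode bytes come from the SoftICE
listing; the NOP-filled byte image is a constructed stand-in for the
real code section.
"""
import struct

BASE = 0x4011B3          # first instruction of the check routine (from the listing)
IMAGE_SIZE = 0x300       # constructed: covers 4011B3..4014B3

# Jumps copied from the listing: address -> (opcode bytes, target SoftICE showed).
LISTED_JUMPS = {
    0x4012C5: ("0F85F9000000", 0x4013C4),   # JNZ  label check
    0x4012D2: ("7418",         0x4012EC),   # JZ
    0x4012F3: ("7418",         0x40130D),   # JZ
    0x401308: ("E936010000",   0x401443),   # JMP  after bad-boy box
    0x401323: ("0F8586000000", 0x4013AF),   # JNZ  string-compare result
    0x401336: ("7526",         0x40135E),   # JNZ  after SetVolumeLabelA
    0x40136C: ("7428",         0x401396),   # JZ   after _lcreat
    0x4013AA: ("E992000000",   0x401441),   # JMP  after good-boy box
}


def jump_target(addr: int, code: bytes) -> int:
    """Decode the JMP/Jcc at virtual address `addr` and return its destination.

    x86 relative jumps are displacements from the end of the instruction.
    """
    op = code[0]
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:           # Jcc rel32 (6 bytes)
        return (addr + 6 + struct.unpack_from("<i", code, 2)[0]) & 0xFFFFFFFF
    if 0x70 <= op <= 0x7F or op == 0xEB:                  # Jcc rel8 / JMP rel8 (2 bytes)
        return (addr + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if op == 0xE9:                                         # JMP rel32 (5 bytes)
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    raise ValueError(f"no jump at {addr:08X}: {code[:2].hex()}")


def kill_near_jcc(code: bytes) -> bytes:
    """0F 8x disp32 -> same Jcc with a zero displacement: it now falls through."""
    if not (code[0] == 0x0F and 0x80 <= code[1] <= 0x8F):
        raise ValueError("not a near Jcc")
    return code[:2] + b"\x00\x00\x00\x00"


def force_short_jcc(code: bytes) -> bytes:
    """7x disp8 -> EB disp8: unconditional JMP short to the same target."""
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError("not a short Jcc")
    return b"\xEB" + code[1:2]


def jmp_rel32(addr: int, target: int) -> bytes:
    """Assemble `JMP target` at `addr`, which is what SoftICE's `a` command did."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))


def build_image() -> bytearray:
    """Constructed stand-in for the code section: NOPs plus the listed instructions."""
    img = bytearray(b"\x90" * IMAGE_SIZE)
    img[0:5] = bytes.fromhex("68EB234000")            # PUSH 004023EB at 4011B3
    for addr, (hexbytes, _) in LISTED_JUMPS.items():
        img[addr - BASE: addr - BASE + len(hexbytes) // 2] = bytes.fromhex(hexbytes)
    return img


def check_listing() -> dict:
    """Decode every listed jump and compare with the target SoftICE printed."""
    return {addr: jump_target(addr, bytes.fromhex(hx)) == tgt
            for addr, (hx, tgt) in LISTED_JUMPS.items()}


def apply_patches(img: bytearray, whole_routine: bool = False) -> dict:
    """Apply the page's patches to `img`; return addr -> (new bytes hex, new target)."""
    def rd(addr, n): return bytes(img[addr - BASE: addr - BASE + n])
    def wr(addr, b): img[addr - BASE: addr - BASE + len(b)] = b

    plan = {
        0x4012C5: kill_near_jcc(rd(0x4012C5, 6)),    # skip the label-check jump
        0x4012D2: force_short_jcc(rd(0x4012D2, 2)),  # take it unconditionally
        0x4012F3: force_short_jcc(rd(0x4012F3, 2)),
        0x401323: kill_near_jcc(rd(0x401323, 6)),    # never reach the bad-check code
        0x401336: force_short_jcc(rd(0x401336, 2)),  # pretend SetVolumeLabelA failed
        0x40136C: force_short_jcc(rd(0x40136C, 2)),  # pretend _lcreat failed
    }
    if whole_routine:                                # the `a 4011b3 / jmp 401396` variant
        plan = {0x4011B3: jmp_rel32(0x4011B3, 0x401396)}
    result = {}
    for addr, new in plan.items():
        wr(addr, new)
        result[addr] = (new.hex(), jump_target(addr, rd(addr, 6)))
    return result


if __name__ == "__main__":
    print(check_listing())
    print({hex(a): v for a, v in apply_patches(build_image()).items()})
    print({hex(a): v for a, v in apply_patches(build_image(), whole_routine=True).items()})
```

`check_listing()` returns True for every entry, which is the quick sanity test that the bytes were copied correctly. To write the patches into checkcd.exe on disk rather than a constructed image you still have to translate each virtual address to a file offset through the PE section table (offset = VA - ImageBase - section VirtualAddress + PointerToRawData); that step is what the author sidestepped by using a loader that patches the process in memory instead.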

Then you have an almost cracked checkcd.exe... just got to patch it, but I can't be bothered, so I used my process patcher to create a loader for it (available from http://csir.xxx.xxx :)

no plugz.. :)

happy reversing / cracking / whatever..
