<font face="宋体" color="#000000">type</font> <font face="Times New Roman" color="#000000">'bpx hmemcpy'</font>
<font face="宋体" color="#000000">. (An aside: what does</font> <font face="Times New Roman" color="#000000">hmemcpy</font>
<font face="宋体" color="#000000">mean?</font> </span><span class="p9"><font face="Times New Roman" color="#000000">Windows</font>
<font face="宋体" color="#000000">uses the</font> <font face="Times New Roman" color="#000000">hmemcpy</font>
<font face="宋体" color="#000000">function to copy a block of data from one place in memory to another; in this case it copies our string into the memory at the</font>
<font face="Times New Roman" color="#000000">VB dll</font> <font face="宋体" color="#000000">entry point. Remember that I said we would break at the moment</font>
<font face="Times New Roman" color="#000000">Windows</font> <font face="宋体" color="#000000">feeds the string into the</font>
<font face="Times New Roman" color="#000000">VB dll</font> <font face="宋体" color="#000000">entry point?)</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="宋体" color="#000000">Step 3: press</font> <font face="Times New Roman" color="#000000">CTRL</font>
<font face="宋体" color="#000000">+</font> <font face="Times New Roman" color="#000000">D</font>
<font face="Times New Roman" color="#000000">to return to Windows,</font> <font face="宋体" color="#000000">then click "</font>
<font face="Times New Roman" color="#000000">OK</font> <font face="宋体" color="#000000">"; you will immediately break inside the</font>
<font face="Times New Roman" color="#000000">hmemcpy</font> <font face="宋体" color="#000000">function.</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="宋体" color="#000000">Step 4: now we trace deeper inside</font> <font face="Times New Roman" color="#000000">hmemcpy</font>
<font face="宋体" color="#000000">to find where the string we typed is stored. Keep pressing</font> <font face="Times New Roman" color="#000000">F10</font>
<font face="宋体" color="#000000">until you see:</font> </span> <span class="p9"><font face="Times New Roman" color="#000000"> </font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> JMP 9E9F</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> PUSH ECX ;</font>
<font face="宋体" color="#000000">this block copies</font> </span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> SHR ECX,02 ;</font>
<font face="宋体" color="#000000">the string</font> <font face="Times New Roman" color="#000000"> </font>
<font face="宋体" color="#000000">from</font> <font face="Times New Roman" color="#000000"> ds:si </font>
<font face="宋体" color="#000000">to</font> <font face="Times New Roman" color="#000000"> es:di</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> REPZ MOVSD</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> POP ECX</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> AND ECX,03</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> REPZ MOVSB</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> XOR DX,DX</font>
</span></p>
<p> </p>
<p> </p>
<p> </p>
<p> <span class="p9"><font face="宋体" color="#000000">Step 5: before</font> <font face="Times New Roman" color="#000000">REPZ MOVSD</font>
<font face="宋体" color="#000000">executes, run</font> <font face="Times New Roman" color="#000000"> 'ed si'</font>
<font face="宋体" color="#000000">and you will see the string you entered; on my machine it shows "</font> <font face="Times New Roman" color="#000000">0987654321</font>
<font face="宋体" color="#000000">". If you run</font> <font face="Times New Roman" color="#000000">'ed es:di'</font>
<font face="宋体" color="#000000">you will see nothing yet, but once you step with</font> <font face="Times New Roman" color="#000000">F10</font>
<font face="宋体" color="#000000">past the</font> <font face="Times New Roman" color="#000000">REPZ MOVSB</font>
<font face="宋体" color="#000000">line, you will find the string has been copied to</font> <font face="Times New Roman" color="#000000">es:di</font>
<font face="宋体" color="#000000">, which is the</font> <font face="Times New Roman" color="#000000">VB dll</font>
<font face="宋体" color="#000000">string entry point.</font> </span><span class="p9"> </span>
</p>
<p> <span class="p9"><font face="宋体" color="#000000">Step 6: now we know where the string lives. Recall our strategy: the plan was to find where the</font>
<font face="Times New Roman" color="#000000">VB dll</font> <font face="宋体" color="#000000">stores our serial number, then set a breakpoint on that memory to watch when the</font>
<font face="Times New Roman" color="#000000">VB dll</font> <font face="宋体" color="#000000">fetches the string for comparison. So let us set a breakpoint with</font>
<font face="Times New Roman" color="#000000">bpr (</font> <font face="宋体" color="#000000">a breakpoint on a memory range</font>
<font face="Times New Roman" color="#000000">).</font> <font face="宋体" color="#000000">Because after the</font>
<font face="Times New Roman" color="#000000">REPZ MOVS(D/B)</font> <font face="宋体" color="#000000">instructions the pointer now sits at the end of our string, we use the command</font>
<font face="Times New Roman" color="#000000">bpr es:di-8 es:di-1 rw</font>
<font face="宋体" color="#000000">to set a breakpoint on that range, so that any access to the string (read</font> <font face="Times New Roman" color="#000000">/</font>
<font face="宋体" color="#000000">write) will break. Do not press Enter yet</font> <font face="Times New Roman" color="#000000">--</font>
<font face="宋体" color="#000000">read Step 7 first.</font> </span><span class="p9"> </span>
</p>
<p> <span class="p9"><font face="宋体" color="#000000">Step 7: before you press Enter, I will tell you what to expect:</font>
<font face="Times New Roman" color="#000000">SOFTICE</font> <font face="宋体" color="#000000">will break at any code that reads or writes this memory range.</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> </font>
</span><span class="p9"><font face="宋体" color="#000000">For example, you will break in the</font> <font face="Times New Roman" color="#000000">strlen</font>
<font face="宋体" color="#000000">function as it measures the string length; you will break at instructions that copy the string from one place to another (such as a</font> <font face="Times New Roman" color="#000000"> REPZ MOVSW</font>
<font face="宋体" color="#000000">instruction).</font> </span></p>
<p> <span class="p9"><font face="宋体" color="#000000">It will also break when the string is deleted. You may break again in</font>
<font face="Times New Roman" color="#000000">hmemcpy</font> <font face="宋体" color="#000000">, when</font>
<font face="Times New Roman" color="#000000">hmemcpy</font> <font face="宋体" color="#000000">copies the string into another block of</font>
<font face="Times New Roman" color="#000000">dll</font> <font face="宋体" color="#000000">memory; set a breakpoint on that block too with the</font>
<font face="Times New Roman" color="#000000">BPR</font> <font face="宋体" color="#000000">command.</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> </font>
</span><span class="p9"> <font face="宋体" color="#000000">Finally you will most likely break at the comparison code (where you will see the instruction</font>
<font face="Times New Roman" color="#000000"> REPZ CMPSB</font> <font face="宋体" color="#000000">).</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> </font>
</span><span class="p9"><font face="宋体" color="#000000">By the time I reached that spot I had broken four times: once in</font>
<font face="Times New Roman" color="#000000">hmemcpy</font> <font face="宋体" color="#000000">and three more times on string operations.</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="宋体" color="#000000">Step 8: now we have found the</font> <font face="Times New Roman" color="#000000">VB3 dll</font>
<font face="宋体" color="#000000">comparison core. We set a breakpoint there and disable the other breakpoints, since we no longer need them. In the</font>
<font face="Times New Roman" color="#000000">VB3 dll</font> <font face="宋体" color="#000000">we find the comparison instructions at the following place:</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> </font>
</span><span class="p9"><font face="Times New Roman" color="#000000">: 8BCA mov cx, dx</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> : F3A6 repz cmpsb ;&lt;- </font>
<font face="宋体" color="#000000">here the strings are compared:</font> <font face="Times New Roman" color="#000000"> ds:si and es:di</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> : 7401 je 8CB6 ; </font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> : 9F lahf</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> : 92 xchg ax,dx</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> : 8D5E08 lea bx, [bp+08]</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> : E80E06 call 92CB</font>
</span></p>
<p> </p>
<p> </p>
<p> </p>
<p> <span class="p9"><font face="宋体" color="#000000">Before the</font> <font face="Times New Roman" color="#000000">REPZ CMPSB</font>
<font face="宋体" color="#000000">instruction executes, use the commands</font> <font face="Times New Roman" color="#000000"> 'ed si' </font>
<font face="宋体" color="#000000">and</font> <font face="Times New Roman" color="#000000"> 'ed es:di'</font>
<font face="宋体" color="#000000">and you will see the strings. In this example the second and third bytes of the string we entered are compared against "</font> <font face="Times New Roman" color="#000000">V8</font>
<font face="宋体" color="#000000">", so if you restart the program and enter</font> <font face="Times New Roman" color="#000000">0V87654321</font>
<font face="宋体" color="#000000">it registers successfully.</font> </span></p>
<p> </p>
<p> </p>
<p> </p>
<p> <span class="p9"><font face="宋体" color="#000000">Step 9: we are still not finished.</font> <font face="Times New Roman" color="#000000"> </font>
<font face="宋体" color="#000000">We need to summarize, so that the next time we meet a</font> <font face="Times New Roman" color="#000000">VB3</font>
<font face="宋体" color="#000000">program we can quickly set breakpoints and find the correct serial number.</font> </span></p>
<p> </p>
<p> <span class="p9"><font face="宋体" color="#000000">Summarized as follows:</font> </span></p>
<table width="100%" cellspacing="0" cellpadding="0">
<tr bgcolor="#FEFBD8">
<td>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">-</font>
<font face="宋体" color="#000000">Start the</font> <font face="Times New Roman" color="#000000">VB3</font>
<font face="宋体" color="#000000">program to be cracked and enter a fake serial number;</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">-</font>
<font face="宋体" color="#000000">switch to</font> <font face="Times New Roman" color="#000000">SOFTICE</font>
<font face="宋体" color="#000000">and set a breakpoint with</font> <font face="Times New Roman" color="#000000">bpx hmemcpy</font>
<font face="宋体" color="#000000">;</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">-</font>
<font face="宋体" color="#000000">leave</font> <font face="Times New Roman" color="#000000">SOFTICE</font>
<font face="宋体" color="#000000">and click the "</font> <font face="Times New Roman" color="#000000">OK</font>
<font face="宋体" color="#000000">" button; you will be stopped by</font> <font face="Times New Roman" color="#000000">SOFTICE</font>
<font face="宋体" color="#000000">;</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">-</font>
<font face="宋体" color="#000000">now use</font> <font face="Times New Roman" color="#000000">F11</font>
<font face="宋体" color="#000000">and</font> <font face="Times New Roman" color="#000000">F10</font>
<font face="宋体" color="#000000">to step out of the</font> <font face="Times New Roman" color="#000000"> kernel</font>
<font face="宋体" color="#000000">code until you arrive in the</font> <font face="Times New Roman" color="#000000">VBRUN300</font>
<font face="宋体" color="#000000">code;</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">-</font>
<font face="宋体" color="#000000">search for the following byte sequence (these bytes are the code of the</font> <font face="Times New Roman" color="#000000">VB3 dll</font>
<font face="宋体" color="#000000">comparison core):</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000"> 8B,CA,F3,A6,74,01,9f,92,8D,5E,08,E8,0E,06</font>