lesson14031.htm

A gift for all friends interested in cracking. I hope you like it.
            Press F10 to step out of this CALL and you arrive at: <br>
            :00439721 8D4000 lea eax, dword ptr [eax+00] <br>
            :00439724 53 push ebx <br>
            :00439725 6683B86602000000 cmp word ptr [eax+00000266], 0000 <br>
            :0043972D 7410 je 0043973F ------- this jump skips the NAG's call <br>
            :0043972F 8BD8 mov ebx, eax <br>
            :00439731 8BD0 mov edx, eax <br>
            :00439733 8B8368020000 mov eax, dword ptr [ebx+00000268] <br>
            :00439739 FF9364020000 call dword ptr [ebx+00000264] ---- produces the NAG window <br>
            :0043973F 5B pop ebx &lt;--- you arrive here <br>
            :00439740 C3 ret <br>
            Good, that is one spot found. Now press F5 and the program runs. Finally, close the program and it will break again (do not disable the breakpoint you set at the start). <br>
            Press F11 and the NAG appears; click OK, it breaks again; press F10 and you come to: <br>
            :0043709B 8945FC mov dword ptr [ebp-04], eax <br>
            :0043709E 8B45FC mov eax, dword ptr [ebp-04] <br>
            :004370A1 6683B8B602000000 cmp word ptr [eax+000002B6], 0000 <br>
            :004370A9 7441 je 004370EC ------- this jump skips the NAG's call <br>
            :004370AB 33C0 xor eax, eax <br>
            :004370AD 55 push ebp <br>
            :004370AE 68D5704300 push 004370D5 <br>
            :004370B3 64FF30 push dword ptr fs:[eax] <br>
            :004370B6 648920 mov dword ptr fs:[eax], esp <br>
            :004370B9 8B5DFC mov ebx, dword ptr [ebp-04] <br>
            :004370BC 8B55FC mov edx, dword ptr [ebp-04] <br>
            :004370BF 8B83B8020000 mov eax, dword ptr [ebx+000002B8] <br>
            :004370C5 FF93B4020000 call dword ptr [ebx+000002B4] ---- produces the NAG window <br>
            :004370CB 33C0 xor eax, eax --- you will arrive here <br>
            :004370CD 5A pop edx <br>
            :004370CE 59 pop ecx <br>
            :004370CF 59 pop ecx <br>
            <br>
            OK, now modify 0043972D and 004370A9 in a hex editor, changing both je to jne (74 to 75) 
          
    </table>
  </div>
  <div id="KB2Parent" class="parent" align="left"> <a href="#" onClick="expandIt('KB2'); return false" class="p9"> 
    2. Exercise 2: Answer</a></div>
  <div id="KB2Child" class="child" align="left"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <table width="100%" align="center" cellspacing="0">
      <tr bgcolor="#EFEFEF"> 
        <td height="28"> 
          <p class="p9">In SoftICE give the command: bpx MessageBoxA <br>
            Then run the program again; it will break. Press F11 and the NAG appears; click OK and it breaks again, as follows: <br>
            :0040100C 6A30 PUSH 30 &lt;-- these four PUSHes pass <br>
            :0040100E 6879204000 PUSH 00402079 &lt;-- the arguments to the <br>
            :00401013 688D204000 PUSH 0040208D &lt;-- MessageBoxA function below <br>
            :00401018 FF3548204000 PUSH DWORD PTR [00402048] &lt;-- <br>
            :0040101E E8DA010000 CALL USER32!MessageBoxA ------ produces the NAG window <br>
            :00401023 C7050020400003400000 MOV DWORD PTR [00402000],00004003 <br>
            :0040102D C705042040003D114000 MOV DWORD PTR [00402004],0040113D <br>
            :00401037 C7050820400000000000 MOV DWORD PTR [00402008],00000000 <br>
            :00401041 C7050C20400000000000 MOV DWORD PTR [0040200C],00000000 <br>
            :0040104B A144204000 MOV EAX,[00402044] <br>
            :00401050 A310204000 MOV [00402010],EAX <br>
            <br>
            Looking upward, there is no code that jumps over the call at :0040101E. Is there a good way to skip this call? <br>
            <font color="#3333FF">Method one: </font><br>
            This is the one I recommend: add a jump instruction at 0040100C that bypasses the call. <br>
            That is, change it to: jmp 00401023 <br>
            In SoftICE, on the line :0040100C, use the A command and change it to jmp 00401023; note how the machine code changes. <br>
            The resulting machine code is: EB 15 (15 is the value of 401023-40100E) <br>
            <font color="#0000FF">Method two:</font> <br>
            Since nothing above jumps over the call at :0040101E, we can simply NOP it out (No Operation): that instruction performs no operation and its machine code occupies one byte. 
            <br>
            So: change E8DA010000 to 9090909090 and the NAG will no longer appear. (The machine code of nop is 90) 
        
    </table>
  </div>
  <div id="KB3Parent" class="parent" align="left"> <span class="p9"><a href="#" onClick="expandIt('KB3'); return false"> 
    3. Exercise 3: Answer</a> </span></div>
  <div id="KB3Child" class="child" align="left"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <table width="100%" align="center" cellspacing="0">
      <tr bgcolor="#EFEFEF"> 
        <td height="1843"> 
          <p class="p9"><span class="p9">This program displays its NAG in a different way, not with a MessageBox.<br>
            Let's run the program first. The initial NAG window has two buttons: pressing the first gives a small message window (Don't be lame ... blah blah blah), 
            and the second takes you into the program.<br>
            Think about how we might remove the nag. The first thing is to take a look with W32Dasm...<br>
            After loading the program, click W32Dasm's String Data References to list the relevant strings, double-click [Don't be 
            lame ...], and you arrive here:</span> 
          <p><span class="p9">* Referenced by a (U)nconditional or (C)onditional 
            Jump at Address:<br>
            |:0040105F(C)<br>
            |<br>
            :0040109E 6840100000 push 00001040</span></p>
          <p><span class="p9">* Possible StringData Ref from Data Obj -&gt;&quot;NO!&quot;<br>
            | <br>
            :004010A3 6808204000 push 00402008</span></p>
          <p><span class="p9">* Possible StringData Ref from Data Obj -&gt;&quot;Don't 
            be lame, crack the program.&quot; <br>
            | <br>
            :004010A8 680C204000 push 0040200C <br>
            :004010AD FF3500204000 push dword ptr [00402000]</span></p>
          <p><span class="p9">* Reference To: USER32.MessageBoxA, Ord:0000h<br>
            |<br>
            :004010B3 E89B000000 Call 00401153 <br>
            :004010B8 C9 leave <br>
            :004010B9 C21000 ret 0010</span></p>
          <p><span class="p9">The first line, * Referenced by..., tells you that this message-box call is reached from [0040105F] (the small c means a conditional jump).<br>
            So we use the goto code location command (Shift+F12) to jump to 0040105F and arrive at:</span></p>
          <p><span class="p9">* Referenced by a (U)nconditional or (C)onditional 
            Jump at Address:<br>
            |:00401032(C)<br>
            |<br>
            :0040105B 837D1001 cmp dword ptr [ebp+10], 00000001<br>
            :0040105F 743D je 0040109E<br>
            :00401061 837D1002 cmp dword ptr [ebp+10], 00000002<br>
            :00401065 7404 je 0040106B<br>
            :00401067 C9 leave<br>
            :00401068 C21000 ret 0010</span></p>
          <p><span class="p9">This is where the program checks which button you pressed. If you press the first button, the test at 0040105B succeeds and the dialog &quot;Don't 
            be lame..&quot; pops up; if you press the second button, it is tested at :00401061, ....</span></p>
          <p><span class="p9">What we need now is for either button, the first or the second, to take us into the program; doing it this way avoids runtime errors from changing anything else in the program. We change 
            [je 0040109E] to [je 0040106B]<br>
            Now we make the change in HVIEW:<br>
            Open the program, press F4 to select the mode (there are three); here first choose DECODE, which disassembles the program. Press F7 to search for the machine code 837D1001 and you arrive at:</span></p>
          <p><span class="p9">0000065B: 837D1001 cmp d,[ebp][00010],001 ;&quot;&quot; 
            <br>
            0000065F: 743D je 00000069E <br>
            00000661: 837D1002 cmp d,[ebp][00010],002 ;&quot;&quot; <br>
            00000665: 7404 je 00000066B </span></p>
          <p><span class="p9">Note that the addresses shown in HVIEW differ from those we saw in W32DASM. HVIEW displays the file offset, 
            while W32DASM and SOFTICE display exactly the same addresses as each other: memory addresses (memory offset), also called virtual addresses. There are several ways to convert between them:<br>
            <font color="#3333FF">First,</font> use the method I just used: search for the machine code to locate the position.<br>
            <font color="#3333FF">Second,</font> use a tool that calculates it; the second link site under the homepage's tool downloads has tools for this.<br>
            <font color="#3333FF">Third,</font> the simplest method: in W32DASM put the cursor on the line you need and look at the very bottom of W32Dasm, where you will see something like:<br>
            </span><span class="p9">Line:298 Pg 4 of 12 Code Data @:0040113E @Offset 
            0000073Eh in File:????.exe <br>
            Here Offset 0000073Eh is the position in HVIEW.<br>
            </span><span class="p9"><br>
            We press F3 to enter edit mode, press TAB or Enter, change [je 00000069E] to [je 00000066B], and press F9 to save. Of course, your W32DASM must not have this file open at the time, otherwise it cannot be saved.<br>
            OK, the first step is done.<br>
            Now, where is the code block above called from? From 00401032(C), so we jump there:</span></p>
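          <p class="p9">The third conversion method above rests on the PE section table: a virtual address shown by W32Dasm or SoftICE is ImageBase + RVA, and the file offset Hiew shows is the containing section's PointerToRawData + (RVA - VirtualAddress). The Python below is an added example, not part of the original lesson: it parses a section table and converts in both directions, and also reports addresses that have no bytes on disk at all. The PE header it builds is a constructed sample whose .text section (VA 0x1000, raw offset 0x600) is an assumed layout consistent with the two address/offset pairs quoted above (0040113E / 0000073Eh and 0040105F / 0000065Fh both differ by 0xA00).</p>

```python
import struct

# Constructed sample (not from the original lesson): a PE32 header with a .text section at
# VA 0x1000 backed by file offset 0x600, and a .data section that is larger in memory
# (VirtualSize 0x300) than on disk (SizeOfRawData 0x100) to show a virtual-only tail.
def build_sample_pe(image_base=0x400000):
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> PE header at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                    # ImageBase field
    def sect(name, vsize, va, rawsize, rawptr):                    # IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
            + sect(b".text", 0x200, 0x1000, 0x200, 0x600) + sect(b".data", 0x300, 0x2000, 0x100, 0x800))

def read_sections(pe):
    """Return (image_base, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    image_base = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)[0]   # PE32 layout only
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return image_base, out

def va_to_file_offset(va, image_base, sections):
    """Map a W32Dasm/SoftICE virtual address to the Hiew file offset, or None if not backed on disk."""
    rva = va - image_base
    for _name, sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            delta = rva - sva
            return rawptr + delta if delta < rawsize else None   # past raw data: virtual-only bytes
    return None

def file_offset_to_va(offset, image_base, sections):
    """Inverse mapping: a Hiew file offset back to the virtual address W32Dasm/SoftICE show."""
    for _name, sva, _vsize, rawptr, rawsize in sections:
        if rawptr <= offset < rawptr + rawsize:
            return image_base + sva + (offset - rawptr)
    return None
```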
          <p><span class="p9">* Reference To: USER32.DialogBoxParamA, Ord:0000h<br>
            |<br>
            :0040101D E82B010000 Call 0040114D<br>
            :00401022 E911010000 jmp 00401138<br>
            :00401027 C8000000 enter 0000, 00<br>
            :0040102B 817D0C11010000 cmp dword ptr [ebp+0C], 00000111<br>
            :00401032 7427 je 0040105B<br>
            :00401034 817D0C10010000 cmp dword ptr [ebp+0C], 00000110<br>
            :0040103B 7410 je 0040104D<br>
            :0040103D 837D0C10 cmp dword ptr [ebp+0C], 00000010<br>
            :00401041 0F84F1000000 je 00401138<br>
            :00401047 33C0 xor eax, eax<br>
            :00401049 C9 leave<br>
            :0040104A C21000 ret 0010</span></p>
          <p><span class="p9"><br>
            Look at [00401032], another conditional instruction (one that checks which button you pressed). You don't need to understand how it compares; we just make it jump straight to 0040105B rather than loop there waiting to see which key you press, so we simply 
            change the JE at 00401032 to JNE, and the program should be cracked!<br>
            Let me run the program and see. Heavens! A warning window pops up!! ERROR... saying the program has been modified! So this program has a CRC check (if it detects that you have modified the program, it stops running). Fine, let's get rid of that too.<br>
            In W32Dasm's String Data References search for the 'ERROR' message and double-click to arrive at:</span></p>
          <p><span class="p9">* Referenced by a (U)nconditional or (C)onditional 
            Jump at Address:<br>
