📄 lesson14031.htm
|:004010E8(C)<br>
|<br>
:004010EE 6840100000 push 00001040</span></p>
<p><span class="p9">* Possible StringData Ref from Data Obj ->"ERROR"<br>
|<br>
:004010F3 68BD204000 push 004020BD</span></p>
<p><span class="p9">* Possible StringData Ref from Data Obj ->"ERROR: Program has detected tampering. "<br>
->"Execution terminated"<br>
|<br>
:004010F8 6881204000 push 00402081<br>
:004010FD FF3500204000 push dword ptr [00402000]</span></p>
<p><span class="p9"><br>
This block is referenced from [004010E8], so let's go there:</span></p>
<p><span class="p9">* Referenced by a (U)nconditional or (C)onditional
Jump at Address:<br>
|:004010D0(C)<br>
|<br>
:004010DE 813D04204000697A0000 cmp dword ptr [00402004], 00007A69<br>
:004010E8 7504 jne 004010EE<br>
:004010EA C9 leave<br>
:004010EB C21000 ret 0010</span></p>
<p><span class="p9">OK, we don't need to find out where this block is referenced from in turn; this is enough. The code checks whether the program has been modified: :004010DE compares the dword at [00402004] with 00007A69 and, if they differ, the JNE at :004010E8 goes to the "Program has detected tampering" message. So we NOP out the JNE at :004010E8 (75 04 becomes 90 90) or change it to JE.<br>
NOPping is the cleaner choice, since JE only inverts the test rather than removing it. Either way, a single compare-and-branch like this is the weakest kind of anti-tamper check: a two-byte patch defeats it, which is exactly what this exercise demonstrates.<br>
OK, run it again. YES, success!<br>
Summary: this exercise is mainly about learning how to use W32Dasm to disassemble a program statically, and how to use HIEW.</span> </p>
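<p class="p9">The patch just described can be scripted instead of being applied by hand in a hex editor. The following Python script is an added example and is not part of the original lesson or of the crackme: it maps the virtual address W32Dasm shows (:004010E8) to a raw file offset by reading the PE section table, verifies that the bytes at that offset really are the 75 04 of the jne, and replaces them with 90 90. The PE image it builds for itself is a constructed skeleton that holds only the cmp/jne/leave/ret sequence from the listing; against a real file you would pass the file's bytes instead.</p>

```python
"""Added example: patch the anti-tamper JNE by virtual address in a PE32 file.

Not code from the lesson. It translates the VA W32Dasm shows (:004010E8) to a
file offset via the section table, checks the expected opcode bytes (75 04) are
really there, and overwrites them with NOPs (90 90). build_test_image() makes a
constructed minimal PE used only to exercise the code.
"""
import struct


def va_to_file_offset(image: bytes, va: int) -> int:
    """Translate a virtual address to a file offset using the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    size_of_opt, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", image, opt)
    if magic != 0x10B:                       # PE32 only; the crackme is 32-bit
        raise ValueError("only PE32 images are handled here")
    image_base, = struct.unpack_from("<I", image, opt + 28)
    rva = va - image_base
    table = opt + size_of_opt
    for i in range(num_sections):
        hdr = table + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError(f"VA {va:#x} is in uninitialised data, not in the file")
            return rawptr + delta
    raise ValueError(f"VA {va:#x} is outside every section")


def patch_bytes(image: bytes, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Overwrite `expected` at `va` with `replacement`, refusing if the bytes differ."""
    if len(expected) != len(replacement):
        raise ValueError("patch must keep the instruction stream the same length")
    off = va_to_file_offset(image, va)
    found = image[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"at {va:#x} expected {expected.hex()} but found {found.hex()}")
    out = bytearray(image)
    out[off:off + len(replacement)] = replacement
    return bytes(out)


def nop_out_jne(image: bytes, va: int = 0x4010E8) -> bytes:
    """The lesson's patch: the 2-byte 'jne 004010EE' (75 04) becomes two NOPs."""
    return patch_bytes(image, va, b"\x75\x04", b"\x90\x90")


def build_test_image() -> bytes:
    """Constructed PE32 skeleton: ImageBase 0x400000, one section .text at
    RVA 0x1000 backed by file offset 0x400, holding the check from the listing."""
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, optional header size 0xE0, EXE|32-bit
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)        # ImageBase
    sect = opt + 0xE0
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x200, 0x1000, 0x200, 0x400)
    # :004010DE cmp dword ptr [00402004], 00007A69 / jne 004010EE / leave / ret 0010
    code = bytes.fromhex("813D04204000697A0000" "7504" "C9" "C21000")
    off = 0x400 + (0x4010DE - 0x401000)
    img[off:off + len(code)] = code
    return bytes(img)


if __name__ == "__main__":
    original = build_test_image()
    patched = nop_out_jne(original)
    off = va_to_file_offset(original, 0x4010E8)
    print(f"file offset {off:#x}: {original[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
```

<p class="p9">The pre-patch byte check is what makes this safe to reuse: if another build of the program lays its code out differently, the script refuses rather than corrupting an unrelated instruction, and the length check keeps the patch from shifting anything that follows.</p>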
</table>
</div>
<div id="KB4Parent" class="parent" align="left"> <a href="#" onClick="expandIt('KB4'); return false" class="p9">
4. Answer to Exercise 4 </a> </div>
<div id="KB4Child" class="child" align="left">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="28">
<p class="p9">Author: Eternal Bliss <br>
Load the program in W32Dasm and choose Functions → Imports from the menu. In the window that pops up you will see several "cw3220.__XXX" functions; these are the program's imports from cw3220.dll. You will also see these:
<br>
USER32.DialogBoxParamA <br>
USER32.EndDialog <br>
USER32.MessageBoxA <br>
USER32.DialogBoxParamA <br>
USER32.EndDialog <br>
MessageBoxA is certainly not used for the nag (the author says so in the program itself). <br>
So most likely DialogBoxParamA creates the nag and EndDialog closes it. <br>
Double-click USER32.DialogBoxParamA to see where the code calls this function; keep double-clicking and you will see that several places reference it: <br>
004010AF, 0040114C, 004014EE <br>
<br>
The details follow... <br>
<br>
USER32.DialogBoxParamA at 004010AF <br>
=================================================================
<br>
* Possible Reference to Dialog: DialogID_0002 <br>
| <br>
:00401098 6A02 push 00000002 <br>
:0040109A FF7508 push [ebp+08] <br>
<br>
* Reference To: USER32.EndDialog, Ord:0000h <br>
| <br>
:0040109D E858040000 Call 004014FA <br>
:004010A2 6A00 push 00000000 <br>
:004010A4 68DF104000 push 004010DF <br>
:004010A9 6A00 push 00000000 <br>
<br>
* Possible Reference to Dialog: DialogID_0001 <br>
| <br>
:004010AB 6A01 push 00000001 <br>
:004010AD 6A00 push 00000000 <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h <br>
| <br>
:004010AF E83A040000 Call 004014EE <br>
<br>
* Possible Reference to Dialog: DialogID_0001 <br>
| <br>
:004010B4 B801000000 mov eax, 00000001 <br>
:004010B9 EB20 jmp 004010DB <br>
=================================================================
<br>
<br>
USER32.DialogBoxParamA at 0040114C <br>
=================================================================
<br>
:0040113B 55 push ebp <br>
:0040113C 8BEC mov ebp, esp <br>
:0040113E 6A00 push 00000000 <br>
:00401140 687C104000 push 0040107C <br>
:00401145 6A00 push 00000000 <br>
<br>
* Possible Reference to Dialog: DialogID_0002 <br>
| <br>
:00401147 6A02 push 00000002 <br>
:00401149 FF7508 push [ebp+08] <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h <br>
| <br>
:0040114C E89D030000 Call 004014EE <br>
:00401151 33C0 xor eax, eax <br>
:00401153 5D pop ebp <br>
:00401154 C21000 ret 0010 <br>
=================================================================
<br>
The last one, 004014EE, is the target of both Call instructions above, i.e. the import stub for USER32.DialogBoxParamA itself, and is of no interest to us. <br>
Look at these two pieces of code and you will see "DialogID_0001" and "DialogID_0002" pushed before DialogBoxParamA. So let's think about what parameters this function takes. From the Win32 API reference: <br>
int DialogBoxParam( <br>
<br>
HINSTANCE hInstance, // handle to application instance <br>
LPCTSTR lpTemplateName, // identifies dialog box template <br>
HWND hWndParent, // handle to owner window <br>
DLGPROC lpDialogFunc, // pointer to dialog box procedure <br>
LPARAM dwInitParam // initialization value <br>
); <br>
<br>
OK, so five parameters are pushed before this call. Under the stdcall convention they are pushed right to left, so the last push before the Call is hInstance and the one before it is lpTemplateName: push 00000001 at :004010AB and push 00000002 at :00401147 are the dialog template IDs. <br>
<br>
Now, which dialogs are "DialogID_0001" and "DialogID_0002"? Let's go to the top of the listing, where W32Dasm lists the dialog resources: <br>
<br>
+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++ <br>
<br>
Number of Dialogs = 2 (decimal) <br>
<br>
Name: DialogID_0001, # of Controls=009, Caption:"Crackme 2a - n0p3x", ClassName:"" <br>
001 - ControlID:0002, Control Class:"BUTTON" Control Text:"E&xit" <br>
002 - ControlID:0009, Control Class:"BUTTON" Control Text:"A&bout" <br>
003 - ControlID:0065, Control Class:"EDIT" Control Text:"Nag Removal The previous programs have" <br>
004 - ControlID:0066, Control Class:"BUTTON" Control Text:"-=n0p3x=-" <br>
005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Coded By n0p3x. 10th May 1999." <br>
006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"EMAIL: adminno1@yahoo.com" <br>
007 - ControlID:FFFF, Control Class:"STATIC" Control Text:"WEB: http://cod3r.cjb.net" <br>
008 - ControlID:FFFF, Control Class:"STATIC" Control Text:"If you suceed in killing this nag screen and write a tutorial on it then email" <br>
009 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Frame2" <br>
Name: DialogID_0002, # of Controls=004, Caption:"<font color="#0000FF">The deadly NAG!</font>", ClassName:"" <br>
001 - ControlID:FFFF, Control Class:"STATIC" Control Text:"This is a demonstration version of this program." <br>
002 - ControlID:0065, Control Class:"BUTTON" Control Text:"Uhh, youv'e made me feel guilty now. Heres all my money." <br>
003 - ControlID:0066, Control Class:"BUTTON" Control Text:"Take the program for a test drive before paying." <br>
004 - ControlID:FFFF, Control Class:"STATIC" Control Text:"SOFTWARE PIRACY IS ILLEGAL" <br>
=================================================================
<br>
Now, if you run the program you will see that the nag's title is "<font color="#3333FF">The deadly NAG!</font>". So the nag is DialogID_0002 and the main window the program shows is DialogID_0001.
<br>
Remember "USER32.EndDialog" in the imports? It takes two arguments, the handle of the dialog to close (hDlg) and a return code (nResult); at :00401098 the push 00000002 is that return code and push [ebp+08] is the handle, so it closes whichever dialog's handle is passed to it. OK, let's crack it:
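The two pieces of reasoning above (five parameters pushed right to left before DialogBoxParamA, and EndDialog taking a handle plus a return code) can be checked mechanically. The following Python script is an added example and is not part of the original tutorial or of n0p3x's crackme: it parses the W32Dasm instruction lines quoted above, pairs the pushes preceding each annotated Call with the Win32 prototype in reverse order, and reports which dialog template each call site shows. The listing text embedded in it is copied from the lesson; the parameter names come from the Win32 API reference.<br>

```python
"""Added example: reconstruct stdcall arguments from a W32Dasm listing.

Not code from the lesson. It reads the instruction lines W32Dasm prints,
collects the PUSHes that precede each annotated API call and assigns them to
the parameter names in reverse order, because stdcall pushes arguments
right-to-left (the last PUSH before the CALL is the first parameter).
"""
import re

# Parameter order from the Win32 API reference, left to right.
PROTOTYPES = {
    "USER32.DialogBoxParamA": ["hInstance", "lpTemplateName", "hWndParent",
                               "lpDialogFunc", "dwInitParam"],
    "USER32.EndDialog": ["hDlg", "nResult"],
}

# Instruction lines copied from the two W32Dasm listings in the lesson. The '|'
# and '* Possible Reference to Dialog' annotation lines are left out; the parser
# ignores anything that is not an instruction or a '* Reference To:' line.
LISTING = """\
:00401098 6A02 push 00000002
:0040109A FF7508 push [ebp+08]
* Reference To: USER32.EndDialog, Ord:0000h
:0040109D E858040000 Call 004014FA
:004010A2 6A00 push 00000000
:004010A4 68DF104000 push 004010DF
:004010A9 6A00 push 00000000
:004010AB 6A01 push 00000001
:004010AD 6A00 push 00000000
* Reference To: USER32.DialogBoxParamA, Ord:0000h
:004010AF E83A040000 Call 004014EE
:004010B4 B801000000 mov eax, 00000001
:004010B9 EB20 jmp 004010DB
:0040113B 55 push ebp
:0040113C 8BEC mov ebp, esp
:0040113E 6A00 push 00000000
:00401140 687C104000 push 0040107C
:00401145 6A00 push 00000000
:00401147 6A02 push 00000002
:00401149 FF7508 push [ebp+08]
* Reference To: USER32.DialogBoxParamA, Ord:0000h
:0040114C E89D030000 Call 004014EE
:00401151 33C0 xor eax, eax
:00401154 C21000 ret 0010
"""

INSN_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+[0-9A-Fa-f]+\s+(\w+)\s*(.*)$")
REF_RE = re.compile(r"^\* Reference To:\s+([\w.]+)")


def parse_operand(text: str):
    """Immediates come back as ints; registers and memory operands stay as text."""
    text = text.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", text):
        return int(text, 16)
    return text


def reconstruct_calls(listing: str) -> list:
    """Return one record per annotated Call: address, API name and its arguments."""
    calls, pushes, pending = [], [], None
    for raw in listing.splitlines():
        line = raw.strip()
        ref = REF_RE.match(line)
        if ref:
            pending = ref.group(1)          # names the API the next Call reaches
            continue
        insn = INSN_RE.match(line)
        if not insn:
            continue
        addr, mnem, operands = int(insn.group(1), 16), insn.group(2).lower(), insn.group(3)
        if mnem == "push":
            pushes.append(parse_operand(operands))
        elif mnem == "call":
            params = PROTOTYPES.get(pending)
            if params is not None:
                recent = pushes[-len(params):]             # only the last N pushes are arguments
                args = dict(zip(params, reversed(recent)))  # right-to-left push order
                calls.append({"addr": addr, "api": pending, "args": args,
                              "complete": len(recent) == len(params)})
            pushes, pending = [], None                      # stdcall callee pops its arguments
    return calls


def dialog_templates(calls: list) -> dict:
    """Map each DialogBoxParamA call site to the dialog template ID it shows."""
    return {c["addr"]: c["args"]["lpTemplateName"]
            for c in calls if c["api"] == "USER32.DialogBoxParamA" and c["complete"]}


if __name__ == "__main__":
    found = reconstruct_calls(LISTING)
    for c in found:
        print(f"{c['addr']:08X} {c['api']}: {c['args']}")
    print("dialog shown per call site:", dialog_templates(found))
```

Running it gives lpTemplateName = 1 for the call at 004010AF and 2 for the call at 0040114C, matching the dialog captions listed above. It also shows that the push 00000002 before EndDialog at 0040109D lands in nResult, the return code, not in a dialog ID: W32Dasm's "Possible Reference to Dialog: DialogID_0002" annotation there is a guess based on the immediate value alone.<br>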