探索杂志 (Exploration Magazine)
Knowledge sharing, resource sharing, material sharing
[Produced by] ProgramHunter
[Release date] 2000-9-30
[Issue] No. 14
[Website] http://programhunter.com
[Editor's note]
{~._.~}
( Y )
()~*~()
(_)-(_)
Autumn is a season of harvest. The seeds our Chinese athletes watered with their sweat in spring have finally been harvested this autumn, and not an ordinary harvest but a bumper year; we are happy for them. China now has 28 gold medals in the bag.
The three articles introduced today are all taken from foreign works. One of them is the foreign original, untranslated; I will translate it during next week. For now, have a look at it, and if you don't understand it, read my translation in the next issue. I don't know how good the translations are, so please point out any mistakes, and I will improve in future translations.
[Contents]

[Cracking Notes]
Winpop V254a cracking process   Author: UFK 03/21/99
Translated by ProgramHunter
Hello everyone. This program does not have a very strong protection, but studying it can give you a new cracking idea. The program has a 50-day limit and two nag windows. Let's start.
First I want to thank _y for helping with this cracking tutorial and correcting some of its mistakes.
Thanks also to ytc, Neural and iczelion.
Run the program. Wow!
Now we get a message: "Messanger Service or another WinPopUp might be running. Reciver was Disabled!" Nothing here we can use; you may not even see it. OK, next. Now another nag window: "You have 50 days to evaluate this software, would you bla bla bla..". Run IDA and disassemble the program; wait until it finishes. We cannot search for "you have 50 days..", because the 50 changes every day, so search for "you have" instead:
.data:0046A250 59 6F 75 20 68 61+ str->YouHaveDDaysToE db 'You have %d days to evaluate this software',0
.data:0046A250 76 65 20 25 64 20+
.data:0046A27B 0
Cool! Now, we can't get this program registered: when I searched for "register" there were no results. So we will look for the function that creates the nag window and remove it. First press X-Ref on the string and see what we can use:
          ||
         _||_
         \  /   (the X-Ref points here)
          \/
.text:004020AF 68 50 A2 46 00 push offset str->YouHaveDDaysToE
(our string)
.text:004020B4 52 push edx
.text:004020B5 E8 F8 B5 02 00 call _text_42D6B2
.text:004020BA 83 C4 0C add esp, 0Ch
.text:004020BD _text_4020BD:
.text:004020BD 68 18 A2 46 00 push offset str->WouldYouSeeTheR
(the rest of the nag screen text)
.text:004020C2 8D 4C 24 30 lea ecx, [esp+2Ch+arg_0]
.text:004020C6 E8 64 D5 02 00 call _text_42F62F
.text:004020CB 8B 86 18 03 00 00 mov eax, [esi+318h]
OK, run the SoftICE Symbol Loader and load our program. When it breaks at the start, set a breakpoint at address 4020AF, then use the S-ICE command P or F10 (step over calls, ints, etc.) until the program shows the nag window; that way we know which instruction created it. You will have to press F10 a few times before the nag window appears. It asks whether we want to browse the web page; choose no. Then SoftICE pops up. Look at the address of that call: it is the instruction that creates the window. Yuck! :D Let's remove it. The address we see in SoftICE is 001B:004020F2.
When you jump to it:
.text:004020F2 E8 61 DA 03 00 call _text_43FB58
.text:004020F7 83 F8 06 cmp eax, 6
.text:004020FA 75 07 jnz short _text_402103
Cool. Now run a hex editor and find this address. You can search for the hex bytes, or use Iczelion's "Virtual Address to File Offset" tool, which you can download from iczelion.cjb.net. The file offset of this call is $14F2, so it can be found in the hex editor. (Back up your original file first.) Now change all the bytes of this instruction to nop (in assembly, nop executes nothing; its machine code is 90h). It now looks like this:
.text:004020F2 90 nop
.text:004020F3 90 nop
.text:004020F4 90 nop
.text:004020F5 90 nop
.text:004020F6 90 nop
.text:004020F7 83 F8 06 cmp eax, 6
.text:004020FA 75 07 jnz short _text_402103
Now save it and run the program. Let's see what happens... the program crashes. Why???!?!! Something below will tell you: it seems the function that creates the nag returns a value that is used in later functions. If we do it our way, nothing is returned, so the program crashes. What do we do? Set a breakpoint at that call; in SoftICE, press F10 and you will see some registers highlighted (they may be a different colour on your machine). Write those registers and their values down on a piece of paper. Start again from the beginning: run the Symbol Loader and set a breakpoint at 004020F2 (of course you need to reload the file, since you changed it). Did it break? Press F10 and copy the registers and their values; they are the highlighted ones. On my machine the values are:
EAX=00000007
ECX=0012FD4C
ESP=0012FD30
EDX=00020000
EIP=004020F7
Well, not EIP: EIP is the extended instruction pointer, it points at the current place in the code.
OK, now let's look at the code:
.text:004020F2 E8 61 DA 03 00    call _text_43FB58        <- runs NAG
.text:004020F7 83 F8 06          cmp eax, 6
.text:004020FA 75 07             jnz short _text_402103   <- if zero flag on, show www pages
.text:004020FE E8 0D FC FF FF    call _text_401D10
.text:00402103 _text_402103:
.text:00402103 39 9E 18 03 00 00 cmp [esi+318h], ebx
.text:00402109 7D 1B             jge short _text_402126
Now watch where the program checks whether you browse the web page or not. If you break on that line and change the zero flag, the program continues :) Change the jump to jmp:
.text:00402126 _text_402126:
.text:00402126 8D 4C 24 2C lea ecx, [esp+28h+arg_0]
.text:0040212A 88 5C 24 24 mov byte ptr [esp+28h+var_4], bl
.text:0040212E E8 60 D1 02 00 call _text_42F293
Now keep tracing the program and you will see the error message.
.text:0040212E E8 60 D1 02 00 call _text_42F293
So let's see what registers it used so far! Remember, the registers that got changed are: EAX, ECX, ESP, EDX and EIP.
Here:
.text:004020F7 83 F8 06 cmp eax, 6
We can see that the value of eax does not change when you choose to browse the web page.
Here: .text:00402126 8D 4C 24 2C lea ecx, [esp+28h+arg_0]
We see that ecx is given a value here, so there is no change for our register either.
Now ESP, EDX and EIP are left. EIP is no use, so ESP and EDX remain. I did not see the program use EDX, so only ESP is left :) So what does that mean? It means that the value the nag function leaves in esp is used further down. So use "mov esp, 0012fd30" instead of the nops. Now open the hex editor and go to offset 14F2. Note that the call is 5 bytes, so how do we change it? The mov instruction is also 5 bytes, so no nop needs to be added; if the mov were 4 bytes we would have to nop the fifth byte, since it would otherwise make a difference.
It now looks like this:
.text:004020F2 BC 30 FD 12 00 mov esp, 0012fd30
.text:004020F7 83 F8 06 cmp eax, 6
.text:004020FA 75 07 jnz short _text_402103
Cool! We don't have to worry about the value of eax, because eax cannot be equal to it, so it can't show the web page; if you are still worried, you can change the jnz to jmp :D. Now run the program and see what happens. Great! No more nag window. But that is not enough: we have removed the first nag, but the nag that reports the number of days is not cracked yet.
Set the date a year ahead and run the program. What do you see? The program just exits. No nag, nothing. Why? Because... remember the nag window that asks you to browse the web page? The program uses the same window both for the expiry message and for the web page question. What do we do now? Start again :) Use the original program to see what has changed. Run it and the nag appears: "This program has expired". Good, search for that string in IDA:
.text:00402098 7D 10 jge short _text_4020AA
.text:0040209A 68 7C A2 46 00 push offset str->ThisProgramHasE
Cool.. right above it there is a jge. Shall we change the jge to "jmp"? Let's try: run the program, break at this address and change the S flag so that it jumps. What do we see? I see a nice nag window: "you have -317 days left to evaluate..". OK, we change it to jmp, remove the nag I explained earlier, and we are done :D Hope this helps you.
If you have any comments or suggestions, don't forget to e-mail.
Neat! That means we change that jmp and eliminate the nag like I explained.
ufk@hotmail.com
ICQ:1416041
Irc Nick: UFK
A First Look at Code Encryption in Software
Author: n0p3x
Translated by 梦醒时分
Today's introduction: this tutorial will teach you how to crack an encrypted program. We will use a demo program I wrote. The task is to remove a simple message box. The message box comes from the API function MessageBoxA, so normally removing it would be very simple. However, this program is encrypted, so patching it is a small problem. Here I remove that problem and open up the cracking world of SMC to some friends who have no experience with it.
What is encryption? Encryption is data somewhere that has been modified by some method so that it cannot be read. Internally, the design includes some routine, usually run before the software executes, that decrypts part of the program.
Why use encryption? Applications are often encrypted to stop them being reversed. If you try to disassemble an encrypted application, you will most likely get garbage and hardly anything usable.
The problem with application encryption is that the code must be decrypted before it can execute. So, relatively speaking, it is easy for someone to watch the program in memory while it runs and study what it does. However, a clever program can re-encrypt its data after it has executed, to make understanding the code a bit harder.
So what is SMC? SMC stands for 'Self Modifying Code'. It is an application that modifies itself while it runs. An encrypted program is very much like SMC: it needs to decode its code, write the decoded program code back over the original, and so it modifies itself at a basic level.
Does SMC have other uses? SMC has many uses inside the programming world. Anyway, it certainly is used: SMC is used inside encryption, packing... but to mention some shareware: whenever a program needs to protect its own integrity, SMC is a very good choice.
Our target:
Now to our program. When we run it, we get a horrible message box. Now, as we have seen before in Win32 programming, we assume this kind of dialog is called up by the MessageBox function. You may not know that in Windows there are two versions of the messagebox function: one is 16-bit, which Windows keeps for Win3.1 applications so they still work normally, and the other is the brand new Win32 version. How do we know which is which? It is actually very simple: the people at Microsoft decided the new 32-bit calls should have the letter A appended to the name of the call. Since our application is a 32-bit application, we can safely guess the dialog is displayed with the function MessageBoxA.
Now you may be worrying that you don't type MessageBoxA when you use these message boxes in your own applications. That is not a problem: most high-level compilers automatically make the Win32 functions available. If, however, you write your program in a real language such as Assembly, then you have a problem.
Now that we know which function the program uses, we can try to remove the part of the program that produces this message. To do that successfully we need to know what parameters the function expects and what it returns. So open the Windows API reference and find the details of the MessageBox call (yes, the Windows people don't care about the difference between Win16 and Win32). You should see the function in this form:
int MessageBox(
    HWND hWnd,          // handle of owner window
    LPCTSTR lpText,     // address of text in message box
    LPCTSTR lpCaption,  // address of title of message box
    UINT uType          // style of message box
);
Now some basic Win32asm knowledge. We need to know how this function is called in an assembly program. Here is a small example of a MessageBox call:
push MB_OK            ; style of message box
push offset MsgTitle  ; address of title of message box
push offset MsgText   ; address of text in message box
push hwnd             ; handle of owner window
call MessageBoxA      ; execute the function
You should notice that the function's parameters are placed on the stack, and then the call is executed. What is the stack? The stack is a form of temporary storage available to a program. The stack works on a LIFO (last in, first out) basis, so when you try to get a value back from the stack, you get the last value you put on it. For example:
push Value1 ; put our first value on top of the stack
push Value2 ; put our second value on top of the first
push Value3 ; put the last value on top of the others
pop Value3  ; get back the third value
pop Value2  ; get back the second value
pop Value1  ; get back the first value
Usually, when a Windows function executes, it pops everything off the stack, leaving your stack as it was before you pushed all the parameters and called the function. It does, however, depend on the calling convention used, but don't worry: Windows almost always works this way. The knowledge of functions I have just given you should be enough for most of your reverse engineering needs.
So, now that we know how the program displays the message box, we need to use our debugger to stop at the point in the program where the function is about to execute. I use SoftICE as my debugger; everyone should have it. SoftICE can be found on many 'warez' pages on the Internet. I use the latest version, 4.01, but have only seen and used version 4. I don't condone piracy, though, so you should buy this excellent application from www.numega.com. Believe me, it is not a waste of money. Enough promotion, let's begin.
Make sure you have installed SoftICE successfully, including all the relevant bits (that's another tutorial, and there are many). We need to make the debugger stop at the function MessageBoxA. First press 'CTRL-D' inside Windows to enter SoftICE. You should now be in SoftICE's world. Inside SoftICE type 'BPX MessageBoxA'. You should not get any error message; if you do, SoftICE is not set up correctly. Now press 'CTRL-D' again to leave SoftICE and return to Windows, and try running the program. As soon as you run the program you should be back in SoftICE.
At this point we are deep inside Windows code. We want to get to the place where the program (our target) calls the function. Press 'F12' to step through the code until we return to Windows and see the annoying message box. If you click 'OK', you are back in SoftICE. At the bottom of the window you should see the program's name, like this: n0p3x!CODE+### where ### is some hex digits. Now we are where we want to be. Look at this code; go on, it doesn't bite. Get a real feel for the code. Press 'CTRL' with the up and down arrows and you can scroll the code up and down as you like.
You should see four PUSHes placing values on the stack before the CALL. If you want to examine some of the parameters to make sure it really is the message box, type 'D [MEMORY ADDRESS]' with the address of the string given in the push. If you do this for the second and third PUSH, you should see the message box's title and text. OK, enough messing around. We need to remove this whole call. That means removing all the PUSHes too, otherwise we would mess up the program's stack and end up with a crash.
Removing the call is simple. There is a special instruction called 'NOP' which does nothing except take a little time (don't worry, when I say a little, I mean tiny). We just need to fill the call and all the PUSHes with nops. But a NOP is only one byte, and our message box is without doubt far more than one byte. If we simply wrote NOPs over the CALL without knowing how many bytes it takes, we would mess up the program even though we don't want to, and just get a crash. How do we know how many bytes our function uses? It is simple: type 'CODE ON' inside SoftICE and you will see the bytes that make up each instruction. It should look like this:
6A00        push 00                  ; style of message box
6800204000  push 402000              ; title
6885204000  push 402085              ; text
6A00        push 00                  ; window handle
E84E000000  call USER32!MessageBoxA
Don't worry that the window handle is 0; it just means the message box has no parent window. One byte is two hex digits, so we can say the first PUSH is two bytes and needs two NOPs to fill it. We need to find this section in the compiled EXE file in an editor. I use HIEW and Hex Workshop, though Hex Workshop may be better for beginners. Inside the hex editor search for the byte sequence '6A006800204000'; that is simply the opcodes of the first two PUSHes together. If you find it, search again to see whether it occurs anywhere else in the program; if it does, you need to add more of the code's bytes to your search sequence until you get a unique result. Once you have found the code, you type 90 over every byte of it in the EXE file. 90 means NOP, but I'm sure most people know that.
Here we have a problem. The byte search finds nothing. What happened? The program has been encrypted in some way to stop you changing it. If the program were not encrypted you could easily find the bytes, and the program would work as expected; I bet it decodes them before executing. We simply need to find where that happens and how. Open the program in a disassembler; I use W32Dasm 8.9. You need to find the decoding code. It must look something like this:
mov reg1, addr-to-write-to
mov reg2, [reg1]
;manipulate reg2
mov [reg1], reg2
We know it must execute before the message box is displayed; otherwise the program would try to execute the encrypted bytes and crash. We know the first PUSH is at address 4011b0 in memory. Simply go to that location in your disassembler, and you should see a lot of meaningless instructions. That is the encrypted version of our program. If we simply patched it here, we would see the program overwrite this code. If you move up a little you will see this:
*Referenced by a CALL at address:
:00401020
So we know where this little message box routine is called from. Go to that address in the disassembler and examine the code you land in. Notice that it is very close to the start of the program, and only four calls execute before our message box. That does not leave much room to hide code. Three of those are Windows functions. We know the decryption routine must be in the unnamed call, which, coincidentally, executes one line before our message box. Go to the address of that call in your disassembler. You should see some very suspicious looking code. It should look like this:
* Referenced by a CALL at Address:
|:0040101B
|
:00401194 B8AB114000 mov eax, 004011AB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011A8(U)
|
:00401199 8A18 mov bl, byte ptr [eax]
:0040119B 80F301 xor bl, 01
:0040119E 8818 mov byte ptr [eax], bl
:004011A0 40 inc eax
:004011A1 3DC3114000 cmp eax, 004011C3
:004011A6 7F02 jg 004011AA
:004011A8 EBEF jmp 00401199
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011A6(C)
|
:004011AA C3 ret
With your basic knowledge of assembly you should be able to interpret this whole section, but I will explain it to be sure :-). OK, first mov eax, 004011AB moves the address of the encrypted code into a register. Then mov bl, byte ptr [eax] moves the first byte of the encrypted code into the register bl. Next xor bl, 01 decrypts the byte ;-), and mov byte ptr [eax], bl writes it back. Then inc eax increments eax to point to the next byte of the encrypted code. The program then (cmp eax, 004011C3) checks whether we are at the end of the encrypted code; if we are at the end address, (jg 004011AA) jumps to a ret, which returns from the function. If we are not at the end of the encrypted data, (jmp 00401199) jumps back to the start to decode the next byte.
So from this you can tell that every byte of the routine is XORed with the number 1. This leaves us many ways to attack the program. We could decode the bytes ourselves and NOP out the whole decryption routine, write NOPs into the message box call, or simply NOP the remaining parts of the routine apart from the message box.
We will choose the harder option: we will put encrypted code back into the file. Since we know the encrypted address, we can easily find the file offset in W32Dasm. If you click on the line of code where the first push would be if it were not encrypted, the status bar shows the offset. Go to that offset in a hex editor. Now, W32Dasm shows us the encrypted code like this:
:004011B0 6B0169 imul eax, dword ptr [ecx], 00000069
:004011B3 0121 add dword ptr [ecx], esp
:004011B5 41 inc ecx
:004011B6 016984 add dword ptr [ecx-7C], ebp
:004011B9 214101 and dword ptr [ecx+01], eax
:004011BC 6B01E9 imul eax, dword ptr [ecx], FFFFFFE9
:004011BF 4F dec edi
:004011C0 0101 add dword ptr [ecx], eax
:004011C2 01C2 add edx, eax
We want to fill it with NOPs. If you simply XOR 90h with 1h you get the encrypted NOP: 91h. Now change all of them to 91h in the hex editor and run the program again. The dialog box is gone.
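Added example (not n0p3x's code): the decryptor loop above replayed in Python over the encrypted bytes W32Dasm lists, to show that they decode to exactly the MessageBoxA call from the CODE ON listing, and that 91h is the byte to write so the stub produces NOPs. The addresses and the key are those in the listings; the bytes at 004011AB..004011AF are not shown in the tutorial, so the memory image is left sparse there.

```python
"""Replay of the n0p3x decryptor stub and of the 'encrypted NOP' patch.

Added example: not n0p3x's code. The 20 encrypted bytes are the ones
W32Dasm lists at 004011B0..004011C3; the loop bounds 004011AB and
004011C3 and the key (xor bl, 01) come from the decryptor listing. The
five bytes at 004011AB..004011AF are not shown in the tutorial, so this
sparse memory image simply leaves them out.
"""
from typing import Dict

DECRYPT_START = 0x004011AB   # mov eax, 004011AB
DECRYPT_LAST = 0x004011C3    # cmp eax, 004011C3 / jg: loop runs while eax <= 4011C3
LISTING_START = 0x004011B0   # first address of the encrypted listing
KEY = 0x01                   # xor bl, 01

# The encrypted bytes exactly as listed (004011B0 .. 004011C3).
ENCRYPTED = bytes.fromhex(
    "6B0169" "0121" "41" "016984" "214101" "6B01E9" "4F" "0101" "01C2"
)

# The MessageBoxA call the 'CODE ON' listing shows, plus the ret at 4011C3.
EXPECTED_PLAIN = bytes.fromhex(
    "6A00" "6800204000" "6885204000" "6A00" "E84E000000" "C3"
)


def run_decryptor(image: Dict[int, int], key: int = KEY) -> Dict[int, int]:
    """Execute the stub's loop literally over a sparse memory image
    (address -> byte). Addresses missing from the image are skipped."""
    mem = dict(image)
    eax = DECRYPT_START                  # mov eax, 004011AB
    while True:                          # :00401199
        if eax in mem:
            bl = mem[eax]                # mov bl, byte ptr [eax]
            bl ^= key                    # xor bl, 01
            mem[eax] = bl                # mov byte ptr [eax], bl
        eax += 1                         # inc eax
        if eax > DECRYPT_LAST:           # cmp eax, 004011C3 / jg 004011AA
            return mem                   # ret
        # jmp 00401199: next byte


def decrypt_listing(encrypted: bytes = ENCRYPTED) -> bytes:
    """Load the listing at 004011B0, run the stub, and read the result back."""
    image = {LISTING_START + i: b for i, b in enumerate(encrypted)}
    mem = run_decryptor(image)
    return bytes(mem[LISTING_START + i] for i in range(len(encrypted)))


def encrypted_nop_patch(length: int = len(ENCRYPTED)) -> bytes:
    """Bytes to write into the file so the stub decodes them to NOPs:
    0x90 ^ 1 == 0x91, as the tutorial says."""
    return bytes([0x90 ^ KEY]) * length


if __name__ == "__main__":
    print(decrypt_listing().hex())        # 6a00680020400068852040006a00e84e000000c3
    print(decrypt_listing(encrypted_nop_patch()).hex())   # twenty NOPs (90)
```

Note that the loop stops at 004011C3 and starts at 004011AB, so the stub never touches its own bytes at 00401194..004011AA; only the region after the ret is transformed.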
Closing words:
Unfortunately, most encryption is more complex than a simple xor. But once you know the idea, it is all the same principle, just more complicated. Sometimes there may be more than one decryption routine. Sometimes the whole program (including resources) is encrypted. Even so, there is always a decryption routine. The decryptor itself may be encrypted and have its own decryptor, but that involves the same principle, just more times over.
Some people may complain about me only patching with NOPs. I don't know why. They complain that some programs then give CRC errors, but that is very rare in encrypted programs, and besides, a CRC can be patched away, it can be cracked out :-). I think that will be another tutorial :-)
--end
Manually unpacking a Neolite packed DLL file
Rebuilding and cracking Neolite's Pecomp.DLL file
09/09/00 by Bit Reaper
Courtesy of Reverser's page of reverse engineering, slightly edited by Tsehp
There is a crack, a crack in everything. That's how the light gets in.
Rating: ( ) Beginner (x) Intermediate ( ) Advanced ( ) Expert
Manually unpacking a Neolite packed DLL file
Rebuilding and cracking Neolite's Pecomp.DLL file
Written by Bit Reaper
Introduction
I've read a lot of tutorials on the web on the subject of reverse engineering, and I thought it would be nice to work on something I have very little knowledge about and give back a little something to those who have written essays, and for those who are thinking about it. I chose Neolite because I had tried long ago to unpack a program packed with it, and couldn't. I gave it another go recently, and it remains a challenge no longer. I'm not going to write an essay about it, because if you can unpack the pecomp.dll file, then you should be able to unpack any Neolite packed .exe file.

Tools required
Soft-ice
Sdump
Hiew
Dumppe
Hex Workshop
A PE editor (I used Procdump)

Target's URL/FTP
http://www.neoworx.com/neolite
Program History
None

Essay
I've had Neolite on my list of things I wanted to work on for a long time now. Until recently, I didn't have enough knowledge to work on it. I've unpacked a few executables in the past, but never a .dll file. From a posting on one of the reversing message boards, I learned a little how the .dll file works. I know that inside your .exe file, you use Loadlibrarya to load the file, and Getprocaddress to find the address of the function you wish to call in the .dll file. But how do you compress or uncompress a dll file, if all I am doing is calling functions? There is code that starts when the executable is run. This code first uncompresses the sections then jumps to the code that would have been run originally, except that it was compressed. It's similar to an executable file, so that means that we need to find the OEP. The nice thing about this compressor is that a few lines down from the start of the compressor there is:
4xxxxxx JMP EAX <-- Original Entry Point
We will need to write the value of EAX down for use later. Now what I did prior to working in Soft-ice, was to get some information about the file, such as raw size, raw offset, etc.

Section Table - Before
----------------------
name     v/a      v/s      r/o      r/s      characteristics
BEGTEXT  00001000 00015C00 00000000 00015C00 C0000080
DGROUP   00017000 00004000 00000000 00004000
.bss     0001B000 00000000 00000000 00022600
.idata   0003E000 00000600 00000000 00000600
.edata   0003F000 00000200 00000000 00000200
Oreloc   00040000 00001000 00000400 00000200
.rsrc    00041000 00022E00 00000600 00000600
.neolit  00064000 0000612C 00000C00 00001C00
.reloc   0006B000 000000D8 00002800 00000200

Notice how for the first four sections we have no raw offset; we will have to remember to adjust this after we are done dumping our unpacked sections and re-creating our new file.
So I wouldn't have to worry about using the test version of Neolite, I copied my unpacked .exe file to whatever name I wanted and with hiew changed all the occurrences of pecomp.dll to say qecomp.dll. You will find two occurrences. Then I copied pecomp.dll to qecomp.dll. This may not be the best way, but it's the only way I can think of right now. If anyone has a better suggestion I would like to know about it.
I found the entry point (not the OEP) for qecomp.dll, wrote down the bytes for it, which are E9 A6 00 00 00. I replaced the E9 with a CC (int 03), and in Soft-ice I turned int 03 checking on by typing:
i3here on
I then replaced the CC with a E9 again, and adjusted the EIP to where the CC used to be so we can continue on with unpacking the file, with us in control. Once I hit F10 a few times and come to the JMP EAX, which is 43C638 on my machine, I type map32 qecomp in Soft-ice. This shows me where my sections are loaded in at. BEGTEXT starts at 431000, so for our virtual address, we need only to add 30000h to them to find out where each section is. I still use the dumper SDUMP, and looking at 431000 I have data. I then look at DGROUP - got data, .bss - ?????. I saw this in the executable, and through trial and error saw that the ??? were simple zero's. This is really just temporary space that the program uses. I'll have to play with the characteristic and see if I can see the true data, otherwise what I did was write a byte to the location that was hidden by ??? and then scroll through it. Not a great technique but it worked. I copied the data from 431000 with a length of 1A000 to my dumper memory location and hit enter to dump it. Looking at our sections the first raw offset is at 400, but to make things easier on ourselves for creating the .dll file, let's erase everything from 400 on down on another copy of pecomp.dll. Then let's add C00h bytes of zero's (can be anything) and paste our dump to it. There, now we have two sections dumped.
Let's add a few more zero's, say 23000h of them for the .bss section. Why not 22600? Because our section alignment is 1000h, and it would be easier for us to have the raw offset match the virtual offset, so let's do that. At the end we should have seven unpacked sections in our .dll file, and the last remaining two, which we just need to copy untouched. Now going back in under soft-ice, and having Sdump waiting, we move memory from 43e000 for a length of 26000h bytes. Note: I am dumping multiple sections when possible. Then paste to the end of the dll file we are constructing. Then last but not least paste the last two sections in. Yes, we are almost done, but not quite yet.
We now need to fix the header up to reflect our changes. We need to adjust the header to look like the one below and also change the Entry point to be C638. That should be all for unpacking the file. You can try to crack the program yourself, or follow along with the rest of the tutorial.

Section Table - After
---------------------
name     v/a      v/s      r/o      r/s      characteristics
BEGTEXT  00001000 00015C00 00001000 00015C00 C0000080
DGROUP   00017000 00004000 00017000 00004000
.bss     0001B000 00000000 0001B000 00022600
.idata   0003E000 00000600 0003E000 00000600
.edata   0003F000 00000200 0003F000 00000200
Oreloc   00040000 00001000 00040000 00000200
.rsrc    00041000 00022E00 00041000 00000600
.neolit  00064000 0000612C 00064000 00001C00
.reloc   0006B000 000000D8 0006B000 00000200

Cracking the nag
----------------
The nag that appears at the beginning is created by a messageboxa, and allows you to run the program, or connect to the Neoworx web page. I want to run it, but I don't want the hassle of clicking yes or no. Cracking it on our compressed file is simple, but where does the code come from that is inserted into our compressed file? I at first hunted a little in the .exe file, but that would be a little too easy.
And I was right, it's not there; it's in the pecomp.dll file, actually residing in the .rsrc section. The code is just copied over to a memory location that will be used to write the first chunk of data for our new compressed file. How do we know this? Write down the call bytes and cmp bytes in our file, then do a search in Soft-ice. All we have to do is overwrite the call with a jmp statement. Actually we need to go two more lines up in the code and overwrite the two pushes. Because of testing in Soft-ice I replaced the code containing the pushes with 90 E9 9F 00 00 00.
Now try to compress your program, I used notepad, and then run it. No more nag screen!
Bit Reaper

Final Notes
I think this is a nice essay for people who have a little knowledge about assembly, the PE format, and are just really curious. What makes Neolite a nice stepping stone is the lack of anti-debugging code and how easy it is to uncompress the file without tracing through tons of code.

Ob Duh
I won't even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
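Added example (not Bit Reaper's or Neolite's code) covering the two section tables in this essay and the $14F2 offset in the Winpop tutorial above: the 'Before' table as data, the rebuild rule that produces the 'After' table (raw offset = virtual address), the dump lengths the essay uses, and a virtual-address-to-file-offset lookup. The image base 0x430000 follows from "BEGTEXT starts at 431000"; the Winpop section values (.text at RVA 1000, raw offset 400) are assumptions, since that tutorial states only the result.

```python
"""Section-table arithmetic for manual unpacking.

Added example: not Bit Reaper's code, not Neolite's. NEOLITE_BEFORE is the
'Before' section table quoted in the essay (characteristics omitted).
WINPOP_ASSUMED is a constructed table for the Winpop tutorial, whose text
gives only the resulting offset $14F2 for address 4020F2.
"""
from typing import List, Optional, Tuple

Section = Tuple[str, int, int, int, int]  # name, v/a, v/s, r/o, r/s

NEOLITE_BEFORE: List[Section] = [
    ("BEGTEXT", 0x01000, 0x15C00, 0x00000, 0x15C00),
    ("DGROUP",  0x17000, 0x04000, 0x00000, 0x04000),
    (".bss",    0x1B000, 0x00000, 0x00000, 0x22600),
    (".idata",  0x3E000, 0x00600, 0x00000, 0x00600),
    (".edata",  0x3F000, 0x00200, 0x00000, 0x00200),
    ("Oreloc",  0x40000, 0x01000, 0x00400, 0x00200),
    (".rsrc",   0x41000, 0x22E00, 0x00600, 0x00600),
    (".neolit", 0x64000, 0x0612C, 0x00C00, 0x01C00),
    (".reloc",  0x6B000, 0x000D8, 0x02800, 0x00200),
]

# Assumed (constructed) single-section table for the Winpop target.
WINPOP_ASSUMED: List[Section] = [(".text", 0x1000, 0x5A000, 0x400, 0x5A000)]


def rebuild(table: List[Section]) -> List[Section]:
    """The essay's 'After' table: the dump is written so that every
    section's raw offset equals its virtual address; raw sizes are kept."""
    return [(name, va, vs, va, rs) for name, va, vs, _ro, rs in table]


def span(table: List[Section], first: str, last: str) -> int:
    """Bytes from the start of section `first` up to the start of section
    `last`: the length to dump (or zero-fill) as one contiguous block."""
    start = {name: va for name, va, *_ in table}
    return start[last] - start[first]


def file_offset(va: int, image_base: int, table: List[Section]) -> Optional[int]:
    """Map a loaded address to a file offset through a section table.
    Returns None when the section carries no raw data on disk (r/o == 0,
    as for the packed sections) or the address lies past its raw data."""
    rva = va - image_base
    for _name, sec_va, vs, ro, rs in table:
        if sec_va <= rva < sec_va + max(vs, rs):
            if ro == 0 or rva - sec_va >= rs:
                return None
            return ro + (rva - sec_va)
    return None


if __name__ == "__main__":
    base = 0x430000                      # BEGTEXT (RVA 1000) seen at 431000
    jmp_eax_target = 0x43C638            # value of EAX at the JMP EAX
    print(hex(jmp_eax_target - base))    # c638: the new entry point RVA
    print(file_offset(jmp_eax_target, base, NEOLITE_BEFORE))          # None
    print(hex(file_offset(jmp_eax_target, base, rebuild(NEOLITE_BEFORE))))
    for a, b in (("BEGTEXT", ".bss"), (".bss", ".idata"), (".idata", ".neolit")):
        print(a, "->", b, hex(span(NEOLITE_BEFORE, a, b)))  # 1a000, 23000, 26000
    print(hex(file_offset(0x4020F2, 0x400000, WINPOP_ASSUMED)))      # 0x14f2
```

The three spans are the 1A000h, 23000h and 26000h lengths the essay dumps or zero-fills, and the None result on the 'Before' table is exactly why the raw offsets have to be rewritten before the dumped file can be mapped back to disk.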
[Beginners' Corner]
In this issue's Beginners' Corner I will introduce a tutorial program written by tkc; it is a tutorial for beginners to learn from. The only thing is that it is entirely in English, so if your English is not good you will have to work on it; English is going to be an essential tool. I am giving you the download address here: you can find it on my website, or download it from the address below. http://go18.163.com/~programhunter/download/c_tkct10.zip. Its contents are as follows:
Tutor Part 1 - How to remove a CD-Check in Age of Empires
Tutor Part 2 - How to get a serial in Easy CD-DA Extractor 3.0
Tutor Part 3 - How to get a serial in MP3 to EXE 1.01
Tutor Part 4 - How to get a serial in Visual Day Planner 6.1
I will gradually introduce more software for beginners to learn from, and I am currently looking for crackme programs, which I will present soon; I hope you can learn cracking from these tutorial programs. I also hope more experts appear in our cracking scene. Let's work at it together.
[Questions and Answers]
[Website Introduction]
[Magazine Mailboxes]
Submissions: discoveredit@china.com
Questions: discoveranswer@china.com
Moderator: programhunter@china.com