1. Packer check: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
2. Unpacking
Load the target in OD (OllyDbg); it stops at the packer's entry point:
00491560 > 60 PUSHAD
00491561 BE 00904500 MOV ESI,CrackmeN.00459000 // apply the ESP trick here: PUSHAD has just saved the registers, so set a hardware breakpoint on access to [ESP] and run
004916C3 - E9 B4FFFBFF JMP CrackmeN.0045167C // the ESP breakpoint lands here; this JMP goes to the OEP
004916C8 E0 16 LOOPDNE SHORT CrackmeN.004916E0
0045167C 55 PUSH EBP // this is the OEP: dump here with OD's dump plugin, then repair the imports with Import Fix 1.6
In Import Fix 1.6 enter the OEP as 5167C (the RVA: 0045167C minus the 00400000 image base), let it auto-search the IAT, get the imports and fix the dump. The repaired dump then runs on its own.
3. Find the string "i am sad!"
Ultra String Reference, item 239:
Address=004513E6
Disassembly=MOV EDX,dump_.00451454
Text string=i am sad!
Double-click the entry to land here:
00451384 55 PUSH EBP
00451385 68 11144500 PUSH dump_.00451411
0045138A 64:FF30 PUSH DWORD PTR FS:[EAX]
0045138D 64:8920 MOV DWORD PTR FS:[EAX],ESP
00451390 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00451393 8B83 F4020000 MOV EAX,DWORD PTR DS:[EBX+2F4]
00451399 E8 D2E1FDFF CALL dump_.0042F570 ; fetch the entered serial into [EBP-4]
0045139E 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 ; compare the serial pointer with 0
004513A2 75 12 JNZ SHORT dump_.004513B6 ; the serial must not be empty
004513A4 BA 28144500 MOV EDX,dump_.00451428 ; "please enter the serial"
004513A9 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
004513AF E8 ECF3FFFF CALL dump_.004507A0
004513B4 EB 40 JMP SHORT dump_.004513F6
004513B6 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004513B9 8B83 F4020000 MOV EAX,DWORD PTR DS:[EBX+2F4]
004513BF E8 ACE1FDFF CALL dump_.0042F570 ; fetch the entered serial again, into [EBP-8]
004513C4 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX = entered serial
004513C7 8B15 2C3C4500 MOV EDX,DWORD PTR DS:[453C2C] ; EDX = fixed constant: the real serial is yjcf&15202727
004513CD E8 3632FBFF CALL dump_.00404608 ; compare the entered serial with the real one
004513D2 75 12 JNZ SHORT dump_.004513E6 ; patch point: NOP both bytes (75 12 -> 90 90) and any input is accepted
004513D4 BA 40144500 MOV EDX,dump_.00451440 ; "welcome!"
004513D9 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
004513DF E8 BCF3FFFF CALL dump_.004507A0
004513E4 EB 10 JMP SHORT dump_.004513F6
004513E6 BA 54144500 MOV EDX,dump_.00451454 ; "i am sad!"
Note that the serial is a constant stored in the program (at 453C2C) and the check is a plain string compare, so the real serial can be read straight out of the dump; the patch is only needed if you want the program to accept any input.
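The two manual steps above that are easy to get wrong in a hex editor are the address translation (the OD addresses are virtual addresses, not file offsets) and the patch width (the JNZ is two bytes, so it needs two NOPs, not one). The script below is an added example, not code from the original post: it parses the PE section table of the dumped file, reports which section owns the entry point (a by-hand version of the packer check in step 1, since UPX leaves the entry point in its UPX1 stub section), converts the VA 004513D2 from the listing to a file offset, and applies the 75 12 -> 90 90 patch only after verifying those bytes are really there. It assumes a PE32 file with the 00400000 image base derived in step 2; the image returned by build_sample_image() is a constructed skeleton that mirrors the listing's addresses, not the real CrackMe.

```python
"""Added example (not from the original post): PE section parsing, VA -> file
offset translation, entry-point section check, and a verified two-byte patch."""
import struct
import sys

IMAGE_BASE = 0x400000              # 0045167C - 5167C, as used for the OEP in step 2
PATCH_VA = 0x4513D2                # JNZ SHORT dump_.004513E6 after the serial compare
ORIGINAL = bytes.fromhex("7512")   # opcode bytes of that JNZ (two bytes)
PATCHED = bytes.fromhex("9090")    # two NOPs, one per original byte


def parse_sections(data):
    """Return (image_base, entry_rva, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                         # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections, hdr = [], opt + opt_size                    # section table follows the optional header
    for _ in range(num_sections):
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
        hdr += 40
    return image_base, entry_rva, sections


def section_for_rva(sections, rva):
    for sec in sections:
        _, va, vsize, _, raw_size = sec
        if va <= rva < va + max(vsize, raw_size):
            return sec
    return None


def packer_hint(data):
    """UPX leaves the entry point in its UPX1 section (the decompressor stub)."""
    _, entry_rva, sections = parse_sections(data)
    sec = section_for_rva(sections, entry_rva)
    if sec is None:
        return "entry point outside any section"
    return f"entry point in {sec[0]}" + (": UPX-packed" if sec[0].startswith("UPX") else "")


def va_to_offset(data, va):
    """Virtual address -> file offset via the owning section's PointerToRawData."""
    image_base, _, sections = parse_sections(data)
    rva = va - image_base
    sec = section_for_rva(sections, rva)
    if sec is None:
        raise ValueError(f"VA {va:#x} maps to no section")
    _, sec_va, _, raw_ptr, raw_size = sec
    if rva - sec_va >= raw_size:
        raise ValueError(f"VA {va:#x} is not backed by file data")
    return raw_ptr + (rva - sec_va)


def patch_jnz(data, va=PATCH_VA, expect=ORIGINAL, replace=PATCHED):
    """Overwrite the jump only if the expected opcode bytes are present at that VA."""
    off = va_to_offset(data, va)
    found = data[off:off + len(expect)]
    if found != expect:
        raise ValueError(f"bytes at {va:#x} are {found.hex()}, expected {expect.hex()}")
    return data[:off] + replace + data[off + len(replace):]


def build_sample_image(packed=False):
    """Constructed PE32 skeleton (not the real CrackMe): one section at RVA 0x51000,
    file offset 0x400, with the JNZ bytes placed where 004513D2 maps to."""
    sec_va, raw_ptr, raw_size = 0x51000, 0x400, 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x5167C)              # AddressOfEntryPoint: the OEP from step 2
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    name = b"UPX1" if packed else b"CODE"
    sec = name.ljust(8, b"\0") + struct.pack("<IIII", raw_size, sec_va, raw_size, raw_ptr) + bytes(16)
    image = (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\0") + bytearray(raw_size)
    off = raw_ptr + (PATCH_VA - IMAGE_BASE - sec_va)
    image[off:off + 2] = ORIGINAL
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:                                 # real dump: writes <file>.patched
        data = open(sys.argv[1], "rb").read()
        print(packer_hint(data))
        open(sys.argv[1] + ".patched", "wb").write(patch_jnz(data))
    else:
        img = build_sample_image()
        print(packer_hint(img), hex(va_to_offset(img, PATCH_VA)))
```

Run it with the path of the fixed dump as its only argument; it refuses to write anything if the bytes at 004513D2 are not 75 12, which is the check that stops you from corrupting a binary whose layout differs from the one in this listing (for instance the still-packed original, where that VA holds compressed data).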
This article is reposted from lvcaolhx's 51CTO blog; original link: http://blog.51cto.com/lvcaolhx/48585