160
环境:
Windows xp sp3
工具:
exeinfope, ollydbg
查壳:
用exeinfope查壳,发现加了壳 -- WWPack32 ver 1.xx ,用f8单步调试法,脱壳。
脱掉之后发现是delphi写的
运行之后发现界面整洁、目标明确：输入一个 serial 后会生成一串数字，目标是让生成的数字和界面上显示的数字相同。
这次即使输入不正确，也不会出现错误提示。幸好，当 serial 为空时点“spider”会弹出错误消息框。
在栈中找到这次错误消息框函数调用的位置,下断点,再输入serial,观察是否被断下,如果没有就找更前一点的函数调用的位置。
直到当输入serial后点确定会被断下来。
可以找到这里:
; Caller excerpt (cut on both sides by the author): esi receives the result of
; call 00407A08 (what that routine returns is not shown here), then [local.1] is
; converted by 00407A80 into a 64-bit value in edx:eax. The two add/adc pairs
; below compute esi + value, then esi + (esi + value), i.e. 2*esi + value.
; This equals 3*value only if 00407A08 returned the same value — the listing
; alone does not show that, so the "serial *= 3" reading is the author's inference.
0044A314 |. E8 EFD6FBFF call unpack.00407A08
0044A319 |. 8BF0 mov esi,eax
0044A31B |. 8B45 FC mov eax,[local.1]
0044A31E |. E8 5DD7FBFF call unpack.00407A80 ; this is where the serial's value is computed (returned in edx:eax)
0044A323 |. 52 push edx
0044A324 |. 50 push eax
0044A325 |. 8BC6 mov eax,esi
0044A327 |. 99 cdq ; sign-extend esi to edx:eax
0044A328 |. 030424 add eax,dword ptr ss:[esp] ; adds the computed value (low dword)
0044A32B |. 135424 04 adc edx,dword ptr ss:[esp+0x4] ; high dword with carry
0044A32F |. 83C4 08 add esp,0x8
0044A332 |. 52 push edx
0044A333 |. 50 push eax
0044A334 |. 8BC6 mov eax,esi
0044A336 |. 99 cdq
0044A337 |. 030424 add eax,dword ptr ss:[esp] ; same again, so the author reads this as computed serial *= 3
0044A33A |. 135424 04 adc edx,dword ptr ss:[esp+0x4]
0044A33E |. 83C4 08 add esp,0x8
在0044A31E进去:
; Wrapper around the parser at 004048F4: eax = string pointer on entry.
; Registers an SEH frame (fs:[0]), calls 004048F4 with edx -> [local.3] (error
; position), stores the 64-bit result in [local.2]/[local.1], and takes the
; error path when [local.3] != 0. The retn at 00407AEA consumes the address
; pushed at 00407ADD (00407AF2), so this is a try/finally exit; the epilogue
; that loads the result from [local.2]/[local.1] is not part of this excerpt.
; Shape resembles Delphi's StrToInt64 — presumably, not confirmed from this listing.
00407A80 /$ 55 push ebp
00407A81 |. 8BEC mov ebp,esp
00407A83 |. 83C4 E8 add esp,-0x18
00407A86 |. 53 push ebx
00407A87 |. 33D2 xor edx,edx
00407A89 |. 8955 F0 mov [local.4],edx ; local.4 zeroed; cleared again at 00407AE5 (string temp)
00407A8C |. 8BD8 mov ebx,eax ; ebx = input string
00407A8E |. 33C0 xor eax,eax
00407A90 |. 55 push ebp
00407A91 |. 68 EB7A4000 push unpack.00407AEB ; exception handler / finally entry
00407A96 |. 64:FF30 push dword ptr fs:[eax]
00407A99 |. 64:8920 mov dword ptr fs:[eax],esp ; install SEH frame
00407A9C |. 8D55 F4 lea edx,[local.3] ; edx -> error position output
00407A9F |. 8BC3 mov eax,ebx ; eax = string
00407AA1 |. E8 4ECEFFFF call unpack.004048F4 ; this is where the computation happens (string -> 64-bit value)
00407AA6 |. 8945 F8 mov [local.2],eax ; result low dword
00407AA9 |. 8955 FC mov [local.1],edx ; result high dword
00407AAC |. 837D F4 00 cmp [local.3],0x0 ; 0 = whole string consumed
00407AB0 |. 74 23 je Xunpack.00407AD5
00407AB2 |. 8D55 F0 lea edx,[local.4] ; error path: build a message in local.4
00407AB5 |. A1 7CBC4400 mov eax,dword ptr ds:[0x44BC7C]
00407ABA |. E8 2DD6FFFF call unpack.004050EC
00407ABF |. 8B45 F0 mov eax,[local.4]
00407AC2 |. 50 push eax
00407AC3 |. 895D E8 mov [local.6],ebx ; the input string as an argument record ...
00407AC6 |. C645 EC 0B mov byte ptr ss:[ebp-0x14],0xB ; ... tagged 0xB (presumably a Delphi TVarRec vtAnsiString — TODO confirm)
00407ACA |. 8D55 E8 lea edx,[local.6]
00407ACD |. 33C9 xor ecx,ecx
00407ACF |. 58 pop eax
00407AD0 |. E8 B7FCFFFF call unpack.0040778C ; presumably raises the conversion error — not confirmed here
00407AD5 |> 33C0 xor eax,eax
00407AD7 |. 5A pop edx
00407AD8 |. 59 pop ecx
00407AD9 |. 59 pop ecx
00407ADA |. 64:8910 mov dword ptr fs:[eax],edx ; restore previous SEH frame
00407ADD |. 68 F27A4000 push unpack.00407AF2 ; continuation after the finally block
00407AE2 |> 8D45 F0 lea eax,[local.4]
00407AE5 |. E8 72BDFFFF call unpack.0040385C ; release local.4
00407AEA \. C3 retn ; jumps to 00407AF2 pushed above
在00407AA1跟进去:
; String -> Int64 parser. Entry: eax = string (esi), edx = pointer to the error
; position output (saved at [esp]). Returns the value in edx:eax, taken from the
; 64-bit accumulator at [esp+0x8]/[esp+0xC]. The output at [esp] is set to 0 on
; success, or to the 1-based index (ebp) of the offending character; a nil string
; yields index 1 (0040491E).
; Locals: [esp+0x10] = negative flag ('-' seen); bl = 1 until a digit has been
; consumed, cleared after each digit. Leading 0x20 spaces are skipped; a '$'
; prefix, or '0' followed by a character that compares equal to 'X' after the
; call at 0040495E (presumably an upper-casing helper — TODO confirm), selects
; the hex loop at 00404974; otherwise the decimal loop at 00404A35 runs.
; Both loops range-check the accumulator before extending it (limit
; 0x0FFFFFFFFFFFFFFF before a shift by 4, 0x0CCCCCCCCCCCCCCC before the *10
; call), so oversized input produces an error index instead of wrapping.
; Overall shape matches the Delphi RTL's Val for Int64 — presumably, given L9
; says the binary is Delphi; not verified from this listing alone.
004048F4 /$ 53 push ebx
004048F5 |. 56 push esi
004048F6 |. 57 push edi
004048F7 |. 55 push ebp
004048F8 |. 83C4 EC add esp,-0x14 ; 0x14 bytes of locals
004048FB |. 891424 mov dword ptr ss:[esp],edx ; [esp] = error position output pointer
004048FE |. 8BF0 mov esi,eax ; esi = string
00404900 |. BD 01000000 mov ebp,0x1 ; ebp = 1-based character index
00404905 |. 33FF xor edi,edi ; edi = current digit value
00404907 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0 ; accumulator low
0040490F |. C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; accumulator high
00404917 |. 85F6 test esi,esi
00404919 |. 75 0B jnz Xunpack.00404926
0040491B |. 8B0424 mov eax,dword ptr ss:[esp]
0040491E |. 8928 mov dword ptr ds:[eax],ebp ; nil string: error position = 1
00404920 |. E9 E1010000 jmp unpack.00404B06
00404925 |> 45 /inc ebp
00404926 |> 807C2E FF 20 cmp byte ptr ds:[esi+ebp-0x1],0x20 ; skip leading spaces
0040492B |.^ 74 F8 \je Xunpack.00404925
0040492D |. C64424 10 00 mov byte ptr ss:[esp+0x10],0x0 ; negative flag = 0
00404932 |. 8A442E FF mov al,byte ptr ds:[esi+ebp-0x1]
00404936 |. 3C 2D cmp al,0x2D ; '-'
00404938 |. 75 08 jnz Xunpack.00404942
0040493A |. C64424 10 01 mov byte ptr ss:[esp+0x10],0x1 ; negative flag = 1
0040493F |. 45 inc ebp
00404940 |. EB 05 jmp Xunpack.00404947
00404942 |> 3C 2B cmp al,0x2B ; '+'
00404944 |. 75 01 jnz Xunpack.00404947
00404946 |. 45 inc ebp
00404947 |> B3 01 mov bl,0x1 ; no digit consumed yet
00404949 |. 807C2E FF 24 cmp byte ptr ds:[esi+ebp-0x1],0x24 ; '$' -> hex
0040494E |. 74 1B je Xunpack.0040496B
00404950 |. 807C2E FF 30 cmp byte ptr ds:[esi+ebp-0x1],0x30 ; '0' ...
00404955 |. 0F85 DA000000 jnz unpack.00404A35
0040495B |. 8A042E mov al,byte ptr ds:[esi+ebp] ; ... followed by
0040495E |. E8 99DEFFFF call unpack.004027FC ; presumably upper-cases al — TODO confirm
00404963 |. 3C 58 cmp al,0x58 ; 'X' -> hex ("0x" prefix)
00404965 |. 0F85 CA000000 jnz unpack.00404A35
0040496B |> 807C2E FF 30 cmp byte ptr ds:[esi+ebp-0x1],0x30
00404970 |. 75 01 jnz Xunpack.00404973
00404972 |. 45 inc ebp ; skip the '0' of "0x"
00404973 |> 45 inc ebp ; skip '$' or 'x'
00404974 |> 8A442E FF /mov al,byte ptr ds:[esi+ebp-0x1] ; hex loop
00404978 |. 8BD0 |mov edx,eax
0040497A |. 80C2 D0 |add dl,0xD0 ; Switch (cases FFFFFD61..FFFFFF39) ; dl = ch - '0'
0040497D |. 80EA 0A |sub dl,0xA
00404980 |. 72 12 |jb Xunpack.00404994 ; '0'..'9'
00404982 |. 80C2 F9 |add dl,0xF9 ; dl = ch - 'A'
00404985 |. 80EA 06 |sub dl,0x6
00404988 |. 72 17 |jb Xunpack.004049A1 ; 'A'..'F'
0040498A |. 80C2 E6 |add dl,0xE6 ; dl = ch - 'a'
0040498D |. 80EA 06 |sub dl,0x6
00404990 |. 72 1C |jb Xunpack.004049AE ; 'a'..'f'
00404992 |. EB 7A |jmp Xunpack.00404A0E ; anything else ends the hex loop
00404994 |> 8BF8 |mov edi,eax ; Cases FFFFFF30,FFFFFF31,FFFFFF32,FFFFFF33,FFFFFF34,FFFFFF35,FFFFFF36,FFFFFF37,FFFFFF38,FFFFFF39 of switch 0040497A
00404996 |. 81E7 FF000000 |and edi,0xFF
0040499C |. 83EF 30 |sub edi,0x30 ; digit = ch - '0'
0040499F |. EB 18 |jmp Xunpack.004049B9
004049A1 |> 8BF8 |mov edi,eax ; Cases FFFFFE41,FFFFFE42,FFFFFE43,FFFFFE44,FFFFFE45,FFFFFE46 of switch 0040497A
004049A3 |. 81E7 FF000000 |and edi,0xFF
004049A9 |. 83EF 37 |sub edi,0x37 ; digit = ch - 'A' + 10
004049AC |. EB 0B |jmp Xunpack.004049B9
004049AE |> 8BF8 |mov edi,eax ; Cases FFFFFD61,FFFFFD62,FFFFFD63,FFFFFD64,FFFFFD65,FFFFFD66 of switch 0040497A
004049B0 |. 81E7 FF000000 |and edi,0xFF
004049B6 |. 83EF 57 |sub edi,0x57 ; digit = ch - 'a' + 10
004049B9 |> 837C24 0C 00 |cmp dword ptr ss:[esp+0xC],0x0 ; range check: accumulator must be >= 0 ...
004049BE |. 75 09 |jnz Xunpack.004049C9
004049C0 |. 837C24 08 00 |cmp dword ptr ss:[esp+0x8],0x0
004049C5 |. 72 47 |jb Xunpack.00404A0E ; (unsigned below 0 never taken)
004049C7 |. EB 02 |jmp Xunpack.004049CB
004049C9 |> 7C 43 |jl Xunpack.00404A0E ; high dword negative -> error
004049CB |> 817C24 0C FFF>|cmp dword ptr ss:[esp+0xC],0xFFFFFFF ; ... and <= 0x0FFFFFFFFFFFFFFF before shifting left by 4
004049D3 |. 75 09 |jnz Xunpack.004049DE
004049D5 |. 837C24 08 FF |cmp dword ptr ss:[esp+0x8],-0x1
004049DA |. 76 04 |jbe Xunpack.004049E0
004049DC |. EB 30 |jmp Xunpack.00404A0E
004049DE |> 7F 2E |jg Xunpack.00404A0E ; too large -> error
004049E0 |> 8BC7 |mov eax,edi
004049E2 |. 99 |cdq ; edx:eax = digit
004049E3 |. 52 |push edx
004049E4 |. 50 |push eax
004049E5 |. 8B4424 10 |mov eax,dword ptr ss:[esp+0x10] ; accumulator low (esp moved by 8)
004049E9 |. 8B5424 14 |mov edx,dword ptr ss:[esp+0x14] ; accumulator high
004049ED |. 0FA4C2 04 |shld edx,eax,0x4 ; accumulator <<= 4 (64-bit)
004049F1 |. C1E0 04 |shl eax,0x4
004049F4 |. 030424 |add eax,dword ptr ss:[esp] ; + digit
004049F7 |. 135424 04 |adc edx,dword ptr ss:[esp+0x4]
004049FB |. 83C4 08 |add esp,0x8
004049FE |. 894424 08 |mov dword ptr ss:[esp+0x8],eax
00404A02 |. 895424 0C |mov dword ptr ss:[esp+0xC],edx
00404A06 |. 45 |inc ebp
00404A07 |. 33DB |xor ebx,ebx ; a digit was consumed
00404A09 |.^ E9 66FFFFFF \jmp unpack.00404974
00404A0E |> 807C24 10 00 cmp byte ptr ss:[esp+0x10],0x0 ; Default case of switch 0040497A ; hex done: negate if '-' was seen
00404A13 |. 0F84 D3000000 je unpack.00404AEC
00404A19 |. 8B4424 08 mov eax,dword ptr ss:[esp+0x8]
00404A1D |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00404A21 |. F7D8 neg eax ; 64-bit negate
00404A23 |. 83D2 00 adc edx,0x0
00404A26 |. F7DA neg edx
00404A28 |. 894424 08 mov dword ptr ss:[esp+0x8],eax
00404A2C |. 895424 0C mov dword ptr ss:[esp+0xC],edx
00404A30 |. E9 B7000000 jmp unpack.00404AEC ; hex path skips the sign check at 00404AC3
00404A35 |> 8A442E FF /mov al,byte ptr ds:[esi+ebp-0x1] ; the part above matters little; this decimal loop is the main part
00404A39 |. 8BD0 |mov edx,eax
00404A3B |. 80C2 D0 |add dl,0xD0 ; dl = ch - '0'
00404A3E |. 80EA 0A |sub dl,0xA
00404A41 |. 73 62 |jnb Xunpack.00404AA5 ; not '0'..'9' -> end of digits
00404A43 |. 8BF8 |mov edi,eax
00404A45 |. 81E7 FF000000 |and edi,0xFF ; 
00404A4B |. 83EF 30 |sub edi,0x30 ; converts the input character to its numeric value.
00404A4E |. 837C24 0C 00 |cmp dword ptr ss:[esp+0xC],0x0 ; range check: accumulator must be >= 0 ...
00404A53 |. 75 09 |jnz Xunpack.00404A5E
00404A55 |. 837C24 08 00 |cmp dword ptr ss:[esp+0x8],0x0
00404A5A |. 72 49 |jb Xunpack.00404AA5
00404A5C |. EB 02 |jmp Xunpack.00404A60
00404A5E |> 7C 45 |jl Xunpack.00404AA5
00404A60 |> 817C24 0C CCC>|cmp dword ptr ss:[esp+0xC],0xCCCCCCC ; ... and <= 0x0CCCCCCCCCCCCCCC before multiplying by 10
00404A68 |. 75 0C |jnz Xunpack.00404A76
00404A6A |. 817C24 08 CCC>|cmp dword ptr ss:[esp+0x8],0xCCCCCCCC
00404A72 |. 76 04 |jbe Xunpack.00404A78
00404A74 |. EB 2F |jmp Xunpack.00404AA5
00404A76 |> 7F 2D |jg Xunpack.00404AA5 ; too large -> stop here, error index follows
00404A78 |> 6A 00 |push 0x0 ; 64-bit constant 10 on the stack
00404A7A |. 6A 0A |push 0xA
00404A7C |. 8B4424 10 |mov eax,dword ptr ss:[esp+0x10] ; accumulator in edx:eax
00404A80 |. 8B5424 14 |mov edx,dword ptr ss:[esp+0x14]
00404A84 |. E8 F30E0000 |call unpack.0040597C ; this call multiplies the accumulated value by 0xA; on the first loop iteration it is 0
00404A89 |. 52 |push edx
00404A8A |. 50 |push eax
00404A8B |. 8BC7 |mov eax,edi
00404A8D |. 99 |cdq
00404A8E |. 030424 |add eax,dword ptr ss:[esp] ; adds the character's value (the result computed at 00404A4B) to the value returned by the call above
00404A91 |. 135424 04 |adc edx,dword ptr ss:[esp+0x4]
00404A95 |. 83C4 08 |add esp,0x8
00404A98 |. 894424 08 |mov dword ptr ss:[esp+0x8],eax
00404A9C |. 895424 0C |mov dword ptr ss:[esp+0xC],edx
00404AA0 |. 45 |inc ebp
00404AA1 |. 33DB |xor ebx,ebx ; a digit was consumed
00404AA3 |.^ EB 90 \jmp Xunpack.00404A35
00404AA5 |> 807C24 10 00 cmp byte ptr ss:[esp+0x10],0x0 ; decimal done: negate if '-' was seen
00404AAA |. 74 17 je Xunpack.00404AC3
00404AAC |. 8B4424 08 mov eax,dword ptr ss:[esp+0x8]
00404AB0 |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00404AB4 |. F7D8 neg eax
00404AB6 |. 83D2 00 adc edx,0x0
00404AB9 |. F7DA neg edx
00404ABB |. 894424 08 mov dword ptr ss:[esp+0x8],eax
00404ABF |. 895424 0C mov dword ptr ss:[esp+0xC],edx
00404AC3 |> 837C24 0C 00 cmp dword ptr ss:[esp+0xC],0x0 ; sign check: skip when the value is 0
00404AC8 |. 75 05 jnz Xunpack.00404ACF
00404ACA |. 837C24 08 00 cmp dword ptr ss:[esp+0x8],0x0
00404ACF |> 74 1B je Xunpack.00404AEC
00404AD1 |. 837C24 0C 00 cmp dword ptr ss:[esp+0xC],0x0
00404AD6 |. 75 0A jnz Xunpack.00404AE2
00404AD8 |. 837C24 08 00 cmp dword ptr ss:[esp+0x8],0x0
00404ADD |. 0F92C0 setb al ; al = (value < 0)
00404AE0 |. EB 03 jmp Xunpack.00404AE5
00404AE2 |> 0F9CC0 setl al
00404AE5 |> 3A4424 10 cmp al,byte ptr ss:[esp+0x10] ; sign must match the '-' flag
00404AE9 |. 74 01 je Xunpack.00404AEC
00404AEB |. 4D dec ebp ; mismatch (overflowed into the other sign): point at the last digit so the check below fails
00404AEC |> 807C2E FF 00 cmp byte ptr ds:[esi+ebp-0x1],0x0 ; must be at the terminator ...
00404AF1 |. 0F95C0 setne al
00404AF4 |. 0AD8 or bl,al ; ... and at least one digit consumed
00404AF6 |. 74 07 je Xunpack.00404AFF
00404AF8 |. 8B0424 mov eax,dword ptr ss:[esp]
00404AFB |. 8928 mov dword ptr ds:[eax],ebp ; error: position = ebp
00404AFD |. EB 07 jmp Xunpack.00404B06
00404AFF |> 8B0424 mov eax,dword ptr ss:[esp]
00404B02 |. 33D2 xor edx,edx
00404B04 |. 8910 mov dword ptr ds:[eax],edx ; success: position = 0
00404B06 |> 8B4424 08 mov eax,dword ptr ss:[esp+0x8] ; return value in edx:eax
00404B0A |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00404B0E |. 83C4 14 add esp,0x14
00404B11 |. 5D pop ebp
00404B12 |. 5F pop edi
00404B13 |. 5E pop esi
00404B14 |. 5B pop ebx
00404B15 \. C3 retn