逆向工程-第一次修改.exe

入门参考资料-《黑客反汇编揭秘》，实验环境WIN7+VS2010,源代码

#include "stdafx.h"#include<iostream>using namespace std;int _tmain(int argc, _TCHAR* argv[]){#pragma data_seg("knpc")char* password="dsadasd";#pragma data_seg()cout<<"please input the correct word\n";char *input_word;input_word=new char[strlen(password)+1];memset(input_word,0,strlen(password)+1);cin>>input_word;if(strcmp(input_word,password)==0){cout<<"graduations!\n";}else{cout<<"sorry\n";}while(1){;}return 0;}

生成release版本，较少的冗余信息。首先使用IDA工具，查看可能的密码

.text:00401046 add esp, 0Ch

.text:00401049 mov [esi+4], eax.

text:0040104C mov ecx, ds:__imp_?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A ; std::basic_istream<char,std::char_traits<char>> std::cin

.text:00401052 push esi ; _Str

.text:00401053 push ecx ; _Istr

.text:00401054 call ??$?5DU?$char_traits@D@std@@@std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@$$QAV10@PAD@Z

.text:00401059 add esp, 8

.text:0040105C mov eax, offset aDsadasd ; "dsadasd"

.text:00401061

.text:00401061 loc_401061: ; CODE XREF: _wmain+5Bj

.text:00401061 mov cl, [esi]

可以查出密码是"dsadasd"

.text:00401086 loc_401086:                             ; CODE XREF: _wmain+5Fj.text:00401086                 test    eax, eax.text:00401088                 jnz     short loc_4010A0.text:0040108A                 mov     edx, ds.text:00401090                 push    offset aGraduations ; "graduations!\n".text:00401095                 push    edx             ; _Ostr.text:00401096                 call    .text:0040109B                 add     esp, 8.text:0040109E                 jmp     short loc_4010B3.text:004010A0 ; ---------------------------------------------------------------------------.text:004010A0.text:004010A0 loc_4010A0:                             ; CODE XREF: _wmain+68j.text:004010A0                 mov     eax, ds.text:004010A5                 push    offset aSorry   ; "sorry\n".text:004010AA                 push    eax             ; _Ostr.text:004010AB                 call  .text:004010B0                 add     esp, 8.text:004010B3.text:004010B3 loc_4010B3:                             ; CODE XREF: _wmain+7Ej.text:004010B3                                         ; _wmain:loc_4010B3j

由上面可以看出，在.00401086开始的代码段中有"graduations!"和在.004010A0中有“sorry”字样，因而在test指令则是比较的输入字符和“dsadasd”，如果相同则输出graduations，不同则输出sorry，现在只消记录下该指令的地址“00401086”，然后使用hiew32demo.exe，进行修改即可。

HIEW32DEMO指令：F5是定位，F3是编辑，回车是确定，Esc是取消，F9是存盘。将test eax,eax更换成XOR eax,eax即可实现无论输入什么密码都可以自由进入