Setting API breakpoints in OD (OllyDbg) to debug a program

Source: Internet  Published: nestopia mac 连发  Editor: 程序博客网  Time: 2024/06/05 17:09

Let's first look at the C++ source. For a dialog like this one we can generally guess that the program first obtains the edit box's handle, then reads the box's contents through that handle, and then compares them against the expected value.


So GetDlgItem() and GetWindowTextA are the functions to watch. The C++ source looks like this:

void CCrackMeDlg::OnBnClickedOk()
{
    // TODO: add the control notification handler code here
    CString con;
    // Fetch the edit box by its control ID and read its text into con
    GetDlgItem(IDC_EDIT1)->GetWindowTextW(con);
    // CString::operator== does the comparison against the hard-coded password
    if (con == L"123456")
    {
        MessageBox(L"Congratulations, cracked successfully", L"Notice", 0);
    }
    else
    {
        MessageBox(L"Oops, wrong again", 0, 0);
    }
}

Open the program in OD, press Ctrl+G to go to GetDlgItem and set a breakpoint there, then type dsaadq121 into the edit box and click the button; execution breaks inside GetDlgItem.

As follows:

75C642BB > 6A 0C            PUSH 0C
75C642BD   68 1043C675      PUSH USER32.75C64310
75C642C2   E8 5981FEFF      CALL USER32.75C4C420
75C642C7   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
75C642CA   E8 4182FEFF      CALL USER32.75C4C510
75C642CF   85C0             TEST EAX,EAX
75C642D1   74 30            JE SHORT USER32.75C64303
75C642D3   8365 FC 00       AND DWORD PTR SS:[EBP-4],0
75C642D7   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
75C642DA   50               PUSH EAX
75C642DB   E8 41FCFFFF      CALL USER32.75C63F21
75C642E0   85C0             TEST EAX,EAX
75C642E2  ^0F85 2DFCFFFF    JNZ USER32.75C63F15
75C642E8   8945 E4          MOV DWORD PTR SS:[EBP-1C],EAX
75C642EB   85C0             TEST EAX,EAX
75C642ED   75 0A            JNZ SHORT USER32.75C642F9
75C642EF   68 8D050000      PUSH 58D
75C642F4   E8 0A86FDFF      CALL USER32.75C3C903
75C642F9   C745 FC FEFFFFFF MOV DWORD PTR SS:[EBP-4],-2
75C64300   8B45 E4          MOV EAX,DWORD PTR SS:[EBP-1C]
75C64303   E8 6881FEFF      CALL USER32.75C4C470
75C64308   C2 0800          RETN 8
It breaks on the first line. From there, keep pressing F8, or press Alt+F9 directly, or use Alt+M and set an access breakpoint on the debugged program's .text section; any of these runs until execution returns to CrackMe's own code, where you can inspect the handler behind the button:

011117D8  |. 8BCE           MOV ECX,ESI
011117DA  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
011117E1  |. FF15 58311101  CALL DWORD PTR DS:[<&mfc100u.#4805>]     ; GetDlgItem
011117E7  |. 8BC8           MOV ECX,EAX                              ; look at the contents of 0024F094 here
011117E9  |. FF15 54311101  CALL DWORD PTR DS:[<&mfc100u.#7006>]     ; GetWindowTextA
011117EF  |. 68 98371101    PUSH OFFSET CrackMe.??_C@_1O@ODDLNOLO@?$>; UNICODE "123456" // the password
011117F4  |. 8D4D F0        LEA ECX,DWORD PTR SS:[EBP-10]
011117F7  |. FF15 5C311101  CALL DWORD PTR DS:[<&mfc100u.#2614>]     ; CString's overloaded == operator
011117FD  |. 6A 00          PUSH 0
011117FF  |. 8BCE           MOV ECX,ESI
01111801  |. 85C0           TEST EAX,EAX                             ; the result of the equality test is in EAX
01111803  |. 75 0C          JNZ SHORT CrackMe.01111811               ; not equal, i.e. the wrong-password handling is at 01111811
01111805  |. 68 A8371101    PUSH OFFSET CrackMe.??_C@_15EGCHAEPE@c?P>
0111180A  |. 68 B0371101    PUSH OFFSET CrackMe.??_C@_1BA@PFFMMFML@?>
0111180F  |. EB 07          JMP SHORT CrackMe.01111818
01111811  |> 6A 00          PUSH 0
01111813  |. 68 C0371101    PUSH OFFSET CrackMe.??_C@_1O@HBCGHOGJ@T?>
01111818  |> FF15 60311101  CALL DWORD PTR DS:[<&mfc100u.#7911>]     ; mfc100u.59F7C711
0111181E  |. 8D4D F0        LEA ECX,DWORD PTR SS:[EBP-10]
01111821  |. FF15 14331101  CALL DWORD PTR DS:[<&mfc100u.#902>]      ; mfc100u.59DA0BEE
01111827  |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
0111182A  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
01111831  |. 59             POP ECX
01111832  |. 5E             POP ESI
01111833  |. 8BE5           MOV ESP,EBP
01111835  |. 5D             POP EBP
01111836  \. C3             RETN
01111837     CC             INT3

At this point all that is left is to change

01111803  |. 75 0C          JNZ SHORT CrackMe.01111811               ; not equal, i.e. the wrong-password handling is at 01111811

into NOP, and the crack is done.
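Two things in the listing above are worth making concrete: how OD turns the bytes 75 0C into the target 01111811, and what the two-byte patch looks like to a program that checks its own code. The Python below is an added example, not code from the original post; it works on a byte string constructed from the opcode column of the listing (01111801 to 01111818), uses the standard x86 encodings of short jumps (opcodes 70-7F and EB with a signed rel8) and of NOP (0x90), and stands in for the kind of integrity check a self-checking build would run over its code section. The function and variable names are the example's own.

```python
import hashlib
import hmac

# Constructed sample (not from the original post): the decision sequence from
# the listing above, starting at 01111801. The opcode bytes are copied from the
# listing's second column.
BASE = 0x01111801
CODE = bytes.fromhex(
    "85C0"          # 01111801  TEST EAX,EAX
    "750C"          # 01111803  JNZ SHORT 01111811  (wrong-password path)
    "68A8371101"    # 01111805  PUSH OFFSET ...     (success strings)
    "68B0371101"    # 0111180A  PUSH OFFSET ...
    "EB07"          # 0111180F  JMP SHORT 01111818
    "6A00"          # 01111811  PUSH 0
    "68C0371101"    # 01111813  PUSH OFFSET ...     (failure string)
)
JNZ_OFFSET = 0x01111803 - BASE   # offset of the JNZ inside CODE (2)


def short_jump_target(code, base, offset):
    """Decode a 2-byte short jump (Jcc rel8, opcodes 70-7F, or JMP rel8, EB) at
    `offset` and return its absolute target: address of the next instruction
    plus the sign-extended rel8. This is how OD derives 01111811 from 75 0C."""
    opcode, rel8 = code[offset], code[offset + 1]
    if not (0x70 <= opcode <= 0x7F or opcode == 0xEB):
        raise ValueError("no short jump at %08X" % (base + offset))
    if rel8 >= 0x80:          # rel8 is signed; backward jumps have the top bit set
        rel8 -= 0x100
    return base + offset + 2 + rel8


def nop_out_short_jump(code, offset):
    """Build the tampered copy the post describes: the 2-byte conditional jump
    is overwritten with two single-byte NOPs (0x90), so execution always falls
    through into the success path whatever the comparison returned."""
    short_jump_target(code, 0, offset)        # refuse if offset is not a short jump
    return code[:offset] + b"\x90\x90" + code[offset + 2:]


def code_digest(code):
    """Digest a self-checking build would record over its code at build time."""
    return hashlib.sha256(code).hexdigest()


def integrity_check(code, expected_digest):
    """Runtime check: do the live code bytes still match the recorded digest?
    Any byte-level patch, including the one above, makes this return False."""
    return hmac.compare_digest(code_digest(code), expected_digest)


if __name__ == "__main__":
    print("JNZ target: %08X" % short_jump_target(CODE, BASE, JNZ_OFFSET))
    good = code_digest(CODE)
    patched = nop_out_short_jump(CODE, JNZ_OFFSET)
    print("original passes integrity check:", integrity_check(CODE, good))
    print("patched passes integrity check: ", integrity_check(patched, good))
```

The first function reproduces the arithmetic behind OD's listing: 01111803 + 2 + 0C = 01111811, and likewise 0111180F + 2 + 07 = 01111818 for the JMP. The last two functions show why this CrackMe is weak from the defender's side: the whole decision rests on one branch whose bytes sit unprotected in the file, so a digest over the code region, compared at run time, is the minimal check that would notice the NOP patch; a build that never hashed its code has no way to tell the tampered copy from the original.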
