A self-check (自校验) problem
After finding the IP in this program I patched it successfully, but once it has run for a little while it closes by itself. Could an expert please advise why this happens, and whether something went wrong in my patching that causes it to close? Below are the two files from after my patching; please take a look.

The program closes after it has started running: it can be opened and entered, but as soon as you are inside it shuts itself down. What kind of breakpoint is suitable for a program like this? I set a BP CreateFileA breakpoint, and it does break, but when I press Alt+F9 to return to the program's own code and look up and down, I cannot find the place where it does the check. This file was only 200-some KB before unpacking and over 1 MB afterwards; judging from that I went looking for the address where the file size is checked, but I could not find it no matter how hard I searched, even after stepping through the whole program.
The file only closes by itself after it is running; it does run, but closes partway through. I hope an expert can give me some pointers.
http://www.fs2you.com/files/016f63e3-15c3-11dd-a583-0014221f4662/
I set a breakpoint on the exit function, but it does not catch the program; it just runs on by itself.
00401000 未>/$E8 06000000 CALL 未破.0040100B
00401005 |.50 PUSH EAX ; /ExitCode
00401006 \.E8 BB010000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
0040100B /$55 PUSH EBP
0040100C |.8BEC MOV EBP,ESP
0040100E |.81C4 F0FEFFFF ADD ESP,-110
00401014 |.E9 83000000 JMP 未破.0040109C
00401019 |.6B 72 6E 6C 6E 2E>ASCII "krnln.fnr",0
00401023 |.6B 72 6E 6C 6E 2E>ASCII "krnln.fne",0
0040102D |.47 65 74 4E 65 77>ASCII "GetNewSock",0
00401038 |.53 6F 66 74 77 61>ASCII "Software\FlySky\"
00401048 |.45 5C 49 6E 73 74>ASCII "E\Install",0
00401052 |.50 61 74 68 00 ASCII "Path",0
00401057 |.4E 6F 74 20 66 6F>ASCII "Not found the ke"
00401067 |.72 6E 65 6C 20 6C>ASCII "rnel library or "
00401077 |.74 68 65 20 6B 65>ASCII "the kernel libra"
00401087 |.72 79 20 69 73 20>ASCII "ry is invalid!",0
00401096 |.45 72 72 6F 72 00>ASCII "Error",0
0040109C |>8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
004010A2 |.50 PUSH EAX
004010A3 |.E8 44010000 CALL 未破.004011EC
004010A8 |.68 19104000 PUSH 未破.00401019 ; /StringToAdd = "krnln.fnr"
004010AD |.8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
004010B3 |.50 PUSH EAX ; |ConcatString
004010B4 |.E8 25010000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
004010B9 |.50 PUSH EAX ; /FileName
004010BA |.E8 19010000 CALL <JMP.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
004010BF |.85C0 TEST EAX,EAX
004010C1 |.0F85 9E000000 JNZ 未破.00401165
004010C7 |.8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
004010CD |.50 PUSH EAX ; /pHandle
004010CE |.68 19000200 PUSH 20019 ; |Access = KEY_READ
004010D3 |.6A 00 PUSH 0 ; |Reserved = 0
004010D5 |.68 38104000 PUSH 未破.00401038 ; |Subkey = "Software\FlySky\E\Install"
004010DA |.68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
004010DF |.E8 36010000 CALL <JMP.&ADVAPI32.RegOpenKeyExA> ; \RegOpenKeyExA
004010E4 |.83F8 00 CMP EAX,0
004010E7 |.0F85 B8000000 JNZ 未破.004011A5
004010ED |.C785 F0FEFFFF 030>MOV DWORD PTR SS:[EBP-110],103
004010F7 |.8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004010FD |.50 PUSH EAX ; /pBufSize
004010FE |.8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
00401104 |.50 PUSH EAX ; |Buffer
00401105 |.6A 00 PUSH 0 ; |pValueType = NULL
00401107 |.6A 00 PUSH 0 ; |Reserved = NULL
00401109 |.68 52104000 PUSH 未破.00401052 ; |ValueName = "Path"
0040110E |.FFB5 F4FEFFFF PUSH DWORD PTR SS:[EBP-10C] ; |hKey
00401114 |.E8 07010000 CALL <JMP.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
00401119 |.50 PUSH EAX
0040111A |.FFB5 F4FEFFFF PUSH DWORD PTR SS:[EBP-10C] ; /hKey
00401120 |.E8 EF000000 CALL <JMP.&ADVAPI32.RegCloseKey> ; \RegCloseKey
00401125 |.58 POP EAX
00401126 |.83F8 00 CMP EAX,0
00401129 |.75 7A JNZ SHORT 未破.004011A5
0040112B |.8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00401131 |.50 PUSH EAX ; /String
00401132 |.E8 AD000000 CALL <JMP.&KERNEL32.lstrlenA> ; \lstrlenA
00401137 |.8D9D FCFEFFFF LEA EBX,DWORD PTR SS:[EBP-104]
0040113D |.03D8 ADD EBX,EAX
0040113F |.4B DEC EBX
00401140 |.803B 5C CMP BYTE PTR DS:[EBX],5C
00401143 |.74 05 JE SHORT 未破.0040114A
00401145 |.66:C703 5C00 MOV WORD PTR DS:[EBX],5C
0040114A |>68 23104000 PUSH 未破.00401023 ; /StringToAdd = "krnln.fne"
0040114F |.8D85 FCFEFFFF LEA EAX,DWORD PTR SS: ; |
00401155 |.50 PUSH EAX ; |ConcatString
00401156 |.E8 83000000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
0040115B |.50 PUSH EAX ; /FileName
0040115C |.E8 77000000 CALL <JMP.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
00401161 |.85C0 TEST EAX,EAX
00401163 |.74 40 JE SHORT 未破.004011A5
00401165 |>8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0040116B |.68 2D104000 PUSH 未破.0040102D ; /ProcNameOrOrdinal = "GetNewSock"
00401170 |.50 PUSH EAX ; |hModule
00401171 |.E8 5C000000 CALL <JMP.&KERNEL32.GetProcAddress> ; \GetProcAddress
00401176 |.85C0 TEST EAX,EAX
00401178 |.74 20 JE SHORT 未破.0040119A
0040117A |.68 E8030000 PUSH 3E8
0040117F |.FFD0 CALL EAX
00401181 |.85C0 TEST EAX,EAX
00401183 |.74 15 JE SHORT 未破.0040119A
00401185 |.E8 00000000 CALL 未破.0040118A
0040118A |$810424 761E0000 ADD DWORD PTR SS:[ESP],1E76
00401191 |.FFD0 CALL EAX
00401193 |.6A 00 PUSH 0 ; /ExitCode = 0
00401195 |.E8 2C000000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
0040119A |>FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] ; /hLibModule
004011A0 |.E8 27000000 CALL <JMP.&KERNEL32.FreeLibrary> ; \FreeLibrary
004011A5 |>6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011A7 |.68 96104000 PUSH 未破.00401096 ; |Title = "Error"
004011AC |.68 57104000 PUSH 未破.00401057 ; |Text = "Not found the kernel library or the kernel library is invalid!"
004011B1 |.6A 00 PUSH 0 ; |hOwner = NULL
004011B3 |.E8 08000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004011B8 |.B8 FFFFFFFF MOV EAX,-1
004011BD |.C9 LEAVE
004011BE \.C3 RETN
004011BF CC INT3
004011C0 $- FF25 30204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ;USER32.MessageBoxA
004011C6 .- FF25 1C204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>] ;kernel32.ExitProcess
004011CC $- FF25 10204000 JMP DWORD PTR DS:[<&KERNEL32.FreeLibrary>] ;kernel32.FreeLibrary
004011D2 $- FF25 24204000 JMP DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ;kernel32.GetProcAddress
004011D8 $- FF25 20204000 JMP DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ;kernel32.LoadLibraryA
004011DE $- FF25 14204000 JMP DWORD PTR DS:[<&KERNEL32.lstrcatA>] ;kernel32.lstrcatA
004011E4 $- FF25 28204000 JMP DWORD PTR DS:[<&KERNEL32.lstrlenA>] ;kernel32.lstrlenA
004011EA CC INT3
004011EB CC INT3
004011EC /$55 PUSH EBP
004011ED |.8BEC MOV EBP,ESP
004011EF |.68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004011F4 |.FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |PathBuffer
004011F7 |.6A 00 PUSH 0 ; |hModule = NULL
004011F9 |.E8 28000000 CALL <JMP.&KERNEL32.GetModuleFileNameA> ; \GetModuleFileNameA
004011FE |.8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00401201 |.8D4C08 FA LEA ECX,DWORD PTR DS:[EAX+ECX-6]
00401205 |>8A01 MOV AL,BYTE PTR DS:[ECX]
00401207 |.49 DEC ECX
00401208 |.3C 5C CMP AL,5C
0040120A |.^ 75 F9 JNZ SHORT 未破.00401205
0040120C |.C641 02 00 MOV BYTE PTR DS:[ECX+2],0
00401210 |.C9 LEAVE
00401211 \.C2 0400 RETN 4
00401214 $- FF25 04204000 JMP DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ;ADVAPI32.RegCloseKey
0040121A $- FF25 08204000 JMP DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExA>] ;ADVAPI32.RegOpenKeyExA
00401220 $- FF25 00204000 JMP DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>] ;ADVAPI32.RegQueryValueExA
00401226 $- FF25 18204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleFileNameA>];kernel32.GetModuleFileNameA
[ This post was last edited by 小生我怕怕 on 2008-4-30 03:09 ]

Could a passing expert please advise?

Software usually exits by calling ExitProcess, PostQuitMessage and the like; try breaking on those and see.

Thanks. It is a self-check problem, really puzzling: first a tough packer, then a gateway, and now a self-check.

Could some expert tell me whether it might be doing the self-check through the files bundled alongside it?

Why is no expert answering?

bp GetFileSize; open two copies of OD and step with F8 side by side to compare.

I tried that, with two copies: one unpacked and patched, the other only unpacked, not patched. Running through, they are identical the whole way.

Is there really no expert who can help take a look?

Still no expert to advise?
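For readers following the listing, this is the stub's library-resolution flow (0040109C through 004011A5) rewritten in C; it is an added example, not code from the thread or from the E runtime, and `fake_load` is a constructed stand-in for LoadLibraryA so it runs offline. Two things the listing shows and the code reproduces: the registry fallback overwrites the path's last character with '\' when it lacks a trailing one, and the original does all its concatenation into one unbounded stack buffer, which the added `cap` parameter bounds here.

```c
#include <stdio.h>
#include <string.h>
/* Helper at 004011EC: GetModuleFileNameA fills `path`; the stub then walks
 * back from 6 bytes before the end to the last '\' and cuts just after it. */
static void strip_to_directory(char *path)
{
    size_t len = strlen(path);            /* EAX = GetModuleFileNameA's return */
    if (len < 6) return;                  /* added guard; the stub has none */
    char *p = path + len - 6;             /* LEA ECX,[EAX+ECX-6] */
    for (;;) {
        char c = *p;                      /* MOV AL,BYTE PTR [ECX] */
        p--;                              /* DEC ECX runs before the compare */
        if (c == '\\') break;             /* CMP AL,5C / JNZ loop */
        if (p < path) return;             /* added guard; the stub's loop has no bound */
    }
    p[2] = '\0';                          /* MOV BYTE PTR [ECX+2],0 */
}
/* 0040112B-00401156: EBX = buf + lstrlenA(buf) - 1 is the LAST character; if it
 * is not '\', MOV WORD PTR [EBX],5C overwrites it with '\' (no append), then lstrcatA. */
static void append_fallback_name(char *buf, size_t cap)
{
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] != '\\') {
        buf[len - 1] = '\\';
        buf[len] = '\0';
    }
    strncat(buf, "krnln.fne", cap - strlen(buf) - 1);
}
/* Constructed stand-in for LoadLibraryA: only these two made-up paths "load". */
static int fake_load(const char *p)
{
    return strcmp(p, "C:\\app\\krnln.fnr") == 0 ||
           strcmp(p, "D:\\tools\\E\\krnln.fne") == 0;
}
/* Flow from 0040109C: <exe dir>krnln.fnr first; if it fails to load, read
 * HKCU\Software\FlySky\E\Install\Path (reg_path; NULL = key absent) and try
 * <path>krnln.fne. Returns 1 with the path in `out`, else 0 (the stub then
 * shows "Not found the kernel library ..." via MessageBoxA and returns -1). */
static int resolve_kernel(const char *module_path, const char *reg_path,
                          char *out, size_t cap)
{
    snprintf(out, cap, "%s", module_path);        /* GetModuleFileNameA */
    strip_to_directory(out);
    strncat(out, "krnln.fnr", cap - strlen(out) - 1);
    if (fake_load(out)) return 1;                 /* JNZ 00401165: on to GetNewSock */
    if (reg_path == NULL) return 0;               /* RegOpenKeyExA failed: 004011A5 */
    snprintf(out, cap, "%s", reg_path);           /* RegQueryValueExA "Path" */
    append_fallback_name(out, cap);
    return fake_load(out) ? 1 : 0;                /* JE 004011A5 when it fails */
}
```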