IDM OllyDbg (OD) notes
The registration info is stored in the registry: "AdvIntDriverEnabled2"=dword:00000001
"FName"="GG"
"LName"="LHY"
"Email"="123@163.COM"
"Serial"="22279-222Q7-222QJ-222QA"
To be continued...
20140509.1137
Restart, and the popup appears...
Search for every CMP ECX,17 instruction, find the start of each routine, and set breakpoints on all of them. After running, it breaks at:
004435F0|.8D7D 80 LEA EDI,DWORD PTR SS: ; (ASCII "22279-222Q7-222QJ-222QA")
004435F3|.83C9 FF OR ECX,FFFFFFFF
004435F6|.33C0 XOR EAX,EAX
004435F8|.F2:AE REPNE SCAS BYTE PTR ES:
004435FA|.F7D1 NOT ECX
004435FC|.49 DEC ECX
004435FD|.83F9 17 CMP ECX,17
00443600|.75 1C JNZ SHORT IDMan---.0044361E
00443602|.807D 85 2D CMP BYTE PTR SS:,2D
00443606|.75 16 JNZ SHORT IDMan---.0044361E
00443608|.807D 8B 2D CMP BYTE PTR SS:,2D
0044360C|.75 10 JNZ SHORT IDMan---.0044361E
0044360E|.807D 91 2D CMP BYTE PTR SS:,2D
00443612|.75 0A JNZ SHORT IDMan---.0044361E
00443614|.C705 A43E6900 0>MOV DWORD PTR DS:,0 ; local global??? seems not very meaningful
(some code omitted...)
00443E64|.E8 17F90A00 CALL IDMan---.004F3780
00443E69|.B8 03000000 MOV EAX,3 ; this should be changed to MOV EAX,0 !!!!!
00443E6E|.8B4D F4 MOV ECX,DWORD PTR SS:
00443E71|.64:890D 0000000>MOV DWORD PTR FS:,ECX
00443E78|.5F POP EDI
00443E79|.5E POP ESI
00443E7A|.5B POP EBX
00443E7B|.8BE5 MOV ESP,EBP
00443E7D|.5D POP EBP
00443E7E|.C3 RETN
Because further down you will see:
00443F7D|.49 DEC ECX
00443F7E|.83F9 17 CMP ECX,17
00443F81|.75 57 JNZ SHORT IDMan---.00443FDA
00443F83|.807D 85 2D CMP BYTE PTR SS:,2D
00443F87|.75 51 JNZ SHORT IDMan---.00443FDA
00443F89|.807D 8B 2D CMP BYTE PTR SS:,2D
00443F8D|.75 4B JNZ SHORT IDMan---.00443FDA
00443F8F|.807D 91 2D CMP BYTE PTR SS:,2D
00443F93|.75 45 JNZ SHORT IDMan---.00443FDA
00443F95|.A1 84E86B00 MOV EAX,DWORD PTR DS:
(some code omitted)
00443FC7|.33C0 XOR EAX,EAX ; EAX =0 !!!
00443FC9|.8B4D F4 MOV ECX,DWORD PTR SS:
00443FCC|.64:890D 0000000>MOV DWORD PTR FS:,ECX
00443FD3|.5F POP EDI
00443FD4|.5E POP ESI
00443FD5|.5B POP EBX
00443FD6|.8BE5 MOV ESP,EBP
00443FD8|.5D POP EBP
00443FD9|.C3 RETN
Summary: change MOV EAX,3 at 00443E69 to MOV EAX,0 !!!!!
Start the saved, patched program and the popup still appears... Carry on, same old method: CMP EAX,17, find the start of the routine, set a breakpoint.
It breaks at:
0044C150/$ 55 PUSH EBP ;2!!!!!
0044C151|.8BEC MOV EBP,ESP
0044C153|.6A FF PUSH -1
(some code omitted..)
0044C824|> /C745 E0 0400000>MOV DWORD PTR SS:,4
0044C82B|. |E9 B5010000 JMP IDMan---.0044C9E5
0044C830|> |8A45 90 MOV AL,BYTE PTR SS: ; the saved serial!
0044C833|. |84C0 TEST AL,AL
0044C835|. |74 47 JE SHORT IDMan---.0044C87E
(some code omitted.. again those same string comparisons against the serial~~~)
0044C97E|> \85C0 TEST EAX,EAX
0044C980|. /75 5A JNZ SHORT IDMan---.0044C9DC
0044C982|.8DBD 4CFFFFFF LEA EDI,DWORD PTR SS:
0044C988|.83C9 FF OR ECX,FFFFFFFF
0044C98B|.F2:AE REPNE SCAS BYTE PTR ES:
0044C98D|.F7D1 NOT ECX
0044C98F|.49 DEC ECX
0044C990|.^ 0F84 8EFEFFFF JE IDMan---.0044C824
0044C996|.8D7D 90 LEA EDI,DWORD PTR SS:
0044C999|.83C9 FF OR ECX,FFFFFFFF
0044C99C|.F2:AE REPNE SCAS BYTE PTR ES:
0044C99E|.F7D1 NOT ECX
0044C9A0|.49 DEC ECX
0044C9A1|.83F9 17 CMP ECX,17
0044C9A4|.^ 0F85 7AFEFFFF JNZ IDMan---.0044C824
0044C9AA|.8A4D 95 MOV CL,BYTE PTR SS:
0044C9AD|.B0 2D MOV AL,2D
0044C9AF|.3AC8 CMP CL,AL
0044C9B1|.^ 0F85 6DFEFFFF JNZ IDMan---.0044C824
0044C9B7|.3845 9B CMP BYTE PTR SS:,AL
0044C9BA|.^ 0F85 64FEFFFF JNZ IDMan---.0044C824
0044C9C0|.3845 A1 CMP BYTE PTR SS:,AL
0044C9C3|.^ 0F85 5BFEFFFF JNZ IDMan---.0044C824
0044C9C9|.33C0 XOR EAX,EAX ; guessing that zeroing EAX is the right choice~~~~
0044C9CB|.8B4D F4 MOV ECX,DWORD PTR SS:
0044C9CE|.64:890D 0000000>MOV DWORD PTR FS:,ECX
0044C9D5|.5F POP EDI
0044C9D6|.5E POP ESI
0044C9D7|.5B POP EBX
0044C9D8|.8BE5 MOV ESP,EBP
0044C9DA|.5D POP EBP
0044C9DB|.C3 RETN
0044C9DC|>895D E0 MOV DWORD PTR SS:,EBX ; careful from here on!!!
0044C9DF ^ 75 04 JE SHORT IDMan---.0044C9E5 ; try skipping SetTimer? Or jump to 0044CA52?
0044C9E1|>85C0 TEST EAX,EAX
0044C9E3|.74 6D JE SHORT IDMan---.0044CA52
0044C9E5|>6A 00 PUSH 0 ; below this there is SetTimer, and also ExitProcess
0044C9E7|.E8 8FBD1600 CALL IDMan---.005B877B
0044C9EC|.50 PUSH EAX
0044C9ED|.E8 DBCB1600 CALL IDMan---.005B95CD
0044C9F2|.83C4 08 ADD ESP,8
0044C9F5|.E8 E0CB1600 CALL IDMan---.005B95DA
0044C9FA|.8945 EC MOV DWORD PTR SS:,EAX
0044C9FD|.DB45 EC FILD DWORD PTR SS:
0044CA00|.DC0D 98C56000 FMUL QWORD PTR DS:
0044CA06|.E8 FDA91600 CALL IDMan---.005B7408
0044CA0B|.8B7D 08 MOV EDI,DWORD PTR SS:
0044CA0E|.BE E8030000 MOV ESI,3E8
0044CA13|.8B1D 98176000 MOV EBX,DWORD PTR DS:[<&USER32.SetT>;USER32.SetTimer
0044CA19|.2BF0 SUB ESI,EAX
0044CA1B|.8B4F 1C MOV ECX,DWORD PTR DS:
0044CA1E|.6A 00 PUSH 0 ; /Timerproc = NULL
0044CA20|.8D86 204E0000 LEA EAX,DWORD PTR DS: ; |
0044CA26|.C787 24020000 B>MOV DWORD PTR DS:,88B8 ; |
0044CA30|.50 PUSH EAX ; |Timeout
0044CA31|.6A 01 PUSH 1 ; |TimerID = 1
0044CA33|.51 PUSH ECX ; |hWnd
0044CA34|.FFD3 CALL EBX ; \SetTimer
0044CA36|.8A87 FC010000 MOV AL,BYTE PTR DS:
0044CA3C|.84C0 TEST AL,AL
0044CA3E|.75 26 JNZ SHORT IDMan---.0044CA66
0044CA40|.8B57 1C MOV EDX,DWORD PTR DS:
0044CA43|.6A 00 PUSH 0 ; /Timerproc = NULL
0044CA45|.56 PUSH ESI ; |Timeout
0044CA46|.6A 6F PUSH 6F ; |TimerID = 6F (111.)
0044CA48|.52 PUSH EDX ; |hWnd
0044CA49|.C687 FC010000 0>MOV BYTE PTR DS:,1 ; |
0044CA50|.FFD3 CALL EBX ; \SetTimer
0044CA52|>8B45 E0 MOV EAX,DWORD PTR SS:
0044CA55|.8B4D F4 MOV ECX,DWORD PTR SS:
0044CA58|.64:890D 0000000>MOV DWORD PTR FS:,ECX
0044CA5F|.5F POP EDI
0044CA60|.5E POP ESI
0044CA61|.5B POP EBX
0044CA62|.8BE5 MOV ESP,EBP
0044CA64|.5D POP EBP
0044CA65|.C3 RETN
0044CA66|>6A 00 PUSH 0 ; /ExitCode = 0
0044CA68\.FF15 74146000 CALL DWORD PTR DS:[<&KERNEL32.ExitP>; \ExitProcess
Summary: change 0044C9DF to JMP SHORT IDMan.0044C9C9 ; try skipping SetTimer?
OK...
It seems there are still CMP ECX,17 instructions that were never hit; I guess there is still another verification popup.....
To be continued...
Haha, the third spot has finally revealed itself... so it was this one!
I'll post it when I get back!
Thanks to brother 奔腾450 for the friendly testing!
2014.05.10 12.25
This morning, not long after turning on the computer, the popup finally appeared... haha
So, load it into OD again.....
While running, I noticed the saved serial frequently "has a chat" with the fixed string "506938841"~~~~, so I set breakpoints at every location where this string appears..
When clicking "Check for updates", the problem occurs at:
00450921 50 push eax
00450922 51 push ecx
00450923 8D55 0C lea edx,dword ptr ss:
00450926 68 7C546900 push IDMan.0069547C ; "%%s" /ch %ld /w %I64d
0045092B 52 push edx
0045092C C645 FC 0D mov byte ptr ss:,0xD
00450930 E8 53BA1700 call IDMan.005CC388
00450935 8BBB E8120000 mov edi,dword ptr ds:
0045093B 83C4 14 add esp,0x14
0045093E 47 inc edi
0045093F 33C0 xor eax,eax
00450941 89BB E8120000 mov dword ptr ds:,edi
00450947 8985 68FFFFFF mov dword ptr ss:,eax
0045094D 89B5 70FFFFFF mov dword ptr ss:,esi
00450953 66:89B5 6CFFFFF>mov word ptr ss:,si
0045095A 8B4D D4 mov ecx,dword ptr ss:
(Unfortunately I didn't note down where it broke in the first half at the time! {:sweat:}) until:
00450A75 56 push esi
00450A76 56 push esi
00450A77 6A 30 push 0x30
00450A79 6A 01 push 0x1
00450A7B 56 push esi
00450A7C 56 push esi
00450A7D 50 push eax
00450A7E 56 push esi
00450A7F FF15 78146000 call dword ptr ds:[<&KERNEL32.CreatePro>; KERNEL32.CreateProcessW
00450A85 3BC6 cmp eax,esi ; popup appears~~~
00450A87 74 18 je short IDMan.00450AA1
00450A89 8B95 38FEFFFF mov edx,dword ptr ss:
00450A8F 8B35 AC146000 mov esi,dword ptr ds:[<&KERNEL32.CloseH>; KERNEL32.CloseHandle
At
00450882 FF15 AC126000 call dword ptr ds:[<&KERNEL32.GetFileAt>; KERNEL32.GetFileAttributesW
00450888 83F8 FF cmp eax,-0x1
I looked at the stack; it seems to check whether the file "IDMGrHlp.exe" exists in the installation folder...
So I looked upward. Saw:
00450746 85F6 test esi,esi
00450748 0F84 28010000 je IDMan.00450876
0045074E B8 94546900 mov eax,IDMan.00695494 ; IDMGrHlp.exe
00450753 85C0 test eax,eax
00450755 0F84 1B010000 je IDMan.00450876
0045075B 33C0 xor eax,eax
0045075D 8D8D 50FFFFFF lea ecx,dword ptr ss:
00450763 50 push eax
00450764 52 push edx
00450765 8985 50FFFFFF mov dword ptr ss:,eax
0045076B 8985 58FFFFFF mov dword ptr ss:,eax
00450771 66:8985 54FFFFFF mov word ptr ss:,ax
00450778 E8 1321FBFF call IDMan.00402890
0045077D 56 push esi
0045077E 8D8D 40FFFFFF lea ecx,dword ptr ss:
00450784 C645 FC 0A mov byte ptr ss:,0xA
00450788 E8 B3CFFBFF call IDMan.0040D740
0045078D 68 94546900 push IDMan.00695494 ; IDMGrHlp.exe
00450792 8D8D 78FFFFFF lea ecx,dword ptr ss:
Combined with the line just above the earlier popup:
00450A7F FF15 78146000 call dword ptr ds:[<&KERNEL32.CreatePro>; KERNEL32.CreateProcessW
I guess this "IDMGrHlp.exe" is secretly doing the dirty work!!!
So I looked around to see whether there is a way to skip this "CreateProcessW".
Good, found a line:
0045088B /0F84 2B020000 je IDMan.00450ABC ; ??? change to:
0045088B /E9 2C020000 jmp IDMan.00450ABC ; in theory this forcibly skips the CreateProcess.........., heh~~~
Later I'll NOP out this JE for comparison~~~ and see how the test goes~~~
So far, no popup. Attaching the KO'd program; hope everyone helps test it....... Thanks!
⊙﹏⊙b Sweat, it says the attachment exceeds the server's size limit... Forget it, I'll throw it in the PDG group
Very helpful!!!!
cjteam posted on 2014-5-9 20:21: Has the new version gotten harder? My post should be a fairly complete crack, just with more modifications
{:handshake:}
From what I can see so far, after modifying these 3 spots, no popup has appeared yet~~~
Thanks G, hehe, finally got to see it {:soso_e102:}
Came in to pay my respects, thanks for sharing...
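The three listings at the top of the post repeat one x86 idiom: OR ECX,-1 / XOR EAX,EAX / REPNE SCASB / NOT ECX / DEC ECX computes strlen of the buffer in EDI, CMP ECX,17 compares it with 23, and three CMP BYTE PTR ...,2D tests check for '-' at fixed offsets. The offsets are recoverable from the opcode bytes even though the extraction dropped the operands: 8D7D 80 is LEA EDI,[EBP-80], and 807D 85 2D / 807D 8B 2D / 807D 91 2D are compares at [EBP-7B], [EBP-75] and [EBP-6F], i.e. offsets 5, 0xB and 0x11 into that buffer. The Python below is an added example written for this page, not code from the post or from IDM; it emulates that idiom so the listing can be read without a debugger. It only models the surface format test visible on the page (length and dash positions); whatever real licence verification follows is not on the page and is not modelled. The sample inputs are constructed, the first one being the serial from the registry dump above.

```python
"""Model of the serial-format check seen in the IDMan listings above.

Added example (not code from the page or from IDM). It reproduces what the
REPNE SCASB strlen idiom and the CMP BYTE PTR ...,2D tests compute, nothing
more: the real verification that follows in IDM is not on the page.
"""

SERIAL_EXPECTED_LEN = 0x17          # CMP ECX,17  -> 23 characters
DASH_OFFSETS = (0x05, 0x0B, 0x11)   # [EBP-7B], [EBP-75], [EBP-6F] relative to [EBP-80]
DASH = 0x2D                         # ASCII '-'


def scasb_strlen(buf: bytes) -> int:
    """Emulate OR ECX,-1 / XOR EAX,EAX / REPNE SCASB / NOT ECX / DEC ECX.

    ECX starts at 0xFFFFFFFF and is decremented once per byte scanned,
    including the terminating NUL; NOT ECX then yields the number of bytes
    scanned and DEC ECX drops the NUL, giving the C strlen of the buffer.
    """
    ecx = 0xFFFFFFFF
    for b in buf:
        ecx = (ecx - 1) & 0xFFFFFFFF   # REP prefix decrements ECX per iteration
        if b == 0:                     # REPNE stops once AL (0) matches
            break
    else:
        raise ValueError("buffer is not NUL-terminated")
    ecx = (~ecx) & 0xFFFFFFFF          # NOT ECX
    return (ecx - 1) & 0xFFFFFFFF      # DEC ECX


def serial_format_ok(serial: str) -> bool:
    """True when the string would pass the length and dash checks in the listing."""
    buf = serial.encode("ascii", errors="replace") + b"\0"
    if scasb_strlen(buf) != SERIAL_EXPECTED_LEN:
        return False                   # JNZ to the failure label
    # CMP BYTE PTR [EBP-7B],2D and friends: a '-' at offsets 5, 0xB and 0x11
    return all(buf[off] == DASH for off in DASH_OFFSETS)


if __name__ == "__main__":
    # constructed sample inputs; the first is the serial from the registry dump on the page
    for s in ("22279-222Q7-222QJ-222QA",   # 23 chars, dashes in the right places
              "22279-222Q7-222QJ-222Q",    # one character short
              "22279x222Q7-222QJ-222QA"):  # right length, first dash missing
        print(f"{s!r}: {serial_format_ok(s)}")
```

The -0x80 buffer base and the -0x7B/-0x75/-0x6F displacements come straight from the listed opcode bytes, which is why the dash positions can be stated even though OllyDbg's operand text was lost in the page extraction; the later checks at 0044C9AA onward use a different frame slot ([EBP-70] via 8D7D 90 and 8A4D 95) but the same offsets 5, 0xB, 0x11.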