A question about a CrackMe
This post was last edited by wgz001 on 2015-12-3 10:59. I happened to come across a CM with two levels, so I downloaded it to learn from, and ended up a bit bruised. See the attachment.
Load it directly in OD, Ctrl+G to 00401000 and search for strings; there is a "You passed level1!". Double-click it to get to the code and set a breakpoint:
00401B6C E8 275F0000 call <jmp.&msvcrt.strcmp> // set the breakpoint here
00401B71 85C0 test eax,eax
00401B73 75 18 jnz short rev200.00401B8D
00401B75 C70424 26914000 mov dword ptr ss:[esp],rev200.00409126 ; You passed level1!
00401B7C E8 0F5F0000 call <jmp.&msvcrt.puts>
00401B81 C70424 00000000 mov dword ptr ss:[esp],0x0
00401B88 E8 5DFAFFFF call rev200.004015EA
Enter the fake code 123456 and run; it breaks as expected. Looking at the stack window at this point, the real code shows up:
0022FD80 0022FD91|s1 = "123456"
0022FD84 0022FDA5\s2 = "r0b0RUlez!"
Start over and enter the real code; level 1 passes. But the next level has a problem. Look at the code below:
00401614 E8 00000000 call rev200.00401619
00401619 58 pop eax ; 0022FE05
0040161A A3 A8AD4000 mov dword ptr ds:[0x40ADA8],eax
0040161F CC int3 // there is an exception here; single-stepping onto it enters the exception handler
00401620 B8 00000000 mov eax,0x0
00401625 C9 leave
After entering the exception, with a combination of F7 and F8 you get here:
7C96261A FF76 08 push dword ptr ds:[esi+0x8]
7C96261D E8 E30DFDFF call ntdll.RtlDecodePointer
7C962622 8D4D F8 lea ecx,dword ptr ss:[ebp-0x8]
7C962625 51 push ecx
7C962626 FFD0 call eax ; rev200.0040157F // from here you can get back into the program's own code space
7C962628 83F8 FF cmp eax,-0x1
7C96262B 74 1A je short ntdll.7C962647
7C96262D 8B36 mov esi,dword ptr ds:[esi] ; ntdll.7C99B3C0
Tsk tsk.
0040157F 55 push ebp
00401580 89E5 mov ebp,esp
00401582 83EC 38 sub esp,0x38
00401585 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00401588 8B40 04 mov eax,dword ptr ds:[eax+0x4]
0040158B 8B80 B8000000 mov eax,dword ptr ds:[eax+0xB8]
00401591 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; rev200.0040157F
00401594 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
00401597 8B15 A8AD4000 mov edx,dword ptr ds:[0x40ADA8] ; rev200.00401619
The part below is the key:
004015B2 E8 D1640000 call <jmp.&msvcrt.scanf>
004015B7 A1 98AD4000 mov eax,dword ptr ds:[0x40AD98]
004015BC 894424 04 mov dword ptr ss:[esp+0x4],eax ; rev200.0040157F
004015C0 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
004015C3 890424 mov dword ptr ss:[esp],eax ; rev200.0040157F
004015C6 E8 7CFFFFFF call rev200.00401547 // the comparison is here, F7 into it
004015CB 85C0 test eax,eax ; rev200.0040157F
004015CD 75 0D jnz short rev200.004015DC
004015CF A1 A4AD4000 mov eax,dword ptr ds:[0x40ADA4] ; 洱"
004015D4 890424 mov dword ptr ss:[esp],eax ; rev200.0040157F
004015D7 E8 B4640000 call <jmp.&msvcrt.puts>
004015DC C70424 00000000 mov dword ptr ss:[esp],0x0
004015E3 A1 48B14000 mov eax,dword ptr ds:[<&KERNEL32.ExitProcess>]
The comparison process:
00401547 55 push ebp
00401548 89E5 mov ebp,esp
0040154A EB 22 jmp short rev200.0040156E
0040154C 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0040154F 0FB610 movzx edx,byte ptr ds:[eax]
00401552 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
00401555 0FB600 movzx eax,byte ptr ds:[eax]
00401558 83F0 02 xor eax,0x2
0040155B 38C2 cmp dl,al // al holds the current byte of the real code
0040155D 74 07 je short rev200.00401566
0040155F B8 01000000 mov eax,0x1
00401564 EB 17 jmp short rev200.0040157D
00401566 8345 08 01 add dword ptr ss:[ebp+0x8],0x1
0040156A 8345 0C 01 add dword ptr ss:[ebp+0xC],0x1
0040156E 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
00401571 0FB600 movzx eax,byte ptr ds:[eax]
00401574 3C 02 cmp al,0x2
00401576^ 75 D4 jnz short rev200.0040154C
00401578 B8 00000000 mov eax,0x0
0040157D 5D pop ebp ; 0022F884
The real code finally recorded is: w3lld0ne (the fixed string "u1nnf2lg" xor 2 = "w3lld0ne")
So here is the question: is there a way to quickly reach the program code space that the exception returns to via an API breakpoint? Single-stepping is a bit of a hassle. Also, what was the author's intended approach? Please advise, experts. Finally, a screenshot:
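As an added illustration (not code from the CrackMe or from the poster), here is a C reconstruction of the comparison routine at 00401547. It assumes, from the caller at 004015B7..004015C3, that the first argument is the scanf buffer and the second is the pointer loaded from [0x40AD98] to the obfuscated key; the key bytes and their 0x02 terminator are constructed from the listing and the post's result.

```c
#include <stdio.h>
#include <string.h>

/* Obfuscated level-2 key as stored in the binary: "u1nnf2lg" plus the 0x02
 * terminator that the loop tests for at 00401574 (constructed here from the
 * listing and the post's result, not dumped from the file). */
static const unsigned char kStoredKey[] = {
    'u', '1', 'n', 'n', 'f', '2', 'l', 'g', 0x02
};

/* Mirror of the routine at 00401547. Assumed from the caller at
 * 004015B7..004015C3: arg0 (ebp+0x8) is the scanf buffer, arg1 (ebp+0xC)
 * is the pointer loaded from [0x40AD98] to the stored key.
 * Returns 0 on success (mov eax,0x0) and 1 on mismatch (mov eax,0x1). */
int check_level2(const char *input, const unsigned char *stored)
{
    for (;;) {
        /* 0040156E..00401576: the loop ends only on the 0x02 terminator. */
        if (*stored == 0x02)
            return 0;
        /* 0040154C..0040155B: input byte vs stored byte XOR 2. */
        if ((unsigned char)*input != (unsigned char)(*stored ^ 2))
            return 1;
        input++;   /* 00401566 */
        stored++;  /* 0040156A */
    }
}

/* Recover the plaintext key by undoing the XOR up to the terminator. */
const char *decoded_key(void)
{
    static char out[sizeof kStoredKey];
    size_t n = 0;
    while (kStoredKey[n] != 0x02) {
        out[n] = (char)(kStoredKey[n] ^ 2);
        n++;
    }
    out[n] = '\0';
    return out;
}

int main(void)
{
    printf("decoded key: %s\n", decoded_key());
    printf("123456      -> %d\n", check_level2("123456", kStoredKey));
    printf("w3lld0ne    -> %d\n", check_level2("w3lld0ne", kStoredKey));
    /* The input's own terminator is never checked: trailing junk after a
     * correct prefix is still accepted, because only the stored key ends the loop. */
    printf("w3lld0neXYZ -> %d\n", check_level2("w3lld0neXYZ", kStoredKey));
    return 0;
}
```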