- UID
- 48683
注册时间2008-3-31
阅读权限20
最后登录1970-1-1
以武会友
 
TA的每日心情 | 无聊
2015-8-12 00:27 |
|---|
签到天数: 1 天 [LV.1]初来乍到
|
这个程序我查找到IP后,爆破成功,但是运行了一会会就自动关闭啦,还请高手指教下,为什么会出现这样的现象是不是我那里爆破出现问题导致关闭.下面是我爆破后的两个文件,请高手指教
这个程序是运行起来后就关闭,他能点开进入,但是一进入程序后就自行关闭,请问高手这样的程序该下什么断点合适些,我下了BP CreateFileA断点,断是断下来啦,可是我按AIT+F9返回程序领空向上,向下都找不到他效验的地方,还请高手指教一二,这个文件脱壳前才200多K,脱了有1M多,我从这方面判断,去找文件大小的效验地址,可是怎么找也找不到,程序都跑遍啦
文件是运行起来后才会自动关闭的,能运行,但是是运行途中关闭,希望高手能给点自点
http://www.fs2you.com/files/016f63e3-15c3-11dd-a583-0014221f4662/
我下断在退出函数上,他拦截不住程序,自动就启动啦
00401000 未>/$ E8 06000000 CALL 未破.0040100B
00401005 |. 50 PUSH EAX ; /ExitCode
00401006 \. E8 BB010000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
0040100B /$ 55 PUSH EBP
0040100C |. 8BEC MOV EBP,ESP
0040100E |. 81C4 F0FEFFFF ADD ESP,-110
00401014 |. E9 83000000 JMP 未破.0040109C
00401019 |. 6B 72 6E 6C 6E 2E>ASCII "krnln.fnr",0
00401023 |. 6B 72 6E 6C 6E 2E>ASCII "krnln.fne",0
0040102D |. 47 65 74 4E 65 77>ASCII "GetNewSock",0
00401038 |. 53 6F 66 74 77 61>ASCII "Software\FlySky\"
00401048 |. 45 5C 49 6E 73 74>ASCII "E\Install",0
00401052 |. 50 61 74 68 00 ASCII "Path",0
00401057 |. 4E 6F 74 20 66 6F>ASCII "Not found the ke"
00401067 |. 72 6E 65 6C 20 6C>ASCII "rnel library or "
00401077 |. 74 68 65 20 6B 65>ASCII "the kernel libra"
00401087 |. 72 79 20 69 73 20>ASCII "ry is invalid!",0
00401096 |. 45 72 72 6F 72 00>ASCII "Error",0
0040109C |> 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
004010A2 |. 50 PUSH EAX
004010A3 |. E8 44010000 CALL 未破.004011EC
004010A8 |. 68 19104000 PUSH 未破.00401019 ; /StringToAdd = "krnln.fnr"
004010AD |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
004010B3 |. 50 PUSH EAX ; |ConcatString
004010B4 |. E8 25010000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
004010B9 |. 50 PUSH EAX ; /FileName
004010BA |. E8 19010000 CALL <JMP.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
004010BF |. 85C0 TEST EAX,EAX
004010C1 |. 0F85 9E000000 JNZ 未破.00401165
004010C7 |. 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
004010CD |. 50 PUSH EAX ; /pHandle
004010CE |. 68 19000200 PUSH 20019 ; |Access = KEY_READ
004010D3 |. 6A 00 PUSH 0 ; |Reserved = 0
004010D5 |. 68 38104000 PUSH 未破.00401038 ; |Subkey = "Software\FlySky\E\Install"
004010DA |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
004010DF |. E8 36010000 CALL <JMP.&ADVAPI32.RegOpenKeyExA> ; \RegOpenKeyExA
004010E4 |. 83F8 00 CMP EAX,0
004010E7 |. 0F85 B8000000 JNZ 未破.004011A5
004010ED |. C785 F0FEFFFF 030>MOV DWORD PTR SS:[EBP-110],103
004010F7 |. 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004010FD |. 50 PUSH EAX ; /pBufSize
004010FE |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
00401104 |. 50 PUSH EAX ; |Buffer
00401105 |. 6A 00 PUSH 0 ; |pValueType = NULL
00401107 |. 6A 00 PUSH 0 ; |Reserved = NULL
00401109 |. 68 52104000 PUSH 未破.00401052 ; |ValueName = "Path"
0040110E |. FFB5 F4FEFFFF PUSH DWORD PTR SS:[EBP-10C] ; |hKey
00401114 |. E8 07010000 CALL <JMP.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
00401119 |. 50 PUSH EAX
0040111A |. FFB5 F4FEFFFF PUSH DWORD PTR SS:[EBP-10C] ; /hKey
00401120 |. E8 EF000000 CALL <JMP.&ADVAPI32.RegCloseKey> ; \RegCloseKey
00401125 |. 58 POP EAX
00401126 |. 83F8 00 CMP EAX,0
00401129 |. 75 7A JNZ SHORT 未破.004011A5
0040112B |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00401131 |. 50 PUSH EAX ; /String
00401132 |. E8 AD000000 CALL <JMP.&KERNEL32.lstrlenA> ; \lstrlenA
00401137 |. 8D9D FCFEFFFF LEA EBX,DWORD PTR SS:[EBP-104]
0040113D |. 03D8 ADD EBX,EAX
0040113F |. 4B DEC EBX
00401140 |. 803B 5C CMP BYTE PTR DS:[EBX],5C
00401143 |. 74 05 JE SHORT 未破.0040114A
00401145 |. 66:C703 5C00 MOV WORD PTR DS:[EBX],5C
0040114A |> 68 23104000 PUSH 未破.00401023 ; /StringToAdd = "krnln.fne"
0040114F |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
00401155 |. 50 PUSH EAX ; |ConcatString
00401156 |. E8 83000000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
0040115B |. 50 PUSH EAX ; /FileName
0040115C |. E8 77000000 CALL <JMP.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
00401161 |. 85C0 TEST EAX,EAX
00401163 |. 74 40 JE SHORT 未破.004011A5
00401165 |> 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0040116B |. 68 2D104000 PUSH 未破.0040102D ; /ProcNameOrOrdinal = "GetNewSock"
00401170 |. 50 PUSH EAX ; |hModule
00401171 |. E8 5C000000 CALL <JMP.&KERNEL32.GetProcAddress> ; \GetProcAddress
00401176 |. 85C0 TEST EAX,EAX
00401178 |. 74 20 JE SHORT 未破.0040119A
0040117A |. 68 E8030000 PUSH 3E8
0040117F |. FFD0 CALL EAX
00401181 |. 85C0 TEST EAX,EAX
00401183 |. 74 15 JE SHORT 未破.0040119A
00401185 |. E8 00000000 CALL 未破.0040118A
0040118A |$ 810424 761E0000 ADD DWORD PTR SS:[ESP],1E76
00401191 |. FFD0 CALL EAX
00401193 |. 6A 00 PUSH 0 ; /ExitCode = 0
00401195 |. E8 2C000000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
0040119A |> FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] ; /hLibModule
004011A0 |. E8 27000000 CALL <JMP.&KERNEL32.FreeLibrary> ; \FreeLibrary
004011A5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011A7 |. 68 96104000 PUSH 未破.00401096 ; |Title = "Error"
004011AC |. 68 57104000 PUSH 未破.00401057 ; |Text = "Not found the kernel library or the kernel library is invalid!"
004011B1 |. 6A 00 PUSH 0 ; |hOwner = NULL
004011B3 |. E8 08000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004011B8 |. B8 FFFFFFFF MOV EAX,-1
004011BD |. C9 LEAVE
004011BE \. C3 RETN
004011BF CC INT3
004011C0 $- FF25 30204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
004011C6 .- FF25 1C204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; kernel32.ExitProcess
004011CC $- FF25 10204000 JMP DWORD PTR DS:[<&KERNEL32.FreeLibrary>] ; kernel32.FreeLibrary
004011D2 $- FF25 24204000 JMP DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; kernel32.GetProcAddress
004011D8 $- FF25 20204000 JMP DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
004011DE $- FF25 14204000 JMP DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
004011E4 $- FF25 28204000 JMP DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; kernel32.lstrlenA
004011EA CC INT3
004011EB CC INT3
004011EC /$ 55 PUSH EBP
004011ED |. 8BEC MOV EBP,ESP
004011EF |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004011F4 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |PathBuffer
004011F7 |. 6A 00 PUSH 0 ; |hModule = NULL
004011F9 |. E8 28000000 CALL <JMP.&KERNEL32.GetModuleFileNameA> ; \GetModuleFileNameA
004011FE |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00401201 |. 8D4C08 FA LEA ECX,DWORD PTR DS:[EAX+ECX-6]
00401205 |> 8A01 MOV AL,BYTE PTR DS:[ECX]
00401207 |. 49 DEC ECX
00401208 |. 3C 5C CMP AL,5C
0040120A |.^ 75 F9 JNZ SHORT 未破.00401205
0040120C |. C641 02 00 MOV BYTE PTR DS:[ECX+2],0
00401210 |. C9 LEAVE
00401211 \. C2 0400 RETN 4
00401214 $- FF25 04204000 JMP DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; ADVAPI32.RegCloseKey
0040121A $- FF25 08204000 JMP DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExA>] ; ADVAPI32.RegOpenKeyExA
00401220 $- FF25 00204000 JMP DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>] ; ADVAPI32.RegQueryValueExA
00401226 $- FF25 18204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleFileNameA>] ; kernel32.GetModuleFileNameA
[ 本帖最后由 小生我怕怕 于 2008-4-30 03:09 编辑 ] |
|
IP卡
发表于 2008-4-28 23:23:22
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2008-4-29 17:08:12
