This post was last edited by wgz001 on 2015-12-3 10:59.

I happened to see a crackme (cm) with two more levels, so I downloaded it to study it, and ended up slightly bruised. See the attachment.

Load it directly in OD, Ctrl+G to 00401000, search the strings, and there is a "You passed level1!". Double-click it to get to the code and set a breakpoint:
```asm
00401B6C E8 275F0000 call <jmp.&msvcrt.strcmp> // set the breakpoint here
00401B71 85C0 test eax,eax
00401B73 75 18 jnz short rev200.00401B8D
00401B75 C70424 26914000 mov dword ptr ss:[esp],rev200.00409126 ; You passed level1!
00401B7C E8 0F5F0000 call <jmp.&msvcrt.puts>
00401B81 C70424 00000000 mov dword ptr ss:[esp],0x0
00401B88 E8 5DFAFFFF call rev200.004015EA
```
Enter the fake code 123456 and run; it breaks as expected, and the stack window now shows the real code:
```
0022FD80 0022FD91 |s1 = "123456"
0022FD84 0022FDA5 \s2 = "r0b0RUlez!"
```
Start over and enter the real code; the first level passes, but the next level has a problem. Look at the code below:
```asm
00401614 E8 00000000 call rev200.00401619
00401619 58 pop eax ; 0022FE05
0040161A A3 A8AD4000 mov dword ptr ds:[0x40ADA8],eax
0040161F CC int3 // there is an exception here; single-stepping over it enters the exception handler
00401620 B8 00000000 mov eax,0x0
00401625 C9 leave
```
After entering the exception, a mix of F7 and F8 gets you here:
```asm
7C96261A FF76 08 push dword ptr ds:[esi+0x8]
7C96261D E8 E30DFDFF call ntdll.RtlDecodePointer
7C962622 8D4D F8 lea ecx,dword ptr ss:[ebp-0x8]
7C962625 51 push ecx
7C962626 FFD0 call eax ; rev200.0040157F // from here you can get back into the program's own code
7C962628 83F8 FF cmp eax,-0x1
7C96262B 74 1A je short ntdll.7C962647
7C96262D 8B36 mov esi,dword ptr ds:[esi] ; ntdll.7C99B3C0
```
Tsk tsk.

```asm
0040157F 55 push ebp
00401580 89E5 mov ebp,esp
00401582 83EC 38 sub esp,0x38
00401585 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00401588 8B40 04 mov eax,dword ptr ds:[eax+0x4]
0040158B 8B80 B8000000 mov eax,dword ptr ds:[eax+0xB8]
00401591 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; rev200.0040157F
00401594 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
00401597 8B15 A8AD4000 mov edx,dword ptr ds:[0x40ADA8] ; rev200.00401619
```
The next part is the key one:

```asm
004015B2 E8 D1640000 call <jmp.&msvcrt.scanf>
004015B7 A1 98AD4000 mov eax,dword ptr ds:[0x40AD98]
004015BC 894424 04 mov dword ptr ss:[esp+0x4],eax ; rev200.0040157F
004015C0 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
004015C3 890424 mov dword ptr ss:[esp],eax ; rev200.0040157F
004015C6 E8 7CFFFFFF call rev200.00401547 // the comparison is here, F7 into it
004015CB 85C0 test eax,eax ; rev200.0040157F
004015CD 75 0D jnz short rev200.004015DC
004015CF A1 A4AD4000 mov eax,dword ptr ds:[0x40ADA4] ; 洱"
004015D4 890424 mov dword ptr ss:[esp],eax ; rev200.0040157F
004015D7 E8 B4640000 call <jmp.&msvcrt.puts>
004015DC C70424 00000000 mov dword ptr ss:[esp],0x0
004015E3 A1 48B14000 mov eax,dword ptr ds:[<&KERNEL32.ExitProcess>]
```
The comparison routine:

```asm
00401547 55 push ebp
00401548 89E5 mov ebp,esp
0040154A EB 22 jmp short rev200.0040156E
0040154C 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0040154F 0FB610 movzx edx,byte ptr ds:[eax]
00401552 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
00401555 0FB600 movzx eax,byte ptr ds:[eax]
00401558 83F0 02 xor eax,0x2
0040155B 38C2 cmp dl,al // al now holds one byte of the real code
0040155D 74 07 je short rev200.00401566
0040155F B8 01000000 mov eax,0x1
00401564 EB 17 jmp short rev200.0040157D
00401566 8345 08 01 add dword ptr ss:[ebp+0x8],0x1
0040156A 8345 0C 01 add dword ptr ss:[ebp+0xC],0x1
0040156E 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
00401571 0FB600 movzx eax,byte ptr ds:[eax]
00401574 3C 02 cmp al,0x2
00401576 ^ 75 D4 jnz short rev200.0040154C
00401578 B8 00000000 mov eax,0x0
0040157D 5D pop ebp ; 0022F884
```
The real code I finally recorded is: w3lld0ne (the fixed string " u1nnf2lg" xor 2 = "w3lld0ne").

So here is the question: is there a way to use an API breakpoint to get quickly back into the program's code after this exception returns? Single-stepping is a bit of a pain. Also, what was the author's intended approach? Please give me some pointers, experts. Finally, a screenshot.
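As an added example (not from the post or the crackme), the level-2 check at 00401547 rewritten in C: the stored string is XOR-2 encoded, so the encoded terminator is 0x00 ^ 0x02 = 0x02, and the loop stops at that byte rather than at the end of the input. The encoded bytes below are constructed from the "u1nnf2lg" the post reports, not dumped from the binary.

```c
#include <stdio.h>
#include <string.h>

/* Encoded level-2 key as the post records it, with the terminator also
 * XORed with 2 (0x00 ^ 0x02 = 0x02). Constructed for this example. */
static const unsigned char ENCODED_KEY[] = {
    'u', '1', 'n', 'n', 'f', '2', 'l', 'g', 0x02
};

/* Re-implementation of the routine at 00401547:
 *   ebp+0x8 = user input, ebp+0xC = encoded string.
 * Walk the encoded string until its 0x02 terminator, XOR each byte with 2
 * and compare it with the input byte. Returns 0 on match, 1 on the first
 * mismatch, exactly like the original (eax = 0 / eax = 1). */
int check_level2(const char *input, const unsigned char *encoded)
{
    for (; *encoded != 0x02; ++encoded, ++input) {
        if ((unsigned char)*input != (unsigned char)(*encoded ^ 0x02))
            return 1;
    }
    /* Note: nothing checks that the input ended here, so any input that
     * merely starts with the real code also passes. */
    return 0;
}

/* Recover the plaintext key from the encoded bytes (the post's
 * " u1nnf2lg" xor 2 = "w3lld0ne" computation). Returns the key length. */
size_t decode_key(const unsigned char *encoded, char *out, size_t out_len)
{
    size_t n = 0;
    while (encoded[n] != 0x02 && n + 1 < out_len) {
        out[n] = (char)(encoded[n] ^ 0x02);
        n++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char key[16];
    decode_key(ENCODED_KEY, key, sizeof key);
    printf("decoded key: %s\n", key);
    printf("check(\"123456\")   = %d\n", check_level2("123456", ENCODED_KEY));
    printf("check(\"%s\") = %d\n", key, check_level2(key, ENCODED_KEY));
    return 0;
}
```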