d *(ebp+8): what does the asterisk mean? Why is it put in front???
This post was last edited by 冥界3大法王 on 2019-8-19 20:57
Title: pediy series: adding a MessageBox that displays the registration code to a program
Poster: cyclotron
Time: 2003/04/26 10:11pm
Details:
[Target program]: 电子笔记簿 V2.52
[Purpose]: add a MessageBox that displays the registration code to the program
[Type]: Reverse Engineering
This is my first pediy job and I have no experience, so please point out anything I got wrong!
To add code and data, first look at the Section Table. Note that the RO (raw offset) of the .text section is 1000 and its VS (virtual size) is 8794E, so from 1000+8794E=8894E onwards there is a large blank area; code can be added starting there, as long as it does not go past 1000+88000=89000. Likewise, data can be added at AB000+7000=B2000.
Section  Virtual Size  Virtual Offset  Raw Size  Raw Offset  Characteristics
.text    0008794E      00001000        00088000  00001000    60000020
.rdata   00021BFC      00089000        00022000  00089000    40000040
.data    0000D9A8      000AB000        00007000  000AB000    C0000040
.rsrc    00000E80      000B9000        00001000  000B2000    40000040

:0041A2F5 51 push ecx
:0041A2F6 8BCC mov ecx, esp
:0041A2F8 8965E8 mov dword ptr [ebp-18], esp
:0041A2FB 57 push edi
:0041A2FC E8BD790400 call 00461CBE
:0041A301 51 push ecx
:0041A302 C645FC02 mov [ebp-04], 02
:0041A306 8BCC mov ecx, esp
:0041A308 8965E4 mov dword ptr [ebp-1C], esp
:0041A30B 53 push ebx
:0041A30C E8AD790400 call 00461CBE
:0041A311 B9381E4B00 mov ecx, 004B1E38
:0041A316 C645FC01 mov [ebp-04], 01
:0041A31A E891CB0100 call 00436EB0 // key call, trace into it!
:0041A31F 85C0 test eax, eax // decides success or failure
:0041A321 7519 jne 0041A33C
:0041A323 50 push eax
:0041A324 6A40 push 00000040
:0041A326 680A810000 push 0000810A
:0041A32B E800F2FEFF call 00409530 // failure message
:0041A330 83C40C add esp, 0000000C
:0041A333 8BCE mov ecx, esi
:0041A335 E8153B0400 call 0045DE4F
:0041A33A EB70 jmp 0041A3AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A321(C)
|
:0041A33C 51 push ecx // start-up does not pass through here, so the MessageBox call is inserted at this point; modified as follows:
:0041A33D 8BCC mov ecx, esp
:0041A33F 8965E4 mov dword ptr [ebp-1C], esp
:0041A342 57 push edi
:0041A343 E876790400 call 00461CBE // success message
———————————————————————————————————————
Modified code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A321(C)
|
:0041A33C 6872894800 push 00488972
:0041A341 C3 ret // jump to the added code from here
:0041A342 57 push edi
:0041A343 E876790400 call 00461CBE
:0041A348 51 push ecx
:0041A349 C645FC03 mov [ebp-04], 03
:0041A34D 8BCC mov ecx, esp

The added code follows:
:00488972 90 nop
:00488973 90 nop
:00488974 90 nop
:00488975 90 nop
:00488976 90 nop
:00488977 90 nop
:00488978 90 nop
:00488979 6A40 push 00000040 // MessageBox type

* Possible StringData Ref from Data Obj ->"注册码"
|
:0048897B 68561B4B00 push 004B1B56 // push the window title; the string "注册码" is placed in the data area at 4B1B56 (VA) and takes seven bytes (including '\0'); how to obtain the bytes of these three characters is explained at the end.
:00488980 685D1B4B00 push 004B1B5D // push the real registration code, located at 4B1B5D
:00488985 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00488987 FF1584964800 Call dword ptr [00489684] // the MessageBox call can be taken from the original program's disassembly: click Functions -> Imports, then search for MessageBoxA
:0048898D 51 push ecx // restore the original program code from here
:0048898E 8BCC mov ecx, esp
:00488990 8965E4 mov dword ptr [ebp-1C], esp
:00488993 6842A34100 push 0041A342 // return from here
:00488998 C3 ret
———————————————————————————————————
:0041A348 51 push ecx
:0041A349 C645FC03 mov [ebp-04], 03
:0041A34D 8BCC mov ecx, esp
:0041A34F 8965E8 mov dword ptr [ebp-18], esp
**********************************************************************
call 00436EB0:
* Referenced by a CALL at Address:
|:0041A31A
|
:00436EB0 55 push ebp
:00436EB1 8BEC mov ebp, esp
:00436EB3 6AFF push FFFFFFFF
:00436EB5 68B85B4800 push 00485BB8
:00436EBA 64A100000000 mov eax, dword ptr fs:[00000000]
:00436EC0 50 push eax
:00436EC1 64892500000000 mov dword ptr fs:[00000000], esp
:00436EC8 81EC60010000 sub esp, 00000160
:00436ECE 53 push ebx
:00436ECF 56 push esi
:00436ED0 57 push edi
:00436ED1 8BF1 mov esi, ecx
:00436ED3 8965F0 mov dword ptr [ebp-10], esp
:00436ED6 8975E8 mov dword ptr [ebp-18], esi
:00436ED9 8D4DDC lea ecx, dword ptr [ebp-24]
:00436EDC C745FC01000000 mov [ebp-04], 00000001
:00436EE3 E87AAD0200 call 00461C62
:00436EE8 8BCE mov ecx, esi
:00436EEA C645FC03 mov [ebp-04], 03
:00436EEE E81D040000 call 00437310
:00436EF3 85C0 test eax, eax
:00436EF5 8945EC mov dword ptr [ebp-14], eax
:00436EF8 7509 jne 00436F03
:00436EFA C645FC01 mov [ebp-04], 01
:00436EFE E9A5010000 jmp 004370A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436EF8(C)
|
:00436F03 8D4508 lea eax, dword ptr [ebp+08]
:00436F06 8BCE mov ecx, esi
:00436F08 50 push eax
:00436F09 E812FFFFFF call 00436E20
:00436F0E 85C0 test eax, eax
:00436F10 7409 je 00436F1B
:00436F12 C645FC01 mov [ebp-04], 01
:00436F16 E98D010000 jmp 004370A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F10(C)
|
:00436F1B 8B4D08 mov ecx, dword ptr [ebp+08]
:00436F1E B838383838 mov eax, 38383838
:00436F23 8DBD14FFFFFF lea edi, dword ptr [ebp+FFFFFF14]
:00436F29 8B59F8 mov ebx, dword ptr [ecx-08]
:00436F2C B932000000 mov ecx, 00000032
:00436F31 81FBC8000000 cmp ebx, 000000C8
:00436F37 F3 repz
:00436F38 AB stosd
:00436F39 7E05 jle 00436F40
:00436F3B BBC8000000 mov ebx, 000000C8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F39(C)
|
:00436F40 53 push ebx
:00436F41 8D4D08 lea ecx, dword ptr [ebp+08]
:00436F44 E830B40200 call 00462379
:00436F49 8BCB mov ecx, ebx
:00436F4B 8BF0 mov esi, eax
:00436F4D 8BD1 mov edx, ecx
:00436F4F 8DBD14FFFFFF lea edi, dword ptr [ebp+FFFFFF14]
:00436F55 C1E902 shr ecx, 02
:00436F58 F3 repz
:00436F59 A5 movsd
:00436F5A 8BCA mov ecx, edx
:00436F5C 83E103 and ecx, 00000003
:00436F5F F3 repz
:00436F60 A4 movsb
:00436F61 83CEFF or esi, FFFFFFFF
:00436F64 8D4D08 lea ecx, dword ptr [ebp+08]
:00436F67 56 push esi
:00436F68 E85BB40200 call 004623C8
:00436F6D 83FB0A cmp ebx, 0000000A
:00436F70 7D21 jge 00436F93
:00436F72 B9C8000000 mov ecx, 000000C8
:00436F77 B838383838 mov eax, 38383838
:00436F7C 2BCB sub ecx, ebx
:00436F7E 8DBC1D14FFFFFF lea edi, dword ptr [ebp+ebx-000000EC]
:00436F85 8BD1 mov edx, ecx
:00436F87 C1E902 shr ecx, 02
:00436F8A F3 repz
:00436F8B AB stosd
:00436F8C 8BCA mov ecx, edx
:00436F8E 83E103 and ecx, 00000003
:00436F91 F3 repz
:00436F92 AA stosb

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F70(C)
|
:00436F93 8BC3 mov eax, ebx
:00436F95 8B7DEC mov edi, dword ptr [ebp-14]
:00436F98 99 cdq
:00436F99 83E207 and edx, 00000007
:00436F9C 8D8D94FEFFFF lea ecx, dword ptr [ebp+FFFFFE94]
:00436FA2 03C2 add eax, edx
:00436FA4 C1F803 sar eax, 03
:00436FA7 40 inc eax
:00436FA8 50 push eax
:00436FA9 8D8514FFFFFF lea eax, dword ptr [ebp+FFFFFF14]
:00436FAF 50 push eax
:00436FB0 57 push edi
:00436FB1 E81ACAFDFF call 004139D0
:00436FB6 57 push edi
:00436FB7 E81EAC0200 call 00461BDA
:00436FBC 8B4D0C mov ecx, dword ptr [ebp+0C]
:00436FBF 83C404 add esp, 00000004
:00436FC2 8B59F8 mov ebx, dword ptr [ecx-08]
:00436FC5 83FB0E cmp ebx, 0000000E // this checks the registration code length; I have changed the jump below into an unconditional jump
:00436FC8 EB1D jmp 00436FE7
:00436FCA C645FC01 mov [ebp-04], 01
:00436FCE E8CDAC0200 call 00461CA0
:00436FD3 8D4D08 lea ecx, dword ptr [ebp+08]
:00436FD6 C645FC00 mov [ebp-04], 00
:00436FDA E86AAF0200 call 00461F49
:00436FDF 8975FC mov dword ptr [ebp-04], esi
:00436FE2 E9D9000000 jmp 004370C0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436FC8(U)
|
:00436FE7 6A0E push 0000000E
:00436FE9 E8C3AB0200 call 00461BB1
:00436FEE 83C404 add esp, 00000004
:00436FF1 8D4D0C lea ecx, dword ptr [ebp+0C]
:00436FF4 8BF8 mov edi, eax
:00436FF6 6A0E push 0000000E
:00436FF8 E87CB30200 call 00462379
:00436FFD 8B08 mov ecx, dword ptr [eax]
:00436FFF 8BD7 mov edx, edi
:00437001 56 push esi
:00437002 890A mov dword ptr [edx], ecx
:00437004 8B4804 mov ecx, dword ptr [eax+04]
:00437007 894A04 mov dword ptr [edx+04], ecx
:0043700A 8B4808 mov ecx, dword ptr [eax+08]
:0043700D 894A08 mov dword ptr [edx+08], ecx
:00437010 668B400C mov ax, word ptr [eax+0C]
:00437014 8D4D0C lea ecx, dword ptr [ebp+0C]
:00437017 6689420C mov word ptr [edx+0C], ax
:0043701B E8A8B30200 call 004623C8
:00437020 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437030(U)
|
:00437022 3BC3 cmp eax, ebx
:00437024 7D0C jge 00437032
:00437026 8A1438 mov dl, byte ptr [eax+edi]
:00437029 80F238 xor dl, 38
:0043702C 881438 mov byte ptr [eax+edi], dl
:0043702F 40 inc eax
:00437030 EBF0 jmp 00437022

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437024(C)
|
:00437032 6A00 push 00000000
:00437034 8D8D14FFFFFF lea ecx, dword ptr [ebp+FFFFFF14]
:0043703A 57 push edi
:0043703B 51 push ecx
:0043703C 8B4DE8 mov ecx, dword ptr [ebp-18]
:0043703F E87C050000 call 004375C0 // decision point, trace into it!
:00437044 57 push edi
:00437045 8BD8 mov ebx, eax
:00437047 E88EAB0200 call 00461BDA
:0043704C 83C404 add esp, 00000004
:0043704F C645FC01 mov [ebp-04], 01
:00437053 E848AC0200 call 00461CA0
:00437058 8D4D08 lea ecx, dword ptr [ebp+08]
:0043705B C645FC00 mov [ebp-04], 00
:0043705F E8E5AE0200 call 00461F49
:00437064 8D4D0C lea ecx, dword ptr [ebp+0C]
:00437067 8975FC mov dword ptr [ebp-04], esi
:0043706A E8DAAE0200 call 00461F49
:0043706F 8BC3 mov eax, ebx
:00437071 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00437074 64890D00000000 mov dword ptr fs:[00000000], ecx
:0043707B 5F pop edi
:0043707C 5E pop esi
:0043707D 5B pop ebx
:0043707E 8BE5 mov esp, ebp
:00437080 5D pop ebp
:00437081 C20800 ret 0008
***********************************************************************
call 004375C0:
* Referenced by a CALL at Addresses:
|:0043703F , :004372AF
|
:004375C0 55 push ebp
:004375C1 8BEC mov ebp, esp
:004375C3 6AFF push FFFFFFFF
:004375C5 68285C4800 push 00485C28
:004375CA 64A100000000 mov eax, dword ptr fs:[00000000]
:004375D0 50 push eax
:004375D1 64892500000000 mov dword ptr fs:[00000000], esp
:004375D8 83EC18 sub esp, 00000018
:004375DB 53 push ebx
:004375DC 56 push esi
:004375DD 57 push edi
:004375DE 8D4DDC lea ecx, dword ptr [ebp-24]
:004375E1 8965F0 mov dword ptr [ebp-10], esp
:004375E4 E879A60200 call 00461C62
:004375E9 A1D8CF4A00 mov eax, dword ptr [004ACFD8]
:004375EE 8A0DDCCF4A00 mov cl, byte ptr [004ACFDC]
:004375F4 8B750C mov esi, dword ptr [ebp+0C]
:004375F7 C745FC00000000 mov [ebp-04], 00000000
:004375FE 8945E4 mov dword ptr [ebp-1C], eax
:00437601 C645FC01 mov [ebp-04], 01
:00437605 BF01000000 mov edi, 00000001
:0043760A 884DE8 mov byte ptr [ebp-18], cl
:0043760D 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437623(U)
|
:0043760F 83F804 cmp eax, 00000004
:00437612 7D11 jge 00437625
:00437614 8A1430 mov dl, byte ptr [eax+esi]
:00437617 8A4C05E4 mov cl, byte ptr [ebp+eax-1C]
:0043761B 80F238 xor dl, 38
:0043761E 3ACA cmp cl, dl // this checks whether the first four characters of the registration code are ENB-, so the conditional jump below is NOPed out
:00437620 7544 jne 00437666 // change to 90 90
—————————————————————————————————
Modified code:
:0043761E 3ACA cmp cl, dl
:00437620 90 nop
:00437621 90 nop
:00437622 40 inc eax
—————————————————————————————————
:00437622 40 inc eax
:00437623 EBEA jmp 0043760F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625 85FF test edi, edi // insert a piece of code from here that stores the string "ENB-" in the data area; the changes are as follows:
:00437627 743F je 00437668
:00437629 8B4D08 mov ecx, dword ptr [ebp+08]
:0043762C 33C0 xor eax, eax
——————————————————————————————————
Modified code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625 85FF test edi, edi
:00437627 685B894800 push 0048895B // jump to the inserted code area
:0043762C C3 ret
:0043762D 90 nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E 83F80A cmp eax, 0000000A
:00437631 7D35 jge 00437668

The code added to the .text section follows:
:0048895B 743F je 0048899C // restore the original program's code
:0048895D 8B4D08 mov ecx, dword ptr [ebp+08]
:00488960 33C0 xor eax, eax
:00488962 C7055D1B4B00454E422D mov dword ptr [004B1B5D], 2D424E45 // store "ENB-" in the data area
:0048896C 682E764300 push 0043762E // return
:00488971 C3 ret
——————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E 83F80A cmp eax, 0000000A
:00437631 7D35 jge 00437668
:00437633 8A1408 mov dl, byte ptr [eax+ecx]
:00437636 80E27F and dl, 7F
:00437639 80FA41 cmp dl, 41
:0043763C 881408 mov byte ptr [eax+ecx], dl
:0043763F 7D06 jge 00437647
:00437641 80CA41 or dl, 41
:00437644 881408 mov byte ptr [eax+ecx], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043763F(C)
|
:00437647 8A1408 mov dl, byte ptr [eax+ecx]
:0043764A 80FA5A cmp dl, 5A
:0043764D 7E06 jle 00437655
:0043764F 80E25A and dl, 5A
:00437652 881408 mov byte ptr [eax+ecx], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655 8A543004 mov dl, byte ptr [eax+esi+04]
:00437659 8A1C08 mov bl, byte ptr [eax+ecx]
:0043765C 80F238 xor dl, 38
:0043765F 3ADA cmp bl, dl // the routine above generates the last ten characters of the registration code and compares them. Because this is a direct character-by-character comparison against the real code, each character of the real code has to be saved and finally displayed by a MessageBox call. That call cannot go here: the program calls this routine every time it starts, to validate the registration code, so a MessageBox inserted here would pop up at every start. What is inserted here is therefore only the code that saves the real code. I found a spot in the data area at 4B1B61; first make the program jump to the added code:
—————————————————————————————————
Modified code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655 8A543004 mov dl, byte ptr [eax+esi+04]
:00437659 8A1C08 mov bl, byte ptr [eax+ecx]
:0043765C 684E894800 push 0048894E
:00437661 C3 ret // these two instructions jump to the added code
:00437662 90 nop
:00437663 40 inc eax
:00437664 EBC8 jmp 0043762E
:00437666 33FF xor edi, edi

Those are the changes inside the original code. Below is the code added at the end of the original .text section, starting at 48894E; it returns when it finishes:
:0048894E 8898611B4B00 mov byte ptr [eax+004B1B61], bl
:00488954 90 nop
:00488955 6863764300 push 00437663
:0048895A C3 ret
—————————————————————————————————
:00437661 7503 jne 00437666
:00437663 40 inc eax
:00437664 EBC8 jmp 0043762E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437620(C), :00437661(C)
|
:00437666 33FF xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437627(C), :00437631(C)
|
:00437668 8B4510 mov eax, dword ptr [ebp+10]
:0043766B 85C0 test eax, eax
:0043766D 7406 je 00437675
:0043766F 893D5C454B00 mov dword ptr [004B455C], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043766D(C)
|
:00437675 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:0043767C E81FA60200 call 00461CA0
:00437681 8BC7 mov eax, edi
:00437683 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00437686 64890D00000000 mov dword ptr fs:[00000000], ecx
:0043768D 5F pop edi
:0043768E 5E pop esi
:0043768F 5B pop ebx
:00437690 8BE5 mov esp, ebp
:00437692 5D pop ebp
:00437693 C20C00 ret 000C
*****************************************************************
Finally, how to obtain the in-memory form of the string "注册码".
When entering a registration code, we notice that if the code is wrong the program pops up a MessageBox saying: 注册号码不对! (registration number incorrect!)
So we start from the parameters of this MessageBox to obtain the stored form of "注册号码".
Set a breakpoint with bpx MessageBoxA and we arrive at the following place:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046CA9A(U)
|
:0046CAB6 53 push ebx
:0046CAB7 57 push edi
:0046CAB8 FF7508 push [ebp+08] // lpText is pushed here; view it with d *(ebp+8) and you get 0187:01234700 D7 A2 B2 E1 BA C5 C2 E0
This is the in-memory form of "注册号码"; copy its 1st, 2nd, 3rd, 4th, 7th and 8th bytes to 000B1B56 (Raw Offset):
:0046CABB FF75F4 push [ebp-0C]

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0046CABE FF1584964800 Call dword ptr [00489684]
:0046CAC4 85F6 test esi, esi
:0046CAC6 8BF8 mov edi, eax
:0046CAC8 7405 je 0046CACF
:0046CACA 8B45F8 mov eax, dword ptr [ebp-08]
:0046CACD 8906 mov dword ptr [esi], eax
With that the modification of the program is complete. Run it and try!

This post was last edited by blsn3548 on 2019-8-19 20:27
It should be the windbg d* command, used to view the contents of a memory address.
See: https://www.cnblogs.com/jiangxueqiao/p/7418195.html

blsn3548 posted on 2019-8-19 20:26
It should be the windbg d* command, used to view the contents of a memory address.
See: https://www.cnblogs.com/jiangxueqiao/p/7418195.htm ...
It still doesn't say clearly what the asterisk means.
Is it multiplication or a wildcard? Why is it put in front?

Either the address, or the memory that address points to; write a small example yourself or test with some code from a crackme and you'll get it.

朱朱你堕落了 posted on 2019-8-19 20:53
Either the address, or the memory that address points to; write a small example yourself or test with some code from a crackme and you'll get it.
I understand what it does: it shows a memory address or what is on the stack, and so on.
I just want to know why the asterisk is added?

冥界3大法王 posted on 2019-8-19 20:56
I understand what it does: it shows a memory address or what is on the stack, and so on.
I just want to know why the asterisk is added?
In C++,
for example:
int a = 1;
int *p;
p = &a; // give p the address of a in memory; p points to a, i.e. p points to 1
then *p = 1 // so *p is the memory that the address refers to
It should carry over the idea of C++ pointers.

#include "stdafx.h"
#include "stdio.h"
int _tmain(int argc, _TCHAR* argv[])
{
int a = 1;
int *p;
p = &a;
printf("p=0x%p, *p = %d\n",p, *p);
getchar();
return 0;
}
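To make the two levels of indirection concrete, here is an added example in C (not code from this thread or from the quoted tutorial). It stands in for the MessageBoxA callee: the lpText argument sits in a stack slot (the [ebp+8] of the tutorial), &lpText is that slot, and *(&lpText) is the pointer stored there; the bytes at that pointer are what d *(ebp+8) dumps, while d ebp+8 without the star would show the slot itself, i.e. the pointer value. The sample bytes are constructed from the eight bytes shown in the tutorial's dump; hexdump_line and the sample_* wrappers are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first eight bytes the tutorial saw at lpText (the GBK encoding
   of "注册号码"), taken from its "d *(ebp+8)" dump, followed by a terminator. */
static const unsigned char SAMPLE_LPTEXT[] = {
    0xD7, 0xA2, 0xB2, 0xE1, 0xBA, 0xC5, 0xC2, 0xE0, 0x00
};

/* Format n bytes at addr as "D7 A2 B2 ..." the way a debugger's d command prints them.
   Returns the number of characters written, not counting the terminator. */
size_t hexdump_line(const void *addr, size_t n, char *out, size_t out_len) {
    const unsigned char *p = addr;
    size_t used = 0;
    for (size_t i = 0; i < n && used + 3 < out_len; i++) {
        int w = snprintf(out + used, out_len - used, i ? " %02X" : "%02X", p[i]);
        if (w < 0) break;
        used += (size_t)w;
    }
    return used;
}

/* Stand-in for the MessageBoxA callee. In a 32-bit stdcall frame `lpText` lives in the stack
   slot at [ebp+8]. &lpText is that slot (ebp+8); *(&lpText) is the pointer stored in it (the
   01234700 of the tutorial); the bytes at that pointer are what "d *(ebp+8)" dumps. */
size_t dump_what_lptext_points_to(const char *lpText, char *out, size_t out_len) {
    const char *const *slot = &lpText;   /* the slot itself: ebp+8 */
    const char *target = *slot;          /* the dereference written as * in d *(ebp+8) */
    return hexdump_line(target, strlen(target), out, out_len);
}

/* Without the star, "d ebp+8" shows the slot's own contents: the bytes of the pointer value
   (4 on 32-bit Windows, sizeof(void *) here), not the text it points to. */
size_t dump_slot_without_star(const char *lpText, char *out, size_t out_len) {
    const char *const *slot = &lpText;
    return hexdump_line(slot, sizeof *slot, out, out_len);
}

/* Wrappers over the constructed sample so each result can be inspected directly. */
const char *sample_dump_with_star(void) {
    static char buf[64];
    dump_what_lptext_points_to((const char *)SAMPLE_LPTEXT, buf, sizeof buf);
    return buf;
}

const char *sample_dump_without_star(void) {
    static char buf[64];
    dump_slot_without_star((const char *)SAMPLE_LPTEXT, buf, sizeof buf);
    return buf;
}

int main(void) {
    printf("d *(ebp+8) -> %s   (the text MessageBoxA will show)\n", sample_dump_with_star());
    printf("d  (ebp+8) -> %s   (the pointer itself, little-endian)\n", sample_dump_without_star());
    return 0;
}
```

The first line reproduces the tutorial's dump; the second shows why the star matters: the slot holds an address, and only following that address reaches the string.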
冥界3大法王 posted on 2019-8-19 20:50
It still doesn't say clearly what the asterisk means.
Is it multiplication or a wildcard? Why is it put in front?
Wildcard.
The d* commands:
d{a|b|c|d|D|f|p|q|u|w|W} Address
Address: display the memory at address Address.
ColumnWidth: how many data units Windbg shows per line. The default is hexadecimal; prefix with 0n for decimal.
Length: total number of data units to display starting at Address.
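Going back to the section-table arithmetic at the start of the quoted tutorial (1000+8794E=8894E as the first free byte of .text, 89000 as the limit, and 4B1B56 as a VA versus 000B1B56 as a raw offset): below is an added example in C, not code from the tutorial or from this thread, that parses section headers in IMAGE_SECTION_HEADER layout and does those conversions in general. It reports each section's slack (SizeOfRawData minus VirtualSize), maps a VA to its raw file offset, and tells whether a VA lies in slack, which is where patched-in code such as the tutorial's block at 48894E ends up and the first place to inspect when checking a binary for unexpected modifications. The four header rows are constructed from the table in the post; the image base 400000 and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress (an RVA), SizeOfRawData,
   PointerToRawData, then relocation/line-number fields and Characteristics (not needed here). */
#define SECTION_HEADER_SIZE 40
#define IMAGE_BASE 0x400000u /* assumed: default base of a 32-bit EXE, consistent with the post's VAs */
#define MAX_SECTIONS 4

struct section { char name[9]; uint32_t virtual_size, virtual_address, raw_size, raw_offset; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Parse consecutive raw section headers from buf; returns how many were read. */
size_t parse_section_table(const uint8_t *buf, size_t buf_len, struct section *out, size_t max_out) {
    size_t n = 0;
    for (; n < max_out && (n + 1) * SECTION_HEADER_SIZE <= buf_len; n++) {
        const uint8_t *h = buf + n * SECTION_HEADER_SIZE;
        memcpy(out[n].name, h, 8);
        out[n].name[8] = '\0';
        out[n].virtual_size    = rd32(h + 8);
        out[n].virtual_address = rd32(h + 12);
        out[n].raw_size        = rd32(h + 16);
        out[n].raw_offset      = rd32(h + 20);
    }
    return n;
}

/* Section whose file-backed range [VirtualAddress, VirtualAddress + SizeOfRawData) holds va, or NULL. */
static const struct section *section_for_va(const struct section *s, size_t n, uint32_t va) {
    uint32_t rva = va - IMAGE_BASE;
    for (size_t i = 0; i < n; i++)
        if (rva >= s[i].virtual_address && rva - s[i].virtual_address < s[i].raw_size) return &s[i];
    return NULL;
}

/* VA -> raw file offset, the number a hex editor needs (the post's 4B1B56 -> 000B1B56). Returns
   false when no file bytes back the VA, e.g. the tail of .data (VirtualSize > SizeOfRawData). */
bool va_to_raw(const struct section *s, size_t n, uint32_t va, uint32_t *raw) {
    const struct section *sec = section_for_va(s, n, va);
    if (!sec) return false;
    *raw = (va - IMAGE_BASE) - sec->virtual_address + sec->raw_offset;
    return true;
}

/* True when va is section slack: inside SizeOfRawData but past VirtualSize, i.e. alignment padding
   the linker left unused. The post's added code (48894E..489000) lives there, and so does most code
   injected into an already-built binary, so non-zero bytes in slack are a quick sign of a patched file. */
bool va_in_slack(const struct section *s, size_t n, uint32_t va) {
    const struct section *sec = section_for_va(s, n, va);
    return sec && (va - IMAGE_BASE) - sec->virtual_address >= sec->virtual_size;
}

/* Bytes of slack at the end of a section; 0 when VirtualSize >= SizeOfRawData. */
uint32_t section_slack(const struct section *sec) {
    return sec->raw_size > sec->virtual_size ? sec->raw_size - sec->virtual_size : 0;
}

/* Constructed input: the four rows of the post's section table, serialised in header layout. */
size_t build_sample_table(uint8_t *buf, size_t buf_len) {
    static const struct { const char *name; uint32_t vs, va, rs, ro; } rows[MAX_SECTIONS] = {
        { ".text",  0x8794E, 0x01000, 0x88000, 0x01000 },
        { ".rdata", 0x21BFC, 0x89000, 0x22000, 0x89000 },
        { ".data",  0x0D9A8, 0xAB000, 0x07000, 0xAB000 },
        { ".rsrc",  0x00E80, 0xB9000, 0x01000, 0xB2000 },
    };
    if (buf_len < MAX_SECTIONS * SECTION_HEADER_SIZE) return 0;
    memset(buf, 0, MAX_SECTIONS * SECTION_HEADER_SIZE);
    for (size_t i = 0; i < MAX_SECTIONS; i++) {
        uint8_t *h = buf + i * SECTION_HEADER_SIZE;
        memcpy(h, rows[i].name, strlen(rows[i].name));
        wr32(h + 8, rows[i].vs); wr32(h + 12, rows[i].va); wr32(h + 16, rows[i].rs); wr32(h + 20, rows[i].ro);
    }
    return MAX_SECTIONS * SECTION_HEADER_SIZE;
}

/* Wrappers over the constructed table so single results can be checked directly. */
static size_t load_sample(struct section *secs) {
    uint8_t buf[MAX_SECTIONS * SECTION_HEADER_SIZE];
    size_t len = build_sample_table(buf, sizeof buf);
    return parse_section_table(buf, len, secs, MAX_SECTIONS);
}
uint32_t sample_va_to_raw(uint32_t va) {          /* 0xFFFFFFFF when the VA is not file-backed */
    struct section secs[MAX_SECTIONS]; uint32_t raw = 0;
    return va_to_raw(secs, load_sample(secs), va, &raw) ? raw : 0xFFFFFFFFu;
}
bool sample_va_in_slack(uint32_t va) {
    struct section secs[MAX_SECTIONS];
    return va_in_slack(secs, load_sample(secs), va);
}
uint32_t sample_section_slack(size_t index) {     /* 0 = .text, 1 = .rdata, 2 = .data, 3 = .rsrc */
    struct section secs[MAX_SECTIONS];
    return index < load_sample(secs) ? section_slack(&secs[index]) : 0;
}
```

On this table .text has 6B2 bytes of slack (88000 minus 8794E), which is the "large blank area" the tutorial writes into, while .data has none because its VirtualSize exceeds its SizeOfRawData; a VA in that uninitialised tail of .data has no raw offset at all, and va_to_raw reports that rather than producing a misleading number.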