Question about yyhd lesson 9
After reaching lesson 9 I feel I don't really understand it. I found the key CALL, but I don't know how to crack it, because there is no key JMP before the "login failed" message box that could be jumped over. Could an expert help me see how to skip it? Please describe the specific method.
00401670 .E8 1BFEFFFF CALL 00401490
00401675 .83C4 08 ADD ESP, 0x8
00401678 .EB 42 JMP SHORT 004016BC
0040167A >81FF 04000080 CMP EDI, 0x80000004 ;分支 (案例 80000002..80000004)
00401680 .75 04 JNZ SHORT 00401686
00401682 .8B3E MOV EDI, DWORD PTR DS: ;案例 80000004 (SINGLE STEP) --> 分支 0040167A
00401684 .EB 3A JMP SHORT 004016C0
00401686 >81FF 02000080 CMP EDI, 0x80000002
0040168C .75 12 JNZ SHORT 004016A0
0040168E .8B16 MOV EDX, DWORD PTR DS: ;案例 80000002 (DATATYPE MISALIGNMENT) --> 分支 0040167A
00401690 .8D4C24 0C LEA ECX, DWORD PTR SS:
00401694 .51 PUSH ECX
00401695 .52 PUSH EDX
00401696 .E8 459C0100 CALL 0041B2E0
0040169B .83C4 08 ADD ESP, 0x8
0040169E .EB 1C JMP SHORT 004016BC
004016A0 >81FF 03000080 CMP EDI, 0x80000003
004016A6 .75 1C JNZ SHORT 004016C4
004016A8 .8B4E 04 MOV ECX, DWORD PTR DS: ;案例 80000003 (BREAKPOINT) --> 分支 0040167A
004016AB .8B16 MOV EDX, DWORD PTR DS:
004016AD .8D4424 0C LEA EAX, DWORD PTR SS:
004016B1 .50 PUSH EAX ;CM(有错.0049519C
004016B2 .51 PUSH ECX
004016B3 .52 PUSH EDX
004016B4 .E8 57950100 CALL 0041AC10
004016B9 .83C4 0C ADD ESP, 0xC
004016BC >8D7C24 0C LEA EDI, DWORD PTR SS:
004016C0 >85FF TEST EDI, EDI
004016C2 .75 09 JNZ SHORT 004016CD
004016C4 >C64424 0C 00 MOV BYTE PTR SS:, 0x0 ;分支 0040167A 默认案例
004016C9 .8D7C24 0C LEA EDI, DWORD PTR SS:
004016CD >8B4424 78 MOV EAX, DWORD PTR SS:
004016D1 .33DB XOR EBX, EBX
004016D3 .83F8 04 CMP EAX, 0x4
004016D6 7C 2C JL SHORT 00401704
004016D8 .8B46 2C MOV EAX, DWORD PTR DS:
004016DB .3D 01000100 CMP EAX, 0x10001
004016E0 75 18 JNZ SHORT 004016FA
004016E2 .8B46 24 MOV EAX, DWORD PTR DS:
004016E5 .53 PUSH EBX
004016E6 .50 PUSH EAX ;CM(有错.0049519C
004016E7 .68 D6070000 PUSH 0x7D6
004016EC .E8 5F150100 CALL 00412C50
004016F1 .85C0 TEST EAX, EAX ;CM(有错.0049519C
004016F3 .74 0F JE SHORT 00401704
004016F5 .8B58 1C MOV EBX, DWORD PTR DS: ;CM(有错.00498B60
004016F8 .EB 0A JMP SHORT 00401704
004016FA >3D 01030080 CMP EAX, 0x80000301
004016FF .75 03 JNZ SHORT 00401704
00401701 .8B5E 24 MOV EBX, DWORD PTR DS:
00401704 >8B46 20 MOV EAX, DWORD PTR DS:
00401707 .85C0 TEST EAX, EAX ;CM(有错.0049519C
00401709 .B8 9C514900 MOV EAX, 0049519C ;ASCII "信息:"
0040170E .74 03 JE SHORT 00401713
00401710 .8B46 18 MOV EAX, DWORD PTR DS:
00401713 >8B76 0C MOV ESI, DWORD PTR DS:
00401716 .8BCE MOV ECX, ESI
00401718 .F7D1 NOT ECX
0040171A .81E1 00100000 AND ECX, 0x1000
00401720 .8D144E LEA EDX, DWORD PTR DS:
00401723 .52 PUSH EDX ; /Style = MB_OK|MB_TASKMODAL
00401724 .50 PUSH EAX ; |Title = "信息:"
00401725 .57 PUSH EDI ; |Text = "登录失败!"
00401726 .53 PUSH EBX ; |hOwner = NULL
00401727 .FF15 A0034800 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0040172D .5F POP EDI ;CM(有错.0040172D
0040172E .5E POP ESI ;CM(有错.0040172D
0040172F .83F8 03 CMP EAX, 0x3 ;分支 (案例 2..7)
00401732 .5B POP EBX ;CM(有错.0040172D
00401733 .75 0F JNZ SHORT 00401744
00401735 .8B4C24 68 MOV ECX, DWORD PTR SS: ;CM(有错.00401540; 案例 3 --> 分支 0040172F
00401739 .B8 02000000 MOV EAX, 0x2
0040173E .8901 MOV DWORD PTR DS:, EAX ;CM(有错.0049519C
00401740 .83C4 64 ADD ESP, 0x64
00401743 .C3 RETN
I should say that I have only found the location of this message box. The next step in YYHD's tutorial is to step through with F8 line by line, and that is where the problem comes in: at what point do you reach the key CALL? Simply put, you check whether there is a jump that can skip this error prompt; if there is none, you keep stepping down with F8, then backtrack to the previous level and continue looking.