The Road to Brute-Patching with WinDbg, Part 3
No small talk, straight to work: pull up the WinDbg installed from the Microsoft Store and set it up as shown in the figure.
[*] Survey the enemy camp's fire positions
[*] Set up a forward observation post
[*] Log how the enemy operates
[*] Fire a missile to change the enemy's flow of operations
Let 1) 2) 3) 4) be the four main observation points (the four places where L"安装皮肤失败", "skin install failed", is pushed).
What follows is the analysis of the runtime details. There is a lot of it, so work through it on your own machine.
00DEF741 | E8 AA390000 | call <wnskininst.sub_DF30F0> ===> set a breakpoint here too
00DEF746 | 84C0 | test al,al |
00DEF748 | 75 18 | jne wnskininst.DEF762 | a1
00DEF74A | 3885 C6E7FFFF | cmp byte ptr ss:,al |
00DEF750 | 0F84 56010000 | je wnskininst.DEF8AC | a2
00DEF756 | 8BCF | mov ecx,edi | ecx:EntryPoint, edi:EntryPoint
00DEF758 | E8 E6EFFFFF | call <wnskininst.sub_DEE743> |
00DEF75D | E9 5C010000 | jmp wnskininst.DEF8BE | a3
00DEF762 | 53 | push ebx |
00DEF763 | 8D85 D0F7FFFF | lea eax,dword ptr ss: |
00DEF769 | 50 | push eax |
00DEF76A | 8D85 F8EDFFFF | lea eax,dword ptr ss: |
00DEF770 | 50 | push eax |
00DEF771 | FF15 C0A1F300 | call dword ptr ds:[<&CopyFileW>] |
00DEF777 | FFB5 C0E7FFFF | push dword ptr ss: |
00DEF77D | 8BD8 | mov ebx,eax |
00DEF77F | 56 | push esi | esi:EntryPoint
00DEF780 | E8 9AD90100 | call <wnskininst.sub_E0D11F> |
00DEF785 | 59 | pop ecx | ecx:EntryPoint
00DEF786 | 59 | pop ecx | ecx:EntryPoint
00DEF787 | 33C9 | xor ecx,ecx | ecx:EntryPoint
00DEF789 | 85C0 | test eax,eax |
00DEF78B | 6A 01 | push 1 |
00DEF78D | 58 | pop eax |
00DEF78E | 0F44C8 | cmove ecx,eax | ecx:EntryPoint
00DEF791 | 8D85 D0F7FFFF | lea eax,dword ptr ss: |
00DEF797 | 6A 00 | push 0 |
00DEF799 | 898D C0E7FFFF | mov dword ptr ss:,ecx | ecx:EntryPoint
00DEF79F | 8D8D C7E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEF7A5 | 50 | push eax |
00DEF7A6 | E8 10250000 | call <wnskininst.sub_DF1CBB> |
00DEF7AB | E8 C955FFFF | call <wnskininst.sub_DE4D79> |
00DEF7B0 | 8BC8 | mov ecx,eax | ecx:EntryPoint
00DEF7B2 | E8 906F0100 | call <wnskininst.sub_E06747> |
00DEF7B7 | 8B3D C0A3F300 | mov edi,dword ptr ds:[<&WritePriva | edi:EntryPoint
00DEF7BD | 8BF0 | mov esi,eax | esi:EntryPoint
00DEF7BF | 56 | push esi | esi:EntryPoint
00DEF7C0 | 68 14A7F300 | push wnskininst.F3A714 | F3A714:L"1"
00DEF7C5 | 68 B4CFF300 | push wnskininst.F3CFB4 | F3CFB4:L"IsModifyUIStyle"
00DEF7CA | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEF7CF | FFD7 | call edi | edi:EntryPoint
00DEF7D1 | 56 | push esi | esi:EntryPoint
00DEF7D2 | 68 14A7F300 | push wnskininst.F3A714 | F3A714:L"1"
00DEF7D7 | 68 E8CFF300 | push wnskininst.F3CFE8 | F3CFE8:L"IsModifyUIStyle64"
00DEF7DC | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEF7E1 | FFD7 | call edi | edi:EntryPoint
00DEF7E3 | 56 | push esi | esi:EntryPoint
00DEF7E4 | 68 14A7F300 | push wnskininst.F3A714 | F3A714:L"1"
00DEF7E9 | 68 0CD0F300 | push wnskininst.F3D00C | F3D00C:L"IsTempModifyUIStyle"
00DEF7EE | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEF7F3 | FFD7 | call edi | edi:EntryPoint
00DEF7F5 | 56 | push esi | esi:EntryPoint
00DEF7F6 | BE 14A7F300 | mov esi,wnskininst.F3A714 | esi:EntryPoint, F3A714:L"1"
00DEF7FB | 56 | push esi | esi:EntryPoint
00DEF7FC | 68 34D0F300 | push wnskininst.F3D034 | F3D034:L"IsTempModifyUIStyle64"
00DEF801 | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEF806 | FFD7 | call edi | edi:EntryPoint
00DEF808 | 68 08020000 | push 208 |
00DEF80D | 8D85 E0FBFFFF | lea eax,dword ptr ss: |
00DEF813 | 6A 00 | push 0 |
00DEF815 | 50 | push eax |
00DEF816 | E8 A5A00100 | call <wnskininst.sub_E098C0> |
00DEF81B | 83C4 0C | add esp,C |
00DEF81E | E8 5655FFFF | call <wnskininst.sub_DE4D79> |
00DEF823 | 8BC8 | mov ecx,eax | ecx:EntryPoint
00DEF825 | E8 D6B20000 | call <wnskininst.sub_DFAB00> |
00DEF82A | 50 | push eax |
00DEF82B | 8D85 E0FBFFFF | lea eax,dword ptr ss: |
00DEF831 | 68 7CCFF300 | push wnskininst.F3CF7C | F3CF7C:L"%sConfig\\"
00DEF836 | 50 | push eax |
00DEF837 | E8 B256FFFF | call <wnskininst.sub_DE4EEE> |
00DEF83C | 8D85 E0FBFFFF | lea eax,dword ptr ss: |
00DEF842 | 68 90CFF300 | push wnskininst.F3CF90 | F3CF90:L"Config.ini"
00DEF847 | 50 | push eax |
00DEF848 | E8 4E620200 | call <wnskininst.sub_E15A9B> |
00DEF84D | 83C4 14 | add esp,14 |
00DEF850 | 8D85 E0FBFFFF | lea eax,dword ptr ss: |
00DEF856 | 50 | push eax |
00DEF857 | 56 | push esi | esi:EntryPoint
00DEF858 | 68 00A7F300 | push wnskininst.F3A700 | F3A700:L"IsUseSkin"
00DEF85D | BE F0A6F300 | mov esi,wnskininst.F3A6F0 | esi:EntryPoint, F3A6F0:L"Setting"
00DEF862 | 56 | push esi | esi:EntryPoint
00DEF863 | FFD7 | call edi | edi:EntryPoint
00DEF865 | 8D85 E0FBFFFF | lea eax,dword ptr ss: |
00DEF86B | 50 | push eax |
00DEF86C | 8D85 C8F5FFFF | lea eax,dword ptr ss: |
00DEF872 | 50 | push eax |
00DEF873 | 68 DCA6F300 | push wnskininst.F3A6DC | F3A6DC:L"SkinName"
00DEF878 | 56 | push esi | esi:EntryPoint
00DEF879 | FFD7 | call edi | edi:EntryPoint
00DEF87B | 8D85 E0FBFFFF | lea eax,dword ptr ss: |
00DEF881 | 50 | push eax |
00DEF882 | 68 14A7F300 | push wnskininst.F3A714 | F3A714:L"1"
00DEF887 | 68 80D0F300 | push wnskininst.F3D080 | F3D080:L"InstallSkin"
00DEF88C | 56 | push esi | esi:EntryPoint
00DEF88D | FFD7 | call edi | edi:EntryPoint
00DEF88F | 85DB | test ebx,ebx |
00DEF891 | 74 0F | je wnskininst.DEF8A2 | a4
00DEF893 | 33DB | xor ebx,ebx |
00DEF895 | 53 | push ebx |
00DEF896 | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEF89B | 68 98D0F300 | push wnskininst.F3D098 | F3D098:L"安装皮肤成功"
00DEF8A0 | EB 15 | jmp wnskininst.DEF8B7 |
00DEF8A2 | 33DB | xor ebx,ebx |
00DEF8A4 | 399D C0E7FFFF | cmp dword ptr ss:,ebx |
00DEF8AA | 75 E9 | jne wnskininst.DEF895 |
00DEF8AC | 53 | push ebx |
00DEF8AD | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEF8B2 | 68 6CCFF300 | push wnskininst.F3CF6C | F3CF6C:L"安装皮肤失败"
00DEF8B7 | 53 | push ebx |
00DEF8B8 | FF15 3CA4F300 | call dword ptr ds:[<&MessageBoxW>] |
00DEF8BE | 8D8D C7E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEF8C4 | E8 27420400 | call <wnskininst.sub_E33AF0> |
00DEF8C9 | 33C0 | xor eax,eax |
00DEF8CB | 8D8D C8E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEF8D1 | 53 | push ebx |
00DEF8D2 | 40 | inc eax |
00DEF8D3 | 50 | push eax |
========================================================
Address  | Disassembly            | String
00DEEBD1 | push wnskininst.F3CF6C | L"安装皮肤失败" ("skin install failed") | 1)
00DEEF18 | push wnskininst.F3CF6C | L"安装皮肤失败" | 2)
00DEF162 | push wnskininst.F3CF6C | L"安装皮肤失败" | 3)
00DEF8B2 | push wnskininst.F3CF6C | L"安装皮肤失败" | 4)
==========================================================
Location 1): go there
00DEE814 | 55 | push ebp ====> to be safe, set the breakpoint here at the start of the function and observe!
00DEE815 | 8BEC | mov ebp,esp |
00DEE817 | 6A FF | push FFFFFFFF |
00DEE819 | 68 7F82F300 | push <wnskininst.sub_F3827F> |
00DEE81E | 64:A1 00000000 | mov eax,dword ptr fs: |
00DEE824 | 50 | push eax |
00DEE825 | B8 80180000 | mov eax,1880 |
00DEE82A | E8 11550000 | call <wnskininst.sub_DF3D40> |
00DEE82F | A1 44C0F900 | mov eax,dword ptr ds: |
00DEE834 | 33C5 | xor eax,ebp |
00DEE836 | 8945 F0 | mov dword ptr ss:,eax |
00DEE839 | 53 | push ebx |
00DEE83A | 56 | push esi | esi:EntryPoint
00DEE83B | 57 | push edi | edi:EntryPoint
00DEE83C | 50 | push eax |
00DEE83D | 8D45 F4 | lea eax,dword ptr ss: |
00DEE840 | 64:A3 00000000 | mov dword ptr fs:,eax |
00DEE846 | 8BD9 | mov ebx,ecx | ecx:EntryPoint
00DEE848 | 8B75 08 | mov esi,dword ptr ss: | esi:EntryPoint
00DEE84B | 83EC 18 | sub esp,18 |
00DEE84E | 8BCC | mov ecx,esp | ecx:EntryPoint
00DEE850 | 56 | push esi | esi:EntryPoint
00DEE851 | E8 AA2FFFFF | call <wnskininst.sub_DE1800> |
00DEE856 | 8D85 80E7FFFF | lea eax,dword ptr ss: |
00DEE85C | 50 | push eax |
00DEE85D | E8 BB180100 | call <wnskininst.sub_E0011D> |
00DEE862 | 83C4 1C | add esp,1C |
00DEE865 | 33FF | xor edi,edi | edi:EntryPoint
00DEE867 | 8D85 80E7FFFF | lea eax,dword ptr ss: |
00DEE86D | 83BD 94E7FFFF 08 | cmp dword ptr ss:,8 |
00DEE874 | 8D8D 74E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE87A | 897D FC | mov dword ptr ss:,edi | edi:EntryPoint
00DEE87D | 0F4385 80E7FFFF | cmovae eax,dword ptr ss: |
00DEE884 | 50 | push eax |
00DEE885 | E8 A2500100 | call <wnskininst.sub_E0392C> |
00DEE88A | 8D8D 74E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE890 | C645 FC 01 | mov byte ptr ss:,1 |
00DEE894 | E8 F736FFFF | call <wnskininst.sub_DE1F90> |
00DEE899 | 85C0 | test eax,eax |
00DEE89B | 0F85 22080000 | jne wnskininst.DEF0C3 | b8
00DEE8A1 | 68 E8030000 | push 3E8 |
00DEE8A6 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEE8AC | 57 | push edi | edi:EntryPoint
00DEE8AD | 50 | push eax |
00DEE8AE | E8 0DB00100 | call <wnskininst.sub_E098C0> |
00DEE8B3 | 83C4 0C | add esp,C |
00DEE8B6 | 8D8D B0E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE8BC | 56 | push esi | esi:EntryPoint
00DEE8BD | E8 3E2FFFFF | call <wnskininst.sub_DE1800> |
00DEE8C2 | BE 6CB6F300 | mov esi,wnskininst.F3B66C | esi:EntryPoint, F3B66C:L"-untie"
00DEE8C7 | C645 FC 02 | mov byte ptr ss:,2 |
00DEE8CB | 56 | push esi | esi:EntryPoint
00DEE8CC | E8 B0E70100 | call <wnskininst.sub_E0D081> |
00DEE8D1 | 59 | pop ecx | ecx:EntryPoint
00DEE8D2 | 50 | push eax |
00DEE8D3 | 57 | push edi | edi:EntryPoint
00DEE8D4 | 56 | push esi | esi:EntryPoint
00DEE8D5 | 8D8D B0E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE8DB | E8 2058FFFF | call <wnskininst.sub_DE4100> |
00DEE8E0 | 83CE FF | or esi,FFFFFFFF | esi:EntryPoint
00DEE8E3 | 3BC6 | cmp eax,esi | esi:EntryPoint
00DEE8E5 | 0F8E 4A010000 | jle wnskininst.DEEA35 | b7
00DEE8EB | 83BD C4E7FFFF 08 | cmp dword ptr ss:,8 |
00DEE8F2 | 8DB5 B0E7FFFF | lea esi,dword ptr ss: | esi:EntryPoint
00DEE8F8 | 68 6CB6F300 | push wnskininst.F3B66C | F3B66C:L"-untie"
00DEE8FD | 0F43B5 B0E7FFFF | cmovae esi,dword ptr ss: | esi:EntryPoint
00DEE904 | E8 78E70100 | call <wnskininst.sub_E0D081> |
00DEE909 | 83C6 02 | add esi,2 | esi:EntryPoint
00DEE90C | 8D0446 | lea eax,dword ptr ds: |
00DEE90F | 50 | push eax |
00DEE910 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEE916 | 50 | push eax |
00DEE917 | E8 7F710200 | call <wnskininst.sub_E15A9B> |
00DEE91C | 83C4 0C | add esp,C |
00DEE91F | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE925 | E8 A5F3FFFF | call <wnskininst.sub_DEDCCF> |
00DEE92A | 8D85 7EE7FFFF | lea eax,dword ptr ss: |
00DEE930 | C645 FC 03 | mov byte ptr ss:,3 |
00DEE934 | 50 | push eax |
00DEE935 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEE93B | 50 | push eax |
00DEE93C | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE942 | E8 A9470000 | call <wnskininst.sub_DF30F0> |
00DEE947 | 84C0 | test al,al |
00DEE949 | 0F84 6A020000 | je wnskininst.DEEBB9 | b6
00DEE94F | 57 | push edi | edi:EntryPoint
00DEE950 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEE956 | 50 | push eax |
00DEE957 | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE95D | E8 59330000 | call <wnskininst.sub_DF1CBB> |
00DEE962 | 68 08020000 | push 208 |
00DEE967 | 8D85 E8FDFFFF | lea eax,dword ptr ss: |
00DEE96D | 57 | push edi | edi:EntryPoint
00DEE96E | 50 | push eax |
00DEE96F | E8 4CAF0100 | call <wnskininst.sub_E098C0> |
00DEE974 | 83C4 0C | add esp,C |
00DEE977 | E8 FD63FFFF | call <wnskininst.sub_DE4D79> |
00DEE97C | 8BC8 | mov ecx,eax | ecx:EntryPoint
00DEE97E | E8 7DC10000 | call <wnskininst.sub_DFAB00> |
00DEE983 | 50 | push eax |
00DEE984 | 8D85 E8FDFFFF | lea eax,dword ptr ss: |
00DEE98A | 68 7CCFF300 | push wnskininst.F3CF7C | F3CF7C:L"%sConfig\\"
00DEE98F | 50 | push eax |
00DEE990 | E8 5965FFFF | call <wnskininst.sub_DE4EEE> |
00DEE995 | 8D85 E8FDFFFF | lea eax,dword ptr ss: |
00DEE99B | 68 90CFF300 | push wnskininst.F3CF90 | F3CF90:L"Config.ini"
00DEE9A0 | 50 | push eax |
00DEE9A1 | E8 F5700200 | call <wnskininst.sub_E15A9B> |
00DEE9A6 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEE9AC | 50 | push eax |
00DEE9AD | 8D85 C8E7FFFF | lea eax,dword ptr ss: |
00DEE9B3 | 50 | push eax |
00DEE9B4 | E8 01790100 | call <wnskininst.sub_E062BA> |
00DEE9B9 | 83C4 1C | add esp,1C |
00DEE9BC | 8B35 C0A3F300 | mov esi,dword ptr ds:[<&WritePriva | esi:EntryPoint
00DEE9C2 | 8D85 E8FDFFFF | lea eax,dword ptr ss: |
00DEE9C8 | 50 | push eax |
00DEE9C9 | 68 14A7F300 | push wnskininst.F3A714 | F3A714:L"1"
00DEE9CE | 68 00A7F300 | push wnskininst.F3A700 | F3A700:L"IsUseSkin"
00DEE9D3 | BF F0A6F300 | mov edi,wnskininst.F3A6F0 | edi:EntryPoint, F3A6F0:L"Setting"
00DEE9D8 | C645 FC 04 | mov byte ptr ss:,4 |
00DEE9DC | 57 | push edi | edi:EntryPoint
00DEE9DD | FFD6 | call esi | esi:EntryPoint
00DEE9DF | 83BD DCE7FFFF 08 | cmp dword ptr ss:,8 |
00DEE9E6 | 8D8D E8FDFFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEE9EC | 51 | push ecx | ecx:EntryPoint
00DEE9ED | 8D85 C8E7FFFF | lea eax,dword ptr ss: |
00DEE9F3 | 0F4385 C8E7FFFF | cmovae eax,dword ptr ss: |
00DEE9FA | 50 | push eax |
00DEE9FB | 68 DCA6F300 | push wnskininst.F3A6DC | F3A6DC:L"SkinName"
00DEEA00 | 57 | push edi | edi:EntryPoint
00DEEA01 | FFD6 | call esi | esi:EntryPoint
00DEEA03 | 83BD DCE7FFFF 08 | cmp dword ptr ss:,8 |
00DEEA0A | 8D8D C8E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEA10 | 0FB685 7EE7FFFF | movzx eax,byte ptr ss: |
00DEEA17 | 0F438D C8E7FFFF | cmovae ecx,dword ptr ss: | ecx:EntryPoint
00DEEA1E | 50 | push eax |
00DEEA1F | 51 | push ecx | ecx:EntryPoint
00DEEA20 | E8 9263FFFF | call <wnskininst.sub_DE4DB7> |
00DEEA25 | 59 | pop ecx | ecx:EntryPoint
00DEEA26 | 59 | pop ecx | ecx:EntryPoint
00DEEA27 | 8BCB | mov ecx,ebx | ecx:EntryPoint
00DEEA29 | E8 F1200000 | call <wnskininst.sub_DF0B1F> |
00DEEA2E | 33FF | xor edi,edi | edi:EntryPoint
00DEEA30 | E9 01020000 | jmp wnskininst.DEEC36 |
00DEEA35 | 68 A8CFF300 | push wnskininst.F3CFA8 | F3CFA8:L"-temp"
00DEEA3A | E8 42E60100 | call <wnskininst.sub_E0D081> |
00DEEA3F | 59 | pop ecx | ecx:EntryPoint
00DEEA40 | 50 | push eax |
00DEEA41 | 57 | push edi | edi:EntryPoint
00DEEA42 | 68 A8CFF300 | push wnskininst.F3CFA8 | F3CFA8:L"-temp"
00DEEA47 | 8D8D B0E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEA4D | E8 AE56FFFF | call <wnskininst.sub_DE4100> |
00DEEA52 | 3BC6 | cmp eax,esi | esi:EntryPoint
00DEEA54 | 0F8E DA000000 | jle wnskininst.DEEB34 | b5
00DEEA5A | 83BD C4E7FFFF 08 | cmp dword ptr ss:,8 |
00DEEA61 | 8DB5 B0E7FFFF | lea esi,dword ptr ss: | esi:EntryPoint
00DEEA67 | 68 A8CFF300 | push wnskininst.F3CFA8 | F3CFA8:L"-temp"
00DEEA6C | 0F43B5 B0E7FFFF | cmovae esi,dword ptr ss: | esi:EntryPoint
00DEEA73 | E8 09E60100 | call <wnskininst.sub_E0D081> |
00DEEA78 | 83C6 02 | add esi,2 | esi:EntryPoint
00DEEA7B | 8D0446 | lea eax,dword ptr ds: |
00DEEA7E | 50 | push eax |
00DEEA7F | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEEA85 | 50 | push eax |
00DEEA86 | E8 10700200 | call <wnskininst.sub_E15A9B> |
00DEEA8B | 83C4 0C | add esp,C |
00DEEA8E | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEA94 | E8 36F2FFFF | call <wnskininst.sub_DEDCCF> |
00DEEA99 | 8D85 7EE7FFFF | lea eax,dword ptr ss: |
00DEEA9F | C645 FC 05 | mov byte ptr ss:,5 |
00DEEAA3 | 50 | push eax |
00DEEAA4 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEEAAA | 50 | push eax |
00DEEAAB | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEAB1 | E8 3A460000 | call <wnskininst.sub_DF30F0> |
00DEEAB6 | 84C0 | test al,al |
00DEEAB8 | 0F84 FB000000 | je wnskininst.DEEBB9 | b4
00DEEABE | 6A 01 | push 1 |
00DEEAC0 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEEAC6 | 50 | push eax |
00DEEAC7 | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEACD | E8 E9310000 | call <wnskininst.sub_DF1CBB> |
00DEEAD2 | E8 A262FFFF | call <wnskininst.sub_DE4D79> |
00DEEAD7 | 8BC8 | mov ecx,eax | ecx:EntryPoint
00DEEAD9 | E8 697C0100 | call <wnskininst.sub_E06747> |
00DEEADE | 8B35 C0A3F300 | mov esi,dword ptr ds:[<&WritePriva | esi:EntryPoint
00DEEAE4 | 8BF8 | mov edi,eax | edi:EntryPoint
00DEEAE6 | 57 | push edi | edi:EntryPoint
00DEEAE7 | BB 14A7F300 | mov ebx,wnskininst.F3A714 | F3A714:L"1"
00DEEAEC | 53 | push ebx |
00DEEAED | 68 B4CFF300 | push wnskininst.F3CFB4 | F3CFB4:L"IsModifyUIStyle"
00DEEAF2 | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEEAF7 | FFD6 | call esi | esi:EntryPoint
00DEEAF9 | 57 | push edi | edi:EntryPoint
00DEEAFA | 53 | push ebx |
00DEEAFB | 68 E8CFF300 | push wnskininst.F3CFE8 | F3CFE8:L"IsModifyUIStyle64"
00DEEB00 | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEEB05 | FFD6 | call esi | esi:EntryPoint
00DEEB07 | 57 | push edi | edi:EntryPoint
00DEEB08 | 53 | push ebx |
00DEEB09 | 68 0CD0F300 | push wnskininst.F3D00C | F3D00C:L"IsTempModifyUIStyle"
00DEEB0E | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEEB13 | FFD6 | call esi | esi:EntryPoint
00DEEB15 | 57 | push edi | edi:EntryPoint
00DEEB16 | 53 | push ebx |
00DEEB17 | 68 34D0F300 | push wnskininst.F3D034 | F3D034:L"IsTempModifyUIStyle64"
00DEEB1C | 68 D4CFF300 | push wnskininst.F3CFD4 | F3CFD4:L"SetModify"
00DEEB21 | FFD6 | call esi | esi:EntryPoint
00DEEB23 | C705 A07CFA00 6400 | mov dword ptr ds:,64 | 64:'d'
00DEEB2D | 33FF | xor edi,edi | edi:EntryPoint
00DEEB2F | E9 1A010000 | jmp wnskininst.DEEC4E |
00DEEB34 | 68 88B6F300 | push wnskininst.F3B688 | F3B688:L"-install"
00DEEB39 | E8 43E50100 | call <wnskininst.sub_E0D081> |
00DEEB3E | 59 | pop ecx | ecx:EntryPoint
00DEEB3F | 50 | push eax |
00DEEB40 | 57 | push edi | edi:EntryPoint
00DEEB41 | 68 88B6F300 | push wnskininst.F3B688 | F3B688:L"-install"
00DEEB46 | 8D8D B0E7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEB4C | E8 AF55FFFF | call <wnskininst.sub_DE4100> |
00DEEB51 | 3BC6 | cmp eax,esi | esi:EntryPoint
00DEEB53 | 0F8E 05010000 | jle wnskininst.DEEC5E | b3
00DEEB59 | 83BD C4E7FFFF 08 | cmp dword ptr ss:,8 |
00DEEB60 | 8DB5 B0E7FFFF | lea esi,dword ptr ss: | esi:EntryPoint
00DEEB66 | 68 88B6F300 | push wnskininst.F3B688 | F3B688:L"-install"
00DEEB6B | 0F43B5 B0E7FFFF | cmovae esi,dword ptr ss: | esi:EntryPoint
00DEEB72 | E8 0AE50100 | call <wnskininst.sub_E0D081> |
00DEEB77 | 83C6 02 | add esi,2 | esi:EntryPoint
00DEEB7A | 8D0446 | lea eax,dword ptr ds: |
00DEEB7D | 50 | push eax |
00DEEB7E | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEEB84 | 50 | push eax |
00DEEB85 | E8 116F0200 | call <wnskininst.sub_E15A9B> |
00DEEB8A | 83C4 0C | add esp,C |
00DEEB8D | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEB93 | E8 37F1FFFF | call <wnskininst.sub_DEDCCF> |
00DEEB98 | 8D85 7EE7FFFF | lea eax,dword ptr ss: |
00DEEB9E | C645 FC 06 | mov byte ptr ss:,6 |
00DEEBA2 | 50 | push eax |
00DEEBA3 | 8D85 00FAFFFF | lea eax,dword ptr ss: |
00DEEBA9 | 50 | push eax |
00DEEBAA | 8D8D 7FE7FFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEEBB0 | E8 3B450000 | call <wnskininst.sub_DF30F0> |
00DEEBB5 | 84C0 | test al,al |
00DEEBB7 | 75 2C | jne wnskininst.DEEBE5 | b1
00DEEBB9 | 80BD 7EE7FFFF 00 | cmp byte ptr ss:,0 |
00DEEBC0 | 74 09 | je wnskininst.DEEBCB | b2
00DEEBC2 | 8BCB | mov ecx,ebx | ecx:EntryPoint
00DEEBC4 | E8 7AFBFFFF | call <wnskininst.sub_DEE743> |
00DEEBC9 | EB 12 | jmp wnskininst.DEEBDD |
00DEEBCB | 57 | push edi | edi:EntryPoint
00DEEBCC | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEEBD1 | 68 6CCFF300 | push wnskininst.F3CF6C | F3CF6C:L"安装皮肤失败"
00DEEBD6 | 57 | push edi | edi:EntryPoint
00DEEBD7 | FF15 3CA4F300 | call dword ptr ds:[<&MessageBoxW>]
------------------------------------------------------------------------------
Location 2), analysed upward
00DEEEFB | 75 32 | jne wnskininst.DEEF2F | c1
00DEEEFD | 3885 7EE7FFFF | cmp byte ptr ss:,al |
00DEEF03 | 74 0B | je wnskininst.DEEF10 |
00DEEF05 | 8BCB | mov ecx,ebx | ecx:EntryPoint
00DEEF07 | E8 37F8FFFF | call <wnskininst.sub_DEE743> |
00DEEF0C | 33FF | xor edi,edi | edi:EntryPoint
00DEEF0E | EB 14 | jmp wnskininst.DEEF24 |
00DEEF10 | 33FF | xor edi,edi | edi:EntryPoint
00DEEF12 | 57 | push edi | edi:EntryPoint
00DEEF13 | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEEF18 | 68 6CCFF300 | push wnskininst.F3CF6C | F3CF6C:L"安装皮肤失败"
00DEEF1D | 57 | push edi | edi:EntryPoint
00DEEF1E | FF15 3CA4F300 | call dword ptr ds:[<&MessageBoxW>]
This converges with the starting point at a1)
---------------------------------------------------------------------------------
Location 3), analysed upward
00DEF0FA | 68 40020000 | push 240 =====> the code here is short
00DEF0FF | B8 C882F300 | mov eax,<wnskininst.sub_F382C8> |
00DEF104 | E8 5E4B0000 | call <wnskininst.sub_DF3C67> |
00DEF109 | 8BF9 | mov edi,ecx | edi:EntryPoint, ecx:EntryPoint
00DEF10B | 8B75 08 | mov esi,dword ptr ss: | esi:EntryPoint
00DEF10E | 8D8D B8FDFFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEF114 | 56 | push esi | esi:EntryPoint
00DEF115 | E8 E626FFFF | call <wnskininst.sub_DE1800> |
00DEF11A | 33DB | xor ebx,ebx |
00DEF11C | 8D8D B6FDFFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEF122 | 895D FC | mov dword ptr ss:,ebx |
00DEF125 | E8 A5EBFFFF | call <wnskininst.sub_DEDCCF> |
00DEF12A | 8D85 B7FDFFFF | lea eax,dword ptr ss: |
00DEF130 | C645 FC 01 | mov byte ptr ss:,1 |
00DEF134 | 50 | push eax |
00DEF135 | 56 | push esi | esi:EntryPoint
00DEF136 | 8D8D B6FDFFFF | lea ecx,dword ptr ss: | ecx:EntryPoint
00DEF13C | 889D B7FDFFFF | mov byte ptr ss:,bl |
00DEF142 | E8 A93F0000 | call <wnskininst.sub_DF30F0> |
00DEF147 | 84C0 | test al,al |
00DEF149 | 75 2E | jne wnskininst.DEF179 | d2
00DEF14B | 3885 B7FDFFFF | cmp byte ptr ss:,al |
00DEF151 | 74 09 | je wnskininst.DEF15C | d1
00DEF153 | 8BCF | mov ecx,edi | ecx:EntryPoint, edi:EntryPoint
00DEF155 | E8 E9F5FFFF | call <wnskininst.sub_DEE743> |
00DEF15A | EB 12 | jmp wnskininst.DEF16E |
00DEF15C | 53 | push ebx |
00DEF15D | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEF162 | 68 6CCFF300 | push wnskininst.F3CF6C | F3CF6C:L"安装皮肤失败"
---------------------------------------------------------------------
a4)
00DEF891 | 74 0F | je wnskininst.DEF8A2 | a4
00DEF893 | 33DB | xor ebx,ebx |
00DEF895 | 53 | push ebx |
00DEF896 | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEF89B | 68 98D0F300 | push wnskininst.F3D098 | F3D098:L"安装皮肤成功"
00DEF8A0 | EB 15 | jmp wnskininst.DEF8B7 |
00DEF8A2 | 33DB | xor ebx,ebx |
00DEF8A4 | 399D C0E7FFFF | cmp dword ptr ss:,ebx |
00DEF8AA | 75 E9 | jne wnskininst.DEF895 |
00DEF8AC | 53 | push ebx |
00DEF8AD | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEF8B2 | 68 6CCFF300 | push wnskininst.F3CF6C | F3CF6C:L"安装皮肤失败"
And going upward from a4) we find it converges with a1) above as well.
g $exentry    (first jump to the entry point, which the post calls the OEP)
00df4535 e8a4040000 call WnSkinInst+0x149de (00df49de)
Using Fawang's "3A address locating" method, take a look in x32dbg: does it line up?
00DF4535 | E8 A4040000 | call <wnskininst.sub_DF49DE>
Nice, a perfect match: 00DF4535 is identical, which means the VAs from the x32dbg listing can be used in WinDbg directly. (That only holds because WnSkinInst loaded at the same base in both debuggers, 0x00DE0000 here, as WnSkinInst+0x149de = 00df49de shows.)
If it does not match, do the base conversion yourself: WinDbg VA = x32dbg VA - 00DE0000 + the base that `lm m WnSkinInst` reports.
bp 00DEE814
bp 00DEF741
bp 00DEF0FA
Don't forget to make is_vip return 1 (from the earlier part of this series),
so: eb 00DE5258 b0 01 c3    (B0 01 = mov al,1 ; C3 = ret)
Then single-step downward all the way.
00DEE89B | 0F85 22080000 | jne wnskininst.DEF0C3 | b8: notice it does NOT jump!
00e098d1 did not jump
00e098e0 0f8edf000000 jle WnSkinInst+0x299c5 (00e099c5) still no jump
00e098ec 0f8c8b000000 jl WnSkinInst+0x2997d (00e0997d) still no jump
00e098fa 7309 jae WnSkinInst+0x29905 (00e09905) still no jump
00dee8e5 0f8e4a010000 jle WnSkinInst+0xea35 (00deea35) jumps here (the "-untie" switch check, see 00DEE8C2)
00deea54 0f8eda000000 jle WnSkinInst+0xeb34 (00deeb34) jumps here (the "-temp" switch check, see 00DEEA35)
00deeb53 0f8e05010000 jle WnSkinInst+0xec5e (00deec5e) no jump (the "-install" switch is present, see 00DEEB34)
00deebb0 e83b450000 call WnSkinInst+0x130f0 (00df30f0) ====> so patch here
00deebb5 84c0 test al, al
00deebb7 752c jne WnSkinInst+0xebe5 (00deebe5) up to here! The same pattern as our a1), or patch here instead
00DEF741 | E8 AA390000 | call <wnskininst.sub_DF30F0> | next we arrive here ====> so patch here
00DEF746 | 84C0 | test al,al |
00DEF748 | 75 18 | jne wnskininst.DEF762 | a1 must be taken (jump to the CopyFileW branch) =====> or patch here
00DEF74A | 3885 C6E7FFFF | cmp byte ptr ss:,al |
00DEF750 | 0F84 56010000 | je wnskininst.DEF8AC | a2: if taken, it's over (straight to the failure box)
00DEF756 | 8BCF | mov ecx,edi | ecx:EntryPoint, edi:EntryPoint
00DEF758 | E8 E6EFFFFF | call <wnskininst.sub_DEE743> |
00DEF75D | E9 5C010000 | jmp wnskininst.DEF8BE | a3: jumping away is also over (skips both message boxes)
eb DEF748 eb 18    (overwrite 75 18 with EB 18: jne becomes jmp; the rel8 0x18 is unchanged, so the target is still DEF762)
00def763 8d85d0f7ffff lea eax, ...  after the patch we land here
00DEF88D | FFD7 | call edi | edi:EntryPoint
00DEF88F | 85DB | test ebx,ebx | ebx still holds CopyFileW's return value from 00DEF77D
00DEF891 | 74 0F | je wnskininst.DEF8A2 | a4 =======> look at this one
00DEF893 | 33DB | xor ebx,ebx |
00DEF895 | 53 | push ebx |
00DEF896 | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEF89B | 68 98D0F300 | push wnskininst.F3D098 | F3D098:L"安装皮肤成功"
00DEF8A0 | EB 15 | jmp wnskininst.DEF8B7 |
00DEF8A2 | 33DB | xor ebx,ebx |
00DEF8A4 | 399D C0E7FFFF | cmp dword ptr ss:,ebx | the flag stored at 00DEF799 (1 when sub_E0D11F returned 0)
00DEF8AA | 75 E9 | jne wnskininst.DEF895 | ========> and this one!
00DEF8AC | 53 | push ebx |
00DEF8AD | 68 60CFF300 | push wnskininst.F3CF60 | F3CF60:L"安装皮肤"
00DEF8B2 | 68 6CCFF300 | push wnskininst.F3CF6C | F3CF6C:L"安装皮肤失败"
00DEF8B7 | 53 | push ebx |
00DEF8B8 | FF15 3CA4F300 | call dword ptr ds:[<&MessageBoxW>] |
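The base conversion and the jne-to-jmp byte patch from the walkthrough above, written out as a small Python helper. This is an added example and not code from the original post. The addresses and opcode bytes are the ones shown in the listings, the module base 0x00DE0000 is derived from WinDbg's `WnSkinInst+0x149de (00df49de)`, and any other `live_base` passed in is an assumption for illustration. It goes one step beyond the post: it also handles the 6-byte near `jcc rel32` form (`0F 8x`), which cannot simply have its opcode swapped, because `jmp rel32` is 5 bytes and the displacement has to be recomputed with the leftover byte turned into a NOP.

```python
import struct

# Module base of WnSkinInst in the post's session: WnSkinInst+0x149de == 0x00df49de.
DUMP_BASE = 0x00DE0000


def rebase(va, dump_base=DUMP_BASE, live_base=DUMP_BASE):
    """Translate a VA taken from the x32dbg listing to the base the live process loaded at.

    live_base is what `lm m WnSkinInst` reports in WinDbg; when it equals the listing's
    base (as in the post) the VA is unchanged.
    """
    return (va - dump_base + live_base) & 0xFFFFFFFF


def jcc_target(va, code):
    """Branch target of the conditional jump whose bytes `code` sit at `va`.

    Short form: 7x rel8 (2 bytes). Near form: 0F 8x rel32 (6 bytes).
    """
    if 0x70 <= code[0] <= 0x7F and len(code) >= 2:
        disp = struct.unpack("<b", code[1:2])[0]
        return (va + 2 + disp) & 0xFFFFFFFF
    if code[0] == 0x0F and 0x80 <= code[1] <= 0x8F and len(code) >= 6:
        disp = struct.unpack("<i", code[2:6])[0]
        return (va + 6 + disp) & 0xFFFFFFFF
    raise ValueError("bytes at %08x are not a jcc: %s" % (va, code.hex()))


def force_jump(va, code):
    """Bytes that replace the jcc at `va` with an unconditional jmp to the same target.

    Short jcc -> EB rel8 keeps the displacement (75 18 -> EB 18, exactly the post's patch).
    Near jcc is 6 bytes but jmp rel32 is 5, so the displacement is recomputed relative to
    the shorter instruction and the sixth byte becomes a NOP.
    """
    target = jcc_target(va, code)
    if 0x70 <= code[0] <= 0x7F:
        return bytes([0xEB, code[1]])
    disp = (target - (va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", disp) + b"\x90"


def force_fallthrough(code):
    """Bytes that make the jcc never jump: a NOP run of the same length."""
    return b"\x90" * len(code)


# mov al,1 ; ret -- what the post writes over is_vip with `eb 00DE5258 b0 01 c3`.
RETURN_TRUE = bytes([0xB0, 0x01, 0xC3])


def windbg_eb(va, patch):
    """Format a patch as the WinDbg `eb` command that applies it in memory."""
    return "eb %08x %s" % (va, " ".join("%02x" % b for b in patch))


def plan_patches(live_base=DUMP_BASE):
    """The three patch sites from the post, rebased and rendered as eb commands.

    The (va, bytes) pairs are copied from the listings above.
    """
    sites = [
        (0x00DE5258, None),                     # is_vip -> mov al,1 ; ret
        (0x00DEF748, bytes.fromhex("7518")),    # a1: jne DEF762 -> jmp DEF762
        (0x00DEEBB7, bytes.fromhex("752c")),    # b1: jne DEEBE5 -> jmp DEEBE5
    ]
    cmds = []
    for va, code in sites:
        patch = RETURN_TRUE if code is None else force_jump(va, code)
        cmds.append(windbg_eb(rebase(va, live_base=live_base), patch))
    return cmds


if __name__ == "__main__":
    # Sanity checks against the listing: 75 18 at 00DEF748 must target 00DEF762,
    # and 0F 85 22080000 at 00DEE89B must target 00DEF0C3.
    assert jcc_target(0x00DEF748, bytes.fromhex("7518")) == 0x00DEF762
    assert jcc_target(0x00DEE89B, bytes.fromhex("0f8522080000")) == 0x00DEF0C3
    for cmd in plan_patches():
        print(cmd)
```

Run it once with the base WinDbg actually reports and paste the printed `eb` lines into the debugger; the `jcc_target` checks are the cheap way to confirm that a displacement you copied from the listing really points where the listing says before you overwrite anything.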
This post was last edited by 冥界3大法王 on 2022-2-28 11:59

1789912406 posted on 2022-2-27 08:50:
Boss, could you share a Chinese version of WinDbg, or tell me how to switch it to Chinese? The one I downloaded from the Store is in English. Thanks.

@1789912406 Reporting in: there is no Chinese version anywhere in the world; Fawang rough-localized it himself.
Besides, a Chinese version would be no use to you: the built-in commands plus the pseudo-code add up to over a thousand entries,
and just localizing the help index took more than a day without finishing.
This post was last edited by 冥界3大法王 on 2022-2-25 18:35

To sum up: WinDbg Preview 1.1910.3003.0 is perfectly capable for debugging.
Best to debug inside a virtual machine, otherwise a blue screen may well be waiting for you.

This approach is quite interesting; learned something from the expert.
Learned from the expert.
Thanks for sharing.
Impressive 👍, thanks for sharing, boss.
Why can't I open my WinDbg at all? The one from the Microsoft Store.

pipiji233 posted on 2022-2-26 00:38:
Why can't I open my WinDbg at all? The one from the Microsoft Store.

@pipiji233 I downloaded a fresh copy myself and it turned out to be 1.2202.7001.0; it has more menu items than before.
@pipiji233 Now I understand why: it's a permissions problem. Copy it to another folder, then launch it from there, and it works normally.

Having to go through the Store just to launch a program, what on earth is that?