160 crackmes: cm042
It seems nobody has solved this one yet, so today I'll fill it in. The program is very simple; the disassembly follows.
defiler.2.exe: file format pei-i386
Disassembly of section .text:
00401000 <.text>:
401000: 6a 40 push $0x40
401002: 68 00 30 40 00 push $0x403000
401007: 68 1f 30 40 00 push $0x40301f
40100c: 6a 00 push $0x0
40100e: e8 0d 00 00 00 call 0x401020 <user32.MessageBoxA>
401013: 6a 00 push $0x0
401015: e8 00 00 00 00 call 0x40101a <kernel32.ExitProcess>
40101a: ff 25 00 20 40 00 jmp *0x402000
401020: ff 25 08 20 40 00 jmp *0x402008
The requirement is to remove the nag without patching the program. A fairly simple approach is to patch user32.dll instead.
The original entry of MessageBoxA is:
69e81290: 8b ff mov %edi,%edi
69e81292: 55 push %ebp
69e81293: 8b ec mov %esp,%ebp
69e81295: 83 3d 94 5c ea 69 00 cmpl $0x0,0x69ea5c94
69e8129c: 74 22 je 0x69e812c0
69e8129e: 64 a1 18 00 00 00 mov %fs:0x18,%eax
69e812a4: ba b0 61 ea 69 mov $0x69ea61b0,%edx
69e812a9: 8b 48 24 mov 0x24(%eax),%ecx
69e812ac: 33 c0 xor %eax,%eax
69e812ae: f0 0f b1 0a lock cmpxchg %ecx,(%edx)
69e812b2: 85 c0 test %eax,%eax
69e812b4: 75 0a jne 0x69e812c0
69e812b6: c7 05 00 5d ea 69 01 movl $0x1,0x69ea5d00
69e812bd: 00 00 00
69e812c0: 6a ff push $0xffffffff
69e812c2: 6a 00 push $0x0
69e812c4: ff 75 14 pushl 0x14(%ebp)
69e812c7: ff 75 10 pushl 0x10(%ebp)
69e812ca: ff 75 0c pushl 0xc(%ebp)
69e812cd: ff 75 08 pushl 0x8(%ebp)
69e812d0: e8 3b 02 00 00 call 0x69e81510 <user32.MessageBoxTimeoutA>
69e812d5: 5d pop %ebp
69e812d6: c2 10 00 ret $0x10
Change the entry to retn (ret $0x10, matching the function's own epilogue, so the four stdcall arguments are popped and the caller's stack stays balanced) and the nag is gone.
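To check that such an entry patch keeps the caller's stack balanced, here is an added Python script (mine, not from the post) that parses objdump-style listings like the ones above, counts the bytes the crackme pushes before `call MessageBoxA`, cross-checks them against the `ret $0x10` in the original function's epilogue, and emits the matching `ret imm16` bytes. The listing excerpts are embedded as constructed sample input taken from the post.

```python
import re

# Constructed sample input: caller excerpt from the crackme listing above.
CALLER = """\
401000: 6a 40 push $0x40
401002: 68 00 30 40 00 push $0x403000
401007: 68 1f 30 40 00 push $0x40301f
40100c: 6a 00 push $0x0
40100e: e8 0d 00 00 00 call 0x401020 <user32.MessageBoxA>
401013: 6a 00 push $0x0
401015: e8 00 00 00 00 call 0x40101a <kernel32.ExitProcess>
"""

# Constructed sample input: epilogue of the original MessageBoxA listing.
CALLEE = """\
69e812d0: e8 3b 02 00 00 call 0x69e81510 <user32.MessageBoxTimeoutA>
69e812d5: 5d pop %ebp
69e812d6: c2 10 00 ret $0x10
"""

# addr: hex bytes... mnemonic operands   (objdump AT&T syntax)
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(\S+)\s*(.*)$")

def parse(listing):
    """Yield (address, mnemonic, operands) for each instruction line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1), 16), m.group(3), m.group(4).strip()

def stack_arg_bytes(listing, callee):
    """Bytes the caller pushes for `callee` (32-bit: 4 per push/pushl)."""
    pushed = 0
    for _, mnem, ops in parse(listing):
        if mnem.startswith("push"):
            pushed += 4
        elif mnem == "call":
            if callee in ops:
                return pushed
            pushed = 0          # arguments of an earlier call, start over
    raise ValueError(f"no call to {callee} in listing")

def callee_ret_bytes(listing):
    """Immediate of the function's `ret $imm` (0 for a bare ret)."""
    for _, mnem, ops in parse(listing):
        if mnem == "ret":
            return int(ops.lstrip("$"), 16) if ops else 0
    raise ValueError("no ret in listing")

def ret_patch(n):
    """Encode the `ret` that pops n argument bytes: C3, or C2 iw."""
    return bytes([0xC3]) if n == 0 else bytes([0xC2]) + n.to_bytes(2, "little")

def entry_patch(caller, callee_name, callee):
    """Patch bytes for the callee's entry, only if caller and callee agree."""
    n = stack_arg_bytes(caller, callee_name)
    if n != callee_ret_bytes(callee):
        raise ValueError("stdcall cleanup mismatch between caller and callee")
    return ret_patch(n)
```

For the listing in the post this yields `c2 10 00`, the same bytes as the original function's final `ret $0x10`.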
DLL hijacking on Win10 has a lot of pitfalls; you have to remove the system DLL from the registry, or directly replace %WINDIR%\SysWoW64\user32.dll
Truly a master 666666666666666
Damn, the master is awesome. Learned something.
Impressive. Admire you, idol.
Master, it seems patching isn't allowed; patching the process (the reverser's process) is not allowed.
Maybe one could write a small process patcher running as a separate process, or a small vxd..