Hands-On Cracking Tutorial Series: Delphi Series, Lesson 3
【Software name】: RiskManager
【Author's e-mail】: 2714608453@qq.com
【Download】: http://www.paconsulting.net.au/uploads/setup.exe
【Software language】: Delphi
【Tools used】: OD (OllyDbg)
【Platform】: XP SP2
【Author's note】: Done purely out of interest, for no other purpose. Please point out any mistakes!
1. Checking for a packer
See figure 1:
Delphi, no doubt about it.
2. Analysis
Step 1:
The program has a 14-day trial period. The 14 days are computed from the creation and modification times of the following three files.
See figure 2:
So deleting these three files makes the program recount the trial period, and it can be used for free.
Step 2:
To skip the time dialog, only one registration flag needs to be changed. Whether the trial has expired or not, clicking the Try button after the time dialog always tests this flag.
Step 3:
Dual-process protection: the main program RiskManager.exe creates RiskManager_xshld4.exe with CreateProcessA and then attaches to it as a debugger. The code of RiskManager_xshld4 is incomplete, so it raises exceptions at run time; RiskManager.exe receives each exception and handles it, for example by writing the correct code bytes into the child, and then hands execution back to it.
3. Worked analysis
The code pattern that checks the creation and modification times looks like this:
0047A46F .8D85 34FFFFFF lea eax,dword ptr ss:
0047A475 .BA FADB9A00 mov edx,RiskMana.009ADBFA
0047A47A .E8 BD9AF8FF call <RiskMana.@@LStrFromPCharLen>
0047A47F .8D85 E4DDF9FF lea eax,dword ptr ss:
0047A485 .E8 06D4FDFF call RiskMana.00457890
0047A48A .FFB5 E4DDF9FF push dword ptr ss:
0047A490 .68 84DA4700 push RiskMana.0047DA84 ;\
0047A495 .FF75 CC push dword ptr ss:
0047A498 .8D85 ECDDF9FF lea eax,dword ptr ss:
0047A49E .BA 03000000 mov edx,0x3
0047A4A3 .E8 B09BF8FF call <RiskMana.合并?>
0047A4A8 .8B85 ECDDF9FF mov eax,dword ptr ss:
0047A4AE .E8 F9E6F8FF call <RiskMana.@FileAge获取文件创建时间>
0047A4B3 .84C0 test al,al
0047A4B5 .0F84 A9000000 je RiskMana.0047A564
At this point eax=00EEBA64, (ASCII "C:\Documents and Settings\All Users\Documents\{36c8a1524f83f4dd9c0876c205fb2f73}\RISKMANAGER.LIC")
If the trial has expired, execution enters the following code:
0047A8A3 .803D 0FDE9A00>cmp byte ptr ds:,0x1 ; a value of 1 means expired
0047A8AA .75 6C jnz short RiskMana.0047A918
0047A8AC .A1 3C3D4800 mov eax,dword ptr ds:
0047A8B1 .E8 6694F8FF call RiskMana.00403D1C
0047A8B6 .6A 00 push 0x0 ; /pPreviousCount = NULL
0047A8B8 .6A 01 push 0x1 ; |ReleaseCount = 0x1
0047A8BA .A1 E8009B00 mov eax,dword ptr ds:[<hSemaphore>] ; |
0047A8BF .50 push eax ; |hSemaphore = 00000001
0047A8C0 .E8 C7C4F8FF call <RiskMana.ReleaseSemaphore> ; \ReleaseSemaphore
0047A8C5 .8B45 FC mov eax,dword ptr ss:
0047A8C8 .E8 A3A7FFFF call <RiskMana.弹出过期对话框>
0047A8CD .A1 3C3D4800 mov eax,dword ptr ds:
0047A8D2 .8B00 mov eax,dword ptr ds:
0047A8D4 .BA 04DE4700 mov edx,<RiskMana.aRegistered_5> ;REGISTERED
0047A8D9 .E8 CA97F8FF call <RiskMana.@@LStrCmp> ; check whether this is the REGISTERED marker
0047A8DE .75 0C jnz short RiskMana.0047A8EC
0047A8E0 .C685 0FFFFFFF>mov byte ptr ss:,0x1 ; registered flag
0047A8E7 .E9 20240000 jmp RiskMana.0047CD0C
Set a breakpoint at 0047A8CD; clicking Try breaks there. NOP out 0047A8DE so that the flag gets assigned.
mov byte ptr ss:,0x1 is our flag.
If the trial has not expired, the code is as follows:
00474D71 .FF92 CC000000 call dword ptr ds:
00474D77 .E9 97000000 jmp RiskMana.00474E13
00474D7C >837D C4 00 cmp dword ptr ss:,0x0
00474D80 .0F8F 8D000000 jg RiskMana.00474E13
00474D86 .833D 74019B00>cmp dword ptr ds:,0x0
00474D8D .0F8F 80000000 jg RiskMana.00474E13
00474D93 .803D 22E19A00>cmp byte ptr ds:,0x1
00474D9A .75 15 jnz short RiskMana.00474DB1
00474D9C .837D C4 00 cmp dword ptr ss:,0x0
00474DA0 .75 0F jnz short RiskMana.00474DB1
00474DA2 .A1 4C3C4800 mov eax,dword ptr ds:
00474DA7 .8B00 mov eax,dword ptr ds:
00474DA9 .8B10 mov edx,dword ptr ds:
00474DAB .FF92 CC000000 call dword ptr ds: ; pop up the dialog, not expired
00474DB1 >803D 09019B00>cmp byte ptr ds:,0x1 ; a value of 1 keeps the original dialog
00474DB8 .75 0F jnz short RiskMana.00474DC9
00474DBA .A1 4C3C4800 mov eax,dword ptr ds:
00474DBF .8B00 mov eax,dword ptr ds:
00474DC1 .8B10 mov edx,dword ptr ds:
00474DC3 .FF92 CC000000 call dword ptr ds:
00474DC9 >833D A6FF9A00>cmp dword ptr ds:,0x0
00474DD0 .7E 41 jle short RiskMana.00474E13
To patch it directly so that no dialog appears at all, the code is as follows:
0047A433 > \833D 23E19A00>cmp dword ptr ds:,0x3
0047A43A .75 07 jnz short RiskMana.0047A443
0047A43C .C605 F8009B00>mov byte ptr ds:,0x1
0047A443 >833D 23E19A00>cmp dword ptr ds:,0x4
0047A44A .75 16 jnz short RiskMana.0047A462
0047A44C .C685 0FFFFFFF>mov byte ptr ss:,0x1
0047A453 .C705 23E19A00>mov dword ptr ds:,0x1
0047A45D .E9 AA280000 jmp RiskMana.0047CD0C
0047A462 >833D A2FE9A00>cmp dword ptr ds:,0x1
0047A469 .0F84 F5000000 je RiskMana.0047A564
0047A46F .8D85 34FFFFFF lea eax,dword ptr ss:
0047A475 .BA FADB9A00 mov edx,RiskMana.009ADBFA
0047A47A .E8 BD9AF8FF call <RiskMana.@@LStrFromPCharLen>
0047A47F .8D85 E4DDF9FF lea eax,dword ptr ss:
NOP out 0047A44A . /75 16 jnz short RiskMana.0047A462.
This is only a brief analysis. The code segment is very long and tedious, and I traced it for a long time; it sits in Form.Show. The check of the creation time and the writing of the registration information actually take a very long stretch of code, with MD5 and SHA1 mixed in; interested readers can trace it themselves.
4. On the dual process
Once all the checks above pass, the process is created; the code is as follows:
00476CFE .50 push eax ; |CommandLine = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
00476CFF .6A 00 push 0x0 ; |ModuleFileName = NULL
00476D01 .E8 36FEF8FF call <RiskMana.CreateProcessA> ; \CreateProcessA
00476D06 >8B85 78FFFFFF mov eax,dword ptr ss:
00476D0C .A3 D0DA9A00 mov dword ptr ds:,eax
00476D11 .8B85 70FFFFFF mov eax,dword ptr ss:
00476D17 .A3 F4009B00 mov dword ptr ds:,eax
00476D1C .6A 01 push 0x1 ; /Level = SLE_ERROR
00476D1E .E8 B107F9FF call <RiskMana.SetDebugErrorLevel> ; \SetDebugErrorLevel
00476D23 .8B85 78FFFFFF mov eax,dword ptr ss:
00476D29 .33D2 xor edx,edx
00476D2B .52 push edx
00476D2C .50 push eax
00476D2D .8D85 20E2F9FF lea eax,dword ptr ss:
00476D33 .E8 B01CF9FF call <RiskMana.转成十进制> ; convert the new process ID to decimal
00476D38 .8B95 20E2F9FF mov edx,dword ptr ss:
00476D3E .8B0D 3C3D4800 mov ecx,dword ptr ds: ;RiskMana.00484888
00476D44 .8B09 mov ecx,dword ptr ds:
00476D46 .B8 C4009B00 mov eax,RiskMana.009B00C4
00476D4B .E8 94D2F8FF call <RiskMana.@@LStrCat3>
00476D50 .A1 C4009B00 mov eax,dword ptr ds:
00476D55 .E8 02D4F8FF call <RiskMana.@@LStrToPChar>
00476D5A .50 push eax ; /MutexName = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
00476D5B .6A 01 push 0x1 ; |InitialOwner = TRUE
00476D5D .6A 00 push 0x0 ; |pSecurity = NULL
00476D5F .E8 D0FDF8FF call <RiskMana.CreateMutexA> ; \CreateMutexA
00476D64 .A3 C0009B00 mov dword ptr ds:[<hMutex>],eax ; create the mutex object
00476D69 .6A 40 push 0x40
00476D6B .8B45 FC mov eax,dword ptr ss:
00476D6E .8B48 2C mov ecx,dword ptr ds:
00476D71 .B2 01 mov dl,0x1
00476D73 .A1 8CF34000 mov eax,dword ptr ds: ;伢@
00476D78 .E8 3BB8F9FF call <RiskMana.unknown_libname_205>
00476D7D .8945 E0 mov dword ptr ss:,eax
00476D80 .8D95 D0FEFFFF lea edx,dword ptr ss:
00476D86 .B9 40000000 mov ecx,0x40
00476D8B .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476D8E .8B18 mov ebx,dword ptr ds:
00476D90 .FF53 04 call dword ptr ds:
00476D93 .33C9 xor ecx,ecx
00476D95 .8B95 0CFFFFFF mov edx,dword ptr ss:
00476D9B .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476D9E .8B18 mov ebx,dword ptr ds:
00476DA0 .FF53 0C call dword ptr ds:
00476DA3 .8D55 F4 lea edx,dword ptr ss:
00476DA6 .B9 04000000 mov ecx,0x4
00476DAB .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476DAE .8B18 mov ebx,dword ptr ds:
00476DB0 .FF53 04 call dword ptr ds:
00476DB3 .8D95 BCFEFFFF lea edx,dword ptr ss:
00476DB9 .B9 14000000 mov ecx,0x14
00476DBE .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476DC1 .8B18 mov ebx,dword ptr ds:
00476DC3 .FF53 04 call dword ptr ds:
00476DC6 .8D95 34E3F9FF lea edx,dword ptr ss:
00476DCC .B9 28000000 mov ecx,0x28
00476DD1 .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476DD4 .8B18 mov ebx,dword ptr ds:
00476DD6 .FF53 04 call dword ptr ds:
00476DD9 .8D95 5CE3F9FF lea edx,dword ptr ss:
00476DDF .B9 601B0600 mov ecx,0x61B60
00476DE4 .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476DE7 .8B18 mov ebx,dword ptr ds:
00476DE9 .FF53 04 call dword ptr ds:
00476DEC .8B45 F0 mov eax,dword ptr ss:
00476DEF .8D0480 lea eax,dword ptr ds:
00476DF2 .8B84C5 20E4F9>mov eax,dword ptr ss:
00476DF9 .A3 BC009B00 mov dword ptr ds:,eax
00476DFE .8D95 F4E2F9FF lea edx,dword ptr ss:
00476E04 .B9 40000000 mov ecx,0x40
00476E09 .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476E0C .8B18 mov ebx,dword ptr ds:
00476E0E .FF53 04 call dword ptr ds:
00476E11 .33C9 xor ecx,ecx
00476E13 .8B95 0CFFFFFF mov edx,dword ptr ss:
00476E19 .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476E1C .8B18 mov ebx,dword ptr ds:
00476E1E .FF53 0C call dword ptr ds:
00476E21 .BA 40BE9400 mov edx,RiskMana.0094BE40
00476E26 .B9 781B0600 mov ecx,0x61B78
00476E2B .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476E2E .8B18 mov ebx,dword ptr ds:
00476E30 .FF53 04 call dword ptr ds:
00476E33 .A1 68BE9400 mov eax,dword ptr ds:
00476E38 .A3 B8D99A00 mov dword ptr ds:,eax
00476E3D .A1 74BE9400 mov eax,dword ptr ds:
00476E42 .A3 C8DA9A00 mov dword ptr ds:,eax
00476E47 .8B45 E0 mov eax,dword ptr ss: ;RiskMana.00403842
00476E4A .E8 A9C2F8FF call RiskMana.004030F8
00476E4F .8B85 70FFFFFF mov eax,dword ptr ss:
00476E55 .A3 3CBE9400 mov dword ptr ds:,eax
00476E5A .A1 C8DA9A00 mov eax,dword ptr ds:
00476E5F .0305 BC009B00 add eax,dword ptr ds:
00476E65 .8945 E4 mov dword ptr ss:,eax
00476E68 .803D D8DA9A00>cmp byte ptr ds:,0x1
00476E6F .75 0E jnz short RiskMana.00476E7F
00476E71 .A1 C8DA9A00 mov eax,dword ptr ds:
00476E76 .0305 B8D99A00 add eax,dword ptr ds:
00476E7C .8945 E4 mov dword ptr ss:,eax
00476E7F >8B15 E83C4800 mov edx,dword ptr ds: ;tHH
00476E85 .8B12 mov edx,dword ptr ds:
00476E87 .8D85 20E2F9FF lea eax,dword ptr ss:
00476E8D .B9 C0754700 mov ecx,<RiskMana.aLicense_4> ;license
00476E92 .E8 4DD1F8FF call <RiskMana.@@LStrCat3>
00476E97 .8B85 20E2F9FF mov eax,dword ptr ss:
00476E9D .E8 0A1DF9FF call <RiskMana.@FileAge获取文件创建时间>
00476EA2 .84C0 test al,al
00476EA4 .74 23 je short RiskMana.00476EC9
00476EA6 .8B15 E83C4800 mov edx,dword ptr ds: ;tHH
00476EAC .8B12 mov edx,dword ptr ds:
00476EAE .8D85 20E2F9FF lea eax,dword ptr ss:
00476EB4 .B9 C0754700 mov ecx,<RiskMana.aLicense_4> ;license
00476EB9 .E8 26D1F8FF call <RiskMana.@@LStrCat3>
00476EBE .8B85 20E2F9FF mov eax,dword ptr ss:
00476EC4 .E8 BF1EF9FF call <RiskMana.删除文件>
00476EC9 >8B15 E83C4800 mov edx,dword ptr ds: ;tHH
00476ECF .8B12 mov edx,dword ptr ds:
00476ED1 .8D85 20E2F9FF lea eax,dword ptr ss:
00476ED7 .B9 D0754700 mov ecx,<RiskMana.aVlicense_0> ;vlicense
00476EDC .E8 03D1F8FF call <RiskMana.@@LStrCat3>
00476EE1 .8B85 20E2F9FF mov eax,dword ptr ss:
00476EE7 .E8 C01CF9FF call <RiskMana.@FileAge获取文件创建时间>
00476EEC .84C0 test al,al
00476EEE .74 23 je short RiskMana.00476F13
00476EF0 .8B15 E83C4800 mov edx,dword ptr ds: ;tHH
00476EF6 .8B12 mov edx,dword ptr ds:
00476EF8 .8D85 20E2F9FF lea eax,dword ptr ss:
00476EFE .B9 D0754700 mov ecx,<RiskMana.aVlicense_0> ;vlicense
00476F03 .E8 DCD0F8FF call <RiskMana.@@LStrCat3>
00476F08 .8B85 20E2F9FF mov eax,dword ptr ss:
00476F0E .E8 751EF9FF call <RiskMana.删除文件>
00476F13 >8D45 CC lea eax,dword ptr ss:
00476F16 .50 push eax ; /pOldProtect = 00ED5064
00476F17 .6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00476F19 .A1 D4DA9A00 mov eax,dword ptr ds:[<dwSize>] ; |
00476F1E .50 push eax ; |Size = ED5064 (15552612.)
00476F1F .8B45 E4 mov eax,dword ptr ss: ; |RiskMana.00400000
00476F22 .50 push eax ; |Address = 00ED5064
00476F23 .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00476F29 .50 push eax ; |hProcess = 00ED5064
00476F2A .E8 EDFEF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
00476F2F .A1 6C3E4800 mov eax,dword ptr ds:
00476F34 .C600 00 mov byte ptr ds:,0x0
00476F37 >C645 FB 00 mov byte ptr ss:,0x0
00476F3B .A1 6C3E4800 mov eax,dword ptr ds:
00476F40 .8038 00 cmp byte ptr ds:,0x0
00476F43 .75 0E jnz short RiskMana.00476F53
00476F45 .6A FF push -0x1 ; /Timeout = INFINITE
00476F47 .8D85 10FFFFFF lea eax,dword ptr ss: ; |
00476F4D .50 push eax ; |pDebugEvent = 00ED5064
00476F4E .E8 D9FEF8FF call <RiskMana.WaitForDebugEvent> ; \WaitForDebugEvent
00476F53 >A1 6C3E4800 mov eax,dword ptr ds:
00476F58 .8038 01 cmp byte ptr ds:,0x1
00476F5B .75 0E jnz short RiskMana.00476F6B
00476F5D .6A 64 push 0x64 ; /Timeout = 100. ms
00476F5F .8D85 10FFFFFF lea eax,dword ptr ss: ; |
00476F65 .50 push eax ; |pDebugEvent = 00ED5064
00476F66 .E8 C1FEF8FF call <RiskMana.WaitForDebugEvent> ; \WaitForDebugEvent
00476F6B >8B85 10FFFFFF mov eax,dword ptr ss:
00476F71 .48 dec eax ;Switch (cases 1..5)
00476F72 .0F84 87000000 je RiskMana.00476FFF
00476F78 .83E8 02 sub eax,0x2
00476F7B .74 0E je short RiskMana.00476F8B
00476F7D .83E8 02 sub eax,0x2
00476F80 .0F84 E1030000 je RiskMana.00477367
00476F86 .E9 0B050000 jmp RiskMana.00477496
00476F8B >837D DC 00 cmp dword ptr ss:,0x0 ;Case 3 of switch 00476F71
00476F8F .0F85 01050000 jnz RiskMana.00477496
00476F95 .C745 DC 01000>mov dword ptr ss:,0x1
00476F9C .8B85 78FFFFFF mov eax,dword ptr ss:
00476FA2 .50 push eax ; /ProcessId = 0xED5064
00476FA3 .E8 ACFBF8FF call <RiskMana.DebugActiveProcess> ; \DebugActiveProcess
00476FA8 .F7D8 neg eax ; attach itself as the debugger
00476FAA .1BC0 sbb eax,eax
00476FAC .F7D8 neg eax
00476FAE .8845 FA mov byte ptr ss:,al
00476FB1 .803D D8DA9A00>cmp byte ptr ds:,0x0 ;1
00476FB8 .0F85 D8040000 jnz RiskMana.00477496
00476FBE .8B85 74FFFFFF mov eax,dword ptr ss:
00476FC4 .50 push eax ; /hThread = 00ED5064
00476FC5 .E8 32FEF8FF call <RiskMana.SuspendThread> ; \SuspendThread
00476FCA .8D45 EC lea eax,dword ptr ss: ; suspend the thread
00476FCD .50 push eax ; /pBytesWritten = 00ED5064
00476FCE .A1 D4DA9A00 mov eax,dword ptr ds:[<dwSize>] ; |
00476FD3 .50 push eax ; |BytesToWrite = ED5064 (15552612.)
00476FD4 .68 E04B4800 push RiskMana.00484BE0 ; |Buffer = RiskMana.00484BE0
00476FD9 .8B45 E4 mov eax,dword ptr ss: ; |RiskMana.00400000
00476FDC .50 push eax ; |Address = 0xED5064
00476FDD .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00476FE3 .50 push eax ; |hProcess = 00ED5064
00476FE4 .E8 63FEF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
00476FE9 .E8 D25FF9FF call <RiskMana.unknown_libname_186> ; write the data
00476FEE .8B85 74FFFFFF mov eax,dword ptr ss:
00476FF4 .50 push eax ; /hThread = 00ED5064
00476FF5 .E8 9AFDF8FF call <RiskMana.ResumeThread> ; \ResumeThread
00476FFA .E9 97040000 jmp RiskMana.00477496 ; resume the thread
00476FFF >8B85 1CFFFFFF mov eax,dword ptr ss: ;Case 1 of switch 00476F71
00477005 .2D 03000080 sub eax,0x80000003
0047700A .0F85 4E030000 jnz RiskMana.0047735E
00477010 .6A 7B push 0x7B ; /Key = VK_F12
00477012 .E8 ED01F9FF call <RiskMana.GetAsyncKeyState> ; \GetAsyncKeyState
00477017 .66:85C0 test ax,ax
0047701A .0F8C C4020000 jl RiskMana.004772E4
00477020 .FF05 CC009B00 inc dword ptr ds:
00477026 .833D CC009B00>cmp dword ptr ds:,0x1
0047702D .0F8E B1020000 jle RiskMana.004772E4
00477033 .C705 CC009B00>mov dword ptr ds:,0x2
0047703D .803D 30BE9400>cmp byte ptr ds:,0x1
00477044 .0F85 97000000 jnz RiskMana.004770E1
0047704A .C605 30BE9400>mov byte ptr ds:,0x0
00477051 .8B85 74FFFFFF mov eax,dword ptr ss:
00477057 .50 push eax ; /hThread = 00ED5064
00477058 .E8 9FFDF8FF call <RiskMana.SuspendThread> ; \SuspendThread
0047705D .8D45 CC lea eax,dword ptr ss:
00477060 .50 push eax ; /pOldProtect = 00ED5064
00477061 .6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00477063 .68 00100000 push 0x1000 ; |Size = 1000 (4096.)
00477068 .A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
0047706D .50 push eax ; |Address = 00ED5064
0047706E .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00477074 .50 push eax ; |hProcess = 00ED5064
00477075 .E8 A2FDF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
0047707A .8D45 EC lea eax,dword ptr ss:
0047707D .50 push eax ; /pBytesWritten = 00ED5064
0047707E .A1 34BE9400 mov eax,dword ptr ds:[<nSize>] ; |
00477083 .50 push eax ; |BytesToWrite = ED5064 (15552612.)
00477084 .68 A8AA9400 push RiskMana.0094AAA8 ; |Buffer = RiskMana.0094AAA8
00477089 .A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
0047708E .50 push eax ; |Address = 0xED5064
0047708F .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00477095 .50 push eax ; |hProcess = 00ED5064
00477096 .E8 B1FDF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
0047709B .E8 205FF9FF call <RiskMana.unknown_libname_186>
004770A0 .8B45 EC mov eax,dword ptr ss: ;RiskMana.00402486
004770A3 .50 push eax ; /RegionSize = 0xED5064
004770A4 .A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
004770A9 .50 push eax ; |RegionBase = 00ED5064
004770AA .8B85 70FFFFFF mov eax,dword ptr ss: ; |
004770B0 .50 push eax ; |hProcess = 00ED5064
004770B1 .E8 0EFBF8FF call <RiskMana.FlushInstructionCache> ; \FlushInstructionCache
004770B6 .8D45 CC lea eax,dword ptr ss:
004770B9 .50 push eax ; /pOldProtect = 00ED5064
004770BA .8B45 CC mov eax,dword ptr ss: ; |
004770BD .50 push eax ; |NewProtect = PAGE_READWRITE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|MEM_COMMIT|MEM_DECOMMIT|MEM_FREE|MEM_MAPPED|SEC_FILE|680000
004770BE .68 00100000 push 0x1000 ; |Size = 1000 (4096.)
004770C3 .A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
004770C8 .50 push eax ; |Address = 00ED5064
004770C9 .8B85 70FFFFFF mov eax,dword ptr ss: ; |
004770CF .50 push eax ; |hProcess = 00ED5064
004770D0 .E8 47FDF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
004770D5 .8B85 74FFFFFF mov eax,dword ptr ss:
004770DB .50 push eax ; /hThread = 00ED5064
004770DC .E8 B3FCF8FF call <RiskMana.ResumeThread> ; \ResumeThread
004770E1 >C785 28E2F9FF>mov dword ptr ss:,0x10001
004770EB .8D85 28E2F9FF lea eax,dword ptr ss:
004770F1 .50 push eax ; /pContext = 00ED5064
004770F2 .8B85 74FFFFFF mov eax,dword ptr ss: ; |
004770F8 .50 push eax ; |hThread = 00ED5064
004770F9 .E8 8EFBF8FF call <RiskMana.GetThreadContext> ; \GetThreadContext
004770FE .8B85 74FFFFFF mov eax,dword ptr ss:
00477104 .50 push eax ; /hThread = 00ED5064
00477105 .E8 F2FCF8FF call <RiskMana.SuspendThread> ; \SuspendThread
0047710A .8D45 CC lea eax,dword ptr ss:
0047710D .50 push eax ; /pOldProtect = 00ED5064
0047710E .6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00477110 .68 00100000 push 0x1000 ; |Size = 1000 (4096.)
00477115 .8B85 E0E2F9FF mov eax,dword ptr ss: ; |
0047711B .48 dec eax ; |
0047711C .50 push eax ; |Address = 00ED5064
0047711D .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00477123 .50 push eax ; |hProcess = 00ED5064
00477124 .E8 F3FCF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
00477129 .8D45 E8 lea eax,dword ptr ss:
0047712C .50 push eax ; /pBytesRead = 00ED5064
0047712D .68 00100000 push 0x1000 ; |BytesToRead = 1000 (4096.)
00477132 .68 20979400 push RiskMana.00949720 ; |Buffer = RiskMana.00949720
00477137 .8B85 E0E2F9FF mov eax,dword ptr ss: ; |
0047713D .48 dec eax ; |
0047713E .50 push eax ; |pBaseAddress = 0xED5064
0047713F .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00477145 .50 push eax ; |hProcess = 00ED5064
00477146 .E8 31FCF8FF call <RiskMana.ReadProcessMemory> ; \ReadProcessMemory
0047714B .E8 705EF9FF call <RiskMana.unknown_libname_186>
00477150 .68 34BE9400 push offset <RiskMana.nSize> ; /pBytesRead = offset <RiskMana.nSize>
00477155 .68 00100000 push 0x1000 ; |BytesToRead = 1000 (4096.)
0047715A .68 A8AA9400 push RiskMana.0094AAA8 ; |Buffer = RiskMana.0094AAA8
0047715F .8B85 E0E2F9FF mov eax,dword ptr ss: ; |
00477165 .48 dec eax ; |
00477166 .50 push eax ; |pBaseAddress = 0xED5064
00477167 .8B85 70FFFFFF mov eax,dword ptr ss: ; |
0047716D .50 push eax ; |hProcess = 00ED5064
0047716E .E8 09FCF8FF call <RiskMana.ReadProcessMemory> ; \ReadProcessMemory
00477173 .E8 485EF9FF call <RiskMana.unknown_libname_186>
00477178 .8B85 E0E2F9FF mov eax,dword ptr ss:
0047717E .48 dec eax
0047717F .A3 38BE9400 mov dword ptr ds:[<lpAddress>],eax
00477184 .803D 20979400>cmp byte ptr ds:,0xCC
0047718B .75 15 jnz short RiskMana.004771A2
0047718D .803D 21979400>cmp byte ptr ds:,0x3
00477194 .74 0C je short RiskMana.004771A2
00477196 .8B85 74FFFFFF mov eax,dword ptr ss:
0047719C .50 push eax ; /hThread = 00ED5064
0047719D .E8 F2FBF8FF call <RiskMana.ResumeThread> ; \ResumeThread
004771A2 >803D 20979400>cmp byte ptr ds:,0xCC
004771A9 .0F85 35010000 jnz RiskMana.004772E4
004771AF .803D 21979400>cmp byte ptr ds:,0x3
004771B6 .0F85 28010000 jnz RiskMana.004772E4
004771BC .803D 22979400>cmp byte ptr ds:,0xD6
004771C3 .0F85 1B010000 jnz RiskMana.004772E4
004771C9 .803D 23979400>cmp byte ptr ds:,0xD7
004771D0 .0F85 0E010000 jnz RiskMana.004772E4
004771D6 .C745 D8 06000>mov dword ptr ss:,0x6
004771DD >8B45 D8 mov eax,dword ptr ss: ;RiskMana.00402485
004771E0 .80B8 1F979400>cmp byte ptr ds:,0xEB
004771E7 .75 24 jnz short RiskMana.0047720D
004771E9 .8B45 D8 mov eax,dword ptr ss: ;RiskMana.00402485
004771EC .80B8 20979400>cmp byte ptr ds:,0x3
004771F3 .75 18 jnz short RiskMana.0047720D
004771F5 .8B45 D8 mov eax,dword ptr ss: ;RiskMana.00402485
004771F8 .80B8 21979400>cmp byte ptr ds:,0xD6
004771FF .75 0C jnz short RiskMana.0047720D
00477201 .8B45 D8 mov eax,dword ptr ss: ;RiskMana.00402485
00477204 .80B8 22979400>cmp byte ptr ds:,0xD7
0047720B .74 0C je short RiskMana.00477219
0047720D >FF45 D8 inc dword ptr ss: ;RiskMana.00402485
00477210 .817D D8 01100>cmp dword ptr ss:,0x1001
00477217 .^ 75 C4 jnz short RiskMana.004771DD
00477219 >C605 20979400>mov byte ptr ds:,0xEB
00477220 .8B45 D8 mov eax,dword ptr ss: ;RiskMana.00402485
00477223 .48 dec eax
00477224 .83E8 06 sub eax,0x6
00477227 .7C 30 jl short RiskMana.00477259
00477229 .40 inc eax
0047722A .8945 C8 mov dword ptr ss:,eax
0047722D .C745 D4 06000>mov dword ptr ss:,0x6
00477234 >8B45 D4 mov eax,dword ptr ss:
00477237 .0FB680 1F9794>movzx eax,byte ptr ds:
0047723E .8945 D0 mov dword ptr ss:,eax
00477241 .8375 D0 02 xor dword ptr ss:,0x2
00477245 .8A45 D0 mov al,byte ptr ss:
00477248 .8B55 D4 mov edx,dword ptr ss:
0047724B .8882 1F979400 mov byte ptr ds:,al
00477251 .FF45 D4 inc dword ptr ss:
00477254 .FF4D C8 dec dword ptr ss:
00477257 .^ 75 DB jnz short RiskMana.00477234
00477259 >8D45 EC lea eax,dword ptr ss:
0047725C .50 push eax ; /pBytesWritten = 00ED5064
0047725D .8B45 E8 mov eax,dword ptr ss: ; |
00477260 .50 push eax ; |BytesToWrite = ED5064 (15552612.)
00477261 .68 20979400 push RiskMana.00949720 ; |Buffer = RiskMana.00949720
00477266 .8B85 E0E2F9FF mov eax,dword ptr ss: ; |
0047726C .48 dec eax ; |
0047726D .50 push eax ; |Address = 0xED5064
0047726E .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00477274 .50 push eax ; |hProcess = 00ED5064
00477275 .E8 D2FBF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
0047727A .E8 415DF9FF call <RiskMana.unknown_libname_186>
0047727F .FF8D E0E2F9FF dec dword ptr ss:
00477285 .8D85 28E2F9FF lea eax,dword ptr ss:
0047728B .50 push eax ; /pContext = 00ED5064
0047728C .8B85 74FFFFFF mov eax,dword ptr ss: ; |
00477292 .50 push eax ; |hThread = 00ED5064
00477293 .E8 44FBF8FF call <RiskMana.SetThreadContext> ; \SetThreadContext
00477298 .8B45 EC mov eax,dword ptr ss: ;RiskMana.00402486
0047729B .50 push eax ; /RegionSize = 0xED5064
0047729C .8B85 E0E2F9FF mov eax,dword ptr ss: ; |
004772A2 .48 dec eax ; |
004772A3 .50 push eax ; |RegionBase = 00ED5064
004772A4 .8B85 70FFFFFF mov eax,dword ptr ss: ; |
004772AA .50 push eax ; |hProcess = 00ED5064
004772AB .E8 14F9F8FF call <RiskMana.FlushInstructionCache> ; \FlushInstructionCache
004772B0 .8D45 CC lea eax,dword ptr ss:
004772B3 .50 push eax ; /pOldProtect = 00ED5064
004772B4 .8B45 CC mov eax,dword ptr ss: ; |
004772B7 .50 push eax ; |NewProtect = PAGE_READWRITE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|MEM_COMMIT|MEM_DECOMMIT|MEM_FREE|MEM_MAPPED|SEC_FILE|680000
004772B8 .68 00100000 push 0x1000 ; |Size = 1000 (4096.)
004772BD .8B85 E0E2F9FF mov eax,dword ptr ss: ; |
004772C3 .48 dec eax ; |
004772C4 .50 push eax ; |Address = 00ED5064
004772C5 .8B85 70FFFFFF mov eax,dword ptr ss: ; |
004772CB .50 push eax ; |hProcess = 00ED5064
004772CC .E8 4BFBF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
004772D1 .8B85 74FFFFFF mov eax,dword ptr ss:
004772D7 .50 push eax ; /hThread = 00ED5064
004772D8 .E8 B7FAF8FF call <RiskMana.ResumeThread> ; \ResumeThread
004772DD .C605 30BE9400>mov byte ptr ds:,0x1
004772E4 >803D D8DA9A00>cmp byte ptr ds:,0x1
004772EB .75 20 jnz short RiskMana.0047730D
004772ED .8D45 EC lea eax,dword ptr ss:
004772F0 .50 push eax ; /pBytesWritten = 00ED5064
004772F1 .6A 04 push 0x4 ; |BytesToWrite = 0x4
004772F3 .68 E04B4800 push RiskMana.00484BE0 ; |Buffer = RiskMana.00484BE0
004772F8 .8B45 E4 mov eax,dword ptr ss: ; |RiskMana.00400000
004772FB .50 push eax ; |Address = 0xED5064
004772FC .8B85 70FFFFFF mov eax,dword ptr ss: ; |
00477302 .50 push eax ; |hProcess = 00ED5064
00477303 .E8 44FBF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
00477308 .E8 B35CF9FF call <RiskMana.unknown_libname_186>
0047730D >833D CC009B00>cmp dword ptr ds:,0x1
00477314 .75 09 jnz short RiskMana.0047731F
00477316 .803D F8009B00>cmp byte ptr ds:,0x0
0047731D .75 04 jnz short RiskMana.00477323
0047731F >33C0 xor eax,eax
00477321 .EB 02 jmp short RiskMana.00477325
00477323 >B0 01 mov al,0x1
00477325 >84C0 test al,al
00477327 .75 15 jnz short RiskMana.0047733E
00477329 .A1 D84B4800 mov eax,dword ptr ds:
0047732E .8B80 C4020000 mov eax,dword ptr ds:
00477334 .BA B80B0000 mov edx,0xBB8
00477339 .E8 1A26FEFF call <RiskMana.@THTMLTableAttributes@Set>
0047733E >803D F8009B00>cmp byte ptr ds:,0x1
00477345 .75 17 jnz short RiskMana.0047735E
00477347 .A1 D84B4800 mov eax,dword ptr ds:
0047734C .8078 47 01 cmp byte ptr ds:,0x1
00477350 .75 0C jnz short RiskMana.0047735E
00477352 .33D2 xor edx,edx
00477354 .A1 D84B4800 mov eax,dword ptr ds:
00477359 .E8 DE9BFCFF call RiskMana.00440F3C
0047735E >C645 FB 01 mov byte ptr ss:,0x1
00477362 .E9 2F010000 jmp RiskMana.00477496
00477367 >8B85 14FFFFFF mov eax,dword ptr ss: ;Case 5 of switch 00476F71
0047736D .3B85 78FFFFFF cmp eax,dword ptr ss:
00477373 .0F85 1D010000 jnz RiskMana.00477496
00477379 .A1 7C019B00 mov eax,dword ptr ds:[<lpNewFileName>]
0047737E .E8 11C5FFFF call RiskMana.00473894
00477383 .84C0 test al,al
00477385 .0F84 D1000000 je RiskMana.0047745C
0047738B .33C0 xor eax,eax
0047738D .55 push ebp
0047738E .68 52744700 push RiskMana.00477452
00477393 .64:FF30 push dword ptr fs:
00477396 .64:8920 mov dword ptr fs:,esp
00477399 .6A 00 push 0x0
0047739B .8D85 20E2F9FF lea eax,dword ptr ss:
004773A1 .B9 E4754700 mov ecx,RiskMana.004775E4 ;\netctrl.ini
004773A6 .8B15 7C019B00 mov edx,dword ptr ds:[<lpNewFileName>]
004773AC .E8 33CCF8FF call <RiskMana.@@LStrCat3>
004773B1 .8B85 20E2F9FF mov eax,dword ptr ss:
004773B7 .E8 A0CDF8FF call <RiskMana.@@LStrToPChar>
004773BC .50 push eax
004773BD .8B15 243F4800 mov edx,dword ptr ds: ;RiskMana.004848A0
004773C3 .8B12 mov edx,dword ptr ds:
004773C5 .8D85 1CE2F9FF lea eax,dword ptr ss:
004773CB .B9 E4754700 mov ecx,RiskMana.004775E4 ;\netctrl.ini
004773D0 .E8 0FCCF8FF call <RiskMana.@@LStrCat3>
004773D5 .8B85 1CE2F9FF mov eax,dword ptr ss:
004773DB .E8 7CCDF8FF call <RiskMana.@@LStrToPChar>
004773E0 .50 push eax ; |ExistingFileName = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
004773E1 .E8 36F7F8FF call <RiskMana.CopyFileA> ; \CopyFileA
004773E6 .6A 00 push 0x0
004773E8 .FF35 7C019B00 push dword ptr ds:[<lpNewFileName>]
004773EE .68 FC754700 push RiskMana.004775FC ;\
004773F3 .FF35 80019B00 push dword ptr ds: ;T项
004773F9 .8D85 20E2F9FF lea eax,dword ptr ss:
004773FF .BA 03000000 mov edx,0x3
00477404 .E8 4FCCF8FF call <RiskMana.合并?>
00477409 .8B85 20E2F9FF mov eax,dword ptr ss:
0047740F .E8 48CDF8FF call <RiskMana.@@LStrToPChar>
00477414 .50 push eax
00477415 .A1 243F4800 mov eax,dword ptr ds:
0047741A .FF30 push dword ptr ds:
0047741C .68 FC754700 push RiskMana.004775FC ;\
00477421 .FF35 80019B00 push dword ptr ds: ;T项
00477427 .8D85 1CE2F9FF lea eax,dword ptr ss:
0047742D .BA 03000000 mov edx,0x3
00477432 .E8 21CCF8FF call <RiskMana.合并?>
00477437 .8B85 1CE2F9FF mov eax,dword ptr ss:
0047743D .E8 1ACDF8FF call <RiskMana.@@LStrToPChar>
00477442 .50 push eax ; |ExistingFileName = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
00477443 .E8 D4F6F8FF call <RiskMana.CopyFileA> ; \CopyFileA
00477448 .33C0 xor eax,eax
0047744A .5A pop edx
0047744B .59 pop ecx
0047744C .59 pop ecx
0047744D .64:8910 mov dword ptr fs:,edx
00477450 .EB 0A jmp short RiskMana.0047745C
00477452 .^ E9 F9C0F8FF jmp RiskMana.00403550
00477457 .E8 A4C3F8FF call <RiskMana.@@DoneExcept>
0047745C >A1 6C3E4800 mov eax,dword ptr ds:
00477461 .C600 01 mov byte ptr ds:,0x1
00477464 .833D C0009B00>cmp dword ptr ds:[<hMutex>],0x0
0047746B .76 0B jbe short RiskMana.00477478
0047746D .A1 C0009B00 mov eax,dword ptr ds:[<hMutex>]
00477472 .50 push eax ; /hMutex = 00ED5064
00477473 .E8 0CF9F8FF call <RiskMana.ReleaseMutex> ; \ReleaseMutex
00477478 >803D F8009B00>cmp byte ptr ds:,0x1
0047747F .75 15 jnz short RiskMana.00477496
00477481 .A1 D84B4800 mov eax,dword ptr ds:
00477486 .8B80 C4020000 mov eax,dword ptr ds:
0047748C .BA 64000000 mov edx,0x64
00477491 .E8 C224FEFF call <RiskMana.@THTMLTableAttributes@Set>
00477496 >807D FB 00 cmp byte ptr ss:,0x0 ;Default case of switch 00476F71
0047749A .74 50 je short RiskMana.004774EC
0047749C .81BD 1CFFFFFF>cmp dword ptr ss:,0x80000003
004774A6 .75 22 jnz short RiskMana.004774CA
004774A8 .68 02000100 push 0x10002 ; /ContinueStatus = DBG_CONTINUE
004774AD .8B85 18FFFFFF mov eax,dword ptr ss: ; |
004774B3 .50 push eax ; |ThreadId = 0xED5064
004774B4 .8B85 14FFFFFF mov eax,dword ptr ss: ; |
004774BA .50 push eax ; |ProcessId = 0xED5064
004774BB .E8 54F6F8FF call <RiskMana.ContinueDebugEvent> ; \ContinueDebugEvent
004774C0 .E8 FB5AF9FF call <RiskMana.unknown_libname_186>
004774C5 .^ E9 6DFAFFFF jmp RiskMana.00476F37
004774CA >68 01000180 push 0x80010001 ; /ContinueStatus = DBG_EXCEPTION_NOT_HANDLED
004774CF .8B85 18FFFFFF mov eax,dword ptr ss: ; |
004774D5 .50 push eax ; |ThreadId = 0xED5064
004774D6 .8B85 14FFFFFF mov eax,dword ptr ss: ; |
004774DC .50 push eax ; |ProcessId = 0xED5064
004774DD .E8 32F6F8FF call <RiskMana.ContinueDebugEvent> ; \ContinueDebugEvent
004774E2 .E8 D95AF9FF call <RiskMana.unknown_libname_186>
004774E7 .^ E9 4BFAFFFF jmp RiskMana.00476F37
004774EC >68 02000100 push 0x10002 ; /ContinueStatus = DBG_CONTINUE
004774F1 .8B85 18FFFFFF mov eax,dword ptr ss: ; |
004774F7 .50 push eax ; |ThreadId = 0xED5064
004774F8 .8B85 14FFFFFF mov eax,dword ptr ss: ; |
004774FE .50 push eax ; |ProcessId = 0xED5064
004774FF .E8 10F6F8FF call <RiskMana.ContinueDebugEvent> ; \ContinueDebugEvent
00477504 .E8 B75AF9FF call <RiskMana.unknown_libname_186> ; return
00477509 .^ E9 29FAFFFF jmp RiskMana.00476F37
0047750E .33C0 xor eax,eax
00477510 .5A pop edx
00477511 .59 pop ecx
00477512 .59 pop ecx
00477513 .64:8910 mov dword ptr fs:,edx
00477516 .^ E9 05C1F8FF jmp RiskMana.00403620
The flow is roughly as follows:
First CreateProcessA creates the process, then CreateMutexA creates a mutex object, then VirtualProtectEx makes the child's code section writable, and then DebugActiveProcess attaches the parent as a debugger. When the child faults, the parent receives the exception with WaitForDebugEvent and handles it accordingly.
For example, the following two handlers use WriteProcessMemory to write data from the parent process into the child:
00476FE4: writes data block 1 into the child
Data address 1:
child process: 00401000+01C5E10=5C6E10
parent process: 00484BE0+01C5E10=64A9F0
00477BE7: writes data block 2 into the child
child process: 005C6CF8+08=5C6D00
parent process: 00484BE0+08=484BE8
So extracting the child process on its own takes a fair amount of work.
Finally, this program was provided by @wjl, thanks!
PS: after patching, rename the program back to its original name, otherwise it reports an error.
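The parent's debug loop (00476F37 to 00477509) is easier to follow as a state machine: which dwDebugEventCode values the switch handles, how it tells the loader's initial int3 from its own stubs, and which ContinueStatus it hands back for each case. The model below is an added Python illustration, not code from RiskManager or its author. The constants are the documented Windows debugging-API values; the event stream, the pid and the action labels are constructed for the example, and the marker bytes are the ones the dump compares at 00477184 to 004771D0.

```python
"""Model of the parent-side debug loop at 00476F37..00477509.

Added illustration, not code from RiskManager. The constants are the
documented Windows debugging-API values; the event stream in
example_session() and the action labels are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# dwDebugEventCode values (minwinbase.h); the dump's switch handles 1, 3 and 5
EXCEPTION_DEBUG_EVENT = 1
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_PROCESS_DEBUG_EVENT = 5

# NTSTATUS raised by int3 (0xCC), and the two ContinueStatus values pushed
# at 004774A8 / 004774EC (DBG_CONTINUE) and 004774CA (not handled)
EXCEPTION_BREAKPOINT = 0x80000003
DBG_CONTINUE = 0x00010002
DBG_EXCEPTION_NOT_HANDLED = 0x80010001

# The parent reads 0x1000 bytes from EIP-1 and compares the first four with
# CC 03 D6 D7; this is how it recognises its own stubs among int3 hits.
STUB_MARKER = bytes([0xCC, 0x03, 0xD6, 0xD7])


@dataclass
class DebugEvent:
    code: int                           # dwDebugEventCode
    process_id: int                     # dwProcessId
    exception_code: int = 0             # ExceptionCode, only for code == 1
    memory_at_eip_minus_1: bytes = b""  # what ReadProcessMemory returned


@dataclass
class ParentState:
    child_pid: int
    attached: bool = False        # local set once in case 3 (DebugActiveProcess)
    breakpoints_seen: int = 0     # counter at 009B00CC, capped at 2 by the dump
    child_exited: bool = False
    actions: List[str] = field(default_factory=list)


def handle_event(ev: DebugEvent, st: ParentState) -> int:
    """Return the ContinueStatus passed to ContinueDebugEvent for one event."""
    if ev.code == CREATE_PROCESS_DEBUG_EVENT:
        # Case 3: attach and write the initial image into the child
        # (SuspendThread / WriteProcessMemory / ResumeThread), once only.
        if not st.attached:
            st.attached = True
            st.actions.append("attach+write_initial_image")
        return DBG_CONTINUE

    if ev.code == EXCEPTION_DEBUG_EVENT:
        # Case 1: anything other than a breakpoint goes back to the child
        if ev.exception_code != EXCEPTION_BREAKPOINT:
            return DBG_EXCEPTION_NOT_HANDLED
        st.breakpoints_seen = min(st.breakpoints_seen + 1, 2)
        if st.breakpoints_seen <= 1:
            # the first int3 is the loader's initial breakpoint, not a stub
            st.actions.append("skip_initial_breakpoint")
            return DBG_CONTINUE
        if ev.memory_at_eip_minus_1.startswith(STUB_MARKER):
            # stub recognised: the dump rewrites it, then SetThreadContext,
            # FlushInstructionCache and ResumeThread
            st.actions.append("patch_stub")
        else:
            st.actions.append("foreign_breakpoint")
        return DBG_CONTINUE

    if ev.code == EXIT_PROCESS_DEBUG_EVENT:
        # Case 5: only the child's own exit triggers the cleanup and ReleaseMutex
        if ev.process_id == st.child_pid:
            st.child_exited = True
            st.actions.append("cleanup+release_mutex")
        return DBG_CONTINUE

    # default case: the "handled" local is still 0, the event is just continued
    return DBG_CONTINUE


def run_loop(events: List[DebugEvent], st: ParentState) -> List[int]:
    """Feed an event stream through handle_event; return the statuses used."""
    statuses = []
    for ev in events:
        statuses.append(handle_event(ev, st))
        if st.child_exited:
            break
    return statuses


def example_session(child_pid: int = 0x1234) -> Tuple[ParentState, List[int]]:
    """Constructed stream: create, loader int3, one stub int3, an access
    violation the parent does not own, then the child's exit."""
    events = [
        DebugEvent(CREATE_PROCESS_DEBUG_EVENT, child_pid),
        DebugEvent(EXCEPTION_DEBUG_EVENT, child_pid, EXCEPTION_BREAKPOINT, b"\xcc\x90\x90\x90"),
        DebugEvent(EXCEPTION_DEBUG_EVENT, child_pid, EXCEPTION_BREAKPOINT, STUB_MARKER + b"\x00" * 12),
        DebugEvent(EXCEPTION_DEBUG_EVENT, child_pid, 0xC0000005),
        DebugEvent(EXIT_PROCESS_DEBUG_EVENT, child_pid),
    ]
    st = ParentState(child_pid=child_pid)
    return st, run_loop(events, st)


if __name__ == "__main__":
    state, statuses = example_session()
    for action, status in zip(state.actions, statuses):
        print(f"{action:28s} -> {status:#010x}")
```

The model leaves out the GetAsyncKeyState(VK_F12) test at 00477010 and the stub-body rewrite itself; the point it makes is why the child cannot run on its own: every int3 stub is only ever replaced by the parent inside the EXCEPTION_DEBUG_EVENT branch, so without that parent the breakpoint exceptions go unhandled.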
Thanks for sharing the tutorial. Same as always, the second seat is mine.
Thanks for sharing!!
Is there a prize for the front-row sofa?
Thanks, master, running over to learn.
Bump!!
Thanks for sharing, came to take a look. At a glance this seems easier than the last lesson! I'll add the CB and the thanks tomorrow!
I want to know how to become a master like OP.
Thanks OP for making a tutorial out of the program I asked about.
The window height of JBL Risk Manager is poorly designed; it doesn't adapt to the screen resolution. Can this window attribute be changed? Where?