【D01E04】电子管 反破解教程之四【隐藏API入口,Anti OD的API断点】
本帖最后由 dianziguan 于 2013-7-21 15:12 编辑
隐藏API入口,让od的api断点失效。
这样,BP MessageBoxA会跑飞了的。
偶然发现几乎所有的API入口都是MOV EDI,EDI这一句废话,针对这一点,改变调用地址,起到对抗API断点的作用。
完整源代码如下:
.386
.model flat,stdcall
option casemap:none
; Build prerequisites: the masm32 package installed at \masm32 (all include
; and library paths below are absolute). windows.inc comes first because the
; per-DLL .inc files use its definitions. Nothing in this listing references
; advapi32 or oleaut32; those two include/includelib pairs are unused.
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \MASM32\LIB\oleaut32.lib
include \MASM32\include\oleaut32.inc
; Dialog procedure (stdcall): hWnd, uMsg, wParam, lParam. Defined below.
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
.data
; Only referenced by the commented-out SetDlgItemText in DlgProc; nothing
; reads it at run time (the message box reuses mesbok_1 as its caption).
AppName db "注册程序,(C)电子管 2012.07.19",0
DlgName db "MyDialog",0                  ; dialog template name; must match rsrc.rc
dllname1 db "user32.dll",0
dllname2 db "kernel32.dll",0
; Export names handed to GetProcAddress. These APIs are resolved at run time
; instead of through the import table.
tDialogBoxParam db "DialogBoxParamA",0
tExitProcess db "ExitProcess",0
tEndDialog db "EndDialog",0
tGetDlgItemText db "GetDlgItemTextA",0
tGetModuleHandle db "GetModuleHandleA",0
tMessageBoxA db "MessageBoxA",0
tLoadLibrary db "LoadLibraryA",0
taGetProcAddress db "GetProcAddress",0
; Expected self-check value: (byte sum over [start, f_1)) + 36363636h, as
; computed by DlgProc on WM_INITDIALOG. It is valid for exactly one build of
; the code bytes; recompute it whenever anything in that range changes.
chck2 dd 363734a1h
.data?
hInstance HINSTANCE ?
; Three adjacent dwords used as a jump table indexed by 0/4/8 (see DlgProc):
; they receive the addresses of err_1, ok_1 and ok_2. Do not reorder or
; separate them.
err1 dd ?
ok1 dd ?
ok2 dd ?
; Success text assembled at run time (8 bytes via two stosd); bytes 8-9 are
; never written and stay zero (.data? is zero-filled), terminating the string.
mesbok_1 db 10 dup(?)
regbuffer1 db 512 dup(?)                 ; GetDlgItemTextA buffer; 512 is the size passed
; Resolved API addresses. aGetModuleHandle holds the statically linked symbol;
; every other slot holds export address + 2, i.e. just past the 2-byte
; `mov edi,edi` hot-patch prologue, so calls enter two bytes into the function.
aGetModuleHandle dd ?
aLoadLibrary dd ?
dllhnd1 dd ?                             ; user32.dll module handle
dllhnd2 dd ?                             ; kernel32.dll module handle
aDialogBoxParam dd ?
aGetDlgItemText dd ?
aEndDialog dd ?
aMessageBoxA dd ?
aExitProcess dd ?
aGetProcAddress dd ?
chck1 dd ?                               ; checksum computed at WM_INITDIALOG
.const
; Control ids; must match the #defines in rsrc.rc.
IDC_EDIT2 equ 3800
IDC_EDIT3 equ 3801
IDC_BUTTON equ 3001
IDC_EXIT equ 3002
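.code
;-----------------------------------------------------------------------
; start — program entry point.
; Resolves every Win32 API it needs at run time and stores each address as
; export+2, i.e. just past the 2-byte `mov edi,edi` hot-patch prologue. A
; debugger breakpoint placed on the exported entry (e.g. "BP MessageBoxA")
; is therefore never reached, because control enters two bytes in.
; CAVEAT: this assumes every export used here begins with `mov edi,edi`.
; That is a property of particular Windows builds, not an API contract; on a
; build where an export lacks it, entering at +2 corrupts execution.
; Only GetModuleHandleA and GetProcAddress are referenced as link-time
; symbols (the two `mov aXxx,Yyy` immediates below); everything else is
; looked up through GetProcAddress. For an analyst the tell-tale signs are
; the `add eax,2` after each lookup and the push-return-label / jmp sequences.
; Every byte from `start` to `f_1` is summed by DlgProc (WM_INITDIALOG) and
; compared with chck2: any change to the instructions below — including
; "idiomatic" rewrites of equivalent forms — changes that sum.
; Call pattern used for the jmp sites: push args, push the return label, jmp
; to the API. That is the stack layout a `call` would leave, without a CALL.
;-----------------------------------------------------------------------
start:  ;LoadLibrary GetProcAddress
        ; hInstance = GetModuleHandleA(NULL), entered via jmp with a hand-pushed return address
        mov     aGetModuleHandle,GetModuleHandle   ; statically linked symbol
        push    0
        push    offset loc_1                        ; return address for the API
        mov     eax,aGetModuleHandle
        jmp     eax
        ;invoke GetModuleHandle, NULL
loc_1:
        mov     hInstance,eax
        ; dllhnd2 = GetModuleHandleA("kernel32.dll")
        mov     aGetModuleHandle,GetModuleHandle
        push    offset dllname2
        push    offset loc_2
        mov     eax,aGetModuleHandle
        jmp     eax
        ;invoke GetModuleHandle, addr dllname2
loc_2:
        mov     dllhnd2,eax
        ; aLoadLibrary = GetProcAddress(kernel32, "LoadLibraryA") + 2
        mov     aGetProcAddress,GetProcAddress      ; link-time symbol, used for the first two lookups only
        push    offset tLoadLibrary
        push    dllhnd2
        push    offset loc_4
        mov     eax,aGetProcAddress
        jmp     eax
        ;invoke GetProcAddress,dllhnd2,addr tLoadLibrary
loc_4:  add     eax,2                               ; skip `mov edi,edi`
        mov     aLoadLibrary,eax
        ; aGetProcAddress = GetProcAddress(kernel32, "GetProcAddress") + 2 (ordinary call this time)
        push    offset taGetProcAddress
        push    dllhnd2
        mov     eax,aGetProcAddress
        call    eax
loc_6:
        add     eax,2
        mov     aGetProcAddress,eax                 ; from here on the +2 entry is used
        ; dllhnd1 = LoadLibraryA("user32.dll")
        push    offset dllname1
        mov     eax,aLoadLibrary
        call    eax
        ;invoke LoadLibrary,addr dllname1
        mov     dllhnd1,eax
        ; aDialogBoxParam = GetProcAddress(user32, "DialogBoxParamA") + 2
        push    offset tDialogBoxParam
        push    dllhnd1
        call    aGetProcAddress                     ; indirect call through the stored pointer
        ;invoke GetProcAddress,dllhnd1,addr tDialogBoxParam
        add     eax,2
        mov     aDialogBoxParam,eax
        ; aEndDialog = GetProcAddress(user32, "EndDialog") + 2
        push    offset tEndDialog
        push    dllhnd1
        mov     eax, aGetProcAddress
        call    eax
        add     eax,2
        ;invoke GetProcAddress,dllhnd1,addr tEndDialog
        mov     aEndDialog,eax
        ; aGetDlgItemText = GetProcAddress(user32, "GetDlgItemTextA") + 2
        push    offset tGetDlgItemText
        push    dllhnd1
        mov     eax,aGetProcAddress
        call    eax
        ;invoke GetProcAddress,dllhnd1,addr tGetDlgItemText
        inc     eax                                 ; +2 spelled as inc+add; the bytes are checksummed, keep as is
        add     eax,1
        mov     aGetDlgItemText,eax
        ; aMessageBoxA = GetProcAddress(user32, "MessageBoxA") + 2
        push    offset tMessageBoxA
        push    dllhnd1
        mov     eax,aGetProcAddress
        call    eax
        ;invoke GetProcAddress,dllhnd1,addr tMessageBoxA
        add     eax,1                               ; +2 spelled as add+inc; same remark
        inc     eax
        mov     aMessageBoxA,eax
        ; aExitProcess = GetProcAddress(kernel32, "ExitProcess") + 2
        push    offset tExitProcess
        push    dllhnd2
        mov     eax, aGetProcAddress
        call    eax
        ;invoke GetProcAddress,dllhnd2,addr tExitProcess
        add     eax,2
        mov     aExitProcess,eax
        ; DialogBoxParamA(hInstance, "MyDialog", NULL, DlgProc, 0); returns to loc_3
        push    0
        push    offset DlgProc
        push    0
        push    offset DlgName
        push    hInstance
        mov     eax,aDialogBoxParam
        push    offset loc_3
        jmp     eax
        ;invoke DialogBoxParam, hInstance, ADDR DlgName,NULL,addr DlgProc,NULL
        ; Reached only on the WM_CLOSE / IDC_EXIT paths (the register button
        ; paths call ExitProcess inside DlgProc). eax = DialogBoxParam result,
        ; handed back to the start-up stub that called the entry point.
loc_3:  ret     ;invoke ExitProcess,eax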
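;-----------------------------------------------------------------------
; DlgProc — dialog procedure for "MyDialog".
; stdcall; hWnd, uMsg, wParam, lParam as for any window procedure.
; Returns TRUE (eax) when the message was handled, FALSE otherwise.
; WM_INITDIALOG : sums every code byte in [start, f_1) into chck1.
; WM_CLOSE      : EndDialog(hWnd, 0).
; WM_COMMAND    : IDC_BUTTON checks the text of IDC_EDIT3 (stage 1) and then
;                 chck1 against chck2 (stage 2); success shows a message box,
;                 both outcomes end with EndDialog + ExitProcess. IDC_EXIT
;                 closes the dialog.
; Register use  : edi carries chck1 across the IDC_BUTTON branch; esi is
;                 pushed at lloc_3 and popped on both outcome paths
;                 (err_1 and ok_2).
; NOTE(review): esi and edi are callee-saved for a Win32 window procedure and
; are clobbered here (esi by the WM_INITDIALOG loop, edi in IDC_BUTTON and
; ok_2) without being preserved. `DlgProc proc uses esi edi ...` would fix
; that, but it changes prologue bytes inside the checksummed range, so chck2
; would have to be recomputed at the same time — left unchanged here.
; Outcome dispatch: instead of a conditional jump, ZF is extracted from
; EFLAGS (bit 6 = 40h), scaled to 0/4 or 0/8 and used as an offset into the
; adjacent dwords err1/ok1/ok2, which hold the target labels. The two
; `mov eax,[eax]` loads below are that table lookup (the listing as posted
; had lost the brackets).
;-----------------------------------------------------------------------
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.IF uMsg==WM_INITDIALOG
        ; invoke SetDlgItemText,hWnd,IDC_EDIT2,ADDR AppName
        ; Self-check: chck1 = (sum of bytes from start to f_1) + 36363636h.
        ; Anything that alters a byte in that range — a patch, or a software
        ; breakpoint written into the code — changes the sum, and stage 2 of
        ; the IDC_BUTTON path then rejects even a correct entry.
        cld
        mov     esi,offset start
        mov     ecx,offset f_1
        sub     ecx,esi                 ; ecx = byte count of the checksummed range
        mov     edx,0                   ; edx = running sum
        mov     eax,0                   ; lodsb writes only al; keep the upper bytes zero
lloc_1: lodsb
        add     edx,eax
        loop    lloc_1
        add     edx,36363636h
        mov     chck1,edx               ; checksum
        nop
        nop
.ELSEIF uMsg== WM_CLOSE
        push    0
        push    hWnd
        mov     eax,aEndDialog
        call    eax
        ;invoke EndDialog, hWnd,NULL
.ELSEIF uMsg==WM_COMMAND
        mov     edx,wParam
        mov     eax,edx
        shr     edx,16                  ; dx = notification code, ax = control id
        .if dx==BN_CLICKED
        .IF ax==IDC_BUTTON
                mov     edi,chck1       ; edi = computed checksum, live until ok_1
                ; fill the dispatch table: err1 -> err_1, ok1 -> ok_1, ok2 -> ok_2
                mov     eax,offset ok_1
                mov     ok1,eax
                mov     eax,offset ok_2
                mov     ok2,eax
                mov     eax,offset err_1
                mov     err1,eax
                ;invoke GetDlgItemText,hWnd,IDC_EDIT3,ADDR regbuffer1,512
                push    512
                push    offset regbuffer1
                push    IDC_EDIT3
                push    hWnd
                push    offset lloc_3   ; return address for the API
                mov     eax,aGetDlgItemText
                nop
                jmp     eax
lloc_3:         push    esi
                ; Stage 1: take the first 8 bytes of the entry as two dwords,
                ; subtract ASCII '0' from every byte, add the two, and test
                ; the result against 09090909h. ZF is set only on an exact match.
                mov     esi,offset regbuffer1
                cld
                lodsd
                sub     eax,30303030h
                push    eax
                pop     edx             ; edx = first dword minus '0000'
                lodsd
                sub     eax,30303030h
                add     eax,edx
                sub     eax,09090909h   ; ZF <- (sum == 09090909h)
                pushfd
                pop     eax
                and     eax,40h         ; isolate ZF (EFLAGS bit 6)
                shr     eax,4           ; 0 or 4 = table offset (err1 / ok1)
                mov     edx,offset err1
                add     eax,edx
                mov     eax,[eax]       ; load the label stored in that slot
                jmp     eax
err_1:
                pop     esi
                ;invoke MessageBoxA,NULL,ADDR mesberr_1,ADDR AppName,MB_OK
                ; (no failure message is shown; the dialog simply closes)
exit_1:
                push    0
                push    hWnd
                mov     eax,aEndDialog
                call    eax
                ;invoke EndDialog, hWnd,NULL
                ; ExitProcess is entered by jmp with no return address pushed,
                ; so the 0 below sits in the return-address slot and the exit
                ; code the callee reads comes from the next stack slot, not 0.
                ; Harmless only because ExitProcess never returns.
                push    0
                mov     eax,aExitProcess
                jmp     eax
                ;invoke ExitProcess,eax
ok_1:
                ;pop esi
                ;jmp ok_2
                ; Stage 2: the stored checksum must equal chck2. Same ZF-to-
                ; table trick, scaled to 0/8 so a match selects ok2.
                mov     eax,chck2
                ;cmp eax,edi
                sub     eax,edi         ; ZF <- (chck2 == chck1)
                pushfd
                pop     eax
                and     eax,40h
                shr     eax,3           ; 0 or 8 = table offset (err1 / ok2)
                mov     edx,offset err1
                add     eax,edx
                mov     eax,[eax]       ; load the label stored in that slot
                jmp     eax
ok_2:           pop     esi
                ; Build the success text in place as two GBK dwords; bytes 8-9
                ; of mesbok_1 stay zero and terminate the string.
                mov     edi,offset mesbok_1
                mov     eax,0e1b2a2d7h  ; '注册' (GBK, little-endian)
                stosd
                mov     eax,0a6b9c9b3h  ; '成功' (GBK, little-endian)
                stosd
                ;invoke MessageBox,NULL,ADDR mesbok_1,ADDR AppName,MB_OK
                ; mesbok_1 is pushed as both text and caption; the commented
                ; invoke names AppName for the caption. Changing the push would
                ; alter checksummed bytes, so it is left as written.
                push    MB_OK
                push    offset mesbok_1
                push    offset mesbok_1
                push    0
                mov     eax,offset exit_1   ; return address: continue at exit_1 after the box closes
                push    eax
                mov     eax, aMessageBoxA
                jmp     eax
                jmp     exit_1          ; unreachable, but part of the checksummed bytes
        .ELSEIF ax==IDC_EXIT
                push    0
                push    hWnd
                mov     eax,aEndDialog
                call    eax
                ;invoke EndDialog, hWnd,NULL
        .ENDIF
        .ENDIF
.ELSE
        mov     eax,FALSE
        ret
.ENDIF
        mov     eax,TRUE
        ret
DlgProc endp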
f_1:    ; end of the checksummed range [start, f_1); keep it directly after DlgProc endp
end start
资源文件 rsrc.rc内容如下:
#include "resource.h"
// Icon resource 500; ico1.ICO must be present next to this .rc at build time.
500 ICON DISCARDABLE "ico1.ICO"
// Control ids; must match the .const equates in the .asm (3800/3801/3001/3002).
#define IDC_EDIT2 3800
#define IDC_EDIT3 3801
#define IDC_BUTTON 3001
#define IDC_EXIT 3002
// Template name "MyDialog" must match DlgName in the .asm (it is what DialogBoxParamA looks up).
MyDialog DIALOG 10, 10, 200, 85
STYLE 0x0004 | DS_CENTER | WS_CAPTION | WS_MINIMIZEBOX |
WS_SYSMENU | WS_VISIBLE | WS_OVERLAPPED | DS_MODALFRAME | DS_3DLOOK
CAPTION "注册程序,(C)电子管 2013.7.19"
BEGIN
// IDC_EDIT2 is never written by the program (the SetDlgItemText call in DlgProc is commented out).
LTEXT "序列号",-1,10,13,25,10
LTEXT "注册码",-1,10,32,25,10
LTEXT "请与本程序作者联系索取注册码",-1,10,49,205,10
LTEXT "QQ:5611409",-1,10,62,205,10
EDITTEXT IDC_EDIT2,36,11,100,10, ES_AUTOHSCROLL | ES_LEFT
// IDC_EDIT3 is the field read by GetDlgItemTextA on IDC_BUTTON.
EDITTEXT IDC_EDIT3,36,30,100,10, ES_AUTOHSCROLL | ES_LEFT
DEFPUSHBUTTON "注册", IDC_BUTTON, 141,10,52,12
PUSHBUTTON "退出", IDC_EXIT,141,29,52,12
END
@珈蓝夜雨
试试这个,还是无壳,无花指令,汇编语言编制。
我是用户 发表于 2013-7-19 17:52
运行一下修改后的exe试试?
dianziguan 发表于 2013-7-19 17:54
运行一下修改后的exe试试?
你是需要什么效果?重新启动后?
我是用户 发表于 2013-7-19 17:58
你是需要什么效果?重新启动后?
我的意思是看看你修改后是否跳过了自身检验
dianziguan 发表于 2013-7-19 18:03
我的意思是看看你修改后是否跳过了自身检验
有检验吗。。。。。直接爆破就好了。。。。
给个附件你看看
本帖最后由 不会用鼠标的人 于 2013-7-19 20:30 编辑
咳咳,先占好楼,。。。。
好吧,这次我败了。
我只发现了一个关键,另一个找不到。。。。。。
坐等LZ发源码。