This post was last edited by solly on 2020-8-1 02:06
Setting a breakpoint on DefWindowProcW and returning to its caller locates the message handler, WndProc (it ends by forwarding unhandled messages to DefWindowProcW, which user32 re-exports from ntdll as NtdllDefWindowProc_W):
000000014099EF60 | 40:53 | push rbx |
000000014099EF62 | 55 | push rbp |
000000014099EF63 | 56 | push rsi |
000000014099EF64 | 57 | push rdi |
000000014099EF65 | 48:83EC 48 | sub rsp,48 | conditional breakpoint: rdx == WM_LBUTTONUP
000000014099EF69 | 48:8B05 A0E06900 | mov rax,qword ptr ds:[14103D010] |
000000014099EF70 | 48:33C4 | xor rax,rsp |
000000014099EF73 | 48:894424 38 | mov qword ptr ss:[rsp+38],rax |
000000014099EF78 | 49:8BE9 | mov rbp,r9 |
000000014099EF7B | C74424 20 00000000 | mov dword ptr ss:[rsp+20],0 |
000000014099EF83 | 49:8BF0 | mov rsi,r8 |
000000014099EF86 | 4C:8D0D 13D78200 | lea r9,qword ptr ds:[1411CC6A0] |
000000014099EF8D | 8BFA | mov edi,edx |
000000014099EF8F | 4C:8D05 5AAD7400 | lea r8,qword ptr ds:[1410E9CF0] |
000000014099EF96 | 48:8BD9 | mov rbx,rcx |
000000014099EF99 | 33D2 | xor edx,edx |
000000014099EF9B | 48:8B0D BE468700 | mov rcx,qword ptr ds:[141213660] |
000000014099EFA2 | E8 B1BF1200 | call simplecrackme.140ACAF58 |
000000014099EFA7 | 48:85C0 | test rax,rax | rax == 0: message not handled
000000014099EFAA | 74 34 | je simplecrackme.14099EFE0 |
000000014099EFAC | 48:8D4C24 30 | lea rcx,qword ptr ss:[rsp+30] |
000000014099EFB1 | 48:C74424 30 00000000 | mov qword ptr ss:[rsp+30],0 |
000000014099EFBA | 48:894C24 28 | mov qword ptr ss:[rsp+28],rcx |
000000014099EFBF | 4C:8BCE | mov r9,rsi |
000000014099EFC2 | 48:8BC8 | mov rcx,rax |
000000014099EFC5 | 48:896C24 20 | mov qword ptr ss:[rsp+20],rbp |
000000014099EFCA | 44:8BC7 | mov r8d,edi |
000000014099EFCD | 48:8BD3 | mov rdx,rbx |
000000014099EFD0 | E8 5BEBFFFF | call simplecrackme.14099DB30 |
000000014099EFD5 | 84C0 | test al,al | al == 0: message not handled
000000014099EFD7 | 74 07 | je simplecrackme.14099EFE0 |
000000014099EFD9 | 48:8B4424 30 | mov rax,qword ptr ss:[rsp+30] |
000000014099EFDE | EB 11 | jmp simplecrackme.14099EFF1 |
000000014099EFE0 | 4C:8BCD | mov r9,rbp |
000000014099EFE3 | 4C:8BC6 | mov r8,rsi |
000000014099EFE6 | 8BD7 | mov edx,edi |
000000014099EFE8 | 48:8BCB | mov rcx,rbx |
000000014099EFEB | FF15 A7D41B00 | call qword ptr ds:[<&NtdllDefWindowProc_W>] |
000000014099EFF1 | 48:8B4C24 38 | mov rcx,qword ptr ss:[rsp+38] |
000000014099EFF6 | 48:33CC | xor rcx,rsp |
000000014099EFF9 | E8 621F1100 | call simplecrackme.140AB0F60 |
000000014099EFFE | 48:83C4 48 | add rsp,48 |
000000014099F002 | 5F | pop rdi |
000000014099F003 | 5E | pop rsi |
000000014099F004 | 5D | pop rbp |
000000014099F005 | 5B | pop rbx |
000000014099F006 | C3 | ret |
As shown above, set a conditional breakpoint on rdx == WM_LBUTTONUP (uMsg is the 32-bit second argument and WM_LBUTTONUP is 0x0202, so if the condition never fires compare edx == 0x202 instead). Then type a long string of characters and click the button: the breakpoint hits. Switch to x64dbg's memory map and, one region at a time, search the PRV-type regions whose Info column is empty for the Unicode (UTF-16LE) string you just typed. In one of those regions you will find two addresses holding the string; set a hardware breakpoint on access at both, and you land in the code that operates on the string (be patient here: it takes searching a good many regions before it turns up):
0000000140AB5D70 | 0F100411 | movups xmm0,xmmword ptr ds:[rcx+rdx] | rcx+rdx*1:L"234568889994545435999999998666"
0000000140AB5D74 | 48:83C1 10 | add rcx,10 |
0000000140AB5D78 | 49:83E8 10 | sub r8,10 |
0000000140AB5D7C | 4D:8BC8 | mov r9,r8 |
0000000140AB5D7F | 49:C1E9 04 | shr r9,4 |
0000000140AB5D83 | 74 1C | je simplecrackme.140AB5DA1 |
0000000140AB5D85 | 666666:0F1F8400 000000 | nop word ptr ds:[rax+rax],ax |
0000000140AB5D90 | 0F1141 F0 | movups xmmword ptr ds:[rcx-10],xmm0 |
0000000140AB5D94 | 0F100411 | movups xmm0,xmmword ptr ds:[rcx+rdx] | rcx+rdx*1:L"234568889994545435999999998666"
This is inside a string-copy routine; step out through a few rets and you arrive here, where the password is visible:
000000014000378D | 48:8B09 | mov rcx,qword ptr ds:[rcx] | rcx:L"AngeloTheCat-52Pojie-SimpleCrackMe"
0000000140003790 | 48:8B01 | mov rax,qword ptr ds:[rcx] | rcx:L"AngeloTheCat-52Pojie-SimpleCrackMe"
0000000140003793 | 48:8B80 B8000000 | mov rax,qword ptr ds:[rax+B8] |
000000014000379A | FF15 488FB500 | call qword ptr ds:[140B5C6E8] |
00000001400037A0 | 48:8D4D D7 | lea rcx,qword ptr ss:[rbp-29] |
00000001400037A4 | 4C:8B50 20 | mov r10,qword ptr ds:[rax+20] |
00000001400037A8 | 4D:8BC2 | mov r8,r10 |
00000001400037AB | 4D:85D2 | test r10,r10 |
00000001400037AE | 74 31 | je simplecrackme.1400037E1 |
00000001400037B0 | 48:8B50 18 | mov rdx,qword ptr ds:[rax+18] |
00000001400037B4 | 48:8B40 08 | mov rax,qword ptr ds:[rax+8] | [rax+8]:L"234568889994545435999999998666"
00000001400037B8 | 4C:8D0C50 | lea r9,qword ptr ds:[rax+rdx*2] |
00000001400037BC | 48:8D45 D7 | lea rax,qword ptr ss:[rbp-29] |
00000001400037C0 | 4C:2BC8 | sub r9,rax |
00000001400037C3 | 49:FFC8 | dec r8 |
00000001400037C6 | 0FB711 | movzx edx,word ptr ds:[rcx] | rcx:L"AngeloTheCat-52Pojie-SimpleCrackMe"
00000001400037C9 | 66:85D2 | test dx,dx |
00000001400037CC | 74 13 | je simplecrackme.1400037E1 |
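The memory-map search described above (walk the PRV regions, look for the UTF-16LE form of the typed password, note every address it appears at) is tedious by hand, so here is an added example that automates it. This is not code from the original post or from the crackme: it is a small Python script that uses VirtualQueryEx/ReadProcessMemory through ctypes. The region filter and the byte search are plain functions that run anywhere; only scan_process() needs Windows, and the process ID and password string it takes on the command line are assumptions, not values from the post. The resulting addresses are what you would then put hardware breakpoints on.

```python
"""Search private, committed, readable regions of a process for a UTF-16LE string.

Added example (not part of the original post). It mirrors the manual step in the
write-up: walk the memory map, keep only MEM_PRIVATE committed regions (the "PRV"
rows in x64dbg's memory map) and search each one for the typed password.
"""
import ctypes
import sys

# Constants from winnt.h (fixed by the Windows SDK).
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # 64-bit layout of the structure VirtualQueryEx fills in (48 bytes).
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("PartitionId", ctypes.c_uint16),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


def is_candidate_region(state: int, protect: int, mem_type: int) -> bool:
    """The post's filter: committed private ("PRV") memory that can be read."""
    if state != MEM_COMMIT or mem_type != MEM_PRIVATE:
        return False
    # Skip pages ReadProcessMemory would fail on or that would trip a guard page.
    return not (protect & (PAGE_NOACCESS | PAGE_GUARD))


def find_utf16le(buf: bytes, needle: str, base: int = 0) -> list:
    """Return every address (base + offset) where needle's UTF-16LE bytes occur in buf.

    The search is byte-exact, like the debugger's pattern search, so a string the
    target keeps twice (the original and the copy handed to the checker, as seen
    in the post) yields two hits.
    """
    pattern = needle.encode("utf-16-le")
    hits = []
    pos = buf.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = buf.find(pattern, pos + 1)
    return hits


def scan_process(pid: int, needle: str) -> list:
    """Windows only: walk the address space of pid and collect hits in PRV regions."""
    if sys.platform != "win32":
        raise OSError("scan_process needs the Windows kernel32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    hits, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    # VirtualQueryEx returns 0 once addr runs past the user address space.
    while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0
        if is_candidate_region(mbi.State, mbi.Protect, mbi.Type):
            buf = ctypes.create_string_buffer(mbi.RegionSize)
            got = ctypes.c_size_t()
            if k32.ReadProcessMemory(handle, base, buf, mbi.RegionSize, ctypes.byref(got)):
                hits += find_utf16le(buf.raw[:got.value], needle, base)
        addr = base + mbi.RegionSize
    k32.CloseHandle(handle)
    return hits


if __name__ == "__main__":
    # usage: python scan.py <pid> <typed password>   (both supplied by you)
    for address in scan_process(int(sys.argv[1]), sys.argv[2]):
        print(hex(address))
```

Run it against the suspended crackme after the WM_LBUTTONUP breakpoint has hit, with the same string you typed into the edit box; each printed address is a candidate for a hardware-on-access breakpoint, and the one inside the copy routine's source buffer is the one that leads back to the comparison.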