Original poster: 烟99
Posted 2024-11-25 07:50
In 血战上海滩, after unpacking the game's PCK file I found no file holding the kill-score configuration, so I suspected it lives in the handful of encrypted INI files in the game's root directory.
First, my line of thinking:
I dragged the game's main EXE into IDA and found many ".ini" strings. Right below each one there is a call to sub_402A50, and further down an error message about not being able to open the file, so it is fairly safe to say this function is related to loading and decrypting the INI files.
Jump to sub_402A50.
Press space to switch to graph view.
[Asm]
; int __stdcall sub_402A50(char ArgList)
sub_402A50 proc near
ArgList= byte ptr 4
push ebx
push ebp
push esi
push edi
mov edi, dword ptr [esp+10h+ArgList]
mov ebp, ecx
test edi, edi
jnz short loc_402A81
As shown in the figure above, four registers are pushed first, then data is loaded from memory into the edi register. The address is computed as the stack pointer esp plus hex 10h (16 bytes) plus the offset represented by ArgList (4 bytes); a double word (32 bits, dword ptr) is read from that address into edi. Then the value of ecx is moved into ebp and a test is made: if the result of the test instruction is non-zero, execution continues; otherwise an invalid-parameter error is reported.
Next, the following operations are executed:
[Asm]
mov eax, [ebp+14h]
lea esi, [ebp+14h]
push 4
push edi
mov ecx, esi
call dword ptr [eax+14h]
test al, al
jnz short loc_402AC7
Here is another call, which should be the INI decryption operation: it calls through the value of eax plus hex 14h, reading a double word (32 bits) from that address as the function's entry point.
Later I found this approach very inefficient. The EXE itself is unpacked and contains many plaintext error messages. I figured those messages would be written to a log file, so I deliberately corrupted one INI file to see what kind of error was output.
Searching directly for "Bad key name format" led me to the function sub_4031F0.
The code here is as follows:
[Asm]
.text:004031F0 ; =============== S U B R O U T I N E =======================================
.text:004031F0
.text:004031F0
.text:004031F0 ; unsigned __int8 *__thiscall sub_4031F0(_DWORD *this, unsigned __int8 *, int)
.text:004031F0 sub_4031F0 proc near ; CODE XREF: sub_403040+49↑p
.text:004031F0
.text:004031F0 var_8= dword ptr -8
.text:004031F0 Count= dword ptr -4
.text:004031F0 arg_0= dword ptr 4
.text:004031F0 arg_4= dword ptr 8
.text:004031F0
.text:004031F0 83 EC 08 sub esp, 8
.text:004031F3 89 4C 24 00 mov [esp+8+var_8], ecx
.text:004031F7 53 push ebx
.text:004031F8 8B 4C 24 14 mov ecx, [esp+0Ch+arg_4]
.text:004031FC 55 push ebp
.text:004031FD 56 push esi
.text:004031FE 57 push edi
.text:004031FF 85 C9 test ecx, ecx
.text:00403201 7F 2A jg short loc_40322D
.text:00403201
.text:00403203 68 EC 75 5B 00 push offset aBadLengthParam ; "Bad length parameter."
.text:00403208 68 96 01 00 00 push 196h
.text:0040320D 68 90 74 5B 00 push offset aEDevAbaseAwndi ; "E:\\dev\\ABASE\\AWndIniFile.cpp"
.text:00403212 68 84 74 5B 00 push offset aSDS ; "%s(%d) : %s"
.text:00403217 6A 00 push 0 ; int
.text:00403219 E8 62 0E 00 00 call sub_404080
.text:00403219
.text:0040321E 83 C4 14 add esp, 14h
.text:00403221 33 C0 xor eax, eax
.text:00403223 5F pop edi
.text:00403224 5E pop esi
.text:00403225 5D pop ebp
.text:00403226 5B pop ebx
.text:00403227 83 C4 08 add esp, 8
.text:0040322A C2 08 00 retn 8
.text:0040322A
.text:0040322D ; ---------------------------------------------------------------------------
.text:0040322D
.text:0040322D loc_40322D: ; CODE XREF: sub_4031F0+11↑j
.text:0040322D 8B 74 24 1C mov esi, [esp+18h+arg_0]
.text:00403231 33 ED xor ebp, ebp
.text:00403233 85 C9 test ecx, ecx
.text:00403235 7E 1C jle short loc_403253
.text:00403235
.text:00403237
.text:00403237 loc_403237: ; CODE XREF: sub_4031F0+61↓j
.text:00403237 8A 04 2E mov al, [esi+ebp]
.text:0040323A 3C 3D cmp al, 3Dh ; '='
.text:0040323C 74 15 jz short loc_403253
.text:0040323C
.text:0040323E 3C 0A cmp al, 0Ah
.text:00403240 0F 84 8B 00 00 00 jz loc_4032D1
.text:00403240
.text:00403246 3C 0D cmp al, 0Dh
.text:00403248 0F 84 83 00 00 00 jz loc_4032D1
.text:00403248
.text:0040324E 45 inc ebp
.text:0040324F 3B E9 cmp ebp, ecx
.text:00403251 7C E4 jl short loc_403237
.text:00403251
.text:00403253
.text:00403253 loc_403253: ; CODE XREF: sub_4031F0+45↑j
.text:00403253 ; sub_4031F0+4C↑j
.text:00403253 33 C0 xor eax, eax
.text:00403255 33 DB xor ebx, ebx
.text:00403257 8A 06 mov al, [esi]
.text:00403259 89 5C 24 1C mov [esp+18h+arg_0], ebx
.text:0040325D 50 push eax ; C
.text:0040325E 8D 7D FF lea edi, [ebp-1]
.text:00403261 FF 15 0C B3 58 00 call ds:__imp_isspace
.text:00403261
.text:00403267 83 C4 04 add esp, 4
.text:0040326A 85 C0 test eax, eax
.text:0040326C 74 1E jz short loc_40328C
.text:0040326C
.text:0040326E
.text:0040326E loc_40326E: ; CODE XREF: sub_4031F0+96↓j
.text:0040326E 3B 5C 24 20 cmp ebx, [esp+18h+arg_4]
.text:00403272 7D 14 jge short loc_403288
.text:00403272
.text:00403274 43 inc ebx
.text:00403275 33 C9 xor ecx, ecx
.text:00403277 8A 0C 33 mov cl, [ebx+esi]
.text:0040327A 51 push ecx ; C
.text:0040327B FF 15 0C B3 58 00 call ds:__imp_isspace
.text:0040327B
.text:00403281 83 C4 04 add esp, 4
.text:00403284 85 C0 test eax, eax
.text:00403286 75 E6 jnz short loc_40326E
.text:00403286
.text:00403288
.text:00403288 loc_403288: ; CODE XREF: sub_4031F0+82↑j
.text:00403288 89 5C 24 1C mov [esp+18h+arg_0], ebx
.text:00403288
.text:0040328C
.text:0040328C loc_40328C: ; CODE XREF: sub_4031F0+7C↑j
.text:0040328C 33 D2 xor edx, edx
.text:0040328E 8A 14 37 mov dl, [edi+esi]
.text:00403291 52 push edx ; C
.text:00403292 FF 15 0C B3 58 00 call ds:__imp_isspace
.text:00403292
.text:00403298 83 C4 04 add esp, 4
.text:0040329B 85 C0 test eax, eax
.text:0040329D 74 18 jz short loc_4032B7
.text:0040329D
.text:0040329F
.text:0040329F loc_40329F: ; CODE XREF: sub_4031F0+C5↓j
.text:0040329F 3B FB cmp edi, ebx
.text:004032A1 7C 14 jl short loc_4032B7
.text:004032A1
.text:004032A3 4F dec edi
.text:004032A4 33 C0 xor eax, eax
.text:004032A6 8A 04 37 mov al, [edi+esi]
.text:004032A9 50 push eax ; C
.text:004032AA FF 15 0C B3 58 00 call ds:__imp_isspace
.text:004032AA
.text:004032B0 83 C4 04 add esp, 4
.text:004032B3 85 C0 test eax, eax
.text:004032B5 75 E8 jnz short loc_40329F
.text:004032B5
.text:004032B7
.text:004032B7 loc_4032B7: ; CODE XREF: sub_4031F0+AD↑j
.text:004032B7 ; sub_4031F0+B1↑j
.text:004032B7 2B FB sub edi, ebx
.text:004032B9 47 inc edi
.text:004032BA 85 FF test edi, edi
.text:004032BC 89 7C 24 14 mov [esp+18h+Count], edi
.text:004032C0 7F 1E jg short loc_4032E0
.text:004032C0
.text:004032C2 68 D4 75 5B 00 push offset aBadKeyValueFor ; "Bad key value format."
.text:004032C7 68 B8 01 00 00 push 1B8h
.text:004032CC E9 EB 00 00 00 jmp loc_4033BC
.text:004032CC
.text:004032D1 ; ---------------------------------------------------------------------------
.text:004032D1
.text:004032D1 loc_4032D1: ; CODE XREF: sub_4031F0+50↑j
.text:004032D1 ; sub_4031F0+58↑j
.text:004032D1 68 C0 75 5B 00 push offset aBadKeyNameForm ; "Bad key name format"
.text:004032D6 68 AC 01 00 00 push 1ACh
.text:004032DB E9 DC 00 00 00 jmp loc_4033BC
.text:004032DB
.text:004032E0 ; ---------------------------------------------------------------------------
.text:004032E0
.text:004032E0 loc_4032E0: ; CODE XREF: sub_4031F0+D0↑j
.text:004032E0 8B 4C 24 20 mov ecx, [esp+18h+arg_4]
.text:004032E4 45 inc ebp
.text:004032E5 3B E9 cmp ebp, ecx
.text:004032E7 7C 0F jl short loc_4032F8
.text:004032E7
.text:004032E9 68 D4 75 5B 00 push offset aBadKeyValueFor ; "Bad key value format."
.text:004032EE 68 BF 01 00 00 push 1BFh
.text:004032F3 E9 C4 00 00 00 jmp loc_4033BC
.text:004032F3
.text:004032F8 ; ---------------------------------------------------------------------------
.text:004032F8
.text:004032F8 loc_4032F8: ; CODE XREF: sub_4031F0+F7↑j
.text:004032F8 8B FD mov edi, ebp
.text:004032F8
.text:004032FA
.text:004032FA loc_4032FA: ; CODE XREF: sub_4031F0+11C↓j
.text:004032FA 8A 04 2E mov al, [esi+ebp]
.text:004032FD 3C 0A cmp al, 0Ah
.text:004032FF 74 0F jz short loc_403310
.text:004032FF
.text:00403301 3C 0D cmp al, 0Dh
.text:00403303 74 0B jz short loc_403310
.text:00403303
.text:00403305 84 C0 test al, al
.text:00403307 74 07 jz short loc_403310
.text:00403307
.text:00403309 45 inc ebp
.text:0040330A 3B E9 cmp ebp, ecx
.text:0040330C 7C EC jl short loc_4032FA
.text:0040330C
.text:0040330E EB 07 jmp short loc_403317
.text:0040330E
.text:00403310 ; ---------------------------------------------------------------------------
.text:00403310
.text:00403310 loc_403310: ; CODE XREF: sub_4031F0+10F↑j
.text:00403310 ; sub_4031F0+113↑j
.text:00403310 ; sub_4031F0+117↑j
.text:00403310 3B E9 cmp ebp, ecx
.text:00403312 8D 5D FF lea ebx, [ebp-1]
.text:00403315 7C 02 jl short loc_403319
.text:00403315
.text:00403317
.text:00403317 loc_403317: ; CODE XREF: sub_4031F0+11E↑j
.text:00403317 8B DD mov ebx, ebp
.text:00403317
.text:00403319
.text:00403319 loc_403319: ; CODE XREF: sub_4031F0+125↑j
.text:00403319 33 C9 xor ecx, ecx
.text:0040331B 8A 0C 37 mov cl, [edi+esi]
.text:0040331E 51 push ecx ; C
.text:0040331F FF 15 0C B3 58 00 call ds:__imp_isspace
.text:0040331F
.text:00403325 83 C4 04 add esp, 4
.text:00403328 85 C0 test eax, eax
.text:0040332A 74 1A jz short loc_403346
.text:0040332A
.text:0040332C
.text:0040332C loc_40332C: ; CODE XREF: sub_4031F0+154↓j
.text:0040332C 3B 7C 24 20 cmp edi, [esp+18h+arg_4]
.text:00403330 7D 14 jge short loc_403346
.text:00403330
.text:00403332 47 inc edi
.text:00403333 33 D2 xor edx, edx
.text:00403335 8A 14 37 mov dl, [edi+esi]
.text:00403338 52 push edx ; C
.text:00403339 FF 15 0C B3 58 00 call ds:__imp_isspace
.text:00403339
.text:0040333F 83 C4 04 add esp, 4
.text:00403342 85 C0 test eax, eax
.text:00403344 75 E6 jnz short loc_40332C
.text:00403344
.text:00403346
.text:00403346 loc_403346: ; CODE XREF: sub_4031F0+13A↑j
.text:00403346 ; sub_4031F0+140↑j
.text:00403346 33 C0 xor eax, eax
.text:00403348 8A 04 33 mov al, [ebx+esi]
.text:0040334B 50 push eax ; C
.text:0040334C FF 15 0C B3 58 00 call ds:__imp_isspace
.text:0040334C
.text:00403352 83 C4 04 add esp, 4
.text:00403355 85 C0 test eax, eax
.text:00403357 74 18 jz short loc_403371
.text:00403357
.text:00403359
.text:00403359 loc_403359: ; CODE XREF: sub_4031F0+17F↓j
.text:00403359 3B DF cmp ebx, edi
.text:0040335B 7C 14 jl short loc_403371
.text:0040335B
.text:0040335D 4B dec ebx
.text:0040335E 33 C9 xor ecx, ecx
.text:00403360 8A 0C 33 mov cl, [ebx+esi]
.text:00403363 51 push ecx ; C
.text:00403364 FF 15 0C B3 58 00 call ds:__imp_isspace
.text:00403364
.text:0040336A 83 C4 04 add esp, 4
.text:0040336D 85 C0 test eax, eax
.text:0040336F 75 E8 jnz short loc_403359
.text:0040336F
.text:00403371
.text:00403371 loc_403371: ; CODE XREF: sub_4031F0+167↑j
.text:00403371 ; sub_4031F0+16B↑j
.text:00403371 2B DF sub ebx, edi
.text:00403373 43 inc ebx
.text:00403374 85 DB test ebx, ebx
.text:00403376 7F 0C jg short loc_403384
.text:00403376
.text:00403378 68 D4 75 5B 00 push offset aBadKeyValueFor ; "Bad key value format."
.text:0040337D 68 DC 01 00 00 push 1DCh
.text:00403382 EB 38 jmp short loc_4033BC
.text:00403382
.text:00403384 ; ---------------------------------------------------------------------------
.text:00403384
.text:00403384 loc_403384: ; CODE XREF: sub_4031F0+186↑j
.text:00403384 8B 4C 24 10 mov ecx, [esp+18h+var_8]
.text:00403388 8B 41 1C mov eax, [ecx+1Ch]
.text:0040338B 85 C0 test eax, eax
.text:0040338D 7C 23 jl short loc_4033B2
.text:0040338D
.text:0040338F 8B 54 24 14 mov edx, [esp+18h+Count]
.text:00403393 03 FE add edi, esi
.text:00403395 53 push ebx ; size_t
.text:00403396 57 push edi ; char *
.text:00403397 52 push edx ; Count
.text:00403398 8B 54 24 28 mov edx, [esp+24h+arg_0]
.text:0040339C 03 D6 add edx, esi
.text:0040339E 52 push edx ; Source
.text:0040339F 50 push eax ; int
.text:004033A0 E8 9B 02 00 00 call sub_403640
.text:004033A0
.text:004033A5 8D 04 2E lea eax, [esi+ebp]
.text:004033A8 5F pop edi
.text:004033A9 5E pop esi
.text:004033AA 5D pop ebp
.text:004033AB 5B pop ebx
.text:004033AC 83 C4 08 add esp, 8
.text:004033AF C2 08 00 retn 8
.text:004033AF
.text:004033B2 ; ---------------------------------------------------------------------------
.text:004033B2
.text:004033B2 loc_4033B2: ; CODE XREF: sub_4031F0+19D↑j
.text:004033B2 68 A4 75 5B 00 push offset aTheKeyMustInAS ; "The key must in a section"
.text:004033B7 68 E6 01 00 00 push 1E6h
.text:004033B7
.text:004033BC
.text:004033BC loc_4033BC: ; CODE XREF: sub_4031F0+DC↑j
.text:004033BC ; sub_4031F0+EB↑j
.text:004033BC ; sub_4031F0+103↑j
.text:004033BC ; sub_4031F0+192↑j
.text:004033BC 68 90 74 5B 00 push offset aEDevAbaseAwndi ; "E:\\dev\\ABASE\\AWndIniFile.cpp"
.text:004033C1 68 84 74 5B 00 push offset aSDS ; "%s(%d) : %s"
.text:004033C6 6A 00 push 0 ; int
.text:004033C8 E8 B3 0C 00 00 call sub_404080
.text:004033C8
.text:004033CD 83 C4 14 add esp, 14h
.text:004033D0 8D 04 2E lea eax, [esi+ebp]
.text:004033D3 5F pop edi
.text:004033D4 5E pop esi
.text:004033D5 5D pop ebp
.text:004033D6 5B pop ebx
.text:004033D7 83 C4 08 add esp, 8
.text:004033DA C2 08 00 retn 8
.text:004033DA
.text:004033DA sub_4031F0 endp
Unless I'm mistaken, this is the INI decryption. The function takes three parameters, one of which may be a key, so I think it needs a key supplied from outside before it can decrypt. The first part is some data validation, but from 00403201 onward I can't follow it. Could someone walk through it? Any pointers on how to approach the analysis?
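An added example, not from the original post and not the game's own code: a Python reconstruction of sub_4031F0 that follows the listing above block by block. The function and field names (parse_key_value_line, IniState, the log and store stand-ins) and the sample lines are assumptions made up for this example; the error messages, the AWndIniFile.cpp line numbers and the section index at this+1Ch are taken from the listing. Written out this way the routine reads as a single-line "key = value" parser: it finds '=', trims both spans with isspace, and passes them to sub_403640, so any decryption of the file contents would have to take place before the buffer reaches this function.

```python
# Added example: Python reconstruction of sub_4031F0 from the IDA listing.
# Names are assumptions chosen for readability; messages, .cpp line numbers
# and the this+1Ch section index come from the listing. The control flow
# mirrors the disassembly and returns the buffer offset where parsing
# stopped (the "lea eax, [esi+ebp]" before each retn).

SOURCE_FILE = "E:\\dev\\ABASE\\AWndIniFile.cpp"   # string pushed at loc_4033BC


class IniState:
    """Stand-in for `this`: offset 0x1C holds the current section index,
    tested at loc_403384 (negative means no [section] seen yet)."""

    def __init__(self, section_index=-1):
        self.section_index = section_index
        self.entries = []   # what sub_403640 would receive: (section, key, value)
        self.errors = []    # what sub_404080 would log: (cpp_line, message)


def _isspace(b):
    """ds:__imp_isspace applied to one byte."""
    return b in (0x20, 0x09, 0x0A, 0x0B, 0x0C, 0x0D)


def _log(state, cpp_line, msg):
    """sub_404080(0, "%s(%d) : %s", file, line, msg)."""
    state.errors.append((cpp_line, "%s(%d) : %s" % (SOURCE_FILE, cpp_line, msg)))


def parse_key_value_line(state, buf, length):
    """Parse one `key = value` line of `length` bytes. Returns the offset at
    which the routine stopped, or -1 where the original returns NULL."""
    if length <= 0:                                   # 004031FF: test ecx, ecx
        _log(state, 0x196, "Bad length parameter.")
        return -1

    def at(i):   # the original reads buf[length] in a few paths; bound it
        return buf[i] if i < len(buf) else 0

    i = 0                                             # loc_403237: find '='
    while True:
        c = at(i)
        if c == 0x3D:                                 # '='
            break
        if c in (0x0A, 0x0D):                         # loc_4032D1
            _log(state, 0x1AC, "Bad key name format")
            return i
        i += 1
        if i >= length:
            break

    key_start = 0                                     # loc_403253: trim key
    if _isspace(at(0)):
        while key_start < length:                     # loc_40326E
            key_start += 1
            if not _isspace(at(key_start)):
                break
    key_end = i - 1
    if _isspace(at(key_end)):
        while key_end >= key_start:                   # loc_40329F
            key_end -= 1
            if not _isspace(at(key_end)):
                break
    if key_end - key_start + 1 <= 0:                  # Count at [esp+18h+Count]
        _log(state, 0x1B8, "Bad key value format.")
        return i

    i += 1                                            # loc_4032E0: skip '='
    if i >= length:
        _log(state, 0x1BF, "Bad key value format.")
        return i

    val_start = i                                     # loc_4032FA: value end
    while True:
        c = at(i)
        if c in (0x0A, 0x0D, 0x00):                   # loc_403310
            val_end = i - 1
            break
        i += 1
        if i >= length:                               # loc_403317 as compiled:
            val_end = i                               # ebx = ebp, not ebp-1
            break

    if _isspace(at(val_start)):                       # loc_403319: trim value
        while val_start < length:                     # loc_40332C
            val_start += 1
            if not _isspace(at(val_start)):
                break
    if _isspace(at(val_end)):
        while val_end >= val_start:                   # loc_403359
            val_end -= 1
            if not _isspace(at(val_end)):
                break
    if val_end - val_start + 1 <= 0:                  # loc_403371
        _log(state, 0x1DC, "Bad key value format.")
        return i

    if state.section_index < 0:                       # loc_403384: [this+1Ch]
        _log(state, 0x1E6, "The key must in a section")
        return i

    # sub_403640(section, &buf[key_start], key_len, &buf[val_start], val_len)
    state.entries.append((state.section_index,
                          buf[key_start:key_end + 1],
                          buf[val_start:val_end + 1]))
    return i


if __name__ == "__main__":
    st = IniState(section_index=0)   # constructed sample lines, not game data
    for line in (b"  score_per_kill = 100 \r\n", b"broken line\n", b"key=\n"):
        print(line, "-> stopped at", parse_key_value_line(st, line, len(line)))
    print(st.entries, st.errors, sep="\n")
```

Reading the reconstruction next to the listing, the three "Bad key value format." sites are the empty-key, nothing-after-'=' and empty-value checks, and the return value is a pointer to the byte that ended the line, which is what the caller at sub_403040 would use to advance to the next line.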