This is an installer that asks for a registration code partway through.
I loaded it in OD and analysed it. I found the following block of code the most "suspicious":
0040981D |. 6A 00 PUSH 0
0040981F |. 6A 00 PUSH 0
00409821 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00409824 |. E8 EB9BFFFF CALL l2jANGEL.00403414
00409829 |. 50 PUSH EAX ; |CommandLine
0040982A |. 6A 00 PUSH 0 ; |ModuleFileName = NULL
0040982C |. E8 ABABFFFF CALL <JMP.&kernel32.CreateProcessA> ; \CreateProcessA
00409831 |. 85C0 TEST EAX,EAX
00409833 75 07 JNZ SHORT l2jANGEL.0040983C
00409835 |. B0 62 MOV AL,62
00409837 |. E8 58FBFFFF CALL l2jANGEL.00409394
0040983C |> 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
0040983F |. 50 PUSH EAX ; /hObject
00409840 |. E8 7FABFFFF CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
00409845 |> E8 46FFFFFF /CALL l2jANGEL.00409790
0040984A |. 68 FF000000 |PUSH 0FF ; /WakeMask = QS_ALLINPUT
0040984F |. 6A FF |PUSH -1 ; |Timeout = INFINITE
00409851 |. 6A 00 |PUSH 0 ; |WaitAll = FALSE
00409853 |. 8D45 A8 |LEA EAX,DWORD PTR SS:[EBP-58] ; |
00409856 |. 50 |PUSH EAX ; |phObjects
00409857 |. 6A 01 |PUSH 1 ; |nObjects = 1
00409859 |. E8 FEACFFFF |CALL <JMP.&user32.MsgWaitForMultipleObj>; \MsgWaitForMultipleObjects
0040985E |. 48 |DEC EAX
0040985F ^ 74 E4 \JE SHORT l2jANGEL.00409845
00409861 |. E8 2AFFFFFF CALL l2jANGEL.00409790
00409866 |. 57 PUSH EDI ; /pExitCode
00409867 |. 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58] ; |
0040986A |. 50 PUSH EAX ; |hProcess
0040986B |. E8 B4ABFFFF CALL <JMP.&kernel32.GetExitCodeProcess> ; \GetExitCodeProcess
00409870 |. 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
00409873 |. 50 PUSH EAX ; /hObject
00409874 |. E8 4BABFFFF CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
00409879 |. 33C0 XOR EAX,EAX
0040987B |. 5A POP EDX
0040987C |. 59 POP ECX
I used F7 to step into 0040982C |. E8 ABABFFFF CALL <JMP.&kernel32.CreateProcessA> ; \CreateProcessA
This leads to a direct jump:
004043DC $- FF25 FCD14000 JMP DWORD PTR DS:[<&kernel32.CreateProce>; kernel32.CreateProcessA
Stepping in, until:
7C802367 > 8BFF MOV EDI,EDI
7C802369 55 PUSH EBP
7C80236A 8BEC MOV EBP,ESP
7C80236C 6A 00 PUSH 0
7C80236E FF75 2C PUSH DWORD PTR SS:[EBP+2C]
7C802371 FF75 28 PUSH DWORD PTR SS:[EBP+28]
7C802374 FF75 24 PUSH DWORD PTR SS:[EBP+24]
7C802377 FF75 20 PUSH DWORD PTR SS:[EBP+20]
7C80237A FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C80237D FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C802380 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C802383 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C802386 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C802389 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C80238C 6A 00 PUSH 0
7C80238E E8 43BA0100 CALL kernel32.CreateProcessInternalA
7C802393 5D POP EBP ; 0012FF4C
7C802394 C2 2800 RETN 28
The installer window appeared!
Executing up to 00409840 |. E8 7FABFFFF CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
the following appears:
7C809B5B /0F84 F16E0200 JE kernel32.7C830A52
7C809B61 |83F8 F5 CMP EAX,-0B
7C809B64 |0F84 DD6E0200 JE kernel32.7C830A47
7C809B6A |83F8 F6 CMP EAX,-0A
7C809B6D |0F84 36000300 JE kernel32.7C839BA9
7C809B73 |8BC8 MOV ECX,EAX
7C809B75 |81E1 03000010 AND ECX,10000003
7C809B7B |83F9 03 CMP ECX,3
7C809B7E |50 PUSH EAX
7C809B7F |0F84 EA400100 JE kernel32.7C81DC6F
7C809B85 |FF15 3C10807C CALL DWORD PTR DS:[<&ntdll.NtClose>] ; ntdll.ZwClose
7C809B8B |85C0 TEST EAX,EAX
7C809B8D |0F8C A76E0200 JL kernel32.7C830A3A
7C809B93 |33C0 XOR EAX,EAX
7C809B95 |40 INC EAX
7C809B96 |5D POP EBP
7C809B97 |C2 0400 RETN 4
7C809B9A |33C0 XOR EAX,EAX
7C809B9C ^|E9 9FF7FFFF JMP kernel32.7C809340
7C809BA1 |90 NOP
Continuing down, at 00409859 |. E8 FEACFFFF |CALL <JMP.&user32.MsgWaitForMultipleObj>; \MsgWaitForMultipleObjects
I suspect this is where it waits for the registration code to be entered!! Stepping in,
the following appears:
77D19689 > 8BFF MOV EDI,EDI
77D1968B 55 PUSH EBP
77D1968C 8BEC MOV EBP,ESP
77D1968E 33C0 XOR EAX,EAX
77D19690 3945 10 CMP DWORD PTR SS:[EBP+10],EAX
77D19693 0F95C0 SETNE AL
77D19696 50 PUSH EAX
77D19697 FF75 18 PUSH DWORD PTR SS:[EBP+18]
77D1969A FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D1969D FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D196A0 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D196A3 E8 9DFFFFFF CALL user32.MsgWaitForMultipleObjectsEx
77D196A8 5D POP EBP
77D196A9 C2 1400 RETN 14
Stepping into 77D196A3 E8 9DFFFFFF CALL user32.MsgWaitForMultipleObjectsEx
shows:
77D19645 > 8BFF MOV EDI,EDI ; l2jANGEL.0040B240
77D19647 55 PUSH EBP
77D19648 8BEC MOV EBP,ESP
77D1964A E8 D5FFFFFF CALL user32.77D19624
77D1964F 85C0 TEST EAX,EAX
77D19651 0F85 90E50000 JNZ user32.77D27BE7
77D19657 5D POP EBP
77D19658 ^ E9 C3FEFFFF JMP user32.77D19520
77D1965D 90 NOP
77D1965E 90 NOP
77D1965F 90 NOP
77D19660 90 NOP
77D19661 90 NOP
77D19662 8BFF MOV EDI,EDI
77D19664 55 PUSH EBP
77D19665 8BEC MOV EBP,ESP
77D19667 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
77D1966A 33C9 XOR ECX,ECX
77D1966C 394D 10 CMP DWORD PTR SS:[EBP+10],ECX
77D1966F 0F85 BF520100 JNZ user32.77D2E934
77D19675 0FB740 04 MOVZX EAX,WORD PTR DS:[EAX+4]
77D19679 0BC1 OR EAX,ECX
77D1967B 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
77D1967E 23C1 AND EAX,ECX
77D19680 5D POP EBP
77D19681 C2 0C00 RETN 0C
Right at this point it feels like it just flies off!! I don't know how to handle it.
And it keeps executing until here:
00409845 |> /E8 46FFFFFF /CALL l2jANGEL.00409790
0040984A |. |68 FF000000 |PUSH 0FF ; /WakeMask = QS_ALLINPUT
0040984F |. |6A FF |PUSH -1 ; |Timeout = INFINITE
00409851 |. |6A 00 |PUSH 0 ; |WaitAll = FALSE
00409853 |. |8D45 A8 |LEA EAX,DWORD PTR SS:[EBP-58] ; |
00409856 |. |50 |PUSH EAX ; |phObjects
00409857 |. |6A 01 |PUSH 1 ; |nObjects = 1
00409859 |. |E8 FEACFFFF |CALL <JMP.&user32.MsgWaitForMultipleObj>; \MsgWaitForMultipleObjects
0040985E |. |48 |DEC EAX
0040985F ^\74 E4 \JE SHORT l2jANGEL.00409845
This feels like an infinite loop!
Since I'm a newbie, while trying to crack it by patching I changed one place:
00409833 /75 07 JNZ SHORT l2jANGEL.0040983C
I changed it to 74, and when running the installer I got "×× temporary file cannot be operated on".
I think this may show that the registration code information is accessed before the registration code check.
But what I don't understand is why the block I suspect to be the registration code check is an infinite loop?
If I change the final 0040985F ^\74 E4 \JE SHORT l2jANGEL.00409845
to 75, the installer simply exits.
I hope the experts here can help me.
Thanks again!!
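The CreateProcessA / MsgWaitForMultipleObjects / GetExitCodeProcess sequence from the listing at 0040981D..00409874, written out in C as an added example so the control flow of the loop can be read as source (this is not code from the post or from the installer). The Win32 calls are the ones named in the listing; the function names, the PeekMessage body standing in for CALL 00409790, and the stand-in DWORD/WAIT_OBJECT_0 definitions used when building outside Windows are assumptions.

```c
#ifdef _WIN32
#include <windows.h>
#else
/* Minimal stand-ins for the Win32 header values so the loop logic builds elsewhere. */
typedef unsigned long DWORD;
#define WAIT_OBJECT_0 0UL
#endif

/* Mirrors "DEC EAX / JE SHORT 00409845": the loop repeats only when the wait
 * returned WAIT_OBJECT_0 + 1, i.e. a window message is pending (nObjects is 1).
 * WAIT_OBJECT_0 (child process handle signalled) falls through to the exit-code
 * read, and so does WAIT_FAILED (0xFFFFFFFF), which the listing never checks. */
int wait_loop_continues(DWORD wait_result)
{
    return wait_result == WAIT_OBJECT_0 + 1;
}

#ifdef _WIN32
/* Start cmdline as a child process and wait for it to exit while keeping this
 * thread's window messages flowing. Returns 1 on success, 0 if the launch fails.
 * The function name and the PeekMessage body are assumptions, not the
 * installer's own code. */
int run_and_wait(char *cmdline, DWORD *exit_code)
{
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    DWORD r;

    /* 0040982C: CreateProcessA(NULL, cmdline, ...); 00409840: CloseHandle(hThread) */
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return 0;
    CloseHandle(pi.hThread);

    /* 00409845..0040985F: pump pending messages (assumed to be what CALL 00409790
     * does), then block until a new message arrives or the child exits. */
    do {
        MSG msg;
        while (PeekMessageA(&msg, NULL, 0, 0, PM_REMOVE)) {
            TranslateMessage(&msg);
            DispatchMessageA(&msg);
        }
        r = MsgWaitForMultipleObjects(1, &pi.hProcess, FALSE, INFINITE, QS_ALLINPUT);
    } while (wait_loop_continues(r));

    /* 0040986B: GetExitCodeProcess; 00409874: CloseHandle(hProcess) */
    GetExitCodeProcess(pi.hProcess, exit_code);
    CloseHandle(pi.hProcess);
    return 1;
}
#endif
```

The loop body runs once per batch of window messages and exits only when the waited-on process handle becomes signalled, which is why a run in which the child never exits keeps returning to 00409845.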