终于去掉了一个crackme的反调试(作者说是最简单的囧)
crackme的相关东西在上面的链接,下面具体说一下破解anti debug的全过程,首先当然是OD载入程序,代码如下:
代码
00401D80
>/
$
55
push ebp
00401D81 | . 8BEC mov ebp, esp
00401D83 | . 6A FF push - 1
00401D85 | . 68 68344000 push 00403468
00401D8A | . 68 061F4000 push < jmp. & MSVCRT._except_handler3 > ; SE 处理程序安装
00401D8F | . 64 :A1 0000000 > mov eax, dword ptr fs:[ 0 ]
00401D95 | . 50 push eax
00401D96 | . 64 : 8925 00000 > mov dword ptr fs:[ 0 ], esp ; 异常处理安装结束
00401D9D | . 83EC 68 sub esp, 68
00401DA0 | . 53 push ebx
00401DA1 | . 56 push esi
00401DA2 | . 57 push edi
00401DA3 | . 8965 E8 mov dword ptr [ebp - 18 ], esp
00401DA6 | . 33DB xor ebx, ebx
00401DA8 | . 895D FC mov dword ptr [ebp - 4 ], ebx
00401DAB | . 6A 02 push 2
00401DAD | . FF15 A8314000 call dword ptr [ <& MSVCRT.__set_app_ty > ; msvcrt.__set_app_type
00401DB3 | . 59 pop ecx
00401DB4 | . 830D 10414000 > or dword ptr [ 404110 ], FFFFFFFF ; 404110 ff
00401DBB | . 830D 14414000 > or dword ptr [ 404114 ], FFFFFFFF ; 404114 ff
00401DC2 | . FF15 A0314000 call dword ptr [ <& MSVCRT.__p__fmode > ] ; msvcrt.__p__fmode
00401DC8 | . 8B0D 04414000 mov ecx, dword ptr [ 404104 ]
00401DCE | . 8908 mov dword ptr [eax], ecx
00401DD0 | . FF15 9C314000 call dword ptr [ <& MSVCRT.__p__commode > ; msvcrt.__p__commode
00401DD6 | . 8B0D 00414000 mov ecx, dword ptr [ 404100 ]
00401DDC | . 8908 mov dword ptr [eax], ecx
00401DDE | . A1 A4314000 mov eax, dword ptr [ <& MSVCRT._adjust >
00401DE3 | . 8B00 mov eax, dword ptr [eax]
00401DE5 | . A3 0C414000 mov dword ptr [40410C], eax
00401DEA | . E8 16010000 call 00401F05 ;
00401DEF | . 391D 20404000 cmp dword ptr [ 404020 ], ebx
00401DF5 75 0C jnz short 00401E03
00401DF7 | . 68 021F4000 push 00401F02
00401DFC | . FF15 D0314000 call dword ptr [ <& MSVCRT.__setusermat > ; msvcrt.__setusermatherr
00401E02 | . 59 pop ecx
00401E03 |> E8 E8000000 call 00401EF0 ; call controlfp
00401E08 | . 68 14404000 push 00404014
00401E0D | . 68 10404000 push 00404010
00401E12 | . E8 D3000000 call < jmp. & MSVCRT._initterm >
00401E17 | . A1 FC404000 mov eax, dword ptr [4040FC]
00401E1C | . 8945 94 mov dword ptr [ebp - 6C], eax
00401E1F | . 8D45 94 lea eax, dword ptr [ebp - 6C]
00401E22 | . 50 push eax
00401E23 | . FF35 F8404000 push dword ptr [4040F8]
00401E29 | . 8D45 9C lea eax, dword ptr [ebp - 64 ]
00401E2C | . 50 push eax
00401E2D | . 8D45 90 lea eax, dword ptr [ebp - 70 ]
00401E30 | . 50 push eax
00401E31 | . 8D45 A0 lea eax, dword ptr [ebp - 60 ]
00401E34 | . 50 push eax
00401E35 | . FF15 B8314000 call dword ptr [ <& MSVCRT.__getmainarg > ; msvcrt.__getmainargs
00401E3B | . 68 0C404000 push 0040400C
00401E40 | . 68 00404000 push 00404000
00401E45 | . E8 A0000000 call < jmp. & MSVCRT._initterm >
00401E4A | . 83C4 24 add esp, 24
00401E4D | . A1 BC314000 mov eax, dword ptr [ <& MSVCRT._acmdln >
00401E52 | . 8B30 mov esi, dword ptr [eax]
00401E54 | . 8975 8C mov dword ptr [ebp - 74 ], esi
00401E57 | . 803E 22 cmp byte ptr [esi], 22
00401E5A | . 75 3A jnz short 00401E96
00401E5C |> 46 / inc esi
00401E5D | . 8975 8C | mov dword ptr [ebp - 74 ], esi
00401E60 | . 8A06 | mov al, byte ptr [esi]
00401E62 | . 3AC3 | cmp al, bl
00401E64 | . 74 04 | je short 00401E6A
00401E66 | . 3C 22 | cmp al, 22
00401E68 | . ^ 75 F2 \jnz short 00401E5C
00401E6A |> 803E 22 cmp byte ptr [esi], 22
00401E6D | . 75 04 jnz short 00401E73
00401E6F |> 46 inc esi
00401E70 | . 8975 8C mov dword ptr [ebp - 74 ], esi
00401E73 |> 8A06 mov al, byte ptr [esi]
00401E75 | . 3AC3 cmp al, bl
00401E77 | . 74 04 je short 00401E7D
00401E79 | . 3C 20 cmp al, 20
00401E7B | . ^ 76 F2 jbe short 00401E6F
00401E7D |> 895D D0 mov dword ptr [ebp - 30 ], ebx
00401E80 | . 8D45 A4 lea eax, dword ptr [ebp - 5C]
00401E83 | . 50 push eax ; / pStartupinfo
00401E84 | . FF15 20304000 call dword ptr [ <& KERNEL32.GetStartup > ; \GetStartupInfoA
00401E8A | . F645 D0 01 test byte ptr [ebp - 30 ], 1
00401E8E | . 74 11 je short 00401EA1
00401E90 | . 0FB745 D4 movzx eax, word ptr [ebp - 2C]
00401E94 | . EB 0E jmp short 00401EA4
00401E96 |> 803E 20 / cmp byte ptr [esi], 20
00401E99 | . ^ 76 D8 | jbe short 00401E73
00401E9B | . 46 | inc esi
00401E9C | . 8975 8C | mov dword ptr [ebp - 74 ], esi
00401E9F | . ^ EB F5 \jmp short 00401E96
00401EA1 |> 6A 0A push 0A
00401EA3 | . 58 pop eax
00401EA4 |> 50 push eax
00401EA5 | . 56 push esi
00401EA6 | . 53 push ebx
00401EA7 | . 53 push ebx ; / pModule
00401EA8 | . FF15 1C304000 call dword ptr [ <& KERNEL32.GetModuleH > ; \GetModuleHandleA
00401EAE | . 50 push eax
00401EAF | . E8 5E000000 call 00401F12 ; 呼叫winmain函数
00401EB4 | . 8945 98 mov dword ptr [ebp - 68 ], eax
00401EB7 | . 50 push eax ; / status
00401EB8 | . FF15 C0314000 call dword ptr [ <& MSVCRT.exit > ] ; \exit
00401EBE | . 8B45 EC mov eax, dword ptr [ebp - 14 ]
00401EC1 | . 8B08 mov ecx, dword ptr [eax]
00401EC3 | . 8B09 mov ecx, dword ptr [ecx]
00401EC5 | . 894D 88 mov dword ptr [ebp - 78 ], ecx
00401EC8 | . 50 push eax
00401EC9 | . 51 push ecx
00401ECA | . E8 15000000 call < jmp. & MSVCRT._XcptFilter >
00401ECF | . 59 pop ecx
00401ED0 | . 59 pop ecx
00401ED1 \. C3 retn
00401D81 | . 8BEC mov ebp, esp
00401D83 | . 6A FF push - 1
00401D85 | . 68 68344000 push 00403468
00401D8A | . 68 061F4000 push < jmp. & MSVCRT._except_handler3 > ; SE 处理程序安装
00401D8F | . 64 :A1 0000000 > mov eax, dword ptr fs:[ 0 ]
00401D95 | . 50 push eax
00401D96 | . 64 : 8925 00000 > mov dword ptr fs:[ 0 ], esp ; 异常处理安装结束
00401D9D | . 83EC 68 sub esp, 68
00401DA0 | . 53 push ebx
00401DA1 | . 56 push esi
00401DA2 | . 57 push edi
00401DA3 | . 8965 E8 mov dword ptr [ebp - 18 ], esp
00401DA6 | . 33DB xor ebx, ebx
00401DA8 | . 895D FC mov dword ptr [ebp - 4 ], ebx
00401DAB | . 6A 02 push 2
00401DAD | . FF15 A8314000 call dword ptr [ <& MSVCRT.__set_app_ty > ; msvcrt.__set_app_type
00401DB3 | . 59 pop ecx
00401DB4 | . 830D 10414000 > or dword ptr [ 404110 ], FFFFFFFF ; 404110 ff
00401DBB | . 830D 14414000 > or dword ptr [ 404114 ], FFFFFFFF ; 404114 ff
00401DC2 | . FF15 A0314000 call dword ptr [ <& MSVCRT.__p__fmode > ] ; msvcrt.__p__fmode
00401DC8 | . 8B0D 04414000 mov ecx, dword ptr [ 404104 ]
00401DCE | . 8908 mov dword ptr [eax], ecx
00401DD0 | . FF15 9C314000 call dword ptr [ <& MSVCRT.__p__commode > ; msvcrt.__p__commode
00401DD6 | . 8B0D 00414000 mov ecx, dword ptr [ 404100 ]
00401DDC | . 8908 mov dword ptr [eax], ecx
00401DDE | . A1 A4314000 mov eax, dword ptr [ <& MSVCRT._adjust >
00401DE3 | . 8B00 mov eax, dword ptr [eax]
00401DE5 | . A3 0C414000 mov dword ptr [40410C], eax
00401DEA | . E8 16010000 call 00401F05 ;
00401DEF | . 391D 20404000 cmp dword ptr [ 404020 ], ebx
00401DF5 75 0C jnz short 00401E03
00401DF7 | . 68 021F4000 push 00401F02
00401DFC | . FF15 D0314000 call dword ptr [ <& MSVCRT.__setusermat > ; msvcrt.__setusermatherr
00401E02 | . 59 pop ecx
00401E03 |> E8 E8000000 call 00401EF0 ; call controlfp
00401E08 | . 68 14404000 push 00404014
00401E0D | . 68 10404000 push 00404010
00401E12 | . E8 D3000000 call < jmp. & MSVCRT._initterm >
00401E17 | . A1 FC404000 mov eax, dword ptr [4040FC]
00401E1C | . 8945 94 mov dword ptr [ebp - 6C], eax
00401E1F | . 8D45 94 lea eax, dword ptr [ebp - 6C]
00401E22 | . 50 push eax
00401E23 | . FF35 F8404000 push dword ptr [4040F8]
00401E29 | . 8D45 9C lea eax, dword ptr [ebp - 64 ]
00401E2C | . 50 push eax
00401E2D | . 8D45 90 lea eax, dword ptr [ebp - 70 ]
00401E30 | . 50 push eax
00401E31 | . 8D45 A0 lea eax, dword ptr [ebp - 60 ]
00401E34 | . 50 push eax
00401E35 | . FF15 B8314000 call dword ptr [ <& MSVCRT.__getmainarg > ; msvcrt.__getmainargs
00401E3B | . 68 0C404000 push 0040400C
00401E40 | . 68 00404000 push 00404000
00401E45 | . E8 A0000000 call < jmp. & MSVCRT._initterm >
00401E4A | . 83C4 24 add esp, 24
00401E4D | . A1 BC314000 mov eax, dword ptr [ <& MSVCRT._acmdln >
00401E52 | . 8B30 mov esi, dword ptr [eax]
00401E54 | . 8975 8C mov dword ptr [ebp - 74 ], esi
00401E57 | . 803E 22 cmp byte ptr [esi], 22
00401E5A | . 75 3A jnz short 00401E96
00401E5C |> 46 / inc esi
00401E5D | . 8975 8C | mov dword ptr [ebp - 74 ], esi
00401E60 | . 8A06 | mov al, byte ptr [esi]
00401E62 | . 3AC3 | cmp al, bl
00401E64 | . 74 04 | je short 00401E6A
00401E66 | . 3C 22 | cmp al, 22
00401E68 | . ^ 75 F2 \jnz short 00401E5C
00401E6A |> 803E 22 cmp byte ptr [esi], 22
00401E6D | . 75 04 jnz short 00401E73
00401E6F |> 46 inc esi
00401E70 | . 8975 8C mov dword ptr [ebp - 74 ], esi
00401E73 |> 8A06 mov al, byte ptr [esi]
00401E75 | . 3AC3 cmp al, bl
00401E77 | . 74 04 je short 00401E7D
00401E79 | . 3C 20 cmp al, 20
00401E7B | . ^ 76 F2 jbe short 00401E6F
00401E7D |> 895D D0 mov dword ptr [ebp - 30 ], ebx
00401E80 | . 8D45 A4 lea eax, dword ptr [ebp - 5C]
00401E83 | . 50 push eax ; / pStartupinfo
00401E84 | . FF15 20304000 call dword ptr [ <& KERNEL32.GetStartup > ; \GetStartupInfoA
00401E8A | . F645 D0 01 test byte ptr [ebp - 30 ], 1
00401E8E | . 74 11 je short 00401EA1
00401E90 | . 0FB745 D4 movzx eax, word ptr [ebp - 2C]
00401E94 | . EB 0E jmp short 00401EA4
00401E96 |> 803E 20 / cmp byte ptr [esi], 20
00401E99 | . ^ 76 D8 | jbe short 00401E73
00401E9B | . 46 | inc esi
00401E9C | . 8975 8C | mov dword ptr [ebp - 74 ], esi
00401E9F | . ^ EB F5 \jmp short 00401E96
00401EA1 |> 6A 0A push 0A
00401EA3 | . 58 pop eax
00401EA4 |> 50 push eax
00401EA5 | . 56 push esi
00401EA6 | . 53 push ebx
00401EA7 | . 53 push ebx ; / pModule
00401EA8 | . FF15 1C304000 call dword ptr [ <& KERNEL32.GetModuleH > ; \GetModuleHandleA
00401EAE | . 50 push eax
00401EAF | . E8 5E000000 call 00401F12 ; 呼叫winmain函数
00401EB4 | . 8945 98 mov dword ptr [ebp - 68 ], eax
00401EB7 | . 50 push eax ; / status
00401EB8 | . FF15 C0314000 call dword ptr [ <& MSVCRT.exit > ] ; \exit
00401EBE | . 8B45 EC mov eax, dword ptr [ebp - 14 ]
00401EC1 | . 8B08 mov ecx, dword ptr [eax]
00401EC3 | . 8B09 mov ecx, dword ptr [ecx]
00401EC5 | . 894D 88 mov dword ptr [ebp - 78 ], ecx
00401EC8 | . 50 push eax
00401EC9 | . 51 push ecx
00401ECA | . E8 15000000 call < jmp. & MSVCRT._XcptFilter >
00401ECF | . 59 pop ecx
00401ED0 | . 59 pop ecx
00401ED1 \. C3 retn
就在我注释的地方“呼叫winmain函数”是crackme的主函数,所以我们要进去看看,so,f4执行到00401EAF处,进去
代码
00401F12
/
$ FF7424
10
push dword ptr [esp
+
10
]
00401F16 | . FF7424 10 push dword ptr [esp + 10 ]
00401F1A | . FF7424 10 push dword ptr [esp + 10 ]
00401F1E | . FF7424 10 push dword ptr [esp + 10 ]
00401F22 | . E8 43000000 call < jmp. & MFC42.#1576_AfxWinMain >
00401F27 \. C2 1000 retn 10
00401F16 | . FF7424 10 push dword ptr [esp + 10 ]
00401F1A | . FF7424 10 push dword ptr [esp + 10 ]
00401F1E | . FF7424 10 push dword ptr [esp + 10 ]
00401F22 | . E8 43000000 call < jmp. & MFC42.#1576_AfxWinMain >
00401F27 \. C2 1000 retn 10
这个函数里面只有一个call,进去
代码
73D3CF2B
>
8BFF mov edi, edi ; ntdll.7C930228
73D3CF2D 53 push ebx
73D3CF2E 56 push esi
73D3CF2F 57 push edi
73D3CF30 83CB FF or ebx, FFFFFFFF
73D3CF33 E8 CD40FFFF call #1175_AfxGetThread
73D3CF38 8BF0 mov esi, eax
73D3CF3A E8 97B30800 call #1168_AfxGetModuleState
73D3CF3F FF7424 1C push dword ptr [esp + 1C]
73D3CF43 8B78 04 mov edi, dword ptr [eax + 4 ]
73D3CF46 FF7424 1C push dword ptr [esp + 1C]
73D3CF4A FF7424 1C push dword ptr [esp + 1C]
73D3CF4E FF7424 1C push dword ptr [esp + 1C]
73D3CF52 E8 C1CC0800 call #1575_AfxWinInit
73D3CF57 85C0 test eax, eax
73D3CF59 74 3C je short 73D3CF97
73D3CF5B 85FF test edi, edi
73D3CF5D 74 0E je short 73D3CF6D
73D3CF5F 8B07 mov eax, dword ptr [edi]
73D3CF61 8BCF mov ecx, edi
73D3CF63 FF90 8C000000 call dword ptr [eax + 8C]
73D3CF69 85C0 test eax, eax
73D3CF6B 74 2A je short 73D3CF97
73D3CF6D 8B06 mov eax, dword ptr [esi]
73D3CF6F 8BCE mov ecx, esi ; 关键call
73D3CF71 FF50 58 call dword ptr [eax + 58 ] ; ispresent & crc
73D3CF74 85C0 test eax, eax
73D3CF76 75 16 jnz short 73D3CF8E
73D3CF78 3946 20 cmp dword ptr [esi + 20 ], eax
73D3CF7B 74 08 je short 73D3CF85
73D3CF7D 8B4E 20 mov ecx, dword ptr [esi + 20 ]
73D3CF80 8B01 mov eax, dword ptr [ecx]
73D3CF82 FF50 60 call dword ptr [eax + 60 ]
73D3CF85 8B06 mov eax, dword ptr [esi]
73D3CF87 8BCE mov ecx, esi
73D3CF89 FF50 70 call dword ptr [eax + 70 ] ; 退出
73D3CF8C EB 07 jmp short 73D3CF95
73D3CF8E 8B06 mov eax, dword ptr [esi]
73D3CF90 8BCE mov ecx, esi
73D3CF92 FF50 5C call dword ptr [eax + 5C]
73D3CF95 8BD8 mov ebx, eax
73D3CF97 E8 37B6FFFF call #1577_AfxWinTerm
73D3CF9C 5F pop edi
73D3CF9D 5E pop esi
73D3CF9E 8BC3 mov eax, ebx
73D3CFA0 5B pop ebx
73D3CFA1 C2 1000 retn 10
73D3CF2D 53 push ebx
73D3CF2E 56 push esi
73D3CF2F 57 push edi
73D3CF30 83CB FF or ebx, FFFFFFFF
73D3CF33 E8 CD40FFFF call #1175_AfxGetThread
73D3CF38 8BF0 mov esi, eax
73D3CF3A E8 97B30800 call #1168_AfxGetModuleState
73D3CF3F FF7424 1C push dword ptr [esp + 1C]
73D3CF43 8B78 04 mov edi, dword ptr [eax + 4 ]
73D3CF46 FF7424 1C push dword ptr [esp + 1C]
73D3CF4A FF7424 1C push dword ptr [esp + 1C]
73D3CF4E FF7424 1C push dword ptr [esp + 1C]
73D3CF52 E8 C1CC0800 call #1575_AfxWinInit
73D3CF57 85C0 test eax, eax
73D3CF59 74 3C je short 73D3CF97
73D3CF5B 85FF test edi, edi
73D3CF5D 74 0E je short 73D3CF6D
73D3CF5F 8B07 mov eax, dword ptr [edi]
73D3CF61 8BCF mov ecx, edi
73D3CF63 FF90 8C000000 call dword ptr [eax + 8C]
73D3CF69 85C0 test eax, eax
73D3CF6B 74 2A je short 73D3CF97
73D3CF6D 8B06 mov eax, dword ptr [esi]
73D3CF6F 8BCE mov ecx, esi ; 关键call
73D3CF71 FF50 58 call dword ptr [eax + 58 ] ; ispresent & crc
73D3CF74 85C0 test eax, eax
73D3CF76 75 16 jnz short 73D3CF8E
73D3CF78 3946 20 cmp dword ptr [esi + 20 ], eax
73D3CF7B 74 08 je short 73D3CF85
73D3CF7D 8B4E 20 mov ecx, dword ptr [esi + 20 ]
73D3CF80 8B01 mov eax, dword ptr [ecx]
73D3CF82 FF50 60 call dword ptr [eax + 60 ]
73D3CF85 8B06 mov eax, dword ptr [esi]
73D3CF87 8BCE mov ecx, esi
73D3CF89 FF50 70 call dword ptr [eax + 70 ] ; 退出
73D3CF8C EB 07 jmp short 73D3CF95
73D3CF8E 8B06 mov eax, dword ptr [esi]
73D3CF90 8BCE mov ecx, esi
73D3CF92 FF50 5C call dword ptr [eax + 5C]
73D3CF95 8BD8 mov ebx, eax
73D3CF97 E8 37B6FFFF call #1577_AfxWinTerm
73D3CF9C 5F pop edi
73D3CF9D 5E pop esi
73D3CF9E 8BC3 mov eax, ebx
73D3CFA0 5B pop ebx
73D3CFA1 C2 1000 retn 10
在注释的地方是进行调试器检测和文件crc的地方,进去
代码
004010B0 . 6A FF push
-
1
004010B2 . 68 881F4000 push 00401F88 ; SE 处理程序安装
004010B7 . 64 :A1 0000000 > mov eax, dword ptr fs:[ 0 ]
004010BD . 50 push eax
004010BE . 64 : 8925 00000 > mov dword ptr fs:[ 0 ], esp
004010C5 . 83EC 70 sub esp, 70
004010C8 . 56 push esi
004010C9 . 8BF1 mov esi, ecx
004010CB . 6A 00 push 0
004010CD . E8 4A0B0000 call < jmp. & MFC42.#1134_AfxEnableControlContainer >
004010D2 . 83C4 04 add esp, 4
004010D5 . 8BCE mov ecx, esi
004010D7 . E8 3A0B0000 call < jmp. & MFC42.#2621_CWinApp::Enable3dControls >
004010DC . 6A 00 push 0
004010DE . 8D4C24 08 lea ecx, dword ptr [esp + 8 ]
004010E2 . E8 F9000000 call 004011E0
004010E7 . 8D4424 04 lea eax, dword ptr [esp + 4 ]
004010EB . 8D4C24 04 lea ecx, dword ptr [esp + 4 ]
004010EF . C74424 7C 000 > mov dword ptr [esp + 7C], 0
004010F7 . 8946 20 mov dword ptr [esi + 20 ], eax
004010FA . E8 41050000 call 00401640 ; 这里是调用isdebugpresent和文件crc
004010FF . 8D4C24 04 lea ecx, dword ptr [esp + 4 ]
00401103 . E8 080B0000 call < jmp. & MFC42.#2514_CDialog::DoModal >
00401108 . 8D4C24 68 lea ecx, dword ptr [esp + 68 ]
0040110C . C74424 7C 020 > mov dword ptr [esp + 7C], 2
00401114 . E8 F10A0000 call < jmp. & MFC42.#800_CString:: ~ CString >
00401119 . 8D4C24 64 lea ecx, dword ptr [esp + 64 ]
0040111D . C64424 7C 01 mov byte ptr [esp + 7C], 1
00401122 . E8 E30A0000 call < jmp. & MFC42.#800_CString:: ~ CString >
00401127 . 8D4C24 04 lea ecx, dword ptr [esp + 4 ]
0040112B . C74424 7C FFF > mov dword ptr [esp + 7C], - 1
00401133 . E8 CC0A0000 call < jmp. & MFC42.#641_CDialog:: ~ CDialog >
00401138 . 8B4C24 74 mov ecx, dword ptr [esp + 74 ]
0040113C . 33C0 xor eax, eax
0040113E . 5E pop esi
0040113F . 64 :890D 00000 > mov dword ptr fs:[ 0 ], ecx
00401146 . 83C4 7C add esp, 7C
00401149 . C3 retn
004010B2 . 68 881F4000 push 00401F88 ; SE 处理程序安装
004010B7 . 64 :A1 0000000 > mov eax, dword ptr fs:[ 0 ]
004010BD . 50 push eax
004010BE . 64 : 8925 00000 > mov dword ptr fs:[ 0 ], esp
004010C5 . 83EC 70 sub esp, 70
004010C8 . 56 push esi
004010C9 . 8BF1 mov esi, ecx
004010CB . 6A 00 push 0
004010CD . E8 4A0B0000 call < jmp. & MFC42.#1134_AfxEnableControlContainer >
004010D2 . 83C4 04 add esp, 4
004010D5 . 8BCE mov ecx, esi
004010D7 . E8 3A0B0000 call < jmp. & MFC42.#2621_CWinApp::Enable3dControls >
004010DC . 6A 00 push 0
004010DE . 8D4C24 08 lea ecx, dword ptr [esp + 8 ]
004010E2 . E8 F9000000 call 004011E0
004010E7 . 8D4424 04 lea eax, dword ptr [esp + 4 ]
004010EB . 8D4C24 04 lea ecx, dword ptr [esp + 4 ]
004010EF . C74424 7C 000 > mov dword ptr [esp + 7C], 0
004010F7 . 8946 20 mov dword ptr [esi + 20 ], eax
004010FA . E8 41050000 call 00401640 ; 这里是调用isdebugpresent和文件crc
004010FF . 8D4C24 04 lea ecx, dword ptr [esp + 4 ]
00401103 . E8 080B0000 call < jmp. & MFC42.#2514_CDialog::DoModal >
00401108 . 8D4C24 68 lea ecx, dword ptr [esp + 68 ]
0040110C . C74424 7C 020 > mov dword ptr [esp + 7C], 2
00401114 . E8 F10A0000 call < jmp. & MFC42.#800_CString:: ~ CString >
00401119 . 8D4C24 64 lea ecx, dword ptr [esp + 64 ]
0040111D . C64424 7C 01 mov byte ptr [esp + 7C], 1
00401122 . E8 E30A0000 call < jmp. & MFC42.#800_CString:: ~ CString >
00401127 . 8D4C24 04 lea ecx, dword ptr [esp + 4 ]
0040112B . C74424 7C FFF > mov dword ptr [esp + 7C], - 1
00401133 . E8 CC0A0000 call < jmp. & MFC42.#641_CDialog:: ~ CDialog >
00401138 . 8B4C24 74 mov ecx, dword ptr [esp + 74 ]
0040113C . 33C0 xor eax, eax
0040113E . 5E pop esi
0040113F . 64 :890D 00000 > mov dword ptr fs:[ 0 ], ecx
00401146 . 83C4 7C add esp, 7C
00401149 . C3 retn
里面又是一层调用,nnd,跟进
代码
00401640
/
$ 6A FF push
-
1
; 关键代码,作一些比较
00401642 | . 68 18204000 push 00402018 ; SE 处理程序安装
00401647 | . 64 :A1 0000000 > mov eax, dword ptr fs:[ 0 ]
0040164D | . 50 push eax
0040164E | . 64 : 8925 00000 > mov dword ptr fs:[ 0 ], esp
00401655 | . 83EC 28 sub esp, 28
00401658 | . 53 push ebx
00401659 | . 55 push ebp
0040165A | . 8BE9 mov ebp, ecx
0040165C | . B0 65 mov al, 65
0040165E | . B1 6C mov cl, 6C
00401660 | . B2 72 mov dl, 72
00401662 | . 884C24 11 mov byte ptr [esp + 11 ], cl
00401666 | . 884C24 16 mov byte ptr [esp + 16 ], cl
0040166A | . 884C24 17 mov byte ptr [esp + 17 ], cl
0040166E | . B1 67 mov cl, 67
00401670 | . B3 73 mov bl, 73
00401672 | . 884C24 22 mov byte ptr [esp + 22 ], cl
00401676 | . 884C24 23 mov byte ptr [esp + 23 ], cl
0040167A | . 56 push esi
0040167B | . 8D4C24 0C lea ecx, dword ptr [esp + C]
0040167F | . C64424 10 4B mov byte ptr [esp + 10 ], 4B ; 这一段就是传说中的硬编码啊
00401684 | . 884424 11 mov byte ptr [esp + 11 ], al
00401688 | . 885424 12 mov byte ptr [esp + 12 ], dl
0040168C | . C64424 13 6E mov byte ptr [esp + 13 ], 6E
00401691 | . 884424 14 mov byte ptr [esp + 14 ], al
00401695 | . C64424 16 33 mov byte ptr [esp + 16 ], 33
0040169A | . C64424 17 32 mov byte ptr [esp + 17 ], 32
0040169F | . C64424 18 2E mov byte ptr [esp + 18 ], 2E
004016A4 | . C64424 19 64 mov byte ptr [esp + 19 ], 64
004016A9 | . C64424 1C 00 mov byte ptr [esp + 1C], 0
004016AE | . C64424 20 49 mov byte ptr [esp + 20 ], 49
004016B3 | . 885C24 21 mov byte ptr [esp + 21 ], bl
004016B7 | . C64424 22 44 mov byte ptr [esp + 22 ], 44
004016BC | . 884424 23 mov byte ptr [esp + 23 ], al
004016C0 | . C64424 24 62 mov byte ptr [esp + 24 ], 62
004016C5 | . C64424 25 75 mov byte ptr [esp + 25 ], 75
004016CA | . 884424 28 mov byte ptr [esp + 28 ], al
004016CE | . 885424 29 mov byte ptr [esp + 29 ], dl
004016D2 | . C64424 2A 50 mov byte ptr [esp + 2A], 50
004016D7 | . 885424 2B mov byte ptr [esp + 2B], dl
004016DB | . 884424 2C mov byte ptr [esp + 2C], al
004016DF | . 885C24 2D mov byte ptr [esp + 2D], bl
004016E3 | . 884424 2E mov byte ptr [esp + 2E], al
004016E7 | . C64424 2F 6E mov byte ptr [esp + 2F], 6E
004016EC | . C64424 30 74 mov byte ptr [esp + 30 ], 74
004016F1 | . C64424 31 00 mov byte ptr [esp + 31 ], 0
004016F6 | . E8 ED050000 call < jmp. & MFC42.#540_CString::CString >
004016FB | . C74424 3C 000 > mov dword ptr [esp + 3C], 0
00401703 | . 33F6 xor esi, esi
00401705 |> 8A4434 10 / mov al, byte ptr [esp + esi + 10 ]
00401709 | . 8D4C24 0C | lea ecx, dword ptr [esp + C]
0040170D | . 50 | push eax
0040170E | . E8 05060000 | call < jmp. & MFC42.#940_CString:: operator +=>
00401713 | . 46 | inc esi
00401714 | . 83FE 0C | cmp esi, 0C
00401717 | . ^ 7C EC \jl short 00401705
00401719 | . 8B4C24 0C mov ecx, dword ptr [esp + C]
0040171D | . 57 push edi
0040171E | . 51 push ecx ; / FileName
0040171F | . FF15 04304000 call dword ptr [ <& KERNEL32.LoadLibraryA > ] ; \LoadLibraryA
00401725 | . 68 EC404000 push 004040EC
0040172A | . 8D4C24 14 lea ecx, dword ptr [esp + 14 ]
0040172E | . 8BF8 mov edi, eax
00401730 | . E8 AD050000 call < jmp. & MFC42.#860_CString:: operator =>
00401735 | . 8B1D 00324000 mov ebx, dword ptr [ <& USER32.PostQuitMessage > ] ; USER32.PostQuitMessage
0040173B | . 85FF test edi, edi
0040173D | . 74 2C je short 0040176B
0040173F | . 33F6 xor esi, esi
00401741 |> 8A5434 24 / mov dl, byte ptr [esp + esi + 24 ]
00401745 | . 8D4C24 10 | lea ecx, dword ptr [esp + 10 ]
00401749 | . 52 | push edx
0040174A | . E8 C9050000 | call < jmp. & MFC42.#940_CString:: operator +=>
0040174F | . 46 | inc esi
00401750 | . 83FE 11 | cmp esi, 11
00401753 | . ^ 7C EC \jl short 00401741
00401755 | . 8B4424 10 mov eax, dword ptr [esp + 10 ] ; isdebuggerpresent
00401759 | . 50 push eax ; / ProcNameOrOrdinal
0040175A | . 57 push edi ; | hModule
0040175B | . FF15 00304000 call dword ptr [ <& KERNEL32.GetProcAddress > ] ; \GetProcAddress
00401761 | . FFD0 call eax ; 调用IsDebuggerPresent
00401763 | . 85C0 test eax, eax
00401765 74 04 je short 0040176B ; 如果检测到调试器就退出
00401767 6A 00 push 0
00401769 | . FFD3 call ebx ; 调用PostQuitMessage
0040176B |> 8BCD mov ecx, ebp
0040176D | . E8 2E000000 call 004017A0 ; 如果没检测到就进行文件crc
00401772 | . 85C0 test eax, eax
00401774 | . 5F pop edi
00401775 | . 75 03 jnz short 0040177A
00401777 | . 50 push eax
00401778 | . FFD3 call ebx
0040177A |> 8D4C24 0C lea ecx, dword ptr [esp + C]
0040177E | . C74424 3C FFF > mov dword ptr [esp + 3C], - 1
00401786 | . E8 7F040000 call < jmp. & MFC42.#800_CString:: ~ CString >
0040178B | . 8B4C24 34 mov ecx, dword ptr [esp + 34 ]
0040178F | . 5E pop esi
00401790 | . 5D pop ebp
00401791 | . 5B pop ebx
00401792 | . 64 :890D 00000 > mov dword ptr fs:[ 0 ], ecx
00401799 | . 83C4 34 add esp, 34
0040179C \. C3 retn
00401642 | . 68 18204000 push 00402018 ; SE 处理程序安装
00401647 | . 64 :A1 0000000 > mov eax, dword ptr fs:[ 0 ]
0040164D | . 50 push eax
0040164E | . 64 : 8925 00000 > mov dword ptr fs:[ 0 ], esp
00401655 | . 83EC 28 sub esp, 28
00401658 | . 53 push ebx
00401659 | . 55 push ebp
0040165A | . 8BE9 mov ebp, ecx
0040165C | . B0 65 mov al, 65
0040165E | . B1 6C mov cl, 6C
00401660 | . B2 72 mov dl, 72
00401662 | . 884C24 11 mov byte ptr [esp + 11 ], cl
00401666 | . 884C24 16 mov byte ptr [esp + 16 ], cl
0040166A | . 884C24 17 mov byte ptr [esp + 17 ], cl
0040166E | . B1 67 mov cl, 67
00401670 | . B3 73 mov bl, 73
00401672 | . 884C24 22 mov byte ptr [esp + 22 ], cl
00401676 | . 884C24 23 mov byte ptr [esp + 23 ], cl
0040167A | . 56 push esi
0040167B | . 8D4C24 0C lea ecx, dword ptr [esp + C]
0040167F | . C64424 10 4B mov byte ptr [esp + 10 ], 4B ; 这一段就是传说中的硬编码啊
00401684 | . 884424 11 mov byte ptr [esp + 11 ], al
00401688 | . 885424 12 mov byte ptr [esp + 12 ], dl
0040168C | . C64424 13 6E mov byte ptr [esp + 13 ], 6E
00401691 | . 884424 14 mov byte ptr [esp + 14 ], al
00401695 | . C64424 16 33 mov byte ptr [esp + 16 ], 33
0040169A | . C64424 17 32 mov byte ptr [esp + 17 ], 32
0040169F | . C64424 18 2E mov byte ptr [esp + 18 ], 2E
004016A4 | . C64424 19 64 mov byte ptr [esp + 19 ], 64
004016A9 | . C64424 1C 00 mov byte ptr [esp + 1C], 0
004016AE | . C64424 20 49 mov byte ptr [esp + 20 ], 49
004016B3 | . 885C24 21 mov byte ptr [esp + 21 ], bl
004016B7 | . C64424 22 44 mov byte ptr [esp + 22 ], 44
004016BC | . 884424 23 mov byte ptr [esp + 23 ], al
004016C0 | . C64424 24 62 mov byte ptr [esp + 24 ], 62
004016C5 | . C64424 25 75 mov byte ptr [esp + 25 ], 75
004016CA | . 884424 28 mov byte ptr [esp + 28 ], al
004016CE | . 885424 29 mov byte ptr [esp + 29 ], dl
004016D2 | . C64424 2A 50 mov byte ptr [esp + 2A], 50
004016D7 | . 885424 2B mov byte ptr [esp + 2B], dl
004016DB | . 884424 2C mov byte ptr [esp + 2C], al
004016DF | . 885C24 2D mov byte ptr [esp + 2D], bl
004016E3 | . 884424 2E mov byte ptr [esp + 2E], al
004016E7 | . C64424 2F 6E mov byte ptr [esp + 2F], 6E
004016EC | . C64424 30 74 mov byte ptr [esp + 30 ], 74
004016F1 | . C64424 31 00 mov byte ptr [esp + 31 ], 0
004016F6 | . E8 ED050000 call < jmp. & MFC42.#540_CString::CString >
004016FB | . C74424 3C 000 > mov dword ptr [esp + 3C], 0
00401703 | . 33F6 xor esi, esi
00401705 |> 8A4434 10 / mov al, byte ptr [esp + esi + 10 ]
00401709 | . 8D4C24 0C | lea ecx, dword ptr [esp + C]
0040170D | . 50 | push eax
0040170E | . E8 05060000 | call < jmp. & MFC42.#940_CString:: operator +=>
00401713 | . 46 | inc esi
00401714 | . 83FE 0C | cmp esi, 0C
00401717 | . ^ 7C EC \jl short 00401705
00401719 | . 8B4C24 0C mov ecx, dword ptr [esp + C]
0040171D | . 57 push edi
0040171E | . 51 push ecx ; / FileName
0040171F | . FF15 04304000 call dword ptr [ <& KERNEL32.LoadLibraryA > ] ; \LoadLibraryA
00401725 | . 68 EC404000 push 004040EC
0040172A | . 8D4C24 14 lea ecx, dword ptr [esp + 14 ]
0040172E | . 8BF8 mov edi, eax
00401730 | . E8 AD050000 call < jmp. & MFC42.#860_CString:: operator =>
00401735 | . 8B1D 00324000 mov ebx, dword ptr [ <& USER32.PostQuitMessage > ] ; USER32.PostQuitMessage
0040173B | . 85FF test edi, edi
0040173D | . 74 2C je short 0040176B
0040173F | . 33F6 xor esi, esi
00401741 |> 8A5434 24 / mov dl, byte ptr [esp + esi + 24 ]
00401745 | . 8D4C24 10 | lea ecx, dword ptr [esp + 10 ]
00401749 | . 52 | push edx
0040174A | . E8 C9050000 | call < jmp. & MFC42.#940_CString:: operator +=>
0040174F | . 46 | inc esi
00401750 | . 83FE 11 | cmp esi, 11
00401753 | . ^ 7C EC \jl short 00401741
00401755 | . 8B4424 10 mov eax, dword ptr [esp + 10 ] ; isdebuggerpresent
00401759 | . 50 push eax ; / ProcNameOrOrdinal
0040175A | . 57 push edi ; | hModule
0040175B | . FF15 00304000 call dword ptr [ <& KERNEL32.GetProcAddress > ] ; \GetProcAddress
00401761 | . FFD0 call eax ; 调用IsDebuggerPresent
00401763 | . 85C0 test eax, eax
00401765 74 04 je short 0040176B ; 如果检测到调试器就退出
00401767 6A 00 push 0
00401769 | . FFD3 call ebx ; 调用PostQuitMessage
0040176B |> 8BCD mov ecx, ebp
0040176D | . E8 2E000000 call 004017A0 ; 如果没检测到就进行文件crc
00401772 | . 85C0 test eax, eax
00401774 | . 5F pop edi
00401775 | . 75 03 jnz short 0040177A
00401777 | . 50 push eax
00401778 | . FFD3 call ebx
0040177A |> 8D4C24 0C lea ecx, dword ptr [esp + C]
0040177E | . C74424 3C FFF > mov dword ptr [esp + 3C], - 1
00401786 | . E8 7F040000 call < jmp. & MFC42.#800_CString:: ~ CString >
0040178B | . 8B4C24 34 mov ecx, dword ptr [esp + 34 ]
0040178F | . 5E pop esi
00401790 | . 5D pop ebp
00401791 | . 5B pop ebx
00401792 | . 64 :890D 00000 > mov dword ptr fs:[ 0 ], ecx
00401799 | . 83C4 34 add esp, 34
0040179C \. C3 retn
很牛啊,硬编码调用isdebugpresent,如果没检测到调试器就再进行文件crc,跟进crc看看
代码
004017A0
/
$ 81EC 0C010000 sub esp, 10C
004017A6 | . 8D4424 08 lea eax, dword ptr [esp + 8 ]
004017AA | . 53 push ebx
004017AB | . 55 push ebp
004017AC | . 56 push esi
004017AD | . 68 04010000 push 104 ; / BufSize = 104 ( 260 .)
004017B2 | . 50 push eax ; | PathBuffer
004017B3 | . 8BE9 mov ebp, ecx ; |
004017B5 | . 6A 00 push 0 ; | hModule = NULL
004017B7 | . FF15 18304000 call dword ptr [ <& KERNEL32.GetModuleFileNameA > ] ; \GetModuleFileNameA
004017BD | . 6A 00 push 0 ; / hTemplateFile = NULL
004017BF | . 68 80000000 push 80 ; | Attributes = NORMAL
004017C4 | . 6A 03 push 3 ; | Mode = OPEN_EXISTING
004017C6 | . 6A 00 push 0 ; | pSecurity = NULL
004017C8 | . 6A 01 push 1 ; | ShareMode = FILE_SHARE_READ
004017CA | . 8D4C24 28 lea ecx, dword ptr [esp + 28 ] ; |
004017CE | . 68 00000080 push 80000000 ; | Access = GENERIC_READ
004017D3 | . 51 push ecx ; | FileName
004017D4 | . FF15 14304000 call dword ptr [ <& KERNEL32.CreateFileA > ] ; \CreateFileA
004017DA | . 8BD8 mov ebx, eax
004017DC | . 83FB FF cmp ebx, - 1
004017DF | . 75 0C jnz short 004017ED
004017E1 | . 5E pop esi
004017E2 | . 5D pop ebp
004017E3 | . 33C0 xor eax, eax
004017E5 | . 5B pop ebx
004017E6 | . 81C4 0C010000 add esp, 10C
004017EC | . C3 retn
004017ED |> 6A 00 push 0 ; / pFileSizeHigh = NULL
004017EF | . 53 push ebx ; | hFile
004017F0 | . FF15 10304000 call dword ptr [ <& KERNEL32.GetFileSize > ] ; \GetFileSize
004017F6 | . 8BF0 mov esi, eax
004017F8 | . 83FE FF cmp esi, - 1
004017FB | . 75 0C jnz short 00401809
004017FD | . 5E pop esi
004017FE | . 5D pop ebp
004017FF | . 33C0 xor eax, eax
00401801 | . 5B pop ebx
00401802 | . 81C4 0C010000 add esp, 10C
00401808 | . C3 retn
00401809 |> 57 push edi
0040180A | . 56 push esi
0040180B | . E8 1A050000 call < jmp. & MFC42.#823_operator new >
00401810 | . 83C4 04 add esp, 4
00401813 | . 8D5424 14 lea edx, dword ptr [esp + 14 ]
00401817 | . 8BF8 mov edi, eax
00401819 | . 6A 00 push 0 ; / pOverlapped = NULL
0040181B | . 52 push edx ; | pBytesRead
0040181C | . 56 push esi ; | BytesToRead
0040181D | . 57 push edi ; | Buffer
0040181E | . 53 push ebx ; | hFile
0040181F | . FF15 0C304000 call dword ptr [ <& KERNEL32.ReadFile > ] ; \ReadFile
00401825 | . 53 push ebx ; / hObject
00401826 | . FF15 08304000 call dword ptr [ <& KERNEL32.CloseHandle > ] ; \CloseHandle
0040182C | . 8A47 3C mov al, byte ptr [edi + 3C]
0040182F | . 884424 10 mov byte ptr [esp + 10 ], al
00401833 | . 8B4424 10 mov eax, dword ptr [esp + 10 ]
00401837 | . 25 FF000000 and eax, 0FF
0040183C | . 2BF0 sub esi, eax
0040183E | . 8D0C38 lea ecx, dword ptr [eax + edi]
00401841 | . 56 push esi
00401842 | . 51 push ecx
00401843 | . 8B79 FC mov edi, dword ptr [ecx - 4 ]
00401846 | . 8BCD mov ecx, ebp
00401848 | . E8 23000000 call 00401870
0040184D | . 33C9 xor ecx, ecx
0040184F | . 3BC7 cmp eax, edi
00401851 | . 5F pop edi
00401852 | . 5E pop esi
00401853 | . 0F94C1 sete cl
00401856 | . 5D pop ebp
00401857 | . 8BC1 mov eax, ecx
00401859 | . 5B pop ebx
0040185A | . 81C4 0C010000 add esp, 10C
00401860 \. C3 retn
004017A6 | . 8D4424 08 lea eax, dword ptr [esp + 8 ]
004017AA | . 53 push ebx
004017AB | . 55 push ebp
004017AC | . 56 push esi
004017AD | . 68 04010000 push 104 ; / BufSize = 104 ( 260 .)
004017B2 | . 50 push eax ; | PathBuffer
004017B3 | . 8BE9 mov ebp, ecx ; |
004017B5 | . 6A 00 push 0 ; | hModule = NULL
004017B7 | . FF15 18304000 call dword ptr [ <& KERNEL32.GetModuleFileNameA > ] ; \GetModuleFileNameA
004017BD | . 6A 00 push 0 ; / hTemplateFile = NULL
004017BF | . 68 80000000 push 80 ; | Attributes = NORMAL
004017C4 | . 6A 03 push 3 ; | Mode = OPEN_EXISTING
004017C6 | . 6A 00 push 0 ; | pSecurity = NULL
004017C8 | . 6A 01 push 1 ; | ShareMode = FILE_SHARE_READ
004017CA | . 8D4C24 28 lea ecx, dword ptr [esp + 28 ] ; |
004017CE | . 68 00000080 push 80000000 ; | Access = GENERIC_READ
004017D3 | . 51 push ecx ; | FileName
004017D4 | . FF15 14304000 call dword ptr [ <& KERNEL32.CreateFileA > ] ; \CreateFileA
004017DA | . 8BD8 mov ebx, eax
004017DC | . 83FB FF cmp ebx, - 1
004017DF | . 75 0C jnz short 004017ED
004017E1 | . 5E pop esi
004017E2 | . 5D pop ebp
004017E3 | . 33C0 xor eax, eax
004017E5 | . 5B pop ebx
004017E6 | . 81C4 0C010000 add esp, 10C
004017EC | . C3 retn
004017ED |> 6A 00 push 0 ; / pFileSizeHigh = NULL
004017EF | . 53 push ebx ; | hFile
004017F0 | . FF15 10304000 call dword ptr [ <& KERNEL32.GetFileSize > ] ; \GetFileSize
004017F6 | . 8BF0 mov esi, eax
004017F8 | . 83FE FF cmp esi, - 1
004017FB | . 75 0C jnz short 00401809
004017FD | . 5E pop esi
004017FE | . 5D pop ebp
004017FF | . 33C0 xor eax, eax
00401801 | . 5B pop ebx
00401802 | . 81C4 0C010000 add esp, 10C
00401808 | . C3 retn
00401809 |> 57 push edi
0040180A | . 56 push esi
0040180B | . E8 1A050000 call < jmp. & MFC42.#823_operator new >
00401810 | . 83C4 04 add esp, 4
00401813 | . 8D5424 14 lea edx, dword ptr [esp + 14 ]
00401817 | . 8BF8 mov edi, eax
00401819 | . 6A 00 push 0 ; / pOverlapped = NULL
0040181B | . 52 push edx ; | pBytesRead
0040181C | . 56 push esi ; | BytesToRead
0040181D | . 57 push edi ; | Buffer
0040181E | . 53 push ebx ; | hFile
0040181F | . FF15 0C304000 call dword ptr [ <& KERNEL32.ReadFile > ] ; \ReadFile
00401825 | . 53 push ebx ; / hObject
00401826 | . FF15 08304000 call dword ptr [ <& KERNEL32.CloseHandle > ] ; \CloseHandle
0040182C | . 8A47 3C mov al, byte ptr [edi + 3C]
0040182F | . 884424 10 mov byte ptr [esp + 10 ], al
00401833 | . 8B4424 10 mov eax, dword ptr [esp + 10 ]
00401837 | . 25 FF000000 and eax, 0FF
0040183C | . 2BF0 sub esi, eax
0040183E | . 8D0C38 lea ecx, dword ptr [eax + edi]
00401841 | . 56 push esi
00401842 | . 51 push ecx
00401843 | . 8B79 FC mov edi, dword ptr [ecx - 4 ]
00401846 | . 8BCD mov ecx, ebp
00401848 | . E8 23000000 call 00401870
0040184D | . 33C9 xor ecx, ecx
0040184F | . 3BC7 cmp eax, edi
00401851 | . 5F pop edi
00401852 | . 5E pop esi
00401853 | . 0F94C1 sete cl
00401856 | . 5D pop ebp
00401857 | . 8BC1 mov eax, ecx
00401859 | . 5B pop ebx
0040185A | . 81C4 0C010000 add esp, 10C
00401860 \. C3 retn
很典型的文件校验代码,具体校验的算法在00401848行,进去看看
代码
00401870
/
$ 81EC
00040000
sub esp,
400
00401876 | . 33C9 xor ecx, ecx
00401878 | . 8D5424 00 lea edx, dword ptr [esp]
0040187C | . 56 push esi
0040187D |> 8BC1 / mov eax, ecx
0040187F | . BE 08000000 | mov esi, 8
00401884 |> A8 01 |/ test al, 1
00401886 | . 74 09 || je short 00401891
00401888 | . D1E8 || shr eax, 1
0040188A | . 35 2083B8ED || xor eax, EDB88320
0040188F | . EB 02 || jmp short 00401893
00401891 |> D1E8 || shr eax, 1
00401893 |> 4E || dec esi
00401894 | . ^ 75 EE | \jnz short 00401884
00401896 | . 8902 | mov dword ptr [edx], eax
00401898 | . 41 | inc ecx
00401899 | . 83C2 04 | add edx, 4
0040189C | . 81F9 00010000 | cmp ecx, 100
004018A2 | . ^ 7C D9 \jl short 0040187D
004018A4 | . 8B8C24 0C0400 > mov ecx, dword ptr [esp + 40C]
004018AB | . 83C8 FF or eax, FFFFFFFF
004018AE | . 8BD1 mov edx, ecx
004018B0 | . 49 dec ecx
004018B1 | . 85D2 test edx, edx
004018B3 | . 74 27 je short 004018DC
004018B5 | . 8D71 01 lea esi, dword ptr [ecx + 1 ]
004018B8 | . 8B8C24 080400 > mov ecx, dword ptr [esp + 408 ]
004018BF | . 53 push ebx
004018C0 |> 8BD0 / mov edx, eax
004018C2 | . 33DB | xor ebx, ebx
004018C4 | . 8A19 | mov bl, byte ptr [ecx]
004018C6 | . 81E2 FF000000 | and edx, 0FF
004018CC | . 33D3 | xor edx, ebx
004018CE | . C1E8 08 | shr eax, 8
004018D1 | . 8B5494 08 | mov edx, dword ptr [esp + edx * 4 + 8 ]
004018D5 | . 33C2 | xor eax, edx
004018D7 | . 41 | inc ecx
004018D8 | . 4E | dec esi
004018D9 | . ^ 75 E5 \jnz short 004018C0
004018DB | . 5B pop ebx
004018DC |> F7D0 not eax
004018DE | . 5E pop esi
004018DF | . 81C4 00040000 add esp, 400
004018E5 \. C2 0800 retn 8
00401876 | . 33C9 xor ecx, ecx
00401878 | . 8D5424 00 lea edx, dword ptr [esp]
0040187C | . 56 push esi
0040187D |> 8BC1 / mov eax, ecx
0040187F | . BE 08000000 | mov esi, 8
00401884 |> A8 01 |/ test al, 1
00401886 | . 74 09 || je short 00401891
00401888 | . D1E8 || shr eax, 1
0040188A | . 35 2083B8ED || xor eax, EDB88320
0040188F | . EB 02 || jmp short 00401893
00401891 |> D1E8 || shr eax, 1
00401893 |> 4E || dec esi
00401894 | . ^ 75 EE | \jnz short 00401884
00401896 | . 8902 | mov dword ptr [edx], eax
00401898 | . 41 | inc ecx
00401899 | . 83C2 04 | add edx, 4
0040189C | . 81F9 00010000 | cmp ecx, 100
004018A2 | . ^ 7C D9 \jl short 0040187D
004018A4 | . 8B8C24 0C0400 > mov ecx, dword ptr [esp + 40C]
004018AB | . 83C8 FF or eax, FFFFFFFF
004018AE | . 8BD1 mov edx, ecx
004018B0 | . 49 dec ecx
004018B1 | . 85D2 test edx, edx
004018B3 | . 74 27 je short 004018DC
004018B5 | . 8D71 01 lea esi, dword ptr [ecx + 1 ]
004018B8 | . 8B8C24 080400 > mov ecx, dword ptr [esp + 408 ]
004018BF | . 53 push ebx
004018C0 |> 8BD0 / mov edx, eax
004018C2 | . 33DB | xor ebx, ebx
004018C4 | . 8A19 | mov bl, byte ptr [ecx]
004018C6 | . 81E2 FF000000 | and edx, 0FF
004018CC | . 33D3 | xor edx, ebx
004018CE | . C1E8 08 | shr eax, 8
004018D1 | . 8B5494 08 | mov edx, dword ptr [esp + edx * 4 + 8 ]
004018D5 | . 33C2 | xor eax, edx
004018D7 | . 41 | inc ecx
004018D8 | . 4E | dec esi
004018D9 | . ^ 75 E5 \jnz short 004018C0
004018DB | . 5B pop ebx
004018DC |> F7D0 not eax
004018DE | . 5E pop esi
004018DF | . 81C4 00040000 add esp, 400
004018E5 \. C2 0800 retn 8
算法没看,感兴趣的就自己研究了,以上就是反调试的一部分,把这部分去掉(具体怎么去俺就不说了,很简单:)),本以为就能调试了,但是很囧啊,还是退出了,看看crackme的输入表,发现有settimeer很奇怪,估计是他搞的鬼,那就看看settimer函数吧。crackme里settimer的调用是这个样子滴
代码
00401300
.
56
push esi
00401301 . 57 push edi
00401302 . 8BF1 mov esi, ecx
00401304 . E8 F1090000 call < jmp. & MFC42.#4710_CDialog::OnInitDialog >
00401309 . 8B46 20 mov eax, dword ptr [esi + 20 ]
0040130C . 6A 00 push 0 ; / Timerproc = NULL
0040130E . 68 F4010000 push 1F4 ; | Timeout = 500 . ms
00401313 . 6A 02 push 2 ; | TimerID = 2
00401315 . 50 push eax ; | hWnd
00401316 . FF15 F4314000 call dword ptr [ <& USER32.SetTimer > ] ; \SetTimer
0040131C . 8B4E 6C mov ecx, dword ptr [esi + 6C]
0040131F . 8B56 20 mov edx, dword ptr [esi + 20 ]
00401322 . 8B3D FC314000 mov edi, dword ptr [ <& USER32.SendMessageA > ] ; USER32.SendMessageA
00401328 . 51 push ecx ; / lParam
00401329 . 6A 01 push 1 ; | wParam = 1
0040132B . 68 80000000 push 80 ; | Message = WM_SETICON
00401330 . 52 push edx ; | hWnd
00401331 . 8946 68 mov dword ptr [esi + 68 ], eax ; |
00401334 . FFD7 call edi ; \SendMessageA
00401336 . 8B46 6C mov eax, dword ptr [esi + 6C]
00401339 . 8B4E 20 mov ecx, dword ptr [esi + 20 ]
0040133C . 50 push eax ; / lParam
0040133D . 6A 00 push 0 ; | wParam = 0
0040133F . 68 80000000 push 80 ; | Message = WM_SETICON
00401344 . 51 push ecx ; | hWnd
00401345 . FFD7 call edi ; \SendMessageA
00401347 . 5F pop edi
00401348 . B8 01000000 mov eax, 1
0040134D . 5E pop esi
0040134E . C3 retn
00401301 . 57 push edi
00401302 . 8BF1 mov esi, ecx
00401304 . E8 F1090000 call < jmp. & MFC42.#4710_CDialog::OnInitDialog >
00401309 . 8B46 20 mov eax, dword ptr [esi + 20 ]
0040130C . 6A 00 push 0 ; / Timerproc = NULL
0040130E . 68 F4010000 push 1F4 ; | Timeout = 500 . ms
00401313 . 6A 02 push 2 ; | TimerID = 2
00401315 . 50 push eax ; | hWnd
00401316 . FF15 F4314000 call dword ptr [ <& USER32.SetTimer > ] ; \SetTimer
0040131C . 8B4E 6C mov ecx, dword ptr [esi + 6C]
0040131F . 8B56 20 mov edx, dword ptr [esi + 20 ]
00401322 . 8B3D FC314000 mov edi, dword ptr [ <& USER32.SendMessageA > ] ; USER32.SendMessageA
00401328 . 51 push ecx ; / lParam
00401329 . 6A 01 push 1 ; | wParam = 1
0040132B . 68 80000000 push 80 ; | Message = WM_SETICON
00401330 . 52 push edx ; | hWnd
00401331 . 8946 68 mov dword ptr [esi + 68 ], eax ; |
00401334 . FFD7 call edi ; \SendMessageA
00401336 . 8B46 6C mov eax, dword ptr [esi + 6C]
00401339 . 8B4E 20 mov ecx, dword ptr [esi + 20 ]
0040133C . 50 push eax ; / lParam
0040133D . 6A 00 push 0 ; | wParam = 0
0040133F . 68 80000000 push 80 ; | Message = WM_SETICON
00401344 . 51 push ecx ; | hWnd
00401345 . FFD7 call edi ; \SendMessageA
00401347 . 5F pop edi
00401348 . B8 01000000 mov eax, 1
0040134D . 5E pop esi
0040134E . C3 retn
尝试把这个timer的时间间隔调到1天,ok了,程序可以调试了!还有中方法,就是找到定时器的消息响应函数,然后看看这个响应函数做了什么,没时间看,下篇日志再研究下吧:)