There have been plenty of articles lately on unpacking Armadillo 3.X, so writing another one risks being filler. But a few days ago I promised fly I would write one, and I don't want to go back on my word.
Addendum: the hidden trap (暗桩) in the save routine
Tools: OllyDBG 1.1 (Chinese localized build); LordPE; Import.Reconstructor.v1.6.Fanal.CHS
Operating system: WIN2K3
Target program: 围棋助手8.13a (Go Assistant 8.13a)
围棋助手8.13a is packed with Armadillo 3.X (standard protection plus Debug-Blocker), which is exactly the variant that cannot be unpacked with the method from Ricardo Narvaja's article. Thanks to mysqladm's in-depth article on Armadillo, unpacking it has become much easier. Please read that article first
(http://www.chat001.com/forum/crackforum/282540.html); strongly recommended!
Step 1: Find the OEP
Load the main program Go600.exe in OD, hide OD, and ignore all exceptions. Then BP OpenMutexA and F9 to run; execution breaks at the entry of OpenMutexA. Press Ctrl+G, enter 00401000, and type in the following code (mysqladm's work, thanks):
00401000 60 PUSHAD
00401001 9C PUSHFD
00401002 68 B4FB1200 PUSH 12FBB4
00401007 33C0 XOR EAX,EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 E694A677 CALL KERNEL32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012 - E9 8F9FA777 JMP KERNEL32.OpenMutexA
Set a new origin at line 00401000 and F9; execution breaks again at the entry of OpenMutexA. Seeing ERROR_SUCCESS (00000000) in the CPU window shows the code above ran successfully:
the program now treats itself as the child process. In the command line enter bp VirtualProtect and F9; execution breaks at the entry of this function. Keep pressing F9 until the stack window shows a memory address that is not in the 4XXXXXXX range:
0012C0DC 00B5DB42 /CALL 到 VirtualProtect 来自 00B5DB3C ;<-- look here
0012C0E0 00401000 |Address = Go6000.00401000
0012C0E4 0006C000 |Size = 6C000 (442368.)
0012C0E8 00000004 |NewProtect = PAGE_READWRITE
0012C0EC 0012D7FC pOldProtect = 0012D7FC
Remove all the earlier breakpoints, press Alt+M in OD to open the memory window, set a memory-access breakpoint on the program's code section starting at 00401000, and F9; execution breaks at the entry point:
00460C3C >PUSH EBP ;<-- intact entry point
00460C3D >MOV EBP,ESP
00460C3F >PUSH -1
00460C41 >PUSH Go6000.004733E8
00460C46 >PUSH Go6000.00460DA6 ; JMP to msvcrt._except_handler3
00460C4B >MOV EAX,DWORD PTR FS:[0]
00460C51 >PUSH EAX
00460C52 >MOV DWORD PTR FS:[0],ESP
00460C59 >SUB ESP,68
Use LordPE to dump the main program.
Step 2: Repair the IAT
After the dump above, open ImportREC, enter 60C3C as the entry address (OEP) and click IAT AutoSearch; it reports that the IAT starts at 46D000 with size 00000B24.
Note this address down, reload the main program and repeat the process above until, after bp VirtualProtect, a memory address outside the 4XXXXXXX range appears
and the stack shows:
0012C0DC 00B5DB42 /CALL 到 VirtualProtect 来自 00B5DB3C ;<-- look here
0012C0E0 00401000 |Address = Go6000.00401000
0012C0E4 0006C000 |Size = 6C000 (442368.)
0012C0E8 00000004 |NewProtect = PAGE_READWRITE
0012C0EC 0012D7FC pOldProtect = 0012D7FC
Press Alt+F9 to return to the main program, repeating until you land on the following code:
00B5E866 CALL DWORD PTR DS:[B6C134] ; kernel32.VirtualProtect
00B5E86C PUSH 1 ; where Alt+F9 returns to
00B5E86E POP EAX
00B5E86F TEST EAX,EAX
00B5E871 JE 00B5EBF0
00B5E877 AND WORD PTR SS:[EBP-1884],0
00B5E87F AND DWORD PTR SS:[EBP-188C],0
00B5E886 AND DWORD PTR SS:[EBP-1888],0
00B5E88D MOV EAX,DWORD PTR SS:[EBP-1378]
00B5E893 MOVSX EAX,BYTE PTR DS:[EAX]
00B5E896 TEST EAX,EAX
00B5E898 JNZ 00B5E9AA
00B5E89E MOV DWORD PTR SS:[EBP-18DC],0B479AB
00B5E8A8 MOV DWORD PTR SS:[EBP-18D8],0B478FC
00B5E8B2 MOV DWORD PTR SS:[EBP-18D4],0B4791F
00B5E8BC MOV DWORD PTR SS:[EBP-18D0],0B47932
00B5E8C6 MOV DWORD PTR SS:[EBP-18CC],0B4796F
00B5E8D0 MOV DWORD PTR SS:[EBP-18C8],0B47974
00B5E8DA MOV DWORD PTR SS:[EBP-18C4],0B47979
00B5E8E4 MOV DWORD PTR SS:[EBP-18C0],0B479E0
00B5E8EE MOV DWORD PTR SS:[EBP-18BC],0B4797E
00B5E8F8 MOV DWORD PTR SS:[EBP-18B8],0B479A4
00B5E902 MOV DWORD PTR SS:[EBP-18B4],0B479AB
00B5E90C MOV DWORD PTR SS:[EBP-18B0],0B478FC
00B5E916 MOV DWORD PTR SS:[EBP-18AC],0B4791F
00B5E920 MOV DWORD PTR SS:[EBP-18A8],0B47932
00B5E92A MOV DWORD PTR SS:[EBP-18A4],0B479D1
00B5E934 MOV DWORD PTR SS:[EBP-18A0],0B479D6
00B5E93E MOV DWORD PTR SS:[EBP-189C],0B479DB
00B5E948 MOV DWORD PTR SS:[EBP-1898],0B479E0
00B5E952 MOV DWORD PTR SS:[EBP-1894],0B4797E
00B5E95C MOV DWORD PTR SS:[EBP-1890],0B47A06
00B5E966 LEA ECX,DWORD PTR SS:[EBP-13A4]
00B5E96C CALL 00B41040
00B5E971 MOVZX EAX,AL
00B5E974 CDQ
00B5E975 PUSH 14
00B5E977 POP ECX
00B5E978 IDIV ECX
00B5E97A MOV EAX,DWORD PTR SS:[EBP-1668]
00B5E980 MOV ECX,DWORD PTR SS:[EBP+EDX*4-18DC]
00B5E987 MOV DWORD PTR DS:[EAX],ECX
00B5E989 MOV EAX,DWORD PTR SS:[EBP-1668]
00B5E98F ADD EAX,4
00B5E992 MOV DWORD PTR SS:[EBP-1668],EAX
00B5E998 MOV EAX,DWORD PTR SS:[EBP-1378]
00B5E99E INC EAX
00B5E99F MOV DWORD PTR SS:[EBP-1378],EAX
00B5E9A5 JMP 00B5EBF0
00B5E9AA MOV EAX,DWORD PTR SS:[EBP-1378]
00B5E9B0 MOVZX EAX,BYTE PTR DS:[EAX]
00B5E9B3 CMP EAX,0FF
00B5E9B8 JNZ 00B5EA48
00B5E9BE MOV EAX,DWORD PTR SS:[EBP-1378]
00B5E9C4 INC EAX
00B5E9C5 MOV DWORD PTR SS:[EBP-1378],EAX
00B5E9CB MOV EAX,DWORD PTR SS:[EBP-1378]
00B5E9D1 MOV AX,WORD PTR DS:[EAX]
00B5E9D4 MOV WORD PTR SS:[EBP-1884],AX
00B5E9DB MOV EAX,DWORD PTR SS:[EBP-1378]
00B5E9E1 INC EAX
00B5E9E2 INC EAX
00B5E9E3 MOV DWORD PTR SS:[EBP-1378],EAX
00B5E9E9 CMP DWORD PTR SS:[EBP-1654],0
00B5E9F0 JE SHORT 00B5EA43
00B5E9F2 MOV EAX,DWORD PTR SS:[EBP-1654]
00B5E9F8 MOV DWORD PTR SS:[EBP-18E0],EAX
00B5E9FE JMP SHORT 00B5EA0F
00B5EA00 MOV EAX,DWORD PTR SS:[EBP-18E0]
00B5EA06 ADD EAX,0C
00B5EA09 MOV DWORD PTR SS:[EBP-18E0],EAX
00B5EA0F MOV EAX,DWORD PTR SS:[EBP-18E0]
00B5EA15 CMP DWORD PTR DS:[EAX+8],0
00B5EA19 JE SHORT 00B5EA43
00B5EA1B MOVZX EAX,WORD PTR SS:[EBP-1884]
00B5EA22 MOV ECX,DWORD PTR SS:[EBP-18E0]
00B5EA28 MOVZX ECX,WORD PTR DS:[ECX+4]
00B5EA2C CMP EAX,ECX
00B5EA2E JNZ SHORT 00B5EA41
00B5EA30 MOV EAX,DWORD PTR SS:[EBP-18E0]
00B5EA36 MOV EAX,DWORD PTR DS:[EAX+8]
00B5EA39 MOV DWORD PTR SS:[EBP-1888],EAX
00B5EA3F JMP SHORT 00B5EA43
00B5EA41 JMP SHORT 00B5EA00
00B5EA43 JMP 00B5EAE3
00B5EA48 MOV EAX,DWORD PTR SS:[EBP-1378]
00B5EA4E MOV DWORD PTR SS:[EBP-188C],EAX
00B5EA54 PUSH 0
00B5EA56 PUSH DWORD PTR SS:[EBP-1378]
00B5EA5C CALL 00B64A80
00B5EA61 POP ECX
00B5EA62 POP ECX
00B5EA63 INC EAX
00B5EA64 MOV DWORD PTR SS:[EBP-1378],EAX
00B5EA6A CMP DWORD PTR SS:[EBP-1654],0
00B5EA71 JE SHORT 00B5EAE3
00B5EA73 MOV EAX,DWORD PTR SS:[EBP-1654]
00B5EA79 MOV DWORD PTR SS:[EBP-18E4],EAX
00B5EA7F JMP SHORT 00B5EA90
00B5EA81 MOV EAX,DWORD PTR SS:[EBP-18E4]
00B5EA87 ADD EAX,0C
00B5EA8A MOV DWORD PTR SS:[EBP-18E4],EAX
00B5EA90 MOV EAX,DWORD PTR SS:[EBP-18E4]
00B5EA96 CMP DWORD PTR DS:[EAX+8],0
00B5EA9A JE SHORT 00B5EAE3
00B5EA9C PUSH 100
00B5EAA1 LEA EAX,DWORD PTR SS:[EBP-19E4]
00B5EAA7 PUSH EAX
00B5EAA8 MOV EAX,DWORD PTR SS:[EBP-18E4]
00B5EAAE PUSH DWORD PTR DS:[EAX]
00B5EAB0 CALL 00B4509A
00B5EAB5 ADD ESP,0C
00B5EAB8 LEA EAX,DWORD PTR SS:[EBP-19E4]
00B5EABE PUSH EAX
00B5EABF PUSH DWORD PTR SS:[EBP-188C]
00B5EAC5 CALL 00B6B950
00B5EACA POP ECX
00B5EACB POP ECX
00B5EACC TEST EAX,EAX
00B5EACE JNZ SHORT 00B5EAE1
00B5EAD0 MOV EAX,DWORD PTR SS:[EBP-18E4]
00B5EAD6 MOV EAX,DWORD PTR DS:[EAX+8]
00B5EAD9 MOV DWORD PTR SS:[EBP-1888],EAX
00B5EADF JMP SHORT 00B5EAE3
00B5EAE1 JMP SHORT 00B5EA81
00B5EAE3 CMP DWORD PTR SS:[EBP-1888],0
00B5EAEA JNZ SHORT 00B5EB2B
00B5EAEC MOVZX EAX,WORD PTR SS:[EBP-1884]
00B5EAF3 TEST EAX,EAX
00B5EAF5 JE SHORT 00B5EB06
00B5EAF7 MOVZX EAX,WORD PTR SS:[EBP-1884]
00B5EAFE MOV DWORD PTR SS:[EBP-2C50],EAX
00B5EB04 JMP SHORT 00B5EB12
00B5EB06 MOV EAX,DWORD PTR SS:[EBP-188C]
00B5EB0C MOV DWORD PTR SS:[EBP-2C50],EAX
00B5EB12 PUSH DWORD PTR SS:[EBP-2C50]
00B5EB18 PUSH DWORD PTR SS:[EBP-1650]
00B5EB1E CALL 00B46EF7
00B5EB23 POP ECX
00B5EB24 POP ECX
00B5EB25 MOV DWORD PTR SS:[EBP-1888],EAX
00B5EB2B CMP DWORD PTR SS:[EBP-1888],0
00B5EB32 JNZ 00B5EBCE
00B5EB38 MOVZX EAX,WORD PTR SS:[EBP-1884]
00B5EB3F TEST EAX,EAX
00B5EB41 JE SHORT 00B5EB96
00B5EB43 CALL DWORD PTR DS:[B6C0D4] ; ntdll.RtlGetLastWin32Error
00B5EB49 CMP EAX,32
00B5EB4C JNZ SHORT 00B5EB5A
00B5EB4E MOV DWORD PTR SS:[EBP-1888],0B46EEC
00B5EB58 JMP SHORT 00B5EB94
00B5EB5A MOV EAX,DWORD PTR SS:[EBP+8]
00B5EB5D MOV EAX,DWORD PTR DS:[EAX]
00B5EB5F MOV DWORD PTR DS:[EAX],3
00B5EB65 CALL DWORD PTR DS:[B6C0D4] ; ntdll.RtlGetLastWin32Error
00B5EB6B PUSH EAX
00B5EB6C MOVZX EAX,WORD PTR SS:[EBP-1884]
00B5EB73 PUSH EAX
00B5EB74 PUSH DWORD PTR SS:[EBP-1770]
00B5EB7A PUSH 0B72120 ; ASCII "File "%s", ordinal %d (error %d)"
00B5EB7F MOV EAX,DWORD PTR SS:[EBP+8]
00B5EB82 PUSH DWORD PTR DS:[EAX+4]
00B5EB85 CALL 00B64B3C
00B5EB8A ADD ESP,14
00B5EB8D XOR EAX,EAX
00B5EB8F JMP 00B5F824
00B5EB94 JMP SHORT 00B5EBCE
00B5EB96 MOV EAX,DWORD PTR SS:[EBP+8]
00B5EB99 MOV EAX,DWORD PTR DS:[EAX]
00B5EB9B MOV DWORD PTR DS:[EAX],3
00B5EBA1 CALL DWORD PTR DS:[B6C0D4] ; ntdll.RtlGetLastWin32Error
00B5EBA7 PUSH EAX
00B5EBA8 PUSH DWORD PTR SS:[EBP-188C]
00B5EBAE PUSH DWORD PTR SS:[EBP-1770]
00B5EBB4 PUSH 0B720FC ; ASCII "File "%s", function "%s" (error %d)"
00B5EBB9 MOV EAX,DWORD PTR SS:[EBP+8]
00B5EBBC PUSH DWORD PTR DS:[EAX+4]
00B5EBBF CALL 00B64B3C
00B5EBC4 ADD ESP,14
00B5EBC7 XOR EAX,EAX
00B5EBC9 JMP 00B5F824
00B5EBCE MOV EAX,DWORD PTR SS:[EBP-1668]
00B5EBD4 MOV ECX,DWORD PTR SS:[EBP-1888]
00B5EBDA MOV DWORD PTR DS:[EAX],ECX
00B5EBDC MOV EAX,DWORD PTR SS:[EBP-1668]
00B5EBE2 ADD EAX,4
00B5EBE5 MOV DWORD PTR SS:[EBP-1668],EAX
00B5EBEB JMP 00B5E86C
This routine is where the IAT is decoded and encrypted. Finding it follows the method described above and is fairly easy, so next time you unpack this kind of protection there is no need to split the work into two passes.
Analysis shows:
00B5E980 MOV ECX,DWORD PTR SS:[EBP+EDX*4-18DC]
00B5E987 MOV DWORD PTR DS:[EAX],ECX <-- here
This address is where the import table's per-module separator entries are replaced with an encrypted address, so change the code above to:
00B5E980 XOR ECX,ECX
which restores the separator marker 00 00 00 00.
Also found:
00B5EA6A CMP DWORD PTR SS:[EBP-1654],0
00B5EA71 JE SHORT 00B5EAE3 <-- here
This address is where the import table is encrypted according to a flag; changing it to JMP is enough:
00B5EA6A CMP DWORD PTR SS:[EBP-1654],0
00B5EA71 JMP SHORT 00B5EAE3 ; <---******** change this to jmp
After the modifications, set a memory-access breakpoint on the code section in the memory window and F9; execution breaks at the entry point, and ImportREC now repairs the IAT successfully.
Step 3: Remove the hidden traps
Run the program repaired with ImportREC: it fails to start and reports an error about system memory running low. Load it in OD and press F9; the program turns out to be stuck in this infinite loop:
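To make the loop above easier to read, here is a Python model of what it does with the import name table (an added example, not Armadillo's or the author's code): the slot-table values, the hash, the stub list and the sample name table are all constructed, and because the loop's end condition lies outside the listing, the model simply stops at the end of the table.

```python
import struct

# 20 constructed "encrypted separator" values; the real loop keeps 0x14 of them
# in the locals [EBP-18DC..EBP-1890] and picks one with (AL % 0x14).
SLOT_TABLE = [0x00B47900 + 4 * i for i in range(0x14)]

def build_iat(name_table, resolve, emulated, hash_byte, patched=False):
    """IAT dwords the loop at 00B5E86C writes for one packer name table.
    name_table: 0x00 = module separator, 0xFF + u16 = ordinal, else a
                NUL-terminated name (walked through [EBP-1378]).
    resolve: name/ordinal -> real address or None.  emulated: name/ordinal
                -> packer stub (the [EBP-1654] list).  hash_byte: stands in
                for CALL 00B41040.  patched=True models the text's two edits:
                XOR ECX,ECX at 00B5E980 (separator written as 0) and JE->JMP
                at 00B5EA71 (no stub lookup for named imports; the ordinal
                lookup at 00B5E9E9 is untouched, so it stays active here).
    """
    iat, pos = [], 0
    while pos < len(name_table):
        b = name_table[pos]
        if b == 0:                                   # module separator
            iat.append(0 if patched else SLOT_TABLE[hash_byte() % 0x14])
            pos += 1
            continue
        if b == 0xFF:                                # import by ordinal
            key = struct.unpack_from("<H", name_table, pos + 1)[0]
            pos += 3
            addr = emulated.get(key)
        else:                                        # import by name
            end = name_table.index(b"\x00", pos)
            key = name_table[pos:end].decode("ascii")
            pos = end + 1
            addr = None if patched else emulated.get(key)
        if addr is None:
            addr = resolve(key)
        if addr is None:          # the 'File "%s", function "%s"' error path
            raise LookupError(key)
        iat.append(addr)
    return iat

def find_encrypted_separators(iat):
    """Indices that hold a slot-table value where a 0 separator belongs:
    exactly the entries that break ImportREC's per-module split."""
    return [i for i, v in enumerate(iat) if v in SLOT_TABLE]

# Constructed sample: two modules, one ordinal import, one emulated API.
SAMPLE = b"\x00CreateMutexA\x00OpenMutexA\x00\x00\xff\x0a\x00\x00"
REAL = {"CreateMutexA": 0x7C80A0F0, "OpenMutexA": 0x7C80B2C4, 10: 0x73D11234}
STUBS = {"OpenMutexA": 0x00B46EEC}
```

Running build_iat on SAMPLE with and without patched=True shows the same table once with fake addresses in the separator slots and a stub in place of OpenMutexA, and once with clean zeros and the real address.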
004107FE CALL EDI // verification function
00410800 TEST BL,BL
00410802 MOV EDI,EAX
00410804 JNZ SHORT dumped_.00410815 // modify this
00410806 PUSH 1F40
0041080B CALL <JMP.&mfc42.#823_??2@YAPAXI@Z> | <-- infinite loop
00410810 ADD ESP,4 |
00410813 JMP SHORT dumped_.00410806 /
Change the code above to:
00410804 Jmp SHORT dumped_.00410815
Save the change with OD and run the program again; an error appears. If OD is configured as your just-in-time debugger, clicking 'Cancel' brings up OD's debugging window, and once it has attached,
the stack window shows that the error is:
0012EC44 00446175 返回到 dumped_?00446175 来自 <JMP.&mfc42.#2642_?EnableWindow@CWnd@@QAEHH@Z>
0012EC48 00000000
In the code window press Ctrl+G, enter the address 446175, and go back into the program:
00446164 JMP SHORT dumped_?00446168
00446166 XOR ESI,ESI
00446168 PUSH 0
0044616A LEA ECX,DWORD PTR DS:[ESI+2CC]
00446170 CALL <JMP.&mfc42.#2642_?EnableWindow@CWnd@@QAEHH@Z>
00446175 PUSH 0
00446177 MOV ECX,ESI
The error comes from the call at 00446170 CALL <JMP.&mfc42.#2642_?EnableWindow@CWnd@@QAEHH@Z>. Looking further up:
00446108 PUSH 0
0044610A PUSH 186A8
0044610F LEA ECX,DWORD PTR SS:[ESP+28]
00446113 CALL <JMP.&mfc42.#5773_?Seek@CFile@@UAEJJI@Z>
00446118 LEA EDX,DWORD PTR SS:[ESP+B]
0044611C PUSH EBX
0044611D PUSH EDX
0044611E LEA ECX,DWORD PTR SS:[ESP+28]
00446122 CALL <JMP.&mfc42.#5442_?Read@CFile@@UAEIPAXI@Z>
00446127 PUSH dumped_?00480F84
0044612C LEA ECX,DWORD PTR SS:[ESP+1C]
00446130 MOV BYTE PTR SS:[ESP+54],BL
00446134 CALL <JMP.&mfc42.#537_??0CString@@QAE@PBD@Z>
00446139 MOV AL,BYTE PTR SS:[ESP+B]
0044613D MOV BYTE PTR SS:[ESP+48],3
00446142 CMP AL,9C
00446144 JE SHORT dumped_?0044618D
00446146 CMP AL,0CE
00446148 JE SHORT dumped_?0044618D
0044614A CMP AL,34
0044614C JE SHORT dumped_?0044618D
0044614E CMP AL,1C
00446150 JE SHORT dumped_?0044618D
00446152 CALL <JMP.&mfc42.#1175_?AfxGetThread@@YGPAVCWinThread@@X>
00446157 TEST EAX,EAX
00446159 JE SHORT dumped_?00446166
0044615B MOV EDX,DWORD PTR DS:[EAX]
0044615D MOV ECX,EAX
0044615F CALL DWORD PTR DS:[EDX+7C]
00446162 MOV ESI,EAX
00446164 JMP SHORT dumped_?00446168
00446166 XOR ESI,ESI
00446168 PUSH 0
0044616A LEA ECX,DWORD PTR DS:[ESI+2CC]
00446170 CALL <JMP.&mfc42.#2642_?EnableWindow@CWnd@@QAEHH@Z> <-- this call fails
00446175 PUSH 0
00446177 MOV ECX,ESI
00446179 CALL <JMP.&mfc42.#2642_?EnableWindow@CWnd@@QAEHH@Z>
0044617E PUSH 0FA0
00446183 CALL <JMP.&mfc42.#823_??2@YAPAXI@Z>
00446188 ADD ESP,4
0044618B JMP SHORT dumped_?0044617E
0044618D LEA ECX,DWORD PTR SS:[ESP+20]
00446191 CALL <JMP.&mfc42.#1979_?Close@CFile@@UAEXXZ>
00446196 LEA ECX,DWORD PTR SS:[ESP+18]
0044619A MOV BYTE PTR SS:[ESP+48],2
Analysis shows that:
00446142 CMP AL,9C
00446144 JE SHORT dumped_?0044618D
00446146 CMP AL,0CE
00446148 JE SHORT dumped_?0044618D
0044614A CMP AL,34
0044614C JE SHORT dumped_?0044618D
0044614E CMP AL,1C
00446150 JE SHORT dumped_?0044618D
all of these jump past the faulty location, so changing any one of the jumps above into an unconditional JMP is enough. Make the change, save the patched program with OD, and run it again: OK. At this point the program is unpacked and repaired successfully.
00428FA0 PUSH -1
00428FA2 MOV EAX,DWORD PTR FS:[0]
00428FA8 PUSH dumped_?004647F7
00428FAD PUSH EAX
00428FAE MOV EAX,4010
00428FB3 MOV DWORD PTR FS:[0],ESP
00428FBA CALL dumped_?00460970
00428FBF PUSH EBX
00428FC0 PUSH EBP
00428FC1 PUSH ESI
00428FC2 PUSH EDI
00428FC3 MOV ESI,ECX
00428FC5 MOV EDI,DWORD PTR DS:[ESI+40]
00428FC8 MOV DWORD PTR SS:[ESP+4028],0
00428FD3 MOV DWORD PTR SS:[ESP+1C],EDI
00428FD7 CALL DWORD PTR DS:[<&msvcrt.__p___argv>] ; MSVCRT.__p___argv
00428FDD MOV EAX,DWORD PTR DS:[EAX]
00428FDF MOV ECX,DWORD PTR DS:[EAX]
00428FE1 PUSH ECX
00428FE2 LEA ECX,DWORD PTR SS:[ESP+14]
00428FE6 CALL <JMP.&mfc42.#537_??0CString@@QAE@PB>
00428FEB MOV EDX,DWORD PTR SS:[ESP+10]
00428FEF MOV EBX,1
00428FF4 XOR ECX,ECX
00428FF6 MOV BYTE PTR SS:[ESP+4028],BL
00428FFD MOV EAX,DWORD PTR DS:[EDX-8]
00429000 TEST EAX,EAX
00429002 JLE SHORT dumped_?00429019
00429004 LEA EDX,DWORD PTR DS:[EAX+EDX-1]
00429008 CMP BYTE PTR DS:[EDX],5C
0042900B JE SHORT dumped_?00429015
0042900D INC ECX
0042900E DEC EDX
0042900F CMP ECX,EAX
00429011 JL SHORT dumped_?00429008
00429013 JMP SHORT dumped_?00429019
00429015 MOV DWORD PTR SS:[ESP+18],ECX
00429019 MOV EBP,DWORD PTR SS:[ESP+18]
0042901D LEA EDX,DWORD PTR SS:[ESP+14]
00429021 SUB EAX,EBP
00429023 LEA ECX,DWORD PTR SS:[ESP+10]
00429027 PUSH EAX
00429028 PUSH EDX
00429029 CALL <JMP.&mfc42.#4129_?Left@CString@@QB>
0042902E LEA ECX,DWORD PTR SS:[ESP+20]
00429032 MOV BYTE PTR SS:[ESP+4028],2
0042903A CALL <JMP.&mfc42.#354_??0CFile@@QAE@XZ>
0042903F MOV EAX,DWORD PTR SS:[ESP+10]
00429043 PUSH 0
00429045 PUSH 40
00429047 PUSH EAX
00429048 LEA ECX,DWORD PTR SS:[ESP+2C]
0042904C MOV BYTE PTR SS:[ESP+4034],3
00429054 CALL <JMP.&mfc42.#5186_?Open@CFile@@UAEH>
00429059 TEST EAX,EAX
0042905B JE SHORT dumped_?00429084
0042905D LEA ECX,DWORD PTR SS:[ESP+20]
00429061 CALL <JMP.&mfc42.#3318_?GetLength@CFile@>
00429066 CMP EAX,0B4000 // the verification point
0042906B JMP SHORT dumped_?0042907B // just change to jmp
0042906D PUSH 0
0042906F MOV BYTE PTR DS:[ESI+20112],BL
00429075 CALL DWORD PTR DS:[<&msvcrt.exit>] ; MSVCRT.exit
0042907B LEA ECX,DWORD PTR SS:[ESP+20]
0042907F CALL <JMP.&mfc42.#1979_?Close@CFile@@UAE>
00429084 LEA ECX,DWORD PTR SS:[ESP+20]
00429088 MOV BYTE PTR SS:[ESP+4028],2
00429090 CALL <JMP.&mfc42.#665_??1CFile@@UAE@XZ>
00429095 LEA ECX,DWORD PTR SS:[ESP+14]
00429099 MOV BYTE PTR SS:[ESP+4028],BL
004290A0 CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ>
004290A5 LEA ECX,DWORD PTR SS:[ESP+10]
004290A9 MOV BYTE PTR SS:[ESP+4028],0
004290B1 CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ>
004290B6 MOV EAX,DWORD PTR DS:[ESI+20260]
004290BC CMP EAX,3
004290BF JE SHORT dumped_?00429125
004290C1 CMP EAX,4
004290C4 JE SHORT dumped_?00429125
004290C6 MOV EAX,DWORD PTR DS:[ESI+201F8]
004290CC PUSH ECX
004290CD CMP EAX,EBX
004290CF MOV ECX,ESP
004290D1 JNZ SHORT dumped_?004290FC
004290D3 LEA EDX,DWORD PTR SS:[ESP+4034]
004290DA MOV DWORD PTR SS:[ESP+20],ESP
004290DE PUSH EDX
004290DF CALL <JMP.&mfc42.#535_??0CString@@QAE@AB>
004290E4 MOV ECX,DWORD PTR DS:[ESI+200DC]
004290EA ADD ECX,11A4
004290F0 CALL dumped_?0044C4A0
004290F5 MOV BL,AL
004290F7 JMP dumped_?00429344
Traced it a bit.
The game-record (打谱) trap:
004205F9 >CALL <JMP.&mfc42.#5773_?Seek@CFile@@UAEJ>
004205FE >LEA EAX,DWORD PTR SS:[ESP+1F]
00420602 >PUSH 1
00420604 >PUSH EAX
00420605 >LEA ECX,DWORD PTR SS:[ESP+34]
00420609 >CALL <JMP.&mfc42.#5442_?Read@CFile@@UAEI>
0042060E >MOV AL,BYTE PTR SS:[ESP+1F]
00420612 >CMP AL,0E4
00420614 >JE SHORT dumped_?0042065C
00420616 >CMP AL,45
00420618 >JE SHORT dumped_?0042065C
0042061A >CMP AL,90
0042061C >JE SHORT dumped_?0042065C <-- change to jmp
0042061E >MOV BYTE PTR DS:[ESI+20112],1
00420625 >MOV BL,0C
00420627 >PUSH dumped_?00480988 ; ASCII "500"
0042062C >LEA ECX,DWORD PTR SS:[ESP+24]
00420630 >CALL <JMP.&mfc42.#537_??0CString@@QAE@PB>
00420635 >PUSH 0FA0
0042063A >MOV BYTE PTR SS:[ESP+FC],BL
00420641 >CALL <JMP.&mfc42.#823_??2@YAPAXI@Z>
00420646 >ADD ESP,4
00420649 >LEA ECX,DWORD PTR SS:[ESP+20]
0042064D >MOV BYTE PTR SS:[ESP+F8],0B
00420655 >CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ>
0042065A ^>JMP SHORT dumped_?00420627 <-- this infinite loop
0042065C >LEA ECX,DWORD PTR SS:[ESP+2C]
00420660 >CALL <JMP.&mfc42.#1979_?Close@CFile@@UAE>
00420665 >LEA ECX,DWORD PTR SS:[ESP+2C]
00420669 >MOV BYTE PTR SS:[ESP+F8],0A
00420671 >CALL <JMP.&mfc42.#665_??1CFile@@UAE@XZ>
00420676 >LEA ECX,DWORD PTR SS:[ESP+14]
0042067A >MOV BYTE PTR SS:[ESP+F8],9
00420682 >CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ>
00420687 >LEA ECX,DWORD PTR SS:[ESP+10]
0042068B >MOV DWORD PTR SS:[ESP+F8],-1
00420696 >CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ>
0042069B >LEA ECX,DWORD PTR SS:[ESP+24]
0042069F >CALL <JMP.&mfc42.#540_??0CString@@QAE@XZ>
004206A4 >PUSH 0F907
004206A9 >LEA ECX,DWORD PTR SS:[ESP+28]
004206AD >MOV DWORD PTR SS:[ESP+FC],0D
004206B8 >CALL <JMP.&mfc42.#4160_?LoadStringA@CStr>
004206BD >MOV ECX,DWORD PTR SS:[ESP+24]
004206C1 >PUSH ECX
004206C2 >MOV ECX,DWORD PTR SS:[ESP+1C]
004206C6 >CALL <JMP.&mfc42.#6199_?SetWindowTextA@C>
004206CB >MOV ECX,DWORD PTR SS:[ESP+28]
004206CF >PUSH EDI
004206D0 >MOV EDX,DWORD PTR DS:[ECX]
004206D2 >CALL DWORD PTR DS:[EDX+64]
004206D5 >LEA ECX,DWORD PTR SS:[ESP+24]
004206D9 >MOV DWORD PTR SS:[ESP+F8],-1
004206E4 >CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ>
004206E9 >MOV ECX,DWORD PTR SS:[ESP+F0]
004206F0 >POP EDI
004206F1 >POP ESI
004206F2 >POP EBP
004206F3 >POP EBX
004206F4 >MOV DWORD PTR FS:[0],ECX
004206FB >ADD ESP,0EC
00420701 >RETN 4
fxyang[OCN][BCG][FCG]
2004.3.14