首先打开
发现这是一个CD-check的题目
这里推荐一下《加密与解密 第三版》的5.7节CD-Check还有一个博客
CD-check
大家可以参考
之后PEID查,没有壳,C++程序,CD-Check我们只能够通过爆破:
OD运行:
接下来大致分成三种找到关键位置的方式:
1.正常运行:F9之后弹出对话框,我们点击Check for CD之后,弹出错误对话框,不点击确定,直接F12暂停程序之Alt+K找对话框的函数调用(这是弹出错误对话框类型的处理方式)
找到函数调用的部分,show call过去
2.既然是一个CD-Check那么我们就去找关键函数呗,GetDirvertypeA是获取磁盘驱动器类型的关键函数
OD之后,Crtl+N 查找所有调用函数模块
查看调用树,找到调用位置
反汇编窗口跟随过去即可
3.最简单使用的,直接找参考文本字符串
失败的成功一起找到,很简单
之后找到关键位置,找跳转语句就很轻松了
0040138C /0F84 F3000000 je Cosh_1.00401485 ; 跳转语句
00401392 > |FF45 EC inc dword ptr ss:[ebp-0x14]
00401395 . |83C7 04 add edi,0x4
00401398 . |837D EC 07 cmp dword ptr ss:[ebp-0x14],0x7
0040139C .^|75 9F jnz short Cosh_1.0040133D
0040139E . |53 push ebx
0040139F . |68 4C304000 push Cosh_1.0040304C ; ASCII "Try again"
004013A4 . |68 40304000 push Cosh_1.00403040 ; ASCII "You lost"
004013A9 > |8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
004013AC . |E8 D1020000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224>
004013B1 . |8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004013B4 . |C645 FC 0E mov byte ptr ss:[ebp-0x4],0xE
004013B8 . |E8 DD020000 call <jmp.&MFC42.#CString::~CString_800>
004013BD . |56 push esi ; Cosh_1.<ModuleEntryPoint>
004013BE . |6A 01 push 0x1
004013C0 . |8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004013C3 . |6A 04 push 0x4
004013C5 . |50 push eax
004013C6 . |C645 FC 0D mov byte ptr ss:[ebp-0x4],0xD
004013CA . |E8 27030000 call Cosh_1.004016F6
004013CF . |8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004013D2 . |C645 FC 0C mov byte ptr ss:[ebp-0x4],0xC
004013D6 . |E8 BF020000 call <jmp.&MFC42.#CString::~CString_800>
004013DB . |8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004013DE . |C645 FC 0B mov byte ptr ss:[ebp-0x4],0xB
004013E2 . |E8 B3020000 call <jmp.&MFC42.#CString::~CString_800>
004013E7 . |8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
004013EA . |C645 FC 0A mov byte ptr ss:[ebp-0x4],0xA
004013EE . |E8 A7020000 call <jmp.&MFC42.#CString::~CString_800>
004013F3 . |8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
004013F6 . |C645 FC 09 mov byte ptr ss:[ebp-0x4],0x9
004013FA . |E8 9B020000 call <jmp.&MFC42.#CString::~CString_800>
004013FF . |8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00401402 . |C645 FC 08 mov byte ptr ss:[ebp-0x4],0x8
00401406 . |E8 8F020000 call <jmp.&MFC42.#CString::~CString_800>
0040140B . |8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
0040140E . |C645 FC 07 mov byte ptr ss:[ebp-0x4],0x7
00401412 . |E8 83020000 call <jmp.&MFC42.#CString::~CString_800>
00401417 . |8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
0040141A . |C645 FC 06 mov byte ptr ss:[ebp-0x4],0x6
0040141E . |E8 77020000 call <jmp.&MFC42.#CString::~CString_800>
00401423 . |8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
00401426 . |C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
0040142A . |E8 6B020000 call <jmp.&MFC42.#CString::~CString_800>
0040142F . |8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
00401432 . |C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
00401436 . |E8 5F020000 call <jmp.&MFC42.#CString::~CString_800>
0040143B . |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0040143E . |C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
00401442 . |E8 53020000 call <jmp.&MFC42.#CString::~CString_800>
00401447 . |8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
0040144A . |C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
0040144E . |E8 47020000 call <jmp.&MFC42.#CString::~CString_800>
00401453 . |8D4D AC lea ecx,dword ptr ss:[ebp-0x54]
00401456 . |C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
0040145A . |E8 3B020000 call <jmp.&MFC42.#CString::~CString_800>
0040145F . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401462 . |885D FC mov byte ptr ss:[ebp-0x4],bl
00401465 . |E8 30020000 call <jmp.&MFC42.#CString::~CString_800>
0040146A . |834D FC FF or dword ptr ss:[ebp-0x4],-0x1
0040146E . |8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00401471 . |E8 24020000 call <jmp.&MFC42.#CString::~CString_800>
00401476 . |8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
00401479 . |5F pop edi ; kernel32.740738F4
0040147A . |5E pop esi ; kernel32.740738F4
0040147B . |5B pop ebx ; kernel32.740738F4
0040147C . |64:890D 00000>mov dword ptr fs:[0],ecx ; Cosh_1.<ModuleEntryPoint>
00401483 . |C9 leave
00401484 . |C3 retn
00401485 > \53 push ebx
00401486 . 68 34304000 push Cosh_1.00403034 ; ASCII "You did it"
0040148B . 68 20304000 push Cosh_1.00403020 ; ASCII "Well done, Cracker"
00401490 .^ E9 14FFFFFF jmp Cosh_1.004013A9
爆破,更改
0040138C /0F84 F3000000 je Cosh_1.00401485 ; 跳转语句
无脑跳转
0040138C /E9 F4000000 jmp Cosh_1.00401485 ; 跳转语句
00401391 |90 nop
dump下来成一个新文件
成功.
向上看一下这个CD-Check的过程:
使用Creatflie()函数从C盘符查找到P盘符,看看有没有
CD_CHECK.DAT这个文件,如果有就打开,但是明显我们没有,所以就失败了。