0x06 aLoNg3x_1
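This is another Delphi program. Opening it in DeDe reveals several important event handlers; set a breakpoint on each one and analyze the logic the function executes.
The window control information can be seen in Resource Hacker:
At 00442E22 there is a cmp; after changing the path taken by the jump that follows it, the OK button became usable: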
00442E22 | 8078 47 00 | cmp byte ptr ds:[eax+47],0 |
00442E26 | 75 0F | jne along3x.1.442E37 |
00442E28 | B2 01 | mov dl,1 |
00442E2A | 8B83 CC020000 | mov eax,dword ptr ds:[ebx+2CC] |
00442E30 | 8B08 | mov ecx,dword ptr ds:[eax] |
00442E32 | FF51 60 | call dword ptr ds:[ecx+60] |
In the OK button's handler, after patching out the two jump instructions, the button disappears:
00442D80 | 8078 47 01 | cmp byte ptr ds:[eax+47],1 |
00442D84 | 75 12 | jne along3x.1.442D98 |
00442D86 | BA 002E4400 | mov edx,along3x.1.442E00 |
00442D8B | 8B83 E0020000 | mov eax,dword ptr ds:[ebx+2E0] |
00442D91 | E8 5A05FEFF | call along3x.1.4232F0 |
00442D96 | EB 3F | jmp along3x.1.442DD7 |
00442D98 | 8D55 FC | lea edx,dword ptr ss:[ebp-4] |
00442D9B | 8B83 E0020000 | mov eax,dword ptr ds:[ebx+2E0] |
00442DA1 | E8 1A05FEFF | call along3x.1.4232C0 |
00442DA6 | 8B45 FC | mov eax,dword ptr ss:[ebp-4] |
00442DA9 | E8 C248FCFF | call along3x.1.407670 |
00442DAE | 50 | push eax |
00442DAF | 8D55 FC | lea edx,dword ptr ss:[ebp-4] |
00442DB2 | 8B83 DC020000 | mov eax,dword ptr ds:[ebx+2DC] |
00442DB8 | E8 0305FEFF | call along3x.1.4232C0 |
00442DBD | 8B45 FC | mov eax,dword ptr ss:[ebp-4] |
00442DC0 | 5A | pop edx |
00442DC1 | E8 DAFDFFFF | call along3x.1.442BA0 |
00442DC6 | 84C0 | test al,al |
00442DC8 | 74 0D | je along3x.1.442DD7 |
00442DCA | 33D2 | xor edx,edx |
00442DCC | 8B83 CC020000 | mov eax,dword ptr ds:[ebx+2CC] |
00442DD2 | E8 D903FEFF | call along3x.1.4231B0 |
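As an added example (not part of the original write-up), the relative branch targets in the OK-handler listing above can be recomputed from the raw bytes. The sketch parses the address | bytes | mnemonic rows and checks each jne/je/jmp/call destination against the one the debugger shows; the function names are assumptions of this example.

```python
import re
import struct

# Rows copied from the OK-button handler listing on this page.
LISTING = """\
00442D84 | 75 12 | jne along3x.1.442D98 |
00442D91 | E8 5A05FEFF | call along3x.1.4232F0 |
00442D96 | EB 3F | jmp along3x.1.442DD7 |
00442DA9 | E8 C248FCFF | call along3x.1.407670 |
00442DC1 | E8 DAFDFFFF | call along3x.1.442BA0 |
00442DC6 | 84C0 | test al,al |
00442DC8 | 74 0D | je along3x.1.442DD7 |
"""

REL8 = {0x74, 0x75, 0xEB}    # je, jne, jmp short: opcode + signed 8-bit offset
REL32 = {0xE8, 0xE9}         # call, jmp near: opcode + signed 32-bit LE offset

def branch_target(addr, raw):
    """Return the absolute target of a relative branch, or None otherwise."""
    op = raw[0]
    if op in REL8 and len(raw) == 2:
        (rel,) = struct.unpack("<b", raw[1:])
    elif op in REL32 and len(raw) == 5:
        (rel,) = struct.unpack("<i", raw[1:])
    else:
        return None
    # Offsets are relative to the address of the *next* instruction.
    return (addr + len(raw) + rel) & 0xFFFFFFFF

def check_listing(text):
    """Return (address, computed target, target shown) for each relative branch."""
    results = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 3:
            continue
        addr = int(cols[0], 16)
        raw = bytes.fromhex(cols[1].replace(" ", ""))
        target = branch_target(addr, raw)
        if target is None:
            continue
        shown = re.search(r"\.([0-9A-Fa-f]+)$", cols[2])
        results.append((addr, target, int(shown.group(1), 16) if shown else None))
    return results

if __name__ == "__main__":
    for addr, target, shown in check_listing(LISTING):
        print(f"{addr:08X} -> {target:08X} (listing: {shown:08X})")
```

Both conditional jumps in this handler (00442D84 and 00442DC8) are two-byte short branches, so the one-byte offset after the opcode is all that decides where they land.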
Similarly, the handler for the Cancella button contains the following logic:
00442EE7 | E8 08FCFFFF | call along3x.1.442AF4 |
00442EEC | 84C0 | test al,al |
00442EEE | 74 1C | je along3x.1.4