(1) 查找字符串
IOLI-crackme程序下载
以下通过ODbgScript脚本来找到密码并修改程序。
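;Patch strcmp's return value (eax) so the comparison reports "equal".
;Usage: reset the debuggee first (Ctrl+F2), then run this script.
;Numeric literals are hexadecimal (ODbgScript default).
var start          ;entry point of the module containing eip
var addr_pass      ;address of the expected password string
var pass           ;the password string read from addr_pass
var strcmp         ;address of the "call <jmp.&msvcrt.strcmp>" instruction
lclr               ;clear the log window
gmi eip,entry      ;$RESULT = module entry point
mov start,$RESULT
eval "entry = {start}"
log $RESULT
;"Password OK" as hex bytes (rax2 -S "Password OK")
findmem #50617373776f7264204f4b#,start
cmp $RESULT,0
je not_found       ;findmem leaves $RESULT = 0 when the pattern is absent
;In this binary the expected password sits 1a bytes before "Password OK"
;(00404027 vs 00404041); the offset is layout-specific and must be
;re-derived for any other build.
sub $RESULT,1a
mov addr_pass,$RESULT
gstr addr_pass     ;$RESULT = string at addr_pass
mov pass,$RESULT
log pass
;00401373  E8 98190000  call <jmp.&msvcrt.strcmp>
;The pattern embeds the call's relative displacement, so it only
;matches this exact binary; the search fails silently on any other.
findop start,#E898190000#
cmp $RESULT,0
je not_found
mov strcmp,$RESULT
eval "strcmp = {$RESULT}"
log $RESULT
bp strcmp
esto               ;run until the breakpoint on the call
sto                ;step over the call; eax now holds strcmp's result
log eip
log eax
mov eax,0          ;force the "strings equal" result
bc strcmp          ;clear the breakpoint so later strcmp calls are not interrupted
esto
ret
not_found:
log "pattern not found - check the search patterns against this binary"
ret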
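;Patch the conditional jump after strcmp (je -> jmp) so the
;"Password OK" path is always taken.
;Numeric literals are hexadecimal (ODbgScript default).
var start          ;entry point of the module containing eip
var strcmp         ;address of the "call <jmp.&msvcrt.strcmp>" instruction
var jump           ;address of the je that follows the call
lclr               ;clear the log window
gmi eip,entry      ;$RESULT = module entry point
mov start,$RESULT
eval "entry = {start}"
log $RESULT
;00401373  E8 98190000  call <jmp.&msvcrt.strcmp>
;The pattern embeds the call's relative displacement, so it only
;matches this exact binary; the search fails silently on any other.
findop start,#E898190000#
cmp $RESULT,0
je not_found       ;findop leaves $RESULT = 0 when nothing matches
mov strcmp,$RESULT
bp strcmp          ;breakpoint stays set so the patched site can be inspected on the next run
mov jump,strcmp
add jump,7         ;call (5 bytes) + "test eax,eax" (2 bytes) -> je sits at call+7
log jump
;0040137A  74 0E  je short 0040138A   ->   EB 0E  jmp short 0040138A
;repl only rewrites bytes that match 74 0E; if the byte layout differs
;nothing is changed, so verify the patch in the disassembly window.
repl jump,#740E#,#EB0E#,2
ret
not_found:
log "strcmp call not found - check the opcode pattern against this binary"
ret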
(2) msvcrt.strcmp
调用strcmp
00401368 |. C74424 04 274>mov dword ptr [esp+4], 00404027 ; ||ASCII "250382"
00401370 |. 890424 mov dword ptr [esp], eax ; ||
00401373 >|. E8 98190000 call <jmp.&msvcrt.strcmp> ; |\strcmp
00401378 |. 85C0 test eax, eax ; |
0040137A 74 0E je short 0040138A
;strcmp
77089B40 > 8B5424 04 mov edx, dword ptr [esp+4]
77089B44 8B4C24 08 mov ecx, dword ptr [esp+8]
77089B48 F7C2 03000000 test edx, 3
...
77089B82 C3 retn
调用strcmp前的参数来源(按[esp]地址大小) strcmp(eax,pstr)
调用strcmp时(进入函数后)的参数来源 strcmp(edx,ecx)
调用strcmp返回值 eax = ffffffff(-1),0,1
(3) strcmp源码跟踪
调试源码 : microsoft doc
// crt_strcmp.c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
// Two test strings that differ only in the case of "quick" / "QUICK".
char string1[] = "The quick brown dog jumps over the lazy fox";
char string2[] = "The QUICK brown dog jumps over the lazy fox";
int main( void )
{
char tmp[20];