Original behaviour of the program
On the first run it is not yet clear how the program needs to be cracked, but we can infer that it involves changing the message content. Next, attach the program in OD.
Attaching with OD
- Select the program and right-click "Open with OllyICE" (or open OD and choose Open File from inside it).
Here is an explanation of the assembly listing that follows.
abex' crackme #1 is written in assembly, so the code at the EP (entry point) is very short.
```asm
// MessageBox API
// MessageBox(NULL, "Make me think your HD is a CD-Rom.", "abex' 1st crackme", MB_OK|MB_APPLMODAL)
00401000 >/$ 6A 00          PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
00401002 |. 68 00204000     PUSH abexcm1-.00402000                  ; |Title = "abex' 1st crackme"
00401007 |. 68 12204000     PUSH abexcm1-.00402012                  ; |Text = "Make me think your HD is a CD-Rom."
0040100C |. 6A 00           PUSH 0                                  ; |hOwner = NULL
// call MessageBoxA
0040100E |. E8 4E000000     CALL <JMP.&USER32.MessageBoxA>          ; \MessageBoxA
00401013 |. 68 94204000     PUSH abexcm1-.00402094                  ; /RootPathName = "c:\\"
00401018 |. E8 38000000     CALL <JMP.&KERNEL32.GetDriveTypeA>      ; \GetDriveTypeA
0040101D |. 46              INC ESI                                 ; ESI++
0040101E |. 48              DEC EAX                                 ; EAX--
// meaningless jump, junk code
0040101F |. EB 00           JMP SHORT abexcm1-.00401021
00401021 |> 46              INC ESI
00401022 |. 46              INC ESI
00401023 |. 48              DEC EAX
00401024 |. 3BC6            CMP EAX,ESI
00401026 |. 74 15           JE SHORT abexcm1-.0040103D
// MessageBox API
// MessageBox(NULL, "Nah... This is not a CD-ROM Drive!", "Error", MB_OK|MB_APPLMODAL)
00401028 |. 6A 00           PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
0040102A |. 68 35204000     PUSH abexcm1-.00402035                  ; |Title = "Error"
0040102F |. 68 3B204000     PUSH abexcm1-.0040203B                  ; |Text = "Nah... This is not a CD-ROM Drive!"
00401034 |. 6A 00           PUSH 0                                  ; |hOwner = NULL
00401036 |. E8 26000000     CALL <JMP.&USER32.MessageBoxA>          ; \MessageBoxA
0040103B |. EB 13           JMP SHORT abexcm1-.0040105
// MessageBox API
// MessageBox(NULL, "Ok, I really think that your HD is a CD-ROM! :p", "YEAH!", MB_OK|MB_APPLMODAL)
0040103D |> 6A 00           PUSH 0                                  ; |/Style = MB_OK|MB_APPLMODAL
0040103F |. 68 5E204000     PUSH abexcm1-.0040205E                  ; ||Title = "YEAH!"
00401044 |. 68 64204000     PUSH abexcm1-.00402064                  ; ||Text = "Ok, I really think that your HD is a CD-ROM! :p"
00401049 |. 6A 00           PUSH 0                                  ; ||hOwner = NULL
0040104B |. E8 11000000     CALL <JMP.&USER32.MessageBoxA>          ; |\MessageBoxA
// exit the process
00401050 \> E8 06000000     CALL <JMP.&KERNEL32.ExitProcess>        ; \ExitProces
```
- Assembly instructions involved

| Instruction | Meaning |
| --- | --- |
| PUSH | Push onto the stack |
| CALL | Call a function |
| INC | Increment by 1 |
| DEC | Decrement by 1 |
| JMP | Jump to the specified location |
| CMP | Compare the operands (if the two operands are equal, the SUB result is 0 and ZF is set to 1) |
| JE | Conditional jump (Jump if Equal): jumps if ZF is 1 |
Analysis
Looking at the code, there are three calls to the MessageBox API, but the unmodified program only calls the first two of them.
Because the condition is not satisfied, the MessageBox titled "YEAH!" is never called, so it is easy to conclude that the goal of the exercise is to make the program display that MessageBox:
```asm
0040103D |> \6A 00          PUSH 0                                  ; |/Style = MB_OK|MB_APPLMODAL
0040103F |. 68 5E204000     PUSH abexcm1-.0040205E                  ; ||Title = "YEAH!"
00401044 |. 68 64204000     PUSH abexcm1-.00402064                  ; ||Text = "Ok, I really think that your HD is a CD-ROM! :p"
00401049 |. 6A 00           PUSH 0                                  ; ||hOwner = NULL
0040104B |. E8 11000000     CALL <JMP.&USER32.MessageBoxA>          ; |\MessageBoxA
```
Cracking
- Method 1:
  Ignore the result of the comparison and jump directly to 0x0040103D to continue execution.
  Change the instruction at 0x00401026 to: 00401026 /EB 15 JMP SHORT abexcm1-.0040103
- Method 2:
  Change the jump condition so that the jump is taken when the result is false (not equal).
  Change the instruction at 0x00401026 to: 00401026 /75 15 JNZ SHORT abexcm1-.0040103D
- Method 3:
  Change the compare instruction to: 00401024 3BC0 CMP EAX,EAX
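To make the analysis concrete, the following C program emulates the register arithmetic between 0040101D and 00401026 and the effect of each of the three patches on the branch to the "YEAH!" MessageBox. It is an added example, not code from the crackme or from the original post. It assumes the `GetDriveTypeA` return values from winbase.h (`DRIVE_FIXED` = 3, `DRIVE_CDROM` = 5, redefined here so it builds without the Windows SDK), that ESI is 0 at the entry point (the assumption the crackme itself relies on), and the function and enum names `reaches_yeah`, `required_drive_type` and `patch_kind` are hypothetical. It shows why the unpatched program only succeeds when drive C: reports itself as a CD-ROM, and why method 2 (JNZ) makes a real CD-ROM drive fail.

```c
#include <stdint.h>
#include <stdio.h>

/* Return values of GetDriveTypeA (same numeric values as winbase.h);
   defined here so the example builds without the Windows SDK. */
enum { DRIVE_UNKNOWN = 0, DRIVE_NO_ROOT_DIR = 1, DRIVE_REMOVABLE = 2,
       DRIVE_FIXED = 3, DRIVE_REMOTE = 4, DRIVE_CDROM = 5, DRIVE_RAMDISK = 6 };

/* Which patch from the "Cracking" section is applied (hypothetical names). */
enum patch_kind {
    PATCH_NONE,         /* unmodified program: JE at 00401026            */
    PATCH_JMP,          /* method 1: 00401026 becomes JMP SHORT 0040103D */
    PATCH_JNZ,          /* method 2: 00401026 becomes JNZ SHORT 0040103D */
    PATCH_CMP_EAX_EAX   /* method 3: 00401024 becomes CMP EAX,EAX        */
};

/* Emulate 0040101D..00401026. eax holds the value GetDriveTypeA("c:\\")
   returned, esi holds whatever ESI contained at the entry point.
   Returns 1 if execution reaches the "YEAH!" MessageBox at 0040103D. */
int reaches_yeah(uint32_t drive_type, uint32_t esi_at_entry, enum patch_kind patch)
{
    uint32_t eax = drive_type;
    uint32_t esi = esi_at_entry;
    int zf;

    esi++;              /* 0040101D INC ESI */
    eax--;              /* 0040101E DEC EAX */
                        /* 0040101F JMP SHORT 00401021: no register effect */
    esi++;              /* 00401021 INC ESI */
    esi++;              /* 00401022 INC ESI */
    eax--;              /* 00401023 DEC EAX */

    if (patch == PATCH_CMP_EAX_EAX)
        zf = 1;                 /* CMP EAX,EAX always yields ZF = 1 */
    else
        zf = (eax == esi);      /* 00401024 CMP EAX,ESI */

    switch (patch) {
    case PATCH_JMP: return 1;   /* unconditional jump, comparison ignored */
    case PATCH_JNZ: return !zf; /* jump taken when operands differ */
    default:        return zf;  /* JE: jump taken when operands are equal */
    }
}

/* The value GetDriveTypeA must return for the unpatched program to succeed:
   after the arithmetic, eax - 2 == esi + 3, i.e. eax == esi + 5. */
uint32_t required_drive_type(uint32_t esi_at_entry)
{
    return esi_at_entry + 5;
}

int main(void)
{
    static const char *names[] = { "original", "JMP", "JNZ", "CMP EAX,EAX" };
    printf("required drive type with ESI=0: %u (DRIVE_CDROM=%d)\n",
           required_drive_type(0), DRIVE_CDROM);
    for (int p = PATCH_NONE; p <= PATCH_CMP_EAX_EAX; p++)
        printf("%-12s fixed disk -> %s, CD-ROM -> %s\n", names[p],
               reaches_yeah(DRIVE_FIXED, 0, p) ? "YEAH!" : "Error",
               reaches_yeah(DRIVE_CDROM, 0, p) ? "YEAH!" : "Error");
    return 0;
}
```

Running it shows that the only `GetDriveTypeA` result the unmodified check accepts is 5 (`DRIVE_CDROM`), which is exactly what the message text asks for; methods 1 and 3 make every drive type pass, while method 2 merely inverts the test.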