Solutions for Two Anti-W32dasm Programs (about 3,000 characters)
Tags: ANTI, anti-tracing techniques
Posted 2008-06-23 (Monday) 14:23

Solutions for Two Anti-W32dasm Programs
Author: 小牧童 [CCG]
Copyright: CCG. Keep the article intact when reposting.
Difficulty: easy

Program 1: http://www.my169.com/~zxhxmz/porciins.exe
Program 2: EasyPaper (轻松试卷), the program the poster above wanted solved: http://www.shijun.com/easypaper/cn/download/eps404.zip

Symptom: when either program is opened in W32dasm, W32dasm stops responding and can only be killed with Ctrl+Alt+Del.

Idea: if W32dasm stops responding, it has presumably entered an infinite loop somewhere. Heh, 小牧童 is just the sort to burrow into a dead end ^_^! Once the idea is there, the ANTI feature naturally unravels.

Method:

Program 1:
Run W32dasm and open animal.exe for disassembly; W32dasm enters its infinite loop. Press Ctrl+D to drop into SoftICE, then press F12 twice to arrive here:

:0046149F E8DCDB0400 call 004AF080
:004614A4 83C408 add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00461494(C)
|
:004614A7 8A9C35E9FDFFFF mov bl, byte ptr [ebp+esi-00000217]
:004614AE 80FB2F cmp bl, 2F
:004614B1 7615 jbe 004614C8
:004614B3 80FB3A cmp bl, 3A
:004614B6 7310 jnb 004614C8
:004614B8 889D0CF6FFFF mov byte ptr [ebp+FFFFF60C], bl
:004614BE C6850DF6FFFF00 mov byte ptr [ebp+FFFFF60D], 00
:004614C5 83C602 add esi, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004614B1(C), :004614B6(C)
|
:004614C8 8D850CF6FFFF lea eax, dword ptr [ebp+FFFFF60C]
:004614CE 50 push eax
:004614CF E8EC9D0400 call 004AB2C0
:004614D4 59 pop ecx
:004614D5 8945F4 mov dword ptr [ebp-0C], eax
:004614D8 33D2 xor edx, edx
:004614DA 8955F8 mov dword ptr [ebp-08], edx
:004614DD 8B4DF8 mov ecx, dword ptr [ebp-08]
:004614E0 8B45F4 mov eax, dword ptr [ebp-0C]
:004614E3 3BC8 cmp ecx, eax
:004614E5 0F83B6FDFFFF jae 004612a1 //change this to 909090909090 to break out of the infinite loop
:004614E6 90 nop
:004614E7 90 nop
:004614E8 90 nop
:004614E9 90 nop
:004614EA 90 nop

Program 2:
Run W32dasm and open easypaper.exe for disassembly; W32dasm enters its infinite loop. Press Ctrl+D to drop into SoftICE, then press F12 twice to arrive here:

:0046151B E8BCD60400 call KERNEL32!lstrcat //after pressing F12 twice you land here
:00461520 FF45F8 inc [ebp-08]
:00461523 8B4DF8 mov ecx, dword ptr [ebp-08]
:00461526 8B45F4 mov eax, dword ptr [ebp-0C]
:00461529 3BC8 cmp ecx, eax
:0046152B 72BE jb 004614EB //change this to 9090
:0046152D E96FFDFFFF jmp 004612A1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046121D(C)
|
:00461532 8B957CFFFFFF mov edx, dword ptr [ebp+FFFFFF7C]
:00461538 85D2 test edx, edx
:0046153A 7411 je 0046154D

With the comparison at 0046152B disabled, follow the jmp at 0046152D down to here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046152D(U)
|
:004612A1 C7857CFFFFFF01000000 mov dword ptr [ebp+FFFFFF7C], 00000001
:004612AB 8B8D78FFFFFF mov ecx, dword ptr [ebp+FFFFFF78]
:004612B1 85C9 test ecx, ecx
:004612B3 7410 je 004612C5
:004612B5 33C0 xor eax, eax
:004612B7 89857CFFFFFF mov dword ptr [ebp+FFFFFF7C], eax
:004612BD 33D2 xor edx, edx
:004612BF 899578FFFFFF mov dword ptr [ebp+FFFFFF78], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004612B3(C)
|
:004612C5 84DB test bl, bl
:004612C7 0F85D9FEFFFF jne 004611A6 //change this to 909090909090 (the jne is six bytes long) to break out of the infinite loop
:004612CD 6A01 push 00000001
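The post applies its NOP patches live in SoftICE, so they are lost when W32dasm exits. As an added example that is not part of the post or the author's tooling, the Python script below applies the same three patches to a copy of the W32dasm executable on disk: it translates the SoftICE virtual addresses to file offsets through the PE section table and refuses to write unless the original jump bytes quoted in the listings are found there. It assumes the quoted addresses belong to W32dasm's own PE32 image (the hung process); build_sample_pe() is a constructed stand-in for testing, not the real W32dasm file.

```python
import struct

# Jumps the post NOPs out: (virtual address, original encoding, NOP fill of the same length).
PATCHES = [
    (0x004614E5, bytes.fromhex("0F83B6FDFFFF"), b"\x90" * 6),  # jae 004612A1 (program 1)
    (0x0046152B, bytes.fromhex("72BE"), b"\x90" * 2),          # jb  004614EB (program 2)
    (0x004612C7, bytes.fromhex("0F85D9FEFFFF"), b"\x90" * 6),  # jne 004611A6 (program 2)
]

def parse_pe(data):
    """Return (ImageBase, sections); each section is (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew -> "PE\0\0" signature
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    image_base = struct.unpack_from("<I", data, pe + 24 + 28)[0]  # ImageBase field of the PE32 optional header
    secs = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8) for i in range(nsec)]
    return image_base, secs

def va_to_offset(va, image_base, secs):
    """Translate a virtual address seen in SoftICE into a file offset via the section table."""
    rva = va - image_base
    for vsize, vaddr, rsize, rptr in secs:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError("VA %#x is not inside any section" % va)

def apply_patches(data, patches=PATCHES):
    """Return a patched copy; refuse to write if the bytes on disk are not the expected originals."""
    out = bytearray(data)
    image_base, secs = parse_pe(out)
    for va, orig, new in patches:
        off = va_to_offset(va, image_base, secs)
        if out[off:off + len(orig)] != orig:
            raise ValueError("unexpected bytes at %#x: different build or already patched" % va)
        out[off:off + len(new)] = new
    return bytes(out)

def build_sample_pe():
    """Constructed stand-in for W32dasm (not the real file): ImageBase 0x400000, one .text section at RVA 0x1000, file offset 0x400."""
    pe, opt, hdr = 0x80, 0x80 + 24, bytearray(0x400)
    hdr[:2], hdr[pe:pe + 4], hdr[opt + 0xE0:opt + 0xE8] = b"MZ", b"PE\0\0", b".text\0\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)                                      # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header: 1 section
    struct.pack_into("<H", hdr, opt, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, 0x00400000)                          # ImageBase
    struct.pack_into("<IIII", hdr, opt + 0xE0 + 8, 0x70000, 0x1000, 0x70000, 0x400)  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    text = bytearray(0x70000)
    for va, orig, _ in PATCHES: text[va - 0x401000:va - 0x401000 + len(orig)] = orig  # place the original jump bytes
    return bytes(hdr + text)
```

To patch a real copy, read W32dasm into bytes, pass it to apply_patches() and write the result to a new file; the original-byte check makes the script stop on any build whose bytes differ from the listings above.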