Unpacking techniques, UPX: enablewebcompiler 1.0, removing the CRC check (with screenshots), Upx, Monday, 23 June 2008, 03:31 PM

【Title】 UPX: enablewebcompiler 1.0, removing the CRC check
【Author】 weiyi75[Dfcg]
【Author's e-mail】 weiyi75@sohu.com
【Author's homepage】 Dfcg官方大本营 --- http://www.chinadfcg.com/
【Tools used】 FI 3.01, UPXShell, OllyDbg 1.10b
【Platform】 Win2K/XP
【Software name】 enablewebcompiler
【Download】 Local download
【Software description】 Ordinary UPX packer, with a CRC check that detects unpacking.
【Size】 76.5 KB
【Packer】 UPX V1.20
【Statement】 I am just a little newbie; I picked up a bit of insight and would like to share it with everyone :)

--------------------------------------------------------------------------------

【Unpacking process】

FI identifies the packer as UPX V1.20. UPXShell unpacks it cleanly and perfectly, but running the program gives a "CRC check error, please reinstall the software" message.

A problem that should have been simple ended up taking half a day.

Let's start the hard way. The software's CRC check is of course related to GetFileSize.

On the command line: bp GetFileSize, then F9 to run.

77E68854 > 55 PUSH EBP // Break here. This is system territory; we have to get back to the program's own territory before we can patch or change the Z flag. You can't simply use Ctrl+F9 or Alt+F9 to return to user code.
77E68855 8BEC MOV EBP,ESP
77E68857 51 PUSH ECX
77E68858 51 PUSH ECX
77E68859 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
77E6885C 50 PUSH EAX
77E6885D FF75 08 PUSH DWORD PTR SS:[EBP+8]
77E68860 E8 24000000 CALL KERNEL32.GetFileSizeEx
77E68865 85C0 TEST EAX,EAX
77E68867 0F84 D3690200 JE KERNEL32.77E8F240
77E6886D 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
77E68870 85C0 TEST EAX,EAX
77E68872 ^ 0F85 B5E6FFFF JNZ KERNEL32.77E66F2D
77E68878 837D F8 FF CMP DWORD PTR SS:[EBP-8],-1
77E6887C 0F84 B2690200 JE KERNEL32.77E8F234
77E68882 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
77E68885 C9 LEAVE
77E68886 C2 0800 RETN 8
..........................................................

Remove the breakpoint and press Alt+M to open the memory map.

Memory map, item 13
Address=0043A000 // This time set a memory-access breakpoint on the .data section.
Size=00004000 (16384.)
Owner=enablewe 00400000
Section=.data
Contains=data
Type=Imag 01001002
Access=R
Initial access=RWE

00420912 . FF50 04 CALL DWORD PTR DS:[EAX+4] ; MSVBVM50.BASIC_CLASS_AddRef // Good, we're back home. Clear the memory breakpoint. GetFileSize only fetches the file size; the comparison comes further down.
00420915 . C745 FC 01000>MOV DWORD PTR SS:[EBP-4],1
0042091C . C745 FC 02000>MOV DWORD PTR SS:[EBP-4],2
00420923 . 6A FF PUSH -1
00420925 . FF15 00E34300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>; MSVBVM50.__vbaOnError
0042092B . C745 FC 03000>MOV DWORD PTR SS:[EBP-4],3
00420932 . E8 99420100 CALL enablewe.00434BD0
00420937 . C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
0042093E . E8 1D160100 CALL enablewe.00431F60 // After this call, the CRC check error appears.
....................................................................

VB is easy to pick up, but its code efficiency is nothing to write home about; there is an enormous amount of junk code. Finding this magic jump is not so easy.

Ctrl+F2 to restart OllyDbg, then Ctrl+G 0042093E, F4 to run straight to it, and F7 to step into the call.

00431F60 $ 55 PUSH EBP // After stepping in there is far too much code; Ctrl+F8 lets OllyDbg take some of the load off us. After a dizzying stretch, go to Label 1.
00431F61 . 8BEC MOV EBP,ESP
00431F63 . 83EC 18 SUB ESP,18
00431F66 . 68 261D4000 PUSH
00431F6B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00431F71 . 50 PUSH EAX
00431F72 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00431F79 . B8 58110000 MOV EAX,1158
00431F7E . E8 9DFDFCFF CALL
00431F83 . 53 PUSH EBX
00431F84 . 56 PUSH ESI
00431F85 . 57 PUSH EDI
00431F86 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00431F89 . C745 EC 501A4>MOV DWORD PTR SS:[EBP-14],enablewe.00401>
00431F90 . C745 F0 00000>MOV DWORD PTR SS:[EBP-10],0
00431F97 . C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
00431F9E . C745 FC 01000>MOV DWORD PTR SS:[EBP-4],1
00431FA5 . C745 FC 02000>MOV DWORD PTR SS:[EBP-4],2
00431FAC . 6A FF PUSH -1
00431FAE . FF15 00E34300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>; MSVBVM50.__vbaOnError
00431FB4 . C745 FC 03000>MOV DWORD PTR SS:[EBP-4],3
00431FBB . 833D CCAA4300>CMP DWORD PTR DS:[43AACC],0
00431FC2 . 75 1C JNZ SHORT enablewe.00431FE0
00431FC4 . 68 CCAA4300 PUSH enablewe.0043AACC
00431FC9 . 68 2C674000 PUSH enablewe.0040672C
00431FCE . FF15 14E44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
00431FD4 . C785 D4EEFFFF>MOV DWORD PTR SS:[EBP-112C],enablewe.004>
00431FDE . EB 0A JMP SHORT enablewe.00431FEA
...................................................................

Label 1: look upward from here for the magic jump, then go to Label 2.

004341D2 . FF15 08E34300 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
004341D8 . 8D85 D8FDFFFF LEA EAX,DWORD PTR SS:[EBP-228]
004341DE . 50 PUSH EAX
004341DF . 8D8D E8FDFFFF LEA ECX,DWORD PTR SS:[EBP-218]
004341E5 . 51 PUSH ECX
004341E6 . 8D95 F8FDFFFF LEA EDX,DWORD PTR SS:[EBP-208]
004341EC . 52 PUSH EDX
004341ED . 8D85 08FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F8]
004341F3 . 50 PUSH EAX
004341F4 . 8D8D 18FEFFFF LEA ECX,DWORD PTR SS:[EBP-1E8]
004341FA . 51 PUSH ECX
004341FB . 8D95 28FEFFFF LEA EDX,DWORD PTR SS:[EBP-1D8]
00434201 . 52 PUSH EDX
...................................................................

Label 2

00433EB4 . FF15 34E44300 CALL DWORD PTR DS:[<&MSVBVM50.#578>] ; MSVBVM50.rtcFileLen
00433EBA . 8985 A4EEFFFF MOV DWORD PTR SS:[EBP-115C],EAX
00433EC0 . DB85 A4EEFFFF FILD DWORD PTR SS:[EBP-115C]
00433EC6 . DD9D 9CEEFFFF FSTP QWORD PTR SS:[EBP-1164]
00433ECC . DD85 10EFFFFF FLD QWORD PTR SS:[EBP-10F0]
00433ED2 . FF15 24E34300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>>; MSVBVM50.__vbaFpR8
00433ED8 . DC9D 9CEEFFFF FCOMP QWORD PTR SS:[EBP-1164]
00433EDE . DFE0 FSTSW AX
00433EE0 . F6C4 01 TEST AH,1
00433EE3 . 74 0C JE SHORT enablewe.00433EF1
00433EE5 . C785 98EEFFFF>MOV DWORD PTR SS:[EBP-1168],1
00433EEF . EB 0A JMP SHORT enablewe.00433EFB
00433EF1 > C785 98EEFFFF>MOV DWORD PTR SS:[EBP-1168],0
00433EFB > 8B8D 98EEFFFF MOV ECX,DWORD PTR SS:[EBP-1168]
00433F01 . F7D9 NEG ECX
00433F03 . 0FBFD1 MOVSX EDX,CX
00433F06 . 85D2 TEST EDX,EDX
00433F08 . 0F84 33040000 JE enablewe.00434341 // After all that searching, this is the spot. Just patch it.

Change it directly to:

00433F08 /0F85 33040000 JNZ enablewe.00434341

Save it to a file.

00433F0E . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
00433F15 . 6A 41 PUSH 41
00433F17 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00433F1A . 50 PUSH EAX
00433F1B . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F21 . 6A 6C PUSH 6C
00433F23 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00433F26 . 51 PUSH ECX
00433F27 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F2D . 6A 65 PUSH 65
00433F2F . 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
00433F35 . 52 PUSH EDX
00433F36 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F3C . 6A 72 PUSH 72
00433F3E . 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8]
00433F44 . 50 PUSH EAX
00433F45 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F4B . 6A 74 PUSH 74
00433F4D . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
00433F53 . 51 PUSH ECX
00433F54 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F5A . 6A 21 PUSH 21
00433F5C . 8D95 18FFFFFF LEA EDX,DWORD PTR SS:[EBP-E8]
00433F62 . 52 PUSH EDX
00433F63 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F69 . 6A 20 PUSH 20
00433F6B . 8D85 F8FEFFFF LEA EAX,DWORD PTR SS:[EBP-108]
00433F71 . 50 PUSH EAX
00433F72 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F78 . 6A 3A PUSH 3A
00433F7A . 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128]
00433F80 . 51 PUSH ECX
00433F81 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F87 . 6A 20 PUSH 20
00433F89 . 8D95 B8FEFFFF LEA EDX,DWORD PTR SS:[EBP-148]
00433F8F . 52 PUSH EDX
00433F90 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433F96 . 6A 43 PUSH 43
00433F98 . 8D85 98FEFFFF LEA EAX,DWORD PTR SS:[EBP-168]
00433F9E . 50 PUSH EAX
00433F9F . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433FA5 . 6A 52 PUSH 52
00433FA7 . 8D8D 78FEFFFF LEA ECX,DWORD PTR SS:[EBP-188]
00433FAD . 51 PUSH ECX
00433FAE . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433FB4 . 6A 43 PUSH 43
00433FB6 . 8D95 58FEFFFF LEA EDX,DWORD PTR SS:[EBP-1A8]
00433FBC . 52 PUSH EDX
00433FBD . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433FC3 . 6A 20 PUSH 20
00433FC5 . 8D85 38FEFFFF LEA EAX,DWORD PTR SS:[EBP-1C8]
00433FCB . 50 PUSH EAX
00433FCC . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433FD2 . 6A 45 PUSH 45
00433FD4 . 8D8D 18FEFFFF LEA ECX,DWORD PTR SS:[EBP-1E8]
00433FDA . 51 PUSH ECX
00433FDB . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433FE1 . 6A 72 PUSH 72
00433FE3 . 8D95 F8FDFFFF LEA EDX,DWORD PTR SS:[EBP-208]
00433FE9 . 52 PUSH EDX
00433FEA . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433FF0 . 6A 72 PUSH 72
00433FF2 . 8D85 D8FDFFFF LEA EAX,DWORD PTR SS:[EBP-228]
00433FF8 . 50 PUSH EAX
00433FF9 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
00433FFF . 6A 6F PUSH 6F
00434001 . 8D8D B8FDFFFF LEA ECX,DWORD PTR SS:[EBP-248]
00434007 . 51 PUSH ECX
00434008 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
0043400E . 6A 72 PUSH 72
00434010 . 8D95 98FDFFFF LEA EDX,DWORD PTR SS:[EBP-268]
00434016 . 52 PUSH EDX
00434017 . FF15 C4E34300 CALL DWORD PTR DS:[<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
0043401D . C785 70FDFFFF>MOV DWORD PTR SS:[EBP-290],80020004
00434027 . C785 68FDFFFF>MOV DWORD PTR SS:[EBP-298],0A
00434031 . C785 80FDFFFF>MOV DWORD PTR SS:[EBP-280],80020004
0043403B . C785 78FDFFFF>MOV DWORD PTR SS:[EBP-288],0A
00434045 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00434048 . 8985 40EFFFFF MOV DWORD PTR SS:[EBP-10C0],EAX
0043404E . C785 38EFFFFF>MOV DWORD PTR SS:[EBP-10C8],4008
00434058 . 8D8D 68FDFFFF LEA ECX,DWORD PTR SS:[EBP-298]
0043405E . 51 PUSH ECX
0043405F . 8D95 78FDFFFF LEA EDX,DWORD PTR SS:[EBP-288]
00434065 . 52 PUSH EDX
00434066 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00434069 . 50 PUSH EAX
0043406A . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
0043406D . 51 PUSH ECX
0043406E . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
00434071 . 52 PUSH EDX
00434072 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
00434078 . 50 PUSH EAX
00434079 . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0043407F . 50 PUSH EAX
00434080 . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
00434086 . 51 PUSH ECX
00434087 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
0043408D . 50 PUSH EAX
0043408E . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
00434094 . 52 PUSH EDX
00434095 . 8D85 48FFFFFF LEA EAX,DWORD PTR SS:[EBP-B8]
0043409B . 50 PUSH EAX
0043409C . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
004340A2 . 50 PUSH EAX
004340A3 . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
004340A9 . 51 PUSH ECX
004340AA . 8D95 28FFFFFF LEA EDX,DWORD PTR SS:[EBP-D8]
004340B0 . 52 PUSH EDX
004340B1 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
004340B7 . 50 PUSH EAX
004340B8 . 8D85 18FFFFFF LEA EAX,DWORD PTR SS:[EBP-E8]
004340BE . 50 PUSH EAX
004340BF . 8D8D 08FFFFFF LEA ECX,DWORD PTR SS:[EBP-F8]
004340C5 . 51 PUSH ECX
004340C6 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
004340CC . 50 PUSH EAX
004340CD . 8D95 F8FEFFFF LEA EDX,DWORD PTR SS:[EBP-108]
004340D3 . 52 PUSH EDX
004340D4 . 8D85 E8FEFFFF LEA EAX,DWORD PTR SS:[EBP-118]
004340DA . 50 PUSH EAX
004340DB . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
004340E1 . 50 PUSH EAX
004340E2 . 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128]
004340E8 . 51 PUSH ECX
004340E9 . 8D95 C8FEFFFF LEA EDX,DWORD PTR SS:[EBP-138]
004340EF . 52 PUSH EDX
004340F0 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
004340F6 . 50 PUSH EAX
004340F7 . 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
004340FD . 50 PUSH EAX
004340FE . 8D8D A8FEFFFF LEA ECX,DWORD PTR SS:[EBP-158]
00434104 . 51 PUSH ECX
00434105 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
0043410B . 50 PUSH EAX
0043410C . 8D95 98FEFFFF LEA EDX,DWORD PTR SS:[EBP-168]
00434112 . 52 PUSH EDX
00434113 . 8D85 88FEFFFF LEA EAX,DWORD PTR SS:[EBP-178]
00434119 . 50 PUSH EAX
0043411A . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
00434120 . 50 PUSH EAX
00434121 . 8D8D 78FEFFFF LEA ECX,DWORD PTR SS:[EBP-188]
00434127 . 51 PUSH ECX
00434128 . 8D95 68FEFFFF LEA EDX,DWORD PTR SS:[EBP-198]
0043412E . 52 PUSH EDX
0043412F . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
00434135 . 50 PUSH EAX
00434136 . 8D85 58FEFFFF LEA EAX,DWORD PTR SS:[EBP-1A8]
0043413C . 50 PUSH EAX
0043413D . 8D8D 48FEFFFF LEA ECX,DWORD PTR SS:[EBP-1B8]
00434143 . 51 PUSH ECX
00434144 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
0043414A . 50 PUSH EAX
0043414B . 8D95 38FEFFFF LEA EDX,DWORD PTR SS:[EBP-1C8]
00434151 . 52 PUSH EDX
00434152 . 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
00434158 . 50 PUSH EAX
00434159 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
0043415F . 50 PUSH EAX
00434160 . 8D8D 18FEFFFF LEA ECX,DWORD PTR SS:[EBP-1E8]
00434166 . 51 PUSH ECX
00434167 . 8D95 08FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F8]
0043416D . 52 PUSH EDX
0043416E . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
00434174 . 50 PUSH EAX
00434175 . 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
0043417B . 50 PUSH EAX
0043417C . 8D8D E8FDFFFF LEA ECX,DWORD PTR SS:[EBP-218]
00434182 . 51 PUSH ECX
00434183 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
00434189 . 50 PUSH EAX
0043418A . 8D95 D8FDFFFF LEA EDX,DWORD PTR SS:[EBP-228]
00434190 . 52 PUSH EDX
00434191 . 8D85 C8FDFFFF LEA EAX,DWORD PTR SS:[EBP-238]
00434197 . 50 PUSH EAX
00434198 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
0043419E . 50 PUSH EAX
0043419F . 8D8D B8FDFFFF LEA ECX,DWORD PTR SS:[EBP-248]
004341A5 . 51 PUSH ECX
004341A6 . 8D95 A8FDFFFF LEA EDX,DWORD PTR SS:[EBP-258]
004341AC . 52 PUSH EDX
004341AD . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
004341B3 . 50 PUSH EAX
004341B4 . 8D85 98FDFFFF LEA EAX,DWORD PTR SS:[EBP-268]
004341BA . 50 PUSH EAX
004341BB . 8D8D 88FDFFFF LEA ECX,DWORD PTR SS:[EBP-278]
004341C1 . 51 PUSH ECX
004341C2 . FF15 4CE44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
004341C8 . 50 PUSH EAX
004341C9 . 6A 40 PUSH 40
004341CB . 8D95 38EFFFFF LEA EDX,DWORD PTR SS:[EBP-10C8]
004341D1 . 52 PUSH EDX
004341D2 . FF15 08E34300 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox // CRC check error.
..........................................................................

Actually, the simple way is to set a breakpoint on the command line with bp rtcMsgBox; once it breaks, return to the caller and look upward, and the magic jump turns up in no time.

I was muddled today and forgot that bp MessageBoxA will not break in a VB program.

Along the way this was a review of GetFileSize and memory breakpoints on code.

And finally, of course, the victory screenshot.

You can see the font really does have a bug; naturally the freeware author has no enthusiasm for updating and fixing it.

【Summary】 I'm busy and have no time to write a summary. Thank you all for reading patiently!
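What the Label 2 listing actually compares is worth spelling out, because it explains why a clean unpack trips the "CRC" check at all: rtcFileLen returns the on-disk length, FILD/FSTP widen it to a double, FCOMP compares the stored double from [EBP-10F0] against it, and TEST AH,1 after FSTSW AX looks at the C0 flag, which is set when the stored value is smaller than the actual length. UPX unpacking makes the file larger, so the error path runs. The Python below is an added example written for this page, not code from the post or from the enablewebcompiler author; it models that length comparison beside a CRC32 content check on constructed sample images (the byte strings are made up, not the real binary) to show, from an integrity-design point of view, which changes each kind of self-check can and cannot see. The C0 reading of the FCOMP sequence is my own interpretation of the listing.

```python
import zlib

# Constructed sample images; they stand in for the shipped file and are not the real binary.
ORIGINAL = bytes(range(256)) * 4              # 1024 bytes: the file as shipped
UNPACKED = ORIGINAL + b"\x90" * 512           # unpacking grows the file on disk
_edited = bytearray(ORIGINAL)
_edited[0x300] ^= 0x01                        # one flipped byte, length unchanged
SAME_SIZE_EDIT = bytes(_edited)
TRUNCATED = ORIGINAL[:-16]                    # shorter than expected

# Values the shipped program would carry inside itself (constructed here).
EXPECTED_LEN = float(len(ORIGINAL))
EXPECTED_CRC = zlib.crc32(ORIGINAL) & 0xFFFFFFFF


def vb_length_check(image: bytes, expected_len: float) -> bool:
    """Model of the check at 00433EB4..00433F08 in the listing.

    rtcFileLen -> FILD/FSTP gives the actual length as a double; FCOMP compares the
    stored double against it; TEST AH,1 tests C0, which is set when stored < actual.
    That branch leads to the rtcMsgBox error, so the check passes only when the
    file did not grow. Returns True when the program would continue normally.
    """
    actual_len = float(len(image))
    c0_set = expected_len < actual_len
    return not c0_set


def crc32_check(image: bytes, expected_crc: int) -> bool:
    """A content check: any changed, added or removed byte alters the CRC."""
    return (zlib.crc32(image) & 0xFFFFFFFF) == expected_crc


def evaluate(image: bytes) -> dict:
    """Run both checks on one image and report which would accept it."""
    return {
        "length_check_passes": vb_length_check(image, EXPECTED_LEN),
        "crc32_check_passes": crc32_check(image, EXPECTED_CRC),
    }


if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("unpacked", UNPACKED),
               ("same-size edit", SAME_SIZE_EDIT), ("truncated", TRUNCATED)]
    for name, image in samples:
        print(f"{name:15s} {evaluate(image)}")
```

The length check rejects the unpacked image but accepts a same-size edit and a truncated file, while the CRC32 check rejects all three. Either way, a self-check stored inside the binary sits next to the comparison that uses it, so it only ever raises the cost of tampering; integrity that is meant to be relied on has to be verified from outside the file, for example an Authenticode signature or a hash checked by the installer or loader.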