This post was last edited by lawrences on 2013-6-9 13:27
I recently watched Shark恒's cracking tutorials and went looking for software to practice on. I happen to have a game helper tool that always pops up several useless dialogs when it starts, and it even pops open a damn web page. The packer has already been removed, but when loading it into OD it still says something about compression; I just click No. I went through it several times and couldn't find it; a PE scan shows it's clean too. It's written in C++.
The first time, I used NOP to fill the PUSH with 0 directly, and the software wouldn't open at all. I looked it up and it says this causes stack imbalance; Heng's fix for that didn't work at all... I spent half a day looking for a JMP and just couldn't find one..
I captured part of the program; below is the part that pops the web page and the dialog (the one with the 360 notice). To remove the ads and popups, should it be the call or the push? Can I jmp straight over these?
Looking for an expert, a big bird, to guide me, in as much detail as possible; if it works I'll give points!!!, follow you!!!, and give 热心值!!!
@Shark恒
Experts, please give me some ideas.
00401A3F 83C4 04 add esp,0x4
00401A42 68 04000080 push 0x80000004
00401A47 6A 00 push 0x0
00401A49 68 FF394A00 push 123456.004A39FF ; C:\WINDOWS\XHTS.XIN
00401A4E 68 01000000 push 0x1
00401A53 BB C0ED4100 mov ebx,123456.0041EDC0
00401A58 E8 2FBC0100 call 123456.0041D68C
00401A5D 83C4 10 add esp,0x10
00401A60 68 04000080 push 0x80000004
00401A65 6A 00 push 0x0
00401A67 68 133A4A00 push 123456.004A3A13 ; Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\52xifan.com\www
00401A6C 68 01030080 push 0x80000301
00401A71 6A 00 push 0x0
00401A73 68 03000000 push 0x3
00401A78 68 02000000 push 0x2
00401A7D BB 20F84100 mov ebx,123456.0041F820
00401A82 E8 05BC0100 call 123456.0041D68C
00401A87 83C4 1C add esp,0x1C
00401A8A 68 04000080 push 0x80000004
00401A8F 6A 00 push 0x0
00401A91 68 6F3A4A00 push 123456.004A3A6F ; Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xifan520.com\www
00401A96 68 01030080 push 0x80000301
00401A9B 6A 00 push 0x0
00401A9D 68 03000000 push 0x3
00401AA2 68 02000000 push 0x2
00401AA7 BB 20F84100 mov ebx,123456.0041F820
00401AAC E8 DBBB0100 call 123456.0041D68C
00401AB1 83C4 1C add esp,0x1C
00401AB4 68 04000080 push 0x80000004
00401AB9 6A 00 push 0x0
00401ABB 68 CC3A4A00 push 123456.004A3ACC ; Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tuigoo.com\js
00401AC0 68 01030080 push 0x80000301
00401AC5 6A 00 push 0x0
00401AC7 68 03000000 push 0x3
00401ACC 68 02000000 push 0x2
00401AD1 BB 20F84100 mov ebx,123456.0041F820
00401AD6 E8 B1BB0100 call 123456.0041D68C
00401ADB 83C4 1C add esp,0x1C
00401ADE 68 04000080 push 0x80000004
00401AE3 6A 00 push 0x0
00401AE5 68 263B4A00 push 123456.004A3B26 ; Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tuigoo.com\www
00401AEA 68 01030080 push 0x80000301
00401AEF 6A 00 push 0x0
00401AF1 68 03000000 push 0x3
00401AF6 68 02000000 push 0x2
00401AFB BB 20F84100 mov ebx,123456.0041F820
00401B00 E8 87BB0100 call 123456.0041D68C
00401B05 83C4 1C add esp,0x1C
00401B08 68 01030080 push 0x80000301
00401B0D 6A 00 push 0x0
00401B0F 68 04000000 push 0x4
00401B14 68 04000080 push 0x80000004
00401B19 6A 00 push 0x0
00401B1B 68 813B4A00 push 123456.004A3B81 ; Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rebornne-cn.com\www\*
00401B20 68 01030080 push 0x80000301
00401B25 6A 00 push 0x0
00401B27 68 03000000 push 0x3
00401B2C 68 03000000 push 0x3
00401B31 BB 00F84100 mov ebx,123456.0041F800
00401B36 E8 51BB0100 call 123456.0041D68C
00401B3B 83C4 28 add esp,0x28
00401B3E 6A 00 push 0x0
00401B40 6A 00 push 0x0
00401B42 6A 00 push 0x0
00401B44 68 01030080 push 0x80000301
00401B49 6A 00 push 0x0
00401B4B 68 00000000 push 0x0
00401B50 68 04000080 push 0x80000004
00401B55 6A 00 push 0x0
00401B57 68 E33B4A00 push 123456.004A3BE3 ; 360你能在傻X一点吗?总误报毒,烦躁,正在解决中,可以放心使用!\r\n\r\n\r\n\r\n请麻烦把所有弹出广告注册下,不然可能随时停止更新,麻烦了请认真注册,不要乱写用户名!\r\n请认真注册填写用户名,不用重复顺序,注册了就一定要玩5级以上,注册一个玩5级也好!!\r\n注
00401B5C 68 03000000 push 0x3
00401B61 BB D0F84100 mov ebx,123456.0041F8D0
00401B66 E8 21BB0100 call 123456.0041D68C
00401B6B 83C4 28 add esp,0x28
00401B6E 6A 00 push 0x0
00401B70 6A 00 push 0x0
00401B72 6A 00 push 0x0
00401B74 68 01030080 push 0x80000301
00401B79 6A 00 push 0x0
00401B7B 68 00000000 push 0x0
00401B80 68 04000080 push 0x80000004
00401B85 6A 00 push 0x0
00401B87 68 EB3D4A00 push 123456.004A3DEB ; 切记!同一个IP一次就可以了,要隔天请重启路由再注册!谢谢!\r\n请认真注册弹窗广告用户名!切记不要乱填!\r\n注册的广告游戏至少玩到5级,谢谢,要么就不要轻易注册\r\n哪怕你注册一个玩到5级都可以!
00401B8C 68 03000000 push 0x3
00401B91 BB D0F84100 mov ebx,123456.0041F8D0
00401B96 E8 F1BA0100 call 123456.0041D68C
00401B9B 83C4 28 add esp,0x28
00401B9E 68 04000080 push 0x80000004
00401BA3 6A 00 push 0x0
00401BA5 68 A43E4A00 push 123456.004A3EA4 ; 稀饭提示
00401BAA 68 01030080 push 0x80000301
00401BAF 6A 00 push 0x0
00401BB1 68 00000000 push 0x0
00401BB6 68 04000080 push 0x80000004
00401BBB 6A 00 push 0x0
00401BBD 68 AD3E4A00 push 123456.004A3EAD
00401BC2 68 03000000 push 0x3
00401BC7 BB D0F84100 mov ebx,123456.0041F8D0
00401BCC E8 BBBA0100 call 123456.0041D68C
00401BD1 83C4 28 add esp,0x28
00401BD4 8BE5 mov esp,ebp
00401BD6 5D pop ebp
00401BD7 C3 retn
00401BD8 8B5424 04 mov edx,dword ptr ss:[esp+0x4]
00401BDC 8B4C24 08 mov ecx,dword ptr ss:[esp+0x8]
00401BE0 85D2 test edx,edx
00401BE2 75 0D jnz X123456.00401BF1
00401BE4 33C0 xor eax,eax
00401BE6 85C9 test ecx,ecx
00401BE8 74 06 je X123456.00401BF0
00401BEA 8039 00 cmp byte ptr ds:[ecx],0x0
00401BED 74 01 je X123456.00401BF0
00401BEF 48 dec eax
00401BF0 C3 retn
00401BF1 85C9 test ecx,ecx
00401BF3 75 09 jnz X123456.00401BFE
00401BF5 33C0 xor eax,eax
00401BF7 803A 00 cmp byte ptr ds:[edx],0x0
00401BFA 74 01 je X123456.00401BFD
00401BFC 40 inc eax
00401BFD C3 retn
00401BFE F7C2 03000000 test edx,0x3
00401C04 75 37 jnz X123456.00401C3D
00401C06 8B02 mov eax,dword ptr ds:[edx]
00401C08 3A01 cmp al,byte ptr ds:[ecx]
00401C0A 75 2B jnz X123456.00401C37
00401C0C 0AC0 or al,al
00401C0E 74 24 je X123456.00401C34
00401C10 3A61 01 cmp ah,byte ptr ds:[ecx+0x1]
00401C13 75 22 jnz X123456.00401C37
00401C15 0AE4 or ah,ah