Cool-Y.github.io/2019/03/28/逆向工程实验/index.html

1280 lines
59 KiB
HTML
Raw Normal View History

2019-04-15 07:42:42 +00:00
<!DOCTYPE html>
2021-04-10 12:03:10 +00:00
<html class="theme-next muse use-motion" lang="zh-Hans">
2019-04-15 07:42:42 +00:00
<head><meta name="generator" content="Hexo 3.8.0">
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">
2021-04-10 19:19:48 +00:00
<script src="/lib/pace/pace.min.js?v=1.0.2"></script>
<link href="/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel="stylesheet">
2019-04-15 07:42:42 +00:00
<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
<link rel="apple-touch-icon" sizes="180x180" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
<meta name="keywords" content="逆向,破解,">
2021-04-10 13:53:56 +00:00
<meta name="description" content="一些逆向的小实验">
2019-04-15 07:42:42 +00:00
<meta name="keywords" content="逆向,破解">
<meta property="og:type" content="article">
<meta property="og:title" content="逆向工程与软件破解">
<meta property="og:url" content="https://cool-y.github.io/2019/03/28/逆向工程实验/index.html">
<meta property="og:site_name" content="混元霹雳手">
2021-04-10 13:53:56 +00:00
<meta property="og:description" content="一些逆向的小实验">
2019-04-15 07:42:42 +00:00
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553772615/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B71.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553858953/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B77.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937461/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B79.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937531/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B711.png">
2019-05-07 11:32:10 +00:00
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128745/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/1.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128848/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/2.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557129711/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/3.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557131510/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/4.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557132091/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/5.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133154/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/6.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133828/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/7.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227067/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/8.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227506/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/9.png">
2021-04-10 13:53:56 +00:00
<meta property="og:updated_time" content="2021-04-10T13:34:37.251Z">
2019-04-15 07:42:42 +00:00
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="逆向工程与软件破解">
2021-04-10 13:53:56 +00:00
<meta name="twitter:description" content="一些逆向的小实验">
2019-04-15 07:42:42 +00:00
<meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png">
<script type="text/javascript" id="hexo.configurations">
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
2021-04-10 12:03:10 +00:00
scheme: 'Muse',
2019-04-15 07:42:42 +00:00
version: '5.1.4',
2021-04-10 19:19:48 +00:00
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":true,"onmobile":false},
2019-04-15 07:42:42 +00:00
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
</script>
<link rel="canonical" href="https://cool-y.github.io/2019/03/28/逆向工程实验/">
<title>逆向工程与软件破解 | 混元霹雳手</title>
</head>
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
<div class="container sidebar-position-left page-post-detail">
<div class="headband"></div>
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-wrapper">
<div class="site-meta ">
<div class="custom-logo-site-title">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<span class="site-title">混元霹雳手</span>
<span class="logo-line-after"><i></i></span>
</a>
</div>
2019-07-24 03:51:42 +00:00
<p class="site-subtitle"></p>
2019-04-15 07:42:42 +00:00
</div>
<div class="site-nav-toggle">
<button>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
</button>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section">
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
首页
</a>
</li>
<li class="menu-item menu-item-about">
<a href="/about/" rel="section">
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
关于
</a>
</li>
<li class="menu-item menu-item-tags">
<a href="/tags/" rel="section">
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
标签
</a>
</li>
<li class="menu-item menu-item-categories">
<a href="/categories/" rel="section">
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
分类
</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section">
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
归档
</a>
</li>
<li class="menu-item menu-item-bookmarks">
<a href="/bookmarks/" rel="section">
<i class="menu-item-icon fa fa-fw fa-map"></i> <br>
书签
</a>
</li>
2019-08-08 12:42:56 +00:00
2019-08-08 12:47:43 +00:00
<li class="menu-item menu-item-hack之外">
2019-08-08 12:42:56 +00:00
<a href="/hack之外/" rel="section">
2019-08-08 12:52:19 +00:00
<i class="menu-item-icon fa fa-fw fa-heartbeat"></i> <br>
2019-08-08 12:42:56 +00:00
2019-08-08 12:52:19 +00:00
HACK之外
2019-08-08 12:42:56 +00:00
</a>
</li>
2019-04-15 07:42:42 +00:00
</ul>
</nav>
</div>
</header>
<main id="main" class="main">
<div class="main-inner">
<div class="content-wrap">
<div id="content" class="content">
<div id="posts" class="posts-expand">
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/03/28/逆向工程实验/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.png">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">逆向工程与软件破解</h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-03-28T15:25:04+08:00">
2019-03-28
</time>
</span>
<span class="post-category">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-folder-o"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/二进制/" itemprop="url" rel="index">
<span itemprop="name">二进制</span>
</a>
</span>
</span>
<span id="/2019/03/28/逆向工程实验/" class="leancloud_visitors" data-flag-title="逆向工程与软件破解">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-eye"></i>
</span>
<span class="post-meta-item-text">阅读次数&#58;</span>
<span class="leancloud-visitors-count"></span>
</span>
<div class="post-wordcount">
<span class="post-meta-item-icon">
<i class="fa fa-file-word-o"></i>
</span>
<span title="字数统计">
2019-07-16 09:15:34 +00:00
3.1k 字
2019-04-15 07:42:42 +00:00
</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-clock-o"></i>
</span>
<span title="阅读时长">
2019-05-07 11:32:10 +00:00
11 分钟
2019-04-15 07:42:42 +00:00
</span>
</div>
2021-04-10 13:53:56 +00:00
<div class="post-description">
一些逆向的小实验
</div>
2019-04-15 07:42:42 +00:00
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h1 id="软件保护方式"><a href="#软件保护方式" class="headerlink" title="软件保护方式"></a>软件保护方式</h1><ol>
<li>功能限制</li>
<li>时间限制</li>
</ol>
<ul>
<li>运行时长限制</li>
<li>使用日期限制</li>
<li>使用次数限制</li>
</ul>
<ol start="3">
<li>警告窗口</li>
</ol>
<h2 id><a href="#" class="headerlink" title></a><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png" alt></h2><h1 id="分析工具"><a href="#分析工具" class="headerlink" title="分析工具"></a>分析工具</h1><ol>
<li>静态分析工具</li>
</ol>
<ul>
<li>IDA</li>
<li>W32Dasm</li>
<li>lordPE</li>
<li>Resource Hacker</li>
</ul>
<ol start="2">
<li>动态分析工具</li>
</ol>
<ul>
<li>OllyDbg</li>
<li>WinDbg</li>
</ul>
<hr>
<h1 id="对抗分析技术"><a href="#对抗分析技术" class="headerlink" title="对抗分析技术"></a>对抗分析技术</h1><ol>
<li>反静态分析技术</li>
</ol>
<ul>
<li>花指令</li>
<li>自修改代码技术</li>
<li>多态技术</li>
<li>变形技术</li>
<li>虚拟机保护技术</li>
</ul>
<ol start="2">
<li>反动态分析技术</li>
</ol>
<ul>
<li>检测调试状态</li>
<li>检测用户态调试器</li>
<li>检测内核态调试器</li>
<li>其他方法父进程检测StartupInfo 结构时间差通过Trap Flag检测</li>
</ul>
<ol start="3">
<li>发现调试器后的处理</li>
</ol>
<ul>
<li>程序自身退出</li>
<li>向调试器窗口发送消息使调试器退出</li>
<li>使调试器窗口不可用</li>
<li>终止调试器进程</li>
</ul>
<hr>
<h1 id="PE文件格式基础"><a href="#PE文件格式基础" class="headerlink" title="PE文件格式基础"></a>PE文件格式基础</h1><hr>
<h1 id="加壳脱壳"><a href="#加壳脱壳" class="headerlink" title="加壳脱壳"></a>加壳脱壳</h1><hr>
<h1 id="反调试技术"><a href="#反调试技术" class="headerlink" title="反调试技术"></a>反调试技术</h1><p>反调试技术,程序用它来识别是否被调试,或者让调试器失效。为了阻止调试器的分析,当程序意识到自己被调试时,它们可能改变正常的执行路径或者修改自身程序让自己崩溃,从而增加调试时间和复杂度。</p>
<h2 id="探测windows调试器"><a href="#探测windows调试器" class="headerlink" title="探测windows调试器"></a>探测windows调试器</h2><ol>
<li>使用windows API<br>使用Windows API函数探测调试器是否存在是最简单的反调试技术。<br>通常防止使用API进行反调试的方法有在程序运行期间修改恶意代码使其不能调用API函数或修改返回值确保执行合适的路径还有挂钩这些函数。<br>常用来探测调试器的API函数有<code>IsDebuggerPresent</code> <code>CheckRemoteDebuggerPresent</code> <code>NtQueryInformationProcess</code> <code>OutputDebuggString</code></li>
<li>手动检测数据结构<br>程序编写者经常手动执行与这些API功能相同的操作</li>
</ol>
<ul>
<li>检查BeingDebugged属性</li>
<li>检测ProcessHeap属性</li>
<li>检测NTGlobalFlag</li>
</ul>
<ol start="3">
<li>系统痕迹检测<br>通常我们使用调试工具来分析程序但这些工具会在系统中驻留一些痕迹。程序通过搜索这种系统的痕迹来确定你是否试图分析它。例如查找调试器引用的注册表项。同时程序也可以查找系统的文件和目录查找当前内存的痕迹或者查看当前进程列表更普遍的做法是通过FindWindows来查找调试器。</li>
</ol>
<h2 id="识别调试器的行为"><a href="#识别调试器的行为" class="headerlink" title="识别调试器的行为"></a>识别调试器的行为</h2><p>在逆向工程中可以使用断点或单步调试来帮助分析但执行这些操作时会修改进程中的代码。因此可以使用几种反调试技术探测INT扫描、完整性校验以及时钟检测等几种类型的调试器行为。</p>
<ol>
<li>INT扫描<br>调试器设置断点的基本机制是用软件中断INT 3机器码为0xCC临时替换程序中的一条指令。因此可以通过扫描INT 3修改来检测。</li>
<li>执行代码校验和检查<br>与INT扫描目的相同但仅执行机器码的CRC或MD5校验和检查。</li>
<li>时钟检测<br>被调试时,进程的运行速度大大降低,常用指令有:<code>rdstc</code> <code>QueryPerformanceCounter</code> <code>GetTickCount</code>,有如下两种方式探测时钟:</li>
</ol>
<ul>
<li>记录执行一段操作前后的时间戳</li>
<li>记录触发一个异常前后的时间戳<h2 id="干扰调试器的功能"><a href="#干扰调试器的功能" class="headerlink" title="干扰调试器的功能"></a>干扰调试器的功能</h2>本地存储(TLS)回调TLS回调被用来在程序入口点执行之前运行代码这发生在程序刚被加载到调试器时<br>使用异常使用SEH链可以实现异常程序可以使用异常来破坏或探测调试器调试器捕获异常后并不会将处理权立即返回给被调试进程。<br>插入中断插入INT 3、INT 2D、ICE<h2 id="调试器漏洞"><a href="#调试器漏洞" class="headerlink" title="调试器漏洞"></a>调试器漏洞</h2>PE头漏洞、OutputDebugString漏洞</li>
</ul>
<hr>
<h1 id="实验一:软件破解"><a href="#实验一:软件破解" class="headerlink" title="实验一:软件破解"></a>实验一:软件破解</h1><h2 id="对象"><a href="#对象" class="headerlink" title="对象"></a>对象</h2><p><a href="https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553761280/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/crack.exe1" target="_blank" rel="noopener">crack.exe</a>28.0 KB</p>
<ul>
<li>无保护措施:无壳、未加密、无反调试措施</li>
<li>用户名至少要5个字节</li>
<li>输入错误验证码时输出“Bad Boy!”</li>
</ul>
<h2 id="爆破"><a href="#爆破" class="headerlink" title="爆破"></a>爆破</h2><h3 id="查找显示注册结果相关代码"><a href="#查找显示注册结果相关代码" class="headerlink" title="查找显示注册结果相关代码"></a>查找显示注册结果相关代码</h3><p>当输入错误验证码时程序会输出“Bad Boy”因此我们将程序拖入IDA以流程图显示函数内部的跳转。查找“Bad Boy”字符串我们可以定位到显示注册结果的相关代码<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553772615/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B71.png" alt></p>
<h3 id="查找注册码验证相关代码"><a href="#查找注册码验证相关代码" class="headerlink" title="查找注册码验证相关代码"></a>查找注册码验证相关代码</h3><p>用鼠标选中程序分支点,按空格切换回汇编指令界面<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png" alt></p>
<p>可以看到这条指令位于PE文件的.text节并且IDA已经自动将地址转换为运行时的内存地址<code>VA:004010F9</code></p>
<h3 id="修改程序跳转"><a href="#修改程序跳转" class="headerlink" title="修改程序跳转"></a>修改程序跳转</h3><ul>
<li>现在关闭IDA换用OllyDbg进行动态调试来看看程序时如何分支跳转的<code>Ctrl+G</code>直接跳到由IDA得到的<code>VA:004010F9</code>处查看那条引起程序分支的关键指令</li>
<li>选中这条指令按F2设置断点再按F9运行程序这时候控制权会回到程序OllyDbg暂时挂起。到程序提示输入名字和序列号随意输入名字大于五个字节点击ok后OllyDbg会重新中断程序收回控制权如图<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png" alt></li>
<li><p>验证函数的返回值存于EAX寄存器中if语句通过以下两条指令执行</p>
2019-07-16 09:15:34 +00:00
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cmp eax,ecx</span><br><span class="line">jnz xxxxxxx</span><br></pre></td></tr></table></figure>
2019-04-15 07:42:42 +00:00
</li>
<li><p>也就是说当序列号输入错误时EAX中的值为0跳转将被执行。<br>如果我们把<code>jnz</code>这条指令修改为<code>jz</code>,那么整个程序的逻辑就会反过来。<br>双击<code>jnz</code>这条指令,将其改为<code>jz</code>,单击”汇编”将其写入内存<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png" alt><br>可以看到此时程序执行了相反的路径</p>
</li>
<li><p>上面只是在内存中修改程序我们还需要在二进制文件中也修改相应的字节这里考察VA与文件地址之间的关系</p>
</li>
2019-07-16 09:15:34 +00:00
<li>用LordPE打开.exe文件查看PE文件的节信息<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png" alt><br>根据VA与文件地址的换算公式<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">文件偏移地址 = VA - Image Base - 节偏移</span><br><span class="line"> = 0x004010F9 - 0x00400000 - 0</span><br><span class="line"> = 0x10F9</span><br></pre></td></tr></table></figure>
2019-04-15 07:42:42 +00:00
</li>
</ul>
<p>也就是说这条指令在PE文件中位于<code>10F9</code>字节处使用010Editer打开crack.exe将这一字节的<code>75(JNZ)`</code>改为<code>74(JZ)`</code>,保存后重新执行,破解成功!</p>
<h2 id="编写注册机"><a href="#编写注册机" class="headerlink" title="编写注册机"></a>编写注册机</h2><h3 id="查找显示注册结果相关代码-1"><a href="#查找显示注册结果相关代码-1" class="headerlink" title="查找显示注册结果相关代码"></a>查找显示注册结果相关代码</h3><p>通过查找字符串“good boy”等我们可以找到显示注册结果的相关代码</p>
<h3 id="查找注册码验证相关代码-1"><a href="#查找注册码验证相关代码-1" class="headerlink" title="查找注册码验证相关代码"></a>查找注册码验证相关代码</h3><p>因为检测密钥是否正确时会将结果返回到EAX寄存器中因此在检测密钥前必然会对EAX寄存器清空由此我们可以找到注册码验证的相关代码。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553858953/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B77.png" alt></p>
2019-07-16 09:15:34 +00:00
<h3 id="根据注册码验证代码编写注册机"><a href="#根据注册码验证代码编写注册机" class="headerlink" title="根据注册码验证代码编写注册机"></a>根据注册码验证代码编写注册机</h3><p>分析上图算法按tab键转换为高级语言<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">for ( i = 0; i &lt; v6; v12 = v10 )</span><br><span class="line"> v10 = (v6 + v12) * lpStringa[i++];</span><br><span class="line">if ( (v12 ^ 0xA9F9FA) == atoi(v15) )</span><br><span class="line"> MessageBoxA(hDlg, aTerimaKasihKer, aGoodBoy, 0);</span><br></pre></td></tr></table></figure></p>
<p>可以看出生成注册码主要在for循环中完成之后将生成的注册码与输入相比较判断是否正确。<br>所以,只要能弄明白<code>v6v12v10v15</code>的含义,我们就可以轻松的编写注册机。<br>打开ollybdg在进入循环之前设下断点动态调试程序<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">004010CC |&gt; /8B4D 10 |mov ecx,[arg.3] //此时ecx为name</span><br><span class="line">004010CF |. 8B55 0C |mov edx,[arg.2] //edx为0x1908</span><br><span class="line">004010D2 |. 03D3 |add edx,ebx //edx加上name的长度ebx</span><br><span class="line">004010D4 |. 0FBE0C08 |movsx ecx,byte ptr ds:[eax+ecx] //ecx=61h</span><br><span class="line">004010D8 |. 0FAFCA |imul ecx,edx //61h(a) * edx</span><br><span class="line">004010DB |. 40 |inc eax //eax加1初始为0</span><br><span class="line">004010DC |. 894D 0C |mov [arg.2],ecx</span><br><span class="line">004010DF |. 3BC3 |cmp eax,ebx //循环是否结束</span><br></pre></td></tr></table></figure></p>
<p><code>arg.3</code>为输入的<code>name</code><code>arg.2</code>初始为<code>0x1908</code><code>ebx</code><code>name</code>的长度,<code>eax</code>每次循环加1直到等于长度<br>因此,我们可以对参数的含义进行解释如下<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">v12 = 6408; //0x1908</span><br><span class="line">v10 = 6408; //0x1908</span><br><span class="line">v6 = len(name);</span><br><span class="line">v12 = input_serial;</span><br><span class="line">for ( i = 0; i &lt; v6; i++ )&#123;</span><br><span class="line"> v12 = v10</span><br><span class="line"> v10 = (v6 + v12) * lpStringa[i];</span><br><span class="line">&#125;</span><br><span class="line">if ((v12 ^ 0xA9F9FA) == atoi(v15))&#123;</span><br><span class="line"> MessageBoxA(hDlg, aTerimaKasihKer, aGoodBoy, 0);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
<p>可见,<code>v12^0xA9F9FA</code>的结果即是正确的注册码,我们编写一个<a href="https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553937750/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/reg.cpp" target="_blank" rel="noopener">简单的程序</a>帮助我们生成注册码:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">#include &lt;iostream&gt;</span><br><span class="line">#include&lt;stdio.h&gt;</span><br><span class="line"></span><br><span class="line">using namespace::std;</span><br><span class="line">int main()&#123;</span><br><span class="line"> int v12;</span><br><span class="line"> int v10 = 6408; //0x1908</span><br><span class="line"> string name;</span><br><span class="line"> cout &lt;&lt; &quot;请输入name: &quot;;</span><br><span class="line"> cin &gt;&gt; name;</span><br><span class="line"> int len = name.size();</span><br><span class="line"> for(int i = 0; i &lt; len+1; i++ )&#123;</span><br><span class="line"> v12 = v10;</span><br><span class="line"> v10 = (len + v12) * name[i];</span><br><span class="line"> &#125;</span><br><span class="line"> cout&lt;&lt;&quot;\n&quot;&lt;&lt;&quot;注册码为: &quot;&lt;&lt;(v12 ^ 0xA9F9FA)&lt;&lt;endl;</span><br><span class="line"> return 0;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
2019-04-15 07:42:42 +00:00
<p>计算出”testname”的对应注册码<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937461/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B79.png" alt><br>注册成功!</p>
<h2 id="-1"><a href="#-1" class="headerlink" title></a><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937531/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B711.png" alt></h2><h1 id="实验二:软件反动态调试技术分析"><a href="#实验二:软件反动态调试技术分析" class="headerlink" title="实验二:软件反动态调试技术分析"></a>实验二:软件反动态调试技术分析</h1><h2 id="对象-1"><a href="#对象-1" class="headerlink" title="对象"></a>对象</h2><p><a href="https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553779243/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/CrackMe1.exe1" target="_blank" rel="noopener">CrackMe1.exe</a> 1641.0 KB<br>无保护措施:无壳、未加密、无反调试措施<br>使用OllyDbg对该程序进行调试时程序会自动退出</p>
<h2 id="要求"><a href="#要求" class="headerlink" title="要求"></a>要求</h2><ol>
<li>分析CrackMe1.exe是如何通过父进程检测实现反OllyDbg调试的</li>
<li>分析除父进程检测外,该程序用到的反动态调试技术</li>
</ol>
2019-05-07 11:35:07 +00:00
<h2 id="父进程检测"><a href="#父进程检测" class="headerlink" title="父进程检测"></a>父进程检测</h2><p>一般双击运行的进程的父进程都是explorer.exe但是如果进程被调试父进程则是调试器进程。也就是说如果父进程不是explorer.exe则可以认为程序正在被调试。</p>
2019-07-16 09:15:34 +00:00
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line">BOOL IsInDebugger()&#123;</span><br><span class="line"> HANDLE hProcessSnap = NULL;</span><br><span class="line"> char Expchar[] =&quot;\\EXPLORER.EXE&quot;;</span><br><span class="line"> char szBuffer[MAX_PATH]=&#123;0&#125;;</span><br><span class="line"> char FileName[MAX_PATH]=&#123;0&#125;;</span><br><span class="line"> PROCESSENTRY32 pe32 = &#123;0&#125;;</span><br><span class="line"></span><br><span class="line"> hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //得到所有进程的列表快照</span><br><span class="line"> if (hProcessSnap == INVALID_HANDLE_VALUE)</span><br><span class="line"> return FALSE; </span><br><span class="line"></span><br><span class="line"> pe32.dwSize = sizeof(PROCESSENTRY32);</span><br><span class="line"></span><br><span class="line"> if (!Process32First(hProcessSnap, &amp;pe32)) // 查找进程</span><br><span class="line"> &#123;</span><br><span class="line"> CloseHandle (hProcessSnap);</span><br><span class="line"> return FALSE;</span><br><span class="line"> &#125;</span><br><span class="line"></span><br><span class="line"> do // 遍历所有进程</span><br><span class="line"> &#123;</span><br><span class="line"> if(pe32.th32ProcessID==GetCurrentProcessId() )//判断是否是自己的进程?</span><br><span class="line"> &#123;</span><br><span class="line"> HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ParentProcessID); //打开父进程</span><br><span class="line"> if (hProcess)</span><br><span class="line"> &#123;</span><br><span class="line"> if (GetModuleFileNameEx(hProcess, NULL, FileName, MAX_PATH) ) // 得到父进程名</span><br><span class="line"> &#123;</span><br><span class="line"> GetWindowsDirectory(szBuffer,MAX_PATH); //得到系统所在目录</span><br><span class="line"> strcat(szBuffer,Expchar); //组合成类似的字串D:\Winnt\Explorer.EXE</span><br><span class="line"> if(strcmpi (FileName,szBuffer)) // 比较当前是否为Explorer.EXE进程</span><br><span class="line"> &#123;</span><br><span class="line"> return TRUE; // 父进程若不是Explorer.EXE则是调试器</span><br><span class="line">
<p>由上述示例代码我们可以看到父进程检测中调用了GetCurrentProcessId函数来判断。<br>因此在Ollydbg中首先找到GetCurrentProcessId模块Ctrl+N然后设置断点<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128745/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/1.png" alt><br>查看断点是否设置成功<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128848/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/2.png" alt><br>运行该程序,在断点00401932停下打开任务管理器CrackMe1的pid为4020=0xFB4<br>程序在调用完GetCurrentProcessId后pid被放入EAX寄存器中值为0xFB4<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557129711/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/3.png" alt><br>然后调用Openprocess函数其参数processId为0xFB4返回进程CrackMe1的句柄<br>通过ntdll.dll中的LoadLibraryA和GetProcAddress函数找到NtQueryInformationProcess:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">PNTQUERYINFORMATIONPROCESS NtQueryInformationProcess = (PNTQUERYINFORMATIONPROCESS)GetProcAddress(GetModuleHandleA(&quot;ntdll&quot;),&quot;NtQueryInformationProcess&quot;);</span><br></pre></td></tr></table></figure></p>
2019-05-07 11:32:10 +00:00
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557131510/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/4.png" alt><br>用OpenProcess获得的句柄设置NtQueryInformationProcess的对应参数然后调用NtQueryInformationProcess从其返回值中可以获取到CrackMe1.exe的父进程PID=0xDB4=3508,在任务管理器中查看进程名确实是ollydbg<br>然后再次调用openprocess获得父进程的句柄<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557132091/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/5.png" alt><br>最后调用GetModuleFileNameExA通过OpenProcess返回的句柄获取父进程的文件名<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133154/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/6.png" alt><br>至此成功获取到父进程的文件名接下来将进行父进程文件名与“c:\windows\explore.exe”的字符串比较。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133828/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/7.png" alt><br>EDX中保存explorer字符串ESI中保存ollydbg字符串<br>然后进入循环逐位比较比较流程是首先取esi中第一个字符到eax将EAX的值减去41然后存入exc中并与19比较大小判断是否大写若是则eax加上20转化为小写转化为小写之后对edx中的字符做同样操作然后test eax eax判断是否比较完毕若没有则逐个比较直到遇到不相等的字符。</p>
<h2 id="其他检测"><a href="#其他检测" class="headerlink" title="其他检测"></a>其他检测</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227067/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/8.png" alt><br>用EnumWindows枚举所有屏幕上的顶层窗口并将窗口句柄传送给应用程序定义的回调函数此处的回调函数调用了GetWindowTextA将指定窗口的标题栏如果有的话的文字拷贝到缓冲区内<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227506/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/9.png" alt><br>将得到的窗口标题与”ollydbg”等进行比较看是否为调试器。</p>
2019-04-15 07:42:42 +00:00
<hr>
2019-05-07 11:32:10 +00:00
<h1 id="实验三:加花加密反调试技术分析"><a href="#实验三:加花加密反调试技术分析" class="headerlink" title="实验三:加花加密反调试技术分析"></a>实验三:加花加密反调试技术分析</h1><h2 id="对象-2"><a href="#对象-2" class="headerlink" title="对象"></a>对象</h2><p><a href="https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553779413/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/CrackMe2.exe1" target="_blank" rel="noopener">CrackMe2.exe</a> 9.00 KB<br>保护措施:部分加花、部分加密、简单反调试<br>根据<a href="https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553779403/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/Crackme2%E6%8F%90%E7%A4%BA.docx" target="_blank" rel="noopener">提示</a></p>
2019-04-15 07:42:42 +00:00
<h2 id="内容"><a href="#内容" class="headerlink" title="内容"></a>内容</h2><ol>
<li>加壳脱壳深入理解</li>
<li>尝试手动脱壳</li>
<li>分析CrackMe2.exe中花指令</li>
<li>分析CrackMe2.exe中的被加密的函数的功能</li>
<li>分析CrackMe2.exe中的反调试手段</li>
<li>分析CrackMe2.exe中混合的64位代码的功能</li>
</ol>
</div>
<div>
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
<div>您的支持将鼓励我继续创作!</div>
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
<span>打赏</span>
</button>
<div id="QR" style="display: none;">
<div id="wechat" style="display: inline-block">
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
<p>微信支付</p>
</div>
<div id="alipay" style="display: inline-block">
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
<p>支付宝</p>
</div>
</div>
</div>
</div>
2021-04-10 12:03:10 +00:00
<div>
<ul class="post-copyright">
<li class="post-copyright-author">
<strong>本文作者:</strong>
Cool-Y
</li>
<li class="post-copyright-link">
<strong>本文链接:</strong>
<a href="https://cool-y.github.io/2019/03/28/逆向工程实验/" title="逆向工程与软件破解">https://cool-y.github.io/2019/03/28/逆向工程实验/</a>
</li>
<li class="post-copyright-license">
<strong>版权声明: </strong>
本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/3.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 3.0</a> 许可协议。转载请注明出处!
</li>
</ul>
</div>
2019-04-15 07:42:42 +00:00
<footer class="post-footer">
<div class="post-tags">
<a href="/tags/逆向/" rel="tag"># 逆向</a>
<a href="/tags/破解/" rel="tag"># 破解</a>
</div>
2021-04-10 19:19:48 +00:00
<div class="post-widgets">
<div id="needsharebutton-postbottom">
<span class="btn">
<i class="fa fa-share-alt" aria-hidden="true"></i>
</span>
</div>
</div>
2019-04-15 07:42:42 +00:00
<div class="post-nav">
<div class="post-nav-next post-nav-item">
2019-07-27 06:42:04 +00:00
<a href="/2019/03/25/Samba-CVE/" rel="next" title="某厂商路由器与Samba漏洞CVE-2017-7494">
<i class="fa fa-chevron-left"></i> 某厂商路由器与Samba漏洞CVE-2017-7494
2019-04-15 07:42:42 +00:00
</a>
</div>
<span class="post-nav-divider"></span>
<div class="post-nav-prev post-nav-item">
2019-04-15 08:02:11 +00:00
<a href="/2019/04/15/Caving-db-storage/" rel="prev" title="复原数据库存储以检测和跟踪安全漏洞">
复原数据库存储以检测和跟踪安全漏洞 <i class="fa fa-chevron-right"></i>
2019-04-15 07:58:23 +00:00
</a>
2019-04-15 07:42:42 +00:00
</div>
</div>
</footer>
</div>
</article>
<div class="post-spread">
</div>
</div>
</div>
2021-04-10 12:37:40 +00:00
<div class="comments" id="comments">
<div id="gitalk-container"></div>
</div>
2019-04-15 07:42:42 +00:00
</div>
<div class="sidebar-toggle">
<div class="sidebar-toggle-line-wrap">
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
</div>
</div>
<aside id="sidebar" class="sidebar">
<div class="sidebar-inner">
<ul class="sidebar-nav motion-element">
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
文章目录
</li>
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
站点概览
</li>
</ul>
<section class="site-overview-wrap sidebar-panel">
<div class="site-overview">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
<p class="site-author-name" itemprop="name">Cool-Y</p>
2021-04-10 13:26:15 +00:00
<p class="site-description motion-element" itemprop="description">Sauce is forever</p>
2019-04-15 07:42:42 +00:00
</div>
<nav class="site-state motion-element">
<div class="site-state-item site-state-posts">
<a href="/archives/">
2021-04-10 10:53:27 +00:00
<span class="site-state-item-count">30</span>
2019-04-15 07:42:42 +00:00
<span class="site-state-item-name">日志</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/index.html">
2019-10-15 11:24:26 +00:00
<span class="site-state-item-count">7</span>
2019-04-15 07:42:42 +00:00
<span class="site-state-item-name">分类</span>
</a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/index.html">
2021-04-10 10:53:27 +00:00
<span class="site-state-item-count">55</span>
2019-04-15 07:42:42 +00:00
<span class="site-state-item-name">标签</span>
</a>
</div>
</nav>
<div class="links-of-author motion-element">
<span class="links-of-author-item">
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
<i class="fa fa-fw fa-github"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
</span>
<span class="links-of-author-item">
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
</span>
</div>
2019-10-01 12:45:37 +00:00
<div id="music163player">
2021-04-10 12:03:10 +00:00
<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="110" src="//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90"></iframe>
2019-10-01 12:45:37 +00:00
</div>
2019-04-15 07:42:42 +00:00
</div>
</section>
<!--noindex-->
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
<div class="post-toc">
2019-07-01 11:52:45 +00:00
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#软件保护方式"><span class="nav-text">软件保护方式</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#"><span class="nav-text"></span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#分析工具"><span class="nav-text">分析工具</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#对抗分析技术"><span class="nav-text">对抗分析技术</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#PE文件格式基础"><span class="nav-text">PE文件格式基础</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#加壳脱壳"><span class="nav-text">加壳脱壳</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#反调试技术"><span class="nav-text">反调试技术</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#探测windows调试器"><span class="nav-text">探测windows调试器</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#识别调试器的行为"><span class="nav-text">识别调试器的行为</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#干扰调试器的功能"><span class="nav-text">干扰调试器的功能</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#调试器漏洞"><span class="nav-text">调试器漏洞</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#实验一:软件破解"><span class="nav-text">实验一:软件破解</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#对象"><span class="nav-text">对象</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#爆破"><span class="nav-text">爆破</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#查找显示注册结果相关代码"><span class="nav-text">查找显示注册结果相关代码</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#查找注册码验证相关代码"><span class="nav-text">查找注册码验证相关代码</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#修改程序跳转"><span class="nav-text">修改程序跳转</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#编写注册机"><span class="nav-text">编写注册机</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#查找显示注册结果相关代码-1"><span class="nav-text">查找显示注册结果相关代码</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#查找注册码验证相关代码-1"><span class="nav-text">查找注册码验证相关代码</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#根据注册码验证代码编写注册机"><span class="nav-text">根据注册码验证代码编写注册机</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#-1"><span class="nav-text"></span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#实验二:软件反动态调试技术分析"><span class="nav-text">实验二:软件反动态调试技术分析</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#对象-1"><span class="nav-text">对象</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#要求"><span class="nav-text">要求</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#父进程检测"><span class="nav-text">父进程检测</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#其他检测"><span class="nav-text">其他检测</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#实验三:加花加密反调试技术分析"><span
2019-04-15 07:42:42 +00:00
</div>
</section>
<!--/noindex-->
</div>
</aside>
</div>
</main>
<footer id="footer" class="footer">
<div class="footer-inner">
2021-01-08 04:26:24 +00:00
<div class="copyright">&copy; 2019 &mdash; <span itemprop="copyrightYear">2021</span>
2019-04-15 07:42:42 +00:00
<span class="with-love">
<i class="fa fa-user"></i>
</span>
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-area-chart"></i>
</span>
2021-04-10 13:53:56 +00:00
<span title="Site words total count">104.8k</span>
2019-04-15 07:42:42 +00:00
</div>
<div class="powered-by"><a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
<div class="busuanzi-count">
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<span class="site-uv">
<i class="fa fa-user"></i>
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
</span>
<span class="site-pv">
<i class="fa fa-eye"></i>
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
</span>
</div>
</div>
</footer>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
2021-04-10 19:19:48 +00:00
<span id="scrollpercent"><span>0</span>%</span>
2019-04-15 07:42:42 +00:00
</div>
2021-04-10 19:19:48 +00:00
<div id="needsharebutton-float">
<span class="btn">
<i class="fa fa-share-alt" aria-hidden="true"></i>
</span>
</div>
2019-04-15 07:42:42 +00:00
</div>
<script type="text/javascript">
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
</script>
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
2021-04-10 12:37:40 +00:00
2021-04-10 12:40:26 +00:00
<!-- LOCAL: You can save these files to your site and update links -->
<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>
<!-- END LOCAL -->
<script type="text/javascript">
function renderGitalk(){
var gitalk = new Gitalk({
owner: 'Cool-Y',
repo: 'gitment-comments',
clientID: '180955a2c3ae3d966d9a',
clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
admin: 'Cool-Y',
2021-04-10 12:47:46 +00:00
id: decodeURI(location.pathname),
2021-04-10 12:40:26 +00:00
distractionFreeMode: 'true'
});
gitalk.render('gitalk-container');
}
renderGitalk();
</script>
2019-04-15 07:42:42 +00:00
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
<script>
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length; i++) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length; i++) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
</script>
<script>
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
</script>
2021-04-10 19:19:48 +00:00
<link rel="stylesheet" href="/lib/needsharebutton/needsharebutton.css">
2019-04-15 07:42:42 +00:00
2021-04-10 19:19:48 +00:00
<script src="/lib/needsharebutton/needsharebutton.js"></script>
<script>
pbOptions = {};
pbOptions.iconStyle = "box";
pbOptions.boxForm = "horizontal";
pbOptions.position = "bottomCenter";
pbOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-postbottom', pbOptions);
flOptions = {};
flOptions.iconStyle = "box";
flOptions.boxForm = "horizontal";
flOptions.position = "middleRight";
flOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-float', flOptions);
</script>
2019-04-15 07:42:42 +00:00
2021-04-10 19:19:48 +00:00
<script type="text/javascript" src="/js/src/js.cookie.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/scroll-cookie.js?v=5.1.4"></script>
2019-04-15 07:42:42 +00:00
</body>
</html>