<!DOCTYPE html>
< html class = "theme-next muse use-motion" lang = "zh-Hans" >
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
< script src = "/lib/pace/pace.min.js?v=1.0.2" > < / script >
< link href = "/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel = "stylesheet" >
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
< meta name = "keywords" content = "逆向,破解," >
< link rel = "alternate" href = "/atom.xml" title = "混元霹雳手" type = "application/atom+xml" >
< meta name = "description" content = "一些逆向的小实验" >
< meta name = "keywords" content = "逆向,破解" >
< meta property = "og:type" content = "article" >
< meta property = "og:title" content = "逆向工程与软件破解" >
< meta property = "og:url" content = "https://cool-y.github.io/2019/03/28/逆向工程实验/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
< meta property = "og:description" content = "一些逆向的小实验" >
< meta property = "og:locale" content = "zh-Hans" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553772615/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B71.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553858953/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B77.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937461/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B79.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937531/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B711.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128745/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/1.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128848/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/2.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557129711/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/3.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557131510/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/4.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557132091/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/5.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133154/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/6.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133828/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/7.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227067/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/8.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227506/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/9.png" >
< meta property = "og:updated_time" content = "2021-04-10T13:34:37.251Z" >
< meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "逆向工程与软件破解" >
< meta name = "twitter:description" content = "一些逆向的小实验" >
< meta name = "twitter:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png" >
< script type = "text/javascript" id = "hexo.configurations" >
// Reuse an existing NexT namespace if another script on the page created one first.
var NexT = window.NexT || {};
// Runtime settings for the NexT theme (version 5.1.4), read by its client-side scripts.
// This object is embedded in the page source, so every value here is visible to all visitors.
var CONFIG = {
root: '/',
scheme: 'Muse',
version: '5.1.4',
// Sidebar layout options, emitted as a JSON literal by Hexo from the theme config.
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
fancybox: true,
tabs: true,
// Entry animations for the post block, header, body, collapsible headers and sidebar.
// NOTE(review): async:false presumably runs the transitions one after another — confirm against NexT's motion script.
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
// Settings for the Duoshuo comment widget (as the key name suggests); userId '0' looks like a placeholder — confirm.
duoshuo: {
userId: '0',
author: '博主'
},
// Algolia search settings. All three credentials are empty strings, so search is presumably not configured on this site.
// NOTE(review): whatever is placed in apiKey is served to every visitor; only a search-only (read) key ever belongs here.
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
// ${query}, ${hits} and ${time} look like placeholders substituted by the theme's search script — confirm.
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2019/03/28/逆向工程实验/" >
< title > 逆向工程与软件破解 | 混元霹雳手< / title >
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
< p class = "site-subtitle" > Battle⚔️ 2 the world🌎< / p >
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
< li class = "menu-item menu-item-album" >
< a href = "/album/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-heartbeat" > < / i > < br >
相簿
< / a >
< / li >
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/03/28/逆向工程实验/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" > 逆向工程与软件破解< / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-03-28T15:25:04+08:00" >
2019-03-28
< / time >
< / span >
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/二进制/" itemprop = "url" rel = "index" >
< span itemprop = "name" > 二进制< / span >
< / a >
< / span >
< / span >
< span id = "/2019/03/28/逆向工程实验/" class = "leancloud_visitors" data-flag-title = "逆向工程与软件破解" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
3.1k 字
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
11 分钟
< / span >
< / div >
< div class = "post-description" >
一些逆向的小实验
< / div >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h1 id = "软件保护方式" > < a href = "#软件保护方式" class = "headerlink" title = "软件保护方式" > < / a > 软件保护方式< / h1 > < ol >
< li > 功能限制< / li >
< li > 时间限制< / li >
< / ol >
< ul >
< li > 运行时长限制< / li >
< li > 使用日期限制< / li >
< li > 使用次数限制< / li >
< / ul >
< ol start = "3" >
< li > 警告窗口< / li >
< / ol >
< h2 id > < a href = "#" class = "headerlink" title > < / a > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png" alt > < / h2 > < h1 id = "分析工具" > < a href = "#分析工具" class = "headerlink" title = "分析工具" > < / a > 分析工具< / h1 > < ol >
< li > 静态分析工具< / li >
< / ol >
< ul >
< li > IDA< / li >
< li > W32Dasm< / li >
< li > lordPE< / li >
< li > Resource Hacker< / li >
< / ul >
< ol start = "2" >
< li > 动态分析工具< / li >
< / ol >
< ul >
< li > OllyDbg< / li >
< li > WinDbg< / li >
< / ul >
< hr >
< h1 id = "对抗分析技术" > < a href = "#对抗分析技术" class = "headerlink" title = "对抗分析技术" > < / a > 对抗分析技术< / h1 > < ol >
< li > 反静态分析技术< / li >
< / ol >
< ul >
< li > 花指令< / li >
< li > 自修改代码技术< / li >
< li > 多态技术< / li >
< li > 变形技术< / li >
< li > 虚拟机保护技术< / li >
< / ul >
< ol start = "2" >
< li > 反动态分析技术< / li >
< / ol >
< ul >
< li > 检测调试状态< / li >
< li > 检测用户态调试器< / li >
< li > 检测内核态调试器< / li >
< li > 其他方法: 父进程检测; StartupInfo 结构; 时间差; 通过Trap Flag检测< / li >
< / ul >
< ol start = "3" >
< li > 发现调试器后的处理< / li >
< / ol >
< ul >
< li > 程序自身退出< / li >
< li > 向调试器窗口发送消息使调试器退出< / li >
< li > 使调试器窗口不可用< / li >
< li > 终止调试器进程< / li >
< / ul >
< hr >
< h1 id = "PE文件格式基础" > < a href = "#PE文件格式基础" class = "headerlink" title = "PE文件格式基础" > < / a > PE文件格式基础< / h1 > < hr >
< h1 id = "加壳脱壳" > < a href = "#加壳脱壳" class = "headerlink" title = "加壳脱壳" > < / a > 加壳脱壳< / h1 > < hr >
< h1 id = "反调试技术" > < a href = "#反调试技术" class = "headerlink" title = "反调试技术" > < / a > 反调试技术< / h1 > < p > 反调试技术,程序用它来识别是否被调试,或者让调试器失效。为了阻止调试器的分析,当程序意识到自己被调试时,它们可能改变正常的执行路径或者修改自身程序让自己崩溃,从而增加调试时间和复杂度。< / p >
< h2 id = "探测windows调试器" > < a href = "#探测windows调试器" class = "headerlink" title = "探测windows调试器" > < / a > 探测windows调试器< / h2 > < ol >
< li > 使用Windows API< br > 使用Windows API函数探测调试器是否存在是最简单的反调试技术。< br > 通常, 防止使用API进行反调试的方法有在程序运行期间修改恶意代码, 使其不能调用API函数, 或修改返回值, 确保执行合适的路径, 还有挂钩这些函数。< br > 常用来探测调试器的API函数有: < code > IsDebuggerPresent< / code > < code > CheckRemoteDebuggerPresent< / code > < code > NtQueryInformationProcess< / code > < code > OutputDebugString< / code > < / li >
< li > 手动检测数据结构< br > 程序编写者经常手动执行与这些API功能相同的操作< / li >
< / ol >
< ul >
< li > 检查BeingDebugged属性< / li >
< li > 检测ProcessHeap属性< / li >
< li > 检测NTGlobalFlag< / li >
< / ul >
< ol start = "3" >
< li > 系统痕迹检测< br > 通常, 我们使用调试工具来分析程序, 但这些工具会在系统中驻留一些痕迹。程序通过搜索这种系统的痕迹, 来确定你是否试图分析它。例如, 查找调试器引用的注册表项。同时, 程序也可以查找系统的文件和目录, 查找当前内存的痕迹, 或者查看当前进程列表, 更普遍的做法是通过FindWindows来查找调试器。< / li >
< / ol >
< h2 id = "识别调试器的行为" > < a href = "#识别调试器的行为" class = "headerlink" title = "识别调试器的行为" > < / a > 识别调试器的行为< / h2 > < p > 在逆向工程中, 可以使用断点或单步调试来帮助分析, 但执行这些操作时, 会修改进程中的代码。因此可以使用几种反调试技术探测INT扫描、完整性校验以及时钟检测等几种类型的调试器行为。< / p >
< ol >
< li > INT扫描< br > 调试器设置断点的基本机制是用软件中断INT 3, 机器码为0xCC, 临时替换程序中的一条指令。因此可以通过扫描INT 3修改来检测。< / li >
< li > 执行代码校验和检查< br > 与INT扫描目的相同, 但仅执行机器码的CRC或MD5校验和检查。< / li >
< li > 时钟检测< br > 被调试时,进程的运行速度大大降低,常用指令有:< code > rdtsc< / code > < code > QueryPerformanceCounter< / code > < code > GetTickCount< / code > ,有如下两种方式探测时钟:< / li >
< / ol >
< ul >
< li > 记录执行一段操作前后的时间戳< / li >
< li > 记录触发一个异常前后的时间戳< h2 id = "干扰调试器的功能" > < a href = "#干扰调试器的功能" class = "headerlink" title = "干扰调试器的功能" > < / a > 干扰调试器的功能< / h2 > 线程本地存储(TLS)回调: TLS回调被用来在程序入口点执行之前运行代码, 这发生在程序刚被加载到调试器时< br > 使用异常: 使用SEH链可以实现异常, 程序可以使用异常来破坏或探测调试器, 调试器捕获异常后, 并不会将处理权立即返回给被调试进程。< br > 插入中断: 插入INT 3、INT 2D、ICE< h2 id = "调试器漏洞" > < a href = "#调试器漏洞" class = "headerlink" title = "调试器漏洞" > < / a > 调试器漏洞< / h2 > PE头漏洞、OutputDebugString漏洞< / li >
< / ul >
< hr >
< h1 id = "实验一:软件破解" > < a href = "#实验一:软件破解" class = "headerlink" title = "实验一:软件破解" > < / a > 实验一:软件破解< / h1 > < h2 id = "对象" > < a href = "#对象" class = "headerlink" title = "对象" > < / a > 对象< / h2 > < p > < a href = "https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553761280/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/crack.exe1" target = "_blank" rel = "noopener" > crack.exe< / a > , 28.0 KB< / p >
< ul >
< li > 无保护措施:无壳、未加密、无反调试措施< / li >
< li > 用户名至少要5个字节< / li >
< li > 输入错误验证码时输出: “Bad Boy!”< / li >
< / ul >
< h2 id = "爆破" > < a href = "#爆破" class = "headerlink" title = "爆破" > < / a > 爆破< / h2 > < h3 id = "查找显示注册结果相关代码" > < a href = "#查找显示注册结果相关代码" class = "headerlink" title = "查找显示注册结果相关代码" > < / a > 查找显示注册结果相关代码< / h3 > < p > 当输入错误验证码时, 程序会输出“Bad Boy”, 因此我们将程序拖入IDA, 以流程图显示函数内部的跳转。查找“Bad Boy”字符串, 我们可以定位到显示注册结果的相关代码: < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553772615/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B71.png" alt > < / p >
< h3 id = "查找注册码验证相关代码" > < a href = "#查找注册码验证相关代码" class = "headerlink" title = "查找注册码验证相关代码" > < / a > 查找注册码验证相关代码< / h3 > < p > 用鼠标选中程序分支点,按空格切换回汇编指令界面< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png" alt > < / p >
< p > 可以看到, 这条指令位于PE文件的.text节, 并且IDA已经自动将地址转换为运行时的内存地址< code > VA:004010F9< / code > < / p >
< h3 id = "修改程序跳转" > < a href = "#修改程序跳转" class = "headerlink" title = "修改程序跳转" > < / a > 修改程序跳转< / h3 > < ul >
< li > 现在关闭IDA, 换用OllyDbg进行动态调试来看看程序是如何分支跳转的。按< code > Ctrl+G< / code > 直接跳到由IDA得到的< code > VA:004010F9< / code > 处查看那条引起程序分支的关键指令< / li >
< li > 选中这条指令, 按F2设置断点, 再按F9运行程序, 这时候控制权会回到程序, OllyDbg暂时挂起。到程序提示输入名字和序列号, 随意输入( 名字大于五个字节) , 点击ok后, OllyDbg会重新中断程序, 收回控制权, 如图: < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png" alt > < / li >
< li > < p > 验证函数的返回值存于EAX寄存器中, if语句通过以下两条指令执行< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > cmp eax,ecx< / span > < br > < span class = "line" > jnz xxxxxxx< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< / li >
< li > < p > 也就是说, 当序列号输入错误时, EAX中的值为0, 跳转将被执行。< br > 如果我们把< code > jnz< / code > 这条指令修改为< code > jz< / code > ,那么整个程序的逻辑就会反过来。< br > 双击< code > jnz< / code > 这条指令,将其改为< code > jz< / code > ,单击“汇编”将其写入内存< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png" alt > < br > 可以看到此时程序执行了相反的路径< / p >
< / li >
< li > < p > 上面只是在内存中修改程序, 我们还需要在二进制文件中也修改相应的字节, 这里考察VA与文件地址之间的关系< / p >
< / li >
< li > 用LordPE打开.exe文件, 查看PE文件的节信息< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png" alt > < br > 根据VA与文件地址的换算公式: < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 文件偏移地址 = VA - Image Base - 节偏移< / span > < br > < span class = "line" > = 0x004010F9 - 0x00400000 - 0< / span > < br > < span class = "line" > = 0x10F9< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< / li >
< / ul >
< p > 也就是说, 这条指令在PE文件中位于< code > 10F9< / code > 字节处, 使用010 Editor打开crack.exe, 将这一字节的< code > 75(JNZ)< / code > 改为< code > 74(JZ)< / code > ,保存后重新执行,破解成功!< / p >
< h2 id = "编写注册机" > < a href = "#编写注册机" class = "headerlink" title = "编写注册机" > < / a > 编写注册机< / h2 > < h3 id = "查找显示注册结果相关代码-1" > < a href = "#查找显示注册结果相关代码-1" class = "headerlink" title = "查找显示注册结果相关代码" > < / a > 查找显示注册结果相关代码< / h3 > < p > 通过查找字符串“good boy”等, 我们可以找到显示注册结果的相关代码< / p >
< h3 id = "查找注册码验证相关代码-1" > < a href = "#查找注册码验证相关代码-1" class = "headerlink" title = "查找注册码验证相关代码" > < / a > 查找注册码验证相关代码< / h3 > < p > 因为检测密钥是否正确时会将结果返回到EAX寄存器中, 因此, 在检测密钥前必然会对EAX寄存器清空, 由此我们可以找到注册码验证的相关代码。< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553858953/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B77.png" alt > < / p >
< h3 id = "根据注册码验证代码编写注册机" > < a href = "#根据注册码验证代码编写注册机" class = "headerlink" title = "根据注册码验证代码编写注册机" > < / a > 根据注册码验证代码编写注册机< / h3 > < p > 分析上图算法, 按tab键转换为高级语言< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > for ( i = 0; i < v6; v12 = v10 )< / span > < br > < span class = "line" > v10 = (v6 + v12) * lpStringa[i++];< / span > < br > < span class = "line" > if ( (v12 ^ 0xA9F9FA) == atoi(v15) )< / span > < br > < span class = "line" > MessageBoxA(hDlg, aTerimaKasihKer, aGoodBoy, 0);< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 可以看出, 生成注册码主要在for循环中完成, 之后将生成的注册码与输入相比较, 判断是否正确。< br > 所以,只要能弄明白< code > v6, v12, v10, v15< / code > 的含义,我们就可以轻松的编写注册机。< br > 打开ollybdg, 在进入循环之前设下断点, 动态调试程序< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 004010CC |> /8B4D 10 |mov ecx,[arg.3] //此时ecx为name< / span > < br > < span class = "line" > 004010CF |. 8B55 0C |mov edx,[arg.2] //edx为0x1908< / span > < br > < span class = "line" > 004010D2 |. 03D3 |add edx,ebx //edx加上name的长度( ebx) < / span > < br > < span class = "line" > 004010D4 |. 0FBE0C08 |movsx ecx,byte ptr ds:[eax+ecx] //ecx=61h< / span > < br > < span class = "line" > 004010D8 |. 0FAFCA |imul ecx,edx //61h(a) * edx< / span > < br > < span class = "line" > 004010DB |. 40 |inc eax //eax加1( 初始为0) < / span > < br > < span class = "line" > 004010DC |. 894D 0C |mov [arg.2],ecx< / span > < br > < span class = "line" > 004010DF |. 3BC3 |cmp eax,ebx //循环是否结束< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > < code > arg.3< / code > 为输入的< code > name< / code > , < code > arg.2< / code > 初始为< code > 0x1908< / code > , < code > ebx< / code > 为< code > name< / code > 的长度,< code > eax< / code > 每次循环加1直到等于长度< br > 因此,我们可以对参数的含义进行解释如下< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > v12 = 6408; //0x1908< / span > < br > < span class = "line" > v10 = 6408; //0x1908< / span > < br > < span class = "line" > v6 = len(name);< / span > < br > < span class = "line" > v12 = input_serial;< / span > < br > < span class = "line" > for ( i = 0; i < v6; i++ ){ < / span > < br > < span class = "line" > v12 = v10; < / span > < br > < span class = "line" > v10 = (v6 + v12) * lpStringa[i];< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > if ((v12 ^ 0xA9F9FA) == atoi(v15)){ < / span > < br > < span class = "line" > MessageBoxA(hDlg, aTerimaKasihKer, aGoodBoy, 0);< / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 可见,< code > v12^0xA9F9FA< / code > 的结果即是正确的注册码,我们编写一个< a href = "https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553937750/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/reg.cpp" target = "_blank" rel = "noopener" > 简单的程序< / a > 帮助我们生成注册码:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > #include < iostream> < / span > < br > < span class = "line" > #include< stdio.h> < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > using namespace::std;< / span > < br > < span class = "line" > int main(){ < / span > < br > < span class = "line" > int v12;< / span > < br > < span class = "line" > int v10 = 6408; //0x1908< / span > < br > < span class = "line" > string name;< / span > < br > < span class = "line" > cout < < " 请输入name: " ;< / span > < br > < span class = "line" > cin > > name;< / span > < br > < span class = "line" > int len = name.size();< / span > < br > < span class = "line" > for(int i = 0; i < len+1; i++ ){ < / span > < br > < span class = "line" > v12 = v10;< / span > < br > < span class = "line" > v10 = (len + v12) * name[i];< / span > < br > < 
span class = "line" > } < / span > < br > < span class = "line" > cout< < " \n" < < " 注册码为: " < < (v12 ^ 0xA9F9FA)< < endl;< / span > < br > < span class = "line" > return 0;< / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 计算出”testname”的对应注册码< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937461/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B79.png" alt > < br > 注册成功!< / p >
< h2 id = "-1" > < a href = "#-1" class = "headerlink" title > < / a > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1553937531/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B711.png" alt > < / h2 > < h1 id = "实验二:软件反动态调试技术分析" > < a href = "#实验二:软件反动态调试技术分析" class = "headerlink" title = "实验二:软件反动态调试技术分析" > < / a > 实验二:软件反动态调试技术分析< / h1 > < h2 id = "对象-1" > < a href = "#对象-1" class = "headerlink" title = "对象" > < / a > 对象< / h2 > < p > < a href = "https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553779243/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/CrackMe1.exe1" target = "_blank" rel = "noopener" > CrackMe1.exe< / a > 1641.0 KB< br > 无保护措施:无壳、未加密、无反调试措施< br > 使用OllyDbg对该程序进行调试时, 程序会自动退出< / p >
< h2 id = "要求" > < a href = "#要求" class = "headerlink" title = "要求" > < / a > 要求< / h2 > < ol >
< li > 分析CrackMe1.exe是如何通过父进程检测实现反OllyDbg调试的< / li >
< li > 分析除父进程检测外,该程序用到的反动态调试技术< / li >
< / ol >
< h2 id = "父进程检测" > < a href = "#父进程检测" class = "headerlink" title = "父进程检测" > < / a > 父进程检测< / h2 > < p > 一般双击运行的进程的父进程都是explorer.exe, 但是如果进程被调试父进程则是调试器进程。也就是说如果父进程不是explorer.exe则可以认为程序正在被调试。< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / 
span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > BOOL IsInDebugger(){ < / span > < br > < span class = "line" > HANDLE hProcessSnap = NULL;< / span > < br > < span class = "line" > char Expchar[] =" \\EXPLORER.EXE" ;< / span > < br > < span class = "line" > char szBuffer[MAX_PATH]={ 0} ;< / span > < br > < span class = "line" > char FileName[MAX_PATH]={ 0} ;< / span > < br > < span class = "line" > PROCESSENTRY32 pe32 = { 0} ;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //得到所有进程的列表快照< / span > < br > < span class = "line" > if (hProcessSnap == INVALID_HANDLE_VALUE)< / span > < br > < span class = "line" > return FALSE; < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > pe32.dwSize = sizeof(PROCESSENTRY32);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if (!Process32First(hProcessSnap, & pe32)) // 查找进程< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > CloseHandle (hProcessSnap);< / span > < br > < span class = "line" > return FALSE;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > do // 遍历所有进程< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > if(pe32.th32ProcessID==GetCurrentProcessId() )//判断是否是自己的进程?< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ParentProcessID); //打开父进程< / span > < br > < span class = "line" > if (hProcess)< / span > < br > < span 
class = "line" > { < / span > < br > < span class = "line" > if (GetModuleFileNameEx(hProcess, NULL, FileName, MAX_PATH) ) // 得到父进程名< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > GetWindowsDirectory(szBuffer,MAX_PATH); //得到系统所在目录< / span > < br > < span class = "line" > strcat(szBuffer,Expchar); //组合成类似的字串D:\Winnt\Explorer.EXE< / span > < br > < span class = "line" > if(strcmpi (FileName,szBuffer)) // 比较当前是否为Explorer.EXE进程< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > return TRUE; // 父进程若不是Explorer.EXE, 则是调试器< / span > < br > < span class = "line" >
< p > 由上述示例代码, 我们可以看到父进程检测中调用了GetCurrentProcessId函数来判断。< br > 因此在Ollydbg中首先找到GetCurrentProcessId函数( Ctrl+N) , 然后设置断点< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128745/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/1.png" alt > < br > 查看断点是否设置成功< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557128848/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/2.png" alt > < br > 运行该程序,在断点00401932停下, 打开任务管理器, CrackMe1的pid为4020=0xFB4< br > 程序在调用完GetCurrentProcessId后, pid被放入EAX寄存器中, 值为0xFB4< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557129711/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/3.png" alt > < br > 然后调用OpenProcess函数, 其参数processId为0xFB4, 返回进程( CrackMe1) 的句柄< br > 通过LoadLibraryA和GetProcAddress函数在ntdll.dll中找到NtQueryInformationProcess:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > PNTQUERYINFORMATIONPROCESS NtQueryInformationProcess = (PNTQUERYINFORMATIONPROCESS)GetProcAddress(GetModuleHandleA(" ntdll" )," NtQueryInformationProcess" );< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557131510/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/4.png" alt > < br > 用OpenProcess获得的句柄设置NtQueryInformationProcess的对应参数, 然后调用NtQueryInformationProcess, 从其返回值中可以获取到CrackMe1.exe的父进程PID=0xDB4=3508,在任务管理器中查看进程名确实是ollydbg< br > 然后再次调用OpenProcess获得父进程的句柄< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557132091/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/5.png" alt > < br > 最后, 调用GetModuleFileNameExA通过OpenProcess返回的句柄获取父进程的文件名: < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133154/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/6.png" alt > < br > 至此, 成功获取到父进程的文件名, 接下来将进行父进程文件名与“c:\windows\explorer.exe”的字符串比较。< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557133828/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/7.png" alt > < br > EDX中保存explorer字符串, ESI中保存ollydbg字符串< br > 然后进入循环逐位比较, 比较流程是, 首先取esi中第一个字符到eax, 将EAX的值减去41然后存入ecx中, 并与19比较大小, 判断是否大写, 若是则eax加上20转化为小写; 转化为小写之后, 对edx中的字符做同样操作, 然后test eax, eax判断是否比较完毕, 若没有则逐个比较, 直到遇到不相等的字符。< / p >
< h2 id = "其他检测" > < a href = "#其他检测" class = "headerlink" title = "其他检测" > < / a > 其他检测< / h2 > < p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227067/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/8.png" alt > < br > 用EnumWindows枚举所有屏幕上的顶层窗口, 并将窗口句柄传送给应用程序定义的回调函数, 此处的回调函数调用了GetWindowTextA将指定窗口的标题栏( 如果有的话) 的文字拷贝到缓冲区内< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1557227506/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/9.png" alt > < br > 将得到的窗口标题与“ollydbg”等进行比较, 看是否为调试器。< / p >
< hr >
< h1 id = "实验三:加花加密反调试技术分析" > < a href = "#实验三:加花加密反调试技术分析" class = "headerlink" title = "实验三:加花加密反调试技术分析" > < / a > 实验三:加花加密反调试技术分析< / h1 > < h2 id = "对象-2" > < a href = "#对象-2" class = "headerlink" title = "对象" > < / a > 对象< / h2 > < p > < a href = "https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553779413/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/CrackMe2.exe1" target = "_blank" rel = "noopener" > CrackMe2.exe< / a > 9.00 KB< br > 保护措施:部分加花、部分加密、简单反调试< br > 根据< a href = "https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553779403/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/Crackme2%E6%8F%90%E7%A4%BA.docx" target = "_blank" rel = "noopener" > 提示< / a > < / p >
< h2 id = "内容" > < a href = "#内容" class = "headerlink" title = "内容" > < / a > 内容< / h2 > < ol >
< li > 加壳脱壳深入理解< / li >
< li > 尝试手动脱壳< / li >
< li > 分析CrackMe2.exe中花指令< / li >
< li > 分析CrackMe2.exe中的被加密的函数的功能< / li >
< li > 分析CrackMe2.exe中的反调试手段< / li >
< li > 分析CrackMe2.exe中混合的64位代码的功能< / li >
< / ol >
< / div >
< div >
< ul class = "post-copyright" >
< li class = "post-copyright-author" >
< strong > 本文作者:< / strong >
Cool-Y
< / li >
< li class = "post-copyright-link" >
< strong > 本文链接:< / strong >
< a href = "https://cool-y.github.io/2019/03/28/逆向工程实验/" title = "逆向工程与软件破解" > https://cool-y.github.io/2019/03/28/逆向工程实验/< / a >
< / li >
< li class = "post-copyright-license" >
< strong > 版权声明: < / strong >
本博客所有文章除特别声明外,均采用 < a href = "https://creativecommons.org/licenses/by-nc-sa/3.0/" rel = "external nofollow" target = "_blank" > CC BY-NC-SA 3.0< / a > 许可协议。转载请注明出处!
< / li >
< / ul >
< / div >
< footer class = "post-footer" >
< div class = "post-tags" >
< a href = "/tags/逆向/" rel = "tag" > # 逆向< / a >
< a href = "/tags/破解/" rel = "tag" > # 破解< / a >
< / div >
< / footer >
< / div >
< / article >
< div class = "post-spread" >
< / div >
< / div >
< / div >
< div class = "comments" id = "comments" >
< div id = "gitalk-container" > < / div >
< / div >
< / div >
< / div >
< / main >
< / div >
< script type = "text/javascript" >
// Leave window.Promise in place only when it is a genuine Function; anything
// else (absent, or a non-callable shim) is replaced by null so the scripts
// loaded next see a clear "no Promise" signal instead of a partial object.
(function (promiseTag) {
  if (promiseTag !== '[object Function]') {
    window.Promise = null;
  }
})(Object.prototype.toString.call(window.Promise));
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
<!-- LOCAL: You can save these files to your site and update links -->
<!-- NOTE(review): both unpkg URLs are unversioned and carry no integrity
     attribute, so whatever unpkg serves as the current build runs with full
     access to this origin, including the Gitalk OAuth credentials configured
     in the script below. Pin a release in the URL and add integrity and
     crossorigin attributes, or self-host the files as the LOCAL note suggests. -->
< link rel = "stylesheet" href = "https://unpkg.com/gitalk/dist/gitalk.css" >
< script src = "https://unpkg.com/gitalk/dist/gitalk.min.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
// Mounts the Gitalk comment widget into #gitalk-container, keyed on this
// page's decoded path so each post maps to its own GitHub issue.
//
// NOTE(review): clientSecret is a GitHub OAuth app secret delivered to every
// visitor. Gitalk's browser-side token exchange needs it, so it must be treated
// as public: never reuse this OAuth app for anything else, and prefer Gitalk's
// proxy option (server-side token exchange) if the secret should stay private.
function renderGitalk() {
  var options = {
    owner: 'Cool-Y',
    repo: 'gitment-comments',
    clientID: '180955a2c3ae3d966d9a',
    clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
    admin: 'Cool-Y',
    // Decoded pathname is the per-page key Gitalk uses to look up / create the issue.
    id: decodeURI(location.pathname),
    // Kept as the string 'true' (truthy) exactly as the original configured it.
    distractionFreeMode: 'true'
  };
  new Gitalk(options).render('gitalk-container');
}
renderGitalk();
< / script >
<!-- NOTE(review): third-party SDK loaded from a CDN without an integrity
     attribute; a changed or compromised file would run with full page access.
     Add integrity/crossorigin for this pinned version or self-host it. -->
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
<!-- Initialises the LeanCloud client with the app id and app key. These are
     client-side credentials embedded in every page, so they are effectively
     public; what they can read or change is governed only by the class
     permissions and per-object ACLs set server-side and in addCount below. -->
< script > AV . initialize ( "CnxMogaLcXQrm9Q03lF8XH7j-gzGzoHsz" , "EHqNuJ6AYvuHnY6bN6w2SMXl" ) ; < / script >
< script >
// Displays stored visit counts on a listing page.
// For every ".leancloud_visitors" element, its id is used as the "url" key of a
// Counter record; each record's "time" is written into the element's
// ".leancloud-visitors-count" span, and elements with no record show 0.
// Counter: the AV.Object subclass created in the ready handler below.
// Query failures are only logged to the console.
function showTime(Counter) {
  var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
  var $visitors = $(".leancloud_visitors");
  var entries = $visitors.map(function () {
    return $(this).attr("id").trim();
  }).get();
  var query = new AV.Query(Counter);
  query.containedIn('url', entries);

  query.find()
    .done(function (results) {
      // No records at all: every counter reads 0.
      if (results.length === 0) {
        $visitors.find(COUNT_CONTAINER_REF).text(0);
        return;
      }
      // Fill in the counts that were found.
      for (var r = 0; r < results.length; r++) {
        var record = results[r];
        var target = document.getElementById(record.get('url'));
        $(target).find(COUNT_CONTAINER_REF).text(record.get('time'));
      }
      // Anything still blank had no record: show 0 rather than an empty span.
      for (var e = 0; e < entries.length; e++) {
        var countSpan = $(document.getElementById(entries[e])).find(COUNT_CONTAINER_REF);
        if (countSpan.text() == '') {
          countSpan.text(0);
        }
      }
    })
    .fail(function (object, error) {
      console.log("Error: " + error.code + " " + error.message);
    });
}
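// Records one visit for the single ".leancloud_visitors" element on the page:
// increments its Counter record, or creates the record with time=1 on the
// first visit, then writes the new "time" into the element's
// ".leancloud-visitors-count" span.
// Counter: the AV.Object subclass created in the ready handler below.
// Failures are reported to the console only; the page works without a count.
function addCount(Counter) {
  var $visitors = $(".leancloud_visitors");
  var url = $visitors.attr('id').trim();
  // data-flag-title may be absent; fall back to '' instead of calling trim() on undefined.
  var title = ($visitors.attr('data-flag-title') || '').trim();
  var query = new AV.Query(Counter);
  query.equalTo("url", url);
  query.find({
    success: function (results) {
      if (results.length > 0) {
        var counter = results[0];
        // NOTE(review): fetchWhenSave(true) presumably makes increment() apply as a
        // server-side delta rather than a client-side overwrite — confirm against the SDK.
        counter.fetchWhenSave(true);
        counter.increment("time");
        counter.save(null, {
          success: function (counter) {
            var $element = $(document.getElementById(url));
            $element.find('.leancloud-visitors-count').text(counter.get('time'));
          },
          error: function (counter, error) {
            console.log('Failed to save Visitor num, with error message: ' + error.message);
          }
        });
      } else {
        var newcounter = new Counter();
        /* Set ACL */
        // NOTE(review): public write means any client holding the (public) app key
        // can rewrite or delete this record, so the count is display-only data and
        // must never feed any decision. Restricting writes would require moving
        // the increment behind a server-side function.
        var acl = new AV.ACL();
        acl.setPublicReadAccess(true);
        acl.setPublicWriteAccess(true);
        newcounter.setACL(acl);
        /* End Set ACL */
        newcounter.set("title", title);
        newcounter.set("url", url);
        newcounter.set("time", 1);
        newcounter.save(null, {
          success: function (newcounter) {
            var $element = $(document.getElementById(url));
            $element.find('.leancloud-visitors-count').text(newcounter.get('time'));
          },
          error: function (newcounter, error) {
            // Previously logged a bare 'Failed to create'; include the SDK message so
            // the cause is visible, matching the save handler above.
            console.log('Failed to create Visitor record, with error message: ' + error.message);
          }
        });
      }
    },
    error: function (error) {
      console.log('Error:' + error.code + " " + error.message);
    }
  });
}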
// On DOM ready: exactly one ".leancloud_visitors" element means a single post
// page (record the visit); more than one ".post-title-link" means a listing
// page (only display the stored counts). Any other layout does nothing.
$(document).ready(function () {
  var Counter = AV.Object.extend("Counter");
  var isPostPage = $('.leancloud_visitors').length == 1;
  if (isPostPage) {
    addCount(Counter);
    return;
  }
  if ($('.post-title-link').length > 1) {
    showTime(Counter);
  }
});
< / script >
< script >
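// Injects Baidu's link-submission script (automatic push of this page's URL to
// Baidu's webmaster index) ahead of the first <script> element in the document.
// The previous version fell back to a plain-http copy of the script when the
// page itself was served over http; a script fetched without TLS can be
// altered in transit, and the https copy loads from either page protocol,
// so it is now used unconditionally.
(function () {
  var bp = document.createElement('script');
  bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
  var s = document.getElementsByTagName("script")[0];
  s.parentNode.insertBefore(bp, s);
})();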
< / script >
< script type = "text/javascript" src = "/js/src/js.cookie.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scroll-cookie.js?v=5.1.4" > < / script >
< / body >
< / html >