Site updated: 2019-03-28 21:06:09

Cool-Y 2019-03-28 21:06:21 +08:00
parent f59e8d8063
commit 5f3fc855b2
61 changed files with 80 additions and 67 deletions

@ -657,7 +657,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -845,7 +845,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -747,7 +747,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -747,7 +747,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -752,7 +752,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -875,7 +875,7 @@ Server -------wire----------|
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -724,7 +724,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -731,7 +731,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -741,7 +741,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -766,7 +766,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -90,7 +90,10 @@
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png"> <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553759246/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E5%9B%BE%E7%89%871.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553772615/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B71.png"> <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553772615/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B71.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png"> <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png">
<meta property="og:updated_time" content="2019-03-28T13:04:12.572Z"> <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png">
<meta property="og:updated_time" content="2019-03-28T13:05:56.799Z">
<meta name="twitter:card" content="summary"> <meta name="twitter:card" content="summary">
<meta name="twitter:title" content="逆向工程实验"> <meta name="twitter:title" content="逆向工程实验">
<meta name="twitter:description" content="软件保护方式 功能限制 时间限制 运行时长限制 使用日期限制 使用次数限制 警告窗口 分析工具 静态分析工具 IDA W32Dasm lordPE Resource Hacker 动态分析工具 OllyDbg WinDbg 对抗分析技术 反静态分析技术 花指令 自修改代码技术 多态技术 变形技术 虚拟机保护技术 反动态分析技术 检测调试状态 检测用户态调试器"> <meta name="twitter:description" content="软件保护方式 功能限制 时间限制 运行时长限制 使用日期限制 使用次数限制 警告窗口 分析工具 静态分析工具 IDA W32Dasm lordPE Resource Hacker 动态分析工具 OllyDbg WinDbg 对抗分析技术 反静态分析技术 花指令 自修改代码技术 多态技术 变形技术 虚拟机保护技术 反动态分析技术 检测调试状态 检测用户态调试器">
@ -411,7 +414,7 @@
</span> </span>
<span title="字数统计"> <span title="字数统计">
927 845
</span> </span>
@ -513,10 +516,20 @@
<h3 id="查找注册码验证相关代码"><a href="#查找注册码验证相关代码" class="headerlink" title="查找注册码验证相关代码"></a>查找注册码验证相关代码</h3><p>用鼠标选中程序分支点,按空格切换回汇编指令界面<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png" alt></p> <h3 id="查找注册码验证相关代码"><a href="#查找注册码验证相关代码" class="headerlink" title="查找注册码验证相关代码"></a>查找注册码验证相关代码</h3><p>用鼠标选中程序分支点,按空格切换回汇编指令界面<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553773066/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B72.png" alt></p>
<p>可以看到这条指令位于PE文件的.text节并且IDA已经自动将地址转换为运行时的内存地址VA:004010F9</p> <p>可以看到这条指令位于PE文件的.text节并且IDA已经自动将地址转换为运行时的内存地址VA:004010F9</p>
<h3 id="修改程序跳转"><a href="#修改程序跳转" class="headerlink" title="修改程序跳转"></a>修改程序跳转</h3><ul> <h3 id="修改程序跳转"><a href="#修改程序跳转" class="headerlink" title="修改程序跳转"></a>修改程序跳转</h3><ul>
<li>现在关闭IDA换用OllyDbg进行动态调试来看看程序时如何分支跳转的<figure class="highlight plain"><figcaption><span>直接跳到由IDA得到的VA:```004010F9```处查看那条引起程序分支的关键指令</span></figcaption><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">- 选中这条指令按F2设置断点再按F9运行程序这时候控制权会回到程序OllyDbg暂时挂起。到程序提示输入名字和序列号随意输入名字大于五个字节点击ok后OllyDbg会重新中断程序收回控制权如图</span><br><span class="line">![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png)</span><br><span class="line">- 验证函数的返回值存于EAX寄存器中if语句通过以下两条指令执行</span><br></pre></td></tr></table></figure></li> <li>现在关闭IDA换用OllyDbg进行动态调试来看看程序时如何分支跳转的Ctrl+G直接跳到由IDA得到的VA:004010F9处查看那条引起程序分支的关键指令</li>
<li>选中这条指令按F2设置断点再按F9运行程序这时候控制权会回到程序OllyDbg暂时挂起。到程序提示输入名字和序列号随意输入名字大于五个字节点击ok后OllyDbg会重新中断程序收回控制权如图<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png" alt></li>
<li>验证函数的返回值存于EAX寄存器中if语句通过以下两条指令执行</li>
</ul> </ul>
<p>cmp eax,ecx<br>jnz xxxxxxx<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">- 也就是说当序列号输入错误时EAX中的值为0跳转将被执行。</span><br><span class="line">如果我们把jnz这条指令修改为jz那么整个程序的逻辑就会反过来。</span><br><span class="line">双击jnz这条指令将其改为jz单击&quot;汇编&quot;将其写入内存</span><br><span class="line">![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png)</span><br><span class="line">可以看到此时程序执行了相反的路径</span><br><span class="line"></span><br><span class="line">- 上面只是在内存中修改程序我们还需要在二进制文件中也修改相应的字节这里考察VA与文件地址之间的关系</span><br><span class="line">- 用LordPE打开.exe文件查看PE文件的节信息</span><br><span class="line">![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png)</span><br><span class="line"></span><br><span class="line">根据VA与文件地址的换算公式</span><br></pre></td></tr></table></figure></p> <figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cmp eax,ecx</span><br><span class="line">jnz xxxxxxx</span><br></pre></td></tr></table></figure>
<p>文件偏移地址 = VA - Image Base - 节偏移<br> = 0x004010F9 - 0x00400000 - 0<br> = 0x10F9<br><code>`</code><br>也就是说这条指令在PE文件中位于10F9字节处使用010Editer打开crack.exe将这一字节的75(JNZ)改为74(JZ),保存后重新执行,破解成功!</p> <ul>
<li><p>也就是说当序列号输入错误时EAX中的值为0跳转将被执行。<br>如果我们把jnz这条指令修改为jz那么整个程序的逻辑就会反过来。<br>双击jnz这条指令将其改为jz单击”汇编”将其写入内存<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png" alt><br>可以看到此时程序执行了相反的路径</p>
</li>
<li><p>上面只是在内存中修改程序我们还需要在二进制文件中也修改相应的字节这里考察VA与文件地址之间的关系</p>
</li>
<li>用LordPE打开.exe文件查看PE文件的节信息<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png" alt></li>
</ul>
<p>根据VA与文件地址的换算公式<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">文件偏移地址 = VA - Image Base - 节偏移</span><br><span class="line"> = 0x004010F9 - 0x00400000 - 0</span><br><span class="line"> = 0x10F9</span><br></pre></td></tr></table></figure></p>
<p>也就是说这条指令在PE文件中位于10F9字节处使用010Editer打开crack.exe将这一字节的75(JNZ)改为74(JZ),保存后重新执行,破解成功!</p>
<h2 id="编写注册机"><a href="#编写注册机" class="headerlink" title="编写注册机"></a>编写注册机</h2><h3 id="1-查找显示注册结果相关代码"><a href="#1-查找显示注册结果相关代码" class="headerlink" title="1. 查找显示注册结果相关代码"></a>1. 查找显示注册结果相关代码</h3><h3 id="2-查找注册码验证相关代码"><a href="#2-查找注册码验证相关代码" class="headerlink" title="2. 查找注册码验证相关代码"></a>2. 查找注册码验证相关代码</h3><h3 id="3-根据注册码验证代码编写注册机"><a href="#3-根据注册码验证代码编写注册机" class="headerlink" title="3. 根据注册码验证代码编写注册机"></a>3. 根据注册码验证代码编写注册机</h3> <h2 id="编写注册机"><a href="#编写注册机" class="headerlink" title="编写注册机"></a>编写注册机</h2><h3 id="1-查找显示注册结果相关代码"><a href="#1-查找显示注册结果相关代码" class="headerlink" title="1. 查找显示注册结果相关代码"></a>1. 查找显示注册结果相关代码</h3><h3 id="2-查找注册码验证相关代码"><a href="#2-查找注册码验证相关代码" class="headerlink" title="2. 查找注册码验证相关代码"></a>2. 查找注册码验证相关代码</h3><h3 id="3-根据注册码验证代码编写注册机"><a href="#3-根据注册码验证代码编写注册机" class="headerlink" title="3. 根据注册码验证代码编写注册机"></a>3. 根据注册码验证代码编写注册机</h3>
</div> </div>
@ -785,7 +798,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -466,7 +466,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -496,7 +496,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -496,7 +496,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -496,7 +496,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -566,7 +566,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -601,7 +601,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -496,7 +496,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -496,7 +496,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -601,7 +601,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -671,7 +671,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -820,7 +820,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -500,7 +500,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -518,7 +518,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -529,7 +529,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -468,7 +468,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -477,7 +477,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -477,7 +477,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -477,7 +477,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -477,7 +477,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -503,7 +503,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

View File

@ -395,7 +395,7 @@
</span> </span>
<span title="字数统计"> <span title="字数统计">
927 845
</span> </span>
@ -2354,7 +2354,7 @@ ettercap嗅探智能设备和网关之间的流量sudo ettercap -i ens33 -T -q
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -604,7 +604,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -3,7 +3,7 @@
<entry> <entry>
<title><![CDATA[逆向工程实验]]></title> <title><![CDATA[逆向工程实验]]></title>
<url>%2F2019%2F03%2F28%2F%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B%E5%AE%9E%E9%AA%8C%2F</url> <url>%2F2019%2F03%2F28%2F%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B%E5%AE%9E%E9%AA%8C%2F</url>
<content type="text"><![CDATA[软件保护方式 功能限制 时间限制 运行时长限制 使用日期限制 使用次数限制 警告窗口 分析工具 静态分析工具 IDA W32Dasm lordPE Resource Hacker 动态分析工具 OllyDbg WinDbg 对抗分析技术 反静态分析技术 花指令 自修改代码技术 多态技术 变形技术 虚拟机保护技术 反动态分析技术 检测调试状态 检测用户态调试器 检测内核态调试器 其他方法父进程检测StartupInfo 结构时间差通过Trap Flag检测 发现调试器后的处理 程序自身退出 向调试器窗口发送消息使调试器退出 使调试器窗口不可用 终止调试器进程 PE文件格式基础实验1软件破解对象crack.exe28.0 KB 无保护措施:无壳、未加密、无反调试措施 用户名至少要5个字节 输入错误验证码时输出“Bad Boy!” 爆破查找显示注册结果相关代码当输入错误验证码时程序会输出“Bad Boy”因此我们将程序拖入IDA以流程图显示函数内部的跳转。查找“Bad Boy”字符串我们可以定位到显示注册结果的相关代码 查找注册码验证相关代码用鼠标选中程序分支点,按空格切换回汇编指令界面 可以看到这条指令位于PE文件的.text节并且IDA已经自动将地址转换为运行时的内存地址VA:004010F9 修改程序跳转 现在关闭IDA换用OllyDbg进行动态调试来看看程序时如何分支跳转的直接跳到由IDA得到的VA:```004010F9```处查看那条引起程序分支的关键指令123- 选中这条指令按F2设置断点再按F9运行程序这时候控制权会回到程序OllyDbg暂时挂起。到程序提示输入名字和序列号随意输入名字大于五个字节点击ok后OllyDbg会重新中断程序收回控制权如图![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775053/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B74.png)- 验证函数的返回值存于EAX寄存器中if语句通过以下两条指令执行 cmp eax,ecxjnz xxxxxxx123456789101112- 也就是说当序列号输入错误时EAX中的值为0跳转将被执行。如果我们把jnz这条指令修改为jz那么整个程序的逻辑就会反过来。双击jnz这条指令将其改为jz单击&quot;汇编&quot;将其写入内存![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1553775817/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B75.png)可以看到此时程序执行了相反的路径- 上面只是在内存中修改程序我们还需要在二进制文件中也修改相应的字节这里考察VA与文件地址之间的关系- 用LordPE打开.exe文件查看PE文件的节信息![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1553776239/%E8%BD%AF%E4%BB%B6%E7%A0%B4%E8%A7%A3/%E6%8D%95%E8%8E%B76.png)根据VA与文件地址的换算公式 文件偏移地址 = VA - Image Base - 节偏移 = 0x004010F9 - 0x00400000 - 0 = 0x10F9`也就是说这条指令在PE文件中位于10F9字节处使用010Editer打开crack.exe将这一字节的75(JNZ)改为74(JZ),保存后重新执行,破解成功! 编写注册机1. 查找显示注册结果相关代码2. 查找注册码验证相关代码3. 
根据注册码验证代码编写注册机]]></content> <content type="text"><![CDATA[软件保护方式 功能限制 时间限制 运行时长限制 使用日期限制 使用次数限制 警告窗口 分析工具 静态分析工具 IDA W32Dasm lordPE Resource Hacker 动态分析工具 OllyDbg WinDbg 对抗分析技术 反静态分析技术 花指令 自修改代码技术 多态技术 变形技术 虚拟机保护技术 反动态分析技术 检测调试状态 检测用户态调试器 检测内核态调试器 其他方法父进程检测StartupInfo 结构时间差通过Trap Flag检测 发现调试器后的处理 程序自身退出 向调试器窗口发送消息使调试器退出 使调试器窗口不可用 终止调试器进程 PE文件格式基础实验1软件破解对象crack.exe28.0 KB 无保护措施:无壳、未加密、无反调试措施 用户名至少要5个字节 输入错误验证码时输出“Bad Boy!” 爆破查找显示注册结果相关代码当输入错误验证码时程序会输出“Bad Boy”因此我们将程序拖入IDA以流程图显示函数内部的跳转。查找“Bad Boy”字符串我们可以定位到显示注册结果的相关代码 查找注册码验证相关代码用鼠标选中程序分支点,按空格切换回汇编指令界面 可以看到这条指令位于PE文件的.text节并且IDA已经自动将地址转换为运行时的内存地址VA:004010F9 修改程序跳转 现在关闭IDA换用OllyDbg进行动态调试来看看程序时如何分支跳转的Ctrl+G直接跳到由IDA得到的VA:004010F9处查看那条引起程序分支的关键指令 选中这条指令按F2设置断点再按F9运行程序这时候控制权会回到程序OllyDbg暂时挂起。到程序提示输入名字和序列号随意输入名字大于五个字节点击ok后OllyDbg会重新中断程序收回控制权如图 验证函数的返回值存于EAX寄存器中if语句通过以下两条指令执行 12cmp eax,ecxjnz xxxxxxx 也就是说当序列号输入错误时EAX中的值为0跳转将被执行。如果我们把jnz这条指令修改为jz那么整个程序的逻辑就会反过来。双击jnz这条指令将其改为jz单击”汇编”将其写入内存可以看到此时程序执行了相反的路径 上面只是在内存中修改程序我们还需要在二进制文件中也修改相应的字节这里考察VA与文件地址之间的关系 用LordPE打开.exe文件查看PE文件的节信息 根据VA与文件地址的换算公式123文件偏移地址 = VA - Image Base - 节偏移 = 0x004010F9 - 0x00400000 - 0 = 0x10F9 也就是说这条指令在PE文件中位于10F9字节处使用010Editer打开crack.exe将这一字节的75(JNZ)改为74(JZ),保存后重新执行,破解成功! 编写注册机1. 查找显示注册结果相关代码2. 查找注册码验证相关代码3. 根据注册码验证代码编写注册机]]></content>
<categories> <categories>
<category>-二进制</category> <category>-二进制</category>
</categories> </categories>

@ -4,7 +4,7 @@
<url> <url>
<loc>https://cool-y.github.io/2019/03/28/%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B%E5%AE%9E%E9%AA%8C/</loc> <loc>https://cool-y.github.io/2019/03/28/%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B%E5%AE%9E%E9%AA%8C/</loc>
<lastmod>2019-03-28T13:04:12.572Z</lastmod> <lastmod>2019-03-28T13:05:56.799Z</lastmod>
</url> </url>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -468,7 +468,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -502,7 +502,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>

@ -476,7 +476,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">15.6k</span> <span title="Site words total count">15.5k</span>
</div> </div>