160 - 27 Cosh.1
Environment
 Windows XP SP3
Tools
 exeinfope
 ollydbg
Packer check
 Unpacked MFC program
 
Test
 
It pops up this:
 
It is a program protected by a CD-CHECK.
A string search takes you straight here:
```
0040121A  . 68 9C304000    push Cosh_1.0040309C                     ; ASCII "C:\"
0040121F  . 8D4D A4        lea ecx,dword ptr ss:[ebp-0x5C]
00401222  . E8 79040000    call <jmp.&MFC42.#CString::CString_537>
00401227  . 33DB           xor ebx,ebx
00401229  . 68 98304000    push Cosh_1.00403098                     ; ASCII "D:\"
0040122E  . 8D4D A8        lea ecx,dword ptr ss:[ebp-0x58]
00401231  . 895D FC        mov dword ptr ss:[ebp-0x4],ebx
00401234  . E8 67040000    call <jmp.&MFC42.#CString::CString_537>
00401239  . 68 94304000    push Cosh_1.00403094                     ; ASCII "E:\"
0040123E  . 8D4D AC        lea ecx,dword ptr ss:[ebp-0x54]
00401241  . C645 FC 01     mov byte ptr ss:[ebp-0x4],0x1
00401245  . E8 56040000    call <jmp.&MFC42.#CString::CString_537>
0040124A  . 68 90304000    push Cosh_1.00403090                     ; ASCII "F:\"
0040124F  . 8D4D B0        lea ecx,dword ptr ss:[ebp-0x50]
00401252  . C645 FC 02     mov byte ptr ss:[ebp-0x4],0x2
00401256  . E8 45040000    call <jmp.&MFC42.#CString::CString_537>
0040125B  . 68 8C304000    push Cosh_1.0040308C                     ; ASCII "G:\"
00401260  . 8D4D B4        lea ecx,dword ptr ss:[ebp-0x4C]
00401263  . C645 FC 03     mov byte ptr ss:[ebp-0x4],0x3
00401267  . E8 34040000    call <jmp.&MFC42.#CString::CString_537>
0040126C  . 68 88304000    push Cosh_1.00403088                     ; ASCII "H:\"
00401271  . 8D4D B8        lea ecx,dword ptr ss:[ebp-0x48]
00401274  . C645 FC 04     mov byte ptr ss:[ebp-0x4],0x4
00401278  . E8 23040000    call <jmp.&MFC42.#CString::CString_537>
0040127D  . 68 84304000    push Cosh_1.00403084                     ; ASCII "I:\"
00401282  . 8D4D BC        lea ecx,dword ptr ss:[ebp-0x44]
00401285  . C645 FC 05     mov byte ptr ss:[ebp-0x4],0x5
00401289  . E8 12040000    call <jmp.&MFC42.#CString::CString_537>
0040128E  . 68 80304000    push Cosh_1.00403080                     ; ASCII "J:\"
00401293  . 8D4D C0        lea ecx,dword ptr ss:[ebp-0x40]
00401296  . C645 FC 06     mov byte ptr ss:[ebp-0x4],0x6
0040129A  . E8 01040000    call <jmp.&MFC42.#CString::CString_537>
0040129F  . 68 7C304000    push Cosh_1.0040307C                     ; ASCII "K:\"
004012A4  . 8D4D C4        lea ecx,dword ptr ss:[ebp-0x3C]
004012A7  . C645 FC 07     mov byte ptr ss:[ebp-0x4],0x7
004012AB  . E8 F0030000    call <jmp.&MFC42.#CString::CString_537>
004012B0  . 68 78304000    push Cosh_1.00403078                     ; ASCII "L:\"
004012B5  . 8D4D C8        lea ecx,dword ptr ss:[ebp-0x38]
004012B8  . C645 FC 08     mov byte ptr ss:[ebp-0x4],0x8
004012BC  . E8 DF030000    call <jmp.&MFC42.#CString::CString_537>
004012C1  . 68 74304000    push Cosh_1.00403074                     ; ASCII "M:\"
004012C6  . 8D4D CC        lea ecx,dword ptr ss:[ebp-0x34]
004012C9  . C645 FC 09     mov byte ptr ss:[ebp-0x4],0x9
004012CD  . E8 CE030000    call <jmp.&MFC42.#CString::CString_537>
004012D2  . 68 70304000    push Cosh_1.00403070                     ; ASCII "N:\"
004012D7  . 8D4D D0        lea ecx,dword ptr ss:[ebp-0x30]
004012DA  . C645 FC 0A     mov byte ptr ss:[ebp-0x4],0xA
004012DE  . E8 BD030000    call <jmp.&MFC42.#CString::CString_537>
004012E3  . 68 6C304000    push Cosh_1.0040306C                     ; ASCII "O:\"
004012E8  . 8D4D D4        lea ecx,dword ptr ss:[ebp-0x2C]
004012EB  . C645 FC 0B     mov byte ptr ss:[ebp-0x4],0xB
004012EF  . E8 AC030000    call <jmp.&MFC42.#CString::CString_537>
004012F4  . 68 68304000    push Cosh_1.00403068                     ; ASCII "P:\"
004012F9  . 8D4D D8        lea ecx,dword ptr ss:[ebp-0x28]
004012FC  . C645 FC 0C     mov byte ptr ss:[ebp-0x4],0xC
00401300  . E8 9B030000    call <jmp.&MFC42.#CString::CString_537>
00401305  . BE 9A164000    mov esi,<jmp.&MFC42.#CString::~CString_800> ; entry address
0040130A  . 33C0           xor eax,eax
0040130C  . 8D7D DC        lea edi,dword ptr ss:[ebp-0x24]
0040130F  . 56             push esi
00401310  . C645 FC 0D     mov byte ptr ss:[ebp-0x4],0xD
00401314  . 68 94164000    push <jmp.&MFC42.#CString::CString_540>  ; entry address
00401319  . AB             stos dword ptr es:[edi]
0040131A  . 6A 01          push 0x1
0040131C  . 8D45 DC        lea eax,dword ptr ss:[ebp-0x24]
0040131F  . 6A 04          push 0x4
00401321  . 50             push eax
00401322  . E8 C3040000    call Cosh_1.004017EA
00401327  . 8D4D E8        lea ecx,dword ptr ss:[ebp-0x18]
0040132A  . C645 FC 0E     mov byte ptr ss:[ebp-0x4],0xE
0040132E  . E8 61030000    call <jmp.&MFC42.#CString::CString_540>
00401333  . C645 FC 0F     mov byte ptr ss:[ebp-0x4],0xF
00401337  . 895D EC        mov dword ptr ss:[ebp-0x14],ebx
0040133A  . 8D7D A4        lea edi,dword ptr ss:[ebp-0x5C]
0040133D  > 57             push edi
0040133E  . 8D4D E8        lea ecx,dword ptr ss:[ebp-0x18]
00401341  . E8 48030000    call <jmp.&MFC42.#CString::operator=_858>
00401346  . FF75 E8        push dword ptr ss:[ebp-0x18]             ; /RootPathName
00401349  . FF15 04204000  call dword ptr ds:[<&KERNEL32.GetDriveTypeA>] ; \GetDriveTypeA
0040134F    83F8 03        cmp eax,0x3
00401352  . 74 3E          je XCosh_1.00401392
00401354  . 8D45 E8        lea eax,dword ptr ss:[ebp-0x18]
00401357  . 68 58304000    push Cosh_1.00403058                     ; ASCII "CD_CHECK.DAT"
0040135C  . 50             push eax
0040135D  . 8D45 E0        lea eax,dword ptr ss:[ebp-0x20]
00401360  . 50             push eax
00401361  . E8 22030000    call <jmp.&MFC42.#operator+_924>
00401366  . 8B00           mov eax,dword ptr ds:[eax]
00401368  . 53             push ebx                                 ; /hTemplateFile
00401369  . 53             push ebx                                 ; |Attributes
0040136A  . 53             push ebx                                 ; |Mode
0040136B  . 53             push ebx                                 ; |pSecurity
0040136C  . 6A 01          push 0x1                                 ; |ShareMode = FILE_SHARE_READ
0040136E  . 68 00000080    push 0x80000000                          ; |Access = GENERIC_READ
00401373  . 50             push eax                                 ; |FileName
00401374  . FF15 00204000  call dword ptr ds:[<&KERNEL32.CreateFileA>] ; \CreateFileA
0040137A  . 83F8 FF        cmp eax,-0x1
0040137D  . 8D4D E0        lea ecx,dword ptr ss:[ebp-0x20]
00401380  . 0F9445 F3      sete byte ptr ss:[ebp-0xD]
00401384  . E8 11030000    call <jmp.&MFC42.#CString::~CString_800>
00401389  . 385D F3        cmp byte ptr ss:[ebp-0xD],bl
0040138C  . 0F84 F3000000  je Cosh_1.00401485
00401392  > FF45 EC        inc dword ptr ss:[ebp-0x14]
00401395  . 83C7 04        add edi,0x4
00401398  . 837D EC 07     cmp dword ptr ss:[ebp-0x14],0x7
0040139C  .^ 75 9F         jnz XCosh_1.0040133D
0040139E  . 53             push ebx
0040139F  . 68 4C304000    push Cosh_1.0040304C                     ; ASCII "Try again"
004013A4  . 68 40304000    push Cosh_1.00403040                     ; ASCII "You lost"
004013A9  > 8B4D E4        mov ecx,dword ptr ss:[ebp-0x1C]
004013AC  . E8 D1020000    call <jmp.&MFC42.#CWnd::MessageBoxA_4224>

00401485  > 53             push ebx
00401486  . 68 34304000    push Cosh_1.00403034                     ; ASCII "You did it"
0040148B  . 68 20304000    push Cosh_1.00403020                     ; ASCII "Well done, Cracker"
00401490  .^ E9 14FFFFFF   jmp Cosh_1.004013A9                      ; jump back up
```

Looking at the comments OD provides, you can almost guess the protection scheme of this program.
The program appears to check whether a file named "CD_CHECK.DAT" exists on each disk partition. If it exists, the success message is shown; otherwise it checks whether the next partition has the file, for a total of 7 checks.
Then I found that even after creating a file named "CD_CHECK.DAT" on drive C, the return value after the call to CreateFileA was still -1. By writing a similar program, I found that it was a parameter error:

```c
#include <windows.h>
#include <stdio.h>

int main(void)
{
    /* Same arguments as the listing: dwCreationDisposition (OD's "Mode") is 0 */
    CreateFileA("c:\\CD_CHECK.DAT", GENERIC_READ, FILE_SHARE_READ, NULL, 0, 0, NULL);
    int d = GetLastError();
    printf("%d", d);
    return 0;
}
```

Result: 87
Looking it up in System Error Codes gives:
Changed to:

```c
#include <windows.h>
#include <stdio.h>

int main(void)
{
    /* Only dwCreationDisposition changed: OPEN_EXISTING instead of 0 */
    CreateFileA("c:\\CD_CHECK.DAT", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    int d = GetLastError();
    printf("%d", d);
    return 0;
}
```

Result: 0
Checking the CreateFileA function again, I found nothing indicating that the dwCreationDisposition parameter (the Mode in OD) may take the value 0:
dwCreationDisposition [in] 
 An action to take on a file or device that exists or does not exist. 
 For devices other than files, this parameter is usually set to OPEN_EXISTING. 
 For more information, see the Remarks section. 
 This parameter must be one of the following values, which cannot be combined:
| Value | Meaning |
|---|---|
| CREATE_ALWAYS 2 | Creates a new file, always. If the specified file exists and is writable, the function overwrites the file, the function succeeds, and last-error code is set to ERROR_ALREADY_EXISTS (183). If the specified file does not exist and is a valid path, a new file is created, the function succeeds, and the last-error code is set to zero. For more information, see the Remarks section of this topic. |
| CREATE_NEW 1 | Creates a new file, only if it does not already exist. If the specified file exists, the function fails and the last-error code is set to ERROR_FILE_EXISTS (80). If the specified file does not exist and is a valid path to a writable location, a new file is created. |
| OPEN_ALWAYS 4 | Opens a file, always. If the specified file exists, the function succeeds and the last-error code is set to ERROR_ALREADY_EXISTS (183). If the specified file does not exist and is a valid path to a writable location, the function creates a file and the last-error code is set to zero. |
| OPEN_EXISTING 3 | Opens a file or device, only if it exists. If the specified file or device does not exist, the function fails and the last-error code is set to ERROR_FILE_NOT_FOUND (2). For more information about devices, see the Remarks section. |
| TRUNCATE_EXISTING 5 | Opens a file and truncates it so that its size is zero bytes, only if it exists. If the specified file does not exist, the function fails and the last-error code is set to ERROR_FILE_NOT_FOUND (2). The calling process must open the file with the GENERIC_WRITE bit set as part of the dwDesiredAccess parameter. |
So this CreateFileA can be considered to have no effect.
The code can therefore be patched at this point:
Changed to:

```
0040134F   /E9 31010000    jmp Cosh_1.00401485
```

Result:
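To make the two findings above concrete (a dwCreationDisposition of 0 makes every CreateFileA call fail before the file is looked at, and a 5-byte jmp replaces the cmp/je at 0040134F), here is an added C example that is not part of the original write-up. It models the seven-drive loop from the listing with a constructed drive table instead of calling the real Win32 API, using only values given on this page (error 87, OPEN_EXISTING = 3, the skip when GetDriveTypeA returns 3, the patch bytes E9 31 01 00 00); the drive table, the `model_create_file` stand-in and the other function names are my own and carry no Win32 meaning.

```c
#include <stdint.h>
#include <stdio.h>

/* Win32 values as they appear in the page's table and listing (no <windows.h>,
 * so this compiles on any platform); the names are the documented Win32 names. */
#define CREATE_NEW              1
#define OPEN_EXISTING           3
#define TRUNCATE_EXISTING       5
#define ERROR_FILE_NOT_FOUND    2
#define ERROR_INVALID_PARAMETER 87   /* the GetLastError() value observed above */
#define DRIVE_FIXED             3    /* what the listing compares GetDriveTypeA against */
#define DRIVE_CDROM             5
#define INVALID_HANDLE_VALUE    (-1)

/* Constructed model of a drive as the check sees it (hypothetical, for the demo). */
typedef struct {
    const char *root;          /* "C:\" ... as pushed in the listing */
    int         drive_type;    /* modelled GetDriveTypeA result */
    int         has_dat;       /* does <root>CD_CHECK.DAT exist? */
} drive_t;

/* Constructed sample: a fixed disk, then a CD-ROM that really carries the file. */
static const drive_t SAMPLE_DRIVES[] = {
    { "C:\\", DRIVE_FIXED, 1 },
    { "D:\\", DRIVE_CDROM, 1 },
    { "E:\\", DRIVE_CDROM, 0 },
};
#define SAMPLE_N 3

/* Stand-in for CreateFileA: an out-of-range dwCreationDisposition is rejected
 * with ERROR_INVALID_PARAMETER before any file lookup happens (the 87 above). */
static int model_create_file(const drive_t *d, unsigned disposition, int *last_error)
{
    if (disposition < CREATE_NEW || disposition > TRUNCATE_EXISTING) {
        *last_error = ERROR_INVALID_PARAMETER;
        return INVALID_HANDLE_VALUE;
    }
    if (disposition == OPEN_EXISTING && !d->has_dat) {
        *last_error = ERROR_FILE_NOT_FOUND;
        return INVALID_HANDLE_VALUE;
    }
    *last_error = 0;
    return 1;                     /* any valid handle */
}

/* The loop at 0040133D..0040139C: at most 7 drives, fixed disks skipped
 * (cmp eax,3 / je), first valid handle wins. Returns the winning drive index
 * or -1 ("You lost"); *last_error holds the last error the stand-in set. */
int cd_check(const drive_t *drives, int n, unsigned disposition, int *last_error)
{
    *last_error = 0;
    for (int i = 0; i < n && i < 7; i++) {
        if (drives[i].drive_type == DRIVE_FIXED)
            continue;
        if (model_create_file(&drives[i], disposition, last_error) != INVALID_HANDLE_VALUE)
            return i;             /* je 00401485: "You did it" */
    }
    return -1;
}

/* Convenience wrappers over the constructed sample. */
int sample_result(unsigned disposition) { int e; return cd_check(SAMPLE_DRIVES, SAMPLE_N, disposition, &e); }
int sample_error(unsigned disposition)  { int e; cd_check(SAMPLE_DRIVES, SAMPLE_N, disposition, &e); return e; }

/* rel32 of a 5-byte E9 jmp: target minus the address of the following instruction. */
uint32_t jmp_rel32(uint32_t from, uint32_t to) { return to - (from + 5); }

/* Encode the jmp at `from` and compare it with an expected 5-byte sequence. */
int patch_bytes_match(uint32_t from, uint32_t to, const unsigned char expect[5])
{
    uint32_t rel = jmp_rel32(from, to);
    unsigned char b[5] = { 0xE9, rel & 0xFF, (rel >> 8) & 0xFF, (rel >> 16) & 0xFF, (rel >> 24) & 0xFF };
    for (int i = 0; i < 5; i++)
        if (b[i] != expect[i]) return 0;
    return 1;
}

/* Does the page's patch (E9 31 01 00 00 at 0040134F) really reach 00401485? */
int page_patch_matches(void)
{
    static const unsigned char page_patch[5] = { 0xE9, 0x31, 0x01, 0x00, 0x00 };
    return patch_bytes_match(0x0040134F, 0x00401485, page_patch);
}

int main(void)
{
    printf("disposition 0:  result %d, error %d\n", sample_result(0), sample_error(0));
    printf("OPEN_EXISTING:  result %d, error %d\n", sample_result(OPEN_EXISTING), sample_error(OPEN_EXISTING));
    printf("E9 rel32 0040134F->00401485 = %08X, matches page: %d\n",
           jmp_rel32(0x0040134F, 0x00401485), page_patch_matches());
    return 0;
}
```

With disposition 0 the loop never finds the file even though the sample CD-ROM has it, and the last error is 87; with OPEN_EXISTING the same table succeeds on the second drive. The displacement check confirms 0x00401485 - (0x0040134F + 5) = 0x131, which is the E9 31 01 00 00 written above.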
Summary