x64dbg - Chapter 19 | Disassembly Exercise (8)
Target program
File download: MrBills.exe
Extraction password: morosedog
Program overview
MrBills lets you easily scan, categorize and store your files, checks, invoices, receipts and other documents electronically, using your TWAIN- or WIA-compatible scanner.
Task objective
- Enter an email address and license number so that registration succeeds.
Analyzing the program
- Open MrBills.exe: a window titled Tip of the Day pops up, showing "The tip of the file is missing." underneath. Note: this should be the program's tips window, e.g. usage hints or an introduction.
- Press Close.

- Click About: a window pops up with three buttons: OK, Check for Update..., Register...

- Click Register...: it asks for an Email address and License number to register. Enter abcd@hotmail.com as the Email address and 12345678 as the License number.

- Click Register Now: a window pops up displaying "You have entered an invalid email address or license number. Please try again."

Inspection shows the program was written with Microsoft Visual C++ 7.0.

Additional note
Every call ultimately returns its result in eax; if eax holds an address, that is not the call's return value.
Search approach
- Use the string search to find the keyword.
Note:
You have entered an invalid email address or license number. Please try again.
Patching approach
- Use a jmp to skip the verification part.
- Find the verification logic and change it so the check passes.
Actual analysis
Open MrBills.exe. In the disassembly window, right-click and choose Search (S) -> Current module -> String references (S), then search for "Please try again." This finds "You have entered an invalid email address or license number. Please try again."; set a breakpoint on it, press F9 to run, enter abcd@hotmail.com as the Email address and 12345678 as the License number, and click Register Now. Execution breaks at

004299BD | 68 70134C00 | push mrbills.4C1370 | 4C1370:"You have entered an invalid email address or license number. Please try again."

Step over with F8 one instruction at a time; when stepping over the instruction below

004299C2 | E8 74270800 | call mrbills.4AC13B |

a window pops up displaying "You have entered an invalid email address or license number. Please try again."
- This confirms that the call at address 004299C2 pops up the verification-failure window.
Looking upward, there is a jump which, when taken, skips the instruction that pops up the message window:
004299B9 | 75 36 | jne mrbills.4299F1 |
004299BB | 6A 30 | push 30 |
004299BD | 68 70134C00 | push mrbills.4C1370 | 4C1370:"You have entered an invalid email address or license number. Please try again."
004299C2 | E8 74270800 | call mrbills.4AC13B |

The jne at 004299B9 would skip past the message. Set a breakpoint at 004299B9 and remove the other breakpoints. Press Ctrl + F2 to restart, F9 to run, enter abcd@hotmail.com as the Email address and 12345678 as the License number, and click Register Now. Execution breaks at

004299B9 | 75 36 | jne mrbills.4299F1 |

and the jump is not taken. jne is not taken when ZF=1, so we change it to ZF=0 and press F9 to run. A window pops up displaying "Thank you for registering!" After pressing OK, we find the program is not actually registered.
This confirms that simply skipping the jump only changes the message that is displayed.
Looking further up:

004299AD | E8 9AD7FDFF | call mrbills.40714C |
004299B2 | 59 | pop ecx |
004299B3 | 33DB | xor ebx,ebx |
004299B5 | 84C0 | test al,al |
004299B7 | 59 | pop ecx |
004299B8 | 53 | push ebx |
004299B9 | 75 36 | jne mrbills.4299F1 |

test al,al decides the outcome of the jne, and call mrbills.40714C changes the value of al. Set a breakpoint at 004299AD and remove the other breakpoints. Enter abcd@hotmail.com as the Email address and 12345678 as the License number and click Register Now. Execution breaks at

004299AD | E8 9AD7FDFF | call mrbills.40714C |

Press F7 to step into it; execution stops at

0040714C | 55 | push ebp |

Step over with F8 one instruction at a time while watching how eax changes:
0040714C | 55 | push ebp |
0040714D | 8BEC | mov ebp,esp |
0040714F | FF75 0C | push dword ptr ss:[ebp+C] |
00407152 | FF75 08 | push dword ptr ss:[ebp+8] |
00407155 | E8 77FEFFFF | call mrbills.406FD1 |
0040715A | 84C0 | test al,al |
0040715C | 59 | pop ecx |
0040715D | 59 | pop ecx |
0040715E | A2 A0765000 | mov byte ptr ds:[5076A0],al |
00407163 | 75 1B | jne mrbills.407180 |
00407165 | FF75 0C | push dword ptr ss:[ebp+C] |
00407168 | FF75 08 | push dword ptr ss:[ebp+8] |
0040716B | E8 ADFEFFFF | call mrbills.40701D |
00407170 | 84C0 | test al,al |
00407172 | 59 | pop ecx |
00407173 | 59 | pop ecx |
00407174 | A2 A0765000 | mov byte ptr ds:[5076A0],al |
00407179 | A2 A2765000 | mov byte ptr ds:[5076A2],al |
0040717E | 74 0D | je mrbills.40718D |

The calls at 00407155 and 0040716B return their values in eax, so both need to be stepped into with F7 and observed. Set breakpoints at 00407155 and 0040716B and remove the other breakpoints. Enter abcd@hotmail.com as the Email address and 12345678 as the License number and click Register Now. Execution breaks at

00407155 | E8 77FEFFFF | call mrbills.406FD1 |

Press F7 to step into 00407155 (after stepping into 0040716B, the key part there is also call mrbills.406F4B). Execution stops at

00406FD1 | B8 AB374B00 | mov eax,mrbills.4B37AB | eax:"鴨/"==&"12345678"

Step over with F8 one instruction at a time while watching how eax changes:
00406FD1 | B8 AB374B00 | mov eax,mrbills.4B37AB | eax:&"ORUWOZ3FOI"
00406FD6 | E8 EDF00700 | call mrbills.4860C8 |
00406FDB | 51 | push ecx |
00406FDC | 53 | push ebx |
00406FDD | FF35 A4415000 | push dword ptr ds:[5041A4] | 005041A4:&"ORUWOZ3FOI"
00406FE3 | 8D4D F0 | lea ecx,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
00406FE6 | E8 84B1FFFF | call mrbills.40216F |
00406FEB | FF75 0C | push dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
00406FEE | 8365 FC 00 | and dword ptr ss:[ebp-4],0 |
00406FF2 | FF75 08 | push dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"
00406FF5 | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
00406FF8 | 50 | push eax | eax:&"ORUWOZ3FOI"
00406FF9 | E8 4DFFFFFF | call mrbills.406F4B |
00406FFE | 8B4D F0 | mov ecx,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
00407001 | 83C4 0C | add esp,C |
00407004 | 83C1 F0 | add ecx,FFFFFFF0 |
00407007 | 8AD8 | mov bl,al |
00407009 | E8 3AA1FFFF | call mrbills.401148 |
0040700E | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] |
00407011 | 8AC3 | mov al,bl |
00407013 | 5B | pop ebx |
00407014 | 64:890D 00000000 | mov dword ptr fs:[0],ecx |
0040701B | C9 | leave |
0040701C | C3 | ret |

The call at 00406FF9 returns its value in eax, so it needs to be stepped into with F7 and observed. Step into it with F7 and observe the program:
00406F4B | B8 E9374B00 | mov eax,mrbills.4B37E9 | eax:&"ORUWOZ3FOI"
00406F50 | E8 73F10700 | call mrbills.4860C8 |
00406F55 | 51 | push ecx |
00406F56 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"
00406F59 | 53 | push ebx |
00406F5A | 56 | push esi |
00406F5B | FF30 | push dword ptr ds:[eax] | [eax]:"ORUWOZ3FOI"
00406F5D | 8D45 08 | lea eax,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"
00406F60 | 50 | push eax | eax:&"ORUWOZ3FOI"
00406F61 | E8 38FBFFFF | call mrbills.406A9E |
00406F66 | 8B45 0C | mov eax,dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
00406F69 | FF30 | push dword ptr ds:[eax] | [eax]:"ORUWOZ3FOI"
00406F6B | 8365 FC 00 | and dword ptr ss:[ebp-4],0 |
00406F6F | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
00406F72 | 50 | push eax | eax:&"ORUWOZ3FOI"
00406F73 | E8 26FBFFFF | call mrbills.406A9E |
00406F78 | FF75 10 | push dword ptr ss:[ebp+10] |
00406F7B | C645 FC 01 | mov byte ptr ss:[ebp-4],1 |
00406F7F | 50 | push eax | eax:&"ORUWOZ3FOI"
00406F80 | 8D45 08 | lea eax,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"
00406F83 | 50 | push eax | eax:&"ORUWOZ3FOI"
00406F84 | 8D45 0C | lea eax,dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
00406F87 | 50 | push eax | eax:&"ORUWOZ3FOI"
00406F88 | E8 89FDFFFF | call mrbills.406D16 |
00406F8D | FF30 | push dword ptr ds:[eax] | [eax]:"ORUWOZ3FOI"
00406F8F | 8B75 08 | mov esi,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"
00406F92 | 56 | push esi |
00406F93 | E8 4FF10700 | call mrbills.4860E7 |
00406F98 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
00406F9B | 83C4 28 | add esp,28 |
00406F9E | 8BD8 | mov ebx,eax | eax:&"ORUWOZ3FOI"
00406FA0 | F7DB | neg ebx |
00406FA2 | 1ADB | sbb bl,bl |
00406FA4 | 83C1 F0 | add ecx,FFFFFFF0 |
00406FA7 | FEC3 | inc bl |
00406FA9 | E8 9AA1FFFF | call mrbills.401148 |
00406FAE | 8B4D F0 | mov ecx,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
00406FB1 | 83C1 F0 | add ecx,FFFFFFF0 |
00406FB4 | E8 8FA1FFFF | call mrbills.401148 |
00406FB9 | 8D4E F0 | lea ecx,dword ptr ds:[esi-10] |
00406FBC | E8 87A1FFFF | call mrbills.401148 |
00406FC1 | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] |
00406FC4 | 5E | pop esi |
00406FC5 | 8AC3 | mov al,bl |
00406FC7 | 5B | pop ebx |
00406FC8 | 64:890D 00000000 | mov dword ptr fs:[0],ecx |
00406FCF | C9 | leave |
00406FD0 | C3 | ret |

The intermediate calls were not followed into; the assumption is that they all determine whether registration succeeded. 00406FC5 | 8AC3 | mov al,bl | is the last instruction that sets the value passed back in eax, so we can assume the eax returned at 00406FC5 indicates whether registration succeeded. At 00406FC5 | 8AC3 | mov al,bl |, press the space bar and change the instruction to mov al, 0x1, then press OK. After the modification it looks like this:
// before
00406FC5 | 8AC3 | mov al,bl |
// after
00406FC5 | B0 01 | mov al,1 |

Press F9 to run. A window pops up displaying "Thank you for registering!" Press OK: congratulations, the program is now truly registered.
Analysis summary
The eax value returned at 00406FC5 is the key to whether registration succeeds.
Patching approach
Based on the analysis summary:
- Directly assign al the value 0x1.
Actual patching
Open MrBills.exe. At 00406FC5 | 8AC3 | mov al,bl |, press the space bar and change the instruction to mov al, 0x1, then press OK. After the modification it looks like this:

// before
00406FC5 | 8AC3 | mov al,bl |
// after
00406FC5 | B0 01 | mov al,1 |

Click Patches, or press the shortcut Ctrl + P, then click Patch File (P) and save it as MrBills.crack.exe. Congratulations, the patch has been generated:
MrBills.crack.exe
Note: the above referenced
x64dbg
x64dbg's documentation!
OllyDbg Usage Notes (8) from billvsme's column on CSDN
Assembly Language - Complete x86 Instruction Set on Zhihu
