
J.J. Huang   2019-08-08   x64dbg

x64dbg - Chapter 19 | Disassembly Practice (8)

Target program

File download: MrBills.exe
Archive password: morosedog


Program overview

MrBills lets you easily scan, sort and store your files, cheques, invoices, receipts and other documents electronically using your TWAIN/WIA-compatible scanner.


Task objective

  • Enter an email address and license number so that registration succeeds.

Analyzing the program

  • Open MrBills.exe
  • A window pops up; below the title Tip of the Day it shows The tip of the file is missing.

    Note: this should be the program's tips window, e.g. how to use it or an introduction.

  • Press Close

  • Click About
  • A window pops up with three buttons: OK, Check for Update... and Refister...

  • Click Refister...
  • It asks for an Email address and a License number to register
  • Enter abcd@hotmail.com as the Email address and 12345678 as the License number

  • Click Refister Now
  • A window pops up showing You have entered an invalid email address or license number. Please try again.

Inspection shows it was written with Microsoft Visual C++ 7.0.


Additional notes

  • Every call ultimately returns its result in eax

  • If eax holds an address, it is not the call's return value


Search approach

  • Use the string search to find the keyword.

    Note: You have entered an invalid email address or license number. Please try again.


Patching approach

  • Use jmp to skip over the verification part
  • Find the verification logic and change it so the check passes

Actual analysis

  • Open MrBills.exe

  • In the disassembly window, right-click and choose Search for (S) -> Current Module -> String references (S)

  • Search for Please try again.

  • Find "You have entered an invalid email address or license number. Please try again." and set a breakpoint on it

  • Press F9 to run the program

  • Enter abcd@hotmail.com as the Email address and 12345678 as the License number

  • Click Refister Now

  • Breaks at 004299BD | 68 70134C00 | push mrbills.4C1370 | 4C1370:"You have entered an invalid email address or license number. Please try again."

  • Step over with F8 one instruction at a time

  • When stepping over the instruction below

    004299C2 | E8 74270800 | call mrbills.4AC13B |
  • A window pops up showing You have entered an invalid email address or license number. Please try again.

  • Here we can confirm that the address 004299C2 is what pops up the verification-failure window

  • Looking upward, there is a conditional jump which, when taken, skips the instruction that pops up the message box

    004299B9 | 75 36 | jne mrbills.4299F1 |
    004299BB | 6A 30 | push 30 |
    004299BD | 68 70134C00 | push mrbills.4C1370 | 4C1370:"You have entered an invalid email address or license number. Please try again."
    004299C2 | E8 74270800 | call mrbills.4AC13B |
  • 004299B9 | 75 36 | jne mrbills.4299F1 | is the jump that skips it

  • Set a breakpoint at 004299B9

  • Remove the other breakpoints

  • Ctrl + F2 to Restart (S)

  • Press F9 to run the program

  • Enter abcd@hotmail.com as the Email address and 12345678 as the License number

  • Click Refister Now

  • Breaks at 004299B9 | 75 36 | jne mrbills.4299F1 | and the jump is not taken

  • jne not being taken means ZF=1; we change it to ZF=0

  • Press F9 to run the program

  • A window pops up showing Thank you for registering!

  • Press OK

  • We find that the program has not actually been registered

  • Here we can confirm that simply skipping the jump only changes which pop-up message is shown


  • Looking upward

    004299AD | E8 9AD7FDFF | call mrbills.40714C |
    004299B2 | 59 | pop ecx |
    004299B3 | 33DB | xor ebx,ebx |
    004299B5 | 84C0 | test al,al |
    004299B7 | 59 | pop ecx |
    004299B8 | 53 | push ebx |
    004299B9 | 75 36 | jne mrbills.4299F1 |
  • test al,al determines whether the jne is taken

  • call mrbills.40714C changes the value of al

  • Set a breakpoint at 004299AD

  • Remove the other breakpoints

  • Enter abcd@hotmail.com as the Email address and 12345678 as the License number

  • Click Refister Now

  • Breaks at 004299AD | E8 9AD7FDFF | call mrbills.40714C |

  • F7 to step into

  • Breaks at 0040714C | 55 | push ebp |

  • Step over with F8 one instruction at a time, watching how eax changes

    0040714C | 55 | push ebp |
    0040714D | 8BEC | mov ebp,esp |
    0040714F | FF75 0C | push dword ptr ss:[ebp+C] |
    00407152 | FF75 08 | push dword ptr ss:[ebp+8] |
    00407155 | E8 77FEFFFF | call mrbills.406FD1 |
    0040715A | 84C0 | test al,al |
    0040715C | 59 | pop ecx |
    0040715D | 59 | pop ecx |
    0040715E | A2 A0765000 | mov byte ptr ds:[5076A0],al |
    00407163 | 75 1B | jne mrbills.407180 |
    00407165 | FF75 0C | push dword ptr ss:[ebp+C] |
    00407168 | FF75 08 | push dword ptr ss:[ebp+8] |
    0040716B | E8 ADFEFFFF | call mrbills.40701D |
    00407170 | 84C0 | test al,al |
    00407172 | 59 | pop ecx |
    00407173 | 59 | pop ecx |
    00407174 | A2 A0765000 | mov byte ptr ds:[5076A0],al |
    00407179 | A2 A2765000 | mov byte ptr ds:[5076A2],al |
    0040717E | 74 0D | je mrbills.40718D |
  • The calls at 00407155 and 0040716B return values in eax, so both need to be stepped into with F7 and observed

  • Set breakpoints at 00407155 and 0040716B

  • Remove the other breakpoints


  • Enter abcd@hotmail.com as the Email address and 12345678 as the License number

  • Click Refister Now

  • Breaks at 00407155 | E8 77FEFFFF | call mrbills.406FD1 |

  • F7 to step into 00407155 (after stepping into 0040716B, the key point is likewise call mrbills.406F4B)

  • Breaks at 00406FD1 | B8 AB374B00 | mov eax,mrbills.4B37AB | eax:"鴨/"==&"12345678"

  • Step over with F8 one instruction at a time, watching how eax changes

    00406FD1 | B8 AB374B00 | mov eax,mrbills.4B37AB | eax:&"ORUWOZ3FOI"
    00406FD6 | E8 EDF00700 | call mrbills.4860C8 |
    00406FDB | 51 | push ecx |
    00406FDC | 53 | push ebx |
    00406FDD | FF35 A4415000 | push dword ptr ds:[5041A4] | 005041A4:&"ORUWOZ3FOI"
    00406FE3 | 8D4D F0 | lea ecx,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
    00406FE6 | E8 84B1FFFF | call mrbills.40216F |
    00406FEB | FF75 0C | push dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
    00406FEE | 8365 FC 00 | and dword ptr ss:[ebp-4],0 |
    00406FF2 | FF75 08 | push dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"
    00406FF5 | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI""
    00406FF8 | 50 | push eax | eax:&"ORUWOZ3FOI"
    00406FF9 | E8 4DFFFFFF | call mrbills.406F4B |
    00406FFE | 8B4D F0 | mov ecx,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
    00407001 | 83C4 0C | add esp,C |
    00407004 | 83C1 F0 | add ecx,FFFFFFF0 |
    00407007 | 8AD8 | mov bl,al |
    00407009 | E8 3AA1FFFF | call mrbills.401148 |
    0040700E | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] |
    00407011 | 8AC3 | mov al,bl |
    00407013 | 5B | pop ebx |
    00407014 | 64:890D 00000000 | mov dword ptr fs:[0],ecx |
    0040701B | C9 | leave |
    0040701C | C3 | ret |
  • The call at 00406FF9 returns a value in eax, so it needs to be stepped into with F7 and observed

  • F7 to step into

  • Observe the program

    00406F4B | B8 E9374B00 | mov eax,mrbills.4B37E9 | eax:&"ORUWOZ3FOI"
    00406F50 | E8 73F10700 | call mrbills.4860C8 |
    00406F55 | 51 | push ecx |
    00406F56 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"I"
    00406F59 | 53 | push ebx |
    00406F5A | 56 | push esi |
    00406F5B | FF30 | push dword ptr ds:[eax] | [eax]:"ORUWOZ3FOI"
    00406F5D | 8D45 08 | lea eax,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"I"
    00406F60 | 50 | push eax | eax:&"ORUWOZ3FOI"
    00406F61 | E8 38FBFFFF | call mrbills.406A9E |
    00406F66 | 8B45 0C | mov eax,dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
    00406F69 | FF30 | push dword ptr ds:[eax] | [eax]:"ORUWOZ3FOI"
    00406F6B | 8365 FC 00 | and dword ptr ss:[ebp-4],0 |
    00406F6F | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI""
    00406F72 | 50 | push eax | eax:&"ORUWOZ3FOI"
    00406F73 | E8 26FBFFFF | call mrbills.406A9E |
    00406F78 | FF75 10 | push dword ptr ss:[ebp+10] |
    00406F7B | C645 FC 01 | mov byte ptr ss:[ebp-4],1 |
    00406F7F | 50 | push eax | eax:&"ORUWOZ3FOI"
    00406F80 | 8D45 08 | lea eax,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"I"
    00406F83 | 50 | push eax | eax:&"ORUWOZ3FOI"
    00406F84 | 8D45 0C | lea eax,dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
    00406F87 | 50 | push eax | eax:&"ORUWOZ3FOI"
    00406F88 | E8 89FDFFFF | call mrbills.406D16 |
    00406F8D | FF30 | push dword ptr ds:[eax] | [eax]:"ORUWOZ3FOI"
    00406F8F | 8B75 08 | mov esi,dword ptr ss:[ebp+8] | [ebp+8]:&"12345678"
    00406F92 | 56 | push esi |
    00406F93 | E8 4FF10700 | call mrbills.4860E7 |
    00406F98 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C] | [ebp+C]:"(j0"==&"abcd@hotmail.com"
    00406F9B | 83C4 28 | add esp,28 |
    00406F9E | 8BD8 | mov ebx,eax | eax:&"ORUWOZ3FOI"
    00406FA0 | F7DB | neg ebx |
    00406FA2 | 1ADB | sbb bl,bl |
    00406FA4 | 83C1 F0 | add ecx,FFFFFFF0 |
    00406FA7 | FEC3 | inc bl |
    00406FA9 | E8 9AA1FFFF | call mrbills.401148 |
    00406FAE | 8B4D F0 | mov ecx,dword ptr ss:[ebp-10] | [ebp-10]:"ORUWOZ3FOI"
    00406FB1 | 83C1 F0 | add ecx,FFFFFFF0 |
    00406FB4 | E8 8FA1FFFF | call mrbills.401148 |
    00406FB9 | 8D4E F0 | lea ecx,dword ptr ds:[esi-10] |
    00406FBC | E8 87A1FFFF | call mrbills.401148 |
    00406FC1 | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] |
    00406FC4 | 5E | pop esi |
    00406FC5 | 8AC3 | mov al,bl |
    00406FC7 | 5B | pop ebx |
    00406FC8 | 64:890D 00000000 | mov dword ptr fs:[0],ecx |
    00406FCF | C9 | leave |
    00406FD0 | C3 | ret |
  • The calls in between were not followed into; the assumption is that they all check whether registration succeeded

  • 00406FC5 | 8AC3 | mov al,bl | is the last place a value is written into eax

  • Here we can assume that the eax returned at 00406FC5 indicates whether registration succeeded

  • At 00406FC5 | 8AC3 | mov al,bl | press the space bar

  • Change the instruction to mov al, 0X1 and press OK

  • After modification:

    // before
    00406FC5 | 8AC3 | mov al,bl |
    // after
    00406FC5 | B0 01 | mov al,1 |
  • Press F9 to run the program

  • A window pops up showing Thank you for registering!

  • Press OK

  • Congratulations, the program is now really registered


Analysis summary

  • 00406FC5 returns in eax the key value indicating whether registration succeeded

Patching approach

Based on the analysis summary:

  • Patch it to assign al the value 0x1 directly

Actual patch

  • Open MrBills.exe

  • At 00406FC5 | 8AC3 | mov al,bl | press the space bar

  • Change the instruction to mov al, 0X1 and press OK

  • After modification:

    // before
    00406FC5 | 8AC3 | mov al,bl |
    // after
    00406FC5 | B0 01 | mov al,1 |
  • Click Patches, or use the shortcut Ctrl + P

  • Click Patch File (P)

  • Save as MrBills.crack.exe

  • Congratulations, the patch MrBills.crack.exe has been produced


Note: the above drew on
x64dbg
x64dbg's documentation!
CSDN, billvsme's column: OllyDbg Usage Notes (8)
Zhihu: Assembly Language, Complete x86 Instruction Set