放点古老资料:
BP OutputDebugStringA 断下第二次后:
// 7.x版本
// ebp在堆栈跟随
$-28 > 72C8BCEC // KEY11
$-24 > 11D2B505 // KEY12
$-20 > 2AD7A3FF // KEY13
$-1C > 249758E3 // KEY14
$-18 > 00000000
$-14 > 54677693 // CRC32
// Patch方法
; patch CRC values
; Version 7.x: store the expected CRC32 and the four key dwords (values captured from an
; unmodified run, see the stack dump above) into the frame locals the check reads.
; NOTE(review): eax is pushed but never popped within this snippet, so as written the stack
; is left one dword deeper than on entry; the newer-version snippet ends with pop eax.
push eax
mov dword ptr ds:[ebp-0x14],0x54677693   ; CRC32
mov dword ptr ds:[ebp-0x1C],0x249758E3   ; KEY14
mov dword ptr ds:[ebp-0x20],0x2AD7A3FF   ; KEY13
mov dword ptr ds:[ebp-0x24],0x11D2B505   ; KEY12
mov dword ptr ds:[ebp-0x28],0x72C8BCEC   ; KEY11
// 高版本的复杂一点点
; OllyDbg-style listing (address, opcode bytes, instruction) of the integrity-check /
; decrypt path that follows the OutputDebugStringA call in the newer version. It is a
; dump, not assemblable source.
; Flow as visible here: three dwords read from the UserData object are XORed with the
; CRC32 local at [EBP-0x14]; the result seeds [EBP-0x18]; the buffer at [EBP-0x124] is
; then walked one dword at a time, each dword XORed with the value returned by
; CALL 05027FA0 (presumably a keystream step over the state at [EBP-0x18]; its body is
; not shown here); finally the TEA routine is called cdecl with (key table, buffer, length, 0).
; Hardening note: everything the check depends on (the CRC32 local, the key table at a
; fixed immediate address) lives in writable process memory, so a check that relies only
; on in-process state can be satisfied in place; the CRC32 itself is a non-cryptographic
; checksum and gives no tamper resistance on its own.
0507AC79 FF15 C0111505   CALL NEAR DWORD PTR DS:[0x51511C0]   ; KernelBa.OutputDebugStringA ; once inside, [ebp-0x14] == CRC32
0507AC7F 68 58501505     PUSH 0x5155058
0507AC84 E8 87750200     CALL 050A2210
0507AC89 83C4 04         ADD ESP, 0x4
0507AC8C 8B0D 84C61805   MOV ECX, DWORD PTR DS:[0x518C684]   ; UserData.044EFCB8
0507AC92 8B15 84C61805   MOV EDX, DWORD PTR DS:[0x518C684]   ; UserData.044EFCB8
0507AC98 A1 84C61805     MOV EAX, DWORD PTR DS:[0x518C684]
0507AC9D 8B40 64         MOV EAX, DWORD PTR DS:[EAX+0x64]    ; eax = obj->field_64
0507ACA0 3342 3C         XOR EAX, DWORD PTR DS:[EDX+0x3C]    ; ^= obj->field_3C
0507ACA3 3341 44         XOR EAX, DWORD PTR DS:[ECX+0x44]    ; ^= obj->field_44
0507ACA6 3345 EC         XOR EAX, DWORD PTR SS:[EBP-0x14]    ; // CRC32 value
0507ACA9 8985 04F8FFFF   MOV DWORD PTR SS:[EBP-0x7FC], EAX
0507ACAF 8B8D 04F8FFFF   MOV ECX, DWORD PTR SS:[EBP-0x7FC]
0507ACB5 894D E8         MOV DWORD PTR SS:[EBP-0x18], ECX    ; [EBP-0x18] = combined seed
0507ACB8 8B15 7C541905   MOV EDX, DWORD PTR DS:[0x519547C]   ; UserData.04613B0E
0507ACBE 8995 DCFEFFFF   MOV DWORD PTR SS:[EBP-0x124], EDX   ; cursor = buffer start
0507ACC4 8B85 D4FEFFFF   MOV EAX, DWORD PTR SS:[EBP-0x12C]   ; length in bytes
0507ACCA C1E8 02         SHR EAX, 0x2                        ; length in dwords
0507ACCD 8B8D DCFEFFFF   MOV ECX, DWORD PTR SS:[EBP-0x124]
0507ACD3 8D1481          LEA EDX, DWORD PTR DS:[ECX+EAX*4]
0507ACD6 8995 90FEFFFF   MOV DWORD PTR SS:[EBP-0x170], EDX   ; end = buffer + (len/4)*4
0507ACDC 8B85 DCFEFFFF   MOV EAX, DWORD PTR SS:[EBP-0x124]   ; loop: while (cursor < end)
0507ACE2 3B85 90FEFFFF   CMP EAX, DWORD PTR SS:[EBP-0x170]
0507ACE8 73 29           JNB SHORT 0507AD13                  ; unsigned compare: exit when cursor >= end
0507ACEA 8D4D E8         LEA ECX, DWORD PTR SS:[EBP-0x18]    ; ecx = &seed state (thiscall-like)
0507ACED E8 AED2FAFF     CALL 05027FA0                       ; eax = next keystream dword (presumed; body not shown)
0507ACF2 8B8D DCFEFFFF   MOV ECX, DWORD PTR SS:[EBP-0x124]
0507ACF8 3301            XOR EAX, DWORD PTR DS:[ECX]         ; *cursor ^= keystream
0507ACFA 8B95 DCFEFFFF   MOV EDX, DWORD PTR SS:[EBP-0x124]
0507AD00 8902            MOV DWORD PTR DS:[EDX], EAX
0507AD02 8B85 DCFEFFFF   MOV EAX, DWORD PTR SS:[EBP-0x124]
0507AD08 83C0 04         ADD EAX, 0x4                        ; cursor += 4
0507AD0B 8985 DCFEFFFF   MOV DWORD PTR SS:[EBP-0x124], EAX
0507AD11 ^ EB C9         JMP SHORT 0507ACDC
0507AD13 6A 00           PUSH 0x0                            ; arg4 = 0
0507AD15 8B8D D4FEFFFF   MOV ECX, DWORD PTR SS:[EBP-0x12C]
0507AD1B 51              PUSH ECX                            ; arg3 = length
0507AD1C 8B15 7C541905   MOV EDX, DWORD PTR DS:[0x519547C]   ; UserData.04613B0E
0507AD22 52              PUSH EDX                            ; arg2 = buffer
0507AD23 68 84541905     PUSH 0x5195484                      ; arg1 = key, 4 dwords, captured from the original build
0507AD28 E8 C3660200     CALL 050A13F0                       ; TEA decryption
0507AD2D 83C4 10         ADD ESP, 0x10                       ; cdecl: caller pops 4 args
// Patch方法:
; patch CRC values
; Newer version: besides the CRC32 at [ebp-0x14], the four-dword key table is restored.
; Assumes this runs at the OutputDebugStringA breakpoint, after push eax: [esp+4] is then
; the return address into the caller (0507AC7F in the listing above), and
; 0507AC7F + 0xA5 = 0507AD24 is the imm32 of `PUSH 0x5195484`, i.e. the key-table address
; is read out of the caller's code rather than hard-coded.
; TODO confirm the 0xA5 delta against the exact build being examined; it shifts if the
; caller's code layout changes.
push eax
mov dword ptr ds:[ebp-0x14],0x49347234   ; CRC32 expected by this version
mov eax,dword ptr ds:[esp+4]             ; return address into caller
mov eax,dword ptr ds:[eax+0xA5]          ; imm32 of PUSH <key table>
mov dword ptr ds:[eax],0x27507ED0        ; key[0]
mov dword ptr ds:[eax+4],0xF8C0577C      ; key[1]
mov dword ptr ds:[eax+8],0x2AA3FF6       ; key[2]
mov dword ptr ds:[eax+0xC],0x41EDD1E5    ; key[3]
pop eax