环境:
Windows xp sp3
工具:
exeinfope, ollydbg
查壳:
用exeinfope查壳,发现加了壳 -- WWPack32 ver 1.xx ,用f8单步调试法,脱壳。
脱掉之后发现是delphi写的
运行之后发现界面整洁,目标明确,输入一个serial后会生成一串数字,使得生成的数字和界面的数字相同。
因为这次即使输入不正确,也不会出现错误提示。幸好,当serial为空的时候点“spider"会有错误消息框出现。
在栈中找到这次错误消息框函数调用的位置,下断点,再输入serial,观察是否被断下,如果没有就找更前一点的函数调用的位置。
直到当输入serial后点确定会被断下来。
可以找到这里:
0044A314 |. E8 EFD6FBFF call unpack.00407A08
0044A319 |. 8BF0 mov esi,eax
0044A31B |. 8B45 FC mov eax,[local.1]
0044A31E |. E8 5DD7FBFF call unpack.00407A80 ; 这里是算出serial的值的地方
0044A323 |. 52 push edx
0044A324 |. 50 push eax
0044A325 |. 8BC6 mov eax,esi
0044A327 |. 99 cdq
0044A328 |. 030424 add eax,dword ptr ss:[esp] ; 这里是加上算出来的值
0044A32B |. 135424 04 adc edx,dword ptr ss:[esp+0x4]
0044A32F |. 83C4 08 add esp,0x8
0044A332 |. 52 push edx
0044A333 |. 50 push eax
0044A334 |. 8BC6 mov eax,esi
0044A336 |. 99 cdq
0044A337 |. 030424 add eax,dword ptr ss:[esp] ; 这里也是,所以可以理解为算出的serial *= 3
0044A33A |. 135424 04 adc edx,dword ptr ss:[esp+0x4]
0044A33E |. 83C4 08 add esp,0x8
在0044A31E进去:
00407A80 /$ 55 push ebp
00407A81 |. 8BEC mov ebp,esp
00407A83 |. 83C4 E8 add esp,-0x18
00407A86 |. 53 push ebx
00407A87 |. 33D2 xor edx,edx
00407A89 |. 8955 F0 mov [local.4],edx
00407A8C |. 8BD8 mov ebx,eax
00407A8E |. 33C0 xor eax,eax
00407A90 |. 55 push ebp
00407A91 |. 68 EB7A4000 push unpack.00407AEB
00407A96 |. 64:FF30 push dword ptr fs:[eax]
00407A99 |. 64:8920 mov dword ptr fs:[eax],esp
00407A9C |. 8D55 F4 lea edx,[local.3]
00407A9F |. 8BC3 mov eax,ebx
00407AA1 |. E8 4ECEFFFF call unpack.004048F4 ; 这里是计算的地方
00407AA6 |. 8945 F8 mov [local.2],eax
00407AA9 |. 8955 FC mov [local.1],edx
00407AAC |. 837D F4 00 cmp [local.3],0x0
00407AB0 |. 74 23 je Xunpack.00407AD5
00407AB2 |. 8D55 F0 lea edx,[local.4]
00407AB5 |. A1 7CBC4400 mov eax,dword ptr ds:[0x44BC7C]
00407ABA |. E8 2DD6FFFF call unpack.004050EC
00407ABF |. 8B45 F0 mov eax,[local.4]
00407AC2 |. 50 push eax
00407AC3 |. 895D E8 mov [local.6],ebx
00407AC6 |. C645 EC 0B mov byte ptr ss:[ebp-0x14],0xB
00407ACA |. 8D55 E8 lea edx,[local.6]
00407ACD |. 33C9 xor ecx,ecx
00407ACF |. 58 pop eax
00407AD0 |. E8 B7FCFFFF call unpack.0040778C
00407AD5 |> 33C0 xor eax,eax
00407AD7 |. 5A pop edx
00407AD8 |. 59 pop ecx
00407AD9 |. 59 pop ecx
00407ADA |. 64:8910 mov dword ptr fs:[eax],edx
00407ADD |. 68 F27A4000 push unpack.00407AF2
00407AE2 |> 8D45 F0 lea eax,[local.4]
00407AE5 |. E8 72BDFFFF call unpack.0040385C
00407AEA \. C3 retn
在00407AA1跟进去:
004048F4 /$ 53 push ebx
004048F5 |. 56 push esi
004048F6 |. 57 push edi
004048F7 |. 55 push ebp
004048F8 |. 83C4 EC add esp,-0x14
004048FB |. 891424 mov dword ptr ss:[esp],edx
004048FE |. 8BF0 mov esi,eax
00404900 |. BD 01000000 mov ebp,0x1
00404905 |. 33FF xor edi,edi
00404907 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0
0040490F |. C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0
00404917 |. 85F6 test esi,esi
00404919 |. 75 0B jnz Xunpack.00404926
0040491B |. 8B0424 mov eax,dword ptr ss:[esp]
0040491E |. 8928 mov dword ptr ds:[eax],ebp
00404920 |. E9 E1010000 jmp unpack.00404B06
00404925 |> 45 /inc ebp
00404926 |> 807C2E FF 20 cmp byte ptr ds:[esi+ebp-0x1],0x20
0040492B |.^ 74 F8 \je Xunpack.00404925
0040492D |. C64424 10 00 mov byte ptr ss:[esp+0x10],0x0
00404932 |. 8A442E FF mov al,byte ptr ds:[esi+ebp-0x1]
00404936 |. 3C 2D cmp al,0x2D
00404938 |. 75 08 jnz Xunpack.00404942
0040493A |. C64424 10 01 mov byte ptr ss:[esp+0x10],0x1
0040493F |. 45 inc ebp
00404940 |. EB 05 jmp Xunpack.00404947
00404942 |> 3C 2B cmp al,0x2B
00404944 |. 75 01 jnz Xunpack.00404947
00404946 |. 45 inc ebp
00404947 |> B3 01 mov bl,0x1
00404949 |. 807C2E FF 24 cmp byte ptr ds:[esi+ebp-0x1],0x24
0040494E |. 74 1B je Xunpack.0040496B
00404950 |. 807C2E FF 30 cmp byte ptr ds:[esi+ebp-0x1],0x30
00404955 |. 0F85 DA000000 jnz unpack.00404A35
0040495B |. 8A042E mov al,byte ptr ds:[esi+ebp]
0040495E |. E8 99DEFFFF call unpack.004027FC
00404963 |. 3C 58 cmp al,0x58
00404965 |. 0F85 CA000000 jnz unpack.00404A35
0040496B |> 807C2E FF 30 cmp byte ptr ds:[esi+ebp-0x1],0x30
00404970 |. 75 01 jnz Xunpack.00404973
00404972 |. 45 inc ebp
00404973 |> 45 inc ebp
00404974 |> 8A442E FF /mov al,byte ptr ds:[esi+ebp-0x1]
00404978 |. 8BD0 |mov edx,eax
0040497A |. 80C2 D0 |add dl,0xD0 ; Switch (cases FFFFFD61..FFFFFF39)
0040497D |. 80EA 0A |sub dl,0xA
00404980 |. 72 12 |jb Xunpack.00404994
00404982 |. 80C2 F9 |add dl,0xF9
00404985 |. 80EA 06 |sub dl,0x6
00404988 |. 72 17 |jb Xunpack.004049A1
0040498A |. 80C2 E6 |add dl,0xE6
0040498D |. 80EA 06 |sub dl,0x6
00404990 |. 72 1C |jb Xunpack.004049AE
00404992 |. EB 7A |jmp Xunpack.00404A0E
00404994 |> 8BF8 |mov edi,eax ; Cases FFFFFF30,FFFFFF31,FFFFFF32,FFFFFF33,FFFFFF34,FFFFFF35,FFFFFF36,FFFFFF37,FFFFFF38,FFFFFF39 of switch 0040497A
00404996 |. 81E7 FF000000 |and edi,0xFF
0040499C |. 83EF 30 |sub edi,0x30
0040499F |. EB 18 |jmp Xunpack.004049B9
004049A1 |> 8BF8 |mov edi,eax ; Cases FFFFFE41,FFFFFE42,FFFFFE43,FFFFFE44,FFFFFE45,FFFFFE46 of switch 0040497A
004049A3 |. 81E7 FF000000 |and edi,0xFF
004049A9 |. 83EF 37 |sub edi,0x37
004049AC |. EB 0B |jmp Xunpack.004049B9
004049AE |> 8BF8 |mov edi,eax ; Cases FFFFFD61,FFFFFD62,FFFFFD63,FFFFFD64,FFFFFD65,FFFFFD66 of switch 0040497A
004049B0 |. 81E7 FF000000 |and edi,0xFF
004049B6 |. 83EF 57 |sub edi,0x57
004049B9 |> 837C24 0C 00 |cmp dword ptr ss:[esp+0xC],0x0
004049BE |. 75 09 |jnz Xunpack.004049C9
004049C0 |. 837C24 08 00 |cmp dword ptr ss:[esp+0x8],0x0
004049C5 |. 72 47 |jb Xunpack.00404A0E
004049C7 |. EB 02 |jmp Xunpack.004049CB
004049C9 |> 7C 43 |jl Xunpack.00404A0E
004049CB |> 817C24 0C FFF>|cmp dword ptr ss:[esp+0xC],0xFFFFFFF
004049D3 |. 75 09 |jnz Xunpack.004049DE
004049D5 |. 837C24 08 FF |cmp dword ptr ss:[esp+0x8],-0x1
004049DA |. 76 04 |jbe Xunpack.004049E0
004049DC |. EB 30 |jmp Xunpack.00404A0E
004049DE |> 7F 2E |jg Xunpack.00404A0E
004049E0 |> 8BC7 |mov eax,edi
004049E2 |. 99 |cdq
004049E3 |. 52 |push edx
004049E4 |. 50 |push eax
004049E5 |. 8B4424 10 |mov eax,dword ptr ss:[esp+0x10]
004049E9 |. 8B5424 14 |mov edx,dword ptr ss:[esp+0x14]
004049ED |. 0FA4C2 04 |shld edx,eax,0x4
004049F1 |. C1E0 04 |shl eax,0x4
004049F4 |. 030424 |add eax,dword ptr ss:[esp]
004049F7 |. 135424 04 |adc edx,dword ptr ss:[esp+0x4]
004049FB |. 83C4 08 |add esp,0x8
004049FE |. 894424 08 |mov dword ptr ss:[esp+0x8],eax
00404A02 |. 895424 0C |mov dword ptr ss:[esp+0xC],edx
00404A06 |. 45 |inc ebp
00404A07 |. 33DB |xor ebx,ebx
00404A09 |.^ E9 66FFFFFF \jmp unpack.00404974
00404A0E |> 807C24 10 00 cmp byte ptr ss:[esp+0x10],0x0 ; Default case of switch 0040497A
00404A13 |. 0F84 D3000000 je unpack.00404AEC
00404A19 |. 8B4424 08 mov eax,dword ptr ss:[esp+0x8]
00404A1D |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00404A21 |. F7D8 neg eax
00404A23 |. 83D2 00 adc edx,0x0
00404A26 |. F7DA neg edx
00404A28 |. 894424 08 mov dword ptr ss:[esp+0x8],eax
00404A2C |. 895424 0C mov dword ptr ss:[esp+0xC],edx
00404A30 |. E9 B7000000 jmp unpack.00404AEC
00404A35 |> 8A442E FF /mov al,byte ptr ds:[esi+ebp-0x1] ; 前面的作用也不大,主要看这里
00404A39 |. 8BD0 |mov edx,eax
00404A3B |. 80C2 D0 |add dl,0xD0
00404A3E |. 80EA 0A |sub dl,0xA
00404A41 |. 73 62 |jnb Xunpack.00404AA5
00404A43 |. 8BF8 |mov edi,eax
00404A45 |. 81E7 FF000000 |and edi,0xFF ;
00404A4B |. 83EF 30 |sub edi,0x30 ; 这里是将输入的字符转成对应的值。
00404A4E |. 837C24 0C 00 |cmp dword ptr ss:[esp+0xC],0x0
00404A53 |. 75 09 |jnz Xunpack.00404A5E
00404A55 |. 837C24 08 00 |cmp dword ptr ss:[esp+0x8],0x0
00404A5A |. 72 49 |jb Xunpack.00404AA5
00404A5C |. EB 02 |jmp Xunpack.00404A60
00404A5E |> 7C 45 |jl Xunpack.00404AA5
00404A60 |> 817C24 0C CCC>|cmp dword ptr ss:[esp+0xC],0xCCCCCCC
00404A68 |. 75 0C |jnz Xunpack.00404A76
00404A6A |. 817C24 08 CCC>|cmp dword ptr ss:[esp+0x8],0xCCCCCCCC
00404A72 |. 76 04 |jbe Xunpack.00404A78
00404A74 |. EB 2F |jmp Xunpack.00404AA5
00404A76 |> 7F 2D |jg Xunpack.00404AA5
00404A78 |> 6A 00 |push 0x0
00404A7A |. 6A 0A |push 0xA
00404A7C |. 8B4424 10 |mov eax,dword ptr ss:[esp+0x10]
00404A80 |. 8B5424 14 |mov edx,dword ptr ss:[esp+0x14]
00404A84 |. E8 F30E0000 |call unpack.0040597C ; 这个call是将之前算出的值*0xA,第一次执行循环时为0
00404A89 |. 52 |push edx
00404A8A |. 50 |push eax
00404A8B |. 8BC7 |mov eax,edi
00404A8D |. 99 |cdq
00404A8E |. 030424 |add eax,dword ptr ss:[esp] ; 这里是将上面的call算出来的值加上字符对应的值(也就是00404A4B算出的结果的值)
00404A91 |. 135424 04 |adc edx,dword ptr ss:[esp+0x4]
00404A95 |. 83C4 08 |add esp,0x8
00404A98 |. 894424 08 |mov dword ptr ss:[esp+0x8],eax
00404A9C |. 895424 0C |mov dword ptr ss:[esp+0xC],edx
00404AA0 |. 45 |inc ebp
00404AA1 |. 33DB |xor ebx,ebx
00404AA3 |.^ EB 90 \jmp Xunpack.00404A35
00404AA5 |> 807C24 10 00 cmp byte ptr ss:[esp+0x10],0x0
00404AAA |. 74 17 je Xunpack.00404AC3
00404AAC |. 8B4424 08 mov eax,dword ptr ss:[esp+0x8]
00404AB0 |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00404AB4 |. F7D8 neg eax
00404AB6 |. 83D2 00 adc edx,0x0
00404AB9 |. F7DA neg edx
00404ABB |. 894424 08 mov dword ptr ss:[esp+0x8],eax
00404ABF |. 895424 0C mov dword ptr ss:[esp+0xC],edx
00404AC3 |> 837C24 0C 00 cmp dword ptr ss:[esp+0xC],0x0
00404AC8 |. 75 05 jnz Xunpack.00404ACF
00404ACA |. 837C24 08 00 cmp dword ptr ss:[esp+0x8],0x0
00404ACF |> 74 1B je Xunpack.00404AEC
00404AD1 |. 837C24 0C 00 cmp dword ptr ss:[esp+0xC],0x0
00404AD6 |. 75 0A jnz Xunpack.00404AE2
00404AD8 |. 837C24 08 00 cmp dword ptr ss:[esp+0x8],0x0
00404ADD |. 0F92C0 setb al
00404AE0 |. EB 03 jmp Xunpack.00404AE5
00404AE2 |> 0F9CC0 setl al
00404AE5 |> 3A4424 10 cmp al,byte ptr ss:[esp+0x10]
00404AE9 |. 74 01 je Xunpack.00404AEC
00404AEB |. 4D dec ebp
00404AEC |> 807C2E FF 00 cmp byte ptr ds:[esi+ebp-0x1],0x0
00404AF1 |. 0F95C0 setne al
00404AF4 |. 0AD8 or bl,al
00404AF6 |. 74 07 je Xunpack.00404AFF
00404AF8 |. 8B0424 mov eax,dword ptr ss:[esp]
00404AFB |. 8928 mov dword ptr ds:[eax],ebp
00404AFD |. EB 07 jmp Xunpack.00404B06
00404AFF |> 8B0424 mov eax,dword ptr ss:[esp]
00404B02 |. 33D2 xor edx,edx
00404B04 |. 8910 mov dword ptr ds:[eax],edx
00404B06 |> 8B4424 08 mov eax,dword ptr ss:[esp+0x8]
00404B0A |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00404B0E |. 83C4 14 add esp,0x14
00404B11 |. 5D pop ebp
00404B12 |. 5F pop edi
00404B13 |. 5E pop esi
00404B14 |. 5B pop ebx
00404B15 \. C3 retn
)
2——安装Java运行环境(JDK))
:搜索范围)
)
 - 12-26没有弄完 - 暂停)
![[C++]搞清楚类中构造与析构的顺序](http://pic.xiahunao.cn/[C++]搞清楚类中构造与析构的顺序)
...)
大全 建立你自己的菜单)