Shulou(Shulou.com)06/01 Report--

I was reading the post that Xuefa asked for the code two years ago. I haven't touched this thing for a long time. I suddenly thought I was still alive today. Back up the link to see the snow

A few days ago, I saw someone asking for help that there was a problem during loading and debugging after shelling, so I tried it myself, and I didn't find any so-called problems.

I am still a temporary member, and I can't come up with any material to become a regular member. Now I will write out this process for everyone to comment on. In view of their limited level, do not dare to show off in front of Daniel, this article is written for rookies like me to learn and communicate, I rookie, but also hope you Daniel's advice.

Don't say much nonsense, let's go to the text

Step 1: use PEiD to detect the shell

UPX 0.89.6-1.02 / 1.05-1.24-> Markus & Laszlo

Step 2: shelling

1 、

00673C50 > $60 PUSHAD

00673C51. BE 00C05100 MOV ESI, Youyi ip generation. 0051C000

00673C56. 8DBE 0050EEFF LEA EDI,DWORD PTR DS: [ESI+FFEE5000]

00673C5C. 57 PUSH EDI

00673C5D. 83CD FF OR EBP,FFFFFFFF

00673C60. EB 10 JMP SHORT Youyi ip generation. 00673C72

After loading OD, I see PUSHAD. Since there is a stack, there must be a stack. When the stack is off, the shell restores the real original program.

0012FF6C 00000000

0012FF70 00000000

0012FF74 0012FF94

0012FF78 0012FF8C

0012FF7C 7FFD3000

0012FF80 00673C50 is easy for ip generation.

0012FF84 00000000

0012FF88 768CED5A kernel32.BaseThreadInitThunk

The content of the stack after the first push of the stack ~ ~ then comes the breakpoint

2 、

Enter the command hw 12FF6C and press F9

Next, it's near the exit, isn't it? Isn't it amazing?

3 、

Just use OD to remove the shell after the jump.

Using PEiD to detect

Microsoft Visual C++ 6.0

Step 3: crack

1 、

Click authentic authentication

It turns out that if you want to buy a serial number, but also buy it online, the worst thing is through QQ.

It seems that this is not an ordinary user name & registration code thing, and then take a look at the restrictions. After looking for it for a long time, it turns out that a box will pop up after 5 minutes of running the program.

Since you can't get the genuine copy through the serial number, you can at least remove the 300-second limit. Come on~~~

2 、

If the program wants to check the time, there must be a timer, and most programs call SetTimer to achieve ~ try one, if it works

3 、

A, load with OD, set breakpoint in SetTimer and press F9 to run

B. I wanted to jump back to the airspace of the program directly with Alt+F9, but I found that it was not the place to call SetTimer after the jump.

C, execute a

D, since b can't do this, just take it one step at a time.

Press F8, you can see which airspace you are in. If it is not the program airspace, press F9, then come to SetTimer, press F8.

Loop the steps on the previous line until you return to the airspace of the program. Don't cancel the breakpoint, or the program will get out of hand. After going back and forth from SetTimer several times, we finally returned to the airspace of our lovely program.

Look at the notes. That's right if there is no USER32.SetTimer.

E 、

0048E750 6A 00 PUSH 0

0048E752 68 C8000000 PUSH 0C8

0048E757 6A 01 PUSH 1

0048E759 50 PUSH EAX

0048E75A FF15 ECE54E00 CALL DWORD PTR DS: []; USER32.SetTimer

0048E760 8BC7 MOV EAX,EDI

We look up at four PUSH. These are the things needed to call SetTimer. All we need to do is to prevent the program from generating events like SetTimer, so that we can take care of the timing function of the program, hehe.

The specific way is to change the 0048E750 6A 00 PUSH 0 to JMP 0048E760.

F, OK, save ~

G, the next step is to test whether it is successful or not, which is obviously not a problem in theory. Open the program to run, tick-tock, 5 minutes later, unexpectedly popped up this thing again. Nani, let's do the axif step again, and then there will be no more prompts to close the box in 5 minutes.

The original program has two places to call SetTimer, but now it is still an unregistered version, the function is basically available, but now there is no prompt to close the program. In view of the fact that mine is a campus network, it is a bit difficult to debug.

The level is limited, welcome to comment.

Attachment: http://down.51cto.com/data/2362454

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.