Posted by: forum user  Posted: 2022-04-20 10:04
1 answer in total
Helpful user  Time: 2023-06-28 06:19
First load this file in OD and search for the string "isvip". Once found, set a breakpoint on the call statement just above the "register.ini" statement that sits above it.
21987044 . E8 C882FFFF CALL XLUser.2197F311 ; set a breakpoint here, F7 to step in
21987049 . 68 B43D9921 PUSH XLUser.21993DB4 ; register.ini
2198704E . 8D86 14050000 LEA EAX,DWORD PTR DS:[ESI+514]
21987054 . 50 PUSH EAX
21987055 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
21987058 . 50 PUSH EAX
21987059 . E8 CE4EFFFF CALL XLUser.2197BF2C
2198705E . 83C4 0C ADD ESP,0C
21987061 . 80BE FC050000>CMP BYTE PTR DS:[ESI+5FC],0
21987068 . C645 FC 12 MOV BYTE PTR SS:[EBP-4],12
2198706C . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
2198706F . 74 0E JE SHORT XLUser.2198707F
21987071 . FF15 DC209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<cha>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
21987077 . 50 PUSH EAX
21987078 . 68 C8259921 PUSH XLUser.219925C8 ; 1
2198707D . EB 0C JMP SHORT XLUser.2198708B
2198707F > FF15 DC209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<cha>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
21987085 . 50 PUSH EAX
21987086 . 68 C4259921 PUSH XLUser.219925C4 ; 0
2198708B > 68 003A9921 PUSH XLUser.21993A00 ; |isvip
21987090 . 68 F8399921 PUSH XLUser.219939F8 ; |login
21987095 . FF15 34209921 CALL DWORD PTR DS:[<&KERNEL32.WritePrivateProfileS>; \WritePrivateProfileStringA
————————————————————————————————————
Now load "Thunder.exe" in OD and press F9 to run Thunder. When it breaks here, F7 to step in.
21987044 . E8 C882FFFF CALL XLUser.2197F311 ; set a breakpoint here, F7 to step in
After entering the call subroutine, we look for the end of the subroutine. Once found, locate the last jump statement, then the call statement above that jump, set a breakpoint on that call, then press F9; when the program breaks, F7 to step in.
————————————————————————————————————
2197F311 /$ 55 PUSH EBP ; start of the subroutine
2197F312 |. 8BEC MOV EBP,ESP
2197F314 |. 51 PUSH ECX
2197F315 |. 53 PUSH EBX
2197F316 |. 56 PUSH ESI
2197F317 |. 8BF1 MOV ESI,ECX
2197F319 |. 57 PUSH EDI
2197F31A |. 8D9E 4C100000 LEA EBX,DWORD PTR DS:[ESI+104C]
2197F320 |. 53 PUSH EBX ; /pCriticalSection
2197F321 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; |
2197F324 |. FF15 24209921 CALL DWORD PTR DS:[<&KERNEL32.EnterCriticalSection>] ; \EnterCriticalSection
2197F32A |. 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
2197F32D |. 39BE 24100000 CMP DWORD PTR DS:[ESI+1024],EDI
2197F333 |. 75 06 JNZ SHORT XLUser.2197F33B
2197F335 |. 53 PUSH EBX
2197F336 |. E9 ED000000 JMP XLUser.2197F428
2197F33B |> 33DB XOR EBX,EBX
2197F33D |. 399E 100000 CMP DWORD PTR DS:[ESI+10],EBX
2197F343 |. 74 2F JE SHORT XLUser.2197F374
2197F345 |. 83FF 02 CMP EDI,2
2197F348 |. 75 0F JNZ SHORT XLUser.2197F359
2197F34A |. 399E A4000000 CMP DWORD PTR DS:[ESI+A4],EBX
2197F350 |. 75 07 JNZ SHORT XLUser.2197F359
2197F352 |. 8BCE MOV ECX,ESI
2197F354 |. E8 AED9FFFF CALL XLUser.2197CD07
2197F359 |> 399E 100000 CMP DWORD PTR DS:[ESI+10],EBX
2197F35F |. 74 13 JE SHORT XLUser.2197F374
2197F361 |. 3BFB CMP EDI,EBX
2197F363 |. 75 0F JNZ SHORT XLUser.2197F374
2197F365 |. 399E A4000000 CMP DWORD PTR DS:[ESI+A4],EBX
2197F36B |. 75 07 JNZ SHORT XLUser.2197F374
2197F36D |. 8BCE MOV ECX,ESI
2197F36F |. E8 C8D9FFFF CALL XLUser.2197CD3C
2197F374 |> 3BFB CMP EDI,EBX
2197F376 |. 8B86 24100000 MOV EAX,DWORD PTR DS:[ESI+1024]
2197F37C |. 8986 28100000 MOV DWORD PTR DS:[ESI+1028],EAX
2197F382 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
2197F385 |. 89BE 24100000 MOV DWORD PTR DS:[ESI+1024],EDI
2197F38B |. 8986 2C100000 MOV DWORD PTR DS:[ESI+102C],EAX
2197F391 |. 75 69 JNZ SHORT XLUser.2197F3FC
2197F393 |. 68 F0229921 PUSH XLUser.219922F0
2197F398 |. 8D8E F0060000 LEA ECX,DWORD PTR DS:[ESI+6F0]
2197F39E |. 889E FC050000 MOV BYTE PTR DS:[ESI+5FC],BL
2197F3A4 |. FF15 E8209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<char,std>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
2197F3AA |. 68 484C9921 PUSH XLUser.21994C48 ; 19000000
2197F3AF |. 8D8E 3C060000 LEA ECX,DWORD PTR DS:[ESI+63C]
2197F3B5 |. 899E 34060000 MOV DWORD PTR DS:[ESI+634],EBX
2197F3BB |. 899E 38060000 MOV DWORD PTR DS:[ESI+638],EBX
2197F3C1 |. FF15 E8209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<char,std>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
2197F3C7 |. 8D8E D4060000 LEA ECX,DWORD PTR DS:[ESI+6D4]
2197F3CD |. 899E 10060000 MOV DWORD PTR DS:[ESI+610],EBX
2197F3D3 |. 899E 14060000 MOV DWORD PTR DS:[ESI+614],EBX
2197F3D9 |. 899E 60060000 MOV DWORD PTR DS:[ESI+660],EBX
2197F3DF |. 899E 1C060000 MOV DWORD PTR DS:[ESI+61C],EBX
2197F3E5 |. 899E 18060000 MOV DWORD PTR DS:[ESI+618],EBX
2197F3EB |. 899E 20060000 MOV DWORD PTR DS:[ESI+620],EBX
2197F3F1 |. 899E D0060000 MOV DWORD PTR DS:[ESI+6D0],EBX
2197F3F7 |. E8 08F2FFFF CALL XLUser.2197E604
2197F3FC |> 83BE 100000>CMP DWORD PTR DS:[ESI+10],2
2197F403 |. 75 07 JNZ SHORT XLUser.2197F40C
2197F405 |. 8BCE MOV ECX,ESI
2197F407 |. E8 41EDFFFF CALL XLUser.2197E14D ; this is the first call above the jump; we F7 step into it
2197F40C |> 83FF 02 CMP EDI,2
2197F40F |. 75 14 JNZ SHORT XLUser.2197F425 ; the last jump statement of the subroutine
2197F411 |. 53 PUSH EBX
2197F412 |. 53 PUSH EBX
2197F413 |. 8D46 10 LEA EAX,DWORD PTR DS:[ESI+10]
2197F416 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
2197F418 |. 6A 0F PUSH 0F
2197F41A |. 50 PUSH EAX
2197F41B |. FF51 2C CALL DWORD PTR DS:[ECX+2C]
2197F41E |. 8BCE MOV ECX,ESI
2197F420 |. E8 65EAFFFF CALL XLUser.2197DE8A
2197F425 |> FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /pCriticalSection
2197F428 |> FF15 28209921 CALL DWORD PTR DS:[<&KERNEL32.LeaveCriticalSection>] ; \LeaveCriticalSection
2197F42E |. 5F POP EDI
2197F42F |. 5E POP ESI
2197F430 |. 5B POP EBX
2197F431 |. C9 LEAVE
2197F432 \. C2 0800 RETN 8 ; end of the subroutine
————————————————————————————————————
After stepping into "2197F407" with F7, we arrive at the following
2197E14D /$ B8 66FF9821 MOV EAX,XLUser.2198FF66
2197E152 |. E8 79050100 CALL XLUser.2198E6D0
2197E157 |. 51 PUSH ECX
2197E158 |. 53 PUSH EBX
2197E159 |. 56 PUSH ESI
2197E15A |. 8BF1 MOV ESI,ECX
2197E15C |. 57 PUSH EDI
2197E15D |. 8D86 98100000 LEA EAX,DWORD PTR DS:[ESI+1098]
2197E163 |. 50 PUSH EAX ; /pCriticalSection
2197E164 |. FF15 24209921 CALL DWORD PTR DS:[<&KERNEL32.EnterCriticalSection>] ; \EnterCriticalSection
2197E16A |. 8D86 7C100000 LEA EAX,DWORD PTR DS:[ESI+107C]
2197E170 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
2197E173 |. 8D9E 6C100000 LEA EBX,DWORD PTR DS:[ESI+106C]
2197E179 |. 33FF XOR EDI,EDI
2197E17B |. 8BCB MOV ECX,EBX
2197E17D |. 897D FC MOV DWORD PTR SS:[EBP-4],EDI
2197E180 |. E8 49D8FFFF CALL XLUser.2197B9CE
2197E185 |. 85C0 TEST EAX,EAX
2197E187 |. 76 2F JBE SHORT XLUser.2197E1B8
2197E189 |> FFB6 2C100000 /PUSH DWORD PTR DS:[ESI+102C]
2197E18F |. 8B86 70100000 |MOV EAX,DWORD PTR DS:[ESI+1070]
2197E195 |. FFB6 28100000 |PUSH DWORD PTR DS:[ESI+1028]
2197E19B |. 8D04B8 |LEA EAX,DWORD PTR DS:[EAX+EDI*4]
2197E19E |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
2197E1A0 |. FFB6 24100000 |PUSH DWORD PTR DS:[ESI+1024]
2197E1A6 |. 8B08 |MOV ECX,DWORD PTR DS:[EAX]
2197E1A8 |. 50 |PUSH EAX
2197E1A9 |. FF51 0C |CALL DWORD PTR DS:[ECX+C] ; F7 step in
2197E1AC |. 8BCB |MOV ECX,EBX
2197E1AE |. 47 |INC EDI
2197E1AF |. E8 1AD8FFFF |CALL XLUser.2197B9CE
2197E1B4 |. 3BF8 |CMP EDI,EAX
2197E1B6 |.^ 72 D1 \JB SHORT XLUser.2197E189
2197E1B8 |> 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
2197E1BB |. 83C0 1C ADD EAX,1C
2197E1BE |. 50 PUSH EAX ; /pCriticalSection
2197E1BF |. FF15 28209921 CALL DWORD PTR DS:[<&KERNEL32.LeaveCriticalSection>] ; \LeaveCriticalSection
2197E1C5 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
2197E1C8 |. 5F POP EDI
2197E1C9 |. 5E POP ESI
2197E1CA |. 5B POP EBX
2197E1CB |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
2197E1D2 |. C9 LEAVE
2197E1D3 \. C3 RETN
————————————————————————————————————
After stepping into "2197E1A9" with F7, we arrive at the following and enter the "BaseCommunity.dll" module space
1000B9D0 . 6A FF PUSH -1
1000B9D2 . 68 F7030510 PUSH BaseComm.100503F7 ; SE handler installation
1000B9D7 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
1000B9DD . 50 PUSH EAX
1000B9DE . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
1000B9E5 . 81EC 9C000000 SUB ESP,9C
1000B9EB . A1 C42D0810 MOV EAX,DWORD PTR DS:[10082DC4]
1000B9F0 . 33C4 XOR EAX,ESP
1000B9F2 . 55 PUSH EBP
1000B9F3 . 8BAC24 B80000>MOV EBP,DWORD PTR SS:[ESP+B8]
1000B9FA . 57 PUSH EDI
1000B9FB . 8BBC24 B80000>MOV EDI,DWORD PTR SS:[ESP+B8]
1000BA02 . 3BFD CMP EDI,EBP
1000BA04 . 898424 A00000>MOV DWORD PTR SS:[ESP+A0],EAX
1000BA0B . 0F84 1A030000 JE BaseComm.1000BD2B
1000BA11 . 83FF 02 CMP EDI,2
1000BA14 . 53 PUSH EBX
1000BA15 . 56 PUSH ESI
1000BA16 . 0F85 6C020000 JNZ BaseComm.1000BC88
1000BA1C . E8 AFA9FFFF CALL BaseComm.100063D0
1000BA21 . 8BC8 MOV ECX,EAX
1000BA23 . E8 9865FFFF CALL BaseComm.10001FC0 ; F7 step in
1000BA28 . 85C0 TEST EAX,EAX
1000BA2A . 8B35 54710610 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetTickCount>] ; kernel32.GetTickCount
------------------------------------------
After stepping into "1000BA23" with F7, we arrive at the following
10001FC0 /$ 51 PUSH ECX ; (Initial CPU selection)
10001FC1 |. 8B41 1C MOV EAX,DWORD PTR DS:[ECX+1C]
10001FC4 |. 85C0 TEST EAX,EAX
10001FC6 |. 74 17 JE SHORT BaseComm.10001FDF
10001FC8 |. 8D1424 LEA EDX,DWORD PTR SS:[ESP]
10001FCB |. 52 PUSH EDX
10001FCC |. C74424 04 000>MOV DWORD PTR SS:[ESP+4],0
10001FD4 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
10001FD6 |. 50 PUSH EAX
10001FD7 |. FF51 0C CALL DWORD PTR DS:[ECX+C] ; F7 step in
10001FDA |. 8B0424 MOV EAX,DWORD PTR SS:[ESP]
10001FDD |. 59 POP ECX
10001FDE |. C3 RETN
10001FDF |> 33C0 XOR EAX,EAX
10001FE1 |. 59 POP ECX
10001FE2 \. C3 RETN
------------------------------------------
After stepping into "10001FD7" with F7, we arrive at the following and enter the "XLUser.dll" module space
2197A95B . 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
2197A95F . 83B8 10100000>CMP DWORD PTR DS:[EAX+1010],2
2197A966 . 74 07 JE SHORT XLUser.2197A96F
2197A968 . B8 04400080 MOV EAX,80004004
2197A96D . EB 0F JMP SHORT XLUser.2197A97E
2197A96F > 0FB680 E80500>MOVZX EAX,BYTE PTR DS:[EAX+5E8] ; change to mov eax,1
2197A976 . 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
2197A97A . 8901 MOV DWORD PTR DS:[ECX],EAX
2197A97C . 33C0 XOR EAX,EAX
2197A97E > C2 0800 RETN 8
Apply the patch at 2197A96F:
MOVZX EAX,BYTE PTR DS:[EAX+5E8] changed to mov eax,1
------------------------------------------
After making the change, save it, and that is all; this way you are a VIP user.