First, open the program.
It turns out to be a CD-check crackme.
For background, I recommend section 5.7 (CD-Check) of 《加密与解密 第三版》 (Encryption and Decryption, 3rd ed.) and a blog post:
CD-check
which you can consult for reference.
Next, check it with PEiD: no packer, a C++ program. A CD-check can only be beaten by patching the check itself:
Run it in OllyDbg (OD):
There are roughly three ways to locate the key spot:
1. Run it normally: after F9 the dialog appears; click Check for CD and an error box pops up. Don't click OK; press F12 to pause the program, then Alt+K to find the call that produced the dialog (this is the approach for the error-dialog type of check).
Find the call entry and use Show call to jump to it.
2. Since this is a CD-check, go straight for the key API: GetDriveTypeA, which returns the type of a disk drive, is the function to look for.
In OD, Ctrl+N lists all the functions the module imports.
Open the call tree and find the call site.
Follow it in the disassembly window.
3. The simplest way: search the referenced text strings directly.
The failure and success strings are found together; very straightforward.
Once the key spot is found, locating the conditional jump is easy:
0040138C /0F84 F3000000 je Cosh_1.00401485 ; the jump
00401392 > |FF45 EC inc dword ptr ss:[ebp-0x14]
00401395 . |83C7 04 add edi,0x4
00401398 . |837D EC 07 cmp dword ptr ss:[ebp-0x14],0x7
0040139C .^|75 9F jnz short Cosh_1.0040133D
0040139E . |53 push ebx
0040139F . |68 4C304000 push Cosh_1.0040304C ; ASCII "Try again"
004013A4 . |68 40304000 push Cosh_1.00403040 ; ASCII "You lost"
004013A9 > |8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
004013AC . |E8 D1020000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224>
004013B1 . |8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004013B4 . |C645 FC 0E mov byte ptr ss:[ebp-0x4],0xE
004013B8 . |E8 DD020000 call <jmp.&MFC42.#CString::~CString_800>
004013BD . |56 push esi ; Cosh_1.<ModuleEntryPoint>
004013BE . |6A 01 push 0x1
004013C0 . |8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004013C3 . |6A 04 push 0x4
004013C5 . |50 push eax
004013C6 . |C645 FC 0D mov byte ptr ss:[ebp-0x4],0xD
004013CA . |E8 27030000 call Cosh_1.004016F6
004013CF . |8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004013D2 . |C645 FC 0C mov byte ptr ss:[ebp-0x4],0xC
004013D6 . |E8 BF020000 call <jmp.&MFC42.#CString::~CString_800>
004013DB . |8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004013DE . |C645 FC 0B mov byte ptr ss:[ebp-0x4],0xB
004013E2 . |E8 B3020000 call <jmp.&MFC42.#CString::~CString_800>
004013E7 . |8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
004013EA . |C645 FC 0A mov byte ptr ss:[ebp-0x4],0xA
004013EE . |E8 A7020000 call <jmp.&MFC42.#CString::~CString_800>
004013F3 . |8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
004013F6 . |C645 FC 09 mov byte ptr ss:[ebp-0x4],0x9
004013FA . |E8 9B020000 call <jmp.&MFC42.#CString::~CString_800>
004013FF . |8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00401402 . |C645 FC 08 mov byte ptr ss:[ebp-0x4],0x8
00401406 . |E8 8F020000 call <jmp.&MFC42.#CString::~CString_800>
0040140B . |8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
0040140E . |C645 FC 07 mov byte ptr ss:[ebp-0x4],0x7
00401412 . |E8 83020000 call <jmp.&MFC42.#CString::~CString_800>
00401417 . |8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
0040141A . |C645 FC 06 mov byte ptr ss:[ebp-0x4],0x6
0040141E . |E8 77020000 call <jmp.&MFC42.#CString::~CString_800>
00401423 . |8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
00401426 . |C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
0040142A . |E8 6B020000 call <jmp.&MFC42.#CString::~CString_800>
0040142F . |8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
00401432 . |C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
00401436 . |E8 5F020000 call <jmp.&MFC42.#CString::~CString_800>
0040143B . |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0040143E . |C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
00401442 . |E8 53020000 call <jmp.&MFC42.#CString::~CString_800>
00401447 . |8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
0040144A . |C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
0040144E . |E8 47020000 call <jmp.&MFC42.#CString::~CString_800>
00401453 . |8D4D AC lea ecx,dword ptr ss:[ebp-0x54]
00401456 . |C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
0040145A . |E8 3B020000 call <jmp.&MFC42.#CString::~CString_800>
0040145F . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401462 . |885D FC mov byte ptr ss:[ebp-0x4],bl
00401465 . |E8 30020000 call <jmp.&MFC42.#CString::~CString_800>
0040146A . |834D FC FF or dword ptr ss:[ebp-0x4],-0x1
0040146E . |8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00401471 . |E8 24020000 call <jmp.&MFC42.#CString::~CString_800>
00401476 . |8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
00401479 . |5F pop edi ; kernel32.740738F4
0040147A . |5E pop esi ; kernel32.740738F4
0040147B . |5B pop ebx ; kernel32.740738F4
0040147C . |64:890D 00000>mov dword ptr fs:[0],ecx ; Cosh_1.<ModuleEntryPoint>
00401483 . |C9 leave
00401484 . |C3 retn
00401485 > \53 push ebx
00401486 . 68 34304000 push Cosh_1.00403034 ; ASCII "You did it"
0040148B . 68 20304000 push Cosh_1.00403020 ; ASCII "Well done, Cracker"
00401490 .^ E9 14FFFFFF jmp Cosh_1.004013A9
Patch it: change
0040138C /0F84 F3000000 je Cosh_1.00401485 ; the jump
into an unconditional jump:
0040138C /E9 F4000000 jmp Cosh_1.00401485 ; the jump
00401391 |90 nop
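Note that the displacement changes from F3 to F4 even though the target stays 00401485: a rel32 jump is computed from the end of the instruction, and jmp rel32 is one byte shorter than je rel32. The script below (an added example, not part of the original write-up) works that arithmetic through with the bytes from the listing, and also decodes the short jnz at 0040139C, which the write-up does not spell out.

```python
# Added worked example (not from the original write-up). x86 relative
# branches encode:   target = branch_address + branch_length + displacement
# A 6-byte "je rel32" (0F 84 xx xx xx xx) replaced by a 5-byte "jmp rel32"
# (E9 xx xx xx xx) therefore needs a displacement one larger, and the spare
# byte is filled with a nop (90) so the next instruction stays aligned.
import struct

JE_REL32 = b"\x0f\x84"
JMP_REL32 = b"\xe9"
NOP = b"\x90"


def branch_target(addr, code):
    """Absolute target of the relative branch whose encoding starts at `code`."""
    op = code[0]
    if code.startswith(JE_REL32):          # je/jz rel32, 6 bytes
        rel = struct.unpack_from("<i", code, 2)[0]
        return (addr + 6 + rel) & 0xFFFFFFFF
    if op == 0xE9:                          # jmp rel32, 5 bytes
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB or 0x70 <= op <= 0x7F:    # jmp short / jcc short, 2 bytes
        rel = struct.unpack_from("<b", code, 1)[0]
        return (addr + 2 + rel) & 0xFFFFFFFF
    raise ValueError("unsupported branch opcode 0x%02X" % op)


def je_to_jmp(addr, code):
    """Re-encode a 6-byte je rel32 as jmp rel32 + nop with the same target."""
    if not code.startswith(JE_REL32) or len(code) != 6:
        raise ValueError("expected exactly a 6-byte je rel32")
    target = branch_target(addr, code)
    new_rel = (target - (addr + 5)) & 0xFFFFFFFF   # jmp is one byte shorter
    patched = JMP_REL32 + struct.pack("<I", new_rel) + NOP
    assert branch_target(addr, patched) == target   # both land on the same place
    return patched


# Bytes taken from the listing above: the je at 0040138C (displacement F3)
# and the jnz short at 0040139C (displacement 9F, negative: the drive loop).
JE_AT_0040138C = bytes.fromhex("0F84F3000000")
JNZ_AT_0040139C = bytes.fromhex("759F")

if __name__ == "__main__":
    print("je  target: %08X" % branch_target(0x0040138C, JE_AT_0040138C))   # 00401485
    print("jnz target: %08X" % branch_target(0x0040139C, JNZ_AT_0040139C))  # 0040133D
    print("patched   : %s" % je_to_jmp(0x0040138C, JE_AT_0040138C).hex().upper())  # E9F400000090
```

From the defender's side this is also why a check that ends in a single local conditional branch offers no real protection: one byte decides the outcome, and nothing in the binary verifies that the byte is still what the compiler emitted.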
Dump the result to a new file.
Done.
Looking back up at how this CD-check actually works:
it calls CreateFile() on each drive letter from C: through P: looking for a file named CD_CHECK.DAT; if the file exists it is opened, but obviously we don't have one, so the check fails.