BBS水木清华站∶精华区
发信人: I007 (阿健), 信区: Linux
标 题: Linux下破解实战(3)
发信站: BBS 水木清华站 (Sat Oct 3 23:35:23 1998) WWW-POST
到注册信息不对的警告框出现,只有一个函数调用比较可疑:
0x804ebd9 call 0x8055978 <whereError+11004>
而且调用结束后还有一个比较跳转的动作, 那么我们就跟踪进去看看
(gdb) break *0x8055978
Breakpoint 3 at 0x8055978
(gdb) c
Continuing.
Breakpoint 3, 0x8055978 in whereError ()
(gdb) disass 0x8055978 0x805ffff
Dump of assembler code from 0x8055978 to 0x805ffff:
0x8055978 <whereError+11004>: subl $0x8,%esp
0x805597b <whereError+11007>: pushl %ebp
0x805597c <whereError+11008>: pushl %edi
0x805597d <whereError+11009>: pushl %esi
0x805597e <whereError+11010>: pushl %ebx
0x805597f <whereError+11011>: movl 0x1c(%esp,1),%ebp (0x809e850)
0x8055983 <whereError+11015>: movl 0x20(%esp,1),%esi (0x809e880)
0x8055987 <whereError+11019>: movl 0x24(%esp,1),%ebx (0x806e9ac)
0x805598b <whereError+11023>: testb $0x1,(%ebx)
0x805598e <whereError+11026>: je 0x80559c0 <whereError+11076> -
..... |
0x80559c0 <whereError+11076>: pushl %eax <
0x80559c1 <whereError+11077>: leal 0x18(%esp,1),%eax
0x80559c5 <whereError+11081>: pushl %eax (eax:0xbffff70c)
0x80559c6 <whereError+11082>: pushl $0x8060cbb (0x8060cbb->" %x")
0x80559cb <whereError+11087>: pushl %esi (esi:0x809e880->"87654321")
0x80559cc <whereError+11088>: call 0x804a294 <sscanf>
0x80559d1 <whereError+11093>: movl %eax,%edi(此时0xbffff70c->0x87654321)
0x80559d3 <whereError+11095>: addl $0x10,%esp
0x80559d6 <whereError+11098>: cmpl $0x1,%edi
0x80559d9 <whereError+11101>: je 0x8055a01 <whereError+11141> -
..... |
0x8055a01 <whereError+11141>: testb $0x1,(%ebx) <-
0x8055a04 <whereError+11144>: je 0x8055a3a <whereError+11198> -
..... |
0x8055a3a <whereError+11198>: pushl %ebp(ebp:0x809e850->"B123456789") <-
0x8055a3b <whereError+11199>: pushl $0x0
0x8055a3d <whereError+11201>: call 0x80561d9 <whereError+13149>
^______会不会去算正确的Key?
0x8055a42 <whereError+11206>: movl %eax,%esi (eax:0x8eee5816)
0x8055a44 <whereError+11208>: addl $0x8,%esp
0x8055a47 <whereError+11211>: testb $0x1,(%ebx)
0x8055a4a <whereError+11214>: je 0x8055a7a <whereError+11262> -
..... |
0x8055a7a <whereError+11262>: movl 0x14(%esp,1),%edx <-
0x8055a7e <whereError+11266>: cmpl %esi,%edx
(edx:0x87654321,这是我输入的Key
它在与0x8eee5816比较???)
0x8055a80 <whereError+11268>: jne 0x8055ab9 <whereError+11325> -
.... |
0x8055ab9 <whereError+11325>: testb $0x1,(%ebx) <-
0x8055abc <whereError+11328>: je 0x8055aec <whereError+11376> -
.... |
0x8055aec <whereError+11376>: xorl %eax,%eax <-
0x8055aee <whereError+11378>: popl %ebx
0x8055aef <whereError+11379>: popl %esi
0x8055af0 <whereError+11380>: popl %edi
0x8055af1 <whereError+11381>: popl %ebp
0x8055af2 <whereError+11382>: addl $0x8,%esp
0x8055af5 <whereError+11385>: ret
0x8055a7e处的比较说明, 很有可能函数0x80561d9就是在依照我输入的Order
number算正确的Key,而后比较结果,所以不妨先用 8EEE5816 做Key试一试.
结果,8EEE5816果然就是正确的Key, mtv检查正确后在$HOME目录中产生一个
.mtvrc文件, 以后每次使用都会自动读出.mtvrc中的注册信息并检查..
还可以据0x80561d9函数写出注册机:
(gdb) disass 0x80561d9 0x805624e
Dump of assembler code from 0x80561d9 to 0x805624e:
0x80561d9 <whereError+13149>: pushl %edi
0x80561da <whereError+13150>: pushl %esi
0x80561db <whereError+13151>: pushl %ebx
0x80561dc <whereError+13152>: movl 0x14(%esp,1),%edi
0x80561e0 <whereError+13156>: movl 0x10(%esp,1),%edx
0x80561e4 <whereError+13160>: xorl %ebx,%ebx
0x80561e6 <whereError+13162>: movl %edi,%eax
0x80561e8 <whereError+13164>: movl %edi,%esi
0x80561ea <whereError+13166>: andl $0x3,%eax
0x80561ed <whereError+13169>: je 0x8056205 <whereError+13193>
0x80561ef <whereError+13171>: jp 0x8056200 <whereError+13188>
0x80561f1 <whereError+13173>: cmpl $0x2,%eax
0x80561f4 <whereError+13176>: je 0x80561fb <whereError+13183>
0x80561f6 <whereError+13178>: cmpb %ah,(%esi)
0x80561f8 <whereError+13180>: je 0x8056229 <whereError+13229>
0x80561fa <whereError+13182>: incl %esi
0x80561fb <whereError+13183>: cmpb %ah,(%esi)
0x80561fd <whereError+13185>: je 0x8056229 <whereError+13229>
0x80561ff <whereError+13187>: incl %esi
0x8056200 <whereError+13188>: cmpb %ah,(%esi)
0x8056202 <whereError+13190>: je 0x8056229 <whereError+13229>
0x8056204 <whereError+13192>: incl %esi
0x8056205 <whereError+13193>: movl (%esi),%eax
0x8056207 <whereError+13195>: testb %ah,%al
0x8056209 <whereError+13197>: jne 0x8056213 <whereError+13207>
0x805620b <whereError+13199>: testb %al,%al
0x805620d <whereError+13201>: je 0x8056229 <whereError+13229>
0x805620f <whereError+13203>: testb %ah,%ah
0x8056211 <whereError+13205>: je 0x8056228 <whereError+13228>
0x8056213 <whereError+13207>: testl $0xff0000,%eax
0x8056218 <whereError+13212>: je 0x8056227 <whereError+13227>
0x805621a <whereError+13214>: addl $0x4,%esi
0x805621d <whereError+13217>: testl $0xff000000,%eax
0x8056222 <whereError+13222>: jne 0x8056205 <whereError+13193>
0x8056224 <whereError+13224>: subl $0x3,%esi
0x8056227 <whereError+13227>: incl %esi
0x8056228 <whereError+13228>: incl %esi
0x8056229 <whereError+13229>: subl %edi,%esi
0x805622b <whereError+13231>: cmpl %esi,%ebx
0x805622d <whereError+13233>: jnl 0x8056248 <whereError+13260>
0x805622f <whereError+13235>: movb (%ebx,%edi,1),%al
0x8056232 <whereError+13238>: incl %ebx
0x8056233 <whereError+13239>: andl $0xff,%eax
0x8056238 <whereError+13244>: pushl %eax
0x8056239 <whereError+13245>: pushl %edx
0x805623a <whereError+13246>: call 0x8055b58 <whereError+11484>
0x805623f <whereError+13251>: movl %eax,%edx
0x8056241 <whereError+13253>: addl $0x8,%esp
0x8056244 <whereError+13256>: cmpl %esi,%ebx
0x8056246 <whereError+13258>: jl 0x805622f <whereError+13235>
0x8056248 <whereError+13260>: popl %ebx
0x8056249 <whereError+13261>: movl %edx,%eax
0x805624b <whereError+13263>: popl %esi
0x805624c <whereError+13264>: popl %edi
0x805624d <whereError+13265>: ret
0x8055b58处的函数太长了, bbs不让我发..:( 砍掉了
由这个程序的破解可以看出, linux下的破解并不困难, 只是gdb有点不太方便
有时会有点小毛病(比如ni有时也会跟到函数中), 不过用多了就习惯了.
--
~0 (_| . - ' - . _ . - ' - . _ . - ' - . |_) O
|(_~|^~~| |~~^|~_)|
TT/_ T"T 网络连着你我她 T"T _\HH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
※ 来源:·BBS 水木清华站 bbs.net.tsinghua.edu.cn·[FROM: sun.swjtu.edu.cn]
BBS水木清华站∶精华区