edx c


PWNIUMCTF2014-JJSN Summary

+var_14], 0
.text:0040138b jmp short loc_4013b1
.text:0040138d ; ---------------------------------------------------------------------------
.text:0040138d
.text:0040138d loc_40138d: ; CODE XREF: main+8f j
.text:0040138d mov eax, [esp+5ch+var_14]
.text:00401391 mov eax, [esp+eax*4+5ch+var_34]
.text:00401395 mov ecx, eax
.text:00401397 xor ecx, 1
.text:0040139a lea edx, [esp+5ch+var_3e]
.text:0040139e mov eax, [esp+5ch+var_14]
.text:004013a2 ad

Analysis and utilization of a simple small program Vulnerability

and follow up with F7 in one step. The program goes to the upper-layer function: When the execution reaches 00401051, observe the function stack as follows: We can see that the return address will be overwritten at the 13 offset of the TXT text. Step 3: (1) Compile the program code for the general pop-up calculator and extract the shellcode # Include "stdio. h "int main () {unsigned int KerdllAddress; // defines the address unsigned int GetProcessAddr of kernel32; // defines the function a

How to obtain the sys_call_table address through the module in the kernel of Linux2.6

by 0x80. The following is an explanation. First, run the command "gdb -q /usr/src/kernels/2.6.19/vmlinux" to load the kernel image, then run the "disass system_call" and "disass syscall_call" gdb commands to view the kernel's assembly code. The result is as follows:
(gdb) disass system_call
Dump of assembler code for function system_call:
0xc0103e04: push %eax
0xc0103e05: cld
0xc0103e06: push %es
0xc0103e07: push %ds
0x

Cracking of a CrackMe that requires a run trace

[Article Title]: cracking of a CrackMe that requires a run trace
[Author]: bxm
[Author mailbox]: bxm78@163.com
[Protection method]: name, serial
[Language]: Borland C++
[Tools]: peid, od
[Operating platform]: winxp
[Author's statement]: I am only interested and have no other purpose. For errors, please enlighten us!
--------------------------------------------------------------------------------
[Detailed process]
Use peid for Shell check, no shell, run, input name and serial, No prompts, load with OD, s

Interesting CRACKME Cracking Analysis

fails.
004012BD |. 68 80000000 push 80 ; /Count = 80 (128.)
004012C2 |. 8D85 00FFFFFF lea eax, [ebp-100] ; |
004012C8 |. 50 push eax ; |Buffer
004012C9 |. 68 EE030000 push 3EE ; |ControlID = 3EE (1006.)
004012CE |. FF35 0C304000 push dword ptr [40300C] ; |hWnd = 00190644 (B2C _2k5, class = DLGCLASS)
004012D4 |. E8 15010000 call
004012D9 |. 83F8 08 cmp eax, 8 ; number of registration codes compared with 8
004012DC |. 0F85 A2000000 jnz 00401384 ; The redirect fails if the registration code is not equal to

Flash-Restore Say Bye

(my current Internet cafe is the Pubwin charging system. This system has something that will monitor all processes, so when OD runs, there will be a pop-up prompt, if it is also PUBWIN, it does not have any impact on the debugging program) after running, we press ALT + E or the E icon on the menu bar (this is to display the current module) after opening the program, we can select the process EXE of the program. Double-click 6 After double-clicking the program, I came to the Disassembly window a

Red Alert 2 Modifier principle Encyclopedia (iii)

up the bomb. Initially the direct conjecture called the last callThis CALL3 a parameter, 1 registers, 2 stacks. Analysis Parameters:Move Ecx,14call 0069f7e0...mov Ebx,eax...mov eax,[ebx+98]mov ecx,008324e0push eaxpush 1FI thought that just using one of the above functions is enough, the front is initialized, and the result is--just add a nuke option, not ready, or countdown ...So the above a call 0069ccf0 is also necessary (altogether there are 4, one is the output debugging information, one is

[to] Use assembly for atomic operation

, which are the most common primitives.
Compare and exchange:
long __stdcall CompareExchange(long volatile *Destination, long Exchange, long Comperand) { __asm { mov ecx, Destination; mov edx, Exchange; mov eax, Comperand; lock cmpxchg [ecx], edx; } }
Exchange:
long __stdcall Exchange(long volatile *Target, long Value) { __asm { mov ecx, Target; mov

About the 10 basic skills of a hack

input can be based on my hobbies, habits to be determined, do not have to rigidly adhere to a fixed pattern.8. Questions about how to track the program : Beginners often do not know how to follow the program when they start to learn how to track the code, how to find a place to compare the registry, when faced with a long heap of code when it seems overwhelmed. Usually the software inside the program using a subroutine (that is, call ********) to verify that we entered the correct registration

Reverse Analysis Ahpack

8a16 MOV dl,byte PTR Ds:[esi]004041b0 INC ESI004041b1 10D2 ADC dl,dl004041b3 C3 RETN004041b4 31c9 XOR ecx,ecx004041b6 INC ECX004041b7 E8 eeffffff call AHPACK.004041AA004041BC 11c9 ADC ecx,ecx004041BE E8 e7ffffff call AHPACK.004041AA004041c3 ^ F2 JB short Ahpack.004041b7004041c5 C3 RETN004041c6 Popad; End Aplib, data is solved in memory of 404120 applications004041c7 B9 FC070000 MOV ECX,7FC004041CC 8b1c08 MOV ebx,dword PTR DS:[EAX+ECX]004041CF 8999 00104000 MOV DWORD PTR ds:[ecx+401000],ebx00404

Hackers teach you how to crack software

Software cracking-questions about how to track programs: When beginners start to learn decryption, they often don't know how to track the program, how to find a place where the registration code is compared, and how to feel overwhelmed when facing a long pile of program code. Generally, software programs use a sub-program called CALL ********* to verify whether the entered registration code is correct or not. For programs with an explicit registration code, generally, the entered registration co

In-depth study of the C ++ Object Model

] 00961731 mov dword ptr [ebp-14h], ECx Void (_ thiscall vtblreal1: * PFn) (void) = vtblreal1: F2; // assign values to the member function pointer Declaration 00961734 mov dword ptr [ebp-2Ch], offset vtblreal1: 'vcall' {4} '(9611feh) // vtblreal1: 'vcall' {4 }': // 00da11fe JMP vtblreal1: 'vcall' {4} '(0da1c80h) // 00da1c80 mov eax, dword ptr [ECx] // 00da1c82 jmp dword ptr [eax + 4] // Jump to ECx + 4 vtblreal1: F2 () Address // Void * ptemp = (void *) ( vtblreal1: F2 );

GCC Embedded Assembly

equivalent to the pseudocode below:Btsl NR and ADDR, the two operands of this instruction cannot be all memory variables. Therefore, the qualified string of NR is specified as "LR" (which will be explained below) and associated with the immediate number or register, in this way, only ADDR is the memory variable in the two operands. Character limitThere are many types of restricted characters, some of which are related to the specific architecture. Here, only the commonly used qualified characte

Embedded Assembly Language in GCC

GCC operation mode.Take a piece of code in arch/i386/kernel/APM. C as an example to compare the situations before and after compilation:Compilation code after source program Compilation_ ASM __("Pushl % EDI/n/T" "Pushl % EBP/n/T" "Lcall % CS:/n/T" "SETC % Al/n/T" "Addl % 1, % 2/n/T" "Popl % EBP/n/T" "Popl % EDI/n/T" :"="(Ea ),"= B"(EB ),"= C"(EC ),"= D"(Ed ),"= S"(ES):"A"(Eax_in ),"B"(Ebx_in ),"C"(Ecx_in):"Memory","CC");Movl eax_in, % eaxMovl ebx_in, % EBXMovl ecx_in, % ECx# AppPushl % EDIPushl

Decryption code-10 tips to learn how to collect software cracking loads)

determined based on my hobbies and habits, without sticking to a fixed pattern. 8. Questions about how to track programs When beginners start to learn decryption, they often don't know how to track the program, how to find a place where the registration code is compared, and how to feel overwhelmed when facing a long pile of program code. Generally, software programs use a sub-Program (call *********) to verify whether the entered registration code is correct. For programs whose registr

Learning Win32 compilation [14]: Using brackets []

now wval stores word-type data, and [EBX] uses 32-bit data by default; this can be done through the pseudo-command PTR to specify the data size; at the same time, the received data must be replaced with 16 (such as Ax), because mov requires that the sizes of the two operands must be consistent XOR eax, eax; clear eax mov ax, word PTR [EBX] printdec eax; 123; you can also directly use movzx, which can be small to large (movzx R16/R32, r/8/R16/M8/M16) movzx eax, word PTR [EBX] printdec eax; 123 r

Program memory allocation

PTR [ebp-4], Cl11: A = P [1];0040106d 8B 55 EC mov edX, dword ptr [ebp-14h]00401070 8A 42 01 mov Al, byte PTR [edX + 1]00401073 88 45 FC mov byte PTR [ebp-4], AlThe first type reads the elements in the string directly into the CL register, while the second type reads the pointer value into EDX. Reading the characters based on

10 tips for learning to crack [tutorial]

track programs: beginners often do not know how to track programs when learning to decrypt, how to find a place where the registration code is compared, and are overwhelmed when faced with a long pile of program code. Generally, software programs use a sub-Program (CALL *********) to verify whether the entered registration code is correct. For programs whose registration code explicitly exists, generally, the entered registration code and the correct registration code are put into the Register,

_ Stdcall, _ cdecl and extern "C"

(swap) (00401005)004010A3 83 C4 08 add esp, 8 // Swap assembly code Void swap (int * x, int * y){00401020 55 push ebp00401021 8B EC mov ebp, esp00401023 83 EC 44 sub esp, 44 h00401026 53 push ebx00401027 56 push esi00401028 57 push edi00401029 8D 7D BC lea edi, [ebp-44h]0040102C B9 11 00 00 00 mov ecx, 11 h00401031 B8 CC mov eax, 0 CCCCCCCCh00401036 F3 AB rep stos dword ptr [edi]Int temp;Temp = * x;00401038 8B 45 08 mov eax, dword ptr [ebp + 8]0040103B 8B 08 mov ecx, dword ptr [eax]0040103D 89

Debug Bootsect and Setup and head to main

; 07000054B4: (): mov eax, 0x2800005c; b85c000028000054B9: (): Push ESP; 54000054BA: (): Or byte ptr ds:[eax], AL; 0800000054BC: (): Add byte ptr ds:[esi+0x54280000], cl; 008e00002854(0) Breakpoint 6, 0x54a7 in?? ()Next at t=16677775(0) [0x000054a7] 0008:000054a7 (UNK. Ctxt): RETN; C3Next at t=16677776(0) [0x0000664c] 0008:0000664c (UNK. Ctxt): Push EBP; 550000664C: (): Push EBP; 550000664D: (): MOV ebp, esp; 89e50000664f: (): movzx ecx, Word ptr [DS:0X901FC]; 0fb70dfc01090000006656: (): mov dwo
