edx cybersecurity

pattern.8. Questions about how to track the program : Beginners often do not know how to follow the program when they start to learn how to track the code, how to find a place to compare the registry, when faced with a long heap of code when it seems overwhelmed. Usually the software inside the program using a subroutine (that is, call ********) to verify that we entered the correct registration code, for the registration code explicit existence of the program, generally will enter the registra

; End Aplib, data is solved in memory of 404120 applications004041c7 B9 FC070000 MOV ECX,7FC004041CC 8b1c08 MOV ebx,dword PTR DS:[EAX+ECX]004041CF 8999 00104000 MOV DWORD PTR ds:[ecx+401000],ebx004041d5 ^ E2 F5 loopd Short ahpack.004041cc; 404120 of the requested memory contains the extracted data, copy it to the Oep place004041d7-NOP; The following start to repair the IAT, hehe, 9090 will not be deliberately to a split it004041d8-NOP004041d9 BA 00004000 MOV

Software cracking-questions about how to track programs: When beginners start to learn decryption, they often don't know how to track the program, how to find a place where the registration code is compared, and how to feel overwhelmed when facing a long pile of program code. Generally, software programs use a sub-program called CALL ********* to verify whether the entered registration code is correct or not. For programs with an explicit registration code, generally, the entered registration co

] // Jump to ECx + 4 vtblreal1: F2 () Address // Void * ptemp = (void *) ( vtblreal1: F2 ); If (pvtbl! = NULL) 0096173b cmp dword ptr [ebp-14h], 0 0096173f je wmain + 128 H (9617b8h) { Pvtbl-> F1 (); 00961741 mov eax, dword ptr [ebp-14h] 00961744 mov edX, dword ptr [eax] 00961746 mov ESI, ESP 00961748 mov ECx, dword ptr [ebp-14h] 0096174b mov eax, dword ptr [edX] // The first fu

example, whether to place the variables in registers or in memory, the following table lists frequently used qualified letters. "B" puts the input variable into EBX"C" puts input variables into ECx"D" puts the input variable in edX"S" puts the input variable into ESI"D" puts the input variable into EDI"Q" puts the input variables into one of eax, EBX, ECx, and EDX."R" puts the input variables into a genera

" "Popl % EDI/n/T" :"="(Ea ),"= B"(EB ),"= C"(EC ),"= D"(Ed ),"= S"(ES):"A"(Eax_in ),"B"(Ebx_in ),"C"(Ecx_in):"Memory","CC");Movl eax_in, % eaxMovl ebx_in, % EBXMovl ecx_in, % ECx# AppPushl % EDIPushl % EBPLcall % CS:SETC % AlAddl EB, ECPopl % EBPPopl % EDI# No_appMovl % eax, EAMovl % EBX, EBMovl % ECx, ECMovl % edX, EdMovl % ESI, es2. Explanation of the content after the third colonThe content after the third colon is mainly for GCC optimization. It

how to track programs When beginners start to learn decryption, they often don't know how to track the program, how to find a place where the registration code is compared, and how to feel overwhelmed when facing a long pile of program code. Generally, software programs use a sub-Program (call *********) to verify whether the entered registration code is correct. For programs whose registration code explicitly exists, generally, the entered registration code and the correct registration c

pseudo-command PTR to specify the data size; at the same time, the received data must be replaced with 16 (such as Ax), because mov requires that the sizes of the two operands must be consistent XOR eax, eax; clear eax mov ax, word PTR [EBX] printdec eax; 123; you can also directly use movzx, which can be small to large (movzx R16/R32, r/8/R16/M8/M16) movzx eax, word PTR [EBX] printdec eax; 123 retmain endpend main [] Is generally used for Arrays: ; Test14_3.asm.386.model flat, std

[] = "aaaaaaaaaaaaa ";Char * S2 = "bbbbbbbbbbbbbbbbb ";Aaaaaaaaaaa is assigned a value at the runtime;Bbbbbbbbbbbbb is determined during compilation;However, in future access, the array on the stack is faster than the string pointed to by the pointer (such as the heap.For example:# Include Void main (){Char A = 1;Char C [] = "1234567890 ";Char * P = "1234567890 ";A = C [1];A = P [1];Return;}Corresponding assembly code10: A = C [1];00401067 8A 4D F1 mov Cl, byte PTR [ebp-0Fh]0040106a 88 4D FC mo

find a place where the registration code is compared, and are overwhelmed when faced with a long pile of program code. Generally, software programs use a sub-Program (CALL *********) to verify whether the entered registration code is correct. For programs whose registration code explicitly exists, generally, the entered registration code and the correct registration code are put into the Register, and then the verification subroutine is called to judge and return the result. The application det

ebx00401027 56 push esi00401028 57 push edi00401029 8D 7D BC lea edi, [ebp-44h]0040102C B9 11 00 00 00 mov ecx, 11 h00401031 B8 CC mov eax, 0 CCCCCCCCh00401036 F3 AB rep stos dword ptr [edi]Int temp;Temp = * x;00401038 8B 45 08 mov eax, dword ptr [ebp + 8]0040103B 8B 08 mov ecx, dword ptr [eax]0040103D 89 4D FC mov dword ptr [ebp-4], ecx* X = * y;00401040 8B 55 08 mov edx, dword ptr [ebp + 8]00401043 8B 45 0C mov eax, dword ptr [ebp + 0Ch]00401046 8B

in?? ()Next at t=16677775(0) [0x000054a7] 0008:000054a7 (UNK. Ctxt): RETN; C3Next at t=16677776(0) [0x0000664c] 0008:0000664c (UNK. Ctxt): Push EBP; 550000664C: (): Push EBP; 550000664D: (): MOV ebp, esp; 89e50000664f: (): movzx ecx, Word ptr [DS:0X901FC]; 0fb70dfc01090000006656: (): mov dword ptr [ds:0x1a964], ecx; 890d64a901000000665C: (): mov eax, 0x90080; b88000090000006661: (): mov edx, 0x1dd6c; ba6cdd010000006666: (): mov ecx, dword ptr ds:[eax

, with XP, plus its local PDB path) Bugcheck 7E, {c0000005, f889b0d3, f8935b88, f8935884}: The same effect as above, indicating the blue screen type and four sub-parameters 0xc0000005:status_access_violation Indicates a memory access violation OCCURRED:MSDN indicates that this is an error Probably caused By:BSODCheck.sys (bsodcheck! ISEXITPROCESS+A3): Indicates the drive FAULTING_IP caused by the blue screen : bsodcheck! ISEXITPROCESS+A3 [e:\bsodcheck\bsodcheck.c @ +] f889b0d3 8b08 mov ecx,dword

replicates the system process information (Task[n]) and sets the necessary registers. * It also replicates data segments entirely. *///the replication process. Where the parameter nr is called Find_empty_process () assigns the task array item number. None is the return address that is pressed into the stack when called//sys_call_table in SYSTEM_CALL.S. intcopy_process (int nr, long ebp, long edi, long esi, long GS, long none, long ebx, long ecx, long edx