area of the last 48 hours.
00401039 Lea EDI, [ebp-48h]
0040103c mov ECx, 12 h
00401041 mov eax, 0 cccccccch
00401046 rep STOs dword ptr [EDI].
In the next three stack commands, EBX, ESI, and EDI are pushed into the stack, which is also part of "protecting the site". These are some data of the main function execution. EBX, ESI, and
caller must be responsible for Stack cleaning when using this convention. Because the parameters are variable, this Convention is more flexible, but the performance is relatively low. In the generated code, the letter number has a _ (underline) prefix.Example:Int _ cdecl Add (int a, int B){Return (a + B );}Function call:Add (1, 2 );
Push 2Push 1Call @ Add; in fact, the expression used by the compiler to locate the function is omitted here.Add esp, 8; clear Stack
Function body:
Push ebpMov ebp,
program can be interrupted here.
Figure 10
After many trace analyses, we found that the following modifications can make the program run normally without prompting registration. If you want to study the registration algorithm of the software, you have to track and analyze J:
Nqqtools. checkreg. Check
00000093 0f B6 F0 movzx ESI, Al; Modify mov Al, 01
00000096 8B C6 mov eax, ESI; changed to mov ESI, eax
00000098 25 ff 00 00 00 and eax, 0ffh
2017009d 89 45 E0 mov dword ptr [ebp-20h], eax
201700
the call command. This command will return the address, that is, the next command location (eip, command pointer) is pushed into the stack, such
Eip = 0x00401363 before call (next eip = 0x00401368)
Eip = 0x0040100A, esp = 0x0012FEF4 after call
Then the call ends. __cdecl indicates that the last ret command of the function will pop the stack top to the eip pointer.
Eip = 0x00401368 ESP = 0x0012FEF8
Then add esp, 0xc, Here 0xC = 12, that is, the three Dwords are the number of pushes pushed in fro
choose four bytes starting from the 40339c address, mainly to let you know how to manage the hardware breakpoint in advance, because the hardware breakpoint can only select up to four bytes. The selected part is displayed in gray. After the selection, release the left mouse button and right-click the selected gray area: after the operation, we have set the memory breakpoint (note that the memory breakpoint is only valid in the current debugging process, that is to say, if you re-load the progr
Windows process. With the EXE main program module, the data size to be checked for integrity check is generally between several megabytes and dozens of megabytes. A good detection algorithm is necessary for such data volumes. D2hackmap uses a policy to create a "clean" module for each module to be scanned, and then compare the two modules by byte. In x86, the memory has dedicated and efficient compilation commands cmpsd and cmpsb.
DWORD _ declspec (naked) _ fastcall mymemcmpd (DWORD nsize, void
]. dwofs indicates that the key is pressed or released.// Didod [I]. dwdata records the state of the key. The highest bit of low byte is 1, which indicates that the key is pressed, and 0 indicates that the key is released.// Generally, didod [I]. dwdata 0x80 is used for testing.}Return s_ OK;}How is the keyboard status obtained? See the following IDA analysis results.. Text: 6d18c5ea _ ckbd_getdevicestate @ 8 proc near; Data xref:. Text: 6d18c37co. Text: 6d18c5ea. Text: 6d18c5ea arg_0 = dword p
is located.MoV eax, [eax + 8] // A list_entry8 byteIn the current eax, it is the start position of the kernel. dll in the memory image, that is, its handle value.
After finding kernel. dll, the following part is related to the PE file format,
MoV EBX, eax // get the starting address of kernel32.dllMoV ESI, dword ptr [EBX + 0x3c] // u get PE Header in e_lfanewMoV ESI, dword ptr [ESI + EBX + 0x78] // U export directory RVAAdd ESI, EBXMoV EDI, dword ptr
subtract a value from the ESP, allocating space directly for all local variables, such as esp=esp-0x00e4 in the Foo function, (depending on the candle fall's test on other compiled environments, you may also use the Push command to assign an address, There is no difference in nature, it is hereby stated):Figure 5Oddly, in debug mode, the compiler allocates more space for local variables than is actually needed, and the address between local variables is not contiguous (as I observe, always 8 by
What is the code after this code Disassembly?
# Include
Long test (int a, int B){A = a + 3;B = B + 5;Return a + B;}
Int main (int argc, char * argv []){Printf ("% d", test (10, 90 ));Return 0;}
Let's look at an overview.
16: int main (int argc, char * argv [])17 :{00401070 push ebp00401071 mov ebp, esp00401073 sub esp, 40 h00401076 push ebx00401077 push esi00401078 push edi00401079 lea edi, [ebp-40h]00401_c mov ecx, 10 h00401081 mov eax, 0 CCCCCCCCh0
variables, such as esp=esp-0x00e4 in the Foo function, (depending on the candle fall's test on other compiled environments, you may also use the Push command to assign an address, There is no difference in nature, it is hereby stated):Figure 5Oddly, in debug mode, the compiler allocates more space for local variables than is actually needed, and the address between local variables is not contiguous (as I observe, always 8 bytes apart) as shown:Figure 6I don't know why the compiler designed this
Program Description: Output multi-line content, the content is as follows:*************************1#include 2 using namespacestd;3 intMain ()4 {5cout " *"Endl;6cout " ***"Endl;7cout " *****"Endl;8cout "*******"Endl;9cout " *****"Endl;Tencout " ***"Endl; Onecout " *"Endl; A -System"Pause"); - return 0; the}Debug Disassembly CodeintMain () {00ff5e00 push ebp //Enter function after the first thing, save the bottom pointer, used to exit the function to restore the bottom of the stack. 00
The usage of "[]" has been explained in the "FAQ" and is quoted as follows:1, push DWORD ptr [024c1100] stack 024c1100 value double word2, CMP eax,[ebp+14] eax-ebp+14 valid values, do not retain the value, mainly see the flag bit3. CMP byte ptr [eax],46 byte type eax-46, see flag bit4. Lea EAX,[EDX-02] give the valid value of edx-02 (an address value) to EAX5, MOV ecx,[edx+08] edx+8 value as the address, this address points to the value to ECXI will add a few more examples of the situation I hav
!=invalid_handle_value to determine if the file is turned on properlyMOV hfile, eax; save file handleInvoke CreateFileMapping, \ Creates file-mapping object for the specified file.hfile, \ Identifies the file from which to create a mapping objectNULL, \; ignoredPage_readwrite, \; access0, \ high-order bits of the maximum size0, \ low-order bits of the maximum sizeNULL; The mapping object is created without a name. if Eax!=null;MOV Hmap,eax The return value are a handle to the File-mapping object
Let's talk about stack. What is it? We have already talked about it. You won't forget it. It's a piece of memory. If you forget, I --!
I want to talk about the stack. I want to talk about some compilation knowledge. I want to know more about these dishes, yido doesn't press it down. If you will be woodworking, electrician, steel engineer, and welder, you will not do welders in the summer, for the other three, you may have to consider which one you want to give more money and which one you want t
booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: 80000003, The exception code that was not handled
Arg2: 84289848, The address that the exception occurred at
Arg3: 8d389614, Exception Record Address
Arg4: 8d3891f0, Context Record Address
Debugging Details:
------
[Article Title]: Let's talk about the mathematical principle of a CrackMe decryption algorithm.[Author]: kaien[Author mailbox]: kkaien@hotmail.com[Software name]: echapcmd.exe[Shelling method]: No shell[Use tools]: OllyDbg, calculator and VC (for writing Registration) provided by winxp)[Operating platform]: winxp--------------------------------------------------------------------------------[Detailed process]Yesterday, I saw a Cracked article titled "A CrackMe attack on the Therefore, I cannot h
mainly to determine whether to enter the registration code and check whether the entered registration code is legal, it is successful if it is legal, it fails if it is illegal. In this case, let's take a look at the key call. The next breakpoint at the key call is followed by the interruption.00411610 E8 B59F0200 call 00411615 8D4C24 14 lea ecx, dword ptr ss: [esp + 14]00411619 E8 F2DE0000 call unpacked.0041F510;00400001e 8D4C24 10 lea ecx, dword ptr ss: [esp + 10]00411622 C74424 2C 0000> mov d
finally calls. In this case, let's take a look at what is followed by so many 41414141.
Pay attention to the stack growth direction from high address to low address. From the perspective of 41414141, 00000000 01b8a000001b99fe8 should be ebx esi and edi. Continue to see ffffffff 0012e3bc. (Why, because this is obviously not the return address. 0012e3bc is within the range of the stack where the function fails, and it cannot be the return address.)
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.