图书馆保卫战手记
本帖最后由 十二 于 2010-12-19 11:36 编辑
F3打开程序载入 = =
bp CreateFileA 下断直到堆栈窗口显示FileName的名字为td00.dat。
Alt+F9返回
; Start of the index-table loader for td00.dat, as captured in OllyDbg after
; "bp CreateFileA". Throughout this listing the forum rendering has dropped
; the bracketed part of memory operands ("DWORD PTR SS:" with nothing after
; it); the missing operand is given in the comment, decoded from the opcode
; bytes printed on the same line (e.g. 8D4424 24 = LEA EAX,[ESP+24]).
00412967 |. FF15 6C404500 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
0041296D |. 8BF0 MOV ESI,EAX-----------------------------停在此处 ; ESI = file handle returned by CreateFileA
0041296F |. 83FE FF CMP ESI,-1 ; -1 = INVALID_HANDLE_VALUE
00412972 |. 75 07 JNZ SHORT game.0041297B ; open succeeded -> fall into the loader below
00412974 |. 32C0 XOR AL,AL ; AL = 0: failure result for the caller
00412976 |. E9 71010000 JMP game.00412AEC ; jump to the common exit; 00412AEC itself is outside this listing
; Success path: one 3-argument call with EBP, 0x104 and EDI, then ReadFile's
; import is cached in EBX because it is called three times further down.
0041297B |> 57 PUSH EDI ; arg3 = EDI (contents not visible in this listing)
0041297C |. 68 04010000 PUSH 104 ; arg2 = 0x104 (260); reads like a MAX_PATH-sized length — confirm against 00429B72
00412981 |. 55 PUSH EBP ; arg1 = EBP
00412982 |. E8 EB710100 CALL game.00429B72 ; helper(EBP, 0x104, EDI); the same helper is reused per entry at 00412A7A with (dst, len, src)
00412987 |. 8B1D 3C404500 MOV EBX,DWORD PTR DS:[<&KERNEL32.ReadFil>; kernel32.ReadFile ; EBX = &ReadFile for the CALL EBX sites below
0041298D |. 83C4 0C ADD ESP,0C ; caller pops the 3 dwords -> cdecl helper
; Two header reads. Offsets below are the raw [ESP+xx] operands; because the
; stack grows with each PUSH, relative to the ESP value left by ADD ESP,0C
; above they land on: 2-byte field at +18, 4-byte field at +1C, and a shared
; bytes-read dword at +20. Neither ReadFile return value is tested.
00412990 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
00412992 |. 8D4424 24 LEA EAX,DWORD PTR SS: ; | ; [ESP+24] -> &bytesRead
00412996 |. 50 PUSH EAX ; |pBytesRead
00412997 |. 6A 02 PUSH 2 ; |BytesToRead = 2
00412999 |. 8D4C24 24 LEA ECX,DWORD PTR SS: ; | ; [ESP+24] -> 2-byte destination (the word compared at 00412A01)
0041299D |. 51 PUSH ECX ; |Buffer
0041299E |. 56 PUSH ESI ; |hFile
0041299F |. FFD3 CALL EBX ; \ReadFile ; result in EAX is ignored; stdcall, so ESP is back where it was
004129A1 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
004129A3 |. 8D5424 24 LEA EDX,DWORD PTR SS: ; | ; [ESP+24] -> same bytesRead slot as the first read
004129A7 |. 52 PUSH EDX ; |pBytesRead
004129A8 |. 6A 04 PUSH 4 ; |BytesToRead = 4
004129AA |. 8D4424 28 LEA EAX,DWORD PTR SS: ; | ; [ESP+28] -> 4-byte destination (read back as the index size at 004129B2)
004129AE |. 50 PUSH EAX ; |Buffer
004129AF |. 56 PUSH ESI ; |hFile
004129B0 |. FFD3 CALL EBX ; \ReadFile ; result again ignored; a short read leaves whatever was in the slot
; Allocate a buffer of the size just read from the file and read the encrypted
; index into it. The stack dump the author captured at the CALL EBX below shows
; the five ReadFile arguments in order: handle 000000C4, buffer 010A3F48,
; length 00001D9E, &bytesRead 0012FC48, overlapped 0.
004129B2 |. 8B4C24 1C MOV ECX,DWORD PTR SS: ; [ESP+1C] = 4-byte header field (index size, file-controlled)
004129B6 |. 51 PUSH ECX
004129B7 |. E8 ED380000 CALL game.004162A9 ; helper(size) -> EAX; the buffer 010A3F48 in the dump below says this allocates
004129BC |. 83C4 04 ADD ESP,4 ; cdecl
004129BF |. 6A 00 PUSH 0 ; pOverlapped = NULL
004129C1 |. 8BF8 MOV EDI,EAX ; EDI = index buffer (no NULL check)
004129C3 |. 8B4424 20 MOV EAX,DWORD PTR SS: ; [ESP+20] = index size (same slot as [ESP+1C] above, one PUSH deeper)
004129C7 |. 8D5424 24 LEA EDX,DWORD PTR SS: ; [ESP+24] -> &bytesRead
004129CB |. 52 PUSH EDX ; pBytesRead
004129CC |. 50 PUSH EAX ; BytesToRead = size
004129CD |. 57 PUSH EDI ; Buffer
004129CE |. 56 PUSH ESI ; hFile
004129CF |. 897C24 44 MOV DWORD PTR SS:,EDI ; [ESP+44] = index buffer, saved for later use
004129D3 |. FFD3 CALL EBX-----------------------给此处下断,注释变为ReadFile,查看堆栈。 ; ReadFile(hFile, buf, size, &bytesRead, NULL); return value and bytesRead are not checked afterwards
0012FC14 000000C4
0012FC18 010A3F48-------------点此右键跟踪,F8步过CALL EBX。010A3F48被填充为解密的索引表数据
0012FC1C 00001D9E
0012FC20 0012FC48
0012FC24 00000000
0012FC28 FDF2EE5F
0012FC2C 00400000 game.00400000
; The file is closed as soon as the raw index is in memory; the rest of the
; routine works on the buffer only.
004129D5 |. 56 PUSH ESI ; /hObject
004129D6 |. FF15 38404500 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle-----------------关闭句柄
004129DC |. 8B5C24 1C MOV EBX,DWORD PTR SS: ; [ESP+1C] = index size
004129E0 |. 8D43 06 LEA EAX,DWORD PTR DS: ; [EBX+6] -> EAX = size + 6
004129E3 |. E8 4899FFFF CALL game.0040C330 ; takes EAX = size+6; presumably seeds the key stream that 0040C370 yields below — confirm in 0040C330
; In-place decryption: for i in [0, size): buf[i] ^= next key byte.
; Register roles: ESI = i, EDI = buffer, EBX = size, AL = key byte.
004129E8 |. 33F6 XOR ESI,ESI ; i = 0
004129EA |. 85DB TEST EBX,EBX
004129EC |. 76 13 JBE SHORT game.00412A01 ; TEST clears CF, so JBE fires only for size == 0
004129EE |. 8BFF MOV EDI,EDI ; 2-byte nop; pads the loop head to the 16-byte boundary at 004129F0
004129F0 |> E8 7B99FFFF /CALL game.0040C370-------------索引表解密密匙 ; returns one key byte in AL per call
004129F5 |. 30043E |XOR BYTE PTR DS:,AL ; [ESI+EDI] -> buf[i] ^= AL
004129F8 |. 83C6 01 |ADD ESI,1 ; i++
004129FB |. 3B7424 1C |CMP ESI,DWORD PTR SS: ; [ESP+1C] = size
004129FF |.^ 72 EF \JB SHORT game.004129F0-------------循环解密 ; unsigned: loop while i < size
; Entry-loop setup. The 2-byte header field is the entry count; the loop
; counter lives at [ESP+24] and the index cursor in ESI.
00412A01 |> 66:837C24 18 >CMP WORD PTR SS:,0-------------下断此处F9运行得到010A3F48解密后的索引表。 ; [ESP+18] = 2-byte header field (entry count)
00412A07 |. 8BF7 MOV ESI,EDI ; ESI = cursor at the start of the decrypted index
00412A09 |. C74424 24 000>MOV DWORD PTR SS:,0 ; [ESP+24] = 0, entry counter
00412A11 |. 0F86 CA000000 JBE game.00412AE1 ; count == 0 -> skip the loop (00412AE1 is outside this listing)
00412A17 |. 81C5 04010000 ADD EBP,104 ; EBP += 0x104, i.e. just past the 0x104-byte region given to 00429B72 at 00412982; meaning not visible here
00412A1D |. 896C24 2C MOV DWORD PTR SS:,EBP ; [ESP+2C] = EBP, reloaded as Arg1 of 00412DD0 in every iteration
; Per-entry loop over the decrypted index. The ESI arithmetic fixes the
; record layout this code expects:
;   +0  dword -> EBX      +4  dword -> ECX
;   +8  byte  name length +9  name bytes (exactly <length> of them; no terminator is read)
; Per entry: copy the name to a stack buffer at [ESP+4C], NUL-terminate it,
; strlen it, duplicate it into a fresh allocation, hand a small stack record
; {name ptr, dword1, dword0} to 00412DD0, then release the duplicate.
; Only the header's entry count bounds the loop; the cursor is never compared
; against buffer + size, so a count or length byte that does not match the
; index size walks ESI past the buffer.
00412A21 |> /8B1E /MOV EBX,DWORD PTR DS: ; [ESI] = entry dword 0
00412A23 |. |8B4E 04 |MOV ECX,DWORD PTR DS: ; [ESI+4] = entry dword 1
00412A26 |. |83C6 04 |ADD ESI,4
00412A29 |. |8A46 04 |MOV AL,BYTE PTR DS: ; [ESI+4] = name length byte (entry +8)
00412A2C |. |83C6 04 |ADD ESI,4
00412A2F |. |0FB6F8 |MOVZX EDI,AL ; EDI = name length, 0..255
00412A32 |. |57 |PUSH EDI ; arg3 = length
00412A33 |. |83C6 01 |ADD ESI,1 ; ESI -> name bytes (entry +9)
00412A36 |. |8D5424 50 |LEA EDX,DWORD PTR SS: ; [ESP+50] -> stack name buffer (the [ESP+4C] slot seen once the pushes are undone)
00412A3A |. |56 |PUSH ESI ; arg2 = src
00412A3B |. |52 |PUSH EDX ; arg1 = dst
00412A3C |. |894C24 34 |MOV DWORD PTR SS:,ECX ; [ESP+34] = entry dword 1, parked until 00412A7F
00412A40 |. |E8 0B810100 |CALL game.0042AB50 ; helper(dst, src, len) — memcpy by the look of the arguments; body not in this listing
00412A45 |. |83C4 0C |ADD ESP,0C ; cdecl
00412A48 |. |8D4424 4C |LEA EAX,DWORD PTR SS: ; [ESP+4C] -> stack name buffer
00412A4C |. |C6443C 4C 00 |MOV BYTE PTR SS:,0 ; [ESP+EDI+4C] = 0: terminate after <length> bytes; the buffer's capacity is not visible here, so whether 256 bytes always fit cannot be judged from this listing
00412A51 |. |03F7 |ADD ESI,EDI ; ESI -> next entry
00412A53 |. |8D78 01 |LEA EDI,DWORD PTR DS: ; [EAX+1] -> EDI = buffer + 1, the bias the strlen below subtracts
00412A56 |> |8A08 |/MOV CL,BYTE PTR DS: ; [EAX] -> inline strlen over the terminated copy
00412A58 |. |83C0 01 ||ADD EAX,1
00412A5B |. |84C9 ||TEST CL,CL
00412A5D |.^|75 F7 |\JNZ SHORT game.00412A56 ; EAX stops one past the NUL
00412A5F |. |2BC7 |SUB EAX,EDI ; EAX = strlen(name)
00412A61 |. |8D68 01 |LEA EBP,DWORD PTR DS: ; [EAX+1] -> EBP = strlen + 1
00412A64 |. |55 |PUSH EBP
00412A65 |. |E8 3F380000 |CALL game.004162A9 ; same helper as at 004129B7 -> EAX = block of strlen+1 bytes
00412A6A |. |8BF8 |MOV EDI,EAX ; EDI = heap copy of the name; NULL-checked only at 00412AAD, after it has been used
00412A6C |. |83C4 04 |ADD ESP,4
00412A6F |. |8D4424 4C |LEA EAX,DWORD PTR SS: ; [ESP+4C] -> stack name buffer
00412A73 |. |50 |PUSH EAX ; arg3 = src
00412A74 |. |55 |PUSH EBP ; arg2 = strlen + 1
00412A75 |. |57 |PUSH EDI ; arg1 = dst
00412A76 |. |897C24 40 |MOV DWORD PTR SS:,EDI ; [ESP+40] = heap name pointer; first field of the record passed as Arg3 below
00412A7A |. |E8 F3700100 |CALL game.00429B72 ; same (dst, len, src) helper as at 00412982 — a bounded string copy would fit; confirm
00412A7F |. |8B4C24 34 |MOV ECX,DWORD PTR SS: ; [ESP+34] = entry dword 1 (parked at 00412A3C)
00412A83 |. |83C4 0C |ADD ESP,0C ; cdecl
00412A86 |. |894C24 38 |MOV DWORD PTR SS:,ECX ; [ESP+38] = entry dword 1
00412A8A |. |895C24 3C |MOV DWORD PTR SS:,EBX ; [ESP+3C] = entry dword 0
00412A8E |. |8B4C24 2C |MOV ECX,DWORD PTR SS: ; [ESP+2C] = EBP value stored at 00412A1D
00412A92 |. |8D5424 34 |LEA EDX,DWORD PTR SS: ; [ESP+34] -> record {name ptr, dword1, dword0}
00412A96 |. |52 |PUSH EDX ; /Arg3
00412A97 |. |8D4424 44 |LEA EAX,DWORD PTR SS: ; | ; [ESP+44] -> the slot right after dword0 (contents not visible here)
00412A9B |. |50 |PUSH EAX ; |Arg2
00412A9C |. |51 |PUSH ECX ; |Arg1
00412A9D |. |C78424 680100>|MOV DWORD PTR SS:,0 ; | ; [ESP+168] = 0 before the call
00412AA8 |. |E8 23030000 |CALL game.00412DD0 ; \game.00412DD0 ; no ADD ESP after the call: the callee pops its 3 arguments
00412AAD |. |85FF |TEST EDI,EDI ; heap name pointer
00412AAF |. |C78424 5C0100>|MOV DWORD PTR SS:,-1 ; [ESP+15C] = -1; same slot as the 0 written above, now that the 3 args are gone
00412ABA |. |74 09 |JE SHORT game.00412AC5 ; NULL -> nothing to release
00412ABC |. |57 |PUSH EDI
00412ABD |. |E8 C46C0100 |CALL game.00429786 ; helper(heap name); presumably the release matching 004162A9 — confirm
00412AC2 |. |83C4 04 |ADD ESP,4 ; cdecl
00412AC5 |> |8B4424 24 |MOV EAX,DWORD PTR SS: ; [ESP+24] = entry counter
00412AC9 |. |0FB75424 18 |MOVZX EDX,WORD PTR SS: ; [ESP+18] = entry count from the header
00412ACE |. |83C0 01 |ADD EAX,1
00412AD1 |. |3BC2 |CMP EAX,EDX
00412AD3 |. |894424 24 |MOV DWORD PTR SS:,EAX ; [ESP+24] = ++counter (MOV keeps the flags from CMP)
00412AD7 |.^\0F82 44FFFFFF \JB game.00412A21 ; unsigned: loop while counter < count
已经完了 - =。。。。。。。。。。。随后的文件解密两次CreateFile后会有SetFilePointer。。。。。。
和ZUN的解包是一样的 = = 和FXTZ的解包和封包器通用 = = 这个是图书馆战的代码……
想不到玩是挺爽的,实际背后是这么……复杂的…… 汇编没学好结果看不懂了,回去复习