Goal of the experiment: intercept the message handling for the button actions directly and analyze the logic behind them.
Target program: the CrackMe that comes with <<使用OllyDbg從零開始Cracking 第一章翻譯>> (the Chinese translation of chapter 1 of "Cracking with OllyDbg from scratch").
Load the target program in OD (OllyDbg). Once the program is running, pause OD.
Experimenting shows that clicking the menu triggers a WM_COMMAND message on the main window.
Trying to catch WM_COMMAND on the pop-up register window directly catches nothing.
So instead, catch the main window's WM_COMMAND message and locate the handler where the menu creates the register dialog.
From the dialog procedure passed to the function that creates the register dialog, all of that dialog's message handling logic can be found.
A menu click is a WM_COMMAND; sorting the message breakpoint list by message name makes it easier to find.
After setting the message breakpoint, confirm that it is actually set.
F9 to run the program. Click the Register menu. The program breaks at the WM_COMMAND message breakpoint.
- 00401128 > $ C8 000000 ENTER 0,0 ; main window message breakpoint, WM_COMMAND
- 0040112C . 56 PUSH ESI
- 0040112D . 57 PUSH EDI
- 0040112E . 53 PUSH EBX
- 0040112F . 837D 0C 02 CMP DWORD PTR SS:[EBP+C],2
- 00401133 . 74 5E JE SHORT CRACKME.00401193
- 00401135 . 817D 0C 040200>CMP DWORD PTR SS:[EBP+C],204
- 0040113C . 74 65 JE SHORT CRACKME.004011A3
Step with F8 down to the code that creates the register dialog.
- 00401209 > 6A 00 PUSH 0 ; /lParam = NULL
- 0040120B . 68 53124000 PUSH CRACKME.00401253 ; |DlgProc = CRACKME.00401253
- 00401210 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
- 00401213 . 68 15214000 PUSH CRACKME.00402115 ; |pTemplate = "DLG_REGIS"
- 00401218 . FF35 CA204000 PUSH DWORD PTR DS:[4020CA] ; |hInst = 00400000
- 0040121E . E8 7D020000 CALL <JMP.&USER32.DialogBoxParamA> ; \DialogBoxParamA
CRACKME.00401253 is the dialog procedure of the register dialog. Go there and take a look.
- 00401253 /. C8 000000 ENTER 0,0 ; register dialog procedure
- 00401257 |. 53 PUSH EBX
- 00401258 |. 56 PUSH ESI
- 00401259 |. 57 PUSH EDI
- 0040125A |. 817D 0C 100100>CMP DWORD PTR SS:[EBP+C],110 ; WM_INITDIALOG
- 00401261 |. 74 34 JE SHORT CRACKME.00401297
- 00401263 |. 817D 0C 110100>CMP DWORD PTR SS:[EBP+C],111 ; WM_COMMAND
- 0040126A |. 74 35 JE SHORT CRACKME.004012A1
- 0040126C |. 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10 ; WM_CLOSE
- 00401270 |. 0F84 81000000 JE CRACKME.004012F7
- 00401276 |. 817D 0C 010200>CMP DWORD PTR SS:[EBP+C],201 ; WM_LBUTTONDOWN
- 0040127D |. 74 0C JE SHORT CRACKME.0040128B
- 0040127F |. B8 00000000 MOV EAX,0
- 00401284 |> 5F POP EDI
- 00401285 |. 5E POP ESI
- 00401286 |. 5B POP EBX
- 00401287 |. C9 LEAVE
- 00401288 |. C2 1000 RETN 10
CRACKME.004012A1 is the register dialog's WM_COMMAND handler.
The register dialog handles four messages in total (dialog initialization, quit, OK, command handling).
Press Enter on address 0040126A to follow the jump and look at the button handling logic.
- 004012A1 |> 33C0 /XOR EAX,EAX ; register dialog: button handling logic
- 004012A3 |. 817D 10 EB0300>|CMP DWORD PTR SS:[EBP+10],3EB
- 004012AA |. 74 4B |JE SHORT CRACKME.004012F7
- 004012AC |. 817D 10 EA0300>|CMP DWORD PTR SS:[EBP+10],3EA
- 004012B3 |. 75 3B |JNZ SHORT CRACKME.004012F0
- 004012B5 |. 6A 0B |PUSH 0B ; /Count = B (11.)
- 004012B7 |. 68 8E214000 |PUSH CRACKME.0040218E ; |Buffer = CRACKME.0040218E
- 004012BC |. 68 E8030000 |PUSH 3E8 ; |ControlID = 3E8 (1000.)
- 004012C1 |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; |hWnd
- 004012C4 |. E8 07020000 |CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
- 004012C9 |. 83F8 01 |CMP EAX,1
- 004012CC |. C745 10 EB0300>|MOV DWORD PTR SS:[EBP+10],3EB
- 004012D3 |.^72 CC \JB SHORT CRACKME.004012A1
- 004012D5 |. 6A 0B PUSH 0B ; /Count = B (11.)
- 004012D7 |. 68 7E214000 PUSH CRACKME.0040217E ; |Buffer = CRACKME.0040217E
- 004012DC |. 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)
- 004012E1 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
- 004012E4 |. E8 E7010000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
- 004012E9 |. B8 01000000 MOV EAX,1
- 004012EE |. EB 07 JMP SHORT CRACKME.004012F7
- 004012F0 |> B8 00000000 MOV EAX,0
- 004012F5 |.^EB 8D JMP SHORT CRACKME.00401284
- 004012F7 |> 50 PUSH EAX ; /Result
- 004012F8 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
- 004012FB |. E8 B2010000 CALL <JMP.&USER32.EndDialog> ; \EndDialog
- 00401300 |. B8 01000000 MOV EAX,1
- 00401305 \.^E9 7AFFFFFF JMP CRACKME.00401284
Setting an ordinary code breakpoint with F2 at address 004012A1 already breaks on the register dialog's WM_COMMAND logic.
To break only on the button (OK, Quit) handling, put the breakpoint at 004012B5 instead.
F9 to run the program. Fill in Name and SN, then press the OK button.
It can be seen that the register dialog's message handling only retrieves the user input.
- 004012A1 |> 33C0 /XOR EAX,EAX ; register dialog: button handling logic
- 004012A3 |. 817D 10 EB0300>|CMP DWORD PTR SS:[EBP+10],3EB
- 004012AA |. 74 4B |JE SHORT CRACKME.004012F7
- 004012AC |. 817D 10 EA0300>|CMP DWORD PTR SS:[EBP+10],3EA
- 004012B3 |. 75 3B |JNZ SHORT CRACKME.004012F0
- 004012B5 |. 6A 0B |PUSH 0B ; /Count = B (11.)
- 004012B7 |. 68 8E214000 |PUSH CRACKME.0040218E ; |name
- 004012BC |. 68 E8030000 |PUSH 3E8 ; |ControlID = 3E8 (1000.)
- 004012C1 |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; |hWnd
- 004012C4 |. E8 07020000 |CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
- 004012C9 |. 83F8 01 |CMP EAX,1
- 004012CC |. C745 10 EB0300>|MOV DWORD PTR SS:[EBP+10],3EB
- 004012D3 |.^72 CC \JB SHORT CRACKME.004012A1
- 004012D5 |. 6A 0B PUSH 0B ; /Count = B (11.)
- 004012D7 |. 68 7E214000 PUSH CRACKME.0040217E ; |pwd
- 004012DC |. 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)
- 004012E1 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
- 004012E4 |. E8 E7010000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
- 004012E9 |. B8 01000000 MOV EAX,1
- 004012EE |. EB 07 JMP SHORT CRACKME.004012F7
- 004012F0 |> B8 00000000 MOV EAX,0
- 004012F5 |.^EB 8D JMP SHORT CRACKME.00401284
- 004012F7 |> 50 PUSH EAX ; /Result
- 004012F8 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
- 004012FB |. E8 B2010000 CALL <JMP.&USER32.EndDialog> ; \EndDialog
- 00401300 |. B8 01000000 MOV EAX,1
- 00401305 \.^E9 7AFFFFFF JMP CRACKME.00401284
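The button handler just listed, as an added C model that is not part of the original post or of the CrackMe: it reproduces the control flow of 004012A1 to 00401305 with constructed stand-ins for the dialog, for GetDlgItemTextA and for the two buffers at 0040218E and 0040217E, and makes visible what the listing hides, namely that an empty Name is rewritten into the Quit command (3EB) and closes the dialog with result 0, while a filled-in Name ends it with result 1 so the caller can validate the two buffers.

```c
#include <string.h>

/* Control IDs and buffer size taken from the listing above. */
#define IDC_NAME 0x3E8   /* edit control read at 004012BC */
#define IDC_SN   0x3E9   /* edit control read at 004012DC */
#define IDC_OK   0x3EA   /* compared at 004012AC */
#define IDC_QUIT 0x3EB   /* compared at 004012A3 */
#define TEXT_CAP 0x0B    /* Count pushed at 004012B5 and 004012D5: 10 chars + NUL */

/* Hypothetical in-memory dialog standing in for the real HWND. */
typedef struct {
    const char *name_field;  /* constructed contents of the Name edit box */
    const char *sn_field;    /* constructed contents of the SN edit box */
    int ended;               /* 1 once EndDialog would have been called */
    int end_result;          /* the Result argument EndDialog would receive */
} Dialog;

/* Buffers standing in for 0040218E (name) and 0040217E (SN). */
char g_name[TEXT_CAP];
char g_sn[TEXT_CAP];

/* Stand-in for GetDlgItemTextA: copy at most cap-1 chars, return chars copied. */
static unsigned get_dlg_item_text(const Dialog *dlg, unsigned id, char *out, size_t cap) {
    const char *src = (id == IDC_NAME) ? dlg->name_field : dlg->sn_field;
    size_t n = strlen(src);
    if (n > cap - 1) n = cap - 1;
    memcpy(out, src, n);
    out[n] = '\0';
    return (unsigned)n;
}

/* Model of 004012A1-00401305; returns the value the dialog procedure leaves in EAX. */
unsigned on_command(Dialog *dlg, unsigned wParam) {
    for (;;) {                               /* 004012A1 is also the target of the JB at 004012D3 */
        unsigned eax = 0;                    /* XOR EAX,EAX */
        if (wParam == IDC_QUIT) {            /* Quit: EndDialog(hWnd, 0) */
            dlg->ended = 1; dlg->end_result = (int)eax;
            return 1;                        /* MOV EAX,1 at 00401300 */
        }
        if (wParam != IDC_OK)                /* any other control: EAX=0, dialog stays open */
            return 0;
        /* OK pressed: read Name; an empty Name is turned into Quit and re-dispatched */
        if (get_dlg_item_text(dlg, IDC_NAME, g_name, TEXT_CAP) < 1) {
            wParam = IDC_QUIT;               /* MOV [EBP+10],3EB ; JB 004012A1 */
            continue;
        }
        get_dlg_item_text(dlg, IDC_SN, g_sn, TEXT_CAP);
        dlg->ended = 1; dlg->end_result = 1; /* EndDialog(hWnd, 1); the caller then checks g_name/g_sn */
        return 1;
    }
}
```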
Continue stepping from 00401305; the validity check of the entered data follows.
Summary: with message breakpoints, the child dialog's message handling procedure can be reached from the parent window's WM_COMMAND actions (menu clicks, button clicks).