|
原帖由 lxl1638 于 2007-4-16 08:10 AM 发表
原理上只需该一个字节
我是这样分析的,不知老大认为正确否?原程序用来显示左上角字符串的子程序如下:
00405B1B /$ 55 push ebp
00405B1C |. 8D6C24 88 lea ebp, dword ptr [esp-78]
00405B20 |. 81EC 4C030000 sub esp, 34C
00405B26 |. A1 04304100 mov eax, dword ptr [413004]
..........
00405BE8 |. 33C0 xor eax, eax
00405BEA |> 66:8B0C85 1826400>/mov cx, word ptr [eax*4+402618]
00405BF2 |. 66:03C8 |add cx, ax
00405BF5 |. 66:41 |inc cx
00405BF7 |. 66:894C45 D4 |mov word ptr [ebp+eax*2-2C], cx
00405BFC |. 40 |inc eax
00405BFD |. 83F8 28 |cmp eax, 28
00405C00 |.^7C E8 \jl short 00405BEA
上面的内存单元[402618]内容如下:
00402618 1F 00 00 00 2B 00 00 00 1D 00 00 00 53 00 00 00 ...+......S...
00402628 64 00 00 00 68 00 00 00 49 00 00 00 3D 00 00 00 d...h...I...=...
00402638 17 00 00 00 39 00 00 00 64 00 00 00 61 00 00 00 ...9...d...a...
00402648 60 00 00 00 53 00 00 00 5F 00 00 00 54 00 00 00 `...S..._...T...
00402658 54 00 00 00 60 00 00 00 0D 00 00 00 14 00 00 00 T...`..........
00402668 38 00 00 00 59 00 00 00 4D 00 00 00 51 00 00 00 8...Y...M...Q...
00402678 4D 00 00 00 4F 00 00 00 4A 00 00 00 48 00 00 00 M...O...J...H...
00402688 03 00 00 00 24 00 00 00 5A 00 00 00 00 00 00 00 ...$...Z.......
00402698 2B 00 00 00 56 00 00 00 49 00 00 00 0D 00 00 00 +...V...I.......
004026A8 11 00 00 00 0D 00 00 00 11 00 00 00 01 00 00 00 .............
以上内存单元内容加上其位置值就是真实内容。譬如[00402618]=1F,其位置=1,1F+1=20,
就是空格字符;又如[402624]=53,位置=4,53+4=57,就是大写W字符;依此类推,最后结果
存在堆栈[ebp-2C]内存中。
[ebp-2C]= - Winpe Commander (Modified By Lxl1638)
00405C02 |. 33C0 xor eax, eax
00405C04 |> 66:8B0C85 B826400>/mov cx, word ptr [eax*4+4026B8]
00405C0C |. 66:03C8 |add cx, ax
00405C0F |. 66:41 |inc cx
00405C11 |. 66:898C45 34FFFFF>|mov word ptr [ebp+eax*2-CC], cx
00405C19 |. 40 |inc eax
00405C1A |. 83F8 0F |cmp eax, 0F
00405C1D |.^7C E5 \jl short 00405C04
内存单元[4026B8]内容如下:
004026B8 22 00 00 00 4A 00 00 00 35 00 00 00 50 00 00 00 "...J...5...P...
004026C8 33 00 00 00 4C 00 00 00 2D 00 00 00 28 00 00 00 3...L...-...(...
004026D8 27 00 00 00 38 00 00 00 29 00 00 00 2C 00 00 00 '...8...)...,...
004026E8 17 00 00 00 23 00 00 00 25 00 00 00 00 00 00 00 ...#...%.......
跟前面一样计算方法,最后解密结果为:
[ebp-CC]= #L8T8R400B48$14
这就是PECMD的TEXT命令用来显示[ebp-2C]内容的位置与字体。
00405C1F |. 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
00405C25 |. 50 push eax ; /<%s>
00405C26 |. 68 9C2B4000 push 00402B9C ; |2.7.831.2302
00405C2B |. 8D45 D4 lea eax, dword ptr [ebp-2C] ; |
00405C2E |. 50 push eax ; |<%s>
00405C2F |. 68 B82B4000 push 00402BB8 ; |PECMD
00405C34 |. 68 C42B4000 push 00402BC4 ; |%s%s , V%s%s*
00405C39 |. 68 00634100 push 00416300 ; |s
00405C3E |. FF15 FC124000 call dword ptr [<&USER32.wsprintfW>] ; \wsprintfW
调用API函数wsprintfW来格式化上面字符串,存在[00416300]单元中,容易看出其结果为:
PECMD - Winpe Commander (Modified By Lxl1638),V2.7.831.2302#L8T8R400B48$14
00405C44 |. 83C4 18 add esp, 18
00405C47 |. 393D B8624100 cmp dword ptr [4162B8], edi ;比较是否显示字符串
00405C4D 74 4C je short 00405C9B ;相等不显示,可以改为jmp,亦即74->EB
00405C4F |> 68 00634100 push 00416300 ; /<%s> = ""
00405C54 |. 8D85 2CFDFFFF lea eax, dword ptr [ebp-2D4] ; |
00405C5A |. 68 7C2B4000 push 00402B7C ; |%s
00405C5F |. 50 push eax ; |s
00405C60 |. FF15 FC124000 call dword ptr [<&USER32.wsprintfW>] ; \wsprintfW
00405C66 |. 6A 01 push 1
00405C68 |. E8 2DFEFFFF call 00405A9A
00405C6D |. 8D85 2CFDFFFF lea eax, dword ptr [ebp-2D4]
00405C73 |. 50 push eax
00405C74 |. C705 2C3D4100 FFF>mov dword ptr [413D2C], 0FFFFFF
00405C7E |. E8 38000000 call 00405CBB ;调用写字符串子程序
00405C83 |. 83C4 14 add esp, 14
00405C86 |. 68 D0070000 push 7D0 ;/Timeout=2000.ms
00405C8B |. FF15 64104000 call dword ptr [<&KERNEL32.Sleep>] ;\Sleep
00405C91 |. 6A 00 push 0
00405C93 |. E8 02FEFFFF call 00405A9A
00405C98 |. 83C4 04 add esp, 4
00405C9B |> 8B4D 74 mov ecx, dword ptr [ebp+74]
00405C9E |. A1 B8624100 mov eax, dword ptr [4162B8]
00405CA3 |. 5F pop edi
00405CA4 |. 5E pop esi
这个子程序只要修改00405C4D这一行,亦即74改为EB就达到不显示字符串目的,不过更好方法还是不去
调用它,毕竟它会占用CPU周期与内存。它是被下面子程序来调用的:
00409A14 |. 53 push ebx
00409A15 |. E8 4BBFFFFF call 00405965
00409A1A |. 59 pop ecx
00409A1B E8 FBC0FFFF call 00405B1B ;这里调用上面,把它改为nop就好
00409A20 |. EB 20 jmp short 00409A42
00409A22 |> 53 push ebx
最后,用十六进制软件如WinHex打开PECMD.EXE,搜索“E8FBC0FFFF”替换为“9090909090”即好。 |
|