Cracking Bible: Inner Chapter - Vulnerability Alert - Heiba Security Net (myhack58)

2005-12-21T00:00:00
ID MYHACK58:6220055646
Type myhack58
Reporter Anonymous
Modified 2005-12-21T00:00:00

Description

Cracking Bible: Inner Chapter (latter 50 sections) (Master Mo)

(1) Classic comparison patterns, which often appear where the registration code is checked (by programhunter)

1.
    mov eax, [ ]        ; can be an address or another register
    mov edx, [ ]        ; same as above; these two locations usually hold the important information
    call 00??????
    test eax, eax
    jz (jnz)

2.
    mov eax, [ ]        ; can be an address or another register
    mov edx, [ ]        ; same as above; these two locations usually hold the important information
    call 00??????
    jne (je)

3.
    mov eax, [ ]
    mov edx, [ ]
    cmp eax, edx
    jnz (jz)

   Or:

begin:
    mov al, [ ]
    mov cl, [ ]
    cmp al, cl
    jnz (jz)
    mov al, [ +1]
    mov cl, [ +1]
    cmp al, cl
    jnz (jz)
    cmp eax, ecx        ; eax is a counter
    jnl begin
    mov al, 01

4.
    lea edi, [ ]
    lea esi, [ ]
    repz cmpsd
    jz (jnz)

5.
    mov eax, [ ]        ; can be an address or another register
    mov edx, [ ]        ; same as above; these two locations usually hold the important information
    call 00??????
    setz (setnz) al (bl, cl, ...)

6.
    mov eax, [ ]        ; can be an address or another register
    mov edx, [ ]        ; same as above; these two locations usually hold the important information
    call 00??????
    test eax, eax
    setz (setnz) bl, cl, ...

7.
    call 00??????
    push eax (ebx, ecx, ...)
    ......
    ......
    call 00??????
    pop eax (ebx, ecx, ...)
    test eax, eax
    jz (jnz)

   In this form of comparison in particular, the critical comparison is not at the second call but at the first one.

(2) The registration code is compared byte by byte in sequence:

:0042A159 0FBE03       movsx eax, byte ptr [ebx]
:0042A15C 50           push eax
:0042A15D E8228C0400   call 00472D84
:0042A162 59           pop ecx
:0042A163 83F84A       cmp eax, 0000004A      ----> J
:0042A166 7559         jne 0042A1C1
:0042A168 0FBE5301     movsx edx, byte ptr [ebx+01]
:0042A16C 52           push edx
:0042A16D E8128C0400   call 00472D84
:0042A172 59           pop ecx
:0042A173 83F853       cmp eax, 00000053      ----> S
:0042A176 7549         jne 0042A1C1
:0042A178 0FBE4B02     movsx ecx, byte ptr [ebx+02]
:0042A17C 83F924       cmp ecx, 00000024      ----> $
:0042A17F 7540         jne 0042A1C1
:0042A181 0FBE4303     movsx eax, byte ptr [ebx+03]
:0042A185 83F832       cmp eax, 00000032      ----> 2
:0042A188 7537         jne 0042A1C1
:0042A18A 0FBE5304     movsx edx, byte ptr [ebx+04]
:0042A18E 83FA38       cmp edx, 00000038      ----> 8
:0042A191 752E         jne 0042A1C1
:0042A193 0FBE4B05     movsx ecx, byte ptr [ebx+05]
:0042A197 83F939       cmp ecx, 00000039      ----> 9
:0042A19A 7525         jne 0042A1C1
:0042A19C 0FBE4306     movsx eax, byte ptr [ebx+06]
:0042A1A0 83F832       cmp eax, 00000032      ----> 2
:0042A1A3 751C         jne 0042A1C1
:0042A1A5 0FBE5307     movsx edx, byte ptr [ebx+07]
:0042A1A9 83FA31       cmp edx, 00000031      ----> 1

(3) Comparing the number of characters:

    cmp dword ptr [ebp-04], 0000000A
    jne/jge/jle/je 00xxxx

   Or:

    mov eax, dword ptr [ebp-04]
    call 00xxxx
    cmp eax, 0000000A      <---- checks whether the registration code is 10 characters long
    jne 00xxxxx            <---- if not, wrong

(4) Classic comparison in a VB program:

    PUSH XXX               // fake registration code
    PUSH XXX               // true registration code
    CALL [MSVBVM60!__vbaStrCmp]
    TEST EAX, EAX
    JNZ 00XXXXX

(5) In SmartCheck, the registration code often appears at:

    __vbaStrCmp(String:"zzzzz", String:"yyyyy") returns ...
    __vbaStrVarVal(VARIANT:String "a") returns ...
    __vbaVarTstEq(VARIANT:*, VARIANT:*) returns ...

(6) Comparing two bytes at a time:

:004044D8 8A10         mov dl, byte ptr [eax]
:004044DA 8ACA         mov cl, dl
:004044DC 3A16         cmp dl, byte ptr [esi]
:004044DE 751C         jne 004044FC
:004044E0 84C9         test cl, cl
:004044E2 7414         je 004044F8
:004044E4 8A5001       mov dl, byte ptr [eax+01]
:004044E7 8ACA         mov cl, dl
:004044E9 3A5601       cmp dl, byte ptr [esi+01]
:004044EC 750E         jne 004044FC
:004044EE 83C002       add eax, 00000002
:004044F1 83C602       add esi, 00000002
:004044F4 84C9         test cl, cl
:004044F6 75E0         jne 004044D8

   On each iteration the program takes two bytes, comparing byte ptr [eax] and byte ptr [eax+1] with byte ptr [esi] and byte ptr [esi+1], then advances both pointers by 2 and loops until a mismatch or the terminating zero.

(7) Lowercase to uppercase conversion (to be found and supplemented when time allows)

(8) Uppercase to lowercase conversion (to be found and supplemented when time allows)
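The byte-by-byte check in (2) and the two-at-a-time loop in (6) share two properties that make them easy to recognise in a debugger: the expected serial is stored in the binary as plaintext constants, and the routine returns at the first mismatching byte, so the work done before rejection depends on the input. The C program below is an added example, not code from the original article or from any product it describes. It places that weak form beside a hardened form that keeps only a digest of the accepted serial and compares digests with a loop that does not branch on the data. The serial "EXAMPLE-KEY-0001" is a constructed value, and FNV-1a is a stand-in for a real cryptographic hash (a shipped build would use SHA-256 or an HMAC and compile in only the digest constant; here the digest is derived at startup so the example runs on its own).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example serial; in the weak form it is compiled in as plaintext. */
static const char WEAK_EXPECTED[] = "EXAMPLE-KEY-0001";
#define EXPECTED_LEN (sizeof WEAK_EXPECTED - 1)

/* Weak form: mirrors pattern (2). One cmp/jne per byte, exits on the first
   mismatch. Returns 1 on match, 0 otherwise. */
int weak_check(const char *input) {
    for (size_t i = 0; i < EXPECTED_LEN; i++) {
        if (input[i] != WEAK_EXPECTED[i])   /* cmp eax, imm ; jne reject */
            return 0;                       /* a short input hits '\0' here and stops */
    }
    return input[EXPECTED_LEN] == '\0';     /* reject trailing characters */
}

/* Number of bytes the weak form examines before deciding: this count, which
   single-stepping makes visible, is the leak the hardened form removes. */
size_t weak_bytes_compared(const char *input) {
    size_t i;
    for (i = 0; i < EXPECTED_LEN; i++)
        if (input[i] != WEAK_EXPECTED[i]) break;
    return i;
}

/* Stand-in digest (assumption: a real build uses a cryptographic hash). */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constant-time equality of fixed-length buffers: OR together every byte
   difference so the loop always runs to the end and never branches on data. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* In a shipped build this would be a compiled-in 8-byte constant; it is
   computed from the constructed serial here only so the example is runnable. */
uint64_t stored_digest(void) {
    return fnv1a64(WEAK_EXPECTED);
}

/* Hardened form: hash the input and compare digests in constant time. The
   plaintext serial never needs to be present and the length check is folded
   into the hash (a different length gives a different digest). */
int hardened_check(const char *input, uint64_t expected_digest) {
    uint64_t d = fnv1a64(input);
    uint8_t a[8], b[8];
    memcpy(a, &d, sizeof a);
    memcpy(b, &expected_digest, sizeof b);
    return ct_equal(a, b, sizeof a);
}

int main(void) {
    const char *tries[] = { "EXAMPLE-KEY-0001", "EXAMPLE-KEY-9999", "X" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-18s weak=%d (bytes examined %zu)  hardened=%d\n",
               tries[i], weak_check(tries[i]), weak_bytes_compared(tries[i]),
               hardened_check(tries[i], stored_digest()));
    }
    return 0;
}
```

Run stand-alone, the program shows that the weak form examines 16, 12 and 0 bytes for the three inputs while the hardened form does the same amount of work for each, which is the difference a defender is after when choosing between these two shapes.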