天气: 晴朗 心情: 高兴
软件:step7-micro/win4.0.3.08 工具:OllDbg v1.10 作者:浪客剑心 Email:s_blin@126.com
用OllDbg载入microwin,新建项目,右键点击SBR_0,属性,设定保护密码为4321,确定。
再次进入属性,输入错误密码1234,提示输入了不正确密码,于是从该处入手,中断。
思路:在输入密码时,程序会判断输入的密码跟保存的POU密码进行判断,关键点就是输入后中断程序,用分析软件单步运行,
找到程序判断密码的地方,由于密码错误时有消息框提示,我们便可从此处入手中断,然后往前查找程序判断密码的地方。
切换到OllDbg,在命令栏插件中输入bpx messageboxa,切换到microwin再次输入错误密码,非常幸运,OllDbg中断在这里:
0051DA0C |. 8B00 mov eax,dword ptr ds:[eax]
0051DA0E |. 52 push edx ; /Style 0051DA0F |. 50 push eax ; |Title 0051DA10 |. 8B4424 18 mov eax,dword ptr ss:[esp+18] ; | 0051DA14 |. 50 push eax ; |Text 0051DA15 |. 53 push ebx ; |hOwner
0051DA16 |. FF15 88306C00 call dword ptr ds:[<&USER32.MessageBoxA>] \\MessageBoxA <==中断在此处
0051DA1C |. 8D4C24 7C lea ecx,dword ptr ss:[esp+7C] 0051DA20 |. FFD7 call edi
0051DA22 |. 8B7424 14 mov esi,dword ptr ss:[esp+14] 0051DA26 |. 8B8424 800000>mov eax,dword ptr ss:[esp+80]
;
0051DA2D |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18] 0051DA31 |. 85C0 test eax,eax
0051DA33 |. 898E 9C010000 mov dword ptr ds:[esi+19C],ecx 0051DA39 |. 74 09 je short microwin.0051DA44
0051DA3B |. 6A 01 push 1 ; /Enable = TRUE 0051DA3D |. 50 push eax ; |hWnd
0051DA3E |. FF15 C0306C00 call dword ptr ds:[<&USER32.EnableWindow>] ; \\EnableWindow 0051DA44 |> 6A 01 push 1 0051DA46 |. 8BCE mov ecx,esi
0051DA48 |. E8 47C00900 call
0051DA6C |. 64:890D 00000>mov dword ptr fs:[0],ecx 0051DA73 |. 81C4 80000000 add esp,80 0051DA79 \\. C2 1000 retn 10
往下看,从中断到返回处都没有越过该中断的跳转,于是按F8到0051DA79,返回上一级。返回后来到这里:
0047F050 /$ 56 push esi
0047F051 |. E8 0C9A1300 call
0047F05B |. 74 32 je short microwin.0047F08F <==此处跳转 0047F05D |. 8B7424 0C mov esi,dword ptr ss:[esp+C]
0047F061 |. 8D8E 2EF8FF5F lea ecx,dword ptr ds:[esi+5FFFF82E] ; Switch (cases A00007D2..A00007DD)
0047F067 |. 83F9 0B cmp ecx,0B
0047F06A |. 77 0F ja short microwin.0047F07B 0047F06C |. 33D2 xor edx,edx
0047F06E |. 8A91 A0F04700 mov dl,byte ptr ds:[ecx+47F0A0] 0047F074 |. FF2495 98F047>jmp dword ptr ds:[edx*4+47F098]
0047F07B |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; Default case of switch 0047F061 0047F07F |. 8B5424 08 mov edx,dword ptr ss:[esp+8]
0047F083 |. 6A 00 push 0 ; /Arg4 = 00000000 0047F085 |. 51 push ecx ; |Arg3 0047F086 |. 56 push esi ; |Arg2 0047F087 |. 52 push edx ; |Arg1 0047F088 |. 8BC8 mov ecx,eax ; |
0047F08A |. E8 C1E20900 call microwin.0051D350 ; \\microwin.0051D350 <==此处是调用刚才call的地方 0047F08F
|>
B8
01000000
mov
eax,1
;
Cases
A00007D2,A00007D3,A00007DC,A00007DD of switch 0047F061 0047F094 |. 5E pop esi 0047F095 \\. C3 retn
注意从0047F05B处有一跳转到0047F08F,刚好绕过错误提示框,于是在0047F05B处下断,重复运行后中断在此处。
修改标志位,强制跳转到0047F08F,按F9运行。此时提示框没再出来,但访问权限依然没变,不得不继续往上继续寻找关键点。
在0047F095处下断点,重复运行后来到断点处,F8返回到上一级CALL: 0042FB35 |. 83C4 10 add esp,10 0042FB38 |. C3 retn
0042FB39 |> 68 30200000 push 2030 <==注意这里,有一跳转到此处 0042FB3E |. 50 push eax 0042FB3F |. 68 7E130000 push 137E
0042FB44 |. E8 07F50400 call microwin.0047F050 <==此处为返回call 0042FB49 |. 8DB5 B0000000 lea esi,dword ptr ss:[ebp+B0]
往上查找,发现跳转在此处: 0042F883 |. 53 push ebx 0042F884 |. 57 push edi 0042F885
|.
FF15
2C396C00
call
dword
ptr
ds:[<&executive200.TAB_AuthorizeP>; executiv.TAB_AuthorizePassword 0042F88B |. 83C4 08 add esp,8 0042F88E |. 85C0 test eax,eax
0042F890 |. 0F85 A3020000 jnz microwin.0042FB39 <==此处跳转 0042F896 |. 50 push eax
不知大家注意到没,executiv.TAB_AuthorizePassword这几个字眼非常敏感,呵呵。于是尝试在此处下断点。 重复后来到此处,F7跟进去看看有啥东东^_^
00B0A280 e> 51 push ecx
00B0A281 8B4C24 08 mov ecx,dword ptr ss:[esp+8] 00B0A285 C74424 00 F00A0>mov dword ptr ss:[esp],E0000AF0 00B0A28D 8B41 04 mov eax,dword ptr ds:[ecx+4] 00B0A290 3D E8030000 cmp eax,3E8
00B0A295 7C 1A jl short executiv.00B0A2B1 00B0A297 3D EC030000 cmp eax,3EC
00B0A29C 7F 13 jg short executiv.00B0A2B1 00B0A29E 8B4424 0C mov eax,dword ptr ss:[esp+C] 00B0A2A2 50 push eax 00B0A2A3 51 push ecx
00B0A2A4 8B0D A4C1B300 mov ecx,dword ptr ds:[<&storeretrieveverify200.g_Store>] ; storeret.g_Store
00B0A2AA E8 F1A70200 call
00B0A2AF EB 1F jmp short executiv.00B0A2D0 00B0A2B1 3D 88130000 cmp eax,1388
00B0A2B6 7C 1C jl short executiv.00B0A2D4 00B0A2B8 3D 8A130000 cmp eax,138A
00B0A2BD 7F 15 jg short executiv.00B0A2D4
00B0A2BF 8B5424 0C mov edx,dword ptr ss:[esp+C] 00B0A2C3 52 push edx 00B0A2C4 51 push ecx
00B0A2C5 8B0D A4C1B300 mov ecx,dword ptr ds:[<&storeretrieveverify200.g_Store>] ; storeret.g_Store
00B0A2CB E8 CAA70200 call
00B0A2D9 E8 22CAFFFF call executiv.00B06D00 00B0A2DE 83C4 08 add esp,8 00B0A2E1 C3 retn
此段程序比较短,不用想你也明白了,到00B0A2AA时F7跟进去看看:
跳到这里:
00BF5D7F 90 nop
00BF5D80 s> 8B4424 08 mov eax,dword ptr ss:[esp+8] 00BF5D84 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 00BF5D88 50 push eax 00BF5D89 51 push ecx
00BF5D8A 8B0D B033C300 mov ecx,dword ptr ds:[<&datamanagers200.g_PouDataMgr>] ; datamana.g_PouDataMgr
00BF5D90 E8 47640200 call
00BF5D95 C2 0800 retn 8 00BF5D98 90 nop
几番转折后,终于来到了这里: 00D0A330 d> 6A FF push -1
00D0A332 68 5036DD00 push datamana.00DD3650 00D0A337 64:A1 00000000 mov eax,dword ptr fs:[0] 00D0A33D 50 push eax
百度搜索“77cn”或“免费范文网”即可找到本站免费阅读全部范文。收藏本站方便下次阅读,免费范文网,提供经典小说教育文库手把手教你破解microwin4的POU密码在线全文阅读。
相关推荐: