tailieunhanh - Reversing: Secrets of Reverse Engineering, part 8

Breaking Protections 405

has a pure user-mode implementation, which forces you to use the function index method. It turns out the API is GetCommandLineW. Indeed, it returns a pointer to our test command line. The next call is to a SHELL32 API. Again, a SHELL32 API would probably never make a direct call down into the kernel, so you're just stuck with some long function and you've no idea what it is. You have to use the function's index again to figure out which API Defender is calling. This time it turns out that it's CommandLineToArgvW. CommandLineToArgvW performs parsing on a command-line string and returns an array of strings, each containing a single parameter. Defender must call this function directly because it doesn't make use of a runtime library, which usually takes care of such things.

After the CommandLineToArgvW call, you reach an area in Defender that you've been trying to get to for a really long time: the parsing of the command-line arguments. You start with simple code that verifies that the parameters are valid. The code checks the total number of arguments sent back from CommandLineToArgvW to make sure that it is three (the program's name plus username and serial number). Then the third parameter is checked for a 16-character length. If it's not 16 characters, Defender jumps to the same place as if there aren't three parameters. Afterward, Defender calls an internal function (401CA8) that verifies that the hexadecimal string only contains digits and letters (either lowercase or uppercase). The function returns a Boolean indicating whether the serial is a valid hexadecimal number. Again, if the return value is 0, the code jumps to the same position, 40299C, which is apparently the bad-parameters code sequence.
The code proceeds to call another function (401CE3) that confirms that the username only contains letters (either lowercase or uppercase). After this, you reach the following three lines:

00402994 TEST EAX,EAX
00402996 JNZ 0040299C
CALL
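As an added example (not the book's listing or Defender's own code), the parameter checks recovered above rewritten as plain C, so the accepted and rejected inputs can be tried directly; the function names and the rejection of an empty username are assumptions.

```c
/* Added example, not Defender's own code: a clean C reconstruction of the
 * parameter checks the text recovers from the disassembly. Function names
 * are assumed; the rejection of an empty username is also an assumption. */
#include <ctype.h>
#include <string.h>

/* Counterpart of the routine at 401CA8: returns 1 when every character of
 * s is a hexadecimal digit (0-9, a-f, A-F), 0 otherwise. */
int serial_is_hex(const char *s)
{
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Counterpart of the routine at 401CE3: returns 1 when s consists only of
 * letters (either case), 0 otherwise or when s is empty (assumed). */
int username_is_alpha(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isalpha((unsigned char)*s))
            return 0;
    return 1;
}

/* The validation sequence following CommandLineToArgvW, in the order the
 * text describes it. Returns 1 when the parameters pass every check and 0
 * when execution would take the bad-parameters path at 40299C. */
int defender_params_ok(int argc, char **argv)
{
    if (argc != 3)                   /* program name, username, serial */
        return 0;
    if (strlen(argv[2]) != 16)       /* serial must be exactly 16 characters */
        return 0;
    if (!serial_is_hex(argv[2]))     /* 401CA8 returned 0 */
        return 0;
    if (!username_is_alpha(argv[1])) /* 401CE3 returned 0 */
        return 0;
    return 1;
}
```

The sample argument arrays a caller would pass correspond to what CommandLineToArgvW returns for "Defender.exe username serial".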
