A powerful technique made public: using signatures to locate key code and kill an MFC program in seconds

Source: Internet
Author: User

[Article title]: A powerful technique made public: locating key code with signatures, killing MFC programs in seconds
[Author]: Shumeng Peng
[]: Search for and download it yourself
[Tools]: VC and OllyICE
[Author's statement]: This is purely out of interest and for no other purpose. Please point out any errors!
--------------------------------------------------------------------------------

My supplement:

Some signatures:

(VC6 SP6) mfc42d.dll: call [ebp-4]

(VS2008) mfc90ud.dll: call [ebp-8]

--------------------------------------------------------------------------------

[Detailed process]
The method described in this article is actually very old. In the past it was considered too lethal to publish.

As software developers' awareness of protection grew and protection technology advanced, the lethality of this method gradually dropped to an ordinary level.

I have a lot of courses and assignments this semester, so I plan to put my program-debugging hobby aside for a while; it will probably be at least half a year before I can come back to Pediy (Kanxue).

Writing up this method is my farewell gift to everyone.



For programs that use the SDK directly, without a third-party library, locating the program's "key code" is not hard: set a breakpoint on CreateWindow or DialogBoxParam and you get the main window's window procedure or dialog procedure directly. For a program that uses MFC, however, the window procedure or dialog procedure you find belongs to the framework MFC provides; messages pass through layers of dispatch and filtering before they finally reach user code, so analysing that directly is complicated.

Fortunately, there is an OllyDbg script that helps find functions such as OnOK(). The script is based on a thorough understanding of MFC's internal mechanism and works by setting a breakpoint in the message-dispatch code.

The method I will describe now is, to some extent, better than that script: it locates the code we are interested in, and it generalises. If you understand the idea, you can extend it into a very powerful "killer", not only for MFC but for other application frameworks as well.


I won't explain how I came up with the method; I'll just give two examples. Once you understand them you will certainly grasp the idea, and it is very simple.


I use mfc42 as the example. Open VC6, create an MFC dialog-based program with the default settings, and write the following statement at the beginning of OnOK():

__asm int 3

Then build it in Release.

Now debug the program with OD. Make sure INT3 exceptions are not ignored. Press F9 to run and click "OK"; OD breaks immediately.

View the stack:

Code:
0012f80c  73efe938  return to mfc42.73efe938
0012f810  00000000
0012f814  004022e8  mfcdialo.004022e8


Let's look at mfc42.73efe938:

Code:
73efe932  8b4d 08   mov ecx, dword ptr ss:[ebp+8]
73efe935  ff55 14   call dword ptr ss:[ebp+14]    ; this is the call that invokes the user function; its return address is mfc42.73efe938
73efe938  5f        pop edi
73efe939  8bc6      mov eax, esi
...

We can see that the target of call [ebp+14] at 73efe935 is our OnOK(). Remember this address.

Press Alt+E to open the executable modules list and double-click the mfc42.dll line (base 73eb0000 in this session).


The CPU window now shows the .text section of mfc42.dll. Press Ctrl+F, enter call [ebp+14], and press Enter. The first hit is:

Code:
73efe935  ff55 14   call dword ptr ss:[ebp+14]    ; this is the call


Now you see what this article is about...


Let's take a look at the application of this method.

Find a crackme built with mfc42 and load it in OD. Whatever it is, just run it with F9. Press Alt+E, double-click mfc42.dll, press Ctrl+F, enter call [ebp+14], and set a breakpoint with F2 at the first hit.

Click the crackme's OK button. When OD breaks, remove the breakpoint with F2 and step into the call with F7.

You are now in the button's handler function and can start analysing it.


--------------------------------------------------------------------------------
[Experience Summary]
If you understand my process, you should also understand the idea.

The signature for mfc42.dll is the instruction call [ebp+14].

By the way, the OnXxxClick() handlers of all button controls go through this point, as do the OnChange() handler of edit boxes, the messages of checkboxes and many other controls, and even OnClose(). Why? Because message dispatch in the MFC framework is based on the handler's parameter-type signature (its "template"). If you don't understand that, you don't need to; you only need to remember the method.
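To show why one breakpoint catches every handler, here is an added C++ model of MFC's message-map dispatch (example code written for this page, not MFC's own source; the names CmdTarget, DispatchCmdMsg, MsgMapEntry and MyDialog are my own, modelled on MFC's CCmdTarget/AfxDispatchCmdMsg pattern, and Simulate is only a test driver). It assumes the ordinary stack frame seen in the listing above: ebp+8 is the first argument and ebp+14h the fourth.

```cpp
// Added example (not MFC's source): a minimal model of MFC's message-map dispatch.
struct CmdTarget;
typedef void (CmdTarget::*PMSG)();        // generic handler pointer (like AFX_PMSG)
enum Sig { Sig_vv, Sig_vw };              // void() and void(unsigned) handlers
struct MsgMapEntry { unsigned msgId; Sig sig; PMSG pfn; };
struct CmdTarget {
    virtual const MsgMapEntry* GetMessageMap() const = 0;
};
union MsgMapFunctions {                   // real prototypes, like MFC's MessageMapFunctions
    PMSG pfn;
    void (CmdTarget::*pfn_vv)();
    void (CmdTarget::*pfn_vw)(unsigned);
};
// The choke point: in mfc42.dll this indirect call is "call [ebp+14]" (the target
// object at ebp+8 goes into ecx; the handler pointer is the fourth argument, ebp+14h).
// OnOK, OnClose, OnXxxClick, OnChange... all pass here, so one breakpoint catches them all.
static bool DispatchCmdMsg(CmdTarget* pTarget, PMSG pfn, Sig sig, unsigned wParam) {
    MsgMapFunctions mmf; mmf.pfn = pfn;
    switch (sig) {
    case Sig_vv: (pTarget->*mmf.pfn_vv)(); return true;
    case Sig_vw: (pTarget->*mmf.pfn_vw)(wParam); return true;
    }
    return false;
}
// Walk the map for a command id, the way CCmdTarget::OnCmdMsg does
static bool OnCmdMsg(CmdTarget* pTarget, unsigned nID, unsigned wParam) {
    for (const MsgMapEntry* e = pTarget->GetMessageMap(); e->pfn; ++e)
        if (e->msgId == nID) return DispatchCmdMsg(pTarget, e->pfn, e->sig, wParam);
    return false;                         // unhandled: MFC would pass it up the chain
}
// Sample dialog like the VC6 wizard's: IDOK (1) -> OnOK, button 1001 -> OnButtonClick
struct MyDialog : CmdTarget {
    int okCount = 0, lastButton = 0;
    void OnOK() { ++okCount; }            // where the article places __asm int 3
    void OnButtonClick(unsigned id) { lastButton = (int)id; }
    const MsgMapEntry* GetMessageMap() const override {
        static const MsgMapEntry map[] = {
            { 1,    Sig_vv, (PMSG)(void (CmdTarget::*)())&MyDialog::OnOK },
            { 1001, Sig_vw, (PMSG)(void (CmdTarget::*)(unsigned))&MyDialog::OnButtonClick },
            { 0, Sig_vv, nullptr } };     // end of map
        return map;
    }
};
// Test driver (constructed input): click OK nOk times, then button 1001 with the given
// id; returns okCount*1000 + lastButton, or -1 if the button message was not dispatched
static int Simulate(int nOk, unsigned buttonId) {
    MyDialog d;
    for (int i = 0; i < nOk; ++i) OnCmdMsg(&d, 1, 0);
    return OnCmdMsg(&d, 1001, buttonId) ? d.okCount * 1000 + d.lastButton : -1;
}
```

Every handler, whatever its prototype, is reached through the single indirect call in DispatchCmdMsg, which is exactly the property the signature breakpoint relies on.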

In addition, this method works for all MFC programs, such as mfc71d and mfc90u, for statically linked MFC, and even for Delphi programs; you only need to understand the principle, since the approach is similar. As for what their "signatures" are, find them yourself.


I wish you all an early mastery.
