Text/figure laoxuetong anti-DDoS pro
Reverse engineering is a fascinating technology, and I believe many readers, like me, enjoy studying it. Of course, it requires several tools for tracing, viewing, modifying, and editing software. There are many such tools; I recommend the following combination:
OllyDbg - An excellent tracing debugger for Windows. It is used to trace a program's execution and makes it easy to modify the software.
PEiD - A good identification tool. It shows which platform the software was written with and detects packers (shells), and it comes with enough plug-ins to detect the encryption algorithms the software uses.
LordPE - A tool for viewing and modifying PE files. There are times when you cannot do without it.
WinHex or UltraEdit - Editing tools. Choose either one to edit text resources.
Next, we take a program named WinPatrol v8.1.2.0 and see what we can do.
Brief introduction to the software
WinPatrol is a network security tool that can detect worms, spyware, Trojans, and other malicious programs. Its interface is shown in Figure 1:
Figure 1
In addition to viewing the various items and their related information, you can also set monitoring on an item to track the activity of suspicious viruses and Trojans. After the software starts, a black puppy appears in the taskbar; it turns around from time to time, which is cute.
The software runs in one of three states: unregistered, registered as PLUS, and registered as Professional. The interface in the PLUS state differs slightly from the interface in the Professional state, as shown in Figures 2 and 3:
Figure 2 Registered in PLUS status
Figure 3 Registered in Professional status
As for PLUS registration, a ready-made keygen already exists on the Internet, so I will not cover it here. What I want now is to register in the Professional state. What can we do?
Problem Analysis
Tracing the software shows that its registration verification is not complex. The code is as follows:
Read the name:
00408CF1 PUSH 40 ; /Count = 40 (64.)
00408CF3 PUSH WinPatro.004276E0 ; |Buffer = WinPatro.004276E0
00408CF8 PUSH 432 ; |ControlID = 432 (1074.)
00408CFD PUSH ESI ; |hWnd
00408CFE CALL EDI ; GetDlgItemTextA
Read the registration code:
00408D00 PUSH 20 ; /Count = 20 (32.)
00408D02 PUSH WinPatro.00427720 ; |Buffer = WinPatro.00427720
00408D07 PUSH 430 ; |ControlID = 430 (1072.)
00408D0C PUSH ESI ; |hWnd
00408D0D MOV EBX, EAX ; |save the name length
00408D0F CALL EDI ; GetDlgItemTextA
Check:
00408D11 LEA EAX, DWORD PTR DS:[EBX-1] ; name length - 1
00408D14 TEST EAX, EAX
00408D16 JLE SHORT WinPatro.00408D33
00408D18 JMP SHORT WinPatro.00408D20
00408D1A LEA EBX, DWORD PTR DS:[EBX]
00408D20 CMP BYTE PTR DS:[EAX+4276E0], 20 ; is the last character of the name a space?
00408D27 JNZ SHORT WinPatro.00408D30
00408D29 DEC EAX
00408D2A TEST EAX, EAX
00408D2C JG SHORT WinPatro.00408D20
00408D2E JMP SHORT WinPatro.00408D33
00408D30 LEA EBX, DWORD PTR DS:[EAX+1] ; restore the name length
00408D33 MOVSX EAX, BYTE PTR DS:[427721] ; get the second character of the registration code
00408D3A ADD BL, 40 ; name length + 0x40 = second character of the registration code
00408D3D MOVZX EDX, BL
00408D40 CMP EAX, EDX ; compare
00408D42 JE SHORT WinPatro.00408D9B ; equal: jump
00408D44 PUSH 200
00408D49 LEA ECX, DWORD PTR SS:[ESP+D0]
00408D50 PUSH ECX
00408D51 PUSH 26C
00408D56 CALL WinPatro.0041A290 ; load the registration-failure message
00408D5B XOR EDX, EDX
00408D5D MOV DX, WORD PTR DS:[42C100]
00408D64 ADD ESP, 0C
00408D67 LEA EAX, DWORD PTR SS:[ESP+CC]
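The trailing-space loop and the single-byte comparison from the listing above, rendered in C as an added example (not code from the original article or from WinPatrol). The function names, the constant names and the zeroed code buffer are assumptions made for illustration; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_COUNT 0x40  /* Count pushed at 00408CF1 */
#define CODE_COUNT 0x20  /* Count pushed at 00408D00 */

/* 00408D11-00408D30: step back over trailing spaces. The loop ends at
   index 1 (JG), so index 0 is never tested and an all-space name keeps
   its full length. */
static int effective_name_len(const char *name)
{
    size_t n = strlen(name);
    if (n > NAME_COUNT - 1)
        n = NAME_COUNT - 1;              /* GetDlgItemTextA truncates */
    int ebx = (int)n;
    for (int eax = ebx - 1; eax > 0; eax--)
        if (name[eax] != ' ')
            return eax + 1;              /* 00408D30: LEA EBX,[EAX+1] */
    return ebx;                          /* EBX left unchanged */
}

/* 00408D33-00408D42: the single comparison of this stage. */
static int stage1_matches(const char *name, const char *code)
{
    char buf[CODE_COUNT] = {0};          /* assumption: zeroed stand-in for 00427720 */
    strncpy(buf, code, CODE_COUNT - 1);
    int eax = (signed char)buf[1];       /* MOVSX: sign-extended byte */
    int edx = (unsigned char)(effective_name_len(name) + 0x40); /* ADD BL,40 / MOVZX */
    return eax == edx;
}

int main(void)
{
    /* Constructed inputs: the same code byte against different names. */
    const char *names[] = { "alice", "ZZZZZ", "bob  ", "     " };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("[%s] len=%d match=%d\n", names[i],
               effective_name_len(names[i]), stage1_matches(names[i], "xE"));
    return 0;
}
```

Every name with the same trimmed length matches the same byte, so this comparison ties the registration code to the length of the name and not to its content.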
Registration failure message:
00408D6E PUSH EDX ; /LanguageID
00408D6F PUSH 40040 ; |Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL|40000
00408D74 PUSH WinPatro.00427DC0