Program:
Running the program shows the nag window that needs to be removed.
Click "OK"
Take a look at it in PEiD.
This is a program written in assembly language.
Reverse:
Load the program in OD (OllyDbg).
Note the caption and text of the nag window.
Right-click and choose Search for > All referenced text strings.
Only these two strings are found.
Set breakpoints on them and run the program.
The nag window still pops up.
Click "OK"
Then the program closes without ever stopping at the breakpoints.
This indicates that those string references are just a distraction.
Scroll up.
Some strange characters appear; this is code that OD cannot identify.
Right-click and choose Analysis > Remove analysis from module.
The code now looks normal.
The first call gets the handle of the module.
Step down.
00401011 is stored in EDI.
Press F7 to step into the call statement
This is a loop; after the loop ends, RETN returns.
MOV EAX,reversem.00401000 loads the address reversem.00401000 into EAX.
XOR BYTE PTR DS:[EAX],0x5A XORs the byte at the address in EAX with 0x5A.
Take a look at what's on address 00401000.
Address 00401000 holds a section of code, so the XOR operation modifies its code.
Watch address 00401000 in the hex dump window.
Press F8 to step over; the value at 00401000 changes in the hex dump window.
INC EAX increments EAX once per iteration, i.e. it advances the address within the code section.
The loop does not finish until the address reaches 00401218.
That is, the code from 00401000 to 00401218 is XORed byte by byte with 0x5A.
And this is exactly the code that OD cannot recognize.
So the XOR operation is probably decrypting this code.
Press F8 to continue until RETN returns.
Then press F7 to step into the call command
XOR EAX,EAX zeroes EAX.
0x6A is written to the address in EDI.
The program modifies its own code: the XOR EAX,EAX becomes PUSH 0x0.
Continue stepping down.
The value of EDI at this point is 00401024.
0x44EB overwrites 00401024 and 00401025, so the code from 00401011 to 00401025 has been changed.
After the SUB instruction executes, the value becomes 00401000.
Right-click and choose Analysis > Analyse code.
There is another MessageBox call, but its contents are garbled.
Press F7 to step into that CALL EDI instruction.
This is a loop.
This is decryption code just like the earlier one; it decrypts from 00403000 to 00401005.
When the decryption loop finishes, the garbled bytes become a readable string.
Step down to the call to the MessageBox function.
The nag window pops up.
Step down; next is the JMP instruction.
It jumps to this location.
ADD EDI,0x11 adds 0x11 to EDI.
MOV WORD PTR DS:[EDI],0xA6A overwrites the word at the address in EDI.
Then step down.
0x2CEB overwrites 00401026 and 00401027, so the code from 00401011 to 00401027 has been changed.
Step into the CALL.
Step down to the next call.
A NAG window appears
After closing the nag window, the program proceeds to the next statement.
Then step down.
It jumps directly to the call instruction.
Press F7 to step into it.
This may be another decryption routine.
It starts from 00403000, which is in the data section.
These are the strings of the nag window.
Execute this routine.
The data becomes garbled, so this appears to be a re-encryption routine.
Then step down and out of the call.
Step into the call command
It calls ExitProcess to end the process.
After this routine, the program exits.
Crack: Method One:
Modify the value of hOwner so that an invalid owner handle is passed.
After running the call, the nag window does not pop up.
Reload the program to see where it modifies 0040101D and 0040101E.
Step into the call command
EDI starts at 00401011.
Step down and find where 0040101D and 0040101E are modified.
Here, at 0040101D, MOV WORD PTR DS:[EDI],0x6A does the modification; the 0x6A here is stored as the bytes 6A 00.
We want to change 6A 00 to 6A 01.
This cannot be patched directly, because this code is XORed with 0x5A at runtime, so the byte stored in the file must be 01 XORed with 0x5A.
If 0x5A XOR Z gives 1, then 0x5A XOR 1 gives Z.
5A XOR 1 = 5B
The 00 byte to modify is at address 00401039.
Find it in the hex dump.
Change it to 5B.
Click "OK"
The code has also been modified.
Save the program and run it.
The program now pops up only this window.
Method Two:
Change a statement before the MessageBox call into a JMP that skips directly over the MessageBox call to where execution originally needed to jump.
Execute it.
It jumps directly there, and no nag window pops up.
The machine code is EB 57, at addresses 00401011 and 00401012.
Reload the program to find where these two addresses are modified.
The 6A 00 needs to be modified here, at addresses 00401016 and 00401017 respectively.
EB XOR 5A = B1, 57 XOR 5A = 0D
When you are finished modifying the
Save the program and run it.
The program errors.
We have to modify it in memory instead.
Double-click to modify.
Change them to B1 and 0D respectively.
Next, save the program.
Select the modified bytes, right-click, Copy to executable.
Right-click, Save file.
Run the program.
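The reason both methods above need the XOR step is that the patched bytes live inside the region the program decrypts at startup, so a patch written in plaintext is corrupted by the decryption loop. The following added example (not code from the walkthrough or the crackme) models that loop over a constructed buffer and shows the encoded patch bytes the two methods use; the plaintext layout and the PUSH0_ADDR offset are constructed, while KEY, BASE and REGION_END are the values the walkthrough reports.

```python
# Added example: models the XOR-0x5A self-decryption loop seen in OD and
# shows why bytes patched into the encrypted region must be XORed first.
KEY = 0x5A
BASE = 0x401000        # start of the encrypted code region (from the walkthrough)
REGION_END = 0x401218  # the loop stops when EAX reaches this address (from the walkthrough)

# Constructed plaintext: NOP filler with a PUSH 0 (6A 00) at a constructed offset.
PUSH0_ADDR = 0x401010  # constructed for illustration, not an address from the page
PLAIN = bytearray(b"\x90" * (REGION_END - BASE))
PLAIN[PUSH0_ADDR - BASE:PUSH0_ADDR - BASE + 2] = b"\x6a\x00"


def xor_region(buf: bytes, start: int, end: int, key: int = KEY, base: int = BASE) -> bytes:
    """Model of the loop: XOR BYTE PTR [EAX],key / INC EAX until EAX == end."""
    out = bytearray(buf)
    for addr in range(start, end):
        out[addr - base] ^= key
    return bytes(out)


def encode_patch(plain_bytes: bytes, key: int = KEY) -> bytes:
    """Bytes to store on disk so the decryption loop yields plain_bytes (XOR is an involution)."""
    return bytes(b ^ key for b in plain_bytes)


def apply_patch(image: bytes, addr: int, data: bytes, base: int = BASE) -> bytes:
    out = bytearray(image)
    out[addr - base:addr - base + len(data)] = data
    return bytes(out)


def on_disk_image() -> bytes:
    """The file as shipped: the region is stored XORed with the key."""
    return xor_region(bytes(PLAIN), BASE, REGION_END)


def decrypted_after_patch(addr: int, data: bytes, encode: bool) -> bytes:
    """Patch the on-disk image, run the decryption loop, return the runtime bytes at addr."""
    stored = encode_patch(data) if encode else data
    patched = apply_patch(on_disk_image(), addr, stored)
    runtime = xor_region(patched, BASE, REGION_END)
    return runtime[addr - BASE:addr - BASE + len(data)]


if __name__ == "__main__":
    # Writing 6A 01 straight into the file decrypts to 30 5B; the encoded form decrypts to 6A 01.
    print(decrypted_after_patch(PUSH0_ADDR, b"\x6a\x01", encode=False).hex())
    print(decrypted_after_patch(PUSH0_ADDR, b"\x6a\x01", encode=True).hex())
```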
OD Experiment (19): Reversing polymorphic and self-modifying programs