OllyDbg use notes (7) and ollydbg use notes

OllyDbg use notes (7) and ollydbg use notes

OllyDbg usage notes (7)

Reference

Book: encryption and decryption

Video: Little Turtle decryption series video

Sample program download: http://pan.baidu.com/s/1gvwlS

Brute force cracking

Observe this program. Start with <unregistered and <Unregistered Version> in the program title.

Open the program with OD, right click --> Search --> all reference text strings

Image 1

On the displayed page, move the scroll bar to the top of the page (because it is searched from the cursor), right-click to find the text, and search for <unregistered

Image 2

Double-click the text to the code.

005CC81B   .  E8 9C5FEDFF   call    004A27BC005CC820   .  A1 8CEB6000   mov     eax, dword ptr [60EB8C]005CC825   .  8038 00       cmp     byte ptr [eax], 0005CC828   .  0F85 07010000 jnz     005CC935005CC82E   .  A1 DCF16000   mov     eax, dword ptr [60F1DC]005CC833   .  8038 00       cmp     byte ptr [eax], 0005CC836   .  0F85 F9000000 jnz     005CC935005CC83C   .  68 70CB5C00   push    005CCB70                         ;  ASCII "PC Surgeon <unregistered - "005CC841   .  D905 3CCA5C00 fld     dword ptr [5CCA3C]005CC847   .  A1 8CEC6000   mov     eax, dword ptr [60EC8C]005CC84C   .  DC20          fsub    qword ptr [eax]005CC84E   .  83C4 F4       add     esp, -0C005CC851   .  DB3C24        fstp    tbyte ptr [esp]005CC854   .  9B            wait

Check carefully. The previous jump shows that jnz 005CC935 is critical. Run the program again at the breakpoint at the previous jnz 005CC935 and find that the two jnz 005CC935 are not redirected.

Change the first cmp byte ptr [eax], 0 to cmp byte ptr [eax], and 1 to implement the redirection.

Search for <Unregistered Version> In the same way, follow the redirection implementation to crack the program.

Other methods

Let's take a look at this Code:

005CC811   .  E8 12B9E6FF                   call    <jmp.&shell32.ShellExecuteA>     ; \ShellExecuteA005CC816   >  B8 58CB5C00                   mov     eax, 005CCB58                    ;  ASCII "Show: splash"005CC81B   .  E8 9C5FEDFF                   call    004A27BC005CC820   .  A1 8CEB6000                   mov     eax, dword ptr [60EB8C]005CC825   .  8038 00                       cmp     byte ptr [eax], 0005CC828   .  0F85 07010000                 jnz     005CC935005CC82E   .  A1 DCF16000                   mov     eax, dword ptr [60F1DC]005CC833      8038 00                       cmp     byte ptr [eax], 0005CC836      0F85 F9000000                 jnz     005CC935005CC83C   .  68 70CB5C00                   push    005CCB70                         ;  ASCII "PC Surgeon <unregistered - "005CC841   .  D905 3CCA5C00                 fld     dword ptr [5CCA3C]005CC847   .  A1 8CEC6000                   mov     eax, dword ptr [60EC8C]005CC84C   .  DC20                          fsub    qword ptr [eax]005CC84E   .  83C4 F4                       add     esp, -0C005CC851   .  DB3C24                        fstp    tbyte ptr [esp]005CC854   .  9B                            wait

Here there are two jnz 005CC935. Determine whether [[60EB8C] and [[60F1DC] are 0. From mongodword ptr [5CCA3C], we can find that the number of [5CCA3C] is 15.0, that is, the number of trial days.

After careful analysis, we can find that the first jnz is to judge whether it is normal, and the second is to determine whether it has been used for more than 15 days.

Therefore, the value of [[60EB8C] is critical. Find out where to change the value of [[60EB8C.

Select mov eax, dword ptr [60EB8C], right-click --> Find reference --> address constant to list all the commands that use this address.

Image 3

In this window, right-click --> set a breakpoint on each command. Run the program again.

Image 4

Press F9 to come here:

005C2BF6   .  8B15 8CEB6000                 mov     edx, dword ptr [60EB8C]          ;  pcsurgeo.00610C4A005C2BFC   .  8802                          mov     byte ptr [edx], al005C2BFE   .  A1 8CEB6000                   mov     eax, dword ptr [60EB8C]005C2C03   .  8038 00                       cmp     byte ptr [eax], 0005C2C06   .  75 0D                         jnz     short 005C2C15005C2C08   .  E8 6307EEFF                   call    004A3370005C2C0D   .  A1 8CEC6000                   mov     eax, dword ptr [60EC8C]005C2C12   .  DD18                          fstp    qword ptr [eax]005C2C14   .  9B                            wait

If you see mov byte ptr [edx], al is the place where the [[60EB8C] value is assigned. Change it to mov byte ptr [edx] and 1 to crack it.

(The relocation Prompt window will appear during the saving process. Because mov byte ptr [edx], al is changed to mov byte ptr [edx]. After 1, the code will increase, to be relocated, the system may run normally. You don't need to worry about it here .)

How many courses are there in the first (seventh grade? What courses should I take notes? (Which of the following can I take notes with the same notebook ?)

I am a sophomore. The first-year course is for Chinese, mathematics, English, politics, history, biology, and geography. In the second-year course, we also added physics and chemistry to the third-year course, of course, these three years have seen sound and body beauty.
For junior high school students,
1. Establish an error correction book in mathematics, but the average person cannot stick to it.

2. english must have a notebook in the classroom (remember the grammar, phrases + incorrect things on weekdays). This is a must, because English teachers will not talk about simple grammar phrases during their freshman years, at this time, your junior high school notes will play a role, and the junior high school review will be very well adjusted.

3. classroom notes should be set up in history. Generally, the history teacher will organize the blackboard and every lesson should be organized. In this way, the review should be organized. Therefore, we must build a notebook in the history classroom, we recommend that you buy a big book and sort it out. This is a rare trick for you to take notes in a history class. You must never take notes without listening to them. Therefore, it takes a short time to take notes. We recommend that you find a blank pile of white paper, in each lesson, the instructor's blackboard is quickly written into white paper. After the lesson, you can sort it out slowly. If you are lazy after the lesson, you can combine the notes of other students. Of course, you 'd better organize it yourself.

4. There is no need to create a notebook for politics. The teacher will instruct you to draw one or two key questions in one lesson. There are all the books in the book, and no notebook ------- Of course, if your teacher does not stipulate this.

5. we will take an exam in biology and geography on the second day. After the test, we will not learn biology and geography on the third day. (Of course, you may not, because I am from Shandong, and the policy may be different ), biology and geography do not need class notes, so they can be previewed well. It is not difficult to learn well in class, and the focus is on books.

6. It is important to establish classroom notes in physics and chemistry.

7. You do not need to set up classroom notes for Chinese, but you need to set up a read/write book or book notebook. This is based on the requirements of your Chinese teacher.

In junior high school, you don't have to be too nervous. As long as you carefully preview, listen, practice, and review your work, your score will not be too bad.
To sum up, the English language and history must establish classroom notes, and the mathematics should voluntarily establish an error correction book. When the physics and chemistry arrive at learning, the classroom notebook should be established. The focus of other courses should be carefully recorded in the book.
After reading your questions, you will know that you are very interested in learning. It's good. Continue to cheer up.
I'm tired of typing.

I bought a new notebook and used Master Lu to test hard drive usage for seven hours. The number of times is 31. This is a genuine computer.

This is normal, because the factory needs to go through the boot shutdown detection, installation system and other operations, this is necessary, the goods are shipped to the store, after-sales also need to go through the boot inspection, etc, in short, the genuine computer does not use the boot time to evaluate, mainly depends on the serial number, a computer serial number on the official online verification to know if it is a genuine computer.