ollydbg using notes (10)

Source: Internet
Author: User
Reference

Book: "Encryption and decryption"

Video: Small Turtle decryption Series video


Example program: http://pan.baidu.com/s/1kT1ce83



When the program starts, its title bar reads "(unregistered)". In OllyDbg, open the list of all referenced text strings and search for "unregistered".


This leads to the following code:

    004046DD       nop
    004046DE       nop
    004046DF       nop
    004046E0  /$   8A4424         mov al, byte ptr [esp+4]
    004046E4  |.   84C0           test al, al
    004046E6  |.                  je short 004046FA
    004046E8  |.   A1 440A4300    mov eax, dword ptr [430A44]
    004046ED  |.   F09C4200       push 00429CF0                         ; /Text = "Flash Jigsaw Producer"
    004046F2  |.                  push eax                              ; |hWnd = NULL
    004046F3  |.   FF15 5C924200  call dword ptr [<&USER32.SetWindowTextA>] ; \SetWindowTextA
    004046F9  |.   C3             retn
    004046FA  |>   8B0D 440A4300  mov ecx, dword ptr [430A44]
    00404700  |.   C89C4200       push 00429CC8                         ; /Text = "Flash Jigsaw Producer (unregistered)"
    00404705  |.                  push ecx                              ; |hWnd = NULL
    00404706  |.   FF15 5C924200  call dword ptr [<&USER32.SetWindowTextA>] ; \SetWindowTextA
    0040470C  \.   C3             retn
    0040470D       nop
    0040470E       nop


The code from 004046E0 to 0040470C is one function.

The JE jump is the key point. A first attempt is to stop the JE from jumping; however, that only removes "(unregistered)" from the title bar, and the disabled functions are still unavailable.

Rather than changing the JE directly, note that whether it jumps depends on test al,al, and AL is the parameter passed into this function. We therefore need to find where the function is called and see where AL is set.


Set a breakpoint at 004046E0, reload the program, and press F9 to run to the breakpoint.

OllyDbg's information pane shows the address of the instruction that called the function.

Picture 1



Right-click that address to jump to the call.

Alternatively, select 004046E0, then right-click -> Find references to -> Selected command; this lists the addresses that call the function.

Picture 2



There are two places that call this function; set a breakpoint on both. Reload the program and press F9 to run to the first of the two calls.

    004047AB  |.   60034300       push 00430360        ; /IniFileName = "C:\Users\vbox32\AppData\Local\YavSoft\fjproducer\startup.ini"
    004047B0  |.   6A             push 28              ; |BufSize = 28 (40.)
    004047B2  |.   34034300       push 00430334        ; |ReturnBuffer = Fjproduc.00430334
    004047B7  |.   089D4200       push 00429D08        ; |Default = "<-no pass->"
    004047BC  |.                  push ecx             ; |Key = "Password"
    004047BD  |.   149D4200       push 00429D14        ; |Section = "Registration"
    004047C2  |.   FF15 68904200  call dword ptr [<&KERNEL32.GetPrivateProfileStringA>] ; \GetPrivateProfileStringA
    004047C8  |.   34034300       push 00430334        ; ASCII "<no pass>"
    004047CD  |.   E8 6EFEFFFF    call 00404640
    004047D2  |.                  push eax
    004047D3  |.   E8 08FFFFFF    call 004046E0
    004047D8  |.   83C4           add esp, 8
    004047DB  |.   5E             pop esi
    004047DC  |.   83C4           add esp, 28
    004047DF  \.   C3             retn


The value of AL passed to 004046E0 is the return value (EAX) of the call 00404640 just above it. Set a breakpoint on that call and step into the function; it turns out to be the routine that checks whether the key is correct.

    00404640  /$   83EC 2C        sub esp, 2C
    00404643  |.                  push esi
    00404644  |.   8B7424         mov esi, dword ptr [esp+34]
    00404648  |.   8BC6           mov eax, esi
    0040464A  |.   8D50           lea edx, dword ptr [eax+1]
    0040464D  |.   8D49           lea ecx, dword ptr [ecx]
    00404650  |>   8A08           /mov cl, byte ptr [eax]
    00404652  |.                  |inc eax
    00404653  |.   84C9           |test cl, cl
    00404655  |.^  F9             \jnz short 00404650
    00404657  |.   2BC2           sub eax, edx
    00404659  |.   83F8           cmp eax, 4
    0040465C  |.                  jnb short 00404665
    0040465E  |>   32C0           xor al, al
    00404660  |.   5E             pop esi
    00404661  |.   83C4 2C        add esp, 2C
    00404664  |.   C3             retn
    00404665  |>   6A             push 3
    00404667  |.   C49C4200       push 00429CC4        ; ASCII "FJR"
    0040466C  |.                  push esi
    0040466D  |.   E8 6EAA0100    call 0041F0E0
    00404672  |.   83C4 0C        add esp, 0C
    00404675  |.   85C0           test eax, eax
    00404677  |.^  E5             jnz short 0040465E


Stepping with F8 shows that XOR AL,AL sets AL to 0. Changing XOR AL,AL to MOV AL,1 makes the previously blocked functions available when the program runs.
