OllyDbg usage notes (8)

Source: Internet
Author: User



Reference

Book: "Encryption and Decryption"

Video: the Small Turtle decryption video series


Sample program download: Http://pan.baidu.com/s/1jG5NKBs



Analysis

The unregistered version of this program restricts some features.


Enter an email address and a key in the registration dialog.


A window reporting that registration failed pops up. The text of that message is the entry point: in OllyDbg, search for all referenced text strings.

Figure 1




Brute-force cracking


Look at the code around the string that is shown when registration fails:

004299AB  .                push edi
004299AC  .                push eax
004299AD  .  E8 9AD7FDFF   call 0040714C
004299B2  .                pop ecx
004299B3  .  33DB          xor ebx, ebx
004299B5  .  84C0          test al, al
004299B7  .                pop ecx
004299B8  .                push ebx
004299B9  .                jnz short 004299F1
004299BB  .  6A 30         push 30
004299BD  .  70134C00      push 004C1370                ; ASCII "You are entered an invalid email address or license number. Please try again."
004299C2  .  E8 74270800   call 004AC13B
004299C7  .  8D8E 20010000 lea ecx, dword ptr [esi+120]
004299CD  .  E8 567CFDFF   call 00401628
004299D2  .  8BCF          mov ecx, edi
004299D4  .  E8 4F7CFDFF   call 00401628
004299D9  .                push ebx
004299DA  .  8BCE          mov ecx, esi
004299DC  .  E8 D5A60700   call 004A40B6
004299E1  .  8D8E 7C010000 lea ecx, dword ptr [esi+17C]
004299E7  .  E8 83D00700   call 004A6A6F
004299EC  .  E9 29010000   jmp 00429B1A
004299F1  >  6A 40         push 40
004299F3  .  50134C00      push 004C1350                ; ASCII "Thank for registering!"
004299F8  .  E8 3E270800   call 004AC13B
004299FD  .  6A 01         push 1
004299FF  .  8BCE          mov ecx, esi
00429A01  .  E8 2F8E0700   call 004A2835
00429A06  .  E8 C1E9FDFF   call 004083CC

The jnz short 004299F1 is clearly the key branch. But if you only change jnz short 004299F1 into jmp short 004299F1, clicking Register shows the "Thank for registering!" window while the program is in fact still unregistered.

Look at the code before the jnz: the branch depends on test al, al, and AL is set by the preceding call 0040714C. That call is the key one. Set a breakpoint on it, rerun, and step into it with F7.


Inside call 0040714C the following code appears:

0040714C  $                push ebp
0040714D  .  8BEC          mov ebp, esp
0040714F  .  FF75 0C       push dword ptr [ebp+C]
00407152  .  FF75          push dword ptr [ebp+8]
00407155  .  E8 77FEFFFF   call 00406FD1
0040715A  .  84C0          test al, al
0040715C  .                pop ecx
0040715D  .                pop ecx
0040715E  .  A2 A0765000   mov byte ptr [5076A0], al
00407163  .  1B            jnz short 00407180
00407165  .  FF75 0C       push dword ptr [ebp+C]
00407168  .  FF75          push dword ptr [ebp+8]
0040716B  .  E8 ADFEFFFF   call 0040701D
00407170  .  84C0          test al, al
00407172  .                pop ecx
00407173  .                pop ecx
00407174  .  A2 A0765000   mov byte ptr [5076A0], al
00407179  .  A2 A2765000   mov byte ptr [5076A2], al
0040717E  .  0D            je short 0040718D
00407180  >  FF75 0C       push dword ptr [ebp+C]
00407183  .  FF75          push dword ptr [ebp+8]
00407186  .  E8 45F8FFFF   call 004069D0
0040718B  .                pop ecx
0040718C  .                pop ecx
0040718D  >  5D            pop ebp
0040718E  ^  E9 D6FEFFFF   jmp 00407069
00407193  /$                push esi
00407194  |. FF7424        push dword ptr [esp+8]
00407198  |. 8BF1          mov esi, ecx
0040719A  |. 8366          and dword ptr [esi+4], 0


Two calls stand out here: call 00406FD1 and call 0040701D. The code before and after each of them is similar. Watching the EAX register while stepping with F8 shows that the second call is executed only when AL == 0 after the first call; when AL != 0 the second call is skipped. So the second call is presumably just an extra validation that acts as a fallback.

Set a breakpoint on the first call, rerun, and step into it.
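To make the difference between the two patch points in the listings above concrete, here is a C model of the call structure (the caller's jnz, the wrapper at 0040714C and the validators it calls), added here as an illustration; it is not the program's source, and the names, the stand-in key check and the role of the bytes at [5076A0]/[5076A2] as a registration flag are assumptions drawn from the disassembly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed globals standing in for the bytes that 0040714C writes:
 * mov byte ptr [5076A0], al and mov byte ptr [5076A2], al. */
static uint8_t g_registered  = 0;  /* [5076A0] */
static uint8_t g_registered2 = 0;  /* [5076A2] */

/* Constructed stand-ins for the two validators (00406FD1 and 0040701D).
 * The real key scheme is not known; this one accepts a single constructed pair. */
static bool primary_check(const char *email, const char *key)   /* models 00406FD1 */
{
    return strcmp(email, "user@example.com") == 0 &&
           strcmp(key, "CONSTRUCTED-KEY") == 0;
}
static bool secondary_check(const char *email, const char *key) /* models 0040701D */
{
    (void)email; (void)key;
    return false;  /* assumed fallback validator; rejects in this model */
}

/* Model of 0040714C: the validator's result is recorded in the global
 * before the caller sees it, so the caller's jnz only picks the message. */
static uint8_t validate_and_record(const char *email, const char *key)
{
    uint8_t al = primary_check(email, key);
    g_registered = al;                     /* mov byte ptr [5076A0], al */
    if (al == 0) {                         /* jnz short 00407180 not taken */
        al = secondary_check(email, key);
        g_registered  = al;                /* mov byte ptr [5076A0], al */
        g_registered2 = al;                /* mov byte ptr [5076A2], al */
    }
    return al;                             /* returned in AL */
}

/* Model of the caller at 004299AD..004299F3: 1 means the
 * "Thank for registering!" box is shown, 0 the invalid-key box. */
static int register_clicked(const char *email, const char *key)
{
    return validate_and_record(email, key) != 0 ? 1 : 0;
}

/* What the restricted features consult: the recorded flag, not the message. */
static bool feature_unlocked(void)
{
    return g_registered != 0;
}
```

Forcing the caller's branch changes only what register_clicked reports, while feature_unlocked still reads the flag that validate_and_record wrote; that is why the message box alone proves nothing.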



Inside call 00406FD1:

00406FD1  /$ B8 AB374B00   mov eax, 004B37AB
00406FD6  |. E8 EDF00700   call 004860C8
00406FDB  |. 51            push ecx
00406FDC  |.               push ebx
00406FDD  |. FF35 A4415000 push dword ptr [5041A4]       ; mrbills.004BA704
00406FE3  |. 8D4D F0       lea ecx, dword ptr [ebp-10]
00406FE6  |. E8 84B1FFFF   call 0040216F
00406FEB  |. FF75 0C       push dword ptr [ebp+C]
00406FEE  |. 8365 FC 00    and dword ptr [ebp-4], 0
00406FF2  |. FF75          push dword ptr [ebp+8]
00406FF5  |. 8D45 F0       lea eax, dword ptr [ebp-10]
00406FF8  |.               push eax
00406FF9  |. E8 4DFFFFFF   call 00406F4B
00406FFE  |. 8B4D F0       mov ecx, dword ptr [ebp-10]
00407001  |. 83C4 0C       add esp, 0C
00407004  |. 83C1 F0       add ecx, -10
00407007  |. 8AD8          mov bl, al
00407009  |. E8 3AA1FFFF   call 00401148
0040700E  |. 8B4D F4       mov ecx, dword ptr [ebp-C]
00407011     8AC3          mov al, bl
00407013  |. 5B            pop ebx
00407014  |. 64:890D 00000>mov dword ptr fs:[0], ecx
0040701B  |. C9            leave
0040701C  \. C3            retn

Stepping with F8 while watching AL shows that call 00406F4B is the key one: AL becomes 0 after it returns.

The following code is also significant:

00407007  |.  8AD8          mov     bl, al
00407009  |.  E8 3AA1FFFF   call    00401148
0040700E  |.  8B4D F4       mov     ecx, dword ptr [ebp-C]
00407011      8AC3          mov     al, bl

AL is saved in BL before call 00401148 and restored afterwards, which shows that the result in AL is needed later.

Changing mov al, bl to mov al, 1 cracks the check.

