OllyDbg usage notes (12)
References:
Book: "Encryption and Decryption"
Video: Little Turtle decryption video series
Demo sample program: http://pan.baidu.com/s/1eQiV6aI
After installing and opening the program, the registration interface can be found under About. A good place to start is the input API.
Right-click, choose "Find all intermodular calls", and search for GetWindowTextA (you can search simply by typing the letters). Select a found call, right-click, and choose "Set breakpoint on every call to GetWindowTextA". OD now shows three breakpoints set. (Alternatively, press Ctrl+N to open the import/export table, search for GetWindowTextA there, and set the breakpoints.)
Press F9 to run the program. Before the program has even reached the actual interface, the first two breakpoints are hit, and hit many times.
Since these two have nothing to do with the input on the About interface, cancel both breakpoints and run the program again. In the About registration dialog enter a name and key and click OK; the program now breaks at the third breakpoint.
Press F8 to step through the program until it reaches the following code:
00417457 . 8BCE          mov ecx, esi
00417459 . C64424        mov byte ptr [esp+30], 1
0041745E . E8 2D020000   call 00417690
00417463 . 84C0          test al, al
00417465 . 7C            jnz short 004174E3
00417467 .               push ecx
00417468 . 8D5424        lea edx, dword ptr [esp+14]
0041746C . 8BCC          mov ecx, esp
0041746E . 896424        mov dword ptr [esp+20], esp
00417472 .               push edx
00417473 . E8 9D6A0400   call 0045DF15
00417478 .               push ecx
00417479 . 8D4424 1C     lea eax, dword ptr [esp+1C]
0041747D . 8BCC          mov ecx, esp
0041747F . 896424        mov dword ptr [esp+20], esp
00417483 .               push eax
00417484 . C64424        mov byte ptr [esp+34], 3
00417489 . E8 876A0400   call 0045DF15
0041748E . 8BCE          mov ecx, esi
00417490 . C64424        mov byte ptr [esp+30], 1
00417495 . E8 F6010000   call 00417690
0041749A . 84C0          test al, al
0041749C .               jnz short 004174E3
0041749E . 6A            push 0
004174A0 . 04544800      push 00485404                  ; ASCII "XOFTspy"
004174A5 . C4684800      push 004868C4                  ; ASCII "Invalid code."
004174AA . 8BCE          mov ecx, esi
004174AC . E8 664F0400   call 0045C417
004174B1 . 48FA4800      push 0048FA48
004174B6 . 8BCD          mov ecx, ebp
004174B8 . E8 206E0400   call 0045E2DD
004174BD . 48FA4800      push 0048FA48
004174C2 . 8BCF          mov ecx, edi
004174C4 . E8 146E0400   call 0045E2DD
004174C9 . 48FA4800      push 0048FA48
004174CE . 8BCB          mov ecx, ebx
004174D0 . E8 086E0400   call 0045E2DD
004174D5 . 6A            push 0
004174D7 . 8BCE          mov ecx, esi
004174D9 . E8 03590400   call 0045CDE1
004174DE . E9 9D000000   jmp 00417580
004174E3 > 57            push edi
004174E4 .               push ebp
004174E5 . E8 769D0100   call 00431260
004174EA . 83C4          add esp, 8
004174ED . 8BCE          mov ecx, esi
004174EF . 6A            push 0
004174F1 . 04544800      push 00485404                  ; ASCII "XOFTspy"
004174F6 . 98684800      push 00486898                  ; ASCII "congratulations! Successfully registered "
004174FB . E8 174F0400   call 0045C417
The jnz short 004174E3 is clearly the critical instruction: whether it jumps decides whether the dialog shown afterwards says "Invalid code." or "congratulations! Successfully registered ". But if we simply change it to jmp short 004174E3, a success dialog pops up while the program is in fact still not registered. So let us look at the call 00417690 just before it.
Run the program again and step into 00417690. Looking through this function, we find that it returns in two places: before the first return it sets al to 1, and before the second it sets al to 0. Pressing F8 to step through, we can change the flag register or the instruction so that 00417690 returns at the first retn. Doing so still only produces the success dialog; the program is in fact still not registered.
We can try another approach.
Start from the key string.
Going back to the string "This XOFTspy license have not been registered" shown on the About interface, search for that second string and see where its code is.
0040147D .               push eax
0040147E .               push ecx
0040147F . C64424 3C     mov byte ptr [esp+3C], 3
00401484 . E8 17FF0200   call 004313A0
00401489 . 8B8E C0000000 mov ecx, dword ptr [esi+C0]
0040148F . 83C4          add esp, 8
00401492 . E8 093C0300   call 004350A0
00401497 . 84C0          test al, al
00401499 .               je short 004014AD
0040149B . C4514800      push 004851C4                  ; ASCII "This license of XOFTspy have been registered"
004014A0 . 8D4C24        lea ecx, dword ptr [esp+8]
004014A4 . E8 34CE0500   call 0045E2DD
004014A9 . 6A            push 0
004014AB . EB            jmp short 004014BD
004014AD > 94514800      push 00485194                  ; ASCII "This XOFTspy license have not been registered"
004014B2 . 8D4C24        lea ecx, dword ptr [esp+8]
Set a breakpoint at 0040147D and run the program again. When the About button on the main interface is pressed, execution breaks at 0040147D. Try changing the je short 004014AD directly to NOP; the program then reports itself as registered.