OllyDbg usage notes (14)

Source: Internet
Author: User



References

Book: "Encryption and Decryption"

Video: Small Turtle's decryption video series


Example program: http://pan.baidu.com/s/1hqqYZ6c


The program shows a NAG window before its main window appears and another NAG window after the main window is closed. The goal of the crack is to remove both NAG windows.


Load the program in OllyDbg (OD), press F9 to run it, and when the first NAG window appears, pause the debugger (F12). Then open the call stack window (Alt+K).

Picture 1



Look through these calls to find the one that created the NAG window. The program is written in Visual C++ 6.0 using MFC, so the call that shows a dialog (MFC's CDialog::DoModal) is the critical one.

Picture 2



Right-click that entry and choose "Show call" (the "Called from" address) to see the following code:

Picture 3



Set a breakpoint at 0042039A and run the program again. It turns out that the NAG window before the program starts, the main program window, and the NAG window after the program ends are all produced by the same instruction at 0042039A:

CALL <JMP.&MFC42.#2514_CDialog::DoModal>

So the patch must make the program skip this CALL on the first and third pass, and execute it on the second pass. Looking closely at the code around it, the JE SHORT 004203BA just before it is the key: when taken, it bypasses the CALL to CDialog::DoModal. We can replace it with code that increments a counter variable; when the counter is 1 or 3 we skip the CALL, and when it is 2 we let the CALL to CDialog::DoModal run.


We do this with an inline patch: find a blank area at the end of the program's code section to hold the new code; here 00437D70 is used. The blank area must lie inside the code section's raw data in the file (not only in its virtual-size padding in memory), otherwise OllyDbg cannot save the new bytes back to the executable.

First change the JE SHORT 004203BA into JMP 00437D70. The original instruction is only 2 bytes but the new one takes 5, so the following LEA ECX, DWORD PTR [ESP+4C] is overwritten and has to be repeated at the start of the patch code (the leftover byte of the old LEA is never executed, because the new JMP is unconditional). Typing the code at 00437D70 one instruction at a time in OllyDbg's assembler is tedious, so use the NonaWrite plugin (http://tools.pediy.com/Debuggers/ollydbg/ollydbg1/Plugin/nonawrite/nonawrite1.2.rar; after downloading, unzip it directly into the plugin folder of the OllyDbg directory). Open the plugin and type:

0x00437D70:
lea ecx, dword ptr [esp+4c]
inc byte ptr [445EE0]
cmp byte ptr [445EE0], 2
je 0042037F
jmp 004203BA

The JE 0042037F returns to the instruction right after the overwritten LEA, so the CALL to CDialog::DoModal at 0042039A runs only on the second pass; on every other pass the JMP 004203BA skips it exactly as the original JE did. Note that the original JE's own condition is no longer evaluated; the decision now depends only on the counter.


Picture 4



Click Assemble and then Done (do not forget Done, or the code is not written). Then save the modifications to the executable (right-click in the disassembly window, Copy to executable > All modifications, then right-click in the new window and choose Save file). The crack is complete. In the patch code, the byte at [445EE0] serves as the counter variable (the i of a loop). The address 445EE0 was picked arbitrarily: any blank location in the program's data section that the program never uses will do, and because this VC6 executable is not relocated, the absolute addresses in the patch are safe. Press Alt+M to open the Memory map and double-click the data section; you can see a large empty area behind the program's data. The counter must start at zero, which is the case for the unused tail of the data section since the loader zero-fills it. If you are not sure whether the program uses the chosen spot at runtime, set a hardware breakpoint on write at that address and run the program to see whether it ever triggers.
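The same inline patch can be applied to the executable's file image with a script instead of OllyDbg and NonaWrite, which also makes the displacement arithmetic and the file-backed check explicit. This is an added example, not code from the original notes. The cave address 00437D70, the skip target 004203BA, the resume address 0042037F and the counter byte 445EE0 are the values the notes use; the address of the original JE SHORT 004203BA is not given in the notes, so JE_SITE below is an assumption (the resume address is the instruction after the overwritten 4-byte LEA, so the 2-byte JE is assumed to sit 6 bytes earlier). The PE image the demo runs on is a constructed stand-in, not the real program.

```python
"""Apply the NAG-counter inline patch to a PE32 file image (added example)."""
import struct
import sys

JE_SITE = 0x00420379   # ASSUMPTION: address of the original `JE SHORT 004203BA`
CAVE    = 0x00437D70   # blank area at the end of the code section (from the notes)
SKIP    = 0x004203BA   # original JE target: bypasses CDialog::DoModal
RESUME  = 0x0042037F   # instruction after the overwritten LEA: DoModal runs
COUNTER = 0x00445EE0   # unused byte in the data section used as the counter

LEA_ECX_ESP_4C = b"\x8d\x4c\x24\x4c"   # lea ecx, dword ptr [esp+4c]


def jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32: displacement is relative to the end of the 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def je_rel32(src: int, dst: int) -> bytes:
    """0F 84 rel32: near conditional jump, 6 bytes long."""
    return b"\x0f\x84" + struct.pack("<i", dst - (src + 6))


def build_cave(cave: int) -> bytes:
    """Machine code for the cave the notes type into NonaWrite at 00437D70."""
    code = bytearray(LEA_ECX_ESP_4C)                              # redo the overwritten LEA
    code += b"\xfe\x05" + struct.pack("<I", COUNTER)              # inc byte ptr [COUNTER]
    code += b"\x80\x3d" + struct.pack("<I", COUNTER) + b"\x02"    # cmp byte ptr [COUNTER], 2
    code += je_rel32(cave + len(code), RESUME)                    # counter == 2: run DoModal
    code += jmp_rel32(cave + len(code), SKIP)                     # counter 1 or 3: skip NAG
    return bytes(code)


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to a file offset through the PE32 section table.
    Raises ValueError for bytes that exist only in memory (virtual-size padding):
    a patch written there cannot be saved back to the file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    rva = va - struct.unpack_from("<I", pe, opt + 28)[0]          # ImageBase
    for i in range(nsec):
        _, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        if vaddr <= rva < vaddr + rsize:
            return rptr + (rva - vaddr)
        if vaddr <= rva < vaddr + vsize:
            raise ValueError(f"{va:#x} is not file-backed (zero-filled by the loader)")
    raise ValueError(f"{va:#x} lies outside every section")


def is_file_backed(pe: bytes, va: int) -> bool:
    try:
        va_to_file_offset(pe, va)
        return True
    except ValueError:
        return False


def apply_patch(pe: bytes) -> bytes:
    """Return a copy of the image with the JMP-to-cave and the cave body written in."""
    out = bytearray(pe)
    site = va_to_file_offset(pe, JE_SITE)
    rel8 = struct.unpack_from("<b", out, site + 1)[0]
    # Refuse to patch unless the site really holds `JE SHORT SKIP` followed by the LEA.
    if out[site] != 0x74 or JE_SITE + 2 + rel8 != SKIP or out[site + 2:site + 6] != LEA_ECX_ESP_4C:
        raise ValueError("bytes at JE_SITE do not match JE SHORT 004203BA / LEA ECX,[ESP+4C]")
    cave = va_to_file_offset(pe, CAVE)
    body = build_cave(CAVE)
    if any(out[cave:cave + len(body)]):
        raise ValueError("cave is not blank")
    out[site:site + 5] = jmp_rel32(JE_SITE, CAVE)   # the 6th byte (LEA tail) is left, never executed
    out[cave:cave + len(body)] = body
    return bytes(out)


def build_fake_image() -> bytes:
    """Constructed stand-in for the target (NOT the real binary): an MZ/PE32 shell whose
    section table mimics a VC6 layout, zeroed bodies, and only the original JE SHORT + LEA
    planted at JE_SITE so that apply_patch's sanity check passes."""
    pe = bytearray(0x39400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                                   # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x84, 0x14C, 2, 0, 0, 0, 224, 0x10F)    # COFF header
    struct.pack_into("<H", pe, 0x98, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", pe, 0x98 + 28, 0x00400000)                        # ImageBase
    sec = 0x98 + 224
    struct.pack_into("<8sIIII", pe, sec, b".text", 0x37000, 0x1000, 0x37000, 0x400)
    struct.pack_into("<8sIIII", pe, sec + 40, b".data", 0x10000, 0x38000, 0x2000, 0x37400)
    site = va_to_file_offset(pe, JE_SITE)
    pe[site:site + 6] = b"\x74" + struct.pack("<b", SKIP - (JE_SITE + 2)) + LEA_ECX_ESP_4C
    return bytes(pe)


if __name__ == "__main__":
    if len(sys.argv) == 3:                                   # usage: patch.py in.exe out.exe
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(apply_patch(data))
    else:                                                    # demo on the constructed image
        img = build_fake_image()
        patched = apply_patch(img)
        print("counter byte is file-backed:", is_file_backed(img, COUNTER))
        print("cave bytes:", patched[va_to_file_offset(img, CAVE):][:28].hex())
```

In the constructed image the counter at 445EE0 falls in the zero-filled tail of .data, which is exactly why it starts at 0 and needs no bytes in the file, while the cave and the JMP site must both map to real file offsets or the script refuses. Running it against the real program requires JE_SITE to be confirmed in OllyDbg first; the sanity check in apply_patch will reject a wrong guess.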