Bugging.com.cn
The dreadful College Entrance Examination is finally over. I had not been online for ages, and my skills had regressed by who knows how much, but now I finally have time to relax. The moment I got on QQ, a friend handed me a job: build him a Skype phishing program. Well, I had been too busy to get online at all, so I had not touched anything technical in a long while; strangely enough, the skills had not regressed after all!
It took me over an hour to put something together. Have a look:
[Figure 1: http://www.bkjia.com/uploads/allimg/131120/014K91331-0.png]
Now I have no confidence in my sense of aesthetics at all. I am used to VC and have never gotten used to VS.
One look at it and I lost all confidence to continue. No rush; let me light a Black Lanzhou cigarette first. After the smoke, things really did look different: suddenly I had a brainwave. Ah, how stupid of me. Rebuilding the interface this way will never look right, so let's use Skype's original interface directly and do a PEDIY on it.
PEDIY is what we usually call secondary development: extending an executable when we have neither its source code nor its original interfaces. Broadly, there are two approaches to secondary development:
1. Use assembly code to add the functionality we need directly.
2. Use assembly code to add an interface, then develop the functionality we need in a high-level language.
In the second approach you write the function in a high-level language as an exported function, then call that function directly from the original program. Here we will use the first approach: all we need is a small routine to record the password, so there is no need to go to that much trouble.
Let's open the file in PEiD and check it:
[Figure 2: http://www.bkjia.com/uploads/allimg/131120/014K922S-1.png]
The result says "Borland Delphi 6.0-7.0 [Overlay]", but in my later analysis I found that it was actually written in C++ Builder. Ah, since when did even PEiD learn to lie to me? That's life.
Next, let's load Skype into OD and analyze it. Loading a 20 MB thing into OD on my poor computer nearly froze it ...... %%5555%%!·#¥% ...... -*()_+
After a long wait the load completes. We press F9 to let Skype run inside OD. Once we are at the account/password screen, we use the command-line plug-in to run "BP GetWindowTextA" and see whether it breaks, but nothing happens. Then we try "BP GetWindowTextW", and this time it really does break, as shown in Figure 3:
[Figure 3: http://www.bkjia.com/uploads/allimg/131120/014K94O2-2.png]
It was the ANSI function a moment ago; how did it switch to Unicode? Is the program's author really that BT?
Never mind; analyze first, and BS him at leisure once the analysis is done. Let's enter an account and password and try to log on. The result: the program breaks on every single letter typed. Sweat. Go back to OD, press Alt+B to open the breakpoint list window, delete the breakpoint on GetWindowTextW, and press F9 to run it.
After entering the account and password, we go back to OD and set "BP GetWindowTextW" again. Then we click "Log on", and the program breaks as shown in Figure 4:
[Figure 4: http://www.bkjia.com/uploads/allimg/131120/014K931Z-3.png]
Now OD is in system code; press Alt+F9 to let it return to the program's own code. The code we return to is as follows:
00492503  push eax                           ; |hWnd = handle of the target edit box
00492504  call <jmp.&user32.GetWindowTextW>  ; retrieve the content of the edit box
00492509  mov eax, dword ptr ds:[esi]        ; put the content retrieved from the edit box in eax
We keep stepping with F8. When we hit a retn, the program returns to the code below:
0063E637  call Skype1.004BBBEC            ; get the edit-box content; this is the call we just returned from
0063E63C  mov eax, dword ptr ss:[ebp-8]   ; put the obtained content in eax
Once we have stepped to this point, look at the contents of the eax register, shown in Figure 5:
[Figure 5: http://www.bkjia.com/uploads/allimg/131120/014K9AY-4.png]
We can see that eax holds a pointer to the password we entered (the password I typed was 123456789). OK, in that case all we need is to add a few instructions here to save the data eax points to.
Now we need to confirm that this code really belongs to the button's click handler; if it does not, the data eax points to is not necessarily the password. Press Alt+B again to open the breakpoint list window, delete the breakpoint we just set, then enter the command "BP 0063E63C" so the program breaks on the line 0063E63C mov eax, dword ptr ss:[ebp-8]. Press Ctrl+F2 to reload the program, then F9 to let it run. The result is shown in Figure 6:
[Figure 6: http://www.bkjia.com/uploads/allimg/131120/014K95L8-5.png]
Damn it, the program has self-verification. Looks like we have to keep analyzing. After the dialog box pops up, enter the command "BP MessageBoxW" to set a breakpoint, but nothing responds. Fine, let's go back to "BP MessageBoxA". That breaks successfully, at the place shown in Figure 7:
[Figure 7: http://www.bkjia.com/uploads/allimg/131120/014K914V-6.png]
Now I am speechless at this programmer: ANSI one moment, Unicode the next. Really BT.
Now press Alt+F9 to let OD return to the program's code. After returning, we see this code:
00E17C7F  test al, al                     ; did the self-verification succeed?
00E17C81  jnz short Skype.00E17CA0        ; jump past the error if it passed
00E17C83  push 30                         ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00E17C85  push Skype.00E17F30             ; |Title = "Skype"
00E17C8A  push Skype.00E17F38             ; |Text = "Error: Unfortunately the Skype executable is already upted. Please re-install."
00E17C8F  push 0                          ; |hOwner = NULL
00E17C91  call <jmp.&user32.MessageBoxA>  ; show the dialog box
00E17C96  push 26AD
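The self-verification that the listing above shows (a check whose failure ends in the "executable is corrupted" dialog) is how a program notices that its image has been patched. The following is an added example of such a check; it is not Skype's code and not from the original post. It hashes an in-memory image, compares the result with the digest recorded when the binary was built, and reports the offset of the first altered byte so the failure can be logged usefully. The sample image bytes are constructed, and FNV-1a is used only so the example needs no crypto library; a shipping program would use a cryptographic hash or, better, a code signature such as Authenticode.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit digest over a byte buffer. Non-cryptographic: chosen only
   so the example has no dependencies. A real self-check would use SHA-256
   or verify a code signature instead. */
uint64_t image_digest(const uint8_t *image, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;      /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= image[i];
        h *= 0x100000001b3ULL;               /* FNV prime */
    }
    return h;
}

/* Returns 1 if the image still matches the digest recorded at build time,
   0 if any byte has been changed. */
int verify_image(const uint8_t *image, size_t len, uint64_t expected)
{
    return image_digest(image, len) == expected;
}

/* Find the first byte that differs between the reference image and the
   current one, so an integrity failure can be logged with an offset.
   Returns -1 when the two are identical. */
long first_modified_offset(const uint8_t *reference, const uint8_t *current, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (reference[i] != current[i])
            return (long)i;
    return -1;
}

/* Constructed sample "code section" (NOT real Skype bytes): a few x86
   opcodes standing in for the routine being protected. */
static const uint8_t sample_image[] = {
    0x55, 0x8B, 0xEC,             /* push ebp; mov ebp, esp           */
    0x50,                         /* push eax                         */
    0xE8, 0x00, 0x00, 0x00, 0x00, /* call rel32 (placeholder target)  */
    0x8B, 0x45, 0xF8,             /* mov eax, [ebp-8]                 */
    0x5D, 0xC3                    /* pop ebp; ret                     */
};

/* Simulate a patched copy: a single instruction byte (the call opcode at
   offset 4) has been altered. Returns the offset the checker reports. */
long sample_patch_offset(void)
{
    uint8_t patched[sizeof sample_image];
    memcpy(patched, sample_image, sizeof sample_image);
    patched[4] = 0x90;   /* constructed tamper: opcode replaced with nop */
    return first_modified_offset(sample_image, patched, sizeof patched);
}

/* Returns 1 when the checker accepts the pristine image and rejects the
   patched one, 0 otherwise. */
int demo_tamper_detected(void)
{
    uint64_t build_time_digest = image_digest(sample_image, sizeof sample_image);
    uint8_t patched[sizeof sample_image];
    memcpy(patched, sample_image, sizeof sample_image);
    patched[4] = 0x90;
    int pristine_ok = verify_image(sample_image, sizeof sample_image, build_time_digest);
    int patched_ok  = verify_image(patched, sizeof patched, build_time_digest);
    return pristine_ok && !patched_ok;
}

int main(void)
{
    printf("tamper detected: %s, first modified offset: %ld\n",
           demo_tamper_detected() ? "yes" : "no", sample_patch_offset());
    return 0;
}
```

In a real program the reference digest lives outside the region it covers (or the check is delegated to the OS loader's signature verification), since a digest stored inside the hashed bytes can simply be recomputed along with the patch; the failure path would then log the offset and refuse to continue, which is exactly the "please re-install" behaviour seen above.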