【目标程序】:电子笔记簿V2.52
【修改目的】:为程序添加显示注册码的Messagebox
【修改类型】:Reverse Engineering
第一次做pediy的工作,没有经验,不足之处请各位指教!
为了添加代码和数据,先查看一下Section Table。注意.text块的RO为1000,VS为8794E,所以从1000+8794E=8894E开始有大段的空白区,可以从这里开始添加代码,且不超过1000+88000=89000的位置。同样,在AB000+7000=B2000处可以添加数据。
Section  Virtual Size  Virtual Offset  Raw Size  Raw Offset  Characteristics
.text    0008794E      00001000        00088000  00001000    60000020
.rdata   00021BFC      00089000        00022000  00089000    40000040
.data    0000D9A8      000AB000        00007000  000AB000    C0000040
.rsrc    00000E80      000B9000        00001000  000B2000    40000040
:0041A2F5
51 push
ecx
:0041A2F6 8BCC
mov ecx, esp
:0041A2F8 8965E8
mov dword ptr [ebp-18], esp
:0041A2FB 57
push edi
:0041A2FC
E8BD790400 call 00461CBE
:0041A301
51 push
ecx
:0041A302 C645FC02 mov
[ebp-04], 02
:0041A306 8BCC
mov ecx, esp
:0041A308 8965E4
mov dword ptr [ebp-1C], esp
:0041A30B 53
push
ebx
:0041A30C E8AD790400 call
00461CBE
:0041A311 B9381E4B00 mov
ecx, 004B1E38
:0041A316 C645FC01
mov [ebp-04], 01
:0041A31A E891CB0100
call 00436EB0//关键call,追进去!
:0041A31F 85C0
test eax, eax//成功与否的判断
:0041A321
7519 jne
0041A33C
:0041A323 50
push eax
:0041A324 6A40
push 00000040
:0041A326 680A810000
push 0000810A
:0041A32B E800F2FEFF
call 00409530//失败提示
:0041A330
83C40C add esp,
0000000C
:0041A333 8BCE
mov ecx, esi
:0041A335 E8153B0400
call 0045DE4F
:0041A33A EB70
jmp 0041A3AC
*
Referenced by a (U)nconditional or (C)onditional Jump at Address: ———————————————————————————————————————
|:0041A321(C)
|
:0041A33C
51 push
ecx//程序启动时不经过这里,所以在这儿插入Messagebox的调用,修改如下:
:0041A33D 8BCC
mov ecx, esp
:0041A33F 8965E4
mov dword ptr [ebp-1C],
esp
:0041A342 57
push edi
:0041A343 E876790400
call 00461CBE//成功提示
修改后的代码:
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A321(C)
|
:0041A33C
6872894800 push 00488972
:0041A341
C3 ret//这里跳到添加的代码处
:0041A342
57 push
edi
:0041A343 E876790400 call
00461CBE
:0041A348 51
push ecx
:0041A349 C645FC03
mov [ebp-04], 03
:0041A34D 8BCC
mov ecx, esp
以下是增加的代码: *
:00488972
90 nop
:00488973
90 nop
:00488974
90 nop
:00488975
90 nop
:00488976
90 nop
:00488977
90 nop
:00488978
90 nop
:00488979
6A40 push
00000040//Messagebox类型
|
:0048897B 68561B4B00
push 004B1B56//窗口标题入栈,这个标题我们放在数据区4B1B56(VA)处,占七个字节(包括‘\0')的“注册码”字符串,这三个字的代码的获得我会在最后讲解。
:00488980
685D1B4B00 push 004B1B5D//真正的注册码入栈,地址在4B1B5D
:00488985
6A00 push
00000000
* Reference
To: USER32.MessageBoxA, Ord:01BEh
|
:00488987
FF1584964800 Call dword ptr [00489684]//MessageBoxA的调用代码可以从原程序的反汇编代码获得:点击“函数->导入”,然后查找MessageBoxA
:0048898D 51
push ecx//这里补上原来的程序代码
:0048898E 8BCC
mov ecx, esp
:00488990
8965E4 mov dword
ptr [ebp-1C], esp
:00488993 6842A34100
push 0041A342//从这里返回
:00488998 C3
ret
———————————————————————————————————
:0041A348
51 push
ecx
:0041A349 C645FC03 mov
[ebp-04], 03
:0041A34D 8BCC
mov ecx, esp
:0041A34F 8965E8
mov dword ptr [ebp-18], esp
**********************************************************************
call
00436EB0:
* Referenced by a CALL at Address:
|:0041A31A
|
:00436EB0
55 push
ebp
:00436EB1 8BEC
mov ebp, esp
:00436EB3 6AFF
push FFFFFFFF
:00436EB5 68B85B4800
push 00485BB8
:00436EBA 64A100000000
mov eax, dword ptr fs:[00000000]
:00436EC0
50 push
eax
:00436EC1 64892500000000 mov dword ptr
fs:[00000000], esp
:00436EC8 81EC60010000
sub esp, 00000160
:00436ECE 53
push ebx
:00436ECF 56
push esi
:00436ED0 57
push
edi
:00436ED1 8BF1
mov esi, ecx
:00436ED3 8965F0
mov dword ptr [ebp-10], esp
:00436ED6 8975E8
mov dword ptr [ebp-18],
esi
:00436ED9 8D4DDC
lea ecx, dword ptr [ebp-24]
:00436EDC C745FC01000000
mov [ebp-04], 00000001
:00436EE3 E87AAD0200
call 00461C62
:00436EE8 8BCE
mov ecx, esi
:00436EEA C645FC03
mov [ebp-04], 03
:00436EEE
E81D040000 call 00437310
:00436EF3
85C0 test
eax, eax
:00436EF5 8945EC
mov dword ptr [ebp-14], eax
:00436EF8 7509
jne 00436F03
:00436EFA C645FC01
mov [ebp-04], 01
:00436EFE
E9A5010000 jmp 004370A8
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436EF8(C)
|
:00436F03
8D4508 lea eax,
dword ptr [ebp+08]
:00436F06 8BCE
mov ecx, esi
:00436F08 50
push eax
:00436F09 E812FFFFFF
call 00436E20
:00436F0E 85C0
test eax,
eax
:00436F10 7409
je 00436F1B
:00436F12 C645FC01
mov [ebp-04], 01
:00436F16 E98D010000
jmp 004370A8
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F10(C)
|
:00436F1B
8B4D08 mov ecx,
dword ptr [ebp+08]
:00436F1E B838383838
mov eax, 38383838
:00436F23 8DBD14FFFFFF
lea edi, dword ptr [ebp+FFFFFF14]
:00436F29 8B59F8
mov ebx, dword ptr [ecx-08]
:00436F2C
B932000000 mov ecx, 00000032
:00436F31
81FBC8000000 cmp ebx, 000000C8
:00436F37
F3 repz
:00436F38
AB stosd
:00436F39
7E05 jle
00436F40
:00436F3B BBC8000000 mov
ebx, 000000C8
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00436F39(C)
|
:00436F40
53 push
ebx
:00436F41 8D4D08
lea ecx, dword ptr [ebp+08]
:00436F44 E830B40200
call 00462379
:00436F49 8BCB
mov ecx, ebx
:00436F4B 8BF0
mov esi,
eax
:00436F4D 8BD1
mov edx, ecx
:00436F4F 8DBD14FFFFFF
lea edi, dword ptr [ebp+FFFFFF14]
:00436F55 C1E902
shr ecx, 02
:00436F58 F3
repz
:00436F59
A5 movsd
:00436F5A
8BCA mov
ecx, edx
:00436F5C 83E103
and ecx, 00000003
:00436F5F F3
repz
:00436F60 A4
movsb
:00436F61 83CEFF
or esi, FFFFFFFF
:00436F64
8D4D08 lea ecx,
dword ptr [ebp+08]
:00436F67 56
push esi
:00436F68 E85BB40200
call 004623C8
:00436F6D 83FB0A
cmp ebx, 0000000A
:00436F70 7D21
jge 00436F93
:00436F72
B9C8000000 mov ecx, 000000C8
:00436F77
B838383838 mov eax, 38383838
:00436F7C
2BCB sub
ecx, ebx
:00436F7E 8DBC1D14FFFFFF lea edi,
dword ptr [ebp+ebx-000000EC]
:00436F85 8BD1
mov edx, ecx
:00436F87 C1E902
shr ecx, 02
:00436F8A F3
repz
:00436F8B
AB stosd
:00436F8C
8BCA mov
ecx, edx
:00436F8E 83E103
and ecx, 00000003
:00436F91 F3
repz
:00436F92 AA
stosb
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F70(C)
|
:00436F93
8BC3 mov
eax, ebx
:00436F95 8B7DEC
mov edi, dword ptr [ebp-14]
:00436F98 99
cdq
:00436F99 83E207
and edx, 00000007
:00436F9C
8D8D94FEFFFF lea ecx, dword ptr [ebp+FFFFFE94]
:00436FA2
03C2 add
eax, edx
:00436FA4 C1F803
sar eax, 03
:00436FA7 40
inc eax
:00436FA8 50
push eax
:00436FA9 8D8514FFFFFF
lea eax, dword ptr [ebp+FFFFFF14]
:00436FAF
50 push
eax
:00436FB0 57
push edi
:00436FB1 E81ACAFDFF
call 004139D0
:00436FB6 57
push edi
:00436FB7 E81EAC0200
call 00461BDA
:00436FBC 8B4D0C
mov ecx, dword ptr [ebp+0C]
:00436FBF
83C404 add esp,
00000004
:00436FC2 8B59F8
mov ebx, dword ptr [ecx-08]
:00436FC5 83FB0E
cmp ebx, 0000000E//这里是对注册码长度的判断,我已经把下面改为绝对跳转
:00436FC8
EB1D jmp
00436FE7
:00436FCA C645FC01
mov [ebp-04], 01
:00436FCE E8CDAC0200
call 00461CA0
:00436FD3 8D4D08
lea ecx, dword ptr [ebp+08]
:00436FD6 C645FC00
mov [ebp-04], 00
:00436FDA
E86AAF0200 call 00461F49
:00436FDF
8975FC mov dword
ptr [ebp-04], esi
:00436FE2 E9D9000000
jmp 004370C0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436FC8(U)
|
:00436FE7
6A0E push
0000000E
:00436FE9 E8C3AB0200 call
00461BB1
:00436FEE 83C404
add esp, 00000004
:00436FF1 8D4D0C
lea ecx, dword ptr [ebp+0C]
:00436FF4 8BF8
mov edi,
eax
:00436FF6 6A0E
push 0000000E
:00436FF8 E87CB30200
call 00462379
:00436FFD 8B08
mov ecx, dword ptr [eax]
:00436FFF
8BD7 mov
edx, edi
:00437001 56
push esi
:00437002 890A
mov dword ptr [edx], ecx
:00437004 8B4804
mov ecx, dword ptr
[eax+04]
:00437007 894A04
mov dword ptr [edx+04], ecx
:0043700A 8B4808
mov ecx, dword ptr [eax+08]
:0043700D
894A08 mov dword
ptr [edx+08], ecx
:00437010 668B400C
mov ax, word ptr [eax+0C]
:00437014 8D4D0C
lea ecx, dword ptr [ebp+0C]
:00437017
6689420C mov word ptr [edx+0C],
ax
:0043701B E8A8B30200 call
004623C8
:00437020 33C0
xor eax, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437030(U)
|
:00437022
3BC3 cmp
eax, ebx
:00437024 7D0C
jge 00437032
:00437026 8A1438
mov dl, byte ptr [eax+edi]
:00437029 80F238
xor dl, 38
:0043702C
881438 mov byte
ptr [eax+edi], dl
:0043702F 40
inc eax
:00437030 EBF0
jmp 00437022
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437024(C)
|
:00437032
6A00 push
00000000
:00437034 8D8D14FFFFFF lea
ecx, dword ptr [ebp+FFFFFF14]
:0043703A 57
push edi
:0043703B 51
push ecx
:0043703C
8B4DE8 mov ecx,
dword ptr [ebp-18]
:0043703F E87C050000
call 004375C0//判断点,追进去!
:00437044 57
push edi
:00437045 8BD8
mov ebx, eax
:00437047
E88EAB0200 call 00461BDA
:0043704C
83C404 add esp,
00000004
:0043704F C645FC01
mov [ebp-04], 01
:00437053 E848AC0200
call 00461CA0
:00437058 8D4D08
lea ecx, dword ptr [ebp+08]
:0043705B C645FC00
mov [ebp-04], 00
:0043705F
E8E5AE0200 call 00461F49
:00437064
8D4D0C lea ecx,
dword ptr [ebp+0C]
:00437067 8975FC
mov dword ptr [ebp-04], esi
:0043706A E8DAAE0200
call 00461F49
:0043706F 8BC3
mov eax, ebx
:00437071
8B4DF4 mov ecx,
dword ptr [ebp-0C]
:00437074 64890D00000000 mov
dword ptr fs:[00000000], ecx
:0043707B 5F
pop edi
:0043707C 5E
pop esi
:0043707D
5B pop
ebx
:0043707E 8BE5
mov esp, ebp
:00437080 5D
pop ebp
:00437081 C20800
ret 0008
***********************************************************************
call
004375C0:
* Referenced by a CALL at Addresses:
|:0043703F , :004372AF
|
:004375C0 55
push ebp
:004375C1 8BEC
mov ebp, esp
:004375C3 6AFF
push FFFFFFFF
:004375C5
68285C4800 push 00485C28
:004375CA
64A100000000 mov eax, dword ptr fs:[00000000]
:004375D0
50 push
eax
:004375D1 64892500000000 mov dword ptr
fs:[00000000], esp
:004375D8 83EC18
sub esp, 00000018
:004375DB 53
push ebx
:004375DC 56
push esi
:004375DD
57 push
edi
:004375DE 8D4DDC
lea ecx, dword ptr [ebp-24]
:004375E1 8965F0
mov dword ptr [ebp-10], esp
:004375E4 E879A60200
call 00461C62
:004375E9 A1D8CF4A00
mov eax, dword ptr [004ACFD8]
:004375EE
8A0DDCCF4A00 mov cl, byte ptr [004ACFDC]
:004375F4
8B750C mov esi,
dword ptr [ebp+0C]
:004375F7 C745FC00000000 mov
[ebp-04], 00000000
:004375FE 8945E4
mov dword ptr [ebp-1C], eax
:00437601 C645FC01
mov [ebp-04], 01
:00437605 BF01000000
mov edi, 00000001
:0043760A
884DE8 mov byte
ptr [ebp-18], cl
:0043760D 33C0
xor eax, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437623(U)
|
:0043760F
83F804 cmp eax,
00000004
:00437612 7D11
jge 00437625
:00437614 8A1430
mov dl, byte ptr [eax+esi]
:00437617 8A4C05E4
mov cl, byte ptr [ebp+eax-1C]
:0043761B
80F238 xor dl, 38
:0043761E
3ACA cmp
cl, dl//这里是判断注册码前四位是否为ENB-,所以把下面的判断nop掉
:00437620 7544
jne 00437666//改为9090
—————————————————————————————————
修改后的代码:
:0043761E
3ACA cmp
cl, dl
:00437620 90
nop
:00437621 90
nop
:00437622 40
inc eax
—————————————————————————————————
:00437622
40 inc
eax
:00437623 EBEA
jmp 0043760F
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625
85FF test
edi, edi//从这里插入一段代码,在数据区存入"ENB-"这个字符串,改动如下:
:00437627 743F
je 00437668
:00437629
8B4D08 mov ecx,
dword ptr [ebp+08]
:0043762C 33C0
xor eax, eax
——————————————————————————————————
修改后的代码:
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625
85FF test
edi, edi
:00437627 685B894800 push
0048895B//跳到插入代码区
:0043762C C3
ret
:0043762D
90 nop
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E
83F80A cmp eax,
0000000A
:00437631 7D35
jge 00437668
下面是.text块添加的代码:
:0048895B
743F je 0048899C//补上原程序中的代码
:0048895D
8B4D08 mov ecx,
dword ptr [ebp+08]
:00488960 33C0
xor eax, eax
:00488962 C7055D1B4B00454E422D
mov dword ptr [004B1B5D], 2D424E45//在数据区存入"ENB-"
:0048896C
682E764300 push 0043762E//返回
:00488971
C3 ret
——————————————————————————————————
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E
83F80A cmp eax,
0000000A
:00437631 7D35
jge 00437668
:00437633 8A1408
mov dl, byte ptr [eax+ecx]
:00437636 80E27F
and dl, 7F
:00437639
80FA41 cmp dl, 41
:0043763C
881408 mov byte
ptr [eax+ecx], dl
:0043763F 7D06
jge 00437647
:00437641 80CA41
or dl, 41
:00437644 881408
mov byte ptr [eax+ecx],
dl
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:0043763F(C)
|
:00437647
8A1408 mov dl, byte
ptr [eax+ecx]
:0043764A 80FA5A
cmp dl, 5A
:0043764D 7E06
jle 00437655
:0043764F 80E25A
and dl, 5A
:00437652 881408
mov byte ptr [eax+ecx],
dl
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655
8A543004 mov dl, byte ptr
[eax+esi+04]
:00437659 8A1C08
mov bl, byte ptr [eax+ecx]
:0043765C 80F238
xor dl, 38
:0043765F 3ADA
cmp bl, dl//上面这段算法产生注册码后十位并比较,由于这里是直接与真码逐位比较,所以要设法把真码的每一位保存下来,最后调用一个Messagebox来显示,但这个调用不能放在这里,因为软件每次启动时都要调用这个call来验证注册码,把Messagebox插在这里每次启动都会弹出。所以在这里要插入的就是把真码保存的代码。我在数据区找了一个地方4B1B61,这里我们先让程序跳到添加的代码处:
—————————————————————————————————
修改后的代码:
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655
8A543004 mov dl, byte ptr
[eax+esi+04]
:00437659 8A1C08
mov bl, byte ptr [eax+ecx]
:0043765C 684E894800
push 0048894E
:00437661 C3
ret//这两步跳到添加的代码处
:00437662
90 nop
:00437663
40 inc
eax
:00437664 EBC8
jmp 0043762E
:00437666 33FF
xor edi, edi
以上是在原代码中的改动,下面是加在原.text块末尾的代码,从48894E处开始,执行结束后返回:
:0048894E
8898611B4B00 mov byte ptr [eax+004B1B61],
bl
:00488954 90
nop
:00488955 6863764300
push 00437663
:0048895A C3
ret
—————————————————————————————————
:00437661
7503 jne
00437666
:00437663 40
inc eax
:00437664 EBC8
jmp 0043762E
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437620(C),
:00437661(C)
|
:00437666 33FF
xor edi, edi
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437627(C),
:00437631(C)
|
:00437668 8B4510
mov eax, dword ptr [ebp+10]
:0043766B 85C0
test eax, eax
:0043766D
7406 je 00437675
:0043766F
893D5C454B00 mov dword ptr [004B455C],
edi
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:0043766D(C)
|
:00437675
C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:0043767C
E81FA60200 call 00461CA0
:00437681
8BC7 mov
eax, edi
:00437683 8B4DF4
mov ecx, dword ptr [ebp-0C]
:00437686 64890D00000000
mov dword ptr fs:[00000000], ecx
:0043768D 5F
pop edi
:0043768E
5E pop
esi
:0043768F 5B
pop ebx
:00437690 8BE5
mov esp, ebp
:00437692 5D
pop ebp
:00437693 C20C00
ret 000C
*****************************************************************
最后讲一下如何取得字符串“注册码”在内存中的形式
在输入注册码时,我们注意到如果输入的注册码是错误的,程序会弹出一个Messagebox说:注册号码不对!
我们就从这个Messagebox的参数入手来取得“注册号码”的存放形式。
下断点bpx MessageBoxA,来到下面的地方:
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:0046CA9A(U)
|
:0046CAB6 53
push ebx
:0046CAB7 57
push edi
:0046CAB8
FF7508 push [ebp+08]//这里压入lpText,用d *(ebp+8)查看,得到
0187:01234700
D7 A2 B2 E1 BA C5 C2 E0
这就是“注册号码”在内存中的形式(每个汉字占两个字节,第5、6字节对应“号”),我们把第1、2、3、4、7、8个字节复制到000B1B56(Raw Offset)处,即得到“注册码”。
:0046CABB FF75F4 push [ebp-0C]
*
Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0046CABE
FF1584964800 Call dword ptr [00489684]
:0046CAC4
85F6 test
esi, esi
:0046CAC6 8BF8
mov edi, eax
:0046CAC8 7405
je 0046CACF
:0046CACA 8B45F8
mov eax, dword ptr [ebp-08]
:0046CACD
8906 mov
dword ptr [esi], eax
这样我们就完成了对程序的修改。运行一下试试!
cyclotron
2003.4.26