电子笔记簿V2.52

标题：pediy系列——为程序添加显示注册码的Messagebox　
作者：cyclotron
时间：2003/04/26 10:11pm
链接：http://bbs.pediy.com

【目标程序】：电子笔记簿V2.52

【修改目的】：为程序添加显示注册码的Messagebox

【修改类型】：Reverse Engineering

第一次做pediy的工作，没有经验，不足之处请各位指教！
为了添加代码和数据，先查看一下Section Table,注意一下.text块的RO为1000，VS为8794E，所以在1000+8794E=8894E后有大段的空白区，可以从这里开始添加代码，且不超过1000+88000=89000位置。同样，在AB000+7000=B2000处可以添加数据。
Section Virtual Size Virtual Offset Raw Size Raw Offset Characteristics

.text 0008794E 00001000 00088000 00001000 60000020
.rdata 00021BFC 00089000 00022000 00089000 40000040
.data 0000D9A8 000AB000 00007000 000AB000 C0000040
.rsrc 00000E80 000B9000 00001000 000B2000 40000040

:0041A2F5 51 push ecx
:0041A2F6 8BCC mov ecx, esp
:0041A2F8 8965E8 mov dword ptr [ebp-18], esp
:0041A2FB 57 push edi
:0041A2FC E8BD790400 call 00461CBE
:0041A301 51 push ecx
:0041A302 C645FC02 mov [ebp-04], 02
:0041A306 8BCC mov ecx, esp
:0041A308 8965E4 mov dword ptr [ebp-1C], esp
:0041A30B 53 push ebx
:0041A30C E8AD790400 call 00461CBE
:0041A311 B9381E4B00 mov ecx, 004B1E38
:0041A316 C645FC01 mov [ebp-04], 01
:0041A31A E891CB0100 call 00436EB0//关键call,追进去！
:0041A31F 85C0 test eax, eax//成功与否的判断
:0041A321 7519 jne 0041A33C
:0041A323 50 push eax
:0041A324 6A40 push 00000040
:0041A326 680A810000 push 0000810A
:0041A32B E800F2FEFF call 00409530//失败提示
:0041A330 83C40C add esp, 0000000C
:0041A333 8BCE mov ecx, esi
:0041A335 E8153B0400 call 0045DE4F
:0041A33A EB70 jmp 0041A3AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A321(C)
|
:0041A33C 51 push ecx//程序启动时不经过这里，所以在这儿插入Messagebox的调用，修改如下：
:0041A33D 8BCC mov ecx, esp
:0041A33F 8965E4 mov dword ptr [ebp-1C], esp
:0041A342 57 push edi
:0041A343 E876790400 call 00461CBE//成功提示

———————————————————————————————————————
修改后的代码：
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A321(C)
|
:0041A33C 6872894800 push 00488972
:0041A341 C3 ret//这里跳到添加的代码处

:0041A342 57 push edi
:0041A343 E876790400 call 00461CBE
:0041A348 51 push ecx
:0041A349 C645FC03 mov [ebp-04], 03
:0041A34D 8BCC mov ecx, esp

以下是增加的代码：
:00488972 90 nop
:00488973 90 nop
:00488974 90 nop
:00488975 90 nop
:00488976 90 nop
:00488977 90 nop
:00488978 90 nop
:00488979 6A40 push 00000040//Messagebox类型

* Possible StringData Ref from Data Obj ->"注册码"
|
:0048897B 68561B4B00 push 004B1B56//窗口标题入栈，这个标题我们放在数据区4B1B56（VA）处，占七个字节（包括‘\0')的“注册码”字符串,这三个字的代码的获得我会在最后讲解。
:00488980 685D1B4B00 push 004B1B5D//真正的注册码入栈，地址在4B1B5D
:00488985 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00488987 FF1584964800 Call dword ptr [00489684]//Messagebox的调用代码可以从原程序的反汇编代码获得，点击函数－>导入，然后查找Messageboxa
:0048898D 51 push ecx//这里补上原来的程序代码
:0048898E 8BCC mov ecx, esp
:00488990 8965E4 mov dword ptr [ebp-1C], esp
:00488993 6842A34100 push 0041A342//从这里返回
:00488998 C3 ret

———————————————————————————————————

:0041A348 51 push ecx
:0041A349 C645FC03 mov [ebp-04], 03
:0041A34D 8BCC mov ecx, esp
:0041A34F 8965E8 mov dword ptr [ebp-18], esp
**********************************************************************
call 00436EB0：
* Referenced by a CALL at Address:
|:0041A31A
|
:00436EB0 55 push ebp
:00436EB1 8BEC mov ebp, esp
:00436EB3 6AFF push FFFFFFFF
:00436EB5 68B85B4800 push 00485BB8
:00436EBA 64A100000000 mov eax, dword ptr fs:[00000000]
:00436EC0 50 push eax
:00436EC1 64892500000000 mov dword ptr fs:[00000000], esp
:00436EC8 81EC60010000 sub esp, 00000160
:00436ECE 53 push ebx
:00436ECF 56 push esi
:00436ED0 57 push edi
:00436ED1 8BF1 mov esi, ecx
:00436ED3 8965F0 mov dword ptr [ebp-10], esp
:00436ED6 8975E8 mov dword ptr [ebp-18], esi
:00436ED9 8D4DDC lea ecx, dword ptr [ebp-24]
:00436EDC C745FC01000000 mov [ebp-04], 00000001
:00436EE3 E87AAD0200 call 00461C62
:00436EE8 8BCE mov ecx, esi
:00436EEA C645FC03 mov [ebp-04], 03
:00436EEE E81D040000 call 00437310
:00436EF3 85C0 test eax, eax
:00436EF5 8945EC mov dword ptr [ebp-14], eax
:00436EF8 7509 jne 00436F03
:00436EFA C645FC01 mov [ebp-04], 01
:00436EFE E9A5010000 jmp 004370A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436EF8(C)
|
:00436F03 8D4508 lea eax, dword ptr [ebp+08]
:00436F06 8BCE mov ecx, esi
:00436F08 50 push eax
:00436F09 E812FFFFFF call 00436E20
:00436F0E 85C0 test eax, eax
:00436F10 7409 je 00436F1B
:00436F12 C645FC01 mov [ebp-04], 01
:00436F16 E98D010000 jmp 004370A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F10(C)
|
:00436F1B 8B4D08 mov ecx, dword ptr [ebp+08]
:00436F1E B838383838 mov eax, 38383838
:00436F23 8DBD14FFFFFF lea edi, dword ptr [ebp+FFFFFF14]
:00436F29 8B59F8 mov ebx, dword ptr [ecx-08]
:00436F2C B932000000 mov ecx, 00000032
:00436F31 81FBC8000000 cmp ebx, 000000C8
:00436F37 F3 repz
:00436F38 AB stosd
:00436F39 7E05 jle 00436F40
:00436F3B BBC8000000 mov ebx, 000000C8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F39(C)
|
:00436F40 53 push ebx
:00436F41 8D4D08 lea ecx, dword ptr [ebp+08]
:00436F44 E830B40200 call 00462379
:00436F49 8BCB mov ecx, ebx
:00436F4B 8BF0 mov esi, eax
:00436F4D 8BD1 mov edx, ecx
:00436F4F 8DBD14FFFFFF lea edi, dword ptr [ebp+FFFFFF14]
:00436F55 C1E902 shr ecx, 02
:00436F58 F3 repz
:00436F59 A5 movsd
:00436F5A 8BCA mov ecx, edx
:00436F5C 83E103 and ecx, 00000003
:00436F5F F3 repz
:00436F60 A4 movsb
:00436F61 83CEFF or esi, FFFFFFFF
:00436F64 8D4D08 lea ecx, dword ptr [ebp+08]
:00436F67 56 push esi
:00436F68 E85BB40200 call 004623C8
:00436F6D 83FB0A cmp ebx, 0000000A
:00436F70 7D21 jge 00436F93
:00436F72 B9C8000000 mov ecx, 000000C8
:00436F77 B838383838 mov eax, 38383838
:00436F7C 2BCB sub ecx, ebx
:00436F7E 8DBC1D14FFFFFF lea edi, dword ptr [ebp+ebx-000000EC]
:00436F85 8BD1 mov edx, ecx
:00436F87 C1E902 shr ecx, 02
:00436F8A F3 repz
:00436F8B AB stosd
:00436F8C 8BCA mov ecx, edx
:00436F8E 83E103 and ecx, 00000003
:00436F91 F3 repz
:00436F92 AA stosb

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436F70(C)
|
:00436F93 8BC3 mov eax, ebx
:00436F95 8B7DEC mov edi, dword ptr [ebp-14]
:00436F98 99 cdq
:00436F99 83E207 and edx, 00000007
:00436F9C 8D8D94FEFFFF lea ecx, dword ptr [ebp+FFFFFE94]
:00436FA2 03C2 add eax, edx
:00436FA4 C1F803 sar eax, 03
:00436FA7 40 inc eax
:00436FA8 50 push eax
:00436FA9 8D8514FFFFFF lea eax, dword ptr [ebp+FFFFFF14]
:00436FAF 50 push eax
:00436FB0 57 push edi
:00436FB1 E81ACAFDFF call 004139D0
:00436FB6 57 push edi
:00436FB7 E81EAC0200 call 00461BDA
:00436FBC 8B4D0C mov ecx, dword ptr [ebp+0C]
:00436FBF 83C404 add esp, 00000004
:00436FC2 8B59F8 mov ebx, dword ptr [ecx-08]
:00436FC5 83FB0E cmp ebx, 0000000E//这里是对注册码长度的判断，我已经把下面改为绝对跳转
:00436FC8 EB1D jmp 00436FE7
:00436FCA C645FC01 mov [ebp-04], 01
:00436FCE E8CDAC0200 call 00461CA0
:00436FD3 8D4D08 lea ecx, dword ptr [ebp+08]
:00436FD6 C645FC00 mov [ebp-04], 00
:00436FDA E86AAF0200 call 00461F49
:00436FDF 8975FC mov dword ptr [ebp-04], esi
:00436FE2 E9D9000000 jmp 004370C0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436FC8(U)
|
:00436FE7 6A0E push 0000000E
:00436FE9 E8C3AB0200 call 00461BB1
:00436FEE 83C404 add esp, 00000004
:00436FF1 8D4D0C lea ecx, dword ptr [ebp+0C]
:00436FF4 8BF8 mov edi, eax
:00436FF6 6A0E push 0000000E
:00436FF8 E87CB30200 call 00462379
:00436FFD 8B08 mov ecx, dword ptr [eax]
:00436FFF 8BD7 mov edx, edi
:00437001 56 push esi
:00437002 890A mov dword ptr [edx], ecx
:00437004 8B4804 mov ecx, dword ptr [eax+04]
:00437007 894A04 mov dword ptr [edx+04], ecx
:0043700A 8B4808 mov ecx, dword ptr [eax+08]
:0043700D 894A08 mov dword ptr [edx+08], ecx
:00437010 668B400C mov ax, word ptr [eax+0C]
:00437014 8D4D0C lea ecx, dword ptr [ebp+0C]
:00437017 6689420C mov word ptr [edx+0C], ax
:0043701B E8A8B30200 call 004623C8
:00437020 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437030(U)
|
:00437022 3BC3 cmp eax, ebx
:00437024 7D0C jge 00437032
:00437026 8A1438 mov dl, byte ptr [eax+edi]
:00437029 80F238 xor dl, 38
:0043702C 881438 mov byte ptr [eax+edi], dl
:0043702F 40 inc eax
:00437030 EBF0 jmp 00437022

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437024(C)
|
:00437032 6A00 push 00000000
:00437034 8D8D14FFFFFF lea ecx, dword ptr [ebp+FFFFFF14]
:0043703A 57 push edi
:0043703B 51 push ecx
:0043703C 8B4DE8 mov ecx, dword ptr [ebp-18]
:0043703F E87C050000 call 004375C0//判断点，追进去！
:00437044 57 push edi
:00437045 8BD8 mov ebx, eax
:00437047 E88EAB0200 call 00461BDA
:0043704C 83C404 add esp, 00000004
:0043704F C645FC01 mov [ebp-04], 01
:00437053 E848AC0200 call 00461CA0
:00437058 8D4D08 lea ecx, dword ptr [ebp+08]
:0043705B C645FC00 mov [ebp-04], 00
:0043705F E8E5AE0200 call 00461F49
:00437064 8D4D0C lea ecx, dword ptr [ebp+0C]
:00437067 8975FC mov dword ptr [ebp-04], esi
:0043706A E8DAAE0200 call 00461F49
:0043706F 8BC3 mov eax, ebx
:00437071 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00437074 64890D00000000 mov dword ptr fs:[00000000], ecx
:0043707B 5F pop edi
:0043707C 5E pop esi
:0043707D 5B pop ebx
:0043707E 8BE5 mov esp, ebp
:00437080 5D pop ebp
:00437081 C20800 ret 0008
***********************************************************************
call 004375C0：
* Referenced by a CALL at Addresses:
|:0043703F , :004372AF
|
:004375C0 55 push ebp
:004375C1 8BEC mov ebp, esp
:004375C3 6AFF push FFFFFFFF
:004375C5 68285C4800 push 00485C28
:004375CA 64A100000000 mov eax, dword ptr fs:[00000000]
:004375D0 50 push eax
:004375D1 64892500000000 mov dword ptr fs:[00000000], esp
:004375D8 83EC18 sub esp, 00000018
:004375DB 53 push ebx
:004375DC 56 push esi
:004375DD 57 push edi
:004375DE 8D4DDC lea ecx, dword ptr [ebp-24]
:004375E1 8965F0 mov dword ptr [ebp-10], esp
:004375E4 E879A60200 call 00461C62
:004375E9 A1D8CF4A00 mov eax, dword ptr [004ACFD8]
:004375EE 8A0DDCCF4A00 mov cl, byte ptr [004ACFDC]
:004375F4 8B750C mov esi, dword ptr [ebp+0C]
:004375F7 C745FC00000000 mov [ebp-04], 00000000
:004375FE 8945E4 mov dword ptr [ebp-1C], eax
:00437601 C645FC01 mov [ebp-04], 01
:00437605 BF01000000 mov edi, 00000001
:0043760A 884DE8 mov byte ptr [ebp-18], cl
:0043760D 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437623(U)
|
:0043760F 83F804 cmp eax, 00000004
:00437612 7D11 jge 00437625
:00437614 8A1430 mov dl, byte ptr [eax+esi]
:00437617 8A4C05E4 mov cl, byte ptr [ebp+eax-1C]
:0043761B 80F238 xor dl, 38
:0043761E 3ACA cmp cl, dl//这里是判断注册码前四位是否为ENB-,所以把下面的判断nop掉
:00437620 7544 jne 00437666//改为9090
—————————————————————————————————
修改后的代码：
:0043761E 3ACA cmp cl, dl
:00437620 90 nop
:00437621 90 nop
:00437622 40 inc eax
—————————————————————————————————
:00437622 40 inc eax
:00437623 EBEA jmp 0043760F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625 85FF test edi, edi//从这里插入一段代码，在数据区存入"ENB-"这个字符串，改动如下：
:00437627 743F je 00437668
:00437629 8B4D08 mov ecx, dword ptr [ebp+08]
:0043762C 33C0 xor eax, eax
——————————————————————————————————
修改后的代码：
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625 85FF test edi, edi
:00437627 685B894800 push 0048895B//跳到插入代码区
:0043762C C3 ret

:0043762D 90 nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E 83F80A cmp eax, 0000000A
:00437631 7D35 jge 00437668

下面是.text块添加的代码：
:0048895B 743F je 0048899C//补上原程序中的代码
:0048895D 8B4D08 mov ecx, dword ptr [ebp+08]
:00488960 33C0 xor eax, eax
:00488962 C7055D1B4B00454E422D mov dword ptr [004B1B5D], 2D424E45//在数据区存入"ENB-"
:0048896C 682E764300 push 0043762E//返回
:00488971 C3 ret

——————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E 83F80A cmp eax, 0000000A
:00437631 7D35 jge 00437668
:00437633 8A1408 mov dl, byte ptr [eax+ecx]
:00437636 80E27F and dl, 7F
:00437639 80FA41 cmp dl, 41
:0043763C 881408 mov byte ptr [eax+ecx], dl
:0043763F 7D06 jge 00437647
:00437641 80CA41 or dl, 41
:00437644 881408 mov byte ptr [eax+ecx], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043763F(C)
|
:00437647 8A1408 mov dl, byte ptr [eax+ecx]
:0043764A 80FA5A cmp dl, 5A
:0043764D 7E06 jle 00437655
:0043764F 80E25A and dl, 5A
:00437652 881408 mov byte ptr [eax+ecx], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655 8A543004 mov dl, byte ptr [eax+esi+04]
:00437659 8A1C08 mov bl, byte ptr [eax+ecx]
:0043765C 80F238 xor dl, 38
:0043765F 3ADA cmp bl, dl//上面这段算法产生注册码后十位并比较，由于这里是直接与真码逐位比较，所以要设法把真码的每一位保存下来，最后调用一个Messagebox来显示，但这个调用不能放在这里，因为软件每次启动时都要调用这个call来验证注册码，把Messagebox插在这里每次启动都会弹出。所以在这里要插入的就是把真码保存的代码。我在数据区找了一个地方4B1B61,这里我们先让程序跳到添加的代码处：
—————————————————————————————————
修改后的代码：
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655 8A543004 mov dl, byte ptr [eax+esi+04]
:00437659 8A1C08 mov bl, byte ptr [eax+ecx]
:0043765C 684E894800 push 0048894E
:00437661 C3 ret//这两步跳到添加的代码处
:00437662 90 nop
:00437663 40 inc eax
:00437664 EBC8 jmp 0043762E
:00437666 33FF xor edi, edi

以上是在原代码中的改动，下面是加在原.text块末尾的代码，从48894E处开始，执行结束后返回：
:0048894E 8898611B4B00 mov byte ptr [eax+004B1B61], bl
:00488954 90 nop
:00488955 6863764300 push 00437663
:0048895A C3 ret
—————————————————————————————————
:00437661 7503 jne 00437666
:00437663 40 inc eax
:00437664 EBC8 jmp 0043762E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437620(C), :00437661(C)
|
:00437666 33FF xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437627(C), :00437631(C)
|
:00437668 8B4510 mov eax, dword ptr [ebp+10]
:0043766B 85C0 test eax, eax
:0043766D 7406 je 00437675
:0043766F 893D5C454B00 mov dword ptr [004B455C], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043766D(C)
|
:00437675 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:0043767C E81FA60200 call 00461CA0
:00437681 8BC7 mov eax, edi
:00437683 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00437686 64890D00000000 mov dword ptr fs:[00000000], ecx
:0043768D 5F pop edi
:0043768E 5E pop esi
:0043768F 5B pop ebx
:00437690 8BE5 mov esp, ebp
:00437692 5D pop ebp
:00437693 C20C00 ret 000C
*****************************************************************
最后讲一下如何取得字符串“注册码”在内存中的形式
在输入注册码时，我们注意到如果输入的注册码是错误的，程序会弹出一个Messagebox说：注册号码不对！
我们就从这个Messagebox的参数入手来取得“注册号码”的存放形式。
下断点bpx Messageboxa来到下面的地方：
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046CA9A(U)
|
:0046CAB6 53 push ebx
:0046CAB7 57 push edi
:0046CAB8 FF7508 push [ebp+08]//这里压入lpText，用d *(ebp+8)查看，得到

0187:01234700 D7 A2 B2 E1 BA C5 C2 E0
这就是“注册号码”在内存中的形式，我们把第1、2、3、4、7、8个字节复制到000B1B56（Raw Offset）处

:0046CABB FF75F4 push [ebp-0C]

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0046CABE FF1584964800 Call dword ptr [00489684]
:0046CAC4 85F6 test esi, esi
:0046CAC6 8BF8 mov edi, eax
:0046CAC8 7405 je 0046CACF
:0046CACA 8B45F8 mov eax, dword ptr [ebp-08]
:0046CACD 8906 mov dword ptr [esi], eax

这样我们就完成了对程序的修改。运行一下试试！

cyclotron
2003.4.26