
Adding a MessageBox that shows the registration code to a program

Date: 2004/10/15 0:58:00  Source: compiled by this site  Author: 蓝点

【Target program】: 电子笔记簿 V2.52
【Purpose of modification】: Add a MessageBox that shows the registration code to the program
【Type of modification】: Reverse Engineering

   This is my first piece of pediy work; I have no experience, so please point out anything I got wrong!
   To add code and data, first look at the Section Table. Note that the .text section has an RO (Raw Offset) of 1000 and a VS (Virtual Size) of 8794E, so after 1000+8794E=8894E there is a large blank area; code can be added starting there, as long as it stays below 1000+88000=89000. Similarly, data can be added at AB000+7000=B2000.
Section    Virtual Size  Virtual Offset  Raw Size  Raw Offset  Characteristics

.text      0008794E      00001000        00088000  00001000    60000020
.rdata     00021BFC      00089000        00022000  00089000    40000040
.data      0000D9A8      000AB000        00007000  000AB000    C0000040
.rsrc      00000E80      000B9000        00001000  000B2000    40000040
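The section-table arithmetic the article does by hand, as an added Python example that is not part of the original article: it computes each section's slack (file bytes between VirtualSize and RawSize), maps a VA to the raw file offset a hex editor must write, checks that a patch range stays inside the slack, and, as the check a defender would run on a suspect binary, lists non-zero bytes in the slack of an on-disk image, since a clean build leaves that padding zero-filled. The image base 0x400000 and the sample image in the comments are assumptions.

```python
# Added example, not the article's own code. Section rows are the four listed
# above; the image base 0x400000 is assumed (the article's VAs such as 4B1B56
# imply it).
IMAGE_BASE = 0x400000

# (name, VirtualSize, VirtualOffset/RVA, RawSize, RawOffset)
SECTIONS = [
    (".text",  0x0008794E, 0x00001000, 0x00088000, 0x00001000),
    (".rdata", 0x00021BFC, 0x00089000, 0x00022000, 0x00089000),
    (".data",  0x0000D9A8, 0x000AB000, 0x00007000, 0x000AB000),
    (".rsrc",  0x00000E80, 0x000B9000, 0x00001000, 0x000B2000),
]

def section_for_va(va):
    """Return the section row whose address range contains the virtual address."""
    rva = va - IMAGE_BASE
    for row in SECTIONS:
        _, vsize, voff, rsize, _ = row
        if voff <= rva < voff + max(vsize, rsize):
            return row
    raise ValueError(f"VA {va:#x} is not inside any section")

def va_to_file_offset(va):
    """Map a VA to the raw file offset where the same byte lives on disk."""
    _, _, voff, rsize, roff = section_for_va(va)
    delta = va - IMAGE_BASE - voff
    if delta >= rsize:
        raise ValueError(f"VA {va:#x} has no backing bytes in the file")
    return roff + delta

def slack(name):
    """(start VA, size) of a section's slack: file bytes past VirtualSize up to RawSize."""
    for n, vsize, voff, rsize, _ in SECTIONS:
        if n == name:
            return IMAGE_BASE + voff + vsize, max(rsize - vsize, 0)
    raise KeyError(name)

def patch_fits(va, length):
    """True if [va, va+length) lies entirely inside its section's slack."""
    start, size = slack(section_for_va(va)[0])
    return start <= va and va + length <= start + size

def nonzero_slack_bytes(name, image):
    """VAs of non-zero bytes in a section's slack of an on-disk image (bytes):
    a quick integrity check, since a clean build leaves this padding zeroed."""
    _, vsize, voff, _, roff = next(r for r in SECTIONS if r[0] == name)
    start_va, size = slack(name)
    tail = image[roff + vsize: roff + vsize + size]
    return [start_va + i for i, b in enumerate(tail) if b != 0]
```

For the table above, slack(".text") gives 0x48894E with 0x6B2 bytes, which is exactly the region the article starts writing at, and a constructed zero-filled image with one byte written at file offset 0x88972 is reported back as VA 0x488972.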

:0041A2F5 51                      push ecx
:0041A2F6 8BCC                    mov ecx, esp
:0041A2F8 8965E8                  mov dword ptr [ebp-18], esp
:0041A2FB 57                      push edi
:0041A2FC E8BD790400              call 00461CBE
:0041A301 51                      push ecx
:0041A302 C645FC02                mov [ebp-04], 02
:0041A306 8BCC                    mov ecx, esp
:0041A308 8965E4                  mov dword ptr [ebp-1C], esp
:0041A30B 53                      push ebx
:0041A30C E8AD790400              call 00461CBE
:0041A311 B9381E4B00              mov ecx, 004B1E38
:0041A316 C645FC01                mov [ebp-04], 01
:0041A31A E891CB0100              call 00436EB0//key call, step into it!
:0041A31F 85C0                    test eax, eax//success/failure check
:0041A321 7519                    jne 0041A33C
:0041A323 50                      push eax
:0041A324 6A40                    push 00000040
:0041A326 680A810000              push 0000810A
:0041A32B E800F2FEFF              call 00409530//failure message
:0041A330 83C40C                  add esp, 0000000C
:0041A333 8BCE                    mov ecx, esi
:0041A335 E8153B0400              call 0045DE4F
:0041A33A EB70                    jmp 0041A3AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A321(C)
|
:0041A33C 51                      push ecx//the program does not pass through here at start-up, so the MessageBox call is inserted here; modified as follows:
:0041A33D 8BCC                    mov ecx, esp
:0041A33F 8965E4                  mov dword ptr [ebp-1C], esp
:0041A342 57                      push edi
:0041A343 E876790400              call 00461CBE//success message

———————————————————————————————————————
Modified code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A321(C)
|
:0041A33C 6872894800              push 00488972
:0041A341 C3                      ret//this jumps to the added code


:0041A342 57                      push edi
:0041A343 E876790400              call 00461CBE
:0041A348 51                      push ecx
:0041A349 C645FC03                mov [ebp-04], 03
:0041A34D 8BCC                    mov ecx, esp

Below is the added code:
:00488972 90                      nop
:00488973 90                      nop
:00488974 90                      nop
:00488975 90                      nop
:00488976 90                      nop
:00488977 90                      nop
:00488978 90                      nop
:00488979 6A40                    push 00000040//MessageBox type

* Possible StringData Ref from Data Obj ->"注册码"
                                 |
:0048897B 68561B4B00              push 004B1B56//push the window title: the string "注册码", placed at 4B1B56 (VA) in the data area and occupying seven bytes (including the '\0'); how the bytes for these three characters are obtained is explained at the end.
:00488980 685D1B4B00              push 004B1B5D//push the real registration code, located at 4B1B5D
:00488985 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                 |
:00488987 FF1584964800            Call dword ptr [00489684]//the call sequence for MessageBox can be taken from the original program's disassembly: click Functions -> Imports and search for MessageBoxA
:0048898D 51                      push ecx//restore the original program code here
:0048898E 8BCC                    mov ecx, esp
:00488990 8965E4                  mov dword ptr [ebp-1C], esp
:00488993 6842A34100              push 0041A342//return from here
:00488998 C3                      ret

———————————————————————————————————

:0041A348 51                      push ecx
:0041A349 C645FC03                mov [ebp-04], 03
:0041A34D 8BCC                    mov ecx, esp
:0041A34F 8965E8                  mov dword ptr [ebp-18], esp
**********************************************************************
call 00436EB0:
* Referenced by a CALL at Address:
|:0041A31A   
|
:00436EB0 55                      push ebp
:00436EB1 8BEC                    mov ebp, esp
:00436EB3 6AFF                    push FFFFFFFF
:00436EB5 68B85B4800              push 00485BB8
:00436EBA 64A100000000            mov eax, dword ptr fs:[00000000]
................
..........

:00436FAF 50                      push eax
:00436FB0 57                      push edi
:00436FB1 E81ACAFDFF              call 004139D0
:00436FB6 57                      push edi
:00436FB7 E81EAC0200              call 00461BDA
:00436FBC 8B4D0C                  mov ecx, dword ptr [ebp+0C]
:00436FBF 83C404                  add esp, 00000004
:00436FC2 8B59F8                  mov ebx, dword ptr [ecx-08]
:00436FC5 83FB0E                  cmp ebx, 0000000E//this checks the length of the registration code; I have already changed the jump below into an unconditional jump
:00436FC8 EB1D                    jmp 00436FE7
:00436FCA C645FC01                mov [ebp-04], 01
:00436FCE E8CDAC0200              call 00461CA0
:00436FD3 8D4D08                  lea ecx, dword ptr [ebp+08]
:00436FD6 C645FC00                mov [ebp-04], 00
:00436FDA E86AAF0200              call 00461F49
:00436FDF 8975FC                  mov dword ptr [ebp-04], esi
:00436FE2 E9D9000000              jmp 004370C0
.....................
.................

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437024(C)
|
:00437032 6A00                    push 00000000
:00437034 8D8D14FFFFFF            lea ecx, dword ptr [ebp+FFFFFF14]
:0043703A 57                      push edi
:0043703B 51                      push ecx
:0043703C 8B4DE8                  mov ecx, dword ptr [ebp-18]
:0043703F E87C050000              call 004375C0//decision point, step into it!
:00437044 57                      push edi
:00437045 8BD8                    mov ebx, eax
:00437047 E88EAB0200              call 00461BDA

***********************************************************************
call 004375C0:
* Referenced by a CALL at Addresses:
|:0043703F   , :004372AF   
|
:004375C0 55                      push ebp
:004375C1 8BEC                    mov ebp, esp
:004375C3 6AFF                    push FFFFFFFF
:004375C5 68285C4800              push 00485C28
:004375CA 64A100000000            mov eax, dword ptr fs:[00000000]
:004375D0 50                      push eax
:004375D1 64892500000000          mov dword ptr fs:[00000000], esp
:004375D8 83EC18                  sub esp, 00000018
:004375DB 53                      push ebx
:004375DC 56                      push esi
:004375DD 57                      push edi
:004375DE 8D4DDC                  lea ecx, dword ptr [ebp-24]
:004375E1 8965F0                  mov dword ptr [ebp-10], esp
:004375E4 E879A60200              call 00461C62
:004375E9 A1D8CF4A00              mov eax, dword ptr [004ACFD8]
:004375EE 8A0DDCCF4A00            mov cl, byte ptr [004ACFDC]
:004375F4 8B750C                  mov esi, dword ptr [ebp+0C]
:004375F7 C745FC00000000          mov [ebp-04], 00000000
:004375FE 8945E4                  mov dword ptr [ebp-1C], eax
:00437601 C645FC01                mov [ebp-04], 01
:00437605 BF01000000              mov edi, 00000001
:0043760A 884DE8                  mov byte ptr [ebp-18], cl
:0043760D 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437623(U)
|
:0043760F 83F804                  cmp eax, 00000004
:00437612 7D11                    jge 00437625
:00437614 8A1430                  mov dl, byte ptr [eax+esi]
:00437617 8A4C05E4                mov cl, byte ptr [ebp+eax-1C]
:0043761B 80F238                  xor dl, 38
:0043761E 3ACA                    cmp cl, dl//this checks whether the first four characters of the registration code are ENB-, so nop out the conditional jump below
:00437620 7544                    jne 00437666//change to 9090
—————————————————————————————————
Modified code:
:0043761E 3ACA                    cmp cl, dl
:00437620 90                      nop
:00437621 90                      nop
:00437622 40                      inc eax
—————————————————————————————————
:00437622 40                      inc eax
:00437623 EBEA                    jmp 0043760F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625 85FF                    test edi, edi//insert a piece of code from here that stores the string "ENB-" in the data area; modified as follows:
:00437627 743F                    je 00437668
:00437629 8B4D08                  mov ecx, dword ptr [ebp+08]
:0043762C 33C0                    xor eax, eax
——————————————————————————————————
Modified code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437612(C)
|
:00437625 85FF                    test edi, edi
:00437627 685B894800              push 0048895B//jump to the inserted code area
:0043762C C3                      ret


:0043762D 90                      nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E 83F80A                  cmp eax, 0000000A
:00437631 7D35                    jge 00437668

Below is the code added to the .text section:
:0048895B 743F                    je 0048899C//restore the code from the original program
:0048895D 8B4D08                  mov ecx, dword ptr [ebp+08]
:00488960 33C0                    xor eax, eax
:00488962 C7055D1B4B00454E422D    mov dword ptr [004B1B5D], 2D424E45//store "ENB-" in the data area
:0048896C 682E764300              push 0043762E//return
:00488971 C3                      ret

——————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437664(U)
|
:0043762E 83F80A                  cmp eax, 0000000A
:00437631 7D35                    jge 00437668
:00437633 8A1408                  mov dl, byte ptr [eax+ecx]
:00437636 80E27F                  and dl, 7F
:00437639 80FA41                  cmp dl, 41
:0043763C 881408                  mov byte ptr [eax+ecx], dl
:0043763F 7D06                    jge 00437647
:00437641 80CA41                  or dl, 41
:00437644 881408                  mov byte ptr [eax+ecx], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043763F(C)
|
:00437647 8A1408                  mov dl, byte ptr [eax+ecx]
:0043764A 80FA5A                  cmp dl, 5A
:0043764D 7E06                    jle 00437655
:0043764F 80E25A                  and dl, 5A
:00437652 881408                  mov byte ptr [eax+ecx], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655 8A543004                mov dl, byte ptr [eax+esi+04]
:00437659 8A1C08                  mov bl, byte ptr [eax+ecx]
:0043765C 80F238                  xor dl, 38
:0043765F 3ADA                    cmp bl, dl//the routine above produces the last ten characters of the registration code and compares them. Because the comparison here is made directly, character by character, against the real code, we have to save every character of the real code and finally call a MessageBox to display it. That call cannot go here, however: the program calls this routine to validate the registration code every time it starts, so a MessageBox inserted here would pop up at every start-up. What gets inserted here is therefore only the code that saves the real code. I found a spot in the data area at 4B1B61; first we make the program jump to the added code:
—————————————————————————————————
Modified code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043764D(C)
|
:00437655 8A543004                mov dl, byte ptr [eax+esi+04]
:00437659 8A1C08                  mov bl, byte ptr [eax+ecx]
:0043765C 684E894800              push 0048894E
:00437661 C3                      ret//these two instructions jump to the added code
:00437662 90                      nop
:00437663 40                      inc eax
:00437664 EBC8                    jmp 0043762E
:00437666 33FF                    xor edi, edi

The above are the changes in the original code; below is the code appended to the end of the original .text section, starting at 48894E, which returns when it finishes:
:0048894E 8898611B4B00            mov byte ptr [eax+004B1B61], bl
:00488954 90                      nop
:00488955 6863764300              push 00437663
:0048895A C3                      ret
—————————————————————————————————
:00437661 7503                    jne 00437666
:00437663 40                      inc eax
:00437664 EBC8                    jmp 0043762E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437620(C), :00437661(C)
|
:00437666 33FF                    xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437627(C), :00437631(C)
|
:00437668 8B4510                  mov eax, dword ptr [ebp+10]
:0043766B 85C0                    test eax, eax
:0043766D 7406                    je 00437675
:0043766F 893D5C454B00            mov dword ptr [004B455C], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043766D(C)
|
:00437675 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0043767C E81FA60200              call 00461CA0
:00437681 8BC7                    mov eax, edi
:00437683 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:00437686 64890D00000000          mov dword ptr fs:[00000000], ecx
:0043768D 5F                      pop edi
:0043768E 5E                      pop esi
:0043768F 5B                      pop ebx
:00437690 8BE5                    mov esp, ebp
:00437692 5D                      pop ebp
:00437693 C20C00                  ret 000C
*****************************************************************
Finally, how to obtain the in-memory form of the string "注册码".
When entering a registration code, we notice that if the code entered is wrong, the program pops up a MessageBox saying: 注册号码不对! (the registration number is wrong).
So we start from the parameters of this MessageBox to obtain the stored form of "注册号码".
Set a breakpoint with bpx Messageboxa and we arrive at the following place:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046CA9A(U)
|
:0046CAB6 53                      push ebx
:0046CAB7 57                      push edi
:0046CAB8 FF7508                  push [ebp+08]//lpText is pushed here; examine it with d *(ebp+8) and you get

0187:01234700    D7 A2 B2 E1 BA C5 C2 E0
This is the in-memory form of "注册号码"; we copy bytes 1, 2, 3, 4, 7 and 8 to 000B1B56 (Raw Offset).

:0046CABB FF75F4                  push [ebp-0C]

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                 |
:0046CABE FF1584964800            Call dword ptr [00489684]
:0046CAC4 85F6                    test esi, esi
:0046CAC6 8BF8                    mov edi, eax
:0046CAC8 7405                    je 0046CACF
:0046CACA 8B45F8                  mov eax, dword ptr [ebp-08]
:0046CACD 8906                    mov dword ptr [esi], eax

This completes the modification of the program. Run it and give it a try!