参考
书:《加密与解密》
视频:小甲鱼 解密系列 视频
示例程序下载地址:http://pan.baidu.com/s/1qWDJyiw
Resource Hacker下载地址:http://www.angusj.com/resourcehacker/reshack_cn_3.6.0.exe
此程序运行进行后有一个nag窗口,可以从这个nag窗口人手,用Resource Hacker这个软件查找这个nag的hInstance
图片1
图片2
可以知道这个nag窗口的hInstance为100(十进制),把程序加载到OD,搜索push 0x64
图片3
再所有push 0x64上下断点。运行程序,找到是产生nag窗口的那个call。删除其它断点。观察这个call 的前面的代码,可以发 je short 0040672E 可以跳过这个call,而决定这个 je 跳不跳的是 call 00431650
图片4
在 call 00431650上面下断点,重新运行程序,进入call 00431650,查看代码
00431650 /$ 81EC D0000000 sub esp, 0D0 00431656 |. 8D4424 00 lea eax, dword ptr [esp] 0043165A |. 53 push ebx 0043165B |. 56 push esi 0043165C |. 57 push edi 0043165D |. 50 push eax ; /pHandle 0043165E |. 68 19000200 push 20019 ; |Access = KEY_READ 00431663 |. 6A 00 push 0 ; |Reserved = 0 00431665 |. 68 F8B34400 push 0044B3F8 ; |Subkey = "Software\gamani\GIFMovieGear\2.0" 0043166A |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER 0043166F |. 83CB FF or ebx, FFFFFFFF ; | 00431672 |. FF15 04804400 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA 00431678 |. 85C0 test eax, eax 0043167A |. 0F85 C2000000 jnz 00431742 00431680 |. 8D4C24 10 lea ecx, dword ptr [esp+10] 00431684 |. 8B35 08804400 mov esi, dword ptr [<&ADVAPI32.RegQu>; ADVAPI32.RegQueryValueExA 0043168A |. 8D5424 14 lea edx, dword ptr [esp+14] 0043168E |. 51 push ecx ; /pBufSize 0043168F |. 52 push edx ; |Buffer 00431690 |. 50 push eax ; |pValueType 00431691 |. 50 push eax ; |Reserved 00431692 |. 8B4424 1C mov eax, dword ptr [esp+1C] ; | 00431696 |. BF 64000000 mov edi, 64 ; | 0043169B |. 68 98D44400 push 0044D498 ; |ValueName = "RegName3" 004316A0 |. 50 push eax ; |hKey 004316A1 |. 897C24 28 mov dword ptr [esp+28], edi ; | 004316A5 |. FFD6 call esi ; \RegQueryValueExA 004316A7 |. 85C0 test eax, eax 004316A9 |. 0F85 93000000 jnz 00431742 004316AF |. 8D4C24 10 lea ecx, dword ptr [esp+10] 004316B3 |. 8D5424 78 lea edx, dword ptr [esp+78] 004316B7 |. 51 push ecx ; /pBufSize 004316B8 |. 52 push edx ; |Buffer 004316B9 |. 50 push eax ; |pValueType 004316BA |. 50 push eax ; |Reserved 004316BB |. 8B4424 1C mov eax, dword ptr [esp+1C] ; | 004316BF |. 68 A4D44400 push 0044D4A4 ; |ValueName = "RegCode3" 004316C4 |. 50 push eax ; |hKey 004316C5 |. 897C24 28 mov dword ptr [esp+28], edi ; | 004316C9 |. FFD6 call esi ; \RegQueryValueExA 004316CB |. 85C0 test eax, eax 004316CD |. 75 73 jnz short 00431742 004316CF |. 8D4C24 78 lea ecx, dword ptr [esp+78] 004316D3 |. 8D5424 14 lea edx, dword ptr [esp+14] 004316D7 |. 51 push ecx 004316D8 |. 52 push edx 004316D9 |. E8 B2FEFFFF call 00431590 004316DE |. 83C4 08 add esp, 8 004316E1 |. 85C0 test eax, eax 004316E3 |. 74 5D je short 00431742 004316E5 |. 8B9424 E00000>mov edx, dword ptr [esp+E0] 004316EC |. BB 01000000 mov ebx, 1 004316F1 |. 85D2 test edx, edx 004316F3 |. 74 21 je short 00431716 004316F5 |. 8D7C24 14 lea edi, dword ptr [esp+14] 004316F9 |. 83C9 FF or ecx, FFFFFFFF 004316FC |. 33C0 xor eax, eax 004316FE |. F2:AE repne scas byte ptr es:[edi] 00431700 |. F7D1 not ecx 00431702 |. 2BF9 sub edi, ecx 00431704 |. 8BC1 mov eax, ecx 00431706 |. 8BF7 mov esi, edi 00431708 |. 8BFA mov edi, edx 0043170A |. C1E9 02 shr ecx, 2 0043170D |. F3:A5 rep movs dword ptr es:[edi], dword p> 0043170F |. 8BC8 mov ecx, eax 00431711 |. 83E1 03 and ecx, 3 00431714 |. F3:A4 rep movs byte ptr es:[edi], byte ptr> 00431716 |> 8B9424 E40000>mov edx, dword ptr [esp+E4] 0043171D |. 85D2 test edx, edx 0043171F |. 74 21 je short 00431742 00431721 |. 8D7C24 78 lea edi, dword ptr [esp+78] 00431725 |. 83C9 FF or ecx, FFFFFFFF 00431728 |. 33C0 xor eax, eax 0043172A |. F2:AE repne scas byte ptr es:[edi] 0043172C |. F7D1 not ecx 0043172E |. 2BF9 sub edi, ecx 00431730 |. 8BC1 mov eax, ecx 00431732 |. 8BF7 mov esi, edi 00431734 |. 8BFA mov edi, edx 00431736 |. C1E9 02 shr ecx, 2 00431739 |. F3:A5 rep movs dword ptr es:[edi], dword p> 0043173B |. 8BC8 mov ecx, eax 0043173D |. 83E1 03 and ecx, 3 00431740 |. F3:A4 rep movs byte ptr es:[edi], byte ptr> 00431742 |> 8B4C24 0C mov ecx, dword ptr [esp+C] 00431746 |. 51 push ecx ; /hKey 00431747 |. FF15 00804400 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey 0043174D 5F pop edi 0043174E 8BC3 mov eax, ebx 00431750 5E pop esi 00431751 5B pop ebx 00431752 81C4 D0000000 add esp, 0D0 00431758 \. C3 retn
可以发现这个函数是用来读取注册表中的name和key来通过call 00431590来判断name和key是否正确。
我们可以在函数结尾的mov eax, ebx 改成 mov al,1 来破解 (不可以改成mov eax,1因为mov eax,1占用5个字节,改后会覆盖后面的代码)