OllyDbg 使用笔记 (十六)

视频:小甲鱼 解密系列 视频


Resource Hacker下载地址:http://www.angusj.com/resourcehacker/reshack_cn_3.6.0.exe

此程序运行后会弹出一个 nag 窗口，可以从这个 nag 窗口入手，用 Resource Hacker 这个软件查找这个 nag 对话框的资源 ID（本文沿用教程的叫法称之为 hInstance）。



可以知道这个 nag 窗口的 hInstance 为 100（十进制，即十六进制 0x64）。把程序加载到 OD，搜索 push 0x64，也就是把这个 ID 作为参数压栈的指令。


在所有 push 0x64 上下断点。运行程序，找到产生 nag 窗口的那个 call，删除其它断点。观察这个 call 前面的代码，可以发现 je short 0040672E 可以跳过这个 call，而决定这个 je 跳不跳的是它前面的 call 00431650（je 依据该 call 的返回值来判断）。


在 call    00431650上面下断点,重新运行程序,进入call    00431650,查看代码

; ---------------------------------------------------------------------------
; sub_431650 (OllyDbg listing, x86-32 Windows): registration check driven by
; the registry. The listing is a debugger dump; addresses/opcodes are kept
; verbatim and only explanatory comments are added.
;
; Stack frame after `sub esp,0D0` + push ebx/esi/edi:
;   [esp+C]   = HKEY written by RegOpenKeyExA (lea eax,[esp] before the pushes)
;   [esp+10]  = in/out byte count for RegQueryValueExA (set to 0x64 = 100)
;   [esp+14]  = 100-byte buffer receiving the "RegName3" value
;   [esp+78]  = 100-byte buffer receiving the "RegCode3" value; it ends exactly
;               at the return-address slot ([esp+DC])
;   [esp+E0]  = arg1: caller buffer that receives the name (NULL = skip copy)
;   [esp+E4]  = arg2: caller buffer that receives the code (NULL = skip copy)
; `retn` carries no immediate, so the caller removes the arguments (cdecl-style).
;
; Returns eax = ebx: -1 (set at 0043166F) when the key or a value is missing or
; the validation in call 00431590 fails; 1 (set at 004316EC) when it passes —
; only on that path are the two strings copied to the caller's buffers.
;
; NOTE(review): neither RegQueryValueExA call checks the value type or that the
; returned data is NUL-terminated (pValueType is NULL, only the 100-byte cap is
; enforced). The strlen via `repne scas` at 004316F9/00431725 and the unbounded
; copy after it rely on a terminator being present, and the caller's buffers
; carry no size. Fine for a crackme write-up; not a pattern to reuse.
; ---------------------------------------------------------------------------
00431650  /$  81EC D0000000 sub     esp, 0D0
00431656  |.  8D4424 00     lea     eax, dword ptr [esp]
0043165A  |.  53            push    ebx
0043165B  |.  56            push    esi
0043165C  |.  57            push    edi
; RegOpenKeyExA(HKEY_CURRENT_USER, "Software\gamani\GIFMovieGear\2.0", 0, KEY_READ, &hKey)
; ebx = -1 is the default "not registered" result, set while the arguments are pushed.
0043165D  |.  50            push    eax                              ; /pHandle
0043165E  |.  68 19000200   push    20019                            ; |Access = KEY_READ
00431663  |.  6A 00         push    0                                ; |Reserved = 0
00431665  |.  68 F8B34400   push    0044B3F8                         ; |Subkey = "Software\gamani\GIFMovieGear\2.0"
0043166A  |.  68 01000080   push    80000001                         ; |hKey = HKEY_CURRENT_USER
0043166F  |.  83CB FF       or      ebx, FFFFFFFF                    ; |
00431672  |.  FF15 04804400 call    dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
; nonzero = error code -> go straight to cleanup with ebx = -1
00431678  |.  85C0          test    eax, eax
0043167A  |.  0F85 C2000000 jnz     00431742
; RegQueryValueExA(hKey, "RegName3", NULL, NULL, buf1=[esp+14], &size=[esp+10])
; eax is 0 on this path, so the two `push eax` pass NULL for pValueType/Reserved.
; [esp+28] after the six pushes is the size slot [esp+10]; it gets edi = 0x64 (100 bytes).
00431680  |.  8D4C24 10     lea     ecx, dword ptr [esp+10]
00431684  |.  8B35 08804400 mov     esi, dword ptr [<&ADVAPI32.RegQu>;  ADVAPI32.RegQueryValueExA
0043168A  |.  8D5424 14     lea     edx, dword ptr [esp+14]
0043168E  |.  51            push    ecx                              ; /pBufSize
0043168F  |.  52            push    edx                              ; |Buffer
00431690  |.  50            push    eax                              ; |pValueType
00431691  |.  50            push    eax                              ; |Reserved
00431692  |.  8B4424 1C     mov     eax, dword ptr [esp+1C]          ; |   hKey ([esp+C] before the pushes)
00431696  |.  BF 64000000   mov     edi, 64                          ; |
0043169B  |.  68 98D44400   push    0044D498                         ; |ValueName = "RegName3"
004316A0  |.  50            push    eax                              ; |hKey
004316A1  |.  897C24 28     mov     dword ptr [esp+28], edi          ; |   size = 100 (written after the pushes, before the call)
004316A5  |.  FFD6          call    esi                              ; \RegQueryValueExA
004316A7  |.  85C0          test    eax, eax
004316A9  |.  0F85 93000000 jnz     00431742
; RegQueryValueExA(hKey, "RegCode3", NULL, NULL, buf2=[esp+78], &size=[esp+10])
; same shape as above; the size slot is reset to 100 since the first call overwrote it.
004316AF  |.  8D4C24 10     lea     ecx, dword ptr [esp+10]
004316B3  |.  8D5424 78     lea     edx, dword ptr [esp+78]
004316B7  |.  51            push    ecx                              ; /pBufSize
004316B8  |.  52            push    edx                              ; |Buffer
004316B9  |.  50            push    eax                              ; |pValueType
004316BA  |.  50            push    eax                              ; |Reserved
004316BB  |.  8B4424 1C     mov     eax, dword ptr [esp+1C]          ; |
004316BF  |.  68 A4D44400   push    0044D4A4                         ; |ValueName = "RegCode3"
004316C4  |.  50            push    eax                              ; |hKey
004316C5  |.  897C24 28     mov     dword ptr [esp+28], edi          ; |
004316C9  |.  FFD6          call    esi                              ; \RegQueryValueExA
004316CB  |.  85C0          test    eax, eax
004316CD  |.  75 73         jnz     short 00431742
; call 00431590(buf1 /*name*/, buf2 /*code*/): the actual name/code validation.
; Its body is not in this listing; here a return of 0 means "invalid".
004316CF  |.  8D4C24 78     lea     ecx, dword ptr [esp+78]
004316D3  |.  8D5424 14     lea     edx, dword ptr [esp+14]
004316D7  |.  51            push    ecx
004316D8  |.  52            push    edx
004316D9  |.  E8 B2FEFFFF   call    00431590
004316DE  |.  83C4 08       add     esp, 8
004316E1  |.  85C0          test    eax, eax
004316E3  |.  74 5D         je      short 00431742
; validation passed: ebx = 1 (the return value).
; if arg1 != NULL: strcpy(arg1, buf1) — strlen via repne scas (ecx ends as len+1,
; so the NUL is copied too), then rep movsd for the dwords and rep movsb for the tail.
004316E5  |.  8B9424 E00000>mov     edx, dword ptr [esp+E0]
004316EC  |.  BB 01000000   mov     ebx, 1
004316F1  |.  85D2          test    edx, edx
004316F3  |.  74 21         je      short 00431716
004316F5  |.  8D7C24 14     lea     edi, dword ptr [esp+14]
004316F9  |.  83C9 FF       or      ecx, FFFFFFFF
004316FC  |.  33C0          xor     eax, eax
004316FE  |.  F2:AE         repne   scas byte ptr es:[edi]
00431700  |.  F7D1          not     ecx
00431702  |.  2BF9          sub     edi, ecx
00431704  |.  8BC1          mov     eax, ecx
00431706  |.  8BF7          mov     esi, edi
00431708  |.  8BFA          mov     edi, edx
0043170A  |.  C1E9 02       shr     ecx, 2
0043170D  |.  F3:A5         rep     movs dword ptr es:[edi], dword p>
0043170F  |.  8BC8          mov     ecx, eax
00431711  |.  83E1 03       and     ecx, 3
00431714  |.  F3:A4         rep     movs byte ptr es:[edi], byte ptr>
; if arg2 != NULL: strcpy(arg2, buf2), same idiom as above.
00431716  |>  8B9424 E40000>mov     edx, dword ptr [esp+E4]
0043171D  |.  85D2          test    edx, edx
0043171F  |.  74 21         je      short 00431742
00431721  |.  8D7C24 78     lea     edi, dword ptr [esp+78]
00431725  |.  83C9 FF       or      ecx, FFFFFFFF
00431728  |.  33C0          xor     eax, eax
0043172A  |.  F2:AE         repne   scas byte ptr es:[edi]
0043172C  |.  F7D1          not     ecx
0043172E  |.  2BF9          sub     edi, ecx
00431730  |.  8BC1          mov     eax, ecx
00431732  |.  8BF7          mov     esi, edi
00431734  |.  8BFA          mov     edi, edx
00431736  |.  C1E9 02       shr     ecx, 2
00431739  |.  F3:A5         rep     movs dword ptr es:[edi], dword p>
0043173B  |.  8BC8          mov     ecx, eax
0043173D  |.  83E1 03       and     ecx, 3
00431740  |.  F3:A4         rep     movs byte ptr es:[edi], byte ptr>
; common exit: RegCloseKey(hKey); eax = ebx (-1 or 1); restore registers and frame.
; All failure jumps land here, so the handle is closed on every path.
00431742  |>  8B4C24 0C     mov     ecx, dword ptr [esp+C]
00431746  |.  51            push    ecx                              ; /hKey
00431747  |.  FF15 00804400 call    dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
0043174D      5F            pop     edi
0043174E      8BC3          mov     eax, ebx
00431750      5E            pop     esi
00431751      5B            pop     ebx
00431752      81C4 D0000000 add     esp, 0D0
00431758  \.  C3            retn

        可以发现这个函数打开 HKEY_CURRENT_USER\Software\gamani\GIFMovieGear\2.0，读取其中的 RegName3 和 RegCode3 两个值（各最多 100 字节，存入栈上缓冲区），再把这两个字符串交给 call 00431590 判断 name 和 key 是否匹配。匹配时 ebx 被置为 1，并把 name 和 key 复制到调用者传入的两个缓冲区（[esp+E0]、[esp+E4]）；任何一步失败则 ebx 保持 0043166F 处设置的 -1。函数最后 mov eax, ebx，即以 eax 返回 -1（未注册）或 1（已注册），调用处的 je 就是根据这个返回值决定是否弹出 nag。

        我们可以把函数结尾的 mov eax, ebx（机器码 8B C3，2 字节）改成 mov al,1（B0 01，同样 2 字节）来破解。不可以改成 mov eax,1，因为 mov eax,1 的机器码 B8 01 00 00 00 占 5 个字节，改后会覆盖后面的 pop esi / pop ebx / add esp,0D0，破坏栈平衡。mov al,1 只改低 8 位，但无论 eax 高位是什么，结果都非零，对只做 test eax,eax 的调用者来说足够。需要注意的是：这样改只让返回值变成"已注册"，004316F5–00431740 处把 name/key 复制到调用者缓冲区的代码只在真正校验通过时执行，打补丁后这两个缓冲区不会被填充；如果程序后面还会使用它们，可以改为把 004316E3 处的 je short 00431742（74 5D）NOP 掉（90 90），让校验失败也走成功路径，或者直接把调用处的 je short 0040672E 改成 jmp 跳过 nag。以上仅用于学习分析 crackme。
