Modify existing procedures into Keygen

zhaozj2021-02-16  97

Modify existing procedures into keygendoskey [nuke group]

Cracker for KEYGEN can have encountered this situation: the algorithm that generates the registration code is very complicated. Although the entire algorithm can be reversed, it takes a long time. When the program has a function of a registration code, we can use the program's internal scale function to achieve our own keygen to achieve the effect of four or two dials. The target program is a domestic mobile phone write code software. The program requires the program request to enter the username and registration code based on the machine code. After scanning with FI scans, I learned that the target software has no shell, written with VC6, currently small domestic software does not housing, it seems that we are lucky, omitting the step of shelling. Next, we load target software with ollydbg, and F9 runs. Enter the username "doskey" and registration code U20-1111111111111, point OK, and pop up the prompt window with "registration failure!". Regardless of it, switch back to OLLYDBG Press F12 to pause at the main thread. Then press CTRL F12 until the OLLYDBG status is "Till Return", switch the determination button to the target program point message box.

The process of the target program is again suspended by Ollydbg. It has been pressing Ctrl F12 to return to the main thread. We come here: 0042675F / $ 55 Push EBP00426760 |. 8BEC MOV EBP, ESP00426762 |. E8 91140000 Call 2210.00427BF800426767 |. 8b40 04 MOV EAX, DWORD PTR DS: [EAX 4] 0042676A |. 85c0 Test Eax, EAX0042676C |. 74 15 Je Short 2210.004267830042676E |. FF75 10 Push DWORD PTR SS: [EBP 10] 00426771 |. 8b10 MOV EDX, DWORD PTR DS: [EAX] 00426773 |. 8bc8 MOV ECX, EAX00426775 |. FF75 0C Push DWORD PTR SS: [EBP C] 00426778 |. FF75 08 PUSH DWORD PTR SS: [EBP 8] 0042677B |. FF92 8C000000 Call DWORD PTR DS: [EDX 8C] 00426781 |. EB 10 JMP Short 2210.00426793 <= Return here, the above is called the MessageBox display message box Call00426783 |> FF75 10 Push DWORD PTR SS: [EBP 10]; / arg300426786 |. 33c9 XOR ECX, ECX; | 0042678 . 8 | FF75 0C PUSH DWORD PTR SS: [EBP C]; | Arg20042678B | FF75 08 PUSH DWORD PTR SS: [EBP 8]; | Arg10042678E | E8 E5FEFFFF CALL 2210.00426678; /2210.0042667800426793 |> 5D POP EBP00426794 /.. C2 0C00 RETN 0C is obviously only a sub-function that displays the indirect message box, Ctrl F12 returns to this place: 00403815> 6A 00 Push 0; / arg3 = 0000000000403817. 6a 00 push 0; | arg2 =

0000000000403819 68 14844300 PUSH 2210.00438414; |. Arg1 = 004384140040381E E8 3C2F0200 CALL 2210.0042675F; /2210.0042675F00403823 8BCD MOV ECX, EBP00403825 E8 36000000 CALL 2210.004038600040382A> 8BCD MOV ECX, EBP <= return here 0040382C E8 9AC40100 CALL 2210.0041.... FCCB00403831. 8D4C24 10 LEA ECX, DWORD PTR SS: [ESP 10] See 438414h in 403819H is "Registration Failure!", It seems that we have not far from comparing the registration code. See ">" in front of 403815H, explained that there is a statement jump here. Select 403815h this statement on the front of this statement, OllyDbg the Information column shows "Jump from 004037E2", we came to office 4037E2h:... 004037DB E8 5AFB0100 CALL 2210.0042333A004037E0 84DB TEST BL, BL004037E2 74 31 JE SHORT 2210.00403815 <= put here NOP broke down this Call is a place where the registration code is compared. We took the 4037 E2H statement NOP to blast. But we are not this result. It was the time when the killer tool IDA of Cracker was. Open the target program with IDA. After the IDA is analyzed, press the G to jump to 4037dBH. Turn on the top 4036a0h of this function, here is where we want to analyze:

.text: 004036A0 sub_4036A0 proc near; DATA XREF: .rdata: 0042DA8Co.text: 004036A0 .text: 004036A0 var_1C = dword ptr -1Ch.text: 004036A0 var_18 = dword ptr -18h.text: 004036A0 var_14 = dword ptr -14h. text: 004036A0 var_10 = dword ptr -10h.text: 004036A0 var_C = dword ptr -0Ch.text: 004036A0 var_4 = dword ptr -4.text: 004036A0 .text: 004036A0 000 mov eax, large fs: 0.text: 004036A6 000 push 0FFFFFFFFh.text: 004036A8 004 push offset loc_42ADE8.text: 004036AD 008 push eax.text: 004036AE 00C mov large fs: 0, esp.text: 004036B5 00C sub esp, 10h.text: 004036B8 01C push ebx.text: 004036B9 020 Push ebp.text: 004036BA 024 Push ESITETET: 004036BB 028 Push Edi.Text: 004036BC 02C MOV EBP, ECX.Text: 004 036BE 02C PUSH 1.Text: 004036C0 030 Call fun_updatedata (); refresh data, cdialog :: updatedata (). TEXT: 004036C5 02C MOV EAX, [EBP 60H] .Text: 004036C8 02C LEA EDI, [EBP 60H]. TEXT: 004036CB 02C CMP DWORD PTR [EAX-8], 10h : 004036D3 030 Push 0.Text: 004036D5 034 PUSH OFFSET AVSIDA; "Registration Code Length Error!". Text: 004036DA 038 CALL FUN_MESSAGEBOX; Prompt Registration Code Length Error .Text: 004036DF 02C MOV ECX, [ESP 2CH

var_C] .text: 004036E3 02C mov large fs: 0, ecx.text: 004036EA 02C pop edi.text: 004036EB 028 pop esi.text: 004036EC 024 pop ebp.text: 004036ED 020 pop ebx.text: 004036EE 01C add esp, 1ch.Text: 004036f1 000 retn.text: 004036F2; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ .text: 004036F2 .text: 004036F2 loc_4036F2:; CODE XREF: sub_4036A0 2Fj.text: 004036F2 02C mov ecx, [ebp 64h] .text: 004036F5 02C push 0.text: 004036F7 030 cmp dword ptr [ecx-8] , 5; compare whether the user name is greater than 5 characters, larger than jumping, otherwise the prompt is displayed and end .Text: 004036fb 030 JG Short Loc_40371c.text: 004036FD 030 Push 0.Text: 004036FF 034 PUSH Offset AVSZDJ5; "Registered user name length Should be greater than 5! ". Text: 00403704 038 Call Fun_MessageBox.Text: 00403709 02C MOV ECX, [ESP 2CH VAR_C]. text: 0040370D 02C mov large fs: 0, ecx.text: 00403714 02C pop edi.text: 00403715 028 pop esi.text: 00403716 024 pop ebp.text: 00403717 020 pop ebx.text: 00403718 01C add esp, 1Ch.text : 0040371B 000 RETN; TIME_T * ========================================== The code may be nothing, but I don't know if you find it.

[EBP 60] is the address of the registration code, and then the address of the registration code is 8 is the length of the registration code. Username is [EBP 64] is the string address of the username, the address of the username is 8 is the length of the username. Similarly, you can get the address of the machine code [EBP 5C]. These are very critical data. =========================================

.Text: 0040371C; ━━━━━━━━━━━━━━━━━━━━━━━━━..━.━━━━━━..text: 0040371C .Text: 0040371C loc_40371C:; CODE XREF: sub_4036A0 5Bj.text: 0040371C 030 call _time; get the system time .text: 00403721 030 push eax; unsigned int.text: 00403722 034 call _srand; the system time to do SEED.text: 00403727 034 add ESP, 8.Text: 0040372A 02C Call_Rand; Generate random number .Text: 0040372F 02c MOV BL, Al; Al; Al; is random number .Text: 00403731 02C Push EDI.TEXT: 00403732 030 LEA ECX, [ESP 30H var_1c ] .text: 00403736 030 MOV BYTE PTR [ESP 30H VAR_14], BL; Save random number to temporary variables .Text: 0040373A 030 Call fun_getbuf; take buffer .Text: 0040373F 02c MOV Eax, [EDI]; EDI = Registration code address .TEXT: 00403741 02C MOV ESI, 4; initialization for loop control variable, no operation "u20 -". Text: 00403746 02C MOV [ESP 2CH VAR_4], 0.Text: 0040374E 02C CMP [EAX-8], ESI; into the first comparison of the loop, [EAX-8] is the registration code length .Text: 00403751 02C Jle Short Loc_403789 .Text: 00403753 .Text: 00403753 Loc_403753:; code Xref: SUB_4036A0 E7J.TEXT: 00403753 02C MOV Al, [EAX ESI]; Net in the registration code is the character of ESI ESI .Text: 00403756 02C MOV DL, BL; BL is the random number, DL is the calculation variable .Text: 00403758 02c and DL, 7FH; retention low 7 bits .Text: 0040375B 02C MOV ECX, EDI .TEXT: 0040375D 02C XOR DL, Al; Registration code characters and random The number is different or the operation,

The result is in DL.Text: 0040375F 02C Add DL, 20H; Computing result plus 20H.TEXT: 00403762 02C MOV BYTE PTR [ESP 2CH VAR_18], DL; save operation results to temporary variables .Text: 00403766 02C MOV EAX [ESP 2CH VAR_18]; Take it back to prepare the stack .Text: 0040376A 02C Push EAX; after pressing the calculation result .Text: 0040376B 030 Push ESI; pinch position .TEXT: 0040376C 034 Call? sett @ cstring @ @ Qaexhd @ z; cstring :: setat (int, char); call cstract :: setat () Replace the character in the original registration code .Text: 00403771 02C Inc BL; Random number plus 1.Text: 00403773 02C Test BL If the random is equal to one jump to 40377f .Text: 00403776 02C JZ Short Loc_40377f.text: 00403778 02C SHR BL, 1; right shift .Text: 0040377A 02c or BL, 80H; logic plus 80h.Text: 0040377d 02C JMP Short Loc_403781.Text: 0040377F; ━━━━━━━━━━━━━━━━━━━━━━━━━..━━━━.......━.......... 0040377f .text: 0040377F LOC_40377F: ; CODE XREF: sub_4036A0 D6j.text: 0040377F 02C shr bl, 1; right .text: 00403781 .text: 00403781 loc_403781:; CODE XREF: sub_4036A0 DDj.text: 00403781 02C mov eax, [edi] .text: 00403783 02C Inc ESI; For the third part of the FOR cycle, the control variable plus one .Text: 00403784 02C CMP ESI, [EAX-8]; the second part of the for loop, whether the control variable is less than the registration code length, and continue to cycle, Otherwise, leave the loop .Text: 00403787 02C JL Short Loc_403753.Text: 00403789 .text: 00403789 LOC_403789:; code Xref: SUB_4036A0 B1J =========

=============================== The FOR cycle here will be encoded. For the back of the next comparison is not direct, but doing this is not high.

Look, you will know later:) ================================================. Text : 00403789 02C MOV ECX, [ESP 2CH VAR_14]; Requires the random number of just protected .Text: 0040378D 02C LEA EDX, [EBP 5CH]; picking machine code .Text: 00403790 02C Push Ecx.Text: 00403791 030 Push ECX; Press the random number .Text: 00403792 034 MOV ECX, ESP ;.Text: 00403794 034 MOV [ESP 34H VAR_14], Esp.Text: 00403798 034 Push Edx.Text: 00403799 038 Call Fun_GetBuf; Code Cushion .Text: 0040379E 034 Push ECX; Pressing machine code .Text: 0040379f 038 Lea ESI, [EBP 64H] .Text: 004037A2 038 MOV ECX, ESP.TEXT: 004037A4 038 MOV [ESP 38H VAR_10], ESP .Text: 004037A8 038 Push ESI; pressing user name .Text: 004037A9 03c MOV BYTE PTR [ESP 3CH VAR_4], 1.Text: 004037AE 03c Call fun_getbuf.text: 004037B3 038 Lea EAX, [ESP 38H var_18 ] .text: 0040 37B7 038 MOV ECX, EBP.TEXT: 004037B9 038 PUSH EAX; Press to save the correct coded temporary space .Text: 004037BA 03C MOV BYTE PTR [ESP 3CH VAR_4], 0.Text: 004037BF 03C Call FUN_MAIN =======================

================= This Call is calculated to calculate the correct encoded registration code.

Here is the calculation function to use! We look at the contents of the stack before entering CALL: 0012F904 0012F928 | Arg1 = 0012F928 <= temporary space 0012F908 00936F38 | Arg2 = 00936F38 ASCII "DOSKEY" <= username 0012F90C 00936EE8 | Arg3 = 00936EE8 ASCII "0000E87C1C92" <= machine code 0012F910 000000CE / Arg4 = 000000 CE <= random number, encoding ===================================== ===. TEXT: 004037C4 02C MOV EAX, [EAX]; saved in Eax is the correct encoded registration code. TEXT: 004037C6 02c MOV EDI, [EDI]; we entered the registration code, encoded .Text: 004037C8 02C Push EAX; Press the correct .Text: 004037C9 030 Push EDI; press us .Text: 004037CA 034 Call __MBscmp; Comparison .Text: 004037CF 034 Add ESP, 8.Text: 004037D2 02C LEA ECX [ESP 2CH VAR_18] .Text: 004037D6 02C Test Eax, Eax.Text: 004037D8 02C Setz Bl.Text: 004037DB 02C Call Sub_42333A.TEXT: 004037E0 02C Test BL, BL; If not the same, jump, display "Registration Failure ".Text: 004037E2 02C JZ Short Loc_403815.Text: 004037E4 02C push ecx.text: 004037E5 030 mov ecx, esp.text: 004037E7 030 mov [esp 30h var_10], esp.text: 004037EB 030 push esi.text: 004037EC 034 call FUN_GetBuf.text: 004037F1 030 push ecx.text: 004037f2 034 Lea EDX, [ESP

34H VAR_1C] .Text: 004037F6 034 MOV ECX, Esp.Text: 004037F8 034 MOV [ESP 34H VAR_14], ESP.TEXT: 004037FC 034 Push Edx.Text: 004037FD 038 MOV BYTE PTR [ESP 38H VAR_4] , 2.Text: 00403802 038 Call fun_getbuf.text: 00403807 034 MOV ECX, EBP.TEXT: 00403809 034 MOV BYTE PTR [ESP 34H VAR_4], 0.Text: 0040380E 034 CALL SUB_402950; Save the registration code to the registry In the next startup, check .Text: 00403813 02C JMP Short Loc_40382a.text: 00403815; ━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━.text: 00403815 .text: 00403815 loc_403815:; CODE XREF: sub_4036A0 142j.text: 00403815 02C push 0.text: 00403817 030 push 0.text: 00403819 034 push offset aVSZ; " Registration failed! ". Text: 0040381e 038 call fun_messagebox.text: 00403823 02c MOV ECX, EBP.TEXT: 00403825 02C call sub_403860.text: 0040382A .text: 0040382A loc_40382A:; CODE XREF: sub_4036A0 173j.text: 0040382A 02C mov ecx, ebp.text: 0040382C 02C call OnOK @ CDialog @@ MAEXXZ; CDialog :: OnOK (void)?. text: 00403831 02C lea ecx, [esp 2Ch var_1C] .text: 00403835 02C mov [esp 2Ch var_4], 0FFFFFFFFh.text: 0040383D 02C call sub_42333A.text: 00403842 02C mov ecx, [esp 2Ch

var_C] .text: 00403846 02C pop edi.text: 00403847 028 pop esi.text: 00403848 024 pop ebp.text: 00403849 020 mov large fs: 0, ecx.text: 00403850 020 pop ebx.text: 00403851 01C add esp, 1ch.Text: 00403854 000 retn.text: 00403854 SUB_4036A0 endp.text: 00403854 .Text: 00403854; ━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━, we have already analyzed the process of comparison. Probably this: 1, generate random number 2, encoding the input registration code 3, generate the correct encoded registration code based on the input registration code, user name, machine code, and random number. 4. Compare whether the encoded registration code is the same. If you do different, you will be prompted. Otherwise, register successfully.

Let's take a look at the function of generating the registration code at 4037 bfh. We jump to 402A30H. sweat. The variable is more than one hundred, the code has a lot of 1.8k bytes. We can only find shortcuts. Turn down here: .text: 004030B8 LOC_4030B8:; Code Xref: fun_main 6acj.text: 004030B8 18C MOV CL, BYTE PTR [ESP ESI 18CH VAR_158] .text: 004030BC 18C MOV DL, Al.Text : 004030BE 18C and DL, 7fh.Text: 004030C1 18C XOR DL, CL.TEXT: 004030C3 18C Add DL, 20H.Text: 004030C6 18C Inc Al.Text: 004030C8 18C Test Al, 1.Text: 004030CA 18C MOV BYTE PTR [ esp esi 18Ch var_158], dl.text: 004030CE 18C jz short loc_4030D6.text: 004030D0 18C shr al, 1.text: 004030D2 18C or al, 80h.text: 004030D4 18C jmp short loc_4030D8.text: 004030D6; ━ ━━━━━━━━━━━━━━━━━━━━━━━━━━..━━━━━━━━.................Text: 004030D6 LOC_4030D6:; Code Xref : Fun_main 69ej.text: 004030D6 18C SHR Al, 1.Text: 004030D8 .TEXT: 004030D8 Loc_4030d8:; code xref: fun_main 6a4j.text: 004030d8 18c incni.text: 004030d9 18C CMP ESI, 0ch.Text: 004030DC 18C JL SHORT LOC_4030B8 found no? And the FOR cycle of our previous analysis is exactly the same, only this code is a direct operation of memory. We tracked to 4030b8h with ollydbg. ESP ESI 18CH VAR_158 is the correct registration code without "U20-". Then: .text: 004030f9 18C Push ECX.TEXT: 004030FA 190 Push Offset AU20; "U20 -". Text: 004030ff 194 Push EDX.TEXT: 00403100 198 CALL SUB_4235CF This function connects "U20-" and encoded registration code Correctly encoded registration code.

The final function returns the address of this string. With OLLYDBG to 4030b8h, the code 4030B8H to 4030DCH is filled into NOP. We will continue to run, this function returns the correct uncoiled registration code. All right. It is already done here. We want to start DIY this program :) First, back up the original file, to prevent everyone. Then we want to modify the dialog to accept the input machine code. Use Resource Hacker to open the target program, find the 2052 code page of the dialog resource 1160, point the dialog box, select the EDIT control of the machine code, remove the ES_READOONLY property in the editor, save exit. Modify the log for the registration code, it can generate uncoded registration codes. Use the HIEW to open the target program, populate 4030b8h to 4030dch data into 90h, save exit. Use Lordpe to open the target file, click ".." in the introduction table in the directory, right-click Add the introduction table, add two API functions we want to use, one is the USER32's FindWindowa and USER32's setdlgitemtexta. Finally, we have started to do the main modifications, but the target program can display the registration code yourself. Use ollydbg to open the target program that has just been modified. CTRL G jumps to 4036C5H (4036C5H is a place to refresh data), F2 break, then F9 runs the target program. Just enter the username and registration code, and is interrupted by the ollydbg after point OK. Click Right-click, select Search for / Name (Label) in Current Module in the context menu to find the address of FindWindowa, SetdlgiteMtexta, VirtualAlloc, VirtualFree. Below I want to call these APIs to write: Call [API Address], these addresses are the address in the introduction table, if not called, the program cannot cross the platform. Asked what? Take a look at the detailed explanation of the PE format. Select the code 4036C5H to 40371BH, right click, select Binary / Fill with NOPS in the upper and lower question menu, populate the code behind this function to NOP. Then we enter the following code by line:

004036A0. 64: A1 00000000 MOV EAX, DWORD PTR FS: [0] 004036A6. 6A FF PUSH-1004036A8. 68 E8AD4200 PUSH Copy_221.0042ade 8004036AD. 50 PUSH EAX004036AE. 64: 8925 0000000> Mov DWORD PTR FS: [0], ESP004036B5. 83EC 10 SUB ESP, 10004036B8. 53 PUSH EBX004036B9. 55 PUSH EBP004036BA. 56 PUSH ESI004036BB. 57 PUSH EDI004036BC. 8BE9 MOV EBP, ECX004036BE. 6A 01 PUSH 1004036C0. E8 B4E80100 CALL copy _221.00421F79 ======= ========================= The above is the original code ==================== ========================004036C5. 8b45 64 MOV EAX, DWORD PTR [EBP 64]; acquire username address 004036C8. 8b58 F8 MOV EBX, DWORD PTR [EAX-8], acquisition user name length 004036cb. 83fb 05 CMP EBX, 5; whether the length is greater than 5, otherwise the prompt string is displayed using the 42675FH function in the original code, and terminates the function 004036CE. 7f 21 JG Short Component_221.004036f1004036d0. 6A 00 PUSH 0; / arg3 = 0000000000000000004036D2. 6A 00 push 0; | arg2 = 0000000000004036D4 - Database & Sql Blog Articles

/ Copy _221.0042675F004036DE 8B4C24 20 MOV ECX, DWORD PTR [ESP 20] 004036E2 64:.. 890D 0000000> MOV DWORD PTR FS:.... [0], ECX004036E9 5F POP EDI004036EA 5E POP ESI004036EB 5D POP EBP004036EC 5B POP EBX004036ED. 83C4 1C Add ESP, 1C004036F0. C3 Retn ====================================== User name length OK Jump to the following Come ====================================================================================================================================================================================================================================================】

By reasoning, you can write directly to save the registration code, then use Updatedata (false) to write to the interface, but I have not passed many times, so using a relatively low-level method: p004036f1> 6a 04 PUSH 4; / protect = page_readwrite Readable 004036F3. 68 00100000 PUSH 1000; | ALLOCATIONTYPE = MEM_COMMIT submission 004036F8. 6A 11 Push 11; | SIZE = 11 (17.) Length 17, do not forget the string 0004036fa. 6A 00 Push 0; | address = null address null, does not specify address 004036FC. FF15 B4D24200 Call DWORD PTR [<& kernel32.virtualalloc>]; / virtualalloc allocates memory, address 00403702. 8BD0 MOV EDX, EAX00403704. 52 Push EDX; Assign The rear address saves stack protection, for the back release 00403705. 6a 00 push 0; / arg4 = 00000000; Pressing parameter 4, random number, because we have dropped the random number above, so we can press it casually A value 00403707 8B45 5C MOV EAX, DWORD PTR [EBP 5C]; | 0040370A. 50 PUSH EAX; | ARG3; Pressing parameter 3, machine code 0040370B. 8B45 64 MOV EAX, DWORD PTR [EBP 64]; | 0040370E. 50 Push Eax; | Arg2; Press Parameter 2, User Name 0040370F. 52 Push EDX; | ARG1; Pressed Parameter 1,

We allocate memory 00403710 E8 1BF3FFFF CALL copies _221.00402A30;. / Copies _221.00402A30; key operator function code, the address registration code in EAX 00403715 8B00 MOV EAX, DWORD PTR [EAX];. Directivity returned License String address, let's get back ========================================================================================================================================================================================================================================= Display back edit box ==============================================00403717. 50 push eax; / text; just now Retrieved sequence number 00403718. 68 32040000 Push 432; | ControlID = 432 (1074.); ID of the registration code editing box, this ID can be obtained with ollydbg or reshacker 0040371D. 68 53374000 Push copy _221.00403753; | / Title = "Swreg"; find the title of the main window, this string is modified by our own, in this function, the last is the last 00403722. 6a 00 push 0; || Class = 0; Class No, Pressing 000404400 Call DWORD PTR [<& user32.findWindowa>]; | / findwindowa; find the main window handle to save 0040372A. 50 Push Eax; | HWND; Press the main window handle 0040372b. FF15 27904400 Call DWORD PTR [<& user32.setdlgitemtexta>]; / setdlgitemtexta; call this API settings dialog project text 00403731. 58 Pop Eax; popping us , Our own memory space of the memory space,

Prepare release 00403732. 68 00400000 Push 4000; / freetype = MEM_DECOMMIT; one to one 00403737. 6A 11 push 11; | size = 11 (17.); length 00403739. 50 push eax; | address; address 0040373a. Ff15 b4d14200 call dword PTR [<& kernel32.virtualfree>]; / virtualfree; release ================================================================================================== Code of 403842H to 403854H ===============================================00403740. 8b4c24 20 MOV ECX , DWORD PTR [ESP 20] 00403744 64:. 890D 0000000> MOV DWORD PTR FS:.... [0], ECX0040374B 5F POP EDI0040374C 5E POP ESI0040374D 5D POP EBP0040374E 5B POP EBX0040374F 83C4 1C ADD ESP, 1C00403752 C3.. Retn00403753. 53 57 20 52 65> ASCII "SW register", 0; window title string to here we have already begun Steps will be modified. Then we save it. Right-click, select Copy to Executable / All Modifications in the context menu, and then select Save File to save in the pop-up. Test it, it feels good. Do a decoration, change the title name, and put a propaganda text into the following picture.

I haven't written articles for a long time. If there is a mistake or insufficient, please hit.

By the way :) Undertake all kinds of software development, encrypted decryption, reverse analysis project http://www.eawtfos.comhttp://www.eawtfos.net

转载请注明原文地址:https://www.9cbs.com/read-11279.html

New Post(0)