Easy Pediy
[Target]: Cyclotron's skin care treasure (IDT Protector 1.0)
[Tools]: OllyDbg 1.1 (DIY version), LordPE
[Task]: Adding a small function to the program; very simple
[Platform]: Windows XP SP2
[Author]: loveboom [DFCG] [FCG] [US]
[Brief Description]: Those who often unpack programs should be familiar with this software; I use it a lot, since it works on Windows XP and can save the IDT to a file. Sometimes, though, something goes wrong and I have to delete its registry key by hand, which I find inconvenient, so I want the program to delete it itself. (That is: if the leftover information in the registry is not cleared, the program reports an error but does not ask whether to delete it, so we DIY that ourselves ^_^)
[Detailed Procedure]:
Before starting, let's be clear about what functions we are adding and which "tools" we will use.
The functions we have to add are:
1. Delete the registry key;
2. Let the user choose whether to restart the system immediately.
First problem: deleting the registry key.
To delete a registry key we need these APIs:
RegOpenKeyExA
RegDeleteKeyA
RegCloseKey
The program has no registry operations of its own, so we have to add the imports by hand. To do that we also need the key names, so we write the relevant key strings into the program. I added them at the following locations:
Registry-deletion APIs:
  RVA    API
  703B   RegOpenKeyExA
  703F   RegDeleteKeyA
  7043   RegCloseKey
Registry key names:
  RVA    Information
  6EB0   "Enum" (child key)
  6EB5   "Security" (child key)
  6E60   "System\CurrentControlSet\Services\IDTPROT" (main key)
OK, that solves the first problem.
Second problem: prompting and restarting.
To prompt the user we use the MessageBoxA API; for it we have to add two strings, a title and the text.
If the user chooses to restart, be careful: you can't simply call ExitWindowsEx(EWX_REBOOT, 0), because on this system you must hold the shutdown privilege first. Adding the privilege code directly to the program is rather troublesome, so I chose to write the function into a DLL of my own and call it directly from the program.
Message box strings:
  RVA    Information
  6E90   "Restart your computer now?"
  6EBE   "Information"
Message box and restart APIs:
  RVA    API
  205C   MessageBoxA
  8014   Reboot (this is my own DLL's exported function)
After collecting this information we get to work: add the imports with LordPE and write the strings with a hex editor. You can write the DLL yourself or refer to mine.
Load the program in OD and first find the location of the error. The program is small, so it can be found directly in the CPU window. Find the following location:
004011DF  |> \6A 10           PUSH 10                          ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011E1  |.  6A 00           PUSH 0                           ; |Title = NULL
004011E3  |.  68 BF304000     PUSH 004030BF                    ; |Text = "Can't register driver!
                                                               ;         Try to delete
                                                               ;         HKLM\System\CurrentControlSet\Services\IDTPROT
                                                               ;         and restart your computer..."
004011E8  |.  FF75 08         PUSH DWORD PTR SS:[EBP+8]        ; |hOwner
004011EB  |.  E8 A4040000     CALL
After finding it, we see that the original program only has an OK button; I want to be able to choose whether to delete the registry key. So change it to:
004011DF  |> \6A 14           PUSH 14                          ; /Style = MB_YESNO|MB_ICONHAND|MB_APPLMODAL
004011E1  |.  6A 00           PUSH 0                           ; |Title = NULL
004011E3  |.  68 BF304000     PUSH 004030BF                    ; |Text = "Can't register driver!
                                                               ;         Try to delete 'HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\IDTPROT'?"
004011E8  |.  FF75 08         PUSH DWORD PTR SS:[EBP+8]        ; |hOwner
004011EB  |.  E8 A4040000     CALL
004011F0  |.  E9 EB040000     JMP 004016E0                     ; jump to our own code
004011F5      90              NOP
For the specific flag values you can refer to MSDN.
Our own code begins here:
004016E0  |> \83F8 06         CMP EAX,6                        ; was the Yes button pressed?
004016E3  |.  74 0B           JE SHORT 004016F0                ; if so, run the registry-deletion code
004016E5  |>  FF35 E0374000   PUSH DWORD PTR DS:[4037E0]       ; otherwise return to the original program
004016EB  |. ^E9 06FBFFFF     JMP 004011F6
004016F0  |>  68 00184000     PUSH 00401800                    ; /pHandle = IDTPROTM.00401800
004016F5  |.  68 3F000F00     PUSH 0F003F                      ; |Access = KEY_ALL_ACCESS
004016FA  |.  6A 00           PUSH 0                           ; |Reserved = 0
004016FC  |.  68 606E4000     PUSH 00406E60                    ; |Subkey = "System\CurrentControlSet\Services\IDTPROT"
00401701  |.  68 02000080     PUSH 80000002                    ; |hKey = HKEY_LOCAL_MACHINE
00401706  |.  FF15 3B704000   CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExA>]   ; \open the registry key
0040170C  |.  68 B06E4000     PUSH 00406EB0                    ; /Subkey = "Enum": delete the Enum child
00401711  |.  FF35 00184000   PUSH DWORD PTR DS:[401800]       ; |hKey = 0
00401717  |.  FF15 3F704000   CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteKeyA>]   ; \RegDeleteKeyA
0040171D  |.  68 B56E4000     PUSH 00406EB5                    ; /Subkey = "Security": delete the Security child
00401722  |.  FF35 00184000   PUSH DWORD PTR DS:[401800]       ; |hKey = 0
00401728  |.  FF15 3F704000   CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteKeyA>]   ; \RegDeleteKeyA
0040172E  |.  68 10184000     PUSH 00401810                    ; /RegDeleteKey cannot delete a key that still has subkeys, so the children had to be deleted first
00401733  |.  FF35 00184000   PUSH DWORD PTR DS:[401800]       ; |hKey = 0
00401739  |.  FF15 3F704000   CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteKeyA>]   ; \RegDeleteKeyA
0040173F  |.  FF35 00184000   PUSH DWORD PTR DS:[401800]       ; close the key after deleting
00401745  |.  FF15 43704000   CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>]     ; \RegCloseKey
0040174B  |.  6A 21           PUSH 21                          ; /Style: ask whether to restart immediately
0040174D  |.  68 BE6E4000     PUSH 00406EBE                    ; |Title = "Information"
00401752  |.  68 906E4000     PUSH 00406E90                    ; |Text = "Restart your computer now?"
00401757  |.  FF75 08         PUSH DWORD PTR SS:[EBP+8]        ; |hOwner
0040175A  |.  FF15 5C204000   CALL DWORD PTR DS:[<&USER32.MessageBoxA>]       ; \MessageBoxA
00401760  |.  83F8 02         CMP EAX,2                        ; was Cancel pressed?
00401763  |. ^74 80           JE SHORT 004016E5                ; if so, return to the original flow
00401765  |.  FF35 E0374000   PUSH DWORD PTR DS:[4037E0]       ; close first, then restart
0040176B  |.  E8 42FFFFF      CALL
00401770  |.  FF15 14804000   CALL DWORD PTR DS:[408014]       ; call the reboot function in our own DLL
00401776  |. ^E9 B1FEFFFF     JMP 0040162C                     ; could be omitted, since the system is already restarting
After writing this code, we save the file.
OK, I'll stop here. The article contains nothing the masters don't already know, and it has little reference value.
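When patching by hand like this, the easiest mistake to make is a wrong rel8/rel32 displacement, since it is counted from the end of the branch instruction. The following Python is an added check that is not part of the original article: it re-encodes the JMP/JE branches from the listing above (addresses and bytes transcribed from it; the opcode tables are the standard x86 encodings) and reports any whose bytes do not land on the stated target, including the `74 80` at 00401763, which sits exactly at the rel8 limit.

```python
"""Re-check the hand-encoded relative branches in the OllyDbg listing above."""
import struct

# Standard x86 encodings for the branch forms used in the patch.
SHORT_OPS = {"jmp": b"\xeb", "je": b"\x74", "jne": b"\x75"}   # opcode + rel8
NEAR_OPS = {"jmp": b"\xe9", "call": b"\xe8"}                    # opcode + rel32
NEAR_JCC = {"je": b"\x0f\x84", "jne": b"\x0f\x85"}              # 0F 8x + rel32


def encode_branch(src, target, mnemonic, short=False):
    """Bytes for a branch at VA `src` that transfers control to VA `target`.

    The displacement is relative to the end of the instruction, which is why
    the rel32 of the JMP at 004011F0 is 4016E0 - 4011F5 = 4EB.
    """
    if short:
        rel = target - (src + 2)
        if not -128 <= rel <= 127:
            raise ValueError(f"rel8 out of range ({rel}); use a near form")
        return SHORT_OPS[mnemonic] + struct.pack("<b", rel)
    op = NEAR_OPS.get(mnemonic) or NEAR_JCC[mnemonic]
    return op + struct.pack("<i", target - (src + len(op) + 4))


def decode_branch(src, code):
    """Return (mnemonic, target VA) for the branch whose bytes start `code`."""
    for table, fmt in ((SHORT_OPS, "<b"), (NEAR_OPS, "<i"), (NEAR_JCC, "<i")):
        for name, op in table.items():
            if code.startswith(op):
                size = len(op) + struct.calcsize(fmt)
                (rel,) = struct.unpack(fmt, code[len(op):size])
                return name, src + size + rel
    raise ValueError("not a recognised relative branch")


# (VA, bytes, mnemonic, intended target), transcribed from the listing above.
PATCHES = [
    (0x4011F0, bytes.fromhex("E9EB040000"), "jmp", 0x4016E0),
    (0x4016E3, bytes.fromhex("740B"), "je", 0x4016F0),
    (0x4016EB, bytes.fromhex("E906FBFFFF"), "jmp", 0x4011F6),
    (0x401763, bytes.fromhex("7480"), "je", 0x4016E5),   # rel8 = -128, the limit
    (0x401776, bytes.fromhex("E9B1FEFFFF"), "jmp", 0x40162C),
]


def check_listing(patches=PATCHES):
    """Re-encode and decode every branch; return the VAs whose bytes disagree."""
    return [va for va, code, mnem, target in patches
            if encode_branch(va, target, mnem, short=len(code) == 2) != code
            or decode_branch(va, code) != (mnem, target)]


if __name__ == "__main__":
    print("mismatching patches:", [hex(v) for v in check_listing()])   # expect []
```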
Greetz:
Fly, jingulong, Yock, Tdasm, david, ahao, ufo (brother), alan (sister), all of my friends and you!
By LoveBoom [DFCG] [FCG]
Email: bmd2chen@tom.com