snd-reversingwithlena-tutorial13.tutorial

min_fo · June 2, 2023

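Solution approach

  1. Enter a value in the registration field -> the invalid message appears -> find the branch with a text search -> step into the function that takes the registration key -> before ret, change xor eax, eax to mov eax, 1 -> at test al, al, al is now 1, so ZF is 0

  2. "this license of xoftspy has not been registered." -> text search -> change the branch

Additionally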

OFTEN USED API's IN REGISTRATION SCHEMES AND OTHER

Windows programs use API's to interact with the kernel. Hence, also finding input from users in a registration window for example is done with API's. A technique to find info on and to land in the registration scheme, is to use the API's to our advantage. The API's that are most used in this matter are:

DialogBoxes:

DialogBoxParamA
GetDlgItem
GetDlgItemInt
GetDlgItemTextA
GetWindowTextA
GetWindowWord

MessageBoxes:

MessageBeep
MessageBoxA
MessageBoxExA
SendMessageA
SendDlgItemMessageA

Registry Access:

RegCreateKeyA
RegDeleteKeyA
RegQueryValueA
RegQueryValueExA
RegCloseKeyA
RegOpenKeyA

Reading/Writing files:

ReadFile
WriteFile
CreateFileA

Reading data from INI file:

GetPrivateProfileStringA
GetPrivateProfileIntA
WritePrivateProfileStringA

Reading data (other) :

LoadStringA
lstrcmpA
MultiByteToWideChar
WideCharToMultiByte
wsprintfA

Time And Date:

GetFileTime
GetLocalTime
GetSystemTime
GetSystemTimeAsFileTime
SetTimer
SystemTimeToFileTime

Creating a NAG-window:

CreateWindowExA
ShowWindow
UpdateWindow

Find messageboxtext :

SendDlgItemMessageA
SendMessageA
SetDlgItemTextA
SetWindowTextA

For a registration scheme, I normally place a breakpoint in one (or all) of the next API calls:

GetDlgItemTextA
GetWindowTextA
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileIntA
RegQueryValueExA
WritePrivateProfileStringA
WritePrivateProfileIntA

Key takeaway:

Set a breakpoint on the API -> execution stops at the start of the invalid message window -> use the stack to see where the call came from -> use that to locate the branch
