03 Use of common patch tools

Summary of this chapter:

1. The principle of immlebel in od

Why after I modify mineral water.004019B3, all the labels in od will be modified?

We use ctrl+g to enter the jump address

Add a label to the head of the function

When I came back, I found that it had been renamed.

In fact, this is not black magic at all. It's just that when od encounters the address we labeled, it automatically recognizes it and presents it in the form of a string. To put it bluntly, it just gives him an alias for the call xxxx address!

Naming functions will often be encountered in our future inverse VM, but the tool used is not od.

2. Why sometimes strings that cannot be searched by od can be searched by ida?

》This is because of the problem of the od plug-in. By analyzing the source code ustrref of the od string search engine and finding its findascii function, you can see that it is by checking whether the data in the address after the push mov lea instruction starts with '\0' To determine the end of a string

We can check the source code of od Chinese search engine plug-in:

It can be found that it first loops to check the push mov lea instruction in the code. If so, it checks the operands after the instruction.

Determine whether the operand ends with '\0', if so, it will judge the operand as a string

Then what is pushed is a constant, which is the first address of the string.

If the data in this address ends with '\0', od will determine it as a string.

The principle of ida is to directly search PE files. That is to say, when the exe file is compiled, the string constants are usually hard-coded. After compilation, they are placed directly in the constant area. By detecting whether they end with '\0', It is easy to determine whether it is a string.

3. So how to make both ida and od not searchable?

After compilation, it is no longer a string.

This code will only take effect when it is run, which means that it is mixed with the instructions and made into hexadecimal instructions by the compiler.

What about defining it as a global variable?

Global search is possible because global variables are hard-coded before running and are fixed in the PE file.

4. Typical multi-threading features in Yi Language

Sandwiched between two rets, a call is very short

Undo operation: select multiple lines and then undo

How to achieve the breaking of this multi-threaded program?

Break off at the end of the messagebox and come all the way back

Find the typical thread characteristics of Yi Language, and then click Find Reference > Select the command

Choose the one that is not red

Then go up to find the key and jump, then nop him and it will be ok.

Behind the jump is the function that starts the thread

4.1 How to judge whether the code written by others interferes with you through multi-threading?

When you follow from MessageBox, if you enter the system airspace starting with 7, it is likely to be multi-threaded technology. Don't continue to follow. Instead, use the above method to achieve a breakthrough.

5. How to save the modified exe in ida?

52：52

Static analysis is very useful. It is used to analyze software that has a strong shell and cannot be debugged at all. It can reverse the algorithm of the program but cannot debug it.