Crack the crackers, protect your shareware

zhaozj, 2021-02-16

By Crossbow [original]

- This article was published in Computer Daily in 2003; if you reprint it, please indicate that it is from Computer News.

- I am just an initiator here; if there are omissions, I ask the seniors to advise. Thank you! CrossBow@citiz.net

Shareware is a hot topic in the software world, and in China even more so. Thousands of Chinese programmers have thrown themselves into this field with great enthusiasm, all hoping for a rich return; but in fact that is not the case, and the vast majority come away with nothing. It is worth noting that, apart from topic choice and technology, the biggest reason is that shareware gets cracked (CRACK).

This is very obvious and seems inevitable. Most authors find a keygen or a modified version of their software (commonly called a "blast", i.e. a patch) on the internet within a week, or even a day, of release. Crackers have produced keygens in English, Chinese, Russian, German and other languages, and often send the author a copy along with a mocking letter. Ugh! Whom have we wronged? Is staying up late coding day and night to be repaid with this pain and shameless humiliation?

No! Never! We have every reason to protect the fruits of our labor! But the problem is: how? Note that at home, cracking materials and tutorials pile up online, while information on software protection is as rare as phoenix feathers (most of it is kept as a technical monopoly). This imbalance has left a considerable number of friends with encryption that is very fragile, even downright feeble-minded! You should know that you are up against people who have formed organized groups: CCG and BCG at home, and EGIS, KING, CORE, TNT, DAMN and TMG abroad are all first-class cracking groups. No less than 80% of the world's pirated software is their work, and their technical strength is such that even large software companies cannot underestimate them.

Having read this far, are you already discouraged? Don't be. Although we cannot completely avoid being cracked, if we can effectively delay the cracking and thoroughly undermine the cracker's confidence, it is quite possible that the cracker will not endure the torture and will finally give up.

Cracking usually comes in two kinds: brute-force cracking ("blasting", i.e. patching) and writing keygens ("registration machines"). Below I explain the principle of each cracking method and the ways to counter it. These are some accumulated shareware-protection experiences and a few crucial routines (Delphi code; friends who use C and VB can adapt it with slight modification). I hope they are of some help to novices, so that they can protect their labor more effectively.

§ Brute-force cracking (blasting)

This is the most common and simplest cracking method. It is best suited to software without a CRC check, and it is what novice crackers rely on.

Most shareware decides whether registration succeeded with an IF conditional statement; even if you use a strong encryption algorithm such as RSA or ECC, you still end up using an IF. Oh, this is the most dangerous spot in shareware, and of course the target that the patchers pursue tirelessly!

For example, your registration routine may look like this:

    {Use an RSA digital signature to verify the registration}
    if RSAVerify(MD5(Key), MD5(Code), e, n) then
      ShowMessage('Registration succeeded!')
    else
      ShowMessage('Registration failed!');
    {Here Key is the registration code entered by the user, which was sent to the registered user;}
    {Code is the registration code derived from the username the user entered;}
    {e is the public exponent of the RSA algorithm, and n is the RSA modulus.}

Even though the registration routine verifies with the strong RSA algorithm, it is still easy to crack. The cracker only needs to modify it like this:

    {Negate the logic}
    if not RSAVerify(MD5(Key), MD5(Code), e, n) then
      ShowMessage('Registration succeeded!')
    else
      ShowMessage('Registration failed!');

The dramatic result: any registration code at all registers, while the correct one does not. :) In practice, the cracker first disassembles or traces your program, finds the critical jump after the CMP or TEST that checks the registration code (usually an assembly instruction such as JE or JZ) and changes it to JNE or JNZ. Often only one byte needs to change for a perfect crack. :) Unfortunately, most shareware checks registration this way, which is the main reason the web is flooded with patched software: the crack really is that simple...

Is there a way to prevent it? Of course! As long as the key code of the software is embedded in the registration code or registration file, this crack can be prevented entirely. The question is how to embed it. The simplest way is to take the functionality that is restricted before registration, build it into a small DLL (dynamic link library), encrypt the DLL with a strong symmetric algorithm (the key can be a hash of the main program's constant part or of its packed-shell characteristics), and produce a registration file (a license file in a format only you know!), or Base64-encode it into a .reg file that the user imports by double-clicking. The verification process is as follows: when checking registration, first check whether the registration file exists; without it, the restricted features naturally cannot be used. If the registration file is present, decrypt it into a small temporary file. If the main program has been unpacked or modified (patched), its hash value no longer matches, and the decrypted output is certainly garbage and useless.

Only an unmodified main program decrypts correctly, and of course only a correctly decrypted file is a real DLL, from which the key function addresses can be obtained with GetProcAddress and called. Thus only registered users enjoy all the features of your software. In this way, cracking your software becomes very hard for the cracker:

First, if he has no registration file, then even if he unpacks the main program, he cannot patch it, because the restricted part lives in the registration file and the program alone is incomplete.

Second, even if he obtains your registration file, he cannot use it directly, so he is forced to dissect your algorithm, the thing crackers are most reluctant to do! If it comes to this, I think 99% of crackers will give up; only a cracker master who really studies encryption algorithms will continue.

Third, you can use some tricks to make his life even more painful. Here I recommend the DSA public-key algorithm, which produces digital signatures (RSA can also encrypt, whereas DSA only does digital signatures). I choose it because of a very practical feature: its random-number mechanism.

That is, DSA uses a random number k for each signature, and because of this k, even for the same username and machine identification code, no two registration files signed with DSA will be the same. This is a great obstacle to the cracker dissecting your registration file.

Fourth, even if he obtains the decrypted DLL, he still has to substantially modify the main program, or extract the critical code from your DLL and graft it into the main executable. Oh, that depends on how well he understands the PE file format. And even so, if your program contains many hash checks and crash code, well, wait patiently for our lovely cracker comrades to vomit blood... :)

So remember: once this temporary DLL file has been used, immediately unload it from memory and delete it, and before decrypting, check that FileMon, that great detector which threatens us, is not running on the system!

    {Detect FileMon}
    function DetectFileMon: Boolean;
    var
      H: THandle;
    begin
      // FileMon's driver registers the device \\.\FILEVXD; if it can be opened, FileMon is loaded
      H := CreateFile(PChar('\\.\FILEVXD'), GENERIC_READ or GENERIC_WRITE,
             FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
             FILE_ATTRIBUTE_NORMAL, 0);
      if H <> INVALID_HANDLE_VALUE then
      begin
        CloseHandle(H);
        Result := True;   // If so, crash the machine!
      end
      else
        Result := False;
    end;

A better approach is to decrypt the DLL directly into a specified location in memory instead of into a temporary file. This is harder to crack, because after decryption there is no temporary file on disk. In fact, the most powerful commercial protector in the world, Armadillo, uses this approach, and it also prevents debugger dumps quite well. But it is harder to implement, especially on operating systems from WinNT 5 onwards. Since this approach binds the registration file and the restricted code to each other uniquely, the patcher can only give up on your software. I recommend that everyone add functional restrictions to shareware; that is safer than time or usage-count limits.
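As an added illustration of the registration-file scheme described above (example code written for this edit, not the article's Delphi, and in Python because the idea is language-independent): the license payload is encrypted under a key derived from a hash of the main program's constant part, so a patched main program can no longer decrypt its own license. The sample "program" bytes and payload are constructed stand-ins; HMAC-SHA256 in counter mode replaces the article's symmetric algorithm, and an authentication tag lets the program refuse garbage rather than try to load it.

```python
import hashlib
import hmac
import os
from typing import Optional

def program_fingerprint(program: bytes, constant_part: slice) -> bytes:
    """Key = hash of the part of the main program that must never change
    (the article's 'constant part or shell feature hash value')."""
    return hashlib.sha256(program[constant_part]).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the article's symmetric cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def make_license(program: bytes, constant_part: slice, restricted_code: bytes) -> bytes:
    """Author side: encrypt the restricted code (the article's DLL) under the
    fingerprint and append a tag so a wrong key is detected, not silently used."""
    key = program_fingerprint(program, constant_part)
    nonce = os.urandom(16)  # fresh per file: like DSA's random k, no two licenses match
    body = bytes(a ^ b for a, b in zip(restricted_code, _keystream(key, nonce, len(restricted_code))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_license(program: bytes, constant_part: slice, license_file: bytes) -> Optional[bytes]:
    """Program side: recompute the key from its own image; return the code only
    if the tag verifies, otherwise None (nothing usable to load)."""
    key = program_fingerprint(program, constant_part)
    nonce, body, tag = license_file[:16], license_file[16:-32], license_file[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# Constructed stand-in for a main program: a code section (bound into the key)
# holding the registration check, followed by a data section that may change.
CODE = b"MZ..code..CMP EAX,1 ; JE registered ; JMP failed.."
DATA = b"..settings.."
PROGRAM = CODE + DATA
CONSTANT_PART = slice(0, len(CODE))
RESTRICTED_CODE = b"<restricted feature code, e.g. the real DLL image>"

def demo() -> tuple:
    """Returns (genuine program loads, patched program loads): flipping JE to JNE changes the key."""
    lic = make_license(PROGRAM, CONSTANT_PART, RESTRICTED_CODE)
    genuine = open_license(PROGRAM, CONSTANT_PART, lic) == RESTRICTED_CODE
    patched = PROGRAM.replace(b"JE registered", b"JNE registered")
    return genuine, open_license(patched, CONSTANT_PART, lic) is not None
```

A real build would hash the actual image section rather than a byte string, and the tag check is what turns "decrypted garbage" into a clean refusal.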
§ Writing keygens (registration machines)

As the name suggests, this method imitates your registration-code generation algorithm, or reverses your registration-code verification algorithm, to write a keygen that produces the same registration codes. This threat is severe, far beyond patching. If a keygen is written, well, your software becomes free. Otherwise you must replace the algorithm, but then the legitimate users who registered earlier are forced to change their registration codes, and that will exhaust you! Oh... The method above can avoid patching, but the threat of keygens still exists. To write a keygen, the cracker must study your software's verification module, which means first unpacking your software and then disassembling it or using a debugger. There are many packers and protectors on the market that claim to be impossible to unpack, and unfortunately, so far not one has honored its promise. Since what the CPU finally executes must be valid instructions, the program can be dumped after self-decompression completes. So don't spend a lot of effort on packers; there is no need. Preventing disassembly is likewise impossible, because every Win32 program must call the key DLLs of the Windows system (kernel32.dll, gdi32.dll, etc.) through the API, and the API can be hooked. We can only protect our labor starting from our own code.

To make debugging and future maintenance easier, we generally give our functions descriptive names, which hands the cracker a gift. For example, the meaning of functions like these is obvious at a glance: IsRegistered(), IsLicensed(), LicenseVerify(), CheckReg()... With these, the cracker easily finds his target among thousands of functions: your registration-code check! And for cracking software written in Delphi, there is the TMG team's tool DeDe, which easily shows the forms, units and function names in your software and can also disassemble some code; combined with Win32Dasm it reveals even more, a great threat to Delphi software. So as not to create a warm and comfortable cracking environment for the cracker, we must obfuscate our code, replacing all function names in the software with randomly generated ones. For example, what does func_3dfsa_fs32zlfv() mean? I'm afraid only I know. There are ready-made code obfuscators on the internet; you can find one for the programming language you use. Note: do this only when you are about to publish the software, and be sure to back up the source code. Otherwise, don't blame me when you can't understand your own code! :) I advise using a public-key algorithm to protect your software; RSA, DSA and ElGamal can all be found on the internet. Note: rename all the algorithm units, strings and everything else that carries the algorithm name, to avoid the cracker discovering them and imitating them in a keygen! You can also swap the labels: clearly use DSA but rename everything to RSA, and let him imitate that! :)

Other algorithms, such as symmetric and hash algorithms, should also be renamed. Otherwise:

    EncryptedCode := Blowfish(MD5(UserName), MD5(Key));  // Your encryption uses Blowfish (a symmetric algorithm) and MD5 (a hash algorithm)

Although I don't know the principles of Blowfish and MD5 and cannot reverse them, I do understand the process and the algorithm names of your check, so I find Blowfish and MD5 packages on the internet and imitate your software to make a keygen. Huh?! Really... $&*&($#%@! Had you used some other uncommon algorithm (such as Skipjack (the US NSA's standard algorithm), Loki, 3-Way or SAFER, which are not famous but strong) and renamed everything, let them go and study what on earth the following code in the software is doing! :)

    0167:005B9F70  MOV  EAX,[EBP-10]
    0167:005B9F78  PUSH EAX
    0167:005B9F79  MOV  EAX,[EBP-10]
    0167:005B9F7C  CALL 004041C4
    0167:005B9F81  LEA  ECX,[EBP-14]
    0167:005B9F84  POP  EDX
    0167:005B9F85  CALL 004B860C

Of course, it is best to change the hash algorithm as well, to give them more trouble. Note that the cracker can find the initial values of hashes such as MD5 and SHA in memory, which tells him what you are using. So I recommend also using the MD5 variants RIPE-MD (RMD) 128 or 160, and other hashes such as Tiger and Haval.

Also, check frequently whether your program has been modified; if it has, exit. However, note that some viruses modify the process's handles and the kernel objects they point to, so that the virus can modify the running PE file directly, and network transmission errors also cause the software's CRC to mismatch. So do not assume that a CRC mismatch on the executable means the program has been unpacked. In fact, the most obvious sign of an unpacked program is that its size is markedly larger than the packed one. A 1M PE file is usually only about 400K after compression with UPX or ASPack. If your software finds at runtime that its size exceeds 800K, I think you know what to do? Oh... One more point: debuggers are a great threat to us, so we must not let crackers debug our programs comfortably with SoftICE, TRW and OllyDbg.

Besides the commonly used MeltICE method, here is a method I wrote myself:

    {Check whether the parent process of your process is Explorer.exe; otherwise don't load}
    {Note: under WinNT the parent process of a console program is cmd.exe!}
    {Note: load the Tlhelp32.pas unit}
    procedure CheckParentProc;  // Check the parent process of your process
    var
      Pn: TProcessEntry32;
      sHandle: THandle;
      H, ExplProc, ParentProc: hWnd;
      Found: Boolean;
      Buffer: array[0..1023] of Char;
      Path: string;
    begin
      H := 0;
      ExplProc := 0;
      ParentProc := 0;
      // Get the Windows directory
      SetString(Path, Buffer, GetWindowsDirectory(Buffer, SizeOf(Buffer) - 1));
      Path := UpperCase(Path) + '\EXPLORER.EXE';  // Path of Explorer
      // Take a snapshot of all processes
      sHandle := CreateToolHelp32Snapshot(TH32CS_SNAPALL, 0);
      Pn.dwSize := SizeOf(Pn);  // Process32First requires dwSize to be set
      Found := Process32First(sHandle, Pn);  // Find the first process
      while Found do  // Traverse all processes
      begin
        if Pn.szExeFile = ParamStr(0) then  // Found our own process
        begin
          ParentProc := Pn.th32ParentProcessID;  // Get the parent process ID
          H := OpenProcess(PROCESS_ALL_ACCESS, True, Pn.th32ParentProcessID);  // Handle of the parent process
        end
        else if UpperCase(Pn.szExeFile) = Path then
          ExplProc := Pn.th32ProcessID;  // Explorer's PID
        Found := Process32Next(sHandle, Pn);  // Find the next one
      end;
      CloseHandle(sHandle);
      // Well, the parent process is not Explorer, so it is a debugger...
      if ParentProc <> ExplProc then
      begin
        TerminateProcess(H, 0);  // Kill it! Get rid of it!
        // You can also add any crazy code here to entertain this cute cracker
      end;
    end;

You can try it in Delphi or VC; does it kill Delphi or VC? That is because what runs your program now is the built-in debugger of Delphi or VC, and of course it will not be recognized, huh! So comment it out while you are debugging, and don't forget to enable it when you release!

The last issue, and a very important one: protect your strings!!! Strings are very important in the registration module! When an experienced cracker cracks your software, he goes for your strings first.

For example, he enters a wrong registration code and gets your prompt about the wrong registration code, usually "Invalid registration code, please re-enter!" or "Invalid Key, please input again!", etc. Then he uses OllyDbg to break on it dynamically, or uses a static analysis tool such as WinDasm or IDA Pro to locate that string in the program and find the code behind it.

Please indicate the original address when reprinting: https://www.9cbs.com/read-14042.html
