Break out, Chapter 6 - Blasting Software

xiaoxiao2021-03-05  24

Chapter 6 - Blasting Software

Blasting is actually very simple, easier at least than squeezing the last bit of toothpaste out of the tube at home. You just go down to the street, buy a few detonators, stick them on your monitor and click OK (it's not hard at all; I'm running away now).

I have already explained the principle of blasting, and I believe you understood it. Here we talk specifically about how to find that key jump, and where to buy a detonator that is cheap and handy.

Blasting a piece of software generally takes only a few steps. First look at it: check whether it is packed and whether any other protection has been added. If so, unpack it with the corresponding tool or deal with it by hand; there are tutorials for that. Once the shell is off we can open the software. You have two choices, W32DASM or a debugger. Usually, if you run into the easy kind, you can finish it in W32DASM. If you run into the other kind ... go buy some stock instead, because ... bang! Wake up ... Oh, usually, if it is not the easy kind of software, you use the debugger. First, W32DASM: we disassemble with W32DASM (obviously!), find the error message, or possibly the success message, in the string references, and double-click it to arrive at the corresponding address. Analyze the corresponding assembly code in W32DASM's main window and find the key jump and the key CALL. Put the green bar on the key jump and read the offset address of the key jump (the address actually to be modified) from the bottom of the W32DASM main window. Open the file in UltraEdit, go to that offset address (the actual modification address), modify the machine code (or plant the detonator), and save (ignite)! Using the debugger is just as simple, and it will be explained in detail.

Enough of the theory and the nonsense; here are the examples:

First, blasting with W32DASM:

[Software Name] China Compression (Chinazip)

[Software version] 7.0

[Document size] 1041KB

[Applicable platform] Win9X / ME / NT / 2000

[Software Introduction] CHINAZIP is a tool for compressing and extracting archives in a variety of common formats, including ZIP as well as ARJ, CAB, GZIP, JAR, LHA, TAR, ZOO, ARC, LZH, PAK, etc.

The software comes from the Computer Report 2001 collection; the protection in version 7.0 is very simple, the latest version should be much ...

OK, let's get started. First, unpack it (the wild wolf raises its head), then find the registration dialog and enter any string; you will see an error dialog saying "Registration code is incorrect, unable to register!". Then we look at the shell it uses: ASPack 2.001, so caspr comes on stage. After unpacking, we let W32DASM disassemble it for half a minute, or half an hour. When it has finished, find the error message you just saw in the string data references. After finding it, double-click it a few times and you will see that there is only one reference. We arrive at 004F4E64; I put the specific code below (please read it from the bottom up):

:004F4DD1 E84EE1F3FF CALL 00432F24
:004F4DD6 8B55F0 MOV EDX, DWORD PTR [EBP-10]
:004F4DD9 8D4DF4 LEA ECX, DWORD PTR [EBP-0C]
:004F4DDC 8BC3 MOV EAX, EBX
:004F4DDE E8C9010000 CALL 004F4FAC
:004F4DE3 8B55F4 MOV EDX, DWORD PTR [EBP-0C]
:004F4DE6 58 POP EAX
:004F4DE7 E830F3F0FF CALL 0040411C
:004F4DEC 7576 JNE 004F4E64 <- STOP! This is the legendary key jump
:004F4DEE B201 MOV DL, 01
:004F4DF0 A158254500 MOV EAX, DWORD PTR [00452558]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4D86(C)
|
:004F4DF5 E85ED8F5FF CALL 00452658
:004F4DFA 8945FC MOV DWORD PTR [EBP-04], EAX
:004F4DFD 33C0 XOR EAX, EAX
:004F4DFF 55 PUSH EBP
:004F4E00 685D4E4F00 PUSH 004F4E5D
:004F4E05 64FF30 PUSH DWORD PTR FS:[EAX]
:004F4E08 648920 MOV DWORD PTR FS:[EAX], ESP
:004F4E0B B101 MOV CL, 01

* Possible StringData Ref from Code Obj ->"software/xdzhan/chinazip"
|
:004F4E0D BAA84E4F00 MOV EDX, 004F4EA8
:004F4E12 8B45FC MOV EAX, DWORD PTR [EBP-04]
:004F4E15 E822DAF5FF CALL 0045283C

* Possible StringData Ref from Code Obj ->"Real Programmers Use Pascal!"
|
:004F4E1A B9CC4E4F00 MOV ECX, 004F4ECC

* Possible StringData Ref from Code Obj ->"key"
|
:004F4E1F BAF44E4F00 MOV EDX, 004F4EF4
:004F4E24 8B45FC MOV EAX, DWORD PTR [EBP-04]
:004F4E27 E854DEF5FF CALL 00452C80

* Possible StringData Ref from Code Obj ->"Software registration is successful, thank you for your support!" <- This is the message shown after a successful registration. Starting from the success message, the first jump above it is the key jump we have to find.
|
:004F4E2C B8004F4F00 MOV EAX, 004F4F00
:004F4E31 E8563DF6FF CALL 00458B8C
:004F4E36 A16C305000 MOV EAX, DWORD PTR [0050306C]
:004F4E3B 8B00 MOV EAX, DWORD PTR [EAX]

* Possible StringData Ref from Code Obj ->"Chinazip - Registration"
|
:004F4E3D BA244F4F00 MOV EDX, 004F4F24
:004F4E42 E80DE1F3FF CALL 00432F54
:004F4E47 33C0 XOR EAX, EAX
:004F4E49 5A POP EDX
:004F4E4A 59 POP ECX
:004F4E4B 59 POP ECX
:004F4E4C 648910 MOV DWORD PTR FS:[EAX], EDX
:004F4E4F 686E4E4F00 PUSH 004F4E6E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4E62(U)
|
:004F4E54 8B45FC MOV EAX, DWORD PTR [EBP-04]
:004F4E57 E868E2F0FF CALL 004030C4
:004F4E5C C3 RET
:004F4E5D E9C2E9F0FF JMP 00403824
:004F4E62 EBF0 JMP 004F4E54

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4DEC(C)
|
* Possible StringData Ref from Code Obj ->"Registration code is incorrect, unable to register!" <- This is the error message; the success message is nearby, look upward.
|
:004F4E64 B8484F4F00 MOV EAX, 004F4F48 <- Double-clicking lands here
:004F4E69 E81E3DF6FF CALL 00458B8C
:004F4E6E 33C0 XOR EAX, EAX
:004F4E70 5A POP EDX
:004F4E71 59 POP ECX
:004F4E72 59 POP ECX
:004F4E73 648910 MOV DWORD PTR FS:[EAX], EDX
:004F4E76 689B4E4F00 PUSH 004F4E9B

You may not understand why I say this is the key jump. Do you still remember my earlier example?

Let me tell you now: usually we encounter two kinds of key jump, and I will explain each one separately:

(1)

JE (JNE, JZ, JNZ) 19870219
........ xxxxxxxxxx
........ xxxxxxxxxx
........ software registration success message
...
...
19870219 error message
.......
.......

That is, this is the first conditional jump that judges whether the registration code is correct: if the code is wrong it jumps to 19870219 and lands on the error; if the code is correct it does not jump and runs on to the success message.

For this situation, the key jump we have to find is the first jump above the success message. We can modify it accordingly or NOP it out.

(2)

JE (JNE, JZ, JNZ) 19870219
........ xxxxxxxxxx
........ xxxxxxxxxx
........ error message
...
...
19870219 software registration success message
.......
.......

And this is likewise the first conditional jump that judges whether the registration code is correct: if the code is correct it jumps to 19870219 and lands on the success message; if the code is wrong it does not jump and runs on to the error.

For this situation, the key jump we have to find is the first jump above the error message. We can modify it accordingly or change it into a JMP.

Oh, now that the principle has been explained, let's try it. We select the key jump in W32DASM and see in the status bar at the lower right that the corresponding offset address is 000F41EC. OK, open the file in UltraEdit, press Ctrl+G, enter 0xF41EC and press Enter to jump to the corresponding position. The machine code there is 75 (JNE); we change it to 74 (JZ), save and exit.
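To see where the "offset address" in W32DASM's status bar comes from, here is an added example (not code from the tutorial, from W32DASM or from Chinazip) that maps a virtual address to a file offset through the PE section table and decodes the short jump found there. The section layout it uses is an assumption, constructed so that it reproduces the tutorial's own numbers (VA 004F4DEC -> offset 000F41EC); the real binary's section table is not given on the page.

```python
"""Translate the virtual address a disassembler shows into the file offset a hex
editor needs, and decode the short jump found there.

Added example, not code from the original tutorial. The section layout below
is an assumption chosen so that it reproduces the tutorial's own numbers: VA
004F4DEC in Chinazip 7.0 is shown by W32DASM as file offset 000F41EC.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA at which the section is mapped in memory
    virtual_size: int
    raw_pointer: int      # PointerToRawData: where the section starts in the file
    raw_size: int         # SizeOfRawData


# Short (rel8) jumps: the one-byte opcodes that a single-byte patch swaps between.
REL8_JUMPS = {0x74: "JZ/JE", 0x75: "JNZ/JNE", 0xEB: "JMP",
              0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG"}


def va_to_file_offset(va: int, image_base: int, sections: List[Section]) -> Optional[int]:
    """VA -> file offset (W32DASM's "offset address"); None if the VA is not backed by file data."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            delta = rva - s.virtual_address
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None


def file_offset_to_va(offset: int, image_base: int, sections: List[Section]) -> Optional[int]:
    """The reverse mapping: locate a hex-editor offset in the disassembly."""
    for s in sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return image_base + s.virtual_address + (offset - s.raw_pointer)
    return None


def describe_jump(data: bytes, offset: int) -> str:
    """Name the rel8 jump at `offset` and give its signed 8-bit displacement."""
    opcode = data[offset]
    if opcode not in REL8_JUMPS:
        return f"{opcode:02X}: not a short jump"
    disp = int.from_bytes(data[offset + 1:offset + 2], "little", signed=True)
    return f"{opcode:02X} {data[offset + 1]:02X}: {REL8_JUMPS[opcode]} rel8 {disp:+d}"


def short_jump_target(va: int, data: bytes, offset: int) -> int:
    """Target VA of a 2-byte short jump located at `va`: next instruction plus displacement."""
    disp = int.from_bytes(data[offset + 1:offset + 2], "little", signed=True)
    return va + 2 + disp


# Assumed layout: Delphi-style image, base 0x400000, CODE section at RVA 0x1000 / raw 0x400.
IMAGE_BASE = 0x400000
SECTIONS = [Section("CODE", 0x1000, 0x100000, 0x400, 0x100000),
            Section("DATA", 0x101000, 0x2000, 0x100400, 0x1000)]

# Constructed image buffer carrying the tutorial's bytes "75 76" (JNE 004F4E64) at the key jump.
KEY_JUMP_VA = 0x004F4DEC
IMAGE = bytearray(0x102000)
KEY_JUMP_OFFSET = va_to_file_offset(KEY_JUMP_VA, IMAGE_BASE, SECTIONS)
IMAGE[KEY_JUMP_OFFSET:KEY_JUMP_OFFSET + 2] = b"\x75\x76"

if __name__ == "__main__":
    print(f"VA {KEY_JUMP_VA:08X} -> file offset {KEY_JUMP_OFFSET:08X}")   # 000F41EC
    print(describe_jump(IMAGE, KEY_JUMP_OFFSET))                             # 75 76: JNZ/JNE rel8 +118
    print(f"target {short_jump_target(KEY_JUMP_VA, IMAGE, KEY_JUMP_OFFSET):08X}")  # 004F4E64
```

The same mapping gives the offset for the second example's jump at 0041C704, which the tutorial later reads from W32DASM with Shift+F12.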

OK, let's take a look: run it, enter any registration code and try to register. Oh, registration succeeded!

That's all for W32DASM, huh, very simple. Find some simply protected software and practise on it. Next we use the debugger to blast.

If you really try blasting a few programs with W32DASM, you will run into some problems. For example, some software cannot be handled by W32DASM at all. Or there is no error message or success message in the string references. And with some software, even if you get to the right place through a string and want to find the key jump, you will find that what is in front of you is more than you imagined ... Although you may still find it by looking very carefully, I don't think that is the smart way; after all, some behaviour is only visible while the program is executing. OK, if you have a program whose key jump you cannot find with W32DASM, go with the debugger! (You can open it in W32DASM first; if it is easy, let W32DASM find it for you, but that is not necessary.)

Now let's talk about the steps for blasting with the debugger (I know you can certainly use a debugger): first, we still have to unpack the software you want to CRACK (block me gently, don't drop anything!). Then go to where the registration code is entered and, as before, just enter anything, but don't press OK yet; wait until we have called up the debugger. Still remember what I told you earlier about APIs? For the software to get the registration code you entered, it must call some API function to do so. We set a breakpoint on the corresponding API in the debugger, so that as soon as the program calls this API it is intercepted by the debugger.

GetDlgItemInt, GetDlgItemText and GetDlgItemTextA are three functions that may be useful. But if you are on Windows 98, why not use HMEMCPY? That really is a good idea. After setting the breakpoint we return to the software you want to register and click the button. If the debugger pops up, the breakpoint you just set works; if it does not break, try a different breakpoint. Next, we cancel the breakpoint we just set in the debugger. Take TRW2000 as the example (SoftICE is essentially the same in operation): cancel the breakpoint with the BC * command. Then enter the PMODULE command to return to the program's own territory (SoftICE has no corresponding command, so, huh, press F12). Now a digression: what is this "territory" (领空, literally "airspace")? For example, for your program to get the registration code you entered, it calls the corresponding function, say GetDlgItemTextA, and GetDlgItemTextA itself calls HMEMCPY, and these functions live in DLL files in the system. So when the program calls the corresponding API function, execution leaves the program's own territory and goes into the corresponding DLL file to run this API function (you can understand it this way). I also said earlier that HMEMCPY is not usually called directly by the application itself, but by other API functions. So you can understand it like this: your program calls an API function, execution goes to the DLL file where this API is located; this API calls HMEMCPY, and execution moves again into the DLL file where HMEMCPY is located. When HMEMCPY finishes it returns to the territory of the API that called it, and when that API finishes it returns to the territory of the program that called it. So, for example, we set a breakpoint on HMEMCPY.
When we enter the registration code, the program calls some API to get the data you entered, and this "some API" in turn calls HMEMCPY; therefore the program breaks. Of course, at that moment execution is not inside the application itself, but when we enter the PMODULE command we get back to the application itself. Make sure what you are looking at is the application itself, not the API! OK, back to where I was: once we are back in the program's territory, you keep pressing F12. F12 runs the program until it meets a RET or similar instruction. So you press F12 again and again until the software reports the error, and note how many times you pressed. Then start over from the beginning; this time press F12 one time less than the count you just noted. Then switch from F12 to F10 (why not F4?) and press F10 all the way until the software reports the error; this time note how many times you pressed F10. OK, then start over again and press F10 as before, but now go slowly, step by step. Generally, about five or six steps before the count at which the error appeared, you will see a CALL followed by a jump instruction. Stepping on, you will see that after this jump instruction, if it does not jump, the error comes within two or three steps; if it jumps away, the error also comes within two or three steps. Of course it may also be the other way round: it does not jump and two or three steps later the error comes. This should be easy to understand, because it is basically the principle I introduced to you before.

However, another situation is that you press F10 all the way and finally find there is no jump instruction at all. Huh, don't be afraid, this is very common. In this case, we step again with F10 up to the CALL that sits a few presses before the count at which the error appeared, and press F8 to trace into it and analyze it: the success or failure of the registration, that is, the key jump we have to modify, is inside this CALL. Oh, it is actually easy to understand: what I described above is simply put inside a CALL. After tracing in with F8, keep stepping with F10 as before. If you still cannot find the key jump, use the method I described: count the F10 presses again, and about five or six steps before the error you will see it. You should understand that programs are very flexible; there are no fixed formulas inside, the analysis method is roughly like this, and everything depends on your own mastery. Others can only tell you a method; I believe that with experience you will slowly get used to all kinds of situations.

Now we use the debugger to analyze CHINAZIP; I hope you will find that this is not difficult.

First of all, unpack it again, or simply reuse the unpacked copy. Then we run it, enter any registration code, call up TRW and set a breakpoint on HMEMCPY. After that, press F5 to exit (not F4; I can't help you if you press that ^_^) and then click OK. OK, the program breaks:

KERNEL!HMEMCPY
0147:9E62 PUSH BP
0147:9E63 MOV BP,SP
0147:9E65 PUSH DS
0147:9E66 PUSH EDI
0147:9E68 PUSH ESI
0147:9E6A CLD
0147:9E6B MOV ECX,[BP+06]
0147:9E6F JCXZ 9EE9

...... many more lines of code omitted ......

We enter BC * to cancel the breakpoint, then use PMODULE to return to the program:

0167:00436D13 MOV [EBX+0C],EAX
0167:00436D16 MOV EAX,[EBX]
0167:00436D18 CMP EAX,BYTE 0C
0167:00436D1B JNZ 00436D38
0167:00436D1D MOV EDX,[EBX+08]
0167:00436D20 PUSH EDX
0167:00436D21 MOV ECX,[EBX+04]
0167:00436D24 MOV EDX,EAX
0167:00436D26 MOV EAX,ESI
0167:00436D28 CALL 00432B24

...... still many lines omitted ......

Press F12 7 times, then F10 once, and you arrive at 0167:004F4DC4. Then we step with F10; after a few more presses you can see there is a jump at 004F4DEC, and when we execute the instruction at 004F4DEC it suddenly jumps away to 004F4E64. A few presses after the jump the program reports the error. Oh, I see: the jump JNZ 004F4E64 at 004F4DEC is the key jump. Hey, what to do after finding it I don't need to tell you.

0167:004F4DC4 MOV EAX,[EBP-08]
0167:004F4DC7 PUSH EAX
0167:004F4DC8 LEA EDX,[EBP-10]
0167:004F4DCB MOV EAX,[EBX+02E0]
0167:004F4DD1 CALL 00432F24
0167:004F4DD6 MOV EDX,[EBP-10]
0167:004F4DD9 LEA ECX,[EBP-0C]
0167:004F4DDC MOV EAX,EBX
0167:004F4DDE CALL 004F4FAC
0167:004F4DE3 MOV EDX,[EBP-0C]
0167:004F4DE6 POP EAX
0167:004F4DE7 CALL 0040411C
0167:004F4DEC JNZ 004F4E64 <- Key jump!!
0167:004F4DEE MOV DL,01
0167:004F4DF0 MOV EAX,[00452558]
0167:004F4DF5 CALL 00452658
0167:004F4DFA MOV [EBP-04],EAX
0167:004F4DFD XOR EAX,EAX
0167:004F4DFF PUSH EBP
0167:004F4E00 PUSH DWORD 004F4E5D
0167:004F4E05 PUSH DWORD [FS:EAX]
0167:004F4E08 MOV [FS:EAX],ESP
0167:004F4E0B MOV CL,01
0167:004F4E0D MOV EDX,004F4EA8
0167:004F4E12 MOV EAX,[EBP-04]
0167:004F4E15 CALL 0045283C
0167:004F4E1A MOV ECX,004F4ECC
0167:004F4E1F MOV EDX,004F4EF4
0167:004F4E24 MOV EAX,[EBP-04]
0167:004F4E27 CALL 00452C80
0167:004F4E2C MOV EAX,004F4F00
0167:004F4E31 CALL 00458B8C
0167:004F4E36 MOV EAX,[0050306C]
0167:004F4E3B MOV EAX,[EAX]
0167:004F4E3D MOV EDX,004F4F24
0167:004F4E42 CALL 00432F54
0167:004F4E47 XOR EAX,EAX
0167:004F4E49 POP EDX
0167:004F4E4A POP ECX
0167:004F4E4B POP ECX
0167:004F4E4C MOV [FS:EAX],EDX
0167:004F4E4F PUSH DWORD 004F4E6E
0167:004F4E54 MOV EAX,[EBP-04]
0167:004F4E57 CALL 004030C4
0167:004F4E5C RET
0167:004F4E5D JMP 00403824
0167:004F4E62 JMP SHORT 004F4E54
0167:004F4E64 MOV EAX,004F4F48 <--- jumped here from 0167:004F4DEC above: error!
0167:004F4E69 CALL 00458B8C
0167:004F4E6E XOR EAX,EAX

Now another example:

[Software Name] Tianwang firewall

[Software version] 2.46 Beta

[Document size] 1289KB

[Applicable platform] Win9X / ME / NT / 2000

[Software Introduction] The personal edition of Tianwang Firewall is a network security program for personal computers. It helps you resist network intrusions and attacks and prevents information leakage, and, together with our website, can trace an attacker from the information it collects. At the same time, the personal edition of Tianwang Firewall divides the network into the local network and the Internet and can apply different security policies to traffic from the different networks, which suits dial-up users as well as users who get online through a local network. The software again comes from the Computer Report 2001 collection; its registration code can be obtained free of charge from its website ...

We still have to unpack it first (a certain migrant worker: your kid dares to talk nonsense! ^_^). Looking at it with FI: huh, huh, BC compiled, no shell, cool! Run it and enter anything in the Registration dialog (this week's new films, their titles, whatever ...).

OK, let's first call up TRW2000. First, enter the two strings, for example the first input "Hero's director is?" and the second input "maybe Zhao Benshan" :)

Next, press Ctrl+N to call up TRW2K, set BPX HMEMCPY, then press F5 to exit.

Then you can be sure the program will be broken into by TRW2K, and we enter BC * and PMODULE to get back to it.

Now you can start pressing F12: after 8 presses the program reports the error, so press 7 and then start pressing F10; after about 70 F10 presses the program reports the error (huh, you must have patience).

OK, I paste the code from after the break below:

0167:0041C617 LEA EDX,[EBP-04] <- after 7 F12 presses, one F10 brings you here.
0167:0041C61A MOV ECX,[0052AE7C]
0167:0041C620 MOV EAX,[ECX]
0167:0041C622 MOV EAX,[EAX+0318]
0167:0041C628 ADD EAX,BYTE 2C
0167:0041C62B CALL 00517740
0167:0041C630 DEC DWORD [EBP-20]
0167:0041C633 LEA EAX,[EBP-04]
0167:0041C636 MOV EDX,02
0167:0041C63B CALL 00517710
0167:0041C640 MOV WORD [EBP-2C],14
0167:0041C646 LEA EAX,[EBP-08]
0167:0041C649 CALL 00401D60
0167:0041C64E MOV EDX,EAX
0167:0041C650 INC DWORD [EBP-20]
0167:0041C653 MOV ECX,[EBP-40]
0167:0041C656 MOV EAX,[ECX+02E0]
0167:0041C65C CALL 004B9F14
0167:0041C661 LEA EDX,[EBP-08]
0167:0041C664 MOV ECX,[0052AE7C]
0167:0041C66A MOV EAX,[ECX]
0167:0041C66C MOV EAX,[EAX+0318]
0167:0041C672 ADD EAX,BYTE 30
0167:0041C675 CALL 00517740
0167:0041C67A DEC DWORD [EBP-20]
0167:0041C67D LEA EAX,[EBP-08]
0167:0041C680 MOV EDX,02
0167:0041C685 CALL 00517710
0167:0041C68A LEA EAX,[EBP-10]
0167:0041C68D CALL 00401D60
0167:0041C692 MOV EDX,EAX
0167:0041C694 INC DWORD [EBP-20]
0167:0041C697 MOV ECX,[EBP-40]
0167:0041C69A MOV EAX,[ECX+02E0]
0167:0041C6A0 CALL 004B9F14
0167:0041C6A5 LEA EDX,[EBP-10]
0167:0041C6A8 PUSH DWORD [EDX]
0167:0041C6AA MOV WORD [EBP-2C],20
0167:0041C6B0 LEA EAX,[EBP-0C]
0167:0041C6B3 CALL 00401D60
0167:0041C6B8 MOV EDX,EAX
0167:0041C6BA INC DWORD [EBP-20]
0167:0041C6BD MOV ECX,[EBP-40]
0167:0041C6C0 MOV EAX,[ECX+02D4]
0167:0041C6C6 CALL 004B9F14
0167:0041C6CB LEA EDX,[EBP-0C]
0167:0041C6CE MOV EDX,[EDX]
0167:0041C6D0 MOV EAX,[0052AE7C]
0167:0041C6D5 MOV EAX,[EAX]
0167:0041C6D7 POP ECX
0167:0041C6D8 CALL 0040525C
0167:0041C6DD MOV [EBP-45],AL
0167:0041C6E0 DEC DWORD [EBP-20]
0167:0041C6E3 LEA EAX,[EBP-10]
0167:0041C6E6 MOV EDX,02
0167:0041C6EB CALL 00517710
0167:0041C6F0 DEC DWORD [EBP-20]
0167:0041C6F3 LEA EAX,[EBP-0C]
0167:0041C6F6 MOV EDX,02
0167:0041C6FB CALL 00517710
0167:0041C700 CMP BYTE [EBP-45],00
0167:0041C704 JZ 0041C750 <- after 60-odd F10 presses you find a jump here; heh, this is it!!!
0167:0041C706 MOV ECX,[0052AE7C]
0167:0041C70C MOV EAX,[ECX]
0167:0041C70E MOV EAX,[EAX+0318]
0167:0041C714 CALL 00411FD0
0167:0041C719 MOV WORD [EBP-2C],2C
0167:0041C71F MOV EDX,00521B50
0167:0041C724 LEA EAX,[EBP-14]
0167:0041C727 CALL 005175B0
0167:0041C72C INC DWORD [EBP-20]
0167:0041C72F MOV EAX,[EAX]
0167:0041C731 CALL 004B41B0
0167:0041C736 DEC DWORD [EBP-20]
0167:0041C739 LEA EAX,[EBP-14]
0167:0041C73C MOV EDX,02
0167:0041C741 CALL 00517710
0167:0041C746 MOV EAX,[EBP-40]
0167:0041C749 CALL 004A81D0
0167:0041C74E JMP SHORT 0041C77D
0167:0041C750 MOV WORD [EBP-2C],38
0167:0041C756 MOV EDX,00521B6B
0167:0041C75B LEA EAX,[EBP-18]
0167:0041C75E CALL 005175B0
0167:0041C763 INC DWORD [EBP-20]

Don't sit idle after finding the key jump, huh, let's blast it! (You can open this file in W32DASM, press Shift+F12, enter 0041C704, and read the corresponding offset address in the lower right corner.)

Tip: In TRW, if you suspect an instruction is the key jump, you can test it with R FL Z. This command inverts the jump condition: for example, if JZ XXXXXXXX would be taken, then after R FL Z it is not taken, i.e. it will not jump, and vice versa. The same applies above: enter R FL Z at 0041C704, huh, step a few more times, and did it succeed? Also, if you only want to get the software registered, and the software only verifies once when you register, you can use this method instead of the detonator!

Oh, finally, I still have to say that blasting is only a few cheap tricks. It is enough to play with it a few times when you are starting out.

Afterword: You may slowly discover that some software is not as simple as you think; you cannot even find its key jump. This is normal; do more exercises and slowly you will understand. I gave you two examples today because they are fairly simple and illustrate the key point, showing you how software blasting works; otherwise I would just leave you in a fog ...

Please cite the original address when reposting: https://www.9cbs.com/read-37752.html
