Chapter 5 - Cracking Principles
Starting with this chapter, let's learn step by step how to crack software. (80% of the readers ... the other 20% are looking for something nearby they can put to use.)
Roughly speaking, learning to crack has three stages:
Beginner: modifying the program. You edit the EXE file directly with a tool such as UltraEdit. This is called brute-force cracking, or "blasting" for short.
Intermediate: tracing the program's registration code.
Advanced: writing a keygen (a "registration machine").
Let's start with blasting. Blasting means reaching your goal by modifying the bytes of the executable file itself. Don't follow? Here's an example. Take a piece of shareware: it compares the registration code the user typed in against the registration code it computes from the user name (or from something else). If the two match (that is, the registration code the user entered is correct), it jumps to the "registration successful" branch; otherwise it goes to the "registration failed" branch.
Got it? So if we find that jump instruction and change it into the "flavour" we need, won't the program do what we want? (Something just hit me in the chest. What are you doing?)
There are two common cases. Let me explain each of them:
NO.1
In one program, the registration check looks like this:
00451239 CALL 00405E02 (the key CALL: it checks whether the registration code the user entered is correct)
0045123D JZ 004572E6 (!!! <- the key jump: if the registration code the user entered is correct, jump to the success branch at 004572E6)
0045xxxx yyyyyyyyyy
xxxxxxxx yyyyyyyyyy
xxxxxxxx yyyyyyyyyy
xxxxxxxx execution falls through to here: tell the user registration failed
... "registration code incorrect" and the like
...
004572E6 ... <- (registration succeeded !!!)
... "registration successful" and the like
Understood? No? Then let me walk through it. When the program reaches 00451239, it CALLs 00405E02 to check the registration code. When that CALL returns, the next instruction, the JZ at 0045123D, makes the decision: if the registration code the user entered is correct, it jumps to 004572E6, and that is the registration-success branch. If the registration code is wrong, the JZ at 0045123D does not jump, execution continues straight on, and what follows is the registration-failure branch.
Now do you see it? Right: we just change the key jump from JZ to JNZ (now a wrong registration code "succeeds" and the correct one "fails"). Or change the JZ to JMP, in which case whatever you type, correct or not, the registration succeeds.
NO.2
Now the other situation:
00451239 CALL 00405E02 (the key CALL: it checks whether the registration code the user entered is correct)
0045123D JNZ 004572E6 (!!! <- the key jump: if the registration code the user entered is incorrect, jump to the failure branch at 004572E6)
0045xxxx yyyyyyyyyy
xxxxxxxx yyyyyyyyyy
xxxxxxxx yyyyyyyyyy
xxxxxxxx execution falls through to here: tell the user registration succeeded
... "registration successful" and the like
...
004572E6 ... <- (registration failed !!!)
... "registration code incorrect" and the like
By now I'm sure you understand. Still don't? "I can't see how this differs from the first case." Right, there is only one difference: in the first case, if the registration code is correct the program jumps to the success branch, and if it does not jump it runs straight into the failure branch. In the second case, if the registration code is incorrect the program jumps to the failure branch; otherwise it continues straight on into the success branch.
In this case, besides rewriting the JNZ as JZ, you can also replace it with NOP. NOP is an instruction that does nothing at all, so once the jump has been NOPed out, any registration code you enter registers the program.
That's the principle; now let's talk about how to actually make the change. (I'll assume you already know how to use the tools I mentioned.)
First, the matter of converting virtual addresses to file offsets. The addresses shown in SoftICE and W32Dasm are memory addresses, also called virtual addresses (VA). Hex editors such as Hiew and Hex Workshop work with file addresses instead, called file offsets or raw offsets (RAW OFFSET; some tutorials loosely call this the "physical address"). The two are related through the PE section table: offset = VA - ImageBase - (section VirtualAddress) + (section PointerToRawData). In the example below the difference is C00h, which is what you get for a .text section at RVA 1000h stored at file offset 400h in an EXE based at 400000h, the usual layout for 32-bit programs.
So before we can modify an instruction in the executable, we must find its file offset. There is no need for a separate conversion tool; W32Dasm does it for you. For example, move the cursor to 0045123D in W32Dasm and the status bar at the bottom of the W32Dasm window shows both the virtual address and the file offset of that instruction: @:0045123d @Offset 0005063Dh. The 0005063Dh is the file offset we want. With that in hand, open the executable in UltraEdit (or another hex editor), press Ctrl+G, type in the offset, and you land on the instruction's machine code. Before you change anything, check that the bytes at that offset really are the opcode you expect (74 xx for the JZ in the first case); if they are not, you have the wrong offset, and patching there will corrupt some unrelated instruction.
A word on machine code: it is simply the hexadecimal bytes you see in the hex editor. Every assembly instruction corresponds to a definite byte sequence, so there is a one-to-one correspondence between the bytes in the hex editor and the instructions in the disassembly.
Here are the opcodes blasting needs most often; look up the rest yourself if you are interested:
JZ = 74; JNZ = 75; JMP = EB; NOP = 90
Blasting is then just a matter of changing these bytes. In the first case, change 74 to EB (JZ becomes JMP); in the second case, change 75 to 90 (JNZ becomes NOP). Two caveats. First, 74, 75 and EB are the short forms: each is followed by a one-byte displacement, so the instruction is two bytes long, and when you NOP it out you must overwrite both bytes (75 xx becomes 90 90), otherwise the leftover displacement byte is executed as an instruction. Second, conditional jumps to targets more than 127 bytes away use the near form, 0F 84 (JZ) or 0F 85 (JNZ) followed by a four-byte displacement, six bytes in all; to force such a jump write 90 E9 over the first two bytes (a NOP followed by a near JMP, which ends at the same address, so the displacement stays valid), and to remove it write six 90s. The JZ in our listing, from 0045123D to 004572E6, is roughly 6000h bytes away, so in a real program that line would be the six-byte 0F 84 form.
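The following script is an added example, not code from this tutorial or from any of the tools it names. It does the two things the text describes by hand: it walks the PE section table to turn the VA shown by SoftICE/W32Dasm into the raw file offset a hex editor needs, checks that a jump really sits there, and then patches it in the three ways discussed (Jcc to JMP, Jcc to NOPs, JZ to JNZ or back), handling both the short 74/75 and the near 0F 84/0F 85 encodings. The PE image it works on is constructed in memory and is not a real program; its ImageBase 400000h and its .text section at RVA 1000h / file offset 400h are assumptions, chosen because that layout is exactly the one under which the text's VA 0045123D lands at file offset 0005063D.

```python
"""Added example, not code from the tutorial: map the VA a debugger shows to the
raw file offset a hex editor needs, check what is there, and patch the key jump.
The PE image is built in memory (ImageBase 400000h, .text at RVA 1000h / file
offset 400h are assumptions); that layout is exactly the one under which the
text's VA 0045123D lands at file offset 0005063D."""
import struct

IMAGE_BASE = 0x00400000                                   # assumed
TEXT_RVA, TEXT_RAW, TEXT_SIZE = 0x1000, 0x400, 0x60000    # assumed .text layout
KEY_JUMP_VA, JUMP_TARGET_VA, CALL_TARGET_VA = 0x0045123D, 0x004572E6, 0x00405E02  # from the text

def _sections(buf):
    """Yield (name, rva, vsize, raw, rawsize) for every section header."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[:2] != b"MZ" or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    for i in range(nsec):
        name, vsize, rva, rawsize, raw = struct.unpack_from("<8sIIII", buf, table + 40 * i)
        yield name.rstrip(b"\0").decode(), rva, vsize, raw, rawsize

def image_base(buf):
    opt = struct.unpack_from("<I", buf, 0x3C)[0] + 24
    pe32 = struct.unpack_from("<H", buf, opt)[0] == 0x10B   # PE32: DWORD at +28; PE32+: QWORD at +24
    return struct.unpack_from("<I", buf, opt + 28)[0] if pe32 else struct.unpack_from("<Q", buf, opt + 24)[0]

def va_to_offset(buf, va):
    """VA (SoftICE/W32Dasm) -> raw file offset (Hiew/UltraEdit)."""
    rva = va - image_base(buf)
    for name, sec_rva, vsize, raw, rawsize in _sections(buf):
        if sec_rva <= rva < sec_rva + max(vsize, rawsize):
            if rva - sec_rva >= rawsize:
                raise ValueError(f"{va:08X} is in {name} but has no bytes in the file")
            return raw + (rva - sec_rva)
    raise ValueError(f"{va:08X} is not inside any section")

def offset_to_va(buf, off):
    for _, sec_rva, _, raw, rawsize in _sections(buf):
        if raw <= off < raw + rawsize:
            return image_base(buf) + sec_rva + (off - raw)
    raise ValueError(f"offset {off:08X} is not inside any section")

SHORT = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp"}   # opcode + rel8: 2 bytes
NEAR = {0x84: "jz", 0x85: "jnz"}                 # 0F opcode + rel32: 6 bytes

def jump_at(buf, off):
    """Decode the jump at a file offset -> (mnemonic, length, target VA)."""
    op = buf[off]
    if op in SHORT:
        name, length, rel = SHORT[op], 2, struct.unpack_from("<b", buf, off + 1)[0]
    elif op == 0xE9:
        name, length, rel = "jmp", 5, struct.unpack_from("<i", buf, off + 1)[0]
    elif op == 0x0F and buf[off + 1] in NEAR:
        name, length, rel = NEAR[buf[off + 1]], 6, struct.unpack_from("<i", buf, off + 2)[0]
    else:
        raise ValueError(f"no jump at offset {off:08X} (byte {op:02X}): wrong offset?")
    return name, length, offset_to_va(buf, off) + length + rel

def patch_jump(buf, off, mode):
    """mode: "always" (Jcc -> JMP), "never" (Jcc -> NOPs), "invert" (JZ <-> JNZ).
    Refuses anything but a conditional jump, so a wrong offset cannot silently
    corrupt the file. Returns the original bytes so the patch can be undone."""
    name, length, _ = jump_at(buf, off)
    if name not in ("jz", "jnz"):
        raise ValueError(f"{name} at {off:08X} is not a conditional jump")
    old = bytes(buf[off:off + length])
    if length == 2:                                      # 74/75 rel8
        new = {"always": b"\xEB" + old[1:],
               "never": b"\x90\x90",                     # both bytes, not only the opcode
               "invert": bytes([old[0] ^ 1]) + old[1:]}[mode]
    else:                                                # 0F 84/85 rel32
        new = {"always": b"\x90\xE9" + old[2:],          # NOP+JMP rel32 ends where the Jcc did, so rel32 stays right
               "never": b"\x90" * 6,
               "invert": bytes([0x0F, old[1] ^ 1]) + old[2:]}[mode]
    buf[off:off + length] = new
    return old

def build_sample_pe():
    """Constructed sample: minimal headers plus a .text holding the key CALL and key jump of case NO.1."""
    buf = bytearray(TEXT_RAW + TEXT_SIZE)
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine i386, 1 section, SizeOfOptionalHeader E0h, Characteristics
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<I", buf, opt + 28, IMAGE_BASE)
    struct.pack_into("<8sIIII", buf, opt + 0xE0, b".text", TEXT_SIZE, TEXT_RVA, TEXT_SIZE, TEXT_RAW)
    # CALL rel32 is 5 bytes, so a CALL ending right before 0045123D starts at 00451238 (the text's
    # listing places it at 00451239). The JZ to 004572E6 is ~6000h bytes away: near form 0F 84 rel32.
    jmp = va_to_offset(buf, KEY_JUMP_VA)
    buf[jmp - 5] = 0xE8
    struct.pack_into("<i", buf, jmp - 4, CALL_TARGET_VA - KEY_JUMP_VA)
    buf[jmp:jmp + 2] = b"\x0F\x84"
    struct.pack_into("<i", buf, jmp + 2, JUMP_TARGET_VA - (KEY_JUMP_VA + 6))
    return buf
```

Calling va_to_offset(build_sample_pe(), 0x0045123D) reproduces the 0005063Dh that the W32Dasm status bar shows; jump_at then tells you what is really at that offset before patch_jump touches it, and refuses to patch if there is no conditional jump there. With a real EXE you would read the file into a bytearray, patch, and write the result to a copy, keeping the bytes patch_jump returns so the change can be reversed.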
This chapter only covers the principle. How to actually find the key jump is the subject of the next chapter. (A brick flies up! Hey, this time I caught it.)
You do need to understand how blasting works. But blasting is only the very simplest technique you will learn in cracking; play with it when you are starting out, but I hope you don't stop there!
(Hey, listen. Doesn't the software say it is not allowed to be reverse-modified? If you like it that much, why not just buy it?)
I don't like blasting. If I can't write a keygen, I have to find the registration code; otherwise I won't register the software. Since I don't want to spend the money, I have to rely on my own skills. (Wait for me; I will consider registering those excellent shareware programs.) So, in a sense, I am a gentleman. Actually, finding a registration code is not a difficult thing. I mean, there isn't that much software I have done it on. But you don't have to be afraid.
Remember the key CALL I mentioned when we talked about blasting? In general, this key CALL compares two registration codes: the correct one, which the software computes from your registration name (or your machine), and the one you typed in. As I said before, a CALL usually has its data put somewhere first, and the CALL then takes that data from those places and processes it. The key CALL is the same: before the CALL, the two registration codes are usually placed on the stack or in registers. So we just run the program in the debugger until we reach the CALL, and without stepping into it, look at the places where the two codes were put, using the appropriate command to display them. One of them is what you typed; the other is the correct registration code. As I said, it is not difficult.
The two most common situations are listed below (refer to the relevant tutorials):
NO.1
MOV EAX,[...]   the source can be a memory address or another register
MOV EDX,[...]   this instruction can also be POP EDX
CALL 00??????   the key CALL
TEST EAX,EAX
JZ or JNZ (JE and JNE are the same instructions under other names)   the key jump
So before the key CALL, the program puts the two registration codes in EAX and EDX. Break on the CALL and, in SoftICE, D EAX or D EDX shows the correct registration code (whichever of the two is not the code you typed).
NO.2
MOV EAX,[...]   the source can be a memory address or another register
MOV EDX,[...]   this instruction can also be POP EDX
CALL 00??????   the key CALL
JZ or JNZ (JE or JNE)   the key jump, with no TEST in between
These two cases are the most common; the rarer ones I won't go into here. I'll cover the actual methods in the next chapter ...
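As an added example (not code from this tutorial or from any tool it names), the scanner below looks through a run of x86 code bytes for exactly the two shapes listed above: a CALL rel32 followed by a conditional jump, with (NO.1) or without (NO.2) a TEST EAX,EAX in between. For each hit it reports the address of the CALL, which is where you would set the breakpoint to dump EAX and EDX, and the key jump after it with its decoded target. The bytes it scans are constructed for the example and modelled on the text's addresses (0045123D, 00405E02, 004572E6); they are not from a real program.

```python
"""Added example, not from the tutorial: find CALL / [TEST EAX,EAX] / Jcc
sequences (the NO.1 and NO.2 patterns) in raw x86 code bytes. The sample
bytes are constructed here; addresses are modelled on the text's listing."""
import struct

# conditional-jump encodings: prefix bytes -> (mnemonic, displacement format, total length)
JCC = {b"\x74": ("jz", "<b", 2), b"\x75": ("jnz", "<b", 2),
       b"\x0F\x84": ("jz", "<i", 6), b"\x0F\x85": ("jnz", "<i", 6)}


def find_key_jumps(code, base_va):
    """Return one dict per CALL rel32 that is directly followed by a Jcc,
    optionally with TEST EAX,EAX in between (NO.1) or not (NO.2)."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:                           # CALL rel32
            continue
        call_va = base_va + i
        target = call_va + 5 + struct.unpack_from("<i", code, i + 1)[0]
        j = i + 5
        tests_eax = code[j:j + 2] == b"\x85\xC0"      # TEST EAX,EAX
        if tests_eax:
            j += 2
        for prefix, (name, fmt, length) in JCC.items():
            if code[j:j + len(prefix)] == prefix and j + length <= len(code):
                rel = struct.unpack_from(fmt, code, j + len(prefix))[0]
                hits.append({"call_va": call_va, "call_target": target,
                             "tests_eax": tests_eax, "jump_va": base_va + j,
                             "jump": name, "jump_target": base_va + j + length + rel})
                break
    return hits


def describe(hit):
    """One line in the style of the listings above, plus where to break."""
    shape = "CALL/TEST/Jcc (NO.1)" if hit["tests_eax"] else "CALL/Jcc (NO.2)"
    return (f"{hit['call_va']:08X} CALL {hit['call_target']:08X} ; "
            f"{hit['jump_va']:08X} {hit['jump'].upper()} {hit['jump_target']:08X}  [{shape}] "
            f"-> bpx {hit['call_va']:08X}, then d eax / d edx")


def build_sample_code():
    """Constructed bytes: pattern NO.1, a decoy E8 inside an immediate, then pattern NO.2."""
    base, code = 0x00451230, bytearray()

    def call(target):                                 # E8 rel32, relative to the next instruction
        code.extend(b"\xE8" + struct.pack("<i", target - (base + len(code) + 5)))

    code += b"\x8B\x45\xF8"                           # MOV EAX,[EBP-8]   the code the user typed
    code += b"\x8B\x55\xFC"                           # MOV EDX,[EBP-4]   the code the program computed
    call(0x00405E02)                                  # 00451236 CALL 00405E02   key CALL
    code += b"\x85\xC0"                               # TEST EAX,EAX
    jz_va = base + len(code)
    code += b"\x0F\x84" + struct.pack("<i", 0x004572E6 - (jz_va + 6))   # 0045123D JZ 004572E6
    code += b"\xB8\xE8\x00\x00\x00"                   # MOV EAX,0E8h: holds an E8 byte but is not a CALL
    code += b"\x8B\x45\xF8\x8B\x55\xFC"               # MOV EAX,[EBP-8] / MOV EDX,[EBP-4]
    call(0x00405E02)                                  # 0045124E CALL 00405E02   key CALL
    code += b"\x75\x12"                               # 00451253 JNZ short 00451267
    code += b"\xC3"                                   # RET
    return base, bytes(code)


if __name__ == "__main__":
    base, code = build_sample_code()
    for hit in find_key_jumps(code, base):
        print(describe(hit))
```

Treat every hit as a candidate, not a verdict: a linear byte scan knows nothing about instruction boundaries, so an E8 inside an operand (like the one in the sample's MOV EAX,0E8h) can in principle line up with a following 74 or 75 by chance. The decoy here is rejected only because what follows it is not a jump; a hit is confirmed when you break on its CALL in the debugger and see the two strings in EAX and EDX.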
That's it for finding the registration code; the details come in the next chapter. (Didn't I say so already? I have caught your bricks, why throw more?)
Finally, the so-called advanced stage. If you have faith in yourself and love cracking, you will definitely reach this stage; it is just a matter of time.
In fact, analyzing a program's algorithm takes a lot of skill. At first I couldn't make head or tail of it: so many CALLs, every one of them looked important, should I trace them all? As a result, I traced into a pile of API calls. Once you have really analyzed a program's algorithm and written a keygen for it, you will understand. More on that in the next chapter. (Big brother, not you too; even your solar energy is lost.)