Summary
WinZip is the compression and decompression tool everyone knows, and one of the must-have tools on any installation. WinZip is shareware: if it is not registered, the only consequence is an "unregistered" splash screen. Its registration-code check is not complicated, so this program is relatively simple to crack.
Program Name: Winzip
Version: v8.0 (3105)
Size: 1,230 KB
Running platform: Windows 95/98/NT/2000
Protection method: registration code
Cracking method: make a registration patch
1 Preparation for cracking
(1) SoftICE is installed and Windows has been started. Check that SoftICE is available by pressing Ctrl+D.
(2) Add the symbol table. Two ways work: either load user32.dll dynamically with Symbol Loader in the current session, or edit the winice.dat file in the Windows directory and remove the comment marker in front of the `exp=` line for user32.dll.
2 Monitoring the software's code
2.1 Setting breakpoints
(1) Windows programs read the text a user has typed through four API functions of the user32.dll library: GetWindowText, GetWindowTextA, GetDlgItemText and GetDlgItemTextA.
(2) Once user32.dll is loaded you can use `EXP GetWindowText` to see whether GetWindowText is available; the other three are checked the same way. If they are not loaded, load them as described in 1.(2).
(3) Set breakpoints on the four functions listed in (1); the command is `BPX GetWindowText`, and so on for the others.
(4) After setting the four breakpoints, confirm them with the `BL` command.
(5) Use the `BD *` command to temporarily disable all breakpoints.
2.2 Interrupting the registration process
(1) Install WinZip, select "Enter Registration Code..." from the main interface, and enter the username "feizhaod" and the registration code "bingo".
(2) Press Ctrl+D to bring up SoftICE and use the `BE *` command to enable all breakpoints.
(3) Press F5 to return to the WinZip registration dialog and press the "OK" button. The program quickly breaks in GetDlgItemTextA. Press F11 to continue and it breaks in GetDlgItemTextA once more. This lets us guess that WinZip uses GetDlgItemTextA to fetch the username and the registration code.
(4) Use the `BC` command to clear the three breakpoints other than the one on GetDlgItemTextA.
(5) Re-enter the username and registration code (as above), ready for the formal disassembly process.
2.3 Analyzing the verification of the registration code
(1) Press the "OK" button. The program stops at the entry of GetDlgItemTextA; press F11 to step out of this function and you see the following assembly code:

0167:00407F6D CALL [USER32!GetDlgItemTextA]
0167:00407F73 PUSH EDI          ; program stops here, EDI points to "feizhaod"
0167:00407F74 CALL 0043F89A
0167:00407F79 PUSH EDI
0167:00407F7A CALL 0043F8C3
0167:00407F7F POP ECX
0167:00407F80 MOV ESI, 0048CDA4
0167:00407F85 POP ECX
0167:00407F86 PUSH 0B
0167:00407F88 PUSH ESI
0167:00407F89 PUSH 0000C81
0167:00407F8E PUSH EBX
0167:00407F8F CALL [USER32!GetDlgItemTextA]
0167:00407F95 PUSH ESI          ; ESI points to "bingo"

After pressing F11 the program stops at the line marked above; with the `D EDI` command you can see that the memory EDI points to holds the username. Step with F10 and not far below is another GetDlgItemTextA; follow it with F10, then press F11 to step out, and `D ESI` shows that ESI points to the registration code.
This proves the earlier judgment correct: WinZip uses GetDlgItemTextA to fetch the username and the registration code.
(2) WinZip now has the username and registration code it wanted, so the verification process should follow. Stepping on with F10, we see this piece of code:

0167:00407F96 CALL 0043F89A
0167:00407F9B PUSH ESI
0167:00407F9C CALL 0043F8C3
0167:00407FA1 CMP BYTE PTR [0048CD78], 00   ; [0048CD78] points to "feizhaod"
0167:00407FA8 POP ECX
0167:00407FA9 POP ECX
0167:00407FAA JZ 00408005
0167:00407FAC CMP BYTE PTR [0048CDA4], 00   ; [0048CDA4] points to "bingo"
0167:00407FB3 JZ 00408005
0167:00407FB5 CALL 00407905
0167:00407FBA TEST EAX, EAX
0167:00407FC3 JZ 00408005
Note these two parts of the code:
0167:00407FA1 CMP BYTE PTR [0048CD78], 00   ; [0048CD78] points to "feizhaod"
......
0167:00407FAA JZ 00408005
0167:00407FAC CMP BYTE PTR [0048CDA4], 00   ; [0048CDA4] points to "bingo"
......
0167:00407FB3 JZ 00408005
Anyone familiar with assembly language can see at once that these test whether a string is empty. When WinZip finds an empty string it jumps to [00408005], which is presumably where the "registration failed" dialog pops up. Going on, you see:
0167:00407FB5 CALL 00407905
0167:00407FBA TEST EAX, EAX
0167:00407FC3 JZ 00408005   ; note the jump here
After calling [00407905], WinZip checks whether EAX is 0 and, if so, jumps to [00408005].
[00408005] again, a familiar address!
Following down to [00408005] with F10, the "registration failed" message box pops up. This confirms the earlier judgment: [00408005] is where the registration-failed dialog is shown.
(3) There is no suspense here: the call to [00407905] decides whether the registration code is correct. If it is, EAX returns a non-zero value; otherwise it returns 0 and registration fails.
2.4 Digging into the registration-code calculation
(1) Our goal is to make this verification routine always return 1, the value that stands for a correct code, so we have to go into [00407905]. Step with F10 one instruction at a time, watching what ESI, ECX and EAX point to, and be sure to find the last place where the value of EAX is changed.
(2) Along the way there is an unexpected gain:
0167:00407AA9 PUSH ESI   ; ESI points to the entered registration code "bingo"
0167:00407AAA PUSH EAX   ; EAX points to the correct registration code "3E41159C"
......
0167:00407AD2 PUSH ESI   ; ESI points to the entered registration code "bingo"
0167:00407AD3 PUSH EAX   ; EAX points to the correct registration code "65293585"

In fact, at this point we could already register with the correct registration code the program itself has produced, but that is not our goal.

(3) Keep pressing F10 for a long time (how long? try it ^_^) until you finally see the following code:
0167:00407B3A MOV EAX, [00489FDC]   ; the last change to the value of EAX; here it is 0
......
0167:00407B46 RET
Continuing down, the verification process ends, and after the return the "registration failed" message box appears. We have found the last place the value of EAX is changed; what remains is to modify the assembly code.
2.5 Summary
From the tracing above we can see:
(1) WinZip's protection of the verification process is indeed very weak; the flag that decides success or failure is easy to find;
(2) Pay attention to the first PUSH instruction after an API call: it is often important data or a flag;
(3) Watch the comparison instructions carefully; the jump that follows them is often the decisive flag.
Now let's go straight to the program's binary code.
3 Making the registration patch
3.1 Modifying the code in memory
(1) First modify the code in memory; the purpose is to make the verification process always return a value.
(2) The instruction 0167:00407B3A MOV EAX, [00489FDC] is the key. Since MOV can also assign an immediate value, try changing it to:
0167:00407B3A MOV EAX, 1
(3) Let the program stop at [00407B3A], use the `A` command to enter the instruction above, then press Esc to leave assemble mode.
(4) Use `BD *` to disable all breakpoints.
(5) Press F5 to let the program run on, and there it is: the "registration successful" message box. Choose to try again and registration still succeeds.
3.2 Making the registration patch
(1) Finally, the patch is made by modifying the EXE file directly. Repeat the process of 3.1, but when you reach [00407B3A] do not change it right away; first look at the binary code of this instruction with the `D 407B3A` command. You will see:
00407B3A: A1 DC 9F 48 00 83 ......
(2) After modifying the assembly code, run `D 407B3A` again and you will see:
00407B3A: B8 01 00 00 00 83 ......
(3) Close WinZip, open the Winzip32.exe file in WinHex, search for the hex string A1 DC 9F 48 00 83, change it to B8 01 00 00 00 83, and save the file. The saved Winzip32.exe is the patch we want.
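The reason the two byte strings above can be swapped one-for-one, without shifting the code that follows (the 83 byte that starts the next instruction), is that `A1 moffs32` (MOV EAX from an absolute address) and `B8 imm32` (MOV EAX, immediate) are both exactly five bytes long. The script below is an added example, not part of the original article: it decodes only those two MOV EAX forms, checks that a replacement keeps the instruction length, and classifies a code buffer as unmodified or tampered so an integrity check can tell the original routine from a patched one. The buffers are constructed from the six bytes quoted in the article; no real file is read.

```python
import hashlib
import struct

# Constructed sample buffers: the six bytes the article quotes at 00407B3A
# before and after the patch. Labelled constructed; not read from any file.
ORIGINAL_BYTES = bytes.fromhex("A1DC9F480083")
PATCHED_BYTES = bytes.fromhex("B80100000083")
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL_BYTES).hexdigest()


def decode_mov_eax(code: bytes, offset: int = 0):
    """Decode the two single-opcode MOV EAX encodings discussed in the article.

    Returns (mnemonic, length) for A1 (MOV EAX, [moffs32]) and B8 (MOV EAX, imm32),
    or None for any other opcode. Both forms carry a little-endian 32-bit operand.
    """
    if offset + 5 > len(code):
        return None
    opcode = code[offset]
    operand, = struct.unpack_from("<I", code, offset + 1)
    if opcode == 0xA1:
        return (f"MOV EAX, [{operand:08X}]", 5)
    if opcode == 0xB8:
        return (f"MOV EAX, {operand:X}", 5)
    return None


def is_same_length_replacement(original: bytes, replacement: bytes) -> bool:
    """True when both buffers start with a decodable MOV EAX of equal length and
    the bytes after that instruction are untouched, i.e. no code was displaced."""
    a = decode_mov_eax(original)
    b = decode_mov_eax(replacement)
    if a is None or b is None or a[1] != b[1]:
        return False
    return original[a[1]:] == replacement[b[1]:]


def classify_routine(code: bytes) -> str:
    """Integrity check from the defender's side: compare the hash of the bytes at
    the verification routine's return site against the known-good value and, on a
    mismatch, say whether the change is the immediate-value substitution."""
    if hashlib.sha256(code).hexdigest() == KNOWN_GOOD_SHA256:
        return "original"
    decoded = decode_mov_eax(code)
    if decoded is not None and decoded[0].startswith("MOV EAX, ") and "[" not in decoded[0]:
        return "patched: memory load replaced by immediate"
    return "unknown modification"


if __name__ == "__main__":
    for label, buf in (("original", ORIGINAL_BYTES), ("patched", PATCHED_BYTES)):
        print(label, buf.hex(" "), decode_mov_eax(buf), classify_routine(buf))
    print("same-length replacement:", is_same_length_replacement(ORIGINAL_BYTES, PATCHED_BYTES))
```

The decoder is deliberately limited to the two opcodes the article uses; a general x86 decoder would need to handle prefixes, ModR/M and the full opcode map. The hash check is the part a packager or an anti-tamper routine would keep: any single-byte change at the return site changes the digest, which is why the article's patch is trivial to detect even though it is trivial to apply.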
4 Effect of the patch
Reinstall WinZip, replace the original Winzip32.exe with the patched file, open the registration dialog, enter the username "feizhaod" and the registration code "bingo", and press "OK": registration succeeds. After restarting WinZip you can see the registration information under "Help", as in the figure.
5 Conclusion
Through this cracking exercise I became familiar with how to use SoftICE as an excellent debugging tool, and SoftICE will certainly see wide use in my future work. I also came to understand the basic principle of software registration-code protection and of producing cracking patches.
A good Chinese site on software protection is Kanxue Academy (看雪学院), which has many materials on encryption and protection, some of them free. Type "看雪学院" directly into your browser to find it.
References:
(1) Cracking tutorials, Kanxue Academy (看雪学院)
(2) SoftICE manual

(figure omitted)

Fischandong