First, Memory Echo (Author CRuehead)
This is the most common way of discovering the serial number. Somewhere in memory there will be the serial number we entered, and somewhere else the correct serial number (often calculated from our name). Many of the programs we crack use this protection method. If you find code like the following, pay attention:

    MOV BL, [ESI]   ; take out a character
    MOV BH, [EDI]   ; take out a character from the correct serial number
    CMP BL, BH      ; compare them
    JNE ...         ; if they differ, you are judged to have an illegal serial number

So the code compares against a serial number held in memory; under SoftICE, type "D ESI" and you will see the correct serial number in the data window. Another form:

    MOV ECX, LengthOfValidSerial   ; how many bytes to compare
    REPZ CMPSB                     ; compare the strings at DS:ESI (correct number) and ES:EDI (entered number)
    JE ...                         ; judge

If you find such code in SoftICE, use the command "D ESI" to view it.
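As an added illustration (not part of the original tutorial; the serial and the digest scheme are constructed for the demo), the C below places the weak pattern this section describes beside a form that never holds the correct serial in memory, so there is nothing for "D ESI" or a memory search to echo:

```c
#include <stdint.h>
#include <string.h>

/* Constructed demo serial; only the weak version keeps it in memory. */
#define VALID_SERIAL "DEMO-1234-ABCD"

/* Weak pattern from the text: the correct serial sits in memory next to
 * the entered one and is compared byte by byte, leaving on the first
 * mismatch (the MOV/CMP/JNE loop). A debugger stopped in this loop can
 * dump the correct serial from the pointer the loop reads. */
int weak_check(const char *input)
{
    const char *correct = VALID_SERIAL;   /* plaintext in memory */
    while (*correct) {
        if (*input++ != *correct++)       /* CMP BL,BH / JNE ... */
            return 0;
    }
    return *input == '\0';
}

/* FNV-1a 64-bit, used here only as a one-way digest so that the binary
 * and its memory hold a digest of the valid serial rather than the
 * serial itself. A real product would use a proper KDF or a signed
 * licence; FNV keeps this example self-contained. */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hardened pattern: digest the input and compare against the stored
 * digest in one word-sized operation, with no per-byte early exit.
 * The correct plaintext serial is never constructed, so the data window
 * at the comparison shows only digests. */
int hardened_check(const char *input, uint64_t stored_digest)
{
    uint64_t diff = fnv1a64(input) ^ stored_digest;
    return diff == 0;
}
```

In a shipped binary only the digest constant is compiled in; the tests below compute it from the demo serial purely for the check.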
Second, Win9X message breakpoints (using the BMSG command; see the SoftICE manual for details)

    BMSG xxxx WM_GETTEXT    (good for passwords)
    BMSG xxxx WM_COMMAND    (good for OK buttons)

The xxxx is of course the HWND value, but here is an important point: suppose you are using WM_COMMAND to try to locate the button push. You list the HWNDs and see that the HWND of the button is 0324 and the HWND of the window is 0129. To catch the button, use the window value, not the button value, in BMSG (the other just won't work). So for this example, to catch the button push we would type:

    BMSG 0129 WM_COMMAND
Third, using BPR

This is usually used when a breakpoint on a function such as GetDlgItemText(A) or GetWindowText does not catch the input; in that case use the HMEMCPY function instead. Note: HMEMCPY copies memory bytes.

When we break in hmemcpy, the relevant code is generally about 17 to 25 lines further on. You should generally see code similar to the following:

    PUSH ECX
    SHR ECX, 2     ; copy
    REPZ MOVSD     ; doubleword by doubleword from DS:ESI (32-bit) to the extra segment ES:EDI (32-bit)
    POP ECX
    AND ECX, 3
    REPZ MOVSB     ; like REPZ MOVSD, but byte by byte
    XOR DX, DX
    XOR AX, AX

You should now see the trick: with this method you can easily break on the serial number or name you entered.

Under SoftICE, at the REPZ MOVSD, give the command D DS:ESI (32-bit) or D DS:SI (16-bit); you should see your name or serial number. Alternatively, D ES:EDI (32-bit) or D ES:DI (16-bit) shows where your information will be copied to. For example, what you see might be 22BF:00000000. Pay attention to this unfamiliar segment: if you use BPR on this memory range, it may not stop. Now press F10 until your information has been copied (by the REPZ MOVSB). At this point type: PAGE 22BF:00000000 (or whatever seg:offset you saw; see the SoftICE manual for the exact meaning of PAGE). Generally you get something like:

    Linear    Physical  Attributes  Type
    80284960  01603960  PD A au rw  System

Now we can use BPR on the "Linear" address. Before setting the breakpoint you should know how many bytes you need to monitor. The segment is generally chosen as 30.
For example:

    BPR 30:80284960 30:80284969 RW

This breaks on any access within this 9-byte range. We use segment 30 because it always exists.

At this point it will break first; press F5, and it will probably break again where your serial number or name is read, and from there you analyse to find the correct serial number. This method is particularly effective for 16-bit programs.
Fourth, the hmemcpy method

The function most often used to break on the serial number is HMemcpy, whose role is to copy memory bytes. To use HMemcpy, first enter your details (serial number, name, etc.) into the registration box, then set the breakpoint (Ctrl-D, bpx hmemcpy), press Ctrl-D to return to the program, and click OK; the program will be intercepted. Press F12 or F10 to get back to the program's own code. On the way you will pass through some system areas, such as KERNEL and USER; these places cannot be changed, otherwise the system will crash. But watch out: some software is tricky and ships a user.dll in its own program directory with the serial number comparison code inside, so when you trace you must distinguish whether the USER area belongs to the system or to the software itself. The heart (version 1.0) is like this.

Generally, find the error CALL and analyse the code before it to find out which instruction skips this error CALL, then analyse the serial number further.

Sometimes the situation can be complicated, and we should analyse with W32DASM, using its "string data reference" function to find the error message; if you are lucky, you may find the serial number directly. Combining W32DASM and SoftICE saves us a lot of effort.
Fifth, using the S command

This is another method used a lot for cracking serial numbers (Taiwanese friends call it the "78 Dafa" method). The general steps: first enter the name or a false serial number (e.g. 78787878), press Ctrl-D to switch to SoftICE, then give the command:

    S 30:0 L fffffff '78787878'

This will find the address SSSS:SSSSSSSS. Set BPM SSSS:SSSSSSSS, press F5 to return, and click OK; the software will be intercepted. Then disable the previous breakpoint (bd *) and set BPM ES:EDI-8 (because you typed 8 characters). Press F5 to be intercepted again, then press F12 and F10 to return to the program; the remaining steps are the same as in the fourth method.
Sixth, Visual Basic serial numbers

For the specific features of VB programs, refer to the fifteenth lesson.

Method 1. First, be sure to load the VB runtime. Generally, after entering the serial number, BPX rtcMsgBox will be intercepted. At this point, use W32DASM to disassemble your program, and with the rtcMsgBox address you just found it is easy to see which local routine calls it; the serial number comparison code is before it. Note that VB functions differ from Win32 API functions: VB must put its parameters on the stack (PUSH instructions), so you may find the correct serial number in the PUSHes before the comparison function.

When cracking VB, the following functions are worth our attention: __vbaLenBstr (gets the length of a string), __vbaStrCopy, __vbaStrMove.

Method 2. Here the serial number comparison code of VB3, VB4 and VB5 is found by searching for its byte pattern. (You need to open the Winice.dat file and add the following 3 lines, and also load the VB runtime; refer to lesson 5 on SoftICE installation.)

    ; Visual Basic 3
    AF3="^s 0 L fffffff 8b,CA,F3,A6,74,01,9F,92,8D,5E,08;"
    ; Visual Basic 4 (searches for the string comparison code)
    AF4="^s 0 L fffffff 56,57,8b,7C,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"
    ; Visual Basic 5 (finds the integer or real comparison code)
    AF5="^s 0 L fffffff FF,75,E0,E8,85,EF,FF,FF,DC,1D,28,10,40,100,DF,E0,9E,75,03;"

The specific steps (valid only for VB5):
- Start the VB program to be cracked and enter a false serial number;
- Switch to SoftICE and set BPX hmemcpy;
- Leave SoftICE and press the "OK" button; SoftICE will break;
- Now use F11 and F10 to get out of the KERNEL area until you reach the VB runtime library;
- Find the string (these bytes are the core of the VB DLL's comparison code): press Alt-F4 to detect VB4 or VB5, Alt-F5 to detect VB5, Alt-F3 to detect VB3 (which key you use depends on your actual situation);
- Set the correct breakpoint at the return address (BPX
- Press F5 and you will land in the comparison code above;
- The last step is to view the serial number with ES:DI and DS:SI.
Method 3. Capturing the VB6 serial number (this method is for reference only)

Enter a false serial number into the program, switch to SoftICE, set BPX MSVBVM60!__vbaStrCat, return to the program and click OK; it will be intercepted and you will see the following code:

    :66060B5F PUSH EBP
    :66060B60 MOV EBP, ESP
    :66060B62 PUSH EBP
    :66060B65 PUSH EAX
    :66060B66 PUSH DWORD PTR [EBP+08]
    :66060B69 PUSH DWORD PTR [EBP+0C]
    :66060B6C CALL [661106E8]
    :66060B72 TEST EAX, EAX
    :66060B7A MOV EAX, [EBP+08]   ; we will look at EAX here
    :66060B7D POP EBP
    :66060B7E RET 0008

Now type the following commands:

    BC *
    BPX 66060B7D

Then press F5 to break, and use the command DD EAX to check whether the data window holds a string in WideChar format. Repeat the F5 step until you see the correct serial number. (DD EAX displays doublewords.)
Seventh, summary

When intercepting the serial number, breakpoints are generally set on the following functions under SoftICE: GetDlgItemInt, GetDlgItemTextA, GetTabbedTextA, GetWindowTextA, HMemcpy (Windows 95/98 only), lstrcmp, lstrlen, memcpy (NT only).