Cracking Device Monitor

Author: rockhwnd
Time: 2004.8.10
Web: http://blog.csdn.net/rockhwnd

When Device Monitor starts, it reads a file named license.DM in its own directory and decides from that file's content whether the program is registered. The code that reads the file and parses its content lives in
C:/program files/common files/HHD software/device Monitor/silk.dll
so set a breakpoint on CreateFile:

: 67f917af ff15d041f967 call dword ptr [67f941d0] // CreateFile: open the file
: 67f917b5 8bf8 mov edi, eax
: 67f917b7 83ffff cmp edi, ffffffff // did the open fail?
: 67f917ba 745d je 67f91819 // on failure, give up
: 67f917bc 53 push ebx // address that receives the (high dword of the) file size
: 67f917bd 57 push edi // the file handle just obtained
: 67f917be ff15ac41f967 call dword ptr [67f941ac] // GetFileSize
: 67f917c4 8bd8 mov ebx, eax // eax = 79c, the file size; keep it in ebx
: 67f917c6 53 push ebx // push the file size
: 67f917c7 e87a120000 call 67f92a46 // allocate a buffer for the file contents
: 67f917cc 83c404 add esp, 00000004
: 67f917cf 6a00 push 00000000 // lpOverlapped = NULL
: 67f917d1 8d5584 lea edx, dword ptr [ebp-7c]
: 67f917d4 52 push edx // address that receives the number of bytes read
: 67f917d5 53 push ebx // number of bytes to read (the file size)
: 67f917d6 50 push eax // the buffer address. Important! Keep an eye on it from here on
: 67f917d7 57 push edi // file handle
: 67f917d8 8945c0 mov dword ptr [ebp-40], eax // save the buffer address
: 67f917db ff156841f967 call dword ptr [67f94168] // ReadFile
: 67f917e1 57 push edi
: 67f917e2 ff15d441f967 call dword ptr [67f941d4] // closes the file. The memory eax points to really is the content of license.DM
: 67f917e8 8b7508 mov esi, dword ptr [ebp+08]
: 67f917eb 83c634 add esi, 00000034
: 67f917ee e82df2ffff call 67f90a20 // key function 1: the program checks the file content here
: 67f917f3 8b7dc0 mov edi, dword ptr [ebp-40] // the buffer address again
: 67f917f6 8b45b4 mov eax, dword ptr [ebp-4c]
: 67f917f9 53 push ebx
: 67f917fa 57 push edi
: 67f917fb 50 push eax
: 67f917fc e86ff8ffff call 67f91070 // key function 2: the program checks the file content here
: 67f91801 57 push edi
: 67f91802 8bf0 mov esi, eax
: 67f91804 e843120000 call 67f92a4c
// Frees the buffer. The way to know that the preceding calls check the file content is precisely that the file buffer is released here: once it is freed, verification is finished, so the two functions above are the important ones.
: 67f91809 83c404 add esp, 00000004
: 67f9180c 85f6 test esi, esi
// Was the file accepted, i.e. is the returned result non-zero?
: 67f9180e 0f8568010000 jne 67f9197c // not registered: go to hell; registered: go to heaven :) heaven is at 67f9197c. Change this to JMP.
: 67f91814 8b750c mov esi, dword ptr [ebp+0c] // from here on, the "unregistered" path
: 67f91817 33db xor ebx, ebx
.....

: 67f9197c 8b7508 mov esi, dword ptr [ebp+08] // code executed when registration succeeded
: 67f9197f 33ff xor edi, edi
: 67f91981 397e40 cmp dword ptr [esi+40], edi
: 67f91984 c745bc00000000 mov dword ptr [ebp-44], 00000000
: 67f9198b 761d jbe 67f919aa
: 67f9198d 33db xor ebx, ebx
: 67f9198f 90 nop
: 67f91990 8b563c mov edx, dword ptr [esi+3c]
: 67f91993 8b45d4 mov eax, dword ptr [ebp-2c]
: 67f91996 8b08 mov ecx, dword ptr [eax]
: 67f91998 03d3 add edx, ebx
: 67f9199a 52 push edx
: 67f9199b 50 push eax
: 67f9199c ff510c call dword ptr [ecx+0c]
: 67f9199f 83c701 add edi, 00000001
: 67f919a2 83c310 add ebx, 00000010
: 67f919a5 3b7e40 cmp edi, dword ptr [esi+40]
: 67f919a8 72e6 jb 67f91990

Note that there are two ways to modify the instruction 67f9180e 0f8568010000 jne 67f9197c.
One is to change it to JE, but that fails when the registration code is actually valid; the other is to change it to JMP.
0f85 68010000 jnz silk.67f9197c
E9 69010000 jmp silk.67f9197c
The JMP encoding is one byte shorter than the JNE (5 bytes instead of 6), so the relative displacement must grow by one to reach the same target and one byte of the original slot is left over. Pad it with a NOP after the JMP so that the instruction boundaries stay aligned.
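As an added illustration (not code from the original article), the small decoder below computes the target of a rel32 near branch and shows why the two encodings quoted above land on the same address despite their different displacements; it doubles as an integrity check that reports whether the 6-byte check site still holds the original conditional jump. Addresses and bytes are taken from the listing above; the function names are this example's own.

```python
import struct

# Values taken from the listing on this page; the names are this example's own.
CHECK_SITE = 0x67F9180E                           # address of the jne in silk.dll
HEAVEN = 0x67F9197C                               # address reached when the license is valid
ORIGINAL_BYTES = bytes.fromhex("0f8568010000")    # jne rel32 (6 bytes)
PATCHED_BYTES = bytes.fromhex("e96901000090")     # jmp rel32 + nop (5 + 1 bytes)


def decode_branch(addr, code):
    """Decode a near rel32 branch at addr: jmp (E9) or jcc (0F 80..8F).

    Returns (mnemonic, length, target). The target is computed from the
    address of the *next* instruction, which is why a one-byte-shorter
    opcode needs a displacement one larger to reach the same place.
    """
    if code[0] == 0xE9:
        mnem, length = "jmp", 5
        disp = struct.unpack_from("<i", code, 1)[0]
    elif code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        mnem, length = ("jne" if code[1] == 0x85 else "jcc"), 6
        disp = struct.unpack_from("<i", code, 2)[0]
    else:
        raise ValueError("not a rel32 near branch")
    return mnem, length, (addr + length + disp) & 0xFFFFFFFF


def check_site_state(code):
    """Integrity check for the 6-byte slot at CHECK_SITE.

    'original' : the conditional jump is intact
    'tampered' : the slot is an unconditional jump to HEAVEN padded with nop
    'unknown'  : anything else (not a recognisable branch, or a different edit)
    """
    slot = bytes(code[:6])
    if slot == ORIGINAL_BYTES:
        return "original"
    try:
        mnem, length, target = decode_branch(CHECK_SITE, slot)
    except (ValueError, IndexError):
        return "unknown"
    if mnem == "jmp" and target == HEAVEN and slot[length:] == b"\x90" * (6 - length):
        return "tampered"
    return "unknown"


if __name__ == "__main__":
    for name, b in (("original", ORIGINAL_BYTES), ("patched", PATCHED_BYTES)):
        mnem, length, target = decode_branch(CHECK_SITE, b)
        print(f"{name}: {mnem} ({length} bytes) -> {target:08x}, state={check_site_state(b)}")
```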
