Author: NetKi1l [ESST]
Information Source: China cracking alliance [edevil-Soul Security Team] (http://www.cncracker.com)
This article was published in the May issue of the magazine Hacker X Files.
Please credit the source when reprinting.
The wolf in the group sent me an offline plug-in (a game bot) to look at, so now is the time to analyze it.
PEiD 0.95 reports Microsoft Visual C++ v6.0 for the section, so this is the kind of unpacked target I like to work on. Run it and a login interface appears (figure 1).
Trial? Clicking "trial" does nothing at all, so is there no trial mode? If you log in with the user name "Netki1l" and the password "123456" and click "OK", a box titled "failed" pops up saying "Incorrect username or password!". Good, a message box: needless to say, load it in OD, set a breakpoint on MessageBoxA, and when it breaks the stack shows:
0012EE20 00C02C86 /CALL to MessageBoxA from krnln.00C02C80
0012EE24 00000000 | hOwner = NULL
0012EE28 0000008ca | Text = "incorrect user name or password! "
0012EE2C 0040C068 | Title = "failed"
0012EE30 00002030 \ Style = MB_OK | MB_ICONEXCLAMATION | MB_TASKMODAL
Then Alt+F9 (execute till user code) twice. After the first Alt+F9 the disassembly window is still in krnln's code domain, in a series of jnz ... retn 2.
So this is an Easy Language (e-language) program, whose runtime library is krnln. We have to single-step with F8 until we are back in the program's own code domain. (Many friends say they cannot find the string references; the reason is that when they return from the call they are not yet in the program's own domain. Once you are back in it, search for ASCII strings.) The string search listed 5635 entries here (figure 3).
The place circled in red is where we broke just now, and the line above it is the "incorrect password" string. Double-click the circled line, or right-click it and choose "Follow in Disassembler", or press Enter, to go to the disassembly window (figure 4).
Note that the address 0054A1A9 is highlighted black, meaning this is where the program broke, and the first CALL above it is the call to the Msgbox function. The comment on the right only shows because we came here from the string references; in general, and especially when the target is packed, it is empty. 0054A153 is the key jump: double-click it and change je to jne, then copy the change to the executable, save it and run. Now it prompts "md5file does not exist or the file (blcx.exe) ...", so I closed OD, changed the program name and ran it again. This time the prompt is "file (blcx.exe) was modified, it may be a trojan program". Really annoying. Regardless of how the check is done, first try a loader patch: I built one with the domestic KeyMake 1.73 (to save space, only the screenshots are shown, figure 5).
Take the addresses from figure 4. Run the patch and you get the prompt in figure 6.
It still does not work: run it again and it says the user name or password is incorrect. Has the key address changed? What now? It would be a pity to give up like this.
[Continued]
The above is the conventional cracking approach. Now let's try a new one. Run the program again and look at the complete interface (figure 7).
Besides the login window, the plug-in's main form is also shown behind it, with all of the plug-in's functions already loaded. Clicking the plug-in directly after it loads does not work, because focus always stays in the login window in front. So can we make the login window lose focus? Change of approach: first use FindWindow to find the windows by title, then use EnableWindow to re-enable input to the plug-in's main form (the modal login dialog has disabled it). A few minutes later the program was written and tested; it worked, but the login window was still sitting there, which looks bad, so use ShowWindow to hide it (figure 8).
The buttons inside now work, so I sent the patch to the wolf. Before long he reported back that the program was not fully cracked and still had functional limitations: clicking [Military] -> [attach to the armed forces] shows the prompt in figure 9.
That is easy to deal with. Load the plug-in in OD and run it, run the patch I wrote, set the MessageBoxA breakpoint, click [attach to the armed forces], and return to the program's code domain (figure 10):
0055E065 833D B40C3501 0> cmp dword ptr ds:[1350CB4], 2
This cmp compares the dword at address 1350CB4 (the operand bytes B4 0C 35 01 are the little-endian form of 01350CB4) with 2, and the jge below jumps over the limitation when the value is greater than or equal to 2. We can change the immediate 2 to 0, or change the value stored at 1350CB4 to 2.
0055E06C 0F8D 3B000000 JGE Blcx.0055E0AD ; functional limitations
You can also change jge to jmp, so the jump is always taken, for the same effect.
This article is just one example; in fact there are still many other ways to crack it.