Directly crack software without shelling

Source: Internet
Author: User

Patching packed ("shelled") software directly, without unpacking it first, takes some skill and a little luck. It looks very hard to do, but it is not as difficult as you might think. Let's take a look.
To write such a patch for a packed program, the following prerequisites are needed:
Good software tracing and analysis skills, because you do not have the author's source code and must work everything out yourself;
The ability to write simple code, that is, to assemble small code fragments; a debugger can help with this;
The necessary tools: PEiD, OllyDbg, W32DasM, a hex editor (WinHex, UltraEdit or another), a file-padding tool (such as ZeroAdd), and so on;
Any programming environment in which to build the patch program (the example below uses VB);
The simplest addition and subtraction operations (Icefire: this is also ?).
As an exercise, let's take the LS timer as an example and see how to write a patch for a packed program. The software offers the following functions: it reminds you of things at the times you set, so that you do not forget important events; it runs programs on a schedule you set; the various prompts can be repeated, for example every minute or every hour; it can shut the computer down at a set date and time (for example on January 1); it can count down to a shutdown, for example after 2 hours and 30 minutes; and it can shut down after the keyboard and mouse have been idle for a set period, for example 30 minutes after you leave the computer.
An unregistered copy can be used for 30 days; after that it must be registered to keep using it.
Prerequisites
PEiD identifies the packer as ASPack 2.12 -> Alexey Solodovnikov. This packer is relatively easy to unpack and its signature is easy to spot. When a program packed this way runs, the packer stub first decompresses the original program in memory and then jumps to it. We only need to find the point after decompression and before the original code runs, jump from there to our own patch code, apply the patch, and return so that the program continues normally.
Load the program in OllyDbg without running it, then scroll down the code area until you find the following code:
006083AF 61 POPAD
006083B0 75 08 jnz short LsDown.006083BA
006083B2 B8 01000000 mov eax, 1
006083B7 C2 0C00 RETN 0C
006083BA 68 00000000 PUSH 0
006083BF C3 RETN
Copy it out and keep it for reference. In the OllyDbg code area, drag the scroll bar all the way down until you reach the zero-filled area at the end of the code section. Pick a location near the start of that zero-filled area and note its offset. Double-click that line in the code area and enter any assembly instruction in the edit box that pops up, for example RETN.
Select this code in OllyDbg, right-click it and choose "Copy to executable file -> Selection" (the menu wording differs slightly between OD versions), then right-click in the code window that pops up and choose "Save file". Save it under a new name as a working copy (this step makes the offset calculation below easier).

In-depth tracking
This is the intensive part of the job, and it needs patience, observation and analytical judgement. Assume the program is unregistered and the trial period has expired. You must therefore find every key jump that decides whether the program is treated as registered, and record the relevant code (the software's registration algorithm is not reversible, so patching is the only option). The following key code is found:
1. 005366fa SETE AL
2. 0051321E jnz short LsDown.00513227
3. 00533C89 je short LsDown.00533C91
Through analysis and testing, we found that they need to be changed:
1. 005366FA mov al, 1
NOP
2. 0051321E je short LsDown.00513227
3. 00533C89 jnz short LsDown.00533C91
With these changes the software can be used without any restriction.

Create simulated patch
Because the patch is not applied inside the software itself but produced by a separate program, we need the machine code of the patch at assembly level. The machine code of the modified instructions is:
Mov al, 1 --> B0 01
NOP --> 90
Je short LsDown.00513227 --> 74 07
Jnz short LsDown.00533C91 --> 75 06
The offset addresses are:
005366fa
0051321E
00533C89
So the simulated patch looks like this:
Mov word ptr ss: [5366fa], 1B0
Mov byte ptr ds: [5366fc], 90
Mov byte ptr ds: [51321E], 74
Mov byte ptr ds: [533C89], 75
JMP LsDown.006083BA; return to the shell once the patch is done
NOP
NOP
Next, enter the assembly code above anywhere in the zero-filled area of the OllyDbg code area and copy out the corresponding machine code for reference. At the return offset 006083B0, change jnz short LsDown.006083BA to JMP 0060A310 (the location you chose) and copy out its machine code too. The simulated patch code is now complete.

Compile Patches
As we all know, the virtual address shown by the disassembler differs from the physical (file) offset of the same code in the compiled executable. To implant the patch from outside the shell you must obtain the physical offset of each position. Two physical offsets are needed here: one for jnz short LsDown.006083BA and one for the start of the patch code. These are found with the hex editor.
Open the renamed file saved earlier in UltraEdit (or another hex editor) and search for the hex bytes 75 08 B8 01 (corresponding to jnz short LsDown.006083BA). The offset of the first byte is 000935B0h; note it down. Then go to the end of the file and locate the code you added (corresponding to RETN); its offset is 00095510h (depending on the location you chose); note it down too. All the preparation is now complete.
With these preparations done, you can build your patch program in any programming environment.
Note the work to be done: modify the jump at 006083B0, implant the patch code and set the return jump. Other matters such as version detection, backing up the original file and help prompts should also be considered. Below is part of the code I wrote in VB:
Dim fhandle As Integer
Dim data1 As Byte, data2 As Byte, data3 As Byte, data4 As Byte
fhandle = FreeFile
Open Fname For Binary As fhandle
' Re-check
' =====================================================================
' Key marker used to identify the software version.
' VB's Get reads from a 1-based position, whereas a hex editor shows
' 0-based offsets, so the position used here is (hex editor offset + 1).
Get fhandle, &H935B0, data1    ' read four bytes to be on the safe side
Get fhandle, &H935B1, data2
Get fhandle, &H935B2, data3
Get fhandle, &H935B3, data4
' =====================================================================
' Abort if ANY of the four bytes differs from 61 75 08 B8 (the original
' combined the tests with And, which only aborts when all four differ).
If (data1 <> &H61) Or (data2 <> &H75) Or (data3 <> &H8) _
   Or (data4 <> &HB8) Then MsgBox "Check the software version!", _
   vbCritical + vbOKOnly, "File error": Close fhandle: Exit Sub
' Modify all the data to be patched.
' Each value is wrapped in CByte so that exactly one byte is written;
' a bare &H literal is an Integer, and Put would write two bytes for it.
' =====================================================================
' Modify the exit of the shell: jnz / mov eax,1 at 006083B0 becomes
' JMP 0060A310 (E9 5B 1F 00 00) followed by two NOPs
Put fhandle, &H935B1, CByte(&HE9)
Put fhandle, &H935B2, CByte(&H5B)
Put fhandle, &H935B3, CByte(&H1F)
Put fhandle, &H935B4, CByte(&H0)
Put fhandle, &H935B5, CByte(&H0)
Put fhandle, &H935B6, CByte(&H90)
Put fhandle, &H935B7, CByte(&H90)
' The patch code placed at 0060A310 (file offset 95510h)
' mov word ptr ss:[...], 1B0 -- note that the address bytes below read
' 005131FA, whereas the assembly listed earlier uses 005366FA; verify the
' address against your own trace before using it
Put fhandle, &H95511, CByte(&H66)
Put fhandle, &H95512, CByte(&H36)
Put fhandle, &H95513, CByte(&HC7)
Put fhandle, &H95514, CByte(&H5)
Put fhandle, &H95515, CByte(&HFA)
Put fhandle, &H95516, CByte(&H31)
Put fhandle, &H95517, CByte(&H51)
Put fhandle, &H95518, CByte(&H0)
Put fhandle, &H95519, CByte(&HB0)
Put fhandle, &H9551A, CByte(&H1)
' mov byte ptr ds:[...], 90 (same address remark as above, +2)
Put fhandle, &H9551B, CByte(&HC6)
Put fhandle, &H9551C, CByte(&H5)
Put fhandle, &H9551D, CByte(&HFC)
Put fhandle, &H9551E, CByte(&H31)
Put fhandle, &H9551F, CByte(&H51)
Put fhandle, &H95520, CByte(&H0)
Put fhandle, &H95521, CByte(&H90)
' mov byte ptr ds:[51321E], 74
Put fhandle, &H95522, CByte(&HC6)
Put fhandle, &H95523, CByte(&H5)
Put fhandle, &H95524, CByte(&H1E)
Put fhandle, &H95525, CByte(&H32)
Put fhandle, &H95526, CByte(&H52)
Put fhandle, &H95527, CByte(&H0)
Put fhandle, &H95528, CByte(&H74)
' mov byte ptr ds:[533C89], 75
Put fhandle, &H95529, CByte(&HC6)
Put fhandle, &H9552A, CByte(&H5)
Put fhandle, &H9552B, CByte(&H89)
Put fhandle, &H9552C, CByte(&H3C)
Put fhandle, &H9552D, CByte(&H53)
Put fhandle, &H9552E, CByte(&H0)
Put fhandle, &H9552F, CByte(&H75)
' JMP 006083BA (E9 86 E0 FF FF) back into the shell, then padding NOPs
Put fhandle, &H95530, CByte(&HE9)
Put fhandle, &H95531, CByte(&H86)
Put fhandle, &H95532, CByte(&HE0)
Put fhandle, &H95533, CByte(&HFF)
Put fhandle, &H95534, CByte(&HFF)
Put fhandle, &H95535, CByte(&H90)
Put fhandle, &H95536, CByte(&H90)
Put fhandle, &H95537, CByte(&H90)
' Finish writing and close the file.
Close fhandle

Icefire: careful readers may notice that the positions used in the two pieces of code are 1 more than the addresses we recorded, because the smallest pointer unit in VB is 1 rather than 0, while the smallest pointer unit in the hex editor is 0, so pay attention to this when programming on different platforms.
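The following Python script is an added example; it is not code from the article or from the LS timer's author. It packages the offset arithmetic the article does by hand (virtual address to file offset, JMP rel32 displacements, Icefire's note on 1-based VB positions versus 0-based hex-editor offsets) so the numbers can be checked, and it shows the check a defender would run on a packed file: are the bytes at the packer's exit stub still the original ones, or has that location been redirected into a code cave? The image base (0x400000) and the two-entry section table are constructed assumptions chosen so that the article's two address pairs (006083B0 -> 000935B0 and 0060A310 -> 00095510) hold; the sample file image is constructed too, built only from the stub bytes the article lists.

```python
"""Added example (not from the article): PE offset arithmetic and a
packer-stub integrity check. Image base and section table are assumptions."""
from dataclasses import dataclass

IMAGE_BASE = 0x400000  # assumed; the article never states LsDown's image base


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int      # RVA where the section is mapped
    virtual_size: int
    pointer_to_raw_data: int  # file offset of the section's raw bytes
    size_of_raw_data: int


# Constructed section table: chosen so that VA 006083B0 maps to file offset
# 000935B0 and VA 0060A310 maps to 00095510, the two pairs the article records.
SECTIONS = (
    Section(".text", 0x1000, 0x207000, 0x400, 0x92E00),
    Section(".aspack", 0x208000, 0x2400, 0x93200, 0x2400),
)


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Translate a virtual address to a file offset through the section table.
    The article gets the same numbers by searching for byte patterns in a hex editor."""
    rva = va - image_base
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.size_of_raw_data:
                raise ValueError(f"{va:#x} lies in the virtual-only tail of {s.name}")
            return s.pointer_to_raw_data + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def vb_position(hex_editor_offset):
    """VB's Get/Put positions are 1-based; hex editors show 0-based offsets."""
    return hex_editor_offset + 1


def jmp_rel32(insn_va, target_va):
    """Encode JMP rel32: opcode E9 plus a signed 32-bit displacement measured
    from the end of the 5-byte instruction."""
    disp = target_va - (insn_va + 5)
    return b"\xE9" + disp.to_bytes(4, "little", signed=True)


# The unpacking stub's exit code that the article lists at 006083AF.
STUB_VA = 0x6083AF
STUB_BYTES = bytes.fromhex("61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3")


def build_sample_image(patched=False):
    """Constructed stand-in for the packed file: zeros plus the stub bytes.
    With patched=True the stub exit is redirected exactly as the article
    describes, giving the detector a tampered sample to flag."""
    img = bytearray(0x96000)
    off = va_to_file_offset(STUB_VA)
    img[off:off + len(STUB_BYTES)] = STUB_BYTES
    if patched:
        # jnz + mov eax,1 (7 bytes) replaced by a jmp into the cave plus two NOPs
        redirect = jmp_rel32(0x6083B0, 0x60A310) + b"\x90\x90"
        o = va_to_file_offset(0x6083B0)
        img[o:o + len(redirect)] = redirect
    return bytes(img)


def stub_is_intact(image, expected=STUB_BYTES[:4]):
    """Same test as the article's VB version check: the four bytes at the stub
    exit must still read 61 75 08 B8; any difference means the file was altered."""
    off = va_to_file_offset(STUB_VA)
    return image[off:off + len(expected)] == expected


if __name__ == "__main__":
    print(f"006083B0 -> file offset {va_to_file_offset(0x6083B0):#010x}")
    print("VB position for that offset:", hex(vb_position(0x935B0)))
    print("redirect jmp:", jmp_rel32(0x6083B0, 0x60A310).hex(" "))
    print("return jmp:  ", jmp_rel32(0x60A32F, 0x6083BA).hex(" "))
    print("clean image intact:  ", stub_is_intact(build_sample_image()))
    print("tampered image intact:", stub_is_intact(build_sample_image(patched=True)))
```

Run as is, the script reproduces the article's two displacements (E9 5B 1F 00 00 for the redirect at 006083B0 and E9 86 E0 FF FF for the return jump at 0060A32F), reports the clean sample as intact and the tampered one as altered. On a real file you would replace the constructed section table with the one parsed from the PE header and compare the bytes at the stub exit against a known-good hash or byte pattern rather than trusting the file's own contents.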

Build the patch code into an executable program, then try it out to see whether the packed software is patched and still works properly. If everything is normal, you are done.

Postscript
Sometimes you may want to add something of your own to the software, such as a warning box. This is not difficult, as long as you know what conditions and code are needed to pop up a dialog box. For example, suppose I want to show a dialog box before the software starts.
How should this be done? This is admittedly harder. If there is an existing dialog-box function that can be called from outside the shell, you can simply call it; if not, more code has to be added, which I will not cover here so as not to mislead.
In short, writing a patch is like writing a program: it lets you achieve your own goals and show your skill and ingenuity. You have to try it yourself to appreciate it.

Author: laoxuetong [NukeGroup]
