Cracking Articles for Newbies: Cracking Software


[Author] Younger Brother [Blasting King]
[Source] bbs.pediy.com
[Article Title] Cracking Articles Every Newbie Must Read (1): Cracking Software
[Software Name] crackme
[] See below
----------------------------------------------------------------------------------------------
[Protection Method] Disc encryption
[Cracking Tool] OllyDbg v1.10b
[Software Restrictions] None
[Cracking Platform] XP SP2
----------------------------------------------------------------------------------------------
[Introduction]
This article is intended for newbies. I can only write an article at this level, so please don't laugh at me.
If you have any questions, post them below.
----------------------------------------------------------------------------------------------
[Cracking process]
This post cracks a crackme, mainly because real software can't be used here.
First, the principle of "blasting" (patching a conditional jump). Take this statement:

    If qqq = 1 Then
        Correct Registration
    End If

If qqq = 1, the registration is accepted. Now reverse the condition:

    If Not qqq = 1 Then
        Correct Registration
    End If

Now an incorrect registration code is accepted and the correct registration code is rejected, because the condition has been reversed.
That is the basic principle of blasting.
Here are the common conditional jumps and their opposites:

    jc   jump if carry              jnc  jump if no carry
    jz   jump if zero               jnz  jump if not zero
    je   jump if equal              jne  jump if not equal
    js   jump if sign (negative)    jns  jump if not sign
    jo   jump if overflow           jno  jump if no overflow
    jp   jump if parity even        jnp  jump if parity odd
Now let's start our blasting journey ^_^
First load unabexcm1.exe in OllyDbg v1.10b.
You will see this code:
00401000 u>/$ 6A 00 push 0 ;/Style = MB_OK|MB_APPLMODAL
00401002 |. 68 00204000 push unabexcr.00402000 ;|Title = "abex 3rd crackme"
00401007 |. 68 12204000 push unabexcr.00402012 ;|Text = "Click OK to check for the keyfile."
0040100C |. 6A 00 push 0 ;|hOwner = NULL
0040100E |. E8 8C000000 call ;\MessageBoxA
00401013 |. 6A 00 push 0 ;/hTemplateFile = NULL
00401015 |. 68 80000000 push 80 ;|Attributes = NORMAL
0040101A |. 6A 03 push 3 ;|Mode = OPEN_EXISTING
0040101C |. 6A 00 push 0 ;|pSecurity = NULL
0040101E |. 6A 00 push 0 ;|ShareMode = 0
00401020 |. 68 00000080 push 80000000 ;|Access = GENERIC_READ
00401025 |. 68 B9204000 push unabexcr.004020B9 ;|FileName = "abex.l2c"
Don't understand it? Don't worry about it. Press F9 to run, click OK, and you get the prompt "Hmmmmm, I cant find the file!".
Right-click the disassembly and choose Search for > All referenced text strings.
After a moment you will see a bunch of strings; find "Hmmmmm, I cant find the file!" and double-click it.
You land here:
00401034 |. 83F8 FF cmp eax,-1
00401037 |. 74 3C je short unabexcr.00401075 ; <-(1)
00401039 |. 6A 00 push 0
0040103B |. FF35 CA204000 push dword ptr ds:[4020CA]
00401041 |. E8 4D000000 call
00401046 |. 83F8 12 cmp eax,12
00401049 |. 75 15 jnz short unabexcr.00401060
0040104B |. 6A 00 push 0
0040104D |. 68 35204000 push unabexcr.00402035
00401052 |. 68 40204000 push unabexcr.00402040
00401057 |. 6A 00 push 0 ;|hOwner = NULL
00401059 |. E8 41000000 call ;\MessageBoxA
0040105E |. EB 28 jmp short unabexcr.00401088
00401060 |> 6A 00 push 0 ;/Style = MB_OK|MB_APPLMODAL <-(2)
00401062 |. 68 79204000 push unabexcr.00402079 ;|Title = "Error"
00401067 |. 68 7F204000 push unabexcr.0040207F ;|Text = "The found file is not a valid keyfile!"
0040106C |. 6A 00 push 0 ;|hOwner = NULL
0040106E |. E8 2C000000 call ;\MessageBoxA

Have you seen the jump at (1)? The program first checks whether the file is present; if there is no disc, it displays the "can't find the file" error prompt. If (1) is changed, the jump is not taken and that file error prompt no longer appears.

The jnz at 00401049 is there because the program compares whether the file is correct (cmp eax,12). If it is not, it jumps to the "not a valid keyfile" prompt at (2). Change this jnz to jz and the crackme is blasted perfectly.
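To make the jump table and the two checks in the listing concrete, here is an added Python example (not from the original post). It decodes the short conditional jumps at 00401037 (74 3C) and 00401049 (75 15), verifies the targets OllyDbg shows, computes the flags that cmp sets, and shows why flipping the low bit of the opcode gives the opposite condition from the table above. The compared values (-1 and 12) are taken from the listing; the flag model is standard x86.

```python
# Added example: decode rel8 conditional jumps from the OllyDbg listing and
# evaluate them with the flag semantics of the jump table in the article.

# Short (rel8) jcc opcodes are 0x70-0x7F. Each pair differs only in the low
# bit, so `opcode ^ 1` is the inverse condition (jz <-> jnz, jc <-> jnc, ...).
SHORT_JCC = {
    0x70: "jo", 0x71: "jno", 0x72: "jc", 0x73: "jnc",   # jc/jnc are also jb/jnb
    0x74: "jz", 0x75: "jnz", 0x76: "jbe", 0x77: "ja",   # jz/jnz are also je/jne
    0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",   # parity even / parity odd
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}

def decode_short_jcc(address, code):
    """Decode the 2-byte jcc at `address`: (mnemonic, target, inverse mnemonic, inverse bytes)."""
    opcode, rel8 = code[0], code[1]
    if opcode not in SHORT_JCC:
        raise ValueError(f"not a short jcc opcode: {opcode:#04x}")
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8   # rel8 is a signed displacement
    target = address + 2 + disp                     # relative to the next instruction
    return SHORT_JCC[opcode], target, SHORT_JCC[opcode ^ 1], bytes([opcode ^ 1, rel8])

def cmp_flags(a, b, bits=32):
    """EFLAGS produced by `cmp a, b` (computes a - b and keeps only the flags)."""
    mask = (1 << bits) - 1
    a, b = a & mask, b & mask
    res = (a - b) & mask
    sign = lambda x: (x >> (bits - 1)) & 1
    return {"zf": res == 0, "cf": a < b, "sf": bool(sign(res)),
            "of": sign(a) != sign(b) and sign(res) != sign(a),
            "pf": bin(res & 0xFF).count("1") % 2 == 0}

def taken(mnemonic, f):
    """Whether the jump is taken under flags `f`, following the article's jump table."""
    zf, cf, sf, of, pf = f["zf"], f["cf"], f["sf"], f["of"], f["pf"]
    cond = {"jo": of, "jno": not of, "jc": cf, "jnc": not cf, "jz": zf, "jnz": not zf,
            "jbe": cf or zf, "ja": not (cf or zf), "js": sf, "jns": not sf,
            "jp": pf, "jnp": not pf, "jl": sf != of, "jge": sf == of,
            "jle": zf or sf != of, "jg": not zf and sf == of}
    return bool(cond[mnemonic])

# The two checks from the listing: (address, opcode bytes, value eax is compared with).
LISTING = [(0x00401037, bytes([0x74, 0x3C]), -1),     # cmp eax,-1 ; je  -> "can't find the file"
           (0x00401049, bytes([0x75, 0x15]), 0x12)]   # cmp eax,12 ; jnz -> "not a valid keyfile"

if __name__ == "__main__":
    for addr, code, operand in LISTING:
        mn, target, inv, inv_bytes = decode_short_jcc(addr, code)
        f = cmp_flags(operand, operand)   # the case where eax equals the compared value
        print(f"{addr:08X} {code.hex(' ')} {mn} short {target:08X}: taken={taken(mn, f)}"
              f"  inverse {inv} ({inv_bytes.hex(' ')}): taken={taken(inv, f)}")
```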
