Software cracking note

Source: Internet
Author: User

Recently I became interested in software cracking, mainly in order to improve the protection of our own software. I had been chasing a particular version of one program; the only cracked copy I could find on the Internet still carried a restriction of thirty. Now the software has been cracked :) It seems I have a future in this field :))

On a stubborn impulse, I decided to crack it myself. This decision was actually a big challenge for me: I had not been passionate about anything new for a long time, so although I enjoyed it, I was a bit skeptical about whether I could finish.

The target is a financial application named XXXXX (I have deliberately hidden the product name). It is an online application with a C/S (client/server) structure and requires a hardware encryption lock (dongle): if the lock check passes, the full version is shown; otherwise it runs as the trial version. From the demonstration, the software only checks the encryption lock at startup, which already tells us something about the remaining check points.

An additional clue: the crack found on the Internet only modifies one dynamic link library in the program, XXXXX.dll, which told me that I only needed to crack XXXXX.dll. Because the cracked copy on the Internet is packed (shelled) and I do not know how to unpack, I turned to the original XXXXX.dll instead. Opening it in W32Dasm, I could find the definition and implementation of every exported function, which shows that the DLL is not packed or encrypted.

Analysing a binary program is generally divided into static analysis and dynamic debugging. W32Dasm is usually used for static analysis; it makes it easy to locate the entry point of each exported function. By reading the code, I found several functions:

FindNetRockey

FindRockey

CheckNetRockey

CheckRockey

HaspLogin

HaspLogout

(From what I know, our company also uses these encryption locks.) These are all functions that read the encryption lock. However, after the static analysis I found that my abilities were limited and I could not fully understand the code. Still, in the process I reviewed my Win32 assembly knowledge, including stack balancing and returning values through EAX.

On a colleague's recommendation I used OllyDbg for dynamic debugging. This was the right decision :)

There is also a program for loading a DLL. With it you can debug the DLL dynamically without a host program and work out the function parameters and return values by guessing. However, I did not end up using this method directly.

Loading the client program itself works fine. Xxxxxclient.exe is written in VB, and there are many traces of VB in the assembly code.

The first thing I needed to do was locate the function entry that reads the encryption lock. At first I tried single-step tracing, found it far too slow, and lost patience. Then I remembered that since this is a DLL, the client must call LoadLibrary and GetProcAddress; as long as you know the function address, you should be able to find it quickly.

How do I get the address returned by GetProcAddress? I used Dependency: I opened Ac990Client.dll, clicked the Walk button, and found in the output log where XXXXX.dll was called.

That gave me a function address A. In OllyDbg I went to A and indeed found the LoadLibrary call. I also discovered that OllyDbg can trace into the DLL being called. So if I set a breakpoint directly inside XXXXX.dll, can I get in there? It turned out my guess was right, which laid the foundation for faster progress. I should say that there had been many detours before this point.

After some tracing, just when I was about to give up, I found that the HaspLogin function has only two exits. Before one of them returns, it executes xor eax, eax (setting EAX to 0); the other sets EAX to 1. Debugging showed that the first path is taken when the encryption lock is absent. What if the second path were taken? I set EAX to 1 and saw xxxxxclient.exe display the genuine-version message! Great!

Next comes modifying the program. Unfortunately I have not found out how to edit and save the modification in OllyDbg, so I thought of the HiView program a colleague had recommended at the same time. Just before the location I found there are a few jump instructions, such as jne a316753; all that is needed is to change the jump that leads to the xor eax, eax path. In addition, I replaced a time-consuming call with a run of nop instructions. Save, test! Success.
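A defender-side counterpart to the patch just described, added here as an example and not part of the original post: given a known-good copy of a DLL and the deployed copy, report every modified byte range and label the two patch patterns the post mentions (a conditional jump forced into an unconditional one, and a call replaced by NOPs). The sample bytes are constructed for the example and are not taken from XXXXX.dll.

```python
import hashlib

NOP = 0x90          # x86 one-byte nop
CALL_REL32 = 0xE8   # call rel32, five bytes in total
JMP_SHORT = 0xEB    # jmp rel8, what a patched jne/je usually becomes

def image_digest(image: bytes) -> str:
    """SHA-256 of a file image; compare with the digest recorded at build time."""
    return hashlib.sha256(image).hexdigest()

def diff_regions(good: bytes, deployed: bytes):
    """Contiguous byte ranges where the deployed image differs from the known-good one.
    Returns (offset, original_bytes, new_bytes) tuples. Hex-editor patches keep the
    file size, so a size change is treated as a different build, not a patch."""
    if len(good) != len(deployed):
        raise ValueError("image sizes differ: not an in-place patch")
    regions, i, n = [], 0, len(good)
    while i < n:
        if good[i] == deployed[i]:
            i += 1
            continue
        start = i
        while i < n and good[i] != deployed[i]:
            i += 1
        regions.append((start, good[start:i], deployed[start:i]))
    return regions

def classify(region) -> str:
    """Label a modified region with the patch pattern it most resembles."""
    offset, orig, new = region
    if all(b == NOP for b in new):
        if orig[0] == CALL_REL32 and len(new) == 5:
            return f"{offset:#x}: call rel32 replaced by 5 NOPs"
        return f"{offset:#x}: {len(new)} bytes replaced by NOPs"
    if len(orig) == 1 and 0x70 <= orig[0] <= 0x7F and new[0] == JMP_SHORT:
        return f"{offset:#x}: conditional short jump forced to unconditional jmp"
    return f"{offset:#x}: {len(new)} bytes changed ({orig.hex()} -> {new.hex()})"

def audit(good: bytes, deployed: bytes):
    """Return [] when the image is intact, otherwise one label per tampered region."""
    if image_digest(good) == image_digest(deployed):
        return []
    return [classify(r) for r in diff_regions(good, deployed)]

# Constructed sample: a jne that gates `xor eax, eax`, followed by a 5-byte call,
# and the same bytes after the kind of patch the post describes.
GOOD = bytes([0x75, 0x05, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x33, 0xC0, 0xC3])
PATCHED = bytes([0xEB, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x33, 0xC0, 0xC3])

if __name__ == "__main__":
    for line in audit(GOOD, PATCHED):
        print(line)
```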

This was my first attempt at cracking a program. I am not yet very familiar with many of the related tools, but I now have a complete picture of the cracking process. More cracking to follow!
