Six basic software cracking concepts

Source: Internet
Author: User

1. Breakpoint: a breakpoint is the place where a program is interrupted. The word is familiar to anyone who does cracking. So what is an interrupt? An interrupt occurs when a special event (an interrupt event) causes the computer to suspend its current task (program), execute another task (the interrupt service routine), and then return to the original task and continue executing it. For example, you are at work when someone suddenly calls to say that he is arriving by train from another city and asks you to pick him up at the station. You ask your boss for a short leave, rush to the station, meet your classmate, get him settled, and then go back to the company and carry on working. That is an interrupt process. In cracking, we wait until the program has obtained the entered registration code and is about to compare it with the correct one, and interrupt it at that moment; by analysing the program from there we can find the correct registration code. Therefore we set a breakpoint in the program being cracked and then trace how the program handles the registration code, as the situation requires, to achieve the goal.

2. Airspace: this is a very important concept, yet beginners often find it hard to grasp. The term "airspace" appears in all kinds of cracking articles, and if you do not know where a program's airspace is, you will not get through the door of cracking. You may have cracked some software already, but that was a matter of luck, a blind cat bumping into a dead mouse (I used to be like this myself ^_^, and it embarrasses me now!). Put bluntly, a program's airspace is the place where the program itself lives, that is, where the code of the program we intend to crack is located. You may immediately ask: I set the breakpoint while the program was running, so why, after the interrupt, am I not in the program's own space? Because there is no fixed pattern for how each program is written, when we want to cut into a program we cannot rely on that specific program to set the breakpoint; the breakpoint we set must be something that every program uses. In the DOS era essentially all programs worked through interrupt routines, that is, almost all DOS programs called various interrupts to get their work done. In the Windows era, however, programs are not allowed to call interrupts directly. Windows provides a platform of system function calls, the API, and just as DOS programs were built on interrupt routines, Windows programs use the API as the basis for dealing with the system and for all kinds of functions. Therefore the breakpoints used in software cracking under Windows are set on API functions: when the program calls an API function, its normal execution is interrupted and the cracking can begin. For example, in SoftICE set the following breakpoint: bpx GetDlgItemText (get the text of a dialog box item).
When the program being cracked needs to read the input data it calls GetDlgItemText and is immediately intercepted by SoftICE. The cracked program is therefore stopped inside the GetDlgItemText code, and GetDlgItemText lives in the system area managed by Windows. Modifying this part of the code without authorization would be a disaster! So we need to return from the system area to the location of the cracked program's own code (that is, the program's airspace) before we can crack the program. For how to view the program's airspace, see the SoftICE diagram above. Think about it: how could we find anything useful about a particular program in a program segment that every program calls? (How the encryption is done is decided by the program itself, not by the system functions it calls!)

3. API: short for Application Programming Interface (the Chinese term is a direct translation of this). It is a large collection of system-defined functions that provide ways to access operating system features. The API contains hundreds of functions that applications call; these functions perform all the operating-system-related operations that are needed, such as memory allocation, screen output and window creation. A user's program deals with Windows by calling the API: whatever kind of application it is, at the lowest level the user's program ultimately implements its functions by calling API functions. The API generally comes in two basic forms, Win16 and Win32. Win16 is the original 16-bit version of the API for Windows 3.1; Win32 is the current 32-bit version for Windows 95/98/NT/ME/2000. Win32 includes Win16, that is, it is a superset of Win16, and the names and usage of most functions are the same. The difference between a 16-bit and a 32-bit API function name is the last letter. For example, take the breakpoints bpx GetDlgItemText, bpx GetDlgItemTextA and bpx GetDlgItemTextW: GetDlgItemText is the 16-bit API function, while GetDlgItemTextA and GetDlgItemTextW are 32-bit API functions, the A indicating that the function uses single-byte characters and the W that it uses double-byte characters. Today we mostly deal with Win32 single-byte API functions, those like GetDlgItemTextA; the other two kinds (Win16 API functions and Win32 double-byte API functions) are rare. Win32 API functions are contained in dynamic link libraries (DLLs), namely kernel32.dll, user32.dll, gdi32.dll and comctl32.dll. This is why we use commands such as exp=C:\windows\system\kernel32.dll in SoftICE to import these dynamic link libraries into SoftICE; if this is not done, we cannot intercept the program's calls to Win32 API functions.

4. How the registration code exists in the program: during cracking we go to the place in the program where the entered registration code is compared with the correct one, and then trace and analyse the program to find the correct registration code. The correct registration code usually exists in the program in one of two forms, explicit or implicit. With an explicit registration code we can see it directly in the program's memory; for example, a registration code such as "297500523" (a made-up value) can be seen directly in the SoftICE data window, and software with an explicit registration code is easier to crack. Some software, however, does not compare the entered registration code directly with the correct one: it may convert the registration code to an integer, or split it into pieces and compare the pieces one by one in different places, or transform the entered code and then verify it with a dedicated routine. In short, applications adopt various complex calculations to avoid a direct comparison of registration codes. For such programs we usually need to trace carefully, analyse each function of the program and find the encryption algorithm before we can crack it. Of course, this requires a certain level of 8086 assembly programming skill and a great deal of patience and energy.
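The difference between the two forms, as an added example in C that is not from the original article: check_explicit stores the correct code as a plain string and compares it directly, so the literal sits in the program's data and is visible in a debugger's data window at the moment of comparison, which is the explicit case described above; check_implicit stores no correct code at all and instead validates the entered code by converting its digits and applying a weighted check-digit rule, so interrupting the comparison yields an algorithm to analyse rather than a value to read off. The sample code "297500523" is the article's made-up value; the check-digit rule and the other sample codes are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample code for the explicit variant (the article's made-up
 * value).  Because it is stored as a plain string, it lives in the program's
 * data section and appears verbatim in a debugger's data window once the
 * comparison below is interrupted. */
static const char CORRECT_CODE[] = "297500523";

/* Explicit form: the entered code is compared byte-for-byte with the stored
 * correct code.  Returns 1 on match, 0 otherwise. */
int check_explicit(const char *entered)
{
    return strcmp(entered, CORRECT_CODE) == 0;
}

/* Implicit form: no correct code is stored anywhere.  The entered code is
 * converted digit by digit and a weighted check-digit rule is evaluated:
 * 3 * (sum of digits at even positions) + (sum of digits at odd positions)
 * must be a multiple of 10.  The nine-digit format and the rule itself are
 * constructed for this example, not taken from any real product. */
int check_implicit(const char *entered)
{
    size_t len = strlen(entered);
    if (len != 9)                 /* constructed format: exactly nine digits */
        return 0;

    unsigned sum = 0;
    for (size_t i = 0; i < len; ++i) {
        if (!isdigit((unsigned char)entered[i]))
            return 0;             /* reject anything that is not a digit */
        unsigned d = (unsigned)(entered[i] - '0');
        sum += (i % 2 == 0) ? 3 * d : d;
    }
    return sum % 10 == 0;
}

int main(void)
{
    /* Constructed inputs: the article's sample value, a code that satisfies
     * the check-digit rule, and one that fails it. */
    const char *samples[] = { "297500523", "123456784", "123456789" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%s  explicit=%d  implicit=%d\n", samples[i],
               check_explicit(samples[i]), check_implicit(samples[i]));
    return 0;
}
```

From the protection side the lesson is the one the article itself draws: a plaintext comparison hands over the answer as soon as it is interrupted, while a rule-based check at least forces the algorithm to be analysed. A real product would use a keyed or cryptographic verification rather than a toy check digit, but the structural point, that nothing worth reading is stored in the program, is what separates the two forms.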

5. Software cracking methods: I divide them into two categories, complete cracking and brute-force cracking. Complete cracking is mainly aimed at software that requires a registration code or password to be entered. If, by tracing the program, we can find the correct registration code and the software is then registered successfully through its own registration function, that is called a complete crack. Some software, however, provides no registration function at all and is offered only as a trial (demo); or registration cannot be performed through the software itself (for example, a separate dedicated registration program has to be obtained, or registration is done over the Internet); or the software's encryption is so complex that the cracker, with limited ability, energy and time, cannot directly obtain the correct registration code. In that case we have to modify the program code of the software itself, and that is what is called brute-force cracking.

6. Addresses of program code in cracking tutorials: cracking tutorials often include some program code to help explain how the program was analysed, for example the following section:
......
0167:00408033 PUSH 00
0167:00408035 PUSH EBX
0167:00408036 CALL [USER32!EndDialog]
0167:0040803C JMP 0040812C
......
Here, in a code address in the program such as 0167:00408033, the code segment value (0167) may differ from one computer to another and is not necessarily the same, but the offset value should be fixed (00408033 stays unchanged). So if you see that the address of a piece of program code in a cracking article differs from the address on your computer, do not assume something is wrong: as long as your program code is correct, there is no problem.
