Skin ++ ultimate Cracking Method

Source: Internet
Author: User

* [Title]: Skin ++ general interface skin replacement system v2.0.1 cracking

* [Author]: gz1x <gz1x (AT) TOM (DOT) COM>

* [From]: China black guest Alliance

* [Preface]:

Skin technology is familiar to everyone. For example, Winamp lets users flexibly change the interface style. In the early days, a program had to do a lot of its own processing to implement a custom appearance, which made coding very troublesome.

Later, dedicated skin plug-ins such as ActiveSkin appeared, followed by skin software that is called through a DLL. A program that supports skins only needs to call a few methods to completely change its appearance, and programmers do not need any knowledge of skin technology. Skin++ universal interface skin replacement system v2.0.1 is one of the most famous.

However, it charges a fee, which is annoying for many "poor" users. I did a small project just a few days ago and used this software, which my friends recommended.

* [Software Principle Analysis]:

I reverse-engineered this software. Because it is commercial software and there is no way to get the source code, what follows is my own subjective speculation.

The principle is basically as follows:

A message hook is used to change the appearance of existing controls. The function prototype is SetWindowsHookEx(WH_CALLWNDPROC, HookProc, 0, lThreadId);

This function will not be explained in detail here; refer to MSDN. The hook type is set to WH_CALLWNDPROC.

The next step is to intercept messages. The same message sent by different controls must of course be processed separately. The simple method is to take the window handle, which is generally available in the hook callback function, and get the window class from it. Then comes message processing, generally starting with intercepting the WM_CREATE message and then WM_PAINT. Other messages, such as mouse messages, also need to be processed. The details here, such as the records kept by the hook, are complicated. The solution is to create a class for each window type, whose instances handle the window's messages and record its state data. After obtaining the window handle, use SetWindowLong to associate the window handle with the class instance. In addition, the same class can display different styles according to the window style.

Given the limits of my skill and time, I will not go further into the specific code implementation.

* [Software usage instructions]:

Go to Skin++'s official website, http://www.uipower.com, download the trial version, and install it.

In VC, set the include and lib directories under Tools/Options/Directories. You can also copy the include and lib files under skinppdemosystem (VC)/vccases to the corresponding VC directories. Add skinppwtl.lib under Project/Settings/Link.

Then copy skinppwtl.dll from the dll directory to the System32 directory under the Windows directory (note that this copy is not cracked).

When a project is generated, copy a skin from the skins directory to the project directory, add #include "skinppwtl.h", and call skinppLoadSkin(_T("XXX.ssk")); in int CMainFrame::OnCreate or CMFC_SkinApp::InitInstance.

For detailed code, refer to the demo.

If you are not a licensed user, a dialog box asking you to register is displayed after the executable file is generated. Next we will crack it. The key is to crack skinppwtl.dll.

* [Software Cracking Analysis]:

This software does not seem to be very well protected; it launches Explorer on "http://www.uipower.com". I'm not used to calling this kind of pop-up a nag.

skinppwtl.dll shows the message "skin ++ allows you to add skinning ability to your applications. For information on obtaining a license to use this control, please visit www.uipower.com or e-mail sales@uipwer.com. Are you registering?".

Let's get rid of it.

[Code]

10033097  |. 68 7C120710      push skinppwt.1007108c                   ; ASCII "uipower :...? "
1003309c  |. E8 F7E9FCFF      call skinppwt.10001a98
100330a1  |. 8365 FC 00       and dword ptr ss:[ebp-4], 0
100330a5  |. 51               push ecx
100330a6  |. 8BCC             mov ecx, esp
100330a8  |. 8965 EC          mov dword ptr ss:[ebp-14], esp
100330ab  |. 68 10030710      push skinppwt.10070310                   ; ASCII "uipower"
100330b0  |. E8 E3E9FCFF      call skinppwt.10001a98
100330b5  |. FF35 A8270710    push dword ptr ds:[100727a8]
100330bb  |. 834D FC FF       or dword ptr ss:[ebp-4], ffffffff
100330bf  |. E8 B7F10000      call skinppwt.1004227b
100330c4  |. 83C4 14          add esp, 14
100330c7  |. 83F8 06          cmp eax, 6
100330ca  |. 75 18            jnz short skinppwt.100330e4
100330cc  |. 6A 05            push 5                                   ; /isshown = 5
100330ce  |. 6A 00            push 0                                   ; | defdir = NULL
100330d0  |. 6A 00            push 0                                   ; | parameters = NULL
100330d2  |. 68 64120710      push skinppwt.10071264                   ; | filename = "http://www.uipower.com"
100330d7  |. 68 5C120710      push skinppwt.1007125c                   ; | operation = "open"
100330dc  |. 6A 00            push 0                                   ; | hwnd = NULL
100330de  |. FF15 3C840510    call dword ptr ds:[<&shell32.shellexecut>; \shellexecutea
100330e4  |> 8B4D F4          mov ecx, dword ptr ss:[ebp-c]
100330e7  |. 64:890D 000000>  mov dword ptr fs:[0], ecx
100330ee  |. C9               leave
100330ef  \. C3               retn

The most annoying part is:

100330bf  |. E8 B7F10000      call skinppwt.1004227b

Following it shows that it is a function called MessageBoxIndirect.

NOP it out directly.

Next, look at the following:

100330ca  |. 75 18            jnz short skinppwt.100330e4

Change it to a jump:

100330ca  .  EB 18            jmp short skinppwt.100330e4

Include the surrounding context when searching for 75 18, so that 83 F8 06 75 18 6A 05 is replaced with 83 F8 06 EB 18 6A 05.

Save skinppwtl.dll and copy it to the following two places: the vccases/bin directory in the Skin++ installation directory and the System32 directory under the Windows directory.
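From the defender's side, an in-place patch like the one described above shows up as soon as the installed DLL is compared with a known-good reference copy. The following is an added example, not part of the original post: the function names are hypothetical, and the sample bytes are constructed from the instruction bytes in the listing above.

```python
import hashlib

def diff_runs(good: bytes, suspect: bytes):
    """Return (offset, old, new) for each contiguous run of changed bytes."""
    if len(good) != len(suspect):
        raise ValueError("size differs: not an in-place patch of the reference")
    runs, start = [], None
    for i in range(len(good) + 1):
        changed = i < len(good) and good[i] != suspect[i]
        if changed and start is None:
            start = i
        elif not changed and start is not None:
            runs.append((start, good[start:i], suspect[start:i]))
            start = None
    return runs

def classify(old: bytes, new: bytes) -> str:
    """Label a changed run with the kind of tampering it most resembles."""
    # Short Jcc opcodes are 0x70-0x7F; 0xEB is short JMP with the same rel8 operand.
    if len(old) == 1 and 0x70 <= old[0] <= 0x7F and new == b"\xEB":
        return "conditional jump forced to unconditional"
    # E8 rel32 is a 5-byte near call; 0x90 is NOP.
    if len(old) == 5 and old[0] == 0xE8 and new == b"\x90" * 5:
        return "call replaced with NOPs"
    return "unclassified change"

def triage(good: bytes, suspect: bytes):
    """Return [(offset, label)] for a suspect copy; empty list if hashes match."""
    if hashlib.sha256(good).digest() == hashlib.sha256(suspect).digest():
        return []
    return [(off, classify(old, new)) for off, old, new in diff_runs(good, suspect)]

# Constructed sample: the instruction bytes shown in the listing, before and after.
GOOD = bytes.fromhex("E8 B7 F1 00 00 83 C4 14 83 F8 06 75 18 6A 05")
SUSPECT = bytes.fromhex("90 90 90 90 90 83 C4 14 83 F8 06 EB 18 6A 05")

if __name__ == "__main__":
    for offset, label in triage(GOOD, SUSPECT):
        print(f"+0x{offset:02x}: {label}")
```

A call whose rel32 operand happens to contain a 0x90 byte splits into shorter runs and is reported as an unclassified change, which still flags the file as modified.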

* [Software Service cracking]:

With Skin++ in place, more skins are of course needed, and the software itself provides fewer than 10. Only licensed users can download skins from the official website. Regardless, I went to the official website and analyzed its download links, and found something fun. You can download more skins using the following method:

Use Thunder to create a batch download task with the following address:

http://www.uipower.com/skindown/hit.asp?id=(*)

The value range of (*) is 115-160.

Download... you should be able to get more than 50 skins... Enjoy!

The above is the part written by gz1x, a netizen. I tried it and the crack was very successful. After getting rid of the cmessagedialog that popped up every time the program started, I wanted to add a few things I thought were necessary:

1. Debugging software used:

Software: OllyICE

Download link: http://www.pediy.com/tools/Debuggers/ollydbg/OllyICE.rar

2. Use of the software:

Quick start reference: http://hi.baidu.com/hack1015/blog/item/877eef2426bd43034c088d12.html

Open the skinppwtl.dll to be cracked. After the DLL file has been modified according to the steps above, there is the problem of saving the modifications. I searched the entire menu bar while using it and did not find any item for saving modifications. The procedure was as follows:

A. Right-click the modified part, select "Copy to executable file", and select "All changes".

B. In the prompt box "Copy selected content to an executable file", select "Copy all".

C. A new window is displayed. Click X to close the subwindow. The system prompts "file changed"; select "Yes", and the "Save as" box appears. Do not make any changes at this point, and remember not to change the file name. The system then prompts "the file already exists" and asks whether to overwrite it. Click "Yes" to overwrite the original file, close OllyICE, and the task is finished.

At this point, these operations are sufficient for the main goal, but a serious problem remains once the program is used: "skin ++ unregistered !!!" is still displayed. This is nothing for a programmer, but gz1x did not deal with this problem. After some debugging, it was finally cracked as well. The procedure is as follows:

A. Right-click in the Disassembly window and choose Search > All referenced text strings from the shortcut menu.

B. In the dialog box that appears, right-click, select the "Search Text" menu item, and enter "skin ++ unregistered !!!" (note that the search text must match case) to find one occurrence, located at 008dace2.

C. On this line, the assembly instruction is push 00920784, which passes the memory address of "skin ++ unregistered !!!" to the subroutine. You only need to modify the address to change the displayed characters. The string contains 22 characters in total, and the last two digits of the address are 84 + 22 = A6, so we change this instruction to push 009297a6, save, and exit.

Try again. Is the problem solved?

 

This article is from a CSDN blog. If you reproduce it, please indicate the source: http://blog.csdn.net/pbe_sedm/archive/2008/06/12/2538048.aspx
