A Method for Dongle Cracking Based on Virtual Machine Branch Judgment

Source: Internet
Author: User

Today a friend's company obtained software for a similar product and wanted to study it for reference. The software was protected by a dongle and would not run without one, so I was asked to analyze it and check whether it could run without the dongle. After a long time I found that the software used anti-debugging, a virtual machine, and other protection methods, so constructing valid dongle data by emulating the dongle was difficult. Later I came up with this method, based on virtual machine branch judgment, and cracked the software successfully. The method does not require analysis of the dongle encryption, of the data encryption/decryption algorithms, or of the virtual machine handlers.
The technical idea is to record the virtual machine's execution and observe where the virtual instructions jump. By observing the virtual instruction execution under the error condition, one analyzes the two branches at each jump and corrects the virtual machine data so that the correct branch executes. The correct path is finally found by repeating this record-and-correct cycle.

Let's briefly describe this method and discuss it with you.

1. Preliminary Analysis and Judgment
Run the software directly. The following message is displayed:

Finding the driver call that opens the dongle is relatively simple, and reading the dongle data is not the important part here. After a series of encryption and decryption calculations on the dongle data, the program returns here:

Running the program several times confirms that the function at 00C06D20 determines whether a dongle is present and verifies the validity of its data. With a legitimate dongle this function should return 0; however, if the return value is simply patched to 0, the program still shows the prompt, which means that later execution also consumes the data computed by this function.

2. Basic Analysis of Virtual Machine Structure
The subsequent program execution clearly enters the virtual machine's execution loop.
The virtual machine looks like a standard cyclic fetch-and-dispatch structure:

Here the structure of the virtual machine can be seen: address 00BD974C stores the virtual machine instruction pointer (IP), and the virtual machine uses a fixed instruction length, that is, each instruction is 8 bytes long.

3. Key Issues
Because the VM instruction length is fixed, it is easy to observe the jumps of virtual instructions from a recorded trace of the VM's execution. By observing the virtual instruction execution without a dongle, one can analyze the two branches at each jump and correct the virtual machine data so that the correct branch executes; repeating the record-and-correct cycle eventually yields the correct path.
First, patch the return value of 00C06D20 to 0, then record one run of the virtual instructions.

The recorded instruction trace is as follows:

It can be seen that when the VM instruction IP is 00BD9D58, a branch is taken and the software shows the prompt. Therefore 00BD9D58 is a judgment instruction, and valid execution should fall through to 00BD9D60. Setting a conditional breakpoint and observing confirms this:

That is, the virtual jump at 00BD9D58 depends on [[00BD9748]]: when the value is 0 execution falls through, and when it is not 0 the jump is taken.
The following Mdebug script automates the execution and correction:
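To make the observation above concrete, here is a constructed toy interpreter, added as an example and not taken from the article or from the protected software: it models a fixed-length 8-byte instruction VM (4-byte opcode, 4-byte operand), records the virtual IP before every instruction, and diffs two traces to locate the single judgment instruction at which they part ways. All opcodes, addresses (0x1000 base) and the `check_result` input are assumptions of this example. From a protection engineer's point of view it shows why a fixed-length encoding with one conditional jump on a check value leaves the decision point fully visible in a trace, which is the weakness the article exploits and the summary's motivation for more complex VM designs.

```python
import struct
from typing import List, Optional, Tuple

# Constructed fixed-length instruction set: 4-byte opcode + 4-byte operand = 8 bytes.
INSN_LEN = 8
OP_LOAD_CHECK = 1   # acc = check_result (stands in for the output of the dongle check)
OP_JNZ = 2          # if acc != 0: ip = operand   (the "judgment" instruction)
OP_MSG_FAIL = 3     # failure branch: show the "no dongle" message
OP_LICENSED = 4     # legitimate branch
OP_HALT = 5

CODE_BASE = 0x1000  # assumed load address of the virtual code


def assemble(program: List[Tuple[int, int]]) -> bytes:
    """Pack (opcode, operand) pairs into the fixed 8-byte little-endian layout."""
    return b"".join(struct.pack("<II", op, arg) for op, arg in program)


# Constructed sample program; comments give each instruction's virtual address.
PROGRAM = assemble([
    (OP_LOAD_CHECK, 0),   # 0x1000  acc = check result
    (OP_JNZ, 0x1020),     # 0x1008  judgment: jump to failure path if acc != 0
    (OP_LICENSED, 0),     # 0x1010  fall-through: licensed path
    (OP_HALT, 0),         # 0x1018
    (OP_MSG_FAIL, 0),     # 0x1020  failure path
    (OP_HALT, 0),         # 0x1028
])


def run(code: bytes, check_result: int) -> Tuple[List[int], str]:
    """Execute the virtual code and return (trace of virtual IPs, outcome label)."""
    ip, acc, outcome, trace = CODE_BASE, 0, "", []
    while True:
        op, arg = struct.unpack_from("<II", code, ip - CODE_BASE)
        trace.append(ip)                      # record the IP before executing
        if op == OP_LOAD_CHECK:
            acc, ip = check_result, ip + INSN_LEN
        elif op == OP_JNZ:
            ip = arg if acc != 0 else ip + INSN_LEN
        elif op == OP_MSG_FAIL:
            outcome, ip = "no dongle found", ip + INSN_LEN
        elif op == OP_LICENSED:
            outcome, ip = "licensed path", ip + INSN_LEN
        elif op == OP_HALT:
            return trace, outcome
        else:
            raise ValueError(f"bad opcode {op} at {ip:#x}")


def first_divergence(trace_a: List[int], trace_b: List[int]) -> Optional[int]:
    """IP of the last instruction both traces share before they differ (the judgment),
    or None when the traces are identical."""
    last_common = None
    for x, y in zip(trace_a, trace_b):
        if x != y:
            return last_common
        last_common = x
    return None if len(trace_a) == len(trace_b) else last_common


if __name__ == "__main__":
    ok_trace, ok_outcome = run(PROGRAM, 0)     # 0 = check passed, as in the article
    bad_trace, bad_outcome = run(PROGRAM, 1)   # non-zero = check failed
    print("with dongle:   ", [hex(i) for i in ok_trace], ok_outcome)
    print("without dongle:", [hex(i) for i in bad_trace], bad_outcome)
    print("judgment instruction at", hex(first_divergence(ok_trace, bad_trace)))
```

Because every instruction occupies exactly 8 bytes, the trace is a clean sequence of addresses and the one place where the two runs diverge identifies the judgment instruction directly, just as the article reads 00BD9D58 off its recorded trace. A design in which the check result feeds later data computation rather than a single conditional jump (the behaviour the article notes for 00C06D20) does not collapse into one observable decision point in this way.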
Bp 00BE6C87, "ecx = 00BD9D58"
G
Bc *
[[00BD9748] = 0

After this correction, repeat the above steps to find the next branch judgment point, until the software finally runs correctly. (The script function makes it convenient to stop the debugged program at the current operation point.)
The full script is as follows:
Bc *
G 00BFDE17
Eax = 0

Bp 00BE6C87, "ecx = 00BD9D58"
G
Bc *
[[00BD9748] = 0

Bp 00BE6C87, "ecx = 00BD9E88"
G
Bc *
[[00BD9748] = 0

Bp 00BE6C87, "ecx = 00BD8360"
G
Bc *
[[00BD9748] = 0

Bp 00BE6C87, "ecx = 00BD8390"
G
Bc *
[[00BD9748] = 0

Bp 00BE6C87, "ecx = 00BD9988"
G
Bc *
[[00BD9748] = 0

Bp 00BE6C87, "ecx = 00BD9a88"
G
Bc *
[[00BD9748] = 0

Bp 00BE6C87, "ecx = 00BD9AB0"
G
Bc *
[[00BD9748] = 0


Finally, the interface of the running software is shown:


4. Summary
This method is just one approach to analyzing virtual machines or dongles, and it is not applicable in all circumstances. For virtual machines with variable instruction lengths, or more complex ones, results can only be achieved by combining it with a disassembler for the virtual machine instructions and analysis of the control-flow graph and call graph.
