Author: IceWorld ice and snow site: http://iceworld.126.com/
Alas, here we go again... Before I start work every day I always sigh like this, then summon all my energy and, with one hand, mechanically switch on the power strip, the display and the chassis power. With a beep from the PC speaker, I am pulled back from the edge of my imagination.
Well, I won't ramble on. (Otherwise people may say that I am padding this for the manuscript fee, hehe.) Let's first check the tools required for our work:
(1) Soft-ICE For Windows95/98 v4.05
The best software for dynamic tracing. Even though there is TRW, I still love it and call it brother.
(2) URSoft W32Dasm v8.93
The best static analysis tool for cracking software. IDA is too professional and I don't need it.
(3) R!SC's Process Patcher v1.5.1
Memory patching software, which I will talk about below.
(4) UltraEdit-32 v7.2
Used to modify files. An old brand that the experts use (hehe, I am not a master).
(5) FileInfo v2.4
I often use it to see what software a file was encrypted with!
(6) A bottle of Pepsi
I don't need to talk about it anymore. It's a breeze, but I'm afraid I will not be able to have any children in the future!
My machine configuration: Celeron 400 (Slot 1), 128 MB HY (PC-100), Trident 9880 (8 MB), FireBall 10G, Acer 40X CD, Creative VIBRA128, Motorola 56K Modem, Daytek 17"
Take a sip of cola and yell, "I have, I can!" Enter the familiar SIW and enter our work platform, Windows 98. Don't think my desktop is messy. Hey hey, my desktop has only two icons. System resources: 98% available, amazing! What, you only have 80%? Forget it. If you can't optimize your system, or your desktop is messy, I suggest you learn how to optimize the system first! A good cracker should be very familiar with his own work platform!
On to the main topic, after a sip of cola. Use FileInfo to check whether the executable file is encrypted. Fortunately, it is not, so I save a lot of time; worth celebrating. Since there is no encryption, it's time to bring out our veteran tool W32Dasm and load the file. It's okay. So kind. Today I am lucky. Let me have another sip... After a long wait (3 minutes), the code of the program is clearly displayed in front of me!
Run CCED to check the encryption method. Ah, an error occurred. What, an "Invalid Address call"? Zhu Chongjun should not be so idiotic. It seems that my Soft-ICE has a problem. Alas, why does all software nowadays defend against you? My poor Soft-ICE, so that others would not find you, I have already filled your body with patches... Now there are only two ways forward: find the anti-tracking code, or use FrogsICE. (Hey, dude, is there a third way? Yes: delete your CCED, turn off your computer, and go to bed!) Alas, who made me the kind of person who likes difficulty and challenge, heading up the mountain even knowing there are tigers on it! Here, I used CreateFileA to intercept it. It seems I was lucky again and caught it. Haha, I used this method to find my brother. I don't want to give you K.
* Possible StringData Ref from Data Obj ->"\\.\SICE"
|
:00530B99 68A4226100 push 006122A4
:00530B9E FF15D87E6200 Call KERNEL32.CreateFileA
:00530BA4 8945FC mov dword ptr [ebp-04], eax
:00530BA7 837DFCFF cmp dword ptr [ebp-04], FFFFFFFF
:00530BAB 7411 je 00530BBE
:00530BAD 8B45FC mov eax, dword ptr [ebp-04]
:00530BB0 50 push eax
:00530BB1 FF15E47E6200 Call KERNEL32.CloseHandle
:00530BB7 B801000000 mov eax, 00000001
:00530BBC EB39 jmp 00530BF7
:00530BBE 6A00 push 00000000
:00530BC0 6880000000 push 00000080
:00530BC5 6A03 push 00000003
:00530BC7 6A00 push 00000000
:00530BC9 6A03 push 00000003
:00530BCB 68000000C0 push C0000000
* Possible StringData Ref from Data Obj ->"\\.\NTICE"
|
:00530BD0 68B0226100 push 006122B0
:00530BD5 FF15D87E6200 Call KERNEL32.CreateFileA
:00530BDB 8945FC mov dword ptr [ebp-04], eax
:00530BDE 837DFCFF cmp dword ptr [ebp-04], FFFFFFFF
:00530BE2 7411 je 00530BF5
:00530BE4 8B4DFC mov ecx, dword ptr [ebp-04]
:00530BE7 51 push ecx
:00530BE8 FF15E47E6200 Call KERNEL32.CloseHandle
:00530BEE B802000000 mov eax, 00000002
:00530BF3 EB02 jmp 00530BF7
:00530BF5 33C0 xor eax, eax
:00530BF7 8BE5 mov esp, ebp
:00530BF9 5D pop ebp
:00530BFA C3 ret
Have you seen it? The code above is one method of detecting Soft-ICE, and it works under both 98 and NT. Now let me perform a minor operation on it and change the code at 530BAB to redirect the jump. Hehe, have you guessed where it jumps to?
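The routine in the listing above, reconstructed in C as an added example (it is not code from the original article or from CCED), with the pushed constants decoded into their Win32 names and the three return values made explicit. The function names, the probe callback and the fake probes are hypothetical; the arguments of the first CreateFileA call are not visible in the listing and are assumed to match those of the second call.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* Arguments as pushed before the second CreateFileA call in the listing. */
static int device_opens(const char *name) {
    HANDLE h = CreateFileA(name,
                           GENERIC_READ | GENERIC_WRITE,       /* C0000000 */
                           FILE_SHARE_READ | FILE_SHARE_WRITE, /* 00000003 */
                           NULL,                               /* 00000000 */
                           OPEN_EXISTING,                      /* 00000003 */
                           FILE_ATTRIBUTE_NORMAL,              /* 00000080 */
                           NULL);                              /* 00000000 */
    if (h == INVALID_HANDLE_VALUE)   /* cmp [ebp-04], FFFFFFFF ; je ... */
        return 0;
    CloseHandle(h);                  /* handle is only needed as a yes/no */
    return 1;
}
#else
/* Non-Windows stand-in so the decision logic compiles and runs anywhere. */
static int device_opens(const char *name) { (void)name; return 0; }
#endif

typedef int (*probe_fn)(const char *name);

/* 0 = no debugger device, 1 = Win9x device found, 2 = NT device found. */
int detect_softice(probe_fn probe) {
    if (probe("\\\\.\\SICE"))  return 1;  /* mov eax, 00000001 at 00530BB7 */
    if (probe("\\\\.\\NTICE")) return 2;  /* mov eax, 00000002 at 00530BEE */
    return 0;                             /* xor eax, eax at 00530BF5 */
}

/* Constructed fake probes that simulate which device name can be opened. */
int fake_none(const char *n) { (void)n; return 0; }
int fake_9x(const char *n)   { return strcmp(n, "\\\\.\\SICE") == 0; }
int fake_nt(const char *n)   { return strcmp(n, "\\\\.\\NTICE") == 0; }

int main(void) {
    printf("live probe : %d\n", detect_softice(device_opens));
    printf("fake 9x    : %d\n", detect_softice(fake_9x));
    printf("fake NT    : %d\n", detect_softice(fake_nt));
    return 0;
}
```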
Well, I have cleared away a huge stumbling block. Have a good drink of cola and reward myself! The next step is to make it a registered version. But where should we start? A program's dialog boxes usually contain registration messages, and CCED is no exception: "not registered" or "not registered successfully".
With the point of attack found, use W32Dasm to search for this message: it is located at 407E21, and W32Dasm notes that this location is jumped to from 407DCC. Good