Break The network verification of The IP address of Hide

Source: Internet
Author: User

After playing for so long, I have not seriously tried network verification. I have always felt that network cracking is very troublesome. It gives me a lot of confidence to deal with The software of Hide The IP. As long as The method is proper, it is very easy to crack such software. Let's take a look at how I crack it. Preparation tools: OD, PEiD, EasyPHP, dede, etc. When using dede to generate a MAP file, we first use PEiD to detect the shell. It is very good, but there is no shelling, saving the trouble of shelling, as shown in figure 1. This software was written in Delphi 7.0. We use dede, a powerful tool to crack Delphi, to "see" it. Figure 1 after loading The IP address of Hide with dede, dede starts The processing program. After The processing is complete, The message box "dump successful" appears, press "OK" to display the prompt box shown in 2. Click "yes ". Because this function helps us to expand and analyze the unit and class of the Delphi Program and others, it is very helpful for us to obtain more information, so we should select "yes ". Similarly, the "identify standard VCL process" is also "yes", which is also very important, as shown in 3. Figure 2 fig 3dede is specifically for reverse Delphi (.. net Program). It has a high recognition rate on the symbols and functions of the Delphi Program (dede is only one of IDA's functions ). In this article, dede is used to assist OD. If you use OD to crack it at the beginning, you will find it much more difficult. After a long Analysis of dede, The result shown in 4 is finally displayed. After clicking "Done", dede is used to prepare for the OD analysis:Export"Map"File, 5.The map file can help us create useful identification information, including event processing and control reference. In OD, we can use the plug-in "GODUP" to import, so it is no longer difficult to analyze in OD. Figure 4 5 there is a time limit for using the OD analysis software. After you enter false registration information, the error message shown in Figure 6 appears. Right-click in OD, if you select "search-> all reference text strings", the following error message is displayed: Figure 6 The text string reference is at HideTheI: CODE, entry 6502 address = 004EEECB text string = ASCII "Invalid registration. "double-click the CPU window: 004 EEECB. b> mov ecx, 004EF118; ASCII "Invalid registration. here, we can see that this error is redirected from the 004EED31 branch, so the breakpoint should be before 004EED31, and I will be at 004EEC58. 004EEC58. 5> push ebp; disconnects 004EEC59. 8> mov ebp, esp004EEC5B. b> mov ecx, 8. If you have tracked the Delphi file, you will know that the Delphi Program has many library functions. IF Manual identification is very difficult, however, parsing the disassembly code with the previous map file will make it more readable. In OD, select "Load labels" and "Load comments" in "plug-in-> GODUP Plugin-> Map Loader" to Load the "hide the ip address" generated by dede. map file, so that the GODUP plug-in will import the parsed labels and annotations in the map file. Let's analyze the parsed code.004EEC58> push ebp; <-TForm3 @ ALButton1Click; the Click function of the control Button1 starts with 004EEC59 mov ebp, esp004EEC5B mov ecx, 8004EEC60 push 0004EEC62 push 0004EEC64 dec running jnz short pushed ebx004EEC68 push esi004EEC69 push edi004EEC6A mov ebx, release xor eax, and release push Pull <-> System. @ HandleFinall> 004EEC74 push dword ptr fs: [eax] 004EEC77 mov dword ptr fs: [eax], 1_mov dl, 1_mov eax, dword ptr [416D8C] 004EEC81> call 00403B38; -> System. TObject. create (TObject; Boolean); 004EEC86 mov dword ptr [ebp-4], eax004EEC89 mov dl, 1004EEC8B mov eax, dword ptr [416D8C] 004EEC90> call 00403B38;-> System. TObject. create (TObject; Boolean); 004EEC95 mov esi, eax004EEC97 lea edx, dword ptr [ebp-C] 004EEC9A> mov eax, dword ptr [ebx + 300>; * TForm3.Edit1: TEdit004EECA0> call 004478D8;-> Controls. TControl. getText (TControl): TCaption; get email address layper@12.com004EECA5 mov ecx, dword ptr [ebp-C] 004EECA8 lea eax, dword ptr [ebp-8] 004 EECAB edx mov, 004 EEFEC; ASCII "email =" 004EECB0> call 00404C48;-> System. @ LStrCat3; Connect "email =" and "" to "email =" 004EECB5 mov edx, dword ptr [ebp-8] 004EECB8 mov eax, dword ptr [ebp-4] 004 EECBB mov ecx, dword ptr [eax] 004 EECBD> call dword ptr [ecx + 38];-> TStringList. add (string) 004EECC0 lea edx, dword ptr [ebp-14] 004EECC3> mov eax, dword ptr [ebx + 304>; * TForm3.Edit2: TEdit004EECC9> call 004478D8;-> Controls. TControl. getText (TControl): TCaption; get the registration code of Serial key 1357924680004 EECCE mov ecx, dword ptr [ebp-14] 004EECD1 lea eax, dword ptr [ebp-10] 004EECD4 mov edx, 004 EEFFC; ASCII "ser =" 004EECD9> call 00404C48;-> System. @ LStrCat3; connection string to ser = 1357924680004 EECDE mov edx, dword ptr [ebp-10] 004EECE1 mov eax, dword ptr [ebp-4] 004EECE4 mov ecx, dword ptr [eax] 004EECE6> call dword ptr [ecx + 38];-> TStringList. add (string) 004EECE9 xor eax, eax004EECEB push ebp004EECEC push <-> System. @ HandleAnyExc> 004EECF1 push dword ptr fs: [eax] 004EECF4 mov dword ptr fs: [eax], esp004EECF7 lea eax, dword ptr [ebp-18] 004 EECFA push lead> mov eax, dword ptr [ebx + 31C>; * TForm3.ip1: TIdHTTP; note that the TIdHTTP control is used here. This is the basis for determining whether it uses network verification: 004EED01 mov ecx, dword ptr [ebp-4] 004EED04 mov edx, 004EF00C; ASCII This is to verify the web page 004EED09 call 0048077C004EED0E mov edx, dword ptr [ebp-18]; here there are more than one breakpoint, because 004EED09 will cause an exception, after an exception occurs, Shift + F9 returns the result here. The returned string is "00FE0894, (ASCII" no ")" 004EED11 mov eax, esi004EED13 mov ecx, dword ptr [eax] 004EED15> call dword ptr [ecx + 2C];-> TStringList. setTextStr (string) 004EED18 lea ecx, dword ptr [ebp-1C] 004EED1B xor edx, edx004EED1D mov eax, esi004EED1F mov edi, dword ptr [eax] 004EED21> call dword ptr [edi + C];-> TStringList. get (Integer) 004EED24 mov eax, dword ptr [ebp-1C]; 00FFC514, (ASCII "no") 004EED27 mov edx, 004EF03C; ASCII "yes" 004EED2C> call 00404D48; -> System. @ LStrCmp; compare whether the string is yes004EED31 jnz 004EEEC4; if not, skip to errorIf you are not sure whether online verification is available, keep the two breakpoints 004EEC58 and 004EED0E set in the OD, input the information to run, and disconnect the function after 004EED0E again. The breakpoint at the OD is: bp recv. Recv is a commonly used breakpoint function for network cracking. The prototype of the recv () function is int recv (int sockfd, void * buf, int len, unsigned int flags );, sockfd is the socket descriptor for receiving data, buf is the buffer for storing received data, len is the buffer length, and Flags is set to 0. Recv () returns the number of actually received bytes. If an error occurs,-1 is returned and the corresponding errno value is set. F9 is disconnected from the following code.71A2615A> 8BFF mov edi, edi71A2615C 55 push ebp71A2615D 8BEC mov ebp, esp71A2615F 83EC 10 sub esp, 1071A26162 53 push ebxThe Recv is successfully disconnected from 71A2615A. Now we can see the Stack window at the bottom right of OD.0012F4DC 0046DAC2/CALL to recv from listen 00000260 | Socket = 2600012F4E4 001E4008 | Buffer = 001E4008; this is the Buffer address, subject to your machine's size 0012F4E8 00008000 | BufSiz </p>

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.