Blasting (the cracker's word for patching a program's check) is actually very easy. It is at least easier than squeezing the last of the toothpaste out of the tube. You just buy a few detonators on the street, stick them on your monitor, and press the button. (Just remember to run away after pressing it.)
I have already covered the theory of brute-force cracking, and I believe you followed it easily. Today we will talk about how to find the key jump, and where to buy cheap, reliable detonators...
Cracking a program usually takes a few steps. First, check whether it is packed; once you know, unpack it with the matching tool or by hand (see the earlier tutorial for details). Then open the unpacked program. You have two options: w32dasm or a debugger. Generally, for a mainstream, ordinary program, w32dasm will do. If you don't know what to expect, buy a stock, because a stock is like a rubber wife! Hey! Wake up... Ahem. Generally, for a program that is not so straightforward, use a debugger. W32dasm: disassemble the program with w32dasm (obviously!). Then look through the string data references for the error message, or perhaps the success message, and double-click it to go to the corresponding address. Analyse the assembly around it in w32dasm's main window to find the key jump and the key call. Put the green bar on the key jump and read off its offset address (the actual address to modify in the file) at the bottom of the main window. Open the file in UltraEdit, go to that offset, change the machine code (in other words, plant the detonator) and save! Using a debugger is just as simple and is described in detail later.
Enough nonsense. Let's explain with examples:
First, how to use w32dasm for brute-force cracking:
[Software name] chinazip
[Software Version] 7.0
[File size] 1041kb
[Applicable platform] Win9x/ME/NT/2000
[Software Overview] chinazip is a tool for compressing and extracting archives. Besides ZIP it supports the common formats ARJ, CAB, GZIP, JAR, LHA, TAR, ZOO, ARC, LZH and PAK.
The program comes from the subscriber CD bundled with Computer Newspaper in 2001. The protection in version 7.0 was quite good; the latest version should be even better by now...
Okay, let's get started. Step one: install it (inviting the wolf in), then type any string into the registration box. An error dialog appears with the message "the registration code is incorrect and cannot be registered". Next, use FI to see what packer it uses: ASPack 2.001; unpack it with CASPR. After unpacking, disassemble with w32dasm; whether it takes half a minute or half an hour, it finishes. Find the error message you saw in the string data references, double-click it a few times, and you'll find it is referenced from only one place. We land at 004f4e64. I'll paste the code (read it starting from the bottom):
:004f4dd1 e84ee1f3ff call 00432f24
:004f4dd6 8b55f0 mov edx, dword ptr [ebp-10]
:004f4dd9 8d4df4 lea ecx, dword ptr [ebp-0c]
:004f4ddc 8bc3 mov eax, ebx
:004f4dde e8c9010000 call 004f4fac
:004f4de3 8b55f4 mov edx, dword ptr [ebp-0c]
:004f4de6 58 pop eax
:004f4de7 e830f3f0ff call 0040411c
:004f4dec 7576 jne 004f4e64 <-- This is the legendary one, stop! This is the legendary key jump.
:004f4dee b201 mov dl, 01
:004f4df0 a158254500 mov eax, dword ptr [00452558]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004f4d86(c)
|
:004f4df5 e85ed8f5ff call 00452658
:004f4dfa 8945fc mov dword ptr [ebp-04], eax
:004f4dfd 33c0 xor eax, eax
:004f4dff 55 push ebp
:004f4e00 685d4e4f00 push 004f4e5d
:004f4e05 64ff30 push dword ptr fs:[eax]
:004f4e08 648920 mov dword ptr fs:[eax], esp
:004f4e0b b101 mov cl, 01
* Possible StringData Ref from Code Obj ->"SOFTWARE\xdzhan\chinazip"
|
:004f4e0d baa84e4f00 mov edx, 004f4ea8
:004f4e12 8b45fc mov eax, dword ptr [ebp-04]
:004f4e15 e822daf5ff call 0045283c
* Possible StringData Ref from Code Obj ->"Real programmers use Pascal!"
|
:004f4e1a b9cc4e4f00 mov ecx, 004f4ecc
* Possible StringData Ref from Code Obj ->"key"
|
:004f4e1f baf44e4f00 mov edx, 004f4ef4
:004f4e24 8b45fc mov eax, dword ptr [ebp-04]
:004f4e27 e854def5ff call 00452c80
* Possible StringData Ref from Code Obj ->"software registration successful. Thank you for your support!" <-- Here we see the success message. The first jump above the success message is the key jump we are looking for.
|
:004f4e2c b8004f4f00 mov eax, 004f4f00
:004f4e31 e8563df6ff call 00458b8c
:004f4e36 a16c305000 mov eax, dword ptr [0050306c]
:004f4e3b 8b00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"chinazip-registered version"
|
:004f4e3d ba244f4f00 mov edx, 004f4f24
:004f4e42 e80de1f3ff call 00432f54
:004f4e47 33c0 xor eax, eax
:004f4e49 5a pop edx
:004f4e4a 59 pop ecx
:004f4e4b 59 pop ecx
:004f4e4c 648910 mov dword ptr fs:[eax], edx
:004f4e4f 686e4e4f00 push 004f4e6e
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004f4e62(u)
|
:004f4e54 8b45fc mov eax, dword ptr [ebp-04]
:004f4e57 e868e2f0ff call 004030c4
:004f4e5c c3 ret
:004f4e5d e9c2e9f0ff jmp 00403824
:004f4e62 ebf0 jmp 004f4e54
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004f4dec(c)
|
* Possible StringData Ref from Code Obj ->"the registration code is incorrect and cannot be registered!" <-- This is the error message; the success message is nearby, so look above and below it.
|
:004f4e64 b8484f4f00 mov eax, 004f4f48 <-- the double-click lands here
:004f4e69 e81e3df6ff call 00458b8c
:004f4e6e 33c0 xor eax, eax
:004f4e70 5a pop edx
:004f4e71 59 pop ecx
:004f4e72 59 pop ecx
:004f4e73 648910 mov dword ptr fs:[eax], edx
:004f4e76 689b4e4f00 push 004f4e9b
You may not understand why I call this the key jump. Do you remember the example I gave in the chapter on cracking principles?
Let me explain it once more. Generally we meet two kinds of key jump; I'll illustrate them separately:
(1)
je (jne, jz, jnz) 19870219
... xxxxxxxxxx
... xxxxxxxxxx
... success message (registration correct)
...
...
19870219 error message
.......
.......
In the first case the program first tests whether the registration code is correct. If it is wrong it jumps to 19870219; if it is right it does not jump and runs straight on into the success path.
Here the key jump is the first jump above the success message. Changing it, or NOPing it out, will do.
(2)
je (jne, jz, jnz) 19870219
... xxxxxxxxxx
... xxxxxxxxxx
... error message
...
...
19870219 success message (registration correct)
.......
.......
The second case also tests the code first, but if it is correct it jumps to 19870219, and if it is wrong it does not jump and falls through into the error.
Here the key jump is the first jump above the error message. Change it, or turn it into a JMP, and then we can do as we please.
Now that the theory is out of the way, let's change it. In w32dasm, select the key jump; the status bar at the lower right shows the corresponding offset address 000f41ec. Open the file in UltraEdit, press Ctrl+G, enter 0xf41ec and press Enter to jump to that position. The machine code there is 75 (JNE). Change it to 74 (JZ), save and exit.
Now let's try it. Enter any registration code and register. Haha, registration successful!
That's all for w32dasm. Haha, very simple. Afterwards, go and find some lightly protected software to practise on.
Next, we'll continue with cracking using a debugger.
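As an added example (not the tutorial's code), here is where the "offset address" w32dasm shows in its status bar comes from: the virtual address is mapped through the PE section table to a file offset, and a responder can use the same mapping to check whether the byte at the key jump in a file on disk still matches what the listing shows. The image base, section layout and sample image below are constructed assumptions; only the 004f4dec / 000f41ec pair and the 75 76 bytes come from the text.

```python
import struct

# Constructed sample (not from the page): image base 0x400000 and one code
# section mapped at RVA 0x1000 but stored at file offset 0x400, which is the
# usual Delphi layout and reproduces the VA 004f4dec -> offset 000f41ec pair
# that w32dasm's status bar showed above.
IMAGE_BASE = 0x400000
SECTIONS = [(b"CODE", 0x1000, 0x400, 0xF5000)]   # (name, RVA, raw pointer, raw size)
KEY_JUMP_VA = 0x4F4DEC
OPCODE_NAMES = {0x74: "je/jz (short)", 0x75: "jne/jnz (short)",
                0xEB: "jmp (short)", 0x90: "nop"}


def build_sample_pe() -> bytearray:
    """Build a 1 MiB file image with just enough PE header to be parsed."""
    img = bytearray(0x100000)
    e_lfanew = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)          # e_lfanew
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(SECTIONS), 0, 0, 0, 224, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)    # ImageBase
    sec = opt + 224
    for name, rva, raw_ptr, raw_size in SECTIONS:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<8sIIII", img, sec, name, raw_size, rva, raw_size, raw_ptr)
        sec += 40
    # Plant the bytes the listing shows at the key jump: 75 76 = jne +0x76.
    img[0xF41EC:0xF41EE] = b"\x75\x76"
    return img


def parse_sections(data):
    """Return (image_base, [(name, rva, raw_size, raw_ptr), ...]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, raw_size, raw_ptr))
    return image_base, sections


def va_to_file_offset(data, va):
    """Map a virtual address to its file offset (w32dasm's 'offset address')."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for _name, sec_rva, raw_size, raw_ptr in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"VA {va:#010x} is not backed by any section")


def check_key_jump(data, va, expected=0x75):
    """Return (offset, opcode, name, unchanged): does the opcode still match the listing?"""
    off = va_to_file_offset(data, va)
    opcode = data[off]
    return off, opcode, OPCODE_NAMES.get(opcode, "other"), opcode == expected


if __name__ == "__main__":
    clean = build_sample_pe()
    print("clean copy:  ", check_key_jump(clean, KEY_JUMP_VA))
    tampered = bytearray(clean)
    tampered[0xF41EC] = 0x74        # simulate the one-byte change described above
    print("tampered copy:", check_key_jump(tampered, KEY_JUMP_VA))
```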
If you try to crack a few programs with w32dasm you will soon run into problems. With some programs the string references after disassembly are useless, or neither the error nor the success message appears in the string references at all. With others, even when you reach the right place through the string references and only want to find the key jump, you find the code there is far messier than you expected... You may find it with careful reading, but I don't think that is the smart way; after all, some things can only be seen while the program is running. So if you cannot find the key jump with w32dasm, use a debugger! (You can still open w32dasm first; if the program is easy you'll find it there, and the debugger becomes unnecessary.)
Before we start, let me explain the steps for cracking with a debugger (I know you can already use one). First, of course, install the software you want to crack (I'm blocking, don't throw things!). Then enter a registration code, again anything at all. But don't press OK yet; call up the debugger first. Do you remember the APIs I mentioned earlier? The program will call an API function to fetch the registration code you typed, so we set a breakpoint on that API in the debugger. That way, as soon as the program calls the API, the debugger intercepts it.
GetDlgItemInt, GetDlgItemText and GetDlgItemTextA may be useful. But if you're on Windows 98, why not use hmemcpy? That really is a good idea. Once the breakpoint is set, return to the software you want to register and click OK. If the debugger breaks, the breakpoint you placed was useful; if not, try another one. Next we clear the breakpoint we just set. Taking TRW2000 as the example (SoftICE works about the same), clear it with the BC * command. Then enter the PMODULE command to return to the program's own airspace (SoftICE has no such command, so there just press F12). Now, what is this "airspace"? It simply means whose code is currently executing. When your program needs the registration code you entered, it calls the corresponding function, say GetDlgItemTextA, and GetDlgItemTextA itself calls hmemcpy; all these functions live in system DLL files. So when the program calls an API, execution moves into the DLL where that API lives (you can think of it that way). As I said before, hmemcpy is not called by the application directly but by other API functions. So: your program calls an API and the airspace moves to that API's DLL; the API calls hmemcpy and the airspace moves to hmemcpy's DLL; when hmemcpy finishes it returns to the API that called it, and when the API finishes it returns to the application that called it. Suppose we use hmemcpy as the breakpoint.
After we enter the registration code and press OK, the program calls some API to fetch what we typed, that API in turn calls hmemcpy, and the program breaks. Of course at this moment we are not in the application's airspace, but entering PMODULE takes us back into the application's own airspace, where you see the application's code rather than the API's. Now, where was I? Once back in the program's airspace we keep pressing F12. F12 runs the program until it reaches an instruction such as RET. So keep pressing F12 until the registration error dialog appears, and write down how many presses it took. Start over, press F12 that number minus one times, then switch from F12 to F10 (why not F4?) and keep pressing until the error appears; write down the number of F10 presses. Start over again. This time, as we get near the end of the F10 count, we must step carefully: usually five or six presses before that count you will see a call followed by a jump. Step over the jump; if it is taken, the error comes two or three steps later. Of course it may also not be taken and the error still comes two or three steps later. This should be easy to follow, since it is basically what I described earlier. There is another case: you press F10 all the way and find no jump at all. Don't be afraid; this is very common. Then press F10 one fewer time than the last count, and you will usually stop at a call; that call is the key call in the program.
Then we have to take a bit more trouble: press F8 to step into the call and analyse it. Whether registration succeeds or fails is decided inside this call; that is, the key jump we want to modify is also inside it. It is quite natural that the checks I described above are wrapped in a call. After stepping in with F8 we keep stepping with F10, and before long you will find the key jump, the same way as before: pay attention once you are within five or six F10 presses of the count.
Understand that programs are very flexible and there is no fixed formula. The rough analysis method is as above; the rest you have to master yourself, and what others tell you is only one way of analysing. I believe that as your experience grows you will be able to handle all kinds of situations.
Now let's analyse chinazip with the debugger. I hope you master this method.
First, replace the patched file with the original one and reinstall. Then run it, enter any registration code, press Ctrl+N to call up TRW, and set the breakpoint: bpx hmemcpy. Press F5 to leave the debugger (not F4 ^_^) and click OK. The program breaks:
KERNEL!hmemcpy
0147:9e62 push bp
0147:9e63 mov bp, sp
0147:9e65 push ds
0147:9e66 push edi
0147:9e68 push esi
0147:9e6a cld
0147:9e6b mov ecx, [bp+06]
0147:9e6f jcxz 9ee9
...... many more lines omitted ......
Enter BC * to clear the breakpoint, then PMODULE to return to the program's airspace:
0167:00436d13 mov [ebx+0c], eax
0167:00436d16 mov eax, [ebx]
0167:00436d18 cmp eax, byte +0c
0167:00436d1b jnz 00436d38
0167:00436d1d mov edx, [ebx+08]
0167:00436d20 push edx
0167:00436d21 mov ecx, [ebx+04]
0167:00436d24 mov edx, eax
0167:00436d26 mov eax, esi
0167:00436d28 call 00432b24
...... still many more lines omitted ......
Pressing F12 seven times and then F10 once brings us to 0167:004f4dc4. Now keep pressing F10; after ten or so presses we see a jump at 004f4dec, and it is taken, to 004f4e64. After the jump, fewer than three more presses and the program reports the error. So the jump jnz 004f4e64 at 004f4dec is the key jump. Hey, once you've found it, the rest needs no explanation.
0167:004f4dc4 mov eax, [ebp-08]
0167:004f4dc7 push eax
0167:004f4dc8 lea edx, [ebp-10]
0167:004f4dcb mov eax, [ebx+02e0]
0167:004f4dd1 call 00432f24
0167:004f4dd6 mov edx, [ebp-10]
0167:004f4dd9 lea ecx, [ebp-0c]
0167:004f4ddc mov eax, ebx
0167:004f4dde call 004f4fac
0167:004f4de3 mov edx, [ebp-0c]
0167:004f4de6 pop eax
0167:004f4de7 call 0040411c
0167:004f4dec jnz 004f4e64 <-- key jump!!
0167:004f4dee mov dl, 01
0167:004f4df0 mov eax, [00452558]
0167:004f4df5 call 00452658
0167:004f4dfa mov [ebp-04], eax
0167:004f4dfd xor eax, eax
0167:004f4dff push ebp
0167:004f4e00 push dword 004f4e5d
0167:004f4e05 push dword [fs:eax]
0167:004f4e08 mov [fs:eax], esp
0167:004f4e0b mov cl, 01
0167:004f4e0d mov edx, 004f4ea8
0167:004f4e12 mov eax, [ebp-04]
0167:004f4e15 call 0045283c
0167:004f4e1a mov ecx, 004f4ecc
0167:004f4e1f mov edx, 004f4ef4
0167:004f4e24 mov eax, [ebp-04]
0167:004f4e27 call 00452c80
0167:004f4e2c mov eax, 004f4f00
0167:004f4e31 call 00458b8c
0167:004f4e36 mov eax, [0050306c]
0167:004f4e3b mov eax, [eax]
0167:004f4e3d mov edx, 004f4f24
0167:004f4e42 call 00432f54
0167:004f4e47 xor eax, eax
0167:004f4e49 pop edx
0167:004f4e4a pop ecx
0167:004f4e4b pop ecx
0167:004f4e4c mov [fs:eax], edx
0167:004f4e4f push dword 004f4e6e
0167:004f4e54 mov eax, [ebp-04]
0167:004f4e57 call 004030c4
0167:004f4e5c ret
0167:004f4e5d jmp 00403824
0167:004f4e62 jmp short 004f4e54
0167:004f4e64 mov eax, 004f4f48 <-- the error path; we got here from the jump at 0167:004f4dec above!
0167:004f4e69 call 00458b8c
0167:004f4e6e xor eax, eax
Here is another example:
[Software name] Skynet Firewall
[Software Version] 2.46 Beta
[File size] 1289kb
[Applicable platform] Win9x/ME/NT/2000
[Software Overview] Skynet Firewall Personal Edition is a network security program for personal computers. It helps you resist network intrusion and attacks, prevents information leakage and, working together with our website, can locate attackers from suspicious attack information. It divides networks into two kinds, the Internet and the LAN, and lets you set a different security policy for each. It suits users who dial up to the Internet as well as those who connect through connection-sharing software.
This program also comes from the subscriber CD of Computer Newspaper dated 9 April. Its registration code can be obtained free of charge from its website...
Again, install it first (a migrant worker: give it another try! ^_^). Then use FI to check whether it is packed. Haha, compiled with BC++, no packer, great! Run it and type anything into the registration dialog, for example the names of this week's new movies...
Okay, start TRW2000. Enter two random strings; for example, first "who directed Hero?" and second "maybe Zhao Benshan" :)
Next, press Ctrl+N to call up TRW2k, enter bpx hmemcpy, and press F5 to leave.
Then press OK and the program breaks into TRW2k. Enter BC * and then PMODULE.
Now press F12: after 8 presses the program reports the error. The second time, press it 7 times and then start pressing F10; after 70 presses of F10 the program reports the error again (haha, be patient).
Okay, here is the disassembled code:
0167:0041c617 lea edx, [ebp-04] <-- after 7 presses of F12 we are here; now start pressing F10
0167:0041c61a mov ecx, [0052ae7c]
0167:0041c620 mov eax, [ecx]
0167:0041c622 mov eax, [eax+0318]
0167:0041c628 add eax, byte +2c
0167:0041c62b call 00517740
0167:0041c630 dec dword [ebp-20]
0167:0041c633 lea eax, [ebp-04]
0167:0041c636 mov edx, 02
0167:0041c63b call 00517710
0167:0041c640 mov word [ebp-2c], 14
0167:0041c646 lea eax, [ebp-08]
0167:0041c649 call 00401d60
0167:0041c64e mov edx, eax
0167:0041c650 inc dword [ebp-20]
0167:0041c653 mov ecx, [ebp-40]
0167:0041c656 mov eax, [ecx+02e0]
0167:0041c65c call 004b9f14
0167:0041c661 lea edx, [ebp-08]
0167:0041c664 mov ecx, [0052ae7c]
0167:0041c66a mov eax, [ecx]
0167:0041c66c mov eax, [eax+0318]
0167:0041c672 add eax, byte +30
0167:0041c675 call 00517740
0167:0041c67a dec dword [ebp-20]
0167:0041c67d lea eax, [ebp-08]
0167:0041c680 mov edx, 02
0167:0041c685 call 00517710
0167:0041c68a lea eax, [ebp-10]
0167:0041c68d call 00401d60
0167:0041c692 mov edx, eax
0167:0041c694 inc dword [ebp-20]
0167:0041c697 mov ecx, [ebp-40]
0167:0041c69a mov eax, [ecx+02e0]
0167:0041c6a0 call 004b9f14
0167:0041c6a5 lea edx, [ebp-10]
0167:0041c6a8 push dword [edx]
0167:0041c6aa mov word [ebp-2c], 20
0167:0041c6b0 lea eax, [ebp-0c]
0167:0041c6b3 call 00401d60
0167:0041c6b8 mov edx, eax
0167:0041c6ba inc dword [ebp-20]
0167:0041c6bd mov ecx, [ebp-40]
0167:0041c6c0 mov eax, [ecx+02d4]
0167:0041c6c6 call 004b9f14
0167:0041c6cb lea edx, [ebp-0c]
0167:0041c6ce mov edx, [edx]
0167:0041c6d0 mov eax, [0052ae7c]
0167:0041c6d5 mov eax, [eax]
0167:0041c6d7 pop ecx
0167:0041c6d8 call 0040525c
0167:0041c6dd mov [ebp-45], al
0167:0041c6e0 dec dword [ebp-20]
0167:0041c6e3 lea eax, [ebp-10]
0167:0041c6e6 mov edx, 02
0167:0041c6eb call 00517710
0167:0041c6f0 dec dword [ebp-20]
0167:0041c6f3 lea eax, [ebp-0c]
0167:0041c6f6 mov edx, 02
0167:0041c6fb call 00517710
0167:0041c700 cmp byte [ebp-45], 00
0167:0041c704 jz 0041c750 <-- after sixty-odd presses of F10 we find a jump here. Hey, this is it!!!
0167:0041c706 mov ecx, [0052ae7c]
0167:0041c70c mov eax, [ecx]
0167:0041c70e mov eax, [eax+0318]
0167:0041c714 call 00411fd0
0167:0041c719 mov word [ebp-2c], 2c
0167:0041c71f mov edx, 00521b50
0167:0041c724 lea eax, [ebp-14]
0167:0041c727 call 005175b0
0167:0041c72c inc dword [ebp-20]
0167:0041c72f mov eax, [eax]
0167:0041c731 call 004b41b0
0167:0041c736 dec dword [ebp-20]
0167:0041c739 lea eax, [ebp-14]
0167:0041c73c mov edx, 02
0167:0041c741 call 00517710
0167:0041c746 mov eax, [ebp-40]
0167:0041c749 call 004a81d0
0167:0041c74e jmp short 0041c77d
0167:0041c750 mov word [ebp-2c], 38
0167:0041c756 mov edx, 00521b6b
0167:0041c75b lea eax, [ebp-18]
0167:0041c75e call 005175b0
0167:0041c763 inc dword [ebp-20]
Once you have found the key jump, don't sit idle! (Open the file in w32dasm, press Shift+F12, enter 0041c704, and you can read the corresponding offset address in the lower right corner.)
TIPS: In TRW, if you think some place is the key jump, you can test it with the command r fl z. It inverts the zero flag: a jz xxxxxxxx that would have been taken is no longer taken, and one that would not have been taken now is. Enter r fl z at 0041c704, then step on a few more instructions and see whether it succeeds. Also, if you only want to register the software and it checks just once, at registration time, you can use this method in place of the detonator!
In the end, brute-force patching is only a minor skill. It's fine to play with it a few times at the start, but don't stop there...
Afterword: you may find that some software is not as simple as you think, and you can't even find the key jump. That's normal. Do more hands-on practice and you will understand later. I chose these two examples today because they are both simple and representative; had I shown you how to crack harder software, it would only have left you confused...
<End of this chapter>