A friend asked me whether I could help crack a piece of software. I am only a newbie, so I took it on for practice, but the cracking turned out to be really hard... Without further talk, check the packer first: ASProtect 2.3 SKE build 04.26 Beta [3]. A script or an unpacking tool removes it without trouble. Then the first problem appeared: all the import pointers are clearly valid, but the unpacked file stops dead on the startup screen. I started guessing at the reason. Does a section need to be filled in? Self-verification? After going round in circles, I loaded the unpacked file in OllyDbg (OD), ran it, and pressed F12 to pause it. Looking at the call stack, my guess was that the program had noticed its code was modified after unpacking and had simply parked itself in Sleep. So go straight to the place it is called from:

Code:
00530E5E.  /74 18          je Xde_Hzkqs.00530E78
00530E60> |68 7F969800     push 0x98967F               ; /Timeout = 9999999. ms
00530E65. |E8 3ADDEDFF     call <jmp.&kernel32.Sleep>  ; \Sleep
00530E6A. ^|EB F4          jmp Xde_Hzkqs.00530E60
00530E6C. |A1 98F65300     mov eax, dword ptr ds:[0x53F698]
00530E71. |8B00            mov eax, dword ptr ds:[eax]
00530E73. |E8 F45CF4FF     call De_Hzkqs.00476B6C
00530E78> \33C0            xor eax, eax

Change the je at 00530E5E to jmp and the program runs.

The second step is cracking the software itself. It offers several registration methods: I tried two of them, and both are verified from an INI file after a restart. I wanted to enter a fake code and trace my way to the registration routine, but PEiD reports a whole pile of encryption algorithms, and after a while encrypted strings show up in memory, so that approach is not practical. So I decided to remove the restart-verification process directly. The usual starting point is a breakpoint on GetPrivateProfileStringA (BP GetPrivateProfileStringA), but I found that the software spawns several threads after start-up and reads more than one INI file, which makes that messy. I therefore used the following tracing method instead: 1. Start the software; the trial-version prompt dialog appears.
2. Press F12 to pause at this point, find the MessageBox call in the Stack window, and go back to the start of the procedure that calls it. The comment there reads: Local calls from notify, 0052E8FE, 0052EA6C, 0052EA91, 0052F97D, 0052FAF9, 00530D34, 00530fb, 00531042, 00531D54, 00531DDE, 00532210, 0053229A, 00532F55, 00533AC0, 00534B24, 00534F34, 00535F83, 0053604B, 00536534, 00536685, 005 running D0, 0053711A. Ctrl+R, set breakpoints on all of these addresses, rerun the program, and it stops at 00534B24. At the start of the procedure at 00534B24 the comment reads: Local calls from 0053199E, 005319DC, 00533A20, 00533A5F. Same method as above: break on all of them, rerun, and it stops at 005319DC (this is actually the idea from tiancao's advanced tutorial 15).

Code:
005319CF.  8B55 9C         mov edx, dword ptr ss:[ebp-0x64]
005319D2.  E8 A533EDFF     call paper.00404D7C
005319D7.  74 15           je Xpaper.005319EE               ; make it jump here
005319D9.  8B45 FC         mov eax, dword ptr ss:[ebp-0x4]
005319DC.  E8 AB300000     call paper.00534A8C              ; calls the trial-version prompt
005319E1.  33C0            xor eax, eax
005319E3.  5A              pop edx
005319E4.  59              pop ecx
005319E5.  59              pop ecx
005319E6.  64:8910         mov dword ptr fs:[eax], edx
005319E9.  E9 DC200000     jmp paper.00533ACA
005319EE>  8D85 78FAFFFF   lea eax, dword ptr ss:[ebp-0x588]
005319F4.  50              push eax
005319F5.  B9 01000000     mov ecx, 0x1
005319FA.  BA 14000000     mov edx, 0x14
005319FF.  8B45 CC         mov eax, dword ptr ss:[ebp-0x34]
00531A02.  E8 8934EDFF     call paper.00404E90
00531A07.  8B85 78FAFFFF   mov eax, dword ptr ss:[ebp-0x588]
00531A0D.  8B55 98         mov edx, dword ptr ss:[ebp-0x68]
00531A10.  E8 6733EDFF     call paper.00404D7C
00531A15.  0F85 41200000   jnz paper.00533A5C               ; must not be allowed to jump
00531A1B.  6A 07           push 0x7
00531A1D.  B9 06000000     mov ecx, 0x6
00531A22.  BA 09000000     mov edx, 0x9
00531A27.  8B45 E0         mov eax, dword ptr ss:[ebp-0x20]
00531A2A.  E8 45F4F9FF     call paper.004D0E74
00531A2F.  33D2            xor edx, edx
00531A31.  52              push edx

Here we can see the je check at 005319D7; change it to jmp.
Stepping on from there, a long jnz sits at 00531A15. If that jump is taken the program fails outright, so it has to be NOPed out. The next step is manual single-step debugging. It failed several times, and I summarised two rules: 1. Every place that reaches Sleep must be jumped over.

Code:
00531E72.  /74 63          je Xpaper.00531ED7
00531E74. |A1 FCF65300     mov eax, dword ptr ds:[0x53F6FC]
00531E79. |FF30            push dword ptr ds:[eax]
00531E7B. |68 74445300     push paper.00534474              ; ASCII "hz"
00531E80. |8D85 04FAFFFF   lea eax, dword ptr ss:[ebp-0x5FC]
00531E86. |50              push eax
00531E87. |B9 05000000     mov ecx, 0x5
00531E8C. |BA 03000000     mov edx, 0x3
00531E91. |8B45 D8         mov eax, dword ptr ss:[ebp-0x28]
00531E94. |E8 F72FEDFF     call paper.00404E90
00531E99. |FFB5 04FAFFFF   push dword ptr ss:[ebp-0x5FC]
00531E9F. |68 80445300     push paper.00534133              ; ASCII ".dll"
00531EA4. |8D85 08FAFFFF   lea eax, dword ptr ss:[ebp-0x5F8]
00531EAA. |BA 04000000     mov edx, 0x4
00531EAF. |E8 3C2EEDFF     call paper.00404CF0
00531EB4. |8B85 08FAFFFF   mov eax, dword ptr ss:[ebp-0x5F8]
00531EBA. |E8 697DEDFF     call paper.00409C28
00531EBF> |68 7F969800     push 0x98967F                    ; /Timeout = 9999999. ms
00531EC4. |E8 DBCCEDFF     call <jmp.&kernel32.Sleep>       ; \Sleep

2. Every place that reaches LoadLibraryA must be jumped over.

Code:
00531EFC.  /0F87 2F010000  ja paper.00532031
00531F02. |A1 FCF65300     mov eax, dword ptr ds:[0x53F6FC]
00531F07. |FF30            push dword ptr ds:[eax]
00531F09. |68 74445300     push paper.00534474              ; ASCII "hz"
00531F0E. |8D85 FCF9FFFF   lea eax, dword ptr ss:[ebp-0x604]
00531F14. |50              push eax
00531F15. |B9 05000000     mov ecx, 0x5
00531F1A. |BA 03000000     mov edx, 0x3
00531F1F. |8B45 D8         mov eax, dword ptr ss:[ebp-0x28]
00531F22. |E8 692FEDFF     call paper.00404E90
00531F27. |FFB5 FCF9FFFF   push dword ptr ss:[ebp-0x604]
00531F2D. |68 80445300     push paper.00534133              ; ASCII ".dll"
00531F32. |8D85 00FAFFFF   lea eax, dword ptr ss:[ebp-0x600]
00531F38. |BA 04000000     mov edx, 0x4
00531F3D. |E8 AE2DEDFF     call paper.00404CF0
00531F42. |8B85 00FAFFFF   mov eax, dword ptr ss:[ebp-0x600]
00531F48. |E8 E32EEDFF     call paper.00404E30
00531F4D. |50              push eax                         ; /FileName
00531F4E. |E8 2554EDFF     call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
00531F53. |A3 F4245400     mov dword ptr ds:[0x5424F4], eax

Manual debugging only needs patience and care: there is a lot of code, and you slowly skip past the two traps above. It worked! After the patched program is run, the verification step is gone, and clicking "Register" immediately reports that registration succeeded:
Haha, the first time I tried to practise I ran into such a complicated program, and my method was really clumsy. If you have a better way to get around the Sleep and LoadLibraryA functions, please advise.