Attacking Serial Number Protection
Whether the goal is to locate the genuine serial number or to modify the conditional jump that follows the check, the key step is the same: use the available tools to find the code segment that judges the serial number. The APIs most often used as breakpoints for this are GetDlgItemInt, GetDlgItemTextA, GetTabbedTextExtentA, GetWindowTextA, Hmemcpy (Windows 9x only), lstrcmp, lstrlen, and memcpy (NT/2000 only).
1) The data constraint technique
This idea was proposed by +ORC and applies only to protection schemes that compare the registration code in plaintext. In most serial-number-protected programs, the real, correct registration code or password appears in memory at some point. Where it appears is not fixed, but in most cases it lies within a narrow range: roughly ±0x90 bytes from the memory address that holds the serial number the user typed. This follows from the way the compiler and the Windows system constrain how data is passed around.
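The reason the data constraint observation works is that a plaintext comparison loads the genuine key into memory beside the user's input. The following C program is an added illustration (not code from the original article) that places the weak pattern next to a hardened one: the hardened check stores only a digest of the key and compares digests in constant time, so the genuine key is never present in the process unless the user typed it. The sample key "ABCD-1234-EFGH" and the false serial "78787878" are constructed values, and FNV-1a is used only to keep the example dependency-free; a shipping product would use a cryptographic hash with a salt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 8

/* Constructed sample key. In the weak pattern it ships inside the binary. */
static const char WEAK_EXPECTED[] = "ABCD-1234-EFGH";

/* Weak pattern: a plaintext strcmp. The genuine key is a string literal, and
   the comparison brings it into memory right next to the user's input, which
   is exactly the situation the data constraint technique relies on. */
int weak_check(const char *input)
{
    return strcmp(input, WEAK_EXPECTED) == 0;
}

/* FNV-1a 64-bit, chosen only so the example has no dependencies. A real
   product would use a cryptographic hash (e.g. SHA-256) with a salt; the
   structure of the check stays the same. */
void make_digest(const char *s, uint8_t out[DIGEST_LEN])
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    for (int i = 0; i < DIGEST_LEN; i++)
        out[i] = (uint8_t)(h >> (8 * i));
}

/* Compare every byte with no early exit, so timing does not reveal the
   position of the first mismatch. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened pattern: the binary holds only stored_digest. Hashing the input
   and comparing digests means the correct key never appears in memory near
   the input, so a memory search around the typed serial finds nothing useful. */
int hardened_check(const char *input, const uint8_t stored_digest[DIGEST_LEN])
{
    uint8_t d[DIGEST_LEN];
    make_digest(input, d);
    return ct_equal(d, stored_digest, DIGEST_LEN);
}

int main(void)
{
    /* Normally produced offline by the vendor's key tool; computed here so
       the example is self-contained. */
    uint8_t stored[DIGEST_LEN];
    make_digest("ABCD-1234-EFGH", stored);

    printf("weak:     genuine=%d false=%d\n",
           weak_check("ABCD-1234-EFGH"), weak_check("78787878"));
    printf("hardened: genuine=%d false=%d\n",
           hardened_check("ABCD-1234-EFGH", stored),
           hardened_check("78787878", stored));
    return 0;
}
```

The hardened variant does not stop someone from patching the conditional jump after the check, which is the other attack the article names; it only removes the plaintext key from memory. Defences against patching (integrity checks, server-side validation) are a separate layer.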
2) The Hmemcpy function (commonly called the universal breakpoint)
Hmemcpy is an internal function of Windows 9x. It is located in KERNEL32.DLL and copies a block of data from one place in memory to another. Because Windows 9x uses it constantly to process all kinds of strings, it is a very practical breakpoint and the most commonly used one on that platform. Windows NT/2K has no such breakpoint, because its kernel is completely different from Windows 9x.
3) The S command
Because the S command skips pages that are not in memory, the 32-bit flat data segment descriptor 30h can be used to search the entire 4 GB address space (0 ~ FFFFFFFFh). This is generally used under Windows 9x. The steps are: first enter a name or a false serial number (for example 78787878), press Ctrl+D to switch into SoftICE, and run the following SEARCH command:
S 30:0 L ffffffff '000000'
This usually finds more than one address (ss:ssssssss). Set a BPM breakpoint on the located copy of the false registration code and trace how the program processes the entered serial number; this may lead to the correct serial number.
4) Message breakpoints
The message breakpoints WM_GETTEXT and WM_COMMAND are both useful for string handling. WM_GETTEXT reads the text of a control, for example when the program copies the serial number from an edit box into its own buffer. WM_COMMAND notifies a control's parent window: if the user clicks OK after entering the serial number, the button's parent window receives a message saying that the button was clicked.
BMSG xxxx WM_GETTEXT (intercept the serial number)
BMSG xxxx WM_COMMAND (intercept the OK button)
The HWND command in SoftICE lists window handle information, and the Spy++ utility in Visual Studio also shows the handle of the corresponding window; with that value, use BMSG to set the breakpoint. Example:
BMSG 0129 WM_COMMAND
This concludes the introduction to serial number protection. For more information, see: Common Protection Attacks: Serial Numbers.