First, the three stages of learning to crack:
Elementary: modify the program. Use UltraEdit and similar tools to modify the EXE file. This is called brute-force cracking, or "blasting".
Intermediate: obtain the software's registration code.
Advanced: write a registration machine (keygen).
Let's talk about brute-force cracking. So-called brute-force cracking means modifying the executable file itself to achieve the desired result. Don't follow? Here is an example: shareware usually compares the registration code the user entered with the one it computed. If they are equal (that is, the user entered the correct registration code), it jumps to the place where registration succeeds; otherwise it goes to the place where the error is reported.
Come on, look. We only need to find this jump instruction and change it into the "shape" we need. Then the program does what we want, doesn't it? (And what are you going to do if the software reaches out and punches you in the chest?)
There are two common modification methods. I will give an example of each:
No. 1
In one program, the registration check looks like this:
00451239 CALL 00405E02 (key CALL, used to determine whether the registration code the user entered is correct)
0045123D JZ 004572E6 (!!! <-- This is the key jump. If the user entered the correct registration code, it jumps to the success location, that is, 004572E6)
0045XXXX YYYYYYYYYY
XXXXXXXX YYYYYYYYYY
XXXXXXXX YYYYYYYYYY
When execution reaches XXXXXXXX here, the user's registration has failed.
... Displays messages such as "incorrect registration code"
...
004572E6 ... <-- (registration successful !!!)
... Displays the "registration successful" message and so on
Have you understood it? If not, let me spell it out. When the program reaches 00451239, it CALLs 00405E02 to check the registration code. Then comes a jump instruction: if the user entered the correct registration code, it jumps to 004572E6, and landing there means registration succeeded. If the registration code the user entered is incorrect, the jump at 0045123D is not taken, and execution continues straight on into the part below, which is the registration-failure part.
Do you understand now? Hey hey... Yes, we only need to change the key jump from JZ to JNZ (then an incorrect registration code succeeds and a correct one fails). Of course, you can also change the JZ to JMP. In that case, whether the registration code you entered is correct or not, registration succeeds.
No. 2
Now the other situation:
00451239 CALL 00405E02 (key CALL, used to determine whether the registration code the user entered is correct)
0045123D JNZ 004572E6 (!!! <-- This is the key jump. If the registration code the user entered is incorrect, it jumps to the failure location, that is, 004572E6)
0045XXXX YYYYYYYYYY
XXXXXXXX YYYYYYYYYY
XXXXXXXX YYYYYYYYYY
When execution reaches XXXXXXXX here, the user's registration has succeeded.
... Displays the "registration successful" message and so on
...
004572E6 ... <-- (registration failed !!!)
... Displays messages such as "incorrect registration code"
This time I believe you must understand. Still don't...?
You must have noticed what is different from the first case. That's right! In the first case, a correct registration code takes the jump to the success location, and falling through leads to the failure location. In this case it is the other way round: an incorrect registration code takes the jump to the failure location, and otherwise execution falls through and registration succeeds.
In this case, besides changing JNZ to JZ, you can also change it to NOP. The NOP instruction does nothing. After you change this instruction to NOP, you can enter any registration code you like and register.
The principle has been explained. Next, the specific modification method. (I assume you already know how to use the tools.)
First, the conversion between virtual addresses and file offsets. The addresses displayed in SoftICE and W32Dasm are memory addresses, the so-called Virtual Address (VA). The addresses displayed in hexadecimal tools such as Hiew and Hex Workshop are file addresses, called the File offset or RAW offset.
So when we want to use a hexadecimal tool to modify an instruction in the executable file, we first need to find its file offset. We do not need a dedicated conversion tool; W32Dasm has this function built in. For example, when you position the cursor on 0045123D in W32Dasm, the status bar at the bottom of the W32Dasm window shows both the virtual address and the file offset of the instruction: in "@: 0045123D @ offset 0005063Dh", the 0005063Dh after "offset" is the corresponding file offset. Once we have that, we can use UltraEdit or another hexadecimal tool to modify the executable. With UltraEdit, for example, open the executable file, press Ctrl + G, enter the file offset you obtained, and you land on the corresponding machine code.
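The VA-to-file-offset mapping that W32Dasm shows in its status bar comes from the PE section table: subtract the image base to get an RVA, find the section containing it, and add the section's raw-data pointer. The following is an added example (not from the original tutorial or any tool it names) that does this conversion and its inverse; the image base and section table are constructed values typical of a 32-bit EXE, chosen so that the page's 0045123D maps to 0005063D. A defender uses the same mapping when comparing a suspect on-disk binary against a known-good copy at an address reported by a disassembler.

```python
"""VA <-> file offset conversion from a PE section table (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Section:
    name: str
    virtual_address: int     # RVA at which the section is mapped
    virtual_size: int        # size in memory (may exceed raw size, e.g. .bss)
    pointer_to_raw_data: int  # file offset of the section's bytes
    size_of_raw_data: int    # number of bytes actually stored in the file


def va_to_file_offset(va: int, image_base: int, sections: List[Section]) -> Optional[int]:
    """Return the file offset backing a VA, or None if no file bytes back it."""
    rva = va - image_base
    if rva < 0:
        return None
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.size_of_raw_data:
                return None  # zero-filled tail of the section: nothing on disk
            return s.pointer_to_raw_data + delta
    return None  # headers or a gap between sections: not addressable this way


def file_offset_to_va(off: int, image_base: int, sections: List[Section]) -> Optional[int]:
    """Inverse mapping: which VA does a byte at this file offset load to?"""
    for s in sections:
        if s.pointer_to_raw_data <= off < s.pointer_to_raw_data + s.size_of_raw_data:
            return image_base + s.virtual_address + (off - s.pointer_to_raw_data)
    return None


# Constructed section table (hypothetical, not from any real program).
IMAGE_BASE = 0x00400000
SECTIONS = [
    Section(".text", 0x1000, 0x6A000, 0x400, 0x6A000),
    Section(".data", 0x6C000, 0x2000, 0x6A400, 0x1000),  # half is zero-filled
]


def key_jump_offset() -> Optional[int]:
    """The page's example: VA 0045123D should give file offset 0005063Dh."""
    return va_to_file_offset(0x0045123D, IMAGE_BASE, SECTIONS)


if __name__ == "__main__":
    print(f"0045123D -> offset {key_jump_offset():08X}h")
```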
Now machine code. So-called machine code is simply the hexadecimal data you see in the hex editor, and it corresponds one-to-one with assembly instructions.
The following are the ones used for brute-force cracking. If you are interested, you can look up the rest yourself:
JZ = 74; JNZ = 75; JMP = EB; Nop = 90
During brute-force cracking, you only need to modify the machine code above. For example, in the first case you change 74 to EB, that is, JZ to JMP. In the second case you change 75 to 90, that is, JNZ to NOP.
This chapter only covers the principles. The details, such as how to find the key jump, will be covered in the next chapter. (A brick flies over! Hey, I caught it this time.)
What you need to understand is the theory of brute-force cracking. Brute-force cracking is only the beginning of learning Crack. It is a simple method you can play with when you are starting out, but I hope you don't stop there!
(Hey, let me say it again: I have not named any software, and I am not telling you to go and reverse-modify it. If you mess with someone else's work, why would they put up with it?)
I do not like brute-force cracking. If I cannot write a keygen, I look for the registration code; otherwise I do not register the software. Whether I pay for it depends on my own skill. (When I have money, I will consider registering those excellent shareware programs.) So, in a sense, I am a gentleman.
In fact, finding a registration code is not that difficult. I mean, when the software is not very elaborate about it, you don't have to worry.
Didn't we mention the key CALL when talking about brute-force cracking? In general, this key CALL compares two registration codes: the correct one, which the software itself computes from your registration name, machine ID or the like, and the wrong one you entered. As I said earlier, the data a CALL works on is usually placed somewhere beforehand, and the callee then retrieves what was placed there and processes it. The same goes for this key CALL: before it, the two registration codes are usually put on the stack or in a register. So we only need to single-step to the CALL in the debugger. Before stepping into it, we look at the instructions before the CALL to determine where the correct and incorrect registration codes were placed, and then view them with the corresponding command. As I said, it is not difficult.
The two most common cases are listed below (refer to the relevant tutorials):
No. 1
Mov eax, [] ; [] can be an address or another register
Mov edx, [] ; same as above; this instruction can also be pop edx
Call 00?????? ; key call
Test eax, eax
Jz (jnz) or je (jne) ; key jump
As you can see, before the key CALL the software puts the two registration codes into eax and edx respectively, so when you reach the CALL you only need to use d eax or d edx to see the correct registration code.
No. 2
Mov eax, [] ; [] can be an address or another register
Mov edx, [] ; same as above; this instruction can also be pop edx
Call 00?????? ; key call
Jne (je) ; key jump
The two situations above are the most common, and I will not go further here. In the next chapter I will explain the relevant methods...
That's it for finding the software registration code. For more, see the next chapter. (Didn't I say that already? Why are you throwing bricks at me again?)
Finally, the so-called advanced stage. If you believe in yourself and love Crack, you will definitely get through this stage, although the time it takes varies from person to person.
In fact, analyzing a program's algorithm takes a lot of skill. At least, I was confused at the very beginning: so many CALLs, each of which seems important. Chase them all? As a result I chased down a great many APIs. Once you have carefully analyzed a program's algorithm and written a keygen, you will understand.