I have talked about some problems that I often encounter during the process of learning and decryption. I will give you a brief talk based on my own experience. These problems are often very understandable for beginners. Based on my own learning experience, if you follow a lot of tutorials to learn, most people will confuse themselves, because there are many concepts, either they are not very clear, or they do not know what it is, so I hope to give you some help through the following discussion:
1. breakpoint: the so-called breakpoint is the place where the program is interrupted. This word is no longer familiar to the decrypted. So what is interruption? Interruption occurs because of a special event (interruption event). The computer suspends the current task (Program) and executes another task (service interruption program ), then return to the original task to continue the execution. For example, when you were at work, someone suddenly called to tell you that he was taking a train from another place and asked you to pick him up at the train station. Then, you will ask your boss for a temporary leave and rush to the train station to pick up your classmates. Then you will settle in and go back to the company to continue working. This is an interruption process. The decryption process is to wait until the program obtains the entered registration code and prepares to compare it with the correct registration code to interrupt it. Then we can find the correct registration code through the analysis program. Therefore, we need to set a breakpoint for the decrypted program, and track the registration code of the program in the program as appropriate to achieve the crack goal.
2. airspace: This is a very important concept, but it is often hard for beginners to understand. We can see the term "airspace" in various cracking articles. If you don't know where the program's airspace is, you won't be able to enter the door for cracking. Maybe you have cracked some software, but it's just that a blind cat has met a dead mouse (I used to be like this ^ _ ^, so I'm sorry for it now !). The so-called program's airspace, to put it bluntly, is the place where the program itself is located, that is, the location where the program code we are going to crack is located. Maybe you will immediately ask: I set the breakpoint when the program is running. Why is it not in the program's own space after the interruption? Because there is no fixed mode for writing each program, we need to interrupt the program when we want to cut into the program, we must not rely on the specific program to set breakpoints, that is, the breakpoint we set should be something that every program will use. In the DOS era, basically all programs work on interrupt programs, that is, almost all DOS Programs call various interruptions to complete tasks. However, in the Windows era, the program has no right to directly call the interrupt. In Windows, the system provides a system function calling platform (API), which is the same as the DOS program based on the interrupt program, windows programs use APIs as the basis for dealing with systems and various functions. Therefore, the breakpoint settings of software cracking in windwos are based on API functions, that is, when a program calls an API function, it interrupts its normal operation and decrypts it. For example, in SoftICE, set the following breakpoint: BPX getdlgitemtext (get the dialog box text). When the program to be cracked needs to read the input data and call getdlgitemtext, it is immediately intercepted by SoftICE, therefore, the cracked program stays in the getdlgitemtext program zone, while getdlgitemtext is in the system zone managed by windwos. If we get rid of this part of program code without authorization, it is a big disaster! Therefore, we need to return from the system area to the location of the cracked Program (that is, the program's airspace) to crack the program. For how to view the program's airspace, see the SoftICE diagram above. Imagine: Where can we find something useful for the program segments that every program calls? (How to encrypt is decided by the program, rather than calling system functions !)
3. API: Short for application programming interface. It is called an Application Programming Interface in Chinese. It is a large collection of system-defined functions and provides methods to access operating system features. APIS contain functions called by hundreds of applications. These functions perform all required operating system-related operations, such as memory allocation, on-screen output, and window creation, A user's program calls an API to deal with windows. No matter what kind of application, the underlying layer of the user's program eventually implements various functions by calling various API functions. Generally, an API has two basic forms: Win16 and Win32. Win16 is the original API 16-bit version for Windows 3.1. Win32 is the current API 32-bit version for Windows 95/98/NT/ME/2000. Win32 includes Win16, which is a superset of Win16. The names and usage of most functions are the same. The difference between a 16-bit API function and a 32-bit API function is the last letter. For example, we set a breakpoint: BPX getdlgitemtext, BPX getdlgitemtexta, and BPX getdlgitemtextw, getdlgitemtext is a 16-bit API function, getdlgitemtexta and getdlgitemtextw are 32-bit API functions, while getdlgitemtexta indicates that the function uses a single byte, and getdlgitemtextw indicates that the function uses dubyte. Currently, we often use Win32 single-byte API functions, which are similar to getdlgitemtexta functions. The other two types (Win16 API and Win32 double-byte API functions) are rare. Win32 API functions are included in the dynamic link library (DLLs), that is, in kernel32.dll, user32.dll, gdi32.dll, and comctl32.dll, this is why we need to use commands such as exp = C: \ WINDOWS \ SYSTEM \ kernel32.dll in SoftICE to import these dynamic link libraries into SoftICE. If this is not done, we cannot intercept system Win32 API function calls.
4. the method of existence of the registration code in the program: During the cracking process, we will go to the program to compare the entered registration code with the correct registration code, then, we track and analyze the program to find the correct registration code. But the correct registration code usually exists in two forms in the program: explicit and implicit. For the explicit registration code, we can see it directly in the memory of the program, for example, you can directly see a registration code similar to "297500523" in the SoftICE data window (this is written at will), it is easier to crack the software with the explicit registration code; however, some software programs do not directly compare the entered registration code with the correct registration code, such as converting the registration code into an integer or splitting the registration code, then, we will separate each registration code and compare them one by one in different places, or convert the entered registration code, and then use a special program for verification. In short, applications adopt different complex calculation methods to avoid direct registration code comparison. For such programs, we usually need to carefully track, analyze each program function, and find the encryption algorithm, then we can crack it. Of course, this requires a certain level of 8086 assembly programming skills and a lot of patience and energy.
5. Software cracking methods: I divide the methods into two categories: full and brute-force. The so-called complete cracking is mainly for software that requires entering the registration code or password. If we can find the correct registration code through tracking the program, the software is successfully registered through the software registration function, which is called a complete cracking. However, if some software itself does not provide the registration function, it only provides a trial (DEMO ), or the registration cannot be performed through the software itself (for example, You need to obtain another dedicated registration program and register through the Internet), or the encryption technology of the software itself is complicated, the software Cracker has limited capabilities, energy, and time, and cannot directly obtain the correct registration code. At this time, we need to modify the program code of the software itself, that is, Manually changing the operation direction of the software, this type of cracking is called brute-force cracking.
6. Address of the program code in the cracking Tutorial: Some program code will be added in the cracking tutorial to help explain the analysis method of the program, for example, the following code section:
......
0167: 00408033push00
0167: 00408035 pushebx
0167: 00408036 call [USER32! Enddialog]
0167: 0040803cjmp0040812c
......
Here, the Code address in the program, such as 0167: 00408033, the code segment value (that is, 0167) may vary depending on different computers, not necessarily the same, but the offset value should be fixed (that is, 00408033 remains unchanged). If you see the address value of the program code in the Cracked article is different from the address value in your computer, do not think it is wrong, as long as your program code is correct, there will be no problem.
7. the question about how to set breakpoints: correct and appropriate settings of breakpoints are very important for fast and effective decryption. Good breakpoint settings allow us to quickly find key program segments, improper breakpoint may cause unnecessary energy consumption on decryption, and even cannot intercept the running of the program. However, it is hard to say when to use any breakpoint, which requires accumulation of experience. In general, BPX hmemcpy, a universal breakpoint, is useful for most software with registration code, for beginners, try this breakpoint more. (I usually use this breakpoint to set it. I am too lazy. ^ _ ^, haha ...). For software that requires brute-force password cracking, we should usually intercept the dialog box (such as BPX dialogbox) and message box (such as BPX MessageBox (. No matter which type of software, when the breakpoint we set has no effect, but try BPX lockmytask, this breakpoint is used to intercept any button action, for more information about common breakpoint settings, see section "cracking common breakpoint Settings. In addition, you usually need to enter the user name and registration code to crack the registration code. Generally, the user name and password can be entered at will, but according to my own experience, many software processes the registration code one by one. If you enter the number "78787878, so we can't know which "78" we saw at the time when tracking the program, so I prefer to use a registration code like "12345678, in this way, you can know which digit of the registration code the program is performing operations on. Similarly, for software that requires a long serial number, enter a serial number similar to "12345-67890-abcdef. However, you need to pay special attention to the following: the registration code input method "12345678" mentioned above is intended to intercept Win32 API functions. if sometimes it is difficult to find a breakthrough in programs to intercept Win32 API functions directly, when we use the "S" command to search for the user name or registration code we entered in the memory, we 'd better not use "12345678" as the registration code, because there may be many "12345678" strings in the memory, we have no way to know which program we are going to crack is "12345678 ", so we should choose a registration code that is not easy to use with the same memory data, such as: 74747474 (I like to use it, meaning: To Die... Hahaha ^_^), the corresponding SEARCH Command is: S 30: 0 l ffffffff'000000 '. Of course, the above is just my personal habits. The specific input form can be determined based on my hobbies and habits, without sticking to a fixed pattern.
8. questions about how to track programs: beginners often do not know how to track programs when learning to decrypt, how to find a place where the registration code is compared, and are overwhelmed when faced with a long pile of program code. Generally, software programs use a sub-Program (call *********) to verify whether the entered registration code is correct. For programs whose registration code explicitly exists, generally, the entered registration code and the correct registration code are put into the Register, and then the verification subroutine is called to judge and return the result. The application determines whether the registration is successful based on the result returned by the subroutine, such a program often has the following forms:
* **: ********** Moveax, [**********] (or push eax)
* *****: ********* Movedx, [**********] (or push edX, etc)
*****: ********** Call ********
*****: ********* Testeax, eax (or test Al, Al, or not in the form of this sentence)
*****: *********** Jnz ******** (or JZ)
The memory areas pointed by eax and EDX are the registration code we entered and the correct registration code. The registers eax and EDX here are written at will, or ECX, EBX, EDI, ESI and so on. For programs with an implicit registration code, although the correct registration code cannot be directly seen, the entered Registration Code address is usually first put into a register, and then the subroutine is called for verification, when cracking, you need to go to the subroutine to analyze and register the algorithm. In short, we can see that the subprogram (call ********) is followed by the jump command (jnz ********* or JZ ********) we should be vigilant when using D eax (or EBX, ECx, EDX, EDI, ESI... wait) to see what is hidden in the memory area pointed to by the register. One thing you should note: You should note that the following function is used in the program, that is, getdlgitenint. The function of this API is to convert the input text to an integer, therefore, this type of program will not display the existing registration code, because the registration code is converted to an integer, the program usually uses CMP ECx, EDX this type of command to verify the correctness of the registration code, here, ECx and EDX are stored in the integer form of the entered registration code and correct registration code. Can we use it now? EDX and? ECX is in decimal format, that is, the input format.
9. anti-installation of software: we often encounter a problem when using some software, that is, after the Shared Software expires, even if the original program is deleted and re-installed, the program is still unavailable, we also remind you that the trial period has passed, please register; or you have cracked a software, but want to continue to study it, but because the software has been registered, there is no registration option, at this time, even if you completely delete the program and re-install the software, the program will still be registered after the program runs. In this case, the reason is actually very simple, because the program will register or expiration information in the system registry, so simple re-installation of software is useless. The solution is to delete the information related to the Registry by yourself. However, because the registry is the basis of the work of the Windows system, if you are not careful, it may damage the registry and cause system exceptions, therefore, if you are not familiar with the Registry, back up the registry before modification. You can use the registry management tool "Regedit" in Windows to modify or back up the Registry. One way is to enter "Regedit" under "start-> Run" to start it, you can also click "C: \ WINDOWS \ regedit.exe" to run it. Most applications store their own information in the following path: HKEY_LOCAL_MACHINE \ Software, HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft, HKEY_CURRENT_USER \ Software, HKEY_CURRENT_USER \ Software \ Microsoft or HKEY_USERS \. in default \ Software, the specific place varies according to different programs. As long as the keys related to the application are found in the above order, delete the key values related to the user name and registration code.
10. questions about cracking exercises: Learning to crack a large number of exercises requires a lot. For the choice of cracking targets, Beginners should not aim at large-sized and well-known software because the encryption of these software is usually complicated, it is not easy to crack. You should select small and early shared software to practice, because the relatively simple encryption software helps beginners quickly master the ideas and skills of cracking. The source of exercises is extensive. You can download them from the Internet or purchase some shared software CDs on the market.