Decryption code-10 tips to learn how to collect software cracking loads)

Source: Internet
Author: User

I have talked about some problems that I often encounter during the process of learning and decryption. I will give you a brief talk based on my own experience. These problems are often very understandable for beginners. Based on my own learning experience, if you follow a lot of tutorials to learn, most people will confuse themselves, because there are many concepts, either they are not very clear, or they do not know what it is, so I hope to give you some help through the following discussion:

1. breakpoint

The so-called breakpoint isProgramWhere it is interrupted, this word is no longer familiar to the decrypted. So what is interruption? Interruption occurs because of a special event (interruption event). The computer suspends the current task (Program) and executes another task (service interruption program ), then return to the original task to continue the execution. For example, when you were at work, someone suddenly called to tell you that he was taking a train from another place and asked you to pick him up at the train station. Then, you will ask your boss for a temporary leave and rush to the train station to pick up your classmates. Then you will settle in and go back to the company to continue working. This is an interruption process. The decryption process is to wait until the program obtains the entered registration code and prepares to compare it with the correct registration code to interrupt it. Then we can find the correct registration code through the analysis program. Therefore, we need to set a breakpoint for the decrypted program, and track the registration code of the program in the program as appropriate to achieve the crack goal.

2. Airspace

This is a very important concept, but it is often hard for beginners to understand. We are cracking a variety of attacksArticleWe can see the term "airspace". If you don't know where the program's airspace is, you won't be able to enter the door to crack. Maybe you have cracked some software, but it's just that a blind cat has met a dead mouse (I used to be like this ^ _ ^, so I'm sorry for it now !). The so-called program's airspace, to put it bluntly, is the place where the program itself is located, that is, the location where the program code we are going to crack is located. Maybe you will immediately ask: I set the breakpoint when the program is running. Why is it not in the program's own space after the interruption? Because there is no fixed mode for writing each program, we need to interrupt the program when we want to cut into the program, we must not rely on the specific program to set breakpoints, that is, the breakpoint we set should be something that every program will use. In the DOS era, basically all programs work on interrupt programs, that is, almost all DOS Programs call various interruptions to complete tasks.

However, in the Windows era, the program has no right to directly call the interrupt. In Windows, the system provides a system function calling platform (API), which is the same as the DOS program based on the interrupt program, windows programs use APIs as the basis for dealing with systems and various functions. Therefore, the breakpoint settings of software cracking in windwos are based on API functions, that is, when a program calls an API function, it interrupts its normal operation and decrypts it. For example, in SoftICE, set the following breakpoint: BPX getdlgitemtext (get the dialog box text). When the program to be cracked needs to read the input data and call getdlgitemtext, it is immediately intercepted by SoftICE, therefore, the cracked program stays in the getdlgitemtext program area, while getdlgitemtext is in the system area managed by windwos. If we change this part of the program without authorizationCode, Then there is a big disaster. ^_^! Therefore, we need to return from the system area to the location of the cracked Program (that is, the program's airspace) to crack the program. For how to view the program's airspace, see the SoftICE diagram above. Imagine: Where can we find something useful for the program segments that every program calls? (How to encrypt is decided by the program, rather than calling system functions !)

3. API

It is short for application programming interface, which is called an Application Programming Interface in Chinese. It is a large collection of system-defined functions and provides methods to access operating system features. APIS contain functions called by hundreds of applications. These functions perform all required operating system-related operations, such as memory allocation, on-screen output, and window creation, A user's program calls an API to deal with windows. No matter what kind of application, the underlying layer of the user's program eventually implements various functions by calling various API functions. Generally, an API has two basic forms: Win16 and Win32. Win16 is the original API 16-bit version for Windows 3.1. Win32 is the current API 32-bit version for Windows 95/98/NT/ME/2000. Win32 includes Win16, which is a superset of Win16. The names and usage of most functions are the same.

The difference between a 16-bit API function and a 32-bit API function is the last letter. For example, we set a breakpoint: BPX getdlgitemtext, BPX getdlgitemtexta, and BPX getdlgitemtextw, getdlgitemtext is a 16-bit API function, getdlgitemtexta and getdlgitemtextw are 32-bit API functions, while getdlgitemtexta indicates that the function uses a single byte, and getdlgitemtextw indicates that the function uses dubyte. Currently, we often use Win32 single-byte API functions, which are similar to getdlgitemtexta functions. The other two types (Win16 API and Win32 double-byte API functions) are rare. Win32 API functions are included in the dynamic link library (DLLs), that is, in kernel32.dll, user32.dll, gdi32.dll, and comctl32.dll, this is why we need to use commands such as exp = C: \ WINDOWS \ SYSTEM \ kernel32.dll in SoftICE to import these dynamic link libraries into SoftICE. If this is not done, we cannot intercept system Win32 API function calls.

4. How the registration code in the program exists

During the cracking process, we will go to the place where the entered registration code is compared with the correct registration code, and then find the correct registration code through tracking and analysis of the program. But the correct registration code usually exists in two forms in the program: explicit and implicit. For the explicit registration code, we can see it directly in the memory of the program, for example, you can directly see a registration code similar to "297500523" in the SoftICE data window (this is written at will), it is easier to crack the software with the explicit registration code; however, some software programs do not directly compare the entered registration code with the correct registration code, such as converting the registration code into an integer or splitting the registration code, then, we will separate each registration code and compare them one by one in different places, or convert the entered registration code, and then use a special program for verification.

In short, the application uses a variety of complex calculation methods to avoid direct registration code comparison. For such programs, we usually need to carefully track, analyze each program function, find EncryptionAlgorithmAnd then crack it. Of course, this requires a certain level of 8086 assembly programming skills and a lot of patience and energy.

5. Software cracking methods

 

I divided the methods of cracking into two categories, namely, full cracking and brute force cracking. The so-called complete cracking is mainly for software that requires entering the registration code or password. If we can find the correct registration code through tracking the program, the software is successfully registered through the software registration function, which is called a complete cracking. However, if some software itself does not provide the registration function, it only provides a trial (DEMO ), or the registration cannot be performed through the software itself (for example, You need to obtain another dedicated registration program and register through the Internet), or the encryption technology of the software itself is complicated, the software Cracker has limited capabilities, energy, and time, and cannot directly obtain the correct registration code. At this time, we need to modify the program code of the software.

6. Address of the program code in the cracking tutorial

In the cracking tutorial, some program code will be added to help explain the analysis method of the program. For example, the following program code:

......

0167: 00408033 push 00

0167: 00408035 push EBX

0167: 00408036 call [USER32! Enddialog]

0167: 0040803c JMP 0040812c

......

Here, the Code address in the program, such as 0167: 00408033, the code segment value (that is, 0167) may vary depending on different computers, not necessarily the same, but the offset value should be fixed (that is, 00408033 remains unchanged). If you see the address value of the program code in the Cracked article is different from the address value in your computer, do not think it is wrong, as long as your program code is correct, there will be no problem.

7. Questions about how to set breakpoints

Setting breakpoints correctly and appropriately is very important for fast and effective decryption. A good breakpoint setting allows us to quickly find key program segments, improper breakpoint may cause unnecessary energy consumption on decryption, and even cannot intercept the running of the program.

However, it is hard to say when to use any breakpoint, which requires accumulation of experience. In general, BPX hmemcpy, a universal breakpoint, is useful for most software with registration code, for beginners, try this breakpoint more. (I usually use this breakpoint to set it. I am too lazy. ^ _ ^, haha ...).

For software that requires brute-force password cracking, we should usually intercept the dialog box (such as BPX dialogbox) and message box (such as BPX MessageBox (. No matter which type of software, when the breakpoint we set has no effect, but try BPX lockmytask, this breakpoint is used to intercept any button action, for more information about common breakpoint settings, see section "cracking common breakpoint Settings.

In addition, you usually need to enter the user name and registration code to crack the registration code. Generally, the user name and password can be entered at will, but according to my own experience, many software processes the registration code one by one. If you enter the number "78787878, so we can't know which "78" we saw at the time when tracking the program, so I prefer to use a registration code like "12345678, in this way, you can know which digit of the registration code the program is performing operations on. Similarly, for software that requires a long serial number, enter a serial number similar to "12345-67890-abcdef.

However, you need to pay special attention to the following: the registration code input method "12345678" mentioned above is intended to intercept Win32 API functions. if sometimes it is difficult to find a breakthrough in programs to intercept Win32 API functions directly, when we use the "S" command to search for the user name or registration code we entered in the memory, we 'd better not use "12345678" as the registration code, because there may be many "12345678" strings in the memory, we have no way to know which program we are going to crack is "12345678 ", so we should choose a registration code that is not easy to use with the same memory data, such as: 74747474 (I like to use it, meaning: To Die... Hahaha ^_^), the corresponding SEARCH Command is: S 30: 0 l ffffffff'000000 '. Of course, the above is just my personal habits. The specific input form can be determined based on my hobbies and habits, without sticking to a fixed pattern.

8. Questions about how to track programs

 

When beginners start to learn decryption, they often don't know how to track the program, how to find a place where the registration code is compared, and how to feel overwhelmed when facing a long pile of program code. Generally, software programs use a sub-Program (call *********) to verify whether the entered registration code is correct. For programs whose registration code explicitly exists, generally, the entered registration code and the correct registration code are put into the Register, and then the verification subroutine is called to judge and return the result. The application determines whether the registration is successful based on the result returned by the subroutine, such a program often has the following forms:

*****: ********* Mov eax, [***********] (or push eax)

* *****: ********* Mov edX, [**********] (or push edX, etc)

*****: ********** Call ********

*****: ********* Test eax, eax (or test Al, Al, or do not have such a sentence)

*****: *********** Jnz ******** (or JZ)

The memory areas pointed by eax and EDX are the registration code we entered and the correct registration code. The registers eax and EDX here are written at will, or ECX, EBX, EDI, ESI and so on. For programs with an implicit registration code, although the correct registration code cannot be directly seen, the entered Registration Code address is usually first put into a register, and then the subroutine is called for verification, when cracking, you need to go to the subroutine to analyze and register the algorithm. In short, we can see that the subprogram (call ********) is followed by the jump command (jnz ********* or JZ ********) we should be vigilant when using D eax (or EBX, ECx, EDX, EDI, ESI... wait) to see what is hidden in the memory area pointed to by the register.

One thing you should note: You should note that the following function is used in the program, that is, getdlgitenint. The function of this API is to convert the input text to an integer, therefore, this type of program will not display the existing registration code, because the registration code is converted to an integer, the program usually uses CMP ECx, EDX this type of command to verify the correctness of the registration code, here, ECx and EDX are stored in the integer form of the entered registration code and correct registration code. Can we use it now? EDX and? ECX is in decimal format, that is, the input format.

9. Software anti-Installation Problems

We often encounter a problem when using some software, that is, after the Shared Software expires, even if the original program is deleted and re-installed, the program still cannot be used. We still remind you that the trial period has passed, please register; or you have cracked a software, but you still want to study it, but because the software has been registered and there is no registration option, even if you completely delete the program and re-install the software, the result is registered after the program runs.

In this case, the reason is actually very simple, because the program will register or expiration information in the system registry, so simple re-installation of software is useless. The solution is to delete the information related to the Registry by yourself. However, because the registry is the basis of the work of the Windows system, if you are not careful, it may damage the registry and cause system exceptions, therefore, if you are not familiar with the Registry, back up the registry before modification.

You can use the registry management tool "Regedit" in Windows to modify or back up the Registry. One way is to enter "Regedit" under "start-> Run" to start it, you can also click "C: \ WINDOWS \ regedit.exe" to run it. Most applications store their own information in the following path: HKEY_LOCAL_MACHINE \ Software, HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft, HKEY_CURRENT_USER \ Software, HKEY_CURRENT_USER \ Software \ Microsoft or HKEY_USERS \. in default \ Software, the specific place varies according to different programs. As long as the keys related to the application are found in the above order, delete the key values related to the user name and registration code.

10. Questions about cracking exercises

Learning to crack requires a lot of exercises. For the choice of cracking targets, Beginners should not aim at large-sized and well-known software, because these software usually has complicated encryption and is difficult to crack, we recommend that you use small-sized and earlier shared software that is not well-known for practice, because the relatively simple encryption software helps beginners quickly master the ideas and skills of cracking. The source of exercises is extensive. You can download them from the Internet or purchase some shared software CDs on the market.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.