Detailed description of brute force cracking principles in cracking technology

Comments: Do not mention the three stages of learning to crack: Elementary, modifying programs, using ultraedit and other tools to modify the exe file, known as brute force cracking, or brute force cracking. Intermediate: gets the registration code of the software. Advanced: Write the registration machine. Let's talk about this brute-force cracking. The so-called brute-force cracking refers to modifying the source file of an executable file to achieve the corresponding goal. Do not mention the three stages of learning to crack: Elementary, modifying the program, using ultraedit and other tools to modify the exe file, known as brute force cracking, or brute force cracking. Intermediate: gets the registration code of the software. Advanced: Write the registration machine. Let's talk about this brute-force cracking. The so-called brute-force cracking refers to modifying the source file of an executable file to achieve the corresponding goal. You don't understand? For example, if a shared software is used to compare the registration code entered by the user) if the calculated registration code is equal (that is, the user entered the correct registration code), it will jump to the place where the registration is successful, otherwise it will jump to the place where the error occurs. Come on, let's see. We just need to find this jump command and change it to the "shape" we need. In this way, can we do what we want? There are two common modification methods. I will give you an example: No. 1 is registered in a software program in this way: 00451239 CALL 00405E02 (key CALL, used to determine whether the user entered the correct registration code) 0045123D JZ 004572E6 (!!! <-- This is the key jump. If the entered registration code is correct, it will jump to the successful place, that is, at 004572E6) 0045 XXXX yyyyyyyyyyyyyyxxxx yyyyyyyyyyyyyyyyyyyyxxxx to execute here, the user registration fails .. prompt the user's registration code is incorrect and other related information... 004572E6... <-- (registration successful !!!)... Prompt the user to register successfully and other related information. Are you sure you understand? If not, let me tell you something. When the software is executed at 00451239, the CALL is set to 0045E02 for registration code judgment. Then, a jump statement will be provided, that is, if the user entered the correct registration code, it will jump to the 004572E6 place, jump here, even if the registration is successful. If the registration code entered by the user is incorrect, the user will not jump to 0045123D, but will continue to execute. Wait for it below, which is the registration failure part. Do you understand? Hey hey... Yes, we only need to change the key jump to JZ to JNZ (if the user entered the registration code is incorrect, the registration is successful, and if the input is correct, the registration fails ). Of course, you can also change JNZ to Jmp. In this case, the registration code you entered is correct or not. Can be registered successfully. No. 2 let's talk about another situation: 00451239 CALL 00405E02 (key CALL, used to determine whether the user entered the registration code is correct) 0045123D JNZ 004572E6 (!!! <-- This is the key jump. If the entered registration code is incorrect, it will jump to the failed place, that is, at 004572E6) 0045 XXXX yyyyyyyyyyyyyyxxxxxx yyyyyyyyyyyyyyyyyyyyyyxxxx to execute here, prompt that the user registration is successful... prompt the user to register successfully and other related information... 004572E6... <-- (registration failed !!!)... Prompts that the user's registration code is incorrect. You must see the difference with the first case. That's right! It is different from the first one, that is, if the registration code is correct, it will jump to the registration successful place. If it does not jump, It will be executed to the failed place. In this case, if the registration code is incorrect, the registration fails. Otherwise, the registration is successful. In this case, in addition to changing JNZ to JZ, you can also change it to Nop. The Nop command does not make any sense. After you change this command to Nop, you can enter the registration code at will for registration. The principle has been explained to you. Next let's talk about the specific modification method. First, let's talk about the conversion of virtual addresses and offsets. The Address values displayed under SoftICE and W32Dasm are the so-called memory offset or Virual Address (VA ). In hexadecimal tools, the addresses displayed in Hiew and Hex Workshop are File addresses, which are called File offset or RAW offset ). So when we want to use the hexadecimal tools to modify the corresponding commands in the executable File, we need to first find its File offset. We do not need to use specialized conversion tools. This function is available in W32Dasm. For example, you came to 0045123D in W32Dasm, the virtual address and offset address of the command are displayed in the status bar at the bottom of the W32Dasm interface, that is, the 0005063Dh following @: 0045123D @ offset 0005063Dh is the corresponding offset address. After we get the address, we can use UltraEdit and other hexadecimal tools to modify the executable file. For example, if UltraEdit is used, you first open the executable file with UltraEdit, press Ctrl G, and enter the offset address you get to the corresponding machine code. Let's talk about the machine code, the so-called machine code. The hexadecimal data you see. Are they one-to-one correspondence with assembly instructions? The following items are used for blasting. If you are interested, you can view the relevant information: JZ = 74; JNZ = 75; JMP = EB; when Nop = 90 is cracked, you only need to modify the above machine code. For example, in the first case, you can change 74 to EB and change JZ to JMP. In the second case, you need to change 75 to 90, and change JNZ to Nop. What you need to understand is the theory of brute-force cracking. Brute-force cracking is just the beginning of Crack learning. It is a simple method. You can play when you get started, but I hope you don't stop it! In fact, it is not so difficult to find a registration code. I mean when you are not very specific to the software, you don't have to worry about it. Didn't we mention the key CALL when talking about brute-force cracking? In general, this key CALL is two registration codes (one is the correct registration code calculated by the software itself through your registration name or machine or something, and the other is the wrong registration code you entered). As I mentioned earlier, the data used in the CALL operation is usually put in one place, and the previously put data is retrieved from the called before for corresponding processing. The same is true for this key CALL. Before a CALL, the two registration codes are usually put in the stack or a register. Hey, we only need to execute the CALL in a single step in the debugger. Before we get in, we can use the command before the CALL to determine where the correct and incorrect registration codes are put. Then you can use the corresponding command to view it. As I said, it is not difficult. The following lists the two most common cases: no.1 mov eax [] here can be the address or another register mov edx, this command can also be pop edx call 00 ?????? The key call test eax jz (jnz) or jne (je) key jump is clear. Before the key CALL, the software will put the two registration codes into eax and edx respectively, you only need to place d eax or d edx at the CALL to see the correct registration code. No. 2 mov eax [] can be an address or another register mov edx []. This command can also be pop edx call 00 ?????? Key call jne (je) key jump the two situations above are the most common, and we will not mention them here. In the next chapter, I will introduce you to the related methods... for the part about finding the software registration code, this is here. For more information, see the next chapter. (Didn't you say that? Why should I lose your bricks?) Finally, let's talk about the last so-called advanced stage, if you believe in yourself. And love Crack, then you will definitely survive this stage, but time varies from person to person. In fact, there are a lot of skills in analyzing software algorithms. Well, at least I was confused at the very beginning. So many calls, each of which seems to be very important, are all pursued? As a result, many apis were chased. After you have carefully analyzed a software algorithm and written a register machine. You will understand the truth.