Detailed process of cracking multiple verification and removing functional limitations

Source: Internet
Author: User

[Article Title]: [Original] A novice's complete walkthrough of cracking a keyfile check and removing functional limitations
[Author]: Dummies
[Author mailbox]: 369989309@163.com
[Author's QQ number]: 381561450
[Software name]: DSDNC
[Software size]: 3.80 M
[Website]: www.dssoft.com.cn
[Packer]: UPX
[Language]: Microsoft Visual C++ 6.0
[Tools]: OllyICE, PEiD, UPXShell
[Operating platform]: XP SP3
[Author's statement]: I am a newbie. This is the first piece of software I have cracked. Please point out any errors!
--------------------------------------------------------------------------------
[Detailed process]
The software's restrictions are as follows:
Registration restrictions:
1. On opening, the program prompts for registration. Entering an incorrect registration code closes the program directly.
2. After successful registration, a key.ini file is generated and checked on every start. In four cases (the key is about to expire, has expired, is invalid, or cannot be used) a message box pops up and the program exits automatically.
Function restrictions:
1. After successful registration, the settings dialog contains a combo box with only the ten options COM1 to COM10; a friend asked for it to be extended to COM100.
====================

Step 1: Unpacking
Check the packer with PEiD (downloadable from the tool area of the xixue website): it reports UPX.
Unpack with UPXShell (also downloadable from the tool area of the xixue website).
After unpacking, PEiD shows that the software is written in Microsoft Visual C++ 6.0. The EP Section shows .text, and the EntryPoint and File Offset values are the same.
The information is unchanged after a deep scan, which indicates that unpacking succeeded.

Step 2: Dynamic debugging
Load the program in OllyICE (downloadable from the tool area of the xixue website),
right-click and use the plug-in to search all referenced strings.

Four prompts are displayed. Double-click one.
No, here it is:

If the registration code is about to expire, has expired, is invalid, or cannot be used, the program exits automatically in these four cases. If you enter an invalid registration code, however, it exits directly without any prompt. So we only need to find the fifth exit, the one with no prompt.
Double-click it:
Code:
00403B6F |. FF15 30804000    call dword ptr [<&KERNEL32.ExitProcess>] ; \ExitProcess
Copy
Code:
call dword ptr [408030]
and press Ctrl+F to search for it.
Ten locations are found in total. Apart from those four, there are four more of interest.
First look at the last two.
 
Code:
00404000  . E8 25270000      call <jmp.&MFC42.#1168_AfxGetModuleState>
00404005  . 8B48 04          mov ecx, dword ptr [eax+4]
00404008  . E8 09290000      call <jmp.&MFC42.#2652_CCmdTarget::EndWaitCu>
0040400D  . 8D4C24 30        lea ecx, dword ptr [esp+30]
00404011  . C64424 48 02     mov byte ptr [esp+48], 2
00404016  . FF15 FC834000    call dword ptr [<&ncuicore.cmulti1_agetoo>] ; ncuicore.cmulti1_agetool::~cmulti1_agetool
0040401C  . 8D4C24 20        lea ecx, dword ptr [esp+20]
00404020  . C64424 48 01     mov byte ptr [esp+48], 1
00404025  . E8 E6280000      call <jmp.&MFC42.#665_CFile::~CFile>
0040402A  . 8D4C24 0C        lea ecx, dword ptr [esp+C]
0040402E  . C64424 48 00     mov byte ptr [esp+48], 0
00404033  . E8 6E260000      call <jmp.&MFC42.#800_CString::~CString>
00404038  . 8D4C24 14        lea ecx, dword ptr [esp+14]
0040403C  . C74424 48 FFF>   mov dword ptr [esp+48], -1
00404044  . E8 5D260000      call <jmp.&MFC42.#800_CString::~CString>
00404049  . 8B4C24 40        mov ecx, dword ptr [esp+40]
0040404D  . 5F               pop edi
0040404E  . 5E               pop esi
0040404F  . B8 01000000      mov eax, 1
00404054  . 64:890D 00000>   mov dword ptr fs:[0], ecx
0040405B  . 5D               pop ebp
0040405C  . 83C4 40          add esp, 40
0040405F  . C3               retn
00404060  > 6A 00            push 0                                   ; /ExitCode = 0
00404062  . FF15 30804000    call dword ptr [<&KERNEL32.ExitProcess>] ; \ExitProcess
 
This one is similar: there is no conditional check before the exit, so it can't be it.
Let's look at the other four.
 
Code:
00402BC2  . 6A 04            push 4                                   ; /ExitCode = 4
00402BC4  . FF15 30804000    call dword ptr [<&KERNEL32.ExitProcess>] ; \ExitProcess
First, the one with ExitCode = 4 shouldn't be it.
Third and fourth:
Code:
00403852 |. FF15 04804000    call dword ptr [<&ADVAPI32.RegOpenKeyA>] ; \RegOpenKeyA
00403858 |. 85C0             test eax, eax
0040385A |. 74 16            je short 00403872
0040385C |. 6A 00            push 0
0040385E |. 6A 00            push 0
00403860 |. 68 BCC04000      push 0040C0BC                            ; system error!
00403865 |. E8 8E300000      call <jmp.&MFC42.#1200_AfxMessageBox>
0040386A |. 6A 00            push 0                                   ; /ExitCode = 0
0040386C |. FF15 30804000    call dword ptr [<&KERNEL32.ExitProcess>] ; \ExitProcess

These have a check followed by an exit, but the string pushed before the exit is "system error!", so these two are the system-error exit.
That leaves only the second one:
 
Code:
00403767 |. 3BF7             cmp esi, edi
00403769    74 07            je short 00403772
0040376B |. 57               push edi                                 ; /ExitCode
0040376C |. FF15 30804000    call dword ptr [<&KERNEL32.ExitProcess>] ; \ExitProcess
00403772 |> 8D4C24 30        lea ecx, dword ptr [esp+30]

There must be a check before this exit. If I am not mistaken, this check tests whether the registration code is valid; if it is valid, it jumps to 00403772.
This is easy to handle. Double-click
Code:
je short 00403772
and change it to
Code:
jmp short 00403772
then right-click, copy to executable, and save the file.
Run the program and enter a registration code: the software no longer exits automatically. Success~!!
However, a prompt box still appears saying that the registration code is invalid.



Step 3: Solve the problem of key.ini being invalid or expired
Search the referenced strings directly and find the four strings. Double-click the first one:

Code:
je short 00403B75
Change it to

Code:
jmp short 00403B75
The other three are handled the same way.
Open the software again and it runs normally.
Click Settings and you will find a combo box in the settings dialog with only the ten options COM1 to COM10; a friend asked for it to be extended to COM100.
Step 4: Modify the functional limitation
Since there is a limit on the count, the contents of this combo box must be added dynamically, and to add strings dynamically they must be formatted.
Recall that PEiD showed this software was written in Microsoft Visual C++ 6.0,
so the format string should be COM%d.

Find COM%d in the referenced strings and double-click it.
 
Code:
300032E9  8D4C24 18        lea ecx, dword ptr [esp+18]
300032ED  68 1C010230      push 3002011C                            ; ASCII "COM%d"
300032F2  51               push ecx
300032F3  E8 00E10000      call <jmp.&MFC42.#2818_CString::Format>
300032F8  8B5424 20        mov edx, dword ptr [esp+20]
300032FC  8B86 B4010000    mov eax, dword ptr [esi+1B4]
30003302  83C4 0C          add esp, 0C
30003305  52               push edx
30003306  53               push ebx
30003307  68 43010000      push 143
3000330C  50               push eax
3000330D  FFD7             call edi
3000330F  45               inc ebp
30003310  83FD 0A          cmp ebp, 0A
30003313 ^7E D3            jle short 300032E8
 
 
No need to look further: a typical loop body, compared with 0A on each pass; if it is less than 0A it jumps back and continues adding. Change the loop bound 0A to 64.
Run the software again and you can see 100 COM ports.
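Both patches above (je to jmp at 00403769, and the loop bound 0A to 64 at 30003310) are single-byte edits, which is why a lone conditional branch in front of ExitProcess is both easy to defeat and easy to detect. As an added example that is not part of the original post, here is a self-integrity check in Python that fingerprints the protected code regions with SHA-256 and reports exactly which byte changed; the region bytes are constructed stand-ins modelled on the listings, not bytes taken from the real binary.

```python
import hashlib

# Constructed stand-ins for the two regions the write-up patches (modelled on the
# listings above, NOT extracted from the real binary).
LICENSE_CHECK = bytes.fromhex("3BF7" "7407" "57" "FF1530804000")  # cmp esi,edi / je +7 / push edi / call [ExitProcess]
COM_LOOP = bytes.fromhex("83FD0A" "7ED3")                         # cmp ebp,0A / jle -2D

REGIONS = {"license_check": LICENSE_CHECK, "com_loop": COM_LOOP}
# In a shipped build these digests are computed once at build time and stored away
# from the code they cover; here they are derived from the constructed originals.
GOLDEN = {name: hashlib.sha256(code).hexdigest() for name, code in REGIONS.items()}

# Short conditional jumps (opcode 0x70-0x7F) that a one-byte edit turns into jmp short (0xEB).
JCC_SHORT = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def apply_patch(code: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Return a copy of `code` with `new_bytes` written at `offset` (simulates the hex edit)."""
    return code[:offset] + new_bytes + code[offset + len(new_bytes):]


def tampered_regions(current: dict) -> list:
    """Names of regions whose current bytes no longer match the stored golden digest."""
    return [name for name, code in current.items()
            if hashlib.sha256(code).hexdigest() != GOLDEN[name]]


def explain_diff(original: bytes, current: bytes) -> list:
    """List each changed byte; flag the classic 'conditional jump made unconditional' edit."""
    findings = []
    for off, (a, b) in enumerate(zip(original, current)):
        if a == b:
            continue
        if a in JCC_SHORT and b == 0xEB:
            findings.append((off, f"{JCC_SHORT[a]} -> jmp (check bypassed)"))
        else:
            findings.append((off, f"0x{a:02X} -> 0x{b:02X}"))
    return findings


if __name__ == "__main__":
    # Simulate the two edits from the write-up and let the check describe them.
    cracked = {"license_check": apply_patch(LICENSE_CHECK, 2, b"\xEB"),  # je -> jmp
               "com_loop": apply_patch(COM_LOOP, 2, b"\x64")}           # 0A -> 64
    for name in tampered_regions(cracked):
        print(name, explain_diff(REGIONS[name], cracked[name]))
```

A real build would map `REGIONS` onto the live code pages and keep the digests out of the patched binary's easy reach; the byte-level diff is what tells you whether a mismatch is a bypassed branch or a changed constant.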
 
Done.~
By the way, how do I become a full member?
 
--------------------------------------------------------------------------------
[Experience Summary]
Thanks to my friend hyp, who found the functional limitation. Thank you very much.
