First, check whether the program was compiled with Easy Language. The confirmation method is as follows:
1. PEiD reports VC++ 6.0 and the entry point (OEP) is 3831
2. Searching the strings turns up two Easy Language support libraries (one of which is the krnln library)
3. There is an .ecode section (not always present)
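As an added triage helper (not part of the original tutorial), the following Python applies the static hints above to a file on disk: it walks the PE section table looking for an .ecode section and checks whether the krnln library name is embedded. The PE-shaped sample it examines is constructed inline, and the file name krnln.fnr used in that sample is an assumption.

```python
import struct

# Constructed sample: a headers-only PE-shaped byte string, not a real binary.
def build_sample_pe(section_names, trailing=b""):
    """Build a minimal MZ/PE header with the given section table (headers only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # e_lfanew sits at 0x3C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections + trailing

def pe_section_names(data):
    """Walk the section table; return [] for anything that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section headers follow the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes, name in the first 8
        if off + 40 > len(data):
            break  # truncated table: report only what was actually present
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def easy_language_indicators(data):
    """Apply the two static hints from the text: an .ecode section and the krnln name."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "ecode_section": any(n.lower() == ".ecode" for n in names),
        "krnln_reference": b"krnln" in data.lower(),
    }

def looks_like_easy_language(data):
    """True when either hint fires; treat as a triage hint, not proof."""
    ind = easy_language_indicators(data)
    return ind["ecode_section"] or ind["krnln_reference"]

if __name__ == "__main__":
    sample = build_sample_pe([".text", ".ecode", ".data"], b"\0krnln.fnr\0")
    print(easy_language_indicators(sample))
```

For a real file, pass the result of `open(path, "rb").read()` to `easy_language_indicators`.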
After confirming that the program was compiled with Easy Language, the cracking methods are:
1. Ecode method (used when the program has an .ecode section):
Load the target program in OD, run it with F9, press Alt + E to open the Module window, find the krnln module and right-click it; a menu appears.
Click View memory, find the ECODE segment, set a breakpoint on the ECODE segment with F2, then enter any registration code and click Register.
OD breaks on the button event.
One F8 step from there lands in the cracking core. At this point you can also search for strings to locate the cracking core directly.
2. Tool-assisted method
Start E-Debug Events, open the target program, enter any registration code and click Register. (If the button event is not captured, change the compilation-method setting in E-Debug Events.)
The button event address 0040A0BD is the same one found with the Ecode method. One F8 step from there lands in the cracking core. At this point you can also search for strings to locate the cracking core directly.
3. Pattern search (script)
This Easy Language search method also works on packed programs; other programs must be unpacked before continuing.
After loading in OD, run the program with F9. Once it is running, Alt + E opens the Module window;
select krnln, the Easy Language core library, and double-click it.
Then Ctrl + B to search for the bytes FF 55 FC.
This CALL is found; set a breakpoint on it with F2, enter the required content, and click the corresponding button.
The program breaks. Step into the button event with F7.
Alternatively, write the following script, save it as a text file, and run it.
gpa "GetProcessHeap", "kernel32.dll"
cmp $RESULT, 0
je err
bp $RESULT
run
run
run
bc $RESULT
rtu
find 10001000, #FF55FC5F5E895D??8945#
bp $RESULT
find eip, #FFE0#
cmp $RESULT, 0
je err
bp $RESULT
run
bc $RESULT
sto
msg "The event search is complete!"
ret
err:
msg "Script running error! Check the error before running the script!"
ret
4. API breakpoint method (used when the program shows a registration dialog box)
The registration dialog APIs are generally MessageBoxA, MessageBoxW, MessageBoxExA and MessageBoxExW. Enter BP MessageBoxExA in the command line; the break looks as follows:
The stack window shows the return address into the program's own code. Click the Disassembly window, press Ctrl + G, and enter that return address, for example 0040A292:
Right-click and choose Super String Reference from the pop-up menu (this function needs a plug-in to be loaded). The search result is as follows:
You can directly locate the cracking core and analyze it.
5. Find the fixed string (\\.\physicaldrive0)
Load the program in OD, run it with F9, then Alt + E to open the Module window and double-click the krnln module. Search for strings in the Disassembly window, find \\.\physicaldrive0, double-click it and set a breakpoint on that line. Reload the program and run it with F9; the program breaks. Then step with F8 (this takes a little patience) until you are back in the program's own code, and search for strings there to locate the cracking core directly.