Art 1, 2, 3

Gangyilovevc Column

This is a very simple software Cracking Process for beginners. If you want to learn advanced cracking techniques, You may be disappointed. This article mainly uses brute-force cracking techniques to crack some common software, that is, anti-debugging, encryption, shelling, virtual machines, and other related technologies are not used. The purpose is to describe the simple process of using the software to crack.

The author assumes that the reader is familiar with related knowledge.

1. Understand assembly and understand simple assembly code.

2. Be familiar with at least one debugging tool. Here we use Ollydbg.

4. Know some common terms, such as when to crack and API disconnection.

3. Strong interest in cracking. Recognize the art of cracking, rather than commercial interests (....)

Disclaimer: for the software used in this article, we just use it for practice, just to better learn the art of cracking, without infringing the copyright of the original author and other matters. Declare again.

Next, let's take a step-by-step tour of the brute force attack!

Tutorial object: FeiQ is a local area network communication tool. Here, our version is ver2.4.

First, let's thank Lao Lu for providing us with this powerful software. Why should we have to thank him first, because we are about to perform an operation on his work. Feiqiu has a very dazzling function with QQ. If it is used, it will know that it is used. It will support Lao Lu again.

Begin:

Here we mention the level setting function of feiqiu. Set your profile picture to a very handsome sun. It is very handsome, but it cannot be set. Because old lu .....! An authorization code is required. If you enter an authorization code, the authorization code is incorrect"

Pedal .. Let's go out.

Take out the OD. Because the dialog box is displayed, we will first disconnect MessageBoxA.

(Disconnected. Input bp MessageBoxA under the plug-in)

After the breakpoint is input, go to the user32 module. After the F8 step-by-step execution, go to the pop-up registration failure dialog box and return to the program's airspace to find out what?

...)

(Ps: I don't want to finish it all at once. For many reasons .. Including machines and time (there are machines at home, but they cannot surf the Internet to sweat ...)

Please forgive me

Today, this is because there is no tool, because it is obviously hard to understand for beginners, and it will be added next time,

The first time I wrote such articles, I am sorry for writing them. Don't laugh. Our goals and pursuits are the same ..)

Of course, I also hope you can support it more... It is a waste of writing things that no one supports ...,

Art 2

In the previous article, we forgot that the first step of cracking is to analyze the language in which the target is written and whether the program has been shelled. Here we analyze the usage, and our tool is peid.exe.

Analyze feiqiu. Effect.

 

You can use VC6 ++ to compile Zhifei Qiu without shelling. This is of course the most convenient.

At depends for feiqiu. Let's see what DLL has been imported by feiqiu. Please check it by yourself.

In the previous article, we said that when we break the point to MessageBoxA and return to the application's airspace, we will see the following:

 

After the above pop-up authorization code error dialog box, let's go to JMP. Of course, the registration fails, but we found that the correct authorization code is below feiqiu. So we thought what would happen if we changed the process. It must be changed because it needs to be cracked! But don't take a look at the code first. Analyze the process.

Below are some OD copy code. Integration

Test eax, EAX; TEST eax

Je short FeiQ.0046352A; ZF = 1 Jump

Note that the code at jump statement 00463503 does not jump when the authorization code is entered. Then, execute the following code. The error dialog box is displayed. In order to redirect the code, change je to jne and check the effect. Haha authorization code is correct. Next, look at the Avatar. Wow, there are stars. You are changing the sun. Is it nice?

 

But you have to wait for a while. You have to try and exit feiqiu!

What should I do? What about me?

You quit first and try again... well, I can't bear to see you like this.

. What, my sun is gone?

... Don't hit me. Not me.

Haha. Both software registration and unregistered versions are marked, generally through the registry, configuration files, and other means. Everyone knows this. Feiqiu stores registration information through the configuration file. Open the FeiqCfg. xml file in the directory and find the SerialNo node. The authorization code is saved. (Pay attention to the user level and display level marked after UserDenji and ShowDenji of the other two nodes.) feiqiu will use them when it starts. This is wrong, so our sun is gone. What should we do? If you are smart, you must immediately think that, as long as we find and authorize the code to compare and modify it, that's not enough .... Hey. Good. Looking for a comparison code is what we need to do. Where can I find it? It's hard to be smart!

What are you looking?

.... You are too .. Smart, that's fine. But not professional.

I like it. I will change it every time.

Han. If you want.

Yes. Of course we must be professional. This is not our style.

 

Art 3

Cracking software requires not only solid programming skills, but also flexible and easy-to-think thinking. Butterfly Effect.

In the previous article, we modified a jump to je xxxx statement. Naturally, we can think that the entered authorization code is compared with the correct authorization code. Let's look at the code above je xxxx.

When debugging part of the Copy OD code, you can combine the power of OD and disassembly!

Mov esi, dword ptr ds: [EDI + 64]; The register display is the authorization code we entered.

Mov eax, dword ptr ss: [ESP + C]; The register displays a string that is assumed to be the correct authorization code

Mov dword ptr ss: [ESP + 1C], 0

Mov dl, byte ptr ds: [EAX]; the first character of eax

Mov bl, byte ptr ds: [ESI]; first character of esi

Mov cl, DL; to cl

Cmp dl, BL; Comparison

Jnz short FeiQ.004634FC;

Test cl, CL; end?

Je short FeiQ.004634F8; end hop

Mov dl, byte ptr ds: [EAX + 1]; remove characters

Mov bl, byte ptr ds: [ESI + 1]; remove characters

Mov cl, DL; to cl

Cmp dl, BL; Comparison

Jnz short FeiQ.004634FC;

Add eax, 2; next character address

Add esi, 2; next character address

Test cl, CL

Jnz short FeiQ.004634D4; the typical loop comparison proves that eax is the correct authorization code!

Xor eax, EAX

Jmp short FeiQ.00463501

Sbb eax, EAX

Sbb eax,-1 //

Test eax, EAX //

Je short FeiQ.0046352A; we have modified the Redirect command to compare the result.

 

Finally, we found the authorization code. Let's test it and copy the authorization code to re-register it (run it on an unmodified target)

Sure enough. Exit and open. The sun is already there. Haha.

I am so cool.

But wait a moment. You should try it first... (Interrupted)

What's wrong?

Sorry, you are modifying the level.

"To modify, I registered successfully, and what. Why not? Depend

And beat me again!

Haha makes everyone happy.

Or take the OD breakpoint to mov eax, dword ptr ss: [ESP + C] En? Why can't I find a problem with different level authorization codes? What should we do?

 

If you don't want to think of this question, you can set the level as you enter the authorization code. Why do you still need to find the correct authorization code? Yes, it can be set. But we are looking for a comparison of the authorization code when the program starts. How can we find this? There are many methods

1. You can perform the analysis logic flow in one step. It can be found theoretically, but it is quite difficult.

2. You can speculate the Location Based on the program type, for example, the MFC program can be in APP: InitInstance, CMainFrame: OnCreatezh. And other locations that may be considered initialization.

3. The authorization code is in the file, so the file API can be disconnected. Analysis Programs