Let's first check the equipment the job requires:
(1) Soft-ICE For Windows95/98 v4.05
The best software for dynamic tracing. Even though TRW exists, I still love it and call it my brother.
(2) URSoft W32Dasm v8.93
The best static analysis tool for cracking software. IDA is too professional, and I don't need it.
(3) R!SC's Process Patcher v1.5.1
Memory patching software, which I will talk about below.
(4) UltraEdit-32 v7.2
Used to modify files. An old brand that the experts use (I'm no master myself).
(5) FileInfo v2.4
I often use it to see what a file has been encrypted or packed with!
(6) A bottle of Pepsi
No need to say more about this one. It's refreshing, but I'm afraid I won't be able to have children in the future!
My machine configuration: Celeron 400 (Slot 1), 128 MB HY (PC-100), Trident 9880 (8 MB),
FireBall 10G, Acer 40X CD, Creative VIBRA128, Motorola 56K Modem, Daytek 17"
Take a sip of cola and shout, "I have it, I can do it". Enter the familiar SIW and step onto our work platform, Windows 98. Don't think my desktop is messy; heh heh, my desktop has only two icons. System resources: 98% free, amazing! What, you only have 80%? Forget it. If you don't optimize your system, or your desktop is messy, I suggest you learn how to optimize the system first! A good Cracker should be very familiar with his own work platform!
Back to the topic, and another sip of cola. Use FileInfo to check whether the executable is encrypted. Fortunately it isn't, which saves me a lot of time; worth celebrating. Since there is no encryption, it's time to bring out our veteran tool W32Dasm and load the file. Fine, how kind; I'm lucky today. Let me have another sip... after a long wait (3 minutes) the program's code is laid out clearly in front of me! Run CCED to check the encryption method. Ah, an error: what is this "Invalid Address call"? Zhu Chongjun can't be that idiotic. It seems my Soft-ICE has a problem. Alas, why does every piece of software nowadays defend against you? My poor Soft-ICE, so that others wouldn't find you I have already covered your body in patches... Now there are only two ways forward: find the anti-tracing code, or use FrogsICE (Hey, dude, is there a third way? Yes: delete your CCED, turn off your computer and go to bed!). Alas, who made me love difficulties and challenges, heading into the mountains knowing there are tigers there! Here I intercepted it on CreateFileA. It seems it got caught again because I was lucky. Haha, this is how I found my brother. Don't make me K you.
* Possible StringData Ref from Data Obj ->"\\.\SICE"
|
:00530B99 68A4226100      push 006122A4
:00530B9E FF15D87E6200    Call KERNEL32.CreateFileA
:00530BA4 8945FC          mov dword ptr [ebp-04], eax
:00530BA7 837DFCFF        cmp dword ptr [ebp-04], FFFFFFFF
:00530BAB 7411            je 00530BBE
:00530BAD 8B45FC          mov eax, dword ptr [ebp-04]
:00530BB0 50              push eax
:00530BB1 FF15E47E6200    Call KERNEL32.CloseHandle
:00530BB7 B801000000      mov eax, 00000001
:00530BBC EB39            jmp 00530BF7
:00530BBE 6A00            push 00000000
:00530BC0 6880000000      push 00000080
:00530BC5 6A03            push 00000003
:00530BC7 6A00            push 00000000
:00530BC9 6A03            push 00000003
:00530BCB 68000000C0      push C0000000
* Possible StringData Ref from Data Obj ->"\\.\NTICE"
|
:00530BD0 68B0226100      push 006122B0
:00530BD5 FF15D87E6200    Call KERNEL32.CreateFileA
:00530BDB 8945FC          mov dword ptr [ebp-04], eax
:00530BDE 837DFCFF        cmp dword ptr [ebp-04], FFFFFFFF
:00530BE2 7411            je 00530BF5
:00530BE4 8B4DFC          mov ecx, dword ptr [ebp-04]
:00530BE7 51              push ecx
:00530BE8 FF15E47E6200    Call KERNEL32.CloseHandle
:00530BEE B802000000      mov eax, 00000002
:00530BF3 EB02            jmp 00530BF7
:00530BF5 33C0            xor eax, eax
:00530BF7 8BE5            mov esp, ebp
:00530BF9 5D              pop ebp
:00530BFA C3              ret
Have you seen it? The code above is a method of looking for Soft-ICE that works both under 98 and under NT: it tries to open the driver device "\\.\SICE" (returning 1 if it succeeds) and then "\\.\NTICE" (returning 2), and returns 0 only if neither exists. Now let me perform a small operation on it: change the code at 530BAB so the jump goes the other way. Have you guessed where it jumps to?
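As an added example (not code from the original post or from CCED), here are the same two device names seen from the analyst's side: a triage scan that flags an executable image containing them, which is how a reviewer recognises this kind of SoftICE probe from the string table alone. The function names, the AD_* flags and the sample bytes are this example's own; the device names and the listing addresses in the comments come from the disassembly above.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from the original post or from CCED: a triage
 * check for the SoftICE device names the listing above passes to
 * CreateFileA ("\\.\SICE" for Windows 9x, "\\.\NTICE" for NT). Finding
 * them in an executable's data is a classic sign that it probes for a
 * debugger. Executables contain NUL bytes, so the scan is length-based
 * rather than strstr-based. Function and flag names are this example's own. */

#define AD_SICE  0x1   /* "\\.\SICE"  present */
#define AD_NTICE 0x2   /* "\\.\NTICE" present */

/* Return nonzero if needle (nlen bytes) occurs anywhere in hay (hlen bytes). */
static int contains_bytes(const unsigned char *hay, size_t hlen,
                          const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Scan a raw file image and return a bitmask of AD_* flags. */
int scan_softice_indicators(const unsigned char *image, size_t len)
{
    static const struct { const char *s; int flag; } indicators[] = {
        { "\\\\.\\SICE",  AD_SICE  },   /* device name pushed at 00530B99 */
        { "\\\\.\\NTICE", AD_NTICE },   /* device name pushed at 00530BD0 */
    };
    int flags = 0;
    for (size_t i = 0; i < sizeof indicators / sizeof indicators[0]; i++)
        if (contains_bytes(image, len, indicators[i].s, strlen(indicators[i].s)))
            flags |= indicators[i].flag;
    return flags;
}

/* Constructed sample: a few bytes of fake code, NUL separators, and the two
 * device-name strings, standing in for a file image (not real CCED data). */
static const unsigned char sample_image[] =
    "\x55\x8b\xec\x00\x00" "\\\\.\\SICE" "\x00\x00" "\\\\.\\NTICE" "\x00\xc3";

int scan_sample_image(void)
{
    /* sizeof - 1 drops the terminating NUL the string literal adds. */
    return scan_softice_indicators(sample_image, sizeof sample_image - 1);
}
```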
Well, I have cleared a huge stumbling block. A good drink of cola to reward myself! The next step is to turn it into a registered version. But where should we start? A software's dialog box usually contains registration information, and CCED is no exception: "unregistered or not registered".
Find the breakthrough: use W32Dasm to find this string, locate it at 407E21, and see that it is jumped to from 407DCC. Okay, let's take a look at this code:
* Possible StringData Ref from Data Obj ->"Authorization result :"
|
:00407DB4 6868875F00        push 005F8768
:00407DB9 8D4DF0            lea ecx, dword ptr [ebp-10]
:00407DBC E841CF1700        call 00584D02
:00407DC1 C645FC03          mov [ebp-04], 03
:00407DC5 833D981F620001    cmp dword ptr [00621F98], 00000001
:00407DCC 7E53              jle 00407E21
:00407DCE A164236200        mov eax, dword ptr [00622364]
:00407DD3 2500000800        and eax, 00080000
:00407DD8 85C0              test eax, eax
:00407DDA 7536              jne 00407E12
* Possible StringData Ref from Data Obj ->"the encrypted disk is identified successfully. Software id ="
|
:00407DDC 6874875F00        push 005F8774
:00407DE1 8D4DF0            lea ecx, dword ptr [ebp-10]
:00407DE4 E849D21700        call 00585032
:00407DE9 6A10              push 00000010
:00407DEB 8D8DCCFEFFFF      lea ecx, dword ptr [ebp+FFFFFECC]
:00407DF1 51                push ecx
:00407DF2 8B1564236200      mov edx, dword ptr [00622364]
:00407DF8 52                push edx
:00407DF9 E8C28C1600        call 00570AC0
:00407DFE 83C40C            add esp, 0000000C
:00407E01 8D85CCFEFFFF      lea eax, dword ptr [ebp+FFFFFECC]
:00407E07 50                push eax
:00407E08 8D4DF0            lea ecx, dword ptr [ebp-10]
:00407E0B E822D21700        call 00585032
:00407E10 EB0D              jmp 00407E1F
* Possible StringData Ref from Data Obj ->"registration successful"
|
:00407E12 6890875F00        push 005F8790
:00407E17 8D4DF0            lea ecx, dword ptr [ebp-10]
:00407E1A E813D21700        call 00585032
:00407E1F EB0D              jmp 00407E2E
* Possible StringData Ref from Data Obj ->"unregistered or not registered"
|
:00407E21 689C875F00        push 005F879C
:00407E26 8D4DF0            lea ecx, dword ptr [ebp-10]
:00407E29 E804D21700        call 00585032
Have you seen it? The key instruction is the comparison at 407DC5: if the value at 621F98 is less than or equal to 1, nothing good happens, you land at the "unregistered" message; the jump at 407DDA then decides whether you were authorized by registration code or by encrypted disk. Registration code or encrypted disk is a matter of personal preference! I chose the registration-code method. First I called up Soft-ICE and set BPM 621F98 W, then used BD to disable the breakpoint, went into the software's "Electronic Registration", entered the registration code "8888888888", confirmed and exited. Then I called up Soft-ICE, used BE to enable the breakpoint, and ran CCED2000 again. It stops at this instruction:
:004056E3 C7811804000000000000  mov dword ptr [ebx+00000418], 00000000
After that the software never writes to this address again. It seems I only need to work on this one instruction! Since less than or equal to 1 is wrong, I replace the 0 with 2. Change the instruction above to:
:004056E3 C7811804000002000000  mov dword ptr [ebx+00000418], 00000002
What's the result? Heh, I don't need to say it, everyone knows! (I want a drink of cola.) But obviously this instruction is not where the registration code is really checked; it only initializes the registration global variable. The real check is still further on, but today I don't want to write out everything, otherwise there would be no point to this guide. It's better to tell you how to change it! In fact, the above method is not perfect. If you are a real Cracker, you should study it further.
Next, of course, the change is made to the code in the file. Then the program prompts: "Error: the CCED2000 executable has been illegally modified. Check for viruses and reinstall the software!" So this software has a self-protection function. I like it! Use bpx MessageBoxA to intercept the message box; you can quickly find the following code. Change the conditional jump at 405F49 to JMP!
:00405F3F 668B8455E0FEFFFF  mov ax, word ptr [ebp+2*edx-00000120]
:00405F47 3BC8              cmp ecx, eax
:00405F49 7433              je 00405F7E
How about running it again? That saves more than 60 yuan. Have a cola on me! Ah? It's already the small hours; I'd better finish my cola.