Text and figures: laoxuetong
Brute-force cracking ("blasting", i.e. patching the check rather than deriving a key): veterans and newcomers alike do it, and in most cases it is a last resort. The reason is that some software authors use complicated verification algorithms that are hard to recover and sometimes hard even to understand. In that situation it is wise to turn to brute force. I have already covered brute-force patching itself in the article "Blasting, Blasting Analysis and Blasting Methods", so I will not repeat it here. In this article we only want to discuss, through several examples, the problem of doing a brute-force patch perfectly, and the way of analysing and thinking about it.
A so-called perfect brute-force patch requires that the modified shareware behave like a registered copy: no function is limited at run time, and visually it gives the same pleasant, "registered" impression as a genuinely registered copy.
To achieve this, three issues have to be considered: first, the registration nag screen (if any) shown at start-up must be removed; second, the functional limitations enforced by the registration check must be analysed; third, the registration information must be displayed the way it would be when registration is correct.
On the surface these problems are not hard to solve, but in practice it is not easy to locate the corresponding positions in the code accurately, let alone do it "perfectly". Careful and patient observation and analysis, testing each function of the software, and tracing in OllyDbg (OD) along the way will provide us with plenty of material to reflect on. As long as you reflect on that material, finding a breakthrough is not difficult. Let us discuss it with an example.
[Example 1] Active WebCam
Active WebCam is video-monitoring software with several registration editions, and its functions differ greatly depending on the edition. It can be used for personal recording, home anti-theft monitoring, and remote security monitoring of banks and roads.
Careful tracing of the software shows that the registration code consists of 16 hexadecimal digits, and at run time each pair of digits is combined into one byte. The verification algorithm, however, is very troublesome: the code is very long and uses a large number of arrays for data exchange. These arrays are of DWORD type and each has 256 entries. What is worse, the algorithm is irreversible and does not belong to the explicit code-comparison type, so writing a key generator would mean guessing at an algorithm whose structure is unknown. Brute force therefore becomes the first choice.
For brute force we do not need to trace and analyse the algorithm itself; what matters is the judgment made after the computation. Following that idea, we find the main code for the computation and judgment below.
005AD260 mov eax, dword ptr ss: [EBP-10]; pointing to name
005AD263 CALL WebCam.0040413C; Length
005AD268 push eax; save Length
005AD269 lea eax, dword ptr ss: [EBP-10]
005AD26C CALL WebCam.0040450C; Conversion
005AD271 POP EDX
005AD272 CALL WebCam.004612CC; Name conversion
005AD277 mov ebx, EAX; conversion result E92A1C01
The above prepares for the verification. The part that follows is the core and can be divided into five sections. Observe what happens at each function call while tracing.
Section 1:
005AD279 mov eax, WebCam.005AD454; ASCII "Active WebCam"
005AD27E CALL WebCam.00404300
005AD283 mov edx, 0D
005AD288 CALL WebCam.004612CC; obtain a fixed value by applying the same calculation to the preceding string
005AD28D mov dword ptr ss: [EBP-20], EAX; fixed value 6BEA18E3
Applying the name transformation to the string "Active WebCam" gives the value 6BEA18E3. This value is fixed.
005AD290 PUSH 0;/Arg1 = 00000000
005AD292 lea edx, dword ptr ss: [EBP-20]; |
005AD295 lea eax, dword ptr ss: [EBP-1B4]; |
005AD29B mov ecx, 4; |
005AD2A0 CALL WebCam.004D9B84; the calculation here is remarkable
Although the computation is elaborate, its result is clear: a fixed array V1 is obtained: [garbled], [garbled], 0x39BBFBD5, [garbled], 0x84F87D4A, 0x20c000082 [sic], 0x7B05FE67, 0x67806E12, 0x72b4dac, [garbled], 0x93F014D5, 0x2F40D8EB, 0x9EFB2478, 0x561367F4, 0x6E7E6413, 0x0000000A, 0x00000000, 0x00000002, 0x0000000C, 0x00000012, 0x00000018, 0x00000001, 0x00000018, 0x00000011, 0x00000017, 0x0000001A, 0x00000003, 0x00000008, 0x00000018, 0x0000000D, 0x0000001F. The array falls into two parts: the first part is data, and the last part is an index.
005AD2A5 lea ecx, dword ptr ss: [EBP-8]
005AD2A8 lea edx, dword ptr ss: [EBP-19]
005AD2AB lea eax, dword ptr ss: [EBP-1B4]
005AD2B1 CALL WebCam.004DA424; process the result of the registration-code conversion
005AD2B6 cmp ebx, dword ptr ss: [EBP-8]; compare the name transformation result with 0x652796E5
005AD2B9 jnz short WebCam.005AD2CF
If the two values differ, the jump is taken to the next section. If they are equal, the flags below are set and none of the remaining calculations and judgments are performed.
005AD2BB mov byte ptr ss: [EBP-11], 1
005AD2BF mov eax, dword ptr ds: [6867E8]
005AD2C4 mov dword ptr ds: [EAX], 1
005AD2CA JMP WebCam.005AD41F
Section 2: Look closely. The calculation in each of the following sections is the same as in Section 1; the only difference is the fixed string that takes part in the calculation.
005AD2CF mov eax, WebCam.005AD46C; ASCII "Active WebCam Pro"
005AD2D4 CALL WebCam.00404300
005AD2D9 mov edx, 11
005AD2DE CALL WebCam.004612CC
005AD2E3 mov dword ptr ss: [EBP-20], EAX
005AD2E6 PUSH 0;/Arg1 = 00000000
005AD2E8 lea edx, dword ptr ss: [EBP-20]; |
005AD2EB lea eax, dword ptr ss: [EBP-1B4]; |
005AD2F1 mov ecx, 4; |
005AD2F6 CALL WebCam.004D9B84; WebCam.004D9B84
005AD2FB lea ecx, dword ptr ss: [EBP-8]
005AD2FE lea edx, dword ptr ss: [EBP-19]
005AD301 lea eax, dword ptr ss: [EBP-1B4]
005AD307 CALL WebCam.004DA424
005AD30C cmp ebx, dword ptr ss: [EBP-8]
005AD30F jnz short WebCam.005AD325
Judgment 2: the same as described in Section 1.
005AD311 mov byte ptr ss: [EBP-11], 1
005AD315 mov eax, dword ptr ds: [6867E8]
005AD31A mov dword ptr ds: [EAX], 2
005AD320 JMP WebCam.005AD41F
Section 3:
005AD325 mov eax, WebCam.005AD488; ASCII "Active WebCam Dx"
005AD32A CALL WebCam.00404300
005AD32F mov edx, 10
005AD334 CALL WebCam.004612CC
005AD339 mov dword ptr ss: [EBP-20], EAX
005AD33C PUSH 0;/Arg1 = 00000000
005AD33E lea edx, dword ptr ss: [EBP-20]; |
005AD341 lea eax, dword ptr ss: [EBP-1B4]; |
005AD347 mov ecx, 4; |
005AD34C CALL WebCam.004D9B84; WebCam.004D9B84
005AD351 lea ecx, dword ptr ss: [EBP-8]
005AD354 lea edx, dword ptr ss: [EBP-19]
005AD357 lea eax, dword ptr ss: [EBP-1B4]
005AD35D CALL WebCam.004DA424
005AD362 cmp ebx, dword ptr ss: [EBP-8]
005AD365 jnz short WebCam.005AD37B
Judgment 3: the same as described in Section 1.
005AD367 mov byte ptr ss: [EBP-11], 1
005AD36B mov eax, dword ptr ds: [6867E8]
005AD370 mov dword ptr ds: [EAX], 3
005AD376 JMP WebCam.005AD41F
Section 4:
005AD37B mov eax, WebCam.005AD4A4; ASCII "Active WebCam St"
005AD380 CALL WebCam.00404300
005AD385 mov edx, 10
005AD38A CALL WebCam.004612CC
005AD38F mov dword ptr ss: [EBP-20], EAX
005AD392 PUSH 0;/Arg1 = 00000000
005AD394 lea edx, dword ptr ss: [EBP-20]; |
005AD397 lea eax, dword ptr ss: [EBP-1B4]; |
005AD39D mov ecx, 4; |
005AD3A2 CALL WebCam.004D9B84; WebCam.004D9B84
005AD3A7 lea ecx, dword ptr ss: [EBP-8]
005AD3AA lea edx, dword ptr ss: [EBP-19]
005AD3AD lea eax, dword ptr ss: [EBP-1B4]
005AD3B3 CALL WebCam.004DA424
005AD3B8 cmp ebx, dword ptr ss: [EBP-8]
005AD3BB jnz short WebCam.005AD3CE
Judgment 4: the same as described in Section 1.
005AD3BD mov byte ptr ss: [EBP-11], 1
005AD3C1 mov eax, dword ptr ds: [6867E8]
005AD3C6 mov dword ptr ds: [EAX], 4
005AD3CC jmp short WebCam.005AD41F
Section 5:
005AD3CE mov eax, WebCam.005AD4C0; ASCII "Active WebCam Wr"
005AD3D3 CALL WebCam.00404300
005AD3D8 mov edx, 10
005AD3DD CALL WebCam.004612CC
005AD3E2 mov dword ptr ss: [EBP-20], EAX
005AD3E5 PUSH 0;/Arg1 = 00000000
005AD3E7 lea edx, dword ptr ss: [EBP-20]; |
005AD3EA lea eax, dword ptr ss: [EBP-1B4]; |
005AD3F0 mov ecx, 4; |
005AD3F5 CALL WebCam.004D9B84; WebCam.004D9B84
005AD3FA lea ecx, dword ptr ss: [EBP-8]
005AD3FD lea edx, dword ptr ss: [EBP-19]
005AD400 lea eax, dword ptr ss: [EBP-1B4]
005AD406 CALL WebCam.004DA424
005AD40B cmp ebx, dword ptr ss: [EBP-8]
005AD40E jnz short WebCam.005AD41F
Judgment 5: the same as described in Section 1.
005AD410 mov byte ptr ss: [EBP-11], 1
005AD414 mov eax, dword ptr ds: [6867E8]
005AD419 mov dword ptr ds: [EAX], 5
Whichever path is taken, all of the code above exits here.
005AD41F xor eax, EAX
005AD421 POP EDX
005AD422 POP ECX
005AD423 POP ECX
005AD424 mov dword ptr fs: [EAX], EDX
005AD427 PUSH WebCam.005AD441
005AD42C lea eax, dword ptr ss: [EBP-10]
005AD42F mov edx, 2
005AD434 CALL WebCam.00403EE4
005AD439 RETN
Look closely at the structure of the code: each section contains the following snippet (with the last operand running from 1 to 5):
mov byte ptr ss: [EBP-11], 1
mov eax, dword ptr ds: [6867E8]
mov dword ptr ds: [EAX], 5
These can be regarded as two important flags. [EBP-11] is a local variable holding the registered flag (0 or 1); [6867E8] is a global (the code loads it into EAX and writes through it) holding the registered-edition flag, whose value is 1 to 5. It is easy to see that the address of the global variable is fixed, so the "search for all constants" method can be used to find every place the flag is consulted, which in turn determines the solution.
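To make the shape of the five sections and the two flags concrete, here is an added C model of the check. It is not Active WebCam's code: the routine at 004612CC and the pair 004D9B84/004DA424 are undisclosed, so a 32-bit FNV-1a hash and an XOR fold stand in for them (both hypothetical), and the two flags are modelled as globals.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Two flags modelled as globals: [EBP-11] -> g_registered, [[6867E8]] -> g_edition (1..5). */
int g_registered = 0, g_edition = 0;
/* Fixed string each of the five sections feeds to the transformation. */
static const char *const kEditions[5] = { "Active WebCam", "Active WebCam Pro",
    "Active WebCam Dx", "Active WebCam St", "Active WebCam Wr" };

/* Stand-in (hypothetical 32-bit FNV-1a) for the undisclosed routine at 004612CC. */
uint32_t transform(const char *s) {
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 0x01000193u; }
    return h;
}

/* Each pair of hex digits becomes one byte; returns 0 unless exactly 16 hex digits. */
int parse_code(const char *hex, uint8_t out[8]) {
    static const char digits[] = "0123456789abcdef";
    if (strlen(hex) != 16) return 0;
    for (int i = 0; i < 8; i++) {
        const char *hi = strchr(digits, tolower((unsigned char)hex[2 * i]));
        const char *lo = strchr(digits, tolower((unsigned char)hex[2 * i + 1]));
        if (!hi || !lo) return 0;
        out[i] = (uint8_t)((hi - digits) << 4 | (lo - digits));
    }
    return 1;
}

/* Stand-in (hypothetical XOR fold) for 004D9B84/004DA424, which build the V1 array. */
static uint32_t expected_value(uint32_t fixed, const uint8_t key[8]) {
    uint32_t mix = 0;
    for (int i = 0; i < 8; i++) mix ^= (uint32_t)key[i] << (8 * (i % 4));
    return fixed ^ mix;
}

/* The five sections: same computation, different fixed string; first match sets both flags. */
int check_registration(const char *name, const char *code) {
    uint8_t key[8]; g_registered = g_edition = 0;
    if (!parse_code(code, key)) return 0;
    uint32_t ebx = transform(name);                 /* name transformation result */
    for (int i = 0; i < 5; i++) {
        uint32_t fixed = transform(kEditions[i]);   /* the real routine gives 6BEA18E3 for section 1 */
        if (ebx == expected_value(fixed, key)) {    /* cmp ebx, dword ptr [EBP-8] */
            g_registered = 1; g_edition = i + 1;    /* [EBP-11] = 1; [[6867E8]] = n */
            return 1;
        }
    }
    return 0;                                       /* common exit, as at 005AD41F */
}
```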
Q: What are the differences between the five sections above? Open the software's help file and look at the licensing section; it lists the following:
Single User License