So-called brute-force cracking means modifying a program's assembly code to control its execution flow, so that the software runs normally without a registration code. Compared with analysing the algorithm and writing a keygen, the technical content of brute-force cracking is relatively low. But it was precisely an article about brute-force cracking in a 2005 magazine that first drew me into this field. To pick the debugger back up, we should start with the simplest crackme and get familiar with the tools and methods again.
Download the crackme3 file (I am using the CFF Crackme #3 program from the Kanxue (看雪) encryption and decryption forum: http://pan.baidu.com/s/1dD9v9x3).
1. Check whether the program is packed; if it is, it must be unpacked first. Drag the crackme into PEiD: it shows the program was compiled in Delphi and has no packer. Very good.
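The packer check in step 1 is what PEiD does for you; as an added example (not code from this write-up or from PEiD), here is the same triage done by hand in Python: a Shannon entropy score per section, since packed or encrypted sections sit close to 8 bits per byte while plain code sits well below 7, plus a scan for two marker strings that really do occur in UPX-packed and Delphi-built executables. The section contents and file images below are constructed stand-ins, not bytes from the real crackme, and the 7.0 threshold is a common rule of thumb, not a PEiD constant.

```python
import math
import random
from collections import Counter

# Marker strings the triage looks for. Both are real: UPX names its sections
# UPX0/UPX1, and Delphi's runtime embeds this registry path. The table is a
# heuristic, not a PEiD signature database.
PACKER_MARKERS = {b"UPX0": "UPX"}
COMPILER_MARKERS = {b"SOFTWARE\\Borland\\Delphi\\RTL": "Delphi"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random
    data. Plain x86 code and text typically fall well below 7; compressed or
    encrypted (packed) sections sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """High-entropy section contents are the usual sign of a packer or protector."""
    return shannon_entropy(section) >= threshold


def triage(image: bytes, sections: dict) -> dict:
    """Answer step 1 of the write-up for a loaded PE image: is it packed, and
    which compiler produced it? `sections` maps section name -> raw bytes."""
    packer = next((name for marker, name in PACKER_MARKERS.items() if marker in image), None)
    compiler = next((name for marker, name in COMPILER_MARKERS.items() if marker in image), None)
    high = [name for name, data in sections.items() if looks_packed(data)]
    return {
        "packer_hint": packer,
        "compiler_hint": compiler,
        "high_entropy_sections": high,
        "needs_unpacking": packer is not None or bool(high),
    }


# Constructed stand-ins for file contents; these are not bytes from the real crackme.
_rng = random.Random(1)
PLAIN_CODE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3]) * 500   # repeated x86 prologue + ret
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))          # looks like compressed data
DELPHI_LIKE = b"MZ" + b"\x00" * 64 + b"SOFTWARE\\Borland\\Delphi\\RTL\x00" + PLAIN_CODE
UPX_LIKE = b"MZ" + b"\x00" * 64 + b"UPX0\x00UPX1\x00" + PACKED_BLOB

if __name__ == "__main__":
    print(triage(DELPHI_LIKE, {"CODE": PLAIN_CODE}))   # Delphi, no packer, nothing to unpack
    print(triage(UPX_LIKE, {"UPX1": PACKED_BLOB}))     # UPX, high-entropy section, unpack first
```

On a real file you would read the section table from the PE headers to fill `sections`; the entropy score is also what most malware-triage pipelines use to decide whether static string searches (like the one in step 5) will find anything at all.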
3. Run the program and see what message it gives for a bad registration code. Enter a wrong registration code and confirm: "Wrong serial, try again!" is displayed. Note this string down; it will be used later.
4. Exit the program, open OllyDbg, and load the program. (In the past I used W32Dasm, a static disassembler that supports Win32 API references and has powerful string reference features, so it was the first choice for cracking beginner-level software. This time we use OllyDbg; we are just reviewing the operations, and the cracking principle is the same.) OllyICE is an optimized version of OllyDbg and is also easy to use.
After the program is loaded, the following interface is displayed:
The "Module - crackme3" text in the title bar shows which module we are in: we are currently in the crackme's own code.
5. In the disassembly window, right-click and choose "Search for" > "All referenced text strings":
A text strings window is displayed. Right-click in it and choose "Search for text":
A dialog box appears; enter the string "Wrong serial, try again!". For convenience you can enter just "wrong", since the program does not contain many strings:
After clicking "OK", the matching string is highlighted. Right-click it and choose "Follow in Disassembler"; the disassembly window jumps to the instruction that references the string:
From the disassembly we can work out the program's flow: after the ID and registration code are entered, a subroutine is called to check whether the registration code is correct (the call at 00347f51 calls 00403b2c). If the check fails, a jnz jumps to 00366f72 and "Wrong serial, try again!" is displayed, telling you the registration code is wrong.
To verify this idea, set a breakpoint with F2 before the call, then step through to see which functions are called:
Then press F9 to run the program, enter the fake ID "wwwwww", and click "Register". The program now heads for the call that verifies our registration code, and stops at the breakpoint we set just before it (the stack pane shows our input "wwwww"; I wonder whether there is a buffer overflow here? XD):
Press F8 repeatedly to step over instructions until the call at 00366f34; this call invokes the subroutine that checks the registration code. At this point switch to F7 to step into the called function (its address is 00403b2c):
After stepping in, this is the routine that verifies the registration code (from the three pushes at the start to the three pops plus retn at the end):
From the code we can see that the program compares the entered registration code with the built-in one using the CMP instruction. (CMP affects the ZF flag. For example, CMP AX, BX: if AX = BX, ZF = 1; if AX != BX, ZF = 0.)
In other words, if the entered string is not the same as the registration code, ZF = 0. The subroutine then returns and execution reaches the jnz at 00366f39. Because the entered registration code is wrong, ZF = 0, so the jnz is taken and jumps to 0020.f8c, where the "Wrong serial" dialog box appears, telling you the registration code is wrong.
This is the legendary "key jump". If you change jnz (jump when ZF = 0) to je (jump when ZF = 1), you get the opposite result: a wrong registration code is reported as a successful registration, and the correct one is reported as an error.
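To make the ZF explanation above and the summary's point about swapping jne for je concrete, here is an added Python model (not the crackme's code and not the author's) of the two pieces involved: the CMP/ZF semantics and the two jump opcodes (0x74 je and 0x75 jnz, which are the real rel8 encodings), run in both the original and the patched configuration, followed by the defender-side view of the same edit, a byte diff that flags flipped je/jnz opcodes and a plain SHA-256 integrity check that any patch defeats. The expected serial "SECRET" and the seven-byte stub around the jump are constructed placeholders; the page does not give the real ones.

```python
import hashlib

# Real x86 encodings of the rel8 conditional jumps discussed in the write-up.
JE = 0x74    # jz / je : jump when ZF == 1
JNZ = 0x75   # jnz / jne: jump when ZF == 0


def cmp_zf(a: int, b: int) -> int:
    """CMP a, b computes a - b and sets ZF = 1 exactly when the operands are equal."""
    return 1 if a == b else 0


def branch_taken(opcode: int, zf: int) -> bool:
    """Conditional-jump semantics for the two opcodes of interest."""
    if opcode == JNZ:
        return zf == 0
    if opcode == JE:
        return zf == 1
    raise ValueError(f"unsupported opcode {opcode:#x}")


def compare_serials(entered: str, expected: str) -> int:
    """Model of the check subroutine: CMP the strings byte by byte and return the
    ZF value it leaves behind (1 only when every byte matched)."""
    if len(entered) != len(expected):
        return 0
    zf = 1
    for a, b in zip(entered.encode(), expected.encode()):
        zf = cmp_zf(a, b)
        if zf == 0:
            break
    return zf


def serial_check(entered: str, expected: str, jump_opcode: int = JNZ) -> str:
    """Caller's flow: call the check, then `jnz wrong_path`. Passing JE models the
    patched binary and shows the outcome is inverted, not fixed."""
    zf = compare_serials(entered, expected)
    if branch_taken(jump_opcode, zf):
        return "Wrong serial, try again!"
    return "Registration successful"


def flipped_short_jumps(original: bytes, modified: bytes) -> list:
    """Defender-side check: diff a trusted copy against a suspect copy and report
    offsets where a rel8 je/jnz opcode was swapped for its opposite. A heuristic
    over code bytes; pair it with a hash check for the general case."""
    if len(original) != len(modified):
        raise ValueError("size differs; not a pure in-place patch")
    return [(off, a, b) for off, (a, b) in enumerate(zip(original, modified))
            if a != b and {a, b} == {JE, JNZ}]


def integrity_ok(image: bytes, expected_sha256: str) -> bool:
    """The general form of the same check: any byte patch changes the file hash."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed stand-in for the bytes around the key jump (call rel32 ; jnz rel8).
ORIGINAL_STUB = bytes.fromhex("e8 00 00 00 00 75 0c")
PATCHED_STUB = bytes.fromhex("e8 00 00 00 00 74 0c")   # jnz -> je, the edit the write-up makes
ORIGINAL_DIGEST = hashlib.sha256(ORIGINAL_STUB).hexdigest()
EXPECTED_SERIAL = "SECRET"   # placeholder; the real crackme's serial is not on the page

if __name__ == "__main__":
    for opcode, label in ((JNZ, "original"), (JE, "patched")):
        for entered in ("wwwwww", EXPECTED_SERIAL):
            print(f"{label:8} {entered:8} -> {serial_check(entered, EXPECTED_SERIAL, opcode)}")
    print(flipped_short_jumps(ORIGINAL_STUB, PATCHED_STUB))   # [(5, 0x75, 0x74)]
    print(integrity_ok(PATCHED_STUB, ORIGINAL_DIGEST))        # False
```

Running it shows why the author calls the trick inelegant: with je in place the correct serial is rejected, so the patch only swaps which inputs "work". It also shows how little a program needs to catch it: a single hash of its own code, or a signed binary whose signature the loader verifies, turns a two-byte patch into a visible mismatch.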
6. Now find the two key jumps (a call when the ID is entered, followed by a jnz; and another call when the registration code is entered, followed by another jnz), for example:
Now we only need to modify the assembly code. Double-click the jnz instruction to open the "Assemble" dialog, change "jnz" to "je", and click "Assemble". Modify the other "jnz" the same way:
After the modification is complete, right-click and choose "Copy to executable" > "All modifications":
In the dialog box that appears, click "Copy all":
In the window that opens, right-click and choose "Save file".
Open the new file, enter any ID and registration code, and click "Register": the "Registration successful" dialog box appears:
Summary: This article reviews OllyDbg operations. Brute-force cracking is nothing more than modifying the program's verification flow, for example changing the jne at the key jump to je or jmp, and it is not elegant. The more elegant way is to work out the author's verification algorithm and write a memory patch or a keygen; that is the approach of the experts. I still can't manage the algorithmic approach and need to keep working at it.
Getting started with software cracking (brute-force cracking crackme)