The legendary basics of cracking: read this and you are halfway to cracking

Source: Internet
Author: User

(1) Classic comparisons, usually right at the registration-code check (by programhunter)
Form 1
    mov eax, [...]       ; [...] may be a memory address or another register
    mov edx, [...]       ; the two addresses usually hold the important data (the code you typed and the real one)
    call 00??????
    test eax, eax
    jz  (or jnz) ...
Form 2
    mov eax, [...]       ; [...] may be a memory address or another register
    mov edx, [...]       ; the two addresses usually hold the important data
    call 00??????        ; the callee leaves its verdict in the flags
    jne (or je) ...
Form 3
    mov eax, [...]
    mov edx, [...]
    cmp eax, edx
    jnz (or jz) ...
or, byte by byte:
begin:
    mov al, [...]
    mov cl, [...]
    cmp al, cl
    jnz ...
    mov al, [...+1]
    mov cl, [...+1]
    cmp al, cl
    jnz ...
    cmp eax, ecx         ; eax is the loop counter
    jnl begin
    mov al, 01           ; every byte matched
Form 4
    lea edi, [...]
    lea esi, [...]
    repz cmpsd           ; compare dword by dword while they are equal
    jz  (or jnz) ...
Form 5
    mov eax, [...]       ; [...] may be a memory address or another register
    mov edx, [...]       ; the two addresses usually hold the important data
    call 00??????
    setz (or setnz) al   ; or bl, cl, ...: the verdict is kept as a flag byte instead of branching on it
Form 6
    mov eax, [...]       ; [...] may be a memory address or another register
    mov edx, [...]       ; the two addresses usually hold the important data
    call 00??????
    test eax, eax
    setz (or setnz) bl   ; or cl, ...
Form 7
    call 00??????        ; *** the real check
    push eax             ; or ebx, ecx, ...
    ......
    ......
    call 00??????
    pop eax              ; or ebx, ecx, ...
    test eax, eax
    jz  (or jnz) ...
This form is special: the key is not in the second call but in the first one; its result is only saved and tested later.
(2) The registration code compared byte by byte
:0042a159 0fbe03        movsx eax, byte ptr [ebx]
:0042a15c 50            push eax
:0042a15d e8228c0400    call 00472d84
:0042a162 59            pop ecx
:0042a163 83f84a        cmp eax, 0000004a       ; ----> 'J'
:0042a166 7559          jne 0042a1c1
:0042a168 0fbe5301      movsx edx, byte ptr [ebx+01]
:0042a16c 52            push edx
:0042a16d e8128c0400    call 00472d84
:0042a172 59            pop ecx
:0042a173 83f853        cmp eax, 00000053       ; ----> 'S'
:0042a176 7549          jne 0042a1c1
:0042a178 0fbe4b02      movsx ecx, byte ptr [ebx+02]
:0042a17c 83f924        cmp ecx, 00000024       ; ----> '$'
:0042a17f 7540          jne 0042a1c1
:0042a181 0fbe4303      movsx eax, byte ptr [ebx+03]
:0042a185 83f832        cmp eax, 00000032       ; ----> '2'
:0042a188 7537          jne 0042a1c1
:0042a18a 0fbe5304      movsx edx, byte ptr [ebx+04]
:0042a18e 83fa38        cmp edx, 00000038       ; ----> '8'
:0042a191 752e          jne 0042a1c1
:0042a193 0fbe4b05      movsx ecx, byte ptr [ebx+05]
:0042a197 83f939        cmp ecx, 00000039       ; ----> '9'
:0042a19a 7525          jne 0042a1c1
:0042a19c 0fbe4306      movsx eax, byte ptr [ebx+06]
:0042a1a0 83f832        cmp eax, 00000032       ; ----> '2'
:0042a1a3 751c          jne 0042a1c1
:0042a1a5 0fbe5307      movsx edx, byte ptr [ebx+07]
:0042a1a9 83fa31        cmp edx, 00000031       ; ----> '1'
(the original listing stops here)
Every jne goes to the same failure address, 0042a1c1, and every cmp tests one byte of the typed code against an ASCII constant, so reading the immediates down the listing gives the code: J S $ 2 8 9 2 1. The first two bytes are passed through the call at 00472d84 before the compare (eax then holds that routine's return value); the remaining bytes are compared directly.
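The listing above can be decoded mechanically. The following is an added example, not code from the original post: a decoder for just the opcodes this idiom uses (movsx r32, byte ptr [r32+disp8]; push/pop; call rel32; cmp r32, imm8; je/jne rel8) that walks the bytes transcribed from the listing, collects the immediate of each cmp at the offset the byte was loaded from, and checks that every jne lands on one failure address. The byte string is constructed from the page; the final jne, cut off in the original, is assumed to be 75 13 so that it also reaches 0042a1c1. The function names (decode, recover_serial, fmt) are this example's own.

```python
"""Recover the hard-coded registration code from the byte-compare idiom.

Added example; not code from the original post.  Bytes are transcribed from
the page's listing at 0042a159; the last jne (cut off in the original) is
assumed to be 75 13.  Only the opcodes the idiom uses are decoded.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

BASE = 0x0042A159
# Constructed from the page's listing, one byte string for the whole block.
LISTING_BYTES = bytes.fromhex(
    "0fbe03" "50" "e8228c0400" "59" "83f84a" "7559"
    "0fbe5301" "52" "e8128c0400" "59" "83f853" "7549"
    "0fbe4b02" "83f924" "7540"
    "0fbe4303" "83f832" "7537"
    "0fbe5304" "83fa38" "752e"
    "0fbe4b05" "83f939" "7525"
    "0fbe4306" "83f832" "751c"
    "0fbe5307" "83fa31" "7513"        # final jne 0042a1c1 is assumed
)


def decode(code, base):
    """Decode the x86-32 subset used by the idiom.

    Returns a list of (address, mnemonic, operands) tuples.
    """
    insns, i = [], 0
    while i < len(code):
        addr, b = base + i, code[i]
        if b == 0x0F and code[i + 1] == 0xBE:          # movsx r32, byte ptr [r32(+disp8)]
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod > 1 or rm in (4, 5):                # no SIB / disp32 forms needed here
                raise ValueError(f"unsupported modrm {modrm:#x} at {addr:#x}")
            disp = code[i + 3] if mod == 1 else 0
            insns.append((addr, "movsx", (REG32[reg], REG32[rm], disp)))
            i += 4 if mod == 1 else 3
        elif 0x50 <= b <= 0x57:                        # push r32
            insns.append((addr, "push", (REG32[b - 0x50],)))
            i += 1
        elif 0x58 <= b <= 0x5F:                        # pop r32
            insns.append((addr, "pop", (REG32[b - 0x58],)))
            i += 1
        elif b == 0xE8:                                # call rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            insns.append((addr, "call", (addr + 5 + rel,)))
            i += 5
        elif b == 0x83 and code[i + 1] >> 6 == 3 and (code[i + 1] >> 3) & 7 == 7:
            imm = struct.unpack_from("<b", code, i + 2)[0]   # cmp r32, imm8 (sign-extended)
            insns.append((addr, "cmp", (REG32[code[i + 1] & 7], imm)))
            i += 3
        elif b in (0x74, 0x75):                        # je / jne rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            insns.append((addr, "je" if b == 0x74 else "jne", (addr + 2 + rel,)))
            i += 2
        else:
            raise ValueError(f"unsupported opcode {b:#04x} at {addr:#x}")
    return insns


def recover_serial(insns):
    """Walk the decoded stream.  A movsx from [base+disp] that is later compared
    with an imm8 and guarded by a jne contributes one character at position disp.

    Returns (serial, base_register, set_of_jne_targets, positions_passed_through_a_call).
    """
    chars, via_call, targets = {}, set(), set()
    base_reg = pending = None
    call_seen = False
    for _addr, mn, ops in insns:
        if mn == "movsx":
            dst, base_reg, disp = ops
            pending, call_seen = (dst, disp), False
        elif mn == "call":
            call_seen = True
        elif mn == "cmp" and pending is not None:
            reg, imm = ops
            # After a call the compared value is the call's result in eax,
            # otherwise it must be the register the byte was loaded into.
            if reg == pending[0] or (call_seen and reg == "eax"):
                chars[pending[1]] = chr(imm & 0xFF)
                if call_seen:
                    via_call.add(pending[1])
        elif mn == "jne" and pending is not None:
            targets.add(ops[0])
            pending = None
    serial = "".join(chars[pos] for pos in sorted(chars))
    return serial, base_reg, targets, via_call


def fmt(addr, mn, ops):
    """Render one decoded instruction in the page's listing style."""
    if mn == "movsx":
        dst, base, disp = ops
        mem = f"[{base}+{disp:02x}]" if disp else f"[{base}]"
        return f"{addr:08x}  movsx {dst}, byte ptr {mem}"
    if mn in ("call", "je", "jne"):
        return f"{addr:08x}  {mn} {ops[0]:08x}"
    if mn == "cmp":
        return f"{addr:08x}  cmp {ops[0]}, {ops[1] & 0xFFFFFFFF:08x}"
    return f"{addr:08x}  {mn} {ops[0]}"


if __name__ == "__main__":
    insns = decode(LISTING_BYTES, BASE)
    for insn in insns:
        print(fmt(*insn))
    serial, base_reg, targets, via_call = recover_serial(insns)
    print(f"code = {serial!r}, read from [{base_reg}+n]; every jne -> "
          + ", ".join(f"{t:08x}" for t in sorted(targets))
          + f"; bytes passed through the call first: {sorted(via_call)}")
```

The single failure target is the tell: when all the conditional jumps in a run of byte compares converge on one address, that address is the "bad code" path and the immediates, read in order of the load offsets, are the expected code. Positions 0 and 1 are reported separately because they were compared after the call at 00472d84 rather than directly, so what that routine does to the byte (the page does not say) decides whether those two characters must be typed exactly as shown.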
(3) Checking the number of characters
    cmp dword ptr [ebp-04], 0000000a
    jne/jge/jle/je 00xxxxxx
or
    mov eax, dword ptr [ebp-04]
    call 00xxxxxx
    cmp eax, 0000000a       <---- is the registration code 10 characters long?
    jne 00xxxxxx            <---- no: error
(4) The classic comparison in a VB program
    push xxx                ; the false registration code (the one you typed)
    push xxx                ; the real registration code
    call [msvbvm60!__vbaStrCmp]
    test eax, eax
    jnz 00xxxxxx            ; non-zero means the strings differ
(5) How the registration code shows up in SmartCheck
    __vbaStrCmp(String:"zzzzzzz", String:"yyyyy") returns ...
    __vbaStrVarVal(VARIANT:String "A") returns ...
    __vbaVarTstEq(VARIANT:*****, VARIANT:*****) returns ...
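What the debugger shows at that __vbaStrCmp breakpoint is a pair of BSTR pointers on the stack, which is why the usual trick is to dump *(esp+8) or esp->8 on entry. The following is an added example, not code from the original post: it lays out a constructed 32-bit little-endian memory image in which a VB program has pushed the typed code and then the real code and called __vbaStrCmp, reads the two arguments the way the debugger command does (stdcall: return address at [esp], first argument at [esp+4], second at [esp+8]), decodes each BSTR (UTF-16LE text with its byte length stored 4 bytes before the pointer), and models the return value the pattern tests with test eax, eax (0 when equal, as for a binary compare). The addresses, the sample strings (the "real" code is borrowed from section (2) purely as sample data) and the helper names (Memory, alloc_bstr, vba_strcmp_args, vba_strcmp, registration_check, build_frame) are all this example's own assumptions.

```python
"""Decode the two BSTR arguments of a __vbaStrCmp call from a memory dump.

Added example, not from the original post.  Memory image and addresses are
constructed; the return-value model (0 when equal) is the only behaviour of
__vbaStrCmp assumed.
"""
import struct


class Memory:
    """Flat little-endian image made of a few 32-bit address ranges."""

    def __init__(self):
        self.chunks = {}                      # base address -> bytearray

    def write(self, addr, data):
        self.chunks[addr] = bytearray(data)

    def read(self, addr, n):
        for base, buf in self.chunks.items():
            if base <= addr and addr + n <= base + len(buf):
                off = addr - base
                return bytes(buf[off:off + n])
        raise ValueError(f"unmapped read at {addr:#010x}")

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def bstr(self, ptr):
        """A BSTR points at UTF-16LE text; its byte length sits 4 bytes before it."""
        nbytes = self.u32(ptr - 4)
        return self.read(ptr, nbytes).decode("utf-16-le")


def alloc_bstr(mem, addr, text):
    """Lay `text` out as a BSTR whose data pointer is `addr` (length prefix at addr-4)."""
    data = text.encode("utf-16-le")
    mem.write(addr - 4, struct.pack("<I", len(data)) + data + b"\x00\x00")
    return addr


def vba_strcmp_args(mem, esp):
    """The two BSTR arguments as seen on the first instruction of __vbaStrCmp:
    [esp] is the return address, [esp+4] the first argument, [esp+8] the second
    (the value the SoftICE/TRW 'd *(esp+8)' dump shows)."""
    return mem.bstr(mem.u32(esp + 4)), mem.bstr(mem.u32(esp + 8))


def vba_strcmp(a, b):
    """Model of the return value: 0 when equal (binary, case-sensitive compare)."""
    return 0 if a == b else (-1 if a < b else 1)


def registration_check(mem, esp):
    """What `call __vbaStrCmp / test eax, eax / jnz fail` decides."""
    a, b = vba_strcmp_args(mem, esp)
    return vba_strcmp(a, b) == 0


def build_frame():
    """Constructed frame: push typed code, push real code, call __vbaStrCmp."""
    mem = Memory()
    real = alloc_bstr(mem, 0x00152344, "JS$28921")    # pushed last  -> first argument, esp+4
    typed = alloc_bstr(mem, 0x00152388, "js$28921")   # pushed first -> second argument, esp+8
    esp = 0x0012F7A0
    mem.write(esp, struct.pack("<III", 0x00401F2B, real, typed))   # return address, arg1, arg2
    return mem, esp


if __name__ == "__main__":
    mem, esp = build_frame()
    a, b = vba_strcmp_args(mem, esp)
    print(f"esp+4 -> {a!r}   esp+8 -> {b!r}   passes: {registration_check(mem, esp)}")
```

Two details matter when reading the dump by hand: the debugger's byte dump of a BSTR shows every other byte as zero because the text is UTF-16, and the dword just before the pointer is the length in bytes, not characters, so a 8-character code shows as 10 00 00 00. Because the compare is binary, the lowercase typed code here fails even though it differs only in case.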
(6) Comparing two strings byte by byte
:004044d8 8a10          mov dl, byte ptr [eax]
:004044da 8aca          mov cl, dl
:004044dc 3a16          cmp dl, byte ptr [esi]
:004044de 751c          jne 004044fc
:004044e0 84c9          test cl, cl
:004044e2 7414          je 004044f8
:004044e4 8a5001        mov dl, byte ptr [eax+01]
:004044e7 8aca          mov cl, dl
:004044e9 3a5601        cmp dl, byte ptr [esi+01]
:004044ec 750e          jne 004044fc
:004044ee 83c002        add eax, 00000002       ***
:004044f1 83c602        add esi, 00000002       ***
:004044f4 84c9          test cl, cl
:004044f6 75e0          jne 004044d8
Each pass of the loop takes two bytes from the string at eax and compares them with byte ptr [esi] and byte ptr [esi+01]; a mismatch leaves through 004044fc, a terminating NUL (test cl, cl) leaves through 004044f8 with the strings equal, otherwise both pointers advance by two (the lines marked ***) and the loop repeats. This is the unrolled-by-two shape a compiler gives an inlined strcmp, so eax and esi point at the two registration codes.
(7) Converting lowercase letters to uppercase (no listing at hand; add your own)
(8) Converting uppercase letters to lowercase (no listing at hand; add your own)
This one is also good!!
Common breakpoints (in OllyDbg)
Intercepting windows:
BP CreateWindow                  create a window
BP CreateWindowEx(A)             create a window
BP ShowWindow                    show a window
BP UpdateWindow                  update a window
BP GetWindowText(A)              get the window text
Intercepting message boxes:
BP MessageBox(A)                 create a message box
BP MessageBoxExA                 create a message box
BP MessageBoxIndirect(A)         create a custom message box
BP IsDialogMessageW
Intercepting warnings:
BP MessageBeep                   play a system warning sound (with no sound card the PC speaker is driven directly)
Intercepting dialog boxes:
BP DialogBox                     create a modal dialog box
BP DialogBoxParam(A)             create a modal dialog box
BP DialogBoxIndirect             create a modal dialog box
BP DialogBoxIndirectParam(A)     create a modal dialog box
BP CreateDialog                  create a modeless dialog box
BP CreateDialogParam(A)          create a modeless dialog box
BP CreateDialogIndirect          create a modeless dialog box
BP CreateDialogIndirectParam(A)  create a modeless dialog box
BP GetDlgItemText(A)             get the text of a dialog control
BP GetDlgItemInt                 get the integer in a dialog control
Intercepting the clipboard:
BP GetClipboardData              get clipboard data
Intercepting the registry:
BP RegOpenKey(A)
BP RegOpenKeyEx
BP RegQueryValue(A)              query a value
BP RegQueryValueEx
BP RegSetValue(A)                set a value
BP RegSetValueEx(A)
Feature restrictions:
BP EnableMenuItem                disable or enable a menu item
BP EnableWindow                  disable or enable a window
BP send                          network access breakpoint
BP recv                          returned data breakpoint
Intercepting shutdown and restart:
BP ExitWindowsEx                 for restart problems (the break lands in system code, not the program's own code)
BPX ExitWindowsEx
Intercepting time:
BP GetLocalTime                  get the local time
BP GetSystemTime                 get the system time
BP GetFileTime
BP GetTickCount                  milliseconds elapsed since the system started
BP GetCurrentTime                get the current time (16-bit)
BP SetTimer                      create a timer
BP TimerProc                     timer callback function
GetDlgItemInt retrieves the integer typed in an edit box.
GetDlgItemText retrieves the string typed in an edit box.
GetDlgItemTextA retrieves the string typed (ANSI version).
Intercepting files:
BP CreateFileA                   create or open a file (32-bit)
BP OpenFile                      open a file (32-bit)
BP ReadFile                      read a file (32-bit)
BP WriteFile                     write a file (32-bit)
GetModuleFileNameA
GetFileSize
SetFilePointer
FileOpen
FindFirstFileA
ReadFile
Intercepting drives:
BP GetDriveTypeA                 get the drive type
BP GetLogicalDrives
BP GetLogicalDriveStringsA       get the root paths of all current logical drives
★★ VB-specific breakpoints ★★
File length: rtcFileLen
BP __vbaFreeStr                  for VB programs that verify on restart
BP __vbaStrCmp                   are two strings equal
BP __vbaStrComp                  are two strings equal
BP __vbaVarTstNe                 are two variants not equal
BP __vbaVarTstEq                 are two variants equal
BP __vbaStrCopy                  copy a string
BP __vbaStrMove                  move a string
BP MultiByteToWideChar           ANSI string to Unicode string
BP WideCharToMultiByte           Unicode string to ANSI string
====================================
Password breakpoints
hmemcpy (Win9x)
GetDlgItemTextA
GetDlgItemInt
VB:
GetVolumeInformationA
__vbaStrComp (TRW)
BPX __vbaStrComp (remember the two leading underscores)
msvbvm60!__vbaStrComp | SoftICE
msvbvm50!             |
V3164str
Ctrl+D
BPX msvbvm60!__vbaStrComp do "d *(esp+0c)" (SoftICE)
Press F5 a few times and the registration code appears.
BPX RegQueryValueExA do "d esp->8" (TRW)
__vbaVarTstEq
(0042932f 66898580feffff   mov word ptr [ebp+fffffe80], ax
change to
 0042932f 66898580feffff   mov word ptr [ebp+fffffe80], bx)
Common time breakpoints
GetSystemTime
GetLocalTime
GetTickCount
VB:
rtcGetPresentDate          // get the current date
Common window-closing breakpoints
LockMyTask (Win9x only)
BP ExitProcess             exit the process
DestroyWindow
mouse_event (mouse breakpoint)
PostQuitMessage (useful for cracking Full Color XP ^_^)
VB:
rtcMsgBox
Common INI-file breakpoints
GetPrivateProfileStringA
GetPrivateProfileInt
Key files:
GetPrivateProfileInt
ReadFile
CreateFileA
Common registry breakpoints
RegQueryValueA
RegQueryValueExA
Dongle breakpoints
BPIO -h 278 R
BPIO -h 378 R
Other common function breakpoints
CreateFileA (reading the dongle driver),
DeviceIoControl,
FreeEnvironmentStringsA (effective against HASP).
PrestoChangoSelector (16-bit HASP); search for the string '20160301' (for SanTianNuo dongles). See the example below.
CD-check breakpoints
16-bit:
GetVolumeInformation
GetDriveType
int 2Fh (DOS)
32-bit:
GetDriveTypeA
GetFullPathNameA
GetWindowsDirectoryA
Disk-read breakpoints
GetLastError               returns the extended error code
Restriction breakpoints
EnableMenuItem
EnableWindow               enables or disables mouse and keyboard input to a window or control (a disabled menu item is greyed out)
I don't know the floppy-disk breakpoints. Are there other special breakpoints? Can other friends talk about them?
For example LockMyTask and mouse_event: aren't these API32 functions?
For cracking on Win9x versus Win2k, are some of the breakpoints above unavailable?
I don't know which of the commonly used breakpoint functions above work on Win2k.
That is: password, time, window, INI, key file, registry, dongle, CD, floppy disk, restrictions, and so on!
Get familiar with the common breakpoints and you get twice the result with half the effort!
Let's discuss! Also, how do you deal with software that has to be restarted to verify?
Don't know where to break? There are three cases:
1. It may check the registry.
2. It may compare against a special file (*.key, *.ini, *.dat, etc.).
3. It compares inside the program, with no error prompt and no clear string to find in the disassembly (this is what I want to ask about).
The hardest one is removing the watermark!
There are three possible cases:
A. The watermark is a bitmap (BitBlt, CreateBitmap and other bitmap functions).
B. The watermark is a distinctive string (find it by disassembly analysis).
C. The watermark is not an obvious string (for example "this is a demo!" that only shows up in another produced file, such as *.htm or *.exe).
C is the hardest and is what many people, me included, want to know. What do the experts say?
Ads:
There are two possible cases:
A. Start from the window creation and use MoveWindow or other window functions!
B. Use BitBlt or other bitmap functions!
Finally, you can use some existing tools (such as api27, vwindset, and freespy).
Though the grape has no tree, its vine still sprouts under the trellis.
Amid the dust of the world, why stir up more dust?
Ball [CCG]
It depends on the mark the program leaves, and usually it leaves information in the registry!
In SoftICE use BPX RegQueryValueExA do "d esp->8" to break on the query;
in TRW use BPX RegQueryValueExA do "d *(esp+8)" to break on the query.
Some leave the registration information in their own directory, commonly in .dat, .ini, .dll files, etc.;
I use BPX ReadFile to break on those. Some leave the registration information in the Windows directory.
You can use a dedicated tool such as FileMon to watch for it and find it!
VB:
1. __vbaVarTstNe        // test whether two variants are not equal
2. rtcR8ValFromBstr     // convert a string to a double
3. rtcMsgBox            // dialog box that displays information
4. rtcBeep              // drive the speaker
5. rtcGetPresentDate    // get the current date
For strings:
__vbaStrComp
__vbaStrCmp
__vbaStrCompVar
__vbaStrLike
__vbaStrTextComp
__vbaStrTextLike
For variants:
__vbaVarCompEq
__vbaVarCompLe
__vbaVarCompLt
__vbaVarCompGe
__vbaVarCompGt
__vbaVarCompNe
VB pointers:
(omitted in the original)
The VB runtime DLL also calls some functions in oleaut32.dll, the OLE Automation library. The prototype of each of those functions is defined in <oleauto.h> and documented in detail in MSDN, which also helps in understanding what the functions in the VB runtime DLL do.
Example:
    lea eax, [ebp-58]
    push eax
    call [msvbvm60!__vbaI4Var]
Run "dd eax+8" before the call: the value is 3;
after the call returns, eax = 3.
So __vbaI4Var converts a VARIANT to an I4 (a long integer).
__vbaVarTstNe seems to be used for self-checking; normally its return value is 0.
Software to try this on: "Three Kingdoms Network Smart Robot" and "Music Greeting Card Maker". When these two are unpacked they fail: the Three Kingdoms robot raises an illegal-operation error and the greeting card maker tells you it is an illegal copy; modifying the return value of __vbaVarTstNe makes them run normally.
So when you meet VB software that will not run normally after unpacking and you cannot find any other problem, try breaking on this function; it may help. 8-)
I don't know the API. Perhaps on the 98 platform you can read and write sectors through the BIOS, but on 2000/NT you write sectors through the kernel's atapi and HAL.
Machoman [CCG]
BPX WRITE_PORT_BUFFER_USHORT
At this breakpoint on NT/2000, when edx = 1F0h the data at the address in edi is the data for that sector; you must first add hal to winice.dat. For details about atapi.sys see the ATAPI manual.
Supplement:
Breakpoints for VB programs and time-limited programs
Crackerabc
First, the patch that makes W32Dasm disassemble VB programs correctly:
======================================
offsets 0x16b6c-0x16b6d
change the bytes to: 98 F4
======================================
Tracking breakpoints for VB programs:
================
MultiByteToWideChar,
rtcR8ValFromBstr,
WideCharToMultiByte,
__vbaStrCmp
__vbaStrComp
__vbaStrCopy
__vbaStrMove
__vbaVarTstNe
rtcBeep
rtcGetPresentDate (time API)
rtcMsgBox
==========
Time-limit breakpoints:
======================
CompareFileTime
GetLocalTime
GetSystemTime
GetTimeZoneInformation
msvcrt.difftime()
msvcrt.time()
======================
General handling
BPX hmemcpy
BPX MessageBox
BPX MessageBoxExA
BPX MessageBeep
BPX SendMessage
BPX GetDlgItemText
BPX GetDlgItemInt
BPX GetWindowText
BPX GetWindowWord
BPX GetWindowInt
BPX DialogBoxParamA
BPX CreateWindow
BPX CreateWindowEx
BPX ShowWindow
BPX UpdateWindow
BMSG xxxx WM_MOVE
BMSG xxxx WM_GETTEXT
BMSG xxxx WM_COMMAND
BMSG xxxx WM_ACTIVATE
Time-related
BPINT 21 IF AH=2A (DOS)
BPX GetLocalTime
BPX GetFileTime
BPX GetSystemTime
CD-ROM or disk related
BPINT 13 IF AH=2 (DOS)
BPINT 13 IF AH=3 (DOS)
BPINT 13 IF AH=4 (DOS)
BPX GetFileAttributesA
BPX GetFileSize
BPX GetDriveType
BPX GetLastError
BPX ReadFile
BPIO -h (your CD-ROM port address) R
Software dongles
BPIO -h 278 R
BPIO -h 378 R
Keyboard input
BPINT 16 IF AH=0 (DOS)
BPINT 21 IF AH=0A (DOS)
File access
BPINT 21 IF AH=3D (DOS)
BPINT 21 IF AH=3F (DOS)
BPX ReadFile
BPX WriteFile
BPX CreateFile
BPX SetFilePointer
BPX GetSystemDirectory
INI files
BPX GetPrivateProfileString
BPX GetPrivateProfileInt
BPX WritePrivateProfileString
BPX WritePrivateProfileInt
Registry related
BPX RegCreateKey
BPX RegDeleteKey
BPX RegQueryValue
BPX RegCloseKey
BPX RegOpenKey
Registration flag
BPX CS:EIP IF EAX=0
Memory flag
BPMB CS:EIP RW IF 0x30:0x45AA=0
Display related
BPX 0x30:0x45AA DO "D 0x30:0x44BB"
BPX CS:0x66CC DO "? EAX"
Finding windows
FindWindowA
BP SetFilePointer
BPX hmemcpy ; the all-purpose cracking breakpoint, catches memory copies (Win9x only)
BPX LockMyTask ; when other breakpoints do nothing, try this one to catch the button click (Win9x only)
If you cannot find a breakpoint, try the following:
BMSG handle WM_GETTEXT ; catch the registration code (handle is the window handle of the edit box)
BMSG handle WM_COMMAND ; catch the OK button (handle is the window handle)
Intercepting windows:
BPX CreateWindow ; create a window
BPX CreateWindowEx(A/W) ; create a window
BPX ShowWindow ; show a window
BPX UpdateWindow ; update a window
BPX GetWindowText(A/W) ; get the window text
Intercepting message boxes:
BPX MessageBox(A/W) ; create a message box
BPX MessageBoxExA(W) ; create a message box
BPX MessageBoxIndirect(A/W) ; create a custom message box
Intercepting warnings:
BPX MessageBeep ; play a system alert (with no sound card the PC speaker is driven directly)
Intercepting dialog boxes:
BPX DialogBox ; create a modal dialog box
BPX DialogBoxParam(A/W) ; create a modal dialog box
BPX DialogBoxIndirect ; create a modal dialog box
BPX DialogBoxIndirectParam(A/W) ; create a modal dialog box
BPX CreateDialog ; create a modeless dialog box
BPX CreateDialogParam(A/W) ; create a modeless dialog box
BPX CreateDialogIndirect ; create a modeless dialog box
BPX CreateDialogIndirectParam(A/W) ; create a modeless dialog box
BPX GetDlgItemText(A/W) ; get the text of a dialog control
BPX GetDlgItemInt ; get the integer in a dialog control
Intercepting the clipboard:
BPX GetClipboardData ; get clipboard data
Intercepting the registry:
BPX RegOpenKey(A/W) ; open a key (e.g. BPX RegOpenKeyA IF *(ESP->8)='****')
BPX RegOpenKeyExA(W) ; open a key (e.g. BPX RegOpenKeyEx IF *(ESP->8)='****')
BPX RegQueryValue(A/W) ; query a value (e.g. BPX RegQueryValueA IF *(ESP->8)='****')
BPX RegQueryValueEx(A/W) ; query a value (e.g. BPX RegQueryValueEx IF *(ESP->8)='****')
BPX RegSetValue(A/W) ; set a value (e.g. BPX RegSetValueA IF *(ESP->8)='****')
BPX RegSetValueEx(A/W) ; set a value (e.g. BPX RegSetValueExA IF *(ESP->8)='****')
Note: '****' is the first four characters of the key name, because *(ESP->8) reads one dword of the name. If the key is 'regcode', '****' = 'regc'.
Feature restrictions:
BPX EnableMenuItem ; disable or enable a menu item
BPX EnableWindow ; disable or enable a window
BMSG hmenu WM_COMMAND ; catch menu and button events, where hmenu is the menu handle
BPX K32Thk1632Prolog ; used together with BMSG hmenu WM_COMMAND, this breakpoint gets you into the menu handler
Application example:
call [Kernel32!K32Thk1632Prolog]
call [......] <-- trace into this call to reach the menu handler
call [Kernel32!K32Thk1632Epilog]
Intercepting time:
BPX GetLocalTime ; get the local time
BPX GetSystemTime ; get the system time
BPX GetFileTime ; get file times
BPX GetTickCount ; milliseconds elapsed since the system started
BPX GetCurrentTime ; get the current time (16-bit)
BPX SetTimer ; create a timer
BPX TimerProc ; timer callback function
Intercepting files:
BPX CreateFileA(W) ; create or open a file (32-bit)
BPX OpenFile ; open a file (32-bit)
BPX ReadFile ; read a file (32-bit)
BPX WriteFile ; write a file (32-bit)
BPX _lcreat ; create or open a file (16-bit)
BPX _lopen ; open a file (16-bit)
BPX _lread ; read a file (16-bit)
BPX _lwrite ; write a file (16-bit)
BPX _hread ; read a file (16-bit)
BPX _hwrite ; write a file (16-bit)
Intercepting drives:
BPX GetDriveType(A/W) ; get the drive type
BPX GetLogicalDrives ; get the logical drive bitmask
BPX GetLogicalDriveStringsA(W) ; get the root paths of all current logical drives
Dongle interception:
BPIO -h 378 (or 278, 3BC) R ; 378, 278 and 3BC are the parallel (printer) ports
BPIO -h 3F8 (or 2F8, 3E8, 2E8) R ; 3F8, 2F8, 3E8 and 2E8 are the serial ports
Special breakpoints for VB programs:
BPX msvbvm60!rtcMsgBox
BPX msvbvm60!__vbaStrCmp
BPX msvbvm60!__vbaStrComp
BPX msvbvm60!__vbaStrCompVar
BPX msvbvm60!__vbaStrTextCmp
BPX msvbvm60!__vbaFileOpen
BPX msvbvm60!__vbaInputFile
BPX msvbvm60!__vbaFileSeek
BPX msvbvm60!__vbaWriteFile
BPX msvbvm60!__vbaFileClose
BPX msvbvm60!rtcFileAttributes
BPX msvbvm60!rtcFileDateTime
BPX msvbvm60!rtcFileLen
BPX msvbvm60!rtcFileLength
BPX msvbvm60!__vbaVarInt
BPX msvbvm60!__vbaVarCmpGe
BPX msvbvm60!__vbaVarCmpGt
BPX msvbvm60!__vbaVarCmpLe
BPX msvbvm60!__vbaVarCmpLt
BPX msvbvm60!__vbaVarCmpNe
BPX msvbvm60!__vbaVarTextCmpEq
BPX msvbvm60!__vbaVarTextCmpGe
BPX msvbvm60!__vbaVarTextCmpGt
BPX msvbvm60!__vbaVarTextCmpLe
BPX msvbvm60!__vbaVarTextCmpLt
BPX msvbvm60!__vbaVarTextCmpNe
BPX msvbvm60!__vbaVarTextTstEq
BPX msvbvm60!__vbaVarTextTstGe
BPX msvbvm60!__vbaVarTextTstGt
BPX msvbvm60!__vbaVarTextTstLe
BPX msvbvm60!__vbaVarTextTstLt
BPX msvbvm60!__vbaVarTextTstNe
BPX msvbvm60!__vbaVarTstEq
BPX msvbvm60!__vbaVarTstGe
BPX msvbvm60!__vbaVarTstGt
BPX msvbvm60!__vbaVarTstLe
BPX msvbvm60!__vbaVarTstLt
BPX msvbvm60!__vbaVarTstNe
Note: a VB program can still be caught with the ordinary API breakpoints, as long as the VB runtime function "eventually" calls that API.
The breakpoints above are for VB6 programs; for a VB5 program change msvbvm60 to msvbvm50.
