Patching a hardware-locked program written in Easy Language (cracking a simple plug-in)

[Article Title]: Patching a hardware-locked program written in Easy Language
[Author]: v Zi
[Author mailbox]: vxf155@sina.com
[Software name]: Magic Baby plug-in
[Software size]: 1.49 MB
[Packing method]: None
[Protection method]: Hardware lock (bound to the machine code)
[Language]: Easy Language
[Tools]: OllyDbg (OD)
[Operating platform]: Windows 2003
[Software introduction]: A simple plug-in that the author wrote for a game.
[Author's statement]: I am only doing this out of interest and have no other purpose. I am a newbie, so please give me your advice!
--------------------------------------------------------------------------------
[Detailed process]
I am a newbie on the Kanxue (Pediy) forum too. This is my first article, so please don't laugh at how it was cracked.
First, let's look at how the plug-in behaves, as described by a friend:
1. The program is a single file. On an unregistered machine it will not run: the window flashes briefly at startup and then exits.
2. Before running it, you send your machine code to the author, who then sends back a build that runs on that machine.
3. The program is written in Easy Language.
From this I guessed that the author hard-codes the machine code into the program.
Although I know it is written in Easy Language, I still checked it with PEiD for a packer. It reports Microsoft Visual C++ 6.0, so there is no packer. (Lucky for a first attempt.)
Looking at the sections, there is no .ecode section, so it was built with a newer version of Easy Language (I learned this when I looked it up online; I am out of date!).
After searching online for a while I found the general approach.
If the program is hardware-locked, look for the string \\.\PhysicalDrive0.
Load it in OD, right-click anywhere in the CPU window -> Ultra String Reference -> Find ASCII -> \\.\PhysicalDrive0
Double-click to go there:

0046F6AA |. 53 PUSH EBX ; /hTemplateFile = NULL
0046F6AB |. 53 PUSH EBX ; |Attributes = 0
0046F6AC |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0046F6AE |. 53 PUSH EBX ; |pSecurity = NULL
0046F6AF |. 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0046F6B1 |. 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
0046F6B6 |. 68 28C45500 PUSH 0055C428 ; |FileName = "\\.\PhysicalDrive0"
0046F6BB |. FF15 E0B25100 CALL NEAR DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; \CreateFileA
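
What the Ultra String Reference step does can also be done offline on the file itself. The following script is an added example and is not the author's code or OllyDbg's: it parses the PE section table, maps the file offset of \\.\PhysicalDrive0 to its virtual address, and then scans the sections for PUSH imm32 instructions (68 xx xx xx xx) that push that address, which is exactly the PUSH 0055C428 that sits in front of the CreateFileA call above. The PE image it runs on is constructed inside the script (a minimal two-section PE32, not the plug-in), and only direct PUSH references are found; other addressing forms are not covered.

```python
import struct

# The device path the plug-in opens; the same string is searched for in OD.
TARGET = b"\\\\.\\PhysicalDrive0"


def parse_sections(data):
    """Return (image_base, sections) from a PE file, where each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rptr, rsize))
    return image_base, sections


def raw_to_va(image_base, sections, raw_off):
    """Map a file offset to the virtual address it has once the image is loaded."""
    for _name, va, _vsize, rptr, rsize in sections:
        if rptr <= raw_off < rptr + rsize:
            return image_base + va + (raw_off - rptr)
    return None


def find_string_refs(data, needle=TARGET):
    """For each occurrence of needle return (file_offset, va, [addresses of
    PUSH imm32 instructions that push that va]).  Only direct 68 xx xx xx xx
    references are found; other addressing forms are not covered."""
    image_base, sections = parse_sections(data)
    results = []
    off = data.find(needle)
    while off != -1:
        va = raw_to_va(image_base, sections, off)
        refs = []
        if va is not None:
            pattern = b"\x68" + struct.pack("<I", va)
            for _name, sva, _vsize, rptr, rsize in sections:
                blob = data[rptr:rptr + rsize]
                p = blob.find(pattern)
                while p != -1:
                    refs.append(image_base + sva + p)
                    p = blob.find(pattern, p + 1)
        results.append((off, va, refs))
        off = data.find(needle, off + 1)
    return results


def build_sample_pe():
    """Constructed minimal PE32 image (not the plug-in): the string sits in
    .data and .text holds the PUSH sequence of a CreateFileA call."""
    image_base, text_va, data_va, text_raw, data_raw = 0x400000, 0x1000, 0x2000, 0x400, 0x600
    data_sec = TARGET + b"\0"
    str_va = image_base + data_va
    text_sec = (b"\x68" + struct.pack("<I", 0xC0000000)                  # PUSH C0000000 (access)
                + b"\x68" + struct.pack("<I", str_va)                    # PUSH <string va>
                + b"\xFF\x15" + struct.pack("<I", image_base + 0x3000)   # CALL [iat slot]
                + b"\xC3")
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                 # optional header magic (PE32)
    struct.pack_into("<I", hdr, 0x58 + 28, image_base)       # ImageBase
    for i, (name, va, raw, size) in enumerate([(b".text", text_va, text_raw, len(text_sec)),
                                               (b".data", data_va, data_raw, len(data_sec))]):
        off = 0x58 + 0xE0 + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, size, va, size, raw)
    image = bytearray(0x800)
    image[:0x400] = hdr
    image[text_raw:text_raw + len(text_sec)] = text_sec
    image[data_raw:data_raw + len(data_sec)] = data_sec
    return bytes(image)


if __name__ == "__main__":
    for off, va, refs in find_string_refs(build_sample_pe()):
        print("string at file offset %#x, VA %#x, pushed at %s" % (off, va, [hex(r) for r in refs]))
```

On the constructed image the string lands at VA 00402000 and the one reference is the PUSH at 00401005; on a real binary, run `find_string_refs(open(path, "rb").read())` and set breakpoints on the reported addresses instead of breaking on CreateFileA itself, which the game client and its libraries also call.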

Return, return, and return again, back to the place where this function is called. The methods I found online are all similar.
However, I could not find a general entry point on the Kanxue forum.
Whatever it turns out to be, just keep returning. When you land in the address space of a dynamic library, keep pressing Ctrl+F9 (execute till return) until you are back in the main program; at that point you will find that EAX holds the machine code.
Then return once more to the call site.
Generally, once the machine code has been obtained, one of the functions that follow will be the comparison. Check them one by one.

004182BF |. 50 | PUSH EAX
004182C0 |. E8 A5D10000 | CALL 0042546A ; this function obtains the machine code
004182C5 |. 8945 E8 | MOV [LOCAL.6], EAX ; save the return value
004182C8 |. 8B5D EC | MOV EBX, [LOCAL.5]
004182CB |. 85DB | TEST EBX, EBX
004182CD |. 74 09 | JE SHORT 004182D8
004182CF |. 53 | PUSH EBX
004182D0 |. E8 BC780200 | CALL 0043FB91 ; suspicious function
004182D5 |. 83C4 04 | ADD ESP, 4
004182D8 |> 8B5D F0 | MOV EBX, [LOCAL.4]
004182DB |. E8 759AFEFF | CALL 00401D55 ; suspicious function
004182E0 |. 53 | PUSH EBX
004182E1 |. 51 | PUSH ECX
004182E2 |. 8B45 F8 | MOV EAX, [LOCAL.2]
004182E5 |. 48 | DEC EAX
004182E6 |. 79 0D | JNS SHORT 004182F5
004182E8 |. 68 04000000 | PUSH 4
004182ED |. E8 AB780200 | CALL 0043FB9D
004182F2 |. 83C4 04 | ADD ESP, 4
004182F5 |> 59 | POP ECX
004182F6 |. 5B | POP EBX
004182F7 |. 3BC1 | CMP EAX, ECX
004182F9 |. 7C 0D | JL SHORT 00418308
004182FB |. 68 01000000 | PUSH 1
00418300 |. E8 98780200 | CALL 0043FB9D

A few lines are omitted here.
After finding this one, I realized that with a bit more patience I would not have had to check them one by one.

00418319 |. E8 ED8CFEFF | CALL 0040100B ; comparison function
0041831E |. 83C4 08 | ADD ESP, 8
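
Two things a practitioner wants at this point are a way to verify a transcribed listing and the byte-level patches that the title's "patching" refers to. The script below is an added example, not the author's code: it parses OllyDbg-style listing lines, recomputes every CALL/JMP/Jcc target from the opcode bytes (next instruction address plus the sign-extended displacement), and compares it with the target written in the mnemonic column, so a mistyped address is exposed (the call at 004182C0 is E8 A5D10000, which lands at 0042546A). It then shows the three standard ways to patch a conditional jump without changing its length: invert it, force it, or NOP it out. The listing text embedded in it is a constructed sample built from the lines above; which jump in this plug-in should be patched is not settled by the text above, which breaks off before the comparison is examined.

```python
import re

# OllyDbg listing line: address |. opcode bytes | mnemonic ; comment
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s*\|[.>]?\s*([0-9A-Fa-f ]+?)\s*\|\s*(.*)$")


def parse_listing(text):
    """Yield (address, opcode_bytes, mnemonic_text) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", "")), m.group(3).strip()


def branch_target(addr, code):
    """Absolute target of a relative CALL/JMP/Jcc (E8, E9, EB, 7x, 0F 8x); None otherwise."""
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) == 5:
        rel = int.from_bytes(code[1:5], "little", signed=True)
    elif (op == 0xEB or 0x70 <= op <= 0x7F) and len(code) == 2:
        rel = int.from_bytes(code[1:2], "little", signed=True)
    elif op == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:
        rel = int.from_bytes(code[2:6], "little", signed=True)
    else:
        return None
    return (addr + len(code) + rel) & 0xFFFFFFFF


def check_listing(text):
    """Map each branch address to (target computed from the bytes, target written in the
    mnemonic column) so a transcription error in a listing is exposed."""
    out = {}
    for addr, code, mnem in parse_listing(text):
        target = branch_target(addr, code)
        if target is None:
            continue
        m = re.search(r"\b([0-9A-Fa-f]{8})\b", mnem)
        out[addr] = (target, int(m.group(1), 16) if m else None)
    return out


def invert_jcc(code):
    """Flip a conditional jump (74 JE <-> 75 JNE, 0F 8C JL <-> 0F 8D JGE), same length."""
    if 0x70 <= code[0] <= 0x7F and len(code) == 2:
        return bytes([code[0] ^ 1]) + code[1:]
    if code[0] == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:
        return bytes([0x0F, code[1] ^ 1]) + code[2:]
    return None


def force_jmp(code):
    """Make a conditional jump unconditional without changing the instruction length:
    7x rel8 -> EB rel8; 0F 8x rel32 -> E9 rel32 plus a NOP (E9 is one byte shorter,
    so the displacement grows by one)."""
    if 0x70 <= code[0] <= 0x7F and len(code) == 2:
        return b"\xEB" + code[1:]
    if code[0] == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:
        rel = int.from_bytes(code[2:6], "little", signed=True)
        return b"\xE9" + (rel + 1).to_bytes(4, "little", signed=True) + b"\x90"
    return None


def nop_out(code):
    """Replace an instruction with NOPs so a jump is never taken (always falls through)."""
    return b"\x90" * len(code)


# Constructed sample: the lines of the listing above, with the targets the bytes imply.
LISTING = """\
004182BF |. 50 | PUSH EAX
004182C0 |. E8 A5D10000 | CALL 0042546A ; this function obtains the machine code
004182C5 |. 8945 E8 | MOV [LOCAL.6], EAX ; save the return value
004182CD |. 74 09 | JE SHORT 004182D8
004182D0 |. E8 BC780200 | CALL 0043FB91 ; suspicious function
004182DB |. E8 759AFEFF | CALL 00401D55 ; suspicious function
004182E6 |. 79 0D | JNS SHORT 004182F5
004182F9 |. 7C 0D | JL SHORT 00418308
00418319 |. E8 ED8CFEFF | CALL 0040100B ; comparison function
"""

if __name__ == "__main__":
    for addr, (computed, written) in sorted(check_listing(LISTING).items()):
        flag = "" if computed == written else "  <-- listing says %s" % written
        print("%08X -> %08X%s" % (addr, computed, flag))
```

Run it on a pasted listing before trusting any address in it; for the patch helpers, `force_jmp` keeps the instruction length, so the bytes can be written in place in OD (or at the corresponding file offset) without shifting anything after them.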
