How it works (1)

Source: Internet
Author: User
Tags: ultraedit

First, the three stages of learning to crack have to be mentioned:

Elementary: modify the program. Use UltraEdit or similar tools to modify the exe file. This is commonly called brute-force cracking.

Intermediate: find the software's registration code.

Advanced: write a keygen (registration-code generator).

Let's talk about brute-force cracking. So-called brute-force cracking means modifying the executable file itself to achieve the desired result. Don't follow? For example, a shareware program compares the registration code entered by the user with the one it computes; if they are equal (that is, the user entered the correct registration code), it jumps to the code path where registration succeeds, otherwise it jumps to the path where the error is reported.

Come on, let's see: we just need to find this jump instruction and change it into the "shape" we need. Then the program does what we want.

There are two common modification methods. I will give you an example of each:

No. 1

In one program, the registration check looks like this:

00451239 CALL 00405E02 (the key CALL: it checks whether the registration code the user entered is correct)

0045123D JZ 004572E6 (!!! <-- This is the key jump. If the user entered the correct registration code, it jumps to the success path at 004572E6)

0045XXXX YYYYYYYYYY

XXXXXXXX YYYYYYYYYY

XXXXXXXX YYYYYYYYYY

When execution reaches XXXXXXXX here, the user's registration has failed.

... Displays messages such as "incorrect registration code"

...

004572E6 ... <-- (registration successful !!!)

... Displays the "registration successful" message and related information

Have you understood it? If not, let me explain. When the program executes the CALL at 00451239 into 00405E02, the registration code is checked. A jump follows: if the user entered the correct registration code, it jumps to 004572E6, and arriving there means registration succeeded. If the registration code is incorrect, the jump at 0045123D is not taken and execution continues with what follows, which is the registration-failure part.

Do you understand? Hey hey... Yes, we only need to change the key jump from JZ to JNZ (then an incorrect registration code registers successfully and a correct one fails). Of course, you can also change it to JMP; in that case registration succeeds whether or not the code you entered is correct.


No. 2

Let's look at the other situation:

00451239 CALL 00405E02 (the key CALL: it checks whether the registration code the user entered is correct)

0045123D JNZ 004572E6 (!!! <-- This is the key jump. If the registration code entered by the user is incorrect, it jumps to the failure path at 004572E6)

0045XXXX YYYYYYYYYY

XXXXXXXX YYYYYYYYYY

XXXXXXXX YYYYYYYYYY

When execution reaches XXXXXXXX here, the user's registration has succeeded.

... Displays the "registration successful" message and related information

...

004572E6 ... <-- (registration failed !!!)

... Displays messages such as "incorrect registration code"

This time I'm sure you understand. Still don't?...

You must see something different from the first case. That's right! In the first case, a correct registration code jumps to the success path, and if the jump is not taken execution falls through to the failure path. In this case, an incorrect registration code jumps to the failure path, and otherwise execution falls through to the success path. So an incorrect code fails and a correct one succeeds.

In this case, in addition to changing JNZ to JZ, you can also change it to NOP. NOP does nothing, so once this jump is replaced with NOP, any registration code you enter is accepted.

The principle has been explained. Next, let's talk about the specific modification method (I assume you already know how to use the tools).

First, virtual address to file offset conversion. The address shown in SoftICE and W32Dasm is the memory address (memory offset), also called the virtual address (VA).
The addresses shown by hex editors such as Hiew and Hex Workshop are file addresses, called the file offset or physical address (raw offset).

So when we want to use a hex editor to modify an instruction in the executable file, we first need to find its file offset. No special conversion tool is needed: W32Dasm has this function built in. For example, when you navigate to 0045123D in W32Dasm, the status bar at the bottom of the window shows both the virtual address and the offset, like "@:0045123D @Offset 0005063Dh"; the value after "Offset", 0005063Dh, is the corresponding file offset. With that offset we can modify the executable in UltraEdit or another hex editor: open the executable in UltraEdit, press Ctrl+G, enter the offset you obtained, and the cursor lands on the corresponding machine code.

