[Article Title]: ida static analysis/cracking of a software Time Limit
[Author]: kusky
[Author mailbox]: p_168@163.com
[Author Home Page]: http://diylab.cnblogs.com
[Author's QQ number]: 109427716
[Software name]: A Video Monitoring Software
[Software size]: None
[Shelling method]: None
[Protection method]: Time Limit
[Language]: Borland c ++ builder 1999
[Tools]: ida pro
[Operating platform]: windows xp
[Author's statement]: This is purely out of interest, with no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
[Detailed process]
This article is a beginner's exercise in static analysis with IDA.
Compared with the older static analysis tool W32DASM, the most powerful feature of IDA Pro is library function recognition. IDA Pro identifies library functions, thunks and other symbols, marking large amounts of code that was not hand-written by the program's author, which saves a great deal of effort during analysis. In addition, IDA even recovers the names of some hand-written functions. Sigh, how comfortable!
Enough idle talk. If the use of IDA in this article is not clear to you, see sections 3.2.1 to 3.2.14 of the third edition of "Encryption and Decryption".
Symptom: after the program has run for an hour it stops working properly; some characters on the screen start to jump around. There is no other prompt.
Idea: because there is no clear prompt or message, it is hard to locate the key code by dynamic analysis alone. Starting from the API that obtains the system time and then finding the time comparison code is a more feasible approach.
To compare times, the program must first obtain the current time. There are two methods: one is to get the current system time (GetLocalTime), the other is to get the time since system start (GetTickCount). The former is affected when the system clock is changed; the latter is not.
Start the program and move the system clock forward one hour. The program immediately misbehaves, which indicates that changing the system time affects the program's judgement of its running time. So we can look for the API GetLocalTime.
Load the program in IDA. In the "Functions window" (if it is not shown, use Windows > Functions window, or Alt+1) find the time-related APIs.
Find the GetLocalTime function, right-click it and set a breakpoint.
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242H1L-0.PNG)
Press F9 to run the program; it breaks at the breakpoint.
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242M015-1.PNG)
The green "CODE XREF" comment lists the callers of this function; two are shown. Right-click the function name and choose "Jump to xref to operand". We can see that there are four calls:
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242G542-2.PNG)
Of the four, the second one, Sysutils::CurrentYear, as the name suggests only obtains the year, so we can ignore it. The other three need to be traced back until we reach user code.
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242H911-3.PNG)
Continue to the callers of Now.
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242LS7-4.PNG)
You can see that there are many callers. Normally we would have to track every one of them, but here something very interesting shows up: FormShow. I have written VB and know that the first step in writing a GUI program is FormShow; it is probably the same in Delphi. No hard decision needed, trace it directly. Double-click "_TFNewGoMain_FormShow+33" to reach the following view.
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242KB5-5.PNG)
.text:00408E43 call @Sysutils@Now$qqrv ; Sysutils::Now(void)
.text:00408E48 fstp dbl_CEEC9C
According to the documentation, Sysutils::Now() returns a floating point value: the integer part stores the number of days since January 1, 1900 and the fractional part stores the fraction of the current day that has elapsed. In Delphi, floating point return values are held in the FPU registers.
The fstp instruction stores the value in the top FPU register into the variable dbl_CEEC9C and pops it off the FPU stack.
Right-click dbl_CEEC9C, select Rename, and rename the variable to my_dbl_CEEC9_now for easy identification.
Now we have a clear picture of the program's design. According to the analysis so far, the program records the system time at startup and then checks it repeatedly; once more than an hour has passed it starts to misbehave. We only need to find the code that reads my_dbl_CEEC9_now to locate the key code.
Right-click my_dbl_CEEC9_now and choose "Jump to xref to operand". The following eight references are displayed.
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242L430-6.PNG)
According to the Type column, the references to my_dbl_CEEC9_now consist of four reads (r) and three writes (w). We should look at the read references first.
(Screenshot: http://www.bkjia.com/uploads/allimg/131120/01242G3I-7.PNG)
Fortunately, we got it right on the first try: here is the classic comparison and conditional jump.
The key lines above:
.text:00404195 call @Sysutils@Now$qqrv ; Sysutils::Now(void)
.text:0040419A fstp [ebp+var_380] ; current time
.text:004041A0 fld my_dbl_CEEC9_now ; time saved at startup
.text:004041A6 fadd ds:dbl_404AA0