In-class experiment: a small software hack

Source: Internet
Author: User

Binary Code Analysis report (a crack of good water)

Step one: use language.exe to check whether the program is packed; it is packed with ASPack.

Step two: unpack it with AspackDie.exe.

Step three: run language.exe on the unpacked program; it reports that the program was written in Delphi.

Step four: load the unpacked program into IDA and use View → Strings to list its strings. This turns up the "Registration code Error" string, which leads to the code that references it, as shown:

There are two branches at 0x004acad7: the branch at 0x004acadd is the registration-success branch, and the branch at 0x004acc3d is the registration-failure branch. So, to register successfully, I changed the jnz at 0x004acad7 to jz; any registration information entered then jumps to the 0x004acadd branch, that is, registration succeeds. The jnz can be modified with OllyDbg. Result:

However, after I closed the program and started it again, the prompt page was still there and the program was still unregistered (as shown), which made me realize that there is also code that verifies the registration information when the program starts.

Using IDA and OllyDbg, I started the analysis from the program's entry point.

The program first uses GetPrivateProfileStringA to read the user's registration information, including the user name and serial number, from User.dat, as shown:

Next, the program processes the user's registration information. This processing should be where the registration information is checked for correctness, which decides whether the program counts as registered.

In IDA's disassembly window, the registration information is verified in three places, as shown:

The first two places:

The third place:

While debugging with OllyDbg, I found that the first two checks pass and the third fails. So I changed the jnz at 0x004ad5c5 to jz, so that all three checks pass; registration verification then succeeds, the prompt page is no longer displayed, and the program is registered.

Result:
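Both patches described above change one conditional jump from jnz to jz, which flips a single bit of the opcode, so a tampered copy stands out when compared against a known-good file. The following is an added example, not part of the original report: `find_inverted_jumps` is a hypothetical helper, and the sample bytes are constructed from the addresses the report gives, not dumped from the program.

```python
"""Added example: flag inverted conditional jumps between two file images."""

# x86 condition codes; flipping the low bit of a Jcc opcode inverts its condition.
CC = ["jo", "jno", "jb", "jnb", "jz", "jnz", "jbe", "ja",
      "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def find_inverted_jumps(good: bytes, suspect: bytes, base: int = 0):
    """Return (address, form, original, patched) for each Jcc whose condition flipped.

    Heuristic byte-level scan with no disassembly: a changed data byte that
    happens to look like a Jcc opcode is reported too, so confirm each hit
    in a disassembler before acting on it.
    """
    if len(good) != len(suspect):
        raise ValueError("images differ in length; compare section by section")
    findings = []
    for off, (a, b) in enumerate(zip(good, suspect)):
        if a == b or a ^ b != 1:
            continue  # unchanged, or changed by more than the condition bit
        if 0x70 <= a <= 0x7F:  # short form: 7x rel8
            findings.append((base + off, "short", CC[a & 0xF], CC[b & 0xF]))
        elif (0x80 <= a <= 0x8F and off > 0
              and good[off - 1] == suspect[off - 1] == 0x0F):
            # near form: 0F 8x rel32; report the address of the 0F prefix
            findings.append((base + off - 1, "near", CC[a & 0xF], CC[b & 0xF]))
    return findings


# Constructed sample: "call sub_404b04" at 0x004acad2 followed by a near jnz
# at 0x004acad7 targeting 0x004acc3d, encoded from the report's addresses.
BASE = 0x004ACAD2
GOOD = bytes.fromhex("e82d80f5ff" "0f8560010000" "90")
PATCHED = bytes.fromhex("e82d80f5ff" "0f8460010000" "90")

if __name__ == "__main__":
    for addr, form, old, new in find_inverted_jumps(GOOD, PATCHED, BASE):
        print(f"{addr:#010x}: {form} {old} -> {new}")
```
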

Report:

I also tried to find the real registration code and succeeded; the process is as follows.

The left branch is the branch where registration succeeded, and the right branch is the branch where registration failed. Whether registration succeeds depends on the return value of call sub_404b04 at 0x004acad2, so I concluded that this function is the key function for verifying the registration. If sub_404b04 returns nonzero, the registration code is wrong. Analyzing sub_404b04 in IDA shows that it takes two parameters, in eax and edx (under Delphi's calling convention the first three parameters are passed in the eax, edx and ecx registers, in that order). sub_404b04 first compares whether the two parameters are the same; if they are not, it directly returns the first parameter (that is, not 0), so the first thing to ensure is that the two parameters are the same.

In OllyDbg, I set a breakpoint on this function, entered registration information, and clicked the Register button, which triggered the breakpoint. Observing eax and edx at that point, I found that edx pointed to the registration code I had entered, while eax was the parameter it was compared with, so I concluded that the correct registration code is what eax points to, as shown:

Therefore, the correct registration code for the user named "Wah" is "2EA4B10". Verified to be true.
