General steps of cracking: a summary of methods

Source: Internet
Author: User

I. Summary of common methods for detecting a packer (shell)
1. Scan the file with PEiD.
2. Check whether the code looks compressed when the file is loaded in OllyDbg (OD).
3. Look at the code at the program's entry point.
4. Check whether plaintext strings can be found.
5. Check whether the resources can be modified with a resource editor.

II. Summary of common ways to judge and handle appended data (overlay)
1. When PEiD reports [overlay] during the packer scan, there is appended data in about 95% of cases, but some programs have none and PEiD gives a false positive. In that case, test-run the program after unpacking: if it runs normally, there is no appended data.
2. If the file after unpacking is much smaller than the file before unpacking and still does not run after repair, the appended data is the cause.
3. If the program reports "Invalid data in the file." when run after unpacking, it has appended data.

Solutions
1. Overlay repair tool
2. Appended-data copy tool
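The PEiD [overlay] verdict above comes from the PE section table: any bytes beyond the end of the last section's raw data are unaccounted for and are treated as appended data. The following is an added example (not a tool from the original page) that performs that check on raw bytes; it builds a constructed, non-runnable PE image in memory so it can be tested offline. The helper name build_minimal_pe and the section layout it uses are assumptions of this example.

```python
import struct


def overlay_offset(data: bytes) -> int:
    """Return the offset where appended data (the overlay) starts, or -1 if none.

    Nothing in the section table accounts for bytes past the last section's
    raw data, so that is where an overlay, if present, begins."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                          # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_opt         # section headers follow the optional header
    end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40             # each IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end if end < len(data) else -1


def build_minimal_pe(sections, overlay: bytes = b"") -> bytes:
    """Build a constructed, non-runnable PE32 image for testing (assumption of this example).

    sections is a list of (PointerToRawData, SizeOfRawData) tuples."""
    size_opt = 224                                               # PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)        # magic only; rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", b".text", size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)
        for ptr, size in sections)
    image_end = max(ptr + size for ptr, size in sections)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(image_end, b"\0")
    return image + overlay


if __name__ == "__main__":
    clean = build_minimal_pe([(0x200, 0x200)])
    with_overlay = build_minimal_pe([(0x200, 0x200)], overlay=b"CONSTRUCTED OVERLAY")
    print(overlay_offset(clean), overlay_offset(with_overlay))   # prints -1 1024
```

This only tells you that bytes exist past the section table, which is exactly why the page's false-positive caveat applies: whether the program actually reads those bytes can only be confirmed by running it.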
III. Summary of common ways to defeat self-checks
1. Dual-OD method (if the software protects against running multiple instances, solve that first; do not give up on the method because of it).
2. Trace the exit function; usually ExitProcess or PostQuitMessage is called.
3. Use the PEiD plugin KANAL v2.90 to find the cryptographic algorithms and the core CRC or MD5 routine that verifies the disk file or the memory image.
IV. Common kinds of self-check
1. Date check
2. Size check
3. File checksum

General method for the size check
First look at the file size before unpacking: 10752 bytes, which is 2A00 in hexadecimal. Then look at the size after unpacking: 30208 bytes, which is 7600. The key is how to find the statement that compares the program's own size.
1. W32Dasm method. Load the unpacked file in W32Dasm and search for the value 2A00, then change 002A00 to the unpacked size 007600. (This has many limitations.)
2. For VB software that checks its own size, trace FileLen, because VB usually uses FileLen for this. Load the unpacked file in OD, set the breakpoint BP rtcFileLen, press F9 to run to it, then Alt+F9 to return to the caller.
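The size check described above compares the file length with a hard-coded constant, which is why patching one constant (2A00 to 7600) is enough to satisfy it. As an added example that is not from the original page, the block below puts that weak check beside a digest-based self-check that recomputes a SHA-256 over the file body and compares it with a trailer stored at the end of the file; the MARKER tag and trailer layout are assumptions of this example.

```python
import hashlib
import hmac

MARKER = b"SELFCHK:"               # constructed trailer tag, an assumption of this example
TRAILER_LEN = len(MARKER) + 32     # tag followed by a 32-byte SHA-256 digest


def check_size_only(image: bytes, expected_size: int) -> bool:
    """The weak check from the text: compare the length with a hard-coded constant.
    Any file of the right length passes, and patching the constant defeats it."""
    return len(image) == expected_size


def add_trailer(image: bytes) -> bytes:
    """Append MARKER + SHA-256(image) so the program can later verify its own bytes."""
    return image + MARKER + hashlib.sha256(image).digest()


def check_digest(image: bytes) -> bool:
    """Recompute the digest over everything before the trailer and compare it."""
    if len(image) < TRAILER_LEN:
        return False
    body, trailer = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    if not trailer.startswith(MARKER):
        return False
    return hmac.compare_digest(hashlib.sha256(body).digest(), trailer[len(MARKER):])


if __name__ == "__main__":
    original = b"constructed program bytes" * 8          # stand-in for an on-disk image
    signed = add_trailer(original)
    print(check_size_only(signed, len(signed)))          # True
    print(check_size_only(b"\0" * len(signed), len(signed)))   # True: same length passes
    print(check_digest(signed))                          # True
    print(check_digest(signed[:5] + b"X" + signed[6:]))  # False: a single changed byte
```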
V. Summary of common brute-force patching methods (when the key jump cannot be found, return to the main program's code segment at a critical jump)
1. Reverse the jump, or change it to JMP.
2. Or change it to NOP.
3. Change the comparison.
4. Modify one of the compared return values.
VI. Summary of common methods for removing the NAG window
1. Break on the call to the window function.
2. Stack (F12) call method.
3. Change the jump (if it is a registration NAG window).
Idea: just do not let the NAG window run.

VII. Summary of common tools and methods
1. OD code tracing
Locate the key CALL and set a breakpoint on it. Run to that point and examine the stack above and below it and the register contents, watching the data transfers around the key CALL, such as push, pop and lea.
2. WinHex registration-code method
Steps:
1. Start the software to be cracked.
2. Enter the user name and registration code, then press OK.
3. A dialog box appears (remember: do not press OK!).
4. Start WinHex.
5. Select the RAM editor.
6. Open the main RAM memory of the software you want to crack (usually the bottom-most "+" entry).
7. Search for the registration code.
8. If it is not found the first time, press F3 to search again.
9. Then you can find the registration code.

3. TRW2000 registration-code tracing
1. Open the registration dialog and enter your name and any registration code (987654321 is recommended).
2. Press Ctrl+N to call up TRW2000 and set a breakpoint (generally bpx hmemcpy). Press Enter, type g, and press Enter.
3. Return to the registration page and click "OK" in the registration window.
4. If TRW breaks in, the breakpoint worked and you can continue. If the "Registration failed" dialog box appears, the TRW breakpoint was ineffective; repeat step 2 and try another breakpoint. (For breakpoint settings, see the Kanxue tutorial; not repeated here.)
5. Type bc *, press Enter, type pmodule, press Enter, then press F12 repeatedly. When the screen shows "Registration failed", note how many times you pressed F12.
6. Repeat steps 1 to 4 a second time. This time press F12 (the number noted in step 5 minus 1) times and stop.
7. Start pressing F10 to step and look for the key CALL and key jump. Around the key CALL, use d eax and d edx and check the other registers as well. Sometimes you will see the registration code in the upper-right corner of TRW.
8. If it is not found, press F8 to step into the key CALL and observe. Continue tracing suspicious calls and jumps.

Note: if you still have not found the result, try again with the following adjustments. (If it still cannot be found, you can only use other software.)
It seems this method is useless for software without a pop-up dialog box!
1. If the registration code is not found, search for the user name instead.
2. Some software does not support Chinese user names, so use an English user name.
3. Some software requires a long registration code, so use a registration code longer or shorter than the original one.
4. We recommend entering the registration code 987654321, because 123456789 will collide with other numbers already in memory.

VIII. Summary of common solutions for pop-up web pages
First find the point where the web page pops up.
Right-click the stack line that shows the real code and choose "Follow in Dump".
In the dump window you can see many strings that you might want to change.

Looking upward, you first see the web page address at 004F5040... is that the one we are looking for?

Do not worry about it yet. Look further up to the address 004F4418, which is the real address we are looking for.

How to change it:
Open another OD, type dd 004F4418 in the command bar and press Enter.
Then switch the view at that address to HEX/ASCII (8 bytes).
Change 004F4418 > 1A to 00.


Adding a web page

006CE000 > 6A 01            push 1
006CE002   6A 00            push 0
006CE004   6A 00            push 0
006CE006   68 00E16C00      push dumped_.006CE100    ; ASCII "http://Blog.ShowHmily.Cn"
006CE00B   68 19E16C00      push dumped_.006CE119    ; ASCII "open"
006CE010   6A 00            push 0
006CE012   E8 C92EF47C      call ShellExecuteA

You only need to run this code; after it has run, you can jump back to the OEP.
