Optimizing brute-force cracking by modifying the flag bit

Source: Internet
Author: User

Text and figures: Hokkien
Many of my friends take it for granted that brute-force cracking is simple. In fact, a simple and elegant crack is not that easy to achieve, so today we will discuss how to optimize brute-force cracking.
Modifying the flag bit is a highly skilled technique in brute-force cracking. If we make good use of it, the complexity of cracking a piece of software drops considerably. We therefore have reason to believe that modifying the flag bit is the key to cracking a program cleanly.
Before discussing how the flag bit is implemented, let's look at the example below.

#include <stdio.h>

typedef int BOOL;          /* Windows-style BOOL, as used by the original sketch */
#define TRUE  1
#define FALSE 0

BOOL RegFlag = FALSE;      /* RegFlag is the registration flag */

BOOL IsReg(void)           /* check whether the software is registered */
{
    /* ...... */
    if (RegFlag == TRUE)
        return TRUE;
    else
        return FALSE;
}

void Function1(void)       /* software function 1 */
{
    if (IsReg())
    {
        /* ...... */
    }
    else
    {
        printf("Sorry, you have not registered yet, you cannot use function 1!\n");
        return;
    }
}

void Function2(void)       /* software function 2 */
{
    if (IsReg())
    {
        /* ...... */
    }
    else
    {
        printf("Sorry, you have not registered yet, you cannot use function 2!\n");
        return;
    }
}
Although the above is a simple verification scheme, it is the flow used by many programs. For verification routines like this, the usual brute-force patch is to change the JNE to a JE at the comparison jump in Function1() and in Function2(). That works, but it has an obvious drawback: too many modifications, which is a big taboo in cracking. Imagine a program that calls IsReg for its registration check in dozens of places; the time needed to patch every one of them is hard to contemplate. So we need a simpler method that reaches the same goal with the least time and the fewest modifications, and that method is modifying the flag bit.
For a clearer understanding, look at the code above once more. Function1 and Function2 decide whether to run their feature on one condition: that IsReg returns true. Now consider another line of thinking. If IsReg returned true under all circumstances, would Function1 and Function2 run their features? The answer is yes. So we can locate the code of IsReg and modify its return value directly, assigning true to the return value, and the software will then run along the expected path. This is modifying the flag bit. The following two typical examples should help you understand the method better.
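As an added illustration (not code from the article), the following C program models the pattern the article describes: a single registration predicate shared by every feature, beside the defender's counterpart in which each feature re-derives the decision itself, so that no single return value opens everything. The license record and the FNV-1a key derivation are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed license record for this example, not the real product's format. */
typedef struct { char user[32]; uint32_t code; } License;

/* Assumed toy key derivation (FNV-1a over the user name); it stands in for
 * whatever algorithm a real product uses and is not taken from the article. */
static uint32_t expected_code(const char *user)
{
    uint32_t h = 2166136261u;
    for (const char *p = user; *p; p++) { h ^= (uint8_t)*p; h *= 16777619u; }
    return h;
}

/* Builds a sample record; valid == false gives it a wrong code. */
static License make_license(const char *user, bool valid)
{
    License l;
    memset(&l, 0, sizeof l);
    strncpy(l.user, user, sizeof l.user - 1);
    l.code = expected_code(l.user) + (valid ? 0u : 1u);
    return l;
}

/* The IsReg() pattern from the article: one predicate shared by every feature. */
static bool is_reg_central(const License *l) { return l->code == expected_code(l->user); }

/* Models the altered predicate the article describes: it always reports success. */
static bool is_reg_patched(const License *l) { (void)l; return true; }

/* Function1 and Function2 both gate on the shared predicate, so one change to it opens both. */
static int features_unlocked_central(const License *l, bool (*is_reg)(const License *))
{
    int unlocked = 0;
    if (is_reg(l)) unlocked++;   /* Function1 */
    if (is_reg(l)) unlocked++;   /* Function2 */
    return unlocked;
}

/* Defender's counterpart: each feature re-derives the decision itself, so no single return value opens everything. */
static int features_unlocked_inline(const License *l)
{
    int unlocked = 0;
    if (l->code == expected_code(l->user)) unlocked++;          /* Function1 */
    if ((l->code ^ expected_code(l->user)) == 0u) unlocked++;   /* Function2 */
    return unlocked;
}
```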

Modifying the flag bit to crack Ultra MP3 to CD Burner v1.6.0
Ultra MP3 to CD Burner v1.6.0 is a powerful yet simple burning program that supports MP3, WAV, WMA, OGG and other audio formats. The overall impression is quite good. However, it is time-limited shareware: when the program starts, a registration prompt appears, as shown in figure 1.

Figure 1
Now let's crack it. First, check for a packer: the PE identifier reports "Microsoft Visual C++ 6.0", so the author seems confident enough in his own algorithm not to pack the program. Load the software in OllyDbg (OD). After ignoring several exceptions, the program stops at the entry point. Search the string references for "invalid user name or register code" and double-click the corresponding code.

0040EA92  . E8 99F9FFFF     call Ultra_MP.0040E430
0040EA97  . 83C4 08         add esp, 8
0040EA9A  . 85C0            test eax, eax
0040EA9C  . 75 2B           jnz short Ultra_MP.0040EAC9
0040EA9E  . 6A 40           push 40
0040EAA0  . 68 E49D4100     push Ultra_MP.00419DE4            ; ASCII "Sorry"
0040EAA5  . 68 C09D4100     push Ultra_MP.00419DC0            ; ASCII "Invalid user name or register code"

Set a breakpoint at 0040EA92 and run the software. In the registration box, enter the user name "Hokkien" and the registration code "12345abcde". After you click OK, the program breaks at that address. Press F7 to step into the call at 0040EA92, which brings us to the following code.

0040E430 /$ 6A FF           push -1
0040E432 |. 68 D9384100     push Ultra_MP.004138D9            ; SE handler installation
0040E437 |. 64:A1 0000000>  mov eax, dword ptr fs:[0]
0040E43D |. 50              push eax
0040E43E |. 64:8925 00000>  mov dword ptr fs:[0], esp
0040E445 |. 81EC 94000000   sub esp, 94
0040E44B |. 8B8424 A40000>  mov eax, dword ptr ss:[esp+A4]
0040E452 |. 53              push ebx
0040E453 |. 56              push esi
0040E454 |. 50              push eax
0040E455 |. 8D4C24 10       lea ecx, dword ptr ss:[esp+10]
0040E459 |. C74424 60 E1B>  mov dword ptr ss:[esp+60], 6547BCE1
0040E461 |. C74424 64 133>  mov dword ptr ss:[esp+64], C43F3613
0040E469 |. C74424 68 CF1>  mov dword ptr ss:[esp+68], 2EFD1DCF
0040E471 |. C74424 6C C56>  mov dword ptr ss:[esp+6C], 1D286CC5
0040E479 |. C74424 70 7F7>  mov dword ptr ss:[esp+70], 1DB07B7F
0040E481 |. C74424 74 016>  mov dword ptr ss:[esp+74], 775F6901
0040E489 |. C74424 78 B94>  mov dword ptr ss:[esp+78], 5BEC44B9
0040E491 |. C74424 7C 38D>  mov dword ptr ss:[esp+7C], 3637D938

Wow, so many constants! The algorithm looks genuinely complicated, but we don't need to worry about it, because our goal is only to crack it. Still, don't rush into the brute-force patch: a rough read of the code in OD helps you find the right place for it. Stepping on through the code, we arrive here.

0040EA92  . E8 99F9FFFF     call 0040E430
0040EA97  . 83C4 08         add esp, 8
0040EA9A  . 85C0            test eax, eax
0040EA9C  . 75 2B           jnz short 0040EAC9                ; key jump
0040EA9E  . 6A 40           push 40
0040EAA0  . 68 E49D4100     push 00419DE4                     ; ASCII "Sorry"
0040EAA5  . 68 C09D4100     push 00419DC0                     ; ASCII "Invalid user name or register code"

Look at this code: isn't that the key jump? Can the program be cracked simply by modifying it? Practice shows that this does not succeed; if you are interested, try it yourself, I won't go into it here. So can it be cracked at all? Before answering that question, let's analyse the code above.

0040EA9A  . 85C0            test eax, eax
0040EA9C  . 75 2B           jnz short 0040EAC9

These two lines test EAX: if it is 0, registration fails. Obviously the CALL just above is what sets EAX, so this CALL behaves like a function declared BOOL in C: it returns TRUE when the registration is valid and FALSE otherwise. The key to the brute-force crack is therefore to find the code inside that CALL which assigns EAX and modify it. So let's step into the CALL above and look at the code below.

0040E696 |. 85C0            test eax, eax
0040E698 |. C68424 A40000>  mov byte ptr [esp+A4], 6
0040E6A0    0F84 86000000   je 0040E72C                       ; key jump!
0040E6A6 |. E8 0F350000     call <jmp.&MFC42.#800>
0040E6AB |. 8D4C24 4C       lea ecx, dword ptr [esp+4C]
0040E6AF |. C68424 A40000>  mov byte ptr [esp+A4], 5
0040E6B7 |. E8 e00000000    call 000000da0
0040E6BC |. 8D4C24 34       lea ecx, dword ptr [esp+34]
0040E6C0 |. 889C24 A40000>  mov byte ptr [esp+A4], bl
0040E6C7 |. E8 d00000000    call 000000da0
0040E6CC |. 8D4C24 44       lea ecx, dword ptr [esp+44]
0040E6D0 |. C68424 A40000>  mov byte ptr [esp+A4], 8
0040E6D8 |. E8 C3260000     call 001_da0
0040E6DD |. 8D4C24 3C       lea ecx, dword ptr [esp+3C]
0040E6E1 |. C68424 A40000>  mov byte ptr [esp+A4], 1
0040E6E9 |. E8 B2260000     call 001_da0
0040E6EE |> 8D4C24 08       lea ecx, dword ptr [esp+8]
0040E6F2 |. C68424 A40000>  mov byte ptr [esp+A4], 0
0040E6FA |. E8 BB340000     call <jmp.&MFC42.#800>
0040E6FF |. 8D4C24 0C       lea ecx, dword ptr [esp+C]
