Principles and experiences of brute-force software cracking

Source: Internet
Author: User

Comments: Brute-force cracking is used when the registration code, or the routine that computes it, is too complicated to work out (the normal approach is to derive the registration code backwards from the check), so the program itself is modified instead. Modifying the program to bypass its protection is what is usually called brute-force cracking.


Now let's split the software that brute-force cracking is applied to into different types, so that everyone knows how brute-force cracking of each type differs from working out the registration code.


1. Trial software


This type of software is released for evaluation and generally cannot be registered at all. Its only protection is a time bomb, so brute-force cracking is the only option: just remove the time bomb.


2. Shareware that does not ask for a registration code


This kind of software is relatively mature, but the author has not protected it with a registration code and has only added a time bomb, the same as above, so the cracking is the same as above.


3. Shareware whose registration-code calculation is too complicated


Here the author has deliberately used a very complex calculation, so the registration code cannot be obtained by reverse derivation, and brute-force cracking is the only way to keep using the software.


4. Shareware with a prompt (nag) window


Generally this kind of software shows a prompt window when it starts. The most annoying ones impose a delay: you have to wait, say, 10 seconds before the software will run. Brute-force cracking is usually used for these. (Cracking the registration code is not covered here.)


5. Shareware protected by a key file


Such software is usually hard for a cracker to decrypt, but quite easy to brute-force crack: you only need to find the right place to patch.


6. Packed (shelled) shareware


This is the most difficult kind of brute-force cracking, because without knowledge of packing (shelling) you cannot patch the software at all. So a good understanding of unpacking is needed to deal with this protection.


Now let's take an example to explain how to perform brute force cracking.


Brief introduction: the target is a setup-program builder that creates very small installation files (only 2-3 KB) and supports Win95/98/NT. No SETUP.EXE is required: the user just right-clicks the file and chooses Install, although it can also build an INF package that contains a SETUP.EXE. It can generate one or more ZIP or EXE files, uses an INI file, and can package in multiple languages.


Tracking: after I loaded the software it told me it had expired, so that is the problem to solve first. I loaded it in SoftICE at the beginning but did not analyze it there; instead I used W32Dasm, which is very good at analyzing expiring software of this kind. A cracker must have such a good tool.


The listing is as follows:


: 004B3882 D805E04A4B00          fadd dword ptr [004B4AE0]
: 004B3888 DB7DC8                fstp tbyte ptr [ebp-38]
: 004B388B 9B                    wait
: 004B388C E8D366F5FF            call 00409F64
: 004B3891 DB6DC8                fld tbyte ptr [ebp-38]
: 004B3894 DED9                  fcompp
: 004B3896 DFE0                  fstsw ax
: 004B3898 9E                    sahf
: 004B3899 7321                  jnb 004B38BC
: 004B389B 6A00                  push 00000000
: 004B389D 668B0DE44A4B00        mov cx, word ptr [004B4AE4]
: 004B38A4 B202                  mov dl, 02

* Possible StringData Ref from Code Obj -> "This version of INF-Tool Lite"
                                        -> "is outdated."

: 004B38A6 B8F04A4B00            mov eax, 004B4AF0
: 004B38AB E8383BFAFF            call 004573E8
: 004B38B0 A180C74C00            mov eax, dword ptr [004CC780]
: 004B38B5 8B00                  mov eax, dword ptr [eax]
: 004B38B7 E894AAF9FF            call 0044E350

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
: 004B3899 (C)

: 004B38BC C605ADFC4C0000        mov byte ptr [004CFCAD], 00
: 004B38C3 C605ACFC4C0000        mov byte ptr [004CFCAC], 00
: 004B38CA B201                  mov dl, 01
: 004B38CC A120F44000            mov eax, dword ptr [0040F420]
: 004B38D1 E8FAF7F4FF            call 004030D0
: 004B38D6 898644160000          mov dword ptr [esi+00001644], eax


Do you see the expiry message? Look at the conditional jump just above it (the jnb at 004B3899): that is very likely the spot where expiry is decided, but we have to confirm it, so change it to an unconditional jump. That's it; you will know after one try. When the software started it did not even ask for a registration code, so it was cracked.
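As an added illustration (not code from the original article), the following Python replays the comparison in the listing so that the meaning of the jnb is clear: fcompp sets C0 when ST(0) is less than ST(1), fstsw ax plus sahf copy C0 into CF, and jnb jumps when CF is clear. It assumes that the call at 00409F64 returns the current date as a Delphi TDateTime in ST(0) and that the value added at 004B4AE0 is a grace period in days; both are assumptions, not facts from the article.

```python
from datetime import date

# Assumption: the program is a Delphi binary, so dates are TDateTime values,
# i.e. days counted from 1899-12-30 (fractional part = time of day).
DELPHI_EPOCH = date(1899, 12, 30)

CONTINUE = "004B38BC (continue)"
OUTDATED = "004B389B (outdated message)"


def tdatetime(iso_day: str) -> float:
    """Convert 'YYYY-MM-DD' to the day count the fadd/fcompp operate on."""
    return float((date.fromisoformat(iso_day) - DELPHI_EPOCH).days)


def fcompp_cf(st0: float, st1: float) -> int:
    """Model 'fcompp; fstsw ax; sahf'.

    fcompp sets C0 when ST(0) < ST(1); sahf moves C0 into CF.
    """
    return 1 if st0 < st1 else 0


def jump_taken(opcode: int, cf: int) -> bool:
    """0x73 is jnb (jump if CF == 0); 0xEB is jmp short, which ignores flags."""
    if opcode == 0x73:
        return cf == 0
    if opcode == 0xEB:
        return True
    raise ValueError("only jnb (0x73) and jmp short (0xEB) are modelled")


def expiry_decision(today: str, release: str, grace_days: float,
                    opcode: int = 0x73) -> str:
    """Replay 004B3882..004B3899 for one clock value and report where
    control flow goes. Dates are 'YYYY-MM-DD' strings (constructed input)."""
    # fadd dword ptr [004B4AE0]; fstp tbyte ptr [ebp-38]
    expiry = tdatetime(release) + grace_days
    # call 00409F64 (assumed Now()) leaves the current date in ST(0) ...
    st1 = tdatetime(today)
    # ... and fld tbyte ptr [ebp-38] pushes the expiry on top of it.
    st0 = expiry
    cf = fcompp_cf(st0, st1)          # CF=1 exactly when expiry < today
    return CONTINUE if jump_taken(opcode, cf) else OUTDATED


if __name__ == "__main__":
    for today in ("2000-06-01", "2001-06-01"):
        print(today, "->", expiry_decision(today, "2000-01-01", 365.0))
```

Reading it this way shows why the fall-through path holds the "outdated" string: the jump at 004B3899 is taken only while the stored expiry is still on or after today's date, and an unconditional jump removes that dependency on the flags entirely.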


********************************
* Search:  9E 73 21 6A 00      *
* Replace: 9E EB 21 6A 00      *
********************************
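From the defender's side, the byte pattern in the box above is exactly what a vendor's integrity check or an incident responder can look for in a suspicious copy. The following Python is an added example, not from the article: it scans an image for the intact form of the check (sahf; jnb; push 0) and for the patched form (sahf; jmp short; push 0), and compares the image against a SHA-256 baseline. The sample image and its baseline hash are constructed here; in a real PE you would map the RVA 004B3899 to a file offset through the section table rather than searching blindly.

```python
import hashlib
from typing import List, Tuple

# Bytes from the article's search/replace box.
INTACT_CHECK = bytes.fromhex("9E73216A00")   # sahf; jnb +21h; push 0
PATCHED_CHECK = bytes.fromhex("9EEB216A00")  # sahf; jmp short +21h; push 0


def find_all(image: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs in `image` (overlaps allowed)."""
    hits, start = [], 0
    while True:
        i = image.find(pattern, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


def scan_expiry_check(image: bytes) -> List[Tuple[int, str]]:
    """Report each occurrence of the expiry check and whether it is intact
    or has been turned into an unconditional jump."""
    hits = [(off, "intact") for off in find_all(image, INTACT_CHECK)]
    hits += [(off, "patched") for off in find_all(image, PATCHED_CHECK)]
    return sorted(hits)


def verify_image(image: bytes, expected_sha256: str) -> Tuple[bool, str]:
    """Compare the image against a known-good SHA-256 baseline."""
    digest = hashlib.sha256(image).hexdigest()
    return digest == expected_sha256, digest


# Constructed sample: filler, the 'fstsw ax' bytes, the check, more filler.
SAMPLE_IMAGE = b"\x90" * 16 + bytes.fromhex("DFE0") + INTACT_CHECK + b"\x90" * 8
# Baseline computed from the constructed sample (a vendor would ship this).
BASELINE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
# Same image with the one-byte change described in the article.
TAMPERED_IMAGE = SAMPLE_IMAGE.replace(INTACT_CHECK, PATCHED_CHECK)


def report(image: bytes, baseline: str) -> str:
    ok, digest = verify_image(image, baseline)
    lines = [f"sha256 {digest} ({'matches' if ok else 'DIFFERS from'} baseline)"]
    for off, state in scan_expiry_check(image):
        lines.append(f"expiry check at offset 0x{off:X}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IMAGE, BASELINE_SHA256))
    print(report(TAMPERED_IMAGE, BASELINE_SHA256))
```

The hash comparison catches any modification at all; the pattern scan additionally tells you which check was altered, which is the detail an analyst wants when deciding whether a sample is a tampered copy of a known product.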


This software was cracked by brute force. Now let's analyze how brute-force cracking is done in general.


For brute-force cracking it is best to use a disassembler such as W32Dasm. Why? Because software that has to be brute-force cracked usually shows a prompt window about the usage period or the number of uses, so you can note the text of that window, use W32Dasm to find the code that references it, and then find the jump that leads there and work out how to avoid it. This is the usual method of brute-force cracking.


Look carefully at the example above; this is the method usually used for brute-force cracking. The following tricks should be used when cracking.


1. Move the system date forward, usually by one year. Time-limited software will then report that it has expired, so you can load it in W32Dasm, TRW or SoftICE and analyze it normally.


2. Search the registry for the software's key value. After deleting it the software prompts that it has expired or requires registration.


3. For software that limits the number of uses, find the corresponding registry or file value; this can also be used to crack the software.
