Unpacking and Cracking Techniques

Source: Internet
Author: User

General process of brute-force (patch) cracking
1. If the program is packed, unpack it first.
2. Try to register and note any prompt the program shows; that gives us a thread to pull on.
3. If a prompt appears, use the OD (OllyDbg) dynamic debugger or the W32Dasm static disassembler to locate the registration prompt string.
4. Go to the error prompt and analyze the code around it to find the key call and the key jump!
5. Patch the code.
6. Copy the patch to the executable and save!

If no prompt is displayed, we can use several API breakpoints to complete these operations.
Today's common software protection methods are:
1. Serial number protection (registration code = f(machine code / serial number))
2. Warning (NAG) window
3. Time limit / run-count limit
4. Menu restrictions
5. Key file protection
6. CD-Check
7. Run only one instance

Some software saves the registration code in an .ini file, the registry, a .DAT file, and so on.

Common breakpoint settings

String
BP GetDlgItemTextA(W) ****
BP GetDlgItemInt
BP GetWindowTextA(W) ****
BP GetWindowWord
bmsg XXXX WM_GETTEXT

Dialog box
BP MessageBeep
BP MessageBoxA(W) ****
BP MessageBoxExA(W)
BP DialogBoxParamA(W)
BP CreateWindowExA(W)
BP ShowWindow
BP UpdateWindow
bmsg XXXX WM_COMMAND

For VB programs, BP MessageBoxA will not break; use BP rtcMsgBox instead.

Registry related
BP RegCreateKeyA(W)
BP RegDeleteKeyA(W)
BP RegQueryValueA(W)
BP RegCloseKey
BP RegOpenKeyA(W) ****

Time related
BP GetLocalTime
BP GetFileTime
BP GetSystemTime

CD-ROM or disk related
BP GetFileAttributesA(W)
BP GetFileSize
BP GetDriveType
BP GetLastError
BP ReadFile
bpio -h (CD-ROM port address) r

Software dongle
bpio -h 278 r
Bpio-H Branch R

INI initialization file
BP GetPrivateProfileStringA ****
BP GetPrivateProfileInt
BP WritePrivateProfileString
BP WritePrivateProfileInt

File access
BP ReadFile
BP WriteFile
BP CreateFileA ****
BP SetFilePointer
BP GetSystemDirectory

Network verification: commonly used by many plug-ins. The usual approach is to turn the network verification into local verification, so that the check "passes" without the remote host ever being consulted!
Restart verification to determine whether the program is registered: very common. The program usually saves the registration code entered by the user, either directly or after encryption, to a file or the registry, and then prompts the user to restart to verify the registration. When the program is reopened, it reads the stored registration code from the file or registry and compares it with the result of its own registration algorithm. If they match, the program naturally becomes a registered copy; if not, it is simply rejected. Note that software using restart verification always stores the registration code in the registry or in a file!

The following describes a general solution to this type of software!

The rough verification process of restart-verification software:
1. Run the software, enter the registration information, and click Register. The software usually prompts you to re-run it to verify the registration information (FlashGet, for example).
This prompt is displayed only when you enter the correct registration information; otherwise it tells you that the registration information is incorrect (the software discussed here belongs to this type).

2. To crack this kind of software, first determine where the registration information is stored (it has to be stored somewhere for the restart verification). There are roughly two storage methods: the registry or a file. (We can find out using monitoring tools such as Filemon and Regshot, taking a snapshot before entering the registration information and clicking OK.)

3. Once you know where the registration information is stored, you can select the corresponding API breakpoint for debugging.

Common APIs for accessing the registry
BP RegOpenKeyA opens an existing registry key ****
BP RegOpenKeyExA opens an existing registry key ****
BP RegCreateKeyA creates or opens a subkey under the specified key
BP RegCreateKeyExA creates a subkey under the specified key, with more options
BP RegDeleteKeyA deletes the specified subkey of an existing key
BP RegDeleteValueA deletes a value under the specified key
BP RegQueryValueA retrieves the value of a key
BP RegQueryValueExA retrieves the value of a key (extended version)
BP RegSetValueA sets the value of the specified key or subkey
BP RegSetValueExA sets the value of the specified key (extended version)
BP RegCloseKey closes a handle to a key in the system registry

Common APIs for accessing files
BP CreateFileA opens or creates files, pipes, mailslots, communication resources, devices, and the console ****
BP OpenFile an older function that can perform many different file operations
BP ReadFile reads data from a file
BP ReadFileEx similar to ReadFile, but only for asynchronous reads, with a completion callback

Common unpacking methods

Prerequisites

1. pushad (push all registers) marks the entry point of the packer's stub.
2. popad (pop all registers) marks the exit point of the stub, matching the pushad. The OEP is usually located nearby.
3. OEP: the original entry point of the program. Packing hides the OEP (or presents a false OEP, FOEP). As long as we find the program's real OEP, we can dump (unpack) it immediately.
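The pushad/popad observation above is also useful from the defender's side: a malware analyst triaging samples wants to know whether a file is packed before opening a debugger at all. The following is an added example, not code from the original page, that turns that observation into a static check: it parses the PE headers, looks for section names left behind by packers such as UPX and ASPack, and tests whether the first byte at the declared entry point is PUSHAD (0x60). The packer section-name list and the two sample PE images built by build_test_pe are constructed for this example.

```python
"""Added example (not from the original page): a minimal PE packer-triage check.

The unpacking prerequisites note that packers such as UPX and ASPack start their
stub with PUSHAD and restore registers with POPAD before jumping to the hidden OEP.
A defender doing malware triage can turn that into a static check run before any
debugger is opened: parse the PE headers, look at the section names, and see whether
the first byte at the declared entry point is PUSHAD (0x60).
"""
import struct
import sys

# Section names commonly left behind by the packers the page mentions (constructed list).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".ASPack"}
PUSHAD_OPCODE = 0x60  # one-byte 32-bit PUSHAD, the packer stub entry the page describes


def parse_pe(data):
    """Parse the DOS/COFF/optional headers and the section table of a 32-bit PE.

    Returns (entry_rva, sections); each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for _name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    return None


def packer_indicators(data):
    """Return a list of human-readable reasons the file looks packed (empty if none)."""
    entry_rva, sections = parse_pe(data)
    hits = []
    for name, *_ in sections:
        if name in PACKER_SECTION_NAMES:
            hits.append("section name %s" % name.decode("ascii", "replace"))
    off = rva_to_offset(entry_rva, sections)
    if off is not None and off < len(data) and data[off] == PUSHAD_OPCODE:
        hits.append("PUSHAD at entry point")
    # Packers put their stub in a later section (cf. the .ASPack entry in Method 6),
    # so an entry point outside the first section is another common sign.
    if sections:
        _, first_va, first_vs, _, first_rs = sections[0]
        if not (first_va <= entry_rva < first_va + max(first_vs, first_rs)):
            hits.append("entry point not in first section")
    return hits


def build_test_pe(second_section, entry_in_first, first_byte):
    """Construct a minimal two-section PE32 image (constructed test data, not a real program)."""
    opt_size, nsections, raw_base = 224, 2, 0x200
    text = (b".text", 0x1000, 0x200, raw_base, 0x200)
    other = (second_section, 0x2000, 0x200, raw_base + 0x200, 0x200)
    entry_rva = text[1] if entry_in_first else other[1]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    table = b""
    for name, vaddr, vsize, rptr, rsize in (text, other):
        table += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rsize, rptr) + b"\0" * 16
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_base, b"\0")
    body = bytearray(0x400)
    body[(text[3] if entry_in_first else other[3]) - raw_base] = first_byte
    return headers + bytes(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(packer_indicators(f.read()) or ["no packer indicators"])
    else:
        print("clean :", packer_indicators(build_test_pe(b".data", True, 0x55)))  # 0x55 = push ebp
        print("packed:", packer_indicators(build_test_pe(b"UPX1", False, PUSHAD_OPCODE)))
```

Run it with a file path to check a real sample, or with no arguments to see the two constructed images classified. The check is a heuristic, not proof: a custom packer can rename its sections and avoid PUSHAD, and an unpacked binary can legitimately start elsewhere than its first section, so treat a hit as a reason to look closer rather than a verdict.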

Method 1: single-step tracing
1. Load the program in OD and click "Do not analyze code!"
2. Single-step with F8, following jumps downward only. That is, jumps that go upward are not taken (skip over them with F4).
3. When the program jumps back (including loops), press F4 on the next instruction below (or right-click the instruction and choose Breakpoint -> Run to selection).
4. A green line means the jump is not taken, ignore it; a red line means the jump is taken!
5. If there is a call right after the program is loaded, step into it with F7, otherwise the program easily runs away. This way we quickly reach the program's OEP.
6. During tracing, if a call is executed, enter it with F7.
7. There are usually large jumps (jumps spanning segments), such as JMP xxxxxx or JE xxxxxx, or a retn; the program's OEP is usually reached soon after.

BTW: when some packers cannot be traced downward, we can find a nearby untaken large jump, right-click -> "Follow", set a breakpoint there with F2, press Shift+F9 to run to the "followed" location, then remove the breakpoint and continue with F8. Usually you reach the OEP easily this way!

Method 2: ESP law
ESP law unpacking (watch ESP in OD's register pane; we only need to set a hardware access breakpoint on the ESP address from the command line, and we arrive at the program's OEP!)
1. Press F8 at the start and watch for ESP in the register pane (top right of OD) turning red. (This is generally the first ESP value after the key instruction.)
2. In the command line: dd XXXXXXXX (the current ESP address), or hr XXXXXXXX, and press Enter!
3. Select the address in the dump, Breakpoint -> Hardware, on access -> Word.
4. Press F9 to run the program; it stops right at the jump. Press F8 once to reach the program's OEP.

Method 3: memory map
1. Open the software in OD!
2. Click Options -> Debugging options -> Exceptions and tick "Ignore all" exceptions! Reload the program with Ctrl+F2!
3. Press Alt+M to open the memory map and find the program's first .rsrc section. Set a breakpoint on it with F2, then press Shift+F9 to run to that breakpoint. Press Alt+M again to open the memory map and find the .code section above the first .rsrc (the one at 00401000), and set a breakpoint on it with F2! Then press Shift+F9 (or F9 if there is no exception) and you arrive directly at the program's OEP!

Method 4: reaching the OEP in one step
1. At the start, press Ctrl+F and search for popad (applies only to a few packers, including UPX and ASPack), set a breakpoint with F2 and press F9 to run there.
2. Step to the big jump and press F8 to reach the OEP!

Method 5: last exception method
1. Open the software in OD.
2. Click Options -> Debugging options -> Exceptions and untick everything! Reload the program with Ctrl+F2.
3. The program starts at a jump. Press Shift+F9 repeatedly until the program runs, and write down the number of Shift+F9 presses from the start until the program runs; call it M!
4. Reload the program with Ctrl+F2 and press Shift+F9 M-1 times (one fewer than the count that made the program run).
5. In the lower-right corner of OD we see an "SE handler". Press Ctrl+G and enter the address shown before the SE handler!
6. Set a breakpoint with F2! Then press Shift+F9 to reach the breakpoint!
7. Remove the breakpoint and step down slowly with F8!
8. The program's OEP!

Method 6: simulated tracing
1. First run a test pass and follow the program to see whether there are any SEH traps or the like.
2. Press Alt+M to open the memory map and find the entry marked (contains = SFX, imports, relocations):

Memory map, item 30
Address = 0054b000
Size = 00002000 (8192.)
Owner = check 00400000
Section = .ASPack
Contains = SFX, imports, relocations
Type = Imag 01001002
Access = R
Initial access = RWE

3. The address is 0054b000, so on the command line we enter tc eip<0054b000, press Enter, and the tracing runs...

BTW: when you use this method, you need to understand when it is applicable.

Method 7: SFX method
1. Set OD to ignore all exceptions, that is, tick everything on the Exceptions tab.
2. Switch to the SFX tab, select "Byte mode: trace real entry (very slow)", and click OK.
3. Reload the program (if a dialog pops up asking "Compressed code?", choose "No", and OD will arrive at the OEP).