Simple OCX control cracking Solution

Source: Internet
Author: User

Anyone who has studied programming and cracking knows that OCX files and COM DLLs are all executable files of the "dynamic link library" kind. Although they are executable files, they are not launched directly like an EXE; they exist to extend an application's functionality and are loaded into the caller's address space for the caller to use. For that reason, cracking an OCX or DLL is no harder than cracking an EXE program (I used to find it difficult myself, but after reading this article you will agree it is not).

As an example, let's take the "Jinfeng File Download control":

The Jinfeng File Download control supports both the HTTP and FTP protocols, resumable downloads, URL redirection, cookies, proxy servers and other functions. It can output file download logs, and lets you customise the client ID, the referer and the server host name. With it you can easily build a multi-threaded download tool. It can be used from C++ Builder, Delphi, VB, VC++, C# and any other development tool that can call ActiveX controls, and it can be used directly on a web page (the control is signed and installs at IE's default security level). It also provides functions for dynamically calling functions in a DLL (dynamic link library): you can declare a function's parameters of various types, declare arrays and declare structs from strings, then dynamically call a DLL function with the declared parameters and read back its return value.

The registration fee for the Jinfeng File Download control is 120 yuan per set. After you pay and register, you receive a piece of code; as long as this code is inserted into your program, no unregistered prompt pops up when your program uses the control. The registration is not tied to the machine and is not verified over the network; it is just a piece of registration code, and software with this code inserted never shows the "control not registered" prompt on any machine.

The registration fee of this control is ¥120. The control is versatile and supports many languages (it is used by an internet cafe auto-download tool from xiaoq); you can find the software with BAIDU.

Tools: OD, PEiD, and the example source code supplied by the author

Objective: to remove the damn NAG

Previous method of cracking: identify the packer, then load the control with OD's loaddll program and analyse it. If the control is even slightly protected (never mind packed), this is a dead end for our cracking: the string cannot be found (so the breakpoint cannot be located), and OD's loaddll loader is limited (little more than static analysis). That is why I used to think OCX and DLL cracking was so difficult. So we have to change our thinking.

As mentioned above: "OCX, DLL and other such files are all executable files" (that's right, I treat OCX, DLL and EXE as equivalent for cracking purposes).

PEiD 0.94 reports: Nothing found *. I cannot tell what language it was written in.

If they are all executable files, then load the control through example source code B! Done this way, a packed control is no obstacle either.
Load the source program in OD and run it. (I loaded the Borland Delphi call example. Why? Because this language is so bad!)
The NAG is shown with a registration message box, so on the OD command line: bp MessageBoxA. Run the program; it calls the OCX, and soon it stops at the call to the MessageBoxA function in USER32.DLL.

The code is as follows:
77D36476> 833D D0C3D677 0> cmp dword ptr [77D6C3D0], 0 ---> breaks here
77D3647D 0F85 885B0100 jnz 77D4C00B
77D36483 6A 00 push 0
77D36485 FF7424 14 push dword ptr [esp + 14]
77D36489 FF7424 14 push dword ptr [esp + 14]
77D3648D FF7424 14 push dword ptr [esp + 14]
77D36491 FF7424 14 push dword ptr [esp + 14]
77D36495 E8 03000000 call MessageBoxExA -----> the thing you don't want to see
77D3649A C2 1000 retn 10 -----> retn returns into the OCX control's own address space here.

After the retn we land here:
00B6454B 55 push ebp
00B6454C 68 1946B600 push 00B64619
00B64551 64: FF30 push dword ptr fs: [eax]
00B64554 64: 8920 mov fs: [eax], esp
00B64557 B8 0B000000 mov eax, 0B
00B6455C E8 EFE5F9FF call 00B02B50
00B64561 83F8 04 cmp eax, 4; compare the random number with 4
00B64564 0F8F 94000000 jg 00B645FE; if you are lucky the jump is taken and the NAG is skipped this time
00B6456A 6A 24 push 24
00B6456C 8D55 FC lea edx, [ebp-4]
00B6456F B8 3046B600 mov eax, 00B64630; ASCII "3F28236E2978505A2260515C4A46214622603F29"
00B64574 E8 E7FEFFFF call 00B64460
00B64579 8B45 FC mov eax, [ebp-4]
00B6457C E8 03FBF9FF call 00B04084
00B64581 50 push eax
00B64582 8D55 F4 lea edx, [ebp-C]
00B64585 B8 6446B600 mov eax, 00B64664; ASCII "bytes"
00B6458A E8 D1FEFFFF call 00B64460
00B6458F FF75 F4 push dword ptr [ebp-C]
00B64592 68 0047B600 push 00B64700
00B64597 68 0C47B600 push 00B6470C
00B6459C 68 0047B600 push 00B64700
00B645A1 68 0C47B600 push 00B6470C
00B645A6 8D55 F0 lea edx, [ebp-10]
00B645A9 B8 1847B600 mov eax, 00B64718; ASCII "bytes"
00B645AE E8 ADFEFFFF call 00B64460
00B645B3 FF75 F0 push dword ptr [ebp-10]
00B645B6 8D45 F8 lea eax, [ebp-8]
00B645B9 BA 06000000 mov edx, 6
00B645BE E8 BDF9F9FF call 00B03F80
00B645C3 8B45 F8 mov eax, [ebp-8]
00B645C6 E8 B9FAF9FF call 00B04084
00B645CB 50 push eax
00B645CC 53 push ebx
00B645CD E8 AE2FFAFF call <jmp. & user32.MessageBoxA>
00B645D2 83F8 06 cmp eax, 6; the return lands here, look up!
00B645D5 75 27 jnz short 00B645FE
00B645D7 6A 01 push 1; do you want to register??
00B645D9 6A 00 push 0
00B645DB 6A 00 push 0
00B645DD 8D55 EC lea edx, [ebp-14]
00B645E0 B8 C047B600 mov eax, 00B647C0; ASCII "hour"
00B645E5 E8 76FEFFFF call 00B64460
00B645EA 8B45 EC mov eax, [ebp-14]
00B645ED E8 92FAF9FF call 00B04084
00B645F2 50 push eax
00B645F3 68 8048B600 push 00B64880; ASCII "open"
00B645F8 53 push ebx
00B645F9 E8 DEC5FEFF call <jmp. & shell32.ShellExecuteA>; yes! opens the registration address
00B645FE 33C0 xor eax, eax; GO --> back to the OCX
00B64600 5A pop edx
00B64601 59 pop ecx
00B64602 59 pop ecx

Haha, change the conditional jump at 00B64564 to jmp and the OCX now ignores the software author's registration statement. (When the author asks you to insert a registration statement into your source program, it really is just a statement, and that is the scary part of using it: pay to register! Success # fail .#.! Fast #)

So you can see that OCX control cracking is not as difficult as legend has it!

Summary of OCX and DLL control cracking:
1. Find an example program with source code ("very important" for debugging) ^-^ you can also write one yourself.
2. Break on system-level API functions, such as bp MessageBoxA (so that execution returns into the OCX).
