Some ideas on using SMC (self-modifying code) to crack packed software

Source: Internet
Author: User

1. SMC is generally suited to software protected by one to three layers of compression shells. If the software is wrapped in many layers of shells, SMC becomes very troublesome, and it is quicker to unpack the shells outright.
2. If the OEP (original entry point) is stored in plaintext in the original file, it saves a lot of trouble. Otherwise you must work out how the OEP is encrypted, and the encryption differs between shells and even between versions of the same shell. This is based on others' experience.
Searching for the entry point data directly
Here is how to use uedit32.exe to search for the entry point data directly and change it:
1. Assume the entry point of abc.exe (Impact Wave 2000 or any other target program) is 0040C050. Open abc.exe with peditor.exe: the image base is 00400000, so the value stored in the file is the RVA 0040C050 - 00400000 = 0000C050.
2. Open abc.exe with uedit32.exe and search for the hexadecimal bytes 50C00000 (the RVA in little-endian byte order). If exactly one match is found, the entry point is stored in plaintext. If the pattern matches in several places, or not at all, this method cannot be applied safely and you must fall back to tracing.
3. If the patch code is to start at 00505B6C in memory, change 50C00000 in the file to 6C5B1000 (00505B6C - 00400000 = 00105B6C, again little-endian).
The following example covers the more common case, which needs dynamic tracing:
1. Load the program in SoftICE and trace with F7 (step into). As the unpacker approaches the real entry point, step carefully with F10 and watch which instruction transfers control to the real entry point (the common forms are JMP OEP and PUSH OEP / RET).
2. Suppose we see 0187:0050A5D3 E944F9F8FF JMP 00499F1C
3. Note the bytes E944F9F8FF, open def.exe with uedit32.exe and search for E944F9F8FF. A unique match means the jump is stored in plaintext. (If the bytes cannot be found, search instead for 1C9F0900, the OEP RVA 00099F1C in little-endian order, as in the previous method.)
4. If the patch code is to start at 00400370 in memory, first test the change in SoftICE by reassembling the instruction when the program reaches 0187:0050A5D3:
Original 0187:0050A5D3 E944F9F8FF JMP 00499F1C
Changed to 0187:0050A5D3 E9985DEFFF JMP 00400370
(The rel32 of a 5-byte JMP is the target minus the address of the following instruction: 00400370 - 0050A5D8 = FFEF5D98, stored little-endian as 985DEFFF.)
Then open def.exe with uedit32.exe and change E944F9F8FF to E9985DEFFF.
3. Find a free area in the program to hold the code that applies the patch. The free area must be mapped into memory and must not be overwritten when the program decompresses itself, and the section that SMC writes to must be writable (change its characteristics to E0000020 or C0000040; the area holding the patch code itself must also be executable, so on a system with DEP enabled E0000020 is the safe choice for it). Most free space is the gap in front of the first section, but it is not always present. I think it is best to place the code in a run of 00 bytes inside the compression shell's own section. For example, if ASPack is used, open the software with peditor.exe and look at its section table: the .aspack section has Raw Offset 00000c00. Open the software with uedit32.exe, go to the range starting at 00000c00 (the section runs to 2c00), and find a free spot, that is, a run of consecutive 00 bytes.
4. As long as the entry point has been redirected correctly, you do not need to assemble anything with the SoftICE a command: just enter the following hexadecimal bytes one after another in the free area.
C605 + memory address + one byte: MOV byte ptr [address], imm8, modifies one byte;
66C705 + memory address + two bytes: MOV word ptr [address], imm16, modifies two bytes;
C705 + memory address + four bytes: MOV dword ptr [address], imm32, modifies four bytes;
68 + entry point memory address: PUSH OEP;
C3: RET, which returns to the entry point.
Note: the memory address is written in little-endian (reversed) byte order. The immediate data is written in the same order it should appear in memory, because the CPU stores the immediate little-endian and writes it to memory little-endian, so the two reversals cancel out.
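The whole procedure above, as an added example in Python that is not code from the original article: it computes the rel32 for redirecting the packer's final JMP (using the article's own numbers, 0050A5D3, 00499F1C and 00400370), assembles the SMC stub from the opcode templates in step 4, patches a file only when the byte pattern is unique, and interprets the finished stub over a map of memory bytes to confirm what it will do before the real file is touched. The sample file bytes and the two-byte patch at 00505B6C are constructed here for illustration; the image base 00400000 is the article's.

```python
"""Build and check an SMC redirect stub (added example, not the article's code)."""
import struct

IMAGE_BASE = 0x00400000  # image base from the article's peditor.exe step


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """E9 <rel32>: displacement relative to the end of the 5-byte JMP."""
    rel = (dst_va - (src_va + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def rva_bytes(va: int, base: int = IMAGE_BASE) -> bytes:
    """Little-endian RVA, the form a packer stores when it keeps the OEP in plaintext."""
    return struct.pack("<I", va - base)


def build_smc_stub(patches, oep_va: int) -> bytes:
    """Assemble the stub from the templates: MOV [va], imm / PUSH OEP / RET.

    patches: list of (va, patch_bytes) with len(patch_bytes) in {1, 2, 4}.
    The immediate is emitted in memory order because MOV stores it little-endian.
    """
    out = bytearray()
    for va, data in patches:
        if len(data) == 1:
            out += b"\xc6\x05" + struct.pack("<I", va) + data
        elif len(data) == 2:
            out += b"\x66\xc7\x05" + struct.pack("<I", va) + data
        elif len(data) == 4:
            out += b"\xc7\x05" + struct.pack("<I", va) + data
        else:
            raise ValueError("patch bytes must be 1, 2 or 4 bytes long")
    out += b"\x68" + struct.pack("<I", oep_va) + b"\xc3"
    return bytes(out)


def replace_unique(data: bytes, old: bytes, new: bytes) -> bytes:
    """Patch a file image only if the byte pattern occurs exactly once."""
    hits = [i for i in range(len(data) - len(old) + 1) if data[i:i + len(old)] == old]
    if len(hits) != 1:
        raise ValueError(f"pattern occurs {len(hits)} times; cannot patch safely")
    i = hits[0]
    return data[:i] + new + data[i + len(old):]


def run_stub(stub: bytes, memory: dict) -> int:
    """Interpret the stub's MOV/PUSH/RET over a {va: byte} map.

    Applies each write to `memory` and returns the address the final RET
    transfers to. This checks the stub bytes; it does not emulate the target.
    """
    i = 0
    while i < len(stub):
        if stub[i:i + 2] == b"\xc6\x05":                      # MOV byte ptr [va], imm8
            va = struct.unpack_from("<I", stub, i + 2)[0]
            memory[va] = stub[i + 6]
            i += 7
        elif stub[i:i + 3] == b"\x66\xc7\x05":                # MOV word ptr [va], imm16
            va = struct.unpack_from("<I", stub, i + 3)[0]
            for k in range(2):
                memory[va + k] = stub[i + 7 + k]
            i += 9
        elif stub[i:i + 2] == b"\xc7\x05":                    # MOV dword ptr [va], imm32
            va = struct.unpack_from("<I", stub, i + 2)[0]
            for k in range(4):
                memory[va + k] = stub[i + 6 + k]
            i += 10
        elif stub[i] == 0x68 and stub[i + 5:i + 6] == b"\xc3":  # PUSH imm32 ; RET
            return struct.unpack_from("<I", stub, i + 1)[0]
        else:
            raise ValueError(f"unexpected byte {stub[i]:02X} at stub offset {i}")
    raise ValueError("stub did not end with PUSH/RET")


def demo():
    """Walk the article's numbers end to end; returns the intermediate results."""
    jmp_old = jmp_rel32(0x0050A5D3, 0x00499F1C)   # E9 44 F9 F8 FF
    jmp_new = jmp_rel32(0x0050A5D3, 0x00400370)   # E9 98 5D EF FF
    # Constructed sample file: filler around the packer's JMP OEP.
    sample = b"\x00" * 32 + jmp_old + b"\xcc" * 16
    patched = replace_unique(sample, jmp_old, jmp_new)
    # Constructed patch: overwrite a 2-byte conditional jump at 00505B6C with NOPs.
    stub = build_smc_stub([(0x00505B6C, b"\x90\x90")], 0x00499F1C)
    mem = {0x00505B6C: 0x74, 0x00505B6D: 0x12}
    target = run_stub(stub, mem)
    return jmp_old, jmp_new, patched, stub, mem, target


if __name__ == "__main__":
    jmp_old, jmp_new, patched, stub, mem, target = demo()
    print("redirect:", jmp_old.hex().upper(), "->", jmp_new.hex().upper())
    print("stub    :", stub.hex().upper())
    print("memory after stub:", {hex(k): hex(v) for k, v in mem.items()}, "ret ->", hex(target))
```

The stub that `demo()` produces is the byte string you would type into the free area with uedit32.exe: 66C705 6C5B5000 9090 68 1C9F4900 C3. `replace_unique` is the programmatic form of the article's "unique position" check; if the search bytes appear more than once, the function refuses rather than patching the wrong place.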
