Reposted from [Blow a sword to the cloud]: cracking

Source: Internet
Author: User
Find a piece of software that asks for registration. First ask whether it can be cracked at all. There is a saying: if the software can run entirely on the local machine, it can be cracked. If the software is only a demo (demonstration version), don't bother with it; you can rest.
If it can be cracked, check for a packer ("shell") first, with tools such as PEiD and DiE. The conventional approach is to unpack first. Different packers need different unpacking methods, and some have several; which one you use depends on your ability. Simple packers can generally be handled by automatic unpackers such as RL!dePacker, QuickUnpack, or the automatic unpacker in the Super Patrol virtual machine. I am a lazy man: I let an unpacker strip the packer without lifting a finger. Personally I think unpacking is only part of the attack; what matters is the crack itself. All I want is one result, the packer gone; how it comes off is up to you.
Speaking of unpacking, here are several basic methods. Tool: OllyDbg (OD).
1. Single-step tracing
Load the program in OD without code analysis. Step into near CALLs with F7 and step over far CALLs with F8, always working downward. Where a jump goes backward (a loop), select the next line of code and press F4 (run to selection; right-click -> Breakpoint -> Run to selection). A large jump (one spanning a large distance: JMP ***, JE ***, or RETN) is the sign that the OEP is near.
2. ESP trick (ESP law)
Press F8 once and check whether ESP in the register pane (upper right of OD) has changed (shown in red). On the command line enter dd ****** (the current ESP value) and press Enter; in the dump pane select the DWORD at that address, then Breakpoint -> Hardware, on access -> Dword. Press F9 to run; when it breaks, press F8 at the jump to land on the OEP.
3. Last exception
Open OD's Options -> Debugging options and untick all exceptions, then reload with Ctrl+F2. Press Shift+F9 until the program runs, counting the presses (M). Reload with Ctrl+F2 and press Shift+F9 M-1 times. Press Ctrl+G and enter the address shown before the SE handler in the lower-right corner of OD, set a breakpoint there with F2, press Shift+F9 to reach it, then step with F8 to the OEP.
4. Memory map
Load the program in OD, go to Options -> Debugging options and ignore all exceptions, then reload with Ctrl+F2. Press Alt+M to open the memory map, find the program's first .rsrc section, set a breakpoint on it with F2 and press Shift+F9 to run to the break. Open the memory map again and find the .code section above .rsrc (i.e. 00401000), set a breakpoint on it with F2 and press Shift+F9 (or F9 if no exception occurs) to reach the OEP.
5. Simulated tracing
Use only when there are no hidden checks planted in the code.
Trial-run with F9 to confirm there are no SEH traps or similar; otherwise this method fails. Press Alt+M to open the memory map, find the section marked "SFX, imports, relocations", note its address (= ***), then on the command line enter tc eip<*** and press Enter.
6. Stepping to the OEP
Only applies to a few packers, such as UPX and ASPack.
Press Ctrl+F, enter popad and press Enter to find it, set a breakpoint with F2 and run to it with F9. Go to the large jump that follows and step over it with F8 to reach the OEP.
7. SFX
In OD's options, ignore all exceptions, switch to the SFX tab, select byte-mode tracing of the real entry, and click OK. Reload; answer "No" when asked to compress the code, and you arrive at the OEP.
For modified packers, double packers and heavyweight packers you may need to combine several methods, use scripts, or patch something yourself. Other people have summarized which method suits which packer, with detailed steps; you can find this on specialist sites.
Don't forget to repair the imports after unpacking. Tool: Import REConstructor (I call it "Birdie", heh).
Remember this: it is normal for a program to need repair after unpacking.
Once the repair is done, enter something in the registration box, set breakpoints and run again. Choose the breakpoint by how the software registers:
A "registration failed" or "registration correct" message box: bp MessageBoxA (for VB programs, bp rtcMsgBox).
No message is shown: bp GetDlgItem.
A message saying registration takes effect on the next start: bp GetDlgItem, then follow the button's event code.
Registration stored in the registry or a file, with a registration box or prompt shown when unregistered: bp RegOpenKey(A), bp CreateFileA, or bp GetPrivateProfileStringA.
An unregistered copy opens a web page on startup or exit: bp ShellExecuteA.
An unregistered copy is time-limited: bp GetLocalTime (reads the local time) or bp GetFileTime (reads a file's timestamps).
Verification over the network: bp ExitProcess, and change the online check into a local one.
Dongle ("dog") protection: the required dongle file is checked at startup, so bp CreateFileA; if the dongle file is missing, an error is shown.
Find the key CALL and the key jump; whether you then patch the jump, trace the code to recover the key, or write a keygen depends on your ability.
Common patches used in cracking (mnemonic change, then the opcode bytes):
JNZ/JNE -> NOP: 75 -> 90
JNZ/JNE -> JMP: 75 -> EB
JZ/JE -> NOP: 74 -> 90
JZ/JE -> JMP: 74 -> EB
JNZ -> JZ: 75 -> 74, or 0F 85 -> 0F 84
JZ -> JNZ: 74 -> 75, or 0F 84 -> 0F 85
JE -> JNE: 74 -> 75, or 0F 84 -> 0F 85
Brute-force patching mnemonics (Chinese puns on the hex digits, which do not survive translation):
75 "dies", 90 "lives": 75 -> 90 (the change to NOP)
75 "lives", EB "serves": 75 -> EB (the change to JMP)
"wife" (74), "no wife" (75): 74 <-> 75
"dad dead" (84), "dad absent" (85): 84 <-> 85
Methods I know for tracing the registration code:
1. Load the program in OD and use the built-in Ultra String Reference plug-in (search Unicode strings for VB programs, ASCII strings otherwise). Double-click the prompt string, look upward to find the key CALL, set a breakpoint there with F2, run with F9, and enter any registration code. When it breaks, check the register window on the right.
2. Press Ctrl+N to list the imported names and find the comparison function (for example lstrcmpA in a C++ program, __vbaStrComp in a VB program). Press Enter (or right-click) to follow it, set a breakpoint with F2, run with F9 and enter any registration code. When it breaks, check the registers on the right or the stack in the lower right.
3. Load the program in W32Dasm (the non-localized version), go to Refs -> String Data References, find the prompt string and double-click to go to the code, then find the key CALL (usually the CALL just above the key jump). Note its address, load the program in OD, press Ctrl+G and enter that address, set a breakpoint with F2, run with F9 and enter any registration code. When it breaks, check the right side.
4. Load the program in W32Dasm (non-localized version), click Functions -> Imports, find a comparison function and double-click it. Go to Debug -> Load Process (Ctrl+L) and load directly; W32Dasm stops. If the program runs away, restart it. Press F2 on the highlighted line to set a breakpoint (a small yellow block appears in front of it), press F9 and enter any registration code. When it breaks, you can see the fake registration code we entered and find the real one.
5. Enter any registration code and note the prompt. Open WinHex, open RAM, find the program at the bottom of the list and click OK, select the entire memory and click OK, press Ctrl+F and enter the fake registration code you typed; the real registration code is usually just above it. If not, press F3 to keep searching.
I am used to writing keygens with KeyMake. Of course, if you know one or more programming languages you can write a better keygen yourself.
Many people ask: are there any prerequisites for learning to crack?
Some joke that you must be either male or female, older than 7, of normal IQ, able to start up and shut down a computer on your own, with no comprehension problems and no visual impairment...
Personally I think it is best to know some assembly before learning to crack. There is a famous saying that a cracker who does not know assembly will always be a newbie. That is no exaggeration; it is true.
Here is the most basic assembly:
CMP A, B // compare A with B
MOV A, B // copy the value of B into A, so that A = B
RET // return to the caller
NOP // no operation: do nothing (machine code 90)
CALL // call a subroutine that ends with RET
JE or JZ // jump if equal (machine code 74 or 0F 84)
JNE or JNZ // jump if not equal (machine code 75 or 0F 85)
JMP // unconditional jump (machine code EB)
JB // jump if below (unsigned less than)
JA // jump if above (unsigned greater than)
JG // jump if greater (signed)
JGE // jump if greater or equal (signed)
JL // jump if less (signed)
JLE // jump if less or equal (signed)
POP xx // pop xx off the stack
PUSH xx // push xx onto the stack
For more detail, see an assembly textbook.
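The opcode bytes in the patch table and the mnemonics in the cheat sheet above are easier to reason about with a decoder in hand. This is an added example of my own, not code from the original post or from any of the tools it names: it decodes the opcodes the text lists (short and near Jcc, JMP SHORT, NOP) from constructed sample bytes assumed to be loaded at 00401000, and goes a little beyond the text by covering all sixteen Jcc condition codes.

```python
from typing import List, Tuple

# Jcc condition codes by opcode low nibble (short form 7x, near form 0F 8x).
# Each even/odd pair is a condition and its negation, which is why the
# patch table's 74/75 and 0F 84/0F 85 differ only in the lowest bit.
CC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
      "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

def decode(code: bytes, base: int) -> List[Tuple[int, int, str, int]]:
    """Decode bytes loaded at `base` into (address, length, text, target).

    target is -1 for non-branches. Targets are relative to the end of the
    instruction, as the CPU computes them. Bytes that are not one of the
    opcodes handled here (or are truncated) are emitted as 'db 0xNN'.
    """
    out = []
    i = 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0x90:                                          # NOP, 1 byte
            out.append((addr, 1, "NOP", -1)); i += 1
        elif op in (0xEB, *range(0x70, 0x80)) and i + 1 < len(code):   # rel8
            rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            name = "JMP" if op == 0xEB else CC[op & 0xF]
            tgt = addr + 2 + rel
            out.append((addr, 2, f"{name} SHORT {tgt:08X}", tgt)); i += 2
        elif op == 0x0F and i + 5 < len(code) and 0x80 <= code[i + 1] <= 0x8F:
            rel = int.from_bytes(code[i + 2:i + 6], "little", signed=True)  # rel32
            tgt = addr + 6 + rel
            out.append((addr, 6, f"{CC[code[i + 1] & 0xF]} {tgt:08X}", tgt)); i += 6
        else:
            out.append((addr, 1, f"db 0x{op:02X}", -1)); i += 1
    return out

def inverse_opcode(op: int) -> int:
    """Opcode byte of the opposite condition (74 <-> 75, 84 <-> 85): flip bit 0."""
    return op ^ 1

# Constructed sample bytes (not from any real program): the three jump shapes
# the text mentions plus a NOP, assumed to be loaded at 00401000.
SAMPLE = bytes([0x75, 0x05,                           # JNE SHORT +5
                0x0F, 0x84, 0x10, 0x00, 0x00, 0x00,   # JE near +0x10
                0x90,                                 # NOP
                0xEB, 0xF4])                          # JMP SHORT -12 (backward)

if __name__ == "__main__":
    for addr, length, text, _ in decode(SAMPLE, 0x00401000):
        print(f"{addr:08X}  {length} bytes  {text}")
```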
That is how I understand cracking, described only briefly. Cracking is the inverse problem of programming, and learning it is good for your programming. However, I recommend that you don't crack everything in sight. At present Chinese law on the Internet is incomplete, but there will certainly be provisions in the future. After all, it is not easy for software authors to protect their rights and interests, though the price of some software is a little too high. You can learn about cracking; there is absolutely no harm in learning any kind of knowledge. And how else am I supposed to register the software I use on my own computer? Haha.