Cracking is the art of exploring assembler code in order to find a vulnerable point, followed by its analysis and breaking.
Introduction to Cracking
Start
I will disappoint those who think that cracking can be done without certain knowledge, skills and perseverance. It is not enough just to download the software you need and crack the program. Do not expect a program to be broken in 5 minutes (although if you already have experience and the program's protection is trivial, it is possible even in less time).
So, if you are interested in learning cracking and are ready to read a lot of documents and spend a lot of time, then this article is for you.
First you need to learn the basics of assembler; you do not even have to learn how to write programs in it. You only need to know the meaning of the instructions and commands, i.e. you need to be able to read the code. Do you think you can read a book in Spanish without knowing the language? I recommend the following material on asm: Kalashnikov's site (http://www.Kalashnikoff.ru), "IBM PC Assembler" by Yurov, the article series "Assembler for Cracker's" by Dr.Golova and "Cracking for Cowboys" from Crack.
Having mastered the material, you should know the purpose of the instructions and understand a program's assembler code a little. Understand that any program, written in any programming language, is handed to the processor as machine code, which it executes to perform the functions built into the program. To make the machine code readable, it is converted back into assembler (disassembled). We can examine it and change it with the help of special programs. But changes are not possible if the program is packed. A program is packed in order to reduce its size and to protect it from being broken (for example with UPX, ASPack and many others).
Varieties and purposes of programs
OllyDBG
kWdsm
QUnpack
Hiew
Tpe
All this software can be downloaded separately, but there is also a bundled version called CrackersKit (version at the time of writing: 1.1, size: 7 MB). You can download it from cracklab.ru. Almost all of the programs above (or their analogues) are in it. Now that we have the initial knowledge in this area and the software we need for research, let's sort out the types of software:
Shareware - trial software
Freeware - free software
Adware - ad-supported programs
Commercialware - pay!
Donationware - a fee if desired
The targets are programs of the shareware, adware and commercialware kind.
Toolbar in Olly and DASM
I assume you already have at least some experience with Olly (if not, read the article "Olly Debugger from A to Z" on cracklab.ru).
Let me remind you of the debugger functions we will work with:
Always keep in view the CPU window (Olly's main window), Breakpoints and Patches.
CPU Window:
Let's understand the purpose of the most basic functions of Dasm.
In order to analyze the protection code, it first needs to be found.
Ways to find the verification code (with OllyDBG and kWdsm)
The purpose of the search is to find and arbitrarily modify the code, or to find the serial number. Finding the verification code is mandatory for breaking the program.
The main purpose of this code is:
1 check the validity of the serial number (the data entered in the SN input form)
2 jump to an address depending on whether it is correct / incorrect
3 report an incorrect registration
The main ways to find the verification code are:
1 breakpoint (Intermodular calls)
2 referenced text strings
3 search in the memory dump window
4 search in the stack
5 search with kWdsm
You can set breakpoints either through the command line, for example:
Bpx MessageBoxA
Bpx - the breakpoint command
MessageBoxA - the function on which the breakpoint is set
The purpose of the functions can be learned from the WinAPI reference (cracklab.ru)
Or via Intermodular calls, for example:
Find the MessageBoxA function, right-click and select Set breakpoint on every call MessageBoxA
With the referenced-text-string type of search, a phrase is used that is displayed, for example, when an incorrect serial number is entered. Run the program, enter an SN, the program complains that the SN is incorrect (for example: Wrong SN! Try again) => this phrase will be used for the search: go to All referenced text strings (in the Search for menu) and search for this phrase.
An example of hacking programs with different types of protection
1 an SN entry form
2 a label in the program (for example, Unregistered)
We take programs for research either from magazine discs (PL, Hacker, gaming magazines) or from sites such as softodrom.ru and others (look there for shareware software and explore it).
Theoretical plan of hacking:
Let's start the process of finding the code itself and breaking it; I'll show these operations using EscapeClosePro as an example.
I recommend performing all the actions listed below together with me, as this is hard to grasp just by reading the material. If you do not yet understand how it worked out for me, you can practise on the crackmes from phantom and craft (ngh.void.ru/soft/d/crackme.rar; ngh.void.ru/soft/d/craft1.rar)
EscapeClosePro
Protection method: SN, the label Unregistered in the program window
Packer / Protector: absent (we learned this thanks to PEiD; if the program were packed, we would first have to find an unpacker for it)
Cost: 100 rubles
Breaking by searching for the SN:
This method is characterized by the fact that the task is to find the verification code, either by setting a breakpoint on the desired instruction, by viewing the referenced text strings, or by simply viewing the disassembled code of the program, and then searching for a valid serial number.
Name: vizor
SN: vizor
The program stopped at address 0040262E; at this address there is a call instruction which outputs (in our case) the text Wrong code!. Pay attention to the memory dump window (in the main CPU window) and try to find interesting things by simply looking through it: scroll up and see at address 0012F3D0 a figure of more than 10 digits at a glance: 56C520AE713B563D5119. There is a suspicion that this is the SN; we test it and it fails.
Nobody forbids using several (or even all) of the search methods at once.
Now we set the breakpoint not on the message itself but on the instruction that pushes the phrase (Wrong code!), i.e. on the push. Again fill in the input forms, press OK, and the program stops at 00402620 (where PUSH 0). Again turn your attention to the memory dump and see there:
0012F438 004088E8 ASCII "9B2BC2C55272E0C32B44" << suspicion of SN
0012F43C 0012F518 << here is our crack
0012F440 00402200 EscapeCl.00402200
Test the other SN we found for validity (Name vizor, SN 9B2BC2C55272E0C32B44) and: Thanks for registering!
Changing the function's outcome:
Changing the function's outcome, in turn, is characterized by finding the verification code and arbitrarily changing it, so that for any data entered the program considers itself registered.
Again we set the breakpoint on MessageBoxA as before, enter the same data in the Name and SN fields, and stop there. Only now we move higher, looking for a jump (a conditional jump). On the way up we analyse all the jumps. We move upward because, roughly speaking, if the message output function is at address 5, then the check occurs above this address, since the check always occurs before the result (the concept of the stack).
Scrolling up we see:
004025CD > 85C0          TEST EAX,EAX
004025CF . A3 58AF4000   MOV DWORD PTR DS:[40AF58],EAX
004025D4   74 4A         JNE SHORT EscapeCl.00402620
Analysing the jump JNE 00402620, we pay attention first of all to the jump target, i.e. 00402620. We look at this address and see the output of the message that the program is unregistered. Now we change the jump JNE (jump if not equal) to JE (jump if equal). Double-click with the left mouse button on:
004025D4   74 4A         JNE SHORT EscapeCl.00402620
and change JNE to JE. Now the program counts any entered SN as correct (apart, of course, from the real SN), because the outcome of the check has been changed so that the program always returns a positive result for any data entered.
But this is not all; do not rush to run the patched program and release it. Recall, what other protection method does the program use? Right, the simple-at-first-glance label Unregistered in the program window. After a restart the program checks whether this label has been changed to something else, and only if so does it consider itself registered; we have not done that yet, therefore not everything is done and we move on.
We set the breakpoint on the already rather annoying MessageBoxA.
We reason as follows: if the program is unregistered, it shows the label Unregistered, hence it should be somewhere in the program's code. We begin the search, but before that just read the code and look at it... scroll down and see:
0040265F . 85C0          TEST EAX,EAX                                   << comparison of data in registers
00402661   74 23         JE SHORT EscapeCl.00402686                     << jump
00402663 . 8B5424 70     MOV EDX,DWORD PTR SS:[ESP+70]
00402667 . 68 64724000   PUSH EscapeCl.00407264                         ; /Text = "Unregistered version!"
...
00402686 > 8B7424 70     MOV ESI,DWORD PTR SS:[ESP+70]
0040268A . 8B3D 70714000 MOV EDI,DWORD PTR DS:[<&USER32.SetDlgIte>    ; USER32.SetDlgItemTextA
00402690 . 68 54724000   PUSH EscapeCl.00407254                         ; /Text = "Registered to:"
SetDlgItemTextA is the function that sets the title or text of a dialog control.
And here is the message. We begin the analysis of the code. We see the standard construction: a check of the register contents and a jump. JE 00402686 - jump further along the code. Look at what is at 00402686: there is the message Registered to: => if we change JE to JNZ, the program considers itself registered in any scenario and writes about it in its main window.
Thus, by changing these 2 instructions, the program will always be registered, and all of it comes down to just 2 bytes changed in the code.
Patching:
Patching the program is performed immediately after breaking it.
In order to patch our experimental program you need to change:
Address    Instruction       Change to
004025D4   JNE 00402620      JE
00402661   JE 00402686       JNE
For patching we will use hiew; you can learn more about hiew commands from my article (ngh.void.ru/lec/crack.html).
Before we patch the program, we need to create a folder (wherever it is more convenient, even at the root of the disk) and copy the EscapeClosePro exe file there, in case we do something wrong. After copying it, we run hiew and find our file (EscapeClosePro.exe). At this point I would like to say a little about the main options of hiew. In this menu, choose Decode.
The main hiew panel:
Load our file EscapeClosePro.exe in hiew and search either for a phrase (F7) or for an address (F5). I would advise searching for the phrase, so press F7 and type Registered to:; after finding this phrase, you need to patch:
Address    Instruction       Change to
004025D4   JNE 00402620      JE
00402661   JE 00402686       JNE
After patching (remember, I told you we need to copy the program file and patch the copy), save the patched file, for example as p.exe, and copy the unmodified program file next to it, i.e. now we have 2 files in the folder: one patched and one the default program file. We need this in order to make a patch with the patchmaker tpe:
In order to create a patch, in this window in the Original file form (original, i.e. unmodified / unpatched) you need to select the unpatched file, and in the Patched File form, respectively, the patched file. Then in the main tpe window fill in the forms for who created the patch and their site. In the File tab, choose to create the patch. Save it under the desired name and the patch is ready!
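What tpe derives from the original and patched files is a byte-level difference; the same comparison is how a developer or incident responder checks whether a shipped binary has been tampered with. The following is an added example (not code from the article, tpe or hiew): it diffs two constructed byte buffers that stand in for EscapeClosePro.exe (invented offsets and content, not the real program) and flags single-byte changes that flip a short x86 conditional jump to its inverse, the pattern used above.

```python
"""Byte-level diff of an original binary against a suspect copy.

Added example, not part of the original article or of tpe/hiew. The
ORIGINAL/PATCHED buffers below are constructed stand-ins for the real
EscapeClosePro.exe; offsets and filler are invented.
"""
from typing import List, Tuple

# x86 short conditional-jump opcodes (0x70..0x7F). opcode ^ 1 is the
# opposite condition, so JE (74) <-> JNE (75), JB (72) <-> JAE (73), ...
JCC_SHORT = {
    0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JAE",
    0x74: "JE", 0x75: "JNE", 0x76: "JBE", 0x77: "JA",
    0x78: "JS", 0x79: "JNS", 0x7A: "JP", 0x7B: "JNP",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}

Change = Tuple[int, int, int]  # (offset, original byte, patched byte)


def diff_bytes(original: bytes, patched: bytes) -> List[Change]:
    """Return every differing byte; a size mismatch is not an in-place patch."""
    if len(original) != len(patched):
        raise ValueError("files differ in size; not a simple in-place patch")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def jump_inversions(changes: List[Change]) -> List[Change]:
    """Keep only changes that turn a short Jcc into its inverse condition."""
    return [c for c in changes if c[1] in JCC_SHORT and c[2] == c[1] ^ 1]


def describe(change: Change) -> str:
    """Human-readable line for one change, naming an inverted jump if it is one."""
    off, a, b = change
    line = f"{off:08X}: {a:02X}->{b:02X}"
    if a in JCC_SHORT and b == a ^ 1:
        line += f"  {JCC_SHORT[a]} inverted to {JCC_SHORT[b]}"
    return line


# Constructed sample: 64 bytes of NOP filler with two short jumps in it.
ORIGINAL = bytearray(b"\x90" * 64)
ORIGINAL[0x10:0x12] = b"\x75\x4A"   # JNE SHORT +4A (cf. 004025D4 in the article)
ORIGINAL[0x30:0x32] = b"\x74\x23"   # JE  SHORT +23 (cf. 00402661)
PATCHED = bytearray(ORIGINAL)
PATCHED[0x10] = 0x74                # JNE -> JE
PATCHED[0x30] = 0x75                # JE  -> JNE

if __name__ == "__main__":
    for c in diff_bytes(bytes(ORIGINAL), bytes(PATCHED)):
        print(describe(c))
```

On real files, read both with open(path, "rb") and pass the contents to diff_bytes; a mismatch in size means the copy was rebuilt or packed rather than patched in place.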
I hope this article has helped you master the basics of the cracker's art and answered some of your questions. From here on it only gets more interesting; practise more, read, and you will succeed.
P.S. This article comes with an appendix in the form of video clips of breaking the EscapeClosePro program in various ways.
P.S. Many thanks to Armiоlu for pointing me in the right direction and helping me with the things I did not understand)
By Rel4nium (ngh.void.ru)